MB-52431 Return authType/saslPassword

stevewatanabe · stevewatanabe · commit 22cd5ba257b3 · 2022-06-07T01:21:23.000Z
When running cluster_compat mode older than 7.1 the bucket config still has an authType bucket property which should be returned in REST results. Return the saslPassword if there is one (for pre-7.0 compat mode), return empty saslPassword for 7.0 compat mode, and don't return saslPassword for 7.1 compat mode. Change-Id: I93e1aad382363dc8b3ee5784beeb73f86ecf8d94 Reviewed-on: https://review.couchbase.org/c/ns_server/+/175679 Well-Formed: Restriction Checker Well-Formed: Build Bot <build@couchbase.com> Reviewed-by: Dave Finlay <dave.finlay@couchbase.com> Reviewed-by: Artem Stemkovski <artem@couchbase.com> Tested-by: Steve Watanabe <steve.watanabe@couchbase.com>
diff --git a/src/menelaus_web_buckets.erl b/src/menelaus_web_buckets.erl
@@ -64,6 +64,23 @@
 
 -define(MAX_BUCKET_NAME_LEN, 100).
 
+may_expose_bucket_auth(Name, Req) ->
+    case menelaus_auth:get_token(Req) of
+        undefined ->
+            case cluster_compat_mode:is_cluster_71() of
+                false ->
+                    %% The bucket password permission was removed in 7.1
+                    %% so would only come into play when running mixed versions
+                    %% with pre-7.1 nodes.
+                    menelaus_auth:has_permission({[{bucket, Name}, password],
+                                                  read}, Req);
+                true ->
+                    false
+            end;
+        _ ->
+            false
+    end.
+
 get_info_level(Req) ->
     case proplists:get_value("basic_stats", mochiweb_request:parse_qs(Req)) of
         undefined ->
@@ -227,10 +244,11 @@ build_buckets_info(Req, Buckets, Ctx, InfoLevel) ->
     SkipMap = InfoLevel =/= streaming andalso
         proplists:get_value(
           "skipMap", mochiweb_request:parse_qs(Req)) =:= "true",
-    [build_bucket_info(BucketName, Ctx, InfoLevel, SkipMap) ||
+    [build_bucket_info(BucketName, Ctx, InfoLevel,
+                      may_expose_bucket_auth(BucketName, Req), SkipMap) ||
         BucketName <- Buckets].
 
-build_bucket_info(Id, Ctx, InfoLevel, SkipMap) ->
+build_bucket_info(Id, Ctx, InfoLevel, MayExposeAuth, SkipMap) ->
     Snapshot = menelaus_web_node:get_snapshot(Ctx),
     {ok, BucketConfig} = ns_bucket:get_bucket(Id, Snapshot),
     BucketUUID = ns_bucket:uuid(Id, Snapshot),
@@ -254,10 +272,35 @@ build_bucket_info(Id, Ctx, InfoLevel, SkipMap) ->
                                                "Directory"])},
            {nodeStatsListURI,
             bucket_info_cache:build_pools_uri(["buckets", Id, "nodes"])}]}},
+        build_authType(BucketConfig),
         build_auto_compaction_info(BucketConfig),
         build_purge_interval_info(BucketConfig),
         build_replica_index(BucketConfig),
-        build_dynamic_bucket_info(InfoLevel, Id, BucketConfig, Ctx)])}.
+        build_dynamic_bucket_info(InfoLevel, Id, BucketConfig, Ctx),
+        [build_sasl_password(BucketConfig) || MayExposeAuth]])}.
+
+build_authType(BucketConfig) ->
+    case cluster_compat_mode:is_cluster_71() of
+        false ->
+            [{authType, misc:expect_prop_value(auth_type, BucketConfig)}];
+        true ->
+            []
+    end.
+
+build_sasl_password(BucketConfig) ->
+    case cluster_compat_mode:is_cluster_71() of
+        true ->
+            [];
+        false ->
+            case cluster_compat_mode:is_cluster_70() of
+                true ->
+                    {saslPassword, <<>>};
+                false ->
+                    {saslPassword,
+                     list_to_binary(proplists:get_value(sasl_password,
+                                                        BucketConfig, ""))}
+            end
+    end.
 
 build_replica_index(BucketConfig) ->
     [{replicaIndex, proplists:get_value(replica_index, BucketConfig, true)} ||
diff --git a/src/ns_bucket.erl b/src/ns_bucket.erl
@@ -165,7 +165,7 @@ fetch_snapshot(Bucket, Txn) ->
     fetch_snapshot(Bucket, Txn, all_sub_keys()).
 
 fetch_snapshot(_Bucket, {ns_config, Config}, _SubKeys) ->
-    Converted = bucket_configs_to_chronicle(get_buckets(Config)),
+    Converted = bucket_configs_to_chronicle(get_buckets(Config), false),
     maps:from_list([{K, {V, no_rev}} || {K, V} <- Converted]);
 fetch_snapshot(all, Txn, SubKeys) ->
     {ok, {Names, _} = NamesRev} = chronicle_compat:txn_get(root(), Txn),
@@ -185,15 +185,21 @@ get_snapshot(Bucket, Opts) ->
 
 upgrade_to_chronicle(Buckets, NodesWanted) ->
     BucketConfigs = proplists:get_value(configs, Buckets, []),
-    bucket_configs_to_chronicle(BucketConfigs) ++
+    bucket_configs_to_chronicle(BucketConfigs, true) ++
         collections:default_kvs(BucketConfigs, NodesWanted).
 
-bucket_configs_to_chronicle(BucketConfigs) ->
+bucket_configs_to_chronicle(BucketConfigs, ToChronicle) ->
     [{root(), [N || {N, _} <- BucketConfigs]} |
      lists:flatmap(
        fun ({B, BC}) ->
                {value, {uuid, UUID}, BC1} = lists:keytake(uuid, 1, BC),
-               [{sub_key(B, props), lists:keydelete(sasl_password, 1, BC1)},
+               BC2 = case ToChronicle of
+                         true ->
+                             lists:keydelete(sasl_password, 1, BC1);
+                         false ->
+                             BC1
+                     end,
+               [{sub_key(B, props), BC2},
                 {uuid_key(B), UUID}]
        end, BucketConfigs)].
 
