ING-662: Adds support for client cert authentication

Westwooo · Westwooo · commit a60bd2e95354 · 2025-10-28T18:00:32.000Z
diff --git a/gateway/auth/authenticator.go b/gateway/auth/authenticator.go
@@ -1,7 +1,11 @@
 package auth
 
-import "context"
+import (
+	"context"
+	"crypto/tls"
+)
 
 type Authenticator interface {
 	ValidateUserForObo(ctx context.Context, user, pass string) (string, string, error)
+	ValidateConnStateForObo(ctx context.Context, connState *tls.ConnectionState) (string, string, error)
 }
diff --git a/gateway/auth/cbauthauthenticator.go b/gateway/auth/cbauthauthenticator.go
@@ -2,6 +2,7 @@ package auth
 
 import (
 	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"time"
@@ -12,6 +13,7 @@ import (
 
 var (
 	ErrInvalidCredentials = errors.New("invalid credentials")
+	ErrInvalidCertificate = errors.New("invalid certificate")
 )
 
 type CbAuthAuthenticator struct {
@@ -94,6 +96,19 @@ func (a *CbAuthAuthenticator) ValidateUserForObo(ctx context.Context, user, pass
 	return user, info.Domain, nil
 }
 
+func (a *CbAuthAuthenticator) ValidateConnStateForObo(ctx context.Context, connState *tls.ConnectionState) (string, string, error) {
+	info, err := a.Authenticator.CheckCertificate(ctx, connState)
+	if err != nil {
+		if errors.Is(err, cbauthx.ErrInvalidAuth) {
+			return "", "", ErrInvalidCertificate
+		}
+
+		return "", "", fmt.Errorf("failed to check certificate with cbauth: %s", err.Error())
+	}
+
+	return info.User, info.Domain, nil
+}
+
 func (a *CbAuthAuthenticator) Close() error {
 	return a.Authenticator.Close()
 }
diff --git a/gateway/dataimpl/server_v1/authhandler.go b/gateway/dataimpl/server_v1/authhandler.go
@@ -2,6 +2,7 @@ package server_v1
 
 import (
 	"context"
+	"crypto/tls"
 	"errors"
 
 	"github.com/couchbase/gocbcorex"
@@ -10,7 +11,9 @@ import (
 	"github.com/couchbase/stellar-gateway/gateway/auth"
 	"github.com/couchbase/stellar-gateway/utils/authhdr"
 	"go.uber.org/zap"
+	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/peer"
 	"google.golang.org/grpc/status"
 )
 
@@ -45,16 +48,57 @@ func (a AuthHandler) MaybeGetUserPassFromContext(ctx context.Context) (string, s
 	return username, password, nil
 }
 
+func (a AuthHandler) MaybeGetConnStateFromContext(ctx context.Context) (*tls.ConnectionState, *status.Status) {
+	p, ok := peer.FromContext(ctx)
+	if !ok {
+		return nil, nil
+	}
+
+	tlsInfo, ok := p.AuthInfo.(credentials.TLSInfo)
+	if !ok {
+		a.Logger.Debug("unexpected auth type", zap.String("authType", p.AuthInfo.AuthType()))
+		return nil, a.ErrorHandler.NewUnexpectedAuthTypeStatus()
+	}
+
+	return &tlsInfo.State, nil
+}
+
 func (a AuthHandler) MaybeGetOboUserFromContext(ctx context.Context) (string, string, *status.Status) {
 	username, password, errSt := a.MaybeGetUserPassFromContext(ctx)
 	if errSt != nil {
 		return "", "", errSt
 	}
 
-	if username == "" && password == "" {
+	connState, errSt := a.MaybeGetConnStateFromContext(ctx)
+	if errSt != nil {
+		return "", "", errSt
+	}
+
+	credsFound := username != "" && password != ""
+	certFound := connState != nil && len(connState.PeerCertificates) != 0
+
+	if credsFound && certFound {
+		return "", "", a.ErrorHandler.NewCredentialsAndCertStatus()
+	}
+
+	if !credsFound && !certFound {
 		return "", "", nil
 	}
 
+	if certFound {
+		oboUser, oboDomain, err := a.Authenticator.ValidateConnStateForObo(ctx, connState)
+		if err != nil {
+			if errors.Is(err, auth.ErrInvalidCertificate) {
+				return "", "", a.ErrorHandler.NewInvalidCertificateStatus()
+			}
+
+			a.Logger.Error("received an unexpected cert authentication error", zap.Error(err))
+			return "", "", a.ErrorHandler.NewInternalStatus()
+		}
+
+		return oboUser, oboDomain, nil
+	}
+
 	oboUser, oboDomain, err := a.Authenticator.ValidateUserForObo(ctx, username, password)
 	if err != nil {
 		if errors.Is(err, auth.ErrInvalidCredentials) {
diff --git a/gateway/dataimpl/server_v1/errorhandler.go b/gateway/dataimpl/server_v1/errorhandler.go
@@ -869,6 +869,26 @@ func (e ErrorHandler) NewInvalidCredentialsStatus() *status.Status {
 	return st
 }
 
+func (e ErrorHandler) NewInvalidCertificateStatus() *status.Status {
+	st := status.New(codes.PermissionDenied, "Your certificate is invalid.")
+	st = e.tryAttachStatusDetails(st, &epb.ResourceInfo{
+		ResourceType: "user",
+		ResourceName: "",
+		Description:  "",
+	})
+	return st
+}
+
+func (e ErrorHandler) NewUnexpectedAuthTypeStatus() *status.Status {
+	st := status.New(codes.InvalidArgument, "Unexpected auth type.")
+	return st
+}
+
+func (e ErrorHandler) NewCredentialsAndCertStatus() *status.Status {
+	st := status.New(codes.InvalidArgument, "Authorization header and client certificate provided.")
+	return st
+}
+
 func (e ErrorHandler) NewInvalidQueryStatus(baseErr error, queryErrStr string) *status.Status {
 	st := status.New(codes.InvalidArgument,
 		fmt.Sprintf("Query parsing failed: %s", queryErrStr))
diff --git a/gateway/gateway.go b/gateway/gateway.go
@@ -410,6 +410,8 @@ func (g *Gateway) Run(ctx context.Context) error {
 			Metrics:     metrics.GetSnMetrics(),
 			RateLimiter: rateLimiter,
 			GrpcTlsConfig: &tls.Config{
+				ClientCAs:  config.ClusterCaCert,
+				ClientAuth: tls.VerifyClientCertIfGiven,
 				GetCertificate: func(chi *tls.ClientHelloInfo) (*tls.Certificate, error) {
 					return g.atomicGrpcCert.Load(), nil
 				},
diff --git a/go.mod b/go.mod
@@ -10,7 +10,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.12.0
 	github.com/aws/aws-sdk-go-v2/config v1.28.8
 	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.9
-	github.com/couchbase/gocbcorex v0.0.0-20251016083313-1d5a0c9e5beb
+	github.com/couchbase/gocbcorex v0.0.0-20251022095750-491da08faa75
 	github.com/couchbase/goprotostellar v1.0.3-0.20250811181441-159acea69746
 	github.com/couchbaselabs/gocbconnstr v1.0.5
 	github.com/couchbaselabs/gocbconnstr/v2 v2.0.0-20240607131231-fb385523de28
diff --git a/go.sum b/go.sum
@@ -67,8 +67,8 @@ github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XL
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/couchbase/gocbcorex v0.0.0-20251016083313-1d5a0c9e5beb h1:pHlpj241FbkJqrSuPI9gvBAhQ8g906Rfbm+zT/j6rb8=
-github.com/couchbase/gocbcorex v0.0.0-20251016083313-1d5a0c9e5beb/go.mod h1:6dno13KSKXpYALSx1KkYNHCwIQiuZdfL1xc3dDcYl1o=
+github.com/couchbase/gocbcorex v0.0.0-20251022095750-491da08faa75 h1:H53znXKq5qgA0SLMgF5XuV0sHGQQ0wrmjJ1Cz7vxgEU=
+github.com/couchbase/gocbcorex v0.0.0-20251022095750-491da08faa75/go.mod h1:6dno13KSKXpYALSx1KkYNHCwIQiuZdfL1xc3dDcYl1o=
 github.com/couchbase/goprotostellar v1.0.3-0.20250811181441-159acea69746 h1:kibnwIhBQ50egj2wCX3cd+MtwPXKre4DTDnXuoXQCGQ=
 github.com/couchbase/goprotostellar v1.0.3-0.20250811181441-159acea69746/go.mod h1:x/he3raYF/EspPXAfuVsBdLFNEYUxgFhlicJTRduPZ4=
 github.com/couchbaselabs/gocbconnstr v1.0.5 h1:e0JokB5qbcz7rfnxEhNRTKz8q1svoRvDoZihsiwNigA=
