CBG-4704: Anemone merge

.github/copilot-instructions.md

@@ -0,0 +1,11 @@
+When performing a code review, if there are any changes to the REST APIs (e.g. REST handler code, query parameters, structs returned via handler functions), ensure the OpenAPI specifications are updated accordingly in the `docs/api` directory.
+
+When performing a code review, if there is any dev-time logging using `log.Printf`, `fmt.Printf`, or similar, ensure it is removed or replaced with appropriate Sync Gateway logging (e.g. `base.Infof`, `base.Warnf`, `base.Debugf`).
+
+When performing a code review, if a log message includes User Data, ensure the value is wrapped with the `base.UD()` helper function to enable redaction. User Data includes: Document IDs, JSON document contents (keys and values), usernames, email addresses, or other personally identifiable information (PII).
+
+When performing a code review, be mindful of performance implications, such as mutex contention, race conditions, and other concurrency-related issues.
+
+When performing a code review, ensure code comments explain the *intent* or *reasoning* behind an implementation, rather than just restating what the code does.
+
+When performing a code review, ensure `for` loops have sufficient exit conditions and are not prone to infinite loops. Prefer expressing the exit condition in the loop declaration itself, rather than relying on `break` statements within the loop body.

.github/workflows/ci.yml

@@ -154,17 +154,13 @@ jobs:
         os: [macos-latest, windows-latest, ubuntu-latest]
     steps:
       - uses: actions/checkout@v4
-      - name: Set up python
-        uses: actions/setup-python@v5
-        with:
-          python-version: 3.9
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install pytest pytest-github-actions-annotate-failures pytest-httpserver trustme
+      - uses: astral-sh/setup-uv@v6
       - name: Run test
         run: |
-          pytest
+          uv run -- pytest
+      - name: Run mypy
+        run: |
+          uv run -- mypy
 
   test-stats-definition-exporter:
     runs-on: ${{ matrix.os }}
@@ -182,3 +178,13 @@ jobs:
       - name: Run Tests
         run: go test -shuffle=on -timeout=5m -count=1 -json -v "./tools/stats-definition-exporter" | tee test.json | jq -s -jr 'sort_by(.Package,.Time) | .[].Output | select (. != null )'
         shell: bash
+  cache_perf_tool_build:
+    runs-on: ubuntu-latest
+    name: build cache perf tool
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: 1.24.4
+      - name: Build
+        run: go build "./tools/cache_perf_tool"

.gitignore

@@ -18,6 +18,10 @@ verbose*.xml
 sync_gateway
 *.pb.gz
 __pycache__
+tools/cache_perf_tool/cache_perf_tool
+cache_perf_tool
+tools/stats-definition-exporter/stats-definition-exporter
+stats-definition-exporter
 
 ### Couchbase Plugin ###
 .cbcache/

.redocly.yaml

@@ -67,14 +67,18 @@ apis:
 
 plugins:
   - './docs/api/plugins/plugin.js'
+  - './docs/api/plugins/rules.js'
 
 extends:
-  - minimal
+  - recommended-strict
 rules:
   # disable unnecessary/invalid warnings
   operation-2xx-response: off # _blipsync 101 Upgrade ...
+  operation-4xx-response: off # do not require a 4xx response
   operation-summary: off      # Optional field
   no-ambiguous-paths: off     # /{db}/{doc} != /_debug/expvar
   no-identical-paths: off     # /{db} != /{targetdb}
   no-path-trailing-slash: off # Some endpoints require a trailing slash
   security-defined: off       # TODO: Denote public and authenticated API endpoints with https://redocly.com/docs/cli/rules/security-defined
+  custom-rules/typecheck-defaults: error
+  custom-rules/check-additional-properties-names: error

auth/auth.go

@@ -854,7 +854,7 @@ func (auth *Authenticator) AuthenticateTrustedJWT(token string, provider *OIDCPr
 	var identity *Identity
 	if provider.AllowUnsignedProviderTokens {
 		// Verify claims - ensures that the token we received from the provider is valid for Sync Gateway
-		identity, err = VerifyClaims(token, base.StringDefault(provider.ClientID, ""), provider.Issuer)
+		identity, err = VerifyClaims(token, base.ValDefault(provider.ClientID, ""), provider.Issuer)
 		if err != nil {
 			base.InfofCtx(auth.LogCtx, base.KeyAuth, "Error verifying raw token in AuthenticateTrustedJWT: %v", err)
 			return nil, PrincipalConfig{}, time.Time{}, err
@@ -913,7 +913,7 @@ func (auth *Authenticator) authenticateJWTIdentity(identity *Identity, provider
 	}
 
 	updates = PrincipalConfig{
-		Name:        base.StringPtr(username),
+		Name:        base.Ptr(username),
 		Email:       &identity.Email,
 		JWTIssuer:   &common.Issuer,
 		JWTRoles:    jwtRoles,

auth/auth_test.go

@@ -799,11 +799,11 @@ func TestAuthenticateTrustedJWT(t *testing.T) {
 	auth := NewTestAuthenticator(t, dataStore, nil, DefaultAuthenticatorOptions(ctx))
 
 	var callbackURLFunc OIDCCallbackURLFunc
-	callbackURL := base.StringPtr("http://comcast:4984/_callback")
+	callbackURL := base.Ptr("http://comcast:4984/_callback")
 	providerGoogle := oidcProviderForTest(t, &OIDCProvider{
 		Name: "Google",
 		JWTConfigCommon: JWTConfigCommon{
-			ClientID: base.StringPtr("aud1"),
+			ClientID: base.Ptr("aud1"),
 			Issuer:   issuerGoogleAccounts,
 		},
 		CallbackURL: callbackURL,
@@ -859,7 +859,7 @@ func TestAuthenticateTrustedJWT(t *testing.T) {
 			JWTConfigCommon: JWTConfigCommon{
 				Register: true,
 				Issuer:   issuerGoogleAccounts,
-				ClientID: base.StringPtr("aud1"),
+				ClientID: base.Ptr("aud1"),
 			},
 			AllowUnsignedProviderTokens: true,
 		})
@@ -891,7 +891,7 @@ func TestAuthenticateTrustedJWT(t *testing.T) {
 			JWTConfigCommon: JWTConfigCommon{
 				Register: true,
 				Issuer:   issuerGoogleAccounts,
-				ClientID: base.StringPtr("aud1"),
+				ClientID: base.Ptr("aud1"),
 			},
 		})
 		err = provider.InitUserPrefix(ctx)
@@ -920,7 +920,7 @@ func TestAuthenticateTrustedJWT(t *testing.T) {
 			JWTConfigCommon: JWTConfigCommon{
 				Register: true,
 				Issuer:   issuerGoogleAccounts,
-				ClientID: base.StringPtr("aud4"),
+				ClientID: base.Ptr("aud4"),
 			},
 		})
 		err = provider.InitUserPrefix(ctx)
@@ -949,7 +949,7 @@ func TestAuthenticateTrustedJWT(t *testing.T) {
 			JWTConfigCommon: JWTConfigCommon{
 				Register: true,
 				Issuer:   issuerGoogleAccounts,
-				ClientID: base.StringPtr("aud4"),
+				ClientID: base.Ptr("aud4"),
 			},
 		})
 		err = provider.InitUserPrefix(ctx)
@@ -977,7 +977,7 @@ func TestAuthenticateTrustedJWT(t *testing.T) {
 			JWTConfigCommon: JWTConfigCommon{
 				Register: true,
 				Issuer:   issuerGoogleAccounts,
-				ClientID: base.StringPtr("aud1"),
+				ClientID: base.Ptr("aud1"),
 			},
 		})
 		err = provider.InitUserPrefix(ctx)
@@ -1007,7 +1007,7 @@ func TestAuthenticateTrustedJWT(t *testing.T) {
 			JWTConfigCommon: JWTConfigCommon{
 				Register: true,
 				Issuer:   issuerGoogleAccounts,
-				ClientID: base.StringPtr("aud1"),
+				ClientID: base.Ptr("aud1"),
 			},
 		})
 		err = provider.InitUserPrefix(ctx)
@@ -1038,7 +1038,7 @@ func TestAuthenticateTrustedJWT(t *testing.T) {
 			Name:        providerGoogle.Name,
 			JWTConfigCommon: JWTConfigCommon{
 				Issuer:   issuerGoogleAccounts,
-				ClientID: base.StringPtr("aud1"),
+				ClientID: base.Ptr("aud1"),
 				Register: true,
 			},
 		})
@@ -1068,7 +1068,7 @@ func TestAuthenticateTrustedJWT(t *testing.T) {
 			Name:        providerGoogle.Name,
 			JWTConfigCommon: JWTConfigCommon{
 				Issuer:   issuerGoogleAccounts,
-				ClientID: base.StringPtr("aud1"),
+				ClientID: base.Ptr("aud1"),
 				Register: true,
 			},
 		})
@@ -1102,7 +1102,7 @@ func TestAuthenticateTrustedJWT(t *testing.T) {
 			Name:        providerGoogle.Name,
 			JWTConfigCommon: JWTConfigCommon{
 				Issuer:     issuerGoogleAccounts,
-				ClientID:   base.StringPtr("aud1"),
+				ClientID:   base.Ptr("aud1"),
 				UserPrefix: strings.ToLower(providerGoogle.Name),
 				Register:   true,
 			},
@@ -1143,7 +1143,7 @@ func TestAuthenticateTrustedJWT(t *testing.T) {
 			Name:        providerGoogle.Name,
 			JWTConfigCommon: JWTConfigCommon{
 				Issuer:     issuerGoogleAccounts,
-				ClientID:   base.StringPtr("aud1"),
+				ClientID:   base.Ptr("aud1"),
 				UserPrefix: strings.ToLower(providerGoogle.Name),
 				Register:   true,
 			},
@@ -1178,7 +1178,7 @@ func TestAuthenticateTrustedJWT(t *testing.T) {
 			Name:        providerGoogle.Name,
 			JWTConfigCommon: JWTConfigCommon{
 				Issuer:     issuerGoogleAccounts,
-				ClientID:   base.StringPtr("aud1"),
+				ClientID:   base.Ptr("aud1"),
 				UserPrefix: strings.ToLower(providerGoogle.Name),
 				Register:   true,
 			},
@@ -1290,20 +1290,20 @@ func TestAuthenticateUntrustedJWT(t *testing.T) {
 
 	issuerFacebookAccounts := "https://accounts.facebook.com"
 	issuerAmazonAccounts := "https://accounts.amazon.com"
-	callbackURL := base.StringPtr("http://comcast:4984/_callback")
+	callbackURL := base.Ptr("http://comcast:4984/_callback")
 	var callbackURLFunc OIDCCallbackURLFunc
 	providerGoogle := oidcProviderForTest(t, &OIDCProvider{
 		Name: "Google",
 		JWTConfigCommon: JWTConfigCommon{
-			ClientID: base.StringPtr("aud1"),
+			ClientID: base.Ptr("aud1"),
 			Issuer:   issuerGoogleAccounts,
 		},
 		CallbackURL: callbackURL,
 	})
 	providerFacebook := oidcProviderForTest(t, &OIDCProvider{
 		Name: "Facebook",
 		JWTConfigCommon: JWTConfigCommon{
-			ClientID: base.StringPtr("aud1"),
+			ClientID: base.Ptr("aud1"),
 			Issuer:   issuerFacebookAccounts,
 		},
 		CallbackURL: callbackURL,
@@ -1415,7 +1415,7 @@ func TestAuthenticateUntrustedJWT(t *testing.T) {
 			Name:        providerGoogle.Name,
 			JWTConfigCommon: JWTConfigCommon{
 				Issuer:   issuerGoogleAccounts,
-				ClientID: base.StringPtr("aud1"),
+				ClientID: base.Ptr("aud1"),
 				Register: true,
 			},
 		})

auth/jwt.go

@@ -200,7 +200,7 @@ func (l *LocalJWTAuthProvider) verifyToken(ctx context.Context, token string, _
 		ClientID:             *l.ClientID,
 		SkipClientIDCheck:    *l.ClientID == "",
 		SupportedSigningAlgs: l.Algorithms,
-		SkipExpiryCheck:      base.BoolDefault(l.SkipExpiryCheck, false),
+		SkipExpiryCheck:      base.ValDefault(l.SkipExpiryCheck, false),
 	})
 
 	idToken, err := verifier.Verify(ctx, token)

auth/jwt_test.go

@@ -89,19 +89,19 @@ func TestJWTVerifyToken(t *testing.T) {
 	ctx := base.TestCtx(t)
 	common := JWTConfigCommon{
 		Issuer:   testIssuer,
-		ClientID: base.StringPtr(testClientID),
+		ClientID: base.Ptr(testClientID),
 	}
 	baseProvider := LocalJWTAuthConfig{
 		JWTConfigCommon: common,
 		Algorithms:      []string{"RS256", "ES256"},
 		Keys:            []jose.JSONWebKey{testRSAJWK, testECJWK, testEncRSAJWK},
-		SkipExpiryCheck: base.BoolPtr(true),
+		SkipExpiryCheck: base.Ptr(true),
 	}.BuildProvider(ctx, "test")
 	providerWithExpiryCheck := LocalJWTAuthConfig{
 		JWTConfigCommon: common,
 		Algorithms:      []string{"RS256", "ES256"},
 		Keys:            []jose.JSONWebKey{testRSAJWK, testECJWK, testEncRSAJWK},
-		SkipExpiryCheck: base.BoolPtr(false),
+		SkipExpiryCheck: base.Ptr(false),
 	}.BuildProvider(ctx, "test")
 
 	t.Run("garbage", test(baseProvider, "INVALID", anyError))

auth/oidc.go

@@ -217,7 +217,7 @@
 func (opm OIDCProviderMap) GetProviderForIssuer(ctx context.Context, issuer string, audiences []string) *OIDCProvider {
 	base.DebugfCtx(ctx, base.KeyAuth, "GetProviderForIssuer with issuer: %v, audiences: %+v", base.UD(issuer), base.UD(audiences))
 	for _, provider := range opm {
-		clientID := base.StringDefault(provider.ClientID, "")
+		clientID := base.ValDefault(provider.ClientID, "")
 		if provider.Issuer == issuer && clientID != "" {
 			// Iterate over the audiences looking for a match
 			for _, aud := range audiences {
@@ -310,7 +310,7 @@
 	}
 
 	config := oauth2.Config{
-		ClientID:    base.StringDefault(op.ClientID, ""),
+		ClientID:    base.ValDefault(op.ClientID, ""),
 		RedirectURL: *op.CallbackURL,
 	}
 
@@ -405,7 +405,7 @@
 	for i := 1; i <= maxRetryAttempts; i++ {
 		provider, err = oidc.NewProvider(GetOIDCClientContext(op.InsecureSkipVerify), op.Issuer)
 		if err == nil && provider != nil {
-			verifier = provider.Verifier(&oidc.Config{ClientID: base.StringDefault(op.ClientID, "")})
+			verifier = provider.Verifier(&oidc.Config{ClientID: base.ValDefault(op.ClientID, "")})
 			if err = provider.Claims(&metadata); err != nil {
 				base.ErrorfCtx(ctx, "Error caching metadata from standard issuer-based discovery endpoint: %s", base.UD(discoveryURL))
 			}
@@ -517,6 +517,7 @@
 	}
 
 	if err := base.JSONUnmarshal(bodyBytes, &metadata); err != nil {
+		err = base.ErrInvalidJSON
 		base.InfofCtx(ctx, base.KeyAuth, "Error parsing body during discovery sync: %v", err)
 		return ProviderMetadata{}, MaxProviderConfigSyncInterval, false, err
 	}
@@ -565,7 +566,7 @@
 	if len(signingAlgorithms.unsupportedAlgorithms) > 0 {
 		base.InfofCtx(ctx, base.KeyAuth, "Found algorithms not supported by underlying OpenID Connect library: %v", signingAlgorithms.unsupportedAlgorithms)
 	}
-	config := &oidc.Config{ClientID: base.StringDefault(op.ClientID, "")}
+	config := &oidc.Config{ClientID: base.ValDefault(op.ClientID, "")}
 	if len(signingAlgorithms.supportedAlgorithms) > 0 {
 		config.SupportedSigningAlgs = signingAlgorithms.supportedAlgorithms
 	}
@@ -653,7 +654,7 @@
 // Returns an error if issuer is not present, returns an empty []string when audience is not present.
 func getIssuerWithAudience(token *jwt.JSONWebToken) (issuer string, audiences []string, err error) {
 	claims := &jwt.Claims{}
 	err = token.UnsafeClaimsWithoutVerification(claims)
 	if err != nil {
 		return issuer, audiences, pkgerrors.Wrapf(err, "failed to parse JWT claims")
 	}

auth/oidc_test.go

@@ -246,7 +246,7 @@ func TestInitOIDCClient(t *testing.T) {
 			JWTConfigCommon: JWTConfigCommon{
 				Issuer: "http://127.0.0.1:12345/auth",
 			},
-			CallbackURL: base.StringPtr("http://127.0.0.1:12345/callback"),
+			CallbackURL: base.Ptr("http://127.0.0.1:12345/callback"),
 		})
 		err := provider.initOIDCClient(ctx)
 		require.Error(t, err, "openid connect client with unavailable issuer")
@@ -256,10 +256,10 @@ func TestInitOIDCClient(t *testing.T) {
 	t.Run("initialize openid connect client with valid provider config", func(t *testing.T) {
 		provider := oidcProviderForTest(t, &OIDCProvider{
 			JWTConfigCommon: JWTConfigCommon{
-				ClientID: base.StringPtr("foo"),
+				ClientID: base.Ptr("foo"),
 				Issuer:   "https://accounts.google.com",
 			},
-			CallbackURL: base.StringPtr("http://sgw-test:4984/_callback"),
+			CallbackURL: base.Ptr("http://sgw-test:4984/_callback"),
 		})
 		err := provider.initOIDCClient(ctx)
 		require.NoError(t, err, "openid connect client with unavailable issuer")
@@ -270,10 +270,10 @@ func TestConcurrentSetConfig(t *testing.T) {
 	providerLock := sync.Mutex{}
 	provider := oidcProviderForTest(t, &OIDCProvider{
 		JWTConfigCommon: JWTConfigCommon{
-			ClientID: base.StringPtr("foo"),
+			ClientID: base.Ptr("foo"),
 			Issuer:   "https://accounts.google.com",
 		},
-		CallbackURL: base.StringPtr("http://sgw-test:4984/_callback"),
+		CallbackURL: base.Ptr("http://sgw-test:4984/_callback"),
 	})
 
 	ctx := base.TestCtx(t)

auth/session.go

@@ -114,15 +114,24 @@ func (auth *Authenticator) CreateSession(ctx context.Context, user User, ttl tim
 	return session, nil
 }
 
+// GetSession returns a session by ID. Return a not found error if the session is not found, or is invalid.
 func (auth *Authenticator) GetSession(sessionID string) (*LoginSession, error) {
 	var session LoginSession
 	_, err := auth.datastore.Get(auth.DocIDForSession(sessionID), &session)
 	if err != nil {
-		if base.IsDocNotFoundError(err) {
-			err = nil
-		}
 		return nil, err
 	}
+	user, err := auth.GetUser(session.Username)
+	if err != nil {
+		return nil, err
+	}
+	if user == nil {
+		return nil, base.ErrNotFound
+	}
+	if session.SessionUUID != user.GetSessionUUID() {
+		return nil, base.ErrNotFound
+	}
+
 	return &session, nil
 }
 

auth/session_test.go

@@ -91,10 +91,9 @@ func TestDeleteSession(t *testing.T) {
 	assert.NoError(t, dataStore.Set(auth.DocIDForSession(mockSession.ID), noSessionExpiry, nil, mockSession))
 	assert.NoError(t, auth.DeleteSession(ctx, mockSession.ID, ""))
 
-	// Just to verify the session has been deleted gracefully.
 	session, err := auth.GetSession(mockSession.ID)
 	assert.Nil(t, session)
-	assert.NoError(t, err)
+	base.RequireDocNotFoundError(t, err)
 }
 
 // Coverage for MakeSessionCookie. The MakeSessionCookie should create a cookie