MINIFICPP-2470 Add mTLS authentication support to CouchbaseClusterSer…

…vice
lordgamez · Oct 16, 2024 · ef790d5 · ef790d5
1 parent add4e1b
commit ef790d5
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 8 deletions.
diff --git a/extensions/couchbase/controllerservices/CouchbaseClusterService.cpp b/extensions/couchbase/controllerservices/CouchbaseClusterService.cpp
@@ -136,8 +136,7 @@ nonstd::expected<void, CouchbaseErrorType> CouchbaseClient::establishConnection(
     return {};
   }
 
-  auto options = ::couchbase::cluster_options(username_, password_);
-  auto [connect_err, cluster] = ::couchbase::cluster::connect(connection_string_, options).get();
+  auto [connect_err, cluster] = ::couchbase::cluster::connect(connection_string_, cluster_options_).get();
   if (connect_err.ec()) {
     logger_->log_error("Failed to connect to Couchbase cluster with error code: '{}' and message: '{}'", connect_err.ec(), connect_err.message());
     return nonstd::make_unexpected(getErrorType(connect_err.ec()));
@@ -159,11 +158,28 @@ void CouchbaseClusterService::onEnable() {
   getProperty(UserName, username);
   std::string password;
   getProperty(UserPassword, password);
-  if (connection_string.empty() || username.empty() || password.empty()) {
-    throw minifi::Exception(ExceptionType::PROCESS_SCHEDULE_EXCEPTION, "Missing connection string, username or password");
+  if (connection_string.empty()) {
+    throw minifi::Exception(ExceptionType::PROCESS_SCHEDULE_EXCEPTION, "Missing connection string");
+  }
+
+  if ((username.empty() || password.empty()) && linked_services_.size() == 0) {
+    throw minifi::Exception(ExceptionType::PROCESS_SCHEDULE_EXCEPTION, "Missing username and password or SSLConextService as a linked service");
+  }
+
+  if ((!username.empty() && !password.empty()) && linked_services_.size() > 0) {
+    throw minifi::Exception(ExceptionType::PROCESS_SCHEDULE_EXCEPTION, "Either username and password or SSLConextService as a linked service should be provided exclusively for authentication");
+  }
+
+  if (linked_services_.size() > 0) {
+    auto ssl_context_service = std::dynamic_pointer_cast<minifi::controllers::SSLContextService>(linked_services_[0]);
+    if (!ssl_context_service) {
+      throw minifi::Exception(ExceptionType::PROCESS_SCHEDULE_EXCEPTION, "Linked service is not an SSLContextService");
+    }
+    client_ = std::make_unique<CouchbaseClient>(connection_string, *ssl_context_service, logger_);
+  } else {
+    client_ = std::make_unique<CouchbaseClient>(connection_string, username, password, logger_);
   }
 
-  client_ = std::make_unique<CouchbaseClient>(connection_string, username, password, logger_);
   auto result = client_->establishConnection();
   if (!result) {
     if (result.error() == CouchbaseErrorType::FATAL) {

diff --git a/extensions/couchbase/controllerservices/CouchbaseClusterService.h b/extensions/couchbase/controllerservices/CouchbaseClusterService.h
@@ -30,6 +30,7 @@
 #include "couchbase/cluster.hxx"
 #include "core/ProcessContext.h"
 #include "core/logging/LoggerConfiguration.h"
+#include "controllers/SSLContextService.h"
 
 namespace org::apache::nifi::minifi::couchbase {
 
@@ -69,7 +70,17 @@ enum class CouchbaseErrorType {
 class CouchbaseClient {
  public:
   CouchbaseClient(std::string connection_string, std::string username, std::string password, const std::shared_ptr<core::logging::Logger>& logger)
-    : connection_string_(std::move(connection_string)), username_(std::move(username)), password_(std::move(password)), logger_(logger) {
+    : connection_string_(std::move(connection_string)), cluster_options_(std::move(username), std::move(password)), logger_(logger) {
+  }
+
+  CouchbaseClient(std::string connection_string, controllers::SSLContextService& ssl_context_service, const std::shared_ptr<core::logging::Logger>& logger)
+    : connection_string_(std::move(connection_string)),
+      cluster_options_(::couchbase::certificate_authenticator(ssl_context_service.getCertificateFile().string(), ssl_context_service.getPrivateKeyFile().string())),
+      logger_(logger) {
+    if (!ssl_context_service.getCACertificate().empty()) {
+      cluster_options_.security().trust_certificate(ssl_context_service.getCertificateFile().string());
+    }
+    cluster_options_.security().tls_verify(::couchbase::tls_verify_mode::peer);
   }
 
   nonstd::expected<CouchbaseUpsertResult, CouchbaseErrorType> upsert(const CouchbaseCollection& collection, CouchbaseValueType document_type, const std::string& document_id,
@@ -94,8 +105,7 @@ class CouchbaseClient {
   nonstd::expected<::couchbase::collection, CouchbaseErrorType> getCollection(const CouchbaseCollection& collection);
 
   std::string connection_string_;
-  std::string username_;
-  std::string password_;
+  ::couchbase::cluster_options cluster_options_;
   std::optional<::couchbase::cluster> cluster_;
   std::shared_ptr<core::logging::Logger> logger_;
 };