couchbase 3.2.5 → 3.2.7

package/deps/lcb/src/ssl/ssl_common.c

@@ -32,6 +32,26 @@
 #define LOGARGS(ssl, lvl) ((lcbio_SOCKET *)SSL_get_app_data(ssl))->settings, "SSL", lvl, __FILE__, __LINE__
 static char *global_event = "dummy event for ssl";
 
+static const char *capella_ca_cert = "-----BEGIN CERTIFICATE-----\n"
+                                     "MIIDFTCCAf2gAwIBAgIRANLVkgOvtaXiQJi0V6qeNtswDQYJKoZIhvcNAQELBQAw\n"
+                                     "JDESMBAGA1UECgwJQ291Y2hiYXNlMQ4wDAYDVQQLDAVDbG91ZDAeFw0xOTEyMDYy\n"
+                                     "MjEyNTlaFw0yOTEyMDYyMzEyNTlaMCQxEjAQBgNVBAoMCUNvdWNoYmFzZTEOMAwG\n"
+                                     "A1UECwwFQ2xvdWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCfvOIi\n"
+                                     "enG4Dp+hJu9asdxEMRmH70hDyMXv5ZjBhbo39a42QwR59y/rC/sahLLQuNwqif85\n"
+                                     "Fod1DkqgO6Ng3vecSAwyYVkj5NKdycQu5tzsZkghlpSDAyI0xlIPSQjoORA/pCOU\n"
+                                     "WOpymA9dOjC1bo6rDyw0yWP2nFAI/KA4Z806XeqLREuB7292UnSsgFs4/5lqeil6\n"
+                                     "rL3ooAw/i0uxr/TQSaxi1l8t4iMt4/gU+W52+8Yol0JbXBTFX6itg62ppb/Eugmn\n"
+                                     "mQRMgL67ccZs7cJ9/A0wlXencX2ohZQOR3mtknfol3FH4+glQFn27Q4xBCzVkY9j\n"
+                                     "KQ20T1LgmGSngBInAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYE\n"
+                                     "FJQOBPvrkU2In1Sjoxt97Xy8+cKNMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0B\n"
+                                     "AQsFAAOCAQEARgM6XwcXPLSpFdSf0w8PtpNGehmdWijPM3wHb7WZiS47iNen3oq8\n"
+                                     "m2mm6V3Z57wbboPpfI+VEzbhiDcFfVnK1CXMC0tkF3fnOG1BDDvwt4jU95vBiNjY\n"
+                                     "xdzlTP/Z+qr0cnVbGBSZ+fbXstSiRaaAVcqQyv3BRvBadKBkCyPwo+7svQnScQ5P\n"
+                                     "Js7HEHKVms5tZTgKIw1fbmgR2XHleah1AcANB+MAPBCcTgqurqr5G7W2aPSBLLGA\n"
+                                     "fRIiVzm7VFLc7kWbp7ENH39HVG6TZzKnfl9zJYeiklo5vQQhGSMhzBsO70z4RRzi\n"
+                                     "DPFAN/4qZAgD5q3AFNIq2WWADFQGSwVJhg==\n"
+                                     "-----END CERTIFICATE-----\n";
+
 /******************************************************************************
  ******************************************************************************
  ** Boilerplate lcbio_TABLE Wrappers                                         **
@@ -221,6 +241,9 @@ static void log_callback(const SSL *ssl, int where, int ret)
 {
     int should_log = 0;
     lcbio_SOCKET *sock = SSL_get_app_data(ssl);
+    if (sock == NULL) {
+        return;
+    }
     /* Ignore low-level SSL stuff */
 
     if (where & SSL_CB_ALERT) {
@@ -298,6 +321,48 @@ static long decode_ssl_protocol(const char *protocol)
     return disallow;
 }
 
+static lcb_STATUS add_certificate_authority(const lcb_settings *settings, SSL_CTX *ctx, const char *certificate_value,
+                                            int certificate_length)
+{
+    lcb_STATUS rc = LCB_SUCCESS;
+    ERR_clear_error();
+
+    BIO *bio = BIO_new_mem_buf(certificate_value, certificate_length);
+    if (bio) {
+        X509_STORE *store = SSL_CTX_get_cert_store(ctx);
+        if (store) {
+            for (int added = 0;; added = 1) {
+                X509 *cert = PEM_read_bio_X509(bio, 0, 0, 0);
+                if (!cert) {
+                    unsigned long err = ERR_get_error();
+                    if (added && ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE) {
+                        break;
+                    }
+                    lcb_log(LOGARGS_S(settings, LCB_LOG_ERROR),
+                            "Unable to load default certificate: lib=%s, func=%s, reason=%s", ERR_lib_error_string(err),
+                            ERR_func_error_string(err), ERR_reason_error_string(err));
+                    rc = LCB_ERR_SSL_ERROR;
+                    goto GT_CLEANUP;
+                }
+
+                int ok = X509_STORE_add_cert(store, cert);
+                X509_free(cert);
+                if (ok != 1) {
+                    unsigned long err = ERR_get_error();
+                    lcb_log(LOGARGS_S(settings, LCB_LOG_ERROR),
+                            "Unable to add default certificate: lib=%s, func=%s, reason=%s", ERR_lib_error_string(err),
+                            ERR_func_error_string(err), ERR_reason_error_string(err));
+                    rc = LCB_ERR_SSL_ERROR;
+                    goto GT_CLEANUP;
+                }
+            }
+        }
+    }
+GT_CLEANUP:
+    BIO_free(bio);
+    return rc;
+}
+
 lcbio_pSSLCTX lcbio_ssl_new(const char *tsfile, const char *cafile, const char *keyfile, int noverify, lcb_STATUS *errp,
                             lcb_settings *settings)
 {
@@ -351,28 +416,41 @@ lcbio_pSSLCTX lcbio_ssl_new(const char *tsfile, const char *cafile, const char *
     }
 #endif
 
-    if (cafile || tsfile) {
+    if (tsfile) {
         lcb_log(LOGARGS_S(settings, LCB_LOG_DEBUG), "Load verify locations from \"%s\"", tsfile ? tsfile : cafile);
         if (!SSL_CTX_load_verify_locations(ret->ctx, tsfile ? tsfile : cafile, NULL)) {
             *errp = LCB_ERR_SSL_ERROR;
             goto GT_ERR;
         }
-        if (cafile && keyfile) {
-            lcb_log(LOGARGS_S(settings, LCB_LOG_DEBUG), "Authenticate with key \"%s\", cert \"%s\"", keyfile, cafile);
-            if (!SSL_CTX_use_certificate_chain_file(ret->ctx, cafile)) {
-                *errp = LCB_ERR_SSL_ERROR;
-                goto GT_ERR;
-            }
-            if (!SSL_CTX_use_PrivateKey_file(ret->ctx, keyfile, SSL_FILETYPE_PEM)) {
-                lcb_log(LOGARGS_S(settings, LCB_LOG_ERROR), "Unable to load private key \"%s\"", keyfile);
-                *errp = LCB_ERR_SSL_ERROR;
-                goto GT_ERR;
-            }
-            if (!SSL_CTX_check_private_key(ret->ctx)) {
-                lcb_log(LOGARGS_S(settings, LCB_LOG_ERROR), "Unable to verify private key \"%s\"", keyfile);
-                *errp = LCB_ERR_SSL_ERROR;
-                goto GT_ERR;
-            }
+    } else {
+        lcb_log(LOGARGS_S(settings, LCB_LOG_DEBUG), "Use default CA for TLS verify");
+        if (SSL_CTX_set_default_verify_paths(ret->ctx) != 1) {
+            unsigned long err = ERR_get_error();
+            lcb_log(LOGARGS_S(settings, LCB_LOG_WARN), "Unable to load system certificates: lib=%s, reason=%s",
+                    ERR_lib_error_string(err), ERR_reason_error_string(err));
+        }
+        // add the capella Root CA if no other CA was specified.
+        *errp = add_certificate_authority(settings, ret->ctx, capella_ca_cert, strlen(capella_ca_cert));
+        if (*errp != LCB_SUCCESS) {
+            goto GT_ERR;
+        }
+    }
+
+    if (cafile && keyfile) {
+        lcb_log(LOGARGS_S(settings, LCB_LOG_DEBUG), "Authenticate with key \"%s\", cert \"%s\"", keyfile, cafile);
+        if (!SSL_CTX_use_certificate_chain_file(ret->ctx, cafile)) {
+            *errp = LCB_ERR_SSL_ERROR;
+            goto GT_ERR;
+        }
+        if (!SSL_CTX_use_PrivateKey_file(ret->ctx, keyfile, SSL_FILETYPE_PEM)) {
+            lcb_log(LOGARGS_S(settings, LCB_LOG_ERROR), "Unable to load private key \"%s\"", keyfile);
+            *errp = LCB_ERR_SSL_ERROR;
+            goto GT_ERR;
+        }
+        if (!SSL_CTX_check_private_key(ret->ctx)) {
+            lcb_log(LOGARGS_S(settings, LCB_LOG_ERROR), "Unable to verify private key \"%s\"", keyfile);
+            *errp = LCB_ERR_SSL_ERROR;
+            goto GT_ERR;
         }
     }
 
@@ -422,15 +500,25 @@ GT_ERR:
     return NULL;
 }
 
+struct proto_ctx_ssl {
+    lcbio_PROTOCTX proto;
+    SSL *ssl;
+};
+
 static void noop_dtor(lcbio_PROTOCTX *arg)
 {
-    free(arg);
+    if (!arg) {
+        return;
+    }
+    struct proto_ctx_ssl *sproto = (struct proto_ctx_ssl *)arg;
+    SSL_set_app_data(sproto->ssl, NULL);
+    free(sproto);
 }
 
 lcb_STATUS lcbio_ssl_apply(lcbio_SOCKET *sock, lcbio_pSSLCTX sctx)
 {
     lcbio_pTABLE old_iot = sock->io, new_iot;
-    lcbio_PROTOCTX *sproto;
+    struct proto_ctx_ssl *sproto;
 
     if (old_iot->model == LCB_IOMODEL_EVENT) {
         new_iot = lcbio_Essl_new(old_iot, sock->u.fd, sctx->ctx);
@@ -440,12 +528,13 @@ lcb_STATUS lcbio_ssl_apply(lcbio_SOCKET *sock, lcbio_pSSLCTX sctx)
 
     if (new_iot) {
         sproto = calloc(1, sizeof(*sproto));
-        sproto->id = LCBIO_PROTOCTX_SSL;
-        sproto->dtor = noop_dtor;
-        lcbio_protoctx_add(sock, sproto);
+        sproto->proto.id = LCBIO_PROTOCTX_SSL;
+        sproto->proto.dtor = noop_dtor;
+        lcbio_protoctx_add(sock, &sproto->proto);
         lcbio_table_unref(old_iot);
         sock->io = new_iot;
         /* just for logging */
+        sproto->ssl = ((lcbio_XSSL *)new_iot)->ssl;
         SSL_set_app_data(((lcbio_XSSL *)new_iot)->ssl, sock);
         return LCB_SUCCESS;
 

package/deps/lcb/src/vbucket/vbucket.c

@@ -932,12 +932,19 @@ char *lcbvb_save_json(lcbvb_CONFIG *cfg)
     cJSON *tmp = NULL, *nodes = NULL;
     cJSON *root = cJSON_CreateObject();
 
-    if (cfg->dtype == LCBVB_DIST_VBUCKET) {
-        tmp = cJSON_CreateString("vbucket");
-    } else {
-        tmp = cJSON_CreateString("ketama");
+    switch (cfg->dtype) {
+        case  LCBVB_DIST_VBUCKET:
+            tmp = cJSON_CreateString("vbucket");
+            break;
+        case LCBVB_DIST_KETAMA:
+            tmp = cJSON_CreateString("ketama");
+            break;
+        default:
+            break;
+    }
+    if (tmp) {
+        cJSON_AddItemToObject(root, "nodeLocator", tmp);
     }
-    cJSON_AddItemToObject(root, "nodeLocator", tmp);
 
     if (cfg->buuid) {
         tmp = cJSON_CreateString(cfg->buuid);
@@ -951,8 +958,10 @@ char *lcbvb_save_json(lcbvb_CONFIG *cfg)
         tmp = cJSON_CreateInt64(cfg->revid);
         cJSON_AddItemToObject(root, "rev", tmp);
     }
-    tmp = cJSON_CreateString(cfg->bname);
-    cJSON_AddItemToObject(root, "name", tmp);
+    if (cfg->bname != NULL) {
+        tmp = cJSON_CreateString(cfg->bname);
+        cJSON_AddItemToObject(root, "name", tmp);
+    }
 
     nodes = cJSON_CreateArray();
     cJSON_AddItemToObject(root, "nodesExt", nodes);

package/deps/lcb/tests/CMakeLists.txt

@@ -173,7 +173,7 @@ MACRO(DEFINE_MOCKTEST plugin test)
             --gtest_filter="ContaminatingUnitTest.*"
             --gtest_throw_on_failure=1
             --gtest_print_time=1
-            --gtest_output=xml:"${PROJECT_BINARY_DIR}/REPORT_${plugin}_${test}.xml")
+            --gtest_output=xml:"${PROJECT_BINARY_DIR}/REPORT_${plugin}_${test}_contaminating.xml")
     SET_TESTS_PROPERTIES(check-contaminating-${plugin}-${test} PROPERTIES LABELS "contaminating" )
 ENDMACRO()
 

package/deps/lcb/tests/ioserver/ssl_connection.cc

@@ -69,14 +69,16 @@ static void log_callback(const SSL *ssl, int where, int ret)
 }
 }
 
-// http://stackoverflow.com/questions/256405/programmatically-create-x509-certificate-using-openss l
+// http://stackoverflow.com/questions/256405/programmatically-create-x509-certificate-using-openssl
 // http://www.opensource.apple.com/source/OpenSSL/OpenSSL-22/openssl/demos/x509/mkcert.c
 // Note we deviate from the examples by directly setting the certificate.
 
-static void genCertificate(SSL_CTX *ctx)
-{
-    EVP_PKEY *pkey = EVP_PKEY_new();
+static void genCertificate(SSL_CTX *ctx) {
     X509 *x509 = X509_new();
+#if OPENSSL_VERSION_NUMBER >= 0x3000000fL
+    EVP_PKEY *pkey = EVP_RSA_gen(2048);
+#else
+    EVP_PKEY *pkey = EVP_PKEY_new();
     RSA *rsa = RSA_new();
     BIGNUM *exponent = BN_new();
     BN_set_word(exponent, RSA_F4);
@@ -84,6 +86,7 @@ static void genCertificate(SSL_CTX *ctx)
     BN_free(exponent);
 
     EVP_PKEY_assign_RSA(pkey, rsa);
+#endif
     ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
     X509_gmtime_adj(X509_get_notBefore(x509), 0);
     X509_gmtime_adj(X509_get_notAfter(x509), 31536000L);
@@ -94,7 +97,7 @@ static void genCertificate(SSL_CTX *ctx)
     X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC, (unsigned char *)"MyCompany Inc.", -1, -1, 0);
     X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, (unsigned char *)"localhost", -1, -1, 0);
     X509_set_issuer_name(x509, name);
-    X509_sign(x509, pkey, EVP_sha1());
+    X509_sign(x509, pkey, EVP_sha384());
 
     SSL_CTX_use_PrivateKey(ctx, pkey);
     SSL_CTX_use_certificate(ctx, x509);

package/deps/lcb/tests/iotests/mock-environment.cc

@@ -430,6 +430,9 @@ static void statsCallback(lcb_INSTANCE *instance, lcb_CALLBACK_TYPE, const lcb_R
                     case 1:
                         version = MockEnvironment::VERSION_71;
                         break;
+                    case 2:
+                        version = MockEnvironment::VERSION_72;
+                        break;
                     default:
                         break;
                 }

package/deps/lcb/tests/iotests/mock-environment.h

@@ -248,6 +248,7 @@ class MockEnvironment : public ::testing::Environment
         VERSION_66 = 12,
         VERSION_70 = 13,
         VERSION_71 = 14,
+        VERSION_72 = 15,
     };
 
     void SetUp() override;

package/deps/lcb/tests/iotests/t_ratelimit.cc

@@ -89,6 +89,7 @@ TEST_F(RateLimitTest, testRateLimitsKVNumOps)
 {
     SKIP_IF_MOCK()
     SKIP_IF_CLUSTER_VERSION_IS_LOWER_THAN(MockEnvironment::VERSION_71)
+    SKIP_IF_CLUSTER_VERSION_IS_HIGHER_THAN(MockEnvironment::VERSION_72)
     HandleWrap hw;
     lcb_INSTANCE *instance;
     createConnection(hw, &instance);
@@ -131,6 +132,7 @@ TEST_F(RateLimitTest, testRateLimitsKVIngress)
 {
     SKIP_IF_MOCK()
     SKIP_IF_CLUSTER_VERSION_IS_LOWER_THAN(MockEnvironment::VERSION_71)
+    SKIP_IF_CLUSTER_VERSION_IS_HIGHER_THAN(MockEnvironment::VERSION_72)
     HandleWrap hw;
     lcb_INSTANCE *instance;
     createConnection(hw, &instance);
@@ -162,6 +164,7 @@ TEST_F(RateLimitTest, testRateLimitsKVEgress)
 {
     SKIP_IF_MOCK()
     SKIP_IF_CLUSTER_VERSION_IS_LOWER_THAN(MockEnvironment::VERSION_71)
+    SKIP_IF_CLUSTER_VERSION_IS_HIGHER_THAN(MockEnvironment::VERSION_72)
     HandleWrap hw;
     lcb_INSTANCE *instance;
     createConnection(hw, &instance);
@@ -198,6 +201,7 @@ TEST_F(RateLimitTest, testRateLimitsKVMaxConnections)
 {
     SKIP_IF_MOCK()
     SKIP_IF_CLUSTER_VERSION_IS_LOWER_THAN(MockEnvironment::VERSION_71)
+    SKIP_IF_CLUSTER_VERSION_IS_HIGHER_THAN(MockEnvironment::VERSION_72)
     HandleWrap hw;
     lcb_INSTANCE *instance;
     createConnection(hw, &instance);
@@ -438,6 +442,7 @@ TEST_F(RateLimitTest, testRateLimitsKVScopeDataSize)
 {
     SKIP_IF_MOCK()
     SKIP_IF_CLUSTER_VERSION_IS_LOWER_THAN(MockEnvironment::VERSION_71)
+    SKIP_IF_CLUSTER_VERSION_IS_HIGHER_THAN(MockEnvironment::VERSION_72)
     HandleWrap hw;
     lcb_INSTANCE *instance;
     createConnection(hw, &instance);
@@ -478,6 +483,7 @@ TEST_F(RateLimitTest, testRateLimitsQueryNumIndexes)
 {
     SKIP_IF_MOCK()
     SKIP_IF_CLUSTER_VERSION_IS_LOWER_THAN(MockEnvironment::VERSION_71)
+    SKIP_IF_CLUSTER_VERSION_IS_HIGHER_THAN(MockEnvironment::VERSION_72)
     HandleWrap hw;
     lcb_INSTANCE *instance;
     createConnection(hw, &instance);
@@ -527,6 +533,7 @@ TEST_F(RateLimitTest, testRateLimitsSearchNumQueries)
 {
     SKIP_IF_MOCK()
     SKIP_IF_CLUSTER_VERSION_IS_LOWER_THAN(MockEnvironment::VERSION_71)
+    SKIP_IF_CLUSTER_VERSION_IS_HIGHER_THAN(MockEnvironment::VERSION_72)
     HandleWrap hw;
     lcb_INSTANCE *instance;
     createConnection(hw, &instance);
@@ -576,6 +583,7 @@ TEST_F(RateLimitTest, testRateLimitsSearchEgress)
 {
     SKIP_IF_MOCK()
     SKIP_IF_CLUSTER_VERSION_IS_LOWER_THAN(MockEnvironment::VERSION_71)
+    SKIP_IF_CLUSTER_VERSION_IS_HIGHER_THAN(MockEnvironment::VERSION_72)
     HandleWrap hw;
     lcb_INSTANCE *instance;
     createConnection(hw, &instance);
@@ -631,6 +639,7 @@ TEST_F(RateLimitTest, testRateLimitsSearchIngress)
 {
     SKIP_IF_MOCK()
     SKIP_IF_CLUSTER_VERSION_IS_LOWER_THAN(MockEnvironment::VERSION_71)
+    SKIP_IF_CLUSTER_VERSION_IS_HIGHER_THAN(MockEnvironment::VERSION_72)
     HandleWrap hw;
     lcb_INSTANCE *instance;
     createConnection(hw, &instance);
@@ -684,6 +693,7 @@ TEST_F(RateLimitTest, testRateLimitsSearchConcurrentRequests)
 {
     SKIP_IF_MOCK()
     SKIP_IF_CLUSTER_VERSION_IS_LOWER_THAN(MockEnvironment::VERSION_71)
+    SKIP_IF_CLUSTER_VERSION_IS_HIGHER_THAN(MockEnvironment::VERSION_72)
     HandleWrap hw;
     lcb_INSTANCE *instance;
     createConnection(hw, &instance);
@@ -726,4 +736,4 @@ TEST_F(RateLimitTest, testRateLimitsSearchConcurrentRequests)
     ASSERT_TRUE(found_error);
 
     drop_user(instance, username);
-}
+}

package/deps/lcb/tools/CMakeLists.txt

@@ -75,7 +75,7 @@ IF(NOT WIN32)
     LIST(APPEND CBC_SUBCOMMANDS
         cat create observe observe-seqno incr decr hash lock
         unlock rm stats version verbosity view n1ql admin ping
-        bucket-create bucket-delete bucket-flush connstr write-config strerror
+        bucket-list bucket-create bucket-delete bucket-flush connstr write-config strerror
         touch role-list user-list user-upsert user-delete watch
         mcversion keygen collection-manifest collection-id
         )

package/deps/lcb/tools/cbc-handlers.h

@@ -827,6 +827,45 @@ class UserUpsertHandler : public AdminHandler
     std::string body;
 };
 
+class BucketListHandler : public AdminHandler
+{
+  public:
+    HANDLER_DESCRIPTION("List buckets")
+    HANDLER_USAGE("NAME [OPTIONS ...]")
+    BucketListHandler() : AdminHandler("bucket-list"), o_raw('r', "raw")
+    {
+        o_raw.description("Do not reformat output from server (display JSON response)");
+    }
+
+  protected:
+    void run() override;
+    void format();
+
+    void addOptions() override
+    {
+        AdminHandler::addOptions();
+        parser.addOption(o_raw);
+    }
+
+    std::string getURI() override
+    {
+        return "/pools/default/buckets";
+    }
+
+    std::string getContentType() override
+    {
+        return "application/json";
+    }
+    
+    lcb_HTTP_METHOD getMethod() override
+    {
+        return LCB_HTTP_METHOD_GET;
+    }
+
+  private:
+    cliopts::BoolOption o_raw;
+};
+
 class BucketCreateHandler : public AdminHandler
 {
   public:

package/deps/lcb/tools/cbc-n1qlback.cc

@@ -458,6 +458,7 @@ class ThreadContext
         lcb_STATUS rc = lcb_query(m_instance, &qctx, m_cmd);
         if (rc != LCB_SUCCESS) {
             log_error(rc, query.payload.c_str(), query.payload.size());
+            lcb_tick_nowait(m_instance);
         } else {
             lcb_wait(m_instance, LCB_WAIT_DEFAULT);
             m_metrics.lock();