MB-51776 Add --use-client-cert flag to server-add

lubomarinski · lubomarinski · commit 8953be81bbaa · 2025-04-01T11:00:43.000Z
Optionally the --use-client-cert can be used instead of --server-add-username and --server-add-password. Change-Id: I7691dc30deeeb660ac315cdc0c7bc19bf29237b5 Reviewed-on: https://review.couchbase.org/c/couchbase-cli/+/225641 Reviewed-by: Matt Hall <matt.hall@couchbase.com> Tested-by: Build Bot <build@couchbase.com>
diff --git a/cbmgr.py b/cbmgr.py
@@ -2460,9 +2460,11 @@ def __init__(self):
         group.add_argument("--server-add", dest="servers", metavar="<server_list>", required=True,
                            help="The list of servers to add")
         group.add_argument("--server-add-username", dest="server_username", metavar="<username>",
-                           required=True, help="The username for the server to add")
+                           help="The username for the server to add")
         group.add_argument("--server-add-password", dest="server_password", metavar="<password>",
-                           required=True, help="The password for the server to add")
+                           help="The password for the server to add")
+        group.add_argument("--use-client-cert", dest="use_client_cert", action="store_true",
+                           help="Use client certificate for authentication")
         group.add_argument("--group-name", dest="group_name", metavar="<name>",
                            help="The server group to add this server into")
         group.add_argument("--services", dest="services", default="", metavar="<services>",
@@ -2472,6 +2474,14 @@ def __init__(self):
 
     @rest_initialiser(cluster_init_check=True, version_check=True, enterprise_check=False)
     def execute(self, opts):
+        if opts.use_client_cert:
+            if opts.server_username is not None or opts.server_password is not None:
+                _exit_if_errors(["cannot use --server-add-username and --server-add-password with --use-client-cert"])
+        else:
+            if opts.server_username is None or opts.server_password is None:
+                _exit_if_errors(
+                    ["provide either both --server-add-username and --server-add-password or the --use-client-cert flag"])
+
         if not self.enterprise and opts.index_storage_mode == 'memopt':
             _exit_if_errors(["memopt option for --index-storage-setting can only be configured on enterprise edition"])
 
@@ -2499,8 +2509,7 @@ def execute(self, opts):
 
         servers = opts.servers.split(',')
         for server in servers:
-            _, errors = self.rest.add_server(server, opts.group_name, opts.server_username, opts.server_password,
-                                             opts.services)
+            _, errors = self.rest.add_server(server, opts)
             _exit_if_errors(errors)
 
         _success("Server added")
diff --git a/cluster_manager.py b/cluster_manager.py
@@ -508,15 +508,20 @@ def get_add_node_uri(self, group_name):
 
         return f'{self.hostname}{group["addNodeURI"]}', None
 
-    def add_server(self, add_server, group_name, username, password, services):
-        uri, errors = self.get_add_node_uri(group_name)
+    def add_server(self, add_server, opts):
+        uri, errors = self.get_add_node_uri(opts.group_name)
         if errors:
             return None, errors
 
-        return self._post_form_encoded(
-            uri,
-            {"hostname": add_server, "user": username, "password": password, "services": services},
-        )
+        params = {"hostname": add_server, "services": opts.services}
+
+        if opts.use_client_cert:
+            params["clientCertAuth"] = 'true'
+        else:
+            params["user"] = opts.server_username
+            params["password"] = opts.server_password
+
+        return self._post_form_encoded(uri, params)
 
     def readd_server(self, server):
         all_cluster_nodes_info, errors = self._get_all_cluster_nodes_info()
diff --git a/test/test_cli.py b/test/test_cli.py
@@ -1248,8 +1248,9 @@ def test_rebalance_services(self):
 class TestServerAdd(CommandTest):
     def setUp(self):
         self.command = ['couchbase-cli', 'server-add'] + cluster_connect_args
-        self.cmd_args = ['--server-add', 'some-host:6789', '--server-add-username', 'Administrator',
-                         '--server-add-password', 'asdasd']
+        self.cmd_server_add_args = ['--server-add', 'some-host:6789']
+        self.cmd_basic_auth_args = ['--server-add-username', 'Administrator', '--server-add-password', 'asdasd']
+        self.cmd_args = self.cmd_server_add_args + self.cmd_basic_auth_args
 
         self.server_args = {'enterprise': True, 'init': True, 'is_admin': True}
         self.server_args['server-group'] = {'groups': [
@@ -1269,6 +1270,40 @@ def setUp(self):
 
         super(TestServerAdd, self).setUp()
 
+    def test_server_add_use_client_cert(self):
+        self.no_error_run(self.command + self.cmd_server_add_args + ["--use-client-cert"], self.server_args)
+        self.assertIn('POST:/controller/addNode', self.server.trace)
+        expected_params = ['hostname=some-host%3A6789', 'clientCertAuth=true', 'services=kv']
+        self.rest_parameter_match(expected_params)
+
+    def test_server_add_use_client_cert_user_pass(self):
+        self.system_exit_run(self.command + self.cmd_args + ["--use-client-cert"], self.server_args)
+        self.assertIn(
+            'cannot use --server-add-username and --server-add-password with --use-client-cert',
+            self.str_output)
+
+    def test_server_add_no_auth(self):
+        self.system_exit_run(self.command + self.cmd_server_add_args, self.server_args)
+        self.assertIn(
+            'provide either both --server-add-username and --server-add-password or the --use-client-cert flag',
+            self.str_output)
+
+    def test_server_add_no_pass(self):
+        self.system_exit_run(self.command +
+                             self.cmd_server_add_args +
+                             ['--server-add-username', 'Administrator'], self.server_args)
+        self.assertIn(
+            'provide either both --server-add-username and --server-add-password or the --use-client-cert flag',
+            self.str_output)
+
+    def test_server_add_no_user(self):
+        self.system_exit_run(self.command +
+                             self.cmd_server_add_args +
+                             ['--server-add-password', 'asdasd'], self.server_args)
+        self.assertIn(
+            'provide either both --server-add-username and --server-add-password or the --use-client-cert flag',
+            self.str_output)
+
     def test_server_add_basic(self):
         self.no_error_run(self.command + self.cmd_args, self.server_args)
         self.assertIn('POST:/controller/addNode', self.server.trace)
