Add support for authenticating a user with an X.509 cert (#266)

Author: josephcummings

.github/workflows/plugins-tests.yml

@@ -0,0 +1,111 @@
+name: enterprise plugins tests workflow
+
+on:
+  workflow_call:
+    inputs:
+      esdb_version:
+        required: true
+        type: string
+
+jobs:
+  single_node:
+    name: Single Node
+
+    strategy:
+      fail-fast: false
+      matrix:
+        test: [ Plugins ]
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: Login to Cloudsmith
+        uses: docker/login-action@v3
+        with:
+          registry: docker.eventstore.com
+          username: ${{ secrets.CLOUDSMITH_CICD_USER }}
+          password: ${{ secrets.CLOUDSMITH_CICD_TOKEN }}
+
+      - uses: actions/checkout@v3
+
+      - name: Set up JDK 8
+        uses: actions/setup-java@v3
+        with:
+          java-version: '8'
+          distribution: 'temurin'
+
+      - name: Setup Gradle
+        uses: gradle/gradle-build-action@v2
+        with:
+          gradle-version: 7.4
+
+      - name: Generate certificates
+        run: |
+          docker compose --file configure-tls-for-tests.yml up
+          docker compose --file configure-user-certs-for-tests.yml up
+
+      - name: Execute Gradle build
+        run: ./gradlew ci --tests ${{ matrix.test }}Tests
+        env:
+          EVENTSTORE_DOCKER_REGISTRY_ENV: docker.eventstore.com
+          EVENTSTORE_DOCKER_IMAGE_ENV: eventstore-ee/eventstoredb-commercial
+          EVENTSTORE_DOCKER_TAG_ENV: ${{ inputs.esdb_version }}
+          SECURE: true
+
+      - uses: actions/upload-artifact@v3
+        if: failure()
+        with:
+          name: esdb_logs.tar.gz
+          path: db-client-java/esdb_logs.tar.gz
+          if-no-files-found: error
+
+  cluster:
+    name: Cluster
+
+    strategy:
+      fail-fast: false
+      matrix:
+        test: [ Plugins ]
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: Login to Cloudsmith
+        uses: docker/login-action@v3
+        with:
+          registry: docker.eventstore.com
+          username: ${{ secrets.CLOUDSMITH_CICD_USER }}
+          password: ${{ secrets.CLOUDSMITH_CICD_TOKEN }}
+
+      - uses: actions/checkout@v3
+
+      - name: Enable plugins
+        run: echo "EventStore__Plugins__UserCertificates__Enabled=true" >> vars.env
+
+      - name: Set up cluster with Docker Compose
+        run: docker compose up -d
+        env:
+          CONTAINER_REGISTRY: docker.eventstore.com
+          CONTAINER_IMAGE: eventstore-ee/eventstoredb-commercial
+          CONTAINER_IMAGE_VERSION: ${{ inputs.esdb_version }}
+
+      - name: Generate user certificates
+        run: docker compose --file configure-user-certs-for-tests.yml up
+
+      - name: Set up JDK 8
+        uses: actions/setup-java@v3
+        with:
+          java-version: '8'
+          distribution: 'temurin'
+
+      - name: Setup Gradle
+        uses: gradle/gradle-build-action@v2
+        with:
+          gradle-version: 7.4
+
+      - name: Execute Gradle build
+        run: ./gradlew ci --tests ${{ matrix.test }}Tests
+        env:
+          SECURE: true
+          CLUSTER: true
+
+      - name: Shutdown cluster
+        run: docker compose down

.github/workflows/pull-requests.yml

@@ -42,4 +42,19 @@ jobs:
 
     uses: ./.github/workflows/tests.yml
     with:
-      esdb_version: ${{ matrix.version }}
+      esdb_version: ${{ matrix.version }}
+
+  plugins-tests:
+    needs: build
+    name: Plugins Tests
+
+    strategy:
+      fail-fast: false
+      matrix:
+        version: [24.2.0-jammy]
+
+    uses: ./.github/workflows/plugins-tests.yml
+    with:
+      esdb_version: ${{ matrix.version }}
+
+    secrets: inherit

.github/workflows/tests.yml

@@ -14,7 +14,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        test: [Streams, PersistentSubscriptions, Expectations ]
+        test: [Streams, PersistentSubscriptions, Expectations]
 
     runs-on: ubuntu-latest
     steps:
@@ -56,7 +56,7 @@ jobs:
       - uses: actions/checkout@v3
 
       - name: Generate certificates
-        run: docker-compose --file configure-tls-for-tests.yml up
+        run: docker compose --file configure-tls-for-tests.yml up
 
       - name: Set up JDK 8
         uses: actions/setup-java@v3
@@ -94,7 +94,7 @@ jobs:
       - uses: actions/checkout@v3
 
       - name: Set up cluster with Docker Compose
-        run: docker-compose up -d
+        run: docker compose up -d
         env:
           CONTAINER_IMAGE_VERSION: ${{ inputs.esdb_version }}
 
@@ -117,4 +117,4 @@ jobs:
           SECURE: true
 
       - name: Shutdown cluster
-        run: docker-compose down
+        run: docker compose down

.gitignore

@@ -171,5 +171,5 @@ fabric.properties
 # Avoid ignoring Gradle wrapper jar file (.jar files are usually ignored)
 !gradle-wrapper.jar
 
-# Generated certs
+# Generated certificates
 certs/

configure-tls-for-tests.yml

@@ -10,7 +10,7 @@ services:
     network_mode: "none"
 
   setup:
-    image: eventstore/es-gencert-cli:1.0.2
+    image: ghcr.io/eventstore/es-gencert-cli:1.3.0
     entrypoint: bash
     user: "1000:1000"
     command: >

configure-user-certs-for-tests.yml

@@ -0,0 +1,25 @@
+version: '3.5'
+
+services:
+  volumes-provisioner:
+    image: "hasnat/volumes-provisioner"
+    environment:
+      PROVISION_DIRECTORIES: "1000:1000:0755:/tmp/certs"
+    volumes:
+      - "./certs:/tmp/certs"
+    network_mode: "none"
+
+  setup:
+    image: ghcr.io/eventstore/es-gencert-cli:1.3.0
+    entrypoint: bash
+    user: "1000:1000"
+    command: >
+      -c "mkdir -p ./certs && cd /certs
+      && es-gencert-cli create-user -username admin
+      && es-gencert-cli create-user -username invalid
+      && find . -type f -print0 | xargs -0 chmod 666"
+    container_name: setup
+    volumes:
+      - ./certs:/certs
+    depends_on:
+      - volumes-provisioner

db-client-java/build.gradle

@@ -47,6 +47,8 @@ dependencies {
     implementation "io.grpc:grpc-protobuf:${grpcVersion}"
     implementation "com.fasterxml.jackson.core:jackson-databind:${jacksonVersion}"
     implementation 'org.slf4j:slf4j-api:2.0.9'
+    implementation "org.bouncycastle:bcprov-jdk18on:1.77"
+    implementation "org.bouncycastle:bcpkix-jdk18on:1.77"
 
     testImplementation "org.junit.jupiter:junit-jupiter-api:${junitVersion}"
     testImplementation "org.junit.jupiter:junit-jupiter-params:${junitVersion}"
@@ -78,6 +80,11 @@ tasks.register("generateCertificates", Exec) {
     commandLine 'docker', 'compose', '--file', '../configure-tls-for-tests.yml', 'up'
 }
 
+tasks.register("generateUserCertificates", Exec) {
+    description = "Generates X.509 certificates for Plugins tests"
+    commandLine 'docker', 'compose', '--file', '../configure-user-certs-for-tests.yml', 'up'
+}
+
 tasks.register("startDockerCompose", Exec) {
     description = "Starts ESDB cluster"
     commandLine 'docker', 'compose', '--file', '../docker-compose.yml', 'up', '-d'
@@ -125,6 +132,17 @@ tasks.register("clusterTests", Test) {
     }
 }
 
+tasks.register("pluginsTests", Test) {
+    dependsOn generateCertificates
+    dependsOn generateUserCertificates
+
+    environment "SECURE", "true"
+
+    useJUnitPlatform {
+        include("**/PluginsTests.class")
+    }
+}
+
 tasks.register("ci", Test) {
     useJUnitPlatform()
 }

db-client-java/src/main/java/com/eventstore/dbclient/AbstractCreatePersistentSubscription.java

@@ -11,11 +11,11 @@ abstract class AbstractCreatePersistentSubscription<TPos, TSettings extends Pers
     private final GrpcClient client;
     private final String group;
     private final TSettings settings;
-    private final OptionsBase options;
+    private final OptionsBase<?> options;
     private static final Logger logger = LoggerFactory.getLogger(AbstractCreatePersistentSubscription.class);
 
     public AbstractCreatePersistentSubscription(GrpcClient client, String group,
-                                                TSettings settings, OptionsBase options) {
+                                                TSettings settings, OptionsBase<?> options) {
         this.client = client;
         this.group = group;
         this.settings = settings;

db-client-java/src/main/java/com/eventstore/dbclient/AbstractRead.java

@@ -16,9 +16,9 @@ abstract class AbstractRead implements Publisher<ReadMessage> {
     protected static final StreamsOuterClass.ReadReq.Options.Builder defaultReadOptions;
 
     private final GrpcClient client;
-    private final OptionsBase options;
+    private final OptionsBase<?> options;
 
-    protected AbstractRead(GrpcClient client, OptionsBase options) {
+    protected AbstractRead(GrpcClient client, OptionsBase<?> options) {
         this.client = client;
         this.options = options;
     }

db-client-java/src/main/java/com/eventstore/dbclient/AbstractRegularSubscription.java

@@ -22,9 +22,9 @@ abstract class AbstractRegularSubscription {
     protected SubscriptionListener listener;
     protected Checkpointer checkpointer = null;
     private final GrpcClient client;
-    private final OptionsBase options;
+    private final OptionsBase<?> options;
 
-    protected AbstractRegularSubscription(GrpcClient client, OptionsBase options) {
+    protected AbstractRegularSubscription(GrpcClient client, OptionsBase<?> options) {
         this.client = client;
         this.options = options;
     }