MB-65344 Don't require password on xdcr-setup with full encryption

matthallcb · matthallcb · commit 5770b1785564 · 2025-11-17T16:49:04.000Z
If the remote cluster is being setup as full encryption (i.e. only ever users mTLS) then a username and password is not required. Before this commit we would error if they were not passed. Change-Id: I6a6a636cfdf9f2367089d5ceb3744896b39c4c04 Reviewed-on: https://review.couchbase.org/c/couchbase-cli/+/236623 Reviewed-by: Safian Ali <safian.ali@couchbase.com> Well-Formed: Restriction Checker Tested-by: Matt Hall <matt.hall@couchbase.com>
diff --git a/cbmgr.py b/cbmgr.py
@@ -4113,9 +4113,9 @@ def _set(self, opts):
             _exit_if_errors([f'--xdcr-cluster-name is required to {cmd} a cluster connection'])
         if opts.hostname is None:
             _exit_if_errors([f'--xdcr-hostname is required to {cmd} a cluster connections'])
-        if opts.username is None:
+        if opts.username is None and opts.secure_connection != "full":
             _exit_if_errors([f'--xdcr-username is required to {cmd} a cluster connections'])
-        if opts.password is None:
+        if opts.password is None and opts.secure_connection != "full":
             _exit_if_errors([f'--xdcr-password is required to {cmd} a cluster connections'])
         if (opts.encrypt is not None or opts.encryption_type is not None) and opts.secure_connection is not None:
             _exit_if_errors(["Cannot use deprecated flags --xdcr-demand-encryption or --xdcr-encryption-type with"
diff --git a/test/test_cli.py b/test/test_cli.py
@@ -2158,6 +2158,21 @@ def test_edit_xdcr(self):
         expected_params = ['name=name', 'hostname=hostname', 'username=username', 'password=pwd', 'demandEncryption=0']
         self.rest_parameter_match(expected_params)
 
+    def test_edit_xdcr_cert(self):
+        contents = 'this-is-the-cert-and-key-file'
+        cert_file = tempfile.NamedTemporaryFile(delete=False)
+        cert_file.write(contents.encode('utf-8'))
+        cert_file.close()
+
+        args = ['--xdcr-hostname', 'hostname', '--xdcr-cluster-name', 'name', '--xdcr-secure-connection', 'full',
+                '--xdcr-user-certificate', cert_file.name, '--xdcr-user-key', cert_file.name,
+                '--xdcr-certificate', cert_file.name]
+        self.no_error_run(self.command + ['--edit'] + args, self.server_args)
+        self.assertIn('POST:/pools/default/remoteClusters/name', self.server.trace)
+        expected_params = ['name=name', 'hostname=hostname', 'demandEncryption=1', 'encryptionType=full',
+                           f'clientCertificate={contents}', f'clientKey={contents}', f'certificate={contents}']
+        self.rest_parameter_match(expected_params)
+
     def test_list_xdcr(self):
         self.server_args['remote-clusters'] = [{'name': 'name', 'uuid': '1', 'hostname': 'host', 'username': 'user',
                                                 'uri': 'uri', 'deleted': False}]
