MB-66374 Add setting-encryption --kmip-server-verification

lubomarinski · lubomarinski · commit dbd38a6178db · 2025-05-09T09:30:38.000Z
Add a flag to set which certificates to trust to verify the server certificates for KMIP. Change-Id: Ic8ab54ab4fea48546b5985ae382613883c0d776d Reviewed-on: https://review.couchbase.org/c/couchbase-cli/+/227469 Reviewed-by: Matt Hall <matt.hall@couchbase.com> Tested-by: Build Bot <build@couchbase.com>
diff --git a/cbmgr.py b/cbmgr.py
@@ -3426,6 +3426,13 @@ def __init__(self):
         group.add_argument("--kmip-key-passphrase", dest="kmip_key_passphrase", metavar="<passphrase>",
                            action=CBNonEchoedAction, envvar="CB_KMIP_KEY_PASSPHRASE",
                            help="The passphrase to use to decode the key")
+        group.add_argument("--kmip-server-verification", dest="kmip_server_verification",
+                           choices=["use-system-ca", "use-cb-ca", "use-system-and-cb-ca", "do-not-verify"],
+                           metavar="<verification_option>", help="How to verify the KMIP server. Available options: " +
+                           "use-system-ca (Use system CA certificates), " +
+                           "use-cb-ca (Use Couchbase trusted certificates), " +
+                           "use-system-and-cb-ca (Use system CA certificates and Couchbase trusted certificates), " +
+                           "do-not-verify (Do not verify server certificate - insecure)")
 
         group.add_argument("--auto-rotate-every", dest="auto_rotate_every", metavar="<days>",
                            help="How often to rotate the generated key")
@@ -3525,9 +3532,9 @@ def _add_edit_parse_opts(self, opts):
             typ = "kmip-aes-key-256"
 
             if not (opts.kmip_ops and opts.kmip_key and opts.kmip_host and opts.kmip_port and opts.kmip_key_path
-                    and opts.kmip_cert_path):
+                    and opts.kmip_cert_path and opts.kmip_server_verification):
                 _exit_if_errors(["--kmip-operations, --kmip-key, --kmip-host --kmip-port, --kmip-key-path, "
-                                 "--kmip-cert-path must be specified"])
+                                 "--kmip-cert-path, --kmip-server-verification must be specified"])
 
             if not opts.encrypt_with_master and opts.encrypt_with_key is None:
                 _exit_if_errors(["one of --encrypt-with-master-password, --encrypt-with-key must be specified"])
@@ -3554,6 +3561,16 @@ def _add_edit_parse_opts(self, opts):
             if opts.kmip_key_passphrase:
                 data["keyPassphrase"] = opts.kmip_key_passphrase
 
+            if opts.kmip_server_verification:
+                if opts.kmip_server_verification == "use-system-ca":
+                    data["caSelection"] = "useSysCa"
+                elif opts.kmip_server_verification == "use-cb-ca":
+                    data["caSelection"] = "useCbCa"
+                elif opts.kmip_server_verification == "use-system-and-cb-ca":
+                    data["caSelection"] = "useSysAndCbCa"
+                elif opts.kmip_server_verification == "do-not-verify":
+                    data["caSelection"] = "skipServerCertVerification"
+
         elif opts.key_type == "auto-generated":
             typ = "auto-generated-aes-key-256"
 
diff --git a/docs/modules/cli/pages/cbcli/couchbase-cli-setting-encryption.adoc b/docs/modules/cli/pages/cbcli/couchbase-cli-setting-encryption.adoc
@@ -29,7 +29,7 @@ _couchbase-cli setting-enable_ [--cluster <url>] [--username <user>]
     [--encrypt-with-master-password] [--encrypt-with-key <keyid>]
     [--kmip-operations <ops>] [--kmip-key <key>] [--kmip-host <host>]
     [--kmip-port <port>] [--kmip-key-path <path>] [--kmip-cert-path <path>]
-    [--kmip-key-passphrase <passphrase>]
+    [--kmip-key-passphrase <passphrase>] [--kmip-server-verification <verification_option>]
     [--auto-rotate-every <days>] [--auto-rotate-start-on <iso8601>]
 
 == DESCRIPTION
@@ -55,6 +55,7 @@ arguments, each having their own set of options:
   ** For KMIP keys: `--kmip-operations <ops>`, `--kmip-key <key>`,
    `--kmip-host <host>`, `--kmip-port <port>`, `--kmip-key-path <path>`,
    `--kmip-cert-path <path>`, `--kmip-key-passphrase <passphrase>`,
+   `--kmip-server-verification <verification_option>`
    `--encrypt-with-master-password`, `--encrypt-with-key <keyid>`
   ** For auto-generated keys: `--auto-rotate-every <days>`,
    `--auto-rotate-start-on <iso8601>`, `--encrypt-with-master-password`,
@@ -168,6 +169,9 @@ include::{partialsdir}/cbcli/part-common-options.adoc[]
 --kmip-key-passphrase <passphrase>::
   The passphrase to use to decode the key.
 
+--kmip-server-verification <verification_option>::
+  Which certificates should be used for server verification.
+
 --auto-rotate-every <days>::
   How often to rotate the generated key, in days.
 
diff --git a/test/test_cli.py b/test/test_cli.py
@@ -1539,6 +1539,12 @@ def test_add_edit_key_kmip_no_ops(self):
             args = base_args + ['--name', 'key01', '--kek-usage', '--key-type', 'kmip']
             self.system_exit_run(self.command + args, None, start_server=False)
             self.assertIn('--kmip-operations', self.str_output)
+            self.assertIn('--kmip-key', self.str_output)
+            self.assertIn('--kmip-host', self.str_output)
+            self.assertIn('--kmip-port', self.str_output)
+            self.assertIn('--kmip-key-path', self.str_output)
+            self.assertIn('--kmip-cert-path', self.str_output)
+            self.assertIn('--kmip-server-verification', self.str_output)
 
     def test_add_edit_key_kmip_no_encrypt_method(self):
         self.server.set_args(self.server_args)
@@ -1547,7 +1553,8 @@ def test_add_edit_key_kmip_no_encrypt_method(self):
         for base_args in [['--add-key'], ['--edit-key', '1']]:
             args = base_args + ['--name', 'key01', '--kek-usage', '--key-type', 'kmip', '--kmip-operations', 'get',
                                 '--kmip-key', 'key', '--kmip-host', 'localhost', '--kmip-port', '1470',
-                                '--kmip-key-path', '/key', '--kmip-cert-path', '/cert']
+                                '--kmip-key-path', '/key', '--kmip-cert-path', '/cert', '--kmip-server-verification',
+                                'use-system-and-cb-ca']
             self.system_exit_run(self.command + args, None, start_server=False)
             self.assertIn(
                 'one of --encrypt-with-master-password, --encrypt-with-key must be specified',
@@ -1561,7 +1568,7 @@ def test_add_edit_key_kmip(self):
             args = base_args + ['--name', 'key01', '--kek-usage', '--key-type', 'kmip', '--kmip-operations', 'get',
                                 '--kmip-key', 'key', '--kmip-host', 'localhost', '--kmip-port', '1470',
                                 '--kmip-key-path', '/key', '--kmip-cert-path', '/cert',
-                                '--encrypt-with-master-password']
+                                '--encrypt-with-master-password', '--kmip-server-verification', 'use-system-and-cb-ca']
             self.no_error_run(self.command + args, None, start_server=False)
             expected = json.dumps({
                 'usage': ['KEK-encryption'],
@@ -1575,6 +1582,88 @@ def test_add_edit_key_kmip(self):
                     'encryptionApproach': 'useGet',
                     'keyPath': '/key',
                     'certPath': '/cert',
+                    'caSelection': "useSysAndCbCa"
+                }
+            }, sort_keys=True)
+            self.rest_parameter_match([expected], length_match=False)
+
+    def test_add_edit_key_kmip_do_not_verify(self):
+        self.server.set_args(self.server_args)
+        self.server.run()
+
+        for base_args in [['--add-key'], ['--edit-key', '1']]:
+            args = base_args + ['--name', 'key01', '--kek-usage', '--key-type', 'kmip', '--kmip-operations', 'get',
+                                '--kmip-key', 'key', '--kmip-host', 'localhost', '--kmip-port', '1470',
+                                '--kmip-key-path', '/key', '--kmip-cert-path', '/cert',
+                                '--encrypt-with-master-password', '--kmip-server-verification', 'do-not-verify']
+            self.no_error_run(self.command + args, None, start_server=False)
+            expected = json.dumps({
+                'usage': ['KEK-encryption'],
+                'name': 'key01',
+                'type': 'kmip-aes-key-256',
+                'data': {
+                    'encryptWith': 'nodeSecretManager',
+                    'activeKey': {'kmipId': 'key'},
+                    'host': 'localhost',
+                    'port': 1470,
+                    'encryptionApproach': 'useGet',
+                    'keyPath': '/key',
+                    'certPath': '/cert',
+                    'caSelection': "skipServerCertVerification"
+                }
+            }, sort_keys=True)
+            self.rest_parameter_match([expected], length_match=False)
+
+    def test_add_edit_key_kmip_use_system_ca(self):
+        self.server.set_args(self.server_args)
+        self.server.run()
+
+        for base_args in [['--add-key'], ['--edit-key', '1']]:
+            args = base_args + ['--name', 'key01', '--kek-usage', '--key-type', 'kmip', '--kmip-operations', 'get',
+                                '--kmip-key', 'key', '--kmip-host', 'localhost', '--kmip-port', '1470',
+                                '--kmip-key-path', '/key', '--kmip-cert-path', '/cert',
+                                '--encrypt-with-master-password', '--kmip-server-verification', 'use-system-ca']
+            self.no_error_run(self.command + args, None, start_server=False)
+            expected = json.dumps({
+                'usage': ['KEK-encryption'],
+                'name': 'key01',
+                'type': 'kmip-aes-key-256',
+                'data': {
+                    'encryptWith': 'nodeSecretManager',
+                    'activeKey': {'kmipId': 'key'},
+                    'host': 'localhost',
+                    'port': 1470,
+                    'encryptionApproach': 'useGet',
+                    'keyPath': '/key',
+                    'certPath': '/cert',
+                    'caSelection': "useSysCa"
+                }
+            }, sort_keys=True)
+            self.rest_parameter_match([expected], length_match=False)
+
+    def test_add_edit_key_kmip_use_cb_ca(self):
+        self.server.set_args(self.server_args)
+        self.server.run()
+
+        for base_args in [['--add-key'], ['--edit-key', '1']]:
+            args = base_args + ['--name', 'key01', '--kek-usage', '--key-type', 'kmip', '--kmip-operations', 'get',
+                                '--kmip-key', 'key', '--kmip-host', 'localhost', '--kmip-port', '1470',
+                                '--kmip-key-path', '/key', '--kmip-cert-path', '/cert',
+                                '--encrypt-with-master-password', '--kmip-server-verification', 'use-cb-ca']
+            self.no_error_run(self.command + args, None, start_server=False)
+            expected = json.dumps({
+                'usage': ['KEK-encryption'],
+                'name': 'key01',
+                'type': 'kmip-aes-key-256',
+                'data': {
+                    'encryptWith': 'nodeSecretManager',
+                    'activeKey': {'kmipId': 'key'},
+                    'host': 'localhost',
+                    'port': 1470,
+                    'encryptionApproach': 'useGet',
+                    'keyPath': '/key',
+                    'certPath': '/cert',
+                    'caSelection': "useCbCa"
                 }
             }, sort_keys=True)
             self.rest_parameter_match([expected], length_match=False)
