Add SSL service connection support for Couchbase

See gh-41137

Author: mhalbritter

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/couchbase/CouchbaseAutoConfiguration.java

@@ -93,15 +93,16 @@ public class CouchbaseAutoConfiguration {
 
 	@Bean
 	@ConditionalOnMissingBean(CouchbaseConnectionDetails.class)
-	PropertiesCouchbaseConnectionDetails couchbaseConnectionDetails() {
-		return new PropertiesCouchbaseConnectionDetails(this.properties);
+	PropertiesCouchbaseConnectionDetails couchbaseConnectionDetails(ObjectProvider<SslBundles> sslBundles) {
+		return new PropertiesCouchbaseConnectionDetails(this.properties, sslBundles.getIfAvailable());
 	}
 
 	@Bean
 	@ConditionalOnMissingBean
 	public ClusterEnvironment couchbaseClusterEnvironment(
-			ObjectProvider<ClusterEnvironmentBuilderCustomizer> customizers, ObjectProvider<SslBundles> sslBundles) {
-		Builder builder = initializeEnvironmentBuilder(sslBundles.getIfAvailable());
+			ObjectProvider<ClusterEnvironmentBuilderCustomizer> customizers,
+			CouchbaseConnectionDetails connectionDetails) {
+		Builder builder = initializeEnvironmentBuilder(connectionDetails);
 		customizers.orderedStream().forEach((customizer) -> customizer.customize(builder));
 		return builder.build();
 	}
@@ -143,7 +144,7 @@ public Cluster couchbaseCluster(ClusterEnvironment couchbaseClusterEnvironment,
 		return Cluster.connect(connectionDetails.getConnectionString(), options);
 	}
 
-	private ClusterEnvironment.Builder initializeEnvironmentBuilder(SslBundles sslBundles) {
+	private ClusterEnvironment.Builder initializeEnvironmentBuilder(CouchbaseConnectionDetails connectionDetails) {
 		ClusterEnvironment.Builder builder = ClusterEnvironment.builder();
 		Timeouts timeouts = this.properties.getEnv().getTimeouts();
 		builder.timeoutConfig((config) -> config.kvTimeout(timeouts.getKeyValue())
@@ -159,31 +160,24 @@ private ClusterEnvironment.Builder initializeEnvironmentBuilder(SslBundles sslBu
 		builder.ioConfig((config) -> config.maxHttpConnections(io.getMaxEndpoints())
 			.numKvConnections(io.getMinEndpoints())
 			.idleHttpConnectionTimeout(io.getIdleHttpConnectionTimeout()));
-		if (this.properties.getEnv().getSsl().getEnabled()) {
-			configureSsl(builder, sslBundles);
+		SslBundle sslBundle = connectionDetails.getSslBundle();
+		if (sslBundle != null) {
+			configureSsl(builder, sslBundle);
 		}
 		return builder;
 	}
 
-	private void configureSsl(Builder builder, SslBundles sslBundles) {
-		Ssl sslProperties = this.properties.getEnv().getSsl();
-		SslBundle sslBundle = (StringUtils.hasText(sslProperties.getBundle()))
-				? sslBundles.getBundle(sslProperties.getBundle()) : null;
-		Assert.state(sslBundle == null || !sslBundle.getOptions().isSpecified(),
-				"SSL Options cannot be specified with Couchbase");
+	private void configureSsl(Builder builder, SslBundle sslBundle) {
+		Assert.state(!sslBundle.getOptions().isSpecified(), "SSL Options cannot be specified with Couchbase");
 		builder.securityConfig((config) -> {
 			config.enableTls(true);
-			TrustManagerFactory trustManagerFactory = getTrustManagerFactory(sslBundle);
+			TrustManagerFactory trustManagerFactory = sslBundle.getManagers().getTrustManagerFactory();
 			if (trustManagerFactory != null) {
 				config.trustManagerFactory(trustManagerFactory);
 			}
 		});
 	}
 
-	private TrustManagerFactory getTrustManagerFactory(SslBundle sslBundle) {
-		return (sslBundle != null) ? sslBundle.getManagers().getTrustManagerFactory() : null;
-	}
-
 	@Configuration(proxyBeanMethods = false)
 	@ConditionalOnClass(ObjectMapper.class)
 	static class JacksonConfiguration {
@@ -247,8 +241,11 @@ static final class PropertiesCouchbaseConnectionDetails implements CouchbaseConn
 
 		private final CouchbaseProperties properties;
 
-		PropertiesCouchbaseConnectionDetails(CouchbaseProperties properties) {
+		private final SslBundles sslBundles;
+
+		PropertiesCouchbaseConnectionDetails(CouchbaseProperties properties, SslBundles sslBundles) {
 			this.properties = properties;
+			this.sslBundles = sslBundles;
 		}
 
 		@Override
@@ -266,6 +263,19 @@ public String getPassword() {
 			return this.properties.getPassword();
 		}
 
+		@Override
+		public SslBundle getSslBundle() {
+			Ssl ssl = this.properties.getEnv().getSsl();
+			if (!ssl.getEnabled()) {
+				return null;
+			}
+			if (StringUtils.hasLength(ssl.getBundle())) {
+				Assert.notNull(this.sslBundles, "SSL bundle name has been set but no SSL bundles found in context");
+				return this.sslBundles.getBundle(ssl.getBundle());
+			}
+			return SslBundle.systemDefault();
+		}
+
 	}
 
 }

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/couchbase/CouchbaseConnectionDetails.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2023 the original author or authors.
+ * Copyright 2012-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,6 +17,7 @@
 package org.springframework.boot.autoconfigure.couchbase;
 
 import org.springframework.boot.autoconfigure.service.connection.ConnectionDetails;
+import org.springframework.boot.ssl.SslBundle;
 
 /**
  * Details required to establish a connection to a Couchbase service.
@@ -46,4 +47,13 @@ public interface CouchbaseConnectionDetails extends ConnectionDetails {
 	 */
 	String getPassword();
 
+	/**
+	 * SSL bundle to use.
+	 * @return the SSL bundle to use
+	 * @since 3.5.0
+	 */
+	default SslBundle getSslBundle() {
+		return null;
+	}
+
 }

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/couchbase/CouchbaseAutoConfigurationTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2024 the original author or authors.
+ * Copyright 2012-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -196,7 +196,7 @@ void enableSsl() {
 		testClusterEnvironment((env) -> {
 			SecurityConfig securityConfig = env.securityConfig();
 			assertThat(securityConfig.tlsEnabled()).isTrue();
-			assertThat(securityConfig.trustManagerFactory()).isNull();
+			assertThat(securityConfig.trustManagerFactory()).isNotNull();
 		}, "spring.couchbase.env.ssl.enabled=true");
 	}
 

spring-boot-project/spring-boot-testcontainers/src/main/java/org/springframework/boot/testcontainers/service/connection/couchbase/CouchbaseContainerConnectionDetailsFactory.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2023 the original author or authors.
+ * Copyright 2012-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,6 +19,7 @@
 import org.testcontainers.couchbase.CouchbaseContainer;
 
 import org.springframework.boot.autoconfigure.couchbase.CouchbaseConnectionDetails;
+import org.springframework.boot.ssl.SslBundle;
 import org.springframework.boot.testcontainers.service.connection.ContainerConnectionDetailsFactory;
 import org.springframework.boot.testcontainers.service.connection.ContainerConnectionSource;
 import org.springframework.boot.testcontainers.service.connection.ServiceConnection;
@@ -66,6 +67,11 @@ public String getConnectionString() {
 			return getContainer().getConnectionString();
 		}
 
+		@Override
+		public SslBundle getSslBundle() {
+			return super.getSslBundle();
+		}
+
 	}
 
 }

spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-data-couchbase/src/dockerTest/java/smoketest/data/couchbase/SampleCouchbaseApplicationReactiveSslTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2024 the original author or authors.
+ * Copyright 2012-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,6 +26,8 @@
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.testcontainers.service.connection.PemKeyStore;
+import org.springframework.boot.testcontainers.service.connection.PemTrustStore;
 import org.springframework.boot.testcontainers.service.connection.ServiceConnection;
 import org.springframework.boot.testsupport.container.TestImage;
 import org.springframework.data.couchbase.core.ReactiveCouchbaseTemplate;
@@ -38,16 +40,15 @@
  * @author Scott Frederick
  */
 @Testcontainers(disabledWithoutDocker = true)
-@SpringBootTest(properties = { "spring.couchbase.env.ssl.bundle=client", "spring.data.couchbase.bucket-name=cbbucket",
-		"spring.ssl.bundle.pem.client.keystore.certificate=classpath:ssl/test-client.crt",
-		"spring.ssl.bundle.pem.client.keystore.private-key=classpath:ssl/test-client.key",
-		"spring.ssl.bundle.pem.client.truststore.certificate=classpath:ssl/test-ca.crt" })
+@SpringBootTest(properties = { "spring.data.couchbase.bucket-name=cbbucket" })
 class SampleCouchbaseApplicationReactiveSslTests {
 
 	private static final String BUCKET_NAME = "cbbucket";
 
 	@Container
 	@ServiceConnection
+	@PemKeyStore(certificate = "classpath:ssl/test-client.crt", privateKey = "classpath:ssl/test-client.key")
+	@PemTrustStore(certificate = "classpath:ssl/test-ca.crt")
 	static final CouchbaseContainer couchbase = TestImage.container(SecureCouchbaseContainer.class)
 		.withBucket(new BucketDefinition(BUCKET_NAME));
 

spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-data-couchbase/src/dockerTest/java/smoketest/data/couchbase/SampleCouchbaseApplicationSslTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2024 the original author or authors.
+ * Copyright 2012-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -24,6 +24,8 @@
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.data.couchbase.DataCouchbaseTest;
+import org.springframework.boot.testcontainers.service.connection.PemKeyStore;
+import org.springframework.boot.testcontainers.service.connection.PemTrustStore;
 import org.springframework.boot.testcontainers.service.connection.ServiceConnection;
 import org.springframework.boot.testsupport.container.TestImage;
 import org.springframework.data.couchbase.core.CouchbaseTemplate;
@@ -36,17 +38,16 @@
  * @author Scott Frederick
  */
 @Testcontainers(disabledWithoutDocker = true)
-@DataCouchbaseTest(properties = { "spring.couchbase.env.ssl.bundle=client", "spring.couchbase.env.timeouts.connect=2m",
-		"spring.data.couchbase.bucket-name=cbbucket",
-		"spring.ssl.bundle.pem.client.keystore.certificate=classpath:ssl/test-client.crt",
-		"spring.ssl.bundle.pem.client.keystore.private-key=classpath:ssl/test-client.key",
-		"spring.ssl.bundle.pem.client.truststore.certificate=classpath:ssl/test-ca.crt" })
+@DataCouchbaseTest(
+		properties = { "spring.couchbase.env.timeouts.connect=2m", "spring.data.couchbase.bucket-name=cbbucket" })
 class SampleCouchbaseApplicationSslTests {
 
 	private static final String BUCKET_NAME = "cbbucket";
 
 	@Container
 	@ServiceConnection
+	@PemKeyStore(certificate = "classpath:ssl/test-client.crt", privateKey = "classpath:ssl/test-client.key")
+	@PemTrustStore(certificate = "classpath:ssl/test-ca.crt")
 	static final CouchbaseContainer couchbase = TestImage.container(SecureCouchbaseContainer.class)
 		.withBucket(new BucketDefinition(BUCKET_NAME));