Remove root certificates like other credentials on cbgtManager close

couchbase · Dec 2, 2024 · ea548ac · ea548ac
1 parent 5dc2b50
commit ea548ac
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/base/dcp_feed_type.go b/base/dcp_feed_type.go
@@ -296,9 +296,16 @@ func getCbgtCredentials(dbName string) (cbgtCreds, bool) {
 	return creds, found
 }
 
-// See the comment of cbgtRootCAsProvider for usage details.
+// setCbgtRootCertsForBucket creates root certificates for a given bucket. If TLS should be used, this function must be called. If tls certificate verification is skipped, then this function should be called with pool as nil. See the comment of cbgtRootCAsProvider for usage details.
 func setCbgtRootCertsForBucket(bucketUUID string, pool *x509.CertPool) {
 	cbgtGlobalsLock.Lock()
 	defer cbgtGlobalsLock.Unlock()
 	cbgtRootCertPools[bucketUUID] = pool
 }
+
+// removeCbgtRootCertsForBucket removes all the root certificates for a bucket. See the comment of cbgtRootCAsProvider for usage details.
+func removeCbgtRootCertsForBucket(bucketUUID string) {
+	cbgtGlobalsLock.Lock()
+	defer cbgtGlobalsLock.Unlock()
+	delete(cbgtRootCertPools, bucketUUID)
+}
diff --git a/base/dcp_sharded.go b/base/dcp_sharded.go
@@ -451,6 +451,7 @@ func (c *CbgtContext) Stop() {
 
 func (c *CbgtContext) RemoveFeedCredentials(dbName string) {
 	removeCbgtCredentials(dbName)
+	removeCbgtRootCertsForBucket(c.sourceUUID)
 }
 
 // Format of dest key for retrieval of import dest from cbgtDestFactories