CXXCBC-349: allow to pass trust certificate by value

core/cluster.hxx

@@ -357,6 +357,7 @@ class cluster : public std::enable_shared_from_this<cluster>
 
             if (origin_.options().enable_tls                   /* TLS is enabled */
                 && origin_.options().trust_certificate.empty() /* No CA certificate (or other SDK-specific trust source) is specified */
+                && origin_.options().trust_certificate_value.empty()     /* and certificate value has not been specified */
                 && origin_.options().tls_verify != tls_verify_mode::none /* The user did not disable all TLS verification */
                 && has_non_capella_host /* The connection string has a hostname that does NOT end in ".cloud.couchbase.com" */) {
                 CB_LOG_WARNING("[{}] When TLS is enabled, the cluster options must specify certificate(s) to trust or ensure that they are "
@@ -386,7 +387,8 @@ class cluster : public std::enable_shared_from_this<cluster>
                     tls_.set_verify_mode(asio::ssl::verify_peer);
                     break;
             }
-            if (origin_.options().trust_certificate.empty()) { // trust certificate is not explicitly specified
+            if (origin_.options().trust_certificate.empty() &&
+                origin_.options().trust_certificate_value.empty()) { // trust certificate is not explicitly specified
                 CB_LOG_DEBUG(R"([{}]: use default CA for TLS verify)", id_);
                 std::error_code ec{};
 
@@ -422,11 +424,22 @@ class cluster : public std::enable_shared_from_this<cluster>
                 std::error_code ec{};
                 // load only the explicit certificate
                 // system and default capella certificates are not loaded
-                CB_LOG_DEBUG(R"([{}]: use TLS verify file: "{}")", id_, origin_.options().trust_certificate);
-                tls_.load_verify_file(origin_.options().trust_certificate, ec);
-                if (ec) {
-                    CB_LOG_ERROR("[{}]: unable to load verify file \"{}\": {}", id_, origin_.options().trust_certificate, ec.message());
-                    return close([ec, handler = std::forward<Handler>(handler)]() mutable { return handler(ec); });
+                if (!origin_.options().trust_certificate_value.empty()) {
+                    CB_LOG_DEBUG(R"([{}]: use TLS certificate passed through via options object)", id_);
+                    tls_.add_certificate_authority(asio::const_buffer(origin_.options().trust_certificate_value.data(),
+                                                                      origin_.options().trust_certificate_value.size()),
+                                                   ec);
+                    if (ec) {
+                        CB_LOG_WARNING("[{}]: unable to load CA passed via options object: {}", id_, ec.message());
+                    }
+                }
+                if (!origin_.options().trust_certificate_value.empty()) {
+                    CB_LOG_DEBUG(R"([{}]: use TLS verify file: "{}")", id_, origin_.options().trust_certificate);
+                    tls_.load_verify_file(origin_.options().trust_certificate, ec);
+                    if (ec) {
+                        CB_LOG_ERROR("[{}]: unable to load verify file \"{}\": {}", id_, origin_.options().trust_certificate, ec.message());
+                        return close([ec, handler = std::forward<Handler>(handler)]() mutable { return handler(ec); });
+                    }
                 }
             }
 #ifdef COUCHBASE_CXX_CLIENT_TLS_KEY_LOG_FILE

core/cluster_options.hxx

@@ -53,6 +53,7 @@ struct cluster_options {
     bool tls_disable_deprecated_protocols{ true };
     bool tls_disable_v1_2{ false };
     std::string trust_certificate{};
+    std::string trust_certificate_value{};
     bool enable_mutation_tokens{ true };
     bool enable_tcp_keep_alive{ true };
     io::ip_protocol use_ip_protocol{ io::ip_protocol::any };

core/impl/cluster.cxx

@@ -82,6 +82,9 @@ options_to_origin(const std::string& connection_string, const couchbase::cluster
         if (opts.security.trust_certificate.has_value()) {
             user_options.trust_certificate = opts.security.trust_certificate.value();
         }
+        if (opts.security.trust_certificate_value.has_value()) {
+            user_options.trust_certificate_value = opts.security.trust_certificate_value.value();
+        }
         switch (opts.security.tls_verify) {
             case couchbase::tls_verify_mode::none:
                 user_options.tls_verify = core::tls_verify_mode::none;

couchbase/security_options.hxx

@@ -45,10 +45,17 @@ class security_options
         return *this;
     }
 
+    auto trust_certificate_value(std::string certificate_value) -> security_options&
+    {
+        trust_certificate_value_ = certificate_value;
+        return *this;
+    }
+
     struct built {
         bool enabled;
         tls_verify_mode tls_verify;
         std::optional<std::string> trust_certificate;
+        std::optional<std::string> trust_certificate_value;
         bool disable_mozilla_ca_certificates;
         bool disable_deprecated_protocols;
         bool disable_tls_v1_2;
@@ -57,14 +64,21 @@ class security_options
     [[nodiscard]] auto build() const -> built
     {
         return {
-            enabled_, tls_verify_, trust_certificate_, disable_mozilla_ca_certificates_, disable_deprecated_protocols, disable_tls_v1_2,
+            enabled_,
+            tls_verify_,
+            trust_certificate_,
+            trust_certificate_value_,
+            disable_mozilla_ca_certificates_,
+            disable_deprecated_protocols,
+            disable_tls_v1_2,
         };
     }
 
   private:
     bool enabled_{ true };
     tls_verify_mode tls_verify_{ tls_verify_mode::peer };
     std::optional<std::string> trust_certificate_{};
+    std::optional<std::string> trust_certificate_value_{};
     bool disable_mozilla_ca_certificates_{ false };
     bool disable_deprecated_protocols{ true };
     bool disable_tls_v1_2{ false };