Examples with AuthorizationViolationException - org.neo4j.graphdb.security.AuthorizationViolationException

Example 6 with AuthorizationViolationException

use of org.neo4j.graphdb.security.AuthorizationViolationException in project neo4j by neo4j.

the class PersonalUserManager method newUser.

@Override
public User newUser(String username, String initialPassword, boolean requirePasswordChange) throws IOException, InvalidArgumentsException, AuthorizationViolationException {
    try {
        assertAdmin();
        User user = userManager.newUser(username, initialPassword, requirePasswordChange);
        securityLog.info(securityContext, "created user `%s`%s", username, requirePasswordChange ? ", with password change required" : "");
        return user;
    } catch (AuthorizationViolationException | IOException | InvalidArgumentsException e) {
        securityLog.error(securityContext, "tried to create user `%s`: %s", username, e.getMessage());
        throw e;
    }
}

Also used : User(org.neo4j.kernel.impl.security.User) IOException(java.io.IOException) AuthorizationViolationException(org.neo4j.graphdb.security.AuthorizationViolationException) InvalidArgumentsException(org.neo4j.kernel.api.exceptions.InvalidArgumentsException)

Example 7 with AuthorizationViolationException

use of org.neo4j.graphdb.security.AuthorizationViolationException in project neo4j by neo4j.

the class OperationsTest method runForSecurityLevel.

protected String runForSecurityLevel(Executable executable, AccessMode mode, boolean shoudldBeAuthorized) throws Exception {
    SecurityContext securityContext = SecurityContext.authDisabled(mode, ClientConnectionInfo.EMBEDDED_CONNECTION, DB_NAME);
    when(transaction.securityContext()).thenReturn(securityContext);
    when(transaction.securityAuthorizationHandler()).thenReturn(new SecurityAuthorizationHandler(securityLog));
    when(nodeCursor.next()).thenReturn(true);
    when(nodeCursor.hasLabel(2)).thenReturn(false);
    when(nodeCursor.hasLabel(3)).thenReturn(true);
    when(tokenHolders.labelTokens().getTokenById(anyInt())).thenReturn(new NamedToken("Label", 2));
    if (shoudldBeAuthorized) {
        assertAuthorized(executable);
        return null;
    } else {
        AuthorizationViolationException exception = assertThrows(AuthorizationViolationException.class, executable);
        return exception.getMessage();
    }
}

Also used : SecurityContext(org.neo4j.internal.kernel.api.security.SecurityContext) NamedToken(org.neo4j.token.api.NamedToken) AuthorizationViolationException(org.neo4j.graphdb.security.AuthorizationViolationException) SecurityAuthorizationHandler(org.neo4j.internal.kernel.api.security.SecurityAuthorizationHandler)

Example 8 with AuthorizationViolationException

use of org.neo4j.graphdb.security.AuthorizationViolationException in project neo4j by neo4j.

the class AuthorizationEnabledFilter method doFilter.

@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    validateRequestType(servletRequest);
    validateResponseType(servletResponse);
    final HttpServletRequest request = (HttpServletRequest) servletRequest;
    final HttpServletResponse response = (HttpServletResponse) servletResponse;
    String userAgent = request.getHeader(HttpHeaders.USER_AGENT);
    // username is only known after authentication, make connection aware of the user-agent
    JettyHttpConnection.updateUserForCurrentConnection(null, userAgent);
    final String path = request.getContextPath() + (request.getPathInfo() == null ? "" : request.getPathInfo());
    if (request.getMethod().equals("OPTIONS") || whitelisted(path)) {
        // NOTE: If starting transactions with access mode on whitelisted uris should be possible we need to
        // wrap servletRequest in an AuthorizedRequestWrapper here
        filterChain.doFilter(servletRequest, servletResponse);
        return;
    }
    final String header = request.getHeader(HttpHeaders.AUTHORIZATION);
    if (header == null) {
        requestAuthentication(request, noHeader).accept(response);
        return;
    }
    final String[] usernameAndPassword = extractCredential(header);
    if (usernameAndPassword == null) {
        badHeader.accept(response);
        return;
    }
    final String username = usernameAndPassword[0];
    final String password = usernameAndPassword[1];
    try {
        ClientConnectionInfo connectionInfo = HttpConnectionInfoFactory.create(request);
        LoginContext securityContext = authenticate(username, password, connectionInfo);
        // username is now known, make connection aware of both username and user-agent
        JettyHttpConnection.updateUserForCurrentConnection(username, userAgent);
        switch(securityContext.subject().getAuthenticationResult()) {
            case PASSWORD_CHANGE_REQUIRED:
            // from the server side if you try to do anything else than changing you own password.
            case SUCCESS:
                try {
                    filterChain.doFilter(new AuthorizedRequestWrapper(BASIC_AUTH, username, request, securityContext), servletResponse);
                } catch (AuthorizationViolationException e) {
                    unauthorizedAccess(e.getMessage()).accept(response);
                }
                return;
            case TOO_MANY_ATTEMPTS:
                tooManyAttempts.accept(response);
                return;
            default:
                log.warn("Failed authentication attempt for '%s' from %s", username, request.getRemoteAddr());
                requestAuthentication(request, invalidCredential).accept(response);
        }
    } catch (InvalidAuthTokenException e) {
        requestAuthentication(request, invalidAuthToken(e.getMessage())).accept(response);
    } catch (AuthProviderTimeoutException e) {
        authProviderTimeout.accept(response);
    } catch (AuthProviderFailedException e) {
        authProviderFailed.accept(response);
    }
}

Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) ClientConnectionInfo(org.neo4j.internal.kernel.api.connectioninfo.ClientConnectionInfo) LoginContext(org.neo4j.internal.kernel.api.security.LoginContext) AuthProviderFailedException(org.neo4j.graphdb.security.AuthProviderFailedException) HttpServletResponse(javax.servlet.http.HttpServletResponse) AuthProviderTimeoutException(org.neo4j.graphdb.security.AuthProviderTimeoutException) AuthorizationViolationException(org.neo4j.graphdb.security.AuthorizationViolationException) InvalidAuthTokenException(org.neo4j.kernel.api.security.exception.InvalidAuthTokenException)

Example 9 with AuthorizationViolationException

use of org.neo4j.graphdb.security.AuthorizationViolationException in project neo4j by neo4j.

the class InvocationTest method shouldHandleAuthorizationErrorWhenStartingTransaction.

@Test
void shouldHandleAuthorizationErrorWhenStartingTransaction() {
    // given
    when(databaseFacade.beginTransaction(any(), any(), any())).thenThrow(new AuthorizationViolationException("Forbidden"));
    when(registry.begin(any(TransactionHandle.class))).thenReturn(1337L);
    TransactionHandle handle = getTransactionHandle(executionEngine, registry);
    InputEventStream inputEventStream = mock(InputEventStream.class);
    Statement statement = new Statement("query", map());
    when(inputEventStream.read()).thenReturn(statement, NULL_STATEMENT);
    mockDefaultResult();
    Invocation invocation = new Invocation(log, handle, uriScheme.txCommitUri(1337L), mock(MemoryPool.class, RETURNS_MOCKS), inputEventStream, true);
    // when
    invocation.execute(outputEventStream);
    // then
    verifyNoMoreInteractions(log);
    InOrder outputOrder = inOrder(outputEventStream);
    outputOrder.verify(outputEventStream).writeFailure(Status.Security.Forbidden, "Forbidden");
    outputOrder.verify(outputEventStream).writeTransactionInfo(TransactionNotificationState.NO_TRANSACTION, uriScheme.txCommitUri(1337L), -1);
    verifyNoMoreInteractions(outputEventStream);
}

Also used : InOrder(org.mockito.InOrder) InputEventStream(org.neo4j.server.http.cypher.format.api.InputEventStream) Statement(org.neo4j.server.http.cypher.format.api.Statement) AuthorizationViolationException(org.neo4j.graphdb.security.AuthorizationViolationException) MemoryPool(org.neo4j.memory.MemoryPool) Test(org.junit.jupiter.api.Test)

Aggregations

AuthorizationViolationException (org.neo4j.graphdb.security.AuthorizationViolationException)9 IOException (java.io.IOException)3 HttpServletRequest (javax.servlet.http.HttpServletRequest)2 HttpServletResponse (javax.servlet.http.HttpServletResponse)2 ClientConnectionInfo (org.neo4j.internal.kernel.api.connectioninfo.ClientConnectionInfo)2 LoginContext (org.neo4j.internal.kernel.api.security.LoginContext)2 DeadlockDetectedException (org.neo4j.kernel.DeadlockDetectedException)2 InvalidArgumentsException (org.neo4j.kernel.api.exceptions.InvalidArgumentsException)2 Status (org.neo4j.kernel.api.exceptions.Status)2 InvalidAuthTokenException (org.neo4j.kernel.api.security.exception.InvalidAuthTokenException)2 QueryExecutionKernelException (org.neo4j.kernel.impl.query.QueryExecutionKernelException)2 Statement (org.neo4j.server.http.cypher.format.api.Statement)2 Test (org.junit.jupiter.api.Test)1 InOrder (org.mockito.InOrder)1 CypherException (org.neo4j.cypher.CypherException)1 InvalidSemanticsException (org.neo4j.cypher.InvalidSemanticsException)1 InvalidSemanticsException (org.neo4j.exceptions.InvalidSemanticsException)1 KernelException (org.neo4j.exceptions.KernelException)1 Neo4jException (org.neo4j.exceptions.Neo4jException)1 Result (org.neo4j.graphdb.Result)1