
Example 6 with AccessMode

use of org.neo4j.internal.kernel.api.security.AccessMode in project neo4j by neo4j.

the class AllStoreHolder method createAggregationFunction.

/**
 * Authorizes and instantiates the aggregating function {@code id}, returning a wrapper that
 * runs every later call under the security context chosen here.
 *
 * <p>The execute-permission check happens once, at creation time. The returned
 * {@link UserAggregator} does not re-check it; it only re-installs the captured context around
 * each {@code update} and {@code result} call.
 *
 * @param id identifier of the aggregating function to create
 * @return an aggregator delegating to the one created by {@code globalProcedures}
 * @throws ProcedureException propagated from creating or invoking the underlying aggregator
 */
private UserAggregator createAggregationFunction(int id) throws ProcedureException {
    ktx.assertOpen();
    AccessMode callerMode = ktx.securityContext().mode();

    // Authorization gate: built-in aggregating functions bypass the privilege check, anything
    // else needs an explicit execute permission from the caller's access mode.
    boolean permitted = globalProcedures.isBuiltInAggregatingFunction(id) || callerMode.allowsExecuteAggregatingFunction(id);
    if (!permitted) {
        String denial = format("Executing a user defined aggregating function is not allowed for %s.", ktx.securityContext().description());
        // The denial is routed through the authorization handler rather than thrown directly.
        throw ktx.securityAuthorizationHandler().logAndGetAuthorizationException(ktx.securityContext(), denial);
    }

    // NOTE(review): judging by the class names, the boosted branch widens the function's mode
    // to READ while the other branch caps it at READ - confirm against OverriddenAccessMode and
    // RestrictedAccessMode. Either way the function body never runs under the raw caller mode.
    final SecurityContext functionContext;
    if (callerMode.shouldBoostAggregatingFunction(id)) {
        functionContext = ktx.securityContext().withMode(new OverriddenAccessMode(callerMode, AccessMode.Static.READ));
    } else {
        functionContext = ktx.securityContext().withMode(new RestrictedAccessMode(callerMode, AccessMode.Static.READ));
    }

    // The override is reverted when the try block exits, so the transaction is back on its
    // previous context by the time the wrapper is handed to the caller.
    try (KernelTransaction.Revertable ignore = ktx.overrideWith(functionContext)) {
        UserAggregator delegate = globalProcedures.createAggregationFunction(prepareContext(functionContext, ProcedureCallContext.EMPTY), id);
        return new UserAggregator() {

            @Override
            public void update(AnyValue[] input) throws ProcedureException {
                // Re-install the context captured at creation for the duration of this call only.
                try (KernelTransaction.Revertable ignore = ktx.overrideWith(functionContext)) {
                    delegate.update(input);
                }
            }

            @Override
            public AnyValue result() throws ProcedureException {
                // Same scoping as update(): override, delegate, revert.
                try (KernelTransaction.Revertable ignore = ktx.overrideWith(functionContext)) {
                    return delegate.result();
                }
            }
        };
    }
}
Also used : KernelTransaction(org.neo4j.kernel.api.KernelTransaction) OverriddenAccessMode(org.neo4j.kernel.impl.api.security.OverriddenAccessMode) RestrictedAccessMode(org.neo4j.kernel.impl.api.security.RestrictedAccessMode) SecurityContext(org.neo4j.internal.kernel.api.security.SecurityContext) UserAggregator(org.neo4j.internal.kernel.api.procs.UserAggregator) AdminAccessMode(org.neo4j.internal.kernel.api.security.AdminAccessMode) AccessMode(org.neo4j.internal.kernel.api.security.AccessMode) RestrictedAccessMode(org.neo4j.kernel.impl.api.security.RestrictedAccessMode) OverriddenAccessMode(org.neo4j.kernel.impl.api.security.OverriddenAccessMode)

Example 7 with AccessMode

use of org.neo4j.internal.kernel.api.security.AccessMode in project neo4j by neo4j.

the class AllStoreHolder method countsForRelationshipWithoutTxState.

/**
 * Counts relationships matching the given start label, relationship type and end label,
 * choosing the counting strategy from the caller's traverse privileges.
 *
 * <p>Three outcomes are visible in this method: the store's count is returned directly when
 * the access mode allows traversing the type and both labels; {@code 0} is returned when any
 * of the three is disallowed; otherwise the relationships are counted by scanning.
 *
 * @param startLabelId label id required on the start node
 * @param typeId relationship type id, or {@code TokenRead.ANY_RELATIONSHIP_TYPE}
 * @param endLabelId label id required on the end node
 * @return the number of matching relationships as computed by the selected strategy
 */
@Override
public long countsForRelationshipWithoutTxState(int startLabelId, int typeId, int endLabelId) {
    AccessMode mode = ktx.securityContext().mode();
    CursorContext cursorContext = ktx.cursorContext();
    // Fast path: the unfiltered store count is only handed out when all three traverse checks pass.
    if (mode.allowsTraverseRelType(typeId) && mode.allowsTraverseNode(startLabelId) && mode.allowsTraverseNode(endLabelId)) {
        return storageReader.countsForRelationship(startLabelId, typeId, endLabelId, cursorContext);
    }
    if (mode.disallowsTraverseRelType(typeId) || mode.disallowsTraverseLabel(startLabelId) || mode.disallowsTraverseLabel(endLabelId)) {
        // The relationship type or one of the labels is disallowed for this access mode,
        // so the count will be 0.
        return 0;
    }
    // Reaching this point means the mode neither allowed all three nor disallowed any of them,
    // so the count is computed by visiting relationships instead of reading the store count.
    // NOTE(review): presumably this is the fine-grained-privilege case - confirm against AccessMode.
    // token index scan can only scan for single relationship type
    if (typeId != TokenRead.ANY_RELATIONSHIP_TYPE) {
        try {
            var index = findUsableTokenIndex(EntityType.RELATIONSHIP);
            if (index != IndexDescriptor.NO_INDEX) {
                long count = 0;
                // NOTE(review): this path allocates node cursors with allocateNodeCursor while the
                // full-scan fallback below uses allocateFullAccessNodeCursor; the reason for the
                // difference is not visible here - confirm both paths apply the same access filtering.
                try (DefaultRelationshipTypeIndexCursor relationshipsWithType = cursors.allocateRelationshipTypeIndexCursor(cursorContext);
                    DefaultRelationshipScanCursor relationship = cursors.allocateRelationshipScanCursor(cursorContext);
                    DefaultNodeCursor sourceNode = cursors.allocateNodeCursor(cursorContext);
                    DefaultNodeCursor targetNode = cursors.allocateNodeCursor(cursorContext)) {
                    var session = tokenReadSession(index);
                    this.relationshipTypeScan(session, relationshipsWithType, unconstrained(), new TokenPredicate(typeId));
                    while (relationshipsWithType.next()) {
                        // Position the relationship cursor on the index hit before checking its end labels.
                        relationshipsWithType.relationship(relationship);
                        count += countRelationshipsWithEndLabels(relationship, sourceNode, targetNode, startLabelId, endLabelId);
                    }
                }
                // NOTE(review): presumably the cursors above also see this transaction's own changes,
                // which are subtracted to honour the "WithoutTxState" contract - confirm.
                return count - countsForRelationshipInTxState(startLabelId, typeId, endLabelId);
            }
        } catch (KernelException ignored) {
            // Deliberately swallowed: any KernelException from the index path falls through
            // to the allRelationshipsScan fallback below.
        }
    }
    long count;
    // Fallback: scan every relationship and filter by type (all types when ANY_RELATIONSHIP_TYPE).
    try (DefaultRelationshipScanCursor rels = cursors.allocateRelationshipScanCursor(cursorContext);
        DefaultNodeCursor sourceNode = cursors.allocateFullAccessNodeCursor(cursorContext);
        DefaultNodeCursor targetNode = cursors.allocateFullAccessNodeCursor(cursorContext)) {
        this.allRelationshipsScan(rels);
        Predicate<RelationshipScanCursor> predicate = typeId == TokenRead.ANY_RELATIONSHIP_TYPE ? alwaysTrue() : CursorPredicates.hasType(typeId);
        var filteredCursor = new FilteringRelationshipScanCursorWrapper(rels, predicate);
        count = countRelationshipsWithEndLabels(filteredCursor, sourceNode, targetNode, startLabelId, endLabelId);
    }
    // Same tx-state adjustment as on the token-index path.
    return count - countsForRelationshipInTxState(startLabelId, typeId, endLabelId);
}
Also used : RelationshipScanCursor(org.neo4j.internal.kernel.api.RelationshipScanCursor) TokenPredicate(org.neo4j.internal.kernel.api.TokenPredicate) AdminAccessMode(org.neo4j.internal.kernel.api.security.AdminAccessMode) AccessMode(org.neo4j.internal.kernel.api.security.AccessMode) RestrictedAccessMode(org.neo4j.kernel.impl.api.security.RestrictedAccessMode) OverriddenAccessMode(org.neo4j.kernel.impl.api.security.OverriddenAccessMode) CursorContext(org.neo4j.io.pagecache.context.CursorContext) IndexNotFoundKernelException(org.neo4j.internal.kernel.api.exceptions.schema.IndexNotFoundKernelException) KernelException(org.neo4j.exceptions.KernelException)

Example 8 with AccessMode

use of org.neo4j.internal.kernel.api.security.AccessMode in project neo4j by neo4j.

the class KernelToken method propertyKeyGetAllTokens.

/**
 * Returns the property key tokens the current security context is allowed to see.
 *
 * <p>The access mode is read once, when this method is called; the returned iterator applies
 * that captured mode to each token as it is consumed.
 *
 * @return an iterator over the property key tokens that pass {@code allowsSeePropertyKeyToken}
 */
@Override
public Iterator<NamedToken> propertyKeyGetAllTokens() {
    ktx.assertOpen();
    final AccessMode accessMode = ktx.securityContext().mode();
    Iterator<NamedToken> everyPropertyKey = tokenHolders.propertyKeyTokens().getAllTokens().iterator();
    // Tokens the caller may not see are dropped here, so their names never reach the caller.
    return Iterators.stream(everyPropertyKey)
            .filter(token -> accessMode.allowsSeePropertyKeyToken(token.id()))
            .iterator();
}
Also used : KernelTransactionImplementation(org.neo4j.kernel.impl.api.KernelTransactionImplementation) LabelNotFoundKernelException(org.neo4j.internal.kernel.api.exceptions.LabelNotFoundKernelException) Iterator(java.util.Iterator) Iterators(org.neo4j.internal.helpers.collection.Iterators) PrivilegeAction(org.neo4j.internal.kernel.api.security.PrivilegeAction) RelationshipTypeIdNotFoundKernelException(org.neo4j.internal.kernel.api.exceptions.RelationshipTypeIdNotFoundKernelException) TransactionState(org.neo4j.kernel.api.txstate.TransactionState) AccessMode(org.neo4j.internal.kernel.api.security.AccessMode) TokenHolder(org.neo4j.token.api.TokenHolder) PropertyKeyIdNotFoundKernelException(org.neo4j.internal.kernel.api.exceptions.PropertyKeyIdNotFoundKernelException) CommandCreationContext(org.neo4j.storageengine.api.CommandCreationContext) KernelException(org.neo4j.exceptions.KernelException) TokenHolders(org.neo4j.token.TokenHolders) TokenNotFoundException(org.neo4j.token.api.TokenNotFoundException) NamedToken(org.neo4j.token.api.NamedToken) TokenWrite.checkValidTokenName(org.neo4j.internal.kernel.api.TokenWrite.checkValidTokenName) StorageReader(org.neo4j.storageengine.api.StorageReader) IntSupplier(java.util.function.IntSupplier) IdCapacityExceededException(org.neo4j.internal.id.IdCapacityExceededException) Token(org.neo4j.internal.kernel.api.Token) TokenCapacityExceededKernelException(org.neo4j.internal.kernel.api.exceptions.schema.TokenCapacityExceededKernelException) AccessMode(org.neo4j.internal.kernel.api.security.AccessMode)

Example 9 with AccessMode

use of org.neo4j.internal.kernel.api.security.AccessMode in project neo4j by neo4j.

the class KernelToken method relationshipTypesGetAllTokens.

/**
 * Returns the relationship type tokens the current security context is allowed to traverse.
 *
 * <p>The access mode is read once, when this method is called; the returned iterator applies
 * that captured mode to each token as it is consumed.
 *
 * @return an iterator over the relationship type tokens that pass {@code allowsTraverseRelType}
 */
@Override
public Iterator<NamedToken> relationshipTypesGetAllTokens() {
    ktx.assertOpen();
    final AccessMode accessMode = ktx.securityContext().mode();
    Iterator<NamedToken> everyRelationshipType = tokenHolders.relationshipTypeTokens().getAllTokens().iterator();
    // Visibility of a type name is tied to the traverse privilege on that type.
    return Iterators.stream(everyRelationshipType)
            .filter(token -> accessMode.allowsTraverseRelType(token.id()))
            .iterator();
}
Also used : KernelTransactionImplementation(org.neo4j.kernel.impl.api.KernelTransactionImplementation) LabelNotFoundKernelException(org.neo4j.internal.kernel.api.exceptions.LabelNotFoundKernelException) Iterator(java.util.Iterator) Iterators(org.neo4j.internal.helpers.collection.Iterators) PrivilegeAction(org.neo4j.internal.kernel.api.security.PrivilegeAction) RelationshipTypeIdNotFoundKernelException(org.neo4j.internal.kernel.api.exceptions.RelationshipTypeIdNotFoundKernelException) TransactionState(org.neo4j.kernel.api.txstate.TransactionState) AccessMode(org.neo4j.internal.kernel.api.security.AccessMode) TokenHolder(org.neo4j.token.api.TokenHolder) PropertyKeyIdNotFoundKernelException(org.neo4j.internal.kernel.api.exceptions.PropertyKeyIdNotFoundKernelException) CommandCreationContext(org.neo4j.storageengine.api.CommandCreationContext) KernelException(org.neo4j.exceptions.KernelException) TokenHolders(org.neo4j.token.TokenHolders) TokenNotFoundException(org.neo4j.token.api.TokenNotFoundException) NamedToken(org.neo4j.token.api.NamedToken) TokenWrite.checkValidTokenName(org.neo4j.internal.kernel.api.TokenWrite.checkValidTokenName) StorageReader(org.neo4j.storageengine.api.StorageReader) IntSupplier(java.util.function.IntSupplier) IdCapacityExceededException(org.neo4j.internal.id.IdCapacityExceededException) Token(org.neo4j.internal.kernel.api.Token) TokenCapacityExceededKernelException(org.neo4j.internal.kernel.api.exceptions.schema.TokenCapacityExceededKernelException) AccessMode(org.neo4j.internal.kernel.api.security.AccessMode)

Example 10 with AccessMode

use of org.neo4j.internal.kernel.api.security.AccessMode in project neo4j by neo4j.

the class AllStoreHolder method callFunction.

/**
 * Authorizes and invokes the function {@code id} under a security context derived from the
 * caller's access mode.
 *
 * @param id identifier of the function to call
 * @param input arguments passed through to the function
 * @return the value produced by {@code globalProcedures.callFunction}
 * @throws ProcedureException propagated from the function invocation
 */
private AnyValue callFunction(int id, AnyValue[] input) throws ProcedureException {
    ktx.assertOpen();
    AccessMode callerMode = ktx.securityContext().mode();

    // Authorization gate: built-in functions bypass the privilege check, anything else needs
    // an explicit execute permission from the caller's access mode.
    boolean permitted = globalProcedures.isBuiltInFunction(id) || callerMode.allowsExecuteFunction(id);
    if (!permitted) {
        String denial = format("Executing a user defined function is not allowed for %s.", ktx.securityContext().description());
        // The denial is routed through the authorization handler rather than thrown directly.
        throw ktx.securityAuthorizationHandler().logAndGetAuthorizationException(ktx.securityContext(), denial);
    }

    // NOTE(review): judging by the class names, the boosted branch widens the function's mode
    // to READ while the other branch caps it at READ - confirm against OverriddenAccessMode and
    // RestrictedAccessMode. Either way the function body never runs under the raw caller mode.
    final SecurityContext functionContext;
    if (callerMode.shouldBoostFunction(id)) {
        functionContext = ktx.securityContext().withMode(new OverriddenAccessMode(callerMode, AccessMode.Static.READ));
    } else {
        functionContext = ktx.securityContext().withMode(new RestrictedAccessMode(callerMode, AccessMode.Static.READ));
    }

    // The override lasts only for the call; try-with-resources reverts it on return or throw.
    try (KernelTransaction.Revertable ignore = ktx.overrideWith(functionContext)) {
        return globalProcedures.callFunction(prepareContext(functionContext, ProcedureCallContext.EMPTY), id, input);
    }
}
Also used : KernelTransaction(org.neo4j.kernel.api.KernelTransaction) OverriddenAccessMode(org.neo4j.kernel.impl.api.security.OverriddenAccessMode) RestrictedAccessMode(org.neo4j.kernel.impl.api.security.RestrictedAccessMode) SecurityContext(org.neo4j.internal.kernel.api.security.SecurityContext) AdminAccessMode(org.neo4j.internal.kernel.api.security.AdminAccessMode) AccessMode(org.neo4j.internal.kernel.api.security.AccessMode) RestrictedAccessMode(org.neo4j.kernel.impl.api.security.RestrictedAccessMode) OverriddenAccessMode(org.neo4j.kernel.impl.api.security.OverriddenAccessMode)

Aggregations

AccessMode (org.neo4j.internal.kernel.api.security.AccessMode)12 AdminAccessMode (org.neo4j.internal.kernel.api.security.AdminAccessMode)6 KernelTransaction (org.neo4j.kernel.api.KernelTransaction)6 OverriddenAccessMode (org.neo4j.kernel.impl.api.security.OverriddenAccessMode)6 RestrictedAccessMode (org.neo4j.kernel.impl.api.security.RestrictedAccessMode)6 SecurityContext (org.neo4j.internal.kernel.api.security.SecurityContext)5 TransactionState (org.neo4j.kernel.api.txstate.TransactionState)5 KernelException (org.neo4j.exceptions.KernelException)4 ArrayList (java.util.ArrayList)3 HashMap (java.util.HashMap)3 Iterator (java.util.Iterator)3 IntSupplier (java.util.function.IntSupplier)3 Iterators (org.neo4j.internal.helpers.collection.Iterators)3 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)2 ZoneId (java.time.ZoneId)2 Arrays (java.util.Arrays)2 Comparator (java.util.Comparator)2 List (java.util.List)2 Map (java.util.Map)2 TimeUnit (java.util.concurrent.TimeUnit)2