
Example 6 with LoginContext

use of org.neo4j.internal.kernel.api.security.LoginContext in project neo4j by neo4j.

Method createNewTransactionHandle of class AbstractCypherResource.

/**
 * Builds a {@link TransactionHandle} for the current HTTP request.
 *
 * <p>The {@link LoginContext} is read back from the request (presumably attached
 * earlier by the authorization filter through {@code AuthorizedRequestWrapper}), so
 * the transaction runs under the identity that authenticated this request rather
 * than under a configured default. The connection info handed to the facade is the
 * one bound to that login context.
 *
 * @param transactionFacade   factory for transaction handles
 * @param request             the HTTP request carrying the login context
 * @param headers             request headers; consulted for a custom transaction timeout
 * @param memoryTracker       memory tracker the new transaction is charged to
 * @param implicitTransaction whether the transaction is implicit (auto-commit)
 * @return a new transaction handle bound to the request's login context
 */
private TransactionHandle createNewTransactionHandle(TransactionFacade transactionFacade, HttpServletRequest request, HttpHeaders headers, MemoryTracker memoryTracker, boolean implicitTransaction) {
    // Timeout override comes from the headers only; it does not depend on who is logged in.
    final long timeoutOverride = getTransactionTimeout(headers, log);
    final LoginContext requestLogin = AuthorizedRequestWrapper.getLoginContextFromHttpServletRequest(request);
    return transactionFacade.newTransactionHandle(
            uriScheme,
            implicitTransaction,
            requestLogin,
            requestLogin.connectionInfo(),
            memoryTracker,
            timeoutOverride);
}

Example 7 with LoginContext

use of org.neo4j.internal.kernel.api.security.LoginContext in project neo4j by neo4j.

Method doFilter of class AuthorizationEnabledFilter.

/**
 * Enforces HTTP basic authentication on every request that is not whitelisted.
 *
 * <p>Flow: pre-flight {@code OPTIONS} requests and whitelisted paths pass straight
 * through without authentication. Otherwise an {@code Authorization} header is
 * required and must parse as a credential; the credential is authenticated and, on
 * success, the downstream chain sees an {@link AuthorizedRequestWrapper} that carries
 * the resulting {@link LoginContext}. Every failure path writes a response through one
 * of the pre-built responders and stops the chain.
 *
 * @param servletRequest  must be an {@link HttpServletRequest} (checked by {@code validateRequestType})
 * @param servletResponse must be an {@link HttpServletResponse} (checked by {@code validateResponseType})
 * @param filterChain     the remaining chain; only invoked for whitelisted or authenticated requests
 * @throws IOException      propagated from the filter chain
 * @throws ServletException propagated from the filter chain
 */
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    validateRequestType(servletRequest);
    validateResponseType(servletResponse);
    final HttpServletRequest request = (HttpServletRequest) servletRequest;
    final HttpServletResponse response = (HttpServletResponse) servletResponse;
    String userAgent = request.getHeader(HttpHeaders.USER_AGENT);
    // username is only known after authentication, make connection aware of the user-agent
    JettyHttpConnection.updateUserForCurrentConnection(null, userAgent);
    // Context path plus path info; getPathInfo() may be null, hence the guard.
    final String path = request.getContextPath() + (request.getPathInfo() == null ? "" : request.getPathInfo());
    // Pre-flight OPTIONS requests and whitelisted paths bypass authentication entirely.
    if (request.getMethod().equals("OPTIONS") || whitelisted(path)) {
        // NOTE: If starting transactions with access mode on whitelisted uris should be possible we need to
        // wrap servletRequest in an AuthorizedRequestWrapper here
        filterChain.doFilter(servletRequest, servletResponse);
        return;
    }
    final String header = request.getHeader(HttpHeaders.AUTHORIZATION);
    if (header == null) {
        // No credentials supplied at all: challenge the client (presumably a 401 with a WWW-Authenticate header).
        requestAuthentication(request, noHeader).accept(response);
        return;
    }
    final String[] usernameAndPassword = extractCredential(header);
    if (usernameAndPassword == null) {
        // Header present but not a parseable basic-auth credential.
        badHeader.accept(response);
        return;
    }
    final String username = usernameAndPassword[0];
    final String password = usernameAndPassword[1];
    try {
        ClientConnectionInfo connectionInfo = HttpConnectionInfoFactory.create(request);
        LoginContext securityContext = authenticate(username, password, connectionInfo);
        // username is now known, make connection aware of both username and user-agent
        // (this also runs for failed attempts, since authenticate() returned normally)
        JettyHttpConnection.updateUserForCurrentConnection(username, userAgent);
        switch(securityContext.subject().getAuthenticationResult()) {
            case PASSWORD_CHANGE_REQUIRED:
            // Intentional fall-through into SUCCESS: the request is let through here and is refused
            // from the server side if you try to do anything else than changing your own password.
            case SUCCESS:
                try {
                    // Downstream handlers read the LoginContext back out of this wrapper.
                    filterChain.doFilter(new AuthorizedRequestWrapper(BASIC_AUTH, username, request, securityContext), servletResponse);
                } catch (AuthorizationViolationException e) {
                    // Authenticated but not permitted: the exception message is echoed to the client.
                    unauthorizedAccess(e.getMessage()).accept(response);
                }
                return;
            case TOO_MANY_ATTEMPTS:
                // Throttled: the auth manager has presumably seen too many failed attempts for this user.
                tooManyAttempts.accept(response);
                return;
            default:
                // FAILURE (and any other result): record the attempt with its source address, then re-challenge.
                log.warn("Failed authentication attempt for '%s' from %s", username, request.getRemoteAddr());
                requestAuthentication(request, invalidCredential).accept(response);
        }
    } catch (InvalidAuthTokenException e) {
        // The credential parsed but could not be turned into a usable auth token; the message goes back to the client.
        requestAuthentication(request, invalidAuthToken(e.getMessage())).accept(response);
    } catch (AuthProviderTimeoutException e) {
        // The authentication provider did not answer in time.
        authProviderTimeout.accept(response);
    } catch (AuthProviderFailedException e) {
        // The authentication provider itself failed; the client only sees a generic failure response.
        authProviderFailed.accept(response);
    }
}

Example 8 with LoginContext

use of org.neo4j.internal.kernel.api.security.LoginContext in project neo4j by neo4j.

Method shouldGetSpecifiedUsernameAndMetaDataInTXData of class TransactionEventsIT.

/**
 * Verifies that the username surfaced to transaction event listeners comes from the
 * {@link LoginContext}'s {@link AuthSubject}, while the transaction metadata is passed
 * through untouched.
 *
 * <p>The metadata deliberately carries a conflicting {@code "username"} entry
 * ({@code "joe"}) so the test fails if the two sources were ever confused.
 */
@Test
void shouldGetSpecifiedUsernameAndMetaDataInTXData() {
    AtomicReference<String> observedUsername = new AtomicReference<>();
    AtomicReference<Map<String, Object>> observedMetaData = new AtomicReference<>();
    // Capture what the listener sees at before-commit time.
    dbms.registerTransactionEventListener(DEFAULT_DATABASE_NAME, getBeforeCommitListener(txData -> {
        observedUsername.set(txData.username());
        observedMetaData.set(txData.metaData());
    }));

    AuthSubject authenticatedSubject = mock(AuthSubject.class);
    when(authenticatedSubject.username()).thenReturn("Christof");
    LoginContext writeContext = new LoginContext(authenticatedSubject, EMBEDDED_CONNECTION) {
        @Override
        public SecurityContext authorize(IdLookup idLookup, String dbName, AbstractSecurityLog securityLog) {
            // Unconditional write access: authorization is not what this test exercises.
            return new SecurityContext(authenticatedSubject, AccessMode.Static.WRITE, EMBEDDED_CONNECTION, dbName);
        }
    };

    Map<String, Object> suppliedMetaData = genericMap("username", "joe");
    runTransaction(writeContext, suppliedMetaData);

    assertThat(observedUsername.get()).as("Should have specified username").isEqualTo("Christof");
    assertThat(observedMetaData.get()).as("Should have metadata with specified username").isEqualTo(suppliedMetaData);
}

Example 9 with LoginContext

use of org.neo4j.internal.kernel.api.security.LoginContext in project neo4j by neo4j.

Method shouldCreateUserWithAuthDisabled of class BasicAuthIT.

/**
 * A user created while authentication is disabled must still be a real,
 * password-protected account once authentication is switched on.
 *
 * <p>The user is created through the system database with auth off, the DBMS is
 * restarted with {@code auth_enabled=true}, and then a wrong password must be
 * rejected while the right one is accepted but flagged as
 * {@code PASSWORD_CHANGE_REQUIRED}.
 *
 * @throws Exception if the restart or a login fails unexpectedly
 */
@Test
void shouldCreateUserWithAuthDisabled() throws Exception {
    // GIVEN: auth is disabled; create the user via the system database
    var systemDb = managementService.database(GraphDatabaseSettings.SYSTEM_DATABASE_NAME);
    try (Transaction createUserTx = systemDb.beginTx()) {
        // WHEN
        createUserTx.execute("CREATE USER foo SET PASSWORD 'bar'").close();
        createUserTx.commit();
    }
    // Turn authentication on; the account created above must survive the restart.
    dbmsController.restartDbms(builder -> builder.setConfig(GraphDatabaseSettings.auth_enabled, true));

    // THEN: a wrong password is rejected ...
    LoginContext rejected = authManager.login(AuthToken.newBasicAuthToken("foo", "wrong"), EMBEDDED_CONNECTION);
    assertThat(rejected.subject().getAuthenticationResult(), equalTo(AuthenticationResult.FAILURE));
    // ... and the right one is accepted, with a forced password change on first use
    LoginContext accepted = authManager.login(AuthToken.newBasicAuthToken("foo", "bar"), EMBEDDED_CONNECTION);
    assertThat(accepted.subject().getAuthenticationResult(), equalTo(AuthenticationResult.PASSWORD_CHANGE_REQUIRED));
}

Example 10 with LoginContext

use of org.neo4j.internal.kernel.api.security.LoginContext in project neo4j by neo4j.

Method newUserShouldNotBeAbleToCallOtherProcedures of class AuthProceduresIT.

/**
 * A freshly created user whose initial password has not yet been changed must not be
 * able to run ordinary procedures: the call is refused with the password-change
 * message and yields no rows.
 *
 * @throws Throwable propagated from the test helpers
 */
@Test
void newUserShouldNotBeAbleToCallOtherProcedures() throws Throwable {
    // Given: a user created by an admin, logged in with the initial password
    assertSuccess(admin, "CREATE USER andres SET PASSWORD 'banana'");
    LoginContext freshUser = login("andres", "banana");

    // Then: the procedure call is refused, and the result set the user sees is empty
    assertThat(execute(freshUser, "CALL dbms.procedures", rows -> assertFalse(rows.hasNext())))
            .contains("The credentials you provided were valid, but must be changed before you can use this instance.");
}
