Use of org.neo4j.internal.kernel.api.security.LoginContext in project neo4j by neo4j.
Class AbstractCypherResource, method createNewTransactionHandle.
/**
 * Creates a transaction handle bound to the identity already authenticated for this request.
 *
 * <p>The {@link LoginContext} is read back from the request (it is attached upstream by the
 * authorization layer's {@code AuthorizedRequestWrapper}); the context and its own connection info are
 * both handed to the facade, together with any per-request timeout found in the headers.
 *
 * @param transactionFacade   factory used to open the transaction handle
 * @param request             the current HTTP request carrying the login context
 * @param headers             request headers, consulted for a custom transaction timeout
 * @param memoryTracker       memory tracker passed on to the new transaction
 * @param implicitTransaction whether the new transaction is implicit rather than explicit
 * @return a new handle for a transaction running as the authenticated caller
 */
private TransactionHandle createNewTransactionHandle(TransactionFacade transactionFacade, HttpServletRequest request, HttpHeaders headers, MemoryTracker memoryTracker, boolean implicitTransaction) {
    // Identity was established upstream; never re-authenticate here, just carry the context through.
    final LoginContext callerContext = AuthorizedRequestWrapper.getLoginContextFromHttpServletRequest(request);
    final var callerConnection = callerContext.connectionInfo();
    // Optional per-request timeout override taken from the headers.
    final long requestedTimeout = getTransactionTimeout(headers, log);
    return transactionFacade.newTransactionHandle(uriScheme, implicitTransaction, callerContext, callerConnection, memoryTracker, requestedTimeout);
}
Use of org.neo4j.internal.kernel.api.security.LoginContext in project neo4j by neo4j.
Class AuthorizationEnabledFilter, method doFilter.
/**
 * Authenticates each HTTP request with basic auth before handing it down the filter chain.
 *
 * <p>Decision order, as implemented below:
 * <ol>
 *   <li>{@code OPTIONS} requests and whitelisted paths pass through unauthenticated.</li>
 *   <li>A missing {@code Authorization} header produces an authentication challenge.</li>
 *   <li>A header that {@code extractCredential} cannot turn into a username/password pair produces the
 *       bad-header response.</li>
 *   <li>{@code SUCCESS} and {@code PASSWORD_CHANGE_REQUIRED} continue down the chain, with the request
 *       wrapped in an {@link AuthorizedRequestWrapper} that carries the resulting {@link LoginContext}.</li>
 *   <li>{@code TOO_MANY_ATTEMPTS} produces the too-many-attempts response.</li>
 *   <li>Every other authentication result is logged as a failed attempt and challenged again.</li>
 * </ol>
 * Auth-provider problems ({@link InvalidAuthTokenException}, {@link AuthProviderTimeoutException},
 * {@link AuthProviderFailedException}) are turned into their respective error responses rather than propagated.
 *
 * @param servletRequest  the incoming request; must be an {@link HttpServletRequest}
 *                        ({@code validateRequestType} runs before the cast)
 * @param servletResponse the outgoing response; must be an {@link HttpServletResponse}
 *                        ({@code validateResponseType} runs before the cast)
 * @param filterChain     the rest of the chain, invoked only on the pass-through and authenticated paths
 * @throws IOException      propagated from the downstream chain
 * @throws ServletException propagated from the downstream chain
 */
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    validateRequestType(servletRequest);
    validateResponseType(servletResponse);
    final HttpServletRequest request = (HttpServletRequest) servletRequest;
    final HttpServletResponse response = (HttpServletResponse) servletResponse;
    String userAgent = request.getHeader(HttpHeaders.USER_AGENT);
    // username is only known after authentication, make connection aware of the user-agent
    JettyHttpConnection.updateUserForCurrentConnection(null, userAgent);
    // Context path plus path info; a null path info contributes nothing.
    final String path = request.getContextPath() + (request.getPathInfo() == null ? "" : request.getPathInfo());
    // Authentication is skipped entirely for OPTIONS requests and for whitelisted paths.
    if (request.getMethod().equals("OPTIONS") || whitelisted(path)) {
        // NOTE: If starting transactions with access mode on whitelisted uris should be possible we need to
        // wrap servletRequest in an AuthorizedRequestWrapper here
        filterChain.doFilter(servletRequest, servletResponse);
        return;
    }
    final String header = request.getHeader(HttpHeaders.AUTHORIZATION);
    if (header == null) {
        // No credentials offered: challenge the client; noHeader supplies the challenge detail.
        requestAuthentication(request, noHeader).accept(response);
        return;
    }
    final String[] usernameAndPassword = extractCredential(header);
    if (usernameAndPassword == null) {
        // Header present but not a usable credential pair: reject without challenging.
        badHeader.accept(response);
        return;
    }
    final String username = usernameAndPassword[0];
    // The password is held as a String from here on; this method never logs it.
    final String password = usernameAndPassword[1];
    try {
        ClientConnectionInfo connectionInfo = HttpConnectionInfoFactory.create(request);
        LoginContext securityContext = authenticate(username, password, connectionInfo);
        // username is now known, make connection aware of both username and user-agent
        JettyHttpConnection.updateUserForCurrentConnection(username, userAgent);
        // The subject's authentication result decides how the request proceeds.
        switch(securityContext.subject().getAuthenticationResult()) {
            case PASSWORD_CHANGE_REQUIRED:
                // Deliberate fall-through to SUCCESS: per the original note, anything other than changing
                // your own password is rejected from the server side.
            case SUCCESS:
                try {
                    // Downstream code reads the authenticated LoginContext from this wrapper.
                    filterChain.doFilter(new AuthorizedRequestWrapper(BASIC_AUTH, username, request, securityContext), servletResponse);
                } catch (AuthorizationViolationException e) {
                    // The downstream resource refused the action for this (authenticated) user;
                    // reported back as unauthorized access with the exception message.
                    unauthorizedAccess(e.getMessage()).accept(response);
                }
                return;
            case TOO_MANY_ATTEMPTS:
                // Too many failed attempts for this user: respond without consulting the chain.
                tooManyAttempts.accept(response);
                return;
            default:
                // Logged with username and remote address only; the password is never logged.
                log.warn("Failed authentication attempt for '%s' from %s", username, request.getRemoteAddr());
                requestAuthentication(request, invalidCredential).accept(response);
        }
    } catch (InvalidAuthTokenException e) {
        // The auth manager rejected the token itself; its message is relayed in the challenge.
        requestAuthentication(request, invalidAuthToken(e.getMessage())).accept(response);
    } catch (AuthProviderTimeoutException e) {
        authProviderTimeout.accept(response);
    } catch (AuthProviderFailedException e) {
        authProviderFailed.accept(response);
    }
}
Use of org.neo4j.internal.kernel.api.security.LoginContext in project neo4j by neo4j.
Class TransactionEventsIT, method shouldGetSpecifiedUsernameAndMetaDataInTXData.
/**
 * The username reported in transaction data must come from the {@link LoginContext}'s subject, while the
 * metadata is reported as supplied, even when it carries its own "username" key.
 */
@Test
void shouldGetSpecifiedUsernameAndMetaDataInTXData() {
    // Subject whose username must surface in the transaction data.
    final AuthSubject mockSubject = mock(AuthSubject.class);
    when(mockSubject.username()).thenReturn("Christof");
    // Minimal LoginContext that always authorises with static WRITE access.
    final LoginContext writeContext = new LoginContext(mockSubject, EMBEDDED_CONNECTION) {
        @Override
        public SecurityContext authorize(IdLookup idLookup, String dbName, AbstractSecurityLog securityLog) {
            return new SecurityContext(mockSubject, AccessMode.Static.WRITE, EMBEDDED_CONNECTION, dbName);
        }
    };

    // Capture what the before-commit listener observes.
    final AtomicReference<String> observedUsername = new AtomicReference<>();
    final AtomicReference<Map<String, Object>> observedMetaData = new AtomicReference<>();
    dbms.registerTransactionEventListener(DEFAULT_DATABASE_NAME, getBeforeCommitListener(txData -> {
        observedUsername.set(txData.username());
        observedMetaData.set(txData.metaData());
    }));

    // Metadata deliberately carries a conflicting "username" so the two sources can be told apart.
    final Map<String, Object> metadata = genericMap("username", "joe");
    runTransaction(writeContext, metadata);

    assertThat(observedUsername.get()).as("Should have specified username").isEqualTo("Christof");
    assertThat(observedMetaData.get()).as("Should have metadata with specified username").isEqualTo(metadata);
}
Use of org.neo4j.internal.kernel.api.security.LoginContext in project neo4j by neo4j.
Class BasicAuthIT, method shouldCreateUserWithAuthDisabled.
/**
 * A user created while authentication is disabled must still be usable once authentication is turned on:
 * the wrong password is rejected, and the right one is accepted but requires a password change.
 */
@Test
void shouldCreateUserWithAuthDisabled() throws Exception {
    // GIVEN: a user created through the system database while auth is still disabled
    final var systemDb = managementService.database(GraphDatabaseSettings.SYSTEM_DATABASE_NAME);
    try (Transaction createUserTx = systemDb.beginTx()) {
        // WHEN
        createUserTx.execute("CREATE USER foo SET PASSWORD 'bar'").close();
        createUserTx.commit();
    }
    // Switch authentication on; the user created above has to survive the restart.
    dbmsController.restartDbms(builder -> builder.setConfig(GraphDatabaseSettings.auth_enabled, true));

    // THEN: a wrong password is rejected ...
    final LoginContext rejectedLogin = authManager.login(AuthToken.newBasicAuthToken("foo", "wrong"), EMBEDDED_CONNECTION);
    assertThat(rejectedLogin.subject().getAuthenticationResult(), equalTo(AuthenticationResult.FAILURE));
    // ... and the right one authenticates but demands a password change before use.
    final LoginContext acceptedLogin = authManager.login(AuthToken.newBasicAuthToken("foo", "bar"), EMBEDDED_CONNECTION);
    assertThat(acceptedLogin.subject().getAuthenticationResult(), equalTo(AuthenticationResult.PASSWORD_CHANGE_REQUIRED));
}
Use of org.neo4j.internal.kernel.api.security.LoginContext in project neo4j by neo4j.
Class AuthProceduresIT, method newUserShouldNotBeAbleToCallOtherProcedures.
/**
 * A freshly created user, who still has to change the initial password, must not be able to call
 * arbitrary procedures: the call yields no rows and the error names the required password change.
 */
@Test
void newUserShouldNotBeAbleToCallOtherProcedures() throws Throwable {
    // Given: a new user logged in with the initial password
    assertSuccess(admin, "CREATE USER andres SET PASSWORD 'banana'");
    final LoginContext freshUser = login("andres", "banana");

    // Then: the procedure call is refused with the password-change message and produces no rows
    final String expectedError = "The credentials you provided were valid, but must be changed before you can use this instance.";
    final var outcome = execute(freshUser, "CALL dbms.procedures", r -> assertFalse(r.hasNext()));
    assertThat(outcome).contains(expectedError);
}