Example 1 with EnterpriseSecurityContext

Use of org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext in project neo4j by neo4j.

Class QueryLoggerIT, method shouldLogTXMetaDataInQueryLog.

@Test
public void shouldLogTXMetaDataInQueryLog() throws Throwable {
    // turn on query logging
    databaseBuilder.setConfig(GraphDatabaseSettings.logs_directory, logsDirectory.getPath());
    databaseBuilder.setConfig(GraphDatabaseSettings.log_queries, Settings.TRUE);
    EmbeddedInteraction db = new EmbeddedInteraction(databaseBuilder, Collections.emptyMap());
    GraphDatabaseFacade graph = db.getLocalGraph();
    db.getLocalUserManager().setUserPassword("neo4j", "123", false);
    EnterpriseSecurityContext subject = db.login("neo4j", "123");
    // query run outside any explicit transaction: logged without TX meta data
    db.executeQuery(subject, "UNWIND range(0, 10) AS i CREATE (:Foo {p: i})", Collections.emptyMap(), ResourceIterator::close);
    // Set meta data and execute query in transaction
    try (InternalTransaction tx = db.beginLocalTransactionAsUser(subject, KernelTransaction.Type.explicit)) {
        graph.execute("CALL dbms.setTXMetaData( { User: 'Johan' } )", Collections.emptyMap());
        graph.execute("CALL dbms.procedures() YIELD name RETURN name", Collections.emptyMap()).close();
        graph.execute("MATCH (n) RETURN n", Collections.emptyMap()).close();
        graph.execute(QUERY, Collections.emptyMap());
        tx.success();
    }
    // Ensure that old meta data is not retained
    try (InternalTransaction tx = db.beginLocalTransactionAsUser(subject, KernelTransaction.Type.explicit)) {
        graph.execute("CALL dbms.setTXMetaData( { Location: 'Sweden' } )", Collections.emptyMap());
        graph.execute("MATCH ()-[r]-() RETURN count(r)", Collections.emptyMap()).close();
        tx.success();
    }
    db.tearDown();
    // THEN
    List<String> logLines = readAllLines(logFilename);
    // one log line per executed query: 1 outside a transaction + 4 in the first + 2 in the second
    assertThat(logLines, hasSize(7));
    assertThat(logLines.get(0), not(containsString("User: 'Johan'")));
    // we don't care if setTXMetaData contains the meta data
    //assertThat( logLines.get( 1 ), containsString( "User: Johan" ) );
    assertThat(logLines.get(2), containsString("User: 'Johan'"));
    assertThat(logLines.get(3), containsString("User: 'Johan'"));
    assertThat(logLines.get(4), containsString("User: 'Johan'"));
    // we want to make sure that the new transaction does not carry old meta data
    assertThat(logLines.get(5), not(containsString("User: 'Johan'")));
    assertThat(logLines.get(6), containsString("Location: 'Sweden'"));
}
Also used: EnterpriseSecurityContext (org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext), EmbeddedInteraction (org.neo4j.server.security.enterprise.auth.EmbeddedInteraction), Matchers.containsString (org.hamcrest.Matchers.containsString), GraphDatabaseFacade (org.neo4j.kernel.impl.factory.GraphDatabaseFacade), ResourceIterator (org.neo4j.graphdb.ResourceIterator), InternalTransaction (org.neo4j.kernel.impl.coreapi.InternalTransaction), Test (org.junit.Test)

Example 2 with EnterpriseSecurityContext

Use of org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext in project neo4j by neo4j.

Class QueryLoggerIT, method shouldNotLogPassword.

@Test
public void shouldNotLogPassword() throws Exception {
    // query logging and authentication both enabled
    GraphDatabaseFacade database = (GraphDatabaseFacade) databaseBuilder
            .setConfig(GraphDatabaseSettings.log_queries, Settings.TRUE)
            .setConfig(GraphDatabaseSettings.logs_directory, logsDirectory.getPath())
            .setConfig(GraphDatabaseSettings.auth_enabled, Settings.TRUE)
            .newGraphDatabase();
    EnterpriseAuthManager authManager = database.getDependencyResolver().resolveDependency(EnterpriseAuthManager.class);
    EnterpriseSecurityContext neo = authManager.login(AuthToken.newBasicAuthToken("neo4j", "neo4j"));
    // the new password is passed as a literal argument to the procedure
    String query = "CALL dbms.security.changePassword('abc123')";
    try (InternalTransaction tx = database.beginTransaction(KernelTransaction.Type.explicit, neo)) {
        Result res = database.execute(tx, query, Collections.emptyMap());
        res.close();
        tx.success();
    } finally {
        database.shutdown();
    }
    List<String> logLines = readAllLines(logFilename);
    assertEquals(1, logLines.size());
    // the password argument must be redacted in the query log and never appear in clear text,
    // while the acting user name is still recorded
    assertThat(logLines.get(0), containsString("CALL dbms.security.changePassword(******)"));
    assertThat(logLines.get(0), not(containsString("abc123")));
    assertThat(logLines.get(0), containsString(neo.subject().username()));
}
Also used: EnterpriseSecurityContext (org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext), EnterpriseAuthManager (org.neo4j.kernel.enterprise.api.security.EnterpriseAuthManager), Matchers.containsString (org.hamcrest.Matchers.containsString), GraphDatabaseFacade (org.neo4j.kernel.impl.factory.GraphDatabaseFacade), InternalTransaction (org.neo4j.kernel.impl.coreapi.InternalTransaction), Result (org.neo4j.graphdb.Result), Test (org.junit.Test)

Example 3 with EnterpriseSecurityContext

Use of org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext in project neo4j by neo4j.

Class QueryLoggerIT, method shouldLogCustomUserName.

@Test
public void shouldLogCustomUserName() throws Throwable {
    // turn on query logging
    final Map<String, String> config = stringMap(
            GraphDatabaseSettings.logs_directory.name(), logsDirectory.getPath(),
            GraphDatabaseSettings.log_queries.name(), Settings.TRUE);
    EmbeddedInteraction db = new EmbeddedInteraction(databaseBuilder, config);
    // create users
    db.getLocalUserManager().newUser("mats", "neo4j", false);
    db.getLocalUserManager().newUser("andres", "neo4j", false);
    db.getLocalUserManager().addRoleToUser("architect", "mats");
    db.getLocalUserManager().addRoleToUser("reader", "andres");
    EnterpriseSecurityContext mats = db.login("mats", "neo4j");
    // run query
    db.executeQuery(mats, "UNWIND range(0, 10) AS i CREATE (:Foo {p: i})", Collections.emptyMap(), ResourceIterator::close);
    db.executeQuery(mats, "CREATE (:Label)", Collections.emptyMap(), ResourceIterator::close);
    // switch user, run query
    EnterpriseSecurityContext andres = db.login("andres", "neo4j");
    db.executeQuery(andres, "MATCH (n:Label) RETURN n", Collections.emptyMap(), ResourceIterator::close);
    db.tearDown();
    // THEN: each logged query is attributed to the user whose security context ran it
    List<String> logLines = readAllLines(logFilename);
    assertThat(logLines, hasSize(3));
    assertThat(logLines.get(0), containsString("mats"));
    assertThat(logLines.get(1), containsString("mats"));
    assertThat(logLines.get(2), containsString("andres"));
}
Also used: EnterpriseSecurityContext (org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext), EmbeddedInteraction (org.neo4j.server.security.enterprise.auth.EmbeddedInteraction), Matchers.containsString (org.hamcrest.Matchers.containsString), ResourceIterator (org.neo4j.graphdb.ResourceIterator), Test (org.junit.Test)

Example 4 with EnterpriseSecurityContext

Use of org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext in project neo4j by neo4j.

Class SecurityProceduresTest, method setup.

@Before
public void setup() {
    // mocked security context: user "pearl" holding the single role "jammer"
    AuthSubject subject = mock(AuthSubject.class);
    when(subject.username()).thenReturn("pearl");
    EnterpriseSecurityContext ctx = mock(EnterpriseSecurityContext.class);
    when(ctx.subject()).thenReturn(subject);
    when(ctx.roles()).thenReturn(Collections.singleton("jammer"));
    procedures = new SecurityProcedures();
    procedures.securityContext = ctx;
    procedures.userManager = mock(EnterpriseUserManager.class);
}
Also used: EnterpriseSecurityContext (org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext), AuthSubject (org.neo4j.kernel.api.security.AuthSubject), Before (org.junit.Before)

Example 5 with EnterpriseSecurityContext

Use of org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext in project neo4j by neo4j.

Class EnterpriseSecurityContextDescriptionTest, method shouldMakeNiceDescriptionAuthDisabledAndRestricted.

@Test
public void shouldMakeNiceDescriptionAuthDisabledAndRestricted() throws Throwable {
    // AUTH_DISABLED grants FULL access; wrapping it in a RestrictedAccessMode narrows it to READ
    EnterpriseSecurityContext disabled = EnterpriseSecurityContext.AUTH_DISABLED;
    EnterpriseSecurityContext restricted = disabled.withMode(new RestrictedAccessMode(disabled.mode(), AccessMode.Static.READ));
    assertThat(restricted.description(), equalTo("AUTH_DISABLED with FULL restricted to READ"));
}
Also used: EnterpriseSecurityContext (org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext), RestrictedAccessMode (org.neo4j.kernel.impl.api.security.RestrictedAccessMode), Test (org.junit.Test)

Aggregations (number of usage examples in which each type appears)

EnterpriseSecurityContext (org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext): 17
Test (org.junit.Test): 14
Matchers.containsString (org.hamcrest.Matchers.containsString): 3
InternalTransaction (org.neo4j.kernel.impl.coreapi.InternalTransaction): 3
GraphDatabaseFacade (org.neo4j.kernel.impl.factory.GraphDatabaseFacade): 3
Before (org.junit.Before): 2
ResourceIterator (org.neo4j.graphdb.ResourceIterator): 2
RestrictedAccessMode (org.neo4j.kernel.impl.api.security.RestrictedAccessMode): 2
EmbeddedInteraction (org.neo4j.server.security.enterprise.auth.EmbeddedInteraction): 2
AuthenticationException (org.apache.shiro.authc.AuthenticationException): 1
ExcessiveAttemptsException (org.apache.shiro.authc.ExcessiveAttemptsException): 1
UnsupportedTokenException (org.apache.shiro.authc.pam.UnsupportedTokenException): 1
CoreMatchers.containsString (org.hamcrest.CoreMatchers.containsString): 1
QueryExecutionException (org.neo4j.graphdb.QueryExecutionException): 1
Result (org.neo4j.graphdb.Result): 1
AuthProviderTimeoutException (org.neo4j.graphdb.security.AuthProviderTimeoutException): 1
AuthSubject (org.neo4j.kernel.api.security.AuthSubject): 1
InvalidAuthTokenException (org.neo4j.kernel.api.security.exception.InvalidAuthTokenException): 1
EnterpriseAuthManager (org.neo4j.kernel.enterprise.api.security.EnterpriseAuthManager): 1
OverriddenAccessMode (org.neo4j.kernel.impl.api.security.OverriddenAccessMode): 1