use of org.neo4j.server.security.auth.BasicLoginContext in project neo4j by neo4j.
the class AuthorizationFilterTest method shouldAuthorizeWhenValidCredentialsSupplied.
@Test
void shouldAuthorizeWhenValidCredentialsSupplied() throws Exception {
    // Given: a GET carrying a Basic header whose token the auth manager resolves to SUCCESS.
    final AuthorizationEnabledFilter filter = newFilter();
    final String encodedBasicCredentials = Base64.encodeBase64String("foo:bar".getBytes(UTF_8));
    final BasicLoginContext stubbedLoginContext = mock(BasicLoginContext.class);
    final AuthSubject stubbedSubject = mock(AuthSubject.class);
    when(stubbedLoginContext.subject()).thenReturn(stubbedSubject);
    when(stubbedSubject.getAuthenticationResult()).thenReturn(AuthenticationResult.SUCCESS);
    // The matcher pins the exact principal/credential pair the filter must extract from the header.
    when(authManager.login(argThat(new AuthTokenMatcher(authToken("foo", "bar"))), any())).thenReturn(stubbedLoginContext);
    when(servletRequest.getHeader(HttpHeaders.AUTHORIZATION)).thenReturn("BASIC " + encodedBasicCredentials);
    when(servletRequest.getMethod()).thenReturn("GET");
    when(servletRequest.getContextPath()).thenReturn("/db/data");
    when(servletRequest.getRemoteAddr()).thenReturn("client");
    when(servletRequest.getRemotePort()).thenReturn(1337);
    when(servletRequest.getServerName()).thenReturn("server");
    when(servletRequest.getServerPort()).thenReturn(42);
    // When
    filter.doFilter(servletRequest, servletResponse, filterChain);
    // Then: the chain proceeds with a wrapper naming "foo" as the basic-auth principal.
    final AuthorizedRequestWrapper expectedRequest = new AuthorizedRequestWrapper(BASIC_AUTH, "foo", servletRequest, AUTH_DISABLED);
    verify(filterChain).doFilter(eq(expectedRequest), same(servletResponse));
}
use of org.neo4j.server.security.auth.BasicLoginContext in project neo4j by neo4j.
the class BasicSystemGraphRealm method login.
/**
 * Authenticates the caller described by {@code authToken} and wraps the outcome in a
 * {@link BasicLoginContext} bound to {@code connectionInfo}.
 * <p>
 * The token's credentials are cleared in a {@code finally} block, so they are wiped on every
 * exit path, including when scheme validation or the token casts throw. If the principal
 * cannot be resolved ({@code InvalidArgumentsException} or {@code FormatException}), a
 * user-less context with {@code AuthenticationResult.FAILURE} is returned and
 * {@code authenticationStrategy} is never consulted. A {@code SUCCESS} result is downgraded to
 * {@code PASSWORD_CHANGE_REQUIRED} when the user is flagged for a password change.
 * NOTE(review): because the unknown-user path skips the authentication strategy entirely, its
 * response time can differ from a wrong-password attempt — confirm whether that difference is
 * acceptable for this realm.
 *
 * @param authToken the auth token map; its credentials entry is cleared before this returns
 * @param connectionInfo the client connection the resulting context describes
 * @return a context carrying the resolved user and result, or a user-less FAILURE context
 * @throws InvalidAuthTokenException declared by this method; presumably raised by the scheme
 *         check or the token casts when the token is malformed
 */
@Override
public LoginContext login(Map<String, Object> authToken, ClientConnectionInfo connectionInfo) throws InvalidAuthTokenException {
    try {
        assertValidScheme(authToken);
        final String principal = AuthToken.safeCast(AuthToken.PRINCIPAL, authToken);
        final byte[] secret = AuthToken.safeCastCredentials(AuthToken.CREDENTIALS, authToken);
        User resolvedUser;
        AuthenticationResult outcome;
        try {
            resolvedUser = systemGraphRealmHelper.getUser(principal);
            outcome = authenticationStrategy.authenticate(resolvedUser, secret);
            if (outcome == AuthenticationResult.SUCCESS && resolvedUser.passwordChangeRequired()) {
                outcome = AuthenticationResult.PASSWORD_CHANGE_REQUIRED;
            }
        } catch (InvalidArgumentsException | FormatException e) {
            // Unresolvable principal: report a plain failure without a user.
            return new BasicLoginContext(null, AuthenticationResult.FAILURE, connectionInfo);
        }
        return new BasicLoginContext(resolvedUser, outcome, connectionInfo);
    } finally {
        // Always scrub the supplied credentials, whatever the outcome above.
        AuthToken.clearCredentials(authToken);
    }
}
use of org.neo4j.server.security.auth.BasicLoginContext in project neo4j by neo4j.
the class AuthorizationFilterTest method shouldNotAuthorizeWhenTooManyAttemptsMade.
@Test
void shouldNotAuthorizeWhenTooManyAttemptsMade() throws Exception {
    // Given: well-formed Basic credentials that the auth manager rejects with TOO_MANY_ATTEMPTS.
    final AuthorizationEnabledFilter filter = newFilter();
    final String encodedBasicCredentials = Base64.encodeBase64String("foo:bar".getBytes(UTF_8));
    final BasicLoginContext stubbedLoginContext = mock(BasicLoginContext.class);
    final AuthSubject stubbedSubject = mock(AuthSubject.class);
    when(stubbedLoginContext.subject()).thenReturn(stubbedSubject);
    when(stubbedSubject.getAuthenticationResult()).thenReturn(AuthenticationResult.TOO_MANY_ATTEMPTS);
    when(authManager.login(argThat(new AuthTokenMatcher(authToken("foo", "bar"))), any())).thenReturn(stubbedLoginContext);
    when(servletRequest.getHeader(HttpHeaders.AUTHORIZATION)).thenReturn("BASIC " + encodedBasicCredentials);
    when(servletRequest.getMethod()).thenReturn("GET");
    when(servletRequest.getContextPath()).thenReturn("/db/data");
    when(servletRequest.getRemoteAddr()).thenReturn("client");
    when(servletRequest.getRemotePort()).thenReturn(1337);
    when(servletRequest.getServerName()).thenReturn("server");
    when(servletRequest.getServerPort()).thenReturn(42);
    // When
    filter.doFilter(servletRequest, servletResponse, filterChain);
    // Then: the chain is never reached and the client gets a 429 with a rate-limit error body.
    verifyNoMoreInteractions(filterChain);
    verify(servletResponse).setStatus(429);
    verify(servletResponse).addHeader(HttpHeaders.CONTENT_TYPE, "application/json; charset=UTF-8");
    final String responseBody = outputStream.toString(UTF_8.name());
    assertThat(responseBody).contains("\"code\" : \"Neo.ClientError.Security.AuthenticationRateLimit\"");
    assertThat(responseBody).contains("\"message\" : \"Too many failed authentication requests. " + "Please wait 5 seconds and try again.\"");
}
use of org.neo4j.server.security.auth.BasicLoginContext in project neo4j by neo4j.
the class AuthorizationFilterTest method shouldNotAuthorizeInvalidCredentials.
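@Test
void shouldNotAuthorizeInvalidCredentials() throws Exception {
    // Given: well-formed Basic credentials that the auth manager rejects with FAILURE.
    final AuthorizationEnabledFilter filter = newFilter();
    final String encodedBasicCredentials = Base64.encodeBase64String("foo:bar".getBytes(UTF_8));
    final BasicLoginContext stubbedLoginContext = mock(BasicLoginContext.class);
    final AuthSubject stubbedSubject = mock(AuthSubject.class);
    when(stubbedLoginContext.subject()).thenReturn(stubbedSubject);
    when(stubbedSubject.getAuthenticationResult()).thenReturn(AuthenticationResult.FAILURE);
    when(authManager.login(argThat(new AuthTokenMatcher(authToken("foo", "bar"))), any())).thenReturn(stubbedLoginContext);
    when(servletRequest.getHeader(HttpHeaders.AUTHORIZATION)).thenReturn("BASIC " + encodedBasicCredentials);
    when(servletRequest.getMethod()).thenReturn("GET");
    when(servletRequest.getContextPath()).thenReturn("/db/data");
    // Stubbed once only: the earlier "client" value was immediately overridden and never observed.
    // This is the address the warning log line must report.
    when(servletRequest.getRemoteAddr()).thenReturn("remote_ip_address");
    when(servletRequest.getRemotePort()).thenReturn(1337);
    when(servletRequest.getServerName()).thenReturn("server");
    when(servletRequest.getServerPort()).thenReturn(42);
    // When
    filter.doFilter(servletRequest, servletResponse, filterChain);
    // Then: the chain is never reached, the failed attempt is logged with the source address,
    // and the client gets a 401 with a generic message that does not reveal which part was wrong.
    verifyNoMoreInteractions(filterChain);
    assertThat(logProvider).forClass(AuthorizationEnabledFilter.class).forLevel(WARN).containsMessages("Failed authentication attempt for '%s' from %s", "foo", "remote_ip_address");
    verify(servletResponse).setStatus(401);
    verify(servletResponse).addHeader(HttpHeaders.CONTENT_TYPE, "application/json; charset=UTF-8");
    final String responseBody = outputStream.toString(UTF_8.name());
    assertThat(responseBody).contains("\"code\" : \"Neo.ClientError.Security.Unauthorized\"");
    assertThat(responseBody).contains("\"message\" : \"Invalid username or password.\"");
}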
use of org.neo4j.server.security.auth.BasicLoginContext in project neo4j by neo4j.
the class AuthorizationFilterTest method shouldAuthorizeWhenPasswordChangeRequired.
@Test
void shouldAuthorizeWhenPasswordChangeRequired() throws Exception {
    // Given: valid Basic credentials for a user whose login result is PASSWORD_CHANGE_REQUIRED.
    final AuthorizationEnabledFilter filter = newFilter();
    final String encodedBasicCredentials = Base64.encodeBase64String("foo:bar".getBytes(UTF_8));
    final BasicLoginContext stubbedLoginContext = mock(BasicLoginContext.class);
    final AuthSubject stubbedSubject = mock(AuthSubject.class);
    when(stubbedLoginContext.subject()).thenReturn(stubbedSubject);
    when(stubbedSubject.getAuthenticationResult()).thenReturn(AuthenticationResult.PASSWORD_CHANGE_REQUIRED);
    when(authManager.login(argThat(new AuthTokenMatcher(authToken("foo", "bar"))), any())).thenReturn(stubbedLoginContext);
    when(servletRequest.getHeader(HttpHeaders.AUTHORIZATION)).thenReturn("BASIC " + encodedBasicCredentials);
    when(servletRequest.getMethod()).thenReturn("GET");
    when(servletRequest.getContextPath()).thenReturn("/db/data");
    // Request URL/URI are stubbed here; presumably the filter reads them on this result path — verify against the filter.
    when(servletRequest.getRequestURL()).thenReturn(new StringBuffer("http://bar.baz:7474/db/data/"));
    when(servletRequest.getRequestURI()).thenReturn("/db/data/");
    when(servletRequest.getRemoteAddr()).thenReturn("client");
    when(servletRequest.getRemotePort()).thenReturn(1337);
    when(servletRequest.getServerName()).thenReturn("server");
    when(servletRequest.getServerPort()).thenReturn(42);
    // When
    filter.doFilter(servletRequest, servletResponse, filterChain);
    // Then: the filter still lets the request through as "foo"; enforcing the password
    // change is not this filter's job, so the wrapper is identical to the plain-success case.
    final AuthorizedRequestWrapper expectedRequest = new AuthorizedRequestWrapper(BASIC_AUTH, "foo", servletRequest, AUTH_DISABLED);
    verify(filterChain).doFilter(eq(expectedRequest), same(servletResponse));
}