Example 1 with BasicSecurityContext

Use of org.neo4j.server.security.auth.BasicSecurityContext in project neo4j by neo4j.

Class AuthorizationFilterTest, method shouldNotAuthorizeWhenPasswordChangeRequired.

@Test
public void shouldNotAuthorizeWhenPasswordChangeRequired() throws Exception {
    // Given
    final AuthorizationEnabledFilter filter = new AuthorizationEnabledFilter(() -> authManager, logProvider);
    String credentials = Base64.encodeBase64String("foo:bar".getBytes(StandardCharsets.UTF_8));
    BasicSecurityContext securityContext = mock(BasicSecurityContext.class);
    AuthSubject authSubject = mock(AuthSubject.class);
    when(servletRequest.getMethod()).thenReturn("GET");
    when(servletRequest.getContextPath()).thenReturn("/db/data");
    when(servletRequest.getRequestURL()).thenReturn(new StringBuffer("http://bar.baz:7474/db/data/"));
    when(servletRequest.getRequestURI()).thenReturn("/db/data/");
    when(servletRequest.getHeader(HttpHeaders.AUTHORIZATION)).thenReturn("BASIC " + credentials);
    when(authManager.login(authToken("foo", "bar"))).thenReturn(securityContext);
    when(securityContext.subject()).thenReturn(authSubject);
    when(authSubject.getAuthenticationResult()).thenReturn(AuthenticationResult.PASSWORD_CHANGE_REQUIRED);
    // When
    filter.doFilter(servletRequest, servletResponse, filterChain);
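    // Then: the request is not passed down the filter chain; the client gets a 403
    // whose JSON body carries the password-change URL, error code and message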
    verifyNoMoreInteractions(filterChain);
    verify(servletResponse).setStatus(403);
    verify(servletResponse).addHeader(HttpHeaders.CONTENT_TYPE, "application/json; charset=UTF-8");
    assertThat(outputStream.toString(StandardCharsets.UTF_8.name()), containsString("\"password_change\" : \"http://bar.baz:7474/user/foo/password\""));
    assertThat(outputStream.toString(StandardCharsets.UTF_8.name()), containsString("\"code\" : \"Neo.ClientError.Security.Forbidden\""));
    assertThat(outputStream.toString(StandardCharsets.UTF_8.name()), containsString("\"message\" : \"User is required to change their password.\""));
}
Also used : AuthSubject(org.neo4j.kernel.api.security.AuthSubject) Matchers.containsString(org.hamcrest.Matchers.containsString) BasicSecurityContext(org.neo4j.server.security.auth.BasicSecurityContext) Test(org.junit.Test)

Example 2 with BasicSecurityContext

Use of org.neo4j.server.security.auth.BasicSecurityContext in project neo4j by neo4j.

Class AuthorizationFilterTest, method shouldAuthorizeWhenPasswordChangeRequiredForWhitelistedPath.

@Test
public void shouldAuthorizeWhenPasswordChangeRequiredForWhitelistedPath() throws Exception {
    // Given
    final AuthorizationEnabledFilter filter = new AuthorizationEnabledFilter(() -> authManager, logProvider);
    String credentials = Base64.encodeBase64String("foo:bar".getBytes(StandardCharsets.UTF_8));
    BasicSecurityContext securityContext = mock(BasicSecurityContext.class);
    AuthSubject authSubject = mock(AuthSubject.class);
    when(servletRequest.getMethod()).thenReturn("GET");
    when(servletRequest.getContextPath()).thenReturn("/user/foo");
    when(servletRequest.getHeader(HttpHeaders.AUTHORIZATION)).thenReturn("BASIC " + credentials);
    when(authManager.login(authToken("foo", "bar"))).thenReturn(securityContext);
    when(securityContext.subject()).thenReturn(authSubject);
    when(authSubject.getAuthenticationResult()).thenReturn(AuthenticationResult.PASSWORD_CHANGE_REQUIRED);
    // When
    filter.doFilter(servletRequest, servletResponse, filterChain);
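    // Then: the whitelisted path is let through despite PASSWORD_CHANGE_REQUIRED,
    // and the request continues down the chain wrapped as user "foo"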
    verify(filterChain).doFilter(eq(new AuthorizedRequestWrapper(BASIC_AUTH, "foo", servletRequest, AUTH_DISABLED)), same(servletResponse));
}
Also used : AuthSubject(org.neo4j.kernel.api.security.AuthSubject) Matchers.containsString(org.hamcrest.Matchers.containsString) BasicSecurityContext(org.neo4j.server.security.auth.BasicSecurityContext) Test(org.junit.Test)

Example 3 with BasicSecurityContext

Use of org.neo4j.server.security.auth.BasicSecurityContext in project neo4j by neo4j.

Class UserServiceTest, method setupAuthManagerAndSubject.

protected void setupAuthManagerAndSubject() {
    BasicAuthManager basicAuthManager = new BasicAuthManager(userRepository, passwordPolicy, mock(AuthenticationStrategy.class), new InMemoryUserRepository());
    userManagerSupplier = basicAuthManager;
    neo4jContext = new BasicSecurityContext(basicAuthManager, NEO4J_USER, AuthenticationResult.SUCCESS);
}
Also used : BasicAuthManager(org.neo4j.server.security.auth.BasicAuthManager) AuthenticationStrategy(org.neo4j.server.security.auth.AuthenticationStrategy) BasicSecurityContext(org.neo4j.server.security.auth.BasicSecurityContext) InMemoryUserRepository(org.neo4j.server.security.auth.InMemoryUserRepository)
