
Example 1 with SecurityLog

Use of org.neo4j.server.security.enterprise.log.SecurityLog in the neo4j project (by neo4j).

From class EnterpriseSecurityModule, method setup.

/**
 * Wires the enterprise security components into the database lifecycle and
 * exposes them to procedures.
 * <p>
 * The statement order is kept deliberately: the {@link SecurityLog} is added to
 * {@code life} before the auth manager is created, and the publisher-token flag is
 * pushed into {@link PredefinedRolesBuilder} and {@code procedures} before
 * {@code newAuthManager} runs, since later steps may rely on those side effects.
 *
 * @param dependencies accessors for config, procedures, logging, scheduling, file system and lifecycle
 * @throws KernelException if procedure registration fails
 */
@Override
public void setup(Dependencies dependencies) throws KernelException {
    Config config = dependencies.config();
    Procedures procedures = dependencies.procedures();
    LogProvider userLogProvider = dependencies.logService().getUserLogProvider();
    JobScheduler scheduler = dependencies.scheduler();
    FileSystemAbstraction fs = dependencies.fileSystem();
    LifeSupport life = dependencies.lifeSupport();

    // The security log is a lifecycle component; it must be registered before anything that writes to it.
    SecurityLog securityLog = SecurityLog.create(config,
            dependencies.logService().getInternalLog(GraphDatabaseFacade.class), fs, scheduler);
    life.add(securityLog);

    boolean publisherMayCreateToken = config.get(SecuritySettings.allow_publisher_create_token);
    PredefinedRolesBuilder.setAllowPublisherTokenCreate(publisherMayCreateToken);
    procedures.writerCreateToken(publisherMayCreateToken);

    EnterpriseAuthAndUserManager authManager =
            newAuthManager(config, userLogProvider, securityLog, fs, scheduler);
    life.add(dependencies.dependencySatisfier().satisfyDependency(authManager));

    // Components injectable into procedures.
    procedures.registerComponent(SecurityLog.class, ctx -> securityLog, false);
    procedures.registerComponent(EnterpriseAuthManager.class, ctx -> authManager, false);
    procedures.registerComponent(EnterpriseSecurityContext.class,
            ctx -> asEnterprise(ctx.get(SECURITY_CONTEXT)), true);

    boolean nativeAuthInUse = config.get(SecuritySettings.native_authentication_enabled)
            || config.get(SecuritySettings.native_authorization_enabled);
    if (!nativeAuthInUse) {
        // No native users to manage: expose a no-op user manager so procedures still resolve.
        procedures.registerComponent(EnterpriseUserManager.class, ctx -> EnterpriseUserManager.NOOP, true);
    } else {
        procedures.registerComponent(EnterpriseUserManager.class,
                ctx -> authManager.getUserManager(asEnterprise(ctx.get(SECURITY_CONTEXT))), true);
        boolean multipleProviders = config.get(SecuritySettings.auth_providers).size() > 1;
        if (multipleProviders) {
            // With several providers, warn that user management only touches native users.
            procedures.registerProcedure(UserManagementProcedures.class, true,
                    Optional.of("%s only applies to native users."));
        } else {
            procedures.registerProcedure(UserManagementProcedures.class, true);
        }
    }
    procedures.registerProcedure(SecurityProcedures.class, true);
}

Example 2 with SecurityLog

Use of org.neo4j.server.security.enterprise.log.SecurityLog in the neo4j project (by neo4j).

From class EnterpriseSecurityModule, method createPluginRealms.

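/**
 * Discovers the auth plugins available through {@link Service} loading, wraps each in a
 * {@link PluginRealm}, and returns only the realms named in
 * {@code securityConfig.pluginAuthProviders}.
 * <p>
 * Which service interfaces are scanned depends on configuration: {@link AuthPlugin} only when
 * both plugin authentication and authorization are enabled, {@link AuthenticationPlugin} when
 * plugin authentication is enabled, and {@link AuthorizationPlugin} when plugin authorization is
 * enabled. A plugin implementing both {@link AuthenticationPlugin} and
 * {@link AuthorizationPlugin} becomes one combined realm and is not added again when the
 * {@link AuthorizationPlugin} services are loaded.
 * <p>
 * Fails closed: every configured provider name must resolve to a discovered realm, and when
 * plugins are the only authentication (or authorization) source, at least one selected realm
 * must be able to authenticate (or authorize).
 *
 * @param config         database configuration handed to every realm
 * @param securityLog    security log handed to every realm
 * @param secureHasher   hasher handed to every realm
 * @param securityConfig parsed security settings selecting which plugin kinds are enabled
 * @return the realms for the configured plugin providers, in discovery order
 * @throws RuntimeException the exception built by {@code illegalConfiguration} when a configured
 *                          plugin is missing or a required capability is not provided
 */
private static List<PluginRealm> createPluginRealms(Config config, SecurityLog securityLog, SecureHasher secureHasher, SecurityConfig securityConfig) {
    List<PluginRealm> availablePluginRealms = discoverPluginRealms(config, securityLog, secureHasher, securityConfig);

    // Every configured provider name must correspond to a realm that was actually discovered.
    for (String pluginRealmName : securityConfig.pluginAuthProviders) {
        boolean found = availablePluginRealms.stream().anyMatch(r -> r.getName().equals(pluginRealmName));
        if (!found) {
            throw illegalConfiguration(format("Failed to load auth plugin '%s'.", pluginRealmName));
        }
    }

    List<PluginRealm> realms = availablePluginRealms.stream()
            .filter(realm -> securityConfig.pluginAuthProviders.contains(realm.getName()))
            .collect(Collectors.toList());

    verifyRequiredPluginCapabilities(realms, securityConfig);
    return realms;
}

/**
 * Loads every plugin kind enabled by {@code securityConfig} and wraps each in a {@link PluginRealm}.
 * Combined authentication+authorization plugins are registered once.
 */
private static List<PluginRealm> discoverPluginRealms(Config config, SecurityLog securityLog, SecureHasher secureHasher, SecurityConfig securityConfig) {
    List<PluginRealm> availablePluginRealms = new ArrayList<>();
    // Classes already wrapped as combined realms in the AuthenticationPlugin pass; skipped in the
    // AuthorizationPlugin pass so the same plugin is not registered twice.
    Set<Class<?>> combinedPluginClasses = new HashSet<>();

    if (securityConfig.pluginAuthentication && securityConfig.pluginAuthorization) {
        for (AuthPlugin plugin : Service.load(AuthPlugin.class)) {
            availablePluginRealms.add(new PluginRealm(plugin, config, securityLog, Clocks.systemClock(), secureHasher));
        }
    }
    if (securityConfig.pluginAuthentication) {
        for (AuthenticationPlugin plugin : Service.load(AuthenticationPlugin.class)) {
            if (securityConfig.pluginAuthorization && plugin instanceof AuthorizationPlugin) {
                // Implements both interfaces: create one combined realm.
                availablePluginRealms.add(new PluginRealm(plugin, (AuthorizationPlugin) plugin, config, securityLog, Clocks.systemClock(), secureHasher));
                combinedPluginClasses.add(plugin.getClass());
            } else {
                availablePluginRealms.add(new PluginRealm(plugin, null, config, securityLog, Clocks.systemClock(), secureHasher));
            }
        }
    }
    if (securityConfig.pluginAuthorization) {
        for (AuthorizationPlugin plugin : Service.load(AuthorizationPlugin.class)) {
            if (!combinedPluginClasses.contains(plugin.getClass())) {
                availablePluginRealms.add(new PluginRealm(null, plugin, config, securityLog, Clocks.systemClock(), secureHasher));
            }
        }
    }
    return availablePluginRealms;
}

/**
 * Rejects the configuration when plugins are the only authentication (or authorization) source
 * but none of the selected realms provides that capability.
 */
private static void verifyRequiredPluginCapabilities(List<PluginRealm> realms, SecurityConfig securityConfig) {
    boolean missingAuthenticatingRealm = securityConfig.onlyPluginAuthentication()
            && realms.stream().noneMatch(PluginRealm::canAuthenticate);
    boolean missingAuthorizingRealm = securityConfig.onlyPluginAuthorization()
            && realms.stream().noneMatch(PluginRealm::canAuthorize);
    if (!missingAuthenticatingRealm && !missingAuthorizingRealm) {
        return;
    }
    String missingProvider;
    if (missingAuthenticatingRealm && missingAuthorizingRealm) {
        missingProvider = "authentication or authorization";
    } else if (missingAuthenticatingRealm) {
        missingProvider = "authentication";
    } else {
        missingProvider = "authorization";
    }
    throw illegalConfiguration(format("No plugin %s provider loaded even though required by configuration.", missingProvider));
}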

Example 3 with SecurityLog

Use of org.neo4j.server.security.enterprise.log.SecurityLog in the neo4j project (by neo4j).

From class PersonalUserManagerTest, method setup.

/**
 * Builds the fixture: a flat-file realm over in-memory repositories, wrapped in an
 * {@code EvilUserManager}, and a {@link PersonalUserManager} on top of it that runs as
 * {@link SecurityContext#AUTH_DISABLED} and writes to a {@link SecurityLog} around a spied {@link Log}.
 */
@Before
public void setup() {
    InternalFlatFileRealm realm = new InternalFlatFileRealm(
            new InMemoryUserRepository(),
            new InMemoryRoleRepository(),
            new BasicPasswordPolicy(),
            new RateLimitedAuthenticationStrategy(Clock.systemUTC(), 3),
            new InternalFlatFileRealmIT.TestJobScheduler(),
            new InMemoryUserRepository(),
            new InMemoryUserRepository());
    evilUserManager = new EvilUserManager(realm);
    // Spied so tests can verify what gets logged.
    log = spy(Log.class);
    SecurityLog securityLog = new SecurityLog(log);
    userManager = new PersonalUserManager(evilUserManager, SecurityContext.AUTH_DISABLED, securityLog);
}

Example 4 with SecurityLog

Use of org.neo4j.server.security.enterprise.log.SecurityLog in the neo4j project (by neo4j).

From class LdapCachingTest, method setup.

/**
 * Builds an auth manager over an internal flat-file realm plus the LDAP {@code TestRealm},
 * using a {@code ShiroCaffeineCache.Manager} whose ticker is {@code fakeTicker} (presumably so
 * tests can control cache expiry), then inits and starts it and creates the two test users.
 *
 * @throws Throwable if init/start of the auth manager fails
 */
@Before
public void setup() throws Throwable {
    SecurityLog auditLog = mock(SecurityLog.class);
    InternalFlatFileRealm flatFileRealm = new InternalFlatFileRealm(
            new InMemoryUserRepository(),
            new InMemoryRoleRepository(),
            new BasicPasswordPolicy(),
            new RateLimitedAuthenticationStrategy(Clock.systemUTC(), 3),
            mock(JobScheduler.class),
            new InMemoryUserRepository(),
            new InMemoryUserRepository());
    testRealm = new TestRealm(getLdapConfig(), auditLog, new SecureHasher());
    fakeTicker = new FakeTicker();
    List<Realm> realms = listOf(flatFileRealm, testRealm);
    ShiroCaffeineCache.Manager cacheManager = new ShiroCaffeineCache.Manager(fakeTicker::read, 100, 10);
    authManager = new MultiRealmAuthManager(flatFileRealm, realms, cacheManager, auditLog, false);
    authManager.init();
    authManager.start();
    // Test-only credentials used by the cases in this class.
    authManager.getUserManager().newUser("mike", "123", false);
    authManager.getUserManager().newUser("mats", "456", false);
}

Example 5 with SecurityLog

Use of org.neo4j.server.security.enterprise.log.SecurityLog in the neo4j project (by neo4j).

From class MultiRealmAuthManagerTest, method createAuthManager.

/**
 * Creates, stores in {@code manager} and initialises (but does not start) a
 * {@link MultiRealmAuthManager} whose single realm is an internal flat-file realm built from
 * the test's {@code users}, {@code authStrategy}, {@code config} and {@code fsRule}.
 *
 * @param logSuccessfulAuthentications forwarded to the auth manager (presumably controls whether
 *                                     successful logins are written to the security log)
 * @return the initialised manager; the same instance as the {@code manager} field
 * @throws Throwable if {@code init()} fails
 */
private MultiRealmAuthManager createAuthManager(boolean logSuccessfulAuthentications) throws Throwable {
    Log log = logProvider.getLog(getClass());
    InternalFlatFileRealm flatFileRealm = new InternalFlatFileRealm(
            users,
            new InMemoryRoleRepository(),
            mock(PasswordPolicy.class),
            authStrategy,
            mock(JobScheduler.class),
            CommunitySecurityModule.getInitialUserRepository(config, NullLogProvider.getInstance(), fsRule.get()),
            EnterpriseSecurityModule.getDefaultAdminRepository(config, NullLogProvider.getInstance(), fsRule.get()));
    MemoryConstrainedCacheManager cacheManager = new MemoryConstrainedCacheManager();
    SecurityLog securityLog = new SecurityLog(log);
    manager = new MultiRealmAuthManager(
            flatFileRealm,
            Collections.singleton(flatFileRealm),
            cacheManager,
            securityLog,
            logSuccessfulAuthentications);
    manager.init();
    return manager;
}
