use of org.neo4j.server.security.enterprise.log.SecurityLog in project neo4j by neo4j.
the class EnterpriseSecurityModule method setup.
/**
 * Wires the enterprise security stack into the kernel: creates and lifecycle-manages the
 * security log, builds the auth/user manager, and registers the security-related
 * procedure components and procedures.
 *
 * @param dependencies the kernel dependency bag this module draws its collaborators from
 * @throws KernelException if procedure registration fails
 */
@Override
public void setup(Dependencies dependencies) throws KernelException {
    Config settings = dependencies.config();
    Procedures procedureRegistry = dependencies.procedures();
    LogProvider userLogProvider = dependencies.logService().getUserLogProvider();
    JobScheduler scheduler = dependencies.scheduler();
    FileSystemAbstraction fs = dependencies.fileSystem();
    LifeSupport lifecycle = dependencies.lifeSupport();

    // The security log is a dedicated audit trail, built on the internal log of the
    // database facade and owned by the lifecycle so it is started and stopped with the database.
    SecurityLog auditLog = SecurityLog.create(settings,
            dependencies.logService().getInternalLog(GraphDatabaseFacade.class), fs, scheduler);
    lifecycle.add(auditLog);

    // Read the publisher token-creation setting once and push it to both consumers so the
    // role builder and the procedure layer cannot disagree on it.
    boolean publishersMayCreateTokens = settings.get(SecuritySettings.allow_publisher_create_token);
    PredefinedRolesBuilder.setAllowPublisherTokenCreate(publishersMayCreateTokens);
    procedureRegistry.writerCreateToken(publishersMayCreateTokens);

    EnterpriseAuthAndUserManager authManager =
            newAuthManager(settings, userLogProvider, auditLog, fs, scheduler);
    lifecycle.add(dependencies.dependencySatisfier().satisfyDependency(authManager));

    // Procedure components: the security context component is resolved per call from the
    // procedure context; the log and auth manager are shared singletons.
    // NOTE(review): the trailing boolean on registerComponent/registerProcedure is passed
    // through unchanged; its meaning is defined by Procedures, not visible here.
    procedureRegistry.registerComponent(SecurityLog.class, ctx -> auditLog, false);
    procedureRegistry.registerComponent(EnterpriseAuthManager.class, ctx -> authManager, false);
    procedureRegistry.registerComponent(EnterpriseSecurityContext.class,
            ctx -> asEnterprise(ctx.get(SECURITY_CONTEXT)), true);

    registerUserManagement(settings, procedureRegistry, authManager);

    procedureRegistry.registerProcedure(SecurityProcedures.class, true);
}

/**
 * Registers the user-manager component and, only when native authentication or authorization
 * is enabled, the user-management procedures. With neither enabled the component is a no-op and
 * the user-management procedures are not registered at all.
 */
private static void registerUserManagement(Config settings, Procedures procedureRegistry,
        EnterpriseAuthAndUserManager authManager) throws KernelException {
    boolean nativeAuthn = settings.get(SecuritySettings.native_authentication_enabled);
    boolean nativeAuthz = settings.get(SecuritySettings.native_authorization_enabled);
    if (!(nativeAuthn || nativeAuthz)) {
        procedureRegistry.registerComponent(EnterpriseUserManager.class,
                ctx -> EnterpriseUserManager.NOOP, true);
        return;
    }

    procedureRegistry.registerComponent(EnterpriseUserManager.class,
            ctx -> authManager.getUserManager(asEnterprise(ctx.get(SECURITY_CONTEXT))), true);

    // With more than one auth provider configured, the procedures carry a warning that they
    // act on native users only.
    boolean multipleProviders = settings.get(SecuritySettings.auth_providers).size() > 1;
    if (multipleProviders) {
        procedureRegistry.registerProcedure(UserManagementProcedures.class, true,
                Optional.of("%s only applies to native users."));
    } else {
        procedureRegistry.registerProcedure(UserManagementProcedures.class, true);
    }
}
use of org.neo4j.server.security.enterprise.log.SecurityLog in project neo4j by neo4j.
the class EnterpriseSecurityModule method createPluginRealms.
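/**
 * Builds the plugin realms selected by {@code securityConfig.pluginAuthProviders}.
 * <p>
 * Every plugin discovered via {@code Service.load} that the configuration permits is turned into a
 * {@link PluginRealm}; the result is then narrowed to the configured provider names. Configuration
 * errors fail closed: a configured name that did not load, or a configuration that requires plugin
 * authentication/authorization but selected no realm able to provide it, aborts startup.
 *
 * @param config         database configuration passed through to each realm
 * @param securityLog    security audit log passed through to each realm
 * @param secureHasher   hasher passed through to each realm
 * @param securityConfig parsed security settings (which plugin kinds are enabled, and which names are selected)
 * @return the realms for the configured plugin providers, in discovery order
 * @throws IllegalArgumentException (via {@code illegalConfiguration}) on the misconfigurations described above
 */
private static List<PluginRealm> createPluginRealms(Config config, SecurityLog securityLog,
        SecureHasher secureHasher, SecurityConfig securityConfig) {
    List<PluginRealm> availablePluginRealms =
            loadAvailablePluginRealms(config, securityLog, secureHasher, securityConfig);

    // Fail closed: a provider named in the configuration that could not be loaded is an error,
    // not something to silently skip in favour of whatever else loaded.
    for (String pluginRealmName : securityConfig.pluginAuthProviders) {
        if (availablePluginRealms.stream().noneMatch(r -> r.getName().equals(pluginRealmName))) {
            throw illegalConfiguration(format("Failed to load auth plugin '%s'.", pluginRealmName));
        }
    }

    List<PluginRealm> realms = availablePluginRealms.stream()
            .filter(realm -> securityConfig.pluginAuthProviders.contains(realm.getName()))
            .collect(Collectors.toList());

    // If plugins are the only source of authentication (or authorization), at least one selected
    // realm must actually be able to provide it; otherwise every login (or every permission check)
    // would have no backing realm.
    boolean missingAuthenticatingRealm = securityConfig.onlyPluginAuthentication()
            && realms.stream().noneMatch(PluginRealm::canAuthenticate);
    boolean missingAuthorizingRealm = securityConfig.onlyPluginAuthorization()
            && realms.stream().noneMatch(PluginRealm::canAuthorize);
    if (missingAuthenticatingRealm || missingAuthorizingRealm) {
        String missingProvider;
        if (missingAuthenticatingRealm && missingAuthorizingRealm) {
            missingProvider = "authentication or authorization";
        } else if (missingAuthenticatingRealm) {
            missingProvider = "authentication";
        } else {
            missingProvider = "authorization";
        }
        throw illegalConfiguration(
                format("No plugin %s provider loaded even though required by configuration.", missingProvider));
    }
    return realms;
}

/**
 * Instantiates one realm per discovered plugin that the configuration allows.
 * <p>
 * A plugin class that implements both {@code AuthenticationPlugin} and {@code AuthorizationPlugin}
 * is wrapped in a single combined realm and then excluded from the authorization pass so it is
 * not registered twice.
 */
private static List<PluginRealm> loadAvailablePluginRealms(Config config, SecurityLog securityLog,
        SecureHasher secureHasher, SecurityConfig securityConfig) {
    List<PluginRealm> availablePluginRealms = new ArrayList<>();
    // Classes already covered by a combined realm; typed Class<?> instead of the raw Class.
    Set<Class<?>> excludedClasses = new HashSet<>();

    if (securityConfig.pluginAuthentication && securityConfig.pluginAuthorization) {
        for (AuthPlugin plugin : Service.load(AuthPlugin.class)) {
            availablePluginRealms.add(
                    new PluginRealm(plugin, config, securityLog, Clocks.systemClock(), secureHasher));
        }
    }

    if (securityConfig.pluginAuthentication) {
        for (AuthenticationPlugin plugin : Service.load(AuthenticationPlugin.class)) {
            PluginRealm pluginRealm;
            if (securityConfig.pluginAuthorization && plugin instanceof AuthorizationPlugin) {
                // Both interfaces on one class: build a combined realm and remember the class so
                // the AuthorizationPlugin pass below does not add a duplicate.
                pluginRealm = new PluginRealm(plugin, (AuthorizationPlugin) plugin, config, securityLog,
                        Clocks.systemClock(), secureHasher);
                excludedClasses.add(plugin.getClass());
            } else {
                pluginRealm = new PluginRealm(plugin, null, config, securityLog,
                        Clocks.systemClock(), secureHasher);
            }
            availablePluginRealms.add(pluginRealm);
        }
    }

    if (securityConfig.pluginAuthorization) {
        for (AuthorizationPlugin plugin : Service.load(AuthorizationPlugin.class)) {
            if (!excludedClasses.contains(plugin.getClass())) {
                availablePluginRealms.add(new PluginRealm(null, plugin, config, securityLog,
                        Clocks.systemClock(), secureHasher));
            }
        }
    }
    return availablePluginRealms;
}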
use of org.neo4j.server.security.enterprise.log.SecurityLog in project neo4j by neo4j.
the class PersonalUserManagerTest method setup.
/**
 * Builds the fixture: a flat-file realm backed entirely by in-memory repositories, wrapped in
 * {@code EvilUserManager}, behind a {@code PersonalUserManager} running with auth disabled.
 * The security log writes to a spied {@code Log} so tests can verify what gets logged.
 */
@Before
public void setup() {
    // All repositories are in-memory, so nothing touches disk; the rate limiter allows 3 attempts.
    InternalFlatFileRealm flatFileRealm = new InternalFlatFileRealm(
            new InMemoryUserRepository(),
            new InMemoryRoleRepository(),
            new BasicPasswordPolicy(),
            new RateLimitedAuthenticationStrategy(Clock.systemUTC(), 3),
            new InternalFlatFileRealmIT.TestJobScheduler(),
            new InMemoryUserRepository(),
            new InMemoryUserRepository());
    evilUserManager = new EvilUserManager(flatFileRealm);

    log = spy(Log.class);
    SecurityLog securityLog = new SecurityLog(log);
    userManager = new PersonalUserManager(evilUserManager, SecurityContext.AUTH_DISABLED, securityLog);
}
use of org.neo4j.server.security.enterprise.log.SecurityLog in project neo4j by neo4j.
the class LdapCachingTest method setup.
/**
 * Builds a two-realm auth manager (in-memory flat-file realm plus the LDAP {@code TestRealm})
 * whose cache is driven by a {@code FakeTicker}, so tests control cache time; seeds two users.
 *
 * @throws Throwable if init/start or user creation fails
 */
@Before
public void setup() throws Throwable {
    SecurityLog securityLog = mock(SecurityLog.class);

    // Native realm with purely in-memory state; rate limiter allows 3 attempts.
    InternalFlatFileRealm nativeRealm = new InternalFlatFileRealm(
            new InMemoryUserRepository(),
            new InMemoryRoleRepository(),
            new BasicPasswordPolicy(),
            new RateLimitedAuthenticationStrategy(Clock.systemUTC(), 3),
            mock(JobScheduler.class),
            new InMemoryUserRepository(),
            new InMemoryUserRepository());
    testRealm = new TestRealm(getLdapConfig(), securityLog, new SecureHasher());
    List<Realm> allRealms = listOf(nativeRealm, testRealm);

    // The cache reads time from the fake ticker, so expiry is under test control.
    // NOTE(review): the 100 / 10 arguments are passed through as in the original; their
    // meaning is defined by ShiroCaffeineCache.Manager — confirm there.
    fakeTicker = new FakeTicker();
    ShiroCaffeineCache.Manager cacheManager = new ShiroCaffeineCache.Manager(fakeTicker::read, 100, 10);
    authManager = new MultiRealmAuthManager(nativeRealm, allRealms, cacheManager, securityLog, false);
    authManager.init();
    authManager.start();

    EnterpriseUserManager seededUsers = authManager.getUserManager();
    seededUsers.newUser("mike", "123", false);
    seededUsers.newUser("mats", "456", false);
}
use of org.neo4j.server.security.enterprise.log.SecurityLog in project neo4j by neo4j.
the class MultiRealmAuthManagerTest method createAuthManager.
/**
 * Creates and initialises a single-realm {@code MultiRealmAuthManager} over the test's
 * {@code users} repository, storing it in the {@code manager} field as well as returning it.
 *
 * @param logSuccessfulAuthentications forwarded to the manager; controls whether successful logins are logged
 * @return the initialised manager
 * @throws Throwable if initialisation fails
 */
private MultiRealmAuthManager createAuthManager(boolean logSuccessfulAuthentications) throws Throwable {
    Log testLog = logProvider.getLog(getClass());

    // Initial-user and default-admin repositories come from the real module helpers, backed by
    // the test file system rule; password policy and scheduler are mocked.
    InternalFlatFileRealm nativeRealm = new InternalFlatFileRealm(
            users,
            new InMemoryRoleRepository(),
            mock(PasswordPolicy.class),
            authStrategy,
            mock(JobScheduler.class),
            CommunitySecurityModule.getInitialUserRepository(config, NullLogProvider.getInstance(), fsRule.get()),
            EnterpriseSecurityModule.getDefaultAdminRepository(config, NullLogProvider.getInstance(), fsRule.get()));

    manager = new MultiRealmAuthManager(
            nativeRealm,
            Collections.singleton(nativeRealm),
            new MemoryConstrainedCacheManager(),
            new SecurityLog(testLog),
            logSuccessfulAuthentications);
    manager.init();
    return manager;
}