Example 1 with SecurityLog
use of org.neo4j.server.security.enterprise.log.SecurityLog in project neo4j by neo4j.
the class EnterpriseSecurityModule method setup.
@Override
public void setup(Dependencies dependencies) throws KernelException {
Config config = dependencies.config();
Procedures procedures = dependencies.procedures();
LogProvider logProvider = dependencies.logService().getUserLogProvider();
JobScheduler jobScheduler = dependencies.scheduler();
FileSystemAbstraction fileSystem = dependencies.fileSystem();
LifeSupport life = dependencies.lifeSupport();
SecurityLog securityLog = SecurityLog.create(config, dependencies.logService().getInternalLog(GraphDatabaseFacade.class), fileSystem, jobScheduler);
life.add(securityLog);
boolean allowTokenCreate = config.get(SecuritySettings.allow_publisher_create_token);
PredefinedRolesBuilder.setAllowPublisherTokenCreate(allowTokenCreate);
procedures.writerCreateToken(allowTokenCreate);
EnterpriseAuthAndUserManager authManager = newAuthManager(config, logProvider, securityLog, fileSystem, jobScheduler);
life.add(dependencies.dependencySatisfier().satisfyDependency(authManager));
// Register procedures
procedures.registerComponent(SecurityLog.class, (ctx) -> securityLog, false);
procedures.registerComponent(EnterpriseAuthManager.class, ctx -> authManager, false);
procedures.registerComponent(EnterpriseSecurityContext.class, ctx -> asEnterprise(ctx.get(SECURITY_CONTEXT)), true);
if (config.get(SecuritySettings.native_authentication_enabled) || config.get(SecuritySettings.native_authorization_enabled)) {
procedures.registerComponent(EnterpriseUserManager.class, ctx -> authManager.getUserManager(asEnterprise(ctx.get(SECURITY_CONTEXT))), true);
if (config.get(SecuritySettings.auth_providers).size() > 1) {
procedures.registerProcedure(UserManagementProcedures.class, true, Optional.of("%s only applies to native users."));
} else {
procedures.registerProcedure(UserManagementProcedures.class, true);
}
} else {
procedures.registerComponent(EnterpriseUserManager.class, ctx -> EnterpriseUserManager.NOOP, true);
}
procedures.registerProcedure(SecurityProcedures.class, true);
}
Also used :
JobScheduler(org.neo4j.kernel.impl.util.JobScheduler)
LogProvider(org.neo4j.logging.LogProvider)
FileSystemAbstraction(org.neo4j.io.fs.FileSystemAbstraction)
Config(org.neo4j.kernel.configuration.Config)
Procedures(org.neo4j.kernel.impl.proc.Procedures)
LifeSupport(org.neo4j.kernel.lifecycle.LifeSupport)
SecurityLog(org.neo4j.server.security.enterprise.log.SecurityLog)
GraphDatabaseFacade(org.neo4j.kernel.impl.factory.GraphDatabaseFacade)
Example 2 with SecurityLog
use of org.neo4j.server.security.enterprise.log.SecurityLog in project neo4j by neo4j.
the class EnterpriseSecurityModule method createPluginRealms.
private static List<PluginRealm> createPluginRealms(Config config, SecurityLog securityLog, SecureHasher secureHasher, SecurityConfig securityConfig) {
List<PluginRealm> availablePluginRealms = new ArrayList<>();
Set<Class> excludedClasses = new HashSet<>();
if (securityConfig.pluginAuthentication && securityConfig.pluginAuthorization) {
for (AuthPlugin plugin : Service.load(AuthPlugin.class)) {
PluginRealm pluginRealm = new PluginRealm(plugin, config, securityLog, Clocks.systemClock(), secureHasher);
availablePluginRealms.add(pluginRealm);
}
}
if (securityConfig.pluginAuthentication) {
for (AuthenticationPlugin plugin : Service.load(AuthenticationPlugin.class)) {
PluginRealm pluginRealm;
if (securityConfig.pluginAuthorization && plugin instanceof AuthorizationPlugin) {
// This plugin implements both interfaces, create a combined plugin
pluginRealm = new PluginRealm(plugin, (AuthorizationPlugin) plugin, config, securityLog, Clocks.systemClock(), secureHasher);
// We need to make sure we do not add a duplicate when the AuthorizationPlugin service gets loaded
// so we allow only one instance per combined plugin class
excludedClasses.add(plugin.getClass());
} else {
pluginRealm = new PluginRealm(plugin, null, config, securityLog, Clocks.systemClock(), secureHasher);
}
availablePluginRealms.add(pluginRealm);
}
}
if (securityConfig.pluginAuthorization) {
for (AuthorizationPlugin plugin : Service.load(AuthorizationPlugin.class)) {
if (!excludedClasses.contains(plugin.getClass())) {
availablePluginRealms.add(new PluginRealm(null, plugin, config, securityLog, Clocks.systemClock(), secureHasher));
}
}
}
for (String pluginRealmName : securityConfig.pluginAuthProviders) {
if (!availablePluginRealms.stream().anyMatch(r -> r.getName().equals(pluginRealmName))) {
throw illegalConfiguration(format("Failed to load auth plugin '%s'.", pluginRealmName));
}
}
List<PluginRealm> realms = availablePluginRealms.stream().filter(realm -> securityConfig.pluginAuthProviders.contains(realm.getName())).collect(Collectors.toList());
boolean missingAuthenticatingRealm = securityConfig.onlyPluginAuthentication() && !realms.stream().anyMatch(PluginRealm::canAuthenticate);
boolean missingAuthorizingRealm = securityConfig.onlyPluginAuthorization() && !realms.stream().anyMatch(PluginRealm::canAuthorize);
if (missingAuthenticatingRealm || missingAuthorizingRealm) {
String missingProvider = (missingAuthenticatingRealm && missingAuthorizingRealm) ? "authentication or authorization" : missingAuthenticatingRealm ? "authentication" : "authorization";
throw illegalConfiguration(format("No plugin %s provider loaded even though required by configuration.", missingProvider));
}
return realms;
}
Also used :
Service(org.neo4j.helpers.Service)
Ticker(com.github.benmanes.caffeine.cache.Ticker)
EnterpriseSecurityContext(org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext)
DatabaseManagementSystemSettings(org.neo4j.dbms.DatabaseManagementSystemSettings)
EnterpriseAuthManager(org.neo4j.kernel.enterprise.api.security.EnterpriseAuthManager)
LogProvider(org.neo4j.logging.LogProvider)
AuthenticationPlugin(org.neo4j.server.security.enterprise.auth.plugin.spi.AuthenticationPlugin)
JobScheduler(org.neo4j.kernel.impl.util.JobScheduler)
LifeSupport(org.neo4j.kernel.lifecycle.LifeSupport)
SecurityModule(org.neo4j.kernel.api.security.SecurityModule)
ArrayList(java.util.ArrayList)
HashSet(java.util.HashSet)
SecuritySettings(org.neo4j.server.security.enterprise.configuration.SecuritySettings)
Realm(org.apache.shiro.realm.Realm)
SetDefaultAdminCommand(org.neo4j.commandline.admin.security.SetDefaultAdminCommand)
SecurityContext(org.neo4j.kernel.api.security.SecurityContext)
SecurityLog(org.neo4j.server.security.enterprise.log.SecurityLog)
SECURITY_CONTEXT(org.neo4j.kernel.api.proc.Context.SECURITY_CONTEXT)
EnterpriseEditionSettings(org.neo4j.kernel.impl.enterprise.configuration.EnterpriseEditionSettings)
RateLimitedAuthenticationStrategy(org.neo4j.server.security.auth.RateLimitedAuthenticationStrategy)
Config(org.neo4j.kernel.configuration.Config)
CommunitySecurityModule(org.neo4j.server.security.auth.CommunitySecurityModule)
BasicPasswordPolicy(org.neo4j.server.security.auth.BasicPasswordPolicy)
UserRepository(org.neo4j.server.security.auth.UserRepository)
Set(java.util.Set)
Collectors(java.util.stream.Collectors)
File(java.io.File)
KernelException(org.neo4j.kernel.api.exceptions.KernelException)
String.format(java.lang.String.format)
AuthorizationPlugin(org.neo4j.server.security.enterprise.auth.plugin.spi.AuthorizationPlugin)
CacheManager(org.apache.shiro.cache.CacheManager)
List(java.util.List)
Procedures(org.neo4j.kernel.impl.proc.Procedures)
PluginRealm(org.neo4j.server.security.enterprise.auth.plugin.PluginRealm)
GraphDatabaseFacade(org.neo4j.kernel.impl.factory.GraphDatabaseFacade)
Optional(java.util.Optional)
FileUserRepository(org.neo4j.server.security.auth.FileUserRepository)
AuthPlugin(org.neo4j.server.security.enterprise.auth.plugin.spi.AuthPlugin)
Clocks(org.neo4j.time.Clocks)
FileSystemAbstraction(org.neo4j.io.fs.FileSystemAbstraction)
AuthPlugin(org.neo4j.server.security.enterprise.auth.plugin.spi.AuthPlugin)
PluginRealm(org.neo4j.server.security.enterprise.auth.plugin.PluginRealm)
ArrayList(java.util.ArrayList)
AuthenticationPlugin(org.neo4j.server.security.enterprise.auth.plugin.spi.AuthenticationPlugin)
AuthorizationPlugin(org.neo4j.server.security.enterprise.auth.plugin.spi.AuthorizationPlugin)
HashSet(java.util.HashSet)
Example 3 with SecurityLog
use of org.neo4j.server.security.enterprise.log.SecurityLog in project neo4j by neo4j.
the class PersonalUserManagerTest method setup.
@Before
public void setup() {
evilUserManager = new EvilUserManager(new InternalFlatFileRealm(new InMemoryUserRepository(), new InMemoryRoleRepository(), new BasicPasswordPolicy(), new RateLimitedAuthenticationStrategy(Clock.systemUTC(), 3), new InternalFlatFileRealmIT.TestJobScheduler(), new InMemoryUserRepository(), new InMemoryUserRepository()));
log = spy(Log.class);
userManager = new PersonalUserManager(evilUserManager, SecurityContext.AUTH_DISABLED, new SecurityLog(log));
}
Also used :
RateLimitedAuthenticationStrategy(org.neo4j.server.security.auth.RateLimitedAuthenticationStrategy)
Log(org.neo4j.logging.Log)
SecurityLog(org.neo4j.server.security.enterprise.log.SecurityLog)
SecurityLog(org.neo4j.server.security.enterprise.log.SecurityLog)
InMemoryUserRepository(org.neo4j.server.security.auth.InMemoryUserRepository)
BasicPasswordPolicy(org.neo4j.server.security.auth.BasicPasswordPolicy)
Before(org.junit.Before)
Example 4 with SecurityLog
use of org.neo4j.server.security.enterprise.log.SecurityLog in project neo4j by neo4j.
the class LdapCachingTest method setup.
@Before
public void setup() throws Throwable {
SecurityLog securityLog = mock(SecurityLog.class);
InternalFlatFileRealm internalFlatFileRealm = new InternalFlatFileRealm(new InMemoryUserRepository(), new InMemoryRoleRepository(), new BasicPasswordPolicy(), new RateLimitedAuthenticationStrategy(Clock.systemUTC(), 3), mock(JobScheduler.class), new InMemoryUserRepository(), new InMemoryUserRepository());
testRealm = new TestRealm(getLdapConfig(), securityLog, new SecureHasher());
List<Realm> realms = listOf(internalFlatFileRealm, testRealm);
fakeTicker = new FakeTicker();
authManager = new MultiRealmAuthManager(internalFlatFileRealm, realms, new ShiroCaffeineCache.Manager(fakeTicker::read, 100, 10), securityLog, false);
authManager.init();
authManager.start();
authManager.getUserManager().newUser("mike", "123", false);
authManager.getUserManager().newUser("mats", "456", false);
}
Also used :
JobScheduler(org.neo4j.kernel.impl.util.JobScheduler)
RateLimitedAuthenticationStrategy(org.neo4j.server.security.auth.RateLimitedAuthenticationStrategy)
SecurityLog(org.neo4j.server.security.enterprise.log.SecurityLog)
InMemoryUserRepository(org.neo4j.server.security.auth.InMemoryUserRepository)
FakeTicker(com.google.common.testing.FakeTicker)
BasicPasswordPolicy(org.neo4j.server.security.auth.BasicPasswordPolicy)
Realm(org.apache.shiro.realm.Realm)
Before(org.junit.Before)
Example 5 with SecurityLog
use of org.neo4j.server.security.enterprise.log.SecurityLog in project neo4j by neo4j.
the class MultiRealmAuthManagerTest method createAuthManager.
private MultiRealmAuthManager createAuthManager(boolean logSuccessfulAuthentications) throws Throwable {
Log log = logProvider.getLog(this.getClass());
InternalFlatFileRealm internalFlatFileRealm = new InternalFlatFileRealm(users, new InMemoryRoleRepository(), mock(PasswordPolicy.class), authStrategy, mock(JobScheduler.class), CommunitySecurityModule.getInitialUserRepository(config, NullLogProvider.getInstance(), fsRule.get()), EnterpriseSecurityModule.getDefaultAdminRepository(config, NullLogProvider.getInstance(), fsRule.get()));
manager = new MultiRealmAuthManager(internalFlatFileRealm, Collections.singleton(internalFlatFileRealm), new MemoryConstrainedCacheManager(), new SecurityLog(log), logSuccessfulAuthentications);
manager.init();
return manager;
}
Also used :
JobScheduler(org.neo4j.kernel.impl.util.JobScheduler)
Log(org.neo4j.logging.Log)
SecurityLog(org.neo4j.server.security.enterprise.log.SecurityLog)
AssertableLogProvider.inLog(org.neo4j.logging.AssertableLogProvider.inLog)
MemoryConstrainedCacheManager(org.apache.shiro.cache.MemoryConstrainedCacheManager)
PasswordPolicy(org.neo4j.kernel.api.security.PasswordPolicy)
SecurityLog(org.neo4j.server.security.enterprise.log.SecurityLog)
Aggregations
SecurityLog (org.neo4j.server.security.enterprise.log.SecurityLog)7
JobScheduler (org.neo4j.kernel.impl.util.JobScheduler)5
BasicPasswordPolicy (org.neo4j.server.security.auth.BasicPasswordPolicy)4
Before (org.junit.Before)3
Log (org.neo4j.logging.Log)3
InMemoryUserRepository (org.neo4j.server.security.auth.InMemoryUserRepository)3
RateLimitedAuthenticationStrategy (org.neo4j.server.security.auth.RateLimitedAuthenticationStrategy)3
MemoryConstrainedCacheManager (org.apache.shiro.cache.MemoryConstrainedCacheManager)2
Realm (org.apache.shiro.realm.Realm)2
FileSystemAbstraction (org.neo4j.io.fs.FileSystemAbstraction)2
Config (org.neo4j.kernel.configuration.Config)2
EnterpriseSecurityContext (org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext)2
GraphDatabaseFacade (org.neo4j.kernel.impl.factory.GraphDatabaseFacade)2
Procedures (org.neo4j.kernel.impl.proc.Procedures)2
LifeSupport (org.neo4j.kernel.lifecycle.LifeSupport)2
LogProvider (org.neo4j.logging.LogProvider)2
Ticker (com.github.benmanes.caffeine.cache.Ticker)1
FakeTicker (com.google.common.testing.FakeTicker)1
File (java.io.File)1
StringWriter (java.io.StringWriter)1
