/*
* Copyright (c) 2002-2016 "Neo Technology,"
* Network Engine for Objects in Lund AB [http://neotechnology.com]
*
* This file is part of Neo4j.
*
* Neo4j is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
package org.neo4j.bolt.security.auth;
import java.io.IOException;
import java.util.Map;
import java.util.function.Supplier;
import org.neo4j.graphdb.security.AuthorizationViolationException;
import org.neo4j.kernel.api.exceptions.Status;
import org.neo4j.kernel.api.security.AccessMode;
import org.neo4j.logging.Log;
import org.neo4j.logging.LogProvider;
import org.neo4j.server.security.auth.AuthSubject;
import org.neo4j.server.security.auth.BasicAuthManager;
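/**
 * Performs basic authentication with user name and password.
 * <p>
 * The auth token is a map that must carry {@code scheme : "basic"}, a principal and a credential;
 * when it also carries new credentials, the password is changed as part of the login. The subject
 * produced by the most recent {@link #authenticate(Map)} call is kept in a field, so one instance
 * tracks one login at a time and is not intended for concurrent use.
 */
public class BasicAuthentication implements Authentication
{
    private static final String SCHEME = "basic";

    private final BasicAuthManager authManager;
    private final Log log;
    private final Supplier<String> identifier;
    private AuthSubject authSubject;

    /**
     * @param authManager performs the credential check and password updates
     * @param logProvider source of the log used to record failed attempts
     * @param identifier supplies the identifier reported in every {@link AuthenticationException}
     */
    public BasicAuthentication( BasicAuthManager authManager, LogProvider logProvider, Supplier<String> identifier )
    {
        this.authManager = authManager;
        this.log = logProvider.getLog( getClass() );
        this.identifier = identifier;
    }

    /**
     * Authenticates the caller described by {@code authToken}.
     *
     * @param authToken the token sent by the client; must contain {@code scheme : "basic"}, a string
     *                  principal and string credentials, and may contain new credentials
     * @return the authenticated subject, which also serves as the caller's access mode
     * @throws AuthenticationException if the token is malformed, the credentials are rejected, the
     *                                 account is rate limited, or a requested password change fails
     */
    @Override
    public AccessMode authenticate( Map<String,Object> authToken ) throws AuthenticationException
    {
        if ( !SCHEME.equals( authToken.get( SCHEME_KEY ) ) )
        {
            throw new AuthenticationException( Status.Security.Unauthorized, identifier.get(),
                    "Authentication token must contain: '" + SCHEME_KEY + " : " + SCHEME + "'" );
        }

        String user = safeCast( PRINCIPAL, authToken );
        String password = safeCast( CREDENTIALS, authToken );

        // A token carrying new credentials is a login plus a password change in one step.
        if ( authToken.containsKey( NEW_CREDENTIALS ) )
        {
            return update( user, password, safeCast( NEW_CREDENTIALS, authToken ) );
        }
        return authenticate( user, password );
    }

    /**
     * Logs {@code user} in and maps the outcome to either a subject or an exception.
     */
    private AccessMode authenticate( String user, String password ) throws AuthenticationException
    {
        authSubject = authManager.login( user, password );
        switch ( authSubject.getAuthenticationResult() )
        {
        case SUCCESS:
            break;
        case PASSWORD_CHANGE_REQUIRED:
            // TODO: We just return OK for now, but we should notify the client with an appropriate message
            // (the intended outcome is an AuthenticationException with Status.Security.CredentialsExpired).
            break;
        case TOO_MANY_ATTEMPTS:
            throw new AuthenticationException( Status.Security.AuthenticationRateLimit, identifier.get() );
        default:
            // Only the user name is recorded; the supplied credential must never reach the log.
            log.warn( "Failed authentication attempt for '%s'", user );
            throw new AuthenticationException( Status.Security.Unauthorized, identifier.get() );
        }
        return authSubject;
    }

    /**
     * Logs {@code user} in with the current password and, if the login is accepted, replaces it with
     * {@code newPassword}. A login accepted only because a password change is required is sufficient
     * here, since that change is exactly what is being requested.
     */
    private AccessMode update( String user, String password, String newPassword ) throws AuthenticationException
    {
        authSubject = authManager.login( user, password );
        switch ( authSubject.getAuthenticationResult() )
        {
        case SUCCESS:
        case PASSWORD_CHANGE_REQUIRED:
            try
            {
                authManager.setPassword( authSubject, user, newPassword );
            }
            catch ( AuthorizationViolationException e )
            {
                throw new AuthenticationException( Status.Security.Forbidden, identifier.get(), e.getMessage(), e );
            }
            catch ( IOException e )
            {
                // NOTE(review): an I/O failure while persisting the new password surfaces as
                // Unauthorized; confirm that this is the status the client should see.
                throw new AuthenticationException( Status.Security.Unauthorized, identifier.get(), e.getMessage(), e );
            }
            break;
        case TOO_MANY_ATTEMPTS:
            // Report rate limiting the same way the plain login path does, not as a bad password.
            throw new AuthenticationException( Status.Security.AuthenticationRateLimit, identifier.get() );
        default:
            // Mirror the plain login path: record the failed attempt, without the credential.
            log.warn( "Failed authentication attempt for '%s'", user );
            throw new AuthenticationException( Status.Security.Unauthorized, identifier.get() );
        }
        return authSubject;
    }

    /**
     * Reads {@code key} from the token and checks that its value is a string.
     *
     * @throws AuthenticationException if the entry is missing or is not a {@link String}; the message
     *                                 names the key and the offending type, never the value itself
     */
    private String safeCast( String key, Map<String,Object> authToken ) throws AuthenticationException
    {
        Object value = authToken.get( key );
        // instanceof is false for null, so a missing entry is rejected by the same test.
        if ( !(value instanceof String) )
        {
            throw new AuthenticationException( Status.Security.Unauthorized, identifier.get(),
                    "The value associated with the key `" + key + "` must be a String but was: " +
                    (value == null ? "null" : value.getClass().getSimpleName()) );
        }
        return (String) value;
    }
}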