/*
* Copyright (c) 2002-2016 "Neo Technology,"
* Network Engine for Objects in Lund AB [http://neotechnology.com]
*
* This file is part of Neo4j.
*
* Neo4j is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
package org.neo4j.bolt.security.auth;
import java.io.IOException;
import java.util.Map;
import org.neo4j.graphdb.security.AuthorizationViolationException;
import org.neo4j.kernel.api.exceptions.Status;
import org.neo4j.kernel.api.security.AuthManager;
import org.neo4j.kernel.api.security.AuthSubject;
import org.neo4j.kernel.api.security.AuthToken;
import org.neo4j.kernel.api.security.exception.InvalidArgumentsException;
import org.neo4j.kernel.api.security.exception.InvalidAuthTokenException;
import org.neo4j.logging.Log;
import org.neo4j.logging.LogProvider;
import static org.neo4j.kernel.api.security.AuthToken.NEW_CREDENTIALS;
import static org.neo4j.kernel.api.security.AuthToken.PRINCIPAL;
import static org.neo4j.kernel.api.security.AuthToken.SCHEME_KEY;
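/**
 * Performs basic authentication with user name and password.
 * <p>
 * Two token shapes are accepted, both under the {@code "basic"} scheme: a plain
 * login (principal + credentials), and a login that additionally carries
 * {@code new_credentials}, which is treated as an authenticated password change.
 * The credential check itself is delegated to the {@link AuthManager}; this class
 * only maps its outcome onto {@link AuthenticationResult} / {@link AuthenticationException},
 * and both the plain and the password-change path report lockout with the same
 * {@code AuthenticationRateLimit} status so clients back off instead of retrying.
 */
public class BasicAuthentication implements Authentication
{
    /** The only scheme this implementation accepts; any other value is rejected before login. */
    private static final String SCHEME = "basic";

    private final AuthManager authManager;
    private final Log log;

    /**
     * @param authManager performs the credential check and yields the resulting subject
     * @param logProvider used to record failed authentication attempts
     */
    public BasicAuthentication( AuthManager authManager, LogProvider logProvider )
    {
        this.authManager = authManager;
        this.log = logProvider.getLog( getClass() );
    }

    /**
     * Authenticates the given token.
     *
     * @param authToken the token map sent by the client; must carry {@code scheme = "basic"}
     * @return the authenticated subject plus whether its credentials have expired
     * @throws AuthenticationException with {@code Unauthorized} on a wrong scheme or bad credentials,
     *         {@code AuthenticationRateLimit} after too many attempts, or the status carried by a
     *         malformed token or a rejected password change
     */
    @Override
    public AuthenticationResult authenticate( Map<String,Object> authToken ) throws AuthenticationException
    {
        // SCHEME.equals( null ) is false, so a token with no scheme is rejected here as well.
        if ( !SCHEME.equals( authToken.get( SCHEME_KEY ) ) )
        {
            throw new AuthenticationException( Status.Security.Unauthorized,
                    "Missing username and password" );
        }
        // A token carrying new_credentials is a password change. The caller must still prove
        // the current password, so both paths go through authManager.login().
        return authToken.containsKey( NEW_CREDENTIALS ) ? update( authToken ) : doAuthenticate( authToken );
    }

    /**
     * Plain login: maps the {@link AuthManager} outcome onto the Bolt-level result.
     */
    private AuthenticationResult doAuthenticate( Map<String,Object> authToken ) throws AuthenticationException
    {
        try
        {
            AuthSubject authSubject = authManager.login( authToken );
            boolean credentialsExpired = false;
            switch ( authSubject.getAuthenticationResult() )
            {
            case SUCCESS:
                break;
            case PASSWORD_CHANGE_REQUIRED:
                // The login is accepted, but the client is told it must rotate the password.
                credentialsExpired = true;
                break;
            case TOO_MANY_ATTEMPTS:
                // Distinct status so clients back off rather than retry into the lockout.
                throw new AuthenticationException( Status.Security.AuthenticationRateLimit );
            default:
                logFailedAttempt( authToken );
                throw new AuthenticationException( Status.Security.Unauthorized );
            }
            return new BasicAuthenticationResult( authSubject, credentialsExpired );
        }
        catch ( InvalidAuthTokenException e )
        {
            // Keep the cause so the malformed-token detail is not lost (same as update()).
            throw new AuthenticationException( e.status(), e.getMessage(), e );
        }
    }

    /**
     * Login followed by a password change. The current credentials must verify
     * (either outright, or flagged as expired) before the new password is set.
     *
     * @return a result with {@code credentialsExpired == false}, since the password was just changed
     */
    private AuthenticationResult update( Map<String,Object> authToken ) throws AuthenticationException
    {
        try
        {
            AuthSubject authSubject = authManager.login( authToken );
            switch ( authSubject.getAuthenticationResult() )
            {
            case SUCCESS:
            case PASSWORD_CHANGE_REQUIRED:
                // An expired password may still be used once, to set its replacement.
                String newPassword = AuthToken.safeCast( NEW_CREDENTIALS, authToken );
                authSubject.setPassword( newPassword );
                break;
            case TOO_MANY_ATTEMPTS:
                // Same status as the plain login path, so lockout is reported consistently
                // whether or not the attempt also carried new credentials.
                throw new AuthenticationException( Status.Security.AuthenticationRateLimit );
            default:
                logFailedAttempt( authToken );
                throw new AuthenticationException( Status.Security.Unauthorized );
            }
            return new BasicAuthenticationResult( authSubject, false );
        }
        catch ( AuthorizationViolationException | InvalidArgumentsException | InvalidAuthTokenException e )
        {
            // Surface the kernel's own status (e.g. a rejected new password) rather than a generic one.
            throw new AuthenticationException( e.status(), e.getMessage(), e );
        }
        catch ( IOException e )
        {
            // I/O failure during login or while storing the new password (presumably the latter —
            // setPassword is the persisting call); reported to the client as a rejected login.
            throw new AuthenticationException( Status.Security.Unauthorized, e.getMessage(), e );
        }
    }

    /**
     * Records a failed attempt. Only the principal is logged; the credentials (and any
     * new credentials) in the token must never reach the log.
     */
    private void logFailedAttempt( Map<String,Object> authToken ) throws InvalidAuthTokenException
    {
        log.warn( "Failed authentication attempt for '%s'", AuthToken.safeCast( PRINCIPAL, authToken ) );
    }
}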