diff --git a/community/cypher/cypher/src/main/scala/org/neo4j/cypher/internal/ExecutionEngine.scala b/community/cypher/cypher/src/main/scala/org/neo4j/cypher/internal/ExecutionEngine.scala index 8bd8f5e7781f..e837098d38fb 100644 --- a/community/cypher/cypher/src/main/scala/org/neo4j/cypher/internal/ExecutionEngine.scala +++ b/community/cypher/cypher/src/main/scala/org/neo4j/cypher/internal/ExecutionEngine.scala @@ -150,8 +150,8 @@ class ExecutionEngine(val queryService: GraphDatabaseQueryService, logProvider: val tc = externalTransactionalContext.getOrBeginNewIfClosed() // Temporarily change access mode during query planning - // NOTE: The OVERRIDE_READ mode will force read access even if the current transaction did not have it - val revertable = tc.restrictCurrentTransaction(AccessMode.Static.OVERRIDE_READ) + // NOTE: This will force read access even if the current transaction did not have it + val revertable = tc.restrictCurrentTransaction(AccessMode.Static.READ) val ((plan: ExecutionPlan, extractedParameters), touched) = try { // fetch plan cache diff --git a/community/cypher/cypher/src/main/scala/org/neo4j/cypher/internal/spi/v3_1/TransactionBoundQueryContext.scala b/community/cypher/cypher/src/main/scala/org/neo4j/cypher/internal/spi/v3_1/TransactionBoundQueryContext.scala index 511a13e29c96..03854e1005e0 100644 --- a/community/cypher/cypher/src/main/scala/org/neo4j/cypher/internal/spi/v3_1/TransactionBoundQueryContext.scala +++ b/community/cypher/cypher/src/main/scala/org/neo4j/cypher/internal/spi/v3_1/TransactionBoundQueryContext.scala @@ -52,7 +52,6 @@ import org.neo4j.kernel.api.exceptions.ProcedureException import org.neo4j.kernel.api.exceptions.schema.{AlreadyConstrainedException, AlreadyIndexedException} import org.neo4j.kernel.api.index.{IndexDescriptor, InternalIndexState} import org.neo4j.kernel.api.proc.{QualifiedName => KernelQualifiedName} -import org.neo4j.kernel.api.security.{AccessMode, AuthSubject} import org.neo4j.kernel.impl.core.NodeManager import org.neo4j.kernel.impl.locking.ResourceTypes @@ -586,27 +585,28 @@ final class TransactionBoundQueryContext(val transactionalContext: Transactional } type KernelProcedureCall = (KernelQualifiedName, Array[AnyRef]) => RawIterator[Array[AnyRef], ProcedureException] + type KernelFunctionCall = (KernelQualifiedName, Array[AnyRef]) => AnyRef + + private def shouldElevate(allowed: Array[String]): Boolean = { + // We have to be careful with elevation, since we cannot elevate permissions in a nested procedure call + // above the original allowed procedure mode. With enforce this by checking if mode is already an overridden mode. + val mode = transactionalContext.accessMode + allowed.nonEmpty && !mode.isElevated && mode.getOriginalAccessMode.allowsProcedureWith(allowed) + } override def callReadOnlyProcedure(name: QualifiedName, args: Seq[Any], allowed: Array[String]) = { val call: KernelProcedureCall = - if (allowsOverride(allowed)) - transactionalContext.statement.procedureCallOperations.procedureCallRead(_, _, AccessMode.Static.OVERRIDE_READ) + if (shouldElevate(allowed)) + transactionalContext.statement.procedureCallOperations.procedureCallReadElevated(_, _) else transactionalContext.statement.procedureCallOperations.procedureCallRead(_, _) callProcedure(name, args, call) } - private def allowsOverride(allowed: Array[String]): Boolean = { - // We have to be careful with override, since we cannot elevate permissions in a nested procedure call - // above the original allowed procedure mode. With enforce this by checking if mode is already an overridden mode. - val mode = transactionalContext.accessMode - allowed.nonEmpty && !mode.overrideOriginalMode && mode.getOriginalAccessMode.allowsProcedureWith(allowed) - } - override def callReadWriteProcedure(name: QualifiedName, args: Seq[Any], allowed: Array[String]) = { val call: KernelProcedureCall = - if (allowsOverride(allowed)) - transactionalContext.statement.procedureCallOperations.procedureCallWrite(_, _, AccessMode.Static.OVERRIDE_WRITE) + if (shouldElevate(allowed)) + transactionalContext.statement.procedureCallOperations.procedureCallWriteElevated(_, _) else transactionalContext.statement.procedureCallOperations.procedureCallWrite(_, _) callProcedure(name, args, call) @@ -614,8 +614,8 @@ final class TransactionBoundQueryContext(val transactionalContext: Transactional override def callSchemaWriteProcedure(name: QualifiedName, args: Seq[Any], allowed: Array[String]) = { val call: KernelProcedureCall = - if (allowsOverride(allowed)) - transactionalContext.statement.procedureCallOperations.procedureCallSchema(_, _, AccessMode.Static.OVERRIDE_SCHEMA) + if (shouldElevate(allowed)) + transactionalContext.statement.procedureCallOperations.procedureCallSchemaElevated(_, _) else transactionalContext.statement.procedureCallOperations.procedureCallSchema(_, _) callProcedure(name, args, call) @@ -636,17 +636,16 @@ final class TransactionBoundQueryContext(val transactionalContext: Transactional } override def callFunction(name: QualifiedName, args: Seq[Any], allowed: Array[String]) = { - val revertable = transactionalContext.accessMode match { - case a: AuthSubject if a.allowsProcedureWith(allowed) => - Some(transactionalContext.restrictCurrentTransaction(AccessMode.Static.OVERRIDE_READ)) - case _ => None - } - callFunction(name, args, transactionalContext.statement.readOperations().functionCall, revertable.foreach(_.close)) + val call: KernelFunctionCall = + if (shouldElevate(allowed)) + transactionalContext.statement.procedureCallOperations.functionCallElevated(_, _) + else + transactionalContext.statement.procedureCallOperations.functionCall(_, _) + callFunction(name, args, call) } private def callFunction(name: QualifiedName, args: Seq[Any], - call: (KernelQualifiedName, Array[AnyRef]) => AnyRef, - onClose: => Unit) = { + call: KernelFunctionCall) = { val kn = new KernelQualifiedName(name.namespace.asJava, name.name) val toArray = args.map(_.asInstanceOf[AnyRef]).toArray call(kn, toArray) diff --git a/community/kernel/src/main/java/org/neo4j/kernel/api/ProcedureCallOperations.java b/community/kernel/src/main/java/org/neo4j/kernel/api/ProcedureCallOperations.java index d16710e79696..62fe27c78725 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/api/ProcedureCallOperations.java +++ b/community/kernel/src/main/java/org/neo4j/kernel/api/ProcedureCallOperations.java @@ -22,7 +22,6 @@ import org.neo4j.collection.RawIterator; import org.neo4j.kernel.api.exceptions.ProcedureException; import org.neo4j.kernel.api.proc.QualifiedName; -import org.neo4j.kernel.api.security.AccessMode; /** * Specifies procedure call operations for the three types of procedure calls that can be made. @@ -40,15 +39,14 @@ RawIterator procedureCallRead( QualifiedName name, throws ProcedureException; /** - * Invoke a read-only procedure by name, and override the transaction's access mode with + * Invoke a read-only procedure by name, and elevate the transaction's access mode to * the given access mode for the duration of the procedure execution. * @param name the name of the procedure. * @param arguments the procedure arguments. - * @param override the access mode to be used for the execution of the procedure. * @return an iterator containing the procedure results. * @throws ProcedureException if there was an exception thrown during procedure execution. */ - RawIterator procedureCallRead( QualifiedName name, Object[] arguments, AccessMode override ) + RawIterator procedureCallReadElevated( QualifiedName name, Object[] arguments ) throws ProcedureException; /** @@ -61,15 +59,14 @@ RawIterator procedureCallRead( QualifiedName name, RawIterator procedureCallWrite( QualifiedName name, Object[] arguments ) throws ProcedureException; /** - * Invoke a read/write procedure by name, and override the transaction's access mode with + * Invoke a read/write procedure by name, and elevate the transaction's access mode to * the given access mode for the duration of the procedure execution. * @param name the name of the procedure. * @param arguments the procedure arguments. - * @param override the access mode to be used for the execution of the procedure. * @return an iterator containing the procedure results. * @throws ProcedureException if there was an exception thrown during procedure execution. */ - RawIterator procedureCallWrite( QualifiedName name, Object[] arguments, AccessMode override ) + RawIterator procedureCallWriteElevated( QualifiedName name, Object[] arguments ) throws ProcedureException; /** @@ -82,14 +79,28 @@ RawIterator procedureCallWrite( QualifiedName name RawIterator procedureCallSchema( QualifiedName name, Object[] arguments ) throws ProcedureException; /** - * Invoke a schema write procedure by name, and override the transaction's access mode with + * Invoke a schema write procedure by name, and elevate the transaction's access mode to * the given access mode for the duration of the procedure execution. * @param name the name of the procedure. * @param arguments the procedure arguments. - * @param override the access mode to be used for the execution of the procedure. * @return an iterator containing the procedure results. * @throws ProcedureException if there was an exception thrown during procedure execution. */ - RawIterator procedureCallSchema( QualifiedName name, Object[] arguments, AccessMode override ) + RawIterator procedureCallSchemaElevated( QualifiedName name, Object[] arguments ) throws ProcedureException; + + /** Invoke a read-only function by name + * @param name the name of the function. + * @param arguments the function arguments. + * @throws ProcedureException if there was an exception thrown during function execution. + */ + Object functionCall( QualifiedName name, Object[] arguments ) throws ProcedureException; + + /** Invoke a read-only function by name, and elevate the transaction's access mode to + * the given access mode for the duration of the function execution. + * @param name the name of the function. + * @param arguments the function arguments. + * @throws ProcedureException if there was an exception thrown during function execution. + */ + Object functionCallElevated( QualifiedName name, Object[] arguments ) throws ProcedureException; } diff --git a/community/kernel/src/main/java/org/neo4j/kernel/api/ReadOperations.java b/community/kernel/src/main/java/org/neo4j/kernel/api/ReadOperations.java index c7d3853be832..0a0f3fe30c59 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/api/ReadOperations.java +++ b/community/kernel/src/main/java/org/neo4j/kernel/api/ReadOperations.java @@ -566,7 +566,4 @@ DoubleLongRegister indexSample( IndexDescriptor index, DoubleLongRegister target /** Fetch all registered procedures */ Set proceduresGetAll(); - - /** Invoke a read-only procedure by name */ - Object functionCall( QualifiedName name, Object[] input ) throws ProcedureException; } diff --git a/community/kernel/src/main/java/org/neo4j/kernel/api/security/AccessMode.java b/community/kernel/src/main/java/org/neo4j/kernel/api/security/AccessMode.java index addd1401cfa1..07dad426f44a 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/api/security/AccessMode.java +++ b/community/kernel/src/main/java/org/neo4j/kernel/api/security/AccessMode.java @@ -48,12 +48,6 @@ public boolean allowsSchemaWrites() { return false; } - - @Override - public boolean overrideOriginalMode() - { - return false; - } }, /** No reading or writing allowed because of expired credentials. */ @@ -77,26 +71,20 @@ public boolean allowsSchemaWrites() return false; } - @Override - public boolean overrideOriginalMode() - { - return false; - } - @Override public AuthorizationViolationException onViolation( String msg ) { return new AuthorizationViolationException( String.format( msg + "%n%nThe credentials you provided were valid, but must be " + - "changed before you can " + - "use this instance. If this is the first time you are using Neo4j, this is to " + - "ensure you are not using the default credentials in production. If you are not " + - "using default credentials, you are getting this message because an administrator " + - "requires a password change.%n" + - "Changing your password is easy to do via the Neo4j Browser.%n" + - "If you are connecting via a shell or programmatically via a driver, " + - "just issue a `CALL dbms.changePassword('new password')` statement in the current " + - "session, and then restart your driver with the new password configured." ), + "changed before you can " + + "use this instance. If this is the first time you are using Neo4j, this is to " + + "ensure you are not using the default credentials in production. If you are not " + + "using default credentials, you are getting this message because an administrator " + + "requires a password change.%n" + + "Changing your password is easy to do via the Neo4j Browser.%n" + + "If you are connecting via a shell or programmatically via a driver, " + + "just issue a `CALL dbms.changePassword('new password')` statement in the current " + + "session, and then restart your driver with the new password configured." ), Status.Security.CredentialsExpired ); } }, @@ -121,12 +109,6 @@ public boolean allowsSchemaWrites() { return false; } - - @Override - public boolean overrideOriginalMode() - { - return false; - } }, /** Allows writing data */ @@ -149,12 +131,6 @@ public boolean allowsSchemaWrites() { return false; } - - @Override - public boolean overrideOriginalMode() - { - return false; - } }, /** Allows reading and writing data, but not schema. */ @@ -177,12 +153,6 @@ public boolean allowsSchemaWrites() { return false; } - - @Override - public boolean overrideOriginalMode() - { - return false; - } }, /** Allows all operations. */ @@ -205,111 +175,7 @@ public boolean allowsSchemaWrites() { return true; } - - @Override - public boolean overrideOriginalMode() - { - return false; - } - }, - - /** Allows reading data and schema, but not writing. - * NOTE: This is a special mode that will override the original access mode when put as a temporary restriction - * on a transaction, potentially elevating the access mode to give read access to a transaction that did not - * have read access before. - */ - OVERRIDE_READ - { - @Override - public boolean allowsReads() - { - return true; - } - - @Override - public boolean allowsWrites() - { - return false; - } - - @Override - public boolean allowsSchemaWrites() - { - return false; - } - - @Override - public boolean overrideOriginalMode() - { - return true; - } - }, - - /** - * Allows writing data, as well as reading data and schema. - * NOTE: This is a special mode that will override the original access mode when put as a temporary restriction - * on a transaction, potentially elevating the access mode to give write access to a transaction that did not - * have write access before. - */ - OVERRIDE_WRITE - { - @Override - public boolean allowsReads() - { - return true; - } - - @Override - public boolean allowsWrites() - { - return true; - } - - @Override - public boolean allowsSchemaWrites() - { - return false; - } - - @Override - public boolean overrideOriginalMode() - { - return true; - } - }, - - /** - * Allows writing and reading data and schema. - * NOTE: This is a special mode that will override the original access mode when put as a temporary restriction - * on a transaction, potentially elevating the access mode to give schema access to a transaction that did not - * have schema access before. - */ - OVERRIDE_SCHEMA - { - @Override - public boolean allowsReads() - { - return true; - } - - @Override - public boolean allowsWrites() - { - return true; - } - - @Override - public boolean allowsSchemaWrites() - { - return true; - } - - @Override - public boolean overrideOriginalMode() - { - return true; - } - }; + }; @Override public AuthorizationViolationException onViolation( String msg ) @@ -327,7 +193,7 @@ public AccessMode getSnapshot() boolean allowsReads(); boolean allowsWrites(); boolean allowsSchemaWrites(); - boolean overrideOriginalMode(); + AuthorizationViolationException onViolation( String msg ); String name(); @@ -341,6 +207,11 @@ default AccessMode getOriginalAccessMode() return this; } + default boolean isElevated() + { + return false; + } + /** * Determines whether this subject is allowed to execute a procedure with the parameter string in its * procedure annotation. diff --git a/community/kernel/src/main/java/org/neo4j/kernel/api/security/AuthSubject.java b/community/kernel/src/main/java/org/neo4j/kernel/api/security/AuthSubject.java index ac8c1cf0c544..50d8149f1f1b 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/api/security/AuthSubject.java +++ b/community/kernel/src/main/java/org/neo4j/kernel/api/security/AuthSubject.java @@ -97,9 +97,9 @@ public boolean allowsSchemaWrites() } @Override - public boolean overrideOriginalMode() + public boolean isElevated() { - return accessMode.overrideOriginalMode(); + return accessMode.isElevated(); } @Override diff --git a/community/kernel/src/main/java/org/neo4j/kernel/impl/api/KernelTransactionImplementation.java b/community/kernel/src/main/java/org/neo4j/kernel/impl/api/KernelTransactionImplementation.java index a4d70e086609..ddf54b4f3745 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/impl/api/KernelTransactionImplementation.java +++ b/community/kernel/src/main/java/org/neo4j/kernel/impl/api/KernelTransactionImplementation.java @@ -46,8 +46,6 @@ import org.neo4j.kernel.api.txstate.LegacyIndexTransactionState; import org.neo4j.kernel.api.txstate.TransactionState; import org.neo4j.kernel.api.txstate.TxStateHolder; -import org.neo4j.kernel.impl.api.security.AccessModeSnapshot; -import org.neo4j.kernel.impl.api.security.OverriddenAccessMode; import org.neo4j.kernel.impl.api.state.ConstraintIndexCreator; import org.neo4j.kernel.impl.api.state.TxState; import org.neo4j.kernel.impl.factory.AccessCapability; @@ -801,7 +799,7 @@ public long getCommitTime() public Revertable overrideWith( AccessMode mode ) { AccessMode oldMode = this.accessMode; - this.accessMode = new OverriddenAccessMode( oldMode, mode ); + this.accessMode = mode; return () -> this.accessMode = oldMode; } diff --git a/community/kernel/src/main/java/org/neo4j/kernel/impl/api/OperationsFacade.java b/community/kernel/src/main/java/org/neo4j/kernel/impl/api/OperationsFacade.java index e9aacae68565..8481e96dedc1 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/impl/api/OperationsFacade.java +++ b/community/kernel/src/main/java/org/neo4j/kernel/impl/api/OperationsFacade.java @@ -91,6 +91,8 @@ import org.neo4j.kernel.impl.api.operations.QueryRegistrationOperations; import org.neo4j.kernel.impl.api.operations.SchemaReadOperations; import org.neo4j.kernel.impl.api.operations.SchemaStateOperations; +import org.neo4j.kernel.impl.api.security.ElevatedAccessMode; +import org.neo4j.kernel.impl.api.security.RestrictedAccessMode; import org.neo4j.kernel.impl.api.store.RelationshipIterator; import org.neo4j.kernel.impl.proc.Procedures; import org.neo4j.kernel.impl.query.QuerySource; @@ -569,12 +571,6 @@ public Set functionsGetAll() return procedures.getAllFunctions(); } - @Override - public Object functionCall( QualifiedName name, Object[] input ) throws ProcedureException - { - return callFunction( name, input ); - } - @Override public Set proceduresGetAll() { @@ -1502,13 +1498,13 @@ public RawIterator procedureCallRead( QualifiedNam { throw tx.mode().onViolation( format( "Read operations are not allowed for '%s'.", tx.mode().name() ) ); } - return callProcedure( name, input, AccessMode.Static.READ ); + return callProcedure( name, input, new RestrictedAccessMode( tx.mode(), AccessMode.Static.READ ) ); } @Override - public RawIterator procedureCallRead( QualifiedName name, Object[] input, AccessMode override ) throws ProcedureException + public RawIterator procedureCallReadElevated( QualifiedName name, Object[] input ) throws ProcedureException { - return callProcedure( name, input, override ); + return callProcedure( name, input, new ElevatedAccessMode( tx.mode(), AccessMode.Static.READ ) ); } @Override @@ -1518,13 +1514,13 @@ public RawIterator procedureCallWrite( QualifiedNa { throw tx.mode().onViolation( format( "Write operations are not allowed for '%s'.", tx.mode().name() ) ); } - return callProcedure( name, input, AccessMode.Static.WRITE ); + return callProcedure( name, input, new RestrictedAccessMode( tx.mode(), AccessMode.Static.WRITE ) ); } @Override - public RawIterator procedureCallWrite( QualifiedName name, Object[] input, AccessMode override ) throws ProcedureException + public RawIterator procedureCallWriteElevated( QualifiedName name, Object[] input ) throws ProcedureException { - return callProcedure( name, input, override ); + return callProcedure( name, input, new ElevatedAccessMode( tx.mode(), AccessMode.Static.WRITE ) ); } @Override @@ -1534,13 +1530,13 @@ public RawIterator procedureCallSchema( QualifiedN { throw tx.mode().onViolation( format( "Schema operations are not allowed for '%s'.", tx.mode().name() ) ); } - return callProcedure( name, input, AccessMode.Static.FULL ); + return callProcedure( name, input, new RestrictedAccessMode( tx.mode(), AccessMode.Static.FULL ) ); } @Override - public RawIterator procedureCallSchema( QualifiedName name, Object[] input, AccessMode override ) throws ProcedureException + public RawIterator procedureCallSchemaElevated( QualifiedName name, Object[] input ) throws ProcedureException { - return callProcedure( name, input, override ); + return callProcedure( name, input, new ElevatedAccessMode( tx.mode(), AccessMode.Static.FULL ) ); } private RawIterator callProcedure( @@ -1579,13 +1575,25 @@ public Object[] next() throws ProcedureException }; } + @Override + public Object functionCall( QualifiedName name, Object[] arguments ) throws ProcedureException + { + return callFunction( name, arguments, new RestrictedAccessMode( tx.mode(), AccessMode.Static.READ ) ); + } + + @Override + public Object functionCallElevated( QualifiedName name, Object[] arguments ) throws ProcedureException + { + return callFunction( name, arguments, new ElevatedAccessMode( tx.mode(), AccessMode.Static.READ ) ); + } + private Object callFunction( - QualifiedName name, Object[] input ) + QualifiedName name, Object[] input, final AccessMode mode ) throws ProcedureException { statement.assertOpen(); - try ( KernelTransaction.Revertable ignore = tx.overrideWith( AccessMode.Static.READ ) ) + try ( KernelTransaction.Revertable ignore = tx.overrideWith( mode ) ) { BasicContext ctx = new BasicContext(); ctx.put( Context.KERNEL_TRANSACTION, tx ); diff --git a/community/kernel/src/main/java/org/neo4j/kernel/impl/api/security/AccessModeSnapshot.java b/community/kernel/src/main/java/org/neo4j/kernel/impl/api/security/AccessModeSnapshot.java index 4e3e40ebbcad..cf08a3390df4 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/impl/api/security/AccessModeSnapshot.java +++ b/community/kernel/src/main/java/org/neo4j/kernel/impl/api/security/AccessModeSnapshot.java @@ -27,7 +27,6 @@ public class AccessModeSnapshot implements AccessMode private final boolean allowsReads; private final boolean allowsWrites; private final boolean allowsSchemaWrites; - private final boolean overrideOriginalMode; private final AccessMode originalMode; @@ -43,7 +42,6 @@ private AccessModeSnapshot( AccessMode accessMode ) allowsReads = accessMode.allowsReads(); allowsWrites = accessMode.allowsWrites(); allowsSchemaWrites = accessMode.allowsSchemaWrites(); - overrideOriginalMode = accessMode.overrideOriginalMode(); // We use this for delegation of all the remaining methods this.originalMode = accessMode; @@ -70,12 +68,6 @@ public boolean allowsSchemaWrites() return allowsSchemaWrites; } - @Override - public boolean overrideOriginalMode() - { - return overrideOriginalMode; - } - //--------------------------------------- // Delegate remaining methods to original diff --git a/community/kernel/src/main/java/org/neo4j/kernel/impl/api/security/ElevatedAccessMode.java b/community/kernel/src/main/java/org/neo4j/kernel/impl/api/security/ElevatedAccessMode.java new file mode 100644 index 000000000000..fd8dca6d5c58 --- /dev/null +++ b/community/kernel/src/main/java/org/neo4j/kernel/impl/api/security/ElevatedAccessMode.java @@ -0,0 +1,61 @@ +/* + * Copyright (c) 2002-2016 "Neo Technology," + * Network Engine for Objects in Lund AB [http://neotechnology.com] + * + * This file is part of Neo4j. + * + * Neo4j is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ +package org.neo4j.kernel.impl.api.security; + +import org.neo4j.kernel.api.security.AccessMode; + +public class ElevatedAccessMode extends LayeredAccessMode +{ + public ElevatedAccessMode( AccessMode originalMode, + AccessMode overriddenAccessMode ) + { + super( originalMode, overriddenAccessMode ); + } + + @Override + public boolean allowsReads() + { + return overriddenMode.allowsReads() || originalMode.allowsReads(); + } + + @Override + public boolean allowsWrites() + { + return overriddenMode.allowsWrites() || originalMode.allowsWrites(); + } + + @Override + public boolean allowsSchemaWrites() + { + return overriddenMode.allowsSchemaWrites() || originalMode.allowsSchemaWrites(); + } + + @Override + public boolean isElevated() + { + return true; + } + + @Override + public String name() + { + return originalMode.name() + " elevated to " + overriddenMode.name(); + } +} diff --git a/community/kernel/src/main/java/org/neo4j/kernel/impl/api/security/OverriddenAccessMode.java b/community/kernel/src/main/java/org/neo4j/kernel/impl/api/security/LayeredAccessMode.java similarity index 54% rename from community/kernel/src/main/java/org/neo4j/kernel/impl/api/security/OverriddenAccessMode.java rename to community/kernel/src/main/java/org/neo4j/kernel/impl/api/security/LayeredAccessMode.java index 25896b3acde0..e4a070ce1a73 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/impl/api/security/OverriddenAccessMode.java +++ b/community/kernel/src/main/java/org/neo4j/kernel/impl/api/security/LayeredAccessMode.java @@ -22,63 +22,23 @@ import org.neo4j.graphdb.security.AuthorizationViolationException; import org.neo4j.kernel.api.security.AccessMode; -public class OverriddenAccessMode implements AccessMode +abstract public class LayeredAccessMode implements AccessMode { - private final AccessMode originalMode; - private final AccessMode overriddenMode; + protected final AccessMode originalMode; + protected final AccessMode overriddenMode; - public OverriddenAccessMode( AccessMode originalMode, AccessMode overriddenMode ) + public LayeredAccessMode( AccessMode originalMode, AccessMode overriddenMode ) { this.originalMode = originalMode; this.overriddenMode = overriddenMode; } - @Override - public boolean allowsReads() - { - return overriddenMode.allowsReads() && - (overriddenMode.overrideOriginalMode() || originalMode.allowsReads()); - } - - @Override - public boolean allowsWrites() - { - return overriddenMode.allowsWrites() && - (overriddenMode.overrideOriginalMode() || originalMode.allowsWrites()); - } - - @Override - public boolean allowsSchemaWrites() - { - return overriddenMode.allowsSchemaWrites() && - (overriddenMode.overrideOriginalMode() || originalMode.allowsSchemaWrites()); - } - - @Override - public boolean overrideOriginalMode() - { - return overriddenMode.overrideOriginalMode(); - } - @Override public AuthorizationViolationException onViolation( String msg ) { return overriddenMode.onViolation( msg ); } - @Override - public String name() - { - if ( overriddenMode.overrideOriginalMode() ) - { - return originalMode.name() + " overridden by " + overriddenMode.name(); - } - else - { - return originalMode.name() + " restricted to " + overriddenMode.name(); - } - } - @Override public String username() { diff --git a/community/kernel/src/main/java/org/neo4j/kernel/impl/api/security/RestrictedAccessMode.java b/community/kernel/src/main/java/org/neo4j/kernel/impl/api/security/RestrictedAccessMode.java new file mode 100644 index 000000000000..a259bbb7f028 --- /dev/null +++ b/community/kernel/src/main/java/org/neo4j/kernel/impl/api/security/RestrictedAccessMode.java @@ -0,0 +1,55 @@ +/* + * Copyright (c) 2002-2016 "Neo Technology," + * Network Engine for Objects in Lund AB [http://neotechnology.com] + * + * This file is part of Neo4j. + * + * Neo4j is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ +package org.neo4j.kernel.impl.api.security; + +import org.neo4j.kernel.api.security.AccessMode; + +public class RestrictedAccessMode extends LayeredAccessMode +{ + public RestrictedAccessMode( AccessMode originalMode, + AccessMode overriddenAccessMode ) + { + super( originalMode, overriddenAccessMode ); + } + + @Override + public boolean allowsReads() + { + return overriddenMode.allowsReads() && originalMode.allowsReads(); + } + + @Override + public boolean allowsWrites() + { + return overriddenMode.allowsWrites() && originalMode.allowsWrites(); + } + + @Override + public boolean allowsSchemaWrites() + { + return overriddenMode.allowsSchemaWrites() && originalMode.allowsSchemaWrites(); + } + + @Override + public String name() + { + return originalMode.name() + " restricted to " + overriddenMode.name(); + } +} diff --git a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/security/AccessModeSnapshotTest.java b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/security/AccessModeSnapshotTest.java index 02bef7617deb..e32126bbc622 100644 --- a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/security/AccessModeSnapshotTest.java +++ b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/security/AccessModeSnapshotTest.java @@ -34,9 +34,6 @@ public void shouldCorrectlyReflectAccessMode() testAccessMode( AccessMode.Static.WRITE ); testAccessMode( AccessMode.Static.WRITE_ONLY ); testAccessMode( AccessMode.Static.FULL ); - testAccessMode( AccessMode.Static.OVERRIDE_READ ); - testAccessMode( AccessMode.Static.OVERRIDE_WRITE ); - testAccessMode( AccessMode.Static.OVERRIDE_SCHEMA ); testAccessMode( AccessMode.Static.CREDENTIALS_EXPIRED ); } @@ -46,7 +43,6 @@ private void testAccessMode( AccessMode originalAccessMode ) assertEquals( accessModeSnapshot.allowsReads(), originalAccessMode.allowsReads() ); assertEquals( accessModeSnapshot.allowsWrites(), originalAccessMode.allowsWrites() ); assertEquals( accessModeSnapshot.allowsSchemaWrites(), originalAccessMode.allowsSchemaWrites() ); - assertEquals( accessModeSnapshot.overrideOriginalMode(), originalAccessMode.overrideOriginalMode() ); assertEquals( accessModeSnapshot.name(), originalAccessMode.name() ); } } diff --git a/community/security/src/main/java/org/neo4j/server/security/auth/BasicAuthSubject.java b/community/security/src/main/java/org/neo4j/server/security/auth/BasicAuthSubject.java index b49a95eec839..42bfe6407ce2 100644 --- a/community/security/src/main/java/org/neo4j/server/security/auth/BasicAuthSubject.java +++ b/community/security/src/main/java/org/neo4j/server/security/auth/BasicAuthSubject.java @@ -142,12 +142,6 @@ public boolean allowsSchemaWrites() return accessMode.allowsSchemaWrites(); } - @Override - public boolean overrideOriginalMode() - { - return false; - } - @Override public AuthorizationViolationException onViolation( String msg ) { diff --git a/enterprise/kernel/src/main/java/org/neo4j/kernel/enterprise/api/security/EnterpriseAuthSubject.java b/enterprise/kernel/src/main/java/org/neo4j/kernel/enterprise/api/security/EnterpriseAuthSubject.java index 445268a3d164..71207b9bb722 100644 --- a/enterprise/kernel/src/main/java/org/neo4j/kernel/enterprise/api/security/EnterpriseAuthSubject.java +++ b/enterprise/kernel/src/main/java/org/neo4j/kernel/enterprise/api/security/EnterpriseAuthSubject.java @@ -22,7 +22,6 @@ import java.io.IOException; import org.neo4j.graphdb.security.AuthorizationViolationException; -import org.neo4j.kernel.api.security.AccessMode; import org.neo4j.kernel.api.security.AuthSubject; import org.neo4j.kernel.api.security.AuthenticationResult; import org.neo4j.kernel.api.exceptions.InvalidArgumentsException; @@ -72,9 +71,9 @@ public boolean allowsSchemaWrites() } @Override - public boolean overrideOriginalMode() + public boolean isElevated() { - return AuthSubject.AUTH_DISABLED.overrideOriginalMode(); + return AuthSubject.AUTH_DISABLED.isElevated(); } @Override diff --git a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/StandardEnterpriseAuthSubject.java b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/StandardEnterpriseAuthSubject.java index 05d3f105751b..ea8ac33a183e 100644 --- a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/StandardEnterpriseAuthSubject.java +++ b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/StandardEnterpriseAuthSubject.java @@ -145,12 +145,6 @@ public boolean allowsSchemaWrites() return shiroSubject.isAuthenticated() && shiroSubject.isPermitted( SCHEMA_READ_WRITE ); } - @Override - public boolean overrideOriginalMode() - { - return false; - } - @Override public AuthorizationViolationException onViolation( String msg ) { diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedBuiltInProceduresInteractionTest.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedBuiltInProceduresInteractionTest.java index 8fd6b1256312..424d621190a8 100644 --- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedBuiltInProceduresInteractionTest.java +++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedBuiltInProceduresInteractionTest.java @@ -117,9 +117,9 @@ public boolean allowsSchemaWrites() } @Override - public boolean overrideOriginalMode() + public boolean isElevated() { - return ANONYMOUS.overrideOriginalMode(); + return ANONYMOUS.isElevated(); } @Override