Add auth plugin realm support

enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/AuthProcedures.java

@@ -40,6 +40,7 @@
 import org.neo4j.procedure.Description;
 import org.neo4j.procedure.Name;
 import org.neo4j.procedure.Procedure;
+import org.neo4j.server.security.enterprise.auth.plugin.api.PredefinedRoles;
 
 import static org.neo4j.graphdb.security.AuthorizationViolationException.PERMISSION_DENIED;
 import static java.lang.String.format;
@@ -172,7 +173,7 @@ public void removeRoleFromUser( @Name( "roleName" ) String roleName, @Name( "use
         try
         {
             StandardEnterpriseAuthSubject adminSubject = ensureAdminAuthSubject();
-            if ( adminSubject.hasUsername( username ) && roleName.equals( PredefinedRolesBuilder.ADMIN ) )
+            if ( adminSubject.hasUsername( username ) && roleName.equals( PredefinedRoles.ADMIN ) )
             {
                 throw new InvalidArgumentsException(
                         "Removing yourself (user '" + username + "') from the admin role is not allowed." );

enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/EnterpriseAuthManager.java

@@ -20,9 +20,11 @@
 package org.neo4j.server.security.enterprise.auth;
 
 import org.neo4j.kernel.api.security.AuthManager;
+import org.neo4j.server.security.auth.UserManagerSupplier;
 
-public interface EnterpriseAuthManager extends AuthManager
+public interface EnterpriseAuthManager extends AuthManager, UserManagerSupplier
 {
+    @Override
     EnterpriseUserManager getUserManager();
 
     void clearAuthCache();

enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/EnterpriseAuthManagerFactory.java

@@ -36,11 +36,12 @@
 import org.neo4j.kernel.impl.util.JobScheduler;
 import org.neo4j.logging.Log;
 import org.neo4j.logging.LogProvider;
-import org.neo4j.server.security.auth.AuthenticationStrategy;
 import org.neo4j.server.security.auth.BasicPasswordPolicy;
-import org.neo4j.server.security.auth.PasswordPolicy;
 import org.neo4j.server.security.auth.RateLimitedAuthenticationStrategy;
-import org.neo4j.server.security.auth.UserRepository;
+import org.neo4j.server.security.enterprise.auth.plugin.PluginRealm;
+import org.neo4j.server.security.enterprise.auth.plugin.spi.AuthPlugin;
+import org.neo4j.server.security.enterprise.auth.plugin.spi.AuthenticationPlugin;
+import org.neo4j.server.security.enterprise.auth.plugin.spi.AuthorizationPlugin;
 import org.neo4j.time.Clocks;
 
 import static org.neo4j.server.security.auth.BasicAuthManagerFactory.getUserRepository;
@@ -82,10 +83,43 @@ public EnterpriseAuthManager newInstance( Config config, LogProvider logProvider
             realms.add( new LdapRealm( config, securityLog ) );
         }
 
-        if ( config.get( SecuritySettings.plugin_authentication_enabled ) ||
-             config.get( SecuritySettings.plugin_authorization_enabled ) )
+        Boolean pluginAuthenticationEnabled = config.get( SecuritySettings.plugin_authentication_enabled );
+        Boolean pluginAuthorizationEnabled = config.get( SecuritySettings.plugin_authorization_enabled );
+
+        if ( pluginAuthenticationEnabled && pluginAuthorizationEnabled )
+        {
+            // Combined authentication and authorization plugins
+            Iterable<AuthPlugin> authPlugins = Service.load( AuthPlugin.class );
+
+            for ( AuthPlugin plugin : authPlugins )
+            {
+                PluginRealm pluginRealm = new PluginRealm( plugin );
+                realms.add( pluginRealm );
+            }
+        }
+
+        if ( pluginAuthenticationEnabled )
+        {
+            // Authentication only plugins
+            Iterable<AuthenticationPlugin> authenticationPlugins = Service.load( AuthenticationPlugin.class );
+
+            for ( AuthenticationPlugin plugin : authenticationPlugins )
+            {
+                PluginRealm pluginRealm = new PluginRealm( plugin, null );
+                realms.add( pluginRealm );
+            }
+        }
+
+        if ( pluginAuthorizationEnabled )
         {
-            // TODO: Load pluggable realms
+            // Authorization only plugins
+            Iterable<AuthorizationPlugin> authorizationPlugins = Service.load( AuthorizationPlugin.class );
+
+            for ( AuthorizationPlugin plugin : authorizationPlugins )
+            {
+                PluginRealm pluginRealm = new PluginRealm( null, plugin );
+                realms.add( pluginRealm );
+            }
         }
 
         long ttl = config.get( SecuritySettings.auth_cache_ttl );

enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/InternalFlatFileRealm.java

@@ -54,6 +54,7 @@
 import org.neo4j.server.security.auth.User;
 import org.neo4j.server.security.auth.UserRepository;
 import org.neo4j.server.security.auth.exception.ConcurrentModificationException;
+import org.neo4j.server.security.enterprise.auth.plugin.api.PredefinedRoles;
 
 import static java.lang.String.format;
 
@@ -194,11 +195,11 @@ private void ensureDefaultRoles() throws IOException, InvalidArgumentsException
                     newRole( role );
                 }
             }
-            if ( this.getUsernamesForRole( PredefinedRolesBuilder.ADMIN ).size() == 0 )
+            if ( this.getUsernamesForRole( PredefinedRoles.ADMIN ).size() == 0 )
             {
                 if ( getAllUsernames().contains( "neo4j" ) )
                 {
-                    addRoleToUser( PredefinedRolesBuilder.ADMIN, "neo4j" );
+                    addRoleToUser( PredefinedRoles.ADMIN, "neo4j" );
                 }
             }
         }

enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/MultiRealmAuthManager.java

@@ -44,11 +44,10 @@
 import org.neo4j.kernel.api.security.exception.InvalidAuthTokenException;
 import org.neo4j.kernel.enterprise.api.security.EnterpriseAuthSubject;
 import org.neo4j.kernel.impl.enterprise.SecurityLog;
-import org.neo4j.server.security.auth.UserManagerSupplier;
 
 import static org.neo4j.helpers.Strings.escape;
 
-class MultiRealmAuthManager implements EnterpriseAuthManager, UserManagerSupplier
+class MultiRealmAuthManager implements EnterpriseAuthManager
 {
     private final EnterpriseUserManager userManager;
     private final Collection<Realm> realms;

enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/PredefinedRolesBuilder.java

@@ -29,13 +29,10 @@
 import java.util.LinkedHashMap;
 import java.util.Map;
 
+import static org.neo4j.server.security.enterprise.auth.plugin.api.PredefinedRoles.*;
+
 public class PredefinedRolesBuilder implements RolesBuilder
 {
-    public static final String ADMIN = "admin";
-    public static final String ARCHITECT = "architect";
-    public static final String PUBLISHER = "publisher";
-    public static final String READER = "reader";
-
     public static final Map<String,SimpleRole> roles = staticBuildRoles();
 
     public static Map<String,SimpleRole> staticBuildRoles()

enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/ShiroAuthToken.java

@@ -52,7 +52,7 @@ public String getScheme() throws InvalidAuthTokenException
         return AuthToken.safeCast( AuthToken.SCHEME_KEY, authToken );
     }
 
-    Map<String,Object> getAuthTokenMap()
+    public Map<String,Object> getAuthTokenMap()
     {
         return authToken;
     }

enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/plugin/PluginAuthInfo.java

@@ -0,0 +1,75 @@
+/*
+ * Copyright (c) 2002-2016 "Neo Technology,"
+ * Network Engine for Objects in Lund AB [http://neotechnology.com]
+ *
+ * This file is part of Neo4j.
+ *
+ * Neo4j is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.neo4j.server.security.enterprise.auth.plugin;
+
+import org.apache.shiro.authz.Permission;
+import org.apache.shiro.subject.PrincipalCollection;
+import org.apache.shiro.subject.SimplePrincipalCollection;
+
+import java.util.Collection;
+
+import org.neo4j.server.security.enterprise.auth.plugin.spi.AuthInfo;
+
+public class PluginAuthInfo implements org.apache.shiro.authc.AuthenticationInfo, org.apache.shiro.authz.AuthorizationInfo
+{
+    private final AuthInfo authInfo;
+    private final String realmName;
+
+    public static PluginAuthInfo create( AuthInfo authInfo, String realmName )
+    {
+        return new PluginAuthInfo( authInfo, realmName );
+    }
+
+    private PluginAuthInfo( AuthInfo authInfo, String realmName )
+    {
+        this.authInfo = authInfo;
+        this.realmName = realmName;
+    }
+
+    @Override
+    public PrincipalCollection getPrincipals()
+    {
+        return new SimplePrincipalCollection( this.authInfo.getPrincipal(), realmName );
+    }
+
+    @Override
+    public Object getCredentials()
+    {
+        return this.authInfo.getCredentials();
+    }
+
+    @Override
+    public Collection<String> getRoles()
+    {
+        return this.authInfo.getRoles();
+    }
+
+    @Override
+    public Collection<String> getStringPermissions()
+    {
+        return null;
+    }
+
+    @Override
+    public Collection<Permission> getObjectPermissions()
+    {
+        return null;
+    }
+}

enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/plugin/PluginAuthenticationInfo.java

@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 2002-2016 "Neo Technology,"
+ * Network Engine for Objects in Lund AB [http://neotechnology.com]
+ *
+ * This file is part of Neo4j.
+ *
+ * Neo4j is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.neo4j.server.security.enterprise.auth.plugin;
+
+import org.apache.shiro.subject.PrincipalCollection;
+import org.apache.shiro.subject.SimplePrincipalCollection;
+
+import org.neo4j.server.security.enterprise.auth.plugin.spi.AuthenticationInfo;
+
+public class PluginAuthenticationInfo implements org.apache.shiro.authc.AuthenticationInfo
+{
+    private final AuthenticationInfo authenticationInfo;
+    private final String realmName;
+
+    public static PluginAuthenticationInfo create( AuthenticationInfo authenticationInfo, String realmName )
+    {
+        return new PluginAuthenticationInfo( authenticationInfo, realmName );
+    }
+
+    private PluginAuthenticationInfo( AuthenticationInfo authenticationInfo, String realmName )
+    {
+        this.authenticationInfo = authenticationInfo;
+        this.realmName = realmName;
+    }
+
+    @Override
+    public PrincipalCollection getPrincipals()
+    {
+
+        return new SimplePrincipalCollection( this.authenticationInfo.getPrincipal(), realmName );
+    }
+
+    @Override
+    public Object getCredentials()
+    {
+        return this.authenticationInfo.getCredentials();
+    }
+}

enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/plugin/PluginAuthorizationInfo.java

@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2002-2016 "Neo Technology,"
+ * Network Engine for Objects in Lund AB [http://neotechnology.com]
+ *
+ * This file is part of Neo4j.
+ *
+ * Neo4j is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.neo4j.server.security.enterprise.auth.plugin;
+
+import org.apache.shiro.authz.Permission;
+
+import java.util.Collection;
+
+import org.neo4j.server.security.enterprise.auth.plugin.spi.AuthorizationInfo;
+
+public class PluginAuthorizationInfo implements org.apache.shiro.authz.AuthorizationInfo
+{
+    private final AuthorizationInfo authorizationInfo;
+
+    public static PluginAuthorizationInfo create( AuthorizationInfo authorizationInfo )
+    {
+        return new PluginAuthorizationInfo( authorizationInfo );
+    }
+
+    private PluginAuthorizationInfo( AuthorizationInfo authorizationInfo )
+    {
+        this.authorizationInfo = authorizationInfo;
+    }
+
+    @Override
+    public Collection<String> getRoles()
+    {
+        return this.authorizationInfo.getRoles();
+    }
+
+    @Override
+    public Collection<String> getStringPermissions()
+    {
+        return null;
+    }
+
+    @Override
+    public Collection<Permission> getObjectPermissions()
+    {
+        return null;
+    }
+}