diff --git a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/AuthProcedures.java b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/AuthProcedures.java
index edd845f358d8a..321568dc4c4aa 100644
--- a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/AuthProcedures.java
+++ b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/AuthProcedures.java
@@ -86,16 +86,16 @@ else if ( !enterpriseSubject.isAdmin() )
         }
     }
 
-    @Procedure( name = "dbms.addUserToRole", mode = DBMS )
-    public void addUserToRole( @Name( "username" ) String username, @Name( "roleName" ) String roleName )
+    @Procedure( name = "dbms.addRoleToUser", mode = DBMS )
+    public void addRoleToUser(@Name( "roleName" ) String roleName, @Name( "username" ) String username )
             throws IOException, InvalidArgumentsException
     {
         EnterpriseAuthSubject adminSubject = ensureAdminAuthSubject();
-        adminSubject.getUserManager().addUserToRole( username, roleName );
+        adminSubject.getUserManager().addRoleToUser( roleName, username );
     }
 
-    @Procedure( name = "dbms.removeUserFromRole", mode = DBMS )
-    public void removeUserFromRole( @Name( "username" ) String username, @Name( "roleName" ) String roleName )
+    @Procedure( name = "dbms.removeRoleFromUser", mode = DBMS )
+    public void removeRoleFromUser( @Name( "roleName" ) String roleName, @Name( "username" ) String username )
             throws InvalidArgumentsException, IOException
     {
         EnterpriseAuthSubject adminSubject = ensureAdminAuthSubject();
@@ -104,7 +104,7 @@ public void removeUserFromRole( @Name( "username" ) String username, @Name( "rol
             throw new InvalidArgumentsException( "Removing yourself (user '" + username + "') from the admin role is not allowed." );
         }
 
-        adminSubject.getUserManager().removeUserFromRole( username, roleName );
+        adminSubject.getUserManager().removeRoleFromUser( roleName, username );
     }
 
     @Procedure( name = "dbms.deleteUser", mode = DBMS )
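Review bot: `public void addRoleToUser(@Name( "roleName" ) String roleName, ...` drops the space after the opening parenthesis that the file's other signatures keep (`removeRoleFromUser( @Name( "roleName" ) ...` a few lines down); `public void addRoleToUser( @Name( "roleName" ) String roleName, @Name( "username" ) String username )` matches. Swapping two parameters of the same type is invisible to the compiler and to Cypher, so any caller outside this diff that still passes `(username, roleName)` will now look up a user named after the role; judging by the tests this fails with a does-not-exist error rather than granting anything, but it deserves an explicit mention in the procedure's release notes. The test hunks in this diff also move `dbms.changePassword` and `dbms.changeUserPassword` under `dbms.security.`, while both procedures here stay under `dbms.`; no production change for that rename is visible in this diff, so either it belongs to another commit or those tests will fail. The enclosing class continues outside both hunks.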
diff --git a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/EnterpriseUserManager.java b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/EnterpriseUserManager.java
index 77b4087a025d1..79f92c48ca0da 100644
--- a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/EnterpriseUserManager.java
+++ b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/EnterpriseUserManager.java
@@ -36,24 +36,24 @@ public interface EnterpriseUserManager extends UserManager
     RoleRecord getRole( String roleName ) throws InvalidArgumentsException;
 
     /**
-     * Add a user to a role. The role has to exist.
+     * Assign a role to a user. The role and the user have to exist.
      *
-     * @param username name of user
      * @param roleName name of role
+     * @param username name of user
      * @throws InvalidArgumentsException if the role does not exist
      * @throws IOException
      */
-    void addUserToRole( String username, String roleName ) throws IOException, InvalidArgumentsException;
+    void addRoleToUser( String roleName, String username ) throws IOException, InvalidArgumentsException;
 
     /**
-     * Remove a user from a role.
+     * Unassign a role from a user. The role and the user have to exist.
      *
-     * @param username name of user
      * @param roleName name of role
+     * @param username name of user
      * @throws InvalidArgumentsException if the username or the role does not exist
      * @throws IOException
      */
-    void removeUserFromRole( String username, String roleName ) throws IOException, InvalidArgumentsException;
+    void removeRoleFromUser( String roleName, String username ) throws IOException, InvalidArgumentsException;
 
     Set getAllRoleNames();
 
diff --git a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/InternalFlatFileRealm.java b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/InternalFlatFileRealm.java
index 8b715f3dcfc3d..d762593af5573 100644
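Review bot: The `@throws InvalidArgumentsException if the role does not exist` line on `addRoleToUser` now contradicts the summary directly above it, which says both the role and the user have to exist, and the sibling `removeRoleFromUser` already documents `if the username or the role does not exist`; the realm implementation in this diff additionally rejects empty names with the same exception. I would change the line to `@throws InvalidArgumentsException if the username or the role does not exist, or either name is empty` and use the same wording on `removeRoleFromUser`. Both `@throws IOException` tags are still bare; give them the cause once it is confirmed against the implementation, e.g. `@throws IOException if the underlying role store cannot be updated`. Since two same-typed parameters were swapped, this Javadoc is the only place a caller will learn the new order, so the `@param` reordering in this hunk is the part to keep exact.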
--- a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/InternalFlatFileRealm.java
+++ b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/InternalFlatFileRealm.java
@@ -164,7 +164,7 @@ private void ensureDefaultRoles() throws IOException, InvalidArgumentsException
         {
             if ( getAllUsernames().contains( "neo4j" ) )
             {
-                addUserToRole( "neo4j", PredefinedRolesBuilder.ADMIN );
+                addRoleToUser( PredefinedRolesBuilder.ADMIN, "neo4j" );
             }
         }
     }
@@ -346,9 +346,10 @@ public RoleRecord getRole( String roleName ) throws InvalidArgumentsException
     }
 
     @Override
-    public void addUserToRole( String username, String roleName ) throws IOException, InvalidArgumentsException
+    public void addRoleToUser( String roleName, String username ) throws IOException, InvalidArgumentsException
     {
-        checkValidityOfUsernameAndRoleName( username, roleName );
+        assertValidRoleName( roleName );
+        assertValidUsername( username );
 
         synchronized ( this )
         {
@@ -362,16 +363,17 @@ public void addUserToRole( String username, String roleName ) throws IOException
             catch ( ConcurrentModificationException e )
             {
                 // Try again
-                addUserToRole( username, roleName );
+                addRoleToUser( roleName, username );
             }
         }
         clearCachedAuthorizationInfoForUser( username );
     }
 
     @Override
-    public void removeUserFromRole( String username, String roleName ) throws IOException, InvalidArgumentsException
+    public void removeRoleFromUser( String roleName, String username ) throws IOException, InvalidArgumentsException
     {
-        checkValidityOfUsernameAndRoleName( username, roleName );
+        assertValidRoleName( roleName );
+        assertValidUsername( username );
 
         synchronized ( this )
         {
@@ -386,7 +388,7 @@ public void removeUserFromRole( String username, String roleName ) throws IOExce
             catch ( ConcurrentModificationException e )
             {
                 // Try again
-                removeUserFromRole( username, roleName );
+                removeRoleFromUser( roleName, username );
             }
         }
         clearCachedAuthorizationInfoForUser( username );
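Review bot: The retry in the `catch ( ConcurrentModificationException e )` branch calls `addRoleToUser( roleName, username )` recursively with no bound, so a store that keeps reporting concurrent modification turns an admin procedure into unbounded recursion (ending in a stack overflow) instead of a clean failure; `removeRoleFromUser` in the last hunk has the same shape. Each level also re-enters `synchronized ( this )` and runs `clearCachedAuthorizationInfoForUser` once more on the way out, which is presumably harmless but wasteful. A bounded loop around the existing try, rethrowing after a small fixed number of attempts, keeps the retry semantics without the recursion; the `try` this catch belongs to starts outside the hunk, so the sketch below wraps code not shown here. The new validation order (`assertValidRoleName` before `assertValidUsername`) also changes which message is reported when both names are empty, which the updated tests rely on and would be worth a one-line comment such as `// Role name is validated first; the procedure tests depend on this order.`.
```java
        synchronized ( this )
        {
            for ( int attempt = 0; ; attempt++ )
            {
                try
                {
                    // … unchanged: existing try body that updates the role record …
                    break;
                }
                catch ( ConcurrentModificationException e )
                {
                    // Try again, but only a bounded number of times
                    if ( attempt >= MAX_ROLE_UPDATE_RETRIES ) // new private static final int to add (placeholder name)
                    {
                        throw e;
                    }
                }
            }
        }
        clearCachedAuthorizationInfoForUser( username );
```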
@@ -536,12 +538,6 @@ private void removeUserFromAllRoles( String username ) throws IOException
         }
     }
 
-    private void checkValidityOfUsernameAndRoleName( String username, String roleName ) throws InvalidArgumentsException
-    {
-        assertValidUsername( username );
-        assertValidRoleName( roleName );
-    }
-
     private void assertValidUsername( String name ) throws InvalidArgumentsException
     {
         if ( name.isEmpty() )
diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/AuthProceduresTestLogic.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/AuthProceduresTestLogic.java
index ab9e71d090a46..2fbb82bc745e9 100644
--- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/AuthProceduresTestLogic.java
+++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/AuthProceduresTestLogic.java
@@ -80,8 +80,8 @@ public void shouldChangeOwnPasswordEvenIfHasNoAuthorization() throws Throwable
     @Test
     public void shouldNotChangeOwnPasswordIfNewPasswordInvalid() throws Exception
     {
-        assertFail( readSubject, "CALL dbms.changePassword( '' )", "A password cannot be empty." );
-        assertFail( readSubject, "CALL dbms.changePassword( '123' )",
+        assertFail( readSubject, "CALL dbms.security.changePassword( '' )", "A password cannot be empty." );
+        assertFail( readSubject, "CALL dbms.security.changePassword( '123' )",
                 "Old password and new password cannot be the same." );
     }
 
@@ -315,7 +315,8 @@ public void shouldNotChangeUserPasswordIfNonExistentUser() throws Exception
     @Test
     public void shouldNotChangeUserPasswordIfEmptyPassword() throws Exception
     {
-        assertFail( adminSubject, "CALL dbms.changeUserPassword( 'readSubject', '' )", "A password cannot be empty." );
+        assertFail( adminSubject, "CALL dbms.security.changeUserPassword( 'readSubject', '' )",
+                "A password cannot be empty." );
     }
 
     // Should fail to change password for admin subject and same password
@@ -406,7 +407,7 @@ public void shouldDeleteUser() throws Exception
                     e.getMessage().contains( "User 'noneSubject' does not exist." ) );
         }
 
-        userManager.addUserToRole( "readSubject", PUBLISHER );
+        userManager.addRoleToUser( PUBLISHER, "readSubject" );
         assertEmpty( adminSubject, "CALL dbms.deleteUser('readSubject')" );
         try
         {
@@ -571,10 +572,10 @@ public void shouldFailToActivateYourself() throws Exception
     //---------- add user to role -----------
 
     @Test
-    public void shouldAddUserToRole() throws Exception
+    public void shouldAddRoleToUser() throws Exception
     {
         assertFalse( "Should not have role publisher", userHasRole( "readSubject", PUBLISHER ) );
-        assertEmpty( adminSubject, "CALL dbms.addUserToRole('readSubject', '" + PUBLISHER + "')" );
+        assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + PUBLISHER + "', 'readSubject' )" );
         assertTrue( "Should have role publisher", userHasRole( "readSubject", PUBLISHER ) );
     }
 
@@ -582,44 +583,44 @@ public void shouldAddUserToRole() throws Exception
     public void shouldAddRetainUserInRole() throws Exception
     {
         assertTrue( "Should have role reader", userHasRole( "readSubject", READER ) );
-        assertEmpty( adminSubject, "CALL dbms.addUserToRole('readSubject', '" + READER + "')" );
+        assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + READER + "', 'readSubject')" );
         assertTrue( "Should have still have role reader", userHasRole( "readSubject", READER ) );
     }
 
     @Test
     public void shouldFailToAddNonExistentUserToRole() throws Exception
     {
-        testFailAddUserToRole( adminSubject, "Olivia", PUBLISHER, "User 'Olivia' does not exist." );
-        testFailAddUserToRole( adminSubject, "Olivia", "thisRoleDoesNotExist", "User 'Olivia' does not exist." );
-        testFailAddUserToRole( adminSubject, "Olivia", "", "The provided role name is empty." );
+        testFailAddRoleToUser( adminSubject, PUBLISHER, "Olivia", "User 'Olivia' does not exist." );
+        testFailAddRoleToUser( adminSubject, "thisRoleDoesNotExist", "Olivia", "User 'Olivia' does not exist." );
+        testFailAddRoleToUser( adminSubject, "", "Olivia", "The provided role name is empty." );
     }
 
     @Test
     public void shouldFailToAddUserToNonExistentRole() throws Exception
     {
-        testFailAddUserToRole( adminSubject, "readSubject", "thisRoleDoesNotExist",
+        testFailAddRoleToUser( adminSubject, "thisRoleDoesNotExist", "readSubject",
                 "Role 'thisRoleDoesNotExist' does not exist." );
-        testFailAddUserToRole( adminSubject, "readSubject", "", "The provided role name is empty." );
+        testFailAddRoleToUser( adminSubject, "", "readSubject", "The provided role name is empty." );
     }
 
     @Test
-    public void shouldFailToAddUserToRoleIfNotAdmin() throws Exception
+    public void shouldFailToAddRoleToUserIfNotAdmin() throws Exception
     {
-        testFailAddUserToRole( pwdSubject, "readSubject", PUBLISHER, CHANGE_PWD_ERR_MSG );
-        testFailAddUserToRole( readSubject, "readSubject", PUBLISHER, PERMISSION_DENIED );
-        testFailAddUserToRole( writeSubject, "readSubject", PUBLISHER, PERMISSION_DENIED );
+        testFailAddRoleToUser( pwdSubject, PUBLISHER, "readSubject", CHANGE_PWD_ERR_MSG );
+        testFailAddRoleToUser( readSubject, PUBLISHER, "readSubject", PERMISSION_DENIED );
+        testFailAddRoleToUser( writeSubject, PUBLISHER, "readSubject", PERMISSION_DENIED );
 
-        testFailAddUserToRole( schemaSubject, "readSubject", PUBLISHER, PERMISSION_DENIED );
-        testFailAddUserToRole( schemaSubject, "Olivia", PUBLISHER, PERMISSION_DENIED );
-        testFailAddUserToRole( schemaSubject, "Olivia", "thisRoleDoesNotExist", PERMISSION_DENIED );
+        testFailAddRoleToUser( schemaSubject, PUBLISHER, "readSubject", PERMISSION_DENIED );
+        testFailAddRoleToUser( schemaSubject, PUBLISHER, "Olivia", PERMISSION_DENIED );
+        testFailAddRoleToUser( schemaSubject, "thisRoleDoesNotExist", "Olivia", PERMISSION_DENIED );
     }
 
     //---------- remove user from role -----------
 
     @Test
-    public void shouldRemoveUserFromRole() throws Exception
+    public void shouldRemoveRoleFromUser() throws Exception
     {
-        assertEmpty( adminSubject, "CALL dbms.removeUserFromRole('readSubject', '" + READER + "')" );
+        assertEmpty( adminSubject, "CALL dbms.removeRoleFromUser('" + READER + "', 'readSubject')" );
         assertFalse( "Should not have role reader", userHasRole( "readSubject", READER ) );
     }
 
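Review bot: `shouldFailToAddNonExistentUserToRole` stops at the empty-role case, while the matching remove-side test in this diff also pins the empty-username case and the both-empty case, so the add path's new validation order (`assertValidRoleName` before `assertValidUsername` in `InternalFlatFileRealm.addRoleToUser`) is only covered for removal. Adding `testFailAddRoleToUser( adminSubject, "", "", "The provided role name is empty." );` and `testFailAddRoleToUser( adminSubject, PUBLISHER, "", "The provided user name is empty." );` keeps the two tests symmetric. The `"The provided user name is empty."` text is copied from the remove-side test; confirm it is what `assertValidUsername` emits before relying on it.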
@@ -627,43 +628,44 @@ public void shouldRemoveUserFromRole() throws Exception
     public void shouldKeepUserOutOfRole() throws Exception
     {
         assertFalse( "Should not have role publisher", userHasRole( "readSubject", PUBLISHER ) );
-        assertEmpty( adminSubject, "CALL dbms.removeUserFromRole('readSubject', '" + PUBLISHER + "')" );
+        assertEmpty( adminSubject, "CALL dbms.removeRoleFromUser('" + PUBLISHER + "', 'readSubject')" );
         assertFalse( "Should not have role publisher", userHasRole( "readSubject", PUBLISHER ) );
     }
 
     @Test
     public void shouldFailToRemoveNonExistentUserFromRole() throws Exception
     {
-        testFailRemoveUserFromRole( adminSubject, "Olivia", PUBLISHER, "User 'Olivia' does not exist." );
-        testFailRemoveUserFromRole( adminSubject, "Olivia", "thisRoleDoesNotExist", "User 'Olivia' does not exist." );
-        testFailRemoveUserFromRole( adminSubject, "Olivia", "", "The provided role name is empty." );
-        testFailRemoveUserFromRole( adminSubject, "", "", "The provided user name is empty." );
+        testFailRemoveRoleFromUser( adminSubject, PUBLISHER, "Olivia", "User 'Olivia' does not exist." );
+        testFailRemoveRoleFromUser( adminSubject, "thisRoleDoesNotExist", "Olivia", "User 'Olivia' does not exist." );
+        testFailRemoveRoleFromUser( adminSubject, "", "Olivia", "The provided role name is empty." );
+        testFailRemoveRoleFromUser( adminSubject, "", "", "The provided role name is empty." );
+        testFailRemoveRoleFromUser( adminSubject, PUBLISHER, "", "The provided user name is empty." );
     }
 
     @Test
     public void shouldFailToRemoveUserFromNonExistentRole() throws Exception
     {
-        testFailRemoveUserFromRole( adminSubject, "readSubject", "thisRoleDoesNotExist",
+        testFailRemoveRoleFromUser( adminSubject, "thisRoleDoesNotExist", "readSubject",
                 "Role 'thisRoleDoesNotExist' does not exist." );
-        testFailRemoveUserFromRole( adminSubject, "readSubject", "", "The provided role name is empty." );
+        testFailRemoveRoleFromUser( adminSubject, "", "readSubject", "The provided role name is empty." );
     }
 
     @Test
-    public void shouldFailToRemoveUserFromRoleIfNotAdmin() throws Exception
+    public void shouldFailToRemoveRoleFromUserIfNotAdmin() throws Exception
     {
-        testFailRemoveUserFromRole( pwdSubject, "readSubject", PUBLISHER,CHANGE_PWD_ERR_MSG );
-        testFailRemoveUserFromRole( readSubject, "readSubject", PUBLISHER, PERMISSION_DENIED );
-        testFailRemoveUserFromRole( writeSubject, "readSubject", PUBLISHER, PERMISSION_DENIED );
+        testFailRemoveRoleFromUser( pwdSubject, PUBLISHER, "readSubject",CHANGE_PWD_ERR_MSG );
+        testFailRemoveRoleFromUser( readSubject, PUBLISHER, "readSubject", PERMISSION_DENIED );
+        testFailRemoveRoleFromUser( writeSubject, PUBLISHER, "readSubject", PERMISSION_DENIED );
 
-        testFailRemoveUserFromRole( schemaSubject, "readSubject", READER, PERMISSION_DENIED );
-        testFailRemoveUserFromRole( schemaSubject, "Olivia", READER, PERMISSION_DENIED );
-        testFailRemoveUserFromRole( schemaSubject, "Olivia", "thisRoleDoesNotExist", PERMISSION_DENIED );
+        testFailRemoveRoleFromUser( schemaSubject, READER, "readSubject", PERMISSION_DENIED );
+        testFailRemoveRoleFromUser( schemaSubject, READER, "Olivia", PERMISSION_DENIED );
+        testFailRemoveRoleFromUser( schemaSubject, "thisRoleDoesNotExist", "Olivia", PERMISSION_DENIED );
     }
 
     @Test
     public void shouldFailToRemoveYourselfFromAdminRole() throws Exception
     {
-        assertFail( adminSubject, "CALL dbms.removeUserFromRole('adminSubject', '" + ADMIN + "')",
+        assertFail( adminSubject, "CALL dbms.removeRoleFromUser('" + ADMIN + "', 'adminSubject')",
                 "Removing yourself (user 'adminSubject') from the admin role is not allowed." );
     }
 
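Review bot: `testFailRemoveRoleFromUser( pwdSubject, PUBLISHER, "readSubject",CHANGE_PWD_ERR_MSG );` carries the missing space before `CHANGE_PWD_ERR_MSG` over from the old line even though the whole line was rewritten; `testFailRemoveRoleFromUser( pwdSubject, PUBLISHER, "readSubject", CHANGE_PWD_ERR_MSG );` matches the neighbouring calls. The new `testFailRemoveRoleFromUser( adminSubject, "", "", "The provided role name is empty." );` expectation only holds because the realm now validates the role name before the username; a comment such as `// Role name is validated before user name, so both-empty reports the role error` would stop a future reorder in the realm from looking like a test bug.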
@@ -674,12 +676,12 @@ public void shouldAllowAddingAndRemovingUserFromMultipleRoles() throws Exception { assertFalse( "Should not have role publisher", userHasRole( "readSubject", PUBLISHER ) ); assertFalse( "Should not have role architect", userHasRole( "readSubject", ARCHITECT ) ); - assertEmpty( adminSubject, "CALL dbms.addUserToRole('readSubject', '" + PUBLISHER + "')" ); - assertEmpty( adminSubject, "CALL dbms.addUserToRole('readSubject', '" + ARCHITECT + "')" ); + assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + PUBLISHER + "', 'readSubject')" ); + assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + ARCHITECT + "', 'readSubject')" ); assertTrue( "Should have role publisher", userHasRole( "readSubject", PUBLISHER ) ); assertTrue( "Should have role architect", userHasRole( "readSubject", ARCHITECT ) ); - assertEmpty( adminSubject, "CALL dbms.removeUserFromRole('readSubject', '" + PUBLISHER + "')" ); - assertEmpty( adminSubject, "CALL dbms.removeUserFromRole('readSubject', '" + ARCHITECT + "')" ); + assertEmpty( adminSubject, "CALL dbms.removeRoleFromUser('" + PUBLISHER + "', 'readSubject')" ); + assertEmpty( adminSubject, "CALL dbms.removeRoleFromUser('" + ARCHITECT + "', 'readSubject')" ); assertFalse( "Should not have role publisher", userHasRole( "readSubject", PUBLISHER ) ); assertFalse( "Should not have role architect", userHasRole( "readSubject", ARCHITECT ) ); } @@ -705,7 +707,7 @@ public void shouldReturnUsersWithRoles() throws Exception "noneSubject", listOf( ), "neo4j", listOf( ADMIN ) ); - userManager.addUserToRole( "writeSubject", READER ); + userManager.addRoleToUser( READER, "writeSubject" ); assertSuccess( adminSubject, "CALL dbms.listUsers()", r -> assertKeyIsMap( r, "username", "roles", expected ) ); } 
@@ -731,7 +733,7 @@ public void shouldReturnUsersWithFlags() throws Exception @Test public void shouldShowCurrentUser() throws Exception { - userManager.addUserToRole( "writeSubject", READER ); + userManager.addRoleToUser( READER, "writeSubject" ); assertSuccess( adminSubject, "CALL dbms.showCurrentUser()", r -> assertKeyIsMap( r, "username", "roles", map( "adminSubject", listOf( ADMIN ) ) ) ); assertSuccess( readSubject, "CALL dbms.showCurrentUser()", @@ -894,7 +896,7 @@ public void shouldSetCorrectPasswordChangeRequiredPermissions() throws Throwable assertPasswordChangeWhenPasswordChangeRequired( pwdSubject, "321" ); assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', true)" ); - assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + ARCHITECT + "')" ); + assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + ARCHITECT + "', 'Henrik')" ); S henrik = neo.login( "Henrik", "bar" ); neo.assertPasswordChangeRequired( henrik ); testFailRead( henrik, 3, pwdReqErrMsg( READ_OPS_NOT_ALLOWED ) ); @@ -903,7 +905,7 @@ public void shouldSetCorrectPasswordChangeRequiredPermissions() throws Throwable assertPasswordChangeWhenPasswordChangeRequired( henrik, "321" ); assertEmpty( adminSubject, "CALL dbms.createUser('Olivia', 'bar', true)" ); - assertEmpty( adminSubject, "CALL dbms.addUserToRole('Olivia', '" + ADMIN + "')" ); + assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + ADMIN + "', 'Olivia')" ); S olivia = neo.login( "Olivia", "bar" ); neo.assertPasswordChangeRequired( olivia ); testFailRead( olivia, 3, pwdReqErrMsg( READ_OPS_NOT_ALLOWED ) ); 
@@ -966,7 +968,7 @@ public void shouldSetCorrectAdminPermissions() throws Exception
     @Test
     public void shouldSetCorrectMultiRolePermissions() throws Exception
     {
-        assertEmpty( adminSubject, "CALL dbms.addUserToRole('schemaSubject', '" + READER + "')" );
+        assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + READER + "', 'schemaSubject')" );
         testSuccessfulRead( schemaSubject, 3 );
         testSuccessfulWrite( schemaSubject );
 
diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/AuthScenariosLogic.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/AuthScenariosLogic.java
index 5529ef989e74e..5e5385d04f144 100644
--- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/AuthScenariosLogic.java
+++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/AuthScenariosLogic.java
@@ -52,7 +52,7 @@ public abstract class AuthScenariosLogic extends AuthTestBase
     public void readOperationsShouldNotBeAllowedWhenPasswordChangeRequired() throws Exception
     {
         assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', true)" );
-        assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" );
+        assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + READER + "', 'Henrik')" );
         S subject = neo.login( "Henrik", "bar" );
         neo.assertPasswordChangeRequired( subject );
         testFailRead( subject, 3, pwdReqErrMsg( READ_OPS_NOT_ALLOWED ) );
@@ -62,7 +62,7 @@ public void readOperationsShouldNotBeAllowedWhenPasswordChangeRequired() throws
     public void passwordChangeShouldEnableRolePermissions() throws Throwable
     {
         assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', true)" );
-        assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" );
+        assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + READER + "', 'Henrik')" );
         S subject = neo.login( "Henrik", "bar" );
         neo.assertPasswordChangeRequired( subject );
         assertPasswordChangeWhenPasswordChangeRequired( subject, "foo" );
@@ -76,7 +76,7 @@ public void passwordChangeShouldEnableRolePermissions() throws Throwable
     public void loginShouldFailWithIncorrectPassword() throws Exception
     {
         assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', true)" );
-        assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" );
+        assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + READER + "', 'Henrik')" );
         S subject = neo.login( "Henrik", "foo" );
         neo.assertInitFailed( subject );
     }
@@ -100,7 +100,7 @@ public void userCreation2() throws Throwable
         subject = neo.login( "Henrik", "foo" );
         neo.assertAuthenticated( subject );
         testFailRead( subject, 3 );
-        assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" );
+        assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + READER + "', 'Henrik')" );
         testFailWrite( subject );
         testSuccessfulRead( subject, 3 );
     }
@@ -122,7 +122,7 @@ public void userCreation3() throws Throwable
         S subject = neo.login( "Henrik", "bar" );
         neo.assertAuthenticated( subject );
         testFailRead( subject, 3 );
-        assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" );
+        assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + PUBLISHER + "', 'Henrik')" );
         testSuccessfulWrite( subject );
         testSuccessfulRead( subject, 4 );
         testFailSchema( subject );
@@ -152,7 +152,7 @@ public void userCreation4() throws Throwable
         testFailWrite( subject );
         testFailSchema( subject );
         testFailCreateUser( subject, PERMISSION_DENIED );
-        assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + ARCHITECT + "')" );
+        assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + ARCHITECT + "', 'Henrik')" );
         testSuccessfulWrite( subject );
         testSuccessfulRead( subject, 4 );
         testSuccessfulSchema( subject );
@@ -170,7 +170,7 @@ public void userCreation4() throws Throwable
     public void userCreation5() throws Throwable
     {
         assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" );
-        assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" );
+        assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + PUBLISHER + "', 'Henrik')" );
         S subject = neo.login( "Henrik", "bar" );
         testFailCreateUser( subject, PERMISSION_DENIED );
     }
@@ -201,7 +201,7 @@ public void userDeletion2() throws Throwable
     {
         assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" );
         assertEmpty( adminSubject, "CALL dbms.deleteUser('Henrik')" );
-        assertFail( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')",
+        assertFail( adminSubject, "CALL dbms.addRoleToUser('" + PUBLISHER + "', 'Henrik')",
                 "User 'Henrik' does not exist" );
     }
 
@@ -215,9 +215,9 @@ public void userDeletion2() throws Throwable
     public void userDeletion3() throws Throwable
     {
         assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" );
-        assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" );
+        assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + PUBLISHER + "', 'Henrik')" );
         assertEmpty( adminSubject, "CALL dbms.deleteUser('Henrik')" );
-        assertFail( adminSubject, "CALL dbms.removeUserFromRole('Henrik', '" + PUBLISHER + "')",
+        assertFail( adminSubject, "CALL dbms.removeRoleFromUser('" + PUBLISHER + "', 'Henrik')",
                 "User 'Henrik' does not exist" );
     }
 
@@ -233,7 +233,7 @@ public void userDeletion3() throws Throwable
     public void userDeletion4() throws Throwable
     {
         assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" );
-        assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" );
+        assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + PUBLISHER + "', 'Henrik')" );
         S henrik = neo.login( "Henrik", "bar" );
         neo.assertAuthenticated( henrik );
         assertEmpty( adminSubject, "CALL dbms.deleteUser('Henrik')" );
@@ -259,13 +259,13 @@ public void userDeletion4() throws Throwable
     public void roleManagement1() throws Throwable
     {
         assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" );
-        assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" );
+        assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + PUBLISHER + "', 'Henrik')" );
         S subject = neo.login( "Henrik", "bar" );
         neo.assertAuthenticated( subject );
         testSuccessfulWrite( subject );
-        assertEmpty( adminSubject, "CALL dbms.removeUserFromRole('Henrik', '" + PUBLISHER + "')" );
+        assertEmpty( adminSubject, "CALL dbms.removeRoleFromUser('" + PUBLISHER + "', 'Henrik')" );
         testFailRead( subject, 4 );
-        assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" );
+        assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + READER + "', 'Henrik')" );
         testFailWrite( subject );
         testSuccessfulRead( subject, 4 );
     }
@@ -285,8 +285,8 @@ public void roleManagement2() throws Throwable
         S subject = neo.login( "Henrik", "bar" );
         neo.assertAuthenticated( subject );
         testFailWrite( subject );
-        assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" );
-        assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" );
+        assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + PUBLISHER + "', 'Henrik')" );
+        assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + PUBLISHER + "', 'Henrik')" );
         testSuccessfulWrite( subject );
     }
 
@@ -305,13 +305,13 @@ public void roleManagement2() throws Throwable
     public void roleManagement3() throws Throwable
     {
         assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" );
-        assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" );
+        assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + PUBLISHER + "', 'Henrik')" );
         S subject = neo.login( "Henrik", "bar" );
         neo.assertAuthenticated( subject );
-        assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" );
+        assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + READER + "', 'Henrik')" );
         testSuccessfulWrite( subject );
         testSuccessfulRead( subject, 4 );
-        assertEmpty( adminSubject, "CALL dbms.removeUserFromRole('Henrik', '" + PUBLISHER + "')" );
+        assertEmpty( adminSubject, "CALL dbms.removeRoleFromUser('" + PUBLISHER + "', 'Henrik')" );
         testFailWrite( subject );
         testSuccessfulRead( subject, 4 );
     }
@@ -331,14 +331,14 @@ public void roleManagement3() throws Throwable
     public void roleManagement4() throws Throwable
     {
         assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" );
-        assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" );
+        assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + PUBLISHER + "', 'Henrik')" );
         S subject = neo.login( "Henrik", "bar" );
         neo.assertAuthenticated( subject );
-        assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" );
+        assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + READER + "', 'Henrik')" );
         testSuccessfulWrite( subject );
         testSuccessfulRead( subject, 4 );
-        assertEmpty( adminSubject, "CALL dbms.removeUserFromRole('Henrik', '" + READER + "')" );
-        assertEmpty( adminSubject, "CALL dbms.removeUserFromRole('Henrik', '" + PUBLISHER + "')" );
+        assertEmpty( adminSubject, "CALL dbms.removeRoleFromUser('" + READER + "', 'Henrik')" );
+        assertEmpty( adminSubject, "CALL dbms.removeRoleFromUser('" + PUBLISHER + "', 'Henrik')" );
         testFailWrite( subject );
         testFailRead( subject, 4 );
     }
@@ -356,7 +356,7 @@ Admin removes user Henrik from role Publisher (while Q still running)
     public void roleManagement5() throws Throwable
     {
         assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" );
-        assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" );
+        assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + PUBLISHER + "', 'Henrik')" );
         S henrik = neo.login( "Henrik", "bar" );
         neo.assertAuthenticated( henrik );
 
@@ -364,7 +364,7 @@ public void roleManagement5() throws Throwable write.execute( threading, henrik ); write.barrier.await(); - assertEmpty( adminSubject, "CALL dbms.removeUserFromRole('Henrik', '" + PUBLISHER + "')" ); + assertEmpty( adminSubject, "CALL dbms.removeRoleFromUser('" + PUBLISHER + "', 'Henrik')" ); write.closeAndAssertException( AuthorizationViolationException.class, "Write operations are not allowed for 'Henrik'." ); @@ -386,7 +386,7 @@ Admin removes Henrik from role Publisher (while Q still running) public void roleManagement6() throws Throwable { assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); - assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" ); + assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + PUBLISHER + "', 'Henrik')" ); S henrik = neo.login( "Henrik", "bar" ); neo.assertAuthenticated( henrik ); @@ -409,8 +409,8 @@ public void roleManagement6() throws Throwable nodeCount = pollNumNodes(); } - assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" ); - assertEmpty( adminSubject, "CALL dbms.removeUserFromRole('Henrik', '" + PUBLISHER + "')" ); + assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + READER + "', 'Henrik')" ); + assertEmpty( adminSubject, "CALL dbms.removeRoleFromUser('" + PUBLISHER + "', 'Henrik')" ); perCommit.closeAndAssertError( "Write operations are not allowed for 'Henrik'." ); @@ -475,7 +475,7 @@ public void userSuspension1() throws Throwable public void userSuspension2() throws Throwable { assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); - assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" ); + assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + READER + "', 'Henrik')" ); S subject = neo.login( "Henrik", "bar" ); neo.assertAuthenticated( subject ); testSuccessfulRead( subject, 3 ); 
@@ -528,7 +528,7 @@ public void userListing() throws Throwable
         S subject = neo.login( "Henrik", "bar" );
         neo.assertAuthenticated( subject );
         testFailListUsers( subject, 6, PERMISSION_DENIED );
-        assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + ADMIN + "')" );
+        assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + ADMIN + "', 'Henrik')" );
         testSuccessfulListUsers( subject, with( initialUsers, "Henrik" ) );
     }
 
@@ -548,7 +548,7 @@ public void rolesListing() throws Throwable
         neo.assertAuthenticated( subject );
         testFailListRoles( subject, PERMISSION_DENIED);
         testSuccessfulListRoles( adminSubject, initialRoles );
-        assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + ADMIN + "')" );
+        assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + ADMIN + "', 'Henrik')" );
         testSuccessfulListRoles( subject, initialRoles );
     }
 
@@ -568,7 +568,7 @@ public void listingUserRoles() throws Throwable
     {
         assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" );
         assertEmpty( adminSubject, "CALL dbms.createUser('Craig', 'foo', false)" );
-        assertEmpty( adminSubject, "CALL dbms.addUserToRole('Craig', '" + PUBLISHER + "')" );
+        assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + PUBLISHER + "', 'Craig')" );
         S subject = neo.login( "Henrik", "bar" );
         neo.assertAuthenticated( subject );
 
@@ -595,8 +595,8 @@ public void listingRoleUsers() throws Throwable
 {
 assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" );
 assertEmpty( adminSubject, "CALL dbms.createUser('Craig', 'foo', false)" );
- assertEmpty( adminSubject, "CALL dbms.addUserToRole('Craig', '" + PUBLISHER + "')" );
- assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" );
+ assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + PUBLISHER + "', 'Craig')" );
+ assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + PUBLISHER + "', 'Henrik')" );
 S subject = neo.login( "Henrik", "bar" );
 neo.assertAuthenticated( subject );
 testFailListRoleUsers( subject, PUBLISHER, PERMISSION_DENIED );
@@ -624,7 +624,7 @@ public void listingRoleUsers() throws Throwable
 public void callProcedures1() throws Throwable
 {
 assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" );
- assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" );
+ assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + PUBLISHER + "', 'Henrik')" );
 S henrik = neo.login( "Henrik", "bar" );
 neo.assertAuthenticated( henrik );
@@ -632,13 +632,13 @@ public void callProcedures1() throws Throwable
 assertSuccess( henrik, "CALL test.numNodes() YIELD count as count RETURN count", r -> assertKeyIs( r, "count", "4" ) );
- assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" );
+ assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + READER + "', 'Henrik')" );
 assertEmpty( henrik, "CALL test.createNode()" );
 assertSuccess( henrik, "CALL test.numNodes() YIELD count as count RETURN count", r -> assertKeyIs( r, "count", "5" ) );
- assertEmpty( adminSubject, "CALL dbms.removeUserFromRole('Henrik', '" + PUBLISHER + "')" );
+ assertEmpty( adminSubject, "CALL dbms.removeRoleFromUser('" + PUBLISHER + "', 'Henrik')" );
 assertFail( henrik, "CALL test.createNode()", "Write operations are not allowed for 'Henrik'." );
 }
@@ -662,7 +662,7 @@ public void callProcedures1() throws Throwable
 public void changeUserPassword1() throws Throwable
 {
 assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'abc', false)" );
- assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" );
+ assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + READER + "', 'Henrik')" );
 S subject = neo.login( "Henrik", "abc" );
 neo.assertAuthenticated( subject );
 testSuccessfulRead( subject, 3 );
@@ -693,7 +693,7 @@ public void changeUserPassword1() throws Throwable
 public void changeUserPassword2() throws Throwable
 {
 assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'abc', false)" );
- assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" );
+ assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + READER + "', 'Henrik')" );
 S subject = neo.login( "Henrik", "abc" );
 neo.assertAuthenticated( subject );
 testSuccessfulRead( subject, 3 );
@@ -719,7 +719,7 @@ public void changeUserPassword3() throws Throwable
 {
 assertEmpty( adminSubject, "CALL dbms.createUser('Craig', 'abc', false)" );
 assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'abc', false)" );
- assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" );
+ assertEmpty( adminSubject, "CALL dbms.addRoleToUser('" + READER + "', 'Henrik')" );
 S subject = neo.login( "Henrik", "abc" );
 neo.assertAuthenticated( subject );
 testSuccessfulRead( subject, 3 );
diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/AuthTestBase.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/AuthTestBase.java
index f0c4a057a364c..f68c6c9bd0926 100644
--- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/AuthTestBase.java
+++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/AuthTestBase.java
@@ -105,10 +105,10 @@ public void setUp() throws Throwable
 userManager.newUser( "writeSubject", "abc", false );
 userManager.newUser( "readSubject", "123", false );
 // Currently admin role is created by default
- userManager.addUserToRole( "adminSubject", ADMIN );
- userManager.addUserToRole( "schemaSubject", ARCHITECT );
- userManager.addUserToRole( "writeSubject", PUBLISHER );
- userManager.addUserToRole( "readSubject", READER );
+ userManager.addRoleToUser( ADMIN, "adminSubject" );
+ userManager.addRoleToUser( ARCHITECT, "schemaSubject" );
+ userManager.addRoleToUser( PUBLISHER, "writeSubject" );
+ userManager.addRoleToUser( READER, "readSubject" );
 userManager.newRole( EMPTY_ROLE );
 noneSubject = neo.login( "noneSubject", "abc" );
 pwdSubject = neo.login( "pwdSubject", "abc" );
@@ -184,14 +184,14 @@ void testFailCreateUser( S subject, String errMsg )
 assertFail( subject, "CALL dbms.createUser('', 'foo', false)", errMsg );
 }
- void testFailAddUserToRole( S subject, String username, String role, String errMsg )
+ void testFailAddRoleToUser( S subject, String role, String username, String errMsg )
 {
- assertFail( subject, "CALL dbms.addUserToRole('" + username + "', '" + role + "')", errMsg );
+ assertFail( subject, "CALL dbms.addRoleToUser('" + role + "', '" + username + "')", errMsg );
 }
- void testFailRemoveUserFromRole( S subject, String username, String role, String errMsg )
+ void testFailRemoveRoleFromUser( S subject, String role, String username, String errMsg )
 {
- assertFail( subject, "CALL dbms.removeUserFromRole('" + username + "', '" + role + "')", errMsg );
+ assertFail( subject, "CALL dbms.removeRoleFromUser('" + role + "', '" + username + "')", errMsg );
 }
 void testFailDeleteUser( S subject, String username, String errMsg )
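Review bot: The renamed helpers `testFailAddRoleToUser` and `testFailRemoveRoleFromUser` swap two parameters of the same type (`String role, String username`), so a call site that was missed and still passes `(username, role)` compiles unchanged and exercises the reverse assignment; since each helper asserts only `errMsg`, such a call could still pass if the reversed procedure call fails with a matching message, which would hide a wrong-role grant in the test suite rather than surface it. The same same-type swap applies to the `userManager.addRoleToUser( ADMIN, "adminSubject" )` calls in the `setUp` hunk above, where a missed caller would silently assign the wrong principal. A one-line comment above each helper, `// Parameter order is (role, username), mirroring the dbms.addRoleToUser / removeRoleFromUser procedures`, and a grep for any remaining `testFailAddUserToRole` / `addUserToRole` usages would make the swap auditable; a later follow-up could introduce distinct role and username wrapper types to let the compiler catch the mix-up. The enclosing `AuthTestBase` class starts and ends outside these hunks.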
diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/integration/bolt/LdapAuthenticationIT.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/integration/bolt/LdapAuthenticationIT.java
index 48d607eedaa54..5bcbebdbe268f 100644
--- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/integration/bolt/LdapAuthenticationIT.java
+++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/integration/bolt/LdapAuthenticationIT.java
@@ -368,7 +368,7 @@ private void testCreateReaderUser() throws Exception
 // NOTE: The default user 'neo4j' has password change required, so we have to first change it
 client.send( TransportTestUtil.chunk( run( "CALL dbms.changeUserPassword('neo4j', '123') CALL dbms.createUser( 'neo', 'invalid', false ) " +
- "CALL dbms.addUserToRole( 'neo', 'reader' ) RETURN 0" ),
+ "CALL dbms.addRoleToUser( 'reader', 'neo' ) RETURN 0" ),
 pullAll() ) );
 assertThat( client, eventuallyReceives( msgSuccess() ) );