diff --git a/community/kernel-api/src/main/java/org/neo4j/internal/kernel/api/security/LoginContext.java b/community/kernel-api/src/main/java/org/neo4j/internal/kernel/api/security/LoginContext.java index b455fdbb7f88e..4686a123800a0 100644 --- a/community/kernel-api/src/main/java/org/neo4j/internal/kernel/api/security/LoginContext.java +++ b/community/kernel-api/src/main/java/org/neo4j/internal/kernel/api/security/LoginContext.java @@ -22,8 +22,9 @@ import org.neo4j.internal.kernel.api.Token; /** - * The LoginContext hold the executing authenticated user (subject). By calling {@link #freeze(Token)} the user is also authorized, and a - * full SecurityContext is returned, which can be used to assert user permissions during query execution. + * The LoginContext hold the executing authenticated user (subject). + * By calling {@link #authorize(Token)} the user is also authorized, and a full SecurityContext is returned, + * which can be used to assert user permissions during query execution. */ public interface LoginContext { @@ -38,7 +39,7 @@ public interface LoginContext * @param token token lookup, used to compile property level security verification * @return the security context */ - SecurityContext freeze( Token token ); + SecurityContext authorize( Token token ); LoginContext AUTH_DISABLED = new LoginContext() { @@ -49,7 +50,7 @@ public AuthSubject subject() } @Override - public SecurityContext freeze( Token token ) + public SecurityContext authorize( Token token ) { return SecurityContext.AUTH_DISABLED; } diff --git a/community/kernel-api/src/main/java/org/neo4j/internal/kernel/api/security/SecurityContext.java b/community/kernel-api/src/main/java/org/neo4j/internal/kernel/api/security/SecurityContext.java index a5f6dfc33bded..9ba230e74d3ce 100644 --- a/community/kernel-api/src/main/java/org/neo4j/internal/kernel/api/security/SecurityContext.java +++ b/community/kernel-api/src/main/java/org/neo4j/internal/kernel/api/security/SecurityContext.java @@ -28,24 +28,54 @@ * * Must extend LoginContext to handle procedures creating internal transactions, periodic commit and the parallel cypher prototype. */ -public interface SecurityContext extends LoginContext +public class SecurityContext implements LoginContext { + protected final AuthSubject subject; + protected final AccessMode mode; + + public SecurityContext( AuthSubject subject, AccessMode mode ) + { + this.subject = subject; + this.mode = mode; + } + /** * Get the authorization data of the user. This is immutable. */ - AccessMode mode(); + public AccessMode mode() + { + return mode; + } /** * Check whether the user is an admin. */ - boolean isAdmin(); + public boolean isAdmin() + { + return true; + } + + @Override + public AuthSubject subject() + { + return subject; + } + + @Override + public SecurityContext authorize( Token token ) + { + return this; + } /** * Create a copy of this SecurityContext with the provided mode. */ - SecurityContext withMode( AccessMode mode ); + public SecurityContext withMode( AccessMode mode ) + { + return new SecurityContext( subject, mode ); + } - default void assertCredentialsNotExpired() + public void assertCredentialsNotExpired() { if ( subject().getAuthenticationResult().equals( AuthenticationResult.PASSWORD_CHANGE_REQUIRED ) ) { @@ -53,110 +83,41 @@ default void assertCredentialsNotExpired() } } - default String description() + public String description() { return String.format( "user '%s' with %s", subject().username(), mode().name() ); } - default String defaultString( String name ) + protected String defaultString( String name ) { return String.format( "%s{ username=%s, accessMode=%s }", name, subject().username(), mode() ); } /** Allows all operations. */ - SecurityContext AUTH_DISABLED = new AuthDisabled( AccessMode.Static.FULL ); + public static final SecurityContext AUTH_DISABLED = authDisabled( AccessMode.Static.FULL ); - final class AuthDisabled implements SecurityContext + private static SecurityContext authDisabled( AccessMode mode ) { - private final AccessMode mode; - - private AuthDisabled( AccessMode mode ) - { - this.mode = mode; - } - - @Override - public AccessMode mode() - { - return mode; - } - - @Override - public AuthSubject subject() + return new SecurityContext( AuthSubject.AUTH_DISABLED, mode ) { - return AuthSubject.AUTH_DISABLED; - } - - @Override - public boolean isAdmin() - { - return true; - } - - @Override - public String toString() - { - return defaultString( "auth-disabled" ); - } - @Override - public String description() - { - return "AUTH_DISABLED with " + mode.name(); - } - - @Override - public SecurityContext freeze( Token token ) - { - return this; - } - - @Override - public SecurityContext withMode( AccessMode mode ) - { - return new AuthDisabled( mode ); - } - } - - final class Frozen implements SecurityContext - { - private final AuthSubject subject; - private final AccessMode mode; - - public Frozen( AuthSubject subject, AccessMode mode ) - { - this.subject = subject; - this.mode = mode; - } - - @Override - public AccessMode mode() - { - return mode; - } - - @Override - public AuthSubject subject() - { - return subject; - } - - @Override - public boolean isAdmin() - { - return true; - } - - @Override - public SecurityContext freeze( Token token ) - { - return this; - } - - @Override - public SecurityContext withMode( AccessMode mode ) - { - return new Frozen( subject, mode ); - } + @Override + public SecurityContext withMode( AccessMode mode ) + { + return authDisabled( mode ); + } + + @Override + public String description() + { + return "AUTH_DISABLED with " + mode().name(); + } + + @Override + public String toString() + { + return defaultString( "auth-disabled" ); + } + }; } } diff --git a/community/kernel/src/main/java/org/neo4j/kernel/api/security/AnonymousContext.java b/community/kernel/src/main/java/org/neo4j/kernel/api/security/AnonymousContext.java index f2dfc789e25ce..3a36d2b2b023a 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/api/security/AnonymousContext.java +++ b/community/kernel/src/main/java/org/neo4j/kernel/api/security/AnonymousContext.java @@ -67,8 +67,8 @@ public AuthSubject subject() } @Override - public SecurityContext freeze( Token token ) + public SecurityContext authorize( Token token ) { - return new SecurityContext.Frozen( subject(), accessMode ); + return new SecurityContext( subject(), accessMode ); } } diff --git a/community/kernel/src/main/java/org/neo4j/kernel/impl/api/KernelTransactions.java b/community/kernel/src/main/java/org/neo4j/kernel/impl/api/KernelTransactions.java index a0c95bb4850a8..484d483e04118 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/impl/api/KernelTransactions.java +++ b/community/kernel/src/main/java/org/neo4j/kernel/impl/api/KernelTransactions.java @@ -175,7 +175,7 @@ public Supplier explicitIndexTxStateSupplier() public KernelTransaction newInstance( KernelTransaction.Type type, LoginContext loginContext, long timeout ) { assertCurrentThreadIsNotBlockingNewTransactions(); - SecurityContext securityContext = loginContext.freeze( token ); + SecurityContext securityContext = loginContext.authorize( token ); try { while ( !newTransactionsLock.readLock().tryLock( 1, TimeUnit.SECONDS ) ) diff --git a/community/kernel/src/test/java/org/neo4j/kernel/api/KernelTransactionFactory.java b/community/kernel/src/test/java/org/neo4j/kernel/api/KernelTransactionFactory.java index 9ab8ac7cec15b..a07eecfea215c 100644 --- a/community/kernel/src/test/java/org/neo4j/kernel/api/KernelTransactionFactory.java +++ b/community/kernel/src/test/java/org/neo4j/kernel/api/KernelTransactionFactory.java @@ -107,7 +107,7 @@ storageEngine, new CanWrite(), new KernelToken( storeReadLayer ), new DefaultCur StatementLocks statementLocks = new SimpleStatementLocks( new NoOpClient() ); - transaction.initialize( 0, 0, statementLocks, KernelTransaction.Type.implicit, loginContext.freeze( mock( Token.class ) ), 0L, 1L ); + transaction.initialize( 0, 0, statementLocks, KernelTransaction.Type.implicit, loginContext.authorize( mock( Token.class ) ), 0L, 1L ); return new Instances( transaction, storageEngine, storeReadLayer, storageStatement ); } diff --git a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionImplementationTest.java b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionImplementationTest.java index 55ab7d10e08e6..1a0b664815eba 100644 --- a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionImplementationTest.java +++ b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionImplementationTest.java @@ -450,7 +450,7 @@ public void shouldIncrementReuseCounterOnReuse() throws Exception transaction.close(); SimpleStatementLocks statementLocks = new SimpleStatementLocks( new NoOpClient() ); transaction.initialize( 1, BASE_TX_COMMIT_TIMESTAMP, statementLocks, KernelTransaction.Type.implicit, - loginContext().freeze( mock( Token.class ) ), 0L, 1L ); + loginContext().authorize( mock( Token.class ) ), 0L, 1L ); // THEN assertEquals( reuseCount + 1, transaction.getReuseCount() ); @@ -671,7 +671,7 @@ public void markForTerminationWithCorrectReuseCount() throws Exception Locks.Client locksClient = mock( Locks.Client.class ); SimpleStatementLocks statementLocks = new SimpleStatementLocks( locksClient ); - tx.initialize( 42, 42, statementLocks, KernelTransaction.Type.implicit, loginContext().freeze( mock( Token.class ) ), 0L, 0L ); + tx.initialize( 42, 42, statementLocks, KernelTransaction.Type.implicit, loginContext().authorize( mock( Token.class ) ), 0L, 0L ); assertTrue( tx.markForTermination( reuseCount, terminationReason ) ); @@ -691,7 +691,7 @@ public void markForTerminationWithIncorrectReuseCount() throws Exception Locks.Client locksClient = mock( Locks.Client.class ); SimpleStatementLocks statementLocks = new SimpleStatementLocks( locksClient ); - tx.initialize( 42, 42, statementLocks, KernelTransaction.Type.implicit, loginContext().freeze( mock( Token.class ) ), 0L, 0L ); + tx.initialize( 42, 42, statementLocks, KernelTransaction.Type.implicit, loginContext().authorize( mock( Token.class ) ), 0L, 0L ); assertFalse( tx.markForTermination( nextReuseCount, terminationReason ) ); @@ -758,7 +758,7 @@ private void initializeAndClose( KernelTransactionImplementation tx, int times ) for ( int i = 0; i < times; i++ ) { SimpleStatementLocks statementLocks = new SimpleStatementLocks( new NoOpClient() ); - tx.initialize( i + 10, i + 10, statementLocks, KernelTransaction.Type.implicit, loginContext().freeze( mock( Token.class ) ), 0L, 0L ); + tx.initialize( i + 10, i + 10, statementLocks, KernelTransaction.Type.implicit, loginContext().authorize( mock( Token.class ) ), 0L, 0L ); tx.close(); } } diff --git a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionTestBase.java b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionTestBase.java index 66642c21c166a..bb8d97d39dc89 100644 --- a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionTestBase.java +++ b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionTestBase.java @@ -144,7 +144,7 @@ public KernelTransactionImplementation newTransaction( long lastTransactionIdWhe { KernelTransactionImplementation tx = newNotInitializedTransaction(); StatementLocks statementLocks = new SimpleStatementLocks( locks ); - SecurityContext securityContext = loginContext.freeze( mock( Token.class ) ); + SecurityContext securityContext = loginContext.authorize( mock( Token.class ) ); tx.initialize( lastTransactionIdWhenStarted, BASE_TX_COMMIT_TIMESTAMP,statementLocks, Type.implicit, securityContext, transactionTimeout, 1L ); return tx; diff --git a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionsTest.java b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionsTest.java index 66e15d58c651a..f6a2de6d14706 100644 --- a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionsTest.java +++ b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionsTest.java @@ -409,7 +409,7 @@ public void shouldNotLeakTransactionOnSecurityContextFreezeFailure() throws Thro { KernelTransactions kernelTransactions = newKernelTransactions(); LoginContext loginContext = mock( LoginContext.class ); - when( loginContext.freeze( any() ) ).thenThrow( new AuthorizationExpiredException( "Freeze failed." ) ); + when( loginContext.authorize( any() ) ).thenThrow( new AuthorizationExpiredException( "Freeze failed." ) ); assertException(() -> kernelTransactions.newInstance(KernelTransaction.Type.explicit, loginContext, 0L), AuthorizationExpiredException.class, "Freeze failed."); diff --git a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/BuiltInProceduresIT.java b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/BuiltInProceduresIT.java index d4e01b65f4982..eb5de0fb02779 100644 --- a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/BuiltInProceduresIT.java +++ b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/BuiltInProceduresIT.java @@ -268,7 +268,7 @@ public void failWhenCallingNonExistingProcedures() throws Throwable { // When dbmsOperations().procedureCallDbms( procedureName( "dbms", "iDoNotExist" ), new Object[0], - AnonymousContext.none().freeze( mock( Token.class ) ) ); + AnonymousContext.none().authorize( mock( Token.class ) ) ); fail( "This should never get here" ); } catch ( Exception e ) diff --git a/community/kernel/src/test/java/org/neo4j/kernel/impl/coreapi/TxStateTransactionDataViewTest.java b/community/kernel/src/test/java/org/neo4j/kernel/impl/coreapi/TxStateTransactionDataViewTest.java index 103f86c1ea4bc..921505cba11f7 100644 --- a/community/kernel/src/test/java/org/neo4j/kernel/impl/coreapi/TxStateTransactionDataViewTest.java +++ b/community/kernel/src/test/java/org/neo4j/kernel/impl/coreapi/TxStateTransactionDataViewTest.java @@ -346,7 +346,7 @@ public void accessTransactionIdAndCommitTime() @Test public void shouldGetEmptyUsernameForAnonymousContext() { - when( transaction.securityContext() ).thenReturn( AnonymousContext.read().freeze( mock( Token.class ) ) ); + when( transaction.securityContext() ).thenReturn( AnonymousContext.read().authorize( mock( Token.class ) ) ); TxStateTransactionDataSnapshot transactionDataSnapshot = snapshot(); assertEquals( "", transactionDataSnapshot.username() ); @@ -358,7 +358,7 @@ public void shouldAccessUsernameFromAuthSubject() AuthSubject authSubject = mock( AuthSubject.class ); when( authSubject.username() ).thenReturn( "Christof" ); when( transaction.securityContext() ) - .thenReturn( new SecurityContext.Frozen( authSubject, AccessMode.Static.FULL ) ); + .thenReturn( new SecurityContext( authSubject, AccessMode.Static.FULL ) ); TxStateTransactionDataSnapshot transactionDataSnapshot = snapshot(); assertEquals( "Christof", transactionDataSnapshot.username() ); diff --git a/community/kernel/src/test/java/org/neo4j/kernel/impl/event/TransactionEventsIT.java b/community/kernel/src/test/java/org/neo4j/kernel/impl/event/TransactionEventsIT.java index 56c5ad91ac3a8..59e58142a56aa 100644 --- a/community/kernel/src/test/java/org/neo4j/kernel/impl/event/TransactionEventsIT.java +++ b/community/kernel/src/test/java/org/neo4j/kernel/impl/event/TransactionEventsIT.java @@ -197,9 +197,9 @@ public AuthSubject subject() } @Override - public SecurityContext freeze( Token token ) + public SecurityContext authorize( Token token ) { - return new SecurityContext.Frozen( subject, AccessMode.Static.WRITE ); + return new SecurityContext( subject, AccessMode.Static.WRITE ); } }; Map metadata = genericMap( "username", "joe" ); diff --git a/community/security/src/main/java/org/neo4j/server/security/auth/BasicLoginContext.java b/community/security/src/main/java/org/neo4j/server/security/auth/BasicLoginContext.java index 1b484d5ecfa63..55653a389e016 100644 --- a/community/security/src/main/java/org/neo4j/server/security/auth/BasicLoginContext.java +++ b/community/security/src/main/java/org/neo4j/server/security/auth/BasicLoginContext.java @@ -107,8 +107,8 @@ public AuthSubject subject() } @Override - public SecurityContext freeze( Token token ) + public SecurityContext authorize( Token token ) { - return new SecurityContext.Frozen( authSubject, accessMode ); + return new SecurityContext( authSubject, accessMode ); } } diff --git a/community/security/src/test/java/org/neo4j/server/security/auth/AuthProceduresTest.java b/community/security/src/test/java/org/neo4j/server/security/auth/AuthProceduresTest.java index 54168a87b2194..92999e05cb8d1 100644 --- a/community/security/src/test/java/org/neo4j/server/security/auth/AuthProceduresTest.java +++ b/community/security/src/test/java/org/neo4j/server/security/auth/AuthProceduresTest.java @@ -51,7 +51,7 @@ public void shouldFailWhenDeprecatedChangePasswordWithStaticAccessModeInDbmsMode // When dbmsOperations().procedureCallDbms( procedureName( "dbms", "changePassword" ), inputArray, - AnonymousContext.none().freeze( mock( Token.class ) ) ); + AnonymousContext.none().authorize( mock( Token.class ) ) ); } @Test @@ -67,7 +67,7 @@ public void shouldFailWhenChangePasswordWithStaticAccessModeInDbmsMode() throws // When dbmsOperations().procedureCallDbms( procedureName( "dbms", "security", "changePassword" ), inputArray, - AnonymousContext.none().freeze( mock( Token.class ) ) ); + AnonymousContext.none().authorize( mock( Token.class ) ) ); } @Override diff --git a/community/security/src/test/java/org/neo4j/server/security/auth/SecurityContextDescriptionTest.java b/community/security/src/test/java/org/neo4j/server/security/auth/SecurityContextDescriptionTest.java index 8afc893b468d5..d3495f8034a81 100644 --- a/community/security/src/test/java/org/neo4j/server/security/auth/SecurityContextDescriptionTest.java +++ b/community/security/src/test/java/org/neo4j/server/security/auth/SecurityContextDescriptionTest.java @@ -54,7 +54,7 @@ public void setup() throws Throwable manager.init(); manager.start(); manager.newUser( "johan", "bar", false ); - context = manager.login( authToken( "johan", "bar" ) ).freeze( mock( Token.class ) ); + context = manager.login( authToken( "johan", "bar" ) ).authorize( mock( Token.class ) ); } @After diff --git a/community/server/src/test/java/org/neo4j/server/database/CypherExecutorTest.java b/community/server/src/test/java/org/neo4j/server/database/CypherExecutorTest.java index 3d81d798368ae..614bbe2c5e451 100644 --- a/community/server/src/test/java/org/neo4j/server/database/CypherExecutorTest.java +++ b/community/server/src/test/java/org/neo4j/server/database/CypherExecutorTest.java @@ -153,7 +153,7 @@ private void setUpMocks() QueryRegistryOperations registryOperations = mock( QueryRegistryOperations.class ); when( statement.queryRegistration() ).thenReturn( registryOperations ); when( statementBridge.get() ).thenReturn( statement ); - when( kernelTransaction.securityContext() ).thenReturn( loginContext.freeze( mock( Token.class ) ) ); + when( kernelTransaction.securityContext() ).thenReturn( loginContext.authorize( mock( Token.class ) ) ); when( kernelTransaction.transactionType() ).thenReturn( type ); when( database.getGraph() ).thenReturn( databaseFacade ); when( databaseFacade.getDependencyResolver() ).thenReturn( resolver ); diff --git a/enterprise/kernel/src/main/java/org/neo4j/kernel/enterprise/api/security/EnterpriseLoginContext.java b/enterprise/kernel/src/main/java/org/neo4j/kernel/enterprise/api/security/EnterpriseLoginContext.java index 16de240610f62..fc2344ba89b63 100644 --- a/enterprise/kernel/src/main/java/org/neo4j/kernel/enterprise/api/security/EnterpriseLoginContext.java +++ b/enterprise/kernel/src/main/java/org/neo4j/kernel/enterprise/api/security/EnterpriseLoginContext.java @@ -30,7 +30,7 @@ public interface EnterpriseLoginContext extends LoginContext { Set roles(); - EnterpriseSecurityContext freeze( Token token ); + EnterpriseSecurityContext authorize( Token token ); EnterpriseLoginContext AUTH_DISABLED = new EnterpriseLoginContext() { @@ -47,7 +47,7 @@ public Set roles() } @Override - public EnterpriseSecurityContext freeze( Token token ) + public EnterpriseSecurityContext authorize( Token token ) { return EnterpriseSecurityContext.AUTH_DISABLED; } diff --git a/enterprise/kernel/src/main/java/org/neo4j/kernel/enterprise/api/security/EnterpriseSecurityContext.java b/enterprise/kernel/src/main/java/org/neo4j/kernel/enterprise/api/security/EnterpriseSecurityContext.java index 75e0231835c16..7df01e4385116 100644 --- a/enterprise/kernel/src/main/java/org/neo4j/kernel/enterprise/api/security/EnterpriseSecurityContext.java +++ b/enterprise/kernel/src/main/java/org/neo4j/kernel/enterprise/api/security/EnterpriseSecurityContext.java @@ -28,126 +28,71 @@ import org.neo4j.internal.kernel.api.security.SecurityContext; /** - * A logged in user. + * A logged in and authorized user. */ -public interface EnterpriseSecurityContext extends SecurityContext +public class EnterpriseSecurityContext extends SecurityContext { + private final Set roles; + private final boolean isAdmin; - @Override - EnterpriseSecurityContext withMode( AccessMode mode ); - - Set roles(); - - EnterpriseSecurityContext AUTH_DISABLED = new AuthDisabled( AccessMode.Static.FULL ); - - /** Allows all operations. */ - final class AuthDisabled implements EnterpriseSecurityContext + public EnterpriseSecurityContext( AuthSubject subject, AccessMode mode, Set roles, boolean isAdmin ) { - private final AccessMode mode; - - private AuthDisabled( AccessMode mode ) - { - this.mode = mode; - } - - @Override - public EnterpriseSecurityContext freeze( Token token ) - { - return this; - } - - @Override - public EnterpriseSecurityContext withMode( AccessMode mode ) - { - return new EnterpriseSecurityContext.AuthDisabled( mode ); - } - - @Override - public Set roles() - { - return Collections.emptySet(); - } - - @Override - public AuthSubject subject() - { - return AuthSubject.AUTH_DISABLED; - } - - @Override - public AccessMode mode() - { - return mode; - } - - @Override - public String description() - { - return "AUTH_DISABLED with " + mode().name(); - } - - @Override - public String toString() - { - return defaultString( "enterprise-auth-disabled" ); - } - - @Override - public boolean isAdmin() - { - return true; - } + super( subject, mode ); + this.roles = roles; + this.isAdmin = isAdmin; } - final class Frozen implements EnterpriseSecurityContext + @Override + public boolean isAdmin() { - private final AuthSubject subject; - private final AccessMode mode; - private final Set roles; - private final boolean isAdmin; - - public Frozen( AuthSubject subject, AccessMode mode, Set roles, boolean isAdmin ) - { - this.subject = subject; - this.mode = mode; - this.roles = roles; - this.isAdmin = isAdmin; - } - - @Override - public boolean isAdmin() - { - return isAdmin; - } + return isAdmin; + } - @Override - public AccessMode mode() - { - return mode; - } + @Override + public EnterpriseSecurityContext authorize( Token token ) + { + return this; + } - @Override - public AuthSubject subject() - { - return subject; - } + @Override + public EnterpriseSecurityContext withMode( AccessMode mode ) + { + return new EnterpriseSecurityContext( subject, mode, roles, isAdmin ); + } - @Override - public EnterpriseSecurityContext freeze( Token token ) - { - return this; - } + /** + * Get the roles of the authenticated user. + */ + public Set roles() + { + return roles; + } - @Override - public EnterpriseSecurityContext withMode( AccessMode mode ) - { - return new EnterpriseSecurityContext.Frozen( subject, mode, roles, isAdmin ); - } + /** Allows all operations. */ + public static final EnterpriseSecurityContext AUTH_DISABLED = authDisabled( AccessMode.Static.FULL ); - @Override - public Set roles() - { - return roles; - } + private static EnterpriseSecurityContext authDisabled( AccessMode mode ) + { + return new EnterpriseSecurityContext( AuthSubject.AUTH_DISABLED, mode, Collections.emptySet(), true ) + { + + @Override + public EnterpriseSecurityContext withMode( AccessMode mode ) + { + return authDisabled( mode ); + } + + @Override + public String description() + { + return "AUTH_DISABLED with " + mode().name(); + } + + @Override + public String toString() + { + return defaultString( "enterprise-auth-disabled" ); + } + }; } } diff --git a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/StandardEnterpriseLoginContext.java b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/StandardEnterpriseLoginContext.java index 0204eeb8677d8..ffdb04ebddb43 100644 --- a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/StandardEnterpriseLoginContext.java +++ b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/StandardEnterpriseLoginContext.java @@ -36,7 +36,6 @@ import org.neo4j.internal.kernel.api.security.AuthenticationResult; import org.neo4j.kernel.enterprise.api.security.EnterpriseLoginContext; import org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext; -import org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext.Frozen; class StandardEnterpriseLoginContext implements EnterpriseLoginContext { @@ -82,10 +81,10 @@ private StandardAccessMode mode( Token token ) } @Override - public EnterpriseSecurityContext freeze( Token token ) + public EnterpriseSecurityContext authorize( Token token ) { StandardAccessMode mode = mode( token ); - return new Frozen( neoShiroSubject, mode, mode.roles, isAdmin() ); + return new EnterpriseSecurityContext( neoShiroSubject, mode, mode.roles, isAdmin() ); } @Override diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedBuiltInProceduresInteractionIT.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedBuiltInProceduresInteractionIT.java index 2f892ca0b66a4..9b13360d7ce49 100644 --- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedBuiltInProceduresInteractionIT.java +++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedBuiltInProceduresInteractionIT.java @@ -115,9 +115,9 @@ private EnterpriseLoginContext createFakeAnonymousEnterpriseLoginContext() return new EnterpriseLoginContext() { @Override - public EnterpriseSecurityContext freeze( Token token ) + public EnterpriseSecurityContext authorize( Token token ) { - return new EnterpriseSecurityContext.Frozen( subject(), inner.mode(), Collections.emptySet(), false ); + return new EnterpriseSecurityContext( subject(), inner.mode(), Collections.emptySet(), false ); } @Override @@ -126,7 +126,7 @@ public Set roles() return Collections.emptySet(); } - SecurityContext inner = AnonymousContext.none().freeze( mock( Token.class ) ); + SecurityContext inner = AnonymousContext.none().authorize( mock( Token.class ) ); @Override public AuthSubject subject() diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityContextDescriptionTest.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityContextDescriptionTest.java index 3fbf45d49e647..ca95c665f6087 100644 --- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityContextDescriptionTest.java +++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityContextDescriptionTest.java @@ -124,6 +124,6 @@ public void shouldMakeNiceDescriptionAuthDisabledAndRestricted() throws Throwabl private EnterpriseSecurityContext context() throws Exception { - return authManagerRule.getManager().login( authToken( "mats", "foo" ) ).freeze( token ); + return authManagerRule.getManager().login( authToken( "mats", "foo" ) ).authorize( token ); } } diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/InternalFlatFileRealmTest.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/InternalFlatFileRealmTest.java index 7c99a312514ff..c285110f9828f 100644 --- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/InternalFlatFileRealmTest.java +++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/InternalFlatFileRealmTest.java @@ -43,7 +43,6 @@ import org.neo4j.kernel.api.security.PasswordPolicy; import org.neo4j.kernel.api.security.exception.InvalidAuthTokenException; import org.neo4j.kernel.enterprise.api.security.EnterpriseLoginContext; -import org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext; import org.neo4j.kernel.impl.security.Credential; import org.neo4j.kernel.impl.security.User; import org.neo4j.scheduler.JobScheduler; @@ -128,11 +127,11 @@ public void shouldNotCacheAuthorizationInfo() throws InvalidAuthTokenException EnterpriseLoginContext mike = authManager.login( authToken( "mike", "123" ) ); assertThat( mike.subject().getAuthenticationResult(), equalTo( AuthenticationResult.SUCCESS ) ); - mike.freeze( token ).mode().allowsReads(); + mike.authorize( token ).mode().allowsReads(); assertThat( "Test realm did not receive a call", testRealm.takeAuthorizationFlag(), is( true ) ); // When - mike.freeze( token ).mode().allowsWrites(); + mike.authorize( token ).mode().allowsWrites(); // Then assertThat( "Test realm did not receive a call", testRealm.takeAuthorizationFlag(), is( true ) ); diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/LdapCachingTest.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/LdapCachingTest.java index cbc63110a3c08..6f363fcfbe684 100644 --- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/LdapCachingTest.java +++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/LdapCachingTest.java @@ -125,11 +125,11 @@ public void shouldCacheAuthorizationInfo() throws InvalidAuthTokenException { // Given EnterpriseLoginContext mike = authManager.login( authToken( "mike", "123" ) ); - mike.freeze( token ).mode().allowsReads(); + mike.authorize( token ).mode().allowsReads(); assertThat( "Test realm did not receive a call", testRealm.takeAuthorizationFlag(), is( true ) ); // When - mike.freeze( token ).mode().allowsWrites(); + mike.authorize( token ).mode().allowsWrites(); // Then assertThat( "Test realm received a call", testRealm.takeAuthorizationFlag(), is( false ) ); @@ -140,19 +140,19 @@ public void shouldInvalidateAuthorizationCacheAfterTTL() throws InvalidAuthToken { // Given EnterpriseLoginContext mike = authManager.login( authToken( "mike", "123" ) ); - mike.freeze( token ).mode().allowsReads(); + mike.authorize( token ).mode().allowsReads(); assertThat( "Test realm did not receive a call", testRealm.takeAuthorizationFlag(), is( true ) ); // When fakeTicker.advance( 99, TimeUnit.MILLISECONDS ); - mike.freeze( token ).mode().allowsWrites(); + mike.authorize( token ).mode().allowsWrites(); // Then assertThat( "Test realm received a call", testRealm.takeAuthorizationFlag(), is( false ) ); // When fakeTicker.advance( 2, TimeUnit.MILLISECONDS ); - mike.freeze( token ).mode().allowsWrites(); + mike.authorize( token ).mode().allowsWrites(); // Then assertThat( "Test realm did not received a call", testRealm.takeAuthorizationFlag(), is( true ) ); diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/MultiRealmAuthManagerTest.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/MultiRealmAuthManagerTest.java index 50cacf177f523..bc0610d34f892 100644 --- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/MultiRealmAuthManagerTest.java +++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/MultiRealmAuthManagerTest.java @@ -562,12 +562,12 @@ public void defaultUserShouldHaveCorrectPermissions() throws Throwable setMockAuthenticationStrategyResult( "neo4j", "neo4j", AuthenticationResult.SUCCESS ); // When - SecurityContext securityContext = manager.login( authToken( "neo4j", "neo4j" ) ).freeze( token ); + SecurityContext securityContext = manager.login( authToken( "neo4j", "neo4j" ) ).authorize( token ); userManager.setUserPassword( "neo4j", "1234", false ); securityContext.subject().logout(); setMockAuthenticationStrategyResult( "neo4j", "1234", AuthenticationResult.SUCCESS ); - securityContext = manager.login( authToken( "neo4j", "1234" ) ).freeze( token ); + securityContext = manager.login( authToken( "neo4j", "1234" ) ).authorize( token ); // Then assertTrue( securityContext.mode().allowsReads() ); @@ -583,7 +583,7 @@ public void userWithAdminRoleShouldHaveCorrectPermissions() throws Throwable manager.start(); // When - SecurityContext securityContext = manager.login( authToken( "morpheus", "abc123" ) ).freeze( token ); + SecurityContext securityContext = manager.login( authToken( "morpheus", "abc123" ) ).authorize( token ); // Then assertTrue( securityContext.mode().allowsReads() ); @@ -599,7 +599,7 @@ public void userWithArchitectRoleShouldHaveCorrectPermissions() throws Throwable manager.start(); // When - SecurityContext securityContext = manager.login( authToken( "trinity", "abc123" ) ).freeze( token ); + SecurityContext securityContext = manager.login( authToken( "trinity", "abc123" ) ).authorize( token ); // Then assertTrue( securityContext.mode().allowsReads() ); @@ -615,7 +615,7 @@ public void userWithPublisherRoleShouldHaveCorrectPermissions() throws Throwable manager.start(); // When - SecurityContext securityContext = manager.login( authToken( "tank", "abc123" ) ).freeze( token ); + SecurityContext securityContext = manager.login( authToken( "tank", "abc123" ) ).authorize( token ); // Then assertTrue( "should allow reads", securityContext.mode().allowsReads() ); @@ -631,7 +631,7 @@ public void userWithReaderRoleShouldHaveCorrectPermissions() throws Throwable manager.start(); // When - SecurityContext securityContext = manager.login( authToken( "neo", "abc123" ) ).freeze( token ); + SecurityContext securityContext = manager.login( authToken( "neo", "abc123" ) ).authorize( token ); // Then assertTrue( securityContext.mode().allowsReads() ); @@ -647,7 +647,7 @@ public void userWithNonPredefinedRoleShouldHaveNoPermissions() throws Throwable manager.start(); // When - SecurityContext securityContext = manager.login( authToken( "smith", "abc123" ) ).freeze( token ); + SecurityContext securityContext = manager.login( authToken( "smith", "abc123" ) ).authorize( token ); // Then assertFalse( securityContext.mode().allowsReads() ); @@ -664,14 +664,14 @@ public void shouldHaveNoPermissionsAfterLogout() throws Throwable // When LoginContext loginContext = manager.login( authToken( "morpheus", "abc123" ) ); - SecurityContext securityContext = loginContext.freeze( token ); + SecurityContext securityContext = loginContext.authorize( token ); assertTrue( securityContext.mode().allowsReads() ); assertTrue( securityContext.mode().allowsWrites() ); assertTrue( securityContext.mode().allowsSchemaWrites() ); loginContext.subject().logout(); - securityContext = loginContext.freeze( token ); + securityContext = loginContext.authorize( token ); // Then assertFalse( securityContext.mode().allowsReads() ); assertFalse( securityContext.mode().allowsWrites() ); diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/UserManagementProceduresLoggingTest.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/UserManagementProceduresLoggingTest.java index ad275392ecf57..e5b3b9eb459b4 100644 --- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/UserManagementProceduresLoggingTest.java +++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/UserManagementProceduresLoggingTest.java @@ -23,15 +23,13 @@ import org.junit.Test; import java.io.IOException; -import java.util.Set; +import java.util.Collections; import org.neo4j.function.ThrowingAction; import org.neo4j.graphdb.security.AuthorizationViolationException; -import org.neo4j.internal.kernel.api.Token; import org.neo4j.internal.kernel.api.security.AccessMode; import org.neo4j.internal.kernel.api.security.AuthSubject; import org.neo4j.internal.kernel.api.security.AuthenticationResult; -import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.api.exceptions.InvalidArgumentsException; import org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext; import org.neo4j.kernel.internal.GraphDatabaseAPI; @@ -68,8 +66,10 @@ public void setUp() throws Throwable authProcedures.securityLog = securityLog; generalUserManager = getUserManager(); - EnterpriseSecurityContext adminContext = new TestSecurityContext( "admin", true ); - matsContext = new TestSecurityContext( "mats", false ); + EnterpriseSecurityContext adminContext = + new EnterpriseSecurityContext( new MockAuthSubject( "admin" ), AccessMode.Static.FULL, Collections.emptySet(), true ); + matsContext = + new EnterpriseSecurityContext( new MockAuthSubject( "mats" ), AccessMode.Static.NONE, Collections.emptySet(), false ); setSubject( adminContext ); } @@ -645,81 +645,43 @@ private AssertableLogProvider.LogMatcher error( String message, String... argume return inLog( this.getClass() ).error( message, (Object[]) arguments ); } - private static class TestSecurityContext implements EnterpriseSecurityContext + private static class MockAuthSubject implements AuthSubject { private final String name; - private final boolean isAdmin; - TestSecurityContext( String name, boolean isAdmin ) + private MockAuthSubject( String name ) { this.name = name; - this.isAdmin = isAdmin; } @Override - public AccessMode mode() + public void logout() { throw new UnsupportedOperationException(); } - public boolean isAdmin() - { - return isAdmin; - } - @Override - public EnterpriseSecurityContext withMode( AccessMode mode ) + public AuthenticationResult getAuthenticationResult() { - throw new UnsupportedOperationException(); + return AuthenticationResult.SUCCESS; } @Override - public AuthSubject subject() + public void setPasswordChangeNoLongerRequired() { - return new AuthSubject() - { - @Override - public void logout() - { - throw new UnsupportedOperationException(); - } - - @Override - public AuthenticationResult getAuthenticationResult() - { - return AuthenticationResult.SUCCESS; - } - - @Override - public void setPasswordChangeNoLongerRequired() - { - } - - @Override - public boolean hasUsername( String username ) - { - return name.equals( username ); - } - - @Override - public String username() - { - return name; - } - }; } @Override - public SecurityContext freeze( Token token ) + public boolean hasUsername( String username ) { - return this; + return name.equals( username ); } @Override - public Set roles() - { - throw new UnsupportedOperationException(); - } + public String username() + { + return name; + } } private static class TestUserManagementProcedures extends UserManagementProcedures