Merge pull request #8595 from fickludd/3.1-ldap-aggro-cache-exception…

…-bug Fix erroneous LDAP authorization cache expiry in multi-provider setup
neo4j · Jan 11, 2017 · 2b1b5bf · 2b1b5bf
2 parents bc0d607 + b335dfc
commit 2b1b5bf
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 1 deletion.
diff --git a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/LdapRealm.java b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/LdapRealm.java
@@ -246,7 +246,7 @@ protected AuthorizationInfo queryForAuthorizationInfo( PrincipalCollection princ
     {
         if ( authorizationEnabled )
         {
-            String username = (String) getAvailablePrincipal( principals );
+            String username = getUsername( principals );
             if ( username == null )
             {
                 return null;
@@ -289,6 +289,21 @@ protected AuthorizationInfo queryForAuthorizationInfo( PrincipalCollection princ
         return null;
     }
 
+    private String getUsername( PrincipalCollection principals )
+    {
+        String username = null;
+        Collection ldapPrincipals = principals.fromRealm( getName() );
+        if ( !ldapPrincipals.isEmpty() )
+        {
+            username = (String) ldapPrincipals.iterator().next();
+        }
+        else if ( useSystemAccountForAuthorization )
+        {
+            username = (String) principals.getPrimaryPrincipal();
+        }
+        return username;
+    }
+
     private LdapContext getSystemLdapContextUsingStartTls( LdapContextFactory ldapContextFactory )
             throws NamingException
     {

diff --git a/.../src/test/java/org/neo4j/server/security/enterprise/auth/integration/bolt/LdapAuthIT.java b/.../src/test/java/org/neo4j/server/security/enterprise/auth/integration/bolt/LdapAuthIT.java
@@ -864,6 +864,7 @@ public void shouldBeAbleToLoginWithLdapWhenSelectingRealmFromClient() throws Thr
             settings.put( SecuritySettings.native_authorization_enabled, "true" );
             settings.put( SecuritySettings.ldap_authentication_enabled, "true" );
             settings.put( SecuritySettings.ldap_authorization_enabled, "true" );
+            settings.put( SecuritySettings.ldap_authorization_use_system_account, "true" );
         } );
 
         // Given
@@ -872,6 +873,7 @@ public void shouldBeAbleToLoginWithLdapWhenSelectingRealmFromClient() throws Thr
 
         // Then
         // the created "tank" can log in and gets roles from both providers
+        // because the system account is used to authorize over the ldap provider
         reconnect();
         assertAuth( "tank", createdUserPassword, "native" );
         assertRoles( PredefinedRoles.READER, PredefinedRoles.PUBLISHER );
@@ -882,6 +884,32 @@ public void shouldBeAbleToLoginWithLdapWhenSelectingRealmFromClient() throws Thr
         assertRoles( PredefinedRoles.READER, PredefinedRoles.PUBLISHER );
     }
 
+    @Test
+    public void shouldBeAbleToAuthorizeUsingNativeWithLdapEnabled() throws Throwable
+    {
+        restartNeo4jServerWithOverriddenSettings( settings ->
+        {
+            settings.put( SecuritySettings.auth_providers,
+                    SecuritySettings.LDAP_REALM_NAME + "," + SecuritySettings.NATIVE_REALM_NAME );
+            settings.put( SecuritySettings.native_authentication_enabled, "true" );
+            settings.put( SecuritySettings.native_authorization_enabled, "true" );
+            settings.put( SecuritySettings.ldap_authentication_enabled, "true" );
+            settings.put( SecuritySettings.ldap_authorization_enabled, "true" );
+            settings.put( SecuritySettings.ldap_authorization_use_system_account, "false" );
+        } );
+
+        // Given
+        // we have a native 'simon' that is read only
+        testCreateReaderUser( "simon" );
+
+        // When
+        reconnect();
+        assertAuth( "simon", createdUserPassword, "native" );
+
+        // Then
+        assertReadSucceeds();
+    }
+
     @Test
     public void shouldClearAuthenticationCache() throws Throwable
     {