From 4728b573331c0f40983dfb0af5c231da672f8c22 Mon Sep 17 00:00:00 2001 From: Henrik Nyman Date: Wed, 7 Sep 2016 14:49:25 +0200 Subject: [PATCH] Fix using enterprise built-in procedures over REST --- .../org/neo4j/server/CommunityNeoServer.java | 7 ++- .../server/modules/AuthorizationModule.java | 7 ++- .../dbms/AuthorizationDisabledFilter.java | 9 +++- .../enterprise/EnterpriseNeoServer.java | 9 ++++ .../EnterpriseAuthorizationModule.java | 48 +++++++++++++++++++ ...EnterpriseAuthorizationDisabledFilter.java | 32 +++++++++++++ .../EnterpriseAuthenticationDocIT.java | 30 ++++++++++++ 7 files changed, 139 insertions(+), 3 deletions(-) create mode 100644 enterprise/server-enterprise/src/main/java/org/neo4j/server/enterprise/modules/EnterpriseAuthorizationModule.java create mode 100644 enterprise/server-enterprise/src/main/java/org/neo4j/server/rest/dbms/EnterpriseAuthorizationDisabledFilter.java diff --git a/community/server/src/main/java/org/neo4j/server/CommunityNeoServer.java b/community/server/src/main/java/org/neo4j/server/CommunityNeoServer.java index a7a2518fda62c..9506cebc0c1ad 100644 --- a/community/server/src/main/java/org/neo4j/server/CommunityNeoServer.java +++ b/community/server/src/main/java/org/neo4j/server/CommunityNeoServer.java @@ -79,7 +79,7 @@ protected Iterable createServerModules() new ThirdPartyJAXRSModule( webServer, getConfig(), logProvider, this ), new ConsoleModule( webServer, getConfig() ), new Neo4jBrowserModule( webServer ), - new AuthorizationModule( webServer, authManagerSupplier, logProvider, getConfig(), getUriWhitelist() ), + createAuthorizationModule(), new SecurityRulesModule( webServer, getConfig(), logProvider ) ); } @@ -98,4 +98,9 @@ public Iterable getServices() return toReturn; } + + protected AuthorizationModule createAuthorizationModule() + { + return new AuthorizationModule( webServer, authManagerSupplier, logProvider, getConfig(), getUriWhitelist() ); + } } 
diff --git a/community/server/src/main/java/org/neo4j/server/modules/AuthorizationModule.java b/community/server/src/main/java/org/neo4j/server/modules/AuthorizationModule.java index 26f88a2779125..b9ad77d322f5f 100644 --- a/community/server/src/main/java/org/neo4j/server/modules/AuthorizationModule.java +++ b/community/server/src/main/java/org/neo4j/server/modules/AuthorizationModule.java @@ -60,7 +60,7 @@ public void start() } else { - authorizationFilter = new AuthorizationDisabledFilter(); + authorizationFilter = createAuthorizationDisabledFilter(); } webServer.addFilter( authorizationFilter, "/*" ); @@ -70,4 +70,9 @@ public void start() public void stop() { } + + protected AuthorizationDisabledFilter createAuthorizationDisabledFilter() + { + return new AuthorizationDisabledFilter(); + } } diff --git a/community/server/src/main/java/org/neo4j/server/rest/dbms/AuthorizationDisabledFilter.java b/community/server/src/main/java/org/neo4j/server/rest/dbms/AuthorizationDisabledFilter.java index 12ec83dbd4446..2b0bf19f21484 100644 --- a/community/server/src/main/java/org/neo4j/server/rest/dbms/AuthorizationDisabledFilter.java +++ b/community/server/src/main/java/org/neo4j/server/rest/dbms/AuthorizationDisabledFilter.java @@ -29,6 +29,7 @@ import org.neo4j.graphdb.security.AuthorizationViolationException; import org.neo4j.kernel.api.security.AccessMode; +import org.neo4j.kernel.api.security.AuthSubject; import static javax.servlet.http.HttpServletRequest.BASIC_AUTH; 
@@ -45,11 +46,17 @@ public void doFilter( ServletRequest servletRequest, ServletResponse servletResp try { - filterChain.doFilter( new AuthorizedRequestWrapper( BASIC_AUTH, "neo4j", request, AccessMode.Static.FULL ), servletResponse ); + filterChain.doFilter( new AuthorizedRequestWrapper( BASIC_AUTH, "neo4j", request, + getAuthDisabledAccessMode() ), servletResponse ); } catch ( AuthorizationViolationException e ) { unauthorizedAccess( e.getMessage() ).accept( response ); } } + + protected AccessMode getAuthDisabledAccessMode() + { + return AuthSubject.AUTH_DISABLED; + } } diff --git a/enterprise/server-enterprise/src/main/java/org/neo4j/server/enterprise/EnterpriseNeoServer.java b/enterprise/server-enterprise/src/main/java/org/neo4j/server/enterprise/EnterpriseNeoServer.java index f407326a7e299..19979254fe242 100644 --- a/enterprise/server-enterprise/src/main/java/org/neo4j/server/enterprise/EnterpriseNeoServer.java +++ b/enterprise/server-enterprise/src/main/java/org/neo4j/server/enterprise/EnterpriseNeoServer.java @@ -43,7 +43,9 @@ import org.neo4j.server.CommunityNeoServer; import org.neo4j.server.database.Database; import org.neo4j.server.database.LifecycleManagingDatabase.GraphFactory; +import org.neo4j.server.enterprise.modules.EnterpriseAuthorizationModule; import org.neo4j.server.enterprise.modules.JMXManagementModule; +import org.neo4j.server.modules.AuthorizationModule; import org.neo4j.server.modules.ServerModule; import org.neo4j.server.rest.DatabaseRoleInfoServerModule; import org.neo4j.server.rest.MasterInfoService; @@ -157,6 +159,13 @@ public int idleThreads() return webServer; } + @Override + protected AuthorizationModule createAuthorizationModule() + { + return new EnterpriseAuthorizationModule( webServer, authManagerSupplier, logProvider, getConfig(), + getUriWhitelist() ); + } + @SuppressWarnings( "unchecked" ) @Override protected Iterable createServerModules() 
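Review bot: The new `getAuthDisabledAccessMode()` hook in AuthorizationDisabledFilter decides the access mode attached to every request while auth is off, yet it is `protected`, overridable and undocumented. I would add a Javadoc such as `/** Access mode given to every request while auth is disabled; overrides must return a fixed auth-disabled subject. */` so a later subclass does not treat it as a general extension point. The wrapper also still hard-codes the principal `"neo4j"` while the mode changes from `AccessMode.Static.FULL` to `AuthSubject.AUTH_DISABLED`; if that subject reports its own name, logs could show two identities for one request, which is worth confirming. The community default changes here as well, and no community-side test is visible in this patch.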
diff --git a/enterprise/server-enterprise/src/main/java/org/neo4j/server/enterprise/modules/EnterpriseAuthorizationModule.java b/enterprise/server-enterprise/src/main/java/org/neo4j/server/enterprise/modules/EnterpriseAuthorizationModule.java
new file mode 100644
index 0000000000000..b10434fa1683f
--- /dev/null
+++ b/enterprise/server-enterprise/src/main/java/org/neo4j/server/enterprise/modules/EnterpriseAuthorizationModule.java
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 2002-2016 "Neo Technology,"
+ * Network Engine for Objects in Lund AB [http://neotechnology.com]
+ *
+ * This file is part of Neo4j.
+ *
+ * Neo4j is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+package org.neo4j.server.enterprise.modules;
+
+import java.util.function.Supplier;
+import java.util.regex.Pattern;
+
+import org.neo4j.kernel.api.security.AuthManager;
+import org.neo4j.kernel.configuration.Config;
+import org.neo4j.logging.LogProvider;
+import org.neo4j.server.modules.AuthorizationModule;
+import org.neo4j.server.rest.dbms.AuthorizationDisabledFilter;
+import org.neo4j.server.rest.dbms.EnterpriseAuthorizationDisabledFilter;
+import org.neo4j.server.web.WebServer;
+
+public class EnterpriseAuthorizationModule extends AuthorizationModule
+{
+ public EnterpriseAuthorizationModule( WebServer webServer,
+ Supplier authManager,
+ LogProvider logProvider, Config config,
+ Pattern[] uriWhitelist )
+ {
+ super( webServer, authManager, logProvider, config, uriWhitelist );
+ }
+
+ @Override
+ protected AuthorizationDisabledFilter createAuthorizationDisabledFilter()
+ {
+ return new EnterpriseAuthorizationDisabledFilter();
+ }
+}
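Review bot: EnterpriseAuthorizationModule has no class-level Javadoc, so a reader has to open two other files to learn that it differs from AuthorizationModule only in the filter installed when auth is disabled. I would add `/** Enterprise variant of {@link AuthorizationModule}; when auth is disabled it installs {@link EnterpriseAuthorizationDisabledFilter} so requests carry the enterprise auth-disabled subject. */` above the class. The same gap applies to EnterpriseAuthorizationDisabledFilter in the next new file, where the comment should state that its access mode is given to every request without credentials.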
diff --git a/enterprise/server-enterprise/src/main/java/org/neo4j/server/rest/dbms/EnterpriseAuthorizationDisabledFilter.java b/enterprise/server-enterprise/src/main/java/org/neo4j/server/rest/dbms/EnterpriseAuthorizationDisabledFilter.java
new file mode 100644
index 0000000000000..affbb070a7103
--- /dev/null
+++ b/enterprise/server-enterprise/src/main/java/org/neo4j/server/rest/dbms/EnterpriseAuthorizationDisabledFilter.java
@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2002-2016 "Neo Technology,"
+ * Network Engine for Objects in Lund AB [http://neotechnology.com]
+ *
+ * This file is part of Neo4j.
+ *
+ * Neo4j is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+package org.neo4j.server.rest.dbms;
+
+import org.neo4j.kernel.api.security.AccessMode;
+import org.neo4j.kernel.enterprise.api.security.EnterpriseAuthSubject;
+
+public class EnterpriseAuthorizationDisabledFilter extends AuthorizationDisabledFilter
+{
+ @Override
+ protected AccessMode getAuthDisabledAccessMode()
+ {
+ return EnterpriseAuthSubject.AUTH_DISABLED;
+ }
+}
diff --git a/enterprise/server-enterprise/src/test/java/org/neo4j/server/rest/security/EnterpriseAuthenticationDocIT.java b/enterprise/server-enterprise/src/test/java/org/neo4j/server/rest/security/EnterpriseAuthenticationDocIT.java
index 5cb951c4b2ebf..111bfd25d19df 100644
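Review bot: EnterpriseAuthorizationDisabledFilter is declared in `package org.neo4j.server.rest.dbms;`, the same package as the community AuthorizationDisabledFilter, although it ships from the enterprise module. Because the override only needs the `protected` hook, the class could live under an enterprise package alongside EnterpriseAuthorizationModule (`org.neo4j.server.enterprise.…`). Sharing the package gives enterprise code access to package-private members of the community security filters, which is wider than this change requires. If split packages are the established convention for this module, a short comment saying so would be enough.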
--- a/enterprise/server-enterprise/src/test/java/org/neo4j/server/rest/security/EnterpriseAuthenticationDocIT.java +++ b/enterprise/server-enterprise/src/test/java/org/neo4j/server/rest/security/EnterpriseAuthenticationDocIT.java @@ -73,4 +73,34 @@ public void shouldHavePredefinedRoles() throws Exception hasItems( "admin", "architect", "publisher", "reader") ); } + + @Test + public void shouldAllowExecutingEnterpriseBuiltInProceduresWithAuthDisabled() throws Exception + { + // Given + startServerWithAuthDisabled(); + + // When + String method = "POST"; + String path = "db/data/transaction/commit"; + HTTP.RawPayload payload = HTTP.RawPayload.quotedJson( + "{'statements':[{'statement':'CALL dbms.listQueries()'}]}" ); + HTTP.Response response = HTTP.request( method, server.baseUri().resolve( path ).toString(), payload ); + + // Then + assertThat(response.status(), equalTo(200)); + ArrayNode errors = (ArrayNode) response.get("errors"); + assertThat( "Should have no errors", errors.size(), equalTo( 0 ) ); + ArrayNode results = (ArrayNode) response.get("results"); + ArrayNode data = (ArrayNode) results.get(0).get("data"); + assertThat( "Should see our own query", data.size(), equalTo( 1 ) ); + } + + private void startServerWithAuthDisabled() throws IOException + { + server = EnterpriseServerBuilder.server() + .withProperty( GraphDatabaseSettings.auth_enabled.name(), Boolean.toString( false ) ) + .build(); + server.start(); + } }
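Review bot: The new test in EnterpriseAuthenticationDocIT only pins the permissive path, an unauthenticated POST running `CALL dbms.listQueries()` with `auth_enabled` set to false, and nothing in this hunk pins the opposite case. Since the patch changes which filter and subject get installed, a companion test with auth enabled should assert that the same request without credentials is rejected, unless an inherited test already covers it. The assertion that `data.size()` is exactly 1 may also be brittle if any other query is running on the server. The class body begins outside the hunk.

```java
@Test
public void shouldRejectEnterpriseBuiltInProceduresWithoutCredentialsWhenAuthEnabled() throws Exception
{
    // Given
    server = EnterpriseServerBuilder.server()
            .withProperty( GraphDatabaseSettings.auth_enabled.name(), Boolean.toString( true ) )
            .build();
    server.start();

    // When
    HTTP.RawPayload payload = HTTP.RawPayload.quotedJson(
            "{'statements':[{'statement':'CALL dbms.listQueries()'}]}" );
    HTTP.Response response = HTTP.request( "POST",
            server.baseUri().resolve( "db/data/transaction/commit" ).toString(), payload );

    // Then
    assertThat( response.status(), equalTo( 401 ) );
}
```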