Added procedure to add user to role

enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/AuthProcedures.java

@@ -49,4 +49,16 @@ public void createUser( @Name( "username" ) String username, @Name( "password" )
         }
         shiroSubject.getUserManager().newUser( username, password, requirePasswordChange );
     }
+
+    @PerformsDBMS
+    @Procedure( "dbms.addUserToRole" )
+    public void addUserToRole( @Name( "username" ) String username, @Name( "role" ) String role ) throws IOException
+    {
+        ShiroAuthSubject shiroSubject = ShiroAuthSubject.castOrFail( authSubject );
+        if ( !shiroSubject.isAdmin() )
+        {
+            throw new AuthorizationViolationException( PERMISSION_DENIED );
+        }
+        shiroSubject.getRoleManager().addUserToRole( username, role );
+    }
 }

enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/AuthProceduresTest.java

@@ -31,7 +31,6 @@
 import org.neo4j.graphdb.Result;
 import org.neo4j.graphdb.Transaction;
 import org.neo4j.graphdb.security.AuthorizationViolationException;
-import org.neo4j.helpers.collection.Iterators;
 import org.neo4j.kernel.api.KernelTransaction;
 import org.neo4j.kernel.api.exceptions.KernelException;
 import org.neo4j.kernel.api.security.AuthSubject;
@@ -127,6 +126,56 @@ public void shouldAllowUserChangePassword() throws Exception
         assertEquals( AuthenticationResult.SUCCESS, subject.getAuthenticationResult() );
     }
 
+    @Test
+    public void shouldAllowAddingUserToGroup() throws Exception
+    {
+        assertFalse( "Should not have role publisher",
+                ShiroAuthSubject.castOrFail( readSubject ).getSubject().hasRole( "publisher" ) );
+        testCallEmpty( db, adminSubject, "CALL dbms.addUserToRole('reader', 'publisher')", null );
+        assertTrue( "Should have role publisher",
+                ShiroAuthSubject.castOrFail( readSubject ).getSubject().hasRole( "publisher" ) );
+    }
+
+    @Test
+    public void shouldAllowAddingUserToGroupMultipleTimes() throws Exception
+    {
+        assertFalse( "Should not have role publisher",
+                ShiroAuthSubject.castOrFail( readSubject ).getSubject().hasRole( "publisher" ) );
+        testCallEmpty( db, adminSubject, "CALL dbms.addUserToRole('reader', 'publisher')", null );
+        testCallEmpty( db, adminSubject, "CALL dbms.addUserToRole('reader', 'publisher')", null );
+        assertTrue( "Should have role publisher",
+                ShiroAuthSubject.castOrFail( readSubject ).getSubject().hasRole( "publisher" ) );
+    }
+
+    @Test
+    public void shouldAllowAddingUserToMultipleGroups() throws Exception
+    {
+        assertFalse( "Should not have role publisher",
+                ShiroAuthSubject.castOrFail( readSubject ).getSubject().hasRole( "publisher" ) );
+        assertFalse( "Should not have role architect",
+                ShiroAuthSubject.castOrFail( readSubject ).getSubject().hasRole( "architect" ) );
+        testCallEmpty( db, adminSubject, "CALL dbms.addUserToRole('reader', 'publisher')", null );
+        testCallEmpty( db, adminSubject, "CALL dbms.addUserToRole('reader', 'architect')", null );
+        assertTrue( "Should have role publisher",
+                ShiroAuthSubject.castOrFail( readSubject ).getSubject().hasRole( "publisher" ) );
+        assertTrue( "Should have role architect",
+                ShiroAuthSubject.castOrFail( readSubject ).getSubject().hasRole( "architect" ) );
+    }
+
+    @Test
+    public void shouldNotAllowNonAdminAddingUserToGroup() throws Exception
+    {
+        try
+        {
+            testCallEmpty( db, readSubject, "CALL dbms.addUserToRole('reader', 'admin')", null );
+        }
+        catch ( QueryExecutionException e )
+        {
+            assertTrue( "Exception should contain '" + AuthProcedures.PERMISSION_DENIED + "'",
+                    e.getMessage().contains( AuthProcedures.PERMISSION_DENIED ) );
+        }
+    }
+
     //----------User creation scenarios-----------
 
     /*