diff --git a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/InternalFlatFileRealm.java b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/InternalFlatFileRealm.java index 456ed270a653f..18cb044743827 100644 --- a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/InternalFlatFileRealm.java +++ b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/InternalFlatFileRealm.java @@ -430,10 +430,20 @@ public User assertAndGetUser( String username ) throws IllegalArgumentException return u; } + public User assertCredentialsAndGetUser( String username ) throws IllegalCredentialsException + { + User u = getUser( username ); + if ( u == null ) + { + throw new IllegalCredentialsException( "User " + username + " does not exist." ); + } + return u; + } + @Override public void setUserPassword( String username, String password ) throws IOException, IllegalCredentialsException { - User existingUser = assertAndGetUser( username ); + User existingUser = assertCredentialsAndGetUser( username ); passwordPolicy.validatePassword( password ); diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/AuthProceduresTestLogic.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/AuthProceduresTestLogic.java index 252cddf4bc3b3..16972c31fd9c3 100644 --- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/AuthProceduresTestLogic.java +++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/AuthProceduresTestLogic.java @@ -54,7 +54,7 @@ public abstract class AuthProceduresTestLogic extends AuthTestBase @Test public void shouldChangeOwnPassword() throws Throwable { - assertCallSuccess( readSubject, "CALL dbms.changePassword( '321' )" ); + assertEmpty( readSubject, "CALL dbms.changePassword( '321' )" ); assertEquals( SUCCESS, neo.authenticationResult( readSubject ) ); neo.updateAuthToken( readSubject, "readSubject", "321" ); // Because RESTSubject caches an auth token that is sent with every request testSuccessfulRead( readSubject, 3 ); @@ -64,15 +64,15 @@ public void shouldChangeOwnPassword() throws Throwable public void shouldChangeOwnPasswordEvenIfHasNoAuthorization() throws Throwable { testAuthenticated( noneSubject ); - assertCallSuccess( noneSubject, "CALL dbms.changePassword( '321' )" ); + assertEmpty( noneSubject, "CALL dbms.changePassword( '321' )" ); assertEquals( SUCCESS, neo.authenticationResult( noneSubject ) ); } @Test public void shouldNotChangeOwnPasswordIfNewPasswordInvalid() throws Exception { - assertCallFail( readSubject, "CALL dbms.changePassword( '' )", "Password cannot be empty" ); - assertCallFail( readSubject, "CALL dbms.changePassword( '123' )", "Old password and new password cannot be the same" ); + assertFail( readSubject, "CALL dbms.changePassword( '' )", "Password cannot be empty" ); + assertFail( readSubject, "CALL dbms.changePassword( '123' )", "Old password and new password cannot be the same" ); } //---------- list running transactions ----------- @@ -80,17 +80,17 @@ public void shouldNotChangeOwnPasswordIfNewPasswordInvalid() throws Exception @Test public void shouldListSelfTransaction() { - assertCallSuccess( adminSubject, "CALL dbms.listTransactions()", + assertSuccess( adminSubject, "CALL dbms.listTransactions()", r -> assertKeyIsMap( r, "username", "transaction", map( "adminSubject", "KernelTransaction[1]" ) ) ); } @Test public void shouldNotListTransactionsIfNotAdmin() { - assertCallFail( noneSubject, "CALL dbms.listTransactions()", PERMISSION_DENIED ); - assertCallFail( readSubject, "CALL dbms.listTransactions()", PERMISSION_DENIED ); - assertCallFail( writeSubject, "CALL dbms.listTransactions()", PERMISSION_DENIED ); - assertCallFail( schemaSubject, "CALL dbms.listTransactions()", PERMISSION_DENIED ); + assertFail( noneSubject, "CALL dbms.listTransactions()", PERMISSION_DENIED ); + assertFail( readSubject, "CALL dbms.listTransactions()", PERMISSION_DENIED ); + assertFail( writeSubject, "CALL dbms.listTransactions()", PERMISSION_DENIED ); + assertFail( schemaSubject, "CALL dbms.listTransactions()", PERMISSION_DENIED ); } @Test @@ -101,7 +101,7 @@ public void shouldListTransactions() throws InterruptedException, ExecutionExcep read.execute( threading, readSubject ); read.barrier.await(); - assertCallSuccess( adminSubject, "CALL dbms.listTransactions()", + assertSuccess( adminSubject, "CALL dbms.listTransactions()", r -> assertKeyIsMap( r, "username", "transaction", map( "adminSubject", "KernelTransaction[0]", "readSubject", "KernelTransaction[1]" ) ) ); @@ -118,15 +118,15 @@ public void shouldTerminateTransaction() throws InterruptedException, ExecutionE read.execute( threading, writeSubject ); read.barrier.await(); - assertCallSuccess( adminSubject, "CALL dbms.terminateTransactionsForUser( 'writeSubject' )", + assertSuccess( adminSubject, "CALL dbms.terminateTransactionsForUser( 'writeSubject' )", r -> assertKeyIs( r, "username", "writeSubject" ) ); - assertCallSuccess( adminSubject, "CALL dbms.listTransactions()", + assertSuccess( adminSubject, "CALL dbms.listTransactions()", r -> assertKeyIs( r, "username", "adminSubject" ) ); read.close(); - assertCallSuccess( adminSubject, "MATCH (n:Test) RETURN n.name AS name" ); + assertEmpty( adminSubject, "MATCH (n:Test) RETURN n.name AS name" ); } @Test @@ -141,21 +141,21 @@ public void shouldTerminateOnlyGivenUsersTransaction() throws InterruptedExcepti schema.barrier.await(); write.barrier.await(); - assertCallSuccess( adminSubject, "CALL dbms.terminateTransactionsForUser( 'schemaSubject' )", + assertSuccess( adminSubject, "CALL dbms.terminateTransactionsForUser( 'schemaSubject' )", r -> assertKeyIs( r, "username", "schemaSubject" ) ); - assertCallSuccess( adminSubject, "CALL dbms.listTransactions()", + assertSuccess( adminSubject, "CALL dbms.listTransactions()", r -> assertKeyIs( r, "username", "adminSubject", "writeSubject" ) ); schema.close(); write.close(); - assertCallSuccess( adminSubject, "MATCH (n:Test) RETURN n.name AS name", + assertSuccess( adminSubject, "MATCH (n:Test) RETURN n.name AS name", r -> assertKeyIs( r, "name", "writeSubject-node" ) ); } @Test - public void shouldTerminateAllGivenUsersTransaction() throws InterruptedException, ExecutionException + public void shouldTerminateAllTransactionsForGivenUser() throws InterruptedException, ExecutionException { ThreadedTransactionCreate schema1 = new ThreadedTransactionCreate<>( neo ); ThreadedTransactionCreate schema2 = new ThreadedTransactionCreate<>( neo ); @@ -166,24 +166,24 @@ public void shouldTerminateAllGivenUsersTransaction() throws InterruptedExceptio schema1.barrier.await(); schema2.barrier.await(); - assertCallSuccess( adminSubject, "CALL dbms.terminateTransactionsForUser( 'schemaSubject' )", + assertSuccess( adminSubject, "CALL dbms.terminateTransactionsForUser( 'schemaSubject' )", r -> assertKeyIs( r, "username", "schemaSubject", "schemaSubject" ) ); - assertCallSuccess( adminSubject, "CALL dbms.listTransactions()", + assertSuccess( adminSubject, "CALL dbms.listTransactions()", r -> assertKeyIs( r, "username", "adminSubject" ) ); schema1.close(); schema2.close(); - assertCallSuccess( adminSubject, "MATCH (n:Test) RETURN n.name AS name" ); + assertEmpty( adminSubject, "MATCH (n:Test) RETURN n.name AS name" ); } @Test public void shouldNotTerminateTransactionsIfNonExistentUser() throws InterruptedException, ExecutionException { - assertCallFail( adminSubject, "CALL dbms.terminateTransactionsForUser( 'Petra' )", + assertFail( adminSubject, "CALL dbms.terminateTransactionsForUser( 'Petra' )", "User Petra does not exist" ); - assertCallFail( adminSubject, "CALL dbms.terminateTransactionsForUser( '' )", + assertFail( adminSubject, "CALL dbms.terminateTransactionsForUser( '' )", "User does not exist" ); } @@ -194,17 +194,17 @@ public void shouldNotTerminateTransactionsIfNotAdmin() throws InterruptedExcepti write.execute( threading, writeSubject ); write.barrier.await(); - assertCallFail( noneSubject, "CALL dbms.terminateTransactionsForUser( 'writeSubject' )", PERMISSION_DENIED ); - assertCallFail( pwdSubject, "CALL dbms.terminateTransactionsForUser( 'writeSubject' )", CHANGE_PWD_ERR_MSG ); - assertCallFail( readSubject, "CALL dbms.terminateTransactionsForUser( 'writeSubject' )", PERMISSION_DENIED ); - assertCallFail( schemaSubject, "CALL dbms.terminateTransactionsForUser( 'writeSubject' )", PERMISSION_DENIED ); + assertFail( noneSubject, "CALL dbms.terminateTransactionsForUser( 'writeSubject' )", PERMISSION_DENIED ); + assertFail( pwdSubject, "CALL dbms.terminateTransactionsForUser( 'writeSubject' )", CHANGE_PWD_ERR_MSG ); + assertFail( readSubject, "CALL dbms.terminateTransactionsForUser( 'writeSubject' )", PERMISSION_DENIED ); + assertFail( schemaSubject, "CALL dbms.terminateTransactionsForUser( 'writeSubject' )", PERMISSION_DENIED ); - assertCallSuccess( adminSubject, "CALL dbms.listTransactions()", + assertSuccess( adminSubject, "CALL dbms.listTransactions()", r -> assertKeyIs( r, "username", "adminSubject", "writeSubject" ) ); write.close(); - assertCallSuccess( adminSubject, "MATCH (n:Test) RETURN n.name AS name", + assertSuccess( adminSubject, "MATCH (n:Test) RETURN n.name AS name", r -> assertKeyIs( r, "name", "writeSubject-node" ) ); } @@ -214,7 +214,7 @@ public void shouldNotTerminateTransactionsIfNotAdmin() throws InterruptedExcepti @Test public void shouldChangeUserPassword() throws Throwable { - assertCallSuccess( adminSubject, "CALL dbms.changeUserPassword( 'readSubject', '321' )" ); + assertEmpty( adminSubject, "CALL dbms.changeUserPassword( 'readSubject', '321' )" ); // TODO: uncomment and fix // testUnAuthenticated( readSubject ); @@ -227,21 +227,21 @@ public void shouldChangeUserPassword() throws Throwable @Test public void shouldNotChangeUserPasswordIfNotAdmin() throws Exception { - assertCallFail( schemaSubject, "CALL dbms.changeUserPassword( 'readSubject', '321' )", PERMISSION_DENIED ); - assertCallFail( schemaSubject, "CALL dbms.changeUserPassword( 'jake', '321' )", PERMISSION_DENIED ); - assertCallFail( schemaSubject, "CALL dbms.changeUserPassword( 'readSubject', '' )", PERMISSION_DENIED ); + assertFail( schemaSubject, "CALL dbms.changeUserPassword( 'readSubject', '321' )", PERMISSION_DENIED ); + assertFail( schemaSubject, "CALL dbms.changeUserPassword( 'jake', '321' )", PERMISSION_DENIED ); + assertFail( schemaSubject, "CALL dbms.changeUserPassword( 'readSubject', '' )", PERMISSION_DENIED ); } // Should change own password for non-admin or admin subject @Test public void shouldChangeUserPasswordIfSameUser() throws Throwable { - assertCallSuccess( readSubject, "CALL dbms.changeUserPassword( 'readSubject', '321' )" ); + assertEmpty( readSubject, "CALL dbms.changeUserPassword( 'readSubject', '321' )" ); assertEquals( SUCCESS, neo.authenticationResult( readSubject ) ); neo.updateAuthToken( readSubject, "readSubject", "321" ); // Because RESTSubject caches an auth token that is sent with every request testSuccessfulRead( readSubject, 3 ); - assertCallSuccess( adminSubject, "CALL dbms.changeUserPassword( 'adminSubject', 'cba' )" ); + assertEmpty( adminSubject, "CALL dbms.changeUserPassword( 'adminSubject', 'cba' )" ); assertEquals( SUCCESS, neo.authenticationResult( adminSubject ) ); neo.updateAuthToken( adminSubject, "adminSubject", "cba" ); // Because RESTSubject caches an auth token that is sent with every request testSuccessfulRead( adminSubject, 3 ); @@ -251,32 +251,32 @@ public void shouldChangeUserPasswordIfSameUser() throws Throwable @Test public void shouldFailToChangeUserPasswordIfSameUserButInvalidPassword() throws Exception { - assertCallFail( readSubject, "CALL dbms.changeUserPassword( 'readSubject', '123' )", + assertFail( readSubject, "CALL dbms.changeUserPassword( 'readSubject', '123' )", "Old password and new password cannot be the same" ); - assertCallFail( adminSubject, "CALL dbms.changeUserPassword( 'adminSubject', 'abc' )", + assertFail( adminSubject, "CALL dbms.changeUserPassword( 'adminSubject', 'abc' )", "Old password and new password cannot be the same" ); } // Should fail nicely to change password for admin subject and non-existing user @Test - public void shouldNotChangeUserPasswordIfNonExistingUser() throws Exception + public void shouldNotChangeUserPasswordIfNonExistentUser() throws Exception { - assertCallFail( adminSubject, "CALL dbms.changeUserPassword( 'jake', '321' )", "User jake does not exist" ); + assertFail( adminSubject, "CALL dbms.changeUserPassword( 'jake', '321' )", "User jake does not exist" ); } // Should fail nicely to change password for admin subject and empty password @Test public void shouldNotChangeUserPasswordIfEmptyPassword() throws Exception { - assertCallFail( adminSubject, "CALL dbms.changeUserPassword( 'readSubject', '' )", "Password cannot be empty" ); + assertFail( adminSubject, "CALL dbms.changeUserPassword( 'readSubject', '' )", "Password cannot be empty" ); } // Should fail to change password for admin subject and same password @Test public void shouldNotChangeUserPasswordIfSamePassword() throws Exception { - assertCallFail( adminSubject, "CALL dbms.changeUserPassword( 'readSubject', '123' )", + assertFail( adminSubject, "CALL dbms.changeUserPassword( 'readSubject', '123' )", "Old password and new password cannot be the same" ); } @@ -285,7 +285,7 @@ public void shouldNotChangeUserPasswordIfSamePassword() throws Exception @Test public void shouldCreateUser() throws Exception { - assertCallSuccess( adminSubject, "CALL dbms.createUser('craig', '1234', true)" ); + assertEmpty( adminSubject, "CALL dbms.createUser('craig', '1234', true)" ); assertNotNull( "User craig should exist", userManager.getUser( "craig" ) ); } @@ -294,23 +294,23 @@ public void shouldCreateUser() throws Exception @Test public void shouldNotCreateUserIfInvalidUsername() throws Exception { - assertCallFail( adminSubject, "CALL dbms.createUser('', '1234', true)", "Username cannot be empty" ); - assertCallFail( adminSubject, "CALL dbms.createUser('&%ss!', '1234', true)", "Username cannot be empty" ); - assertCallFail( adminSubject, "CALL dbms.createUser('&%ss!', '', true)", "Username cannot be empty" ); + assertFail( adminSubject, "CALL dbms.createUser('', '1234', true)", "Username cannot be empty" ); + assertFail( adminSubject, "CALL dbms.createUser('&%ss!', '1234', true)", "Username cannot be empty" ); + assertFail( adminSubject, "CALL dbms.createUser('&%ss!', '', true)", "Username cannot be empty" ); } @Test public void shouldNotCreateUserIfInvalidPassword() throws Exception { - assertCallFail( adminSubject, "CALL dbms.createUser('craig', '', true)", "Password cannot be empty" ); + assertFail( adminSubject, "CALL dbms.createUser('craig', '', true)", "Password cannot be empty" ); } @Test public void shouldNotCreateExistingUser() throws Exception { - assertCallFail( adminSubject, "CALL dbms.createUser('readSubject', '1234', true)", + assertFail( adminSubject, "CALL dbms.createUser('readSubject', '1234', true)", "The specified user already exists" ); - assertCallFail( adminSubject, "CALL dbms.createUser('readSubject', '', true)", "Password cannot be empty" ); + assertFail( adminSubject, "CALL dbms.createUser('readSubject', '', true)", "Password cannot be empty" ); } @Test @@ -327,11 +327,11 @@ public void shouldNotAllowNonAdminCreateUser() throws Exception @Test public void shouldDeleteUser() throws Exception { - assertCallSuccess( adminSubject, "CALL dbms.deleteUser('noneSubject')" ); + assertEmpty( adminSubject, "CALL dbms.deleteUser('noneSubject')" ); assertNull( "User noneSubject should not exist", userManager.getUser( "noneSubject" ) ); userManager.addUserToRole( "readSubject", PUBLISHER ); - assertCallSuccess( adminSubject, "CALL dbms.deleteUser('readSubject')" ); + assertEmpty( adminSubject, "CALL dbms.deleteUser('readSubject')" ); assertNull( "User readSubject should not exist", userManager.getUser( "readSubject" ) ); assertFalse( userManager.getUsernamesForRole( READER ).contains( "readSubject" ) ); assertFalse( userManager.getUsernamesForRole( PUBLISHER ).contains( "readSubject" ) ); @@ -350,7 +350,7 @@ public void shouldNotDeleteUserIfNotAdmin() throws Exception } @Test - public void shouldNotAllowDeletingNonExistingUser() throws Exception + public void shouldNotAllowDeletingNonExistentUser() throws Exception { testFailDeleteUser( adminSubject, "Craig", "User Craig does not exist" ); testFailDeleteUser( adminSubject, "", "User does not exist" ); @@ -367,36 +367,36 @@ public void shouldNotAllowDeletingYourself() throws Exception @Test public void shouldSuspendUser() throws Exception { - assertCallSuccess( adminSubject, "CALL dbms.suspendUser('readSubject')" ); + assertEmpty( adminSubject, "CALL dbms.suspendUser('readSubject')" ); assertTrue( userManager.getUser( "readSubject" ).hasFlag( InternalFlatFileRealm.IS_SUSPENDED ) ); } @Test public void shouldSuspendSuspendedUser() throws Exception { - assertCallSuccess( adminSubject, "CALL dbms.suspendUser('readSubject')" ); - assertCallSuccess( adminSubject, "CALL dbms.suspendUser('readSubject')" ); + assertEmpty( adminSubject, "CALL dbms.suspendUser('readSubject')" ); + assertEmpty( adminSubject, "CALL dbms.suspendUser('readSubject')" ); assertTrue( userManager.getUser( "readSubject" ).hasFlag( InternalFlatFileRealm.IS_SUSPENDED ) ); } @Test - public void shouldFailToSuspendNonExistingUser() throws Exception + public void shouldFailToSuspendNonExistentUser() throws Exception { - assertCallFail( adminSubject, "CALL dbms.suspendUser('Craig')", "User Craig does not exist" ); + assertFail( adminSubject, "CALL dbms.suspendUser('Craig')", "User Craig does not exist" ); } @Test public void shouldFailToSuspendIfNotAdmin() throws Exception { - assertCallFail( schemaSubject, "CALL dbms.suspendUser('readSubject')", PERMISSION_DENIED ); - assertCallFail( schemaSubject, "CALL dbms.suspendUser('Craig')", PERMISSION_DENIED ); - assertCallFail( schemaSubject, "CALL dbms.suspendUser('')", PERMISSION_DENIED ); + assertFail( schemaSubject, "CALL dbms.suspendUser('readSubject')", PERMISSION_DENIED ); + assertFail( schemaSubject, "CALL dbms.suspendUser('Craig')", PERMISSION_DENIED ); + assertFail( schemaSubject, "CALL dbms.suspendUser('')", PERMISSION_DENIED ); } @Test public void shouldFailToSuspendYourself() throws Exception { - assertCallFail( adminSubject, "CALL dbms.suspendUser('adminSubject')", "Suspending yourself is not allowed" ); + assertFail( adminSubject, "CALL dbms.suspendUser('adminSubject')", "Suspending yourself is not allowed" ); } //---------- activate user ----------- @@ -405,7 +405,7 @@ public void shouldFailToSuspendYourself() throws Exception public void shouldActivateUser() throws Exception { userManager.suspendUser( "readSubject" ); - assertCallSuccess( adminSubject, "CALL dbms.activateUser('readSubject')" ); + assertEmpty( adminSubject, "CALL dbms.activateUser('readSubject')" ); assertFalse( userManager.getUser( "readSubject" ).hasFlag( InternalFlatFileRealm.IS_SUSPENDED ) ); } @@ -413,30 +413,30 @@ public void shouldActivateUser() throws Exception public void shouldActivateActiveUser() throws Exception { userManager.suspendUser( "readSubject" ); - assertCallSuccess( adminSubject, "CALL dbms.activateUser('readSubject')" ); - assertCallSuccess( adminSubject, "CALL dbms.activateUser('readSubject')" ); + assertEmpty( adminSubject, "CALL dbms.activateUser('readSubject')" ); + assertEmpty( adminSubject, "CALL dbms.activateUser('readSubject')" ); assertFalse( userManager.getUser( "readSubject" ).hasFlag( InternalFlatFileRealm.IS_SUSPENDED ) ); } @Test - public void shouldFailToActivateNonExistingUser() throws Exception + public void shouldFailToActivateNonExistentUser() throws Exception { - assertCallFail( adminSubject, "CALL dbms.activateUser('Craig')", "User Craig does not exist" ); + assertFail( adminSubject, "CALL dbms.activateUser('Craig')", "User Craig does not exist" ); } @Test public void shouldFailToActivateIfNotAdmin() throws Exception { userManager.suspendUser( "readSubject" ); - assertCallFail( schemaSubject, "CALL dbms.activateUser('readSubject')", PERMISSION_DENIED ); - assertCallFail( schemaSubject, "CALL dbms.activateUser('Craig')", PERMISSION_DENIED ); - assertCallFail( schemaSubject, "CALL dbms.activateUser('')", PERMISSION_DENIED ); + assertFail( schemaSubject, "CALL dbms.activateUser('readSubject')", PERMISSION_DENIED ); + assertFail( schemaSubject, "CALL dbms.activateUser('Craig')", PERMISSION_DENIED ); + assertFail( schemaSubject, "CALL dbms.activateUser('')", PERMISSION_DENIED ); } @Test public void shouldFailToActivateYourself() throws Exception { - assertCallFail( adminSubject, "CALL dbms.activateUser('adminSubject')", "Activating yourself is not allowed" ); + assertFail( adminSubject, "CALL dbms.activateUser('adminSubject')", "Activating yourself is not allowed" ); } //---------- add user to role ----------- @@ -445,7 +445,7 @@ public void shouldFailToActivateYourself() throws Exception public void shouldAddUserToRole() throws Exception { assertFalse( "Should not have role publisher", userHasRole( "readSubject", PUBLISHER ) ); - assertCallSuccess( adminSubject, "CALL dbms.addUserToRole('readSubject', '" + PUBLISHER + "')" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('readSubject', '" + PUBLISHER + "')" ); assertTrue( "Should have role publisher", userHasRole( "readSubject", PUBLISHER ) ); } @@ -453,12 +453,12 @@ public void shouldAddUserToRole() throws Exception public void shouldAddRetainUserInRole() throws Exception { assertTrue( "Should have role reader", userHasRole( "readSubject", READER ) ); - assertCallSuccess( adminSubject, "CALL dbms.addUserToRole('readSubject', '" + READER + "')" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('readSubject', '" + READER + "')" ); assertTrue( "Should have still have role reader", userHasRole( "readSubject", READER ) ); } @Test - public void shouldFailToAddNonExistingUserToRole() throws Exception + public void shouldFailToAddNonExistentUserToRole() throws Exception { testFailAddUserToRole( adminSubject, "Olivia", PUBLISHER, "User Olivia does not exist" ); testFailAddUserToRole( adminSubject, "Olivia", "thisRoleDoesNotExist", "User Olivia does not exist" ); @@ -467,7 +467,7 @@ public void shouldFailToAddNonExistingUserToRole() throws Exception } @Test - public void shouldFailToAddUserToNonExistingRole() throws Exception + public void shouldFailToAddUserToNonExistentRole() throws Exception { testFailAddUserToRole( adminSubject, "readSubject", "thisRoleDoesNotExist", "Role thisRoleDoesNotExist does not exist" ); @@ -492,7 +492,7 @@ public void shouldFailToAddUserToRoleIfNotAdmin() throws Exception @Test public void shouldRemoveUserFromRole() throws Exception { - assertCallSuccess( adminSubject, "CALL dbms.removeUserFromRole('readSubject', '" + READER + "')" ); + assertEmpty( adminSubject, "CALL dbms.removeUserFromRole('readSubject', '" + READER + "')" ); assertFalse( "Should not have role reader", userHasRole( "readSubject", READER ) ); } @@ -500,12 +500,12 @@ public void shouldRemoveUserFromRole() throws Exception public void shouldKeepUserOutOfRole() throws Exception { assertFalse( "Should not have role publisher", userHasRole( "readSubject", PUBLISHER ) ); - assertCallSuccess( adminSubject, "CALL dbms.removeUserFromRole('readSubject', '" + PUBLISHER + "')" ); + assertEmpty( adminSubject, "CALL dbms.removeUserFromRole('readSubject', '" + PUBLISHER + "')" ); assertFalse( "Should not have role publisher", userHasRole( "readSubject", PUBLISHER ) ); } @Test - public void shouldFailToRemoveNonExistingUserFromRole() throws Exception + public void shouldFailToRemoveNonExistentUserFromRole() throws Exception { testFailRemoveUserFromRole( adminSubject, "Olivia", PUBLISHER, "User Olivia does not exist" ); testFailRemoveUserFromRole( adminSubject, "Olivia", "thisRoleDoesNotExist", "User Olivia does not exist" ); @@ -516,7 +516,7 @@ public void shouldFailToRemoveNonExistingUserFromRole() throws Exception } @Test - public void shouldFailToRemoveUserFromNonExistingRole() throws Exception + public void shouldFailToRemoveUserFromNonExistentRole() throws Exception { testFailRemoveUserFromRole( adminSubject, "readSubject", "thisRoleDoesNotExist", "Role thisRoleDoesNotExist does not exist" ); testFailRemoveUserFromRole( adminSubject, "readSubject", "", @@ -538,7 +538,7 @@ public void shouldFailToRemoveUserFromRoleIfNotAdmin() throws Exception @Test public void shouldFailToRemoveYourselfFromAdminRole() throws Exception { - assertCallFail( adminSubject, "CALL dbms.removeUserFromRole('adminSubject', '" + ADMIN + "')", + assertFail( adminSubject, "CALL dbms.removeUserFromRole('adminSubject', '" + ADMIN + "')", "Removing yourself from the admin role is not allowed" ); } @@ -549,12 +549,12 @@ public void shouldAllowAddingAndRemovingUserFromMultipleRoles() throws Exception { assertFalse( "Should not have role publisher", userHasRole( "readSubject", PUBLISHER ) ); assertFalse( "Should not have role architect", userHasRole( "readSubject", ARCHITECT ) ); - assertCallSuccess( adminSubject, "CALL dbms.addUserToRole('readSubject', '" + PUBLISHER + "')" ); - assertCallSuccess( adminSubject, "CALL dbms.addUserToRole('readSubject', '" + ARCHITECT + "')" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('readSubject', '" + PUBLISHER + "')" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('readSubject', '" + ARCHITECT + "')" ); assertTrue( "Should have role publisher", userHasRole( "readSubject", PUBLISHER ) ); assertTrue( "Should have role architect", userHasRole( "readSubject", ARCHITECT ) ); - assertCallSuccess( adminSubject, "CALL dbms.removeUserFromRole('readSubject', '" + PUBLISHER + "')" ); - assertCallSuccess( adminSubject, "CALL dbms.removeUserFromRole('readSubject', '" + ARCHITECT + "')" ); + assertEmpty( adminSubject, "CALL dbms.removeUserFromRole('readSubject', '" + PUBLISHER + "')" ); + assertEmpty( adminSubject, "CALL dbms.removeUserFromRole('readSubject', '" + ARCHITECT + "')" ); assertFalse( "Should not have role publisher", userHasRole( "readSubject", PUBLISHER ) ); assertFalse( "Should not have role architect", userHasRole( "readSubject", ARCHITECT ) ); } @@ -564,7 +564,7 @@ public void shouldAllowAddingAndRemovingUserFromMultipleRoles() throws Exception @Test public void shouldListUsers() throws Exception { - assertCallSuccess( adminSubject, "CALL dbms.listUsers() YIELD username", + assertSuccess( adminSubject, "CALL dbms.listUsers() YIELD username", r -> assertKeyIs( r, "username", initialUsers ) ); } @@ -581,7 +581,7 @@ public void shouldReturnUsersWithRoles() throws Exception "neo4j", listOf( ADMIN ) ); userManager.addUserToRole( "writeSubject", READER ); - assertCallSuccess( adminSubject, "CALL dbms.listUsers()", + assertSuccess( adminSubject, "CALL dbms.listUsers()", r -> assertKeyIsMap( r, "username", "roles", expected ) ); } @@ -589,16 +589,16 @@ public void shouldReturnUsersWithRoles() throws Exception public void shouldShowCurrentUser() throws Exception { userManager.addUserToRole( "writeSubject", READER ); - assertCallSuccess( adminSubject, "CALL dbms.showCurrentUser()", + assertSuccess( adminSubject, "CALL dbms.showCurrentUser()", r -> assertKeyIsMap( r, "username", "roles", map( "adminSubject", listOf( ADMIN ) ) ) ); - assertCallSuccess( readSubject, "CALL dbms.showCurrentUser()", + assertSuccess( readSubject, "CALL dbms.showCurrentUser()", r -> assertKeyIsMap( r, "username", "roles", map( "readSubject", listOf( READER ) ) ) ); - assertCallSuccess( schemaSubject, "CALL dbms.showCurrentUser()", + assertSuccess( schemaSubject, "CALL dbms.showCurrentUser()", r -> assertKeyIsMap( r, "username", "roles", map( "schemaSubject", listOf( ARCHITECT ) ) ) ); - assertCallSuccess( writeSubject, "CALL dbms.showCurrentUser()", + assertSuccess( writeSubject, "CALL dbms.showCurrentUser()", r -> assertKeyIsMap( r, "username", "roles", map( "writeSubject", listOf( READER, PUBLISHER ) ) ) ); - assertCallSuccess( noneSubject, "CALL dbms.showCurrentUser()", + assertSuccess( noneSubject, "CALL dbms.showCurrentUser()", r -> assertKeyIsMap( r, "username", "roles", map( "noneSubject", listOf() ) ) ); } @@ -616,7 +616,7 @@ public void shouldNotAllowNonAdminListUsers() throws Exception @Test public void shouldListRoles() throws Exception { - assertCallSuccess( adminSubject, "CALL dbms.listRoles() YIELD role", + assertSuccess( adminSubject, "CALL dbms.listRoles() YIELD role", r -> assertKeyIs( r, "role", initialRoles ) ); } @@ -630,7 +630,7 @@ ARCHITECT, listOf( "schemaSubject" ), PUBLISHER, listOf( "writeSubject" ), "empty", listOf() ); - assertCallSuccess( adminSubject, "CALL dbms.listRoles()", + assertSuccess( adminSubject, "CALL dbms.listRoles()", r -> assertKeyIsMap( r, "role", "users", expected ) ); } @@ -648,34 +648,34 @@ public void shouldNotAllowNonAdminListRoles() throws Exception @Test public void shouldListRolesForUser() throws Exception { - assertCallSuccess( adminSubject, "CALL dbms.listRolesForUser('adminSubject') YIELD value as roles RETURN roles", + assertSuccess( adminSubject, "CALL dbms.listRolesForUser('adminSubject') YIELD value as roles RETURN roles", r -> assertKeyIs( r, "roles", ADMIN ) ); - assertCallSuccess( adminSubject, "CALL dbms.listRolesForUser('readSubject') YIELD value as roles RETURN roles", + assertSuccess( adminSubject, "CALL dbms.listRolesForUser('readSubject') YIELD value as roles RETURN roles", r -> assertKeyIs( r, "roles", READER ) ); } @Test public void shouldListNoRolesForUserWithNoRoles() throws Exception { - assertCallEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); - assertCallEmpty( adminSubject, "CALL dbms.listRolesForUser('Henrik') YIELD value as roles RETURN roles" ); + assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); + assertEmpty( adminSubject, "CALL dbms.listRolesForUser('Henrik') YIELD value as roles RETURN roles" ); } @Test - public void shouldNotListRolesForNonExistingUser() throws Exception + public void shouldNotListRolesForNonExistentUser() throws Exception { - assertCallFail( adminSubject, "CALL dbms.listRolesForUser('Petra') YIELD value as roles RETURN roles", + assertFail( adminSubject, "CALL dbms.listRolesForUser('Petra') YIELD value as roles RETURN roles", "User Petra does not exist" ); - assertCallFail( adminSubject, "CALL dbms.listRolesForUser('') YIELD value as roles RETURN roles", + assertFail( adminSubject, "CALL dbms.listRolesForUser('') YIELD value as roles RETURN roles", "User does not exist" ); } @Test public void shouldListOwnRolesRoles() throws Exception { - assertCallSuccess( adminSubject, "CALL dbms.listRolesForUser('adminSubject') YIELD value as roles RETURN roles", + assertSuccess( adminSubject, "CALL dbms.listRolesForUser('adminSubject') YIELD value as roles RETURN roles", r -> assertKeyIs( r, "roles", ADMIN ) ); - assertCallSuccess( readSubject, "CALL dbms.listRolesForUser('readSubject') YIELD value as roles RETURN roles", + assertSuccess( readSubject, "CALL dbms.listRolesForUser('readSubject') YIELD value as roles RETURN roles", r -> assertKeyIs( r, "roles", READER ) ); } @@ -700,15 +700,15 @@ public void shouldListUsersForRole() throws Exception @Test public void shouldListNoUsersForRoleWithNoUsers() throws Exception { - assertCallEmpty( adminSubject, "CALL dbms.listUsersForRole('empty') YIELD value as users RETURN users" ); + assertEmpty( adminSubject, "CALL dbms.listUsersForRole('empty') YIELD value as users RETURN users" ); } @Test - public void shouldNotListUsersForNonExistingRole() throws Exception + public void shouldNotListUsersForNonExistentRole() throws Exception { - assertCallFail( adminSubject, "CALL dbms.listUsersForRole('poodle') YIELD value as users RETURN users", + assertFail( adminSubject, "CALL dbms.listUsersForRole('poodle') YIELD value as users RETURN users", "Role poodle does not exist" ); - assertCallFail( adminSubject, "CALL dbms.listUsersForRole('') YIELD value as users RETURN users", + assertFail( adminSubject, "CALL dbms.listUsersForRole('') YIELD value as users RETURN users", "Role does not exist" ); } @@ -743,26 +743,26 @@ public void shouldSetCorrectPasswordChangeRequiredPermissions() throws Throwable testFailRead( pwdSubject, 3, pwdReqErrMsg( READ_OPS_NOT_ALLOWED ) ); testFailWrite( pwdSubject, pwdReqErrMsg( WRITE_OPS_NOT_ALLOWED ) ); testFailSchema( pwdSubject, pwdReqErrMsg( SCHEMA_OPS_NOT_ALLOWED ) ); - assertCallEmpty( pwdSubject, "CALL dbms.changePassword( '321' )" ); + assertPasswordChangeWhenPasswordChangeRequired( pwdSubject, "321" ); - assertCallEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', true)" ); - assertCallEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + ARCHITECT + "')" ); + assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', true)" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + ARCHITECT + "')" ); S henrik = neo.login( "Henrik", "bar" ); assertEquals( PASSWORD_CHANGE_REQUIRED, neo.authenticationResult( henrik ) ); testFailRead( henrik, 3, pwdReqErrMsg( READ_OPS_NOT_ALLOWED ) ); testFailWrite( henrik, pwdReqErrMsg( WRITE_OPS_NOT_ALLOWED ) ); testFailSchema( henrik, pwdReqErrMsg( SCHEMA_OPS_NOT_ALLOWED ) ); - assertCallEmpty( henrik, "CALL dbms.changePassword( '321' )" ); + assertPasswordChangeWhenPasswordChangeRequired( henrik, "321" ); - assertCallEmpty( adminSubject, "CALL dbms.createUser('Olivia', 'bar', true)" ); - assertCallEmpty( adminSubject, "CALL dbms.addUserToRole('Olivia', '" + ADMIN + "')" ); + assertEmpty( adminSubject, "CALL dbms.createUser('Olivia', 'bar', true)" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('Olivia', '" + ADMIN + "')" ); S olivia = neo.login( "Olivia", "bar" ); assertEquals( PASSWORD_CHANGE_REQUIRED, neo.authenticationResult( olivia ) ); testFailRead( olivia, 3, pwdReqErrMsg( READ_OPS_NOT_ALLOWED ) ); testFailWrite( olivia, pwdReqErrMsg( WRITE_OPS_NOT_ALLOWED ) ); testFailSchema( olivia, pwdReqErrMsg( SCHEMA_OPS_NOT_ALLOWED ) ); - assertCallFail( olivia, "CALL dbms.createUser('OliviasFriend', 'bar', false)", CHANGE_PWD_ERR_MSG ); - assertCallEmpty( olivia, "CALL dbms.changePassword( '321' )" ); + assertFail( olivia, "CALL dbms.createUser('OliviasFriend', 'bar', false)", CHANGE_PWD_ERR_MSG ); + assertPasswordChangeWhenPasswordChangeRequired( olivia, "321" ); } @Test @@ -772,7 +772,7 @@ public void shouldSetCorrectNoRolePermissions() throws Exception testFailWrite( noneSubject ); testFailSchema( noneSubject ); testFailCreateUser( noneSubject, PERMISSION_DENIED ); - assertCallEmpty( noneSubject, "CALL dbms.changePassword( '321' )" ); + assertEmpty( noneSubject, "CALL dbms.changePassword( '321' )" ); } @Test @@ -782,7 +782,7 @@ public void shouldSetCorrectReaderPermissions() throws Exception testFailWrite( readSubject ); testFailSchema( readSubject ); testFailCreateUser( readSubject, PERMISSION_DENIED ); - assertCallEmpty( readSubject, "CALL dbms.changePassword( '321' )" ); + assertEmpty( readSubject, "CALL dbms.changePassword( '321' )" ); } @Test @@ -792,7 +792,7 @@ public void shouldSetCorrectPublisherPermissions() throws Exception testSuccessfulWrite( writeSubject ); testFailSchema( writeSubject ); testFailCreateUser( writeSubject, PERMISSION_DENIED ); - assertCallEmpty( writeSubject, "CALL dbms.changePassword( '321' )" ); + assertEmpty( writeSubject, "CALL dbms.changePassword( '321' )" ); } @Test @@ -802,7 +802,7 @@ public void shouldSetCorrectSchemaPermissions() throws Exception testSuccessfulWrite( schemaSubject ); testSuccessfulSchema( schemaSubject ); testFailCreateUser( schemaSubject, PERMISSION_DENIED ); - assertCallEmpty( schemaSubject, "CALL dbms.changePassword( '321' )" ); + assertEmpty( schemaSubject, "CALL dbms.changePassword( '321' )" ); } @Test @@ -811,19 +811,19 @@ public void shouldSetCorrectAdminPermissions() throws Exception testSuccessfulRead( adminSubject, 3 ); testSuccessfulWrite( adminSubject ); testSuccessfulSchema( adminSubject ); - assertCallEmpty( adminSubject, "CALL dbms.createUser('Olivia', 'bar', true)" ); - assertCallEmpty( adminSubject, "CALL dbms.changePassword( '321' )" ); + assertEmpty( adminSubject, "CALL dbms.createUser('Olivia', 'bar', true)" ); + assertEmpty( adminSubject, "CALL dbms.changePassword( '321' )" ); } @Test public void shouldSetCorrectMultiRolePermissions() throws Exception { - assertCallEmpty( adminSubject, "CALL dbms.addUserToRole('schemaSubject', '" + READER + "')" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('schemaSubject', '" + READER + "')" ); testSuccessfulRead( schemaSubject, 3 ); testSuccessfulWrite( schemaSubject ); testSuccessfulSchema( schemaSubject ); testFailCreateUser( schemaSubject, PERMISSION_DENIED ); - assertCallEmpty( schemaSubject, "CALL dbms.changePassword( '321' )" ); + assertEmpty( schemaSubject, "CALL dbms.changePassword( '321' )" ); } } diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/AuthScenariosLogic.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/AuthScenariosLogic.java index 16de59799e751..f4008d69ffab7 100644 --- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/AuthScenariosLogic.java +++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/AuthScenariosLogic.java @@ -58,17 +58,14 @@ public abstract class AuthScenariosLogic extends AuthTestBase @Test public void userCreation1() throws Throwable { - assertCallEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', true)" ); - assertCallEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" ); + assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', true)" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" ); S subject = neo.login( "Henrik", "foo" ); assertEquals( AuthenticationResult.FAILURE, neo.authenticationResult( subject ) ); subject = neo.login( "Henrik", "bar" ); assertEquals( AuthenticationResult.PASSWORD_CHANGE_REQUIRED, neo.authenticationResult( subject ) ); testFailRead( subject, 3, pwdReqErrMsg( READ_OPS_NOT_ALLOWED ) ); - // TODO: REST doesn't allow changing your own password via procedure if you're in PASSWORD_CHANGE_REQUIRED mode - if ( IS_EMBEDDED ) assertCallEmpty( subject, "CALL dbms.changePassword( 'foo' )" ); - else assertCallEmpty( adminSubject, "CALL dbms.changeUserPassword( 'Henrik', 'foo' )" ); - // remove above if-else ASAP + assertPasswordChangeWhenPasswordChangeRequired( subject, "foo" ); subject = neo.login( "Henrik", "foo" ); assertEquals( AuthenticationResult.SUCCESS, neo.authenticationResult( subject ) ); testFailWrite( subject ); @@ -87,17 +84,14 @@ Henrik logs in with correct password (gets prompted to change - change to foo) @Test public void userCreation2() throws Throwable { - assertCallEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', true)" ); + assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', true)" ); S subject = neo.login( "Henrik", "bar" ); assertEquals( AuthenticationResult.PASSWORD_CHANGE_REQUIRED, neo.authenticationResult( subject ) ); - // TODO: REST doesn't allow changing your own password via procedure if you're in PASSWORD_CHANGE_REQUIRED mode - if ( IS_EMBEDDED ) assertCallEmpty( subject, "CALL dbms.changePassword( 'foo' )" ); - else assertCallEmpty( adminSubject, "CALL dbms.changeUserPassword( 'Henrik', 'foo' )" ); - // remove above if-else ASAP + assertPasswordChangeWhenPasswordChangeRequired( subject, "foo" ); subject = neo.login( "Henrik", "foo" ); assertEquals( AuthenticationResult.SUCCESS, neo.authenticationResult( subject ) ); testFailRead( subject, 3 ); - assertCallEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" ); testFailWrite( subject ); testSuccessfulRead( subject, 3 ); } @@ -115,11 +109,11 @@ public void userCreation2() throws Throwable @Test public void userCreation3() throws Throwable { - assertCallEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); + assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); S subject = neo.login( "Henrik", "bar" ); assertEquals( AuthenticationResult.SUCCESS, neo.authenticationResult( subject ) ); testFailRead( subject, 3 ); - assertCallEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" ); testSuccessfulWrite( subject ); testSuccessfulRead( subject, 4 ); testFailSchema( subject ); @@ -142,14 +136,14 @@ public void userCreation3() throws Throwable @Test public void userCreation4() throws Throwable { - assertCallEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); + assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); S subject = neo.login( "Henrik", "bar" ); assertEquals( AuthenticationResult.SUCCESS, neo.authenticationResult( subject ) ); testFailRead( subject, 3 ); testFailWrite( subject ); testFailSchema( subject ); testFailCreateUser( subject, PERMISSION_DENIED ); - assertCallEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + ARCHITECT + "')" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + ARCHITECT + "')" ); testSuccessfulWrite( subject ); testSuccessfulRead( subject, 4 ); testSuccessfulSchema( subject ); @@ -166,8 +160,8 @@ public void userCreation4() throws Throwable @Test public void userCreation5() throws Throwable { - assertCallEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); - assertCallEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" ); + assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" ); S subject = neo.login( "Henrik", "bar" ); testFailCreateUser( subject, PERMISSION_DENIED ); } @@ -182,8 +176,8 @@ public void userCreation5() throws Throwable @Test public void userDeletion1() throws Throwable { - assertCallEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); - assertCallEmpty( adminSubject, "CALL dbms.deleteUser('Henrik')" ); + assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); + assertEmpty( adminSubject, "CALL dbms.deleteUser('Henrik')" ); S subject = neo.login( "Henrik", "bar" ); assertEquals( AuthenticationResult.FAILURE, neo.authenticationResult( subject ) ); } @@ -196,9 +190,9 @@ public void userDeletion1() throws Throwable @Test public void userDeletion2() throws Throwable { - assertCallEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); - assertCallEmpty( adminSubject, "CALL dbms.deleteUser('Henrik')" ); - assertCallFail( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')", + assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); + assertEmpty( adminSubject, "CALL dbms.deleteUser('Henrik')" ); + assertFail( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')", "User Henrik does not exist" ); } @@ -211,10 +205,10 @@ public void userDeletion2() throws Throwable @Test public void userDeletion3() throws Throwable { - assertCallEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); - assertCallEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" ); - assertCallEmpty( adminSubject, "CALL dbms.deleteUser('Henrik')" ); - assertCallFail( adminSubject, "CALL dbms.removeUserFromRole('Henrik', '" + PUBLISHER + "')", + assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" ); + assertEmpty( adminSubject, "CALL dbms.deleteUser('Henrik')" ); + assertFail( adminSubject, "CALL dbms.removeUserFromRole('Henrik', '" + PUBLISHER + "')", "User Henrik does not exist" ); } @@ -228,12 +222,12 @@ public void userDeletion3() throws Throwable @Test public void userDeletion4() throws Throwable { - assertCallEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); - assertCallEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" ); + assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" ); S subject = neo.login( "Henrik", "bar" ); assertEquals( AuthenticationResult.SUCCESS, neo.authenticationResult( subject ) ); - assertCallEmpty( adminSubject, "CALL dbms.deleteUser('Henrik')" ); - assertCallFail( subject, "MATCH (n:Node) RETURN n", + assertEmpty( adminSubject, "CALL dbms.deleteUser('Henrik')" ); + assertFail( subject, "MATCH (n:Node) RETURN n", IS_EMBEDDED ? "Read operations are not allowed" : "Invalid username or password"); } @@ -253,14 +247,14 @@ public void userDeletion4() throws Throwable @Test public void roleManagement1() throws Throwable { - assertCallEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); - assertCallEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" ); + assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" ); S subject = neo.login( "Henrik", "bar" ); assertEquals( AuthenticationResult.SUCCESS, neo.authenticationResult( subject ) ); testSuccessfulWrite( subject ); - assertCallEmpty( adminSubject, "CALL dbms.removeUserFromRole('Henrik', '" + PUBLISHER + "')" ); + assertEmpty( adminSubject, "CALL dbms.removeUserFromRole('Henrik', '" + PUBLISHER + "')" ); testFailRead( subject, 4 ); - assertCallEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" ); testFailWrite( subject ); testSuccessfulRead( subject, 4 ); } @@ -276,12 +270,12 @@ public void roleManagement1() throws Throwable @Test public void roleManagement2() throws Throwable { - assertCallEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); + assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); S subject = neo.login( "Henrik", "bar" ); assertEquals( AuthenticationResult.SUCCESS, neo.authenticationResult( subject ) ); testFailWrite( subject ); - assertCallEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" ); - assertCallEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" ); testSuccessfulWrite( subject ); } @@ -299,14 +293,14 @@ public void roleManagement2() throws Throwable @Test public void roleManagement3() throws Throwable { - assertCallEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); - assertCallEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" ); + assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" ); S subject = neo.login( "Henrik", "bar" ); assertEquals( AuthenticationResult.SUCCESS, neo.authenticationResult( subject ) ); - assertCallEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" ); testSuccessfulWrite( subject ); testSuccessfulRead( subject, 4 ); - assertCallEmpty( adminSubject, "CALL dbms.removeUserFromRole('Henrik', '" + PUBLISHER + "')" ); + assertEmpty( adminSubject, "CALL dbms.removeUserFromRole('Henrik', '" + PUBLISHER + "')" ); testFailWrite( subject ); testSuccessfulRead( subject, 4 ); } @@ -325,15 +319,15 @@ public void roleManagement3() throws Throwable @Test public void roleManagement4() throws Throwable { - assertCallEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); - assertCallEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" ); + assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" ); S subject = neo.login( "Henrik", "bar" ); assertEquals( AuthenticationResult.SUCCESS, neo.authenticationResult( subject ) ); - assertCallEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" ); testSuccessfulWrite( subject ); testSuccessfulRead( subject, 4 ); - assertCallEmpty( adminSubject, "CALL dbms.removeUserFromRole('Henrik', '" + READER + "')" ); - assertCallEmpty( adminSubject, "CALL dbms.removeUserFromRole('Henrik', '" + PUBLISHER + "')" ); + assertEmpty( adminSubject, "CALL dbms.removeUserFromRole('Henrik', '" + READER + "')" ); + assertEmpty( adminSubject, "CALL dbms.removeUserFromRole('Henrik', '" + PUBLISHER + "')" ); testFailWrite( subject ); testFailRead( subject, 4 ); } @@ -350,11 +344,11 @@ public void roleManagement4() throws Throwable @Test public void userSuspension1() throws Throwable { - assertCallEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); + assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); S subject = neo.login( "Henrik", "bar" ); assertEquals( AuthenticationResult.SUCCESS, neo.authenticationResult( subject ) ); neo.logout( subject ); - assertCallEmpty( adminSubject, "CALL dbms.suspendUser('Henrik')" ); + assertEmpty( adminSubject, "CALL dbms.suspendUser('Henrik')" ); subject = neo.login( "Henrik", "bar" ); assertEquals( AuthenticationResult.FAILURE, neo.authenticationResult( subject ) ); } @@ -371,12 +365,12 @@ public void userSuspension1() throws Throwable @Test public void userSuspension2() throws Throwable { - assertCallEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); - assertCallEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" ); + assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" ); S subject = neo.login( "Henrik", "bar" ); assertEquals( AuthenticationResult.SUCCESS, neo.authenticationResult( subject ) ); testSuccessfulRead( subject, 3 ); - assertCallEmpty( adminSubject, "CALL dbms.suspendUser('Henrik')" ); + assertEmpty( adminSubject, "CALL dbms.suspendUser('Henrik')" ); // TODO: uncomment and fix //testUnAuthenticated( subject ); @@ -398,11 +392,11 @@ public void userSuspension2() throws Throwable @Test public void userActivation1() throws Throwable { - assertCallEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); - assertCallEmpty( adminSubject, "CALL dbms.suspendUser('Henrik')" ); + assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); + assertEmpty( adminSubject, "CALL dbms.suspendUser('Henrik')" ); S subject = neo.login( "Henrik", "bar" ); assertEquals( AuthenticationResult.FAILURE, neo.authenticationResult( subject ) ); - assertCallEmpty( adminSubject, "CALL dbms.activateUser('Henrik')" ); + assertEmpty( adminSubject, "CALL dbms.activateUser('Henrik')" ); subject = neo.login( "Henrik", "bar" ); assertEquals( AuthenticationResult.SUCCESS, neo.authenticationResult( subject ) ); } @@ -422,12 +416,12 @@ public void userActivation1() throws Throwable public void userListing() throws Throwable { testSuccessfulListUsers( adminSubject, initialUsers ); - assertCallEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); + assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); testSuccessfulListUsers( adminSubject, with( initialUsers, "Henrik" ) ); S subject = neo.login( "Henrik", "bar" ); assertEquals( AuthenticationResult.SUCCESS, neo.authenticationResult( subject ) ); testFailListUsers( subject, 6, PERMISSION_DENIED ); - assertCallEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + ADMIN + "')" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + ADMIN + "')" ); testSuccessfulListUsers( subject, with( initialUsers, "Henrik" ) ); } @@ -442,12 +436,12 @@ public void userListing() throws Throwable @Test public void rolesListing() throws Throwable { - assertCallEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); + assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); S subject = neo.login( "Henrik", "bar" ); assertEquals( AuthenticationResult.SUCCESS, neo.authenticationResult( subject ) ); testFailListRoles( subject, PERMISSION_DENIED); testSuccessfulListRoles( adminSubject, initialRoles ); - assertCallEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + ADMIN + "')" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + ADMIN + "')" ); testSuccessfulListRoles( subject, initialRoles ); } @@ -465,9 +459,9 @@ public void rolesListing() throws Throwable @Test public void listingUserRoles() throws Throwable { - assertCallEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); - assertCallEmpty( adminSubject, "CALL dbms.createUser('Craig', 'foo', false)" ); - assertCallEmpty( adminSubject, "CALL dbms.addUserToRole('Craig', '" + PUBLISHER + "')" ); + assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); + assertEmpty( adminSubject, "CALL dbms.createUser('Craig', 'foo', false)" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('Craig', '" + PUBLISHER + "')" ); S subject = neo.login( "Henrik", "bar" ); assertEquals( AuthenticationResult.SUCCESS, neo.authenticationResult( subject ) ); @@ -492,10 +486,10 @@ public void listingUserRoles() throws Throwable @Test public void listingRoleUsers() throws Throwable { - assertCallEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); - assertCallEmpty( adminSubject, "CALL dbms.createUser('Craig', 'foo', false)" ); - assertCallEmpty( adminSubject, "CALL dbms.addUserToRole('Craig', '" + PUBLISHER + "')" ); - assertCallEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" ); + assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'bar', false)" ); + assertEmpty( adminSubject, "CALL dbms.createUser('Craig', 'foo', false)" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('Craig', '" + PUBLISHER + "')" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + PUBLISHER + "')" ); S subject = neo.login( "Henrik", "bar" ); assertEquals( AuthenticationResult.SUCCESS, neo.authenticationResult( subject ) ); testFailListRoleUsers( subject, PUBLISHER, PERMISSION_DENIED ); @@ -522,12 +516,12 @@ public void listingRoleUsers() throws Throwable @Test public void changeUserPassword1() throws Throwable { - assertCallEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'abc', false)" ); - assertCallEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" ); + assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'abc', false)" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" ); S subject = neo.login( "Henrik", "abc" ); assertEquals( AuthenticationResult.SUCCESS, neo.authenticationResult( subject ) ); testSuccessfulRead( subject, 3 ); - assertCallEmpty( subject, "CALL dbms.changeUserPassword('Henrik', '123')" ); + assertEmpty( subject, "CALL dbms.changeUserPassword('Henrik', '123')" ); //TODO: uncomment the next line and make the test pass //testSuccessfulRead( subject, 3 ); neo.logout( subject ); @@ -553,12 +547,12 @@ public void changeUserPassword1() throws Throwable @Test public void changeUserPassword2() throws Throwable { - assertCallEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'abc', false)" ); - assertCallEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" ); + assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'abc', false)" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" ); S subject = neo.login( "Henrik", "abc" ); assertEquals( AuthenticationResult.SUCCESS, neo.authenticationResult( subject ) ); testSuccessfulRead( subject, 3 ); - assertCallEmpty( adminSubject, "CALL dbms.changeUserPassword('Henrik', '123')" ); + assertEmpty( adminSubject, "CALL dbms.changeUserPassword('Henrik', '123')" ); neo.logout( subject ); subject = neo.login( "Henrik", "abc" ); assertEquals( AuthenticationResult.FAILURE, neo.authenticationResult( subject ) ); @@ -578,12 +572,12 @@ public void changeUserPassword2() throws Throwable @Test public void changeUserPassword3() throws Throwable { - assertCallEmpty( adminSubject, "CALL dbms.createUser('Craig', 'abc', false)" ); - assertCallEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'abc', false)" ); - assertCallEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" ); + assertEmpty( adminSubject, "CALL dbms.createUser('Craig', 'abc', false)" ); + assertEmpty( adminSubject, "CALL dbms.createUser('Henrik', 'abc', false)" ); + assertEmpty( adminSubject, "CALL dbms.addUserToRole('Henrik', '" + READER + "')" ); S subject = neo.login( "Henrik", "abc" ); assertEquals( AuthenticationResult.SUCCESS, neo.authenticationResult( subject ) ); testSuccessfulRead( subject, 3 ); - assertCallFail( subject, "CALL dbms.changeUserPassword('Craig', '123')", PERMISSION_DENIED ); + assertFail( subject, "CALL dbms.changeUserPassword('Craig', '123')", PERMISSION_DENIED ); } } diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/AuthTestBase.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/AuthTestBase.java index 93e481452e0f8..eabc926c9aec0 100644 --- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/AuthTestBase.java +++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/AuthTestBase.java @@ -132,51 +132,51 @@ void testSuccessfulRead( S subject, int count ) void testFailRead( S subject, int count ) { testFailRead( subject, count, READ_OPS_NOT_ALLOWED ); } void testFailRead( S subject, int count, String errMsg ) { - assertCallFail( subject, "MATCH (n) RETURN n", errMsg ); + assertFail( subject, "MATCH (n) RETURN n", errMsg ); } void testSuccessfulWrite( S subject ) { - assertCallEmpty( subject, "CREATE (:Node)" ); + assertEmpty( subject, "CREATE (:Node)" ); } void testFailWrite( S subject ) { testFailWrite( subject, WRITE_OPS_NOT_ALLOWED ); } void testFailWrite( S subject, String errMsg ) { - assertCallFail( subject, "CREATE (:Node)", errMsg ); + assertFail( subject, "CREATE (:Node)", errMsg ); } void testSuccessfulSchema( S subject ) { - assertCallEmpty( subject, "CREATE INDEX ON :Node(number)" ); + assertEmpty( subject, "CREATE INDEX ON :Node(number)" ); } void testFailSchema( S subject ) { testFailSchema( subject, SCHEMA_OPS_NOT_ALLOWED ); } void testFailSchema( S subject, String errMsg ) { - assertCallFail( subject, "CREATE INDEX ON :Node(number)", errMsg ); + assertFail( subject, "CREATE INDEX ON :Node(number)", errMsg ); } void testFailCreateUser( S subject, String errMsg ) { - assertCallFail( subject, "CALL dbms.createUser('Craig', 'foo', false)", errMsg ); - assertCallFail( subject, "CALL dbms.createUser('Craig', '', false)", errMsg ); - assertCallFail( subject, "CALL dbms.createUser('', 'foo', false)", errMsg ); + assertFail( subject, "CALL dbms.createUser('Craig', 'foo', false)", errMsg ); + assertFail( subject, "CALL dbms.createUser('Craig', '', false)", errMsg ); + assertFail( subject, "CALL dbms.createUser('', 'foo', false)", errMsg ); } void testFailAddUserToRole( S subject, String username, String role, String errMsg ) { - assertCallFail( subject, "CALL dbms.addUserToRole('" + username + "', '" + role + "')", errMsg ); + assertFail( subject, "CALL dbms.addUserToRole('" + username + "', '" + role + "')", errMsg ); } void testFailRemoveUserFromRole( S subject, String username, String role, String errMsg ) { - assertCallFail( subject, "CALL dbms.removeUserFromRole('" + username + "', '" + role + "')", errMsg ); + assertFail( subject, "CALL dbms.removeUserFromRole('" + username + "', '" + role + "')", errMsg ); } void testFailDeleteUser( S subject, String username, String errMsg ) { - assertCallFail( subject, "CALL dbms.deleteUser('" + username + "')", errMsg ); + assertFail( subject, "CALL dbms.deleteUser('" + username + "')", errMsg ); } void testSuccessfulListUsers( S subject, String[] users ) @@ -187,7 +187,7 @@ void testSuccessfulListUsers( S subject, String[] users ) void testFailListUsers( S subject, int count, String errMsg ) { - assertCallFail( subject, "CALL dbms.listUsers() YIELD username", errMsg ); + assertFail( subject, "CALL dbms.listUsers() YIELD username", errMsg ); } void testSuccessfulListRoles( S subject, String[] roles ) @@ -198,42 +198,51 @@ void testSuccessfulListRoles( S subject, String[] roles ) void testFailListRoles( S subject, String errMsg ) { - assertCallFail( subject, "CALL dbms.listRoles() YIELD role", errMsg ); + assertFail( subject, "CALL dbms.listRoles() YIELD role", errMsg ); } void testFailListUserRoles( S subject, String username, String errMsg ) { - assertCallFail( subject, + assertFail( subject, "CALL dbms.listRolesForUser('" + username + "') YIELD value AS roles RETURN count(roles)", errMsg ); } void testFailListRoleUsers( S subject, String roleName, String errMsg ) { - assertCallFail( subject, + assertFail( subject, "CALL dbms.listUsersForRole('" + roleName + "') YIELD value AS users RETURN count(users)", errMsg ); } - void assertCallFail( S subject, String call, String partOfErrorMsg ) + void assertPasswordChangeWhenPasswordChangeRequired( S subject, String newPassword ) + { + // TODO: REST doesn't allow changing your own password via procedure if you're in PASSWORD_CHANGE_REQUIRED mode + if ( IS_EMBEDDED ) assertEmpty( subject, "CALL dbms.changePassword( '" + newPassword + "' )" ); + else assertEmpty( adminSubject, "CALL dbms.changeUserPassword( '" + neo.nameOf( subject ) + "', '" + + newPassword + "' )" ); + // remove above if-else ASAP + } + + void assertFail( S subject, String call, String partOfErrorMsg ) { String err = assertCallEmpty( subject, call ); assertThat( err, containsString( partOfErrorMsg ) ); } - void assertCallSuccess( S subject, String call ) + void assertEmpty( S subject, String call ) { String err = assertCallEmpty( subject, call ); assertThat( err, equalTo( "" ) ); } - void assertCallSuccess( S subject, String call, Consumer>> resultConsumer ) + void assertSuccess( S subject, String call, Consumer>> resultConsumer ) { String err = neo.executeQuery( subject, call, null, resultConsumer ); assertThat( err, equalTo( "" ) ); } - String assertCallEmpty( S subject, String call ) + private String assertCallEmpty( S subject, String call ) { return neo.executeQuery( subject, call, null, ( res ) -> assertFalse( "Expected no results", res.hasNext()