

Re added some tests that got accidentally removed
OliviaYtterbrink committed Oct 30, 2018
1 parent 346538e commit 79c95c0
Showing 3 changed files with 82 additions and 13 deletions.
Expand Up @@ -100,6 +100,7 @@ public static Collection<Object[]> configurations()
Arrays.asList( Arrays.asList(
SecuritySettings.auth_provider, SecuritySettings.LDAP_REALM_NAME, SecuritySettings.auth_provider, SecuritySettings.LDAP_REALM_NAME,
SecuritySettings.ldap_server, "ldap://0.0.0.0:10389", SecuritySettings.ldap_server, "ldap://0.0.0.0:10389",
SecuritySettings.ldap_use_starttls, "false",
SecuritySettings.native_authentication_enabled, "false", SecuritySettings.native_authentication_enabled, "false",
SecuritySettings.native_authorization_enabled, "false", SecuritySettings.native_authorization_enabled, "false",
SecuritySettings.ldap_authentication_enabled, "true", SecuritySettings.ldap_authentication_enabled, "true",
Expand All @@ -111,6 +112,7 @@ public static Collection<Object[]> configurations()
Arrays.asList( Arrays.asList(
SecuritySettings.auth_provider, SecuritySettings.LDAP_REALM_NAME, SecuritySettings.auth_provider, SecuritySettings.LDAP_REALM_NAME,
SecuritySettings.ldap_server, "ldaps://localhost:10636", SecuritySettings.ldap_server, "ldaps://localhost:10636",
SecuritySettings.ldap_use_starttls, "false",
SecuritySettings.native_authentication_enabled, "false", SecuritySettings.native_authentication_enabled, "false",
SecuritySettings.native_authorization_enabled, "false", SecuritySettings.native_authorization_enabled, "false",
SecuritySettings.ldap_authentication_enabled, "true", SecuritySettings.ldap_authentication_enabled, "true",
Expand All @@ -122,18 +124,19 @@ public static Collection<Object[]> configurations()
Arrays.asList( Arrays.asList(
SecuritySettings.auth_provider, SecuritySettings.LDAP_REALM_NAME, SecuritySettings.auth_provider, SecuritySettings.LDAP_REALM_NAME,
SecuritySettings.ldap_server, "ldap://localhost:10389", SecuritySettings.ldap_server, "ldap://localhost:10389",
SecuritySettings.ldap_use_starttls, "true",
SecuritySettings.native_authentication_enabled, "false", SecuritySettings.native_authentication_enabled, "false",
SecuritySettings.native_authorization_enabled, "false", SecuritySettings.native_authorization_enabled, "false",
SecuritySettings.ldap_authentication_enabled, "true", SecuritySettings.ldap_authentication_enabled, "true",
SecuritySettings.ldap_authorization_enabled, "true", SecuritySettings.ldap_authorization_enabled, "true",
SecuritySettings.ldap_authorization_use_system_account, "false", SecuritySettings.ldap_authorization_use_system_account, "false"
SecuritySettings.ldap_use_starttls, "true"
) )
}, },
{"LdapSystemAccount", "abc123", false, {"LdapSystemAccount", "abc123", false,
Arrays.asList( Arrays.asList(
SecuritySettings.auth_provider, SecuritySettings.LDAP_REALM_NAME, SecuritySettings.auth_provider, SecuritySettings.LDAP_REALM_NAME,
SecuritySettings.ldap_server, "ldap://0.0.0.0:10389", SecuritySettings.ldap_server, "ldap://0.0.0.0:10389",
SecuritySettings.ldap_use_starttls, "false",
SecuritySettings.native_authentication_enabled, "false", SecuritySettings.native_authentication_enabled, "false",
SecuritySettings.native_authorization_enabled, "false", SecuritySettings.native_authorization_enabled, "false",
SecuritySettings.ldap_authentication_enabled, "true", SecuritySettings.ldap_authentication_enabled, "true",
Expand All @@ -147,6 +150,7 @@ public static Collection<Object[]> configurations()
Arrays.asList( Arrays.asList(
SecuritySettings.auth_provider, SecuritySettings.LDAP_REALM_NAME, SecuritySettings.auth_provider, SecuritySettings.LDAP_REALM_NAME,
SecuritySettings.ldap_server, "ldaps://localhost:10636", SecuritySettings.ldap_server, "ldaps://localhost:10636",
SecuritySettings.ldap_use_starttls, "false",
SecuritySettings.native_authentication_enabled, "false", SecuritySettings.native_authentication_enabled, "false",
SecuritySettings.native_authorization_enabled, "false", SecuritySettings.native_authorization_enabled, "false",
SecuritySettings.ldap_authentication_enabled, "true", SecuritySettings.ldap_authentication_enabled, "true",
Expand All @@ -160,20 +164,21 @@ public static Collection<Object[]> configurations()
Arrays.asList( Arrays.asList(
SecuritySettings.auth_provider, SecuritySettings.LDAP_REALM_NAME, SecuritySettings.auth_provider, SecuritySettings.LDAP_REALM_NAME,
SecuritySettings.ldap_server, "ldap://localhost:10389", SecuritySettings.ldap_server, "ldap://localhost:10389",
SecuritySettings.ldap_use_starttls, "true",
SecuritySettings.native_authentication_enabled, "false", SecuritySettings.native_authentication_enabled, "false",
SecuritySettings.native_authorization_enabled, "false", SecuritySettings.native_authorization_enabled, "false",
SecuritySettings.ldap_authentication_enabled, "true", SecuritySettings.ldap_authentication_enabled, "true",
SecuritySettings.ldap_authorization_enabled, "true", SecuritySettings.ldap_authorization_enabled, "true",
SecuritySettings.ldap_authorization_use_system_account, "true", SecuritySettings.ldap_authorization_use_system_account, "true",
SecuritySettings.ldap_authorization_system_password, "secret", SecuritySettings.ldap_authorization_system_password, "secret",
SecuritySettings.ldap_authorization_system_username, "uid=admin,ou=system", SecuritySettings.ldap_authorization_system_username, "uid=admin,ou=system"
SecuritySettings.ldap_use_starttls, "true"
) )
}, },
{"Ldap authn cache disabled", "abc123", false, {"Ldap authn cache disabled", "abc123", false,
Arrays.asList( Arrays.asList(
SecuritySettings.auth_provider, SecuritySettings.LDAP_REALM_NAME, SecuritySettings.auth_provider, SecuritySettings.LDAP_REALM_NAME,
SecuritySettings.ldap_server, "ldap://0.0.0.0:10389", SecuritySettings.ldap_server, "ldap://0.0.0.0:10389",
SecuritySettings.ldap_use_starttls, "false",
SecuritySettings.native_authentication_enabled, "false", SecuritySettings.native_authentication_enabled, "false",
SecuritySettings.native_authorization_enabled, "false", SecuritySettings.native_authorization_enabled, "false",
SecuritySettings.ldap_authentication_enabled, "true", SecuritySettings.ldap_authentication_enabled, "true",
Expand All @@ -186,6 +191,7 @@ public static Collection<Object[]> configurations()
Arrays.asList( Arrays.asList(
SecuritySettings.auth_provider, SecuritySettings.LDAP_REALM_NAME, SecuritySettings.auth_provider, SecuritySettings.LDAP_REALM_NAME,
SecuritySettings.ldap_server, "ldap://0.0.0.0:10389", SecuritySettings.ldap_server, "ldap://0.0.0.0:10389",
SecuritySettings.ldap_use_starttls, "false",
SecuritySettings.native_authentication_enabled, "false", SecuritySettings.native_authentication_enabled, "false",
SecuritySettings.native_authorization_enabled, "false", SecuritySettings.native_authorization_enabled, "false",
SecuritySettings.ldap_authentication_enabled, "true", SecuritySettings.ldap_authentication_enabled, "true",
Expand All @@ -199,6 +205,7 @@ public static Collection<Object[]> configurations()
Arrays.asList( Arrays.asList(
SecuritySettings.auth_provider, SecuritySettings.LDAP_REALM_NAME, SecuritySettings.auth_provider, SecuritySettings.LDAP_REALM_NAME,
SecuritySettings.ldap_server, "ldap://0.0.0.0:10389", SecuritySettings.ldap_server, "ldap://0.0.0.0:10389",
SecuritySettings.ldap_use_starttls, "false",
SecuritySettings.native_authentication_enabled, "false", SecuritySettings.native_authentication_enabled, "false",
SecuritySettings.native_authorization_enabled, "false", SecuritySettings.native_authorization_enabled, "false",
SecuritySettings.ldap_authentication_enabled, "true", SecuritySettings.ldap_authentication_enabled, "true",
Expand All @@ -212,6 +219,7 @@ public static Collection<Object[]> configurations()
Arrays.asList( Arrays.asList(
SecuritySettings.auth_providers, SecuritySettings.LDAP_REALM_NAME + ", " + SecuritySettings.NATIVE_REALM_NAME, SecuritySettings.auth_providers, SecuritySettings.LDAP_REALM_NAME + ", " + SecuritySettings.NATIVE_REALM_NAME,
SecuritySettings.ldap_server, "ldap://0.0.0.0:10389", SecuritySettings.ldap_server, "ldap://0.0.0.0:10389",
SecuritySettings.ldap_use_starttls, "false",
SecuritySettings.native_authentication_enabled, "false", SecuritySettings.native_authentication_enabled, "false",
SecuritySettings.native_authorization_enabled, "true", SecuritySettings.native_authorization_enabled, "true",
SecuritySettings.ldap_authentication_enabled, "true", SecuritySettings.ldap_authentication_enabled, "true",
Expand All @@ -223,6 +231,7 @@ public static Collection<Object[]> configurations()
Arrays.asList( Arrays.asList(
SecuritySettings.auth_providers, SecuritySettings.LDAP_REALM_NAME + ", " + SecuritySettings.NATIVE_REALM_NAME, SecuritySettings.auth_providers, SecuritySettings.LDAP_REALM_NAME + ", " + SecuritySettings.NATIVE_REALM_NAME,
SecuritySettings.ldap_server, "ldap://0.0.0.0:10389", SecuritySettings.ldap_server, "ldap://0.0.0.0:10389",
SecuritySettings.ldap_use_starttls, "false",
SecuritySettings.native_authentication_enabled, "true", SecuritySettings.native_authentication_enabled, "true",
SecuritySettings.native_authorization_enabled, "false", SecuritySettings.native_authorization_enabled, "false",
SecuritySettings.ldap_authentication_enabled, "false", SecuritySettings.ldap_authentication_enabled, "false",
Expand All @@ -236,6 +245,7 @@ public static Collection<Object[]> configurations()
Arrays.asList( Arrays.asList(
SecuritySettings.auth_providers, SecuritySettings.LDAP_REALM_NAME + ", " + SecuritySettings.NATIVE_REALM_NAME, SecuritySettings.auth_providers, SecuritySettings.LDAP_REALM_NAME + ", " + SecuritySettings.NATIVE_REALM_NAME,
SecuritySettings.ldap_server, "ldap://0.0.0.0:10389", SecuritySettings.ldap_server, "ldap://0.0.0.0:10389",
SecuritySettings.ldap_use_starttls, "false",
SecuritySettings.native_authentication_enabled, "true", SecuritySettings.native_authentication_enabled, "true",
SecuritySettings.native_authorization_enabled, "false", SecuritySettings.native_authorization_enabled, "false",
SecuritySettings.ldap_authentication_enabled, "true", SecuritySettings.ldap_authentication_enabled, "true",
Expand All @@ -247,6 +257,7 @@ public static Collection<Object[]> configurations()
Arrays.asList( Arrays.asList(
SecuritySettings.auth_providers, SecuritySettings.LDAP_REALM_NAME + ", " + SecuritySettings.NATIVE_REALM_NAME, SecuritySettings.auth_providers, SecuritySettings.LDAP_REALM_NAME + ", " + SecuritySettings.NATIVE_REALM_NAME,
SecuritySettings.ldap_server, "ldap://0.0.0.0:10389", SecuritySettings.ldap_server, "ldap://0.0.0.0:10389",
SecuritySettings.ldap_use_starttls, "false",
SecuritySettings.native_authentication_enabled, "false", SecuritySettings.native_authentication_enabled, "false",
SecuritySettings.native_authorization_enabled, "true", SecuritySettings.native_authorization_enabled, "true",
SecuritySettings.ldap_authentication_enabled, "true", SecuritySettings.ldap_authentication_enabled, "true",
Expand All @@ -258,6 +269,7 @@ public static Collection<Object[]> configurations()
Arrays.asList( Arrays.asList(
SecuritySettings.auth_providers, SecuritySettings.LDAP_REALM_NAME + ", " + SecuritySettings.NATIVE_REALM_NAME, SecuritySettings.auth_providers, SecuritySettings.LDAP_REALM_NAME + ", " + SecuritySettings.NATIVE_REALM_NAME,
SecuritySettings.ldap_server, "ldap://0.0.0.0:10389", SecuritySettings.ldap_server, "ldap://0.0.0.0:10389",
SecuritySettings.ldap_use_starttls, "false",
SecuritySettings.native_authentication_enabled, "true", SecuritySettings.native_authentication_enabled, "true",
SecuritySettings.native_authorization_enabled, "true", SecuritySettings.native_authorization_enabled, "true",
SecuritySettings.ldap_authentication_enabled, "true", SecuritySettings.ldap_authentication_enabled, "true",
Expand All @@ -269,6 +281,7 @@ public static Collection<Object[]> configurations()
Arrays.asList( Arrays.asList(
SecuritySettings.auth_providers, SecuritySettings.LDAP_REALM_NAME + ", " + SecuritySettings.NATIVE_REALM_NAME, SecuritySettings.auth_providers, SecuritySettings.LDAP_REALM_NAME + ", " + SecuritySettings.NATIVE_REALM_NAME,
SecuritySettings.ldap_server, "ldap://127.0.0.1:10389", SecuritySettings.ldap_server, "ldap://127.0.0.1:10389",
SecuritySettings.ldap_use_starttls, "false",
SecuritySettings.native_authentication_enabled, "true", SecuritySettings.native_authentication_enabled, "true",
SecuritySettings.native_authorization_enabled, "true", SecuritySettings.native_authorization_enabled, "true",
SecuritySettings.ldap_authentication_enabled, "true", SecuritySettings.ldap_authentication_enabled, "true",
Expand Down Expand Up @@ -296,10 +309,10 @@ public AuthIT( String suiteName, String password, boolean confidentialityRequire
this.password = password; this.password = password;
this.confidentialityRequired = confidentialityRequired; this.confidentialityRequired = confidentialityRequired;
this.configMap = new HashMap<>(); this.configMap = new HashMap<>();
for ( int i = 0; i < settings.size() - 1; i++ ) for ( int i = 0; i < settings.size() - 1; i += 2 )
{ {
Setting setting = (Setting) settings.get( i ); Setting setting = (Setting) settings.get( i );
String value = (String) settings.get( ++i ); String value = (String) settings.get( i + 1 );
configMap.put( setting, value ); configMap.put( setting, value );
} }
} }
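Review bot: The pair-wise loop in the AuthIT constructor still accepts a malformed settings list without complaint: with `i < settings.size() - 1; i += 2` an odd-length list drops its last element, and a setting listed twice is overwritten by `configMap.put`. Since every row now carries an explicit `SecuritySettings.ldap_use_starttls` value, a misaligned row would run the suite under a different transport-security configuration than its name claims. A guard before the loop, such as `if ( settings.size() % 2 != 0 ) { throw new IllegalArgumentException( "settings must be key/value pairs" ); }`, would make that fail fast. The constructor's signature and opening lines are outside the visible hunk.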
Expand Up @@ -28,10 +28,10 @@


public abstract class AuthTestBase extends EnterpriseAuthenticationTestBase public abstract class AuthTestBase extends EnterpriseAuthenticationTestBase
{ {
protected static final String NONE_USER = "smith"; static final String NONE_USER = "smith";
protected static final String READ_USER = "neo"; static final String READ_USER = "neo";
protected static final String WRITE_USER = "tank"; static final String WRITE_USER = "tank";
protected static final String PROC_USER = "jane"; static final String PROC_USER = "jane";


@Test @Test
public void shouldLoginWithCorrectInformation() public void shouldLoginWithCorrectInformation()
Expand All @@ -54,6 +54,13 @@ public void shouldFailLoginWithInvalidCredentialsFollowingSuccessfulLogin()
assertAuthFail( READ_USER, "WRONG" ); assertAuthFail( READ_USER, "WRONG" );
} }


@Test
public void shouldLoginFollowingFailedLogin()
{
assertAuthFail( READ_USER, "WRONG" );
assertAuth( READ_USER, getPassword() );
}

@Test @Test
public void shouldGetCorrectAuthorizationNoPermission() public void shouldGetCorrectAuthorizationNoPermission()
{ {
Expand Down Expand Up @@ -90,6 +97,7 @@ public void shouldGetCorrectAuthorizationAllowedProcedure()
try ( Driver driver = connectDriver( PROC_USER, getPassword() ) ) try ( Driver driver = connectDriver( PROC_USER, getPassword() ) )
{ {
assertProcSucceeds( driver ); assertProcSucceeds( driver );
assertReadFails( driver );
assertWriteFails( driver ); assertWriteFails( driver );
} }
} }
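Review bot: Dropping `protected` from `NONE_USER`, `READ_USER`, `WRITE_USER` and `PROC_USER` makes these constants package-private in an abstract base class, so a subclass outside this package could no longer reference them; no such subclass is visible here, so this needs checking against the concrete test classes. The narrowing is also unrelated to the commit's stated purpose of re-adding tests. If it is intentional, a short comment such as `// package-private: all concrete auth suites live in this package` would record that; otherwise keep `protected static final String NONE_USER = "smith";` and its three siblings.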
Expand Up @@ -151,14 +151,25 @@ public void shouldShowCurrentUser()
Record record = session.run( "CALL dbms.showCurrentUser()" ).single(); Record record = session.run( "CALL dbms.showCurrentUser()" ).single();


// then // then
// Assuming showCurrentUser has fields username, roles, flags
assertThat( record.get( 0 ).asString(), equalTo( "smith" ) ); assertThat( record.get( 0 ).asString(), equalTo( "smith" ) );
assertThat( record.get( 1 ).asList(), equalTo( Collections.emptyList() ) ); assertThat( record.get( 1 ).asList(), equalTo( Collections.emptyList() ) );
assertThat( record.get( 2 ).asList(), equalTo( Collections.emptyList() ) ); assertThat( record.get( 2 ).asList(), equalTo( Collections.emptyList() ) );
} }
} }


@Test @Test
public void shouldFailIfAuthorizationExpiredWithUserLdapContext() public void shouldBeAbleToLoginAndAuthorizeNoPermissionUserWithLdapOnlyAndNoGroupToRoleMapping() throws IOException
{
restartServerWithOverriddenSettings( SecuritySettings.ldap_authorization_group_to_role_mapping.name(), null );
// Then
// User 'neo' has reader role by default, but since we are not passing a group-to-role mapping
// he should get no permissions
assertReadFails( "neo", "abc123" );
}

@Test
public void shouldFailIfAuthorizationExpiredWithserLdapContext()
{ {
// Given // Given
try ( Driver driver = connectDriver( "neo4j", "abc123" ) ) try ( Driver driver = connectDriver( "neo4j", "abc123" ) )
Expand Down Expand Up @@ -204,6 +215,18 @@ public void shouldSucceedIfAuthorizationExpiredWithinTransactionWithUserLdapCont


@Test @Test
public void shouldKeepAuthorizationForLifetimeOfTransaction() throws Throwable public void shouldKeepAuthorizationForLifetimeOfTransaction() throws Throwable
{
assertKeepAuthorizationForLifetimeOfTransaction( "neo" );
}

@Test
public void shouldKeepAuthorizationForLifetimeOfTransactionWithProcedureAllowed() throws Throwable
{
restartServerWithOverriddenSettings( SecuritySettings.ldap_authorization_group_to_role_mapping.name(), "503=admin;504=role1" );
assertKeepAuthorizationForLifetimeOfTransaction( "smith" );
}

private void assertKeepAuthorizationForLifetimeOfTransaction( String username ) throws Throwable
{ {
DoubleLatch latch = new DoubleLatch( 2 ); DoubleLatch latch = new DoubleLatch( 2 );
final Throwable[] threadFail = {null}; final Throwable[] threadFail = {null};
Expand All @@ -212,7 +235,7 @@ public void shouldKeepAuthorizationForLifetimeOfTransaction() throws Throwable
{ {
try try
{ {
try ( Driver driver = connectDriver( "neo", "abc123" ); try ( Driver driver = connectDriver( username, "abc123" );
Session session = driver.session(); Session session = driver.session();
Transaction tx = session.beginTransaction() ) Transaction tx = session.beginTransaction() )
{ {
Expand Down Expand Up @@ -270,6 +293,7 @@ public void shouldTimeoutIfLdapServerDoesNotRespond() throws IOException
{ {
restartServerWithOverriddenSettings( restartServerWithOverriddenSettings(
SecuritySettings.ldap_read_timeout.name(), "1s", SecuritySettings.ldap_read_timeout.name(), "1s",
SecuritySettings.ldap_authorization_connection_pooling.name(), "true",
SecuritySettings.ldap_authorization_use_system_account.name(), "true" SecuritySettings.ldap_authorization_use_system_account.name(), "true"
); );


Expand Down Expand Up @@ -364,7 +388,7 @@ public void shouldGetCombinedAuthorization() throws Throwable
// ===== Logging tests ===== // ===== Logging tests =====


@Test @Test
public void shouldNotLogErrorsFromLdapRealmWhenLoginSuccessfulInNativeRealm() throws IOException, InvalidArgumentsException public void shouldNotLogErrorsFromLdapRealmWhenLoginSuccessfulInNativeRealmNativeFirst() throws IOException, InvalidArgumentsException
{ {
restartServerWithOverriddenSettings( restartServerWithOverriddenSettings(
SecuritySettings.auth_providers.name(), SecuritySettings.NATIVE_REALM_NAME + "," + SecuritySettings.LDAP_REALM_NAME, SecuritySettings.auth_providers.name(), SecuritySettings.NATIVE_REALM_NAME + "," + SecuritySettings.LDAP_REALM_NAME,
Expand All @@ -387,6 +411,30 @@ public void shouldNotLogErrorsFromLdapRealmWhenLoginSuccessfulInNativeRealm() th
assertSecurityLogDoesNotContain( "ERROR" ); assertSecurityLogDoesNotContain( "ERROR" );
} }


@Test
public void shouldNotLogErrorsFromLdapRealmWhenLoginSuccessfulInNativeRealmLdapFirst() throws IOException, InvalidArgumentsException
{
restartServerWithOverriddenSettings(
SecuritySettings.auth_providers.name(), SecuritySettings.LDAP_REALM_NAME + "," + SecuritySettings.NATIVE_REALM_NAME,
SecuritySettings.native_authentication_enabled.name(), "true",
SecuritySettings.native_authorization_enabled.name(), "true",
SecuritySettings.ldap_authentication_enabled.name(), "true",
SecuritySettings.ldap_authorization_enabled.name(), "true",
SecuritySettings.ldap_authorization_use_system_account.name(), "true"
);

// Given
// we have a native 'foo' that does not exist in ldap
createNativeUser( "foo", "bar" );

// Then
// the created "foo" can log in
assertAuth( "foo", "bar" );

// We should not get errors spammed in the security log
assertSecurityLogDoesNotContain( "ERROR" );
}

@Test @Test
public void shouldLogInvalidCredentialErrorFromLdapRealm() throws Throwable public void shouldLogInvalidCredentialErrorFromLdapRealm() throws Throwable
{ {
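Review bot: The test name `shouldFailIfAuthorizationExpiredWithserLdapContext` on the new side has lost the `U` of `User`; the next hunk header shows the sibling `shouldSucceedIfAuthorizationExpiredWithinTransactionWithUserLdapContext`, so it should read `public void shouldFailIfAuthorizationExpiredWithUserLdapContext()`. Separately, `shouldBeAbleToLoginAndAuthorizeNoPermissionUserWithLdapOnlyAndNoGroupToRoleMapping` only calls `assertReadFails( "neo", "abc123" )`; if that helper does not itself verify that authentication succeeded (its body is not shown), a login failure would satisfy the test as well, and an `assertAuth( "neo", "abc123" );` before it would pin the login half of the name. The last hunk's method body continues outside the visible lines.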
