diff --git a/community/bolt/src/main/java/org/neo4j/bolt/security/auth/AuthenticationResult.java b/community/bolt/src/main/java/org/neo4j/bolt/security/auth/AuthenticationResult.java index 3e834c6b60ec2..2b1d335803241 100644 --- a/community/bolt/src/main/java/org/neo4j/bolt/security/auth/AuthenticationResult.java +++ b/community/bolt/src/main/java/org/neo4j/bolt/security/auth/AuthenticationResult.java @@ -19,20 +19,20 @@ */ package org.neo4j.bolt.security.auth; -import org.neo4j.internal.kernel.api.security.LoginContext; +import org.neo4j.internal.kernel.api.security.SecurityContext; public interface AuthenticationResult { - LoginContext getLoginContext(); + SecurityContext getSecurityContext(); boolean credentialsExpired(); AuthenticationResult AUTH_DISABLED = new AuthenticationResult() { @Override - public LoginContext getLoginContext() + public SecurityContext getSecurityContext() { - return LoginContext.AUTH_DISABLED; + return SecurityContext.AUTH_DISABLED; } @Override diff --git a/community/bolt/src/main/java/org/neo4j/bolt/security/auth/BasicAuthentication.java b/community/bolt/src/main/java/org/neo4j/bolt/security/auth/BasicAuthentication.java index b6db8e7e62f22..c0560a7c6b549 100644 --- a/community/bolt/src/main/java/org/neo4j/bolt/security/auth/BasicAuthentication.java +++ b/community/bolt/src/main/java/org/neo4j/bolt/security/auth/BasicAuthentication.java @@ -23,11 +23,11 @@ import java.util.Map; import org.neo4j.graphdb.security.AuthorizationViolationException; -import org.neo4j.internal.kernel.api.security.LoginContext; import org.neo4j.kernel.api.exceptions.Status; import org.neo4j.kernel.api.security.AuthManager; import org.neo4j.kernel.api.security.AuthToken; import org.neo4j.kernel.api.exceptions.InvalidArgumentsException; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.api.security.UserManagerSupplier; import org.neo4j.kernel.api.security.exception.InvalidAuthTokenException; 
@@ -53,7 +53,7 @@ public AuthenticationResult authenticate( Map authToken ) throws
 {
 if ( authToken.containsKey( NEW_CREDENTIALS ) )
 {
- return update( authToken );
+ return update( authToken, false );
 }
 else
 {
@@ -65,9 +65,9 @@ private AuthenticationResult doAuthenticate( Map authToken ) thro
 {
 try
 {
- LoginContext loginContext = authManager.login( authToken );
+ SecurityContext securityContext = authManager.login( authToken );
- switch ( loginContext.subject().getAuthenticationResult() )
+ switch ( securityContext.subject().getAuthenticationResult() )
 {
 case SUCCESS:
 case PASSWORD_CHANGE_REQUIRED:
@@ -78,7 +78,7 @@ private AuthenticationResult doAuthenticate( Map authToken ) thro
 throw new AuthenticationException( Status.Security.Unauthorized );
 }
- return new BasicAuthenticationResult( loginContext );
+ return new BasicAuthenticationResult( securityContext );
 }
 catch ( InvalidAuthTokenException e )
 {
@@ -86,28 +86,28 @@ private AuthenticationResult doAuthenticate( Map authToken ) thro
 }
 }
- private AuthenticationResult update( Map authToken )
+ private AuthenticationResult update( Map authToken, boolean requiresPasswordChange )
 throws AuthenticationException
 {
 try
 {
- LoginContext loginContext = authManager.login( authToken );
+ SecurityContext securityContext = authManager.login( authToken );
- switch ( loginContext.subject().getAuthenticationResult() )
+ switch ( securityContext.subject().getAuthenticationResult() )
 {
 case SUCCESS:
 case PASSWORD_CHANGE_REQUIRED:
 String newPassword = AuthToken.safeCast( NEW_CREDENTIALS, authToken );
 String username = AuthToken.safeCast( PRINCIPAL, authToken );
- userManagerSupplier.getUserManager( loginContext.subject(), false )
- .setUserPassword( username, newPassword, false );
- loginContext.subject().setPasswordChangeNoLongerRequired();
+ userManagerSupplier.getUserManager( securityContext )
+ .setUserPassword( username, newPassword, requiresPasswordChange );
+ securityContext.subject().setPasswordChangeNoLongerRequired();
 break;
 default:
 throw new AuthenticationException( Status.Security.Unauthorized );
 }
- return new BasicAuthenticationResult( loginContext );
+ return new BasicAuthenticationResult( securityContext );
 }
 catch ( AuthorizationViolationException | InvalidArgumentsException | InvalidAuthTokenException e )
 {
diff --git a/community/bolt/src/main/java/org/neo4j/bolt/security/auth/BasicAuthenticationResult.java b/community/bolt/src/main/java/org/neo4j/bolt/security/auth/BasicAuthenticationResult.java
index 2e597bb9361f3..726c434e1e044 100644
--- a/community/bolt/src/main/java/org/neo4j/bolt/security/auth/BasicAuthenticationResult.java
+++ b/community/bolt/src/main/java/org/neo4j/bolt/security/auth/BasicAuthenticationResult.java
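Review bot: The new `requiresPasswordChange` parameter is forwarded to `setUserPassword( username, newPassword, requiresPasswordChange )`, but the very next line still calls `securityContext.subject().setPasswordChangeNoLongerRequired()` unconditionally, so a caller passing `true` would leave the session subject marked as not needing a change while the stored user still does. Guard it: `if ( !requiresPasswordChange ) { securityContext.subject().setPasswordChangeNoLongerRequired(); }`. Only the `false` call from `authenticate` is visible in this diff, so this is latent rather than reachable today, but the parameter invites the misuse. A short Javadoc on `update` stating that the password changed is that of the principal named in the token (self-service only, after a successful `authManager.login`) would also help. The method's catch block continues outside the hunk.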
@@ -19,27 +19,27 @@ */ package org.neo4j.bolt.security.auth; -import org.neo4j.internal.kernel.api.security.LoginContext; +import org.neo4j.internal.kernel.api.security.SecurityContext; public class BasicAuthenticationResult implements AuthenticationResult { - private LoginContext loginContext; + private SecurityContext securityContext; - public BasicAuthenticationResult( LoginContext loginContext ) + public BasicAuthenticationResult( SecurityContext securityContext ) { - this.loginContext = loginContext; + this.securityContext = securityContext; } @Override - public LoginContext getLoginContext() + public SecurityContext getSecurityContext() { - return loginContext; + return securityContext; } @Override public boolean credentialsExpired() { - return loginContext.subject().getAuthenticationResult() == + return securityContext.subject().getAuthenticationResult() == org.neo4j.internal.kernel.api.security.AuthenticationResult.PASSWORD_CHANGE_REQUIRED; } } diff --git a/community/bolt/src/main/java/org/neo4j/bolt/v1/runtime/TransactionStateMachine.java b/community/bolt/src/main/java/org/neo4j/bolt/v1/runtime/TransactionStateMachine.java index d8cf078652e0f..3252bdfe423d5 100644 --- a/community/bolt/src/main/java/org/neo4j/bolt/v1/runtime/TransactionStateMachine.java +++ b/community/bolt/src/main/java/org/neo4j/bolt/v1/runtime/TransactionStateMachine.java @@ -31,8 +31,8 @@ import org.neo4j.function.ThrowingAction; import org.neo4j.function.ThrowingConsumer; import org.neo4j.graphdb.TransactionTerminatedException; -import org.neo4j.internal.kernel.api.security.LoginContext; import org.neo4j.internal.kernel.api.exceptions.KernelException; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.api.KernelTransaction; import org.neo4j.kernel.api.exceptions.Status; import org.neo4j.kernel.api.exceptions.TransactionFailureException; 
@@ -195,7 +195,7 @@ State run( MutableTransactionState ctx, SPI spi, String statement, { if ( BEGIN.matcher( statement ).matches() ) { - ctx.currentTransaction = spi.beginTransaction( ctx.loginContext ); + ctx.currentTransaction = spi.beginTransaction( ctx.securityContext ); Bookmark bookmark = Bookmark.fromParamsOrNull( params ); if ( bookmark != null ) @@ -241,7 +241,7 @@ else if ( ROLLBACK.matcher( statement ).matches() ) } else { - ctx.currentTransaction = spi.beginTransaction( ctx.loginContext ); + ctx.currentTransaction = spi.beginTransaction( ctx.securityContext ); BoltResultHandle resultHandle = execute( ctx, spi, statement, params ); ctx.currentResultHandle = resultHandle; ctx.currentResult = resultHandle.start(); @@ -407,7 +407,7 @@ private static BoltResultHandle executeQuery( MutableTransactionState ctx, SPI s MapValue params, ThrowingAction onFail ) throws QueryExecutionKernelException { - return spi.executeQuery( ctx.querySource, ctx.loginContext, statement, params, onFail ); + return spi.executeQuery( ctx.querySource, ctx.securityContext, statement, params, onFail ); } /** @@ -424,7 +424,7 @@ interface BoltResultHandle static class MutableTransactionState { /** The current session security context to be used for starting transactions */ - final LoginContext loginContext; + final SecurityContext securityContext; /** The current transaction, if present */ KernelTransaction currentTransaction; @@ -455,7 +455,7 @@ public String[] fieldNames() private MutableTransactionState( AuthenticationResult authenticationResult, Clock clock ) { this.clock = clock; - this.loginContext = authenticationResult.getLoginContext(); + this.securityContext = authenticationResult.getSecurityContext(); } } @@ -465,7 +465,7 @@ interface SPI long newestEncounteredTxId(); - KernelTransaction beginTransaction( LoginContext loginContext ); + KernelTransaction beginTransaction( SecurityContext securityContext ); void bindTransactionToCurrentThread( KernelTransaction tx ); 
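Review bot: `MutableTransactionState.securityContext` is captured once from `authenticationResult.getSecurityContext()` in the constructor and, being `final`, is reused for every transaction the session starts, but the field comment does not say so. I'd extend it to `/** Security context captured at authentication; reused unchanged for every transaction this session starts. */`. Whether a later password change or revocation is reflected depends on whether `AuthManager.login` hands back a live or snapshot context, which is not visible here and is worth confirming. The body of `MutableTransactionState` continues outside the hunk.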
@@ -474,7 +474,7 @@ interface SPI boolean isPeriodicCommit( String query ); BoltResultHandle executeQuery( BoltQuerySource querySource, - LoginContext loginContext, + SecurityContext securityContext, String statement, MapValue params, ThrowingAction onFail ) throws QueryExecutionKernelException; diff --git a/community/bolt/src/main/java/org/neo4j/bolt/v1/runtime/TransactionStateMachineSPI.java b/community/bolt/src/main/java/org/neo4j/bolt/v1/runtime/TransactionStateMachineSPI.java index 3a2517c3c8c28..3a20fdaf3da67 100644 --- a/community/bolt/src/main/java/org/neo4j/bolt/v1/runtime/TransactionStateMachineSPI.java +++ b/community/bolt/src/main/java/org/neo4j/bolt/v1/runtime/TransactionStateMachineSPI.java @@ -28,12 +28,12 @@ import org.neo4j.cypher.internal.javacompat.ExecutionResult; import org.neo4j.cypher.result.QueryResult; import org.neo4j.function.ThrowingAction; -import org.neo4j.internal.kernel.api.security.LoginContext; import org.neo4j.kernel.AvailabilityGuard; import org.neo4j.kernel.GraphDatabaseQueryService; import org.neo4j.kernel.api.KernelTransaction; import org.neo4j.internal.kernel.api.exceptions.KernelException; import org.neo4j.kernel.api.exceptions.TransactionFailureException; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.api.txtracking.TransactionIdTracker; import org.neo4j.kernel.impl.core.ThreadToStatementContextBridge; import org.neo4j.kernel.impl.coreapi.InternalTransaction; @@ -97,9 +97,9 @@ public long newestEncounteredTxId() } @Override - public KernelTransaction beginTransaction( LoginContext loginContext ) + public KernelTransaction beginTransaction( SecurityContext securityContext ) { - db.beginTransaction( KernelTransaction.Type.explicit, loginContext ); + db.beginTransaction( KernelTransaction.Type.explicit, securityContext ); return txBridge.getKernelTransactionBoundToThisThread( false ); } 
@@ -123,11 +123,11 @@ public boolean isPeriodicCommit( String query ) @Override public BoltResultHandle executeQuery( BoltQuerySource querySource, - LoginContext loginContext, + SecurityContext securityContext, String statement, MapValue params, ThrowingAction onFail ) throws QueryExecutionKernelException { - InternalTransaction internalTransaction = queryService.beginTransaction( implicit, loginContext ); + InternalTransaction internalTransaction = queryService.beginTransaction( implicit, securityContext ); ClientConnectionInfo sourceDetails = new BoltConnectionInfo( querySource.principalName, querySource.clientName, querySource.connectionDescriptor.clientAddress(), diff --git a/community/bolt/src/test/java/org/neo4j/bolt/security/auth/BasicAuthenticationTest.java b/community/bolt/src/test/java/org/neo4j/bolt/security/auth/BasicAuthenticationTest.java index 4e3e244f62a50..a7c02111f08e5 100644 --- a/community/bolt/src/test/java/org/neo4j/bolt/security/auth/BasicAuthenticationTest.java +++ b/community/bolt/src/test/java/org/neo4j/bolt/security/auth/BasicAuthenticationTest.java @@ -60,7 +60,8 @@ public void shouldNotDoAnythingOnSuccess() throws Exception authentication.authenticate( map( "scheme", "basic", "principal", "mike", "credentials", "secret2" ) ); // Then - assertThat( result.getLoginContext().subject().username(), equalTo( "mike" ) ); + assertThat(result.getSecurityContext().mode(), equalTo( AccessMode.Static.FULL)); + assertThat( result.getSecurityContext().subject().username(), equalTo( "mike" ) ); } @Test diff --git a/community/cypher/cypher/src/test/java/org/neo4j/cypher/ManyMergesStressTest.java b/community/cypher/cypher/src/test/java/org/neo4j/cypher/ManyMergesStressTest.java index fcca71211350b..6b0113fb98e1e 100644 --- a/community/cypher/cypher/src/test/java/org/neo4j/cypher/ManyMergesStressTest.java +++ b/community/cypher/cypher/src/test/java/org/neo4j/cypher/ManyMergesStressTest.java 
@@ -32,9 +32,9 @@ import org.neo4j.graphdb.Result; import org.neo4j.graphdb.Transaction; import org.neo4j.helpers.collection.Pair; -import org.neo4j.internal.kernel.api.security.LoginContext; import org.neo4j.kernel.GraphDatabaseQueryService; import org.neo4j.kernel.api.KernelTransaction; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.impl.coreapi.InternalTransaction; import org.neo4j.test.rule.EmbeddedDatabaseRule; @@ -93,7 +93,7 @@ public void shouldWorkFine() throws Throwable String query = format( "MERGE (%s:Person {id: %s}) ON CREATE SET %s.name = \"%s\";", ident, id, ident, name ); - try ( InternalTransaction tx = graph.beginTransaction( KernelTransaction.Type.implicit, LoginContext.AUTH_DISABLED ) ) + try ( InternalTransaction tx = graph.beginTransaction( KernelTransaction.Type.implicit, SecurityContext.AUTH_DISABLED ) ) { Result result = db.execute( query ); result.close(); diff --git a/community/cypher/cypher/src/test/java/org/neo4j/cypher/internal/javacompat/ExecutionEngineTest.java b/community/cypher/cypher/src/test/java/org/neo4j/cypher/internal/javacompat/ExecutionEngineTest.java index 9db61f4f5a115..154cd83120f6c 100644 --- a/community/cypher/cypher/src/test/java/org/neo4j/cypher/internal/javacompat/ExecutionEngineTest.java +++ b/community/cypher/cypher/src/test/java/org/neo4j/cypher/internal/javacompat/ExecutionEngineTest.java @@ -28,9 +28,9 @@ import org.neo4j.cypher.internal.CommunityCompatibilityFactory; import org.neo4j.graphdb.Result; -import org.neo4j.internal.kernel.api.security.LoginContext; import org.neo4j.kernel.GraphDatabaseQueryService; import org.neo4j.kernel.api.KernelTransaction; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.impl.coreapi.InternalTransaction; import org.neo4j.kernel.impl.coreapi.PropertyContainerLocker; import org.neo4j.kernel.impl.query.Neo4jTransactionalContextFactory; 
@@ -66,7 +66,7 @@ public void shouldConvertListsAndMapsWhenPassingFromScalaToJava() throws Excepti Result result; try ( InternalTransaction tx = graph - .beginTransaction( KernelTransaction.Type.implicit, LoginContext.AUTH_DISABLED ) ) + .beginTransaction( KernelTransaction.Type.implicit, SecurityContext.AUTH_DISABLED ) ) { String query = "RETURN { key : 'Value' , collectionKey: [{ inner: 'Map1' }, { inner: 'Map2' }]}"; TransactionalContext tc = createTransactionContext( graph, tx, query ); diff --git a/community/cypher/cypher/src/test/scala/org/neo4j/cypher/KillQueryTest.scala b/community/cypher/cypher/src/test/scala/org/neo4j/cypher/KillQueryTest.scala index a4b533a9f7f94..16aa93f2e0124 100644 --- a/community/cypher/cypher/src/test/scala/org/neo4j/cypher/KillQueryTest.scala +++ b/community/cypher/cypher/src/test/scala/org/neo4j/cypher/KillQueryTest.scala @@ -26,7 +26,7 @@ import java.util.concurrent.atomic.AtomicBoolean import org.neo4j.cypher.internal.{CommunityCompatibilityFactory, ExecutionEngine} import org.neo4j.graphdb.{TransactionTerminatedException, TransientTransactionFailureException} import org.neo4j.internal.kernel.api.Transaction.Type -import org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED +import org.neo4j.internal.kernel.api.security.SecurityContext.AUTH_DISABLED import org.neo4j.kernel.impl.coreapi.PropertyContainerLocker import org.neo4j.kernel.impl.query.clientconnection.ClientConnectionInfo import org.neo4j.kernel.impl.query.{Neo4jTransactionalContextFactory, TransactionalContext, TransactionalContextFactory} diff --git a/community/cypher/cypher/src/test/scala/org/neo4j/cypher/internal/compiler/v3_4/ActualCostCalculationTest.scala b/community/cypher/cypher/src/test/scala/org/neo4j/cypher/internal/compiler/v3_4/ActualCostCalculationTest.scala index aec4e4e10775c..980728c336a80 100644 --- a/community/cypher/cypher/src/test/scala/org/neo4j/cypher/internal/compiler/v3_4/ActualCostCalculationTest.scala 
+++ b/community/cypher/cypher/src/test/scala/org/neo4j/cypher/internal/compiler/v3_4/ActualCostCalculationTest.scala @@ -38,7 +38,7 @@ import org.neo4j.cypher.internal.v3_4.expressions.{LabelToken, PropertyKeyToken, import org.neo4j.cypher.internal.v3_4.logical.plans.SingleQueryExpression import org.neo4j.graphdb._ import org.neo4j.internal.kernel.api.Transaction.Type -import org.neo4j.internal.kernel.api.security.LoginContext +import org.neo4j.internal.kernel.api.security.SecurityContext import org.neo4j.kernel.GraphDatabaseQueryService import org.neo4j.kernel.impl.core.ThreadToStatementContextBridge import org.neo4j.kernel.impl.coreapi.{InternalTransaction, PropertyContainerLocker} @@ -344,7 +344,7 @@ class ActualCostCalculationTest extends CypherFunSuite { val gds = graph.asInstanceOf[GraphDatabaseCypherService].getGraphDatabaseService def withTx[T](f: InternalTransaction => T): T = { - val tx = graph.beginTransaction(Type.explicit, LoginContext.AUTH_DISABLED) + val tx = graph.beginTransaction(Type.explicit, SecurityContext.AUTH_DISABLED) try { val result = f(tx) tx.success() diff --git a/community/cypher/cypher/src/test/scala/org/neo4j/cypher/internal/queryReduction/CypherReductionSupport.scala b/community/cypher/cypher/src/test/scala/org/neo4j/cypher/internal/queryReduction/CypherReductionSupport.scala index eeda0b37e3c79..ee6ef8c5fa263 100644 --- a/community/cypher/cypher/src/test/scala/org/neo4j/cypher/internal/queryReduction/CypherReductionSupport.scala +++ b/community/cypher/cypher/src/test/scala/org/neo4j/cypher/internal/queryReduction/CypherReductionSupport.scala 
@@ -24,6 +24,7 @@ import org.neo4j.cypher.internal.compatibility.v3_4.WrappedMonitors import org.neo4j.cypher.internal.compatibility.v3_4.runtime._ import org.neo4j.cypher.internal.compatibility.v3_4.runtime.executionplan.procs.ProcedureCallOrSchemaCommandExecutionPlanBuilder import org.neo4j.cypher.internal.compatibility.v3_4.runtime.phases.CompilationState +import org.neo4j.cypher.internal.planner.v3_4.spi.PlanningAttributes.{Cardinalities, Solveds} import org.neo4j.cypher.internal.compiler.v3_4._ import org.neo4j.cypher.internal.compiler.v3_4.phases.{CompilationContains, LogicalPlanState} import org.neo4j.cypher.internal.compiler.v3_4.planner.logical.idp.{IDPQueryGraphSolver, IDPQueryGraphSolverMonitor, SingleComponentPlanner, cartesianProductsOrValueJoins} 
@@ -36,17 +37,16 @@ import org.neo4j.cypher.internal.frontend.v3_4.phases._ import org.neo4j.cypher.internal.frontend.v3_4.prettifier.{ExpressionStringifier, Prettifier} import org.neo4j.cypher.internal.frontend.v3_4.semantics.SemanticState import org.neo4j.cypher.internal.javacompat.GraphDatabaseCypherService -import org.neo4j.cypher.internal.planner.v3_4.spi.PlanningAttributes.{Cardinalities, Solveds} import org.neo4j.cypher.internal.planner.v3_4.spi.{IDPPlannerName, PlanContext, PlannerNameFor} import org.neo4j.cypher.internal.queryReduction.DDmin.Oracle import org.neo4j.cypher.internal.runtime.interpreted.TransactionBoundQueryContext.IndexSearchMonitor import org.neo4j.cypher.internal.runtime.interpreted.{TransactionBoundPlanContext, TransactionBoundQueryContext, TransactionalContextWrapper, ValueConversion} import org.neo4j.cypher.internal.runtime.{InternalExecutionResult, NormalMode} -import org.neo4j.cypher.internal.util.v3_4.attribution.SequentialIdGen +import org.neo4j.cypher.internal.util.v3_4.attribution.{IdGen, SequentialIdGen} import org.neo4j.cypher.internal.util.v3_4.test_helpers.{CypherFunSuite, CypherTestSupport} import org.neo4j.cypher.internal.{CompilerEngineDelegator, ExecutionPlan, RewindableExecutionResult} import org.neo4j.internal.kernel.api.Transaction -import org.neo4j.internal.kernel.api.security.LoginContext +import org.neo4j.internal.kernel.api.security.SecurityContext import org.neo4j.kernel.impl.coreapi.{InternalTransaction, PropertyContainerLocker} import org.neo4j.kernel.impl.query.clientconnection.ClientConnectionInfo.EMBEDDED_CONNECTION import org.neo4j.kernel.impl.query.{Neo4jTransactionalContextFactory, TransactionalContextFactory} 
@@ -148,8 +148,8 @@ trait CypherReductionSupport extends CypherTestSupport with GraphIcing { statement: Statement, parsingBaseState: BaseState, executeBefore: Option[String]): InternalExecutionResult = { - val explicitTx = graph.beginTransaction(Transaction.Type.explicit, LoginContext.AUTH_DISABLED) - val implicitTx = graph.beginTransaction(Transaction.Type.`implicit`, LoginContext.AUTH_DISABLED) + val explicitTx = graph.beginTransaction(Transaction.Type.explicit, SecurityContext.AUTH_DISABLED) + val implicitTx = graph.beginTransaction(Transaction.Type.`implicit`, SecurityContext.AUTH_DISABLED) try { executeBefore match { case None => diff --git a/community/cypher/interpreted-runtime/src/main/java/org/neo4j/cypher/internal/javacompat/GraphDatabaseCypherService.java b/community/cypher/interpreted-runtime/src/main/java/org/neo4j/cypher/internal/javacompat/GraphDatabaseCypherService.java index aabd3ab6b802d..8741ec2333db7 100644 --- a/community/cypher/interpreted-runtime/src/main/java/org/neo4j/cypher/internal/javacompat/GraphDatabaseCypherService.java +++ b/community/cypher/interpreted-runtime/src/main/java/org/neo4j/cypher/internal/javacompat/GraphDatabaseCypherService.java @@ -28,10 +28,10 @@ import org.neo4j.graphdb.Node; import org.neo4j.graphdb.Relationship; import org.neo4j.graphdb.security.URLAccessValidationError; -import org.neo4j.internal.kernel.api.security.LoginContext; import org.neo4j.kernel.GraphDatabaseQueryService; import org.neo4j.kernel.api.KernelTransaction; import org.neo4j.kernel.api.dbms.DbmsOperations; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.impl.coreapi.InternalTransaction; import org.neo4j.kernel.impl.factory.GraphDatabaseFacade; 
@@ -53,16 +53,16 @@ public DependencyResolver getDependencyResolver() } @Override - public InternalTransaction beginTransaction( KernelTransaction.Type type, LoginContext loginContext ) + public InternalTransaction beginTransaction( KernelTransaction.Type type, SecurityContext securityContext ) { - return graph.beginTransaction( type, loginContext ); + return graph.beginTransaction( type, securityContext ); } @Override - public InternalTransaction beginTransaction( KernelTransaction.Type type, LoginContext loginContext, + public InternalTransaction beginTransaction( KernelTransaction.Type type, SecurityContext securityContext, long timeout, TimeUnit unit ) { - return graph.beginTransaction( type, loginContext, timeout, unit ); + return graph.beginTransaction( type, securityContext, timeout, unit ); } @Override diff --git a/community/cypher/interpreted-runtime/src/test/scala/org/neo4j/cypher/internal/runtime/interpreted/QueryStateTestSupport.scala b/community/cypher/interpreted-runtime/src/test/scala/org/neo4j/cypher/internal/runtime/interpreted/QueryStateTestSupport.scala index 497830a7dfd56..e68975e0ac361 100644 --- a/community/cypher/interpreted-runtime/src/test/scala/org/neo4j/cypher/internal/runtime/interpreted/QueryStateTestSupport.scala +++ b/community/cypher/interpreted-runtime/src/test/scala/org/neo4j/cypher/internal/runtime/interpreted/QueryStateTestSupport.scala @@ -22,7 +22,7 @@ package org.neo4j.cypher.internal.runtime.interpreted import org.neo4j.cypher.GraphDatabaseTestSupport import org.neo4j.cypher.internal.runtime.interpreted.pipes.QueryState import org.neo4j.internal.kernel.api.Transaction.Type -import org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED +import org.neo4j.internal.kernel.api.security.SecurityContext.AUTH_DISABLED import org.neo4j.values.virtual.VirtualValues.EMPTY_MAP trait QueryStateTestSupport { 
diff --git a/community/cypher/interpreted-runtime/src/test/scala/org/neo4j/cypher/internal/runtime/interpreted/TransactionBoundPlanContextTest.scala b/community/cypher/interpreted-runtime/src/test/scala/org/neo4j/cypher/internal/runtime/interpreted/TransactionBoundPlanContextTest.scala index 4d83fd43a3bfc..d71ab69c45a1e 100644 --- a/community/cypher/interpreted-runtime/src/test/scala/org/neo4j/cypher/internal/runtime/interpreted/TransactionBoundPlanContextTest.scala +++ b/community/cypher/interpreted-runtime/src/test/scala/org/neo4j/cypher/internal/runtime/interpreted/TransactionBoundPlanContextTest.scala @@ -25,7 +25,7 @@ import org.neo4j.cypher.internal.util.v3_4.test_helpers.CypherFunSuite import org.neo4j.cypher.internal.util.v3_4.{Cardinality, LabelId, RelTypeId} import org.neo4j.graphdb.{GraphDatabaseService, Label, RelationshipType} import org.neo4j.internal.kernel.api.Transaction.Type._ -import org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED +import org.neo4j.internal.kernel.api.security.SecurityContext.AUTH_DISABLED import org.neo4j.kernel.impl.coreapi.{InternalTransaction, PropertyContainerLocker} import org.neo4j.kernel.impl.query.Neo4jTransactionalContextFactory import org.neo4j.kernel.impl.query.clientconnection.ClientConnectionInfo diff --git a/community/cypher/interpreted-runtime/src/test/scala/org/neo4j/cypher/internal/runtime/interpreted/TransactionBoundQueryContextTest.scala b/community/cypher/interpreted-runtime/src/test/scala/org/neo4j/cypher/internal/runtime/interpreted/TransactionBoundQueryContextTest.scala index fa846ddd02734..ccdc0e6c77792 100644 --- a/community/cypher/interpreted-runtime/src/test/scala/org/neo4j/cypher/internal/runtime/interpreted/TransactionBoundQueryContextTest.scala +++ b/community/cypher/interpreted-runtime/src/test/scala/org/neo4j/cypher/internal/runtime/interpreted/TransactionBoundQueryContextTest.scala 
@@ -33,7 +33,7 @@ import org.neo4j.graphdb._ import org.neo4j.graphdb.config.Setting import org.neo4j.graphdb.factory.GraphDatabaseSettings import org.neo4j.internal.kernel.api.Transaction.Type -import org.neo4j.internal.kernel.api.security.LoginContext +import org.neo4j.internal.kernel.api.security.SecurityContext import org.neo4j.internal.kernel.api.security.SecurityContext.AUTH_DISABLED import org.neo4j.io.pagecache.tracing.cursor.PageCursorTracerSupplier import org.neo4j.kernel.GraphDatabaseQueryService @@ -195,7 +195,7 @@ class TransactionBoundQueryContextTest extends CypherFunSuite { creator.success() creator.close() - val tx = graph.beginTransaction(Type.explicit, LoginContext.AUTH_DISABLED) + val tx = graph.beginTransaction(Type.explicit, SecurityContext.AUTH_DISABLED) val transactionalContext = TransactionalContextWrapper(createTransactionContext(graph, tx)) val context = new TransactionBoundQueryContext(transactionalContext)(indexSearchMonitor) diff --git a/community/cypher/interpreted-runtime/src/test/scala/org/neo4j/cypher/internal/runtime/interpreted/pipes/PruningVarLengthExpandPipeTest.scala b/community/cypher/interpreted-runtime/src/test/scala/org/neo4j/cypher/internal/runtime/interpreted/pipes/PruningVarLengthExpandPipeTest.scala index fc8d64c970659..90bbdcd832b3c 100644 --- a/community/cypher/interpreted-runtime/src/test/scala/org/neo4j/cypher/internal/runtime/interpreted/pipes/PruningVarLengthExpandPipeTest.scala +++ b/community/cypher/interpreted-runtime/src/test/scala/org/neo4j/cypher/internal/runtime/interpreted/pipes/PruningVarLengthExpandPipeTest.scala 
@@ -28,11 +28,11 @@ import org.neo4j.cypher.internal.runtime.interpreted.commands.predicates.{Equals import org.neo4j.cypher.internal.runtime.interpreted.commands.values.UnresolvedProperty import org.neo4j.cypher.internal.v3_4.expressions.SemanticDirection import org.neo4j.graphdb.Node +import org.neo4j.internal.kernel.api.security.SecurityContext import org.neo4j.internal.kernel.api.Transaction.Type -import org.neo4j.internal.kernel.api.security.LoginContext import org.neo4j.kernel.impl.util.ValueUtils._ import org.neo4j.values.virtual.VirtualValues.EMPTY_MAP -import org.neo4j.values.virtual.{NodeValue, RelationshipValue} +import org.neo4j.values.virtual.{RelationshipValue, NodeValue} import scala.collection.immutable.IndexedSeq import scala.util.Random @@ -315,7 +315,7 @@ class PruningVarLengthExpandPipeTest extends GraphDatabaseFunSuite { private def setUpGraph(seed: Long, POPULATION: Int, friendCount: Int = 50): IndexedSeq[Node] = { val r = new Random(seed) - var tx = graph.beginTransaction(Type.`implicit`, LoginContext.AUTH_DISABLED) + var tx = graph.beginTransaction(Type.`implicit`, SecurityContext.AUTH_DISABLED) var count = 0 def checkAndSwitch() = { @@ -323,7 +323,7 @@ class PruningVarLengthExpandPipeTest extends GraphDatabaseFunSuite { if (count == 1000) { tx.success() tx.close() - tx = graph.beginTransaction(Type.`implicit`, LoginContext.AUTH_DISABLED) + tx = graph.beginTransaction(Type.`implicit`, SecurityContext.AUTH_DISABLED) count = 0 } } diff --git a/community/cypher/runtime-util/src/main/java/org/neo4j/cypher/internal/javacompat/GraphDatabaseCypherService.java b/community/cypher/runtime-util/src/main/java/org/neo4j/cypher/internal/javacompat/GraphDatabaseCypherService.java index 7535762d16ed2..bc70be13807b5 100644 --- a/community/cypher/runtime-util/src/main/java/org/neo4j/cypher/internal/javacompat/GraphDatabaseCypherService.java +++ b/community/cypher/runtime-util/src/main/java/org/neo4j/cypher/internal/javacompat/GraphDatabaseCypherService.java 
@@ -25,7 +25,7 @@ import org.neo4j.graphdb.DependencyResolver; import org.neo4j.graphdb.GraphDatabaseService; import org.neo4j.graphdb.security.URLAccessValidationError; -import org.neo4j.internal.kernel.api.security.LoginContext; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.GraphDatabaseQueryService; import org.neo4j.kernel.api.KernelTransaction; import org.neo4j.kernel.api.dbms.DbmsOperations; @@ -50,16 +50,16 @@ public DependencyResolver getDependencyResolver() } @Override - public InternalTransaction beginTransaction( KernelTransaction.Type type, LoginContext loginContext ) + public InternalTransaction beginTransaction( KernelTransaction.Type type, SecurityContext securityContext ) { - return graph.beginTransaction( type, loginContext ); + return graph.beginTransaction( type, securityContext ); } @Override - public InternalTransaction beginTransaction( KernelTransaction.Type type, LoginContext loginContext, + public InternalTransaction beginTransaction( KernelTransaction.Type type, SecurityContext securityContext, long timeout, TimeUnit unit ) { - return graph.beginTransaction( type, loginContext, timeout, unit ); + return graph.beginTransaction( type, securityContext, timeout, unit ); } @Override diff --git a/community/cypher/runtime-util/src/test/scala/org/neo4j/cypher/GraphIcing.scala b/community/cypher/runtime-util/src/test/scala/org/neo4j/cypher/GraphIcing.scala index 0675363ccbb1c..66b15bfea7ac1 100644 --- a/community/cypher/runtime-util/src/test/scala/org/neo4j/cypher/GraphIcing.scala +++ b/community/cypher/runtime-util/src/test/scala/org/neo4j/cypher/GraphIcing.scala 
@@ -29,7 +29,7 @@ import org.neo4j.graphdb._ import org.neo4j.kernel.GraphDatabaseQueryService import org.neo4j.internal.kernel.api.Transaction.Type import org.neo4j.kernel.api.Statement -import org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED +import org.neo4j.internal.kernel.api.security.SecurityContext.AUTH_DISABLED import org.neo4j.kernel.impl.core.ThreadToStatementContextBridge import org.neo4j.kernel.impl.coreapi.{InternalTransaction, PropertyContainerLocker} import org.neo4j.kernel.impl.factory.GraphDatabaseFacade diff --git a/community/kernel-api/src/main/java/org/neo4j/internal/kernel/api/Kernel.java b/community/kernel-api/src/main/java/org/neo4j/internal/kernel/api/Kernel.java index 6d71f608926ff..9c667b8125747 100644 --- a/community/kernel-api/src/main/java/org/neo4j/internal/kernel/api/Kernel.java +++ b/community/kernel-api/src/main/java/org/neo4j/internal/kernel/api/Kernel.java @@ -19,7 +19,7 @@ */ package org.neo4j.internal.kernel.api; -import org.neo4j.internal.kernel.api.security.LoginContext; +import org.neo4j.internal.kernel.api.security.SecurityContext; /** * The Kernel. @@ -28,7 +28,7 @@ public interface Kernel { CursorFactory cursors(); - Session beginSession( LoginContext loginContext ); + Session beginSession( SecurityContext securityContext ); Modes modes(); } diff --git a/community/kernel-api/src/main/java/org/neo4j/internal/kernel/api/security/AccessMode.java b/community/kernel-api/src/main/java/org/neo4j/internal/kernel/api/security/AccessMode.java index 9b8cdf49ba4f0..397bab0129b1f 100644 --- a/community/kernel-api/src/main/java/org/neo4j/internal/kernel/api/security/AccessMode.java +++ b/community/kernel-api/src/main/java/org/neo4j/internal/kernel/api/security/AccessMode.java 
@@ -28,9 +28,9 @@ public interface AccessMode enum Static implements AccessMode { /** No reading or writing allowed. */ - NONE( false, false, false, false, false, false ), + NONE( false, false, false, false, false ), /** No reading or writing allowed because of expired credentials. */ - CREDENTIALS_EXPIRED( false, false, false, false, false, false ) + CREDENTIALS_EXPIRED( false, false, false, false, false ) { @Override public AuthorizationViolationException onViolation( String msg ) @@ -51,31 +51,29 @@ public AuthorizationViolationException onViolation( String msg ) }, /** Allows reading data and schema, but not writing. */ - READ( true, false, false, false, false, true ), + READ( true, false, false, false, false ), /** Allows writing data */ - WRITE_ONLY( false, true, false, false, false, true ), + WRITE_ONLY( false, true, false, false, false ), /** Allows reading and writing data, but not schema. */ - WRITE( true, true, false, false, false, true ), + WRITE( true, true, false, false, false ), /** Allows reading and writing data and creating new tokens, but not schema. */ - TOKEN_WRITE( true, true, true, false, false, true ), + TOKEN_WRITE( true, true, true, false, false ), /** Allows all operations. */ - FULL( true, true, true, true, true, true ); + FULL( true, true, true, true, true ); private final boolean read; private final boolean write; private final boolean token; private final boolean schema; private final boolean procedure; - private final boolean property; - Static( boolean read, boolean write, boolean token, boolean schema, boolean procedure, boolean property ) + Static( boolean read, boolean write, boolean token, boolean schema, boolean procedure ) { this.read = read; this.write = write; this.token = token; this.schema = schema; this.procedure = procedure; - this.property = property; } @Override 
@@ -102,12 +100,6 @@ public boolean allowsSchemaWrites() return schema; } - @Override - public boolean allowsPropertyReads( int propertyKey ) - { - return property; - } - @Override public boolean allowsProcedureWith( String[] allowed ) { @@ -126,8 +118,6 @@ public AuthorizationViolationException onViolation( String msg ) boolean allowsTokenCreates(); boolean allowsSchemaWrites(); - boolean allowsPropertyReads( int propertyKey ); - /** * Determines whether this mode allows execution of a procedure with the parameter string array in its * procedure annotation. diff --git a/community/kernel-api/src/main/java/org/neo4j/internal/kernel/api/security/LoginContext.java b/community/kernel-api/src/main/java/org/neo4j/internal/kernel/api/security/LoginContext.java deleted file mode 100644 index 4686a123800a0..0000000000000 --- a/community/kernel-api/src/main/java/org/neo4j/internal/kernel/api/security/LoginContext.java +++ /dev/null 
@@ -1,58 +0,0 @@ -/* - * Copyright (c) 2002-2018 "Neo Technology," - * Network Engine for Objects in Lund AB [http://neotechnology.com] - * - * This file is part of Neo4j. - * - * Neo4j is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ -package org.neo4j.internal.kernel.api.security; - -import org.neo4j.internal.kernel.api.Token; - -/** - * The LoginContext hold the executing authenticated user (subject). - * By calling {@link #authorize(Token)} the user is also authorized, and a full SecurityContext is returned, - * which can be used to assert user permissions during query execution. - */ -public interface LoginContext -{ - /** - * Get the authenticated user. - */ - AuthSubject subject(); - - /** - * Authorize the user and return a SecurityContext. - * - * @param token token lookup, used to compile property level security verification - * @return the security context - */ - SecurityContext authorize( Token token ); - - LoginContext AUTH_DISABLED = new LoginContext() - { - @Override - public AuthSubject subject() - { - return AuthSubject.AUTH_DISABLED; - } - - @Override - public SecurityContext authorize( Token token ) - { - return SecurityContext.AUTH_DISABLED; - } - }; -} 
diff --git a/community/kernel-api/src/main/java/org/neo4j/internal/kernel/api/security/SecurityContext.java b/community/kernel-api/src/main/java/org/neo4j/internal/kernel/api/security/SecurityContext.java index 9ba230e74d3ce..a06f48ddac939 100644 --- a/community/kernel-api/src/main/java/org/neo4j/internal/kernel/api/security/SecurityContext.java +++ b/community/kernel-api/src/main/java/org/neo4j/internal/kernel/api/security/SecurityContext.java 
@@ -19,105 +19,130 @@ */ package org.neo4j.internal.kernel.api.security; -import org.neo4j.internal.kernel.api.Token; - import static org.neo4j.graphdb.security.AuthorizationViolationException.PERMISSION_DENIED; -/** - * Controls the capabilities of a KernelTransaction, including the authenticated user and authorization data. - * - * Must extend LoginContext to handle procedures creating internal transactions, periodic commit and the parallel cypher prototype. - */ -public class SecurityContext implements LoginContext +/** Controls the capabilities of a KernelTransaction. */ +public interface SecurityContext { - protected final AuthSubject subject; - protected final AccessMode mode; + AccessMode mode(); + AuthSubject subject(); + boolean isAdmin(); - public SecurityContext( AuthSubject subject, AccessMode mode ) - { - this.subject = subject; - this.mode = mode; - } + SecurityContext freeze(); + SecurityContext withMode( AccessMode mode ); - /** - * Get the authorization data of the user. This is immutable. - */ - public AccessMode mode() + default void assertCredentialsNotExpired() { - return mode; + if ( subject().getAuthenticationResult().equals( AuthenticationResult.PASSWORD_CHANGE_REQUIRED ) ) + { + throw mode().onViolation( PERMISSION_DENIED ); + } } - /** - * Check whether the user is an admin. - */ - public boolean isAdmin() + default String description() { - return true; + return String.format( "user '%s' with %s", subject().username(), mode().name() ); } - @Override - public AuthSubject subject() + default String defaultString( String name ) { - return subject; + return String.format( "%s{ username=%s, accessMode=%s }", name, subject().username(), mode() ); } - @Override - public SecurityContext authorize( Token token ) - { - return this; - } + /** Allows all operations. */ + SecurityContext AUTH_DISABLED = new AuthDisabled( AccessMode.Static.FULL ); - /** - * Create a copy of this SecurityContext with the provided mode. 
- */ - public SecurityContext withMode( AccessMode mode ) + final class AuthDisabled implements SecurityContext { - return new SecurityContext( subject, mode ); - } + private final AccessMode mode; - public void assertCredentialsNotExpired() - { - if ( subject().getAuthenticationResult().equals( AuthenticationResult.PASSWORD_CHANGE_REQUIRED ) ) + private AuthDisabled( AccessMode mode ) { - throw mode().onViolation( PERMISSION_DENIED ); + this.mode = mode; } - } - public String description() - { - return String.format( "user '%s' with %s", subject().username(), mode().name() ); + @Override + public AccessMode mode() + { + return mode; + } + + @Override + public AuthSubject subject() + { + return AuthSubject.AUTH_DISABLED; + } + + @Override + public boolean isAdmin() + { + return true; + } + + @Override + public String toString() + { + return defaultString( "auth-disabled" ); + } + + @Override + public String description() + { + return "AUTH_DISABLED with " + mode.name(); + } + + @Override + public SecurityContext freeze() + { + return this; + } + + @Override + public SecurityContext withMode( AccessMode mode ) + { + return new AuthDisabled( mode ); + } } - protected String defaultString( String name ) + final class Frozen implements SecurityContext { - return String.format( "%s{ username=%s, accessMode=%s }", name, subject().username(), mode() ); - } + private final AuthSubject subject; + private final AccessMode mode; - /** Allows all operations. 
*/ - public static final SecurityContext AUTH_DISABLED = authDisabled( AccessMode.Static.FULL ); + public Frozen( AuthSubject subject, AccessMode mode ) + { + this.subject = subject; + this.mode = mode; + } - private static SecurityContext authDisabled( AccessMode mode ) - { - return new SecurityContext( AuthSubject.AUTH_DISABLED, mode ) + @Override + public AccessMode mode() + { + return mode; + } + + @Override + public AuthSubject subject() + { + return subject; + } + + @Override + public boolean isAdmin() { + return true; + } - @Override - public SecurityContext withMode( AccessMode mode ) - { - return authDisabled( mode ); - } - - @Override - public String description() - { - return "AUTH_DISABLED with " + mode().name(); - } - - @Override - public String toString() - { - return defaultString( "auth-disabled" ); - } - }; + @Override + public SecurityContext freeze() + { + return this; + } + + @Override + public SecurityContext withMode( AccessMode mode ) + { + return new Frozen( subject, mode ); + } } } diff --git a/community/kernel-api/src/test/java/org/neo4j/internal/kernel/api/KernelAPIReadTestBase.java b/community/kernel-api/src/test/java/org/neo4j/internal/kernel/api/KernelAPIReadTestBase.java index ee2f5d1b352dd..5b4f91b605977 100644 --- a/community/kernel-api/src/test/java/org/neo4j/internal/kernel/api/KernelAPIReadTestBase.java +++ b/community/kernel-api/src/test/java/org/neo4j/internal/kernel/api/KernelAPIReadTestBase.java @@ -29,7 +29,7 @@ import org.neo4j.graphdb.GraphDatabaseService; import org.neo4j.internal.kernel.api.exceptions.KernelException; -import org.neo4j.internal.kernel.api.security.LoginContext; +import org.neo4j.internal.kernel.api.security.SecurityContext; /** * KernelAPIReadTestBase is the basis of read tests targeting the Kernel API. 
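Review bot: `Frozen.isAdmin()` returns a constant `true`, and `Frozen` is a public nested class with a public constructor, so any context produced through it reports admin privileges regardless of its subject; the AnonymousContext hunk shows this concretely, since `AnonymousContext.isAdmin()` returns `false` but its `withMode( mode )` returns `new Frozen( subject(), mode )`, whose `isAdmin()` is `true`. With `UserManagerSupplier.getUserManager( SecurityContext )` replacing the explicit `isUserManager` flag, implementations will presumably derive that privilege from `isAdmin()`, so a context that flips to admin on `withMode` is a privilege-escalation risk rather than a cosmetic inconsistency. I would make the admin decision a `Frozen` constructor argument carried through `withMode`, and have `AnonymousContext.withMode` pass `false` (or return an `AnonymousContext` with the new mode). `freeze()` and `withMode()` on the interface also lack Javadoc; a line such as `/** Returns a context with the same subject and admin status but the given access mode. */` on `withMode` would pin the contract this fix relies on.
```java
    final class Frozen implements SecurityContext
    {
        private final AuthSubject subject;
        private final AccessMode mode;
        private final boolean isAdmin;

        public Frozen( AuthSubject subject, AccessMode mode, boolean isAdmin )
        {
            this.subject = subject;
            this.mode = mode;
            this.isAdmin = isAdmin;
        }

        // … unchanged: mode(), subject() …

        @Override
        public boolean isAdmin()
        {
            return isAdmin;
        }

        // … unchanged: freeze() …

        @Override
        public SecurityContext withMode( AccessMode mode )
        {
            return new Frozen( subject, mode, isAdmin );
        }
    }
```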
@@ -78,7 +78,7 @@ public void setupGraph() throws IOException, KernelException testSupport.setup( folder.getRoot(), this::createTestGraph ); } Kernel kernel = testSupport.kernelToTest(); - session = kernel.beginSession( LoginContext.AUTH_DISABLED ); + session = kernel.beginSession( SecurityContext.AUTH_DISABLED ); cursors = new ManagedTestCursors( kernel.cursors() ); tx = session.beginTransaction( Transaction.Type.explicit ); token = session.token(); diff --git a/community/kernel-api/src/test/java/org/neo4j/internal/kernel/api/KernelAPIWriteTestBase.java b/community/kernel-api/src/test/java/org/neo4j/internal/kernel/api/KernelAPIWriteTestBase.java index d5bf792fc6e8e..b7e4a5d96308c 100644 --- a/community/kernel-api/src/test/java/org/neo4j/internal/kernel/api/KernelAPIWriteTestBase.java +++ b/community/kernel-api/src/test/java/org/neo4j/internal/kernel/api/KernelAPIWriteTestBase.java @@ -28,7 +28,7 @@ import java.io.IOException; import org.neo4j.graphdb.GraphDatabaseService; -import org.neo4j.internal.kernel.api.security.LoginContext; +import org.neo4j.internal.kernel.api.security.SecurityContext; /** * KernelAPIWriteTestBase is the basis of write tests targeting the Kernel API. @@ -71,7 +71,7 @@ public void setupGraph() throws IOException } testSupport.clearGraph(); Kernel kernel = testSupport.kernelToTest(); - session = kernel.beginSession( LoginContext.AUTH_DISABLED ); + session = kernel.beginSession( SecurityContext.AUTH_DISABLED ); modes = kernel.modes(); cursors = new ManagedTestCursors( kernel.cursors() ); } diff --git a/community/kernel/src/main/java/org/neo4j/kernel/GraphDatabaseQueryService.java b/community/kernel/src/main/java/org/neo4j/kernel/GraphDatabaseQueryService.java index 50fb2785cdf5d..4e8cd5a492f7a 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/GraphDatabaseQueryService.java +++ b/community/kernel/src/main/java/org/neo4j/kernel/GraphDatabaseQueryService.java 
@@ -24,7 +24,7 @@ import org.neo4j.graphdb.DependencyResolver; import org.neo4j.graphdb.security.URLAccessValidationError; -import org.neo4j.internal.kernel.api.security.LoginContext; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.api.KernelTransaction; import org.neo4j.kernel.api.dbms.DbmsOperations; import org.neo4j.kernel.impl.coreapi.InternalTransaction; @@ -41,21 +41,21 @@ public interface GraphDatabaseQueryService * Begin new internal transaction with with default timeout. * * @param type transaction type - * @param loginContext transaction login context + * @param securityContext transaction security context * @return internal transaction */ - InternalTransaction beginTransaction( KernelTransaction.Type type, LoginContext loginContext ); + InternalTransaction beginTransaction( KernelTransaction.Type type, SecurityContext securityContext ); /** * Begin new internal transaction with specified timeout in milliseconds. * * @param type transaction type - * @param loginContext transaction login context + * @param securityContext transaction security context * @param timeout transaction timeout * @param unit time unit of timeout argument * @return internal transaction */ - InternalTransaction beginTransaction( KernelTransaction.Type type, LoginContext loginContext, long timeout, + InternalTransaction beginTransaction( KernelTransaction.Type type, SecurityContext securityContext, long timeout, TimeUnit unit ); URL validateURLAccess( URL url ) throws URLAccessValidationError; diff --git a/community/kernel/src/main/java/org/neo4j/kernel/api/InwardKernel.java b/community/kernel/src/main/java/org/neo4j/kernel/api/InwardKernel.java index e9c05dcac9c33..3c338c1d4c017 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/api/InwardKernel.java +++ b/community/kernel/src/main/java/org/neo4j/kernel/api/InwardKernel.java 
@@ -20,19 +20,19 @@ package org.neo4j.kernel.api; import org.neo4j.internal.kernel.api.Kernel; -import org.neo4j.internal.kernel.api.security.LoginContext; import org.neo4j.kernel.api.exceptions.ProcedureException; import org.neo4j.kernel.api.exceptions.TransactionFailureException; import org.neo4j.kernel.api.proc.CallableProcedure; import org.neo4j.kernel.api.proc.CallableUserAggregationFunction; import org.neo4j.kernel.api.proc.CallableUserFunction; +import org.neo4j.internal.kernel.api.security.SecurityContext; /** * The main API through which access to the Neo4j kernel is made, both read * and write operations are supported as well as creating transactions. * * Changes to the graph (i.e. write operations) are performed via a - * {@link #newTransaction(KernelTransaction.Type, LoginContext) transaction context} where changes done + * {@link #newTransaction(KernelTransaction.Type, SecurityContext) transaction context} where changes done * inside the transaction are visible in read operations for {@link Statement statements} * executed within that transaction context. */ 
@@ -43,19 +43,19 @@ public interface InwardKernel extends Kernel * underlying graph. * * @param type the type of the new transaction: implicit (internally created) or explicit (created by the user) - * @param loginContext transaction login context + * @param securityContext transaction security context */ - KernelTransaction newTransaction( KernelTransaction.Type type, LoginContext loginContext ) throws TransactionFailureException; + KernelTransaction newTransaction( KernelTransaction.Type type, SecurityContext securityContext ) throws TransactionFailureException; /** * Creates and returns a new {@link KernelTransaction} capable of modifying the * underlying graph with custom timeout in milliseconds. * * @param type the type of the new transaction: implicit (internally created) or explicit (created by the user) - * @param loginContext transaction login context + * @param securityContext transaction security context * @param timeout transaction timeout in millisiseconds */ - KernelTransaction newTransaction( KernelTransaction.Type type, LoginContext loginContext, long timeout ) + KernelTransaction newTransaction( KernelTransaction.Type type, SecurityContext securityContext, long timeout ) throws TransactionFailureException; /** diff --git a/community/kernel/src/main/java/org/neo4j/kernel/api/KernelTransaction.java b/community/kernel/src/main/java/org/neo4j/kernel/api/KernelTransaction.java index 73ce247d61e5f..0bdb06f8301e0 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/api/KernelTransaction.java +++ b/community/kernel/src/main/java/org/neo4j/kernel/api/KernelTransaction.java 
@@ -24,7 +24,6 @@ import org.neo4j.internal.kernel.api.NodeCursor; import org.neo4j.internal.kernel.api.PropertyCursor; import org.neo4j.internal.kernel.api.Transaction; -import org.neo4j.internal.kernel.api.security.LoginContext; import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.api.exceptions.Status; import org.neo4j.kernel.api.exceptions.TransactionFailureException; @@ -159,7 +158,7 @@ default void close() throws TransactionFailureException /** * @return start time of this transaction, i.e. basically {@link System#currentTimeMillis()} when user called - * {@link Kernel#newTransaction(Type, LoginContext)}. + * {@link Kernel#newTransaction(Type, SecurityContext)}. */ long startTime(); diff --git a/community/kernel/src/main/java/org/neo4j/kernel/api/KernelTransactionHandle.java b/community/kernel/src/main/java/org/neo4j/kernel/api/KernelTransactionHandle.java index 432f33f5f9bfb..dc9a5fecaf517 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/api/KernelTransactionHandle.java +++ b/community/kernel/src/main/java/org/neo4j/kernel/api/KernelTransactionHandle.java @@ -23,7 +23,6 @@ import java.util.Optional; import java.util.stream.Stream; -import org.neo4j.internal.kernel.api.security.LoginContext; import org.neo4j.kernel.api.exceptions.Status; import org.neo4j.kernel.api.query.ExecutingQuery; import org.neo4j.internal.kernel.api.security.SecurityContext; @@ -52,7 +51,7 @@ public interface KernelTransactionHandle /** * The start time of the underlying transaction. I.e. basically {@link System#currentTimeMillis()} when user - * called {@link Kernel#newTransaction(KernelTransaction.Type, LoginContext)}. + * called {@link Kernel#newTransaction(KernelTransaction.Type, SecurityContext)}. * * @return the transaction start time. */ 
diff --git a/community/kernel/src/main/java/org/neo4j/kernel/api/security/AnonymousContext.java b/community/kernel/src/main/java/org/neo4j/kernel/api/security/AnonymousContext.java
index 3a36d2b2b023a..82053d69e311e 100644
--- a/community/kernel/src/main/java/org/neo4j/kernel/api/security/AnonymousContext.java
+++ b/community/kernel/src/main/java/org/neo4j/kernel/api/security/AnonymousContext.java
@@ -19,14 +19,12 @@
 */
 package org.neo4j.kernel.api.security;
 
-import org.neo4j.internal.kernel.api.Token;
 import org.neo4j.internal.kernel.api.security.AccessMode;
 import org.neo4j.internal.kernel.api.security.AuthSubject;
-import org.neo4j.internal.kernel.api.security.LoginContext;
 import org.neo4j.internal.kernel.api.security.SecurityContext;
 
 /** Controls the capabilities of a KernelTransaction. */
-public class AnonymousContext implements LoginContext
+public class AnonymousContext implements SecurityContext
 {
 private final AccessMode accessMode;
 
@@ -67,8 +65,32 @@ public AuthSubject subject()
 }
 
 @Override
- public SecurityContext authorize( Token token )
+ public boolean isAdmin()
 {
- return new SecurityContext( subject(), accessMode );
+ return false;
+ }
+
+ @Override
+ public SecurityContext freeze()
+ {
+ return this;
+ }
+
+ @Override
+ public SecurityContext withMode( AccessMode mode )
+ {
+ return new Frozen( subject(), mode );
+ }
+
+ @Override
+ public AccessMode mode()
+ {
+ return accessMode;
+ }
+
+ @Override
+ public String toString()
+ {
+ return defaultString( "anonymous" );
 }
 }
diff --git a/community/kernel/src/main/java/org/neo4j/kernel/api/security/AuthManager.java b/community/kernel/src/main/java/org/neo4j/kernel/api/security/AuthManager.java
index b1965f0d26873..59593c3275c9a 100644
--- a/community/kernel/src/main/java/org/neo4j/kernel/api/security/AuthManager.java
+++ b/community/kernel/src/main/java/org/neo4j/kernel/api/security/AuthManager.java
@@ -21,7 +21,7 @@ import java.util.Map; -import org.neo4j.internal.kernel.api.security.LoginContext; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.api.security.exception.InvalidAuthTokenException; import org.neo4j.kernel.lifecycle.Lifecycle; @@ -36,7 +36,7 @@ public interface AuthManager extends Lifecycle * @return An AuthSubject representing the newly logged-in user * @throws InvalidAuthTokenException if the authentication token is malformed */ - LoginContext login( Map authToken ) throws InvalidAuthTokenException; + SecurityContext login( Map authToken ) throws InvalidAuthTokenException; /** * Implementation that does no authentication. @@ -64,9 +64,9 @@ public void shutdown() throws Throwable } @Override - public LoginContext login( Map authToken ) + public SecurityContext login( Map authToken ) { - return LoginContext.AUTH_DISABLED; + return SecurityContext.AUTH_DISABLED; } }; } diff --git a/community/kernel/src/main/java/org/neo4j/kernel/api/security/UserManagerSupplier.java b/community/kernel/src/main/java/org/neo4j/kernel/api/security/UserManagerSupplier.java index 84b33b6f5954c..e10fe8648e529 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/api/security/UserManagerSupplier.java +++ b/community/kernel/src/main/java/org/neo4j/kernel/api/security/UserManagerSupplier.java @@ -19,12 +19,12 @@ */ package org.neo4j.kernel.api.security; -import org.neo4j.internal.kernel.api.security.AuthSubject; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.lifecycle.Lifecycle; public interface UserManagerSupplier extends Lifecycle { - UserManager getUserManager( AuthSubject authSubject, boolean isUserManager ); + UserManager getUserManager( SecurityContext securityContext ); UserManager getUserManager(); 
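Review bot: The `login` Javadoc in the `@@ -36,7` hunk still says `@return An AuthSubject representing the newly logged-in user` although the method now returns a `SecurityContext` (the tag was already stale for `LoginContext`). Since this commit rewrites the signature, the tag should be updated to `@return a SecurityContext for the newly logged-in user, exposing its AuthSubject via subject() and its authorization data via mode()`. The no-auth implementation in the `@@ -64,9` hunk returns `SecurityContext.AUTH_DISABLED`, whose `isAdmin()` is `true`, so it matters that readers understand the result carries authorization, not just identity.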
@@ -51,7 +51,7 @@ public void shutdown() throws Throwable } @Override - public UserManager getUserManager( AuthSubject authSubject, boolean isUserManager ) + public UserManager getUserManager( SecurityContext securityContext ) { return UserManager.NO_AUTH; } diff --git a/community/kernel/src/main/java/org/neo4j/kernel/impl/api/Kernel.java b/community/kernel/src/main/java/org/neo4j/kernel/impl/api/Kernel.java index d59eebf9ae0a6..8434de42afdb5 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/impl/api/Kernel.java +++ b/community/kernel/src/main/java/org/neo4j/kernel/impl/api/Kernel.java @@ -24,7 +24,7 @@ import org.neo4j.internal.kernel.api.Modes; import org.neo4j.internal.kernel.api.Session; import org.neo4j.internal.kernel.api.Transaction; -import org.neo4j.internal.kernel.api.security.LoginContext; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.api.InwardKernel; import org.neo4j.kernel.api.KernelTransaction; import org.neo4j.kernel.api.TransactionHook; 
@@ -93,18 +93,18 @@ public Kernel( KernelTransactions transactionFactory, TransactionHooks hooks, Da } @Override - public KernelTransaction newTransaction( Transaction.Type type, LoginContext loginContext ) + public KernelTransaction newTransaction( Transaction.Type type, SecurityContext securityContext ) throws TransactionFailureException { - return newTransaction( type, loginContext, config.get( transaction_timeout ).toMillis() ); + return newTransaction( type, securityContext, config.get( transaction_timeout ).toMillis() ); } @Override - public KernelTransaction newTransaction( Transaction.Type type, LoginContext loginContext, long timeout ) throws + public KernelTransaction newTransaction( Transaction.Type type, SecurityContext securityContext, long timeout ) throws TransactionFailureException { health.assertHealthy( TransactionFailureException.class ); - KernelTransaction transaction = transactions.newInstance( type, loginContext, timeout ); + KernelTransaction transaction = transactions.newInstance( type, securityContext, timeout ); transactionMonitor.transactionStarted(); return transaction; } @@ -152,9 +152,9 @@ public CursorFactory cursors() } @Override - public Session beginSession( LoginContext loginContext ) + public Session beginSession( SecurityContext securityContext ) { - return newKernel.beginSession( loginContext ); + return newKernel.beginSession( securityContext ); } @Override diff --git a/community/kernel/src/main/java/org/neo4j/kernel/impl/api/KernelTransactions.java b/community/kernel/src/main/java/org/neo4j/kernel/impl/api/KernelTransactions.java index 484d483e04118..8e57ea0f92154 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/impl/api/KernelTransactions.java +++ b/community/kernel/src/main/java/org/neo4j/kernel/impl/api/KernelTransactions.java 
@@ -31,7 +31,6 @@
 import org.neo4j.function.Factory;
 import org.neo4j.graphdb.DatabaseShutdownException;
 import org.neo4j.graphdb.TransactionFailureException;
-import org.neo4j.internal.kernel.api.security.LoginContext;
 import org.neo4j.internal.kernel.api.security.SecurityContext;
 import org.neo4j.kernel.AvailabilityGuard;
 import org.neo4j.kernel.api.KernelTransaction;
@@ -172,10 +171,10 @@ public Supplier explicitIndexTxStateSupplier()
 return explicitIndexTxStateSupplier;
 }
 
- public KernelTransaction newInstance( KernelTransaction.Type type, LoginContext loginContext, long timeout )
+ public KernelTransaction newInstance( KernelTransaction.Type type, SecurityContext securityContext, long timeout )
 {
 assertCurrentThreadIsNotBlockingNewTransactions();
- SecurityContext securityContext = loginContext.authorize( token );
+ SecurityContext frozenSecurityContext = securityContext.freeze();
 try
 {
 while ( !newTransactionsLock.readLock().tryLock( 1, TimeUnit.SECONDS ) )
@@ -189,7 +188,7 @@ public KernelTransaction newInstance( KernelTransaction.Type type, LoginContext
 KernelTransactionImplementation tx = localTxPool.acquire();
 StatementLocks statementLocks = statementLocksFactory.newInstance();
 tx.initialize( lastCommittedTransaction.transactionId(), lastCommittedTransaction.commitTimestamp(),
- statementLocks, type, securityContext, timeout, userTransactionIdCounter.incrementAndGet() );
+ statementLocks, type, frozenSecurityContext, timeout, userTransactionIdCounter.incrementAndGet() );
 return tx;
 }
 finally
diff --git a/community/kernel/src/main/java/org/neo4j/kernel/impl/api/OperationsFacade.java b/community/kernel/src/main/java/org/neo4j/kernel/impl/api/OperationsFacade.java
index c84a4f7a4280a..75f96912e80bc 100644
--- a/community/kernel/src/main/java/org/neo4j/kernel/impl/api/OperationsFacade.java
+++ b/community/kernel/src/main/java/org/neo4j/kernel/impl/api/OperationsFacade.java
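Review bot: `securityContext.freeze()` is now called before the lock-acquisition loop and its result is the only context the transaction ever sees, but nothing in `newInstance` says why a snapshot is taken or what `freeze()` is expected to guarantee, and the `SecurityContext` interface declares `freeze()` without Javadoc. I would add `// snapshot the caller's context so the transaction cannot observe later changes to it` above the call, qualified by whatever `freeze()` actually promises: every implementation visible in this diff (`AuthDisabled`, `Frozen`, `AnonymousContext`) simply returns `this`, so the real snapshotting presumably lives in an implementation outside this change. `newInstance` continues past the end of the hunk.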
@@ -34,7 +34,6 @@
 import org.neo4j.collection.primitive.PrimitiveLongResourceIterator;
 import org.neo4j.cursor.Cursor;
 import org.neo4j.graphdb.Direction;
-import org.neo4j.helpers.collection.Iterators;
 import org.neo4j.internal.kernel.api.IndexQuery;
 import org.neo4j.internal.kernel.api.InternalIndexState;
 import org.neo4j.internal.kernel.api.exceptions.InvalidTransactionTypeKernelException;
@@ -691,9 +690,7 @@ public String propertyKeyGetName( int propertyKeyId ) throws PropertyKeyIdNotFou
 public Iterator propertyKeyGetAllTokens()
 {
 statement.assertOpen();
- AccessMode mode = tx.securityContext().mode();
- return Iterators.stream( tokenRead().propertyKeyGetAllTokens( statement ) ).
- filter( propKey -> mode.allowsPropertyReads( propKey.id() ) ).iterator();
+ return tokenRead().propertyKeyGetAllTokens( statement );
 }
 
 @Override
diff --git a/community/kernel/src/main/java/org/neo4j/kernel/impl/api/security/OverriddenAccessMode.java b/community/kernel/src/main/java/org/neo4j/kernel/impl/api/security/OverriddenAccessMode.java
index b1d9cf037ac72..ae63dcdd0da87 100644
--- a/community/kernel/src/main/java/org/neo4j/kernel/impl/api/security/OverriddenAccessMode.java
+++ b/community/kernel/src/main/java/org/neo4j/kernel/impl/api/security/OverriddenAccessMode.java
@@ -56,12 +56,6 @@ public boolean allowsSchemaWrites()
 return wrapping.allowsSchemaWrites();
 }
 
- @Override
- public boolean allowsPropertyReads( int propertyKey )
- {
- return wrapping.allowsPropertyReads( propertyKey );
- }
-
 @Override
 public boolean allowsProcedureWith( String[] allowed )
 {
diff --git a/community/kernel/src/main/java/org/neo4j/kernel/impl/api/security/RestrictedAccessMode.java b/community/kernel/src/main/java/org/neo4j/kernel/impl/api/security/RestrictedAccessMode.java
index 3e6cc64a0f36d..77bbeb1aef2c9 100644
--- a/community/kernel/src/main/java/org/neo4j/kernel/impl/api/security/RestrictedAccessMode.java
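Review bot: `propertyKeyGetAllTokens` now hands back the raw token iterator with `statement.assertOpen()` as its only guard, so property-key names are listed in every access mode; that is consistent with `allowsPropertyReads` being dropped from `AccessMode` in this commit, but the method carries no Javadoc saying so. I would add `/** Lists every property key token; the result is not filtered by the transaction's access mode. */` above the method so the next reader does not re-introduce the filter by reflex. The surrounding `OperationsFacade` class continues outside the hunk.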
+++ b/community/kernel/src/main/java/org/neo4j/kernel/impl/api/security/RestrictedAccessMode.java @@ -56,12 +56,6 @@ public boolean allowsSchemaWrites() return original.allowsSchemaWrites() && wrapping.allowsSchemaWrites(); } - @Override - public boolean allowsPropertyReads( int propertyKey ) - { - return original.allowsPropertyReads( propertyKey ) && wrapping.allowsPropertyReads( propertyKey ); - } - @Override public boolean allowsProcedureWith( String[] allowed ) { diff --git a/community/kernel/src/main/java/org/neo4j/kernel/impl/api/state/ConstraintIndexCreator.java b/community/kernel/src/main/java/org/neo4j/kernel/impl/api/state/ConstraintIndexCreator.java index fa33d4bb76218..a54999652b73f 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/impl/api/state/ConstraintIndexCreator.java +++ b/community/kernel/src/main/java/org/neo4j/kernel/impl/api/state/ConstraintIndexCreator.java @@ -53,7 +53,7 @@ import org.neo4j.kernel.monitoring.Monitors; import static org.neo4j.internal.kernel.api.exceptions.schema.ConstraintValidationException.Phase.VERIFICATION; -import static org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED; +import static org.neo4j.internal.kernel.api.security.SecurityContext.AUTH_DISABLED; import static org.neo4j.internal.kernel.api.exceptions.schema.SchemaKernelException.OperationContext.CONSTRAINT_CREATION; import static org.neo4j.kernel.impl.locking.ResourceTypes.LABEL; diff --git a/community/kernel/src/main/java/org/neo4j/kernel/impl/core/IsolatedTransactionTokenCreator.java b/community/kernel/src/main/java/org/neo4j/kernel/impl/core/IsolatedTransactionTokenCreator.java index 6a3c106ba3bef..cdcb96a2e22dd 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/impl/core/IsolatedTransactionTokenCreator.java +++ b/community/kernel/src/main/java/org/neo4j/kernel/impl/core/IsolatedTransactionTokenCreator.java 
@@ -30,7 +30,7 @@ import org.neo4j.internal.kernel.api.exceptions.schema.TooManyLabelsException; import org.neo4j.kernel.impl.store.id.IdGeneratorFactory; -import static org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED; +import static org.neo4j.internal.kernel.api.security.SecurityContext.AUTH_DISABLED; /** * Creates a key within its own transaction, such that the command(s) for creating the key diff --git a/community/kernel/src/main/java/org/neo4j/kernel/impl/factory/ClassicCoreSPI.java b/community/kernel/src/main/java/org/neo4j/kernel/impl/factory/ClassicCoreSPI.java index b57b6cec053bb..34ddc63ad0dae 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/impl/factory/ClassicCoreSPI.java +++ b/community/kernel/src/main/java/org/neo4j/kernel/impl/factory/ClassicCoreSPI.java @@ -28,11 +28,11 @@ import org.neo4j.graphdb.event.KernelEventHandler; import org.neo4j.graphdb.event.TransactionEventHandler; import org.neo4j.graphdb.security.URLAccessValidationError; -import org.neo4j.internal.kernel.api.security.LoginContext; import org.neo4j.kernel.GraphDatabaseQueryService; import org.neo4j.kernel.api.KernelTransaction; import org.neo4j.kernel.api.exceptions.TransactionFailureException; import org.neo4j.kernel.api.explicitindex.AutoIndexing; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.impl.coreapi.CoreAPIAvailabilityGuard; import org.neo4j.kernel.impl.query.QueryExecutionKernelException; import org.neo4j.kernel.impl.query.TransactionalContext; 
@@ -180,12 +180,12 @@ public void shutdown() } @Override - public KernelTransaction beginTransaction( KernelTransaction.Type type, LoginContext loginContext, long timeout ) + public KernelTransaction beginTransaction( KernelTransaction.Type type, SecurityContext securityContext, long timeout ) { try { availability.assertDatabaseAvailable(); - KernelTransaction kernelTx = dataSource.kernelAPI.get().newTransaction( type, loginContext, timeout ); + KernelTransaction kernelTx = dataSource.kernelAPI.get().newTransaction( type, securityContext, timeout ); kernelTx.registerCloseListener( txId -> dataSource.threadToTransactionBridge.unbindTransactionFromCurrentThread() ); dataSource.threadToTransactionBridge.bindTransactionToCurrentThread( kernelTx ); diff --git a/community/kernel/src/main/java/org/neo4j/kernel/impl/factory/GraphDatabaseFacade.java b/community/kernel/src/main/java/org/neo4j/kernel/impl/factory/GraphDatabaseFacade.java index 8a01c1be943ba..af8895a82b222 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/impl/factory/GraphDatabaseFacade.java +++ b/community/kernel/src/main/java/org/neo4j/kernel/impl/factory/GraphDatabaseFacade.java @@ -67,7 +67,7 @@ import org.neo4j.internal.kernel.api.exceptions.KernelException; import org.neo4j.internal.kernel.api.exceptions.schema.ConstraintValidationException; import org.neo4j.internal.kernel.api.exceptions.schema.SchemaKernelException; -import org.neo4j.internal.kernel.api.security.LoginContext; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.io.IOUtils; import org.neo4j.kernel.GraphDatabaseQueryService; import org.neo4j.kernel.api.KernelTransaction; 
@@ -113,7 +113,7 @@ import static java.lang.String.format; import static org.neo4j.graphdb.factory.GraphDatabaseSettings.transaction_timeout; import static org.neo4j.helpers.collection.Iterators.emptyResourceIterator; -import static org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED; +import static org.neo4j.internal.kernel.api.security.SecurityContext.AUTH_DISABLED; import static org.neo4j.kernel.impl.api.explicitindex.InternalAutoIndexing.NODE_AUTO_INDEX; import static org.neo4j.kernel.impl.api.explicitindex.InternalAutoIndexing.RELATIONSHIP_AUTO_INDEX; import static org.neo4j.kernel.impl.api.operations.KeyReadOperations.NO_SUCH_LABEL; @@ -165,9 +165,10 @@ public interface SPI * Begin a new kernel transaction with specified timeout in milliseconds. * * @throws org.neo4j.graphdb.TransactionFailureException if unable to begin, or a transaction already exists. - * @see GraphDatabaseAPI#beginTransaction(KernelTransaction.Type, LoginContext) + * @see SPI#beginTransaction(KernelTransaction.Type, SecurityContext) */ - KernelTransaction beginTransaction( KernelTransaction.Type type, LoginContext loginContext, long timeout ); + KernelTransaction beginTransaction( KernelTransaction.Type type, SecurityContext securityContext, + long timeout ); /** Execute a cypher statement */ Result executeQuery( String query, Map parameters, TransactionalContext context ); 
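Review bot: The rewritten `@see SPI#beginTransaction(KernelTransaction.Type, SecurityContext)` refers to a two-argument overload on `SPI`, but the only `SPI.beginTransaction` visible in this hunk takes three arguments (type, securityContext, timeout), and the tag previously pointed at the two-argument method on `GraphDatabaseAPI`; if `SPI` has no two-argument overload, javadoc will flag a broken reference. Suggest restoring the cross-reference to the public API, `@see GraphDatabaseAPI#beginTransaction(KernelTransaction.Type, SecurityContext)`, or dropping the tag. While touching the comment, the renamed parameter deserves a line of its own, e.g. `@param securityContext the security context the new kernel transaction is initialized with`, since the Javadoc currently documents only the timeout and the failure case.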
@@ -368,16 +369,16 @@ public Transaction beginTx( long timeout, TimeUnit unit ) } @Override - public InternalTransaction beginTransaction( KernelTransaction.Type type, LoginContext loginContext ) + public InternalTransaction beginTransaction( KernelTransaction.Type type, SecurityContext securityContext ) { - return beginTransactionInternal( type, loginContext, config.get( transaction_timeout ).toMillis() ); + return beginTransactionInternal( type, securityContext, config.get( transaction_timeout ).toMillis() ); } @Override - public InternalTransaction beginTransaction( KernelTransaction.Type type, LoginContext loginContext, + public InternalTransaction beginTransaction( KernelTransaction.Type type, SecurityContext securityContext, long timeout, TimeUnit unit ) { - return beginTransactionInternal( type, loginContext, unit.toMillis( timeout ) ); + return beginTransactionInternal( type, securityContext, unit.toMillis( timeout ) ); } @Override @@ -601,7 +602,7 @@ public ResourceIterator findNodes( final Label myLabel ) return allNodesWithLabel( myLabel ); } - private InternalTransaction beginTransactionInternal( KernelTransaction.Type type, LoginContext loginContext, + private InternalTransaction beginTransactionInternal( KernelTransaction.Type type, SecurityContext securityContext, long timeoutMillis ) { if ( statementContext.hasTransaction() ) 
@@ -609,7 +610,7 @@ private InternalTransaction beginTransactionInternal( KernelTransaction.Type typ // FIXME: perhaps we should check that the new type and access mode are compatible with the current tx return new PlaceboTransaction( statementContext.getKernelTransactionBoundToThisThread( true ), statementContext ); } - return new TopLevelTransaction( spi.beginTransaction( type, loginContext, timeoutMillis ), statementContext ); + return new TopLevelTransaction( spi.beginTransaction( type, securityContext, timeoutMillis ), statementContext ); } private ResourceIterator nodesByLabelAndProperty( Label myLabel, String key, Value value ) diff --git a/community/kernel/src/main/java/org/neo4j/kernel/impl/index/ExplicitIndexStore.java b/community/kernel/src/main/java/org/neo4j/kernel/impl/index/ExplicitIndexStore.java index b3524a897dead..6d7c17f2b0bd3 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/impl/index/ExplicitIndexStore.java +++ b/community/kernel/src/main/java/org/neo4j/kernel/impl/index/ExplicitIndexStore.java @@ -40,7 +40,7 @@ import org.neo4j.kernel.spi.explicitindex.IndexImplementation; import static org.neo4j.graphdb.index.IndexManager.PROVIDER; -import static org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED; +import static org.neo4j.internal.kernel.api.security.SecurityContext.AUTH_DISABLED; /** * Uses an {@link IndexConfigStore} and puts logic around providers and configuration comparison. diff --git a/community/kernel/src/main/java/org/neo4j/kernel/impl/newapi/DefaultPropertyCursor.java b/community/kernel/src/main/java/org/neo4j/kernel/impl/newapi/DefaultPropertyCursor.java index 704522b272042..ebe9c9d3e6e63 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/impl/newapi/DefaultPropertyCursor.java +++ b/community/kernel/src/main/java/org/neo4j/kernel/impl/newapi/DefaultPropertyCursor.java 
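Review bot: When a transaction is already bound to the thread, `beginTransactionInternal` hands back a `PlaceboTransaction` and the caller's `securityContext` (and `type`) is discarded without any comparison, which the `FIXME` two lines above already acknowledges; a caller asking for a more restricted context silently runs under the outer transaction's one, and the rename preserves that. At minimum make the drop explicit next to the `return new PlaceboTransaction(...)`: `// NOTE: the requested securityContext and type are ignored here; the nested transaction inherits the thread-bound transaction's context`. Better, reject a request whose access mode is wider than the bound transaction's, comparing `securityContext.mode()` with `statementContext.getKernelTransactionBoundToThisThread( true ).securityContext().mode()` (the `securityContext()` accessor is used on `ktx` elsewhere in this commit; confirm it is available here). `beginTransactionInternal` begins in the previous hunk, outside this one.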
@@ -135,21 +135,6 @@ private void init( long reference, Read read, AssertOpen assertOpen ) @Override public boolean next() - { - boolean hasNext; - do - { - hasNext = innerNext(); - } while ( hasNext && !allowed( propertyKey() ) ); - return hasNext; - } - - private boolean allowed( int propertyKey ) - { - return read.ktx.securityContext().mode().allowsPropertyReads( propertyKey ); - } - - private boolean innerNext() { if ( txStateChangedProperties != null ) { diff --git a/community/kernel/src/main/java/org/neo4j/kernel/impl/newapi/KernelSession.java b/community/kernel/src/main/java/org/neo4j/kernel/impl/newapi/KernelSession.java index 23436c5794dbf..5bda9ae523323 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/impl/newapi/KernelSession.java +++ b/community/kernel/src/main/java/org/neo4j/kernel/impl/newapi/KernelSession.java @@ -22,7 +22,7 @@ import org.neo4j.internal.kernel.api.Session; import org.neo4j.internal.kernel.api.Transaction; import org.neo4j.internal.kernel.api.exceptions.KernelException; -import org.neo4j.internal.kernel.api.security.LoginContext; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.api.InwardKernel; import org.neo4j.kernel.api.KernelTransaction; @@ -32,13 +32,13 @@ class KernelSession implements Session { private final InwardKernel kernel; - private final LoginContext loginContext; + private final SecurityContext securityContext; private final KernelToken token; - KernelSession( KernelToken token, InwardKernel kernel, LoginContext loginContext ) + KernelSession( KernelToken token, InwardKernel kernel, SecurityContext securityContext ) { this.kernel = kernel; - this.loginContext = loginContext; + this.securityContext = securityContext; this.token = token; } 
@@ -51,7 +51,7 @@ public Transaction beginTransaction() throws KernelException @Override public Transaction beginTransaction( KernelTransaction.Type type ) throws KernelException { - return kernel.newTransaction( type, loginContext ); + return kernel.newTransaction( type, securityContext ); } @Override diff --git a/community/kernel/src/main/java/org/neo4j/kernel/impl/newapi/NewKernel.java b/community/kernel/src/main/java/org/neo4j/kernel/impl/newapi/NewKernel.java index 5908f20d71da0..92f0db61d6d64 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/impl/newapi/NewKernel.java +++ b/community/kernel/src/main/java/org/neo4j/kernel/impl/newapi/NewKernel.java @@ -22,7 +22,7 @@ import org.neo4j.internal.kernel.api.CursorFactory; import org.neo4j.internal.kernel.api.Kernel; import org.neo4j.internal.kernel.api.Modes; -import org.neo4j.internal.kernel.api.security.LoginContext; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.api.InwardKernel; import org.neo4j.storageengine.api.StorageEngine; import org.neo4j.storageengine.api.StorageStatement; @@ -58,10 +58,10 @@ public CursorFactory cursors() } @Override - public KernelSession beginSession( LoginContext loginContext ) + public KernelSession beginSession( SecurityContext securityContext ) { assert isRunning : "kernel is not running, so it is not possible to use it"; - return new KernelSession( token, kernel, loginContext ); + return new KernelSession( token, kernel, securityContext ); } @Override diff --git a/community/kernel/src/main/java/org/neo4j/kernel/impl/newapi/Read.java b/community/kernel/src/main/java/org/neo4j/kernel/impl/newapi/Read.java index b64b06d45de25..ef038e606b70b 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/impl/newapi/Read.java +++ b/community/kernel/src/main/java/org/neo4j/kernel/impl/newapi/Read.java 
@@ -36,7 +36,6 @@ import org.neo4j.internal.kernel.api.RelationshipTraversalCursor; import org.neo4j.internal.kernel.api.Scan; import org.neo4j.internal.kernel.api.exceptions.KernelException; -import org.neo4j.internal.kernel.api.security.AccessMode; import org.neo4j.io.pagecache.PageCursor; import org.neo4j.kernel.api.ExplicitIndex; import org.neo4j.kernel.api.ExplicitIndexHits; @@ -91,11 +90,6 @@ public final void nodeIndexSeek( IndexQuery... query ) throws IndexNotApplicableKernelException, IndexNotFoundKernelException { ktx.assertOpen(); - if ( hasForbiddenProperties( index ) ) - { - cursor.close(); - return; - } ((DefaultNodeValueIndexCursor) cursor).setRead( this ); IndexProgressor.NodeValueClient target = (DefaultNodeValueIndexCursor) cursor; @@ -145,11 +139,6 @@ public final void nodeIndexScan( IndexOrder indexOrder ) throws KernelException { ktx.assertOpen(); - if ( hasForbiddenProperties( index ) ) - { - cursor.close(); - return; - } // for a scan, we simply query for existence of the first property, which covers all entries in an index int firstProperty = index.properties()[0]; @@ -157,19 +146,6 @@ public final void nodeIndexScan( indexReader( index ).query( (DefaultNodeValueIndexCursor) cursor, indexOrder, IndexQuery.exists( firstProperty ) ); } - private boolean hasForbiddenProperties( IndexReference index ) - { - AccessMode mode = ktx.securityContext().mode(); - for ( int prop : index.properties() ) - { - if ( !mode.allowsPropertyReads( prop ) ) - { - return true; - } - } - return false; - } - @Override public final void nodeLabelScan( int label, NodeLabelIndexCursor cursor ) { diff --git a/community/kernel/src/main/java/org/neo4j/kernel/impl/proc/ProcedureGDBFacadeSPI.java b/community/kernel/src/main/java/org/neo4j/kernel/impl/proc/ProcedureGDBFacadeSPI.java index 007c64e67895b..4dcb07b4f8547 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/impl/proc/ProcedureGDBFacadeSPI.java 
+++ b/community/kernel/src/main/java/org/neo4j/kernel/impl/proc/ProcedureGDBFacadeSPI.java @@ -29,12 +29,11 @@ import org.neo4j.graphdb.event.KernelEventHandler; import org.neo4j.graphdb.event.TransactionEventHandler; import org.neo4j.graphdb.security.URLAccessValidationError; -import org.neo4j.internal.kernel.api.security.LoginContext; -import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.GraphDatabaseQueryService; import org.neo4j.kernel.api.KernelTransaction; import org.neo4j.kernel.api.exceptions.TransactionFailureException; import org.neo4j.kernel.api.explicitindex.AutoIndexing; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.impl.coreapi.CoreAPIAvailabilityGuard; import org.neo4j.kernel.impl.factory.DataSourceModule; import org.neo4j.kernel.impl.factory.GraphDatabaseFacade; @@ -172,7 +171,7 @@ public void shutdown() } @Override - public KernelTransaction beginTransaction( KernelTransaction.Type type, LoginContext ignored, long timeout ) + public KernelTransaction beginTransaction( KernelTransaction.Type type, SecurityContext ignoredSecurityContext, long timeout ) { try { diff --git a/community/kernel/src/main/java/org/neo4j/kernel/internal/GraphDatabaseAPI.java b/community/kernel/src/main/java/org/neo4j/kernel/internal/GraphDatabaseAPI.java index 0f094dee8b25b..8b624edcc7c72 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/internal/GraphDatabaseAPI.java +++ b/community/kernel/src/main/java/org/neo4j/kernel/internal/GraphDatabaseAPI.java @@ -26,8 +26,8 @@ import org.neo4j.graphdb.DependencyResolver; import org.neo4j.graphdb.GraphDatabaseService; import org.neo4j.graphdb.security.URLAccessValidationError; -import org.neo4j.internal.kernel.api.security.LoginContext; import org.neo4j.kernel.api.KernelTransaction; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.impl.coreapi.InternalTransaction; import org.neo4j.kernel.impl.store.StoreId; 
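Review bot: Renaming the parameter to `ignoredSecurityContext` makes it explicit that the caller-supplied context is thrown away, but neither the signature nor any Javadoc says what context the procedure's transaction actually runs under, and the method body continues outside the hunk so it cannot be checked here. A short comment on the method would stop the next reader from assuming procedure-initiated transactions are unauthenticated, e.g. `// The caller's SecurityContext is intentionally ignored: the transaction presumably inherits the security context of the invoking transaction — confirm against the body below`. If that is not what the body does, the parameter should be honoured rather than ignored, since an `@Override` that discards a `SecurityContext` is exactly where an authorization bypass would hide.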
@@ -58,18 +58,18 @@ public interface GraphDatabaseAPI extends GraphDatabaseService /** * Begin internal transaction with specified type and access mode * @param type transaction type - * @param loginContext transaction login context + * @param securityContext transaction security context * @return internal transaction */ - InternalTransaction beginTransaction( KernelTransaction.Type type, LoginContext loginContext ); + InternalTransaction beginTransaction( KernelTransaction.Type type, SecurityContext securityContext ); /** * Begin internal transaction with specified type, access mode and timeout * @param type transaction type - * @param loginContext transaction login context + * @param securityContext transaction security context * @param timeout transaction timeout * @param unit time unit of timeout argument * @return internal transaction */ - InternalTransaction beginTransaction( KernelTransaction.Type type, LoginContext loginContext, long timeout, TimeUnit unit ); + InternalTransaction beginTransaction( KernelTransaction.Type type, SecurityContext securityContext, long timeout, TimeUnit unit ); } diff --git a/community/kernel/src/test/java/org/neo4j/kernel/api/KernelTransactionFactory.java b/community/kernel/src/test/java/org/neo4j/kernel/api/KernelTransactionFactory.java index a07eecfea215c..bb5bba23ae72b 100644 --- a/community/kernel/src/test/java/org/neo4j/kernel/api/KernelTransactionFactory.java +++ b/community/kernel/src/test/java/org/neo4j/kernel/api/KernelTransactionFactory.java @@ -23,8 +23,7 @@ import java.util.function.Supplier; import org.neo4j.collection.pool.Pool; -import org.neo4j.internal.kernel.api.Token; -import org.neo4j.internal.kernel.api.security.LoginContext; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.io.pagecache.tracing.cursor.PageCursorTracerSupplier; import org.neo4j.kernel.api.explicitindex.AutoIndexing; import org.neo4j.kernel.impl.api.KernelTransactionImplementation; 
@@ -79,7 +78,7 @@ private KernelTransactionFactory() { } - static Instances kernelTransactionWithInternals( LoginContext loginContext ) + static Instances kernelTransactionWithInternals( SecurityContext securityContext ) { TransactionHeaderInformation headerInformation = new TransactionHeaderInformation( -1, -1, new byte[0] ); TransactionHeaderInformationFactory headerInformationFactory = mock( TransactionHeaderInformationFactory.class ); @@ -107,13 +106,13 @@ storageEngine, new CanWrite(), new KernelToken( storeReadLayer ), new DefaultCur StatementLocks statementLocks = new SimpleStatementLocks( new NoOpClient() ); - transaction.initialize( 0, 0, statementLocks, KernelTransaction.Type.implicit, loginContext.authorize( mock( Token.class ) ), 0L, 1L ); + transaction.initialize( 0, 0, statementLocks, KernelTransaction.Type.implicit, securityContext, 0L, 1L ); return new Instances( transaction, storageEngine, storeReadLayer, storageStatement ); } - static KernelTransaction kernelTransaction( LoginContext loginContext ) + static KernelTransaction kernelTransaction( SecurityContext securityContext ) { - return kernelTransactionWithInternals( loginContext ).transaction; + return kernelTransactionWithInternals( securityContext ).transaction; } } diff --git a/community/kernel/src/test/java/org/neo4j/kernel/api/TransactionStatementSequenceTest.java b/community/kernel/src/test/java/org/neo4j/kernel/api/TransactionStatementSequenceTest.java index 518256fb0d9f7..65fbaa772dd49 100644 --- a/community/kernel/src/test/java/org/neo4j/kernel/api/TransactionStatementSequenceTest.java +++ b/community/kernel/src/test/java/org/neo4j/kernel/api/TransactionStatementSequenceTest.java 
@@ -26,7 +26,7 @@ import static org.junit.Assert.assertEquals; import static org.junit.Assert.fail; -import static org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED; +import static org.neo4j.internal.kernel.api.security.SecurityContext.AUTH_DISABLED; import static org.neo4j.kernel.api.KernelTransactionFactory.kernelTransaction; public class TransactionStatementSequenceTest diff --git a/community/kernel/src/test/java/org/neo4j/kernel/api/TransactionStatementSharingTest.java b/community/kernel/src/test/java/org/neo4j/kernel/api/TransactionStatementSharingTest.java index 925fd1ff2c271..7c3722c978df7 100644 --- a/community/kernel/src/test/java/org/neo4j/kernel/api/TransactionStatementSharingTest.java +++ b/community/kernel/src/test/java/org/neo4j/kernel/api/TransactionStatementSharingTest.java @@ -27,7 +27,7 @@ import static org.mockito.Mockito.reset; import static org.mockito.Mockito.verify; import static org.neo4j.kernel.api.KernelTransactionFactory.kernelTransaction; -import static org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED; +import static org.neo4j.internal.kernel.api.security.SecurityContext.AUTH_DISABLED; public class TransactionStatementSharingTest { diff --git a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelSchemaStateFlushingTest.java b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelSchemaStateFlushingTest.java index 281af99c1859f..4d006382e8702 100644 --- a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelSchemaStateFlushingTest.java +++ b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelSchemaStateFlushingTest.java @@ -41,7 +41,7 @@ import static java.util.concurrent.TimeUnit.MILLISECONDS; import static org.junit.Assert.assertEquals; -import static org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED; +import static org.neo4j.internal.kernel.api.security.SecurityContext.AUTH_DISABLED; public class KernelSchemaStateFlushingTest { 
diff --git a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionImplementationTest.java b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionImplementationTest.java index 1a0b664815eba..ef15a54331360 100644 --- a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionImplementationTest.java +++ b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionImplementationTest.java @@ -35,8 +35,6 @@ import java.util.function.Consumer; import org.neo4j.graphdb.TransactionTerminatedException; -import org.neo4j.internal.kernel.api.Token; -import org.neo4j.internal.kernel.api.security.LoginContext; import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.io.pagecache.tracing.cursor.DefaultPageCursorTracer; import org.neo4j.kernel.api.KernelTransaction; @@ -76,7 +74,7 @@ import static org.mockito.Mockito.verify; import static org.mockito.Mockito.verifyNoMoreInteractions; import static org.mockito.Mockito.when; -import static org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED; +import static org.neo4j.internal.kernel.api.security.SecurityContext.AUTH_DISABLED; import static org.neo4j.kernel.impl.transaction.log.TransactionIdStore.BASE_TX_COMMIT_TIMESTAMP; import static org.neo4j.kernel.impl.transaction.log.TransactionIdStore.BASE_TX_ID; @@ -118,7 +116,7 @@ public static Collection parameters() public void shouldCommitSuccessfulTransaction() throws Exception { // GIVEN - try ( KernelTransaction transaction = newTransaction( loginContext() ) ) + try ( KernelTransaction transaction = newTransaction( securityContext() ) ) { // WHEN transactionInitializer.accept( transaction ); 
@@ -134,7 +132,7 @@ public void shouldCommitSuccessfulTransaction() throws Exception public void shouldRollbackUnsuccessfulTransaction() throws Exception { // GIVEN - try ( KernelTransaction transaction = newTransaction( loginContext() ) ) + try ( KernelTransaction transaction = newTransaction( securityContext() ) ) { // WHEN transactionInitializer.accept( transaction ); @@ -149,7 +147,7 @@ public void shouldRollbackUnsuccessfulTransaction() throws Exception public void shouldRollbackFailedTransaction() throws Exception { // GIVEN - try ( KernelTransaction transaction = newTransaction( loginContext() ) ) + try ( KernelTransaction transaction = newTransaction( securityContext() ) ) { // WHEN transactionInitializer.accept( transaction ); @@ -166,7 +164,7 @@ public void shouldRollbackAndThrowOnFailedAndSuccess() throws Exception { // GIVEN boolean exceptionReceived = false; - try ( KernelTransaction transaction = newTransaction( loginContext() ) ) + try ( KernelTransaction transaction = newTransaction( securityContext() ) ) { // WHEN transactionInitializer.accept( transaction ); @@ -189,7 +187,7 @@ public void shouldRollbackAndThrowOnFailedAndSuccess() throws Exception public void shouldRollbackOnClosingTerminatedTransaction() throws Exception { // GIVEN - KernelTransaction transaction = newTransaction( loginContext() ); + KernelTransaction transaction = newTransaction( securityContext() ); transactionInitializer.accept( transaction ); transaction.success(); @@ -215,7 +213,7 @@ public void shouldRollbackOnClosingTerminatedTransaction() throws Exception @Test public void shouldRollbackOnClosingSuccessfulButTerminatedTransaction() throws Exception { - try ( KernelTransaction transaction = newTransaction( loginContext() ) ) + try ( KernelTransaction transaction = newTransaction( securityContext() ) ) { // WHEN transactionInitializer.accept( transaction ); 
@@ -233,7 +231,7 @@ public void shouldRollbackOnClosingSuccessfulButTerminatedTransaction() throws E public void shouldRollbackOnClosingTerminatedButSuccessfulTransaction() throws Exception { // GIVEN - KernelTransaction transaction = newTransaction( loginContext() ); + KernelTransaction transaction = newTransaction( securityContext() ); transactionInitializer.accept( transaction ); transaction.markForTermination( Status.General.UnknownError ); @@ -260,7 +258,7 @@ public void shouldRollbackOnClosingTerminatedButSuccessfulTransaction() throws E @Test public void shouldNotDowngradeFailureState() throws Exception { - try ( KernelTransaction transaction = newTransaction( loginContext() ) ) + try ( KernelTransaction transaction = newTransaction( securityContext() ) ) { // WHEN transactionInitializer.accept( transaction ); @@ -278,7 +276,7 @@ public void shouldNotDowngradeFailureState() throws Exception @Test public void shouldIgnoreTerminateAfterCommit() throws Exception { - KernelTransaction transaction = newTransaction( loginContext() ); + KernelTransaction transaction = newTransaction( securityContext() ); transactionInitializer.accept( transaction ); transaction.success(); transaction.close(); @@ -292,7 +290,7 @@ public void shouldIgnoreTerminateAfterCommit() throws Exception @Test public void shouldIgnoreTerminateAfterRollback() throws Exception { - KernelTransaction transaction = newTransaction( loginContext() ); + KernelTransaction transaction = newTransaction( securityContext() ); transactionInitializer.accept( transaction ); transaction.close(); transaction.markForTermination( Status.General.UnknownError ); 
@@ -305,7 +303,7 @@ public void shouldIgnoreTerminateAfterRollback() throws Exception @Test( expected = TransactionTerminatedException.class ) public void shouldThrowOnTerminationInCommit() throws Exception { - KernelTransaction transaction = newTransaction( loginContext() ); + KernelTransaction transaction = newTransaction( securityContext() ); transactionInitializer.accept( transaction ); transaction.success(); transaction.markForTermination( Status.General.UnknownError ); @@ -316,7 +314,7 @@ public void shouldThrowOnTerminationInCommit() throws Exception @Test public void shouldIgnoreTerminationDuringRollback() throws Exception { - KernelTransaction transaction = newTransaction( loginContext() ); + KernelTransaction transaction = newTransaction( securityContext() ); transactionInitializer.accept( transaction ); transaction.markForTermination( Status.General.UnknownError ); transaction.close(); @@ -332,7 +330,7 @@ public void shouldAllowTerminatingFromADifferentThread() throws Exception { // GIVEN final DoubleLatch latch = new DoubleLatch( 1 ); - final KernelTransaction transaction = newTransaction( loginContext() ); + final KernelTransaction transaction = newTransaction( securityContext() ); transactionInitializer.accept( transaction ); Future terminationFuture = Executors.newSingleThreadExecutor().submit( () -> 
@@ -384,11 +382,11 @@ public void shouldUseStartTimeAndTxIdFromWhenStartingTxAsHeader() throws Excepti any( ResourceLocker.class ), anyLong() ); - try ( KernelTransactionImplementation transaction = newTransaction( loginContext() ) ) + try ( KernelTransactionImplementation transaction = newTransaction( securityContext() ) ) { SimpleStatementLocks statementLocks = new SimpleStatementLocks( mock( Locks.Client.class ) ); transaction.initialize( 5L, BASE_TX_COMMIT_TIMESTAMP, statementLocks, KernelTransaction.Type.implicit, - SecurityContext.AUTH_DISABLED, 0L, 1L ); + AUTH_DISABLED, 0L, 1L ); transaction.txState(); try ( KernelStatement statement = transaction.acquireStatement() ) { @@ -411,7 +409,7 @@ public void shouldUseStartTimeAndTxIdFromWhenStartingTxAsHeader() throws Excepti @Test public void successfulTxShouldNotifyKernelTransactionsThatItIsClosed() throws TransactionFailureException { - KernelTransactionImplementation tx = newTransaction( loginContext() ); + KernelTransactionImplementation tx = newTransaction( securityContext() ); tx.success(); tx.close(); @@ -422,7 +420,7 @@ public void successfulTxShouldNotifyKernelTransactionsThatItIsClosed() throws Tr @Test public void failedTxShouldNotifyKernelTransactionsThatItIsClosed() throws TransactionFailureException { - KernelTransactionImplementation tx = newTransaction( loginContext() ); + KernelTransactionImplementation tx = newTransaction( securityContext() ); tx.failure(); tx.close(); 
@@ -443,14 +441,14 @@ private void verifyExtraInteractionWithTheMonitor( TransactionMonitor transactio public void shouldIncrementReuseCounterOnReuse() throws Exception { // GIVEN - KernelTransactionImplementation transaction = newTransaction( loginContext() ); + KernelTransactionImplementation transaction = newTransaction( securityContext() ); int reuseCount = transaction.getReuseCount(); // WHEN transaction.close(); SimpleStatementLocks statementLocks = new SimpleStatementLocks( new NoOpClient() ); transaction.initialize( 1, BASE_TX_COMMIT_TIMESTAMP, statementLocks, KernelTransaction.Type.implicit, - loginContext().authorize( mock( Token.class ) ), 0L, 1L ); + securityContext(), 0L, 1L ); // THEN assertEquals( reuseCount + 1, transaction.getReuseCount() ); @@ -469,7 +467,7 @@ public void markForTerminationNotInitializedTransaction() public void markForTerminationInitializedTransaction() { Locks.Client locksClient = mock( Locks.Client.class ); - KernelTransactionImplementation tx = newTransaction( loginContext(), locksClient ); + KernelTransactionImplementation tx = newTransaction( securityContext(), locksClient ); tx.markForTermination( Status.General.UnknownError ); @@ -481,7 +479,7 @@ public void markForTerminationInitializedTransaction() public void markForTerminationTerminatedTransaction() { Locks.Client locksClient = mock( Locks.Client.class ); - KernelTransactionImplementation tx = newTransaction( loginContext(), locksClient ); + KernelTransactionImplementation tx = newTransaction( securityContext(), locksClient ); transactionInitializer.accept( tx ); tx.markForTermination( Status.Transaction.Terminated ); 
@@ -497,7 +495,7 @@ public void markForTerminationTerminatedTransaction() public void terminatedTxMarkedNeitherSuccessNorFailureClosesWithoutThrowing() throws TransactionFailureException { Locks.Client locksClient = mock( Locks.Client.class ); - KernelTransactionImplementation tx = newTransaction( loginContext(), locksClient ); + KernelTransactionImplementation tx = newTransaction( securityContext(), locksClient ); transactionInitializer.accept( tx ); tx.markForTermination( Status.General.UnknownError ); @@ -511,7 +509,7 @@ public void terminatedTxMarkedNeitherSuccessNorFailureClosesWithoutThrowing() th public void terminatedTxMarkedForSuccessThrowsOnClose() { Locks.Client locksClient = mock( Locks.Client.class ); - KernelTransactionImplementation tx = newTransaction( loginContext(), locksClient ); + KernelTransactionImplementation tx = newTransaction( securityContext(), locksClient ); transactionInitializer.accept( tx ); tx.success(); tx.markForTermination( Status.General.UnknownError ); @@ -531,7 +529,7 @@ public void terminatedTxMarkedForSuccessThrowsOnClose() public void terminatedTxMarkedForFailureClosesWithoutThrowing() throws TransactionFailureException { Locks.Client locksClient = mock( Locks.Client.class ); - KernelTransactionImplementation tx = newTransaction( loginContext(), locksClient ); + KernelTransactionImplementation tx = newTransaction( securityContext(), locksClient ); transactionInitializer.accept( tx ); tx.failure(); tx.markForTermination( Status.General.UnknownError ); @@ -546,7 +544,7 @@ public void terminatedTxMarkedForFailureClosesWithoutThrowing() throws Transacti public void terminatedTxMarkedForBothSuccessAndFailureThrowsOnClose() { Locks.Client locksClient = mock( Locks.Client.class ); - KernelTransactionImplementation tx = newTransaction( loginContext(), locksClient ); + KernelTransactionImplementation tx = newTransaction( securityContext(), locksClient ); transactionInitializer.accept( tx ); tx.success(); tx.failure(); 
@@ -567,7 +565,7 @@ public void terminatedTxMarkedForBothSuccessAndFailureThrowsOnClose() public void txMarkedForBothSuccessAndFailureThrowsOnClose() { Locks.Client locksClient = mock( Locks.Client.class ); - KernelTransactionImplementation tx = newTransaction( loginContext(), locksClient ); + KernelTransactionImplementation tx = newTransaction( securityContext(), locksClient ); tx.success(); tx.failure(); @@ -585,7 +583,7 @@ public void txMarkedForBothSuccessAndFailureThrowsOnClose() @Test public void initializedTransactionShouldHaveNoTerminationReason() throws Exception { - KernelTransactionImplementation tx = newTransaction( loginContext() ); + KernelTransactionImplementation tx = newTransaction( securityContext() ); assertFalse( tx.getReasonIfTerminated().isPresent() ); } @@ -593,7 +591,7 @@ public void initializedTransactionShouldHaveNoTerminationReason() throws Excepti public void shouldReportCorrectTerminationReason() throws Exception { Status status = Status.Transaction.Terminated; - KernelTransactionImplementation tx = newTransaction( loginContext() ); + KernelTransactionImplementation tx = newTransaction( securityContext() ); tx.markForTermination( status ); assertSame( status, tx.getReasonIfTerminated().get() ); } @@ -601,7 +599,7 @@ public void shouldReportCorrectTerminationReason() throws Exception @Test public void closedTransactionShouldHaveNoTerminationReason() throws Exception { - KernelTransactionImplementation tx = newTransaction( loginContext() ); + KernelTransactionImplementation tx = newTransaction( securityContext() ); tx.markForTermination( Status.Transaction.Terminated ); tx.close(); assertFalse( tx.getReasonIfTerminated().isPresent() ); 
@@ -612,7 +610,7 @@ public void shouldCallCloseListenerOnCloseWhenCommitting() throws Exception { // given AtomicLong closeTxId = new AtomicLong( Long.MIN_VALUE ); - KernelTransactionImplementation tx = newTransaction( loginContext() ); + KernelTransactionImplementation tx = newTransaction( securityContext() ); tx.registerCloseListener( closeTxId::set ); // when @@ -633,7 +631,7 @@ public void shouldCallCloseListenerOnCloseWhenRollingBack() throws Exception { // given AtomicLong closeTxId = new AtomicLong( Long.MIN_VALUE ); - KernelTransactionImplementation tx = newTransaction( loginContext() ); + KernelTransactionImplementation tx = newTransaction( securityContext() ); tx.registerCloseListener( closeTxId::set ); // when @@ -671,7 +669,7 @@ public void markForTerminationWithCorrectReuseCount() throws Exception Locks.Client locksClient = mock( Locks.Client.class ); SimpleStatementLocks statementLocks = new SimpleStatementLocks( locksClient ); - tx.initialize( 42, 42, statementLocks, KernelTransaction.Type.implicit, loginContext().authorize( mock( Token.class ) ), 0L, 0L ); + tx.initialize( 42, 42, statementLocks, KernelTransaction.Type.implicit, securityContext(), 0L, 0L ); assertTrue( tx.markForTermination( reuseCount, terminationReason ) ); @@ -691,7 +689,7 @@ public void markForTerminationWithIncorrectReuseCount() throws Exception Locks.Client locksClient = mock( Locks.Client.class ); SimpleStatementLocks statementLocks = new SimpleStatementLocks( locksClient ); - tx.initialize( 42, 42, statementLocks, KernelTransaction.Type.implicit, loginContext().authorize( mock( Token.class ) ), 0L, 0L ); + tx.initialize( 42, 42, statementLocks, KernelTransaction.Type.implicit, securityContext(), 0L, 0L ); assertFalse( tx.markForTermination( nextReuseCount, terminationReason ) ); 
@@ -748,7 +746,7 @@ public void reportTransactionStatistics()
 assertEquals( 0, statistics.getWaitingTimeNanos( 0 ) );
 }
- private LoginContext loginContext()
+ private SecurityContext securityContext()
 {
 return isWriteTx ? AnonymousContext.write() : AnonymousContext.read();
 }
@@ -758,7 +756,7 @@ private void initializeAndClose( KernelTransactionImplementation tx, int times )
 for ( int i = 0; i < times; i++ )
 {
 SimpleStatementLocks statementLocks = new SimpleStatementLocks( new NoOpClient() );
- tx.initialize( i + 10, i + 10, statementLocks, KernelTransaction.Type.implicit, loginContext().authorize( mock( Token.class ) ), 0L, 0L );
+ tx.initialize( i + 10, i + 10, statementLocks, KernelTransaction.Type.implicit, securityContext(), 0L, 0L );
 tx.close();
 }
 }
diff --git a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionSecurityContextTest.java b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionSecurityContextTest.java
index 20ef463f3fe44..defb07b9ced98 100644
--- a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionSecurityContextTest.java
+++ b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionSecurityContextTest.java
@@ -30,7 +30,7 @@ import org.neo4j.kernel.api.security.AnonymousContext;
 import static org.junit.Assert.assertNotNull;
-import static org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED;
+import static org.neo4j.internal.kernel.api.security.SecurityContext.AUTH_DISABLED;
 public class KernelTransactionSecurityContextTest extends KernelTransactionTestBase
 {
diff --git a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionTestBase.java b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionTestBase.java
index bb8d97d39dc89..839281c5faef8 100644
--- a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionTestBase.java
+++ b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionTestBase.java @@ -27,9 +27,7 @@ import org.neo4j.collection.pool.Pool; import org.neo4j.graphdb.factory.GraphDatabaseSettings; -import org.neo4j.internal.kernel.api.Token; import org.neo4j.internal.kernel.api.Transaction.Type; -import org.neo4j.internal.kernel.api.security.LoginContext; import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.io.pagecache.tracing.cursor.PageCursorTracerSupplier; import org.neo4j.kernel.api.exceptions.TransactionFailureException; @@ -73,7 +71,7 @@ import static org.mockito.Mockito.doAnswer; import static org.mockito.Mockito.mock; import static org.mockito.Mockito.when; -import static org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED; +import static org.neo4j.internal.kernel.api.security.SecurityContext.AUTH_DISABLED; import static org.neo4j.kernel.impl.transaction.log.TransactionIdStore.BASE_TX_COMMIT_TIMESTAMP; public class KernelTransactionTestBase 
@@ -118,33 +116,32 @@ public KernelTransactionImplementation newTransaction( long transactionTimeoutMi
 return newTransaction( 0, AUTH_DISABLED, transactionTimeoutMillis );
 }
- public KernelTransactionImplementation newTransaction( LoginContext loginContext )
+ public KernelTransactionImplementation newTransaction( SecurityContext securityContext )
 {
- return newTransaction( 0, loginContext );
+ return newTransaction( 0, securityContext );
 }
- public KernelTransactionImplementation newTransaction( LoginContext loginContext, Locks.Client locks )
+ public KernelTransactionImplementation newTransaction( SecurityContext securityContext, Locks.Client locks )
 {
- return newTransaction( 0, loginContext, locks, defaultTransactionTimeoutMillis );
+ return newTransaction( 0, securityContext, locks, defaultTransactionTimeoutMillis );
 }
- public KernelTransactionImplementation newTransaction( long lastTransactionIdWhenStarted, LoginContext loginContext )
+ public KernelTransactionImplementation newTransaction( long lastTransactionIdWhenStarted, SecurityContext securityContext )
 {
- return newTransaction( lastTransactionIdWhenStarted, loginContext, defaultTransactionTimeoutMillis );
+ return newTransaction( lastTransactionIdWhenStarted, securityContext, defaultTransactionTimeoutMillis );
 }
- public KernelTransactionImplementation newTransaction( long lastTransactionIdWhenStarted, LoginContext loginContext,
+ public KernelTransactionImplementation newTransaction( long lastTransactionIdWhenStarted, SecurityContext securityContext,
 long transactionTimeoutMillis )
 {
- return newTransaction( lastTransactionIdWhenStarted, loginContext, new NoOpClient(), transactionTimeoutMillis );
+ return newTransaction( lastTransactionIdWhenStarted, securityContext, new NoOpClient(), transactionTimeoutMillis );
 }
- public KernelTransactionImplementation newTransaction( long lastTransactionIdWhenStarted, LoginContext loginContext,
+ public KernelTransactionImplementation newTransaction( long lastTransactionIdWhenStarted, SecurityContext securityContext,
 Locks.Client locks, long transactionTimeout )
 {
 KernelTransactionImplementation tx = newNotInitializedTransaction();
 StatementLocks statementLocks = new SimpleStatementLocks( locks );
- SecurityContext securityContext = loginContext.authorize( mock( Token.class ) );
 tx.initialize( lastTransactionIdWhenStarted, BASE_TX_COMMIT_TIMESTAMP,statementLocks, Type.implicit, securityContext, transactionTimeout, 1L );
 return tx;
diff --git a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionTimeoutMonitorIT.java b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionTimeoutMonitorIT.java
index 7f00b1bba1c6e..68517dca00edc 100644
--- a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionTimeoutMonitorIT.java
+++ b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionTimeoutMonitorIT.java
@@ -35,8 +35,8 @@ import org.neo4j.graphdb.Node;
 import org.neo4j.graphdb.Transaction;
 import org.neo4j.graphdb.factory.GraphDatabaseSettings;
-import org.neo4j.internal.kernel.api.security.LoginContext;
 import org.neo4j.kernel.api.KernelTransaction;
+import org.neo4j.internal.kernel.api.security.SecurityContext;
 import org.neo4j.kernel.impl.coreapi.InternalTransaction;
 import org.neo4j.test.rule.DatabaseRule;
 import org.neo4j.test.rule.EmbeddedDatabaseRule;
@@ -144,8 +144,8 @@ private Runnable startAnotherTransaction()
 {
 return () ->
 {
- try ( InternalTransaction ignored = database
- .beginTransaction( KernelTransaction.Type.implicit, LoginContext.AUTH_DISABLED, 1,
+ try ( InternalTransaction transaction = database
+ .beginTransaction( KernelTransaction.Type.implicit, SecurityContext.AUTH_DISABLED, 1,
 TimeUnit.SECONDS ) )
 {
 Node node = database.getNodeById( NODE_ID );
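Review bot: The full `newTransaction( long, SecurityContext, Locks.Client, long )` overload now hands the caller's context straight to `tx.initialize`, where the removed line used to derive it through `authorize( ... )`; nothing in the hunk freezes it, and the `freeze()`-failure test elsewhere in this commit suggests that step lives in `KernelTransactions.newInstance`, which this helper bypasses. Whether `KernelTransactionImplementation.initialize` expects an already-frozen context I cannot tell from here, but every test built on this base now runs with whatever `AnonymousContext.read()` / `write()` or `AUTH_DISABLED` is, unfrozen. A one-line comment on the overload would save the next reader the same question, e.g. `// Bypasses KernelTransactions.newInstance: the context is passed to initialize as-is, without freeze()`. The enclosing class continues past the end of the hunk.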
diff --git a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionsTest.java b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionsTest.java
index f6a2de6d14706..749f590d27f1d 100644
--- a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionsTest.java
+++ b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/KernelTransactionsTest.java
@@ -35,7 +35,7 @@ import org.neo4j.graphdb.DatabaseShutdownException;
 import org.neo4j.graphdb.security.AuthorizationExpiredException;
-import org.neo4j.internal.kernel.api.security.LoginContext;
+import org.neo4j.internal.kernel.api.security.SecurityContext;
 import org.neo4j.kernel.AvailabilityGuard;
 import org.neo4j.kernel.api.KernelTransaction;
 import org.neo4j.kernel.api.KernelTransactionHandle;
@@ -103,7 +103,7 @@ import static org.mockito.Mockito.when;
 import static org.neo4j.helpers.collection.Iterators.asSet;
 import static org.neo4j.internal.kernel.api.Transaction.Type.explicit;
-import static org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED;
+import static org.neo4j.internal.kernel.api.security.SecurityContext.AUTH_DISABLED;
 import static org.neo4j.kernel.impl.transaction.TransactionHeaderInformationFactory.DEFAULT;
 import static org.neo4j.test.assertion.Assert.assertException;
@@ -408,10 +408,10 @@ public void unblockNewTransactionsFromWrongThreadThrows() throws Throwable
 public void shouldNotLeakTransactionOnSecurityContextFreezeFailure() throws Throwable
 {
 KernelTransactions kernelTransactions = newKernelTransactions();
- LoginContext loginContext = mock( LoginContext.class );
- when( loginContext.authorize( any() ) ).thenThrow( new AuthorizationExpiredException( "Freeze failed." ) );
+ SecurityContext securityContext = mock(SecurityContext.class);
+ when( securityContext.freeze() ).thenThrow( new AuthorizationExpiredException( "Freeze failed." ) );
- assertException(() -> kernelTransactions.newInstance(KernelTransaction.Type.explicit, loginContext, 0L),
+ assertException(() -> kernelTransactions.newInstance(KernelTransaction.Type.explicit, securityContext, 0L),
 AuthorizationExpiredException.class, "Freeze failed.");
 assertThat("We should not have any transaction", kernelTransactions.activeTransactions(), is(empty()));
@@ -421,17 +421,19 @@ public void shouldNotLeakTransactionOnSecurityContextFreezeFailure() throws Thro
 public void exceptionWhenStartingNewTransactionOnShutdownInstance() throws Throwable
 {
 KernelTransactions kernelTransactions = newKernelTransactions();
+ SecurityContext securityContext = mock( SecurityContext.class );
 availabilityGuard.shutdown();
 expectedException.expect( DatabaseShutdownException.class );
- kernelTransactions.newInstance( KernelTransaction.Type.explicit, AUTH_DISABLED, 0L );
+ kernelTransactions.newInstance( KernelTransaction.Type.explicit, securityContext, 0L );
 }
 @Test
 public void exceptionWhenStartingNewTransactionOnStoppedKernelTransactions() throws Throwable
 {
 KernelTransactions kernelTransactions = newKernelTransactions();
+ SecurityContext securityContext = mock( SecurityContext.class );
 t2.execute( (OtherThreadExecutor.WorkerCommand) state -> {
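Review bot: `SecurityContext securityContext = mock(SecurityContext.class);` in `shouldNotLeakTransactionOnSecurityContextFreezeFailure` drops the spaces inside the parentheses that the rest of this file uses, including the identical expression added two tests further down as `mock( SecurityContext.class )`. Write it as `SecurityContext securityContext = mock( SecurityContext.class );` so the file stays uniform under its formatter. The stubbing of `freeze()` to throw is otherwise the right way to drive the leak check.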
@@ -440,18 +442,19 @@ public void exceptionWhenStartingNewTransactionOnStoppedKernelTransactions() thr
 } ).get();
 expectedException.expect( IllegalStateException.class );
- kernelTransactions.newInstance( KernelTransaction.Type.explicit, AUTH_DISABLED, 0L );
+ kernelTransactions.newInstance( KernelTransaction.Type.explicit, securityContext, 0L );
 }
 @Test
 public void startNewTransactionOnRestartedKErnelTransactions() throws Throwable
 {
 KernelTransactions kernelTransactions = newKernelTransactions();
+ SecurityContext securityContext = mock( SecurityContext.class );
 kernelTransactions.stop();
 kernelTransactions.start();
 assertNotNull( "New transaction created by restarted kernel transactions component.",
- kernelTransactions.newInstance( KernelTransaction.Type.explicit, AUTH_DISABLED, 0L ) );
+ kernelTransactions.newInstance( KernelTransaction.Type.explicit, securityContext, 0L ) );
 }
 @Test
diff --git a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/constraints/ConstraintIndexCreatorTest.java b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/constraints/ConstraintIndexCreatorTest.java
index a2d8d711414d0..ccf7fda1348f5 100644
--- a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/constraints/ConstraintIndexCreatorTest.java
+++ b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/constraints/ConstraintIndexCreatorTest.java
@@ -40,7 +40,6 @@ import org.neo4j.internal.kernel.api.TokenWrite;
 import org.neo4j.internal.kernel.api.Write;
 import org.neo4j.internal.kernel.api.schema.LabelSchemaDescriptor;
-import org.neo4j.internal.kernel.api.security.LoginContext;
 import org.neo4j.internal.kernel.api.security.SecurityContext;
 import org.neo4j.kernel.api.InwardKernel;
 import org.neo4j.kernel.api.KernelTransaction;
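Review bot: `startNewTransactionOnRestartedKErnelTransactions` now passes a bare `mock( SecurityContext.class )` to `newInstance` in place of `AUTH_DISABLED`; unless `freeze()` is stubbed, a Mockito mock returns null from it, and the earlier test in this file stubs exactly that call to make `newInstance` fail, which suggests the transaction created here is initialised with a null security context. The `assertNotNull` still passes, but the test no longer exercises a realistic context, and the static `AUTH_DISABLED` import this commit updates at the top of the file may be left unused. Either keep `AUTH_DISABLED` here, or add `when( securityContext.freeze() ).thenReturn( securityContext );` before `kernelTransactions.stop();`. The two exception tests above only need a placeholder argument, so the plain mock is fine there.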
@@ -326,13 +325,13 @@ private class StubKernel implements InwardKernel private final List statements = new ArrayList<>(); @Override - public KernelTransaction newTransaction( KernelTransaction.Type type, LoginContext loginContext ) + public KernelTransaction newTransaction( KernelTransaction.Type type, SecurityContext securityContext ) { return new StubKernelTransaction(); } @Override - public KernelTransaction newTransaction( KernelTransaction.Type type, LoginContext loginContext, long timeout ) + public KernelTransaction newTransaction( KernelTransaction.Type type, SecurityContext securityContext, long timeout ) throws TransactionFailureException { return new StubKernelTransaction( timeout ); @@ -370,7 +369,7 @@ public CursorFactory cursors() } @Override - public Session beginSession( LoginContext loginContext ) + public Session beginSession( SecurityContext securityContext ) { throw new UnsupportedOperationException(); } diff --git a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/index/IndexIT.java b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/index/IndexIT.java index 2114bd59ec994..32ac35b8078d4 100644 --- a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/index/IndexIT.java +++ b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/index/IndexIT.java 
@@ -36,16 +36,18 @@ import org.neo4j.helpers.collection.Iterables;
 import org.neo4j.helpers.collection.Iterators;
 import org.neo4j.internal.kernel.api.exceptions.KernelException;
-import org.neo4j.internal.kernel.api.exceptions.schema.SchemaKernelException;
 import org.neo4j.internal.kernel.api.schema.LabelSchemaDescriptor;
+import org.neo4j.internal.kernel.api.security.SecurityContext;
 import org.neo4j.kernel.api.DataWriteOperations;
 import org.neo4j.kernel.api.ReadOperations;
 import org.neo4j.kernel.api.SchemaWriteOperations;
 import org.neo4j.kernel.api.Statement;
 import org.neo4j.kernel.api.TokenWriteOperations;
+import org.neo4j.internal.kernel.api.exceptions.schema.SchemaKernelException;
 import org.neo4j.kernel.api.index.PropertyAccessor;
 import org.neo4j.kernel.api.schema.SchemaDescriptorFactory;
 import org.neo4j.kernel.api.schema.index.IndexDescriptor;
+import org.neo4j.kernel.api.security.AnonymousContext;
 import org.neo4j.kernel.impl.api.integrationtest.KernelIntegrationTest;
 import org.neo4j.kernel.impl.api.state.ConstraintIndexCreator;
 import org.neo4j.kernel.internal.GraphDatabaseAPI;
@@ -59,7 +61,6 @@ import static org.junit.Assert.fail;
 import static org.mockito.Mockito.mock;
 import static org.neo4j.helpers.collection.Iterators.asSet;
-import static org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED;
 public class IndexIT extends KernelIntegrationTest
 {
@@ -146,7 +147,7 @@ public void committedAndTransactionalIndexRulesShouldBeMerged() throws Exception
 commit();
 // WHEN
- Statement statement = statementInNewTransaction( AUTH_DISABLED );
+ Statement statement = statementInNewTransaction( AnonymousContext.AUTH_DISABLED );
 IndexDescriptor addedRule = statement.schemaWriteOperations() .indexCreate( SchemaDescriptorFactory.forLabel( labelId, 10 ) );
 Set indexRulesInTx = asSet( statement.readOperations().indexesGetForLabel( labelId ) );
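Review bot: `statementInNewTransaction( AnonymousContext.AUTH_DISABLED )` in `committedAndTransactionalIndexRulesShouldBeMerged` reaches the constant through `AnonymousContext`, while the same call in `shouldListConstraintIndexesInTheBeansAPI` further down this file uses `SecurityContext.AUTH_DISABLED`, and the import hunk above brings in both types to support the two spellings. Presumably `AnonymousContext` inherits the constant from `SecurityContext` so both resolve to the same object, but accessing a static member through a subtype is misleading and is the only reason the `AnonymousContext` import was added. Use `Statement statement = statementInNewTransaction( SecurityContext.AUTH_DISABLED );` here and drop the `AnonymousContext` import if nothing else in the file needs it. The same import hunk also moves `SchemaKernelException` out of its sorted position for no functional reason.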
@@ -261,7 +262,7 @@ public void shouldFailToCreateIndexWhereAConstraintAlreadyExists() throws Except public void shouldListConstraintIndexesInTheBeansAPI() throws Exception { // given - Statement statement = statementInNewTransaction( AUTH_DISABLED ); + Statement statement = statementInNewTransaction( SecurityContext.AUTH_DISABLED ); statement.schemaWriteOperations().uniquePropertyConstraintCreate( SchemaDescriptorFactory.forLabel( statement.tokenWriteOperations().labelGetOrCreateForName( "Label1" ), diff --git a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/index/IndexPopulationJobTest.java b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/index/IndexPopulationJobTest.java index beb9ef23b5a0f..db68cd5c95290 100644 --- a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/index/IndexPopulationJobTest.java +++ b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/index/IndexPopulationJobTest.java @@ -44,6 +44,7 @@ import org.neo4j.internal.kernel.api.exceptions.schema.IllegalTokenNameException; import org.neo4j.internal.kernel.api.exceptions.schema.TooManyLabelsException; import org.neo4j.internal.kernel.api.schema.LabelSchemaDescriptor; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.api.InwardKernel; import org.neo4j.kernel.api.KernelTransaction; import org.neo4j.kernel.api.Statement; @@ -96,7 +97,7 @@ import static org.neo4j.helpers.collection.MapUtil.genericMap; import static org.neo4j.helpers.collection.MapUtil.map; import static org.neo4j.internal.kernel.api.IndexCapability.NO_CAPABILITY; -import static org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED; +import static org.neo4j.internal.kernel.api.security.SecurityContext.AUTH_DISABLED; import static org.neo4j.kernel.api.index.IndexEntryUpdate.add; import static org.neo4j.kernel.impl.api.index.IndexingService.NO_MONITOR; import static org.neo4j.kernel.impl.api.index.TestSchemaIndexProviderDescriptor.PROVIDER_DESCRIPTOR; 
@@ -625,7 +626,7 @@ private IndexPopulationJob newIndexPopulationJob( FailedIndexProxyFactory failur private IndexDescriptor indexDescriptor( Label label, String propertyKey, boolean constraint ) throws TransactionFailureException, IllegalTokenNameException, TooManyLabelsException { - try ( KernelTransaction tx = kernel.newTransaction( KernelTransaction.Type.implicit, AUTH_DISABLED ); + try ( KernelTransaction tx = kernel.newTransaction( KernelTransaction.Type.implicit, SecurityContext.AUTH_DISABLED ); Statement statement = tx.acquireStatement() ) { int labelId = statement.tokenWriteOperations().labelGetOrCreateForName( label.name() ); diff --git a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/BuiltInProceduresIT.java b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/BuiltInProceduresIT.java index eb5de0fb02779..18ecc48817621 100644 --- a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/BuiltInProceduresIT.java +++ b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/BuiltInProceduresIT.java @@ -31,7 +31,7 @@ import org.neo4j.collection.RawIterator; import org.neo4j.graphdb.Transaction; import org.neo4j.helpers.collection.MapUtil; -import org.neo4j.internal.kernel.api.Token; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.api.Statement; import org.neo4j.kernel.api.TokenWriteOperations; import org.neo4j.kernel.api.exceptions.ProcedureException; @@ -46,9 +46,7 @@ import static org.hamcrest.Matchers.containsInAnyOrder; import static org.hamcrest.core.IsEqual.equalTo; import static org.junit.Assert.fail; -import static org.mockito.Mockito.mock; import static org.neo4j.helpers.collection.Iterators.asList; -import static org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED; import static org.neo4j.kernel.api.proc.ProcedureSignature.procedureName; import static org.neo4j.kernel.api.schema.SchemaDescriptorFactory.forLabel; 
@@ -268,7 +266,7 @@ public void failWhenCallingNonExistingProcedures() throws Throwable { // When dbmsOperations().procedureCallDbms( procedureName( "dbms", "iDoNotExist" ), new Object[0], - AnonymousContext.none().authorize( mock( Token.class ) ) ); + AnonymousContext.none() ); fail( "This should never get here" ); } catch ( Exception e ) @@ -298,7 +296,7 @@ public void listAllComponents() throws Throwable public void listAllIndexes() throws Throwable { // Given - Statement statement = statementInNewTransaction( AUTH_DISABLED ); + Statement statement = statementInNewTransaction( SecurityContext.AUTH_DISABLED ); int labelId1 = statement.tokenWriteOperations().labelGetOrCreateForName( "Person" ); int labelId2 = statement.tokenWriteOperations().labelGetOrCreateForName( "Age" ); int propertyKeyId1 = statement.tokenWriteOperations().propertyKeyGetOrCreateForName( "foo" ); diff --git a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/CompositeUniquenessConstraintValidationIT.java b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/CompositeUniquenessConstraintValidationIT.java index 1d5a9109fa025..f0b719cc03637 100644 --- a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/CompositeUniquenessConstraintValidationIT.java +++ b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/CompositeUniquenessConstraintValidationIT.java 
@@ -34,14 +34,14 @@ import org.neo4j.graphdb.Node; import org.neo4j.graphdb.Transaction; -import org.neo4j.internal.kernel.api.exceptions.KernelException; -import org.neo4j.internal.kernel.api.security.LoginContext; import org.neo4j.kernel.api.InwardKernel; import org.neo4j.kernel.api.KernelTransaction; import org.neo4j.kernel.api.Statement; +import org.neo4j.internal.kernel.api.exceptions.KernelException; import org.neo4j.kernel.api.exceptions.TransactionFailureException; import org.neo4j.kernel.api.exceptions.schema.UniquePropertyValueValidationException; import org.neo4j.kernel.api.schema.constaints.ConstraintDescriptorFactory; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.internal.GraphDatabaseAPI; import org.neo4j.test.rule.ImpermanentDatabaseRule; import org.neo4j.values.storable.Values; @@ -319,7 +319,7 @@ private void newTransaction() throws KernelException { fail( "tx already opened" ); } - transaction = kernel.newTransaction( KernelTransaction.Type.implicit, LoginContext.AUTH_DISABLED ); + transaction = kernel.newTransaction( KernelTransaction.Type.implicit, SecurityContext.AUTH_DISABLED ); statement = transaction.acquireStatement(); } diff --git a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/KernelIT.java b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/KernelIT.java index 8b09e1ff58a17..a43257dcac2a7 100644 --- a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/KernelIT.java +++ b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/KernelIT.java 
@@ -38,14 +38,15 @@ import org.neo4j.graphdb.Transaction; import org.neo4j.graphdb.TransactionFailureException; import org.neo4j.internal.kernel.api.exceptions.InvalidTransactionTypeKernelException; -import org.neo4j.internal.kernel.api.exceptions.schema.SchemaKernelException; import org.neo4j.internal.kernel.api.schema.LabelSchemaDescriptor; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.api.KernelTransaction; import org.neo4j.kernel.api.SchemaWriteOperations; import org.neo4j.kernel.api.Statement; import org.neo4j.kernel.api.TokenWriteOperations; import org.neo4j.kernel.api.exceptions.EntityNotFoundException; import org.neo4j.kernel.api.exceptions.Status; +import org.neo4j.internal.kernel.api.exceptions.schema.SchemaKernelException; import org.neo4j.kernel.api.schema.index.IndexDescriptor; import org.neo4j.kernel.impl.transaction.log.TransactionIdStore; import org.neo4j.kernel.internal.GraphDatabaseAPI; @@ -61,7 +62,7 @@ import static org.junit.Assert.assertTrue; import static org.junit.Assert.fail; import static org.neo4j.graphdb.Label.label; -import static org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED; +import static org.neo4j.internal.kernel.api.security.SecurityContext.AUTH_DISABLED; import static org.neo4j.kernel.api.schema.SchemaDescriptorFactory.forLabel; import static org.neo4j.test.assertion.Assert.assertEventually; @@ -500,7 +501,7 @@ public void schemaStateShouldBeEvictedOnIndexComingOnline() throws Exception commit(); // WHEN - createIndex( statementInNewTransaction( AUTH_DISABLED ) ); + createIndex( statementInNewTransaction( SecurityContext.AUTH_DISABLED ) ); commit(); try ( Transaction tx = db.beginTx() ) 
@@ -518,7 +519,7 @@ public void schemaStateShouldBeEvictedOnIndexComingOnline() throws Exception public void schemaStateShouldBeEvictedOnIndexDropped() throws Exception { // GIVEN - IndexDescriptor idx = createIndex( statementInNewTransaction( AUTH_DISABLED ) ); + IndexDescriptor idx = createIndex( statementInNewTransaction( SecurityContext.AUTH_DISABLED ) ); commit(); try ( Transaction tx = db.beginTx() ) diff --git a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/KernelIntegrationTest.java b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/KernelIntegrationTest.java index 1777c064e07bd..a9f1e492cc77c 100644 --- a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/KernelIntegrationTest.java +++ b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/KernelIntegrationTest.java @@ -26,7 +26,6 @@ import org.neo4j.graphdb.GraphDatabaseService; import org.neo4j.graphdb.factory.GraphDatabaseBuilder; -import org.neo4j.internal.kernel.api.security.LoginContext; import org.neo4j.kernel.api.DataWriteOperations; import org.neo4j.kernel.api.InwardKernel; import org.neo4j.kernel.api.KernelTransaction; @@ -39,6 +38,7 @@ import org.neo4j.internal.kernel.api.exceptions.KernelException; import org.neo4j.kernel.api.exceptions.TransactionFailureException; import org.neo4j.kernel.api.security.AnonymousContext; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.impl.api.index.IndexingService; import org.neo4j.kernel.impl.core.ThreadToStatementContextBridge; import org.neo4j.kernel.internal.GraphDatabaseAPI; @@ -46,7 +46,7 @@ import org.neo4j.test.rule.TestDirectory; import org.neo4j.test.rule.fs.DefaultFileSystemRule; -import static org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED; +import static org.neo4j.internal.kernel.api.security.SecurityContext.AUTH_DISABLED; public abstract class KernelIntegrationTest { 
@@ -65,9 +65,9 @@ public abstract class KernelIntegrationTest private Statement statement; private DbmsOperations dbmsOperations; - protected Statement statementInNewTransaction( LoginContext loginContext ) throws KernelException + protected Statement statementInNewTransaction( SecurityContext securityContext ) throws KernelException { - transaction = kernel.newTransaction( KernelTransaction.Type.implicit, loginContext ); + transaction = kernel.newTransaction( KernelTransaction.Type.implicit, securityContext ); statement = transaction.acquireStatement(); return statement; } diff --git a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/NodeGetUniqueFromIndexSeekIT.java b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/NodeGetUniqueFromIndexSeekIT.java index 78e0d016fa2c5..d2126ecef5455 100644 --- a/community/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/NodeGetUniqueFromIndexSeekIT.java +++ b/community/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/NodeGetUniqueFromIndexSeekIT.java @@ -25,7 +25,7 @@ import org.neo4j.graphdb.Transaction; import org.neo4j.internal.kernel.api.exceptions.KernelException; import org.neo4j.internal.kernel.api.schema.LabelSchemaDescriptor; -import org.neo4j.internal.kernel.api.security.LoginContext; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.api.DataWriteOperations; import org.neo4j.kernel.api.ReadOperations; import org.neo4j.kernel.api.Statement; 
@@ -248,7 +248,7 @@ private long createNodeWithValues( Value value1, Value value2 ) throws KernelExc private IndexDescriptor createUniquenessConstraint( int labelId, int... propertyIds ) throws Exception { - Statement statement = statementInNewTransaction( LoginContext.AUTH_DISABLED ); + Statement statement = statementInNewTransaction( SecurityContext.AUTH_DISABLED ); LabelSchemaDescriptor descriptor = SchemaDescriptorFactory.forLabel( labelId, propertyIds ); statement.schemaWriteOperations().uniquePropertyConstraintCreate( descriptor ); IndexDescriptor result = statement.readOperations().indexGetForSchema( descriptor ); diff --git a/community/kernel/src/test/java/org/neo4j/kernel/impl/coreapi/TxStateTransactionDataViewTest.java b/community/kernel/src/test/java/org/neo4j/kernel/impl/coreapi/TxStateTransactionDataViewTest.java index 921505cba11f7..b510e56ae7ad5 100644 --- a/community/kernel/src/test/java/org/neo4j/kernel/impl/coreapi/TxStateTransactionDataViewTest.java +++ b/community/kernel/src/test/java/org/neo4j/kernel/impl/coreapi/TxStateTransactionDataViewTest.java 
@@ -30,15 +30,14 @@ import org.neo4j.graphdb.Relationship; import org.neo4j.graphdb.event.LabelEntry; import org.neo4j.graphdb.event.PropertyEntry; -import org.neo4j.internal.kernel.api.Token; -import org.neo4j.internal.kernel.api.security.AccessMode; -import org.neo4j.internal.kernel.api.security.AuthSubject; -import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.api.AssertOpen; import org.neo4j.kernel.api.KernelTransaction; import org.neo4j.kernel.api.Statement; import org.neo4j.kernel.api.properties.PropertyKeyValue; +import org.neo4j.internal.kernel.api.security.AccessMode; import org.neo4j.kernel.api.security.AnonymousContext; +import org.neo4j.internal.kernel.api.security.AuthSubject; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.api.txstate.TransactionState; import org.neo4j.kernel.impl.api.KernelTransactionImplementation; import org.neo4j.kernel.impl.api.state.TxState; @@ -346,7 +345,7 @@ public void accessTransactionIdAndCommitTime() @Test public void shouldGetEmptyUsernameForAnonymousContext() { - when( transaction.securityContext() ).thenReturn( AnonymousContext.read().authorize( mock( Token.class ) ) ); + when( transaction.securityContext() ).thenReturn( AnonymousContext.read() ); TxStateTransactionDataSnapshot transactionDataSnapshot = snapshot(); assertEquals( "", transactionDataSnapshot.username() ); @@ -358,7 +357,7 @@ public void shouldAccessUsernameFromAuthSubject() AuthSubject authSubject = mock( AuthSubject.class ); when( authSubject.username() ).thenReturn( "Christof" ); when( transaction.securityContext() ) - .thenReturn( new SecurityContext( authSubject, AccessMode.Static.FULL ) ); + .thenReturn( new SecurityContext.Frozen( authSubject, AccessMode.Static.FULL ) ); TxStateTransactionDataSnapshot transactionDataSnapshot = snapshot(); assertEquals( "Christof", transactionDataSnapshot.username() ); 
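Review bot: The three re-added `org.neo4j.internal.kernel.api.security` imports (`AccessMode`, `AuthSubject`, `SecurityContext`) are spliced between `org.neo4j.kernel.api.properties.PropertyKeyValue`, `AnonymousContext` and `TransactionState`, which breaks the lexicographic order the rest of this import block keeps and that the removed lines respected, directly after `org.neo4j.graphdb.event.PropertyEntry`. Only `Token` actually goes away, so the hunk could be the single line `-import org.neo4j.internal.kernel.api.Token;` with the other three left where they were. The same out-of-order placement of `SecurityContext` / `SchemaKernelException` / `KernelException` imports recurs in several other files in this commit.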
diff --git a/community/kernel/src/test/java/org/neo4j/kernel/impl/event/TransactionEventsIT.java b/community/kernel/src/test/java/org/neo4j/kernel/impl/event/TransactionEventsIT.java
index 59e58142a56aa..1ae67b47211f2 100644
--- a/community/kernel/src/test/java/org/neo4j/kernel/impl/event/TransactionEventsIT.java
+++ b/community/kernel/src/test/java/org/neo4j/kernel/impl/event/TransactionEventsIT.java
@@ -46,8 +46,6 @@ import org.neo4j.graphdb.Transaction;
 import org.neo4j.graphdb.event.TransactionData;
 import org.neo4j.graphdb.event.TransactionEventHandler;
-import org.neo4j.internal.kernel.api.Token;
-import org.neo4j.internal.kernel.api.security.LoginContext;
 import org.neo4j.kernel.api.KernelTransaction;
 import org.neo4j.kernel.api.Statement;
 import org.neo4j.internal.kernel.api.security.AccessMode;
@@ -188,22 +186,9 @@ public void shouldGetSpecifiedUsernameAndMetaDataInTXData()
 } ) );
 AuthSubject subject = mock( AuthSubject.class );
 when( subject.username() ).thenReturn( "Christof" );
- LoginContext loginContext = new LoginContext()
- {
- @Override
- public AuthSubject subject()
- {
- return subject;
- }
-
- @Override
- public SecurityContext authorize( Token token )
- {
- return new SecurityContext( subject, AccessMode.Static.WRITE );
- }
- };
+ SecurityContext securityContext = new SecurityContext.Frozen( subject, AccessMode.Static.WRITE );
 Map metadata = genericMap( "username", "joe" );
- runTransaction( loginContext, metadata );
+ runTransaction( securityContext, metadata );
 assertThat( "Should have specified username", usernameRef.get(), equalTo( "Christof" ) );
 assertThat( "Should have metadata with specified username", metaDataRef.get(), equalTo( metadata ) );
@@ -321,9 +306,9 @@ private void runTransaction() runTransaction( AnonymousContext.write(), Collections.emptyMap() ); } - private void runTransaction( LoginContext loginContext, Map metaData ) + private void runTransaction( SecurityContext securityContext, Map metaData ) { - try ( Transaction transaction = db.beginTransaction( KernelTransaction.Type.explicit, loginContext ); + try ( Transaction transaction = db.beginTransaction( KernelTransaction.Type.explicit, securityContext ); Statement statement = db.getDependencyResolver().resolveDependency( ThreadToStatementContextBridge.class ).get() ) { statement.queryRegistration().setMetaData( metaData ); diff --git a/community/kernel/src/test/java/org/neo4j/kernel/impl/factory/GraphDatabaseFacadeTest.java b/community/kernel/src/test/java/org/neo4j/kernel/impl/factory/GraphDatabaseFacadeTest.java index 45dd7135ac9df..d15b3ef578441 100644 --- a/community/kernel/src/test/java/org/neo4j/kernel/impl/factory/GraphDatabaseFacadeTest.java +++ b/community/kernel/src/test/java/org/neo4j/kernel/impl/factory/GraphDatabaseFacadeTest.java @@ -46,7 +46,7 @@ import static org.mockito.Mockito.times; import static org.mockito.Mockito.verify; import static org.mockito.Mockito.when; -import static org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED; +import static org.neo4j.internal.kernel.api.security.SecurityContext.AUTH_DISABLED; public class GraphDatabaseFacadeTest { diff --git a/community/kernel/src/test/java/org/neo4j/kernel/impl/newapi/NodeValueClientFilterTest.java b/community/kernel/src/test/java/org/neo4j/kernel/impl/newapi/NodeValueClientFilterTest.java index b009a36ebb6dc..471086b9d30ed 100644 --- a/community/kernel/src/test/java/org/neo4j/kernel/impl/newapi/NodeValueClientFilterTest.java +++ b/community/kernel/src/test/java/org/neo4j/kernel/impl/newapi/NodeValueClientFilterTest.java 
@@ -28,7 +28,6 @@ import org.neo4j.internal.kernel.api.IndexQuery; -import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.api.schema.index.IndexDescriptor; import org.neo4j.kernel.api.schema.index.IndexDescriptorFactory; import org.neo4j.storageengine.api.schema.IndexProgressor; @@ -38,7 +37,6 @@ import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; -import static org.mockito.Mockito.when; import static org.neo4j.kernel.impl.newapi.MockStore.block; import static org.neo4j.kernel.impl.store.record.AbstractBaseRecord.NO_ID; import static org.neo4j.values.storable.Values.stringValue; @@ -99,7 +97,6 @@ public void shouldRejectNodeWithNoProperties() throws Exception @Test public void shouldAcceptNodeWithMatchingProperty() throws Exception { - when( store.ktx.securityContext() ).thenReturn( SecurityContext.AUTH_DISABLED ); // given store.node( 17, 1, false, NO_ID, 0 ); store.property( 1, NO_ID, NO_ID, block( 12, stringValue( "hello" ) ) ); @@ -117,7 +114,6 @@ public void shouldAcceptNodeWithMatchingProperty() throws Exception @Test public void shouldNotAcceptNodeWithoutMatchingProperty() throws Exception { - when( store.ktx.securityContext() ).thenReturn( SecurityContext.AUTH_DISABLED ); // given store.node( 17, 1, false, NO_ID, 0 ); store.property( 1, NO_ID, NO_ID, block( 7, stringValue( "wrong" ) ) ); diff --git a/community/kernel/src/test/java/org/neo4j/kernel/impl/store/NeoStoresTest.java b/community/kernel/src/test/java/org/neo4j/kernel/impl/store/NeoStoresTest.java index f08234085c918..64c7830ca4c71 100644 --- a/community/kernel/src/test/java/org/neo4j/kernel/impl/store/NeoStoresTest.java +++ b/community/kernel/src/test/java/org/neo4j/kernel/impl/store/NeoStoresTest.java 
@@ -109,7 +109,7 @@
 import static org.neo4j.function.Predicates.ALWAYS_TRUE_INT;
 import static org.neo4j.graphdb.factory.GraphDatabaseSettings.counts_store_rotation_timeout;
 import static org.neo4j.helpers.collection.MapUtil.stringMap;
-import static org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED;
+import static org.neo4j.internal.kernel.api.security.SecurityContext.AUTH_DISABLED;
 import static org.neo4j.kernel.api.AssertOpen.ALWAYS_OPEN;
 import static org.neo4j.kernel.impl.locking.LockService.NO_LOCK;
 import static org.neo4j.kernel.impl.store.RecordStore.getRecord;
diff --git a/community/kernel/src/test/java/org/neo4j/test/rule/DatabaseRule.java b/community/kernel/src/test/java/org/neo4j/test/rule/DatabaseRule.java
index 0710a13504233..82b1d80459959 100644
--- a/community/kernel/src/test/java/org/neo4j/test/rule/DatabaseRule.java
+++ b/community/kernel/src/test/java/org/neo4j/test/rule/DatabaseRule.java
@@ -51,10 +51,10 @@
 import org.neo4j.graphdb.security.URLAccessValidationError;
 import org.neo4j.graphdb.traversal.BidirectionalTraversalDescription;
 import org.neo4j.graphdb.traversal.TraversalDescription;
-import org.neo4j.internal.kernel.api.security.LoginContext;
 import org.neo4j.io.fs.FileSystemAbstraction;
 import org.neo4j.kernel.api.KernelTransaction;
 import org.neo4j.kernel.api.Statement;
+import org.neo4j.internal.kernel.api.security.SecurityContext;
 import org.neo4j.kernel.configuration.Config;
 import org.neo4j.kernel.impl.core.ThreadToStatementContextBridge;
 import org.neo4j.kernel.impl.coreapi.InternalTransaction;
@@ -199,16 +199,16 @@ public Result execute( String query, Map parameters, long timeout } @Override - public InternalTransaction beginTransaction( KernelTransaction.Type type, LoginContext loginContext ) + public InternalTransaction beginTransaction( KernelTransaction.Type type, SecurityContext securityContext ) { - return getGraphDatabaseAPI().beginTransaction( type, loginContext ); + return getGraphDatabaseAPI().beginTransaction( type, securityContext ); } @Override - public InternalTransaction beginTransaction( KernelTransaction.Type type, LoginContext loginContext, long timeout, + public InternalTransaction beginTransaction( KernelTransaction.Type type, SecurityContext securityContext, long timeout, TimeUnit unit ) { - return getGraphDatabaseAPI().beginTransaction( type, loginContext, timeout, unit ); + return getGraphDatabaseAPI().beginTransaction( type, securityContext, timeout, unit ); } @Override diff --git a/community/neo4j/src/test/java/org/neo4j/locking/QueryExecutionLocksIT.java b/community/neo4j/src/test/java/org/neo4j/locking/QueryExecutionLocksIT.java index 32307e02c77e5..6f0738efe75f5 100644 --- a/community/neo4j/src/test/java/org/neo4j/locking/QueryExecutionLocksIT.java +++ b/community/neo4j/src/test/java/org/neo4j/locking/QueryExecutionLocksIT.java @@ -53,7 +53,6 @@ import org.neo4j.internal.kernel.api.schema.LabelSchemaDescriptor; import org.neo4j.internal.kernel.api.schema.SchemaDescriptor; import org.neo4j.internal.kernel.api.schema.constraints.ConstraintDescriptor; -import org.neo4j.internal.kernel.api.security.LoginContext; import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.GraphDatabaseQueryService; import org.neo4j.kernel.api.ExplicitIndexHits; 
@@ -207,7 +206,7 @@ private List traceQueryLocks( String query, LockOperationLi GraphDatabaseQueryService graph = databaseRule.resolveDependency( GraphDatabaseQueryService.class ); QueryExecutionEngine executionEngine = databaseRule.resolveDependency( QueryExecutionEngine.class ); try ( InternalTransaction tx = graph - .beginTransaction( KernelTransaction.Type.implicit, LoginContext.AUTH_DISABLED ) ) + .beginTransaction( KernelTransaction.Type.implicit, SecurityContext.AUTH_DISABLED ) ) { TransactionalContextWrapper context = new TransactionalContextWrapper( createTransactionContext( graph, tx, query ), listeners ); diff --git a/community/security/src/main/java/org/neo4j/server/security/auth/BasicAuthManager.java b/community/security/src/main/java/org/neo4j/server/security/auth/BasicAuthManager.java index 3e9d19adb5d17..ec4a9cacf4777 100644 --- a/community/security/src/main/java/org/neo4j/server/security/auth/BasicAuthManager.java +++ b/community/security/src/main/java/org/neo4j/server/security/auth/BasicAuthManager.java @@ -26,13 +26,13 @@ import org.neo4j.graphdb.factory.GraphDatabaseSettings; import org.neo4j.graphdb.security.AuthorizationViolationException; -import org.neo4j.internal.kernel.api.security.LoginContext; import org.neo4j.kernel.api.exceptions.InvalidArgumentsException; import org.neo4j.kernel.api.security.AuthManager; import org.neo4j.internal.kernel.api.security.AuthSubject; import org.neo4j.kernel.api.security.AuthToken; import org.neo4j.internal.kernel.api.security.AuthenticationResult; import org.neo4j.kernel.api.security.PasswordPolicy; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.api.security.UserManager; import org.neo4j.kernel.api.security.UserManagerSupplier; import org.neo4j.kernel.api.security.exception.InvalidAuthTokenException; 
@@ -116,7 +116,7 @@ public void shutdown() throws Throwable } @Override - public LoginContext login( Map authToken ) throws InvalidAuthTokenException + public BasicSecurityContext login( Map authToken ) throws InvalidAuthTokenException { assertValidScheme( authToken ); @@ -133,7 +133,7 @@ public LoginContext login( Map authToken ) throws InvalidAuthToke result = AuthenticationResult.PASSWORD_CHANGE_REQUIRED; } } - return new BasicLoginContext( user, result ); + return new BasicSecurityContext( this, user, result ); } @Override @@ -224,7 +224,7 @@ public Set getAllUsernames() } @Override - public UserManager getUserManager( AuthSubject authSubject, boolean isUserManager ) + public UserManager getUserManager( SecurityContext securityContext ) { return this; } diff --git a/community/security/src/main/java/org/neo4j/server/security/auth/BasicLoginContext.java b/community/security/src/main/java/org/neo4j/server/security/auth/BasicSecurityContext.java similarity index 79% rename from community/security/src/main/java/org/neo4j/server/security/auth/BasicLoginContext.java rename to community/security/src/main/java/org/neo4j/server/security/auth/BasicSecurityContext.java index 55653a389e016..d527d27dd7257 100644 --- a/community/security/src/main/java/org/neo4j/server/security/auth/BasicLoginContext.java +++ b/community/security/src/main/java/org/neo4j/server/security/auth/BasicSecurityContext.java @@ -19,11 +19,9 @@ */ package org.neo4j.server.security.auth; -import org.neo4j.internal.kernel.api.Token; import org.neo4j.internal.kernel.api.security.AccessMode; import org.neo4j.internal.kernel.api.security.AuthSubject; import org.neo4j.internal.kernel.api.security.AuthenticationResult; -import org.neo4j.internal.kernel.api.security.LoginContext; import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.impl.security.User; 
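Review bot: `getUserManager( SecurityContext securityContext )` in the `@@ -224` hunk ignores its argument and hands back the full `BasicAuthManager` for any context, so the new parameter carries no authorization in community edition — a context built from a PASSWORD_CHANGE_REQUIRED login, or an anonymous one, receives the same `UserManager` as an administrator. If that is the intended community semantics (no role model), it should be stated on the method so callers know the check is theirs: `/** Community edition has no roles: the caller's context is not consulted; callers must restrict a user to managing its own account. */`. The two callers visible later in this diff (`UserService.getUser` and `setPassword`) previously passed an explicit `isUserManager = false`, which this signature change silently drops.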
@@ -31,13 +29,15 @@ import static org.neo4j.internal.kernel.api.security.AuthenticationResult.PASSWORD_CHANGE_REQUIRED; import static org.neo4j.internal.kernel.api.security.AuthenticationResult.SUCCESS; -public class BasicLoginContext implements LoginContext +public class BasicSecurityContext implements SecurityContext { + private final BasicAuthManager authManager; private final BasicAuthSubject authSubject; private AccessMode accessMode; - public BasicLoginContext( User user, AuthenticationResult authenticationResult ) + public BasicSecurityContext( BasicAuthManager authManager, User user, AuthenticationResult authenticationResult ) { + this.authManager = authManager; this.authSubject = new BasicAuthSubject( user, authenticationResult ); switch ( authenticationResult ) @@ -107,8 +107,33 @@ public AuthSubject subject() } @Override - public SecurityContext authorize( Token token ) + public boolean isAdmin() { - return new SecurityContext( authSubject, accessMode ); + return true; + } + + @Override + public SecurityContext freeze() + { + return this; + } + + @Override + public SecurityContext withMode( AccessMode mode ) + { + return new Frozen( authSubject, mode ); + } + + @Override + public AccessMode mode() + { + return accessMode; + } + + @Override + public String toString() + { + return String.format( "BasicSecurityContext{ securityContext=%s, accessMode=%s }", authSubject.username(), + accessMode ); } } diff --git a/community/security/src/test/java/org/neo4j/server/security/auth/AuthProceduresIT.java b/community/security/src/test/java/org/neo4j/server/security/auth/AuthProceduresIT.java index ea22861500eae..932c6b890eaff 100644 --- a/community/security/src/test/java/org/neo4j/server/security/auth/AuthProceduresIT.java +++ b/community/security/src/test/java/org/neo4j/server/security/auth/AuthProceduresIT.java 
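Review bot: `isAdmin()` returns `true` for every `BasicSecurityContext`, regardless of the `AuthenticationResult` the constructor switches on, so anything gated on `isAdmin()` treats every community user — including one whose password change is still pending — as an administrator. This looks deliberate for an edition without roles, but it needs a comment so the shortcut is not copied into a role-aware implementation: `// community edition has no roles: every authenticated user is treated as admin`. Two smaller points in the same hunk: `toString()` labels the value of `authSubject.username()` as `securityContext=`, which should read `username=%s`; and the new `authManager` field is assigned in the constructor but not read anywhere in the visible hunks — if the part of the class outside this hunk does not use it either, it should be dropped rather than pinning the manager from every per-login context.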
@@ -42,7 +42,6 @@ import org.neo4j.graphdb.config.Setting; import org.neo4j.graphdb.factory.GraphDatabaseSettings; import org.neo4j.graphdb.mockfs.EphemeralFileSystemAbstraction; -import org.neo4j.internal.kernel.api.security.LoginContext; import org.neo4j.kernel.api.KernelTransaction; import org.neo4j.kernel.api.exceptions.InvalidArgumentsException; import org.neo4j.kernel.api.security.exception.InvalidAuthTokenException; @@ -67,7 +66,7 @@ public class AuthProceduresIT protected GraphDatabaseAPI db; private EphemeralFileSystemAbstraction fs; private BasicAuthManager authManager; - private LoginContext admin; + private BasicSecurityContext admin; @Before public void setup() throws InvalidAuthTokenException, IOException @@ -120,7 +119,7 @@ public void newUserShouldNotBeAbleToCallOtherProcedures() throws Throwable { // Given authManager.newUser( "andres", "banana", true ); - LoginContext user = login("andres", "banana"); + BasicSecurityContext user = login("andres", "banana"); // Then assertFail( user, "CALL dbms.procedures", @@ -252,7 +251,7 @@ public void shouldShowCurrentUser() throws Exception r -> assertKeyIsMap( r, "username", "flags", map( "neo4j", listOf( PWD_CHANGE ) ) ) ); authManager.newUser( "andres", "123", false ); - LoginContext andres = login( "andres", "123" ); + BasicSecurityContext andres = login( "andres", "123" ); assertSuccess( andres, "CALL dbms.showCurrentUser()", r -> assertKeyIsMap( r, "username", "flags", map( "andres", listOf() ) ) ); } 
@@ -282,12 +281,12 @@ private void removePreviousAuthFile() throws IOException } } - private LoginContext login( String username, String password ) throws InvalidAuthTokenException + private BasicSecurityContext login( String username, String password ) throws InvalidAuthTokenException { return authManager.login( SecurityTestUtils.authToken( username, password ) ); } - private void assertEmpty( LoginContext subject, String query ) + private void assertEmpty( BasicSecurityContext subject, String query ) { assertThat( execute( subject, query, r -> { @@ -296,7 +295,7 @@ private void assertEmpty( LoginContext subject, String query ) equalTo( "" ) ); } - private void assertFail( LoginContext subject, String query, String partOfErrorMsg ) + private void assertFail( BasicSecurityContext subject, String query, String partOfErrorMsg ) { assertThat( execute( subject, query, r -> { @@ -305,7 +304,7 @@ private void assertFail( LoginContext subject, String query, String partOfErrorM containsString( partOfErrorMsg ) ); } - private void assertSuccess( LoginContext subject, String query, + private void assertSuccess( BasicSecurityContext subject, String query, Consumer>> resultConsumer ) { assertThat( @@ -313,7 +312,7 @@ private void assertSuccess( LoginContext subject, String query, equalTo( "" ) ); } - private String execute( LoginContext subject, String query, + private String execute( BasicSecurityContext subject, String query, Consumer>> resultConsumer ) { try ( Transaction tx = db.beginTransaction( KernelTransaction.Type.implicit, subject ) ) diff --git a/community/security/src/test/java/org/neo4j/server/security/auth/AuthProceduresTest.java b/community/security/src/test/java/org/neo4j/server/security/auth/AuthProceduresTest.java index 92999e05cb8d1..4fd387d8212d2 100644 --- a/community/security/src/test/java/org/neo4j/server/security/auth/AuthProceduresTest.java +++ b/community/security/src/test/java/org/neo4j/server/security/auth/AuthProceduresTest.java 
@@ -25,12 +25,10 @@ import org.neo4j.graphdb.factory.GraphDatabaseBuilder; import org.neo4j.graphdb.factory.GraphDatabaseSettings; -import org.neo4j.internal.kernel.api.Token; import org.neo4j.kernel.api.exceptions.ProcedureException; import org.neo4j.kernel.api.security.AnonymousContext; import org.neo4j.kernel.impl.api.integrationtest.KernelIntegrationTest; -import static org.mockito.Mockito.mock; import static org.neo4j.kernel.api.proc.ProcedureSignature.procedureName; public class AuthProceduresTest extends KernelIntegrationTest @@ -50,8 +48,8 @@ public void shouldFailWhenDeprecatedChangePasswordWithStaticAccessModeInDbmsMode exception.expectMessage( "Anonymous cannot change password" ); // When - dbmsOperations().procedureCallDbms( procedureName( "dbms", "changePassword" ), inputArray, - AnonymousContext.none().authorize( mock( Token.class ) ) ); + dbmsOperations() + .procedureCallDbms( procedureName( "dbms", "changePassword" ), inputArray, AnonymousContext.none() ); } @Test @@ -66,8 +64,7 @@ public void shouldFailWhenChangePasswordWithStaticAccessModeInDbmsMode() throws exception.expectMessage( "Anonymous cannot change password" ); // When - dbmsOperations().procedureCallDbms( procedureName( "dbms", "security", "changePassword" ), inputArray, - AnonymousContext.none().authorize( mock( Token.class ) ) ); + dbmsOperations().procedureCallDbms( procedureName( "dbms", "security", "changePassword" ), inputArray, AnonymousContext.none() ); } @Override diff --git a/community/security/src/test/java/org/neo4j/server/security/auth/BasicAuthManagerTest.java b/community/security/src/test/java/org/neo4j/server/security/auth/BasicAuthManagerTest.java index 88a8d517f7cb7..8a46c96af6d41 100644 --- a/community/security/src/test/java/org/neo4j/server/security/auth/BasicAuthManagerTest.java +++ b/community/security/src/test/java/org/neo4j/server/security/auth/BasicAuthManagerTest.java 
@@ -25,7 +25,7 @@ import org.junit.Test; import org.neo4j.internal.kernel.api.security.AuthenticationResult; -import org.neo4j.internal.kernel.api.security.LoginContext; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.api.exceptions.InvalidArgumentsException; import org.neo4j.kernel.api.security.AuthManager; import org.neo4j.kernel.api.security.AuthToken; @@ -258,7 +258,7 @@ public void shouldFailWhenAuthTokenIsInvalid() throws Throwable private void assertLoginGivesResult( String username, String password, AuthenticationResult expectedResult ) throws InvalidAuthTokenException { - LoginContext securityContext = manager.login( authToken( username, password ) ); + SecurityContext securityContext = manager.login( authToken( username, password ) ); assertThat( securityContext.subject().getAuthenticationResult(), equalTo( expectedResult ) ); } diff --git a/community/security/src/test/java/org/neo4j/server/security/auth/SecurityContextDescriptionTest.java b/community/security/src/test/java/org/neo4j/server/security/auth/SecurityContextDescriptionTest.java index d3495f8034a81..760c7fdf719c4 100644 --- a/community/security/src/test/java/org/neo4j/server/security/auth/SecurityContextDescriptionTest.java +++ b/community/security/src/test/java/org/neo4j/server/security/auth/SecurityContextDescriptionTest.java @@ -23,7 +23,6 @@ import org.junit.Before; import org.junit.Test; -import org.neo4j.internal.kernel.api.Token; import org.neo4j.internal.kernel.api.security.AccessMode; import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.configuration.Config; @@ -33,7 +32,6 @@ import static org.hamcrest.Matchers.equalTo; import static org.junit.Assert.assertThat; -import static org.mockito.Mockito.mock; import static org.neo4j.server.security.auth.SecurityTestUtils.authToken; public class SecurityContextDescriptionTest 
@@ -54,7 +52,7 @@ public void setup() throws Throwable manager.init(); manager.start(); manager.newUser( "johan", "bar", false ); - context = manager.login( authToken( "johan", "bar" ) ).authorize( mock( Token.class ) ); + context = manager.login( authToken( "johan", "bar" ) ); } @After @@ -70,6 +68,13 @@ public void shouldMakeNiceDescription() throws Throwable assertThat( context.description(), equalTo( "user 'johan' with FULL" ) ); } + @Test + public void shouldMakeNiceDescriptionFrozen() throws Throwable + { + SecurityContext frozen = context.freeze(); + assertThat( frozen.description(), equalTo( "user 'johan' with FULL" ) ); + } + @Test public void shouldMakeNiceDescriptionWithMode() throws Throwable { diff --git a/community/server/src/main/java/org/neo4j/server/database/CypherExecutor.java b/community/server/src/main/java/org/neo4j/server/database/CypherExecutor.java index 049f333024edf..8ac0f09638859 100644 --- a/community/server/src/main/java/org/neo4j/server/database/CypherExecutor.java +++ b/community/server/src/main/java/org/neo4j/server/database/CypherExecutor.java @@ -39,7 +39,7 @@ import org.neo4j.logging.LogProvider; import org.neo4j.server.rest.web.HttpConnectionInfoFactory; -import static org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED; +import static org.neo4j.internal.kernel.api.security.SecurityContext.AUTH_DISABLED; import static org.neo4j.kernel.impl.util.ValueUtils.asMapValue; import static org.neo4j.server.web.HttpHeaderUtils.getTransactionTimeout; diff --git a/community/server/src/main/java/org/neo4j/server/rest/dbms/AuthorizationDisabledFilter.java b/community/server/src/main/java/org/neo4j/server/rest/dbms/AuthorizationDisabledFilter.java index 6a266691ab83b..a8e537b4004cd 100644 --- a/community/server/src/main/java/org/neo4j/server/rest/dbms/AuthorizationDisabledFilter.java +++ b/community/server/src/main/java/org/neo4j/server/rest/dbms/AuthorizationDisabledFilter.java 
@@ -28,7 +28,7 @@ import javax.servlet.http.HttpServletResponse; import org.neo4j.graphdb.security.AuthorizationViolationException; -import org.neo4j.internal.kernel.api.security.LoginContext; +import org.neo4j.internal.kernel.api.security.SecurityContext; import static javax.servlet.http.HttpServletRequest.BASIC_AUTH; @@ -47,7 +47,7 @@ public void doFilter( ServletRequest servletRequest, ServletResponse servletResp try { filterChain.doFilter( - new AuthorizedRequestWrapper( BASIC_AUTH, "neo4j", request, getAuthDisabledLoginContext() ), + new AuthorizedRequestWrapper( BASIC_AUTH, "neo4j", request, getAuthDisabledSecurityContext() ), servletResponse ); } catch ( AuthorizationViolationException e ) @@ -56,8 +56,8 @@ public void doFilter( ServletRequest servletRequest, ServletResponse servletResp } } - protected LoginContext getAuthDisabledLoginContext() + protected SecurityContext getAuthDisabledSecurityContext() { - return LoginContext.AUTH_DISABLED; + return SecurityContext.AUTH_DISABLED; } } diff --git a/community/server/src/main/java/org/neo4j/server/rest/dbms/AuthorizationEnabledFilter.java b/community/server/src/main/java/org/neo4j/server/rest/dbms/AuthorizationEnabledFilter.java index c511a8e21fa18..d981dfc054ea9 100644 --- a/community/server/src/main/java/org/neo4j/server/rest/dbms/AuthorizationEnabledFilter.java +++ b/community/server/src/main/java/org/neo4j/server/rest/dbms/AuthorizationEnabledFilter.java 
@@ -37,9 +37,9 @@ import org.neo4j.graphdb.security.AuthProviderFailedException; import org.neo4j.graphdb.security.AuthProviderTimeoutException; import org.neo4j.graphdb.security.AuthorizationViolationException; -import org.neo4j.internal.kernel.api.security.LoginContext; import org.neo4j.kernel.api.exceptions.Status; import org.neo4j.kernel.api.security.AuthManager; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.api.security.exception.InvalidAuthTokenException; import org.neo4j.logging.Log; import org.neo4j.logging.LogProvider; @@ -107,7 +107,7 @@ public void doFilter( ServletRequest servletRequest, ServletResponse servletResp try { - LoginContext securityContext = authenticate( username, password ); + SecurityContext securityContext = authenticate( username, password ); switch ( securityContext.subject().getAuthenticationResult() ) { case PASSWORD_CHANGE_REQUIRED: @@ -150,7 +150,7 @@ public void doFilter( ServletRequest servletRequest, ServletResponse servletResp } } - private LoginContext authenticate( String username, String password ) throws InvalidAuthTokenException + private SecurityContext authenticate( String username, String password ) throws InvalidAuthTokenException { AuthManager authManager = authManagerSupplier.get(); Map authToken = newBasicAuthToken( username, password ); diff --git a/community/server/src/main/java/org/neo4j/server/rest/dbms/AuthorizedRequestWrapper.java b/community/server/src/main/java/org/neo4j/server/rest/dbms/AuthorizedRequestWrapper.java index 8eedfae4628be..b9b72fcfe3738 100644 --- a/community/server/src/main/java/org/neo4j/server/rest/dbms/AuthorizedRequestWrapper.java +++ b/community/server/src/main/java/org/neo4j/server/rest/dbms/AuthorizedRequestWrapper.java 
@@ -22,33 +22,33 @@ import com.sun.jersey.api.core.HttpContext; import com.sun.jersey.api.core.HttpRequestContext; -import java.security.Principal; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; +import java.security.Principal; -import org.neo4j.internal.kernel.api.security.LoginContext; import org.neo4j.kernel.api.security.AnonymousContext; +import org.neo4j.internal.kernel.api.security.SecurityContext; public class AuthorizedRequestWrapper extends HttpServletRequestWrapper { - public static LoginContext getLoginContextFromHttpServletRequest( HttpServletRequest request ) + public static SecurityContext getSecurityContextFromHttpServletRequest( HttpServletRequest request ) { Principal principal = request.getUserPrincipal(); - return getLoginContextFromUserPrincipal( principal ); + return getSecurityContextFromUserPrincipal( principal ); } - public static LoginContext getLoginContextFromHttpContext( HttpContext httpContext ) + public static SecurityContext getSecurityContextFromHttpContext( HttpContext httpContext ) { HttpRequestContext requestContext = httpContext.getRequest(); Principal principal = requestContext.getUserPrincipal(); - return getLoginContextFromUserPrincipal( principal ); + return getSecurityContextFromUserPrincipal( principal ); } - public static LoginContext getLoginContextFromUserPrincipal( Principal principal ) + public static SecurityContext getSecurityContextFromUserPrincipal( Principal principal ) { if ( principal instanceof DelegatingPrincipal ) { - return ((DelegatingPrincipal) principal).getLoginContext(); + return ((DelegatingPrincipal) principal).getSecurityContext(); } // If whitelisted uris can start transactions we cannot throw exception here //throw new IllegalArgumentException( "Tried to get access mode on illegal user principal" ); 
@@ -59,11 +59,11 @@ public static LoginContext getLoginContextFromUserPrincipal( Principal principal private final DelegatingPrincipal principal; public AuthorizedRequestWrapper( final String authType, final String username, final HttpServletRequest request, - LoginContext loginContext ) + SecurityContext securityContext ) { super( request ); this.authType = authType; - this.principal = new DelegatingPrincipal( username, loginContext ); + this.principal = new DelegatingPrincipal( username, securityContext ); } @Override diff --git a/community/server/src/main/java/org/neo4j/server/rest/dbms/DelegatingPrincipal.java b/community/server/src/main/java/org/neo4j/server/rest/dbms/DelegatingPrincipal.java index f50668052f60d..ec0ce2d8a467d 100644 --- a/community/server/src/main/java/org/neo4j/server/rest/dbms/DelegatingPrincipal.java +++ b/community/server/src/main/java/org/neo4j/server/rest/dbms/DelegatingPrincipal.java @@ -21,17 +21,17 @@ import java.security.Principal; -import org.neo4j.internal.kernel.api.security.LoginContext; +import org.neo4j.internal.kernel.api.security.SecurityContext; public class DelegatingPrincipal implements Principal { private String username; - private final LoginContext loginContext; + private final SecurityContext securityContext; - DelegatingPrincipal( String username, LoginContext loginContext ) + DelegatingPrincipal( String username, SecurityContext securityContext ) { this.username = username; - this.loginContext = loginContext; + this.securityContext = securityContext; } @Override @@ -40,9 +40,9 @@ public String getName() return username; } - public LoginContext getLoginContext() + public SecurityContext getSecurityContext() { - return loginContext; + return securityContext; } @Override diff --git a/community/server/src/main/java/org/neo4j/server/rest/dbms/UserService.java b/community/server/src/main/java/org/neo4j/server/rest/dbms/UserService.java index f48e8449e37c5..2452032ce2c7f 100644 
--- a/community/server/src/main/java/org/neo4j/server/rest/dbms/UserService.java +++ b/community/server/src/main/java/org/neo4j/server/rest/dbms/UserService.java @@ -30,9 +30,9 @@ import javax.ws.rs.core.Context; import javax.ws.rs.core.Response; -import org.neo4j.internal.kernel.api.security.LoginContext; import org.neo4j.kernel.api.exceptions.InvalidArgumentsException; import org.neo4j.kernel.api.exceptions.Status; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.api.security.UserManager; import org.neo4j.kernel.api.security.UserManagerSupplier; import org.neo4j.kernel.impl.security.User; @@ -44,7 +44,7 @@ import org.neo4j.server.rest.transactional.error.Neo4jError; import static javax.ws.rs.core.Response.Status.BAD_REQUEST; -import static org.neo4j.server.rest.dbms.AuthorizedRequestWrapper.getLoginContextFromUserPrincipal; +import static org.neo4j.server.rest.dbms.AuthorizedRequestWrapper.getSecurityContextFromUserPrincipal; import static org.neo4j.server.rest.web.CustomStatusType.UNPROCESSABLE; @Path( "/user" ) @@ -74,8 +74,8 @@ public Response getUser( @PathParam( "username" ) String username, @Context Http return output.notFound(); } - LoginContext loginContext = getLoginContextFromUserPrincipal( principal ); - UserManager userManager = userManagerSupplier.getUserManager( loginContext.subject(), false ); + SecurityContext securityContext = getSecurityContextFromUserPrincipal( principal ); + UserManager userManager = userManagerSupplier.getUserManager( securityContext ); try { 
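Review bot: `userManagerSupplier.getUserManager( securityContext )` no longer passes the explicit `isUserManager = false` that the removed line carried, so whether the returned `UserManager` may act on other users' accounts now rests entirely on the provider — and the community `BasicAuthManager` in this same diff returns itself without looking at the context. For `GET /user/{username}` that means the principal/username check above this hunk (outside my view; the `return output.notFound()` branch on the context lines suggests it exists) is the only thing preventing one authenticated user from reading another's record. Worth a comment at the call site so the next refactor does not move that check: `// getUserManager( securityContext ) does no authorization in community; the principal check above is this endpoint's access control`.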
@@ -125,14 +125,14 @@ public Response setPassword( @PathParam( "username" ) String username, @Context try { - LoginContext loginContext = getLoginContextFromUserPrincipal( principal ); - if ( loginContext == null ) + SecurityContext securityContext = getSecurityContextFromUserPrincipal( principal ); + if ( securityContext == null ) { return output.notFound(); } else { - UserManager userManager = userManagerSupplier.getUserManager( loginContext.subject(), false ); + UserManager userManager = userManagerSupplier.getUserManager( securityContext ); userManager.setUserPassword( username, newPassword, false ); } } diff --git a/community/server/src/main/java/org/neo4j/server/rest/transactional/TransactionFacade.java b/community/server/src/main/java/org/neo4j/server/rest/transactional/TransactionFacade.java index 1aa60fb0635e1..b648755abd581 100644 --- a/community/server/src/main/java/org/neo4j/server/rest/transactional/TransactionFacade.java +++ b/community/server/src/main/java/org/neo4j/server/rest/transactional/TransactionFacade.java @@ -23,8 +23,8 @@ import java.io.OutputStream; import java.net.URI; -import org.neo4j.internal.kernel.api.security.LoginContext; import org.neo4j.kernel.GraphDatabaseQueryService; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.impl.query.QueryExecutionEngine; import org.neo4j.logging.LogProvider; import org.neo4j.server.rest.transactional.error.TransactionLifecycleException; 
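Review bot: The `securityContext == null` guard is only meaningful if `getSecurityContextFromUserPrincipal` can return null for a non-`DelegatingPrincipal`, and that method's fall-through (the lines after the commented-out `throw` in `AuthorizedRequestWrapper`) is outside the hunk shown earlier; the `AnonymousContext` import retained there suggests it returns an anonymous context instead, in which case the guard is dead and a request carrying a foreign principal reaches `setUserPassword( username, newPassword, false )` with only the `UserManager`'s own checks in the way. Rather than test for null alone, tie the context to the path parameter: `if ( securityContext == null || !username.equals( securityContext.subject().username() ) )`, which also covers the case where the principal name and the authenticated subject disagree. `setPassword` starts before this hunk, so the principal-name check that presumably precedes the `try` could not be verified here.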
@@ -69,10 +69,10 @@ public TransactionFacade( TransitionalPeriodTransactionMessContainer kernel, Que } public TransactionHandle newTransactionHandle( TransactionUriScheme uriScheme, boolean implicitTransaction, - LoginContext loginContext, long customTransactionTimeout ) throws TransactionLifecycleException + SecurityContext securityContext, long customTransactionTimeout ) throws TransactionLifecycleException { return new TransactionHandle( kernel, engine, queryService, registry, uriScheme, implicitTransaction, - loginContext, customTransactionTimeout, logProvider ); + securityContext, customTransactionTimeout, logProvider ); } public TransactionHandle findTransactionHandle( long txId ) throws TransactionLifecycleException diff --git a/community/server/src/main/java/org/neo4j/server/rest/transactional/TransactionHandle.java b/community/server/src/main/java/org/neo4j/server/rest/transactional/TransactionHandle.java index 00ad2cdbf229d..739d69cc004b4 100644 --- a/community/server/src/main/java/org/neo4j/server/rest/transactional/TransactionHandle.java +++ b/community/server/src/main/java/org/neo4j/server/rest/transactional/TransactionHandle.java 
@@ -30,13 +30,13 @@
 import org.neo4j.graphdb.Result;
 import org.neo4j.graphdb.security.AuthorizationViolationException;
 import org.neo4j.graphdb.security.WriteOperationsNotAllowedException;
-import org.neo4j.internal.kernel.api.Transaction.Type;
-import org.neo4j.internal.kernel.api.exceptions.KernelException;
-import org.neo4j.internal.kernel.api.security.LoginContext;
 import org.neo4j.kernel.DeadlockDetectedException;
 import org.neo4j.kernel.GraphDatabaseQueryService;
+import org.neo4j.internal.kernel.api.Transaction.Type;
+import org.neo4j.internal.kernel.api.exceptions.KernelException;
 import org.neo4j.kernel.api.exceptions.Status;
 import org.neo4j.kernel.api.exceptions.TransactionFailureException;
+import org.neo4j.internal.kernel.api.security.SecurityContext;
 import org.neo4j.kernel.impl.query.QueryExecutionEngine;
 import org.neo4j.kernel.impl.query.QueryExecutionKernelException;
 import org.neo4j.kernel.impl.query.TransactionalContext;
@@ -74,7 +74,7 @@ public class TransactionHandle implements TransactionTerminationHandle
 private final TransactionRegistry registry;
 private final TransactionUriScheme uriScheme;
 private final Type type;
- private final LoginContext loginContext;
+ private final SecurityContext securityContext;
 private long customTransactionTimeout;
 private final Log log;
 private final long id;
@@ -83,7 +83,7 @@ public class TransactionHandle implements TransactionTerminationHandle
 TransactionHandle( TransitionalPeriodTransactionMessContainer txManagerFacade, QueryExecutionEngine engine, GraphDatabaseQueryService queryService, TransactionRegistry registry, TransactionUriScheme uriScheme,
- boolean implicitTransaction, LoginContext loginContext, long customTransactionTimeout,
+ boolean implicitTransaction, SecurityContext securityContext, long customTransactionTimeout,
 LogProvider logProvider )
 {
 this.txManagerFacade = txManagerFacade;
@@ -92,7 +92,7 @@ public class TransactionHandle implements TransactionTerminationHandle
 this.registry = registry;
 this.uriScheme = uriScheme;
 this.type = implicitTransaction ? Type.implicit : Type.explicit;
- this.loginContext = loginContext;
+ this.securityContext = securityContext;
 this.customTransactionTimeout = customTransactionTimeout;
 this.log = logProvider.getLog( getClass() );
 this.id = registry.begin( this );
@@ -210,7 +210,7 @@ private void ensureActiveTransaction() throws InternalBeginTransactionError
 {
 try
 {
- context = txManagerFacade.newTransaction( type, loginContext, customTransactionTimeout );
+ context = txManagerFacade.newTransaction( type, securityContext, customTransactionTimeout );
 }
 catch ( RuntimeException e )
 {
@@ -318,7 +318,7 @@ private void executeStatements( StatementDeserializer statements, ExecutionResul
 }
 hasPrevious = true;
- TransactionalContext tc = txManagerFacade.create( request, queryService, type, loginContext,
+ TransactionalContext tc = txManagerFacade.create( request, queryService, type, securityContext,
 statement.statement(), statement.parameters() );
 Result result = safelyExecute( statement, hasPeriodicCommit, tc );
 output.statementResult( result, statement.includeStats(), statement.resultDataContents() );
diff --git a/community/server/src/main/java/org/neo4j/server/rest/transactional/TransactionalRequestDispatcher.java b/community/server/src/main/java/org/neo4j/server/rest/transactional/TransactionalRequestDispatcher.java
index 1bfbb012b7e80..0c0a6de7b29bf 100644
--- a/community/server/src/main/java/org/neo4j/server/rest/transactional/TransactionalRequestDispatcher.java
+++ b/community/server/src/main/java/org/neo4j/server/rest/transactional/TransactionalRequestDispatcher.java
@@ -23,7 +23,7 @@
 import com.sun.jersey.spi.dispatch.RequestDispatcher;
 import org.neo4j.graphdb.Transaction;
-import org.neo4j.internal.kernel.api.security.LoginContext;
+import org.neo4j.internal.kernel.api.security.SecurityContext;
 import org.neo4j.kernel.api.KernelTransaction;
 import org.neo4j.kernel.impl.factory.GraphDatabaseFacade;
 import org.neo4j.server.database.Database;
@@ -53,14 +53,14 @@ public void dispatch( Object o, final HttpContext httpContext )
 {
 RepresentationWriteHandler representationWriteHandler = DO_NOTHING;
- LoginContext loginContext = AuthorizedRequestWrapper.getLoginContextFromHttpContext( httpContext );
+ SecurityContext securityContext = AuthorizedRequestWrapper.getSecurityContextFromHttpContext( httpContext );
 final GraphDatabaseFacade graph = database.getGraph();
 if ( o instanceof RestfulGraphDatabase )
 {
 RestfulGraphDatabase restfulGraphDatabase = (RestfulGraphDatabase) o;
- final Transaction transaction = graph.beginTransaction( KernelTransaction.Type.implicit, loginContext );
+ final Transaction transaction = graph.beginTransaction( KernelTransaction.Type.implicit, securityContext );
 restfulGraphDatabase.getOutputFormat().setRepresentationWriteHandler( representationWriteHandler = new CommitOnSuccessfulStatusCodeRepresentationWriteHandler( httpContext, transaction ));
@@ -69,7 +69,7 @@ else if ( o instanceof BatchOperationService )
 {
 BatchOperationService batchOperationService = (BatchOperationService) o;
- final Transaction transaction = graph.beginTransaction( KernelTransaction.Type.explicit, loginContext );
+ final Transaction transaction = graph.beginTransaction( KernelTransaction.Type.explicit, securityContext );
 batchOperationService.setRepresentationWriteHandler( representationWriteHandler = new CommitOnSuccessfulStatusCodeRepresentationWriteHandler( httpContext, transaction ) );
@@ -78,7 +78,7 @@ else if ( o instanceof CypherService )
 {
 CypherService cypherService = (CypherService) o;
- final Transaction transaction = graph.beginTransaction( KernelTransaction.Type.explicit, loginContext );
+ final Transaction transaction = graph.beginTransaction( KernelTransaction.Type.explicit, securityContext );
 cypherService.getOutputFormat().setRepresentationWriteHandler( representationWriteHandler = new CommitOnSuccessfulStatusCodeRepresentationWriteHandler( httpContext, transaction ) );
@@ -87,7 +87,7 @@ else if ( o instanceof DatabaseMetadataService )
 {
 DatabaseMetadataService databaseMetadataService = (DatabaseMetadataService) o;
- final Transaction transaction = graph.beginTransaction( KernelTransaction.Type.implicit, loginContext );
+ final Transaction transaction = graph.beginTransaction( KernelTransaction.Type.implicit, securityContext );
 databaseMetadataService.setRepresentationWriteHandler( representationWriteHandler = new RepresentationWriteHandler()
@@ -122,7 +122,7 @@ else if ( o instanceof ExtensionService )
 @Override
 public void onRepresentationStartWriting()
 {
- transaction = graph.beginTransaction( KernelTransaction.Type.implicit, loginContext );
+ transaction = graph.beginTransaction( KernelTransaction.Type.implicit, securityContext );
 }
 @Override
diff --git a/community/server/src/main/java/org/neo4j/server/rest/transactional/TransitionalPeriodTransactionMessContainer.java b/community/server/src/main/java/org/neo4j/server/rest/transactional/TransitionalPeriodTransactionMessContainer.java
index 26ac6f6eea590..7e3cdcbc8f672 100644
--- a/community/server/src/main/java/org/neo4j/server/rest/transactional/TransitionalPeriodTransactionMessContainer.java
+++ b/community/server/src/main/java/org/neo4j/server/rest/transactional/TransitionalPeriodTransactionMessContainer.java
@@ -22,9 +22,9 @@
 import java.util.Map;
 import javax.servlet.http.HttpServletRequest;
-import org.neo4j.internal.kernel.api.Transaction.Type;
-import org.neo4j.internal.kernel.api.security.LoginContext;
 import org.neo4j.kernel.GraphDatabaseQueryService;
+import org.neo4j.internal.kernel.api.Transaction.Type;
+import org.neo4j.internal.kernel.api.security.SecurityContext;
 import org.neo4j.kernel.impl.core.ThreadToStatementContextBridge;
 import org.neo4j.kernel.impl.coreapi.InternalTransaction;
 import org.neo4j.kernel.impl.coreapi.PropertyContainerLocker;
@@ -49,10 +49,10 @@ public TransitionalPeriodTransactionMessContainer( GraphDatabaseFacade db )
 this.txBridge = db.getDependencyResolver().resolveDependency( ThreadToStatementContextBridge.class );
 }
- public TransitionalTxManagementKernelTransaction newTransaction( Type type, LoginContext loginContext,
+ public TransitionalTxManagementKernelTransaction newTransaction( Type type, SecurityContext securityContext,
 long customTransactionTimeout )
 {
- return new TransitionalTxManagementKernelTransaction( db, type, loginContext, customTransactionTimeout, txBridge );
+ return new TransitionalTxManagementKernelTransaction( db, type, securityContext, customTransactionTimeout, txBridge );
 }
 ThreadToStatementContextBridge getBridge()
@@ -64,13 +64,13 @@ public TransactionalContext create( HttpServletRequest request,
 GraphDatabaseQueryService service,
 Type type,
- LoginContext loginContext,
+ SecurityContext securityContext,
 String query,
 Map queryParameters )
 {
 TransactionalContextFactory contextFactory = Neo4jTransactionalContextFactory.create( service, locker );
 ClientConnectionInfo clientConnection = HttpConnectionInfoFactory.create( request );
- InternalTransaction transaction = service.beginTransaction( type, loginContext );
+ InternalTransaction transaction = service.beginTransaction( type, securityContext );
 return contextFactory.newContext( clientConnection, transaction, query, ValueUtils.asMapValue( queryParameters ) );
 }
 }
diff --git a/community/server/src/main/java/org/neo4j/server/rest/transactional/TransitionalTxManagementKernelTransaction.java b/community/server/src/main/java/org/neo4j/server/rest/transactional/TransitionalTxManagementKernelTransaction.java
index 04703e896a626..003a8293db689 100644
--- a/community/server/src/main/java/org/neo4j/server/rest/transactional/TransitionalTxManagementKernelTransaction.java
+++ b/community/server/src/main/java/org/neo4j/server/rest/transactional/TransitionalTxManagementKernelTransaction.java
@@ -22,9 +22,9 @@
 import java.util.concurrent.TimeUnit;
 import org.neo4j.graphdb.factory.GraphDatabaseSettings;
-import org.neo4j.internal.kernel.api.security.LoginContext;
 import org.neo4j.kernel.api.KernelTransaction;
 import org.neo4j.kernel.api.exceptions.TransactionFailureException;
+import org.neo4j.internal.kernel.api.security.SecurityContext;
 import org.neo4j.kernel.impl.core.ThreadToStatementContextBridge;
 import org.neo4j.kernel.impl.coreapi.InternalTransaction;
 import org.neo4j.kernel.impl.factory.GraphDatabaseFacade;
@@ -33,7 +33,7 @@ class TransitionalTxManagementKernelTransaction
 {
 private final GraphDatabaseFacade db;
 private final KernelTransaction.Type type;
- private final LoginContext loginContext;
+ private final SecurityContext securityContext;
 private long customTransactionTimeout;
 private final ThreadToStatementContextBridge bridge;
@@ -41,11 +41,11 @@ class TransitionalTxManagementKernelTransaction
 private KernelTransaction suspendedTransaction;
 TransitionalTxManagementKernelTransaction( GraphDatabaseFacade db, KernelTransaction.Type type,
- LoginContext loginContext, long customTransactionTimeout, ThreadToStatementContextBridge bridge )
+ SecurityContext securityContext, long customTransactionTimeout, ThreadToStatementContextBridge bridge )
 {
 this.db = db;
 this.type = type;
- this.loginContext = loginContext;
+ this.securityContext = securityContext;
 this.customTransactionTimeout = customTransactionTimeout;
 this.bridge = bridge;
 this.tx = startTransaction();
@@ -119,7 +119,7 @@ void reopenAfterPeriodicCommit()
 private InternalTransaction startTransaction()
 {
 return customTransactionTimeout > GraphDatabaseSettings.UNSPECIFIED_TIMEOUT ?
- db.beginTransaction( type, loginContext, customTransactionTimeout, TimeUnit.MILLISECONDS ) :
- db.beginTransaction( type, loginContext );
+ db.beginTransaction( type, securityContext, customTransactionTimeout, TimeUnit.MILLISECONDS ) :
+ db.beginTransaction( type, securityContext );
 }
 }
diff --git a/community/server/src/main/java/org/neo4j/server/rest/web/TransactionalService.java b/community/server/src/main/java/org/neo4j/server/rest/web/TransactionalService.java
index 15d6bc7b6ce35..b48b18c13d696 100644
--- a/community/server/src/main/java/org/neo4j/server/rest/web/TransactionalService.java
+++ b/community/server/src/main/java/org/neo4j/server/rest/web/TransactionalService.java
@@ -38,7 +38,7 @@
 import javax.ws.rs.core.UriBuilder;
 import javax.ws.rs.core.UriInfo;
-import org.neo4j.internal.kernel.api.security.LoginContext;
+import org.neo4j.internal.kernel.api.security.SecurityContext;
 import org.neo4j.logging.Log;
 import org.neo4j.server.rest.dbms.AuthorizedRequestWrapper;
 import org.neo4j.server.rest.transactional.ExecutionResultSerializer;
@@ -83,10 +83,10 @@ public Response executeStatementsInNewTransaction( final InputStream input, @Con
 try
 {
 usage.get( features ).flag( http_tx_endpoint );
- LoginContext loginContext = AuthorizedRequestWrapper.getLoginContextFromHttpServletRequest( request );
+ SecurityContext securityContext = AuthorizedRequestWrapper.getSecurityContextFromHttpServletRequest( request );
 long customTransactionTimeout = HttpHeaderUtils.getTransactionTimeout( request, log );
 TransactionHandle transactionHandle =
- facade.newTransactionHandle( uriScheme, false, loginContext, customTransactionTimeout );
+ facade.newTransactionHandle( uriScheme, false, securityContext, customTransactionTimeout );
 return createdResponse(
 transactionHandle,
 executeStatements( input, transactionHandle, uriInfo.getBaseUri(), request )
@@ -147,9 +147,9 @@ public Response commitNewTransaction( final InputStream input, @Context final Ur
 final TransactionHandle transactionHandle;
 try
 {
- LoginContext loginContext = AuthorizedRequestWrapper.getLoginContextFromHttpServletRequest( request );
+ SecurityContext securityContext = AuthorizedRequestWrapper.getSecurityContextFromHttpServletRequest( request );
 long customTransactionTimeout = HttpHeaderUtils.getTransactionTimeout( request, log );
- transactionHandle = facade.newTransactionHandle( uriScheme, true, loginContext, customTransactionTimeout );
+ transactionHandle = facade.newTransactionHandle( uriScheme, true, securityContext, customTransactionTimeout );
 }
 catch ( TransactionLifecycleException e )
 {
diff --git a/community/server/src/test/java/org/neo4j/server/database/CypherExecutorTest.java b/community/server/src/test/java/org/neo4j/server/database/CypherExecutorTest.java
index 614bbe2c5e451..6c0d05773be87 100644
--- a/community/server/src/test/java/org/neo4j/server/database/CypherExecutorTest.java
+++ b/community/server/src/test/java/org/neo4j/server/database/CypherExecutorTest.java
@@ -28,12 +28,11 @@
 import org.neo4j.cypher.internal.javacompat.ExecutionEngine;
 import org.neo4j.graphdb.DependencyResolver;
-import org.neo4j.internal.kernel.api.Token;
-import org.neo4j.internal.kernel.api.security.LoginContext;
 import org.neo4j.kernel.GraphDatabaseQueryService;
 import org.neo4j.kernel.api.KernelTransaction;
 import org.neo4j.kernel.api.QueryRegistryOperations;
 import org.neo4j.kernel.api.Statement;
+import org.neo4j.internal.kernel.api.security.SecurityContext;
 import org.neo4j.kernel.impl.core.ThreadToStatementContextBridge;
 import org.neo4j.kernel.impl.coreapi.InternalTransaction;
 import org.neo4j.kernel.impl.coreapi.TopLevelTransaction;
@@ -45,7 +44,7 @@
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
-import static org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED;
+import static org.neo4j.internal.kernel.api.security.SecurityContext.AUTH_DISABLED;
 public class CypherExecutorTest
 {
@@ -148,20 +147,20 @@ private void setUpMocks()
 InternalTransaction transaction = new TopLevelTransaction( kernelTransaction, () -> statement );
- LoginContext loginContext = AUTH_DISABLED;
+ SecurityContext securityContext = AUTH_DISABLED;
 KernelTransaction.Type type = KernelTransaction.Type.implicit;
 QueryRegistryOperations registryOperations = mock( QueryRegistryOperations.class );
 when( statement.queryRegistration() ).thenReturn( registryOperations );
 when( statementBridge.get() ).thenReturn( statement );
- when( kernelTransaction.securityContext() ).thenReturn( loginContext.authorize( mock( Token.class ) ) );
+ when( kernelTransaction.securityContext() ).thenReturn( securityContext );
 when( kernelTransaction.transactionType() ).thenReturn( type );
 when( database.getGraph() ).thenReturn( databaseFacade );
 when( databaseFacade.getDependencyResolver() ).thenReturn( resolver );
 when( resolver.resolveDependency( QueryExecutionEngine.class ) ).thenReturn( executionEngine );
 when( resolver.resolveDependency( ThreadToStatementContextBridge.class ) ).thenReturn( statementBridge );
 when( resolver.resolveDependency( GraphDatabaseQueryService.class ) ).thenReturn( databaseQueryService );
- when( databaseQueryService.beginTransaction( type, loginContext ) ).thenReturn( transaction );
- when( databaseQueryService.beginTransaction( type, loginContext,
+ when( databaseQueryService.beginTransaction( type, securityContext ) ).thenReturn( transaction );
+ when( databaseQueryService.beginTransaction( type, securityContext,
 CUSTOM_TRANSACTION_TIMEOUT, TimeUnit.MILLISECONDS ) ).thenReturn( transaction );
 when( databaseQueryService.getDependencyResolver() ).thenReturn( resolver );
 when( request.getScheme() ).thenReturn( "http" );
diff --git a/community/server/src/test/java/org/neo4j/server/rest/dbms/AuthorizationFilterTest.java b/community/server/src/test/java/org/neo4j/server/rest/dbms/AuthorizationFilterTest.java
index 7c3f418c74845..4a2f03aceb0a8 100644
--- a/community/server/src/test/java/org/neo4j/server/rest/dbms/AuthorizationFilterTest.java
+++ b/community/server/src/test/java/org/neo4j/server/rest/dbms/AuthorizationFilterTest.java
@@ -38,7 +38,7 @@
 import org.neo4j.internal.kernel.api.security.AuthenticationResult;
 import org.neo4j.logging.AssertableLogProvider;
 import org.neo4j.server.security.auth.BasicAuthManager;
-import org.neo4j.server.security.auth.BasicLoginContext;
+import org.neo4j.server.security.auth.BasicSecurityContext;
 import static javax.servlet.http.HttpServletRequest.BASIC_AUTH;
 import static org.hamcrest.Matchers.containsString;
@@ -50,7 +50,7 @@
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoMoreInteractions;
 import static org.mockito.Mockito.when;
-import static org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED;
+import static org.neo4j.internal.kernel.api.security.SecurityContext.AUTH_DISABLED;
 import static org.neo4j.logging.AssertableLogProvider.inLog;
 import static org.neo4j.server.security.auth.SecurityTestUtils.authToken;
@@ -170,14 +170,14 @@ public void shouldNotAuthorizeInvalidCredentials() throws Exception
 // Given
 final AuthorizationEnabledFilter filter = new AuthorizationEnabledFilter( () -> authManager, logProvider );
 String credentials = Base64.encodeBase64String( "foo:bar".getBytes( StandardCharsets.UTF_8 ) );
- BasicLoginContext loginContext = mock( BasicLoginContext.class );
+ BasicSecurityContext securityContext = mock( BasicSecurityContext.class );
 AuthSubject authSubject = mock( AuthSubject.class );
 when( servletRequest.getMethod() ).thenReturn( "GET" );
 when( servletRequest.getContextPath() ).thenReturn( "/db/data" );
 when( servletRequest.getHeader( HttpHeaders.AUTHORIZATION ) ).thenReturn( "BASIC " + credentials );
 when( servletRequest.getRemoteAddr() ).thenReturn( "remote_ip_address" );
- when( authManager.login( authToken( "foo", "bar" ) ) ).thenReturn( loginContext );
- when( loginContext.subject() ).thenReturn( authSubject );
+ when( authManager.login( authToken( "foo", "bar" ) ) ).thenReturn( securityContext );
+ when( securityContext.subject() ).thenReturn( authSubject );
 when( authSubject.getAuthenticationResult() ).thenReturn( AuthenticationResult.FAILURE );
 // When
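Review bot: `BasicSecurityContext securityContext = mock( BasicSecurityContext.class )` mocks the concrete server class, although the only call the test makes on it is `securityContext.subject()` and the production code elsewhere in this diff appears to treat the result of `authManager.login(...)` as the `SecurityContext` interface. `SecurityContext securityContext = mock( SecurityContext.class );` would keep the filter test independent of `BasicSecurityContext`'s constructor and collaborators, and the `AUTH_DISABLED` static import already makes the interface available here. The same pattern is in the four following hunks of this file (`shouldAuthorizeWhenPasswordChangeRequiredForWhitelistedPath`, `shouldNotAuthorizeWhenPasswordChangeRequired`, `shouldNotAuthorizeWhenTooManyAttemptsMade`, `shouldAuthorizeWhenValidCredentialsSupplied`). It is carried over from the `BasicLoginContext` mocks, so it can be deferred if the filter genuinely depends on the concrete type.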
@@ -201,13 +201,13 @@ public void shouldAuthorizeWhenPasswordChangeRequiredForWhitelistedPath() throws
 // Given
 final AuthorizationEnabledFilter filter = new AuthorizationEnabledFilter( () -> authManager, logProvider );
 String credentials = Base64.encodeBase64String( "foo:bar".getBytes( StandardCharsets.UTF_8 ) );
- BasicLoginContext loginContext = mock( BasicLoginContext.class );
+ BasicSecurityContext securityContext = mock( BasicSecurityContext.class );
 AuthSubject authSubject = mock( AuthSubject.class );
 when( servletRequest.getMethod() ).thenReturn( "GET" );
 when( servletRequest.getContextPath() ).thenReturn( "/user/foo" );
 when( servletRequest.getHeader( HttpHeaders.AUTHORIZATION ) ).thenReturn( "BASIC " + credentials );
- when( authManager.login( authToken( "foo", "bar" ) ) ).thenReturn( loginContext );
- when( loginContext.subject() ).thenReturn( authSubject );
+ when( authManager.login( authToken( "foo", "bar" ) ) ).thenReturn( securityContext );
+ when( securityContext.subject() ).thenReturn( authSubject );
 when( authSubject.getAuthenticationResult() ).thenReturn( AuthenticationResult.PASSWORD_CHANGE_REQUIRED );
 // When
@@ -224,15 +224,15 @@ public void shouldNotAuthorizeWhenPasswordChangeRequired() throws Exception
 // Given
 final AuthorizationEnabledFilter filter = new AuthorizationEnabledFilter( () -> authManager, logProvider );
 String credentials = Base64.encodeBase64String( "foo:bar".getBytes( StandardCharsets.UTF_8 ) );
- BasicLoginContext loginContext = mock( BasicLoginContext.class );
+ BasicSecurityContext securityContext = mock( BasicSecurityContext.class );
 AuthSubject authSubject = mock( AuthSubject.class );
 when( servletRequest.getMethod() ).thenReturn( "GET" );
 when( servletRequest.getContextPath() ).thenReturn( "/db/data" );
 when( servletRequest.getRequestURL() ).thenReturn( new StringBuffer( "http://bar.baz:7474/db/data/" ) );
 when( servletRequest.getRequestURI() ).thenReturn( "/db/data/" );
 when( servletRequest.getHeader( HttpHeaders.AUTHORIZATION ) ).thenReturn( "BASIC " + credentials );
- when( authManager.login( authToken( "foo", "bar" ) ) ).thenReturn( loginContext );
- when( loginContext.subject() ).thenReturn( authSubject );
+ when( authManager.login( authToken( "foo", "bar" ) ) ).thenReturn( securityContext );
+ when( securityContext.subject() ).thenReturn( authSubject );
 when( authSubject.getAuthenticationResult() ).thenReturn( AuthenticationResult.PASSWORD_CHANGE_REQUIRED );
 // When
@@ -256,13 +256,13 @@ public void shouldNotAuthorizeWhenTooManyAttemptsMade() throws Exception
 // Given
 final AuthorizationEnabledFilter filter = new AuthorizationEnabledFilter( () -> authManager, logProvider );
 String credentials = Base64.encodeBase64String( "foo:bar".getBytes( StandardCharsets.UTF_8 ) );
- BasicLoginContext loginContext = mock( BasicLoginContext.class );
+ BasicSecurityContext securityContext = mock( BasicSecurityContext.class );
 AuthSubject authSubject = mock( AuthSubject.class );
 when( servletRequest.getMethod() ).thenReturn( "GET" );
 when( servletRequest.getContextPath() ).thenReturn( "/db/data" );
 when( servletRequest.getHeader( HttpHeaders.AUTHORIZATION ) ).thenReturn( "BASIC " + credentials );
- when( authManager.login( authToken( "foo", "bar" ) ) ).thenReturn( loginContext );
- when( loginContext.subject() ).thenReturn( authSubject );
+ when( authManager.login( authToken( "foo", "bar" ) ) ).thenReturn( securityContext );
+ when( securityContext.subject() ).thenReturn( authSubject );
 when( authSubject.getAuthenticationResult() ).thenReturn( AuthenticationResult.TOO_MANY_ATTEMPTS );
 // When
@@ -285,13 +285,13 @@ public void shouldAuthorizeWhenValidCredentialsSupplied() throws Exception
 // Given
 final AuthorizationEnabledFilter filter = new AuthorizationEnabledFilter( () -> authManager, logProvider );
 String credentials = Base64.encodeBase64String( "foo:bar".getBytes( StandardCharsets.UTF_8 ) );
- BasicLoginContext loginContext = mock( BasicLoginContext.class );
+ BasicSecurityContext securityContext = mock( BasicSecurityContext.class );
 AuthSubject authSubject = mock( AuthSubject.class );
 when( servletRequest.getMethod() ).thenReturn( "GET" );
 when( servletRequest.getContextPath() ).thenReturn( "/db/data" );
 when( servletRequest.getHeader( HttpHeaders.AUTHORIZATION ) ).thenReturn( "BASIC " + credentials );
- when( authManager.login( authToken( "foo", "bar" ) ) ).thenReturn( loginContext );
- when( loginContext.subject() ).thenReturn( authSubject );
+ when( authManager.login( authToken( "foo", "bar" ) ) ).thenReturn( securityContext );
+ when( securityContext.subject() ).thenReturn( authSubject );
 when( authSubject.getAuthenticationResult() ).thenReturn( AuthenticationResult.SUCCESS );
 // When
diff --git a/community/server/src/test/java/org/neo4j/server/rest/dbms/UserServiceTest.java b/community/server/src/test/java/org/neo4j/server/rest/dbms/UserServiceTest.java
index 1d75194e126e3..3458c0d134ba3 100644
--- a/community/server/src/test/java/org/neo4j/server/rest/dbms/UserServiceTest.java
+++ b/community/server/src/test/java/org/neo4j/server/rest/dbms/UserServiceTest.java
@@ -29,10 +29,10 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.core.Response;
-import org.neo4j.internal.kernel.api.security.AuthenticationResult;
-import org.neo4j.internal.kernel.api.security.LoginContext;
 import org.neo4j.kernel.api.exceptions.InvalidArgumentsException;
+import org.neo4j.internal.kernel.api.security.AuthenticationResult;
 import org.neo4j.kernel.api.security.PasswordPolicy;
+import org.neo4j.internal.kernel.api.security.SecurityContext;
 import org.neo4j.kernel.api.security.UserManager;
 import org.neo4j.kernel.api.security.UserManagerSupplier;
 import org.neo4j.kernel.impl.security.Credential;
@@ -42,7 +42,7 @@
 import org.neo4j.server.security.auth.AuthenticationStrategy;
 import org.neo4j.server.security.auth.BasicAuthManager;
 import org.neo4j.server.security.auth.BasicPasswordPolicy;
-import org.neo4j.server.security.auth.BasicLoginContext;
+import org.neo4j.server.security.auth.BasicSecurityContext;
 import org.neo4j.server.security.auth.InMemoryUserRepository;
 import org.neo4j.server.security.auth.UserRepository;
 import org.neo4j.test.server.EntityOutputFormat;
@@ -64,7 +64,7 @@ public class UserServiceTest
 protected final UserRepository userRepository = new InMemoryUserRepository();
 protected UserManagerSupplier userManagerSupplier;
- protected LoginContext neo4jContext;
+ protected SecurityContext neo4jContext;
 protected Principal neo4jPrinciple;
 protected void setupAuthManagerAndSubject()
@@ -73,7 +73,7 @@ protected void setupAuthManagerAndSubject()
 mock( AuthenticationStrategy.class), new InMemoryUserRepository() );
 userManagerSupplier = basicAuthManager;
- neo4jContext = new BasicLoginContext( NEO4J_USER, AuthenticationResult.SUCCESS );
+ neo4jContext = new BasicSecurityContext( basicAuthManager, NEO4J_USER, AuthenticationResult.SUCCESS );
 }
 @Before
diff --git a/community/server/src/test/java/org/neo4j/server/rest/domain/GraphDbHelper.java b/community/server/src/test/java/org/neo4j/server/rest/domain/GraphDbHelper.java
index e628dddbd7e32..969e02d1ee294 100644
--- a/community/server/src/test/java/org/neo4j/server/rest/domain/GraphDbHelper.java
+++ b/community/server/src/test/java/org/neo4j/server/rest/domain/GraphDbHelper.java
@@ -51,7 +51,7 @@
 import static org.neo4j.helpers.collection.Iterables.count;
 import static org.neo4j.helpers.collection.Iterables.single;
 import static org.neo4j.internal.kernel.api.Transaction.Type.implicit;
-import static org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED;
+import static org.neo4j.internal.kernel.api.security.SecurityContext.AUTH_DISABLED;
 public class GraphDbHelper
 {
diff --git a/community/server/src/test/java/org/neo4j/server/rest/transactional/ConcurrentTransactionAccessTest.java b/community/server/src/test/java/org/neo4j/server/rest/transactional/ConcurrentTransactionAccessTest.java
index 093a1ff94e8f8..fbd31335041e0 100644
--- a/community/server/src/test/java/org/neo4j/server/rest/transactional/ConcurrentTransactionAccessTest.java
+++ b/community/server/src/test/java/org/neo4j/server/rest/transactional/ConcurrentTransactionAccessTest.java
@@ -25,9 +25,9 @@
 import java.time.Clock;
 import javax.servlet.http.HttpServletRequest;
-import org.neo4j.internal.kernel.api.security.LoginContext;
 import org.neo4j.kernel.GraphDatabaseQueryService;
 import org.neo4j.kernel.api.KernelTransaction;
+import org.neo4j.internal.kernel.api.security.SecurityContext;
 import org.neo4j.logging.NullLogProvider;
 import org.neo4j.server.rest.transactional.error.InvalidConcurrentTransactionAccess;
 import org.neo4j.server.rest.web.TransactionUriScheme;
@@ -50,12 +50,12 @@ public void shouldThrowSpecificExceptionOnConcurrentTransactionAccess() throws E
 new TransactionHandleRegistry( mock( Clock.class), 0, NullLogProvider.getInstance() );
 TransitionalPeriodTransactionMessContainer kernel = mock( TransitionalPeriodTransactionMessContainer.class );
 GraphDatabaseQueryService queryService = mock( GraphDatabaseQueryService.class );
- when(kernel.newTransaction( any( KernelTransaction.Type.class ), any( LoginContext.class ), anyLong() ) )
+ when(kernel.newTransaction( any( KernelTransaction.Type.class ), any( SecurityContext.class ), anyLong() ) )
 .thenReturn( mock(TransitionalTxManagementKernelTransaction.class) );
 TransactionFacade actions = new TransactionFacade( kernel, null, queryService, registry, NullLogProvider.getInstance() );
 final TransactionHandle transactionHandle =
- actions.newTransactionHandle( new DisgustingUriScheme(), true, LoginContext.AUTH_DISABLED, -1 );
+ actions.newTransactionHandle( new DisgustingUriScheme(), true, SecurityContext.AUTH_DISABLED, -1 );
 final DoubleLatch latch = new DoubleLatch();
diff --git a/community/server/src/test/java/org/neo4j/server/rest/transactional/TransactionHandleTest.java b/community/server/src/test/java/org/neo4j/server/rest/transactional/TransactionHandleTest.java
index 257056856ad29..4e8e313d2699d 100644
--- a/community/server/src/test/java/org/neo4j/server/rest/transactional/TransactionHandleTest.java
+++ b/community/server/src/test/java/org/neo4j/server/rest/transactional/TransactionHandleTest.java
@@ -34,11 +34,11 @@
 import org.neo4j.cypher.SyntaxException;
 import org.neo4j.graphdb.Notification;
 import org.neo4j.graphdb.Result;
-import org.neo4j.internal.kernel.api.Transaction.Type;
-import org.neo4j.internal.kernel.api.security.LoginContext;
 import org.neo4j.kernel.DeadlockDetectedException;
 import org.neo4j.kernel.GraphDatabaseQueryService;
+import org.neo4j.internal.kernel.api.Transaction.Type;
 import org.neo4j.kernel.api.exceptions.Status;
+import org.neo4j.internal.kernel.api.security.SecurityContext;
 import org.neo4j.kernel.impl.query.QueryExecutionEngine;
 import org.neo4j.kernel.impl.query.QueryExecutionKernelException;
 import org.neo4j.kernel.impl.query.TransactionalContext;
@@ -69,7 +69,7 @@
 import static org.mockito.hamcrest.MockitoHamcrest.argThat;
 import static org.neo4j.helpers.collection.MapUtil.map;
 import static org.neo4j.internal.kernel.api.Transaction.Type.explicit;
-import static org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED;
+import static org.neo4j.internal.kernel.api.security.SecurityContext.AUTH_DISABLED;
 import static org.neo4j.server.rest.transactional.StubStatementDeserializer.statements;
 public class TransactionHandleTest
@@ -311,7 +311,7 @@ public void shouldCreateTransactionContextOnlyWhenFirstNeeded() throws Exception
 mock( HttpServletRequest.class ) );
 // then
- verify( kernel ).newTransaction( any( Type.class ), any( LoginContext.class ), anyLong() );
+ verify( kernel ).newTransaction( any( Type.class ), any( SecurityContext.class ), anyLong() );
 InOrder outputOrder = inOrder( output );
 outputOrder.verify( output ).transactionCommitUri( uriScheme.txCommitUri( 1337 ) );
@@ -465,7 +465,7 @@ public void shouldInterruptTransaction() throws Exception // given TransitionalPeriodTransactionMessContainer kernel = mockKernel(); TransitionalTxManagementKernelTransaction tx = mock( TransitionalTxManagementKernelTransaction.class ); - when( kernel.newTransaction( any( Type.class ), any( LoginContext.class ), anyLong() ) ).thenReturn( tx ); + when( kernel.newTransaction( any( Type.class ), any( SecurityContext.class ), anyLong() ) ).thenReturn( tx ); TransactionRegistry registry = mock( TransactionRegistry.class ); when( registry.begin( any( TransactionHandle.class ) ) ).thenReturn( 1337L ); QueryExecutionEngine executionEngine = mock( QueryExecutionEngine.class ); @@ -551,7 +551,7 @@ private TransitionalPeriodTransactionMessContainer mockKernel() { TransitionalTxManagementKernelTransaction context = mock( TransitionalTxManagementKernelTransaction.class ); TransitionalPeriodTransactionMessContainer kernel = mock( TransitionalPeriodTransactionMessContainer.class ); - when( kernel.newTransaction( any( Type.class ), any( LoginContext.class ), anyLong() ) ).thenReturn( context ); + when( kernel.newTransaction( any( Type.class ), any( SecurityContext.class ), anyLong() ) ).thenReturn( context ); return kernel; } @@ -593,7 +593,7 @@ private TransactionalContext prepareKernelWithQuerySession( TransitionalPeriodTr any( HttpServletRequest.class ), any( GraphDatabaseQueryService.class ), any( Type.class ), - any( LoginContext.class ), + any( SecurityContext.class ), any( String.class ), any( Map.class ) ) ). thenReturn( tc ); diff --git a/community/server/src/test/java/org/neo4j/server/rest/transactional/TransitionalTxManagementKernelTransactionTest.java b/community/server/src/test/java/org/neo4j/server/rest/transactional/TransitionalTxManagementKernelTransactionTest.java index 0bf7c206306c4..0fc395f7a588f 100644 --- a/community/server/src/test/java/org/neo4j/server/rest/transactional/TransitionalTxManagementKernelTransactionTest.java 
+++ b/community/server/src/test/java/org/neo4j/server/rest/transactional/TransitionalTxManagementKernelTransactionTest.java @@ -23,9 +23,9 @@ import java.util.concurrent.TimeUnit; -import org.neo4j.internal.kernel.api.security.LoginContext; import org.neo4j.kernel.api.KernelTransaction; import org.neo4j.kernel.api.security.AnonymousContext; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.impl.core.ThreadToStatementContextBridge; import org.neo4j.kernel.impl.factory.GraphDatabaseFacade; 
@@ -38,28 +38,28 @@ public class TransitionalTxManagementKernelTransactionTest private GraphDatabaseFacade databaseFacade = mock( GraphDatabaseFacade.class ); private ThreadToStatementContextBridge contextBridge = mock( ThreadToStatementContextBridge.class ); - private LoginContext loginContext = AnonymousContext.read(); + private SecurityContext securityContext = AnonymousContext.read(); private KernelTransaction.Type type = KernelTransaction.Type.implicit; @Test public void reopenStartTransactionWithCustomTimeoutIfSpecified() throws Exception { TransitionalTxManagementKernelTransaction managementKernelTransaction = - new TransitionalTxManagementKernelTransaction( databaseFacade, type, loginContext, 10, contextBridge ); + new TransitionalTxManagementKernelTransaction( databaseFacade, type, securityContext, 10, contextBridge ); managementKernelTransaction.reopenAfterPeriodicCommit(); - verify( databaseFacade, times( 2 ) ).beginTransaction( type, loginContext, 10, TimeUnit.MILLISECONDS); + verify( databaseFacade, times( 2 ) ).beginTransaction( type, securityContext, 10, TimeUnit.MILLISECONDS); } @Test public void reopenStartDefaultTransactionIfTimeoutNotSpecified() { TransitionalTxManagementKernelTransaction managementKernelTransaction = - new TransitionalTxManagementKernelTransaction( databaseFacade, type, loginContext, -1, contextBridge ); + new TransitionalTxManagementKernelTransaction( databaseFacade, type, securityContext, -1, contextBridge ); managementKernelTransaction.reopenAfterPeriodicCommit(); - verify( databaseFacade, times( 2 ) ).beginTransaction( type, loginContext ); + verify( databaseFacade, times( 2 ) ).beginTransaction( type, securityContext ); } } diff --git a/community/shell/src/main/java/org/neo4j/shell/kernel/ReadOnlyGraphDatabaseProxy.java b/community/shell/src/main/java/org/neo4j/shell/kernel/ReadOnlyGraphDatabaseProxy.java index c88fd769a2852..3c64a3df3aa53 100644 
--- a/community/shell/src/main/java/org/neo4j/shell/kernel/ReadOnlyGraphDatabaseProxy.java +++ b/community/shell/src/main/java/org/neo4j/shell/kernel/ReadOnlyGraphDatabaseProxy.java @@ -59,7 +59,7 @@ import org.neo4j.helpers.collection.Iterables; import org.neo4j.helpers.collection.PrefetchingResourceIterator; import org.neo4j.helpers.collection.ResourceIterableWrapper; -import org.neo4j.internal.kernel.api.security.LoginContext; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.api.KernelTransaction; import org.neo4j.kernel.impl.coreapi.InternalTransaction; import org.neo4j.kernel.impl.store.StoreId; @@ -95,16 +95,16 @@ private static UnsupportedOperationException readOnlyException() } @Override - public InternalTransaction beginTransaction( KernelTransaction.Type type, LoginContext loginContext ) + public InternalTransaction beginTransaction( KernelTransaction.Type type, SecurityContext securityContext ) { - return actual.beginTransaction( type, loginContext ); + return actual.beginTransaction( type, securityContext ); } @Override - public InternalTransaction beginTransaction( KernelTransaction.Type type, LoginContext loginContext, long timeout, + public InternalTransaction beginTransaction( KernelTransaction.Type type, SecurityContext securityContext, long timeout, TimeUnit unit ) { - return actual.beginTransaction( type, loginContext, timeout, unit ); + return actual.beginTransaction( type, securityContext, timeout, unit ); } @Override diff --git a/community/shell/src/main/java/org/neo4j/shell/kernel/apps/TransactionProvidingApp.java b/community/shell/src/main/java/org/neo4j/shell/kernel/apps/TransactionProvidingApp.java index dfbf58f422bc3..fb4ed0f158216 100644 --- a/community/shell/src/main/java/org/neo4j/shell/kernel/apps/TransactionProvidingApp.java +++ b/community/shell/src/main/java/org/neo4j/shell/kernel/apps/TransactionProvidingApp.java 
@@ -59,7 +59,7 @@ import org.neo4j.shell.util.json.JSONException; import static org.neo4j.internal.kernel.api.Transaction.Type.implicit; -import static org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED; +import static org.neo4j.internal.kernel.api.security.SecurityContext.AUTH_DISABLED; import static org.neo4j.shell.ShellException.stackTraceAsString; /** diff --git a/community/shell/src/main/java/org/neo4j/shell/kernel/apps/cypher/Dump.java b/community/shell/src/main/java/org/neo4j/shell/kernel/apps/cypher/Dump.java index 4a9ac2563c0d4..34ce14fccb0c0 100644 --- a/community/shell/src/main/java/org/neo4j/shell/kernel/apps/cypher/Dump.java +++ b/community/shell/src/main/java/org/neo4j/shell/kernel/apps/cypher/Dump.java @@ -35,7 +35,7 @@ import org.neo4j.shell.ShellException; import static org.neo4j.internal.kernel.api.Transaction.Type.implicit; -import static org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED; +import static org.neo4j.internal.kernel.api.security.SecurityContext.AUTH_DISABLED; @Service.Implementation( App.class ) public class Dump extends Start diff --git a/community/shell/src/main/java/org/neo4j/shell/kernel/apps/cypher/Start.java b/community/shell/src/main/java/org/neo4j/shell/kernel/apps/cypher/Start.java index b775f46e49e9c..017dc495a129d 100644 --- a/community/shell/src/main/java/org/neo4j/shell/kernel/apps/cypher/Start.java +++ b/community/shell/src/main/java/org/neo4j/shell/kernel/apps/cypher/Start.java 
@@ -27,9 +27,9 @@ import org.neo4j.graphdb.DependencyResolver; import org.neo4j.graphdb.Result; import org.neo4j.helpers.Service; -import org.neo4j.internal.kernel.api.security.LoginContext; import org.neo4j.kernel.GraphDatabaseQueryService; import org.neo4j.kernel.api.KernelTransaction; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.impl.coreapi.InternalTransaction; import org.neo4j.kernel.impl.coreapi.PropertyContainerLocker; import org.neo4j.kernel.impl.query.Neo4jTransactionalContextFactory; @@ -200,7 +200,7 @@ private TransactionalContext createTransactionContext( String queryText, Map makeReplicaGroups( String suffix, int id ) private List> getServerGroups( CoreGraphDatabase db ) { List> serverGroups = new ArrayList<>(); - try ( InternalTransaction tx = db.beginTransaction( KernelTransaction.Type.explicit, EnterpriseLoginContext.AUTH_DISABLED ) ) + try ( InternalTransaction tx = db.beginTransaction( KernelTransaction.Type.explicit, EnterpriseSecurityContext.AUTH_DISABLED ) ) { try ( Result result = db.execute( tx, "CALL dbms.cluster.overview", EMPTY_MAP ) ) { diff --git a/enterprise/causal-clustering/src/test/java/org/neo4j/causalclustering/scenarios/ServerPoliciesLoadBalancingIT.java b/enterprise/causal-clustering/src/test/java/org/neo4j/causalclustering/scenarios/ServerPoliciesLoadBalancingIT.java index 01302f63bfb31..0e04cda2be388 100644 --- a/enterprise/causal-clustering/src/test/java/org/neo4j/causalclustering/scenarios/ServerPoliciesLoadBalancingIT.java +++ b/enterprise/causal-clustering/src/test/java/org/neo4j/causalclustering/scenarios/ServerPoliciesLoadBalancingIT.java 
@@ -50,7 +50,7 @@ import org.neo4j.helpers.AdvertisedSocketAddress; import org.neo4j.helpers.collection.MapUtil; import org.neo4j.kernel.api.KernelTransaction; -import org.neo4j.kernel.enterprise.api.security.EnterpriseLoginContext; +import org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext; import org.neo4j.kernel.impl.coreapi.InternalTransaction; import org.neo4j.kernel.impl.store.format.standard.Standard; import org.neo4j.kernel.impl.util.ValueUtils; @@ -220,7 +220,7 @@ private void assertGetServersEventuallyMatchesOnAllCores( Matcher context ) { LoadBalancingResult lbResult = null; - try ( InternalTransaction tx = db.beginTransaction( KernelTransaction.Type.explicit, EnterpriseLoginContext.AUTH_DISABLED ) ) + try ( InternalTransaction tx = db.beginTransaction( KernelTransaction.Type.explicit, EnterpriseSecurityContext.AUTH_DISABLED ) ) { Map parameters = MapUtil.map( ParameterNames.CONTEXT.parameterName(), context ); try ( Result result = db.execute( tx, "CALL " + GET_SERVERS_V2.callName(), ValueUtils.asMapValue( parameters )) ) diff --git a/enterprise/cypher/acceptance-spec-suite/src/test/scala/org/neo4j/internal/cypher/acceptance/ExecutionResultAcceptanceTest.scala b/enterprise/cypher/acceptance-spec-suite/src/test/scala/org/neo4j/internal/cypher/acceptance/ExecutionResultAcceptanceTest.scala index 5a1adb1dac9f9..00cdae5c5ba74 100644 --- a/enterprise/cypher/acceptance-spec-suite/src/test/scala/org/neo4j/internal/cypher/acceptance/ExecutionResultAcceptanceTest.scala +++ b/enterprise/cypher/acceptance-spec-suite/src/test/scala/org/neo4j/internal/cypher/acceptance/ExecutionResultAcceptanceTest.scala 
@@ -22,7 +22,7 @@ package org.neo4j.internal.cypher.acceptance import org.neo4j.cypher.ExecutionEngineFunSuite import org.neo4j.internal.cypher.acceptance.CypherComparisonSupport.Configs import org.neo4j.internal.kernel.api.Transaction.Type -import org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED; +import org.neo4j.internal.kernel.api.security.SecurityContext._ class ExecutionResultAcceptanceTest extends ExecutionEngineFunSuite{ diff --git a/enterprise/kernel/src/main/java/org/neo4j/kernel/enterprise/api/security/EnterpriseAuthManager.java b/enterprise/kernel/src/main/java/org/neo4j/kernel/enterprise/api/security/EnterpriseAuthManager.java index d83f725e146a6..9607815b93c36 100644 --- a/enterprise/kernel/src/main/java/org/neo4j/kernel/enterprise/api/security/EnterpriseAuthManager.java +++ b/enterprise/kernel/src/main/java/org/neo4j/kernel/enterprise/api/security/EnterpriseAuthManager.java @@ -29,7 +29,7 @@ public interface EnterpriseAuthManager extends AuthManager void clearAuthCache(); @Override - EnterpriseLoginContext login( Map authToken ) throws InvalidAuthTokenException; + EnterpriseSecurityContext login( Map authToken ) throws InvalidAuthTokenException; /** * Implementation that does no authentication. @@ -37,9 +37,9 @@ public interface EnterpriseAuthManager extends AuthManager EnterpriseAuthManager NO_AUTH = new EnterpriseAuthManager() { @Override - public EnterpriseLoginContext login( Map authToken ) + public EnterpriseSecurityContext login( Map authToken ) { - return EnterpriseLoginContext.AUTH_DISABLED; + return EnterpriseSecurityContext.AUTH_DISABLED; } @Override diff --git a/enterprise/kernel/src/main/java/org/neo4j/kernel/enterprise/api/security/EnterpriseLoginContext.java b/enterprise/kernel/src/main/java/org/neo4j/kernel/enterprise/api/security/EnterpriseLoginContext.java deleted file mode 100644 index fc2344ba89b63..0000000000000 
--- a/enterprise/kernel/src/main/java/org/neo4j/kernel/enterprise/api/security/EnterpriseLoginContext.java +++ /dev/null @@ -1,55 +0,0 @@ -/* - * Copyright (c) 2002-2018 "Neo Technology," - * Network Engine for Objects in Lund AB [http://neotechnology.com] - * - * This file is part of Neo4j. - * - * Neo4j is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see . - */ -package org.neo4j.kernel.enterprise.api.security; - -import java.util.Collections; -import java.util.Set; - -import org.neo4j.internal.kernel.api.Token; -import org.neo4j.internal.kernel.api.security.AuthSubject; -import org.neo4j.internal.kernel.api.security.LoginContext; - -public interface EnterpriseLoginContext extends LoginContext -{ - Set roles(); - - EnterpriseSecurityContext authorize( Token token ); - - EnterpriseLoginContext AUTH_DISABLED = new EnterpriseLoginContext() - { - @Override - public AuthSubject subject() - { - return AuthSubject.AUTH_DISABLED; - } - - @Override - public Set roles() - { - return Collections.emptySet(); - } - - @Override - public EnterpriseSecurityContext authorize( Token token ) - { - return EnterpriseSecurityContext.AUTH_DISABLED; - } - }; -} diff --git a/enterprise/kernel/src/main/java/org/neo4j/kernel/enterprise/api/security/EnterpriseSecurityContext.java b/enterprise/kernel/src/main/java/org/neo4j/kernel/enterprise/api/security/EnterpriseSecurityContext.java index 7df01e4385116..a328cc4e13f03 100644 
--- a/enterprise/kernel/src/main/java/org/neo4j/kernel/enterprise/api/security/EnterpriseSecurityContext.java
+++ b/enterprise/kernel/src/main/java/org/neo4j/kernel/enterprise/api/security/EnterpriseSecurityContext.java
@@ -22,77 +22,133 @@ import java.util.Collections; import java.util.Set; -import org.neo4j.internal.kernel.api.Token; import org.neo4j.internal.kernel.api.security.AccessMode; import org.neo4j.internal.kernel.api.security.AuthSubject; import org.neo4j.internal.kernel.api.security.SecurityContext; /** - * A logged in and authorized user. + * A logged in user. */ -public class EnterpriseSecurityContext extends SecurityContext +public interface EnterpriseSecurityContext extends SecurityContext { - private final Set roles; - private final boolean isAdmin; - - public EnterpriseSecurityContext( AuthSubject subject, AccessMode mode, Set roles, boolean isAdmin ) - { - super( subject, mode ); - this.roles = roles; - this.isAdmin = isAdmin; - } - @Override - public boolean isAdmin() - { - return isAdmin; - } + EnterpriseSecurityContext freeze(); @Override - public EnterpriseSecurityContext authorize( Token token ) - { - return this; - } + EnterpriseSecurityContext withMode( AccessMode mode ); - @Override - public EnterpriseSecurityContext withMode( AccessMode mode ) + Set roles(); + + EnterpriseSecurityContext AUTH_DISABLED = new AuthDisabled( AccessMode.Static.FULL ); + + /** Allows all operations. 
*/ + final class AuthDisabled implements EnterpriseSecurityContext { - return new EnterpriseSecurityContext( subject, mode, roles, isAdmin ); + private final AccessMode mode; + + private AuthDisabled( AccessMode mode ) + { + this.mode = mode; + } + + @Override + public EnterpriseSecurityContext freeze() + { + return this; + } + + @Override + public EnterpriseSecurityContext withMode( AccessMode mode ) + { + return new EnterpriseSecurityContext.AuthDisabled( mode ); + } + + @Override + public Set roles() + { + return Collections.emptySet(); + } + + @Override + public AuthSubject subject() + { + return AuthSubject.AUTH_DISABLED; + } + + @Override + public AccessMode mode() + { + return mode; + } + + @Override + public String description() + { + return "AUTH_DISABLED with " + mode().name(); + } + + @Override + public String toString() + { + return defaultString( "enterprise-auth-disabled" ); + } + + @Override + public boolean isAdmin() + { + return true; + } } - /** - * Get the roles of the authenticated user. - */ - public Set roles() + final class Frozen implements EnterpriseSecurityContext { - return roles; - } + private final AuthSubject subject; + private final AccessMode mode; + private final Set roles; + private final boolean isAdmin; - /** Allows all operations. 
*/ - public static final EnterpriseSecurityContext AUTH_DISABLED = authDisabled( AccessMode.Static.FULL ); + public Frozen( AuthSubject subject, AccessMode mode, Set roles, boolean isAdmin ) + { + this.subject = subject; + this.mode = mode; + this.roles = roles; + this.isAdmin = isAdmin; + } - private static EnterpriseSecurityContext authDisabled( AccessMode mode ) - { - return new EnterpriseSecurityContext( AuthSubject.AUTH_DISABLED, mode, Collections.emptySet(), true ) - { - - @Override - public EnterpriseSecurityContext withMode( AccessMode mode ) - { - return authDisabled( mode ); - } - - @Override - public String description() - { - return "AUTH_DISABLED with " + mode().name(); - } - - @Override - public String toString() - { - return defaultString( "enterprise-auth-disabled" ); - } - }; + @Override + public boolean isAdmin() + { + return isAdmin; + } + + @Override + public AccessMode mode() + { + return mode; + } + + @Override + public AuthSubject subject() + { + return subject; + } + + @Override + public EnterpriseSecurityContext freeze() + { + return this; + } + + @Override + public EnterpriseSecurityContext withMode( AccessMode mode ) + { + return new EnterpriseSecurityContext.Frozen( subject, mode, roles, isAdmin ); + } + + @Override + public Set roles() + { + return roles; + } } } diff --git a/enterprise/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/AbstractConstraintCreationIT.java b/enterprise/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/AbstractConstraintCreationIT.java index 871718e2bd245..75456eaae4d4f 100644 --- a/enterprise/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/AbstractConstraintCreationIT.java +++ b/enterprise/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/AbstractConstraintCreationIT.java 
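Review bot: `Frozen` is not actually frozen with respect to its roles: the constructor stores the caller's `Set roles` by reference and `roles()` hands that same reference back, so any holder of the original set (or of the returned one) can add or remove roles after the context is created, and `withMode(...)` propagates the same mutable reference into every derived `Frozen`. For a context that authorization decisions are read from, wrap it at construction: `this.roles = Collections.unmodifiableSet( roles );` (`Collections` is already imported in this file); a full defensive copy would additionally need `java.util.HashSet`. Separately, `AuthDisabled.isAdmin()` returns `true` for every `withMode(...)` variant, including restricted modes — this mirrors the previous `authDisabled( mode )` behaviour, but it deserves a one-line Javadoc on `AuthDisabled` so callers do not assume `isAdmin()` follows the access mode.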
@@ -64,7 +64,6 @@ import static org.neo4j.helpers.collection.Iterators.asCollection; import static org.neo4j.helpers.collection.Iterators.asSet; import static org.neo4j.helpers.collection.Iterators.single; -import static org.neo4j.internal.kernel.api.security.LoginContext.AUTH_DISABLED; public abstract class AbstractConstraintCreationIT extends KernelIntegrationTest @@ -114,7 +113,7 @@ protected GraphDatabaseService createGraphDatabase() public void shouldBeAbleToStoreAndRetrieveConstraint() throws Exception { // given - Statement statement = statementInNewTransaction( AUTH_DISABLED ); + Statement statement = statementInNewTransaction( SecurityContext.AUTH_DISABLED ); // when ConstraintDescriptor constraint = createConstraint( statement.schemaWriteOperations(), descriptor ); @@ -138,7 +137,7 @@ public void shouldBeAbleToStoreAndRetrieveConstraint() throws Exception public void shouldBeAbleToStoreAndRetrieveConstraintAfterRestart() throws Exception { // given - Statement statement = statementInNewTransaction( AUTH_DISABLED ); + Statement statement = statementInNewTransaction( SecurityContext.AUTH_DISABLED ); // when ConstraintDescriptor constraint = createConstraint( statement.schemaWriteOperations(), descriptor ); @@ -183,7 +182,7 @@ public void shouldNotPersistConstraintCreatedInAbortedTransaction() throws Excep public void shouldNotStoreConstraintThatIsRemovedInTheSameTransaction() throws Exception { // given - try ( Statement statement = statementInNewTransaction( AUTH_DISABLED ) ) + try ( Statement statement = statementInNewTransaction( SecurityContext.AUTH_DISABLED ) ) { Constraint constraint = createConstraint( statement.schemaWriteOperations(), descriptor ); diff --git a/enterprise/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/UniquenessConstraintCreationIT.java b/enterprise/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/UniquenessConstraintCreationIT.java index 075152a7b72f2..d20c1fcdaffb9 100644 
--- a/enterprise/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/UniquenessConstraintCreationIT.java +++ b/enterprise/kernel/src/test/java/org/neo4j/kernel/impl/api/integrationtest/UniquenessConstraintCreationIT.java @@ -31,7 +31,7 @@ import org.neo4j.internal.kernel.api.exceptions.schema.ConstraintValidationException; import org.neo4j.internal.kernel.api.schema.LabelSchemaDescriptor; import org.neo4j.internal.kernel.api.schema.constraints.ConstraintDescriptor; -import org.neo4j.internal.kernel.api.security.LoginContext; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.api.ReadOperations; import org.neo4j.kernel.api.SchemaWriteOperations; import org.neo4j.kernel.api.Statement; @@ -188,7 +188,7 @@ public void shouldCreateAnIndexToGoAlongWithAUniquePropertyConstraint() throws E public void shouldDropCreatedConstraintIndexWhenRollingBackConstraintCreation() throws Exception { // given - Statement statement = statementInNewTransaction( LoginContext.AUTH_DISABLED ); + Statement statement = statementInNewTransaction( SecurityContext.AUTH_DISABLED ); statement.schemaWriteOperations().uniquePropertyConstraintCreate( descriptor ); assertEquals( asSet( uniqueIndex ), asSet( statement.readOperations().indexesGetAll() ) ); @@ -265,7 +265,7 @@ private NeoStores neoStores() public void shouldDropConstraintIndexWhenDroppingConstraint() throws Exception { // given - Statement statement = statementInNewTransaction( LoginContext.AUTH_DISABLED ); + Statement statement = statementInNewTransaction( SecurityContext.AUTH_DISABLED ); UniquenessConstraintDescriptor constraint = statement.schemaWriteOperations().uniquePropertyConstraintCreate( descriptor ); assertEquals( asSet( uniqueIndex ), asSet( statement.readOperations().indexesGetAll() ) ); 
diff --git a/enterprise/query-logging/src/test/java/org/neo4j/kernel/impl/query/QueryLoggerIT.java b/enterprise/query-logging/src/test/java/org/neo4j/kernel/impl/query/QueryLoggerIT.java index 8a129a1fd96df..2b503e8eeafde 100644 --- a/enterprise/query-logging/src/test/java/org/neo4j/kernel/impl/query/QueryLoggerIT.java +++ b/enterprise/query-logging/src/test/java/org/neo4j/kernel/impl/query/QueryLoggerIT.java @@ -53,7 +53,7 @@ import org.neo4j.kernel.api.security.AuthToken; import org.neo4j.kernel.configuration.Settings; import org.neo4j.kernel.enterprise.api.security.EnterpriseAuthManager; -import org.neo4j.kernel.enterprise.api.security.EnterpriseLoginContext; +import org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext; import org.neo4j.kernel.impl.coreapi.InternalTransaction; import org.neo4j.kernel.impl.factory.GraphDatabaseFacade; import org.neo4j.kernel.impl.query.clientconnection.ClientConnectionInfo; @@ -128,14 +128,14 @@ public void shouldLogCustomUserName() throws Throwable db.getLocalUserManager().addRoleToUser( "architect", "mats" ); db.getLocalUserManager().addRoleToUser( "reader", "andres" ); - EnterpriseLoginContext mats = db.login( "mats", "neo4j" ); + EnterpriseSecurityContext mats = db.login( "mats", "neo4j" ); // run query db.executeQuery( mats, "UNWIND range(0, 10) AS i CREATE (:Foo {p: i})", Collections.emptyMap(), ResourceIterator::close ); db.executeQuery( mats, "CREATE (:Label)", Collections.emptyMap(), ResourceIterator::close ); // switch user, run query - EnterpriseLoginContext andres = db.login( "andres", "neo4j" ); + EnterpriseSecurityContext andres = db.login( "andres", "neo4j" ); db.executeQuery( andres, "MATCH (n:Label) RETURN n", Collections.emptyMap(), ResourceIterator::close ); db.tearDown(); 
@@ -160,7 +160,7 @@ public void shouldLogTXMetaDataInQueryLog() throws Throwable db.getLocalUserManager().setUserPassword( "neo4j", "123", false ); - EnterpriseLoginContext subject = db.login( "neo4j", "123" ); + EnterpriseSecurityContext subject = db.login( "neo4j", "123" ); db.executeQuery( subject, "UNWIND range(0, 10) AS i CREATE (:Foo {p: i})", Collections.emptyMap(), ResourceIterator::close ); @@ -386,7 +386,7 @@ public void shouldNotLogPassword() throws Exception .newGraphDatabase(); EnterpriseAuthManager authManager = database.getDependencyResolver().resolveDependency( EnterpriseAuthManager.class ); - EnterpriseLoginContext neo = authManager.login( AuthToken.newBasicAuthToken( "neo4j", "neo4j" ) ); + EnterpriseSecurityContext neo = authManager.login( AuthToken.newBasicAuthToken( "neo4j", "neo4j" ) ); String query = "CALL dbms.security.changePassword('abc123')"; try ( InternalTransaction tx = database diff --git a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/AuthProceduresBase.java b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/AuthProceduresBase.java index a8d73eb60a88e..405b23154a53a 100644 --- a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/AuthProceduresBase.java +++ b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/AuthProceduresBase.java @@ -64,7 +64,7 @@ protected void kickoutUser( String username, String reason ) } catch ( Exception e ) { - securityLog.error( securityContext.subject(), "failed to terminate running transaction and bolt connections for " + + securityLog.error( securityContext, "failed to terminate running transaction and bolt connections for " + "user `%s` following %s: %s", username, reason, e.getMessage() ); throw e; } 
diff --git a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/EnterpriseAuthAndUserManager.java b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/EnterpriseAuthAndUserManager.java index d545c4058e8a9..abf6c6c769358 100644 --- a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/EnterpriseAuthAndUserManager.java +++ b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/EnterpriseAuthAndUserManager.java @@ -19,14 +19,14 @@ */ package org.neo4j.server.security.enterprise.auth; -import org.neo4j.internal.kernel.api.security.AuthSubject; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.enterprise.api.security.EnterpriseAuthManager; import org.neo4j.kernel.api.security.UserManagerSupplier; public interface EnterpriseAuthAndUserManager extends EnterpriseAuthManager, UserManagerSupplier { @Override - EnterpriseUserManager getUserManager( AuthSubject authSubject, boolean isUserManager ); + EnterpriseUserManager getUserManager( SecurityContext securityContext ); @Override EnterpriseUserManager getUserManager(); diff --git a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityModule.java b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityModule.java index 0b34016849bd9..2fd17703d165b 100644 --- a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityModule.java +++ b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityModule.java @@ -25,10 +25,8 @@ import java.io.File; import java.util.ArrayList; -import java.util.HashMap; import java.util.HashSet; import java.util.List; -import java.util.Map; import java.util.Optional; import java.util.Set; import java.util.stream.Collectors; 
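Review bot: `getUserManager( SecurityContext securityContext )` drops the explicit `isUserManager` flag, so whether the returned manager is privileged now has to be derived inside the implementation — presumably from `securityContext.isAdmin()` — but the interface does not state that contract. Add a Javadoc on the override, e.g. `/** Returns a user manager scoped to {@code securityContext}; implementations must gate privileged operations on {@code securityContext.isAdmin()}, never on the subject alone. */`, so the community and enterprise implementations cannot drift on where the privilege decision is made.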
@@ -109,7 +107,7 @@ public void setup( Dependencies dependencies ) throws KernelException || config.get( SecuritySettings.native_authorization_enabled ) ) { procedures.registerComponent( EnterpriseUserManager.class, - ctx -> authManager.getUserManager( ctx.get( SECURITY_CONTEXT ).subject(), ctx.get( SECURITY_CONTEXT ).isAdmin() ), true ); + ctx -> authManager.getUserManager( asEnterprise( ctx.get( SECURITY_CONTEXT ) ) ), true ); if ( config.get( SecuritySettings.auth_providers ).size() > 1 ) { procedures.registerProcedure( UserManagementProcedures.class, true, @@ -173,8 +171,7 @@ public EnterpriseAuthAndUserManager newAuthManager( Config config, LogProvider l } return new MultiRealmAuthManager( internalRealm, orderedActiveRealms, createCacheManager( config ), - securityLog, config.get( SecuritySettings.security_log_successful_authentication ), - securityConfig.propertyAuthorization, securityConfig.propertyBlacklist ); + securityLog, config.get( SecuritySettings.security_log_successful_authentication ) ); } private static List selectOrderedActiveRealms( List configuredRealms, List availableRealms ) @@ -321,12 +318,12 @@ public static UserRepository getDefaultAdminRepository( Config config, LogProvid return new FileUserRepository( fileSystem, getDefaultAdminRepositoryFile( config ), logProvider ); } - private static File getRoleRepositoryFile( Config config ) + public static File getRoleRepositoryFile( Config config ) { return new File( config.get( DatabaseManagementSystemSettings.auth_store_directory ), ROLE_STORE_FILENAME ); } - private static File getDefaultAdminRepositoryFile( Config config ) + public static File getDefaultAdminRepositoryFile( Config config ) { return new File( config.get( DatabaseManagementSystemSettings.auth_store_directory ), DEFAULT_ADMIN_STORE_FILENAME ); 
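Review bot: The component factory now passes `asEnterprise( ctx.get( SECURITY_CONTEXT ) )`; if `asEnterprise` is a plain cast, a procedure invoked under a non-enterprise context fails with a `ClassCastException` at call time instead of a security error. This diff makes `SecurityContext.AUTH_DISABLED` and `EnterpriseSecurityContext.AUTH_DISABLED` distinct objects (the latter is defined in EnterpriseSecurityContext), so a caller that begins a transaction with the community constant would hit exactly that path. If `asEnterprise` is not already defensive, have it reject non-enterprise contexts with an `AuthorizationViolationException` carrying a clear message; `asEnterprise` itself is defined outside this hunk.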
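Review bot: `getRoleRepositoryFile` and `getDefaultAdminRepositoryFile` are widened from `private` to `public`, but nothing in this diff calls them from outside the class. These resolve the on-disk role store and default-admin store, so keep the narrowest visibility the new caller needs (package-private if it is a test in the same package) and say who that caller is, e.g. `// package-private for tests; resolves the role store under auth_store_directory`.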
@@ -337,7 +334,7 @@ private static IllegalArgumentException illegalConfiguration( String message ) return new IllegalArgumentException( "Illegal configuration: " + message ); } - static class SecurityConfig + class SecurityConfig { final List authProviders; final boolean hasNativeProvider; @@ -349,9 +346,6 @@ static class SecurityConfig final boolean ldapAuthorization; final boolean pluginAuthentication; final boolean pluginAuthorization; - final boolean propertyAuthorization; - private final String propertyAuthMapping; - final Map> propertyBlacklist = new HashMap<>(); SecurityConfig( Config config ) { @@ -368,8 +362,6 @@ static class SecurityConfig ldapAuthorization = config.get( SecuritySettings.ldap_authorization_enabled ); pluginAuthentication = config.get( SecuritySettings.plugin_authentication_enabled ); pluginAuthorization = config.get( SecuritySettings.plugin_authorization_enabled ); - propertyAuthorization = config.get( SecuritySettings.property_level_authorization_enabled ); - propertyAuthMapping = config.get( SecuritySettings.property_level_authorization_permissions ); } void validate() 
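Review bot: `SecurityConfig` changes from `static class` to a non-static inner class, so every instance now carries a hidden reference to the enclosing `EnterpriseSecurityModule`. Nothing visible in these hunks reads enclosing-instance state — the only members touched are the removed `propertyAuthorization`, `propertyAuthMapping` and `propertyBlacklist` fields — so the `static` modifier appears to have been dropped accidentally; restore `static class SecurityConfig` unless an instance member is genuinely required. The class body continues outside the hunk.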
@@ -401,48 +393,6 @@ void validate() throw illegalConfiguration( "Plugin auth provider configured, but both authentication and authorization are disabled." ); } - if ( propertyAuthorization && !parsePropertyPermissions() ) - { - throw illegalConfiguration( - "Property level authorization is enabled but there is a error in the permissions mapping." ); - } - } - - private boolean parsePropertyPermissions() - { - if ( propertyAuthMapping != null && !propertyAuthMapping.isEmpty() ) - { - String rolePattern = "\\s*[a-zA-Z0-9_]+\\s*"; - String propertyPattern = "\\s*[a-zA-Z0-9_]+\\s*"; - String roleToPerm = rolePattern + "=" + propertyPattern + "(," + propertyPattern + ")*"; - String multiLine = roleToPerm + "(;" + roleToPerm + ")*"; - - boolean valid = propertyAuthMapping.matches( multiLine ); - if ( !valid ) - { - return false; - } - - for ( String rolesAndPermissions : propertyAuthMapping.split( ";" ) ) - { - if ( !rolesAndPermissions.isEmpty() ) - { - String[] split = rolesAndPermissions.split( "=" ); - String role = split[0].trim(); - String permissions = split[1]; - List permissionsList = new ArrayList<>(); - for ( String perm : permissions.split( "," ) ) - { - if ( !perm.isEmpty() ) - { - permissionsList.add( perm.trim() ); - } - } - propertyBlacklist.put( role, permissionsList ); - } - } - } - return true; } public boolean onlyPluginAuthentication() diff --git a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/InternalFlatFileRealm.java b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/InternalFlatFileRealm.java index 798289863bb70..45e2505d303f6 100644 --- a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/InternalFlatFileRealm.java +++ b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/InternalFlatFileRealm.java 
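Review bot: With `parsePropertyPermissions()` and the `propertyAuthorization` check gone, `validate()` no longer looks at the property-level authorization settings at all; if `SecuritySettings.property_level_authorization_enabled` and `property_level_authorization_permissions` are still accepted by the config (their removal is not part of this diff), an operator who sets them gets neither an error nor enforcement, which is a silent security downgrade. `validate()` should fail fast on those keys — e.g. `if ( config.get( SecuritySettings.property_level_authorization_enabled ) ) { throw illegalConfiguration( "Property level authorization is no longer supported." ); }` — or the settings should be removed/deprecated in the same change. The start of `validate()` lies outside the hunk.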
@@ -93,7 +93,7 @@ public InternalFlatFileRealm( UserRepository userRepository, RoleRepository role
 JobScheduler jobScheduler, UserRepository initialUserRepository, UserRepository defaultAdminRepository )
 {
- this( userRepository,roleRepository, passwordPolicy, authenticationStrategy, true, true,
+ this( userRepository, roleRepository, passwordPolicy, authenticationStrategy, true, true,
 jobScheduler, initialUserRepository, defaultAdminRepository );
 }
diff --git a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/MultiRealmAuthManager.java b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/MultiRealmAuthManager.java
index 6e694ba2802e8..471f7d791116f 100644
--- a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/MultiRealmAuthManager.java
+++ b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/MultiRealmAuthManager.java
@@ -42,20 +42,13 @@ import java.util.Collection; import java.util.List; import java.util.Map; -import java.util.Set; -import java.util.function.Function; -import java.util.function.IntPredicate; -import org.neo4j.collection.primitive.Primitive; -import org.neo4j.collection.primitive.PrimitiveIntSet; import org.neo4j.graphdb.security.AuthProviderFailedException; import org.neo4j.graphdb.security.AuthProviderTimeoutException; -import org.neo4j.internal.kernel.api.Token; -import org.neo4j.internal.kernel.api.exceptions.schema.IllegalTokenNameException; -import org.neo4j.internal.kernel.api.security.AuthSubject; import org.neo4j.internal.kernel.api.security.AuthenticationResult; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.api.security.exception.InvalidAuthTokenException; -import org.neo4j.kernel.enterprise.api.security.EnterpriseLoginContext; +import org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext; import org.neo4j.server.security.enterprise.log.SecurityLog; import static org.neo4j.helpers.Strings.escape; @@ -69,11 +62,9 @@ class MultiRealmAuthManager implements EnterpriseAuthAndUserManager private final CacheManager cacheManager; private final SecurityLog securityLog; private final boolean logSuccessfulLogin; - private final boolean propertyAuthorization; - private final Map> roleToPropertyBlacklist; MultiRealmAuthManager( EnterpriseUserManager userManager, Collection realms, CacheManager cacheManager, - SecurityLog securityLog, boolean logSuccessfulLogin, boolean propertyAuthorization, Map> roleToPropertyBlacklist ) + SecurityLog securityLog, boolean logSuccessfulLogin ) { this.userManager = userManager; this.realms = realms; 
@@ -82,8 +73,6 @@ class MultiRealmAuthManager implements EnterpriseAuthAndUserManager securityManager = new DefaultSecurityManager( realms ); this.securityLog = securityLog; this.logSuccessfulLogin = logSuccessfulLogin; - this.propertyAuthorization = propertyAuthorization; - this.roleToPropertyBlacklist = roleToPropertyBlacklist; securityManager.setSubjectFactory( new ShiroSubjectFactory() ); ((ModularRealmAuthenticator) securityManager.getAuthenticator()) .setAuthenticationStrategy( new ShiroAuthenticationStrategy() ); 
@@ -101,37 +90,37 @@ private SubjectDAO createSubjectDAO() } @Override - public EnterpriseLoginContext login( Map authToken ) throws InvalidAuthTokenException + public EnterpriseSecurityContext login( Map authToken ) throws InvalidAuthTokenException { - EnterpriseLoginContext securityContext; + EnterpriseSecurityContext securityContext; ShiroAuthToken token = new ShiroAuthToken( authToken ); assertValidScheme( token ); try { - securityContext = new StandardEnterpriseLoginContext( + securityContext = new StandardEnterpriseSecurityContext( this, (ShiroSubject) securityManager.login( null, token ) ); AuthenticationResult authenticationResult = securityContext.subject().getAuthenticationResult(); if ( authenticationResult == AuthenticationResult.SUCCESS ) { if ( logSuccessfulLogin ) { - securityLog.info( securityContext.subject(), "logged in" ); + securityLog.info( securityContext, "logged in" ); } } else if ( authenticationResult == AuthenticationResult.PASSWORD_CHANGE_REQUIRED ) { - securityLog.info( securityContext.subject(), "logged in (password change required)" ); + securityLog.info( securityContext, "logged in (password change required)" ); } else { - String errorMessage = ((StandardEnterpriseLoginContext.NeoShiroSubject) securityContext.subject()) + String errorMessage = ((StandardEnterpriseSecurityContext.NeoShiroSubject) securityContext.subject()) .getAuthenticationFailureMessage(); securityLog.error( "[%s]: failed to log in: %s", escape( token.getPrincipal().toString() ), errorMessage ); } // No need to keep full Shiro authentication info around on the subject - ((StandardEnterpriseLoginContext.NeoShiroSubject) securityContext.subject()).clearAuthenticationInfo(); + ((StandardEnterpriseSecurityContext.NeoShiroSubject) securityContext.subject()).clearAuthenticationInfo(); } catch ( UnsupportedTokenException e ) { 
@@ -146,7 +135,7 @@ else if ( authenticationResult == AuthenticationResult.PASSWORD_CHANGE_REQUIRED catch ( ExcessiveAttemptsException e ) { // NOTE: We only get this with single (internal) realm authentication - securityContext = new StandardEnterpriseLoginContext( this, + securityContext = new StandardEnterpriseSecurityContext( this, new ShiroSubject( securityManager, AuthenticationResult.TOO_MANY_ATTEMPTS ) ); securityLog.error( "[%s]: failed to log in: too many failed attempts", escape( token.getPrincipal().toString() ) ); @@ -169,7 +158,7 @@ else if ( e.getCause() != null && e.getCause() instanceof AuthProviderFailedExce cause != null && cause.getMessage() != null ? " (" + cause.getMessage() + ")" : "" ); throw new AuthProviderFailedException( e.getCause().getMessage(), e.getCause() ); } - securityContext = new StandardEnterpriseLoginContext( this, + securityContext = new StandardEnterpriseSecurityContext( this, new ShiroSubject( securityManager, AuthenticationResult.FAILURE ) ); Throwable cause = e.getCause(); Throwable causeCause = e.getCause() != null ? e.getCause().getCause() : null; @@ -256,9 +245,9 @@ public void shutdown() throws Throwable } @Override - public EnterpriseUserManager getUserManager( AuthSubject authSubject, boolean isUserManager ) + public EnterpriseUserManager getUserManager( SecurityContext securityContext ) { - return new PersonalUserManager( userManager, authSubject, securityLog, isUserManager ); + return new PersonalUserManager( userManager, securityContext, securityLog ); } @Override 
@@ -308,37 +297,4 @@ public Collection getAuthorizationInfo( PrincipalCollection p } return infoList; } - - IntPredicate getPropertyPermissions( Set roles, Token token ) - { - if ( propertyAuthorization ) - { - PrimitiveIntSet blackListed = Primitive.intSet(); - for ( String role : roles ) - { - if ( roleToPropertyBlacklist.containsKey( role ) ) - { - assert roleToPropertyBlacklist.get( role ) != null : "Blacklist has to contain properties"; - for ( String propName : roleToPropertyBlacklist.get( role ) ) - { - - try - { - blackListed.add( token.propertyKeyGetOrCreateForName( propName ) ); - } - catch ( IllegalTokenNameException e ) - { - // This can't happen since propName has already been checked to be valid - securityLog.error( "Error in setting up property permissions, '" + propName + "' is not a valid property name." ); - } - } - } - } - return property -> !blackListed.contains( property ); - } - else - { - return property -> true; - } - } } diff --git a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/PersonalUserManager.java b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/PersonalUserManager.java index 082f64d1d2c4d..5ed3384458d44 100644 --- a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/PersonalUserManager.java +++ b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/PersonalUserManager.java @@ -23,8 +23,8 @@ import java.util.Set; import org.neo4j.graphdb.security.AuthorizationViolationException; -import org.neo4j.internal.kernel.api.security.AuthSubject; import org.neo4j.kernel.api.exceptions.InvalidArgumentsException; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.impl.security.User; import org.neo4j.server.security.enterprise.auth.plugin.api.PredefinedRoles; import org.neo4j.server.security.enterprise.log.SecurityLog; 
@@ -34,16 +34,14 @@ class PersonalUserManager implements EnterpriseUserManager { private final EnterpriseUserManager userManager; + private final SecurityContext securityContext; private final SecurityLog securityLog; - private final AuthSubject subject; - private final boolean isUserManager; - PersonalUserManager( EnterpriseUserManager userManager, AuthSubject subject, SecurityLog securityLog, boolean isUserManager ) + PersonalUserManager( EnterpriseUserManager userManager, SecurityContext securityContext, SecurityLog securityLog ) { this.userManager = userManager; + this.securityContext = securityContext; this.securityLog = securityLog; - this.subject = subject; - this.isUserManager = isUserManager; } @Override @@ -52,15 +50,15 @@ public User newUser( String username, String initialPassword, boolean requirePas { try { - assertUserManager(); + assertAdmin(); User user = userManager.newUser( username, initialPassword, requirePasswordChange ); - securityLog.info( subject, "created user `%s`%s", username, + securityLog.info( securityContext, "created user `%s`%s", username, requirePasswordChange ? ", with password change required" : "" ); return user; } catch ( AuthorizationViolationException | IOException | InvalidArgumentsException e ) { - securityLog.error( subject, "tried to create user `%s`: %s", username, e.getMessage() ); + securityLog.error( securityContext, "tried to create user `%s`: %s", username, e.getMessage() ); throw e; } } 
@@ -71,18 +69,18 @@ public void suspendUser( String username ) { try { - assertUserManager(); - if ( subject.hasUsername( username ) ) + assertAdmin(); + if ( securityContext.subject().hasUsername( username ) ) { throw new InvalidArgumentsException( "Suspending yourself (user '" + username + "') is not allowed." ); } userManager.suspendUser( username ); - securityLog.info( subject, "suspended user `%s`", username ); + securityLog.info( securityContext, "suspended user `%s`", username ); } catch ( AuthorizationViolationException | IOException | InvalidArgumentsException e ) { - securityLog.error( subject, "tried to suspend user `%s`: %s", username, e.getMessage() ); + securityLog.error( securityContext, "tried to suspend user `%s`: %s", username, e.getMessage() ); throw e; } } @@ -93,18 +91,18 @@ public boolean deleteUser( String username ) { try { - assertUserManager(); - if ( subject.hasUsername( username ) ) + assertAdmin(); + if ( securityContext.subject().hasUsername( username ) ) { throw new InvalidArgumentsException( "Deleting yourself (user '" + username + "') is not allowed." ); } boolean wasDeleted = userManager.deleteUser( username ); - securityLog.info( subject, "deleted user `%s`", username ); + securityLog.info( securityContext, "deleted user `%s`", username ); return wasDeleted; } catch ( AuthorizationViolationException | IOException | InvalidArgumentsException e ) { - securityLog.error( subject, "tried to delete user `%s`: %s", username, e.getMessage() ); + securityLog.error( securityContext, "tried to delete user `%s`: %s", username, e.getMessage() ); throw e; } } 
@@ -115,17 +113,17 @@ public void activateUser( String username, boolean requirePasswordChange ) { try { - assertUserManager(); - if ( subject.hasUsername( username ) ) + assertAdmin(); + if ( securityContext.subject().hasUsername( username ) ) { throw new InvalidArgumentsException( "Activating yourself (user '" + username + "') is not allowed." ); } userManager.activateUser( username, requirePasswordChange ); - securityLog.info( subject, "activated user `%s`", username ); + securityLog.info( securityContext, "activated user `%s`", username ); } catch ( AuthorizationViolationException | IOException | InvalidArgumentsException e ) { - securityLog.error( subject, "tried to activate user `%s`: %s", username, e.getMessage() ); + securityLog.error( securityContext, "tried to activate user `%s`: %s", username, e.getMessage() ); throw e; } } @@ -148,14 +146,14 @@ public RoleRecord newRole( String roleName, String... usernames ) { try { - assertUserManager(); + assertAdmin(); RoleRecord newRole = userManager.newRole( roleName, usernames ); - securityLog.info( subject, "created role `%s`", roleName ); + securityLog.info( securityContext, "created role `%s`", roleName ); return newRole; } catch ( AuthorizationViolationException | IOException | InvalidArgumentsException e ) { - securityLog.error( subject, "tried to create role `%s`: %s", roleName, e.getMessage() ); + securityLog.error( securityContext, "tried to create role `%s`: %s", roleName, e.getMessage() ); throw e; } } 
@@ -166,14 +164,14 @@ public boolean deleteRole( String roleName ) { try { - assertUserManager(); + assertAdmin(); boolean wasDeleted = userManager.deleteRole( roleName ); - securityLog.info( subject, "deleted role `%s`", roleName ); + securityLog.info( securityContext, "deleted role `%s`", roleName ); return wasDeleted; } catch ( AuthorizationViolationException | IOException | InvalidArgumentsException e ) { - securityLog.error( subject, "tried to delete role `%s`: %s", roleName, e.getMessage() ); + securityLog.error( securityContext, "tried to delete role `%s`: %s", roleName, e.getMessage() ); throw e; } } @@ -182,17 +180,17 @@ public boolean deleteRole( String roleName ) public void setUserPassword( String username, String password, boolean requirePasswordChange ) throws IOException, InvalidArgumentsException, AuthorizationViolationException { - if ( subject.hasUsername( username ) ) + if ( securityContext.subject().hasUsername( username ) ) { try { userManager.setUserPassword( username, password, requirePasswordChange ); - securityLog.info( subject, "changed password%s", + securityLog.info( securityContext, "changed password%s", requirePasswordChange ? ", with password change required" : "" ); } catch ( AuthorizationViolationException | IOException | InvalidArgumentsException e ) { - securityLog.error( subject, "tried to change password: %s", e.getMessage() ); + securityLog.error( securityContext, "tried to change password: %s", e.getMessage() ); throw e; } } 
@@ -200,14 +198,14 @@ public void setUserPassword( String username, String password, boolean requirePa { try { - assertUserManager(); + assertAdmin(); userManager.setUserPassword( username, password, requirePasswordChange ); - securityLog.info( subject, "changed password for user `%s`%s", username, + securityLog.info( securityContext, "changed password for user `%s`%s", username, requirePasswordChange ? ", with password change required" : "" ); } catch ( AuthorizationViolationException | IOException | InvalidArgumentsException e ) { - securityLog.error( subject, "tried to change password for user `%s`: %s", username, + securityLog.error( securityContext, "tried to change password for user `%s`: %s", username, e.getMessage() ); throw e; } @@ -219,12 +217,12 @@ public Set getAllUsernames() throws AuthorizationViolationException { try { - assertUserManager(); + assertAdmin(); return userManager.getAllUsernames(); } catch ( AuthorizationViolationException e ) { - securityLog.error( subject, "tried to list users: %s", e.getMessage() ); + securityLog.error( securityContext, "tried to list users: %s", e.getMessage() ); throw e; } } @@ -247,13 +245,13 @@ public void addRoleToUser( String roleName, String username ) { try { - assertUserManager(); + assertAdmin(); userManager.addRoleToUser( roleName, username ); - securityLog.info( subject, "added role `%s` to user `%s`", roleName, username ); + securityLog.info( securityContext, "added role `%s` to user `%s`", roleName, username ); } catch ( AuthorizationViolationException | IOException | InvalidArgumentsException e ) { - securityLog.error( subject, "tried to add role `%s` to user `%s`: %s", roleName, username, + securityLog.error( securityContext, "tried to add role `%s` to user `%s`: %s", roleName, username, e.getMessage() ); throw e; } 
@@ -265,18 +263,18 @@ public void removeRoleFromUser( String roleName, String username ) { try { - assertUserManager(); - if ( subject.hasUsername( username ) && roleName.equals( PredefinedRoles.ADMIN ) ) + assertAdmin(); + if ( securityContext.subject().hasUsername( username ) && roleName.equals( PredefinedRoles.ADMIN ) ) { throw new InvalidArgumentsException( "Removing yourself (user '" + username + "') from the admin role is not allowed." ); } userManager.removeRoleFromUser( roleName, username ); - securityLog.info( subject, "removed role `%s` from user `%s`", roleName, username ); + securityLog.info( securityContext, "removed role `%s` from user `%s`", roleName, username ); } catch ( AuthorizationViolationException | IOException | InvalidArgumentsException e ) { - securityLog.error( subject, "tried to remove role `%s` from user `%s`: %s", roleName, username, e + securityLog.error( securityContext, "tried to remove role `%s` from user `%s`: %s", roleName, username, e .getMessage() ); throw e; } @@ -287,12 +285,12 @@ public Set getAllRoleNames() throws AuthorizationViolationException { try { - assertUserManager(); + assertAdmin(); return userManager.getAllRoleNames(); } catch ( AuthorizationViolationException e ) { - securityLog.error( subject, "tried to list roles: %s", e.getMessage() ); + securityLog.error( securityContext, "tried to list roles: %s", e.getMessage() ); throw e; } } @@ -303,12 +301,12 @@ public Set getRoleNamesForUser( String username ) { try { - assertSelfOrUserManager( username ); + assertSelfOrAdmin( username ); return userManager.getRoleNamesForUser( username ); } catch ( AuthorizationViolationException | InvalidArgumentsException e ) { - securityLog.error( subject, "tried to list roles for user `%s`: %s", username, e.getMessage() ); + securityLog.error( securityContext, "tried to list roles for user `%s`: %s", username, e.getMessage() ); throw e; } } 
@@ -325,12 +323,12 @@ public Set getUsernamesForRole( String roleName ) { try { - assertUserManager(); + assertAdmin(); return userManager.getUsernamesForRole( roleName ); } catch ( AuthorizationViolationException | InvalidArgumentsException e ) { - securityLog.error( subject, "tried to list users for role `%s`: %s", roleName, e.getMessage() ); + securityLog.error( securityContext, "tried to list users for role `%s`: %s", roleName, e.getMessage() ); throw e; } } @@ -341,17 +339,17 @@ public Set silentlyGetUsernamesForRole( String roleName ) return userManager.silentlyGetUsernamesForRole( roleName ); } - private void assertSelfOrUserManager( String username ) + private void assertSelfOrAdmin( String username ) { - if ( !subject.hasUsername( username ) ) + if ( !securityContext.subject().hasUsername( username ) ) { - assertUserManager(); + assertAdmin(); } } - private void assertUserManager() throws AuthorizationViolationException + private void assertAdmin() throws AuthorizationViolationException { - if ( !isUserManager ) + if ( !securityContext.isAdmin() ) { throw new AuthorizationViolationException( PERMISSION_DENIED ); } diff --git a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/StandardEnterpriseLoginContext.java b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/StandardEnterpriseSecurityContext.java similarity index 88% rename from enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/StandardEnterpriseLoginContext.java rename to enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/StandardEnterpriseSecurityContext.java index 419669c5abd11..5104ce7c20d13 100644 --- a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/StandardEnterpriseLoginContext.java +++ b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/StandardEnterpriseSecurityContext.java 
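Review bot: assertAdmin() now gates every user- and role-management operation on `securityContext.isAdmin()` alone, whereas the removed `isUserManager` flag was decided by whoever constructed the PersonalUserManager; any SecurityContext implementation whose isAdmin() returns true (AUTH_DISABLED contexts, test doubles, a context narrowed with withMode that still reports admin) therefore receives full user management. That contract deserves to be explicit at the gate, e.g. `// Sole authorization check for user/role management: trusts SecurityContext.isAdmin() of the context this manager was built with.` on assertAdmin(). The closing brace of assertAdmin() lies outside the hunk.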
@@ -25,20 +25,16 @@ import java.util.List; import java.util.Set; import java.util.TreeSet; -import java.util.function.Function; -import java.util.function.IntPredicate; import java.util.stream.Collectors; import java.util.stream.Stream; import org.neo4j.graphdb.security.AuthorizationViolationException; -import org.neo4j.internal.kernel.api.Token; import org.neo4j.internal.kernel.api.security.AccessMode; import org.neo4j.internal.kernel.api.security.AuthSubject; import org.neo4j.internal.kernel.api.security.AuthenticationResult; -import org.neo4j.kernel.enterprise.api.security.EnterpriseLoginContext; import org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext; -class StandardEnterpriseLoginContext implements EnterpriseLoginContext +class StandardEnterpriseSecurityContext implements EnterpriseSecurityContext { private static final String SCHEMA_READ_WRITE = "schema:read,write"; private static final String TOKEN_CREATE = "token:create"; @@ -49,14 +45,20 @@ class StandardEnterpriseLoginContext implements EnterpriseLoginContext private final ShiroSubject shiroSubject; private final NeoShiroSubject neoShiroSubject; - StandardEnterpriseLoginContext( MultiRealmAuthManager authManager, ShiroSubject shiroSubject ) + StandardEnterpriseSecurityContext( MultiRealmAuthManager authManager, ShiroSubject shiroSubject ) { this.authManager = authManager; this.shiroSubject = shiroSubject; this.neoShiroSubject = new NeoShiroSubject(); } - private boolean isAdmin() + public EnterpriseUserManager getUserManager() + { + return authManager.getUserManager( this ); + } + + @Override + public boolean isAdmin() { return shiroSubject.isAuthenticated() && shiroSubject.isPermitted( "*" ); } @@ -67,7 +69,8 @@ public AuthSubject subject() return neoShiroSubject; } - private StandardAccessMode mode( Token token ) + @Override + public StandardAccessMode mode() { boolean isAuthenticated = shiroSubject.isAuthenticated(); return new StandardAccessMode( 
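Review bot: isAdmin() is now public and, through getUserManager(), becomes the single predicate that decides who may manage users and roles, yet it carries no documentation of what "admin" means here; a Javadoc such as `/** True only for an authenticated Shiro subject that holds the wildcard permission "*"; this is the sole gate for user and role management. */` would make the semantics reviewable. getUserManager() is added without `@Override`, so whether EnterpriseSecurityContext declares it cannot be told from this hunk; if it does, add the annotation. The body of mode() continues past the end of the hunk.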
@@ -76,16 +79,27 @@ private StandardAccessMode mode( Token token ) isAuthenticated && shiroSubject.isPermitted( TOKEN_CREATE ), isAuthenticated && shiroSubject.isPermitted( SCHEMA_READ_WRITE ), shiroSubject.getAuthenticationResult() == AuthenticationResult.PASSWORD_CHANGE_REQUIRED, - queryForRoleNames(), - queryForPropertyPermissions( token ) + queryForRoleNames() ); } @Override - public EnterpriseSecurityContext authorize( Token token ) + public String toString() + { + return defaultString( "enterprise-security-context" ); + } + + @Override + public EnterpriseSecurityContext freeze() + { + StandardAccessMode mode = mode(); + return new Frozen( neoShiroSubject, mode, mode.roles, isAdmin() ); + } + + @Override + public EnterpriseSecurityContext withMode( AccessMode mode ) { - StandardAccessMode mode = mode( token ); - return new EnterpriseSecurityContext( neoShiroSubject, mode, mode.roles, isAdmin() ); + return new Frozen( neoShiroSubject, mode, queryForRoleNames(), isAdmin() ); } @Override @@ -107,11 +121,6 @@ private Set queryForRoleNames() .collect( Collectors.toSet() ); } - private IntPredicate queryForPropertyPermissions( Token token ) - { - return authManager.getPropertyPermissions( roles(), token ); - } - private static class StandardAccessMode implements AccessMode { private final boolean allowsReads; @@ -120,10 +129,9 @@ private static class StandardAccessMode implements AccessMode private final boolean allowsTokenCreates; private final boolean passwordChangeRequired; private final Set roles; - private final IntPredicate propertyPermissions; StandardAccessMode( boolean allowsReads, boolean allowsWrites, boolean allowsTokenCreates, boolean allowsSchemaWrites, - boolean passwordChangeRequired, Set roles, IntPredicate propertyPermissions ) + boolean passwordChangeRequired, Set roles ) { this.allowsReads = allowsReads; this.allowsWrites = allowsWrites; 
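Review bot: withMode( AccessMode mode ) builds the Frozen context with `isAdmin()` taken from the live Shiro subject regardless of the mode it is being narrowed to, so a context restricted to, say, a read-only AccessMode still reports admin and would pass PersonalUserManager's assertAdmin(); whether Frozen treats that flag as authoritative or derives privileges from the mode is not visible here. If the flag is authoritative, either pass a narrowed value or state the intent on the method: `// withMode narrows only the data AccessMode; admin status and roles are still taken from the live subject`. Note also the asymmetry with freeze(), which reuses `mode.roles` while withMode re-queries `queryForRoleNames()`.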
@@ -131,7 +139,6 @@ private static class StandardAccessMode implements AccessMode this.allowsSchemaWrites = allowsSchemaWrites; this.passwordChangeRequired = passwordChangeRequired; this.roles = roles; - this.propertyPermissions = propertyPermissions; } @Override @@ -158,12 +165,6 @@ public boolean allowsSchemaWrites() return allowsSchemaWrites; } - @Override - public boolean allowsPropertyReads( int propertyKey ) - { - return propertyPermissions.test( propertyKey ); - } - @Override public boolean allowsProcedureWith( String[] roleNames ) { diff --git a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/configuration/SecuritySettings.java b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/configuration/SecuritySettings.java index f4b46a70f2ba3..2ffe22f989e7c 100644 --- a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/configuration/SecuritySettings.java +++ b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/configuration/SecuritySettings.java 
@@ -342,23 +342,4 @@ public class SecuritySettings implements LoadableConfig "system account." ) public static final Setting ldap_authorization_connection_pooling = setting( "unsupported.dbms.security.ldap.authorization.connection_pooling", BOOLEAN, "true" ); - - //========================================================================= - // Property level security settings - //========================================================================= - - @Description( "Set to true to enable property level security." ) - public static final Setting property_level_authorization_enabled = - setting( "dbms.security.property_level.enabled", BOOLEAN, "false" ); - - @Description( "An authorization mapping for property level access for roles. " + - "The map should be formatted as a semicolon separated list of key-value pairs, where the " + - "key is the role name and the value is a comma separated list of blacklisted properties. " + - "For example: role1=prop1;role2=prop2;role3=prop3,prop4,prop5\n\n" + - "You could also use whitespaces and quotes around group names to make this mapping more readable, " + - "for example: dbms.security.property_level.blacklist=\\\n" + - " \"role1\" = ssn; \\\n" + - " \"role2\" = ssn,income; \\\n" ) - public static final Setting property_level_authorization_permissions = - setting( "dbms.security.property_level.blacklist", STRING, NO_DEFAULT ); } diff --git a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/log/SecurityLog.java b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/log/SecurityLog.java index 6a846595e5fed..94006ee92c0ab 100644 --- a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/log/SecurityLog.java +++ b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/log/SecurityLog.java 
@@ -26,7 +26,7 @@ import java.util.function.Consumer; import org.neo4j.graphdb.factory.GraphDatabaseSettings; -import org.neo4j.internal.kernel.api.security.AuthSubject; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.io.fs.FileSystemAbstraction; import org.neo4j.kernel.configuration.Config; import org.neo4j.kernel.lifecycle.LifecycleAdapter; @@ -68,9 +68,9 @@ public SecurityLog( Log log ) inner = log; } - private static String withSubject( AuthSubject subject, String msg ) + private static String withContext( SecurityContext context, String msg ) { - return "[" + escape( subject.username() ) + "]: " + msg; + return "[" + escape( context.subject().username() ) + "]: " + msg; } @Override @@ -103,9 +103,9 @@ public void debug( String format, Object... arguments ) inner.debug( format, arguments ); } - public void debug( AuthSubject subject, String format, Object... arguments ) + public void debug( SecurityContext context, String format, Object... arguments ) { - inner.debug( withSubject( subject, format ), arguments ); + inner.debug( withContext( context, format ), arguments ); } @Override @@ -132,14 +132,14 @@ public void info( String format, Object... arguments ) inner.info( format, arguments ); } - public void info( AuthSubject subject, String format, Object... arguments ) + public void info( SecurityContext context, String format, Object... arguments ) { - inner.info( withSubject( subject, format ), arguments ); + inner.info( withContext( context, format ), arguments ); } - public void info( AuthSubject subject, String format ) + public void info( SecurityContext context, String format ) { - inner.info( withSubject( subject, format ) ); + inner.info( withContext( context, format ) ); } @Override 
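Review bot: withContext() escapes only the username, while the format arguments that callers in PersonalUserManager pass (target usernames, role names, and `e.getMessage()` text that may embed caller-supplied names) reach `inner.info( format, arguments )` untouched; if escape() is what neutralises newlines and control characters (its definition is not visible here), a crafted role name can still inject extra lines into the security log. Consider escaping String arguments in the overloads that take them, or at least document the boundary: `// Only the principal is escaped here; callers are responsible for escaping any untrusted format arguments.`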
@@ -166,9 +166,9 @@ public void warn( String format, Object... arguments ) inner.warn( format, arguments ); } - public void warn( AuthSubject subject, String format, Object... arguments ) + public void warn( SecurityContext context, String format, Object... arguments ) { - inner.warn( withSubject( subject, format ), arguments ); + inner.warn( withContext( context, format ), arguments ); } @Override @@ -195,9 +195,9 @@ public void error( String format, Object... arguments ) inner.error( format, arguments ); } - public void error( AuthSubject subject, String format, Object... arguments ) + public void error( SecurityContext context, String format, Object... arguments ) { - inner.error( withSubject( subject, format ), arguments ); + inner.error( withContext( context, format ), arguments ); } @Override diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/BoltInteraction.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/BoltInteraction.java index 029a2cef977de..0653b7c58243f 100644 --- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/BoltInteraction.java +++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/BoltInteraction.java @@ -45,11 +45,11 @@ import org.neo4j.graphdb.factory.GraphDatabaseSettings; import org.neo4j.graphdb.mockfs.EphemeralFileSystemAbstraction; import org.neo4j.helpers.HostnamePort; -import org.neo4j.internal.kernel.api.security.LoginContext; import org.neo4j.io.fs.FileSystemAbstraction; import org.neo4j.kernel.api.KernelTransaction; import org.neo4j.kernel.api.exceptions.Status; import org.neo4j.internal.kernel.api.security.AuthenticationResult; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.enterprise.api.security.EnterpriseAuthManager; import org.neo4j.kernel.impl.coreapi.InternalTransaction; import org.neo4j.kernel.impl.factory.GraphDatabaseFacade; 
@@ -132,8 +132,8 @@ public FileSystemAbstraction fileSystem() public InternalTransaction beginLocalTransactionAsUser( BoltSubject subject, KernelTransaction.Type txType ) throws Throwable { - LoginContext loginContext = authManager.login( newBasicAuthToken( subject.username, subject.password ) ); - return getLocalGraph().beginTransaction( txType, loginContext ); + SecurityContext securityContext = authManager.login( newBasicAuthToken( subject.username, subject.password ) ); + return getLocalGraph().beginTransaction( txType, securityContext ); } @Override diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/ConfiguredAuthScenariosInteractionTestBase.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/ConfiguredAuthScenariosInteractionTestBase.java index 36ef080e398e2..c0999075c5c52 100644 --- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/ConfiguredAuthScenariosInteractionTestBase.java +++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/ConfiguredAuthScenariosInteractionTestBase.java @@ -69,7 +69,7 @@ public void shouldWarnWhenUsingNativeAndOtherProvider() throws Throwable r -> assertKeyIsMap( r, "username", "roles", valueOf( userList ) ) ); GraphDatabaseFacade localGraph = neo.getLocalGraph(); InternalTransaction transaction = localGraph - .beginTransaction( KernelTransaction.Type.explicit, StandardEnterpriseLoginContext.AUTH_DISABLED ); + .beginTransaction( KernelTransaction.Type.explicit, StandardEnterpriseSecurityContext.AUTH_DISABLED ); Result result = localGraph.execute( transaction, "EXPLAIN CALL dbms.security.listUsers", EMPTY_MAP ); String description = String.format( "%s (%s)", Status.Procedure.ProcedureWarning.code().description(), 
@@ -87,7 +87,7 @@ public void shouldNotWarnWhenOnlyUsingNativeProvider() throws Throwable r -> assertKeyIsMap( r, "username", "roles", valueOf( userList ) ) ); GraphDatabaseFacade localGraph = neo.getLocalGraph(); InternalTransaction transaction = localGraph - .beginTransaction( KernelTransaction.Type.explicit, StandardEnterpriseLoginContext.AUTH_DISABLED ); + .beginTransaction( KernelTransaction.Type.explicit, StandardEnterpriseSecurityContext.AUTH_DISABLED ); Result result = localGraph.execute( transaction, "EXPLAIN CALL dbms.security.listUsers", EMPTY_MAP ); String description = String.format( "%s (%s)", Status.Procedure.ProcedureWarning.code().description(), diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedAuthScenariosInteractionIT.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedAuthScenariosInteractionIT.java index 47e49df0c3830..9876c9ac0b784 100644 --- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedAuthScenariosInteractionIT.java +++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedAuthScenariosInteractionIT.java 
@@ -24,17 +24,17 @@ import java.util.Map; import org.neo4j.graphdb.mockfs.UncloseableDelegatingFileSystemAbstraction; -import org.neo4j.kernel.enterprise.api.security.EnterpriseLoginContext; +import org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext; import org.neo4j.test.rule.fs.EphemeralFileSystemRule; -public class EmbeddedAuthScenariosInteractionIT extends AuthScenariosInteractionTestBase +public class EmbeddedAuthScenariosInteractionIT extends AuthScenariosInteractionTestBase { @Rule public EphemeralFileSystemRule fileSystemRule = new EphemeralFileSystemRule(); @Override - protected NeoInteractionLevel setUpNeoServer( Map config ) throws Throwable + protected NeoInteractionLevel setUpNeoServer( Map config ) throws Throwable { return new EmbeddedInteraction( config, () -> new UncloseableDelegatingFileSystemAbstraction( fileSystemRule.get() ) ); } diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedBuiltInProceduresInteractionIT.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedBuiltInProceduresInteractionIT.java index 9b13360d7ce49..aef080fce2f0c 100644 --- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedBuiltInProceduresInteractionIT.java +++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedBuiltInProceduresInteractionIT.java 
@@ -27,12 +27,10 @@ import org.neo4j.graphdb.QueryExecutionException; import org.neo4j.graphdb.Result; -import org.neo4j.internal.kernel.api.Token; -import org.neo4j.internal.kernel.api.security.AuthSubject; -import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.api.KernelTransaction; +import org.neo4j.internal.kernel.api.security.AccessMode; import org.neo4j.kernel.api.security.AnonymousContext; -import org.neo4j.kernel.enterprise.api.security.EnterpriseLoginContext; +import org.neo4j.internal.kernel.api.security.AuthSubject; import org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext; import org.neo4j.kernel.impl.coreapi.InternalTransaction; import org.neo4j.kernel.impl.factory.GraphDatabaseFacade; @@ -41,11 +39,10 @@ import static org.hamcrest.CoreMatchers.containsString; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertThat; -import static org.mockito.Mockito.mock; import static org.neo4j.graphdb.security.AuthorizationViolationException.PERMISSION_DENIED; import static org.neo4j.values.virtual.VirtualValues.EMPTY_MAP; -public class EmbeddedBuiltInProceduresInteractionIT extends BuiltInProceduresInteractionTestBase +public class EmbeddedBuiltInProceduresInteractionIT extends BuiltInProceduresInteractionTestBase { @Override @@ -62,7 +59,7 @@ protected Object valueOf( Object obj ) } @Override - protected NeoInteractionLevel setUpNeoServer( Map config ) throws Throwable + protected NeoInteractionLevel setUpNeoServer( Map config ) throws Throwable { return new EmbeddedInteraction( config ); } 
@@ -70,11 +67,10 @@ protected NeoInteractionLevel setUpNeoServer( Map read = new ThreadedTransaction<>( neo, latch ); - String query = read.execute( threading, readSubject, "UNWIND [1,2,3] AS x RETURN x" ); + ThreadedTransaction read = new ThreadedTransaction<>( neo, latch ); + String query = read.execute( threading, authy, "UNWIND [1,2,3] AS x RETURN x" ); latch.startAndWaitForAllToStart(); String id = extractQueryId( query ); - try ( InternalTransaction tx = graph.beginTransaction( KernelTransaction.Type.explicit, unAuthSubject ) ) + try ( InternalTransaction tx = graph + .beginTransaction( KernelTransaction.Type.explicit, AnonymousContext.none() ) ) { graph.execute( tx, "CALL dbms.killQuery('" + id + "')", EMPTY_MAP ); throw new AssertionError( "Expected exception to be thrown" ); @@ -110,14 +107,20 @@ public void shouldNotKillQueryIfNotAuthenticated() throws Throwable read.closeAndAssertSuccess(); } - private EnterpriseLoginContext createFakeAnonymousEnterpriseLoginContext() + private EnterpriseSecurityContext createFakeAnonymousEnterpriseSecurityContext() { - return new EnterpriseLoginContext() + return new EnterpriseSecurityContext() { @Override - public EnterpriseSecurityContext authorize( Token token ) + public EnterpriseSecurityContext freeze() + { + return this; + } + + @Override + public EnterpriseSecurityContext withMode( AccessMode mode ) { - return new EnterpriseSecurityContext( subject(), inner.mode(), Collections.emptySet(), false ); + return new EnterpriseSecurityContext.Frozen( subject(), mode, roles(), isAdmin() ); } @Override @@ -126,13 +129,25 @@ public Set roles() return Collections.emptySet(); } - SecurityContext inner = AnonymousContext.none().authorize( mock( Token.class ) ); + AnonymousContext inner = AnonymousContext.none(); @Override public AuthSubject subject() { return inner.subject(); } + + @Override + public AccessMode mode() + { + return inner.mode(); + } + + @Override + public boolean isAdmin() + { + return false; + } }; } } 
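Review bot: In the fake `EnterpriseSecurityContext`, `freeze()` returns `this` while `withMode( AccessMode mode )` returns an `EnterpriseSecurityContext.Frozen`, so the two paths hand back different implementations of the same fake; as the anonymous class holds no mutable state beyond `inner`, that is presumably harmless, but a comment such as `// stateless fake: freezing is a no-op, withMode() snapshots into Frozen` would make the asymmetry deliberate. `isAdmin()` is hard-wired to `false` and `roles()` stays empty, so `withMode` can never widen this context, which is the right default for a stand-in for an unauthenticated caller. The `shouldNotKillQueryIfNotAuthenticated` test in the earlier hunk now passes `AnonymousContext.none()` directly; if no other caller remains, `createFakeAnonymousEnterpriseSecurityContext` could be removed rather than maintained.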
diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedConfiguredAuthScenariosInteractionIT.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedConfiguredAuthScenariosInteractionIT.java index be5dd801c9194..ff5bfa89f2ef5 100644 --- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedConfiguredAuthScenariosInteractionIT.java +++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedConfiguredAuthScenariosInteractionIT.java @@ -24,16 +24,16 @@ import java.util.Map; import org.neo4j.graphdb.mockfs.UncloseableDelegatingFileSystemAbstraction; -import org.neo4j.kernel.enterprise.api.security.EnterpriseLoginContext; +import org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext; import org.neo4j.test.rule.fs.EphemeralFileSystemRule; -public class EmbeddedConfiguredAuthScenariosInteractionIT extends ConfiguredAuthScenariosInteractionTestBase +public class EmbeddedConfiguredAuthScenariosInteractionIT extends ConfiguredAuthScenariosInteractionTestBase { @Rule public EphemeralFileSystemRule fileSystemRule = new EphemeralFileSystemRule(); @Override - protected NeoInteractionLevel setUpNeoServer( Map config ) throws Throwable + protected NeoInteractionLevel setUpNeoServer( Map config ) throws Throwable { return new EmbeddedInteraction( config, () -> new UncloseableDelegatingFileSystemAbstraction( fileSystemRule.get() ) ); } diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedConfiguredProceduresIT.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedConfiguredProceduresIT.java index 1e0fb7be374fb..153d66eecfcee 100644 --- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedConfiguredProceduresIT.java 
+++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedConfiguredProceduresIT.java @@ -21,13 +21,13 @@ import java.util.Map; -import org.neo4j.kernel.enterprise.api.security.EnterpriseLoginContext; +import org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext; -public class EmbeddedConfiguredProceduresIT extends ConfiguredProceduresTestBase +public class EmbeddedConfiguredProceduresIT extends ConfiguredProceduresTestBase { @Override - protected NeoInteractionLevel setUpNeoServer( Map config ) throws Throwable + protected NeoInteractionLevel setUpNeoServer( Map config ) throws Throwable { return new EmbeddedInteraction( config ); } diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedInteraction.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedInteraction.java index ac046f3284e6b..bf08d988fb513 100644 --- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedInteraction.java +++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedInteraction.java 
@@ -29,14 +29,14 @@ import org.neo4j.graphdb.factory.GraphDatabaseSettings; import org.neo4j.graphdb.mockfs.EphemeralFileSystemAbstraction; import org.neo4j.helpers.HostnamePort; -import org.neo4j.internal.kernel.api.security.AuthenticationResult; import org.neo4j.io.fs.FileSystemAbstraction; import org.neo4j.kernel.api.KernelTransaction; +import org.neo4j.internal.kernel.api.security.AuthenticationResult; import org.neo4j.kernel.configuration.BoltConnector; import org.neo4j.kernel.configuration.ConnectorPortRegister; import org.neo4j.kernel.configuration.ssl.LegacySslPolicyConfig; import org.neo4j.kernel.enterprise.api.security.EnterpriseAuthManager; -import org.neo4j.kernel.enterprise.api.security.EnterpriseLoginContext; +import org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext; import org.neo4j.kernel.impl.coreapi.InternalTransaction; import org.neo4j.kernel.impl.factory.GraphDatabaseFacade; import org.neo4j.test.TestEnterpriseGraphDatabaseFactory; @@ -46,7 +46,7 @@ import static org.neo4j.kernel.configuration.BoltConnector.EncryptionLevel.OPTIONAL; import static org.neo4j.server.security.auth.SecurityTestUtils.authToken; -public class EmbeddedInteraction implements NeoInteractionLevel +public class EmbeddedInteraction implements NeoInteractionLevel { private GraphDatabaseFacade db; private EnterpriseAuthManager authManager; 
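Review bot: The `AuthenticationResult` import is moved from its alphabetical position to after `org.neo4j.kernel.api.KernelTransaction`, which breaks the ordering the rest of this import block keeps. The same out-of-order placement of `org.neo4j.internal.kernel.api.security.*` and `org.neo4j.scheduler.JobScheduler` imports appears in the import hunks of BoltInteraction, EmbeddedBuiltInProceduresInteractionIT, InternalFlatFileRealmTest, MultiRealmAuthManagerRule and MultiRealmAuthManagerTest; an import-optimise pass over those files would restore it.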
@@ -113,17 +113,17 @@ public FileSystemAbstraction fileSystem()
 }
 @Override
- public InternalTransaction beginLocalTransactionAsUser( EnterpriseLoginContext loginContext,
+ public InternalTransaction beginLocalTransactionAsUser( EnterpriseSecurityContext subject,
 KernelTransaction.Type txType ) throws Throwable
 {
- return db.beginTransaction( txType, loginContext );
+ return db.beginTransaction( txType, subject );
 }
 @Override
- public String executeQuery( EnterpriseLoginContext loginContext, String call, Map params,
+ public String executeQuery( EnterpriseSecurityContext subject, String call, Map params,
 Consumer>> resultConsumer )
 {
- try ( InternalTransaction tx = db.beginTransaction( KernelTransaction.Type.implicit, loginContext ) )
+ try ( InternalTransaction tx = db.beginTransaction( KernelTransaction.Type.implicit, subject ) )
 {
 Map p = (params == null) ? Collections.emptyMap() : params;
 resultConsumer.accept( db.execute( call, p ) );
@@ -137,26 +137,26 @@ public String executeQuery( EnterpriseLoginContext loginContext, String call, Ma
 }
 @Override
- public EnterpriseLoginContext login( String username, String password ) throws Exception
+ public EnterpriseSecurityContext login( String username, String password ) throws Exception
 {
 return authManager.login( authToken( username, password ) );
 }
 @Override
- public void logout( EnterpriseLoginContext loginContext )
+ public void logout( EnterpriseSecurityContext securityContext )
 {
- loginContext.subject().logout();
+ securityContext.subject().logout();
 }
 @Override
- public void updateAuthToken( EnterpriseLoginContext subject, String username, String password )
+ public void updateAuthToken( EnterpriseSecurityContext subject, String username, String password )
 {
 }
 @Override
- public String nameOf( EnterpriseLoginContext loginContext )
+ public String nameOf( EnterpriseSecurityContext securityContext )
 {
- return loginContext.subject().username();
+ return securityContext.subject().username();
 }
 @Override
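Review bot: The renamed parameters are inconsistent on the new side of this hunk: `beginLocalTransactionAsUser`, `executeQuery` and `updateAuthToken` call the `EnterpriseSecurityContext` `subject`, while `logout` and `nameOf` call it `securityContext`, and `assertSessionKilled` in the next hunk uses `subject` again. Because `subject()` is also a method on the context that yields the `AuthSubject`, naming the whole context `subject` is misleading; using `securityContext` throughout, e.g. `public InternalTransaction beginLocalTransactionAsUser( EnterpriseSecurityContext securityContext,`, keeps the interface self-describing. `executeQuery` continues past the end of the first hunk.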
@@ -166,25 +166,25 @@ public void tearDown() throws Throwable
 }
 @Override
- public void assertAuthenticated( EnterpriseLoginContext loginContext )
+ public void assertAuthenticated( EnterpriseSecurityContext securityContext )
 {
- assertThat( loginContext.subject().getAuthenticationResult(), equalTo( AuthenticationResult.SUCCESS ) );
+ assertThat( securityContext.subject().getAuthenticationResult(), equalTo( AuthenticationResult.SUCCESS ) );
 }
 @Override
- public void assertPasswordChangeRequired( EnterpriseLoginContext loginContext )
+ public void assertPasswordChangeRequired( EnterpriseSecurityContext securityContext )
 {
- assertThat( loginContext.subject().getAuthenticationResult(), equalTo( AuthenticationResult.PASSWORD_CHANGE_REQUIRED ) );
+ assertThat( securityContext.subject().getAuthenticationResult(), equalTo( AuthenticationResult.PASSWORD_CHANGE_REQUIRED ) );
 }
 @Override
- public void assertInitFailed( EnterpriseLoginContext loginContext )
+ public void assertInitFailed( EnterpriseSecurityContext securityContext )
 {
- assertThat( loginContext.subject().getAuthenticationResult(), equalTo( AuthenticationResult.FAILURE ) );
+ assertThat( securityContext.subject().getAuthenticationResult(), equalTo( AuthenticationResult.FAILURE ) );
 }
 @Override
- public void assertSessionKilled( EnterpriseLoginContext loginContext )
+ public void assertSessionKilled( EnterpriseSecurityContext subject )
 {
 // There is no session that could have been killed
 }
diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedUserManagementProceduresInteractionIT.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedUserManagementProceduresInteractionIT.java
index c1d674f133440..78497c2e6dc30 100644
--- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedUserManagementProceduresInteractionIT.java
+++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EmbeddedUserManagementProceduresInteractionIT.java @@ -22,15 +22,15 @@ import java.util.List; import java.util.Map; -import org.neo4j.kernel.enterprise.api.security.EnterpriseLoginContext; +import org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext; import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.Matchers.equalTo; -public class EmbeddedUserManagementProceduresInteractionIT extends AuthProceduresInteractionTestBase +public class EmbeddedUserManagementProceduresInteractionIT extends AuthProceduresInteractionTestBase { @Override - protected NeoInteractionLevel setUpNeoServer( Map config ) + protected NeoInteractionLevel setUpNeoServer( Map config ) throws Throwable { return new EmbeddedInteraction( config ); diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityContextDescriptionTest.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityContextDescriptionTest.java index ca95c665f6087..4432463633817 100644 --- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityContextDescriptionTest.java +++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityContextDescriptionTest.java @@ -25,7 +25,6 @@ import java.time.Clock; -import org.neo4j.internal.kernel.api.Token; import org.neo4j.internal.kernel.api.security.AccessMode; import org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext; import org.neo4j.kernel.impl.api.security.OverriddenAccessMode; @@ -35,7 +34,6 @@ import static org.hamcrest.Matchers.equalTo; import static org.junit.Assert.assertThat; -import static org.mockito.Mockito.mock; import static org.neo4j.server.security.auth.SecurityTestUtils.authToken; import static org.neo4j.server.security.enterprise.auth.plugin.api.PredefinedRoles.PUBLISHER; 
@@ -45,8 +43,8 @@ public class EnterpriseSecurityContextDescriptionTest public MultiRealmAuthManagerRule authManagerRule = new MultiRealmAuthManagerRule( new InMemoryUserRepository(), new RateLimitedAuthenticationStrategy( Clock.systemUTC(), 3 ) ); + private EnterpriseSecurityContext context; private EnterpriseUserManager manager; - private Token token; @Before public void setUp() throws Throwable @@ -54,13 +52,13 @@ public void setUp() throws Throwable authManagerRule.getManager().start(); manager = authManagerRule.getManager().getUserManager(); manager.newUser( "mats", "foo", false ); - token = mock( Token.class ); + context = authManagerRule.getManager().login( authToken( "mats", "foo" ) ); } @Test public void shouldMakeNiceDescriptionWithoutRoles() throws Throwable { - assertThat( context().description(), equalTo( "user 'mats' with no roles" ) ); + assertThat( context.description(), equalTo( "user 'mats' with no roles" ) ); } @Test @@ -69,7 +67,17 @@ public void shouldMakeNiceDescriptionWithRoles() throws Throwable manager.newRole( "role1", "mats" ); manager.addRoleToUser( PUBLISHER, "mats" ); - assertThat( context().description(), equalTo( "user 'mats' with roles [publisher,role1]" ) ); + assertThat( context.description(), equalTo( "user 'mats' with roles [publisher,role1]" ) ); + } + + @Test + public void shouldMakeNiceDescriptionFrozen() throws Throwable + { + manager.newRole( "role1", "mats" ); + manager.addRoleToUser( PUBLISHER, "mats" ); + + EnterpriseSecurityContext frozen = context.freeze(); + assertThat( frozen.description(), equalTo( "user 'mats' with roles [publisher,role1]" ) ); } @Test 
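Review bot: `shouldMakeNiceDescriptionFrozen` calls `context.freeze()` only after the roles have been granted, so it cannot distinguish a snapshot from a live view; the description it expects is exactly the one the unfrozen context already yields. If `freeze()` is meant to capture roles at the moment of the call (its implementation is not in this hunk), a second case that freezes before `manager.addRoleToUser( PUBLISHER, "mats" )` and asserts `frozen.description()` still equals `"user 'mats' with no roles"` would pin that contract. Note also that `context` is now created in `setUp` before any role exists, so every role-bearing assertion in this class relies on the unfrozen context resolving roles lazily at `description()` time.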
@@ -78,7 +86,7 @@ public void shouldMakeNiceDescriptionWithMode() throws Throwable manager.newRole( "role1", "mats" ); manager.addRoleToUser( PUBLISHER, "mats" ); - EnterpriseSecurityContext modified = context().withMode( AccessMode.Static.CREDENTIALS_EXPIRED ); + EnterpriseSecurityContext modified = context.withMode( AccessMode.Static.CREDENTIALS_EXPIRED ); assertThat( modified.description(), equalTo( "user 'mats' with CREDENTIALS_EXPIRED" ) ); } @@ -88,7 +96,6 @@ public void shouldMakeNiceDescriptionRestricted() throws Throwable manager.newRole( "role1", "mats" ); manager.addRoleToUser( PUBLISHER, "mats" ); - EnterpriseSecurityContext context = context(); EnterpriseSecurityContext restricted = context.withMode( new RestrictedAccessMode( context.mode(), AccessMode.Static.READ ) ); assertThat( restricted.description(), equalTo( "user 'mats' with roles [publisher,role1] restricted to READ" ) ); @@ -100,7 +107,6 @@ public void shouldMakeNiceDescriptionOverridden() throws Throwable manager.newRole( "role1", "mats" ); manager.addRoleToUser( PUBLISHER, "mats" ); - EnterpriseSecurityContext context = context(); EnterpriseSecurityContext overridden = context.withMode( new OverriddenAccessMode( context.mode(), AccessMode.Static.READ ) ); assertThat( overridden.description(), equalTo( "user 'mats' with roles [publisher,role1] overridden by READ" ) ); @@ -121,9 +127,4 @@ public void shouldMakeNiceDescriptionAuthDisabledAndRestricted() throws Throwabl disabled.withMode( new RestrictedAccessMode( disabled.mode(), AccessMode.Static.READ ) ); assertThat( restricted.description(), equalTo( "AUTH_DISABLED with FULL restricted to READ" ) ); } - - private EnterpriseSecurityContext context() throws Exception - { - return authManagerRule.getManager().login( authToken( "mats", "foo" ) ).authorize( token ); - } } 
diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityModuleTest.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityModuleTest.java index 20814ef880c95..78c505e897c85 100644 --- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityModuleTest.java +++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityModuleTest.java @@ -26,7 +26,6 @@ import java.time.Duration; import java.util.Arrays; -import java.util.Collections; import org.neo4j.graphdb.factory.GraphDatabaseSettings; import org.neo4j.kernel.configuration.Config; @@ -35,8 +34,6 @@ import org.neo4j.server.security.enterprise.configuration.SecuritySettings; import org.neo4j.server.security.enterprise.log.SecurityLog; -import static org.hamcrest.MatcherAssert.assertThat; -import static org.hamcrest.Matchers.equalTo; import static org.mockito.ArgumentMatchers.anyString; import static org.mockito.Mockito.mock; import static org.mockito.Mockito.when; 
@@ -154,63 +151,6 @@ public void shouldNotFailNativeWithPluginAuthorizationProvider() new EnterpriseSecurityModule().newAuthManager( config, mockLogProvider, mock( SecurityLog.class), null, null ); } - @Test - public void shouldNotFailWithPropertyLevelPermissions() - { - nativeAuth( true, true ); - ldapAuth( false, false ); - pluginAuth( false, false ); - authProviders( - SecuritySettings.NATIVE_REALM_NAME - ); - - when( config.get( SecuritySettings.property_level_authorization_enabled ) ).thenReturn( true ); - when( config.get( SecuritySettings.property_level_authorization_permissions ) ).thenReturn( "smith=alias" ); - - new EnterpriseSecurityModule().newAuthManager( config, mockLogProvider, mock( SecurityLog.class ), null, null ); - } - - @Test - public void shouldFailOnIllegalPropertyLevelPermissions() - { - nativeAuth( true, true ); - ldapAuth( false, false ); - pluginAuth( false, false ); - authProviders( - SecuritySettings.NATIVE_REALM_NAME - ); - - when( config.get( SecuritySettings.property_level_authorization_enabled ) ).thenReturn( true ); - when( config.get( SecuritySettings.property_level_authorization_permissions ) ).thenReturn( "smithmalias" ); - - thrown.expect( IllegalArgumentException.class ); - thrown.expectMessage( - "Illegal configuration: Property level authorization is enabled but there is a error in the permissions mapping." 
); - - new EnterpriseSecurityModule().newAuthManager( config, mockLogProvider, mock( SecurityLog.class ), null, null ); - } - - @Test - public void shouldParsePropertyLevelPermissions() - { - nativeAuth( true, true ); - ldapAuth( false, false ); - pluginAuth( false, false ); - authProviders( - SecuritySettings.NATIVE_REALM_NAME - ); - - when( config.get( SecuritySettings.property_level_authorization_enabled ) ).thenReturn( true ); - when( config.get( SecuritySettings.property_level_authorization_permissions ) ).thenReturn( - "smith = alias;merovingian=alias ,location;\n abel=alias,\t\thasSilver" ); - - EnterpriseSecurityModule.SecurityConfig securityConfig = new EnterpriseSecurityModule.SecurityConfig( config ); - securityConfig.validate(); - assertThat( securityConfig.propertyBlacklist.get( "smith" ), equalTo( Collections.singletonList( "alias" ) ) ); - assertThat( securityConfig.propertyBlacklist.get( "merovingian" ), equalTo( Arrays.asList( "alias", "location" ) ) ); - assertThat( securityConfig.propertyBlacklist.get( "abel" ), equalTo( Arrays.asList( "alias", "hasSilver" ) ) ); - } - // --------- HELPERS ---------- @Before @@ -221,7 +161,6 @@ public void setup() Log mockLog = mock( Log.class ); when( mockLogProvider.getLog( anyString() ) ).thenReturn( mockLog ); when( mockLog.isDebugEnabled() ).thenReturn( true ); - when( config.get( SecuritySettings.property_level_authorization_enabled ) ).thenReturn( false ); when( config.get( SecuritySettings.auth_cache_ttl ) ).thenReturn( Duration.ZERO ); when( config.get( SecuritySettings.auth_cache_max_capacity ) ).thenReturn( 10 ); when( config.get( SecuritySettings.auth_cache_use_ttl ) ).thenReturn( true ); diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/InternalFlatFileRealmTest.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/InternalFlatFileRealmTest.java index c285110f9828f..362de44de514a 100644 
--- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/InternalFlatFileRealmTest.java +++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/InternalFlatFileRealmTest.java @@ -37,12 +37,11 @@ import java.util.List; import org.neo4j.commandline.admin.security.SetDefaultAdminCommand; -import org.neo4j.internal.kernel.api.Token; -import org.neo4j.internal.kernel.api.security.AuthenticationResult; import org.neo4j.kernel.api.exceptions.InvalidArgumentsException; +import org.neo4j.internal.kernel.api.security.AuthenticationResult; import org.neo4j.kernel.api.security.PasswordPolicy; import org.neo4j.kernel.api.security.exception.InvalidAuthTokenException; -import org.neo4j.kernel.enterprise.api.security.EnterpriseLoginContext; +import org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext; import org.neo4j.kernel.impl.security.Credential; import org.neo4j.kernel.impl.security.User; import org.neo4j.scheduler.JobScheduler; @@ -77,12 +76,10 @@ public class InternalFlatFileRealmTest private MultiRealmAuthManager authManager; private TestRealm testRealm; - private Token token; @Before public void setup() throws Throwable { - token = mock( Token.class ); testRealm = new TestRealm( new InMemoryUserRepository(), new InMemoryRoleRepository(), @@ -96,7 +93,7 @@ public void setup() throws Throwable List realms = listOf( testRealm ); authManager = new MultiRealmAuthManager( testRealm, realms, new MemoryConstrainedCacheManager(), - mock( SecurityLog.class ), true, false, Collections.emptyMap() ); + mock( SecurityLog.class ), true ); authManager.init(); authManager.start(); 
@@ -108,7 +105,7 @@ public void setup() throws Throwable
 public void shouldNotCacheAuthenticationInfo() throws InvalidAuthTokenException
 {
 // Given
- EnterpriseLoginContext mike = authManager.login( authToken( "mike", "123" ) );
+ EnterpriseSecurityContext mike = authManager.login( authToken( "mike", "123" ) );
 assertThat( mike.subject().getAuthenticationResult(), equalTo( AuthenticationResult.SUCCESS ) );
 assertThat( "Test realm did not receive a call", testRealm.takeAuthenticationFlag(), is( true ) );
@@ -124,14 +121,14 @@ public void shouldNotCacheAuthenticationInfo() throws InvalidAuthTokenException
 public void shouldNotCacheAuthorizationInfo() throws InvalidAuthTokenException
 {
 // Given
- EnterpriseLoginContext mike = authManager.login( authToken( "mike", "123" ) );
+ EnterpriseSecurityContext mike = authManager.login( authToken( "mike", "123" ) );
 assertThat( mike.subject().getAuthenticationResult(), equalTo( AuthenticationResult.SUCCESS ) );
- mike.authorize( token ).mode().allowsReads();
+ mike.mode().allowsReads();
 assertThat( "Test realm did not receive a call", testRealm.takeAuthorizationFlag(), is( true ) );
 // When
- mike.authorize( token ).mode().allowsWrites();
+ mike.mode().allowsWrites();
 // Then
 assertThat( "Test realm did not receive a call", testRealm.takeAuthorizationFlag(), is( true ) );
diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/LdapCachingTest.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/LdapCachingTest.java
index 6f363fcfbe684..8d48674c5bed6 100644
--- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/LdapCachingTest.java
+++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/LdapCachingTest.java
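Review bot: `mike.mode().allowsReads();` and `mike.mode().allowsWrites();` discard the boolean they return, which reads like dead code; the statements exist only so that `mode()` triggers the authorization lookup that `testRealm.takeAuthorizationFlag()` then observes. A short comment on the first such call, `// return value intentionally ignored: mode() is called to trigger authorization resolution in the test realm`, would make that explicit. The same pattern is repeated in the `shouldCacheAuthorizationInfo` and `shouldInvalidateAuthorizationCacheAfterTTL` hunks of LdapCachingTest.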
@@ -38,10 +38,9 @@ import java.util.Map; import java.util.concurrent.TimeUnit; -import org.neo4j.internal.kernel.api.Token; import org.neo4j.kernel.api.security.exception.InvalidAuthTokenException; import org.neo4j.kernel.configuration.Config; -import org.neo4j.kernel.enterprise.api.security.EnterpriseLoginContext; +import org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext; import org.neo4j.scheduler.JobScheduler; import org.neo4j.server.security.auth.BasicPasswordPolicy; import org.neo4j.server.security.auth.InMemoryUserRepository; @@ -62,12 +61,9 @@ public class LdapCachingTest private TestRealm testRealm; private FakeTicker fakeTicker; - private Token token; - @Before public void setup() throws Throwable { - token = mock( Token.class ); SecurityLog securityLog = mock( SecurityLog.class ); InternalFlatFileRealm internalFlatFileRealm = new InternalFlatFileRealm( @@ -86,7 +82,7 @@ public void setup() throws Throwable fakeTicker = new FakeTicker(); authManager = new MultiRealmAuthManager( internalFlatFileRealm, realms, - new ShiroCaffeineCache.Manager( fakeTicker::read, 100, 10, true ), securityLog, false, false, Collections.emptyMap() ); + new ShiroCaffeineCache.Manager( fakeTicker::read, 100, 10, true ), securityLog, false ); authManager.init(); authManager.start(); 
@@ -124,12 +120,12 @@ public void shouldCacheAuthenticationInfo() throws InvalidAuthTokenException public void shouldCacheAuthorizationInfo() throws InvalidAuthTokenException { // Given - EnterpriseLoginContext mike = authManager.login( authToken( "mike", "123" ) ); - mike.authorize( token ).mode().allowsReads(); + EnterpriseSecurityContext mike = authManager.login( authToken( "mike", "123" ) ); + mike.mode().allowsReads(); assertThat( "Test realm did not receive a call", testRealm.takeAuthorizationFlag(), is( true ) ); // When - mike.authorize( token ).mode().allowsWrites(); + mike.mode().allowsWrites(); // Then assertThat( "Test realm received a call", testRealm.takeAuthorizationFlag(), is( false ) ); @@ -139,20 +135,20 @@ public void shouldCacheAuthorizationInfo() throws InvalidAuthTokenException public void shouldInvalidateAuthorizationCacheAfterTTL() throws InvalidAuthTokenException { // Given - EnterpriseLoginContext mike = authManager.login( authToken( "mike", "123" ) ); - mike.authorize( token ).mode().allowsReads(); + EnterpriseSecurityContext mike = authManager.login( authToken( "mike", "123" ) ); + mike.mode().allowsReads(); assertThat( "Test realm did not receive a call", testRealm.takeAuthorizationFlag(), is( true ) ); // When fakeTicker.advance( 99, TimeUnit.MILLISECONDS ); - mike.authorize( token ).mode().allowsWrites(); + mike.mode().allowsWrites(); // Then assertThat( "Test realm received a call", testRealm.takeAuthorizationFlag(), is( false ) ); // When fakeTicker.advance( 2, TimeUnit.MILLISECONDS ); - mike.authorize( token ).mode().allowsWrites(); + mike.mode().allowsWrites(); // Then assertThat( "Test realm did not received a call", testRealm.takeAuthorizationFlag(), is( true ) ); 
diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/MultiRealmAuthManagerRule.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/MultiRealmAuthManagerRule.java index a87585c84cf24..681bce57b67bc 100644 --- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/MultiRealmAuthManagerRule.java +++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/MultiRealmAuthManagerRule.java @@ -30,10 +30,10 @@ import java.util.Collections; import java.util.List; -import org.neo4j.internal.kernel.api.security.LoginContext; +import org.neo4j.internal.kernel.api.security.SecurityContext; +import org.neo4j.scheduler.JobScheduler; import org.neo4j.logging.FormattedLog; import org.neo4j.logging.Log; -import org.neo4j.scheduler.JobScheduler; import org.neo4j.server.security.auth.AuthenticationStrategy; import org.neo4j.server.security.auth.BasicPasswordPolicy; import org.neo4j.server.security.auth.InMemoryUserRepository; @@ -81,7 +81,7 @@ private void setupAuthManager( AuthenticationStrategy authStrategy ) throws Thro ); manager = new MultiRealmAuthManager( internalFlatFileRealm, Collections.singleton( internalFlatFileRealm ), - new MemoryConstrainedCacheManager(), securityLog, true, false, Collections.emptyMap() ); + new MemoryConstrainedCacheManager(), securityLog, true ); manager.init(); } @@ -90,9 +90,9 @@ public EnterpriseAuthAndUserManager getManager() return manager; } - public LoginContext makeLoginContext( ShiroSubject shiroSubject ) + public SecurityContext makeSecurityContext( ShiroSubject shiroSubject ) { - return new StandardEnterpriseLoginContext( manager, shiroSubject ); + return new StandardEnterpriseSecurityContext( manager, shiroSubject ); } @Override 
diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/MultiRealmAuthManagerTest.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/MultiRealmAuthManagerTest.java index bc0610d34f892..856e34d9345d5 100644 --- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/MultiRealmAuthManagerTest.java +++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/MultiRealmAuthManagerTest.java @@ -29,23 +29,21 @@ import java.util.Collections; import org.neo4j.commandline.admin.security.SetDefaultAdminCommand; -import org.neo4j.internal.kernel.api.Token; -import org.neo4j.internal.kernel.api.security.AuthSubject; -import org.neo4j.internal.kernel.api.security.AuthenticationResult; -import org.neo4j.internal.kernel.api.security.LoginContext; -import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.api.exceptions.InvalidArgumentsException; import org.neo4j.kernel.api.security.AuthManager; +import org.neo4j.internal.kernel.api.security.AuthSubject; import org.neo4j.kernel.api.security.AuthToken; +import org.neo4j.internal.kernel.api.security.AuthenticationResult; import org.neo4j.kernel.api.security.PasswordPolicy; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.api.security.exception.InvalidAuthTokenException; import org.neo4j.kernel.configuration.Config; import org.neo4j.kernel.impl.security.Credential; import org.neo4j.kernel.impl.security.User; +import org.neo4j.scheduler.JobScheduler; import org.neo4j.logging.AssertableLogProvider; import org.neo4j.logging.Log; import org.neo4j.logging.NullLogProvider; -import org.neo4j.scheduler.JobScheduler; import org.neo4j.server.security.auth.AuthenticationStrategy; import org.neo4j.server.security.auth.CommunitySecurityModule; import org.neo4j.server.security.auth.InitialUserTest; 
@@ -80,12 +78,9 @@ public class MultiRealmAuthManagerTest extends InitialUserTest @Rule public ExpectedException expect = ExpectedException.none(); - private Token token; - @Before public void setUp() throws Throwable { - token = mock( Token.class ); config = Config.defaults(); users = CommunitySecurityModule.getUserRepository( config, NullLogProvider.getInstance(), fsRule.get() ); authStrategy = mock( AuthenticationStrategy.class ); @@ -113,8 +108,7 @@ private MultiRealmAuthManager createAuthManager( boolean logSuccessfulAuthentica ); manager = new MultiRealmAuthManager( internalFlatFileRealm, Collections.singleton( internalFlatFileRealm ), - new MemoryConstrainedCacheManager(), new SecurityLog( log ), logSuccessfulAuthentications, - false, Collections.emptyMap() ); + new MemoryConstrainedCacheManager(), new SecurityLog( log ), logSuccessfulAuthentications ); manager.init(); return manager; @@ -562,12 +556,12 @@ public void defaultUserShouldHaveCorrectPermissions() throws Throwable setMockAuthenticationStrategyResult( "neo4j", "neo4j", AuthenticationResult.SUCCESS ); // When - SecurityContext securityContext = manager.login( authToken( "neo4j", "neo4j" ) ).authorize( token ); + SecurityContext securityContext = manager.login( authToken( "neo4j", "neo4j" ) ); userManager.setUserPassword( "neo4j", "1234", false ); securityContext.subject().logout(); setMockAuthenticationStrategyResult( "neo4j", "1234", AuthenticationResult.SUCCESS ); - securityContext = manager.login( authToken( "neo4j", "1234" ) ).authorize( token ); + securityContext = manager.login( authToken( "neo4j", "1234" ) ); // Then assertTrue( securityContext.mode().allowsReads() ); 
@@ -583,7 +577,7 @@ public void userWithAdminRoleShouldHaveCorrectPermissions() throws Throwable manager.start(); // When - SecurityContext securityContext = manager.login( authToken( "morpheus", "abc123" ) ).authorize( token ); + SecurityContext securityContext = manager.login( authToken( "morpheus", "abc123" ) ); // Then assertTrue( securityContext.mode().allowsReads() ); @@ -599,7 +593,7 @@ public void userWithArchitectRoleShouldHaveCorrectPermissions() throws Throwable manager.start(); // When - SecurityContext securityContext = manager.login( authToken( "trinity", "abc123" ) ).authorize( token ); + SecurityContext securityContext = manager.login( authToken( "trinity", "abc123" ) ); // Then assertTrue( securityContext.mode().allowsReads() ); @@ -615,7 +609,7 @@ public void userWithPublisherRoleShouldHaveCorrectPermissions() throws Throwable manager.start(); // When - SecurityContext securityContext = manager.login( authToken( "tank", "abc123" ) ).authorize( token ); + SecurityContext securityContext = manager.login( authToken( "tank", "abc123" ) ); // Then assertTrue( "should allow reads", securityContext.mode().allowsReads() ); @@ -631,7 +625,7 @@ public void userWithReaderRoleShouldHaveCorrectPermissions() throws Throwable manager.start(); // When - SecurityContext securityContext = manager.login( authToken( "neo", "abc123" ) ).authorize( token ); + SecurityContext securityContext = manager.login( authToken( "neo", "abc123" ) ); // Then assertTrue( securityContext.mode().allowsReads() ); @@ -647,7 +641,7 @@ public void userWithNonPredefinedRoleShouldHaveNoPermissions() throws Throwable manager.start(); // When - SecurityContext securityContext = manager.login( authToken( "smith", "abc123" ) ).authorize( token ); + SecurityContext securityContext = manager.login( authToken( "smith", "abc123" ) ); // Then assertFalse( securityContext.mode().allowsReads() ); 
@@ -663,15 +657,13 @@ public void shouldHaveNoPermissionsAfterLogout() throws Throwable manager.start(); // When - LoginContext loginContext = manager.login( authToken( "morpheus", "abc123" ) ); - SecurityContext securityContext = loginContext.authorize( token ); + SecurityContext securityContext = manager.login( authToken( "morpheus", "abc123" ) ); assertTrue( securityContext.mode().allowsReads() ); assertTrue( securityContext.mode().allowsWrites() ); assertTrue( securityContext.mode().allowsSchemaWrites() ); - loginContext.subject().logout(); + securityContext.subject().logout(); - securityContext = loginContext.authorize( token ); // Then assertFalse( securityContext.mode().allowsReads() ); assertFalse( securityContext.mode().allowsWrites() ); diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/PersonalUserManagerTest.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/PersonalUserManagerTest.java index 4377a90782345..05fe9b6af147b 100644 --- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/PersonalUserManagerTest.java +++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/PersonalUserManagerTest.java @@ -75,7 +75,7 @@ public void setup() new InternalFlatFileRealmIT.TestJobScheduler(), new InMemoryUserRepository(), new InMemoryUserRepository() ) ); log = spy( Log.class ); - userManager = new PersonalUserManager( evilUserManager, AuthSubject.AUTH_DISABLED, new SecurityLog( log ), true ); + userManager = new PersonalUserManager( evilUserManager, SecurityContext.AUTH_DISABLED, new SecurityLog( log ) ); } private String withSubject( AuthSubject subject, String msg ) 
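Review bot: In shouldHaveNoPermissionsAfterLogout the `// Then` assertions now read `mode()` from the same `securityContext` instance that was obtained before `securityContext.subject().logout()`, whereas the removed lines re-derived the context via `authorize( token )`. The test therefore proves the intended property only if `mode()` consults the subject's current authentication state on each call rather than a mode snapshot taken at login; if an implementation ever caches the mode, a logged-out subject would keep its permissions, and this test is now the only thing that catches it. A comment on the first assertion after the logout, `// mode() must reflect the logged-out subject without re-authorizing`, would record the contract the test relies on.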
diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/UserManagementProceduresLoggingTest.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/UserManagementProceduresLoggingTest.java index e5b3b9eb459b4..e0554950d1a82 100644 --- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/UserManagementProceduresLoggingTest.java +++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/UserManagementProceduresLoggingTest.java @@ -19,22 +19,20 @@ */ package org.neo4j.server.security.enterprise.auth; +import org.apache.shiro.mgt.SecurityManager; import org.junit.Before; import org.junit.Test; import java.io.IOException; -import java.util.Collections; import org.neo4j.function.ThrowingAction; import org.neo4j.graphdb.security.AuthorizationViolationException; -import org.neo4j.internal.kernel.api.security.AccessMode; -import org.neo4j.internal.kernel.api.security.AuthSubject; -import org.neo4j.internal.kernel.api.security.AuthenticationResult; import org.neo4j.kernel.api.exceptions.InvalidArgumentsException; +import org.neo4j.internal.kernel.api.security.AuthenticationResult; import org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext; +import org.neo4j.scheduler.JobScheduler; import org.neo4j.kernel.internal.GraphDatabaseAPI; import org.neo4j.logging.AssertableLogProvider; -import org.neo4j.scheduler.JobScheduler; import org.neo4j.server.security.auth.AuthenticationStrategy; import org.neo4j.server.security.auth.BasicPasswordPolicy; import org.neo4j.server.security.auth.InMemoryUserRepository; 
@@ -66,10 +64,8 @@ public void setUp() throws Throwable authProcedures.securityLog = securityLog; generalUserManager = getUserManager(); - EnterpriseSecurityContext adminContext = - new EnterpriseSecurityContext( new MockAuthSubject( "admin" ), AccessMode.Static.FULL, Collections.emptySet(), true ); - matsContext = - new EnterpriseSecurityContext( new MockAuthSubject( "mats" ), AccessMode.Static.NONE, Collections.emptySet(), false ); + EnterpriseSecurityContext adminContext = new TestSecurityContext( "admin", true, generalUserManager ); + matsContext = new TestSecurityContext( "mats", false, generalUserManager ); setSubject( adminContext ); } @@ -77,8 +73,8 @@ public void setUp() throws Throwable private void setSubject( EnterpriseSecurityContext securityContext ) { authProcedures.securityContext = securityContext; - authProcedures.userManager = new PersonalUserManager( generalUserManager, securityContext.subject(), - authProcedures.securityLog, securityContext.isAdmin() ); + authProcedures.userManager = new PersonalUserManager( generalUserManager, securityContext, + authProcedures.securityLog ); } private EnterpriseUserManager getUserManager() throws Throwable 
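Review bot: The bare boolean literals in `new TestSecurityContext( "admin", true, generalUserManager )` and `new TestSecurityContext( "mats", false, generalUserManager )` give no hint that they are the admin flag, which the replaced `AccessMode.Static.FULL`/`NONE` arguments at least made legible. A parameter comment, `new TestSecurityContext( "admin", /* isAdmin */ true, generalUserManager )`, or a small named factory on the test class would keep the two fixtures self-explanatory.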
@@ -645,43 +641,48 @@ private AssertableLogProvider.LogMatcher error( String message, String... argume return inLog( this.getClass() ).error( message, (Object[]) arguments ); } - private static class MockAuthSubject implements AuthSubject + private static class TestSecurityContext extends StandardEnterpriseSecurityContext { private final String name; + private final boolean isAdmin; + private final EnterpriseUserManager userManager; - private MockAuthSubject( String name ) + TestSecurityContext( String name, boolean isAdmin, EnterpriseUserManager userManager ) { + super( null, new TestShiroSubject( name ) ); this.name = name; + this.isAdmin = isAdmin; + this.userManager = userManager; } @Override - public void logout() + public boolean isAdmin() { - throw new UnsupportedOperationException(); + return isAdmin; } @Override - public AuthenticationResult getAuthenticationResult() + public EnterpriseUserManager getUserManager() { - return AuthenticationResult.SUCCESS; + return userManager; } + } - @Override - public void setPasswordChangeNoLongerRequired() + private static class TestShiroSubject extends ShiroSubject + { + private final String name; + + TestShiroSubject( String name ) { + super( mock( SecurityManager.class ), AuthenticationResult.SUCCESS ); + this.name = name; } @Override - public boolean hasUsername( String username ) + public Object getPrincipal() { - return name.equals( username ); + return name; } - - @Override - public String username() - { - return name; - } } private static class TestUserManagementProcedures extends UserManagementProcedures diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/integration/bolt/LdapAuthIT.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/integration/bolt/LdapAuthIT.java index c20cd9ed95f33..510b97844e755 100644 --- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/integration/bolt/LdapAuthIT.java 
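Review bot: `TestSecurityContext` stores `name` in a `private final` field that nothing in the class reads; the only consumer of the name is the `TestShiroSubject` built in the `super( ... )` call, so the field and the `this.name = name;` assignment can be dropped. `super( null, new TestShiroSubject( name ) )` also hands a null auth manager to `StandardEnterpriseSecurityContext`, which is presumably safe only because `getUserManager()` is overridden here; a one-line comment, `// null auth manager: getUserManager() is overridden below`, would save the next reader from checking the superclass. The enclosing test class continues outside the hunk.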
+++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/integration/bolt/LdapAuthIT.java @@ -57,9 +57,9 @@ import org.neo4j.bolt.v1.transport.integration.TransportTestUtil; import org.neo4j.bolt.v1.transport.socket.client.TransportConnection; import org.neo4j.graphdb.config.Setting; -import org.neo4j.internal.kernel.api.security.AuthSubject; import org.neo4j.io.fs.FileSystemAbstraction; import org.neo4j.kernel.api.exceptions.Status; +import org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext; import org.neo4j.kernel.impl.factory.GraphDatabaseFacade; import org.neo4j.kernel.impl.proc.Procedures; import org.neo4j.kernel.internal.GraphDatabaseAPI; @@ -454,7 +454,7 @@ public void shouldBeAbleToLoginNativelyAndAuthorizeWithLdap() throws Throwable EnterpriseAuthAndUserManager authManager = gds.getDependencyResolver().resolveDependency( EnterpriseAuthAndUserManager.class ); - authManager.getUserManager( AuthSubject.AUTH_DISABLED, true ) + authManager.getUserManager( EnterpriseSecurityContext.AUTH_DISABLED ) .newUser( ldapReaderUser, nativePassword, false ); // Then diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/plugin/PropertyLevelSecurityIT.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/plugin/PropertyLevelSecurityIT.java deleted file mode 100644 index ad9e58104621e..0000000000000 --- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/plugin/PropertyLevelSecurityIT.java +++ /dev/null 
@@ -1,526 +0,0 @@ -/* - * Copyright (c) 2002-2018 "Neo Technology," - * Network Engine for Objects in Lund AB [http://neotechnology.com] - * - * This file is part of Neo4j. - * - * Neo4j is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see . - */ -package org.neo4j.server.security.enterprise.auth.plugin; - -import org.junit.Before; -import org.junit.Ignore; -import org.junit.Rule; -import org.junit.Test; -import org.junit.rules.TemporaryFolder; - -import java.util.Collections; -import java.util.HashMap; -import java.util.Map; -import java.util.function.Consumer; - -import org.neo4j.graphdb.ResourceIterator; -import org.neo4j.graphdb.Result; -import org.neo4j.graphdb.factory.GraphDatabaseSettings; -import org.neo4j.internal.kernel.api.security.LoginContext; -import org.neo4j.kernel.enterprise.api.security.EnterpriseAuthManager; -import org.neo4j.kernel.impl.coreapi.InternalTransaction; -import org.neo4j.kernel.impl.factory.GraphDatabaseFacade; -import org.neo4j.kernel.impl.util.ValueUtils; -import org.neo4j.server.security.enterprise.auth.EnterpriseAuthAndUserManager; -import org.neo4j.server.security.enterprise.auth.EnterpriseUserManager; -import org.neo4j.server.security.enterprise.auth.plugin.api.PredefinedRoles; -import org.neo4j.server.security.enterprise.configuration.SecuritySettings; -import org.neo4j.test.TestEnterpriseGraphDatabaseFactory; -import org.neo4j.test.TestGraphDatabaseFactory; - 
-import static org.hamcrest.MatcherAssert.assertThat; -import static org.hamcrest.Matchers.contains; -import static org.hamcrest.Matchers.containsString; -import static org.hamcrest.Matchers.equalTo; -import static org.neo4j.internal.kernel.api.Transaction.Type.explicit; -import static org.neo4j.server.security.auth.SecurityTestUtils.authToken; - -public class PropertyLevelSecurityIT -{ - @Rule - public TemporaryFolder tmpdir = new TemporaryFolder(); - - private GraphDatabaseFacade db; - private EnterpriseAuthAndUserManager authManager; - private LoginContext neo; - private LoginContext smith; - private LoginContext morpheus; - - @Before - public void setUp() throws Throwable - { - TestGraphDatabaseFactory s = new TestEnterpriseGraphDatabaseFactory(); - db = (GraphDatabaseFacade) s.newImpermanentDatabaseBuilder( tmpdir.getRoot() ) - .setConfig( SecuritySettings.property_level_authorization_enabled, "true" ) - .setConfig( SecuritySettings.property_level_authorization_permissions, "Agent=alias,secret" ) - .setConfig( GraphDatabaseSettings.auth_enabled, "true" ) - .newGraphDatabase(); - authManager = (EnterpriseAuthAndUserManager) db.getDependencyResolver().resolveDependency( EnterpriseAuthManager.class ); - EnterpriseUserManager userManager = authManager.getUserManager(); - userManager.newUser( "Neo", "eon", false ); - userManager.newUser( "Smith", "mr", false ); - userManager.addRoleToUser( PredefinedRoles.ARCHITECT, "Neo" ); - userManager.newRole( "Agent", "Smith" ); - userManager.addRoleToUser( PredefinedRoles.READER, "Smith" ); - userManager.newUser( "Morpheus", "dealwithit", false ); - userManager.addRoleToUser( PredefinedRoles.READER, "Morpheus" ); - - neo = authManager.login( authToken( "Neo", "eon" ) ); - smith = authManager.login( authToken( "Smith", "mr" ) ); - morpheus = authManager.login( authToken( "Morpheus", "dealwithit" ) ); - } - - @Test - public void shouldNotShowRestrictedTokensForRestrictedUser() throws Throwable - { - Result result = execute( 
neo, "CREATE (n {name: 'Andersson', alias: 'neo'}) ", Collections.emptyMap() ); - assertThat( result.getQueryStatistics().getNodesCreated(), equalTo( 1 ) ); - assertThat( result.getQueryStatistics().getPropertiesSet(), equalTo( 2 ) ); - result.close(); - execute( smith, "MATCH (n) WHERE n.name = 'Andersson' RETURN n, n.alias as alias", Collections.emptyMap(), r -> - { - assertThat( r.hasNext(), equalTo( true ) ); - assertThat( r.next().get( "alias" ), equalTo( null ) ); - } ); - } - - @Test - public void shouldShowRestrictedTokensForUnrestrictedUser() throws Throwable - { - Result result = execute( neo, "CREATE (n {name: 'Andersson', alias: 'neo'}) ", Collections.emptyMap() ); - assertThat( result.getQueryStatistics().getNodesCreated(), equalTo( 1 ) ); - assertThat( result.getQueryStatistics().getPropertiesSet(), equalTo( 2 ) ); - result.close(); - execute( morpheus, "MATCH (n) WHERE n.name = 'Andersson' RETURN n, n.alias as alias", Collections.emptyMap(), r -> - { - assertThat( r.hasNext(), equalTo( true ) ); - assertThat( r.next().get( "alias" ), equalTo( "neo" ) ); - } ); - } - - @Test - public void shouldBehaveLikeDataIsMissing() throws Throwable - { - execute( neo, "CREATE (n {name: 'Andersson'}) ", Collections.emptyMap() ).close(); - - String query = "MATCH (n) WHERE n.name = 'Andersson' RETURN n.alias as alias"; - - execute( neo, query, Collections.emptyMap(), r -> - { - assertThat( r.hasNext(), equalTo( true ) ); - assertThat( r.next().get( "alias" ), equalTo( null ) ); - } ); - - execute( neo, "MATCH (n {name: 'Andersson'}) SET n.alias = 'neo' ", Collections.emptyMap() ).close(); - - execute( smith, query, Collections.emptyMap(), r -> - { - assertThat( r.hasNext(), equalTo( true ) ); - assertThat( r.next().get( "alias" ), equalTo( null ) ); - } ); - } - - @Test - public void shouldBehaveLikeDataIsMissingWhenFiltering() throws Throwable - { - execute( neo, "CREATE (n {name: 'Andersson'}) ", Collections.emptyMap() ).close(); - - String query = "MATCH (n) 
WHERE n.alias = 'neo' RETURN n"; - - execute( neo, query, Collections.emptyMap(), r -> assertThat( r.hasNext(), equalTo( false ) ) ); - - execute( neo, "MATCH (n {name: 'Andersson'}) SET n.alias = 'neo' ", Collections.emptyMap() ).close(); - - execute( smith, query, Collections.emptyMap(), r -> assertThat( r.hasNext(), equalTo( false ) ) ); - execute( neo, query, Collections.emptyMap(), r -> assertThat( r.hasNext(), equalTo( true ) ) ); - } - - @Test - public void shouldBehaveLikeDataIsMissingForKeys() throws Throwable - { - execute( neo, "CREATE (n {name: 'Andersson'}) ", Collections.emptyMap() ).close(); - - String query = "MATCH (n) RETURN keys(n) AS keys"; - - execute( neo, query, Collections.emptyMap(), r -> - { - assertThat( r.hasNext(), equalTo( true ) ); - assertThat( r.next().get( "keys" ), equalTo( Collections.singletonList( "name" ) ) ); - } ); - - execute( neo, "MATCH (n {name: 'Andersson'}) SET n.alias = 'neo' ", Collections.emptyMap() ).close(); - - execute( smith, query, Collections.emptyMap(), r -> - { - assertThat( r.hasNext(), equalTo( true ) ); - assertThat( r.next().get( "keys" ), equalTo( Collections.singletonList( "name" ) ) ); - } ); - - execute( neo, query, Collections.emptyMap(), r -> - { - assertThat( r.hasNext(), equalTo( true ) ); - assertThat( (Iterable) r.next().get( "keys" ), contains( "name", "alias" ) ); - } ); - } - - @Test - public void shouldBehaveLikeDataIsMissingForProperties() throws Throwable - { - execute( neo, "CREATE (n {name: 'Andersson'}) ", Collections.emptyMap() ).close(); - - String query = "MATCH (n) RETURN properties(n) AS props"; - - execute( neo, query, Collections.emptyMap(), r -> - { - assertThat( r.hasNext(), equalTo( true ) ); - assertThat( r.next().get( "props" ), equalTo( Collections.singletonMap( "name", "Andersson" ) ) ); - } ); - - execute( neo, "MATCH (n {name: 'Andersson'}) SET n.alias = 'neo' ", Collections.emptyMap() ).close(); - - execute( smith, query, Collections.emptyMap(), r -> - { - assertThat( 
r.hasNext(), equalTo( true ) ); - assertThat( r.next().get( "props" ), equalTo( Collections.singletonMap( "name", "Andersson" ) ) ); - } ); - - Map expected = new HashMap<>( ); - expected.put( "name", "Andersson" ); - expected.put( "alias", "neo" ); - execute( neo, query, Collections.emptyMap(), r -> - { - assertThat( r.hasNext(), equalTo( true ) ); - assertThat( r.next().get( "props" ), equalTo( expected ) ); - } ); - } - - @Test - public void shouldBehaveLikeDataIsMissingForExists() throws Throwable - { - execute( neo, "CREATE (n:Person {name: 'Andersson'}) ", Collections.emptyMap() ).close(); - - String query = "MATCH (n:Person) WHERE exists(n.alias) RETURN n.alias"; - - execute( neo, query, Collections.emptyMap(), r -> assertThat( r.hasNext(), equalTo( false ) ) ); - - execute( neo, "MATCH (n {name: 'Andersson'}) SET n.alias = 'neo' ", Collections.emptyMap() ).close(); - - execute( neo, query, Collections.emptyMap(), r -> - { - assertThat( r.hasNext(), equalTo( true ) ); - assertThat( r.next().get( "n.alias" ), equalTo( "neo" ) ); - } ); - - execute( smith, query, Collections.emptyMap(), r -> assertThat( r.hasNext(), equalTo( false ) ) ); - } - - @Test - public void shouldBehaveLikeDataIsMissingForStringBegins() throws Throwable - { - execute( neo, "CREATE (n:Person {name: 'Andersson'}) ", Collections.emptyMap() ).close(); - - String query = "MATCH (n:Person) WHERE n.alias starts with 'n' RETURN n.alias"; - - execute( neo, query, Collections.emptyMap(), r -> assertThat( r.hasNext(), equalTo( false ) ) ); - - execute( neo, "MATCH (n {name: 'Andersson'}) SET n.alias = 'neo' ", Collections.emptyMap() ).close(); - - execute( neo, query, Collections.emptyMap(), r -> - { - assertThat( r.hasNext(), equalTo( true ) ); - assertThat( r.next().get( "n.alias" ), equalTo( "neo" ) ); - } ); - - execute( smith, query, Collections.emptyMap(), r -> assertThat( r.hasNext(), equalTo( false ) ) ); - } - - @Test - public void shouldBehaveLikeDataIsMissingForNotContains() throws 
Throwable - { - execute( neo, "CREATE (n:Person {name: 'Andersson'}) ", Collections.emptyMap() ).close(); - - String query = "MATCH (n:Person) WHERE NOT n.alias contains 'eo' RETURN n.alias, n.name"; - - execute( neo, query, Collections.emptyMap(), r -> assertThat( r.hasNext(), equalTo( false ) ) ); - - execute( neo, "MATCH (n {name: 'Andersson'}) SET n.alias = 'neo' ", Collections.emptyMap() ).close(); - execute( neo, "CREATE (n:Person {name: 'Betasson', alias: 'beta'}) ", Collections.emptyMap() ).close(); - execute( neo, "CREATE (n:Person {name: 'Cetasson'}) ", Collections.emptyMap() ).close(); - - execute( neo, query, Collections.emptyMap(), r -> - { - assertThat( r.hasNext(), equalTo( true ) ); - Map next = r.next(); - assertThat( next.get( "n.alias" ), equalTo( "beta" ) ); - assertThat( next.get( "n.name" ), equalTo( "Betasson" ) ); - assertThat( r.hasNext(), equalTo( false ) ); - } ); - - execute( smith, query, Collections.emptyMap(), r -> assertThat( r.hasNext(), equalTo( false ) ) ); - } - - @Test - public void shouldBehaveLikeDataIsMissingForRange() throws Throwable - { - execute( neo, "CREATE (n:Person {name: 'Andersson'}) ", Collections.emptyMap() ).close(); - - String query = "MATCH (n:Person) WHERE n.secret > 10 RETURN n.secret"; - - execute( neo, query, Collections.emptyMap(), r -> assertThat( r.hasNext(), equalTo( false ) ) ); - - execute( neo, "MATCH (n {name: 'Andersson'}) SET n.secret = 42 ", Collections.emptyMap() ).close(); - - execute( neo, query, Collections.emptyMap(), r -> - { - assertThat( r.hasNext(), equalTo( true ) ); - assertThat( r.next().get( "n.secret" ), equalTo( 42L ) ); - } ); - - execute( smith, query, Collections.emptyMap(), r -> assertThat( r.hasNext(), equalTo( false ) ) ); - } - - @Test - public void shouldBehaveLikeDataIsMissingForCompositeQuery() throws Throwable - { - execute( neo, "CREATE (n:Person {name: 'Andersson'}) ", Collections.emptyMap() ).close(); - - String query = "MATCH (n:Person) WHERE n.name = 'Andersson' and 
n.alias = 'neo' RETURN n.alias"; - - execute( neo, query, Collections.emptyMap(), r -> assertThat( r.hasNext(), equalTo( false ) ) ); - - execute( neo, "MATCH (n {name: 'Andersson'}) SET n.alias = 'neo' ", Collections.emptyMap() ).close(); - - execute( neo, query, Collections.emptyMap(), r -> - { - assertThat( r.hasNext(), equalTo( true ) ); - assertThat( r.next().get( "n.alias" ), equalTo( "neo" ) ); - } ); - - execute( smith, query, Collections.emptyMap(), r -> assertThat( r.hasNext(), equalTo( false ) ) ); - } - - // INDEX - - @Test - public void shouldBehaveLikeDataIsMissingWhenFilteringWithIndex() throws Throwable - { - execute( neo, "CREATE (n:Person {name: 'Andersson'})", Collections.emptyMap() ).close(); - execute( neo, "CREATE INDEX ON :Person(alias)", Collections.emptyMap() ).close(); - execute( neo, "CALL db.awaitIndexes", Collections.emptyMap() ).close(); - - String query = "MATCH (n:Person) USING INDEX n:Person(alias) WHERE n.alias = 'neo' RETURN n"; - - execute( neo, query, Collections.emptyMap(), r -> assertThat( r.hasNext(), equalTo( false ) ) ); - - execute( neo, "MATCH (n {name: 'Andersson'}) SET n.alias = 'neo' ", Collections.emptyMap() ).close(); - - execute( smith, query, Collections.emptyMap(), r -> - { - assertThat( r.getExecutionPlanDescription().toString(), containsString( "NodeIndexSeek" ) ); - assertThat( r.hasNext(), equalTo( false ) ); - } ); - - execute( neo, query, Collections.emptyMap(), r -> assertThat( r.hasNext(), equalTo( true ) ) ); - } - - @Test - public void shouldBehaveLikeDataIsMissingForExistsWithIndex() throws Throwable - { - execute( neo, "CREATE INDEX ON :Person(alias)", Collections.emptyMap() ).close(); - execute( neo, "CALL db.awaitIndexes", Collections.emptyMap() ).close(); - execute( neo, "CREATE (n:Person {name: 'Andersson'}) ", Collections.emptyMap() ).close(); - - String query = "MATCH (n:Person) USING INDEX n:Person(alias) WHERE exists(n.alias) RETURN n.alias"; - - execute( neo, query, Collections.emptyMap(), r 
-> assertThat( r.hasNext(), equalTo( false ) ) ); - - execute( neo, "MATCH (n {name: 'Andersson'}) SET n.alias = 'neo' ", Collections.emptyMap() ).close(); - - execute( neo, query, Collections.emptyMap(), r -> - { - assertThat( r.getExecutionPlanDescription().toString(), containsString( "NodeIndexScan" ) ); - assertThat( r.hasNext(), equalTo( true ) ); - assertThat( r.next().get( "n.alias" ), equalTo( "neo" ) ); - } ); - - execute( smith, query, Collections.emptyMap(), r -> assertThat( r.hasNext(), equalTo( false ) ) ); - } - - @Test - public void shouldBehaveLikeDataIsMissingForStringBeginsWithIndex() throws Throwable - { - execute( neo, "CREATE INDEX ON :Person(alias)", Collections.emptyMap() ).close(); - execute( neo, "CALL db.awaitIndexes", Collections.emptyMap() ).close(); - execute( neo, "CREATE (n:Person {name: 'Andersson'}) ", Collections.emptyMap() ).close(); - - String query = "MATCH (n:Person) USING INDEX n:Person(alias) WHERE n.alias starts with 'n' RETURN n.alias"; - - execute( neo, query, Collections.emptyMap(), r -> assertThat( r.hasNext(), equalTo( false ) ) ); - - execute( neo, "MATCH (n {name: 'Andersson'}) SET n.alias = 'neo' ", Collections.emptyMap() ).close(); - - execute( neo, query, Collections.emptyMap(), r -> - { - assertThat( r.getExecutionPlanDescription().toString(), containsString( "NodeIndexSeekByRange" ) ); - assertThat( r.hasNext(), equalTo( true ) ); - assertThat( r.next().get( "n.alias" ), equalTo( "neo" ) ); - } ); - - execute( smith, query, Collections.emptyMap(), r -> assertThat( r.hasNext(), equalTo( false ) ) ); - } - - @Test - public void shouldBehaveLikeDataIsMissingForRangeWithIndex() throws Throwable - { - execute( neo, "CREATE INDEX ON :Person(secret)", Collections.emptyMap() ).close(); - execute( neo, "CALL db.awaitIndexes", Collections.emptyMap() ).close(); - execute( neo, "CREATE (n:Person {name: 'Andersson'}) ", Collections.emptyMap() ).close(); - - String query = "MATCH (n:Person) USING INDEX n:Person(secret) WHERE 
n.secret > 10 RETURN n.secret"; - - execute( neo, query, Collections.emptyMap(), r -> assertThat( r.hasNext(), equalTo( false ) ) ); - - execute( neo, "MATCH (n {name: 'Andersson'}) SET n.secret = 42 ", Collections.emptyMap() ).close(); - - execute( neo, query, Collections.emptyMap(), r -> - { - assertThat( r.getExecutionPlanDescription().toString(), containsString( "NodeIndexSeek" ) ); - assertThat( r.hasNext(), equalTo( true ) ); - assertThat( r.next().get( "n.secret" ), equalTo( 42L ) ); - } ); - - execute( smith, query, Collections.emptyMap(), r -> assertThat( r.hasNext(), equalTo( false ) ) ); - } - - @Test - public void shouldBehaveLikeDataIsMissingForCompositeWithIndex() throws Throwable - { - execute( neo, "CREATE INDEX ON :Person(name , alias)", Collections.emptyMap() ).close(); - execute( neo, "CREATE INDEX ON :Person(name)", Collections.emptyMap() ).close(); - execute( neo, "CALL db.awaitIndexes", Collections.emptyMap() ).close(); - execute( neo, "CREATE (n:Person {name: 'Andersson'}) ", Collections.emptyMap() ).close(); - - String query = "MATCH (n:Person) USING INDEX n:Person(name, alias) WHERE n.name = 'Andersson' and n.alias = 'neo' RETURN n.alias"; - - execute( neo, query, Collections.emptyMap(), r -> assertThat( r.hasNext(), equalTo( false ) ) ); - - execute( neo, "MATCH (n {name: 'Andersson'}) SET n.alias = 'neo' ", Collections.emptyMap() ).close(); - - execute( neo, query, Collections.emptyMap(), r -> - { - assertThat( r.getExecutionPlanDescription().toString(), containsString( "NodeIndexSeek" ) ); - assertThat( r.hasNext(), equalTo( true ) ); - assertThat( r.next().get( "n.alias" ), equalTo( "neo" ) ); - } ); - - execute( smith, query, Collections.emptyMap(), r -> assertThat( r.hasNext(), equalTo( false ) ) ); - } - - // RELATIONSHIPS - // TODO: when the realtionship properties are returned through PropertyCursor as well this should be unignored and expanded upon - - @Ignore - public void shouldBehaveLikeDataIsMissingForRelationshipProperties() 
throws Throwable - { - execute( neo, "CREATE (n {name: 'Andersson'}) CREATE (m { name: 'Betasson'}) CREATE (n)-[:Neighbour]->(m)", Collections.emptyMap() ).close(); - - String query = "MATCH (n)-[r]->(m) WHERE n.name = 'Andersson' AND m.name = 'Betasson' RETURN properties(r) AS props"; - - execute( neo, query, Collections.emptyMap(), r -> - { - assertThat( r.hasNext(), equalTo( true ) ); - assertThat( r.next().get( "props" ), equalTo( Collections.emptyMap() ) ); - } ); - - execute( neo, "MATCH (n {name: 'Andersson'})-[r]->({name: 'Betasson'}) SET r.secret = 'lovers' ", Collections.emptyMap() ).close(); - - execute( smith, query, Collections.emptyMap(), r -> - { - assertThat( r.hasNext(), equalTo( true ) ); - assertThat( r.next().get( "props" ), equalTo( Collections.emptyMap() ) ); - } ); - - execute( neo, query, Collections.emptyMap(), r -> - { - assertThat( r.hasNext(), equalTo( true ) ); - assertThat( r.next().get( "props" ), equalTo( Collections.singletonMap( "secret", "lovers" ) ) ); - } ); - } - - // PROCS - - @Test - public void shouldBehaveWithProcedures() throws Throwable - { - execute( neo, "CREATE (n:Person {name: 'Andersson'}) ", Collections.emptyMap() ).close(); - - String query = "CALL db.propertyKeys() YIELD propertyKey RETURN propertyKey ORDER BY propertyKey"; - - execute( neo, query, Collections.emptyMap(), r -> - { - assertThat( r.hasNext(), equalTo( true ) ); - assertThat( r.next().get( "propertyKey" ), equalTo( "name" ) ); - assertThat( r.hasNext(), equalTo( false ) ); - } ); - - execute( neo, "MATCH (n {name: 'Andersson'}) SET n.alias = 'neo' ", Collections.emptyMap() ).close(); - - execute( smith, query, Collections.emptyMap(), r -> - { - assertThat( r.hasNext(), equalTo( true ) ); - assertThat( r.next().get( "propertyKey" ), equalTo( "name" ) ); - assertThat( r.hasNext(), equalTo( false ) ); - } ); - - execute( neo, query, Collections.emptyMap(), r -> - { - assertThat( r.hasNext(), equalTo( true ) ); - assertThat( r.next().get( "propertyKey" 
), equalTo( "alias" ) ); - assertThat( r.hasNext(), equalTo( true ) ); - assertThat( r.next().get( "propertyKey" ), equalTo( "name" ) ); - assertThat( r.hasNext(), equalTo( true ) ); - assertThat( r.next().get( "propertyKey" ), equalTo( "secret" ) ); - assertThat( r.hasNext(), equalTo( false ) ); - } ); - } - - private void execute( LoginContext subject, String query, Map params, Consumer consumer ) - { - Result result; - try ( InternalTransaction tx = db.beginTransaction( explicit, subject ) ) - { - result = db.execute( tx, query, ValueUtils.asMapValue( params ) ); - consumer.accept( result ); - tx.success(); - result.close(); - } - } - - private Result execute( LoginContext subject, String query, Map params ) - { - Result result; - try ( InternalTransaction tx = db.beginTransaction( explicit, subject ) ) - { - result = db.execute( tx, query, ValueUtils.asMapValue( params ) ); - tx.success(); - } - return result; - } -} diff --git a/enterprise/server-enterprise/src/main/java/org/neo4j/server/rest/dbms/EnterpriseAuthorizationDisabledFilter.java b/enterprise/server-enterprise/src/main/java/org/neo4j/server/rest/dbms/EnterpriseAuthorizationDisabledFilter.java index 625725a52bcb0..27ab1c1768b01 100644 --- a/enterprise/server-enterprise/src/main/java/org/neo4j/server/rest/dbms/EnterpriseAuthorizationDisabledFilter.java +++ b/enterprise/server-enterprise/src/main/java/org/neo4j/server/rest/dbms/EnterpriseAuthorizationDisabledFilter.java 
@@ -19,13 +19,14 @@ */ package org.neo4j.server.rest.dbms; -import org.neo4j.kernel.enterprise.api.security.EnterpriseLoginContext; +import org.neo4j.internal.kernel.api.security.SecurityContext; +import org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext; public class EnterpriseAuthorizationDisabledFilter extends AuthorizationDisabledFilter { @Override - protected EnterpriseLoginContext getAuthDisabledLoginContext() + protected SecurityContext getAuthDisabledSecurityContext() { - return EnterpriseLoginContext.AUTH_DISABLED; + return EnterpriseSecurityContext.AUTH_DISABLED; } } diff --git a/enterprise/server-enterprise/src/test/java/org/neo4j/server/rest/security/AbstractRESTInteraction.java b/enterprise/server-enterprise/src/test/java/org/neo4j/server/rest/security/AbstractRESTInteraction.java index 7877aeab4226a..3186d8def2c97 100644 --- a/enterprise/server-enterprise/src/test/java/org/neo4j/server/rest/security/AbstractRESTInteraction.java +++ b/enterprise/server-enterprise/src/test/java/org/neo4j/server/rest/security/AbstractRESTInteraction.java @@ -37,10 +37,10 @@ import org.neo4j.graphdb.ResourceIterator; import org.neo4j.graphdb.factory.GraphDatabaseSettings; import org.neo4j.helpers.HostnamePort; -import org.neo4j.internal.kernel.api.security.LoginContext; import org.neo4j.io.fs.DefaultFileSystemAbstraction; import org.neo4j.io.fs.FileSystemAbstraction; import org.neo4j.kernel.api.KernelTransaction; +import org.neo4j.internal.kernel.api.security.SecurityContext; import org.neo4j.kernel.configuration.BoltConnector; import org.neo4j.kernel.configuration.ConnectorPortRegister; import org.neo4j.kernel.configuration.ssl.LegacySslPolicyConfig; 
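Review bot: The new override `protected SecurityContext getAuthDisabledSecurityContext()` widens the return type to the base `SecurityContext` even though the body still returns `EnterpriseSecurityContext.AUTH_DISABLED`, so the covariant narrowing the old `EnterpriseLoginContext` signature provided is lost and any enterprise caller that needs the enterprise context from this hook now has to cast. Assuming the base `AuthorizationDisabledFilter` (outside this diff) now declares `SecurityContext` here, the override can keep the narrower type with `protected EnterpriseSecurityContext getAuthDisabledSecurityContext()`, which also makes the added `SecurityContext` import unnecessary in this file. Since this is the context every request gets when authorization is switched off, the method deserves a short Javadoc such as `/** Security context applied to all requests while auth is disabled; enterprise variant of the AUTH_DISABLED context. */` so the privilege implication is visible at the override rather than only in the base class.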
@@ -130,8 +130,8 @@ public FileSystemAbstraction fileSystem() public InternalTransaction beginLocalTransactionAsUser( RESTSubject subject, KernelTransaction.Type txType ) throws Throwable { - LoginContext loginContext = authManager.login( newBasicAuthToken( subject.username, subject.password ) ); - return getLocalGraph().beginTransaction( txType, loginContext ); + SecurityContext securityContext = authManager.login( newBasicAuthToken( subject.username, subject.password ) ); + return getLocalGraph().beginTransaction( txType, securityContext ); } @Override diff --git a/enterprise/server-enterprise/src/test/java/org/neo4j/server/rest/security/EnterpriseUserServiceTest.java b/enterprise/server-enterprise/src/test/java/org/neo4j/server/rest/security/EnterpriseUserServiceTest.java index ca289d4b6d731..0e92bfd0a04eb 100644 --- a/enterprise/server-enterprise/src/test/java/org/neo4j/server/rest/security/EnterpriseUserServiceTest.java +++ b/enterprise/server-enterprise/src/test/java/org/neo4j/server/rest/security/EnterpriseUserServiceTest.java @@ -45,7 +45,7 @@ protected void setupAuthManagerAndSubject() ShiroSubject shiroSubject = mock( ShiroSubject.class ); when( shiroSubject.getPrincipal() ).thenReturn( "neo4j" ); - neo4jContext = authManagerRule.makeLoginContext( shiroSubject ); + neo4jContext = authManagerRule.makeSecurityContext( shiroSubject ); } @Test diff --git a/integrationtests/src/test/java/org/neo4j/ha/HAClusterStartupIT.java b/integrationtests/src/test/java/org/neo4j/ha/HAClusterStartupIT.java index 41abf883557ec..121e1e1dd0577 100644 --- a/integrationtests/src/test/java/org/neo4j/ha/HAClusterStartupIT.java +++ b/integrationtests/src/test/java/org/neo4j/ha/HAClusterStartupIT.java 
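Review bot: `beginLocalTransactionAsUser` begins a transaction on whatever `authManager.login( ... )` returns without inspecting the authentication outcome, so if `login` reports bad credentials through the returned context's subject rather than by throwing, the test proceeds with a failed subject and the error surfaces later as an unrelated authorization failure instead of at login. If the subject exposes its authentication result, a guard before the `beginTransaction` call would make setup failures explicit, e.g. `assertThat( securityContext.subject().getAuthenticationResult(), equalTo( AuthenticationResult.SUCCESS ) );` (verify the exact accessor against the `SecurityContext` API). The `throws Throwable` on the signature is also broader than the two calls in the body can need; narrowing it to the checked exceptions `login` actually declares would keep callers honest.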
@@ -38,7 +38,7 @@ import org.neo4j.io.fs.FileUtils; import org.neo4j.kernel.api.KernelTransaction; import org.neo4j.kernel.configuration.Settings; -import org.neo4j.kernel.enterprise.api.security.EnterpriseLoginContext; +import org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext; import org.neo4j.kernel.ha.HighlyAvailableGraphDatabase; import org.neo4j.kernel.impl.coreapi.InternalTransaction; import org.neo4j.kernel.impl.enterprise.configuration.OnlineBackupSettings; @@ -106,7 +106,7 @@ public void allClusterNodesShouldSupportTheBuiltInProcedures() throws Throwable // (2) BuiltInProcedures from enterprise try ( InternalTransaction tx = gdb.beginTransaction( KernelTransaction.Type.explicit, - EnterpriseLoginContext.AUTH_DISABLED + EnterpriseSecurityContext.AUTH_DISABLED ) ) { Result result = gdb.execute( tx, "CALL dbms.listQueries()", EMPTY_MAP );