Do not create new users from auth.ini file

The `auth.ini` file may only be used if there are no other users in the system.
It is only usable for the default initial user, called 'neo4j'.

community/security/src/main/java/org/neo4j/server/security/auth/BasicAuthManager.java

@@ -79,22 +79,14 @@ public void start() throws Throwable
 
         if ( userRepository.numberOfUsers() == 0 )
         {
-            if ( initialUserRepository.numberOfUsers() == 0 )
+            User neo4j = newUser( "neo4j", "neo4j", true );
+            if ( initialUserRepository.numberOfUsers() > 0 )
             {
-                newUser( "neo4j", "neo4j", true );
-            }
-        }
-        for ( String username : initialUserRepository.getAllUsernames() )
-        {
-            User oldUser = userRepository.getUserByName( username );
-            User newUser = initialUserRepository.getUserByName( username );
-            if ( oldUser == null )
-            {
-                userRepository.create( newUser );
-            }
-            else
-            {
-                userRepository.update( oldUser, newUser );
+                User user = initialUserRepository.getUserByName( "neo4j" );
+                if ( user != null )
+                {
+                    userRepository.update( neo4j, user );
+                }
             }
         }
     }

community/security/src/test/java/org/neo4j/server/security/auth/BasicAuthManagerTest.java

@@ -97,7 +97,7 @@ public void shouldLoadInitialUserIfNoneExist() throws Throwable
                 CommunitySecurityModule.getInitialUserRepository( config, NullLogProvider.getInstance(), fsRule.get() );
         initialUserRepository.start();
         initialUserRepository.create(
-                new User.Builder( "initUser", Credential.forPassword( "123" ))
+                new User.Builder( "neo4j", Credential.forPassword( "123" ))
                         .withRequiredPasswordChange( false )
                         .build()
         );
@@ -107,14 +107,14 @@ public void shouldLoadInitialUserIfNoneExist() throws Throwable
         manager.start();
 
         // Then
-        final User user = users.getUserByName( "initUser" );
+        final User user = users.getUserByName( "neo4j" );
         assertNotNull( user );
         assertTrue( user.credentials().matchesPassword( "123" ) );
         assertFalse( user.passwordChangeRequired() );
     }
 
     @Test
-    public void shouldAddInitialUserIfUsersExist() throws Throwable
+    public void shouldNotAddInitialUserIfUsersExist() throws Throwable
     {
         // Given
         FileUserRepository initialUserRepository =
@@ -135,9 +135,7 @@ public void shouldAddInitialUserIfUsersExist() throws Throwable
 
         // Then
         final User initUser = users.getUserByName( "initUser" );
-        assertNotNull( initUser );
-        assertTrue( initUser.credentials().matchesPassword( "123" ) );
-        assertFalse( initUser.passwordChangeRequired() );
+        assertNull( initUser );
 
         final User oldUser = users.getUserByName( "oldUser" );
         assertNotNull( oldUser );
@@ -146,7 +144,7 @@ public void shouldAddInitialUserIfUsersExist() throws Throwable
     }
 
     @Test
-    public void shouldUpdateUserIfInitialUserExist() throws Throwable
+    public void shouldNotUpdateUserIfInitialUserExist() throws Throwable
     {
         // Given
         FileUserRepository initialUserRepository =
@@ -168,8 +166,8 @@ public void shouldUpdateUserIfInitialUserExist() throws Throwable
         // Then
         final User oldUser = users.getUserByName( "oldUser" );
         assertNotNull( oldUser );
-        assertTrue( oldUser.credentials().matchesPassword( "newPassword" ) );
-        assertFalse( oldUser.passwordChangeRequired() );
+        assertFalse( oldUser.credentials().matchesPassword( "newPassword" ) );
+        assertTrue( oldUser.passwordChangeRequired() );
     }
 
     @Test

enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/InternalFlatFileRealm.java

@@ -212,26 +212,17 @@ private Set<String> ensureDefaultUsers() throws Throwable
         {
             if ( userRepository.numberOfUsers() == 0 )
             {
-                if ( initialUserRepository.numberOfUsers() == 0 )
+                User neo4j = newUser( "neo4j", "neo4j", true );
+                if ( initialUserRepository.numberOfUsers() > 0 )
                 {
-                    newUser( "neo4j", "neo4j", true );
-                    return Collections.singleton( "neo4j" );
-                }
-            }
-            for ( String username : initialUserRepository.getAllUsernames() )
-            {
-                User oldUser = userRepository.getUserByName( username );
-                User newUser = initialUserRepository.getUserByName( username );
-                if ( oldUser == null )
-                {
-                    userRepository.create( newUser );
-                }
-                else
-                {
-                    userRepository.update( oldUser, newUser );
+                    User initUser = initialUserRepository.getUserByName( "neo4j" );
+                    if (initUser != null)
+                    {
+                        userRepository.update( neo4j, initUser );
+                    }
                 }
+                return Collections.singleton( "neo4j" );
             }
-            return initialUserRepository.getAllUsernames();
         }
         return Collections.emptySet();
     }

enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/MultiRealmAuthManagerTest.java

@@ -137,7 +137,7 @@ public void shouldLoadInitialUserIfNoneExist() throws Throwable
                 CommunitySecurityModule.getInitialUserRepository( config, NullLogProvider.getInstance(), fsRule.get() );
         initialUserRepository.start();
         initialUserRepository.create(
-                new User.Builder( "initUser", Credential.forPassword( "123" ))
+                new User.Builder( "neo4j", Credential.forPassword( "123" ))
                         .withRequiredPasswordChange( false )
                         .build()
         );
@@ -147,14 +147,14 @@ public void shouldLoadInitialUserIfNoneExist() throws Throwable
         manager.start();
 
         // Then
-        final User user = users.getUserByName( "initUser" );
+        final User user = users.getUserByName( "neo4j" );
         assertNotNull( user );
         assertTrue( user.credentials().matchesPassword( "123" ) );
         assertFalse( user.passwordChangeRequired() );
     }
 
     @Test
-    public void shouldAddInitialUserIfUsersExist() throws Throwable
+    public void shouldNotAddInitialUserIfUsersExist() throws Throwable
     {
         // Given
         FileUserRepository initialUserRepository =
@@ -171,9 +171,7 @@ public void shouldAddInitialUserIfUsersExist() throws Throwable
 
         // Then
         final User initUser = users.getUserByName( "initUser" );
-        assertNotNull( initUser );
-        assertTrue( initUser.credentials().matchesPassword( "123" ) );
-        assertFalse( initUser.passwordChangeRequired() );
+        assertNull( initUser );
 
         final User oldUser = users.getUserByName( "oldUser" );
         assertNotNull( oldUser );
@@ -182,7 +180,7 @@ public void shouldAddInitialUserIfUsersExist() throws Throwable
     }
 
     @Test
-    public void shouldUpdateUserIfInitialUserExist() throws Throwable
+    public void shouldNotUpdateUserIfInitialUserExist() throws Throwable
     {
         // Given
         FileUserRepository initialUserRepository =
@@ -200,8 +198,8 @@ public void shouldUpdateUserIfInitialUserExist() throws Throwable
         // Then
         final User oldUser = users.getUserByName( "oldUser" );
         assertNotNull( oldUser );
-        assertTrue( oldUser.credentials().matchesPassword( "newPassword" ) );
-        assertFalse( oldUser.passwordChangeRequired() );
+        assertTrue( oldUser.credentials().matchesPassword( "oldPassword" ) );
+        assertTrue( oldUser.passwordChangeRequired() );
     }
 
     @Test