LoginContext#authorize takes lambda instead Token

There was a circular dependency in that we need a securityContext for property level security in
neo4j · Mar 2, 2018 · 90d31ed · 90d31ed
1 parent a1c3b30
commit 90d31ed
Show file tree

Hide file tree

Showing 8 changed files with 28 additions and 31 deletions.
diff --git a/community/kernel-api/src/main/java/org/neo4j/internal/kernel/api/security/LoginContext.java b/community/kernel-api/src/main/java/org/neo4j/internal/kernel/api/security/LoginContext.java
@@ -19,11 +19,11 @@
  */
 package org.neo4j.internal.kernel.api.security;
 
-import org.neo4j.internal.kernel.api.Token;
+import java.util.function.Function;
 
 /**
  * The LoginContext hold the executing authenticated user (subject).
- * By calling {@link #authorize(Token)} the user is also authorized, and a full SecurityContext is returned,
+ * By calling {@link #authorize(Function<String,Integer>)} the user is also authorized, and a full SecurityContext is returned,
  * which can be used to assert user permissions during query execution.
  */
 public interface LoginContext
@@ -36,10 +36,10 @@ public interface LoginContext
     /**
      * Authorize the user and return a SecurityContext.
      *
-     * @param token token lookup, used to compile property level security verification
+     * @param tokenLookup token lookup, used to compile property level security verification
      * @return the security context
      */
-    SecurityContext authorize( Token token );
+    SecurityContext authorize( Function<String, Integer> tokenLookup );
 
     LoginContext AUTH_DISABLED = new LoginContext()
     {
@@ -50,7 +50,7 @@ public AuthSubject subject()
         }
 
         @Override
-        public SecurityContext authorize( Token token )
+        public SecurityContext authorize( Function<String, Integer> tokenLookup )
         {
             return SecurityContext.AUTH_DISABLED;
         }

diff --git a/...nity/kernel-api/src/main/java/org/neo4j/internal/kernel/api/security/SecurityContext.java b/...nity/kernel-api/src/main/java/org/neo4j/internal/kernel/api/security/SecurityContext.java
@@ -19,7 +19,7 @@
  */
 package org.neo4j.internal.kernel.api.security;
 
-import org.neo4j.internal.kernel.api.Token;
+import java.util.function.Function;
 
 import static org.neo4j.graphdb.security.AuthorizationViolationException.PERMISSION_DENIED;
 
@@ -62,7 +62,7 @@ public AuthSubject subject()
     }
 
     @Override
-    public SecurityContext authorize( Token token )
+    public SecurityContext authorize( Function<String, Integer> tokenLookup )
     {
         return this;
     }

diff --git a/community/kernel/src/main/java/org/neo4j/kernel/api/security/AnonymousContext.java b/community/kernel/src/main/java/org/neo4j/kernel/api/security/AnonymousContext.java
@@ -19,7 +19,8 @@
  */
 package org.neo4j.kernel.api.security;
 
-import org.neo4j.internal.kernel.api.Token;
+import java.util.function.Function;
+
 import org.neo4j.internal.kernel.api.security.AccessMode;
 import org.neo4j.internal.kernel.api.security.AuthSubject;
 import org.neo4j.internal.kernel.api.security.LoginContext;
@@ -67,7 +68,7 @@ public AuthSubject subject()
     }
 
     @Override
-    public SecurityContext authorize( Token token )
+    public SecurityContext authorize( Function<String, Integer> tokenLookup )
     {
         return new SecurityContext( subject(), accessMode );
     }

diff --git a/community/security/src/main/java/org/neo4j/server/security/auth/BasicLoginContext.java b/community/security/src/main/java/org/neo4j/server/security/auth/BasicLoginContext.java
@@ -19,7 +19,8 @@
  */
 package org.neo4j.server.security.auth;
 
-import org.neo4j.internal.kernel.api.Token;
+import java.util.function.Function;
+
 import org.neo4j.internal.kernel.api.security.AccessMode;
 import org.neo4j.internal.kernel.api.security.AuthSubject;
 import org.neo4j.internal.kernel.api.security.AuthenticationResult;
@@ -107,7 +108,7 @@ public AuthSubject subject()
     }
 
     @Override
-    public SecurityContext authorize( Token token )
+    public SecurityContext authorize( Function<String, Integer> tokenLookup )
     {
         return new SecurityContext( authSubject, accessMode );
     }

diff --git a/...kernel/src/main/java/org/neo4j/kernel/enterprise/api/security/EnterpriseLoginContext.java b/...kernel/src/main/java/org/neo4j/kernel/enterprise/api/security/EnterpriseLoginContext.java
@@ -21,16 +21,16 @@
 
 import java.util.Collections;
 import java.util.Set;
+import java.util.function.Function;
 
-import org.neo4j.internal.kernel.api.Token;
 import org.neo4j.internal.kernel.api.security.AuthSubject;
 import org.neo4j.internal.kernel.api.security.LoginContext;
 
 public interface EnterpriseLoginContext extends LoginContext
 {
     Set<String> roles();
 
-    EnterpriseSecurityContext authorize( Token token );
+    EnterpriseSecurityContext authorize( Function<String, Integer> tokenLookup );
 
     EnterpriseLoginContext AUTH_DISABLED = new EnterpriseLoginContext()
     {
@@ -47,7 +47,7 @@ public Set<String> roles()
         }
 
         @Override
-        public EnterpriseSecurityContext authorize( Token token )
+        public EnterpriseSecurityContext authorize( Function<String, Integer> tokenLookup )
         {
             return EnterpriseSecurityContext.AUTH_DISABLED;
         }

diff --git a/...curity/src/main/java/org/neo4j/server/security/enterprise/auth/MultiRealmAuthManager.java b/...curity/src/main/java/org/neo4j/server/security/enterprise/auth/MultiRealmAuthManager.java
@@ -50,8 +50,6 @@
 import org.neo4j.collection.primitive.PrimitiveIntSet;
 import org.neo4j.graphdb.security.AuthProviderFailedException;
 import org.neo4j.graphdb.security.AuthProviderTimeoutException;
-import org.neo4j.internal.kernel.api.Token;
-import org.neo4j.internal.kernel.api.exceptions.schema.IllegalTokenNameException;
 import org.neo4j.internal.kernel.api.security.AuthSubject;
 import org.neo4j.internal.kernel.api.security.AuthenticationResult;
 import org.neo4j.kernel.api.security.exception.InvalidAuthTokenException;
@@ -309,7 +307,7 @@ public Collection<AuthorizationInfo> getAuthorizationInfo( PrincipalCollection p
         return infoList;
     }
 
-    IntPredicate getPropertyPermissions( Set<String> roles, Token token )
+    IntPredicate getPropertyPermissions( Set<String> roles, Function<String, Integer> tokenLookup )
     {
         if ( propertyAuthorization )
         {
@@ -324,11 +322,10 @@ IntPredicate getPropertyPermissions( Set<String> roles, Token token )
 
                         try
                         {
-                            blackListed.add( token.propertyKeyGetOrCreateForName( propName ) );
+                            blackListed.add( tokenLookup.apply( propName ) );
                         }
-                        catch ( IllegalTokenNameException e )
+                        catch ( Exception e )
                         {
-                            // This can't happen since propName has already been checked to be valid
                             securityLog.error( "Error in setting up property permissions, '" + propName + "' is not a valid property name." );
                         }
                     }

diff --git a/...c/main/java/org/neo4j/server/security/enterprise/auth/StandardEnterpriseLoginContext.java b/...c/main/java/org/neo4j/server/security/enterprise/auth/StandardEnterpriseLoginContext.java
@@ -31,7 +31,6 @@
 import java.util.stream.Stream;
 
 import org.neo4j.graphdb.security.AuthorizationViolationException;
-import org.neo4j.internal.kernel.api.Token;
 import org.neo4j.internal.kernel.api.security.AccessMode;
 import org.neo4j.internal.kernel.api.security.AuthSubject;
 import org.neo4j.internal.kernel.api.security.AuthenticationResult;
@@ -67,7 +66,7 @@ public AuthSubject subject()
         return neoShiroSubject;
     }
 
-    private StandardAccessMode mode( Token token )
+    private StandardAccessMode mode( Function<String, Integer> tokenLookup )
     {
         boolean isAuthenticated = shiroSubject.isAuthenticated();
         return new StandardAccessMode(
@@ -77,14 +76,14 @@ private StandardAccessMode mode( Token token )
                 isAuthenticated && shiroSubject.isPermitted( SCHEMA_READ_WRITE ),
                 shiroSubject.getAuthenticationResult() == AuthenticationResult.PASSWORD_CHANGE_REQUIRED,
                 queryForRoleNames(),
-                queryForPropertyPermissions( token )
+                queryForPropertyPermissions( tokenLookup )
             );
     }
 
     @Override
-    public EnterpriseSecurityContext authorize( Token token )
+    public EnterpriseSecurityContext authorize( Function<String, Integer> tokenLookup )
     {
-        StandardAccessMode mode = mode( token );
+        StandardAccessMode mode = mode( tokenLookup );
         return new EnterpriseSecurityContext( neoShiroSubject, mode, mode.roles, isAdmin() );
     }
 
@@ -107,9 +106,9 @@ private Set<String> queryForRoleNames()
                 .collect( Collectors.toSet() );
     }
 
-    private IntPredicate queryForPropertyPermissions( Token token )
+    private IntPredicate queryForPropertyPermissions( Function<String, Integer> tokenLookup )
     {
-        return authManager.getPropertyPermissions( roles(), token );
+        return authManager.getPropertyPermissions( roles(), tokenLookup );
     }
 
     private static class StandardAccessMode implements AccessMode

diff --git a/...ava/org/neo4j/server/security/enterprise/auth/EmbeddedBuiltInProceduresInteractionIT.java b/...ava/org/neo4j/server/security/enterprise/auth/EmbeddedBuiltInProceduresInteractionIT.java
@@ -24,10 +24,10 @@
 import java.util.Collections;
 import java.util.Map;
 import java.util.Set;
+import java.util.function.Function;
 
 import org.neo4j.graphdb.QueryExecutionException;
 import org.neo4j.graphdb.Result;
-import org.neo4j.internal.kernel.api.Token;
 import org.neo4j.internal.kernel.api.security.AuthSubject;
 import org.neo4j.internal.kernel.api.security.SecurityContext;
 import org.neo4j.kernel.api.KernelTransaction;
@@ -41,7 +41,6 @@
 import static org.hamcrest.CoreMatchers.containsString;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertThat;
-import static org.mockito.Mockito.mock;
 import static org.neo4j.graphdb.security.AuthorizationViolationException.PERMISSION_DENIED;
 import static org.neo4j.values.virtual.VirtualValues.EMPTY_MAP;
 
@@ -115,7 +114,7 @@ private EnterpriseLoginContext createFakeAnonymousEnterpriseLoginContext()
         return new EnterpriseLoginContext()
         {
             @Override
-            public EnterpriseSecurityContext authorize( Token token )
+            public EnterpriseSecurityContext authorize( Function<String, Integer> tokenLookup )
             {
                 return new EnterpriseSecurityContext( subject(), inner.mode(), Collections.emptySet(), false );
             }
@@ -126,7 +125,7 @@ public Set<String> roles()
                 return Collections.emptySet();
             }
 
-            SecurityContext inner = AnonymousContext.none().authorize( mock( Token.class ) );
+            SecurityContext inner = AnonymousContext.none().authorize( (s) -> -1  );
 
             @Override
             public AuthSubject subject()