Ejemplo n.º 1
0
  @Test
  public void shouldReplyNicelyToTooManyFailedAuthAttempts() throws Exception {
    // Given
    startServerWithConfiguredUser();
    long timeout = System.currentTimeMillis() + 30_000;

    // When
    HTTP.Response response = null;
    while (System.currentTimeMillis() < timeout) {
      // Done in a loop because we're racing with the clock to get enough failed requests into 5
      // seconds
      response =
          HTTP.withHeaders(HttpHeaders.AUTHORIZATION, challengeResponse("neo4j", "incorrect"))
              .POST(
                  server.baseUri().resolve("authentication").toString(),
                  HTTP.RawPayload.quotedJson(
                      "{'username':'******', 'password':'******'}"));

      if (response.status() == 429) {
        break;
      }
    }

    // Then
    assertThat(response.status(), equalTo(429));
    JsonNode firstError = response.get("errors").get(0);
    assertThat(
        firstError.get("code").asText(),
        equalTo("Neo.ClientError.Security.AuthenticationRateLimit"));
    assertThat(
        firstError.get("message").asText(),
        equalTo("Too many failed authentication requests. Please wait 5 seconds and try again."));
  }
Ejemplo n.º 2
0
  private void assertAuthorizationRequired(
      String method, String path, Object payload, int expectedAuthorizedStatus)
      throws JsonParseException {
    // When no header
    HTTP.Response response =
        HTTP.request(method, server.baseUri().resolve(path).toString(), payload);
    assertThat(response.status(), equalTo(401));
    assertThat(
        response.get("errors").get(0).get("code").asText(),
        equalTo("Neo.ClientError.Security.AuthorizationFailed"));
    assertThat(
        response.get("errors").get(0).get("message").asText(),
        equalTo("No authorization header supplied."));
    assertThat(response.header(HttpHeaders.WWW_AUTHENTICATE), equalTo("None"));

    // When malformed header
    response =
        HTTP.withHeaders(HttpHeaders.AUTHORIZATION, "This makes no sense")
            .request(method, server.baseUri().resolve(path).toString(), payload);
    assertThat(response.status(), equalTo(400));
    assertThat(
        response.get("errors").get(0).get("code").asText(),
        equalTo("Neo.ClientError.Request.InvalidFormat"));
    assertThat(
        response.get("errors").get(0).get("message").asText(),
        equalTo("Invalid Authorization header."));

    // When invalid credential
    response =
        HTTP.withHeaders(HttpHeaders.AUTHORIZATION, challengeResponse("neo4j", "incorrect"))
            .request(method, server.baseUri().resolve(path).toString(), payload);
    assertThat(response.status(), equalTo(401));
    assertThat(
        response.get("errors").get(0).get("code").asText(),
        equalTo("Neo.ClientError.Security.AuthorizationFailed"));
    assertThat(
        response.get("errors").get(0).get("message").asText(),
        equalTo("Invalid username or password."));
    assertThat(response.header(HttpHeaders.WWW_AUTHENTICATE), equalTo("None"));

    // When authorized
    response =
        HTTP.withHeaders(HttpHeaders.AUTHORIZATION, challengeResponse("neo4j", "secret"))
            .request(method, server.baseUri().resolve(path).toString(), payload);
    assertThat(response.status(), equalTo(expectedAuthorizedStatus));
  }
Ejemplo n.º 3
0
  @Test
  public void shouldNotAllowDataAccess() throws Exception {
    // Given
    startServerWithConfiguredUser();

    // When & then
    assertAuthorizationRequired(
        "POST", "db/data/node", RawPayload.quotedJson("{'name':'jake'}"), 201);
    assertAuthorizationRequired("GET", "db/data/node/1234", 404);
    assertAuthorizationRequired(
        "POST",
        "db/data/transaction/commit",
        RawPayload.quotedJson("{'statements':[{'statement':'MATCH (n) RETURN n'}]}"),
        200);
    assertEquals(200, HTTP.GET(server.baseUri().resolve("webadmin").toString()).status());
    assertEquals(200, HTTP.GET(server.baseUri().resolve("browser").toString()).status());
    assertEquals(200, HTTP.GET(server.baseUri().resolve("").toString()).status());
  }
Ejemplo n.º 4
0
 public void startServerWithConfiguredUser() throws IOException {
   startServer(true);
   // Set the password
   HTTP.Response post =
       HTTP.withHeaders(HttpHeaders.AUTHORIZATION, challengeResponse("neo4j", "neo4j"))
           .POST(
               server.baseUri().resolve("/user/neo4j/password").toString(),
               RawPayload.quotedJson("{'password':'******'}"));
   assertEquals(200, post.status());
 }
Ejemplo n.º 5
0
 public void startServer(boolean authEnabled) throws IOException {
   new File("neo4j-home/data/dbms/authorization")
       .delete(); // TODO: Implement a common component for managing Neo4j file structure and use
                  // that here
   server =
       CommunityServerBuilder.server()
           .withProperty(
               ServerSettings.authorization_enabled.name(), Boolean.toString(authEnabled))
           .build();
   server.start();
 }
Ejemplo n.º 6
0
  @Test
  public void shouldAllowAllAccessIfAuthenticationIsDisabled() throws Exception {
    // Given
    startServer(false);

    // When & then
    assertEquals(
        201,
        HTTP.POST(
                server.baseUri().resolve("db/data/node").toString(),
                RawPayload.quotedJson("{'name':'jake'}"))
            .status());
    assertEquals(404, HTTP.GET(server.baseUri().resolve("db/data/node/1234").toString()).status());
    assertEquals(
        200,
        HTTP.POST(
                server.baseUri().resolve("db/data/transaction/commit").toString(),
                RawPayload.quotedJson("{'statements':[{'statement':'MATCH (n) RETURN n'}]}"))
            .status());
  }
 public void stop() {
   server.stop();
 }
 public ServerDoctorWhoUniverse(CommunityNeoServer server) throws Exception {
   this.server = server;
   server.start();
 }
Ejemplo n.º 9
0
 private String passwordURL(String username) {
   return server.baseUri().resolve("user/" + username + "/password").toString();
 }
Ejemplo n.º 10
0
 private String userURL(String username) {
   return server.baseUri().resolve("user/" + username).toString();
 }
Ejemplo n.º 11
0
 private String dataURL() {
   return server.baseUri().resolve("db/data/").toString();
 }
Ejemplo n.º 12
0
 @After
 public void cleanup() {
   if (server != null) {
     server.stop();
   }
 }