/**
* Authenticate to access the server
*
* <p>Authenticate by sending a username and a password to Neo4j using HTTP Basic Auth. Requests
* should include an +Authorization+ header, with a value of +Basic realm="Neo4j" <payload>+,
* where "payload" is a base64 encoded string of "username:password".
*/
@Test
@Documented
public void successful_authentication() throws PropertyValueException, IOException {
// Given
startServerWithConfiguredUser();
// Document
RESTDocsGenerator.ResponseEntity response =
gen.get()
.noGraph()
.expectedStatus(200)
.withHeader(HttpHeaders.AUTHORIZATION, challengeResponse("neo4j", "secret"))
.get(userURL("neo4j"));
// Then
JsonNode data = JsonHelper.jsonNode(response.entity());
assertThat(data.get("username").asText(), equalTo("neo4j"));
assertThat(data.get("password_change_required").asBoolean(), equalTo(false));
assertThat(data.get("password_change").asText(), equalTo(passwordURL("neo4j")));
}
/**
* Missing authorization
*
* <p>If an +Authorization+ header is not supplied, the server will reply with an error.
*/
@Test
@Documented
public void missing_authorization() throws PropertyValueException, IOException {
// Given
startServerWithConfiguredUser();
// Document
RESTDocsGenerator.ResponseEntity response =
gen.get()
.noGraph()
.expectedStatus(401)
.expectedHeader("WWW-Authenticate", "None")
.get(dataURL());
// Then
JsonNode data = JsonHelper.jsonNode(response.entity());
JsonNode firstError = data.get("errors").get(0);
assertThat(
firstError.get("code").asText(), equalTo("Neo.ClientError.Security.AuthorizationFailed"));
assertThat(firstError.get("message").asText(), equalTo("No authorization header supplied."));
}
/**
* Incorrect authentication
*
* <p>If an incorrect username or password is provided, the server replies with an error.
*/
@Test
@Documented
public void incorrect_authentication() throws PropertyValueException, IOException {
// Given
startServerWithConfiguredUser();
// Document
RESTDocsGenerator.ResponseEntity response =
gen.get()
.noGraph()
.expectedStatus(401)
.withHeader(HttpHeaders.AUTHORIZATION, challengeResponse("neo4j", "incorrect"))
.expectedHeader("WWW-Authenticate", "None")
.post(dataURL());
// Then
JsonNode data = JsonHelper.jsonNode(response.entity());
JsonNode firstError = data.get("errors").get(0);
assertThat(
firstError.get("code").asText(), equalTo("Neo.ClientError.Security.AuthorizationFailed"));
assertThat(firstError.get("message").asText(), equalTo("Invalid username or password."));
}
/**
* Required password changes
*
* <p>In some cases, like the very first time Neo4j is accessed, the user will be required to
* choose a new password. The database will signal that a new password is required and deny
* access.
*
* <p>See <<rest-api-security-user-status-and-password-changing>> for how to set a new password.
*/
@Test
@Documented
public void password_change_required() throws PropertyValueException, IOException {
// Given
startServer(true);
// Document
RESTDocsGenerator.ResponseEntity response =
gen.get()
.noGraph()
.expectedStatus(403)
.withHeader(HttpHeaders.AUTHORIZATION, challengeResponse("neo4j", "neo4j"))
.get(dataURL());
// Then
JsonNode data = JsonHelper.jsonNode(response.entity());
JsonNode firstError = data.get("errors").get(0);
assertThat(
firstError.get("code").asText(), equalTo("Neo.ClientError.Security.AuthorizationFailed"));
assertThat(
firstError.get("message").asText(), equalTo("User is required to change their password."));
assertThat(data.get("password_change").asText(), equalTo(passwordURL("neo4j")));
}
