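  @Test
  public void shouldReplyNicelyToTooManyFailedAuthAttempts() throws Exception {
    // Given
    startServerWithConfiguredUser();
    // Deadline on the monotonic clock: currentTimeMillis() can jump if the wall clock is
    // adjusted while the test runs, which would either cut the loop short or let it overrun.
    final long deadlineNanos = System.nanoTime() + 30_000_000_000L;

    // When
    // Repeated in a loop because we are racing the server's 5-second window: enough failed
    // attempts have to land inside it before the rate limit (429) kicks in. The deadline
    // guarantees at least one request is sent, so `response` is non-null after the loop.
    HTTP.Response response = null;
    while (System.nanoTime() - deadlineNanos < 0) {
      response =
          HTTP.withHeaders(HttpHeaders.AUTHORIZATION, challengeResponse("neo4j", "incorrect"))
              .POST(
                  server.baseUri().resolve("authentication").toString(),
                  HTTP.RawPayload.quotedJson(
                      "{'username':'******', 'password':'******'}"));

      if (response.status() == 429) {
        break;
      }
    }

    // Then: the server must answer with 429 and a dedicated rate-limit error, not a generic
    // authentication failure, so clients can distinguish throttling from bad credentials.
    assertThat(response.status(), equalTo(429));
    JsonNode firstError = response.get("errors").get(0);
    assertThat(
        firstError.get("code").asText(),
        equalTo("Neo.ClientError.Security.AuthenticationRateLimit"));
    assertThat(
        firstError.get("message").asText(),
        equalTo("Too many failed authentication requests. Please wait 5 seconds and try again."));
  }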
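  /**
   * Asserts that {@code method path} is protected: requests without a header, with a malformed
   * header and with wrong credentials are rejected with the expected status/error, while a
   * correctly authenticated request yields {@code expectedAuthorizedStatus}.
   *
   * @param method HTTP method to send
   * @param path path resolved against the server base URI
   * @param payload request body (may be null depending on the method)
   * @param expectedAuthorizedStatus status expected once valid credentials are supplied
   * @throws JsonParseException if an error response body cannot be parsed
   */
  private void assertAuthorizationRequired(
      String method, String path, Object payload, int expectedAuthorizedStatus)
      throws JsonParseException {
    // The target URL does not change between the four requests, so resolve it once.
    String url = server.baseUri().resolve(path).toString();

    // When no header
    HTTP.Response response = HTTP.request(method, url, payload);
    assertErrorResponse(
        response,
        401,
        "Neo.ClientError.Security.AuthorizationFailed",
        "No authorization header supplied.");
    // The server deliberately does not advertise a challenge scheme here.
    assertThat(response.header(HttpHeaders.WWW_AUTHENTICATE), equalTo("None"));

    // When malformed header
    response =
        HTTP.withHeaders(HttpHeaders.AUTHORIZATION, "This makes no sense")
            .request(method, url, payload);
    assertErrorResponse(
        response, 400, "Neo.ClientError.Request.InvalidFormat", "Invalid Authorization header.");

    // When invalid credential: same status and message as the missing-header case, so the
    // response does not reveal whether the user exists.
    response =
        HTTP.withHeaders(HttpHeaders.AUTHORIZATION, challengeResponse("neo4j", "incorrect"))
            .request(method, url, payload);
    assertErrorResponse(
        response,
        401,
        "Neo.ClientError.Security.AuthorizationFailed",
        "Invalid username or password.");
    assertThat(response.header(HttpHeaders.WWW_AUTHENTICATE), equalTo("None"));

    // When authorized
    response =
        HTTP.withHeaders(HttpHeaders.AUTHORIZATION, challengeResponse("neo4j", "secret"))
            .request(method, url, payload);
    assertThat(response.status(), equalTo(expectedAuthorizedStatus));
  }

  /**
   * Asserts the status of an error response and the code/message of its first {@code errors}
   * entry.
   *
   * @param response response under test
   * @param expectedStatus expected HTTP status
   * @param expectedCode expected value of {@code errors[0].code}
   * @param expectedMessage expected value of {@code errors[0].message}
   * @throws JsonParseException if the response body cannot be parsed
   */
  private static void assertErrorResponse(
      HTTP.Response response, int expectedStatus, String expectedCode, String expectedMessage)
      throws JsonParseException {
    assertThat(response.status(), equalTo(expectedStatus));
    JsonNode firstError = response.get("errors").get(0);
    assertThat(firstError.get("code").asText(), equalTo(expectedCode));
    assertThat(firstError.get("message").asText(), equalTo(expectedMessage));
  }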
  @Test
  public void shouldNotAllowDataAccess() throws Exception {
    // Given
    startServerWithConfiguredUser();

    // When & then: the data endpoints must reject unauthenticated and wrongly authenticated
    // requests and only serve the expected status once valid credentials are supplied.
    assertAuthorizationRequired(
        "POST", "db/data/node", RawPayload.quotedJson("{'name':'jake'}"), 201);
    assertAuthorizationRequired("GET", "db/data/node/1234", 404);
    assertAuthorizationRequired(
        "POST",
        "db/data/transaction/commit",
        RawPayload.quotedJson("{'statements':[{'statement':'MATCH (n) RETURN n'}]}"),
        200);

    // ... whereas these paths are expected to answer 200 without any credentials.
    for (String openPath : new String[] {"webadmin", "browser", ""}) {
      String url = server.baseUri().resolve(openPath).toString();
      assertEquals(200, HTTP.GET(url).status());
    }
  }
 /**
  * Starts the server with authentication enabled and, authenticating as neo4j/neo4j, sets the
  * password via the password endpoint; fails the test unless the server answers 200.
  *
  * @throws IOException if the server cannot be started
  */
 public void startServerWithConfiguredUser() throws IOException {
   startServer(true);
   String passwordChangeUrl = server.baseUri().resolve("/user/neo4j/password").toString();
   HTTP.Response post =
       HTTP.withHeaders(HttpHeaders.AUTHORIZATION, challengeResponse("neo4j", "neo4j"))
           .POST(passwordChangeUrl, RawPayload.quotedJson("{'password':'******'}"));
   assertEquals(200, post.status());
 }
  @Test
  public void shouldAllowAllAccessIfAuthenticationIsDisabled() throws Exception {
    // Given: a server started with authentication switched off
    startServer(false);

    // When & then: the same data endpoints that are protected when auth is on are served
    // directly, without any Authorization header.
    String createNodeUrl = server.baseUri().resolve("db/data/node").toString();
    HTTP.Response created =
        HTTP.POST(createNodeUrl, RawPayload.quotedJson("{'name':'jake'}"));
    assertEquals(201, created.status());

    String missingNodeUrl = server.baseUri().resolve("db/data/node/1234").toString();
    assertEquals(404, HTTP.GET(missingNodeUrl).status());

    String commitUrl = server.baseUri().resolve("db/data/transaction/commit").toString();
    HTTP.Response committed =
        HTTP.POST(
            commitUrl,
            RawPayload.quotedJson("{'statements':[{'statement':'MATCH (n) RETURN n'}]}"));
    assertEquals(200, committed.status());
  }
 /**
  * Builds the absolute URL of the password endpoint for {@code username}.
  *
  * @param username user whose password endpoint is addressed (not escaped)
  * @return the URL as a string, resolved against the server base URI
  */
 private String passwordURL(String username) {
   String relativePath = "user/" + username + "/password";
   return server.baseUri().resolve(relativePath).toString();
 }
 /**
  * Builds the absolute URL of the user resource for {@code username}.
  *
  * @param username user whose resource is addressed (not escaped)
  * @return the URL as a string, resolved against the server base URI
  */
 private String userURL(String username) {
   String relativePath = "user/" + username;
   return server.baseUri().resolve(relativePath).toString();
 }
 /**
  * Builds the absolute URL of the data root ({@code db/data/}).
  *
  * @return the URL as a string, resolved against the server base URI
  */
 private String dataURL() {
   String dataRoot = "db/data/";
   return server.baseUri().resolve(dataRoot).toString();
 }