JS driver v1.1.0-M01: Checking in transpiled files for bower

Author: Neo Technology Build Agent

lib/browser/neo4j-web.js

@@ -230,10 +230,11 @@ var USER_AGENT = "neo4j-javascript/" + _version.VERSION;
  * options are as follows:
  *
  *     {
- *       // Enable TLS encryption. This is on by default in modern NodeJS installs,
+ *       // Encryption level: one of ENCRYPTION_ON, ENCRYPTION_OFF or ENCRYPTION_NON_LOCAL.
+ *       // ENCRYPTION_NON_LOCAL is on by default in modern NodeJS installs,
  *       // but off by default in the Web Bundle and old (<=1.0.0) NodeJS installs
  *       // due to technical limitations on those platforms.
- *       encrypted: true|false,
+ *       encrypted: ENCRYPTION_ON|ENCRYPTION_OFF|ENCRYPTION_NON_LOCAL
  *
  *       // Trust strategy to use if encryption is enabled. There is no mode to disable
  *       // trust other than disabling encryption altogether. The reason for

lib/browser/neo4j-web.min.js

@@ -44,6 +44,11 @@ var DummyChannel = (function () {
   }
 
   _createClass(DummyChannel, [{
+    key: "isEncrypted",
+    value: function isEncrypted() {
+      return false;
+    }
+  }, {
     key: "write",
     value: function write(buf) {
       this.written.push(buf);

lib/browser/neo4j-web.test.js

@@ -49,6 +49,8 @@ var _os = require('os');
 
 var _buf = require('./buf');
 
+var _util = require('./util');
+
 var _error = require('./../error');
 
 var _CONNECTION_IDGEN = 0;
@@ -83,13 +85,17 @@ function loadFingerprint(serverId, knownHostsPath, cb) {
 }
 
 function storeFingerprint(serverId, knownHostsPath, fingerprint) {
-  _fs2['default'].appendFile(knownHostsPath, serverId + " " + fingerprint + _os.EOL, "utf8");
+  _fs2['default'].appendFile(knownHostsPath, serverId + " " + fingerprint + _os.EOL, "utf8", function (err) {
+    if (err) {
+      console.log(err);
+    }
+  });
 }
 
 var TrustStrategy = {
   TRUST_SIGNED_CERTIFICATES: function TRUST_SIGNED_CERTIFICATES(opts, onSuccess, onFailure) {
     if (!opts.trustedCertificates || opts.trustedCertificates.length == 0) {
-      onFailure((0, _error.newError)("You are using TRUST_SIGNED_CERTIFICATES as the method " + "to verify trust for encrypted  connections, but have not configured any " + "trustedCertificates. You  must specify the path to at least one trusted " + "X.509 certificate for this to work. Two other alternatives is to use " + "TRUST_ON_FIRST_USE or to disable encryption by setting encrypted=false " + "in your driver configuration."));
+      onFailure((0, _error.newError)("You are using TRUST_SIGNED_CERTIFICATES as the method " + "to verify trust for encrypted  connections, but have not configured any " + "trustedCertificates. You  must specify the path to at least one trusted " + "X.509 certificate for this to work. Two other alternatives is to use " + "TRUST_ON_FIRST_USE or to disable encryption by setting encrypted=\"" + _util.ENCRYPTION_OFF + "\"" + "in your driver configuration."));
       return;
     }
 
@@ -102,7 +108,7 @@ var TrustStrategy = {
 
     var socket = _tls2['default'].connect(opts.port, opts.host, tlsOpts, function () {
       if (!socket.authorized) {
-        onFailure((0, _error.newError)("Server certificate is not trusted. If you trust the database you are connecting to, add" + " the signing certificate, or the server certificate, to the list of certificates trusted by this driver" + " using `neo4j.v1.driver(.., { trustedCertificates:['path/to/certificate.crt']}). This " + " is a security measure to protect against man-in-the-middle attacks. If you are just trying " + " Neo4j out and are not concerned about encryption, simply disable it using `encrypted=false` in the driver" + " options."));
+        onFailure((0, _error.newError)("Server certificate is not trusted. If you trust the database you are connecting to, add" + " the signing certificate, or the server certificate, to the list of certificates trusted by this driver" + " using `neo4j.v1.driver(.., { trustedCertificates:['path/to/certificate.crt']}). This " + " is a security measure to protect against man-in-the-middle attacks. If you are just trying " + " Neo4j out and are not concerned about encryption, simply disable it using `encrypted=\"" + _util.ENCRYPTION_OFF + "\"` in the driver" + " options."));
       } else {
         onSuccess();
       }
@@ -124,7 +130,7 @@ var TrustStrategy = {
         // the raw cert cannot be accessed (or, at least I couldn't find a way to)
         // therefore, we can't generate a SHA512 fingerprint, meaning we can't
         // do TOFU, and the safe approach is to fail.
-        onFailure((0, _error.newError)("You are using a version of NodeJS that does not " + "support trust-on-first use encryption. You can either upgrade NodeJS to " + "a newer version, use `trust:TRUST_SIGNED_CERTIFICATES` in your driver " + "config instead, or disable encryption using `encrypted:false`."));
+        onFailure((0, _error.newError)("You are using a version of NodeJS that does not " + "support trust-on-first use encryption. You can either upgrade NodeJS to " + "a newer version, use `trust:TRUST_SIGNED_CERTIFICATES` in your driver " + "config instead, or disable encryption using `encrypted:\"" + _util.ENCRYPTION_OFF + "\"`."));
         return;
       }
 
@@ -139,7 +145,7 @@ var TrustStrategy = {
           storeFingerprint(serverId, knownHostsPath, serverFingerprint);
           onSuccess();
         } else {
-          onFailure((0, _error.newError)("Database encryption certificate has changed, and no longer " + "matches the certificate stored for " + serverId + " in `" + knownHostsPath + "`. As a security precaution, this driver will not automatically trust the new " + "certificate, because doing so would allow an attacker to pretend to be the Neo4j " + "instance we want to connect to. The certificate provided by the server looks like: " + serverCert + ". If you trust that this certificate is valid, simply remove the line " + "starting with " + serverId + " in `" + knownHostsPath + "`, and the driver will " + "update the file with the new certificate. You can configure which file the driver " + "should use to store this information by setting `knownHosts` to another path in " + "your driver configuration - and you can disable encryption there as well using " + "`encrypted:false`."));
+          onFailure((0, _error.newError)("Database encryption certificate has changed, and no longer " + "matches the certificate stored for " + serverId + " in `" + knownHostsPath + "`. As a security precaution, this driver will not automatically trust the new " + "certificate, because doing so would allow an attacker to pretend to be the Neo4j " + "instance we want to connect to. The certificate provided by the server looks like: " + serverCert + ". If you trust that this certificate is valid, simply remove the line " + "starting with " + serverId + " in `" + knownHostsPath + "`, and the driver will " + "update the file with the new certificate. You can configure which file the driver " + "should use to store this information by setting `knownHosts` to another path in " + "your driver configuration - and you can disable encryption there as well using " + "`encrypted:\"" + _util.ENCRYPTION_OFF + "\"`."));
         }
       });
     });
@@ -153,14 +159,15 @@ function connect(opts, onSuccess) {
     return null;
   } : arguments[2];
 
-  if (opts.encrypted === false) {
+  //still allow boolean for backwards compatibility
+  if (opts.encrypted === false || opts.encrypted === _util.ENCRYPTION_OFF || opts.encrypted === _util.ENCRYPTION_NON_LOCAL && (0, _util.isLocalHost)(opts.host)) {
     var conn = _net2['default'].connect(opts.port, opts.host, onSuccess);
     conn.on('error', onFailure);
     return conn;
   } else if (TrustStrategy[opts.trust]) {
     return TrustStrategy[opts.trust](opts, onSuccess, onFailure);
   } else {
-    onFailure((0, _error.newError)("Unknown trust strategy: " + opts.trust + ". Please use either " + "trust:'TRUST_SIGNED_CERTIFICATES' or trust:'TRUST_ON_FIRST_USE' in your driver " + "configuration. Alternatively, you can disable encryption by setting " + "`encrypted:false`. There is no mechanism to use encryption without trust verification, " + "because this incurs the overhead of encryption without improving security. If " + "the driver does not verify that the peer it is connected to is really Neo4j, it " + "is very easy for an attacker to bypass the encryption by pretending to be Neo4j."));
+    onFailure((0, _error.newError)("Unknown trust strategy: " + opts.trust + ". Please use either " + "trust:'TRUST_SIGNED_CERTIFICATES' or trust:'TRUST_ON_FIRST_USE' in your driver " + "configuration. Alternatively, you can disable encryption by setting " + "`encrypted:\"" + _util.ENCRYPTION_OFF + "\"`. There is no mechanism to use encryption without trust verification, " + "because this incurs the overhead of encryption without improving security. If " + "the driver does not verify that the peer it is connected to is really Neo4j, it " + "is very easy for an attacker to bypass the encryption by pretending to be Neo4j."));
   }
 }
 
@@ -191,6 +198,7 @@ var NodeChannel = (function () {
     this._error = null;
     this._handleConnectionError = this._handleConnectionError.bind(this);
 
+    this._encrypted = opts.encrypted;
     this._conn = connect(opts, function () {
       if (!self._open) {
         return;
@@ -221,6 +229,11 @@ var NodeChannel = (function () {
         this.onerror(err);
       }
     }
+  }, {
+    key: 'isEncrypted',
+    value: function isEncrypted() {
+      return this._encrypted;
+    }
 
     /**
      * Write the passed in buffer to connection

lib/v1/driver.js

@@ -33,6 +33,8 @@ var _buf = require("./buf");
 
 var _error = require('./../error');
 
+var _util = require('./util');
+
 /**
  * Create a new WebSocketChannel to be used in web browsers.
  * @access private
@@ -55,12 +57,15 @@ var WebSocketChannel = (function () {
     this._error = null;
     this._handleConnectionError = this._handleConnectionError.bind(this);
 
+    this._encrypted = opts.encrypted;
+
     var scheme = "ws";
-    if (opts.encrypted) {
+    //Allow boolean for backwards compatibility
+    if (opts.encrypted === true || opts.encrypted === _util.ENCRYPTION_ON || opts.encrypted === _util.ENCRYPTION_NON_LOCAL && !(0, _util.isLocalHost)(opts.host)) {
       if (!opts.trust || opts.trust === "TRUST_SIGNED_CERTIFICATES") {
         scheme = "wss";
       } else {
-        this._error = (0, _error.newError)("The browser version of this driver only supports one trust " + "strategy, 'TRUST_SIGNED_CERTIFICATES'. " + opts.trust + " is not supported. Please " + "either use TRUST_SIGNED_CERTIFICATES or disable encryption by setting " + "`encrypted:false` in the driver configuration.");
+        this._error = (0, _error.newError)("The browser version of this driver only supports one trust " + "strategy, 'TRUST_SIGNED_CERTIFICATES'. " + opts.trust + " is not supported. Please " + "either use TRUST_SIGNED_CERTIFICATES or disable encryption by setting " + "`encrypted:\"" + _util.ENCRYPTION_OFF + "\"` in the driver configuration.");
         return;
       }
     }
@@ -106,6 +111,11 @@ var WebSocketChannel = (function () {
         }
       }
     }
+  }, {
+    key: "isEncrypted",
+    value: function isEncrypted() {
+      return this._encrypted;
+    }
 
     /**
      * Write the passed in buffer to connection

lib/v1/internal/ch-dummy.js

@@ -59,6 +59,8 @@ var _integer = require('../integer');
 
 var _error = require('./../error');
 
+var _util = require('./util');
+
 var Channel = undefined;
 if (_chWebsocket2["default"].available) {
   Channel = _chWebsocket2["default"].channel;
@@ -193,6 +195,7 @@ var _mappers = {
  */
 
 var Connection = (function () {
+
   /**
    * @constructor
    * @param channel - channel with a 'write' function and a 'onmessage'
@@ -370,42 +373,60 @@ var Connection = (function () {
   }, {
     key: "initialize",
     value: function initialize(clientName, token, observer) {
+      var _this2 = this;
+
       this._queueObserver(observer);
-      this._packer.packStruct(INIT, [clientName, token]);
+      this._packer.packStruct(INIT, [this._packable(clientName), this._packable(token)], function (err) {
+        return _this2._handleFatalError(err);
+      });
       this._chunker.messageBoundary();
     }
 
     /** Queue a RUN-message to be sent to the database */
   }, {
     key: "run",
     value: function run(statement, params, observer) {
+      var _this3 = this;
+
       this._queueObserver(observer);
-      this._packer.packStruct(RUN, [statement, params]);
+      this._packer.packStruct(RUN, [this._packable(statement), this._packable(params)], function (err) {
+        return _this3._handleFatalError(err);
+      });
       this._chunker.messageBoundary();
     }
 
     /** Queue a PULL_ALL-message to be sent to the database */
   }, {
     key: "pullAll",
     value: function pullAll(observer) {
+      var _this4 = this;
+
       this._queueObserver(observer);
-      this._packer.packStruct(PULL_ALL);
+      this._packer.packStruct(PULL_ALL, [], function (err) {
+        return _this4._handleFatalError(err);
+      });
       this._chunker.messageBoundary();
     }
 
     /** Queue a DISCARD_ALL-message to be sent to the database */
   }, {
     key: "discardAll",
     value: function discardAll(observer) {
+      var _this5 = this;
+
       this._queueObserver(observer);
-      this._packer.packStruct(DISCARD_ALL);
+      this._packer.packStruct(DISCARD_ALL, [], function (err) {
+        return _this5._handleFatalError(err);
+      });
       this._chunker.messageBoundary();
     }
 
     /** Queue a RESET-message to be sent to the database */
   }, {
     key: "reset",
     value: function reset(observer) {
+      var _this6 = this;
+
       this._isHandlingFailure = true;
       var self = this;
       var wrappedObs = {
@@ -419,16 +440,22 @@ var Connection = (function () {
         }
       };
       this._queueObserver(wrappedObs);
-      this._packer.packStruct(RESET);
+      this._packer.packStruct(RESET, [], function (err) {
+        return _this6._handleFatalError(err);
+      });
       this._chunker.messageBoundary();
     }
 
     /** Queue a ACK_FAILURE-message to be sent to the database */
   }, {
     key: "_ackFailure",
     value: function _ackFailure(observer) {
+      var _this7 = this;
+
       this._queueObserver(observer);
-      this._packer.packStruct(ACK_FAILURE);
+      this._packer.packStruct(ACK_FAILURE, [], function (err) {
+        return _this7._handleFatalError(err);
+      });
       this._chunker.messageBoundary();
     }
   }, {
@@ -467,6 +494,11 @@ var Connection = (function () {
     value: function isOpen() {
       return !this._isBroken && this._ch._open;
     }
+  }, {
+    key: "isEncrypted",
+    value: function isEncrypted() {
+      return this._ch.isEncrypted();
+    }
 
     /**
      * Call close on the channel.
@@ -477,6 +509,15 @@ var Connection = (function () {
     value: function close(cb) {
       this._ch.close(cb);
     }
+  }, {
+    key: "_packable",
+    value: function _packable(value) {
+      var _this8 = this;
+
+      return this._packer.packable(value, function (err) {
+        return _this8._handleFatalError(err);
+      });
+    }
   }]);
 
   return Connection;
@@ -489,9 +530,9 @@ function connect(url) {
   return new Connection(new Ch({
     host: host(url),
     port: port(url) || 7687,
-    // Default to using encryption if trust-on-first-use is available
-    encrypted: config.encrypted == null ? (0, _features2["default"])("trust_on_first_use") : config.encrypted,
-    // Default to using trust-on-first-use if it is available
+    // Default to using ENCRYPTION_NON_LOCAL if trust-on-first-use is available
+    encrypted: (0, _util.shouldEncrypt)(config.encrypted, (0, _features2["default"])("trust_on_first_use") ? _util.ENCRYPTION_NON_LOCAL : _util.ENCRYPTION_OFF, host(url)),
+    // Default to using TRUST_ON_FIRST_USE if it is available
     trust: config.trust || ((0, _features2["default"])("trust_on_first_use") ? "TRUST_ON_FIRST_USE" : "TRUST_SIGNED_CERTIFICATES"),
     trustedCertificates: config.trustedCertificates || [],
     knownHosts: config.knownHosts