From 5615e8a47bf1a56d9a68d479a76871e7e345b23f Mon Sep 17 00:00:00 2001
From: Rouven Bauer
Date: Thu, 16 Sep 2021 18:34:56 +0200
Subject: [PATCH 1/3] Fix Kerberos auth to use ticket Kerberos auth should use the `ticket` field instead of the `credentials` field to transmit the auth token. Furthermore, extend the TestKit backend to utilize the different auth helper functions and enable feature flags to test them.
---
 neo4j-driver-lite/src/index.ts | 2 +-
 src/index.js | 2 +-
 test/auth.test.js | 2 +-
 testkit-backend/src/request-handlers.js | 25 ++++++++++++++++++++++++-
 4 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/neo4j-driver-lite/src/index.ts b/neo4j-driver-lite/src/index.ts
index 48f6c05be..e540b6350 100644
--- a/neo4j-driver-lite/src/index.ts
+++ b/neo4j-driver-lite/src/index.ts
@@ -349,7 +349,7 @@ const auth = {
 return {
 scheme: 'kerberos',
 principal: '', // This empty string is required for backwards compatibility.
- credentials: base64EncodedTicket
+ ticket: base64EncodedTicket
 }
 },
 custom: (
diff --git a/src/index.js b/src/index.js
index 2aa16d3b3..8bca294f5 100644
--- a/src/index.js
+++ b/src/index.js
@@ -316,7 +316,7 @@ const auth = {
 return {
 scheme: 'kerberos',
 principal: '', // This empty string is required for backwards compatibility.
- credentials: base64EncodedTicket
+ ticket: base64EncodedTicket
 }
 },
 custom: (principal, credentials, realm, scheme, parameters = undefined) => {
diff --git a/test/auth.test.js b/test/auth.test.js
index fb3969d06..4f6cea6ce 100644
--- a/test/auth.test.js
+++ b/test/auth.test.js
@@ -44,7 +44,7 @@ describe('#unit auth', () => {
 expect(token).toEqual({
 scheme: 'kerberos',
 principal: '',
- credentials: 'my-ticket'
+ ticket: 'my-ticket'
 })
 })
diff --git a/testkit-backend/src/request-handlers.js b/testkit-backend/src/request-handlers.js
index 5dfb37a72..cc7783a7b 100644
--- a/testkit-backend/src/request-handlers.js
+++ b/testkit-backend/src/request-handlers.js
@@ -10,6 +10,27 @@ export function NewDriver (context, data, { writeResponse }) {
 userAgent,
 resolverRegistered
 } = data
+ let parsedAuthToken = authToken
+ switch (authToken.scheme) {
+ case 'basic':
+ parsedAuthToken = neo4j.auth.basic(
+ authToken.principal,
+ authToken.credentials,
+ authToken.realm
+ )
+ break
+ case 'kerberos':
+ parsedAuthToken = neo4j.auth.kerberos(authToken.ticket)
+ break
+ default:
+ parsedAuthToken = neo4j.auth.custom(
+ authToken.principal,
+ authToken.credentials,
+ authToken.realm,
+ authToken.scheme,
+ authToken.parameters
+ )
+ }
 const resolver = resolverRegistered
 ? address =>
 new Promise((resolve, reject) => {
@@ -17,7 +38,7 @@ export function NewDriver (context, data, { writeResponse }) {
 writeResponse('ResolverResolutionRequired', { id, address })
 })
 : undefined
- const driver = neo4j.driver(uri, authToken, {
+ const driver = neo4j.driver(uri, parsedAuthToken, {
 userAgent,
 resolver,
 useBigInt: true,
@@ -238,6 +259,8 @@ export function StartTest (_, { testName }, wire) {
 export function GetFeatures (_context, _params, wire) {
 wire.writeResponse('FeatureList', {
 features: [
+ 'Feature:Auth:Custom',
+ 'Feature:Auth:Kerberos',
 'AuthorizationExpiredTreatment',
 'ConfHint:connection.recv_timeout_seconds'
 ]
From 19b28fd899f10348f653ea01c2a41d7c3caff10a Mon Sep 17 00:00:00 2001
From: Rouven Bauer
Date: Tue, 28 Sep 2021 13:50:53 +0200
Subject: [PATCH 2/3] Turns out kerberos auth token should be in `credentials` field
---
 neo4j-driver-lite/src/index.ts | 2 +-
 src/index.js | 2 +-
 test/auth.test.js | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/neo4j-driver-lite/src/index.ts b/neo4j-driver-lite/src/index.ts
index e540b6350..48f6c05be 100644
--- a/neo4j-driver-lite/src/index.ts
+++ b/neo4j-driver-lite/src/index.ts
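Review bot: The new `switch (authToken.scheme)` in NewDriver reads `authToken` without checking it, and its `default:` arm passes whatever `scheme` it finds, including `undefined`, to `neo4j.auth.custom`. A request with a missing token or scheme would then either fail with a bare TypeError or create a driver carrying a scheme-less custom token, and the later auth failure would be hard to trace back to the request. Rejecting it before the switch would make that explicit, for example `if (!authToken || typeof authToken.scheme !== 'string') throw new Error('NewDriver: auth token without scheme')`. The destructuring of `data` starts above this hunk, so an earlier guard may already exist.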
@@ -349,7 +349,7 @@ const auth = {
 return {
 scheme: 'kerberos',
 principal: '', // This empty string is required for backwards compatibility.
- ticket: base64EncodedTicket
+ credentials: base64EncodedTicket
 }
 },
 custom: (
diff --git a/src/index.js b/src/index.js
index 8bca294f5..2aa16d3b3 100644
--- a/src/index.js
+++ b/src/index.js
@@ -316,7 +316,7 @@ const auth = {
 return {
 scheme: 'kerberos',
 principal: '', // This empty string is required for backwards compatibility.
- ticket: base64EncodedTicket
+ credentials: base64EncodedTicket
 }
 },
 custom: (principal, credentials, realm, scheme, parameters = undefined) => {
diff --git a/test/auth.test.js b/test/auth.test.js
index 4f6cea6ce..fb3969d06 100644
--- a/test/auth.test.js
+++ b/test/auth.test.js
@@ -44,7 +44,7 @@ describe('#unit auth', () => {
 expect(token).toEqual({
 scheme: 'kerberos',
 principal: '',
- ticket: 'my-ticket'
+ credentials: 'my-ticket'
 })
 })
From aab5adce36b0f813613672dce2b27783d9d17c2f Mon Sep 17 00:00:00 2001
From: Robsdedude
Date: Mon, 4 Oct 2021 10:49:42 +0200
Subject: [PATCH 3/3] Update TestKit protocol: kerberos uses credentials
---
 testkit-backend/src/request-handlers.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/testkit-backend/src/request-handlers.js b/testkit-backend/src/request-handlers.js
index cc7783a7b..9b4cbdbf1 100644
--- a/testkit-backend/src/request-handlers.js
+++ b/testkit-backend/src/request-handlers.js
@@ -20,7 +20,7 @@ export function NewDriver (context, data, { writeResponse }) {
 )
 break
 case 'kerberos':
- parsedAuthToken = neo4j.auth.kerberos(authToken.ticket)
+ parsedAuthToken = neo4j.auth.kerberos(authToken.credentials)
 break
 default:
 parsedAuthToken = neo4j.auth.custom(
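Review bot: Nothing on the restored `credentials: base64EncodedTicket` line in neo4j-driver-lite/src/index.ts (or in the matching hunk for src/index.js) records that the Kerberos ticket is meant to travel under the generic `credentials` key, which is the misunderstanding patch 1/3 acted on. A short comment there would keep the next reader from renaming it again, e.g. `// The base64-encoded ticket is sent in 'credentials'; the server does not read a 'ticket' field.` The second half of that wording is inferred from this commit's subject, so confirm it against the server's auth handling. The assertion in test/auth.test.js only mirrors the helper's return value and was edited to match in both patches, so it cannot guard the wire format on its own.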