Introduce AuthToken rotation and session auth support (neo4j#1380)

The main feature of this update is the support for `AuthToken` rotation, which might also be referred to as a refresh or re-auth. In practice, it allows replacing the current token with a new token during the driver's lifetime.

The main objective of this feature is to allow token rotation for the same identity. As such, it is not intended for a change of identity.

A new type called `AuthTokenManager` has the following 2 primary responsibilities:
- supplying a valid token, which may be one of the following:
  - the current token
  - a new token, which instructs the driver to use the new token
- handling a token expiration failure that originates from the server if it determines the current token to be expired (a timely rotation should generally reduce the likelihood of this happening)

The driver does not make judgements on whether the current `AuthToken` should be updated. Instead, it calls the `AuthTokenManager` to check if the provided token is the same as the currently used token and takes action if not. The driver reserves the right to call the manager as often as it deems necessary. The manager implementations must be thread-safe and non-blocking for caller threads. For instance, IO operations must not be done on the calling thread.

The `GraphDatabase` class has been updated to include a set of new methods that accept the `AuthTokenManager`.

An example of the driver instantiation:
```java
var manager = // the manager implementation
var driver = GraphDatabase.driver(uri, manager);
```

The token rotation benefits from the new Bolt 5.1 version, but works on previous Bolt versions at the expence of replacing existing connections with new connections.

An expiration based `AuthTokenManager` implementation is available via a new `AuthTokenManagers` factory. It manages `AuthToken` instances that come with a UTC expiration timestamp and calls a new token supplier, which is provided by the user, when a new token is required.

An example of the expiration based manager instantiation:
```java
var manager = AuthTokenManagers.expirationBased(() -> {
  var token = // get new token logic
  return token.expiringAt(timestamp); // a new method on AuthToken introduced for the supplied expiration based AuthTokenManager implementation
});
```

The new `LOGOFF` and `LOGON` Bolt protocol messages allow for auth management on active Bolt connections and are used by the features in this update.

In addition to the token rotation support, this update also includes support for setting a static `AuthToken` instance on the driver session level.

Unlike the rotation feature, this feature may be used for an identity change. As such, it might be referred to as user switching.

It requires a minimum Bolt 5.1 version.

The `Driver` interface has 2 new `session` methods that accept an `AuthToken` instance.

A basic example:
```java
var token = AuthTokens.bearer("token");
var session = driver.session(Session.class, token);
```

The `Driver` includes a new method that checks whether the session auth is supported.

The implementation assumes all servers to be at the same version.

Sample usage:
```java
var supports = driver.supportsSessionAuth();
```

The `Driver` includes a new method that verifies a given `AuthToken` instance by communicating with the server.

It requires a minimum Bolt 5.1 version.

Sample usage:
```java
var token = AuthTokens.bearer("token");
var successful = driver.verifyAuthentication(token);
```

There are 2 new exceptions:
- `AuthTokenManagerExecutionException` - Indicates that the `AuthTokenManager` execution has lead to an unexpected result. This includes invalid results and errors.
- `TokenExpiredRetryableException` - Indicates that the token supplied by the `AuthTokenManager` has been deemed as expired by the server. This is a retryable variant of the `TokenExpiredException` used when the driver has an explicit `AuthTokenManager` that might supply a new token following this failure. If driver is instantiated with the static `AuthToken`, the `TokenExpiredException` will be used instead.

Author: injectives

driver/clirr-ignored-differences.xml

@@ -62,4 +62,28 @@
         <to>org.neo4j.driver.Config$TrustStrategy trustCustomCertificateSignedBy(java.io.File[])</to>
     </difference>
 
+    <difference>
+        <className>org/neo4j/driver/Driver</className>
+        <differenceType>7012</differenceType>
+        <method>org.neo4j.driver.BaseSession session(java.lang.Class)</method>
+    </difference>
+
+    <difference>
+        <className>org/neo4j/driver/Driver</className>
+        <differenceType>7012</differenceType>
+        <method>org.neo4j.driver.BaseSession session(java.lang.Class, org.neo4j.driver.SessionConfig)</method>
+    </difference>
+
+    <difference>
+        <className>org/neo4j/driver/Driver</className>
+        <differenceType>7012</differenceType>
+        <method>org.neo4j.driver.BaseSession session(java.lang.Class, org.neo4j.driver.AuthToken)</method>
+    </difference>
+
+    <difference>
+        <className>org/neo4j/driver/Driver</className>
+        <differenceType>7012</differenceType>
+        <method>org.neo4j.driver.BaseSession session(java.lang.Class, org.neo4j.driver.SessionConfig, org.neo4j.driver.AuthToken)</method>
+    </difference>
+
 </differences>

driver/src/main/java/org/neo4j/driver/BaseSession.java

@@ -0,0 +1,24 @@
+/*
+ * Copyright (c) "Neo4j"
+ * Neo4j Sweden AB [http://neo4j.com]
+ *
+ * This file is part of Neo4j.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.neo4j.driver;
+
+/**
+ * A base interface for sessions, used by {@link Driver#session(Class)} and {@link Driver#session(Class, SessionConfig)}.
+ */
+public interface BaseSession {}

driver/src/main/java/org/neo4j/driver/Driver.java

@@ -76,7 +76,9 @@ public interface Driver extends AutoCloseable {
      *
      * @return a new {@link Session} object.
      */
-    Session session();
+    default Session session() {
+        return session(Session.class);
+    }
 
     /**
      * Create a new {@link Session} with a specified {@link SessionConfig session configuration}.
@@ -85,7 +87,128 @@ public interface Driver extends AutoCloseable {
      * @return a new {@link Session} object.
      * @see SessionConfig
      */
-    Session session(SessionConfig sessionConfig);
+    default Session session(SessionConfig sessionConfig) {
+        return session(Session.class, sessionConfig);
+    }
+
+    /**
+     * Instantiate a new session of supported type with default {@link SessionConfig session configuration}.
+     * <p>
+     * Supported types are:
+     * <ul>
+     *     <li>{@link org.neo4j.driver.Session} - synchronous session</li>
+     *     <li>{@link org.neo4j.driver.async.AsyncSession} - asynchronous session</li>
+     *     <li>{@link org.neo4j.driver.reactive.RxSession} - reactive session using Reactive Streams API</li>
+     * </ul>
+     * <p>
+     * Sample usage:
+     * <pre>
+     * {@code
+     * var session = driver.session(AsyncSession.class);
+     * }
+     * </pre>
+     *
+     * @param sessionClass session type class, must not be null
+     * @return session instance
+     * @param <T> session type
+     * @throws IllegalArgumentException for unsupported session types
+     * @since 5.2
+     */
+    default <T extends BaseSession> T session(Class<T> sessionClass) {
+        return session(sessionClass, SessionConfig.defaultConfig());
+    }
+
+    /**
+     * Instantiate a new session of a supported type with the supplied {@link AuthToken}.
+     * <p>
+     * This method allows creating a session with a different {@link AuthToken} to the one used on the driver level.
+     * The minimum Bolt protocol version is 5.1. An {@link IllegalStateException} will be emitted on session interaction
+     * for previous Bolt versions.
+     * <p>
+     * Supported types are:
+     * <ul>
+     *     <li>{@link org.neo4j.driver.Session} - synchronous session</li>
+     *     <li>{@link org.neo4j.driver.async.AsyncSession} - asynchronous session</li>
+     *     <li>{@link org.neo4j.driver.reactive.RxSession} - reactive session using Reactive Streams API</li>
+     * </ul>
+     * <p>
+     * Sample usage:
+     * <pre>
+     * {@code
+     * var session = driver.session(AsyncSession.class);
+     * }
+     * </pre>
+     *
+     * @param sessionClass session type class, must not be null
+     * @param sessionAuthToken a token, null will result in driver-level configuration being used
+     * @return session instance
+     * @param <T> session type
+     * @throws IllegalArgumentException for unsupported session types
+     * @since 5.8
+     */
+    default <T extends BaseSession> T session(Class<T> sessionClass, AuthToken sessionAuthToken) {
+        return session(sessionClass, SessionConfig.defaultConfig(), sessionAuthToken);
+    }
+
+    /**
+     * Create a new session of supported type with a specified {@link SessionConfig session configuration}.
+     * <p>
+     * Supported types are:
+     * <ul>
+     *     <li>{@link org.neo4j.driver.Session} - synchronous session</li>
+     *     <li>{@link org.neo4j.driver.async.AsyncSession} - asynchronous session</li>
+     *     <li>{@link org.neo4j.driver.reactive.RxSession} - reactive session using Reactive Streams API</li>
+     * </ul>
+     * <p>
+     * Sample usage:
+     * <pre>
+     * {@code
+     * var session = driver.session(AsyncSession.class);
+     * }
+     * </pre>
+     *
+     * @param sessionClass session type class, must not be null
+     * @param sessionConfig session config, must not be null
+     * @return session instance
+     * @param <T> session type
+     * @throws IllegalArgumentException for unsupported session types
+     * @since 5.2
+     */
+    default <T extends BaseSession> T session(Class<T> sessionClass, SessionConfig sessionConfig) {
+        return session(sessionClass, sessionConfig, null);
+    }
+
+    /**
+     * Instantiate a new session of a supported type with the supplied {@link SessionConfig session configuration} and
+     * {@link AuthToken}.
+     * <p>
+     * This method allows creating a session with a different {@link AuthToken} to the one used on the driver level.
+     * The minimum Bolt protocol version is 5.1. An {@link IllegalStateException} will be emitted on session interaction
+     * for previous Bolt versions.
+     * <p>
+     * Supported types are:
+     * <ul>
+     *     <li>{@link org.neo4j.driver.Session} - synchronous session</li>
+     *     <li>{@link org.neo4j.driver.async.AsyncSession} - asynchronous session</li>
+     *     <li>{@link org.neo4j.driver.reactive.RxSession} - reactive session using Reactive Streams API</li>
+     * </ul>
+     * <p>
+     * Sample usage:
+     * <pre>
+     * {@code
+     * var session = driver.session(AsyncSession.class);
+     * }
+     * </pre>
+     *
+     * @param sessionClass session type class, must not be null
+     * @param sessionConfig session config, must not be null
+     * @param sessionAuthToken a token, null will result in driver-level configuration being used
+     * @return session instance
+     * @param <T> session type
+     * @throws IllegalArgumentException for unsupported session types
+     * @since 5.8
+     */
+    <T extends BaseSession> T session(Class<T> sessionClass, SessionConfig sessionConfig, AuthToken sessionAuthToken);
 
     /**
      * Create a new general purpose {@link RxSession} with default {@link SessionConfig session configuration}.
@@ -95,7 +218,9 @@ public interface Driver extends AutoCloseable {
      *
      * @return a new {@link RxSession} object.
      */
-    RxSession rxSession();
+    default RxSession rxSession() {
+        return session(RxSession.class);
+    }
 
     /**
      * Create a new {@link RxSession} with a specified {@link SessionConfig session configuration}.
@@ -104,7 +229,9 @@ public interface Driver extends AutoCloseable {
      * @param sessionConfig used to customize the session.
      * @return a new {@link RxSession} object.
      */
-    RxSession rxSession(SessionConfig sessionConfig);
+    default RxSession rxSession(SessionConfig sessionConfig) {
+        return session(RxSession.class, sessionConfig);
+    }
 
     /**
      * Create a new general purpose {@link AsyncSession} with default {@link SessionConfig session configuration}.
@@ -114,7 +241,9 @@ public interface Driver extends AutoCloseable {
      *
      * @return a new {@link AsyncSession} object.
      */
-    AsyncSession asyncSession();
+    default AsyncSession asyncSession() {
+        return session(AsyncSession.class);
+    }
 
     /**
      * Create a new {@link AsyncSession} with a specified {@link SessionConfig session configuration}.
@@ -124,7 +253,9 @@ public interface Driver extends AutoCloseable {
      * @param sessionConfig used to customize the session.
      * @return a new {@link AsyncSession} object.
      */
-    AsyncSession asyncSession(SessionConfig sessionConfig);
+    default AsyncSession asyncSession(SessionConfig sessionConfig) {
+        return session(AsyncSession.class, sessionConfig);
+    }
 
     /**
      * Close all the resources assigned to this driver, including open connections and IO threads.

driver/src/main/java/org/neo4j/driver/Session.java

@@ -51,7 +51,7 @@
  *
  * @since 1.0 (Removed async API to {@link AsyncSession} in 4.0)
  */
-public interface Session extends Resource, QueryRunner {
+public interface Session extends BaseSession, Resource, QueryRunner {
     /**
      * Begin a new <em>unmanaged {@linkplain Transaction transaction}</em>. At
      * most one transaction may exist in a session at any point in time. To

driver/src/main/java/org/neo4j/driver/async/AsyncSession.java

@@ -24,6 +24,7 @@
 import java.util.concurrent.Executor;
 import java.util.function.Function;
 import org.neo4j.driver.AccessMode;
+import org.neo4j.driver.BaseSession;
 import org.neo4j.driver.Bookmark;
 import org.neo4j.driver.Query;
 import org.neo4j.driver.Transaction;
@@ -68,7 +69,7 @@
  *
  * @since 4.0
  */
-public interface AsyncSession extends AsyncQueryRunner {
+public interface AsyncSession extends BaseSession, AsyncQueryRunner {
     /**
      * Begin a new <em>unmanaged {@linkplain Transaction transaction}</em>. At
      * most one transaction may exist in a session at any point in time. To

driver/src/main/java/org/neo4j/driver/internal/DirectConnectionProvider.java

@@ -19,12 +19,14 @@
 package org.neo4j.driver.internal;
 
 import static org.neo4j.driver.internal.async.ConnectionContext.PENDING_DATABASE_NAME_EXCEPTION_SUPPLIER;
-import static org.neo4j.driver.internal.messaging.request.MultiDatabaseUtil.supportsMultiDatabase;
 
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.CompletionStage;
+import java.util.function.Function;
+import org.neo4j.driver.AuthToken;
 import org.neo4j.driver.internal.async.ConnectionContext;
 import org.neo4j.driver.internal.async.connection.DirectConnection;
+import org.neo4j.driver.internal.messaging.request.MultiDatabaseUtil;
 import org.neo4j.driver.internal.spi.Connection;
 import org.neo4j.driver.internal.spi.ConnectionPool;
 import org.neo4j.driver.internal.spi.ConnectionProvider;
@@ -46,7 +48,7 @@ public class DirectConnectionProvider implements ConnectionProvider {
     public CompletionStage<Connection> acquireConnection(ConnectionContext context) {
         CompletableFuture<DatabaseName> databaseNameFuture = context.databaseNameFuture();
         databaseNameFuture.complete(DatabaseNameUtil.defaultDatabase());
-        return acquireConnection()
+        return acquirePooledConnection(context.overrideAuthToken())
                 .thenApply(connection -> new DirectConnection(
                         connection,
                         Futures.joinNowOrElseThrow(databaseNameFuture, PENDING_DATABASE_NAME_EXCEPTION_SUPPLIER),
@@ -56,7 +58,7 @@ public CompletionStage<Connection> acquireConnection(ConnectionContext context)
 
     @Override
     public CompletionStage<Void> verifyConnectivity() {
-        return acquireConnection().thenCompose(Connection::release);
+        return acquirePooledConnection(null).thenCompose(Connection::release);
     }
 
     @Override
@@ -66,9 +68,13 @@ public CompletionStage<Void> close() {
 
     @Override
     public CompletionStage<Boolean> supportsMultiDb() {
-        return acquireConnection().thenCompose(conn -> {
-            boolean supportsMultiDatabase = supportsMultiDatabase(conn);
-            return conn.release().thenApply(ignored -> supportsMultiDatabase);
+        return detectFeature(MultiDatabaseUtil::supportsMultiDatabase);
+    }
+
+    private CompletionStage<Boolean> detectFeature(Function<Connection, Boolean> featureDetectionFunction) {
+        return acquirePooledConnection(null).thenCompose(conn -> {
+            boolean featureDetected = featureDetectionFunction.apply(conn);
+            return conn.release().thenApply(ignored -> featureDetected);
         });
     }
 
@@ -80,7 +86,7 @@ public BoltServerAddress getAddress() {
      * Used only for grabbing a connection with the server after hello message.
      * This connection cannot be directly used for running any queries as it is missing necessary connection context
      */
-    private CompletionStage<Connection> acquireConnection() {
-        return connectionPool.acquire(address);
+    private CompletionStage<Connection> acquirePooledConnection(AuthToken authToken) {
+        return connectionPool.acquire(address, authToken);
     }
 }