Update

Author: injectives

driver/src/main/java/org/neo4j/driver/AuthTokenManagers.java

@@ -76,7 +76,7 @@ public static AuthTokenManager temporalAsync(Supplier<CompletionStage<TemporalAu
      * {@link AuthToken} and its UTC expiration timestamp.
      * @since 5.7
      */
-    public interface TemporalAuthData {
+    public sealed interface TemporalAuthData permits TemporalAuthTokenManager.InternalTemporalAuthData {
         /**
          * Returns a new instance with the provided token and {@link Long#MAX_VALUE} expiration timestamp.
          * @param authToken the token
@@ -89,11 +89,11 @@ static TemporalAuthData of(AuthToken authToken) {
         /**
          * Returns a new instance with the provided token and its expiration timestamp.
          * @param authToken the token
-         * @param expirationTimestamp the expiration timestamp
+         * @param utcExpirationTimestamp the UTC expiration timestamp
          * @return a new instance
          */
-        static TemporalAuthData of(AuthToken authToken, long expirationTimestamp) {
-            return new TemporalAuthTokenManager.InternalTemporalAuthData(authToken, expirationTimestamp);
+        static TemporalAuthData of(AuthToken authToken, long utcExpirationTimestamp) {
+            return new TemporalAuthTokenManager.InternalTemporalAuthData(authToken, utcExpirationTimestamp);
         }
 
         /**

driver/src/main/java/org/neo4j/driver/internal/InternalDriver.java

@@ -166,7 +166,7 @@ public boolean verifyAuthentication(AuthToken authToken) {
                 .withDefaultAccessMode(AccessMode.READ)
                 .build();
         try (var session = session(Session.class, config, authToken)) {
-            session.run("RETURN 1").consume();
+            session.run("SHOW DEFAULT DATABASE").consume();
             return true;
         } catch (RuntimeException e) {
             if (e instanceof Neo4jException neo4jException) {

driver/src/main/java/org/neo4j/driver/internal/async/connection/HandshakeCompletedListener.java

@@ -61,6 +61,7 @@ public void operationComplete(ChannelFuture future) {
                                         connectionInitializedPromise.setFailure(throwable);
                                     } else {
                                         authContext.initiateAuth(authToken);
+                                        authContext.setValidToken(authToken);
                                         protocol.initializeChannel(
                                                 userAgent,
                                                 authToken,

driver/src/main/java/org/neo4j/driver/internal/async/inbound/InboundMessageDispatcher.java

@@ -128,7 +128,7 @@ public void handleFailureMessage(String code, String message) {
                         tokenExpiredException.code(), tokenExpiredException.getMessage());
             }
             var authToken = authContext.getAuthToken();
-            if (authToken != null) {
+            if (authToken != null && authContext.isManaged()) {
                 authTokenProvider.onExpired(authToken);
             }
         } else {

driver/src/main/java/org/neo4j/driver/internal/async/pool/AuthContext.java

@@ -28,17 +28,25 @@ public class AuthContext {
     private AuthToken authToken;
     private Long authTimestamp;
     private boolean pendingLogoff;
+    private boolean managed;
+    private AuthToken validToken;
 
     public AuthContext(AuthTokenManager authTokenManager) {
         requireNonNull(authTokenManager, "authTokenProvider must not be null");
         this.authTokenManager = authTokenManager;
+        this.managed = true;
     }
 
     public void initiateAuth(AuthToken authToken) {
+        initiateAuth(authToken, true);
+    }
+
+    public void initiateAuth(AuthToken authToken, boolean managed) {
         requireNonNull(authToken, "authToken must not be null");
         this.authToken = authToken;
         authTimestamp = null;
         pendingLogoff = false;
+        this.managed = managed;
     }
 
     public AuthToken getAuthToken() {
@@ -61,6 +69,18 @@ public boolean isPendingLogoff() {
         return pendingLogoff;
     }
 
+    public void setValidToken(AuthToken validToken) {
+        this.validToken = validToken;
+    }
+
+    public AuthToken getValidToken() {
+        return validToken;
+    }
+
+    public boolean isManaged() {
+        return managed;
+    }
+
     public AuthTokenManager getAuthTokenManager() {
         return authTokenManager;
     }

driver/src/main/java/org/neo4j/driver/internal/async/pool/NettyChannelHealthChecker.java

@@ -70,6 +70,7 @@ public Future<Boolean> isHealthy(Channel channel) {
                             } else {
                                 var authContext = authContext(channel);
                                 if (authContext.getAuthTimestamp() != null) {
+                                    authContext.setValidToken(authToken);
                                     var equal = authToken.equals(authContext.getAuthToken());
                                     if (isAuthExpiredByFailure(channel) || !equal) {
                                         // Bolt versions prior to 5.1 do not support auth renewal

driver/src/main/java/org/neo4j/driver/internal/async/pool/NettyChannelPool.java

@@ -32,6 +32,7 @@
 import io.netty.channel.pool.FixedChannelPool;
 import java.time.Clock;
 import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.CompletionException;
 import java.util.concurrent.CompletionStage;
 import java.util.concurrent.atomic.AtomicBoolean;
 import org.neo4j.driver.AuthToken;
@@ -129,59 +130,94 @@ public NettyChannelHealthChecker healthChecker() {
 
     @Override
     public CompletionStage<Channel> acquire(AuthToken overrideAuthToken) {
-        return asCompletionStage(delegate.acquire()).thenCompose(channel -> pipelineAuth(channel, overrideAuthToken));
+        return asCompletionStage(delegate.acquire()).thenCompose(channel -> auth(channel, overrideAuthToken));
     }
 
-    private CompletionStage<Channel> pipelineAuth(Channel channel, AuthToken overrideAuthToken) {
-        CompletionStage<Channel> pipelinedAuthStage;
+    private CompletionStage<Channel> auth(Channel channel, AuthToken overrideAuthToken) {
+        CompletionStage<Channel> authStage;
         var authContext = authContext(channel);
         if (overrideAuthToken != null) {
             // check protocol version
             var protocolVersion = protocolVersion(channel);
             if (!SessionAuthUtil.supportsSessionAuth(protocolVersion)) {
-                pipelinedAuthStage = Futures.failedFuture(new UnsupportedFeatureException(String.format(
+                authStage = Futures.failedFuture(new UnsupportedFeatureException(String.format(
                         "Detected Bolt %s connection that does not support the auth token override feature, please make sure to have all servers communicating over Bolt 5.1 or above to use the feature",
                         protocolVersion)));
             } else {
                 // auth or re-auth only if necessary
                 if (!overrideAuthToken.equals(authContext.getAuthToken())) {
+                    CompletableFuture<Void> logoffFuture;
                     if (authContext.getAuthTimestamp() != null) {
-                        messageDispatcher(channel).enqueue(new LogoffResponseHandler());
+                        logoffFuture = new CompletableFuture<>();
+                        messageDispatcher(channel).enqueue(new LogoffResponseHandler(logoffFuture));
                         channel.write(LogoffMessage.INSTANCE);
+                    } else {
+                        logoffFuture = null;
                     }
-                    messageDispatcher(channel).enqueue(new LogonResponseHandler(channel.voidPromise(), clock));
-                    authContext.initiateAuth(overrideAuthToken);
+                    var logonFuture = new CompletableFuture<Void>();
+                    messageDispatcher(channel).enqueue(new LogonResponseHandler(logonFuture, channel, clock));
+                    authContext.initiateAuth(overrideAuthToken, false);
+                    authContext.setValidToken(null);
                     channel.write(new LogonMessage(((InternalAuthToken) overrideAuthToken).toMap()));
+                    if (logoffFuture == null) {
+                        authStage = logonFuture.thenApply(ignored -> channel);
+                        channel.flush();
+                    } else {
+                        // do not await for re-login
+                        authStage = CompletableFuture.completedStage(channel);
+                    }
+                } else {
+                    authStage = CompletableFuture.completedStage(channel);
                 }
-                pipelinedAuthStage = CompletableFuture.completedStage(channel);
             }
         } else {
-            pipelinedAuthStage = authContext
-                    .getAuthTokenManager()
-                    .getToken()
-                    .thenApplyAsync(
-                            latestAuthToken -> {
-                                if (authContext.getAuthTimestamp() != null) {
-                                    if (!authContext.getAuthToken().equals(latestAuthToken)
-                                            || authContext.isPendingLogoff()) {
-                                        messageDispatcher(channel).enqueue(new LogoffResponseHandler());
-                                        channel.write(LogoffMessage.INSTANCE);
-                                        messageDispatcher(channel)
-                                                .enqueue(new LogonResponseHandler(channel.voidPromise(), clock));
-                                        authContext.initiateAuth(latestAuthToken);
-                                        channel.write(new LogonMessage(((InternalAuthToken) latestAuthToken).toMap()));
-                                    }
-                                } else {
-                                    messageDispatcher(channel)
-                                            .enqueue(new LogonResponseHandler(channel.voidPromise(), clock));
-                                    authContext.initiateAuth(latestAuthToken);
-                                    channel.write(new LogonMessage(((InternalAuthToken) latestAuthToken).toMap()));
-                                }
-                                return channel;
-                            },
-                            channel.eventLoop());
+            var validToken = authContext.getValidToken();
+            authContext.setValidToken(null);
+            var stage = validToken != null
+                    ? CompletableFuture.completedStage(validToken)
+                    : authContext.getAuthTokenManager().getToken();
+            authStage = stage.thenComposeAsync(
+                    latestAuthToken -> {
+                        CompletionStage<Channel> result;
+                        if (authContext.getAuthTimestamp() != null) {
+                            if (!authContext.getAuthToken().equals(latestAuthToken) || authContext.isPendingLogoff()) {
+                                var logoffFuture = new CompletableFuture<Void>();
+                                messageDispatcher(channel).enqueue(new LogoffResponseHandler(logoffFuture));
+                                channel.write(LogoffMessage.INSTANCE);
+                                var logonFuture = new CompletableFuture<Void>();
+                                messageDispatcher(channel)
+                                        .enqueue(new LogonResponseHandler(logonFuture, channel, clock));
+                                authContext.initiateAuth(latestAuthToken);
+                                channel.write(new LogonMessage(((InternalAuthToken) latestAuthToken).toMap()));
+                                // do not await for re-login
+                                result = CompletableFuture.completedStage(channel);
+                            } else {
+                                result = CompletableFuture.completedStage(channel);
+                            }
+                        } else {
+                            var logonFuture = new CompletableFuture<Void>();
+                            messageDispatcher(channel).enqueue(new LogonResponseHandler(logonFuture, channel, clock));
+                            result = logonFuture.thenApply(ignored -> channel);
+                            authContext.initiateAuth(latestAuthToken);
+                            channel.writeAndFlush(new LogonMessage(((InternalAuthToken) latestAuthToken).toMap()));
+                        }
+                        return result;
+                    },
+                    channel.eventLoop());
         }
-        return pipelinedAuthStage;
+        return authStage.handle((ignored, throwable) -> {
+            if (throwable != null) {
+                channel.close();
+                release(channel);
+                if (throwable instanceof RuntimeException runtimeException) {
+                    throw runtimeException;
+                } else {
+                    throw new CompletionException(throwable);
+                }
+            } else {
+                return channel;
+            }
+        });
     }
 
     @Override

driver/src/main/java/org/neo4j/driver/internal/handlers/LogoffResponseHandler.java

@@ -18,17 +18,33 @@
  */
 package org.neo4j.driver.internal.handlers;
 
+import static java.util.Objects.requireNonNull;
+
 import java.util.Map;
+import java.util.concurrent.CompletableFuture;
 import org.neo4j.driver.Value;
+import org.neo4j.driver.exceptions.ProtocolException;
 import org.neo4j.driver.internal.spi.ResponseHandler;
 
 public class LogoffResponseHandler implements ResponseHandler {
+    private final CompletableFuture<?> future;
+
+    public LogoffResponseHandler(CompletableFuture<?> future) {
+        this.future = requireNonNull(future, "future must not be null");
+    }
+
     @Override
-    public void onSuccess(Map<String, Value> metadata) {}
+    public void onSuccess(Map<String, Value> metadata) {
+        future.complete(null);
+    }
 
     @Override
-    public void onFailure(Throwable error) {}
+    public void onFailure(Throwable error) {
+        future.completeExceptionally(error);
+    }
 
     @Override
-    public void onRecord(Value[] fields) {}
+    public void onRecord(Value[] fields) {
+        this.future.completeExceptionally(new ProtocolException("Records are not supported on LOGON"));
+    }
 }

driver/src/main/java/org/neo4j/driver/internal/handlers/LogonResponseHandler.java

@@ -22,38 +22,37 @@
 import static org.neo4j.driver.internal.async.connection.ChannelAttributes.authContext;
 
 import io.netty.channel.Channel;
-import io.netty.channel.ChannelPromise;
 import java.time.Clock;
 import java.util.Map;
+import java.util.concurrent.CompletableFuture;
 import org.neo4j.driver.Value;
+import org.neo4j.driver.exceptions.ProtocolException;
 import org.neo4j.driver.internal.spi.ResponseHandler;
 
 public class LogonResponseHandler implements ResponseHandler {
-
-    private final ChannelPromise connectionInitializedPromise;
+    private final CompletableFuture<?> future;
     private final Channel channel;
     private final Clock clock;
 
-    public LogonResponseHandler(ChannelPromise connectionInitializedPromise, Clock clock) {
-        requireNonNull(clock, "clock must not be null");
-        this.connectionInitializedPromise = connectionInitializedPromise;
-        this.channel = connectionInitializedPromise.channel();
-        this.clock = clock;
+    public LogonResponseHandler(CompletableFuture<?> future, Channel channel, Clock clock) {
+        this.future = requireNonNull(future, "future must not be null");
+        this.channel = requireNonNull(channel, "channel must not be null");
+        this.clock = requireNonNull(clock, "clock must not be null");
     }
 
     @Override
     public void onSuccess(Map<String, Value> metadata) {
         authContext(channel).finishAuth(clock.millis());
-        connectionInitializedPromise.setSuccess();
+        future.complete(null);
     }
 
     @Override
     public void onFailure(Throwable error) {
-        channel.close().addListener(future -> connectionInitializedPromise.setFailure(error));
+        channel.close().addListener(future -> this.future.completeExceptionally(error));
     }
 
     @Override
     public void onRecord(Value[] fields) {
-        throw new UnsupportedOperationException();
+        future.completeExceptionally(new ProtocolException("Records are not supported on LOGON"));
     }
 }

driver/src/test/java/org/neo4j/driver/integration/ChannelConnectorImplIT.java

@@ -29,6 +29,7 @@
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.neo4j.driver.internal.logging.DevNullLogging.DEV_NULL_LOGGING;
+import static org.neo4j.driver.internal.util.Neo4jFeature.BOLT_V51;
 import static org.neo4j.driver.testutil.TestUtil.await;
 
 import io.netty.bootstrap.Bootstrap;
@@ -64,6 +65,7 @@
 import org.neo4j.driver.internal.security.SecurityPlan;
 import org.neo4j.driver.internal.security.SecurityPlanImpl;
 import org.neo4j.driver.internal.security.StaticAuthTokenManager;
+import org.neo4j.driver.internal.util.DisabledOnNeo4jWith;
 import org.neo4j.driver.internal.util.FakeClock;
 import org.neo4j.driver.testutil.DatabaseExtension;
 import org.neo4j.driver.testutil.ParallelizableIT;
@@ -129,6 +131,8 @@ void shouldFailToConnectToWrongAddress() throws Exception {
         assertFalse(channel.isActive());
     }
 
+    // Beginning with Bolt 5.1 auth is not sent on HELLO message.
+    @DisabledOnNeo4jWith(BOLT_V51)
     @Test
     void shouldFailToConnectWithWrongCredentials() throws Exception {
         AuthToken authToken = AuthTokens.basic("neo4j", "wrong-password");

driver/src/test/java/org/neo4j/driver/internal/async/inbound/InboundMessageDispatcherTest.java

@@ -445,6 +445,7 @@ void shouldEmitTokenExpiredRetryableExceptionAndNotifyAuthTokenManager() {
         var channel = new EmbeddedChannel();
         var authTokenManager = mock(AuthTokenManager.class);
         var authContext = mock(AuthContext.class);
+        given(authContext.isManaged()).willReturn(true);
         given(authContext.getAuthTokenManager()).willReturn(authTokenManager);
         var authToken = mock(AuthToken.class);
         given(authContext.getAuthToken()).willReturn(authToken);
@@ -473,6 +474,7 @@ void shouldEmitTokenExpiredExceptionAndNotifyAuthTokenManager() {
         var authToken = mock(AuthToken.class);
         var authTokenManager = spy(new StaticAuthTokenManager(authToken));
         var authContext = mock(AuthContext.class);
+        given(authContext.isManaged()).willReturn(true);
         given(authContext.getAuthTokenManager()).willReturn(authTokenManager);
         given(authContext.getAuthToken()).willReturn(authToken);
         setAuthContext(channel, authContext);