Baseline for changes

Author: gjmwoods

driver/src/main/java/org/neo4j/driver/Config.java

@@ -87,9 +87,11 @@ public class Config
 
     /** Indicator for encrypted traffic */
     private final boolean encrypted;
+    private final boolean isEncryptedUserConfigured;
 
     /** Strategy for how to trust encryption certificate */
     private final TrustStrategy trustStrategy;
+    private final boolean isTrustStrategyUserConfigured;
 
     private final int routingFailureLimit;
     private final long routingRetryDelayMillis;
@@ -114,7 +116,9 @@ private Config( ConfigBuilder builder )
         this.connectionAcquisitionTimeoutMillis = builder.connectionAcquisitionTimeoutMillis;
 
         this.encrypted = builder.encrypted;
+        this.isEncryptedUserConfigured = builder.isEncryptedUserConfigured;
         this.trustStrategy = builder.trustStrategy;
+        this.isTrustStrategyUserConfigured = builder.isTrustStrategyUserConfigured;
         this.routingFailureLimit = builder.routingFailureLimit;
         this.routingRetryDelayMillis = builder.routingRetryDelayMillis;
         this.connectionTimeoutMillis = builder.connectionTimeoutMillis;
@@ -193,6 +197,11 @@ public boolean encrypted()
         return encrypted;
     }
 
+    public boolean isEncryptedUserConfigured()
+    {
+        return isEncryptedUserConfigured;
+    }
+
     /**
      * @return the strategy to use to determine the authenticity of an encryption certificate provided by the Neo4j instance we are connecting to.
      */
@@ -201,6 +210,11 @@ public TrustStrategy trustStrategy()
         return trustStrategy;
     }
 
+    public boolean isTrustStrategyUserConfigured()
+    {
+        return isTrustStrategyUserConfigured;
+    }
+
     /**
      * Server address resolver.
      *
@@ -269,7 +283,9 @@ public static class ConfigBuilder
         private long maxConnectionLifetimeMillis = PoolSettings.DEFAULT_MAX_CONNECTION_LIFETIME;
         private long connectionAcquisitionTimeoutMillis = PoolSettings.DEFAULT_CONNECTION_ACQUISITION_TIMEOUT;
         private boolean encrypted = false;
+        private boolean isEncryptedUserConfigured = false;
         private TrustStrategy trustStrategy = trustSystemCertificates();
+        private boolean isTrustStrategyUserConfigured = false;
         private int routingFailureLimit = RoutingSettings.DEFAULT.maxRoutingFailures();
         private long routingRetryDelayMillis = RoutingSettings.DEFAULT.retryTimeoutDelay();
         private long routingTablePurgeDelayMillis = RoutingSettings.DEFAULT.routingTablePurgeDelayMs();
@@ -444,6 +460,7 @@ public ConfigBuilder withConnectionAcquisitionTimeout( long value, TimeUnit unit
         public ConfigBuilder withEncryption()
         {
             this.encrypted = true;
+            this.isEncryptedUserConfigured = true;
             return this;
         }
 
@@ -454,6 +471,7 @@ public ConfigBuilder withEncryption()
         public ConfigBuilder withoutEncryption()
         {
             this.encrypted = false;
+            this.isEncryptedUserConfigured = true;
             return this;
         }
 
@@ -474,6 +492,7 @@ public ConfigBuilder withoutEncryption()
         public ConfigBuilder withTrustStrategy( TrustStrategy trustStrategy )
         {
             this.trustStrategy = trustStrategy;
+            this.isTrustStrategyUserConfigured = true;
             return this;
         }
 

driver/src/main/java/org/neo4j/driver/internal/DriverFactory.java

@@ -26,6 +26,7 @@
 import java.io.IOException;
 import java.net.URI;
 import java.security.GeneralSecurityException;
+import java.security.NoSuchAlgorithmException;
 
 import org.neo4j.driver.AuthToken;
 import org.neo4j.driver.AuthTokens;
@@ -50,8 +51,8 @@
 import org.neo4j.driver.internal.retry.ExponentialBackoffRetryLogic;
 import org.neo4j.driver.internal.retry.RetryLogic;
 import org.neo4j.driver.internal.retry.RetrySettings;
-import org.neo4j.driver.internal.security.SecurityPlanImpl;
 import org.neo4j.driver.internal.security.SecurityPlan;
+import org.neo4j.driver.internal.security.SecurityPlanImpl;
 import org.neo4j.driver.internal.spi.ConnectionPool;
 import org.neo4j.driver.internal.spi.ConnectionProvider;
 import org.neo4j.driver.internal.util.Clock;
@@ -67,7 +68,12 @@
 public class DriverFactory
 {
     public static final String BOLT_URI_SCHEME = "bolt";
+    public static final String BOLT_HIGH_TRUST_URI_SCHEME = "bolt+s";
+    public static final String BOLT_LOW_TRUST_URI_SCHEME = "bolt+ssc";
     public static final String BOLT_ROUTING_URI_SCHEME = "neo4j";
+    public static final String BOLT_ROUTING_HIGH_TRUST_URI_SCHEME = "neo4j+s";
+    public static final String BOLT_ROUTING_LOW_TRUST_URI_SCHEME = "neo4j+ssc";
+
 
     public final Driver newInstance( URI uri, AuthToken authToken, RoutingSettings routingSettings,
             RetrySettings retrySettings, Config config )
@@ -103,7 +109,7 @@ public final Driver newInstance ( URI uri, AuthToken authToken, RoutingSettings
         }
         else
         {
-            securityPlan = createSecurityPlan( address, config );
+            securityPlan = createSecurityPlan( uri, config );
         }
 
         InternalLoggerFactory.setDefaultFactory( new NettyLogging( config.logging() ) );
@@ -148,17 +154,22 @@ protected ChannelConnector createConnector( ConnectionSettings settings, Securit
     }
 
     private InternalDriver createDriver( URI uri, SecurityPlan securityPlan, BoltServerAddress address, ConnectionPool connectionPool,
-            EventExecutorGroup eventExecutorGroup, RoutingSettings routingSettings, RetryLogic retryLogic, MetricsProvider metricsProvider, Config config )
+                                         EventExecutorGroup eventExecutorGroup, RoutingSettings routingSettings, RetryLogic retryLogic,
+                                         MetricsProvider metricsProvider, Config config )
     {
         try
         {
             String scheme = uri.getScheme().toLowerCase();
             switch ( scheme )
             {
             case BOLT_URI_SCHEME:
+            case BOLT_LOW_TRUST_URI_SCHEME:
+            case BOLT_HIGH_TRUST_URI_SCHEME:
                 assertNoRoutingContext( uri, routingSettings );
                 return createDirectDriver( securityPlan, address, connectionPool, retryLogic, metricsProvider, config );
             case BOLT_ROUTING_URI_SCHEME:
+            case BOLT_ROUTING_LOW_TRUST_URI_SCHEME:
+            case BOLT_ROUTING_HIGH_TRUST_URI_SCHEME:
                 return createRoutingDriver( securityPlan, address, connectionPool, eventExecutorGroup, routingSettings, retryLogic, metricsProvider, config );
             default:
                 throw new ClientException( format( "Unsupported URI scheme: %s", scheme ) );
@@ -287,11 +298,11 @@ protected Bootstrap createBootstrap( EventLoopGroup eventLoopGroup )
         return BootstrapFactory.newBootstrap( eventLoopGroup );
     }
 
-    private static SecurityPlan createSecurityPlan( BoltServerAddress address, Config config )
+    private static SecurityPlan createSecurityPlan( URI uri, Config config )
     {
         try
         {
-            return createSecurityPlanImpl( config );
+            return createSecurityPlanImpl( config, uri );
         }
         catch ( GeneralSecurityException | IOException ex )
         {
@@ -301,31 +312,50 @@ private static SecurityPlan createSecurityPlan( BoltServerAddress address, Confi
 
     /*
      * Establish a complete SecurityPlan based on the details provided for
-     * driver construction.
+     * driver construction based off the scheme and configured properties.
      */
-    private static SecurityPlan createSecurityPlanImpl( Config config )
+    private static SecurityPlan createSecurityPlanImpl( Config config, URI uri )
             throws GeneralSecurityException, IOException
     {
-        if ( config.encrypted() )
+        String scheme = uri.getScheme().toLowerCase();
+
+        if ( scheme.equals( BOLT_URI_SCHEME ) || scheme.equals( BOLT_ROUTING_URI_SCHEME ) )
         {
-            Config.TrustStrategy trustStrategy = config.trustStrategy();
-            boolean hostnameVerificationEnabled = trustStrategy.isHostnameVerificationEnabled();
-            switch ( trustStrategy.strategy() )
+            if ( config.encrypted() )
             {
-            case TRUST_CUSTOM_CA_SIGNED_CERTIFICATES:
-                return SecurityPlanImpl.forCustomCASignedCertificates( trustStrategy.certFile(), hostnameVerificationEnabled );
-            case TRUST_SYSTEM_CA_SIGNED_CERTIFICATES:
-                return SecurityPlanImpl.forSystemCASignedCertificates( hostnameVerificationEnabled );
-            case TRUST_ALL_CERTIFICATES:
-                return SecurityPlanImpl.forAllCertificates( hostnameVerificationEnabled );
-            default:
-                throw new ClientException(
-                        "Unknown TLS authentication strategy: " + trustStrategy.strategy().name() );
+                Config.TrustStrategy trustStrategy = config.trustStrategy();
+                boolean hostnameVerificationEnabled = trustStrategy.isHostnameVerificationEnabled();
+                switch ( trustStrategy.strategy() )
+                {
+                case TRUST_CUSTOM_CA_SIGNED_CERTIFICATES:
+                    return SecurityPlanImpl.forCustomCASignedCertificates( trustStrategy.certFile(), hostnameVerificationEnabled );
+                case TRUST_SYSTEM_CA_SIGNED_CERTIFICATES:
+                    return SecurityPlanImpl.forSystemCASignedCertificates( hostnameVerificationEnabled );
+                case TRUST_ALL_CERTIFICATES:
+                    return SecurityPlanImpl.forAllCertificates( hostnameVerificationEnabled );
+                default:
+                    throw new ClientException(
+                            "Unknown TLS authentication strategy: " + trustStrategy.strategy().name() );
+                }
+            }
+            else
+            {
+                return insecure();
             }
         }
         else
         {
-            return insecure();
+            switch ( scheme )
+            {
+            case BOLT_HIGH_TRUST_URI_SCHEME:
+            case BOLT_ROUTING_HIGH_TRUST_URI_SCHEME:
+                return configureHighTrustSecurityPlan( config, scheme );
+            case BOLT_LOW_TRUST_URI_SCHEME:
+            case BOLT_ROUTING_LOW_TRUST_URI_SCHEME:
+                return configureLowTrustSecurityPlan( config, scheme );
+            default:
+                throw new ClientException( format( "Unsupported URI scheme: %s", scheme ) );
+            }
         }
     }
 
@@ -350,4 +380,46 @@ private static void closeConnectionPoolAndSuppressError( ConnectionPool connecti
             addSuppressed( mainError, closeError );
         }
     }
+
+    private static SecurityPlan configureHighTrustSecurityPlan( Config config, String scheme ) throws NoSuchAlgorithmException
+    {
+        if ( config.isEncryptedUserConfigured() && !config.encrypted() )
+        {
+            throw new IllegalArgumentException( "Encryption must be enabled for scheme: " + scheme );
+        }
+        else if ( config.isTrustStrategyUserConfigured() &&
+                  ( config.trustStrategy().strategy().equals( Config.TrustStrategy.Strategy.TRUST_ALL_CERTIFICATES ) ||
+                    config.trustStrategy().strategy().equals( Config.TrustStrategy.Strategy.TRUST_CUSTOM_CA_SIGNED_CERTIFICATES )))
+        {
+            throw new IllegalArgumentException( "Scheme: " + scheme + " must use a higher level of trust configuration" );
+        }
+
+        return SecurityPlanImpl.forSystemCASignedCertificates( config.trustStrategy().isHostnameVerificationEnabled() );
+    }
+
+    private static SecurityPlan configureLowTrustSecurityPlan( Config config, String scheme ) throws GeneralSecurityException, IOException
+    {
+        if ( config.isEncryptedUserConfigured() && !config.encrypted() )
+        {
+            throw new IllegalArgumentException( "Encryption must be enabled for scheme: " + scheme );
+        }
+        else if ( config.isTrustStrategyUserConfigured() &&
+                  config.trustStrategy().strategy().equals( Config.TrustStrategy.Strategy.TRUST_SYSTEM_CA_SIGNED_CERTIFICATES ) )
+        {
+            throw new IllegalArgumentException( "Scheme: " + scheme + " must use a lower level of trust configuration" );
+        }
+        {
+            if ( !config.isTrustStrategyUserConfigured() ||
+                 (config.isTrustStrategyUserConfigured() && config.trustStrategy().strategy().equals( Config.TrustStrategy.Strategy.TRUST_ALL_CERTIFICATES )) )
+
+            {
+                return SecurityPlanImpl.forAllCertificates( config.trustStrategy().isHostnameVerificationEnabled() );
+            }
+            else
+            {
+                return SecurityPlanImpl.forCustomCASignedCertificates( config.trustStrategy().certFile(),
+                                                                       config.trustStrategy().isHostnameVerificationEnabled() );
+            }
+        }
+    }
 }

driver/src/test/java/org/neo4j/driver/ConfigTest.java

@@ -315,4 +315,36 @@ void shouldErrorWithIllegalEventLoopThreadsSize( int value ) throws Throwable
     {
         assertThrows( IllegalArgumentException.class, () -> Config.builder().withEventLoopThreads( value ).build() );
     }
+
+    @Test
+    void shouldFlagUserChangeOfDefaultEncryption()
+    {
+        Config config = Config.builder()
+                              .withoutEncryption()
+                              .build();
+        assertTrue( config.isEncryptedUserConfigured() );
+    }
+
+    @Test
+    void shouldFlagDefaultEncryption()
+    {
+        Config config = Config.builder().build();
+        assertFalse( config.isEncryptedUserConfigured() );
+    }
+
+    @Test
+    void shouldFlagUserChangeOfTestStrategy()
+    {
+        Config config = Config.builder()
+                              .withTrustStrategy( Config.TrustStrategy.trustAllCertificates() )
+                              .build();
+        assertTrue( config.isTrustStrategyUserConfigured() );
+    }
+
+    @Test
+    void shouldFlagDefaultTustStrategy()
+    {
+        Config config = Config.builder().build();
+        assertFalse( config.isEncryptedUserConfigured() );
+    }
 }

driver/src/test/java/org/neo4j/driver/integration/EncryptionIT.java

@@ -21,6 +21,8 @@
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.RegisterExtension;
 
+import java.net.URI;
+
 import org.neo4j.driver.Config;
 import org.neo4j.driver.Driver;
 import org.neo4j.driver.GraphDatabase;
@@ -48,13 +50,13 @@ class EncryptionIT
     @Test
     void shouldOperateWithNoEncryptionWhenItIsOptionalInTheDatabase()
     {
-        testMatchingEncryption( BoltTlsLevel.OPTIONAL, false );
+        testMatchingEncryption( BoltTlsLevel.OPTIONAL, false, neo4j.uri().getScheme() );
     }
 
     @Test
     void shouldOperateWithEncryptionWhenItIsOptionalInTheDatabase()
     {
-        testMatchingEncryption( BoltTlsLevel.OPTIONAL, true );
+        testMatchingEncryption( BoltTlsLevel.OPTIONAL, true, neo4j.uri().getScheme() );
     }
 
     @Test
@@ -66,7 +68,19 @@ void shouldFailWithoutEncryptionWhenItIsRequiredInTheDatabase()
     @Test
     void shouldOperateWithEncryptionWhenItIsAlsoRequiredInTheDatabase()
     {
-        testMatchingEncryption( BoltTlsLevel.REQUIRED, true );
+        testMatchingEncryption( BoltTlsLevel.REQUIRED, true, neo4j.uri().getScheme() );
+    }
+
+    @Test
+    void shouldOperateWithEncryptionWhenConfiguredUsingBoltSscURI()
+    {
+        testMatchingEncryption( BoltTlsLevel.REQUIRED, true, "bolt+ssc" );
+    }
+
+    @Test
+    void shouldOperateWithEncryptionWhenConfiguredUsingNeo4jSscURI()
+    {
+        testMatchingEncryption( BoltTlsLevel.REQUIRED, true, "neo4j+ssc" );
     }
 
     @Test
@@ -78,15 +92,17 @@ void shouldFailWithEncryptionWhenItIsDisabledInTheDatabase()
     @Test
     void shouldOperateWithoutEncryptionWhenItIsAlsoDisabledInTheDatabase()
     {
-        testMatchingEncryption( BoltTlsLevel.DISABLED, false );
+        testMatchingEncryption( BoltTlsLevel.DISABLED, false, neo4j.uri().getScheme() );
     }
 
-    private void testMatchingEncryption( BoltTlsLevel tlsLevel, boolean driverEncrypted )
+    private void testMatchingEncryption( BoltTlsLevel tlsLevel, boolean driverEncrypted, String scheme )
     {
         neo4j.restartDb( Neo4jSettings.TEST_SETTINGS.updateWith( Neo4jSettings.BOLT_TLS_LEVEL, tlsLevel.toString() ) );
         Config config = newConfig( driverEncrypted );
 
-        try ( Driver driver = GraphDatabase.driver( neo4j.uri(), neo4j.authToken(), config ) )
+        URI uri = URI.create( String.format( "%s://%s:%s", scheme, neo4j.uri().getHost(), neo4j.uri().getPort()) );
+
+        try ( Driver driver = GraphDatabase.driver( uri, neo4j.authToken(), config ) )
         {
             assertThat( driver.isEncrypted(), equalTo( driverEncrypted ) );