Auth

Author: injectives

driver/clirr-ignored-differences.xml

@@ -433,4 +433,16 @@
         <method>org.neo4j.driver.BookmarkManager queryTaskBookmarkManager()</method>
     </difference>
 
+    <difference>
+        <className>org/neo4j/driver/Driver</className>
+        <differenceType>7012</differenceType>
+        <method>org.neo4j.driver.BaseSession session(java.lang.Class, org.neo4j.driver.AuthToken)</method>
+    </difference>
+
+    <difference>
+        <className>org/neo4j/driver/Driver</className>
+        <differenceType>7012</differenceType>
+        <method>org.neo4j.driver.BaseSession session(java.lang.Class, org.neo4j.driver.SessionConfig, org.neo4j.driver.AuthToken)</method>
+    </difference>
+
 </differences>

driver/src/main/java/org/neo4j/driver/AuthTokenManager.java

@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) "Neo4j"
+ * Neo4j Sweden AB [http://neo4j.com]
+ *
+ * This file is part of Neo4j.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.neo4j.driver;
+
+import java.util.concurrent.CompletionStage;
+
+/**
+ * An {@link AuthToken} manager used by the driver.
+ * <p>
+ * Implementations should supply the same token unless it needs to be updated as a change of token might result in extra
+ * processing by the driver.
+ * <p>
+ * Driver initializes new connections with a token supplied by the manager. If token changes, driver action depends on
+ * connection Bolt protocol version:
+ * <ul>
+ *     <li>Bolt 5.1 or above - {@code LOGOFF} and {@code LOGON} messages are dispatched to update the token</li>
+ *     <li>Bolt 5.0 or below - connection is closed an a new one is initialized with the new token</li>
+ * </ul>
+ * <p>
+ * All implementations of this interface must be non-blocking for caller threads.
+ * @since 5.6
+ */
+public interface AuthTokenManager {
+    /**
+     * Returns a {@link CompletionStage} for a valid {@link AuthToken}.
+     * <p>
+     * Driver invokes this method often to check if token changed.
+     * @return a stage for a valid token
+     */
+    CompletionStage<AuthToken> getToken();
+
+    /**
+     * Handles an error notification emitted by the server of the token is expired.
+     * <p>
+     * This will be called when driver throws {@link org.neo4j.driver.exceptions.TokenExpiredException}.
+     *
+     * @param authToken the token
+     */
+    void onExpired(AuthToken authToken);
+}

driver/src/main/java/org/neo4j/driver/AuthTokenManagers.java

@@ -0,0 +1,153 @@
+/*
+ * Copyright (c) "Neo4j"
+ * Neo4j Sweden AB [http://neo4j.com]
+ *
+ * This file is part of Neo4j.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.neo4j.driver;
+
+import java.time.Clock;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.CompletionStage;
+import java.util.concurrent.Flow;
+import java.util.concurrent.ForkJoinPool;
+import java.util.function.Supplier;
+import org.neo4j.driver.internal.reactive.TemporalAuthDataSupplier;
+import org.neo4j.driver.internal.security.TemporalAuthTokenManager;
+import org.reactivestreams.FlowAdapters;
+import org.reactivestreams.Publisher;
+
+/**
+ * Implementations of {@link AuthTokenManager}.
+ * @since 5.6
+ */
+public final class AuthTokenManagers {
+    private AuthTokenManagers() {}
+
+    /**
+     * Returns a temporal {@link AuthTokenManager} implementation that manages {@link AuthToken} instances with UTC
+     * expiration timestamp.
+     * <p>
+     * The implementation will only use the token supplier when it needs a new token instance in the following
+     * situations:
+     * <ol>
+     *     <li>token's UTC timestamp is expired</li>
+     *     <li>server rejects the token (see {@link AuthTokenManager#onExpired(AuthToken)})</li>
+     * </ol>
+     * <p>
+     * The supplier will be called by a task running in the {@link ForkJoinPool#commonPool()} as documented in the
+     * {@link CompletableFuture#supplyAsync(Supplier)}.
+     *
+     * @param freshTokenSupplier a new token supplier
+     * @return a new token manager
+     */
+    public static AuthTokenManager temporal(Supplier<TemporalAuthData> freshTokenSupplier) {
+        return new TemporalAuthTokenManager(() -> CompletableFuture.supplyAsync(freshTokenSupplier), Clock.systemUTC());
+    }
+
+    /**
+     * Returns a temporal {@link AuthTokenManager} implementation that manages {@link AuthToken} instances with UTC
+     * expiration timestamp.
+     * <p>
+     * The implementation will only use the token supplier when it needs a new token instance in the following
+     * situations:
+     * <ol>
+     *     <li>token's UTC timestamp is expired</li>
+     *     <li>server rejects the token (see {@link AuthTokenManager#onExpired(AuthToken)})</li>
+     * </ol>
+     * <p>
+     * The provided supplier and its completion stages must be non-blocking as documented in the {@link AuthTokenManager}.
+     *
+     * @param freshTokenSupplier a new token supplier
+     * @return a new token manager
+     */
+    public static AuthTokenManager temporalAsync(Supplier<CompletionStage<TemporalAuthData>> freshTokenSupplier) {
+        return new TemporalAuthTokenManager(freshTokenSupplier, Clock.systemUTC());
+    }
+
+    /**
+     * Returns a temporal {@link AuthTokenManager} implementation that manages {@link AuthToken} instances with UTC
+     * expiration timestamp.
+     * <p>
+     * The implementation will only use the token publisher when it needs a new token instance in the following
+     * situations:
+     * <ol>
+     *     <li>token's UTC timestamp is expired</li>
+     *     <li>server rejects the token (see {@link AuthTokenManager#onExpired(AuthToken)})</li>
+     * </ol>
+     * @param freshTokenPublisher a new token publisher
+     * @return a new token manager
+     */
+    public static AuthTokenManager temporalFlow(Flow.Publisher<TemporalAuthData> freshTokenPublisher) {
+        return new TemporalAuthTokenManager(
+                new TemporalAuthDataSupplier(FlowAdapters.toPublisher(freshTokenPublisher)), Clock.systemUTC());
+    }
+
+    /**
+     * Returns a temporal {@link AuthTokenManager} implementation that manages {@link AuthToken} instances with UTC
+     * expiration timestamp.
+     * <p>
+     * The implementation will only use the token publisher when it needs a new token instance in the following
+     * situations:
+     * <ol>
+     *     <li>token's UTC timestamp is expired</li>
+     *     <li>server rejects the token (see {@link AuthTokenManager#onExpired(AuthToken)})</li>
+     * </ol>
+     * @param freshTokenPublisher a new token publisher
+     * @return a new token manager
+     */
+    public static AuthTokenManager temporalReactiveStreams(Publisher<TemporalAuthData> freshTokenPublisher) {
+        return new TemporalAuthTokenManager(new TemporalAuthDataSupplier(freshTokenPublisher), Clock.systemUTC());
+    }
+
+    /**
+     * A container used by the temporal {@link AuthTokenManager} implementation provided by the driver, it contains an
+     * {@link AuthToken} and expiration timestamp.
+     */
+    public interface TemporalAuthData {
+        /**
+         * Returns an instance with provided token and {@link Long#MAX_VALUE} expiration timestamp.
+         * @param authToken token
+         * @return a new instance
+         */
+        static TemporalAuthData of(AuthToken authToken) {
+            return of(authToken, Long.MAX_VALUE);
+        }
+
+        /**
+         * Returns an instance with provided token and expiration timestamp.
+         * @param authToken token
+         * @param expirationTimestamp expiration timestamp
+         * @return a new instance
+         */
+        static TemporalAuthData of(AuthToken authToken, long expirationTimestamp) {
+            return new TemporalAuthTokenManager.InternalTemporalAuthData(authToken, expirationTimestamp);
+        }
+
+        /**
+         * Returns an {@link AuthToken}.
+         *
+         * @return token
+         */
+        AuthToken authToken();
+
+        /**
+         * Returns token's UTC expiration timestamp.
+         *
+         * @return token's UTC expiration timestamp
+         */
+        long expirationTimestamp();
+    }
+}

driver/src/main/java/org/neo4j/driver/Driver.java

@@ -144,6 +144,38 @@ default <T extends BaseSession> T session(Class<T> sessionClass) {
         return session(sessionClass, SessionConfig.defaultConfig());
     }
 
+    /**
+     * Instantiate a new session of supported type with default {@link SessionConfig session configuration} and provided {@link AuthToken}.
+     * <p>
+     * Supported types are:
+     * <ul>
+     *     <li>{@link org.neo4j.driver.Session} - synchronous session</li>
+     *     <li>{@link org.neo4j.driver.async.AsyncSession} - asynchronous session</li>
+     *     <li>{@link org.neo4j.driver.reactive.ReactiveSession} - reactive session using Flow API</li>
+     *     <li>{@link org.neo4j.driver.reactivestreams.ReactiveSession} - reactive session using Reactive Streams
+     * API</li>
+     *     <li>{@link org.neo4j.driver.reactive.RxSession} - deprecated reactive session using Reactive Streams
+     * API, superseded by {@link org.neo4j.driver.reactivestreams.ReactiveSession}</li>
+     * </ul>
+     * <p>
+     * Sample usage:
+     * <pre>
+     * {@code
+     * var session = driver.session(AsyncSession.class);
+     * }
+     * </pre>
+     *
+     * @param sessionClass session type class, must not be null
+     * @param authToken a token, null will result in driver-level configuration being used
+     * @return session instance
+     * @param <T> session type
+     * @throws IllegalArgumentException for unsupported session types
+     * @since 5.6
+     */
+    default <T extends BaseSession> T session(Class<T> sessionClass, AuthToken authToken) {
+        return session(sessionClass, SessionConfig.defaultConfig(), authToken);
+    }
+
     /**
      * Create a new session of supported type with a specified {@link SessionConfig session configuration}.
      * <p>
@@ -172,7 +204,40 @@ default <T extends BaseSession> T session(Class<T> sessionClass) {
      * @throws IllegalArgumentException for unsupported session types
      * @since 5.2
      */
-    <T extends BaseSession> T session(Class<T> sessionClass, SessionConfig sessionConfig);
+    default <T extends BaseSession> T session(Class<T> sessionClass, SessionConfig sessionConfig) {
+        return session(sessionClass, sessionConfig, null);
+    }
+
+    /**
+     * Instantiate a new session of supported type with a specified {@link SessionConfig session configuration} and provided {@link AuthToken}.
+     * <p>
+     * Supported types are:
+     * <ul>
+     *     <li>{@link org.neo4j.driver.Session} - synchronous session</li>
+     *     <li>{@link org.neo4j.driver.async.AsyncSession} - asynchronous session</li>
+     *     <li>{@link org.neo4j.driver.reactive.ReactiveSession} - reactive session using Flow API</li>
+     *     <li>{@link org.neo4j.driver.reactivestreams.ReactiveSession} - reactive session using Reactive Streams
+     * API</li>
+     *     <li>{@link org.neo4j.driver.reactive.RxSession} - deprecated reactive session using Reactive Streams
+     * API, superseded by {@link org.neo4j.driver.reactivestreams.ReactiveSession}</li>
+     * </ul>
+     * <p>
+     * Sample usage:
+     * <pre>
+     * {@code
+     * var session = driver.session(AsyncSession.class);
+     * }
+     * </pre>
+     *
+     * @param sessionClass session type class, must not be null
+     * @param sessionConfig session config, must not be null
+     * @param authToken a token, null will result in driver-level configuration being used
+     * @return session instance
+     * @param <T> session type
+     * @throws IllegalArgumentException for unsupported session types
+     * @since 5.6
+     */
+    <T extends BaseSession> T session(Class<T> sessionClass, SessionConfig sessionConfig, AuthToken authToken);
 
     /**
      * Create a new general purpose {@link RxSession} with default {@link SessionConfig session configuration}. The {@link RxSession} provides a reactive way to

driver/src/main/java/org/neo4j/driver/GraphDatabase.java

@@ -18,8 +18,13 @@
  */
 package org.neo4j.driver;
 
+import static java.util.Objects.requireNonNull;
+import static org.neo4j.driver.internal.security.AuthTokenUtil.requireValidAuthToken;
+
 import java.net.URI;
 import org.neo4j.driver.internal.DriverFactory;
+import org.neo4j.driver.internal.security.StaticAuthTokenManager;
+import org.neo4j.driver.internal.security.VerifyingAuthTokenManager;
 
 /**
  * Creates {@link Driver drivers}, optionally letting you {@link #driver(URI, Config)} to configure them.
@@ -114,12 +119,56 @@ public static Driver driver(String uri, AuthToken authToken, Config config) {
      * @return a new driver to the database instance specified by the URL
      */
     public static Driver driver(URI uri, AuthToken authToken, Config config) {
-        return driver(uri, authToken, config, new DriverFactory());
+        if (authToken == null) {
+            authToken = AuthTokens.none();
+        }
+        requireValidAuthToken(authToken);
+        return driver(uri, new StaticAuthTokenManager(authToken), config, new DriverFactory());
+    }
+
+    /**
+     * Return a driver for a Neo4j instance with the default configuration settings
+     *
+     * @param uri the URL to a Neo4j instance
+     * @param authTokenManager manager to use
+     * @return a new driver to the database instance specified by the URL
+     * @since 5.6
+     */
+    public static Driver driver(URI uri, AuthTokenManager authTokenManager) {
+        return driver(uri, authTokenManager, Config.defaultConfig());
+    }
+
+    /**
+     * Return a driver for a Neo4j instance with custom configuration.
+     *
+     * @param uri the URL to a Neo4j instance
+     * @param authTokenManager manager to use
+     * @param config user defined configuration
+     * @return a new driver to the database instance specified by the URL
+     * @since 5.6
+     */
+    public static Driver driver(String uri, AuthTokenManager authTokenManager, Config config) {
+        return driver(URI.create(uri), authTokenManager, config);
+    }
+
+    /**
+     * Return a driver for a Neo4j instance with custom configuration.
+     *
+     * @param uri the URL to a Neo4j instance
+     * @param authTokenManager manager to use
+     * @param config user defined configuration
+     * @return a new driver to the database instance specified by the URL
+     * @since 5.6
+     */
+    public static Driver driver(URI uri, AuthTokenManager authTokenManager, Config config) {
+        return driver(uri, authTokenManager, config, new DriverFactory());
     }
 
-    static Driver driver(URI uri, AuthToken authToken, Config config, DriverFactory driverFactory) {
+    private static Driver driver(
+            URI uri, AuthTokenManager authTokenManager, Config config, DriverFactory driverFactory) {
+        requireNonNull(authTokenManager, "authTokenManager must not be null");
         config = getOrDefault(config);
-        return driverFactory.newInstance(uri, authToken, config);
+        return driverFactory.newInstance(uri, new VerifyingAuthTokenManager(authTokenManager), config);
     }
 
     private static Config getOrDefault(Config config) {