diff --git a/driver/src/main/java/org/neo4j/driver/internal/RoutingDriver.java b/driver/src/main/java/org/neo4j/driver/internal/RoutingDriver.java index 667cba36c0..28270ca86d 100644 --- a/driver/src/main/java/org/neo4j/driver/internal/RoutingDriver.java +++ b/driver/src/main/java/org/neo4j/driver/internal/RoutingDriver.java @@ -26,6 +26,7 @@ import org.neo4j.driver.internal.spi.ConnectionPool; import org.neo4j.driver.internal.util.Clock; import org.neo4j.driver.v1.AccessMode; +import org.neo4j.driver.v1.Config; import org.neo4j.driver.v1.Logging; import org.neo4j.driver.v1.Session; import org.neo4j.driver.v1.exceptions.ClientException; @@ -34,6 +35,16 @@ public class RoutingDriver extends BaseDriver { + // Verify that a security plan is compatible with this driver, throwing an exception if not + private static SecurityPlan verifiedSecurityPlan( SecurityPlan securityPlan ) + { + if ( !securityPlan.isRoutingCompatible() ) + { + throw new IllegalArgumentException( "The chosen security plan is not compatible with a routing driver" ); + } + return securityPlan; + } + private final LoadBalancer loadBalancer; public RoutingDriver( @@ -45,7 +56,7 @@ public RoutingDriver( Clock clock, Logging logging ) { - super( contract, securityPlan, logging ); + super( contract, verifiedSecurityPlan( securityPlan ), logging ); this.loadBalancer = new LoadBalancer( settings, clock, log, connections, seedAddress ); } diff --git a/driver/src/main/java/org/neo4j/driver/internal/net/BoltServerAddress.java b/driver/src/main/java/org/neo4j/driver/internal/net/BoltServerAddress.java index e5f88029b1..b9441a529c 100644 --- a/driver/src/main/java/org/neo4j/driver/internal/net/BoltServerAddress.java +++ b/driver/src/main/java/org/neo4j/driver/internal/net/BoltServerAddress.java 
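Review bot: `verifiedSecurityPlan` rejects a plan with a message that tells the caller neither which plan was refused nor what to use instead, and it carries only a one-line `//` comment rather than Javadoc. Since the only plan this change marks incompatible is the trust-on-first-use one (`SecurityPlan.forTrustOnFirstUse` passes `false`), I'd make the message actionable: `throw new IllegalArgumentException( "The chosen security plan is not compatible with a routing driver; use a CA-based trust strategy (TRUST_SYSTEM_CA_SIGNED_CERTIFICATES or TRUST_CUSTOM_CA_SIGNED_CERTIFICATES) instead" );` and turn the comment into a Javadoc with `@throws IllegalArgumentException if {@code securityPlan.isRoutingCompatible()} is false`. Presumably the incompatibility is that trust-on-first-use pins the certificate of the single seed address while a routing driver connects to every cluster member; if that is the reason it belongs in the Javadoc, but confirm before writing it down.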
@@ -136,23 +136,4 @@ public int port() return port; } - /** - * Determine whether or not this address refers to the local machine. This - * will generally be true for "localhost" or "127.x.x.x". - * - * @return true if local, false otherwise - */ - public boolean isLocal() - { - try - { - // confirmed to work as desired with both "localhost" and "127.x.x.x" - return InetAddress.getByName( host ).isLoopbackAddress(); - } - catch ( UnknownHostException e ) - { - // if it's unknown, it's not local so we can safely return false - return false; - } - } } diff --git a/driver/src/main/java/org/neo4j/driver/internal/net/SocketClient.java b/driver/src/main/java/org/neo4j/driver/internal/net/SocketClient.java index bbe86cd196..dabc70ac7a 100644 --- a/driver/src/main/java/org/neo4j/driver/internal/net/SocketClient.java +++ b/driver/src/main/java/org/neo4j/driver/internal/net/SocketClient.java @@ -294,7 +294,7 @@ public static ByteChannel create( BoltServerAddress address, SecurityPlan securi if (securityPlan.requiresEncryption()) { - channel = new TLSSocketChannel( address, securityPlan, soChannel, logger ); + channel = TLSSocketChannel.create( address, securityPlan, soChannel, logger ); } else { diff --git a/driver/src/main/java/org/neo4j/driver/internal/security/SecurityPlan.java b/driver/src/main/java/org/neo4j/driver/internal/security/SecurityPlan.java index af10095338..4df04903f8 100644 --- a/driver/src/main/java/org/neo4j/driver/internal/security/SecurityPlan.java +++ b/driver/src/main/java/org/neo4j/driver/internal/security/SecurityPlan.java 
@@ -41,7 +41,15 @@ */ public class SecurityPlan { - public static SecurityPlan forSignedCertificates( File certFile ) + public static SecurityPlan forAllCertificates() throws GeneralSecurityException, IOException + { + SSLContext sslContext = SSLContext.getInstance( "TLS" ); + sslContext.init( new KeyManager[0], new TrustManager[]{new TrustAllTrustManager()}, null ); + + return new SecurityPlan( true, sslContext, true ); + } + + public static SecurityPlan forCustomCASignedCertificates( File certFile ) throws GeneralSecurityException, IOException { // A certificate file is specified so we will load the certificates in the file 
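Review bot: `forAllCertificates()` builds an SSLContext whose only trust manager accepts every server certificate, yet the method has no Javadoc saying so; a reader sees it next to the CA-based factories with no hint that it disables server authentication. I'd add `/** Encrypts the connection but performs no validation of the server certificate: the peer is not authenticated, so this protects only against passive eavesdropping, not an active man-in-the-middle. */`. The `throws IOException` clause also looks unnecessary, since nothing in the body does I/O — `SSLContext.getInstance` and `init` throw `GeneralSecurityException` subtypes only. `forCustomCASignedCertificates` continues past the end of the hunk.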
@@ -59,36 +67,38 @@ public static SecurityPlan forSignedCertificates( File certFile ) SSLContext sslContext = SSLContext.getInstance( "TLS" ); sslContext.init( new KeyManager[0], trustManagerFactory.getTrustManagers(), null ); - return new SecurityPlan( true, sslContext); + return new SecurityPlan( true, sslContext, true ); } - public static SecurityPlan forSystemCertificates() throws NoSuchAlgorithmException, KeyStoreException + public static SecurityPlan forSystemCASignedCertificates() throws NoSuchAlgorithmException, KeyStoreException { - return new SecurityPlan( true, SSLContext.getDefault() ); + return new SecurityPlan( true, SSLContext.getDefault(), true ); } - + @Deprecated public static SecurityPlan forTrustOnFirstUse( File knownHosts, BoltServerAddress address, Logger logger ) throws IOException, KeyManagementException, NoSuchAlgorithmException { SSLContext sslContext = SSLContext.getInstance( "TLS" ); sslContext.init( new KeyManager[0], new TrustManager[]{new TrustOnFirstUseTrustManager( address, knownHosts, logger )}, null ); - return new SecurityPlan( true, sslContext); + return new SecurityPlan( true, sslContext, false ); } public static SecurityPlan insecure() { - return new SecurityPlan( false, null ); + return new SecurityPlan( false, null, true ); } private final boolean requiresEncryption; private final SSLContext sslContext; + private final boolean routingCompatible; - private SecurityPlan( boolean requiresEncryption, SSLContext sslContext) + private SecurityPlan( boolean requiresEncryption, SSLContext sslContext, boolean routingCompatible ) { this.requiresEncryption = requiresEncryption; this.sslContext = sslContext; + this.routingCompatible = routingCompatible; } public boolean requiresEncryption() 
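Review bot: `@Deprecated` on `forTrustOnFirstUse` has no `@deprecated` Javadoc tag naming a replacement, and the new third constructor argument is an undocumented positional boolean that every factory now passes as a bare `true`/`false`. I'd add `/** @deprecated prefer {@link #forSystemCASignedCertificates()} or {@link #forCustomCASignedCertificates(File)}; this is the only plan the routing driver rejects. */` above the factory, and a field comment such as `// false only for trust-on-first-use, which cannot be used by the routing driver` on `routingCompatible`. Whether the reason is that trust-on-first-use pins one server's certificate is my reading of the factory taking a single `address`, so verify before stating it in the comment. `requiresEncryption()` at the end of the hunk continues below it.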
@@ -96,7 +106,14 @@ public boolean requiresEncryption() return requiresEncryption; } + public boolean isRoutingCompatible() + { + return routingCompatible; + } - public SSLContext sslContext() {return sslContext;} + public SSLContext sslContext() + { + return sslContext; + } } diff --git a/driver/src/main/java/org/neo4j/driver/internal/security/TLSSocketChannel.java b/driver/src/main/java/org/neo4j/driver/internal/security/TLSSocketChannel.java index e0c4c88383..0463a14e55 100644 --- a/driver/src/main/java/org/neo4j/driver/internal/security/TLSSocketChannel.java +++ b/driver/src/main/java/org/neo4j/driver/internal/security/TLSSocketChannel.java @@ -21,9 +21,6 @@ import java.io.IOException; import java.nio.ByteBuffer; import java.nio.channels.ByteChannel; -import java.security.GeneralSecurityException; -import javax.net.ssl.KeyManager; -import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLEngineResult; import javax.net.ssl.SSLEngineResult.HandshakeStatus; @@ -32,9 +29,6 @@ import org.neo4j.driver.internal.net.BoltServerAddress; import org.neo4j.driver.v1.Logger; import org.neo4j.driver.internal.util.BytePrinter; -import org.neo4j.driver.internal.util.BytePrinter; -import org.neo4j.driver.v1.Config.TrustStrategy; -import org.neo4j.driver.v1.Logger; import org.neo4j.driver.v1.exceptions.ClientException; import static javax.net.ssl.SSLEngineResult.HandshakeStatus.FINISHED; 
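Review bot: `isRoutingCompatible()` is the accessor `RoutingDriver` uses to refuse a plan, but it has no Javadoc and the name alone does not say which plans answer false. A one-liner would do: `/** Whether this plan may be used by the routing driver; in this change only trust-on-first-use plans return {@code false}. */`. The reformatting of `sslContext()` in the same hunk is fine as is.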
@@ -67,32 +61,23 @@ public class TLSSocketChannel implements ByteChannel private static final ByteBuffer DUMMY_BUFFER = ByteBuffer.allocate( 0 ); - public TLSSocketChannel( BoltServerAddress address, SecurityPlan securityPlan, ByteChannel channel, Logger logger ) - throws GeneralSecurityException, IOException - { - this( channel, logger, createSSLEngine( address, securityPlan.sslContext() ) ); - } - - public TLSSocketChannel( ByteChannel channel, Logger logger, SSLEngine sslEngine ) throws GeneralSecurityException, IOException + public static TLSSocketChannel create( BoltServerAddress address, SecurityPlan securityPlan, ByteChannel channel, Logger logger ) + throws IOException { - this(channel, logger, sslEngine, - ByteBuffer.allocate( sslEngine.getSession().getApplicationBufferSize() ), - ByteBuffer.allocate( sslEngine.getSession().getPacketBufferSize() ), - ByteBuffer.allocate( sslEngine.getSession().getApplicationBufferSize() ), - ByteBuffer.allocate( sslEngine.getSession().getPacketBufferSize() ) ); + SSLEngine sslEngine = securityPlan.sslContext().createSSLEngine( address.host(), address.port() ); + sslEngine.setUseClientMode( true ); + return new TLSSocketChannel( channel, logger, sslEngine ); } - TLSSocketChannel( ByteChannel channel, Logger logger, SSLEngine sslEngine, - ByteBuffer plainIn, ByteBuffer cipherIn, ByteBuffer plainOut, ByteBuffer cipherOut ) - throws GeneralSecurityException, IOException + public TLSSocketChannel( ByteChannel channel, Logger logger, SSLEngine sslEngine ) throws IOException { this.logger = logger; this.channel = channel; this.sslEngine = sslEngine; - this.plainIn = plainIn; - this.cipherIn = cipherIn; - this.plainOut = plainOut; - this.cipherOut = cipherOut; + this.plainIn = ByteBuffer.allocate( sslEngine.getSession().getApplicationBufferSize() ); + this.cipherIn = ByteBuffer.allocate( sslEngine.getSession().getPacketBufferSize() ); + this.plainOut = ByteBuffer.allocate( sslEngine.getSession().getApplicationBufferSize() ); + 
this.cipherOut = ByteBuffer.allocate( sslEngine.getSession().getPacketBufferSize() ); runHandshake(); } @@ -353,18 +338,6 @@ static int bufferCopy( ByteBuffer from, ByteBuffer to ) return maxTransfer; } - /** - * Create SSLEngine with the SSLContext just created. - * @param address the host to connect to - * @param sslContext the current ssl context - */ - private static SSLEngine createSSLEngine( BoltServerAddress address, SSLContext sslContext ) - { - SSLEngine sslEngine = sslContext.createSSLEngine( address.host(), address.port() ); - sslEngine.setUseClientMode( true ); - return sslEngine; - } - @Override public int read( ByteBuffer dst ) throws IOException { diff --git a/driver/src/main/java/org/neo4j/driver/internal/security/TrustAllTrustManager.java b/driver/src/main/java/org/neo4j/driver/internal/security/TrustAllTrustManager.java new file mode 100644 index 0000000000..1808f49590 --- /dev/null +++ b/driver/src/main/java/org/neo4j/driver/internal/security/TrustAllTrustManager.java 
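Review bot: `create` builds the SSLEngine with `address.host()`/`address.port()` and switches it to client mode, but never enables endpoint identification, so for the CA-based plans (`forSystemCASignedCertificates`, `forCustomCASignedCertificates`) any certificate chaining to a trusted CA is accepted regardless of which host it was issued for. Passing the host to `createSSLEngine` only supplies hints (SNI, session caching); hostname verification has to be requested explicitly: `SSLParameters params = sslEngine.getSSLParameters();` `params.setEndpointIdentificationAlgorithm( "HTTPS" );` `sslEngine.setSSLParameters( params );` with `javax.net.ssl.SSLParameters` imported. I believe the JDK applies that check to plain `X509TrustManager`s too, which would also make the trust-all and trust-on-first-use plans reject a hostname mismatch — possibly desired, but a policy decision, so it may need to be gated on the plan. The `@@ -353` hunk that removes `createSSLEngine` is only the moved code.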
@@ -0,0 +1,42 @@
+/**
+ * Copyright (c) 2002-2016 "Neo Technology,"
+ * Network Engine for Objects in Lund AB [http://neotechnology.com]
+ *
+ * This file is part of Neo4j.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.neo4j.driver.internal.security;
+
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import javax.net.ssl.X509TrustManager;
+
+public class TrustAllTrustManager implements X509TrustManager
+{
+ public void checkClientTrusted( X509Certificate[] chain, String authType ) throws CertificateException
+ {
+ throw new CertificateException( "All client connections to this client are forbidden." );
+ }
+
+ public void checkServerTrusted( X509Certificate[] chain, String authType ) throws CertificateException
+ {
+ // all fine, pass through
+ }
+
+ public X509Certificate[] getAcceptedIssuers()
+ {
+ return new X509Certificate[0];
+ }
+}
diff --git a/driver/src/main/java/org/neo4j/driver/v1/Config.java b/driver/src/main/java/org/neo4j/driver/v1/Config.java
index 65b88fc1b6..73b58ae9a0 100644
--- a/driver/src/main/java/org/neo4j/driver/v1/Config.java
+++ b/driver/src/main/java/org/neo4j/driver/v1/Config.java
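Review bot: `TrustAllTrustManager` has no class Javadoc, and this is the one class in the change where the consequence must be spelled out: `checkServerTrusted` is empty, so every server certificate — self-signed, expired, issued for another host — is accepted. I'd add `/** Trust manager that accepts any server certificate without validation. The connection is encrypted but the server is not authenticated, so an active man-in-the-middle is not detected; client certificates are always rejected. */` and put `@Override` on the three methods. The `checkClientTrusted` message "All client connections to this client are forbidden." also reads oddly; `"Client certificate validation is not supported by this trust manager"` says what actually happened.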
@@ -27,8 +27,7 @@ import org.neo4j.driver.internal.net.pooling.PoolSettings; import org.neo4j.driver.v1.util.Immutable; -import static java.lang.System.getProperty; -import static org.neo4j.driver.v1.Config.TrustStrategy.trustOnFirstUse; +import static org.neo4j.driver.v1.Config.TrustStrategy.trustAllCertificates; /** * A configuration class to config driver properties. @@ -168,9 +167,8 @@ public static class ConfigBuilder private Logging logging = new JULogging( Level.INFO ); private int maxIdleConnectionPoolSize = PoolSettings.DEFAULT_MAX_IDLE_CONNECTION_POOL_SIZE; private long idleTimeBeforeConnectionTest = PoolSettings.DEFAULT_IDLE_TIME_BEFORE_CONNECTION_TEST; - private EncryptionLevel encryptionLevel = EncryptionLevel.REQUIRED_NON_LOCAL; - private TrustStrategy trustStrategy = trustOnFirstUse( - new File( getProperty( "user.home" ), ".neo4j" + File.separator + "known_hosts" ) ); + private EncryptionLevel encryptionLevel = EncryptionLevel.REQUIRED; + private TrustStrategy trustStrategy = trustAllCertificates(); private RetryLogic retryLogic = RetryLogic.DEFAULT_RETRY_LOGIC; private int routingFailureLimit = 1; private long routingRetryDelayMillis = 5_000; @@ -371,10 +369,6 @@ public enum EncryptionLevel /** With this level, the driver will only connect to the server if it can do it without encryption. */ NONE, - /** With this level, the driver will only connect to the server without encryption if local but with - * encryption otherwise. */ - REQUIRED_NON_LOCAL, - /** With this level, the driver will only connect to the server it if can do it with encryption. */ REQUIRED } @@ -386,10 +380,16 @@ public static class TrustStrategy { public enum Strategy { + @Deprecated TRUST_ON_FIRST_USE, + @Deprecated TRUST_SIGNED_CERTIFICATES, + + TRUST_ALL_CERTIFICATES, + TRUST_CUSTOM_CA_SIGNED_CERTIFICATES, + TRUST_SYSTEM_CA_SIGNED_CERTIFICATES } 
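Review bot: the new defaults (`EncryptionLevel.REQUIRED` together with `trustAllCertificates()`) make the out-of-the-box driver encrypt every connection but accept any server certificate, so the default protects only against passive observers and not against an active man-in-the-middle; the trust-on-first-use default it replaces at least pinned the certificate after the first connection. If working against self-signed server certificates is the motivation, that needs to be visible in `ConfigBuilder`, e.g. a comment on the field: `// NOTE: accepts any server certificate; use trustSystemCertificates() or trustCustomCertificateSignedBy(File) for production deployments`, and ideally the default should be the system CA strategy with trust-all an explicit opt-in. The new `TRUST_ALL_CERTIFICATES` enum constant in the third hunk is also undocumented, although the two constants next to it at least carry `@Deprecated`.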
@@ -445,11 +445,26 @@ public static TrustStrategy trustCustomCertificateSignedBy( File certFile ) return new TrustStrategy( Strategy.TRUST_CUSTOM_CA_SIGNED_CERTIFICATES, certFile ); } + /** + * + * @return + */ public static TrustStrategy trustSystemCertificates() { return new TrustStrategy( Strategy.TRUST_SYSTEM_CA_SIGNED_CERTIFICATES ); } + /** + * + * @return + * + * @since 1.1 + */ + public static TrustStrategy trustAllCertificates() + { + return new TrustStrategy( Strategy.TRUST_ALL_CERTIFICATES ); + } + /** * Automatically trust a Neo4j instance the first time we see it - but fail to connect if its encryption certificate ever changes. * This is similar to the mechanism used in SSH, and protects against man-in-the-middle attacks that occur after the initial setup of your application. @@ -463,7 +478,10 @@ public static TrustStrategy trustSystemCertificates() * * @param knownHostsFile a file where known certificates are stored. * @return an authentication config + * + * @deprecated in 1.1 in favour of {@link #trustAllCertificates()} */ + @Deprecated public static TrustStrategy trustOnFirstUse( File knownHostsFile ) { return new TrustStrategy( Strategy.TRUST_ON_FIRST_USE, knownHostsFile ); diff --git a/driver/src/main/java/org/neo4j/driver/v1/GraphDatabase.java b/driver/src/main/java/org/neo4j/driver/v1/GraphDatabase.java index 04ac17d4f4..b2b9a906cf 100644 --- a/driver/src/main/java/org/neo4j/driver/v1/GraphDatabase.java +++ b/driver/src/main/java/org/neo4j/driver/v1/GraphDatabase.java @@ -40,7 +40,6 @@ import static java.lang.String.format; import static org.neo4j.driver.internal.security.SecurityPlan.insecure; import static org.neo4j.driver.v1.Config.EncryptionLevel.REQUIRED; -import static org.neo4j.driver.v1.Config.EncryptionLevel.REQUIRED_NON_LOCAL; /** * Creates {@link Driver drivers}, optionally letting you {@link #driver(URI, Config)} to configure them. 
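Review bot: the Javadoc added for `trustSystemCertificates()` and `trustAllCertificates()` is empty (`/** * * @return */`), which is worse than none because tooling renders the methods as documented. For the first I'd write `/** Trust only certificates signed by a CA in the JVM's default trust store. @return a trust strategy backed by the system CA certificates */`; for the second the description has to carry a warning — it trusts every server certificate without validation, so the connection is encrypted but the server is not authenticated — with the `@since 1.1` kept.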
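Review bot: the `@deprecated` tag steers users from `trustOnFirstUse` to `trustAllCertificates()`, i.e. from a strategy that detects a changed server certificate to one that validates nothing, while the Javadoc just above it still says trust-on-first-use "protects against man-in-the-middle attacks". I'd point the replacement at the validating strategies: `@deprecated in 1.1 in favour of {@link #trustSystemCertificates()} or {@link #trustCustomCertificateSignedBy(File)}; use {@link #trustAllCertificates()} only where server authentication is not required`.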
@@ -215,25 +214,33 @@ private static SecurityPlan createSecurityPlan( BoltServerAddress address, Confi throws GeneralSecurityException, IOException { Config.EncryptionLevel encryptionLevel = config.encryptionLevel(); - boolean requiresEncryption = encryptionLevel.equals( REQUIRED ) || - (encryptionLevel.equals( REQUIRED_NON_LOCAL ) && !address.isLocal()); + boolean requiresEncryption = encryptionLevel.equals( REQUIRED ); if ( requiresEncryption ) { Logger logger = config.logging().getLog( "session" ); switch ( config.trustStrategy().strategy() ) { + + // DEPRECATED CASES // + case TRUST_ON_FIRST_USE: + logger.warn( + "Option `TRUST_ON_FIRST_USE` has been deprecated and will be removed in a future " + + "version of the driver. Please switch to use `TRUST_ALL_CERTIFICATES` instead." ); + return SecurityPlan.forTrustOnFirstUse( config.trustStrategy().certFile(), address, logger ); case TRUST_SIGNED_CERTIFICATES: logger.warn( "Option `TRUST_SIGNED_CERTIFICATE` has been deprecated and will be removed in a future " + - "version " + - "of the driver. Please switch to use `TRUST_CUSTOM_CA_SIGNED_CERTIFICATES` instead." ); - //intentional fallthrough + "version of the driver. Please switch to use `TRUST_CUSTOM_CA_SIGNED_CERTIFICATES` instead." ); + // intentional fallthrough + // END OF DEPRECATED CASES // + case TRUST_CUSTOM_CA_SIGNED_CERTIFICATES: - return SecurityPlan.forSignedCertificates( config.trustStrategy().certFile() ); - case TRUST_ON_FIRST_USE: - return SecurityPlan.forTrustOnFirstUse( config.trustStrategy().certFile(), - address, logger ); + return SecurityPlan.forCustomCASignedCertificates( config.trustStrategy().certFile() ); + case TRUST_SYSTEM_CA_SIGNED_CERTIFICATES: + return SecurityPlan.forSystemCASignedCertificates(); + case TRUST_ALL_CERTIFICATES: + return SecurityPlan.forAllCertificates(); default: throw new ClientException( "Unknown TLS authentication strategy: " + config.trustStrategy().strategy().name() ); 
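Review bot: the deprecation warning logged for `TRUST_ON_FIRST_USE` tells users to switch to `TRUST_ALL_CERTIFICATES`, the one option that validates less than the strategy being deprecated, and the new `TRUST_ALL_CERTIFICATES` case logs nothing, so an operator running on the new default gets no indication that server certificates are not checked. I'd recommend `TRUST_SYSTEM_CA_SIGNED_CERTIFICATES` or `TRUST_CUSTOM_CA_SIGNED_CERTIFICATES` in that message and add a warning on the trust-all branch: `logger.warn( "Option 'TRUST_ALL_CERTIFICATES' is in use: the connection is encrypted but the server certificate is not validated." );`. `createSecurityPlan` begins before the hunk and its unencrypted branch continues after it.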
diff --git a/driver/src/test/java/org/neo4j/driver/internal/ConfigTest.java b/driver/src/test/java/org/neo4j/driver/internal/ConfigTest.java index 363d6ce783..7266c4d5f4 100644 --- a/driver/src/test/java/org/neo4j/driver/internal/ConfigTest.java +++ b/driver/src/test/java/org/neo4j/driver/internal/ConfigTest.java @@ -45,8 +45,7 @@ public void shouldDefaultToKnownCerts() Config.TrustStrategy authConfig = config.trustStrategy(); // Then - assertEquals( authConfig.strategy(), Config.TrustStrategy.Strategy.TRUST_ON_FIRST_USE ); - assertEquals( DEFAULT_KNOWN_HOSTS.getAbsolutePath(), authConfig.certFile().getAbsolutePath() ); + assertEquals( authConfig.strategy(), Config.TrustStrategy.Strategy.TRUST_ALL_CERTIFICATES ); } @Test diff --git a/driver/src/test/java/org/neo4j/driver/internal/DirectDriverBoltKitTest.java b/driver/src/test/java/org/neo4j/driver/internal/DirectDriverBoltKitTest.java index 291ab355c8..2767ccbaf0 100644 --- a/driver/src/test/java/org/neo4j/driver/internal/DirectDriverBoltKitTest.java +++ b/driver/src/test/java/org/neo4j/driver/internal/DirectDriverBoltKitTest.java @@ -24,6 +24,7 @@ import java.io.IOException; import java.net.URI; +import org.neo4j.driver.v1.Config; import org.neo4j.driver.v1.Driver; import org.neo4j.driver.v1.GraphDatabase; import org.neo4j.driver.v1.Record; @@ -33,6 +34,7 @@ import static org.hamcrest.core.IsEqual.equalTo; import static org.junit.Assert.assertThat; import static org.neo4j.driver.v1.Values.parameters; +import static org.neo4j.driver.v1.util.StubServer.INSECURE_CONFIG; public class DirectDriverBoltKitTest { @@ -45,7 +47,7 @@ public void shouldBeAbleRunCypher() throws StubServer.ForceKilled, InterruptedEx int x; // When - try ( Driver driver = GraphDatabase.driver( uri ) ) + try ( Driver driver = GraphDatabase.driver( uri, INSECURE_CONFIG ) ) { try ( Session session = driver.session() ) { 
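Review bot: `shouldDefaultToKnownCerts` now asserts that the default is `TRUST_ALL_CERTIFICATES`, so the method name describes the behaviour that was removed; `shouldDefaultToTrustAllCertificates` would match the assertion. With the known-hosts assertion gone, `DEFAULT_KNOWN_HOSTS` may no longer be referenced in this test — worth checking its import. The method's signature is above the hunk.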
diff --git a/driver/src/test/java/org/neo4j/driver/internal/RoutingDriverBoltKitTest.java b/driver/src/test/java/org/neo4j/driver/internal/RoutingDriverBoltKitTest.java index 5210e1aa9e..eb96978b10 100644 --- a/driver/src/test/java/org/neo4j/driver/internal/RoutingDriverBoltKitTest.java +++ b/driver/src/test/java/org/neo4j/driver/internal/RoutingDriverBoltKitTest.java @@ -52,7 +52,9 @@ public class RoutingDriverBoltKitTest @Rule public ExpectedException exception = ExpectedException.none(); - private static final Config config = Config.build().withLogging( new ConsoleLogging( Level.INFO ) ).toConfig(); + private static final Config config = Config.build() + .withEncryptionLevel( Config.EncryptionLevel.NONE ) + .withLogging( new ConsoleLogging( Level.INFO ) ).toConfig(); @Test public void shouldHandleAcquireReadSession() throws IOException, InterruptedException, StubServer.ForceKilled diff --git a/driver/src/test/java/org/neo4j/driver/internal/RoutingDriverTest.java b/driver/src/test/java/org/neo4j/driver/internal/RoutingDriverTest.java index 3b60b1c2cc..dd22b38123 100644 --- a/driver/src/test/java/org/neo4j/driver/internal/RoutingDriverTest.java +++ b/driver/src/test/java/org/neo4j/driver/internal/RoutingDriverTest.java @@ -18,6 +18,7 @@ */ package org.neo4j.driver.internal; +import java.io.File; import java.util.Collections; import java.util.Map; @@ -35,7 +36,10 @@ import org.neo4j.driver.internal.spi.ConnectionPool; import org.neo4j.driver.internal.util.FakeClock; import org.neo4j.driver.v1.AccessMode; +import org.neo4j.driver.v1.Config; +import org.neo4j.driver.v1.Driver; import org.neo4j.driver.v1.EventLogger; +import org.neo4j.driver.v1.GraphDatabase; import org.neo4j.driver.v1.Logging; import org.neo4j.driver.v1.RetryLogic; import org.neo4j.driver.v1.Value; 
@@ -43,8 +47,11 @@ import org.neo4j.driver.v1.exceptions.ServiceUnavailableException; import static java.util.Arrays.asList; + +import static junit.framework.TestCase.fail; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotEquals; +import static org.junit.Assert.assertTrue; import static org.mockito.Matchers.any; import static org.mockito.Matchers.eq; import static org.mockito.Mockito.doAnswer; @@ -306,6 +313,26 @@ public void shouldRoundRobinAmongWriteServers() assertNotEquals( write3.address(), write1.address() ); } + @Test + public void testTrustOnFirstUseNotCompatibleWithRoutingDriver() + { + // Given + final Config tofuConfig = Config.build() + .withEncryptionLevel( Config.EncryptionLevel.REQUIRED ) + .withTrustStrategy( Config.TrustStrategy.trustOnFirstUse( new File( "foo" ) ) ).toConfig(); + + try + { + // When + GraphDatabase.driver( "bolt+routing://127.0.0.1:7687", tofuConfig ); + fail(); + } + catch ( IllegalArgumentException e ) + { + // Then we should end up here + } + } + @SafeVarargs private final RoutingDriver driverWithServers( long ttl, Map... serverInfo ) { diff --git a/driver/src/test/java/org/neo4j/driver/internal/net/BoltServerAddressTest.java b/driver/src/test/java/org/neo4j/driver/internal/net/BoltServerAddressTest.java index 57f22b7797..94e11af4b5 100644 --- a/driver/src/test/java/org/neo4j/driver/internal/net/BoltServerAddressTest.java +++ b/driver/src/test/java/org/neo4j/driver/internal/net/BoltServerAddressTest.java 
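Review bot: `testTrustOnFirstUseNotCompatibleWithRoutingDriver` calls `fail()` with no message and, if driver creation unexpectedly succeeds, leaks the driver it just built; `try ( Driver ignored = GraphDatabase.driver( "bolt+routing://127.0.0.1:7687", tofuConfig ) ) { fail( "expected IllegalArgumentException for trust-on-first-use with a routing driver" ); }` closes it and says what broke. The new import of `junit.framework.TestCase.fail` (JUnit 3) sits next to the existing `org.junit.Assert.*` imports — `org.junit.Assert.fail` keeps the file on one API — and the added `assertTrue` import is not used in the visible hunks. The rest of the class names tests `should...`, so `shouldRejectTrustOnFirstUseForRoutingDriver` would fit.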
@@ -27,17 +27,6 @@ public class BoltServerAddressTest { - @Test - public void variantsOfLocalHostShouldResolveAsLocal() throws Exception - { - assertThat( new BoltServerAddress( "localhost", 7687 ).isLocal(), equalTo( true ) ); - assertThat( new BoltServerAddress( "LocalHost", 7687 ).isLocal(), equalTo( true ) ); - assertThat( new BoltServerAddress( "LOCALHOST", 7687 ).isLocal(), equalTo( true ) ); - assertThat( new BoltServerAddress( "127.0.0.1", 7687 ).isLocal(), equalTo( true ) ); - assertThat( new BoltServerAddress( "127.5.6.7", 7687 ).isLocal(), equalTo( true ) ); - assertThat( new BoltServerAddress( "x", 7687 ).isLocal(), equalTo( false ) ); - } - @Test public void defaultPortShouldBe7687() { diff --git a/driver/src/test/java/org/neo4j/driver/v1/GraphDatabaseBoltKitTest.java b/driver/src/test/java/org/neo4j/driver/v1/GraphDatabaseBoltKitTest.java index fe7083699e..c532369998 100644 --- a/driver/src/test/java/org/neo4j/driver/v1/GraphDatabaseBoltKitTest.java +++ b/driver/src/test/java/org/neo4j/driver/v1/GraphDatabaseBoltKitTest.java @@ -31,6 +31,8 @@ import static org.hamcrest.core.IsInstanceOf.instanceOf; import static org.junit.Assert.assertThat; +import static org.neo4j.driver.v1.util.StubServer.INSECURE_CONFIG; + public class GraphDatabaseBoltKitTest { @Test @@ -41,7 +43,7 @@ public void boltPlusDiscoverySchemeShouldInstantiateClusterDriver() throws IOExc URI uri = URI.create( "bolt+routing://127.0.0.1:9001" ); // When - Driver driver = GraphDatabase.driver( uri ); + Driver driver = GraphDatabase.driver( uri, INSECURE_CONFIG ); // Then assertThat( driver, instanceOf( RoutingDriver.class ) ); diff --git a/driver/src/test/java/org/neo4j/driver/v1/integration/EncryptionIT.java b/driver/src/test/java/org/neo4j/driver/v1/integration/EncryptionIT.java index d8baee2588..20e88ad9ca 100644 --- a/driver/src/test/java/org/neo4j/driver/v1/integration/EncryptionIT.java +++ b/driver/src/test/java/org/neo4j/driver/v1/integration/EncryptionIT.java 
@@ -27,7 +27,6 @@ import static org.hamcrest.MatcherAssert.assertThat; import static org.neo4j.driver.v1.Config.EncryptionLevel.NONE; import static org.neo4j.driver.v1.Config.EncryptionLevel.REQUIRED; -import static org.neo4j.driver.v1.Config.EncryptionLevel.REQUIRED_NON_LOCAL; public class EncryptionIT { @@ -57,29 +56,6 @@ public void shouldOperateWithNoEncryption() throws Exception driver.close(); } - @Test - public void shouldOperateWithRequiredNonLocalEncryption() throws Exception - { - // Given - Driver driver = GraphDatabase.driver( neo4j.uri(), Config.build().withEncryptionLevel( REQUIRED_NON_LOCAL ).toConfig() ); - - // Then - assertThat( driver.isEncrypted(), equalTo( !neo4j.address().isLocal() ) ); - - // When - Session session = driver.session(); - StatementResult result = session.run( "RETURN 1" ); - - // Then - Record record = result.next(); - int value = record.get( 0 ).asInt(); - assertThat( value, equalTo( 1 ) ); - - // Finally - session.close(); - driver.close(); - } - @Test public void shouldOperateWithRequiredEncryption() throws Exception { diff --git a/driver/src/test/java/org/neo4j/driver/v1/integration/ServerKilledIT.java b/driver/src/test/java/org/neo4j/driver/v1/integration/ServerKilledIT.java index 2be1b45cfc..f9c59267ab 100644 --- a/driver/src/test/java/org/neo4j/driver/v1/integration/ServerKilledIT.java +++ b/driver/src/test/java/org/neo4j/driver/v1/integration/ServerKilledIT.java @@ -21,6 +21,7 @@ import org.junit.Rule; import org.junit.Test; +import org.neo4j.driver.v1.Config; import org.neo4j.driver.v1.Driver; import org.neo4j.driver.v1.GraphDatabase; import org.neo4j.driver.v1.Session; 
@@ -43,7 +44,8 @@ public class ServerKilledIT public void shouldRecoverFromServerRestart() throws Throwable { // Given - try ( Driver driver = GraphDatabase.driver( Neo4jRunner.DEFAULT_URI ) ) + try ( Driver driver = GraphDatabase.driver( Neo4jRunner.DEFAULT_URI, + Config.build().withEncryptionLevel( Config.EncryptionLevel.NONE ).toConfig() ) ) { Session s1 = driver.session(); Session s2 = driver.session(); diff --git a/driver/src/test/java/org/neo4j/driver/v1/integration/TLSSocketChannelIT.java b/driver/src/test/java/org/neo4j/driver/v1/integration/TLSSocketChannelIT.java index 45e233329b..97a81f365f 100644 --- a/driver/src/test/java/org/neo4j/driver/v1/integration/TLSSocketChannelIT.java +++ b/driver/src/test/java/org/neo4j/driver/v1/integration/TLSSocketChannelIT.java @@ -117,10 +117,8 @@ public void shouldPerformTLSHandshakeWithTrustedCert() throws Throwable channel.connect( address.toSocketAddress() ); // When - SecurityPlan securityPlan = SecurityPlan.forSignedCertificates( rootCert ); - TLSSocketChannel sslChannel = - new TLSSocketChannel( address, securityPlan, channel, logger - ); + SecurityPlan securityPlan = SecurityPlan.forCustomCASignedCertificates( rootCert ); + TLSSocketChannel sslChannel = TLSSocketChannel.create( address, securityPlan, channel, logger ); sslChannel.close(); // Then @@ -146,13 +144,13 @@ public void shouldNotPerformTLSHandshakeWithNonSystemCert() throws Throwable Logger logger = mock( Logger.class ); SocketChannel channel = SocketChannel.open(); channel.connect( new InetSocketAddress( "localhost", 7687 ) ); - SecurityPlan securityPlan = SecurityPlan.forSystemCertificates(); + SecurityPlan securityPlan = SecurityPlan.forSystemCASignedCertificates(); // When try { TLSSocketChannel sslChannel = - new TLSSocketChannel(address, securityPlan, channel, logger); + TLSSocketChannel.create(address, securityPlan, channel, logger); sslChannel.close(); } catch ( SSLHandshakeException e ) 
@@ -188,7 +186,7 @@ public void shouldFailTLSHandshakeDueToWrongCertInKnownCertsFile() throws Throwa TLSSocketChannel sslChannel = null; try { - sslChannel = new TLSSocketChannel( address, securityPlan, channel, mock( Logger.class ) ); + sslChannel = TLSSocketChannel.create( address, securityPlan, channel, mock( Logger.class ) ); sslChannel.close(); } catch ( SSLHandshakeException e ) @@ -237,11 +235,11 @@ public void shouldFailTLSHandshakeDueToServerCertNotSignedByKnownCA() throws Thr CertificateTool.saveX509Cert( aRandomCert, trustedCertFile ); // When & Then - SecurityPlan securityPlan = SecurityPlan.forSignedCertificates( trustedCertFile ); + SecurityPlan securityPlan = SecurityPlan.forCustomCASignedCertificates( trustedCertFile ); TLSSocketChannel sslChannel = null; try { - sslChannel = new TLSSocketChannel( neo4j.address(), securityPlan, channel, mock( Logger.class ) ); + sslChannel = TLSSocketChannel.create( neo4j.address(), securityPlan, channel, mock( Logger.class ) ); sslChannel.close(); } catch ( SSLHandshakeException e ) @@ -269,8 +267,8 @@ public void shouldPerformTLSHandshakeWithTheSameTrustedServerCert() throws Throw // When URI url = URI.create( "localhost:7687" ); - SecurityPlan securityPlan = SecurityPlan.forSignedCertificates( Neo4jSettings.DEFAULT_TLS_CERT_FILE ); - TLSSocketChannel sslChannel = new TLSSocketChannel( address, securityPlan, channel, logger ); + SecurityPlan securityPlan = SecurityPlan.forCustomCASignedCertificates( Neo4jSettings.DEFAULT_TLS_CERT_FILE ); + TLSSocketChannel sslChannel = TLSSocketChannel.create( address, securityPlan, channel, logger ); sslChannel.close(); // Then 
@@ -335,7 +333,7 @@ private void performTLSHandshakeUsingKnownCerts( File knownCerts ) throws Throwa SecurityPlan securityPlan = SecurityPlan.forTrustOnFirstUse( knownCerts, address, new DevNullLogger() ); TLSSocketChannel sslChannel = - new TLSSocketChannel( address, securityPlan, channel, logger ); + TLSSocketChannel.create( address, securityPlan, channel, logger ); sslChannel.close(); // Then diff --git a/driver/src/test/java/org/neo4j/driver/v1/util/StubServer.java b/driver/src/test/java/org/neo4j/driver/v1/util/StubServer.java index 673268cd78..10c52c86d9 100644 --- a/driver/src/test/java/org/neo4j/driver/v1/util/StubServer.java +++ b/driver/src/test/java/org/neo4j/driver/v1/util/StubServer.java @@ -24,6 +24,8 @@ import java.util.ArrayList; import java.util.List; +import org.neo4j.driver.v1.Config; + import static java.lang.Thread.sleep; import static java.util.Arrays.asList; import static java.util.Collections.singletonList; @@ -31,6 +33,9 @@ public class StubServer { + public static final Config INSECURE_CONFIG = Config.build() + .withEncryptionLevel( Config.EncryptionLevel.NONE ).toConfig(); + // This may be thrown if the driver has not been closed properly public static class ForceKilled extends Exception {}