Merge branch '1.0' into 1.1

# Conflicts:
#	src/v1/internal/ch-node.js
#	src/v1/internal/ch-websocket.js
#	src/v1/internal/connector.js
#	test/v1/tck/steps/tlssteps.js

Author: oskarhane

src/v1/driver.js

@@ -197,15 +197,18 @@ let USER_AGENT = "neo4j-javascript/" + VERSION;
  *       // This means that by default, connections "just work" while still giving you
  *       // good encrypted protection.
  *       //
- *       // TRUST_SIGNED_CERTIFICATES is the classic approach to trust verification -
+ *       // TRUST_CUSTOM_CA_SIGNED_CERTIFICATES is the classic approach to trust verification -
  *       // whenever we establish an encrypted connection, we ensure the host is using
  *       // an encryption certificate that is in, or is signed by, a certificate listed
  *       // as trusted. In the web bundle, this list of trusted certificates is maintained
  *       // by the web browser. In NodeJS, you configure the list with the next config option.
- *       trust: "TRUST_ON_FIRST_USE" | "TRUST_SIGNED_CERTIFICATES",
+ *       //
+ *       // TRUST_SYSTEM_CA_SIGNED_CERTIFICATES meand that you trust whatever certificates
+ *       // are in the default certificate chain of th
+ *       trust: "TRUST_ON_FIRST_USE" | "TRUST_SIGNED_CERTIFICATES" | TRUST_CUSTOM_CA_SIGNED_CERTIFICATES | TRUST_SYSTEM_CA_SIGNED_CERTIFICATES,
  *
  *       // List of one or more paths to trusted encryption certificates. This only
- *       // works in the NodeJS bundle, and only matters if you use "TRUST_SIGNED_CERTIFICATES".
+ *       // works in the NodeJS bundle, and only matters if you use "TRUST_CUSTOM_CA_SIGNED_CERTIFICATES".
  *       // The certificate files should be in regular X.509 PEM format.
  *       // For instance, ['./trusted.pem']
  *       trustedCertificates: [],

src/v1/internal/ch-node.js

@@ -105,9 +105,17 @@ function storeFingerprint( serverId, knownHostsPath, fingerprint, cb ) {
 }
 
 const TrustStrategy = {
-  TRUST_SIGNED_CERTIFICATES : function( opts, onSuccess, onFailure ) {
+  /**
+   * @deprecated Since version 1.0. Will be deleted in a future version. TRUST_CUSTOM_CA_SIGNED_CERTIFICATES.
+   */
+  TRUST_SIGNED_CERTIFICATES: function( opts, onSuccess, onFailure ) {
+    console.log("`TRUST_SIGNED_CERTIFICATES` has been deprecated as option and will be removed in a future version of " +
+      "the driver. Pleas use `TRUST_CUSTOM_CA_SIGNED_CERTIFICATES` instead.");
+    return TrustStrategy.TRUST_CUSTOM_CA_SIGNED_CERTIFICATES(opts, onSuccess, onFailure);
+  },
+  TRUST_CUSTOM_CA_SIGNED_CERTIFICATES : function( opts, onSuccess, onFailure ) {
     if( !opts.trustedCertificates || opts.trustedCertificates.length == 0 ) {
-      onFailure(newError("You are using TRUST_SIGNED_CERTIFICATES as the method " +
+      onFailure(newError("You are using TRUST_CUSTOM_CA_SIGNED_CERTIFICATES as the method " +
         "to verify trust for encrypted  connections, but have not configured any " +
         "trustedCertificates. You  must specify the path to at least one trusted " +
         "X.509 certificate for this to work. Two other alternatives is to use " +
@@ -139,6 +147,29 @@ const TrustStrategy = {
     socket.on('error', onFailure);
     return socket;
   },
+  TRUST_SYSTEM_CA_SIGNED_CERTIFICATES : function( opts, onSuccess, onFailure ) {
+
+    let tlsOpts = {
+      // Because we manually check for this in the connect callback, to give
+      // a more helpful error to the user
+      rejectUnauthorized: false
+    };
+    let socket = tls.connect(opts.port, opts.host, tlsOpts, function () {
+      if (!socket.authorized) {
+        onFailure(newError("Server certificate is not trusted. If you trust the database you are connecting to, use " +
+          "TRUST_CUSTOM_CA_SIGNED_CERTIFICATES and add" +
+          " the signing certificate, or the server certificate, to the list of certificates trusted by this driver" +
+          " using `neo4j.v1.driver(.., { trustedCertificates:['path/to/certificate.crt']}). This " +
+          " is a security measure to protect against man-in-the-middle attacks. If you are just trying " +
+          " Neo4j out and are not concerned about encryption, simply disable it using `encrypted=false` in the driver" +
+          " options."));
+      } else {
+        onSuccess();
+      }
+    });
+    socket.on('error', onFailure);
+    return socket;
+  },
   TRUST_ON_FIRST_USE : function( opts, onSuccess, onFailure ) {
     let tlsOpts = {
       // Because we manually verify the certificate against known_hosts
@@ -155,7 +186,7 @@ const TrustStrategy = {
         // do TOFU, and the safe approach is to fail.
         onFailure(newError("You are using a version of NodeJS that does not " +
           "support trust-on-first use encryption. You can either upgrade NodeJS to " +
-          "a newer version, use `trust:TRUST_SIGNED_CERTIFICATES` in your driver " +
+          "a newer version, use `trust:TRUST_CUSTOM_CA_SIGNED_CERTIFICATES` in your driver " +
           "config instead, or disable encryption using `encrypted:\"" + ENCRYPTION_OFF+ "\"`."));
         return;
       }
@@ -205,7 +236,7 @@ function connect( opts, onSuccess, onFailure=(()=>null) ) {
     return TrustStrategy[opts.trust](opts, onSuccess, onFailure);
   } else {
     onFailure(newError("Unknown trust strategy: " + opts.trust + ". Please use either " +
-      "trust:'TRUST_SIGNED_CERTIFICATES' or trust:'TRUST_ON_FIRST_USE' in your driver " +
+      "trust:'TRUST_CUSTOM_CA_SIGNED_CERTIFICATES' or trust:'TRUST_ON_FIRST_USE' in your driver " +
       "configuration. Alternatively, you can disable encryption by setting " +
       "`encrypted:\"" + ENCRYPTION_OFF + "\"`. There is no mechanism to use encryption without trust verification, " +
       "because this incurs the overhead of encryption without improving security. If " +

src/v1/internal/ch-websocket.js

@@ -46,13 +46,13 @@ class WebSocketChannel {
     let scheme = "ws";
     //Allow boolean for backwards compatibility
     if( opts.encrypted === true || opts.encrypted === ENCRYPTION_ON ||
-      (opts.encrypted === ENCRYPTION_NON_LOCAL && !isLocalHost(opts.host))) {
-      if( (!opts.trust) || opts.trust === "TRUST_SIGNED_CERTIFICATES" ) {
+       (opts.encrypted === ENCRYPTION_NON_LOCAL && !isLocalHost(opts.host)) ||
+       opts.trust === "TRUST_CUSTOM_CA_SIGNED_CERTIFICATES" ) {
         scheme = "wss";
       } else {
         this._error = newError("The browser version of this driver only supports one trust " +
-          "strategy, 'TRUST_SIGNED_CERTIFICATES'. "+opts.trust+" is not supported. Please " +
-          "either use TRUST_SIGNED_CERTIFICATES or disable encryption by setting " +
+          "strategy, 'TRUST_CUSTOM_CA_SIGNED_CERTIFICATES'. "+opts.trust+" is not supported. Please " +
+          "either use TRUST_CUSTOM_CA_SIGNED_CERTIFICATES or disable encryption by setting " +
           "`encrypted:\"" + ENCRYPTION_OFF + "\"` in the driver configuration.");
         return;
       }

src/v1/internal/connector.js

@@ -438,7 +438,7 @@ function connect( url, config = {}) {
     // Default to using ENCRYPTION_NON_LOCAL if trust-on-first-use is available
     encrypted : shouldEncrypt(config.encrypted, (hasFeature("trust_on_first_use") ? ENCRYPTION_NON_LOCAL : ENCRYPTION_OFF), host(url)),
     // Default to using TRUST_ON_FIRST_USE if it is available
-    trust : config.trust || (hasFeature("trust_on_first_use") ? "TRUST_ON_FIRST_USE" : "TRUST_SIGNED_CERTIFICATES"),
+    trust : config.trust || (hasFeature("trust_on_first_use") ? "TRUST_ON_FIRST_USE" : "TRUST_CUSTOM_CA_SIGNED_CERTIFICATES"),
     trustedCertificates : config.trustedCertificates || [],
     knownHosts : config.knownHosts
   }));

test/internal/tls.test.js

@@ -91,6 +91,81 @@ describe('trust-signed-certificates', function() {
   });
 });
 
+describe('trust-custom-ca-signed-certificates', function() {
+
+  var driver;
+
+  it('should reject unknown certificates', function(done) {
+    // Assuming we only run this test on NodeJS
+    if( !NodeChannel.available ) {
+      done();
+      return;
+    }
+
+    // Given
+    driver = neo4j.driver("bolt://localhost", neo4j.auth.basic("neo4j", "neo4j"), {
+      encrypted: true,
+      trust: "TRUST_CUSTOM_CA_SIGNED_CERTIFICATES",
+      trustedCertificates: ["test/resources/random.certificate"]
+    });
+
+    // When
+    driver.session().run( "RETURN 1").catch( function(err) {
+      expect( err.message ).toContain( "Server certificate is not trusted" );
+      done();
+    });
+  });
+
+  it('should accept known certificates', function(done) {
+    // Assuming we only run this test on NodeJS with TOFU support
+    if( !NodeChannel.available ) {
+      done();
+      return;
+    }
+
+    // Given
+    driver = neo4j.driver("bolt://localhost", neo4j.auth.basic("neo4j", "neo4j"), {
+      encrypted: true,
+      trust: "TRUST_CUSTOM_CA_SIGNED_CERTIFICATES",
+      trustedCertificates: ["build/neo4j/certificates/neo4j.cert"]
+    });
+
+    // When
+    driver.session().run( "RETURN 1").then( done );
+  });
+
+  afterEach(function(){
+    if( driver ) {
+      driver.close();
+    }
+  });
+});
+
+describe('trust-system-ca-signed-certificates', function() {
+
+  var driver;
+
+  fit('should reject unknown certificates', function(done) {
+    // Assuming we only run this test on NodeJS
+    if( !NodeChannel.available ) {
+      done();
+      return;
+    }
+
+    // Given
+    driver = neo4j.driver("bolt://localhost", neo4j.auth.basic("neo4j", "neo4j"), {
+      encrypted: true,
+      trust: "TRUST_SYSTEM_CA_SIGNED_CERTIFICATES"
+    });
+
+    // When
+    driver.session().run( "RETURN 1").catch( function(err) {
+      expect( err.message ).toContain( "Server certificate is not trusted" );
+      done();
+    });
+  });
+});
+
 describe('trust-on-first-use', function() {
 
   var driver;

test/v1/examples.test.js

@@ -357,7 +357,7 @@ describe('examples', function() {
     var driver = neo4j.driver("bolt://localhost", neo4j.auth.basic("neo4j", "neo4j"), {
       // Note that trust-on-first-use is not available in the browser bundle,
       // in NodeJS, trust-on-first-use is the default trust mode. In the browser
-      // it is TRUST_SIGNED_CERTIFICATES.
+      // it is TRUST_CUSTOM_CA_SIGNED_CERTIFICATES.
       trust: "TRUST_ON_FIRST_USE",
       encrypted:"ENCRYPTION_NON_LOCAL"
     });
@@ -369,7 +369,7 @@ describe('examples', function() {
     var neo4j = neo4jv1;
     // tag::tls-signed[]
     var driver = neo4j.driver("bolt://localhost", neo4j.auth.basic("neo4j", "neo4j"), {
-      trust: "TRUST_SIGNED_CERTIFICATES",
+      trust: "TRUST_CUSTOM_CA_SIGNED_CERTIFICATES",
       // Configuring which certificates to trust here is only available
       // in NodeJS. In the browser bundle the browsers list of trusted
       // certificates is used, due to technical limitations in some browsers.

test/v1/tck/steps/tlssteps.js

@@ -108,7 +108,7 @@ module.exports = function () {
   this.Given(/^a driver configured to use a trusted certificate$/, function (callback) {
     this.config = {
       encrypted: "ENCRYPTION_ON",
-      trust: "TRUST_SIGNED_CERTIFICATES",
+      trust: "TRUST_CUSTOM_CA_SIGNED_CERTIFICATES",
       knownHosts: this.knownHosts1,
       trustedCertificates: ['./test/resources/root.cert']
     };
@@ -133,7 +133,7 @@ module.exports = function () {
     //common name is not set to localhost
     this.config = {
       encrypted: "ENCRYPTION_ON",
-      trust: "TRUST_SIGNED_CERTIFICATES",
+      trust: "TRUST_CUSTOM_CA_SIGNED_CERTIFICATES",
       knownHosts: this.knownHosts1,
       trustedCertificates: [util.neo4jCert]
     };