Add bearer auth token for SSO

Author: robsdedude

neo4j/__init__.py

@@ -29,6 +29,7 @@
     "AuthToken",
     "basic_auth",
     "kerberos_auth",
+    "bearer_auth",
     "custom_auth",
     "Bookmark",
     "ServerInfo",
@@ -69,6 +70,7 @@
     AuthToken,
     basic_auth,
     kerberos_auth,
+    bearer_auth,
     custom_auth,
     Bookmark,
     ServerInfo,

neo4j/api.py

@@ -66,22 +66,32 @@ class Auth:
     :param scheme: specifies the type of authentication, examples: "basic", "kerberos"
     :type scheme: str
     :param principal: specifies who is being authenticated
-    :type principal: str
+    :type principal: str or None
     :param credentials: authenticates the principal
-    :type credentials: str
+    :type credentials: str or None
     :param realm: specifies the authentication provider
-    :type realm: str
+    :type realm: str or None
     :param parameters: extra key word parameters passed along to the authentication provider
-    :type parameters: str
+    :type parameters: Dict[str, Any]
     """
 
-    #: By default we should not send any realm
-    realm = None
-
+    # TODO in 5.0: change signature to
+    #     def __init__(self, scheme, principal=None, credentials=None,
+    #                  ticket=None, realm=None, **parameters):
     def __init__(self, scheme, principal, credentials, realm=None, **parameters):
         self.scheme = scheme
-        self.principal = principal
-        self.credentials = credentials
+        # Neo4j servers pre 4.4 require the principal field to always be
+        # present. Therefore, we transmit it even if it's an empty sting.
+        if principal is not None:
+            self.principal = principal
+        if credentials:
+            self.credentials = credentials
+        # TODO in 5.0: add ticket
+        # :param ticket: alternative to authenticate the principal (depends on
+        #                scheme)
+        # :type ticket: str or None
+        # if ticket is not None:
+        #     self.ticket = ticket
         if realm:
             self.realm = realm
         if parameters:
@@ -108,7 +118,7 @@ def basic_auth(user, password, realm=None):
 
 
 def kerberos_auth(base64_encoded_ticket):
-    """ Generate a kerberos auth token with the base64 encoded ticket
+    """ Generate a kerberos auth token with the base64 encoded ticket.
 
     This will set the scheme to "kerberos" for the auth token.
 
@@ -117,7 +127,24 @@ def kerberos_auth(base64_encoded_ticket):
     :return: auth token for use with :meth:`GraphDatabase.driver`
     :rtype: :class:`neo4j.Auth`
     """
-    return Auth("kerberos", "", base64_encoded_ticket)
+    token = Auth("kerberos", "", None)
+    # token field is not supported by any other auth scheme. So we inject it.
+    token.ticket = base64_encoded_ticket
+    return token
+
+
+def bearer_auth(base64_encoded_token):
+    """ Generate an auth token for Single-Sign-On providers.
+
+    This will set the scheme to "bearer" for the auth token.
+
+    :param base64_encoded_token: a base64 encoded authentication token generated
+                                 by a Single-Sign-On provider.
+
+    :return: auth token for use with :meth:`GraphDatabase.driver`
+    :rtype: :class:`neo4j.Auth`
+    """
+    return Auth("bearer", None, base64_encoded_token)
 
 
 def custom_auth(principal, credentials, realm, scheme, **parameters):
@@ -134,6 +161,15 @@ def custom_auth(principal, credentials, realm, scheme, **parameters):
     """
     return Auth(scheme, principal, credentials, realm, **parameters)
 
+# TODO in 5.0: alter custom_auth to
+# def custom_auth(principal, credentials, ticket, realm, scheme, **parameters):
+#     """...
+#     :param ticket: alternative to authenticate the principal (depends on
+#                    scheme)
+#     ..."""
+#     return Auth(scheme, principal=principal, credentials=credentials,
+#                 ticket=ticket, realm=realm, **parameter
+
 
 class Bookmark:
     """A Bookmark object contains an immutable list of bookmark string values.

neo4j/exceptions.py

@@ -30,6 +30,7 @@
     + CypherTypeError
     + ConstraintError
     + AuthError
+      + TokenExpired
     + Forbidden
   + DatabaseError
   + TransientError
@@ -199,6 +200,12 @@ class AuthError(ClientError):
     """
 
 
+class TokenExpired(AuthError):
+    """ Raised when the authentication token has expired.
+
+    A new driver instance with a fresh authentication token needs to be created.
+    """
+
 client_errors = {
 
     # ConstraintError
@@ -228,8 +235,11 @@ class AuthError(ClientError):
     "Neo.ClientError.Security.AuthorizationFailed": AuthError,
     "Neo.ClientError.Security.Unauthorized": AuthError,
 
+    # TokenExpired
+    "Neo.ClientError.Security.TokenExpired": TokenExpired,
+
     # NotALeader
-    "Neo.ClientError.Cluster.NotALeader": NotALeader
+    "Neo.ClientError.Cluster.NotALeader": NotALeader,
 }
 
 transient_errors = {

testkitbackend/requests.py

@@ -54,10 +54,23 @@ def NewDriver(backend, data):
     data["authorizationToken"].mark_item_as_read_if_equals(
         "name", "AuthorizationToken"
     )
-    auth = neo4j.Auth(
-            auth_token["scheme"], auth_token["principal"],
-            auth_token["credentials"], realm=auth_token["realm"])
-    auth_token.mark_item_as_read_if_equals("ticket", "")
+    scheme = auth_token["scheme"]
+    if scheme == "basic":
+        auth = neo4j.basic_auth(
+            auth_token["principal"], auth_token["credentials"],
+            realm=auth_token.get("realm", None)
+        )
+    elif scheme == "kerberos":
+        auth = neo4j.kerberos_auth(auth_token["ticket"])
+    elif scheme == "bearer":
+        auth = neo4j.bearer_auth(auth_token["credentials"])
+    else:
+        auth = neo4j.custom_auth(
+            auth_token["principal"], auth_token["credentials"],
+            auth_token["realm"], auth_token["scheme"],
+            **auth_token.get("parameters", {})
+        )
+        auth_token.mark_item_as_read("parameters", recursive=True)
     resolver = None
     if data["resolverRegistered"] or data["domainNameResolverRegistered"]:
         resolver = resolution_func(backend, data["resolverRegistered"],

testkitbackend/test_config.json

@@ -26,12 +26,21 @@
       "Flaky: test requires the driver to contact servers in a specific order",
     "stub.authorization.test_authorization.TestAuthorizationV4x1.test_should_retry_on_auth_expired_on_begin_using_tx_function":
       "Flaky: test requires the driver to contact servers in a specific order",
+    "stub.authorization.test_authorization.TestAuthorizationV4x3.test_should_fail_on_token_expired_on_begin_using_tx_function":
+      "Flaky: test requires the driver to contact servers in a specific order",
+    "stub.authorization.test_authorization.TestAuthorizationV3.test_should_fail_on_token_expired_on_begin_using_tx_function":
+      "Flaky: test requires the driver to contact servers in a specific order",
+    "stub.authorization.test_authorization.TestAuthorizationV4x1.test_should_fail_on_token_expired_on_begin_using_tx_function":
+      "Flaky: test requires the driver to contact servers in a specific order",
     "stub.session_run_parameters.test_session_run_parameters.TestSessionRunParameters.test_empty_query":
       "Driver rejects empty queries before sending it to the server",
     "tls.tlsversions.TestTlsVersions.test_1_1":
       "TLSv1.1 and below are disabled in the driver"
   },
   "features": {
+    "Feature:Auth:Bearer": true,
+    "Feature:Auth:Custom": true,
+    "Feature:Auth:Kerberos": true,
     "AuthorizationExpiredTreatment": true,
     "Optimization:ImplicitDefaultArguments": true,
     "Optimization:MinimalResets": true,

tests/unit/test_security.py

@@ -22,6 +22,7 @@
 from neo4j.api import (
     kerberos_auth,
     basic_auth,
+    bearer_auth,
     custom_auth,
 )
 
@@ -32,8 +33,19 @@ def test_should_generate_kerberos_auth_token_correctly():
     auth = kerberos_auth("I am a base64 service ticket")
     assert auth.scheme == "kerberos"
     assert auth.principal == ""
-    assert auth.credentials == "I am a base64 service ticket"
-    assert not auth.realm
+    assert auth.ticket == "I am a base64 service ticket"
+    assert not hasattr(auth,  "credentials")
+    assert not hasattr(auth,  "realm")
+    assert not hasattr(auth, "parameters")
+
+
+def test_should_generate_bearer_auth_token_correctly():
+    auth = bearer_auth("I am a base64 SSO ticket")
+    assert auth.scheme == "bearer"
+    assert auth.credentials == "I am a base64 SSO ticket"
+    assert not hasattr(auth, "principal")
+    assert not hasattr(auth, "ticket")
+    assert not hasattr(auth, "realm")
     assert not hasattr(auth, "parameters")
 
 
@@ -42,7 +54,7 @@ def test_should_generate_basic_auth_without_realm_correctly():
     assert auth.scheme == "basic"
     assert auth.principal == "molly"
     assert auth.credentials == "meoooow"
-    assert not auth.realm
+    assert not hasattr(auth, "realm")
     assert not hasattr(auth, "parameters")
 
 
@@ -55,6 +67,15 @@ def test_should_generate_base_auth_with_realm_correctly():
     assert not hasattr(auth, "parameters")
 
 
+def test_should_generate_base_auth_with_keyword_realm_correctly():
+    auth = basic_auth("molly", "meoooow", realm="cat_cafe")
+    assert auth.scheme == "basic"
+    assert auth.principal == "molly"
+    assert auth.credentials == "meoooow"
+    assert auth.realm == "cat_cafe"
+    assert not hasattr(auth, "parameters")
+
+
 def test_should_generate_custom_auth_correctly():
     auth = custom_auth("molly", "meoooow", "cat_cafe", "cat", age="1", color="white")
     assert auth.scheme == "cat"