auth

package
v5.27.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 28, 2024 License: Apache-2.0 Imports: 14 Imported by: 4

Documentation

Index

Examples

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type ClientCertificate added in v5.19.0

type ClientCertificate struct {
	CertFile string  // Path to the TLS certificate file.
	KeyFile  string  // Path to the TLS private key file.
	Password *string // Optional password for decrypting the private key file. Nil indicates no password is set.
}

ClientCertificate holds paths to a TLS certificate file and its corresponding private key file. This struct is used to load client certificate-key pairs for use in mutual TLS.

ClientCertificate is part of the mTLS preview feature (see README on what it means in terms of support and compatibility guarantees)

type ClientCertificateProvider added in v5.19.0

type ClientCertificateProvider interface {
	// GetCertificate returns a tls.Certificate for use in TLS connections.
	// Implementations should ensure thread-safety and handle any necessary logic
	// to provide the most up-to-date certificate.
	//
	// If a nil value is returned, it indicates that no client certificate is available for use in the TLS connection.
	// This might be the case if the certificate is not yet available, or if no certificate is configured for use.
	// GetCertificate is part of the mTLS preview feature
	// (see README on what it means in terms of support and compatibility guarantees)
	GetCertificate() *tls.Certificate
}

ClientCertificateProvider defines an interface for retrieving a tls.Certificate. Implementations of this interface can provide static or dynamically updatable certificates.

ClientCertificateProvider is part of the mTLS preview feature (see README on what it means in terms of support and compatibility guarantees)

type RotatingClientCertificateProvider added in v5.19.0

type RotatingClientCertificateProvider struct {
	// contains filtered or unexported fields
}

RotatingClientCertificateProvider is an implementation of ClientCertificateProvider that supports dynamic updates to the tls.Certificate it provides. It is useful for scenarios where certificates need to be rotated or updated without restarting the application.

RotatingClientCertificateProvider is part of the mTLS preview feature (see README on what it means in terms of support and compatibility guarantees)

func NewRotatingClientCertificateProvider added in v5.19.0

func NewRotatingClientCertificateProvider(cert ClientCertificate) (*RotatingClientCertificateProvider, error)

NewRotatingClientCertificateProvider creates a new RotatingClientCertificateProvider given a ClientCertificate. This function loads the certificate-key pair specified in the ClientCertificate and returns a provider that allows updating the certificate dynamically through its UpdateCertificate method.

NewRotatingClientCertificateProvider is part of the mTLS preview feature (see README on what it means in terms of support and compatibility guarantees)

Example
package main

import (
	"github.com/neo4j/neo4j-go-driver/v5/neo4j"
	"github.com/neo4j/neo4j-go-driver/v5/neo4j/auth"
	"github.com/neo4j/neo4j-go-driver/v5/neo4j/config"
	"log"
)

func main() {
	password := "thepassword1"
	provider, err := auth.NewRotatingClientCertificateProvider(auth.ClientCertificate{
		CertFile: "path/to/cert.pem",
		KeyFile:  "path/to/key.pem",
		Password: &password,
	})
	if err != nil {
		log.Fatalf("Failed to load certificate: %v", err)
	}
	_, _ = neo4j.NewDriverWithContext("bolt://localhost:7687", neo4j.BasicAuth("neo4j", "password", ""), func(config *config.Config) {
		config.ClientCertificateProvider = provider
	})
	// Some time later we update the certificate
	err = provider.UpdateCertificate(auth.ClientCertificate{
		CertFile: "path/to/new_cert.pem",
		KeyFile:  "path/to/new_key.pem",
		Password: &password,
	})
	if err != nil {
		// Handle the error
		log.Fatalf("Failed to update certificate: %v", err)
	}
}
Output:

func (*RotatingClientCertificateProvider) GetCertificate added in v5.19.0

func (p *RotatingClientCertificateProvider) GetCertificate() *tls.Certificate

func (*RotatingClientCertificateProvider) UpdateCertificate added in v5.19.0

func (p *RotatingClientCertificateProvider) UpdateCertificate(cert ClientCertificate) error

UpdateCertificate updates the certificate stored in the provider with a new certificate specified by the ClientCertificate. This method allows dynamic updates to the certificate used in TLS connections, facilitating use cases such as certificate rotation.

UpdateCertificate is part of the mTLS preview feature (see README on what it means in terms of support and compatibility guarantees)

type StaticClientCertificateProvider added in v5.19.0

type StaticClientCertificateProvider struct {
	// contains filtered or unexported fields
}

StaticClientCertificateProvider is an implementation of ClientCertificateProvider that provides a static, unchangeable tls.Certificate. It is intended for use cases where the certificate does not need to be updated over the lifetime of the application.

StaticClientCertificateProvider is part of the mTLS preview feature (see README on what it means in terms of support and compatibility guarantees)

func NewStaticClientCertificateProvider added in v5.19.0

func NewStaticClientCertificateProvider(cert ClientCertificate) (*StaticClientCertificateProvider, error)

NewStaticClientCertificateProvider creates a new StaticClientCertificateProvider given a ClientCertificate. This function loads the certificate-key pair specified in the ClientCertificate and returns a provider that will always return this loaded certificate.

NewStaticClientCertificateProvider is part of the mTLS preview feature (see README on what it means in terms of support and compatibility guarantees)

Example
package main

import (
	"github.com/neo4j/neo4j-go-driver/v5/neo4j"
	"github.com/neo4j/neo4j-go-driver/v5/neo4j/auth"
	"github.com/neo4j/neo4j-go-driver/v5/neo4j/config"
	"log"
)

func main() {
	password := "thepassword1"
	provider, err := auth.NewStaticClientCertificateProvider(auth.ClientCertificate{
		CertFile: "path/to/cert.pem",
		KeyFile:  "path/to/key.pem",
		Password: &password,
	})
	if err != nil {
		log.Fatalf("Failed to load certificate: %v", err)
	}
	_, _ = neo4j.NewDriverWithContext("bolt://localhost:7687", neo4j.BasicAuth("neo4j", "password", ""), func(config *config.Config) {
		config.ClientCertificateProvider = provider
	})
}
Output:

func (*StaticClientCertificateProvider) GetCertificate added in v5.19.0

func (p *StaticClientCertificateProvider) GetCertificate() *tls.Certificate

type TokenManager

type TokenManager interface {
	// GetAuthToken retrieves an auth.Token or returns an error if the retrieval fails.
	// auth.Token can be created with built-in functions such as:
	//   - `neo4j.NoAuth`
	//   - `neo4j.BasicAuth`
	//   - `neo4j.KerberosAuth`
	//   - `neo4j.BearerAuth`
	//   - `neo4j.CustomAuth`
	//
	// The token returned must always belong to the same identity.
	// Switching identities using the `TokenManager` is undefined behavior.
	GetAuthToken(ctx context.Context) (auth.Token, error)

	// HandleSecurityException is called when the server returns any `Neo.ClientError.Security.*` error.
	// It should return true if the error was handled, in which case the driver will mark the error as retryable.
	HandleSecurityException(context.Context, auth.Token, *db.Neo4jError) (bool, error)
}

TokenManager is an interface for components that can provide auth tokens. The `neo4j` package provides default implementations of `auth.TokenManager` for common authentication schemes. See `neo4j.NewDriverWithContext`. Custom implementations of this class can be used to provide more complex authentication refresh functionality.

WARNING:

The manager *must not* interact with the driver in any way as this can cause deadlocks and undefined behaviour.
Furthermore, the manager is expected to be thread-safe.

func BasicTokenManager added in v5.12.0

func BasicTokenManager(provider authTokenProvider) TokenManager

BasicTokenManager generates a TokenManager to manage basic auth password rotation. The provider is invoked solely when a new token instance is required, triggered by server rejection of the current token due to an authentication exception.

WARNING:

The provider function *must not* interact with the driver in any way as this can cause deadlocks and undefined behaviour.

The provider function must only ever return auth information belonging to the same identity. Switching identities is undefined behavior.

Example
package main

import (
	"context"
	"fmt"
	"github.com/neo4j/neo4j-go-driver/v5/neo4j"
	"github.com/neo4j/neo4j-go-driver/v5/neo4j/auth"
	"os"
)

func main() {
	fetchBasicAuthToken := func(ctx context.Context) (neo4j.AuthToken, error) {
		// some way of getting basic authentication information
		username, password, realm, err := getBasicAuth()
		if err != nil {
			return neo4j.AuthToken{}, err
		}
		// create and return a basic authentication token with provided username, password and realm
		return neo4j.BasicAuth(username, password, realm), nil
	}
	// create a new driver with a basic token manager which uses provider to handle basic auth password rotation.
	_, _ = neo4j.NewDriverWithContext(getUrl(), auth.BasicTokenManager(fetchBasicAuthToken))
}

func getBasicAuth() (username, password, realm string, error error) {
	username, password, realm = "username", "password", "realm"
	return
}

func getUrl() string {
	return fmt.Sprintf("%s://%s:%s", os.Getenv("TEST_NEO4J_SCHEME"), os.Getenv("TEST_NEO4J_HOST"), os.Getenv("TEST_NEO4J_PORT"))
}
Output:

func BearerTokenManager added in v5.12.0

func BearerTokenManager(provider authTokenWithExpirationProvider) TokenManager

BearerTokenManager generates a TokenManager to manage possibly expiring authentication details.

The provider is invoked when a new token instance is required, triggered by server rejection of the current token due to authentication or token expiration exceptions.

WARNING:

The provider function *must not* interact with the driver in any way as this can cause deadlocks and undefined behaviour.

The provider function must only ever return auth information belonging to the same identity. Switching identities is undefined behavior.

Example
package main

import (
	"context"
	"fmt"
	"github.com/neo4j/neo4j-go-driver/v5/neo4j"
	"github.com/neo4j/neo4j-go-driver/v5/neo4j/auth"
	"os"
	"time"
)

func main() {
	fetchAuthTokenFromMyProvider := func(ctx context.Context) (neo4j.AuthToken, *time.Time, error) {
		// some way of getting a token
		token, err := getSsoToken(ctx)
		if err != nil {
			return neo4j.AuthToken{}, nil, err
		}
		// assume we know our tokens expire every 60 seconds
		expiresIn := time.Now().Add(60 * time.Second)
		// Include a little buffer so that we fetch a new token *before* the old one expires
		expiresIn = expiresIn.Add(-10 * time.Second)
		// or return nil instead of `&expiresIn` if we don't expect it to expire
		return token, &expiresIn, nil
	}
	// create a new driver with a bearer token manager which uses provider to handle possibly expiring auth tokens.
	_, _ = neo4j.NewDriverWithContext(getUrl(), auth.BearerTokenManager(fetchAuthTokenFromMyProvider))
}

func getSsoToken(context.Context) (neo4j.AuthToken, error) {
	return neo4j.NoAuth(), nil
}

func getUrl() string {
	return fmt.Sprintf("%s://%s:%s", os.Getenv("TEST_NEO4J_SCHEME"), os.Getenv("TEST_NEO4J_HOST"), os.Getenv("TEST_NEO4J_PORT"))
}
Output:

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL