Documentation ¶
Index ¶
Examples ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type ClientCertificate ¶ added in v5.19.0
type ClientCertificate struct { CertFile string // Path to the TLS certificate file. KeyFile string // Path to the TLS private key file. Password *string // Optional password for decrypting the private key file. Nil indicates no password is set. }
ClientCertificate holds paths to a TLS certificate file and its corresponding private key file. This struct is used to load client certificate-key pairs for use in mutual TLS.
ClientCertificate is part of the mTLS preview feature (see README on what it means in terms of support and compatibility guarantees)
type ClientCertificateProvider ¶ added in v5.19.0
type ClientCertificateProvider interface { // GetCertificate returns a tls.Certificate for use in TLS connections. // Implementations should ensure thread-safety and handle any necessary logic // to provide the most up-to-date certificate. // // If a nil value is returned, it indicates that no client certificate is available for use in the TLS connection. // This might be the case if the certificate is not yet available, or if no certificate is configured for use. // GetCertificate is part of the mTLS preview feature // (see README on what it means in terms of support and compatibility guarantees) GetCertificate() *tls.Certificate }
ClientCertificateProvider defines an interface for retrieving a tls.Certificate. Implementations of this interface can provide static or dynamically updatable certificates.
ClientCertificateProvider is part of the mTLS preview feature (see README on what it means in terms of support and compatibility guarantees)
type RotatingClientCertificateProvider ¶ added in v5.19.0
type RotatingClientCertificateProvider struct {
// contains filtered or unexported fields
}
RotatingClientCertificateProvider is an implementation of ClientCertificateProvider that supports dynamic updates to the tls.Certificate it provides. It is useful for scenarios where certificates need to be rotated or updated without restarting the application.
RotatingClientCertificateProvider is part of the mTLS preview feature (see README on what it means in terms of support and compatibility guarantees)
func NewRotatingClientCertificateProvider ¶ added in v5.19.0
func NewRotatingClientCertificateProvider(cert ClientCertificate) (*RotatingClientCertificateProvider, error)
NewRotatingClientCertificateProvider creates a new RotatingClientCertificateProvider given a ClientCertificate. This function loads the certificate-key pair specified in the ClientCertificate and returns a provider that allows updating the certificate dynamically through its UpdateCertificate method.
NewRotatingClientCertificateProvider is part of the mTLS preview feature (see README on what it means in terms of support and compatibility guarantees)
Example ¶
package main import ( "github.com/neo4j/neo4j-go-driver/v5/neo4j" "github.com/neo4j/neo4j-go-driver/v5/neo4j/auth" "github.com/neo4j/neo4j-go-driver/v5/neo4j/config" "log" ) func main() { password := "thepassword1" provider, err := auth.NewRotatingClientCertificateProvider(auth.ClientCertificate{ CertFile: "path/to/cert.pem", KeyFile: "path/to/key.pem", Password: &password, }) if err != nil { log.Fatalf("Failed to load certificate: %v", err) } _, _ = neo4j.NewDriverWithContext("bolt://localhost:7687", neo4j.BasicAuth("neo4j", "password", ""), func(config *config.Config) { config.ClientCertificateProvider = provider }) // Some time later we update the certificate err = provider.UpdateCertificate(auth.ClientCertificate{ CertFile: "path/to/new_cert.pem", KeyFile: "path/to/new_key.pem", Password: &password, }) if err != nil { // Handle the error log.Fatalf("Failed to update certificate: %v", err) } }
Output:
func (*RotatingClientCertificateProvider) GetCertificate ¶ added in v5.19.0
func (p *RotatingClientCertificateProvider) GetCertificate() *tls.Certificate
func (*RotatingClientCertificateProvider) UpdateCertificate ¶ added in v5.19.0
func (p *RotatingClientCertificateProvider) UpdateCertificate(cert ClientCertificate) error
UpdateCertificate updates the certificate stored in the provider with a new certificate specified by the ClientCertificate. This method allows dynamic updates to the certificate used in TLS connections, facilitating use cases such as certificate rotation.
UpdateCertificate is part of the mTLS preview feature (see README on what it means in terms of support and compatibility guarantees)
type StaticClientCertificateProvider ¶ added in v5.19.0
type StaticClientCertificateProvider struct {
// contains filtered or unexported fields
}
StaticClientCertificateProvider is an implementation of ClientCertificateProvider that provides a static, unchangeable tls.Certificate. It is intended for use cases where the certificate does not need to be updated over the lifetime of the application.
StaticClientCertificateProvider is part of the mTLS preview feature (see README on what it means in terms of support and compatibility guarantees)
func NewStaticClientCertificateProvider ¶ added in v5.19.0
func NewStaticClientCertificateProvider(cert ClientCertificate) (*StaticClientCertificateProvider, error)
NewStaticClientCertificateProvider creates a new StaticClientCertificateProvider given a ClientCertificate. This function loads the certificate-key pair specified in the ClientCertificate and returns a provider that will always return this loaded certificate.
NewStaticClientCertificateProvider is part of the mTLS preview feature (see README on what it means in terms of support and compatibility guarantees)
Example ¶
package main import ( "github.com/neo4j/neo4j-go-driver/v5/neo4j" "github.com/neo4j/neo4j-go-driver/v5/neo4j/auth" "github.com/neo4j/neo4j-go-driver/v5/neo4j/config" "log" ) func main() { password := "thepassword1" provider, err := auth.NewStaticClientCertificateProvider(auth.ClientCertificate{ CertFile: "path/to/cert.pem", KeyFile: "path/to/key.pem", Password: &password, }) if err != nil { log.Fatalf("Failed to load certificate: %v", err) } _, _ = neo4j.NewDriverWithContext("bolt://localhost:7687", neo4j.BasicAuth("neo4j", "password", ""), func(config *config.Config) { config.ClientCertificateProvider = provider }) }
Output:
func (*StaticClientCertificateProvider) GetCertificate ¶ added in v5.19.0
func (p *StaticClientCertificateProvider) GetCertificate() *tls.Certificate
type TokenManager ¶
type TokenManager interface { // GetAuthToken retrieves an auth.Token or returns an error if the retrieval fails. // auth.Token can be created with built-in functions such as: // - `neo4j.NoAuth` // - `neo4j.BasicAuth` // - `neo4j.KerberosAuth` // - `neo4j.BearerAuth` // - `neo4j.CustomAuth` // // The token returned must always belong to the same identity. // Switching identities using the `TokenManager` is undefined behavior. GetAuthToken(ctx context.Context) (auth.Token, error) // HandleSecurityException is called when the server returns any `Neo.ClientError.Security.*` error. // It should return true if the error was handled, in which case the driver will mark the error as retryable. HandleSecurityException(context.Context, auth.Token, *db.Neo4jError) (bool, error) }
TokenManager is an interface for components that can provide auth tokens. The `neo4j` package provides default implementations of `auth.TokenManager` for common authentication schemes. See `neo4j.NewDriverWithContext`. Custom implementations of this class can be used to provide more complex authentication refresh functionality.
WARNING:
The manager *must not* interact with the driver in any way as this can cause deadlocks and undefined behaviour. Furthermore, the manager is expected to be thread-safe.
func BasicTokenManager ¶ added in v5.12.0
func BasicTokenManager(provider authTokenProvider) TokenManager
BasicTokenManager generates a TokenManager to manage basic auth password rotation. The provider is invoked solely when a new token instance is required, triggered by server rejection of the current token due to an authentication exception.
WARNING:
The provider function *must not* interact with the driver in any way as this can cause deadlocks and undefined behaviour.
The provider function must only ever return auth information belonging to the same identity. Switching identities is undefined behavior.
Example ¶
package main import ( "context" "fmt" "github.com/neo4j/neo4j-go-driver/v5/neo4j" "github.com/neo4j/neo4j-go-driver/v5/neo4j/auth" "os" ) func main() { fetchBasicAuthToken := func(ctx context.Context) (neo4j.AuthToken, error) { // some way of getting basic authentication information username, password, realm, err := getBasicAuth() if err != nil { return neo4j.AuthToken{}, err } // create and return a basic authentication token with provided username, password and realm return neo4j.BasicAuth(username, password, realm), nil } // create a new driver with a basic token manager which uses provider to handle basic auth password rotation. _, _ = neo4j.NewDriverWithContext(getUrl(), auth.BasicTokenManager(fetchBasicAuthToken)) } func getBasicAuth() (username, password, realm string, error error) { username, password, realm = "username", "password", "realm" return } func getUrl() string { return fmt.Sprintf("%s://%s:%s", os.Getenv("TEST_NEO4J_SCHEME"), os.Getenv("TEST_NEO4J_HOST"), os.Getenv("TEST_NEO4J_PORT")) }
Output:
func BearerTokenManager ¶ added in v5.12.0
func BearerTokenManager(provider authTokenWithExpirationProvider) TokenManager
BearerTokenManager generates a TokenManager to manage possibly expiring authentication details.
The provider is invoked when a new token instance is required, triggered by server rejection of the current token due to authentication or token expiration exceptions.
WARNING:
The provider function *must not* interact with the driver in any way as this can cause deadlocks and undefined behaviour.
The provider function must only ever return auth information belonging to the same identity. Switching identities is undefined behavior.
Example ¶
package main import ( "context" "fmt" "github.com/neo4j/neo4j-go-driver/v5/neo4j" "github.com/neo4j/neo4j-go-driver/v5/neo4j/auth" "os" "time" ) func main() { fetchAuthTokenFromMyProvider := func(ctx context.Context) (neo4j.AuthToken, *time.Time, error) { // some way of getting a token token, err := getSsoToken(ctx) if err != nil { return neo4j.AuthToken{}, nil, err } // assume we know our tokens expire every 60 seconds expiresIn := time.Now().Add(60 * time.Second) // Include a little buffer so that we fetch a new token *before* the old one expires expiresIn = expiresIn.Add(-10 * time.Second) // or return nil instead of `&expiresIn` if we don't expect it to expire return token, &expiresIn, nil } // create a new driver with a bearer token manager which uses provider to handle possibly expiring auth tokens. _, _ = neo4j.NewDriverWithContext(getUrl(), auth.BearerTokenManager(fetchAuthTokenFromMyProvider)) } func getSsoToken(context.Context) (neo4j.AuthToken, error) { return neo4j.NoAuth(), nil } func getUrl() string { return fmt.Sprintf("%s://%s:%s", os.Getenv("TEST_NEO4J_SCHEME"), os.Getenv("TEST_NEO4J_HOST"), os.Getenv("TEST_NEO4J_PORT")) }
Output: