Fix Kerberos and improve custom auth

* Kerberos auth requires principal for backwards compatibility
* Make realm an optional field in TestKit authToken
* Add missing Testkit feature flags for authentication tests
* Reduce custom auth payload when sending default values

Co-authored-by: Florent Biville <florent.biville@neo4j.com>

Author: robsdedude

neo4j/auth_tokens.go

@@ -32,7 +32,9 @@ const schemeBearer = "bearer"
 const keyPrincipal = "principal"
 const keyCredentials = "credentials"
 const keyRealm = "realm"
-const keyTicket = "ticket"
+
+// Deprecated: will be removed in 5.0. Use keyCredentials instead.
+const keyTicket = keyCredentials
 
 // NoAuth generates an empty authentication token
 func NoAuth() AuthToken {
@@ -61,7 +63,9 @@ func KerberosAuth(ticket string) AuthToken {
 	token := AuthToken{
 		tokens: map[string]interface{}{
 			keyScheme: schemeKerberos,
-			keyTicket: ticket,
+			// Backwards compatibility: Neo4j servers pre 4.4 require the presence of the principal.
+			keyPrincipal:   "",
+			keyCredentials: ticket,
 		},
 	}
 
@@ -72,7 +76,7 @@ func KerberosAuth(ticket string) AuthToken {
 func BearerAuth(token string) AuthToken {
 	result := AuthToken{
 		tokens: map[string]interface{}{
-			keyScheme: schemeBearer,
+			keyScheme:      schemeBearer,
 			keyCredentials: token,
 		},
 	}
@@ -83,16 +87,19 @@ func BearerAuth(token string) AuthToken {
 // CustomAuth generates a custom authentication token with provided parameters
 func CustomAuth(scheme string, username string, password string, realm string, parameters map[string]interface{}) AuthToken {
 	tokens := map[string]interface{}{
-		keyScheme:      scheme,
-		keyPrincipal:   username,
-		keyCredentials: password,
+		keyScheme:    scheme,
+		keyPrincipal: username,
+	}
+
+	if password != "" {
+		tokens[keyCredentials] = password
 	}
 
 	if realm != "" {
 		tokens[keyRealm] = realm
 	}
 
-	if parameters != nil {
+	if len(parameters) > 0 {
 		tokens["parameters"] = parameters
 	}
 

neo4j/auth_tokens_test.go

@@ -92,16 +92,20 @@ func TestKerberosAuth(t *testing.T) {
 
 	token := KerberosAuth(ticket)
 
-	if len(token.tokens) != 2 {
-		t.Errorf("should contain 2 keys")
+	if len(token.tokens) != 3 {
+		t.Errorf("should contain 3 keys")
 	}
 
 	if token.tokens[keyScheme] != schemeKerberos {
 		t.Errorf("the key scheme should be 'kerberos' %v", token.tokens[keyScheme])
 	}
 
-	if token.tokens[keyTicket] != ticket {
-		t.Errorf("the key ticket was not properly set %v", token.tokens[keyTicket])
+	if token.tokens[keyPrincipal] != "" {
+		t.Errorf("the key principal was not properly set %v", token.tokens[keyPrincipal])
+	}
+
+	if token.tokens[keyCredentials] != ticket {
+		t.Errorf("the key ticket was not properly set %v", token.tokens[keyCredentials])
 	}
 }
 
@@ -144,8 +148,8 @@ func TestCustomAuthWithEmptyParameters(t *testing.T) {
 
 	token := CustomAuth(scheme, userName, password, realm, parameters)
 
-	if len(token.tokens) != 5 {
-		t.Errorf("should contain 5 keys when parameters data was passed %v", len(token.tokens))
+	if len(token.tokens) != 4 {
+		t.Errorf("should contain 4 keys when parameters data was passed %v", len(token.tokens))
 	}
 
 	if token.tokens[keyScheme] != scheme {

testkit-backend/backend.go

@@ -367,12 +367,16 @@ func (b *backend) handleRequest(req map[string]interface{}) {
 				authTokenMap["credentials"].(string),
 				realm)
 		case "kerberos":
-			authToken = neo4j.KerberosAuth(authTokenMap["ticket"].(string))
+			authToken = neo4j.KerberosAuth(authTokenMap["credentials"].(string))
 		case "bearer":
 			authToken = neo4j.BearerAuth(authTokenMap["credentials"].(string))
 		default:
-			b.writeError(errors.New("Unsupported scheme"))
-			return
+			authToken = neo4j.CustomAuth(
+				authTokenMap["scheme"].(string),
+				authTokenMap["principal"].(string),
+				authTokenMap["credentials"].(string),
+				authTokenMap["realm"].(string),
+				authTokenMap["parameters"].(map[string]interface{}))
 		}
 		// Parse URI (or rather type cast)
 		uri := data["uri"].(string)
@@ -578,10 +582,12 @@ func (b *backend) handleRequest(req map[string]interface{}) {
 		b.writeResponse("FeatureList", map[string]interface{}{
 			"features": []string{
 				"ConfHint:connection.recv_timeout_seconds",
+				"Feature:Auth:Custom",
+				"Feature:Auth:Bearer",
+				"Feature:Auth:Kerberos",
 				"Optimization:ConnectionReuse",
 				"Optimization:ImplicitDefaultArguments",
 				"Optimization:PullPipelining",
-				"Feature:Auth:Bearer",
 			},
 		})