Merge pull request #273 from 2hdddg/user-impersonation

Feature: user impersonation
Requires Neo4j 4.4.

Author: robsdedude

neo4j/db/connection.go

@@ -45,10 +45,11 @@ type Command struct {
 }
 
 type TxConfig struct {
-	Mode      AccessMode
-	Bookmarks []string
-	Timeout   time.Duration
-	Meta      map[string]interface{}
+	Mode             AccessMode
+	Bookmarks        []string
+	Timeout          time.Duration
+	ImpersonatedUser string
+	Meta             map[string]interface{}
 }
 
 // Connection defines an abstract database server connection.
@@ -96,16 +97,21 @@ type Connection interface {
 	// Gets routing table for specified database name or the default database if
 	// database equals DefaultDatabase. If the underlying connection does not support
 	// multiple databases, DefaultDatabase should be used as database.
-	GetRoutingTable(context map[string]string, bookmarks []string, database string) (*RoutingTable, error)
+	// If user impersonation is used (impersonatedUser != "") and default database is used
+	// the database name in the returned routing table will contain the actual name of the
+	// configured default database for the impersonated user. If no impersonation is used
+	// database name in routing table will be set to the name of the requested database.
+	GetRoutingTable(context map[string]string, bookmarks []string, database, impersonatedUser string) (*RoutingTable, error)
 	// Sets Bolt message logger on already initialized connections
 	SetBoltLogger(boltLogger log.BoltLogger)
 }
 
 type RoutingTable struct {
-	TimeToLive int
-	Routers    []string
-	Readers    []string
-	Writers    []string
+	TimeToLive   int
+	DatabaseName string
+	Routers      []string
+	Readers      []string
+	Writers      []string
 }
 
 // Marker for using the default database instance.

neo4j/db/errors.go

@@ -98,12 +98,14 @@ func (e *Neo4jError) IsRetriableCluster() bool {
 	return false
 }
 
-type RoutingNotSupportedError struct {
-	Server string
+type FeatureNotSupportedError struct {
+	Server  string
+	Feature string
+	Reason  string
 }
 
-func (e *RoutingNotSupportedError) Error() string {
-	return fmt.Sprintf("%s does not support routing", e.Server)
+func (e *FeatureNotSupportedError) Error() string {
+	return fmt.Sprintf("Server %s does not support: %s (%s)", e.Server, e.Feature, e.Reason)
 }
 
 type UnsupportedTypeError struct {

neo4j/directrouter.go

@@ -21,6 +21,7 @@ package neo4j
 
 import (
 	"context"
+	"github.com/neo4j/neo4j-go-driver/v4/neo4j/db"
 	"github.com/neo4j/neo4j-go-driver/v4/neo4j/log"
 )
 
@@ -37,6 +38,10 @@ func (r *directRouter) Writers(ctx context.Context, bookmarks []string, database
 	return []string{r.address}, nil
 }
 
+func (r *directRouter) GetNameOfDefaultDatabase(ctx context.Context, bookmarks []string, user string, boltLogger log.BoltLogger) (string, error) {
+	return db.DefaultDatabase, nil
+}
+
 func (r *directRouter) Invalidate(database string) {
 }
 

neo4j/driver.go

@@ -224,8 +224,13 @@ func routingContextFromUrl(useRouting bool, u *url.URL) (map[string]string, erro
 }
 
 type sessionRouter interface {
+	// Returns list of servers that can serve reads on the requested database.
 	Readers(ctx context.Context, bookmarks []string, database string, boltLogger log.BoltLogger) ([]string, error)
+	// Returns list of servers that can serve writes on the requested database.
 	Writers(ctx context.Context, bookmarks []string, database string, boltLogger log.BoltLogger) ([]string, error)
+	// Returns name of default database for specified user. The correct database name is needed when
+	// requesting readers or writers.
+	GetNameOfDefaultDatabase(ctx context.Context, bookmarks []string, user string, boltLogger log.BoltLogger) (string, error)
 	Invalidate(database string)
 	CleanUp()
 }
@@ -253,15 +258,18 @@ func (d *driver) Session(accessMode AccessMode, bookmarks ...string) (Session, e
 			Message: "Trying to create session on closed driver",
 		}
 	}
+	sessConfig := SessionConfig{
+		AccessMode:   accessMode,
+		Bookmarks:    bookmarks,
+		DatabaseName: db.DefaultDatabase,
+	}
 	return newSession(
-		d.config, d.router,
-		d.pool, db.AccessMode(accessMode), bookmarks, db.DefaultDatabase, 0, d.log, nil), nil
+		d.config, sessConfig, d.router, d.pool, d.log), nil
 }
 
 func (d *driver) NewSession(config SessionConfig) Session {
-	databaseName := db.DefaultDatabase
-	if config.DatabaseName != "" {
-		databaseName = config.DatabaseName
+	if config.DatabaseName == "" {
+		config.DatabaseName = db.DefaultDatabase
 	}
 
 	d.mut.Lock()
@@ -270,10 +278,7 @@ func (d *driver) NewSession(config SessionConfig) Session {
 		return &sessionWithError{
 			err: &UsageError{Message: "Trying to create session on closed driver"}}
 	}
-	return newSession(
-		d.config, d.router,
-		d.pool, db.AccessMode(config.AccessMode), config.Bookmarks, databaseName, config.FetchSize,
-		d.log, config.BoltLogger)
+	return newSession(d.config, config, d.router, d.pool, d.log)
 }
 
 func (d *driver) VerifyConnectivity() error {

neo4j/error.go

@@ -113,7 +113,7 @@ func IsTransactionExecutionLimit(err error) bool {
 // TokenExpiredError represent errors caused by the driver not being able to connect to Neo4j services,
 // or lost connections.
 type TokenExpiredError struct {
-	Code string
+	Code    string
 	Message string
 }
 
@@ -129,8 +129,9 @@ func wrapError(err error) error {
 		return &ConnectivityError{inner: err}
 	}
 	switch e := err.(type) {
-	case *db.UnsupportedTypeError:
-		// Usage of a type not supported by database network protocol
+	case *db.UnsupportedTypeError, *db.FeatureNotSupportedError:
+		// Usage of a type not supported by database network protocol or feature
+		// not supported by current version or edition.
 		return &UsageError{Message: err.Error()}
 	case *connector.TlsError, *connector.ConnectError:
 		return &ConnectivityError{inner: err}

neo4j/internal/bolt/bolt3.go

@@ -97,7 +97,7 @@ func NewBolt3(serverName string, conn net.Conn, log log.Logger, boltLog log.Bolt
 				boltLogger: boltLog,
 			},
 			connReadTimeout: -1,
-			logger: log,
+			logger:          log,
 		},
 		birthDate: time.Now(),
 		log:       log,
@@ -220,6 +220,9 @@ func (b *bolt3) TxBegin(txConfig db.TxConfig) (db.TxHandle, error) {
 	if err := b.assertState(bolt3_ready); err != nil {
 		return 0, err
 	}
+	if err := b.checkImpersonation(txConfig.ImpersonatedUser); err != nil {
+		return 0, err
+	}
 
 	tx := &internalTx3{
 		mode:      txConfig.Mode,
@@ -469,6 +472,9 @@ func (b *bolt3) Run(runCommand db.Command, txConfig db.TxConfig) (db.StreamHandl
 	if err := b.assertState(bolt3_streaming, bolt3_ready); err != nil {
 		return nil, err
 	}
+	if err := b.checkImpersonation(txConfig.ImpersonatedUser); err != nil {
+		return nil, err
+	}
 
 	tx := internalTx3{
 		mode:      txConfig.Mode,
@@ -698,13 +704,22 @@ func (b *bolt3) Reset() {
 	}
 }
 
-func (b *bolt3) GetRoutingTable(context map[string]string, bookmarks []string, database string) (*db.RoutingTable, error) {
+func (b *bolt3) checkImpersonation(impersonatedUser string) error {
+	if impersonatedUser != "" {
+		return &db.FeatureNotSupportedError{Server: b.serverName, Feature: "user impersonation", Reason: "requires least server v4.4"}
+	}
+	return nil
+}
+
+func (b *bolt3) GetRoutingTable(context map[string]string, bookmarks []string, database, impersonatedUser string) (*db.RoutingTable, error) {
 	if err := b.assertState(bolt3_ready); err != nil {
 		return nil, err
 	}
-
 	if database != db.DefaultDatabase {
-		return nil, errors.New("Bolt 3 does not support routing to a specifiec database name")
+		return nil, &db.FeatureNotSupportedError{Server: b.serverName, Feature: "route to database", Reason: "requires at least server v4"}
+	}
+	if err := b.checkImpersonation(impersonatedUser); err != nil {
+		return nil, err
 	}
 
 	// Only available when Neo4j is setup with clustering
@@ -718,7 +733,7 @@ func (b *bolt3) GetRoutingTable(context map[string]string, bookmarks []string, d
 		// Give a better error
 		dbError, isDbError := err.(*db.Neo4jError)
 		if isDbError && dbError.Code == "Neo.ClientError.Procedure.ProcedureNotFound" {
-			return nil, &db.RoutingNotSupportedError{Server: b.serverName}
+			return nil, &db.FeatureNotSupportedError{Server: b.serverName, Feature: "routing", Reason: "requires cluster setup"}
 		}
 		return nil, err
 	}
@@ -737,6 +752,8 @@ func (b *bolt3) GetRoutingTable(context map[string]string, bookmarks []string, d
 	if table == nil {
 		return nil, errors.New("Unable to parse routing table")
 	}
+	// Just because
+	table.DatabaseName = db.DefaultDatabase
 
 	return table, nil
 }

neo4j/internal/bolt/bolt4.go

@@ -45,11 +45,12 @@ const (
 const bolt4_fetchsize = 1000
 
 type internalTx4 struct {
-	mode         db.AccessMode
-	bookmarks    []string
-	timeout      time.Duration
-	txMeta       map[string]interface{}
-	databaseName string
+	mode             db.AccessMode
+	bookmarks        []string
+	timeout          time.Duration
+	txMeta           map[string]interface{}
+	databaseName     string
+	impersonatedUser string
 }
 
 func (i *internalTx4) toMeta() map[string]interface{} {
@@ -70,6 +71,9 @@ func (i *internalTx4) toMeta() map[string]interface{} {
 	if i.databaseName != db.DefaultDatabase {
 		meta["db"] = i.databaseName
 	}
+	if i.impersonatedUser != "" {
+		meta["imp_user"] = i.impersonatedUser
+	}
 	return meta
 }
 
@@ -110,7 +114,7 @@ func NewBolt4(serverName string, conn net.Conn, log log.Logger, boltLog log.Bolt
 				boltLogger: boltLog,
 			},
 			connReadTimeout: -1,
-			logger: log,
+			logger:          log,
 		},
 	}
 	b.out = outgoing{
@@ -263,6 +267,13 @@ func (b *bolt4) connect(minor int, auth map[string]interface{}, userAgent string
 	return nil
 }
 
+func (b *bolt4) checkImpersonationAndVersion(impersonatedUser string) error {
+	if impersonatedUser != "" && b.minor < 4 {
+		return &db.FeatureNotSupportedError{Server: b.serverName, Feature: "user impersonation", Reason: "requires at least server v4.4"}
+	}
+	return nil
+}
+
 func (b *bolt4) TxBegin(txConfig db.TxConfig) (db.TxHandle, error) {
 	// Ok, to begin transaction while streaming auto-commit, just empty the stream and continue.
 	if b.state == bolt4_streaming {
@@ -277,12 +288,17 @@ func (b *bolt4) TxBegin(txConfig db.TxConfig) (db.TxHandle, error) {
 		return 0, err
 	}
 
+	if err := b.checkImpersonationAndVersion(txConfig.ImpersonatedUser); err != nil {
+		return 0, err
+	}
+
 	tx := internalTx4{
-		mode:         txConfig.Mode,
-		bookmarks:    txConfig.Bookmarks,
-		timeout:      txConfig.Timeout,
-		txMeta:       txConfig.Meta,
-		databaseName: b.databaseName,
+		mode:             txConfig.Mode,
+		bookmarks:        txConfig.Bookmarks,
+		timeout:          txConfig.Timeout,
+		txMeta:           txConfig.Meta,
+		databaseName:     b.databaseName,
+		impersonatedUser: txConfig.ImpersonatedUser,
 	}
 
 	// If there are bookmarks, begin the transaction immediately for backwards compatible
@@ -608,12 +624,17 @@ func (b *bolt4) Run(cmd db.Command, txConfig db.TxConfig) (db.StreamHandle, erro
 		return nil, err
 	}
 
+	if err := b.checkImpersonationAndVersion(txConfig.ImpersonatedUser); err != nil {
+		return 0, err
+	}
+
 	tx := internalTx4{
-		mode:         txConfig.Mode,
-		bookmarks:    txConfig.Bookmarks,
-		timeout:      txConfig.Timeout,
-		txMeta:       txConfig.Meta,
-		databaseName: b.databaseName,
+		mode:             txConfig.Mode,
+		bookmarks:        txConfig.Bookmarks,
+		timeout:          txConfig.Timeout,
+		txMeta:           txConfig.Meta,
+		databaseName:     b.databaseName,
+		impersonatedUser: txConfig.ImpersonatedUser,
 	}
 	stream, err := b.run(cmd.Cypher, cmd.Params, cmd.FetchSize, &tx)
 	if err != nil {
@@ -873,19 +894,42 @@ func (b *bolt4) Reset() {
 	}
 }
 
-func (b *bolt4) GetRoutingTable(context map[string]string, bookmarks []string, database string) (*db.RoutingTable, error) {
+func (b *bolt4) GetRoutingTable(context map[string]string, bookmarks []string, database, impersonatedUser string) (*db.RoutingTable, error) {
 	if err := b.assertState(bolt4_ready); err != nil {
 		return nil, err
 	}
 
 	b.log.Infof(log.Bolt4, b.logId, "Retrieving routing table")
+	if b.minor > 3 {
+		extras := map[string]interface{}{}
+		if database != db.DefaultDatabase {
+			extras["db"] = database
+		}
+		if impersonatedUser != "" {
+			extras["imp_user"] = impersonatedUser
+		}
+		b.out.appendRoute(context, bookmarks, extras)
+		b.out.send(b.conn)
+		succ := b.receiveSuccess()
+		if b.err != nil {
+			return nil, b.err
+		}
+		return succ.routingTable, nil
+	}
+
+	if err := b.checkImpersonationAndVersion(impersonatedUser); err != nil {
+		return nil, err
+	}
+
 	if b.minor > 2 {
-		b.out.appendRoute(context, bookmarks, database)
+		b.out.appendRouteToV43(context, bookmarks, database)
 		b.out.send(b.conn)
 		succ := b.receiveSuccess()
 		if b.err != nil {
 			return nil, b.err
 		}
+		// On this version we will not receive the database name
+		succ.routingTable.DatabaseName = database
 		return succ.routingTable, nil
 	}
 	return b.callGetRoutingTable(context, bookmarks, database)
@@ -927,6 +971,8 @@ func (b *bolt4) callGetRoutingTable(context map[string]string, bookmarks []strin
 	if table == nil {
 		return nil, errors.New("Unable to parse routing table")
 	}
+	// On this version we will not recive the database name
+	table.DatabaseName = database
 	return table, nil
 }