Introducing protocol 4.4 and User Impersonation (#784)

* Introducing protocol 4.4 and User Impersonation

Users can, when they have been granted explicit permission, run transactions against the database as different users. When impersonating a user, the query is run as the complete security context of the impersonated user and not the authenticated user (e.g. home database, permissions etc).

- Create protocol 4.4 version
- Add protocol to the handshake
- Change the messages RUN, BEGIN and ROUTE to support the impersonation parameter
- Add support to the impersonation into the driver surface
- Add special treatments for the default/home database

Author: bigmontz

packages/bolt-connection/src/bolt/bolt-protocol-util.js

@@ -57,4 +57,25 @@ function assertDatabaseIsEmpty (database, onProtocolError = () => {}, observer)
   }
 }
 
-export { assertDatabaseIsEmpty, assertTxConfigIsEmpty }
+/**
+ * Asserts that the passed-in impersonated user is empty
+ * @param {string} impersonatedUser 
+ * @param {function (err:Error)} onProtocolError Called when it does have impersonated user set
+ * @param {any} observer
+ */
+function assertImpersonatedUserIsEmpty (impersonatedUser, onProtocolError = () => {}, observer) {
+  if (impersonatedUser) {
+    const error = newError(
+      'Driver is connected to the database that does not support user impersonation. ' +
+        'Please upgrade to neo4j 4.4.0 or later in order to use this functionality. ' +
+        `Trying to impersonate ${impersonatedUser}.`
+    )
+
+    // unsupported API was used, consider this a fatal error for the current connection
+    onProtocolError(error.message)
+    observer.onError(error)
+    throw error
+  }
+}
+
+export { assertDatabaseIsEmpty, assertTxConfigIsEmpty, assertImpersonatedUserIsEmpty }

packages/bolt-connection/src/bolt/bolt-protocol-v1.js

@@ -18,7 +18,8 @@
  */
 import {
   assertDatabaseIsEmpty,
-  assertTxConfigIsEmpty
+  assertTxConfigIsEmpty,
+  assertImpersonatedUserIsEmpty
 } from './bolt-protocol-util'
 import { Chunker } from '../chunking'
 import { v1 } from '../packstream'
@@ -143,6 +144,7 @@ export default class BoltProtocol {
    * @param {TxConfig} param.txConfig the configuration.
    * @param {string} param.database the target database name.
    * @param {string} param.mode the access mode.
+   * @param {string} param.impersonatedUser the impersonated user
    * @param {function(err: Error)} param.beforeError the callback to invoke before handling the error.
    * @param {function(err: Error)} param.afterError the callback to invoke after handling the error.
    * @param {function()} param.beforeComplete the callback to invoke before handling the completion.
@@ -154,6 +156,7 @@ export default class BoltProtocol {
     txConfig,
     database,
     mode,
+    impersonatedUser,
     beforeError,
     afterError,
     beforeComplete,
@@ -167,6 +170,7 @@ export default class BoltProtocol {
         txConfig: txConfig,
         database,
         mode,
+        impersonatedUser,
         beforeError,
         afterError,
         beforeComplete,
@@ -248,6 +252,7 @@ export default class BoltProtocol {
    * @param {Bookmark} param.bookmark the bookmark.
    * @param {TxConfig} param.txConfig the transaction configuration.
    * @param {string} param.database the target database name.
+   * @param {string} param.impersonatedUser the impersonated user
    * @param {string} param.mode the access mode.
    * @param {function(keys: string[])} param.beforeKeys the callback to invoke before handling the keys.
    * @param {function(keys: string[])} param.afterKeys the callback to invoke after handling the keys.
@@ -266,6 +271,7 @@ export default class BoltProtocol {
       txConfig,
       database,
       mode,
+      impersonatedUser,
       beforeKeys,
       afterKeys,
       beforeError,
@@ -289,6 +295,8 @@ export default class BoltProtocol {
     assertTxConfigIsEmpty(txConfig, this._onProtocolError, observer)
     // passing in a database name on this protocol version throws an error
     assertDatabaseIsEmpty(database, this._onProtocolError, observer)
+    // passing impersonated user on this protocol version throws an error
+    assertImpersonatedUserIsEmpty(impersonatedUser, this._onProtocolError, observer)
 
     this.write(RequestMessage.run(query, parameters), observer, false)
     this.write(RequestMessage.pullAll(), observer, flush)

packages/bolt-connection/src/bolt/bolt-protocol-v3.js

@@ -18,7 +18,7 @@
  */
 import BoltProtocolV2 from './bolt-protocol-v2'
 import RequestMessage from './request-message'
-import { assertDatabaseIsEmpty } from './bolt-protocol-util'
+import { assertDatabaseIsEmpty, assertImpersonatedUserIsEmpty } from './bolt-protocol-util'
 import {
   StreamObserver,
   LoginObserver,
@@ -78,6 +78,7 @@ export default class BoltProtocol extends BoltProtocolV2 {
     bookmark,
     txConfig,
     database,
+    impersonatedUser,
     mode,
     beforeError,
     afterError,
@@ -95,6 +96,8 @@ export default class BoltProtocol extends BoltProtocolV2 {
 
     // passing in a database name on this protocol version throws an error
     assertDatabaseIsEmpty(database, this._onProtocolError, observer)
+    // passing impersonated user on this protocol version throws an error
+    assertImpersonatedUserIsEmpty(impersonatedUser, this._onProtocolError, observer)
 
     this.write(
       RequestMessage.begin({ bookmark, txConfig, mode }),
@@ -152,6 +155,7 @@ export default class BoltProtocol extends BoltProtocolV2 {
       bookmark,
       txConfig,
       database,
+      impersonatedUser,
       mode,
       beforeKeys,
       afterKeys,
@@ -174,6 +178,8 @@ export default class BoltProtocol extends BoltProtocolV2 {
 
     // passing in a database name on this protocol version throws an error
     assertDatabaseIsEmpty(database, this._onProtocolError, observer)
+    // passing impersonated user on this protocol version throws an error
+    assertImpersonatedUserIsEmpty(impersonatedUser, this._onProtocolError, observer)
 
     this.write(
       RequestMessage.runWithMetadata(query, parameters, {

packages/bolt-connection/src/bolt/bolt-protocol-v4x0.js

@@ -18,6 +18,7 @@
  */
 import BoltProtocolV3 from './bolt-protocol-v3'
 import RequestMessage, { ALL } from './request-message'
+import { assertImpersonatedUserIsEmpty } from './bolt-protocol-util'
 import {
   ResultStreamObserver,
   ProcedureRouteObserver
@@ -44,6 +45,7 @@ export default class BoltProtocol extends BoltProtocolV3 {
     bookmark,
     txConfig,
     database,
+    impersonatedUser,
     mode,
     beforeError,
     afterError,
@@ -59,6 +61,9 @@ export default class BoltProtocol extends BoltProtocolV3 {
     })
     observer.prepareToHandleSingleResponse()
 
+    // passing impersonated user on this protocol version throws an error
+    assertImpersonatedUserIsEmpty(impersonatedUser, this._onProtocolError, observer)
+
     this.write(
       RequestMessage.begin({ bookmark, txConfig, database, mode }),
       observer,
@@ -75,6 +80,7 @@ export default class BoltProtocol extends BoltProtocolV3 {
       bookmark,
       txConfig,
       database,
+      impersonatedUser,
       mode,
       beforeKeys,
       afterKeys,
@@ -101,6 +107,9 @@ export default class BoltProtocol extends BoltProtocolV3 {
       afterComplete
     })
 
+    // passing impersonated user on this protocol version throws an error
+    assertImpersonatedUserIsEmpty(impersonatedUser, this._onProtocolError, observer)
+
     const flushRun = reactive
     this.write(
       RequestMessage.runWithMetadata(query, parameters, {

packages/bolt-connection/src/bolt/bolt-protocol-v4x4.js

@@ -0,0 +1,153 @@
+/**
+ * Copyright (c) "Neo4j"
+ * Neo4j Sweden AB [http://neo4j.com]
+ *
+ * This file is part of Neo4j.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import BoltProtocolV43 from './bolt-protocol-v4x3'
+
+import { internal } from 'neo4j-driver-core'
+import RequestMessage, { ALL } from './request-message'
+import { RouteObserver, ResultStreamObserver } from './stream-observers'
+
+const {
+  constants: { BOLT_PROTOCOL_V4_4 },
+  bookmark: { Bookmark },
+} = internal
+
+export default class BoltProtocol extends BoltProtocolV43 {
+  get version() {
+    return BOLT_PROTOCOL_V4_4
+  }
+
+  /**
+  * Request routing information
+  *
+  * @param {Object} param -
+  * @param {object} param.routingContext The routing context used to define the routing table.
+  *  Multi-datacenter deployments is one of its use cases
+  * @param {string} param.databaseName The database name
+  * @param {Bookmark} params.sessionContext.bookmark The bookmark used for request the routing table
+  * @param {function(err: Error)} param.onError
+  * @param {function(RawRoutingTable)} param.onCompleted
+  * @returns {RouteObserver} the route observer
+  */
+  requestRoutingInformation ({
+    routingContext = {},
+    databaseName = null,
+    impersonatedUser = null,
+    sessionContext = {},
+    onError,
+    onCompleted
+  }) {
+    const observer = new RouteObserver({
+      onProtocolError: this._onProtocolError,
+      onError,
+      onCompleted
+    })
+    const bookmark = sessionContext.bookmark || Bookmark.empty()
+    this.write(
+      RequestMessage.routeV4x4(routingContext, bookmark.values(), { databaseName, impersonatedUser }),
+      observer,
+      true
+    )
+
+    return observer
+  }
+
+  run (
+    query,
+    parameters,
+    {
+      bookmark,
+      txConfig,
+      database,
+      mode,
+      impersonatedUser,
+      beforeKeys,
+      afterKeys,
+      beforeError,
+      afterError,
+      beforeComplete,
+      afterComplete,
+      flush = true,
+      reactive = false,
+      fetchSize = ALL
+    } = {}
+  ) {
+    const observer = new ResultStreamObserver({
+      server: this._server,
+      reactive: reactive,
+      fetchSize: fetchSize,
+      moreFunction: this._requestMore.bind(this),
+      discardFunction: this._requestDiscard.bind(this),
+      beforeKeys,
+      afterKeys,
+      beforeError,
+      afterError,
+      beforeComplete,
+      afterComplete
+    })
+
+    const flushRun = reactive
+    this.write(
+      RequestMessage.runWithMetadata(query, parameters, {
+        bookmark,
+        txConfig,
+        database,
+        mode,
+        impersonatedUser
+      }),
+      observer,
+      flushRun && flush
+    )
+
+    if (!reactive) {
+      this.write(RequestMessage.pull({ n: fetchSize }), observer, flush)
+    }
+
+    return observer
+  }
+
+  beginTransaction ({
+    bookmark,
+    txConfig,
+    database,
+    mode,
+    impersonatedUser,
+    beforeError,
+    afterError,
+    beforeComplete,
+    afterComplete
+  } = {}) {
+    const observer = new ResultStreamObserver({
+      server: this._server,
+      beforeError,
+      afterError,
+      beforeComplete,
+      afterComplete
+    })
+    observer.prepareToHandleSingleResponse()
+
+    this.write(
+      RequestMessage.begin({ bookmark, txConfig, database, mode, impersonatedUser }),
+      observer,
+      true
+    )
+
+    return observer
+  }
+
+}

packages/bolt-connection/src/bolt/create.js

@@ -25,6 +25,7 @@ import BoltProtocolV4x0 from './bolt-protocol-v4x0'
 import BoltProtocolV4x1 from './bolt-protocol-v4x1'
 import BoltProtocolV4x2 from './bolt-protocol-v4x2'
 import BoltProtocolV4x3 from './bolt-protocol-v4x3'
+import BoltProtocolV4x4 from './bolt-protocol-v4x4'
 import { Chunker, Dechunker } from '../channel'
 import ResponseHandler from './response-handler'
 
@@ -164,6 +165,16 @@ function createProtocol (
         onProtocolError,
         serversideRouting
       )
+    case 4.4:
+      return new BoltProtocolV4x4(
+        server,
+        chunker,
+        packingConfig,
+        createResponseHandler,
+        log,
+        onProtocolError,
+        serversideRouting
+      )
     default:
       throw newError('Unknown Bolt protocol version: ' + version)
   }

packages/bolt-connection/src/bolt/handshake.js

@@ -76,7 +76,7 @@ function parseNegotiatedResponse (buffer) {
  */
 function newHandshakeBuffer () {
   return createHandshakeMessage([
-    [version(4, 3), version(4, 2)],
+    [version(4, 4), version(4, 2)],
     version(4, 1),
     version(4, 0),
     version(3, 0)