Merge pull request #99 from neo4j-php/oidc

OIDC

Author: transistive

composer.json

@@ -31,7 +31,7 @@
         "psr/http-client": "^1.0",
         "php-http/message": "^1.0",
         "php-http/message-factory": "^1.0",
-        "stefanak-michal/bolt": "^2.5.3",
+        "stefanak-michal/bolt": "^2.7.1",
         "symfony/polyfill-php80": "^1.2",
         "ext-json": "*"
     },

docker-compose.yml

@@ -73,6 +73,8 @@ services:
           <<: *common
         volumes:
           - ./tests/resources:/import
+        env_file:
+          - .env
     core1:
         image: neo4j:4.4-enterprise
         healthcheck:
@@ -91,6 +93,8 @@ services:
           NEO4J_causal__clustering_raft__advertised__address: core1:7000
           NEO4J_dbms_connector_http_advertised__address: core1:7474
           NEO4J_dbms_connector_bolt_advertised__address: core1:7687
+        env_file:
+          - .env
 
     core2:
         image: neo4j:4.4-enterprise
@@ -110,6 +114,8 @@ services:
           NEO4J_dbms_connector_bolt_advertised__address: core2:7687
         volumes:
           - ./tests/resources:/import
+        env_file:
+          - .env
 
     core3:
         image: neo4j:4.4-enterprise
@@ -129,6 +135,8 @@ services:
           NEO4J_dbms_connector_bolt_advertised__address: core3:7687
         volumes:
           - ./tests/resources:/import
+        env_file:
+          - .env
 
     readreplica1:
         image: neo4j:4.4-enterprise
@@ -147,5 +155,7 @@ services:
           NEO4J_causal__clustering_raft__advertised__address: readreplica1:7000
           NEO4J_dbms_connector_http_advertised__address: readreplica1:7474
           NEO4J_dbms_connector_bolt_advertised__address: readreplica1:7687
+        env_file:
+          - .env
         volumes:
           - ./tests/resources:/import

src/Authentication/Authenticate.php

@@ -40,6 +40,16 @@ public static function kerberos(string $token): KerberosAuth
         return new KerberosAuth($token);
     }
 
+    /**
+     * Authenticate using a OpenID Connect token.
+     *
+     * @pure
+     */
+    public static function oidc(string $token): OpenIDConnectAuth
+    {
+        return new OpenIDConnectAuth($token);
+    }
+
     /**
      * Don't authenticate at all.
      *

src/Authentication/BasicAuth.php

@@ -16,6 +16,7 @@
 use function base64_encode;
 use Bolt\Bolt;
 use Bolt\error\MessageException;
+use Bolt\helpers\Auth;
 use Exception;
 use Laudis\Neo4j\Common\TransactionHelper;
 use Laudis\Neo4j\Contracts\AuthenticateInterface;
@@ -63,7 +64,9 @@ public function authenticateHttp(RequestInterface $request, UriInterface $uri, s
     public function authenticateBolt(Bolt $bolt, UriInterface $uri, string $userAgent): void
     {
         try {
-            $bolt->init($userAgent, $this->username, $this->password);
+            $auth = Auth::basic($this->username, $this->password);
+            $auth['user_agent'] = $userAgent;
+            $bolt->init($auth);
         } catch (MessageException $e) {
             $code = TransactionHelper::extractCode($e) ?? '';
             throw new Neo4jException([new Neo4jError($code, $e->getMessage())]);

src/Authentication/KerberosAuth.php

@@ -14,6 +14,7 @@
 namespace Laudis\Neo4j\Authentication;
 
 use Bolt\Bolt;
+use Bolt\helpers\Auth;
 use Laudis\Neo4j\Contracts\AuthenticateInterface;
 use Psr\Http\Message\RequestInterface;
 use Psr\Http\Message\UriInterface;
@@ -49,8 +50,12 @@ public function authenticateHttp(RequestInterface $request, UriInterface $uri, s
 
     public function authenticateBolt(Bolt $bolt, UriInterface $uri, string $userAgent): void
     {
-        $bolt->setScheme('kerberos');
-        $bolt->init($userAgent, $this->token, $this->token);
+        /**
+         * @psalm-suppress DeprecatedMethod
+         */
+        $bearer = Auth::bearer($this->token);
+        $bearer['user_agent'] = $userAgent;
+        $bolt->init($bearer);
     }
 
     /**

src/Authentication/NoAuth.php

@@ -14,6 +14,7 @@
 namespace Laudis\Neo4j\Authentication;
 
 use Bolt\Bolt;
+use Bolt\helpers\Auth;
 use Laudis\Neo4j\Contracts\AuthenticateInterface;
 use Psr\Http\Message\RequestInterface;
 use Psr\Http\Message\UriInterface;
@@ -38,8 +39,12 @@ public function authenticateHttp(RequestInterface $request, UriInterface $uri, s
 
     public function authenticateBolt(Bolt $bolt, UriInterface $uri, string $userAgent): void
     {
-        $bolt->setScheme('none');
-        $bolt->init($userAgent, '', '');
+        $auth = Auth::none();
+        $auth['user_agent'] = $userAgent;
+        /**
+         * @psalm-suppress DeprecatedMethod
+         */
+        $bolt->init($auth);
     }
 
     /**

src/Authentication/OpenIDConnectAuth.php

@@ -0,0 +1,62 @@
+<?php
+
+/*
+ * This file is part of the Laudis Neo4j package.
+ *
+ * (c) Laudis technologies <http://laudis.tech>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Laudis\Neo4j\Authentication;
+
+use Bolt\Bolt;
+use Bolt\helpers\Auth;
+use Laudis\Neo4j\Contracts\AuthenticateInterface;
+use Psr\Http\Message\RequestInterface;
+use Psr\Http\Message\UriInterface;
+
+final class OpenIDConnectAuth implements AuthenticateInterface
+{
+    private string $token;
+
+    /**
+     * @psalm-external-mutation-free
+     */
+    public function __construct(string $token)
+    {
+        $this->token = $token;
+    }
+
+    /**
+     * @psalm-mutation-free
+     */
+    public function authenticateHttp(RequestInterface $request, UriInterface $uri, string $userAgent): RequestInterface
+    {
+        /**
+         * @psalm-suppress ImpureMethodCall Request is a pure object:
+         *
+         * @see https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-7-http-message-meta.md#why-value-objects
+         */
+        return $request->withHeader('Authorization', 'Bearer '.$this->token)
+            ->withHeader('User-Agent', $userAgent);
+    }
+
+    public function authenticateBolt(Bolt $bolt, UriInterface $uri, string $userAgent): void
+    {
+        /**
+         * @psalm-suppress DeprecatedMethod
+         * @psalm-suppress ImpureMethodCall
+         */
+        $bolt->init(Auth::bearer($this->token));
+    }
+
+    /**
+     * @psalm-mutation-free
+     */
+    public function extractFromUri(UriInterface $uri): AuthenticateInterface
+    {
+        return $this;
+    }
+}

tests/Integration/OIDCTest.php

@@ -0,0 +1,49 @@
+<?php
+
+/*
+ * This file is part of the Laudis Neo4j package.
+ *
+ * (c) Laudis technologies <http://laudis.tech>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Laudis\Neo4j\Tests\Integration;
+
+use function array_key_exists;
+use function is_string;
+use Laudis\Neo4j\Authentication\Authenticate;
+use Laudis\Neo4j\ClientBuilder;
+use Laudis\Neo4j\Http\HttpDriver;
+use Monolog\Test\TestCase;
+
+/**
+ * @psalm-suppress MissingConstructor
+ */
+final class OIDCTest extends TestCase
+{
+    public function testConnect(): void
+    {
+        $this->expectNotToPerformAssertions();
+        if (!array_key_exists('ACCESS_TOKEN_BEARER', $_ENV) || !is_string($_ENV['ACCESS_TOKEN_BEARER'])) {
+            $this->markTestSkipped('No OIDC token provided');
+        }
+
+        /** @var mixed */
+        $connections = $_ENV['NEO4J_CONNECTIONS'] ?? '';
+        $connections = is_string($connections) ? $connections : '';
+        foreach (explode(',', $connections) as $connection) {
+            $driver = ClientBuilder::create()
+                ->withDriver('default', $connection, Authenticate::oidc($_ENV['ACCESS_TOKEN_BEARER']))
+                ->build()
+                ->getDriver('default');
+
+            if ($driver instanceof HttpDriver) {
+                continue;
+            }
+
+            $driver->createSession()->run('RETURN 1');
+        }
+    }
+}