Support for changing an expired password

If the server responds with credentials expired upon first connection,
prompt the user for a new password and execute a password change
command toward the system database. Then retry to connect with
the original database.

Author: henriknyman

cypher-shell/src/integration-test/java/org/neo4j/shell/MainIntegrationTest.java

@@ -10,6 +10,7 @@
 import java.io.FileNotFoundException;
 import java.io.InputStream;
 import java.io.PrintStream;
+import java.nio.ByteBuffer;
 
 import org.neo4j.driver.exceptions.ClientException;
 import org.neo4j.driver.exceptions.ServiceUnavailableException;
@@ -26,6 +27,7 @@
 import static java.lang.String.format;
 import static org.hamcrest.CoreMatchers.isA;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 import static org.mockito.Matchers.any;
@@ -53,22 +55,26 @@ private static class ShellAndConnection
     private String inputString = String.format( "neo4j%nneo%n" );
     private ByteArrayOutputStream baos;
     private ConnectionConfig connectionConfig;
+    private CliArgs cliArgs;
     private CypherShell shell;
     private Main main;
     private PrintStream printStream;
     private InputStream inputStream;
+    private ByteBuffer inputBuffer;
 
     @Before
     public void setup() {
         // given
-        inputStream = new ByteArrayInputStream(inputString.getBytes());
+        inputBuffer = ByteBuffer.allocate(256);
+        inputBuffer.put(inputString.getBytes());
+        inputStream = new ByteArrayInputStream(inputBuffer.array());
 
         baos = new ByteArrayOutputStream();
         printStream = new PrintStream(baos);
 
         main = new Main(inputStream, printStream);
 
-        CliArgs cliArgs = new CliArgs();
+        cliArgs = new CliArgs();
         cliArgs.setUsername("", "");
         cliArgs.setPassword("", "");
 
@@ -77,6 +83,13 @@ public void setup() {
         connectionConfig = sac.connectionConfig;
     }
 
+    private void ensureUser() throws Exception {
+        shell.execute(":use " + DatabaseManager.SYSTEM_DB_NAME);
+        shell.execute("CREATE OR REPLACE USER foo SET PASSWORD 'pass';");
+        shell.execute("GRANT ROLE reader TO foo;");
+        shell.execute(":use");
+    }
+
     @Test
     public void promptsOnWrongAuthenticationIfInteractive() throws Exception {
         // when
@@ -94,6 +107,47 @@ public void promptsOnWrongAuthenticationIfInteractive() throws Exception {
         assertEquals("neo", connectionConfig.password());
     }
 
+    @Test
+    public void promptsOnPasswordChangeRequired() throws Exception {
+        shell.setCommandHelper(new CommandHelper(mock(Logger.class), Historian.empty, shell));
+        inputBuffer.put(String.format("foo%npass%nnewpass%n").getBytes());
+
+        assertEquals("", connectionConfig.username());
+        assertEquals("", connectionConfig.password());
+
+        // when
+        main.connectMaybeInteractively(shell, connectionConfig, true, true);
+
+        // then
+        // should be connected
+        assertTrue(shell.isConnected());
+        // should have prompted and set the username and password
+        String expectedLoginOutput = format( "username: neo4j%npassword: ***%n" );
+        assertEquals(expectedLoginOutput, baos.toString());
+        assertEquals("neo4j", connectionConfig.username());
+        assertEquals("neo", connectionConfig.password());
+
+        // Create a new user
+        ensureUser();
+        shell.disconnect();
+
+        connectionConfig = getConnectionConfig(cliArgs);
+        assertEquals("", connectionConfig.username());
+        assertEquals("", connectionConfig.password());
+
+        // when
+        main.connectMaybeInteractively(shell, connectionConfig, true, true);
+
+        // then
+        assertTrue(shell.isConnected());
+        // should have prompted to change the password
+        String expectedChangePasswordOutput = format( "username: foo%npassword: ****%nPassword change required%nnew password: *******%n" );
+        assertEquals(expectedLoginOutput + expectedChangePasswordOutput, baos.toString());
+        assertEquals("foo", connectionConfig.username());
+        assertEquals("newpass", connectionConfig.password());
+        assertNull(connectionConfig.newPassword());
+    }
+
     @Test
     public void doesNotPromptToStdOutOnWrongAuthenticationIfOutputRedirected() throws Exception {
         // when
@@ -335,16 +389,21 @@ private ShellAndConnection getShell( CliArgs cliArgs )
     private ShellAndConnection getShell( CliArgs cliArgs, LinePrinter linePrinter )
     {
         PrettyConfig prettyConfig = new PrettyConfig( cliArgs );
-        ConnectionConfig connectionConfig = new ConnectionConfig(
+        ConnectionConfig connectionConfig = getConnectionConfig( cliArgs );
+
+        return new ShellAndConnection( new CypherShell( linePrinter, prettyConfig, true, new ShellParameterMap() ), connectionConfig );
+    }
+
+    private ConnectionConfig getConnectionConfig( CliArgs cliArgs )
+    {
+        return new ConnectionConfig(
                 cliArgs.getScheme(),
                 cliArgs.getHost(),
                 cliArgs.getPort(),
                 cliArgs.getUsername(),
                 cliArgs.getPassword(),
                 cliArgs.getEncryption(),
                 cliArgs.getDatabase() );
-
-        return new ShellAndConnection( new CypherShell( linePrinter, prettyConfig, true, new ShellParameterMap() ), connectionConfig );
     }
 
     private void exit( CypherShell shell ) throws CommandException

cypher-shell/src/main/java/org/neo4j/shell/ConnectionConfig.java

@@ -13,6 +13,7 @@ public class ConnectionConfig {
     private final boolean encryption;
     private String username;
     private String password;
+    private String newPassword;
     private String database;
 
     public ConnectionConfig(@Nonnull String scheme,
@@ -67,6 +68,10 @@ public String password() {
         return password;
     }
 
+    public String newPassword() {
+        return newPassword;
+    }
+
     @Nonnull
     public String driverUrl() {
         return String.format("%s%s:%d", scheme(), host(), port());
@@ -89,4 +94,12 @@ public void setUsername(@Nonnull String username) {
     public void setPassword(@Nonnull String password) {
         this.password = password;
     }
+
+    public void setNewPassword(@Nonnull String password) {
+        this.newPassword = password;
+    }
+
+    public boolean passwordChangeRequired() {
+        return this.newPassword != null;
+    }
 }

cypher-shell/src/main/java/org/neo4j/shell/CypherShell.java

@@ -219,4 +219,15 @@ public ParameterMap getParameterMap()
     {
         return parameterMap;
     }
+
+    public void changePassword(@Nonnull ConnectionConfig connectionConfig) {
+        boltStateHandler.changePassword(connectionConfig);
+    }
+
+    /**
+     * Used for testing purposes
+     */
+    public void disconnect() {
+        boltStateHandler.disconnect();
+    }
 }

cypher-shell/src/main/java/org/neo4j/shell/Main.java

@@ -9,6 +9,7 @@
 import javax.annotation.Nullable;
 
 import org.neo4j.driver.exceptions.AuthenticationException;
+import org.neo4j.driver.exceptions.Neo4jException;
 import org.neo4j.shell.build.Build;
 import org.neo4j.shell.cli.CliArgHelper;
 import org.neo4j.shell.cli.CliArgs;
@@ -122,23 +123,40 @@ void connectMaybeInteractively(@Nonnull CypherShell shell,
             didPrompt = true;
         }
 
-        try {
-            // Try to connect
-            shell.connect(connectionConfig);
-        } catch (AuthenticationException e) {
-            // Fail if we already prompted,
-            // or do not have interactive input,
-            // or already tried with both username and password
-            if (didPrompt || !inputInteractive || (!connectionConfig.username().isEmpty() && !connectionConfig.password().isEmpty())) {
-                throw e;
+        while (true) {
+            try {
+                // Try to connect
+                shell.connect(connectionConfig);
+
+                // If no exception occurred we are done
+                break;
+            } catch (AuthenticationException e) {
+                // Fail if we already prompted,
+                // or do not have interactive input,
+                // or already tried with both username and password
+                if (didPrompt || !inputInteractive || (!connectionConfig.username().isEmpty() && !connectionConfig.password().isEmpty())) {
+                    throw e;
+                }
+
+                // Otherwise we prompt for username and password, and try to connect again
+                promptForUsernameAndPassword(connectionConfig, outputInteractive);
+                didPrompt = true;
+            } catch (Neo4jException e) {
+                if (passwordChangeRequiredException(e)) {
+                    promptForPasswordChange(connectionConfig, outputInteractive);
+                    shell.changePassword(connectionConfig);
+                    didPrompt = true;
+                } else {
+                    throw e;
+                }
             }
-
-            // Otherwise we prompt for username and password, and try to connect again
-            promptForUsernameAndPassword(connectionConfig, outputInteractive);
-            shell.connect(connectionConfig);
         }
     }
 
+    private boolean passwordChangeRequiredException(Neo4jException e) {
+        return "Neo.ClientError.Security.CredentialsExpired".equalsIgnoreCase(e.code());
+    }
+
     private void promptForUsernameAndPassword(ConnectionConfig connectionConfig, boolean outputInteractive) throws Exception {
         OutputStream promptOutputStream = getOutputStreamForInteractivePrompt();
         ConsoleReader consoleReader = new ConsoleReader(in, promptOutputStream);
@@ -162,6 +180,35 @@ private void promptForUsernameAndPassword(ConnectionConfig connectionConfig, boo
         }
     }
 
+    private void promptForPasswordChange(ConnectionConfig connectionConfig, boolean outputInteractive) throws Exception {
+        OutputStream promptOutputStream = getOutputStreamForInteractivePrompt();
+        ConsoleReader consoleReader = new ConsoleReader(in, promptOutputStream);
+        // Disable expansion of bangs: !
+        consoleReader.setExpandEvents(false);
+        // Ensure Reader does not handle user input for ctrl+C behaviour
+        consoleReader.setHandleUserInterrupt(false);
+
+        consoleReader.println("Password change required");
+
+        try {
+            if (connectionConfig.username().isEmpty()) {
+                String username = outputInteractive ?
+                                  promptForNonEmptyText("username", consoleReader, null) :
+                                  promptForText("username", consoleReader, null);
+                connectionConfig.setUsername(username);
+            }
+            if (connectionConfig.password().isEmpty()) {
+                connectionConfig.setPassword(promptForText("password", consoleReader, '*'));
+            }
+            String newPassword = outputInteractive ?
+                                 promptForNonEmptyText("new password", consoleReader, '*') :
+                                 promptForText("new password", consoleReader, '*');
+            connectionConfig.setNewPassword(newPassword);
+        } finally {
+            consoleReader.close();
+        }
+    }
+
     /**
      * @param prompt
      *         to display to the user

cypher-shell/src/main/java/org/neo4j/shell/state/BoltStateHandler.java

@@ -34,6 +34,7 @@ public class BoltStateHandler implements TransactionHandler, Connector, Database
     private String activeDatabaseNameAsSetByUser;
     private String actualDatabaseNameAsReportedByServer;
     private final boolean isInteractive;
+    private Bookmark systemBookmark;
 
     public BoltStateHandler(boolean isInteractive) {
         this(GraphDatabase::driver, isInteractive);
@@ -172,12 +173,13 @@ private void reconnect(boolean keepBookmark) {
         {
             builder.withDatabase( activeDatabaseNameAsSetByUser );
         }
-        if ( session != null && keepBookmark )
-        {
+        if (session != null && keepBookmark) {
             // Save the last bookmark and close the session
             final Bookmark bookmark = session.lastBookmark();
             session.close();
-            builder.withBookmarks( bookmark );
+            builder.withBookmarks(bookmark);
+        } else if (systemBookmark != null) {
+            builder.withBookmarks(systemBookmark);
         }
 
         session = driver.session( builder.build() );
@@ -235,6 +237,52 @@ public void updateActualDbName(@Nonnull ResultSummary resultSummary) {
         actualDatabaseNameAsReportedByServer = getActualDbName(resultSummary);
     }
 
+    public void changePassword(@Nonnull ConnectionConfig connectionConfig) {
+        if (!connectionConfig.passwordChangeRequired()) {
+            return;
+        }
+
+        if (isConnected()) {
+            silentDisconnect();
+        }
+
+        final AuthToken authToken = AuthTokens.basic(connectionConfig.username(), connectionConfig.password());
+
+        try {
+            driver = getDriver(connectionConfig, authToken);
+
+            // This will already throw an exception if there is no connectivity
+            driver.verifyConnectivity();
+
+            SessionConfig.Builder builder = SessionConfig.builder()
+                    .withDefaultAccessMode(AccessMode.WRITE)
+                    .withDatabase(SYSTEM_DB_NAME);
+            session = driver.session(builder.build());
+
+            String command = "ALTER CURRENT USER SET PASSWORD FROM $o TO $n";
+            Value parameters = Values.parameters("o", connectionConfig.password(), "n", connectionConfig.newPassword());
+
+            StatementResult run = session.run(command, parameters);
+            run.consume();
+
+            // If successful, use the new password when reconnecting
+            connectionConfig.setPassword(connectionConfig.newPassword());
+            connectionConfig.setNewPassword(null);
+
+            // Save a system bookmark to make sure we wait for the password change to propagate on reconnection
+            systemBookmark = session.lastBookmark();
+
+            silentDisconnect();
+        } catch (Throwable t) {
+            try {
+                silentDisconnect();
+            } catch (Exception e) {
+                t.addSuppressed(e);
+            }
+            throw t;
+        }
+    }
+
     /**
      * @throws SessionExpiredException when server no longer serves writes anymore
      */
@@ -292,6 +340,14 @@ public void reset() {
         }
     }
 
+    /**
+     * Used for testing purposes
+     */
+    public void disconnect() {
+         reset();
+         silentDisconnect();
+    }
+
     List<Statement> getTransactionStatements() {
         return this.transactionStatements;
     }