Wrap SSO token expiration error into user-facing error

Author: fbiville

neo4j/error.go

@@ -110,6 +110,17 @@ func IsTransactionExecutionLimit(err error) bool {
 	return is
 }
 
+// TokenExpiredError represent errors caused by the driver not being able to connect to Neo4j services,
+// or lost connections.
+type TokenExpiredError struct {
+	Code string
+	Message string
+}
+
+func (e *TokenExpiredError) Error() string {
+	return fmt.Sprintf("TokenExpiredError: %s (%s)", e.Code, e.Message)
+}
+
 func wrapError(err error) error {
 	if err == nil {
 		return nil
@@ -134,6 +145,10 @@ func wrapError(err error) error {
 			// most likely due to read timeout configuration hint being applied
 			return &ConnectivityError{inner: err}
 		}
+	case *db.Neo4jError:
+		if e.Code == "Neo.ClientError.Security.TokenExpired" {
+			return &TokenExpiredError{Code: e.Code, Message: e.Msg}
+		}
 	}
 	return err
 }

neo4j/internal/bolt/bolt4_test.go

@@ -871,4 +871,29 @@ func TestBolt4(ot *testing.T) {
 		assertBoltState(t, bolt4_dead, bolt)
 		AssertError(t, err)
 	})
+
+	ot.Run("Immediately expired authentication token error triggers a connection failure", func(t *testing.T) {
+		bolt, cleanup := connectToServer(t, func(srv *bolt4server) {
+			srv.accept(4)
+			srv.sendFailureMsg("Neo.ClientError.Security.TokenExpired", "SSO token is... expired")
+		})
+		defer cleanup()
+
+		_, err := bolt.Run(db.Command{Cypher: "MATCH (n) RETURN n"}, db.TxConfig{Mode: db.ReadMode})
+		assertBoltState(t, bolt4_failed, bolt)
+		AssertError(t, err)
+	})
+
+	ot.Run("Expired authentication token error after run triggers a connection failure", func(t *testing.T) {
+		bolt, cleanup := connectToServer(t, func(srv *bolt4server) {
+			srv.accept(4)
+			srv.waitForRun()
+			srv.sendFailureMsg("Neo.ClientError.Security.TokenExpired", "SSO token is... expired")
+		})
+		defer cleanup()
+
+		_, err := bolt.Run(db.Command{Cypher: "MATCH (n) RETURN n"}, db.TxConfig{Mode: db.ReadMode})
+		assertBoltState(t, bolt4_failed, bolt)
+		AssertError(t, err)
+	})
 }

neo4j/internal/testutil/asserts.go

@@ -21,6 +21,7 @@
 package testutil
 
 import (
+	"fmt"
 	"io"
 	"reflect"
 	"strings"
@@ -81,10 +82,15 @@ func AssertNoError(t *testing.T, err error) {
 	}
 }
 
+func AssertErrorMessageContains(t *testing.T, err error, msg string, args ...interface{}) {
+	AssertError(t, err)
+	AssertStringContain(t, err.Error(), fmt.Sprintf(msg, args...))
+}
+
 func AssertError(t *testing.T, err error) {
 	t.Helper()
 	if err == nil {
-		t.Fatal("Expected an error but it wasn't")
+		t.Fatal("Expected an error but none occurred")
 	}
 }
 

neo4j/internal/testutil/connfake.go

@@ -48,8 +48,11 @@ type ConnFake struct {
 	Table          *db.RoutingTable
 	Err            error
 	Id             int
+	TxBeginErr     error
 	TxBeginHandle  db.TxHandle
+	RunErr         error
 	RunStream      db.StreamHandle
+	RunTxErr       error
 	RunTxStream    db.StreamHandle
 	Nexts          []Next
 	Bookm          string
@@ -112,7 +115,7 @@ func (c *ConnFake) GetRoutingTable(context map[string]string, bookmarks []string
 
 func (c *ConnFake) TxBegin(txConfig db.TxConfig) (db.TxHandle, error) {
 	c.RecordedTxs = append(c.RecordedTxs, RecordedTx{Origin: "TxBegin", Mode: txConfig.Mode, Bookmarks: txConfig.Bookmarks, Timeout: txConfig.Timeout, Meta: txConfig.Meta})
-	return c.TxBeginHandle, c.Err
+	return c.TxBeginHandle, c.TxBeginErr
 }
 
 func (c *ConnFake) TxRollback(tx db.TxHandle) error {
@@ -129,11 +132,11 @@ func (c *ConnFake) TxCommit(tx db.TxHandle) error {
 func (c *ConnFake) Run(runCommand db.Command, txConfig db.TxConfig) (db.StreamHandle, error) {
 
 	c.RecordedTxs = append(c.RecordedTxs, RecordedTx{Origin: "Run", Mode: txConfig.Mode, Bookmarks: txConfig.Bookmarks, Timeout: txConfig.Timeout, Meta: txConfig.Meta})
-	return c.RunStream, c.Err
+	return c.RunStream, c.RunErr
 }
 
 func (c *ConnFake) RunTx(tx db.TxHandle, runCommand db.Command) (db.StreamHandle, error) {
-	return c.RunTxStream, c.Err
+	return c.RunTxStream, c.RunTxErr
 }
 
 func (c *ConnFake) Keys(streamHandle db.StreamHandle) ([]string, error) {

neo4j/session.go

@@ -208,7 +208,7 @@ func (s *session) BeginTransaction(configurers ...func(*TransactionConfig)) (Tra
 	})
 	if err != nil {
 		s.pool.Return(conn)
-		return nil, err
+		return nil, wrapError(err)
 	}
 
 	// Create transaction wrapper

neo4j/session_test.go

@@ -62,6 +62,8 @@ func TestSession(st *testing.T) {
 		return &router, &pool, sess
 	}
 
+	tokenExpiredErr := &db.Neo4jError{Code: "Neo.ClientError.Security.TokenExpired", Msg: "oopsie whoopsie"}
+
 	st.Run("Retry mechanism", func(rt *testing.T) {
 		// Checks that retries occur on database error and that it stops retrying after a certain
 		// amount of time and that connections are returned to pool upon failure.
@@ -141,17 +143,17 @@ func TestSession(st *testing.T) {
 			dirtyBookmarks := []string{"", "b1", "", "b2", ""}
 			cleanBookmarks := []string{"b1", "b2"}
 			_, pool, sess := createSessionWithBookmarks(dirtyBookmarks)
-			conn := &ConnFake{Alive: true, Err: errors.New("Make all fail")}
+			err := errors.New("make all fail")
+			conn := &ConnFake{Alive: true, RunErr: err, TxBeginErr: err}
 			pool.BorrowConn = conn
 
-			// All of these assume that Err on ConnFake fails the operations
 			sess.Run("cypher", nil)
 			sess.BeginTransaction()
 			sess.ReadTransaction(func(tx Transaction) (interface{}, error) {
-				return nil, errors.New("somehting")
+				return nil, errors.New("something")
 			})
 			sess.WriteTransaction(func(tx Transaction) (interface{}, error) {
-				return nil, errors.New("somehting")
+				return nil, errors.New("something")
 			})
 			AssertLen(t, conn.RecordedTxs, 4)
 			for _, rtx := range conn.RecordedTxs {
@@ -297,6 +299,98 @@ func TestSession(st *testing.T) {
 			_, err = sess.Run("cypher", nil)
 			assertUsageError(t, err)
 		})
+
+		bt.Run("Token expiration in session run after errored connection acquisition", func(t *testing.T) {
+			_, pool, sess := createSession()
+			pool.BorrowErr = tokenExpiredErr
+
+			_, err := sess.Run("cypher", map[string]interface{}{})
+
+			assertTokenExpiredError(t, err)
+		})
+
+		bt.Run("Token expiration after run", func(t *testing.T) {
+			_, pool, sess := createSession()
+			conn := &ConnFake{Alive: true, RunErr: tokenExpiredErr}
+			pool.BorrowConn = conn
+
+			_, err := sess.Run("cypher", map[string]interface{}{})
+
+			assertTokenExpiredError(t, err)
+		})
+
+		bt.Run("Token expiration after result collect call", func(t *testing.T) {
+			_, pool, sess := createSession()
+			conn := &ConnFake{Alive: true, Nexts: []Next{{Err: tokenExpiredErr}}}
+			pool.BorrowConn = conn
+
+			result, err := sess.Run("cypher", map[string]interface{}{})
+			AssertNil(t, err)
+			_, err = result.Collect()
+
+			assertTokenExpiredError(t, err)
+		})
+
+		bt.Run("Token expiration after result consume call", func(t *testing.T) {
+			_, pool, sess := createSession()
+			conn := &ConnFake{Alive: true, ConsumeErr: tokenExpiredErr}
+			pool.BorrowConn = conn
+
+			result, err := sess.Run("cypher", map[string]interface{}{})
+			AssertNil(t, err)
+			_, err = result.Consume()
+
+			assertTokenExpiredError(t, err)
+		})
+
+		bt.Run("Token expiration after result consume next and err call", func(t *testing.T) {
+			_, pool, sess := createSession()
+			conn := &ConnFake{Alive: true, Nexts: []Next{{Err: tokenExpiredErr}}}
+			pool.BorrowConn = conn
+
+			result, err := sess.Run("cypher", map[string]interface{}{})
+			AssertNil(t, err)
+			_ = result.Next()
+			err = result.Err()
+
+			assertTokenExpiredError(t, err)
+		})
+
+		bt.Run("Token expiration after result single record extraction", func(t *testing.T) {
+			_, pool, sess := createSession()
+			conn := &ConnFake{Alive: true, Nexts: []Next{{Err: tokenExpiredErr}}}
+			pool.BorrowConn = conn
+
+			result, err := sess.Run("cypher", map[string]interface{}{})
+			AssertNil(t, err)
+			_, err = result.Single()
+
+			assertTokenExpiredError(t, err)
+		})
+
+		bt.Run("Token expiration after write transaction function", func(t *testing.T) {
+			_, pool, sess := createSession()
+			conn := &ConnFake{Alive: true}
+			pool.BorrowConn = conn
+
+			_, err := sess.WriteTransaction(func(tx Transaction) (interface{}, error) {
+				return nil, tokenExpiredErr
+			})
+
+			assertTokenExpiredError(t, err)
+		})
+
+		bt.Run("Token expiration after read transaction function", func(t *testing.T) {
+			_, pool, sess := createSession()
+			conn := &ConnFake{Alive: true}
+			pool.BorrowConn = conn
+
+			_, err := sess.ReadTransaction(func(tx Transaction) (interface{}, error) {
+				return nil, tokenExpiredErr
+			})
+
+			assertTokenExpiredError(t, err)
+		})
 	})
 
 	st.Run("Explicit transaction", func(bt *testing.T) {
@@ -342,6 +436,57 @@ func TestSession(st *testing.T) {
 			_, err := sess.BeginTransaction()
 			AssertNoError(t, err)
 		})
+
+		bt.Run("Token expiration after transaction begin", func(t *testing.T) {
+			_, pool, sess := createSession()
+			conn := &ConnFake{Alive: true, TxBeginErr: tokenExpiredErr}
+			pool.BorrowConn = conn
+
+			tx, err := sess.BeginTransaction()
+
+			AssertNil(t, tx)
+			assertTokenExpiredError(t, err)
+		})
+
+		bt.Run("Token expiration after transaction run", func(t *testing.T) {
+			_, pool, sess := createSession()
+			conn := &ConnFake{Alive: true, RunTxErr: tokenExpiredErr}
+			pool.BorrowConn = conn
+
+			tx, err := sess.BeginTransaction()
+			AssertNil(t, err)
+			_, err = tx.Run("cypher", map[string]interface{}{})
+
+			assertTokenExpiredError(t, err)
+		})
+
+		bt.Run("Token expiration after transaction commit", func(t *testing.T) {
+			_, pool, sess := createSession()
+			conn := &ConnFake{Alive: true, TxCommitErr: tokenExpiredErr}
+			pool.BorrowConn = conn
+
+			tx, err := sess.BeginTransaction()
+			AssertNil(t, err)
+			_, err = tx.Run("cypher", map[string]interface{}{})
+			AssertNil(t, err)
+			err = tx.Commit()
+
+			assertTokenExpiredError(t, err)
+		})
+
+		bt.Run("Token expiration after transaction rollback", func(t *testing.T) {
+			_, pool, sess := createSession()
+			conn := &ConnFake{Alive: true, TxRollbackErr: tokenExpiredErr}
+			pool.BorrowConn = conn
+
+			tx, err := sess.BeginTransaction()
+			AssertNil(t, err)
+			_, err = tx.Run("cypher", map[string]interface{}{})
+			AssertNil(t, err)
+			err = tx.Rollback()
+
+			assertTokenExpiredError(t, err)
+		})
 	})
 
 	st.Run("Close", func(ct *testing.T) {
@@ -367,3 +512,9 @@ func TestSession(st *testing.T) {
 		})
 	})
 }
+
+func assertTokenExpiredError(t *testing.T, err error) {
+	AssertSameType(t, err, &TokenExpiredError{})
+	AssertErrorMessageContains(t, err, "Neo.ClientError.Security.TokenExpired")
+	AssertErrorMessageContains(t, err, "oopsie whoopsie")
+}

testkit-backend/backend.go

@@ -115,10 +115,15 @@ func (b *backend) writeError(err error) {
 	// track of this error so that we can reuse the real thing within a retryable tx
 	fmt.Printf("Error: %s (%T)\n", err.Error(), err)
 	code := ""
+	tokenErr, isTokenExpiredErr := err.(*neo4j.TokenExpiredError)
+	if isTokenExpiredErr {
+		code = tokenErr.Code
+	}
 	if neo4j.IsNeo4jError(err) {
 		code = err.(*db.Neo4jError).Code
 	}
-	isDriverError := neo4j.IsNeo4jError(err) ||
+	isDriverError := isTokenExpiredErr ||
+		neo4j.IsNeo4jError(err) ||
 		neo4j.IsUsageError(err) ||
 		neo4j.IsConnectivityError(err) ||
 		neo4j.IsTransactionExecutionLimit(err) ||
@@ -353,10 +358,14 @@ func (b *backend) handleRequest(req map[string]interface{}) {
 		authTokenMap := data["authorizationToken"].(map[string]interface{})["data"].(map[string]interface{})
 		switch authTokenMap["scheme"] {
 		case "basic":
+			realm, ok := authTokenMap["realm"].(string)
+			if !ok {
+				realm = ""
+			}
 			authToken = neo4j.BasicAuth(
 				authTokenMap["principal"].(string),
 				authTokenMap["credentials"].(string),
-				authTokenMap["realm"].(string))
+				realm)
 		case "kerberos":
 			authToken = neo4j.KerberosAuth(authTokenMap["ticket"].(string))
 		case "bearer":
@@ -572,6 +581,7 @@ func (b *backend) handleRequest(req map[string]interface{}) {
 				"Optimization:ConnectionReuse",
 				"Optimization:ImplicitDefaultArguments",
 				"Optimization:PullPipelining",
+				"Feature:Auth:Bearer",
 			},
 		})