Introduced TRUST_ALL_CERTIFICATES

This option requires encryption but does no checks on the server's
certificate. It is just required to be present.

Author: lutovich

src/v1/index.js

@@ -66,7 +66,10 @@ let USER_AGENT = "neo4j-javascript/" + VERSION;
  *       // this is that if you don't know who you are talking to, it is easy for an
  *       // attacker to hijack your encrypted connection, rendering encryption pointless.
  *       //
- *       // TRUST_ON_FIRST_USE is the default for modern NodeJS deployments, and works
+ *       // TRUST_ALL_CERTIFICATES is the default choice for NodeJS deployments. It only requires
+ *       // new host to provide a certificate and does no verification of the provided certificate.
+ *       //
+ *       // TRUST_ON_FIRST_USE is available for modern NodeJS deployments, and works
  *       // similarly to how `ssl` works - the first time we connect to a new host,
  *       // we remember the certificate they use. If the certificate ever changes, we
  *       // assume it is an attempt to hijack the connection and require manual intervention.
@@ -81,8 +84,8 @@ let USER_AGENT = "neo4j-javascript/" + VERSION;
  *       //
  *       // TRUST_SYSTEM_CA_SIGNED_CERTIFICATES meand that you trust whatever certificates
  *       // are in the default certificate chain of th
- *       trust: "TRUST_ON_FIRST_USE" | "TRUST_SIGNED_CERTIFICATES" | TRUST_CUSTOM_CA_SIGNED_CERTIFICATES |
- * TRUST_SYSTEM_CA_SIGNED_CERTIFICATES,
+ *       trust: "TRUST_ALL_CERTIFICATES" | "TRUST_ON_FIRST_USE" | "TRUST_SIGNED_CERTIFICATES" |
+  *       "TRUST_CUSTOM_CA_SIGNED_CERTIFICATES" | "TRUST_SYSTEM_CA_SIGNED_CERTIFICATES",
  *
  *       // List of one or more paths to trusted encryption certificates. This only
  *       // works in the NodeJS bundle, and only matters if you use "TRUST_CUSTOM_CA_SIGNED_CERTIFICATES".

src/v1/internal/ch-node.js

@@ -16,15 +16,14 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
-import net from 'net';
-import tls from 'tls';
-import fs from 'fs';
-import path from 'path';
-import {EOL} from 'os';
-import {NodeBuffer} from './buf';
-import {ENCRYPTION_OFF} from './util';
-import {newError, SESSION_EXPIRED} from './../error';
+import net from "net";
+import tls from "tls";
+import fs from "fs";
+import path from "path";
+import {EOL} from "os";
+import {NodeBuffer} from "./buf";
+import {ENCRYPTION_OFF, isEmptyObjectOrNull} from "./util";
+import {newError, SESSION_EXPIRED} from "./../error";
 
 let _CONNECTION_IDGEN = 0;
 
@@ -119,7 +118,7 @@ const TrustStrategy = {
         "to verify trust for encrypted  connections, but have not configured any " +
         "trustedCertificates. You  must specify the path to at least one trusted " +
         "X.509 certificate for this to work. Two other alternatives is to use " +
-        "TRUST_ON_FIRST_USE or to disable encryption by setting encrypted=\"" + ENCRYPTION_OFF + "\"" +
+        "TRUST_ALL_CERTIFICATES or to disable encryption by setting encrypted=\"" + ENCRYPTION_OFF + "\"" +
         "in your driver configuration."));
       return;
     }
@@ -227,6 +226,26 @@ const TrustStrategy = {
     });
     socket.on('error', onFailure);
     return socket;
+  },
+
+  TRUST_ALL_CERTIFICATES: function (opts, onSuccess, onFailure) {
+    const tlsOpts = {
+      rejectUnauthorized: false
+    };
+    const socket = tls.connect(opts.port, opts.host, tlsOpts, function () {
+      const certificate = socket.getPeerCertificate();
+      if (isEmptyObjectOrNull(certificate)) {
+        onFailure(newError("Secure connection was successful but server did not return any valid " +
+            "certificates. Such connection can not be trusted. If you are just trying " +
+            " Neo4j out and are not concerned about encryption, simply disable it using " +
+            "`encrypted=\"" + ENCRYPTION_OFF + "\"` in the driver options. " +
+            "Socket responded with: " + socket.authorizationError));
+      } else {
+        onSuccess();
+      }
+    });
+    socket.on('error', onFailure);
+    return socket;
   }
 };
 
@@ -240,7 +259,7 @@ function connect( opts, onSuccess, onFailure=(()=>null) ) {
     return TrustStrategy[opts.trust](opts, onSuccess, onFailure);
   } else {
     onFailure(newError("Unknown trust strategy: " + opts.trust + ". Please use either " +
-      "trust:'TRUST_CUSTOM_CA_SIGNED_CERTIFICATES' or trust:'TRUST_ON_FIRST_USE' in your driver " +
+      "trust:'TRUST_CUSTOM_CA_SIGNED_CERTIFICATES' or trust:'TRUST_ALL_CERTIFICATES' in your driver " +
       "configuration. Alternatively, you can disable encryption by setting " +
       "`encrypted:\"" + ENCRYPTION_OFF + "\"`. There is no mechanism to use encryption without trust verification, " +
       "because this incurs the overhead of encryption without improving security. If " +

src/v1/internal/connector.js

@@ -468,9 +468,9 @@ function connect( url, config = {}) {
     host: parseHost(url),
     port: parsePort(url) || 7687,
     // Default to using encryption if trust-on-first-use is available
-    encrypted : (config.encrypted == null) ?  hasFeature("trust_on_first_use") : config.encrypted,
-    // Default to using TRUST_ON_FIRST_USE if it is available
-    trust : config.trust || (hasFeature("trust_on_first_use") ? "TRUST_ON_FIRST_USE" : "TRUST_CUSTOM_CA_SIGNED_CERTIFICATES"),
+    encrypted : (config.encrypted == null) ?  hasFeature("trust_all_certificates") : config.encrypted,
+    // Default to using TRUST_ALL_CERTIFICATES if it is available
+    trust : config.trust || (hasFeature("trust_all_certificates") ? "TRUST_ALL_CERTIFICATES" : "TRUST_CUSTOM_CA_SIGNED_CERTIFICATES"),
     trustedCertificates : config.trustedCertificates || [],
     knownHosts : config.knownHosts
   }), url);

src/v1/internal/features.js

@@ -26,11 +26,20 @@ const FEATURES = {
       // This is insane. We are verifying that we have a version of getPeerCertificate
       // that supports reading the whole certificate, eg this commit:
       // https://github.com/nodejs/node/commit/345c40b6
-      let desc = require('tls').TLSSocket.prototype.getPeerCertificate;
-      return desc.length >= 1;
+      const getPeerCertificateFunction = require('tls').TLSSocket.prototype.getPeerCertificate;
+      const numberOfParameters = getPeerCertificateFunction.length;
+      return numberOfParameters >= 1;
     } catch( e ) {
       return false;
     }
+  },
+  trust_all_certificates: () => {
+    try {
+      const getPeerCertificateFunction = require('tls').TLSSocket.prototype.getPeerCertificate;
+      return true;
+    } catch (e) {
+      return false;
+    }
   }
 };
 

src/v1/internal/util.js

@@ -20,7 +20,22 @@
 const ENCRYPTION_ON = "ENCRYPTION_ON";
 const ENCRYPTION_OFF = "ENCRYPTION_OFF";
 
+function isEmptyObjectOrNull(object) {
+    if (!object) {
+        return true;
+    }
+
+    for (let prop in object) {
+        if (object.hasOwnProperty(prop)) {
+            return false;
+        }
+    }
+
+    return true;
+}
+
 export {
+    isEmptyObjectOrNull,
     ENCRYPTION_ON,
     ENCRYPTION_OFF
 }

test/internal/tls.test.js

@@ -16,7 +16,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-var NodeChannel = require('../../lib/v1/internal/ch-node.js');
+var NodeChannel = require('../../lib/v1/internal/ch-node.js').default;
 var neo4j = require("../../lib/v1");
 var fs = require("fs");
 var path = require('path');
@@ -25,9 +25,9 @@ var hasFeature = require("../../lib/v1/internal/features").default;
 describe('trust-signed-certificates', function() {
 
   var driver;
-  var log = console.log;
+  var log;
   beforeEach(function() {
-    console.log = function () {}; // To mute deprecation message in test output
+    log = muteConsoleLog();
   });
   it('should reject unknown certificates', function(done) {
     // Assuming we only run this test on NodeJS
@@ -90,7 +90,37 @@ describe('trust-signed-certificates', function() {
     if( driver ) {
       driver.close();
     }
-    console.log = log;
+    unMuteConsoleLog(log);
+  });
+});
+
+describe('trust-all-certificates', function () {
+
+  var driver;
+  it('should work with default certificate', function (done) {
+    // Assuming we only run this test on NodeJS with TAC support
+    if (!hasFeature("trust_all_certificates")) {
+      done();
+      return;
+    }
+
+    // Given
+    driver = neo4j.driver("bolt://localhost", neo4j.auth.basic("neo4j", "neo4j"), {
+      encrypted: "ENCRYPTION_ON",
+      trust: "TRUST_ALL_CERTIFICATES"
+    });
+
+    // When
+    driver.session().run("RETURN 1").then(function (result) {
+      expect(result.records[0].get(0).toNumber()).toBe(1);
+      done();
+    });
+  });
+
+  afterEach(function () {
+    if (driver) {
+      driver.close();
+    }
   });
 });
 
@@ -171,7 +201,12 @@ describe('trust-system-ca-signed-certificates', function() {
 describe('trust-on-first-use', function() {
 
   var driver;
+  var log;
+  beforeEach(function() {
+    log = muteConsoleLog();
+  });
   afterEach(function(){
+    unMuteConsoleLog(log);
     if( driver ) {
       driver.close();
     }
@@ -364,3 +399,14 @@ describe('trust-on-first-use', function() {
     }
   });
 });
+
+// To mute deprecation message in test output
+function muteConsoleLog() {
+  const originalLog = console.log;
+  console.log = () => {};
+  return originalLog;
+}
+
+function unMuteConsoleLog(originalLog) {
+  console.log = originalLog;
+}

test/v1/direct.driver.boltkit.it.js

@@ -33,7 +33,10 @@ describe('direct driver', function() {
     var server = kit.start('./test/resources/boltkit/return_x.script', 9001);
 
     kit.run(function () {
-        var driver = neo4j.driver("bolt://localhost:9001", neo4j.auth.basic("neo4j", "neo4j"));
+        // BoltKit currently does not support encryption, create driver with encryption turned off
+        var driver = neo4j.driver("bolt://localhost:9001", neo4j.auth.basic("neo4j", "neo4j"), {
+          encrypted: "ENCRYPTION_OFF"
+        });
         // When
         var session = driver.session();
         // Then