Add a test to verify encryption and tls level combinations

Author: ali-ince

src/index.js

@@ -138,19 +138,22 @@ const logging = {
  *       // this is that if you don't know who you are talking to, it is easy for an
  *       // attacker to hijack your encrypted connection, rendering encryption pointless.
  *       //
- *       // TRUST_ALL_CERTIFICATES is the default choice for NodeJS deployments. It only requires
- *       // new host to provide a certificate and does no verification of the provided certificate.
+ *       // TRUST_SYSTEM_CA_SIGNED_CERTIFICATES is the default choice. For NodeJS environments, this
+ *       // means that you trust whatever certificates are in the default trusted certificate
+ *       // store of the underlying system. For Browser environments, the trusted certificate
+ *       // store is usually managed by the browser. Refer to your system or browser documentation
+ *       // if you want to explicitly add a certificate as trusted.
  *       //
- *       // TRUST_CUSTOM_CA_SIGNED_CERTIFICATES is the classic approach to trust verification -
+ *       // TRUST_CUSTOM_CA_SIGNED_CERTIFICATES is another option for trust verification -
  *       // whenever we establish an encrypted connection, we ensure the host is using
- *       // an encryption certificate that is in, or is signed by, a certificate listed
- *       // as trusted. In the web bundle, this list of trusted certificates is maintained
- *       // by the web browser. In NodeJS, you configure the list with the next config option.
+ *       // an encryption certificate that is in, or is signed by, a certificate given
+ *       // as trusted through configuration. This option is only available for NodeJS environments.
  *       //
- *       // TRUST_SYSTEM_CA_SIGNED_CERTIFICATES means that you trust whatever certificates
- *       // are in the default certificate chain of the underlying system.
- *       trust: "TRUST_ALL_CERTIFICATES" | "TRUST_CUSTOM_CA_SIGNED_CERTIFICATES" |
- *       "TRUST_SYSTEM_CA_SIGNED_CERTIFICATES",
+ *       // TRUST_ALL_CERTIFICATES means that you trust everything without any verifications
+ *       // steps carried out.  This option is only available for NodeJS environments and should not
+ *       // be used on production systems.
+ *       trust: "TRUST_SYSTEM_CA_SIGNED_CERTIFICATES" | "TRUST_CUSTOM_CA_SIGNED_CERTIFICATES" |
+ *       "TRUST_ALL_CERTIFICATES",
  *
  *       // List of one or more paths to trusted encryption certificates. This only
  *       // works in the NodeJS bundle, and only matters if you use "TRUST_CUSTOM_CA_SIGNED_CERTIFICATES".

test/internal/node/encryption.test.js

@@ -0,0 +1,105 @@
+/**
+ * Copyright (c) 2002-2019 "Neo4j,"
+ * Neo4j Sweden AB [http://neo4j.com]
+ *
+ * This file is part of Neo4j.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import neo4j from '../../../src'
+import sharedNeo4j from '../shared-neo4j'
+
+describe('#integration encryption', () => {
+  let originalTimeout
+
+  beforeEach(() => {
+    originalTimeout = jasmine.DEFAULT_TIMEOUT_INTERVAL
+    jasmine.DEFAULT_TIMEOUT_INTERVAL = 30000
+  })
+
+  afterEach(() => {
+    jasmine.DEFAULT_TIMEOUT_INTERVAL = originalTimeout
+  })
+
+  afterAll(() => {
+    sharedNeo4j.restart()
+  })
+
+  it('should be able to connect when encryption is off and tls_level is DISABLED', () =>
+    verifyEncryption(false, sharedNeo4j.tlsConfig.levels.disabled, null, true))
+
+  it('should not be able to connect when encryption is on and tls_level is DISABLED', () =>
+    verifyEncryption(true, sharedNeo4j.tlsConfig.levels.disabled, null, false))
+
+  it('should be able to connect when encryption is off and tls_level is OPTIONAL', () =>
+    verifyEncryption(false, sharedNeo4j.tlsConfig.levels.optional, null, true))
+
+  it('should not be able to connect when encryption is on and tls_level is OPTIONAL', () =>
+    verifyEncryption(true, sharedNeo4j.tlsConfig.levels.optional, null, false))
+
+  it('should be able to connect when encryption is on, tls_level is OPTIONAL and trust is TRUST_ALL', () =>
+    verifyEncryption(
+      true,
+      sharedNeo4j.tlsConfig.levels.optional,
+      'TRUST_ALL_CERTIFICATES',
+      true
+    ))
+
+  it('should not be able to connect when encryption is off and tls_level is REQUIRED', () =>
+    verifyEncryption(false, sharedNeo4j.tlsConfig.levels.required, null, false))
+
+  it('should not be able to connect when encryption is on and tls_level is REQUIRED', () =>
+    verifyEncryption(true, sharedNeo4j.tlsConfig.levels.required, null, false))
+
+  it('should be able to connect when encryption is on, tls_level is REQUIRED and trust is TRUST_ALL', () =>
+    verifyEncryption(
+      true,
+      sharedNeo4j.tlsConfig.levels.required,
+      'TRUST_ALL_CERTIFICATES',
+      true
+    ))
+
+  async function verifyEncryption (encrypted, tlsLevel, trust, expectToSucceed) {
+    sharedNeo4j.restart(tlsConfig(tlsLevel))
+
+    const config = {
+      encrypted: encrypted,
+      logging: sharedNeo4j.logging
+    }
+    if (trust) {
+      config.trust = trust
+    }
+    const driver = neo4j.driver(
+      'bolt://localhost',
+      sharedNeo4j.authToken,
+      config
+    )
+    const session = driver.session()
+
+    if (expectToSucceed) {
+      await expectAsync(session.run('CREATE (n) RETURN n')).toBeResolved()
+    } else {
+      await expectAsync(session.run('CREATE (n) RETURN n')).toBeRejected()
+    }
+
+    await session.close()
+    await driver.close()
+  }
+
+  function tlsConfig (tlsLevel) {
+    const config = {}
+    config[sharedNeo4j.tlsConfig.key] = tlsLevel
+    return config
+  }
+})

test/internal/node/tls.test.js

@@ -18,12 +18,7 @@
  */
 
 import neo4j from '../../../src'
-import path from 'path'
 import sharedNeo4j from '../shared-neo4j'
-import {
-  ServerVersion,
-  VERSION_4_0_0
-} from '../../../src/internal/server-version'
 
 describe('#integration trust', () => {
   let serverVersion

test/internal/shared-neo4j.js

@@ -124,10 +124,13 @@ const username = 'neo4j'
 const password = 'password'
 const authToken = neo4j.auth.basic(username, password)
 
-const boltTlsLevel = {
-  optional: 'OPTIONAL',
-  required: 'REQUIRED',
-  disabled: 'DISABLED'
+const tlsConfig = {
+  key: 'dbms.connector.bolt.tls_level',
+  levels: {
+    optional: 'OPTIONAL',
+    required: 'REQUIRED',
+    disabled: 'DISABLED'
+  }
 }
 
 const defaultConfig = {
@@ -147,7 +150,7 @@ const defaultConfig = {
   'dbms.memory.pagecache.size': '512m',
 
   // make TLS optional
-  'dbms.connector.bolt.tls_level': boltTlsLevel.optional
+  'dbms.connector.bolt.tls_level': tlsConfig.levels.optional
 }
 
 const NEOCTRLARGS = 'NEOCTRLARGS'
@@ -217,9 +220,7 @@ function configure (config) {
     `Configuring neo4j at "${neo4jDir()}" with "${JSON.stringify(config)}"`
   )
 
-  const configEntries = Object.keys(config).map(
-    key => `${key}=${defaultConfig[key]}`
-  )
+  const configEntries = Object.keys(config).map(key => `${key}=${config[key]}`)
   if (configEntries.length > 0) {
     const result = runCommand('neoctrl-configure', [
       neo4jDir(),
@@ -289,8 +290,15 @@ function stop () {
   stopNeo4j()
 }
 
-function restart () {
+function restart (configOverride) {
   stopNeo4j()
+  const newConfig = Object.assign({}, defaultConfig)
+  if (configOverride) {
+    Object.keys(configOverride).forEach(
+      key => (newConfig[key] = configOverride[key])
+    )
+  }
+  configure(newConfig)
   startNeo4j()
 }
 
@@ -345,5 +353,6 @@ export default {
   password: password,
   authToken: authToken,
   logging: debugLogging,
-  cleanupAndGetVersion: cleanupAndGetVersion
+  cleanupAndGetVersion: cleanupAndGetVersion,
+  tlsConfig: tlsConfig
 }