Mark all connections for closure on LDAP Auth Credential expiration

When an authenticated connection is made by the drivers, the server takes the raw credentials passed in the HELLO message and uses them to generate a token which is then cached and used to authorize all subsequent requests.

In some implementations of auth (principally LDAP), this cached token can expire and the original raw credentials are required to generate a new token. Since these raw credentials are not stored on the server and are only provided during connection initialization, the only way currently to refresh these tokens is by terminating the existing connection and create new connections.

When the driver receives an error with status `Status.Security.AuthorizationExpired` this should have the effect of marking all current connections as stale/invalid, forcing the driver to establish new connections and therefore refreshing the credentials cached on the server. Existing connections which are currently in use should not be interrupted.

Author: bigmontz

bolt-connection/src/connection-provider/connection-provider-direct.js

@@ -18,13 +18,19 @@
  */
 
 import PooledConnectionProvider from './connection-provider-pooled'
-import { createChannelConnection, DelegateConnection } from '../connection'
-import { internal } from 'neo4j-driver-core'
+import {
+  createChannelConnection,
+  DelegateConnection,
+  ConnectionErrorHandler
+} from '../connection'
+import { internal, error } from 'neo4j-driver-core'
 
 const {
   constants: { BOLT_PROTOCOL_V4_0, BOLT_PROTOCOL_V3 }
 } = internal
 
+const { SERVICE_UNAVAILABLE, newError } = error
+
 export default class DirectConnectionProvider extends PooledConnectionProvider {
   constructor ({ id, config, log, address, userAgent, authToken }) {
     super({ id, config, log, userAgent, authToken })
@@ -37,9 +43,26 @@ export default class DirectConnectionProvider extends PooledConnectionProvider {
    * its arguments.
    */
   acquireConnection ({ accessMode, database, bookmarks } = {}) {
+    const databaseSpecificErrorHandler = ConnectionErrorHandler.create({
+      errorCode: SERVICE_UNAVAILABLE,
+      handleAuthorizationExpired: (error, address) =>
+        this._handleAuthorizationExpired(error, address, database)
+    })
+
     return this._connectionPool
       .acquire(this._address)
-      .then(connection => new DelegateConnection(connection, null))
+      .then(
+        connection =>
+          new DelegateConnection(connection, databaseSpecificErrorHandler)
+      )
+  }
+
+  _handleAuthorizationExpired (error, address, database) {
+    this._log.warn(
+      `Direct driver ${this._id} will close connection to ${address} for database '${database}' because of an error ${error.code} '${error.message}'`
+    )
+    this._connectionPool.purge(address).catch(() => {})
+    return error
   }
 
   async _hasProtocolVersion (versionPredicate) {

bolt-connection/src/connection-provider/connection-provider-routing.js

@@ -100,6 +100,14 @@ export default class RoutingConnectionProvider extends PooledConnectionProvider
     return error
   }
 
+  _handleAuthorizationExpired (error, address, database) {
+    this._log.warn(
+      `Routing driver ${this._id} will close connections to ${address} for database '${database}' because of an error ${error.code} '${error.message}'`
+    )
+    this._connectionPool.purge(address).catch(() => {})
+    return error
+  }
+
   _handleWriteFailure (error, address, database) {
     this._log.warn(
       `Routing driver ${this._id} will forget writer ${address} for database '${database}' because of an error ${error.code} '${error.message}'`
@@ -122,7 +130,9 @@ export default class RoutingConnectionProvider extends PooledConnectionProvider
     const databaseSpecificErrorHandler = new ConnectionErrorHandler(
       SESSION_EXPIRED,
       (error, address) => this._handleUnavailability(error, address, database),
-      (error, address) => this._handleWriteFailure(error, address, database)
+      (error, address) => this._handleWriteFailure(error, address, database),
+      (error, address) =>
+        this._handleAuthorizationExpired(error, address, database)
     )
 
     const routingTable = await this._freshRoutingTable({

bolt-connection/src/connection/connection-error-handler.js

@@ -22,10 +22,30 @@ import { error } from 'neo4j-driver-core'
 const { SERVICE_UNAVAILABLE, SESSION_EXPIRED } = error
 
 export default class ConnectionErrorHandler {
-  constructor (errorCode, handleUnavailability, handleWriteFailure) {
+  constructor (
+    errorCode,
+    handleUnavailability,
+    handleWriteFailure,
+    handleAuthorizationExpired
+  ) {
     this._errorCode = errorCode
     this._handleUnavailability = handleUnavailability || noOpHandler
     this._handleWriteFailure = handleWriteFailure || noOpHandler
+    this._handleAuthorizationExpired = handleAuthorizationExpired || noOpHandler
+  }
+
+  static create ({
+    errorCode,
+    handleUnavailability,
+    handleWriteFailure,
+    handleAuthorizationExpired
+  }) {
+    return new ConnectionErrorHandler(
+      errorCode,
+      handleUnavailability,
+      handleWriteFailure,
+      handleAuthorizationExpired
+    )
   }
 
   /**
@@ -43,6 +63,9 @@ export default class ConnectionErrorHandler {
    * @return {Neo4jError} new error that should be propagated to the user.
    */
   handleAndTransformError (error, address) {
+    if (isAutorizationExpiredError(error)) {
+      return this._handleAuthorizationExpired(error, address)
+    }
     if (isAvailabilityError(error)) {
       return this._handleUnavailability(error, address)
     }
@@ -53,6 +76,10 @@ export default class ConnectionErrorHandler {
   }
 }
 
+function isAutorizationExpiredError (error) {
+  return error && error.code === 'Neo.ClientError.Security.AuthorizationExpired'
+}
+
 function isAvailabilityError (error) {
   if (error) {
     return (

test/internal/connection-error-handler.test.js renamed to bolt-connection/test/connection/connection-error-handler.test.js

@@ -17,7 +17,7 @@
  * limitations under the License.
  */
 
-import ConnectionErrorHandler from '../../bolt-connection/lib/connection/connection-error-handler'
+import ConnectionErrorHandler from '../../src/connection/connection-error-handler'
 import { newError, error, internal } from 'neo4j-driver-core'
 
 const {
@@ -79,6 +79,67 @@ describe('#unit ConnectionErrorHandler', () => {
     ])
   })
 
+  it('should handle and transform authorization expired error', () => {
+    const errors = []
+    const addresses = []
+    const transformedError = newError('Message', 'Code')
+    const handler = ConnectionErrorHandler.create({
+      errorCode: SERVICE_UNAVAILABLE,
+      handleAuthorizationExpired: (error, address) => {
+        errors.push(error)
+        addresses.push(address)
+        return transformedError
+      }
+    })
+
+    const error1 = newError(
+      'C',
+      'Neo.ClientError.Security.AuthorizationExpired'
+    )
+
+    const errorTransformed1 = handler.handleAndTransformError(
+      error1,
+      ServerAddress.fromUrl('localhost:0')
+    )
+
+    expect(errorTransformed1).toEqual(transformedError)
+
+    expect(addresses).toEqual([ServerAddress.fromUrl('localhost:0')])
+  })
+
+  it('should return original erro if authorization expired handler is not informed', () => {
+    const errors = []
+    const addresses = []
+    const transformedError = newError('Message', 'Code')
+    const handler = ConnectionErrorHandler.create({
+      errorCode: SERVICE_UNAVAILABLE,
+      handleUnavailability: (error, address) => {
+        errors.push(error)
+        addresses.push(address)
+        return transformedError
+      },
+      handleWriteFailure: (error, address) => {
+        errors.push(error)
+        addresses.push(address)
+        return transformedError
+      }
+    })
+
+    const error1 = newError(
+      'C',
+      'Neo.ClientError.Security.AuthorizationExpired'
+    )
+
+    const errorTransformed1 = handler.handleAndTransformError(
+      error1,
+      ServerAddress.fromUrl('localhost:0')
+    )
+
+    expect(errorTransformed1).toEqual(error1)
+
+    expect(addresses).toEqual([])
+  })
+
   it('should handle and transform failure to write errors', () => {
     const errors = []
     const addresses = []