Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce Client Certificate configuration #1183

Merged
merged 23 commits into from
Mar 7, 2024
Merged

Introduce Client Certificate configuration #1183

merged 23 commits into from
Mar 7, 2024

Conversation

bigmontz
Copy link
Contributor

@bigmontz bigmontz commented Feb 21, 2024
edited
Loading

⚠️ This API is released as preview.
⚠️ This feature is NodeJS only. Browser should configure the client certificate in the system certificates.

The ClientCertificate is a mechanism to support mutual TLS as a second factor for authentication. The driver's certificate will not be used to authenticate a user on the DBMS, but only to authenticate the driver as a trusted client to the DBMS. Another authentication mechanism is still required to authenticate the user.

The configuration is done by using the driver configuration, the property name is clientCertificate and this a object with the following properties:

  • certfile: The path to client certificate file. This is can configured as list of paths.
  • keyfile: The path to key file. This can also be configured as a list of paths, an object contain path and password or a list of objects contain path and password.
  • password (optional): The client key password.

See node documentation for understanding how password, certs and keys work together.

Configuration example:

import neo4j from 'neo4j-driver'

const driver = neo4j.driver('neo4j+s://myhost:7687', MY_CREDENTIALS, {
   clientCertificate: {
      certfile: '/path/to/cert/file.cert',
      keyfile: '/path/to/cert/file.pem',
      password: 'the_key_password' // optional
   }
})

// then use your driver as usual.

Client Certificate Provider and Certificate Rotation

In case of the certificate needs to be changed, the driver offers an api for change client certificates without creating a new driver instance. The change is done by inform an ClientCertificateProvider instead of a ClientCertificate in the driver configuration.

ClientCertificateProvider is a public interface which can be implemented by user. However, the driver offers an implementation of this interface for working with certificate rotation scenarios.

import neo4j from 'neo4j-driver'

const initialClientCertificate: {
  certfile: '/path/to/cert/file.cert',
  keyfile: '/path/to/cert/file.pem',
  password: 'the_key_password' // optional
}

const clientCertificateProvider = neo4j.clientCertificateProviders.rotating({
    initialCertificate: initialClientCertificate
})

const driver = neo4j.driver('neo4j+s://myhost:7687', MY_CREDENTIALS, {
   clientCertificate: clientCertificateProvider
})


// use the driver as usual

// then you have new certificate which will replace the old one
clientCertificateProvider.updateCertificate({
  certfile: '/path/to/cert/new_file.cert',
  keyfile: '/path/to/cert/new_file.pem',
  password: 'the_new_key_password' // optional
})

// New connections will be created using the new certificate.
// however, older connections will not be closed if they still working.

⚠️ This feature is NodeJS only. Browser should configure the client certificate in the system certificates.
⚠️ This API is released as preview.

@bigmontz bigmontz linked an issue Feb 21, 2024 that may be closed by this pull request
Client-authenticated TLS connection #377
Closed
@bigmontz
Exporting types
e4379d1
@bigmontz
Implementing ClientCertificateProviders.rotating()
1627559
@bigmontz
Implement ClientCertificateProviders.routing
36c9b2b
@bigmontz
Add function to convert ClientCertificate to ClientCertificateProvider
9dbed03
@bigmontz
Improve validations
69ba1c3
@bigmontz
Push clientCertificate down the stack
cff410c
@bigmontz
Configure client certificate in Node (missing test)
1c17032
@bigmontz
Fix node mtls
f8daa05
@bigmontz
Deno does not support mtls
ad4c029
@bigmontz
Fix connection config tests
12908f4
@bigmontz
Adjust test code
1b8e971
@bigmontz
Enable the keyfile and cert to have multiple files
9ecd4ff
@bigmontz
Docs adjustments
0172cbd
@bigmontz
sync deno
b7d2ab0
@bigmontz
Loading files
35b2ee3
@bigmontz
Test Client Certificate holder
4371b88
@bigmontz
Fix PooledProvider
e4aa93c
@bigmontz
Consolidating clientCertificate data type
ea8985b
@bigmontz
Add feature flag and skip tests where needed
be44fa3
@bigmontz
Set feature as preview
3611fc3
@bigmontz
Implement cert rotation in the backend
7b4836b
@bigmontz bigmontz marked this pull request as ready for review March 5, 2024 08:46
@bigmontz bigmontz merged commit 552ea6c into neo4j:5.0 Mar 7, 2024
37 checks passed
@bigmontz bigmontz deleted the feature/mtls branch April 8, 2024 09:06
@WontonSam WontonSam mentioned this pull request Jul 17, 2024
Open
@snyk-io snyk-io bot mentioned this pull request Jul 17, 2024
Open
@ThomasvanOtterloo ThomasvanOtterloo mentioned this pull request Jul 17, 2024
Open
@snyk-io snyk-io bot mentioned this pull request Aug 14, 2024
Open
@WontonSam WontonSam mentioned this pull request Aug 17, 2024
Open
This was referenced Sep 8, 2024
Open
Open
This was referenced Sep 16, 2024
Open
Open
@jonkiky jonkiky mentioned this pull request Sep 20, 2024
Open
This was referenced Sep 21, 2024
Open
Open
@WontonSam WontonSam mentioned this pull request Oct 2, 2024
Open
@WontonSam WontonSam mentioned this pull request Nov 3, 2024
Open
@WontonSam WontonSam mentioned this pull request Nov 11, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ConorNeo ConorNeo ConorNeo approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Client-authenticated TLS connection
2 participants
@bigmontz @ConorNeo