Add support for TLS encrypted connections.

This was a bit tricky, several things play into making this as
complicated as it turned out:

- TOFU (Trust on First Use) as we implement it only works on NodeJS,
  and only since nodejs/node@345c40b6
- Browsers do not support specifying which certificates to trust,
  so CA list configuration only works on NodeJS
- The location of `.neo4j/known_hosts`, used by TOFU, differs between windows
  and linux.

However, tests are now green, all rejoice. For a modern NodeJS
deployment, the driver now defaults to using encryption and uses TOFU
for establishing trust, meaning users will get a low-hassle encrypted
setup by default.

If users are running in a web browser, or running a several-years-old
version of NodeJS, the driver will default to not using encryption.
I'm not entirely comfortable with this, but doing encrypted websockets
in the browser is a massive hurdle for users, since each Neo4j database
has it's own self-signed certificate by default. It seems that if we
forced first-time users to install new CA certificates in their
browsers, they will just opt to turn encryption off.

Author: jakewins

gulpfile.js

@@ -204,7 +204,7 @@ gulp.task('download-tck', function() {
 gulp.task('run-tck', ['download-tck', 'nodejs'], function() {
     return gulp.src(featureHome + "/*").pipe(cucumber({
         'steps': 'test/v1/tck/steps/*.js',
-        'format': 'pretty',
+        'format': 'summary',
         'tags' : ['~@in_dev', '~@db']
     }));
 });

src/v1/driver.js

@@ -32,13 +32,15 @@ class Driver {
    * @param {string} url
    * @param {string} userAgent
    * @param {Object} token
+   * @param {Object} config
    */
-  constructor(url, userAgent, token) {
+  constructor(url, userAgent = 'neo4j-javascript/0.0', token = {}, config = {}) {
     this._url = url;
-    this._userAgent = userAgent || 'neo4j-javascript/0.0';
+    this._userAgent = userAgent;
     this._openSessions = {};
     this._sessionIdGenerator = 0;
-    this._token = token || {};
+    this._token = token;
+    this._config = config;
     this._pool = new Pool(
       this._createConnection.bind(this),
       this._destroyConnection.bind(this),
@@ -54,7 +56,7 @@ class Driver {
   _createConnection( release ) {
     let sessionId = this._sessionIdGenerator++;
     let streamObserver = new _ConnectionStreamObserver(this);
-    let conn = connect(this._url);
+    let conn = connect(this._url, this._config);
     conn.initialize(this._userAgent, this._token, streamObserver);
     conn._id = sessionId;
     conn._release = () => release(conn);

src/v1/index.js

@@ -25,7 +25,7 @@ import {Node, Relationship, UnboundRelationship, PathSegment, Path} from './grap
 let USER_AGENT = "neo4j-javascript/" + VERSION;
 
 export default {
-  driver: (url, token) => new Driver(url, USER_AGENT, token),
+  driver: (url, token, config={}) => new Driver(url, USER_AGENT, token, config),
   int,
   isInt,
   auth: {

src/v1/internal/buf.js

@@ -399,7 +399,7 @@ class HeapBuffer extends BaseBuffer {
       let copy = new HeapBuffer(length);
       for (var i = 0; i < length; i++) {
         copy.putUInt8( i, this.getUInt8( i + start ) );
-      };
+      }
       return copy;
     }
   }
@@ -414,7 +414,7 @@ class HeapBuffer extends BaseBuffer {
 }
 
 /**
- * Represents a view of slice of another buffer.
+ * Represents a view as slice of another buffer.
  * @access private
  */
 class SliceBuffer extends BaseBuffer {
@@ -486,7 +486,7 @@ class CombinedBuffer extends BaseBuffer {
       } else {
         return buffer.getInt8(position);
       }
-    };
+    }
   }
 
   getFloat64 ( position ) {
@@ -561,12 +561,12 @@ try {
 } catch(e) {}
 
 /**
-* Allocate a new buffer using whatever mechanism is most sensible for the
-* current platform
-* @access private
-* @param {Integer} size
-* @return new buffer
-*/
+ * Allocate a new buffer using whatever mechanism is most sensible for the
+ * current platform
+ * @access private
+ * @param {Integer} size
+ * @return new buffer
+ */
 function alloc (size) {
   return new _DefaultBuffer(size);
 }

src/v1/internal/ch-node.js

@@ -18,16 +18,152 @@
  */
 
 import net from 'net';
+import tls from 'tls';
+import fs from 'fs';
+import path from 'path';
+import {EOL} from 'os';
 import {NodeBuffer} from './buf';
+import {newError} from './error';
 
 let _CONNECTION_IDGEN = 0;
 
-/**
-  * In a Node.js environment the 'net' module is used
-  * as transport.
-  * @access private
-  */
+function userHome() {
+  // For some reason, Browserify chokes on shimming `process`. This code
+  // will never get executed on the browser anyway, to just hack around it
+  let getOutOfHereBrowserifyYoureDrunk = require;
+  let process = getOutOfHereBrowserifyYoureDrunk('process');
+
+  return process.env[(process.platform == 'win32') ? 'USERPROFILE' : 'HOME'];
+}
+
+function loadFingerprint( serverId, knownHostsPath, cb ) {
+  if( !fs.existsSync( knownHostsPath )) {
+    cb(null);
+    return;
+  }
+  let found = false;
+  require('readline').createInterface({
+    input: fs.createReadStream(knownHostsPath)
+  }).on('line', (line)  => {
+    if( line.startsWith( serverId )) {
+      found = true;
+      cb( line.split(" ")[1] );
+    }
+  }).on('close', () => {
+    if(!found) {
+      cb(null);
+    }
+  });
+}
+
+function storeFingerprint( serverId, knownHostsPath, fingerprint ) {
+  fs.appendFile(knownHostsPath, serverId + " " + fingerprint + EOL, "utf8" );
+}
+
+const TrustStrategy = {
+  TRUST_SIGNED_CERTIFICATES : function( opts, onSuccess, onFailure ) {
+    if( !opts.trustedCertificates || opts.trustedCertificates.length == 0 ) {
+      onFailure(newError("You are using TRUST_SIGNED_CERTIFICATES as the method " +
+        "to verify trust for encrypted  connections, but have not configured any " +
+        "trustedCertificates. You  must specify the path to at least one trusted " +
+        "X.509 certificate for this to work. Two other alternatives is to use " +
+        "TRUST_ON_FIRST_USE or to disable encryption by setting encrypted=false " +
+        "in your driver configuration."));
+      return;
+    }
+
+    let tlsOpts = {
+      ca: opts.trustedCertificates.map(fs.readFileSync),
+      // Because we manually check for this in the connect callback, to give
+      // a more helpful error to the user
+      rejectUnauthorized: false
+    };
+
+    let socket = tls.connect(opts.port, opts.host, tlsOpts, function () {
+      if (!socket.authorized) {
+        onFailure(newError("Server certificate is not trusted. If you trust the database you are connecting to, add" +
+          " the signing certificate, or the server certificate, to the list of certificates trusted by this driver" +
+          " using `neo4j.v1.driver(.., { trustedCertificates:['path/to/certificate.crt']}). This " +
+          " is a security measure to protect against man-in-the-middle attacks. If you are just trying " +
+          " Neo4j out and are not concerned about encryption, simply disable it using `encrypted=false` in the driver" +
+          " options."));
+      } else {
+        onSuccess();
+      }
+    });
+    return socket;
+  },
+  TRUST_ON_FIRST_USE : function( opts, onSuccess, onFailure ) {
+    let tlsOpts = {
+      // Because we manually verify the certificate against known_hosts
+      rejectUnauthorized: false
+    };
+
+    let socket = tls.connect(opts.port, opts.host, tlsOpts, function () {
+      var serverCert = socket.getPeerCertificate(true);
+
+      if( !serverCert.raw ) {
+        // If `raw` is not available, we're on an old version of NodeJS, and
+        // the raw cert cannot be accessed (or, at least I couldn't find a way to)
+        // therefore, we can't generate a SHA512 fingerprint, meaning we can't
+        // do TOFU, and the safe approach is to fail.
+        onFailure(newError("You are using a version of NodeJS that does not " +
+          "support trust-on-first use encryption. You can either upgrade NodeJS to " +
+          "a newer version, use `trust:TRUST_SIGNED_CERTIFICATES` in your driver " +
+          "config instead, or disable encryption using `encrypted:false`."));
+        return;
+      }
+
+      var serverFingerprint = require('crypto').createHash('sha512').update(serverCert.raw).digest("hex");
+      let knownHostsPath = opts.knownHosts || path.join(userHome(), ".neo4j", "known_hosts");
+      let serverId = opts.host + ":" + opts.port;
+
+      loadFingerprint(serverId, knownHostsPath, (knownFingerprint) => {
+        if( knownFingerprint === serverFingerprint ) {
+          onSuccess();
+        } else if( knownFingerprint == null ) {
+          storeFingerprint( serverId, knownHostsPath, serverFingerprint );
+          onSuccess();
+        } else {
+          onFailure(newError("Database encryption certificate has changed, and no longer " +
+            "matches the certificate stored for " + serverId + " in `" + knownHostsPath +
+            "`. As a security precaution, this driver will not automatically trust the new " +
+            "certificate, because doing so would allow an attacker to pretend to be the Neo4j " +
+            "instance we want to connect to. The certificate provided by the server looks like: " +
+            serverCert + ". If you trust that this certificate is valid, simply remove the line " +
+            "starting with " + serverId + " in `" + knownHostsPath + "`, and the driver will " +
+            "update the file with the new certificate. You can configure which file the driver " +
+            "should use to store this information by setting `knownHosts` to another path in " +
+            "your driver configuration - and you can disable encryption there as well using " +
+            "`encrypted:false`."))
+        }
+      });
+    });
+    return socket;
+  }
+};
+
+function connect( opts, onSuccess, onFailure=(()=>null) ) {
+  if( opts.encrypted === false ) {
+    return net.connect(opts.port, opts.host, onSuccess);
+  } else if( TrustStrategy[opts.trust]) {
+    return TrustStrategy[opts.trust](opts, onSuccess, onFailure);
+  } else {
+    onFailure(newError("Unknown trust strategy: " + opts.trust + ". Please use either " +
+      "trust:'TRUST_SIGNED_CERTIFICATES' or trust:'TRUST_ON_FIRST_USE' in your driver " +
+      "configuration. Alternatively, you can disable encryption by setting " +
+      "`encrypted:false`. There is no mechanism to use encryption without trust verification, " +
+      "because this incurs the overhead of encryption without improving security. If " +
+      "the driver does not verify that the peer it is connected to is really Neo4j, it " +
+      "is very easy for an attacker to bypass the encryption by pretending to be Neo4j."));
+  }
+}
 
+/**
+ * In a Node.js environment the 'net' module is used
+ * as transport.
+ * @access private
+ */
 class NodeChannel {
 
   /**
@@ -37,35 +173,42 @@ class NodeChannel {
    * @param {Integer} opts.port - The port to use.
    */
   constructor (opts) {
-    let _self = this;
+    let self = this;
 
     this.id = _CONNECTION_IDGEN++;
     this.available = true;
     this._pending = [];
     this._open = true;
-    this._conn = net.connect((opts.port || 7687), opts.host, () => {
-      if(!_self._open) {
+    this._error = null;
+    this._handleConnectionError = this._handleConnectionError.bind(this);
+
+    this._conn = connect(opts, () => {
+      if(!self._open) {
         return;
       }
+
+      self._conn.on('data', ( buffer ) => {
+        if( self.onmessage ) {
+          self.onmessage( new NodeBuffer( buffer ) );
+        }
+      });
+
+      self._conn.on('error', self._handleConnectionError);
+
       // Drain all pending messages
-      let pending = _self._pending;
-      _self._pending = null;
+      let pending = self._pending;
+      self._pending = null;
       for (let i = 0; i < pending.length; i++) {
-        _self.write( pending[i] );
+        self.write( pending[i] );
       }
-    });
-
-    this._conn.on('data', ( buffer ) => {
-      if( _self.onmessage ) {
-        _self.onmessage( new NodeBuffer( buffer ) );
-      }
-    });
+    }, this._handleConnectionError);
+  }
 
-    this._conn.on('error', function(err){
-      if( _self.onerror ) {
-        _self.onerror(err);
-      }
-    });
+  _handleConnectionError( err ) {
+    this._error = err;
+    if( this.onerror ) {
+      this.onerror(err);
+    }
   }
 
   /**
@@ -89,12 +232,14 @@ class NodeChannel {
    * Close the connection
    * @param {function} cb - Function to call on close.
    */
-  close(cb) {
-    if(cb) {
+  close(cb = (() => null)) {
+    this._open = false;
+    if( this._conn ) {
+      this._conn.end();
       this._conn.on('end', cb);
+    } else {
+      cb();
     }
-    this._open = false;
-    this._conn.end();
   }
 }
 let _nodeChannelModule = {channel: NodeChannel, available: true};