feat: Introduce rest provider for SAF tokens (#1714)

* Add mock implementation for the REST endpoint.
* Initial implementation of the SAD IDT provider.
* Use the actual JWT token
* Generate the SAF token via REST call to defined API

Signed-off-by: Jakub Balhar <jakub@balhar.net>

Author: balhar-jakub

gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/saf/SafIdtProvider.java

@@ -0,0 +1,33 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+package org.zowe.apiml.gateway.security.service.saf;
+
+import java.util.Optional;
+
+/**
+ * It's possible to configure various SafIdtProviders. At the moment only one configured at the time is allowed. If there
+ * are multiple providers configures, the behavior could be unpredictable.
+ */
+public interface SafIdtProvider {
+    /**
+     * If the current user has the proper rights generate the SAF token on its behalf and return it back.
+     *
+     * @return Either empty answer meaning the user is either unauthenticated or doesn't have the proper rights.
+     */
+    Optional<String> generate(String username);
+
+    /**
+     * Verify that the provided saf token is valid.
+     *
+     * @param safToken Token to validate.
+     * @return true if the token is valid, false if it is invalid
+     */
+    boolean verify(String safToken);
+}

gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/saf/SafProviderBeansConfig.java

@@ -0,0 +1,30 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+package org.zowe.apiml.gateway.security.service.saf;
+
+import lombok.RequiredArgsConstructor;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.client.RestTemplate;
+import org.zowe.apiml.gateway.security.service.AuthenticationService;
+
+@Configuration
+@RequiredArgsConstructor
+public class SafProviderBeansConfig {
+    @Bean
+    @ConditionalOnProperty(name = "apiml.security.saf.provider", havingValue = "rest")
+    public SafIdtProvider restSafProvider(
+        RestTemplate restTemplate,
+        AuthenticationService authenticationService
+    ) {
+        return new SafRestAuthenticationService(restTemplate, authenticationService);
+    }
+}

gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/saf/SafRestAuthenticationService.java

@@ -0,0 +1,111 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+package org.zowe.apiml.gateway.security.service.saf;
+
+import com.netflix.zuul.context.RequestContext;
+import lombok.Data;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.client.HttpClientErrorException;
+import org.springframework.web.client.RestTemplate;
+import org.zowe.apiml.gateway.security.service.AuthenticationService;
+import org.zowe.apiml.security.common.token.TokenAuthentication;
+
+import java.net.URI;
+import java.util.Optional;
+
+import static org.springframework.util.StringUtils.isEmpty;
+
+/**
+ * Authentication provider implementation for the SafIdt Tokens that gets and verifies the tokens across the Restfull
+ * interface
+ * <p>
+ * To work properly the implementation requires two urls:
+ * <p>
+ * - apiml.security.saf.urls.authenticate - URL to generate token
+ * - apiml.security.saf.urls.verify - URL to verify the validity of the token
+ */
+@RequiredArgsConstructor
+@Slf4j
+public class SafRestAuthenticationService implements SafIdtProvider {
+    private final RestTemplate restTemplate;
+    private final AuthenticationService authenticationService;
+
+    @Value("${apiml.security.saf.urls.authenticate}")
+    String authenticationUrl;
+    @Value("${apiml.security.saf.urls.verify}")
+    String verifyUrl;
+
+    @Override
+    public Optional<String> generate(String username) {
+        final RequestContext context = RequestContext.getCurrentContext();
+        Optional<String> jwtToken = authenticationService.getJwtTokenFromRequest(context.getRequest());
+        if (!jwtToken.isPresent()) {
+            return Optional.empty();
+        }
+
+        TokenAuthentication tokenAuthentication = authenticationService.validateJwtToken(jwtToken.get());
+        if (!tokenAuthentication.isAuthenticated()) {
+            return Optional.empty();
+        }
+
+        try {
+            Authentication authentication = new Authentication();
+            authentication.setJwt(jwtToken.get());
+            authentication.setUsername(username);
+
+            ResponseEntity<Token> re = restTemplate.postForEntity(URI.create(authenticationUrl), authentication, Token.class);
+
+            if (!re.getStatusCode().is2xxSuccessful()) {
+                return Optional.empty();
+            }
+
+            Token responseBody = re.getBody();
+            if (responseBody == null) {
+                return Optional.empty();
+            }
+
+            return Optional.of(responseBody.getJwt());
+        } catch (HttpClientErrorException.Unauthorized e) {
+            return Optional.empty();
+        }
+    }
+
+    @Override
+    public boolean verify(String safToken) {
+        if (isEmpty(safToken)) {
+            return false;
+        }
+
+        try {
+            Token token = new Token();
+            token.setJwt(safToken);
+
+            ResponseEntity<String> re = restTemplate.postForEntity(URI.create(verifyUrl), token, String.class);
+
+            return re.getStatusCode().is2xxSuccessful();
+        } catch (HttpClientErrorException.Unauthorized e) {
+            return false;
+        }
+    }
+
+    @Data
+    public static class Token {
+        String jwt;
+    }
+
+    @Data
+    public static class Authentication {
+        String jwt;
+        String username;
+    }
+}

gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/SafIdtScheme.java

@@ -16,7 +16,7 @@
 import org.zowe.apiml.auth.Authentication;
 import org.zowe.apiml.auth.AuthenticationScheme;
 import org.zowe.apiml.gateway.security.service.AuthenticationService;
-import org.zowe.apiml.gateway.security.service.SafAuthenticationService;
+import org.zowe.apiml.gateway.security.service.saf.SafIdtProvider;
 import org.zowe.apiml.security.common.token.QueryResponse;
 import org.zowe.apiml.security.common.token.TokenAuthentication;
 
@@ -32,7 +32,7 @@
 @RequiredArgsConstructor
 public class SafIdtScheme implements AbstractAuthenticationScheme {
     private final AuthenticationService authenticationService;
-    private final SafAuthenticationService safAuthenticationService;
+    private final SafIdtProvider safIdtProvider;
 
     @Override
     public AuthenticationScheme getScheme() {
@@ -60,10 +60,10 @@ public void apply(InstanceInfo instanceInfo) {
             jwtToken.ifPresent(token -> {
                 TokenAuthentication authentication = authenticationService.validateJwtToken(jwtToken.get());
                 if (authentication.isAuthenticated()) {
-                    String safIdt = safAuthenticationService.generateSafIdt(token);
+                    // Get principal from the token?
+                    Optional<String> safIdt = safIdtProvider.generate(authentication.getPrincipal());
 
-                    // TODO: Verify whether authentication should be used.
-                    context.addZuulRequestHeader("X-SAF-Token", safIdt);
+                    safIdt.ifPresent(safToken -> context.addZuulRequestHeader("X-SAF-Token", safToken));
                 }
             });
         }

gateway-service/src/main/resources/application.yml

@@ -62,6 +62,11 @@ apiml:
         x509:
             enabled: false
             externalMapperUrl:
+        saf:
+            provider: rest
+            urls:
+                authenticate: https://localhost:10013/zss/saf/authenticate
+                verify: https://localhost:10013/zss/saf/verify
 
 spring:
     application:

gateway-service/src/test/java/org/zowe/apiml/acceptance/DeterministicUserBasedRoutingTest.java

@@ -54,8 +54,6 @@ class GivenAuthenticatedUserAndMoreInstancesOfService {
         @Nested
         class WhenCallingToServiceMultipleTimes {
 
-            boolean initialized = false;
-
             @RepeatedTest(10)
             void thenCallTheSameInstance(RepetitionInfo repetitionInfo) throws IOException {
 

gateway-service/src/test/java/org/zowe/apiml/acceptance/SafIdtSchemeTest.java

@@ -16,8 +16,13 @@
 import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
 import org.mockito.ArgumentCaptor;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.ResponseEntity;
+import org.springframework.test.util.ReflectionTestUtils;
+import org.springframework.web.client.RestTemplate;
 import org.zowe.apiml.acceptance.common.AcceptanceTest;
 import org.zowe.apiml.acceptance.common.AcceptanceTestWithTwoServices;
+import org.zowe.apiml.gateway.security.service.saf.SafRestAuthenticationService;
 
 import java.io.IOException;
 
@@ -32,6 +37,17 @@
  */
 @AcceptanceTest
 class SafIdtSchemeTest extends AcceptanceTestWithTwoServices {
+    @Autowired
+    protected SafRestAuthenticationService safRestAuthenticationService;
+
+    private RestTemplate mockTemplate;
+
+    @BeforeEach
+    void prepareTemplate() {
+        mockTemplate = mock(RestTemplate.class);
+        ReflectionTestUtils.setField(safRestAuthenticationService, "restTemplate", mockTemplate);
+    }
+
     @Nested
     class GivenValidJwtToken {
         Cookie validJwtToken;
@@ -45,6 +61,9 @@ void setUp() {
         class WhenSafIdtRequestedByService {
             @BeforeEach
             void prepareService() throws IOException {
+                applicationRegistry.clearApplications();
+                applicationRegistry.addApplication(serviceWithDefaultConfiguration, false, true, false, "authentication", true);
+                applicationRegistry.addApplication(serviceWithCustomConfiguration, true, false, true, "authentication", true);
                 applicationRegistry.setCurrentApplication(serviceWithDefaultConfiguration.getId());
 
                 reset(mockClient);
@@ -54,6 +73,15 @@ void prepareService() throws IOException {
             // Valid token is provided within the headers.
             @Test
             void thenValidTokenIsProvided() throws IOException {
+                String resultSafToken = "resultSafToken";
+
+                ResponseEntity<Object> response = mock(ResponseEntity.class);
+                when(mockTemplate.postForEntity(any(), any(), any())).thenReturn(response);
+                when(response.getStatusCode()).thenReturn(org.springframework.http.HttpStatus.CREATED);
+                SafRestAuthenticationService.Token responseBody = new SafRestAuthenticationService.Token();
+                responseBody.setJwt(resultSafToken);
+                when(response.getBody()).thenReturn(responseBody);
+
                 given()
                     .cookie(validJwtToken)
                 .when()
@@ -64,7 +92,7 @@ void thenValidTokenIsProvided() throws IOException {
                 ArgumentCaptor<HttpUriRequest> captor = ArgumentCaptor.forClass(HttpUriRequest.class);
                 verify(mockClient, times(1)).execute(captor.capture());
 
-                assertHeaderWithValue(captor.getValue(), "X-SAF-Token", "validToken" + validJwtToken.getValue());
+                assertHeaderWithValue(captor.getValue(), "X-SAF-Token", resultSafToken);
             }
         }
     }
@@ -82,17 +110,17 @@ void prepareService() throws IOException {
             }
 
             @Test
-            void givenInvalidJwtToken() throws IOException {
+            void givenInvalidJwtToken() {
                 Cookie withInvalidToken = new Cookie.Builder("apimlAuthenticationToken=invalidValue").build();
 
                 given()
                     .cookie(withInvalidToken)
                 .when()
                     .get(basePath + serviceWithDefaultConfiguration.getPath())
                 .then()
-                    .statusCode(is(HttpStatus.SC_UNAUTHORIZED));
+                    .statusCode(is(HttpStatus.SC_OK));
 
-                verify(mockClient, times(0)).execute(any());
+                verify(mockTemplate, times(0)).postForEntity(any(), any(), any());
             }
         }
     }

gateway-service/src/test/java/org/zowe/apiml/acceptance/netflix/ApplicationRegistry.java

@@ -49,6 +49,10 @@ public void addApplication(Service service, boolean addTimeout, boolean corsEnab
         addApplication(service, addTimeout, corsEnabled, multipleInstances, "headerRequest");
     }
 
+    public void addApplication(Service service, boolean addTimeout, boolean corsEnabled, boolean multipleInstances, String loadBalancerStrategy) {
+        addApplication(service, addTimeout, corsEnabled, multipleInstances, loadBalancerStrategy, false);
+    }
+
     /**
      * Add new route to a service.
      *
@@ -58,15 +62,15 @@ public void addApplication(Service service, boolean addTimeout, boolean corsEnab
      * @param loadBalancerStrategy What strategy should be applied by LoadBalancer. E.g use header, base the
      *                             authentication on the user and so on.
      */
-    public void addApplication(Service service, boolean addTimeout, boolean corsEnabled, boolean multipleInstances, String loadBalancerStrategy) {
+    public void addApplication(Service service, boolean addTimeout, boolean corsEnabled, boolean multipleInstances, String loadBalancerStrategy, boolean safIdt) {
         String id = service.getId();
         String locationPattern = service.getLocationPattern();
         String serviceRoute = service.getServiceRoute();
 
         Applications applications = new Applications();
         Application withMetadata = new Application(id);
 
-        Map<String, String> metadata = createMetadata(addTimeout, corsEnabled, loadBalancerStrategy);
+        Map<String, String> metadata = createMetadata(addTimeout, corsEnabled, loadBalancerStrategy, safIdt);
 
         withMetadata.addInstance(getStandardInstance(metadata, id, id));
         if (multipleInstances) {
@@ -149,7 +153,7 @@ private InstanceInfo getStandardInstance(Map<String, String> metadata, String se
             .build();
     }
 
-    private Map<String, String> createMetadata(boolean addRibbonConfig, boolean corsEnabled, String loadBalancerStrategy) {
+    private Map<String, String> createMetadata(boolean addRibbonConfig, boolean corsEnabled, String loadBalancerStrategy, boolean safIdt) {
         Map<String, String> metadata = new HashMap<>();
         if (addRibbonConfig) {
             metadata.put("apiml.connectTimeout", "5000");
@@ -161,7 +165,9 @@ private Map<String, String> createMetadata(boolean addRibbonConfig, boolean cors
         metadata.put("apiml.lb.cacheRecordExpirationTimeInHours", "8");
         metadata.put("apiml.corsEnabled", String.valueOf(corsEnabled));
         metadata.put("apiml.routes.gateway-url", "/");
-        metadata.put("apiml.authentication.scheme", "safIdt");
+        if (safIdt) {
+            metadata.put("apiml.authentication.scheme", "safIdt");
+        }
         return metadata;
     }