feat: Caching Service can store invalidated token rules (#2460)

* feat: Caching Service can store invalidated tokens and revocation rules for users and services

Signed-off-by: Petr Weinfurt <weipe03@ca.com>

* fix integration tests

Signed-off-by: Petr Weinfurt <weipe03@ca.com>

* Add revokation of tokens using rules

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* add more integration tests

Signed-off-by: Petr Weinfurt <weipe03@ca.com>

* Add validation based on rule

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Remove condition for duplicated rules

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Remove unused method

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Increase code coverage

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Fix code smells

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Fix check for rules matching either userId or serviceId during validation

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* The isInvalidated() function also check for timestamp value in rules.

Signed-off-by: Petr Weinfurt <weipe03@ca.com>

Co-authored-by: Petr Weinfurt <weipe03@ca.com>
Co-authored-by: Andrea Tabone <andrea.tabone@broadcom.com>
Co-authored-by: Andrea Tabone <39694626+taban03@users.noreply.github.com>

Author: 3 people

apiml-security-common/src/main/java/org/zowe/apiml/security/common/config/AccessTokenProviderConfig.java

@@ -30,7 +30,7 @@ public void invalidateToken(String token) {
             }
 
             @Override
-            public boolean isInvalidated(String token) {
+            public boolean isInvalidated(String token, String serviceId) {
                 throw new NotImplementedException();
             }
 
@@ -43,6 +43,11 @@ public String getToken(String username, int expirationTime, Set<String> scopes)
             public boolean isValidForScopes(String token, String serviceId) {
                 throw new NotImplementedException();
             }
+
+            @Override
+            public void invalidateTokensUsingRules(String ruleId, long timeStamp) {
+                throw new NotImplementedException();
+            }
         };
     }
 }

apiml-security-common/src/main/java/org/zowe/apiml/security/common/token/AccessTokenProvider.java

@@ -14,7 +14,8 @@
 public interface AccessTokenProvider {
 
     void invalidateToken(String token) throws Exception;
-    boolean isInvalidated(String token) throws Exception;
+    boolean isInvalidated(String token, String serviceId) throws Exception;
     String getToken(String username, int expirationTime, Set<String> scopes);
     boolean isValidForScopes(String token, String serviceId);
+    void invalidateTokensUsingRules(String ruleId, long timeStamp) throws Exception;
 }

caching-service/src/main/java/org/zowe/apiml/caching/api/CachingController.java

@@ -106,26 +106,43 @@ public ResponseEntity<Object> createKey(@RequestBody KeyValue keyValue, HttpServ
             keyValue, request, HttpStatus.CREATED);
     }
 
-    @PostMapping(value = "/cache-list", produces = MediaType.APPLICATION_JSON_VALUE)
-    @Operation(summary = "Add a new list item in the cache",
-        description = "A new key-value pair will be added to the cache")
+    @PostMapping(value = "/cache-list/{mapKey}", produces = MediaType.APPLICATION_JSON_VALUE)
+    @Operation(summary = "Add a new item in the cache map",
+        description = "A new key-value pair will be added to the specific cache map with given map key.")
     @ResponseBody
     @HystrixCommand
-    public ResponseEntity<Object> storeListItem(@RequestBody KeyValue keyValue, HttpServletRequest request) {
-        return keyValueRequest(storage::storeListItem,
-            keyValue, request, HttpStatus.CREATED);
+    public ResponseEntity<Object> storeMapItem(@PathVariable String mapKey, @RequestBody KeyValue keyValue, HttpServletRequest request) {
+        return mapKeyValueRequest(storage::storeMapItem,
+            mapKey, keyValue, request, HttpStatus.CREATED);
     }
 
-    @GetMapping(value = "/cache-list/{key}", produces = MediaType.APPLICATION_JSON_VALUE)
-    @Operation(summary = "Retrieves all the list items in the cache",
+    @GetMapping(value = "/cache-list/{mapKey}", produces = MediaType.APPLICATION_JSON_VALUE)
+    @Operation(summary = "Retrieves all the items in the cache map",
+        description = "Values returned for the calling service and specific cache map.")
+    @ResponseBody
+    @HystrixCommand
+    public ResponseEntity<Object> getAllMapItems(@PathVariable String mapKey, HttpServletRequest request) {
+        return getServiceId(request).<ResponseEntity<Object>>map(
+            s -> {
+                try {
+                    return new ResponseEntity<>(storage.getAllMapItems(s, mapKey), HttpStatus.OK);
+                } catch (Exception exception) {
+                    return handleIncompatibleStorageMethod(exception, request.getRequestURL());
+                }
+            }
+        ).orElseGet(this::getUnauthorizedResponse);
+    }
+
+    @GetMapping(value = "/cache-list", produces = MediaType.APPLICATION_JSON_VALUE)
+    @Operation(summary = "Retrieves all the maps in the cache",
         description = "Values returned for the calling service")
     @ResponseBody
     @HystrixCommand
-    public ResponseEntity<Object> getAllListItems(@PathVariable String key, HttpServletRequest request) {
+    public ResponseEntity<Object> getAllMaps(HttpServletRequest request) {
         return getServiceId(request).<ResponseEntity<Object>>map(
             s -> {
                 try {
-                    return new ResponseEntity<>(storage.getAllMapItems(s, key), HttpStatus.OK);
+                    return new ResponseEntity<>(storage.getAllMaps(s), HttpStatus.OK);
                 } catch (Exception exception) {
                     return handleIncompatibleStorageMethod(exception, request.getRequestURL());
                 }
@@ -201,6 +218,26 @@ private ResponseEntity<Object> keyValueRequest(KeyValueOperation keyValueOperati
         }
     }
 
+    private ResponseEntity<Object> mapKeyValueRequest(MapKeyValueOperation operation, String mapKey, KeyValue keyValue,
+                                                      HttpServletRequest request, HttpStatus successStatus) {
+        Optional<String> serviceId = getServiceId(request);
+        if (!serviceId.isPresent()) {
+            return getUnauthorizedResponse();
+        }
+
+        try {
+            checkForInvalidPayload(keyValue);
+
+            operation.storageRequest(serviceId.get(), mapKey, keyValue);
+
+            return new ResponseEntity<>(successStatus);
+        } catch (StorageException exception) {
+            return exceptionToResponse(exception);
+        } catch (Exception exception) {
+            return handleInternalError(exception, request.getRequestURL());
+        }
+    }
+
     private Optional<String> getServiceId(HttpServletRequest request) {
         Optional<String> certificateServiceId = getHeader(request, "X-Certificate-DistinguishedName");
         Optional<String> specificServiceId = getHeader(request, "X-CS-Service-ID");
@@ -268,4 +305,9 @@ interface KeyOperation {
     interface KeyValueOperation {
         KeyValue storageRequest(String serviceId, KeyValue keyValue) throws StorageException;
     }
+
+    @FunctionalInterface
+    interface MapKeyValueOperation {
+        KeyValue storageRequest(String serviceId, String mapKey, KeyValue keyValue);
+    }
 }

caching-service/src/main/java/org/zowe/apiml/caching/service/Storage.java

@@ -27,21 +27,30 @@ public interface Storage {
     KeyValue create(String serviceId, KeyValue toCreate);
 
     /**
-     * Store new KeyValue pair in the storage. The entry will be stored in a list for a specific key.
+     * Store new KeyValue pair in the storage. The entry will be stored in a map under a specific map key.
      *
      * @param serviceId Id of the service to store the value for
+     * @param mapKey key of the specific map underneath the key-value pair should be stored
      * @param toCreate  KeyValue pair to be created.
      */
-    KeyValue storeListItem(String serviceId, KeyValue toCreate) throws StorageException;
+    KeyValue storeMapItem(String serviceId, String mapKey, KeyValue toCreate) throws StorageException;
 
     /**
-     * Return all the items in the list for a specific key.
+     * Return all the items in the specific map for a specific service.
      *
      * @param serviceId Id of the service to load all key/value pairs
-     * @param key       key to lookup
+     * @param mapKey key of the specific map to return
      * @return Map with the key/value pairs or null if there is none existing.
      */
-    Map<String, String> getAllMapItems(String serviceId, String key) throws StorageException;
+    Map<String, String> getAllMapItems(String serviceId, String mapKey) throws StorageException;
+
+    /**
+     * Return all the items in all the maps for specific service
+     *
+     * @param serviceId Id of the service to load all key/value pairs
+     * @return Map of all lists with the key/value pairs or null if there is none existing.
+     */
+    Map<String, Map<String, String>> getAllMaps(String serviceId) throws StorageException;
 
     /**
      * Returns the keys associated with the provided keys.

caching-service/src/main/java/org/zowe/apiml/caching/service/infinispan/storage/InfinispanStorage.java

@@ -22,6 +22,7 @@
 import java.util.concurrent.CompletionException;
 import java.util.concurrent.ConcurrentMap;
 import java.util.concurrent.TimeUnit;
+import java.util.stream.Collectors;
 
 @Slf4j
 public class InfinispanStorage implements Storage {
@@ -51,22 +52,18 @@ public KeyValue create(String serviceId, KeyValue toCreate) {
     }
 
     @Override
-    public KeyValue storeListItem(String serviceId, KeyValue toCreate) {
+    public KeyValue storeMapItem(String serviceId, String mapKey, KeyValue toCreate) {
         CompletableFuture<Boolean> complete = lock.tryLock(4, TimeUnit.SECONDS).whenComplete((r, ex) -> {
             if (Boolean.TRUE.equals(r)) {
                 try {
-                    String cacheKey = serviceId + "invalidTokens";
-                    if (tokenCache.get(cacheKey) != null &&
-                        tokenCache.get(cacheKey).containsKey(toCreate.getKey())) {
-                        throw new StorageException(Messages.DUPLICATE_VALUE.getKey(), Messages.DUPLICATE_VALUE.getStatus(), toCreate.getValue());
+                    String cacheKey = serviceId + mapKey;
+                    log.info("Storing the item into token cache: {} -> {}|{}", cacheKey, toCreate.getKey(), toCreate.getValue());
+                    Map<String, String> tokenCacheItem = tokenCache.get(cacheKey);
+                    if (tokenCacheItem == null) {
+                        tokenCacheItem = new HashMap<>();
                     }
-                    log.info("Storing the invalidated token: {}|{}|{}", serviceId, toCreate.getKey(), toCreate.getValue());
-                    Map<String, String> tokensList = tokenCache.get(cacheKey);
-                    if (tokensList == null) {
-                        tokensList = new HashMap<>();
-                    }
-                    tokensList.put(toCreate.getKey(), toCreate.getValue());
-                    tokenCache.put(cacheKey, tokensList);
+                    tokenCacheItem.put(toCreate.getKey(), toCreate.getValue());
+                    tokenCache.put(cacheKey, tokenCacheItem);
                 } finally {
                     lock.unlock();
                 }
@@ -86,9 +83,18 @@ public KeyValue storeListItem(String serviceId, KeyValue toCreate) {
     }
 
     @Override
-    public Map<String, String> getAllMapItems(String serviceId, String key) {
-        log.info("Reading all revoked tokens for service {} ", serviceId);
-        return tokenCache.get(serviceId + key);
+    public Map<String, String> getAllMapItems(String serviceId, String mapKey) {
+        log.info("Reading all records from token cache for service {} under the {} key.", serviceId, mapKey);
+        return tokenCache.get(serviceId + mapKey);
+    }
+
+    @Override
+    public Map<String, Map<String, String>> getAllMaps(String serviceId) {
+        log.info("Reading all records from token cache for service {} ", serviceId);
+        // filter all maps which belong given service and remove the service name from key names.
+        return tokenCache.entrySet().stream().filter(
+            entry -> entry.getKey().startsWith(serviceId))
+            .collect(Collectors.toMap(e -> e.getKey().substring(serviceId.length()), Map.Entry::getValue));
     }
 
     @Override

caching-service/src/main/java/org/zowe/apiml/caching/service/inmemory/InMemoryStorage.java

@@ -62,12 +62,17 @@ public KeyValue create(String serviceId, KeyValue toCreate) {
     }
 
     @Override
-    public KeyValue storeListItem(String serviceId, KeyValue toCreate) throws StorageException {
+    public KeyValue storeMapItem(String serviceId, String mapKey, KeyValue toCreate) throws StorageException {
         throw new StorageException(Messages.INCOMPATIBLE_STORAGE_METHOD.getKey(), Messages.INCOMPATIBLE_STORAGE_METHOD.getStatus());
     }
 
     @Override
-    public Map<String, String> getAllMapItems(String serviceId, String key) throws StorageException {
+    public Map<String, String> getAllMapItems(String serviceId, String mapKey) throws StorageException {
+        throw new StorageException(Messages.INCOMPATIBLE_STORAGE_METHOD.getKey(), Messages.INCOMPATIBLE_STORAGE_METHOD.getStatus());
+    }
+
+    @Override
+    public Map<String, Map<String, String>> getAllMaps(String serviceId) throws StorageException {
         throw new StorageException(Messages.INCOMPATIBLE_STORAGE_METHOD.getKey(), Messages.INCOMPATIBLE_STORAGE_METHOD.getStatus());
     }
 

caching-service/src/main/java/org/zowe/apiml/caching/service/redis/RedisStorage.java

@@ -59,12 +59,17 @@ public KeyValue create(String serviceId, KeyValue toCreate) {
     }
 
     @Override
-    public KeyValue storeListItem(String serviceId, KeyValue toCreate) throws StorageException {
+    public KeyValue storeMapItem(String serviceId, String mapKey, KeyValue toCreate) throws StorageException {
         throw new StorageException(Messages.INCOMPATIBLE_STORAGE_METHOD.getKey(), Messages.INCOMPATIBLE_STORAGE_METHOD.getStatus());
     }
 
     @Override
-    public Map<String, String> getAllMapItems(String serviceId, String key) throws StorageException {
+    public Map<String, String> getAllMapItems(String serviceId, String mapKey) throws StorageException {
+        throw new StorageException(Messages.INCOMPATIBLE_STORAGE_METHOD.getKey(), Messages.INCOMPATIBLE_STORAGE_METHOD.getStatus());
+    }
+
+    @Override
+    public Map<String, Map<String, String>> getAllMaps(String serviceId) throws StorageException {
         throw new StorageException(Messages.INCOMPATIBLE_STORAGE_METHOD.getKey(), Messages.INCOMPATIBLE_STORAGE_METHOD.getStatus());
     }
 

caching-service/src/main/java/org/zowe/apiml/caching/service/vsam/VsamStorage.java

@@ -95,12 +95,17 @@ public KeyValue create(String serviceId, KeyValue toCreate) {
     }
 
     @Override
-    public KeyValue storeListItem(String serviceId, KeyValue toCreate) throws StorageException {
+    public KeyValue storeMapItem(String serviceId, String mapKey, KeyValue toCreate) throws StorageException {
         throw new StorageException(Messages.INCOMPATIBLE_STORAGE_METHOD.getKey(), Messages.INCOMPATIBLE_STORAGE_METHOD.getStatus());
     }
 
     @Override
-    public Map<String, String> getAllMapItems(String serviceId, String key) throws StorageException {
+    public Map<String, String> getAllMapItems(String serviceId, String mapKey) throws StorageException {
+        throw new StorageException(Messages.INCOMPATIBLE_STORAGE_METHOD.getKey(), Messages.INCOMPATIBLE_STORAGE_METHOD.getStatus());
+    }
+
+    @Override
+    public Map<String, Map<String, String>> getAllMaps(String serviceId) throws StorageException {
         throw new StorageException(Messages.INCOMPATIBLE_STORAGE_METHOD.getKey(), Messages.INCOMPATIBLE_STORAGE_METHOD.getStatus());
     }