fix: timing issue with loading jwt secret (#1301)

* Move ZosmfConfiguration into AuthConfigurationProperties

Cleans up code and improves handling of zosmfJwtAutoconfiguration so case does not matter

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Immediately load jwt secret if zosmf set to ltpa

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Add event listener for new service registration

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Add unit tests for event listener

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Add timeout to event listening

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Cleanup zosmf listener code

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Improve unit testing

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Fix code smells

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Immediately load jwt secret then validate when needed

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Clarify log message that GW shuts down

Signed-off-by: Carson Cook <carson.cook@ibm.com>

Author: CarsonCook

apiml-security-common/src/main/java/org/zowe/apiml/security/common/config/AuthConfigurationProperties.java

@@ -10,14 +10,13 @@
 package org.zowe.apiml.security.common.config;
 
 import lombok.Data;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.stereotype.Component;
+import org.zowe.apiml.auth.AuthenticationScheme;
 import org.zowe.apiml.constants.ApimlConstants;
 import org.zowe.apiml.message.log.ApimlLogger;
 import org.zowe.apiml.product.logging.annotations.InjectApimlLogger;
-import org.zowe.apiml.auth.AuthenticationScheme;
 
 
 /**
@@ -54,9 +53,15 @@ public class AuthConfigurationProperties {
     private AuthConfigurationProperties.PassTicket passTicket;
 
     private String jwtKeyAlias;
+    private String zosmfJwtEndpoint = "/jwt/ibm/api/zOSMFBuilder/jwk";
 
-    @Value("${apiml.security.auth.zosmfJwtEndpoint:/jwt/ibm/api/zOSMFBuilder/jwk}")
-    private String zosmfJwtEndpoint;
+    private JWT_AUTOCONFIGURATION_MODE zosmfJwtAutoconfiguration = JWT_AUTOCONFIGURATION_MODE.AUTO;
+
+    public enum JWT_AUTOCONFIGURATION_MODE {
+        AUTO,
+        LTPA,
+        JWT
+    }
 
     //Token properties
     @Data

gateway-service/src/main/java/org/zowe/apiml/gateway/security/config/ComponentsConfiguration.java

@@ -10,10 +10,11 @@
 package org.zowe.apiml.gateway.security.config;
 
 import org.springframework.cloud.client.discovery.DiscoveryClient;
-import org.springframework.context.annotation.*;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Lazy;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.zowe.apiml.gateway.security.login.Providers;
-import org.zowe.apiml.gateway.security.login.zosmf.ZosmfConfiguration;
 import org.zowe.apiml.gateway.security.service.zosmf.ZosmfService;
 import org.zowe.apiml.passticket.PassTicketService;
 import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
@@ -51,10 +52,9 @@ public Providers loginProviders(
         DiscoveryClient discoveryClient,
         AuthConfigurationProperties authConfigurationProperties,
         ZosmfService zosmfService,
-        @Lazy CompoundAuthProvider compoundAuthProvider,
-        ZosmfConfiguration zosmfConfiguration
+        @Lazy CompoundAuthProvider compoundAuthProvider
     ) {
-        return new Providers(discoveryClient, authConfigurationProperties, compoundAuthProvider, zosmfService, zosmfConfiguration);
+        return new Providers(discoveryClient, authConfigurationProperties, compoundAuthProvider, zosmfService);
     }
 
 }

gateway-service/src/main/java/org/zowe/apiml/gateway/security/login/Providers.java

@@ -14,7 +14,6 @@
 import org.springframework.cloud.client.discovery.DiscoveryClient;
 import org.springframework.security.authentication.AuthenticationServiceException;
 import org.zowe.apiml.gateway.security.config.CompoundAuthProvider;
-import org.zowe.apiml.gateway.security.login.zosmf.ZosmfConfiguration;
 import org.zowe.apiml.gateway.security.service.zosmf.ZosmfService;
 import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
 import org.zowe.apiml.security.common.error.ServiceNotAccessibleException;
@@ -26,10 +25,10 @@ public class Providers {
     private final AuthConfigurationProperties authConfigurationProperties;
     private final CompoundAuthProvider compoundAuthProvider;
     private final ZosmfService zosmfService;
-    private final ZosmfConfiguration zosmfConfiguration;
 
     /**
      * This method decides whether the Zosmf service is available.
+     *
      * @return Availability of the ZOSMF service in the system.
      * @throws AuthenticationServiceException if the z/OSMF service id is not configured
      */
@@ -41,6 +40,7 @@ public boolean isZosmfAvailable() {
 
     /**
      * Verify that the zOSMF is registered in the Discovery service and that we can actually reach it.
+     *
      * @return true if the service is registered and properly responds.
      */
     public boolean isZosmfAvailableAndOnline() {
@@ -59,6 +59,7 @@ public boolean isZosmfAvailableAndOnline() {
 
     /**
      * This method decides whether the Zosmf is used for authentication
+     *
      * @return Usage of the ZOSMF service in the system.
      */
     public boolean isZosfmUsed() {
@@ -67,17 +68,27 @@ public boolean isZosfmUsed() {
 
     /**
      * This method decides whether used zOSMF instance supports JWT tokens.
+     *
      * @return True is the instance support JWT
      */
     public boolean zosmfSupportsJwt() {
-        switch (zosmfConfiguration.jwtAutoconfigurationMode) {
+        switch (authConfigurationProperties.getZosmfJwtAutoconfiguration()) {
             case JWT:
                 return true;
             case LTPA:
                 return false;
             default: // AUTO
                 return zosmfService.loginEndpointExists() && zosmfService.jwtBuilderEndpointExists();
         }
+    }
 
+    /**
+     * This method is used to access configuration provided by the user to determine if zOSMF supports LTPA token
+     * instead of JWT.
+     *
+     * @return true if configuration was set to indicate zOSMF supports LTPA.
+     */
+    public boolean isZosmfConfigurationSetToLtpa() {
+        return authConfigurationProperties.getZosmfJwtAutoconfiguration() == AuthConfigurationProperties.JWT_AUTOCONFIGURATION_MODE.LTPA;
     }
 }

gateway-service/src/main/java/org/zowe/apiml/gateway/security/login/zosmf/ZosmfAuthenticationProvider.java

@@ -15,6 +15,7 @@
 import org.springframework.stereotype.Component;
 import org.zowe.apiml.gateway.security.service.AuthenticationService;
 import org.zowe.apiml.gateway.security.service.zosmf.ZosmfService;
+import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
 import org.zowe.apiml.security.common.token.TokenAuthentication;
 
 import static org.zowe.apiml.gateway.security.service.zosmf.ZosmfService.TokenType.JWT;
@@ -29,7 +30,7 @@ public class ZosmfAuthenticationProvider implements AuthenticationProvider {
 
     private final AuthenticationService authenticationService;
     private final ZosmfService zosmfService;
-    private final ZosmfConfiguration zosmfConfiguration;
+    private final AuthConfigurationProperties authConfigurationProperties;
 
     /**
      * Authenticate the credentials with the z/OSMF service
@@ -43,7 +44,7 @@ public Authentication authenticate(Authentication authentication) {
 
         final ZosmfService.AuthenticationResponse ar = zosmfService.authenticate(authentication);
 
-        switch (zosmfConfiguration.jwtAutoconfigurationMode) {
+        switch (authConfigurationProperties.getZosmfJwtAutoconfiguration()) {
             case LTPA:
                 if (ar.getTokens().containsKey(LTPA)) {
                     return getApimlJwtToken(user, ar);