feat: Support SAF IDT as authentication scheme (#1688)

* Add safIdt among the supported Schemas
* Create stub for SafAuthenticationService providing the token
* Create initial version of the Scheme providing the SafIdtCommand
* Working test verifying the valid JWT token is exchanged for SAF IDT token as generated by Stub implementation at the time.
* Reject expired token
* Reject non-authenticated JWT token

Signed-off-by: Jakub Balhar <jakub@balhar.net>

Author: balhar-jakub

common-service-core/src/main/java/org/zowe/apiml/auth/Authentication.java

@@ -47,6 +47,7 @@ public boolean supportsSso() {
             case ZOWE_JWT:
             case X509:
             case HTTP_BASIC_PASSTICKET:
+            case SAF_IDT:
             case ZOSMF:
                 return supportsSso == null || supportsSso;
             case BYPASS:

common-service-core/src/main/java/org/zowe/apiml/auth/AuthenticationScheme.java

@@ -28,7 +28,10 @@ public enum AuthenticationScheme {
     ZOSMF("zosmf"),
 
     @JsonProperty("x509")
-    X509("x509");
+    X509("x509"),
+
+    @JsonProperty("safIdt")
+    SAF_IDT("safIdt");
 
     public final String scheme;
 

gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/SafAuthenticationService.java

@@ -0,0 +1,22 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+package org.zowe.apiml.gateway.security.service;
+
+import org.springframework.stereotype.Component;
+
+/**
+ * Authentication service
+ */
+@Component
+public class SafAuthenticationService {
+    public String generateSafIdt(String jwtToken) {
+        return "validToken" + jwtToken;
+    }
+}

gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/SafIdtScheme.java

@@ -0,0 +1,83 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+package org.zowe.apiml.gateway.security.service.schema;
+
+import com.netflix.appinfo.InstanceInfo;
+import com.netflix.zuul.context.RequestContext;
+import lombok.RequiredArgsConstructor;
+import org.springframework.stereotype.Component;
+import org.zowe.apiml.auth.Authentication;
+import org.zowe.apiml.auth.AuthenticationScheme;
+import org.zowe.apiml.gateway.security.service.AuthenticationService;
+import org.zowe.apiml.gateway.security.service.SafAuthenticationService;
+import org.zowe.apiml.security.common.token.QueryResponse;
+import org.zowe.apiml.security.common.token.TokenAuthentication;
+
+import java.util.Date;
+import java.util.Optional;
+import java.util.function.Supplier;
+
+/**
+ * The scheme allowing for the safIdt authentication scheme.
+ * It adds new header with the SAF IDT token in case of valid JWT provided.
+ */
+@Component
+@RequiredArgsConstructor
+public class SafIdtScheme implements AbstractAuthenticationScheme {
+    private final AuthenticationService authenticationService;
+    private final SafAuthenticationService safAuthenticationService;
+
+    @Override
+    public AuthenticationScheme getScheme() {
+        return AuthenticationScheme.SAF_IDT;
+    }
+
+    @Override
+    public AuthenticationCommand createCommand(Authentication authentication, Supplier<QueryResponse> tokenSupplier) {
+        // Same behavior as for the ZosmfScheme.
+        final QueryResponse queryResponse = tokenSupplier.get();
+        final Date expiration = queryResponse == null ? null : queryResponse.getExpiration();
+        final Long expirationTime = expiration == null ? null : expiration.getTime();
+        return new SafIdtCommand(expirationTime);
+    }
+
+    @RequiredArgsConstructor
+    public class SafIdtCommand extends AuthenticationCommand {
+        private final Long expireAt;
+
+        @Override
+        public void apply(InstanceInfo instanceInfo) {
+            final RequestContext context = RequestContext.getCurrentContext();
+
+            Optional<String> jwtToken = authenticationService.getJwtTokenFromRequest(context.getRequest());
+            jwtToken.ifPresent(token -> {
+                TokenAuthentication authentication = authenticationService.validateJwtToken(jwtToken.get());
+                if (authentication.isAuthenticated()) {
+                    String safIdt = safAuthenticationService.generateSafIdt(token);
+
+                    // TODO: Verify whether authentication should be used.
+                    context.addZuulRequestHeader("X-SAF-Token", safIdt);
+                }
+            });
+        }
+
+        @Override
+        public boolean isExpired() {
+            if (expireAt == null) return false;
+
+            return System.currentTimeMillis() > expireAt;
+        }
+
+        @Override
+        public boolean isRequiredValidJwt() {
+            return true;
+        }
+    }
+}

gateway-service/src/test/java/org/zowe/apiml/acceptance/DeterministicUserBasedRoutingTest.java

@@ -15,7 +15,9 @@
 import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.client.methods.HttpUriRequest;
 import org.apache.http.message.BasicStatusLine;
-import org.junit.jupiter.api.*;
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.RepeatedTest;
+import org.junit.jupiter.api.RepetitionInfo;
 import org.mockito.ArgumentCaptor;
 import org.mockito.Mockito;
 import org.springframework.beans.factory.annotation.Autowired;

gateway-service/src/test/java/org/zowe/apiml/acceptance/SafIdtSchemeTest.java

@@ -0,0 +1,104 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+package org.zowe.apiml.acceptance;
+
+import io.restassured.http.Cookie;
+import org.apache.http.HttpStatus;
+import org.apache.http.client.methods.HttpUriRequest;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Test;
+import org.mockito.ArgumentCaptor;
+import org.zowe.apiml.acceptance.common.AcceptanceTest;
+import org.zowe.apiml.acceptance.common.AcceptanceTestWithTwoServices;
+
+import java.io.IOException;
+
+import static io.restassured.RestAssured.given;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.core.Is.is;
+import static org.mockito.Mockito.*;
+
+/**
+ * This test verifies that the token was exchanged. The input is a valid apimlJwtToken. The output to be tested is
+ * the saf idt token.
+ */
+@AcceptanceTest
+class SafIdtSchemeTest extends AcceptanceTestWithTwoServices {
+    @Nested
+    class GivenValidJwtToken {
+        Cookie validJwtToken;
+
+        @BeforeEach
+        void setUp() {
+            validJwtToken = securityRequests.validJwtToken();
+        }
+
+        @Nested
+        class WhenSafIdtRequestedByService {
+            @BeforeEach
+            void prepareService() throws IOException {
+                applicationRegistry.setCurrentApplication(serviceWithDefaultConfiguration.getId());
+
+                reset(mockClient);
+                mockValid200HttpResponse();
+            }
+
+            // Valid token is provided within the headers.
+            @Test
+            void thenValidTokenIsProvided() throws IOException {
+                given()
+                    .cookie(validJwtToken)
+                .when()
+                    .get(basePath + serviceWithDefaultConfiguration.getPath())
+                .then()
+                    .statusCode(is(HttpStatus.SC_OK));
+
+                ArgumentCaptor<HttpUriRequest> captor = ArgumentCaptor.forClass(HttpUriRequest.class);
+                verify(mockClient, times(1)).execute(captor.capture());
+
+                assertHeaderWithValue(captor.getValue(), "X-SAF-Token", "validToken" + validJwtToken.getValue());
+            }
+        }
+    }
+
+    @Nested
+    class ThenNoTokenIsProvided {
+        @Nested
+        class WhenSafIdtRequestedByService {
+            @BeforeEach
+            void prepareService() throws IOException {
+                applicationRegistry.setCurrentApplication(serviceWithDefaultConfiguration.getId());
+
+                reset(mockClient);
+                mockValid200HttpResponse();
+            }
+
+            @Test
+            void givenInvalidJwtToken() throws IOException {
+                Cookie withInvalidToken = new Cookie.Builder("apimlAuthenticationToken=invalidValue").build();
+
+                given()
+                    .cookie(withInvalidToken)
+                .when()
+                    .get(basePath + serviceWithDefaultConfiguration.getPath())
+                .then()
+                    .statusCode(is(HttpStatus.SC_UNAUTHORIZED));
+
+                verify(mockClient, times(0)).execute(any());
+            }
+        }
+    }
+
+    private void assertHeaderWithValue(HttpUriRequest request, String header, String value) {
+        assertThat(request.getHeaders(header).length, is(1));
+        assertThat(request.getFirstHeader(header).getValue(), is(value));
+    }
+}

gateway-service/src/test/java/org/zowe/apiml/acceptance/netflix/ApplicationRegistry.java

@@ -161,6 +161,7 @@ private Map<String, String> createMetadata(boolean addRibbonConfig, boolean cors
         metadata.put("apiml.lb.cacheRecordExpirationTimeInHours", "8");
         metadata.put("apiml.corsEnabled", String.valueOf(corsEnabled));
         metadata.put("apiml.routes.gateway-url", "/");
+        metadata.put("apiml.authentication.scheme", "safIdt");
         return metadata;
     }
 

gateway-service/src/test/java/org/zowe/apiml/gateway/security/service/schema/SafIdtSchemeTest.java

@@ -0,0 +1,110 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+package org.zowe.apiml.gateway.security.service.schema;
+
+import com.netflix.appinfo.InstanceInfo;
+import com.netflix.zuul.context.RequestContext;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Test;
+import org.zowe.apiml.gateway.security.service.AuthenticationService;
+import org.zowe.apiml.gateway.security.service.SafAuthenticationService;
+import org.zowe.apiml.security.common.token.QueryResponse;
+import org.zowe.apiml.security.common.token.TokenAuthentication;
+
+import java.util.Optional;
+import java.util.function.Supplier;
+
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.CoreMatchers.nullValue;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+class SafIdtSchemeTest {
+    private SafIdtScheme underTest;
+    private AuthenticationService authenticationService;
+    private SafAuthenticationService safAuthenticationService;
+
+    @BeforeEach
+    void setUp() {
+        authenticationService = mock(AuthenticationService.class);
+        safAuthenticationService = mock(SafAuthenticationService.class);
+        underTest = new SafIdtScheme(authenticationService, safAuthenticationService);
+    }
+
+    @Nested
+    class WhenTokenIsRequested {
+        AuthenticationCommand commandUnderTest;
+
+        @BeforeEach
+        void setCommandUnderTest() {
+            QueryResponse response = mock(QueryResponse.class);
+            Supplier<QueryResponse> supplier = () -> response;
+            commandUnderTest = underTest.createCommand(null, supplier);
+        }
+
+        @Nested
+        class ThenValidSafTokenIsProduced {
+            @Test
+            void givenAuthenticatedJwtToken() {
+                InstanceInfo info = mock(InstanceInfo.class);
+
+                TokenAuthentication authentication = new TokenAuthentication("validJwtToken");
+                authentication.setAuthenticated(true);
+
+                when(authenticationService.getJwtTokenFromRequest(any())).thenReturn(Optional.of("validJwtToken"));
+                when(authenticationService.validateJwtToken("validJwtToken")).thenReturn(authentication);
+                when(safAuthenticationService.generateSafIdt("validJwtToken")).thenReturn("validTokenValidJwtToken");
+
+                commandUnderTest.apply(info);
+
+                assertThat(getValueOfZuulHeader(), is("validTokenValidJwtToken"));
+            }
+        }
+
+        @Nested
+        class ThenNoTokenIsProduced {
+            @Test
+            void givenNoJwtToken() {
+                InstanceInfo info = mock(InstanceInfo.class);
+
+                when(authenticationService.getJwtTokenFromRequest(any())).thenReturn(Optional.empty());
+
+                commandUnderTest.apply(info);
+
+                assertThat(getValueOfZuulHeader(), is(nullValue()));
+            }
+
+            @Test
+            void givenInvalidJwtToken() {
+                InstanceInfo info = mock(InstanceInfo.class);
+
+                when(authenticationService.getJwtTokenFromRequest(any())).thenReturn(Optional.of("invalidJwtToken"));
+                when(authenticationService.validateJwtToken("invalidJwtToken")).thenReturn(new TokenAuthentication("invalidJwtToken"));
+
+                commandUnderTest.apply(info);
+
+                assertThat(getValueOfZuulHeader(), is(nullValue()));
+            }
+        }
+    }
+
+    private String getValueOfZuulHeader() {
+        final RequestContext context = RequestContext.getCurrentContext();
+        String valueOfHeader = context.getZuulRequestHeaders().get("x-saf-token");
+        if (valueOfHeader == null) {
+            return null;
+        }
+
+        return valueOfHeader.replace("x-saf-token=", "");
+    }
+}