fix(authentication): Support specific zOSMF version, allow override (#1241)

* Setup jwt builder endpoint test

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Implement zosmf jwt check

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Make zosmf jwt endpoint configurable

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Update Jwt keys endpoint behavior.

Signed-off-by: Jakub Balhar <jakub.balhar@broadcom.com>

* Split Jwt related logic to separate Controller
Add Apar specific for JWt keys

Signed-off-by: Jakub Balhar <jakub.balhar@broadcom.com>

* Add authenticate endpoint as separate Apar

Signed-off-by: Jakub Balhar <jakub.balhar@broadcom.com>

* Add another set of tests for the Authenticate endpoint without JWT support.

Signed-off-by: Jakub Balhar <jakub.balhar@broadcom.com>

* JWT configuration override

Signed-off-by: jandadav <janda.david@gmail.com>

* Update the authentication endpoint apar

Signed-off-by: Jakub Balhar <jakub.balhar@broadcom.com>

* ZosmfAuthenticationProvider respect override

Signed-off-by: jandadav <janda.david@gmail.com>

* consume zowe config

Signed-off-by: jandadav <janda.david@gmail.com>

* Improve the name of the Action

Signed-off-by: Jakub Balhar <jakub.balhar@broadcom.com>

* Remove zosmf, used only for testing locally

Signed-off-by: Jakub Balhar <jakub.balhar@broadcom.com>

* Remove smell

Signed-off-by: Jakub Balhar <jakub.balhar@broadcom.com>

* Add unit tests for Authentication Apar

Signed-off-by: Jakub Balhar <jakub.balhar@broadcom.com>

* Remove hardcoded jwt builder path

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Fix styling

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Fix AuthenticateApar and its unit tests

Signed-off-by: Carson Cook <carson.cook@ibm.com>

Co-authored-by: Carson Cook <carson.cook@ibm.com>
Co-authored-by: jandadav <janda.david@gmail.com>

Author: 3 people

.github/workflows/ci-tests-without-jwt-with-authenticate.yml

@@ -0,0 +1,55 @@
+# This workflow will build a Java project with Gradle
+# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle
+
+name: CI Testing with zOSMF without JWT APAR applied with /zosmf/services/authenticate present
+
+on:
+    push:
+        branches: [ master ]
+    pull_request:
+        branches: [ master ]
+
+jobs:
+    build:
+
+        runs-on: ubuntu-latest
+
+        steps:
+            - uses: actions/checkout@v2
+              with:
+                  ref: ${{ github.head_ref }}
+            - name: Set up JDK 1.8
+              uses: actions/setup-java@v1
+              with:
+                  java-version: 1.8
+            - name: Grant execute permission for gradlew
+              run: chmod +x gradlew
+            - name: Cache Gradle packages
+              uses: actions/cache@v2
+              with:
+                  path: |
+                      ~/.gradle/caches
+                      ~/.gradle/wrapper
+                  key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
+                  restore-keys: |
+                      ${{ runner.os }}-gradle-
+            - name: Build with Gradle
+              run: ./gradlew build runCITests -x test --scan --info -Pgradle.cache.push=true -DexternalJenkinsToggle="true" -Penabler=v1 -DauxiliaryUserList.value="unauthorized,USER1,validPassword;servicesinfo-authorized,USER,validPassword;servicesinfo-unauthorized,USER1,validPassword" -Dcredentials.user=USER -Dcredentials.password=validPassword -Dzosmf.host=localhost -Dzosmf.port=10013 -Dzosmf.serviceId=mockzosmf -Dinternal.gateway.port=10017 -Dzosmf.appliedApars=AuthenticateApar
+            - name: Store results
+              uses: actions/upload-artifact@v2
+              with:
+                  name: Package
+                  path: |
+                      api-catalog-services/build/reports/tests/test/
+                      discovery-service/build/reports/tests/test/
+                      gateway-service/build/reports/tests/test/
+                      ./**/test-results/**/*.xml
+                      api-catalog-ui/frontend/test-results/
+                      api-layer.tar.gz
+            - name: Cleanup Gradle Cache
+                # Remove some files from the Gradle cache, so they aren't cached by GitHub Actions.
+                # Restoring these files from a GitHub Actions cache might cause problems for future builds.
+              run: |
+                  rm -f ~/.gradle/caches/modules-2/modules-2.lock
+                  rm -f ~/.gradle/caches/modules-2/gc.properties
+

apiml-security-common/src/main/java/org/zowe/apiml/security/common/config/AuthConfigurationProperties.java

@@ -10,6 +10,7 @@
 package org.zowe.apiml.security.common.config;
 
 import lombok.Data;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.stereotype.Component;
@@ -54,6 +55,9 @@ public class AuthConfigurationProperties {
 
     private String jwtKeyAlias;
 
+    @Value("${apiml.security.auth.zosmfJwtEndpoint:/jwt/ibm/api/zOSMFBuilder/jwk}")
+    private String zosmfJwtEndpoint;
+
     //Token properties
     @Data
     public static class TokenProperties {

gateway-package/src/main/resources/bin/start.sh

@@ -107,6 +107,7 @@ _BPX_JOBNAME=${ZOWE_PREFIX}${GATEWAY_CODE} java \
     -Dserver.ssl.trustStore=${TRUSTSTORE} \
     -Dserver.ssl.trustStoreType=${KEYSTORE_TYPE} \
     -Dserver.ssl.trustStorePassword=${KEYSTORE_PASSWORD} \
+    -Dapiml.security.auth.zosmfJwtAutoconfiguration=${APIML_SECURITY_ZOSMF_JWT_AUTOCONFIGURATION_MODE:auto}
     -Dapiml.security.x509.enabled=${APIML_SECURITY_X509_ENABLED:-false} \
     -Dapiml.security.x509.externalMapperUrl=http://localhost:${ZOWE_ZSS_SERVER_PORT}/certificate/x509/map \
     -Dapiml.security.x509.externalMapperUser=ZWESVUSR \

gateway-service/src/main/java/org/zowe/apiml/gateway/security/config/ComponentsConfiguration.java

@@ -13,6 +13,7 @@
 import org.springframework.context.annotation.*;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.zowe.apiml.gateway.security.login.Providers;
+import org.zowe.apiml.gateway.security.login.zosmf.ZosmfConfiguration;
 import org.zowe.apiml.gateway.security.service.zosmf.ZosmfService;
 import org.zowe.apiml.passticket.PassTicketService;
 import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
@@ -50,9 +51,10 @@ public Providers loginProviders(
         DiscoveryClient discoveryClient,
         AuthConfigurationProperties authConfigurationProperties,
         ZosmfService zosmfService,
-        @Lazy CompoundAuthProvider compoundAuthProvider
+        @Lazy CompoundAuthProvider compoundAuthProvider,
+        ZosmfConfiguration zosmfConfiguration
     ) {
-        return new Providers(discoveryClient, authConfigurationProperties, compoundAuthProvider, zosmfService);
+        return new Providers(discoveryClient, authConfigurationProperties, compoundAuthProvider, zosmfService, zosmfConfiguration);
     }
 
 }

gateway-service/src/main/java/org/zowe/apiml/gateway/security/login/Providers.java

@@ -14,6 +14,7 @@
 import org.springframework.cloud.client.discovery.DiscoveryClient;
 import org.springframework.security.authentication.AuthenticationServiceException;
 import org.zowe.apiml.gateway.security.config.CompoundAuthProvider;
+import org.zowe.apiml.gateway.security.login.zosmf.ZosmfConfiguration;
 import org.zowe.apiml.gateway.security.service.zosmf.ZosmfService;
 import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
 import org.zowe.apiml.security.common.error.ServiceNotAccessibleException;
@@ -25,6 +26,7 @@ public class Providers {
     private final AuthConfigurationProperties authConfigurationProperties;
     private final CompoundAuthProvider compoundAuthProvider;
     private final ZosmfService zosmfService;
+    private final ZosmfConfiguration zosmfConfiguration;
 
     /**
      * This method decides whether the Zosmf service is available.
@@ -68,6 +70,14 @@ public boolean isZosfmUsed() {
      * @return True is the instance support JWT
      */
     public boolean zosmfSupportsJwt() {
-        return zosmfService.loginEndpointExists();
+        switch (zosmfConfiguration.jwtAutoconfigurationMode) {
+            case JWT:
+                return true;
+            case LTPA:
+                return false;
+            default: // AUTO
+                return zosmfService.loginEndpointExists() && zosmfService.jwtBuilderEndpointExists();
+        }
+
     }
 }

gateway-service/src/main/java/org/zowe/apiml/gateway/security/login/zosmf/SaveZosmfPublicKeyConsoleApplication.java

@@ -37,7 +37,8 @@ public static void main(String[] args) {
 
         String jwkUrl = args[0];
         String filename = args[1];
-        ZosmfJwkToPublicKey zosmfJwkToPublicKey = new ZosmfJwkToPublicKey(restTemplate);
+        String zosmfJwtBuilderPath = System.getProperty("apiml.security.auth.zosmfJwtEndpoint", "/jwt/ibm/api/zOSMFBuilder/jwk");
+        ZosmfJwkToPublicKey zosmfJwkToPublicKey = new ZosmfJwkToPublicKey(restTemplate, zosmfJwtBuilderPath);
 
         System.out.printf("Loading public key of z/OSMF at %s%n", jwkUrl);
         try {

gateway-service/src/main/java/org/zowe/apiml/gateway/security/login/zosmf/ZosmfAuthenticationProvider.java

@@ -10,16 +10,15 @@
 package org.zowe.apiml.gateway.security.login.zosmf;
 
 import lombok.RequiredArgsConstructor;
-import org.springframework.security.authentication.AuthenticationProvider;
-import org.springframework.security.authentication.BadCredentialsException;
-import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.authentication.*;
 import org.springframework.security.core.Authentication;
 import org.springframework.stereotype.Component;
 import org.zowe.apiml.gateway.security.service.AuthenticationService;
 import org.zowe.apiml.gateway.security.service.zosmf.ZosmfService;
+import org.zowe.apiml.security.common.token.TokenAuthentication;
 
-import static  org.zowe.apiml.gateway.security.service.zosmf.ZosmfService.TokenType.JWT;
-import static  org.zowe.apiml.gateway.security.service.zosmf.ZosmfService.TokenType.LTPA;
+import static org.zowe.apiml.gateway.security.service.zosmf.ZosmfService.TokenType.JWT;
+import static org.zowe.apiml.gateway.security.service.zosmf.ZosmfService.TokenType.LTPA;
 
 /**
  * Authentication provider that verifies credentials against z/OSMF service
@@ -30,6 +29,7 @@ public class ZosmfAuthenticationProvider implements AuthenticationProvider {
 
     private final AuthenticationService authenticationService;
     private final ZosmfService zosmfService;
+    private final ZosmfConfiguration zosmfConfiguration;
 
     /**
      * Authenticate the credentials with the z/OSMF service
@@ -43,23 +43,43 @@ public Authentication authenticate(Authentication authentication) {
 
         final ZosmfService.AuthenticationResponse ar = zosmfService.authenticate(authentication);
 
-        // if z/OSMF support JWT, use it as Zowe JWT token
-        if (ar.getTokens().containsKey(JWT)) {
-            return authenticationService.createTokenAuthentication(user, ar.getTokens().get(JWT));
-        }
-
-        if (ar.getTokens().containsKey(LTPA)) {
-            // construct own JWT token, including LTPA from z/OSMF
-            final String domain = ar.getDomain();
-            final String jwtToken = authenticationService.createJwtToken(user, domain, ar.getTokens().get(LTPA));
+        switch (zosmfConfiguration.jwtAutoconfigurationMode) {
+            case LTPA:
+                if (ar.getTokens().containsKey(LTPA)) {
+                    return getApimlJwtToken(user, ar);
+                }
+                break;
+            case JWT:
+                if (ar.getTokens().containsKey(JWT)) {
+                    return getZosmfJwtToken(user, ar);
+                }
+                break;
+            default: //AUTO
+                if (ar.getTokens().containsKey(JWT)) {
+                    return getZosmfJwtToken(user, ar);
+                }
 
-            return authenticationService.createTokenAuthentication(user, jwtToken);
+                if (ar.getTokens().containsKey(LTPA)) {
+                    return getApimlJwtToken(user, ar);
+                }
+                break;
         }
 
         // JWT and LTPA tokens are missing, authentication was wrong
         throw new BadCredentialsException("Username or password are invalid.");
     }
 
+    public TokenAuthentication getZosmfJwtToken(String user, ZosmfService.AuthenticationResponse ar) {
+        return authenticationService.createTokenAuthentication(user, ar.getTokens().get(JWT));
+    }
+
+    private TokenAuthentication getApimlJwtToken(String user, ZosmfService.AuthenticationResponse ar) {
+        final String domain = ar.getDomain();
+        final String jwtToken = authenticationService.createJwtToken(user, domain, ar.getTokens().get(LTPA));
+
+        return authenticationService.createTokenAuthentication(user, jwtToken);
+    }
+
     @Override
     public boolean supports(Class<?> auth) {
         return auth == UsernamePasswordAuthenticationToken.class;

gateway-service/src/main/java/org/zowe/apiml/gateway/security/login/zosmf/ZosmfConfiguration.java

@@ -0,0 +1,34 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+
+package org.zowe.apiml.gateway.security.login.zosmf;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class ZosmfConfiguration {
+
+    public enum JWT_AUTOCONFIGURATION_MODE {
+        AUTO,
+        LTPA,
+        JWT
+    }
+
+    @Value("${apiml.security.auth.zosmfJwtAutoconfiguration:AUTO}")
+    public JWT_AUTOCONFIGURATION_MODE jwtAutoconfigurationMode;
+
+    public static ZosmfConfiguration of(JWT_AUTOCONFIGURATION_MODE mode) {
+        ZosmfConfiguration configuration = new ZosmfConfiguration();
+        configuration.jwtAutoconfigurationMode = mode;
+        return configuration;
+    }
+
+}

gateway-service/src/main/java/org/zowe/apiml/gateway/security/login/zosmf/ZosmfJwkToPublicKey.java

@@ -9,43 +9,43 @@
  */
 package org.zowe.apiml.gateway.security.login.zosmf;
 
-import java.io.FileNotFoundException;
-import java.io.PrintWriter;
-
-import org.springframework.stereotype.Component;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.web.client.HttpClientErrorException;
 import org.springframework.web.client.RestTemplate;
 
-import lombok.RequiredArgsConstructor;
-import lombok.extern.slf4j.Slf4j;
+import java.io.FileNotFoundException;
+import java.io.PrintWriter;
 
-@Component
 @RequiredArgsConstructor
 @Slf4j
 public class ZosmfJwkToPublicKey {
 
     protected final RestTemplate restTemplateWithoutKeystore;
+    private final String zosmfJwtBuilderPath;
 
     /**
      * Write public key that can be used to validate z/OSMF JWT tokens.
+     *
      * @param zosmfUrl Base URL of z/OSMF without trailing /
      * @param filename File name of the resulting PEM file
      * @return True when the file has been updated
      * @throws FileNotFoundException when the filename is invalid
      */
     public boolean updateJwtPublicKeyFile(String zosmfUrl, String filename, String caAlias, String caKeyStore,
-    String caKeyStoreType, char[] caKeyStorePassword, char[] caKeyPassword) throws FileNotFoundException {
+                                          String caKeyStoreType, char[] caKeyStorePassword, char[] caKeyPassword) throws FileNotFoundException {
         try {
-            String jwkJson = restTemplateWithoutKeystore.getForObject(zosmfUrl + "/jwt/ibm/api/zOSMFBuilder/jwk",
-                    String.class);
+            String jwkJson = restTemplateWithoutKeystore.getForObject(zosmfUrl + zosmfJwtBuilderPath,
+                String.class);
             JwkToPublicKeyConverter converter = new JwkToPublicKeyConverter();
-            String pem = converter.convertFirstPublicKeyJwkToPem(jwkJson, caAlias, caKeyStore, caKeyStoreType, caKeyStorePassword, caKeyPassword) ;
+            String pem = converter.convertFirstPublicKeyJwkToPem(jwkJson, caAlias, caKeyStore, caKeyStoreType, caKeyStorePassword, caKeyPassword);
             try (PrintWriter out = new PrintWriter(filename)) {
                 out.println(pem);
             }
             return true;
         } catch (HttpClientErrorException.NotFound e) {
-            log.warn("Unable to read z/OSMF JWT public key. JWT support might be not configured in z/OSMF: {}", e.getMessage());;
+            log.warn("Unable to read z/OSMF JWT public key. JWT support might be not configured in z/OSMF: {}", e.getMessage());
+            ;
             return false;
         }
     }