feat: change pass via saf (#1471)

* skip zosmf login tests

Signed-off-by: achmelo <a.chmelo@gmail.com>

* debug logs

Signed-off-by: achmelo <a.chmelo@gmail.com>

* revert auth login tests

Signed-off-by: achmelo <a.chmelo@gmail.com>

* query logs

Signed-off-by: achmelo <a.chmelo@gmail.com>

* login logs

Signed-off-by: achmelo <a.chmelo@gmail.com>

* disable timeout

Signed-off-by: achmelo <a.chmelo@gmail.com>

* run authtest only

Signed-off-by: achmelo <a.chmelo@gmail.com>

* disable cert test

Signed-off-by: achmelo <a.chmelo@gmail.com>

* imports

Signed-off-by: achmelo <a.chmelo@gmail.com>

* try old format only

Signed-off-by: achmelo <a.chmelo@gmail.com>

* only inbox for validation

Signed-off-by: achmelo <a.chmelo@gmail.com>

* logout old path only

Signed-off-by: achmelo <a.chmelo@gmail.com>

* only 1 logout

Signed-off-by: achmelo <a.chmelo@gmail.com>

* dont verify login

Signed-off-by: achmelo <a.chmelo@gmail.com>

* do not run login

Signed-off-by: achmelo <a.chmelo@gmail.com>

* sleep after logout

Signed-off-by: achmelo <a.chmelo@gmail.com>

* sleep after logout

Signed-off-by: achmelo <a.chmelo@gmail.com>

* retry login when invalid jwt is returned

Signed-off-by: achmelo <a.chmelo@gmail.com>

* backoff 4s

Signed-off-by: achmelo <a.chmelo@gmail.com>

* return back all tests

Signed-off-by: achmelo <a.chmelo@gmail.com>

* enable retry

Signed-off-by: achmelo <a.chmelo@gmail.com>

* only auth tests

Signed-off-by: achmelo <a.chmelo@gmail.com>

* invalidate ltpa

Signed-off-by: achmelo <a.chmelo@gmail.com>

* all tests

Signed-off-by: achmelo <a.chmelo@gmail.com>

* cleanup

Signed-off-by: achmelo <a.chmelo@gmail.com>

* use cache instead of service

Signed-off-by: achmelo <a.chmelo@gmail.com>

* test new auth flow

Signed-off-by: achmelo <a.chmelo@gmail.com>

* rename test

Signed-off-by: achmelo <a.chmelo@gmail.com>

* cleanup

Signed-off-by: achmelo <a.chmelo@gmail.com>

* update password with saf

Signed-off-by: achmelo <a.chmelo@gmail.com>

* fix merge

Signed-off-by: achmelo <a.chmelo@gmail.com>

* sanitize values

Signed-off-by: achmelo <a.chmelo@gmail.com>

* change password method from jzos

Signed-off-by: achmelo <a.chmelo@gmail.com>

* fix styles

Signed-off-by: achmelo <a.chmelo@gmail.com>

* update usernamepassword token in unit tests

Signed-off-by: achmelo <a.chmelo@gmail.com>

* Add unit test

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* check source of password

Signed-off-by: achmelo <a.chmelo@gmail.com>

* Fix check in the MockPlatform and add unit tests

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* change password code coverage

Signed-off-by: achmelo <a.chmelo@gmail.com>

* styles

Signed-off-by: achmelo <a.chmelo@gmail.com>

* verify change password and loginrequest appearance in auth

Signed-off-by: achmelo <a.chmelo@gmail.com>

* Add unit test for ZosmfServiceTest

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Remove unused import

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* address PR review comments

Signed-off-by: achmelo <a.chmelo@gmail.com>

Co-authored-by: Andrea Tabone <andrea.tabone@broadcom.com>

Author: achmelo

apiml-security-common/src/main/java/org/zowe/apiml/security/common/login/LoginFilter.java

@@ -81,7 +81,7 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
         }
 
         UsernamePasswordAuthenticationToken authentication
-            = new UsernamePasswordAuthenticationToken(loginRequest.getUsername(), loginRequest.getPassword());
+            = new UsernamePasswordAuthenticationToken(loginRequest.getUsername(), loginRequest);
 
         Authentication auth = null;
 

apiml-security-common/src/main/java/org/zowe/apiml/security/common/login/LoginRequest.java

@@ -9,17 +9,27 @@
  */
 package org.zowe.apiml.security.common.login;
 
-import lombok.AllArgsConstructor;
 import lombok.Data;
 import lombok.NoArgsConstructor;
 
 /**
  * Represents the login JSON with credentials
  */
 @Data
-@AllArgsConstructor
 @NoArgsConstructor
 public class LoginRequest {
     private String username;
     private String password;
+    private String newPassword;
+
+    public LoginRequest(String username, String password) {
+        this.username = username;
+        this.password = password;
+    }
+
+    public LoginRequest(String username, String password, String newPassword) {
+        this.username = username;
+        this.password = password;
+        this.newPassword = newPassword;
+    }
 }

apiml-security-common/src/test/java/org/zowe/apiml/security/common/login/LoginFilterTest.java

@@ -46,9 +46,13 @@
 @ExtendWith(MockitoExtension.class)
 class LoginFilterTest {
     private static final String VALID_JSON = "{\"username\": \"user\", \"password\": \"pwd\"}";
+    private static final String JSON_WITH_NEW_PW = "{\"username\": \"user\", \"password\": \"pwd\", \"newPassword\": \"newPwd\"}";
     private static final String EMPTY_JSON = "{\"username\": \"\", \"password\": \"\"}";
     private static final String VALID_AUTH_HEADER = "Basic dXNlcjpwd2Q=";
     private static final String INVALID_AUTH_HEADER = "Basic dXNlcj11c2Vy";
+    private static final String USER = "user";
+    private static final String PASSWORD = "pwd";
+    private static final String NEW_PASSWORD = "newPwd";
 
     private MockHttpServletRequest httpServletRequest;
     private MockHttpServletResponse httpServletResponse;
@@ -87,7 +91,7 @@ void shouldCallAuthenticationManagerAuthenticateWithAuthHeader() throws ServletE
         loginFilter.attemptAuthentication(httpServletRequest, httpServletResponse);
 
         UsernamePasswordAuthenticationToken authentication
-            = new UsernamePasswordAuthenticationToken("user", "pwd");
+            = new UsernamePasswordAuthenticationToken(USER, new LoginRequest(USER,PASSWORD));
         verify(authenticationManager).authenticate(authentication);
     }
 
@@ -101,7 +105,21 @@ void shouldCallAuthenticationManagerAuthenticateWithJson() throws ServletExcepti
         loginFilter.attemptAuthentication(httpServletRequest, httpServletResponse);
 
         UsernamePasswordAuthenticationToken authentication
-            = new UsernamePasswordAuthenticationToken("user", "pwd");
+            = new UsernamePasswordAuthenticationToken(USER, new LoginRequest(USER,PASSWORD));
+        verify(authenticationManager).authenticate(authentication);
+    }
+
+    @Test
+    void shouldCallAuthenticationManagerAuthenticateWithNewPasswordInJson() throws ServletException {
+        httpServletRequest = new MockHttpServletRequest();
+        httpServletRequest.setMethod(HttpMethod.POST.name());
+        httpServletRequest.setContent(JSON_WITH_NEW_PW.getBytes());
+        httpServletResponse = new MockHttpServletResponse();
+
+        loginFilter.attemptAuthentication(httpServletRequest, httpServletResponse);
+
+        UsernamePasswordAuthenticationToken authentication
+            = new UsernamePasswordAuthenticationToken(USER, new LoginRequest(USER,PASSWORD, NEW_PASSWORD));
         verify(authenticationManager).authenticate(authentication);
     }
 
@@ -173,7 +191,7 @@ private void testFailWithResourceAccessError(RuntimeException exception, ErrorTy
             authenticationFailureHandler, objectMapper, authenticationManager,
             resourceAccessExceptionHandler);
 
-        UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken("user", "pwd");
+        UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(USER, new LoginRequest(USER,PASSWORD));
         when(authenticationManager.authenticate(authentication)).thenThrow(exception);
 
         httpServletRequest = new MockHttpServletRequest();

gateway-service/src/main/java/org/zowe/apiml/gateway/security/login/saf/MockPlatformUser.java

@@ -27,4 +27,12 @@ public PlatformReturned authenticate(String userid, String password) {
         }
     }
 
+    @Override
+    public Object changePassword(String userid, String password, String newPassword) {
+        if (userid.equalsIgnoreCase(VALID_USERID) && password.equalsIgnoreCase(VALID_PASSWORD) && !newPassword.equalsIgnoreCase(password)) {
+            return null;
+        } else {
+            return PlatformReturned.builder().success(false).build();
+        }
+    }
 }

gateway-service/src/main/java/org/zowe/apiml/gateway/security/login/saf/PlatformUser.java

@@ -16,4 +16,11 @@ public interface PlatformUser {
      * If successful, a null object is returned. If not successful an instance of the PlatformReturned class is returned.
      */
     Object authenticate(java.lang.String userid, java.lang.String password);
+
+    /**
+     *If successful, a null object is returned. If NOT successful, an instance of the PlatformReturned class is returned
+     * with the class variables errno, errno2 and errnoMsg set from the values returned by the OS/390 services __passwd,
+     * strerror(errno), and __errno2().
+     */
+    Object changePassword(java.lang.String userid, java.lang.String password, java.lang.String newPassword);
 }

gateway-service/src/main/java/org/zowe/apiml/gateway/security/login/saf/SafPlatformUser.java

@@ -22,16 +22,20 @@ public class SafPlatformUser implements PlatformUser {
     private final PlatformClassFactory platformClassFactory;
     private final PlatformReturnedHelper<Object> platformReturnedHelper;
     private final MethodHandle authenticateMethodHandle;
+    private final MethodHandle changePasswordHandle;
 
     public SafPlatformUser(PlatformClassFactory platformClassFactory)
-        throws IllegalAccessException, ClassNotFoundException, NoSuchFieldException, NoSuchMethodException
-    {
+        throws IllegalAccessException, ClassNotFoundException, NoSuchFieldException, NoSuchMethodException {
         this.platformClassFactory = platformClassFactory;
         this.platformReturnedHelper = new PlatformReturnedHelper<>((Class<Object>) platformClassFactory.getPlatformReturnedClass());
 
         Method method = platformClassFactory.getPlatformUserClass()
             .getMethod("authenticate", String.class, String.class);
         authenticateMethodHandle = MethodHandles.lookup().unreflect(method);
+
+        Method changeMethod = platformClassFactory.getPlatformUserClass()
+            .getMethod("changePassword", String.class, String.class, String.class);
+        changePasswordHandle = MethodHandles.lookup().unreflect(changeMethod);
     }
 
     @Override
@@ -44,4 +48,14 @@ public PlatformReturned authenticate(String userid, String password) {
         }
     }
 
+    @Override
+    public PlatformReturned changePassword(String userid, String password, String newPassword) {
+        try {
+            Object safReturned = changePasswordHandle.invokeWithArguments(platformClassFactory.getPlatformUser(),
+                userid, password, newPassword);
+            return platformReturnedHelper.convert(safReturned);
+        } catch (Throwable throwable) {
+            throw new AuthenticationServiceException("Error occurred while changing password.", throwable);
+        }
+    }
 }

gateway-service/src/main/java/org/zowe/apiml/gateway/security/login/saf/ZosAuthenticationProvider.java

@@ -11,6 +11,7 @@
 package org.zowe.apiml.gateway.security.login.saf;
 
 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.authentication.AuthenticationProvider;
@@ -21,6 +22,7 @@
 import org.zowe.apiml.gateway.security.login.LoginProvider;
 import org.zowe.apiml.gateway.security.service.AuthenticationService;
 import org.zowe.apiml.security.common.auth.saf.PlatformReturned;
+import org.zowe.apiml.security.common.login.LoginRequest;
 
 @Component
 @Slf4j
@@ -39,8 +41,13 @@ public ZosAuthenticationProvider(AuthenticationService authenticationService,
     @Override
     public Authentication authenticate(Authentication authentication) {
         String userid = authentication.getName();
-        String password = authentication.getCredentials().toString();
-        PlatformReturned returned = (PlatformReturned) getPlatformUser().authenticate(userid, password);
+        LoginRequest credentials = (LoginRequest) authentication.getCredentials();
+        PlatformReturned returned;
+        if (StringUtils.isNotEmpty(credentials.getNewPassword())) {
+            returned = (PlatformReturned) getPlatformUser().changePassword(userid, credentials.getPassword(), credentials.getNewPassword());
+        } else {
+            returned = (PlatformReturned) getPlatformUser().authenticate(userid, credentials.getPassword());
+        }
 
         if ((returned == null) || (returned.isSuccess())) {
             final String domain = "security-domain";

gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/zosmf/AbstractZosmfService.java

@@ -16,14 +16,21 @@
 import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.core.Authentication;
-import org.springframework.web.client.*;
+import org.springframework.web.client.HttpClientErrorException;
+import org.springframework.web.client.ResourceAccessException;
+import org.springframework.web.client.RestClientException;
+import org.springframework.web.client.RestTemplate;
 import org.zowe.apiml.message.log.ApimlLogger;
 import org.zowe.apiml.product.logging.annotations.InjectApimlLogger;
 import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
 import org.zowe.apiml.security.common.error.ServiceNotAccessibleException;
+import org.zowe.apiml.security.common.login.LoginRequest;
 import org.zowe.apiml.util.EurekaUtils;
 
-import java.util.*;
+import java.util.Base64;
+import java.util.List;
+import java.util.Objects;
+import java.util.Optional;
 import java.util.function.Supplier;
 
 @Slf4j
@@ -63,13 +70,19 @@ protected String getZosmfServiceId() {
 
     /**
      * Methods construct the value of authentication header by credentials
+     *
      * @param authentication credentials to generates header value
      * @return prepared header value (see header Authentication)
      */
     protected String getAuthenticationValue(Authentication authentication) {
         final String user = authentication.getPrincipal().toString();
-        final String password = authentication.getCredentials().toString();
-
+        final String password;
+        if (authentication.getCredentials() instanceof LoginRequest) {
+            LoginRequest loginRequest = (LoginRequest) authentication.getCredentials();
+            password = loginRequest.getPassword();
+        } else {
+            password = (String) authentication.getCredentials();
+        }
         final String credentials = user + ":" + password;
         return "Basic " + Base64.getEncoder().encodeToString(credentials.getBytes());
     }
@@ -101,7 +114,7 @@ protected String getURI(String zosmf) {
      * custom one with better messages and types for subsequent treatment.
      *
      * @param url URL of invoked REST endpoint
-     * @param re original exception
+     * @param re  original exception
      * @return translated exception
      */
     protected RuntimeException handleExceptionOnCall(String url, RuntimeException re) {

gateway-service/src/test/java/org/zowe/apiml/gateway/security/login/saf/MockPlatformUserTest.java

@@ -0,0 +1,81 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+
+package org.zowe.apiml.gateway.security.login.saf;
+
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Test;
+import org.zowe.apiml.security.common.auth.saf.PlatformReturned;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+class MockPlatformUserTest {
+
+    private static MockPlatformUser mockPlatformUser;
+    @BeforeAll
+    static void setup() {
+        mockPlatformUser = new MockPlatformUser();
+    }
+
+    @Nested
+    class WhenAuthenticate {
+        @Nested
+        class Success {
+            @Test
+            void givenValidCredentials_whenAuthenticate_thenReturnNull() {
+                assertEquals(null, mockPlatformUser.authenticate("USER", "validPassword"));
+            }
+        }
+
+        @Nested
+        class Fails {
+            @Test
+            void givenInValidCredentials_whenAuthenticate_thenReturnPlatformReturnedSuccessFalse() {
+                PlatformReturned platformReturned = PlatformReturned.builder().success(false).build();
+                assertEquals(platformReturned, mockPlatformUser.authenticate("USER", "invalidPassword"));
+            }
+        }
+
+    }
+
+    @Nested
+    class WhenChangingPassword {
+        @Nested
+        class Success {
+            @Test
+            void givenValidCredentialsAndNewValidPassword_whenChangePassword_thenReturnNull() {
+                assertNull( mockPlatformUser.changePassword("USER", "validPassword", "newPassword"));
+            }
+        }
+
+        @Nested
+        class Fails {
+            @Test
+            void givenInvalidCredentialsAndNewValidPassword_whenChangePassword_thenReturnPlatformReturnedSuccessFalse() {
+                PlatformReturned platformReturned = PlatformReturned.builder().success(false).build();
+                assertEquals(platformReturned, mockPlatformUser.changePassword("InvalidUser", "validPassword", "newPassword"));
+            }
+
+            @Test
+            void givenValidCredentialsAndInvalidNewPassword_whenChangePassword_thenReturnPlatformReturnedSuccessFalse() {
+                PlatformReturned platformReturned = PlatformReturned.builder().success(false).build();
+                assertEquals(platformReturned, mockPlatformUser.changePassword("USER", "validPassword", "validPassword"));
+            }
+        }
+    }
+
+
+
+
+
+
+
+}

gateway-service/src/test/java/org/zowe/apiml/gateway/security/login/saf/SafPlatformUserTests.java

@@ -39,4 +39,16 @@ void returnsDetailsForInvalidAuthentication() {
         assertFalse(returned.isSuccess());
     }
 
+    @Test
+    void returnsNullForChangePassword() {
+        PlatformReturned returned = safPlatformUser.changePassword(VALID_USERID, VALID_PASSWORD, "newPassword" );
+        assertNull(returned);
+    }
+
+    @Test
+    void whenNewPasswordEqualsOld_thenReturnsNotSuccess() {
+        PlatformReturned returned = safPlatformUser.changePassword(VALID_USERID, VALID_PASSWORD, VALID_PASSWORD );
+        assertFalse(returned.isSuccess());
+    }
+
 }