feat: Add support to change password via zOSMF (#2095)

* Add change password support to z/OSMF provider

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Add unit tests + refactoring

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Fix checkstyle

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Fix change password request body

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Authenticate with new pw in case of change password success

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Add forgotten files to git

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Remove unused constructor

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Remove code smells

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Add unit tests

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

Author: taban03

apiml-security-common/src/main/java/org/zowe/apiml/security/common/login/ChangePasswordRequest.java

@@ -0,0 +1,34 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+package org.zowe.apiml.security.common.login;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+
+/**
+ * Represents the change password body request in JSON format
+ */
+@Data
+@NoArgsConstructor
+public class ChangePasswordRequest {
+    @JsonProperty("userID")
+    private String username;
+    @JsonProperty("oldPwd")
+    private String password;
+    @JsonProperty("newPwd")
+    private String newPassword;
+
+    public ChangePasswordRequest(LoginRequest loginRequest) {
+        this.username = loginRequest.getUsername();
+        this.password = loginRequest.getPassword();
+        this.newPassword = loginRequest.getNewPassword();
+    }
+}

apiml-security-common/src/test/java/org/zowe/apiml/security/common/login/ChangePasswordRequestTest.java

@@ -0,0 +1,34 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+package org.zowe.apiml.security.common.login;
+
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+class ChangePasswordRequestTest {
+    public static final String NEW_PASS = "newPass";
+    public static final String PASS = "pass";
+    public static final String USERNAME = "user";
+
+    @Nested
+    class WhenPassingLoginRequestObject {
+        LoginRequest loginRequest = new LoginRequest(USERNAME, PASS, NEW_PASS);
+        ChangePasswordRequest changePasswordRequest = new ChangePasswordRequest(loginRequest);
+
+        @Test
+        void thenMapConstructor() {
+            assertEquals(loginRequest.getUsername(), changePasswordRequest.getUsername());
+            assertEquals(loginRequest.getPassword(), changePasswordRequest.getPassword());
+            assertEquals(loginRequest.getNewPassword(), changePasswordRequest.getNewPassword());
+        }
+    }
+}

gateway-service/src/main/java/org/zowe/apiml/gateway/security/login/zosmf/ZosmfAuthenticationProvider.java

@@ -10,6 +10,7 @@
 package org.zowe.apiml.gateway.security.login.zosmf;
 
 import lombok.RequiredArgsConstructor;
+import org.apache.commons.lang.StringUtils;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
@@ -18,6 +19,7 @@
 import org.zowe.apiml.gateway.security.service.AuthenticationService;
 import org.zowe.apiml.gateway.security.service.zosmf.ZosmfService;
 import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
+import org.zowe.apiml.security.common.login.LoginRequest;
 import org.zowe.apiml.security.common.token.TokenAuthentication;
 import org.zowe.apiml.security.common.token.InvalidTokenTypeException;
 
@@ -44,7 +46,11 @@ public class ZosmfAuthenticationProvider implements AuthenticationProvider {
     @Override
     public Authentication authenticate(Authentication authentication) {
         final String user = authentication.getPrincipal().toString();
-
+        final String newPassword = LoginRequest.getNewPassword(authentication);
+        if (StringUtils.isNotEmpty(newPassword)) {
+            zosmfService.changePassword(authentication);
+            authentication = new UsernamePasswordAuthenticationToken(user, newPassword);
+        }
         final ZosmfService.AuthenticationResponse ar = zosmfService.authenticate(authentication);
 
         switch (authConfigurationProperties.getZosmf().getJwtAutoconfiguration()) {

gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/zosmf/ZosmfService.java

@@ -30,6 +30,8 @@
 import org.springframework.web.client.*;
 import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
 import org.zowe.apiml.security.common.error.ServiceNotAccessibleException;
+import org.zowe.apiml.security.common.login.ChangePasswordRequest;
+import org.zowe.apiml.security.common.login.LoginRequest;
 import org.zowe.apiml.security.common.token.TokenNotValidException;
 
 import javax.annotation.PostConstruct;
@@ -146,6 +148,16 @@ public AuthenticationResponse authenticate(Authentication authentication) {
         return authenticationResponse;
     }
 
+    @Retryable(maxAttempts = 2, backoff = @Backoff(value = 1500))
+    public ResponseEntity<String> changePassword(Authentication authentication) {
+        ResponseEntity<String> changePasswordResponse;
+        changePasswordResponse = issueChangePasswordRequest(
+            authentication,
+            getURI(getZosmfServiceId()) + ZOSMF_AUTHENTICATE_END_POINT,
+            HttpMethod.PUT);
+        return changePasswordResponse;
+    }
+
     /**
      * Checks if jwtToken is in the list of invalidated tokens.
      *
@@ -237,6 +249,30 @@ protected AuthenticationResponse issueAuthenticationRequest(Authentication authe
         }
     }
 
+    /**
+     * PUT to provided url and return authentication response
+     *
+     * @param authentication
+     * @param url            String containing change password endpoint to be used
+     * @return ResponseEntity
+     */
+    protected ResponseEntity<String> issueChangePasswordRequest(Authentication authentication, String url, HttpMethod httpMethod) {
+        log.debug("Changing password via z/OSMF");
+        final HttpHeaders headers = new HttpHeaders();
+        headers.add(ZOSMF_CSRF_HEADER, "");
+        headers.setContentType(MediaType.APPLICATION_JSON);
+        try {
+            return restTemplateWithoutKeystore.exchange(
+                url,
+                httpMethod,
+                new HttpEntity<>(new ChangePasswordRequest((LoginRequest) authentication.getCredentials()), headers), String.class);
+        } catch (RuntimeException re) {
+            log.warn("The check of z/OSMF JWT authentication endpoint has failed, ensure that the PTF for APAR PH34912 " +
+                "(https://www.ibm.com/support/pages/apar/PH34912) has been installed. ");
+            throw handleExceptionOnCall(url, re);
+        }
+    }
+
     /**
      * Check if call to ZOSMF_AUTHENTICATE_END_POINT resolves
      *

gateway-service/src/test/java/org/zowe/apiml/gateway/security/login/zosmf/ZosmfAuthenticationProviderTest.java

@@ -35,6 +35,7 @@
 import org.zowe.apiml.gateway.security.service.zosmf.ZosmfService;
 import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
 import org.zowe.apiml.security.common.error.ServiceNotAccessibleException;
+import org.zowe.apiml.security.common.login.LoginRequest;
 import org.zowe.apiml.security.common.token.InvalidTokenTypeException;
 import org.zowe.apiml.security.common.token.TokenAuthentication;
 
@@ -52,6 +53,7 @@ class ZosmfAuthenticationProviderTest {
 
     private static final String USERNAME = "user";
     private static final String PASSWORD = "password";
+    private static final String NEW_PASSWORD = "newPassword";
     private static final String SERVICE_ID = "service";
     private static final String HOST = "localhost";
     private static final int PORT = 0;
@@ -179,6 +181,39 @@ void thenThrowException() {
             }
         }
 
+        @Nested
+        class WhenNewPasswordProvided {
+            @Test
+            void thenChangePasswordAndAuthenticate() {
+                authConfigurationProperties.getZosmf().setServiceId(ZOSMF);
+                LoginRequest loginRequest = new LoginRequest(USERNAME, PASSWORD, NEW_PASSWORD);
+                usernamePasswordAuthentication = new UsernamePasswordAuthenticationToken(USERNAME, loginRequest);
+                final Application application = createApplication(zosmfInstance);
+                when(discovery.getApplication(ZOSMF)).thenReturn(application);
+
+                HttpHeaders headers = new HttpHeaders();
+                headers.add(HttpHeaders.SET_COOKIE, COOKIE1);
+                headers.add(HttpHeaders.SET_COOKIE, COOKIE2);
+                when(restTemplate.exchange(Mockito.anyString(),
+                    Mockito.eq(HttpMethod.GET),
+                    Mockito.any(),
+                    Mockito.<Class<Object>>any()))
+                    .thenReturn(new ResponseEntity<>(getResponse(true), headers, HttpStatus.OK));
+
+                ZosmfService zosmfService = createZosmfService();
+                ZosmfAuthenticationProvider zosmfAuthenticationProvider =
+                    new ZosmfAuthenticationProvider(authenticationService, zosmfService, authConfigurationProperties);
+
+                mockZosmfRealmRestCallResponse();
+                Authentication tokenAuthentication
+                    = zosmfAuthenticationProvider.authenticate(usernamePasswordAuthentication);
+
+                assertTrue(tokenAuthentication.isAuthenticated());
+                verify(zosmfService, times(1)).changePassword(any());
+                assertEquals(USERNAME, tokenAuthentication.getPrincipal());
+            }
+        }
+
         @Nested
         class WhenNoZosmfInstance {
             @Test