fix: disable x509 (#2659)

achmelo · web-flow · commit 5f32c097bdd5 · 2022-11-11T10:48:31.000+01:00
* fix: enable hsts (#2565) Signed-off-by: achmelo <a.chmelo@gmail.com> Signed-off-by: achmelo <a.chmelo@gmail.com> (cherry picked from commit 4cffe97) * use flag to disable x509 for SSO Signed-off-by: achmelo <a.chmelo@gmail.com> * remove transitive servlet-api Signed-off-by: achmelo <a.chmelo@gmail.com> * fix unit tests Signed-off-by: achmelo <a.chmelo@gmail.com> * use PR number for publish task Signed-off-by: achmelo <a.chmelo@gmail.com> * snapshot version in properties Signed-off-by: achmelo <a.chmelo@gmail.com> Signed-off-by: achmelo <a.chmelo@gmail.com>
diff --git a/.github/workflows/pull-request-snapshot-release.yml b/.github/workflows/pull-request-snapshot-release.yml
@@ -6,7 +6,7 @@ on:
     workflow_dispatch:
         inputs:
             pull_request:
-                description: 'The pull request snapshot that is going to be released (i.e PR-XXXX)'
+                description: 'The pull request snapshot that is going to be released (i.e XXXX)'
                 required: true
 
 env:
@@ -19,20 +19,22 @@ jobs:
         timeout-minutes: 30
 
         steps:
-            - uses: actions/checkout@v2
+            - uses: actions/checkout@v3
               with:
                   ref: ${{ github.head_ref }}
 
             - uses: ./.github/actions/setup
 
             - name: Release with Gradle
               run: |
-                  BRANCH_NAME=PR-${{ env.PR_NUMBER }}
-                  sed -i '/version=/ s/-SNAPSHOT/-'"$BRANCH_NAME"'-SNAPSHOT/' ./gradle.properties
-                  ./gradlew build publishAllVersions -Pzowe.deploy.username=$ARTIFACTORY_USERNAME -Pzowe.deploy.password=$ARTIFACTORY_PASSWORD -Partifactory_user=$ARTIFACTORY_USERNAME -Partifactory_password=$ARTIFACTORY_USERNAME -PpullRequest=$BRANCH_NAME
+                  PR_NUMBER=PR-${{ env.PR_NUMBER }}
+                  sed -i '/version=/ s/-SNAPSHOT/-'"$PR_NUMBER"'-SNAPSHOT/' ./gradle.properties
+                  ./gradlew build publishAllVersions -Pzowe.deploy.username=$ARTIFACTORY_USERNAME -Pzowe.deploy.password=$ARTIFACTORY_PASSWORD -Partifactory_user=$ARTIFACTORY_USERNAME -Partifactory_password=$ARTIFACTORY_USERNAME -PpullRequest=$PR_NUMBER
               env:
                   ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }}
                   ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
+                  BRANCH_NAME: ${{ github.ref_name }}
+                  BUILD_NUMBER: ${{ github.run_number }}
 
             - uses: ./.github/actions/teardown
 
diff --git a/discovery-service/build.gradle b/discovery-service/build.gradle
@@ -57,7 +57,9 @@ configurations.all {
 }
 
 dependencies {
-    implementation(project(':security-service-client-spring'))
+    implementation(project(':security-service-client-spring')) {
+        exclude group: "javax.servlet", module: "servlet-api"
+    }
     implementation(libraries.spring_boot_starter_web) {
         exclude group: "org.apache.tomcat.embed", module: "tomcat-embed-el"
     }
@@ -76,6 +78,7 @@ dependencies {
     }
     implementation(libraries.eureka_core) {
         exclude group: "com.amazonaws", module: "aws-java-sdk-core"
+        exclude group: "javax.servlet", module: "servlet-api"
     }
     implementation libraries.aws_sdk_core
     implementation libraries.gson
diff --git a/gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/source/DefaultAuthSourceService.java b/gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/source/DefaultAuthSourceService.java
@@ -12,6 +12,7 @@
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.EnableAspectJAutoProxy;
 import org.springframework.context.annotation.Primary;
 import org.springframework.context.annotation.Scope;
@@ -41,6 +42,9 @@
 public class DefaultAuthSourceService implements AuthSourceService {
     private final Map<AuthSourceType, AuthSourceService> map = new EnumMap<>(AuthSourceType.class);
 
+    @Value("${apiml.security.x509.enabled:false}")
+    private boolean isClientCertEnabled;
+
     /**
      * Build the map of the specific implementations of {@link AuthSourceService} for processing of different type of authentications
      *
@@ -67,7 +71,7 @@ public DefaultAuthSourceService(@Autowired JwtAuthSourceService jwtAuthSourceSer
     public Optional<AuthSource> getAuthSourceFromRequest() {
         AuthSourceService service = getService(AuthSourceType.JWT);
         Optional<AuthSource> authSource = service.getAuthSourceFromRequest();
-        if (!authSource.isPresent()) {
+        if (!authSource.isPresent() && isClientCertEnabled) {
             service = getService(AuthSourceType.CLIENT_CERT);
             authSource = service.getAuthSourceFromRequest();
         }
diff --git a/gateway-service/src/test/java/org/zowe/apiml/gateway/security/service/schema/source/DefaultAuthSourceServiceTest.java b/gateway-service/src/test/java/org/zowe/apiml/gateway/security/service/schema/source/DefaultAuthSourceServiceTest.java
@@ -9,29 +9,23 @@
  */
 package org.zowe.apiml.gateway.security.service.schema.source;
 
-import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.times;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.verifyNoInteractions;
-import static org.mockito.Mockito.when;
-
-import java.security.cert.X509Certificate;
-import java.util.Date;
-import java.util.Optional;
-import org.junit.jupiter.api.Assertions;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Nested;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.TestInstance;
+import org.junit.jupiter.api.*;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.test.util.ReflectionTestUtils;
 import org.zowe.apiml.gateway.security.service.schema.source.AuthSource.Origin;
 import org.zowe.apiml.gateway.security.service.schema.source.AuthSource.Parsed;
 import org.zowe.apiml.gateway.utils.CleanCurrentRequestContextTest;
 
+import java.security.cert.X509Certificate;
+import java.util.Date;
+import java.util.Optional;
+
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.*;
+
 @ExtendWith(MockitoExtension.class)
 public class DefaultAuthSourceServiceTest extends CleanCurrentRequestContextTest {
     private X509Certificate x509Certificate;
@@ -46,6 +40,7 @@ void init() {
         x509MFAuthSourceService = mock(X509AuthSourceService.class);
         serviceUnderTest = new DefaultAuthSourceService(jwtAuthSourceService, x509MFAuthSourceService);
         x509Certificate = mock(X509Certificate.class);
+        ReflectionTestUtils.setField(serviceUnderTest, "isClientCertEnabled", true);
     }
 
     @Nested
@@ -114,7 +109,6 @@ void thenX509AuthSourceIsPresent() {
             when(x509MFAuthSourceService.getAuthSourceFromRequest()).thenReturn(Optional.of(x509AuthSource));
 
             Optional<AuthSource> authSource = serviceUnderTest.getAuthSourceFromRequest();
-
             verify(jwtAuthSourceService, times(1)).getAuthSourceFromRequest();
             verify(x509MFAuthSourceService, times(1)).getAuthSourceFromRequest();
 
@@ -184,6 +178,7 @@ void thenX509AuthSourceIsPresent() {
     @TestInstance(TestInstance.Lifecycle.PER_CLASS)
     class WhenUnknownAuthSource {
         private final DummyAuthSource dummyAuthSource = new DummyAuthSource();
+
         @Test
         void thenAuthSourceIsInvalid() {
             Assertions.assertThrows(IllegalArgumentException.class, () -> serviceUnderTest.isValid(dummyAuthSource));
diff --git a/gateway-service/src/test/resources/application.yml b/gateway-service/src/test/resources/application.yml
@@ -36,6 +36,7 @@ apiml:
         x509:
             externalMapperUrl: http://localhost:8542/certificate/x509/map
             externalMapperUser: validUserForMap
+            enabled: true
         auth:
             provider: dummy
             zosmf:
diff --git a/gradle.properties b/gradle.properties
@@ -17,7 +17,7 @@ artifactoryPublishingMavenRepo=https://zowe.jfrog.io/zowe/libs-release-local
 artifactoryPublishingMavenSnapshotRepo=https://zowe.jfrog.io/zowe/libs-snapshot-local
 
 # Artifacts version
-version=1.28.14
+version=1.28.14-SNAPSHOT
 
 defaultSpringBootVersion=2.0.2.RELEASE
 defaultSpringBootCloudVersion=2.0.0.RELEASE

Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,9 @@ configurations.all {`
`57`	`57`	`}`
`58`	`58`
`59`	`59`	`dependencies {`
`60`		`- implementation(project(':security-service-client-spring'))`
	`60`	`+ implementation(project(':security-service-client-spring')) {`
	`61`	`+ exclude group: "javax.servlet", module: "servlet-api"`
	`62`	`+ }`
`61`	`63`	`implementation(libraries.spring_boot_starter_web) {`
`62`	`64`	`exclude group: "org.apache.tomcat.embed", module: "tomcat-embed-el"`
`63`	`65`	`}`
`@@ -76,6 +78,7 @@ dependencies {`
`76`	`78`	`}`
`77`	`79`	`implementation(libraries.eureka_core) {`
`78`	`80`	`exclude group: "com.amazonaws", module: "aws-java-sdk-core"`
	`81`	`+ exclude group: "javax.servlet", module: "servlet-api"`
`79`	`82`	`}`
`80`	`83`	`implementation libraries.aws_sdk_core`
`81`	`84`	`implementation libraries.gson`