feat: Fix SAF IDT scheme and service (#2224)

* Finish the movement of the SAF IDT related PR

Signed-off-by: Jakub Balhar <jakub.balhar@broadcom.net>

* Add applid related behavior in mock

Signed-off-by: Jakub Balhar <jakub.balhar@broadcom.net>

* Fix the configuration

Signed-off-by: Jakub Balhar <jakub.balhar@broadcom.net>

Co-authored-by: Jakub Balhar <jakub.balhar@broadcom.net>
Co-authored-by: achmelo <a.chmelo@gmail.com>
Co-authored-by: achmelo <37397715+achmelo@users.noreply.github.com>

Author: 3 people

gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/saf/SafProviderBeansConfig.java

@@ -14,19 +14,13 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.client.RestTemplate;
-import org.zowe.apiml.gateway.security.service.AuthenticationService;
-import org.zowe.apiml.passticket.PassTicketService;
 
 @Configuration
 @RequiredArgsConstructor
 public class SafProviderBeansConfig {
     @Bean
     @ConditionalOnProperty(name = "apiml.security.saf.provider", havingValue = "rest")
-    public SafIdtProvider restSafProvider(
-        RestTemplate restTemplate,
-        AuthenticationService authenticationService,
-        PassTicketService passTicketService
-    ) {
-        return new SafRestAuthenticationService(restTemplate, authenticationService, passTicketService);
+    public SafIdtProvider restSafProvider(RestTemplate restTemplate) {
+        return new SafRestAuthenticationService(restTemplate);
     }
 }

gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/saf/SafRestAuthenticationService.java

@@ -9,21 +9,18 @@
  */
 package org.zowe.apiml.gateway.security.service.saf;
 
-import com.netflix.zuul.context.RequestContext;
-import lombok.Data;
-import lombok.RequiredArgsConstructor;
-import lombok.extern.slf4j.Slf4j;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import com.fasterxml.jackson.databind.ser.std.StdArraySerializers;
+import lombok.*;
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.http.ResponseEntity;
+import org.springframework.http.*;
 import org.springframework.web.client.HttpClientErrorException;
+import org.springframework.web.client.RestClientException;
 import org.springframework.web.client.RestTemplate;
-import org.zowe.apiml.gateway.security.service.AuthenticationService;
-import org.zowe.apiml.passticket.IRRPassTicketGenerationException;
-import org.zowe.apiml.passticket.PassTicketService;
-import org.zowe.apiml.security.common.token.TokenAuthentication;
 
 import java.net.URI;
-import java.util.Optional;
+import java.util.Collections;
 
 import static org.springframework.util.StringUtils.isEmpty;
 
@@ -37,84 +34,82 @@
  * - apiml.security.saf.urls.verify - URL to verify the validity of the token
  */
 @RequiredArgsConstructor
-@Slf4j
 public class SafRestAuthenticationService implements SafIdtProvider {
+
     private final RestTemplate restTemplate;
-    private final AuthenticationService authenticationService;
-    private final PassTicketService passTicketService;
+
+    static final HttpHeaders HEADERS = new HttpHeaders();
+
+    static {
+        HEADERS.setContentType(MediaType.APPLICATION_JSON);
+        HEADERS.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON));
+    }
 
     @Value("${apiml.security.saf.urls.authenticate}")
     String authenticationUrl;
     @Value("${apiml.security.saf.urls.verify}")
     String verifyUrl;
-    @Value("${apiml.security.zosmf.applid:IZUDFLT}")
-    protected String zosmfApplId;
 
     @Override
     public String generate(String username, char[] password, String applId) {
-        final RequestContext context = RequestContext.getCurrentContext();
-        Optional<String> jwtToken = authenticationService.getJwtTokenFromRequest(context.getRequest());
-        if (!jwtToken.isPresent()) {
-            throw new SafIdtException("Provided no JWT token");
-        }
-
-        TokenAuthentication tokenAuthentication = authenticationService.validateJwtToken(jwtToken.get());
-        if (!tokenAuthentication.isAuthenticated()) {
-            throw new SafIdtException("Provided invalid JWT token");
-        }
+        Authentication authentication = Authentication.builder()
+                .username(username)
+                .pass(password)
+                .appl(applId)
+                .build();
 
         try {
-            Authentication authentication = new Authentication();
-            authentication.setJwt(jwtToken.get());
-            authentication.setUsername(username);
-            String passTicket = passTicketService.generate(username, zosmfApplId);
-            log.debug("Generated passticket: {}", passTicket);
-            authentication.setPass(passTicket);
-
-            ResponseEntity<Token> re = restTemplate.postForEntity(URI.create(authenticationUrl), authentication, Token.class);
-
-            if (!re.getStatusCode().is2xxSuccessful()) {
-                throw new SafIdtException("ZSS authentication service has not returned the Identity token");
-            }
-
-            Token responseBody = re.getBody();
-            if (responseBody == null) {
+            ResponseEntity<Token> response = restTemplate.exchange(
+                    URI.create(authenticationUrl),
+                    HttpMethod.POST,
+                    new HttpEntity<>(authentication, HEADERS),
+                    Token.class);
+
+            Token responseBody = response.getBody();
+            if (responseBody == null || StringUtils.isEmpty(responseBody.getJwt())) {
                 throw new SafIdtException("ZSS authentication service has not returned the Identity token");
             }
 
             return responseBody.getJwt();
-        } catch (HttpClientErrorException.Unauthorized | HttpClientErrorException.Forbidden | IRRPassTicketGenerationException e) {
+        } catch (HttpClientErrorException.Unauthorized | HttpClientErrorException.Forbidden e) {
             throw new SafIdtAuthException("Authentication to ZSS failed", e);
         }
     }
 
     @Override
-    public boolean verify(String safToken, String applId) {
+    public boolean verify(String safToken, String applid) {
         if (isEmpty(safToken)) {
             return false;
         }
 
         try {
-            Token token = new Token();
-            token.setJwt(safToken);
-
-            ResponseEntity<String> re = restTemplate.postForEntity(URI.create(verifyUrl), token, String.class);
-
-            return re.getStatusCode().is2xxSuccessful();
-        } catch (HttpClientErrorException.Unauthorized e) {
+            ResponseEntity<Void> response = restTemplate.exchange(
+                    URI.create(verifyUrl),
+                    HttpMethod.POST,
+                    new HttpEntity<>(new Token(safToken, applid), HEADERS),
+                    Void.class);
+
+            return response.getStatusCode().is2xxSuccessful();
+        } catch (RestClientException e) {
             return false;
         }
     }
 
     @Data
+    @NoArgsConstructor
+    @AllArgsConstructor
     public static class Token {
         String jwt;
+        String appl;
     }
 
-    @Data
+    @lombok.Value
+    @Builder
     public static class Authentication {
-        String jwt;
         String username;
-        String pass;
+        @JsonSerialize(using = StdArraySerializers.CharArraySerializer.class)
+        char[] pass;
+        String appl;
     }
+
 }

gateway-service/src/test/java/org/zowe/apiml/acceptance/SafIdtSchemeTest.java

@@ -98,11 +98,11 @@ void thenValidTokenIsProvided() throws IOException {
                     .signWith(Keys.secretKeyFor(SignatureAlgorithm.HS256))
                     .compact();
 
-                ResponseEntity<Object> response = mock(ResponseEntity.class);
-                when(mockTemplate.postForEntity(any(), any(), any())).thenReturn(response);
-                when(response.getStatusCode()).thenReturn(org.springframework.http.HttpStatus.CREATED);
-                SafRestAuthenticationService.Token responseBody = new SafRestAuthenticationService.Token();
-                responseBody.setJwt(resultSafToken);
+                ResponseEntity<SafRestAuthenticationService.Token> response = mock(ResponseEntity.class);
+                when(mockTemplate.exchange(any(), eq(HttpMethod.POST), any(), eq(SafRestAuthenticationService.Token.class)))
+                    .thenReturn(response);
+                SafRestAuthenticationService.Token responseBody =
+                    new SafRestAuthenticationService.Token(resultSafToken, "applid");
                 when(response.getBody()).thenReturn(responseBody);
 
                 given()