feat: Catalog: authenticate with client certificate for /apidoc/** endpoints (#1568)

* Add integration tests

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Add x509 cert for all ac endpoints

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Configure cert for only apidoc route

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Add cert for not apidoc route integration test

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Add AT-TLS filter

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Make verifying cert configurable

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Clean code smells

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Remove duplicate WebSecurity config

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Add integration tests for cert and basic auth

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Reset ssl config for each integration test

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* fix docker config for catalog

Signed-off-by: jandadav <janda.david@gmail.com>

Co-authored-by: jandadav <janda.david@gmail.com>

Author: CarsonCook

api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/security/SecurityConfiguration.java

@@ -11,18 +11,25 @@
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
 import org.springframework.http.HttpMethod;
+import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
+import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.zowe.apiml.product.filter.AttlsFilter;
 import org.zowe.apiml.security.client.EnableApimlAuth;
 import org.zowe.apiml.security.client.login.GatewayLoginProvider;
 import org.zowe.apiml.security.client.token.GatewayTokenProvider;
@@ -33,6 +40,8 @@
 import org.zowe.apiml.security.common.login.LoginFilter;
 import org.zowe.apiml.security.common.login.ShouldBeAlreadyAuthenticatedFilter;
 
+import java.util.Collections;
+
 /**
  * Main configuration class of Spring web security for Api Catalog
  * binds authentication managers
@@ -44,35 +53,100 @@
 @EnableWebSecurity
 @RequiredArgsConstructor
 @EnableApimlAuth
-public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
+public class SecurityConfiguration {
+    private static final String APIDOC_ROUTES = "/apidoc/**";
 
     private final ObjectMapper securityObjectMapper;
     private final AuthConfigurationProperties authConfigurationProperties;
     private final HandlerInitializer handlerInitializer;
     private final GatewayLoginProvider gatewayLoginProvider;
     private final GatewayTokenProvider gatewayTokenProvider;
 
-    @Override
-    protected void configure(AuthenticationManagerBuilder auth) {
-        auth.authenticationProvider(gatewayLoginProvider);
-        auth.authenticationProvider(gatewayTokenProvider);
+    /**
+     * Filter chain for protecting /apidoc/** endpoints with MF credentials for client certificate.
+     */
+    @Configuration
+    @Order(1)
+    public class FilterChainBasicAuthOrTokenOrCertForApiDoc extends WebSecurityConfigurerAdapter {
+
+        @Value("${apiml.security.ssl.verifySslCertificatesOfServices:true}")
+        private boolean verifySslCertificatesOfServices;
+
+        @Value("${apiml.security.ssl.nonStrictVerifySslCertificatesOfServices:false}")
+        private boolean nonStrictVerifySslCertificatesOfServices;
+
+        @Value("${server.attls.enabled:false}")
+        private boolean isAttlsEnabled;
+
+        @Override
+        protected void configure(AuthenticationManagerBuilder auth) {
+            auth.authenticationProvider(gatewayLoginProvider);
+            auth.authenticationProvider(gatewayTokenProvider);
+        }
+
+        @Override
+        protected void configure(HttpSecurity http) throws Exception {
+            mainframeCredentialsConfiguration(
+                baseConfiguration(http.antMatcher(APIDOC_ROUTES)),
+                authenticationManager()
+            )
+                .authorizeRequests()
+                .antMatchers(APIDOC_ROUTES).authenticated();
+
+            if (verifySslCertificatesOfServices || nonStrictVerifySslCertificatesOfServices) {
+                http.x509().userDetailsService(x509UserDetailsService());
+                if (isAttlsEnabled) {
+                    http.addFilterBefore(new AttlsFilter(), X509AuthenticationFilter.class);
+                }
+            }
+        }
+
+        private UserDetailsService x509UserDetailsService() {
+            return username -> new User(username, "", Collections.emptyList());
+        }
     }
 
-    @Override
-    public void configure(WebSecurity web) {
-        // skip security filters matchers
-        String[] noSecurityAntMatchers = {
-            "/",
-            "/static/**",
-            "/favicon.ico",
-            "/api-doc"
-        };
-
-        web.ignoring().antMatchers(noSecurityAntMatchers);
+    /**
+     * Default filter chain to protect all routes with MF credentials.
+     */
+    @Configuration
+    public class FilterChainBasicAuthOrTokenAllEndpoints extends WebSecurityConfigurerAdapter {
+
+        @Override
+        protected void configure(AuthenticationManagerBuilder auth) {
+            auth.authenticationProvider(gatewayLoginProvider);
+            auth.authenticationProvider(gatewayTokenProvider);
+        }
+
+        @Override
+        public void configure(WebSecurity web) {
+            // skip security filters matchers
+            String[] noSecurityAntMatchers = {
+                "/",
+                "/static/**",
+                "/favicon.ico",
+                "/api-doc"
+            };
+
+            web.ignoring().antMatchers(noSecurityAntMatchers);
+        }
+
+        @Override
+        protected void configure(HttpSecurity http) throws Exception {
+            mainframeCredentialsConfiguration(
+                baseConfiguration(http),
+                authenticationManager()
+            )
+                .authorizeRequests()
+                .antMatchers("/static-api/**").authenticated()
+                .antMatchers("/containers/**").authenticated()
+                .antMatchers(APIDOC_ROUTES).authenticated()
+                .antMatchers("/application/health", "/application/info").permitAll()
+                .antMatchers("/application/**").authenticated();
+        }
     }
 
-    @Override
-    protected void configure(HttpSecurity http) throws Exception {
+    private HttpSecurity baseConfiguration(HttpSecurity http) throws Exception {
         http
             .csrf().disable()   // NOSONAR
             .headers()
@@ -85,20 +159,24 @@ protected void configure(HttpSecurity http) throws Exception {
                 handlerInitializer.getBasicAuthUnauthorizedHandler(), new AntPathRequestMatcher("/application/**")
             )
             .defaultAuthenticationEntryPointFor(
-                handlerInitializer.getBasicAuthUnauthorizedHandler(), new AntPathRequestMatcher("/apidoc/**")
+                handlerInitializer.getBasicAuthUnauthorizedHandler(), new AntPathRequestMatcher(APIDOC_ROUTES)
             )
             .defaultAuthenticationEntryPointFor(
                 handlerInitializer.getUnAuthorizedHandler(), new AntPathRequestMatcher("/**")
             )
 
             .and()
             .sessionManagement()
-            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
+            .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
 
+        return http;
+    }
+
+    private HttpSecurity mainframeCredentialsConfiguration(HttpSecurity http, AuthenticationManager authenticationManager) throws Exception {
+        http
             // login endpoint
-            .and()
             .addFilterBefore(new ShouldBeAlreadyAuthenticatedFilter(authConfigurationProperties.getServiceLoginEndpoint(), handlerInitializer.getAuthenticationFailureHandler()), UsernamePasswordAuthenticationFilter.class)
-            .addFilterBefore(loginFilter(authConfigurationProperties.getServiceLoginEndpoint()), ShouldBeAlreadyAuthenticatedFilter.class)
+            .addFilterBefore(loginFilter(authConfigurationProperties.getServiceLoginEndpoint(), authenticationManager), ShouldBeAlreadyAuthenticatedFilter.class)
             .authorizeRequests()
             .antMatchers(HttpMethod.POST, authConfigurationProperties.getServiceLoginEndpoint()).permitAll()
 
@@ -110,33 +188,29 @@ protected void configure(HttpSecurity http) throws Exception {
 
             // endpoints protection
             .and()
-            .addFilterBefore(basicFilter(), UsernamePasswordAuthenticationFilter.class)
-            .addFilterBefore(cookieFilter(), UsernamePasswordAuthenticationFilter.class)
-            .authorizeRequests()
-            .antMatchers("/static-api/**").authenticated()
-            .antMatchers("/containers/**").authenticated()
-            .antMatchers("/apidoc/**").authenticated()
-            .antMatchers("/application/health", "/application/info").permitAll()
-            .antMatchers("/application/**").authenticated();
+            .addFilterBefore(basicFilter(authenticationManager), UsernamePasswordAuthenticationFilter.class)
+            .addFilterBefore(cookieFilter(authenticationManager), UsernamePasswordAuthenticationFilter.class);
+
+        return http;
     }
 
-    private LoginFilter loginFilter(String loginEndpoint) throws Exception {
+    private LoginFilter loginFilter(String loginEndpoint, AuthenticationManager authenticationManager) {
         return new LoginFilter(
             loginEndpoint,
             handlerInitializer.getSuccessfulLoginHandler(),
             handlerInitializer.getAuthenticationFailureHandler(),
             securityObjectMapper,
-            authenticationManager(),
+            authenticationManager,
             handlerInitializer.getResourceAccessExceptionHandler()
         );
     }
 
     /**
      * Secures content with a basic authentication
      */
-    private BasicContentFilter basicFilter() throws Exception {
+    private BasicContentFilter basicFilter(AuthenticationManager authenticationManager) {
         return new BasicContentFilter(
-            authenticationManager(),
+            authenticationManager,
             handlerInitializer.getAuthenticationFailureHandler(),
             handlerInitializer.getResourceAccessExceptionHandler()
         );
@@ -145,9 +219,9 @@ private BasicContentFilter basicFilter() throws Exception {
     /**
      * Secures content with a token stored in a cookie
      */
-    private CookieContentFilter cookieFilter() throws Exception {
+    private CookieContentFilter cookieFilter(AuthenticationManager authenticationManager) {
         return new CookieContentFilter(
-            authenticationManager(),
+            authenticationManager,
             handlerInitializer.getAuthenticationFailureHandler(),
             handlerInitializer.getResourceAccessExceptionHandler(),
             authConfigurationProperties);

api-catalog-services/src/main/resources/application.yml

@@ -91,6 +91,7 @@ server:
         trustStore: ${apiml.security.ssl.trustStore}
         trustStoreType: ${apiml.security.ssl.trustStoreType}
         trustStorePassword: ${apiml.security.ssl.trustStorePassword}
+        clientAuth: want
     error:
         whitelabel:
             enabled: false

config/docker/api-catalog-services.yml

@@ -16,7 +16,7 @@ server:
         keyStore: /docker/all-services.keystore.p12
         keyStorePassword: password
         keyStoreType: PKCS12
-        clientAuth:
+        clientAuth: want
 
 apiml:
     service: