feat: Accept all tokens in the Bearer header or in the APIML cookie (#2908)

* feat: Accept PAT and OIDC tokens in Authorization Bearer header and in apimlAuthenticationToken cookie.

Signed-off-by: Petr Weinfurt <petr.weinfurt@broadcom.com>

* Add integration tests with token in cookie.

Signed-off-by: Petr Weinfurt <petr.weinfurt@broadcom.com>

* Test PAT also in bearer header and apiml cookie.

Signed-off-by: Petr Weinfurt <petr.weinfurt@broadcom.com>

* Fix unit test.

Signed-off-by: Petr Weinfurt <petr.weinfurt@broadcom.com>

* Refactor retrieving token by services. Add more tests.

Signed-off-by: Petr Weinfurt <petr.weinfurt@broadcom.com>

* Rollback the usage of x509.enabled. Add more tests for getTokenOrigin

Signed-off-by: Petr Weinfurt <petr.weinfurt@broadcom.com>

---------

Signed-off-by: Petr Weinfurt <petr.weinfurt@broadcom.com>

Author: Petr Weinfurt

common-service-core/src/main/java/org/zowe/apiml/constants/ApimlConstants.java

@@ -22,8 +22,6 @@ private ApimlConstants() {
     public static final String BASIC_AUTHENTICATION_PREFIX = "Basic";
     public static final String BEARER_AUTHENTICATION_PREFIX = "Bearer";
     public static final String PAT_COOKIE_AUTH_NAME = "personalAccessToken";
-
-    public static final String OIDC_HEADER_NAME = "OIDC-TOKEN";
     public static final String PAT_HEADER_NAME = "PRIVATE-TOKEN";
     public static final String AUTH_FAIL_HEADER = "X-Zowe-Auth-Failure";
 }

gateway-service/build.gradle

@@ -177,6 +177,7 @@ dependencies {
     annotationProcessor libraries.spring_boot_configuration_processor
 
     testImplementation libraries.mockito_core
+    testImplementation libraries.mockito_inline
     testImplementation libraries.spring_mock_mvc
     testImplementation libraries.spring_boot_starter_test
     testImplementation libraries.json_smart

gateway-service/src/main/java/org/zowe/apiml/gateway/filters/pre/ServiceAuthenticationFilter.java

@@ -83,7 +83,9 @@ public Object run() {
                 throw new AuthSchemeException("org.zowe.apiml.gateway.security.invalidAuthentication");
             }
         } catch (TokenExpireException tee) {
-            cmd = null;
+            String error = this.messageService.createMessage("org.zowe.apiml.gateway.security.expiredToken").mapToLogMessage();
+            sendErrorMessage(error, context);
+            return null;
         } catch (TokenNotValidException notValidException) {
             String error = this.messageService.createMessage("org.zowe.apiml.gateway.security.invalidToken").mapToLogMessage();
             sendErrorMessage(error, context);

gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/AuthenticationService.java

@@ -38,6 +38,7 @@
 import org.springframework.web.client.RestTemplate;
 import org.zowe.apiml.constants.ApimlConstants;
 import org.zowe.apiml.gateway.controllers.AuthController;
+import org.zowe.apiml.gateway.security.service.schema.source.AuthSource;
 import org.zowe.apiml.gateway.security.service.zosmf.ZosmfService;
 import org.zowe.apiml.product.constants.CoreService;
 import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
@@ -354,6 +355,17 @@ public QueryResponse parseQueryResponse(Claims claims) {
         );
     }
 
+    /**
+     * This method resolves the token origin directly by decoding token claims.
+     * @param jwtToken the JWT token
+     * @return AuthSource.Origin value based on the iss token claim.
+     */
+    public AuthSource.Origin getTokenOrigin(String jwtToken) {
+        Claims claims = getJwtClaims(jwtToken);
+        QueryResponse.Source source = QueryResponse.Source.valueByIssuer(claims.getIssuer());
+        return AuthSource.Origin.valueByTokenSource(source);
+    }
+
     /**
      * This method validates if JWT token is valid and if yes, then get claim from LTPA token.
      * For purpose, when is not needed validation, you can use method {@link #getLtpaToken(String)}
@@ -404,16 +416,6 @@ private Optional<String> getAccessTokenFromHeader(String header) {
         return header != null ? Optional.of(header) : Optional.empty();
     }
 
-    /**
-     * Extract the OIDC token from the request.
-     *
-     * @param request http request
-     * @return the OIDC token from different supported sources: header.
-     */
-    public Optional<String> getOIDCTokenFromRequest(@NonNull HttpServletRequest request) {
-        return getAccessTokenFromHeader(request.getHeader(ApimlConstants.OIDC_HEADER_NAME));
-    }
-
     private Optional<String> getTokenFromCookie(HttpServletRequest request, String cookieName) {
         Cookie[] cookies = request.getCookies();
         if (cookies == null) return Optional.empty();

gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/source/JwtAuthSourceService.java

@@ -51,7 +51,14 @@ public Function<String, AuthSource> getMapper() {
 
     @Override
     public Optional<String> getToken(RequestContext context) {
-        return authenticationService.getJwtTokenFromRequest(context.getRequest());
+        Optional<String> tokenOptional = authenticationService.getJwtTokenFromRequest(context.getRequest());
+        if (tokenOptional.isPresent()) {
+            AuthSource.Origin origin = authenticationService.getTokenOrigin(tokenOptional.get());
+            if (Origin.ZOSMF == origin || Origin.ZOWE == origin) {
+                return tokenOptional;
+            }
+        }
+        return Optional.empty();
     }
 
     /**

gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/source/OIDCAuthSourceService.java

@@ -10,9 +10,8 @@
 
 package org.zowe.apiml.gateway.security.service.schema.source;
 
-import java.util.Optional;
-import java.util.function.Function;
-
+import com.netflix.zuul.context.RequestContext;
+import lombok.RequiredArgsConstructor;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
@@ -28,9 +27,8 @@
 import org.zowe.apiml.security.common.token.QueryResponse;
 import org.zowe.apiml.security.common.token.TokenNotValidException;
 
-import com.netflix.zuul.context.RequestContext;
-
-import lombok.RequiredArgsConstructor;
+import java.util.Optional;
+import java.util.function.Function;
 
 @Service
 @RequiredArgsConstructor
@@ -57,7 +55,14 @@ public Function<String, AuthSource> getMapper() {
 
     @Override
     public Optional<String> getToken(RequestContext context) {
-        return authenticationService.getOIDCTokenFromRequest(context.getRequest());
+        Optional<String> tokenOptional = authenticationService.getJwtTokenFromRequest(context.getRequest());
+        if (tokenOptional.isPresent()) {
+            AuthSource.Origin origin = authenticationService.getTokenOrigin(tokenOptional.get());
+            if (AuthSource.Origin.OIDC == origin) {
+                return tokenOptional;
+            }
+        }
+        return Optional.empty();
     }
 
     @Override
@@ -117,7 +122,7 @@ private AuthSource.Parsed parseOIDCToken(OIDCAuthSource oidcAuthSource, Authenti
     @Override
     public String getLtpaToken(AuthSource authSource) {
         String zosmfToken = getJWT(authSource);
-        AuthSource.Origin origin = getTokenOrigin(zosmfToken);
+        AuthSource.Origin origin = authenticationService.getTokenOrigin(zosmfToken);
         if (AuthSource.Origin.ZOWE.equals(origin)) {
             zosmfToken = authenticationService.getLtpaToken(zosmfToken);
         }
@@ -130,9 +135,4 @@ public String getJWT(AuthSource authSource) {
         return tokenService.createJwtTokenWithoutCredentials(parsed.getUserId());
     }
 
-    public AuthSource.Origin getTokenOrigin(String zosmfToken) {
-        QueryResponse response = authenticationService.parseJwtToken(zosmfToken);
-        return AuthSource.Origin.valueByTokenSource(response.getSource());
-    }
-
 }

gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/source/PATAuthSourceService.java

@@ -51,7 +51,18 @@ public Function<String, AuthSource> getMapper() {
 
     @Override
     public Optional<String> getToken(RequestContext context) {
-        return authenticationService.getPATFromRequest(context.getRequest());
+        Optional<String> tokenOptional = authenticationService.getJwtTokenFromRequest(context.getRequest());
+        if (!tokenOptional.isPresent()) {
+            // try to get token also from PAT specific cookie or header
+            tokenOptional = authenticationService.getPATFromRequest(context.getRequest());
+        }
+        if (tokenOptional.isPresent()) {
+            AuthSource.Origin origin = authenticationService.getTokenOrigin(tokenOptional.get());
+            if (AuthSource.Origin.ZOWE_PAT == origin) {
+                return tokenOptional;
+            }
+        }
+        return Optional.empty();
     }
 
     @Override
@@ -86,7 +97,7 @@ public AuthSource.Parsed parse(AuthSource authSource) {
     @Override
     public String getLtpaToken(AuthSource authSource) {
         String zosmfToken = getJWT(authSource);
-        AuthSource.Origin origin = getTokenOrigin(zosmfToken);
+        AuthSource.Origin origin = authenticationService.getTokenOrigin(zosmfToken);
         if (AuthSource.Origin.ZOWE.equals(origin)) {
             zosmfToken = authenticationService.getLtpaToken(zosmfToken);
         }
@@ -99,8 +110,4 @@ public String getJWT(AuthSource authSource) {
         return tokenService.createJwtTokenWithoutCredentials(parsed.getUserId());
     }
 
-    public AuthSource.Origin getTokenOrigin(String zosmfToken) {
-        QueryResponse response = authenticationService.parseJwtToken(zosmfToken);
-        return AuthSource.Origin.valueByTokenSource(response.getSource());
-    }
 }

gateway-service/src/test/java/org/zowe/apiml/acceptance/SafIdtSchemeTest.java

@@ -52,7 +52,11 @@
  * The output to be tested is the saf idt token.
  */
 @AcceptanceTest
-@TestPropertySource(properties = {"spring.profiles.active=debug", "apiml.security.x509.externalMapperUrl="})
+@TestPropertySource(properties = {
+    "spring.profiles.active=debug",
+    "apiml.security.x509.enabled=true",
+    "apiml.security.x509.externalMapperUrl="
+})
 class SafIdtSchemeTest extends AcceptanceTestWithTwoServices {
     @Value("${server.ssl.keyStorePassword:password}")
     private char[] keystorePassword;

gateway-service/src/test/java/org/zowe/apiml/acceptance/ZosmfSchemeTest.java

@@ -44,7 +44,12 @@
  * The output to be tested is the Zosmf token.
  */
 @AcceptanceTest
-@TestPropertySource(properties = {"apiml.security.auth.provider=zosmf", "spring.profiles.active=debug", "apiml.security.x509.externalMapperUrl="})
+@TestPropertySource(properties = {
+    "apiml.security.auth.provider=zosmf",
+    "spring.profiles.active=debug",
+    "apiml.security.x509.enabled=true",
+    "apiml.security.x509.externalMapperUrl="
+})
 class ZosmfSchemeTest extends AcceptanceTestWithTwoServices {
     @Value("${server.ssl.keyStorePassword:password}")
     private char[] keystorePassword;

gateway-service/src/test/java/org/zowe/apiml/gateway/filters/pre/ServiceAuthenticationFilterTest.java

@@ -196,6 +196,10 @@ public void increment(String name) {
     @ParameterizedTest
     @MethodSource("provideAuthSources")
     void givenExpiredJwt_thenCallThrought(AuthSource authSource) {
+        MessageTemplate messageTemplate = new MessageTemplate("key", "number", MessageType.ERROR, "text");
+        Message message = Message.of("requestedKey", messageTemplate, new Object[0]);
+        doReturn(message).when(messageService).createMessage(anyString(), (Object) any());
+
         AuthenticationCommand cmd = createValidationCommand(authSource);
         doThrow(new TokenExpireException("Token is expired.")).when(authSourceService).isValid(any());