Allow Zowe to run without a jwtsecret (#1203)

feat: Allow Zowe to run without a jwtsecret
When jwtsecret is not required, API Mediation Layer can start without it.

Author: balhar-jakub

common-service-core/src/main/java/org/zowe/apiml/security/SecurityUtils.java

@@ -14,10 +14,7 @@
 import org.zowe.apiml.message.log.ApimlLogger;
 import org.zowe.apiml.message.yaml.YamlMessageServiceInstance;
 
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.io.InputStream;
+import java.io.*;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.security.*;
@@ -33,31 +30,6 @@ public class SecurityUtils {
 
     public static final String SAFKEYRING = "safkeyring";
 
-    /**
-     * Reads secret key from keystore or key ring, if keystore URL starts with {@value #SAFKEYRING}, and encode to Base64
-     * @param config - {@link HttpsConfig} with mandatory filled fields: keyStore, keyStoreType, keyStorePassword, keyPassword,
-     *                                 and optional filled: keyAlias and trustStore
-     * @return Base64 encoded secret key in {@link String}
-     */
-    public static String readSecret(HttpsConfig config) {
-        if (config.getKeyStore() != null) {
-            try {
-                Key key = loadKey(config);
-                if (key == null) {
-                    throw new UnrecoverableKeyException(String.format(
-                        "No key with private key entry could be used in the keystore. Provided key alias: %s",
-                        config.getKeyAlias() == null ? "<not provided>" : config.getKeyAlias()));
-                }
-                return Base64.getEncoder().encodeToString(key.getEncoded());
-            } catch (UnrecoverableKeyException e) {
-                apimlLog.log("org.zowe.apiml.common.errorReadingSecretKey", e.getMessage());
-                throw new HttpsConfigError("Error reading secret key: " + e.getMessage(), e,
-                    HttpsConfigError.ErrorCode.HTTP_CLIENT_INITIALIZATION_FAILED, config);
-            }
-        }
-        return null;
-    }
-
     /**
      * Loads secret key from keystore or key ring, if keystore URL starts with {@value #SAFKEYRING}
      * @param config - {@link HttpsConfig} with mandatory filled fields: keyStore, keyStoreType, keyStorePassword, keyPassword,
@@ -73,7 +45,7 @@ public static Key loadKey(HttpsConfig config) {
                 if (config.getKeyAlias() != null) {
                     key = ks.getKey(config.getKeyAlias(), keyPasswordInChars);
                 } else {
-                    key = findFirstSecretKey(ks, keyPasswordInChars);
+                    throw new KeyStoreException("No key alias provided.");
                 }
                 return key;
             } catch (NoSuchAlgorithmException | KeyStoreException | CertificateException | IOException
@@ -124,22 +96,6 @@ public static Set<String> loadCertificateChainBase64(HttpsConfig config) throws
         return out;
     }
 
-    private static Key findFirstSecretKey(KeyStore keyStore, char[] keyPasswordInChars) throws KeyStoreException, NoSuchAlgorithmException {
-        Key key = null;
-        for (Enumeration<String> e = keyStore.aliases(); e.hasMoreElements(); ) {
-            String alias = e.nextElement();
-            try {
-                key = keyStore.getKey(alias, keyPasswordInChars);
-                if (key != null) {
-                    break;
-                }
-            } catch (UnrecoverableKeyException uke) {
-                log.debug("Key with alias {} could not be used: {}", alias, uke.getMessage());
-            }
-        }
-        return key;
-    }
-
     /**
      * Loads public key from keystore or key ring, if keystore URL starts with {@value #SAFKEYRING}
      * @param config - {@link HttpsConfig} with mandatory filled fields: keyStore, keyStoreType, keyStorePassword, keyPassword,

common-service-core/src/test/java/org/zowe/apiml/security/SecurityUtilsTest.java

@@ -43,20 +43,6 @@ void setUp() {
         httpsConfigBuilder = SecurityTestUtils.correctHttpsSettings();
     }
 
-    @Test
-    void testReadSecret() {
-        HttpsConfig httpsConfig = httpsConfigBuilder.keyAlias(KEY_ALIAS).build();
-        String secretKey = SecurityUtils.readSecret(httpsConfig);
-        assertNotNull(secretKey);
-    }
-
-    @Test
-    void testReadSecretWithIncorrectKeyAlias() {
-        HttpsConfig httpsConfig = httpsConfigBuilder.keyAlias(WRONG_PARAMETER).build();
-        assertThrows(HttpsConfigError.class, () -> SecurityUtils.readSecret(httpsConfig));
-
-    }
-
     @Test
     void testLoadKey() {
         HttpsConfig httpsConfig = httpsConfigBuilder.keyAlias(JWT_KEY_ALIAS).build();

config/local/gateway-service.yml

@@ -13,8 +13,6 @@ apiml:
                 timeout: 360 # [s] - default timeout to expire (z/OS has 10 mins as default)
         ssl:
             verifySslCertificatesOfServices: true
-        zosmf:
-            useJwtToken: true # if true and z/OSMF returns JWT token use it, otherwise create Zowe JWT token with LTPA token from z/OSMF, default is true
         x509:
             enabled: true
     banner: console

gateway-service/build.gradle

@@ -70,6 +70,8 @@ dependencies {
     implementation libraries.nimbusJoseJwt
     implementation libraries.eh_cache
     implementation libraries.spring_retry
+    implementation libraries.awaitility
+
     compileOnly libraries.javax_inject
     compileOnly libraries.lombok
     annotationProcessor libraries.lombok

gateway-service/src/main/java/org/zowe/apiml/gateway/controllers/AuthController.java

@@ -12,9 +12,7 @@
 import com.nimbusds.jose.jwk.JWK;
 import com.nimbusds.jose.jwk.JWKSet;
 import lombok.RequiredArgsConstructor;
-import lombok.Setter;
 import net.minidev.json.JSONObject;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.bind.annotation.*;
 import org.zowe.apiml.gateway.security.service.AuthenticationService;
 import org.zowe.apiml.gateway.security.service.JwtSecurityInitializer;
@@ -25,6 +23,7 @@
 import javax.servlet.http.HttpServletResponse;
 import java.util.LinkedList;
 import java.util.List;
+import java.util.Optional;
 
 import static org.apache.http.HttpStatus.*;
 
@@ -37,10 +36,6 @@
 @RequestMapping(AuthController.CONTROLLER_PATH)
 public class AuthController {
 
-    @Setter
-    @Value("${apiml.security.zosmf.useJwtToken:true}")
-    protected boolean useZosmfJwtToken;
-
     private final AuthenticationService authenticationService;
 
     private final JwtSecurityInitializer jwtSecurityInitializer;
@@ -87,19 +82,19 @@ public void distributeInvalidate(HttpServletRequest request, HttpServletResponse
     public JSONObject getAllPublicKeys() {
         final List<JWK> keys = new LinkedList<>();
         keys.addAll(zosmfService.getPublicKeys().getKeys());
-        keys.add(jwtSecurityInitializer.getJwkPublicKey());
+        Optional<JWK> key = jwtSecurityInitializer.getJwkPublicKey();
+        key.ifPresent(keys::add);
         return new JWKSet(keys).toJSONObject(true);
     }
 
     @GetMapping(path = CURRENT_PUBLIC_KEYS_PATH)
     @ResponseBody
     public JSONObject getCurrentPublicKeys() {
-        final List<JWK> keys = new LinkedList<>();
-        if (useZosmfJwtToken) {
-            keys.addAll(zosmfService.getPublicKeys().getKeys());
-        }
+        final List<JWK> keys = new LinkedList<>(zosmfService.getPublicKeys().getKeys());
+
         if (keys.isEmpty()) {
-            keys.add(jwtSecurityInitializer.getJwkPublicKey());
+            Optional<JWK> key = jwtSecurityInitializer.getJwkPublicKey();
+            key.ifPresent(keys::add);
         }
         return new JWKSet(keys).toJSONObject(true);
     }

gateway-service/src/main/java/org/zowe/apiml/gateway/health/GatewayHealthIndicator.java

@@ -54,7 +54,7 @@ protected void doHealthCheck(Health.Builder builder) {
         boolean authUp = true;
         if (loginProviders.isZosfmUsed()) {
             try {
-                authUp = loginProviders.isZosmfAvailable();
+                authUp = loginProviders.isZosmfAvailableAndOnline();
             } catch (AuthenticationServiceException ex) {
                 System.exit(-1);
             }

gateway-service/src/main/java/org/zowe/apiml/gateway/security/config/ComponentsConfiguration.java

@@ -13,6 +13,7 @@
 import org.springframework.context.annotation.*;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.zowe.apiml.gateway.security.login.Providers;
+import org.zowe.apiml.gateway.security.service.zosmf.ZosmfService;
 import org.zowe.apiml.passticket.PassTicketService;
 import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
 
@@ -48,9 +49,10 @@ public PassTicketService passTicketService() {
     public Providers loginProviders(
         DiscoveryClient discoveryClient,
         AuthConfigurationProperties authConfigurationProperties,
+        ZosmfService zosmfService,
         @Lazy CompoundAuthProvider compoundAuthProvider
     ) {
-        return new Providers(discoveryClient, authConfigurationProperties, compoundAuthProvider);
+        return new Providers(discoveryClient, authConfigurationProperties, compoundAuthProvider, zosmfService);
     }
 
 }

gateway-service/src/main/java/org/zowe/apiml/gateway/security/login/Providers.java

@@ -10,24 +10,49 @@
 package org.zowe.apiml.gateway.security.login;
 
 import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.cloud.client.discovery.DiscoveryClient;
 import org.springframework.security.authentication.AuthenticationServiceException;
 import org.zowe.apiml.gateway.security.config.CompoundAuthProvider;
+import org.zowe.apiml.gateway.security.service.zosmf.ZosmfService;
 import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
+import org.zowe.apiml.security.common.error.ServiceNotAccessibleException;
 
+@Slf4j
 @RequiredArgsConstructor
 public class Providers {
     private final DiscoveryClient discoveryClient;
     private final AuthConfigurationProperties authConfigurationProperties;
     private final CompoundAuthProvider compoundAuthProvider;
+    private final ZosmfService zosmfService;
 
     /**
      * This method decides whether the Zosmf service is available.
      * @return Availability of the ZOSMF service in the system.
      * @throws AuthenticationServiceException if the z/OSMF service id is not configured
      */
     public boolean isZosmfAvailable() {
-        return !this.discoveryClient.getInstances(authConfigurationProperties.validatedZosmfServiceId()).isEmpty();
+        boolean isZosmfRegisteredAndPropagated = !this.discoveryClient.getInstances(authConfigurationProperties.validatedZosmfServiceId()).isEmpty();
+        log.debug("zOSMF registered with the Discovery Service and propagated to Gateway: {}", isZosmfRegisteredAndPropagated);
+        return isZosmfRegisteredAndPropagated;
+    }
+
+    /**
+     * Verify that the zOSMF is registered in the Discovery service and that we can actually reach it.
+     * @return true if the service is registered and properly responds.
+     */
+    public boolean isZosmfAvailableAndOnline() {
+        try {
+            boolean isAvailable = isZosmfAvailable();
+            boolean isAccessible = zosmfService.isAccessible();
+            log.debug("zOSMF is registered and propagated to the DS: {} and is accessible based on the information: {}", isAvailable, isAccessible);
+
+            return isAvailable && isAccessible;
+        } catch (ServiceNotAccessibleException exception) {
+            log.debug("zOSMF isn't registered to the Gateway yet");
+
+            return false;
+        }
     }
 
     /**
@@ -37,4 +62,12 @@ public boolean isZosmfAvailable() {
     public boolean isZosfmUsed() {
         return compoundAuthProvider.getLoginAuthProviderName().equalsIgnoreCase(LoginProvider.ZOSMF.toString());
     }
+
+    /**
+     * This method decides whether used zOSMF instance supports JWT tokens.
+     * @return True is the instance support JWT
+     */
+    public boolean zosmfSupportsJwt() {
+        return zosmfService.loginEndpointExists();
+    }
 }

gateway-service/src/main/java/org/zowe/apiml/gateway/security/login/zosmf/ZosmfAuthenticationProvider.java

@@ -10,7 +10,6 @@
 package org.zowe.apiml.gateway.security.login.zosmf;
 
 import lombok.RequiredArgsConstructor;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
@@ -29,9 +28,6 @@
 @RequiredArgsConstructor
 public class ZosmfAuthenticationProvider implements AuthenticationProvider {
 
-    @Value("${apiml.security.zosmf.useJwtToken:true}")
-    private boolean useJwtToken;
-
     private final AuthenticationService authenticationService;
     private final ZosmfService zosmfService;
 
@@ -48,7 +44,7 @@ public Authentication authenticate(Authentication authentication) {
         final ZosmfService.AuthenticationResponse ar = zosmfService.authenticate(authentication);
 
         // if z/OSMF support JWT, use it as Zowe JWT token
-        if (ar.getTokens().containsKey(JWT) && useJwtToken) {
+        if (ar.getTokens().containsKey(JWT)) {
             return authenticationService.createTokenAuthentication(user, ar.getTokens().get(JWT));
         }