Introduce token validation providers (#1142)

Author: jandadav

gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/AuthenticationService.java

@@ -12,22 +12,15 @@
 import com.netflix.appinfo.InstanceInfo;
 import com.netflix.discovery.EurekaClient;
 import com.netflix.discovery.shared.Application;
-import io.jsonwebtoken.Claims;
-import io.jsonwebtoken.ExpiredJwtException;
-import io.jsonwebtoken.JwtException;
-import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.*;
 import lombok.NonNull;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang.StringUtils;
 import org.springframework.cache.CacheManager;
-import org.springframework.cache.annotation.CacheEvict;
-import org.springframework.cache.annotation.CachePut;
-import org.springframework.cache.annotation.Cacheable;
+import org.springframework.cache.annotation.*;
 import org.springframework.context.ApplicationContext;
-import org.springframework.context.annotation.EnableAspectJAutoProxy;
-import org.springframework.context.annotation.Scope;
-import org.springframework.context.annotation.ScopedProxyMode;
+import org.springframework.context.annotation.*;
 import org.springframework.http.HttpHeaders;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.stereotype.Service;
@@ -248,7 +241,7 @@ public TokenAuthentication validateJwtToken(String jwtToken) {
                 isValid = true;
                 break;
             case ZOSMF:
-               isValid = zosmfService.validate(JWT, jwtToken);
+               isValid = zosmfService.validate(jwtToken);
                 break;
             default:
                 throw new TokenNotValidException("Unknown token type.");

gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/zosmf/AuthenticateEndpointStrategy.java

@@ -0,0 +1,62 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+
+package org.zowe.apiml.gateway.security.service.zosmf;
+
+import lombok.RequiredArgsConstructor;
+import org.springframework.http.*;
+import org.springframework.web.client.RestTemplate;
+import org.zowe.apiml.message.log.ApimlLogger;
+import org.zowe.apiml.product.logging.annotations.InjectApimlLogger;
+import org.zowe.apiml.security.common.error.ServiceNotAccessibleException;
+import org.zowe.apiml.security.common.token.TokenNotValidException;
+
+import static org.zowe.apiml.gateway.security.service.zosmf.AbstractZosmfService.ZOSMF_CSRF_HEADER;
+
+/**
+ * Strategy to validate token through Authentication endpoint of zOSMF
+ */
+@RequiredArgsConstructor
+public class AuthenticateEndpointStrategy implements TokenValidationStrategy {
+
+    private final RestTemplate restTemplateWithoutKeystore;
+
+    @InjectApimlLogger
+    protected ApimlLogger apimlLog = ApimlLogger.empty();
+
+    protected static final String ZOSMF_AUTHENTICATE_END_POINT = "/zosmf/services/authenticate";
+
+    @Override
+    public boolean validate(ZosmfService zosmfService, String token) {
+        if (zosmfService.loginEndpointExists()) {
+            final String url = zosmfService.getURI(zosmfService.getZosmfServiceId()) + ZOSMF_AUTHENTICATE_END_POINT;
+
+            final HttpHeaders headers = new HttpHeaders();
+            headers.add(ZOSMF_CSRF_HEADER, "");
+            headers.add(HttpHeaders.COOKIE, ZosmfService.TokenType.JWT.getCookieName() + "=" + token);
+
+
+            ResponseEntity<String> re = restTemplateWithoutKeystore.exchange(url, HttpMethod.POST,
+                new HttpEntity<>(null, headers), String.class);
+
+            if (re.getStatusCode().is2xxSuccessful())
+                return true;
+            if (HttpStatus.UNAUTHORIZED.equals(re.getStatusCode())) {
+                throw new TokenNotValidException("Token is not valid.");
+            }
+            apimlLog.log("org.zowe.apiml.security.serviceUnavailable", url, re.getStatusCodeValue());
+            throw new ServiceNotAccessibleException("Could not get an access to z/OSMF service.");
+
+        } else {
+            return false;
+        }
+    }
+
+}

gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/zosmf/TokenValidationStrategy.java

@@ -0,0 +1,19 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+
+package org.zowe.apiml.gateway.security.service.zosmf;
+
+/**
+ * General strategy for token validation
+ *
+ */
+public interface TokenValidationStrategy {
+    boolean validate(ZosmfService zosmfService, String token);
+}

gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/zosmf/ZosmfBeans.java

@@ -0,0 +1,28 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+
+package org.zowe.apiml.gateway.security.service.zosmf;
+
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.client.RestTemplate;
+
+/**
+ * Config for zOSMF beans
+ */
+@Configuration
+public class ZosmfBeans {
+
+    @Bean
+    TokenValidationStrategy tokenValidationStrategy(@Qualifier("restTemplateWithoutKeystore") RestTemplate restTemplateWithoutKeystore) {
+        return new AuthenticateEndpointStrategy(restTemplateWithoutKeystore);
+    }
+}

gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/zosmf/ZosmfService.java

@@ -14,35 +14,24 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.netflix.discovery.DiscoveryClient;
 import com.nimbusds.jose.jwk.JWKSet;
-import lombok.AllArgsConstructor;
-import lombok.Data;
-import lombok.Getter;
-import lombok.RequiredArgsConstructor;
+import lombok.*;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang.StringUtils;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.cache.annotation.Cacheable;
 import org.springframework.context.ApplicationContext;
-import org.springframework.context.annotation.EnableAspectJAutoProxy;
-import org.springframework.context.annotation.Primary;
-import org.springframework.context.annotation.Scope;
-import org.springframework.context.annotation.ScopedProxyMode;
+import org.springframework.context.annotation.*;
 import org.springframework.http.*;
 import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.core.Authentication;
 import org.springframework.stereotype.Service;
-import org.springframework.web.client.HttpClientErrorException;
-import org.springframework.web.client.HttpServerErrorException;
-import org.springframework.web.client.RestTemplate;
+import org.springframework.web.client.*;
 import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
 import org.zowe.apiml.security.common.error.ServiceNotAccessibleException;
-import org.zowe.apiml.security.common.token.TokenNotValidException;
 
 import javax.annotation.PostConstruct;
 import java.text.ParseException;
-import java.util.EnumMap;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
 
 @Primary
 @Service
@@ -64,25 +53,25 @@ public enum TokenType {
         private final String cookieName;
 
     }
-
     /**
      * Response of authentication, contains all data to next processing
      */
     @Data
     @AllArgsConstructor
     @RequiredArgsConstructor
     public static class AuthenticationResponse {
+
         private String domain;
         private final Map<TokenType, String> tokens;
     }
-
     /**
      * DTO with base information about z/OSMF (version and realm/domain)
      */
     @Data
     @JsonIgnoreProperties(ignoreUnknown = true)
     public static class ZosmfInfo {
 
+
         @JsonProperty("zosmf_version")
         private int version;
 
@@ -96,13 +85,15 @@ public static class ZosmfInfo {
 
     private static final String PUBLIC_JWK_ENDPOINT = "/jwt/ibm/api/zOSMFBuilder/jwk";
     private final ApplicationContext applicationContext;
+    private final TokenValidationStrategy tokenValidationStrategy;
 
     public ZosmfService(
         final AuthConfigurationProperties authConfigurationProperties,
         final DiscoveryClient discovery,
         final @Qualifier("restTemplateWithoutKeystore") RestTemplate restTemplateWithoutKeystore,
         final ObjectMapper securityObjectMapper,
-        final ApplicationContext applicationContext
+        final ApplicationContext applicationContext,
+        TokenValidationStrategy tokenValidationStrategy
     ) {
         super(
             authConfigurationProperties,
@@ -111,10 +102,11 @@ public ZosmfService(
             securityObjectMapper
         );
         this.applicationContext = applicationContext;
+        this.tokenValidationStrategy = tokenValidationStrategy;
     }
 
-    private ZosmfService meAsProxy;
 
+    private ZosmfService meAsProxy;
     @PostConstruct
     public void afterPropertiesSet() {
         meAsProxy = applicationContext.getBean(ZosmfService.class);
@@ -244,30 +236,12 @@ public boolean logoutEndpointExists() {
         return meAsProxy.authenticationEndpointExists(HttpMethod.DELETE, null);
     }
 
-    public boolean validate(TokenType type, String token) {
-        if (loginEndpointExists()) {
-            final String url = getURI(getZosmfServiceId()) + ZOSMF_AUTHENTICATE_END_POINT;
-
-            final HttpHeaders headers = new HttpHeaders();
-            headers.add(ZOSMF_CSRF_HEADER, "");
-            headers.add(HttpHeaders.COOKIE, type.getCookieName() + "=" + token);
-
-            try {
-                ResponseEntity<String> re = restTemplateWithoutKeystore.exchange(url, HttpMethod.POST,
-                    new HttpEntity<>(null, headers), String.class);
-
-                if (re.getStatusCode().is2xxSuccessful())
-                    return true;
-                if (re.getStatusCodeValue() == 401) {
-                    throw new TokenNotValidException("Token is not valid.");
-                }
-                apimlLog.log("org.zowe.apiml.security.serviceUnavailable", url, re.getStatusCodeValue());
-                throw new ServiceNotAccessibleException("Could not get an access to z/OSMF service.");
-            } catch (RuntimeException re) {
-                throw handleExceptionOnCall(url, re);
-            }
-        } else {
-            return false;
+    public boolean validate(String token) {
+        try {
+            return tokenValidationStrategy.validate(this, token);
+        } catch (RuntimeException re) {
+            //TODO handle returns
+            throw handleExceptionOnCall(null ,re);
         }
     }
 

gateway-service/src/test/java/org/zowe/apiml/config/service/security/MockedAuthenticationServiceContext.java

@@ -16,9 +16,8 @@
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.web.client.RestTemplate;
-import org.zowe.apiml.gateway.security.service.AuthenticationService;
-import org.zowe.apiml.gateway.security.service.AuthenticationServiceTest;
-import org.zowe.apiml.gateway.security.service.JwtSecurityInitializer;
+import org.zowe.apiml.gateway.security.service.*;
+import org.zowe.apiml.gateway.security.service.zosmf.TokenValidationStrategy;
 import org.zowe.apiml.gateway.security.service.zosmf.ZosmfService;
 import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
 import org.zowe.apiml.util.CacheUtils;
@@ -59,7 +58,8 @@ public ZosmfService getZosmfService() {
             getAuthConfigurationProperties(),
             getDiscoveryClient(),
             getRestTemplate(),
-            AuthenticationServiceTest.securityObjectMapper,applicationContext
+            AuthenticationServiceTest.securityObjectMapper,applicationContext,
+            mock(TokenValidationStrategy.class)
         );
     }
 

gateway-service/src/test/java/org/zowe/apiml/gateway/security/login/zosmf/ZosmfAuthenticationProviderTest.java

@@ -20,26 +20,20 @@
 import org.mockito.stubbing.Answer;
 import org.springframework.context.ApplicationContext;
 import org.springframework.http.*;
-import org.springframework.security.authentication.AbstractAuthenticationToken;
-import org.springframework.security.authentication.AuthenticationServiceException;
-import org.springframework.security.authentication.BadCredentialsException;
-import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.authentication.*;
 import org.springframework.security.authentication.jaas.JaasAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.test.util.ReflectionTestUtils;
-import org.springframework.web.client.ResourceAccessException;
-import org.springframework.web.client.RestClientException;
-import org.springframework.web.client.RestTemplate;
+import org.springframework.web.client.*;
 import org.zowe.apiml.gateway.security.service.AuthenticationService;
+import org.zowe.apiml.gateway.security.service.zosmf.TokenValidationStrategy;
 import org.zowe.apiml.gateway.security.service.zosmf.ZosmfService;
 import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
 import org.zowe.apiml.security.common.error.ServiceNotAccessibleException;
 import org.zowe.apiml.security.common.token.TokenAuthentication;
 
 import java.io.IOException;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.EnumMap;
+import java.util.*;
 
 import static org.junit.jupiter.api.Assertions.*;
 import static org.mockito.Mockito.*;
@@ -100,7 +94,12 @@ private Application createApplication(InstanceInfo... instanceInfos) {
 
     private ZosmfService createZosmfService() {
         ApplicationContext applicationContext = mock(ApplicationContext.class);
-        ZosmfService zosmfService = new ZosmfService(authConfigurationProperties, discovery, restTemplate, securityObjectMapper, applicationContext);
+        ZosmfService zosmfService = new ZosmfService(authConfigurationProperties,
+            discovery,
+            restTemplate,
+            securityObjectMapper,
+            applicationContext,
+            mock(TokenValidationStrategy.class));
         ReflectionTestUtils.setField(zosmfService, "meAsProxy", zosmfService);
         ZosmfService output = spy(zosmfService);
         when(applicationContext.getBean(ZosmfService.class)).thenReturn(output);

gateway-service/src/test/java/org/zowe/apiml/gateway/security/query/SuccessfulQueryHandlerTest.java

@@ -26,6 +26,7 @@
 import org.springframework.web.client.RestTemplate;
 import org.zowe.apiml.gateway.security.service.AuthenticationService;
 import org.zowe.apiml.gateway.security.service.JwtSecurityInitializer;
+import org.zowe.apiml.gateway.security.service.zosmf.TokenValidationStrategy;
 import org.zowe.apiml.gateway.security.service.zosmf.ZosmfService;
 import org.zowe.apiml.security.SecurityUtils;
 import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
@@ -36,6 +37,7 @@
 import java.security.KeyPair;
 
 import static org.junit.jupiter.api.Assertions.*;
+import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
 @ExtendWith(MockitoExtension.class)
@@ -76,7 +78,12 @@ void setup() {
         if (keyPair != null) {
             privateKey = keyPair.getPrivate();
         }
-        ZosmfService zosmfService = new ZosmfService(authConfigurationProperties, discoveryClient, restTemplate, new ObjectMapper(),applicationContext);
+        ZosmfService zosmfService = new ZosmfService(authConfigurationProperties,
+            discoveryClient,
+            restTemplate,
+            new ObjectMapper(),
+            applicationContext,
+            mock(TokenValidationStrategy.class));
         AuthenticationService authenticationService = new AuthenticationService(
             applicationContext, authConfigurationProperties, jwtSecurityInitializer, zosmfService,
             discoveryClient, restTemplate, cacheManager, new CacheUtils()