feat: introduce error codes for saf authentication (#1692)

* introduce error codes for saf auth

Signed-off-by: jandadav <janda.david@gmail.com>

* improve coverage

Signed-off-by: jandadav <janda.david@gmail.com>

Author: jandadav

apiml-security-common/src/main/java/org/zowe/apiml/security/common/error/AuthExceptionHandler.java

@@ -9,20 +9,15 @@
  */
 package org.zowe.apiml.security.common.error;
 
-import org.zowe.apiml.security.common.token.TokenExpireException;
-import org.zowe.apiml.security.common.token.TokenFormatNotValidException;
-import org.zowe.apiml.security.common.token.TokenNotProvidedException;
-import org.zowe.apiml.security.common.token.TokenNotValidException;
-import org.zowe.apiml.message.api.ApiMessageView;
-import org.zowe.apiml.message.core.MessageService;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.HttpStatus;
-import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
-import org.springframework.security.authentication.BadCredentialsException;
-import org.springframework.security.authentication.InsufficientAuthenticationException;
+import org.springframework.security.authentication.*;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.stereotype.Component;
+import org.zowe.apiml.message.api.ApiMessageView;
+import org.zowe.apiml.message.core.MessageService;
+import org.zowe.apiml.security.common.token.*;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
@@ -69,14 +64,24 @@ public void handleException(HttpServletRequest request, HttpServletResponse resp
         }
         else if (ex instanceof InvalidCertificateException) {
             handleInvalidCertificate(response, ex);
-        } else if (ex instanceof AuthenticationException) {
+        }
+        else if (ex instanceof ZosAuthenticationException) {
+            handleZosAuthenticationException(response, (ZosAuthenticationException) ex);
+        }
+        else if (ex instanceof AuthenticationException) {
             handleAuthenticationException(request, response, ex);
         }
         else {
             throw new ServletException(ex);
         }
     }
 
+    private void handleZosAuthenticationException(HttpServletResponse response, ZosAuthenticationException ex) throws ServletException {
+        final ApiMessageView message = messageService.createMessage(ex.getPlatformError().errorMessage, ex.getMessage()).mapToView();
+        final HttpStatus status = ex.getPlatformError().responseCode;
+        writeErrorResponse(message, status, response);
+    }
+
     // 400
     private void handleAuthenticationRequired(HttpServletRequest request, HttpServletResponse response, RuntimeException ex) throws ServletException {
         log.debug(ERROR_MESSAGE_400, ex.getMessage());

apiml-security-common/src/main/java/org/zowe/apiml/security/common/error/PlatformPwdErrno.java

@@ -0,0 +1,73 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+
+package org.zowe.apiml.security.common.error;
+
+import org.springframework.http.HttpStatus;
+
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * Provides explanation for error codes for authentication as described at
+ * documentation for BPX4PWD:
+ * https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.bpxb100/pwd.htm
+ */
+@SuppressWarnings("squid:S1192") //literal repeated for readability
+public enum PlatformPwdErrno {
+    UNKNOWN("UNKNOWN", 0, "Unknown error",
+        "org.zowe.apiml.security.platform.errno.UNKNOWN", HttpStatus.INTERNAL_SERVER_ERROR),
+    EACCES("EACCES", 111, "Permission is denied; the specified password is incorrect",
+        "org.zowe.apiml.security.platform.errno.EACCES", HttpStatus.UNAUTHORIZED),
+    EINVAL("EINVAL", 121, "Invalid user name or password is invalid",
+        "org.zowe.apiml.security.platform.errno.EINVAL", HttpStatus.UNAUTHORIZED),
+    EMVSERR("EMVSERR", 157, "An MVS environmental error has been detected",
+        "org.zowe.apiml.security.platform.errno.ERROR", HttpStatus.INTERNAL_SERVER_ERROR),
+    EMVSEXPIRE("EMVSEXPIRE", 168, "The password for the specified identity has expired",
+        "org.zowe.apiml.security.platform.errno.EMVSEXPIRE", HttpStatus.UNAUTHORIZED),
+    EMVSPASSWORD("EMVSPASSWORD", 169, "The new password is not valid",
+        "org.zowe.apiml.security.platform.errno.EMVSPASSWORD", HttpStatus.BAD_REQUEST),
+    EMVSSAF2ERR("EMVSSAF2ERR", 164, "An error occurred in the security product",
+        "org.zowe.apiml.security.platform.errno.ERROR", HttpStatus.UNAUTHORIZED),
+    EMVSSAFEXTRERR("EMVSSAFEXTRERR", 163, "The username access has been revoked",
+        "org.zowe.apiml.security.platform.errno.EMVSSAFEXTRERR", HttpStatus.UNAUTHORIZED),
+    ENOSYS("ENOSYS", 134, "The function is not supported on this system",
+        "org.zowe.apiml.security.platform.errno.ERROR", HttpStatus.INTERNAL_SERVER_ERROR),
+    EPERM("EPERM", 139, "The calling address space is not authorized to use this service or a load from a not program-controlled library was done in the address space",
+        "org.zowe.apiml.security.platform.errno.ERROR", HttpStatus.INTERNAL_SERVER_ERROR),
+    ESRCH("ESRCH", 143, "The identity that was specified is not defined to the security product",
+        "org.zowe.apiml.security.platform.errno.ESRCH", HttpStatus.UNAUTHORIZED);
+
+    private static final Map<Integer, PlatformPwdErrno> BY_ERRNO = new HashMap<>();
+
+    static {
+        for (PlatformPwdErrno e : values()) {
+            BY_ERRNO.put(e.errno, e);
+        }
+    }
+
+    public final String shortErrorName;
+    public final int errno;
+    public final String explanation;
+    public final String errorMessage;
+    public final HttpStatus responseCode;
+
+    private PlatformPwdErrno(String shortErrorName, int errno, String explanation, String errorMessage, HttpStatus responseCode) {
+        this.shortErrorName = shortErrorName;
+        this.errno = errno;
+        this.explanation = explanation;
+        this.errorMessage = errorMessage;
+        this.responseCode = responseCode;
+    }
+
+    public static PlatformPwdErrno valueOfErrno(int errno) {
+        return BY_ERRNO.getOrDefault(errno, null);
+    }
+}

apiml-security-common/src/main/java/org/zowe/apiml/security/common/error/ZosAuthenticationException.java

@@ -0,0 +1,37 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+package org.zowe.apiml.security.common.error;
+
+import org.springframework.security.core.AuthenticationException;
+import org.zowe.apiml.security.common.auth.saf.PlatformReturned;
+
+public class ZosAuthenticationException extends AuthenticationException {
+
+    protected final PlatformPwdErrno platformPwdErrno;
+
+    private static final long serialVersionUID = 6652673387938170807L;
+
+    public ZosAuthenticationException(PlatformReturned platformReturned) {
+        super("z/OS Authentication exception");
+        if (platformReturned == null) {
+            throw new IllegalArgumentException("PlatformReturned must not be null");
+        }
+        this.platformPwdErrno = PlatformPwdErrno.valueOfErrno(platformReturned.getErrno());
+    }
+
+    @Override
+    public String getMessage() {
+        return platformPwdErrno.shortErrorName + ": " + platformPwdErrno.explanation;
+    }
+
+    public PlatformPwdErrno getPlatformError() {
+        return platformPwdErrno;
+    }
+}

apiml-security-common/src/main/resources/security-common-log-messages.yml

@@ -29,6 +29,62 @@ messages:
       reason: "The service has accepted the authentication of the user but the user does not have access rights to the resource."
       action: "Contact your security administrator to give you access."
 
+    - key: org.zowe.apiml.security.platform.errno.UNKNOWN
+      number: ZWEAT409
+      type: ERROR
+      text: "The platform returned error: %s"
+      reason: "The platform responded with unknown errno code."
+      action: "Please submit an issue with this message."
+
+    - key: org.zowe.apiml.security.platform.errno.EACCES
+      number: ZWEAT410
+      type: ERROR
+      text: "The platform returned error: %s"
+      reason: "The specified password is incorrect."
+      action: "Provide correct password."
+
+    - key: org.zowe.apiml.security.platform.errno.ERROR
+      number: ZWEAT411
+      type: ERROR
+      text: "The platform returned error: %s"
+      reason: "The platform returned error, specified in the error message."
+      action: "Contact your security administrator with the message."
+
+    - key: org.zowe.apiml.security.platform.errno.EMVSEXPIRE
+      number: ZWEAT412
+      type: ERROR
+      text: "The platform returned error: %s"
+      reason: "The specified password is expired."
+      action: "Contact your security administrator to reset your password."
+
+    - key: org.zowe.apiml.security.platform.errno.EMVSPASSWORD
+      number: ZWEAT413
+      type: ERROR
+      text: "The platform returned error: %s"
+      reason: "The new password is not valid."
+      action: "Provide valid password."
+
+    - key: org.zowe.apiml.security.platform.errno.EMVSSAFEXTRERR
+      number: ZWEAT414
+      type: ERROR
+      text: "The platform returned error: %s"
+      reason: "The user name access has been revoked."
+      action: "Contact your security administrator to unsuspend your account."
+
+    - key: org.zowe.apiml.security.platform.errno.ESRCH
+      number: ZWEAT415
+      type: ERROR
+      text: "The platform returned error: %s"
+      reason: "The user name does not exist in the system."
+      action: "Provide correct user name."
+
+    - key: org.zowe.apiml.security.platform.errno.EINVAL
+      number: ZWEAT416
+      type: ERROR
+      text: "The platform returned error: %s"
+      reason: "The specified user name or password is invalid."
+      action: "Provide correct user name or password."
+
     # TLS,Certificate messages
     # 500-599
 

apiml-security-common/src/test/java/org/zowe/apiml/security/common/error/AuthExceptionHandlerTest.java

@@ -9,12 +9,6 @@
  */
 package org.zowe.apiml.security.common.error;
 
-import org.zowe.apiml.security.common.token.TokenFormatNotValidException;
-import org.zowe.apiml.security.common.token.TokenNotProvidedException;
-import org.zowe.apiml.security.common.token.TokenNotValidException;
-import org.zowe.apiml.message.core.Message;
-import org.zowe.apiml.message.core.MessageService;
-import org.zowe.apiml.message.yaml.YamlMessageService;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -27,11 +21,13 @@
 import org.springframework.http.MediaType;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
-import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
-import org.springframework.security.authentication.AuthenticationServiceException;
-import org.springframework.security.authentication.BadCredentialsException;
-import org.springframework.security.authentication.InsufficientAuthenticationException;
+import org.springframework.security.authentication.*;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.zowe.apiml.message.core.Message;
+import org.zowe.apiml.message.core.MessageService;
+import org.zowe.apiml.message.yaml.YamlMessageService;
+import org.zowe.apiml.security.common.auth.saf.PlatformReturned;
+import org.zowe.apiml.security.common.token.*;
 
 import javax.servlet.ServletException;
 import java.io.IOException;
@@ -178,6 +174,13 @@ void testInvalidCertificateException() throws ServletException {
         assertEquals(HttpStatus.FORBIDDEN.value(), httpServletResponse.getStatus());
     }
 
+    @Test
+    void testZosAuthenticationExceptionException() throws ServletException {
+        PlatformReturned platformReturned = PlatformReturned.builder().success(false).errno(PlatformPwdErrno.EACCES.errno).build();
+        authExceptionHandler.handleException(httpServletRequest, httpServletResponse, new ZosAuthenticationException(platformReturned));
+        assertEquals(HttpStatus.UNAUTHORIZED.value(), httpServletResponse.getStatus());
+    }
+
     @Test
     void testAuthenticationFailure_whenOccurUnexpectedException() throws ServletException {
         assertThrows(ServletException.class, () -> {

apiml-security-common/src/test/java/org/zowe/apiml/security/common/error/ZosAuthenticationExceptionTest.java

@@ -0,0 +1,41 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+
+package org.zowe.apiml.security.common.error;
+
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Test;
+import org.zowe.apiml.security.common.auth.saf.PlatformReturned;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.is;
+
+class ZosAuthenticationExceptionTest {
+
+    private final PlatformReturned returned = PlatformReturned.builder().errno(PlatformPwdErrno.EACCES.errno).build();
+    private final ZosAuthenticationException underTest = new ZosAuthenticationException(returned);
+
+    @Nested
+    class GivenPlatformReturned {
+
+        @Test
+        void messageSourcedFromEnum() {
+            assertThat(underTest.getMessage(),
+                is(PlatformPwdErrno.EACCES.shortErrorName
+                    + ": " + PlatformPwdErrno.EACCES.explanation));
+        }
+
+        @Test
+        void enumValueCanBeRetrieved() {
+            assertThat(underTest.getPlatformError(), is(PlatformPwdErrno.EACCES));
+        }
+    }
+
+}

gateway-service/src/main/java/org/zowe/apiml/gateway/security/login/saf/MockPlatformUser.java

@@ -10,6 +10,7 @@
 package org.zowe.apiml.gateway.security.login.saf;
 
 import org.zowe.apiml.security.common.auth.saf.PlatformReturned;
+import org.zowe.apiml.security.common.error.PlatformPwdErrno;
 
 public class MockPlatformUser implements PlatformUser {
     public static final String VALID_USERID = "USER";
@@ -23,7 +24,7 @@ public PlatformReturned authenticate(String userid, String password) {
             return null;
         }
         else {
-            return PlatformReturned.builder().success(false).build();
+            return PlatformReturned.builder().success(false).errno(PlatformPwdErrno.EACCES.errno).build();
         }
     }
 
@@ -32,7 +33,7 @@ public Object changePassword(String userid, String password, String newPassword)
         if (userid.equalsIgnoreCase(VALID_USERID) && password.equalsIgnoreCase(VALID_PASSWORD) && !newPassword.equalsIgnoreCase(password)) {
             return null;
         } else {
-            return PlatformReturned.builder().success(false).build();
+            return PlatformReturned.builder().success(false).errno(PlatformPwdErrno.EMVSPASSWORD.errno).build();
         }
     }
 }

gateway-service/src/main/java/org/zowe/apiml/gateway/security/login/saf/ZosAuthenticationException.java

@@ -15,13 +15,13 @@
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.authentication.AuthenticationProvider;
-import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.stereotype.Component;
 import org.zowe.apiml.gateway.security.login.LoginProvider;
 import org.zowe.apiml.gateway.security.service.AuthenticationService;
 import org.zowe.apiml.security.common.auth.saf.PlatformReturned;
+import org.zowe.apiml.security.common.error.ZosAuthenticationException;
 import org.zowe.apiml.security.common.login.LoginRequest;
 
 @Component
@@ -55,7 +55,7 @@ public Authentication authenticate(Authentication authentication) {
             final String jwtToken = authenticationService.createJwtToken(userid, domain, null);
             return authenticationService.createTokenAuthentication(userid, jwtToken);
         } else {
-            throw new BadCredentialsException("Username or password are invalid.");
+            throw new ZosAuthenticationException(returned);
         }
     }