feat: accept PAT for SSO (#2499)

* include PAT in SSO

Signed-off-by: achmelo <a.chmelo@gmail.com>

* PAT ITs

Signed-off-by: achmelo <a.chmelo@gmail.com>

* separate cookie for PAT

Signed-off-by: achmelo <a.chmelo@gmail.com>

* parse PAT with signature

Signed-off-by: achmelo <a.chmelo@gmail.com>

* exclude infinispan tests from zosmftests

Signed-off-by: achmelo <a.chmelo@gmail.com>

* export infinispan coverage results, fix code smells, PAT feature flag

Signed-off-by: achmelo <a.chmelo@gmail.com>

* PAT feature flag

Signed-off-by: achmelo <a.chmelo@gmail.com>

* styles

Signed-off-by: achmelo <a.chmelo@gmail.com>

* parsed auth source refactoring

Signed-off-by: achmelo <a.chmelo@gmail.com>

* pat source service unit tests

Signed-off-by: achmelo <a.chmelo@gmail.com>

* code review comments, additional tests, feature flag in start script

Signed-off-by: achmelo <a.chmelo@gmail.com>

* do not return null when parsing pat

Signed-off-by: achmelo <a.chmelo@gmail.com>

Author: achmelo

.github/workflows/containers.yml

@@ -1035,6 +1035,7 @@ jobs:
                     name: CITestsWithInfinispan-${{ env.JOB_ID }}
                     path: |
                         integration-tests/build/reports/**
+                        results/**
 
             -   uses: ./.github/actions/teardown
 

apiml-security-common/src/main/java/org/zowe/apiml/security/common/config/AuthConfigurationProperties.java

@@ -80,6 +80,7 @@ public static class TokenProperties {
     @Data
     public static class CookieProperties {
         private String cookieName = ApimlConstants.COOKIE_AUTH_NAME;
+        private String cookieNamePAT = ApimlConstants.PAT_COOKIE_AUTH_NAME;
         private boolean cookieSecure = true;
         private String cookiePath = "/";
         private String cookieComment = "API Mediation Layer security token";

common-service-core/src/main/java/org/zowe/apiml/constants/ApimlConstants.java

@@ -22,4 +22,6 @@ private ApimlConstants() {
     public static final String BASIC_AUTHENTICATION_PREFIX = "Basic";
     public static final String BEARER_AUTHENTICATION_PREFIX = "Bearer";
     public static final String COOKIE_AUTH_NAME = "apimlAuthenticationToken";
+    public static final String PAT_COOKIE_AUTH_NAME = "personalAccessToken";
+    public static final String PAT_HEADER_NAME = "PRIVATE-TOKEN";
 }

config/docker/gateway-service.yml

@@ -4,6 +4,8 @@ apiml:
         discoveryServiceUrls: https://discovery-service:10011/eureka/
     security:
         allowTokenRefresh: true
+        personalAccessToken:
+            enabled: true
         auth:
             zosmf:
                 serviceId: mockzosmf  # Replace me with the correct z/OSMF service id

config/local-multi/gateway-service-1.yml

@@ -6,6 +6,8 @@ apiml:
         port: 10010
         discoveryServiceUrls: https://localhost:10011/eureka/,https://localhost2:10021/eureka/
     security:
+        personalAccessToken:
+            enabled: true
         auth:
             provider: zosmf
             zosmf:

config/local-multi/gateway-service-2.yml

@@ -6,6 +6,8 @@ apiml:
         port: 10020
         discoveryServiceUrls: https://localhost:10011/eureka/,https://localhost2:10021/eureka/
     security:
+        personalAccessToken:
+            enabled: true
         auth:
             provider: zosmf
             zosmf:

config/local/gateway-service.yml

@@ -7,6 +7,8 @@ apiml:
         discoveryServiceUrls: https://localhost:10011/eureka/
     security:
         allowTokenRefresh: true
+        personalAccessToken:
+            enabled: true
         auth:
             provider: zosmf
             zosmf:

gateway-package/src/main/resources/bin/start.sh

@@ -186,6 +186,7 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${GATEWAY_CODE} java \
     -Dapiml.security.ssl.nonStrictVerifySslCertificatesOfServices=${nonStrictVerifySslCertificatesOfServices:-false} \
     -Dapiml.security.auth.zosmf.serviceId=${ZWE_configs_apiml_security_auth_zosmf_serviceId:-zosmf} \
     -Dapiml.security.auth.provider=${ZWE_configs_apiml_security_auth_provider:-zosmf} \
+    -Dapiml.security.personalAccessToken.enabled=${ZWE_configs_apiml_security_personalAccessToken_enabled:-false} \
     -Dapiml.zoweManifest=${ZWE_zowe_runtimeDirectory}/manifest.json \
     -Dserver.address=0.0.0.0 \
     -Dserver.maxConnectionsPerRoute=${ZWE_configs_server_maxConnectionsPerRoute:-100} \

gateway-service/build.gradle

@@ -169,7 +169,7 @@ dependencies {
 
     testImplementation(testFixtures(project(":integration-tests")))
 
-    runtime libraries.jjwt_impl
+    implementation libraries.jjwt_impl
     runtime libraries.jjwt_jackson
 }
 

gateway-service/src/main/java/org/zowe/apiml/gateway/error/check/TimeoutErrorCheck.java

@@ -39,7 +39,7 @@ public ResponseEntity<ApiMessageView> checkError(HttpServletRequest request, Thr
             Throwable rootCause = ExceptionUtils.getRootCause(zuulException);
 
             if ((zuulException.nStatusCode == HttpStatus.GATEWAY_TIMEOUT.value())
-                    || zuulException.errorCause.equals(ERROR_CAUSE_TIMEOUT)) {
+                    || ERROR_CAUSE_TIMEOUT.equals(zuulException.errorCause)) {
                 Throwable cause = zuulException.getCause();
                 String causeMessage;
                 if (cause != null) {