feat: AT-TLS aware API ML (#1621)

Signed-off-by: achmelo <a.chmelo@gmail.com>

Author: achmelo

.github/workflows/ci-tests.yml

@@ -9,7 +9,7 @@ on:
 jobs:
     BuildAndTest:
         runs-on: ubuntu-latest
-        timeout-minutes: 10
+        timeout-minutes: 13
 
         steps:
             -   uses: actions/checkout@v2

api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/security/SecurityConfiguration.java

@@ -11,6 +11,7 @@
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -29,18 +30,21 @@
 import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
 import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
-import org.zowe.apiml.product.filter.AttlsFilter;
+import org.zowe.apiml.filter.AttlsFilter;
 import org.zowe.apiml.security.client.EnableApimlAuth;
 import org.zowe.apiml.security.client.login.GatewayLoginProvider;
 import org.zowe.apiml.security.client.token.GatewayTokenProvider;
 import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
+import org.zowe.apiml.security.common.config.CertificateAuthenticationProvider;
 import org.zowe.apiml.security.common.config.HandlerInitializer;
 import org.zowe.apiml.security.common.content.BasicContentFilter;
 import org.zowe.apiml.security.common.content.CookieContentFilter;
+import org.zowe.apiml.security.common.filter.ApimlX509Filter;
 import org.zowe.apiml.security.common.login.LoginFilter;
 import org.zowe.apiml.security.common.login.ShouldBeAlreadyAuthenticatedFilter;
 
 import java.util.Collections;
+import java.util.Set;
 
 /**
  * Main configuration class of Spring web security for Api Catalog
@@ -61,6 +65,8 @@ public class SecurityConfiguration {
     private final HandlerInitializer handlerInitializer;
     private final GatewayLoginProvider gatewayLoginProvider;
     private final GatewayTokenProvider gatewayTokenProvider;
+    @Qualifier("publicKeyCertificatesBase64")
+    private final Set<String> publicKeyCertificatesBase64;
 
     /**
      * Filter chain for protecting /apidoc/** endpoints with MF credentials for client certificate.
@@ -78,10 +84,12 @@ public class FilterChainBasicAuthOrTokenOrCertForApiDoc extends WebSecurityConfi
         @Value("${server.attls.enabled:false}")
         private boolean isAttlsEnabled;
 
+
         @Override
         protected void configure(AuthenticationManagerBuilder auth) {
             auth.authenticationProvider(gatewayLoginProvider);
             auth.authenticationProvider(gatewayTokenProvider);
+            auth.authenticationProvider(new CertificateAuthenticationProvider());
         }
 
         @Override
@@ -94,16 +102,30 @@ protected void configure(HttpSecurity http) throws Exception {
                 .antMatchers(APIDOC_ROUTES).authenticated();
 
             if (verifySslCertificatesOfServices || nonStrictVerifySslCertificatesOfServices) {
-                http.x509().userDetailsService(x509UserDetailsService());
                 if (isAttlsEnabled) {
-                    http.addFilterBefore(new AttlsFilter(), X509AuthenticationFilter.class);
+                    http.x509()
+                        .x509AuthenticationFilter(apimlX509Filter(authenticationManager())) // filter out API ML certificate
+                        .userDetailsService(x509UserDetailsService())
+                        .and()
+                        .addFilterBefore(new AttlsFilter(), X509AuthenticationFilter.class);
+                } else {
+                    http.x509()
+                        .userDetailsService(x509UserDetailsService());
                 }
             }
         }
 
         private UserDetailsService x509UserDetailsService() {
             return username -> new User(username, "", Collections.emptyList());
         }
+
+        private ApimlX509Filter apimlX509Filter(AuthenticationManager authenticationManager) {
+            ApimlX509Filter out = new ApimlX509Filter(publicKeyCertificatesBase64);
+            out.setCertificateForClientAuth(crt -> out.getPublicKeyCertificatesBase64().contains(out.base64EncodePublicKey(crt)));
+            out.setNotCertificateForClientAuth(crt -> !out.getPublicKeyCertificatesBase64().contains(out.base64EncodePublicKey(crt)));
+            out.setAuthenticationManager(authenticationManager);
+            return out;
+        }
     }
 
     /**

api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/swagger/api/ApiDocV2Service.java

@@ -17,6 +17,7 @@
 import io.swagger.parser.SwaggerParser;
 import io.swagger.util.Json;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Value;
 import org.zowe.apiml.apicatalog.services.cached.model.ApiDocInfo;
 import org.zowe.apiml.apicatalog.swagger.ApiDocTransformationException;
 import org.zowe.apiml.product.gateway.GatewayClient;
@@ -29,6 +30,9 @@
 @Slf4j
 public class ApiDocV2Service extends AbstractApiDocService<Swagger, Path> {
 
+    @Value("${gateway.scheme.external:https}")
+    private String scheme;
+
     public ApiDocV2Service(GatewayClient gatewayClient) {
         super(gatewayClient);
     }
@@ -64,9 +68,9 @@ public String transformApiDoc(String serviceId, ApiDocInfo apiDocInfo) {
      */
     private void updateSchemeHostAndLink(Swagger swagger, String serviceId, boolean hidden) {
         GatewayConfigProperties gatewayConfigProperties = gatewayClient.getGatewayConfigProperties();
-        String swaggerLink = OpenApiUtil.getOpenApiLink(serviceId, gatewayConfigProperties);
+        String swaggerLink = OpenApiUtil.getOpenApiLink(serviceId, gatewayConfigProperties, scheme);
         log.debug("Updating host for service with id: " + serviceId + " to: " + gatewayConfigProperties.getHostname());
-        swagger.setSchemes(Collections.singletonList(Scheme.forValue(gatewayConfigProperties.getScheme())));
+        swagger.setSchemes(Collections.singletonList(Scheme.forValue(scheme)));
         swagger.setHost(gatewayConfigProperties.getHostname());
         if (!hidden) {
             swagger.getInfo().setDescription(swagger.getInfo().getDescription() + swaggerLink);

api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/swagger/api/ApiDocV3Service.java

@@ -24,6 +24,7 @@
 import io.swagger.v3.parser.OpenAPIV3Parser;
 import io.swagger.v3.parser.core.models.SwaggerParseResult;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Value;
 import org.zowe.apiml.apicatalog.services.cached.model.ApiDocInfo;
 import org.zowe.apiml.apicatalog.swagger.ApiDocTransformationException;
 import org.zowe.apiml.apicatalog.swagger.SecuritySchemeSerializer;
@@ -40,6 +41,8 @@
 
 @Slf4j
 public class ApiDocV3Service extends AbstractApiDocService<OpenAPI, PathItem> {
+    @Value("${gateway.scheme.external:https}")
+    private String scheme;
 
     public ApiDocV3Service(GatewayClient gatewayClient) {
         super(gatewayClient);
@@ -75,12 +78,12 @@ public String transformApiDoc(String serviceId, ApiDocInfo apiDocInfo) {
 
     private void updateServerAndLink(OpenAPI openAPI, String serviceId, boolean hidden) {
         GatewayConfigProperties gatewayConfigProperties = gatewayClient.getGatewayConfigProperties();
-        String swaggerLink = OpenApiUtil.getOpenApiLink(serviceId, gatewayConfigProperties);
+        String swaggerLink = OpenApiUtil.getOpenApiLink(serviceId, gatewayConfigProperties, scheme);
 
         if (openAPI.getServers() != null) {
             openAPI.getServers()
                 .forEach(server -> server.setUrl(
-                    String.format("%s://%s/%s", gatewayConfigProperties.getScheme(), gatewayConfigProperties.getHostname(), server.getUrl())));
+                    String.format("%s://%s/%s", scheme, gatewayConfigProperties.getHostname(), server.getUrl())));
         }
         if (!hidden) {
             openAPI.getInfo().setDescription(openAPI.getInfo().getDescription() + swaggerLink);

api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/swagger/api/OpenApiUtil.java

@@ -22,8 +22,8 @@ public class OpenApiUtil {
     private static final String HARDCODED_VERSION = "/v1";
     public static final String SEPARATOR = "/";
 
-    public static String getOpenApiLink(String serviceId, GatewayConfigProperties gatewayConfigProperties) {
-        String link = gatewayConfigProperties.getScheme() + "://" + gatewayConfigProperties.getHostname()
+    public static String getOpenApiLink(String serviceId, GatewayConfigProperties gatewayConfigProperties, String scheme) {
+        String link = scheme + "://" + gatewayConfigProperties.getHostname()
             + SEPARATOR + CoreService.API_CATALOG.getServiceId() + CATALOG_VERSION
             + CATALOG_APIDOC_ENDPOINT + SEPARATOR + serviceId + HARDCODED_VERSION;
         return "\n\n" + SWAGGER_LOCATION_LINK + "(" + link + ")";

api-catalog-services/src/main/resources/application.yml

@@ -217,6 +217,7 @@ eureka:
         secureHealthCheckUrl: http://${apiml.service.hostname}:${apiml.service.port}${apiml.service.contextPath}/application/health
         metadata-map:
             apiml:
+                corsEnabled: true
                 apiInfo:
                     - apiId: zowe.apiml.apicatalog
                       version: 1.0.0
@@ -227,4 +228,3 @@ apiml:
         scheme: http
         nonSecurePortEnabled: true
         securePortEnabled: false
-        discoveryServiceUrls: http://localhost:10001/eureka/

api-catalog-services/src/test/java/org/zowe/apiml/apicatalog/swagger/api/ApiDocV2ServiceTest.java

@@ -21,6 +21,7 @@
 import org.mockito.junit.jupiter.MockitoExtension;
 import org.mockito.junit.jupiter.MockitoSettings;
 import org.mockito.quality.Strictness;
+import org.springframework.test.util.ReflectionTestUtils;
 import org.zowe.apiml.apicatalog.services.cached.model.ApiDocInfo;
 import org.zowe.apiml.config.ApiInfo;
 import org.zowe.apiml.product.constants.CoreService;
@@ -61,6 +62,7 @@ void setUp() {
         gatewayConfigProperties = getProperties();
         gatewayClient = new GatewayClient(gatewayConfigProperties);
         apiDocV2Service = new ApiDocV2Service(gatewayClient);
+        ReflectionTestUtils.setField(apiDocV2Service,"scheme","https");
     }
 
     @Test

api-catalog-services/src/test/java/org/zowe/apiml/apicatalog/swagger/api/ApiDocV3ServiceTest.java

@@ -21,6 +21,7 @@
 import io.swagger.v3.oas.models.tags.Tag;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import org.springframework.test.util.ReflectionTestUtils;
 import org.zowe.apiml.apicatalog.services.cached.model.ApiDocInfo;
 import org.zowe.apiml.config.ApiInfo;
 import org.zowe.apiml.product.constants.CoreService;
@@ -57,6 +58,7 @@ void setUp() {
         GatewayConfigProperties gatewayConfigProperties = getProperties();
         gatewayClient = new GatewayClient(gatewayConfigProperties);
         apiDocV3Service = new ApiDocV3Service(gatewayClient);
+        ReflectionTestUtils.setField(apiDocV3Service,"scheme","https");
     }
 
     @Test

apiml-common/build.gradle

@@ -1,13 +1,14 @@
 dependencies {
     compile project(':apiml-utility')
-
+    compile project(':apiml-tomcat-common')
     compile libraries.spring_boot_starter_web
     compile libraries.spring_boot_starter_validation
     compile libraries.jackson_databind
     compile libraries.apache_commons_lang3
     compile libraries.http_client
     compile libraries.http_core
 
+
     compileOnly libraries.spring_boot_configuration_processor
     compileOnly libraries.lombok
     annotationProcessor libraries.lombok