feat: static api enpoints protected by SAF check (#1764)

* protect static def api with saf resource check

Signed-off-by: achmelo <a.chmelo@gmail.com>

* correct SC

Signed-off-by: achmelo <a.chmelo@gmail.com>

* remove access with cert

Signed-off-by: achmelo <a.chmelo@gmail.com>

Author: achmelo

api-catalog-package/src/main/resources/bin/start.sh

@@ -104,6 +104,10 @@ _BPX_JOBNAME=${ZOWE_PREFIX}${CATALOG_CODE} java \
     -Dapiml.discovery.staticApiDefinitionsDirectories=${APIML_STATIC_DEF} \
     -Dapiml.security.ssl.verifySslCertificatesOfServices=${VERIFY_CERTIFICATES:-false} \
     -Dapiml.security.ssl.nonStrictVerifySslCertificatesOfServices=${NONSTRICT_VERIFY_CERTIFICATES:-false} \
+    -Dapiml.security.authorization.provider=${APIML_SECURITY_AUTHORIZATION_PROVIDER:-} \
+    -Dapiml.security.authorization.endpoint.enabled=${APIML_SECURITY_AUTHORIZATION_ENDPOINT_ENABLED:-false} \
+    -Dapiml.security.authorization.endpoint.url=${APIML_SECURITY_AUTHORIZATION_ENDPOINT_URL:-"https://${EXPLORER_HOST}:${GATEWAY_SERVICE_PORT}/zss/api/v1/saf-auth"} \
+    -Dapiml.security.authorization.resourceClass=${RESOURCE_CLASS:-ZOWE} \
     -Dspring.profiles.include=$LOG_LEVEL \
     -Dserver.address=0.0.0.0 \
     -Dserver.ssl.enabled=${APIML_SSL_ENABLED:-true}  \

api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/staticapi/StaticDefinitionController.java

@@ -13,6 +13,7 @@
 import lombok.RequiredArgsConstructor;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import java.io.IOException;
@@ -24,6 +25,7 @@
 @RestController
 @RequestMapping("/static-api")
 @RequiredArgsConstructor
+@PreAuthorize("hasSafServiceResourceAccess('SERVICES', 'READ')")
 public class StaticDefinitionController {
     private final StaticDefinitionGenerator staticDefinitionGenerator;
 

integration-tests/src/test/java/org/zowe/apiml/functional/apicatalog/ApiCatalogEndpointIntegrationTest.java

@@ -24,8 +24,12 @@
 import org.springframework.http.MediaType;
 import org.zowe.apiml.util.TestWithStartedInstances;
 import org.zowe.apiml.util.categories.CatalogTest;
-import org.zowe.apiml.util.config.*;
-import org.zowe.apiml.util.http.*;
+import org.zowe.apiml.util.config.ConfigReader;
+import org.zowe.apiml.util.config.GatewayServiceConfiguration;
+import org.zowe.apiml.util.config.SslContext;
+import org.zowe.apiml.util.http.HttpClientUtils;
+import org.zowe.apiml.util.http.HttpRequestUtils;
+import org.zowe.apiml.util.http.HttpSecurityUtils;
 
 import java.io.IOException;
 import java.net.URI;
@@ -51,6 +55,11 @@ class ApiCatalogEndpointIntegrationTest implements TestWithStartedInstances {
     private static final String GET_API_CATALOG_API_DOC_ENDPOINT = "/apicatalog/api/v1/apidoc/apicatalog/v1";
     private static final String INVALID_API_CATALOG_API_DOC_ENDPOINT = "/apicatalog/api/v1/apidoc/apicatalog/v2";
 
+    private final static String UNAUTHORIZED_USERNAME = ConfigReader.environmentConfiguration().getAuxiliaryUserList().getCredentials("servicesinfo-unauthorized").get(0).getUser();
+    private final static String UNAUTHORIZED_PASSWORD = ConfigReader.environmentConfiguration().getAuxiliaryUserList().getCredentials("servicesinfo-unauthorized").get(0).getPassword();
+    private final static String USERNAME = ConfigReader.environmentConfiguration().getAuxiliaryUserList().getCredentials("servicesinfo-authorized").get(0).getUser();
+    private final static String PASSWORD = ConfigReader.environmentConfiguration().getAuxiliaryUserList().getCredentials("servicesinfo-authorized").get(0).getPassword();
+
     private String baseHost;
 
     @BeforeEach
@@ -169,23 +178,30 @@ void cleanupStaticDefinition() {
         @Test
         @Order(1)
         void whenCallStaticApiRefresh_thenResponseOk() throws IOException {
-            getStaticApiResponse(REFRESH_STATIC_APIS_ENDPOINT, null, HttpStatus.SC_OK, null);
+            getStaticApiResponse(REFRESH_STATIC_APIS_ENDPOINT, null, HttpStatus.SC_OK, null, gatewayToken(USERNAME, PASSWORD));
         }
 
         @Test
         @Order(30)
         void whenCallStaticDefinitionGenerate_thenResponse201() throws IOException {
             String json = "# Dummy content";
-            getStaticApiResponse(STATIC_DEFINITION_GENERATE_ENDPOINT, staticDefinitionServiceId ,HttpStatus.SC_CREATED, json);
+            getStaticApiResponse(STATIC_DEFINITION_GENERATE_ENDPOINT, staticDefinitionServiceId, HttpStatus.SC_CREATED, json, gatewayToken(USERNAME, PASSWORD));
+        }
+
+        @Test
+        @Order(31)
+        void whenCallStaticDefinitionGenerateWithUnauthorizedUser_thenResponse403() throws IOException {
+            String json = "# Dummy content";
+            getStaticApiResponse(STATIC_DEFINITION_GENERATE_ENDPOINT, staticDefinitionServiceId, HttpStatus.SC_FORBIDDEN, json, gatewayToken(UNAUTHORIZED_USERNAME, UNAUTHORIZED_PASSWORD));
         }
 
-        private Response getStaticApiResponse(String endpoint, String definitionFileName, int returnCode, String body) throws IOException {
+        private Response getStaticApiResponse(String endpoint, String definitionFileName, int returnCode, String body, String JWT) throws IOException {
             URI uri = getUriFromGateway(endpoint);
             RestAssured.enableLoggingOfRequestAndResponseIfValidationFails();
 
             RequestSpecification requestSpecification = given().config(SslContext.tlsWithoutCert).relaxedHTTPSValidation()
                 .when()
-                .cookie(COOKIE_NAME, gatewayToken())
+                .cookie(COOKIE_NAME, JWT)
                 .header("Accept", MediaType.APPLICATION_JSON_VALUE);
             if (body != null) {
                 requestSpecification