feat: revoke PAT by admin (#2476)

* tomcat security update

Signed-off-by: achmelo <a.chmelo@gmail.com>

* secure endpoints with basic auth and x509

Signed-off-by: achmelo <a.chmelo@gmail.com>

* refactor, unauth IT

Signed-off-by: achmelo <a.chmelo@gmail.com>

* separate endpoints for scope and user

Signed-off-by: achmelo <a.chmelo@gmail.com>

* unit tests for controllers

Signed-off-by: achmelo <a.chmelo@gmail.com>

* chores

Signed-off-by: achmelo <a.chmelo@gmail.com>

* IT for revocation by scope

Signed-off-by: achmelo <a.chmelo@gmail.com>

* Separate cache rules for users and scopes.

Signed-off-by: Petr Weinfurt <weipe03@ca.com>

* default timestamp

Signed-off-by: achmelo <a.chmelo@gmail.com>

* Ignore new field in QueryResponse when building JSON

Signed-off-by: Petr Weinfurt <weipe03@ca.com>

* QueryResponse fix

Signed-off-by: Petr Weinfurt <weipe03@ca.com>

* QueryResponse fix

Signed-off-by: Petr Weinfurt <weipe03@ca.com>

* Resolve code smells

Signed-off-by: Petr Weinfurt <weipe03@ca.com>

* fix scope validation, add tests

Signed-off-by: achmelo <a.chmelo@gmail.com>

* address comments from code review

Signed-off-by: achmelo <a.chmelo@gmail.com>

Co-authored-by: achmelo <a.chmelo@gmail.com>
Co-authored-by: Petr Weinfurt <weipe03@ca.com>
Co-authored-by: achmelo <37397715+achmelo@users.noreply.github.com>

Author: 3 people

apiml-security-common/src/main/java/org/zowe/apiml/security/common/config/AccessTokenProviderConfig.java

@@ -30,7 +30,7 @@ public void invalidateToken(String token) {
             }
 
             @Override
-            public boolean isInvalidated(String token, String serviceId) {
+            public boolean isInvalidated(String token) {
                 throw new NotImplementedException();
             }
 
@@ -45,7 +45,12 @@ public boolean isValidForScopes(String token, String serviceId) {
             }
 
             @Override
-            public void invalidateTokensUsingRules(String ruleId, long timeStamp) {
+            public void invalidateAllTokensForUser(String userId, long timestamp) {
+                throw new NotImplementedException();
+            }
+
+            @Override
+            public void invalidateAllTokensForService(String serviceId, long timestamp) {
                 throw new NotImplementedException();
             }
         };

apiml-security-common/src/main/java/org/zowe/apiml/security/common/config/AuthConfigurationProperties.java

@@ -44,6 +44,8 @@ public class AuthConfigurationProperties {
 
     private String gatewayAccessTokenEndpoint = "/gateway/api/v1/auth/access-token/generate";
 
+    private String revokeMultipleAccessTokens = "/gateway/auth/access-token/revoke/tokens";
+
     private String gatewayRefreshEndpointOldFormat = "/api/v1/gateway/auth/refresh";
     private String gatewayRefreshEndpoint = "/gateway/api/v1/auth/refresh";
 

apiml-security-common/src/main/java/org/zowe/apiml/security/common/error/ErrorType.java

@@ -17,6 +17,7 @@ public enum ErrorType {
     BAD_CREDENTIALS("org.zowe.apiml.security.login.invalidCredentials", "Invalid Credentials", "Provide a valid username and password."),
     TOKEN_NOT_VALID("org.zowe.apiml.security.query.invalidToken", "Token is not valid.", "Provide a valid token."),
     BAD_ACCESS_TOKEN_BODY("org.zowe.apiml.security.query.invalidAccessTokenBody", "Personal Access Token body in the request is not valid.", "Use a valid body in the request. Format of a message: {validity: int , scopes: [string]}."),
+    BAD_REVOKE_REQUEST_BODY("org.zowe.apiml.security.query.invalidRevokeRequestBody", "Body in the revoke request is not valid.", "Use a valid body in the request. Format of a message: {userId: string, (optional)timestamp: long} or {serviceId: string, (optional)timestamp: long}."),
     ACCESS_TOKEN_BODY_MISSING_SCOPES("org.zowe.apiml.security.query.accessTokenBodyMissingScopes", "Body in the HTTP request for Personal Access Token does not contain scopes.", "Provide a list of services for which this token will be valid."),
     TOKEN_NOT_PROVIDED("org.zowe.apiml.security.query.tokenNotProvided", "No authorization token provided.", "Provide a valid authorization token."),
     TOKEN_EXPIRED("org.zowe.apiml.security.expiredToken", "Token is expired.", "Obtain a new token by performing an authentication request."),

apiml-security-common/src/main/java/org/zowe/apiml/security/common/login/BasicAuthFilter.java

@@ -0,0 +1,55 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+package org.zowe.apiml.security.common.login;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.AuthenticationFailureHandler;
+import org.zowe.apiml.security.common.error.ResourceAccessExceptionHandler;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.Optional;
+
+public class BasicAuthFilter extends LoginFilter {
+
+    public BasicAuthFilter(String authEndpoint, AuthenticationFailureHandler failureHandler, ObjectMapper mapper, AuthenticationManager authenticationManager, ResourceAccessExceptionHandler resourceAccessExceptionHandler) {
+//no need for success handler implementation, we just need to continue in process chain, this is the reason for lambda rather than pass null
+        super(authEndpoint, ((request, response, authentication) -> {
+        }), failureHandler, mapper, authenticationManager, resourceAccessExceptionHandler);
+    }
+
+    @Override
+    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws ServletException {
+        Optional<LoginRequest> credentialFromHeader = LoginFilter.getCredentialFromAuthorizationHeader(request);
+        LoginRequest loginRequest = credentialFromHeader.orElse(null);
+        return doAuth(request, response, loginRequest);
+    }
+
+    /**
+     * Calls successful login handler
+     */
+    @Override
+    protected void successfulAuthentication(HttpServletRequest request,
+                                            HttpServletResponse response,
+                                            FilterChain chain,
+                                            Authentication authResult) throws ServletException, IOException {
+        SecurityContext context = SecurityContextHolder.createEmptyContext();
+        context.setAuthentication(authResult);
+        SecurityContextHolder.setContext(context);
+        chain.doFilter(request, response);
+    }
+}

apiml-security-common/src/main/java/org/zowe/apiml/security/common/login/LoginFilter.java

@@ -13,7 +13,10 @@
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpMethod;
-import org.springframework.security.authentication.*;
+import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -73,8 +76,12 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
 
         Optional<LoginRequest> credentialFromHeader = getCredentialFromAuthorizationHeader(request);
         Optional<LoginRequest> credentialsFromBody = getCredentialsFromBody(request);
-
         LoginRequest loginRequest = credentialFromHeader.orElse(credentialsFromBody.orElse(null));
+        return doAuth(request, response, loginRequest);
+
+    }
+
+    public Authentication doAuth(HttpServletRequest request, HttpServletResponse response, LoginRequest loginRequest) throws ServletException {
 
         if (loginRequest == null) {
             return null;
@@ -95,7 +102,6 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
             resourceAccessExceptionHandler.handleException(request, response, ex);
         }
         return auth;
-
     }
 
 
@@ -127,16 +133,16 @@ protected void unsuccessfulAuthentication(HttpServletRequest request,
      * @param request the http request
      * @return the decoded credentials
      */
-    private Optional<LoginRequest> getCredentialFromAuthorizationHeader(HttpServletRequest request) {
+    public static Optional<LoginRequest> getCredentialFromAuthorizationHeader(HttpServletRequest request) {
         return Optional.ofNullable(
-            request.getHeader(HttpHeaders.AUTHORIZATION)
-        ).filter(
-            header -> header.startsWith(ApimlConstants.BASIC_AUTHENTICATION_PREFIX)
-        ).map(
-            header -> header.replaceFirst(ApimlConstants.BASIC_AUTHENTICATION_PREFIX, "").trim()
-        )
+                request.getHeader(HttpHeaders.AUTHORIZATION)
+            ).filter(
+                header -> header.startsWith(ApimlConstants.BASIC_AUTHENTICATION_PREFIX)
+            ).map(
+                header -> header.replaceFirst(ApimlConstants.BASIC_AUTHENTICATION_PREFIX, "").trim()
+            )
             .filter(base64Credentials -> !base64Credentials.isEmpty())
-            .map(this::mapBase64Credentials);
+            .map(LoginFilter::mapBase64Credentials);
     }
 
     /**
@@ -145,7 +151,7 @@ private Optional<LoginRequest> getCredentialFromAuthorizationHeader(HttpServletR
      * @param base64Credentials the credentials encoded in base64
      * @return the decoded credentials in {@link LoginRequest}
      */
-    private LoginRequest mapBase64Credentials(String base64Credentials) {
+    private static LoginRequest mapBase64Credentials(String base64Credentials) {
         String credentials = new String(Base64.getDecoder().decode(base64Credentials), StandardCharsets.UTF_8);
         int i = credentials.indexOf(':');
         if (i > 0) {

apiml-security-common/src/main/java/org/zowe/apiml/security/common/login/X509AuthAwareFilter.java

@@ -0,0 +1,52 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+package org.zowe.apiml.security.common.login;
+
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.AuthenticationFailureHandler;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class X509AuthAwareFilter extends X509AuthenticationFilter {
+    private final AuthenticationFailureHandler failureHandler;
+
+    public X509AuthAwareFilter(String endpoint, AuthenticationFailureHandler failureHandler, AuthenticationProvider authenticationProvider) {
+        //no need for success handler implementation, we just need to continue in process chain, this is the reason for lambda rather than pass null
+        super(endpoint, ((request, response, authentication) -> {
+        }), authenticationProvider);
+        this.failureHandler = failureHandler;
+    }
+
+    @Override
+    protected void successfulAuthentication(HttpServletRequest request,
+                                            HttpServletResponse response,
+                                            FilterChain chain,
+                                            Authentication authResult) throws IOException, ServletException {
+        if (SecurityContextHolder.getContext().getAuthentication() == null || !SecurityContextHolder.getContext().getAuthentication().isAuthenticated()) {
+            SecurityContext context = SecurityContextHolder.createEmptyContext();
+            context.setAuthentication(authResult);
+            SecurityContextHolder.setContext(context);
+        }
+        chain.doFilter(request, response);
+    }
+
+    @Override
+    protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException, ServletException {
+        failureHandler.onAuthenticationFailure(request, response, failed);
+    }
+}

gateway-service/src/main/java/org/zowe/apiml/gateway/security/config/X509AuthenticationFilter.java renamed to apiml-security-common/src/main/java/org/zowe/apiml/security/common/login/X509AuthenticationFilter.java

@@ -7,13 +7,12 @@
  *
  * Copyright Contributors to the Zowe Project.
  */
-package org.zowe.apiml.gateway.security.config;
+package org.zowe.apiml.security.common.login;
 
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
-import org.zowe.apiml.security.common.login.NonCompulsoryAuthenticationProcessingFilter;
 import org.zowe.apiml.security.common.token.X509AuthenticationToken;
 
 import javax.servlet.FilterChain;

apiml-security-common/src/main/java/org/zowe/apiml/security/common/token/AccessTokenProvider.java

@@ -9,13 +9,15 @@
  */
 package org.zowe.apiml.security.common.token;
 
+import java.io.IOException;
 import java.util.Set;
 
 public interface AccessTokenProvider {
 
-    void invalidateToken(String token) throws Exception;
-    boolean isInvalidated(String token, String serviceId) throws Exception;
+    void invalidateToken(String token) throws IOException;
+    boolean isInvalidated(String token);
     String getToken(String username, int expirationTime, Set<String> scopes);
     boolean isValidForScopes(String token, String serviceId);
-    void invalidateTokensUsingRules(String ruleId, long timeStamp) throws Exception;
+    void invalidateAllTokensForUser(String userId, long timeStamp);
+    void invalidateAllTokensForService(String serviceId, long timeStamp);
 }

apiml-security-common/src/main/java/org/zowe/apiml/security/common/token/QueryResponse.java

@@ -17,6 +17,7 @@
 import org.zowe.apiml.cache.EntryExpiration;
 
 import java.util.Date;
+import java.util.List;
 
 /**
  * Represents the query JSON response with the token information
@@ -31,6 +32,8 @@ public class QueryResponse implements EntryExpiration {
     private Date creation;
     private Date expiration;
     @JsonIgnore
+    private List<String> scopes;
+    @JsonIgnore
     private Source source;
 
     @Override

apiml-security-common/src/main/resources/security-common-log-messages.yml

@@ -128,12 +128,21 @@ messages:
       action: "Use a valid body in the request. Format of a message: {validity: int , scopes: [string]}."
 
     # Personal access token messages
+
     - key: org.zowe.apiml.security.token.accessTokenBodyMissingScopes
       number: ZWEAT606
       type: ERROR
       text: "Body in the HTTP request for Personal Access Token does not contain scopes"
       reason: "The request body is not valid"
       action: "Provide a list of services for which this token will be valid"
+
+    # Revoke personal access token
+    - key: org.zowe.apiml.security.query.invalidRevokeRequestBody
+      number: ZWEAT607
+      type: ERROR
+      text: "Body in the revoke request is not valid."
+      reason: "The request body is not valid"
+      action: "Use a valid body in the request. Format of a message: {userId: string, (optional)timestamp: long} or {serviceId: string, (optional)timestamp: long}."
     # Service specific messages
     # 700-999