feat: Evict non relevant tokens and rules (#2554)

* Create controller to evict non relevant tokens and rules

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Remove expired token

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* refactoring

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* remove irrelevant items from rules

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Add test

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Add more tests

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* fix license

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* fix code smell

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Fix code smells pt.2

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Remove print from test

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Add additional checks in the test

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Address PR request changes

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Add integration test

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Fix IT

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* remove body from request

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Fix code smell

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Add auth for to execute request

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Fix

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Fix IT and address reviews

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Refactoring

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Add test

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Fix test

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

Author: taban03

apiml-security-common/src/main/java/org/zowe/apiml/security/common/config/AccessTokenProviderConfig.java

@@ -56,6 +56,11 @@ public void invalidateAllTokensForUser(String userId, long timestamp) {
             public void invalidateAllTokensForService(String serviceId, long timestamp) {
                 throw new NotImplementedException(NOT_IMPLEMENTED);
             }
+
+            @Override
+            public void evictNonRelevantTokensAndRules() {
+                throw new NotImplementedException(NOT_IMPLEMENTED);
+            }
         };
     }
 }

apiml-security-common/src/main/java/org/zowe/apiml/security/common/config/AuthConfigurationProperties.java

@@ -47,6 +47,8 @@ public class AuthConfigurationProperties {
 
     private String revokeMultipleAccessTokens = "/gateway/auth/access-token/revoke/tokens";
 
+    private String evictAccessTokensAndRules = "/gateway/auth/access-token/evict";
+
     private String gatewayRefreshEndpointOldFormat = "/api/v1/gateway/auth/refresh";
     private String gatewayRefreshEndpoint = "/gateway/api/v1/auth/refresh";
 

apiml-security-common/src/main/java/org/zowe/apiml/security/common/token/AccessTokenProvider.java

@@ -21,4 +21,5 @@ public interface AccessTokenProvider {
     boolean isValidForScopes(String token, String serviceId);
     void invalidateAllTokensForUser(String userId, long timeStamp);
     void invalidateAllTokensForService(String serviceId, long timeStamp);
+    void evictNonRelevantTokensAndRules();
 }

caching-service/src/main/java/org/zowe/apiml/caching/api/CachingController.java

@@ -151,6 +151,42 @@ public ResponseEntity<Object> getAllMaps(HttpServletRequest request) {
         ).orElseGet(this::getUnauthorizedResponse);
     }
 
+    @DeleteMapping(value = "/cache-list/evict/rules/{mapKey}", produces = MediaType.APPLICATION_JSON_VALUE)
+    @Operation(summary = "Delete a record from a rules map in the cache",
+        description = "Will delete a key-value pair from a specific rules map")
+    @ResponseBody
+    @HystrixCommand
+    public ResponseEntity<Object> evictRules(@PathVariable String mapKey, HttpServletRequest request) {
+        return getServiceId(request).map(
+            s -> {
+                try {
+                    storage.removeNonRelevantRules(s, mapKey);
+                    return new ResponseEntity<>(HttpStatus.NO_CONTENT);
+                } catch (Exception exception) {
+                    return handleInternalError(exception, request.getRequestURL());
+                }
+            }
+        ).orElseGet(this::getUnauthorizedResponse);
+    }
+
+    @DeleteMapping(value = "/cache-list/evict/tokens/{mapKey}", produces = MediaType.APPLICATION_JSON_VALUE)
+    @Operation(summary = "Delete a record from an invalid tokens map in the cache",
+        description = "Will delete a key-value pair from a specific tokens map")
+    @ResponseBody
+    @HystrixCommand
+    public ResponseEntity<Object> evictTokens(@PathVariable String mapKey, HttpServletRequest request) {
+        return getServiceId(request).map(
+            s -> {
+                try {
+                    storage.removeNonRelevantTokens(s, mapKey);
+                    return new ResponseEntity<>(HttpStatus.NO_CONTENT);
+                } catch (Exception exception) {
+                    return handleInternalError(exception, request.getRequestURL());
+                }
+            }
+        ).orElseGet(this::getUnauthorizedResponse);
+    }
+
     @PutMapping(value = "/cache", produces = MediaType.APPLICATION_JSON_VALUE)
     @Operation(summary = "Update key in the cache",
         description = "Value at the key in the provided key-value pair will be updated to the provided value")

caching-service/src/main/java/org/zowe/apiml/caching/service/Storage.java

@@ -95,4 +95,18 @@ public interface Storage {
      * @param serviceId Id of the service to delete all key/value pairs for.
      */
     void deleteForService(String serviceId);
+
+    /**
+     * Delete a key/value pair from the rules map
+     * @param serviceId the id of the service to identify the correct map
+     * @param mapKey the map key
+     */
+    void removeNonRelevantRules(String serviceId, String mapKey);
+
+    /**
+     * Delete a key/value pair from the invalid tokens map
+     * @param serviceId the id of the service to identify the correct map
+     * @param mapKey the map key
+     */
+    void removeNonRelevantTokens(String serviceId, String mapKey);
 }

caching-service/src/main/java/org/zowe/apiml/caching/service/infinispan/storage/InfinispanStorage.java

@@ -10,19 +10,21 @@
 
 package org.zowe.apiml.caching.service.infinispan.storage;
 
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
 import lombok.extern.slf4j.Slf4j;
 import org.infinispan.lock.api.ClusteredLock;
 import org.zowe.apiml.caching.model.KeyValue;
 import org.zowe.apiml.caching.service.Messages;
 import org.zowe.apiml.caching.service.Storage;
 import org.zowe.apiml.caching.service.StorageException;
+import org.zowe.apiml.models.AccessTokenContainer;
 
+import java.time.LocalDateTime;
 import java.util.HashMap;
 import java.util.Map;
-import java.util.concurrent.CompletableFuture;
-import java.util.concurrent.CompletionException;
-import java.util.concurrent.ConcurrentMap;
-import java.util.concurrent.TimeUnit;
+import java.util.concurrent.*;
 import java.util.stream.Collectors;
 
 @Slf4j
@@ -32,13 +34,18 @@ public class InfinispanStorage implements Storage {
     private final ConcurrentMap<String, KeyValue> cache;
     private final ConcurrentMap<String, Map<String, String>> tokenCache;
     private final ClusteredLock lock;
+    private static final ObjectMapper objectMapper = new ObjectMapper();
 
     public InfinispanStorage(ConcurrentMap<String, KeyValue> cache, ConcurrentMap<String, Map<String, String>> tokenCache, ClusteredLock lock) {
         this.cache = cache;
         this.tokenCache = tokenCache;
         this.lock = lock;
     }
 
+    static {
+        objectMapper.registerModule(new JavaTimeModule());
+    }
+
     @Override
     public KeyValue create(String serviceId, KeyValue toCreate) {
         toCreate.setServiceId(serviceId);
@@ -70,16 +77,7 @@ public KeyValue storeMapItem(String serviceId, String mapKey, KeyValue toCreate)
                 }
             }
         });
-        try {
-            complete.join();
-        } catch (CompletionException e) {
-            if (e.getCause() instanceof StorageException) {
-                throw (StorageException) e.getCause();
-            } else {
-                log.error("Unexpected error while acquiring the lock ", e);
-                throw e;
-            }
-        }
+        completeJoin(complete);
         return null;
     }
 
@@ -153,4 +151,70 @@ public void deleteForService(String serviceId) {
             }
         });
     }
+
+    @Override
+    public void removeNonRelevantTokens(String serviceId, String mapKey) {
+        CompletableFuture<Boolean> complete = lock.tryLock(4, TimeUnit.SECONDS).whenComplete((r, ex) -> {
+            if (Boolean.TRUE.equals(r)) {
+                try {
+                    removeToken(serviceId, mapKey);
+                } finally {
+                    lock.unlock();
+                }
+            }
+        });
+        completeJoin(complete);
+    }
+
+    private void removeToken(String serviceId, String mapKey) {
+        Map<String, String> map = tokenCache.get(serviceId + mapKey);
+        if (map != null && !map.isEmpty()) {
+            Map<String,String> result = map.entrySet().stream().filter(entry -> {
+                try {
+                    AccessTokenContainer c = objectMapper.readValue(entry.getValue(), AccessTokenContainer.class);
+                    return !c.getExpiresAt().isBefore(LocalDateTime.now());
+                } catch (JsonProcessingException e) {
+                    log.error("Not able to parse invalidToken json value.", e);
+                    return true;
+                }
+            }).collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue));
+            tokenCache.put(serviceId + mapKey, result);
+        }
+    }
+
+    @Override
+    public void removeNonRelevantRules(String serviceId, String mapKey) {
+        CompletableFuture<Boolean> complete = lock.tryLock(4, TimeUnit.SECONDS).whenComplete((r, ex) -> {
+            if (Boolean.TRUE.equals(r)) {
+                try {
+                    long timestamp = System.currentTimeMillis();
+                    Map<String, String> map = tokenCache.get(serviceId + mapKey);
+                    if (map != null && !map.isEmpty()) {
+                        Map<String,String> result = map.entrySet().stream().filter(entry -> {
+                            long delta = timestamp - Long.parseLong(entry.getValue());
+                            long deltaToDays = TimeUnit.MILLISECONDS.toDays(delta);
+                            return deltaToDays <= 90;
+                        }).collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue));
+                        tokenCache.put(serviceId + mapKey, result);
+                    }
+                } finally {
+                    lock.unlock();
+                }
+            }
+        });
+        completeJoin(complete);
+    }
+
+    private void completeJoin(CompletableFuture<Boolean> complete) {
+        try {
+            complete.join();
+        } catch (CompletionException e) {
+            if (e.getCause() instanceof StorageException) {
+                throw (StorageException) e.getCause();
+            } else {
+                log.error("Unexpected error while acquiring the lock ", e);
+                throw e;
+            }
+        }
+    }
 }

caching-service/src/main/java/org/zowe/apiml/caching/service/inmemory/InMemoryStorage.java

@@ -126,6 +126,16 @@ public void deleteForService(String serviceId) {
         storage.remove(serviceId);
     }
 
+    @Override
+    public void removeNonRelevantTokens(String serviceId, String mapKey) {
+        throw new StorageException(Messages.INCOMPATIBLE_STORAGE_METHOD.getKey(), Messages.INCOMPATIBLE_STORAGE_METHOD.getStatus());
+    }
+
+    @Override
+    public void removeNonRelevantRules(String serviceId, String mapKey) {
+        throw new StorageException(Messages.INCOMPATIBLE_STORAGE_METHOD.getKey(), Messages.INCOMPATIBLE_STORAGE_METHOD.getStatus());
+    }
+
     private boolean isKeyNotInCache(String serviceId, String keyToTest) {
         Map<String, KeyValue> serviceSpecificStorage = storage.get(serviceId);
         return serviceSpecificStorage == null || serviceSpecificStorage.get(keyToTest) == null;

caching-service/src/main/java/org/zowe/apiml/caching/service/redis/RedisStorage.java

@@ -142,4 +142,14 @@ public void deleteForService(String serviceId) {
             log.info("No entries were deleted for {}", serviceId);
         }
     }
+
+    @Override
+    public void removeNonRelevantTokens(String serviceId, String mapKey) {
+        throw new StorageException(Messages.INCOMPATIBLE_STORAGE_METHOD.getKey(), Messages.INCOMPATIBLE_STORAGE_METHOD.getStatus());
+    }
+
+    @Override
+    public void removeNonRelevantRules(String serviceId, String mapKey) {
+        throw new StorageException(Messages.INCOMPATIBLE_STORAGE_METHOD.getKey(), Messages.INCOMPATIBLE_STORAGE_METHOD.getStatus());
+    }
 }

caching-service/src/main/java/org/zowe/apiml/caching/service/vsam/VsamStorage.java

@@ -208,4 +208,14 @@ public void deleteForService(String serviceId) {
             file.deleteForService(serviceId);
         }
     }
+
+    @Override
+    public void removeNonRelevantTokens(String serviceId, String mapKey) {
+        throw new StorageException(Messages.INCOMPATIBLE_STORAGE_METHOD.getKey(), Messages.INCOMPATIBLE_STORAGE_METHOD.getStatus());
+    }
+
+    @Override
+    public void removeNonRelevantRules(String serviceId, String mapKey) {
+        throw new StorageException(Messages.INCOMPATIBLE_STORAGE_METHOD.getKey(), Messages.INCOMPATIBLE_STORAGE_METHOD.getStatus());
+    }
 }

caching-service/src/test/java/org/zowe/apiml/caching/api/CachingControllerTest.java

@@ -387,11 +387,34 @@ void givenNoCertificateInformation_thenReturnUnauthorized() throws StorageExcept
         }
 
         @Test
-        void givenErrorReadingStorage_thenResponseInternalError() throws StorageException {
+        void givenErrorReadingStorage_thenResponseBadRequest() throws StorageException {
             when(mockStorage.getAllMapItems(any(), any())).thenThrow(new RuntimeException("error"));
 
             ResponseEntity<?> response = underTest.getAllMapItems(any(), mockRequest);
             assertThat(response.getStatusCode(), is(HttpStatus.BAD_REQUEST));
         }
     }
+
+    @Nested
+    class WhenEvictRecord {
+        @Test
+        void givenCorrectRequest_thenRemoveTokensAndRules() throws StorageException {
+            ResponseEntity<?> responseTokenEviction = underTest.evictTokens(MAP_KEY, mockRequest);
+            ResponseEntity<?> responseScopesEviction = underTest.evictRules(MAP_KEY, mockRequest);
+            verify(mockStorage).removeNonRelevantTokens(SERVICE_ID, MAP_KEY);
+            verify(mockStorage).removeNonRelevantRules(SERVICE_ID, MAP_KEY);
+            assertThat(responseTokenEviction.getStatusCode(), is(HttpStatus.NO_CONTENT));
+            assertThat(responseScopesEviction.getStatusCode(), is(HttpStatus.NO_CONTENT));
+        }
+
+        @Test
+        void givenInCorrectRequest_thenReturn500() throws StorageException {
+            doThrow(new RuntimeException()).when(mockStorage).removeNonRelevantTokens(SERVICE_ID, MAP_KEY);
+            doThrow(new RuntimeException()).when(mockStorage).removeNonRelevantRules(SERVICE_ID, MAP_KEY);
+            ResponseEntity<?> responseScopesEviction = underTest.evictRules(MAP_KEY, mockRequest);
+            ResponseEntity<?> responseTokenEviction = underTest.evictTokens(MAP_KEY, mockRequest);
+            assertThat(responseTokenEviction.getStatusCode(), is(HttpStatus.INTERNAL_SERVER_ERROR));
+            assertThat(responseScopesEviction.getStatusCode(), is(HttpStatus.INTERNAL_SERVER_ERROR));
+        }
+    }
 }