fix: Add handling in case of PassTicketException (#1810)

* Add handling in case of PassTicketException

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Fix unit test

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Fix integration test

* Import

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* import

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Fix

* Add acceptance test

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

* Add license

Signed-off-by: at670475 <andrea.tabone@broadcom.com>

Author: taban03

common-service-core/src/main/java/org/zowe/apiml/passticket/AbstractIRRPassTicketException.java

@@ -54,7 +54,7 @@ public enum ErrorCode {
         ERR_8_8_4(8, 8, 4, HttpStatus.SC_INTERNAL_SERVER_ERROR, "Parameter list error."),
         ERR_8_8_8(8, 8, 8, HttpStatus.SC_INTERNAL_SERVER_ERROR, "An internal error was encountered."),
         ERR_8_8_12(8, 8, 12, HttpStatus.SC_INTERNAL_SERVER_ERROR, "A recovery environment could not be established."),
-        ERR_8_8_16(8, 8, 16, HttpStatus.SC_INTERNAL_SERVER_ERROR, "Not authorized to use this service."),
+        ERR_8_8_16(8, 8, 16, HttpStatus.SC_INTERNAL_SERVER_ERROR, "Not authorized to use this service. Verify that the user and the application name are valid, and check that corresponding permissions have been set up."),
         ERR_8_8_20(8, 8, 20, HttpStatus.SC_INTERNAL_SERVER_ERROR, "High order bit was not set to indicate last parameter."),
         ERR_8_12_8(8, 12, 8, HttpStatus.SC_INTERNAL_SERVER_ERROR, "Invocation of the Security Server Network Authentication Service Program Call (PC) interface failed with a 'parameter buffer overflow' return code. This indicates an internal error in IRRSPK00."),
         ERR_8_12_12(8, 12, 12, HttpStatus.SC_INTERNAL_SERVER_ERROR, "Invocation of the Security Server Network Authentication Service Program Call (PC) interface failed with an 'unable to allocate storage' return code. The region size for the Security Server Network Authentication Service started task (SKRBKDC) should be increased."),

common-service-core/src/test/java/org/zowe/apiml/passticket/PassTicketServiceTest.java

@@ -156,7 +156,7 @@ void testDefaultPassTicketImpl_GenerateUnknownUser() {
         assertEquals(16, e.getRacfRsn());
         assertNotNull(e.getErrorCode());
         assertEquals(AbstractIRRPassTicketException.ErrorCode.ERR_8_8_16, e.getErrorCode());
-        assertEquals("Error on generation of PassTicket: Not authorized to use this service.", e.getMessage());
+        assertEquals("Error on generation of PassTicket: Not authorized to use this service. Verify that the user and the application name are valid, and check that corresponding permissions have been set up.", e.getMessage());
     }
 
     @Test

gateway-service/src/main/java/org/zowe/apiml/gateway/error/check/SecurityErrorCheck.java

@@ -17,6 +17,7 @@
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.core.AuthenticationException;
 import org.zowe.apiml.gateway.error.ErrorUtils;
+import org.zowe.apiml.gateway.security.service.PassTicketException;
 import org.zowe.apiml.message.api.ApiMessageView;
 import org.zowe.apiml.message.core.MessageService;
 import org.zowe.apiml.security.common.token.TokenExpireException;
@@ -51,6 +52,11 @@ public ResponseEntity<ApiMessageView> checkError(HttpServletRequest request, Thr
                 messageView = messageService.createMessage("org.zowe.apiml.security.login.invalidCredentials",
                     ErrorUtils.getGatewayUri(request)
                 ).mapToView();
+            } else if (cause instanceof PassTicketException) {
+                messageView = messageService.createMessage("org.zowe.apiml.security.ticket.generateFailed",
+                    cause.getMessage() + ". " + cause.getCause()
+                ).mapToView();
+                return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).contentType(MediaType.APPLICATION_JSON).body(messageView);
             }
             return ResponseEntity.status(HttpStatus.UNAUTHORIZED).contentType(MediaType.APPLICATION_JSON).body(messageView);
         }

gateway-service/src/main/java/org/zowe/apiml/gateway/ribbon/http/ServiceAuthenticationDecorator.java

@@ -31,8 +31,6 @@ public class ServiceAuthenticationDecorator {
     private final ServiceAuthenticationService serviceAuthenticationService;
     private final AuthenticationService authenticationService;
 
-    private static final String INVALID_JWT_MESSAGE = "Invalid JWT token";
-
     /**
      * If a service requires authentication,
      *   verify that the specific instance was selected upfront

gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/PassTicketException.java

@@ -19,4 +19,7 @@ public PassTicketException(String message, Throwable cause) {
         super(message, cause);
     }
 
+    public PassTicketException(String message) {
+        super(message);
+    }
 }

gateway-service/src/main/java/org/zowe/apiml/gateway/security/ticket/SuccessfulTicketHandler.java

@@ -9,6 +9,7 @@
  */
 package org.zowe.apiml.gateway.security.ticket;
 
+import lombok.extern.slf4j.Slf4j;
 import org.zowe.apiml.security.common.ticket.TicketRequest;
 import org.zowe.apiml.security.common.ticket.TicketResponse;
 import org.zowe.apiml.security.common.token.TokenAuthentication;
@@ -35,6 +36,7 @@
  */
 @Component
 @RequiredArgsConstructor
+@Slf4j
 public class SuccessfulTicketHandler implements AuthenticationSuccessHandler {
     private final ObjectMapper mapper;
     private final PassTicketService passTicketService;
@@ -64,6 +66,7 @@ public void onAuthenticationSuccess(HttpServletRequest request, HttpServletRespo
             ApiMessageView messageView = messageService.createMessage("org.zowe.apiml.security.ticket.generateFailed",
                 e.getErrorCode().getMessage()).mapToView();
             mapper.writeValue(response.getWriter(), messageView);
+            log.debug("The generation of the PassTicket failed. Please supply a valid user and application name, and check that corresponding permissions have been set up.");
         }
 
         response.getWriter().flush();

gateway-service/src/test/java/org/zowe/apiml/acceptance/PassTicketSchemeTest.java

@@ -0,0 +1,64 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+package org.zowe.apiml.acceptance;
+
+import io.restassured.http.Cookie;
+import org.apache.http.HttpStatus;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Test;
+import org.springframework.context.annotation.Import;
+import org.zowe.apiml.acceptance.common.AcceptanceTest;
+import org.zowe.apiml.acceptance.common.AcceptanceTestWithTwoServices;
+import org.zowe.apiml.acceptance.config.PassTicketFailureConfig;
+
+import static io.restassured.RestAssured.given;
+import static org.hamcrest.core.Is.is;
+
+/**
+ * This test verifies that a REST message is returned in case of failure during generation of PassTicket.
+ */
+@AcceptanceTest
+@Import(PassTicketFailureConfig.class)
+public class PassTicketSchemeTest extends AcceptanceTestWithTwoServices {
+
+    @Nested
+    class GivenValidJwtToken {
+        Cookie validJwtToken;
+
+        @BeforeEach
+        void setUp() {
+            validJwtToken = securityRequests.validJwtToken();
+        }
+
+        @Nested
+        class WhenPassTicketRequestedByService {
+
+            @BeforeEach
+            void prepareService() {
+                applicationRegistry.setCurrentApplication(serviceWithDefaultConfiguration.getId());
+            }
+
+            @Test
+            void thenPassTicketErrorMessageIsReturned() {
+
+                given()
+                    .log().all()
+                    .cookie(validJwtToken)
+                    .when()
+                    .get(basePath + serviceWithDefaultConfiguration.getPath())
+                    .then()
+                    .log().all()
+                    .statusCode(is(HttpStatus.SC_INTERNAL_SERVER_ERROR)).body("messages[0].messageKey",is("org.zowe.apiml.security.ticket.generateFailed"));
+            }
+        }
+    }
+}
+

gateway-service/src/test/java/org/zowe/apiml/acceptance/config/PassTicketFailureConfig.java

@@ -0,0 +1,47 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+package org.zowe.apiml.acceptance.config;
+
+import com.netflix.zuul.ZuulFilter;
+import org.springframework.context.annotation.Bean;
+import org.zowe.apiml.gateway.security.service.PassTicketException;
+
+import static org.springframework.cloud.netflix.zuul.filters.support.FilterConstants.PRE_TYPE;
+
+/**
+ * Configuration that creates a Zuul filter which throws a PassTicketException to test the error handler.
+ */
+public class PassTicketFailureConfig {
+
+    @Bean
+    public ZuulFilter zuulFilter() {
+        return new ZuulFilter() {
+            @Override
+            public String filterType() {
+                return PRE_TYPE;
+            }
+
+            @Override
+            public int filterOrder() {
+                return 0;
+            }
+
+            @Override
+            public boolean shouldFilter() {
+                return true;
+            }
+
+            @Override
+            public Object run() {
+                throw new PassTicketException("problem");
+            }
+        };
+    }
+}