Conversation

@JirkaAichler
Contributor

JirkaAichler and others added 3 commits March 10, 2020 12:09
Signed-off-by: JirkaAichler <jiri.aichler@broadcom.com>
Signed-off-by: Pavel Jareš <pavel.jares@broadcom.com>
@plavjanik left a comment
Contributor


I am glad to see these tests and the fact that they have passed too! It will help us to keep Zowe secure in the future!

@JirkaAichler
Contributor Author

Do you think parametrizing the tests would make them even more readable? I've done it for some other tests where I am testing the same thing, just with different endpoints.

I can't approve since I created PR.

@plavjanik
Contributor

> Task :integration-tests:licenseTest FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':integration-tests:licenseTest'.
> License violations were found: /home/jenkins/workspace/API_Mediation_PR-549-QEOVRR6CH2CI3XQBQUZGS3NSOUSGSWHPMNXVL6YJ5IERVA34R6FQ/integration-tests/src/test/java/org/zowe/apiml/penetration/JwtPenTest.java}

Signed-off-by: JirkaAichler <jiri.aichler@broadcom.com>
Signed-off-by: Pavel Jareš <pavel.jares@broadcom.com>
@codecov

codecov bot commented Mar 19, 2020

Codecov Report

Merging #549 into master will increase coverage by 0.27%.
The diff coverage is 91.66%.

@@            Coverage Diff             @@
##           master     #549      +/-   ##
==========================================
+ Coverage   77.77%   78.05%   +0.27%     
==========================================
  Files         315      311       -4     
  Lines        6151     6010     -141     
  Branches      737      724      -13     
==========================================
- Hits         4784     4691      -93     
+ Misses       1176     1128      -48     
  Partials      191      191              
Impacted Files                                          Coverage Δ
...zowe/apiml/gateway/routing/ApimlRoutingConfig.java   0.00% <0.00%> (ø)
.../apiml/gateway/filters/pre/JwtValidatorFilter.java   100.00% <100.00%> (ø)
...teway/security/service/JwtSecurityInitializer.java   84.21% <0.00%> (-9.13%) ⬇️
...java/org/zowe/apiml/discovery/GatewayNotifier.java   88.00% <0.00%> (-1.34%) ⬇️
...zowe/apiml/gateway/controllers/AuthController.java   100.00% <0.00%> (ø)
...way/security/service/zosmf/ZosmfServiceFacade.java   100.00% <0.00%> (ø)
.../security/login/zosmf/JwkToPublicKeyConverter.java
...eway/security/login/zosmf/ZosmfJwkToPublicKey.java
...in/zosmf/SaveZosmfPublicKeyConsoleApplication.java
... and 1 more

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ba4976d...e1b0e16.

@sonarqubecloud

Kudos, SonarCloud Quality Gate passed!

Bugs: A (0 Bugs)
Vulnerabilities: A (0 Vulnerabilities, 0 Security Hotspots to review)
Code Smells: A (0 Code Smells)

Coverage: 93.8%
Duplication: 0.0%

@JirkaAichler
Contributor Author

What happens when I send my own token for my service in the Authorization bearer header? I suppose it will be rejected by the Gateway. However, I think the Gateway should not modify other tokens ...

@pavel-jares-bcm
Contributor

> What happens when I send my own token for my service in the Authorization bearer header? I suppose it will be rejected by the Gateway. However, I think the Gateway should not modify other tokens ...

It is a good question. It is not fully working (also before this PR). Of course, the main case is to use SSO, but if you use the bearer header of a service, it is validated as an APIML (z/OSMF) token. There is only one workaround. The cookie has a higher priority than the Authorization header, so in this case it is necessary to log in to APIML (although it is not required for the service), save the token into the APIML cookie and then use the Authorization header for the service. It means each request will contain both authorizations (the cookie for APIML, the Authorization header for the service).

@plavjanik
Contributor

> What happens when I send my own token for my service in the Authorization bearer header? I suppose it will be rejected by the Gateway. However, I think the Gateway should not modify other tokens ...

That is true, the gateway should not modify tokens unless the service wants it (provides metadata saying that it is using Zowe JWT or PassTickets). Otherwise, the gateway should not process authorization headers.
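The two behaviours discussed in the last two comments, the current "cookie wins, any bearer is treated as an APIML token" rule and the reviewed "only touch Authorization when the service's metadata opts in" rule, as an added model in Python; this is illustrative code, not the Zowe gateway's own Java filter, and the cookie name `apimlAuthenticationToken` and the metadata values `zoweJwt` / `httpBasicPassTicket` are assumptions.

```python
# Added example: a small model of the token-selection rule discussed in the thread.
# Not Zowe's gateway code; cookie name and metadata scheme values are assumptions.
from http.cookies import SimpleCookie
from typing import NamedTuple, Optional

COOKIE_NAME = "apimlAuthenticationToken"                      # assumed APIML SSO cookie name
GATEWAY_OWNED_SCHEMES = {"zoweJwt", "httpBasicPassTicket"}    # assumed metadata values


class Decision(NamedTuple):
    apiml_token: Optional[str]  # credential the gateway validates as its own JWT (None = none)
    bearer_untouched: bool      # client's Authorization header reaches the service as sent


def bearer_token(headers: dict) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>', or None for other/absent schemes."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None


def cookie_token(headers: dict) -> Optional[str]:
    """Return the APIML cookie value from the Cookie header, or None if not present."""
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    return jar[COOKIE_NAME].value if COOKIE_NAME in jar else None


def current_rule(headers: dict) -> Decision:
    """Behaviour described by pavel-jares-bcm: the cookie wins; without it, ANY bearer
    token is validated as an APIML token, even one issued by the service itself."""
    cookie = cookie_token(headers)
    if cookie is not None:
        return Decision(cookie, True)           # the workaround: service bearer passes through
    bearer = bearer_token(headers)
    return Decision(bearer, bearer is None)     # a foreign bearer is processed and may be rejected


def proposed_rule(headers: dict, service_scheme: Optional[str]) -> Decision:
    """Behaviour asked for by plavjanik: process Authorization only when the service's
    metadata says it relies on the gateway (Zowe JWT or PassTickets); otherwise forward as-is."""
    if service_scheme not in GATEWAY_OWNED_SCHEMES:
        return Decision(None, True)             # not the gateway's header: leave it alone
    cookie = cookie_token(headers)
    if cookie is not None:
        return Decision(cookie, False)          # gateway authenticates and sets downstream auth
    return Decision(bearer_token(headers), False)
```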

@plavjanik plavjanik merged commit 7c77319 into master Mar 25, 2020
@delete-merged-branch delete-merged-branch bot deleted the protectors/jwtTest branch March 25, 2020 07:22