fix: update gateway schema with oidc config parameters (#3867)

* update gateway schema with oidc config parameters Signed-off-by: ac892247 <a.chmelo@gmail.com> * remove unused imports Signed-off-by: ac892247 <a.chmelo@gmail.com> --------- Signed-off-by: ac892247 <a.chmelo@gmail.com>
zowe · Oct 23, 2024 · 19ece5e · 19ece5e
1 parent b727bdd
commit 19ece5e
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 33 deletions.
diff --git a/schemas/gateway-schema.json b/schemas/gateway-schema.json
@@ -364,6 +364,57 @@
                                                                     }
                                                                 }
                                                             ]
+                                                        },
+                                                        "oidc": {
+                                                            "type": "object",
+                                                            "description": "OIDC configuration.",
+                                                            "properties": {
+                                                                "enabled": {
+                                                                    "type": "boolean",
+                                                                    "description": "Enable authentication with OIDC token.",
+                                                                    "default": false
+                                                                },
+                                                                "registry": {
+                                                                    "type": "string",
+                                                                    "description": "Registry name."
+                                                                },
+                                                                "jwks": {
+                                                                    "type": "object",
+                                                                    "description": "JWKS configuration",
+                                                                    "properties": {
+                                                                        "uri": {
+                                                                            "type": "string",
+                                                                            "description": "JWK set URL for OIDC token validation."
+                                                                        },
+                                                                        "refreshInternalHours": {
+                                                                            "type": "integer",
+                                                                            "description": "How often are JWKs renewed.",
+                                                                            "default": 1
+                                                                        }
+                                                                    }
+                                                                },
+                                                                "userInfo": {
+                                                                    "type": "object",
+                                                                    "description": "OIDC user info endpoint configuration",
+                                                                    "properties": {
+                                                                        "uri": {
+                                                                            "type": "string",
+                                                                            "description": "OIDC user info endpoint URL."
+                                                                        }
+                                                                    }
+                                                                },
+                                                                "validationType": {
+                                                                    "type": "string",
+                                                                    "description": "How OIDC token is validated.",
+                                                                    "enum": ["JWK","endpoint"],
+                                                                    "default": "JWK"
+                                                                }
+                                                            }
+                                                        },
+                                                        "allowtokenrefresh": {
+                                                            "type": "boolean",
+                                                            "description": "Allow JWT to refresh.",
+                                                            "default": false
                                                         }
                                                     }
                                                 },

diff --git a/zaas-package/src/main/resources/bin/start.sh b/zaas-package/src/main/resources/bin/start.sh
@@ -344,8 +344,6 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${ZAAS_CODE} ${JAVA_BIN_DIR}java \
     -Dapiml.security.authorization.resourceNamePrefix=${ZWE_configs_apiml_security_authorization_resourceNamePrefix:-${ZWE_components_gateway_apiml_security_authorization_resourceNamePrefix:-APIML.}} \
     -Dapiml.security.zosmf.applid=${ZWE_configs_apiml_security_zosmf_applid:-${ZWE_components_gateway_apiml_security_zosmf_applid:-IZUDFLT}} \
     -Dapiml.security.oidc.enabled=${ZWE_configs_apiml_security_oidc_enabled:-${ZWE_components_gateway_apiml_security_oidc_enabled:-false}} \
-    -Dapiml.security.oidc.clientId=${ZWE_configs_apiml_security_oidc_clientId:-${ZWE_components_gateway_apiml_security_oidc_clientId:-}} \
-    -Dapiml.security.oidc.clientSecret=${ZWE_configs_apiml_security_oidc_clientSecret:-${ZWE_components_gateway_apiml_security_oidc_clientSecret:-}} \
     -Dapiml.security.oidc.registry=${ZWE_configs_apiml_security_oidc_registry:-${ZWE_components_gateway_apiml_security_oidc_registry:-}} \
     -Dapiml.security.oidc.identityMapperUrl=${ZWE_configs_apiml_security_oidc_identityMapperUrl:-${ZWE_components_gateway_apiml_security_oidc_identityMapperUrl:-"${internalProtocol:-https}://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_gateway_port:-7554}/zss/api/v1/certificate/dn"}} \
     -Dapiml.security.oidc.identityMapperUser=${ZWE_configs_apiml_security_oidc_identityMapperUser:-${ZWE_components_gateway_apiml_security_oidc_identityMapperUser:-${ZWE_zowe_setup_security_users_zowe:-ZWESVUSR}}} \

diff --git a/...ervice/src/main/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderJWK.java b/...ervice/src/main/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderJWK.java
@@ -58,12 +58,6 @@ public class OIDCTokenProviderJWK implements OIDCProvider {
     @Value("${apiml.security.oidc.registry:}")
     String registry;
 
-    @Value("${apiml.security.oidc.clientId:}")
-    String clientId;
-
-    @Value("${apiml.security.oidc.clientSecret:}")
-    String clientSecret;
-
     @Value("${apiml.security.oidc.jwks.uri}")
     private String jwksUri;
 

diff --git a/...ce/src/test/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderJWKTest.java b/...ce/src/test/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderJWKTest.java
@@ -19,9 +19,6 @@
 import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.junit.jupiter.params.ParameterizedTest;
-import org.junit.jupiter.params.provider.EmptySource;
-import org.junit.jupiter.params.provider.NullSource;
 import org.mockito.MockedStatic;
 import org.mockito.Mockito;
 import org.mockito.junit.jupiter.MockitoExtension;
@@ -59,8 +56,6 @@ void setup() throws CachingServiceClientException {
         oidcTokenProviderJwk = new OIDCTokenProviderJWK(new DefaultClock());
         ReflectionTestUtils.setField(oidcTokenProviderJwk, "jwkRefreshInterval", 1);
         ReflectionTestUtils.setField(oidcTokenProviderJwk, "jwksUri", "https://jwksurl");
-        oidcTokenProviderJwk.clientId = "client_id";
-        oidcTokenProviderJwk.clientSecret = "client_secret";
     }
 
     @Nested
@@ -164,26 +159,6 @@ void whenTokenIsEmpty_thenReturnInvalid() {
         }
     }
 
-    @Nested
-    class GivenInvalidConfiguration {
-
-        @ParameterizedTest
-        @NullSource
-        @EmptySource
-        void whenInvalidClientId_thenReturnInvalid(String id) {
-            oidcTokenProviderJwk.clientId = id;
-            assertFalse(oidcTokenProviderJwk.isValid(TOKEN));
-        }
-
-        @ParameterizedTest
-        @NullSource
-        @EmptySource
-        void whenInvalidClientSecret_thenReturnInvalid(String secret) {
-            oidcTokenProviderJwk.clientSecret = secret;
-            assertFalse(oidcTokenProviderJwk.isValid(TOKEN));
-        }
-    }
-
     @Nested
     class JwksUriLoad {