fix: handle exceptions that could arise in the passticket authentication schema

api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/controllers/handlers/NotFoundErrorController.java

@@ -15,7 +15,6 @@
 import org.springframework.http.HttpStatus;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
-import org.zowe.apiml.product.compatibility.ApimlErrorController;
 
 import jakarta.servlet.RequestDispatcher;
 import jakarta.servlet.http.HttpServletRequest;
@@ -26,7 +25,7 @@
  */
 @Controller
 @Order(Ordered.HIGHEST_PRECEDENCE)
-public class NotFoundErrorController implements ApimlErrorController {
+public class NotFoundErrorController {
 
 
     private static final String PATH = "/not_found";    // NOSONAR
@@ -48,10 +47,6 @@ public String handleError(HttpServletRequest request) {
         return "error";
     }
 
-    @Override
-    public String getErrorPath() {
-        return PATH;
-    }
 }
 
 

apiml-security-common/src/main/java/org/zowe/apiml/security/common/auth/saf/EndpointImproprietyConfigureException.java → apiml-security-common/src/main/java/org/zowe/apiml/security/common/auth/saf/EndpointImproperlyConfigureException.java

@@ -12,19 +12,19 @@
 
 import lombok.Getter;
 
-public class EndpointImproprietyConfigureException extends RuntimeException {
+public class EndpointImproperlyConfigureException extends RuntimeException {
 
     private static final long serialVersionUID = -4582785501782402751L;
 
     @Getter
     private final String endpoint;
 
-    public EndpointImproprietyConfigureException(String message, String endpoint) {
+    public EndpointImproperlyConfigureException(String message, String endpoint) {
         super(message);
         this.endpoint = endpoint;
     }
 
-    public EndpointImproprietyConfigureException(String message, String endpoint, Throwable cause) {
+    public EndpointImproperlyConfigureException(String message, String endpoint, Throwable cause) {
         super(message, cause);
         this.endpoint = endpoint;
     }

apiml-security-common/src/main/java/org/zowe/apiml/security/common/auth/saf/SafResourceAccessEndpoint.java

@@ -61,13 +61,13 @@ public boolean hasSafResourceAccess(Authentication authentication, String resour
             );
             Response response = responseEntity.getBody();
             if (response != null && response.isError()) {
-                throw new EndpointImproprietyConfigureException("Endpoint " + endpointUrl + " is not properly configured: " + response.getMessage(), endpointUrl);
+                throw new EndpointImproperlyConfigureException("Endpoint " + endpointUrl + " is not properly configured: " + response.getMessage(), endpointUrl);
             }
             return response != null && !response.isError() && response.isAuthorized();
-        } catch (EndpointImproprietyConfigureException e) {
+        } catch (EndpointImproperlyConfigureException e) {
             throw e;
         } catch (Exception e) {
-            throw new EndpointImproprietyConfigureException("Endpoint " + endpointUrl + " is not properly configured.", endpointUrl, e);
+            throw new EndpointImproperlyConfigureException("Endpoint " + endpointUrl + " is not properly configured.", endpointUrl, e);
         }
     }
 

apiml-security-common/src/test/java/org/zowe/apiml/security/common/auth/saf/SafResourceAccessEndpointTest.java

@@ -82,7 +82,7 @@ void testHasSafResourceAccess_whenErrorHappened_thenFalse(boolean authorized) {
         ).when(restTemplate).exchange(
                 eq(TEST_URI_ARGS), eq(HttpMethod.GET), any(), eq(SafResourceAccessEndpoint.Response.class), eq(RESOURCE), eq(LEVEL)
         );
-        assertThrows(EndpointImproprietyConfigureException.class, () -> safResourceAccessEndpoint.hasSafResourceAccess(authentication, SUPPORTED_CLASS, RESOURCE, LEVEL));
+        assertThrows(EndpointImproperlyConfigureException.class, () -> safResourceAccessEndpoint.hasSafResourceAccess(authentication, SUPPORTED_CLASS, RESOURCE, LEVEL));
     }
 
     @Test
@@ -107,7 +107,7 @@ void givenExceptionOnRestCall_whenVerifying_thenEndpointImproprietyConfigureExce
         ).when(restTemplate).exchange(
             anyString(), any(), any(), eq(SafResourceAccessEndpoint.Response.class), anyString(), anyString()
         );
-        assertThrows(EndpointImproprietyConfigureException.class, () -> safResourceAccessEndpoint.hasSafResourceAccess(authentication, SUPPORTED_CLASS, RESOURCE, LEVEL));
+        assertThrows(EndpointImproperlyConfigureException.class, () -> safResourceAccessEndpoint.hasSafResourceAccess(authentication, SUPPORTED_CLASS, RESOURCE, LEVEL));
     }
 
 }

config/local/api-defs/staticclient.yml

@@ -111,6 +111,7 @@ services:
                 serviceRelativeUrl: /api/v3 # relativePath that is added to baseUrl of an instance
         authentication:
             scheme: httpBasicPassTicket
+            applid: ZOWEAPPL
         apiInfo:
             -   apiId: zowe.apiml.discoverableclient
                 gatewayUrl: api/v3

config/local/mock-services.yml

@@ -1,2 +1,14 @@
 zosmf:
     timeout: 1800
+
+server:
+    ssl:
+        keyAlias: localhost
+        keyPassword: password
+        keyStore: keystore/localhost/localhost.keystore.p12
+        keyStorePassword: password
+        keyStoreType: PKCS12
+        trustStore: keystore/localhost/localhost.truststore.p12
+        trustStorePassword: password
+        trustStoreType: PKCS12
+

config/local/zaas-service.yml

@@ -47,12 +47,6 @@ spring:
             enabled: always
 
 server:
-    internal:
-        enabled: true
-        port: 10017
-        ssl:
-            keyAlias: localhost-multi
-            keyStore: keystore/localhost/localhost-multi.keystore.p12
     ssl:
         keyAlias: localhost
         keyPassword: password

gateway-service/src/main/java/org/zowe/apiml/gateway/filters/AbstractAuthSchemeFactory.java

@@ -37,6 +37,7 @@
 import java.util.*;
 import java.util.function.Function;
 import java.util.function.Predicate;
+import java.util.function.Supplier;
 import java.util.stream.Stream;
 
 import static org.apache.hc.core5.http.HttpStatus.SC_OK;
@@ -172,14 +173,14 @@ private Mono<AuthorizationResponse<R>> requestWithHa(
         Function<ServiceInstance, WebClient.RequestHeadersSpec<?>> requestCreator
     ) {
         return requestCreator.apply(serviceInstanceIterator.next())
-            .exchangeToMono(clientResp -> switch (clientResp.statusCode().value()) {
-                case SC_UNAUTHORIZED -> Mono.just(new AuthorizationResponse<R>(clientResp.headers(), null));
-                case SC_OK -> clientResp.bodyToMono(getResponseClass()).map(b -> new AuthorizationResponse<R>(clientResp.headers(), b));
-                default -> Mono.empty();
-            })
-            .switchIfEmpty(serviceInstanceIterator.hasNext() ?
-                requestWithHa(serviceInstanceIterator, requestCreator) : Mono.empty()
-            );
+            .exchangeToMono(clientResp -> {
+                Supplier<Mono<AuthorizationResponse<R>>> authResponseSupplier = () -> clientResp.bodyToMono(getResponseClass()).map(b -> new AuthorizationResponse<>(clientResp.headers(), b));
+                return switch (clientResp.statusCode().value()) {
+                    case SC_UNAUTHORIZED -> Mono.just(new AuthorizationResponse<R>(clientResp.headers(), null));
+                    case SC_OK -> authResponseSupplier.get();
+                    default -> serviceInstanceIterator.hasNext() ? requestWithHa(serviceInstanceIterator, requestCreator) : authResponseSupplier.get();
+                };
+            });
     }
 
     protected Mono<Void> invoke(
@@ -192,7 +193,7 @@ protected Mono<Void> invoke(
             throw new ServiceNotAccessibleException("There are no instance of ZAAS available");
         }
 
-        return requestWithHa(i, requestCreator).flatMap(responseProcessor);
+        return requestWithHa(i, requestCreator).switchIfEmpty(Mono.just(new AuthorizationResponse<>(null,null))).flatMap(responseProcessor);
     }
 
     /**

gateway-service/src/main/java/org/zowe/apiml/gateway/service/scheme/HttpBasicPassticket.java

@@ -10,6 +10,7 @@
 
 package org.zowe.apiml.gateway.service.scheme;
 
+import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.cloud.client.ServiceInstance;
 import org.springframework.cloud.gateway.filter.FilterDefinition;
@@ -18,6 +19,7 @@
 import org.zowe.apiml.auth.Authentication;
 import org.zowe.apiml.auth.AuthenticationScheme;
 
+@Slf4j
 @Component
 public class HttpBasicPassticket implements SchemeHandler {
 
@@ -28,6 +30,11 @@ public AuthenticationScheme getAuthenticationScheme() {
 
     @Override
     public void apply(ServiceInstance serviceInstance, RouteDefinition routeDefinition, Authentication auth) {
+        if (StringUtils.isEmpty(auth.getApplid())) {
+            log.debug("Service {} does not have configured APPLID. The authorization scheme will be ignored", serviceInstance.getServiceId());
+            return;
+        }
+
         FilterDefinition filterDef = new FilterDefinition();
         filterDef.setName("PassticketFilterFactory");
         filterDef.addArg("applicationName", auth.getApplid());

gateway-service/src/test/java/org/zowe/apiml/gateway/acceptance/PassticketTest.java

@@ -10,11 +10,13 @@
 
 package org.zowe.apiml.gateway.acceptance;
 
+import lombok.AllArgsConstructor;
+import lombok.Data;
 import org.apache.http.HttpHeaders;
 import org.hamcrest.Matchers;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
 import org.zowe.apiml.auth.AuthenticationScheme;
 import org.zowe.apiml.gateway.acceptance.common.AcceptanceTest;
 import org.zowe.apiml.gateway.acceptance.common.AcceptanceTestWithMockServices;
@@ -27,7 +29,9 @@
 
 import static io.restassured.RestAssured.given;
 import static org.apache.http.HttpStatus.SC_OK;
+import static org.apache.http.HttpStatus.SC_UNAUTHORIZED;
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
 
 @AcceptanceTest
 public class PassticketTest extends AcceptanceTestWithMockServices {
@@ -38,8 +42,9 @@ public class PassticketTest extends AcceptanceTestWithMockServices {
     private static final String JWT = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyIiwiaWF0IjoxNjcxNDYxNjIzLCJleHAiOjE2NzE0OTA0MjMsImlzcyI6IkFQSU1MIiwianRpIjoiYmFlMTkyZTYtYTYxMi00MThhLWI2ZGMtN2I0NWI5NzM4ODI3IiwiZG9tIjoiRHVtbXkgcHJvdmlkZXIifQ.Vt5UjJUlbmuzmmEIodAACtj_AOxlsWqkFrFyWh4_MQRRPCj_zMIwnzpqRN-NJvKtUg1zxOCzXv2ypYNsglrXc7cH9wU3leK1gjYxK7IJjn2SBEb0dUL5m7-h4tFq2zNhcGH2GOmTpE2gTQGSTvDIdja-TIj_lAvUtbkiorm1RqrNu2MGC0WfgOGiak3tj2tNJLv_Y1ZMxNjzyHgXBMuNPozQrd4Vtnew3x4yy85LrTYF7jJM3U-e3AD2yImftxwycQvbkjNb-lWadejTVH0MgHMr04wVdDd8Nq5q7yrZf7YPzhias8ehNbew5CHiKut9SseZ1sO2WwgfhpEfsN4okg";
     private static final String PASSTICKET = "ZOWE_DUMMY_PASS_TICKET";
 
-    @BeforeEach
-    void setup() throws IOException {
+
+    @Test
+    void whenRequestingPassticketForAllowedAPPLID_thenTranslate() throws IOException {
         TicketResponse response = new TicketResponse();
         response.setToken(JWT);
         response.setUserId(USER_ID);
@@ -48,34 +53,60 @@ void setup() throws IOException {
 
         mockService("zaas").scope(MockService.Scope.CLASS)
             .addEndpoint("/zaas/scheme/ticket")
-                .assertion(he -> assertEquals(SERVICE_ID, he.getRequestHeaders().getFirst("X-Service-Id")))
-                .assertion(he -> assertEquals(COOKIE_NAME + "=" + JWT, he.getRequestHeaders().getFirst("Cookie")))
-                .bodyJson(response)
+            .assertion(he -> assertEquals(SERVICE_ID, he.getRequestHeaders().getFirst("X-Service-Id")))
+            .assertion(he -> assertEquals(COOKIE_NAME + "=" + JWT, he.getRequestHeaders().getFirst("Cookie")))
+            .bodyJson(response)
             .and().start();
-    }
 
-    @Nested
-    class GivenValidAuthentication {
-
-        @Test
-        void whenRequestingPassticketForAllowedAPPLID_thenTranslate() throws IOException {
-            String expectedAuthHeader = "Basic " + Base64.getEncoder().encodeToString((USER_ID + ":" + PASSTICKET).getBytes(StandardCharsets.UTF_8));
-            var mockService = mockService(SERVICE_ID)
-                .authenticationScheme(AuthenticationScheme.HTTP_BASIC_PASSTICKET).applid("IZUDFLT")
-                .addEndpoint("/" + SERVICE_ID + "/test")
-                    .assertion(he -> assertEquals(expectedAuthHeader, he.getRequestHeaders().getFirst(HttpHeaders.AUTHORIZATION)))
-                .and().start();
+        String expectedAuthHeader = "Basic " + Base64.getEncoder().encodeToString((USER_ID + ":" + PASSTICKET).getBytes(StandardCharsets.UTF_8));
+        var mockService = mockService(SERVICE_ID)
+            .authenticationScheme(AuthenticationScheme.HTTP_BASIC_PASSTICKET).applid("IZUDFLT")
+            .addEndpoint("/" + SERVICE_ID + "/test")
+            .assertion(he -> assertEquals(expectedAuthHeader, he.getRequestHeaders().getFirst(HttpHeaders.AUTHORIZATION)))
+            .and().start();
 
-            given()
-                .cookie(COOKIE_NAME, JWT)
+        given()
+            .cookie(COOKIE_NAME, JWT)
             .when()
-                .get(basePath + "/" + SERVICE_ID + "/api/v1/test")
+            .get(basePath + "/" + SERVICE_ID + "/api/v1/test")
             .then()
-                .statusCode(Matchers.is(SC_OK));
+            .statusCode(Matchers.is(SC_OK));
+        assertEquals(1, mockService.getEndpoint().getCounter());
+    }
 
-            assertEquals(1, mockService.getEndpoint().getCounter());
-        }
 
+    @ParameterizedTest
+    @ValueSource(ints = {400, 401, 403, 404, 405, 500})
+    void whenCannotGeneratePassticket_thenIgnoreTransformation(int responseCode) throws IOException {
+        mockService("zaas").scope(MockService.Scope.TEST)
+            .addEndpoint("/zaas/scheme/ticket")
+            .responseCode(responseCode)
+            .and().start();
+        var mockService = mockService(SERVICE_ID).scope(MockService.Scope.TEST)
+            .authenticationScheme(AuthenticationScheme.HTTP_BASIC_PASSTICKET).applid("IZUDFLT")
+            .addEndpoint("/" + SERVICE_ID + "/test")
+            .responseCode(401)
+            .bodyJson(new ResponseDto("ok"))
+            .assertion(he -> assertFalse(he.getRequestHeaders().containsKey(HttpHeaders.AUTHORIZATION)))
+            .and().start();
+        given()
+            .cookie(COOKIE_NAME, JWT)
+            .when()
+            .get(basePath + "/" + SERVICE_ID + "/api/v1/test")
+            .then()
+            .statusCode(Matchers.is(SC_UNAUTHORIZED))
+            .body("status", Matchers.is("ok"));
+        assertEquals(1, mockService.getEndpoint().getCounter());
     }
 
+    @Data
+    @AllArgsConstructor
+    static class ResponseDto {
+
+        private String status;
+
+    }
 }
+
+
+

gateway-service/src/test/java/org/zowe/apiml/gateway/service/scheme/HttpBasicPassticketTest.java

@@ -18,6 +18,7 @@
 import org.zowe.apiml.auth.AuthenticationScheme;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.mockito.Mockito.doReturn;
 import static org.mockito.Mockito.mock;
 
@@ -44,4 +45,18 @@ void givenRouteDefinition_whenApply_thenFulfillFilterFactorArgs() {
         assertEquals("PassticketFilterFactory", filterDefinition.getName());
     }
 
+    @Test
+    void givenNoApplid_whenApply_thenSkipConfiguration() {
+        RouteDefinition routeDefinition = new RouteDefinition();
+        new HttpBasicPassticket().apply(mock(ServiceInstance.class), routeDefinition, new Authentication(AuthenticationScheme.HTTP_BASIC_PASSTICKET, null));
+        assertTrue(routeDefinition.getFilters().isEmpty());
+    }
+
+    @Test
+    void givenEmptyApplid_whenApply_thenSkipConfiguration() {
+        RouteDefinition routeDefinition = new RouteDefinition();
+        new HttpBasicPassticket().apply(mock(ServiceInstance.class), routeDefinition, new Authentication(AuthenticationScheme.HTTP_BASIC_PASSTICKET, ""));
+        assertTrue(routeDefinition.getFilters().isEmpty());
+    }
+
 }

integration-tests/build.gradle

@@ -436,6 +436,7 @@ task runZaasTest(type: Test) {
     description "Run Zaas tests only"
 
     outputs.cacheIf { false }
+    systemProperty "environment.offPlatform", true
 
     systemProperties System.getProperties()
     useJUnitPlatform {

integration-tests/src/test/java/org/zowe/apiml/functional/gateway/GatewayRoutingTest.java

@@ -13,12 +13,13 @@
 import io.restassured.RestAssured;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Tag;
+import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.CsvSource;
 import org.zowe.apiml.util.TestWithStartedInstances;
 import org.zowe.apiml.util.categories.DiscoverableClientDependentTest;
-import org.zowe.apiml.util.config.GatewayServiceConfiguration;
 import org.zowe.apiml.util.config.ConfigReader;
+import org.zowe.apiml.util.config.GatewayServiceConfiguration;
 
 import java.net.URI;
 import java.net.URISyntaxException;
@@ -104,4 +105,9 @@ void testWrongRoutingWithBasePath(String basePath) throws URISyntaxException {
         given().get(new URI(scgUrl)).then().statusCode(404);
     }
 
+    @Test
+    void givenEndpointDoesNotExistOnRegisteredService() throws URISyntaxException {
+        String scgUrl = String.format("%s://%s:%s%s", conf.getScheme(), conf.getHost(), conf.getPort(), "/dcpassticket/api/v1/unknown");
+        given().get(new URI(scgUrl)).then().statusCode(404);
+    }
 }