diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index b6b301f8e2..f95880a4a3 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -139,7 +139,7 @@ jobs:
 ./gradlew :integration-tests:runOidcTests --info -Denvironment.config=-docker -Dokta.client.id=${{ secrets.OKTA_CLIENT_ID }} -Doidc.test.user=${{ secrets.OIDC_TEST_USER }} -Doidc.test.pass=${{ secrets.OIDC_TEST_PASS }} -Doidc.test.alt_user=${{ secrets.OKTA_WINNIE_USER }} -Doidc.test.alt_pass=${{ secrets.OKTA_WINNIE_PASS }}
- -Partifactory_user=${{ secrets.ARTIFACTORY_USERNAME }} -Partifactory_password=${{ secrets.ARTIFACTORY_PASSWORD }}
+ -DidpConfiguration.host=${{secrets.OKTA_HOST}}
 - uses: ./.github/actions/teardown
@@ -466,7 +466,7 @@ jobs:
 -Partifactory_user=${{ secrets.ARTIFACTORY_USERNAME }} -Partifactory_password=${{ secrets.ARTIFACTORY_PASSWORD }} -Dokta.client.id=${{ secrets.OKTA_CLIENT_ID }} -Doidc.test.user=${{ secrets.OIDC_TEST_USER }} -Doidc.test.pass=${{ secrets.OIDC_TEST_PASS }} -Doidc.test.alt_user=${{ secrets.OKTA_WINNIE_USER }}
- -Doidc.test.alt_pass=${{ secrets.OKTA_WINNIE_PASS }}
+ -Doidc.test.alt_pass=${{ secrets.OKTA_WINNIE_PASS }} -DidpConfiguration.host=${{secrets.OKTA_HOST}}
 - name: Dump DC jacoco data
 run: >
diff --git a/apiml-tomcat-common/src/main/java/org/zowe/apiml/filter/AttlsFilter.java b/apiml-tomcat-common/src/main/java/org/zowe/apiml/filter/AttlsFilter.java
index b96d6a945e..c93431dabd 100644
--- a/apiml-tomcat-common/src/main/java/org/zowe/apiml/filter/AttlsFilter.java
+++ b/apiml-tomcat-common/src/main/java/org/zowe/apiml/filter/AttlsFilter.java
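Review bot: The runOidcTests step in the first hunk drops `-Partifactory_user`/`-Partifactory_password` while adding `-DidpConfiguration.host`, so if Gradle still needs the Artifactory credentials to resolve dependencies in this job the OIDC run fails before any test executes; the second hunk keeps both sets of flags, which suggests the removal was unintended, and if it is intended the commit message should say so. Both hunks also write `${{secrets.OKTA_HOST}}` without the inner spaces every other expression on these lines uses, e.g. `-DidpConfiguration.host=${{ secrets.OKTA_HOST }}`. Note that an undefined secret expands to an empty string, so the property then reaches the JVM as `-DidpConfiguration.host=` rather than being absent, which matters for how ConfigReader treats it.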
@@ -14,6 +14,7 @@
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import lombok.extern.slf4j.Slf4j;
 import org.apache.tomcat.util.codec.binary.Base64;
 import org.springframework.web.filter.OncePerRequestFilter;
 import org.zowe.commons.attls.InboundAttls;
@@ -25,9 +26,11 @@
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
+
 /**
 * This filter will add X509 certificate from InboundAttls
 */
+@Slf4j
 public class AttlsFilter extends OncePerRequestFilter {
 @Override
@@ -35,6 +38,7 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 try {
 byte[] certificate = InboundAttls.getCertificate();
 if (certificate != null && certificate.length > 0) {
+ log.debug("Certificate length: {}", certificate.length);
 populateRequestWithCertificate(request, certificate);
 }
 } catch (Exception e) {
diff --git a/integration-tests/src/test/java/org/zowe/apiml/util/SecurityUtils.java b/integration-tests/src/test/java/org/zowe/apiml/util/SecurityUtils.java
index 4dfdd4cc88..0243d51d4c 100644
--- a/integration-tests/src/test/java/org/zowe/apiml/util/SecurityUtils.java
+++ b/integration-tests/src/test/java/org/zowe/apiml/util/SecurityUtils.java
@@ -433,6 +433,7 @@ public static String validOktaAccessToken(boolean userHasMappingDefined) {
 .when()
 .get(OKTA_HOSTNAME + "/oauth2/v1/authorize")
 .then()
+ .log().ifValidationFails()
 .statusCode(200)
 .extract().response();
diff --git a/integration-tests/src/test/java/org/zowe/apiml/util/config/ConfigReader.java b/integration-tests/src/test/java/org/zowe/apiml/util/config/ConfigReader.java
index 2aea353ce8..3a5708462e 100644
--- a/integration-tests/src/test/java/org/zowe/apiml/util/config/ConfigReader.java
+++ b/integration-tests/src/test/java/org/zowe/apiml/util/config/ConfigReader.java
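Review bot: The second AttlsFilter hunk adds an empty `+` line before the class Javadoc, which leaves two blank lines between the imports and the comment; only the annotation is needed. Drop the empty added line so the hunk contributes `+@Slf4j` alone.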
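Review bot: The new debug line in the third AttlsFilter hunk fires only when a certificate is present, so the case that usually needs diagnosing — AT-TLS active but no client certificate delivered — stays silent at every log level. Add an else branch such as `} else { log.debug("No client certificate provided by InboundAttls"); }` so a missing certificate is visible alongside the length message. Logging only the length and not the certificate bytes is the right choice. doFilterInternal begins before the hunk and its catch block continues after it.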
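Review bot: `.log().ifValidationFails()` in the SecurityUtils hunk logs at `LogDetail.ALL` by default, which prints the full request and response — headers, cookies, query parameters and body — into the CI log whenever the `/oauth2/v1/authorize` call does not return 200. The request specification is built on the lines before `.when()`, outside the hunk, so I cannot see what it carries, but an Okta authorize call is likely to include a session token or similar credential material that should not land in build logs. Restrict the output, e.g. `.log().ifValidationFails(LogDetail.STATUS)` (import `io.restassured.filter.log.LogDetail`), and widen it only after checking what the failing response would contain. validOktaAccessToken starts before the hunk and continues after it.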
@@ -146,6 +146,7 @@ public static EnvironmentConfiguration environmentConfiguration() {
 configuration.getIdpConfiguration().setPassword(System.getProperty("oidc.test.pass", configuration.getIdpConfiguration().getPassword()));
 configuration.getIdpConfiguration().setAlternateUser(System.getProperty("oidc.test.alt_user", configuration.getIdpConfiguration().getAlternateUser()));
 configuration.getIdpConfiguration().setAlternatePassword(System.getProperty("oidc.test.alt_pass", configuration.getIdpConfiguration().getAlternatePassword()));
+ configuration.getIdpConfiguration().setHost(System.getProperty("idpConfiguration.host", configuration.getIdpConfiguration().getHost()));
 configuration.getSafIdtConfiguration().setEnabled(Boolean.parseBoolean(System.getProperty("safidt.enabled", String.valueOf(configuration.getSafIdtConfiguration().isEnabled()))));
diff --git a/zaas-service/src/main/java/org/zowe/apiml/zaas/controllers/AuthController.java b/zaas-service/src/main/java/org/zowe/apiml/zaas/controllers/AuthController.java
index 7f0dc9a512..4e32264b01 100644
--- a/zaas-service/src/main/java/org/zowe/apiml/zaas/controllers/AuthController.java
+++ b/zaas-service/src/main/java/org/zowe/apiml/zaas/controllers/AuthController.java
@@ -328,7 +328,7 @@ public void distributeInvalidate(HttpServletRequest request, HttpServletResponse
 * Return all public keys involved at the moment in the ZAAS as well as in zOSMF. Keys used for verification of
 * tokens
 *
- * @return List of keys composed of zOSMF and ZAAS ones
+ * @return Map of keys composed of zOSMF and ZAAS ones
 */
 @GetMapping(path = ALL_PUBLIC_KEYS_PATH, produces = MediaType.APPLICATION_JSON_VALUE)
 @ResponseBody
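Review bot: The added `setHost` line replaces the configured host with whatever `idpConfiguration.host` holds, including an empty string: `System.getProperty` falls back to the default only when the property is unset, and the workflow passes `-DidpConfiguration.host=${{secrets.OKTA_HOST}}`, which expands to an empty value when the secret is not defined, so the tests would then target host "". Read the property first and apply it only when it has content, e.g. `String idpHost = System.getProperty("idpConfiguration.host", "");` followed by `if (!idpHost.isBlank()) { configuration.getIdpConfiguration().setHost(idpHost); }`. The property name also departs from the `oidc.test.*` prefix used by the neighbouring lines; `oidc.test.host` would keep the group discoverable. environmentConfiguration() starts before the hunk and continues after it.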
@@ -469,6 +469,7 @@ private List getCurrentKey() {
 @ApiResponse(responseCode = "401", description = "Invalid token or OIDC provider is not defined")
 })
 public ResponseEntity validateOIDCToken(@RequestBody ValidateRequestModel validateRequestModel) {
+ log.debug("Validating OIDC token using provider {}", oidcProvider);
 String token = validateRequestModel.getToken();
 if (oidcProvider != null && oidcProvider.isValid(token)) {
 return new ResponseEntity<>(HttpStatus.NO_CONTENT);
@@ -527,13 +528,13 @@ private ResponseEntity badRequestForPATInvalidation() throws JsonProcess
 }
 @Data
- private static class ValidateRequestModel {
+ public static class ValidateRequestModel {
 private String token;
 private String serviceId;
 }
 @Data
- private static class RulesRequestModel {
+ public static class RulesRequestModel {
 private String serviceId;
 private String userId;
 private long timestamp;
diff --git a/zaas-service/src/main/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderEndpoint.java b/zaas-service/src/main/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderEndpoint.java
index 5a17013d99..11e52a4653 100644
--- a/zaas-service/src/main/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderEndpoint.java
+++ b/zaas-service/src/main/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderEndpoint.java
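Review bot: The new debug line in validateOIDCToken logs `oidcProvider` through its toString(), and the OIDCProvider implementations are not visible here; unless they override toString() this prints an identity hash that tells an operator nothing, and if they do override it the line may echo provider configuration. Log a stable, harmless identifier instead, e.g. `log.debug("Validating OIDC token using provider {}", oidcProvider == null ? "none" : oidcProvider.getClass().getSimpleName());`. The token itself is correctly kept out of the log. The method continues past the hunk.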
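Review bot: Widening ValidateRequestModel and RulesRequestModel from private to public in the second AuthController hunk makes two Lombok `@Data` classes part of the controller's public surface without recording why; a Javadoc line on each, such as `/** Request body of the OIDC token validation endpoint; public so it can be built outside the controller. */`, would capture the intent. If the wider visibility is only needed by tests in the same package, package-private would be sufficient and keeps the models out of the public API. The RulesRequestModel body continues past the hunk.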
@@ -39,12 +39,14 @@ public class OIDCTokenProviderEndpoint implements OIDCProvider {
 @Override
 public boolean isValid(String token) {
 try {
+ log.debug("Validating the token against URL: {}", endpointUrl);
 HttpGet httpGet = new HttpGet(endpointUrl);
 httpGet.addHeader(HttpHeaders.AUTHORIZATION, ApimlConstants.BEARER_AUTHENTICATION_PREFIX + " " + token);
 HttpResponse httpResponse = secureHttpClientWithKeystore.execute(httpGet);
 int responseCode = httpResponse.getStatusLine().getStatusCode();
+ log.debug("Response code: {}", responseCode);
 return HttpStatus.valueOf(responseCode).is2xxSuccessful();
 } catch (IOException e) {
 log.error("An error occurred during validation of OIDC token using userInfo URI {}: {}", endpointUrl, e.getMessage());
diff --git a/zaas-service/src/main/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderJWK.java b/zaas-service/src/main/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderJWK.java
index 31e60fa203..bd322d3ca1 100644
--- a/zaas-service/src/main/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderJWK.java
+++ b/zaas-service/src/main/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderJWK.java
@@ -117,8 +117,10 @@ private Map processKeys(JWKSet jwkKeys) {
 @Override
 public boolean isValid(String token) {
 try {
+ log.debug("Validating the token with JWK: {}", jwksUri);
 return !getClaims(token).isEmpty();
 } catch (JwtException jwte) {
+ log.debug("JWK token validation failed with the exception {}", jwte.getMessage(), jwte.getCause());
 return false;
 }
 }
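Review bot: The response code is now logged immediately before `HttpStatus.valueOf(responseCode)`, but that call throws IllegalArgumentException for a status code Spring's enum does not define, and the `catch (IOException e)` below it does not cover that, so an unusual status from the userInfo endpoint escapes isValid as an exception instead of yielding false. Compare the integer directly, `return responseCode >= 200 && responseCode < 300;`, or use `HttpStatus.resolve(responseCode)` and treat null as invalid. The existing `log.error` keeps only `e.getMessage()`; passing `e` as the last argument would retain the stack trace for troubleshooting. isValid's catch block continues past the hunk.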
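Review bot: In the OIDCTokenProviderJWK hunk `log.debug("JWK token validation failed with the exception {}", jwte.getMessage(), jwte.getCause())` hands the cause to SLF4J as the trailing throwable, but a JwtException often has no cause, in which case the argument is null and neither the exception class nor its stack trace is logged. Pass the exception itself: `log.debug("JWK token validation failed with the exception {}", jwte.getMessage(), jwte);`. Since JWT library messages may quote header or claim content, keeping this at debug rather than a level that is on by default is appropriate.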