From d65194e8bba164f0e5521e32f02cf45b90d8d5db Mon Sep 17 00:00:00 2001
From: ac892247
Date: Tue, 26 Nov 2024 18:41:02 +0100
Subject: [PATCH 1/6] update okta conf
Signed-off-by: ac892247
---
 .github/workflows/integration-tests.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index b6b301f8e2..28167ef5bc 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -140,6 +140,7 @@ jobs:
 -Doidc.test.user=${{ secrets.OIDC_TEST_USER }} -Doidc.test.pass=${{ secrets.OIDC_TEST_PASS }} -Doidc.test.alt_user=${{ secrets.OKTA_WINNIE_USER }} -Doidc.test.alt_pass=${{ secrets.OKTA_WINNIE_PASS }} -Partifactory_user=${{ secrets.ARTIFACTORY_USERNAME }} -Partifactory_password=${{ secrets.ARTIFACTORY_PASSWORD }}
+ -PidpConfiguration.host=${{secrets.OKTA_HOST}}
 - uses: ./.github/actions/teardown
@@ -466,7 +467,7 @@ jobs:
 -Partifactory_user=${{ secrets.ARTIFACTORY_USERNAME }} -Partifactory_password=${{ secrets.ARTIFACTORY_PASSWORD }} -Dokta.client.id=${{ secrets.OKTA_CLIENT_ID }} -Doidc.test.user=${{ secrets.OIDC_TEST_USER }} -Doidc.test.pass=${{ secrets.OIDC_TEST_PASS }} -Doidc.test.alt_user=${{ secrets.OKTA_WINNIE_USER }}
- -Doidc.test.alt_pass=${{ secrets.OKTA_WINNIE_PASS }}
+ -Doidc.test.alt_pass=${{ secrets.OKTA_WINNIE_PASS }} -PidpConfiguration.host=${{secrets.OKTA_HOST}}
 - name: Dump DC jacoco data
 run: >
From a12321a1e1b96b1960a25be0e955485d0d4d0083 Mon Sep 17 00:00:00 2001
From: ac892247
Date: Tue, 26 Nov 2024 18:52:02 +0100
Subject: [PATCH 2/6] read host from command line
Signed-off-by: ac892247
---
 .../src/test/java/org/zowe/apiml/util/config/ConfigReader.java | 1 +
 1 file changed, 1 insertion(+)
diff --git a/integration-tests/src/test/java/org/zowe/apiml/util/config/ConfigReader.java b/integration-tests/src/test/java/org/zowe/apiml/util/config/ConfigReader.java
index 2aea353ce8..3a5708462e 100644
--- a/integration-tests/src/test/java/org/zowe/apiml/util/config/ConfigReader.java
+++ b/integration-tests/src/test/java/org/zowe/apiml/util/config/ConfigReader.java
@@ -146,6 +146,7 @@ public static EnvironmentConfiguration environmentConfiguration() {
 configuration.getIdpConfiguration().setPassword(System.getProperty("oidc.test.pass", configuration.getIdpConfiguration().getPassword()));
 configuration.getIdpConfiguration().setAlternateUser(System.getProperty("oidc.test.alt_user", configuration.getIdpConfiguration().getAlternateUser()));
 configuration.getIdpConfiguration().setAlternatePassword(System.getProperty("oidc.test.alt_pass", configuration.getIdpConfiguration().getAlternatePassword()));
+ configuration.getIdpConfiguration().setHost(System.getProperty("idpConfiguration.host", configuration.getIdpConfiguration().getHost()));
 configuration.getSafIdtConfiguration().setEnabled(Boolean.parseBoolean(System.getProperty("safidt.enabled", String.valueOf(configuration.getSafIdtConfiguration().isEnabled()))));
From 22374a5460dab798dcc12f124858b39af96e0d11 Mon Sep 17 00:00:00 2001
From: ac892247
Date: Wed, 27 Nov 2024 09:40:47 +0100
Subject: [PATCH 3/6] typo
Signed-off-by: ac892247
---
 .github/workflows/integration-tests.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index 28167ef5bc..41574a13c5 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
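Review bot: The new override key `idpConfiguration.host` does not follow the naming of the sibling overrides in this block, which all use the `oidc.test.*` prefix (`oidc.test.pass`, `oidc.test.alt_user`, `oidc.test.alt_pass`). Reading it as `System.getProperty("oidc.test.host", configuration.getIdpConfiguration().getHost())` keeps the IdP test settings discoverable under one prefix; the workflow flag that supplies the value would need the same rename. A one-line comment above the added call, such as `// host of the IdP the OIDC tests run against; overridable from CI`, would also help whoever maintains the workflow. environmentConfiguration() starts before and continues past the end of the hunk.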
@@ -467,7 +467,7 @@ jobs:
 -Partifactory_user=${{ secrets.ARTIFACTORY_USERNAME }} -Partifactory_password=${{ secrets.ARTIFACTORY_PASSWORD }} -Dokta.client.id=${{ secrets.OKTA_CLIENT_ID }} -Doidc.test.user=${{ secrets.OIDC_TEST_USER }} -Doidc.test.pass=${{ secrets.OIDC_TEST_PASS }} -Doidc.test.alt_user=${{ secrets.OKTA_WINNIE_USER }}
- -Doidc.test.alt_pass=${{ secrets.OKTA_WINNIE_PASS }} -PidpConfiguration.host=${{secrets.OKTA_HOST}}
+ -Doidc.test.alt_pass=${{ secrets.OKTA_WINNIE_PASS }} -DidpConfiguration.host=${{secrets.OKTA_HOST}}
 - name: Dump DC jacoco data
 run: >
From 22b633de6c80dc0e96cab5477253848cd3d33a64 Mon Sep 17 00:00:00 2001
From: ac892247
Date: Wed, 27 Nov 2024 10:45:02 +0100
Subject: [PATCH 4/6] log oauth token request
Signed-off-by: ac892247
---
 .github/workflows/integration-tests.yml | 3 +--
 .../src/test/java/org/zowe/apiml/util/SecurityUtils.java | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index 41574a13c5..f95880a4a3 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -139,8 +139,7 @@ jobs:
 ./gradlew :integration-tests:runOidcTests --info -Denvironment.config=-docker -Dokta.client.id=${{ secrets.OKTA_CLIENT_ID }} -Doidc.test.user=${{ secrets.OIDC_TEST_USER }} -Doidc.test.pass=${{ secrets.OIDC_TEST_PASS }} -Doidc.test.alt_user=${{ secrets.OKTA_WINNIE_USER }} -Doidc.test.alt_pass=${{ secrets.OKTA_WINNIE_PASS }}
- -Partifactory_user=${{ secrets.ARTIFACTORY_USERNAME }} -Partifactory_password=${{ secrets.ARTIFACTORY_PASSWORD }}
- -PidpConfiguration.host=${{secrets.OKTA_HOST}}
+ -DidpConfiguration.host=${{secrets.OKTA_HOST}}
 - uses: ./.github/actions/teardown
diff --git a/integration-tests/src/test/java/org/zowe/apiml/util/SecurityUtils.java b/integration-tests/src/test/java/org/zowe/apiml/util/SecurityUtils.java
index 4dfdd4cc88..09d2c8d7a6 100644
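Review bot: The `-Partifactory_user=… -Partifactory_password=…` line is removed from the runOidcTests invocation in the `@@ -139,8 +139,7 @@` hunk of patch 4, but the commit message only talks about logging the OAuth token request, and the parallel invocation around line 467 still passes both properties. If this Gradle run resolves dependencies from that repository the job will now fail at resolution; if the properties are genuinely unused here, the commit message should say so. Either restore the line beneath the new `-DidpConfiguration.host=${{secrets.OKTA_HOST}}` flag or state the reason for dropping it.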
--- a/integration-tests/src/test/java/org/zowe/apiml/util/SecurityUtils.java
+++ b/integration-tests/src/test/java/org/zowe/apiml/util/SecurityUtils.java
@@ -429,7 +429,7 @@ public static String validOktaAccessToken(boolean userHasMappingDefined) {
 queryParams.put("nonce", "TEST");
 Response authResponse = given()
 .config(RestAssured.config().httpClient(HttpClientConfig.httpClientConfig().setParam("http.connection.timeout", 30 * 1000)))
- .queryParams(queryParams)
+ .queryParams(queryParams).log().all()
 .when()
 .get(OKTA_HOSTNAME + "/oauth2/v1/authorize")
 .then()
From 8d1bb956efe8d2a2bcc4f17b30c17d65b92082d7 Mon Sep 17 00:00:00 2001
From: ac892247
Date: Wed, 27 Nov 2024 13:57:59 +0100
Subject: [PATCH 5/6] add debug logs
Signed-off-by: ac892247
---
 .../src/main/java/org/zowe/apiml/filter/AttlsFilter.java | 4 ++++
 .../src/test/java/org/zowe/apiml/util/SecurityUtils.java | 3 ++-
 .../org/zowe/apiml/zaas/controllers/AuthController.java | 7 ++++---
 .../security/service/token/OIDCTokenProviderEndpoint.java | 2 ++
 .../zaas/security/service/token/OIDCTokenProviderJWK.java | 2 ++
 5 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/apiml-tomcat-common/src/main/java/org/zowe/apiml/filter/AttlsFilter.java b/apiml-tomcat-common/src/main/java/org/zowe/apiml/filter/AttlsFilter.java
index b96d6a945e..c93431dabd 100644
--- a/apiml-tomcat-common/src/main/java/org/zowe/apiml/filter/AttlsFilter.java
+++ b/apiml-tomcat-common/src/main/java/org/zowe/apiml/filter/AttlsFilter.java
@@ -14,6 +14,7 @@ import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import lombok.extern.slf4j.Slf4j;
 import org.apache.tomcat.util.codec.binary.Base64;
 import org.springframework.web.filter.OncePerRequestFilter;
 import org.zowe.commons.attls.InboundAttls;
@@ -25,9 +26,11 @@ import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
+
 /**
 * This filter will add X509 certificate from InboundAttls
 */
+@Slf4j
 public class AttlsFilter extends OncePerRequestFilter {
 @Override
@@ -35,6 +38,7 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 try {
 byte[] certificate = InboundAttls.getCertificate();
 if (certificate != null && certificate.length > 0) {
+ log.debug("Certificate length: {}", certificate.length);
 populateRequestWithCertificate(request, certificate);
 }
 } catch (Exception e) {
diff --git a/integration-tests/src/test/java/org/zowe/apiml/util/SecurityUtils.java b/integration-tests/src/test/java/org/zowe/apiml/util/SecurityUtils.java
index 09d2c8d7a6..fcfd85086b 100644
--- a/integration-tests/src/test/java/org/zowe/apiml/util/SecurityUtils.java
+++ b/integration-tests/src/test/java/org/zowe/apiml/util/SecurityUtils.java
@@ -429,10 +429,11 @@ public static String validOktaAccessToken(boolean userHasMappingDefined) {
 queryParams.put("nonce", "TEST");
 Response authResponse = given()
 .config(RestAssured.config().httpClient(HttpClientConfig.httpClientConfig().setParam("http.connection.timeout", 30 * 1000)))
- .queryParams(queryParams).log().all()
+ .queryParams(queryParams)
 .when()
 .get(OKTA_HOSTNAME + "/oauth2/v1/authorize")
 .then()
+ .log().all()
 .statusCode(200)
 .extract().response();
diff --git a/zaas-service/src/main/java/org/zowe/apiml/zaas/controllers/AuthController.java b/zaas-service/src/main/java/org/zowe/apiml/zaas/controllers/AuthController.java
index 7f0dc9a512..4e32264b01 100644
--- a/zaas-service/src/main/java/org/zowe/apiml/zaas/controllers/AuthController.java
+++ b/zaas-service/src/main/java/org/zowe/apiml/zaas/controllers/AuthController.java
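Review bot: The bare added `+` line in the `@@ -25,9 +26,11 @@` hunk of AttlsFilter inserts an extra blank line between the `java.security.cert` imports and the class Javadoc, which is unrelated to the debug logging this commit is about and leaves a double blank there. Dropping it makes the hunk just the `@Slf4j` annotation, which is the only intended change above the class. The `log.debug("Certificate length: {}", certificate.length)` line in the following hunk is placed correctly inside the non-empty branch.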
@@ -328,7 +328,7 @@ public void distributeInvalidate(HttpServletRequest request, HttpServletResponse
 * Return all public keys involved at the moment in the ZAAS as well as in zOSMF. Keys used for verification of
 * tokens
 *
- * @return List of keys composed of zOSMF and ZAAS ones
+ * @return Map of keys composed of zOSMF and ZAAS ones
 */
 @GetMapping(path = ALL_PUBLIC_KEYS_PATH, produces = MediaType.APPLICATION_JSON_VALUE)
 @ResponseBody
@@ -469,6 +469,7 @@ private List getCurrentKey() {
 @ApiResponse(responseCode = "401", description = "Invalid token or OIDC provider is not defined")
 })
 public ResponseEntity validateOIDCToken(@RequestBody ValidateRequestModel validateRequestModel) {
+ log.debug("Validating OIDC token using provider {}", oidcProvider);
 String token = validateRequestModel.getToken();
 if (oidcProvider != null && oidcProvider.isValid(token)) {
 return new ResponseEntity<>(HttpStatus.NO_CONTENT);
@@ -527,13 +528,13 @@ private ResponseEntity badRequestForPATInvalidation() throws JsonProcess
 }
 @Data
- private static class ValidateRequestModel {
+ public static class ValidateRequestModel {
 private String token;
 private String serviceId;
 }
 @Data
- private static class RulesRequestModel {
+ public static class RulesRequestModel {
 private String serviceId;
 private String userId;
 private long timestamp;
diff --git a/zaas-service/src/main/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderEndpoint.java b/zaas-service/src/main/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderEndpoint.java
index 5a17013d99..11e52a4653 100644
--- a/zaas-service/src/main/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderEndpoint.java
+++ b/zaas-service/src/main/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderEndpoint.java
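Review bot: `log.debug("Validating OIDC token using provider {}", oidcProvider)` in the `@@ -469,6 +469,7 @@` hunk prints whatever `toString()` the injected provider bean has; if that is a generated or otherwise verbose `toString()` it could copy configuration such as endpoint URLs or client credentials into the ZAAS log, which I cannot confirm from the hunk alone. Logging only the implementation is enough to tell the JWK and endpoint providers apart: `log.debug("Validating OIDC token using provider {}", oidcProvider == null ? null : oidcProvider.getClass().getSimpleName());`. validateOIDCToken continues past the end of the hunk.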
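Review bot: `ValidateRequestModel` and `RulesRequestModel` go from `private` to `public` in the `@@ -527,13 +528,13 @@` hunk, which widens the controller's API surface beyond what a commit titled "add debug logs" describes. If the reason is access from tests in the same package, package-private (`static class ValidateRequestModel {` with no modifier) is the smaller change; if an external caller needs them, the commit message should say which. The body of `RulesRequestModel` continues past the end of the hunk.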
@@ -39,12 +39,14 @@ public class OIDCTokenProviderEndpoint implements OIDCProvider {
 @Override
 public boolean isValid(String token) {
 try {
+ log.debug("Validating the token against URL: {}", endpointUrl);
 HttpGet httpGet = new HttpGet(endpointUrl);
 httpGet.addHeader(HttpHeaders.AUTHORIZATION, ApimlConstants.BEARER_AUTHENTICATION_PREFIX + " " + token);
 HttpResponse httpResponse = secureHttpClientWithKeystore.execute(httpGet);
 int responseCode = httpResponse.getStatusLine().getStatusCode();
+ log.debug("Response code: {}", responseCode);
 return HttpStatus.valueOf(responseCode).is2xxSuccessful();
 } catch (IOException e) {
 log.error("An error occurred during validation of OIDC token using userInfo URI {}: {}", endpointUrl, e.getMessage());
diff --git a/zaas-service/src/main/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderJWK.java b/zaas-service/src/main/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderJWK.java
index 31e60fa203..bd322d3ca1 100644
--- a/zaas-service/src/main/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderJWK.java
+++ b/zaas-service/src/main/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderJWK.java
@@ -117,8 +117,10 @@ private Map processKeys(JWKSet jwkKeys) {
 @Override
 public boolean isValid(String token) {
 try {
+ log.debug("Validating the token with JWK: {}", jwksUri);
 return !getClaims(token).isEmpty();
 } catch (JwtException jwte) {
+ log.debug("JWK token validation failed with the exception {}", jwte.getMessage(), jwte.getCause());
 return false;
 }
 }
From 2037a453354c8cadda05f99209c1261983155c37 Mon Sep 17 00:00:00 2001
From: achmelo <37397715+achmelo@users.noreply.github.com>
Date: Wed, 27 Nov 2024 14:26:15 +0100
Subject: [PATCH 6/6] Update integration-tests/src/test/java/org/zowe/apiml/util/SecurityUtils.java
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Pavel Jareš <58428711+pj892031@users.noreply.github.com>
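Review bot: The second added line in OIDCTokenProviderEndpoint.isValid, `log.debug("Response code: {}", responseCode)`, carries no context tying it to the request it reports on, so in a busy log it is hard to read next to the first debug line. Folding both pieces of information into one message after the call, `log.debug("OIDC token validation against {} returned status {}", endpointUrl, responseCode);`, says the same thing in a single, self-contained line. The catch block of isValid continues past the end of the hunk.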
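Review bot: In `log.debug("JWK token validation failed with the exception {}", jwte.getMessage(), jwte.getCause())` the trailing argument is only treated as a throwable by SLF4J when it is a non-null Throwable; a `JwtException` is frequently raised without a cause, in which case the extra argument is silently discarded and no stack trace is written. Passing the exception itself, `log.debug("JWK token validation failed: {}", jwte.getMessage(), jwte);`, records the full trace at debug level while the returned `false` is unchanged.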
Signed-off-by: achmelo <37397715+achmelo@users.noreply.github.com>
---
 .../src/test/java/org/zowe/apiml/util/SecurityUtils.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/integration-tests/src/test/java/org/zowe/apiml/util/SecurityUtils.java b/integration-tests/src/test/java/org/zowe/apiml/util/SecurityUtils.java
index fcfd85086b..0243d51d4c 100644
--- a/integration-tests/src/test/java/org/zowe/apiml/util/SecurityUtils.java
+++ b/integration-tests/src/test/java/org/zowe/apiml/util/SecurityUtils.java
@@ -433,7 +433,7 @@ public static String validOktaAccessToken(boolean userHasMappingDefined) {
 .when()
 .get(OKTA_HOSTNAME + "/oauth2/v1/authorize")
 .then()
- .log().all()
+ .log().ifValidationFails()
 .statusCode(200)
 .extract().response();
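Review bot: `.log().ifValidationFails()` without an argument still dumps the whole response (status, headers, cookies and body) whenever the status is not 200, and this is the response of the `/oauth2/v1/authorize` call; such a response can carry `Set-Cookie` session values or a `Location` with a code or token, which would then end up in the CI job log, and the platform's secret masking only covers registered secrets, not values minted during the run. I cannot see the actual response shape from the hunk, so treat this as something to confirm against a failing run. Restricting the dump with `.log().ifValidationFails(LogDetail.STATUS)` (or `LogDetail.BODY` if the error body is needed for diagnosis), with `LogDetail` from `io.restassured.filter.log.LogDetail`, keeps the diagnostic value without copying credentials into logs. validOktaAccessToken starts before and continues past the end of the hunk.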