zowe · pj892031 · Nov 27, 2024 · Nov 26, 2024 · Nov 26, 2024 · Nov 27, 2024
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
@@ -139,7 +139,7 @@ jobs:
                     ./gradlew :integration-tests:runOidcTests --info -Denvironment.config=-docker -Dokta.client.id=${{ secrets.OKTA_CLIENT_ID }}
                     -Doidc.test.user=${{ secrets.OIDC_TEST_USER }} -Doidc.test.pass=${{ secrets.OIDC_TEST_PASS }}
                     -Doidc.test.alt_user=${{ secrets.OKTA_WINNIE_USER }} -Doidc.test.alt_pass=${{ secrets.OKTA_WINNIE_PASS }}
-                    -Partifactory_user=${{ secrets.ARTIFACTORY_USERNAME }} -Partifactory_password=${{ secrets.ARTIFACTORY_PASSWORD }}
+                    -DidpConfiguration.host=${{secrets.OKTA_HOST}}
 
             -   uses: ./.github/actions/teardown
 
@@ -466,7 +466,7 @@ jobs:
                     -Partifactory_user=${{ secrets.ARTIFACTORY_USERNAME }} -Partifactory_password=${{ secrets.ARTIFACTORY_PASSWORD }}
                     -Dokta.client.id=${{ secrets.OKTA_CLIENT_ID }} -Doidc.test.user=${{ secrets.OIDC_TEST_USER }}
                     -Doidc.test.pass=${{ secrets.OIDC_TEST_PASS }} -Doidc.test.alt_user=${{ secrets.OKTA_WINNIE_USER }}
-                    -Doidc.test.alt_pass=${{ secrets.OKTA_WINNIE_PASS }}
+                    -Doidc.test.alt_pass=${{ secrets.OKTA_WINNIE_PASS }} -DidpConfiguration.host=${{secrets.OKTA_HOST}}
 
             -   name: Dump DC jacoco data
                 run: >

diff --git a/apiml-tomcat-common/src/main/java/org/zowe/apiml/filter/AttlsFilter.java b/apiml-tomcat-common/src/main/java/org/zowe/apiml/filter/AttlsFilter.java
@@ -14,6 +14,7 @@
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import lombok.extern.slf4j.Slf4j;
 import org.apache.tomcat.util.codec.binary.Base64;
 import org.springframework.web.filter.OncePerRequestFilter;
 import org.zowe.commons.attls.InboundAttls;
@@ -25,16 +26,19 @@
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 
+
 /**
  * This filter will add X509 certificate from InboundAttls
  */
+@Slf4j
 public class AttlsFilter extends OncePerRequestFilter {
 
     @Override
     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
         try {
             byte[] certificate = InboundAttls.getCertificate();
             if (certificate != null && certificate.length > 0) {
+                log.debug("Certificate length: {}", certificate.length);
                 populateRequestWithCertificate(request, certificate);
             }
         } catch (Exception e) {

diff --git a/integration-tests/src/test/java/org/zowe/apiml/util/SecurityUtils.java b/integration-tests/src/test/java/org/zowe/apiml/util/SecurityUtils.java
@@ -433,6 +433,7 @@ public static String validOktaAccessToken(boolean userHasMappingDefined) {
             .when()
                 .get(OKTA_HOSTNAME + "/oauth2/v1/authorize")
             .then()
+            .log().ifValidationFails()
                 .statusCode(200)
                 .extract().response();
 

diff --git a/integration-tests/src/test/java/org/zowe/apiml/util/config/ConfigReader.java b/integration-tests/src/test/java/org/zowe/apiml/util/config/ConfigReader.java
@@ -146,6 +146,7 @@ public static EnvironmentConfiguration environmentConfiguration() {
                     configuration.getIdpConfiguration().setPassword(System.getProperty("oidc.test.pass", configuration.getIdpConfiguration().getPassword()));
                     configuration.getIdpConfiguration().setAlternateUser(System.getProperty("oidc.test.alt_user", configuration.getIdpConfiguration().getAlternateUser()));
                     configuration.getIdpConfiguration().setAlternatePassword(System.getProperty("oidc.test.alt_pass", configuration.getIdpConfiguration().getAlternatePassword()));
+                    configuration.getIdpConfiguration().setHost(System.getProperty("idpConfiguration.host", configuration.getIdpConfiguration().getHost()));
 
                     configuration.getSafIdtConfiguration().setEnabled(Boolean.parseBoolean(System.getProperty("safidt.enabled", String.valueOf(configuration.getSafIdtConfiguration().isEnabled()))));
 

diff --git a/zaas-service/src/main/java/org/zowe/apiml/zaas/controllers/AuthController.java b/zaas-service/src/main/java/org/zowe/apiml/zaas/controllers/AuthController.java
@@ -328,7 +328,7 @@ public void distributeInvalidate(HttpServletRequest request, HttpServletResponse
      * Return all public keys involved at the moment in the ZAAS as well as in zOSMF. Keys used for verification of
      * tokens
      *
-     * @return List of keys composed of zOSMF and ZAAS ones
+     * @return Map of keys composed of zOSMF and ZAAS ones
      */
     @GetMapping(path = ALL_PUBLIC_KEYS_PATH, produces = MediaType.APPLICATION_JSON_VALUE)
     @ResponseBody
@@ -469,6 +469,7 @@ private List<JWK> getCurrentKey() {
         @ApiResponse(responseCode = "401", description = "Invalid token or OIDC provider is not defined")
     })
     public ResponseEntity<Void> validateOIDCToken(@RequestBody ValidateRequestModel validateRequestModel) {
+        log.debug("Validating OIDC token using provider {}", oidcProvider);
         String token = validateRequestModel.getToken();
         if (oidcProvider != null && oidcProvider.isValid(token)) {
             return new ResponseEntity<>(HttpStatus.NO_CONTENT);
@@ -527,13 +528,13 @@ private ResponseEntity<String> badRequestForPATInvalidation() throws JsonProcess
     }
 
     @Data
-    private static class ValidateRequestModel {
+    public static class ValidateRequestModel {
         private String token;
         private String serviceId;
     }
 
     @Data
-    private static class RulesRequestModel {
+    public static class RulesRequestModel {
         private String serviceId;
         private String userId;
         private long timestamp;

diff --git a/...e/src/main/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderEndpoint.java b/...e/src/main/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderEndpoint.java
@@ -39,12 +39,14 @@ public class OIDCTokenProviderEndpoint implements OIDCProvider {
     @Override
     public boolean isValid(String token) {
         try {
+            log.debug("Validating the token against URL: {}", endpointUrl);
             HttpGet httpGet = new HttpGet(endpointUrl);
             httpGet.addHeader(HttpHeaders.AUTHORIZATION, ApimlConstants.BEARER_AUTHENTICATION_PREFIX + " " + token);
 
             HttpResponse httpResponse = secureHttpClientWithKeystore.execute(httpGet);
 
             int responseCode = httpResponse.getStatusLine().getStatusCode();
+            log.debug("Response code: {}", responseCode);
             return HttpStatus.valueOf(responseCode).is2xxSuccessful();
         } catch (IOException e) {
             log.error("An error occurred during validation of OIDC token using userInfo URI {}: {}", endpointUrl, e.getMessage());

diff --git a/...ervice/src/main/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderJWK.java b/...ervice/src/main/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderJWK.java
@@ -117,8 +117,10 @@ private Map<String, PublicKey> processKeys(JWKSet jwkKeys) {
     @Override
     public boolean isValid(String token) {
         try {
+            log.debug("Validating the token with JWK: {}", jwksUri);
             return !getClaims(token).isEmpty();
         } catch (JwtException jwte) {
+            log.debug("JWK token validation failed with the exception {}", jwte.getMessage(), jwte.getCause());
             return false;
         }
     }