wip

Signed-off-by: Richard Salac <richard.salac@broadcom.com>

Author: richard-salac

zaas-service/src/main/java/org/zowe/apiml/zaas/security/service/AuthenticationService.java

@@ -67,6 +67,7 @@
 import java.util.Optional;
 import java.util.Set;
 
+import static org.zowe.apiml.security.common.token.QueryResponse.Source.ZOWE;
 import static org.zowe.apiml.security.common.util.JwtUtils.getJwtClaims;
 import static org.zowe.apiml.security.common.util.JwtUtils.handleJwtParserException;
 import static org.zowe.apiml.zaas.security.service.zosmf.ZosmfService.TokenType.JWT;
@@ -381,17 +382,16 @@ public TokenAuthentication validateJwtToken(String jwtToken) {
         }
 
         QueryResponse queryResponse = parseJwtToken(jwtToken);
-        boolean isValid = switch (queryResponse.getSource()) {
-            case ZOWE -> {
-                validateAndParseLocalJwtToken(jwtToken);
-                yield true;
-            }
+
+        switch (queryResponse.getSource()) {
+            case ZOWE -> validateAndParseLocalJwtToken(jwtToken);
             case ZOSMF -> zosmfService.validate(jwtToken);
             default -> throw new TokenNotValidException("Unknown token type.");
-        };
+        }
+
         boolean notInvalidated = !isInvalidated(jwtToken);
         TokenAuthentication tokenAuthentication = new TokenAuthentication(queryResponse.getUserId(), jwtToken, TokenAuthentication.Type.JWT);
-        tokenAuthentication.setAuthenticated(notInvalidated && isValid);
+        tokenAuthentication.setAuthenticated(notInvalidated);
 
         putValidationCache(jwtToken, tokenAuthentication);
         log.debug("JWT validation result: {}", tokenAuthentication.isAuthenticated());
@@ -457,9 +457,9 @@ public TokenAuthentication validateJwtToken(TokenAuthentication token) {
             throw new TokenNotValidException("Null token.");
         }
         parseJwtToken(token.getCredentials()); // throws on expired token, this needs to happen before cache
-        
+
         var tokenAuth = validateJwtToken(token.getCredentials());
-        
+
         return tokenAuth;
     }
 

zaas-service/src/main/java/org/zowe/apiml/zaas/security/service/zosmf/ZosmfService.java

@@ -60,11 +60,7 @@
 import java.io.IOException;
 import java.net.MalformedURLException;
 import java.net.URL;
-import java.util.Collections;
-import java.util.EnumMap;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
 
 import static org.zowe.apiml.zaas.security.service.zosmf.ZosmfService.TokenType.JWT;
 import static org.zowe.apiml.zaas.security.service.zosmf.ZosmfService.TokenType.LTPA;
@@ -487,24 +483,47 @@ public boolean jwtBuilderEndpointExists() {
         return meAsProxy.jwtEndpointExists(headers);
     }
 
+    /**
+     * Validates jwt token with all available strategies.
+     *
+     * @param token
+     * @return true if at least one validation strategy evaluates token as valid
+     * @throws ServiceNotAccessibleException if all validation strategies failed because of an error
+     * @throws TokenNotValidException if all token validation strategies evaluate token as invalid
+     */
     public boolean validate(String token) {
         log.debug("ZosmfService validating token: ....{}", StringUtils.right(token, 15));
         TokenValidationRequest request = new TokenValidationRequest(TokenType.JWT, token, getURI(getZosmfServiceId()), getEndpointMap());
 
+        var isTokenValid = Optional.<Boolean>empty();
+
         for (TokenValidationStrategy s : tokenValidationStrategy) {
             log.debug("Trying to validate token with strategy: {}", s.toString());
             try {
                 s.validate(request);
                 if (requestIsAuthenticated(request)) {
                     log.debug("Token validity has been successfully determined: {}", request.getAuthenticated());
-                    return true;
+                    isTokenValid = Optional.of(true);
+                    break;
+                } else {
+                    isTokenValid = Optional.of(false);
                 }
             } catch (RuntimeException re) {
                 log.debug("Exception during token validation:", re);
             }
         }
+
         log.debug("Token validation strategies exhausted, final validation status: {}", request.getAuthenticated());
-        return false;
+
+        if (isTokenValid.isPresent()) {
+            if (isTokenValid.get()) {
+                return true;
+            } else {
+                throw new TokenNotValidException("Token is not valid by any of zosmf validation strategies");
+            }
+        }
+
+        throw new ServiceNotAccessibleException("All token validation strategies has failed with " + request.getZosmfBaseUrl());
     }
 
     private boolean requestIsAuthenticated(TokenValidationRequest request) {

zaas-service/src/test/java/org/zowe/apiml/zaas/security/service/AuthenticationServiceTest.java

@@ -140,7 +140,7 @@ class GivenCorrectInputsTest {
         @BeforeEach
         void setup() {
             stubJWTSecurityForSign();
-            
+
         }
 
         @Test

zaas-service/src/test/java/org/zowe/apiml/zaas/security/service/zosmf/ZosmfServiceTest.java

@@ -93,7 +93,6 @@
 import static org.mockito.Mockito.doAnswer;
 import static org.mockito.Mockito.doReturn;
 import static org.mockito.Mockito.doThrow;
-import static org.mockito.Mockito.lenient;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.spy;
 import static org.mockito.Mockito.times;
@@ -523,33 +522,66 @@ void setUp() {
         }
 
         @Test
-        void givenException_thenHandleExceptions() {
-            ZosmfService zosmfService = getZosmfServiceWithValidationStrategy(Collections.singletonList(tokenValidationStrategy1));
+        void givenFirstValidationStrategyFailed_thenSecondSucceeds() {
+            ZosmfService zosmfService = getZosmfServiceWithValidationStrategy(validationStrategyList);
 
             doThrow(RuntimeException.class).when(tokenValidationStrategy1).validate(any());
-            assertDoesNotThrow(() -> zosmfService.validate("TOKN"));
+            doValidate(tokenValidationStrategy2, TokenValidationRequest.STATUS.AUTHENTICATED);
+
+            var validationResult = assertDoesNotThrow(() -> zosmfService.validate("TOKN"));
+            assertTrue(validationResult);
+
+            verify(tokenValidationStrategy1, times(1)).validate(any());
+            verify(tokenValidationStrategy2, times(1)).validate(any());
+        }
+
+        @Test
+        void givenAllValidationStrategiesFail_thenThrowException() {
+            ZosmfService zosmfService = getZosmfServiceWithValidationStrategy(validationStrategyList);
+
+            doThrow(RuntimeException.class).when(tokenValidationStrategy1).validate(any());
+            doThrow(RuntimeException.class).when(tokenValidationStrategy2).validate(any());
+
+            assertThrows(ServiceNotAccessibleException.class, () -> zosmfService.validate("TOKN"));
+
+            verify(tokenValidationStrategy1, times(1)).validate(any());
+            verify(tokenValidationStrategy2, times(1)).validate(any());
         }
 
+        @Test
+        void givenAllValidationStrategiesReturnInvalid_thenReturnFalse() {
+            ZosmfService zosmfService = getZosmfServiceWithValidationStrategy(validationStrategyList);
+
+            doValidate(tokenValidationStrategy1, TokenValidationRequest.STATUS.INVALID);
+            doValidate(tokenValidationStrategy2, TokenValidationRequest.STATUS.INVALID);
+
+            assertThrows(TokenNotValidException.class, () -> zosmfService.validate("TOKN"));
+
+            verify(tokenValidationStrategy1, times(1)).validate(any());
+            verify(tokenValidationStrategy2, times(1)).validate(any());
+        }
+
+
         @Test
         void givenOneValidationStrategy_thenReturnValidationStrategyResult() {
             ZosmfService zosmfService = getZosmfServiceWithValidationStrategy(Collections.singletonList(tokenValidationStrategy1));
 
             //UNKNOWN by default
-            assertThat(zosmfService.validate("TOKN"), is(false));
+            assertThrows(TokenNotValidException.class, () -> zosmfService.validate("TOKN"));
 
             doValidate(tokenValidationStrategy1, TokenValidationRequest.STATUS.AUTHENTICATED);
 
             assertThat(zosmfService.validate("TOKN"), is(true));
 
             doValidate(tokenValidationStrategy1, TokenValidationRequest.STATUS.INVALID);
-            assertThat(zosmfService.validate("TOKN"), is(false));
+            assertThrows(TokenNotValidException.class, () -> zosmfService.validate("TOKN"));
         }
 
         @Test
         void givenFirstValidationStrategyAuthentications_thenDontUseSecondValidationStrategy() {
             ZosmfService zosmfService = getZosmfServiceWithValidationStrategy(validationStrategyList);
 
-            assertThat(zosmfService.validate("TOKN"), is(false));
+            assertThrows(TokenNotValidException.class, () -> zosmfService.validate("TOKN"));
             verify(tokenValidationStrategy1, times(1)).validate(any());
             verify(tokenValidationStrategy2, times(1)).validate(any());
 
@@ -571,19 +603,10 @@ void givenFirstStrategyInvalidAndSecondValid_thenTokenIsValid() {
             verify(tokenValidationStrategy2, times(1)).validate(any());
         }
 
-        @Test
-        void doesNotRethrowExceptionsFromValidationStrategies() {
-            ZosmfService zosmfService = getZosmfServiceWithValidationStrategy(Collections.singletonList(tokenValidationStrategy1));
-            TokenValidationRequest request = mock(TokenValidationRequest.class);
-
-            lenient().doThrow(RuntimeException.class).when(tokenValidationStrategy1).validate(request);
-            assertDoesNotThrow(() -> zosmfService.validate("TOKN"));
-        }
-
         @Test
         void suppliesValidationRequestWithVerifiedEndpointsList() {
             ZosmfService zosmfService = getZosmfServiceWithValidationStrategy(validationStrategyList);
-            zosmfService.validate("TOKN");
+            assertThrows(TokenNotValidException.class, () -> zosmfService.validate("TOKN"));
             verify(tokenValidationStrategy1).validate(argThat(request -> !request.getEndpointExistenceMap().isEmpty()));
         }