chore: Integration tests runnable with API ML v2 on z/OS

.github/workflows/integration-tests.yml

@@ -1352,8 +1352,6 @@ jobs:
                 image: ghcr.io/balhar-jakub/gateway-service:${{ github.run_id }}-${{ github.run_number }}
             mock-services:
                 image: ghcr.io/balhar-jakub/mock-services:${{ github.run_id }}-${{ github.run_number }}
-                env:
-                    ZOSMF_APPLIEDAPARS: AuthenticateApar
 
         steps:
             -   uses: actions/checkout@v4

apiml-security-common/src/main/java/org/zowe/apiml/security/common/auth/saf/SafResourceAccessSaf.java

@@ -11,6 +11,7 @@
 package org.zowe.apiml.security.common.auth.saf;
 
 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.security.core.Authentication;
 
 import java.lang.invoke.MethodHandle;
@@ -96,6 +97,9 @@ private boolean checkPermission(String userId, String resourceType, String resou
     @Override
     public boolean hasSafResourceAccess(Authentication authentication, String resourceClass, String resourceName, String accessLevel) {
         String userid = authentication.getName();
+        if (StringUtils.isEmpty(userid)) {
+            return false;
+        }
         AccessLevel level = AccessLevel.valueOf(accessLevel);
         log.debug("Evaluating access of user {} to resource {} in class {} level {}", userid, resourceClass, resourceName, level);
         return checkPermission(userid, resourceClass, resourceName, level.getValue(), true);

apiml-security-common/src/test/java/org/zowe/apiml/security/common/auth/saf/SafResourceAccessSafTest.java

@@ -21,7 +21,9 @@
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 
-import static org.junit.jupiter.api.Assertions.*;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.mockito.Mockito.doReturn;
 import static org.mockito.Mockito.spy;
 
@@ -88,6 +90,11 @@ void testHasSafResourceAccess_whenNoResponse_thenTrue() {
         assertTrue(safResourceAccessVerifying.hasSafResourceAccess(authentication, CLASS, RESOURCE, LEVEL.name()));
     }
 
+    @Test
+    void testHasSafResourceAccess_whenUseridEmpty_thenFalse() {
+        assertFalse(safResourceAccessVerifying.hasSafResourceAccess(new UsernamePasswordAuthenticationToken("", "token"), CLASS, RESOURCE, LEVEL.name()));
+    }
+
     @Builder
     public static class TestPlatformReturned {
 

common-service-core/src/main/java/org/zowe/apiml/passticket/AbstractIRRPassTicketException.java

@@ -68,7 +68,7 @@ public enum ErrorCode {
         ERR_8_12_16(8, 12, 16, HttpStatus.SC_INTERNAL_SERVER_ERROR, "Invocation of the Security Server Network Authentication Service Program Call (PC) interface failed with a 'local services are not available' return code. This indicates that the Security Server Network Authentication Service started task (SKRBKDC) address space has not been started or is terminating."),
         ERR_8_12_20(8, 12, 20, HttpStatus.SC_INTERNAL_SERVER_ERROR, "Invocation of the Security Server Network Authentication Service Program Call (PC) interface failed with an 'abend in the PC service routine' return code. The symptom record associated with this abend can be found in the logrec data set."),
         ERR_8_12_24(8, 12, 24, HttpStatus.SC_INTERNAL_SERVER_ERROR, "Invocation of the Security Server Network Authentication Service Program Call (PC) interface failed with an 'unable to obtain control lock' return code. This can occur if the task holding the lock is not being dispatched (for example, a dump is in progress)."),
-        ERR_8_16_28(8, 16, 28, HttpStatus.SC_BAD_REQUEST, "Unable to generate PassTicket. Verify that the secured signon (PassTicket) function and application ID is configured properly by referring to Using PassTickets in z/OS Security Server RACF Security Administrator's Guide."),
+        ERR_8_16_28(8, 16, 28, HttpStatus.SC_INTERNAL_SERVER_ERROR, "Unable to generate PassTicket. Verify that the secured signon (PassTicket) function and application ID is configured properly by referring to Using PassTickets in z/OS Security Server RACF Security Administrator's Guide."),
         ERR_8_16_32(8, 16, 32, HttpStatus.SC_INTERNAL_SERVER_ERROR, "PassTicket evaluation failure. Possible reasons include: " +
             "PassTicket to be evaluated is not a successful PassTicket. "
             + "The PassTicket to be evaluated was already evaluated before and replay protection is in effect. "

common-service-core/src/test/java/org/zowe/apiml/passticket/AbstractIRRPassTicketExceptionTest.java

@@ -34,7 +34,7 @@ void testErrorCode() {
 
         te = new TestException(8, 16, 28);
         assertSame(AbstractIRRPassTicketException.ErrorCode.ERR_8_16_28, te.getErrorCode());
-        assertEquals(HttpStatus.SC_BAD_REQUEST, te.getHttpStatus());
+        assertEquals(HttpStatus.SC_INTERNAL_SERVER_ERROR, te.getHttpStatus());
     }
 
     class TestException extends AbstractIRRPassTicketException {

config/local/gateway-service.yml

@@ -54,6 +54,11 @@ server:
         ssl:
             keyAlias: localhost-multi
             keyStore: keystore/localhost/localhost-multi.keystore.p12
+
+    webSocket:
+        requestBufferSize: 16348
+    max-http-request-header-size: 16348
+
     ssl:
         keyAlias: localhost
         keyPassword: password

discoverable-client/build.gradle

@@ -10,6 +10,11 @@ plugins {
     alias(libs.plugins.gradle.git.properties)
 }
 
+java {
+    sourceCompatibility = JavaVersion.VERSION_1_8
+    targetCompatibility = JavaVersion.VERSION_1_8
+}
+
 normalization {
     runtimeClasspath {
         ignore("**/*git.properties*")

gateway-service/src/main/java/org/zowe/apiml/gateway/controllers/AuthController.java

@@ -125,6 +125,7 @@ public ResponseEntity<String> revokeAllUserAccessTokens(@RequestBody(required =
             return new ResponseEntity<>(HttpStatus.UNAUTHORIZED);
         }
         String userId = SecurityContextHolder.getContext().getAuthentication().getPrincipal().toString();
+        log.debug("revokeAllUserAccessTokens: userId={}", userId);
         long timeStamp = 0;
         if (rulesRequestModel != null) {
             timeStamp = rulesRequestModel.getTimestamp();
@@ -143,6 +144,7 @@ public ResponseEntity<String> revokeAccessTokensForUser(@RequestBody() RulesRequ
         if (userId == null) {
             return badRequestForPATInvalidation();
         }
+        log.debug("revokeAccessTokensForUser: userId={}", userId);
         tokenProvider.invalidateAllTokensForUser(userId, timeStamp);
 
         return new ResponseEntity<>(HttpStatus.NO_CONTENT);

gateway-service/src/main/java/org/zowe/apiml/gateway/security/config/NewSecurityConfiguration.java

@@ -267,7 +267,6 @@ public SecurityFilterChain authProtectedEndpointsFilterChain(HttpSecurity http)
                 )))
                         .authorizeRequests(requests -> requests
                                 .anyRequest().authenticated())
-                        .x509(x509 -> x509.userDetailsService(x509UserDetailsService()))
                         .authenticationProvider(compoundAuthProvider) // for authenticating credentials
                         .apply(new CustomSecurityFilters());
                 return http.build();
@@ -314,7 +313,6 @@ public SecurityFilterChain authZaasEndpointsFilterChain(HttpSecurity http) throw
                 )))
                         .authorizeRequests(requests -> requests
                                 .anyRequest().authenticated())
-                        .x509(x509 -> x509.userDetailsService(x509UserDetailsService()))
                         .addFilterAfter(new CategorizeCertsFilter(publicKeyCertificatesBase64, certificateValidator), org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter.class)
                         .addFilterAfter(new ExtractAuthSourceFilter(authSourceService, authExceptionHandler), org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter.class)
                         .addFilterAfter(new ZaasAuthenticationFilter(authSourceService, authExceptionHandler), CategorizeCertsFilter.class);

gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/source/PATAuthSourceService.java

@@ -91,12 +91,12 @@ public boolean isValid(AuthSource authSource) {
                 serviceId = ((PATAuthSource) authSource).getDefaultServiceId();
             }
             boolean validForScopes = tokenProvider.isValidForScopes(token, serviceId);
-            logger.log(MessageType.DEBUG, "PAT is %s for scope: %s ", validForScopes ? "valid" : "not valid", serviceId);
+            logger.log(MessageType.DEBUG, "PAT is {} for scope: {} ", validForScopes ? "valid" : "not valid", serviceId);
             boolean invalidate = tokenProvider.isInvalidated(token);
-            logger.log(MessageType.DEBUG, "PAT was %s", invalidate ? "invalidated" : "not invalidated");
+            logger.log(MessageType.DEBUG, "PAT was {}", invalidate ? "invalidated" : "not invalidated");
             return validForScopes && !invalidate;
         } catch (Exception e) {
-            logger.log(MessageType.ERROR, "PAT is not valid due to the exception: %s", e.getMessage());
+            logger.log(MessageType.ERROR, "PAT is not valid due to the exception: {}", e.getMessage());
             return false;
         }
     }

gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/token/ApimlAccessTokenProvider.java

@@ -64,15 +64,15 @@ public void invalidateToken(String token) throws CachingServiceClientException,
     }
 
     public void invalidateAllTokensForUser(String userId, long timestamp) throws CachingServiceClientException {
-        String hashedUserId = getHash(userId);
+        String hashedUserId = getHash(userId.trim().toUpperCase());
         if (timestamp == 0) {
             timestamp = System.currentTimeMillis();
         }
         cachingServiceClient.appendList(INVALID_USERS_KEY, new CachingServiceClient.KeyValue(hashedUserId, Long.toString(timestamp)));
     }
 
     public void invalidateAllTokensForService(String serviceId, long timestamp) throws CachingServiceClientException {
-        String hashedServiceId = getHash(serviceId);
+        String hashedServiceId = getHash(serviceId.trim().toLowerCase());
         if (timestamp == 0) {
             timestamp = System.currentTimeMillis();
         }
@@ -82,7 +82,7 @@ public void invalidateAllTokensForService(String serviceId, long timestamp) thro
     public boolean isInvalidated(String token) throws CachingServiceClientException {
         QueryResponse parsedToken = authenticationService.parseJwtWithSignature(token);
         String hashedToken = getHash(token);
-        String hashedUserId = getHash(parsedToken.getUserId());
+        String hashedUserId = getHash(parsedToken.getUserId().trim().toUpperCase());
         List<String> hashedServiceIds = parsedToken.getScopes().stream().map(this::getHash).collect(Collectors.toList());
 
         Map<String, Map<String, String>> cacheMap = cachingServiceClient.readAllMaps();

gateway-service/src/test/java/org/zowe/apiml/gateway/security/service/ticket/SuccessfulTicketHandlerTest.java

@@ -89,7 +89,7 @@ void shouldFailWhenGenerationFails() throws JsonProcessingException, Unsupported
         successfulTicketHandlerHandler.onAuthenticationSuccess(httpServletRequest, httpServletResponse, tokenAuthentication);
 
         assertEquals(MediaType.APPLICATION_JSON_VALUE, httpServletResponse.getContentType());
-        assertEquals(HttpStatus.BAD_REQUEST.value(), httpServletResponse.getStatus());
+        assertEquals(HttpStatus.INTERNAL_SERVER_ERROR.value(), httpServletResponse.getStatus());
         assertTrue(httpServletResponse.getContentAsString().contains("ZWEAG141E"));
         assertTrue(httpServletResponse.isCommitted());
     }

integration-tests/build.gradle

@@ -78,7 +78,7 @@ test {
 
 task startUpCheck(type: Test) {
     group 'integration tests'
-    description "Check that the API Mediation Layer is up and runnig"
+    description "Check that the API Mediation Layer is up and running"
 
     systemProperties System.properties
     systemProperty "environment.offPlatform", true
@@ -100,7 +100,6 @@ task environmentCheck(type: Test) {
     outputs.upToDateWhen { false }
 }
 
-
 task runStartUpCheck(type: Test) {
     group 'integration tests'
     description "Check that the API Mediation Layer is up and running"
@@ -176,14 +175,14 @@ task runAllIntegrationTests(type: Test) {
     outputs.upToDateWhen { false }
 }
 
-task runAllIntegrationTestsForZoweTestingOnZos(type: Test) {
+task runAllIntegrationTestsForZoweNonHaTestingOnZos(type: Test) {
     // This task is intended to run on z/OS systems with some limitations:
-    // Only 1 Gateway
+    // Only 1 Gateway (Non-HA mode)
     // z/OSMF Authentication provider only
     // No support for SAF ID Tokens
 
     group "Integration tests"
-    description "Run all integration tests for Zowe testing on z/OS (limited)"
+    description "Run all integration tests for Zowe Non-HA testing on z/OS (limited)"
 
     def targetSystem = System.getenv("ZOS_TARGET_SYS") ? "-" + System.getenv("ZOS_TARGET_SYS") : ""
     systemProperty "environment.config", targetSystem
@@ -210,7 +209,58 @@ task runAllIntegrationTestsForZoweTestingOnZos(type: Test) {
             'SafIdTokenTest'
         )
     }
+
+    debugOptions {
+        port = 5005
+        suspend = true
+        server = true
+    }
+    outputs.upToDateWhen { false }
+}
+
+task runAllIntegrationTestsForZoweHaTestingOnZos(type: Test) {
+    // This task is intended to run on z/OS systems with some limitations:
+    // More than 1 Gateway (HA mode)
+    // z/OSMF Authentication provider only
+    // No support for SAF ID Tokens
+
+    group "Integration tests"
+    description "Run all integration tests for Zowe HA testing on z/OS (limited)"
+
+    def targetSystem = System.getenv("ZOS_TARGET_SYS") ? "-" + System.getenv("ZOS_TARGET_SYS") : ""
+    systemProperty "environment.config", targetSystem
+    systemProperty "environment.zos.target", "true"
+    systemProperty "environment.ha", true
+    systemProperties System.properties
+    systemProperties.remove('java.endorsed.dirs')
+
+    useJUnitPlatform {
+        excludeTags(
+            'StartupCheck',
+            'EnvironmentCheck',
+            'AdditionalLocalTest',
+            'TestsNotMeantForZowe',
+            'DiscoverableClientDependentTest',
+            'OktaOauth2Test',
+            'MultipleRegistrationsTest',
+            'NotForMainframeTest',
+            'ApiCatalogStandaloneTest',
+            'SAFProviderTest',
+            'CloudGatewayProxyTest',
+            'SafIdTokenTest',
+            'ChaoticHATest',
+            'GraphQLTest'
+        )
+    }
+
+    debugOptions {
+        port = 5005
+        suspend = true
+        server = true
+    }
+
     outputs.upToDateWhen { false }
+    outputs.cacheIf { false }
 }
 
 task runAllIntegrationTestsForZoweTesting(type: Test) {
@@ -362,6 +412,7 @@ task runCloudGatewayProxyTest(type: Test) {
         )
     }
 }
+
 task runCloudGatewayServiceRoutingTest(type: Test) {
     group "integration tests"
     description "Run tests verifying cloud gateway can locate service and translate auth scheme"
@@ -529,11 +580,14 @@ task runLbHaTests(type: Test) {
 task runChaoticHATests(type: Test) {
     group "Integration tests"
     description "Run Chaotic tests verifying High Availability"
-    dependsOn startUpCheck
+
+    def targetSystem = System.getenv("ZOS_TARGET_SYS") ? "-" + System.getenv("ZOS_TARGET_SYS") : ""
+    systemProperty "environment.config", targetSystem
+    systemProperty "environment.zos.target", "true"
+    systemProperty "environment.ha", true
 
     outputs.cacheIf { false }
 
-    systemProperty "environment.ha", true
     systemProperties System.getProperties()
     useJUnitPlatform {
         includeTags(