feat: ZAAS /safIdt endpoint to generate SAF ID token for authenticated user

gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/TokenCreationService.java

@@ -18,12 +18,14 @@
 import org.springframework.stereotype.Service;
 import org.zowe.apiml.gateway.security.login.Providers;
 import org.zowe.apiml.gateway.security.login.zosmf.ZosmfAuthenticationProvider;
+import org.zowe.apiml.gateway.security.service.saf.SafIdtProvider;
 import org.zowe.apiml.gateway.security.service.zosmf.ZosmfService;
 import org.zowe.apiml.passticket.IRRPassTicketGenerationException;
 import org.zowe.apiml.passticket.PassTicketService;
 import org.zowe.apiml.security.common.error.AuthenticationTokenException;
 import org.zowe.apiml.security.common.token.TokenAuthentication;
 
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.Map;
 import java.util.Optional;
@@ -37,6 +39,7 @@ public class TokenCreationService {
     private final ZosmfService zosmfService;
     private final PassTicketService passTicketService;
     private final AuthenticationService authenticationService;
+    private final SafIdtProvider safIdtProvider;
 
     @Value("${apiml.security.zosmf.applid:IZUDFLT}")
     protected String zosmfApplId;
@@ -74,6 +77,17 @@ public Map<ZosmfService.TokenType, String> createZosmfTokensWithoutCredentials(S
         return zosmfService.authenticate(new UsernamePasswordAuthenticationToken(user, passTicket)).getTokens();
     }
 
+    public String createSafIdTokenWithoutCredentials(String user, String applId) throws IRRPassTicketGenerationException {
+
+        char[] passTicket = "".toCharArray();
+        try {
+            passTicket = passTicketService.generate(user, applId).toCharArray();
+            return safIdtProvider.generate(user, passTicket, applId);
+        } finally {
+            Arrays.fill(passTicket, (char) 0);
+        }
+    }
+
     private boolean isZosmfAvailable() {
         try {
             return providers.isZosfmUsed() && providers.isZosmfAvailable();

gateway-service/src/main/java/org/zowe/apiml/gateway/zaas/ZaasController.java

@@ -18,6 +18,7 @@
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.*;
+import org.zowe.apiml.gateway.security.service.TokenCreationService;
 import org.zowe.apiml.gateway.security.service.schema.source.AuthSource;
 import org.zowe.apiml.gateway.security.service.schema.source.AuthSourceService;
 import org.zowe.apiml.gateway.security.service.zosmf.ZosmfService;
@@ -44,6 +45,7 @@ public class ZaasController {
     private final MessageService messageService;
     private final PassTicketService passTicketService;
     private final ZosmfService zosmfService;
+    private final TokenCreationService tokenCreationService;
 
     @PostMapping(path = "ticket", produces = MediaType.APPLICATION_JSON_VALUE)
     @Operation(summary = "Provides PassTicket for authenticated user.")
@@ -116,4 +118,43 @@ public ResponseEntity<Object> getZoweJwt(@RequestAttribute(AUTH_SOURCE_ATTR) Aut
         }
     }
 
+    @PostMapping(path = "safIdt", produces = MediaType.APPLICATION_JSON_VALUE)
+    @Operation(summary = "Provides SAF Identity Token for authenticated user.")
+    public ResponseEntity<Object> getSafIdToken(@RequestBody TicketRequest ticketRequest, @RequestAttribute(AUTH_SOURCE_PARSED_ATTR) AuthSource.Parsed authSourceParsed) {
+
+        final String userId = authSourceParsed.getUserId();
+        if (StringUtils.isEmpty(userId)) {
+            return ResponseEntity
+                .status(HttpStatus.UNAUTHORIZED)
+                .build();
+        }
+
+        final String applicationName = ticketRequest.getApplicationName();
+        if (StringUtils.isBlank(applicationName)) {
+            ApiMessageView messageView = messageService.createMessage("org.zowe.apiml.security.ticket.invalidApplicationName").mapToView();
+            return ResponseEntity
+                .status(HttpStatus.BAD_REQUEST)
+                .body(messageView);
+        }
+
+        try {
+            String safIdToken = tokenCreationService.createSafIdTokenWithoutCredentials(userId, applicationName);
+            return ResponseEntity
+                .status(HttpStatus.OK)
+                .body(new ZaasTokenResponse(null, safIdToken));
+
+        } catch (IRRPassTicketGenerationException e) {
+            ApiMessageView messageView = messageService.createMessage("org.zowe.apiml.security.ticket.generateFailed",
+                e.getErrorCode().getMessage()).mapToView();
+            return ResponseEntity
+                .status(e.getHttpStatus())
+                .body(messageView);
+        } catch (Exception e) {
+            ApiMessageView messageView = messageService.createMessage("org.zowe.apiml.security.idt.failed", e.getMessage()).mapToView();
+            return ResponseEntity
+                .status(HttpStatus.INTERNAL_SERVER_ERROR)
+                .body(messageView);
+        }
+    }
+
 }

gateway-service/src/test/java/org/zowe/apiml/gateway/security/service/TokenCreationServiceTest.java

@@ -19,6 +19,8 @@
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.zowe.apiml.gateway.security.login.Providers;
 import org.zowe.apiml.gateway.security.login.zosmf.ZosmfAuthenticationProvider;
+import org.zowe.apiml.gateway.security.service.saf.SafIdtException;
+import org.zowe.apiml.gateway.security.service.saf.SafIdtProvider;
 import org.zowe.apiml.gateway.security.service.zosmf.ZosmfService;
 import org.zowe.apiml.passticket.IRRPassTicketGenerationException;
 import org.zowe.apiml.passticket.PassTicketService;
@@ -58,15 +60,19 @@ class TokenCreationServiceTest {
     @Mock
     private ZosmfService zosmfService;
 
+    @Mock
+    private SafIdtProvider safIdtProvider;
+
     private final String VALID_USER_ID = "validUserId";
     private final String VALID_ZOSMF_TOKEN = "validZosmfToken";
     private final String VALID_APIML_TOKEN = "validApimlToken";
     private final String PASSTICKET = "passTicket";
     private final String VALID_ZOSMF_APPLID = "IZUDFLT";
+    private final String VALID_SAFIDT = "validSAFIdentityToken";
 
     @BeforeEach
     void setUp() {
-        underTest = new TokenCreationService(providers, Optional.of(zosmfAuthenticationProvider), zosmfService, passTicketService, authenticationService);
+        underTest = new TokenCreationService(providers, Optional.of(zosmfAuthenticationProvider), zosmfService, passTicketService, authenticationService, safIdtProvider);
         underTest.zosmfApplId = "IZUDFLT";
     }
 
@@ -140,4 +146,36 @@ void givenZosmfAvailable_whenCreatingZosmfToken_thenReturnEmptyResult() throws I
         assertEquals(expectedTokens, tokens);
     }
 
+    @Test
+    void givenPassTicketGenerated_whenCreatingSafIdToken_thenTokenReturned() throws IRRPassTicketGenerationException {
+        when(passTicketService.generate(VALID_USER_ID, VALID_ZOSMF_APPLID)).thenReturn(PASSTICKET);
+        when(safIdtProvider.generate(VALID_USER_ID, PASSTICKET.toCharArray(), VALID_ZOSMF_APPLID)).thenReturn(VALID_SAFIDT);
+
+        String safIdt = underTest.createSafIdTokenWithoutCredentials(VALID_USER_ID, VALID_ZOSMF_APPLID);
+
+        assertEquals(VALID_SAFIDT, safIdt);
+    }
+
+    @Test
+    void givenPassTicketException_whenCreatingSafIdToken_thenExceptionThrown() throws IRRPassTicketGenerationException {
+        when(passTicketService.generate(VALID_USER_ID, VALID_ZOSMF_APPLID)).thenThrow(new IRRPassTicketGenerationException(8, 8, 8));
+
+        Exception e = assertThrows(IRRPassTicketGenerationException.class, () -> {
+                underTest.createSafIdTokenWithoutCredentials(VALID_USER_ID, VALID_ZOSMF_APPLID);
+            });
+
+        assertEquals(e.getMessage(), "Error on generation of PassTicket: An internal error was encountered.");
+    }
+
+    @Test
+    void givenSafIdtException_whenCreatingSafIdToken_thenExceptionThrown() throws IRRPassTicketGenerationException {
+        when(passTicketService.generate(VALID_USER_ID, VALID_ZOSMF_APPLID)).thenReturn(PASSTICKET);
+        when(safIdtProvider.generate(VALID_USER_ID, PASSTICKET.toCharArray(), VALID_ZOSMF_APPLID)).thenThrow(new SafIdtException("Test exception"));
+
+        Exception e = assertThrows(SafIdtException.class, () -> {
+            underTest.createSafIdTokenWithoutCredentials(VALID_USER_ID, VALID_ZOSMF_APPLID);
+        });
+
+        assertEquals(e.getMessage(), "Test exception");
+    }
 }

gateway-service/src/test/java/org/zowe/apiml/gateway/zaas/ZaasControllerTest.java

@@ -23,6 +23,8 @@
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+import org.zowe.apiml.gateway.security.service.TokenCreationService;
+import org.zowe.apiml.gateway.security.service.saf.SafIdtException;
 import org.zowe.apiml.gateway.security.service.schema.source.AuthSource;
 import org.zowe.apiml.gateway.security.service.schema.source.AuthSourceService;
 import org.zowe.apiml.gateway.security.service.schema.source.JwtAuthSource;
@@ -62,6 +64,9 @@ class ZaasControllerTest {
     @Mock
     private ZosmfService zosmfService;
 
+    @Mock
+    private TokenCreationService tokenCreationService;
+
     private MockMvc mockMvc;
     private JSONObject ticketBody;
     private AuthSource authSource;
@@ -70,18 +75,20 @@ class ZaasControllerTest {
     private static final String PASSTICKET_URL = "/gateway/zaas/ticket";
     private static final String ZOSMF_TOKEN_URL = "/gateway/zaas/zosmf";
     private static final String ZOWE_TOKEN_URL = "/gateway/zaas/zoweJwt";
+    private static final String SAFIDT_URL = "/gateway/zaas/safIdt";
 
     private static final String USER = "test_user";
     private static final String PASSTICKET = "test_passticket";
     private static final String APPLID = "test_applid";
     private static final String JWT_TOKEN = "jwt_test_token";
+    private static final String SAFIDT = "saf_id_token";
 
     @BeforeEach
     void setUp() throws IRRPassTicketGenerationException, JSONException {
         MessageService messageService = new YamlMessageService("/gateway-messages.yml");
 
         when(passTicketService.generate(anyString(), anyString())).thenReturn(PASSTICKET);
-        ZaasController zaasController = new ZaasController(authSourceService, messageService, passTicketService, zosmfService);
+        ZaasController zaasController = new ZaasController(authSourceService, messageService, passTicketService, zosmfService, tokenCreationService);
         mockMvc = MockMvcBuilders.standaloneSetup(zaasController).build();
         ticketBody = new JSONObject()
             .put("applicationName", APPLID);
@@ -146,16 +153,40 @@ void whenRequestPassticketAndNoApplNameProvided_thenBadRequest() throws Exceptio
                 .andExpect(jsonPath("$.messages[0].messageContent", is("The 'applicationName' parameter name is missing.")));
         }
 
+        @Test
+        void whenRequestSafIdtAndApplNameProvided_thenResponseOk() throws Exception {
+            when(tokenCreationService.createSafIdTokenWithoutCredentials(USER, APPLID)).thenReturn(SAFIDT);
+            mockMvc.perform(post(SAFIDT_URL)
+                    .contentType(MediaType.APPLICATION_JSON)
+                    .content(ticketBody.toString())
+                    .requestAttr(AUTH_SOURCE_PARSED_ATTR, authParsedSource))
+                .andExpect(status().is(SC_OK))
+                .andExpect(jsonPath("$.safIdToken", is(SAFIDT)));
+        }
+
+        @Test
+        void whenRequestSafIdtAndNoApplNameProvided_thenBadRequest() throws Exception {
+            when(tokenCreationService.createSafIdTokenWithoutCredentials(USER, APPLID)).thenReturn(SAFIDT);
+            ticketBody.put("applicationName", "");
+
+            mockMvc.perform(post(SAFIDT_URL)
+                    .contentType(MediaType.APPLICATION_JSON)
+                    .content(ticketBody.toString())
+                    .requestAttr(AUTH_SOURCE_PARSED_ATTR, authParsedSource))
+                .andExpect(status().is(SC_BAD_REQUEST))
+                .andExpect(jsonPath("$.messages", hasSize(1)))
+                .andExpect(jsonPath("$.messages[0].messageType").value("ERROR"))
+                .andExpect(jsonPath("$.messages[0].messageNumber").value("ZWEAG140E"))
+                .andExpect(jsonPath("$.messages[0].messageContent", is("The 'applicationName' parameter name is missing.")));
+        }
+
         @Nested
         class WhenExceptionOccurs {
 
-            @BeforeEach
-            void setUp() throws IRRPassTicketGenerationException {
-                when(passTicketService.generate(anyString(), anyString())).thenThrow(new IRRPassTicketGenerationException(8, 8, 8));
-            }
-
             @Test
             void whenRequestingPassticket_thenInternalServerError() throws Exception {
+                when(passTicketService.generate(USER, APPLID)).thenThrow(new IRRPassTicketGenerationException(8, 8, 8));
+
                 mockMvc.perform(post(PASSTICKET_URL)
                         .contentType(MediaType.APPLICATION_JSON)
                         .content(ticketBody.toString())
@@ -196,6 +227,35 @@ void whenRequestingZoweTokens_thenInternalServerError() throws Exception {
                     .andExpect(jsonPath("$.messages[0].messageContent", containsString(expectedMessage)));
             }
 
+            @Test
+            void whenRequestingSafIdtAndPassticketException_thenInternalServerError() throws Exception {
+                when(passTicketService.generate(USER, APPLID)).thenThrow(new IRRPassTicketGenerationException(8, 8, 8));
+
+                mockMvc.perform(post(SAFIDT_URL)
+                        .contentType(MediaType.APPLICATION_JSON)
+                        .content(ticketBody.toString())
+                        .requestAttr(AUTH_SOURCE_PARSED_ATTR, authParsedSource))
+                    .andExpect(status().is(SC_INTERNAL_SERVER_ERROR))
+                    .andExpect(jsonPath("$.messages", hasSize(1)))
+                    .andExpect(jsonPath("$.messages[0].messageType").value("ERROR"))
+                    .andExpect(jsonPath("$.messages[0].messageNumber").value("ZWEAG141E"))
+                    .andExpect(jsonPath("$.messages[0].messageContent", is("The generation of the PassTicket failed. Reason: An internal error was encountered.")));
+            }
+
+            @Test
+            void whenRequestingSafIdtAndSafIdtException_thenInternalServerError() throws Exception {
+                when(tokenCreationService.createSafIdTokenWithoutCredentials(USER, APPLID)).thenThrow(new SafIdtException("Test exception message."));
+
+                mockMvc.perform(post(SAFIDT_URL)
+                        .contentType(MediaType.APPLICATION_JSON)
+                        .content(ticketBody.toString())
+                        .requestAttr(AUTH_SOURCE_PARSED_ATTR, authParsedSource))
+                    .andExpect(status().is(SC_INTERNAL_SERVER_ERROR))
+                    .andExpect(jsonPath("$.messages", hasSize(1)))
+                    .andExpect(jsonPath("$.messages[0].messageType").value("ERROR"))
+                    .andExpect(jsonPath("$.messages[0].messageNumber").value("ZWEAG150E"))
+                    .andExpect(jsonPath("$.messages[0].messageContent", is("SAF IDT generation failed. Reason: Test exception message.")));
+            }
         }
     }
 
@@ -208,7 +268,7 @@ void setUp() {
         }
 
         @ParameterizedTest
-        @ValueSource(strings = {PASSTICKET_URL})
+        @ValueSource(strings = {PASSTICKET_URL, SAFIDT_URL})
         void thenRespondUnauthorized(String url) throws Exception {
             mockMvc.perform(post(url)
                     .contentType(MediaType.APPLICATION_JSON)