zowe · achmelo · Jul 18, 2024 · Jul 16, 2024 · Jul 16, 2024 · Jul 17, 2024
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
@@ -714,66 +714,6 @@ jobs:
 
             -   uses: ./.github/actions/teardown
 
-    CITestsInternalPort:
-        needs: PublishJibContainers
-        runs-on: ubuntu-latest
-        container: ubuntu:latest
-        timeout-minutes: 15
-
-        services:
-            api-catalog-services:
-                image: ghcr.io/balhar-jakub/api-catalog-services:${{ github.run_id }}-${{ github.run_number }}
-                volumes:
-                    - /api-defs:/api-defs
-            caching-service:
-                image: ghcr.io/balhar-jakub/caching-service:${{ github.run_id }}-${{ github.run_number }}
-            discoverable-client:
-                image: ghcr.io/balhar-jakub/discoverable-client:${{ github.run_id }}-${{ github.run_number }}
-            discovery-service:
-                image: ghcr.io/balhar-jakub/discovery-service:${{ github.run_id }}-${{ github.run_number }}
-                volumes:
-                    - /api-defs:/api-defs
-            zaas-service:
-                image: ghcr.io/balhar-jakub/zaas-service:${{ github.run_id }}-${{ github.run_number }}
-                env:
-                    APIML_SECURITY_X509_ENABLED: true
-                    APIML_SECURITY_X509_ACCEPTFORWARDEDCERT: true
-                    APIML_SECURITY_X509_CERTIFICATESURL: https://gateway-service:10010/gateway/certificates
-            gateway-service:
-                image: ghcr.io/balhar-jakub/gateway-service:${{ github.run_id }}-${{ github.run_number }}
-                env:
-                    APIML_SECURITY_AUTH_JWT_CUSTOMAUTHHEADER: customJwtHeader
-                    APIML_SECURITY_AUTH_PASSTICKET_CUSTOMUSERHEADER: customUserHeader
-                    APIML_SECURITY_AUTH_PASSTICKET_CUSTOMAUTHHEADER: customPassticketHeader
-            mock-services:
-                image: ghcr.io/balhar-jakub/mock-services:${{ github.run_id }}-${{ github.run_number }}
-
-        steps:
-            -   uses: actions/checkout@v4
-                with:
-                    ref: ${{ github.head_ref }}
-
-            -   uses: ./.github/actions/setup
-
-            -   name: Build with Gradle
-                run: >
-                    ./gradlew :integration-tests:runBaseTestsInternalPort --info -Denvironment.config=-docker -Denvironment.offPlatform=true
-                    -Partifactory_user=${{ secrets.ARTIFACTORY_USERNAME }} -Partifactory_password=${{ secrets.ARTIFACTORY_PASSWORD }}
-
-            -   uses: ./.github/actions/dump-jacoco
-                if: always()
-
-            -   name: Store results
-                uses: actions/upload-artifact@v4
-                if: always()
-                with:
-                    name: ContainerCITestsInternalPort-${{ env.JOB_ID }}
-                    path: |
-                        integration-tests/build/reports/**
-                        results/**
-
-            -   uses: ./.github/actions/teardown
-
     CITestsWithRedisReplica:
         needs: PublishJibContainers
         runs-on: ubuntu-latest
@@ -964,7 +904,6 @@ jobs:
                 image: ghcr.io/balhar-jakub/gateway-service:${{ github.run_id }}-${{ github.run_number }}
                 env:
                     APIML_SERVICE_HOSTNAME: gateway-service-2
-                    SERVER_INTERNAL_PORT: 10027
                     APIML_SERVICE_DISCOVERYSERVICEURLS: https://discovery-service:10011/eureka/,https://discovery-service-2:10011/eureka/
         steps:
             -   uses: actions/checkout@v4
@@ -1046,7 +985,6 @@ jobs:
                 image: ghcr.io/balhar-jakub/gateway-service:${{ github.run_id }}-${{ github.run_number }}
                 env:
                     APIML_SERVICE_HOSTNAME: gateway-service-2
-                    SERVER_INTERNAL_PORT: 10027
                     APIML_SERVICE_DISCOVERYSERVICEURLS: https://discovery-service:10011/eureka/,https://discovery-service-2:10011/eureka/
                     APIML_ROUTING_INSTANCEIDHEADER: true
                     APIML_LOADBALANCER_DISTRIBUTE: true
@@ -1136,7 +1074,6 @@ jobs:
                 image: ghcr.io/balhar-jakub/gateway-service:${{ github.run_id }}-${{ github.run_number }}
                 env:
                     APIML_SERVICE_HOSTNAME: gateway-service-2
-                    SERVER_INTERNAL_PORT: 10027
                     APIML_SERVICE_DISCOVERYSERVICEURLS: https://discovery-service:10011/eureka/,https://discovery-service-2:10011/eureka/
         steps:
             -   uses: actions/checkout@v4
@@ -1210,7 +1147,6 @@ jobs:
                 image: ghcr.io/balhar-jakub/gateway-service:${{ github.run_id }}-${{ github.run_number }}
                 env:
                     APIML_SERVICE_HOSTNAME: gateway-service-2
-                    SERVER_INTERNAL_PORT: 10027
                     APIML_SERVICE_DISCOVERYSERVICEURLS: https://discovery-service:10011/eureka/,https://discovery-service-2:10011/eureka/
         steps:
             -   uses: actions/checkout@v4
@@ -1288,7 +1224,6 @@ jobs:
                 image: ghcr.io/balhar-jakub/gateway-service:${{ github.run_id }}-${{ github.run_number }}
                 env:
                     APIML_SERVICE_HOSTNAME: gateway-service-2
-                    SERVER_INTERNAL_PORT: 10027
                     APIML_SERVICE_DISCOVERYSERVICEURLS: https://discovery-service:10011/eureka/,https://discovery-service-2:10011/eureka/
         steps:
             -   uses: actions/checkout@v4
@@ -1366,7 +1301,6 @@ jobs:
                 image: ghcr.io/balhar-jakub/gateway-service:${{ github.run_id }}-${{ github.run_number }}
                 env:
                     APIML_SERVICE_HOSTNAME: gateway-service-2
-                    SERVER_INTERNAL_PORT: 10027
                     APIML_SERVICE_DISCOVERYSERVICEURLS: https://discovery-service:10011/eureka/,https://discovery-service-2:10011/eureka/
         steps:
             -   uses: actions/checkout@v4
@@ -1611,7 +1545,7 @@ jobs:
             -   uses: ./.github/actions/teardown
 
     PublishResults:
-        needs: [ CITests,CITestsWithInfinispan,CITestsZosmfRsu2012,CITestsZaas,CITestsInternalPort,GatewayProxy,GatewayServiceRouting ]
+        needs: [ CITests,CITestsWithInfinispan,CITestsZosmfRsu2012,CITestsZaas,GatewayProxy,GatewayServiceRouting ]
         runs-on: ubuntu-latest
         timeout-minutes: 20
 
@@ -1635,10 +1569,6 @@ jobs:
                 with:
                     name: ContainerCITestsZosmfRsu2012-${{ env.JOB_ID }}
                     path: containercitestszosmfrsu2012
-            -   uses: actions/download-artifact@v4
-                with:
-                    name: ContainerCITestsInternalPort-${{ env.JOB_ID }}
-                    path: containercitestsinternalport
             -   uses: actions/download-artifact@v4
                 with:
                     name: GatewayProxy-${{ env.JOB_ID }}
@@ -1654,7 +1584,7 @@ jobs:
 
             -   name: Code coverage and publish results
                 run: >
-                    ./gradlew --info coverage sonar -Dresults="containercitests/results,citestswithinfinispan/results,containercitestszosmfrsu2012/results,containercitestsinternalport/results,GatewayProxy/results,citestswebsocketchaoticha/results,GatewayServiceRouting/results,containercitestszaas/results"
+                    ./gradlew --info coverage sonar -Dresults="containercitests/results,citestswithinfinispan/results,containercitestszosmfrsu2012/results,GatewayProxy/results,citestswebsocketchaoticha/results,GatewayServiceRouting/results,containercitestszaas/results"
                     -Psonar.host.url=$SONAR_HOST_URL -Dsonar.token=$SONAR_TOKEN -Partifactory_user=$ARTIFACTORY_USERNAME -Partifactory_password=$ARTIFACTORY_PASSWORD
                 env:
                     ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }}

diff --git a/api-catalog-ui/frontend/cypress/e2e/detail-page/detail-page.cy.js b/api-catalog-ui/frontend/cypress/e2e/detail-page/detail-page.cy.js
@@ -67,7 +67,7 @@ describe('>>> Detail page test', () => {
             '#root > div > div.content > div.main > div.main-content2.detail-content > div.content-description-container > div.tabs-swagger > div.serviceTab > div.header > a'
         )
             .should('have.attr', 'href')
-            .should('contain', `${baseUrl.match(/^https?:\/\/([^/?#]+)(?:[/?#]|$)/i)[1]}/apicatalog/ui/v1`);
+            .should('contain', `${baseUrl.match(/^https?:\/\/([^/?#]+)(?:[/?#]|$)/i)[1]}/apicatalog/ui/v1`); // TODO This originally /ui/v1 but now /ui is selected for service homepage URL, see https://github.com/zowe/api-layer/issues/3652 to verify if it needs to be restored
 
         cy.get('pre.version').should('contain', '1.0.0');
 

diff --git a/api-catalog-ui/frontend/public/index.html b/api-catalog-ui/frontend/public/index.html
@@ -4,7 +4,6 @@
     <meta charset="utf-8">
     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
     <meta name="theme-color" content="#000000">
-    <meta name="referrer" content="origin">
     <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
     <!--
       manifest.json provides metadata used when your web app is added to the

diff --git a/common-service-core/src/main/java/org/zowe/apiml/product/routing/RoutedServices.java b/common-service-core/src/main/java/org/zowe/apiml/product/routing/RoutedServices.java
@@ -53,7 +53,6 @@ public RoutedService getBestMatchingServiceUrl(String serviceUrl, ServiceType ty
             if (isServiceTypeMatch(serviceEntry, type)) {
                 RoutedService value = serviceEntry.getValue();
                 int size = value.getServiceUrl().length();
-                //Remove last slash for service url
                 String routeServiceUrl = UrlUtils.removeLastSlash(value.getServiceUrl().toLowerCase());
                 if (size > maxSize && serviceUrl.toLowerCase().startsWith(routeServiceUrl)) {
                     result = value;

diff --git a/gateway-package/src/main/resources/bin/start.sh b/gateway-package/src/main/resources/bin/start.sh
@@ -186,15 +186,15 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${GATEWAY_CODE} java \
     -Dapiml.security.x509.registry.allowedUsers=${ZWE_configs_apiml_security_x509_registry_allowedUsers:-} \
     -Dapiml.service.hostname=${ZWE_haInstance_hostname:-localhost} \
     -Dapiml.service.port=${ZWE_configs_port:-7554} \
-    -Dapiml.service.forwardClientCertEnabled=${ZWE_configs_apiml_service_forwardClientCertEnabled:-false} \
+    -Dapiml.service.forwardClientCertEnabled=${ZWE_configs_apiml_security_x509_enabled:-false} \
     -Dapiml.service.externalUrl="${externalProtocol}://${ZWE_zowe_externalDomains_0}:${ZWE_zowe_externalPort}" \
     -Dapiml.security.x509.registry.allowedUsers=${ZWE_configs_apiml_security_x509_registry_allowedUsers:-} \
     -Dapiml.service.allowEncodedSlashes=${ZWE_configs_apiml_service_allowEncodedSlashes:-true} \
     -Dapiml.connection.timeout=${ZWE_configs_apiml_connection_timeout:-60000} \
     -Dapiml.connection.idleConnectionTimeoutSeconds=${ZWE_configs_apiml_connection_idleConnectionTimeoutSeconds:-5} \
     -Dapiml.connection.timeToLive=${ZWE_configs_apiml_connection_timeToLive:-10000} \
     -Dapiml.logs.location=${ZWE_zowe_logDirectory} \
-    -Dapiml.security.ssl.verifySslCertificatesOfServices=${verifySslCertificatesOfServices:-false} \
+    -Dapiml.security.ssl.verifySslCertificatesOfServices=${verifySslCertificatesOfServices} \
     -Dapiml.security.ssl.nonStrictVerifySslCertificatesOfServices=${nonStrictVerifySslCertificatesOfServices:-false} \
     -Dapiml.security.auth.cookieProperties.cookieName=${cookieName:-apimlAuthenticationToken} \
     -Dapiml.security.auth.jwt.customAuthHeader=${ZWE_configs_apiml_security_auth_jwt_customAuthHeader:-} \
@@ -204,9 +204,9 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${GATEWAY_CODE} java \
     -Dapiml.gateway.registry.enabled=${ZWE_configs_gateway_registry_enabled:-false} \
     -Dserver.address=0.0.0.0 \
     -Deureka.client.serviceUrl.defaultZone=${ZWE_DISCOVERY_SERVICES_LIST} \
-    -Dserver.ssl.enabled=${ZWE_configs_server_ssl_enabled:-true} \
     -Dserver.maxConnectionsPerRoute=${ZWE_configs_server_maxConnectionsPerRoute:-100} \
     -Dserver.maxTotalConnections=${ZWE_configs_server_maxTotalConnections:-1000} \
+    -Dserver.ssl.enabled=${ZWE_configs_server_ssl_enabled:-true} \
     -Dserver.ssl.keyStore="${keystore_location}" \
     -Dserver.ssl.keyStoreType="${keystore_type}" \
     -Dserver.ssl.keyStorePassword="${keystore_pass}" \

diff --git a/gateway-service/src/main/java/org/zowe/apiml/gateway/config/ConnectionsConfig.java b/gateway-service/src/main/java/org/zowe/apiml/gateway/config/ConnectionsConfig.java
@@ -66,6 +66,8 @@
 import org.zowe.apiml.security.SecurityUtils;
 import org.zowe.apiml.util.CorsUtils;
 import reactor.netty.http.client.HttpClient;
+import reactor.netty.http.client.HttpClientSecurityUtils;
+import reactor.netty.tcp.SslProvider;
 
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.TrustManagerFactory;
@@ -189,13 +191,23 @@ public BeanPostProcessor routingFilterHandler(HttpClient httpClient, ObjectProvi
         SslContext justTruststore = sslContext(false);
         SslContext withKeystore = sslContext(true);
 
+        var builderJustTruststore = SslProvider.builder().sslContext(justTruststore);
+        var builderWithKeystore = SslProvider.builder().sslContext(withKeystore);
+        if (!nonStrictVerifySslCertificatesOfServices) {
+            builderJustTruststore.handlerConfigurator(HttpClientSecurityUtils.HOSTNAME_VERIFICATION_CONFIGURER);
+            builderWithKeystore.handlerConfigurator(HttpClientSecurityUtils.HOSTNAME_VERIFICATION_CONFIGURER);
+        }
+
+        // construct http clients with different SSL configuration - with / without client certs
+        var httpClientNoCert = httpClient.secure(builderJustTruststore.build());
+        var httpClientClientCert = httpClient.secure(builderWithKeystore.build());
         return new BeanPostProcessor() {
             @Override
             public Object postProcessBeforeInitialization(Object bean, String beanName) throws BeansException {
                 if ("routingFilter".equals(beanName)) {
                     log.debug("Updating routing bean {}", NettyRoutingFilterApiml.class);
                     // once is creating original bean by autoconfiguration replace it with custom implementation
-                    return new NettyRoutingFilterApiml(httpClient, headersFiltersProvider, properties, justTruststore, withKeystore);
+                    return new NettyRoutingFilterApiml(httpClientNoCert, httpClientClientCert, headersFiltersProvider, properties);
                 }
                 // do not touch any other bean
                 return bean;

diff --git a/gateway-service/src/main/java/org/zowe/apiml/gateway/config/NettyRoutingFilterApiml.java b/gateway-service/src/main/java/org/zowe/apiml/gateway/config/NettyRoutingFilterApiml.java
@@ -11,7 +11,6 @@
 package org.zowe.apiml.gateway.config;
 
 import io.netty.channel.ChannelOption;
-import io.netty.handler.ssl.SslContext;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.beans.factory.annotation.Value;
@@ -39,17 +38,15 @@ public class NettyRoutingFilterApiml extends NettyRoutingFilter {
     private int requestTimeout;
 
     public NettyRoutingFilterApiml(
-        HttpClient httpClient,
+        HttpClient httpClientNoCert,
+        HttpClient httpClientClientCert,
         ObjectProvider<List<HttpHeadersFilter>> headersFiltersProvider,
-        HttpClientProperties properties,
-        SslContext justTruststore,
-        SslContext withKeystore
+        HttpClientProperties properties
     ) {
         super(null, headersFiltersProvider, properties);
+        this.httpClientNoCert = httpClientNoCert;
+        this.httpClientClientCert = httpClientClientCert;
 
-        // construct http clients with different SSL configuration - with / without client certs
-        httpClientNoCert = httpClient.secure(sslContextSpec -> sslContextSpec.sslContext(justTruststore));
-        httpClientClientCert = httpClient.secure(sslContextSpec -> sslContextSpec.sslContext(withKeystore));
     }
 
     static Integer getInteger(Object connectTimeoutAttr) {
@@ -74,14 +71,14 @@ protected HttpClient getHttpClient(Route route, ServerWebExchange exchange) {
             // if there is configured timeout, respect it
             Integer connectTimeout = getInteger(connectTimeoutAttr);
             return httpClient
-                    .option(ChannelOption.CONNECT_TIMEOUT_MILLIS, connectTimeout)
-                    .responseTimeout(Duration.ofMillis(connectTimeout));
+                .option(ChannelOption.CONNECT_TIMEOUT_MILLIS, connectTimeout)
+                .responseTimeout(Duration.ofMillis(connectTimeout));
         }
 
         // otherwise just return selected HttpClient with the default configured timeouts
         return httpClient
-                .option(ChannelOption.CONNECT_TIMEOUT_MILLIS, requestTimeout)
-                .responseTimeout(Duration.ofMillis(requestTimeout));
+            .option(ChannelOption.CONNECT_TIMEOUT_MILLIS, requestTimeout)
+            .responseTimeout(Duration.ofMillis(requestTimeout));
     }
 
 }
diff --git a/gateway-service/src/main/java/org/zowe/apiml/gateway/config/RoutingConfig.java b/gateway-service/src/main/java/org/zowe/apiml/gateway/config/RoutingConfig.java
@@ -47,6 +47,10 @@ public List<FilterDefinition> filters() {
             filters.add(allowEncodedSlashes);
         }
 
+        var secureHeaders = new FilterDefinition();
+        secureHeaders.setName("SecureHeaders");
+        filters.add(secureHeaders);
+
         FilterDefinition circuitBreakerFilter = new FilterDefinition();
         circuitBreakerFilter.setName("CircuitBreaker");
         filters.add(circuitBreakerFilter);

diff --git a/...y-service/src/main/java/org/zowe/apiml/gateway/controllers/GatewayHomepageController.java b/...y-service/src/main/java/org/zowe/apiml/gateway/controllers/GatewayHomepageController.java
@@ -161,11 +161,7 @@ private int authorizationServiceCount() {
     private String getCatalogLink(ServiceInstance catalogInstance) {
         String gatewayUrl = catalogInstance.getMetadata().get(String.format(UI_V1_ROUTE, ROUTES, ROUTES_GATEWAY_URL));
         String serviceUrl = catalogInstance.getMetadata().get(String.format(UI_V1_ROUTE, ROUTES, ROUTES_SERVICE_URL));
-        String catalogLink = serviceUrl + gatewayUrl;
-        if (catalogLink.endsWith("/")) {
-            return catalogLink;
-        }
-        return catalogLink + "/";
+        return serviceUrl + gatewayUrl;
     }
 
 }
diff --git a/gateway-service/src/main/java/org/zowe/apiml/gateway/service/routing/ByBasePath.java b/gateway-service/src/main/java/org/zowe/apiml/gateway/service/routing/ByBasePath.java
@@ -21,10 +21,9 @@
 
 /**
  * Routing rule by path modify the path of the request. It makes this replacement:
- *
- *  from: /<serviceId>/<gatewayUrl>/<path>
- *  to: /<serviceUrl>/<path>
- *
+ * <p>
+ * from: /<serviceId>/<gatewayUrl>/<path>
+ * to: /<serviceUrl>/<path>
  */
 @Component
 public class ByBasePath extends RouteDefinitionProducer {
@@ -35,7 +34,7 @@ public ByBasePath(DiscoveryLocatorProperties properties) {
         super(properties);
     }
 
-    static String constructUrl(String...parts) {
+    static String constructUrl(String... parts) {
         StringBuilder sb = new StringBuilder();
         for (String part : parts) {
             part = StringUtils.removeFirstAndLastOccurrence(part, "/");
@@ -63,13 +62,17 @@ protected void setCondition(RouteDefinition routeDefinition, ServiceInstance ser
 
     @Override
     protected void setFilters(RouteDefinition routeDefinition, ServiceInstance serviceInstance, RoutedService routedService) {
-        FilterDefinition filter = new FilterDefinition();
-        filter.setName("RewritePath");
-
-        filter.addArg("regexp", constructUrl(serviceInstance.getServiceId(), routedService.getGatewayUrl(), "?(?<remaining>.*)"));
-        filter.addArg("replacement", constructUrl(routedService.getServiceUrl(), "${remaining}"));
+        var rewriteWithSlash = new FilterDefinition();
+        rewriteWithSlash.setName("RewritePath");
+        rewriteWithSlash.addArg("regexp", constructUrl(serviceInstance.getServiceId(), routedService.getGatewayUrl(), "/(?<remaining>.*)"));
+        rewriteWithSlash.addArg("replacement", constructUrl(routedService.getServiceUrl(), "${remaining}"));
+        routeDefinition.getFilters().add(rewriteWithSlash);
 
-        routeDefinition.getFilters().add(filter);
+        var rewriteWithoutSlash = new FilterDefinition();
+        rewriteWithoutSlash.setName("RewritePath");
+        rewriteWithoutSlash.addArg("regexp", constructUrl(serviceInstance.getServiceId(), routedService.getGatewayUrl()));
+        rewriteWithoutSlash.addArg("replacement", constructUrl(routedService.getServiceUrl()));
+        routeDefinition.getFilters().add(rewriteWithoutSlash);
     }
 
     @Override

diff --git a/gateway-service/src/main/resources/application.yml b/gateway-service/src/main/resources/application.yml
@@ -45,6 +45,13 @@ eureka:
             enabled: true
 
 spring:
+    cloud:
+        gateway:
+            filter:
+                secure-headers:
+                    disable: content-security-policy,permitted-cross-domain-policies,download-options
+                    referrer-policy: strict-origin-when-cross-origin
+                    frame-options: sameorigin
     application:
         name: gateway
     security:
@@ -85,7 +92,7 @@ apiml:
     security:
         headersToBeCleared: X-Certificate-Public,X-Certificate-DistinguishedName,X-Certificate-CommonName
         ssl:
-            nonStrictVerifySslCertificatesOfServices: true
+            nonStrictVerifySslCertificatesOfServices: false
 
 server:
     http2:
@@ -113,7 +120,7 @@ server:
     main:
         allow-circular-references: true
 
-logbackServiceName: ZWEAG1
+logbackServiceName: ZWEAGW1
 
 logging:
     level: