Issues about applying authentication scheme in GW v3 #3869

Open
pj892031 opened this issue Oct 24, 2024 · 0 comments
Labels
bug Verified defect in functionality Priority: High

Comments

@pj892031 (Contributor)

There are a couple of issues. All of them mean that the passticket scheme works well only if everything is configured correctly. If there is any error, the behaviour is strange. The bugs described below are probably valid also for other authentication schemes (where applicable).

The most critical issue for customers is when passticket is misconfigured (on the z/OS level or by an invalid service configuration). The user tries to call the service endpoint through the GW. The GW tries to obtain a passticket, but it fails, and the response of the GW is weird (response code 200 without body) and the service is not called.

To fix the issue, please consider extra validation during the generation of the passticket filter in the case of a missing applid. RouteLocator should check if the applid is set. If not, it should issue a warning message and skip configuring the authentication scheme filter.

Calling a non-existing endpoint

Steps to Reproduce

  1. open https://localhost:10023/unknownEndpoint
  • the body (message) is correct
  • the response code is 500

Expected behavior

The response code should be 404

Wrong method type

Steps to Reproduce

  1. open https://localhost:10023/zaas/scheme/ticket with method type GET
  • the response code is 404
  • there is an empty body

Expected behavior

  • the response should be 405
  • the body should contain a JSON with a message about the unsupported method type

Missing applicationName (applid)

Steps to Reproduce

  1. call POST https://localhost:10023/zaas/scheme/ticket with JSON {} (with a signed request by Zowe client certificate)
  • response code is 400
  • there is an empty body

Expected behavior

  • there should be a body with a message about the missing argument

Wrongly configured passtickets

Steps to Reproduce

  1. call POST https://localhost:10023/zaas/scheme/ticket with JSON {"applicationName":"XBADAPPL"} (with a signed request by Zowe client certificate)
  • response code is 400
  • there is an empty body
  • there is no message about passticket configuration in the log

Expected behavior

  • the response code should be 500
  • there should be a body with a message about the missing argument
  • log contains a message with details about passticket misconfiguration

Attempt to generate a passticket even though there are no credentials in the request

Steps to Reproduce

  1. call POST https://localhost:10023/zaas/scheme/ticket with JSON {"applicationName":"APPLID"} (with a signed request by Zowe client certificate)
  • the response has a body:
    {
    "token": "",
    "userId": "usilca3x.lvn.broadcom.net",
    "applicationName": "XBADAPP",
    "ticket": "ZOWE_DUMMY_PASS_TICKET_XBADAPP_USILCA3X.LVN.BROADCOM.NET_2"
    }
  • the response code is 200
  • it tries to generate a passticket; in reality the user shouldn't exist and therefore it fails, but it should be stopped even before that

Expected behavior

  • response code 401
  • body with a message about lack of credentials

Invalid transformation of credentials

Steps to Reproduce

  1. statically onboard a service with the authentication scheme httpBasicPassTicket with applid XBADAPPL, or leave the applid empty
  2. call an endpoint of the service through the Gateway
  • the response code is 200
  • the service was not called
  • there is an empty body

Expected behavior

  • the service is called without any credential transformation
  • alternatively, the response from GW has a status 500

Details

  • Version and build number: Zowe 3.0.0 / APIML 3.0.36
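The following is an added example, not code from Zowe API ML or from the reporter. It models the behaviour this report asks for in a stand-alone Python program: a route builder that warns and skips the scheme filter when the applid is missing, a ticket endpoint that returns a status code and a message body for each failure case listed above (405, 401, 400, 500), and a gateway filter that stops the request with an error status instead of an empty 200 when passticket generation fails. All names (`ServiceConfig`, `build_route`, `ticket_endpoint`, `gateway_call`, `CONFIGURED_APPLIDS`) are hypothetical, and the ticket and applid values are constructed sample data, not real SAF calls or profiles.

```python
"""Model of the validation the report asks for. Added example, not Zowe code;
every name is hypothetical and the applid/ticket values are constructed."""
import base64
import logging
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

log = logging.getLogger("route-locator")

# Applids with a PassTicket profile on the simulated security manager
# (constructed sample data standing in for the z/OS configuration).
CONFIGURED_APPLIDS: Set[str] = {"APPLID"}


class PassTicketError(Exception):
    """Raised when no ticket can be generated for the applid."""


@dataclass
class ServiceConfig:
    service_id: str
    scheme: str                    # e.g. "httpBasicPassTicket"
    applid: Optional[str] = None   # applicationName from the service metadata


@dataclass
class Route:
    service_id: str
    filters: List[Tuple[str, str]] = field(default_factory=list)


def build_route(cfg: ServiceConfig) -> Route:
    """The check proposed for RouteLocator: a passticket scheme without applid
    logs a warning and gets no scheme filter, so the request reaches the
    service without any credential transformation."""
    route = Route(cfg.service_id)
    if cfg.scheme == "httpBasicPassTicket":
        if not cfg.applid:
            log.warning("service %s uses httpBasicPassTicket without applid; "
                        "skipping the authentication scheme filter", cfg.service_id)
        else:
            route.filters.append(("passticket", cfg.applid))
    return route


def generate_passticket(user_id: str, applid: str) -> str:
    """Stand-in for the SAF call; fails for applids without a profile."""
    if applid not in CONFIGURED_APPLIDS:
        raise PassTicketError(f"no PassTicket profile for applid {applid}")
    return f"TICKET-{applid}-{user_id}"   # constructed, not a real ticket


def ticket_endpoint(method: str, body: Dict[str, str],
                    user_id: Optional[str]) -> Tuple[int, Dict[str, str]]:
    """/zaas/scheme/ticket as the report expects it: each failure gets a
    status that names the cause and a JSON body that explains it."""
    if method != "POST":
        return 405, {"message": f"method {method} not supported, use POST"}
    if user_id is None:
        return 401, {"message": "no credentials in the request"}
    applid = body.get("applicationName")
    if not applid:
        return 400, {"message": "missing argument applicationName"}
    try:
        ticket = generate_passticket(user_id, applid)
    except PassTicketError as exc:
        log.error("passticket generation failed for %s: %s", applid, exc)
        return 500, {"message": f"passticket misconfiguration: {exc}"}
    return 200, {"userId": user_id, "applicationName": applid, "ticket": ticket}


Downstream = Callable[[Dict[str, str]], Tuple[int, str]]


def gateway_call(route: Route, user_id: Optional[str],
                 downstream: Downstream) -> Tuple[int, str, bool]:
    """Run the route's scheme filters, then call the service.
    Returns (status, body, service_called); a failing filter ends the request
    with an error status instead of the empty 200 described in the report."""
    headers: Dict[str, str] = {}
    for name, applid in route.filters:
        if name == "passticket":
            if user_id is None:
                return 401, "no credentials to transform into a passticket", False
            try:
                ticket = generate_passticket(user_id, applid)
            except PassTicketError as exc:
                log.error("route %s: %s", route.service_id, exc)
                return 500, f"passticket misconfiguration: {exc}", False
            token = base64.b64encode(f"{user_id}:{ticket}".encode()).decode()
            headers["Authorization"] = f"Basic {token}"
    status, body = downstream(headers)
    return status, body, True


def echo_service(headers: Dict[str, str]) -> Tuple[int, str]:
    """Simulated downstream service: reports what Authorization it received."""
    return 200, "auth=" + headers.get("Authorization", "none")


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for cfg in (ServiceConfig("svc-ok", "httpBasicPassTicket", "APPLID"),
                ServiceConfig("svc-bad", "httpBasicPassTicket", "XBADAPPL"),
                ServiceConfig("svc-none", "httpBasicPassTicket", None)):
        print(cfg.service_id, gateway_call(build_route(cfg), "USER1", echo_service))
```

Running the block prints one line per service: the correctly configured route forwards a Basic header, the XBADAPPL route is stopped with a 500 and the service is not called, and the route without applid is forwarded untouched after a warning in the log, which is the "alternatively" behaviour listed under the last expected-behavior section. The order of checks in `ticket_endpoint` (method, credentials, argument, generation) is a design choice of this example and is not specified by the report.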
@pj892031 pj892031 added bug Verified defect in functionality new New issue that has not been worked on yet labels Oct 24, 2024
@pj892031 pj892031 changed the title Issues about aplying authentiction scheme in GW v3 Issues about aplying authentication scheme in GW v3 Oct 24, 2024
@balhar-jakub balhar-jakub added Priority: High and removed new New issue that has not been worked on yet labels Oct 29, 2024
@balhar-jakub balhar-jakub moved this from New to In Progress in API Mediation Layer Backlog Management Oct 29, 2024
Projects
Status: In Progress
Development

No branches or pull requests

2 participants