8000 Endpoint `/zaas/api/v1/auth/keys/public` does not support PAT · Issue #4175 · zowe/api-layer · GitHub
Endpoint /zaas/api/v1/auth/keys/public does not support PAT #4175
Open
@pj892031

Description

@pj892031

There is an endpoint to obtain public keys used for signing JWT, but it doesn't support all cases. Basically it returns the APIML or z/OSMF one. There is even a check that only one key is available at one moment. It should also support the situation when z/OSMF is used and PAT are enabled. In this scenario both keys should be returned. In theory we can take care of the OIDC provider too.

The implementation that is trying to identify what type of token is used is not bad in general, but it is not helping at all. We should return the Zowe certificate if PAT is enabled, the SAF provider or z/OSMF provides just an LTPA2 token, and z/OSMF if the provider is set to zosmf. I guess the simplification to always return the Zowe certificate, and the z/OSMF one in case it is set as provider, is good enough.

```java
@GetMapping(path = PUBLIC_KEYS_PATH, produces = MediaType.APPLICATION_JSON_VALUE)
@ResponseBody
@Operation(summary = "Get the public key of certificate that is used by the Gateway to sign tokens",
    tags = {"Security"},
    operationId = "getCurrentPublicKeys",
    description = "This endpoint returns JWK of currently used key, which can verify sign outside the Gateway for this moment. It filters JWK by current settings of Zowe and z/OSMF."
)
@ApiResponses(value = {
    @ApiResponse(responseCode = "200", description = "OK",
        content = @Content(
            mediaType = MediaType.APPLICATION_JSON_VALUE,
            schema = @Schema(type = "string", description = "Certificate in the PEM format")
        )
    )
})
public ResponseEntity<Object> getPublicKeyUsedForSigning() {
    List<JWK> publicKeys = getCurrentKey();
    if (publicKeys.isEmpty()) {
        log.debug("JWT setup was not yet initialized so there is no public key for response.");
        return new ResponseEntity<>(messageService.createMessage("org.zowe.apiml.zaas.keys.unknownState").mapToApiMessage(), HttpStatus.INTERNAL_SERVER_ERROR);
    }
    if (publicKeys.size() != 1) {
        log.error("There are incorrect number of public keys returned from JWT producer: {}. Number of entries: {}", jwtSecurity.actualJwtProducer(), publicKeys.size());
        return new ResponseEntity<>(messageService.createMessage("org.zowe.apiml.zaas.keys.wrongAmount", publicKeys.size()).mapToApiMessage(), HttpStatus.INTERNAL_SERVER_ERROR);
    }
    try {
        PublicKey key = publicKeys.get(0)
            .toRSAKey()
            .toPublicKey();
        return new ResponseEntity<>(getPublicKeyAsPem(key), HttpStatus.OK);
    } catch (IOException | JOSEException ex) {
        log.error("It was not possible to get public key for JWK, exception message: {}", ex.getMessage());
        return new ResponseEntity<>(messageService.createMessage("org.zowe.apiml.zaas.unknown").mapToApiMessage(), HttpStatus.INTERNAL_SERVER_ERROR);
    }
}

private List<JWK> getCurrentKey() {
    JwtSecurity.JwtProducer producer = jwtSecurity.actualJwtProducer();
    JWKSet currentKey;
    switch (producer) {
        case ZOSMF:
            currentKey = zosmfService.getPublicKeys();
            break;
        case APIML:
            currentKey = jwtSecurity.getPublicKeyInSet();
            break;
        default:
            // return 500 as we just don't know yet.
            return Collections.emptyList();
    }
    return currentKey.getKeys();
}
```

The same code was used also during Modulith implementation, so you can find the same code in there (see methods getCurrentKey and public Mono<ResponseEntity<Object>> getPublicKeyUsedForSigning()). The code part of PR #4108: https://github.com/zowe/api-layer/pull/4108/files/410ac68fd0290887542c8704eb2a7041d6bc1b0e#diff-49b0848928548b8f36fe20747dcd2935c7d17114a60c64c6beee2ba0ba4f9f21


This issue is based on the conversation https://github.com/zowe/api-layer/pull/4108/files/410ac68fd0290887542c8704eb2a7041d6bc1b0e#r2142632267.
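The following is an added illustration of the key-selection rule proposed in this issue; it is not code from the api-layer project. The `JwtProducer` enum, the `patEnabled` flag and the two static `JWKSet` fields are assumptions standing in for `jwtSecurity.actualJwtProducer()`, the PAT configuration, `jwtSecurity.getPublicKeyInSet()` and `zosmfService.getPublicKeys()`. It collects every key a verifier may legitimately meet into one JWK Set (instead of insisting on exactly one) and shows the verifier side picking the key by `kid`, which is information a single PEM body cannot carry. Keys are generated in-process so the example runs offline with only nimbus-jose-jwt on the classpath.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;

import java.util.ArrayList;
import java.util.List;

public class PublicKeysExample {

    // Assumed stand-in for JwtSecurity.JwtProducer.
    enum JwtProducer { APIML, ZOSMF, UNKNOWN }

    // Assumed stand-ins for jwtSecurity.getPublicKeyInSet() and zosmfService.getPublicKeys().
    static JWKSet apimlKeys;
    static JWKSet zosmfKeys;

    /**
     * Proposed selection: publish the Zowe key whenever PAT is enabled or APIML signs,
     * and the z/OSMF key whenever z/OSMF is the configured provider. Both may apply at once.
     */
    static List<JWK> currentPublicKeys(JwtProducer producer, boolean patEnabled) {
        List<JWK> keys = new ArrayList<>();
        if (patEnabled || producer == JwtProducer.APIML) {
            keys.addAll(apimlKeys.getKeys());
        }
        if (producer == JwtProducer.ZOSMF) {
            keys.addAll(zosmfKeys.getKeys());
        }
        // May still be empty (UNKNOWN producer, PAT off): the endpoint keeps answering 500 for that case.
        return keys;
    }

    /** Verifier side: select the signing key by the token's kid from the published set. */
    static boolean verify(String compactJws, JWKSet published) throws Exception {
        JWSObject jws = JWSObject.parse(compactJws);
        String kid = jws.getHeader().getKeyID();
        JWK key = published.getKeyByKeyId(kid);
        if (key == null) {
            return false; // unknown kid: reject rather than try every key
        }
        JWSVerifier verifier = new RSASSAVerifier(key.toRSAKey());
        return jws.verify(verifier);
    }

    public static void main(String[] args) throws Exception {
        // Constructed keys; kids are placeholders, not values the project uses.
        RSAKey zowe = new RSAKeyGenerator(2048).keyID("apiml-example").generate();
        RSAKey zosmf = new RSAKeyGenerator(2048).keyID("zosmf-example").generate();
        apimlKeys = new JWKSet(zowe.toPublicJWK());
        zosmfKeys = new JWKSet(zosmf.toPublicJWK());

        // z/OSMF is the provider and PAT is enabled: the scenario from the issue, both keys published.
        JWKSet published = new JWKSet(currentPublicKeys(JwtProducer.ZOSMF, true));
        System.out.println(published.toJSONObject(true)); // two entries, private parts omitted

        // A PAT signed with the Zowe key verifies against the published set.
        JWSObject pat = new JWSObject(
            new JWSHeader.Builder(JWSAlgorithm.RS256).keyID("apiml-example").build(),
            new Payload("{\"sub\":\"user\"}"));
        pat.sign(new RSASSASigner(zowe));
        System.out.println(verify(pat.serialize(), published));

        // With PAT disabled only the z/OSMF key is published, so the same PAT is rejected.
        JWKSet zosmfOnly = new JWKSet(currentPublicKeys(JwtProducer.ZOSMF, false));
        System.out.println(verify(pat.serialize(), zosmfOnly));
    }
}
```

The design point is that the published set, not the endpoint, decides which tokens a relying party will accept: an out-of-process verifier that only ever sees one PEM cannot validate a PAT while z/OSMF is the provider, whereas a JWK Set with distinct `kid` values lets it accept both without guessing.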

Metadata
Assignees: No one assigned
Type: No type
Projects: None
Status: Icebox
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests