Skip to content

feat: apiml Spring-Modulith based module with ZAAS service #4108

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 394 commits into
base: v3.x.x
Choose a base branch
from
Open

feat: apiml Spring-Modulith based module with ZAAS service #4108

wants to merge 394 commits into from

Conversation

taban03
Copy link
Contributor

@taban03 taban03 commented May 19, 2025
edited by pablocarle
Loading

Description

Include ZAAS service as part of Spring Modulith API ML module.

Linked to # (issue)
Part of the # (epic)

Type of change

  • feat: New feature (non-breaking change which adds functionality)

Checklist:

  • My code follows the style guidelines of this project
  • PR title conforms to commit message guideline ## Commit Message Structure Guideline
  • I have commented my code, particularly in hard-to-understand areas. In JS I did provide JSDoc
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • The java tests in the area I was working on leverage @nested annotations
  • Any dependent changes have been merged and published in downstream modules

Pablo Carle and others added 30 commits April 10, 2025 13:31
ubuntu:latest
7c55ee5 
Signed-off-by: Pablo Carle <[email protected]>
add required dependency to publishResults
e6eff8d 
Signed-off-by: Pablo Carle <[email protected]>
remove internal port inexistant references
fbd7533 
Signed-off-by: Pablo Carle <[email protected]>
improve startup checker
f2d0ec6 
Signed-off-by: Pablo Carle <[email protected]>
info level
28bed10 
Signed-off-by: Pablo Carle <[email protected]>
expect two gateway instances for central registry tests
5bdf4bf 
Signed-off-by: Pablo Carle <[email protected]>
add unit tests
2ccd8b2 
Signed-off-by: Pablo Carle <[email protected]>
try different jib image
bebd634 
Signed-off-by: Pablo Carle <[email protected]>
fix image
0a55e92 
Signed-off-by: Pablo Carle <[email protected]>
change when static services are registered in modulith
f587617 
Signed-off-by: Pablo Carle <[email protected]>
jacoco fix for dump of discoverable client
5d27656 
Signed-off-by: Pablo Carle <[email protected]>
use gateway test fixtures - add eureka homepage test
4cc5ad9 
Signed-off-by: Pablo Carle <[email protected]>
add unit tests for coverage
5a7742d 
Signed-off-by: Pablo Carle <[email protected]>
use spring cloud discovery client
6b18176 
Signed-off-by: Pablo Carle <[email protected]>
Merge remote-tracking branch 'origin/v3.x.x' into reboot/modulith
0f5ae19
remove outdated TODO comment
8c02f41 
Signed-off-by: Pablo Carle <[email protected]>
try ignore sonar in EurekaConfiguration class copied
61340ca 
Signed-off-by: Pablo Carle <[email protected]>
@pablocarle
Merge branch 'v3.x.x' into reboot/modulith
c13c6a0
add static definition processing to apiml component
0e6988b 
Signed-off-by: Pablo Carle <[email protected]>
@pablocarle
Merge branch 'v3.x.x' into reboot/modulith
c39aef4
@pablocarle
Merge branch 'v3.x.x' into reboot/modulith
fa252e0
@pablocarle
Merge branch 'v3.x.x' into reboot/modulith
243cc16
suprerss warnings for generic type wildcard
dcd3745 
Signed-off-by: Pablo Carle <[email protected]>
Merge branch 'reboot/modulith' of https://github.com/zowe/api-layer i…
cde2278 
…nto reboot/modulith
fix sonar issues
78f5ade 
Signed-off-by: Pablo Carle <[email protected]>
fix low sonar issues
c4b2d69 
Signed-off-by: Pablo Carle <[email protected]>
@pablocarle
Merge branch 'v3.x.x' into reboot/modulith
3f34725
@Shobhajayanna
zaas to modulith
36016e3 
Signed-off-by: sj895092 <[email protected]>
@pj892031 @Shobhajayanna
zaas to modulith
0bd3957 
Signed-off-by: sj895092 <[email protected]>
@pj892031 @Shobhajayanna
refactor of usage ZAAS from the routing
26d4bed 
Signed-off-by: Pavel Jareš <[email protected]>
pj892031
pj892031 reviewed Jun 19, 2025
View reviewed changes
...mon/src/main/java/org/zowe/apiml/security/common/error/AccessTokenBodyNotValidException.java Outdated
private final Reason reason;

public AccessTokenBodyNotValidException(Reason reason) {
super(reason.getMessageKey());
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we replace this with a human-readable message? Actually, the exception is never thrown. It is maybe a question of whether we need it. Maybe calling a method that just generates a message is enough.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@achmelo is on this one I think

pj892031
pj892031 reviewed Jun 19, 2025
View reviewed changes
apiml/src/main/java/org/zowe/apiml/controller/ReactivePassTicketController.java
.map(SecurityContext::getAuthentication)
.filter(Objects::nonNull)
.filter(Authentication::isAuthenticated)
.filter(TokenAuthentication.class::isInstance)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this is not true (ie. x509), what is the response? 404 because of Mono.empty? Do we really need to define the type of authentication? Method `getPrincipal is everywhere, so I consider it redundant.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comes from the original implementation in zaas-service's SuccessfulTicketHandler
I believe the /ticket endpoint doesn't have user mapping x509 authentication supported, it only has certificate like /eureka/** endpoints do

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we want to add suppot for the additional method we should probably create a feature

@taban03
add missing code
ea773e0 
Signed-off-by: Andrea Tabone <[email protected]>
pj892031
pj892031 reviewed Jun 19, 2025
View reviewed changes
pr review
5e45e20 
Signed-off-by: Pablo Carle <[email protected]>
pj892031
pj892031 reviewed Jun 19, 2025
View reviewed changes
apiml/src/main/java/org/zowe/apiml/filter/CategorizeCertsWebFilter.java
new X509Certificate[]{clientCertFromHeader.get()},
certificateForClientAuth
);
exchange.getAttributes().put(ATTR_NAME_CLIENT_AUTH_X509_CERTIFICATE, clientAuthCerts);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we are in the WebFlux we should mainly focus on SslInfo and replace it like here:

api-layer/gateway-service/src/main/java/org/zowe/apiml/gateway/attls/AttlsHttpHandler.java

Lines 105 to 106 in 2ce6e5b

var sslInfo = AttlsSslInfo.builder().peerCertificates(certs).build();
return request.mutate().sslInfo(sslInfo).build();

The attributes look more-less like back-compatibility with Servlets, but do not forget these attributes are not the same as on the request level (see https://github.com/zowe/api-layer/blob/2ce6e5bb44f5862a1fe91a6a4cd8398aff6f7a08/gateway-service/src/main/java/org/zowe/apiml/gateway/filters/RequestAttributesProvider.java).

I am not sure if this is the best way to handle client certificates now. Maybe we should think about a custom implementation of SslInfo.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Out of ignorance here, you are claiming they are not the same, however by tests it seems they are set. Can you explain the differences? What are the pitfalls of the current implementation?

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
21 New issues
0 Accepted issues

Measures
0 Security Hotspots
81.3% Coverage on New Code
0.6% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pablocarle pablocarle pablocarle left review comments

@achmelo achmelo achmelo left review comments

@pj892031 pj892031 pj892031 left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
Sensitive Sensitive change that requires peer review size/XXL
Projects
API Mediation Layer Backlog Management
Status: In Progress
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@taban03 @pablocarle @achmelo @pj892031 @Shobhajayanna