DRAFT: fix: Secure x-forwarded-* headers from untrusted proxies

api-catalog-services/src/main/resources/application.yml

@@ -10,8 +10,6 @@ spring:
         gateway:
             mvc.enabled: false
             enabled: false
-    mvc:
-        throw-exception-if-no-handler-found: true
     output:
         ansi:
             enabled: detect

api-catalog-services/src/test/resources/application.yml

@@ -10,8 +10,6 @@ spring:
         client:
             hostname: ${apiml.service.hostname}
             ipAddress: ${apiml.service.ipAddress}
-    mvc:
-        throw-exception-if-no-handler-found: true
     output:
         ansi:
             enabled: detect

apiml-security-common/src/main/java/org/zowe/apiml/security/common/verify/CertificateValidator.java

@@ -57,6 +57,8 @@ public CertificateValidator(TrustedCertificatesProvider trustedCertificatesProvi
      * @return true if all given certificates are known false otherwise
      */
     public boolean hasGatewayChain(X509Certificate[] certs) {
+        if (certs == null || certs.length == 0) return false;
+
         if ((proxyCertificatesEndpoints == null) || (proxyCertificatesEndpoints.length == 0)) {
             log.debug("No endpoint configured to retrieve trusted certificates. Provide URL via apiml.security.x509.certificatesUrls");
             return false;

apiml/src/main/resources/application.yml

@@ -16,15 +16,17 @@ eureka:
 spring:
     cloud:
         gateway:
-            route-refresh-listener.enabled: false
-            x-forwarded:
-                prefix-append: false
-                prefix-enabled: true
-            filter:
-                secure-headers:
-                    disable: content-security-policy,permitted-cross-domain-policies,download-options
-                    referrer-policy: strict-origin-when-cross-origin
-                    frame-options: sameorigin
+            server:
+                webflux:
+                    route-refresh-listener.enabled: false
+                    x-forwarded:
+                        prefix-append: false
+                        prefix-enabled: true
+                    filter:
+                        secure-headers:
+                            disable: content-security-policy,permitted-cross-domain-policies,download-options
+                            referrer-policy: strict-origin-when-cross-origin
+                            frame-options: sameorigin
     application:
         name: gateway
     security:
@@ -187,16 +189,14 @@ logging:
 management:
     endpoint:
         gateway:
-            enabled: false
+            access: none
         health:
             showDetails: always
-        shutdown:
-            enabled: true
     endpoints:
         web:
             base-path: /application
             exposure:
-                include: health,info,gateway,shutdown
+                include: health,info,gateway
 ---
 spring.config.activate.on-profile: debug
 

common-service-core/src/main/java/org/zowe/apiml/security/SecurityUtils.java

@@ -24,6 +24,7 @@
 import java.security.*;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.Base64;
 import java.util.Enumeration;
@@ -126,6 +127,10 @@ public static Set<String> loadCertificateChainBase64(HttpsConfig config) throws
         return out;
     }
 
+    public String base64EncodePublicKey(X509Certificate cert) {
+        return Base64.getEncoder().encodeToString(cert.getPublicKey().getEncoded());
+    }
+
     /**
      * Loads public key from keystore or key ring, if keystore URL has proper format {@link #KEYRING_PATTERN}
      *

config/docker/apiml.yml

@@ -22,6 +22,16 @@ eureka:
         initialInstanceInfoReplicationIntervalSeconds: 1
         registryFetchIntervalSeconds: 1
 
+management:
+    endpoints:
+        migrate-legacy-ids: true
+        web:
+            exposure:
+                include: "*"
+    endpoint:
+        shutdown:
+            access: unrestricted
+
 server:
     address: 0.0.0.0
     max-http-header-size: 40000

config/docker/discovery-service.yml

@@ -20,6 +20,17 @@ eureka:
     client:
         initialInstanceInfoReplicationIntervalSeconds: 1
         registryFetchIntervalSeconds: 1
+
+management:
+    endpoints:
+        migrate-legacy-ids: true
+        web:
+            exposure:
+                include: "*"
+    endpoint:
+        shutdown:
+            access: unrestricted
+
 ---
 spring.config.activate.on-profile: https
 

config/docker/gateway-service.yml

@@ -14,6 +14,16 @@ spring:
         ansi:
             enabled: always
 
+management:
+    endpoints:
+        migrate-legacy-ids: true
+        web:
+            exposure:
+                include: "*"
+    endpoint:
+        shutdown:
+            access: unrestricted
+
 server:
     address: 0.0.0.0
     max-http-header-size: 40000

config/docker/zaas-service.yml

@@ -37,7 +37,15 @@ spring:
   output:
     ansi:
       enabled: always
-
+management:
+    endpoints:
+        migrate-legacy-ids: true
+        web:
+            exposure:
+                include: "*"
+    endpoint:
+        shutdown:
+            access: unrestricted
 
 server:
   address: 0.0.0.0

discoverable-client/src/main/resources/application.yml

@@ -21,8 +21,6 @@ spring:
             enabled: false # Should be removed when upgrade to Spring Cloud 3.x
     application:
         name: ${apiml.service.serviceId}
-    mvc:
-        throw-exception-if-no-handler-found: true
     output:
         ansi:
             enabled: detect
@@ -34,7 +32,8 @@ spring:
     graphql:
         graphiql:
             enabled: true
-        path:  "/api/v3/graphql"
+        http:
+            path:  "/api/v3/graphql"
 
 eureka:
     client:
@@ -183,7 +182,7 @@ management:
             enabled: true
     endpoint:
         shutdown:
-            enabled: true
+            access: unrestricted
 
 ---
 spring.config.activate.on-profile: diag
@@ -197,7 +196,7 @@ management:
                 include: "*"
     endpoint:
         shutdown:
-            enabled: true
+            access: unrestricted
 
 ---
 spring.config.activate.on-profile: debug

discoverable-client/src/test/resources/application.yml

@@ -18,7 +18,6 @@ spring:
     application:
         name: ${apiml.service.serviceId}
     mvc:
-        throw-exception-if-no-handler-found: true
         pathmatch:
             matchingStrategy: ant-path-matcher # used to resolve spring fox path matching issue
     output:

discovery-service/src/main/resources/application.yml

@@ -98,13 +98,11 @@ management:
         web:
             base-path: /application
             exposure:
-                include: health,info,shutdown,hystrixstream
+                include: health,info,hystrixstream
     health:
         defaults:
             enabled: false
     endpoint:
-        shutdown:
-            enabled: true
         health:
             show-details: always
 
@@ -155,10 +153,7 @@ management:
         web:
             base-path: /application
             exposure:
-                include: health,info,loggers,shutdown
-    endpoint:
-        shutdown:
-            enabled: true
+                include: health,info,loggers
 
 logging:
     level:

gateway-package/src/main/resources/bin/start.sh

@@ -321,6 +321,7 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${GATEWAY_CODE} ${JAVA_BIN_DIR}java \
     -Dapiml.security.x509.certificatesUrls=${ZWE_configs_apiml_security_x509_certificatesUrls:-${ZWE_configs_apiml_security_x509_certificatesUrl:-}} \
     -Dapiml.security.x509.enabled=${ZWE_configs_apiml_security_x509_enabled:-false} \
     -Dapiml.security.x509.registry.allowedUsers=${ZWE_configs_apiml_security_x509_registry_allowedUsers:-} \
+    -Dapiml.security.forwardHeader.trustedProxies=${ZWE_configs_apiml_security_forwardHeader_trustedProxies:-${ZWE_components_cloudGateway_apiml_security_forwardHeader_trustedProxies:-}} \
     -Dapiml.service.allowEncodedSlashes=${ZWE_configs_apiml_service_allowEncodedSlashes:-true} \
     -Dapiml.service.apimlId=${ZWE_configs_apimlId:-} \
     -Dapiml.service.corsEnabled=${ZWE_configs_apiml_service_corsEnabled:-false} \

gateway-service/src/main/java/org/zowe/apiml/gateway/config/ConnectionsConfig.java

@@ -20,6 +20,7 @@
 import io.netty.handler.ssl.SslContextBuilder;
 import io.netty.resolver.DefaultAddressResolverGroup;
 import jakarta.annotation.PostConstruct;
+import lombok.Getter;
 import lombok.RequiredArgsConstructor;
 import lombok.experimental.Delegate;
 import lombok.extern.slf4j.Slf4j;
@@ -149,6 +150,8 @@ public class ConnectionsConfig {
     private boolean corsEnabled;
     private final ApplicationContext context;
     private static final ApimlLogger apimlLog = ApimlLogger.of(ConnectionsConfig.class, YamlMessageServiceInstance.getInstance());
+    private HttpsConfig httpsConfig;
+    @Getter
     private HttpsFactory httpsFactory;
 
     public ConnectionsConfig(ApplicationContext context) {
@@ -171,22 +174,23 @@ public void updateConfigParameters() {
             serverProperties.getSsl().setTrustStore(trustStorePath);
             if (trustStorePassword == null) trustStorePassword = KEYRING_PASSWORD;
         }
-        httpsFactory = factory();
-    }
 
-    public HttpsFactory factory() {
-        HttpsConfig config = HttpsConfig.builder()
+        httpsConfig = HttpsConfig.builder()
             .protocol(protocol)
             .verifySslCertificatesOfServices(verifySslCertificatesOfServices)
             .nonStrictVerifySslCertificatesOfServices(nonStrictVerifySslCertificatesOfServices)
             .trustStorePassword(trustStorePassword).trustStoreRequired(trustStoreRequired)
-            .idleConnTimeoutSeconds(idleConnTimeoutSeconds).requestConnectionTimeout(requestTimeout)
             .trustStore(trustStorePath).trustStoreType(trustStoreType)
             .keyAlias(keyAlias).keyStore(keyStorePath).keyPassword(keyPassword)
             .keyStorePassword(keyStorePassword).keyStoreType(keyStoreType).build();
-        log.info("Using HTTPS configuration: {}", config.toString());
+        log.info("Using HTTPS configuration: {}", httpsConfig.toString());
+
+        httpsFactory = new HttpsFactory(httpsConfig);
+    }
 
-        return new HttpsFactory(config);
+    @Bean
+    public HttpsConfig httpsConfig() {
+        return httpsConfig;
     }
 
     /**
@@ -270,7 +274,7 @@ SslContext getSslContext(boolean setKeystore) {
         } catch (Exception e) {
             apimlLog.log("org.zowe.apiml.common.sslContextInitializationError", e.getMessage());
             throw new HttpsConfigError("Error initializing SSL Context: " + e.getMessage(), e,
-                HttpsConfigError.ErrorCode.HTTP_CLIENT_INITIALIZATION_FAILED, factory().getConfig());
+                HttpsConfigError.ErrorCode.HTTP_CLIENT_INITIALIZATION_FAILED, httpsFactory.getConfig());
         }
     }
 

gateway-service/src/main/java/org/zowe/apiml/gateway/config/WebSecurity.java

@@ -16,7 +16,9 @@
 import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.cloud.gateway.filter.headers.XForwardedHeadersFilter;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -58,20 +60,25 @@
 import org.springframework.web.server.WebFilter;
 import org.zowe.apiml.gateway.config.oidc.ClientConfiguration;
 import org.zowe.apiml.gateway.controllers.GatewayExceptionHandler;
+import org.zowe.apiml.gateway.filters.X509awareXForwardedHeadersFilter;
 import org.zowe.apiml.gateway.filters.security.AuthExceptionHandlerReactive;
 import org.zowe.apiml.gateway.filters.security.BasicAuthFilter;
 import org.zowe.apiml.gateway.filters.security.TokenAuthFilter;
 import org.zowe.apiml.gateway.service.BasicAuthProvider;
 import org.zowe.apiml.gateway.service.TokenProvider;
 import org.zowe.apiml.gateway.x509.X509Util;
 import org.zowe.apiml.product.constants.CoreService;
+import org.zowe.apiml.security.HttpsConfig;
 import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
 import org.zowe.apiml.security.common.config.SafSecurityConfigurationProperties;
 import reactor.core.publisher.Mono;
 
+import java.io.IOException;
 import java.nio.charset.StandardCharsets;
+import java.security.KeyStoreException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
 import java.util.*;
 import java.util.function.Predicate;
 import java.util.regex.Pattern;
@@ -514,4 +521,13 @@ public StrictServerWebExchangeFirewall httpFirewall() {
         return firewall;
     }
 
+    @Bean
+    @Primary
+    @ConditionalOnProperty(name = "spring.cloud.gateway.x-forwarded.enabled", matchIfMissing = true)
+    public XForwardedHeadersFilter xForwardedHeadersFilter(
+        HttpsConfig httpsConfig,
+        @Value("${apiml.security.forwardHeader.trustedProxies:#{null}}") String trustedProxies) throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException {
+        return new X509awareXForwardedHeadersFilter(httpsConfig, trustedProxies);
+    }
+
 }