fix: Make "native" the default SAF authorization provider (#3937)

* make native default provider Signed-off-by: Andrea Tabone <[email protected]> * make native default provider Signed-off-by: Andrea Tabone <[email protected]> * revert Signed-off-by: Andrea Tabone <[email protected]> * fix tests Signed-off-by: Andrea Tabone <[email protected]> * address comment Signed-off-by: Andrea Tabone <[email protected]> * attempt Signed-off-by: Andrea Tabone <[email protected]> * attempt Signed-off-by: Andrea Tabone <[email protected]> * use endpoint for saf auth provider when native is not available Signed-off-by: ac892247 <[email protected]> * both env options Signed-off-by: ac892247 <[email protected]> --------- Signed-off-by: Andrea Tabone <[email protected]> Signed-off-by: ac892247 <[email protected]> Co-authored-by: achmelo <[email protected]> Co-authored-by: ac892247 <[email protected]>
zowe · Jan 3, 2025 · f4aafe6 · f4aafe6
1 parent d998b5a
commit f4aafe6
Show file tree

Hide file tree

Showing 6 changed files with 8 additions and 6 deletions.
diff --git a/api-catalog-package/src/main/resources/bin/start.sh b/api-catalog-package/src/main/resources/bin/start.sh
@@ -269,7 +269,7 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${CATALOG_CODE} ${JAVA_BIN_DIR}java \
     -Dapiml.discovery.staticApiDefinitionsDirectories=${ZWE_STATIC_DEFINITIONS_DIR} \
     -Dapiml.security.ssl.verifySslCertificatesOfServices=${verifySslCertificatesOfServices:-false} \
     -Dapiml.security.ssl.nonStrictVerifySslCertificatesOfServices=${nonStrictVerifySslCertificatesOfServices:-false} \
-    -Dapiml.security.authorization.provider=${ZWE_components_gateway_apiml_security_authorization_provider:-} \
+    -Dapiml.security.authorization.provider=${ZWE_configs_apiml_security_authorization_provider:-${ZWE_components_gateway_apiml_security_authorization_provider:-"native"}} \
     -Dapiml.security.authorization.endpoint.enabled=${ZWE_components_gateway_apiml_security_authorization_endpoint_enabled:-false} \
     -Dapiml.security.authorization.endpoint.url=${ZWE_components_gateway_apiml_security_authorization_endpoint_url:-"${internalProtocol:-https}://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_gateway_port}/zss/api/v1/saf-auth"} \
     -Dapiml.security.authorization.resourceClass=${ZWE_components_gateway_apiml_security_authorization_resourceClass:-ZOWE} \

diff --git a/...common/src/main/java/org/zowe/apiml/security/common/auth/saf/SafResourceAccessConfig.java b/...common/src/main/java/org/zowe/apiml/security/common/auth/saf/SafResourceAccessConfig.java
@@ -29,7 +29,7 @@ public class SafResourceAccessConfig {
     private static final String NATIVE = "native";
     private static final String DUMMY = "dummy";
 
-    private static final String[] PROVIDERS = new String[] { ENDPOINT, NATIVE, DUMMY };
+    private static final String[] PROVIDERS = new String[] { NATIVE, ENDPOINT, DUMMY };
 
     @Value("${apiml.security.authorization.provider:}")
     private String provider;

diff --git a/...on/src/test/java/org/zowe/apiml/security/common/auth/saf/SafResourceAccessConfigTest.java b/...on/src/test/java/org/zowe/apiml/security/common/auth/saf/SafResourceAccessConfigTest.java
@@ -37,7 +37,7 @@ private SafResourceAccessVerifying getSafResourceAccessConfig(
         SafResourceAccessConfig output = new SafResourceAccessConfigMock(endpointAvailable, nativeAvailable, dummyAvailable);
         ReflectionTestUtils.setField(output, "provider", provider);
         ReflectionTestUtils.setField(output, "endpointEnabled", endpointEnabled);
-        return output.safResourceAccessVerifying(restTemplate,authConfigurationProperties);
+        return output.safResourceAccessVerifying(restTemplate, authConfigurationProperties);
     }
 
     @Test

diff --git a/gateway-package/src/main/resources/bin/start.sh b/gateway-package/src/main/resources/bin/start.sh
@@ -312,8 +312,8 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${GATEWAY_CODE} ${JAVA_BIN_DIR}java \
     -Dapiml.security.auth.passticket.customUserHeader=${ZWE_configs_apiml_security_auth_passticket_customUserHeader:-} \
     -Dapiml.security.auth.passticket.customAuthHeader=${ZWE_configs_apiml_security_auth_passticket_customAuthHeader:-} \
     -Dapiml.security.authorization.endpoint.enabled=${ZWE_configs_apiml_security_authorization_endpoint_enabled:-false} \
-    -Dapiml.security.authorization.endpoint.url=${ZWE_configs_apiml_security_authorization_endpoint_url:-} \
-    -Dapiml.security.authorization.provider=${ZWE_configs_apiml_security_authorization_provider:-} \
+    -Dapiml.security.authorization.endpoint.url=${ZWE_configs_apiml_security_authorization_endpoint_url:-${ZWE_components_gateway_apiml_security_authorization_endpoint_url:-"${internalProtocol:-https}://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_gateway_port:-7554}/zss/api/v1/saf-auth"}} \
+    -Dapiml.security.authorization.provider=${ZWE_configs_apiml_security_authorization_provider:-"native"} \
     -Dapiml.zoweManifest=${ZWE_zowe_runtimeDirectory}/manifest.json \
     -Dapiml.gateway.cachePeriodSec=${ZWE_configs_apiml_gateway_registry_cachePeriodSec:-120} \
     -Dapiml.gateway.registry.enabled=${ZWE_configs_apiml_gateway_registry_enabled:-false} \

diff --git a/integration-tests/src/test/resources/environment-configuration.yml b/integration-tests/src/test/resources/environment-configuration.yml
@@ -106,5 +106,7 @@ instanceEnv:
     ZWE_configs_apiml_security_auth_passticket_customUserHeader: customUserHeader
     ZWE_configs_apiml_security_auth_passticket_customAuthHeader: customPassticketHeader
     ZWE_configs_apiml_health_protected: false
+    ZWE_components_gateway_apiml_security_authorization_provider: endpoint
+    ZWE_configs_apiml_security_authorization_provider: endpoint
     # set the value to "authentication" if you want to test the sticky session load balancing
     APIML_SERVICE_CUSTOMMETADATA_APIML_LB_TYPE: headerRequest
diff --git a/zaas-package/src/main/resources/bin/start.sh b/zaas-package/src/main/resources/bin/start.sh
@@ -338,7 +338,7 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${ZAAS_CODE} ${JAVA_BIN_DIR}java \
     -Dapiml.security.x509.externalMapperUser=${ZWE_configs_apiml_security_x509_externalMapperUser:-${ZWE_components_gateway_apiml_security_x509_externalMapperUser:-${ZWE_zowe_setup_security_users_zowe:-ZWESVUSR}}} \
     -Dapiml.security.x509.acceptForwardedCert=${ZWE_configs_apiml_security_x509_enabled:-${ZWE_components_gateway_apiml_security_x509_enabled:-${ZWE_components_gateway_apiml_security_x509_enabled:-true}}} \
     -Dapiml.security.x509.certificatesUrls=${CERTIFICATES_URLS} \
-    -Dapiml.security.authorization.provider=${ZWE_configs_apiml_security_authorization_provider:-${ZWE_components_gateway_apiml_security_authorization_provider:-}} \
+    -Dapiml.security.authorization.provider=${ZWE_configs_apiml_security_authorization_provider:-${ZWE_components_gateway_apiml_security_authorization_provider:-"native"}} \
     -Dapiml.security.authorization.endpoint.enabled=${ZWE_configs_apiml_security_authorization_endpoint_enabled:-${ZWE_components_gateway_apiml_security_authorization_endpoint_enabled:-false}} \
     -Dapiml.security.authorization.endpoint.url=${ZWE_configs_apiml_security_authorization_endpoint_url:-${ZWE_components_gateway_apiml_security_authorization_endpoint_url:-"${internalProtocol:-https}://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_gateway_port:-7554}/zss/api/v1/saf-auth"}} \
     -Dapiml.security.saf.provider=${ZWE_configs_apiml_security_saf_provider:-${ZWE_components_gateway_apiml_security_saf_provider:-"rest"}} \