api-layer
api-layer copied to clipboard
zowe
Fix 401 responses
Describe the bug
The APIML returns 401 with a description to help a user with configuration. The error message is placed in the response header X-Zowe-Auth-Failure. It looks like a potential security risk because in the case application cannot authorize a request there should be one general message with response code 401, otherwise, there is an indication for an attacker how to customize the request and exploit a potential issue. This general rule has just one exception - an expired password. In case of an expired password, we know that the user knows at least the correct latest valid one.
The 401 could contain information about misconfigured passticket for example. This is not an issue of the user's credentials and therefore response code 500 makes more sense. The error message could contain more clues. Anyway, it is necessary to clarify each source of the error message (each potential exception generating those messages).
There are many places generating these headers:
ServiceAuthenticationFilter - general filter of authentication
https://github.com/zowe/api-layer/blob/995d837f2fe4a86ed6f00bfec7d24b280cb01f47/gateway-service/src/main/java/org/zowe/apiml/gateway/filters/pre/ServiceAuthenticationFilter.java#L127-L131
https://github.com/zowe/api-layer/blob/995d837f2fe4a86ed6f00bfec7d24b280cb01f47/gateway-service/src/main/java/org/zowe/apiml/gateway/filters/pre/ServiceAuthenticationFilter.java#L85-L104
TokenExpireException
- the message could be a part of 401 (error message ZWEAG103)
- this could be used as a response body, but just in the header
TokenNotValidException
- no message should be provided (or only as a trace/debug message in the log)
AuthSchemeException - there are many reasons for this exception:
-
org.zowe.apiml.gateway.security.invalidAuthentication
- this message should not be returned - could lead to scanning of services configuration
- it could be a logger with debug level
-
org.zowe.apiml.gateway.security.schema.missingX509Authentication
- this message says to the attacker only the visited piece of code, anyway shouldn't be returned
-
org.zowe.apiml.gateway.security.invalidAuthentication
- there is no reason to reply to this message, could be a part of the log file (trace/debug)
-
org.zowe.apiml.gateway.security.schema.missingAuthentication
- it describes a configuration issue
- should be 500 with the message
-
org.zowe.apiml.gateway.security.schema.x509.mappingFailed
- ZSS responded, but without a mapping value, which means that the client certificate was valid, but not mapped to a user ID
- response should be 403
-
org.zowe.apiml.gateway.security.invalidToken
- the message should not be in the response
-
org.zowe.apiml.gateway.security.expiredToken
- it could be retuned as 401 (not as header, but as the body - for user readability)
-
org.zowe.apiml.security.ticket.generateFailed
- it points to an invalid configuration about passtickets
- it should return 500 with the message
-
org.zowe.apiml.gateway.security.schema.missingAuthentication
- there is no reason to reply to this message, could be a part of the log file (trace/debug)
-
org.zowe.apiml.gateway.security.scheme.missingApplid
- it is about misconfiguration of a service
- it should return 500
-
org.zowe.apiml.security.ticket.generateFailed
- it points to an invalid configuration about passtickets
- it should return 500 with the message
-
org.zowe.apiml.security.idt.failed
- it collects two exceptions SafIdtException and SafIdtAuthException
- SafIdtException is about misconfiguration - it should return 500
- SafIdtAuthException is about invalid credentials - it should return 401
- IDT could indicate also an expired password (see a general and customized message - commonly used)
-
org.zowe.apiml.gateway.security.scheme.zosmfSchemeNotSupported
- misconfiguration (wants to use z/OSMF even if it is not configured)
- it should return 500
-
org.zowe.apiml.gateway.security.token.authenticationFailed
- cannot generate a token
- the reason is very probably a misconfiguration
- it should return 500
** X509FilterFactory **
https://github.com/zowe/api-layer/blob/995d837f2fe4a86ed6f00bfec7d24b280cb01f47/cloud-gateway-service/src/main/java/org/zowe/apiml/cloudgatewayservice/filters/X509FilterFactory.java#L66-L71
https://github.com/zowe/api-layer/blob/995d837f2fe4a86ed6f00bfec7d24b280cb01f47/cloud-gateway-service/src/main/java/org/zowe/apiml/cloudgatewayservice/filters/X509FilterFactory.java#L56
https://github.com/zowe/api-layer/blob/995d837f2fe4a86ed6f00bfec7d24b280cb01f47/cloud-gateway-service/src/main/java/org/zowe/apiml/cloudgatewayservice/filters/X509FilterFactory.java#L62
- org.zowe.apiml.gateway.security.schema.missingX509Authentication
- this message says to the attacker only the visited piece of code, anyway shouldn't be returned
** PassticketFilterFactory **
https://github.com/zowe/api-layer/blob/995d837f2fe4a86ed6f00bfec7d24b280cb01f47/cloud-gateway-service/src/main/java/org/zowe/apiml/cloudgatewayservice/filters/PassticketFilterFactory.java#L86-L90
https://github.com/zowe/api-layer/blob/995d837f2fe4a86ed6f00bfec7d24b280cb01f47/cloud-gateway-service/src/main/java/org/zowe/apiml/cloudgatewayservice/filters/PassticketFilterFactory.java#L66-L83
-
org.zowe.apiml.security.ticket.generateFailed
- it points to an invalid configuration about passtickets
- it should return 500 with the message
-
review also #2902 (if there is another source code to be fixed)
Steps to Reproduce
There are many scenarios, one of them:
- create a static client with non-configured passtickets
- send a response to this static client
- the response contains information about the configuration issue in the response header
Expected behavior
- All responses about invalid credentials return a general 401 response without any additional information.
- All responses about expired credentials return one generic message about expired credentials with response code 401
- All exceptions about misconfiguration will produce 500. It could contain base information about the exception
Details
- Version and build number: 2.10
https://github.com/zowe/api-layer/wiki/Issue-management
Also, issue #3226 describes a case where the should be changed response code from 400 to 401.