NPE with 500 when generating zosmf token with client certificate authentication

Open richard-salac opened this issue 9 months ago • 0 comments

Describe the bug

When the integration test org.zowe.apiml.integration.zaas.ZosmfTokensTest.WhenGeneratingZosmfTokens_returnValidZosmfToken#givenX509Certificate is executed in a negative scenario, with a client certificate that is trusted but not mapped to a user, an NPE occurs, resulting in a 500 return code.

Steps to Reproduce

  1. Prepare a trusted certificate that is not mapped to a user.
  2. Update the environment configuration to use the trusted but unmapped certificate.
  3. Run the integration test

Expected behavior

401 is expected

Logs

    2025-01-13 12:38:14.775 <ZWEAZS1:https-jsse-nio-0.0.0.0-10018-exec-2:67174549> ZWESVUSR DEBUG ((o.z.a.z.s.s.s.s.JwtAuthSourceService)) Getting JWT token from request.
    2025-01-13 12:38:14.775 <ZWEAZS1:https-jsse-nio-0.0.0.0-10018-exec-2:67174549> ZWESVUSR DEBUG ((o.z.a.z.s.s.s.s.JwtAuthSourceService)) JWT token not found in request.
    2025-01-13 12:38:14.775 <ZWEAZS1:https-jsse-nio-0.0.0.0-10018-exec-2:67174549> ZWESVUSR DEBUG ((o.z.a.z.s.s.s.s.PATAuthSourceService)) Getting JWT token from request.
    2025-01-13 12:38:14.775 <ZWEAZS1:https-jsse-nio-0.0.0.0-10018-exec-2:67174549> ZWESVUSR DEBUG ((o.z.a.z.s.s.s.s.PATAuthSourceService)) JWT token not found in request.
    2025-01-13 12:38:14.775 <ZWEAZS1:https-jsse-nio-0.0.0.0-10018-exec-2:67174549> ZWESVUSR DEBUG ((o.z.a.z.s.s.s.s.OIDCAuthSourceService)) Getting JWT token from request.
    2025-01-13 12:38:14.775 <ZWEAZS1:https-jsse-nio-0.0.0.0-10018-exec-2:67174549> ZWESVUSR DEBUG ((o.z.a.z.s.s.s.s.OIDCAuthSourceService)) JWT token not found in request.
    2025-01-13 12:38:14.775 <ZWEAZS1:https-jsse-nio-0.0.0.0-10018-exec-2:67174549> ZWESVUSR DEBUG ((o.z.a.z.s.s.s.s.X509AuthSourceService)) Getting X509 client certificate from custom attribute 'client.auth.X509Certificate'.
    2025-01-13 12:38:14.775 <ZWEAZS1:https-jsse-nio-0.0.0.0-10018-exec-2:67174549> ZWESVUSR DEBUG ((o.z.a.z.s.s.s.s.X509AuthSourceService)) Validating X509 client certificate.
    2025-01-13 12:38:14.775 <ZWEAZS1:https-jsse-nio-0.0.0.0-10018-exec-2:67174549> ZWESVUSR DEBUG ((o.z.a.z.s.s.s.s.X509AuthSourceService)) X509 client certificate found in request.
    2025-01-13 12:38:14.775 <ZWEAZS1:https-jsse-nio-0.0.0.0-10018-exec-2:67174549> ZWESVUSR DEBUG ((o.z.a.z.s.s.s.s.DefaultAuthSourceService)) Authentication request towards the southbound service /zaas/scheme/zosmf using the auth source CLIENT_CERT
    2025-01-13 12:38:14.775 <ZWEAZS1:https-jsse-nio-0.0.0.0-10018-exec-2:67174549> ZWESVUSR DEBUG ((o.z.a.z.s.s.s.s.X509AuthSourceService)) Parsing X509 client certificate.
    2025-01-13 12:38:14.775 <ZWEAZS1:https-jsse-nio-0.0.0.0-10018-exec-2:67174549> ZWESVUSR DEBUG ((o.z.a.z.s.s.s.s.X509AuthSourceService)) Validating X509 client certificate.
    2025-01-13 12:38:14.775 <ZWEAZS1:https-jsse-nio-0.0.0.0-10018-exec-2:67174549> ZWESVUSR DEBUG ((o.z.a.z.s.m.NativeMapper)) CertificateResponse(userId=, rc=-1, errno=143, errno2=318833740)
    2025-01-13 12:38:14.775 <ZWEAZS1:https-jsse-nio-0.0.0.0-10018-exec-2:67174549> ZWESVUSR DEBUG ((o.z.a.z.s.s.s.s.X509AuthSourceService)) Validating X509 client certificate.
    2025-01-13 12:38:14.775 <ZWEAZS1:https-jsse-nio-0.0.0.0-10018-exec-2:67174549> ZWESVUSR DEBUG ((o.s.s.w.FilterChainProxy)) Secured POST /zaas/scheme/zosmf
    2025-01-13 12:38:14.776 <ZWEAZS1:https-jsse-nio-0.0.0.0-10018-exec-2:67174549> ZWESVUSR DEBUG ((o.z.a.z.s.l.Providers)) z/OSMF registered with the Discovery Service and propagated to ZAAS: true
    2025-01-13 12:38:14.776 <ZWEAZS1:https-jsse-nio-0.0.0.0-10018-exec-2:67174549> ZWESVUSR DEBUG ((o.z.a.z.s.s.TokenCreationService)) ZOSMF is available and used. Attempt to authenticate with PassTicket
    2025-01-13 12:38:14.776 <ZWEAZS1:https-jsse-nio-0.0.0.0-10018-exec-2:67174549> ZWESVUSR DEBUG ((o.z.a.z.s.s.TokenCreationService)) Generating PassTicket for user: null and ZOSMF applid: IZUDFLT
    2025-01-13 12:38:14.776 <ZWEAZS1:https-jsse-nio-0.0.0.0-10018-exec-2:67174549> ZWESVUSR DEBUG ((o.z.a.z.z.ZaasExceptionHandler)) Unexpected internal error
    java.lang.NullPointerException: Cannot invoke "java.lang.String.toUpperCase()" because "userId" is null
        at org.zowe.apiml.passticket.PassTicketService.generate(PassTicketService.java:50)
        at org.zowe.apiml.zaas.security.service.TokenCreationService.generatePassTicket(TokenCreationService.java:105)
        at org.zowe.apiml.zaas.security.service.TokenCreationService.createZosmfTokensWithoutCredentials(TokenCreationService.java:76)
        at org.zowe.apiml.zaas.security.service.zosmf.ZosmfService.exchangeAuthenticationForZosmfToken(ZosmfService.java:244)
        at jdk.internal.reflect.GeneratedMethodAccessor85.invoke(Unknown Source)

Details

  • Version and build number: v3
  • Test environment: miniplex

Additional context

Found during miniplex setup for integration tests

richard-salac, Jan 13 '25 14:01
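
The fail-closed behavior the report expects (401 for a trusted but unmapped certificate), sketched as an added example that is not part of the original issue and not api-layer code. Every type and method name is hypothetical, and treating `rc == 0` as the mapper's success value is an assumption; the first sample input mirrors the `CertificateResponse` values in the log above.

```java
import java.util.Optional;

// Added illustration; all names here are hypothetical, not taken from api-layer.
public class UnmappedCertificateExample {

    /** Mirrors the fields printed in the log's CertificateResponse(...) line. */
    record CertificateResponse(String userId, int rc, int errno, int errno2) {}

    /** Raised when a credential cannot be tied to a user; translated to HTTP 401. */
    static class AuthenticationFailedException extends RuntimeException {
        AuthenticationFailedException(String message) { super(message); }
    }

    /** Returns a user only when the mapper succeeded (assumed rc == 0) with a non-blank id. */
    static Optional<String> mappedUser(CertificateResponse response) {
        if (response == null || response.rc() != 0) return Optional.empty();
        String userId = response.userId();
        return (userId == null || userId.isBlank())
                ? Optional.empty()
                : Optional.of(userId.trim());
    }

    /** Stand-in for PassTicket generation: only ever called with a resolved user id. */
    static String generatePassTicket(String userId, String applId) {
        return "PASSTICKET(" + userId.toUpperCase() + "," + applId + ")";
    }

    /** Resolves the request to an HTTP status, rejecting before any token work starts. */
    static int handle(CertificateResponse response, String applId) {
        try {
            String userId = mappedUser(response).orElseThrow(() ->
                    new AuthenticationFailedException("client certificate is not mapped to a user"));
            generatePassTicket(userId, applId);
            return 200;
        } catch (AuthenticationFailedException e) {
            return 401; // unmapped credential is an authentication failure, not a server error
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: the first reproduces the mapper result from the log.
        var unmapped = new CertificateResponse("", -1, 143, 318833740);
        var mapped = new CertificateResponse("user1", 0, 0, 0);
        System.out.println("unmapped certificate -> HTTP " + handle(unmapped, "IZUDFLT"));
        System.out.println("mapped certificate   -> HTTP " + handle(mapped, "IZUDFLT"));
    }
}
```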