Merge pull request #401 from zowe/update-v2

Update v2 with v1

.github/workflows/build-core.yml

@@ -99,4 +99,3 @@ jobs:
 
       - name: '[Prep 7] deploy'
         uses: zowe-actions/zlux-builds/core/[email protected]/main
-

CHANGELOG.md

@@ -3,6 +3,16 @@
 All notable changes to the Zlux Server Framework package will be documented in this file.
 This repo is part of the app-server Zowe Component, and the change logs here may appear on Zowe.org in that section.
 
+## 1.28.0
+
+- Bugfix: keyring_js did not worked properly for finding CAs due to using an older version in package.json than needed for the listKeyring function
+- Bugfix: Prevent loop upon EACCES error encountered when doing a TCP port bind
+- Bugfix: Avoid retrying APIML login if initial attempt fails for any reason
+
+## 1.27.0
+
+- Bugfix: Added small check on agent network configuration to avoid throwing an exception if the agent configuration included JWT information, but not network information
+
 ## 1.25.0
 
 - Enhancement: Improved callRootService when targeting agents such as ZSS to issue the request direct to the destination rather than using an additional loopback request to the app-server first. This should improve performance, reduce the need for the app-server being a client of itself, and allow for more request options when calling the agent.

lib/assets/i18n/log/messages_en.json

@@ -50,7 +50,7 @@
   "ZWED0067I":"%s: serving library files at %s",
   "ZWED0068I":"Creating composite swagger endpoint for %s",
   "ZWED0069I":"Creating swagger endpoint for %s:%s",
-  "ZWED0070I":"%s: Session security call %s succesful for auth handler %s. Plugin response: %s",
+  "ZWED0070I":"User=%s (%s): Session %s successful. Plugin response: %s",
   "ZWED0071I":"Using PFX: %s",
   "ZWED0072I":"Using Certificate: %s",
   "ZWED0073I":"HTTP config valid, will listen on: %s",
@@ -155,15 +155,15 @@
   "ZWED0194I":"Callservice: Data received",
   "ZWED0195I":"Callservice: Service call completed.",
   "ZWED0196I":"Callservice: Issuing request to service: %s",
-  "ZWED0197I":"%s: %s service called: %s, %s %s",
-  "ZWED0198I":"%s: Service called: %s::%s, %s %s",
+  "ZWED0197I":"User=%s: %s service called: %s, %s %s",
+  "ZWED0198I":"User=%s: Service called: %s::%s, %s %s",
   "ZWED0199I":"%s: service %s",
   "ZWED0200I":"%s: %s %s handled by %s",
   "ZWED0201I":"About to call myProxy",
   "ZWED0202I":"After myProxy call",
   "ZWED0203I":"Referrer proxying miss. Resource not found, sending 404 because referrer (%s) didn't match an existing proxy service",
   "ZWED0204I":"Referrer proxying miss. Resource not found, sending 404 because referrer (%s) didn't match a plugin pattern",
-  "ZWED0205I":"%s: User logout for auth handler %s",
+  "ZWED0205I":"User=%s (%s): User logout",
   "ZWED0206I":"Writing: %s, Size=%s",
   "ZWED0207I":"Wrote: %s",
   "ZWED0210I":"UNUSED",
@@ -188,7 +188,7 @@
   "ZWED0301I": "Found %s in config for '%s'",
   "ZWED0302I": "HA mode is %s",
 
-  "ZWED0003W":"%s: Session security call %s failed for auth handler %s. Plugin response: %s",
+  "ZWED0003W":"User=%s (%s): Session %s failed. Plugin response: %s",
   "ZWED0004W":"Tomcat for ID=%s not starting, no services succeeded loading",
   "ZWED0005W":"",
   "ZWED0006W":"RBAC is disabled in the configuration. All authenticated users will have access to all services. Enable RBAC in the configuration to control users' access to individual services.",
@@ -377,5 +377,6 @@
   "ZWED0154E":"RESERVED: (%s) is not a supported architecture for %s. Skipping (%s)... Supported: %s",
   "ZWED0155E":"RESERVED: (%s) is not a supported endpoint for %s. Skipping (%s)... Supported: %s",
   "ZWED0156E":"RESERVED: Could not register default plugins into app-server",
-  "ZWED0157E":"RESERVED: Could not register default plugin %s into app-server"
+  "ZWED0157E":"RESERVED: Could not register default plugin %s into app-server",
+  "ZWED0158E":"Could not listen on address %s:%s. Insufficient permissions to perform port bind."
 }

lib/url.js

@@ -28,11 +28,12 @@ function makeServiceSubURL(service, latest, omitVersion, path) {
     const version = latest? '_current' : service.version;
     url = `/services/${nameForURL}/${version}`;
   }
-  if (path) {
+  if(path) {
     return `${url}/${path}`;
   } else {
     return url;
   }
+
 }
 
 function join(baseUrl, relativePath) {

lib/util.js

@@ -99,7 +99,7 @@ function getPrefixForService(serviceName, type, version) {
 };
 
 module.exports.getAgentRequestOptions = function(serverConfig, tlsOptions, includeCert, path) {
-  if (serverConfig && serverConfig.node && serverConfig.agent) {
+  if (serverConfig && serverConfig.node && serverConfig.agent && (serverConfig.agent.https || serverConfig.agent.http)) {
     const agentConfig = serverConfig.agent;
     const useApiml = !!(agentConfig.mediationLayer &&
                         agentConfig.mediationLayer.enabled &&
@@ -402,14 +402,15 @@ module.exports.getRemoteIframeTemplate = function(remoteUrl) {
 
 module.exports.makeRemoteUrl = function(destination, req, serverConfig) {
   let referer = req.get('Referer');
+  let hostname = referer === '' ? '' : new URL(referer).hostname;
   loggers.utilLogger.debug(`referer: ${referer}`);
 
   let zoweExternalHost;
   let zoweExternalPort;
-  
+
   if(destination.includes('ZOWE_EXTERNAL_HOST') || destination.includes('ZWE_EXTERNAL_HOST')) {
-    if( referer > '') {
-      zoweExternalHost = referer.split(':')[1].substring(2); 
+    if( hostname > '') {
+      zoweExternalHost = hostname; 
     } else if (process.env.ZWE_EXTERNAL_HOST) {
       zoweExternalHost = process.env.ZWE_EXTERNAL_HOST;
     } else if (process.env.ZOWE_EXTERNAL_HOST) {

lib/webapp.js

@@ -1026,7 +1026,6 @@ WebServiceHandle.prototype = {
           if (!req.headers['content-length']) {
             req.headers['content-length']='0';
           }
-
 
           res.end = (body)=> {
             utilLog.debug('router returned with body=',body.length);
@@ -1305,15 +1304,15 @@ headers: {
   logRootServiceCall(proxied, serviceName) {
     const type = proxied? "Proxied root" : "root"
     return function logRouting(req, res, next) {
-      routingLog.debug(`ZWED0197I`, req.session.id, type, serviceName, req.method, req.url); //routingLog.debug(`${req.session.id}: ${type} service called: `
+      routingLog.debug(`ZWED0197I`, req.username, type, serviceName, req.method, req.url); //routingLog.debug(`${req.username}: ${type} service called: `
           //+`${serviceName}, ${req.method} ${req.url}`);
       next();
     }
   },
 
   logServiceCall(pluginId, serviceName) {
     return function logRouting(req, res, next) {
-      routingLog.debug(`ZWED0198I`, req.session.id, pluginId, serviceName, req.method, req.url); //routingLog.debug(`${req.session.id}: Service called: `
+      routingLog.debug(`ZWED0198I`, req.username, pluginId, serviceName, req.method, req.url); //routingLog.debug(`${req.username}: Service called: `
           //+`${pluginId}::${serviceName}, ${req.method} ${req.url}`);
       next();
     }

lib/webauth.js

@@ -41,6 +41,10 @@ function getAuthHandler(req, authManager) {
   return authManager.getBestAuthenticationHandler(null);
 }
 
+function getHandlerSessionUsername(handlerResult) {
+  return handlerResult ? handlerResult.username : undefined;
+}
+
 function getAuthPluginSession(req, pluginID, dflt) {
   if (req.session && req.session.authPlugins) {
     let value = req.session.authPlugins[pluginID];
@@ -221,17 +225,23 @@ module.exports = function(authManager, cookiePort, isSecurePort) {
     const result = new LoginResult();      
     for (const handler of handlers) {
       const pluginID = handler.pluginID;
-      authLogger.info("ZWED0205I", req.session.id, pluginID);
+
       let handlerResult;
       if (handler.getCapabilities) {
         try {
           let authPluginSession = getAuthPluginSession(req, pluginID, {});
           let caps = handler.getCapabilities();
+          let status;
+          if (caps.canGetStatus === true) {
+            status = handler.getStatus(authPluginSession);
+          }
           if (caps.canLogout === true) {
+            authLogger.debug(`${req.session.id}: Initiating logout with ${handler.pluginID}`);            
             handlerResult = yield handler.logout(req, authPluginSession);
           } else {
             handlerResult = {success: true};
           }
+          authLogger.info("ZWED0205I", getHandlerSessionUsername(status), pluginID);
         } catch (e) {
           handlerResult = {success: false, reason: e.message};
         }
@@ -272,6 +282,7 @@ module.exports = function(authManager, cookiePort, isSecurePort) {
             let authPluginSession = getAuthPluginSession(req, pluginID, {});
             let caps = handler.getCapabilities();
             if (caps.canResetPassword == true) {
+              authLogger.debug(`${req.session.id}: Initiating passwordReset with ${handler.pluginID}`);
               handlerResult = yield handler.passwordReset(req, authPluginSession);
             } else {
               handlerResult = { success: false, response: "Password reset not available"};
@@ -302,6 +313,7 @@ module.exports = function(authManager, cookiePort, isSecurePort) {
       return;
     }
     try {
+      authLogger.debug(`${req.session.id}: Initiating ${functionName}`);
       const result = new LoginResult();
       const handlers = getRelevantHandlers(authManager, req.body);
       const authServiceHandleMaps = 
@@ -349,12 +361,12 @@ module.exports = function(authManager, cookiePort, isSecurePort) {
         delete resultCopy.cookies;
         delete resultCopy.password;
         if (handlerResult.success) {
-          authLogger.info(`ZWED0070I`, req.session.id, functionName, pluginID, JSON.stringify(resultCopy)); //authLogger.info(`${req.session.id}: Session security call ${functionName} succesful for auth ` + `handler ${pluginID}. Plugin response: ` + JSON.stringify(handlerResult));
+          authLogger.info(`ZWED0070I`, getHandlerSessionUsername(resultCopy), pluginID, functionName, JSON.stringify(resultCopy)); //User=%s (%s): Session %s successful. Plugin response: %s
         } else {
           //new sessions get a refresh call which always fails unless sso is involved, so don't warn for this.
           authLogger[type === SESSION_ACTION_TYPE_AUTHENTICATE ? 'warn' : 'debug'](`ZWED0003W`,
-            req.session.id, functionName, pluginID, JSON.stringify(resultCopy));
-          //authLogger.info(`${req.session.id}: Session security call ${functionName} failed for auth ` + `handler ${pluginID}. Plugin response: ` + JSON.stringify(handlerResult));
+            getHandlerSessionUsername(resultCopy), pluginID, functionName, JSON.stringify(resultCopy));
+          //User=%s (%s): Session %s failed. Plugin response: %s
         }
         //do not modify session if not authenticated or deauthenticated
         if (wasAuthenticated || handlerResult.success) {
@@ -397,6 +409,7 @@ module.exports = function(authManager, cookiePort, isSecurePort) {
       }
       const authPluginSession = getAuthPluginSession(req1, handler.pluginID, {});
       try {
+        authLogger.debug(`${req1.session.id}: Initiating addProxyAuthorizations with ${handler.pluginID}`);
         handler.addProxyAuthorizations(req1, req2Options, authPluginSession);
       } catch (e) {
         authLogger.warn(`ZWED0068W`,e); //authLogger.warn(`Failed to set proxy authorizations. Error=`,e);
@@ -408,6 +421,7 @@ module.exports = function(authManager, cookiePort, isSecurePort) {
       if (handler && handler.processProxiedHeaders) {
         const authPluginSession = getAuthPluginSession(req, handler.pluginID, {});
         try {
+          authLogger.debug(`${req.session.id}: Initiating processProxiedHeaders with ${handler.pluginID}`);
           return handler.processProxiedHeaders(req, headers, authPluginSession);
         } catch (e) {
           return headers;
@@ -425,6 +439,7 @@ module.exports = function(authManager, cookiePort, isSecurePort) {
         const authPluginSession = getAuthPluginSession(req, pluginID, {});
         let status;
         try {
+          authLogger.debug(`${req.session.id}: Initiating getStatus with ${handler.pluginID}`);
           status = handler.getStatus(authPluginSession);
         } catch (error) {
           status = {
@@ -471,6 +486,7 @@ module.exports = function(authManager, cookiePort, isSecurePort) {
         const authPluginID = handler.pluginID;
         let result;
         const authPluginSession = getAuthPluginSession(req, authPluginID, {});
+        authLogger.debug(`${req.session.id}: Initiating isAuthorized check with ${handler.pluginID}`);        
         result = yield handler.authorized(req, authPluginSession, {
           syncOnly: isWebsocket,
           bypassAuthorizatonCheck: !authManager.isRbacEnabled
@@ -516,6 +532,7 @@ module.exports = function(authManager, cookiePort, isSecurePort) {
           if (haveToRestoreHaSession && capabilities && capabilities.haCompatible) {
             yield restorePluginHaSession(req, handler, authPluginID, authPluginSession);
           }
+          authLogger.debug(`${req.session.id}: Initiating isAuthorized check with ${handler.pluginID}`);
           result = yield handler.authorized(req, authPluginSession, {
             syncOnly: isWebsocket,
             bypassAuthorizatonCheck: !authManager.isRbacEnabled()

lib/webserver.js

@@ -220,6 +220,10 @@ WebServer.prototype = {
     //making logging poor unless passed
     server.on('error',(e)=> {
       switch (e.code) {
+      case 'EACCES':
+        networkLogger.severe(`ZWED0158E`, ipAddress, port); //Could not listen on address %s:%s. Insufficient permissions to perform port bind.
+        process.exit(constants.EXIT_HTTPS_LOAD);
+        break;
       case 'EADDRINUSE':
         networkLogger.severe(`ZWED0004E`, ipAddress, port); //networkLogger.severe(`Could not listen on address ${ipAddress}:${port}. It is already in use by another process.`);
         process.exit(constants.EXIT_HTTPS_LOAD);