fix: disable infinispan diagnostics by default (#4157)

achmelo · pablocarle · web-flow · commit d1b697258ccd · 2025-06-16T16:21:09.000+02:00
Signed-off-by: ac892247 &lt;a.chmelo@gmail.com&gt;
Co-authored-by: Pablo Carle &lt;pablocarle@users.noreply.github.com&gt;
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
@@ -162,7 +162,7 @@ jobs:
 
             -   name: Run CI Tests
                 run: >
-                    ./gradlew :integration-tests:runContainerTests --info
+                    ./gradlew runStartUpCheck :integration-tests:runContainerTests --info -Denvironment.config=-docker
                     -Partifactory_user=${{ secrets.ARTIFACTORY_USERNAME }} -Partifactory_password=${{ secrets.ARTIFACTORY_PASSWORD }}
             -   uses: ./.github/actions/dump-jacoco
                 if: always()
diff --git a/apiml-utility/src/main/resources/logback-spring.xml b/apiml-utility/src/main/resources/logback-spring.xml
@@ -14,6 +14,7 @@
         <turboFilter class="org.zowe.apiml.product.logging.LogLevelInfoFilter"/>
         <turboFilter class="org.zowe.apiml.product.logging.ApimlDuplicateMessagesFilter">
             <AllowedRepetitions>0</AllowedRepetitions>
+            <cacheSize>3000</cacheSize>
         </turboFilter>
     </springProfile>
 
diff --git a/caching-service-package/src/main/resources/bin/start.sh b/caching-service-package/src/main/resources/bin/start.sh
@@ -271,6 +271,7 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${CACHING_CODE} ${JAVA_BIN_DIR}java \
   -Djgroups.bind.address=${ZWE_configs_storage_infinispan_jgroups_host:-${ZWE_haInstance_hostname:-localhost}} \
   -Djgroups.bind.port=${ZWE_configs_storage_infinispan_jgroups_port:-7600} \
   -Djgroups.keyExchange.port=${ZWE_configs_storage_infinispan_jgroups_keyExchange_port:-7601} \
+  -Djgroups.tcp.diag.enabled=${ZWE_configs_storage_infinispan_jgroups_tcp_diag_enabled:-false} \
   -Dcaching.storage.infinispan.initialHosts=${ZWE_configs_storage_infinispan_initialHosts:-localhost[7600]} \
   -Dserver.address=${ZWE_configs_zowe_network_server_listenAddresses_0:-${ZWE_zowe_network_server_listenAddresses_0:-"0.0.0.0"}} \
   -Dserver.ssl.enabled=${ZWE_configs_server_ssl_enabled:-true}  \
diff --git a/caching-service/src/main/java/org/zowe/apiml/caching/service/infinispan/config/InfinispanConfig.java b/caching-service/src/main/java/org/zowe/apiml/caching/service/infinispan/config/InfinispanConfig.java
@@ -60,6 +60,8 @@ public class InfinispanConfig {
     private String address;
     @Value("${jgroups.keyExchange.port:7601}")
     private String keyExchangePort;
+    @Value("${jgroups.tcp.diag.enabled:false}")
+    private String tcpDiagEnabled;
 
     @PostConstruct
     void updateKeyring() {
@@ -93,6 +95,7 @@ DefaultCacheManager cacheManager(ResourceLoader resourceLoader) {
         System.setProperty("server.ssl.keyStoreType", keyStoreType);
         System.setProperty("server.ssl.keyStore", keyStore);
         System.setProperty("server.ssl.keyStorePassword", keyStorePass);
+        System.setProperty("jgroups.tcp.diag.enabled", String.valueOf(Boolean.parseBoolean(tcpDiagEnabled)));
         ConfigurationBuilderHolder holder;
 
         try (InputStream configurationStream = resourceLoader.getResource(
diff --git a/caching-service/src/main/resources/infinispan.xml b/caching-service/src/main/resources/infinispan.xml
@@ -20,6 +20,7 @@
                  thread_pool.min_threads="${jgroups.thread_pool.min_threads:0}"
                  thread_pool.max_threads="${jgroups.thread_pool.max_threads:200}"
                  thread_pool.keep_alive_time="60000"
+                 diag.enabled="${jgroups.tcp.diag.enabled:false}"
             />
             <TCPPING
                     initial_hosts="${jgroups.tcpping.initial_hosts}"
diff --git a/gateway-service/src/main/java/org/zowe/apiml/gateway/filters/security/AuthExceptionHandlerReactive.java b/gateway-service/src/main/java/org/zowe/apiml/gateway/filters/security/AuthExceptionHandlerReactive.java
@@ -13,7 +13,6 @@
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import lombok.RequiredArgsConstructor;
-import org.springframework.http.HttpStatus;
 import org.springframework.stereotype.Component;
 import org.springframework.web.server.ServerWebExchange;
 import org.zowe.apiml.constants.ApimlConstants;
@@ -23,6 +22,11 @@
 
 import java.nio.charset.StandardCharsets;
 
+import static org.apache.http.HttpHeaders.CONTENT_TYPE;
+import static org.springframework.http.HttpStatus.SERVICE_UNAVAILABLE;
+import static org.springframework.http.HttpStatus.UNAUTHORIZED;
+import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
+
 @Component
 @RequiredArgsConstructor
 public class AuthExceptionHandlerReactive {
@@ -32,9 +36,9 @@ public class AuthExceptionHandlerReactive {
 
     public Mono<Void> handleTokenNotValid(ServerWebExchange exchange) {
         var response = exchange.getResponse();
-        response.setStatusCode(HttpStatus.UNAUTHORIZED);
+        response.setStatusCode(UNAUTHORIZED);
         response.getHeaders().add(ApimlConstants.AUTH_FAIL_HEADER, "Invalid token");
-        response.getHeaders().add("Content-Type", "application/json");
+        response.getHeaders().add(CONTENT_TYPE, APPLICATION_JSON_VALUE);
 
         ApiMessageView message = messageService
             .createMessage("org.zowe.apiml.common.unauthorized", exchange.getRequest().getPath())
@@ -49,4 +53,23 @@ public Mono<Void> handleTokenNotValid(ServerWebExchange exchange) {
 
         return response.writeWith(Mono.just(response.bufferFactory().wrap(bytes)));
     }
+
+    public Mono<Void> handleServiceUnavailable(ServerWebExchange exchange) {
+        var response = exchange.getResponse();
+        response.setStatusCode(SERVICE_UNAVAILABLE);
+        response.getHeaders().add(CONTENT_TYPE, APPLICATION_JSON_VALUE);
+
+        ApiMessageView message = messageService
+            .createMessage("org.zowe.apiml.common.serviceUnavailable", exchange.getRequest().getPath())
+            .mapToView();
+
+        byte[] bytes;
+        try {
+            bytes = objectMapper.writeValueAsBytes(message);
+        } catch (JsonProcessingException e) {
+            bytes = "{\"message\":\"service unavailable\"}".getBytes(StandardCharsets.UTF_8);
+        }
+
+        return response.writeWith(Mono.just(response.bufferFactory().wrap(bytes)));
+    }
 }
diff --git a/gateway-service/src/main/java/org/zowe/apiml/gateway/filters/security/TokenAuthFilter.java b/gateway-service/src/main/java/org/zowe/apiml/gateway/filters/security/TokenAuthFilter.java
@@ -37,6 +37,7 @@ public class TokenAuthFilter implements WebFilter {
     private final TokenProvider tokenProvider;
     private final AuthConfigurationProperties authConfigurationProperties;
     private final AuthExceptionHandlerReactive authExceptionHandlerReactive;
+
     @Override
     public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
         var token = resolveToken(exchange.getRequest()).filter(StringUtils::isNotBlank);
@@ -50,7 +51,7 @@ public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
                 }
                 return authExceptionHandlerReactive.handleTokenNotValid(exchange);
 
-            })
+            }).onErrorResume(ex -> authExceptionHandlerReactive.handleServiceUnavailable(exchange))
         ).orElseGet(() -> chain.filter(exchange));
     }
 
diff --git a/gateway-service/src/test/java/org/zowe/apiml/gateway/filters/security/AuthExceptionHandlerReactiveTest.java b/gateway-service/src/test/java/org/zowe/apiml/gateway/filters/security/AuthExceptionHandlerReactiveTest.java
@@ -13,6 +13,7 @@
 import com.fasterxml.jackson.core.JsonParseException;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.http.HttpHeaders;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Nested;
@@ -21,6 +22,7 @@
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
 import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
 import org.springframework.http.server.RequestPath;
 import org.springframework.http.server.reactive.ServerHttpRequest;
 import org.springframework.mock.http.server.reactive.MockServerHttpResponse;
@@ -41,8 +43,10 @@
 @ExtendWith(MockitoExtension.class)
 public class AuthExceptionHandlerReactiveTest {
 
-    @Mock private MessageService messageService;
-    @Mock private ObjectMapper objectMapper;
+    @Mock
+    private MessageService messageService;
+    @Mock
+    private ObjectMapper objectMapper;
 
     private AuthExceptionHandlerReactive handler;
 
@@ -54,10 +58,12 @@ void setUp() {
     @Nested
     class GivenHandler {
 
-        @Mock private ServerWebExchange exchange;
+        @Mock
+        private ServerWebExchange exchange;
 
         private MockServerHttpResponse response;
 
+
         @BeforeEach
         void setUp() {
             response = new MockServerHttpResponse();
@@ -69,9 +75,8 @@ void setUp() {
 
         @AfterEach
         void assertResponse() {
-            assertEquals(HttpStatus.UNAUTHORIZED, response.getStatusCode());
-            assertEquals(List.of("Invalid token"), response.getHeaders().get("X-Zowe-Auth-Failure"));
-            assertEquals(List.of("application/json"), response.getHeaders().get("Content-Type"));
+
+            assertEquals(List.of(MediaType.APPLICATION_JSON_VALUE), response.getHeaders().get(HttpHeaders.CONTENT_TYPE));
         }
 
         @Test
@@ -89,6 +94,8 @@ void whenHandleInvalidToken_thenUpdateResponse() throws JsonProcessingException
                 .verify();
 
             assertEquals("{\"code\":\"ZWEA11\"}", response.getBodyAsString().block());
+            assertEquals(HttpStatus.UNAUTHORIZED, response.getStatusCode());
+            assertEquals(List.of("Invalid token"), response.getHeaders().get("X-Zowe-Auth-Failure"));
         }
 
         @Test
@@ -106,8 +113,45 @@ void whenHandleInvalidToken_AndException_thenDefaultMessage() throws JsonProcess
                 .verify();
 
             assertEquals("{\"message\":\"Invalid token\"}", response.getBodyAsString().block());
+            assertEquals(HttpStatus.UNAUTHORIZED, response.getStatusCode());
+            assertEquals(List.of("Invalid token"), response.getHeaders().get("X-Zowe-Auth-Failure"));
+        }
+
+        @Test
+        void whenHandleUnavailableService_thenUpdateResponse() throws JsonProcessingException {
+            var view = mock(ApiMessageView.class);
+            var correctMessage = mock(Message.class);
+            when(messageService.createMessage(eq("org.zowe.apiml.common.serviceUnavailable"), any(RequestPath.class)))
+                .thenReturn(correctMessage);
+            when(correctMessage.mapToView()).thenReturn(view);
+
+            when(objectMapper.writeValueAsBytes(view)).thenReturn("{\"code\":\"ZWEAO503\"}".getBytes());
+
+            StepVerifier.create(handler.handleServiceUnavailable(exchange))
+                .expectComplete()
+                .verify();
+
+            assertEquals("{\"code\":\"ZWEAO503\"}", response.getBodyAsString().block());
+            assertEquals(HttpStatus.SERVICE_UNAVAILABLE, response.getStatusCode());
         }
 
+        @Test
+        void whenHandleUnavailableService_AndException_thenDefaultMessage() throws JsonProcessingException {
+            var view = mock(ApiMessageView.class);
+            var correctMessage = mock(Message.class);
+            when(messageService.createMessage(eq("org.zowe.apiml.common.serviceUnavailable"), any(RequestPath.class)))
+                .thenReturn(correctMessage);
+            when(correctMessage.mapToView()).thenReturn(view);
+
+            when(objectMapper.writeValueAsBytes(view)).thenThrow(new JsonParseException("exception"));
+
+            StepVerifier.create(handler.handleServiceUnavailable(exchange))
+                .expectComplete()
+                .verify();
+
+            assertEquals("{\"message\":\"service unavailable\"}", response.getBodyAsString().block());
+            assertEquals(HttpStatus.SERVICE_UNAVAILABLE, response.getStatusCode());
+        }
     }
 
 }
diff --git a/gateway-service/src/test/java/org/zowe/apiml/gateway/filters/security/TokenAuthFilterTest.java b/gateway-service/src/test/java/org/zowe/apiml/gateway/filters/security/TokenAuthFilterTest.java
@@ -32,7 +32,6 @@
 
 import static java.util.Arrays.asList;
 import static java.util.Collections.singletonMap;
-import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.*;
 import static org.springframework.util.CollectionUtils.toMultiValueMap;
@@ -130,14 +129,14 @@ void givenTokenIsInCookieValid_thenCreateAuthentication() {
             }
 
             @Test
-            void givenTokenIsInvalidError_thenStopChainAndReturnError() {
+            void givenTokenIsInvalidError_thenCompletesWithCorrectHandler() {
                 mockTokenInCookie();
-
+                when(authExceptionHandlerReactive.handleServiceUnavailable(any()))
+                    .thenReturn(Mono.empty());
                 when(tokenProvider.validateToken("token")).thenReturn(Mono.error(new RuntimeException("error in validation")));
                 StepVerifier.create(tokenAuthFilter.filter(serverWebExchange, chain))
-                    .expectErrorSatisfies(error -> assertEquals("error in validation", error.getMessage()))
-                    .verify();
-
+                    .verifyComplete();
+                verify(authExceptionHandlerReactive, times(1)).handleServiceUnavailable(any());
                 verify(chain, never()).filter(serverWebExchange);
             }
 
@@ -157,7 +156,7 @@ void givenTokenIsInvalidEmpty_thenStopChainAndReturnEmpty() {
             void givenTokenIsInvalidEmptyUser_thenHandleException() {
                 mockTokenInCookie();
                 when(tokenProvider.validateToken("token")).thenReturn(Mono.just(new QueryResponse()));
-                when(authExceptionHandlerReactive.handleTokenNotValid(any()))
+                when(authExceptionHandlerReactive.handleServiceUnavailable(any()))
                     .thenReturn(Mono.error(new TokenNotValidException("Invalid token")));
 
                 StepVerifier.create(tokenAuthFilter.filter(serverWebExchange, chain))
diff --git a/schemas/caching-schema.json b/schemas/caching-schema.json
@@ -82,6 +82,22 @@
                                                                         "default": 7601
                                                                     }
                                                                 }
+                                                            },
+                                                            "tcp": {
+                                                                "type": "object",
+                                                                "description": "TCP stack",
+                                                                "properties": {
+                                                                    "diag": {
+                                                                        "type": "object",
+                                                                        "description": "Cluster diagnostics",
+                                                                        "properties": {
+                                                                            "enabled": {
+                                                                                "type": "boolean",
+                                                                                "description": "Enable diagnostics of infinispan cluster"
+                                                                            }
+                                                                        }
+                                                                    }
+                                                                }
                                                             }
                                                         }
                                                     },

Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,7 @@ public class TokenAuthFilter implements WebFilter {`
`37`	`37`	`private final TokenProvider tokenProvider;`
`38`	`38`	`private final AuthConfigurationProperties authConfigurationProperties;`
`39`	`39`	`private final AuthExceptionHandlerReactive authExceptionHandlerReactive;`
	`40`	`+`
`40`	`41`	`@Override`
`41`	`42`	`public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {`
`42`	`43`	`var token = resolveToken(exchange.getRequest()).filter(StringUtils::isNotBlank);`
`@@ -50,7 +51,7 @@ public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {`
`50`	`51`	`}`
`51`	`52`	`return authExceptionHandlerReactive.handleTokenNotValid(exchange);`
`52`	`53`
`53`		`- })`
	`54`	`+ }).onErrorResume(ex -> authExceptionHandlerReactive.handleServiceUnavailable(exchange))`
`54`	`55`	`).orElseGet(() -> chain.filter(exchange));`
`55`	`56`	`}`
`56`	`57`
Original file line number	Diff line number	Diff line change
`@@ -82,6 +82,22 @@`
`82`	`82`	`"default": 7601`
`83`	`83`	`}`
`84`	`84`	`}`
	`85`	`+ },`
	`86`	`+ "tcp": {`
	`87`	`+ "type": "object",`
	`88`	`+ "description": "TCP stack",`
	`89`	`+ "properties": {`
	`90`	`+ "diag": {`
	`91`	`+ "type": "object",`
	`92`	`+ "description": "Cluster diagnostics",`
	`93`	`+ "properties": {`
	`94`	`+ "enabled": {`
	`95`	`+ "type": "boolean",`
	`96`	`+ "description": "Enable diagnostics of infinispan cluster"`
	`97`	`+ }`
	`98`	`+ }`
	`99`	`+ }`
	`100`	`+ }`
`85`	`101`	`}`
`86`	`102`	`}`
`87`	`103`	`},`