
X.509 Client authentication fail with 400 when the certificate is not mapped #3911

Open
richard-salac opened this issue Nov 26, 2024 · 0 comments
Labels
bug Verified defect in functionality Priority: Medium size/M

Comments

@richard-salac (Contributor) commented Nov 26, 2024

Describe the bug
APIML v2.18
When login using client certificate authentication fails because the certificate is not mapped to any user, the response code is 400. This should be an invalid-credentials-like scenario and return 401 instead. Also, the returned message is not valid for the case:

```json
{"messages":[{"messageType":"ERROR","messageNumber":"ZWEAG121E","messageContent":"Authorization header is missing, or the request body is missing or invalid for URL '/gateway/api/v1/auth/login'","messageAction":"Provide valid authentication.","messageReason":"The authorization header is missing, or the request body is missing or invalid.","messageKey":"org.zowe.apiml.security.login.invalidInput"}]}
```

Steps to Reproduce

  1. Let's have a client certificate that is trusted by the server, but not mapped to any user
  2. Call:

```shell
curl -v --key ./key.pem \
  --cert cert.pem -X POST 'https://hostname:port/gateway/api/v1/auth/login' \
  -H 'accept: */*' \
  -H 'Content-Type: application/json'
```

  3. The SSL connection is initiated (the certificate is trusted), but the return code is 400 even though the request is valid.

Expected behavior
When the authentication using a client certificate fails because the certificate is not mapped to any user, the return code should be 401 with clear message.

Full curl output

```
* Host XXX was resolved.
* IPv6: (none)
* IPv4: XXX
*   Trying XXX..
* Connected to XXXXX
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: XXXX/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Request CERT (13):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Certificate (11):
* (304) (OUT), TLS handshake, CERT verify (15):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES128-GCM-SHA256 / [blank] / UNDEF
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: XXXXX
*  start date: Jul 25 00:00:00 2024 GMT
*  expire date: Aug 25 23:59:59 2025 GMT
*  subjectAltName: host "XXXX"
*  issuer: XXXX
*  SSL certificate verify ok.
* using HTTP/1.x
> POST /gateway/api/v1/auth/login HTTP/1.1
> Host: XXX
> User-Agent: curl/8.7.1
> accept: */*
> Content-Type: application/json
>
* Request completely sent off
< HTTP/1.1 400
< Vary: Origin
< Vary: Access-Control-Request-Method
< Vary: Access-Control-Request-Headers
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< Content-Type: application/json;charset=ISO-8859-1
< Content-Length: 401
< Date: Tue, 26 Nov 2024 15:23:47 GMT
< Connection: close
<
* Closing connection
{"messages":[{"messageType":"ERROR","messageNumber":"ZWEAG121E","messageContent":"Authorization header is missing, or the request body is missing or invalid for URL '/gateway/api/v1/auth/login'","messageAction":"Provide valid authentication.","messageReason":"The authorization header is missing, or the request body is missing or invalid.","messageKey":"org.zowe.apiml.security.login.invalidInput"}]}
```
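To make the expected behaviour in the report concrete, the following is an added example written for this page, not Zowe APIML code. It is a minimal login decision function that treats a client certificate which the TLS layer already trusts but which maps to no user as an authentication failure (401, with a message naming the cause and a `WWW-Authenticate` challenge), and reserves 400 for requests that cannot be evaluated at all (unsupported scheme, bad Base64, unparsable JSON). `CERT_TO_USER`, `PASSWORDS`, `LoginRequest`, `LoginResponse` and the 204 success status are assumptions made for the demo; the certificate subjects and passwords are constructed sample data.

```python
import base64
import binascii
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data (hypothetical, not from APIML): subject DNs of
# trusted client certificates that are mapped to a user, and a toy password
# store for the Basic-auth and JSON-body login paths.
CERT_TO_USER = {"CN=alice,OU=dev,O=example": "ALICE"}
PASSWORDS = {"ALICE": "s3cret", "BOB": "hunter2"}

# Challenge returned with every 401 so the client knows it may retry.
WWW_AUTH = 'Basic realm="gateway"'


@dataclass
class LoginRequest:
    # Subject DN of the peer certificate. Present only when the TLS layer has
    # already verified the chain against the server trust store; an untrusted
    # certificate never reaches this function because the handshake fails.
    client_cert_subject: Optional[str] = None
    authorization: Optional[str] = None
    body: bytes = b""


@dataclass
class LoginResponse:
    status: int
    message: str
    headers: dict = field(default_factory=dict)


def _unauthorized(message: str) -> LoginResponse:
    # 401: credentials were presented (or absent) but did not identify a user.
    return LoginResponse(401, message, {"WWW-Authenticate": WWW_AUTH})


def _bad_request(message: str) -> LoginResponse:
    # 400: the request itself cannot be evaluated; retrying with other
    # credentials would not help, so no challenge header is sent.
    return LoginResponse(400, message)


def _check_password(user: str, password: str) -> LoginResponse:
    if PASSWORDS.get(user) == password:
        return LoginResponse(204, f"Authenticated as {user}")
    return _unauthorized("Invalid username or password.")


def login(req: LoginRequest) -> LoginResponse:
    # 1. Client certificate: trust was decided during the TLS handshake, so the
    #    only remaining question is whether the certificate maps to a user.
    #    An unmapped certificate is an authentication failure, not a malformed
    #    request, and the message must say so rather than blame the header.
    if req.client_cert_subject is not None:
        user = CERT_TO_USER.get(req.client_cert_subject)
        if user is None:
            return _unauthorized(
                f"Client certificate '{req.client_cert_subject}' is trusted "
                "but is not mapped to any user."
            )
        return LoginResponse(204, f"Authenticated as {user} via client certificate")

    # 2. Basic authentication header. Only structural problems are 400s.
    if req.authorization is not None:
        scheme, _, value = req.authorization.partition(" ")
        if scheme.lower() != "basic":
            return _bad_request(f"Unsupported authorization scheme '{scheme}'.")
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return _bad_request("Authorization header is not valid Base64.")
        user, sep, password = decoded.partition(":")
        if not sep:
            return _bad_request("Basic credentials must be 'user:password'.")
        return _check_password(user, password)

    # 3. JSON body carrying username and password.
    if req.body:
        try:
            data = json.loads(req.body)
        except ValueError:
            return _bad_request("Request body is not valid JSON.")
        if not isinstance(data, dict) or not all(k in data for k in ("username", "password")):
            return _bad_request("Request body must contain 'username' and 'password'.")
        return _check_password(str(data["username"]), str(data["password"]))

    # 4. Nothing presented at all: RFC 7235 asks for 401 plus a challenge.
    return _unauthorized("No credentials supplied.")
```

The ordering matters: the certificate branch is checked first and never falls through to the header or body checks, so a certificate-only request (exactly the curl call in the report, which sends neither an `Authorization` header nor a body) cannot be misreported as "Authorization header is missing". Whether a missing-credentials request should be 401 (as here, following RFC 7235) or 400 is a separate design choice from the one the issue raises.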
@richard-salac richard-salac added bug Verified defect in functionality new New issue that has not been worked on yet labels Nov 26, 2024
@balhar-jakub balhar-jakub added Priority: Medium size/M and removed new New issue that has not been worked on yet labels Dec 4, 2024
@balhar-jakub balhar-jakub moved this from New to Unplanned Bugs in API Mediation Layer Backlog Management Dec 4, 2024
Development

No branches or pull requests