Merge pull request #1013 from qbicsoftware/development

Release PR

Author: sven1103

.gitignore

@@ -1,3 +1,6 @@
+# Any local PKCS12 stores
+*.p12
+
 */target/
 .idea/
 .settings

README.md

@@ -45,7 +45,8 @@ that enables FAIR-compliant data access.
 
 ## Style Guide
 
-Please find the [styleguide](https://github.com/qbicsoftware/data-manager-app-design-system) in its own repository.
+Please find the [styleguide](https://github.com/qbicsoftware/data-manager-app-design-system) in its
+own repository.
 
 ## How to Run
 
@@ -124,7 +125,8 @@ spring.mail.host=${MAIL_HOST:smtp.gmail.com}
 spring.mail.port=${MAIL_PORT:587}
 ```
 
-For user email confirmation a specific endpoint and context-path (for example if the app runs in a different context than the root path) is addressed. This endpoint can be configured using
+For user email confirmation a specific endpoint and context-path (for example if the app runs in a
+different context than the root path) is addressed. This endpoint can be configured using
 the following properties:
 
 | environment variable           | description                                                       |
@@ -219,6 +221,93 @@ openbis.datasource.url=${OPENBIS_DATASOURCE_URL:openbis-url}
 
 ```
 
+### Secret handling
+
+Data Manager uses a custom vault concept for storing application secrets, that builds upon
+a [Java Keystore](https://docs.oracle.com/javase/17/docs/api/java/security/KeyStore.html) in its
+core.
+
+We currently stick to a PKCS12 store type and encrypt every secret with AES.
+
+Therefore, in order to be able to run the application, a keystore must be set-up beforehand.
+
+#### Setup keystore
+
+Before the Java keystore can be referenced in Data Manager's configuration, it has to be created in the first place.
+
+You will need [keytool](https://docs.oracle.com/en/java/javase/11/tools/keytool.html) for this step.
+
+Start the setup with a dummy entry for creation of a keystore file in PKSC12 format:
+
+```bash
+ keytool -genkeypair -alias dummy -keyalg RSA -keysize 2048 -keystore keystore.p12 -storetype PKCS12 -storepass mysecretpassword -dname "CN=Dummy, OU=Test, O=Company, L=City, ST=State, C=US"
+```
+
+This secures the keystore with the `mysecretpassword` password. Change it to something only you have
+access and with
+Please choose a strong password. The application will fail for passwords with entropy below 100. The entropy of your password is calculated as follows
+
+$$
+H = -\sum_{i=1}^{n} P(x_i) \log_2 P(x_i) \times n > 100.,
+$$
+
+$$
+\begin{aligned}
+\text{where } & \text{ P(x_i) is the probability of character } x_i, \\
+& n \text{ is the total length of the password}.
+\end{aligned}
+$$
+$$
+H = -\sum_{i=1}^{n} P(x_i) \log_2 P(x_i) \times n > 100.,
+$$
+
+$$
+\begin{aligned}
+\text{where } & \text{ P(x_i) is the probability of character } x_i, \\
+& n \text{ is the total length of the password}.
+\end{aligned}
+$$
+
+The application will fail starting, if the total entropy is below 100.
+
+Now remove the dummy entry, to have a true empty keystore:
+
+```bash
+ keytool -delete -alias dummy -keystore keystore.p12 -storetype PKCS12 -storepass mysecretpassword
+```
+
+Verify:
+
+```bash
+keytool -list -keystore keystore.p12 -storetype PKCS12 -storepass mysecretpassword
+```
+which should show something like:
+```text
+Keystore type: PKCS12
+Keystore provider: SUN
+
+Your keystore contains 0 entries
+```
+
+#### Configure vault in Data Manager
+
+You need these three properties configured properly to operate the vault within the app. The secret
+for the vault is available in a local environment variable `DATAMANAGER_VAULT_KEY` and get more
+hardened with future releases.
+
+For the secret entries themselves, define a strong secret in the `DATAMANAGER_VAULT_ENTRY_PASSWORD`
+environment variable. The same
+strength requirements apply here as well.
+
+```properties
+# Sets the environment variable that contains the vault key
+qbic.security.vault.key.env=DATAMANAGER_VAULT_KEY
+# Since it will be a PKCS12 file, let the file end with *.p12
+qbic.security.vault.path=${DATAMANAGER_VAULT_PATH:keystore.p12}
+# The password used for encrypting entries in the vault. Must be longer than 20 characters.
+qbic.security.vault.entry.password.env=DATAMANAGER_VAULT_ENTRY_PASSWORD
+```
+
 ### Local testing
 
 The default configuration of the app binds to the local port 8080 to the systems localhost. \
@@ -346,4 +435,5 @@ This work is licensed under the [MIT license](https://mit-license.org/).
 This work uses the [Vaadin Framework](https://github.com/vaadin), which is licensed
 under [Apache 2.0](https://www.apache.org/licenses/LICENSE-2.0).
 
-The University of Tübingen logo is a registered trademark and the copyright is owned by the [University of Tübingen](https://uni-tuebingen.de/).
+The University of Tübingen logo is a registered trademark and the copyright is owned by
+the [University of Tübingen](https://uni-tuebingen.de/).

finances-infrastructure/pom.xml

@@ -27,12 +27,6 @@
       <groupId>org.springframework.security</groupId>
       <artifactId>spring-security-core</artifactId>
     </dependency>
-    <dependency>
-      <groupId>life.qbic.identity</groupId>
-      <artifactId>project-management-infrastructure</artifactId>
-      <version>0.34.0</version>
-      <scope>compile</scope>
-    </dependency>
   </dependencies>
 
 </project>

project-management-infrastructure/src/main/java/life/qbic/projectmanagement/infrastructure/DataManagerVault.java

@@ -0,0 +1,198 @@
+package life.qbic.projectmanagement.infrastructure;
+
+import static life.qbic.logging.service.LoggerFactory.logger;
+
+import java.io.BufferedOutputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.security.KeyStore;
+import java.security.KeyStore.PasswordProtection;
+import java.security.KeyStore.SecretKeyEntry;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Optional;
+import javax.crypto.spec.SecretKeySpec;
+import life.qbic.logging.api.Logger;
+import org.springframework.beans.factory.DisposableBean;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Component;
+
+/**
+ * Container for a Java keystore to maintain secrets within the application.
+ *
+ * @since 1.8.0
+ */
+@Component
+public class DataManagerVault implements DisposableBean {
+
+  public static final String UNEXPECTED_VAULT_EXCEPTION = "Unexpected vault exception";
+  private static final Logger log = logger(DataManagerVault.class);
+  private static final String KEY_GENERATOR_ALGORITHM = "AES";
+  private static final double MIN_ENTROPY = 100; // Shannon entropy * length of secret
+  private final KeyStore keyStore;
+  private final String envVarKeystorePassword;
+  private final String envVarKeystoreEntryPassword;
+  private final Path keystorePath;
+
+  public DataManagerVault(@Value("${qbic.security.vault.key.env}") String vaultKeyEnvVar,
+      @Value("${qbic.security.vault.path}") String vaultPathString,
+      @Value("${qbic.security.vault.entry.password.env}") String vaultEntryPassword)
+      throws CertificateException, KeyStoreException, IOException, NoSuchAlgorithmException {
+    if (System.getenv(vaultKeyEnvVar) == null) {
+      throw new DataManagerVaultException(
+          "Cannot find value for environment variable: %s".formatted(vaultKeyEnvVar));
+    }
+    if (System.getenv(vaultEntryPassword) == null) {
+      throw new DataManagerVaultException(
+          "Cannot find value for environment variable: %s".formatted(vaultEntryPassword)
+      );
+    }
+    this.envVarKeystoreEntryPassword = vaultEntryPassword;
+    this.envVarKeystorePassword = vaultKeyEnvVar;
+
+    double entropy;
+    if ((entropy = calculateEntropy(System.getenv(envVarKeystorePassword))) < MIN_ENTROPY) {
+      throw new DataManagerVaultException(
+          "Entry of password for keystore was to low: %f (min: %f)".formatted(entropy,
+              MIN_ENTROPY));
+    }
+    if ((entropy = calculateEntropy(System.getenv(envVarKeystoreEntryPassword))) < MIN_ENTROPY) {
+      throw new DataManagerVaultException(
+          "Entry of password for keystore entries was to low: %f (min: %f)".formatted(entropy,
+              MIN_ENTROPY));
+    }
+
+    this.keystorePath = fromString(vaultPathString);
+    this.keyStore = createVault(vaultKeyEnvVar, keystorePath);
+  }
+
+  // Calculates the product of Shannon entropy and secret length
+  // See https://en.wikipedia.org/wiki/Entropy_(information_theory)
+  private static double calculateEntropy(String secret) {
+    if (secret == null || secret.isEmpty()) {
+      return 0.0;
+    }
+
+    Map<Character, Integer> frequencyMap = new HashMap<>();
+    int length = secret.length();
+
+    // Count character frequencies
+    for (char c : secret.toCharArray()) {
+      frequencyMap.put(c, frequencyMap.getOrDefault(c, 0) + 1);
+    }
+
+    // Compute entropy
+    double entropy = 0.0;
+    for (Integer count : frequencyMap.values()) {
+      double probability = (double) count / length;
+      entropy += probability * (Math.log(probability) / Math.log(2));
+    }
+
+    return -entropy * secret.length(); // Negate since log probabilities are negative
+  }
+
+  private static Path fromString(String path) {
+    Path p = Paths.get(path);
+    if (p.isAbsolute()) {
+      return p;
+    }
+    return Path.of(System.getProperty("user.dir")).resolve(path);
+  }
+
+  private static KeyStore createVault(String vaultKeyEnvVar, Path vaultPath)
+      throws CertificateException, KeyStoreException, IOException, NoSuchAlgorithmException {
+
+    return KeyStore.getInstance(vaultPath.toFile(),
+        System.getenv(vaultKeyEnvVar).toCharArray());
+  }
+
+  /**
+   * Adds a secret under a given alias to the vault and stores the vault content into the configured
+   * file.
+   * <p>
+   * {@link DataManagerVault} applies an AES encryption on the provided secret.
+   *
+   * @param alias  the reference the entry can be retrieved again with
+   *               {@link DataManagerVault#read(String)}.
+   * @param secret the secret to store in the vault
+   * @since 1.8.0
+   */
+  public void add(String alias, String secret) {
+    try {
+      this.keyStore.setEntry(alias, new SecretKeyEntry(new SecretKeySpec(secret.getBytes(
+              StandardCharsets.UTF_8), KEY_GENERATOR_ALGORITHM)),
+          new PasswordProtection(System.getenv(envVarKeystoreEntryPassword).toCharArray()));
+    } catch (KeyStoreException e) {
+      throw new DataManagerVaultException(UNEXPECTED_VAULT_EXCEPTION, e);
+    }
+
+    writeToFileSystem();
+  }
+
+  private void writeToFileSystem() {
+    try (var bos = new BufferedOutputStream(new FileOutputStream(keystorePath.toFile()))) {
+      keyStore.store(bos, System.getenv(envVarKeystorePassword).toCharArray());
+      bos.flush();
+    } catch (IOException e) {
+      throw new DataManagerVaultException("Unexpected vault exception when writing to the keystore",
+          e);
+    } catch (CertificateException | KeyStoreException | NoSuchAlgorithmException e) {
+      throw new DataManagerVaultException(UNEXPECTED_VAULT_EXCEPTION, e);
+    }
+  }
+
+  /**
+   * Read looks for a matching entry for the provided alias.
+   * <p>
+   * If no entry for the given alias is found, the vault returns an {@link Optional#empty()}.
+   * <p>
+   * If the decryption of the secret fails, an {@link DataManagerVaultException} is thrown.
+   *
+   * @param alias the reference for the entry to retrieve
+   * @return an {@link Optional<String>} with the potential secret.
+   * @throws DataManagerVaultException if the decryption fails.
+   * @since 1.8.0
+   */
+  public Optional<String> read(String alias) throws DataManagerVaultException {
+    try {
+      return Optional.ofNullable(
+              this.keyStore.getKey(alias, System.getenv(envVarKeystoreEntryPassword).toCharArray()))
+          .map(k -> new String(k.getEncoded(), StandardCharsets.UTF_8));
+    } catch (KeyStoreException | NoSuchAlgorithmException e) {
+      throw new DataManagerVaultException(UNEXPECTED_VAULT_EXCEPTION, e);
+    } catch (UnrecoverableKeyException e) {
+      throw new DataManagerVaultException("Recovering alias entry failed", e);
+    }
+  }
+
+  @Override
+  public void destroy() throws Exception {
+    log.debug("Destroying vault keystore " + this);
+    // Ensure current cached entries are written to the file system
+    writeToFileSystem();
+  }
+
+  /**
+   * Used for exceptions occurring during interactions with the {@link DataManagerVault}.
+   *
+   * @since 1.8.0
+   */
+  public static class DataManagerVaultException extends RuntimeException {
+
+    public DataManagerVaultException(String message) {
+      super(message);
+    }
+
+    public DataManagerVaultException(String message, Throwable cause) {
+      super(message, cause);
+    }
+  }
+
+}

project-management-infrastructure/src/main/java/life/qbic/projectmanagement/infrastructure/batch/BatchJpaRepository.java

@@ -14,7 +14,7 @@
 import life.qbic.projectmanagement.domain.model.experiment.ExperimentId;
 import life.qbic.projectmanagement.domain.model.sample.Sample;
 import life.qbic.projectmanagement.domain.repository.BatchRepository;
-import life.qbic.projectmanagement.infrastructure.sample.QbicSampleRepository;
+import life.qbic.projectmanagement.infrastructure.sample.SampleJpaRepository;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Repository;
 
@@ -31,11 +31,11 @@ public class BatchJpaRepository implements BatchRepository {
   private static final Logger log = logger(BatchJpaRepository.class);
 
   private final QbicBatchRepo qbicBatchRepo;
-  private final QbicSampleRepository qbicSampleRepository;
+  private final SampleJpaRepository qbicSampleRepository;
 
   @Autowired
   public BatchJpaRepository(QbicBatchRepo qbicBatchRepo,
-      QbicSampleRepository qbicSampleRepository) {
+      SampleJpaRepository qbicSampleRepository) {
     this.qbicBatchRepo = qbicBatchRepo;
     this.qbicSampleRepository = qbicSampleRepository;
   }

project-management-infrastructure/src/main/java/life/qbic/projectmanagement/infrastructure/confounding/ConfoundingVariableJpaRepository.java

@@ -0,0 +1,16 @@
+package life.qbic.projectmanagement.infrastructure.confounding;
+
+import java.util.Collection;
+import java.util.List;
+import life.qbic.projectmanagement.domain.model.confounding.jpa.ConfoundingVariableData;
+import org.springframework.data.repository.ListCrudRepository;
+
+public interface ConfoundingVariableJpaRepository extends
+    ListCrudRepository<ConfoundingVariableData, Long> {
+
+  long countByExperimentIdEquals(String experimentId);
+
+  List<ConfoundingVariableData> findAllByExperimentIdEquals(String experimentId);
+
+  boolean existsDistinctByIdIsIn(Collection<Long> ids);
+}