Merge branch 'api_token_encryption_3_4_0-846' into 'main'

Encrypt API token

See merge request softwares-pkp/plugins_ojs/dataverse!211

Author: thiagolepidus

.gitlab-ci.yml

@@ -9,7 +9,11 @@ include:
       - 'templates/groups/ojs/unit_tests.yml'
       - 'templates/groups/ojs/cypress_tests.yml'
 
+.integration_tests_template:
+  before_script:
+    - sed -i "s/api_key_secret = \"\"/api_key_secret = \"$API_KEY_SECRET\"/" /var/www/$APPLICATION/config.inc.php
+
 # Desabilita os jobs de testes de aceitação da aplicação, por enquanto
 ojs_integration_tests:
   rules:
-    - when: never
+    - when: never

DataverseSettingsForm.php

@@ -11,6 +11,7 @@
 use PKP\form\validation\FormValidator;
 use PKP\form\validation\FormValidatorCustom;
 use PKP\form\validation\FormValidatorPost;
+use APP\plugins\generic\dataverse\classes\DataEncryption;
 use APP\plugins\generic\dataverse\classes\exception\DataverseException;
 use APP\plugins\generic\dataverse\classes\dataverseConfiguration\DataverseConfiguration;
 use APP\plugins\generic\dataverse\classes\dataverseConfiguration\DataverseConfigurationDAO;
@@ -31,7 +32,9 @@ class DataverseSettingsForm extends Form
 
     public function __construct(Plugin $plugin, int $contextId)
     {
-        parent::__construct($plugin->getTemplateResource('dataverseConfigurationForm.tpl'));
+        $encryption = new DataEncryption();
+        $template = $encryption->secretConfigExists() ? 'dataverseConfigurationForm.tpl' : 'emptySecretKey.tpl';
+        parent::__construct($plugin->getTemplateResource($template));
 
         $this->plugin = $plugin;
         $this->contextId = $contextId;
@@ -103,6 +106,7 @@ public function fetch($request, $template = null, $display = false)
     public function execute(...$functionArgs)
     {
         $this->setDefaultAdditionalInstructions();
+        $this->encryptApiToken();
         foreach (self::CONFIG_VARS as $configVar => $type) {
             $this->plugin->updateSetting($this->contextId, $configVar, $this->getData($configVar), $type);
         }
@@ -140,4 +144,15 @@ private function setDefaultAdditionalInstructions(): void
 
         $this->setData('additionalInstructions', $additionalInstructions);
     }
+
+    private function encryptApiToken(): void
+    {
+        $encryption = new DataEncryption();
+        $apiToken = $this->getData('apiToken');
+
+        if (!$encryption->textIsEncrypted($apiToken)) {
+            $encryptedToken = $encryption->encryptString($apiToken);
+            $this->setData('apiToken', $encryptedToken);
+        }
+    }
 }

README.md

@@ -15,6 +15,14 @@ Check the latest compatible version for your application on the [Releases page](
 
 All versions are compatible with Dataverse 5.x and 6.x.
 
+## Requirements for usage
+
+1. **api_key_secret**
+
+The OJS instance must have the `api_key_secret` configuration set up, you may contact your system administrator to do that (see [this post](https://forum.pkp.sfu.ca/t/how-to-generate-a-api-key-secret-code-in-ojs-3/72008)).
+
+This is required to use the API credentials provided, that are stored encrypted in the OJS database.
+
 ## Installation
 
 This plugin is available for installation via the [PKP Plugin Gallery](https://docs.pkp.sfu.ca/plugin-inventory/en/). For installation, follow these steps:

classes/DataEncryption.php

@@ -0,0 +1,83 @@
+<?php
+
+namespace APP\plugins\generic\dataverse\classes;
+
+use PKP\config\Config;
+use Illuminate\Encryption\Encrypter;
+use Exception;
+
+class DataEncryption
+{
+    private const ENCRYPTION_CIPHER = 'aes-256-cbc';
+    private const BASE64_PREFIX = 'base64:';
+
+    public function secretConfigExists(): bool
+    {
+        try {
+            $this->getSecretFromConfig();
+        } catch (Exception $e) {
+            return false;
+        }
+        return true;
+    }
+
+    private function getSecretFromConfig(): string
+    {
+        $secret = Config::getVar('security', 'api_key_secret');
+        if ($secret === "") {
+            throw new Exception("Dataverse Error: A secret must be set in the config file ('api_key_secret') so that keys can be encrypted and decrypted");
+        }
+
+        return $this->normalizeSecret($secret);
+    }
+
+    private function normalizeSecret(string $secret): string
+    {
+        return hash('sha256', $secret, true);
+    }
+
+    public function textIsEncrypted(string $text): bool
+    {
+        if (!str_starts_with($text, self::BASE64_PREFIX)) {
+            return false;
+        }
+
+        try {
+            $this->decryptString($text);
+            return true;
+        } catch (Exception $e) {
+            return false;
+        }
+    }
+
+    public function encryptString(string $plainText): string
+    {
+        $secret = $this->getSecretFromConfig();
+        $encrypter = new Encrypter($secret, self::ENCRYPTION_CIPHER);
+
+        try {
+            $encryptedString = $encrypter->encrypt($plainText);
+        } catch (Exception $e) {
+            throw new Exception("DEIA Survey - Failed to encrypt string");
+        }
+
+        return self::BASE64_PREFIX . base64_encode($encryptedString);
+    }
+
+    public function decryptString(string $encryptedText): string
+    {
+        $secret = $this->getSecretFromConfig();
+        $encrypter = new Encrypter($secret, self::ENCRYPTION_CIPHER);
+
+        $encryptedText = str_replace(self::BASE64_PREFIX, '', $encryptedText);
+        $payload = base64_decode($encryptedText);
+
+        try {
+            $decryptedString = $encrypter->decrypt($payload);
+        } catch (Exception $e) {
+            throw new Exception("Dataverse Error: Failed to decrypt string");
+        }
+
+        return $decryptedString;
+    }
+}

classes/dataverseConfiguration/DataverseConfigurationDAO.php

@@ -5,6 +5,7 @@
 use Illuminate\Support\Facades\DB;
 use PKP\db\DAORegistry;
 use APP\plugins\generic\dataverse\classes\dataverseConfiguration\DataverseConfiguration;
+use APP\plugins\generic\dataverse\classes\DataEncryption;
 
 class DataverseConfigurationDAO
 {
@@ -36,6 +37,7 @@ public function hasConfiguration(int $contextId): bool
     public function get(int $contextId): DataverseConfiguration
     {
         $settings = $this->dao->getPluginSettings($contextId, $this->pluginName);
+        $settings = $this->decryptApiToken($settings);
         $configuration = $this->newDataObject();
         $configuration->setAllData($settings);
         return $configuration;
@@ -53,4 +55,15 @@ public function insert(int $contextId, DataverseConfiguration $configuration): v
             );
         }
     }
+
+    private function decryptApiToken(array $settings): array
+    {
+        if (isset($settings['apiToken'])) {
+            $encryption = new DataEncryption();
+            if ($encryption->textIsEncrypted($settings['apiToken'])) {
+                $settings['apiToken'] = $encryption->decryptString($settings['apiToken']);
+            }
+        }
+        return $settings;
+    }
 }

classes/migrations/APITokenEncryptionMigration.php

@@ -0,0 +1,36 @@
+<?php
+
+namespace APP\plugins\generic\dataverse\classes\migrations;
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Support\Facades\DB;
+use APP\plugins\generic\dataverse\classes\DataEncryption;
+
+class APITokenEncryptionMigration extends Migration
+{
+    public function up(): void
+    {
+        $encrypter = new DataEncryption();
+        if (!$encrypter->secretConfigExists()) {
+            return;
+        }
+
+        DB::table('plugin_settings')
+            ->where('plugin_name', 'dataverseplugin')
+            ->where('setting_name', 'apiToken')
+            ->get(['context_id', 'setting_value'])
+            ->each(function ($row) use ($encrypter) {
+                if (empty($row->setting_value) || $encrypter->textIsEncrypted($row->setting_value)) {
+                    return;
+                }
+
+                $encryptedValue = $encrypter->encryptString($row->setting_value);
+                DB::table('plugin_settings')
+                    ->where('plugin_name', 'dataverseplugin')
+                    ->where('context_id', $row->context_id)
+                    ->where('setting_name', 'apiToken')
+                    ->update(['setting_value' => $encryptedValue]);
+            });
+    }
+
+}

docs/README-es.md

@@ -13,6 +13,14 @@ Este plugin es compatible con las siguientes aplicaciones PKP:
 
 Consulte la última versión compatible con su aplicación en la [Página de Versiones](https://github.com/lepidus/dataversePlugin/releases).
 
+## Requisitos para uso
+
+1. **api_key_secret**
+
+La instancia de OJS debe tener la configuración `api_key_secret` configurada, puedes contactar a tu administrador de sistema para hacerlo (ver [esta publicación](https://forum.pkp.sfu.ca/t/how-to-generate-a-api-key-secret-code-in-ojs-3/72008)).
+
+Esto es necesario para utilizar las credenciales de API proporcionadas, que se almacenan cifradas en la base de datos de OJS.
+
 ## Instalación
 
 ### Instrucciones

docs/README-pt_BR.md

@@ -17,6 +17,14 @@ Verifique a última versão compatível com a sua aplicação na [Página de Ver
 
 Todas as versões são compatíveis com Dataverse 5.x e 6.x.
 
+## Requisitos para uso
+
+1. **api_key_secret**
+
+A instância do OJS deve ter a configuração `api_key_secret` configurada, você pode contatar o administrador do sistema para fazer isso (consulte [este post](https://forum.pkp.sfu.ca/t/how-to-generate-a-api-key-secret-code-in-ojs-3/72008)).
+
+Isso é necessário para utilizar as credenciais de API fornecidas, que são armazenadas criptografadas no banco de dados do OJS.
+
 ## Instalação
 
 Este plugin está disponível para instalação através da [Galeria de Plugins da PKP](https://docs.pkp.sfu.ca/plugin-inventory/en/). Para fazer a instalação, siga os seguintes passos:

locale/en/locale.po

@@ -17,6 +17,9 @@ msgstr "Dataverse Plugin"
 msgid "plugins.generic.dataverse.description"
 msgstr "Deposit data sets and/or other supplementary files to a Dataverse."
 
+msgid "plugins.generic.dataverse.settings.emptyApiSecretKey"
+msgstr "The administrator must set a secret in the site configuration file ('api_key_secret')."
+
 msgid "plugins.generic.dataverse.settings.description"
 msgstr ""
 "Configure the Dataverse API to deposit research data into a Dataverse repository.<br>"

locale/es/locale.po

@@ -17,6 +17,9 @@ msgstr "Módulo Dataverse"
 msgid "plugins.generic.dataverse.description"
 msgstr "Deposita conjuntos de datos y/u otros documentos complementarios en Dataverse."
 
+msgid "plugins.generic.dataverse.settings.emptyApiSecretKey"
+msgstr "Es necesario que el administrador establezca un secreto en el archivo de configuración del sitio ('api_key_secret')."
+
 msgid "plugins.generic.dataverse.settings.description"
 msgstr ""
 "Configure la API Dataverse para depositar datos de investigación en un repositorio de Dataverse.<br>"