Merge branch 'api_token_encryption_3_3_0-846' into 'stable-3_3_0'

Encrypt Dataverse API Token

See merge request softwares-pkp/plugins_ojs/dataverse!212

Author: thiagolepidus

.gitlab-ci.yml

@@ -9,3 +9,7 @@ include:
       - 'templates/groups/ops/unit_tests.yml'
       - 'templates/groups/ojs/unit_tests.yml'
       - 'templates/groups/ojs/cypress_tests.yml'
+
+.integration_tests_template:
+  before_script:
+    - sed -i "s/api_key_secret = \"\"/api_key_secret = \"$API_KEY_SECRET\"/" /var/www/$CY_APPLICATION/config.inc.php

README.md

@@ -13,6 +13,14 @@ The latest release of this plugin is compatible with the following PKP applicati
 
 Using PHP between 7.3 and 8.1.
 
+## Requirements for usage
+
+1. **api_key_secret**
+
+The OJS/OPS instance must have the `api_key_secret` configuration set up, you may contact your system administrator to do that (see [this post](https://forum.pkp.sfu.ca/t/how-to-generate-a-api-key-secret-code-in-ojs-3/72008)).
+
+This is required to use the API credentials provided, that are stored encrypted in the OJS/OPS database.
+
 ## Plugin Download
 
 To download the plugin, go to the [Releases page](https://github.com/lepidus/dataversePlugin/releases) and download the tar.gz package of the latest release compatible with your website.

classes/DataEncryption.inc.php

@@ -0,0 +1,79 @@
+<?php
+
+use Illuminate\Encryption\Encrypter;
+
+class DataEncryption
+{
+    private const ENCRYPTION_CIPHER = 'AES-256-CBC';
+    private const BASE64_PREFIX = 'base64:';
+
+    public function secretConfigExists(): bool
+    {
+        try {
+            $this->getSecretFromConfig();
+        } catch (Exception $e) {
+            return false;
+        }
+        return true;
+    }
+
+    private function getSecretFromConfig(): string
+    {
+        $secret = \Config::getVar('security', 'api_key_secret');
+        if ($secret === "") {
+            throw new Exception("Dataverse Error: A secret must be set in the config file ('api_key_secret') so that keys can be encrypted and decrypted");
+        }
+
+        return $this->normalizeSecret($secret);
+    }
+
+    private function normalizeSecret(string $secret): string
+    {
+        return hash('sha256', $secret, true);
+    }
+
+    public function textIsEncrypted(string $text): bool
+    {
+        if (!str_starts_with($text, self::BASE64_PREFIX)) {
+            return false;
+        }
+
+        try {
+            $this->decryptString($text);
+            return true;
+        } catch (Exception $e) {
+            return false;
+        }
+    }
+
+    public function encryptString(string $plainText): string
+    {
+        $secret = $this->getSecretFromConfig();
+        $encrypter = new Encrypter($secret, self::ENCRYPTION_CIPHER);
+
+        try {
+            $encryptedString = $encrypter->encrypt($plainText);
+        } catch (Exception $e) {
+            throw new Exception("Dataverse Error: Failed to encrypt string");
+        }
+
+        return self::BASE64_PREFIX . base64_encode($encryptedString);
+    }
+
+    public function decryptString(string $encryptedText): string
+    {
+        $secret = $this->getSecretFromConfig();
+        $encrypter = new Encrypter($secret, self::ENCRYPTION_CIPHER);
+
+        $encryptedText = str_replace(self::BASE64_PREFIX, '', $encryptedText);
+        $payload = base64_decode($encryptedText);
+
+        try {
+            $decryptedString = $encrypter->decrypt($payload);
+        } catch (Exception $e) {
+            throw new Exception("Dataverse Error: Failed to decrypt string");
+        }
+
+        return $decryptedString;
+    }
+}

classes/dataverseConfiguration/DataverseConfigurationDAO.inc.php

@@ -2,6 +2,7 @@
 
 use Illuminate\Database\Capsule\Manager as Capsule;
 
+import('plugins.generic.dataverse.classes.DataEncryption');
 import('plugins.generic.dataverse.classes.dataverseConfiguration.DataverseConfiguration');
 
 class DataverseConfigurationDAO
@@ -35,6 +36,7 @@ public function hasConfiguration(int $contextId): bool
     public function get(int $contextId): DataverseConfiguration
     {
         $settings = $this->dao->getPluginSettings($contextId, $this->pluginName);
+        $settings = $this->decryptApiToken($settings);
         $configuration = $this->newDataObject();
         $configuration->setAllData($settings);
         return $configuration;
@@ -52,4 +54,15 @@ public function insert(int $contextId, DataverseConfiguration $configuration): v
             );
         }
     }
+
+    private function decryptApiToken(array $settings): array
+    {
+        if (isset($settings['apiToken'])) {
+            $encryption = new DataEncryption();
+            if ($encryption->textIsEncrypted($settings['apiToken'])) {
+                $settings['apiToken'] = $encryption->decryptString($settings['apiToken']);
+            }
+        }
+        return $settings;
+    }
 }

classes/migration/APITokenEncryptionMigration.inc.php

@@ -0,0 +1,34 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Capsule\Manager as Capsule;
+
+import('plugins.generic.dataverse.classes.DataEncryption');
+
+class APITokenEncryptionMigration extends Migration
+{
+    public function up(): void
+    {
+        $encrypter = new DataEncryption();
+        if (!$encrypter->secretConfigExists()) {
+            return;
+        }
+
+        Capsule::table('plugin_settings')
+            ->where('plugin_name', 'dataverseplugin')
+            ->where('setting_name', 'apiToken')
+            ->get(['context_id', 'setting_value'])
+            ->each(function ($row) use ($encrypter) {
+                if (empty($row->setting_value) || $encrypter->textIsEncrypted($row->setting_value)) {
+                    return;
+                }
+
+                $encryptedValue = $encrypter->encryptString($row->setting_value);
+                Capsule::table('plugin_settings')
+                    ->where('plugin_name', 'dataverseplugin')
+                    ->where('context_id', $row->context_id)
+                    ->where('setting_name', 'apiToken')
+                    ->update(['setting_value' => $encryptedValue]);
+            });
+    }
+}

locale/en_US/locale.po

@@ -17,6 +17,9 @@ msgstr "Dataverse Plugin"
 msgid "plugins.generic.dataverse.description"
 msgstr "Deposit data sets and/or other supplementary files to a Dataverse."
 
+msgid "plugins.generic.dataverse.settings.emptyApiSecretKey"
+msgstr "The administrator must set a secret in the site configuration file ('api_key_secret')."
+
 msgid "plugins.generic.dataverse.settings.description"
 msgstr ""
 "Configure the Dataverse API to deposit research data into a Dataverse repository.<br>"

locale/es_ES/locale.po

@@ -17,6 +17,9 @@ msgstr "Módulo Dataverse"
 msgid "plugins.generic.dataverse.description"
 msgstr "Deposita conjuntos de datos y/u otros documentos complementarios en Dataverse."
 
+msgid "plugins.generic.dataverse.settings.emptyApiSecretKey"
+msgstr "Es necesario que el administrador establezca un secreto en el archivo de configuración del sitio ('api_key_secret')."
+
 msgid "plugins.generic.dataverse.settings.description"
 msgstr ""
 "Configure la API Dataverse para depositar datos de investigación en un repositorio de Dataverse.<br>"

locale/pt_BR/locale.po

@@ -17,6 +17,9 @@ msgstr "Plugin Dataverse"
 msgid "plugins.generic.dataverse.description"
 msgstr "Deposita conjuntos de dados e/ou outros documentos suplementares no Dataverse."
 
+msgid "plugins.generic.dataverse.settings.emptyApiSecretKey"
+msgstr "É necessário que o administrador defina um segredo no arquivo de configuração do site ('api_key_secret')."
+
 msgid "plugins.generic.dataverse.settings.description"
 msgstr ""
 "Configure a API Dataverse para depositar dados de pesquisa em um repositório Dataverse.<br>"

settings/DataverseSettingsForm.inc.php

@@ -1,6 +1,7 @@
 <?php
 
 import('lib.pkp.classes.form.Form');
+import('plugins.generic.dataverse.classes.DataEncryption');
 import('plugins.generic.dataverse.classes.dataverseConfiguration.DataverseConfigurationDAO');
 import('plugins.generic.dataverse.dataverseAPI.actions.DataverseCollectionActions');
 import('plugins.generic.dataverse.settings.DefaultAdditionalInstructions');
@@ -19,7 +20,9 @@ class DataverseSettingsForm extends Form
 
     public function __construct(Plugin $plugin, int $contextId)
     {
-        parent::__construct($plugin->getTemplateResource('dataverseConfigurationForm.tpl'));
+        $encryption = new DataEncryption();
+        $template = $encryption->secretConfigExists() ? 'dataverseConfigurationForm.tpl' : 'emptySecretKey.tpl';
+        parent::__construct($plugin->getTemplateResource($template));
 
         $this->plugin = $plugin;
         $this->contextId = $contextId;
@@ -92,6 +95,7 @@ public function fetch($request, $template = null, $display = false)
     public function execute(...$functionArgs)
     {
         $this->setDefaultAdditionalInstructions();
+        $this->encryptApiToken();
         foreach (self::CONFIG_VARS as $configVar => $type) {
             $this->plugin->updateSetting($this->contextId, $configVar, $this->getData($configVar), $type);
         }
@@ -129,4 +133,15 @@ private function setDefaultAdditionalInstructions(): void
 
         $this->setData('additionalInstructions', $additionalInstructions);
     }
+
+    private function encryptApiToken(): void
+    {
+        $encryption = new DataEncryption();
+        $apiToken = $this->getData('apiToken');
+
+        if (!$encryption->textIsEncrypted($apiToken)) {
+            $encryptedToken = $encryption->encryptString($apiToken);
+            $this->setData('apiToken', $encryptedToken);
+        }
+    }
 }

templates/emptySecretKey.tpl

@@ -0,0 +1,12 @@
+{**
+ * templates/dataverseConfigurationForm.tpl
+ *
+ * Copyright (c) 2019-2025 Lepidus Tecnologia
+ * Copyright (c) 2020-2025 SciELO
+ * Distributed under the GNU GPL v3. For full terms see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt
+ *
+ * Dataverse plugin empty secret key warning template
+ *
+ *}
+
+{translate key="plugins.generic.dataverse.settings.emptyApiSecretKey"}