Merge branch 'encryptCredentials-850' into 'main'

Adiciona criptografia das credenciais

See merge request softwares-pkp/plugins_ojs/doiscielo!30

Author: JhonathanLepidus

.gitlab-ci.yml

@@ -15,6 +15,7 @@ include:
 
 .integration_tests_template:
   before_script:
+    - sed -i 's/api_key_secret = ""/api_key_secret = "$API_KEY_SECRET"/' /var/www/$APPLICATION/config.inc.php
     - apt update && apt install poppler-utils -yqq
 
 ops_integration_tests:

ScieloScreeningPlugin.php

@@ -22,11 +22,13 @@
 use APP\template\TemplateManager;
 use PKP\core\JSONMessage;
 use APP\pages\submission\SubmissionHandler;
+use Illuminate\Database\Migrations\Migration;
 use APP\plugins\generic\scieloScreening\classes\components\forms\NumberContributorsForm;
 use APP\plugins\generic\scieloScreening\classes\ScreeningExecutor;
 use APP\plugins\generic\scieloScreening\classes\ScreeningChecker;
 use APP\plugins\generic\scieloScreening\classes\DocumentChecker;
 use APP\plugins\generic\scieloScreening\classes\OrcidClient;
+use APP\plugins\generic\scieloScreening\classes\migration\EncryptLegacyCredentials;
 use APP\plugins\generic\scieloScreening\ScieloScreeningSettingsForm;
 
 class ScieloScreeningPlugin extends GenericPlugin
@@ -66,6 +68,11 @@ public function getDescription()
         return __('plugins.generic.scieloScreening.description');
     }
 
+    public function getInstallMigration(): Migration
+    {
+        return new EncryptLegacyCredentials();
+    }
+
     public function getActions($request, $actionArgs)
     {
         $router = $request->getRouter();

ScieloScreeningSettingsForm.php

@@ -23,6 +23,7 @@
 use PKP\form\validation\FormValidatorPost;
 use PKP\form\validation\FormValidatorCSRF;
 use PKP\form\validation\FormValidatorCustom;
+use APP\plugins\generic\scieloScreening\classes\APIKeyEncryption;
 
 class ScieloScreeningSettingsForm extends Form
 {
@@ -31,15 +32,19 @@ class ScieloScreeningSettingsForm extends Form
         'orcidClientId' => 'string',
         'orcidClientSecret' => 'string',
     );
-
     public $contextId;
     public $plugin;
+    private $encrypter;
 
     public function __construct($plugin, $contextId)
     {
         $this->contextId = $contextId;
         $this->plugin = $plugin;
-        parent::__construct($plugin->getTemplateResource('settingsForm.tpl'));
+        $this->encrypter = new APIKeyEncryption();
+
+        $template = $this->encrypter->secretConfigExists() ? 'settingsForm.tpl' : 'settingsFormEmptySecret.tpl';
+        parent::__construct($plugin->getTemplateResource($template));
+
         $this->addCheck(new FormValidatorPost($this));
         $this->addCheck(new FormValidatorCSRF($this));
 
@@ -59,8 +64,17 @@ public function initData()
         $contextId = $this->contextId;
         $plugin = &$this->plugin;
         $this->_data = array();
+
         foreach (self::CONFIG_VARS as $configVar => $type) {
-            $this->_data[$configVar] = $plugin->getSetting($contextId, $configVar);
+            $settingValue = $plugin->getSetting($contextId, $configVar);
+
+            if ($configVar == 'orcidClientId' || $configVar == 'orcidClientSecret') {
+                if (!empty($settingValue) && $this->encrypter->textIsEncrypted($settingValue)) {
+                    $settingValue = $this->encrypter->decryptString($settingValue);
+                }
+            }
+
+            $this->_data[$configVar] = $settingValue;
         }
     }
 
@@ -86,7 +100,8 @@ public function execute(...$functionArgs)
             if ($configVar === 'orcidAPIPath') {
                 $plugin->updateSetting($contextId, $configVar, trim($this->getData($configVar), "\"\';"), $type);
             } else {
-                $plugin->updateSetting($contextId, $configVar, $this->getData($configVar), $type);
+                $encryptedValue = $this->encrypter->encryptString($this->getData($configVar));
+                $plugin->updateSetting($contextId, $configVar, $encryptedValue, $type);
             }
         }
 

classes/APIKeyEncryption.php

@@ -0,0 +1,83 @@
+<?php
+
+namespace APP\plugins\generic\scieloScreening\classes;
+
+use Exception;
+use Illuminate\Encryption\Encrypter;
+use PKP\config\Config;
+
+class APIKeyEncryption
+{
+    private const ENCRYPTION_CIPHER = 'AES-256-CBC';
+    private const BASE64_PREFIX = 'base64:';
+
+    public function secretConfigExists(): bool
+    {
+        try {
+            $this->getSecretFromConfig();
+        } catch (Exception $e) {
+            return false;
+        }
+        return true;
+    }
+
+    private function getSecretFromConfig(): string
+    {
+        $secret = Config::getVar('security', 'api_key_secret');
+        if ($secret === "") {
+            throw new Exception("A secret must be set in the config file ('api_key_secret') so that keys can be encrypted and decrypted");
+        }
+
+        return $this->normalizeSecret($secret);
+    }
+
+    private function normalizeSecret(string $secret): string
+    {
+        return hash('sha256', $secret, true);
+    }
+
+    public function textIsEncrypted(string $text): bool
+    {
+        if (!str_starts_with($text, self::BASE64_PREFIX)) {
+            return false;
+        }
+
+        try {
+            $this->decryptString($text);
+            return true;
+        } catch (Exception $e) {
+            return false;
+        }
+    }
+
+    public function encryptString(string $plainText): string
+    {
+        $secret = $this->getSecretFromConfig();
+        $encrypter = new Encrypter($secret, self::ENCRYPTION_CIPHER);
+
+        try {
+            $encryptedString = $encrypter->encrypt($plainText);
+        } catch (Exception $e) {
+            throw new Exception("Failed to encrypt string");
+        }
+
+        return self::BASE64_PREFIX . base64_encode($encryptedString);
+    }
+
+    public function decryptString(string $encryptedText): string
+    {
+        $secret = $this->getSecretFromConfig();
+        $encrypter = new Encrypter($secret, self::ENCRYPTION_CIPHER);
+
+        $encryptedText = str_replace(self::BASE64_PREFIX, '', $encryptedText);
+        $payload = base64_decode($encryptedText);
+
+        try {
+            $decryptedString = $encrypter->decrypt($payload);
+        } catch (Exception $e) {
+            throw new Exception("Failed to decrypt string");
+        }
+
+        return $decryptedString;
+    }
+}

classes/OrcidClient.php

@@ -3,6 +3,7 @@
 namespace APP\plugins\generic\scieloScreening\classes;
 
 use APP\core\Application;
+use APP\plugins\generic\scieloScreening\classes\APIKeyEncryption;
 
 class OrcidClient
 {
@@ -24,15 +25,28 @@ public function __construct($plugin, $contextId)
         $this->contextId = $contextId;
     }
 
+    private function getPluginSetting($settingName)
+    {
+        $settingValue = $this->plugin->getSetting($this->contextId, $settingName);
+        if ($settingName == 'orcidClientId' || $settingName == 'orcidClientSecret') {
+            $encrypter = new APIKeyEncryption();
+            if (!empty($settingValue) && $encrypter->textIsEncrypted($settingValue)) {
+                $settingValue = $encrypter->decryptString($settingValue);
+            }
+        }
+
+        return $settingValue;
+    }
+
     public function getReadPublicAccessToken(): string
     {
         $httpClient = Application::get()->getHttpClient();
 
-        $tokenUrl = $this->plugin->getSetting($this->contextId, 'orcidAPIPath') . 'oauth/token';
+        $tokenUrl = $this->getPluginSetting('orcidAPIPath') . 'oauth/token';
         $requestHeaders = ['Accept' => 'application/json'];
         $requestData = [
-            'client_id' => $this->plugin->getSetting($this->contextId, 'orcidClientId'),
-            'client_secret' => $this->plugin->getSetting($this->contextId, 'orcidClientSecret'),
+            'client_id' => $this->getPluginSetting('orcidClientId'),
+            'client_secret' => $this->getPluginSetting('orcidClientSecret'),
             'grant_type' => 'client_credentials',
             'scope' => '/read-public'
         ];
@@ -54,7 +68,7 @@ public function getOrcidWorks(string $orcid, string $accessToken): array
     {
         $httpClient = Application::get()->getHttpClient();
 
-        $worksUrl = $this->plugin->getSetting($this->contextId, 'orcidAPIPath') . 'v3.0/' . urlencode($orcid) . '/works';
+        $worksUrl = $this->getPluginSetting('orcidAPIPath') . 'v3.0/' . urlencode($orcid) . '/works';
         $response = $httpClient->request(
             'GET',
             $worksUrl,

classes/migration/EncryptLegacyCredentials.php

@@ -0,0 +1,60 @@
+<?php
+
+namespace APP\plugins\generic\scieloScreening\classes\migration;
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Support\Facades\DB;
+use PKP\install\DowngradeNotSupportedException;
+use APP\plugins\generic\scieloScreening\classes\APIKeyEncryption;
+
+class EncryptLegacyCredentials extends Migration
+{
+    private const PLUGIN_NAME_SETTINGS = 'scieloscreeningplugin';
+    private const PLUGIN_CREDENTIALS_SETTINGS = [
+        'orcidClientId',
+        'orcidClientSecret'
+    ];
+
+    public function up(): void
+    {
+        $credentialSettings = $this->getCredentialSettings();
+
+        if (!empty($credentialSettings)) {
+            $encrypter = new APIKeyEncryption();
+
+            foreach ($credentialSettings as $credentialSetting) {
+                $credentialSetting = get_object_vars($credentialSetting);
+
+                if ($encrypter->textIsEncrypted($credentialSetting['setting_value'])) {
+                    continue;
+                }
+                $this->encryptCredential($credentialSetting);
+            }
+        }
+    }
+
+    public function down(): void
+    {
+        throw new DowngradeNotSupportedException();
+    }
+
+    private function getCredentialSettings()
+    {
+        return DB::table('plugin_settings')
+            ->where('plugin_name', self::PLUGIN_NAME_SETTINGS)
+            ->whereIn('setting_name', self::PLUGIN_CREDENTIALS_SETTINGS)
+            ->get();
+    }
+
+    private function encryptCredential($credentialSetting)
+    {
+        $encrypter = new APIKeyEncryption();
+        $encryptedSettingValue = $encrypter->encryptString($credentialSetting['setting_value']);
+
+        DB::table('plugin_settings')
+            ->where('context_id', $credentialSetting['context_id'])
+            ->where('plugin_name', self::PLUGIN_NAME_SETTINGS)
+            ->where('setting_name', $credentialSetting['setting_name'])
+            ->update(['setting_value' => $encryptedSettingValue]);
+    }
+}

cypress/tests/Test1_submissionWizard.cy.js

@@ -25,7 +25,6 @@ function addContributor(contributorData, toUpperCase = false) {
     cy.get('select[name="country"]').select(contributorData.country);
 
     if ('orcid' in contributorData) {
-        cy.get('.pkpFormField__control_top > .pkpButton').contains("Override").click();
         cy.get('input[name="orcid"]').type(contributorData.orcid, {delay: 0});
     }
 

locale/en/locale.po

@@ -157,6 +157,9 @@ msgstr "ORCID API Settings"
 msgid "plugins.generic.scieloScreening.settings.description"
 msgstr "Please configure the ORCID API access for use in pulling ORCID records information"
 
+msgid "plugins.generic.scieloScreening.settings.emptyApiSecretKey"
+msgstr "The administrator must set a secret in the site configuration file ('api_key_secret')."
+
 msgid "plugins.generic.scieloScreening.settings.globallyconfigured"
 msgstr "The ORCID API was configured globally by the host. The following credentials have been saved."
 

locale/es/locale.po

@@ -157,6 +157,9 @@ msgstr "Configuración de la API de ORCID"
 msgid "plugins.generic.scieloScreening.settings.description"
 msgstr "Por favor configure el acceso a la API de ORCID para extraer información del registro de ORCID."
 
+msgid "plugins.generic.scieloScreening.settings.emptyApiSecretKey"
+msgstr "Es necesario que el administrador establezca un secreto en el archivo de configuración del sitio ('api_key_secret')."
+
 msgid "plugins.generic.scieloScreening.settings.globallyconfigured"
 msgstr "El host configuró globalmente la API de ORCID. Se han guardado las siguientes credenciales."
 

locale/pt_BR/locale.po

@@ -156,6 +156,9 @@ msgstr "Configurações da API ORCID"
 msgid "plugins.generic.scieloScreening.settings.description"
 msgstr "Por favor, configure o acesso a API do ORCID para recuperar informações de registros ORCID"
 
+msgid "plugins.generic.scieloScreening.settings.emptyApiSecretKey"
+msgstr "É necessário que o administrador defina um segredo no arquivo de configuração do site ('api_key_secret')."
+
 msgid "plugins.generic.scieloScreening.settings.globallyconfigured"
 msgstr "A API ORCID foi configurada globalmente pelo host. As seguintes credenciais foram salvas."