@JoshuaSBrown JoshuaSBrown commented May 15, 2025

PR Description

Tasks

  • A description of the PR has been provided, and a diagram included if it is a new feature.
  • Formatter has been run
  • CHANGELOG comment has been added
  • Labels have been assigned to the PR
  • A reviewer has been added
  • A user has been assigned to work on the PR
  • If new feature, a unit test has been added

Summary by Sourcery

Implement AES-256-CBC token encryption support and integrate it across the system

New Features:

  • Add CipherEngine component for token encryption/decryption using OpenSSL
  • Encrypt access and refresh tokens in DatabaseAPI and decrypt them in TaskWorker
  • Extend Foxx user_router token/set and token/get endpoints to include IV and length parameters

Enhancements:

  • Add readFile utility to load encryption key from file
  • Update shell scripts to install and configure OpenSSL, and adjust dependency installation for libssl/libcrypto
  • Modify Dockerfile for debug build configuration and include valgrind

Build:

  • Include OpenSSL in CMake build, link common library against libssl and libcrypto
  • Update copy_dependency.sh and dependency_install_functions.sh to handle OpenSSL setup

Tests:

  • Add unit tests for CipherEngine and TaskWorker token encryption/decryption
  • Update Foxx microservice tests to validate IV and length query parameters for tokens

Chores:

  • Apply formatting and whitespace cleanup across various shell scripts and CMake files

AronPerez and others added 30 commits January 14, 2025 13:46
…ollection-endpoint-browse

Revert "[DLT-1110] Mapped Collection Endpoint Browse (1/4)"
Co-authored-by: Anthony Ramirez <ramirezat@ornl.gov>
…p-script

Throw error if OpenStack error code returned from API
[DAPS, Foxx] - 1180 refactor Part 2 authz
* Add conditional switch and stub some logic for handling other resources in callbacks

* Fix order of logging. Add redirect

* Debug logging for web service. Attempt to set token.

* Remove incorrect method call to data, use data attribute.

* Add some TODOs and logging

* Give setAccessToken ability to accept additional params to pass to protobuf

* Add additional params to DatabaseAPI::userSetAccessToken to pass message with additional info on to database API.

* Add convenience method with old type signature of DatabaseAPI::userSetAccessToken for compatibility

* Conditionally add other token options param when calling dbGetRaw.

* Pass token type along to Database API.

* Pass token type from message.

* Stub logic for updating related edge in router function for token/set

* Include logic for conditionally updating token data and pushing data to edge.

* Change token_key to remove illegal characters

* Fix object attribute call

* Prettier formatting for datafed-ws.js

* Roll back changes to DatabaseAPI.hpp and DatabaseAPI.cpp that are covered in #1127

* Refactor new inclusions in datafed-ws.js to use as much existing code as possible, only diverge where necessary.

* datafed-ws.js change scopes to scope

* datafed-ws.js log user ID array

* datafed-ws.js clarify uid assignment at ui/authn endpoint, add note on error cases, remove incorrect comment about uid, add appropriate error if collection_id not present

* datafed-ws.js Extract AccessTokenType enum, add comment about fetching from protobuf; remove unnecessary commented code

* datafed-ws.js Extract transfer set logic when calling setAccessToken to improve readability of router.

* datafed-ws.js Create function for resolving token type; create function to handle logic in building optional_data for setAccessToken; reduce unnecessary nesting in ui/authn endpoint

* datafed-ws.js Fix spacing, fix typo in variable name

* datafed-ws.js Fix bug referring to request session

* datafed-ws.js Nesting was necessary.

* datafed-ws.js Address some TODOs, set token type with more context

* datafed-ws.js Remove some additional extraneous logging

* datafed-ws.js Formatting

* Add comment about token set

* datafed-ws.js Update deprecated substring method, Fix order for error case when new user receives transfer token

* TokenHandler.js Refactor token handling logic out of web server main. datafed-ws.js Use new OAuthTokenHandler class to handle token logic.

* TokenHandler.js Implement token validator; move OAuthTransferToken def to top. TokenHandler.test.js Minimal testing of token handler

* TokenHandler.test.js Add tests for case when resource server is auth

* TokenHandler.test.js Add testing for Globus transfer resource server

* TokenHandler.js Implement validation for existence of required keys. TokenHandler.test.js Adjust other_tokens fixtures to be nested according to incoming data; formatting.

* datafed-ws.js formatting

* TokenHandler.js Update error messages, remove unnecessary code in getTokenType, returns in resolveTokenType

* datafed-ws.js Add error handling around token_handler construction; add errors and handling for setAccessToken, JSDoc.

* datafed-ws.js Remove hard coded collection_id.

* datafed-ws.js Remove thrown errors in nested functions; single redirect.

---------

Co-authored-by: Anthony Ramirez <ramirezat@ornl.gov>
* datafed-ws.js Reverse order of LogLevel object properties

* datafed-ws.js Throw error so stack trace is adequately populated

* Revert line number

* TokenHandler.js Fix linting errors.

---------

Co-authored-by: Anthony Ramirez <ramirezat@ornl.gov>
fi
docker build -f \
"${PROJECT_ROOT}/core/docker/Dockerfile" \
"${PROJECT_ROOT}/core/docker/Dockerfile" --no-cache \
Collaborator Author

Suggested change
"${PROJECT_ROOT}/core/docker/Dockerfile" --no-cache \
"${PROJECT_ROOT}/core/docker/Dockerfile" \

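Review bot: `--no-cache` on the `docker build -f` line for `core/docker/Dockerfile` turns off Docker's layer cache on every run of this script, so each core image build repeats all Dockerfile steps from scratch. Dropping it, as the suggested change does, restores cached builds; if a clean rebuild is still wanted occasionally, make it opt-in (for example through an environment variable the script checks) rather than hardcoding the flag.
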
Labels

  • Component: Core (Relates to core service)
  • Priority: High (Highest priority)
  • Type: New Feature (New or enhanced feature)
