Merge pull request #663 from overture-stack/rc/4.3.0

Release Candidate 4.3.0

Author: rtisma

docker-compose.yml

@@ -1,7 +1,7 @@
 version: '3.7'
 services:
   ego-api:
-    image: "overture/ego:latest"
+    image: "overture/ego:3.1.0"
     environment:
       SERVER_PORT: 8080
       SPRING_DATASOURCE_URL: jdbc:postgresql://ego-postgres:5432/ego?stringtype=unspecified
@@ -18,7 +18,7 @@ services:
     depends_on:
       - ego-postgres
   ego-postgres:
-    image: postgres:9.5
+    image: postgres:11.1
     environment:
       - POSTGRES_DB=ego
       - POSTGRES_PASSWORD=password
@@ -43,7 +43,7 @@ services:
     ports:
       - "8085:9000"
   score-server:
-    image: overture/score-server:latest
+    image: overture/score-server:5.0.0
     user: "$MY_UID:$MY_GID"
     environment:
       SPRING_PROFILES_ACTIVE: amazon,collaboratory,prod,secure
@@ -57,11 +57,16 @@ services:
       S3_ACCESSKEY: minio
       S3_SECRETKEY: minio123
       S3_SIGV4ENABLED: "true"
-      AUTH_SERVER_URL: http://ego-api:8080/o/check_token/
+      AUTH_SERVER_URL: http://ego-api:8080/o/check_api_key/
       AUTH_SERVER_CLIENTID: score
       AUTH_SERVER_CLIENTSECRET: scoresecret
-      AUTH_SERVER_UPLOADSCOPE: score.WRITE
-      AUTH_SERVER_DOWNLOADSCOPE: score.READ
+      AUTH_SERVER_TOKENNAME: apiKey
+      AUTH_SERVER_SCOPE_DOWNLOAD_SYSTEM: score.READ
+      AUTH_SERVER_SCOPE_DOWNLOAD_STUDY_PREFIX: score.
+      AUTH_SERVER_SCOPE_DOWNLOAD_STUDY_SUFFIX: .READ
+      AUTH_SERVER_SCOPE_UPLOAD_SYSTEM: score.WRITE
+      AUTH_SERVER_SCOPE_UPLOAD_STUDY_PREFIX: score.
+      AUTH_SERVER_SCOPE_UPLOAD_STUDY_SUFFIX: .WRITE
       SERVER_SSL_ENABLED: "false"
       UPLOAD_PARTSIZE: 1073741824
       UPLOAD_CONNECTION_TIMEOUT: 1200000
@@ -78,8 +83,9 @@ services:
       - ego-api
     volumes:
       - "./docker/scratch/score-server-logs:/score-server/logs"
+
   score-client:
-    image: overture/score:latest
+    image: overture/score:5.0.0
     environment:
       ACCESSTOKEN: f69b726d-d40f-4261-b105-1ec7e6bf04d5
       METADATA_URL: http://song-server:8080
@@ -90,8 +96,9 @@ services:
       - "./docker/scratch/song-client-output:/song-client/output"
     command: bin/score-client
     user: "$MY_UID:$MY_GID"
+
   song-db:
-    image: "postgres:9.6"
+    image: postgres:11.1
     environment:
       POSTGRES_DB: song
       POSTGRES_USER: postgres
@@ -100,6 +107,7 @@ services:
       - "8432:5432"
     volumes:
       - "./docker/song-db-init:/docker-entrypoint-initdb.d"
+
   aws-cli:
     image: "mesosphere/aws-cli:latest"
     environment:
@@ -108,6 +116,7 @@ services:
       AWS_DEFAULT_REGION: us-east-1
     volumes:
       - "./docker/object-storage-init/data/oicr.icgc.test/data:/score-data:ro"
+
   song-client:
     build:
       context: ./
@@ -127,6 +136,7 @@ services:
       - "./docker/scratch/song-client-output:/song-client/output"
     command: bin/sing
     user: "$MY_UID:$MY_GID"
+
   song-server:
     build:
       context: ./

docker/ego-init/init.sql

@@ -374,7 +374,7 @@ COPY public.policy (id, owner, name) FROM stdin;
 --
 
 COPY public.token (id, name, owner, issuedate, isrevoked, description, expirydate) FROM stdin;
-5408ff40-77d3-4196-b745-e48532e39463	f69b726d-d40f-4261-b105-1ec7e6bf04d5	c6608c3e-1181-4957-99c4-094493391096	2019-10-22 15:39:19.683	f	\N	3020-10-21 15:39:19.683
+5408ff40-77d3-4196-b745-e48532e39463	f69b726d-d40f-4261-b105-1ec7e6bf04d5	c6608c3e-1181-4957-99c4-094493391096	2019-10-22 15:39:19.683	f	\N	2060-10-21 15:39:19.683
 \.
 
 

docker/tools/generate-application-jwt.sh

@@ -0,0 +1,5 @@
+curl --location --request POST 'http://localhost:9082/oauth/token' \
+--header 'Content-Type: application/x-www-form-urlencoded' \
+--data-urlencode 'grant_type=client_credentials' \
+--data-urlencode 'client_id=ego' \
+--data-urlencode 'client_secret=ego'

docker/user_jwt.txt

@@ -0,0 +1 @@
+eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1NjU3MTM0NjEsImV4cCI6MTk4NTczMDgzNCwic3ViIjoiMTYwZmZlYzctNDk0Zi00ZGU3LWFjMDItOGRlYjEwM2I3MDU3IiwiaXNzIjoiZWdvIiwiYXVkIjpbXSwianRpIjoiYTIwMzY2OTItYzFkNy00NTYyLWIxNmYtMjMxM2I2MmEwYWRkIiwiY29udGV4dCI6eyJzY29wZSI6WyJzb25nLldSSVRFIiwic2NvcmUuV1JJVEUiLCJpZC5XUklURSJdLCJ1c2VyIjp7Im5hbWUiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsImVtYWlsIjoiam9obi5kb2VAZXhhbXBsZS5jb20iLCJzdGF0dXMiOiJBUFBST1ZFRCIsImZpcnN0TmFtZSI6IkpvaG4iLCJsYXN0TmFtZSI6IkRvZSIsImNyZWF0ZWRBdCI6MTU2NTcxMzQ2MSwibGFzdExvZ2luIjpudWxsLCJwcmVmZXJyZWRMYW5ndWFnZSI6IkVOR0xJU0giLCJ0eXBlIjoiQURNSU4ifX19.TlLcRrYwDTo9_jRr1lU6QNkhPFu-aZ65mWxV9-VEf_FSWhs_hjNcpzDKjOviM0lIymG_uMaDeqD7h-kvdurkfjsWebEr6kLeoVy99UGhcV2pyKr7slwbeoyke04VmWjid3hS_Jq0sVvL4uBsSetXzSugi6powJgcnilOA7-gyUFnZUTikdzLfO9hlSPVR-lhL_oYpdrRtTG9Vl6t6XNhvitri4yOoQrWQe8HC5UxLfpFGEKEqJF7L-KAlMGrhrnv2h7aLjMh-T5m01wxse-_M8FG10nIK2OtrDn--fqhzjtkb403hQvN_xBKUJuHjHKJi6Du0OjAYpqEFV80lSmT7w

pom.xml

@@ -21,7 +21,7 @@
     <groupId>bio.overture</groupId>
     <artifactId>song</artifactId>
     <packaging>pom</packaging>
-    <version>4.2.4</version>
+    <version>4.3.0</version>
     <modules>
         <module>song-core</module>
         <module>song-java-sdk</module>
@@ -98,6 +98,11 @@
                 <artifactId>spring-data-commons-core</artifactId>
                 <version>${spring-data-commons-core.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.springframework.security</groupId>
+                <artifactId>spring-security-jwt</artifactId>
+                <version>${spring-security-jwt.version}</version>
+            </dependency>
 
             <!-- Spring Cloud -->
             <dependency>
@@ -280,6 +285,12 @@
                 <artifactId>java-uuid-generator</artifactId>
                 <version>${java-uuid-generator.version}</version>
             </dependency>
+            <dependency>
+                <groupId>io.jsonwebtoken</groupId>
+                <artifactId>jjwt</artifactId>
+                <version>${jwt.version}</version>
+            </dependency>
+
 
             <!--Logging-->
             <dependency>
@@ -294,6 +305,12 @@
             </dependency>
 
             <!--Testing-->
+			<dependency>
+				<groupId>org.springframework.security</groupId>
+				<artifactId>spring-security-test</artifactId>
+				<version>${spring-framework.version}</version>
+				<scope>test</scope>
+            </dependency>
             <dependency>
                 <groupId>org.testcontainers</groupId>
                 <artifactId>testcontainers</artifactId>
@@ -477,8 +494,10 @@
         <java-uuid-generator.version>3.1.5</java-uuid-generator.version>
         <wiremock.version>2.14.0</wiremock.version>
         <springfox.version>2.9.0</springfox.version>
-        <spring-security-oauth2.version>2.1.0.RELEASE</spring-security-oauth2.version>
+        <spring-security-oauth2.version>2.3.5.RELEASE</spring-security-oauth2.version>
         <hibernate-native-json.version>0.4</hibernate-native-json.version>
+        <spring-security-jwt.version>1.1.1.RELEASE</spring-security-jwt.version>
+        <jwt.version>0.9.1</jwt.version>
 
         <hibernate-validator.version>6.0.13.Final</hibernate-validator.version>
         <javax.validation.version>2.0.1.Final</javax.validation.version>

song-client/pom.xml

@@ -18,7 +18,7 @@
 	<parent>
 		<artifactId>song</artifactId>
 		<groupId>bio.overture</groupId>
-		<version>4.2.4</version>
+		<version>4.3.0</version>
 	</parent>
 	<modelVersion>4.0.0</modelVersion>
 
@@ -35,12 +35,12 @@
 		<dependency>
 			<groupId>bio.overture</groupId>
 			<artifactId>song-java-sdk</artifactId>
-			<version>4.2.4</version>
+			<version>4.3.0</version>
 		</dependency>
 		<dependency>
 			<groupId>bio.overture</groupId>
 			<artifactId>song-core</artifactId>
-			<version>4.2.4</version>
+			<version>4.3.0</version>
 		</dependency>
 
 		<!-- CLI -->

song-core/pom.xml

@@ -19,7 +19,7 @@
 	<parent>
 		<artifactId>song</artifactId>
 		<groupId>bio.overture</groupId>
-		<version>4.2.4</version>
+		<version>4.3.0</version>
 	</parent>
 	<modelVersion>4.0.0</modelVersion>
 

song-core/src/main/java/bio/overture/song/core/exceptions/ServerErrors.java

@@ -21,6 +21,7 @@
 import static org.springframework.http.HttpStatus.BAD_GATEWAY;
 import static org.springframework.http.HttpStatus.BAD_REQUEST;
 import static org.springframework.http.HttpStatus.CONFLICT;
+import static org.springframework.http.HttpStatus.FORBIDDEN;
 import static org.springframework.http.HttpStatus.GATEWAY_TIMEOUT;
 import static org.springframework.http.HttpStatus.INTERNAL_SERVER_ERROR;
 import static org.springframework.http.HttpStatus.NOT_FOUND;
@@ -72,6 +73,7 @@ public enum ServerErrors implements ServerError {
   SEQUENCING_READ_NOT_FOUND(NOT_FOUND),
   VARIANT_CALL_NOT_FOUND(NOT_FOUND),
   UNAUTHORIZED_TOKEN(UNAUTHORIZED),
+  FORBIDDEN_TOKEN(FORBIDDEN),
   GATEWAY_IS_DOWN(GATEWAY_TIMEOUT),
   GATEWAY_TIMED_OUT(GATEWAY_TIMEOUT),
   BAD_REPLY_FROM_GATEWAY(BAD_GATEWAY),

song-core/src/main/java/bio/overture/song/core/utils/Joiners.java

@@ -0,0 +1,12 @@
+package bio.overture.song.core.utils;
+
+import static lombok.AccessLevel.PRIVATE;
+
+import com.google.common.base.Joiner;
+import lombok.NoArgsConstructor;
+
+@NoArgsConstructor(access = PRIVATE)
+public class Joiners {
+
+  public static final Joiner WHITESPACE = Joiner.on(" ");
+}

song-java-sdk/pom.xml

@@ -18,7 +18,7 @@
 	<parent>
 		<artifactId>song</artifactId>
 		<groupId>bio.overture</groupId>
-		<version>4.2.4</version>
+		<version>4.3.0</version>
 	</parent>
 	<modelVersion>4.0.0</modelVersion>
 

song-server/pom.xml

@@ -19,7 +19,7 @@
     <parent>
         <artifactId>song</artifactId>
         <groupId>bio.overture</groupId>
-        <version>4.2.4</version>
+        <version>4.3.0</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 
@@ -37,7 +37,7 @@
         <dependency>
             <groupId>bio.overture</groupId>
             <artifactId>song-core</artifactId>
-            <version>4.2.4</version>
+            <version>4.3.0</version>
         </dependency>
 
         <!-- Spring -->
@@ -82,6 +82,10 @@
             <groupId>org.springframework.cloud</groupId>
             <artifactId>spring-cloud-starter-vault-config</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-jwt</artifactId>
+        </dependency>
 
         <!-- JDBC -->
         <dependency>
@@ -158,6 +162,11 @@
         </dependency>
 
         <!-- Testing -->
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-test</artifactId>
+			<scope>test</scope>
+		</dependency>
         <dependency>
             <groupId>com.github.tomakehurst</groupId>
             <artifactId>wiremock</artifactId>
@@ -177,6 +186,11 @@
             <artifactId>json-unit</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt</artifactId>
+            <scope>test</scope>
+        </dependency>
 
         <dependency>
             <groupId>org.springframework.boot</groupId>

song-server/src/main/java/bio/overture/song/server/config/JWTConfig.java

@@ -0,0 +1,58 @@
+package bio.overture.song.server.config;
+
+import bio.overture.song.server.security.CustomResourceServerTokenServices;
+import bio.overture.song.server.security.DefaultPublicKeyFetcher;
+import bio.overture.song.server.security.JWTTokenConverter;
+import bio.overture.song.server.security.PublicKeyFetcher;
+import lombok.NonNull;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Primary;
+import org.springframework.context.annotation.Profile;
+import org.springframework.retry.support.RetryTemplate;
+import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
+import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
+import org.springframework.web.client.RestTemplate;
+
+@Profile("jwt")
+@Configuration
+public class JWTConfig {
+
+  private final String publicKeyUrl;
+  private final RetryTemplate retryTemplate;
+  private final RemoteTokenServices remoteTokenServices;
+
+  @Autowired
+  public JWTConfig(
+      @NonNull @Value("${auth.jwt.public-key-url}") String publicKeyUrl,
+      @NonNull RemoteTokenServices remoteTokenServices,
+      @NonNull RetryTemplate retryTemplate) {
+    this.publicKeyUrl = publicKeyUrl;
+    this.retryTemplate = retryTemplate;
+    this.remoteTokenServices = remoteTokenServices;
+  }
+
+  @Bean
+  @Primary
+  public CustomResourceServerTokenServices customResourceServerTokenServices(
+      @Autowired PublicKeyFetcher publicKeyFetcher) {
+    return new CustomResourceServerTokenServices(
+        remoteTokenServices, buildJwtTokenStore(publicKeyFetcher), retryTemplate);
+  }
+
+  private JwtTokenStore buildJwtTokenStore(@Autowired PublicKeyFetcher publicKeyFetcher) {
+    return new JwtTokenStore(jwtTokenConverter(publicKeyFetcher));
+  }
+
+  public JWTTokenConverter jwtTokenConverter(@Autowired PublicKeyFetcher publicKeyFetcher) {
+    return new JWTTokenConverter(publicKeyFetcher.getPublicKey());
+  }
+
+  @Bean
+  @Profile("!test")
+  public PublicKeyFetcher publicKeyFetcher() {
+    return new DefaultPublicKeyFetcher(publicKeyUrl, new RestTemplate(), retryTemplate);
+  }
+}

song-server/src/main/java/bio/overture/song/server/config/TokenServiceConfig.java

@@ -28,7 +28,7 @@
 
 @NoArgsConstructor
 @Configuration
-@Profile("secure")
+@Profile({"secure", "!jwt"})
 public class TokenServiceConfig {
 
   @Bean

song-server/src/main/java/bio/overture/song/server/kafka/AnalysisMessage.java

@@ -21,19 +21,13 @@
 import static lombok.AccessLevel.PRIVATE;
 
 import bio.overture.song.core.model.enums.AnalysisStates;
-import com.fasterxml.jackson.annotation.JsonCreator;
-import com.fasterxml.jackson.annotation.JsonProperty;
-import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
-import lombok.AccessLevel;
 import lombok.AllArgsConstructor;
-import lombok.Builder;
 import lombok.NoArgsConstructor;
 import lombok.NonNull;
-import lombok.RequiredArgsConstructor;
 import lombok.Value;
 
 @Value
-//Note: although the AllArgs and NoArgs combination below seems odd,
+// Note: although the AllArgs and NoArgs combination below seems odd,
 // it allows Jackson to deserialize to an immutable object without using any additional annotations.
 @AllArgsConstructor
 @NoArgsConstructor(force = true, access = PRIVATE)

song-server/src/main/java/bio/overture/song/server/model/entity/AnalysisSchema.java

@@ -5,7 +5,7 @@
 import static bio.overture.song.server.model.enums.TableAttributeNames.SCHEMA;
 import static bio.overture.song.server.model.enums.TableAttributeNames.VERSION;
 import static bio.overture.song.server.repository.CustomJsonType.CUSTOM_JSON_TYPE_PKG_PATH;
-import static org.assertj.core.util.Sets.newHashSet;
+import static com.google.common.collect.Sets.newHashSet;
 
 import bio.overture.song.server.model.analysis.Analysis;
 import bio.overture.song.server.model.enums.ModelAttributeNames;