Merge commit from fork

* fix regex checking to use find instead of matches

* cleanup regex handling

* add argon2 hashing for api keys

* add api key version prefix in order to establish transition strategy
fix update to do a delete+insert to match schema

* update to not hash the first 12 characters of the apikey

this allows for quicker filtering on read and only needing to check hashes that match

* split prefix into separately randomly generated string

* fix keyId flipflop

* fix off-by-one error

* add backwards compatibility support enabled by feature flag

Author: adamkorynta

compose_files/sql/users.sql

@@ -1,6 +1,5 @@
    set define on
 define OFFICE_EROC=&1
-defin API_KEY=&2
 begin
    cwms_sec.add_user_to_group('&&OFFICE_EROC.webtest', 'All Users', 'HQ');
    cwms_sec.add_user_to_group('&&OFFICE_EROC.webtest', 'All Users', 'SPK');
@@ -36,17 +35,6 @@ begin
    cwms_sec.add_user_to_group('q0hectest', 'CWMS PD Users', 'LRL');
    cwms_sec.add_user_to_group('q0hectest', 'TS ID Creator', 'LRL');
    execute immediate 'grant execute on cwms_20.cwms_upass to web_user';
-   insert into "CWMS_20"."AT_API_KEYS" (
-      userid,
-      key_name,
-      apikey,
-      created,
-      expires
-   ) values ( 'Q0HECTEST',
-              'test',
-              '&&API_KEY',
-              to_date('2025-06-10 16:10:42','YYYY-MM-DD HH24:MI:SS'),
-              to_date('2029-06-16 16:10:46','YYYY-MM-DD HH24:MI:SS') );
 
     cwms_sec.add_cwms_user('m5hectest',NULL,'SWT');
     cwms_sec.add_user_to_group('m5hectest','All Users', 'SWT');

cwms-data-api/build.gradle

@@ -129,7 +129,7 @@ dependencies {
     implementation(libs.swagger.core) {
         exclude group: "jakarta.xml.bind", module: "*"
     }
-
+    implementation(libs.password4j)
     implementation 'cz.jirutka.rsql:rsql-parser:2.1.0'
 
     compileOnly(libs.javaee.web.api)
@@ -272,6 +272,7 @@ task run(type: JavaExec) {
     jvmArgs += "-Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.util.digester.EnvironmentPropertySource"
     jvmArgs += "-Dcatalina.base=$buildDir/tomcat"
     jvmArgs += "-DwarContext=/" + context
+    jvmArgs += "-DAUTH_RE_ENABLE_NON_HASH_KEY_SUPPORT=true"
     // If you have the docker-compose environment up and are trying to run
     // CDA from run to debug uncomment the following lines.
     //jvmArgs += "-Dcwms.dataapi.access.providers=KeyAccessManager,CwmsAccessManager,OpenID"

cwms-data-api/src/main/java/cwms/cda/data/dao/AuthDao.java

@@ -1,6 +1,8 @@
 package cwms.cda.data.dao;
 
 import com.google.common.flogger.FluentLogger;
+import com.password4j.Hash;
+import com.password4j.HashUpdate;
 import cwms.cda.ApiServlet;
 import cwms.cda.data.dto.auth.ApiKey;
 import cwms.cda.datasource.ConnectionPreparer;
@@ -10,14 +12,17 @@
 import cwms.cda.datasource.SessionOfficePreparer;
 import cwms.cda.datasource.SessionTimeZonePreparer;
 import cwms.cda.helpers.ResourceHelper;
+import cwms.cda.features.CdaFeatures;
 import cwms.cda.security.CwmsAuthException;
 import cwms.cda.security.DataApiPrincipal;
 import cwms.cda.security.MissingRolesException;
 import cwms.cda.security.Role;
 import io.javalin.core.security.RouteRole;
 import io.javalin.http.Context;
 import io.javalin.http.HttpCode;
+import org.togglz.core.context.FeatureContext;
 
+import com.password4j.Password;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.sql.Connection;
@@ -56,6 +61,8 @@ public class AuthDao extends Dao<DataApiPrincipal> {
                                              + "23.03.16 or later to handle authorization operations.";
     public static final String DATA_API_PRINCIPAL = "DataApiPrincipal";
     public static final String AUTH_ERROR_MSG = "Authentication failed. The API Key may be invalid or no longer active.";
+    private static final String API_KEY_V1_PREFIX = "ak1_";
+    private static final int API_KEY_ID_LENGTH = 12;
     // At this level we just care that the user has permissions in *any* office
     private static final String RETRIEVE_GROUPS_OF_USER =
             ResourceHelper.getResourceAsString("/cwms/data/sql/user_groups.sql", AuthDao.class);
@@ -68,7 +75,8 @@ public class AuthDao extends Dao<DataApiPrincipal> {
         + "cwms_env.set_session_user_direct(upper(?),upper(?)); end;";
 
     private static final String CHECK_API_KEY =
-        "select userid from cwms_20.at_api_keys where apikey = ? and (expires is null or expires >= systimestamp)";
+        "select userid, apikey, key_name, expires from cwms_20.at_api_keys where (expires is null or expires >= systimestamp) " +
+            "and apikey like ?";
 
     private static final String USER_FOR_EDIPI =
         "select userid from cwms_20.at_sec_cwms_users where edipi = ?";
@@ -194,30 +202,82 @@ static void setSessionForAuthCheck(Connection conn) throws SQLException {
         }
     }
 
+    private static String hashApiKey(String apiKey) {
+        return Password.hash(apiKey)
+            .withArgon2()
+            .getResult();
+    }
+
     private String checkKey(String key) throws CwmsAuthException {
         try {
             return dsl.connectionResult(c -> {
                 setSessionForAuthCheck(c);
-                try (PreparedStatement checkForKey = c.prepareStatement(CHECK_API_KEY)) {
-                    checkForKey.setString(1,key);
-                    try (ResultSet rs = checkForKey.executeQuery()) {
-                        if (rs.next()) {
-                            return rs.getString(1);
-                        } else {
-                            throw new CwmsAuthException(AUTH_ERROR_MSG);
+
+                boolean legacySupport = FeatureContext.getFeatureManager()
+                        .isActive(CdaFeatures.AUTH_RE_ENABLE_NON_HASH_KEY_SUPPORT);
+
+                if (key.startsWith(API_KEY_V1_PREFIX) && key.length() > API_KEY_ID_LENGTH) {
+                    try (PreparedStatement checkForKey = c.prepareStatement(CHECK_API_KEY)) {
+                        String keyId = key.substring(0, API_KEY_ID_LENGTH);
+                        checkForKey.setString(1, keyId + "%");
+                        try (ResultSet rs = checkForKey.executeQuery()) {
+                            if (rs.next()) {
+                                String secretKey = key.substring(API_KEY_ID_LENGTH);
+                                String persistentHash = rs.getString(2).substring(API_KEY_ID_LENGTH);
+                                HashUpdate hashUpdate = checkKey(secretKey, persistentHash);
+                                if (hashUpdate.isVerified()) {
+                                    String userId = rs.getString(1);
+                                    if (hashUpdate.isUpdated()) {
+                                        Hash newHash = hashUpdate.getHash();
+                                        String newHashedApiKey = keyId + newHash.getResult();
+                                        String keyName = rs.getString(3);
+                                        Date expires = rs.getDate(4);
+                                        updateHash(c, userId, keyName, expires, newHashedApiKey);
+                                    }
+                                    return userId;
+                                }
+                            }
+                        }
+                    }
+                } else if (legacySupport) {
+                    try (PreparedStatement checkForKey = c.prepareStatement(CHECK_API_KEY)) {
+                        checkForKey.setString(1, key);
+                        try (ResultSet rs = checkForKey.executeQuery()) {
+                            if (rs.next()) {
+                                return rs.getString(1);
+                            }
                         }
                     }
-                } catch (SQLException ex) {
-                    throw new CwmsAuthException("Failed API key check",ex);
                 }
+                throw new CwmsAuthException(AUTH_ERROR_MSG);
             });
-        } catch (DataAccessException ex) {
-            Throwable t = ex.getCause();
-            if (t instanceof CwmsAuthException) {
-                throw (CwmsAuthException)t;
-            } else {
-                throw ex;
-            }
+        } catch (RuntimeException ex) {
+            // Don't expose internal database errors
+            logger.atWarning().withCause(ex).log("Error verifying API key.");
+            throw new CwmsAuthException(AUTH_ERROR_MSG);
+        }
+    }
+
+    private static HashUpdate checkKey(String keyFromClient, String persistentHash) {
+        return Password.check(keyFromClient, persistentHash)
+            .andUpdate()
+            .withArgon2();
+    }
+
+    private void updateHash(Connection c, String userId, String keyName, Date expires, String apiKey)
+        throws SQLException {
+        //Schema does not allow for row updates. Delete + recreate
+        try (PreparedStatement deleteKey = c.prepareStatement(REMOVE_API_KEY)) {
+            deleteKey.setString(1, userId);
+            deleteKey.setString(2, keyName);
+            deleteKey.execute();
+        }
+        try (PreparedStatement createKey = c.prepareStatement(CREATE_API_KEY)) {
+            createKey.setString(1, userId);
+            createKey.setString(2, keyName);
+            createKey.setString(3, apiKey);
+            createKey.setDate(4, expires);
+            createKey.execute();
         }
     }
 
@@ -412,15 +472,13 @@ public ApiKey createApiKey(DataApiPrincipal p, ApiKey sourceData) throws CwmsAut
                 throw new CwmsAuthException(ONLY_OWN_KEY_MESSAGE, HttpCode.UNAUTHORIZED.getStatus());
             }
             SecureRandom randomSource = SecureRandom.getInstanceStrong();
-            String key = randomSource.ints((char)'0',(char)'z') // allow a-zA-Z0-9
-                                 .filter(i -> (i <= 57 || i >= 65) && (i <= 90 || i >= 97)) // actually filter to above
-                                 .limit(256)
-                                 .collect(StringBuilder::new,StringBuilder::appendCodePoint, StringBuilder::append)
-                                 .toString();
+            String secretKey = generateSecretKey(randomSource);
+            String keyId = generateKeyId(randomSource);
+            String fullApiKey = keyId + secretKey;
             final ApiKey newKey = new ApiKey(
                     sourceData.getUserId().toUpperCase(),
                     sourceData.getKeyName(),
-                    key,
+                    fullApiKey,
                     ZonedDateTime.now(ZoneId.of("UTC")),
                     sourceData.getExpires()
             );
@@ -429,7 +487,7 @@ public ApiKey createApiKey(DataApiPrincipal p, ApiKey sourceData) throws CwmsAut
                 try (PreparedStatement createKey = c.prepareStatement(CREATE_API_KEY)) {
                     createKey.setString(1, newKey.getUserId());
                     createKey.setString(2, newKey.getKeyName());
-                    createKey.setString(3, newKey.getApiKey());
+                    createKey.setString(3, keyId + hashApiKey(secretKey));
                     createKey.setDate(4, new Date(newKey.getCreated().toInstant().toEpochMilli()),
                             Calendar.getInstance(TimeZone.getTimeZone("UTC")));
                     if (newKey.getExpires() != null) {
@@ -453,6 +511,22 @@ public ApiKey createApiKey(DataApiPrincipal p, ApiKey sourceData) throws CwmsAut
 
     }
 
+    private static String generateSecretKey(SecureRandom randomSource) {
+        return randomSource.ints('0', 'z') // allow a-zA-Z0-9
+            .filter(i -> (i <= 57 || i >= 65) && (i <= 90 || i >= 97)) // actually filter to above
+            .limit(256)
+            .collect(StringBuilder::new, StringBuilder::appendCodePoint, StringBuilder::append)
+            .toString();
+    }
+
+    private static String generateKeyId(SecureRandom randomSource) {
+        return API_KEY_V1_PREFIX + randomSource.ints('0', 'z') // allow a-zA-Z0-9
+            .filter(i -> (i <= 57 || i >= 65) && (i <= 90 || i >= 97)) // actually filter to above
+            .limit(API_KEY_ID_LENGTH - API_KEY_V1_PREFIX.length())
+            .collect(StringBuilder::new, StringBuilder::appendCodePoint, StringBuilder::append)
+            .toString();
+    }
+
     /**
      * Return all API Keys for a given user.
      * @param p User for which we want the keys

cwms-data-api/src/main/java/cwms/cda/features/CdaFeatures.java

@@ -5,5 +5,7 @@
 
 public enum CdaFeatures implements Feature {
     @Label("Use object-storage backed Blob DAO in BlobController")
-    USE_OBJECT_STORAGE_BLOBS
+    USE_OBJECT_STORAGE_BLOBS,
+    @Label("Re-enable non-hash key support")
+    AUTH_RE_ENABLE_NON_HASH_KEY_SUPPORT
 }

cwms-data-api/src/main/resources/features.properties

@@ -1 +1,2 @@
-USE_OBJECT_STORAGE_BLOBS=false
+USE_OBJECT_STORAGE_BLOBS=false
+AUTH_RE_ENABLE_NON_HASH_KEY_SUPPORT=false

cwms-data-api/src/test/java/cwms/cda/api/DataApiTestIT.java

@@ -29,16 +29,19 @@
 
 import com.atlassian.oai.validator.restassured.OpenApiValidationFilter;
 import com.google.common.flogger.FluentLogger;
+import cwms.cda.data.dao.AuthDao;
 import cwms.cda.data.dao.DeleteRule;
 import cwms.cda.data.dao.StreamDao;
 import cwms.cda.data.dao.VerticalDatum;
 import cwms.cda.data.dao.basin.BasinDao;
 import cwms.cda.data.dto.Location;
 import cwms.cda.data.dto.LocationCategory;
 import cwms.cda.data.dto.LocationGroup;
+import cwms.cda.data.dto.auth.ApiKey;
 import cwms.cda.data.dto.basin.Basin;
 import cwms.cda.data.dto.stream.Stream;
 import cwms.cda.helpers.ZoneIdHelper;
+import cwms.cda.security.DataApiPrincipal;
 import fixtures.CwmsDataApiSetupCallback;
 import fixtures.IntegrationTestNameGenerator;
 import fixtures.KeyCloakExtension;
@@ -59,11 +62,13 @@
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
+import java.time.ZonedDateTime;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.function.Consumer;
 import mil.army.usace.hec.test.database.CwmsDatabaseContainer;
 import org.apache.catalina.Manager;
@@ -99,8 +104,7 @@ public class DataApiTestIT {
     protected static String createLocationQuery = null;
     protected static String createTimeseriesQuery = null;
     protected static String createTimeseriesOffsetQuery = null;
-    protected static final String registerApiKey = "insert into at_api_keys(userid,key_name,apikey,expires) values(UPPER(?),?,?, null)";
-    protected static final String removeApiKeys = "delete from at_api_keys where UPPER(userid) = UPPER(?) and apikey = ?";
+    protected static final String removeApiKeys = "delete from at_api_keys where UPPER(userid) = UPPER(?) and key_name = ?";
 
     protected static final Configuration freemarkerConfig = new Configuration(Configuration.VERSION_2_3_32);
 
@@ -182,7 +186,7 @@ public static void register_users() throws Exception {
             final Manager tsm = CwmsDataApiSetupCallback.getTestSessionManager();
             CwmsDatabaseContainer<?> db = CwmsDataApiSetupCallback.getDatabaseLink();
             for (TestAccounts.KeyUser user : TestAccounts.KeyUser.values()) {
-                if (user.getApikey() == null) {
+                if (user.getKeyName() == null) {
                     continue;
                 }
                 if (user == TestAccounts.KeyUser.SPK_OTHER_NORMAL_SAME_ROLES) {
@@ -207,14 +211,11 @@ public static void register_users() throws Exception {
                 }
 
                 db.connection((c) -> {
-                    try (PreparedStatement stmt = c.prepareStatement(registerApiKey)) {
-                        stmt.setString(1, user.getName());
-                        stmt.setString(2, user.getName() + "TestKey");
-                        stmt.setString(3, user.getApikey());
-                        stmt.execute();
-                    } catch (SQLException ex) {
-                        throw new RuntimeException("Unable to register user:" + user.getName(), ex);
-                    }
+                    String key = AuthDao.getInstance(DSL.using(c), null)
+                        .createApiKey(new DataApiPrincipal(user.getName(), Set.of()),
+                            new ApiKey(user.getName(), user.getKeyName(), null,
+                                ZonedDateTime.now(), null)).getApiKey();
+                    user.setApiKey(key);
                 }, "cwms_20");
 
                 StandardSession session = (StandardSession) tsm.createSession(user.getJSessionId());
@@ -258,7 +259,7 @@ public static void deregister_users() throws Exception {
                 db.connection((c) -> {
                     try (PreparedStatement stmt = c.prepareStatement(removeApiKeys)) {
                         stmt.setString(1, user.getName());
-                        stmt.setString(2, user.getApikey());
+                        stmt.setString(2, user.getKeyName());
                         stmt.execute();
                     } catch (SQLException ex) {
                         throw new RuntimeException("Unable to delete api key", ex);

cwms-data-api/src/test/java/cwms/cda/features/CdaFeatureManagerProviderTest.java

@@ -50,7 +50,8 @@ void testUseObjectStorageBlobsFeature() throws IOException {
         tempFile.deleteOnExit();
 
         try (FileWriter writer = new FileWriter(tempFile)) {
-            writer.write(CdaFeatures.USE_OBJECT_STORAGE_BLOBS.name() + " = true");
+            writer.write(CdaFeatures.USE_OBJECT_STORAGE_BLOBS.name() + " = true" + System.lineSeparator());
+            writer.write(CdaFeatures.AUTH_RE_ENABLE_NON_HASH_KEY_SUPPORT.name() + " = true");
         }
 
         System.setProperty(CdaFeatureManagerProvider.PROPERTIES_FILE, tempFile.getAbsolutePath());
@@ -59,6 +60,7 @@ void testUseObjectStorageBlobsFeature() throws IOException {
         FeatureManager manager = provider.getFeatureManager();
 
         assertTrue(manager.isActive(CdaFeatures.USE_OBJECT_STORAGE_BLOBS));
+        assertTrue(manager.isActive(CdaFeatures.AUTH_RE_ENABLE_NON_HASH_KEY_SUPPORT));
     }
 
     @Test
@@ -73,5 +75,6 @@ void testFeatureDisabledByDefault() throws IOException {
         FeatureManager manager = provider.getFeatureManager();
 
         assertFalse(manager.isActive(CdaFeatures.USE_OBJECT_STORAGE_BLOBS));
+        assertFalse(manager.isActive(CdaFeatures.AUTH_RE_ENABLE_NON_HASH_KEY_SUPPORT));
     }
 }