Merge pull request #2488 from opencb/TASK-6494

TASK-6494 - Improve our current Password Policy for built-in authentication in OpenCGA

opencga-app/src/main/java/org/opencb/opencga/app/cli/main/executors/OrganizationsCommandExecutor.java

@@ -301,7 +301,6 @@ private RestResponse<User> updateUser() throws Exception {
             putNestedIfNotNull(beanParams, "quota.cpuUsage", commandOptions.quotaCpuUsage, true);
             putNestedIfNotNull(beanParams, "quota.maxDisk", commandOptions.quotaMaxDisk, true);
             putNestedIfNotNull(beanParams, "quota.maxCpu", commandOptions.quotaMaxCpu, true);
-            putNestedIfNotEmpty(beanParams, "account.expirationDate", commandOptions.accountExpirationDate, true);
             putNestedMapIfNotEmpty(beanParams, "attributes", commandOptions.attributes, true);
 
             organizationUserUpdateParams = JacksonUtils.getDefaultObjectMapper().copy()

opencga-app/src/main/java/org/opencb/opencga/app/cli/main/options/OrganizationsCommandOptions.java

@@ -305,9 +305,6 @@ public class UpdateUserCommandOptions {
         @Parameter(names = {"--quota-max-cpu"}, description = "The body web service maxCpu parameter", required = false, arity = 1)
         public Integer quotaMaxCpu;
 
-        @Parameter(names = {"--account-expiration-date"}, description = "The body web service expirationDate parameter", required = false, arity = 1)
-        public String accountExpirationDate;
-
         @DynamicParameter(names = {"--attributes"}, description = "The body web service attributes parameter. Use: --attributes key=value", required = false)
         public java.util.Map<java.lang.String,java.lang.Object> attributes = new HashMap<>(); //Dynamic parameters must be initialized;
 

opencga-app/src/main/java/org/opencb/opencga/app/migrations/v2_12_4/catalog/FixStatusIndexesMigration.java → opencga-app/src/main/java/org/opencb/opencga/app/migrations/v2/v2_12_4/catalog/FixStatusIndexesMigration.java

@@ -1,4 +1,4 @@
-package org.opencb.opencga.app.migrations.v2_12_4.catalog;
+package org.opencb.opencga.app.migrations.v2.v2_12_4.catalog;
 
 import org.bson.Document;
 import org.opencb.opencga.catalog.db.mongodb.OrganizationMongoDBAdaptorFactory;

opencga-app/src/main/java/org/opencb/opencga/app/migrations/v2_12_5/storage/AddAllelesColumnToPhoenix.java → opencga-app/src/main/java/org/opencb/opencga/app/migrations/v2/v2_12_5/storage/AddAllelesColumnToPhoenix.java

@@ -1,4 +1,4 @@
-package org.opencb.opencga.app.migrations.v2_12_5.storage;
+package org.opencb.opencga.app.migrations.v2.v2_12_5.storage;
 
 import org.opencb.opencga.app.migrations.StorageMigrationTool;
 import org.opencb.opencga.catalog.migration.Migration;

opencga-app/src/main/java/org/opencb/opencga/app/migrations/v2_12_5/storage/DetectIllegalConcurrentFileLoadingsMigration.java → opencga-app/src/main/java/org/opencb/opencga/app/migrations/v2/v2_12_5/storage/DetectIllegalConcurrentFileLoadingsMigration.java

@@ -1,4 +1,4 @@
-package org.opencb.opencga.app.migrations.v2_12_5.storage;
+package org.opencb.opencga.app.migrations.v2.v2_12_5.storage;
 
 import org.opencb.commons.datastore.core.ObjectMap;
 import org.opencb.commons.datastore.core.Query;

opencga-app/src/main/java/org/opencb/opencga/app/migrations/v3/v3_2_1/AddPasswordHistoryMigration.java

@@ -0,0 +1,45 @@
+package org.opencb.opencga.app.migrations.v3.v3_2_1;
+
+import com.mongodb.client.model.Filters;
+import com.mongodb.client.model.Projections;
+import com.mongodb.client.model.UpdateOneModel;
+import org.bson.Document;
+import org.bson.conversions.Bson;
+import org.opencb.opencga.catalog.db.mongodb.MongoDBAdaptor;
+import org.opencb.opencga.catalog.db.mongodb.OrganizationMongoDBAdaptorFactory;
+import org.opencb.opencga.catalog.migration.Migration;
+import org.opencb.opencga.catalog.migration.MigrationTool;
+
+import java.util.Arrays;
+import java.util.Collections;
+
+import static org.opencb.opencga.catalog.db.mongodb.UserMongoDBAdaptor.*;
+
+@Migration(id = "add_archivePasswords_array",
+        description = "Add password history #6494", version = "3.2.1",
+        language = Migration.MigrationLanguage.JAVA, domain = Migration.MigrationDomain.CATALOG, date = 20240723)
+public class AddPasswordHistoryMigration extends MigrationTool {
+
+    @Override
+    protected void run() throws Exception {
+        Bson query = Filters.exists(PRIVATE_PASSWORD_ARCHIVE, false);
+        Bson projection = Projections.include(PRIVATE_PASSWORD);
+        migrateCollection(Arrays.asList(OrganizationMongoDBAdaptorFactory.USER_COLLECTION, OrganizationMongoDBAdaptorFactory.DELETED_USER_COLLECTION),
+                query, projection, (document, bulk) -> {
+                    String currentPassword = document.getString("_password");
+
+                    Document passwordDoc = new Document()
+                            .append(HASH, currentPassword)
+                            .append(SALT, "");
+                    Document privatePassword = new Document();
+                    privatePassword.put(CURRENT, passwordDoc);
+                    privatePassword.put(ARCHIVE, Collections.singletonList(passwordDoc));
+
+                    MongoDBAdaptor.UpdateDocument updateDocument = new MongoDBAdaptor.UpdateDocument();
+                    updateDocument.getSet().put(PRIVATE_PASSWORD, privatePassword);
+
+                    bulk.add(new UpdateOneModel<>(Filters.eq("_id", document.get("_id")), updateDocument.toFinalUpdateDocument()));
+                });
+    }
+
+}

opencga-app/src/main/java/org/opencb/opencga/app/migrations/v3/v3_2_1/MoveUserAccountToInternalMigration.java

@@ -0,0 +1,50 @@
+package org.opencb.opencga.app.migrations.v3.v3_2_1;
+
+import com.mongodb.client.model.Filters;
+import com.mongodb.client.model.Projections;
+import com.mongodb.client.model.UpdateOneModel;
+import org.bson.Document;
+import org.bson.conversions.Bson;
+import org.opencb.opencga.catalog.db.mongodb.MongoDBAdaptor;
+import org.opencb.opencga.catalog.db.mongodb.OrganizationMongoDBAdaptorFactory;
+import org.opencb.opencga.catalog.migration.Migration;
+import org.opencb.opencga.catalog.migration.MigrationTool;
+
+import java.util.Arrays;
+
+@Migration(id = "move_user_account_to_internal",
+        description = "Move account to internal.account #6494", version = "3.2.1",
+        language = Migration.MigrationLanguage.JAVA, domain = Migration.MigrationDomain.CATALOG, date = 20240723)
+public class MoveUserAccountToInternalMigration extends MigrationTool {
+
+    @Override
+    protected void run() throws Exception {
+        Bson query = Filters.exists("account", true);
+        Bson projection = Projections.include("internal", "account");
+        migrateCollection(Arrays.asList(OrganizationMongoDBAdaptorFactory.USER_COLLECTION,
+                        OrganizationMongoDBAdaptorFactory.DELETED_USER_COLLECTION),
+                query, projection, (document, bulk) -> {
+                    MongoDBAdaptor.UpdateDocument updateDocument = new MongoDBAdaptor.UpdateDocument();
+
+                    Document account = document.get("account", Document.class);
+                    Document internal = document.get("internal", Document.class);
+                    internal.put("account", account);
+
+                    updateDocument.getSet().put("modificationDate", internal.get("lastModified"));
+                    updateDocument.getSet().put("creationDate", account.get("creationDate"));
+                    account.remove("creationDate");
+
+                    Document password = new Document()
+                            .append("expirationDate", null)
+                            .append("lastModified", internal.get("lastModified"));
+                    account.put("password", password);
+                    account.put("failedAttempts", internal.get("failedAttempts"));
+                    internal.remove("failedAttempts");
+
+                    updateDocument.getSet().put("internal", internal);
+                    updateDocument.getUnset().add("account");
+
+                    bulk.add(new UpdateOneModel<>(Filters.eq("_id", document.get("_id")), updateDocument.toFinalUpdateDocument()));
+                });
+    }
+}

opencga-catalog/pom.xml

@@ -61,6 +61,11 @@
         </dependency>
 
         <!-- Added dependencies -->
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-core</artifactId>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-collections4</artifactId>

opencga-catalog/src/main/java/org/opencb/opencga/catalog/auth/authentication/AzureADAuthenticationManager.java

@@ -39,6 +39,7 @@
 import org.opencb.opencga.catalog.auth.authentication.azure.AuthenticationProvider;
 import org.opencb.opencga.catalog.exceptions.CatalogAuthenticationException;
 import org.opencb.opencga.catalog.exceptions.CatalogException;
+import org.opencb.opencga.core.common.TimeUtils;
 import org.opencb.opencga.core.config.AuthenticationOrigin;
 import org.opencb.opencga.core.models.JwtPayload;
 import org.opencb.opencga.core.models.user.*;
@@ -382,8 +383,9 @@ private List<User> extractUserInformation(List<com.microsoft.graph.models.extens
                     .append("AdditionalProperties", additionalProperties);
             attributes.put("OPENCGA_REGISTRATION_TOKEN", azureADMap);
 
-            User user = new User(id, name, mail, "", new Account().setAuthentication(new Account.AuthenticationOrigin(originId, false)),
-                    new UserInternal(new UserStatus()), new UserQuota(-1, -1, -1, -1), Collections.emptyList(),
+            Account account = new Account().setAuthentication(new Account.AuthenticationOrigin(originId, false));
+            User user = new User(id, name, mail, "", TimeUtils.getTime(), TimeUtils.getTime(),
+                    new UserInternal(new UserStatus(), account), new UserQuota(-1, -1, -1, -1),
                     Collections.emptyMap(), new LinkedList<>(), attributes);
 
             userList.add(user);

opencga-catalog/src/main/java/org/opencb/opencga/catalog/auth/authentication/CatalogAuthenticationManager.java

@@ -17,7 +17,6 @@
 package org.opencb.opencga.catalog.auth.authentication;
 
 import io.jsonwebtoken.SignatureAlgorithm;
-import org.apache.commons.lang3.RandomStringUtils;
 import org.opencb.commons.datastore.core.QueryOptions;
 import org.opencb.opencga.catalog.db.DBAdaptorFactory;
 import org.opencb.opencga.catalog.db.api.UserDBAdaptor;
@@ -26,6 +25,7 @@
 import org.opencb.opencga.catalog.exceptions.CatalogException;
 import org.opencb.opencga.catalog.utils.ParamUtils;
 import org.opencb.opencga.core.common.MailUtils;
+import org.opencb.opencga.core.common.PasswordUtils;
 import org.opencb.opencga.core.config.AuthenticationOrigin;
 import org.opencb.opencga.core.config.Email;
 import org.opencb.opencga.core.models.user.AuthenticationResponse;
@@ -125,7 +125,7 @@ public String createNonExpiringToken(String organizationId, String userId, Map<S
     public OpenCGAResult resetPassword(String organizationId, String userId) throws CatalogException {
         ParamUtils.checkParameter(userId, "userId");
         OpenCGAResult result = null;
-        String newPassword = RandomStringUtils.randomAlphanumeric(12);
+        String newPassword = PasswordUtils.getStrongRandomPassword();
 
         OpenCGAResult<User> user =
                 dbAdaptorFactory.getCatalogUserDBAdaptor(organizationId)

opencga-catalog/src/main/java/org/opencb/opencga/catalog/auth/authentication/LDAPAuthenticationManager.java

@@ -198,9 +198,11 @@ public List<User> getRemoteUserInformation(List<String> userStringList) throws C
 
             Map<String, Object> attributes = new HashMap<>();
             attributes.put("LDAP_RDN", rdn);
-            User user = new User(uid, displayName, mail, usersSearch, new Account()
-                    .setAuthentication(new Account.AuthenticationOrigin(originId, false)), new UserInternal(new UserStatus()),
-                    new UserQuota(-1, -1, -1, -1), new ArrayList<>(), new HashMap<>(), new LinkedList<>(), attributes);
+            Account account = new Account()
+                    .setAuthentication(new Account.AuthenticationOrigin(originId, false));
+            User user = new User(uid, displayName, mail, usersSearch, TimeUtils.getTime(), TimeUtils.getTime(),
+                    new UserInternal(new UserStatus(), account),
+                    new UserQuota(-1, -1, -1, -1), new HashMap<>(), new LinkedList<>(), attributes);
 
             userList.add(user);
         }

opencga-catalog/src/main/java/org/opencb/opencga/catalog/auth/authorization/AuthorizationDBAdaptor.java

@@ -16,10 +16,8 @@
 
 package org.opencb.opencga.catalog.auth.authorization;
 
-import org.opencb.opencga.catalog.exceptions.CatalogAuthorizationException;
 import org.opencb.opencga.catalog.exceptions.CatalogDBException;
 import org.opencb.opencga.catalog.exceptions.CatalogException;
-import org.opencb.opencga.catalog.exceptions.CatalogParameterException;
 import org.opencb.opencga.core.models.Acl;
 import org.opencb.opencga.core.models.AclEntryList;
 import org.opencb.opencga.core.models.common.Enums;
@@ -80,27 +78,21 @@ <T extends Enum<T>> OpenCGAResult<AclEntryList<T>> get(List<Long> resourceIds, L
      */
     OpenCGAResult removeFromStudy(long studyId, String member, Enums.Resource entry) throws CatalogException;
 
-    OpenCGAResult setToMembers(long studyId, List<String> members,
-                               List<AuthorizationManager.CatalogAclParams> aclParams)
-            throws CatalogDBException, CatalogParameterException, CatalogAuthorizationException;
+    OpenCGAResult setToMembers(long studyId, List<String> members, List<AuthorizationManager.CatalogAclParams> aclParams)
+            throws CatalogException;
 
     // Special method only to set acls in study
-    OpenCGAResult setToMembers(List<Long> studyIds, List<String> members, List<String> permissions)
-            throws CatalogDBException, CatalogParameterException, CatalogAuthorizationException;
+    OpenCGAResult setToMembers(List<Long> studyIds, List<String> members, List<String> permissions) throws CatalogException;
 
-    OpenCGAResult addToMembers(long studyId, List<String> members,
-                               List<AuthorizationManager.CatalogAclParams> aclParams)
-            throws CatalogDBException, CatalogParameterException, CatalogAuthorizationException;
+    OpenCGAResult addToMembers(long studyId, List<String> members, List<AuthorizationManager.CatalogAclParams> aclParams)
+            throws CatalogException;
 
     // Special method only to add acls in study
-    OpenCGAResult addToMembers(List<Long> studyIds, List<String> members, List<String> permissions)
-            throws CatalogDBException, CatalogParameterException, CatalogAuthorizationException;
+    OpenCGAResult addToMembers(List<Long> studyIds, List<String> members, List<String> permissions) throws CatalogException;
 
-    OpenCGAResult removeFromMembers(List<String> members, List<AuthorizationManager.CatalogAclParams> aclParams)
-            throws CatalogDBException, CatalogParameterException, CatalogAuthorizationException;
+    OpenCGAResult removeFromMembers(List<String> members, List<AuthorizationManager.CatalogAclParams> aclParams) throws CatalogException;
 
-    OpenCGAResult resetMembersFromAllEntries(long studyId, List<String> members)
-            throws CatalogDBException, CatalogParameterException, CatalogAuthorizationException;
+    OpenCGAResult resetMembersFromAllEntries(long studyId, List<String> members) throws CatalogException;
 
     OpenCGAResult setAcls(List<Long> resourceIds, AclEntryList<?> aclEntryList, Enums.Resource resource)
             throws CatalogDBException;

opencga-catalog/src/main/java/org/opencb/opencga/catalog/db/DBAdaptorFactory.java

@@ -19,10 +19,8 @@
 import org.apache.commons.lang3.StringUtils;
 import org.opencb.commons.datastore.core.QueryOptions;
 import org.opencb.opencga.catalog.db.api.*;
-import org.opencb.opencga.catalog.exceptions.CatalogAuthorizationException;
 import org.opencb.opencga.catalog.exceptions.CatalogDBException;
 import org.opencb.opencga.catalog.exceptions.CatalogException;
-import org.opencb.opencga.catalog.exceptions.CatalogParameterException;
 import org.opencb.opencga.core.config.Admin;
 import org.opencb.opencga.core.config.Configuration;
 import org.opencb.opencga.core.models.organizations.Organization;
@@ -83,8 +81,7 @@ default String getCatalogDatabase(String prefix, String organization) {
 
     MetaDBAdaptor getCatalogMetaDBAdaptor(String organization) throws CatalogDBException;
 
-    OpenCGAResult<Organization> createOrganization(Organization organization, QueryOptions options, String userId)
-            throws CatalogDBException, CatalogParameterException, CatalogAuthorizationException;
+    OpenCGAResult<Organization> createOrganization(Organization organization, QueryOptions options, String userId) throws CatalogException;
 
     void deleteOrganization(Organization organization) throws CatalogDBException;
 

opencga-catalog/src/main/java/org/opencb/opencga/catalog/db/api/AnnotationSetDBAdaptor.java

@@ -21,6 +21,7 @@
 import org.opencb.commons.datastore.core.QueryOptions;
 import org.opencb.opencga.catalog.exceptions.CatalogAuthorizationException;
 import org.opencb.opencga.catalog.exceptions.CatalogDBException;
+import org.opencb.opencga.catalog.exceptions.CatalogException;
 import org.opencb.opencga.catalog.exceptions.CatalogParameterException;
 import org.opencb.opencga.core.models.common.AnnotationSet;
 import org.opencb.opencga.core.models.study.Variable;
@@ -62,12 +63,10 @@ OpenCGAResult update(Query query, ObjectMap parameters, List<VariableSet> variab
      * @param variableSetId variable set id to identify the annotations that will add a new annotation.
      * @param variable      new variable that will be added.
      * @return a OpenCGAResult object.
-     * @throws CatalogDBException if the variable could not be added to an existing annotationSet.
-     * @throws CatalogParameterException if there is any unexpected parameter.
-     * @throws CatalogAuthorizationException if the operation is not authorized.
+     * @throws CatalogException if the variable could not be added to an existing annotationSet, there is any unexpected parameter or
+     *                          the operation is not authorized.
      */
-    OpenCGAResult addVariableToAnnotations(long studyUid, long variableSetId, Variable variable)
-            throws CatalogDBException, CatalogParameterException, CatalogAuthorizationException;
+    OpenCGAResult addVariableToAnnotations(long studyUid, long variableSetId, Variable variable) throws CatalogException;
 
 //    /**
 //     * This method will rename the id of all the annotations corresponding to the variableSetId changing oldName per newName.
@@ -88,12 +87,10 @@ OpenCGAResult addVariableToAnnotations(long studyUid, long variableSetId, Variab
      * @param variableSetId  variable set id for which the annotationSets have to delete the annotation.
      * @param annotationName Annotation name.
      * @return a OpenCGAResult object.
-     * @throws CatalogDBException when there is an error in the database.
-     * @throws CatalogParameterException if there is any unexpected parameter.
-     * @throws CatalogAuthorizationException if the operation is not authorized.
+     * @throws CatalogException when there is an error in the database, there is any unexpected parameter or the operation is not
+     *                          authorized.
      */
-    OpenCGAResult removeAnnotationField(long studyUid, long variableSetId, String annotationName)
-            throws CatalogDBException, CatalogParameterException, CatalogAuthorizationException;
+    OpenCGAResult removeAnnotationField(long studyUid, long variableSetId, String annotationName) throws CatalogException;
 
     /**
      * Makes a groupBy to obtain the different values that every annotation has and the total number of each.

opencga-catalog/src/main/java/org/opencb/opencga/catalog/db/api/ClinicalAnalysisDBAdaptor.java

@@ -235,8 +235,7 @@ default void checkId(long clinicalAnalysisId) throws CatalogDBException, Catalog
     OpenCGAResult nativeInsert(Map<String, Object> clinicalAnalysis, String userId) throws CatalogDBException;
 
     OpenCGAResult insert(long studyId, ClinicalAnalysis clinicalAnalysis, List<VariableSet> variableSetList,
-                         List<ClinicalAudit> clinicalAuditList, QueryOptions options)
-            throws CatalogDBException, CatalogParameterException, CatalogAuthorizationException;
+                         List<ClinicalAudit> clinicalAuditList, QueryOptions options) throws CatalogException;
 
     OpenCGAResult<ClinicalAnalysis> update(long id, ObjectMap parameters, List<VariableSet> variableSetList,
                                            List<ClinicalAudit> clinicalAuditList, QueryOptions queryOptions)

opencga-catalog/src/main/java/org/opencb/opencga/catalog/db/api/CohortDBAdaptor.java

@@ -133,8 +133,7 @@ default void checkId(long cohortId) throws CatalogDBException, CatalogParameterE
 
     OpenCGAResult nativeInsert(Map<String, Object> cohort, String userId) throws CatalogDBException;
 
-    OpenCGAResult insert(long studyId, Cohort cohort, List<VariableSet> variableSetList, QueryOptions options)
-            throws CatalogDBException, CatalogParameterException, CatalogAuthorizationException;
+    OpenCGAResult insert(long studyId, Cohort cohort, List<VariableSet> variableSetList, QueryOptions options) throws CatalogException;
 
     OpenCGAResult<Cohort> get(long cohortId, QueryOptions options)
             throws CatalogDBException, CatalogParameterException, CatalogAuthorizationException;