Merge Thrift Services, Switch OpenJPA to Hibernate, Create Main Class to Launch Airavata #556
Closed
…t use to external services
…multiplexing for all services.
…nd a @joincolumn for the same item.
* update column types for mariadb.
* reorganize database init scripts.
* update to mariadb 10.11 and use MariaDBDialect.
Closing — the core goals of this PR have been fully implemented in master through the server consolidation work:
Two items from this branch are not yet in master and will be extracted as separate PRs:
yasithdev added a commit that referenced this pull request Mar 30, 2026
Replace AES/CBC/PKCS5Padding with AES/GCM/NoPadding for credential store encryption. The old code used a static zero IV which is insecure. GCM provides authenticated encryption with random IVs prepended to the ciphertext. Extracted from #556.
yasithdev added a commit that referenced this pull request Mar 30, 2026
Extracted from #556. Provides convenience targets:
- make build: full Maven build (skip tests)
- make serve: build + run fat JAR
- make compile: fast compile only
- make serve-dev: compile + spring-boot:run (hot reload)
- make test: run test suite
yasithdev added a commit that referenced this pull request Mar 31, 2026
* security: upgrade credential encryption from AES/CBC to AES/GCM

  Replace AES/CBC/PKCS5Padding with AES/GCM/NoPadding for credential store encryption. The old code used a static zero IV which is insecure. GCM provides authenticated encryption with random IVs prepended to the ciphertext.

  Extracted from #556.

* security: add legacy AES/CBC fallback for transparent migration

  On decrypt, try GCM first. If the auth tag fails (AEADBadTagException), fall back to the old AES/CBC/PKCS5Padding with static zero IV. This allows existing credentials to be read without re-encryption.

  Credentials will migrate to GCM format on next update/rotation — writes always use AES/GCM.

* test: add unit tests for GCM/CBC encryption and legacy fallback

  - testFallbackDecryptsLegacyCBC: CBC-encrypted data decrypted via fallback
  - testFallbackDecryptsNewGCM: GCM-encrypted data decrypted via fallback
  - testGcmDecryptRejectsLegacyData: GCM decrypt throws on CBC data

* security: remove fallback, add migration script instead

  Replace transparent fallback with a one-time migration script (MigrateCredentialEncryption) that re-encrypts all CREDENTIALS rows from legacy AES/CBC to AES/GCM. Run before deploying the GCM-only code.

  Usage:
    java MigrateCredentialEncryption <jdbcUrl> <dbUser> <dbPass> \
      <keystorePath> <keyAlias> <keystorePass>

  The script skips rows already in GCM format.

* style: spotless:apply on MigrateCredentialEncryption

* Potential fix for code scanning alert no. 129: Use of a broken or risky cryptographic algorithm

  Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* fix: make decryptLegacy public for cross-package access from migration script

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
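The scheme these commit messages describe (a random IV prepended to the AES/GCM ciphertext, and a one-time re-encryption of legacy zero-IV CBC values that skips data already in GCM form), sketched as an added example. It is not the project's MigrateCredentialEncryption or credential store code; the class and method names, the 12-byte IV, the 128-bit tag, the trial-decrypt format check and the demo key are assumptions.

```java
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

public class CredentialReencryptDemo {
    static final int IV_LEN = 12, TAG_BITS = 128; // assumed GCM parameters

    // New format: random IV || ciphertext || auth tag
    static byte[] encryptGcm(SecretKey key, byte[] plain) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv); // fresh IV for every encryption
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain);
        return ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
    }
    static byte[] decryptGcm(SecretKey key, byte[] blob) throws Exception {
        if (blob.length < IV_LEN + TAG_BITS / 8) throw new AEADBadTagException("too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        return c.doFinal(blob, IV_LEN, blob.length - IV_LEN);
    }
    // Legacy format (static zero IV), kept only to read old values during migration.
    static Cipher legacyCbc(int mode, SecretKey key) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(mode, key, new IvParameterSpec(new byte[16]));
        return c;
    }
    // One migration step (assumed check): a value that authenticates as GCM is left as-is.
    static byte[] migrate(SecretKey key, byte[] stored) throws Exception {
        try {
            decryptGcm(key, stored);
            return stored;
        } catch (AEADBadTagException notGcm) {
            return encryptGcm(key, legacyCbc(Cipher.DECRYPT_MODE, key).doFinal(stored));
        }
    }
    public static void main(String[] args) throws Exception {
        SecretKey key = new SecretKeySpec(new byte[16], "AES"); // constructed demo key only
        byte[] secret = "constructed-sample-credential".getBytes("UTF-8");
        byte[] old = legacyCbc(Cipher.ENCRYPT_MODE, key).doFinal(secret);
        System.out.println("legacy ciphertexts identical: "
                + Arrays.equals(old, legacyCbc(Cipher.ENCRYPT_MODE, key).doFinal(secret)));
        byte[] fresh = migrate(key, old);
        System.out.println("migrated value decrypts: " + Arrays.equals(secret, decryptGcm(key, fresh)));
        System.out.println("re-run leaves value alone: " + (migrate(key, fresh) == fresh));
    }
}
```

All three lines print true. The first shows why the fixed IV matters: equal credentials under the same key produce equal CBC ciphertexts, while each GCM encryption draws a new IV.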
This PR merges all Airavata Thrift services into airavata-api, and adds a main launcher (org.apache.airavata.Main) that boots the API, recurring tasks, monitoring components, and state machines. Switched from OpenJPA+DBCP2 to Hibernate+HikariCP to simplify the dependencies, configuration, and maintenance of airavata services.
Key changes:
- make serve - builds airavata-api distribution and starts ./bin/airavata.sh
- make serve-dev - compiles airavata-api and starts it using mvn exec:java