DependencyTrack
diff --git a/‎dev/docker-compose.yml‎
Lines changed: 3 additions & 0 deletions b/‎dev/docker-compose.yml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎src/main/java/org/dependencytrack/resources/v1/TeamResource.java‎
Lines changed: 26 additions & 23 deletions b/‎src/main/java/org/dependencytrack/resources/v1/TeamResource.java‎
Lines changed: 26 additions & 23 deletions
diff --git a/‎src/main/java/org/dependencytrack/upgrade/PreUpgradeHook.java‎
Lines changed: 36 additions & 0 deletions b/‎src/main/java/org/dependencytrack/upgrade/PreUpgradeHook.java‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎src/main/java/org/dependencytrack/upgrade/UpgradeInitializer.java‎
Lines changed: 50 additions & 3 deletions b/‎src/main/java/org/dependencytrack/upgrade/UpgradeInitializer.java‎
Lines changed: 50 additions & 3 deletions
diff --git a/‎src/main/java/org/dependencytrack/upgrade/UpgradeItems.java‎
Lines changed: 1 addition & 0 deletions b/‎src/main/java/org/dependencytrack/upgrade/UpgradeItems.java‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/main/java/org/dependencytrack/upgrade/v4130/v4130PreUpgradeHook.java‎
Lines changed: 79 additions & 0 deletions b/‎src/main/java/org/dependencytrack/upgrade/v4130/v4130PreUpgradeHook.java‎
Lines changed: 79 additions & 0 deletions
diff --git a/‎src/main/java/org/dependencytrack/upgrade/v4130/v4130Updater.java‎
Lines changed: 8 additions & 58 deletions b/‎src/main/java/org/dependencytrack/upgrade/v4130/v4130Updater.java‎
Lines changed: 8 additions & 58 deletions
@@ -19,6 +19,9 @@ name: "dependency-track"
 services:
   apiserver:
     image: dependencytrack/apiserver:snapshot
+    environment:
+      # Speed up password hashing for faster initial login (default is 14 rounds).
+      ALPINE_BCRYPT_ROUNDS: "4"
     ports:
     - "127.0.0.1:8080:8080"
     volumes:
 
@@ -23,6 +23,8 @@
 import alpine.model.ApiKey;
 import alpine.model.Team;
 import alpine.model.UserPrincipal;
+import alpine.security.ApiKeyDecoder;
+import alpine.security.InvalidApiKeyFormatException;
 import alpine.server.auth.PermissionRequired;
 import alpine.server.resources.AlpineResource;
 import io.swagger.v3.oas.annotations.Operation;
@@ -36,7 +38,6 @@
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import io.swagger.v3.oas.annotations.security.SecurityRequirements;
 import io.swagger.v3.oas.annotations.tags.Tag;
-
 import org.dependencytrack.auth.Permissions;
 import org.dependencytrack.model.validation.ValidUuid;
 import org.dependencytrack.persistence.QueryManager;
@@ -59,8 +60,6 @@
 import java.util.ArrayList;
 import java.util.List;
 
-import static org.datanucleus.PropertyNames.PROPERTY_RETAIN_VALUES;
-
 /**
  * JAX-RS resources for processing teams.
  *
@@ -308,12 +307,14 @@ public Response regenerateApiKey(
             @Parameter(description = "The public ID for the API key or for Legacy the complete Key to regenerate", required = true)
             @PathParam("publicIdOrKey") String publicIdOrKey) {
         try (QueryManager qm = new QueryManager()) {
-            boolean isLegacy = publicIdOrKey.length() == ApiKey.LEGACY_FULL_KEY_LENGTH;
-            ApiKey apiKey;
-            if (publicIdOrKey.length() == ApiKey.FULL_KEY_LENGTH || isLegacy) {
-                 apiKey = qm.getApiKeyByPublicId(ApiKey.getPublicId(publicIdOrKey, isLegacy));
-            } else {
-                 apiKey = qm.getApiKeyByPublicId(publicIdOrKey);
+            ApiKey apiKey = qm.getApiKeyByPublicId(publicIdOrKey);
+            if (apiKey == null) {
+                try {
+                    final ApiKey deocdedApiKey = ApiKeyDecoder.decode(publicIdOrKey);
+                    apiKey = qm.getApiKeyByPublicId(deocdedApiKey.getPublicId());
+                } catch (InvalidApiKeyFormatException e) {
+                    LOGGER.debug("Failed to decode value as API key", e);
+                }
             }
             if (apiKey != null) {
                 apiKey = qm.regenerateApiKey(apiKey);
@@ -349,15 +350,15 @@ public Response updateApiKeyComment(
             @PathParam("publicIdOrKey") final String publicIdOrKey,
             final String comment) {
         try (final var qm = new QueryManager()) {
-            qm.getPersistenceManager().setProperty(PROPERTY_RETAIN_VALUES, "true");
-
             return qm.callInTransaction(() -> {
-                boolean isLegacy = publicIdOrKey.length() == ApiKey.LEGACY_FULL_KEY_LENGTH;
-                ApiKey apiKey;
-                if (publicIdOrKey.length() == ApiKey.FULL_KEY_LENGTH || isLegacy) {
-                    apiKey = qm.getApiKeyByPublicId(ApiKey.getPublicId(publicIdOrKey, isLegacy));
-                } else {
-                    apiKey = qm.getApiKeyByPublicId(publicIdOrKey);
+                ApiKey apiKey = qm.getApiKeyByPublicId(publicIdOrKey);
+                if (apiKey == null) {
+                    try {
+                        final ApiKey deocdedApiKey = ApiKeyDecoder.decode(publicIdOrKey);
+                        apiKey = qm.getApiKeyByPublicId(deocdedApiKey.getPublicId());
+                    } catch (InvalidApiKeyFormatException e) {
+                        LOGGER.debug("Failed to decode value as API key", e);
+                    }
                 }
                 if (apiKey == null) {
                     return Response
@@ -388,12 +389,14 @@ public Response deleteApiKey(
             @Parameter(description = "The public ID for the API key or for Legacy the full Key to delete", required = true)
             @PathParam("publicIdOrKey") String publicIdOrKey) {
         try (QueryManager qm = new QueryManager()) {
-            boolean isLegacy = publicIdOrKey.length() == ApiKey.LEGACY_FULL_KEY_LENGTH;
-            ApiKey apiKey;
-            if (publicIdOrKey.length() == ApiKey.FULL_KEY_LENGTH || isLegacy) {
-                 apiKey = qm.getApiKeyByPublicId(ApiKey.getPublicId(publicIdOrKey, isLegacy));
-            } else {
-                 apiKey = qm.getApiKeyByPublicId(publicIdOrKey);
+            ApiKey apiKey = qm.getApiKeyByPublicId(publicIdOrKey);
+            if (apiKey == null) {
+                try {
+                    final ApiKey deocdedApiKey = ApiKeyDecoder.decode(publicIdOrKey);
+                    apiKey = qm.getApiKeyByPublicId(deocdedApiKey.getPublicId());
+                } catch (InvalidApiKeyFormatException e) {
+                    LOGGER.debug("Failed to decode value as API key", e);
+                }
             }
             if (apiKey != null) {
                 qm.delete(apiKey);
 
@@ -0,0 +1,36 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
+ */
+package org.dependencytrack.upgrade;
+
+import alpine.server.upgrade.UpgradeMetaProcessor;
+
+import java.sql.Connection;
+
+/**
+ * @since 4.13.0
+ */
+public interface PreUpgradeHook {
+
+    int priority();
+
+    boolean shouldExecute(final UpgradeMetaProcessor upgradeProcessor);
+
+    void execute(final Connection connection) throws Exception;
+
+}
@@ -38,8 +38,15 @@
 import jakarta.servlet.ServletContextListener;
 import javax.jdo.JDOHelper;
 import javax.jdo.PersistenceManager;
+import java.sql.Connection;
+import java.sql.DriverManager;
+import java.sql.SQLException;
+import java.util.ArrayList;
+import java.util.Comparator;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Properties;
+import java.util.ServiceLoader;
 import java.util.Set;
 
 public class UpgradeInitializer implements ServletContextListener {
@@ -52,19 +59,32 @@ public class UpgradeInitializer implements ServletContextListener {
     @Override
     public void contextInitialized(final ServletContextEvent event) {
         LOGGER.info("Initializing upgrade framework");
-        try {
-            final UpgradeMetaProcessor ump = new UpgradeMetaProcessor();
+        final var preUpgradeHooks = new ArrayList<PreUpgradeHook>();
+        try (final UpgradeMetaProcessor ump = new UpgradeMetaProcessor()) {
             final VersionComparator currentVersion = ump.getSchemaVersion();
-            ump.close();
             if (currentVersion != null && currentVersion.isOlderThan(new VersionComparator("4.0.0"))) {
                 LOGGER.error("Unable to upgrade Dependency-Track versions prior to v4.0.0. Please refer to documentation for migration details. Halting.");
+                ump.close();
                 Runtime.getRuntime().halt(-1);
             }
+
+            ServiceLoader.load(PreUpgradeHook.class).stream()
+                    .map(ServiceLoader.Provider::get)
+                    .sorted(Comparator.comparingInt(PreUpgradeHook::priority))
+                    .filter(hook -> hook.shouldExecute(ump))
+                    .forEach(preUpgradeHooks::add);
         } catch (UpgradeException e) {
             LOGGER.error("An error occurred determining database schema version. Unable to continue.", e);
             Runtime.getRuntime().halt(-1);
         }
 
+        try {
+            executePreUpgradeHooks(preUpgradeHooks);
+        } catch (RuntimeException e) {
+            LOGGER.error("Failed to execute pre-upgrade hooks", e);
+            Runtime.getRuntime().halt(-1);
+        }
+
         try (final JDOPersistenceManagerFactory pmf = createPersistenceManagerFactory()) {
             // Ensure that the UpgradeMetaProcessor and SchemaVersion tables are created NOW, not dynamically at runtime.
             final PersistenceNucleusContext ctx = pmf.getNucleusContext();
@@ -121,4 +141,31 @@ private JDOPersistenceManagerFactory createPersistenceManagerFactory() {
         return (JDOPersistenceManagerFactory) JDOHelper.getPersistenceManagerFactory(dnProps, "Alpine");
     }
 
+    private void executePreUpgradeHooks(final List<PreUpgradeHook> hooks) {
+        if (hooks.isEmpty()) {
+            return;
+        }
+
+        final String dbUrl = Config.getInstance().getProperty(Config.AlpineKey.DATABASE_URL);
+        final String dbUser = Config.getInstance().getProperty(Config.AlpineKey.DATABASE_USERNAME);
+        final String dbPassword = Config.getInstance().getPropertyOrFile(Config.AlpineKey.DATABASE_PASSWORD);
+        try (final Connection connection = DriverManager.getConnection(dbUrl, dbUser, dbPassword)) {
+            connection.setAutoCommit(false);
+
+            for (final PreUpgradeHook hook : hooks) {
+                LOGGER.info("Executing pre-upgrade hook: " + hook.getClass().getName());
+                try {
+                    hook.execute(connection);
+                    connection.commit();
+                } catch (Exception e) {
+                    throw new IllegalStateException("Failed to execute pre-upgrade hook: " + hook.getClass().getName(), e);
+                } finally {
+                    connection.rollback();
+                }
+            }
+        } catch (SQLException e) {
+            throw new IllegalStateException("Failed to create database connection", e);
+        }
+    }
+
 }
@@ -43,6 +43,7 @@ class UpgradeItems {
         UPGRADE_ITEMS.add(org.dependencytrack.upgrade.v4122.v4122Updater.class);
         UPGRADE_ITEMS.add(org.dependencytrack.upgrade.v4123.v4123Updater.class);
         UPGRADE_ITEMS.add(org.dependencytrack.upgrade.v4130.v4130Updater.class);
+        UPGRADE_ITEMS.add(org.dependencytrack.upgrade.v4130.v4130_1Updater.class);
     }
 
     static List<Class<? extends UpgradeItem>> getUpgradeItems() {
 
@@ -0,0 +1,79 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
+ */
+package org.dependencytrack.upgrade.v4130;
+
+import alpine.common.logging.Logger;
+import alpine.common.util.VersionComparator;
+import alpine.server.upgrade.UpgradeMetaProcessor;
+import org.dependencytrack.upgrade.PreUpgradeHook;
+
+import java.sql.Connection;
+import java.sql.PreparedStatement;
+import java.sql.Statement;
+
+/**
+ * Hook to create the {@code APIKEY.PUBLIC_ID} column and accompanying {@code UNIQUE} index
+ * for MSSQL <em>before</em> the main schema migration is executed. The index is partial
+ * to allow for multiple {@code NULL} values, which is necessary for the duration of the
+ * API key migration performed in {@link v4130_1Updater}.
+ *
+ * @see <a href="https://github.com/DependencyTrack/dependency-track/issues/4683">GitHub Issue</a>
+ * @since 4.13.0
+ */
+public class v4130PreUpgradeHook implements PreUpgradeHook {
+
+    private static final Logger LOGGER = Logger.getLogger(v4130PreUpgradeHook.class);
+
+    @Override
+    public int priority() {
+        return 1;
+    }
+
+    @Override
+    public boolean shouldExecute(final UpgradeMetaProcessor upgradeProcessor) {
+        final VersionComparator currentSchemaVersion = upgradeProcessor.getSchemaVersion();
+        return currentSchemaVersion != null && currentSchemaVersion.isOlderThan(new VersionComparator("4.13.0"));
+    }
+
+    @Override
+    public void execute(final Connection connection) throws Exception {
+        if (!connection.getMetaData().getDatabaseProductName().equals("Microsoft SQL Server")) {
+            LOGGER.info("Database is not MSSQL; Nothing to do");
+            return;
+        }
+
+        try (final PreparedStatement ps = connection.prepareStatement("""
+                SELECT 1
+                  FROM INFORMATION_SCHEMA.COLUMNS
+                 WHERE UPPER(TABLE_NAME) = 'APIKEY'
+                   AND UPPER(COLUMN_NAME) = 'PUBLIC_ID'
+                """)) {
+            if (ps.executeQuery().next()) {
+                LOGGER.info("PUBLIC_ID column already exists in APIKEY table; Nothing to do");
+                return;
+            }
+        }
+
+        try (final Statement stmt = connection.createStatement()) {
+            stmt.execute("ALTER TABLE \"APIKEY\" ADD \"PUBLIC_ID\" VARCHAR(8) NULL");
+            stmt.execute("CREATE UNIQUE INDEX \"APIKEY_PUBLIC_IDX\" ON \"APIKEY\"(\"PUBLIC_ID\") WHERE \"PUBLIC_ID\" IS NOT NULL");
+        }
+    }
+
+}
@@ -18,76 +18,26 @@
  */
 package org.dependencytrack.upgrade.v4130;
 
-import java.security.MessageDigest;
-import java.sql.Connection;
-import java.sql.PreparedStatement;
-import java.sql.ResultSet;
-import java.sql.Statement;
-import java.util.HexFormat;
-
-import alpine.common.logging.Logger;
-import alpine.model.ApiKey;
 import alpine.persistence.AlpineQueryManager;
 import alpine.server.upgrade.AbstractUpgradeItem;
-import alpine.server.util.DbUtil;
 
-public class v4130Updater extends AbstractUpgradeItem {
+import java.sql.Connection;
 
-    private static final Logger LOGGER = Logger.getLogger(v4130Updater.class);
+public class v4130Updater extends AbstractUpgradeItem {
 
     @Override
     public String getSchemaVersion() {
         return "4.13.0";
     }
 
     @Override
-    public void executeUpgrade(final AlpineQueryManager qm, final Connection connection) throws Exception {
-        migrateToHashedApiKey(connection);
+    public boolean shouldUpgrade(final AlpineQueryManager qm, final Connection connection) {
+        return false; // Revised upgrade logic moved to v4130_1Updater.
     }
 
-    private void migrateToHashedApiKey(final Connection connection) throws Exception {
-        LOGGER.info("Store API keys in hashed format!");
-
-         try (final PreparedStatement ps = connection.prepareStatement("""
-                UPDATE "APIKEY"
-                   SET "APIKEY" = ?, "PUBLIC_ID" = ?, "IS_LEGACY" = ?
-                 WHERE "ID" = ?
-                """)) {
-
-            if (DbUtil.isMysql() || DbUtil.isMssql()) {
-                ps.setInt(3, 1);
-            } else {
-                ps.setBoolean(3, true);
-            }
-
-            try (final Statement statement = connection.createStatement()) {
-                statement.execute("""
-                    SELECT "ID", "APIKEY"
-                      FROM "APIKEY"
-                """);
-                try (final ResultSet rs = statement.getResultSet()) {
-                    String clearKey;
-                    int id;
-                    String hashedKey;
-                    String publicId;
-                    while (rs.next()) {
-                        clearKey = rs.getString("apikey");
-                        if (clearKey.length() != ApiKey.LEGACY_FULL_KEY_LENGTH) {
-                            continue;
-                        }
-                        final MessageDigest digest = MessageDigest.getInstance("SHA3-256");
-                        id = rs.getInt("id");
-                        hashedKey = HexFormat.of().formatHex(digest.digest(ApiKey.getOnlyKeyAsBytes(clearKey, true)));
-                        publicId = ApiKey.getPublicId(clearKey, true);
-
-                        ps.setString(1, hashedKey);
-                        ps.setString(2, publicId);
-                        ps.setInt(4, id);
-
-                        ps.executeUpdate();
-                    }
-                }
-            }
-        }
+    @Override
+    public void executeUpgrade(final AlpineQueryManager qm, final Connection connection) throws Exception {
+        // Revised upgrade logic moved to v4130_1Updater.
     }
+
 }
Original file line number	Diff line number	Diff line change
`@@ -43,6 +43,7 @@ class UpgradeItems {`
`43`	`43`	`UPGRADE_ITEMS.add(org.dependencytrack.upgrade.v4122.v4122Updater.class);`
`44`	`44`	`UPGRADE_ITEMS.add(org.dependencytrack.upgrade.v4123.v4123Updater.class);`
`45`	`45`	`UPGRADE_ITEMS.add(org.dependencytrack.upgrade.v4130.v4130Updater.class);`
	`46`	`+ UPGRADE_ITEMS.add(org.dependencytrack.upgrade.v4130.v4130_1Updater.class);`
`46`	`47`	`}`
`47`	`48`
`48`	`49`	`static List<Class<? extends UpgradeItem>> getUpgradeItems() {`