Autocreate Zenodo DOIs and create shared access links

[kathy-t]

Description

Updated PR Description

Zenodo swagger PR: https://github.com/dockstore/swagger-java-zenodo-client/pull/21

This PR has been updated with the feedback from the story time discussion.

This PR requires the creation of a Dockstore-owned personal access token on Zenodo as well as a Dockstore community on Zenodo. This personal access token is used to automatically create DOIs.

Automatic DOI Creation Behaviour

• DOIs are automatically created for valid published tags for Workflow-based entries on refresh, GitHub App release, and on publish. During automatic DOI creation, we skip creating a snapshot.
• The DOI is only created the first time it is invoked. If tags are recreated, we do not create a new DOI. This can be an enhancement if we want to go down that route.
  • I originally didn't do it on publish but after manual testing, the user experience to automatically create DOIs for a new workflows that aren't originally published felt clunky. For example, a user creates a new GitHub app workflow that isn't published so no DOIs are created. They publish it. They must now generate push events for DOIs to be automatically created.
• There is no option to opt-out.
• A new Doi entity is added so that we can track multiple DOIs from multiple sources (user, GitHub, Dockstore). This means that users can have both user-generated and Dockstore-generated DOIs, along with GitHub DOIs.
  • I have deprecated the old DOI columns instead of removing them so that there is no down time during the release. There is no trigger to keep the new and old columns in sync. Is it worth it to add a trigger?
• Note that we don't allow the deletion of entries that were previously published. Since the auto DOI creation only occurs for published tags, this means that DOIs in our database won't be orphaned.
• Tags with only Dockstore-generated DOIs can be deleted since they are not frozen...this can result in an orphaned DOI.

Dockstore Zenodo Community

• New DOIs, whether user or Dockstore generated, are added to the Dockstore Zenodo community. We do not add old records to the community retro-actively.

Shared Access Links

• Three endpoints are added to manage shared access links that allow users to edit the Dockstore-generated DOIs. The access link returns an ID and a token. When this token is appended to the Zenodo DOI URL, the user is able to edit the record if they are logged into Zenodo. I did not store this token in the database because I feared that we could accidentally expose it. Only the link ID is stored and when requested, we can retrieve the token from Zenodo. This editing feature will likely not be used often.
• The link has edit permissions and no expiration date. There is an endpoint to delete the access link.
• The access link ID is stored in the concept DOI object because this link is applicable to all versions of the DOI

Hoverfly Tests

• Created a few Zenodo tests using Hoverfly. These tests aren't super complex due to the limitations of mocked responses, but it's something 🙂
• Created a new testing profile for tests that use Hoverfly because it needs the localtruststore in CircleCI

Follow-up

• Hook up to the UI: https://ucsc-cgl.atlassian.net/browse/SEAB-6462

Draft PR Description

Currently in draft mode to get feedback as I figure out some Hoverfly test weirdness in CircleCI.

Zenodo swagger PR: dockstore/swagger-java-zenodo-client#21

This PR adds a enableAutomaticDoiCreation boolean to Entry that is set to true by default.

When set to true, it automatically creates DOIs using Dockstore's own Zenodo personal access token, specified in the web.yml. The auto-creation occurs during refresh and GitHub App release for valid, published tags and involves snapshotting the version prior to creating the DOI. This boolean can be updated using a new endpoint, allowing users to opt-out in the UI. For GitHub app entries, they will need to specify it in their .dockstore.yml.

• Should this feature include hosted entries?

This boolean can be updated using a new endpoint, allowing users to opt-out in the UI. For GitHub app entries, they will need to specify it in their .dockstore.yml.

This PR also adds an endpoint to create a shared access link with edit permissions so entry owners can modify their DOIs if they want. There is an option to set an expiration date, but I set it to never expire. The idea is that in the UI, the entry owner can click a button that creates this shared access link. After the first time, the UI can display this link somewhere so the user can modify their DOI. UI PR will be in follow-up ticket.

• Should we allow the user to delete this access link?

This PR also adds DOIs to the Dockstore community, using the community ID specified in the web.yml. This is for all DOIs, whether Dockstore-created or end-user-created.

Some questions and thoughts
There is a potential exception if an end user has already requested a DOI for an entry version and our Dockstore user tries to create a DOI for a different version because our Dockstore user does not have permissions to modify some one else's DOI. Due to this, there is a check to see if the entry has 0 DOIs or if all DOIs are Dockstore-owned to ensure that no exception occurs. I think there's a bigger conversation here about how we want to handle this situation so this PR takes the simplest route for now, i.e., not allowing the mixing of end-user-created and Dockstore-created DOIs. Below are some thoughts about it, but I think we should have a follow-up ticket to decide what to do.

• Do we solve this with communities? Using a one-time endpoint, we could try to add all DOIs to the Dockstore community. This would give the Dockstore Zenodo user permission to edit the DOI and create versions for DOIs that are owned by end users.
• Do we allow multiple users to create DOIs and we store multiple DOIs? (similar ticket https://ucsc-cgl.atlassian.net/browse/DOCK-1922)
• How about the reverse where the Dockstore Zenodo user creates the DOI first and the end user wants to create their own DOI?
  • Shared access links would allow them to create new versions of the DOI, but they would not "own" the DOI

Review Instructions
Describe if this ticket needs review and if so, how one may go about it in qa and/or staging environments.
For example, a ticket based on Security Hub, Snyk, or Dependabot may not need review since those services
will generate new warnings if the issue has not been resolved properly. On the other hand, an infrastructure
ticket that results in visible changes to the end-user will definitely require review.
Many tickets will likely be between these two extremes, so some judgement may be required.

Issue
https://ucsc-cgl.atlassian.net/browse/SEAB-5929
https://ucsc-cgl.atlassian.net/browse/SEAB-6371

Security and Privacy

If there are any concerns that require extra attention from the security team, highlight them here and check the box when complete.

• Security and Privacy assessed

e.g. Does this change...

• Any user data we collect, or data location?
• Access control, authentication or authorization?
• Encryption features?

Please make sure that you've checked the following before submitting your pull request. Thanks!

• Check that you pass the basic style checks and unit tests by running mvn clean install
• Ensure that the PR targets the correct branch. Check the milestone or fix version of the ticket.
• Follow the existing JPA patterns for queries, using named parameters, to avoid SQL injection
• If you are changing dependencies, check the Snyk status check or the dashboard to ensure you are not introducing new high/critical vulnerabilities
• Assume that inputs to the API can be malicious, and sanitize and/or check for Denial of Service type values, e.g., massive sizes
• Do not serve user-uploaded binary images through the Dockstore API
• Ensure that endpoints that only allow privileged access enforce that with the @RolesAllowed annotation
• Do not create cookies, although this may change in the future
• If this PR is for a user-facing feature, create and link a documentation ticket for this feature (usually in the same milestone as the linked issue). Style points if you create a documentation PR directly and link that instead.

[kathy-t]

Removed this because the DOI is automatically reserved the first time a deposit is created eblondel/zen4R#37 (comment)

[kathy-t]

Tackled this TODO comment due to updating the zenodo swagger version

[denis-yuen]

Due to this, there is a check to see if the entry has 0 DOIs or if all DOIs are Dockstore-owned to ensure that no exception occurs. I think there's a bigger conversation here about how we want to handle this situation so this PR takes the simplest route for now, i.e., not allowing the mixing of end-user-created and Dockstore-created DOIs.

I think this makes sense, basically allowing users to go from automatic to user-created but not vice versa

Do we allow multiple users to create DOIs and we store multiple DOIs?

A good observation, I guess we basically had this problem in some way already.

How about the reverse where the Dockstore Zenodo user creates the DOI first and the end user wants to create their own DOI?

I think we should allow this, there's a good chance the user may not know about the automatic doi feature until after it issues one, so we need to allow for this direction (automatic to end-user created)

[denis-yuen]

Will double-back, but starting the conversation

[denis-yuen]

nitpick, since this is the default, maybe this should be flipped to disableAutomaticDoiCreation or enableEndUserDoiCreation

[denis-yuen]

Just setting reminder to fix before merging

[denis-yuen]

There's a relationship between these two columns that can be enforced through a check constraint

[svonworl]

This PR also adds an endpoint to create a shared access link with edit permissions so entry owners can modify their DOIs if they want. There is an option to set an expiration date, but I set it to never expire. The idea is that in the UI, the entry owner can click a button that creates this shared access link. After the first time, the UI can display this link somewhere so the user can modify their DOI. UI PR will be in follow-up ticket.

• Should we allow the user to delete this access link?

Whatever the editing mechanism, if it "leaks" (as the above link sounds like it could), it'd be great if there was a way to neutralize it.

[svonworl]

Regarding the concept of auto-snapshotting before generating the DOI, some thoughts:

Will automatically snapshotting all tags mess up anyone's release flow? Once the version is snapshotted, it's frozen. Our assumption is that a github tag is a permanent fixture, but does everyone use it that way? For example, imagine a repo where the stable tag is attached to the latest stable release and moves around. The first stable tag would be snapshotted, and then Dockstore would reject subsequent retaggings. Do people do stuff like that, and if so, should we support it?

If the answer to the last question above is yes, we might need to figure out what to do if a user accidentally/inadvertently freezes a version before they opt-out.

[svonworl]

This new DOI creation code appears to run in the same database transaction that will create the version. So, if the transaction is rolled back or fails, a DOI will be created that references a version that doesn't exist in the Dockstore database. Recommend that the DOI creation code is executed after successful version creation.

[svonworl]

Regarding multiple DOIs, we've been discussing at least three sources of DOIs:

• github-generated
• user-generated Zenodo
• dockstore-generated Zenodo

If you count "generate our own" custom DOIs, four sources. :)

Would be great if we could track all of them. Time for a new "DOI" database entity?

[kathy-t]

This is a many to many relationship because I recall during the DOI harvesting storytime that @denis-yuen said we shouldn't have duplicate DOIs if we assign multiple workflows to a single DOI

[denis-yuen]

• Is it worth it to add a trigger?

Does not seem like it, we can schedule a 1.16.1 ticket for example to delete the old columns

[denis-yuen]

some initial questions, this one is a big one so will probably do one (at least) more pass

[denis-yuen]

Is there a reason this is tagged when there are no other changes in the file?

[kathy-t]

There's a test in the file that uses hoverfly, but I realized it's an ORCID test so I'm going to move it to ORCIDIT

[denis-yuen]

How many versions does this go back?
Will likely be answered later

[kathy-t]

On publish, it will look at all versions

dockstore/dockstore-webservice/src/main/java/io/dockstore/webservice/resources/WorkflowResource.java

Line 760 in 7d1b34a

publishedWorkflow.getWorkflowVersions().forEach(version -> automaticallyRegisterDockstoreOwnedZenodoDOI(workflow, version, user, this));

[denis-yuen]

See comment elsewhere, can be follow-up ticket

[denis-yuen]

Probably need a real release for this

[denis-yuen]

Reminder for this before merging

[denis-yuen]

can add examples to openapi, I think this is the 10.1080/10509585.2015.1092083 bit?

[kathy-t]

Yeah, I'll add an example. I think the existing DOI column calls it doiUrl which is a little misleading because it's not a URL. Figured name was more appropriate based on the description on doi.org

A DOI name is a digital identifier of an object, any object — physical, digital, or abstract. DOIs solve a common problem: keeping track of things. Things can be matter, material, content, or activities.

[denis-yuen]

Does it also work out to a limit of three here?

[kathy-t]

Yeah

[svonworl]

Could you please elaborate on https://github.com/dockstore/dockstore/pull/5879/files/6333c924f9561b0443c2134ca3993a16c58adaa1#r1612139110 with a concrete example maybe? Want to make sure I understand what we're trying to prevent...

[kathy-t]

Could you please elaborate on https://github.com/dockstore/dockstore/pull/5879/files/6333c924f9561b0443c2134ca3993a16c58adaa1#r1612139110 with a concrete example maybe? Want to make sure I understand what we're trying to prevent...

With @coverbeck's GitHub DOI harvesting work, if a multi-workflow repository has a GitHub DOI then we are going to assign it to all workflows in the repository.

Suppose that the DOI is 10.foo/bar and we have workflow A and workflow B that belong to the same repository. I believe the scenario we are trying to prevent is having duplicate DOI entities in our table, like two instances of DOI 10.foo/bar, one for workflow A and one for workflow B. We want a single DOI entity that is referenced by both workflow A and workflow B

[denis-yuen]

Hmmm, wonder if this means we will need to re-migrate qa

[kathy-t]

Hmm, I'm not sure, but doesn't hurt. Realized while writing the migrations that this value wasn't accurate

[coverbeck]

These changes do mean we'll have downtime when we deploy 1.16, right? The old web service couldn't run against the new schema? If yes, please update the 1.16 checklist.

[kathy-t]

These changes do mean we'll have downtime when we deploy 1.16, right? The old web service couldn't run against the new schema? If yes, please update the 1.16 checklist.

I don't think there should be any downtime because the old DOI columns still exist (they're just deprecated in this PR)

[coverbeck]

My comment about the number of DOIs that could get issued by Zenodo might require a bit work if we decide to tackle it, so I sort skimmed the rest of the PR. I'll do a more thorough review once we decide how to handle that.

[coverbeck]

It could be useful to log the workflow, although maybe we'll already know it from earlier in the logs.

[coverbeck]

Neat (and the Request.Path[3] further as well)! How did I not know about this? Where is the documented? I couldn't find it in a quick google search.

[kathy-t]

It's documented here 🙂 https://docs.hoverfly.io/en/latest/pages/keyconcepts/templating/templating.html

[coverbeck]

These changes do mean we'll have downtime when we deploy 1.16, right? The old web service couldn't run against the new schema? If yes, please update the 1.16 checklist.

[svonworl]

Could you please elaborate on https://github.com/dockstore/dockstore/pull/5879/files/6333c924f9561b0443c2134ca3993a16c58adaa1#r1612139110 with a concrete example maybe? Want to make sure I understand what we're trying to prevent...

[svonworl]

As part of https://ucsc-cgl.atlassian.net/browse/SEAB-6449, I can modify TransactionHelper to include a method that allows us to run a method in a transaction that returns a result. Then, we don't need to track the ids with the AtomicLongs if we opt not to.

[kathy-t]

This code allows user to modify the DOI URL. I don't believe this is used and we probably shouldn't allow the user to edit DOI data so I removed this line

[denis-yuen]

Looks good as a first past, will be good to iterate/extend

[denis-yuen]

I'm a little doubtful about the utility of automatically creating a DOI for all versions of a workflow without limit.
Thinking things like a hard limit of the most recent 30 versions, or 20 tags (since only tags should be eligible), etc.
Partly a performance thing, can be a follow-up ticket. Think manually testing with a fork of the gatk repo for example.

[kathy-t]

I changed it so it only looks at the 10 most recent tags

[denis-yuen]

Ditto with above comment

[denis-yuen]

See comment elsewhere, can be follow-up ticket

[coverbeck]

This is going to fail silently for the end user and we probably won't notice it either. I wonder if it's worth capturing this somehow?

• A CloudWatch Alarm based on this message?
• Add it as a warning to validations, if possible?

[svonworl]

If I understand correctly, "concept" and "version" are Zenodo concepts. The DOI standard has no such abstractions, you can point a DOI at whatever you want. No change necessary here.

[svonworl]

From a maintainability/extensibility point of view, I'd probably make this a Set, because the above Map implementation forecloses supporting a future scheme where an entry/version could have multiple DOIs from the same creator (could happen someday, maybe an "UNKNOWN" creator). But, it's not wired into the database representation, which wouldn't make it super hard to change. I'm registering this thought here more to document it, less to press for a change...

[sonarcloud]

Quality Gate failed

Failed conditions
79.4% Coverage on New Code (required ≥ 80%)

See analysis details on SonarCloud

[denis-yuen]

Could add the explanation for the user message though we'll have it in the logs. UI requires a snapshot anyway, so not big deal