Forem: Rodrigo Silva

Kotlin in the backend, Spring with Kotlin Part 2 — Exception Handling

Rodrigo Silva — Thu, 01 Apr 2021 20:08:31 +0000

Handling exceptions is a crucial part when developing any sort of application, certain errors occur by calling a method of a library with invalid arguments, others happen just for doing something wrong. However, some exceptions can be thrown by ourselves because what was asked to be done by us is not possible.

In the previous post, we developed a simple Web API using Kotlin and Spring, this API allowed us to request and alter information about books in our system, however, when errors are thrown, the information sent to the API client is not the clearest, who becomes unaware of what really went wrong.

Rest of this article:
https://rodrigo-silva96.medium.com/kotlin-in-the-backend-spring-with-kotlin-part-2-exception-handling-55524414e154

Kotlin in the backend, Spring with Kotlin

Rodrigo Silva — Tue, 23 Mar 2021 16:28:57 +0000

For those of you who don’t know, Kotlin is a statically typed programming language designed by Jetbrains, it’s the official language for the development of native android applications, but what you may not know is that you can use Kotlin to develop your server-side applications.
There are many libraries and frameworks which allow you to create your backend using Kotlin, such as Ktor and Spring.
In this article, we will take a look into using Kotlin together with the Spring framework.

Rest of this article:
https://rodrigo-silva96.medium.com/kotlin-in-the-backend-spring-with-kotlin-7a6b25e3a771

Android: Repository pattern using Room, Retrofit and Coroutines

Rodrigo Silva — Sun, 07 Feb 2021 21:06:07 +0000

The repository pattern is an abstraction used to hide the multiple data sources we may have in our application, data in an application may come from an internal database, or, an external service such as a Web API.
This pattern is adopted and widely used when developing Android applications, it's also the recommended approach to creating an application.
The following diagram displays a generic mobile application architecture on Android.

What we can take from this diagram is the following:
Our Activity/Fragment may or may not have one, or multiple instances of different ViewModels, each view model has a dependency to a specific repository, this repository can be shared by multiple view models.
The repository knows the data sources from where to retrieve information, in this case, the repository knows the Model, which is Room, a layer on top of SQLite, and a service interface, which is provided by Retrofit in order to communicate to a web service.
Each layer only knows the layer below. The ViewModel doesn't know who the repository interacts with.
Let's give a concrete implementation example.
We will start with a sample activity, an EditText to write a reminder and a button to add the reminder.

CreateReminderActivity



class CreateReminderActivity : AppCompatActivity() {

    val viewModel: CreateReminderViewModel by lazy {
        val app = application as ReminderApp
        val viewModelProviderFactory =
            CreateReminderViewModelProviderFactory(
                app,
                intent
            )
        ViewModelProvider(
            this,
            viewModelProviderFactory
        )[CreateReminderViewModel::class.java]
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.createreminderactivity)

        val reminderEditText: EditText = findViewById(R.id.reminderEditTextView)
        val createReminderButton: Button = findViewById(R.id.createReminderButton)


        createReminderButton.setOnClickListener {
            createReminder(
                text = reminderEditText.text.toString()
            )
        }
    }

    private fun createReminder(text: String) {
        if (text.isEmpty()) {
            showToast(message = "Reminder text field is empty")
        } else {
            viewModel.createReminder(text = text)
        }
    }

    private fun showToast(message: String) {
        ...
    }
}

ReminderApp



class ReminderApp : Application() {

    companion object {
        lateinit var retrofit: Retrofit
        lateinit var reminderDb: ReminderDb
    }

    override fun onCreate() {
        super.onCreate()
        reminderDb = Room
            .databaseBuilder(
                applicationContext,
                ReminderDb::class.java,
                "Reminder-Db"
            )
            .build()

        retrofit = Retrofit.Builder()
            .baseUrl(REMINDERS_API_HOST)
            .addConverterFactory(GsonConverterFactory.create())
            .build()
    }
}

ViewModelFactory



class CreateReminderViewModelProviderFactory(val app: ReminderApp, val intent: Intent) :
    ViewModelProvider.Factory {
    override fun <T : ViewModel?> create(modelClass: Class<T>): T {

        val reminderDao = ReminderApp.reminderDb.reminderDao()
        val reminderService = ReminderApp.retrofit.create(ReminderService::class.java)
        val reminderRepository = ReminderRepository(
            reminderDao = reminderDao,
            reminderService = reminderService
        )
        val viewModel = CreateReminderViewModel(reminderRepository)
        return viewModel as T
    }
}

ViewModel



class CreateReminderViewModel(private val reminderRepository: ReminderRepository) : ViewModel() {

    fun createReminder(text: String) =
        viewModelScope.launch {
            reminderRepository.createReminder(text = text)
        }
}

createReminder uses viewModelScope in order to launch a coroutine.
Any coroutine launched in this scope is automatically cancelled if the ViewModel is cleared. Coroutines are useful here for when you have work that needs to be done only if the ViewModel is active. For example, if you are computing some data for a layout, you should scope the work to them ViewModel so that if the ViewModel is cleared, the work is cancelled automatically to avoid consuming resources.

Repository



class ReminderRepository(
    private val reminderService: ReminderService,
    private val reminderDao: ReminderDao
) {

    suspend fun getReminders(): LiveData<List<Programme>> = liveData {
        emitSource(reminderDao.getReminders())
        val reminders = reminderService.getReminders().toReminders()
        reminderDao.createReminder(*reminders.toTypedArray())
    }
    ...

    suspend fun createReminders(text: String): Reminder {
        val reminderToBeCreated = ReminderInputModelDto(text = text)
        val reminder = reminderService.createReminder(reminderToBeCreated).toReminder()
        reminderDao.createReminder(reminder)
        return reminder
    }

ReminderDao(Room)



@Dao
interface ReminderDao {

    @Query("SELECT * FROM REMINDER")
    fun getAllReminders(): LiveData<List<Reminder>>

    @Insert(onConflict = OnConflictStrategy.IGNORE)
    suspend fun createReminder(vararg reminders: Reminder)

}

ReminderService(Retrofit)



interface ReminderService {

    @GET("reminders")
    suspend fun getReminders(): RemindersOutputModelDto

    @POST("reminders")
    suspend fun createReminder(@Body reminder: ReminderInputModelDto): ReminderOutputModelDto

}

This article tries to give a possible implementation of the recommended approach when designing an Android application.

Message Integrity, Authentication, and Non-Repudiation

Rodrigo Silva — Sat, 03 Oct 2020 19:10:18 +0000

So let's say you send messages to your friends through your own personal communication channel, you won't send confidential information so you really don't care if someone else sees it, however, you want to receive exactly what your friends send to you, you don't want to receive something else. And sometimes, you really want to guarantee that it was that specific friend who sent you that message.

The code used in the examples was written in Java, using the JCA (Java Cryptography Architecture).

What's integrity?

Integrity is the absence of an invalid system or data modifications by non-authorized parties.

How can we guarantee the integrity of the data that we sent through our communication channel?

Let's split the procedure into two major parts:

The sender should protect the data to send;
The receiver must verify if the received data was not tampered.

Integrity

Let's say we just want to guarantee that the data was no tampered(we don't care about the identity of the sender for now).

Let's introduce the idea of hash functions.

A.k.a. cryptographic hash functions or collision-resistant hash functions

Do not confuse with hash functions used in hash tables data structures;
They are cryptographic, but not cyphers.
- Are not used to encrypt;
- Example: SHA2.

Hashes don't require a key, as we can see in the following code, we are using SHA-256, which will generate a hash with a fixed size(256 bits).

public byte[] hash(byte[] dataBytes) throws NoSuchAlgorithmException {
    MessageDigest sha256 = MessageDigest.getInstance("SHA-256");        
    byte[] dataHash = sha256.digest(dataBytes);
    return dataHash;
}

After generating the hash, what the sender should do is send the message with the hash.

Let's say M is the data, and H is the hash of M.
The sender should send MH through the communication channel.

The receiver on the other end received M'H. M' means the received message bytes, which could have been tampered.

The receiver should hash M', generating H', then he should compare H with H', if they both match, the message was not tampered.

Authentication

If we want to guarantee authentication, there must be a certain something which can authenticate the sender of a message.

That something is a symmetric key, a key which can be used to cypher and decypher in symmetrical ciphering algorithms.

In the previous example, we used a hash, which didn't require any sort of key, however, now we want to authenticate the sender, and for this, we'll use a MAC (Message Authentication Code).

As in the previous example, we send the message + MAC.

For this, we'll use a Hash-based MAC (hash of data and secret value).
It requires only a hash – more efficient
– Example: HMAC-SHA2

public byte[] mac(byte[] dataBytes) throws NoSuchAlgorithmException {
      Key key = getKey(keyFilePath);
      // get a MAC object and print the provider
      Mac mac = Mac.getInstance("HmacSHA256");            
      //Creating Mac ...
      mac.init(key);
      return mac.doFinal(dataBytes);
}

Let's say M is the data, and H is the MAC of M, using the key K.
The sender should send MH through the communication channel, the receiver on the other end received M'H. M' means the received message bytes, which could have been tampered.

The receiver should produce the MAC of M', using the same key K, generating H', then he should compare H with H', if they both match, the message was not tampered.

With this, we can authenticate the user, and check if the sent data was not changed.

Non-repudian

We want to guarantee all the previous properties, and also, guarantee that the sender cannot say that he wasn't the one who sent that message.
So we want:

Authenticate the content of a document;
Authenticate its signer;
Being able to assure authentication towards a third party;
Signer cannot repudiate the signature.

With this comes the notion of Digital Signature.

Digital Signature uses asymmetrical keys, a public key and a private key.

The public key can be public and shared among other people, however, only the owner of the private key can have it.

We use the private key to sign the hash of the data, which allows saying that only the owner of the private key could sign that data, meaning that that person can't deny signing.

Get Signature

public static byte[] generateDigitalSignature(byte[] data, String privateKeyFilePath) throws Exception {
            Key privateKey = readPrivateKey(privateKeyFilePath);
            Signature signature = Signature.getInstance("SHA256withRSA");
            signature.initSign(privateKey);
            signature.update(data);
            byte[] sign = signature.sign();
            return sign;
    }

The person who wishes to verify the integrity, authentication and signature of the received message, must know the public key, as shown in the following example :

Verify Signature

 public static boolean verifySignature(byte[] messageBytes, byte[] dataSignature, String publicKeyFilePath) throws Exception {
            Key publicKey = readPublicKey(publicKeyFilePath);
            Signature signature = Signature.getInstance("SHA256withRSA");
            signature.initVerify(publicKey);
            signature.update(messageBytes);
            return signature.verify(dataSignature);
    }

Summary

The are many properties we may want to preserve while sending messages through the many communication channels. They are usually incremental, which means if we want to add a new property, we usually guarantee the previous ones.

The following table is a summary of the whole post.

Cryptographic primitive | Hash |    MAC    | Digital
Security Goal           |      |           | signature
-----------------------------+------+-----------+-------------
Integrity               |  Yes |    Yes    |   Yes
Authentication          |  No  |    Yes    |   Yes
Non-repudiation         |  No  |    No     |   Yes
-----------------------------+------+-----------+-------------
Kind of keys            | none | symmetric | asymmetric
                        |      |    keys   |    keys

This was my first post, so I hope that you enjoyed it!
If you find something wrong please say so in the comments :).
You can find me at twitter.