From 095ed7c95df600880fb9133b96d9b8d24dc508e1 Mon Sep 17 00:00:00 2001
From: Ramin Haeri Azad <rhaeri@maelstrom-reseach.org>
Date: Thu, 1 Aug 2024 17:47:12 -0400
Subject: [PATCH 1/2] Started the UI for key-pair

---
 .../providers/AddIdentityProviderDialog.vue   |   2 +-
 .../components/admin/users/AddUserDialog.vue  |   2 +-
 .../src/components/profile/AddTokenDialog.vue |   2 +-
 .../components/project/AddKeyPairDialog.vue   | 113 +++++++++++++++
 .../src/components/project/KeyPairsList.vue   | 129 ++++++++++++++++++
 opal-ui/src/i18n/en/index.js                  |  13 +-
 opal-ui/src/pages/ProjectAdminPage.vue        |  14 +-
 opal-ui/src/stores/projects.ts                |  17 ++-
 8 files changed, 281 insertions(+), 11 deletions(-)
 create mode 100644 opal-ui/src/components/project/AddKeyPairDialog.vue
 create mode 100644 opal-ui/src/components/project/KeyPairsList.vue

diff --git a/opal-ui/src/components/admin/providers/AddIdentityProviderDialog.vue b/opal-ui/src/components/admin/providers/AddIdentityProviderDialog.vue
index c32eefd306..cf78ab7383 100644
--- a/opal-ui/src/components/admin/providers/AddIdentityProviderDialog.vue
+++ b/opal-ui/src/components/admin/providers/AddIdentityProviderDialog.vue
@@ -17,7 +17,7 @@
             :hint="$t('identity_provider.name_hint')"
             class="q-mb-md"
             lazy-rules
-            :rules="[validateRequiredField('validation.identity_provider.name_required')]"
+            :rules="[validateRequiredField('validation.name_required')]"
             :disable="editMode"
           >
           </q-input>
diff --git a/opal-ui/src/components/admin/users/AddUserDialog.vue b/opal-ui/src/components/admin/users/AddUserDialog.vue
index cc37e47bad..f631ff3cd5 100644
--- a/opal-ui/src/components/admin/users/AddUserDialog.vue
+++ b/opal-ui/src/components/admin/users/AddUserDialog.vue
@@ -168,7 +168,7 @@ function addGroup(val: string, done: any) {
 }
 
 // Validation rules
-const validateRequiredName = (val: string) => (val && val.trim().length > 0) || t('validation.user.name_required');
+const validateRequiredName = (val: string) => (val && val.trim().length > 0) || t('validation.name_required');
 const validateRequiredCertificate = (val: string) =>
   (editMode.value && (!val || val.length === 0)) ||
   (val && val.trim().length > 0) ||
diff --git a/opal-ui/src/components/profile/AddTokenDialog.vue b/opal-ui/src/components/profile/AddTokenDialog.vue
index d02d426dcd..b67bd49c77 100644
--- a/opal-ui/src/components/profile/AddTokenDialog.vue
+++ b/opal-ui/src/components/profile/AddTokenDialog.vue
@@ -153,7 +153,7 @@ watch(
 );
 
 // Validations
-const validateRequiredName = (val: string) => (val && val.trim().length > 0) || t('validation.token.name_required');
+const validateRequiredName = (val: string) => (val && val.trim().length > 0) || t('validation.name_required');
 
 // Group options
 const taskGroupOptions: { label: string; value: string }[] = [];
diff --git a/opal-ui/src/components/project/AddKeyPairDialog.vue b/opal-ui/src/components/project/AddKeyPairDialog.vue
new file mode 100644
index 0000000000..1af21589f7
--- /dev/null
+++ b/opal-ui/src/components/project/AddKeyPairDialog.vue
@@ -0,0 +1,113 @@
+<template>
+  <q-dialog v-model="showDialog" @hide="onHide" persistent>
+    <q-card class="dialog-sm">
+      <q-card-section>
+        <div class="text-h6">{{ $t('project_admin.import_key') }}</div>
+      </q-card-section>
+
+      <q-separator />
+
+      <q-card-section style="max-height: 75vh" class="scroll">
+        <q-form ref="formRef" class="q-gutter-sm" persistent>
+          <q-input
+            v-model="keyPair.alias"
+            dense
+            type="text"
+            :label="$t('name')"
+            lazy-rules
+            :rules="[validateRequiredField('validation.name_required')]"
+          >
+          </q-input>
+          <q-input
+            v-model="keyPair.privateImport"
+            dense
+            type="textarea"
+            rows="10"
+            :label="$t('project_admin.private_key')"
+            lazy-rules
+            :rules="[validateRequiredField('validation.project_admin.private_key_required')]"
+          >
+          </q-input>
+          <q-input
+            v-model="keyPair.publicImport"
+            dense
+            type="textarea"
+            rows="10"
+            :label="$t('project_admin.public_key')"
+            lazy-rules
+            :rules="[validateRequiredField('validation.project_admin.public_key_required')]"
+          >
+          </q-input>
+          <div class="text-help">{{ $t('project_admin.import_key_info') }}</div>
+        </q-form>
+      </q-card-section>
+      <q-separator />
+
+      <q-card-actions align="right" class="bg-grey-3"
+        ><q-btn flat :label="$t('cancel')" color="secondary" v-close-popup />
+        <q-btn flat :label="$t('add')" type="submit" color="primary" @click="onAdd" />
+      </q-card-actions>
+    </q-card>
+  </q-dialog>
+</template>
+
+<script lang="ts">
+export default defineComponent({
+  name: 'AddKeyPairDialog',
+});
+</script>
+
+<script setup lang="ts">
+import { ProjectDto } from 'src/models/Projects';
+import { notifyError } from 'src/utils/notify';
+import { KeyForm, KeyType } from 'src/models/Opal';
+
+interface DialogProps {
+  modelValue: boolean;
+  project: ProjectDto;
+}
+
+const projectsStore = useProjectsStore();
+const emptyKeyForm = {
+  alias: '',
+  publicImport: '',
+  privateImport: '',
+  keyType: KeyType.KEY_PAIR,
+} as KeyForm;
+
+const { t } = useI18n();
+const props = defineProps<DialogProps>();
+const showDialog = ref(props.modelValue);
+const formRef = ref();
+const emit = defineEmits(['update:modelValue', 'update']);
+const keyPair = ref({ ...emptyKeyForm } as KeyForm);
+const validateRequiredField = (id: string) => (val: string) => (val && val.trim().length > 0) || t(id);
+
+watch(
+  () => props.modelValue,
+  (value) => {
+    if (value) {
+      showDialog.value = value;
+    }
+  }
+);
+
+function onHide() {
+  showDialog.value = false;
+  keyPair.value = { ...emptyKeyForm };
+  emit('update:modelValue', false);
+}
+
+async function onAdd() {
+  const valid = await formRef.value.validate();
+  if (valid) {
+    try {
+      await projectsStore.addKeyPair(props.project.name, keyPair.value);
+      emit('update');
+      onHide();
+    } catch (error) {
+      notifyError(error);
+    }
+  }
+}
+</script>
diff --git a/opal-ui/src/components/project/KeyPairsList.vue b/opal-ui/src/components/project/KeyPairsList.vue
new file mode 100644
index 0000000000..ee07e2adc9
--- /dev/null
+++ b/opal-ui/src/components/project/KeyPairsList.vue
@@ -0,0 +1,129 @@
+<template>
+  <slot name="title"></slot>
+
+  <!-- TODO: instead of disabling Add button, put a message and a link to admin/id mappings page if has permission -->
+
+  <q-table
+    flat
+    :rows="keyPairs"
+    :columns="columns"
+    row-key="name"
+    :pagination="initialPagination"
+    :hide-pagination="keyPairs.length <= initialPagination.rowsPerPage"
+    :loading="loading"
+  >
+    <template v-slot:top-left>
+      <q-btn
+        color="primary"
+        :label="$t('add')"
+        icon="add"
+        size="sm"
+        @click.prevent="onAdd"
+      />
+    </template>
+    <template v-slot:body-cell-type="props">
+      <q-td :props="props" @mouseover="onOverRow(props.row)" @mouseleave="onLeaveRow(props.row)">
+        {{ props.value }}
+        <div class="float-right">
+          <q-btn
+            rounded
+            dense
+            flat
+            size="sm"
+            color="secondary"
+            :title="$t('delete')"
+            :icon="toolsVisible[props.row.name] ? 'delete' : 'none'"
+            class="q-ml-xs"
+            @click="onDelete(props.row)"
+          />
+        </div>
+      </q-td>
+    </template>
+    <template v-slot:body-cell-mapping="props">
+      <q-td :props="props" @mouseover="onOverRow(props.row)" @mouseleave="onLeaveRow(props.row)">
+        {{ props.value }}
+      </q-td>
+    </template>
+  </q-table>
+
+  <add-key-pair-dialog v-model="showAddDialog" :project="project" @update="$emit('update')" />
+</template>
+
+<script lang="ts">
+export default defineComponent({
+  name: 'KeyPairsList',
+});
+</script>
+
+<script setup lang="ts">
+import { t } from 'src/boot/i18n';
+import { ProjectDto, ProjectDto_IdentifiersMappingDto } from 'src/models/Projects';
+import { notifyError } from 'src/utils/notify';
+import AddKeyPairDialog from 'src/components/project/AddKeyPairDialog.vue';
+
+interface Props {
+  project: ProjectDto;
+}
+
+const emit = defineEmits(['update']);
+const props = defineProps<Props>();
+const projectsStore = useProjectsStore();
+const showAddDialog = ref(false);
+const keyPairs = ref([]);
+const loading = ref(false);
+const toolsVisible = ref<{ [key: string]: boolean }>({});
+const initialPagination = ref({
+  sortBy: 'type',
+  descending: false,
+  page: 1,
+  rowsPerPage: 10,
+  minRowsForPagination: 10,
+});
+
+const columns = computed(() => [
+  {
+    name: 'name',
+    required: true,
+    label: t('name'),
+    align: 'left',
+    field: 'alias',
+    style: 'width: 30%',
+  },
+  {
+    name: 'type',
+    label: t('type'),
+    align: 'left',
+    field: 'keyType',
+    format: (val: KeyType) => val.toString(),
+  },
+]);
+
+// Handlers
+
+function onOverRow(row: ProjectDto_IdentifiersMappingDto) {
+  toolsVisible.value[row.name] = true;
+}
+
+function onLeaveRow(row: ProjectDto_IdentifiersMappingDto) {
+  toolsVisible.value[row.name] = false;
+}
+
+function onAdd() {
+  showAddDialog.value = true;
+}
+
+async function onDelete(row: ProjectDto_IdentifiersMappingDto) {
+  try {
+    await projectsStore.deleteIdMappings(props.project, row);
+    emit('update');
+  } catch (error) {
+    notifyError(error);
+  }
+}
+
+onMounted(() => {
+  projectsStore.getKeyPairs(props.project.name).then((response) => {
+    keyPairs.value = response;
+  });
+});
+</script>
diff --git a/opal-ui/src/i18n/en/index.js b/opal-ui/src/i18n/en/index.js
index 4c06bfe1b8..a935af09a0 100644
--- a/opal-ui/src/i18n/en/index.js
+++ b/opal-ui/src/i18n/en/index.js
@@ -334,6 +334,12 @@ export default {
     id_mappings_info: 'Identifiers mappings listed below that match the entity type of the data are automatically selected during an import/export process.',
     id_mappings_hint: 'The name of the mapping.',
     id_mapping: 'Identifiers Mapping',
+    encryption_keys: 'Encryption Keys',
+    encryption_keys_info: 'Encrypted data will be automatically decrypted at importation time using the key pairs registered within the project.',
+    import_key: 'Import Key Pair',
+    import_key_info: 'Paste encryption key in PEM format.',
+    private_key: 'Private Key',
+    public_key: 'Public Key',
   },
   user_profile: {
     title: 'My profile',
@@ -389,8 +395,8 @@ export default {
     deleteProject: 'Delete',
   },
   validation: {
+    name_required: 'Name is required',
     user: {
-      name_required: 'Name is required',
       password_required: 'Password is required and must be at least 8 characters long',
       certificate_required: 'Certificate is required',
       confirm_password_required: 'Confirm password is required',
@@ -410,9 +416,6 @@ export default {
       old_password: 'Old password is required',
       new_password: 'New password is required and must be at least 8 characters long',
     },
-    token: {
-      name_required: 'Token name is required',
-    },
     text_required: 'A text is required',
     github: {
       org_required: 'Github organization or username is required',
@@ -420,6 +423,8 @@ export default {
     },
     project_admin: {
       backup_folder_required: 'Backup folder is required',
+      private_key_required: 'Private Key in PEM format is required',
+      public_key_required: 'Public Key in PEM format is required',
     },
   },
   main: {
diff --git a/opal-ui/src/pages/ProjectAdminPage.vue b/opal-ui/src/pages/ProjectAdminPage.vue
index 1fd4936c08..17f7fe81c5 100644
--- a/opal-ui/src/pages/ProjectAdminPage.vue
+++ b/opal-ui/src/pages/ProjectAdminPage.vue
@@ -44,12 +44,19 @@
           </q-card-section>
         </q-card>
 
+        <q-card flat>
+          <q-card-section class="q-px-none">
+            <div class="text-h5">{{ $t('project_admin.encryption_keys') }}</div>
+            <div class="text-help q-mb-sm">{{ $t('project_admin.encryption_keys') }}</div>
+            <KeyPairsList :project="project" @update="onProjectUpdate" />
+          </q-card-section>
+        </q-card>
+
         <q-card flat>
           <q-card-section class="q-px-none">
             <div class="text-h5">{{ $t('id_mappings') }}</div>
             <div class="text-help q-mb-sm">{{ $t('project_admin.id_mappings_info') }}</div>
-            <id-mappings-list :project="project" @update="onIdMappingsUpdate">
-            </id-mappings-list>
+            <id-mappings-list :project="project" @update="onProjectUpdate" />
           </q-card-section>
         </q-card>
 
@@ -171,6 +178,7 @@ import BackupProjectDialog from 'src/components/project/BackupProjectDialog.vue'
 import RestoreProjectDialog from 'src/components/project/RestoreProjectDialog.vue';
 import AddProjectDialog from 'src/components/project/AddProjectDialog.vue';
 import IdMappingsList from 'src/components/project/IdMappingsList.vue';
+import KeyPairsList from 'src/components/project/KeyPairsList.vue';
 
 const route = useRoute();
 const router = useRouter();
@@ -295,7 +303,7 @@ function onEdit() {
   showEditProject.value = true;
 }
 
-async function onIdMappingsUpdate() {
+async function onProjectUpdate() {
   try {
     await projectsStore.refreshProject(name.value);
     await getState();
diff --git a/opal-ui/src/stores/projects.ts b/opal-ui/src/stores/projects.ts
index 6a28df5b40..e78b0a03bb 100644
--- a/opal-ui/src/stores/projects.ts
+++ b/opal-ui/src/stores/projects.ts
@@ -7,7 +7,7 @@ import {
   ProjectDto_IdentifiersMappingDto,
 } from 'src/models/Projects';
 import { Acl } from 'src/models/Opal';
-import { Subject } from 'src/models/Opal';
+import { Subject, KeyForm } from 'src/models/Opal';
 import {
   CommandStateDto,
   CommandStateDto_Status,
@@ -261,6 +261,18 @@ export const useProjectsStore = defineStore('projects', () => {
     return updateProject(project);
   }
 
+  async function getKeyPairs(name: string) {
+    return api.get(`/project/${name}/keystore`).then((response) => response.data);
+  }
+
+  async function addKeyPair(name: string, keyPair: KeyForm) {
+    return api.post(`/project/${name}/keystore`, keyPair);
+  }
+
+  async function deleteKeyPair(name: string, alias: string) {
+    return api.delete(`/project/${name}/keystore/${alias}`);
+  }
+
   return {
     projects,
     project,
@@ -296,5 +308,8 @@ export const useProjectsStore = defineStore('projects', () => {
     getIdMappings,
     addIdMappings,
     deleteIdMappings,
+    getKeyPairs,
+    addKeyPair,
+    deleteKeyPair,
   };
 });

From 3f10fc5aa015a0fde8f0b0d9b7f2da927d03b155 Mon Sep 17 00:00:00 2001
From: Ramin Haeri Azad <rhaeri@maelstrom-reseach.org>
Date: Fri, 2 Aug 2024 16:07:44 -0400
Subject: [PATCH 2/2] Added KeyPair in project admin pg + fix for private key

---
 .../opal/web/security/KeyStoreResource.java   |  3 +-
 .../src/components/project/IdMappingsList.vue |  3 +-
 .../src/components/project/KeyPairsList.vue   | 24 +++++++------
 opal-ui/src/i18n/en/index.js                  | 10 ++++--
 opal-ui/src/i18n/fr/index.js                  | 21 ++++++++----
 opal-ui/src/pages/ProjectAdminPage.vue        | 34 ++++++++++++++-----
 opal-ui/src/pages/ProjectPermsPage.vue        | 12 +++----
 opal-ui/src/stores/projects.ts                | 15 ++++++--
 pom.xml                                       |  2 +-
 9 files changed, 85 insertions(+), 39 deletions(-)

diff --git a/opal-core-ws/src/main/java/org/obiba/opal/web/security/KeyStoreResource.java b/opal-core-ws/src/main/java/org/obiba/opal/web/security/KeyStoreResource.java
index 6875db43d7..5f6f56e8a1 100644
--- a/opal-core-ws/src/main/java/org/obiba/opal/web/security/KeyStoreResource.java
+++ b/opal-core-ws/src/main/java/org/obiba/opal/web/security/KeyStoreResource.java
@@ -36,6 +36,7 @@
 import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
 import org.obiba.opal.core.security.OpalKeyStore;
 import org.obiba.opal.core.service.security.KeyStoreService;
+import org.obiba.opal.web.BaseResource;
 import org.obiba.opal.web.magma.ClientErrorDtos;
 import org.obiba.opal.web.model.Opal;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -52,7 +53,7 @@
 
 @Component
 @Scope(ConfigurableBeanFactory.SCOPE_PROTOTYPE)
-public class KeyStoreResource {
+public class KeyStoreResource implements BaseResource {
 
   private OpalKeyStore keyStore;
 
diff --git a/opal-ui/src/components/project/IdMappingsList.vue b/opal-ui/src/components/project/IdMappingsList.vue
index 5c87af2209..acad3e6d30 100644
--- a/opal-ui/src/components/project/IdMappingsList.vue
+++ b/opal-ui/src/components/project/IdMappingsList.vue
@@ -89,7 +89,8 @@ const columns = computed(() => [
     label: t('project_admin.entity_type'),
     align: 'left',
     field: 'entityType',
-    style: 'width: 30%',
+    headerStyle: 'width: 30%; white-space: normal;',
+    style: 'width: 30%; white-space: normal;',
   },
   {
     name: 'mapping',
diff --git a/opal-ui/src/components/project/KeyPairsList.vue b/opal-ui/src/components/project/KeyPairsList.vue
index ee07e2adc9..2ffb2b9de5 100644
--- a/opal-ui/src/components/project/KeyPairsList.vue
+++ b/opal-ui/src/components/project/KeyPairsList.vue
@@ -21,7 +21,7 @@
         @click.prevent="onAdd"
       />
     </template>
-    <template v-slot:body-cell-type="props">
+    <template v-slot:body-cell-name="props">
       <q-td :props="props" @mouseover="onOverRow(props.row)" @mouseleave="onLeaveRow(props.row)">
         {{ props.value }}
         <div class="float-right">
@@ -32,7 +32,7 @@
             size="sm"
             color="secondary"
             :title="$t('delete')"
-            :icon="toolsVisible[props.row.name] ? 'delete' : 'none'"
+            :icon="toolsVisible[props.row.alias] ? 'delete' : 'none'"
             class="q-ml-xs"
             @click="onDelete(props.row)"
           />
@@ -57,7 +57,8 @@ export default defineComponent({
 
 <script setup lang="ts">
 import { t } from 'src/boot/i18n';
-import { ProjectDto, ProjectDto_IdentifiersMappingDto } from 'src/models/Projects';
+import { ProjectDto } from 'src/models/Projects';
+import { KeyForm, KeyType } from 'src/models/Opal';
 import { notifyError } from 'src/utils/notify';
 import AddKeyPairDialog from 'src/components/project/AddKeyPairDialog.vue';
 
@@ -87,34 +88,35 @@ const columns = computed(() => [
     label: t('name'),
     align: 'left',
     field: 'alias',
-    style: 'width: 30%',
+    headerStyle: 'width: 30%; white-space: normal;',
+    style: 'width: 30%; white-space: normal;',
   },
   {
     name: 'type',
     label: t('type'),
     align: 'left',
     field: 'keyType',
-    format: (val: KeyType) => val.toString(),
+    format: (val: KeyType) => t(`key_type.${val}`),
   },
 ]);
 
 // Handlers
 
-function onOverRow(row: ProjectDto_IdentifiersMappingDto) {
-  toolsVisible.value[row.name] = true;
+function onOverRow(row: KeyForm) {
+  toolsVisible.value[row.alias] = true;
 }
 
-function onLeaveRow(row: ProjectDto_IdentifiersMappingDto) {
-  toolsVisible.value[row.name] = false;
+function onLeaveRow(row: KeyForm) {
+  toolsVisible.value[row.alias] = false;
 }
 
 function onAdd() {
   showAddDialog.value = true;
 }
 
-async function onDelete(row: ProjectDto_IdentifiersMappingDto) {
+async function onDelete(row: KeyForm) {
   try {
-    await projectsStore.deleteIdMappings(props.project, row);
+    await projectsStore.deleteKeyPair(props.project.name, row.alias);
     emit('update');
   } catch (error) {
     notifyError(error);
diff --git a/opal-ui/src/i18n/en/index.js b/opal-ui/src/i18n/en/index.js
index a935af09a0..6c1da84d8c 100644
--- a/opal-ui/src/i18n/en/index.js
+++ b/opal-ui/src/i18n/en/index.js
@@ -304,6 +304,11 @@ export default {
       title: 'Commit Details',
     },
   },
+  key_type: {
+    KEY_PAIR: 'Key Pair',
+    CERTIFICATE: 'Certificate',
+    UNRECOGNIZED: 'Unrecognized',
+  },
   project_admin: {
     properties: 'Project properties',
     db_hint: 'Project tables (dictionaries and data) are stored in the database:',
@@ -339,7 +344,7 @@ export default {
     import_key: 'Import Key Pair',
     import_key_info: 'Paste encryption key in PEM format.',
     private_key: 'Private Key',
-    public_key: 'Public Key',
+    public_key: 'Public Key (Certificate)',
   },
   user_profile: {
     title: 'My profile',
@@ -403,7 +408,6 @@ export default {
       passwords_not_matching: 'Passwords do not match',
     },
     identity_provider: {
-      name_required: 'Name is required',
       clientId_required: 'Client ID is required',
       secret_required: 'Secret is required',
       discovery_uri_required: 'Discovery URI is required',
@@ -424,7 +428,7 @@ export default {
     project_admin: {
       backup_folder_required: 'Backup folder is required',
       private_key_required: 'Private Key in PEM format is required',
-      public_key_required: 'Public Key in PEM format is required',
+      public_key_required: 'Public Key (Certificate) in PEM format is required',
     },
   },
   main: {
diff --git a/opal-ui/src/i18n/fr/index.js b/opal-ui/src/i18n/fr/index.js
index 3112180adc..c965b3bde9 100644
--- a/opal-ui/src/i18n/fr/index.js
+++ b/opal-ui/src/i18n/fr/index.js
@@ -304,6 +304,11 @@ export default {
       titre: 'Détails de la validation',
     }
   },
+  key_type: {
+    KEY_PAIR: 'Paire de clés',
+    CERTIFICATE: 'Certificat',
+    UNRECOGNIZED: 'Non reconnu',
+  },
   project_admin: {
     properties: 'Propriétés du projet',
     db_hint: 'Les tables de projet (dictionnaires et données) sont stockées dans la base de données:',
@@ -334,6 +339,12 @@ export default {
     id_mappings_info: 'Les mappages d\'identifiants énumérés ci-dessous qui correspondent au type d\'entité des données sont automatiquement sélectionnés au cours d\'un processus d\'importation/exportation.',
     id_mappings_hint: 'Le nom du mappage.',
     id_mapping: 'Mappage des identifiants',
+    encryption_keys: 'Clés de chiffrement',
+    encryption_keys_info: 'Les données chiffrées seront automatiquement déchiffrées au moment de l\'importation en utilisant les paires de clés enregistrées dans le projet.',
+    import_key: 'Importer une paire de clés',
+    import_key_info: 'Collez la clé de chiffrement au format PEM.',
+    private_key: 'Clé privée',
+    public_key: 'Clé publique (certificat)"  ',
   },
   user_profile: {
     title: 'Mon profil',
@@ -389,15 +400,14 @@ export default {
     deleteProject : 'Supprimer',
   },
   validation: {
+    name_required: 'Le nom est requis',
     user: {
-      name_required: 'Le nom est requis',
       password_required: 'Le mot de passe est requis et doit comporter au moins 8 caractères',
       certificate_required: 'Le certificat est requis',
       confirm_password_required: 'La confirmation du mot de passe est requise',
       passwords_not_matching: 'Les mots de passe ne correspondent pas',
     },
     identity_provider: {
-      name_required: 'Le nom est requis',
       clientId_required: "L'ID client est requis",
       secret_required: 'Le secret est requis',
       discovery_uri_required: "L'URI de découverte est requis",
@@ -410,9 +420,6 @@ export default {
       old_password: 'L\'ancien mot de passe est requis',
       new_password: 'Un nouveau mot de passe est requis et doit comporter au moins 8 caractères.',
     },
-    token : {
-      name_required : 'Le nom du jeton est obligatoire',
-    },
     text_required: 'Un texte est requis',
     github: {
       org_required: 'L\'organisation ou le nom d\'utilisateur Github est requis',
@@ -420,7 +427,9 @@ export default {
     },
     project_admin: {
       backup_folder_required: 'Le dossier de sauvegarde est requis',
-    },
+      private_key_required: 'Clé privée au format PEM requise',
+      public_key_required: 'Clé publique (certificat) au format PEM requis'
+  },
   },
   main: {
     brand: 'Opal',
diff --git a/opal-ui/src/pages/ProjectAdminPage.vue b/opal-ui/src/pages/ProjectAdminPage.vue
index 17f7fe81c5..e6dfd3fd42 100644
--- a/opal-ui/src/pages/ProjectAdminPage.vue
+++ b/opal-ui/src/pages/ProjectAdminPage.vue
@@ -43,15 +43,19 @@
             </q-banner>
           </q-card-section>
         </q-card>
+      </template>
 
+      <template v-if="hasKeystorePermission">
         <q-card flat>
           <q-card-section class="q-px-none">
             <div class="text-h5">{{ $t('project_admin.encryption_keys') }}</div>
-            <div class="text-help q-mb-sm">{{ $t('project_admin.encryption_keys') }}</div>
+            <div class="text-help q-mb-sm">{{ $t('project_admin.encryption_keys_info') }}</div>
             <KeyPairsList :project="project" @update="onProjectUpdate" />
           </q-card-section>
         </q-card>
+      </template>
 
+      <template v-if="hasAdminPermission">
         <q-card flat>
           <q-card-section class="q-px-none">
             <div class="text-h5">{{ $t('id_mappings') }}</div>
@@ -59,7 +63,10 @@
             <id-mappings-list :project="project" @update="onProjectUpdate" />
           </q-card-section>
         </q-card>
+      </template>
 
+      <!-- FIXME use /project/PROJ/permissions/project when fixed -->
+      <template v-if="hasAdminPermission">
         <q-card flat>
           <q-card-section class="q-px-none">
             <span class="text-h5">{{ $t('permissions') }}</span>
@@ -69,7 +76,9 @@
             />
           </q-card-section>
         </q-card>
+      </template>
 
+      <template v-if="hasReloadPermission">
         <q-card flat>
           <q-card-section class="q-px-none">
             <span class="text-h5"
@@ -89,7 +98,9 @@
             <q-btn size="sm" icon="cached" color="primary" :label="$t('state')" @click="getState"></q-btn>
           </q-card-section>
         </q-card>
+      </template>
 
+      <template v-if="hasAdminPermission">
         <q-card flat>
           <q-card-section class="q-px-none q-pb-none">
             <span class="text-h5">{{ $t('project_admin.backup_restore') }}</span>
@@ -150,17 +161,17 @@
             </q-card-section>
           </q-card>
         </div>
+      </template>
 
-        <!-- Dialogs -->
+      <!-- Dialogs -->
 
-        <confirm-dialog v-model="showConfirm" :title="$t('delete')" :text="confirmText" @confirm="onConfirmed" />
+      <confirm-dialog v-model="showConfirm" :title="$t('delete')" :text="confirmText" @confirm="onConfirmed" />
 
-        <backup-project-dialog v-model="showBackup" :project="project" @update:model-value="onBackedUp" />
+      <backup-project-dialog v-model="showBackup" :project="project" @update:model-value="onBackedUp" />
 
-        <restore-project-dialog v-model="showRestore" :project="project" @update:model-value="onRestored" />
+      <restore-project-dialog v-model="showRestore" :project="project" @update:model-value="onRestored" />
 
-        <add-project-dialog v-model="showEditProject" :project="project" @update="onProjectEdited" />
-      </template>
+      <add-project-dialog v-model="showEditProject" :project="project" @update="onProjectEdited" />
     </q-page>
   </div>
 </template>
@@ -193,7 +204,14 @@ const onConfirmed = ref(() => ({}));
 const state = ref(ProjectDatasourceStatusDto.NONE);
 const project = computed(() => projectsStore.project);
 const name = computed(() => route.params.id as string);
-const hasAdminPermission = computed(() => projectsStore.perms.project?.canUpdate() || false);
+const hasAdminPermission = computed(
+  () =>
+    projectsStore.perms.project?.canCreate() ||
+    projectsStore.perms.project?.canUpdate() ||
+    projectsStore.perms.project?.canDelete()
+);
+const hasReloadPermission = computed(() => projectsStore.perms.reload?.canCreate() || false);
+const hasKeystorePermission = computed(() => projectsStore.perms.keystore?.canCreate() || false);
 const hasDatabase = computed(() => !!project.value.database);
 
 const properties: FieldItem<ProjectDto>[] = [
diff --git a/opal-ui/src/pages/ProjectPermsPage.vue b/opal-ui/src/pages/ProjectPermsPage.vue
index f30cb8e5d9..097a3ad538 100644
--- a/opal-ui/src/pages/ProjectPermsPage.vue
+++ b/opal-ui/src/pages/ProjectPermsPage.vue
@@ -11,8 +11,8 @@
     <q-page class="q-pa-md">
       <div v-if="hasSubjects" class="row q-gutter-md">
         <div class="col">
-          <div v-for="(subjects, type, index) in subjectTypes" :key="type">
-            <div :class="{ 'q-mt-lg': index !== 0 }">
+          <div v-for="(type, index) in [Subject_SubjectType.USER, Subject_SubjectType.GROUP]" :key="type">
+            <div v-if="subjectTypes[type]" :class="{ 'q-mt-lg': index !== 0 }">
               <div class="col-2 q-px-md bg-grey-1">
                 <div class="text-h5">
                   <q-icon :name="ICONS[type]" size="sm" class="q-mb-xs"></q-icon
@@ -24,7 +24,7 @@
                     clickable
                     active-class="bg-light-blue-1"
                     :active="selectedSubject.principal === subject.principal"
-                    v-for="subject in subjects"
+                    v-for="subject in subjectTypes[type]"
                     :key="subject.principal"
                     @click="onSubject(subject)"
                   >
@@ -62,7 +62,7 @@
 </template>
 
 <script setup lang="ts">
-import { Subject, Acl } from 'src/models/Opal';
+import { Subject, Acl, Subject_SubjectType } from 'src/models/Opal';
 import { notifyError } from 'src/utils/notify';
 import AccessControlTable from 'src/components/permissions/AccessControlTable.vue';
 import ConfirmDialog from 'src/components/ConfirmDialog.vue';
@@ -97,7 +97,7 @@ async function doDeleteAcls() {
       await projectsStore.deleteSubject(selectedSubject.value);
       await loadSubjects();
     } else {
-      await Promise.all(toDelete.map((acl) => projectsStore.deleteSubjectPermissions(selectedSubject.value, acl)));
+      await Promise.all(toDelete.map((acl) => projectsStore.deleteSubjectPermission(selectedSubject.value, acl)));
       onSubject(selectedSubject.value);
     }
     await projectsStore.loadSubjects();
@@ -116,7 +116,7 @@ function initializeSubjectTypes() {
 }
 
 function findCandidateSubject() {
-  const candidates = Object.values(subjectTypes.value).flat();
+  const candidates = subjectTypes.value[Subject_SubjectType.USER] || subjectTypes.value[Subject_SubjectType.GROUP] || [];
   return candidates[0] || null;
 }
 
diff --git a/opal-ui/src/stores/projects.ts b/opal-ui/src/stores/projects.ts
index e78b0a03bb..e3f6de750e 100644
--- a/opal-ui/src/stores/projects.ts
+++ b/opal-ui/src/stores/projects.ts
@@ -25,6 +25,8 @@ interface ProjectPerms {
   import: Perms | undefined;
   projects: Perms | undefined;
   project: Perms | undefined;
+  keystore: Perms | undefined;
+  reload: Perms | undefined;
 }
 
 export const useProjectsStore = defineStore('projects', () => {
@@ -94,6 +96,14 @@ export const useProjectsStore = defineStore('projects', () => {
           perms.value.copy = new Perms(response);
           return response;
         }),
+        api.options(`/project/${project.value.name}/commands/_reload`).then((response) => {
+          perms.value.reload = new Perms(response);
+          return response;
+        }),
+        api.options(`/project/${project.value.name}/keystore`).then((response) => {
+          perms.value.keystore = new Perms(response);
+          return response;
+        }),
         api.options(`/project/${project.value.name}`).then((response) => {
           perms.value.project = new Perms(response);
           return response;
@@ -213,7 +223,8 @@ export const useProjectsStore = defineStore('projects', () => {
   async function deleteSubjectPermission(subject: Subject, acl: Acl) {
     const resource = acl.resource
       .replace(/^\//, '')
-      .replace(/^datasource.*/, 'datasource')
+      .replace(/^project.*/, 'project')
+      .replace(/^datasource\/[^\/]+$/, 'datasource')
       .replace(/.*(table|view)/, 'table')
       .replace(/.*report-template/, 'report-template');
 
@@ -293,7 +304,7 @@ export const useProjectsStore = defineStore('projects', () => {
     loadSubjects,
     deleteSubject,
     getSubjectPermissions,
-    deleteSubjectPermissions: deleteSubjectPermission,
+    deleteSubjectPermission,
     clearCommandStates,
     cancelCommandState,
     copyCommand,
diff --git a/pom.xml b/pom.xml
index ca80e17cc2..f94bac1175 100644
--- a/pom.xml
+++ b/pom.xml
@@ -89,7 +89,7 @@
     <mysql-connector-java.version>8.0.30</mysql-connector-java.version>
     <nimbus-jose-jwt.version>9.37.3</nimbus-jose-jwt.version>
     <oauth-oidc-sdk.version>11.12</oauth-oidc-sdk.version>
-    <obiba-commons.version>4.1.0</obiba-commons.version>
+    <obiba-commons.version>4.2-SNAPSHOT</obiba-commons.version>
     <opal-oda.version>1.2.3</opal-oda.version>
     <opencsv.version>2.3</opencsv.version>
     <orientdb.version>3.2.27</orientdb.version>