Merge pull request #267 from DP-3T/develop

Merge into master for release 2.0.0

.github/workflows/close_issue.yaml

@@ -0,0 +1,48 @@
+name: close-issues
+
+# (c) 2020 by Linus Gasser for C4DT.org
+# This action closes issues referenced in the PR in the case the merge
+# does not happen on the 'default' branch.
+# It searches for the same tags as the original github closers.
+
+on:
+  pull_request:
+    types: [closed]
+    branches: [develop]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: script
+        uses: actions/github-script@v3
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const pr = context.payload.pull_request;
+            if (!pr.merged){
+              console.log("Don't close issues when PR is not merged");
+              return;
+            }
+
+            const body = pr.body;
+            const lines = body.split('\n').map((l)=>l.trim());
+            const closers = new RegExp(
+              /(close|closes|closed|fix|fixes|fixed|resolve|resolves|resolved)/i);
+            const issues = lines.filter((l)=>l.match(closers));
+            const issue_nbrs = issues.map((i) => i.replace(/.*#/, ''));
+            issue_nbrs.forEach((i) => {
+              console.log("Closing issue " + i);
+              github.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: i,
+                body: `Closed by PR #${pr.number} ${pr.title}`
+              });
+              github.issues.update({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: i,
+                state: 'closed'
+              });
+            });

.github/workflows/pre-commit.yaml

@@ -0,0 +1,17 @@
+name: pre-commit
+
+on:
+  pull_request:
+  push:
+    branches: [develop]
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - uses: actions/setup-python@v2
+    - uses: actions/setup-java@v1
+      with:
+        java-version: '11'
+    - uses: pre-commit/[email protected]

.pre-commit-config.yaml

@@ -0,0 +1,5 @@
+repos:
+- repo: https://github.com/c4dt/google-style-precommit-hook
+  rev: v1.0
+  hooks:
+  - id: google-style-java

GenerateKeyPair.java

@@ -1,34 +1,30 @@
 /**
- * This file only serves as an example on how to get keys in the right encoding. 
- * This outputs the keys in the PKCS8 format for the private key and the X509 format for the publickey
- * 
- * DO NOT USE THEM IN PRODUCTION UNLESS THE KEYSPECS ARE OK FOR YOU
+ * This file only serves as an example on how to get keys in the right encoding. This outputs the
+ * keys in the PKCS8 format for the private key and the X509 format for the publickey
+ *
+ * <p>DO NOT USE THEM IN PRODUCTION UNLESS THE KEYSPECS ARE OK FOR YOU
  */
 import java.io.FileOutputStream;
-import java.io.IOException;
-import java.security.Key;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
-import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.PublicKey;
+import java.security.Security;
 import java.util.Base64;
 
-import java.security.Security;
+public class GenerateKeyPair {
+  public static void main(String[] args) throws Exception {
+    Security.setProperty("crypto.policy", "unlimited");
+    KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
+    KeyPair pair = generator.genKeyPair();
+    PrivateKey privateKey = pair.getPrivate();
+    PublicKey publicKey = pair.getPublic();
+    FileOutputStream outputStream = new FileOutputStream("generated_pub.pem");
+    outputStream.write(Base64.getEncoder().encode(publicKey.getEncoded()));
+    outputStream.close();
 
-public class GenerateKeyPair{
-    public static void main(String[] args) throws Exception {
-		Security.setProperty("crypto.policy", "unlimited");
-		KeyPairGenerator generator =  KeyPairGenerator.getInstance("RSA");
-		KeyPair pair = generator.genKeyPair();
-		PrivateKey privateKey = pair.getPrivate();
-		PublicKey publicKey = pair.getPublic();
-		FileOutputStream outputStream = new FileOutputStream("generated_pub.pem");
-		outputStream.write(Base64.getEncoder().encode(publicKey.getEncoded()));
-        outputStream.close();
-
-        outputStream = new FileOutputStream("generated_private.pem");
-		outputStream.write(Base64.getEncoder().encode(privateKey.getEncoded()));
-		outputStream.close();
-    }
-}
+    outputStream = new FileOutputStream("generated_private.pem");
+    outputStream.write(Base64.getEncoder().encode(privateKey.getEncoded()));
+    outputStream.close();
+  }
+}

GenerateKeyPairEC.java

@@ -1,59 +1,51 @@
 /**
- * This file only serves as an example on how to get keys in the right encoding. 
- * In order to use it you need BouncyCastle on the classpath!
- * 
- * DO NOT USE THEM IN PRODUCTION UNLESS THE KEYSPECS ARE OK FOR YOU
+ * This file only serves as an example on how to get keys in the right encoding. In order to use it
+ * you need BouncyCastle on the classpath!
+ *
+ * <p>DO NOT USE THEM IN PRODUCTION UNLESS THE KEYSPECS ARE OK FOR YOU
  */
 import java.io.FileOutputStream;
-import java.io.IOException;
-import java.security.Key;
+import java.io.StringWriter;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
-import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.PublicKey;
-import java.util.Base64;
-import java.security.spec.ECGenParameterSpec;
-import java.io.StringWriter;
-
 import java.security.Security;
+import java.security.spec.ECGenParameterSpec;
+import java.util.Base64;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.bouncycastle.util.io.pem.PemWriter;
 import org.bouncycastle.util.io.pem.PemObject;
+import org.bouncycastle.util.io.pem.PemWriter;
+
+public class GenerateKeyPairEC {
+  public static void main(String[] args) throws Exception {
+    Security.addProvider(new BouncyCastleProvider());
+    Security.setProperty("crypto.policy", "unlimited");
+    KeyPairGenerator generator = KeyPairGenerator.getInstance("ECDSA", "BC");
+    ECGenParameterSpec spec = new ECGenParameterSpec("secp256r1");
+    generator.initialize(spec);
+    KeyPair pair = generator.genKeyPair();
+    PrivateKey privateKey = pair.getPrivate();
+    PublicKey publicKey = pair.getPublic();
 
-public class GenerateKeyPairEC{
-    public static void main(String[] args) throws Exception {
-        Security.addProvider(new BouncyCastleProvider());
-        Security.setProperty("crypto.policy", "unlimited");
-        KeyPairGenerator generator =  KeyPairGenerator.getInstance("ECDSA", "BC");
-        ECGenParameterSpec spec = new ECGenParameterSpec("secp256r1");
-        generator.initialize(spec);
-        KeyPair pair = generator.genKeyPair();
-        PrivateKey privateKey = pair.getPrivate();
-        PublicKey publicKey = pair.getPublic();
+    StringWriter privateKeyWriter = new StringWriter();
+    PemWriter privateKeyPemWriter = new PemWriter(privateKeyWriter);
+    privateKeyPemWriter.writeObject(new PemObject("PRIVATE KEY", privateKey.getEncoded()));
+    privateKeyPemWriter.flush();
+    privateKeyPemWriter.close();
 
-        StringWriter privateKeyWriter = new StringWriter();
-        PemWriter privateKeyPemWriter = new PemWriter(privateKeyWriter);
-        privateKeyPemWriter.writeObject(new PemObject("PRIVATE KEY", privateKey.getEncoded()));
-        privateKeyPemWriter.flush();
-        privateKeyPemWriter.close();
+    StringWriter publicKeyWriter = new StringWriter();
+    PemWriter publicKeyPemWriter = new PemWriter(publicKeyWriter);
+    publicKeyPemWriter.writeObject(new PemObject("PUBLIC KEY", publicKey.getEncoded()));
+    publicKeyPemWriter.flush();
+    publicKeyPemWriter.close();
 
-        StringWriter publicKeyWriter = new StringWriter();
-        PemWriter publicKeyPemWriter = new PemWriter(publicKeyWriter);
-        publicKeyPemWriter.writeObject(new PemObject("PUBLIC KEY", publicKey.getEncoded()));
-        publicKeyPemWriter.flush();
-        publicKeyPemWriter.close();
+    FileOutputStream outputStream = new FileOutputStream("generated_pub.pem");
+    outputStream.write(Base64.getEncoder().encode(publicKeyWriter.toString().getBytes()));
+    outputStream.close();
 
-        FileOutputStream outputStream = new FileOutputStream("generated_pub.pem");
-        outputStream.write(Base64.getEncoder().encode(
-            publicKeyWriter.toString().getBytes()
-        ));
-        outputStream.close();
-
-        outputStream = new FileOutputStream("generated_private.pem");
-        outputStream.write(Base64.getEncoder().encode(
-            privateKeyWriter.toString().getBytes()
-        ));
-        outputStream.close();
-    }
-}
+    outputStream = new FileOutputStream("generated_private.pem");
+    outputStream.write(Base64.getEncoder().encode(privateKeyWriter.toString().getBytes()));
+    outputStream.close();
+  }
+}

Makefile

@@ -2,6 +2,9 @@
 #      Makefile      #
 ######################
 
+DP3T_SDK = dpppt-backend-sdk
+DP3T_SDK_WS = $(DP3T_SDK)/dpppt-backend-sdk-ws
+
 FILE_NAME = documentation.tex
 
 LATEX = xelatex
@@ -13,17 +16,23 @@ all1: clean updateproject updatedoc swagger la la2 la3
 no: clean updateproject updatedoc swagger la la2 
 docker-build: updateproject docker
 doc: updatedoc swagger la la2 la3
+test: clean run-test
+run-test:
+	mvn -f $(DP3T_SDK)/pom.xml test
+
+package:
+	mvn -f $(DP3T_SDK)/pom.xml clean package
 
 updateproject:
-	mvn -f dpppt-backend-sdk/pom.xml install
+	mvn -f $(DP3T_SDK)/pom.xml package -DskipTests
 
 updatedoc:
-	mvn -f dpppt-backend-sdk/pom.xml install -Dmaven.test.skip=true
-	mvn springboot-swagger-3:springboot-swagger-3 -f dpppt-backend-sdk/dpppt-backend-sdk-ws/pom.xml
-	cp dpppt-backend-sdk/dpppt-backend-sdk-ws/generated/swagger/swagger.yaml documentation/yaml/sdk.yaml
+	mvn -f $(DP3T_SDK)/pom.xml package -Dmaven.test.skip=true
+	mvn springboot-swagger-3:springboot-swagger-3 -f $(DP3T_SDK_WS)/pom.xml
+	cp $(DP3T_SDK_WS)/generated/swagger/swagger.yaml documentation/yaml/sdk.yaml
 
 swagger:
-	cd documentation; $(RUSTY_SWAGGER) --file ../dpppt-backend-sdk/dpppt-backend-sdk-ws/generated/swagger/swagger.yaml
+	cd documentation; $(RUSTY_SWAGGER) --file ../$(DP3T_SDK_WS)/generated/swagger/swagger.yaml
 
 la:
 	cd documentation;$(LATEX) $(FILE_NAME)
@@ -37,10 +46,12 @@ show:
 	cd documentation; open $(FILE_NAME).pdf &
 
 docker:
-	cp dpppt-backend-sdk/dpppt-backend-sdk-ws/target/dpppt-backend-sdk-ws-1.0.0-SNAPSHOT.jar ws-sdk/ws/bin/dpppt-backend-sdk-ws-1.0.0.jar
-	docker build -t 979586646521.dkr.ecr.eu-west-1.amazonaws.com/ubiquevscovid19-ws:test ws-sdk/
-
-
+	cp $(DP3T_SDK_WS)/target/dpppt-backend-sdk-ws.jar ws-sdk/ws/bin/dpppt-backend-sdk-ws-1.0.0.jar
+	docker build -t dp3t-docker ws-sdk/
+	@printf '\033[33m DO NOT USE THIS IN PRODUCTION \033[0m \n'
+	@printf "\033[32m docker run -p 8080:8080 -v $(PWD)/$(DP3T_SDK_WS)/src/main/resources/logback.xml:/home/ws/conf/dpppt-backend-sdk-ws-logback.xml -v $(PWD)/dpppt-backend-sdk/dpppt-backend-sdk-ws/src/main/resources/application.properties:/home/ws/conf/dpppt-backend-sdk-ws.properties dp3t-docker \033[0m\n"
 
 clean:
+	mvn -f $(DP3T_SDK)/pom.xml clean
+	@rm -f $(DP3T_SDK_WS)/dp3t-ws.log*
 	@rm -f documentation/*.log documentation/*.aux documentation/*.dvi documentation/*.ps documentation/*.blg documentation/*.bbl documentation/*.out documentation/*.bcf documentation/*.run.xml documentation/*.fdb_latexmk documentation/*.fls documentation/*.toc

README.md

@@ -32,7 +32,7 @@ This documentation describes the backend used for the SwissCovid application. It
 In order to have reproducible builds the [io.github.zlika](https://github.com/zlika/reproducible-build-maven-plugin) maven plugin is used. It replaces all timestamp with the timestamp of the last commit, and orders the entries in the JAR alphabetically. The github action then computes the sha256sum of the resulting JAR and adds the output as an build artifact.
 
 ## Dependencies
-* Spring Boot 2.2.6
+* Spring Boot 2.2.10
 * Java 11 (or higher)
 * Logback
 * [Springboot-Swagger-3](https://github.com/Ubique-OSS/springboot-swagger3)
@@ -91,7 +91,7 @@ In order to minimize the risk of timing attacks, to find out whether a request w
 Clients pad the number of keys with fake keys, if not enough keys are provided by the framework (e.g. the app is installed for less than 14 days). On fake keys the web-service should not validate any dates. The key payload though needs to be the exact same size!
 
 ## GAEN/DP3T
-We started with the project before Google and Apple announced the Exposure Notifications. Hence, there is a custom format and implementation provided. It is recommended to adopt the new Exposure Notification format, since support on clients is much better.
+We started with the project before Google and Apple announced the Exposure Notifications. For some time we supported both the old DP3T protocol and the new GAEN protocol, which is based on DP3T. Now that GAEN has become available on most of the versions, we removed DP3T support in the backend to lower the attack surface and make development easier.
 
 ### Legacy Notifications
 Since the Exposure Notifications format has been adopted, we drop support for legacy notifications. Currently no feature-requests are implemented for the old format, but if a PR is provided, it can still be merged.
@@ -218,3 +218,13 @@ To build the docker image run
 
 ```bash
 make docker-build
+```
+
+This will build the jar and copy it into the `ws-sdk/ws/bin` folder, from where it is then added to the container image.
+The image will be tagged as `dp3t-docker`. 
+
+An example `logback.xml` is found in the `resources` folder for the `dpppt-backend-sdk-ws` Java module.
+
+An example `application.properties` file is found at the same location. 
+Just make sure the configuration matches with your deployment (c.f. `WSBaseConfig` for possible properties
+and `WSCloudBaseConfig` for some `CloudFoundry` specific properties) 

SECURITY.md

@@ -0,0 +1,13 @@
+# Security Policy
+
+## Supported Versions
+
+Currently eligble versions for patches are the following
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.x.x   | :white_check_mark: |
+
+
+## Reporting a Vulnerability
+Please report (suspected) security vulnerabilities to [email protected]. You will receive a response from us within 48 hours. If the issue is confirmed, we will release a patch as soon as possible depending on complexity but historically within a few days.

dpppt-backend-sdk/dpppt-backend-sdk-data/pom.xml

@@ -21,7 +21,6 @@
 	<name>DP3T Backend SDK Data</name>
 
 	<properties>
-		<org.testcontainers.version>1.14.2</org.testcontainers.version>
 		<sonar.projectKey>DP-3T_dp3t-sdk-data</sonar.projectKey>
 	</properties>
 
@@ -31,7 +30,6 @@
 		<dependency>
 			<groupId>org.dpppt</groupId>
 			<artifactId>dpppt-backend-sdk-model</artifactId>
-			<version>1.0.0-SNAPSHOT</version>
 		</dependency>
 
 		<!-- database -->
@@ -47,6 +45,7 @@
 		<dependency>
 			<groupId>org.postgresql</groupId>
 			<artifactId>postgresql</artifactId>
+			<version>42.2.14</version>
 		</dependency>
 		<dependency>
 			<groupId>org.hsqldb</groupId>
@@ -59,7 +58,6 @@
 		<dependency>
 			<groupId>org.testcontainers</groupId>
 			<artifactId>postgresql</artifactId>
-			<version>${org.testcontainers.version}</version>
 			<scope>test</scope>
 		</dependency>