Merge pull request #140 from wultra/issues/merge-upstream

Merge upstream

.github/workflows/codeql-analysis.yml

@@ -18,4 +18,5 @@ jobs:
       languages: "['java']"
       # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
       # Use only 'java' to analyze code written in Java, Kotlin or both
-      # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
+      # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
+      java_version: 21

.github/workflows/maven-deploy.yml

@@ -34,6 +34,7 @@ jobs:
     with:
       environment: internal-publish
       release_type: snapshot
+      java_version: 21
     secrets:
       username: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
       password: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
@@ -45,6 +46,7 @@ jobs:
     with:
       environment: ${{ inputs.environment }}
       release_type: ${{ inputs.release_type }}
+      java_version: 21
     secrets:
       username: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
       password: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}

.github/workflows/maven-test.yml

@@ -15,4 +15,6 @@ on:
 jobs:
   maven-tests:
     uses: wultra/wultra-infrastructure/.github/workflows/maven-test.yml@develop
-    secrets: inherit
+    secrets: inherit
+    with:
+      java_version: 21

Dockerfile

@@ -1,4 +1,4 @@
-FROM ibm-semeru-runtimes:open-21.0.1_12-jre
+FROM ibm-semeru-runtimes:open-21.0.2_13-jre
 LABEL maintainer="[email protected]"
 
 # Prepare environment variables
@@ -8,7 +8,7 @@ ENV JAVA_HOME=/opt/java/openjdk \
     PKG_RELEASE=1~jammy \
     TOMCAT_HOME=/usr/local/tomcat \
     TOMCAT_MAJOR=10 \
-    TOMCAT_VERSION=10.1.17 \
+    TOMCAT_VERSION=10.1.19 \
     TZ=UTC
 
 ENV PATH=$PATH:$LB_HOME:$TOMCAT_HOME/bin
@@ -20,7 +20,7 @@ RUN apt-get -y update  \
 
 # Install tomcat
 RUN curl -jkSL -o /tmp/apache-tomcat.tar.gz http://archive.apache.org/dist/tomcat/tomcat-${TOMCAT_MAJOR}/v${TOMCAT_VERSION}/bin/apache-tomcat-${TOMCAT_VERSION}.tar.gz \
-    && [ "ff9670f9cd49a604e47edfbcfb5855fe59342048c3278ea8736276b51327adf2d076973f3ad1b8aa7870ef26c28cf7111527be810b445c9927f2a457795f5cb6  /tmp/apache-tomcat.tar.gz" = "$(sha512sum /tmp/apache-tomcat.tar.gz)" ] \
+    && [ "7264da6196a510b0bba74469d215d61a464331302239256477f78b6bec067f7f4d90f671b96a440061ae0e20d16b1be8ca1dbd547dab9927383366dbc677f590  /tmp/apache-tomcat.tar.gz" = "$(sha512sum /tmp/apache-tomcat.tar.gz)" ] \
     && gunzip /tmp/apache-tomcat.tar.gz \
     && tar -C /opt -xf /tmp/apache-tomcat.tar \
     && ln -s /opt/apache-tomcat-$TOMCAT_VERSION $TOMCAT_HOME

deploy/enrollment-server.xml

@@ -29,6 +29,12 @@
     <Parameter name="enrollment-server.mtoken.enabled" value="${ENROLLMENT_SERVER_MTOKEN_ENABLED:true}"/>
     <Parameter name="enrollment-server.inbox.enabled" value="${ENROLLMENT_SERVER_INBOX_ENABLED:true}"/>
     <Parameter name="enrollment-server.activation-spawn.enabled" value="${ENROLLMENT_SERVER_ACTIVATION_SPAWN_ENABLED:false}"/>
+    <Parameter name="enrollment-server.admin.enabled" value="${ENROLLMENT_SERVER_ADMIN_ENABLED:false}"/>
+    <Parameter name="enrollment-server.auth-type" value="${ENROLLMENT_SERVER_AUTH_TYPE:NONE}"/>
+    <Parameter name="spring.security.user.name" value="${ENROLLMENT_SERVER_SECURITY_AUTH_HTTP_BASIC_USER_NAME:}" />
+    <Parameter name="spring.security.user.password" value="${ENROLLMENT_SERVER_SECURITY_AUTH_HTTP_BASIC_USER_PASSWORD:}" />
+    <Parameter name="spring.security.oauth2.resource-server.jwt.issuer-uri" value="${ENROLLMENT_SERVER_SECURITY_AUTH_OIDC_ISSUER_URI:}" />
+    <Parameter name="spring.security.oauth2.resource-server.jwt.audiences" value="${ENROLLMENT_SERVER_SECURITY_AUTH_OIDC_AUDIENCES:}" />
 
     <!--  User-info configuration  -->
     <Parameter name="enrollment-server.user-info.provider" value="${ENROLLMENT_SERVER_USER_INFO_PROVIDER:}"/>

deploy/env.list.tmp

@@ -5,6 +5,12 @@ ENROLLMENT_SERVER_PUSH_SERVER_URL=
 ENROLLMENT_SERVER_MTOKEN_ENABLED=true
 ENROLLMENT_SERVER_INBOX_ENABLED=true
 ENROLLMENT_SERVER_ACTIVATION_SPAWN_ENABLED=false
+ENROLLMENT_SERVER_ADMIN_ENABLED=false
+ENROLLMENT_SERVER_AUTH_TYPE=NONE
+ENROLLMENT_SERVER_SECURITY_AUTH_HTTP_BASIC_USER_NAME=
+ENROLLMENT_SERVER_SECURITY_AUTH_HTTP_BASIC_USER_PASSWORD=
+ENROLLMENT_SERVER_SECURITY_AUTH_OIDC_ISSUER_URI=
+ENROLLMENT_SERVER_SECURITY_AUTH_OIDC_AUDIENCES=
 ENROLLMENT_SERVER_CORRELATION_HEADER_ENABLED=false
 ENROLLMENT_SERVER_CORRELATION_HEADER_NAME=X-Correlation-ID
 ENROLLMENT_SERVER_CORRELATION_HEADER_VALUE_VALIDATION_REGEXP=[a-zA-Z0-9\\-]{8,1024}

docs/Configuration-Properties.md

@@ -29,11 +29,17 @@ The Enrollment Server uses the following public configuration properties:
 
 ## Enrollment Server Configuration
 
-| Property | Default | Note |
-|---|---|---|
-| `enrollment-server.mtoken.enabled` | `true` | Publishing of Mobile Token endpoints can be enabled or disabled using this property. |
-| `enrollment-server.inbox.enabled` | `true` | Publishing of Inbox endpoints can be enabled or disabled using this property. |
-| `enrollment-server.activation-spawn.enabled` | `false` | The activation spawn functionality can be enabled or disabled using this property. |
+| Property                                                | Default | Note                                                                                                                                                                                                                                       |
+|---------------------------------------------------------|---------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `enrollment-server.mtoken.enabled`                      | `true`  | Publishing of Mobile Token endpoints can be enabled or disabled using this property.                                                                                                                                                       |
+| `enrollment-server.inbox.enabled`                       | `true`  | Publishing of Inbox endpoints can be enabled or disabled using this property.                                                                                                                                                              |
+| `enrollment-server.activation-spawn.enabled`            | `false` | The activation spawn functionality can be enabled or disabled using this property.                                                                                                                                                         |
+| `enrollment-server.admin.enabled`                       | `false` | The admin API can be enabled or disabled using this property.                                                                                                                                                                              |
+| `enrollment-server.auth-type`                           | `NONE`  | `BASIC_HTTP` for basic HTTP authentication or `OIDC` for OpenID Connect. If authentication enabled, the corresponding properties bellow must be configured.                                                                                |
+| `spring.security.user.name`                             |         | Basic HTTP property, user name                                                                                                                                                                                                             |
+| `spring.security.user.password`                         |         | Basic HTTP property, user password `{id}encodedPassword`, see [Spring Password Storage Format](https://docs.spring.io/spring-security/reference/features/authentication/password-storage.html#authentication-password-storage-dpe-format). | 
+| `spring.security.oauth2.resource-server.jwt.issuer-uri` |         | OIDC property, URL of the provider, e.g. `https://sts.windows.net/example/`                                                                                                                                                                |
+| `spring.security.oauth2.resource-server.jwt.audiences`  |         | OIDC property, a comma-separated list of allowed `aud` JWT claim values to be validated.                                                                                                                                                   |
 
 ## UserInfoProvider Configuration
 

enrollment-server-api-model/src/main/java/com/wultra/app/enrollmentserver/api/model/enrollment/response/TemplateListResponse.java

@@ -0,0 +1,41 @@
+/*
+ * PowerAuth Enrollment Server
+ * Copyright (C) 2024 Wultra s.r.o.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published
+ * by the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+package com.wultra.app.enrollmentserver.api.model.enrollment.response;
+
+import lombok.Builder;
+import lombok.EqualsAndHashCode;
+
+import java.io.Serial;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * Template list response.
+ *
+ * @author Lubos Racansky, [email protected]
+ */
+@EqualsAndHashCode(callSuper = true)
+public class TemplateListResponse extends ArrayList<TemplateListResponse.TemplateDetail> {
+
+    @Serial
+    private static final long serialVersionUID = -5446919236567435144L;
+
+    @Builder
+    public record TemplateDetail(String name, String title, String message, List<Object> attributes, String language) {
+    }
+}

enrollment-server-onboarding-common/src/main/java/com/wultra/app/onboardingserver/common/database/IdentityVerificationRepository.java

@@ -55,28 +55,36 @@ public interface IdentityVerificationRepository extends CrudRepository<IdentityV
     /**
      * Return all identity verifications eligible for change to next state.
      *
+     * @param documentVerificationProvider Document verification production name.
      * @return identity verifications
      */
-    @Query("SELECT id FROM IdentityVerificationEntity id WHERE" +
-            " (id.phase = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationPhase.DOCUMENT_UPLOAD" +
-            "   AND id.status = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationStatus.IN_PROGRESS)" +
-            " OR (id.phase = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationPhase.DOCUMENT_UPLOAD" +
-            "   AND id.status = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationStatus.VERIFICATION_PENDING)" +
-            " OR (id.phase = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationPhase.DOCUMENT_VERIFICATION" +
-            "   AND id.status = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationStatus.ACCEPTED)" +
-            " OR (id.phase = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationPhase.DOCUMENT_VERIFICATION_FINAL" +
-            "   AND id.status = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationStatus.IN_PROGRESS)" +
-            " OR (id.phase = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationPhase.DOCUMENT_VERIFICATION_FINAL" +
-            "   AND id.status = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationStatus.ACCEPTED)" +
-            " OR (id.phase = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationPhase.CLIENT_EVALUATION" +
-            "   AND id.status = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationStatus.IN_PROGRESS)" +
-            " OR (id.phase = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationPhase.CLIENT_EVALUATION" +
-            "   AND id.status = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationStatus.ACCEPTED)" +
-            " OR (id.phase = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationPhase.PRESENCE_CHECK" +
-            "   AND id.status = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationStatus.VERIFICATION_PENDING)"
+    @Query("""
+            SELECT id
+                FROM IdentityVerificationEntity id
+                WHERE ((id.phase = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationPhase.DOCUMENT_UPLOAD
+                    AND id.status = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationStatus.IN_PROGRESS)
+                   OR (id.phase = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationPhase.DOCUMENT_UPLOAD
+                    AND id.status = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationStatus.VERIFICATION_PENDING)
+                   OR (id.phase = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationPhase.DOCUMENT_VERIFICATION
+                    AND id.status = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationStatus.ACCEPTED)
+                   OR (id.phase = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationPhase.DOCUMENT_VERIFICATION_FINAL
+                    AND id.status = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationStatus.IN_PROGRESS)
+                   OR (id.phase = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationPhase.DOCUMENT_VERIFICATION_FINAL
+                    AND id.status = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationStatus.ACCEPTED)
+                   OR (id.phase = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationPhase.CLIENT_EVALUATION
+                    AND id.status = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationStatus.IN_PROGRESS)
+                   OR (id.phase = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationPhase.CLIENT_EVALUATION
+                    AND id.status = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationStatus.ACCEPTED)
+                   OR (id.phase = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationPhase.PRESENCE_CHECK
+                    AND id.status = com.wultra.app.enrollmentserver.model.enumeration.IdentityVerificationStatus.VERIFICATION_PENDING))
+                   AND EXISTS (
+                       SELECT 1
+                       FROM id.documentVerifications documentVerification
+                       WHERE documentVerification.providerName = :documentVerificationProvider
+                   )
+            """
     )
-    Stream<IdentityVerificationEntity> streamAllIdentityVerificationsToChangeState();
-
+    Stream<IdentityVerificationEntity> streamAllIdentityVerificationsToChangeState(final String documentVerificationProvider);
 
     /**
      * Return identity verification IDs by the given process ID. Include only not yet finished entities.

enrollment-server-onboarding/pom.xml

@@ -200,10 +200,6 @@
 
     <build>
         <plugins>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-war-plugin</artifactId>
-            </plugin>
             <plugin>
                 <groupId>org.springframework.boot</groupId>
                 <artifactId>spring-boot-maven-plugin</artifactId>

enrollment-server-onboarding/src/main/java/com/wultra/app/onboardingserver/errorhandling/DefaultExceptionHandler.java

@@ -32,6 +32,7 @@
 import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.ResponseStatus;
+import org.springframework.web.servlet.resource.NoResourceFoundException;
 
 /**
  * Exception handler for RESTful API issues.
@@ -236,4 +237,18 @@ public class DefaultExceptionHandler {
         logger.warn("Error occurred.", e);
         return new ErrorResponse("INVALID_REQUEST", "Invalid request sent.");
     }
+
+    /**
+     * Exception handler for no resource found.
+     *
+     * @param e Exception.
+     * @return Response with error details.
+     */
+    @ExceptionHandler(NoResourceFoundException.class)
+    @ResponseStatus(HttpStatus.NOT_FOUND)
+    public @ResponseBody ErrorResponse handleNoResourceFoundException(final NoResourceFoundException e) {
+        logger.warn("Error occurred when calling an API: {}", e.getMessage());
+        logger.debug("Exception detail: ", e);
+        return new ErrorResponse("ERROR_NOT_FOUND", "Resource not found.");
+    }
 }

enrollment-server-onboarding/src/main/java/com/wultra/app/onboardingserver/impl/service/IdentityVerificationService.java

@@ -559,7 +559,7 @@ public VerificationSdkInfo initVerificationSdk(OwnerId ownerId, Map<String, Stri
      * @return identity verifications
      */
     public Stream<IdentityVerificationEntity> streamAllIdentityVerificationsToChangeState() {
-        return identityVerificationRepository.streamAllIdentityVerificationsToChangeState();
+        return identityVerificationRepository.streamAllIdentityVerificationsToChangeState(identityVerificationConfig.getDocumentVerificationProvider());
     }
 
     private void moveToDocumentUpload(final OwnerId ownerId, final IdentityVerificationEntity idVerification, final IdentityVerificationStatus status) {