Merge pull request #1016 from wultra/develop

Merge develop to master

.github/workflows/codeql-analysis.yml

@@ -18,4 +18,5 @@ jobs:
       languages: "['java']"
       # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
       # Use only 'java' to analyze code written in Java, Kotlin or both
-      # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
+      # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
+      java_version: 21

.github/workflows/maven-deploy.yml

@@ -34,6 +34,7 @@ jobs:
     with:
       environment: internal-publish
       release_type: snapshot
+      java_version: 21
     secrets:
       username: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
       password: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
@@ -45,6 +46,7 @@ jobs:
     with:
       environment: ${{ inputs.environment }}
       release_type: ${{ inputs.release_type }}
+      java_version: 21
     secrets:
       username: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
       password: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}

.github/workflows/maven-test.yml

@@ -15,4 +15,6 @@ on:
 jobs:
   maven-tests:
     uses: wultra/wultra-infrastructure/.github/workflows/maven-test.yml@develop
-    secrets: inherit
+    secrets: inherit
+    with:
+      java_version: 21

Dockerfile

@@ -1,4 +1,4 @@
-FROM ibm-semeru-runtimes:open-17.0.9_9-jre
+FROM ibm-semeru-runtimes:open-21.0.2_13-jre
 LABEL maintainer="petr@wultra.com"
 
 # Prepare environment variables
@@ -8,7 +8,7 @@ ENV JAVA_HOME=/opt/java/openjdk \
     PKG_RELEASE=1~jammy \
     TOMCAT_HOME=/usr/local/tomcat \
     TOMCAT_MAJOR=10 \
-    TOMCAT_VERSION=10.1.17 \
+    TOMCAT_VERSION=10.1.19 \
     TZ=UTC
 
 ENV PATH=$PATH:$LB_HOME:$TOMCAT_HOME/bin
@@ -20,7 +20,7 @@ RUN apt-get -y update  \
 
 # Install tomcat
 RUN curl -jkSL -o /tmp/apache-tomcat.tar.gz http://archive.apache.org/dist/tomcat/tomcat-${TOMCAT_MAJOR}/v${TOMCAT_VERSION}/bin/apache-tomcat-${TOMCAT_VERSION}.tar.gz \
-    && [ "ff9670f9cd49a604e47edfbcfb5855fe59342048c3278ea8736276b51327adf2d076973f3ad1b8aa7870ef26c28cf7111527be810b445c9927f2a457795f5cb6  /tmp/apache-tomcat.tar.gz" = "$(sha512sum /tmp/apache-tomcat.tar.gz)" ] \
+    && [ "7264da6196a510b0bba74469d215d61a464331302239256477f78b6bec067f7f4d90f671b96a440061ae0e20d16b1be8ca1dbd547dab9927383366dbc677f590  /tmp/apache-tomcat.tar.gz" = "$(sha512sum /tmp/apache-tomcat.tar.gz)" ] \
     && gunzip /tmp/apache-tomcat.tar.gz \
     && tar -C /opt -xf /tmp/apache-tomcat.tar \
     && ln -s /opt/apache-tomcat-$TOMCAT_VERSION $TOMCAT_HOME

deploy/enrollment-server.xml

@@ -29,6 +29,12 @@
     <Parameter name="enrollment-server.mtoken.enabled" value="${ENROLLMENT_SERVER_MTOKEN_ENABLED:true}"/>
     <Parameter name="enrollment-server.inbox.enabled" value="${ENROLLMENT_SERVER_INBOX_ENABLED:true}"/>
     <Parameter name="enrollment-server.activation-spawn.enabled" value="${ENROLLMENT_SERVER_ACTIVATION_SPAWN_ENABLED:false}"/>
+    <Parameter name="enrollment-server.admin.enabled" value="${ENROLLMENT_SERVER_ADMIN_ENABLED:false}"/>
+    <Parameter name="enrollment-server.auth-type" value="${ENROLLMENT_SERVER_AUTH_TYPE:NONE}"/>
+    <Parameter name="spring.security.user.name" value="${ENROLLMENT_SERVER_SECURITY_AUTH_HTTP_BASIC_USER_NAME:}" />
+    <Parameter name="spring.security.user.password" value="${ENROLLMENT_SERVER_SECURITY_AUTH_HTTP_BASIC_USER_PASSWORD:}" />
+    <Parameter name="spring.security.oauth2.resource-server.jwt.issuer-uri" value="${ENROLLMENT_SERVER_SECURITY_AUTH_OIDC_ISSUER_URI:}" />
+    <Parameter name="spring.security.oauth2.resource-server.jwt.audiences" value="${ENROLLMENT_SERVER_SECURITY_AUTH_OIDC_AUDIENCES:}" />
 
     <!--  User-info configuration  -->
     <Parameter name="enrollment-server.user-info.provider" value="${ENROLLMENT_SERVER_USER_INFO_PROVIDER:}"/>

deploy/env.list.tmp

@@ -5,6 +5,12 @@ ENROLLMENT_SERVER_PUSH_SERVER_URL=
 ENROLLMENT_SERVER_MTOKEN_ENABLED=true
 ENROLLMENT_SERVER_INBOX_ENABLED=true
 ENROLLMENT_SERVER_ACTIVATION_SPAWN_ENABLED=false
+ENROLLMENT_SERVER_ADMIN_ENABLED=false
+ENROLLMENT_SERVER_AUTH_TYPE=NONE
+ENROLLMENT_SERVER_SECURITY_AUTH_HTTP_BASIC_USER_NAME=
+ENROLLMENT_SERVER_SECURITY_AUTH_HTTP_BASIC_USER_PASSWORD=
+ENROLLMENT_SERVER_SECURITY_AUTH_OIDC_ISSUER_URI=
+ENROLLMENT_SERVER_SECURITY_AUTH_OIDC_AUDIENCES=
 ENROLLMENT_SERVER_CORRELATION_HEADER_ENABLED=false
 ENROLLMENT_SERVER_CORRELATION_HEADER_NAME=X-Correlation-ID
 ENROLLMENT_SERVER_CORRELATION_HEADER_VALUE_VALIDATION_REGEXP=[a-zA-Z0-9\\-]{8,1024}

docs/Configuration-Properties.md

@@ -9,7 +9,6 @@ The Enrollment Server uses the following public configuration properties:
 | `spring.datasource.url` | `_empty_` | Database JDBC URL |
 | `spring.datasource.username` | `_empty_` | Database JDBC username |
 | `spring.datasource.password` | `_empty_` | Database JDBC password |
-| `spring.datasource.driver-class-name` | `_empty_` | Datasource JDBC class name | 
 | `spring.jpa.hibernate.ddl-auto` | `none` | Configuration of automatic database schema creation | 
 | `spring.jpa.properties.hibernate.connection.characterEncoding` | `_empty_` | Character encoding |
 | `spring.jpa.properties.hibernate.connection.useUnicode` | `_empty_` | Character encoding - Unicode support |
@@ -30,11 +29,17 @@ The Enrollment Server uses the following public configuration properties:
 
 ## Enrollment Server Configuration
 
-| Property | Default | Note |
-|---|---|---|
-| `enrollment-server.mtoken.enabled` | `true` | Publishing of Mobile Token endpoints can be enabled or disabled using this property. |
-| `enrollment-server.inbox.enabled` | `true` | Publishing of Inbox endpoints can be enabled or disabled using this property. |
-| `enrollment-server.activation-spawn.enabled` | `false` | The activation spawn functionality can be enabled or disabled using this property. |
+| Property                                                | Default | Note                                                                                                                                                                                                                                       |
+|---------------------------------------------------------|---------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `enrollment-server.mtoken.enabled`                      | `true`  | Publishing of Mobile Token endpoints can be enabled or disabled using this property.                                                                                                                                                       |
+| `enrollment-server.inbox.enabled`                       | `true`  | Publishing of Inbox endpoints can be enabled or disabled using this property.                                                                                                                                                              |
+| `enrollment-server.activation-spawn.enabled`            | `false` | The activation spawn functionality can be enabled or disabled using this property.                                                                                                                                                         |
+| `enrollment-server.admin.enabled`                       | `false` | The admin API can be enabled or disabled using this property.                                                                                                                                                                              |
+| `enrollment-server.auth-type`                           | `NONE`  | `BASIC_HTTP` for basic HTTP authentication or `OIDC` for OpenID Connect. If authentication enabled, the corresponding properties bellow must be configured.                                                                                |
+| `spring.security.user.name`                             |         | Basic HTTP property, user name                                                                                                                                                                                                             |
+| `spring.security.user.password`                         |         | Basic HTTP property, user password `{id}encodedPassword`, see [Spring Password Storage Format](https://docs.spring.io/spring-security/reference/features/authentication/password-storage.html#authentication-password-storage-dpe-format). | 
+| `spring.security.oauth2.resource-server.jwt.issuer-uri` |         | OIDC property, URL of the provider, e.g. `https://sts.windows.net/example/`                                                                                                                                                                |
+| `spring.security.oauth2.resource-server.jwt.audiences`  |         | OIDC property, a comma-separated list of allowed `aud` JWT claim values to be validated.                                                                                                                                                   |
 
 ## UserInfoProvider Configuration
 
@@ -63,6 +68,8 @@ logging.pattern.console=%clr(%d{${LOG_DATEFORMAT_PATTERN:yyyy-MM-dd HH:mm:ss.SSS
 
 
 ## Monitoring and Observability
-
+| Property                                  | Default | Note                                                                                                                                                                        |
+|-------------------------------------------|---------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `management.tracing.sampling.probability` | `1.0`   | Specifies the proportion of requests that are sampled for tracing. A value of 1.0 means that 100% of requests are sampled, while a value of 0 effectively disables tracing. |
 The WAR file includes the `micrometer-registry-prometheus` dependency.
 Discuss its configuration with the [Spring Boot documentation](https://docs.spring.io/spring-boot/docs/3.1.x/reference/html/actuator.html#actuator.metrics).

docs/Migration-Instructions.md

@@ -2,6 +2,7 @@
 
 This page contains PowerAuth Enrollment Server migration instructions.
 
+- [PowerAuth Enrollment Server 1.7.0](./PowerAuth-Enrollment-Server-1.7.0.md)
 - [PowerAuth Enrollment Server 1.6.0](./PowerAuth-Enrollment-Server-1.6.0.md)
 - [PowerAuth Enrollment Server 1.5.0](./PowerAuth-Enrollment-Server-1.5.0.md)
 - [PowerAuth Enrollment Server 1.4.0](./PowerAuth-Enrollment-Server-1.4.0.md)

docs/PowerAuth-Enrollment-Server-1.7.0.md

@@ -0,0 +1,12 @@
+# Migration from 1.6.x to 1.7.x
+
+This guide contains instructions for migration from PowerAuth Enrollment Server version `1.6.x` to version `1.7.0`.
+
+
+## REST API
+
+
+### Register for Push Messages (Token)
+
+The endpoint `POST /api/push/device/register/token` now strictly validates `platform` against values `ios`, `android` or `huawei`.
+If you use the PowerAuth SDK, you should not be affected.

docs/onboarding/Configuration-Properties.md

@@ -9,7 +9,6 @@ The Onboarding Server uses the following public configuration properties:
 | `spring.datasource.url` | `jdbc:postgresql://localhost:5432/powerauth` | Database JDBC URL |
 | `spring.datasource.username` | `powerauth` | Database JDBC username |
 | `spring.datasource.password` | `_empty_` | Database JDBC password |
-| `spring.datasource.driver-class-name` | `org.postgresql.Driver` | Datasource JDBC class name | 
 | `spring.jpa.hibernate.ddl-auto` | `none` | Configuration of automatic database schema creation | 
 | `spring.jpa.properties.hibernate.connection.characterEncoding` | `utf8` | Character encoding |
 | `spring.jpa.properties.hibernate.connection.useUnicode` | `true` | Character encoding - Unicode support |
@@ -46,7 +45,6 @@ The Onboarding Server uses the following public configuration properties:
 | `enrollment-server-onboarding.identity-verification.otp.enabled` | `true` | Whether OTP verification is enabled during identity verification. |
 | `enrollment-server-onboarding.identity-verification.max-failed-attempts` | `5` | Maximum failed attempts for identity verification. |
 | `enrollment-server-onboarding.identity-verification.max-failed-attempts-document-upload` | `5` | Maximum failed attempts for document upload. |
-| `enrollment-server-onboarding.client-evaluation.max-failed-attempts` | `5` | Maximum failed attempts for client evaluation. |
 
 ## Digital Onboarding Adapter Configuration
 
@@ -69,6 +67,7 @@ The Onboarding Server uses the following public configuration properties:
 | Property | Default | Note |
 |---|---|---|
 | `enrollment-server-onboarding.client-evaluation.max-failed-attempts` | 5 | Number of maximum failed attempts for client evaluation. |
+| `enrollment-server-onboarding.client-evaluation.include-extracted-data` | `false` | Include extracted data to the evaluate client request. The format of extracted data is defined by the provider of document verification. |
 
 ## Document Verification Provider Configuration
 
@@ -170,6 +169,8 @@ logging.pattern.console=%clr(%d{${LOG_DATEFORMAT_PATTERN:yyyy-MM-dd HH:mm:ss.SSS
 
 
 ## Monitoring and Observability
-
+| Property                                  | Default | Note                                                                                                                                                                        |
+|-------------------------------------------|---------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `management.tracing.sampling.probability` | `1.0`   | Specifies the proportion of requests that are sampled for tracing. A value of 1.0 means that 100% of requests are sampled, while a value of 0 effectively disables tracing. |
 The WAR file includes the `micrometer-registry-prometheus` dependency.
 Discuss its configuration with the [Spring Boot documentation](https://docs.spring.io/spring-boot/docs/3.1.x/reference/html/actuator.html#actuator.metrics).

docs/onboarding/Configuration-Verification-Providers.md

@@ -11,7 +11,7 @@ The document verification process is currently supported for following providers
 
 ### ZenID
 
-#### Configuration - API key
+#### API key
 
 The authorization of all API calls is secured by an API key value. It has to be sent as the `Authorization: api_key VALUE` header value.
 Check the bottom of the `Manual/Configuration` page for more details.
@@ -21,7 +21,7 @@ The API key value can be configured/get from the `Access` page configuration:
 - Condition: `ApiKeyEqualsValue`
 - Value: the value here is the value of the API key
 
-#### Configuration - Validators
+#### Validators
 
 It is recommended to create a custom validation profile. The sensitivity of selected validators can be tuned-up or disabled completely at the `Sensitivity` page.
 The profile can be then set as the default or specified in the configuration properties.
@@ -32,14 +32,49 @@ When calling `document-verification/init-sdk` following implementation fields ar
 - Init token - send a token value `sdk-init-token` in the request body `attributes` map field
 - SDK response - receive the value under `zenid-sdk-init-response` from the response `attributes` map field
 
+### Innovatrics
+
+Innovatrics documentation for developers can be found at [this link](https://developers.innovatrics.com/digital-onboarding/technical/remote/dot-dis/latest/documentation/).
+
+#### OCR Threshold
+
+During a document validation Innovatrics provides a list of fields extracted from the document, that have OCR
+confidence lower than configurable threshold. If the list is not empty, there is a high probability that some
+information is read incorrectly. For that reason, this document will be rejected. The OCR confidence threshold is `0.92`
+by default, and can be tuned using `innovatrics.dot.dis.customer.document.inspection.ocr-text-field-threshold`.
+
+#### Text Consistency
+
+For each document Innovatrics tries to read visual zone, machine-readable zone and barcode. These isolated parts are
+cross-checked during a document validation by Innovatrics. If there are inconsistency between visual zone and
+machine-readable zone, or between visual-zone and barcode, the document will be rejected. However, some editions of
+identification documents are inconsistent by design. To prevent false rejection of those document modify the
+configuration.   
+Following example excludes `issuingAuthority` field of Czech identity card 2005 edition from text consistency check:
+
+```yml
+innovatrics:
+  dot:
+    dis:
+      customer:
+        document:
+          inspection:
+            text-consistency-check:
+              CZE_identity-card_2005-01-01:
+                exclusions:
+                  - issuingAuthority
+```
+
+The format of the document name is `{country}_{type}_{edition}` according to the response of `/metadata` request.
+
 ## Presence Check
 
 The document verification process is currently supported for following providers:
 - [iProov](https://www.iproov.com/) - use value `iproov` in configuration
 - [Innovatrics](https://www.innovatrics.com/) - use value `innovatrics` in configuration
 - Mock - useful for simple testing and local runs - use value `mock` in configuration
 
-#### Configuration
+### iProov
 
 There are a few needed configuration changes to bring a successful integration. All the following configuration tuning
 has to be requested from the iProov's [support team](https://iproov.freshdesk.com/support/login) on a per-service basis:

enrollment-server-api-model/pom.xml

@@ -30,7 +30,7 @@
     <parent>
         <groupId>com.wultra.security</groupId>
         <artifactId>enrollment-server-parent</artifactId>
-        <version>1.6.0</version>
+        <version>1.7.0</version>
     </parent>
 
     <dependencies>
@@ -43,6 +43,11 @@
             <groupId>io.swagger.core.v3</groupId>
             <artifactId>swagger-annotations-jakarta</artifactId>
         </dependency>
+
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-annotations</artifactId>
+        </dependency>
     </dependencies>
 
     <profiles>

enrollment-server-api-model/src/main/java/com/wultra/app/enrollmentserver/api/model/enrollment/request/PushRegisterRequest.java

@@ -18,19 +18,44 @@
 
 package com.wultra.app.enrollmentserver.api.model.enrollment.request;
 
+import com.fasterxml.jackson.annotation.JsonProperty;
+import io.swagger.v3.oas.annotations.media.Schema;
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.NotNull;
 import lombok.Data;
+import lombok.ToString;
 
 /**
- * Class representing a device registration request. The supported platform
- * values are 'ios' and 'android'. The push token is the value received from
- * APNS or FCM services without any modification.
+ * Class representing a device registration request.
  *
  * @author Petr Dvorak, petr@wultra.com
  */
 @Data
 public class PushRegisterRequest {
 
-    private String platform;
+    /**
+     * The platform.
+     */
+    @NotNull
+    private Platform platform;
+
+    /**
+     * The push token is the value received from APNS, FCM, or HMS services without any modification.
+     */
+    @NotBlank
+    @ToString.Exclude
+    @Schema(description = "The push token is the value received from APNS, FCM, or HMS services without any modification.")
     private String token;
 
+    public enum Platform {
+        @JsonProperty("ios")
+        IOS,
+
+        @JsonProperty("android")
+        ANDROID,
+
+        @JsonProperty("huawei")
+        HUAWEI
+    }
+
 }