Merge develop to master

Dockerfile

@@ -1,4 +1,4 @@
-FROM ibm-semeru-runtimes:open-17.0.9_9-jre
+FROM ibm-semeru-runtimes:open-21.0.1_12-jre
 LABEL maintainer="petr@wultra.com"
 
 # Prepare environment variables

docs/Configuration-Properties.md

@@ -9,7 +9,6 @@ The Enrollment Server uses the following public configuration properties:
 | `spring.datasource.url` | `_empty_` | Database JDBC URL |
 | `spring.datasource.username` | `_empty_` | Database JDBC username |
 | `spring.datasource.password` | `_empty_` | Database JDBC password |
-| `spring.datasource.driver-class-name` | `_empty_` | Datasource JDBC class name | 
 | `spring.jpa.hibernate.ddl-auto` | `none` | Configuration of automatic database schema creation | 
 | `spring.jpa.properties.hibernate.connection.characterEncoding` | `_empty_` | Character encoding |
 | `spring.jpa.properties.hibernate.connection.useUnicode` | `_empty_` | Character encoding - Unicode support |
@@ -63,6 +62,8 @@ logging.pattern.console=%clr(%d{${LOG_DATEFORMAT_PATTERN:yyyy-MM-dd HH:mm:ss.SSS
 
 
 ## Monitoring and Observability
-
+| Property                                  | Default | Note                                                                                                                                                                        |
+|-------------------------------------------|---------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `management.tracing.sampling.probability` | `1.0`   | Specifies the proportion of requests that are sampled for tracing. A value of 1.0 means that 100% of requests are sampled, while a value of 0 effectively disables tracing. |
 The WAR file includes the `micrometer-registry-prometheus` dependency.
 Discuss its configuration with the [Spring Boot documentation](https://docs.spring.io/spring-boot/docs/3.1.x/reference/html/actuator.html#actuator.metrics).

docs/Migration-Instructions.md

@@ -2,6 +2,7 @@
 
 This page contains PowerAuth Enrollment Server migration instructions.
 
+- [PowerAuth Enrollment Server 1.7.0](./PowerAuth-Enrollment-Server-1.7.0.md)
 - [PowerAuth Enrollment Server 1.6.0](./PowerAuth-Enrollment-Server-1.6.0.md)
 - [PowerAuth Enrollment Server 1.5.0](./PowerAuth-Enrollment-Server-1.5.0.md)
 - [PowerAuth Enrollment Server 1.4.0](./PowerAuth-Enrollment-Server-1.4.0.md)

docs/PowerAuth-Enrollment-Server-1.7.0.md

@@ -0,0 +1,12 @@
+# Migration from 1.6.x to 1.7.x
+
+This guide contains instructions for migration from PowerAuth Enrollment Server version `1.6.x` to version `1.7.0`.
+
+
+## REST API
+
+
+### Register for Push Messages (Token)
+
+The endpoint `POST /api/push/device/register/token` now strictly validates `platform` against values `ios`, `android` or `huawei`.
+If you use the PowerAuth SDK, you should not be affected.

docs/onboarding/Configuration-Properties.md

@@ -9,7 +9,6 @@ The Onboarding Server uses the following public configuration properties:
 | `spring.datasource.url` | `jdbc:postgresql://localhost:5432/powerauth` | Database JDBC URL |
 | `spring.datasource.username` | `powerauth` | Database JDBC username |
 | `spring.datasource.password` | `_empty_` | Database JDBC password |
-| `spring.datasource.driver-class-name` | `org.postgresql.Driver` | Datasource JDBC class name | 
 | `spring.jpa.hibernate.ddl-auto` | `none` | Configuration of automatic database schema creation | 
 | `spring.jpa.properties.hibernate.connection.characterEncoding` | `utf8` | Character encoding |
 | `spring.jpa.properties.hibernate.connection.useUnicode` | `true` | Character encoding - Unicode support |
@@ -46,7 +45,6 @@ The Onboarding Server uses the following public configuration properties:
 | `enrollment-server-onboarding.identity-verification.otp.enabled` | `true` | Whether OTP verification is enabled during identity verification. |
 | `enrollment-server-onboarding.identity-verification.max-failed-attempts` | `5` | Maximum failed attempts for identity verification. |
 | `enrollment-server-onboarding.identity-verification.max-failed-attempts-document-upload` | `5` | Maximum failed attempts for document upload. |
-| `enrollment-server-onboarding.client-evaluation.max-failed-attempts` | `5` | Maximum failed attempts for client evaluation. |
 
 ## Digital Onboarding Adapter Configuration
 
@@ -69,6 +67,7 @@ The Onboarding Server uses the following public configuration properties:
 | Property | Default | Note |
 |---|---|---|
 | `enrollment-server-onboarding.client-evaluation.max-failed-attempts` | 5 | Number of maximum failed attempts for client evaluation. |
+| `enrollment-server-onboarding.client-evaluation.include-extracted-data` | `false` | Include extracted data to the evaluate client request. The format of extracted data is defined by the provider of document verification. |
 
 ## Document Verification Provider Configuration
 
@@ -170,6 +169,8 @@ logging.pattern.console=%clr(%d{${LOG_DATEFORMAT_PATTERN:yyyy-MM-dd HH:mm:ss.SSS
 
 
 ## Monitoring and Observability
-
+| Property                                  | Default | Note                                                                                                                                                                        |
+|-------------------------------------------|---------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `management.tracing.sampling.probability` | `1.0`   | Specifies the proportion of requests that are sampled for tracing. A value of 1.0 means that 100% of requests are sampled, while a value of 0 effectively disables tracing. |
 The WAR file includes the `micrometer-registry-prometheus` dependency.
 Discuss its configuration with the [Spring Boot documentation](https://docs.spring.io/spring-boot/docs/3.1.x/reference/html/actuator.html#actuator.metrics).

docs/onboarding/Configuration-Verification-Providers.md

@@ -11,7 +11,7 @@ The document verification process is currently supported for following providers
 
 ### ZenID
 
-#### Configuration - API key
+#### API key
 
 The authorization of all API calls is secured by an API key value. It has to be sent as the `Authorization: api_key VALUE` header value.
 Check the bottom of the `Manual/Configuration` page for more details.
@@ -21,7 +21,7 @@ The API key value can be configured/get from the `Access` page configuration:
 - Condition: `ApiKeyEqualsValue`
 - Value: the value here is the value of the API key
 
-#### Configuration - Validators
+#### Validators
 
 It is recommended to create a custom validation profile. The sensitivity of selected validators can be tuned-up or disabled completely at the `Sensitivity` page.
 The profile can be then set as the default or specified in the configuration properties.
@@ -32,14 +32,49 @@ When calling `document-verification/init-sdk` following implementation fields ar
 - Init token - send a token value `sdk-init-token` in the request body `attributes` map field
 - SDK response - receive the value under `zenid-sdk-init-response` from the response `attributes` map field
 
+### Innovatrics
+
+Innovatrics documentation for developers can be found at [this link](https://developers.innovatrics.com/digital-onboarding/technical/remote/dot-dis/latest/documentation/).
+
+#### OCR Threshold
+
+During a document validation Innovatrics provides a list of fields extracted from the document, that have OCR
+confidence lower than configurable threshold. If the list is not empty, there is a high probability that some
+information is read incorrectly. For that reason, this document will be rejected. The OCR confidence threshold is `0.92`
+by default, and can be tuned using `innovatrics.dot.dis.customer.document.inspection.ocr-text-field-threshold`.
+
+#### Text Consistency
+
+For each document Innovatrics tries to read visual zone, machine-readable zone and barcode. These isolated parts are
+cross-checked during a document validation by Innovatrics. If there are inconsistency between visual zone and
+machine-readable zone, or between visual-zone and barcode, the document will be rejected. However, some editions of
+identification documents are inconsistent by design. To prevent false rejection of those document modify the
+configuration.   
+Following example excludes `issuingAuthority` field of Czech identity card 2005 edition from text consistency check:
+
+```yml
+innovatrics:
+  dot:
+    dis:
+      customer:
+        document:
+          inspection:
+            text-consistency-check:
+              CZE_identity-card_2005-01-01:
+                exclusions:
+                  - issuingAuthority
+```
+
+The format of the document name is `{country}_{type}_{edition}` according to the response of `/metadata` request.
+
 ## Presence Check
 
 The document verification process is currently supported for following providers:
 - [iProov](https://www.iproov.com/) - use value `iproov` in configuration
 - [Innovatrics](https://www.innovatrics.com/) - use value `innovatrics` in configuration
 - Mock - useful for simple testing and local runs - use value `mock` in configuration
 
-#### Configuration
+### iProov
 
 There are a few needed configuration changes to bring a successful integration. All the following configuration tuning
 has to be requested from the iProov's [support team](https://iproov.freshdesk.com/support/login) on a per-service basis:

enrollment-server-api-model/pom.xml

@@ -30,7 +30,7 @@
     <parent>
         <groupId>com.wultra.security</groupId>
         <artifactId>enrollment-server-parent</artifactId>
-        <version>1.6.0</version>
+        <version>1.7.0-SNAPSHOT</version>
     </parent>
 
     <dependencies>
@@ -43,6 +43,11 @@
             <groupId>io.swagger.core.v3</groupId>
             <artifactId>swagger-annotations-jakarta</artifactId>
         </dependency>
+
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-annotations</artifactId>
+        </dependency>
     </dependencies>
 
     <profiles>

enrollment-server-api-model/src/main/java/com/wultra/app/enrollmentserver/api/model/enrollment/request/PushRegisterRequest.java

@@ -18,19 +18,44 @@
 
 package com.wultra.app.enrollmentserver.api.model.enrollment.request;
 
+import com.fasterxml.jackson.annotation.JsonProperty;
+import io.swagger.v3.oas.annotations.media.Schema;
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.NotNull;
 import lombok.Data;
+import lombok.ToString;
 
 /**
- * Class representing a device registration request. The supported platform
- * values are 'ios' and 'android'. The push token is the value received from
- * APNS or FCM services without any modification.
+ * Class representing a device registration request.
  *
  * @author Petr Dvorak, petr@wultra.com
  */
 @Data
 public class PushRegisterRequest {
 
-    private String platform;
+    /**
+     * The platform.
+     */
+    @NotNull
+    private Platform platform;
+
+    /**
+     * The push token is the value received from APNS, FCM, or HMS services without any modification.
+     */
+    @NotBlank
+    @ToString.Exclude
+    @Schema(description = "The push token is the value received from APNS, FCM, or HMS services without any modification.")
     private String token;
 
+    public enum Platform {
+        @JsonProperty("ios")
+        IOS,
+
+        @JsonProperty("android")
+        ANDROID,
+
+        @JsonProperty("huawei")
+        HUAWEI
+    }
+
 }

enrollment-server-onboarding-adapter-mock/pom.xml

@@ -24,7 +24,7 @@
     <parent>
         <groupId>com.wultra.security</groupId>
         <artifactId>enrollment-server-parent</artifactId>
-        <version>1.6.0</version>
+        <version>1.7.0-SNAPSHOT</version>
     </parent>
 
     <artifactId>enrollment-server-onboarding-adapter-mock</artifactId>

enrollment-server-onboarding-api-model/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>com.wultra.security</groupId>
         <artifactId>enrollment-server-parent</artifactId>
-        <version>1.6.0</version>
+        <version>1.7.0-SNAPSHOT</version>
     </parent>
 
     <artifactId>enrollment-server-onboarding-api-model</artifactId>

enrollment-server-onboarding-api/pom.xml

@@ -25,7 +25,7 @@
     <parent>
         <groupId>com.wultra.security</groupId>
         <artifactId>enrollment-server-parent</artifactId>
-        <version>1.6.0</version>
+        <version>1.7.0-SNAPSHOT</version>
     </parent>
 
     <groupId>com.wultra.security</groupId>

enrollment-server-onboarding-common/pom.xml

@@ -24,7 +24,7 @@
     <parent>
         <groupId>com.wultra.security</groupId>
         <artifactId>enrollment-server-parent</artifactId>
-        <version>1.6.0</version>
+        <version>1.7.0-SNAPSHOT</version>
     </parent>
 
     <artifactId>enrollment-server-onboarding-common</artifactId>

enrollment-server-onboarding-common/src/test/resources/application-test.properties

@@ -1,5 +1,4 @@
 spring.datasource.url=jdbc:h2:mem:testdb;DB_CLOSE_ON_EXIT=FALSE
 spring.datasource.username=sa
 spring.datasource.password=password
-spring.datasource.driver-class-name=org.h2.Driver
 spring.jpa.hibernate.ddl-auto=create

enrollment-server-onboarding-domain-model/pom.xml

@@ -30,14 +30,27 @@
     <parent>
         <groupId>com.wultra.security</groupId>
         <artifactId>enrollment-server-parent</artifactId>
-        <version>1.6.0</version>
+        <version>1.7.0-SNAPSHOT</version>
     </parent>
 
     <dependencies>
         <dependency>
             <groupId>io.getlime.security</groupId>
             <artifactId>powerauth-java-crypto</artifactId>
         </dependency>
+
+        <!-- Bouncy Castle -->
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcprov-jdk18on</artifactId>
+        </dependency>
+
+        <!-- Test Dependencies -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-test</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <profiles>

enrollment-server-onboarding-domain-model/src/main/java/com/wultra/app/enrollmentserver/model/integration/OwnerId.java

@@ -17,13 +17,14 @@
  */
 package com.wultra.app.enrollmentserver.model.integration;
 
-import com.google.common.io.BaseEncoding;
 import io.getlime.security.powerauth.crypto.lib.util.Hash;
 import lombok.AccessLevel;
 import lombok.Data;
 import lombok.Setter;
 import lombok.ToString;
+import org.bouncycastle.util.encoders.Base32;
 
+import java.nio.charset.StandardCharsets;
 import java.util.Date;
 
 /**
@@ -73,9 +74,8 @@ public String getUserIdSecured() {
             throw new IllegalStateException("Missing userId value");
         }
         if (userIdSecured == null) {
-            userIdSecured = BaseEncoding.base32()
-                    .omitPadding()
-                    .encode(Hash.sha256(userId));
+            userIdSecured = new String(Base32.encode(Hash.sha256(userId)), StandardCharsets.UTF_8)
+                    .replace("=", "");
             if (userIdSecured.length() > USER_ID_MAX_LENGTH) {
                 userIdSecured = userIdSecured.substring(0, USER_ID_MAX_LENGTH);
             }

enrollment-server-onboarding-domain-model/src/test/java/com/wultra/app/enrollmentserver/model/integration/OwnerIdTest.java

@@ -0,0 +1,40 @@
+/*
+ * PowerAuth Enrollment Server
+ * Copyright (C) 2024 Wultra s.r.o.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published
+ * by the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+package com.wultra.app.enrollmentserver.model.integration;
+
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+/**
+ * Test for {@link OwnerId}.
+ *
+ * @author Lubos Racansky, lubos.racansky@wultra.com
+ */
+class OwnerIdTest {
+
+    @Test
+    void testUserIdSecured() {
+        final OwnerId tested = new OwnerId();
+        tested.setUserId("Joe");
+
+        final String result = tested.getUserIdSecured();
+
+        assertEquals("NXMLPV6TYXCGRGZT4UNZ6EF4NKN6RH7I7IVBE7EMNQB42BOWRLHA", result);
+    }
+}

enrollment-server-onboarding-provider-innovatrics/pom.xml

@@ -25,7 +25,7 @@
     <parent>
         <groupId>com.wultra.security</groupId>
         <artifactId>enrollment-server-parent</artifactId>
-        <version>1.6.0</version>
+        <version>1.7.0-SNAPSHOT</version>
     </parent>
 
     <groupId>com.wultra.security</groupId>