Merge develop to master

.github/dependabot.yml

@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "maven"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/coverity-scan.yml

@@ -0,0 +1,16 @@
+name: Run Coverity scan and upload results
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron:  '0 10 1 * *'    # monthly
+
+
+jobs:
+  coverity-scan:
+    uses: wultra/wultra-infrastructure/.github/workflows/coverity-scan.yml@develop
+    secrets: inherit
+    with:
+      project-name: ${{ github.event.repository.name }}
+      version: ${{ github.sha }}
+      description: ${{ github.ref }}

.github/workflows/maven-deploy.yml

@@ -0,0 +1,52 @@
+name: Deploy with Maven
+
+on:
+  workflow_dispatch:
+    branches:
+      - 'develop'
+      - 'master'
+      - 'releases/*'
+      - 'test/ci'
+    inputs:
+      release_type:
+        type: choice
+        description: releasing to snapshot or release
+        default: snapshot
+        options:
+          - snapshot
+          - release
+      environment:
+        type: environment
+        default: internal-publish
+        description: internal or external repository
+  push:
+    branches:
+     - 'develop'
+     - 'test/ci'
+
+
+
+jobs:
+  maven-deploy-push:
+    if: ${{ github.event_name == 'push' }}
+    name: Deploy to jfrog
+    uses: wultra/wultra-infrastructure/.github/workflows/maven-deploy.yml@develop
+    with:
+      environment: internal-publish
+      release_type: snapshot
+    secrets:
+      username: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
+      password: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
+
+  maven-deploy-manual:
+    if: ${{ github.event_name == 'workflow_dispatch' }}
+    name: Deploy by parameter
+    uses: wultra/wultra-infrastructure/.github/workflows/maven-deploy.yml@develop
+    with:
+      environment: ${{ inputs.environment }}
+      release_type: ${{ inputs.release_type }}
+    secrets:
+      username: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
+      password: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
+      gpg_passphrase: ${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}
+      gpg_key: ${{ secrets.OSSRH_GPG_SECRET_KEY }}

.github/workflows/maven-test.yml

@@ -0,0 +1,18 @@
+name: Test with Maven
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+      - 'releases/**'
+  pull_request:
+    branches:
+      - 'develop'
+      - 'master'
+      - 'releases/**'
+
+jobs:
+  maven-tests:
+    uses: wultra/wultra-infrastructure/.github/workflows/maven-test.yml@develop
+    secrets: inherit

.github/workflows/owasp-dependecy-check.yml

@@ -0,0 +1,12 @@
+name: Run OWASP Dependency Check
+on:
+  workflow_dispatch:
+
+  push:
+    branches:
+      - 'develop'
+
+jobs:
+  owasp-check:
+      uses: wultra/wultra-infrastructure/.github/workflows/owasp-dependency-check.yml@develop
+      secrets: inherit

.gitignore

@@ -22,3 +22,7 @@ dist/
 
 ### JRebel
 rebel.xml
+
+### Swagger
+.swagger-codegen
+.swagger-codegen-ignore

.run/EnrollmentServerApplication.run.xml

@@ -0,0 +1,16 @@
+<component name="ProjectRunConfigurationManager">
+  <configuration default="false" name="EnrollmentServerApplication" type="SpringBootApplicationConfigurationType" factoryName="Spring Boot">
+    <option name="ACTIVE_PROFILES" value="dev" />
+    <envs>
+      <env name="JDBC_DATABASE_SCHEMA" value="powerauth" />
+      <env name="JDBC_DATABASE_USERNAME" value="powerauth" />
+      <env name="JDBC_DATABASE_PASSWORD" value="" />
+    </envs>
+    <module name="enrollment-server" />
+    <option name="SPRING_BOOT_MAIN_CLASS" value="com.wultra.app.enrollmentserver.EnrollmentServerApplication" />
+    <option name="VM_PARAMETERS" value="-Dserver.servlet.context-path=/enrollment-server -Dserver.port=8081" />
+    <method v="2">
+      <option name="Make" enabled="true" />
+    </method>
+  </configuration>
+</component>

.run/EnrollmentServerOnboardingApplication.run.xml

@@ -0,0 +1,16 @@
+<component name="ProjectRunConfigurationManager">
+  <configuration default="false" name="EnrollmentServerOnboardingApplication" type="SpringBootApplicationConfigurationType" factoryName="Spring Boot">
+    <option name="ACTIVE_PROFILES" value="dev" />
+    <envs>
+      <env name="JDBC_DATABASE_SCHEMA" value="powerauth" />
+      <env name="JDBC_DATABASE_USERNAME" value="powerauth" />
+      <env name="JDBC_DATABASE_PASSWORD" value="" />
+    </envs>
+    <module name="enrollment-server-onboarding" />
+    <option name="SPRING_BOOT_MAIN_CLASS" value="com.wultra.app.onboardingserver.OnboardingServerApplication" />
+    <option name="VM_PARAMETERS" value="-Dserver.servlet.context-path=/enrollment-server-onboarding -Dserver.port=8083" />
+    <method v="2">
+      <option name="Make" enabled="true" />
+    </method>
+  </configuration>
+</component>

Dockerfile

@@ -0,0 +1,25 @@
+FROM tomcat:jdk11-adoptopenjdk-openj9
+LABEL maintainer="petr@wultra.com"
+
+# Prepare environment variables
+ENV JAVA_HOME /opt/java/openjdk
+ENV TOMCAT_HOME /usr/local/tomcat
+ENV WAR_VERSION 1.4.0
+
+# Clear root context
+RUN rm -rf $TOMCAT_HOME/webapps/*
+
+# Add valve for proxy with SSL termination
+RUN sed -i 's/<\/Host>/<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="X-Forwarded-For" protocolHeader="X-Forwarded-Proto"\/><\/Host>/' $TOMCAT_HOME/conf/server.xml
+
+# Deploy and run applications
+COPY docker/enrollment-server.xml $TOMCAT_HOME/conf/Catalina/localhost/
+COPY target/enrollment-server-$WAR_VERSION.war $TOMCAT_HOME/webapps/enrollment-server.war
+
+# Create user tomcat and run Tomcat under this user
+RUN groupadd -r tomcat
+RUN useradd -r -g tomcat -d $TOMCAT_HOME -s /sbin/nologin tomcat
+RUN chown -R tomcat:tomcat $TOMCAT_HOME
+
+USER tomcat
+CMD ["catalina.sh", "run"]

docker/enrollment-server.xml

@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Context>
+
+    <!-- Database Configuration - JDBC -->
+    <Parameter name="spring.datasource.url" value="${ENROLLMENT_SERVER_DATASOURCE_URL}"/>
+    <Parameter name="spring.datasource.username" value="${ENROLLMENT_SERVER_DATASOURCE_USERNAME}"/>
+    <Parameter name="spring.datasource.password" value="${ENROLLMENT_SERVER_DATASOURCE_PASSWORD}"/>
+    <Parameter name="spring.datasource.driver-class-name" value="${ENROLLMENT_SERVER_DATASOURCE_DRIVER}"/>
+    <Parameter name="spring.jpa.hibernate.ddl-auto" value="${ENROLLMENT_SERVER_JPA_DDL_AUTO}"/>
+
+    <!-- Configuration of Database Charset -->
+    <Parameter name="spring.jpa.properties.hibernate.connection.CharSet" value="${ENROLLMENT_SERVER_JPA_CHARSET}"/>
+    <Parameter name="spring.jpa.properties.hibernate.connection.characterEncoding" value="${ENROLLMENT_SERVER_JPA_CHARACTER_ENCODING}"/>
+    <Parameter name="spring.jpa.properties.hibernate.connection.useUnicode" value="${ENROLLMENT_SERVER_JPA_USE_UNICODE}"/>
+
+    <!-- Additional JPA Configuration -->
+    <Parameter name="spring.jpa.database-platform" value="${ENROLLMENT_SERVER_JPA_DATABASE_PLATFORM}"/>
+
+    <!-- Database Lock Timeout Configuration -->
+    <Parameter name="spring.jpa.properties.lock.timeout" value="${ENROLLMENT_SERVER_JPA_LOCK_TIMEOUT}"/>
+
+    <!-- Database Configuration - JNDI -->
+    <Parameter name="spring.datasource.jndi-name" value="${ENROLLMENT_SERVER_DATASOURCE_JNDI_NAME}"/>
+
+    <!-- JMX Configuration -->
+    <Parameter name="spring.jmx.enabled" value="${ENROLLMENT_SERVER_SPRING_JMX_ENABLED}"/>
+    <Parameter name="spring.jmx.default-domain" value="${ENROLLMENT_SERVER_SPRING_JMX_DEFAULT_DOMAIN}"/>
+
+    <!-- PowerAuth Service Configuration -->
+    <Parameter name="powerauth.service.url" value="${ENROLLMENT_SERVER_POWERAUTH_SERVICE_URL}"/>
+    <Parameter name="powerauth.service.security.clientToken" value="${ENROLLMENT_SERVER_SECURITY_CLIENT_TOKEN}"/>
+    <Parameter name="powerauth.service.security.clientSecret" value="${ENROLLMENT_SERVER_SECURITY_CLIENT_SECRET}"/>
+
+    <!-- PowerAuth Push Service Configuration -->
+    <Parameter name="powerauth.push.service.url" value="${ENROLLMENT_SERVER_PUSH_SERVER_URL}"/>
+
+    <!-- Enrollment Server Configuration -->
+    <Parameter name="enrollment-server.mtoken.enabled" value="${ENROLLMENT_SERVER_MTOKEN_ENABLED}"/>
+    <Parameter name="enrollment-server.inbox.enabled" value="${ENROLLMENT_SERVER_INBOX_ENABLED}"/>
+    <Parameter name="enrollment-server.activation-spawn.enabled" value="${ENROLLMENT_SERVER_ACTIVATION_SPAWN_ENABLED}"/>
+    <Parameter name="enrollment-server.mobile-application.ios.current-version" value="${ENROLLMENT_SERVER_MOBILE_APPLICATION_IOS_CURRENT_VERSION}"/>
+    <Parameter name="enrollment-server.mobile-application.ios.minimal-version" value="${ENROLLMENT_SERVER_MOBILE_APPLICATION_IOS_MINIMAL_VERSION}"/>
+    <Parameter name="enrollment-server.mobile-application.android.current-version" value="${ENROLLMENT_SERVER_MOBILE_APPLICATION_ANDROID_CURRENT_VERSION}"/>
+    <Parameter name="enrollment-server.mobile-application.android.minimal-version" value="${ENROLLMENT_SERVER_MOBILE_APPLICATION_ANDROID_MINIMAL_VERSION}"/>
+
+    <!--  Correlation HTTP Header Configuration  -->
+    <Parameter name="powerauth.service.correlation-header.enabled" value="${ENROLLMENT_SERVER_CORRELATION_HEADER_ENABLED}"/>
+    <Parameter name="powerauth.service.correlation-header.name" value="${ENROLLMENT_SERVER_CORRELATION_HEADER_NAME}"/>
+    <Parameter name="powerauth.service.correlation-header.value.validation-regexp" value="${ENROLLMENT_SERVER_CORRELATION_HEADER_VALUE_VALIDATION_REGEXP}"/>
+</Context>

docker/env.list.tmp

@@ -0,0 +1,27 @@
+ENROLLMENT_SERVER_POWERAUTH_SERVICE_URL=http://localhost:8080/powerauth-java-server/rest
+ENROLLMENT_SERVER_SECURITY_CLIENT_TOKEN=
+ENROLLMENT_SERVER_SECURITY_CLIENT_SECRET=
+ENROLLMENT_SERVER_PUSH_SERVER_URL=
+ENROLLMENT_SERVER_MTOKEN_ENABLED=true
+ENROLLMENT_SERVER_INBOX_ENABLED=true
+ENROLLMENT_SERVER_ACTIVATION_SPAWN_ENABLED=false
+ENROLLMENT_SERVER_MOBILE_APPLICATION_IOS_CURRENT_VERSION=2.0.0
+ENROLLMENT_SERVER_MOBILE_APPLICATION_IOS_MINIMAL_VERSION=1.5.4
+ENROLLMENT_SERVER_MOBILE_APPLICATION_ANDROID_CURRENT_VERSION=1.5.4
+ENROLLMENT_SERVER_MOBILE_APPLICATION_ANDROID_MINIMAL_VERSION=1.4.0
+ENROLLMENT_SERVER_CORRELATION_HEADER_ENABLED=false
+ENROLLMENT_SERVER_CORRELATION_HEADER_NAME=X-Correlation-ID
+ENROLLMENT_SERVER_CORRELATION_HEADER_VALUE_VALIDATION_REGEXP=[a-zA-Z0-9\\-]{8,1024}
+ENROLLMENT_SERVER_DATASOURCE_URL=
+ENROLLMENT_SERVER_DATASOURCE_USERNAME=
+ENROLLMENT_SERVER_DATASOURCE_PASSWORD=
+ENROLLMENT_SERVER_DATASOURCE_DRIVER=
+ENROLLMENT_SERVER_JPA_DDL_AUTO=
+ENROLLMENT_SERVER_JPA_CHARSET=
+ENROLLMENT_SERVER_JPA_CHARACTER_ENCODING=
+ENROLLMENT_SERVER_JPA_USE_UNICODE=
+ENROLLMENT_SERVER_JPA_DATABASE_PLATFORM=
+ENROLLMENT_SERVER_JPA_LOCK_TIMEOUT=
+ENROLLMENT_SERVER_DATASOURCE_JNDI_NAME=
+ENROLLMENT_SERVER_SPRING_JMX_ENABLED=
+ENROLLMENT_SERVER_SPRING_JMX_DEFAULT_DOMAIN=

docs-private/Developer-How-To-Start.md

@@ -0,0 +1,22 @@
+# Developer - How to Start Guide
+
+
+## Enrollment Server
+
+
+### Standalone Run
+
+- Enable maven profile `standalone`
+- Use IntelliJ Idea run configuration at `../.run/EnrollmentServerApplication.run.xml`
+- Open [http://localhost:8081/enrollment-server/actuator/health](http://localhost:8081/enrollment-server/actuator/health) and you should get `{"status":"UP"}`
+
+
+## Enrollment Server Onboarding
+
+
+### Standalone Run
+
+- Enable maven profile `standalone`
+- Use IntelliJ Idea run configuration at `../.run/EnrollmentServerOnboardingApplication.run.xml`
+- Open [http://localhost:8083/enrollment-server-onboarding/actuator/health](http://localhost:8083/enrollment-server-onboarding/actuator/health) and you should get `{"status":"UP"}`
+

docs-private/Integration.md

@@ -0,0 +1,23 @@
+# External providers
+
+## API schema
+To update API schema use `https://editor.swagger.io/#/` to get the yaml version
+1. File -> Import
+2. File -> Save as YAML
+3. Update the schema files in the `src/main/resources/api` 
+
+## Presence check providers
+
+### iProov
+The [iProov](https://www.iproov.com/) solution can be used for the presence check phase.
+
+There has to be enabled per service feature to get the user's selfie from the verified person check.
+
+[claim validation response](https://secure.iproov.me/docs.html#operation/userVerifyValidate)
+- frame_available
+```
+Present and True if there is frame available for returning to the integrator.
+
+Enabled on a per service provider basis. Contact support@iproov.com to request this functionality.
+```
+- the jpeg is base64 encoded with escaped slashes (https://stackoverflow.com/questions/1580647/json-why-are-forward-slashes-escaped)

docs-private/Testing.md

@@ -0,0 +1,28 @@
+# Testing guidelines and approaches
+
+## Integration tests on external services
+
+There are prepared basic integration tests on external services. All such tests 
+are [tagged](https://junit.org/junit5/docs/current/user-guide/#writing-tests-tagging-and-filtering) with `external-service`.
+None of these tests is run during a standard build by default. Run maven command with `-Dgroups="external-service"` to include
+also all tests on external services.
+
+Following subchapters list needed system variables to be defined before run of the tests.
+
+### iProov
+
+Following system variables need to be defined:
+- IPROOV_API_KEY - api key value
+- IPROOV_API_SECRET - api secret value
+- IPROOV_ASSURANCE_TYPE - assurance type of the claim, accepts `genuine_presence` (default) or `liveness` values
+- IPROOV_RISK_PROFILE - optional configuration of risk tolerance for an authentication attempt
+- IPROOV_SERVICE_BASE_URL - e.g. `https://secure.iproov.me/api/v2`
+- IPROOV_SERVICE_HOSTNAME - hostname value where the service runs, used in the `Host` header, e.g. `secure.iproov.me`
+
+### ZenID
+
+Following system variables need to be defined:
+- ZENID_ASYNC_PROCESSING_ENABLED - allows asynchronous processing, accepts `true` or `false` values
+- ZENID_NTLM_USERNAME - a username value for the ntlm authentication
+- ZENID_NTLM_PASSWORD - a password value for the ntlm authentication
+- ZENID_SERVICE_BASE_URL - hostname value where the service runs, used in the `Host` header, e.g. `secure.iproov.me`

docs/Configuration-Properties.md

@@ -0,0 +1,51 @@
+# Configuration Properties
+
+The Enrollment Server uses the following public configuration properties:
+
+## Database Configuration
+
+| Property | Default | Note |
+|---|---|---|
+| `spring.datasource.url` | `_empty_` | Database JDBC URL |
+| `spring.datasource.username` | `_empty_` | Database JDBC username |
+| `spring.datasource.password` | `_empty_` | Database JDBC password |
+| `spring.datasource.driver-class-name` | `_empty_` | Datasource JDBC class name | 
+| `spring.jpa.database-platform` | `_empty_` | Database dialect | 
+| `spring.jpa.hibernate.ddl-auto` | `none` | Configuration of automatic database schema creation | 
+| `spring.jpa.properties.hibernate.connection.characterEncoding` | `_empty_` | Character encoding |
+| `spring.jpa.properties.hibernate.connection.useUnicode` | `_empty_` | Character encoding - Unicode support |
+
+## PowerAuth Service Configuration
+
+| Property | Default | Note |
+|---|---|---|
+| `powerauth.service.url` | `http://localhost:8080/powerauth-java-server/rest` | PowerAuth service REST API base URL. | 
+| `powerauth.service.security.clientToken` | `_empty_` | PowerAuth REST API authentication token. | 
+| `powerauth.service.security.clientSecret` | `_empty_` | PowerAuth REST API authentication secret / password. |
+
+## PowerAuth Push Service Configuration
+
+| Property | Default | Note |
+|---|---|---|
+| `powerauth.push.service.url` | `http://localhost:8080/powerauth-push-server` | PowerAuth Push service REST API base URL. |
+
+## Enrollment Server Configuration
+
+| Property | Default | Note |
+|---|---|---|
+| `enrollment-server.mtoken.enabled` | `true` | Publishing of Mobile Token endpoints can be enabled or disabled using this property. |
+| `enrollment-server.inbox.enabled` | `true` | Publishing of Inbox endpoints can be enabled or disabled using this property. |
+| `enrollment-server.activation-spawn.enabled` | `false` | The activation spawn functionality can be enabled or disabled using this property. |
+| `enrollment-server.mobile-application.ios.current-version` | `2.0.0` | Current version of iOS mobile app. |
+| `enrollment-server.mobile-application.ios.minimal-version` | `1.5.4` | Optional minimal version of iOS mobile app. | 
+| `enrollment-server.mobile-application.android.current-version` | `1.5.4` | Current version of Android mobile app. |
+| `enrollment-server.mobile-application.android.minimal-version` | `1.4.0` | Optional minimal version of android mobile app. |
+
+## Correlation HTTP Header Configuration
+
+| Property | Default | Note |
+|---|---|---|
+| `powerauth.service.correlation-header.enabled` | `false` | Whether correlation header is enabled |
+| `powerauth.service.correlation-header.name` | `X-Correlation-ID` | Correlation header name |
+| `powerauth.service.correlation-header.value.validation-regexp` | `[a-zA-Z0-9\\-]{8,1024}` | Regular expression for correlation header value validation |
+| `logging.pattern.console` | [See application.properties](https://github.com/wultra/enrollment-server/blob/develop/enrollment-server/src/main/resources/application.properties#L160) | Logging pattern for console which includes the correlation header value |