Merge pull request #983 from wultra/develop

Merge develop to master

Author: romanstrobl

.github/dependabot.yml

@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "maven"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/codeql-analysis.yml

@@ -1,67 +1,21 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
 name: "CodeQL"
 
 on:
+  workflow_dispatch:
   push:
-    branches: [ develop, master ]
+    branches: [ 'develop', 'master', 'releases/**' ]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ develop ]
+    branches: [ 'develop', 'master', 'releases/**' ]
   schedule:
-    - cron: '19 8 * * 5'
+    - cron: '0 2 * * 4'
 
 jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [ 'java', 'javascript' ]
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
-        # Learn more:
-        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v2
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
-      with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-        # queries: ./path/to/local/query, your-org/your-repo/queries@main
-
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
-
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
-
-    #- run: |
-    #   make bootstrap
-    #   make release
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+  codeql-analysis:
+    uses: wultra/wultra-infrastructure/.github/workflows/codeql-analysis.yml@develop
+    secrets: inherit
+    with:
+      languages: "['java', 'javascript']"
+      # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+      # Use only 'java' to analyze code written in Java, Kotlin or both
+      # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both

.github/workflows/owas-dependecy-check.yml

@@ -1,6 +1,6 @@
 <component name="ProjectRunConfigurationManager">
   <configuration default="false" name="PowerAuthAdminApplication" type="SpringBootApplicationConfigurationType" factoryName="Spring Boot">
-    <option name="ACTIVE_PROFILES" />
+    <option name="ACTIVE_PROFILES" value="dev" />
     <option name="DEBUG_MODE" value="true" />
     <module name="powerauth-admin" />
     <option name="SPRING_BOOT_MAIN_CLASS" value="io.getlime.security.app.admin.PowerAuthAdminApplication" />

.run/PowerAuthAdminApplication.run.xml

@@ -1,10 +1,14 @@
 <component name="ProjectRunConfigurationManager">
   <configuration default="false" name="PowerAuthServerApplication" type="SpringBootApplicationConfigurationType" factoryName="Spring Boot">
+    <option name="ACTIVE_PROFILES" value="dev" />
+    <option name="DEBUG_MODE" value="true" />
     <module name="powerauth-java-server" />
     <option name="SPRING_BOOT_MAIN_CLASS" value="io.getlime.security.powerauth.app.server.Application" />
     <option name="VM_PARAMETERS" value="-Dserver.servlet.context-path=/powerauth-java-server" />
+    <option name="WORKING_DIRECTORY" value="file://$MODULE_WORKING_DIR$" />
     <method v="2">
       <option name="Make" enabled="true" />
+      <option name="Maven.BeforeRunTask" enabled="true" file="$PROJECT_DIR$/powerauth-java-server/pom.xml" goal="process-resources" />
     </method>
   </configuration>
 </component>

.run/PowerAuthServerApplication.run.xml

@@ -11,6 +11,19 @@
 - Open [http://localhost:8080/powerauth-java-server/actuator/health](http://localhost:8080/powerauth-java-server/actuator/health) and you should get `{"status":"UP"}`
 
 
+### Database
+
+Database changes are driven by Liquibase.
+
+This is an example how to manually check the Liquibase status.
+Important and fixed parameter is `changelog-file`.
+Others (like URL, username, password) depend on your environment.
+
+```shell
+liquibase --changelog-file=./docs/db/changelog/changesets/powerauth-java-server/db.changelog-module.xml --url=jdbc:postgresql://localhost:5432/powerauth --username=powerauth status
+``` 
+
+
 ## PowerAuth Admin Server
 
 

docs-private/Developer-How-To-Start.md

@@ -1,11 +1,11 @@
 # Configuration of Activation Recovery
 
-PowerAuth Server supports activation recovery in case user loses mobile device or it gets stolen. Activation recovery
+PowerAuth Server supports activation recovery in case user loses mobile device, or it gets stolen. Activation recovery
 can be enabled using PowerAuth Admin.
 
 ## Enabling Activation Recovery
 
-By default activation recovery is disabled, which means that if the user loses the mobile device a new activation needs
+By default, activation recovery is disabled, which means that if the user loses the mobile device a new activation needs
 to be created.
 
 Activation recovery allows recovering the activation using a recovery code and recovery PUK without going through
@@ -26,7 +26,7 @@ You can enable Activation Recovery for Activations using following steps in Powe
 - Enable the `Activation Recovery Enabled` checkbox
 
 From now on the PowerAuth Server will generate recovery codes and PUKs for new activations. Users will be asked
-to write down the recovery code and PUK during an activation and they can use these details to recover an activation
+to write down the recovery code and PUK during an activation, and they can use these details to recover an activation
 later on.
 
 ### Enabling Activation Recovery using Recovery Postcard
@@ -39,14 +39,14 @@ You can enable Activation Recovery using Recovery Postcard using following steps
 - Enabled the `Recovery Postcard Enabled` checkbox
 
 The `Recovery Postcard Public Key` value contains public key for key exchange with Recovery Postcard printing center which represents PowerAuth server.
-This key needs to be entered into the Recovery Postcard Printing Center application and it enables secure sharing of recovery code and PUK data.
+This key needs to be entered into the Recovery Postcard Printing Center application, and it enables secure sharing of recovery code and PUK data.
 
 You need to configure the `Recovery Postcard Printing Center Public Key` which represents the Recovery Postcard printing center.
 This key is provided by the Recovery Postcard Printing Center application and is also required for secure sharing of recovery code and PUK  data.
 
 The checkbox `Allow Multiple Recovery Codes for User` is used to configure whether existing recovery codes for the user need to be revoked before 
 creating another recovery code. In case the checkbox is enabled, it is not necessary to revoke existing codes and multiple recovery postcards can exist.
-Otherwise revoking recovery code is necessary before creating a new recovery code.
+Otherwise, revoking recovery code is necessary before creating a new recovery code.
 
 Once activation recovery using recovery postcard is configured it is possible to create recovery postcards with
 recovery codes and PUKs and distribute them securely to users.

docs/Activation-Recovery.md

@@ -26,24 +26,33 @@ The PowerAuth Server uses the following public configuration properties:
 
 ## Activation and Cryptography Configuration
 
-| Property | Default | Note |
-|---|---|---|
-| `powerauth.service.crypto.activationValidityInMilliseconds` | `120000` | Default activation validity period in miliseconds |
-| `powerauth.service.crypto.signatureMaxFailedAttempts` | `5` | Maximum failed attempts for signature verification |
-| `powerauth.service.token.timestamp.validity` | `7200000` |PowerAuth MAC token timestamp validity in miliseconds |
-| `powerauth.service.recovery.maxFailedAttempts` | `5` | Maximum failed attempts for activation recovery |
-| `powerauth.service.secureVault.enableBiometricAuthentication` | `false` | Whether biometric authentication is enabled when accessing Secure Vault |
-| `powerauth.server.db.master.encryption.key` | `_empty_` | Master DB encryption key for decryption of server private key in database |
+| Property                                                           | Default   | Note                                                                                    |
+|--------------------------------------------------------------------|-----------|-----------------------------------------------------------------------------------------|
+| `powerauth.service.crypto.activationValidityInMilliseconds`        | `120000`  | Default activation validity period in miliseconds                                       |
+| `powerauth.service.crypto.signatureMaxFailedAttempts`              | `5`       | Maximum failed attempts for signature verification                                      |
+| `powerauth.service.crypto.requestExpirationInMilliseconds`         | `60000`   | Expiration for ECIES and MAC token requests.                                            |
+| `powerauth.service.crypto.requestExpirationInMillisecondsExtended` | `7200000` | Expiration for ECIES and MAC token requests for protocol versions 3.1 and older.        |
+| `powerauth.service.crypto.replayVerificationService`               | `default` | Request replay verification service, options: `default`, `none`                         |
+| `powerauth.service.token.timestamp.validity`                       | `7200000` | PowerAuth MAC token timestamp validity in miliseconds                                   |
+| `powerauth.service.recovery.maxFailedAttempts`                     | `5`       | Maximum failed attempts for activation recovery                                         |
+| `powerauth.service.secureVault.enableBiometricAuthentication`      | `false`   | Whether biometric authentication is enabled when accessing Secure Vault                 |
+| `powerauth.server.db.master.encryption.key`                        | `_empty_` | Master DB encryption key for decryption of server private key in database               |
+| `powerauth.service.proximity-check.otp.length`                     | `8`       | Length of OTP generated for proximity check                                             |
+| `powerauth.service.pagination.default-page-size`                   | `100`     | The default number of records per page when paginated results are requested             |
+| `powerauth.service.pagination.default-page-number`                 | `0`       | The default page number when paginated results are requested. Page numbers start from 0 |
 
 ## HTTP Configuration
 
-| Property | Default | Note |
-|---|---|---|
-| `powerauth.service.http.proxy.enabled` | `false` | Whether proxy is enabled for outgoing HTTP requests |
-| `powerauth.service.http.proxy.host` | `127.0.0.1` | Proxy host for outgoing HTTP requests |
-| `powerauth.service.http.proxy.port` | `8080` | Proxy port for outgoing HTTP requests |
-| `powerauth.service.http.proxy.username` | `_emtpy_` | Proxy username for outgoing HTTP requests |
-| `powerauth.service.http.proxy.password` | `_empty_` | Proxy password for outgoing HTTP requests |
+| Property                                          | Default     | Note                                                |
+|---------------------------------------------------|-------------|-----------------------------------------------------|
+| `powerauth.service.http.proxy.enabled`            | `false`     | Whether proxy is enabled for outgoing HTTP requests |
+| `powerauth.service.http.proxy.host`               | `127.0.0.1` | Proxy host for outgoing HTTP requests               |
+| `powerauth.service.http.proxy.port`               | `8080`      | Proxy port for outgoing HTTP requests               |
+| `powerauth.service.http.proxy.username`           | `_emtpy_`   | Proxy username for outgoing HTTP requests           |
+| `powerauth.service.http.proxy.password`           | `_empty_`   | Proxy password for outgoing HTTP requests           |
+| `powerauth.service.http.connection.timeout`       | `5s`        | HTTP connection timeout                             |
+| `powerauth.service.http.response.timeout`         | `60s`       | HTTP response timeout                               |
+| `powerauth.service.http.connection.max-idle-time` | `200s`      | HTTP max idle time                                  |
 
 ## Spring Vault Configuration