Merge pull request #1196 from wultra/develop

Merge develop to master

Author: banterCZ

.github/workflows/scp-deploy.yml

@@ -0,0 +1,39 @@
+name: Run SCP deploy
+
+on:
+  workflow_dispatch:
+
+jobs:
+  scp-deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up JDK 17
+        uses: actions/setup-java@v3
+        with:
+          java-version: 17
+          distribution: 'temurin'
+          server-id: jfrog-central
+          server-username: INTERNAL_USERNAME
+          server-password: INTERNAL_PASSWORD
+          cache: maven
+      - name: Run Maven Package Step
+        run: |
+          mvn -B -U package -Dmaven.test.skip=true
+        env:
+          INTERNAL_USERNAME: ${{ secrets.JFROG_USERNAME }}
+          INTERNAL_PASSWORD: ${{ secrets.JFROG_PASSWORD }}
+      - name: Set up SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.SCP_CERTIFICATE }}" > ~/.ssh/id_rsa
+          chmod 600 ~/.ssh/id_rsa
+          ssh-keyscan -t rsa ${{ secrets.SCP_HOST }} >> ~/.ssh/known_hosts
+      - name: Deploy powerauth-java-server.war
+        shell: bash
+        run: |
+          scp -i ~/.ssh/id_rsa **/target/powerauth-java-server-*.war ${{ secrets.SCP_USERNAME }}@${{ secrets.SCP_HOST }}:/opt/apache-tomcat/webapps/powerauth-java-server.war
+      - name: Deploy powerauth-admin.war
+        shell: bash
+        run: |
+          scp -i ~/.ssh/id_rsa **/target/powerauth-admin-*.war ${{ secrets.SCP_USERNAME }}@${{ secrets.SCP_HOST }}:/opt/apache-tomcat/webapps/powerauth-admin.war

docs-private/Developer-How-To-Start.md

@@ -21,7 +21,13 @@ Others (like URL, username, password) depend on your environment.
 
 ```shell
 liquibase --changelog-file=./docs/db/changelog/changesets/powerauth-java-server/db.changelog-module.xml --url=jdbc:postgresql://localhost:5432/powerauth --username=powerauth status
-``` 
+```
+
+To generate SQL script run this command.
+
+```shell
+liquibase --changeLogFile=./docs/db/changelog/changesets/powerauth-java-server/db.changelog-module.xml --output-file=./docs/sql/oracle/generated-oracle-script.sql updateSQL --url=offline:oracle
+```
 
 
 ## PowerAuth Admin Server

docs/Configuration-Properties-Admin.md

@@ -38,3 +38,9 @@ The PowerAuth Admin application uses the following public configuration properti
 | `powerauth.admin.security.ldap.ldif`               | `_empty_` | Specifies an ldif to load at startup for an embedded LDAP server.                                                                                                                                                                                                                   |
 | `powerauth.admin.security.ldap.managerDN`          | `_empty_` | Username (DN) of the "manager" user identity (i.e. "uid=admin,ou=system") which will be used to authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be used.                                                                                            |
 | `powerauth.admin.security.ldap.managerPassword`    | `_empty_` | The password for the manager DN. This is required if the `managerDN` property is set.                                                                                                                                                                                               |
+
+
+## Monitoring and Observability
+
+The WAR file includes the `micrometer-registry-prometheus` dependency.
+Discuss its configuration with the [Spring Boot documentation](https://docs.spring.io/spring-boot/docs/3.1.x/reference/html/actuator.html#actuator.metrics).

docs/Configuration-Properties.md

@@ -10,7 +10,6 @@ The PowerAuth Server uses the following public configuration properties:
 | `spring.datasource.username` | `powerauth` | Database JDBC username |
 | `spring.datasource.password` | `_empty_` | Database JDBC password |
 | `spring.datasource.driver-class-name` | `org.postgresql.Driver` | Datasource JDBC class name |
-| `spring.jpa.database-platform` | `org.hibernate.dialect.PostgreSQLDialect` | Database dialect |
 | `spring.jpa.hibernate.ddl-auto` | `none` | Configuration of automatic database schema creation |
 | `spring.jpa.properties.hibernate.connection.characterEncoding` | `utf8` | Character encoding |
 | `spring.jpa.properties.hibernate.connection.useUnicode` | `true` | Character encoding - Unicode support |
@@ -38,7 +37,7 @@ The PowerAuth Server uses the following public configuration properties:
 | `powerauth.service.secureVault.enableBiometricAuthentication`      | `false`   | Whether biometric authentication is enabled when accessing Secure Vault                 |
 | `powerauth.server.db.master.encryption.key`                        | `_empty_` | Master DB encryption key for decryption of server private key in database               |
 | `powerauth.service.proximity-check.otp.length`                     | `8`       | Length of OTP generated for proximity check                                             |
-| `powerauth.service.pagination.default-page-size`                   | `100`     | The default number of records per page when paginated results are requested             |
+| `powerauth.service.pagination.default-page-size`                   | `500`     | The default number of records per page when paginated results are requested             |
 | `powerauth.service.pagination.default-page-number`                 | `0`       | The default page number when paginated results are requested. Page numbers start from 0 |
 
 ## HTTP Configuration
@@ -69,3 +68,9 @@ The PowerAuth Server uses the following public configuration properties:
 | `powerauth.service.correlation-header.name` | `X-Correlation-ID` | Correlation header name |
 | `powerauth.service.correlation-header.value.validation-regexp` | `[a-zA-Z0-9\\-]{8,1024}` | Regular expression for correlation header value validation |
 | `logging.pattern.console` | [See value in application.properties](https://github.com/wultra/powerauth-server/blob/develop/powerauth-java-server/src/main/resources/application.properties#docucheck-keep-link) | Logging pattern for console which includes the correlation header value |
+
+
+## Monitoring and Observability
+
+The WAR file includes the `micrometer-registry-prometheus` dependency.
+Discuss its configuration with the [Spring Boot documentation](https://docs.spring.io/spring-boot/docs/3.1.x/reference/html/actuator.html#actuator.metrics).

docs/Deploying-PowerAuth-Server.md

@@ -43,7 +43,6 @@ spring.datasource.url=jdbc:postgresql://localhost:5432/powerauth
 spring.datasource.username=powerauth
 spring.datasource.password=
 spring.datasource.driver-class-name=org.postgresql.Driver
-spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
 spring.jpa.hibernate.ddl-auto=none
 spring.jpa.properties.hibernate.connection.characterEncoding=utf8
 spring.jpa.properties.hibernate.connection.useUnicode=true
@@ -59,7 +58,6 @@ spring.datasource.url=jdbc:oracle:thin:@//[HOST]:[PORT]/[SERVICENAME]
 spring.datasource.username=powerauth
 spring.datasource.password=*********
 spring.datasource.driver-class-name=oracle.jdbc.driver.OracleDriver
-spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
 spring.jpa.hibernate.ddl-auto=none
 ```
 
@@ -71,7 +69,6 @@ spring.datasource.url=jdbc:postgresql://[HOST]:[PORT]/[DATABASE]
 spring.datasource.username=powerauth
 spring.datasource.password=*********
 spring.datasource.driver-class-name=org.postgresql.Driver
-spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
 spring.jpa.hibernate.ddl-auto=none
 ```
 
@@ -140,7 +137,6 @@ You can specify the individual properties directly in the server configuration.
     <Parameter name="spring.datasource.username" value="powerauth"/>
     <Parameter name="spring.datasource.password" value=""/>
     <Parameter name="spring.datasource.driver-class-name" value="org.postgresql.Driver"/>
-    <Parameter name="spring.jpa.database-platform" value="org.hibernate.dialect.PostgreSQLDialect"/>
 </Context>
 ```
 
@@ -162,7 +158,6 @@ spring.datasource.url=jdbc:postgresql://localhost:5432/powerauth
 spring.datasource.username=powerauth
 spring.datasource.password=
 spring.datasource.driver-class-name=org.postgresql.Driver
-spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
 ```
 
 ## Generating Your First Application

docs/Deploying-Wildfly.md

@@ -97,7 +97,6 @@ spring.datasource.url=jdbc:oracle:thin:@//[host]:[port]/[servicename]
 spring.datasource.username=powerauth
 spring.datasource.password=powerauth
 spring.datasource.driver-class-name=oracle.jdbc.driver.OracleDriver
-spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
 
 # Application Service Configuration
 powerauth.service.applicationEnvironment=TEST

docs/Installing-Bouncy-Castle.md

@@ -1,169 +1,3 @@
 # Installing Bouncy Castle
 
 Since PowerAuth Server in version 1.1.x, installing the Bouncy Castle in OS or Java container is no longer required. The latest version is bundled with the app and cryptographic primitives should work out of the box.
-
-## Legacy: Installing Before 1.1.x
-
-In order to function correctly, PowerAuth software requires Bouncy Castle to be available.
-
-Bouncy Castle library installation depends on Java version and used web container.
-
-PowerAuth server uses dynamic initialization of Bouncy Castle provider, so it is not required to configure security provider statically in the Java Runtime configuration.
-
-You can get the Bouncy Castle provider here:
-https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk18on
-
-### Installing on Java 11
-
-Java 11 no longer provides a library extension mechanism and thus Bouncy Castle library must be installed in the web container.
-
-#### Bouncy Castle on Tomcat
-
-Copy [`bcprov-jdk18on-176.jar`](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk18on) to your `${CATALINA_HOME}/lib` folder.
-
-<!-- begin box warning -->
-Bouncy Castle library will not work properly in case any war file deployed to Tomcat contains another copy of the Bouncy Castle library, even if the war file is not related to PowerAuth.
-Bouncy Castle library must be only present in the `${CATALINA_HOME}/lib` folder. The `key spec not recognized` error message will appear in Tomcat log in this case.
-<!-- end -->
-
-#### Bouncy Castle on JBoss / Wildfly
-
-PowerAuth server requires a specific version of Bouncy Castle library: `bcprov-jdk18on-176.jar`
-
-In order to make PowerAuth Server work on JBoss / Wildfly, you need to add and enable the external Bouncy Castle module on the server
-by adding the `<global-modules>` element in the `standalone.xml` file:
-
-```xml
-<subsystem xmlns="urn:jboss:domain:ee:4.0">
-    <global-modules>
-        <module name="org.bouncycastle.external" slot="main"/>
-    </global-modules>
-</subsystem>
-```
-
-The module should be defined using a new module XML file in JBoss folder `modules/system/layers/base/org/bouncycastle/external/main`:
-```xml
-<?xml version="1.0" encoding="UTF-8"?>
-<module name="org.bouncycastle.external" xmlns="urn:jboss:module:1.8">
-    <resources>
-        <resource-root path="bcprov-jdk18on-176.jar"/>
-    </resources>
-</module>
-```
-
-Finally, copy the Bouncy Castle library `bcprov-jdk18on-176.jar` into folder  `modules/system/layers/base/org/bouncycastle/external/main` so that it is available for the module.
-
-<!-- begin box warning -->
-Do not reuse Bouncy Castle module `org.bouncycastle` from JBoss, because version of library provided by JBoss may differ from version required by PowerAuth.
-<!-- end -->
-
-#### Testing the Installation
-
-You can test the installation in web container using our simple [bc-check.war application](https://github.com/wultra/powerauth-crypto/releases/download/0.23.0/check-bc.war).
-
-The application performs following checks after startup:
-- Check whether BC provider is correctly installed.
-- Generate an ECSDA keypair.
-- Compute and validate an ECSDA signature.
-
-Once you deploy the application to the web container, you should see following messages in container log:
-```
-BC provider is installed.
-ECSDA signature validation succeeded.
-```
-
-In case of any error or different output, please check the troubleshooting guide below.
-
-### Installing on Java 8
-
-Java 8 provides a library extension mechanism which can be used to installed Bouncy Castle with exception of JBoss / Wildfly which has it's own mechanism for installing Bouncy Castle.  
-
-#### Bouncy Castle on Tomcat
-
-##### Standalone Tomcat
-
-When running a standalone Tomcat instance, all you need to do is to copy [`bcprov-jdk18on-176.jar`](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk18on) to your `${JDK_HOME}/jre/lib/ext` folder.
-
-##### Embedded Tomcat
-
-In case you are running Spring Boot application with the embedded Tomcat server, you also might need to register the provider in the Java security configuration file. To do this, add a new line to `$JAVA_HOME/jre/lib/security/java.security` and enable Bouncy Castle security provider on a system level:
-
-```
-security.provider.N=org.bouncycastle.jce.provider.BouncyCastleProvider
-```
-
-Make sure to add the provider to the top of the list (ideally, N=2).
-
-#### Bouncy Castle on JBoss / Wildfly
-
-PowerAuth server requires a specific version of Bouncy Castle library: `bcprov-jdk18on-176.jar`
-
-In order to make PowerAuth Server work on JBoss / Wildfly, you need to add and enable the external Bouncy Castle module on the server
-by adding the `<global-modules>` element in the `standalone.xml` file:
-
-```xml
-<subsystem xmlns="urn:jboss:domain:ee:4.0">
-    <global-modules>
-        <module name="org.bouncycastle.external" slot="main"/>
-    </global-modules>
-</subsystem>
-```
-
-The module should be defined using a new module XML file in JBoss folder `modules/system/layers/base/org/bouncycastle/external/main`:
-```xml
-<?xml version="1.0" encoding="UTF-8"?>
-<module name="org.bouncycastle.external" xmlns="urn:jboss:module:1.8">
-    <resources>
-        <resource-root path="bcprov-jdk18on-176.jar"/>
-    </resources>
-</module>
-```
-
-Finally, copy the Bouncy Castle library `bcprov-jdk18on-176.jar` into folder  `modules/system/layers/base/org/bouncycastle/external/main` so that it is available for the module.
-
-<!-- begin box warning -->
-Do not reuse Bouncy Castle module `org.bouncycastle` from JBoss, because version of library provided by JBoss may differ from version required by PowerAuth.
-<!-- end -->
-
-Note that when Bouncy Castle module for JBoss / Wildfly is used, Bouncy Castle should not be present in the `lib/ext` folder of the Java runtime, otherwise the following error can occur: `key spec not recognized` due to clash of Bouncy Castle libraries.
-
-#### Testing the Installation
-
-You can test the installation using our [simple Java utility](./util/check-bc.jar):
-
-```sh
-$ java -jar check-bc.jar
-```
-
-The utility uses following source code to check the provider installation:
-
-```java
-import java.security.Security;
-
-public class SimpleTest
-{
-    public static void main(String[] args)
-    {
-        String name = "BC";
-        if (Security.getProvider(name) == null)
-        {
-            System.out.println("not installed");
-        }
-        else
-        {
-            System.out.println("installed");
-        }
-    }
-}
-```
-
-## Troubleshooting Bouncy Castle Installation Issues
-
-In case you get the following error: `key spec not recognized`, there are possible issues:
-
-- Tomcat on Java 11: Check that Bouncy Castle library is installed in `${CATALINA_HOME}/lib`.
-- Tomcat on Java 8: Check that Bouncy Castle library is installed in `${JDK_HOME}/jre/lib/ext` and it is not present in `${CATALINA_HOME}/lib`.
-- JBoss / Wildfly on Java 11: Check that Bouncy Castle library is installed as a module in JBoss / Wildfly.
-- JBoss / Wildfly on Java 8: Check that Bouncy Castle library is not installed in `${JDK_HOME}/jre/lib/ext` and it is installed as an external module in JBoss / Wildfly.
-- All containers on Java 8/11: Check that none of the deployed war files contains Bouncy Castle library, even if the war file is not related to PowerAuth.
-Another copy of Bouncy Castle library would clash with the globally installed version of the library. This rule applies only for PowerAuth `2019.05` or later.

docs/Migration-Instructions.md

@@ -6,6 +6,7 @@ This page contains PowerAuth Server migration instructions.
 When updating across multiple versions, you need to perform all migration steps additively.
 <!-- end -->
 
+- [PowerAuth Server 1.6.0](./PowerAuth-Server-1.6.0.md)
 - [PowerAuth Server 1.5.0](./PowerAuth-Server-1.5.0.md)
 - [PowerAuth Server 1.4.0](./PowerAuth-Server-1.4.0.md)
 - [PowerAuth Server 1.3.0](./PowerAuth-Server-1.3.0.md)

docs/PowerAuth-Server-0.22.0.md

@@ -36,7 +36,7 @@ Java 11 no longer supports installing Bouncy Castle using library extension mech
 longer contains the Bouncy Castle library in war files to avoid classloader issues in some web containers (e.g. Tomcat).
 
 The Bouncy Castle provider needs to be installed using mechanism supported by the web container.
-See the [Installing Bouncy Castle](./Installing-Bouncy-Castle.md#installing-on-java-11) chapter in documentation.
+See the [Installing Bouncy Castle](./Installing-Bouncy-Castle.md) chapter in documentation.
 
 ### Tomcat on Java 11
 

docs/PowerAuth-Server-1.5.0.md

@@ -27,7 +27,7 @@ This release adds support for PowerAuth protocol version 3.2, which adds several
 
 ### Simplified Configuration of PowerAuth Mobile SDK. 
 
-You can use the `mobileSdkConfig` value from `POST /rest/v3/application/detail`, see [REST API documentation](https://github.com/wultra/powerauth-server/blob/develop/docs/WebServices-Methods.md#method-getapplicationdetail). This value contains encoded master public key, application key and application secret.
+You can use the `mobileSdkConfig` value from `POST /rest/v3/application/detail`, see [REST API documentation](WebServices-Methods.md#method-getapplicationdetail). This value contains encoded master public key, application key and application secret.
 
 Starting with version 1.5.x you can use this single configuration Base-64 encoded string for configuring the PowerAuth mobile SDK instead of using three separated configuration parameters.
 

docs/PowerAuth-Server-1.6.0.md

@@ -0,0 +1,49 @@
+# Migration from 1.5.x to 1.6.0
+
+This guide contains instructions for migration from PowerAuth Server version `1.5.x` to version `1.6.0`.
+
+## Database Changes
+
+For convenience you can use liquibase for your database migration.
+
+For manual changes use SQL scripts:
+
+- [PostgreSQL script](./sql/postgresql/migration_1.5.3_1.6.0.sql)
+- [Oracle script](./sql/oracle/migration_1.5.3_1.6.0.sql)
+- [MSSQL script](./sql/mssql/migration_1.5.3_1.6.0.sql)
+
+### Allow Non-personalized Operations
+
+The column `user_id` in table `pa_operation` is nullable now.
+
+### Forbid name duplication for operation templates.
+
+Add unique constraint to `templateName` column in `pa_operation_template` table.
+
+Applying this change may fail if there are duplicates in the `pa_operation_template` table. Please make sure there are
+no two records with the same name `templateName`. If necessary, remove any duplicities from the table manually. Consider
+creating a backup before this operation.
+
+### Add foreign key constraints to operations and applications relation.
+
+Add foreign key constraints to relating table `pa_operation_application`.
+
+Applying this change may fail if there is an inconsistency between tables `pa_operation_application`
+and `pa_application` or `pa_operation`. Make sure that `pa_operation_application.application_id` contains references to
+existing `pa_application.id` and `pa_operation_application.operation_id` contains references to
+existing `pa_operation.id`. If necessary, manually remove orphaned records in `pa_operation_application`. Consider
+creating a backup before this operation.
+
+### Add activation_id Column
+
+Add a new column `activation_id` to the `pa_operation` table. This column is a foreign key that references
+the `activation_id` column in the `pa_activation` table. Storing the `activation_id` in the `pa_operation` table
+provides several enhancements:
+
+* It allows the creation of a new operation tied to a specific mobile device, identified by its activation ID.
+* It ensures that the operation can only be approved on that specific mobile device, again identified by its activation ID.
+
+### Add activation_name Column to pa_activation_history
+
+Add a new column `activation_name` to the `pa_activation_history` table.
+Since it is possible to change the activation name, it is recorded in the history.