Merge pull request #812 from wultra/develop

Merge develop to master

.github/workflows/coverity-scan.yml

@@ -0,0 +1,16 @@
+name: Run Coverity scan and upload results
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron:  '0 10 1 * *'    # monthly
+
+
+jobs:
+  coverity-scan:
+    uses: wultra/wultra-infrastructure/.github/workflows/coverity-scan.yml@develop
+    secrets: inherit
+    with:
+      project-name: ${{ github.event.repository.name }}
+      version: ${{ github.sha }}
+      description: ${{ github.ref }}

.github/workflows/maven-deploy.yml

@@ -0,0 +1,50 @@
+name: Deploy with Maven
+
+on:
+  workflow_dispatch:
+    branches:
+      - 'develop'
+      - 'master'
+      - 'releases/*'
+      - 'test/ci'
+    inputs:
+      release_type:
+        type: choice
+        description:
+        default: snapshot
+        options:
+          - snapshot
+          - release
+      environment:
+        type: environment
+        default: internal-publish
+        description: internal or external repository
+  push:
+    branches:
+      - 'develop'
+      - 'test/ci'
+
+jobs:
+  maven-deploy-jfrog:
+    if: ${{ github.event_name == 'push' }}
+    name: Deploy to jfrog
+    uses: wultra/wultra-infrastructure/.github/workflows/maven-deploy.yml@develop
+    with:
+      environment: internal-publish
+      release_type: snapshot
+    secrets:
+      username: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
+      password: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
+
+  maven-deploy-manual:
+    if: ${{ github.event_name == 'workflow_dispatch' }}
+    name: Deploy by parameter
+    uses: wultra/wultra-infrastructure/.github/workflows/maven-deploy.yml@develop
+    with:
+      environment: ${{ inputs.environment }}
+      release_type: ${{ inputs.release_type }}
+    secrets:
+      username: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
+      password: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
+      gpg_passphrase: ${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}
+      gpg_key: ${{ secrets.OSSRH_GPG_SECRET_KEY }}

.github/workflows/maven-test.yml

@@ -0,0 +1,18 @@
+name: Test with Maven
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+      - 'releases/**'
+  pull_request:
+    branches:
+      - 'develop'
+      - 'master'
+      - 'releases/**'
+
+jobs:
+  maven-tests:
+    uses: wultra/wultra-infrastructure/.github/workflows/maven-test.yml@develop
+    secrets: inherit

.github/workflows/owas-dependecy-check.yml

@@ -0,0 +1,12 @@
+name: Run OWASP Dependency Check
+on:
+  workflow_dispatch:
+
+  push:
+    branches:
+      - 'develop'
+
+jobs:
+  owasp-check:
+      uses: wultra/wultra-infrastructure/.github/workflows/owasp-dependency-check.yml@develop
+      secrets: inherit

README.md

@@ -1,6 +1,6 @@
 # PowerAuth Server
 
-[![Build Status](https://travis-ci.org/wultra/powerauth-server.svg?branch=master)](https://travis-ci.org/wultra/powerauth-server)
+[![Build Status](https://github.com/wultra/powerauth-server/actions/workflows/maven-test.yml/badge.svg?branch=master)](https://github.com/wultra/powerauth-server/actions/workflows/maven-test.yml?query=branch%3Amaster)
 [![Status](https://scan.coverity.com/projects/16632/badge.svg)](https://scan.coverity.com/projects/wultra-powerauth-server)
 [![GitHub issues](https://img.shields.io/github/issues/wultra/powerauth-server.svg?maxAge=2592000)](https://github.com/wultra/powerauth-server/issues)
 [![License: AGPL v3](https://img.shields.io/badge/License-AGPL%20v3-blue.svg)](https://www.gnu.org/licenses/agpl-3.0)

docs/powerauth-server/Database-Structure.md → docs/Database-Structure.md

@@ -492,7 +492,8 @@ CREATE TABLE "pa_operation" (
     "max_failure_count"     BIGINT NOT NULL,
     "timestamp_created"     TIMESTAMP NOT NULL,
     "timestamp_expires"     TIMESTAMP NOT NULL,
-    "timestamp_finalized"   TIMESTAMP
+    "timestamp_finalized"   TIMESTAMP,
+    "risk_flags"            VARCHAR(255)
 );
 ```
 
@@ -514,6 +515,7 @@ CREATE TABLE "pa_operation" (
 | timestamp_created | timestamp | - | Timestamp of when the operation was created. |
 | timestamp_expires | timestamp | - | Timestamp of when the operation will expire. |
 | timestamp_finalized | timestamp | - | Timestamp of when the operation reached the terminal state (approved, rejected, expired, etc.). |
+| risk_flages | varchar(255) | - | Risk flags for offline QR code. Uppercase letters without separator, e.g. `XFC`. |
 <!-- end -->
 
 <!-- begin database table pa_operation_template -->
@@ -531,7 +533,8 @@ CREATE TABLE "pa_operation_template" (
     "data_template"         VARCHAR(255) NOT NULL,
     "signature_type"        VARCHAR(255) NOT NULL,
     "max_failure_count"     BIGINT NOT NULL,
-    "expiration"            BIGINT NOT NULL
+    "expiration"            BIGINT NOT NULL,
+    "risk_flags"            VARCHAR(255)
 );
 ```
 
@@ -546,6 +549,7 @@ CREATE TABLE "pa_operation_template" (
 | signature_type | varchar(255)  | - | Comma-separated list of allowed signature types. |
 | max_failure_count | bigint | - | Maximum allowed number of failed attempts when approving the operation. |
 | expiration | bigint | - | Operation expiration in seconds (300 = 5 minutes). |
+| risk_flages | varchar(255) | - | Risk flags for offline QR code. Uppercase letters without separator, e.g. `XFC`. |
 <!-- end -->
 
 <!-- begin database table pa_operation_application -->

docs/powerauth-admin/Deploying-PowerAuth-Admin.md → docs/Deploying-PowerAuth-Admin.md

@@ -2,9 +2,12 @@
 
 This chapter explains how to deploy PowerAuth Admin.
 
-PowerAuth Admin is a Java EE application (packaged as an executable WAR file) that you can use to work with the PowerAuth Server services in a easy to use visual way. Also, PowerAuth Admin project may serve as a simple example application for the Internet banking integrators, since in essence, it performs the very same tasks.
+PowerAuth Admin is a web administration console for the [PowerAuth Server](https://github.com/wultra/powerauth-server).
+It allows an easy application setup, an activation management and integration configurations.
 
-*__Important note: Since PowerAuth Admin is a very simple application with direct access to the PowerAuth Server REST services, it must not be under any circumstances published publicly and must be constrained to the in-house closed infrastructure.__*
+<!-- begin box warning -->
+Important note: Since PowerAuth Admin is a very simple application with direct access to the PowerAuth Server REST services, it must not be under any circumstances published publicly and must be constrained to the in-house closed infrastructure.
+<!-- end -->
 
 ## Downloading PowerAuth Admin
 
@@ -29,7 +32,9 @@ powerauth.service.security.clientSecret=
 
 The credentials are stored in the `pa_integration` table.
 
-_Note: The RESTful interface is secured using Basic HTTP Authentication (pre-emptive)._
+<!-- begin box info -->
+Note: The RESTful interface is secured using Basic HTTP Authentication (pre-emptive).
+<!-- end -->
 
 ## Disabling SSL Validation During Development
 
@@ -55,7 +60,9 @@ To deploy PowerAuth Admin to Apache Tomcat, simply copy the WAR file in your `we
 
 Running PowerAuth Admin application from console using the `java -jar` command is not supported.
 
-*__Important note: Since PowerAuth Admin is a very simple application with direct access to the PowerAuth Server REST services, it must not be under any circumstances published publicly and must be constrained to the in-house closed infrastructure.__*
+<!-- begin box warning -->
+Important note: Since PowerAuth Admin is a very simple application with direct access to the PowerAuth Server REST services, it must not be under any circumstances published publicly and must be constrained to the in-house closed infrastructure.
+<!-- end -->
 
 ## Deploying PowerAuth Admin On JBoss / Wildfly
 

docs/powerauth-server/Deploying-PowerAuth-Server.md → docs/Deploying-PowerAuth-Server.md

@@ -258,3 +258,12 @@ Follow the extra instructions in chapter [Deploying PowerAuth Server on JBoss /
 
 PowerAuth Server uses Bouncy Castle as a Java cryptography provider. If you encounter any issues that may point to an incorrectly installed cryptography provider, please follow our tutorial [how to configure Bouncy Castle](./Installing-Bouncy-Castle.md).
 
+### How to Disable Display of Tomcat Version
+
+It case you do not want to show Tomcat version on error pages when deploying PowerAuth server, you can use the following configuration:
+
+- Edit the file `<install-directory>/conf/server.xml`.
+- Search for the parameters `<Host name="..."/>`.
+- Just below that line, insert the following parameters `<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>`.
+- Restart Tomcat.
+

docs/powerauth-server/Deploying-Wildfly.md → docs/Deploying-Wildfly.md

@@ -19,7 +19,7 @@ PowerAuth server contains the following configuration in `jboss-deployment-struc
 
         <resources>
             <!-- use WAR provided Bouncy Castle -->
-            <resource-root path="WEB-INF/lib/bcprov-jdk15on-${BC_VERSION}.jar" use-physical-code-source="true"/>
+            <resource-root path="WEB-INF/lib/bcprov-jdk18on-${BC_VERSION}.jar" use-physical-code-source="true"/>
         </resources>
 
         <dependencies>

docs/powerauth-server/Installing-Bouncy-Castle.md → docs/Installing-Bouncy-Castle.md

@@ -11,15 +11,15 @@ Bouncy Castle library installation depends on Java version and used web containe
 PowerAuth server uses dynamic initialization of Bouncy Castle provider, so it is not required to configure security provider statically in the Java Runtime configuration.
 
 You can get the Bouncy Castle provider here:
-https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on
+https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk18on
 
 ### Installing on Java 11
 
 Java 11 no longer provides a library extension mechanism and thus Bouncy Castle library must be installed in the web container.
 
 #### Bouncy Castle on Tomcat
 
-Copy [`bcprov-jdk15on-168.jar`](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on) to your `${CATALINA_HOME}/lib` folder.
+Copy [`bcprov-jdk18on-172.jar`](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk18on) to your `${CATALINA_HOME}/lib` folder.
 
 <!-- begin box warning -->
 Bouncy Castle library will not work properly in case any war file deployed to Tomcat contains another copy of the Bouncy Castle library, even if the war file is not related to PowerAuth.
@@ -28,7 +28,7 @@ Bouncy Castle library must be only present in the `${CATALINA_HOME}/lib` folder.
 
 #### Bouncy Castle on JBoss / Wildfly
 
-PowerAuth server requires a specific version of Bouncy Castle library: `bcprov-jdk15on-168.jar`
+PowerAuth server requires a specific version of Bouncy Castle library: `bcprov-jdk18on-172.jar`
 
 In order to make PowerAuth Server work on JBoss / Wildfly, you need to add and enable the external Bouncy Castle module on the server
 by adding the `<global-modules>` element in the `standalone.xml` file:
@@ -46,12 +46,12 @@ The module should be defined using a new module XML file in JBoss folder `module
 <?xml version="1.0" encoding="UTF-8"?>
 <module name="org.bouncycastle.external" xmlns="urn:jboss:module:1.8">
     <resources>
-        <resource-root path="bcprov-jdk15on-167.jar"/>
+        <resource-root path="bcprov-jdk18on-172.jar"/>
     </resources>
 </module>
 ```
 
-Finally, copy the Bouncy Castle library `bcprov-jdk15on-167.jar` into folder  `modules/system/layers/base/org/bouncycastle/external/main` so that it is available for the module.
+Finally, copy the Bouncy Castle library `bcprov-jdk18on-172.jar` into folder  `modules/system/layers/base/org/bouncycastle/external/main` so that it is available for the module.
 
 <!-- begin box warning -->
 Do not reuse Bouncy Castle module `org.bouncycastle` from JBoss, because version of library provided by JBoss may differ from version required by PowerAuth.
@@ -82,7 +82,7 @@ Java 8 provides a library extension mechanism which can be used to installed Bou
 
 ##### Standalone Tomcat
 
-When running a standalone Tomcat instance, all you need to do is to copy [`bcprov-jdk15on-167.jar`](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on) to your `${JDK_HOME}/jre/lib/ext` folder.
+When running a standalone Tomcat instance, all you need to do is to copy [`bcprov-jdk18on-172.jar`](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk18on) to your `${JDK_HOME}/jre/lib/ext` folder.
 
 ##### Embedded Tomcat
 
@@ -96,7 +96,7 @@ Make sure to add the provider to the top of the list (ideally, N=2).
 
 #### Bouncy Castle on JBoss / Wildfly
 
-PowerAuth server requires a specific version of Bouncy Castle library: `bcprov-jdk15on-167.jar`
+PowerAuth server requires a specific version of Bouncy Castle library: `bcprov-jdk18on-172.jar`
 
 In order to make PowerAuth Server work on JBoss / Wildfly, you need to add and enable the external Bouncy Castle module on the server
 by adding the `<global-modules>` element in the `standalone.xml` file:
@@ -114,12 +114,12 @@ The module should be defined using a new module XML file in JBoss folder `module
 <?xml version="1.0" encoding="UTF-8"?>
 <module name="org.bouncycastle.external" xmlns="urn:jboss:module:1.8">
     <resources>
-        <resource-root path="bcprov-jdk15on-167.jar"/>
+        <resource-root path="bcprov-jdk18on-172.jar"/>
     </resources>
 </module>
 ```
 
-Finally, copy the Bouncy Castle library `bcprov-jdk15on-167.jar` into folder  `modules/system/layers/base/org/bouncycastle/external/main` so that it is available for the module.
+Finally, copy the Bouncy Castle library `bcprov-jdk18on-172.jar` into folder  `modules/system/layers/base/org/bouncycastle/external/main` so that it is available for the module.
 
 <!-- begin box warning -->
 Do not reuse Bouncy Castle module `org.bouncycastle` from JBoss, because version of library provided by JBoss may differ from version required by PowerAuth.

docs/powerauth-server/Migration-Instructions.md → docs/Migration-Instructions.md

@@ -6,6 +6,7 @@ This page contains PowerAuth Server migration instructions.
 When updating across multiple versions, you need to perform all migration steps additively.
 <!-- end -->
 
+- [PowerAuth Server 1.3.0](./PowerAuth-Server-1.3.0.md)
 - [PowerAuth Server 1.2.5](./PowerAuth-Server-1.2.5.md)
 - [PowerAuth Server 1.2.0](./PowerAuth-Server-1.2.0.md)
 - [PowerAuth Server 1.1.0](./PowerAuth-Server-1.1.0.md)

docs/PowerAuth-Server-1.2.5.md

@@ -0,0 +1,65 @@
+# Migration from 1.2.x to 1.2.5
+
+This guide contains instructions for migration from PowerAuth Server version `1.2.x` to version `1.2.5`.
+
+_Warning: release `1.2.5` of PowerAuth server requires application of database migration steps. Usually we do not require a database migration for minor releases, however in release `1.2.5` such migration is necessary._
+
+## Create New Columns in Operation Table
+
+Create a new columns in the operations table:
+
+- `template_name` - Stores the original template name.
+- `activation_flag` - Stores the activation flag that must be present on activation in order to return / approve / reject the operation.
+- `additional_data` - Stores attributes related to the approval / rejection / cancellation event.
+
+### Oracle
+
+```sql
+ALTER TABLE PA_OPERATION ADD TEMPLATE_NAME VARCHAR2(255);
+
+ALTER TABLE PA_OPERATION ADD ACTIVATION_FLAG VARCHAR2(255);
+
+ALTER TABLE PA_OPERATION ADD ADDITIONAL_DATA CLOB;
+```
+
+### PostgreSQL
+
+```sql
+ALTER TABLE pa_operation ADD template_name VARCHAR(255);
+
+ALTER TABLE pa_operation ADD activation_flag VARCHAR(255);
+
+ALTER TABLE pa_operation ADD additional_data TEXT;
+```
+
+### MySQL
+
+```sql
+ALTER TABLE pa_operation ADD template_name VARCHAR(255) NULL;
+
+ALTER TABLE pa_operation ADD activation_flag VARCHAR(255) NULL;
+
+ALTER TABLE pa_operation ADD additional_data TEXT NULL;
+```
+
+## Create New Column in Activation History Table
+
+The `pa_activation_history` table was updated to include activation version.
+
+### Oracle
+
+```sql
+ALTER TABLE PA_ACTIVATION_HISTORY ADD activation_version NUMBER(2,0);
+```
+
+### PostgreSQL
+
+```sql
+ALTER TABLE pa_activation_history ADD activation_version INTEGER;
+```
+
+### MySQL
+
+```sql
+ALTER TABLE pa_activation_history ADD activation_version int(2);
+```