Merge pull request #115 from wultra/issues/merge-upstream

Merge upstream

.github/workflows/codeql-analysis.yml

@@ -1,13 +1,9 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-#
 name: "CodeQL"
 
 on:
+  workflow_dispatch:
+    branches:
+      - 'develop'
   push:
     branches: [ develop, main ]
   pull_request:
@@ -17,63 +13,12 @@ on:
     - cron: '0 2 * * 4'
 
 jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [ 'java' ]
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
-        # Use only 'java' to analyze code written in Java, Kotlin or both
-        # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
-        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
-
-      - name: Set up JDK 17
-        uses: actions/setup-java@v3
-        with:
-          java-version: 17
-          distribution: 'temurin'
-          cache: maven
-
-      # Initializes the CodeQL tools for scanning.
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
-        with:
-          languages: ${{ matrix.language }}
-          # If you wish to specify custom queries, you can do so here or in a config file.
-          # By default, queries listed here will override any specified in a config file.
-          # Prefix the list here with "+" to use these queries and those in the config file.
-
-          # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-          # queries: security-extended,security-and-quality
-
-
-      # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
-      # If this step fails, then you should remove it and run the build manually (see below)
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
-
-      # ℹ️ Command-line programs to run using the OS shell.
-      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
-
-      #   If the Autobuild fails above, remove it and uncomment the following three lines.
-      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
-
-      # - run: |
-      #   echo "Run, Build Application using script"
-      #   ./location_of_script_within_repo/buildscript.sh
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
-        with:
-          category: "/language:${{matrix.language}}"
+  codeql-analysis:
+    uses: wultra/wultra-infrastructure/.github/workflows/codeql-analysis.yml@develop
+    secrets: inherit
+    with:
+      languages: "['java']"
+      # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+      # Use only 'java' to analyze code written in Java, Kotlin or both
+      # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
+      # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support

docs/Database-Structure.md

@@ -0,0 +1,42 @@
+# Database Structure
+
+<!-- TEMPLATE database -->
+
+You can download DDL scripts for supported databases:
+
+- [PostgreSQL - Create Database Schema](./sql/postgresql/enrollment/create-schema.sql)
+- [Oracle - Create Database Schema](./sql/oracle/enrollment/create-schema.sql)
+
+
+## Auditing
+
+The DDL files contain an `audit_log` table definition. The table differs slightly per database.
+
+Only one `audit_log` table is required per PowerAuth stack in case the same schema is used for all deployed applications.
+
+For more information about auditing library, see the [Wultra auditing library documentation](https://github.com/wultra/lime-java-core#wultra-auditing-library).
+
+
+## Table Documentation
+
+This chapter explains individual tables and their columns. The column types are used from PostgreSQL dialect, other databases use types that are equivalent (mapping is usually straight-forward).
+
+<!-- begin database table es_operation_template -->
+### Operation Template Table
+
+Stores operation templates to be shown by the mobile application.
+For more information, see [Operation Extensions](Operation-Extensions.md) and [Customizing Operation Form Data](Operation-Form-Data.md).
+
+#### Schema
+
+| Name          | Type           | Info                   | Note                                                                                     |
+|---------------|----------------|------------------------|------------------------------------------------------------------------------------------|
+| `id`          | `BIGINT`       | `NOT NULL PRIMARY KEY` | Autogenerated record identifier.                                                         |
+| `placeholder` | `VARCHAR(255)` | `NOT NULL`             | Operation type at PowerAuth server.                                                      |
+| `language`    | `VARCHAR(8)`   | `NOT NULL`             | Language of the template.                                                                |
+| `title`       | `VARCHAR(255)` | `NOT NULL`             | Title of the operation.                                                                  |
+| `message`     | `TEXT`         | `NOT NULL`             | Message for the user related to the operation.                                           |
+| `attributes`  | `TEXT`         |                        | Structured custom form data attributes as JSON.                                          |
+| `ui`          | `TEXT`         |                        | JSON configuration which may affect behavior or visual aspect of the mobile application. |
+
+<!-- end -->

docs/Home.md

@@ -6,6 +6,7 @@ PowerAuth Enrollment Server is an easy to deploy backend service used for bootst
 
 - [Deploying Enrollment Server](./Deploying-Enrollment-Server.md)
 - [Deploying Enrollment Server on JBoss/Wildfly](./Deploying-Wildfly.md)
+- [Database Structure](./Database-Structure.md)
 - [Migration Instructions](./Migration-Instructions.md)
 - [Configuration Properties](./Configuration-Properties.md)
 - [Documentation for Onboarding Server](./onboarding/Home.md)

docs/PowerAuth-Enrollment-Server-1.5.0.md

@@ -24,6 +24,19 @@ Make sure that you use dialect without version.
 
 Since version `1.5.0`, MySQL database is not supported anymore.
 
+### Oracle
+
+#### Operation Template
+
+In the `1.5.0` version, the `ES_OPERATION_TEMPLATE` table in the **Oracle** database had a change in the data type of the `MESSAGE` and `ATTRIBUTES` columns. They have been altered from `BLOB` to `CLOB`.
+
+You need to execute the following commands to alter the columns:
+
+```sql
+ALTER TABLE ES_OPERATION_TEMPLATE MODIFY (MESSAGE CLOB);
+ALTER TABLE ES_OPERATION_TEMPLATE MODIFY (ATTRIBUTES CLOB);
+```
+
 ## API Extensions
 
 Since version `1.5.0`, the API supports new cell types in operation responses. These are:

docs/_Sidebar.md

@@ -2,6 +2,7 @@
 
 - [Deploying Enrollment Server](./Deploying-Enrollment-Server.md)
 - [Deploying Enrollment Server on JBoss/Wildfly](./Deploying-Wildfly.md)
+- [Database Structure](./Database-Structure.md)
 - [Migration Instructions](./Migration-Instructions.md)
 - [Configuration Properties](./Configuration-Properties.md)
 - [Documentation for Onboarding Server](./onboarding/Home.md)

docs/db/changelog/changesets/enrollment-server-onboarding/1.5.x/20230614-add-sca-result.xml

@@ -0,0 +1,67 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                   xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-4.9.xsd">
+
+    <changeSet id="1" logicalFilePath="enrollment-server-onboarding/1.5.x/20230614-add-sca-result.xml" author="Lubos Racansky">
+        <preConditions onFail="MARK_RAN">
+            <not>
+                <sequenceExists sequenceName="es_sca_result_seq"/>
+            </not>
+        </preConditions>
+        <comment>Create a new sequence es_sca_result_seq</comment>
+        <createSequence sequenceName="es_sca_result_seq" incrementBy="50"/>
+    </changeSet>
+
+    <changeSet id="2" logicalFilePath="enrollment-server-onboarding/1.5.x/20230614-add-sca-result.xml" author="Lubos Racansky">
+        <preConditions onFail="MARK_RAN">
+            <not>
+                <tableExists tableName="es_sca_result"/>
+            </not>
+        </preConditions>
+        <comment>Create a new table es_onboarding_process</comment>
+        <createTable tableName="es_sca_result">
+            <column name="id" type="bigint">
+                <constraints primaryKey="true"/>
+            </column>
+            <column name="identity_verification_id" type="varchar(36)">
+                <constraints nullable="false" foreignKeyName="fk_es_identity_verification_id" referencedTableName="es_identity_verification" referencedColumnNames="id"/>
+            </column>
+            <column name="process_id" type="varchar(36)">
+                <constraints nullable="false" foreignKeyName="fk_es_onboarding_process_id" referencedTableName="es_onboarding_process" referencedColumnNames="id" />
+            </column>
+            <column name="presence_check_result" type="varchar(32)" />
+            <column name="otp_verification_result" type="varchar(32)" />
+            <column name="sca_result" type="varchar(32)" />
+            <column name="timestamp_created" type="timestamp" defaultValueDate="${now}">
+                <constraints nullable="false" />
+            </column>
+            <column name="timestamp_last_updated" type="timestamp" />
+        </createTable>
+    </changeSet>
+
+    <changeSet id="3" logicalFilePath="enrollment-server-onboarding/1.5.x/20230614-add-sca-result.xml" author="Lubos Racansky">
+        <preConditions onFail="MARK_RAN">
+            <not>
+                <indexExists tableName="es_sca_result" indexName="identity_verification_id" />
+            </not>
+        </preConditions>
+        <comment>Create a new index on es_sca_result(identity_verification_id)</comment>
+        <createIndex tableName="es_sca_result" indexName="identity_verification_id">
+            <column name="identity_verification_id" />
+        </createIndex>
+    </changeSet>
+
+    <changeSet id="4" logicalFilePath="enrollment-server-onboarding/1.5.x/20230614-add-sca-result.xml" author="Lubos Racansky">
+        <preConditions onFail="MARK_RAN">
+            <not>
+                <indexExists tableName="es_sca_result" indexName="process_id" />
+            </not>
+        </preConditions>
+        <comment>Create a new index on es_sca_result(process_id)</comment>
+        <createIndex tableName="es_sca_result" indexName="process_id">
+            <column name="process_id" />
+        </createIndex>
+    </changeSet>
+
+</databaseChangeLog>

docs/db/changelog/changesets/enrollment-server-onboarding/1.5.x/db.changelog-version.xml

@@ -5,5 +5,6 @@
 
     <include file="20230315-add-column-fds-data.xml" relativeToChangelogFile="true" />
     <include file="20230530-add-column-total-attempts.xml" relativeToChangelogFile="true" />
+    <include file="20230614-add-sca-result.xml" relativeToChangelogFile="true" />
 
 </databaseChangeLog>

docs/onboarding/Database-Structure.md

@@ -190,3 +190,24 @@ Stores result of document verification.
 | `timestamp_created` | `TEXT` |  | Timestamp when record was created. |
 
 <!-- end -->
+
+
+<!-- begin database table es_sca_result -->
+### SCA Result Table
+
+Stores result of SCA (Strong Customer Authentication) steps (presence check and OTP verification).
+
+#### Schema
+
+| Name                       | Type          | Info                                 | Note                                                                                              |
+|----------------------------|---------------|--------------------------------------|---------------------------------------------------------------------------------------------------|
+| `id`                       | `BIGINT`      | `NOT NULL PRIMARY KEY`               | Autogenerated record identifier (Long).                                                           |
+| `identity_verification_id` | `VARCHAR(36)` | `NOT NULL`                           | Identity verification identifier.                                                                 |
+| `process_id`               | `VARCHAR(36)` | `NOT NULL`                           | Process identifier (UUID).                                                                        |
+| `presence_check_result`    | `VARCHAR(32)` |                                      | Result of presence check (`SUCCESS`, `FAILED`).                                                   |
+| `otp_verification_result`  | `VARCHAR(32)` |                                      | Result of the last OTP verification (`SUCCESS`, `FAILED`).                                        |
+| `sca_result`               | `VARCHAR(32)` |                                      | Aggregated result of `presence_check_result` and `otp_verification_result` (`SUCCESS`, `FAILED`). |
+| `timestamp_created`        | `TIMESTAMP`   | `NOT NULL DEFAULT CURRENT_TIMESTAMP` | Timestamp when the SCA was started.                                                               |
+| `timestamp_last_updated`   | `TIMESTAMP`   |                                      | Timestamp when record was last updated.                                                           |
+
+<!-- end -->

docs/onboarding/PowerAuth-Enrollment-Onboarding-Server-1.5.0.md

@@ -62,19 +62,72 @@ A new column `total_attempts` has been added to the table `es_onboarding_otp`.
 #### PostgreSQL
 
 ```sql
-ALTER TABLE es_onboarding_process
+ALTER TABLE es_onboarding_otp
     ADD COLUMN TOTAL_ATTEMPTS INTEGER DEFAULT 0;
 ```
 
 
 #### Oracle
 
 ```sql
-ALTER TABLE es_onboarding_process
+ALTER TABLE es_onboarding_otp
     ADD total_attempts INTEGER DEFAULT 0;
 ```
 
 
+### SCA Result
+
+A new table `es_sca_result` has been created.
+
+
+#### PostgreSQL
+
+```sql
+CREATE SEQUENCE es_sca_result_seq INCREMENT BY 50 START WITH 1;
+
+CREATE TABLE es_sca_result
+(
+    id                       BIGINT      NOT NULL PRIMARY KEY,
+    identity_verification_id VARCHAR(36) NOT NULL,
+    process_id               VARCHAR(36) NOT NULL,
+    presence_check_result    VARCHAR(32),
+    otp_verification_result  VARCHAR(32),
+    sca_result               VARCHAR(32),
+    timestamp_created        TIMESTAMP   NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    timestamp_last_updated   TIMESTAMP,
+    FOREIGN KEY (identity_verification_id) REFERENCES es_identity_verification (id),
+    FOREIGN KEY (process_id) REFERENCES es_onboarding_process (id)
+);
+
+CREATE INDEX identity_verification_id ON es_sca_result (identity_verification_id);
+CREATE INDEX process_id ON es_sca_result (process_id);
+```
+
+
+#### Oracle
+
+```sql
+CREATE SEQUENCE ES_SCA_RESULT_SEQ INCREMENT BY 50 START WITH 1;
+
+CREATE TABLE ES_SCA_RESULT
+(
+    ID                       NUMBER(19)        NOT NULL PRIMARY KEY,
+    IDENTITY_VERIFICATION_ID VARCHAR2(36 CHAR) NOT NULL,
+    PROCESS_ID               VARCHAR2(36 CHAR) NOT NULL,
+    PRESENCE_CHECK_RESULT    VARCHAR2(32 CHAR),
+    OTP_VERIFICATION_RESULT  VARCHAR2(32 CHAR),
+    SCA_RESULT               VARCHAR2(32 CHAR),
+    TIMESTAMP_CREATED        TIMESTAMP(6)      NOT NULL,
+    TIMESTAMP_LAST_UPDATED   TIMESTAMP(6),
+    FOREIGN KEY (IDENTITY_VERIFICATION_ID) REFERENCES ES_IDENTITY_VERIFICATION (ID),
+    FOREIGN KEY (PROCESS_ID) REFERENCES ES_ONBOARDING_PROCESS (ID)
+);
+
+CREATE INDEX IDENTITY_VERIFICATION_ID ON ES_SCA_RESULT (IDENTITY_VERIFICATION_ID);
+CREATE INDEX PROCESS_ID ON ES_SCA_RESULT (PROCESS_ID);
+```
+
+
 ## Dependencies
 
 PostgreSQL JDBC driver is already included in the WAR file.

docs/sql/oracle/onboarding/create-schema.sql

@@ -158,6 +158,25 @@ CREATE TABLE ES_DOCUMENT_RESULT (
 -- Oracle does not create indexes on foreign keys automatically
 CREATE INDEX DOCUMENT_VERIF_RESULT ON ES_DOCUMENT_RESULT (DOCUMENT_VERIFICATION_ID);
 
+CREATE SEQUENCE ES_SCA_RESULT_SEQ INCREMENT BY 50 START WITH 1;
+
+CREATE TABLE ES_SCA_RESULT
+(
+    ID                       NUMBER(19)        NOT NULL PRIMARY KEY,
+    IDENTITY_VERIFICATION_ID VARCHAR2(36 CHAR) NOT NULL,
+    PROCESS_ID               VARCHAR2(36 CHAR) NOT NULL,
+    PRESENCE_CHECK_RESULT    VARCHAR2(32 CHAR),
+    OTP_VERIFICATION_RESULT  VARCHAR2(32 CHAR),
+    SCA_RESULT               VARCHAR2(32 CHAR),
+    TIMESTAMP_CREATED        TIMESTAMP(6)      NOT NULL,
+    TIMESTAMP_LAST_UPDATED   TIMESTAMP(6),
+    FOREIGN KEY (IDENTITY_VERIFICATION_ID) REFERENCES ES_IDENTITY_VERIFICATION (ID),
+    FOREIGN KEY (PROCESS_ID) REFERENCES ES_ONBOARDING_PROCESS (ID)
+);
+
+CREATE INDEX IDENTITY_VERIFICATION_ID ON ES_SCA_RESULT (IDENTITY_VERIFICATION_ID);
+CREATE INDEX PROCESS_ID ON ES_SCA_RESULT (PROCESS_ID);
+
 -- Scheduler lock table - https://github.com/lukas-krecan/ShedLock#configure-lockprovider
 BEGIN EXECUTE IMMEDIATE 'CREATE TABLE shedlock (
     name VARCHAR2(64 CHAR) NOT NULL,