Merge branch 'rel/0.5.1' into release

# Conflicts:
#	common/persistence/pom.xml
#	common/pom.xml
#	common/protocols/pom.xml
#	pom.xml
#	services/distribution/pom.xml
#	services/pom.xml
#	services/submission/pom.xml

.circleci/config.yml

@@ -15,6 +15,9 @@ jobs:
       - restore_cache:
           key: cwa-server-{{ checksum "~/pom-checksum" }}
       - run: mvn --batch-mode dependency:go-offline
+      - run:
+          name: Analyze on SonarCloud
+          command: mvn --batch-mode verify sonar:sonar --fail-never
       - save_cache:
           paths:
             - ~/.m2
@@ -30,9 +33,6 @@ jobs:
           path: ~/test-results
       - store_artifacts:
           path: ~/test-results/junit
-      - run:
-          name: Analyze on SonarCloud
-          command: mvn --batch-mode verify sonar:sonar --fail-never
 
 workflows:
   main:

.env

@@ -16,4 +16,3 @@ OBJECTSTORE_SECRETKEY=verySecretKey1
 
 # Docker Compose Secrets settings
 SECRET_PRIVATE=file:/secrets/private.pem
-SECRET_CERTIFICATE=file:/secrets/certificate.crt

.gitignore

@@ -38,5 +38,7 @@ out/
 .settings
 .project
 .classpath
-pom.xml.versionsBackup
 .factorypath
+
+pom.xml.versionsBackup
+**/.flattened-pom.xml

.mvn/maven.config

@@ -0,0 +1 @@
+-Drevision=0.5.1

README.md

@@ -1,3 +1,4 @@
+<!-- markdownlint-disable MD041 -->
 <h1 align="center">
     Corona-Warn-App Server
 </h1>
@@ -57,7 +58,7 @@ The docker-compose contains the following services:
 
 Service           | Description | Endpoint and Default Credentials
 ------------------|-------------|-----------
-submission        | The Corona-Warn-App submission service                                                      | `http://localhost:8000` <br> `http://localhost:8005` (for actuator endpoint)
+submission        | The Corona-Warn-App submission service                                                      | `http://localhost:8000` <br> `http://localhost:8006` (for actuator endpoint)
 distribution      | The Corona-Warn-App distribution service                                                    | NO ENDPOINT
 postgres          | A [postgres] database installation                                                          | `postgres:8001` <br> Username: postgres <br> Password: postgres
 pgadmin           | A [pgadmin](https://www.pgadmin.org/) installation for the postgres database                | `http://localhost:8002` <br> Username: [email protected] <br> Password: password
@@ -102,9 +103,8 @@ After you made sure that the specified dependencies are running, configure them
 
 * Configure the Postgres connection in the [submission config](./services/submission/src/main/resources/application.yaml) and in the [distribution config](./services/distribution/src/main/resources/application.yaml)
 * Configure the S3 compatible object storage in the [distribution config](./services/distribution/src/main/resources/application.yaml)
-* Configure the certificate and private key for the distribution service, the paths need to be prefixed with `file:`
+* Configure the private key for the distribution service, the path need to be prefixed with `file:`
   * `VAULT_FILESIGNING_SECRET` should be the path to the private key, example available in `<repo-root>/docker-compose-test-secrets/private.pem`
-  * `VAULT_FILESIGNING_CERT` should be the path to the certificate, example available in `<repo-root>/docker-compose-test-secrets/certificate.cert`
 
 #### Build
 
@@ -146,7 +146,7 @@ Distribution Service      | [services/distribution/api_v1.json)](https://github.
 
 Profile      | Effect
 -------------|-------------
-`dev`        | Turns the log level to `DEBUG`.
+`dev`        | Turns the log level to `DEBUG` and sets the app package ID in the export packages' signature info to `de.rki.coronawarnapp-dev` so that test certificates (instead of production certificates) will be used for client-side validation.
 `cloud`      | Removes default values for the `datasource` and `objectstore` configurations.
 `demo`       | Includes incomplete days and hours into the distribution run, thus creating aggregates for the current day and the current hour (and including both in the respective indices). When running multiple distributions in one hour with this profile, the date aggregate for today and the hours aggregate for the current hour will be updated and overwritten.
 `testdata`   | Causes test data to be inserted into the database before each distribution run. By default, around 1000 random diagnosis keys will be generated per hour. If there are no diagnosis keys in the database yet, random keys will be generated for every hour from the beginning of the retention period (14 days ago at 00:00 UTC) until one hour before the present hour. If there are already keys in the database, the random keys will be generated for every hour from the latest diagnosis key in the database (by submission timestamp) until one hour before the present hour (or none at all, if the latest diagnosis key in the database was submitted one hour ago or later).

SECURITY.md

@@ -1,16 +1,20 @@
-# Reporting Security Vulnerabilities
+# Security Vulnerabilities
 
-The Corona-Warn-App is built with security and data privacy in mind to ensure your data is safe. We are grateful for security researchers and users reporting a vulnerability to us, first. To ensure that your request is handled in a timely manner and non-disclosure of vulnerabilities can be assured, please follow the below guideline.
+The Corona-Warn-App is built with security and data privacy in mind to ensure your data is safe.
+
+## Reporting
+
+We are grateful for security researchers and users reporting a vulnerability to us, first. To ensure that your request is handled in a timely manner and non-disclosure of vulnerabilities can be assured, please follow the below guideline.
 
 **Please do not report security vulnerabilities directly on GitHub. GitHub Issues can be publicly seen and therefore would result in a direct disclosure.**
 
 * Please address questions about data privacy, security concepts, and other media requests to the [email protected] mailbox.
-* For reporting a vulnerability, please use the Vulnerability Report Form for Security Researchers on [SAP Trust Center](https://www.sap.com/about/trust-center/incident-management.html). 
+* For reporting a vulnerability, please use the Vulnerability Report Form for Security Researchers on [SAP Trust Center](https://www.sap.com/about/trust-center/incident-management.html).
   * Please select "Corona-Warn-App" in the _product_ list.
   * In the _versions_ field, either note the specific [release version](https://github.com/corona-warn-app/cwa-server/releases) or commit id of the master branch you investigated.
-  * The affected repository should be mentioned in the _vulnerability description_. 
+  * The affected repository should be mentioned in the _vulnerability description_.
   * Please use this channel only for reporting vulnerabilities of the _cwa-server_ component and check the security of the respective repositories for other components.
 
-# Disclosure Handling
+## Disclosure Handling
 
 SAP is committed to timely review and respond to your request. The resolution of code defects will be handled by a dedicated group of security experts and prepared in a private GitHub repository. The project will inform the public about resolved security vulnerabilities. For more information on the disclosure guidelines, please consult [SAP security information page](https://www.sap.com/about/trust-center/security/incident-management.html).

THIRD-PARTY-NOTICES

@@ -55,6 +55,11 @@ Licensor:  MinIO Inc.
 Website:   https://min.io/
 License:   Apache License 2.0
 
+Component: MojoHaus Flatten Maven Plugin
+Licensor:  MojoHaus
+Website:   https://www.mojohaus.org/flatten-maven-plugin/
+License:   Apache License 2.0
+
 Component: PostgreSQL
 Licensor:  PostgreSQL
 Website:   https://www.postgresql.org/
@@ -87,7 +92,7 @@ License:   Apache License 2.0
 
 --------------------------------------------------------------------------------
 Apache License 2.0 (Commons IO, Commons Math 3, flyway, JSON-Simple,
-Maven, MinIO Object Storage, snakeyaml, Spring Boot, Zenko CloudServer)
+Maven, MinIO Object Storage, MojoHaus Flatten Maven Plugin, snakeyaml, Spring Boot, Zenko CloudServer)
 
                                  Apache License
                            Version 2.0, January 2004
@@ -715,4 +720,4 @@ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
---------------------------------------------------------------------------------
+--------------------------------------------------------------------------------

codestyle/.markdownlint.yml

@@ -2,4 +2,3 @@ default: true
 
 MD013: false #https://github.com/DavidAnson/markdownlint/blob/master/doc/Rules.md#md013
 MD033: false #https://github.com/DavidAnson/markdownlint/blob/master/doc/Rules.md#md033
-MD034: false #https://github.com/DavidAnson/markdownlint/blob/master/doc/Rules.md#md034

common/persistence/pom.xml

@@ -12,7 +12,7 @@
 
   <groupId>org.opencwa</groupId>
   <artifactId>persistence</artifactId>
-  <version>0.5.0</version>
+  <version>${revision}</version>
 
   <properties>
     <java.version>11</java.version>
@@ -27,7 +27,7 @@
     <dependency>
       <groupId>org.opencwa</groupId>
       <artifactId>protocols</artifactId>
-      <version>0.5.0</version>
+      <version>${project.version}</version>
     </dependency>
     <dependency>
       <groupId>org.springframework.boot</groupId>
@@ -105,6 +105,28 @@
 
   <build>
     <plugins>
+      <plugin>
+        <!-- see https://maven.apache.org/maven-ci-friendly.html#install-deploy -->
+        <groupId>org.codehaus.mojo</groupId>
+        <artifactId>flatten-maven-plugin</artifactId>
+        <version>1.1.0</version>
+        <configuration>
+          <updatePomFile>true</updatePomFile>
+          <flattenMode>resolveCiFriendliesOnly</flattenMode>
+        </configuration>
+        <executions>
+          <execution>
+            <id>flatten</id>
+            <phase>process-resources</phase>
+            <goals><goal>flatten</goal></goals>
+          </execution>
+          <execution>
+            <id>flatten-clean</id>
+            <phase>clean</phase>
+            <goals><goal>clean</goal></goals>
+          </execution>
+        </executions>
+      </plugin>
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-checkstyle-plugin</artifactId>

common/pom.xml

@@ -6,7 +6,7 @@
   <parent>
     <artifactId>server</artifactId>
     <groupId>org.opencwa</groupId>
-    <version>0.5.0</version>
+    <version>${revision}</version>
     <relativePath>../pom.xml</relativePath>
   </parent>
 
@@ -17,7 +17,6 @@
   <modelVersion>4.0.0</modelVersion>
 
   <artifactId>common</artifactId>
-  <version>0.5.0</version>
 
   <packaging>pom</packaging>
   <modules>

common/protocols/pom.xml

@@ -5,13 +5,12 @@
   <parent>
     <artifactId>common</artifactId>
     <groupId>org.opencwa</groupId>
-    <version>0.5.0</version>
+    <version>${revision}</version>
     <relativePath>../pom.xml</relativePath>
   </parent>
   <modelVersion>4.0.0</modelVersion>
 
   <artifactId>protocols</artifactId>
-  <version>0.5.0</version>
 
   <properties>
     <sonar.projectKey>corona-warn-app_cwa-server_common_protocols</sonar.projectKey>
@@ -53,4 +52,4 @@
     </plugins>
   </build>
 
-</project>
+</project>

common/protocols/src/main/proto/app/coronawarn/server/common/protocols/external/exposurenotification/temporary_exposure_key_export.proto

@@ -21,17 +21,15 @@ message TemporaryExposureKeyExport {
 message SignatureInfo {
   // Apple App Store Application Bundle ID
   optional string app_bundle_id = 1;
-  // Android App package name
-  optional string android_package = 2;
   // Key version for rollovers
   // Must be in character class [a-zA-Z0-9_]
-  optional string verification_key_version = 3;
+  optional string verification_key_version = 2;
   // Alias with which to identify public key to be used for verification
   // Must be in character class [a-zA-Z0-9_]
-  optional string verification_key_id = 4;
+  optional string verification_key_id = 3;
   // ASN.1 OID for Algorithm Identifier. Supported algorithms are
   // either 1.2.840.10045.4.3.2 or 1.2.840.10045.4.3.4
-  optional string signature_algorithm = 5;
+  optional string signature_algorithm = 4;
 }
 message TemporaryExposureKey {
   // Key of infected user

docker-compose-test-secrets/private.pem

@@ -1,5 +1,5 @@
 -----BEGIN EC PRIVATE KEY-----
-MHcCAQEEILQRQFlGcfeTAclubtjQ1rBjtmIOB/d7PITZyDe1r81/oAoGCCqGSM49
-AwEHoUQDQgAEYQJ+sReY1L8z851VFRpLu4PCusj/7Ruvi879KjrQJ12kKKsfeRWy
-tmrE65Jok1lsYqpFhRWcxG6VV5FX0yG+Eg==
+MHcCAQEEINOQcM6jChvjAwf0B3C2ex7Ronsc2VH4qIZK91n1/tgJoAoGCCqGSM49
+AwEHoUQDQgAE9/HUs+ssvOdmv+BZPjubaUiYOWYTd5iRMopbdBzpEPXbyQBSmOFe
+sVJ7y3GTU/1ql9FuIrqB7YBkhZZExPEqEw==
 -----END EC PRIVATE KEY-----

docker-compose.yml

@@ -8,7 +8,7 @@ services:
       - postgres
     ports:
       - "8000:8080"
-      - "8005:8081"
+      - "8006:8081"
     environment:
       SPRING_PROFILES_ACTIVE: dev
       POSTGRESQL_SERVICE_PORT: '5432'
@@ -38,9 +38,8 @@ services:
       CWA_OBJECTSTORE_BUCKET: cwa
       CWA_OBJECTSTORE_PORT: 8000
       services.distribution.paths.output: /tmp/distribution
-      # Settings for cryptographic artefacts
+      # Settings for cryptographic artifacts
       VAULT_FILESIGNING_SECRET: ${SECRET_PRIVATE}
-      VAULT_FILESIGNING_CERT: ${SECRET_CERTIFICATE}
     volumes:
       - ./docker-compose-test-secrets:/secrets
   postgres:
@@ -84,10 +83,10 @@ services:
     environment:
       - AWS_ACCESS_KEY_ID=${OBJECTSTORE_ACCESSKEY}
       - AWS_SECRET_ACCESS_KEY=${OBJECTSTORE_SECRETKEY}
-    entrypoint: ["/root/scripts/wait-for-it/wait-for-it.sh", "objectstore:8000", "-t", "30", "--"]
+    #entrypoint: ["/root/scripts/wait-for-it/wait-for-it.sh", "objectstore:8000", "-t", "30", "--"]
     volumes:
       - ./scripts/wait-for-it:/root/scripts/wait-for-it
-    command: aws s3api create-bucket --bucket cwa --endpoint-url http://objectstore:8000 --acl public-read
+    command: s3api create-bucket --bucket cwa --endpoint-url http://objectstore:8000 --acl public-read
     depends_on:
       - objectstore
   verification-fake:

pom.xml

@@ -10,7 +10,7 @@
   </modules>
   <groupId>org.opencwa</groupId>
   <artifactId>server</artifactId>
-  <version>0.5.0</version>
+  <version>${revision}</version>
   <name>server</name>
   <description>CWA Server</description>
   <url>https://www.coronawarn.app/</url>
@@ -37,6 +37,28 @@
 
   <build>
     <plugins>
+      <plugin>
+        <!-- see https://maven.apache.org/maven-ci-friendly.html#install-deploy -->
+        <groupId>org.codehaus.mojo</groupId>
+        <artifactId>flatten-maven-plugin</artifactId>
+        <version>1.1.0</version>
+        <configuration>
+          <updatePomFile>true</updatePomFile>
+          <flattenMode>resolveCiFriendliesOnly</flattenMode>
+        </configuration>
+        <executions>
+          <execution>
+            <id>flatten</id>
+            <phase>process-resources</phase>
+            <goals><goal>flatten</goal></goals>
+          </execution>
+          <execution>
+            <id>flatten-clean</id>
+            <phase>clean</phase>
+            <goals><goal>clean</goal></goals>
+          </execution>
+        </executions>
+      </plugin>
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-checkstyle-plugin</artifactId>

scripts/.gitignore

@@ -1 +1 @@
-/certificates/
+keys/