Merge pull request #309 from wultra/develop

Merge develop to master

.github/workflows/maven-integration-test.yml

@@ -44,7 +44,7 @@ jobs:
           POWERAUTH_ENROLLMENT_ONBOARDING_SERVICE_URL: ${{ secrets.POWERAUTH_ENROLLMENT_ONBOARDING_SERVICE_URL }}
           POWERAUTH_SERVICE_SECURITY_CLIENTTOKEN: ${{ secrets.POWERAUTH_SERVICE_SECURITY_CLIENTTOKEN }}
           POWERAUTH_SERVICE_SECURITY_CLIENTSECRET: ${{ secrets.POWERAUTH_SERVICE_SECURITY_CLIENTSECRET }}
-          POWERAUTH_TEST_INCLUDECUSTOMTESTS: ${{ inputs.includeCustomTests }}
+          POWERAUTH_TEST_INCLUDECUSTOMTESTS: ${{ inputs.includeCustomTests == '' || inputs.includeCustomTests }} # default includeCustomTests=true even for 'schedule' event
       - name: Publish Test Report
         uses: mikepenz/action-junit-report@v3
         if: always()

.run/TestServerApplication.run.xml

@@ -0,0 +1,11 @@
+<component name="ProjectRunConfigurationManager">
+  <configuration default="false" name="TestServerApplication" type="SpringBootApplicationConfigurationType" factoryName="Spring Boot">
+    <option name="ACTIVE_PROFILES" value="dev" />
+    <module name="powerauth-test-server" />
+    <option name="SPRING_BOOT_MAIN_CLASS" value="com.wultra.security.powerauth.app.testserver.TestServerApplication" />
+    <method v="2">
+      <option name="Make" enabled="true" />
+      <option name="Maven.BeforeRunTask" enabled="true" file="$PROJECT_DIR$/powerauth-test-server/pom.xml" goal="process-resources" />
+    </method>
+  </configuration>
+</component>

docs-private/Developer-How-To-Start.md

@@ -0,0 +1,20 @@
+# Developer - How to Start Guide
+
+
+## Standalone Run
+
+- Use IntelliJ Idea run configuration at `../.run/TestServerApplication.run.xml`
+- Open [http://localhost:8080/actuator/health](http://localhost:8080/actuator/health) and you should get `{"status":"UP"}`
+
+
+## Database
+
+Database changes are driven by Liquibase.
+
+This is an example how to manually check the Liquibase status.
+Important and fixed parameter is `changelog-file`.
+Others (like URL, username, password) depend on your environment.
+
+```shell
+liquibase --changelog-file=./docs/db/changelog/changesets/powerauth-test-server/db.changelog-module.xml --url=jdbc:postgresql://localhost:5432/powerauth --username=powerauth status
+```

pom.xml

@@ -8,13 +8,13 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>3.1.3</version>
+        <version>3.1.6</version>
         <relativePath /> <!-- lookup parent from repository -->
     </parent>
 
     <groupId>com.wultra</groupId>
     <artifactId>powerauth-backend-tests-parent</artifactId>
-    <version>1.5.0</version>
+    <version>1.6.0</version>
     <packaging>pom</packaging>
 
     <description>Parent pom for backend tests</description>
@@ -45,16 +45,18 @@
     </developers>
 
     <properties>
-        <enrollment-server.version>1.5.0</enrollment-server.version>
-        <powerauth-cmd.version>1.5.0</powerauth-cmd.version>
-        <powerauth-crypto.version>1.5.1</powerauth-crypto.version>
-        <powerauth-restful-integration.version>1.5.0</powerauth-restful-integration.version>
-        <powerauth-webflow.version>1.5.0</powerauth-webflow.version>
-        <wultra-core.version>1.7.0</wultra-core.version>
-
-        <bc.version>1.76</bc.version>
-        <springdoc-openapi-starter-webmvc-ui.version>2.2.0</springdoc-openapi-starter-webmvc-ui.version>
+        <enrollment-server.version>1.6.0</enrollment-server.version>
+        <powerauth-cmd.version>1.6.0</powerauth-cmd.version>
+        <powerauth-crypto.version>1.6.0</powerauth-crypto.version>
+        <powerauth-restful-integration.version>1.6.0</powerauth-restful-integration.version>
+        <powerauth-webflow.version>1.6.0</powerauth-webflow.version>
+        <wultra-core.version>1.8.0</wultra-core.version>
+
+        <bc.version>1.77</bc.version>
+        <springdoc-openapi-starter-webmvc-ui.version>2.3.0</springdoc-openapi-starter-webmvc-ui.version>
         <logstash.version>7.4</logstash.version>
+        <!--  TODO (racansky, 2023-12-08) temporarily override the version 1.4.11 from spring boot version because of CVE  -->
+        <logback.version>1.4.14</logback.version>
     </properties>
 
     <modules>
@@ -79,12 +81,6 @@
                 <version>${powerauth-webflow.version}</version>
             </dependency>
 
-            <dependency>
-                <groupId>io.getlime.security</groupId>
-                <artifactId>powerauth-mtoken-model</artifactId>
-                <version>${powerauth-webflow.version}</version>
-            </dependency>
-
             <!-- PowerAuth Crypto  -->
             <dependency>
                 <groupId>io.getlime.security</groupId>
@@ -143,12 +139,30 @@
                 <version>${enrollment-server.version}</version>
             </dependency>
 
+            <dependency>
+                <groupId>com.wultra.security</groupId>
+                <artifactId>mtoken-model</artifactId>
+                <version>${enrollment-server.version}</version>
+            </dependency>
+
             <!-- Logging -->
             <dependency>
                 <groupId>net.logstash.logback</groupId>
                 <artifactId>logstash-logback-encoder</artifactId>
                 <version>${logstash.version}</version>
             </dependency>
+
+            <!-- Standalone run -->
+            <dependency>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-starter-tomcat</artifactId>
+                <scope>provided</scope>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.tomcat.embed</groupId>
+                <artifactId>tomcat-embed-el</artifactId>
+                <scope>provided</scope>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 

powerauth-backend-tests/README.md

@@ -61,7 +61,6 @@ File `powerauth-java.server.xml`:
     <Parameter name="spring.datasource.username" value="powerauth"/>
     <Parameter name="spring.datasource.password" value="[PASSWORD]"/>
     <Parameter name="spring.datasource.driver-class-name" value="org.postgresql.Driver"/>
-    <Parameter name="spring.jpa.database-platform" value="org.hibernate.dialect.PostgreSQLDialect"/>
 </Context>
 ```
 

powerauth-backend-tests/pom.xml

@@ -8,7 +8,7 @@
     <parent>
         <groupId>com.wultra</groupId>
         <artifactId>powerauth-backend-tests-parent</artifactId>
-        <version>1.5.0</version>
+        <version>1.6.0</version>
     </parent>
 
     <groupId>com.wultra</groupId>

powerauth-backend-tests/src/test/java/com/wultra/security/powerauth/test/shared/PowerAuthEncryptionShared.java

@@ -19,8 +19,18 @@
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.wultra.security.powerauth.client.PowerAuthClient;
+import com.wultra.security.powerauth.client.model.error.PowerAuthClientException;
+import com.wultra.security.powerauth.client.model.request.GetEciesDecryptorRequest;
+import com.wultra.security.powerauth.client.model.response.GetEciesDecryptorResponse;
 import com.wultra.security.powerauth.configuration.PowerAuthTestConfiguration;
 import io.getlime.core.rest.model.base.response.ErrorResponse;
+import io.getlime.security.powerauth.crypto.lib.encryptor.ClientEncryptor;
+import io.getlime.security.powerauth.crypto.lib.encryptor.EncryptorFactory;
+import io.getlime.security.powerauth.crypto.lib.encryptor.exception.EncryptorException;
+import io.getlime.security.powerauth.crypto.lib.encryptor.model.EncryptedRequest;
+import io.getlime.security.powerauth.crypto.lib.encryptor.model.EncryptorId;
+import io.getlime.security.powerauth.crypto.lib.encryptor.model.EncryptorParameters;
+import io.getlime.security.powerauth.crypto.lib.encryptor.model.v3.ClientEncryptorSecrets;
 import io.getlime.security.powerauth.crypto.lib.enums.PowerAuthSignatureTypes;
 import io.getlime.security.powerauth.crypto.lib.generator.HashBasedCounter;
 import io.getlime.security.powerauth.lib.cmd.logging.ObjectStepLogger;
@@ -51,6 +61,8 @@
  */
 public class PowerAuthEncryptionShared {
 
+    private static final EncryptorFactory ENCRYPTOR_FACTORY = new EncryptorFactory();
+
     public static void encryptInActivationScopeTest(PowerAuthTestConfiguration config, EncryptStepModel encryptModel, ObjectStepLogger stepLogger) throws Exception {
         encryptModel.setUriString(config.getEnrollmentServiceUrl() + "/exchange/v3/activation");
         encryptModel.setScope("activation");
@@ -487,6 +499,54 @@ public static void signAndEncryptThreeFactorTest(PowerAuthTestConfiguration conf
         assertEquals(200, stepLogger.getResponse().statusCode());
     }
 
+    public static void replayAttackEciesDecryptorTest(final PowerAuthClient powerAuthClient, final PowerAuthTestConfiguration config, String version) throws EncryptorException, PowerAuthClientException {
+        String requestData = "test_data";
+        ClientEncryptor clientEncryptor = ENCRYPTOR_FACTORY.getClientEncryptor(
+                EncryptorId.APPLICATION_SCOPE_GENERIC,
+                new EncryptorParameters(version, config.getApplicationKey(), null),
+                new ClientEncryptorSecrets(config.getMasterPublicKey(), config.getApplicationSecret())
+        );
+        EncryptedRequest encryptedRequest = clientEncryptor.encryptRequest(requestData.getBytes(StandardCharsets.UTF_8));
+        final GetEciesDecryptorRequest eciesDecryptorRequest = new GetEciesDecryptorRequest();
+        eciesDecryptorRequest.setProtocolVersion(version);
+        eciesDecryptorRequest.setActivationId(null);
+        eciesDecryptorRequest.setApplicationKey(config.getApplicationKey());
+        eciesDecryptorRequest.setEphemeralPublicKey(encryptedRequest.getEphemeralPublicKey());
+        eciesDecryptorRequest.setNonce(encryptedRequest.getNonce());
+        eciesDecryptorRequest.setTimestamp(encryptedRequest.getTimestamp());
+        GetEciesDecryptorResponse decryptorResponse = powerAuthClient.getEciesDecryptor(eciesDecryptorRequest);
+        assertNotNull(decryptorResponse.getSecretKey());
+        assertNotNull(decryptorResponse.getSharedInfo2());
+
+        // Replay attack simulation - send the same request twice, expect error ERR0024
+        final PowerAuthClientException ex = assertThrows(PowerAuthClientException.class, () ->
+                powerAuthClient.getEciesDecryptor(eciesDecryptorRequest));
+        assertEquals("ERR0024", ex.getPowerAuthError().get().getCode());
+    }
+
+    public static void encryptedResponseTest(final PowerAuthTestConfiguration config, EncryptStepModel encryptModel, ObjectStepLogger stepLogger, String version) throws Exception {
+        encryptModel.setUriString(config.getEnrollmentServiceUrl() + "/exchange/v3/activation");
+        encryptModel.setScope("activation");
+
+        new EncryptStep().execute(stepLogger, encryptModel.toMap());
+        assertTrue(stepLogger.getResult().success());
+        assertEquals(200, stepLogger.getResponse().statusCode());
+        EciesEncryptedResponse responseObject = (EciesEncryptedResponse) stepLogger.getResponse().responseObject();
+        assertNotNull(responseObject.getEncryptedData());
+        assertNotNull(responseObject.getMac());
+        switch (version) {
+            case "3.0", "3.1" -> {
+                assertNull(responseObject.getNonce());
+                assertNull(responseObject.getTimestamp());
+            }
+            case "3.2" -> {
+                assertNotNull(responseObject.getNonce());
+                assertNotNull(responseObject.getTimestamp());
+            }
+            default -> fail("Unsupported version");
+        }
+    }
+
     private static String generateRandomString() {
         SecureRandom secureRandom = new SecureRandom();
         StringBuilder alphabetBuilder = new StringBuilder();

powerauth-backend-tests/src/test/java/com/wultra/security/powerauth/test/shared/PowerAuthUserInfoShared.java → powerauth-backend-tests/src/test/java/com/wultra/security/powerauth/test/shared/PowerAuthInfoShared.java

@@ -21,13 +21,18 @@
 import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.SerializationFeature;
+import com.wultra.core.rest.client.base.DefaultRestClient;
+import com.wultra.core.rest.client.base.RestClient;
 import com.wultra.security.powerauth.configuration.PowerAuthTestConfiguration;
+import io.getlime.core.rest.model.base.request.ObjectRequest;
+import io.getlime.core.rest.model.base.response.ObjectResponse;
 import io.getlime.security.powerauth.lib.cmd.logging.ObjectStepLogger;
 import io.getlime.security.powerauth.lib.cmd.logging.model.StepItem;
 import io.getlime.security.powerauth.lib.cmd.steps.model.EncryptStepModel;
 import io.getlime.security.powerauth.lib.cmd.steps.v3.EncryptStep;
 import io.getlime.security.powerauth.rest.api.model.request.UserInfoRequest;
 import io.getlime.security.powerauth.rest.api.model.response.EciesEncryptedResponse;
+import io.getlime.security.powerauth.rest.api.model.response.ServerStatusResponse;
 import org.opentest4j.AssertionFailedError;
 
 import java.util.Map;
@@ -37,14 +42,17 @@
 import static org.junit.jupiter.api.Assertions.*;
 
 /**
- * PowerAuth user info test shared logic.
+ * PowerAuth server info test shared logic.
  *
  * @author Roman Strobl, [email protected]
  */
-public class PowerAuthUserInfoShared {
+public class PowerAuthInfoShared {
 
     private static final ObjectMapper objectMapper = new ObjectMapper().disable(SerializationFeature.FAIL_ON_EMPTY_BEANS);
 
+    // Tolerate 60 seconds time difference between client and server in tests
+    private static final long SERVER_CLIENT_TIME_DIFF_TOLERANCE_MILLIS = 60000;
+
     public static void testUserInfo(final PowerAuthTestConfiguration config, final EncryptStepModel encryptModel, final String version) throws Exception {
         encryptModel.setUriString(config.getEnrollmentServiceUrl() + "/pa/v3/user/info");
         encryptModel.setScope("activation");
@@ -73,6 +81,12 @@ public static void testUserInfo(final PowerAuthTestConfiguration config, final E
         assertEquals(config.getUser(version), decryptedData.get("sub"));
     }
 
+    public static void testServerStatus(final PowerAuthTestConfiguration config) throws Exception {
+        final RestClient restClient = new DefaultRestClient(config.getEnrollmentServiceUrl());
+        final ObjectResponse<ServerStatusResponse> objectResponse = restClient.postObject("/pa/v3/status", new ObjectRequest<>(), ServerStatusResponse.class);
+        assertTrue(Math.abs(objectResponse.getResponseObject().serverTime() - System.currentTimeMillis()) < SERVER_CLIENT_TIME_DIFF_TOLERANCE_MILLIS);
+    }
+
     private static Predicate<StepItem> isStepItemDecryptedResponse() {
         return stepItem -> "Decrypted Response".equals(stepItem.name());
     }

powerauth-backend-tests/src/test/java/com/wultra/security/powerauth/test/v30/PowerAuthEncryptionTest.java

@@ -219,4 +219,9 @@ void signAndEncryptThreeFactorTest() throws Exception {
         PowerAuthEncryptionShared.signAndEncryptThreeFactorTest(config, signatureModel, stepLogger);
     }
 
+    @Test
+    void encryptedResponseTest() throws Exception {
+        PowerAuthEncryptionShared.encryptedResponseTest(config, encryptModel, stepLogger, VERSION);
+    }
+
 }

powerauth-backend-tests/src/test/java/com/wultra/security/powerauth/test/v31/PowerAuthEncryptionTest.java

@@ -219,4 +219,9 @@ void signAndEncryptThreeFactorTest() throws Exception {
         PowerAuthEncryptionShared.signAndEncryptThreeFactorTest(config, signatureModel, stepLogger);
     }
 
+    @Test
+    void encryptedResponseTest() throws Exception {
+        PowerAuthEncryptionShared.encryptedResponseTest(config, encryptModel, stepLogger, VERSION);
+    }
+
 }

powerauth-backend-tests/src/test/java/com/wultra/security/powerauth/test/v32/PowerAuthEncryptionTest.java

@@ -219,4 +219,14 @@ void signAndEncryptThreeFactorTest() throws Exception {
         PowerAuthEncryptionShared.signAndEncryptThreeFactorTest(config, signatureModel, stepLogger);
     }
 
+    @Test
+    void replayAttackEciesDecryptorTest() throws Exception {
+        PowerAuthEncryptionShared.replayAttackEciesDecryptorTest(powerAuthClient, config, VERSION);
+    }
+
+    @Test
+    void encryptedResponseTest() throws Exception {
+        PowerAuthEncryptionShared.encryptedResponseTest(config, encryptModel, stepLogger, VERSION);
+    }
+
 }

powerauth-backend-tests/src/test/java/com/wultra/security/powerauth/test/v3x/PowerAuthUserInfoTest.java → powerauth-backend-tests/src/test/java/com/wultra/security/powerauth/test/v3x/PowerAuthInfoTest.java

@@ -18,7 +18,7 @@
 package com.wultra.security.powerauth.test.v3x;
 
 import com.wultra.security.powerauth.configuration.PowerAuthTestConfiguration;
-import com.wultra.security.powerauth.test.shared.PowerAuthUserInfoShared;
+import com.wultra.security.powerauth.test.shared.PowerAuthInfoShared;
 import io.getlime.security.powerauth.lib.cmd.steps.model.EncryptStepModel;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -40,7 +40,7 @@
 @SpringBootTest(classes = PowerAuthTestConfiguration.class)
 @EnableConfigurationProperties
 @EnabledIf(expression = "${powerauth.test.includeCustomTests}", loadContext = true)
-class PowerAuthUserInfoTest {
+class PowerAuthInfoTest {
 
     private final static String VERSION = "3.2";
 
@@ -62,7 +62,12 @@ void setUp() {
 
     @Test
     void testUserInfo() throws Exception {
-        PowerAuthUserInfoShared.testUserInfo(config, encryptModel, VERSION);
+        PowerAuthInfoShared.testUserInfo(config, encryptModel, VERSION);
+    }
+
+    @Test
+    void testServerStatus() throws Exception {
+        PowerAuthInfoShared.testServerStatus(config);
     }
 
 }

powerauth-load-tests/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>com.wultra</groupId>
         <artifactId>powerauth-backend-tests-parent</artifactId>
-        <version>1.5.0</version>
+        <version>1.6.0</version>
     </parent>
 
     <groupId>com.wultra</groupId>
@@ -41,10 +41,10 @@
         <scala.version>2.13.6</scala.version>
         <scala.minor.version>2.13.6</scala.minor.version>
 
-        <maven-plugin-gatling.version>3.1.2</maven-plugin-gatling.version>
-        <maven-plugin-scala.version>4.5.4</maven-plugin-scala.version>
+        <maven-plugin-gatling.version>4.7.0</maven-plugin-gatling.version>
+        <maven-plugin-scala.version>4.8.1</maven-plugin-scala.version>
 
-        <gatling.version>3.6.1</gatling.version>
+        <gatling.version>3.10.3</gatling.version>
     </properties>
 
     <dependencies>

powerauth-test-server/Dockerfile

@@ -1,4 +1,4 @@
-FROM ibm-semeru-runtimes:open-17.0.8_7-jre
+FROM ibm-semeru-runtimes:open-17.0.9_9-jre
 LABEL maintainer="[email protected]"
 
 # Prepare environment variables
@@ -8,7 +8,7 @@ ENV JAVA_HOME=/opt/java/openjdk \
     LB_VERSION=4.23.2 \
     TOMCAT_HOME=/usr/local/tomcat \
     TOMCAT_MAJOR=10 \
-    TOMCAT_VERSION=10.1.13 \
+    TOMCAT_VERSION=10.1.17 \
     LOGBACK_CONF=/opt/logback/conf \
     TZ=UTC
 
@@ -21,7 +21,7 @@ RUN apt-get -y update  \
 
 # Install tomcat
 RUN curl -jkSL -o /tmp/apache-tomcat.tar.gz http://archive.apache.org/dist/tomcat/tomcat-${TOMCAT_MAJOR}/v${TOMCAT_VERSION}/bin/apache-tomcat-${TOMCAT_VERSION}.tar.gz \
-    && [ "406c0c367ac6ad95bb724ecc3a3c340ad7ded8c62287d657811eeec496eaaca1f5add52d2f46111da1426ae67090c543f6deccfeb5fdf4bdae32f9b39e773265  /tmp/apache-tomcat.tar.gz" = "$(sha512sum /tmp/apache-tomcat.tar.gz)" ] \
+    && [ "ff9670f9cd49a604e47edfbcfb5855fe59342048c3278ea8736276b51327adf2d076973f3ad1b8aa7870ef26c28cf7111527be810b445c9927f2a457795f5cb6  /tmp/apache-tomcat.tar.gz" = "$(sha512sum /tmp/apache-tomcat.tar.gz)" ] \
     && gunzip /tmp/apache-tomcat.tar.gz \
     && tar -C /opt -xf /tmp/apache-tomcat.tar \
     && ln -s /opt/apache-tomcat-$TOMCAT_VERSION $TOMCAT_HOME