Merge branch 'main' into fix/callback

README.md

@@ -30,23 +30,70 @@
 
 This repository contains the source code of the EU Digital COVID Certificate Validation Decorator.
 
-The Validation Decorator is a template. To make your own adjustments, the three interfaces `KeyProvider`, `BackendRepository` and `AccessTokenPayloadBuilder` should be implemented.
+The Validation Decorator is an interface between the [validation service](https://github.com/eu-digital-green-certificates/dgca-validation-service) and an internal [backend system](https://github.com/eu-digital-green-certificates/dgca-booking-demo-backend) (demo) for the exchange of digital covid certificate information.
+
+The validation has complex work flow that involves
 
-- [ ] TODO: Describe Component
+- [dgca-validation-service](https://github.com/eu-digital-green-certificates/dgca-validation-service) - additional service on travel system 
+- [dgca-booking-demo](https://github.com/eu-digital-green-certificates/dgca-booking-demo) - travel system mock
+- [dgca-booking-demo-frontend](https://github.com/eu-digital-green-certificates/dgca-booking-demo-frontend)
+- [dgca-verifier-app-android](https://github.com/eu-digital-green-certificates/dgca-verifier-app-android) - provide dcc
+- [dgca-booking-demo-backend](https://github.com/eu-digital-green-certificates/dgca-booking-demo-backend)
 
 ## Development
 
 ### Prerequisites
 
-- [ ] TODO: Prerequisites
+- [Open JDK 11](https://openjdk.java.net)
+- [Maven](https://maven.apache.org)
+- [Docker](https://www.docker.com)
+- Authenticate to [Github Packages](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry)
+
+#### Authenticating in to GitHub Packages
+
+As some of the required libraries (and/or versions are pinned/available only from GitHub Packages) You need to authenticate
+to [GitHub Packages](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry)
+The following steps need to be followed
+
+- Create [PAT](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token) with scopes:
+    - `read:packages` for downloading packages
+
+##### GitHub Maven
+
+- Copy/Augment `~/.m2/settings.xml` with the contents of `settings.xml` present in this repository
+    - Replace `${app.packages.username}` with your github username
+    - Replace `${app.packages.password}` with the generated PAT
+
+##### GitHub Docker Registry
+
+- Run `docker login docker.pkg.github.com/eu-digital-green-certificates` before running further docker commands.
+    - Use your GitHub username as username
+    - Use the generated PAT as password
 
 ### Build
 
-- [ ] TODO: Build
+Whether you cloned or downloaded the 'zipped' sources you will either find the sources in the chosen checkout-directory or get a zip file with the source code, which you can expand to a folder of your choice.
+
+In either case open a terminal pointing to the directory you put the sources in. The local build process is described afterwards depending on the way you choose.
+
+### Build with maven
+* Check [settings.xml](settings.xml) in root folder and copy the servers to your own `~/.m2/settings.xml` to connect the GitHub repositories we use in our code. Provide your GitHub username and access token (see [GitHub Help](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token)) under the variables suggested.
+* Run `mvn clean package` from the project root folder
+
+### Run with docker
+* Perform maven build as described above
+* Run `docker-compose up` from the project root folder
 
+After all containers have started you will be able to reach the application on your [local machine](http://localhost:8080/dgci/status) under port 8080.
 ## Documentation
 
-- [ ] TODO: Documentation
+The Validation Decorator is a template. To make your own adjustments, the three interfaces `KeyProvider`, `BackendRepository` and `AccessTokenPayloadBuilder` should be implemented.
+
+`KeyProvider` provides the necessary keys and certificates. Separate keys for JWT, certificates for Validation Service and others are provided.
+
+`BackendRepository` provides the interface to the internal service. In this example [dgca-booking-demo-backend](https://github.com/eu-digital-green-certificates/dgca-booking-demo-backend) is connected and should demonstrate an airline.
+
+`AccessTokenPayloadBuilder` basically serves as a converter to create the `AccessTokenPayload` from the given data.
 
 ## Support and feedback
 

owasp/suppressions.xml

@@ -29,7 +29,9 @@
     <cve>CVE-2021-22118</cve>
   </suppress>
   <suppress>
-    <!-- tomcat-embed-core-9.0.52.jar : CVE-2020-0822-->
+    <!-- tomcat-embed-core-9.0.52.jar: CVE-2020-0822 -->
 	<cve>CVE-2020-0822</cve>
+	<!-- tomcat-embed-core-9.0.52.jar: CVE-2021-42340 -->
+	<cve>CVE-2021-42340</cve> 
   </suppress>
 </suppressions>

pom.xml

@@ -35,10 +35,7 @@
     	<bcpkix.version>1.68</bcpkix.version>
     	<okhttp.version>4.9.1</okhttp.version>
     	<shedlock.version>4.25.0</shedlock.version>
-        <nimbusds.version>9.9.2</nimbusds.version>
         <dgc.lib.version>1.1.3</dgc.lib.version>
-        <dgc-certlogic.version>0.0.0-3834d93</dgc-certlogic.version>
-        <dgc-decoder.version>0.1</dgc-decoder.version>
         <!-- plugins -->
         <plugin.checkstyle.version>3.1.2</plugin.checkstyle.version>
         <plugin.sonar.version>3.9.0.2155</plugin.sonar.version>
@@ -213,16 +210,6 @@
             <artifactId>spring-security-web</artifactId>
             <version>${spring.security.version}</version><!--$NO-MVN-MAN-VER$-->
         </dependency>
-        <dependency>
-            <groupId>eu.europa.ec.dgc</groupId>
-            <artifactId>dgc-certlogic</artifactId>
-            <version>${dgc-certlogic.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>eu.europa.ec.dgc</groupId>
-            <artifactId>dgc-decoder</artifactId>
-            <version>${dgc-decoder.version}</version>
-        </dependency>
         <dependency>
             <groupId>io.jsonwebtoken</groupId>
             <artifactId>jjwt</artifactId>
@@ -236,11 +223,6 @@
             <groupId>com.sap.hcp.cf.logging</groupId>
             <artifactId>cf-java-logging-support-logback</artifactId>
         </dependency>
-        <dependency>
-            <groupId>com.nimbusds</groupId>
-            <artifactId>nimbus-jose-jwt</artifactId>
-            <version>${nimbusds.version}</version><!--$NO-MVN-MAN-VER$-->
-        </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcpkix-jdk15on</artifactId>

src/main/java/eu/europa/ec/dgc/validation/decorator/config/DccVerificationConfig.java

@@ -20,17 +20,8 @@
 
 package eu.europa.ec.dgc.validation.decorator.config;
 
-import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
-import dgca.verifier.app.decoder.JsonSchemaKt;
-import dgca.verifier.app.engine.AffectedFieldsDataRetriever;
-import dgca.verifier.app.engine.CertLogicEngine;
-import dgca.verifier.app.engine.DefaultAffectedFieldsDataRetriever;
-import dgca.verifier.app.engine.DefaultCertLogicEngine;
-import dgca.verifier.app.engine.DefaultJsonLogicValidator;
-import dgca.verifier.app.engine.JsonLogicValidator;
 import lombok.RequiredArgsConstructor;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -50,22 +41,4 @@ public ObjectMapper objectMapper() {
         objectMapper.registerModule(new JavaTimeModule());
         return objectMapper;
     }
-
-    @Bean
-    public AffectedFieldsDataRetriever affectedFieldsDataRetriever(ObjectMapper objectMapper)
-            throws JsonProcessingException {
-        JsonNode jsonNode = objectMapper.readTree(JsonSchemaKt.JSON_SCHEMA_V1);
-        return new DefaultAffectedFieldsDataRetriever(jsonNode, objectMapper);
-    }
-
-    @Bean
-    public JsonLogicValidator jsonLogicValidator() {
-        return new DefaultJsonLogicValidator();
-    }
-
-    @Bean
-    public CertLogicEngine certLogicEngine(AffectedFieldsDataRetriever affectedFieldsDataRetriever,
-            JsonLogicValidator jsonLogicValidator) {
-        return new DefaultCertLogicEngine(affectedFieldsDataRetriever, jsonLogicValidator);
-    }
 }

src/main/java/eu/europa/ec/dgc/validation/decorator/entity/ValidationServiceIdentityResponse.java

@@ -20,38 +20,40 @@
 
 package eu.europa.ec.dgc.validation.decorator.entity;
 
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import java.util.ArrayList;
 import java.util.List;
 import lombok.Data;
 
 @Data
 public class ValidationServiceIdentityResponse {
-    
+
     private String id;
-    
+
     private List<VerificationMethod> verificationMethod = new ArrayList<>();
-    
+
     @Data
+    @JsonIgnoreProperties(ignoreUnknown = true)
     public static final class VerificationMethod {
-        
+
         private String id;
-        
+
         private String type;
-        
+
         private String controller;
-        
+
         private PublicKeyJwk publicKeyJwk;
     }
-    
+
     @Data
     public static final class PublicKeyJwk {
-        
+
         private String x5c;
-        
+
         private String kid;
-        
+
         private String alg;
-        
+
         private String use;
     }
 }

src/main/java/eu/europa/ec/dgc/validation/decorator/repository/ValidationServiceRepository.java

@@ -64,7 +64,14 @@ public ValidationServiceIdentityResponse identity(final ServiceProperties servic
         log.debug("REST Call to '{}' starting", url);
         final ResponseEntity<ValidationServiceIdentityResponse> response = restTpl
                 .getForEntity(url, ValidationServiceIdentityResponse.class);
-        return response.getBody();
+
+        // Workaround: remove unsupported VerificationMethod
+        final ValidationServiceIdentityResponse resBody = response.getBody();
+        if (resBody.getVerificationMethod() != null) {
+            resBody.getVerificationMethod().removeIf(method -> method.getPublicKeyJwk() == null);    
+        }
+
+        return resBody;
     }
 
     /**

src/main/java/eu/europa/ec/dgc/validation/decorator/service/AccessTokenPayloadBuilderImpl.java

@@ -62,9 +62,10 @@ public AccessTokenPayload build(
         accessTokenConditions.setDob(this.parseBirthDay(subjectResponse.getBirthDate()));
 
         final OffsetDateTime departureTime = occurrenceInfo.getDepartureTime();
-        accessTokenConditions.setValidFrom(departureTime.format(FORMATTER));
-        accessTokenConditions.setValidationClock(occurrenceInfo.getArrivalTime().format(FORMATTER));
-        accessTokenConditions.setValidTo(departureTime.plusDays(2).format(FORMATTER));
+        final OffsetDateTime arrivalTime = occurrenceInfo.getArrivalTime();
+        accessTokenConditions.setValidFrom(departureTime.format(FORMATTER));        
+        accessTokenConditions.setValidationClock(arrivalTime.format(FORMATTER));
+        accessTokenConditions.setValidTo(arrivalTime.format(FORMATTER));
 
         final AccessTokenPayload accessTokenPayload = new AccessTokenPayload();
         accessTokenPayload.setJti(subjectResponse.getJti());