Merge develop to master

docs/Configuration-Properties.md

@@ -9,7 +9,6 @@ The PowerAuth Server uses the following public configuration properties:
 | `spring.datasource.url` | `jdbc:postgresql://localhost:5432/powerauth` | Database JDBC URL |
 | `spring.datasource.username` | `powerauth` | Database JDBC username |
 | `spring.datasource.password` | `_empty_` | Database JDBC password |
-| `spring.datasource.driver-class-name` | `org.postgresql.Driver` | Datasource JDBC class name |
 | `spring.jpa.hibernate.ddl-auto` | `none` | Configuration of automatic database schema creation |
 | `spring.jpa.properties.hibernate.connection.characterEncoding` | `utf8` | Character encoding |
 | `spring.jpa.properties.hibernate.connection.useUnicode` | `true` | Character encoding - Unicode support |
@@ -71,6 +70,9 @@ The PowerAuth Server uses the following public configuration properties:
 
 
 ## Monitoring and Observability
+| Property                                  | Default | Note                                                                                                                                                                        |
+|-------------------------------------------|---------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `management.tracing.sampling.probability` | `1.0`   | Specifies the proportion of requests that are sampled for tracing. A value of 1.0 means that 100% of requests are sampled, while a value of 0 effectively disables tracing. |
 
 The WAR file includes the `micrometer-registry-prometheus` dependency.
 Discuss its configuration with the [Spring Boot documentation](https://docs.spring.io/spring-boot/docs/3.1.x/reference/html/actuator.html#actuator.metrics).

docs/Database-Structure.md

@@ -6,11 +6,7 @@ You can download DDL scripts for supported databases:
 
 - [Oracle - Create Database Schema](./sql/oracle/create_schema.sql)
 - [PostgreSQL - Create Database Schema](./sql/postgresql/create_schema.sql)
-
-The drop scripts are available for supported databases:
-
-- [Oracle - Drop Tables and Sequences](./sql/oracle/delete_schema.sql)
-- [PostgreSQL - Drop Tables and Sequences](./sql/postgresql/delete_schema.sql)
+- [MS SQL - Create Database Schema](./sql/mssql/create_schema.sql)
 
 See the overall database schema:
 
@@ -90,6 +86,33 @@ CREATE TABLE pa_application_version
 | supported | INT(11) | - | Flag indicating if this version is supported or not (0 = not supported, 1..N = supported)                                               |
 <!-- end -->
 
+<!-- begin database table pa_application_config -->
+### Application Configuration Table
+
+Stores configurations for the applications stored in `pa_application` table.
+
+#### Schema
+
+```sql
+CREATE TABLE pa_application_config
+(
+    id                 INTEGER NOT NULL PRIMARY KEY,
+    application_id     INTEGER NOT NULL,
+    config_key         VARCHAR(255),
+    config_values      TEXT
+);
+```
+
+#### Columns
+
+| Name | Type | Info | Note                                                                                                                                    |
+|------|------|---------|-----------------------------------------------------------------------------------------------------------------------------------------|
+| id | BIGINT(20)  | primary key, autoincrement | Unique application configuration identifier. |
+| application_id | BIGINT(20)  | foreign key: pa\_application.id | Related application ID. |
+| config_key | VARCHAR(255) | index | Configuration key names such as `fido2_attestation_fmt_allowed` and `fido2_aaguids_allowed`. |
+| config_values | TEXT | - | Configuration values serialized in JSON format. |
+<!-- end -->
+
 <!-- begin database table pa_activation -->
 ### Activations Table
 

docs/Deploying-PowerAuth-Server.md

@@ -42,7 +42,6 @@ The default database connectivity parameters in `powerauth-java-server.war` are
 spring.datasource.url=jdbc:postgresql://localhost:5432/powerauth
 spring.datasource.username=powerauth
 spring.datasource.password=
-spring.datasource.driver-class-name=org.postgresql.Driver
 spring.jpa.hibernate.ddl-auto=none
 spring.jpa.properties.hibernate.connection.characterEncoding=utf8
 spring.jpa.properties.hibernate.connection.useUnicode=true
@@ -57,7 +56,6 @@ For Oracle database use following connectivity parameters (example):
 spring.datasource.url=jdbc:oracle:thin:@//[HOST]:[PORT]/[SERVICENAME]
 spring.datasource.username=powerauth
 spring.datasource.password=*********
-spring.datasource.driver-class-name=oracle.jdbc.driver.OracleDriver
 spring.jpa.hibernate.ddl-auto=none
 ```
 
@@ -68,7 +66,6 @@ For PostgreSQL use following connectivity parameters (example):
 spring.datasource.url=jdbc:postgresql://[HOST]:[PORT]/[DATABASE]
 spring.datasource.username=powerauth
 spring.datasource.password=*********
-spring.datasource.driver-class-name=org.postgresql.Driver
 spring.jpa.hibernate.ddl-auto=none
 ```
 
@@ -136,7 +133,6 @@ You can specify the individual properties directly in the server configuration.
     <Parameter name="spring.datasource.url" value="jdbc:postgresql://localhost:5432"/>
     <Parameter name="spring.datasource.username" value="powerauth"/>
     <Parameter name="spring.datasource.password" value=""/>
-    <Parameter name="spring.datasource.driver-class-name" value="org.postgresql.Driver"/>
 </Context>
 ```
 
@@ -157,7 +153,6 @@ To match the previous example, the contents of `/path/to/come/custom.properties`
 spring.datasource.url=jdbc:postgresql://localhost:5432/powerauth
 spring.datasource.username=powerauth
 spring.datasource.password=
-spring.datasource.driver-class-name=org.postgresql.Driver
 ```
 
 ## Generating Your First Application
@@ -234,7 +229,6 @@ Some application servers, such as **WildFly** by JBoss, are very restrictive in
 spring.datasource.url=
 spring.datasource.username=
 spring.datasource.password=
-spring.datasource.driver-class-name=
 spring.jpa.database-platform=
 spring.jpa.hibernate.ddl-auto=none
 spring.datasource.jndi-name=java:/jdbc/powerauth

docs/Deploying-Wildfly.md

@@ -96,7 +96,6 @@ The `application-ext.properties` file is used to override default configuration
 spring.datasource.url=jdbc:oracle:thin:@//[host]:[port]/[servicename]
 spring.datasource.username=powerauth
 spring.datasource.password=powerauth
-spring.datasource.driver-class-name=oracle.jdbc.driver.OracleDriver
 
 # Application Service Configuration
 powerauth.service.applicationEnvironment=TEST

docs/Migration-Instructions.md

@@ -6,6 +6,7 @@ This page contains PowerAuth Server migration instructions.
 When updating across multiple versions, you need to perform all migration steps additively.
 <!-- end -->
 
+- [PowerAuth Server 1.7.0](./PowerAuth-Server-1.7.0.md)
 - [PowerAuth Server 1.6.0](./PowerAuth-Server-1.6.0.md)
 - [PowerAuth Server 1.5.0](./PowerAuth-Server-1.5.0.md)
 - [PowerAuth Server 1.4.0](./PowerAuth-Server-1.4.0.md)

docs/Offline-Signatures.md

@@ -17,6 +17,15 @@ For Web Flow the format of request `data` is documented in the [Offline Signatur
 
 The `offlineData` in response already contains all data required to display a QR code. The validity of the QR code should be verified by computing the ECDSA signature of `offlineData` content before the computed signature and comparing it with the `ECDSA_SIGNATURE` in `offlineData`. The `nonce` in response will be required during offline signature verification step.
 
+
+### Proximity anti-fraud check
+
+If you want to use the proximity anti-fraud feature in offline mode, you have to specify `nonce`, `proximityCheck.seed`, and `proximityCheck.stepLength` in `CreatePersonalizedOfflineSignaturePayloadRequest`.
+In that case, `CreatePersonalizedOfflineSignaturePayloadResponse#offlineData` contains `CreatePersonalizedOfflineSignaturePayloadRequest#data` plus a generated TOTP.
+The structure is following `{DATA})\n{TOTP}\n{NONCE}\n{KEY_SERVER_PRIVATE_INDICATOR}{ECDSA_SIGNATURE}`.
+This value is transparent for you and is handled by Mobile SDK.
+
+
 ## Generating non-personalized offline signature payload
 
 Non-personalized offline signatures are used when activation ID is not known. A typical use case is offline verification for login operation.

docs/PowerAuth-Server-1.7.0.md

@@ -0,0 +1,33 @@
+# Migration from 1.6.x to 1.7.0
+
+This guide contains instructions for migration from PowerAuth Server version `1.6.x` to version `1.7.0`.
+
+## Database Changes
+
+For convenience you can use liquibase for your database migration.
+
+For manual changes use SQL scripts:
+
+- [PostgreSQL script](./sql/postgresql/migration_1.6.0_1.7.0.sql)
+- [Oracle script](./sql/oracle/migration_1.6.0_1.7.0.sql)
+- [MSSQL script](./sql/mssql/migration_1.6.0_1.7.0.sql)
+
+### Updated DB Schema for FIDO2 Support
+
+Following columns have been added to table `pa_activation` for FIDO2 support:
+- `external_id` - external identifier of the activation
+- `protocol` - protocol enumeration: `powerauth` or `fido2`
+
+The data type for column `extras` in table `pa_activation` was changed to `TEXT` / `CLOB` to support larger data.
+
+### New Database Table for Application Configuration
+
+A new database table `pa_application_config` has been added: 
+- `id` - application configuration row identifier
+- `application_id` - application identifier
+- `config_key` - configuration key
+- `config_values` - list of configuration values
+
+Following parameters can be configured:
+- `fido2_attestation_fmt_allowed` - allowed attestation formats for FIDO2 registrations, unset value means all attestation formats are allowed
+- `fido2_aaguids_allowed` - allowed AAGUIDs for FIDO2 registration, unset value means all AAGUIDs are allowed

docs/System-Requirements.md

@@ -60,3 +60,22 @@ You need following software versions:
 Deployment is described in a separate documentation:
 
 - [Docker Images for PowerAuth](https://github.com/wultra/powerauth-docker)
+
+
+## Entropy
+
+The PowerAuth stack requires significant amount of entropy because of random number generators (RNG) used for cryptography.
+When not enough entropy is available, the whole system may dramatically slow down or even get stuck.
+That may happen especially in virtualized environment.
+
+For Linux Kernel lower than 5.4, the minimal required entropy is 256, ideally more than 1024.
+For Linux Kernel 5.4 and higher: the minimal required entropy is 256 (it does not report more anyway).
+
+Command to get available entropy bits:
+
+```shell
+cat /proc/sys/kernel/random/entropy_avail
+```
+
+We recommend using Linux Kernel 5.4 and newer, where `/dev/random` does not block anymore.
+If you must run an older version, consider another source of entropy such as [haveged](https://github.com/jirka-h/haveged).

docs/WebServices-Methods.md

@@ -19,6 +19,9 @@ The following `v3` methods are published using the service:
     - [createApplicationVersion](#method-createapplicationversion)
     - [unsupportApplicationVersion](#method-unsupportapplicationversion)
     - [supportApplicationVersion](#method-supportapplicationversion)
+    - [getApplicationConfig](#method-getapplicationconfig)
+    - [createApplicationConfig](#method-createapplicationconfig)
+    - [removeApplicationConfig](#method-removeapplicationconfig)
 - Activation Management
     - [getActivationListForUser](#method-getactivationlistforuser)
     - [initActivation](#method-initactivation)
@@ -343,6 +346,82 @@ REST endpoint: `POST /rest/v3/application/version/support`
 | `String`  | `applicationVersionId` | An identifier of an application version |
 | `Boolean` | `supported` | Flag indicating if this application is supported |
 
+### Method 'getApplicationConfig'
+
+Get application configuration detail.
+
+#### Request
+
+REST endpoint: `POST /rest/v3/application/config/detail`
+
+`GetApplicationConfigRequest`
+
+| Type     | Name | Description |
+|----------|------|-------------|
+| `String` | `applicationId` | An identifier of an application |
+
+#### Response
+
+`GetApplicationConfigResponse`
+
+| Type      | Name | Description |
+|-----------|------|-------------|
+| `String`  | `applicationId` | An identifier of an application |
+| `List<ApplicationConfigurationItem>` | `applicationConfigs` | List of application configurations |
+
+The `ApplicationConfigurationItem` record contains following parameters: 
+  - `String key` - configuration key name
+  - `List<String> values` - configuration values 
+
+### Method 'createApplicationConfig'
+
+Create application configuration.
+
+#### Request
+
+REST endpoint: `POST /rest/v3/application/config/create`
+
+`CreateApplicationConfigRequest`
+
+| Type     | Name | Description |
+|----------|------|-------------|
+| `String` | `applicationId` | An identifier of an application |
+| `String` | `key` | Application configuration key name |
+| `List<String>` | `values` | Application configuration values |
+
+Following configuration keys are accepted:
+- `fido2_attestation_fmt_allowed` - allowed attestation formats for FIDO2 registrations, unset value means all attestation formats are allowed
+- `fido2_aaguids_allowed` - allowed AAGUIDs for FIDO2 registration, unset value means all AAGUIDs are allowed
+
+#### Response
+
+`CreateApplicationConfigResponse`
+
+| Type     | Name | Description |
+|----------|------|-------------|
+| `String` | `applicationId` | An identifier of an application |
+| `String` | `key` | Application configuration key name |
+| `List<String>` | `values` | Application configuration values |
+
+### Method 'removeApplicationConfig'
+
+Delete an application configuration.
+
+#### Request
+
+REST endpoint: `POST /rest/v3/application/config/remove`
+
+`RemoveApplicationConfigRequest`
+
+| Type     | Name | Description |
+|----------|------|-------------|
+| `String` | `applicationId` | An identifier of an application |
+| `String` | `key` | Application configuration key name |
+
+#### Response
+
+_empty response_
+
 ## Activation management
 
 Methods related to activation management.
@@ -885,7 +964,7 @@ REST endpoint: `POST /rest/v3/signature/offline/personalized/create`
 |-----------|-----------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `String`  | `activationId`              | An identifier of an activation                                                                                                                                                                |
 | `String`  | `data`                      | Data for the signature, for normalized value see the [Offline Signatures QR code](https://github.com/wultra/powerauth-webflow/blob/develop/docs/Off-line-Signatures-QR-Code.md) documentation |
-| `String`  | `nonce`                     | Optional nonce, otherwise it will be generated by PowerAuth server. Needed to be set when proximity check is enabled.                                                                         |
+| `String`  | `nonce`                     | Optional nonce (16 bytes base64 encoded into 24 characters), otherwise it will be generated by PowerAuth server. Needed to be set when proximity check is enabled.                            |
 | `Object`  | `proximityCheck`            | Optional parameters for proximity TOTP.                                                                                                                                                       |
 | `String`  | `proximityCheck.seed`       | Seed for TOTP, base64 encoded.                                                                                                                                                                |
 | `Integer` | `proximityCheck.stepLength` | Length of the TOTP step in seconds.                                                                                                                                                           |

docs/_Sidebar.md

@@ -12,8 +12,8 @@
 
 **Implementation Tutorials**
 
-- [Authentication in Mobile Banking Apps (SCA)](https://developers.wultra.com/products/mobile-security-suite/develop/tutorials/Authentication-in-Mobile-Apps)
-- [Verifying PowerAuth Signatures On The Server](https://developers.wultra.com/products/mobile-security-suite/develop/tutorials/Manual-Signature-Verification)
+- [Mobile-First Authentication in Banking (SCA)](https://developers.wultra.com/tutorials/posts/Mobile-First-Authentication/)
+- [Verifying PowerAuth Signatures On The Server](https://developers.wultra.com/tutorials/posts/Manual-Signature-Verification/)
 
 **Reference Manual**
 

docs/db/changelog/changesets/powerauth-java-server/1.4.x/20230322-init-db.xml

@@ -557,23 +557,6 @@
         </createTable>
     </changeSet>
 
-    <changeSet id="25" logicalFilePath="powerauth-java-server/1.4.x/20230322-init-db.xml" author="Lubos Racansky">
-        <preConditions onFail="MARK_RAN">
-            <not>
-                <tableExists tableName="pa_operation_application"/>
-            </not>
-        </preConditions>
-        <comment>Create a new table pa_operation_application</comment>
-        <createTable tableName="pa_operation_application">
-            <column name="application_id" type="bigint">
-                <constraints primaryKey="true" />
-            </column>
-            <column name="operation_id" type="varchar(255)">
-                <constraints primaryKey="true" />
-            </column>
-        </createTable>
-    </changeSet>
-
     <changeSet id="26" logicalFilePath="powerauth-java-server/1.4.x/20230322-init-db.xml" author="Lubos Racansky">
         <preConditions onFail="MARK_RAN">
             <not>

docs/db/changelog/changesets/powerauth-java-server/1.7.x/20240115-add-columns-fido2.xml

@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ PowerAuth Server and related software components
+  ~ Copyright (C) 2024 Wultra s.r.o.
+  ~
+  ~ This program is free software: you can redistribute it and/or modify
+  ~ it under the terms of the GNU Affero General Public License as published
+  ~ by the Free Software Foundation, either version 3 of the License, or
+  ~ (at your option) any later version.
+  ~
+  ~ This program is distributed in the hope that it will be useful,
+  ~ but WITHOUT ANY WARRANTY; without even the implied warranty of
+  ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  ~ GNU Affero General Public License for more details.
+  ~
+  ~ You should have received a copy of the GNU Affero General Public License
+  ~ along with this program.  If not, see <http://www.gnu.org/licenses/>.
+  -->
+
+<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                   xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-4.9.xsd">
+
+    <changeSet id="1" logicalFilePath="powerauth-java-server/1.7.x/20240115-add-columns-fido2" author="Roman Strobl">
+        <preConditions onFail="MARK_RAN">
+            <not>
+                <columnExists tableName="pa_activation" columnName="external_id"/>
+            </not>
+        </preConditions>
+        <comment>Add external_id column</comment>
+        <addColumn tableName="pa_activation">
+            <column name="external_id" type="varchar(255)" />
+        </addColumn>
+    </changeSet>
+
+    <changeSet id="2" logicalFilePath="powerauth-java-server/1.7.x/20240115-add-columns-fido2" author="Roman Strobl">
+        <preConditions onFail="MARK_RAN">
+            <not>
+                <columnExists tableName="pa_activation" columnName="protocol"/>
+            </not>
+        </preConditions>
+        <comment>Add protocol column</comment>
+        <addColumn tableName="pa_activation">
+            <column name="protocol" type="varchar(32)" defaultValue="powerauth" />
+        </addColumn>
+    </changeSet>
+
+    <changeSet id="3" logicalFilePath="powerauth-java-server/1.7.x/20240115-add-columns-fido2" author="Roman Strobl">
+        <modifyDataType tableName="pa_activation" columnName="extras" newDataType="TEXT"/>
+    </changeSet>
+
+</databaseChangeLog>