Merge pull request #42 from mosip/develop

[INJICERT-37] move develop changes to release branch

.github/workflows/push-trigger.yml

@@ -20,7 +20,7 @@ on:
       - develop
       - MOSIP*
       - release*
-      - INJICERT-13
+      - INJICERT-*
 
 jobs:
   build-maven-inji-certify:

certify-core/pom.xml

@@ -30,10 +30,28 @@
             <artifactId>commons-validator</artifactId>
             <version>${commons.validator.version}</version>
         </dependency>
+        <dependency>
+            <groupId>com.google.guava</groupId>
+            <artifactId>guava</artifactId>
+            <version>${google.guava.version}</version>
+        </dependency>
         <dependency>
             <groupId>io.mosip.certify</groupId>
             <artifactId>certify-integration-api</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>
+            <groupId>com.h2database</groupId>
+            <artifactId>h2</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-data-redis</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-cache</artifactId>
+        </dependency>
     </dependencies>
 </project>

certify-core/src/main/java/io/mosip/certify/core/config/RedisCacheConfig.java

@@ -0,0 +1,40 @@
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+package io.mosip.certify.core.config;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.autoconfigure.cache.RedisCacheManagerBuilderCustomizer;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.data.redis.cache.RedisCacheConfiguration;
+
+import java.time.Duration;
+import java.util.HashMap;
+import java.util.Map;
+
+
+@ConditionalOnProperty(value = "spring.cache.type", havingValue = "redis")
+@Configuration
+public class RedisCacheConfig {
+
+    @Value("#{${mosip.certify.cache.expire-in-seconds}}")
+    private Map<String, Integer> cacheNamesWithTTLMap;
+
+    @Bean
+    public RedisCacheManagerBuilderCustomizer redisCacheManagerBuilderCustomizer() {
+        return (builder) -> {
+            Map<String, RedisCacheConfiguration> configurationMap = new HashMap<>();
+            cacheNamesWithTTLMap.forEach((cacheName, ttl) -> {
+                configurationMap.put(cacheName, RedisCacheConfiguration
+                                .defaultCacheConfig()
+                                    .disableCachingNullValues()
+                                    .entryTtl(Duration.ofSeconds(ttl)));
+            });
+            builder.withInitialCacheConfigurations(configurationMap);
+        };
+    }
+}

certify-core/src/main/java/io/mosip/certify/core/config/SimpleCacheConfig.java

@@ -0,0 +1,58 @@
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+package io.mosip.certify.core.config;
+
+import com.google.common.cache.CacheBuilder;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.cache.Cache;
+import org.springframework.cache.CacheManager;
+import org.springframework.cache.annotation.CachingConfigurerSupport;
+import org.springframework.cache.concurrent.ConcurrentMapCache;
+import org.springframework.cache.support.SimpleCacheManager;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.TimeUnit;
+
+@ConditionalOnProperty(value = "spring.cache.type", havingValue = "simple")
+@Configuration
+public class SimpleCacheConfig extends CachingConfigurerSupport {
+
+    @Value("${mosip.certify.cache.names}")
+    private List<String> cacheNames;
+
+    @Value("#{${mosip.certify.cache.size}}")
+    private Map<String, Integer> cacheMaxSize;
+
+    @Value("#{${mosip.certify.cache.expire-in-seconds}}")
+    private Map<String, Integer> cacheExpireInSeconds;
+
+
+    @Bean
+    @Override
+    public CacheManager cacheManager() {
+        SimpleCacheManager cacheManager = new SimpleCacheManager();
+        List<Cache> caches = new ArrayList<>();
+        for(String name : cacheNames) {
+            caches.add(buildMapCache(name));
+        }
+        cacheManager.setCaches(caches);
+        return cacheManager;
+    }
+
+    private ConcurrentMapCache buildMapCache(String name) {
+        return new ConcurrentMapCache(name,
+                CacheBuilder.newBuilder()
+                        .expireAfterWrite(cacheExpireInSeconds.getOrDefault(name, 60), TimeUnit.SECONDS)
+                        .maximumSize(cacheMaxSize.getOrDefault(name, 100))
+                        .build()
+                        .asMap(), true);
+    }
+}

certify-core/src/main/java/io/mosip/certify/core/constants/Constants.java

@@ -13,4 +13,7 @@ public class Constants {
     public static final String C_NONCE = "c_nonce";
     public static final String C_NONCE_EXPIRES_IN = "c_nonce_expires_in";
     public static final String CLIENT_ID = "client_id";
+    public static final String CERTIFY_PARTNER_APP_ID = "CERTIFY_PARTNER";
+    public static final String CERTIFY_SERVICE_APP_ID = "CERTIFY_SERVICE";
+    public static final String ROOT_KEY = "ROOT";
 }

certify-core/src/main/java/io/mosip/certify/core/util/AuditHelper.java

@@ -9,6 +9,14 @@
 
 public class AuditHelper {
 
+    public static AuditDTO buildAuditDto(String clientId) {
+        AuditDTO auditDTO = new AuditDTO();
+        auditDTO.setClientId(clientId);
+        auditDTO.setTransactionId(clientId);
+        auditDTO.setIdType("ClientId");
+        return auditDTO;
+    }
+
     public static AuditDTO buildAuditDto(String transactionId, String idType) {
         AuditDTO auditDTO = new AuditDTO();
         auditDTO.setTransactionId(transactionId);

certify-integration-api/src/main/java/io/mosip/certify/api/dto/AuditDTO.java

@@ -13,5 +13,6 @@
 public class AuditDTO {
 
     String transactionId;
+    String clientId;
     String idType;
 }

certify-service/Dockerfile

@@ -1,4 +1,4 @@
-FROM eclipse-temurin:21-jre-alpine
+FROM eclipse-temurin:21-jre
 
 ARG SOURCE
 ARG COMMIT_HASH
@@ -24,6 +24,12 @@ ARG is_glowroot
 # can be passed during Docker build as build time environment for artifactory URL
 ARG artifactory_url
 
+# can be passed during Docker build as build time environment for hsm client zip file path
+ARG hsm_client_zip_path
+
+# environment variable to pass hsm client zip file path, at docker runtime
+ENV hsm_zip_file_path=${hsm_client_zip_path}
+
 # environment variable to pass active profile such as DEV, QA etc at docker runtime
 ENV active_profile_env=${active_profile}
 
@@ -42,6 +48,9 @@ ENV artifactory_url_env=${artifactory_url}
 # environment variable for certify artifactory plugins to pass at docker run time
 ENV enable_certify_artifactory="true"
 
+# environment variable for downloading hsm client in certify, to pass at docker run time
+ENV download_hsm_client="true"
+
 # can be passed during Docker build as build time environment for github branch to pickup configuration from.
 ARG container_user=mosip
 
@@ -55,13 +64,18 @@ ARG container_user_uid=1001
 ARG container_user_gid=1001
 
 
+ARG hsm_local_dir=hsm-client
+
+ENV hsm_local_dir_name=${hsm_local_dir}
+
 # install packages and create user
-RUN apk -q update \
-&& apk add -q unzip sudo bash curl \
-&& addgroup -g ${container_user_gid} ${container_user_group} \
-&& adduser -s /bin/sh -u ${container_user_uid} -G ${container_user_group} -h /home/${container_user} --disabled-password ${container_user}
+RUN apt-get -y update \
+&& apt-get install -y unzip sudo\
+&& groupadd -g ${container_user_gid} ${container_user_group} \
+&& useradd -u ${container_user_uid} -g ${container_user_group} -s /bin/sh -m ${container_user} \
+&& adduser ${container_user} sudo \
+&& echo "%sudo ALL=(ALL) NOPASSWD:/home/${container_user}/${hsm_local_dir}/install.sh" >> /etc/sudoers
 
-RUN id -u ${container_user}
 # set working directory for the user
 WORKDIR /home/${container_user}
 
@@ -77,6 +91,8 @@ ADD configure_start.sh configure_start.sh
 
 RUN chmod +x configure_start.sh
 
+RUN chmod a-w /home/${container_user}/configure_start.sh
+
 COPY ./target/certify-service-*.jar certify-service.jar
 
 # change permissions of file inside working dir

certify-service/configure_start.sh

@@ -5,28 +5,66 @@ set -e
 download_and_extract() {
   local url=$1
   local dest_dir=$2
-  shift 2
-  local files_to_extract=("$@")
   local temp_zip=$(mktemp)
 
   wget -q "$url" -O "$temp_zip"
 
-  for file in "${files_to_extract[@]}"; do
-    unzip -o -j "$temp_zip" "$file" -d "$dest_dir"
+  echo "Installation of plugins started"
+  local files=$(unzip -l "$temp_zip" | awk 'NR>3 {print $4}' | sed '$d')
+
+  unzip -o -j "$temp_zip" -d "$dest_dir"
+
+  for file in $files; do
+    echo "Extracted file $file"
   done
 
+  echo "Installation of plugins completed"
+
   rm -f "$temp_zip"
 }
 
-#if [ "$enable_esignet_artifactory" = "true" ]; then
-#  download_and_extract "${artifactory_url_env}/artifactory/libs-release-local/esignet/esignet-wrapper.zip" "${loader_path_env}" "esignet-mock-wrapper.jar" "sunbird-rc-esignet-integration-impl.jar"
-#fi
-
 if [ "$enable_certify_artifactory" = "true" ]; then
-  download_and_extract "${artifactory_url_env}/artifactory/libs-release-local/certify/certify-plugin.zip" "${loader_path_env}" "certify-sunbird-plugin.jar"
+  download_and_extract "${artifactory_url_env}/artifactory/libs-release-local/certify/certify-plugin.zip" "${loader_path_env}"
 fi
 
-echo "Installation complete"
+#installs the pkcs11 libraries.
+if [ "$download_hsm_client" = "true" ]; then
+  set -e
+
+  DEFAULT_ZIP_PATH=artifactory/libs-release-local/hsm/client-21.zip
+  [ -z "$hsm_zip_file_path" ] && zip_path="$DEFAULT_ZIP_PATH" || zip_path="$hsm_zip_file_path"
+
+  echo "Download the client from $artifactory_url_env"
+  echo "Zip File Path: $zip_path"
+
+  wget -q "$artifactory_url_env/$zip_path"
+  echo "Downloaded $artifactory_url_env/$zip_path"
+
+  FILE_NAME=${zip_path##*/}
+
+  DIR_NAME=$hsm_local_dir_name
+
+  has_parent=$(zipinfo -1 "$FILE_NAME" | awk '{split($NF,a,"/");print a[1]}' | sort -u | wc -l)
+  if test "$has_parent" -eq 1; then
+    echo "Zip has a parent directory inside"
+    dirname=$(zipinfo -1 "$FILE_NAME" | awk '{split($NF,a,"/");print a[1]}' | sort -u | head -n 1)
+    echo "Unzip directory"
+    unzip $FILE_NAME
+    echo "Renaming directory"
+    mv -v $dirname $DIR_NAME
+  else
+    echo "Zip has no parent directory inside"
+    echo "Creating destination directory"
+    mkdir "$DIR_NAME"
+    echo "Unzip to destination directory"
+    unzip -d "$DIR_NAME" $FILE_NAME
+  fi
+
+  echo "Attempting to install"
+  cd ./$DIR_NAME && chmod +x install.sh && sudo ./install.sh
+
+  echo "Installation complete"
+fi
 cd $work_dir
 
 exec "$@"

certify-service/pom.xml

@@ -36,7 +36,32 @@
             <groupId>org.springframework.cloud</groupId>
             <artifactId>spring-cloud-starter-bootstrap</artifactId>
         </dependency>
-
+        <dependency>
+            <groupId>org.postgresql</groupId>
+            <artifactId>postgresql</artifactId>
+            <scope>runtime</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.mosip.kernel</groupId>
+            <artifactId>kernel-keymanager-service</artifactId>
+            <version>1.2.1-java21-SNAPSHOT</version>
+            <classifier>lib</classifier>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.springframework.cloud</groupId>
+                    <artifactId>spring-cloud-starter-sleuth</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.springframework.security</groupId>
+                    <artifactId>spring-security-test</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>info.weboftrust</groupId>
+            <artifactId>ld-signatures-java</artifactId>
+            <version>1.0.0</version>
+        </dependency>
     </dependencies>
 
     <build>

certify-service/src/main/java/io/mosip/certify/CertifyServiceApplication.java

@@ -14,6 +14,20 @@
 @EnableAsync
 @EnableCaching
 @SpringBootApplication(scanBasePackages = "io.mosip.certify,"+
+        "io.mosip.kernel.crypto," +
+        "io.mosip.kernel.keymanager.hsm," +
+        "io.mosip.kernel.cryptomanager.util," +
+        "io.mosip.kernel.keymanagerservice.helper," +
+        "io.mosip.kernel.keymanagerservice.repository," +
+        "io.mosip.kernel.keymanagerservice.service," +
+        "io.mosip.kernel.keymanagerservice.util," +
+        "io.mosip.kernel.keygenerator.bouncycastle," +
+        "io.mosip.kernel.signature.service," +
+        "io.mosip.kernel.pdfgenerator.itext.impl,"+
+        "io.mosip.kernel.partnercertservice.service," +
+        "io.mosip.kernel.keymanagerservice.repository,"+
+        "io.mosip.kernel.keymanagerservice.entity,"+
+        "io.mosip.kernel.partnercertservice.helper," +
         "${mosip.certify.integration.scan-base-package}")
 public class CertifyServiceApplication {
     public static void main(String[] args) {