Merge branch 'main' into feat/doc

# Conflicts:
#	README.md

README.md

@@ -56,20 +56,35 @@ to [GitHub Packages](https://docs.github.com/en/packages/working-with-a-github-p
 The following steps need to be followed
 
 - Create [PAT](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token) with scopes:
-  - `read:packages` for downloading packages
+    - `read:packages` for downloading packages
 
-#### GitHub Maven
+##### GitHub Maven
 
 - Copy/Augment `~/.m2/settings.xml` with the contents of `settings.xml` present in this repository
-  - Replace `${app.packages.username}` with your github username
-  - Replace `${app.packages.password}` with the generated PAT
+    - Replace `${app.packages.username}` with your github username
+    - Replace `${app.packages.password}` with the generated PAT
 
-### Build
+##### GitHub Docker Registry
 
 - Run `docker login docker.pkg.github.com/eu-digital-green-certificates` before running further docker commands.
-  - Use your GitHub username as username
-  - Use the generated PAT as password
+    - Use your GitHub username as username
+    - Use the generated PAT as password
+
+### Build
+
+Whether you cloned or downloaded the 'zipped' sources you will either find the sources in the chosen checkout-directory or get a zip file with the source code, which you can expand to a folder of your choice.
+
+In either case open a terminal pointing to the directory you put the sources in. The local build process is described afterwards depending on the way you choose.
+
+### Build with maven
+* Check [settings.xml](settings.xml) in root folder and copy the servers to your own `~/.m2/settings.xml` to connect the GitHub repositories we use in our code. Provide your GitHub username and access token (see [GitHub Help](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token)) under the variables suggested.
+* Run `mvn clean package` from the project root folder
+
+### Run with docker
+* Perform maven build as described above
+* Run `docker-compose up` from the project root folder
 
+After all containers have started you will be able to reach the application on your [local machine](http://localhost:8080/dgci/status) under port 8080.
 ## Documentation
 
 The Validation Decorator is a template. To make your own adjustments, the three interfaces `KeyProvider`, `BackendRepository` and `AccessTokenPayloadBuilder` should be implemented.

owasp/suppressions.xml

@@ -29,7 +29,9 @@
     <cve>CVE-2021-22118</cve>
   </suppress>
   <suppress>
-    <!-- tomcat-embed-core-9.0.52.jar : CVE-2020-0822-->
+    <!-- tomcat-embed-core-9.0.52.jar: CVE-2020-0822 -->
 	<cve>CVE-2020-0822</cve>
+	<!-- tomcat-embed-core-9.0.52.jar: CVE-2021-42340 -->
+	<cve>CVE-2021-42340</cve> 
   </suppress>
 </suppressions>

pom.xml

@@ -35,10 +35,7 @@
     	<bcpkix.version>1.68</bcpkix.version>
     	<okhttp.version>4.9.1</okhttp.version>
     	<shedlock.version>4.25.0</shedlock.version>
-        <nimbusds.version>9.9.2</nimbusds.version>
         <dgc.lib.version>1.1.3</dgc.lib.version>
-        <dgc-certlogic.version>0.0.0-3834d93</dgc-certlogic.version>
-        <dgc-decoder.version>0.1</dgc-decoder.version>
         <!-- plugins -->
         <plugin.checkstyle.version>3.1.2</plugin.checkstyle.version>
         <plugin.sonar.version>3.9.0.2155</plugin.sonar.version>
@@ -213,16 +210,6 @@
             <artifactId>spring-security-web</artifactId>
             <version>${spring.security.version}</version><!--$NO-MVN-MAN-VER$-->
         </dependency>
-        <dependency>
-            <groupId>eu.europa.ec.dgc</groupId>
-            <artifactId>dgc-certlogic</artifactId>
-            <version>${dgc-certlogic.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>eu.europa.ec.dgc</groupId>
-            <artifactId>dgc-decoder</artifactId>
-            <version>${dgc-decoder.version}</version>
-        </dependency>
         <dependency>
             <groupId>io.jsonwebtoken</groupId>
             <artifactId>jjwt</artifactId>
@@ -236,11 +223,6 @@
             <groupId>com.sap.hcp.cf.logging</groupId>
             <artifactId>cf-java-logging-support-logback</artifactId>
         </dependency>
-        <dependency>
-            <groupId>com.nimbusds</groupId>
-            <artifactId>nimbus-jose-jwt</artifactId>
-            <version>${nimbusds.version}</version><!--$NO-MVN-MAN-VER$-->
-        </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcpkix-jdk15on</artifactId>

src/main/java/eu/europa/ec/dgc/validation/decorator/config/DccVerificationConfig.java

@@ -20,17 +20,8 @@
 
 package eu.europa.ec.dgc.validation.decorator.config;
 
-import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
-import dgca.verifier.app.decoder.JsonSchemaKt;
-import dgca.verifier.app.engine.AffectedFieldsDataRetriever;
-import dgca.verifier.app.engine.CertLogicEngine;
-import dgca.verifier.app.engine.DefaultAffectedFieldsDataRetriever;
-import dgca.verifier.app.engine.DefaultCertLogicEngine;
-import dgca.verifier.app.engine.DefaultJsonLogicValidator;
-import dgca.verifier.app.engine.JsonLogicValidator;
 import lombok.RequiredArgsConstructor;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -50,22 +41,4 @@ public ObjectMapper objectMapper() {
         objectMapper.registerModule(new JavaTimeModule());
         return objectMapper;
     }
-
-    @Bean
-    public AffectedFieldsDataRetriever affectedFieldsDataRetriever(ObjectMapper objectMapper)
-            throws JsonProcessingException {
-        JsonNode jsonNode = objectMapper.readTree(JsonSchemaKt.JSON_SCHEMA_V1);
-        return new DefaultAffectedFieldsDataRetriever(jsonNode, objectMapper);
-    }
-
-    @Bean
-    public JsonLogicValidator jsonLogicValidator() {
-        return new DefaultJsonLogicValidator();
-    }
-
-    @Bean
-    public CertLogicEngine certLogicEngine(AffectedFieldsDataRetriever affectedFieldsDataRetriever,
-            JsonLogicValidator jsonLogicValidator) {
-        return new DefaultCertLogicEngine(affectedFieldsDataRetriever, jsonLogicValidator);
-    }
 }

src/main/java/eu/europa/ec/dgc/validation/decorator/entity/ValidationServiceIdentityResponse.java

@@ -20,38 +20,40 @@
 
 package eu.europa.ec.dgc.validation.decorator.entity;
 
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import java.util.ArrayList;
 import java.util.List;
 import lombok.Data;
 
 @Data
 public class ValidationServiceIdentityResponse {
-    
+
     private String id;
-    
+
     private List<VerificationMethod> verificationMethod = new ArrayList<>();
-    
+
     @Data
+    @JsonIgnoreProperties(ignoreUnknown = true)
     public static final class VerificationMethod {
-        
+
         private String id;
-        
+
         private String type;
-        
+
         private String controller;
-        
+
         private PublicKeyJwk publicKeyJwk;
     }
-    
+
     @Data
     public static final class PublicKeyJwk {
-        
+
         private String x5c;
-        
+
         private String kid;
-        
+
         private String alg;
-        
+
         private String use;
     }
 }

src/main/java/eu/europa/ec/dgc/validation/decorator/repository/ValidationServiceRepository.java

@@ -64,7 +64,14 @@ public ValidationServiceIdentityResponse identity(final ServiceProperties servic
         log.debug("REST Call to '{}' starting", url);
         final ResponseEntity<ValidationServiceIdentityResponse> response = restTpl
                 .getForEntity(url, ValidationServiceIdentityResponse.class);
-        return response.getBody();
+
+        // Workaround: remove unsupported VerificationMethod
+        final ValidationServiceIdentityResponse resBody = response.getBody();
+        if (resBody.getVerificationMethod() != null) {
+            resBody.getVerificationMethod().removeIf(method -> method.getPublicKeyJwk() == null);    
+        }
+
+        return resBody;
     }
 
     /**

src/main/java/eu/europa/ec/dgc/validation/decorator/service/AccessTokenPayloadBuilderImpl.java

@@ -50,9 +50,9 @@ public AccessTokenPayload build(
             final SubjectResponse subjectResponse,
             final OccurrenceInfoResponse occurrenceInfo) {
         final AccessTokenConditions accessTokenConditions = new AccessTokenConditions();
-        accessTokenConditions.setLang(occurrenceInfo.getLanguage());
-        accessTokenConditions.setFnt(subjectResponse.getForename());
-        accessTokenConditions.setGnt(subjectResponse.getLastname());
+        accessTokenConditions.setLang(occurrenceInfo.getLanguage());        
+        accessTokenConditions.setGnt(subjectResponse.getForename());
+        accessTokenConditions.setFnt(subjectResponse.getLastname());
         accessTokenConditions.setCoa(occurrenceInfo.getCountryOfArrival());
         accessTokenConditions.setCod(occurrenceInfo.getCountryOfDeparture());
         accessTokenConditions.setRoa(occurrenceInfo.getRegionOfArrival());
@@ -62,9 +62,10 @@ public AccessTokenPayload build(
         accessTokenConditions.setDob(this.parseBirthDay(subjectResponse.getBirthDate()));
 
         final OffsetDateTime departureTime = occurrenceInfo.getDepartureTime();
-        accessTokenConditions.setValidFrom(departureTime.format(FORMATTER));
-        accessTokenConditions.setValidationClock(occurrenceInfo.getArrivalTime().format(FORMATTER));
-        accessTokenConditions.setValidTo(departureTime.plusDays(2).format(FORMATTER));
+        final OffsetDateTime arrivalTime = occurrenceInfo.getArrivalTime();
+        accessTokenConditions.setValidFrom(departureTime.format(FORMATTER));        
+        accessTokenConditions.setValidationClock(arrivalTime.format(FORMATTER));
+        accessTokenConditions.setValidTo(arrivalTime.format(FORMATTER));
 
         final AccessTokenPayload accessTokenPayload = new AccessTokenPayload();
         accessTokenPayload.setJti(subjectResponse.getJti());