Release eumw-3.3.0

.hgignore

@@ -9,8 +9,11 @@ target$
 .rej$
 .log$
 .iml
+databasemigration/config$
+databasemigration/doc/build$
 doc/_build$
 eidas-demo/config$
+eidas-middleware/block-list-data
 eidas-middleware/config$
 .envrc
 

.hgtags

@@ -103,3 +103,8 @@ e3145707b105cce63259d183e2ec70bc1f9f96e8 eumw-3.2.0-BPR-TEST
 f001469fa9675ee204d1714f2288b3c0ad1a03db eumw-3.2.0-BPRTEST2
 a307cf05c48d525548123ae0961968a96224e9d4 eumw-3.2.0-RC1
 10b8ac1a45568277afa57411fc6466ec30368fa3 eumw-3.2.0-RC2
+a21c7b56c9056412994d52d73b66117ca5b77d96 eumw-3.2.0
+7cb8bcc8e863f3bf1b4d721ad9a694833df0c664 eumw-3.3.0-RC1
+e291572a5ba1f664391ca2aea0c7c8b90218a567 eumw-3.3.0-RC2
+110069405608a1282c3c4a3a1deeda1e228ef494 eumw-3.3.0-RC3
+7417c15517dbc8b820751fd5f29f8f6d9177cde5 eumw-3.3.0-RC4

configuration-migration/pom.xml

@@ -3,7 +3,7 @@
     <parent>
         <artifactId>eumw</artifactId>
         <groupId>de.governikus.eumw</groupId>
-        <version>3.2.0</version>
+        <version>3.3.0</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

configuration-migration/src/main/java/de/governikus/eumw/configuration/migration/service/ConfigurationMigrationService.java

@@ -378,7 +378,6 @@ private DvcaConfigurationType createNewDvcaConf(PkiConnectorConfigurationDto pki
     UriComponents url = UriComponentsBuilder.fromHttpUrl(pkiConf.getPassiveAuthService().getUrl()).build();
     newDvcaConfiguration.setName(url.getHost());
     newDvcaConfiguration.setPassiveAuthServiceUrl(pkiConf.getPassiveAuthService().getUrl());
-    newDvcaConfiguration.setDvcaCertificateDescriptionServiceUrl(pkiConf.getDvcaCertDescriptionService().getUrl());
 
     String restrictedIdUrl = pkiConf.getRestrictedIdService().getUrl();
     if (StringUtils.startsWith(restrictedIdUrl, "https://berca-p1.d-trust.net/ps/dvsd_v2"))
@@ -452,9 +451,6 @@ private boolean isSameDvcaConf(PkiConnectorConfigurationDto pkiConf, DvcaConfigu
   {
     return pkiConf.getPassiveAuthService().getUrl().equals(dvcaConfigurationType.getPassiveAuthServiceUrl())
            && pkiConf.getTerminalAuthService().getUrl().equals(dvcaConfigurationType.getTerminalAuthServiceUrl())
-           && pkiConf.getDvcaCertDescriptionService()
-                     .getUrl()
-                     .equals(dvcaConfigurationType.getDvcaCertificateDescriptionServiceUrl())
            && pkiConf.getRestrictedIdService().getUrl().equals(dvcaConfigurationType.getRestrictedIdServiceUrl());
   }
 

configuration-migration/src/test/java/de/governikus/eumw/configuration/migration/service/ConfigurationMigrationServiceTest.java

@@ -262,7 +262,6 @@ private void assertDvca(List<DvcaConfigurationType> dvcaConfigurationList,
     Assertions.assertEquals(terminalAuthUrl, dvca.get(0).getTerminalAuthServiceUrl());
     Assertions.assertEquals(restrictedIdUrl, dvca.get(0).getRestrictedIdServiceUrl());
     Assertions.assertEquals(passiveAuthUrl, dvca.get(0).getPassiveAuthServiceUrl());
-    Assertions.assertEquals(certDescUrl, dvca.get(0).getDvcaCertificateDescriptionServiceUrl());
     Assertions.assertEquals(name + BLACK_LIST_TRUST_ANCHOR, dvca.get(0).getBlackListTrustAnchorCertificateName());
     Assertions.assertEquals(name + MASTER_LIST_TRUST_ANCHOR, dvca.get(0).getMasterListTrustAnchorCertificateName());
     Assertions.assertEquals(name + SERVER_CERTIFICATE, dvca.get(0).getServerSSLCertificateName());

databasemigration/doc/Makefile

@@ -0,0 +1,20 @@
+# Minimal makefile for Sphinx documentation
+#
+
+# You can set these variables from the command line, and also
+# from the environment for the first two.
+SPHINXOPTS    ?=
+SPHINXBUILD   ?= sphinx-build
+SOURCEDIR     = source
+BUILDDIR      = build
+
+# Put it first so that "make" without argument is like "make help".
+help:
+	@$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
+
+.PHONY: help Makefile
+
+# Catch-all target: route all unknown targets to Sphinx using the new
+# "make mode" option.  $(O) is meant as a shortcut for $(SPHINXOPTS).
+%: Makefile
+	@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)

databasemigration/doc/make.bat

@@ -0,0 +1,35 @@
+@ECHO OFF
+
+pushd %~dp0
+
+REM Command file for Sphinx documentation
+
+if "%SPHINXBUILD%" == "" (
+	set SPHINXBUILD=sphinx-build
+)
+set SOURCEDIR=source
+set BUILDDIR=build
+
+%SPHINXBUILD% >NUL 2>NUL
+if errorlevel 9009 (
+	echo.
+	echo.The 'sphinx-build' command was not found. Make sure you have Sphinx
+	echo.installed, then set the SPHINXBUILD environment variable to point
+	echo.to the full path of the 'sphinx-build' executable. Alternatively you
+	echo.may add the Sphinx directory to PATH.
+	echo.
+	echo.If you don't have Sphinx installed, grab it from
+	echo.https://www.sphinx-doc.org/
+	exit /b 1
+)
+
+if "%1" == "" goto help
+
+%SPHINXBUILD% -M %1 %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O%
+goto end
+
+:help
+%SPHINXBUILD% -M help %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O%
+
+:end
+popd

databasemigration/doc/source/chapter/Image.rst

@@ -0,0 +1,111 @@
+.. _image:
+
+Migrating using Docker Image
+============================
+
+This section describes the migration process for eIDAS Middleware deployments where the Docker Image is used.
+
+Run the Migration Tool
+----------------------
+
+The Migration Tool must be configured for the old and new database. In case of the Docker Image, this is done using
+volumes and environment variables.
+
+First, you must define the mounts for the old and new database. There are two directories prepared in the Docker Image
+to mount the database directories: `/opt/eidas-middleware/database-migration/h2` and
+`/opt/eidas-middleware/database-migration/hsql`.
+
+The parameter for mounting a volume in docker is "-v". Here are two examples for different mounting options. Choose
+the appropriate option for you local deployment.
+
+To mount an existing named volume, in this example to the h2 directory: ::
+
+    docker run -v <your_named_volume>:/opt/eidas-middleware/database-migration/h2 [...]
+
+To mount a directory from the host machine, in this example to the h2 directory: ::
+
+    docker run -v /path/on/the/host:/opt/eidas-middleware/database-migration/h2 [...]
+
+Secondly, after the mounts for the old and new database are prepared, the configuration for the Migration Tool can be
+specified using environment variables. These environment variables must be specified: ::
+
+    H2_DATASOURCE_URL=jdbc:h2:file:/opt/eidas-middleware/database-migration/h2/<database-name>;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE
+    H2_DATASOURCE_USERNAME=<username>
+    H2_DATASOURCE_PASSWORD=<password>
+    HSQL_DATASOURCE_URL=jdbc:hsqldb:file:/opt/eidas-middleware/database-migration/hsql/<database-name>
+    HSQL_DATASOURCE_USERNAME=<username>
+    HSQL_DATASOURCE_PASSWORD=<password>
+
+In case the recommended mount paths are used, only the `database-name`, `username` and `password` for both the old and
+the new database must be adapted to your local deployment. If another mount path inside of the container is used, the
+path of the `DATASOURCE_URL` must be adapted as well.
+
+This is an example with all necessary parameters to execute the Migration Tool: ::
+
+    docker run --rm \
+        -v middleware-h2-database:/opt/eidas-middleware/database-migration/h2 \
+        -v middleware-hsql-database:/opt/eidas-middleware/database-migration/hsql \
+        -e H2_DATASOURCE_URL=jdbc:h2:file:/opt/eidas-middleware/database-migration/h2/eumw-db;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE \
+        -e H2_DATASOURCE_USERNAME=<username> \
+        -e H2_DATASOURCE_PASSWORD=<password> \
+        -e HSQL_DATASOURCE_URL=jdbc:hsqldb:file:/opt/eidas-middleware/database-migration/hsql/eumw-db; \
+        -e HSQL_DATASOURCE_USERNAME=<username> \
+        -e HSQL_DATASOURCE_PASSWORD=<password> \
+        governikus/eidas-middleware-databasemigration:3.3.0
+
+
+Before running the Migration Tool, please stop the eIDAS Middleware to prevent data inconsistencies.
+
+The migration tool does not delete or modify data in the old 'H2' database. In case the migration was not successful,
+you can start the old eIDAS Middleware again.
+
+The tool should exit without errors. In case the tool did encounter a problem and did not exit cleanly, please
+contact the eIDAS Middleware support at Governikus with the log from the Migration Tool.
+
+Prepare and start the eIDAS Middleware Configuration
+----------------------------------------------------
+
+The database configuration of the eIDAS Middleware must be updated to use the new 'HSQL' database. Therefore, make the
+following changes in the `application.properties` of the eIDAS Middleware: ::
+
+    # Old H2 database configuration which should be deleted:
+    spring.datasource.url=jdbc:h2:file:/path/to/your/h2-database;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE
+    spring.datasource.username=<username>
+    spring.datasource.password=<password>
+
+    # The new HSQL database configuration:
+    spring.datasource.url=jdbc:hsqldb:file:/path/to/your/hsql-database
+    spring.datasource.username=<username>
+    spring.datasource.password=<password>
+
+The values of the HSQL database environment variables of the Migration Tool may be reused for these properties.
+In case the same mount point for the volume of the 'HSQL' database is used as during the migration, the same URL can be
+used for this deployment. Otherwise, adapt the URL to your local deployment.
+
+Afterwards, you can start the eIDAS Middleware application.
+
+With version 3.3.0 of the eIDAS Middleware, a newer API version of the DVCA interface is used. This version is available
+at different endpoints, which means that the DVCA configuration must be updated for the new version.
+
+For eIDAS Middlewares in test environments: ::
+
+    Terminal Authentication service URL
+    Old: https://dvca-r1.governikus-eid.de/gov_dvca/ta-service
+    New: https://dvca-r1.governikus-eid.de/gov_dvca/ta-service-140
+
+    Passive Authentication service URL
+    Old: https://dvca-r1.governikus-eid.de/gov_dvca/pa-service
+    New: https://dvca-r1.governikus-eid.de/gov_dvca/pa-service-140
+
+For eIDAS Middlewares in productive environments: ::
+
+    Terminal Authentication service URL
+    Old: https://berca-p1.d-trust.net/ps/dvca-at/v1_1
+    New: https://berca-p1.d-trust.net/ps/dvca-at/v1_4
+
+    Passive Authentication service URL
+    Old: https://berca-p1.d-trust.net/ps/scs/v1_1
+    New: https://berca-p1.d-trust.net/ps/scs/v1_4
+
+After this change, the connection to the DVCA should be working again, which can be verified by manually renewing
+the CVC and renewing the Master and Defect List.

databasemigration/doc/source/chapter/Jar.rst

@@ -0,0 +1,87 @@
+.. _jar:
+
+Migrating using the JAR file
+============================
+
+This section describes the migration process for eIDAS Middleware deployments where the JAR is directly used, e.g.
+when you are using the OVA image or you have deployed the eIDAS Middleware on any virtual machine.
+
+Setup the applications.properties
+---------------------------------
+
+The Migration Tool must be configured for the old and new database. Please see the following example, which must be
+adapted to your local deployment:
+
+.. literalinclude:: application.properties
+
+This file should be created in the working directory of the Migration Tool, typically in the same directory as the
+Migration Tool JAR file.
+
+The values for the 'H2' database can be copied from the `application.properties` of your eIDAS Middleware deployment,
+the property names however are slightly different in the Migration Tool.
+We suggest to define a new directory for the 'HSQL' database. The directory should be empty and will be created if
+necessary.
+
+Run the Migration Tool
+----------------------
+
+Before running the Migration Tool, please stop the eIDAS Middleware to prevent data inconsistencies.
+
+The migration tool does not delete or modify data in the old 'H2' database. In case the migration was not successful,
+you can start the old eIDAS Middleware again.
+
+To run the Migration Tool, execute the following command from the directory where the Migration Tool JAR file is stored.
+Please make sure that the application.properties for the Migration Tool is stored in the same directory.
+
+::
+
+    java -jar database-migration-3.3.0.jar
+
+The tool should exit without errors. In case the tool did encounter a problem and did not exit cleanly, please
+contact the eIDAS Middleware support at Governikus with the log from the Migration Tool.
+
+Prepare and start the eIDAS Middleware Configuration
+----------------------------------------------------
+
+The database configuration of the eIDAS Middleware must be updated to use the new 'HSQL' database. Therefore, make the
+following changes in the `application.properties` of the eIDAS Middleware: ::
+
+    # Old H2 database configuration which should be deleted:
+    spring.datasource.url=jdbc:h2:file:/path/to/your/h2-database;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE
+    spring.datasource.username=<username>
+    spring.datasource.password=<password>
+
+    # The new HSQL database configuration:
+    spring.datasource.url=jdbc:hsqldb:file:/path/to/your/hsql-database
+    spring.datasource.username=<username>
+    spring.datasource.password=<password>
+
+The values for the HSQL database can be copied from the `application.properties` of the Migration Tool.
+
+Afterwards, you can start the eIDAS Middleware application.
+
+With version 3.3.0 of the eIDAS Middleware, a newer API version of the DVCA interface is used. This version is available
+at different endpoints, which means that the DVCA configuration must be updated for the new version.
+
+For eIDAS Middlewares in test environments: ::
+
+    Terminal Authentication service URL
+    Old: https://dvca-r1.governikus-eid.de/gov_dvca/ta-service
+    New: https://dvca-r1.governikus-eid.de/gov_dvca/ta-service-140
+
+    Passive Authentication service URL
+    Old: https://dvca-r1.governikus-eid.de/gov_dvca/pa-service
+    New: https://dvca-r1.governikus-eid.de/gov_dvca/pa-service-140
+
+For eIDAS Middlewares in productive environments: ::
+
+    Terminal Authentication service URL
+    Old: https://berca-p1.d-trust.net/ps/dvca-at/v1_1
+    New: https://berca-p1.d-trust.net/ps/dvca-at/v1_4
+
+    Passive Authentication service URL
+    Old: https://berca-p1.d-trust.net/ps/scs/v1_1
+    New: https://berca-p1.d-trust.net/ps/scs/v1_4
+
+After this change, the connection to the DVCA should be working again, which can be verified by manually renewing
+the CVC and renewing the Master and Defect List.

databasemigration/doc/source/chapter/Overview.rst

@@ -0,0 +1,18 @@
+====================================
+Overview
+====================================
+In version 3.3.0 of the eIDAS Middleware, the used database changes from 'H2' to 'HSQL'.
+A migration tool is provided to migrate the data from an old 'H2' database to a new 'HSQL' database.
+
+There are two options for the usage of the Migration Tool, depending on the type of deployment of your eIDAS Middleware.
+
+#. Executable JAR file for JAR deployments of the eIDAS Middleware
+#. Docker Image for Docker deployments of the eIDAS Middleware
+
+The following documentation will provide guidance for both options.
+
+The migration is tested and supported for versions 3.0.x, 3.1.x and 3.2.x to 3.3.0. Older versions are not officially
+supported.
+
+:ref:`jar` describes the migration with the Executable JAR file, while :ref:`image` describes the Docker Image
+migration.

databasemigration/config/application.properties → databasemigration/doc/source/chapter/application.properties

@@ -8,13 +8,13 @@
 # limitations under the Licence.
 #
 
-# datasource
-spring.datasource.url=jdbc:h2:file:/tmp/eidasmw;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE
-spring.datasource.username=root
-spring.datasource.password=fallturm
-spring.datasource.driver-class-name=org.h2.Driver
-spring.jpa.database-platform=org.hibernate.dialect.H2Dialect
-spring.jpa.hibernate.ddl-auto=update
-spring.jpa.hibernate.naming.implicit-strategy=org.hibernate.boot.model.naming.ImplicitNamingStrategyLegacyJpaImpl
-spring.jpa.hibernate.naming.physical-strategy=org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl
+# H2 Database
+h2.datasource.url=jdbc:h2:file:/opt/eidas-middleware/database/eidas-middleware-db;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE;IFEXISTS=TRUE
+h2.datasource.username=<username>
+h2.datasource.password=<password>
+
+# HSQL Database
+hsql.datasource.url=jdbc:hsqldb:file:/opt/eidas-middleware/database/eidas-middleware-db;DB_CLOSE_DELAY=-1
+hsql.datasource.username=<username>
+hsql.datasource.password=<password>