This repository has been archived by the owner on May 16, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 12
/
application.yaml
145 lines (141 loc) · 7.26 KB
/
application.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
---
spring:
flyway:
enabled: true
locations: classpath:/db/migration
schemas: data_donation
# Postgres configuration
datasource:
driver-class-name: org.postgresql.Driver
url: jdbc:postgresql://${POSTGRESQL_SERVICE_HOST}:${POSTGRESQL_SERVICE_PORT}/${POSTGRESQL_DATABASE}
username: postgres
password: postgres
hikari:
schema: data_donation
server:
shutdown: graceful
ssl:
enabled: true
enabled-protocols: TLSv1.2+TLSv1.3
protocol: TLS
ciphers: >-
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_AES_128_CCM_SHA256
key-password: ${SSL_DATA_KEYSTORE_PASSWORD}
key-store: ${SSL_DATA_KEYSTORE_PATH}
key-store-password: ${SSL_DATA_KEYSTORE_PASSWORD}
key-store-provider: SUN
key-store-type: JKS
# Actuator configuration
management:
server:
port: 8081
endpoints:
web:
exposure:
include: metrics, prometheus, health
endpoint:
metrics:
enabled: true
prometheus:
enabled: true
health:
group:
readiness:
include: db
show-details: always
probes:
enabled: true
metrics:
export:
prometheus:
enabled: true
# PpacConfiguration.java
ppac:
otp-validity-in-hours: ${PPAC_OTP_VALIDITY_IN_HOURS:1}
srs-time-between-submissions-in-days: ${SRS_TIME_BETWEEN_SUBMISSIONS_IN_DAYS:90}
srs-otp-validity-in-minutes: ${SRS_OTP_VALIDITY_IN_MINUTES:30}
# The maximum number of exposure windows to store per submission. (672 = 24 hours per day * 0,5 hours per Exposure Window * 14 days)
max-exposure-windows-to-store: ${PPAC_MAX_EXPOSURE_WINDOWS_TO_STORE:672}
# The maximum number of exposure windows per submission before a request is rejected. (2688 = 4 x 672)
max-exposure-windows-to-reject-submission: ${PPAC_MAX_EXPOSURE_WINDOWS_TO_REJECT_SUBMISSION:2688}
# The initial value of the moving average for fake request delays.
initial-fake-delay-milliseconds: 10
# The number of samples for the calculation of the moving average for fake request delays.
fake-delay-moving-average-samples: 10
# The batch size (number of requests) to use for monitoring request count.
monitoring-batch-size: 5
ios:
missing-or-incorrectly-formatted-device-token-payload: Missing or incorrectly formatted device token payload
ppac-ios-jwt-key-id: ${PPAC_IOS_JWT_KEY_ID}
ppac-ios-jwt-signing-key: ${PPAC_IOS_JWT_SIGNING_KEY}
ppac-ios-jwt-team-id: ${PPAC_IOS_JWT_TEAM_ID}
device-api-url: ${APPLE_DEVICE_API_URL:https://api.devicecheck.apple.com/v1}
min_device_token_length: ${PPAC_IOS_DEVICE_TOKEN_MIN_LENGTH:2500}
max_device_token_length: ${PPAC_IOS_DEVICE_TOKEN_MAX_LENGTH:3500}
api-token-rate-limit-seconds: ${PPAC_IOS_API_TOKEN_RATE_LIMIT_SECONDS:86100}
android:
certificate-hostname: ${PPAC_ANDROID_CERTIFICATE_HOSTNAME:attest.android.com}
attestation-validity: ${PPAC_ANDROID_ATTESTATION_VALIDITY_IN_SECONDS:7200}
allowed-apk-package-names: ${PPAC_ANDROID_ALLOWED_APK_PACKAGE_NAMES:de.rki.coronawarnapp}
allowed-apk-certificate-digests: ${PPAC_ANDROID_ALLOWED_APK_CERTIFICATE_DIGESTS:Dday+17d9vY5YtsnHu1+9QTHd9l3LUhEcqzweVOe5zk=}
disable-apk-certificate-digests-check: ${DISABLE_APK_CERTIFICATE_DIGESTS_CHECK:false}
disable-nonce-check: ${DISABLE_NONCE_CHECK:false}
android-id-pepper: ${ANDROID_ID_PEPPER:bd8e720977960a3f2c5f844bbed2ca0a}
otp:
# True to require basicIntegrity for PPAC to pass, false otherwise.
require-basic-integrity: ${ANDROID_OTP_REQUIRE_BASIC_INTEGRITY:false}
# True to require ctsProfileMatch for PPAC to pass, false otherwise.
require-cts-profile-match: ${ANDROID_OTP_REQUIRE_CTS_PROFILE_MATCH:false}
# True to require evaluationType to contain BASIC for PPAC to pass, false otherwise.
require-evaluation-type-basic: ${ANDROID_OTP_REQUIRE_EVALUATION_TYPE_BASIC:false}
# True to require evaluationType to contain HARDWARE_BACKED for PPAC to pass, false otherwise.
require-evaluation-type-hardware-backed: ${ANDROID_OTP_REQUIRE_EVALUATION_TYPE_HARDWARE_BACKED:false}
# True to require android ID syntax check
require-android-id-syntax-check: ${ANDROID_OTP_REQUIRE_ANDROID_ID_SYNTAX_CHECK:false}
dat:
# True to require basicIntegrity for PPAC to pass, false otherwise.
require-basic-integrity: ${ANDROID_DAT_REQUIRE_BASIC_INTEGRITY:false}
# True to require ctsProfileMatch for PPAC to pass, false otherwise.
require-cts-profile-match: ${ANDROID_DAT_REQUIRE_CTS_PROFILE_MATCH:false}
# True to require evaluationType to contain BASIC for PPAC to pass, false otherwise.
require-evaluation-type-basic: ${ANDROID_DAT_REQUIRE_EVALUATION_TYPE_BASIC:false}
# True to require evaluationType to contain HARDWARE_BACKED for PPAC to pass, false otherwise.
require-evaluation-type-hardware-backed: ${ANDROID_DAT_REQUIRE_EVALUATION_TYPE_HARDWARE_BACKED:false}
# True to require android ID syntax check
require-android-id-syntax-check: ${ANDROID_DAT_REQUIRE_ANDROID_ID_SYNTAX_CHECK:false}
log:
# True to require basicIntegrity for PPAC to pass, false otherwise.
require-basic-integrity: ${ANDROID_LOG_REQUIRE_BASIC_INTEGRITY:true}
# True to require ctsProfileMatch for PPAC to pass, false otherwise.
require-cts-profile-match: ${ANDROID_LOG_REQUIRE_CTS_PROFILE_MATCH:true}
# True to require evaluationType to contain BASIC for PPAC to pass, false otherwise.
require-evaluation-type-basic: ${ANDROID_LOG_REQUIRE_EVALUATION_TYPE_BASIC:false}
# True to require evaluationType to contain HARDWARE_BACKED for PPAC to pass, false otherwise.
require-evaluation-type-hardware-backed: ${ANDROID_LOG_REQUIRE_EVALUATION_TYPE_HARDWARE_BACKED:true}
# True to require android ID syntax check
require-android-id-syntax-check: ${ANDROID_LOG_REQUIRE_ANDROID_ID_SYNTAX_CHECK:false}
srs:
# True to require basicIntegrity for PPAC to pass, false otherwise.
require-basic-integrity: ${ANDROID_SRS_REQUIRE_BASIC_INTEGRITY:true}
# True to require ctsProfileMatch for PPAC to pass, false otherwise.
require-cts-profile-match: ${ANDROID_SRS_REQUIRE_CTS_PROFILE_MATCH:true}
# True to require evaluationType to contain BASIC for PPAC to pass, false otherwise.
require-evaluation-type-basic: ${ANDROID_SRS_REQUIRE_EVALUATION_TYPE_BASIC:true} # true according to spec
# True to require evaluationType to contain HARDWARE_BACKED for PPAC to pass, false otherwise.
require-evaluation-type-hardware-backed: ${ANDROID_SRS_REQUIRE_EVALUATION_TYPE_HARDWARE_BACKED:true}
# True to require android ID syntax check
require-android-id-syntax-check: ${ANDROID_SRS_REQUIRE_ANDROID_ID_SYNTAX_CHECK:true}
# normally the AndroidId should be a long value, stored in byte array - Long.BYTES...
min-android-id-length: ${MIN_ANDROID_ID_LENGTH:8}
# ... but for some reasons Android devices send also AndroidIds with 16 bytes size!?!
max-android-id-length: ${MAX_ANDROID_ID_LENGTH:16}