Merge tag 'v1.9.1'

Author: Zangetsu101

CHANGELOG.md

@@ -1,5 +1,16 @@
 # Changelog
 
+## 1.9.1
+
+### Breaking changes
+
+- **Remove Unused Scopes**: Removed `RECORD_PRINT_RECORDS_SUPPORTING_DOCUMENTS` and `RECORD_EXPORT_RECORDS` scopes from `REGISTRATION_AGENT`, `LOCAL_REGISTRAR` and `NATIONAL_REGISTRAR`
+
+### Improvements
+
+- Make encryption step optional [#1123](https://github.com/opencrvs/opencrvs-countryconfig/pull/1123)
+- Added validation for ENCRYPTION_KEY [#10896](https://github.com/opencrvs/opencrvs-core/issues/10896)
+
 ## 1.9.0
 
 ### New features
@@ -24,15 +35,13 @@
 - Store system monitoring data for 1 month [#10515](https://github.com/opencrvs/opencrvs-core/issues/10515)
 
 - Restricted filesystem usage for journal service and file rotation strategy [#10518](https://github.com/opencrvs/opencrvs-core/issues/10518))
-
 - Tiltfile: Improved Kubernetes support for development environment [#10672](https://github.com/opencrvs/opencrvs-core/issues/10672)
 
 ### Bug fixes
 
 - Allow non-interactive upgrades with apt [#10204](https://github.com/opencrvs/opencrvs-core/issues/10204)
 - Don't restart events service after data cleanup [#10704](https://github.com/opencrvs/opencrvs-core/issues/10704)
 
-
 ## 1.8.1
 
 ### Bug fixes

infrastructure/docker-compose.deploy.yml

@@ -11,7 +11,7 @@ services:
   # Note: these published port will override UFW rules as Docker manages it's own iptables
   # Only publish the exact ports that are required for OpenCRVS to work
   traefik:
-    image: 'traefik:v2.10'
+    image: 'traefik:v2.11'
     ports:
       - target: 80
         published: 80

infrastructure/environments/setup-environment.ts

@@ -386,7 +386,7 @@ const countryQuestions = [
   }
 ]
 
-const infrastructureQuestions = [
+const diskQuestions = [
   {
     name: 'diskSpace',
     type: 'text' as const,
@@ -397,8 +397,10 @@ const infrastructureQuestions = [
     validate: notEmpty,
     valueLabel: 'DISK_SPACE',
     initial: process.env.DISK_SPACE || '200g',
-    scope: 'ENVIRONMENT' as const
+    scope: 'ENVIRONMENT' as const,
   },
+]
+const infrastructureQuestions = [
   {
     name: 'domain',
     type: 'text' as const,
@@ -780,6 +782,7 @@ ALL_QUESTIONS.push(
   ...dockerhubQuestions,
   ...sshQuestions,
   ...sshKeyQuestions,
+  ...diskQuestions,
   ...infrastructureQuestions,
   ...countryQuestions,
   ...databaseAndMonitoringQuestions,
@@ -887,7 +890,7 @@ const SPECIAL_NON_APPLICATION_ENVIRONMENTS = ['jump', 'backup']
     ...existingRepositoryVariable,
     ...existingEnvironmentSecrets
   ]
-
+  let enableEncryption = true
   if (
     existingEnvironmentVariables.length > 0 ||
     existingEnvironmentSecrets.length > 0
@@ -967,7 +970,32 @@ const SPECIAL_NON_APPLICATION_ENVIRONMENTS = ['jump', 'backup']
       )
     }
   } else {
-    log('\n', kleur.bold().underline('Server setup'))
+    log('\n', kleur.bold().underline('Server setup'), '\n')
+    const encryption_key_defined = findExistingValue(
+            'ENCRYPTION_KEY',
+            'SECRET',
+            'ENVIRONMENT',
+            existingValues
+    )
+
+    if (!encryption_key_defined) {
+        const answers_enable_encryption = await prompts(
+          [
+            {
+              name: 'enableEncryption',
+              type: 'confirm' as const,
+              message: 'Do you want to enable disk encryption?',
+              scope: 'ENVIRONMENT' as const,
+              initial: Boolean(process.env.ENABLE_ENCRYPTION)
+            }
+          ].map(questionToPrompt)
+        )
+        enableEncryption = answers_enable_encryption.enableEncryption
+    }
+    if (enableEncryption) {
+      console.log('\n', kleur.bold().green('✔'), kleur.bold().yellow(' Disk encryption is enabled'))
+      await promptAndStoreAnswer(environment, diskQuestions, existingValues)
+    }
     const { domain } = await promptAndStoreAnswer(
       environment,
       infrastructureQuestions,
@@ -1101,6 +1129,26 @@ const SPECIAL_NON_APPLICATION_ENVIRONMENTS = ['jump', 'backup']
     }
   ]
 
+  if (enableEncryption){
+    derivedUpdates.push({
+      name: 'ENCRYPTION_KEY',
+      type: 'SECRET' as const,
+      didExist: findExistingValue(
+        'ENCRYPTION_KEY',
+        'SECRET',
+        'ENVIRONMENT',
+        existingValues
+      ),
+      value: findExistingOrDefine(
+        'ENCRYPTION_KEY',
+        'SECRET',
+        'ENVIRONMENT',
+        generateLongPassword()
+      ),
+      scope: 'ENVIRONMENT' as const
+    })
+  }
+
   if (['production', 'staging'].includes(environment)) {
     derivedUpdates.push({
       name: 'BACKUP_ENCRYPTION_PASSPHRASE',
@@ -1275,23 +1323,6 @@ const SPECIAL_NON_APPLICATION_ENVIRONMENTS = ['jump', 'backup']
       ),
       scope: 'ENVIRONMENT' as const
     },
-    {
-      name: 'ENCRYPTION_KEY',
-      type: 'SECRET' as const,
-      didExist: findExistingValue(
-        'ENCRYPTION_KEY',
-        'SECRET',
-        'ENVIRONMENT',
-        existingValues
-      ),
-      value: findExistingOrDefine(
-        'ENCRYPTION_KEY',
-        'SECRET',
-        'ENVIRONMENT',
-        generateLongPassword()
-      ),
-      scope: 'ENVIRONMENT' as const
-    },
     {
       type: 'VARIABLE' as const,
       name: 'ACTIVATE_USERS',

infrastructure/server-setup/playbook.yml

@@ -114,6 +114,16 @@
       tags:
         - data-partition
 
+    - include_tasks:
+        file: tasks/validate-data-partition.yml
+        apply:
+          tags:
+            - data-partition
+            - decrypt-on-boot
+      tags:
+        - data-partition
+        - decrypt-on-boot
+
     - include_tasks:
         file: tasks/swap.yml
         apply:

infrastructure/server-setup/tasks/decrypt-on-boot.yml

@@ -1,4 +1,39 @@
-- name: Save disk encryption key into a file as an example (in production use a hardware security module)
+- name: Ensure 'cryptsetup' utility is installed
+  ansible.builtin.package:
+    name: cryptsetup
+    state: present
+  when: disk_encryption_key is defined
+
+- name: 'Register encrypted file system'
+  stat:
+    path: /cryptfs_file_sparse.img
+    get_checksum: False
+  register: encryptedFileSystemPostCheck
+  when: disk_encryption_key is defined
+
+- name: Check if Disk encryption key file exists
+  ansible.builtin.stat:
+    path: /root/disk-encryption-key.txt
+  register: encryption_keyfile_stat
+  when: disk_encryption_key is defined
+
+- name: Read existing Disk encryption key
+  ansible.builtin.slurp:
+    src: /root/disk-encryption-key.txt
+  register: existing_disk_encryption_key
+  when:
+    - disk_encryption_key is defined
+    - encryption_keyfile_stat.stat.exists
+
+- name: Fail if key exists and differs
+  ansible.builtin.fail:
+    msg: "Disk encryption key on disk does not match ansible variable! GitHub secret ENCRYPTION_KEY was updated!"
+  when:
+    - disk_encryption_key is defined
+    - encryption_keyfile_stat.stat.exists
+    - existing_disk_encryption_key['content'] | b64decode != ("DISK_ENCRYPTION_KEY=" ~ disk_encryption_key ~ "\n")
+
+- name: Save disk encryption key into a file
   when: disk_encryption_key is defined
   ansible.builtin.copy:
     dest: /root/disk-encryption-key.txt
@@ -8,6 +43,23 @@
     content: |
       DISK_ENCRYPTION_KEY={{ disk_encryption_key }}
 
+- name: Ensure destination directory exists
+  ansible.builtin.file:
+    path: /opt/opencrvs/scripts/cryptfs
+    state: directory
+    mode: '0755'
+    owner: root
+    group: root
+    recurse: yes
+
+- name: Install k8s-help script
+  copy:
+    src: ../cryptfs/decrypt.sh
+    dest: "/opt/opencrvs/scripts/cryptfs/decrypt.sh"
+    owner: "{{ ansible_user }}"
+    group: 'application'
+    mode: '0755'
+
 - name: Copy reboot.service systemd file. Must decrypt disk on reboot
   ansible.builtin.copy:
     dest: /etc/systemd/system/reboot.service
@@ -28,7 +80,6 @@
    - encryptedFileSystemPostCheck.stat.exists
 
 - name: 'Setup systemd to mount encrypted folder'
-  when: disk_encryption_key is defined
   shell: systemctl daemon-reload && systemctl enable reboot.service
   when:
     - disk_encryption_key is defined

infrastructure/server-setup/tasks/validate-data-partition.yml

@@ -0,0 +1,26 @@
+- name: Verify LUKS disk encryption key
+  when: disk_encryption_key is defined
+  block:
+    - name: Backup LUKS header
+      shell: |
+        loop_device=$(losetup -j /cryptfs_file_sparse.img | cut -d: -f1)
+        rm -vf /tmp/luks-header.img
+        cryptsetup luksHeaderBackup $loop_device --header-backup-file /tmp/luks-header.img
+
+    - name: Test disk encryption key for LUKS header
+      when: disk_encryption_key is defined
+      shell: 'echo "{{ disk_encryption_key }}" | cryptsetup -d - luksOpen /tmp/luks-header.img test --test-passphrase'
+      register: luks_test
+
+    - name: Display success message
+      debug:
+        msg: "✓ LUKS passphrase test successful - the disk encryption key is valid: {{ luks_test.stdout }}"
+  rescue:
+    - name: DO NOT REBOOT the SERVER
+      fail:
+        msg: |
+          {% if luks_test.rc == 2 and 'No key available with this passphrase' in luks_test.stderr -%}
+          LUKS passphrase test failed: Please make sure your key in GitHub secret is correct. Otherwise system will not be able to decrypt /data. MAKE SURE DATA BACKUP IS RESTORABLE BEFORE SERVER REBOOT.
+          {%- else -%}
+          cryptsetup error (RC: {{ luks_test.rc }}) - {{ luks_test.stderr | default('Unknown error') }}
+          {%- endif %}

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opencrvs/countryconfig",
-  "version": "1.9.0",
+  "version": "1.9.1",
   "description": "OpenCRVS country configuration for reference data",
   "os": [
     "darwin",
@@ -69,7 +69,7 @@
     "@hapi/boom": "^9.1.1",
     "@hapi/hapi": "^20.0.1",
     "@hapi/inert": "^6.0.3",
-    "@opencrvs/toolkit": "1.9.0",
+    "@opencrvs/toolkit": "1.9.0-rc.79b0f42",
     "@types/chalk": "^2.2.0",
     "@types/csv2json": "^1.4.0",
     "@types/fhir": "^0.0.30",

src/api/notification/testData.ts

@@ -137,9 +137,7 @@ const RequestBirthNotificationAction = {
     'mother.address': {
       country: 'FAR',
       addressType: 'DOMESTIC',
-      province: '05cbe3a1-9020-47bd-b558-807607c2f119',
-      district: 'afaead2b-7ef5-4adb-b4bf-3d2b8437c284',
-      urbanOrRural: 'URBAN'
+      administrativeArea: 'afaead2b-7ef5-4adb-b4bf-3d2b8437c284'
     },
     'informant.email': '[email protected]',
     'informant.phoneNo': '0734231245',
@@ -175,9 +173,7 @@ const RequestBirthDeclarationAction = {
     'mother.address': {
       country: 'FAR',
       addressType: 'DOMESTIC',
-      province: '05cbe3a1-9020-47bd-b558-807607c2f119',
-      district: 'afaead2b-7ef5-4adb-b4bf-3d2b8437c284',
-      urbanOrRural: 'URBAN'
+      administrativeArea: 'afaead2b-7ef5-4adb-b4bf-3d2b8437c284'
     },
     'informant.email': '[email protected]',
     'informant.phoneNo': '0734231245',
@@ -213,9 +209,7 @@ const BirthDeclarationAction = {
     'mother.address': {
       country: 'FAR',
       addressType: 'DOMESTIC',
-      province: '05cbe3a1-9020-47bd-b558-807607c2f119',
-      district: 'afaead2b-7ef5-4adb-b4bf-3d2b8437c284',
-      urbanOrRural: 'URBAN'
+      administrativeArea: 'afaead2b-7ef5-4adb-b4bf-3d2b8437c284'
     },
     'informant.email': '[email protected]',
     'informant.phoneNo': '0734231245',
@@ -284,9 +278,7 @@ const RequestDeathNotificationAction = {
     'deceased.address': {
       country: 'FAR',
       addressType: 'DOMESTIC',
-      province: '05cbe3a1-9020-47bd-b558-807607c2f119',
-      district: 'afaead2b-7ef5-4adb-b4bf-3d2b8437c284',
-      urbanOrRural: 'URBAN'
+      administrativeArea: 'afaead2b-7ef5-4adb-b4bf-3d2b8437c284'
     },
     'informant.relation': 'SPOUSE'
   },
@@ -311,13 +303,13 @@ const RequestDeathDeclarationAction = {
   createdByRole: 'LOCAL_REGISTRAR',
   createdAtLocation: '9e069dda-0d83-4f67-a4f2-9adbf5658e2e' as unknown as UUID,
   declaration: {
-    'spouse.age': { age: '41', asOfDateRef: 'eventDetails.date' },
+    'spouse.age': { age: 41, asOfDateRef: 'eventDetails.date' },
     'spouse.name': {
       firstname: 'Toki',
       surname: 'Kozuki',
       middlename: ''
     },
-    'deceased.age': { age: '31', asOfDateRef: 'eventDetails.date' },
+    'deceased.age': { age: 31, asOfDateRef: 'eventDetails.date' },
     'deceased.name': {
       firstname: 'Oden',
       surname: 'Kozuki',
@@ -332,9 +324,7 @@ const RequestDeathDeclarationAction = {
     'deceased.address': {
       country: 'FAR',
       addressType: 'DOMESTIC',
-      province: '05cbe3a1-9020-47bd-b558-807607c2f119',
-      district: 'afaead2b-7ef5-4adb-b4bf-3d2b8437c284',
-      urbanOrRural: 'URBAN'
+      administrativeArea: 'afaead2b-7ef5-4adb-b4bf-3d2b8437c284'
     },
     'eventDetails.date': '2025-08-19',
     'spouse.dobUnknown': true,
@@ -367,13 +357,13 @@ const DeathDeclarationAction = {
   createdByRole: 'LOCAL_REGISTRAR',
   createdAtLocation: '9e069dda-0d83-4f67-a4f2-9adbf5658e2e' as unknown as UUID,
   declaration: {
-    'spouse.age': { age: '41', asOfDateRef: 'eventDetails.date' },
+    'spouse.age': { age: 41, asOfDateRef: 'eventDetails.date' },
     'spouse.name': {
       firstname: 'Toki',
       surname: 'Kozuki',
       middlename: ''
     },
-    'deceased.age': { age: '31', asOfDateRef: 'eventDetails.date' },
+    'deceased.age': { age: 31, asOfDateRef: 'eventDetails.date' },
     'deceased.name': {
       firstname: 'Oden',
       surname: 'Kozuki',
@@ -388,9 +378,7 @@ const DeathDeclarationAction = {
     'deceased.address': {
       country: 'FAR',
       addressType: 'DOMESTIC',
-      province: '05cbe3a1-9020-47bd-b558-807607c2f119',
-      district: 'afaead2b-7ef5-4adb-b4bf-3d2b8437c284',
-      urbanOrRural: 'URBAN'
+      administrativeArea: 'afaead2b-7ef5-4adb-b4bf-3d2b8437c284'
     },
     'eventDetails.date': '2025-08-19',
     'spouse.dobUnknown': true,