From 06dd4c50266639fa35583ae9c8e47d525919ff52 Mon Sep 17 00:00:00 2001
From: gram-signal <84339875+gram-signal@users.noreply.github.com>
Date: Mon, 2 May 2022 08:41:38 -0600
Subject: [PATCH] Derive username from ACI for CDS{H,I} (#989)

* Derive username from ACI for CDS{H,I}

* Update sample YAML.
---
 service/config/sample.yml                              |  1 +
 .../textsecuregcm/WhisperServerService.java            |  5 +++--
 .../auth/ExternalServiceCredentialGenerator.java       |  2 +-
 .../configuration/DirectoryV2ClientConfiguration.java  |  9 ++++++++-
 .../controllers/DirectoryV2Controller.java             | 10 +---------
 .../tests/controllers/DirectoryControllerV2Test.java   |  9 +++------
 6 files changed, 17 insertions(+), 19 deletions(-)

diff --git a/service/config/sample.yml b/service/config/sample.yml
index 5725c654c..faf683410 100644
--- a/service/config/sample.yml
+++ b/service/config/sample.yml
@@ -134,6 +134,7 @@ directory:
 directoryV2:
   client: # Configuration for interfacing with Contact Discovery Service v2 cluster
     userAuthenticationTokenSharedSecret: abcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with CDS to generate auth tokens for Signal users
+    userIdTokenSharedSecret: bbcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with CDS to generate auth identity tokens for Signal users
 
 messageCache: # Redis server configuration for message store cache
   persistDelayMinutes: 1
diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java b/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java
index a0384d5cd..a014960ae 100644
--- a/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java
@@ -420,8 +420,9 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
         config.getDirectoryConfiguration().getDirectoryClientConfiguration().getUserAuthenticationTokenSharedSecret(),
         config.getDirectoryConfiguration().getDirectoryClientConfiguration().getUserAuthenticationTokenUserIdSecret());
     ExternalServiceCredentialGenerator directoryV2CredentialsGenerator = new ExternalServiceCredentialGenerator(
-        config.getDirectoryV2Configuration().getDirectoryV2ClientConfiguration()
-            .getUserAuthenticationTokenSharedSecret(), false);
+        config.getDirectoryV2Configuration().getDirectoryV2ClientConfiguration().getUserAuthenticationTokenSharedSecret(),
+        config.getDirectoryV2Configuration().getDirectoryV2ClientConfiguration().getUserIdTokenSharedSecret(),
+        true, false);
 
     dynamicConfigurationManager.start();
 
diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/auth/ExternalServiceCredentialGenerator.java b/service/src/main/java/org/whispersystems/textsecuregcm/auth/ExternalServiceCredentialGenerator.java
index f3fcdc428..b46b9643a 100644
--- a/service/src/main/java/org/whispersystems/textsecuregcm/auth/ExternalServiceCredentialGenerator.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/auth/ExternalServiceCredentialGenerator.java
@@ -35,7 +35,7 @@ public class ExternalServiceCredentialGenerator {
     this(key, userIdKey, usernameDerivation, true);
   }
 
-  private ExternalServiceCredentialGenerator(byte[] key, byte[] userIdKey, boolean usernameDerivation,
+  public ExternalServiceCredentialGenerator(byte[] key, byte[] userIdKey, boolean usernameDerivation,
       boolean prependUsername) {
     this(key, userIdKey, usernameDerivation, prependUsername, Clock.systemUTC());
   }
diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/configuration/DirectoryV2ClientConfiguration.java b/service/src/main/java/org/whispersystems/textsecuregcm/configuration/DirectoryV2ClientConfiguration.java
index 9d2ee263e..9beba5d63 100644
--- a/service/src/main/java/org/whispersystems/textsecuregcm/configuration/DirectoryV2ClientConfiguration.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/configuration/DirectoryV2ClientConfiguration.java
@@ -11,11 +11,14 @@ import org.whispersystems.textsecuregcm.util.ExactlySize;
 public class DirectoryV2ClientConfiguration {
 
   private final byte[] userAuthenticationTokenSharedSecret;
+  private final byte[] userIdTokenSharedSecret;
 
   @JsonCreator
   public DirectoryV2ClientConfiguration(
-      @JsonProperty("userAuthenticationTokenSharedSecret") final byte[] userAuthenticationTokenSharedSecret) {
+      @JsonProperty("userAuthenticationTokenSharedSecret") final byte[] userAuthenticationTokenSharedSecret,
+      @JsonProperty("userIdTokenSharedSecret") final byte[] userIdTokenSharedSecret) {
     this.userAuthenticationTokenSharedSecret = userAuthenticationTokenSharedSecret;
+    this.userIdTokenSharedSecret = userIdTokenSharedSecret;
   }
 
   @ExactlySize({32})
@@ -23,4 +26,8 @@ public class DirectoryV2ClientConfiguration {
     return userAuthenticationTokenSharedSecret;
   }
 
+  @ExactlySize({32})
+  public byte[] getUserIdTokenSharedSecret() {
+    return userIdTokenSharedSecret;
+  }
 }
diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/DirectoryV2Controller.java b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/DirectoryV2Controller.java
index bec497c7d..33775a27f 100644
--- a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/DirectoryV2Controller.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/DirectoryV2Controller.java
@@ -34,16 +34,8 @@ public class DirectoryV2Controller {
   @Path("/auth")
   @Produces(MediaType.APPLICATION_JSON)
   public Response getAuthToken(@Auth AuthenticatedAccount auth) {
-
     final UUID uuid = auth.getAccount().getUuid();
-    final String e164 = auth.getAccount().getNumber();
-    final long e164AsLong = Long.parseLong(e164, e164.indexOf('+'), e164.length() - 1, 10);
-
-    final byte[] uuidAndNumber = ByteUtil.combine(UUIDUtil.toBytes(uuid), Util.longToByteArray(e164AsLong));
-    final String username = Base64.getEncoder().encodeToString(uuidAndNumber);
-
-    final ExternalServiceCredentials credentials = directoryServiceTokenGenerator.generateFor(username);
-
+    final ExternalServiceCredentials credentials = directoryServiceTokenGenerator.generateFor(uuid.toString());
     return Response.ok().entity(credentials).build();
   }
 }
diff --git a/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/DirectoryControllerV2Test.java b/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/DirectoryControllerV2Test.java
index 93461ad52..c6c31b42d 100644
--- a/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/DirectoryControllerV2Test.java
+++ b/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/DirectoryControllerV2Test.java
@@ -27,7 +27,7 @@ class DirectoryControllerV2Test {
   @Test
   void testAuthToken() {
     final ExternalServiceCredentialGenerator credentialGenerator = new ExternalServiceCredentialGenerator(
-        new byte[]{0x1}, new byte[0], false, false,
+        new byte[]{0x1}, new byte[]{0x2}, true, false,
         Clock.fixed(Instant.ofEpochSecond(1633738643L), ZoneId.of("Etc/UTC")));
 
     final DirectoryV2Controller controller = new DirectoryV2Controller(credentialGenerator);
@@ -35,15 +35,12 @@ class DirectoryControllerV2Test {
     final Account account = mock(Account.class);
     final UUID uuid = UUID.fromString("11111111-1111-1111-1111-111111111111");
     when(account.getUuid()).thenReturn(uuid);
-    when(account.getNumber()).thenReturn("+15055551111");
 
     final ExternalServiceCredentials credentials = (ExternalServiceCredentials) controller.getAuthToken(
         new AuthenticatedAccount(() -> new Pair<>(account, mock(Device.class)))).getEntity();
 
-    assertEquals(credentials.getUsername(), "EREREREREREREREREREREQAAAABZvPKn");
-    assertEquals(credentials.getPassword(), "1633738643:ff03669c64f3f938a279");
-    assertEquals(32, credentials.getUsername().length());
-    assertEquals(31, credentials.getPassword().length());
+    assertEquals(credentials.getUsername(), "d369bc712e2e0dd36258");
+    assertEquals(credentials.getPassword(), "1633738643:4433b0fab41f25f79dd4");
   }
 
 }