MirrorMirror
/
Signal-Server
mirror of https://github.com/signalapp/Signal-Server.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Don't produce zkgroup auth creds with PNI as ACI

This commit is contained in:
Alex Konradi 2024-03-13 17:22:45 -04:00 committed by GitHub
parent 8574494573
commit 0ab2428d87
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 2 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
service/src/main/java/org/whispersystems/textsecuregcm/controllers/CertificateController.java
View File

@ -8,10 +8,8 @@ package org.whispersystems.textsecuregcm.controllers;
import static com.codahale.metrics.MetricRegistry.name;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.net.HttpHeaders;
import io.dropwizard.auth.Auth;
import io.micrometer.core.instrument.Metrics;
import io.micrometer.core.instrument.Tags;
import io.swagger.v3.oas.annotations.tags.Tag;
import java.security.InvalidKeyException;
import java.time.Clock;
@ -25,7 +23,6 @@ import javax.annotation.Nonnull;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.DefaultValue;
import javax.ws.rs.GET;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
@ -42,8 +39,6 @@ import org.whispersystems.textsecuregcm.auth.CertificateGenerator;
import org.whispersystems.textsecuregcm.entities.DeliveryCertificate;
import org.whispersystems.textsecuregcm.entities.GroupCredentials;
import org.whispersystems.textsecuregcm.identity.IdentityType;
import org.whispersystems.textsecuregcm.metrics.MetricsUtil;
import org.whispersystems.textsecuregcm.metrics.UserAgentTagUtil;
import org.whispersystems.websocket.auth.ReadOnly;
@SuppressWarnings("OptionalUsedAsFieldOrParameterType")
@ -60,8 +55,6 @@ public class CertificateController {
public static final Duration MAX_REDEMPTION_DURATION = Duration.ofDays(7);
private static final String GENERATE_DELIVERY_CERTIFICATE_COUNTER_NAME = name(CertificateGenerator.class, "generateCertificate");
private static final String INCLUDE_E164_TAG_NAME = "includeE164";
private static final String GET_GROUP_AUTHENTICATION_CREDENTIALS_COUNTER_NAME =
MetricsUtil.name(CertificateController.class, "getGroupAuthenticationCredentials");
public CertificateController(
@Nonnull CertificateGenerator certificateGenerator,
@ -97,10 +90,8 @@ public class CertificateController {
@Path("/auth/group")
public GroupCredentials getGroupAuthenticationCredentials(
@ReadOnly @Auth AuthenticatedAccount auth,
@HeaderParam(HttpHeaders.USER_AGENT) String userAgent,
@QueryParam("redemptionStartSeconds") long startSeconds,
@QueryParam("redemptionEndSeconds") long endSeconds,
@QueryParam("pniAsServiceId") boolean pniAsServiceId) {
@QueryParam("redemptionEndSeconds") long endSeconds) {
final Instant startOfDay = clock.instant().truncatedTo(ChronoUnit.DAYS);
final Instant redemptionStart = Instant.ofEpochSecond(startSeconds);
@ -124,12 +115,7 @@ public class CertificateController {
ServiceId.Pni pni = new ServiceId.Pni(auth.getAccount().getPhoneNumberIdentifier());
while (!redemption.isAfter(redemptionEnd)) {
AuthCredentialWithPniResponse authCredentialWithPni;
if (pniAsServiceId) {
authCredentialWithPni = serverZkAuthOperations.issueAuthCredentialWithPniAsServiceId(aci, pni, redemption);
} else {
authCredentialWithPni = serverZkAuthOperations.issueAuthCredentialWithPniAsAci(aci, pni, redemption);
}
AuthCredentialWithPniResponse authCredentialWithPni = serverZkAuthOperations.issueAuthCredentialWithPniAsServiceId(aci, pni, redemption);
credentials.add(new GroupCredentials.GroupCredential(
authCredentialWithPni.serialize(),
(int) redemption.getEpochSecond()));
@ -141,10 +127,6 @@ public class CertificateController {
redemption = redemption.plus(Duration.ofDays(1));
}
Metrics.counter(GET_GROUP_AUTHENTICATION_CREDENTIALS_COUNTER_NAME,
Tags.of(UserAgentTagUtil.getPlatformTag(userAgent)).and("pniAsServiceId", String.valueOf(pniAsServiceId)))
.increment();
return new GroupCredentials(credentials, callLinkAuthCredentials, pni.getRawUUID());
}
}

36
service/src/test/java/org/whispersystems/textsecuregcm/controllers/CertificateControllerTest.java
View File

@ -204,42 +204,6 @@ class CertificateControllerTest {
assertEquals(response.getStatus(), 401);
}
@Test
void testGetSingleGroupCredentialWithPniAsAci() {
final Instant startOfDay = clock.instant().truncatedTo(ChronoUnit.DAYS);
final GroupCredentials credentials = resources.getJerseyTest()
.target("/v1/certificate/auth/group")
.queryParam("redemptionStartSeconds", startOfDay.getEpochSecond())
.queryParam("redemptionEndSeconds", startOfDay.getEpochSecond())
.request()
.header("Authorization", AuthHelper.getAuthHeader(AuthHelper.VALID_UUID, AuthHelper.VALID_PASSWORD))
.get(GroupCredentials.class);
assertEquals(1, credentials.credentials().size());
assertEquals(1, credentials.callLinkAuthCredentials().size());
assertEquals(AuthHelper.VALID_PNI, credentials.pni());
assertEquals(startOfDay.getEpochSecond(), credentials.credentials().get(0).redemptionTime());
assertEquals(startOfDay.getEpochSecond(), credentials.callLinkAuthCredentials().get(0).redemptionTime());
final ClientZkAuthOperations clientZkAuthOperations =
new ClientZkAuthOperations(serverSecretParams.getPublicParams());
assertDoesNotThrow(() -> {
clientZkAuthOperations.receiveAuthCredentialWithPniAsAci(
new ServiceId.Aci(AuthHelper.VALID_UUID),
new ServiceId.Pni(AuthHelper.VALID_PNI),
(int) startOfDay.getEpochSecond(),
new AuthCredentialWithPniResponse(credentials.credentials().get(0).credential()));
});
assertDoesNotThrow(() -> {
new CallLinkAuthCredentialResponse(credentials.callLinkAuthCredentials().get(0).credential())
.receive(new ServiceId.Aci(AuthHelper.VALID_UUID), startOfDay, genericServerSecretParams.getPublicParams());
});
}
@Test
void testGetSingleGroupCredentialWithPniAsServiceId() {
final Instant startOfDay = clock.instant().truncatedTo(ChronoUnit.DAYS);