From 3090de56b8c21de2ce01a42968cb28b950b827ac Mon Sep 17 00:00:00 2001
From: Chris Eager
Date: Fri, 1 Dec 2023 11:06:56 -0600
Subject: [PATCH] Set TLS keystore password from secrets configuration

---
 service/config/sample-secrets-bundle.yml          |  2 ++
 service/config/sample.yml                         |  4 +++-
 .../textsecuregcm/WhisperServerConfiguration.java | 13 ++++++++++++-
 .../textsecuregcm/WhisperServerService.java       | 11 +++++++++++
 .../configuration/TlsKeyStoreConfiguration.java   | 12 ++++++++++++
 5 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 service/src/main/java/org/whispersystems/textsecuregcm/configuration/TlsKeyStoreConfiguration.java

diff --git a/service/config/sample-secrets-bundle.yml b/service/config/sample-secrets-bundle.yml
index 556a526fb..54cbf0967 100644
--- a/service/config/sample-secrets-bundle.yml
+++ b/service/config/sample-secrets-bundle.yml
@@ -93,3 +93,5 @@ currentReportingKey.salt: AAAAAAAAAAA=
 turn.secret: AAAAAAAAAAA=
 linkDevice.secret: AAAAAAAAAAA=
+
+tlsKeyStore.password: unset
diff --git a/service/config/sample.yml b/service/config/sample.yml
index e03175117..b51fa3e99 100644
--- a/service/config/sample.yml
+++ b/service/config/sample.yml
@@ -42,6 +42,9 @@ metrics:
   grpcPort: 8080
+tlsKeyStore:
+  password: secret://tlsKeyStore.password
+
 stripe:
   apiKey: secret://stripe.apiKey
   idempotencyKeyGenerator: secret://stripe.idempotencyKeyGenerator
@@ -54,7 +57,6 @@ stripe:
       SEPA_DEBIT:
         - eur
-
 braintree:
   merchantId: unset
   publicKey: unset
diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerConfiguration.java b/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerConfiguration.java
index 21209a717..e42753a64 100644
--- a/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerConfiguration.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerConfiguration.java
@@ -26,8 +26,8 @@ import org.whispersystems.textsecuregcm.configuration.CdnConfiguration;
 import org.whispersystems.textsecuregcm.configuration.ClientCdnConfiguration;
 import org.whispersystems.textsecuregcm.configuration.ClientReleaseConfiguration;
 import org.whispersystems.textsecuregcm.configuration.CommandStopListenerConfiguration;
-import org.whispersystems.textsecuregcm.configuration.DogstatsdConfiguration;
 import org.whispersystems.textsecuregcm.configuration.DirectoryV2Configuration;
+import org.whispersystems.textsecuregcm.configuration.DogstatsdConfiguration;
 import org.whispersystems.textsecuregcm.configuration.DynamoDbClientConfiguration;
 import org.whispersystems.textsecuregcm.configuration.DynamoDbTables;
 import org.whispersystems.textsecuregcm.configuration.FcmConfiguration;
@@ -53,6 +53,7 @@ import org.whispersystems.textsecuregcm.configuration.ShortCodeExpanderConfigura
 import org.whispersystems.textsecuregcm.configuration.SpamFilterConfiguration;
 import org.whispersystems.textsecuregcm.configuration.StripeConfiguration;
 import org.whispersystems.textsecuregcm.configuration.SubscriptionConfiguration;
+import org.whispersystems.textsecuregcm.configuration.TlsKeyStoreConfiguration;
 import org.whispersystems.textsecuregcm.configuration.TurnSecretConfiguration;
 import org.whispersystems.textsecuregcm.configuration.UnidentifiedDeliveryConfiguration;
 import org.whispersystems.textsecuregcm.configuration.ZkConfig;
@@ -62,6 +63,11 @@ import org.whispersystems.websocket.configuration.WebSocketConfiguration;
 /** @noinspection MismatchedQueryAndUpdateOfCollection, WeakerAccess */
 public class WhisperServerConfiguration extends Configuration {
+  @NotNull
+  @Valid
+  @JsonProperty
+  private TlsKeyStoreConfiguration tlsKeyStore;
+
   @NotNull
   @Valid
   @JsonProperty
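Review bot: The new `tlsKeyStore` field in the `@@ -62,6 +63,11 @@` hunk is `@NotNull`, so every deployment must now supply a `tlsKeyStore.password` secret even when none of its connectors is an `HttpsConnectorFactory`, which is the only place the value is consumed according to the `WhisperServerService` hunk further down. If plain-HTTP deployments behind a TLS-terminating proxy are expected, the field could be made optional and the connector override skipped when it is absent; otherwise the requirement deserves a comment on the field, e.g. `// Mandatory even when no HTTPS connector is configured; applied to HTTPS connectors in WhisperServerService.` The two import hunks above are a reorder plus one added import and raise nothing.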
@@ -310,6 +316,11 @@ public class WhisperServerConfiguration extends Configuration {
   @JsonProperty
   private LinkDeviceSecretConfiguration linkDevice;
+  public TlsKeyStoreConfiguration getTlsKeyStoreConfiguration() {
+    return tlsKeyStore;
+  }
+
+
   public StripeConfiguration getStripe() {
     return stripe;
   }
diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java b/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java
index 7c2d350d5..c0e8323ea 100644
--- a/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java
@@ -16,8 +16,10 @@ import io.dropwizard.auth.PolymorphicAuthValueFactoryProvider;
 import io.dropwizard.auth.basic.BasicCredentialAuthFilter;
 import io.dropwizard.auth.basic.BasicCredentials;
 import io.dropwizard.core.Application;
+import io.dropwizard.core.server.DefaultServerFactory;
 import io.dropwizard.core.setup.Bootstrap;
 import io.dropwizard.core.setup.Environment;
+import io.dropwizard.jetty.HttpsConnectorFactory;
 import io.grpc.ServerBuilder;
 import io.grpc.ServerInterceptors;
 import io.lettuce.core.metrics.MicrometerCommandLatencyRecorder;
@@ -298,6 +300,15 @@ public class WhisperServerService extends Application {
+        if (connectorFactory instanceof HttpsConnectorFactory h) {
+          h.setKeyStorePassword(config.getTlsKeyStoreConfiguration().password().value());
+        }
+      });
+    }
+
     HeaderControlledResourceBundleLookup headerControlledResourceBundleLookup = new HeaderControlledResourceBundleLookup();
     ConfiguredProfileBadgeConverter profileBadgeConverter = new ConfiguredProfileBadgeConverter(
diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/configuration/TlsKeyStoreConfiguration.java b/service/src/main/java/org/whispersystems/textsecuregcm/configuration/TlsKeyStoreConfiguration.java
new file mode 100644
index 000000000..6b52e31f4
--- /dev/null
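Review bot: The accessor added in the `@@ -310,6 +316,11 @@` hunk is named `getTlsKeyStoreConfiguration()` although the field it returns is `tlsKeyStore` and the neighbouring accessor follows the field name (`getStripe()` returns `stripe`); `getTlsKeyStore()` would match the class's convention, or the field could be renamed to match the getter. The hunk also leaves two consecutive blank lines before `getStripe()`, where the surrounding methods are separated by one. A one-line Javadoc would help a reader who lands here from the secrets bundle, e.g. `/** Credentials applied to the HTTPS connectors' key store at startup; see WhisperServerService. */`.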
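Review bot: `h.setKeyStorePassword(config.getTlsKeyStoreConfiguration().password().value())` in the `@@ -298,6 +300,15 @@` hunk replaces whatever `keyStorePassword` the connector block of the YAML carried, so an inline value is silently overridden and a placeholder secret such as the sample bundle's `unset` presumably only surfaces as a key-store load failure when the server starts rather than as a configuration validation error. A comment above the override would make the precedence explicit, e.g. `// The key-store password comes from the secrets bundle and replaces any keyStorePassword given inline on the connector.`, and a fail-fast check that the secret is non-empty before it is applied would turn the placeholder case into a clear startup error. The lines that open this block — the server-factory check and the connector loop closed by `});` and `}`, which presumably use the newly imported `DefaultServerFactory` — are not present in this rendering of the hunk, so the page does not show which connector lists (application vs. admin) are iterated; if only one of them is, an HTTPS connector in the other list would keep its YAML password.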
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/configuration/TlsKeyStoreConfiguration.java
@@ -0,0 +1,12 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretString;
+import javax.validation.constraints.NotNull;
+
+public record TlsKeyStoreConfiguration(@NotNull SecretString password) {
+}
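Review bot: `TlsKeyStoreConfiguration` has no Javadoc, and because it carries a secret a reader has to chase `WhisperServerService` to learn what the password unlocks; a record comment such as `/** Password for the TLS key store loaded by the HTTPS connectors at startup; supplied through the secrets bundle as tlsKeyStore.password. */` would cover it. `@NotNull` only rejects a missing component, so an empty secret still passes validation; if an empty password should count as misconfiguration, a compact constructor that rejects an empty `password.value()` would report it at validation time instead of at key-store load. The `javax.validation.constraints.NotNull` import is placed after the project import, which a sorted import order would put first.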