From 39c09733d331b818ebdd67ea0430316b2bff91f0 Mon Sep 17 00:00:00 2001
From: Curt Brune <47334179+cbrune-signal@users.noreply.github.com>
Date: Thu, 8 Oct 2020 07:51:01 -0700
Subject: [PATCH] Add /v1/payments/auth endpoint

---
 service/config/sample.yml                     |  3 +
 .../WhisperServerConfiguration.java           | 10 +++
 .../textsecuregcm/WhisperServerService.java   |  7 +-
 .../PaymentsServiceConfiguration.java         | 19 +++++
 .../controllers/PaymentsController.java       | 30 +++++++
 .../controllers/PaymentsControllerTest.java   | 81 +++++++++++++++++++
 6 files changed, 148 insertions(+), 2 deletions(-)
 create mode 100644 service/src/main/java/org/whispersystems/textsecuregcm/configuration/PaymentsServiceConfiguration.java
 create mode 100644 service/src/main/java/org/whispersystems/textsecuregcm/controllers/PaymentsController.java
 create mode 100644 service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/PaymentsControllerTest.java

diff --git a/service/config/sample.yml b/service/config/sample.yml
index b08f10b99..1179f2f37 100644
--- a/service/config/sample.yml
+++ b/service/config/sample.yml
@@ -140,3 +140,6 @@ featureFlag:
     - # 2nd authorized token
     - # ...
     - # Nth authorized token
+
+paymentService:
+  userAuthenticationTokenSharedSecret: # hex-encoded 32-byte secret shared with MobileCoin services used to generate auth tokens for Signal users
diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerConfiguration.java b/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerConfiguration.java
index 24c2d59c0..0850e79ae 100644
--- a/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerConfiguration.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerConfiguration.java
@@ -31,6 +31,7 @@ import org.whispersystems.textsecuregcm.configuration.GcpAttachmentsConfiguratio
 import org.whispersystems.textsecuregcm.configuration.MaxDeviceConfiguration;
 import org.whispersystems.textsecuregcm.configuration.MessageCacheConfiguration;
 import org.whispersystems.textsecuregcm.configuration.MicrometerConfiguration;
+import org.whispersystems.textsecuregcm.configuration.PaymentsServiceConfiguration;
 import org.whispersystems.textsecuregcm.configuration.PushConfiguration;
 import org.whispersystems.textsecuregcm.configuration.RateLimitsConfiguration;
 import org.whispersystems.textsecuregcm.configuration.RecaptchaConfiguration;
@@ -202,6 +203,11 @@ public class WhisperServerConfiguration extends Configuration {
   @JsonProperty
   private SecureBackupServiceConfiguration backupService;
 
+  @Valid
+  @NotNull
+  @JsonProperty
+  private PaymentsServiceConfiguration paymentsService;
+
   @Valid
   @NotNull
   @JsonProperty
@@ -353,6 +359,10 @@ public class WhisperServerConfiguration extends Configuration {
     return backupService;
   }
 
+  public PaymentsServiceConfiguration getPaymentsServiceConfiguration() {
+    return paymentsService;
+  }
+
   public ZkConfig getZkConfig() {
     return zkConfig;
   }
diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java b/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java
index e4c3925a7..064739c98 100644
--- a/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java
@@ -69,6 +69,7 @@ import org.whispersystems.textsecuregcm.controllers.FeatureFlagsController;
 import org.whispersystems.textsecuregcm.controllers.KeepAliveController;
 import org.whispersystems.textsecuregcm.controllers.KeysController;
 import org.whispersystems.textsecuregcm.controllers.MessageController;
+import org.whispersystems.textsecuregcm.controllers.PaymentsController;
 import org.whispersystems.textsecuregcm.controllers.ProfileController;
 import org.whispersystems.textsecuregcm.controllers.ProvisioningController;
 import org.whispersystems.textsecuregcm.controllers.RemoteConfigController;
@@ -315,8 +316,9 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
                                                                                                               config.getDirectoryConfiguration().getDirectoryClientConfiguration().getUserAuthenticationTokenUserIdSecret(),
                                                                                                               true);
 
-    ExternalServiceCredentialGenerator storageCredentialsGenerator = new ExternalServiceCredentialGenerator(config.getSecureStorageServiceConfiguration().getUserAuthenticationTokenSharedSecret(), new byte[0], false);
-    ExternalServiceCredentialGenerator backupCredentialsGenerator  = new ExternalServiceCredentialGenerator(config.getSecureBackupServiceConfiguration().getUserAuthenticationTokenSharedSecret(), new byte[0], false);
+    ExternalServiceCredentialGenerator storageCredentialsGenerator   = new ExternalServiceCredentialGenerator(config.getSecureStorageServiceConfiguration().getUserAuthenticationTokenSharedSecret(), new byte[0], false);
+    ExternalServiceCredentialGenerator backupCredentialsGenerator    = new ExternalServiceCredentialGenerator(config.getSecureBackupServiceConfiguration().getUserAuthenticationTokenSharedSecret(), new byte[0], false);
+    ExternalServiceCredentialGenerator paymentsCredentialsGenerator  = new ExternalServiceCredentialGenerator(config.getPaymentsServiceConfiguration().getUserAuthenticationTokenSharedSecret(), new byte[0], false);
 
     ApnFallbackManager       apnFallbackManager = new ApnFallbackManager(pushSchedulerClient, apnSender, accountsManager);
     TwilioSmsSender          twilioSmsSender    = new TwilioSmsSender(config.getTwilioConfiguration());
@@ -391,6 +393,7 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
     environment.jersey().register(new VoiceVerificationController(config.getVoiceVerificationConfiguration().getUrl(), config.getVoiceVerificationConfiguration().getLocales()));
     environment.jersey().register(new SecureStorageController(storageCredentialsGenerator));
     environment.jersey().register(new SecureBackupController(backupCredentialsGenerator));
+    environment.jersey().register(new PaymentsController(paymentsCredentialsGenerator));
     environment.jersey().register(attachmentControllerV1);
     environment.jersey().register(attachmentControllerV2);
     environment.jersey().register(attachmentControllerV3);
diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/configuration/PaymentsServiceConfiguration.java b/service/src/main/java/org/whispersystems/textsecuregcm/configuration/PaymentsServiceConfiguration.java
new file mode 100644
index 000000000..422de791a
--- /dev/null
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/configuration/PaymentsServiceConfiguration.java
@@ -0,0 +1,19 @@
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import org.apache.commons.codec.DecoderException;
+import org.apache.commons.codec.binary.Hex;
+
+import javax.validation.constraints.NotEmpty;
+
+public class PaymentsServiceConfiguration {
+
+  @NotEmpty
+  @JsonProperty
+  private String userAuthenticationTokenSharedSecret;
+
+  public byte[] getUserAuthenticationTokenSharedSecret() throws DecoderException {
+    return Hex.decodeHex(userAuthenticationTokenSharedSecret.toCharArray());
+  }
+
+}
diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/PaymentsController.java b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/PaymentsController.java
new file mode 100644
index 000000000..e2d2c7033
--- /dev/null
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/PaymentsController.java
@@ -0,0 +1,30 @@
+package org.whispersystems.textsecuregcm.controllers;
+
+import com.codahale.metrics.annotation.Timed;
+import io.dropwizard.auth.Auth;
+import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentialGenerator;
+import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentials;
+import org.whispersystems.textsecuregcm.storage.Account;
+
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+
+@Path("/v1/payments")
+public class PaymentsController {
+
+  private final ExternalServiceCredentialGenerator paymentsServiceCredentialGenerator;
+
+  public PaymentsController(ExternalServiceCredentialGenerator paymentsServiceCredentialGenerator) {
+    this.paymentsServiceCredentialGenerator = paymentsServiceCredentialGenerator;
+  }
+
+  @Timed
+  @GET
+  @Path("/auth")
+  @Produces(MediaType.APPLICATION_JSON)
+  public ExternalServiceCredentials getAuth(@Auth Account account) {
+    return paymentsServiceCredentialGenerator.generateFor(account.getUuid().toString());
+  }
+}
diff --git a/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/PaymentsControllerTest.java b/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/PaymentsControllerTest.java
new file mode 100644
index 000000000..06b324b30
--- /dev/null
+++ b/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/PaymentsControllerTest.java
@@ -0,0 +1,81 @@
+package org.whispersystems.textsecuregcm.tests.controllers;
+
+import com.google.common.collect.ImmutableSet;
+import io.dropwizard.auth.PolymorphicAuthValueFactoryProvider;
+import io.dropwizard.testing.junit.ResourceTestRule;
+import org.assertj.core.api.Assertions;
+import org.glassfish.jersey.test.grizzly.GrizzlyWebTestContainerFactory;
+import org.junit.Before;
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.whispersystems.textsecuregcm.auth.DisabledPermittedAccount;
+import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentialGenerator;
+import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentials;
+import org.whispersystems.textsecuregcm.controllers.PaymentsController;
+import org.whispersystems.textsecuregcm.storage.Account;
+import org.whispersystems.textsecuregcm.tests.util.AuthHelper;
+
+import javax.ws.rs.core.Response;
+
+
+import static org.assertj.core.api.AssertionsForClassTypes.assertThat;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.*;
+
+public class PaymentsControllerTest {
+
+  private static final ExternalServiceCredentialGenerator paymentsCredentialGenerator = mock(ExternalServiceCredentialGenerator.class);
+
+  private final ExternalServiceCredentials validCredentials = new ExternalServiceCredentials("username", "password");
+
+  @ClassRule
+  public static final ResourceTestRule resources = ResourceTestRule.builder()
+                                                                   .addProvider(AuthHelper.getAuthFilter())
+                                                                   .addProvider(new PolymorphicAuthValueFactoryProvider.Binder<>(ImmutableSet.of(Account.class, DisabledPermittedAccount.class)))
+                                                                   .setTestContainerFactory(new GrizzlyWebTestContainerFactory())
+                                                                   .addResource(new PaymentsController(paymentsCredentialGenerator))
+                                                                   .build();
+
+
+  @Before
+  public void setup() {
+    when(paymentsCredentialGenerator.generateFor(eq(AuthHelper.VALID_UUID.toString()))).thenReturn(validCredentials);
+  }
+
+  @Test
+  public void testGetAuthToken() {
+    ExternalServiceCredentials token =
+        resources.getJerseyTest()
+            .target("/v1/payments/auth")
+            .request()
+            .header("Authorization", AuthHelper.getAuthHeader(AuthHelper.VALID_NUMBER, AuthHelper.VALID_PASSWORD))
+            .get(ExternalServiceCredentials.class);
+
+    assertThat(token.getUsername()).isEqualTo(validCredentials.getUsername());
+    assertThat(token.getPassword()).isEqualTo(validCredentials.getPassword());
+  }
+
+  @Test
+  public void testInvalidAuthGetAuthToken() {
+    Response response =
+        resources.getJerseyTest()
+            .target("/v1/payments/auth")
+            .request()
+            .header("Authorization", AuthHelper.getAuthHeader(AuthHelper.INVVALID_NUMBER, AuthHelper.INVALID_PASSWORD))
+            .get();
+
+    assertThat(response.getStatus()).isEqualTo(401);
+  }
+
+  @Test
+  public void testDisabledGetAuthToken() {
+    Response response =
+        resources.getJerseyTest()
+            .target("/v1/payments/auth")
+            .request()
+            .header("Authorization", AuthHelper.getAuthHeader(AuthHelper.DISABLED_NUMBER, AuthHelper.DISABLED_PASSWORD))
+            .get();
+    assertThat(response.getStatus()).isEqualTo(401);
+  }
+
+}