Add support for getting (limited) profiles by phone number identifier

2022-04-13 10:35:54 -04:00 · 2022-04-13 10:35:54 -04:00 · 5816f76bbe
parent 355996bafc
commit 5816f76bbe
3 changed files with 108 additions and 15 deletions
--- a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/ProfileController.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/ProfileController.java
@ -13,6 +13,7 @@ import java.time.Duration;
 import java.time.ZoneOffset;
 import java.time.ZonedDateTime;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Locale;
@ -228,7 +229,7 @@ public class ProfileController {
      throws RateLimitExceededException {

    final Optional<Account> maybeRequester = auth.map(AuthenticatedAccount::getAccount);
-    final Account targetAccount = verifyPermissionToReceiveProfile(maybeRequester, accessKey, uuid);
+    final Account targetAccount = verifyPermissionToReceiveAccountIdentityProfile(maybeRequester, accessKey, uuid);

    return buildVersionedProfileResponse(targetAccount,
        version,
@ -251,7 +252,7 @@ public class ProfileController {
      throws RateLimitExceededException {

    final Optional<Account> maybeRequester = auth.map(AuthenticatedAccount::getAccount);
-    final Account targetAccount = verifyPermissionToReceiveProfile(maybeRequester, accessKey, uuid);
+    final Account targetAccount = verifyPermissionToReceiveAccountIdentityProfile(maybeRequester, accessKey, uuid);
    final boolean isSelf = isSelfProfileRequest(maybeRequester, uuid);

    switch (credentialType) {
@ -293,12 +294,30 @@ public class ProfileController {
      @QueryParam("ca") boolean useCaCertificate)
      throws RateLimitExceededException {

+    final Optional<Account> maybeAccountByPni = accountsManager.getByPhoneNumberIdentifier(identifier);
    final Optional<Account> maybeRequester = auth.map(AuthenticatedAccount::getAccount);
-    final Account targetAccount = verifyPermissionToReceiveProfile(maybeRequester, accessKey, identifier);

-    return buildBaseProfileResponse(targetAccount,
-        isSelfProfileRequest(maybeRequester, identifier),
-        containerRequestContext);
+    final BaseProfileResponse profileResponse;
+
+    if (maybeAccountByPni.isPresent()) {
+      if (maybeRequester.isEmpty()) {
+        throw new WebApplicationException(Response.Status.UNAUTHORIZED);
+      } else {
+        rateLimiters.getProfileLimiter().validate(maybeRequester.get().getUuid());
+      }
+
+      OptionalAccess.verify(maybeRequester, Optional.empty(), maybeAccountByPni);
+
+      profileResponse = buildBaseProfileResponseForPhoneNumberIdentity(maybeAccountByPni.get());
+    } else {
+      final Account targetAccount = verifyPermissionToReceiveAccountIdentityProfile(maybeRequester, accessKey, identifier);
+
+      profileResponse = buildBaseProfileResponseForAccountIdentity(targetAccount,
+          isSelfProfileRequest(maybeRequester, identifier),
+          containerRequestContext);
+    }
+
+    return profileResponse;
  }

  private ProfileKeyCredentialProfileResponse buildProfileKeyCredentialProfileResponse(final Account account,
@ -354,11 +373,12 @@ public class ProfileController {
        .map(VersionedProfile::getPaymentAddress)
        .orElse(null);

-    return new VersionedProfileResponse(buildBaseProfileResponse(account, isSelf, containerRequestContext),
+    return new VersionedProfileResponse(
+        buildBaseProfileResponseForAccountIdentity(account, isSelf, containerRequestContext),
        name, about, aboutEmoji, avatar, paymentAddress);
  }

-  private BaseProfileResponse buildBaseProfileResponse(final Account account,
+  private BaseProfileResponse buildBaseProfileResponseForAccountIdentity(final Account account,
      final boolean isSelf,
      final ContainerRequestContext containerRequestContext) {

@ -373,6 +393,15 @@ public class ProfileController {
        account.getUuid());
  }

+  private BaseProfileResponse buildBaseProfileResponseForPhoneNumberIdentity(final Account account) {
+    return new BaseProfileResponse(account.getPhoneNumberIdentityKey(),
+        null,
+        false,
+        UserCapabilities.createForAccount(account),
+        Collections.emptyList(),
+        account.getPhoneNumberIdentifier());
+  }
+
  @Timed
  @GET
  @Produces(MediaType.APPLICATION_JSON)
@ -388,7 +417,7 @@ public class ProfileController {
    final Account targetAccount = accountsManager.getByUsername(username).orElseThrow(NotFoundException::new);
    final boolean isSelf = auth.getAccount().getUuid().equals(targetAccount.getUuid());

-    return buildBaseProfileResponse(targetAccount, isSelf, containerRequestContext);
+    return buildBaseProfileResponseForAccountIdentity(targetAccount, isSelf, containerRequestContext);
  }

  private ProfileKeyCredentialResponse getProfileCredential(final String encodedProfileCredentialRequest,
@ -507,7 +536,7 @@ public class ProfileController {
   * @throws NotAuthorizedException if the requester is not authorized to receive the target account's profile or if the
   * requester was not authenticated and did not present an anonymous access key
   */
-  private Account verifyPermissionToReceiveProfile(final Optional<Account> maybeRequester,
+  private Account verifyPermissionToReceiveAccountIdentityProfile(final Optional<Account> maybeRequester,
      final Optional<Anonymous> maybeAccessKey,
      final UUID targetUuid) throws RateLimitExceededException {

--- a/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/ProfileControllerTest.java
+++ b/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/ProfileControllerTest.java
@ -172,7 +172,9 @@ class ProfileControllerTest {
    profileAccount = mock(Account.class);

    when(profileAccount.getIdentityKey()).thenReturn("bar");
+    when(profileAccount.getPhoneNumberIdentityKey()).thenReturn("baz");
    when(profileAccount.getUuid()).thenReturn(AuthHelper.VALID_UUID_TWO);
+    when(profileAccount.getPhoneNumberIdentifier()).thenReturn(AuthHelper.VALID_PNI_TWO);
    when(profileAccount.isEnabled()).thenReturn(true);
    when(profileAccount.isGroupsV2Supported()).thenReturn(false);
    when(profileAccount.isGv1MigrationSupported()).thenReturn(false);
@ -195,6 +197,7 @@ class ProfileControllerTest {

    when(accountsManager.getByE164(AuthHelper.VALID_NUMBER_TWO)).thenReturn(Optional.of(profileAccount));
    when(accountsManager.getByAccountIdentifier(AuthHelper.VALID_UUID_TWO)).thenReturn(Optional.of(profileAccount));
+    when(accountsManager.getByPhoneNumberIdentifier(AuthHelper.VALID_PNI_TWO)).thenReturn(Optional.of(profileAccount));
    when(accountsManager.getByUsername("n00bkiller")).thenReturn(Optional.of(profileAccount));

    when(accountsManager.getByE164(AuthHelper.VALID_NUMBER)).thenReturn(Optional.of(capabilitiesAccount));
@ -218,7 +221,7 @@ class ProfileControllerTest {
  }

  @Test
-  void testProfileGetByUuid() throws RateLimitExceededException {
+  void testProfileGetByAci() throws RateLimitExceededException {
    BaseProfileResponse profile = resources.getJerseyTest()
                              .target("/v1/profile/" + AuthHelper.VALID_UUID_TWO)
                              .request()
@ -234,7 +237,7 @@ class ProfileControllerTest {
  }

  @Test
-  void testProfileGetByUuidRateLimited() throws RateLimitExceededException {
+  void testProfileGetByAciRateLimited() throws RateLimitExceededException {
    doThrow(new RateLimitExceededException(Duration.ofSeconds(13))).when(rateLimiter).validate(AuthHelper.VALID_UUID);

    Response response= resources.getJerseyTest()
@ -248,7 +251,7 @@ class ProfileControllerTest {
  }

  @Test
-  void testProfileGetByUuidUnidentified() throws RateLimitExceededException {
+  void testProfileGetByAciUnidentified() throws RateLimitExceededException {
    BaseProfileResponse profile = resources.getJerseyTest()
        .target("/v1/profile/" + AuthHelper.VALID_UUID_TWO)
        .request()
@ -264,7 +267,7 @@ class ProfileControllerTest {
  }

  @Test
-  void testProfileGetByUuidUnidentifiedBadKey() {
+  void testProfileGetByAciUnidentifiedBadKey() {
    final Response response = resources.getJerseyTest()
        .target("/v1/profile/" + AuthHelper.VALID_UUID_TWO)
        .request()
@ -275,7 +278,7 @@ class ProfileControllerTest {
  }

  @Test
-  void testProfileGetByUuidUnidentifiedAccountNotFound() {
+  void testProfileGetByAciUnidentifiedAccountNotFound() {
    final Response response = resources.getJerseyTest()
        .target("/v1/profile/" + UUID.randomUUID())
        .request()
@ -285,6 +288,64 @@ class ProfileControllerTest {
    assertThat(response.getStatus()).isEqualTo(401);
  }

+  @Test
+  void testProfileGetByPni() throws RateLimitExceededException {
+    BaseProfileResponse profile = resources.getJerseyTest()
+        .target("/v1/profile/" + AuthHelper.VALID_PNI_TWO)
+        .request()
+        .header("Authorization", AuthHelper.getAuthHeader(AuthHelper.VALID_UUID, AuthHelper.VALID_PASSWORD))
+        .get(BaseProfileResponse.class);
+
+    assertThat(profile.getIdentityKey()).isEqualTo("baz");
+    assertThat(profile.getBadges()).isEmpty();
+    assertThat(profile.getUuid()).isEqualTo(AuthHelper.VALID_PNI_TWO);
+    assertThat(profile.getCapabilities()).isNotNull();
+    assertThat(profile.isUnrestrictedUnidentifiedAccess()).isFalse();
+    assertThat(profile.getUnidentifiedAccess()).isNull();
+
+    verify(accountsManager).getByPhoneNumberIdentifier(AuthHelper.VALID_PNI_TWO);
+    verify(rateLimiter, times(1)).validate(AuthHelper.VALID_UUID);
+  }
+
+  @Test
+  void testProfileGetByPniRateLimited() throws RateLimitExceededException {
+    doThrow(new RateLimitExceededException(Duration.ofSeconds(13))).when(rateLimiter).validate(AuthHelper.VALID_UUID);
+
+    Response response= resources.getJerseyTest()
+        .target("/v1/profile/" + AuthHelper.VALID_PNI_TWO)
+        .request()
+        .header("Authorization", AuthHelper.getAuthHeader(AuthHelper.VALID_UUID, AuthHelper.VALID_PASSWORD))
+        .get();
+
+    assertThat(response.getStatus()).isEqualTo(413);
+    assertThat(response.getHeaderString("Retry-After")).isEqualTo(String.valueOf(Duration.ofSeconds(13).toSeconds()));
+  }
+
+  @Test
+  void testProfileGetByPniUnidentified() throws RateLimitExceededException {
+    final Response response = resources.getJerseyTest()
+        .target("/v1/profile/" + AuthHelper.VALID_PNI_TWO)
+        .request()
+        .header(OptionalAccess.UNIDENTIFIED, AuthHelper.getUnidentifiedAccessHeader("1337".getBytes()))
+        .get();
+
+    assertThat(response.getStatus()).isEqualTo(401);
+
+    verify(accountsManager).getByPhoneNumberIdentifier(AuthHelper.VALID_PNI_TWO);
+    verify(rateLimiter, never()).validate(AuthHelper.VALID_UUID);
+  }
+
+  @Test
+  void testProfileGetByPniUnidentifiedBadKey() {
+    final Response response = resources.getJerseyTest()
+        .target("/v1/profile/" + AuthHelper.VALID_PNI_TWO)
+        .request()
+        .header(OptionalAccess.UNIDENTIFIED, AuthHelper.getUnidentifiedAccessHeader("incorrect".getBytes()))
+        .get();
+
+    assertThat(response.getStatus()).isEqualTo(401);
+  }
+
  @Test
  void testProfileGetByUsername() throws RateLimitExceededException {
    BaseProfileResponse profile = resources.getJerseyTest()
--- a/service/src/test/java/org/whispersystems/textsecuregcm/tests/util/AuthHelper.java
+++ b/service/src/test/java/org/whispersystems/textsecuregcm/tests/util/AuthHelper.java
@ -42,6 +42,7 @@ public class AuthHelper {

  public static final String VALID_NUMBER_TWO = "+201511111110";
  public static final UUID   VALID_UUID_TWO    = UUID.randomUUID();
+  public static final UUID   VALID_PNI_TWO     = UUID.randomUUID();
  public static final String VALID_PASSWORD_TWO = "baz";

  public static final String VALID_NUMBER_3           = "+14445556666";
@ -139,6 +140,7 @@ public class AuthHelper {
    when(VALID_ACCOUNT.getPhoneNumberIdentifier()).thenReturn(VALID_PNI);
    when(VALID_ACCOUNT_TWO.getNumber()).thenReturn(VALID_NUMBER_TWO);
    when(VALID_ACCOUNT_TWO.getUuid()).thenReturn(VALID_UUID_TWO);
+    when(VALID_ACCOUNT_TWO.getPhoneNumberIdentifier()).thenReturn(VALID_PNI_TWO);
    when(DISABLED_ACCOUNT.getNumber()).thenReturn(DISABLED_NUMBER);
    when(DISABLED_ACCOUNT.getUuid()).thenReturn(DISABLED_UUID);
    when(UNDISCOVERABLE_ACCOUNT.getNumber()).thenReturn(UNDISCOVERABLE_NUMBER);
@ -169,6 +171,7 @@ public class AuthHelper {

    when(ACCOUNTS_MANAGER.getByE164(VALID_NUMBER_TWO)).thenReturn(Optional.of(VALID_ACCOUNT_TWO));
    when(ACCOUNTS_MANAGER.getByAccountIdentifier(VALID_UUID_TWO)).thenReturn(Optional.of(VALID_ACCOUNT_TWO));
+    when(ACCOUNTS_MANAGER.getByPhoneNumberIdentifier(VALID_PNI_TWO)).thenReturn(Optional.of(VALID_ACCOUNT_TWO));

    when(ACCOUNTS_MANAGER.getByE164(DISABLED_NUMBER)).thenReturn(Optional.of(DISABLED_ACCOUNT));
    when(ACCOUNTS_MANAGER.getByAccountIdentifier(DISABLED_UUID)).thenReturn(Optional.of(DISABLED_ACCOUNT));