Remove the PQ key check from `IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter`

All devices now have PQ keys
Jon Chambers 2025-06-18 15:31:34 -04:00 committed by Jon Chambers
parent 7709e1313c
commit 68b84dd56b
3 changed files with 7 additions and 86 deletions


@ -986,7 +986,7 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
webSocketEnvironment.jersey().register(new VirtualExecutorServiceProvider("managed-async-websocket-virtual-thread-")); webSocketEnvironment.jersey().register(new VirtualExecutorServiceProvider("managed-async-websocket-virtual-thread-"));
webSocketEnvironment.setAuthenticator(new WebSocketAccountAuthenticator(accountAuthenticator)); webSocketEnvironment.setAuthenticator(new WebSocketAccountAuthenticator(accountAuthenticator));
webSocketEnvironment.setAuthenticatedWebSocketUpgradeFilter(new IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter( webSocketEnvironment.setAuthenticatedWebSocketUpgradeFilter(new IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter(
keysManager, config.idlePrimaryDeviceReminderConfiguration().minIdleDuration(), Clock.systemUTC())); config.idlePrimaryDeviceReminderConfiguration().minIdleDuration(), Clock.systemUTC()));
webSocketEnvironment.setConnectListener( webSocketEnvironment.setConnectListener(
new AuthenticatedConnectListener(accountsManager, receiptSender, messagesManager, messageMetrics, pushNotificationManager, new AuthenticatedConnectListener(accountsManager, receiptSender, messagesManager, messageMetrics, pushNotificationManager,
pushNotificationScheduler, webSocketConnectionEventManager, websocketScheduledExecutor, pushNotificationScheduler, webSocketConnectionEventManager, websocketScheduledExecutor,


@ -16,14 +16,11 @@ import org.eclipse.jetty.websocket.server.JettyServerUpgradeRequest;
import org.eclipse.jetty.websocket.server.JettyServerUpgradeResponse; import org.eclipse.jetty.websocket.server.JettyServerUpgradeResponse;
import org.whispersystems.textsecuregcm.metrics.MetricsUtil; import org.whispersystems.textsecuregcm.metrics.MetricsUtil;
import org.whispersystems.textsecuregcm.storage.Device; import org.whispersystems.textsecuregcm.storage.Device;
import org.whispersystems.textsecuregcm.storage.KeysManager;
import org.whispersystems.websocket.auth.AuthenticatedWebSocketUpgradeFilter; import org.whispersystems.websocket.auth.AuthenticatedWebSocketUpgradeFilter;
public class IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter implements public class IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter implements
AuthenticatedWebSocketUpgradeFilter<AuthenticatedDevice> { AuthenticatedWebSocketUpgradeFilter<AuthenticatedDevice> {
private final KeysManager keysManager;
private final Duration minIdleDuration; private final Duration minIdleDuration;
private final Clock clock; private final Clock clock;
@ -33,25 +30,11 @@ public class IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter implements
@VisibleForTesting @VisibleForTesting
static final String IDLE_PRIMARY_DEVICE_ALERT = "idle-primary-device"; static final String IDLE_PRIMARY_DEVICE_ALERT = "idle-primary-device";
@VisibleForTesting
static final String CRITICAL_IDLE_PRIMARY_DEVICE_ALERT = "critical-idle-primary-device";
@VisibleForTesting
static final Duration PQ_KEY_CHECK_THRESHOLD = Duration.ofDays(120);
private static final Counter IDLE_PRIMARY_WARNING_COUNTER = Metrics.counter( private static final Counter IDLE_PRIMARY_WARNING_COUNTER = Metrics.counter(
MetricsUtil.name(IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter.class, "idlePrimaryDeviceWarning"), MetricsUtil.name(IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter.class, "idlePrimaryDeviceWarning"),
"critical", "false"); "critical", "false");
private static final Counter CRITICAL_IDLE_PRIMARY_WARNING_COUNTER = Metrics.counter( public IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter(final Duration minIdleDuration, final Clock clock) {
MetricsUtil.name(IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter.class, "idlePrimaryDeviceWarning"),
"critical", "true");
public IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter(final KeysManager keysManager,
final Duration minIdleDuration,
final Clock clock) {
this.keysManager = keysManager;
this.minIdleDuration = minIdleDuration; this.minIdleDuration = minIdleDuration;
this.clock = clock; this.clock = clock;
} }
@ -68,12 +51,7 @@ public class IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter implements
.ifPresent(authenticatedDevice -> { .ifPresent(authenticatedDevice -> {
final Instant primaryDeviceLastSeen = authenticatedDevice.getPrimaryDeviceLastSeen(); final Instant primaryDeviceLastSeen = authenticatedDevice.getPrimaryDeviceLastSeen();
if (primaryDeviceLastSeen.isBefore(clock.instant().minus(PQ_KEY_CHECK_THRESHOLD)) && if (primaryDeviceLastSeen.isBefore(clock.instant().minus(minIdleDuration))) {
keysManager.getLastResort(authenticatedDevice.getAccountIdentifier(), Device.PRIMARY_ID).join().isEmpty()) {
response.addHeader(ALERT_HEADER, CRITICAL_IDLE_PRIMARY_DEVICE_ALERT);
CRITICAL_IDLE_PRIMARY_WARNING_COUNTER.increment();
} else if (primaryDeviceLastSeen.isBefore(clock.instant().minus(minIdleDuration))) {
response.addHeader(ALERT_HEADER, IDLE_PRIMARY_DEVICE_ALERT); response.addHeader(ALERT_HEADER, IDLE_PRIMARY_DEVICE_ALERT);
IDLE_PRIMARY_WARNING_COUNTER.increment(); IDLE_PRIMARY_WARNING_COUNTER.increment();
} }
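Review bot: `IDLE_PRIMARY_WARNING_COUNTER` still carries the `"critical", "false"` tag although its `"critical", "true"` counterpart is deleted in this section, so the tag no longer distinguishes anything. If it is kept so existing metric queries keep matching, say so in a comment such as `// "critical" tag retained for metric continuity; the critical variant was retired`; otherwise drop the tag. The premise that every primary device has PQ keys is recorded only in the commit message; a short comment at the remaining `isBefore(clock.instant().minus(minIdleDuration))` check, naming where that invariant is enforced, would keep the retired `critical-idle-primary-device` alert from looking like an oversight. The `Device` import is kept as context while its only visible use (`Device.PRIMARY_ID`) is on a removed line, so it may now be unused unless the part of `handleAuthentication` outside these hunks still references it.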


@ -5,11 +5,7 @@
package org.whispersystems.textsecuregcm.auth; package org.whispersystems.textsecuregcm.auth;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyByte;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.Mockito.mock; import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.verify; import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoInteractions; import static org.mockito.Mockito.verifyNoInteractions;
import static org.mockito.Mockito.when; import static org.mockito.Mockito.when;
@ -18,7 +14,6 @@ import java.time.Duration;
import java.time.Instant; import java.time.Instant;
import java.util.List; import java.util.List;
import java.util.Optional; import java.util.Optional;
import java.util.concurrent.CompletableFuture;
import javax.annotation.Nullable; import javax.annotation.Nullable;
import org.eclipse.jetty.websocket.server.JettyServerUpgradeRequest; import org.eclipse.jetty.websocket.server.JettyServerUpgradeRequest;
import org.eclipse.jetty.websocket.server.JettyServerUpgradeResponse; import org.eclipse.jetty.websocket.server.JettyServerUpgradeResponse;
@ -26,35 +21,26 @@ import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.Arguments; import org.junit.jupiter.params.provider.Arguments;
import org.junit.jupiter.params.provider.MethodSource; import org.junit.jupiter.params.provider.MethodSource;
import org.whispersystems.textsecuregcm.entities.KEMSignedPreKey;
import org.whispersystems.textsecuregcm.storage.Account; import org.whispersystems.textsecuregcm.storage.Account;
import org.whispersystems.textsecuregcm.storage.Device; import org.whispersystems.textsecuregcm.storage.Device;
import org.whispersystems.textsecuregcm.storage.KeysManager;
import org.whispersystems.textsecuregcm.util.TestClock; import org.whispersystems.textsecuregcm.util.TestClock;
class IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilterTest { class IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilterTest {
private KeysManager keysManager;
private IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter filter; private IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter filter;
private static final Duration MIN_IDLE_DURATION = private static final Duration MIN_IDLE_DURATION = Duration.ofDays(30);
IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter.PQ_KEY_CHECK_THRESHOLD.dividedBy(2);
private static final TestClock CLOCK = TestClock.pinned(Instant.now()); private static final TestClock CLOCK = TestClock.pinned(Instant.now());
@BeforeEach @BeforeEach
void setUp() { void setUp() {
keysManager = mock(KeysManager.class); filter = new IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter(MIN_IDLE_DURATION, CLOCK);
filter = new IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter(keysManager, MIN_IDLE_DURATION, CLOCK);
} }
@ParameterizedTest @ParameterizedTest
@MethodSource @MethodSource
void handleAuthentication(@Nullable final AuthenticatedDevice authenticatedDevice, void handleAuthentication(@Nullable final AuthenticatedDevice authenticatedDevice,
final boolean primaryDeviceHasPqKeys,
final boolean expectPqKeyCheck,
@Nullable final String expectedAlertHeader) { @Nullable final String expectedAlertHeader) {
final Optional<AuthenticatedDevice> reusableAuth = authenticatedDevice != null final Optional<AuthenticatedDevice> reusableAuth = authenticatedDevice != null
@ -63,22 +49,10 @@ class IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilterTest {
final JettyServerUpgradeResponse response = mock(JettyServerUpgradeResponse.class); final JettyServerUpgradeResponse response = mock(JettyServerUpgradeResponse.class);
when(keysManager.getLastResort(any(), eq(Device.PRIMARY_ID)))
.thenReturn(CompletableFuture.completedFuture(primaryDeviceHasPqKeys
? Optional.of(mock(KEMSignedPreKey.class))
: Optional.empty()));
filter.handleAuthentication(reusableAuth, mock(JettyServerUpgradeRequest.class), response); filter.handleAuthentication(reusableAuth, mock(JettyServerUpgradeRequest.class), response);
if (expectPqKeyCheck) {
verify(keysManager).getLastResort(any(), eq(Device.PRIMARY_ID));
} else {
verify(keysManager, never()).getLastResort(any(), anyByte());
}
if (expectedAlertHeader != null) { if (expectedAlertHeader != null) {
verify(response) verify(response).addHeader(IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter.ALERT_HEADER, expectedAlertHeader);
.addHeader(IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter.ALERT_HEADER, expectedAlertHeader);
} else { } else {
verifyNoInteractions(response); verifyNoInteractions(response);
} }
@ -96,12 +70,6 @@ class IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilterTest {
when(minIdlePrimaryDevice.getLastSeen()) when(minIdlePrimaryDevice.getLastSeen())
.thenReturn(CLOCK.instant().minus(MIN_IDLE_DURATION).minusSeconds(1).toEpochMilli()); .thenReturn(CLOCK.instant().minus(MIN_IDLE_DURATION).minusSeconds(1).toEpochMilli());
final Device longIdlePrimaryDevice = mock(Device.class);
when(longIdlePrimaryDevice.getId()).thenReturn(Device.PRIMARY_ID);
when(longIdlePrimaryDevice.isPrimary()).thenReturn(true);
when(longIdlePrimaryDevice.getLastSeen())
.thenReturn(CLOCK.instant().minus(IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter.PQ_KEY_CHECK_THRESHOLD).minusSeconds(1).toEpochMilli());
final Device linkedDevice = mock(Device.class); final Device linkedDevice = mock(Device.class);
when(linkedDevice.getId()).thenReturn((byte) (Device.PRIMARY_ID + 1)); when(linkedDevice.getId()).thenReturn((byte) (Device.PRIMARY_ID + 1));
when(linkedDevice.isPrimary()).thenReturn(false); when(linkedDevice.isPrimary()).thenReturn(false);
@ -112,51 +80,26 @@ class IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilterTest {
final Account accountWithMinIdlePrimaryDevice = mock(Account.class); final Account accountWithMinIdlePrimaryDevice = mock(Account.class);
when(accountWithMinIdlePrimaryDevice.getPrimaryDevice()).thenReturn(minIdlePrimaryDevice); when(accountWithMinIdlePrimaryDevice.getPrimaryDevice()).thenReturn(minIdlePrimaryDevice);
final Account accountWithLongIdlePrimaryDevice = mock(Account.class);
when(accountWithLongIdlePrimaryDevice.getPrimaryDevice()).thenReturn(longIdlePrimaryDevice);
return List.of( return List.of(
Arguments.argumentSet("Anonymous", Arguments.argumentSet("Anonymous",
null, null,
true,
false,
null), null),
Arguments.argumentSet("Authenticated as active primary device", Arguments.argumentSet("Authenticated as active primary device",
new AuthenticatedDevice(accountWithActivePrimaryDevice, activePrimaryDevice), new AuthenticatedDevice(accountWithActivePrimaryDevice, activePrimaryDevice),
true,
false,
null), null),
Arguments.argumentSet("Authenticated as idle primary device", Arguments.argumentSet("Authenticated as idle primary device",
new AuthenticatedDevice(accountWithMinIdlePrimaryDevice, minIdlePrimaryDevice), new AuthenticatedDevice(accountWithMinIdlePrimaryDevice, minIdlePrimaryDevice),
true,
false,
null), null),
Arguments.argumentSet("Authenticated as linked device with active primary device", Arguments.argumentSet("Authenticated as linked device with active primary device",
new AuthenticatedDevice(accountWithActivePrimaryDevice, linkedDevice), new AuthenticatedDevice(accountWithActivePrimaryDevice, linkedDevice),
true,
false,
null), null),
Arguments.argumentSet("Authenticated as linked device with min-idle primary device", Arguments.argumentSet("Authenticated as linked device with min-idle primary device",
new AuthenticatedDevice(accountWithMinIdlePrimaryDevice, linkedDevice), new AuthenticatedDevice(accountWithMinIdlePrimaryDevice, linkedDevice),
true, IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter.IDLE_PRIMARY_DEVICE_ALERT)
false,
IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter.IDLE_PRIMARY_DEVICE_ALERT),
Arguments.argumentSet("Authenticated as linked device with long-idle primary device with PQ keys",
new AuthenticatedDevice(accountWithLongIdlePrimaryDevice, linkedDevice),
true,
true,
IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter.IDLE_PRIMARY_DEVICE_ALERT),
Arguments.argumentSet("Authenticated as linked device with long-idle primary device without PQ keys",
new AuthenticatedDevice(accountWithLongIdlePrimaryDevice, linkedDevice),
false,
true,
IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter.CRITICAL_IDLE_PRIMARY_DEVICE_ALERT)
); );
} }
} }
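Review bot: With the long-idle fixture removed, the only idle primary device left in the parameter list sits one second past the threshold (`minus(MIN_IDLE_DURATION).minusSeconds(1)`), while the filter's comparison is a strict `isBefore`. A case whose last-seen value is exactly `CLOCK.instant().minus(MIN_IDLE_DURATION)` with an expected header of `null` would pin that boundary, so a later change to the comparison cannot silently shift when linked devices receive the alert. The `activePrimaryDevice` fixture is defined outside the visible hunks, so this may already be covered there.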