From 75fc35ee4b48b93b150fb970ded3ddba63cf54b7 Mon Sep 17 00:00:00 2001 From: Moxie Marlinspike Date: Tue, 21 Jan 2020 11:29:08 -0800 Subject: [PATCH] Parameterize access to zk operations --- .../textsecuregcm/WhisperServerService.java | 5 +++-- .../textsecuregcm/configuration/ZkConfig.java | 8 ++++++++ .../controllers/CertificateController.java | 5 ++++- .../textsecuregcm/controllers/ProfileController.java | 11 ++++++++++- .../tests/controllers/CertificateControllerTest.java | 7 +------ .../tests/controllers/ProfileControllerTest.java | 3 ++- 6 files changed, 28 insertions(+), 11 deletions(-) diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java b/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java index 0fd59a500..e7d6397b4 100644 --- a/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java +++ b/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java @@ -255,12 +255,13 @@ public class WhisperServerService extends Application accountAuthFilter = new BasicCredentialAuthFilter.Builder().setAuthenticator(accountAuthenticator).buildAuthFilter (); @@ -274,7 +275,7 @@ public class WhisperServerService extends Application endRedemptionTime) throw new WebApplicationException(Response.Status.BAD_REQUEST); if (endRedemptionTime > Util.currentDaysSinceEpoch() + 7) throw new WebApplicationException(Response.Status.BAD_REQUEST); if (startRedemptionTime < Util.currentDaysSinceEpoch()) throw new WebApplicationException(Response.Status.BAD_REQUEST); diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/ProfileController.java b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/ProfileController.java index 9f5cd8ada..3796d0158 100644 --- a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/ProfileController.java +++ b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/ProfileController.java 
@@ -68,6 +68,7 @@ public class ProfileController { private final PolicySigner policySigner; private final PostPolicyGenerator policyGenerator; private final ServerZkProfileOperations zkProfileOperations; + private final boolean isZkEnabled; private final AmazonS3 s3client; private final String bucket; @@ -80,7 +81,8 @@ public class ProfileController { PostPolicyGenerator policyGenerator, PolicySigner policySigner, String bucket, - ServerZkProfileOperations zkProfileOperations) + ServerZkProfileOperations zkProfileOperations, + boolean isZkEnabled) { this.rateLimiters = rateLimiters; this.accountsManager = accountsManager; @@ -91,6 +93,7 @@ public class ProfileController { this.s3client = s3client; this.policyGenerator = policyGenerator; this.policySigner = policySigner; + this.isZkEnabled = isZkEnabled; } @Timed @@ -98,6 +101,8 @@ public class ProfileController { @Produces(MediaType.APPLICATION_JSON) @Consumes(MediaType.APPLICATION_JSON) public Response setProfile(@Auth Account account, @Valid CreateProfileRequest request) { + if (!isZkEnabled) throw new WebApplicationException(Response.Status.NOT_FOUND); + Optional currentProfile = profilesManager.get(account.getUuid(), request.getVersion()); String avatar = request.isAvatar() ? generateAvatarObjectName() : null; Optional response = Optional.empty(); @@ -138,6 +143,7 @@ public class ProfileController { @PathParam("version") String version) throws RateLimitExceededException { + if (!isZkEnabled) throw new WebApplicationException(Response.Status.NOT_FOUND); return getVersionedProfile(requestAccount, accessKey, uuid, version, Optional.empty()); } @@ -152,6 +158,7 @@ public class ProfileController { @PathParam("credentialRequest") String credentialRequest) throws RateLimitExceededException { + if (!isZkEnabled) throw new WebApplicationException(Response.Status.NOT_FOUND); return getVersionedProfile(requestAccount, accessKey, uuid, version, Optional.of(credentialRequest)); } 
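Review bot: The gate `if (!isZkEnabled) throw new WebApplicationException(Response.Status.NOT_FOUND);` is pasted inline into setProfile, both versioned getProfile endpoints and getVersionedProfile (the -98, -138, -152 and -163 hunks). The two endpoint checks are redundant with the one in the helper they delegate to, and a zk-backed endpoint added later stays reachable with zk disabled unless its author remembers the line. A single private helper, e.g. `private void requireZkEnabled() { if (!isZkEnabled) throw new WebApplicationException(Response.Status.NOT_FOUND); }`, called first in each zk-backed method would keep the policy in one place. The new field could also carry a comment such as `// false: versioned-profile (zk) endpoints answer 404`. The method bodies continue outside these hunks, so whether any other method uses zkProfileOperations without the gate cannot be checked from here.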
@@ -163,6 +170,8 @@ public class ProfileController { Optional credentialRequest) throws RateLimitExceededException { + if (!isZkEnabled) throw new WebApplicationException(Response.Status.NOT_FOUND); + try { if (!requestAccount.isPresent() && !accessKey.isPresent()) { throw new WebApplicationException(Response.Status.UNAUTHORIZED); diff --git a/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/CertificateControllerTest.java b/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/CertificateControllerTest.java index cdf96326a..4fcb79cd5 100644 --- a/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/CertificateControllerTest.java +++ b/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/CertificateControllerTest.java @@ -65,10 +65,9 @@ public class CertificateControllerTest { .addProvider(new PolymorphicAuthValueFactoryProvider.Binder<>(ImmutableSet.of(Account.class, DisabledPermittedAccount.class))) .setMapper(SystemMapper.getMapper()) .setTestContainerFactory(new GrizzlyWebTestContainerFactory()) - .addResource(new CertificateController(certificateGenerator, serverZkAuthOperations)) + .addResource(new CertificateController(certificateGenerator, serverZkAuthOperations, true)) .build(); - @Test public void testValidCertificate() throws Exception { DeliveryCertificate certificateObject = resources.getJerseyTest() @@ -228,8 +227,4 @@ public class CertificateControllerTest { assertThat(response.getStatus()).isEqualTo(401); } - - - - } diff --git a/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/ProfileControllerTest.java b/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/ProfileControllerTest.java index eaf5179b0..cad13abf4 100644 --- a/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/ProfileControllerTest.java +++ b/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/ProfileControllerTest.java 
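Review bot: Both controller tests now pass a literal `true` for the new flag (in the CertificateControllerTest hunk here and in ProfileControllerTest), so the disabled path is never exercised. Because the flag acts as an access gate, each controller should also be built with `false` in a test that asserts the zk endpoints are refused (404 in ProfileController, presumably the same in CertificateController) while the non-zk endpoints still answer. That would catch a gate that is dropped or lands on the wrong method. The resource rule appears to be built once per test class, so this likely needs a second rule or a separate test class.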
@@ -73,7 +73,8 @@ public class ProfileControllerTest { postPolicyGenerator, policySigner, "profilesBucket", - zkProfileOperations)) + zkProfileOperations, + true)) .build(); @Before