Parameterize access to zk operations

This commit is contained in:
Moxie Marlinspike 2020-01-21 11:29:08 -08:00
parent ba3102d667
commit 75fc35ee4b
6 changed files with 28 additions and 11 deletions

View File

@ -255,12 +255,13 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
ServerSecretParams zkSecretParams = new ServerSecretParams(config.getZkConfig().getServerSecret()); ServerSecretParams zkSecretParams = new ServerSecretParams(config.getZkConfig().getServerSecret());
ServerZkProfileOperations zkProfileOperations = new ServerZkProfileOperations(zkSecretParams); ServerZkProfileOperations zkProfileOperations = new ServerZkProfileOperations(zkSecretParams);
ServerZkAuthOperations zkAuthOperations = new ServerZkAuthOperations(zkSecretParams); ServerZkAuthOperations zkAuthOperations = new ServerZkAuthOperations(zkSecretParams);
boolean isZkEnabled = config.getZkConfig().isEnabled();
AttachmentControllerV1 attachmentControllerV1 = new AttachmentControllerV1(rateLimiters, config.getAttachmentsConfiguration().getAccessKey(), config.getAttachmentsConfiguration().getAccessSecret(), config.getAttachmentsConfiguration().getBucket() ); AttachmentControllerV1 attachmentControllerV1 = new AttachmentControllerV1(rateLimiters, config.getAttachmentsConfiguration().getAccessKey(), config.getAttachmentsConfiguration().getAccessSecret(), config.getAttachmentsConfiguration().getBucket() );
AttachmentControllerV2 attachmentControllerV2 = new AttachmentControllerV2(rateLimiters, config.getAttachmentsConfiguration().getAccessKey(), config.getAttachmentsConfiguration().getAccessSecret(), config.getAttachmentsConfiguration().getRegion(), config.getAttachmentsConfiguration().getBucket()); AttachmentControllerV2 attachmentControllerV2 = new AttachmentControllerV2(rateLimiters, config.getAttachmentsConfiguration().getAccessKey(), config.getAttachmentsConfiguration().getAccessSecret(), config.getAttachmentsConfiguration().getRegion(), config.getAttachmentsConfiguration().getBucket());
KeysController keysController = new KeysController(rateLimiters, keys, accountsManager, directoryQueue); KeysController keysController = new KeysController(rateLimiters, keys, accountsManager, directoryQueue);
MessageController messageController = new MessageController(rateLimiters, pushSender, receiptSender, accountsManager, messagesManager, apnFallbackManager); MessageController messageController = new MessageController(rateLimiters, pushSender, receiptSender, accountsManager, messagesManager, apnFallbackManager);
ProfileController profileController = new ProfileController(rateLimiters, accountsManager, profilesManager, usernamesManager, cdnS3Client, cdnPolicyGenerator, cdnPolicySigner, config.getCdnConfiguration().getBucket(), zkProfileOperations); ProfileController profileController = new ProfileController(rateLimiters, accountsManager, profilesManager, usernamesManager, cdnS3Client, cdnPolicyGenerator, cdnPolicySigner, config.getCdnConfiguration().getBucket(), zkProfileOperations, isZkEnabled);
StickerController stickerController = new StickerController(rateLimiters, config.getCdnConfiguration().getAccessKey(), config.getCdnConfiguration().getAccessSecret(), config.getCdnConfiguration().getRegion(), config.getCdnConfiguration().getBucket()); StickerController stickerController = new StickerController(rateLimiters, config.getCdnConfiguration().getAccessKey(), config.getCdnConfiguration().getAccessSecret(), config.getCdnConfiguration().getRegion(), config.getCdnConfiguration().getBucket());
AuthFilter<BasicCredentials, Account> accountAuthFilter = new BasicCredentialAuthFilter.Builder<Account>().setAuthenticator(accountAuthenticator).buildAuthFilter (); AuthFilter<BasicCredentials, Account> accountAuthFilter = new BasicCredentialAuthFilter.Builder<Account>().setAuthenticator(accountAuthenticator).buildAuthFilter ();
@ -274,7 +275,7 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
environment.jersey().register(new DeviceController(pendingDevicesManager, accountsManager, messagesManager, directoryQueue, rateLimiters, config.getMaxDevices())); environment.jersey().register(new DeviceController(pendingDevicesManager, accountsManager, messagesManager, directoryQueue, rateLimiters, config.getMaxDevices()));
environment.jersey().register(new DirectoryController(rateLimiters, directory, directoryCredentialsGenerator)); environment.jersey().register(new DirectoryController(rateLimiters, directory, directoryCredentialsGenerator));
environment.jersey().register(new ProvisioningController(rateLimiters, pushSender)); environment.jersey().register(new ProvisioningController(rateLimiters, pushSender));
environment.jersey().register(new CertificateController(new CertificateGenerator(config.getDeliveryCertificate().getCertificate(), config.getDeliveryCertificate().getPrivateKey(), config.getDeliveryCertificate().getExpiresDays()), zkAuthOperations)); environment.jersey().register(new CertificateController(new CertificateGenerator(config.getDeliveryCertificate().getCertificate(), config.getDeliveryCertificate().getPrivateKey(), config.getDeliveryCertificate().getExpiresDays()), zkAuthOperations, isZkEnabled));
environment.jersey().register(new VoiceVerificationController(config.getVoiceVerificationConfiguration().getUrl(), config.getVoiceVerificationConfiguration().getLocales())); environment.jersey().register(new VoiceVerificationController(config.getVoiceVerificationConfiguration().getUrl(), config.getVoiceVerificationConfiguration().getLocales()));
environment.jersey().register(new SecureStorageController(storageCredentialsGenerator)); environment.jersey().register(new SecureStorageController(storageCredentialsGenerator));
environment.jersey().register(new SecureBackupController(backupCredentialsGenerator)); environment.jersey().register(new SecureBackupController(backupCredentialsGenerator));

View File

@ -21,6 +21,10 @@ public class ZkConfig {
@NotNull @NotNull
private byte[] serverPublic; private byte[] serverPublic;
@JsonProperty
@NotNull
private Boolean enabled;
public byte[] getServerSecret() { public byte[] getServerSecret() {
return serverSecret; return serverSecret;
} }
@ -28,4 +32,8 @@ public class ZkConfig {
public byte[] getServerPublic() { public byte[] getServerPublic() {
return serverPublic; return serverPublic;
} }
public boolean isEnabled() {
return enabled;
}
} }

View File

@ -34,10 +34,12 @@ public class CertificateController {
private final CertificateGenerator certificateGenerator; private final CertificateGenerator certificateGenerator;
private final ServerZkAuthOperations serverZkAuthOperations; private final ServerZkAuthOperations serverZkAuthOperations;
private final boolean isZkEnabled;
public CertificateController(CertificateGenerator certificateGenerator, ServerZkAuthOperations serverZkAuthOperations) { public CertificateController(CertificateGenerator certificateGenerator, ServerZkAuthOperations serverZkAuthOperations, boolean isZkEnabled) {
this.certificateGenerator = certificateGenerator; this.certificateGenerator = certificateGenerator;
this.serverZkAuthOperations = serverZkAuthOperations; this.serverZkAuthOperations = serverZkAuthOperations;
this.isZkEnabled = isZkEnabled;
} }
@Timed @Timed
@ -65,6 +67,7 @@ public class CertificateController {
@PathParam("startRedemptionTime") int startRedemptionTime, @PathParam("startRedemptionTime") int startRedemptionTime,
@PathParam("endRedemptionTime") int endRedemptionTime) @PathParam("endRedemptionTime") int endRedemptionTime)
{ {
if (!isZkEnabled) throw new WebApplicationException(Response.Status.NOT_FOUND);
if (startRedemptionTime > endRedemptionTime) throw new WebApplicationException(Response.Status.BAD_REQUEST); if (startRedemptionTime > endRedemptionTime) throw new WebApplicationException(Response.Status.BAD_REQUEST);
if (endRedemptionTime > Util.currentDaysSinceEpoch() + 7) throw new WebApplicationException(Response.Status.BAD_REQUEST); if (endRedemptionTime > Util.currentDaysSinceEpoch() + 7) throw new WebApplicationException(Response.Status.BAD_REQUEST);
if (startRedemptionTime < Util.currentDaysSinceEpoch()) throw new WebApplicationException(Response.Status.BAD_REQUEST); if (startRedemptionTime < Util.currentDaysSinceEpoch()) throw new WebApplicationException(Response.Status.BAD_REQUEST);

View File

@ -68,6 +68,7 @@ public class ProfileController {
private final PolicySigner policySigner; private final PolicySigner policySigner;
private final PostPolicyGenerator policyGenerator; private final PostPolicyGenerator policyGenerator;
private final ServerZkProfileOperations zkProfileOperations; private final ServerZkProfileOperations zkProfileOperations;
private final boolean isZkEnabled;
private final AmazonS3 s3client; private final AmazonS3 s3client;
private final String bucket; private final String bucket;
@ -80,7 +81,8 @@ public class ProfileController {
PostPolicyGenerator policyGenerator, PostPolicyGenerator policyGenerator,
PolicySigner policySigner, PolicySigner policySigner,
String bucket, String bucket,
ServerZkProfileOperations zkProfileOperations) ServerZkProfileOperations zkProfileOperations,
boolean isZkEnabled)
{ {
this.rateLimiters = rateLimiters; this.rateLimiters = rateLimiters;
this.accountsManager = accountsManager; this.accountsManager = accountsManager;
@ -91,6 +93,7 @@ public class ProfileController {
this.s3client = s3client; this.s3client = s3client;
this.policyGenerator = policyGenerator; this.policyGenerator = policyGenerator;
this.policySigner = policySigner; this.policySigner = policySigner;
this.isZkEnabled = isZkEnabled;
} }
@Timed @Timed
@ -98,6 +101,8 @@ public class ProfileController {
@Produces(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON) @Consumes(MediaType.APPLICATION_JSON)
public Response setProfile(@Auth Account account, @Valid CreateProfileRequest request) { public Response setProfile(@Auth Account account, @Valid CreateProfileRequest request) {
if (!isZkEnabled) throw new WebApplicationException(Response.Status.NOT_FOUND);
Optional<VersionedProfile> currentProfile = profilesManager.get(account.getUuid(), request.getVersion()); Optional<VersionedProfile> currentProfile = profilesManager.get(account.getUuid(), request.getVersion());
String avatar = request.isAvatar() ? generateAvatarObjectName() : null; String avatar = request.isAvatar() ? generateAvatarObjectName() : null;
Optional<ProfileAvatarUploadAttributes> response = Optional.empty(); Optional<ProfileAvatarUploadAttributes> response = Optional.empty();
@ -138,6 +143,7 @@ public class ProfileController {
@PathParam("version") String version) @PathParam("version") String version)
throws RateLimitExceededException throws RateLimitExceededException
{ {
if (!isZkEnabled) throw new WebApplicationException(Response.Status.NOT_FOUND);
return getVersionedProfile(requestAccount, accessKey, uuid, version, Optional.empty()); return getVersionedProfile(requestAccount, accessKey, uuid, version, Optional.empty());
} }
@ -152,6 +158,7 @@ public class ProfileController {
@PathParam("credentialRequest") String credentialRequest) @PathParam("credentialRequest") String credentialRequest)
throws RateLimitExceededException throws RateLimitExceededException
{ {
if (!isZkEnabled) throw new WebApplicationException(Response.Status.NOT_FOUND);
return getVersionedProfile(requestAccount, accessKey, uuid, version, Optional.of(credentialRequest)); return getVersionedProfile(requestAccount, accessKey, uuid, version, Optional.of(credentialRequest));
} }
@ -163,6 +170,8 @@ public class ProfileController {
Optional<String> credentialRequest) Optional<String> credentialRequest)
throws RateLimitExceededException throws RateLimitExceededException
{ {
if (!isZkEnabled) throw new WebApplicationException(Response.Status.NOT_FOUND);
try { try {
if (!requestAccount.isPresent() && !accessKey.isPresent()) { if (!requestAccount.isPresent() && !accessKey.isPresent()) {
throw new WebApplicationException(Response.Status.UNAUTHORIZED); throw new WebApplicationException(Response.Status.UNAUTHORIZED);

View File

@ -65,10 +65,9 @@ public class CertificateControllerTest {
.addProvider(new PolymorphicAuthValueFactoryProvider.Binder<>(ImmutableSet.of(Account.class, DisabledPermittedAccount.class))) .addProvider(new PolymorphicAuthValueFactoryProvider.Binder<>(ImmutableSet.of(Account.class, DisabledPermittedAccount.class)))
.setMapper(SystemMapper.getMapper()) .setMapper(SystemMapper.getMapper())
.setTestContainerFactory(new GrizzlyWebTestContainerFactory()) .setTestContainerFactory(new GrizzlyWebTestContainerFactory())
.addResource(new CertificateController(certificateGenerator, serverZkAuthOperations)) .addResource(new CertificateController(certificateGenerator, serverZkAuthOperations, true))
.build(); .build();
@Test @Test
public void testValidCertificate() throws Exception { public void testValidCertificate() throws Exception {
DeliveryCertificate certificateObject = resources.getJerseyTest() DeliveryCertificate certificateObject = resources.getJerseyTest()
@ -228,8 +227,4 @@ public class CertificateControllerTest {
assertThat(response.getStatus()).isEqualTo(401); assertThat(response.getStatus()).isEqualTo(401);
} }
} }

View File

@ -73,7 +73,8 @@ public class ProfileControllerTest {
postPolicyGenerator, postPolicyGenerator,
policySigner, policySigner,
"profilesBucket", "profilesBucket",
zkProfileOperations)) zkProfileOperations,
true))
.build(); .build();
@Before @Before