Create call link credential endpoint

This commit is contained in:
Katherine Yen 2023-05-04 14:33:45 -07:00 committed by GitHub
parent b2b0aee4b7
commit 7ba86b40aa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 149 additions and 47 deletions

View File

@ -467,9 +467,6 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
config.getArtServiceConfiguration()); config.getArtServiceConfiguration());
ExternalServiceCredentialsGenerator svr2CredentialsGenerator = SecureValueRecovery2Controller.credentialsGenerator( ExternalServiceCredentialsGenerator svr2CredentialsGenerator = SecureValueRecovery2Controller.credentialsGenerator(
config.getSvr2Configuration()); config.getSvr2Configuration());
ExternalServiceCredentialsGenerator callLinkCredentialsGenerator = CallLinkController.credentialsGenerator(
config.getCallLinkConfiguration()
);
dynamicConfigurationManager.start(); dynamicConfigurationManager.start();
@ -721,7 +718,7 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
new ArtController(rateLimiters, artCredentialsGenerator), new ArtController(rateLimiters, artCredentialsGenerator),
new AttachmentControllerV2(rateLimiters, config.getAwsAttachmentsConfiguration().getAccessKey(), config.getAwsAttachmentsConfiguration().getAccessSecret(), config.getAwsAttachmentsConfiguration().getRegion(), config.getAwsAttachmentsConfiguration().getBucket()), new AttachmentControllerV2(rateLimiters, config.getAwsAttachmentsConfiguration().getAccessKey(), config.getAwsAttachmentsConfiguration().getAccessSecret(), config.getAwsAttachmentsConfiguration().getRegion(), config.getAwsAttachmentsConfiguration().getBucket()),
new AttachmentControllerV3(rateLimiters, config.getGcpAttachmentsConfiguration().getDomain(), config.getGcpAttachmentsConfiguration().getEmail(), config.getGcpAttachmentsConfiguration().getMaxSizeInBytes(), config.getGcpAttachmentsConfiguration().getPathPrefix(), config.getGcpAttachmentsConfiguration().getRsaSigningKey()), new AttachmentControllerV3(rateLimiters, config.getGcpAttachmentsConfiguration().getDomain(), config.getGcpAttachmentsConfiguration().getEmail(), config.getGcpAttachmentsConfiguration().getMaxSizeInBytes(), config.getGcpAttachmentsConfiguration().getPathPrefix(), config.getGcpAttachmentsConfiguration().getRsaSigningKey()),
new CallLinkController(callLinkCredentialsGenerator), new CallLinkController(rateLimiters, genericZkSecretParams),
new CertificateController(new CertificateGenerator(config.getDeliveryCertificate().getCertificate(), config.getDeliveryCertificate().getPrivateKey(), config.getDeliveryCertificate().getExpiresDays()), zkAuthOperations, genericZkSecretParams, clock), new CertificateController(new CertificateGenerator(config.getDeliveryCertificate().getCertificate(), config.getDeliveryCertificate().getPrivateKey(), config.getDeliveryCertificate().getExpiresDays()), zkAuthOperations, genericZkSecretParams, clock),
new ChallengeController(rateLimitChallengeManager), new ChallengeController(rateLimitChallengeManager),
new DeviceController(pendingDevicesManager, accountsManager, messagesManager, keys, rateLimiters, config.getMaxDevices()), new DeviceController(pendingDevicesManager, accountsManager, messagesManager, keys, rateLimiters, config.getMaxDevices()),

View File

@ -1,56 +1,74 @@
package org.whispersystems.textsecuregcm.controllers; package org.whispersystems.textsecuregcm.controllers;
import com.codahale.metrics.annotation.Timed; import com.codahale.metrics.annotation.Timed;
import com.google.common.annotations.VisibleForTesting;
import io.dropwizard.auth.Auth; import io.dropwizard.auth.Auth;
import io.swagger.v3.oas.annotations.Operation; import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.responses.ApiResponse; import io.swagger.v3.oas.annotations.responses.ApiResponse;
import org.signal.libsignal.zkgroup.GenericServerSecretParams;
import org.signal.libsignal.zkgroup.InvalidInputException;
import org.signal.libsignal.zkgroup.calllinks.CreateCallLinkCredentialRequest;
import org.whispersystems.textsecuregcm.auth.AuthenticatedAccount; import org.whispersystems.textsecuregcm.auth.AuthenticatedAccount;
import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentials; import org.whispersystems.textsecuregcm.entities.CreateCallLinkCredential;
import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentialsGenerator; import org.whispersystems.textsecuregcm.entities.GetCreateCallLinkCredentialsRequest;
import org.whispersystems.textsecuregcm.configuration.CallLinkConfiguration; import org.whispersystems.textsecuregcm.limits.RateLimiters;
import javax.ws.rs.GET; import javax.validation.constraints.NotNull;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.POST;
import javax.ws.rs.Path; import javax.ws.rs.Path;
import javax.ws.rs.Produces; import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MediaType;
import java.time.Clock; import java.time.Instant;
import java.time.temporal.ChronoUnit; import java.time.temporal.ChronoUnit;
import java.util.Optional;
@Path("/v1/call-link") @Path("/v1/call-link")
@io.swagger.v3.oas.annotations.tags.Tag(name = "CallLink") @io.swagger.v3.oas.annotations.tags.Tag(name = "CallLink")
public class CallLinkController { public class CallLinkController {
@VisibleForTesting private final RateLimiters rateLimiters;
public static final String ANONYMOUS_CREDENTIAL_PREFIX = "anon"; private final GenericServerSecretParams genericServerSecretParams;
private final ExternalServiceCredentialsGenerator callingFrontendServiceCredentialGenerator;
public CallLinkController( public CallLinkController(
ExternalServiceCredentialsGenerator callingFrontendServiceCredentialGenerator final RateLimiters rateLimiters,
final GenericServerSecretParams genericServerSecretParams
) { ) {
this.callingFrontendServiceCredentialGenerator = callingFrontendServiceCredentialGenerator; this.rateLimiters = rateLimiters;
this.genericServerSecretParams = genericServerSecretParams;
} }
public static ExternalServiceCredentialsGenerator credentialsGenerator(final CallLinkConfiguration cfg) {
return ExternalServiceCredentialsGenerator
.builder(cfg.userAuthenticationTokenSharedSecret())
.withUsernameTimestampTruncatorAndPrefix(timestamp -> timestamp.truncatedTo(ChronoUnit.DAYS), ANONYMOUS_CREDENTIAL_PREFIX)
.build();
}
@Timed @Timed
@GET @POST
@Path("/auth") @Path("/create-auth")
@Produces(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON)
@Operation( @Operation(
summary = "Generate credentials for calling frontend", summary = "Generate a credential for creating call links",
description = """ description = """
These credentials enable clients to prove to calling frontend that they were a Signal user within the last day. Generate a credential over a truncated timestamp, room ID, and account UUID. With zero knowledge
For client privacy, timestamps are truncated to 1 day granularity and the token does not include or derive from an ACI. group infrastructure, the server does not know the room ID.
""" """
) )
@ApiResponse(responseCode = "200", description = "`JSON` with generated credentials.", useReturnTypeSchema = true) @ApiResponse(responseCode = "200", description = "`JSON` with generated credentials.", useReturnTypeSchema = true)
@ApiResponse(responseCode = "400", description = "Invalid create call link credential request.")
@ApiResponse(responseCode = "401", description = "Account authentication check failed.") @ApiResponse(responseCode = "401", description = "Account authentication check failed.")
public ExternalServiceCredentials getAuth(@Auth AuthenticatedAccount auth) { @ApiResponse(responseCode = "422", description = "Invalid request format.")
return callingFrontendServiceCredentialGenerator.generateWithTimestampAsUsername(); @ApiResponse(responseCode = "429", description = "Ratelimited.")
public CreateCallLinkCredential getCreateAuth(
final @Auth AuthenticatedAccount auth,
final @NotNull GetCreateCallLinkCredentialsRequest request
) throws RateLimitExceededException {
rateLimiters.getCreateCallLinkLimiter().validate(auth.getAccount().getUuid());
final Instant truncatedDayTimestamp = Instant.now().truncatedTo(ChronoUnit.DAYS);
CreateCallLinkCredentialRequest createCallLinkCredentialRequest;
try {
createCallLinkCredentialRequest = new CreateCallLinkCredentialRequest(request.createCallLinkCredentialRequest());
} catch (InvalidInputException e) {
throw new BadRequestException("Invalid create call link credential request", e);
}
return new CreateCallLinkCredential(
createCallLinkCredentialRequest.issueCredential(auth.getAccount().getUuid(), truncatedDayTimestamp, genericServerSecretParams).serialize(),
truncatedDayTimestamp.getEpochSecond()
);
} }
} }

View File

@ -0,0 +1,3 @@
package org.whispersystems.textsecuregcm.entities;
public record CreateCallLinkCredential(byte[] credential, long redemptionTime){}

View File

@ -0,0 +1,5 @@
package org.whispersystems.textsecuregcm.entities;
import javax.validation.constraints.NotNull;
public record GetCreateCallLinkCredentialsRequest(@NotNull byte[] createCallLinkCredentialRequest) {}

View File

@ -73,6 +73,8 @@ public class RateLimiters extends BaseRateLimiters<RateLimiters.For> {
PUSH_CHALLENGE_ATTEMPT("pushChallengeAttempt", true, new RateLimiterConfig(10, 10.0 / (60 * 24))), PUSH_CHALLENGE_ATTEMPT("pushChallengeAttempt", true, new RateLimiterConfig(10, 10.0 / (60 * 24))),
PUSH_CHALLENGE_SUCCESS("pushChallengeSuccess", true, new RateLimiterConfig(2, 2.0 / (60 * 24))), PUSH_CHALLENGE_SUCCESS("pushChallengeSuccess", true, new RateLimiterConfig(2, 2.0 / (60 * 24))),
CREATE_CALL_LINK("createCallLink", false, new RateLimiterConfig(100, 100 / (60 * 24)));
; ;
private final String id; private final String id;
@ -232,4 +234,8 @@ public class RateLimiters extends BaseRateLimiters<RateLimiters.For> {
public RateLimiter getVerificationCaptchaLimiter() { public RateLimiter getVerificationCaptchaLimiter() {
return forDescriptor(For.VERIFICATION_CAPTCHA); return forDescriptor(For.VERIFICATION_CAPTCHA);
} }
public RateLimiter getCreateCallLinkLimiter() {
return forDescriptor(For.CREATE_CALL_LINK);
}
} }

View File

@ -1,44 +1,117 @@
package org.whispersystems.textsecuregcm.tests.controllers; package org.whispersystems.textsecuregcm.tests.controllers;
import com.google.common.collect.ImmutableSet;
import io.dropwizard.auth.PolymorphicAuthValueFactoryProvider;
import io.dropwizard.testing.junit5.DropwizardExtensionsSupport; import io.dropwizard.testing.junit5.DropwizardExtensionsSupport;
import io.dropwizard.testing.junit5.ResourceExtension; import io.dropwizard.testing.junit5.ResourceExtension;
import org.glassfish.jersey.test.grizzly.GrizzlyWebTestContainerFactory; import org.glassfish.jersey.test.grizzly.GrizzlyWebTestContainerFactory;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith; import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.Mockito;
import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentials; import org.signal.libsignal.protocol.util.Hex;
import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentialsGenerator; import org.signal.libsignal.zkgroup.GenericServerSecretParams;
import org.whispersystems.textsecuregcm.configuration.CallLinkConfiguration; import org.signal.libsignal.zkgroup.calllinks.CreateCallLinkCredentialRequestContext;
import org.whispersystems.textsecuregcm.auth.AuthenticatedAccount;
import org.whispersystems.textsecuregcm.auth.DisabledPermittedAuthenticatedAccount;
import org.whispersystems.textsecuregcm.controllers.CallLinkController; import org.whispersystems.textsecuregcm.controllers.CallLinkController;
import org.whispersystems.textsecuregcm.controllers.RateLimitExceededException;
import org.whispersystems.textsecuregcm.entities.GetCreateCallLinkCredentialsRequest;
import org.whispersystems.textsecuregcm.limits.RateLimiter;
import org.whispersystems.textsecuregcm.limits.RateLimiters;
import org.whispersystems.textsecuregcm.mappers.RateLimitExceededExceptionMapper;
import org.whispersystems.textsecuregcm.tests.util.AuthHelper; import org.whispersystems.textsecuregcm.tests.util.AuthHelper;
import org.whispersystems.textsecuregcm.util.MockUtils;
import org.whispersystems.textsecuregcm.util.SystemMapper; import org.whispersystems.textsecuregcm.util.SystemMapper;
import javax.ws.rs.client.Entity;
import javax.ws.rs.core.Response;
import static org.assertj.core.api.AssertionsForClassTypes.assertThat; import static org.assertj.core.api.AssertionsForClassTypes.assertThat;
import static org.mockito.Mockito.doThrow;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
@ExtendWith(DropwizardExtensionsSupport.class) @ExtendWith(DropwizardExtensionsSupport.class)
public class CallLinkControllerTest { public class CallLinkControllerTest {
private static final CallLinkConfiguration callLinkConfiguration = MockUtils.buildMock( private static final GenericServerSecretParams genericServerSecretParams = GenericServerSecretParams.generate();
CallLinkConfiguration.class, private static final RateLimiters rateLimiters = mock(RateLimiters.class);
cfg -> Mockito.when(cfg.userAuthenticationTokenSharedSecret()).thenReturn(new byte[32]) private static final RateLimiter createCallLinkLimiter = mock(RateLimiter.class);
); private static final byte[] roomId = Hex.fromStringCondensedAssert("c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7");
private static final ExternalServiceCredentialsGenerator callLinkCredentialsGenerator = CallLinkController.credentialsGenerator(callLinkConfiguration); private static final CreateCallLinkCredentialRequestContext createCallLinkRequestContext = CreateCallLinkCredentialRequestContext.forRoom(roomId);
private static final byte[] createCallLinkRequestSerialized = createCallLinkRequestContext.getRequest().serialize();
private static final ResourceExtension resources = ResourceExtension.builder() private static final ResourceExtension resources = ResourceExtension.builder()
.addProvider(AuthHelper.getAuthFilter())
.addProvider(new PolymorphicAuthValueFactoryProvider.Binder<>(
ImmutableSet.of(AuthenticatedAccount.class, DisabledPermittedAuthenticatedAccount.class)))
.addProvider(new RateLimitExceededExceptionMapper())
.setMapper(SystemMapper.jsonMapper()) .setMapper(SystemMapper.jsonMapper())
.setTestContainerFactory(new GrizzlyWebTestContainerFactory()) .setTestContainerFactory(new GrizzlyWebTestContainerFactory())
.addResource(new CallLinkController(callLinkCredentialsGenerator)) .addResource(new CallLinkController(rateLimiters, genericServerSecretParams))
.build(); .build();
@BeforeEach
void setup() {
when(rateLimiters.getCreateCallLinkLimiter()).thenReturn(createCallLinkLimiter);
}
@Test @Test
void testGetAuth() { void testGetCreateAuth() {
ExternalServiceCredentials credentials = resources.getJerseyTest() try (Response response = resources.getJerseyTest()
.target("/v1/call-link/auth") .target("/v1/call-link/create-auth")
.request() .request()
.header("Authorization", AuthHelper.getAuthHeader(AuthHelper.VALID_UUID, AuthHelper.VALID_PASSWORD)) .header("Authorization", AuthHelper.getAuthHeader(AuthHelper.VALID_UUID, AuthHelper.VALID_PASSWORD))
.get(ExternalServiceCredentials.class); .post(Entity.json(new GetCreateCallLinkCredentialsRequest(createCallLinkRequestSerialized)))) {
assertThat(response.getStatus()).isEqualTo(200);
}
}
assertThat(credentials.username()).isNotEmpty(); @Test
assertThat(credentials.password()).isNotEmpty(); void testGetCreateAuthInvalidInput() {
try (Response response = resources.getJerseyTest()
.target("/v1/call-link/create-auth")
.request()
.header("Authorization", AuthHelper.getAuthHeader(AuthHelper.VALID_UUID, AuthHelper.VALID_PASSWORD))
.post(Entity.json(new GetCreateCallLinkCredentialsRequest(new byte[10])))) {
assertThat(response.getStatus()).isEqualTo(400);
}
}
@Test
void testGetCreateAuthInvalidAuth() {
try (Response response = resources.getJerseyTest()
.target("/v1/call-link/create-auth")
.request()
.header("Authorization", AuthHelper.getAuthHeader(AuthHelper.INVALID_UUID, AuthHelper.VALID_PASSWORD))
.post(Entity.json(new GetCreateCallLinkCredentialsRequest(createCallLinkRequestSerialized)))) {
assertThat(response.getStatus()).isEqualTo(401);
}
}
@Test
void testGetCreateAuthInvalidRequest() {
try (Response response = resources.getJerseyTest()
.target("/v1/call-link/create-auth")
.request()
.header("Authorization", AuthHelper.getAuthHeader(AuthHelper.VALID_UUID, AuthHelper.VALID_PASSWORD))
.post(Entity.json(""))) {
assertThat(response.getStatus()).isEqualTo(422);
}
}
@Test
void testGetCreateAuthRatelimited() throws RateLimitExceededException{
doThrow(new RateLimitExceededException(null, false))
.when(createCallLinkLimiter).validate(AuthHelper.VALID_UUID);
try (Response response = resources.getJerseyTest()
.target("/v1/call-link/create-auth")
.request()
.header("Authorization", AuthHelper.getAuthHeader(AuthHelper.VALID_UUID, AuthHelper.VALID_PASSWORD))
.post(Entity.json(new GetCreateCallLinkCredentialsRequest(createCallLinkRequestSerialized)))) {
assertThat(response.getStatus()).isEqualTo(429);
}
} }
} }