Create call link credential endpoint
This commit is contained in:
parent
b2b0aee4b7
commit
7ba86b40aa
|
@ -467,9 +467,6 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
|
||||||
config.getArtServiceConfiguration());
|
config.getArtServiceConfiguration());
|
||||||
ExternalServiceCredentialsGenerator svr2CredentialsGenerator = SecureValueRecovery2Controller.credentialsGenerator(
|
ExternalServiceCredentialsGenerator svr2CredentialsGenerator = SecureValueRecovery2Controller.credentialsGenerator(
|
||||||
config.getSvr2Configuration());
|
config.getSvr2Configuration());
|
||||||
ExternalServiceCredentialsGenerator callLinkCredentialsGenerator = CallLinkController.credentialsGenerator(
|
|
||||||
config.getCallLinkConfiguration()
|
|
||||||
);
|
|
||||||
|
|
||||||
dynamicConfigurationManager.start();
|
dynamicConfigurationManager.start();
|
||||||
|
|
||||||
|
@ -721,7 +718,7 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
|
||||||
new ArtController(rateLimiters, artCredentialsGenerator),
|
new ArtController(rateLimiters, artCredentialsGenerator),
|
||||||
new AttachmentControllerV2(rateLimiters, config.getAwsAttachmentsConfiguration().getAccessKey(), config.getAwsAttachmentsConfiguration().getAccessSecret(), config.getAwsAttachmentsConfiguration().getRegion(), config.getAwsAttachmentsConfiguration().getBucket()),
|
new AttachmentControllerV2(rateLimiters, config.getAwsAttachmentsConfiguration().getAccessKey(), config.getAwsAttachmentsConfiguration().getAccessSecret(), config.getAwsAttachmentsConfiguration().getRegion(), config.getAwsAttachmentsConfiguration().getBucket()),
|
||||||
new AttachmentControllerV3(rateLimiters, config.getGcpAttachmentsConfiguration().getDomain(), config.getGcpAttachmentsConfiguration().getEmail(), config.getGcpAttachmentsConfiguration().getMaxSizeInBytes(), config.getGcpAttachmentsConfiguration().getPathPrefix(), config.getGcpAttachmentsConfiguration().getRsaSigningKey()),
|
new AttachmentControllerV3(rateLimiters, config.getGcpAttachmentsConfiguration().getDomain(), config.getGcpAttachmentsConfiguration().getEmail(), config.getGcpAttachmentsConfiguration().getMaxSizeInBytes(), config.getGcpAttachmentsConfiguration().getPathPrefix(), config.getGcpAttachmentsConfiguration().getRsaSigningKey()),
|
||||||
new CallLinkController(callLinkCredentialsGenerator),
|
new CallLinkController(rateLimiters, genericZkSecretParams),
|
||||||
new CertificateController(new CertificateGenerator(config.getDeliveryCertificate().getCertificate(), config.getDeliveryCertificate().getPrivateKey(), config.getDeliveryCertificate().getExpiresDays()), zkAuthOperations, genericZkSecretParams, clock),
|
new CertificateController(new CertificateGenerator(config.getDeliveryCertificate().getCertificate(), config.getDeliveryCertificate().getPrivateKey(), config.getDeliveryCertificate().getExpiresDays()), zkAuthOperations, genericZkSecretParams, clock),
|
||||||
new ChallengeController(rateLimitChallengeManager),
|
new ChallengeController(rateLimitChallengeManager),
|
||||||
new DeviceController(pendingDevicesManager, accountsManager, messagesManager, keys, rateLimiters, config.getMaxDevices()),
|
new DeviceController(pendingDevicesManager, accountsManager, messagesManager, keys, rateLimiters, config.getMaxDevices()),
|
||||||
|
|
|
@ -1,56 +1,74 @@
|
||||||
package org.whispersystems.textsecuregcm.controllers;
|
package org.whispersystems.textsecuregcm.controllers;
|
||||||
|
|
||||||
import com.codahale.metrics.annotation.Timed;
|
import com.codahale.metrics.annotation.Timed;
|
||||||
import com.google.common.annotations.VisibleForTesting;
|
|
||||||
import io.dropwizard.auth.Auth;
|
import io.dropwizard.auth.Auth;
|
||||||
import io.swagger.v3.oas.annotations.Operation;
|
import io.swagger.v3.oas.annotations.Operation;
|
||||||
import io.swagger.v3.oas.annotations.responses.ApiResponse;
|
import io.swagger.v3.oas.annotations.responses.ApiResponse;
|
||||||
|
import org.signal.libsignal.zkgroup.GenericServerSecretParams;
|
||||||
|
import org.signal.libsignal.zkgroup.InvalidInputException;
|
||||||
|
import org.signal.libsignal.zkgroup.calllinks.CreateCallLinkCredentialRequest;
|
||||||
import org.whispersystems.textsecuregcm.auth.AuthenticatedAccount;
|
import org.whispersystems.textsecuregcm.auth.AuthenticatedAccount;
|
||||||
import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentials;
|
import org.whispersystems.textsecuregcm.entities.CreateCallLinkCredential;
|
||||||
import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentialsGenerator;
|
import org.whispersystems.textsecuregcm.entities.GetCreateCallLinkCredentialsRequest;
|
||||||
import org.whispersystems.textsecuregcm.configuration.CallLinkConfiguration;
|
import org.whispersystems.textsecuregcm.limits.RateLimiters;
|
||||||
import javax.ws.rs.GET;
|
import javax.validation.constraints.NotNull;
|
||||||
|
import javax.ws.rs.BadRequestException;
|
||||||
|
import javax.ws.rs.POST;
|
||||||
import javax.ws.rs.Path;
|
import javax.ws.rs.Path;
|
||||||
import javax.ws.rs.Produces;
|
import javax.ws.rs.Produces;
|
||||||
import javax.ws.rs.core.MediaType;
|
import javax.ws.rs.core.MediaType;
|
||||||
import java.time.Clock;
|
import java.time.Instant;
|
||||||
import java.time.temporal.ChronoUnit;
|
import java.time.temporal.ChronoUnit;
|
||||||
import java.util.Optional;
|
|
||||||
|
|
||||||
@Path("/v1/call-link")
|
@Path("/v1/call-link")
|
||||||
@io.swagger.v3.oas.annotations.tags.Tag(name = "CallLink")
|
@io.swagger.v3.oas.annotations.tags.Tag(name = "CallLink")
|
||||||
public class CallLinkController {
|
public class CallLinkController {
|
||||||
@VisibleForTesting
|
private final RateLimiters rateLimiters;
|
||||||
public static final String ANONYMOUS_CREDENTIAL_PREFIX = "anon";
|
private final GenericServerSecretParams genericServerSecretParams;
|
||||||
|
|
||||||
private final ExternalServiceCredentialsGenerator callingFrontendServiceCredentialGenerator;
|
|
||||||
|
|
||||||
public CallLinkController(
|
public CallLinkController(
|
||||||
ExternalServiceCredentialsGenerator callingFrontendServiceCredentialGenerator
|
final RateLimiters rateLimiters,
|
||||||
|
final GenericServerSecretParams genericServerSecretParams
|
||||||
) {
|
) {
|
||||||
this.callingFrontendServiceCredentialGenerator = callingFrontendServiceCredentialGenerator;
|
this.rateLimiters = rateLimiters;
|
||||||
|
this.genericServerSecretParams = genericServerSecretParams;
|
||||||
}
|
}
|
||||||
|
|
||||||
public static ExternalServiceCredentialsGenerator credentialsGenerator(final CallLinkConfiguration cfg) {
|
|
||||||
return ExternalServiceCredentialsGenerator
|
|
||||||
.builder(cfg.userAuthenticationTokenSharedSecret())
|
|
||||||
.withUsernameTimestampTruncatorAndPrefix(timestamp -> timestamp.truncatedTo(ChronoUnit.DAYS), ANONYMOUS_CREDENTIAL_PREFIX)
|
|
||||||
.build();
|
|
||||||
}
|
|
||||||
@Timed
|
@Timed
|
||||||
@GET
|
@POST
|
||||||
@Path("/auth")
|
@Path("/create-auth")
|
||||||
@Produces(MediaType.APPLICATION_JSON)
|
@Produces(MediaType.APPLICATION_JSON)
|
||||||
@Operation(
|
@Operation(
|
||||||
summary = "Generate credentials for calling frontend",
|
summary = "Generate a credential for creating call links",
|
||||||
description = """
|
description = """
|
||||||
These credentials enable clients to prove to calling frontend that they were a Signal user within the last day.
|
Generate a credential over a truncated timestamp, room ID, and account UUID. With zero knowledge
|
||||||
For client privacy, timestamps are truncated to 1 day granularity and the token does not include or derive from an ACI.
|
group infrastructure, the server does not know the room ID.
|
||||||
"""
|
"""
|
||||||
)
|
)
|
||||||
@ApiResponse(responseCode = "200", description = "`JSON` with generated credentials.", useReturnTypeSchema = true)
|
@ApiResponse(responseCode = "200", description = "`JSON` with generated credentials.", useReturnTypeSchema = true)
|
||||||
|
@ApiResponse(responseCode = "400", description = "Invalid create call link credential request.")
|
||||||
@ApiResponse(responseCode = "401", description = "Account authentication check failed.")
|
@ApiResponse(responseCode = "401", description = "Account authentication check failed.")
|
||||||
public ExternalServiceCredentials getAuth(@Auth AuthenticatedAccount auth) {
|
@ApiResponse(responseCode = "422", description = "Invalid request format.")
|
||||||
return callingFrontendServiceCredentialGenerator.generateWithTimestampAsUsername();
|
@ApiResponse(responseCode = "429", description = "Ratelimited.")
|
||||||
|
public CreateCallLinkCredential getCreateAuth(
|
||||||
|
final @Auth AuthenticatedAccount auth,
|
||||||
|
final @NotNull GetCreateCallLinkCredentialsRequest request
|
||||||
|
) throws RateLimitExceededException {
|
||||||
|
|
||||||
|
rateLimiters.getCreateCallLinkLimiter().validate(auth.getAccount().getUuid());
|
||||||
|
|
||||||
|
final Instant truncatedDayTimestamp = Instant.now().truncatedTo(ChronoUnit.DAYS);
|
||||||
|
|
||||||
|
CreateCallLinkCredentialRequest createCallLinkCredentialRequest;
|
||||||
|
try {
|
||||||
|
createCallLinkCredentialRequest = new CreateCallLinkCredentialRequest(request.createCallLinkCredentialRequest());
|
||||||
|
} catch (InvalidInputException e) {
|
||||||
|
throw new BadRequestException("Invalid create call link credential request", e);
|
||||||
|
}
|
||||||
|
|
||||||
|
return new CreateCallLinkCredential(
|
||||||
|
createCallLinkCredentialRequest.issueCredential(auth.getAccount().getUuid(), truncatedDayTimestamp, genericServerSecretParams).serialize(),
|
||||||
|
truncatedDayTimestamp.getEpochSecond()
|
||||||
|
);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
package org.whispersystems.textsecuregcm.entities;
|
||||||
|
|
||||||
|
public record CreateCallLinkCredential(byte[] credential, long redemptionTime){}
|
|
@ -0,0 +1,5 @@
|
||||||
|
package org.whispersystems.textsecuregcm.entities;
|
||||||
|
|
||||||
|
import javax.validation.constraints.NotNull;
|
||||||
|
|
||||||
|
public record GetCreateCallLinkCredentialsRequest(@NotNull byte[] createCallLinkCredentialRequest) {}
|
|
@ -73,6 +73,8 @@ public class RateLimiters extends BaseRateLimiters<RateLimiters.For> {
|
||||||
PUSH_CHALLENGE_ATTEMPT("pushChallengeAttempt", true, new RateLimiterConfig(10, 10.0 / (60 * 24))),
|
PUSH_CHALLENGE_ATTEMPT("pushChallengeAttempt", true, new RateLimiterConfig(10, 10.0 / (60 * 24))),
|
||||||
|
|
||||||
PUSH_CHALLENGE_SUCCESS("pushChallengeSuccess", true, new RateLimiterConfig(2, 2.0 / (60 * 24))),
|
PUSH_CHALLENGE_SUCCESS("pushChallengeSuccess", true, new RateLimiterConfig(2, 2.0 / (60 * 24))),
|
||||||
|
|
||||||
|
CREATE_CALL_LINK("createCallLink", false, new RateLimiterConfig(100, 100 / (60 * 24)));
|
||||||
;
|
;
|
||||||
|
|
||||||
private final String id;
|
private final String id;
|
||||||
|
@ -232,4 +234,8 @@ public class RateLimiters extends BaseRateLimiters<RateLimiters.For> {
|
||||||
public RateLimiter getVerificationCaptchaLimiter() {
|
public RateLimiter getVerificationCaptchaLimiter() {
|
||||||
return forDescriptor(For.VERIFICATION_CAPTCHA);
|
return forDescriptor(For.VERIFICATION_CAPTCHA);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public RateLimiter getCreateCallLinkLimiter() {
|
||||||
|
return forDescriptor(For.CREATE_CALL_LINK);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,44 +1,117 @@
|
||||||
package org.whispersystems.textsecuregcm.tests.controllers;
|
package org.whispersystems.textsecuregcm.tests.controllers;
|
||||||
|
|
||||||
|
import com.google.common.collect.ImmutableSet;
|
||||||
|
import io.dropwizard.auth.PolymorphicAuthValueFactoryProvider;
|
||||||
import io.dropwizard.testing.junit5.DropwizardExtensionsSupport;
|
import io.dropwizard.testing.junit5.DropwizardExtensionsSupport;
|
||||||
import io.dropwizard.testing.junit5.ResourceExtension;
|
import io.dropwizard.testing.junit5.ResourceExtension;
|
||||||
import org.glassfish.jersey.test.grizzly.GrizzlyWebTestContainerFactory;
|
import org.glassfish.jersey.test.grizzly.GrizzlyWebTestContainerFactory;
|
||||||
|
import org.junit.jupiter.api.BeforeEach;
|
||||||
import org.junit.jupiter.api.Test;
|
import org.junit.jupiter.api.Test;
|
||||||
import org.junit.jupiter.api.extension.ExtendWith;
|
import org.junit.jupiter.api.extension.ExtendWith;
|
||||||
import org.mockito.Mockito;
|
|
||||||
import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentials;
|
import org.signal.libsignal.protocol.util.Hex;
|
||||||
import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentialsGenerator;
|
import org.signal.libsignal.zkgroup.GenericServerSecretParams;
|
||||||
import org.whispersystems.textsecuregcm.configuration.CallLinkConfiguration;
|
import org.signal.libsignal.zkgroup.calllinks.CreateCallLinkCredentialRequestContext;
|
||||||
|
import org.whispersystems.textsecuregcm.auth.AuthenticatedAccount;
|
||||||
|
import org.whispersystems.textsecuregcm.auth.DisabledPermittedAuthenticatedAccount;
|
||||||
import org.whispersystems.textsecuregcm.controllers.CallLinkController;
|
import org.whispersystems.textsecuregcm.controllers.CallLinkController;
|
||||||
|
import org.whispersystems.textsecuregcm.controllers.RateLimitExceededException;
|
||||||
|
import org.whispersystems.textsecuregcm.entities.GetCreateCallLinkCredentialsRequest;
|
||||||
|
import org.whispersystems.textsecuregcm.limits.RateLimiter;
|
||||||
|
import org.whispersystems.textsecuregcm.limits.RateLimiters;
|
||||||
|
import org.whispersystems.textsecuregcm.mappers.RateLimitExceededExceptionMapper;
|
||||||
import org.whispersystems.textsecuregcm.tests.util.AuthHelper;
|
import org.whispersystems.textsecuregcm.tests.util.AuthHelper;
|
||||||
import org.whispersystems.textsecuregcm.util.MockUtils;
|
|
||||||
import org.whispersystems.textsecuregcm.util.SystemMapper;
|
import org.whispersystems.textsecuregcm.util.SystemMapper;
|
||||||
|
|
||||||
|
import javax.ws.rs.client.Entity;
|
||||||
|
import javax.ws.rs.core.Response;
|
||||||
|
|
||||||
import static org.assertj.core.api.AssertionsForClassTypes.assertThat;
|
import static org.assertj.core.api.AssertionsForClassTypes.assertThat;
|
||||||
|
import static org.mockito.Mockito.doThrow;
|
||||||
|
import static org.mockito.Mockito.mock;
|
||||||
|
import static org.mockito.Mockito.when;
|
||||||
|
|
||||||
@ExtendWith(DropwizardExtensionsSupport.class)
|
@ExtendWith(DropwizardExtensionsSupport.class)
|
||||||
public class CallLinkControllerTest {
|
public class CallLinkControllerTest {
|
||||||
private static final CallLinkConfiguration callLinkConfiguration = MockUtils.buildMock(
|
private static final GenericServerSecretParams genericServerSecretParams = GenericServerSecretParams.generate();
|
||||||
CallLinkConfiguration.class,
|
private static final RateLimiters rateLimiters = mock(RateLimiters.class);
|
||||||
cfg -> Mockito.when(cfg.userAuthenticationTokenSharedSecret()).thenReturn(new byte[32])
|
private static final RateLimiter createCallLinkLimiter = mock(RateLimiter.class);
|
||||||
);
|
private static final byte[] roomId = Hex.fromStringCondensedAssert("c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7");
|
||||||
private static final ExternalServiceCredentialsGenerator callLinkCredentialsGenerator = CallLinkController.credentialsGenerator(callLinkConfiguration);
|
private static final CreateCallLinkCredentialRequestContext createCallLinkRequestContext = CreateCallLinkCredentialRequestContext.forRoom(roomId);
|
||||||
|
private static final byte[] createCallLinkRequestSerialized = createCallLinkRequestContext.getRequest().serialize();
|
||||||
|
|
||||||
private static final ResourceExtension resources = ResourceExtension.builder()
|
private static final ResourceExtension resources = ResourceExtension.builder()
|
||||||
|
.addProvider(AuthHelper.getAuthFilter())
|
||||||
|
.addProvider(new PolymorphicAuthValueFactoryProvider.Binder<>(
|
||||||
|
ImmutableSet.of(AuthenticatedAccount.class, DisabledPermittedAuthenticatedAccount.class)))
|
||||||
|
.addProvider(new RateLimitExceededExceptionMapper())
|
||||||
.setMapper(SystemMapper.jsonMapper())
|
.setMapper(SystemMapper.jsonMapper())
|
||||||
.setTestContainerFactory(new GrizzlyWebTestContainerFactory())
|
.setTestContainerFactory(new GrizzlyWebTestContainerFactory())
|
||||||
.addResource(new CallLinkController(callLinkCredentialsGenerator))
|
.addResource(new CallLinkController(rateLimiters, genericServerSecretParams))
|
||||||
.build();
|
.build();
|
||||||
|
|
||||||
|
@BeforeEach
|
||||||
|
void setup() {
|
||||||
|
when(rateLimiters.getCreateCallLinkLimiter()).thenReturn(createCallLinkLimiter);
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
void testGetAuth() {
|
void testGetCreateAuth() {
|
||||||
ExternalServiceCredentials credentials = resources.getJerseyTest()
|
try (Response response = resources.getJerseyTest()
|
||||||
.target("/v1/call-link/auth")
|
.target("/v1/call-link/create-auth")
|
||||||
.request()
|
.request()
|
||||||
.header("Authorization", AuthHelper.getAuthHeader(AuthHelper.VALID_UUID, AuthHelper.VALID_PASSWORD))
|
.header("Authorization", AuthHelper.getAuthHeader(AuthHelper.VALID_UUID, AuthHelper.VALID_PASSWORD))
|
||||||
.get(ExternalServiceCredentials.class);
|
.post(Entity.json(new GetCreateCallLinkCredentialsRequest(createCallLinkRequestSerialized)))) {
|
||||||
|
assertThat(response.getStatus()).isEqualTo(200);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
assertThat(credentials.username()).isNotEmpty();
|
@Test
|
||||||
assertThat(credentials.password()).isNotEmpty();
|
void testGetCreateAuthInvalidInput() {
|
||||||
|
try (Response response = resources.getJerseyTest()
|
||||||
|
.target("/v1/call-link/create-auth")
|
||||||
|
.request()
|
||||||
|
.header("Authorization", AuthHelper.getAuthHeader(AuthHelper.VALID_UUID, AuthHelper.VALID_PASSWORD))
|
||||||
|
.post(Entity.json(new GetCreateCallLinkCredentialsRequest(new byte[10])))) {
|
||||||
|
assertThat(response.getStatus()).isEqualTo(400);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
void testGetCreateAuthInvalidAuth() {
|
||||||
|
try (Response response = resources.getJerseyTest()
|
||||||
|
.target("/v1/call-link/create-auth")
|
||||||
|
.request()
|
||||||
|
.header("Authorization", AuthHelper.getAuthHeader(AuthHelper.INVALID_UUID, AuthHelper.VALID_PASSWORD))
|
||||||
|
.post(Entity.json(new GetCreateCallLinkCredentialsRequest(createCallLinkRequestSerialized)))) {
|
||||||
|
assertThat(response.getStatus()).isEqualTo(401);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
void testGetCreateAuthInvalidRequest() {
|
||||||
|
try (Response response = resources.getJerseyTest()
|
||||||
|
.target("/v1/call-link/create-auth")
|
||||||
|
.request()
|
||||||
|
.header("Authorization", AuthHelper.getAuthHeader(AuthHelper.VALID_UUID, AuthHelper.VALID_PASSWORD))
|
||||||
|
.post(Entity.json(""))) {
|
||||||
|
|
||||||
|
assertThat(response.getStatus()).isEqualTo(422);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
void testGetCreateAuthRatelimited() throws RateLimitExceededException{
|
||||||
|
doThrow(new RateLimitExceededException(null, false))
|
||||||
|
.when(createCallLinkLimiter).validate(AuthHelper.VALID_UUID);
|
||||||
|
|
||||||
|
try (Response response = resources.getJerseyTest()
|
||||||
|
.target("/v1/call-link/create-auth")
|
||||||
|
.request()
|
||||||
|
.header("Authorization", AuthHelper.getAuthHeader(AuthHelper.VALID_UUID, AuthHelper.VALID_PASSWORD))
|
||||||
|
.post(Entity.json(new GetCreateCallLinkCredentialsRequest(createCallLinkRequestSerialized)))) {
|
||||||
|
|
||||||
|
assertThat(response.getStatus()).isEqualTo(429);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue