MirrorMirror
/
Signal-Server
mirror of https://github.com/signalapp/Signal-Server.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add a "critical" warning tier for primary devices missing PQ keys

This commit is contained in:
Jon Chambers 2025-03-05 08:51:10 -05:00 committed by GitHub
parent 8955e31a1e
commit 8517eef3fe
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 114 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java
View File

@ -982,7 +982,7 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
webSocketEnvironment.jersey().register(new VirtualExecutorServiceProvider("managed-async-websocket-virtual-thread-")); webSocketEnvironment.jersey().register(new VirtualExecutorServiceProvider("managed-async-websocket-virtual-thread-"));
webSocketEnvironment.setAuthenticator(new WebSocketAccountAuthenticator(accountAuthenticator, new AccountPrincipalSupplier(accountsManager))); webSocketEnvironment.setAuthenticator(new WebSocketAccountAuthenticator(accountAuthenticator, new AccountPrincipalSupplier(accountsManager)));
webSocketEnvironment.setAuthenticatedWebSocketUpgradeFilter(new IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter( webSocketEnvironment.setAuthenticatedWebSocketUpgradeFilter(new IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter(
config.idlePrimaryDeviceReminderConfiguration().minIdleDuration(), Clock.systemUTC())); keysManager, config.idlePrimaryDeviceReminderConfiguration().minIdleDuration(), Clock.systemUTC()));
webSocketEnvironment.setConnectListener( webSocketEnvironment.setConnectListener(
new AuthenticatedConnectListener(receiptSender, messagesManager, messageMetrics, pushNotificationManager, new AuthenticatedConnectListener(receiptSender, messagesManager, messageMetrics, pushNotificationManager,
pushNotificationScheduler, webSocketConnectionEventManager, websocketScheduledExecutor, pushNotificationScheduler, webSocketConnectionEventManager, websocketScheduledExecutor,

37
service/src/main/java/org/whispersystems/textsecuregcm/auth/IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter.java
View File

@ -6,8 +6,14 @@
package org.whispersystems.textsecuregcm.auth; package org.whispersystems.textsecuregcm.auth;
import com.google.common.annotations.VisibleForTesting; import com.google.common.annotations.VisibleForTesting;
import io.micrometer.core.instrument.Counter;
import io.micrometer.core.instrument.Metrics;
import org.eclipse.jetty.websocket.server.JettyServerUpgradeRequest; import org.eclipse.jetty.websocket.server.JettyServerUpgradeRequest;
import org.eclipse.jetty.websocket.server.JettyServerUpgradeResponse; import org.eclipse.jetty.websocket.server.JettyServerUpgradeResponse;
import org.whispersystems.textsecuregcm.identity.IdentityType;
import org.whispersystems.textsecuregcm.metrics.MetricsUtil;
import org.whispersystems.textsecuregcm.storage.Device;
import org.whispersystems.textsecuregcm.storage.KeysManager;
import org.whispersystems.websocket.ReusableAuth; import org.whispersystems.websocket.ReusableAuth;
import org.whispersystems.websocket.auth.AuthenticatedWebSocketUpgradeFilter; import org.whispersystems.websocket.auth.AuthenticatedWebSocketUpgradeFilter;
import java.time.Clock; import java.time.Clock;
@ -17,6 +23,8 @@ import java.time.Instant;
public class IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter implements public class IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter implements
AuthenticatedWebSocketUpgradeFilter<AuthenticatedDevice> { AuthenticatedWebSocketUpgradeFilter<AuthenticatedDevice> {
private final KeysManager keysManager;
private final Duration minIdleDuration; private final Duration minIdleDuration;
private final Clock clock; private final Clock clock;
@ -26,7 +34,25 @@ public class IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter implements
@VisibleForTesting @VisibleForTesting
static final String IDLE_PRIMARY_DEVICE_ALERT = "idle-primary-device"; static final String IDLE_PRIMARY_DEVICE_ALERT = "idle-primary-device";
public IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter(final Duration minIdleDuration, final Clock clock) { @VisibleForTesting
static final String CRITICAL_IDLE_PRIMARY_DEVICE_ALERT = "critical-idle-primary-device";
@VisibleForTesting
static final Duration PQ_KEY_CHECK_THRESHOLD = Duration.ofDays(120);
private static final Counter IDLE_PRIMARY_WARNING_COUNTER = Metrics.counter(
MetricsUtil.name(IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter.class, "idlePrimaryDeviceWarning"),
"critical", "false");
private static final Counter CRITICAL_IDLE_PRIMARY_WARNING_COUNTER = Metrics.counter(
MetricsUtil.name(IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter.class, "idlePrimaryDeviceWarning"),
"critical", "true");
public IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter(final KeysManager keysManager,
final Duration minIdleDuration,
final Clock clock) {
this.keysManager = keysManager;
this.minIdleDuration = minIdleDuration; this.minIdleDuration = minIdleDuration;
this.clock = clock; this.clock = clock;
} }
@ -44,8 +70,15 @@ public class IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter implements
final Instant primaryDeviceLastSeen = final Instant primaryDeviceLastSeen =
Instant.ofEpochMilli(authenticatedDevice.getAccount().getPrimaryDevice().getLastSeen()); Instant.ofEpochMilli(authenticatedDevice.getAccount().getPrimaryDevice().getLastSeen());
if (primaryDeviceLastSeen.isBefore(clock.instant().minus(minIdleDuration))) { if (primaryDeviceLastSeen.isBefore(clock.instant().minus(PQ_KEY_CHECK_THRESHOLD)) &&
keysManager.getLastResort(authenticatedDevice.getAccount().getIdentifier(IdentityType.ACI), Device.PRIMARY_ID)
.join().isEmpty()) {
response.addHeader(ALERT_HEADER, CRITICAL_IDLE_PRIMARY_DEVICE_ALERT);
CRITICAL_IDLE_PRIMARY_WARNING_COUNTER.increment();
} else if (primaryDeviceLastSeen.isBefore(clock.instant().minus(minIdleDuration))) {
response.addHeader(ALERT_HEADER, IDLE_PRIMARY_DEVICE_ALERT); response.addHeader(ALERT_HEADER, IDLE_PRIMARY_DEVICE_ALERT);
IDLE_PRIMARY_WARNING_COUNTER.increment();
} }
}); });
} }

97
service/src/test/java/org/whispersystems/textsecuregcm/auth/IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilterTest.java
View File

@ -5,7 +5,11 @@
package org.whispersystems.textsecuregcm.auth; package org.whispersystems.textsecuregcm.auth;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyByte;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.Mockito.mock; import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.verify; import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoInteractions; import static org.mockito.Mockito.verifyNoInteractions;
import static org.mockito.Mockito.when; import static org.mockito.Mockito.when;
@ -13,6 +17,8 @@ import static org.mockito.Mockito.when;
import java.time.Duration; import java.time.Duration;
import java.time.Instant; import java.time.Instant;
import java.util.List; import java.util.List;
import java.util.Optional;
import java.util.concurrent.CompletableFuture;
import javax.annotation.Nullable; import javax.annotation.Nullable;
import org.eclipse.jetty.websocket.server.JettyServerUpgradeRequest; import org.eclipse.jetty.websocket.server.JettyServerUpgradeRequest;
import org.eclipse.jetty.websocket.server.JettyServerUpgradeResponse; import org.eclipse.jetty.websocket.server.JettyServerUpgradeResponse;
@ -20,38 +26,61 @@ import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.Arguments; import org.junit.jupiter.params.provider.Arguments;
import org.junit.jupiter.params.provider.MethodSource; import org.junit.jupiter.params.provider.MethodSource;
import org.whispersystems.textsecuregcm.entities.KEMSignedPreKey;
import org.whispersystems.textsecuregcm.storage.Account; import org.whispersystems.textsecuregcm.storage.Account;
import org.whispersystems.textsecuregcm.storage.Device; import org.whispersystems.textsecuregcm.storage.Device;
import org.whispersystems.textsecuregcm.storage.KeysManager;
import org.whispersystems.textsecuregcm.util.TestClock; import org.whispersystems.textsecuregcm.util.TestClock;
import org.whispersystems.websocket.ReusableAuth; import org.whispersystems.websocket.ReusableAuth;
import org.whispersystems.websocket.auth.PrincipalSupplier; import org.whispersystems.websocket.auth.PrincipalSupplier;
class IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilterTest { class IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilterTest {
private KeysManager keysManager;
private IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter filter; private IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter filter;
private static final Duration MIN_IDLE_DURATION = Duration.ofDays(30); private static final Duration MIN_IDLE_DURATION =
IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter.PQ_KEY_CHECK_THRESHOLD.dividedBy(2);
private static final TestClock CLOCK = TestClock.pinned(Instant.now()); private static final TestClock CLOCK = TestClock.pinned(Instant.now());
@BeforeEach @BeforeEach
void setUp() { void setUp() {
filter = new IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter(MIN_IDLE_DURATION, CLOCK); keysManager = mock(KeysManager.class);
filter = new IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter(keysManager, MIN_IDLE_DURATION, CLOCK);
} }
@ParameterizedTest @ParameterizedTest
@MethodSource @MethodSource
void handleAuthentication(@Nullable final AuthenticatedDevice authenticatedDevice, final boolean expectAlertHeader) { void handleAuthentication(@Nullable final AuthenticatedDevice authenticatedDevice,
final boolean primaryDeviceHasPqKeys,
final boolean expectPqKeyCheck,
@Nullable final String expectedAlertHeader) {
final ReusableAuth<AuthenticatedDevice> reusableAuth = authenticatedDevice != null final ReusableAuth<AuthenticatedDevice> reusableAuth = authenticatedDevice != null
? ReusableAuth.authenticated(authenticatedDevice, PrincipalSupplier.forImmutablePrincipal()) ? ReusableAuth.authenticated(authenticatedDevice, PrincipalSupplier.forImmutablePrincipal())
: ReusableAuth.anonymous(); : ReusableAuth.anonymous();
final JettyServerUpgradeResponse response = mock(JettyServerUpgradeResponse.class); final JettyServerUpgradeResponse response = mock(JettyServerUpgradeResponse.class);
when(keysManager.getLastResort(any(), eq(Device.PRIMARY_ID)))
.thenReturn(CompletableFuture.completedFuture(primaryDeviceHasPqKeys
? Optional.of(mock(KEMSignedPreKey.class))
: Optional.empty()));
filter.handleAuthentication(reusableAuth, mock(JettyServerUpgradeRequest.class), response); filter.handleAuthentication(reusableAuth, mock(JettyServerUpgradeRequest.class), response);
if (expectAlertHeader) { if (expectPqKeyCheck) {
verify(response).addHeader(IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter.ALERT_HEADER, verify(keysManager).getLastResort(any(), eq(Device.PRIMARY_ID));
IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter.IDLE_PRIMARY_DEVICE_ALERT); } else {
verify(keysManager, never()).getLastResort(any(), anyByte());
}
if (expectedAlertHeader != null) {
verify(response)
.addHeader(IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter.ALERT_HEADER, expectedAlertHeader);
} else { } else {
verifyNoInteractions(response); verifyNoInteractions(response);
} }
@ -62,40 +91,70 @@ class IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilterTest {
when(activePrimaryDevice.isPrimary()).thenReturn(true); when(activePrimaryDevice.isPrimary()).thenReturn(true);
when(activePrimaryDevice.getLastSeen()).thenReturn(CLOCK.millis()); when(activePrimaryDevice.getLastSeen()).thenReturn(CLOCK.millis());
final Device idlePrimaryDevice = mock(Device.class); final Device minIdlePrimaryDevice = mock(Device.class);
when(idlePrimaryDevice.isPrimary()).thenReturn(true); when(minIdlePrimaryDevice.isPrimary()).thenReturn(true);
when(idlePrimaryDevice.getLastSeen()) when(minIdlePrimaryDevice.getLastSeen())
.thenReturn(CLOCK.instant().minus(MIN_IDLE_DURATION).minusSeconds(1).toEpochMilli()); .thenReturn(CLOCK.instant().minus(MIN_IDLE_DURATION).minusSeconds(1).toEpochMilli());
final Device longIdlePrimaryDevice = mock(Device.class);
when(longIdlePrimaryDevice.isPrimary()).thenReturn(true);
when(longIdlePrimaryDevice.getLastSeen())
.thenReturn(CLOCK.instant().minus(IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter.PQ_KEY_CHECK_THRESHOLD).minusSeconds(1).toEpochMilli());
final Device linkedDevice = mock(Device.class); final Device linkedDevice = mock(Device.class);
when(linkedDevice.isPrimary()).thenReturn(false); when(linkedDevice.isPrimary()).thenReturn(false);
final Account accountWithActivePrimaryDevice = mock(Account.class); final Account accountWithActivePrimaryDevice = mock(Account.class);
when(accountWithActivePrimaryDevice.getPrimaryDevice()).thenReturn(activePrimaryDevice); when(accountWithActivePrimaryDevice.getPrimaryDevice()).thenReturn(activePrimaryDevice);
final Account accountWithIdlePrimaryDevice = mock(Account.class); final Account accountWithMinIdlePrimaryDevice = mock(Account.class);
when(accountWithIdlePrimaryDevice.getPrimaryDevice()).thenReturn(idlePrimaryDevice); when(accountWithMinIdlePrimaryDevice.getPrimaryDevice()).thenReturn(minIdlePrimaryDevice);
final Account accountWithLongIdlePrimaryDevice = mock(Account.class);
when(accountWithLongIdlePrimaryDevice.getPrimaryDevice()).thenReturn(longIdlePrimaryDevice);
return List.of( return List.of(
Arguments.argumentSet("Anonymous", Arguments.argumentSet("Anonymous",
null, null,
false), true,
false,
null),
Arguments.argumentSet("Authenticated as active primary device", Arguments.argumentSet("Authenticated as active primary device",
new AuthenticatedDevice(accountWithActivePrimaryDevice, activePrimaryDevice), new AuthenticatedDevice(accountWithActivePrimaryDevice, activePrimaryDevice),
false), true,
false,
null),
Arguments.argumentSet("Authenticated as idle primary device", Arguments.argumentSet("Authenticated as idle primary device",
new AuthenticatedDevice(accountWithIdlePrimaryDevice, idlePrimaryDevice), new AuthenticatedDevice(accountWithMinIdlePrimaryDevice, minIdlePrimaryDevice),
false), true,
false,
null),
Arguments.argumentSet("Authenticated as linked device with active primary device", Arguments.argumentSet("Authenticated as linked device with active primary device",
new AuthenticatedDevice(accountWithActivePrimaryDevice, linkedDevice), new AuthenticatedDevice(accountWithActivePrimaryDevice, linkedDevice),
false), true,
false,
null),
Arguments.argumentSet("Authenticated as linked device with idle primary device", Arguments.argumentSet("Authenticated as linked device with min-idle primary device",
new AuthenticatedDevice(accountWithIdlePrimaryDevice, linkedDevice), new AuthenticatedDevice(accountWithMinIdlePrimaryDevice, linkedDevice),
true) true,
false,
IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter.IDLE_PRIMARY_DEVICE_ALERT),
Arguments.argumentSet("Authenticated as linked device with long-idle primary device with PQ keys",
new AuthenticatedDevice(accountWithLongIdlePrimaryDevice, linkedDevice),
true,
true,
IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter.IDLE_PRIMARY_DEVICE_ALERT),
Arguments.argumentSet("Authenticated as linked device with long-idle primary device without PQ keys",
new AuthenticatedDevice(accountWithLongIdlePrimaryDevice, linkedDevice),
false,
true,
IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter.CRITICAL_IDLE_PRIMARY_DEVICE_ALERT)
); );
} }
} }