MirrorMirror
/
Signal-Server
mirror of https://github.com/signalapp/Signal-Server.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Parameterize sitekey

This commit is contained in:
Chris Eager 2022-02-28 09:49:31 -08:00 committed by Chris Eager
parent 3a1c716c73
commit 935e268dec
7 changed files with 115 additions and 59 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
service/config/sample.yml
View File

@ -246,7 +246,6 @@ recaptcha:
secret: unset
recaptchaV2:
siteKey: unset
scoreFloor: 1.0
projectPath: projects/example
credentialConfigurationJson: "{ }" # service account configuration for backend authentication

3
service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2013-2021 Signal Messenger, LLC
* Copyright 2013-2022 Signal Messenger, LLC
* SPDX-License-Identifier: AGPL-3.0-only
*/
package org.whispersystems.textsecuregcm;
@ -477,7 +477,6 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
LegacyRecaptchaClient legacyRecaptchaClient = new LegacyRecaptchaClient(config.getRecaptchaConfiguration().getSecret());
EnterpriseRecaptchaClient enterpriseRecaptchaClient = new EnterpriseRecaptchaClient(
config.getRecaptchaV2Configuration().getScoreFloor().doubleValue(),
config.getRecaptchaV2Configuration().getSiteKey(),
config.getRecaptchaV2Configuration().getProjectPath(),
config.getRecaptchaV2Configuration().getCredentialConfigurationJson());
TransitionalRecaptchaClient transitionalRecaptchaClient = new TransitionalRecaptchaClient(legacyRecaptchaClient, enterpriseRecaptchaClient);

8
service/src/main/java/org/whispersystems/textsecuregcm/configuration/RecaptchaV2Configuration.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2021 Signal Messenger, LLC
* Copyright 2021-2022 Signal Messenger, LLC
* SPDX-License-Identifier: AGPL-3.0-only
*/
@ -15,7 +15,6 @@ public class RecaptchaV2Configuration {
private BigDecimal scoreFloor;
private String projectPath;
private String siteKey;
private String credentialConfigurationJson;
@DecimalMin("0")
@ -30,11 +29,6 @@ public class RecaptchaV2Configuration {
return projectPath;
}
@NotEmpty
public String getSiteKey() {
return siteKey;
}
@NotEmpty
public String getCredentialConfigurationJson() {
return credentialConfigurationJson;

51
service/src/main/java/org/whispersystems/textsecuregcm/recaptcha/EnterpriseRecaptchaClient.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2021 Signal Messenger, LLC
* Copyright 2021-2022 Signal Messenger, LLC
* SPDX-License-Identifier: AGPL-3.0-only
*/
@ -9,33 +9,34 @@ import com.google.api.gax.core.FixedCredentialsProvider;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.cloud.recaptchaenterprise.v1.RecaptchaEnterpriseServiceClient;
import com.google.cloud.recaptchaenterprise.v1.RecaptchaEnterpriseServiceSettings;
import com.google.common.annotations.VisibleForTesting;
import com.google.recaptchaenterprise.v1.Assessment;
import com.google.recaptchaenterprise.v1.Event;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Objects;
import javax.annotation.Nonnull;
import javax.ws.rs.BadRequestException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
public class EnterpriseRecaptchaClient implements RecaptchaClient {
@VisibleForTesting
static final String SEPARATOR = ".";
private static final Logger logger = LoggerFactory.getLogger(EnterpriseRecaptchaClient.class);
private final double scoreFloor;
private final String siteKey;
private final String projectPath;
private final RecaptchaEnterpriseServiceClient client;
public EnterpriseRecaptchaClient(
final double scoreFloor,
@Nonnull final String siteKey,
@Nonnull final String projectPath,
@Nonnull final String recaptchaCredentialConfigurationJson) {
try {
this.scoreFloor = scoreFloor;
this.siteKey = Objects.requireNonNull(siteKey);
this.projectPath = Objects.requireNonNull(projectPath);
this.client = RecaptchaEnterpriseServiceClient.create(RecaptchaEnterpriseServiceSettings.newBuilder()
.setCredentialsProvider(FixedCredentialsProvider.create(GoogleCredentials.fromStream(
@ -46,14 +47,38 @@ public class EnterpriseRecaptchaClient implements RecaptchaClient {
}
}
@Override
public boolean verify(final String token, final String ip) {
return verify(token, ip, null);
/**
* Parses the token and action (if any) from {@code input}. The expected input format is: {@code [action:]token}.
* <p>
* For action to be optional, there is a strong assumption that the token will never contain a {@value SEPARATOR}.
* Observation suggests {@code token} is base-64 encoded. In practice, an action should always be present, but we
* dont need to be strict.
*/
static String[] parseInputToken(final String input) {
String[] keyActionAndToken = input.split("\\" + SEPARATOR, 3);
if (keyActionAndToken.length == 1) {
throw new BadRequestException("too few parts");
}
if (keyActionAndToken.length == 2) {
// there was no ":" delimiter; assume we only have a token
return new String[]{keyActionAndToken[0], null, keyActionAndToken[1]};
}
return keyActionAndToken;
}
public boolean verify(final String token, final String ip, @Nullable final String expectedAction) {
@Override
public boolean verify(final String input, final String ip) {
final String[] parts = parseInputToken(input);
final String sitekey = parts[0];
final String expectedAction = parts[1];
final String token = parts[2];
Event.Builder eventBuilder = Event.newBuilder()
.setSiteKey(siteKey)
.setSiteKey(sitekey)
.setToken(token)
.setUserIpAddress(ip);

26
service/src/main/java/org/whispersystems/textsecuregcm/recaptcha/TransitionalRecaptchaClient.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2021 Signal Messenger, LLC
* Copyright 2021-2022 Signal Messenger, LLC
* SPDX-License-Identifier: AGPL-3.0-only
*/
@ -12,9 +12,7 @@ import javax.annotation.Nonnull;
public class TransitionalRecaptchaClient implements RecaptchaClient {
@VisibleForTesting
static final String SEPARATOR = ".";
@VisibleForTesting
static final String V2_PREFIX = "signal-recaptcha-v2" + SEPARATOR;
static final String V2_PREFIX = "signal-recaptcha-v2" + EnterpriseRecaptchaClient.SEPARATOR;
private final LegacyRecaptchaClient legacyRecaptchaClient;
private final EnterpriseRecaptchaClient enterpriseRecaptchaClient;
@ -29,28 +27,10 @@ public class TransitionalRecaptchaClient implements RecaptchaClient {
@Override
public boolean verify(@Nonnull final String token, @Nonnull final String ip) {
if (token.startsWith(V2_PREFIX)) {
final String[] actionAndToken = parseV2ActionAndToken(token.substring(V2_PREFIX.length()));
return enterpriseRecaptchaClient.verify(actionAndToken[1], ip, actionAndToken[0]);
return enterpriseRecaptchaClient.verify(token.substring(V2_PREFIX.length()), ip);
} else {
return legacyRecaptchaClient.verify(token, ip);
}
}
/**
* Parses the token and action (if any) from {@code input}. The expected input format is: {@code [action:]token}.
* <p>
* For action to be optional, there is a strong assumption that the token will never contain a {@value SEPARATOR}.
* Observation suggests {@code token} is base-64 encoded. In practice, an action should always be present, but we
* dont need to be strict.
*/
static String[] parseV2ActionAndToken(final String input) {
String[] actionAndToken = input.split("\\" + SEPARATOR, 2);
if (actionAndToken.length == 1) {
// there was no ":" delimiter; assume we only have a token
return new String[]{null, actionAndToken[0]};
}
return actionAndToken;
}
}

63
service/src/test/java/org/whispersystems/textsecuregcm/recaptcha/EnterpriseRecaptchaClientTest.java Normal file
View File

@ -0,0 +1,63 @@
/*
* Copyright 2022 Signal Messenger, LLC
* SPDX-License-Identifier: AGPL-3.0-only
*/
package org.whispersystems.textsecuregcm.recaptcha;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.whispersystems.textsecuregcm.recaptcha.EnterpriseRecaptchaClient.SEPARATOR;
import java.util.stream.Stream;
import javax.annotation.Nullable;
import javax.ws.rs.BadRequestException;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.Arguments;
import org.junit.jupiter.params.provider.MethodSource;
class EnterpriseRecaptchaClientTest {
private static final String SITE_KEY = "site-key";
private static final String TOKEN = "some-token";
@ParameterizedTest
@MethodSource
void parseInputToken(final String input, final String expectedToken, final String siteKey,
@Nullable final String expectedAction) {
final String[] parts = EnterpriseRecaptchaClient.parseInputToken(input);
assertEquals(siteKey, parts[0]);
assertEquals(expectedAction, parts[1]);
assertEquals(expectedToken, parts[2]);
}
@Test
void parseInputTokenBadRequest() {
assertThrows(BadRequestException.class, () -> {
EnterpriseRecaptchaClient.parseInputToken(TOKEN);
});
}
static Stream<Arguments> parseInputToken() {
return Stream.of(
Arguments.of(
String.join(SEPARATOR, SITE_KEY, TOKEN),
TOKEN,
SITE_KEY,
null),
Arguments.of(
String.join(SEPARATOR, SITE_KEY, "an-action", TOKEN),
TOKEN,
SITE_KEY,
"an-action"),
Arguments.of(
String.join(SEPARATOR, SITE_KEY, "an-action", TOKEN, "something-else"),
TOKEN + SEPARATOR + "something-else",
SITE_KEY,
"an-action")
);
}
}

22
service/src/test/java/org/whispersystems/textsecuregcm/recaptcha/TransitionalRecaptchaClientTest.java
View File

@ -8,7 +8,7 @@ package org.whispersystems.textsecuregcm.recaptcha;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoInteractions;
import static org.whispersystems.textsecuregcm.recaptcha.TransitionalRecaptchaClient.SEPARATOR;
import static org.whispersystems.textsecuregcm.recaptcha.EnterpriseRecaptchaClient.SEPARATOR;
import java.util.stream.Stream;
import org.junit.jupiter.api.BeforeEach;
@ -36,8 +36,7 @@ class TransitionalRecaptchaClientTest {
@ParameterizedTest
@MethodSource
void testVerify(final String inputToken, final boolean expectLegacy, final String expectedToken,
final String expectedAction) {
void testVerify(final String inputToken, final boolean expectLegacy, final String expectedToken) {
transitionalRecaptchaClient.verify(inputToken, IP_ADDRESS);
@ -46,7 +45,7 @@ class TransitionalRecaptchaClientTest {
verify(legacyRecaptchaClient).verify(expectedToken, IP_ADDRESS);
} else {
verifyNoInteractions(legacyRecaptchaClient);
verify(enterpriseRecaptchaClient).verify(expectedToken, IP_ADDRESS, expectedAction);
verify(enterpriseRecaptchaClient).verify(expectedToken, IP_ADDRESS);
}
}
@ -56,23 +55,20 @@ class TransitionalRecaptchaClientTest {
Arguments.of(
TOKEN,
true,
TOKEN,
null),
TOKEN),
Arguments.of(
String.join(SEPARATOR, PREFIX, TOKEN),
false,
TOKEN,
null),
TOKEN),
Arguments.of(
String.join(SEPARATOR, PREFIX, "an-action", TOKEN),
String.join(SEPARATOR, PREFIX, "site-key", "an-action", TOKEN),
false,
TOKEN,
String.join(SEPARATOR, "site-key", "an-action", TOKEN),
"an-action"),
Arguments.of(
String.join(SEPARATOR, PREFIX, "an-action", TOKEN, "something-else"),
String.join(SEPARATOR, PREFIX, "site-key", "an-action", TOKEN, "something-else"),
false,
TOKEN + SEPARATOR + "something-else",
"an-action")
"site-key" + SEPARATOR + "an-action" + SEPARATOR + TOKEN + SEPARATOR + "something-else")
);
}