From a01fcdad28c145e9fe9f8cf91d9a8713899168cd Mon Sep 17 00:00:00 2001
From: gram-signal <84339875+gram-signal@users.noreply.github.com>
Date: Fri, 27 Jan 2023 09:15:52 -0700
Subject: [PATCH] Add in controller for SVR2 auth.

---
 service/config/sample.yml                     |  4 ++
 .../WhisperServerConfiguration.java           | 10 +++++
 .../textsecuregcm/WhisperServerService.java   |  6 ++-
 .../SecureValueRecovery2Configuration.java    | 12 +++++
 .../SecureValueRecovery2Controller.java       | 44 +++++++++++++++++++
 5 files changed, 75 insertions(+), 1 deletion(-)
 create mode 100644 service/src/main/java/org/whispersystems/textsecuregcm/configuration/SecureValueRecovery2Configuration.java
 create mode 100644 service/src/main/java/org/whispersystems/textsecuregcm/controllers/SecureValueRecovery2Controller.java

diff --git a/service/config/sample.yml b/service/config/sample.yml
index c68f168a1..c542cb79c 100644
--- a/service/config/sample.yml
+++ b/service/config/sample.yml
@@ -140,6 +140,10 @@ directoryV2:
     userAuthenticationTokenSharedSecret: abcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with CDS to generate auth tokens for Signal users
     userIdTokenSharedSecret: bbcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with CDS to generate auth identity tokens for Signal users
 
+svr2:
+  userAuthenticationTokenSharedSecret: abcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with SVR2 to generate auth tokens for Signal users
+  userIdTokenSharedSecret: bbcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with SVR2 to generate auth identity tokens for Signal users
+
 messageCache: # Redis server configuration for message store cache
   persistDelayMinutes: 1
   cluster:
diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerConfiguration.java b/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerConfiguration.java
index a0ca5710e..9fd5d632b 100644
--- a/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerConfiguration.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerConfiguration.java
@@ -43,6 +43,7 @@ import org.whispersystems.textsecuregcm.configuration.RemoteConfigConfiguration;
 import org.whispersystems.textsecuregcm.configuration.ReportMessageConfiguration;
 import org.whispersystems.textsecuregcm.configuration.SecureBackupServiceConfiguration;
 import org.whispersystems.textsecuregcm.configuration.SecureStorageServiceConfiguration;
+import org.whispersystems.textsecuregcm.configuration.SecureValueRecovery2Configuration;
 import org.whispersystems.textsecuregcm.configuration.StripeConfiguration;
 import org.whispersystems.textsecuregcm.configuration.SubscriptionConfiguration;
 import org.whispersystems.textsecuregcm.configuration.TestDeviceConfiguration;
@@ -125,6 +126,11 @@ public class WhisperServerConfiguration extends Configuration {
   @JsonProperty
   private DirectoryV2Configuration directoryV2;
 
+  @NotNull
+  @Valid
+  @JsonProperty
+  private SecureValueRecovery2Configuration svr2;
+
   @NotNull
   @Valid
   @JsonProperty
@@ -329,6 +335,10 @@ public class WhisperServerConfiguration extends Configuration {
     return directory;
   }
 
+  public SecureValueRecovery2Configuration getSvr2Configuration() {
+    return svr2;
+  }
+
   public DirectoryV2Configuration getDirectoryV2Configuration() {
     return directoryV2;
   }
diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java b/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java
index a1fbad00c..2aca3c011 100644
--- a/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java
@@ -109,6 +109,7 @@ import org.whispersystems.textsecuregcm.controllers.ProvisioningController;
 import org.whispersystems.textsecuregcm.controllers.RemoteConfigController;
 import org.whispersystems.textsecuregcm.controllers.SecureBackupController;
 import org.whispersystems.textsecuregcm.controllers.SecureStorageController;
+import org.whispersystems.textsecuregcm.controllers.SecureValueRecovery2Controller;
 import org.whispersystems.textsecuregcm.controllers.StickerController;
 import org.whispersystems.textsecuregcm.controllers.SubscriptionController;
 import org.whispersystems.textsecuregcm.controllers.VoiceVerificationController;
@@ -462,7 +463,9 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
         config.getPaymentsServiceConfiguration());
     ExternalServiceCredentialsGenerator artCredentialsGenerator = ArtController.credentialsGenerator(
         config.getArtServiceConfiguration());
-    
+    ExternalServiceCredentialsGenerator svr2CredentialsGenerator = SecureValueRecovery2Controller.credentialsGenerator(
+        config.getSvr2Configuration());
+
     dynamicConfigurationManager.start();
 
     ExperimentEnrollmentManager experimentEnrollmentManager = new ExperimentEnrollmentManager(dynamicConfigurationManager);
@@ -752,6 +755,7 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
             config.getRemoteConfigConfiguration().getGlobalConfig()),
         new SecureBackupController(backupCredentialsGenerator),
         new SecureStorageController(storageCredentialsGenerator),
+        new SecureValueRecovery2Controller(svr2CredentialsGenerator),
         new StickerController(rateLimiters, config.getCdnConfiguration().getAccessKey(),
             config.getCdnConfiguration().getAccessSecret(), config.getCdnConfiguration().getRegion(),
             config.getCdnConfiguration().getBucket())
diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/configuration/SecureValueRecovery2Configuration.java b/service/src/main/java/org/whispersystems/textsecuregcm/configuration/SecureValueRecovery2Configuration.java
new file mode 100644
index 000000000..fc46f5918
--- /dev/null
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/configuration/SecureValueRecovery2Configuration.java
@@ -0,0 +1,12 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.textsecuregcm.configuration;
+
+import org.whispersystems.textsecuregcm.util.ExactlySize;
+
+public record SecureValueRecovery2Configuration(
+    @ExactlySize({32}) byte[] userAuthenticationTokenSharedSecret,
+    @ExactlySize({32}) byte[] userIdTokenSharedSecret) {
+}
diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/SecureValueRecovery2Controller.java b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/SecureValueRecovery2Controller.java
new file mode 100644
index 000000000..7f785f56b
--- /dev/null
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/SecureValueRecovery2Controller.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright 2013-2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.controllers;
+
+import com.codahale.metrics.annotation.Timed;
+import io.dropwizard.auth.Auth;
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+import org.apache.commons.codec.DecoderException;
+import org.whispersystems.textsecuregcm.auth.AuthenticatedAccount;
+import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentials;
+import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentialsGenerator;
+import org.whispersystems.textsecuregcm.configuration.SecureValueRecovery2Configuration;
+
+@Path("/v2/backup")
+public class SecureValueRecovery2Controller {
+
+  public static ExternalServiceCredentialsGenerator credentialsGenerator(final SecureValueRecovery2Configuration cfg)
+      throws DecoderException {
+    return ExternalServiceCredentialsGenerator
+        .builder(cfg.userAuthenticationTokenSharedSecret())
+        .withUserDerivationKey(cfg.userIdTokenSharedSecret())
+        .build();
+  }
+
+  private final ExternalServiceCredentialsGenerator backupServiceCredentialGenerator;
+
+  public SecureValueRecovery2Controller(ExternalServiceCredentialsGenerator backupServiceCredentialGenerator) {
+    this.backupServiceCredentialGenerator = backupServiceCredentialGenerator;
+  }
+
+  @Timed
+  @GET
+  @Path("/auth")
+  @Produces(MediaType.APPLICATION_JSON)
+  public ExternalServiceCredentials getAuth(@Auth AuthenticatedAccount auth) {
+    return backupServiceCredentialGenerator.generateFor(auth.getAccount().getUuid().toString());
+  }
+}