Add support for environment-dependent secondary OAuth2 credentials JSON

service/config/sample.yml

@@ -44,6 +44,10 @@ adminEventLoggingConfiguration:
     {
       "key": "value"
     }
+  secondaryCredentials: |
+    {
+      "key": "value"
+    }
   projectId: some-project-id
   logName: some-log-name
 
@@ -225,6 +229,7 @@ unidentifiedDelivery:
 recaptcha:
   projectPath: projects/example
   credentialConfigurationJson: "{ }" # service account configuration for backend authentication
+  secondaryCredentialConfigurationJson: "{ }" # service account configuration for backend authentication
 
 hCaptcha:
   apiKey: secret://hCaptcha.apiKey
@@ -376,6 +381,10 @@ registrationService:
     {
       "example": "example"
     }
+  secondaryCredentialConfigurationJson: |
+    {
+      "example": "example"
+    }
   identityTokenAudience: https://registration.example.com
   registrationCaCertificate: | # Registration service TLS certificate trust root
     -----BEGIN CERTIFICATE-----

service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java

@@ -311,6 +311,10 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
       Metrics.addRegistry(datadogMeterRegistry);
     }
 
+    final boolean useSecondaryCredentialsJson = Optional.ofNullable(
+            System.getenv("SIGNAL_USE_SECONDARY_CREDENTIALS_JSON"))
+        .isPresent();
+
     environment.lifecycle().manage(new MicrometerRegistryManager(Metrics.globalRegistry));
 
     HeaderControlledResourceBundleLookup headerControlledResourceBundleLookup =
@@ -463,7 +467,9 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
     final AdminEventLogger adminEventLogger = new GoogleCloudAdminEventLogger(
         LoggingOptions.newBuilder().setProjectId(config.getAdminEventLoggingConfiguration().projectId())
             .setCredentials(GoogleCredentials.fromStream(new ByteArrayInputStream(
-                config.getAdminEventLoggingConfiguration().credentials().getBytes(StandardCharsets.UTF_8))))
+                useSecondaryCredentialsJson
+                    ? config.getAdminEventLoggingConfiguration().secondaryCredentials().getBytes(StandardCharsets.UTF_8)
+                    : config.getAdminEventLoggingConfiguration().credentials().getBytes(StandardCharsets.UTF_8))))
             .build().getService(),
         config.getAdminEventLoggingConfiguration().projectId(),
         config.getAdminEventLoggingConfiguration().logName());
@@ -500,7 +506,9 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
     RegistrationServiceClient registrationServiceClient = new RegistrationServiceClient(
         config.getRegistrationServiceConfiguration().host(),
         config.getRegistrationServiceConfiguration().port(),
-        config.getRegistrationServiceConfiguration().credentialConfigurationJson(),
+        useSecondaryCredentialsJson
+            ? config.getRegistrationServiceConfiguration().secondaryCredentialConfigurationJson()
+            : config.getRegistrationServiceConfiguration().credentialConfigurationJson(),
         config.getRegistrationServiceConfiguration().identityTokenAudience(),
         config.getRegistrationServiceConfiguration().registrationCaCertificate(),
         registrationCallbackExecutor);
@@ -573,8 +581,10 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
     final TurnTokenGenerator turnTokenGenerator = new TurnTokenGenerator(dynamicConfigurationManager);
 
     RecaptchaClient recaptchaClient = new RecaptchaClient(
-        config.getRecaptchaConfiguration().getProjectPath(),
+        config.getRecaptchaConfiguration().projectPath(),
-        config.getRecaptchaConfiguration().getCredentialConfigurationJson(),
+        useSecondaryCredentialsJson
+            ? config.getRecaptchaConfiguration().secondaryCredentialConfigurationJson()
+            : config.getRecaptchaConfiguration().credentialConfigurationJson(),
         dynamicConfigurationManager);
     HttpClient hcaptchaHttpClient = HttpClient.newBuilder().version(HttpClient.Version.HTTP_2)
         .connectTimeout(Duration.ofSeconds(10)).build();

service/src/main/java/org/whispersystems/textsecuregcm/configuration/AdminEventLoggingConfiguration.java

@@ -10,6 +10,7 @@ import javax.validation.constraints.NotEmpty;
 
 public record AdminEventLoggingConfiguration(
     @NotBlank String credentials,
+    @NotBlank String secondaryCredentials,
     @NotEmpty String projectId,
     @NotEmpty String logName) {
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/RecaptchaConfiguration.java

@@ -7,18 +7,7 @@ package org.whispersystems.textsecuregcm.configuration;
 
 import javax.validation.constraints.NotEmpty;
 
-public class RecaptchaConfiguration {
+public record RecaptchaConfiguration(@NotEmpty String projectPath, @NotEmpty String credentialConfigurationJson,
+                                     @NotEmpty String secondaryCredentialConfigurationJson) {
 
-  private String projectPath;
-  private String credentialConfigurationJson;
-
-  @NotEmpty
-  public String getProjectPath() {
-    return projectPath;
-  }
-
-  @NotEmpty
-  public String getCredentialConfigurationJson() {
-    return credentialConfigurationJson;
-  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/RegistrationServiceConfiguration.java

@@ -5,6 +5,7 @@ import javax.validation.constraints.NotBlank;
 public record RegistrationServiceConfiguration(@NotBlank String host,
                                                int port,
                                                @NotBlank String credentialConfigurationJson,
+                                               @NotBlank String secondaryCredentialConfigurationJson,
                                                @NotBlank String identityTokenAudience,
                                                @NotBlank String registrationCaCertificate) {
 }