Treat APNs team/key IDs as secrets so they can change atomically with the key itself

2023-10-12 12:23:26 -04:00 · 2023-10-12 12:23:26 -04:00 · f2a3b8dba4
parent 207ae6129b
commit f2a3b8dba4
4 changed files with 7 additions and 5 deletions
--- a/service/config/sample-secrets-bundle.yml
+++ b/service/config/sample-secrets-bundle.yml
@ -46,6 +46,8 @@ gcpAttachments.rsaSigningKey: |
  AAAAAAAA
  -----END PRIVATE KEY-----

+apn.teamId: team-id
+apn.keyId: key-id
 apn.signingKey: |
  -----BEGIN PRIVATE KEY-----
  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
--- a/service/config/sample.yml
+++ b/service/config/sample.yml
@ -208,8 +208,8 @@ accountDatabaseCrawler:
 apn: # Apple Push Notifications configuration
  sandbox: true
  bundleId: com.example.textsecuregcm
-  keyId: unset
-  teamId: unset
+  keyId: secret://apn.keyId
+  teamId: secret://apn.teamId
  signingKey: secret://apn.signingKey

 fcm: # FCM configuration
--- a/service/src/main/java/org/whispersystems/textsecuregcm/configuration/ApnConfiguration.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/configuration/ApnConfiguration.java
@ -9,8 +9,8 @@ import javax.validation.constraints.NotNull;
 import org.whispersystems.textsecuregcm.configuration.secrets.SecretString;


-public record ApnConfiguration(@NotBlank String teamId,
-                               @NotBlank String keyId,
+public record ApnConfiguration(@NotNull SecretString teamId,
+                               @NotNull SecretString keyId,
                               @NotNull SecretString signingKey,
                               @NotBlank String bundleId,
                               boolean sandbox) {
--- a/service/src/main/java/org/whispersystems/textsecuregcm/push/APNSender.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/push/APNSender.java
@ -64,7 +64,7 @@ public class APNSender implements Managed, PushNotificationSender {
    this.bundleId = configuration.bundleId();
    this.apnsClient = new ApnsClientBuilder().setSigningKey(
            ApnsSigningKey.loadFromInputStream(new ByteArrayInputStream(configuration.signingKey().value().getBytes()),
-                configuration.teamId(), configuration.keyId()))
+                configuration.teamId().value(), configuration.keyId().value()))
        .setTrustedServerCertificateChain(getClass().getResourceAsStream(APNS_CA_FILENAME))
        .setApnsServer(configuration.sandbox() ? ApnsClientBuilder.DEVELOPMENT_APNS_HOST : ApnsClientBuilder.PRODUCTION_APNS_HOST)
        .build();