Add some extra request validation to `/v1/archives/keys`

2023-12-06 13:25:20 -06:00 · 2023-12-06 13:25:20 -06:00 · fc0bc85f4d
parent 5ae2e5281a
commit fc0bc85f4d
2 changed files with 17 additions and 1 deletions
--- a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/ArchiveController.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/ArchiveController.java
@ -276,6 +276,7 @@ public class ArchiveController {
  public record SetPublicKeyRequest(
      @JsonSerialize(using = ECPublicKeyAdapter.Serializer.class)
      @JsonDeserialize(using = ECPublicKeyAdapter.Deserializer.class)
+      @NotNull
      @Schema(type = "string", description = "The public key, serialized in libsignal's elliptic-curve public key format, and encoded in standard padded base64.")
      ECPublicKey backupIdPublicKey) {}

@ -304,7 +305,7 @@ public class ArchiveController {
      @NotNull
      @HeaderParam(X_SIGNAL_ZK_AUTH_SIGNATURE) final BackupAuthCredentialPresentationSignature signature,

-      @NotNull SetPublicKeyRequest setPublicKeyRequest) {
+      @Valid @NotNull SetPublicKeyRequest setPublicKeyRequest) {
    return backupManager
        .setPublicKey(presentation.presentation, signature.signature, setPublicKeyRequest.backupIdPublicKey)
        .thenApply(Util.ASYNC_EMPTY_RESPONSE);
--- a/service/src/test/java/org/whispersystems/textsecuregcm/controllers/ArchiveControllerTest.java
+++ b/service/src/test/java/org/whispersystems/textsecuregcm/controllers/ArchiveControllerTest.java
@ -170,6 +170,21 @@ public class ArchiveControllerTest {
    assertThat(response.getStatus()).isEqualTo(400);
  }

+  @Test
+  public void setMissingPublicKey() throws VerificationFailedException {
+    when(backupManager.setPublicKey(any(), any(), any())).thenReturn(CompletableFuture.completedFuture(null));
+
+    final BackupAuthCredentialPresentation presentation = backupAuthTestUtil.getPresentation(
+        BackupTier.MEDIA, backupKey, aci);
+    final Response response = resources.getJerseyTest()
+        .target("v1/archives/keys")
+        .request()
+        .header("X-Signal-ZK-Auth", Base64.getEncoder().encodeToString(presentation.serialize()))
+        .header("X-Signal-ZK-Auth-Signature", "aaa")
+        .put(Entity.entity("{}", MediaType.APPLICATION_JSON_TYPE));
+    assertThat(response.getStatus()).isEqualTo(422);
+  }
+
  @Test
  public void setPublicKey() throws VerificationFailedException {
    when(backupManager.setPublicKey(any(), any(), any())).thenReturn(CompletableFuture.completedFuture(null));