Signal/Signal-Server
1
0
Fork 0
mirror of https://github.com/signalapp/Signal-Server synced 2026-04-21 14:08:07 +01:00
Code Issues Packages Projects Releases Wiki Activity

Support for v2 registration lock

Browse Source
This commit is contained in:
Moxie Marlinspike
2019-06-07 15:19:11 -07:00
parent 4fdbe9b9ff
commit 11902dec3c
22 changed files with 538 additions and 127 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
service/src/test/java/org/whispersystems/textsecuregcm/tests/auth/AuthenticationCredentialsTest.java Normal file
View File

@@ -0,0 +1,35 @@
package org.whispersystems.textsecuregcm.tests.auth;
import org.junit.Test;
import org.whispersystems.textsecuregcm.auth.AuthenticationCredentials;
import static org.assertj.core.api.AssertionsForClassTypes.assertThat;
public class AuthenticationCredentialsTest {
@Test
public void testCreating() {
AuthenticationCredentials credentials = new AuthenticationCredentials("mypassword");
assertThat(credentials.getSalt()).isNotEmpty();
assertThat(credentials.getHashedAuthenticationToken()).isNotEmpty();
assertThat(credentials.getHashedAuthenticationToken().length()).isEqualTo(40);
}
@Test
public void testMatching() {
AuthenticationCredentials credentials = new AuthenticationCredentials("mypassword");
AuthenticationCredentials provided = new AuthenticationCredentials(credentials.getHashedAuthenticationToken(), credentials.getSalt());
assertThat(provided.verify("mypassword")).isTrue();
}
@Test
public void testMisMatching() {
AuthenticationCredentials credentials = new AuthenticationCredentials("mypassword");
AuthenticationCredentials provided = new AuthenticationCredentials(credentials.getHashedAuthenticationToken(), credentials.getSalt());
assertThat(provided.verify("wrong")).isFalse();
}
}

29
service/src/test/java/org/whispersystems/textsecuregcm/tests/auth/ExternalServiceCredentialsGeneratorTest.java Normal file
View File

@@ -0,0 +1,29 @@
package org.whispersystems.textsecuregcm.tests.auth;
import org.junit.Test;
import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentialGenerator;
import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentials;
import static org.assertj.core.api.AssertionsForClassTypes.assertThat;
public class ExternalServiceCredentialsGeneratorTest {
@Test
public void testGenerateDerivedUsername() {
ExternalServiceCredentialGenerator generator = new ExternalServiceCredentialGenerator(new byte[32], new byte[32], true);
ExternalServiceCredentials credentials = generator.generateFor("+14152222222");
assertThat(credentials.getUsername()).isNotEqualTo("+14152222222");
assertThat(credentials.getPassword().startsWith("+14152222222")).isFalse();
}
@Test
public void testGenerateNoDerivedUsername() {
ExternalServiceCredentialGenerator generator = new ExternalServiceCredentialGenerator(new byte[32], new byte[32], false);
ExternalServiceCredentials credentials = generator.generateFor("+14152222222");
assertThat(credentials.getUsername()).isEqualTo("+14152222222");
assertThat(credentials.getPassword().startsWith("+14152222222")).isTrue();
}
}

138
service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/AccountControllerTest.java
View File

@@ -1,13 +1,14 @@
package org.whispersystems.textsecuregcm.tests.controllers;
import com.google.common.collect.ImmutableSet;
import net.sourceforge.argparse4j.inf.Argument;
import org.glassfish.jersey.test.grizzly.GrizzlyWebTestContainerFactory;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.mockito.ArgumentCaptor;
import org.whispersystems.textsecuregcm.auth.AuthenticationCredentials;
import org.whispersystems.textsecuregcm.auth.DisabledPermittedAccount;
import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentialGenerator;
import org.whispersystems.textsecuregcm.auth.StoredVerificationCode;
import org.whispersystems.textsecuregcm.auth.TurnTokenGenerator;
import org.whispersystems.textsecuregcm.controllers.AccountController;
@@ -15,6 +16,7 @@ import org.whispersystems.textsecuregcm.controllers.RateLimitExceededException;
import org.whispersystems.textsecuregcm.entities.AccountAttributes;
import org.whispersystems.textsecuregcm.entities.ApnRegistrationId;
import org.whispersystems.textsecuregcm.entities.GcmRegistrationId;
import org.whispersystems.textsecuregcm.entities.DeprecatedPin;
import org.whispersystems.textsecuregcm.entities.RegistrationLock;
import org.whispersystems.textsecuregcm.entities.RegistrationLockFailure;
import org.whispersystems.textsecuregcm.limits.RateLimiter;
@@ -35,12 +37,14 @@ import org.whispersystems.textsecuregcm.storage.AccountsManager;
import org.whispersystems.textsecuregcm.storage.MessagesManager;
import org.whispersystems.textsecuregcm.storage.PendingAccountsManager;
import org.whispersystems.textsecuregcm.tests.util.AuthHelper;
import org.whispersystems.textsecuregcm.util.Hex;
import org.whispersystems.textsecuregcm.util.SystemMapper;
import javax.ws.rs.client.Entity;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Collections;
import java.util.HashMap;
import java.util.Optional;
@@ -60,6 +64,7 @@ public class AccountControllerTest {
private static final String SENDER_OVER_PIN = "+14154444444";
private static final String SENDER_OVER_PREFIX = "+14156666666";
private static final String SENDER_PREAUTH = "+14157777777";
private static final String SENDER_REG_LOCK = "+14158888888";
private static final String ABUSIVE_HOST = "192.168.1.1";
private static final String RESTRICTED_HOST = "192.168.1.2";
@@ -86,10 +91,14 @@ public class AccountControllerTest {
private TimeProvider timeProvider = mock(TimeProvider.class );
private TurnTokenGenerator turnTokenGenerator = mock(TurnTokenGenerator.class);
private Account senderPinAccount = mock(Account.class);
private Account senderRegLockAccount = mock(Account.class);
private RecaptchaClient recaptchaClient = mock(RecaptchaClient.class);
private GCMSender gcmSender = mock(GCMSender.class);
private APNSender apnSender = mock(APNSender.class);
private byte[] registration_lock_key = new byte[32];
private ExternalServiceCredentialGenerator storageCredentialGenerator = new ExternalServiceCredentialGenerator(new byte[32], new byte[32], false);
@Rule
public final ResourceTestRule resources = ResourceTestRule.builder()
.addProvider(AuthHelper.getAuthFilter())
@@ -108,12 +117,16 @@ public class AccountControllerTest {
new HashMap<>(),
recaptchaClient,
gcmSender,
apnSender))
apnSender,
storageCredentialGenerator))
.build();
@Before
public void setup() throws Exception {
new SecureRandom().nextBytes(registration_lock_key);
AuthenticationCredentials registrationLockCredentials = new AuthenticationCredentials(Hex.toStringCondensed(registration_lock_key));
when(rateLimiters.getSmsDestinationLimiter()).thenReturn(rateLimiter);
when(rateLimiters.getVoiceDestinationLimiter()).thenReturn(rateLimiter);
when(rateLimiters.getVerifyLimiter()).thenReturn(rateLimiter);
@@ -127,13 +140,20 @@ public class AccountControllerTest {
when(senderPinAccount.getPin()).thenReturn(Optional.of("31337"));
when(senderPinAccount.getLastSeen()).thenReturn(System.currentTimeMillis());
when(senderRegLockAccount.getPin()).thenReturn(Optional.empty());
when(senderRegLockAccount.getRegistrationLock()).thenReturn(Optional.of(registrationLockCredentials.getHashedAuthenticationToken()));
when(senderRegLockAccount.getRegistrationLockSalt()).thenReturn(Optional.of(registrationLockCredentials.getSalt()));
when(senderRegLockAccount.getLastSeen()).thenReturn(System.currentTimeMillis());
when(pendingAccountsManager.getCodeForNumber(SENDER)).thenReturn(Optional.of(new StoredVerificationCode("1234", System.currentTimeMillis(), null)));
when(pendingAccountsManager.getCodeForNumber(SENDER_OLD)).thenReturn(Optional.of(new StoredVerificationCode("1234", System.currentTimeMillis() - TimeUnit.MINUTES.toMillis(31), null)));
when(pendingAccountsManager.getCodeForNumber(SENDER_PIN)).thenReturn(Optional.of(new StoredVerificationCode("333333", System.currentTimeMillis(), null)));
when(pendingAccountsManager.getCodeForNumber(SENDER_REG_LOCK)).thenReturn(Optional.of(new StoredVerificationCode("666666", System.currentTimeMillis(), null)));
when(pendingAccountsManager.getCodeForNumber(SENDER_OVER_PIN)).thenReturn(Optional.of(new StoredVerificationCode("444444", System.currentTimeMillis(), null)));
when(pendingAccountsManager.getCodeForNumber(SENDER_PREAUTH)).thenReturn(Optional.of(new StoredVerificationCode("555555", System.currentTimeMillis(), "validchallenge")));
when(accountsManager.get(eq(SENDER_PIN))).thenReturn(Optional.of(senderPinAccount));
when(accountsManager.get(eq(SENDER_REG_LOCK))).thenReturn(Optional.of(senderRegLockAccount));
when(accountsManager.get(eq(SENDER_OVER_PIN))).thenReturn(Optional.of(senderPinAccount));
when(accountsManager.get(eq(SENDER))).thenReturn(Optional.empty());
when(accountsManager.get(eq(SENDER_OLD))).thenReturn(Optional.empty());
@@ -502,6 +522,21 @@ public class AccountControllerTest {
verify(pinLimiter).validate(eq(SENDER_PIN));
}
@Test
public void testVerifyRegistrationLock() throws Exception {
Response response =
resources.getJerseyTest()
.target(String.format("/v1/accounts/code/%s", "666666"))
.request()
.header("Authorization", AuthHelper.getAuthHeader(SENDER_REG_LOCK, "bar"))
.put(Entity.entity(new AccountAttributes("keykeykeykey", false, 3333, null, null, Hex.toStringCondensed(registration_lock_key)),
MediaType.APPLICATION_JSON_TYPE));
assertThat(response.getStatus()).isEqualTo(204);
verify(pinLimiter).validate(eq(SENDER_REG_LOCK));
}
@Test
public void testVerifyWrongPin() throws Exception {
Response response =
@@ -517,6 +552,21 @@ public class AccountControllerTest {
verify(pinLimiter).validate(eq(SENDER_PIN));
}
@Test
public void testVerifyWrongRegistrationLock() throws Exception {
Response response =
resources.getJerseyTest()
.target(String.format("/v1/accounts/code/%s", "666666"))
.request()
.header("Authorization", AuthHelper.getAuthHeader(SENDER_REG_LOCK, "bar"))
.put(Entity.entity(new AccountAttributes("keykeykeykey", false, 3333, Hex.toStringCondensed(new byte[32])),
MediaType.APPLICATION_JSON_TYPE));
assertThat(response.getStatus()).isEqualTo(423);
verify(pinLimiter).validate(eq(SENDER_REG_LOCK));
}
@Test
public void testVerifyNoPin() throws Exception {
Response response =
@@ -530,10 +580,34 @@ public class AccountControllerTest {
assertThat(response.getStatus()).isEqualTo(423);
RegistrationLockFailure failure = response.readEntity(RegistrationLockFailure.class);
assertThat(failure.getStorageCredentials()).isNull();
verifyNoMoreInteractions(pinLimiter);
}
@Test
public void testVerifyNoRegistrationLock() throws Exception {
Response response =
resources.getJerseyTest()
.target(String.format("/v1/accounts/code/%s", "666666"))
.request()
.header("Authorization", AuthHelper.getAuthHeader(SENDER_REG_LOCK, "bar"))
.put(Entity.entity(new AccountAttributes("keykeykeykey", false, 3333, null),
MediaType.APPLICATION_JSON_TYPE));
assertThat(response.getStatus()).isEqualTo(423);
RegistrationLockFailure failure = response.readEntity(RegistrationLockFailure.class);
assertThat(failure.getStorageCredentials()).isNotNull();
assertThat(failure.getStorageCredentials().getUsername()).isEqualTo(SENDER_REG_LOCK);
assertThat(failure.getStorageCredentials().getPassword()).isNotEmpty();
assertThat(failure.getStorageCredentials().getPassword().startsWith(SENDER_REG_LOCK)).isTrue();
assertThat(failure.getTimeRemaining()).isGreaterThan(0);
verifyNoMoreInteractions(pinLimiter);
}
@Test
public void testVerifyLimitPin() throws Exception {
Response response =
@@ -577,20 +651,47 @@ public class AccountControllerTest {
.target("/v1/accounts/pin/")
.request()
.header("Authorization", AuthHelper.getAuthHeader(AuthHelper.VALID_NUMBER, AuthHelper.VALID_PASSWORD))
.put(Entity.json(new RegistrationLock("31337")));
.put(Entity.json(new DeprecatedPin("31337")));
assertThat(response.getStatus()).isEqualTo(204);
verify(AuthHelper.VALID_ACCOUNT).setPin(eq("31337"));
verify(AuthHelper.VALID_ACCOUNT).setRegistrationLock(eq(null));
verify(AuthHelper.VALID_ACCOUNT).setRegistrationLockSalt(eq(null));
}
@Test
public void testSetRegistrationLock() throws Exception {
Response response =
resources.getJerseyTest()
.target("/v1/accounts/registration_lock/")
.request()
.header("Authorization", AuthHelper.getAuthHeader(AuthHelper.VALID_NUMBER, AuthHelper.VALID_PASSWORD))
.put(Entity.json(new RegistrationLock("1234567890123456789012345678901234567890123456789012345678901234")));
assertThat(response.getStatus()).isEqualTo(204);
ArgumentCaptor<String> pinCapture = ArgumentCaptor.forClass(String.class);
ArgumentCaptor<String> pinSaltCapture = ArgumentCaptor.forClass(String.class);
verify(AuthHelper.VALID_ACCOUNT, times(1)).setPin(eq(null));
verify(AuthHelper.VALID_ACCOUNT, times(1)).setRegistrationLock(pinCapture.capture());
verify(AuthHelper.VALID_ACCOUNT, times(1)).setRegistrationLockSalt(pinSaltCapture.capture());
assertThat(pinCapture.getValue()).isNotEmpty();
assertThat(pinSaltCapture.getValue()).isNotEmpty();
assertThat(pinCapture.getValue().length()).isEqualTo(40);
}
@Test
public void testSetPinUnauthorized() throws Exception {
Response response =
resources.getJerseyTest()
.target("/v1/accounts/pin/")
.request()
.put(Entity.json(new RegistrationLock("31337")));
.put(Entity.json(new DeprecatedPin("31337")));
assertThat(response.getStatus()).isEqualTo(401);
}
@@ -602,13 +703,24 @@ public class AccountControllerTest {
.target("/v1/accounts/pin/")
.request()
.header("Authorization", AuthHelper.getAuthHeader(AuthHelper.VALID_NUMBER, AuthHelper.VALID_PASSWORD))
.put(Entity.json(new DeprecatedPin("313")));
assertThat(response.getStatus()).isEqualTo(422);
}
@Test
public void testSetShortRegistrationLock() throws Exception {
Response response =
resources.getJerseyTest()
.target("/v1/accounts/registration_lock/")
.request()
.header("Authorization", AuthHelper.getAuthHeader(AuthHelper.VALID_NUMBER, AuthHelper.VALID_PASSWORD))
.put(Entity.json(new RegistrationLock("313")));
assertThat(response.getStatus()).isEqualTo(422);
verify(AuthHelper.VALID_ACCOUNT, never()).setPin(anyString());
}
@Test
public void testSetPinDisabled() throws Exception {
Response response =
@@ -616,11 +728,21 @@ public class AccountControllerTest {
.target("/v1/accounts/pin/")
.request()
.header("Authorization", AuthHelper.getAuthHeader(AuthHelper.DISABLED_NUMBER, AuthHelper.DISABLED_PASSWORD))
.put(Entity.json(new RegistrationLock("31337")));
.put(Entity.json(new DeprecatedPin("31337")));
assertThat(response.getStatus()).isEqualTo(401);
}
verify(AuthHelper.VALID_ACCOUNT, never()).setPin(anyString());
@Test
public void testSetRegistrationLockDisabled() throws Exception {
Response response =
resources.getJerseyTest()
.target("/v1/accounts/registration_lock/")
.request()
.header("Authorization", AuthHelper.getAuthHeader(AuthHelper.DISABLED_NUMBER, AuthHelper.DISABLED_PASSWORD))
.put(Entity.json(new RegistrationLock("1234567890123456789012345678901234567890123456789012345678901234")));
assertThat(response.getStatus()).isEqualTo(401);
}

2
service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/DeviceControllerTest.java
View File

@@ -212,7 +212,7 @@ public class DeviceControllerTest {
.target("/v1/devices/5678901")
.request()
.header("Authorization", AuthHelper.getAuthHeader(AuthHelper.VALID_NUMBER, "password1"))
.put(Entity.entity(new AccountAttributes("keykeykeykey", false, 1234, "this is a really long name that is longer than 80 characters it's so long that it's even longer than 204 characters. that's a lot of characters. we're talking lots and lots and lots of characters. 12345678", true, true, null),
.put(Entity.entity(new AccountAttributes("keykeykeykey", false, 1234, "this is a really long name that is longer than 80 characters it's so long that it's even longer than 204 characters. that's a lot of characters. we're talking lots and lots and lots of characters. 12345678", null, null),
MediaType.APPLICATION_JSON_TYPE));
assertEquals(response.getStatus(), 422);

12
service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/DirectoryControllerTest.java
View File

@@ -7,8 +7,8 @@ import org.junit.Rule;
import org.junit.Test;
import org.mockito.invocation.InvocationOnMock;
import org.mockito.stubbing.Answer;
import org.whispersystems.textsecuregcm.auth.DirectoryCredentials;
import org.whispersystems.textsecuregcm.auth.DirectoryCredentialsGenerator;
import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentials;
import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentialGenerator;
import org.whispersystems.textsecuregcm.auth.DisabledPermittedAccount;
import org.whispersystems.textsecuregcm.controllers.DirectoryController;
import org.whispersystems.textsecuregcm.entities.ClientContactTokens;
@@ -42,9 +42,9 @@ public class DirectoryControllerTest {
private final RateLimiters rateLimiters = mock(RateLimiters.class);
private final RateLimiter rateLimiter = mock(RateLimiter.class);
private final DirectoryManager directoryManager = mock(DirectoryManager.class);
private final DirectoryCredentialsGenerator directoryCredentialsGenerator = mock(DirectoryCredentialsGenerator.class);
private final ExternalServiceCredentialGenerator directoryCredentialsGenerator = mock(ExternalServiceCredentialGenerator.class);
private final DirectoryCredentials validCredentials = new DirectoryCredentials("username", "password");
private final ExternalServiceCredentials validCredentials = new ExternalServiceCredentials("username", "password");
@Rule
public final ResourceTestRule resources = ResourceTestRule.builder()
@@ -140,12 +140,12 @@ public class DirectoryControllerTest {
@Test
public void testGetAuthToken() {
DirectoryCredentials token =
ExternalServiceCredentials token =
resources.getJerseyTest()
.target("/v1/directory/auth")
.request()
.header("Authorization", AuthHelper.getAuthHeader(AuthHelper.VALID_NUMBER, AuthHelper.VALID_PASSWORD))
.get(DirectoryCredentials.class);
.get(ExternalServiceCredentials.class);
assertThat(token.getUsername()).isEqualTo(validCredentials.getUsername());
assertThat(token.getPassword()).isEqualTo(validCredentials.getPassword());
}

59
service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/SecureStorageControllerTest.java Normal file
View File

@@ -0,0 +1,59 @@
package org.whispersystems.textsecuregcm.tests.controllers;
import com.google.common.collect.ImmutableSet;
import org.glassfish.jersey.test.grizzly.GrizzlyWebTestContainerFactory;
import org.junit.ClassRule;
import org.junit.Test;
import org.whispersystems.textsecuregcm.auth.DisabledPermittedAccount;
import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentialGenerator;
import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentials;
import org.whispersystems.textsecuregcm.controllers.SecureStorageController;
import org.whispersystems.textsecuregcm.storage.Account;
import org.whispersystems.textsecuregcm.tests.util.AuthHelper;
import org.whispersystems.textsecuregcm.util.SystemMapper;
import javax.ws.rs.core.Response;
import io.dropwizard.auth.PolymorphicAuthValueFactoryProvider;
import io.dropwizard.testing.junit.ResourceTestRule;
import static org.assertj.core.api.AssertionsForClassTypes.assertThat;
public class SecureStorageControllerTest {
private static final ExternalServiceCredentialGenerator storageCredentialGenerator = new ExternalServiceCredentialGenerator(new byte[32], new byte[32], false);
@ClassRule
public static final ResourceTestRule resources = ResourceTestRule.builder()
.addProvider(AuthHelper.getAuthFilter())
.addProvider(new PolymorphicAuthValueFactoryProvider.Binder<>(ImmutableSet.of(Account.class, DisabledPermittedAccount.class)))
.setMapper(SystemMapper.getMapper())
.setTestContainerFactory(new GrizzlyWebTestContainerFactory())
.addResource(new SecureStorageController(storageCredentialGenerator))
.build();
@Test
public void testGetCredentials() throws Exception {
ExternalServiceCredentials credentials = resources.getJerseyTest()
.target("/v1/storage/auth")
.request()
.header("Authorization", AuthHelper.getAuthHeader(AuthHelper.VALID_NUMBER, AuthHelper.VALID_PASSWORD))
.get(ExternalServiceCredentials.class);
assertThat(credentials.getPassword()).isNotEmpty();
assertThat(credentials.getUsername()).isNotEmpty();
}
@Test
public void testGetCredentialsBadAuth() throws Exception {
Response response = resources.getJerseyTest()
.target("/v1/storage/auth")
.request()
.header("Authorization", AuthHelper.getAuthHeader(AuthHelper.INVVALID_NUMBER, AuthHelper.INVALID_PASSWORD))
.get();
assertThat(response.getStatus()).isEqualTo(401);
}
}