Add a secure backup service client.

service/src/main/java/org/whispersystems/textsecuregcm/configuration/SecureBackupServiceConfiguration.java

@@ -6,7 +6,11 @@
 package org.whispersystems.textsecuregcm.configuration;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
+import javax.validation.Valid;
+import javax.validation.constraints.NotBlank;
 import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.NotNull;
+import com.google.common.annotations.VisibleForTesting;
 import org.apache.commons.codec.DecoderException;
 import org.apache.commons.codec.binary.Hex;
 
@@ -16,8 +20,51 @@ public class SecureBackupServiceConfiguration {
   @JsonProperty
   private String userAuthenticationTokenSharedSecret;
 
+  @NotBlank
+  @JsonProperty
+  private String uri;
+
+  @NotBlank
+  @JsonProperty
+  private String backupCaCertificate;
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  private CircuitBreakerConfiguration circuitBreaker = new CircuitBreakerConfiguration();
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  private RetryConfiguration retry = new RetryConfiguration();
+
   public byte[] getUserAuthenticationTokenSharedSecret() throws DecoderException {
     return Hex.decodeHex(userAuthenticationTokenSharedSecret.toCharArray());
   }
 
+  @VisibleForTesting
+  public void setUri(final String uri) {
+    this.uri = uri;
+  }
+
+  public String getUri() {
+    return uri;
+  }
+
+  @VisibleForTesting
+  public void setBackupCaCertificate(final String backupCaCertificate) {
+    this.backupCaCertificate = backupCaCertificate;
+  }
+
+  public String getBackupCaCertificate() {
+    return backupCaCertificate;
+  }
+
+  public CircuitBreakerConfiguration getCircuitBreakerConfiguration() {
+    return circuitBreaker;
+  }
+
+  public RetryConfiguration getRetryConfiguration() {
+    return retry;
+  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/securebackup/SecureBackupClient.java

@@ -0,0 +1,70 @@
+/*
+ * Copyright 2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.securebackup;
+
+import com.google.common.annotations.VisibleForTesting;
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.nio.charset.StandardCharsets;
+import java.security.cert.CertificateException;
+import java.time.Duration;
+import java.util.UUID;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.Executor;
+import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentialGenerator;
+import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentials;
+import org.whispersystems.textsecuregcm.configuration.SecureBackupServiceConfiguration;
+import org.whispersystems.textsecuregcm.http.FaultTolerantHttpClient;
+import org.whispersystems.textsecuregcm.util.Base64;
+
+/**
+ * A client for sending requests to Signal's secure value recovery service on behalf of authenticated users.
+ */
+public class SecureBackupClient {
+
+    private final ExternalServiceCredentialGenerator secureBackupCredentialGenerator;
+    private final URI                                deleteUri;
+    private final FaultTolerantHttpClient            httpClient;
+
+    @VisibleForTesting
+    static final String DELETE_PATH = "/v1/backup";
+
+    public SecureBackupClient(final ExternalServiceCredentialGenerator secureBackupCredentialGenerator, final Executor executor, final SecureBackupServiceConfiguration configuration) throws CertificateException {
+        this.secureBackupCredentialGenerator   = secureBackupCredentialGenerator;
+        this.deleteUri                         = URI.create(configuration.getUri()).resolve(DELETE_PATH);
+        this.httpClient                        = FaultTolerantHttpClient.newBuilder()
+                                                                        .withCircuitBreaker(configuration.getCircuitBreakerConfiguration())
+                                                                        .withRetry(configuration.getRetryConfiguration())
+                                                                        .withVersion(HttpClient.Version.HTTP_1_1)
+                                                                        .withConnectTimeout(Duration.ofSeconds(10))
+                                                                        .withRedirect(HttpClient.Redirect.NEVER)
+                                                                        .withExecutor(executor)
+                                                                        .withName("secure-backup")
+                                                                        .withSecurityProtocol(FaultTolerantHttpClient.SECURITY_PROTOCOL_TLS_1_2)
+                                                                        .withTrustedServerCertificate(configuration.getBackupCaCertificate())
+                                                                        .build();
+    }
+
+    public CompletableFuture<Void> deleteBackups(final UUID accountUuid) {
+        final ExternalServiceCredentials credentials = secureBackupCredentialGenerator.generateFor(accountUuid.toString());
+
+        final HttpRequest request = HttpRequest.newBuilder()
+                .uri(deleteUri)
+                .DELETE()
+                .header("Authorization", "Basic " + Base64.encodeBytes((credentials.getUsername() + ":" + credentials.getPassword()).getBytes(StandardCharsets.UTF_8)))
+                .build();
+
+        return httpClient.sendAsync(request, HttpResponse.BodyHandlers.ofString()).thenApply(response -> {
+            if (response.statusCode() >= 200 && response.statusCode() < 300) {
+                return null;
+            }
+
+            throw new SecureBackupException("Failed to delete backup: " + response.statusCode());
+        });
+    }
+}

service/src/main/java/org/whispersystems/textsecuregcm/securebackup/SecureBackupException.java

@@ -0,0 +1,13 @@
+/*
+ * Copyright 2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.securebackup;
+
+public class SecureBackupException extends RuntimeException {
+
+    public SecureBackupException(final String message) {
+        super(message);
+    }
+}