support REST deprecation by platform for all requests with % rollout

service/src/main/java/org/whispersystems/textsecuregcm/configuration/dynamic/DynamicConfiguration.java

@@ -64,7 +64,7 @@ public class DynamicConfiguration {
 
   @JsonProperty
   @Valid
-  Map<ClientPlatform, Semver> minimumRestFreeVersion = Map.of();
+  DynamicRestDeprecationConfiguration restDeprecation = new DynamicRestDeprecationConfiguration(Map.of());
 
   public Optional<DynamicExperimentEnrollmentConfiguration> getExperimentEnrollmentConfiguration(
       final String experimentName) {
@@ -112,8 +112,8 @@ public class DynamicConfiguration {
     return svrStatusCodesToIgnoreForAccountDeletion;
   }
 
-  public Map<ClientPlatform, Semver> minimumRestFreeVersion() {
-    return minimumRestFreeVersion;
+  public DynamicRestDeprecationConfiguration restDeprecation() {
+    return restDeprecation;
   }
 
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/dynamic/DynamicRestDeprecationConfiguration.java

@@ -0,0 +1,14 @@
+/*
+ * Copyright 2025 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration.dynamic;
+
+import com.vdurmont.semver4j.Semver;
+import java.util.Map;
+import org.whispersystems.textsecuregcm.util.ua.ClientPlatform;
+
+public record DynamicRestDeprecationConfiguration(Map<ClientPlatform, PlatformConfiguration> platforms) {
+  public record PlatformConfiguration(Semver minimumRestFreeVersion, int universalRolloutPercent) {}
+}

service/src/main/java/org/whispersystems/textsecuregcm/filters/RestDeprecationFilter.java

@@ -5,6 +5,7 @@
 
 package org.whispersystems.textsecuregcm.filters;
 
+import com.google.common.annotations.VisibleForTesting;
 import com.google.common.net.HttpHeaders;
 import com.vdurmont.semver4j.Semver;
 import io.micrometer.core.instrument.Metrics;
@@ -14,11 +15,14 @@ import jakarta.ws.rs.container.ContainerRequestContext;
 import jakarta.ws.rs.container.ContainerRequestFilter;
 import jakarta.ws.rs.core.SecurityContext;
 import java.io.IOException;
-import java.util.Map;
+import java.util.Random;
+import java.util.concurrent.ThreadLocalRandom;
+import java.util.function.Supplier;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.whispersystems.textsecuregcm.auth.AuthenticatedDevice;
 import org.whispersystems.textsecuregcm.configuration.dynamic.DynamicConfiguration;
+import org.whispersystems.textsecuregcm.configuration.dynamic.DynamicRestDeprecationConfiguration.PlatformConfiguration;
 import org.whispersystems.textsecuregcm.experiment.ExperimentEnrollmentManager;
 import org.whispersystems.textsecuregcm.metrics.MetricsUtil;
 import org.whispersystems.textsecuregcm.storage.DynamicConfigurationManager;
@@ -29,51 +33,48 @@ import org.whispersystems.textsecuregcm.util.ua.UserAgentUtil;
 
 public class RestDeprecationFilter implements ContainerRequestFilter {
 
-  private static final String EXPERIMENT_NAME = "restDeprecation";
+  private static final String AUTHENTICATED_EXPERIMENT_NAME = "restDeprecation";
   private static final String DEPRECATED_REST_COUNTER_NAME = MetricsUtil.name(RestDeprecationFilter.class, "blockedRestRequest");
 
   private static final Logger log = LoggerFactory.getLogger(RestDeprecationFilter.class);
 
   final DynamicConfigurationManager<DynamicConfiguration> dynamicConfigurationManager;
   final ExperimentEnrollmentManager experimentEnrollmentManager;
+  final Supplier<Random> random;
 
   public RestDeprecationFilter(
       final DynamicConfigurationManager<DynamicConfiguration> dynamicConfigurationManager,
       final ExperimentEnrollmentManager experimentEnrollmentManager) {
+    this(dynamicConfigurationManager, experimentEnrollmentManager, ThreadLocalRandom::current);
+  }
+
+  @VisibleForTesting
+  public RestDeprecationFilter(
+      final DynamicConfigurationManager<DynamicConfiguration> dynamicConfigurationManager,
+      final ExperimentEnrollmentManager experimentEnrollmentManager,
+      final Supplier<Random> random) {
     this.dynamicConfigurationManager = dynamicConfigurationManager;
     this.experimentEnrollmentManager = experimentEnrollmentManager;
+    this.random = random;
   }
 
   @Override
   public void filter(final ContainerRequestContext requestContext) throws IOException {
 
-    final SecurityContext securityContext = requestContext.getSecurityContext();
-
-    if (securityContext == null || securityContext.getUserPrincipal() == null) {
-      // We can't check if an unauthenticated request is in the experiment
-      return;
-    }
-
-    if (securityContext.getUserPrincipal() instanceof AuthenticatedDevice ad) {
-      if (!experimentEnrollmentManager.isEnrolled(ad.getAccount().getUuid(), EXPERIMENT_NAME)) {
-        return;
-      }
-    } else {
-      log.error("Security context was not null but user principal was of type {}", securityContext.getUserPrincipal().getClass().getName());
-      return;
-    }
-
-    final Map<ClientPlatform, Semver> minimumRestFreeVersion = dynamicConfigurationManager.getConfiguration().minimumRestFreeVersion();
     final String userAgentString = requestContext.getHeaderString(HttpHeaders.USER_AGENT);
 
     try {
       final UserAgent userAgent = UserAgentUtil.parseUserAgentString(userAgentString);
       final ClientPlatform platform = userAgent.platform();
       final Semver version = userAgent.version();
-      if (!minimumRestFreeVersion.containsKey(platform)) {
+      final PlatformConfiguration config = dynamicConfigurationManager.getConfiguration().restDeprecation().platforms().get(platform);
+      if (config == null) {
         return;
       }
-      if (version.isGreaterThanOrEqualTo(minimumRestFreeVersion.get(platform))) {
+      if (!isEnrolled(requestContext, config.universalRolloutPercent())) {
+        return;
+      }
+      if (version.isGreaterThanOrEqualTo(config.minimumRestFreeVersion())) {
         Metrics.counter(
             DEPRECATED_REST_COUNTER_NAME, Tags.of("platform", platform.name().toLowerCase(), "version", version.toString()))
             .increment();
@@ -83,4 +84,23 @@ public class RestDeprecationFilter implements ContainerRequestFilter {
       return;                   // at present we're only interested in experimenting on known clients
     }
   }
+
+  private boolean isEnrolled(final ContainerRequestContext requestContext, int universalRolloutPercent) {
+    if (random.get().nextInt(100) < universalRolloutPercent) {
+      return true;
+    }
+
+    final SecurityContext securityContext = requestContext.getSecurityContext();
+
+    if (securityContext == null || securityContext.getUserPrincipal() == null) {
+      return false;
+    }
+
+    if (securityContext.getUserPrincipal() instanceof AuthenticatedDevice ad) {
+      return experimentEnrollmentManager.isEnrolled(ad.getAccount().getUuid(), AUTHENTICATED_EXPERIMENT_NAME);
+    } else {
+      log.error("Security context was not null but user principal was of type {}", securityContext.getUserPrincipal().getClass().getName());
+      return false;
+    }
+  }
 }