Validate registration ids for new accounts

2026-04-22 10:38:01 +01:00 · 2023-06-06 10:08:54 -05:00
parent 099932ae68
commit 2b266c7beb
6 changed files with 80 additions and 2 deletions
--- a/service/src/test/java/org/whispersystems/textsecuregcm/controllers/AccountControllerTest.java
+++ b/service/src/test/java/org/whispersystems/textsecuregcm/controllers/AccountControllerTest.java
@@ -1081,11 +1081,13 @@ class AccountControllerTest {
    when(registrationServiceClient.checkVerificationCode(sessionId, "1234", AccountController.REGISTRATION_RPC_TIMEOUT))
        .thenReturn(CompletableFuture.completedFuture(true));

+    final AccountAttributes attrs = new AccountAttributes(true, 1, "test", "", true, new Device.DeviceCapabilities());
+
    resources.getJerseyTest()
        .target("/v1/accounts/code/1234")
        .request()
        .header(HttpHeaders.AUTHORIZATION, AuthHelper.getProvisioningAuthHeader(SENDER, "bar"))
-        .put(Entity.entity(new AccountAttributes(), MediaType.APPLICATION_JSON_TYPE), AccountIdentityResponse.class);
+        .put(Entity.entity(attrs, MediaType.APPLICATION_JSON_TYPE), AccountIdentityResponse.class);

    verify(accountsManager).create(eq(SENDER), eq("bar"), any(), any(), anyList());

--- a/service/src/test/java/org/whispersystems/textsecuregcm/controllers/RegistrationControllerTest.java
+++ b/service/src/test/java/org/whispersystems/textsecuregcm/controllers/RegistrationControllerTest.java
@@ -16,12 +16,14 @@ import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;

+import com.fasterxml.jackson.core.JsonProcessingException;
 import com.google.i18n.phonenumbers.PhoneNumberUtil;
 import io.dropwizard.testing.junit5.DropwizardExtensionsSupport;
 import io.dropwizard.testing.junit5.ResourceExtension;
 import java.nio.charset.StandardCharsets;
 import java.time.Duration;
 import java.util.Base64;
+import java.util.HashMap;
 import java.util.Map;
 import java.util.Optional;
 import java.util.UUID;
@@ -129,6 +131,51 @@ class RegistrationControllerTest {
    }
  }

+  static Stream<Arguments> invalidRegistrationId() {
+    return Stream.of(
+        Arguments.of(Optional.of(1), Optional.of(1), 200),
+        Arguments.of(Optional.of(1), Optional.empty(), 200),
+        Arguments.of(Optional.of(0x3FFF), Optional.empty(), 200),
+        Arguments.of(Optional.empty(), Optional.of(1), 422),
+        Arguments.of(Optional.of(Integer.MAX_VALUE), Optional.empty(), 422),
+        Arguments.of(Optional.of(0x3FFF + 1), Optional.empty(), 422),
+        Arguments.of(Optional.of(1), Optional.of(0x3FFF + 1), 422)
+    );
+  }
+
+  @ParameterizedTest
+  @MethodSource()
+  void invalidRegistrationId(Optional<Integer> registrationId, Optional<Integer> pniRegistrationId, int statusCode) throws InterruptedException, JsonProcessingException {
+    final Invocation.Builder request = resources.getJerseyTest()
+        .target("/v1/registration")
+        .request()
+        .header(HttpHeaders.AUTHORIZATION, AuthHelper.getProvisioningAuthHeader(NUMBER, PASSWORD));
+    when(registrationServiceClient.getSession(any(), any()))
+        .thenReturn(
+            CompletableFuture.completedFuture(
+                Optional.of(new RegistrationServiceSession(new byte[16], NUMBER, true, null, null, null,
+                    SESSION_EXPIRATION_SECONDS))));
+    when(accountsManager.create(any(), any(), any(), any(), any()))
+        .thenReturn(mock(Account.class));
+
+    final String recoveryPassword = encodeRecoveryPassword(new byte[0]);
+
+    final Map<String, Object> accountAttrs = new HashMap<>();
+    accountAttrs.put("recoveryPassword", recoveryPassword);
+    registrationId.ifPresent(id -> accountAttrs.put("registrationId", id));
+    pniRegistrationId.ifPresent(id -> accountAttrs.put("pniRegistrationId", id));
+    final String json = SystemMapper.jsonMapper().writeValueAsString(Map.of(
+        "sessionId", encodeSessionId("sessionId"),
+        "recoveryPassword", recoveryPassword,
+        "accountAttributes", accountAttrs,
+        "skipDeviceTransfer", true
+    ));
+
+    try (Response response = request.post(Entity.json(json))) {
+      assertEquals(statusCode, response.getStatus());
+    }
+  }
+
  @Test
  void missingBasicAuthorization() {
    final Invocation.Builder request = resources.getJerseyTest()
@@ -745,7 +792,8 @@ class RegistrationControllerTest {
          "sessionId": "%s",
          "recoveryPassword": "%s",
          "accountAttributes": {
-            "recoveryPassword": "%s"
+            "recoveryPassword": "%s",
+            "registrationId": 1
          },
          "skipDeviceTransfer": %s
        }