Add hCaptcha support

service/src/main/java/org/whispersystems/textsecuregcm/captcha/AssessmentResult.java

@@ -0,0 +1,27 @@
+/*
+ * Copyright 2022 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.captcha;
+
+/**
+ * A captcha assessment
+ *
+ * @param valid whether the captcha was passed
+ * @param score string representation of the risk level
+ */
+public record AssessmentResult(boolean valid, String score) {
+
+  public static AssessmentResult invalid() {
+    return new AssessmentResult(false, "");
+  }
+
+  /**
+   * Map a captcha score in [0.0, 1.0] to a low cardinality discrete space in [0, 100] suitable for use in metrics
+   */
+  static String scoreString(final float score) {
+    final int x = Math.round(score * 10); // [0, 10]
+    return Integer.toString(x * 10); // [0, 100] in increments of 10
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/captcha/CaptchaChecker.java

@@ -0,0 +1,76 @@
+/*
+ * Copyright 2022 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.captcha;
+
+import com.google.common.annotations.VisibleForTesting;
+import io.micrometer.core.instrument.Metrics;
+import java.io.IOException;
+import java.util.List;
+import java.util.Map;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+import javax.ws.rs.BadRequestException;
+
+import static org.whispersystems.textsecuregcm.metrics.MetricsUtil.name;
+
+public class CaptchaChecker {
+  private static final String ASSESSMENTS_COUNTER_NAME = name(RecaptchaClient.class, "assessments");
+
+  @VisibleForTesting
+  static final String SEPARATOR = ".";
+
+  private final Map<String, CaptchaClient> captchaClientMap;
+
+  public CaptchaChecker(final List<CaptchaClient> captchaClients) {
+    this.captchaClientMap = captchaClients.stream()
+        .collect(Collectors.toMap(CaptchaClient::scheme, Function.identity()));
+  }
+
+  /**
+   * Check if a solved captcha should be accepted
+   * <p>
+   *
+   * @param input expected to contain a prefix indicating the captcha scheme, sitekey, token, and action. The expected
+   *              format is {@code version-prefix.sitekey.[action.]token}
+   * @param ip    IP of the solver
+   * @return An {@link AssessmentResult} indicating whether the solution should be accepted, and a score that can be
+   * used for metrics
+   * @throws IOException         if there is an error validating the captcha with the underlying service
+   * @throws BadRequestException if input is not in the expected format
+   */
+  public AssessmentResult verify(final String input, final String ip) throws IOException {
+    /*
+     * For action to be optional, there is a strong assumption that the token will never contain a {@value  SEPARATOR}.
+     * Observation suggests {@code token} is base-64 encoded. In practice, an action should always be present, but we
+     * don’t need to be strict.
+     */
+    final String[] parts = input.split("\\" + SEPARATOR, 4);
+
+    // we allow missing actions, if we're missing 1 part, assume it's the action
+    if (parts.length < 3) {
+      throw new BadRequestException("too few parts");
+    }
+
+    int idx = 0;
+    final String prefix = parts[idx++];
+    final String siteKey = parts[idx++];
+    final String action = parts.length == 3 ? null : parts[idx++];
+    final String token = parts[idx];
+
+    final CaptchaClient client = this.captchaClientMap.get(prefix);
+    if (client == null) {
+      throw new BadRequestException("invalid captcha scheme");
+    }
+    final AssessmentResult result = client.verify(siteKey, action, token, ip);
+    Metrics.counter(ASSESSMENTS_COUNTER_NAME,
+            "action", String.valueOf(action),
+            "valid", String.valueOf(result.valid()),
+            "score", result.score(),
+            "provider", prefix)
+        .increment();
+    return result;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/captcha/CaptchaClient.java

@@ -0,0 +1,33 @@
+/*
+ * Copyright 2022 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.captcha;
+
+import javax.annotation.Nullable;
+import java.io.IOException;
+
+public interface CaptchaClient {
+
+  /**
+   * @return the identifying captcha scheme that this CaptchaClient handles
+   */
+  String scheme();
+
+  /**
+   * Verify a provided captcha solution
+   *
+   * @param siteKey identifying string for the captcha service
+   * @param action  an optional action indicating the purpose of the captcha
+   * @param token   the captcha solution that will be verified
+   * @param ip      the ip of the captcha solve
+   * @return An {@link AssessmentResult} indicating whether the solution should be accepted
+   * @throws IOException if the underlying captcha provider returns an error
+   */
+  AssessmentResult verify(
+      final String siteKey,
+      final @Nullable String action,
+      final String token,
+      final String ip) throws IOException;
+}

service/src/main/java/org/whispersystems/textsecuregcm/captcha/HCaptchaClient.java

@@ -0,0 +1,114 @@
+/*
+ * Copyright 2021-2022 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.captcha;
+
+import static org.whispersystems.textsecuregcm.metrics.MetricsUtil.name;
+
+import io.micrometer.core.instrument.Metrics;
+import java.io.IOException;
+import java.net.URI;
+import java.net.URLEncoder;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.nio.charset.StandardCharsets;
+import javax.annotation.Nullable;
+import javax.ws.rs.core.Response;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.whispersystems.textsecuregcm.configuration.dynamic.DynamicCaptchaConfiguration;
+import org.whispersystems.textsecuregcm.configuration.dynamic.DynamicConfiguration;
+import org.whispersystems.textsecuregcm.storage.DynamicConfigurationManager;
+import org.whispersystems.textsecuregcm.util.SystemMapper;
+
+public class HCaptchaClient implements CaptchaClient {
+
+  private static final Logger logger = LoggerFactory.getLogger(HCaptchaClient.class);
+  private static final String PREFIX = "signal-hcaptcha";
+  private static final String ASSESSMENT_REASON_COUNTER_NAME = name(HCaptchaClient.class, "assessmentReason");
+  private static final String INVALID_REASON_COUNTER_NAME = name(HCaptchaClient.class, "invalidReason");
+  private final String apiKey;
+  private final HttpClient client;
+  private final DynamicConfigurationManager<DynamicConfiguration> dynamicConfigurationManager;
+
+  public HCaptchaClient(
+      final String apiKey,
+      final HttpClient client,
+      final DynamicConfigurationManager<DynamicConfiguration> dynamicConfigurationManager) {
+    this.apiKey = apiKey;
+    this.client = client;
+    this.dynamicConfigurationManager = dynamicConfigurationManager;
+  }
+
+  @Override
+  public String scheme() {
+    return PREFIX;
+  }
+
+  @Override
+  public AssessmentResult verify(final String siteKey, final @Nullable String action, final String token,
+      final String ip)
+      throws IOException {
+
+    final DynamicCaptchaConfiguration config = dynamicConfigurationManager.getConfiguration().getCaptchaConfiguration();
+    if (!config.isAllowHCaptcha()) {
+      logger.warn("Received request to verify an hCaptcha, but hCaptcha is not enabled");
+      return AssessmentResult.invalid();
+    }
+
+    final String body = String.format("response=%s&secret=%s&remoteip=%s",
+        URLEncoder.encode(token, StandardCharsets.UTF_8),
+        URLEncoder.encode(this.apiKey, StandardCharsets.UTF_8),
+        ip);
+    HttpRequest request = HttpRequest.newBuilder()
+        .uri(URI.create("https://hcaptcha.com/siteverify"))
+        .header("Content-Type", "application/x-www-form-urlencoded")
+        .POST(HttpRequest.BodyPublishers.ofString(body))
+        .build();
+
+    HttpResponse<String> response;
+    try {
+      response = this.client.send(request, HttpResponse.BodyHandlers.ofString());
+    } catch (InterruptedException e) {
+      throw new IOException(e);
+    }
+
+    if (response.statusCode() != Response.Status.OK.getStatusCode()) {
+      logger.warn("failure submitting token to hCaptcha (code={}): {}", response.statusCode(), response);
+      throw new IOException("hCaptcha http failure : " + response.statusCode());
+    }
+
+    final HCaptchaResponse hCaptchaResponse = SystemMapper.getMapper()
+        .readValue(response.body(), HCaptchaResponse.class);
+
+    logger.debug("received hCaptcha response: {}", hCaptchaResponse);
+
+    if (!hCaptchaResponse.success) {
+      for (String errorCode : hCaptchaResponse.errorCodes) {
+        Metrics.counter(INVALID_REASON_COUNTER_NAME,
+            "action", String.valueOf(action),
+            "reason", errorCode).increment();
+      }
+      return AssessmentResult.invalid();
+    }
+
+    // hcaptcha uses the inverse scheme of recaptcha (for hcaptcha, a low score is less risky)
+    float score = 1.0f - hCaptchaResponse.score;
+    if (score < 0.0f || score > 1.0f) {
+      logger.error("Invalid score {} from hcaptcha response {}", hCaptchaResponse.score, hCaptchaResponse);
+      return AssessmentResult.invalid();
+    }
+    final String scoreString = AssessmentResult.scoreString(score);
+
+    for (String reason : hCaptchaResponse.scoreReasons) {
+      Metrics.counter(ASSESSMENT_REASON_COUNTER_NAME,
+          "action", String.valueOf(action),
+          "reason", reason,
+          "score", scoreString).increment();
+    }
+    return new AssessmentResult(score >= config.getScoreFloor().floatValue(), scoreString);
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/captcha/HCaptchaResponse.java

@@ -0,0 +1,57 @@
+/*
+ * Copyright 2022 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.captcha;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.time.Duration;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * Verify response returned by hcaptcha
+ * <p>
+ * see <a href="https://docs.hcaptcha.com/#verify-the-user-response-server-side">...</a>
+ */
+public class HCaptchaResponse {
+
+  @JsonProperty
+  boolean success;
+
+  @JsonProperty(value = "challenge-ts")
+  Duration challengeTs;
+
+  @JsonProperty
+  String hostname;
+
+  @JsonProperty
+  boolean credit;
+
+  @JsonProperty(value = "error-codes")
+  List<String> errorCodes = Collections.emptyList();
+
+  @JsonProperty
+  float score;
+
+  @JsonProperty(value = "score-reasons")
+  List<String> scoreReasons = Collections.emptyList();
+
+  public HCaptchaResponse() {
+  }
+
+  @Override
+  public String toString() {
+    return "HCaptchaResponse{" +
+        "success=" + success +
+        ", challengeTs=" + challengeTs +
+        ", hostname='" + hostname + '\'' +
+        ", credit=" + credit +
+        ", errorCodes=" + errorCodes +
+        ", score=" + score +
+        ", scoreReasons=" + scoreReasons +
+        '}';
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/captcha/RecaptchaClient.java

@@ -0,0 +1,113 @@
+/*
+ * Copyright 2021-2022 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.captcha;
+
+import static org.whispersystems.textsecuregcm.metrics.MetricsUtil.name;
+
+import com.google.api.gax.core.FixedCredentialsProvider;
+import com.google.api.gax.rpc.ApiException;
+import com.google.auth.oauth2.GoogleCredentials;
+import com.google.cloud.recaptchaenterprise.v1.RecaptchaEnterpriseServiceClient;
+import com.google.cloud.recaptchaenterprise.v1.RecaptchaEnterpriseServiceSettings;
+import com.google.recaptchaenterprise.v1.Assessment;
+import com.google.recaptchaenterprise.v1.Event;
+import com.google.recaptchaenterprise.v1.RiskAnalysis;
+import io.micrometer.core.instrument.Metrics;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.Objects;
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.whispersystems.textsecuregcm.configuration.dynamic.DynamicCaptchaConfiguration;
+import org.whispersystems.textsecuregcm.configuration.dynamic.DynamicConfiguration;
+import org.whispersystems.textsecuregcm.storage.DynamicConfigurationManager;
+
+public class RecaptchaClient implements CaptchaClient {
+
+  private static final Logger log = LoggerFactory.getLogger(RecaptchaClient.class);
+
+  private static final String V2_PREFIX = "signal-recaptcha-v2";
+  private static final String INVALID_REASON_COUNTER_NAME = name(RecaptchaClient.class, "invalidReason");
+  private static final String ASSESSMENT_REASON_COUNTER_NAME = name(RecaptchaClient.class, "assessmentReason");
+
+  private final String projectPath;
+  private final RecaptchaEnterpriseServiceClient client;
+  private final DynamicConfigurationManager<DynamicConfiguration> dynamicConfigurationManager;
+
+  public RecaptchaClient(
+      @Nonnull final String projectPath,
+      @Nonnull final String recaptchaCredentialConfigurationJson,
+      final DynamicConfigurationManager<DynamicConfiguration> dynamicConfigurationManager) {
+    try {
+      this.projectPath = Objects.requireNonNull(projectPath);
+      this.client = RecaptchaEnterpriseServiceClient.create(RecaptchaEnterpriseServiceSettings.newBuilder()
+          .setCredentialsProvider(FixedCredentialsProvider.create(GoogleCredentials.fromStream(
+              new ByteArrayInputStream(recaptchaCredentialConfigurationJson.getBytes(StandardCharsets.UTF_8)))))
+          .build());
+
+      this.dynamicConfigurationManager = dynamicConfigurationManager;
+    } catch (IOException e) {
+      throw new AssertionError(e);
+    }
+  }
+
+  @Override
+  public String scheme() {
+    return V2_PREFIX;
+  }
+
+  @Override
+  public org.whispersystems.textsecuregcm.captcha.AssessmentResult verify(final String sitekey,
+      final @Nullable String expectedAction,
+      final String token, final String ip) throws IOException {
+    final DynamicCaptchaConfiguration config = dynamicConfigurationManager.getConfiguration().getCaptchaConfiguration();
+    if (!config.isAllowRecaptcha()) {
+      log.warn("Received request to verify a recaptcha, but recaptcha is not enabled");
+      return AssessmentResult.invalid();
+    }
+
+    Event.Builder eventBuilder = Event.newBuilder()
+        .setSiteKey(sitekey)
+        .setToken(token)
+        .setUserIpAddress(ip);
+
+    if (expectedAction != null) {
+      eventBuilder.setExpectedAction(expectedAction);
+    }
+
+    final Event event = eventBuilder.build();
+    final Assessment assessment;
+    try {
+      assessment = client.createAssessment(projectPath, Assessment.newBuilder().setEvent(event).build());
+    } catch (ApiException e) {
+      throw new IOException(e);
+    }
+
+    if (assessment.getTokenProperties().getValid()) {
+      final float score = assessment.getRiskAnalysis().getScore();
+      log.debug("assessment for {} was valid, score: {}", expectedAction, score);
+      for (RiskAnalysis.ClassificationReason reason : assessment.getRiskAnalysis().getReasonsList()) {
+        Metrics.counter(ASSESSMENT_REASON_COUNTER_NAME,
+                "action", String.valueOf(expectedAction),
+                "score", AssessmentResult.scoreString(score),
+                "reason", reason.name())
+            .increment();
+      }
+      return new AssessmentResult(
+          score >= config.getScoreFloor().floatValue(),
+          AssessmentResult.scoreString(score));
+    } else {
+      Metrics.counter(INVALID_REASON_COUNTER_NAME,
+              "action", String.valueOf(expectedAction),
+              "reason", assessment.getTokenProperties().getInvalidReason().name())
+          .increment();
+      return AssessmentResult.invalid();
+    }
+  }
+}