Create call link credential endpoint

service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java

@@ -467,9 +467,6 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
         config.getArtServiceConfiguration());
     ExternalServiceCredentialsGenerator svr2CredentialsGenerator = SecureValueRecovery2Controller.credentialsGenerator(
         config.getSvr2Configuration());
-    ExternalServiceCredentialsGenerator callLinkCredentialsGenerator = CallLinkController.credentialsGenerator(
-        config.getCallLinkConfiguration()
-    );
 
     dynamicConfigurationManager.start();
 
@@ -721,7 +718,7 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
         new ArtController(rateLimiters, artCredentialsGenerator),
         new AttachmentControllerV2(rateLimiters, config.getAwsAttachmentsConfiguration().getAccessKey(), config.getAwsAttachmentsConfiguration().getAccessSecret(), config.getAwsAttachmentsConfiguration().getRegion(), config.getAwsAttachmentsConfiguration().getBucket()),
         new AttachmentControllerV3(rateLimiters, config.getGcpAttachmentsConfiguration().getDomain(), config.getGcpAttachmentsConfiguration().getEmail(), config.getGcpAttachmentsConfiguration().getMaxSizeInBytes(), config.getGcpAttachmentsConfiguration().getPathPrefix(), config.getGcpAttachmentsConfiguration().getRsaSigningKey()),
-        new CallLinkController(callLinkCredentialsGenerator),
+        new CallLinkController(rateLimiters, genericZkSecretParams),
         new CertificateController(new CertificateGenerator(config.getDeliveryCertificate().getCertificate(), config.getDeliveryCertificate().getPrivateKey(), config.getDeliveryCertificate().getExpiresDays()), zkAuthOperations, genericZkSecretParams, clock),
         new ChallengeController(rateLimitChallengeManager),
         new DeviceController(pendingDevicesManager, accountsManager, messagesManager, keys, rateLimiters, config.getMaxDevices()),

service/src/main/java/org/whispersystems/textsecuregcm/controllers/CallLinkController.java

@@ -1,56 +1,74 @@
 package org.whispersystems.textsecuregcm.controllers;
 
 import com.codahale.metrics.annotation.Timed;
-import com.google.common.annotations.VisibleForTesting;
 import io.dropwizard.auth.Auth;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import org.signal.libsignal.zkgroup.GenericServerSecretParams;
+import org.signal.libsignal.zkgroup.InvalidInputException;
+import org.signal.libsignal.zkgroup.calllinks.CreateCallLinkCredentialRequest;
 import org.whispersystems.textsecuregcm.auth.AuthenticatedAccount;
-import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentials;
-import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentialsGenerator;
-import org.whispersystems.textsecuregcm.configuration.CallLinkConfiguration;
-import javax.ws.rs.GET;
+import org.whispersystems.textsecuregcm.entities.CreateCallLinkCredential;
+import org.whispersystems.textsecuregcm.entities.GetCreateCallLinkCredentialsRequest;
+import org.whispersystems.textsecuregcm.limits.RateLimiters;
+import javax.validation.constraints.NotNull;
+import javax.ws.rs.BadRequestException;
+import javax.ws.rs.POST;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.MediaType;
-import java.time.Clock;
+import java.time.Instant;
 import java.time.temporal.ChronoUnit;
-import java.util.Optional;
 
 @Path("/v1/call-link")
 @io.swagger.v3.oas.annotations.tags.Tag(name = "CallLink")
 public class CallLinkController {
-  @VisibleForTesting
-  public static final String ANONYMOUS_CREDENTIAL_PREFIX = "anon";
-
-  private final ExternalServiceCredentialsGenerator callingFrontendServiceCredentialGenerator;
+  private final RateLimiters rateLimiters;
+  private final GenericServerSecretParams genericServerSecretParams;
 
   public CallLinkController(
-      ExternalServiceCredentialsGenerator callingFrontendServiceCredentialGenerator
+      final RateLimiters rateLimiters,
+      final GenericServerSecretParams genericServerSecretParams
   ) {
-    this.callingFrontendServiceCredentialGenerator = callingFrontendServiceCredentialGenerator;
+    this.rateLimiters = rateLimiters;
+    this.genericServerSecretParams = genericServerSecretParams;
   }
 
-  public static ExternalServiceCredentialsGenerator credentialsGenerator(final CallLinkConfiguration cfg) {
-    return ExternalServiceCredentialsGenerator
-        .builder(cfg.userAuthenticationTokenSharedSecret())
-        .withUsernameTimestampTruncatorAndPrefix(timestamp -> timestamp.truncatedTo(ChronoUnit.DAYS), ANONYMOUS_CREDENTIAL_PREFIX)
-        .build();
-  }
   @Timed
-  @GET
-  @Path("/auth")
+  @POST
+  @Path("/create-auth")
   @Produces(MediaType.APPLICATION_JSON)
   @Operation(
-      summary = "Generate credentials for calling frontend",
+      summary = "Generate a credential for creating call links",
       description = """
-          These credentials enable clients to prove to calling frontend that they were a Signal user within the last day.
-          For client privacy, timestamps are truncated to 1 day granularity and the token does not include or derive from an ACI.
+          Generate a credential over a truncated timestamp, room ID, and account UUID. With zero knowledge
+          group infrastructure, the server does not know the room ID.
           """
   )
   @ApiResponse(responseCode = "200", description = "`JSON` with generated credentials.", useReturnTypeSchema = true)
+  @ApiResponse(responseCode = "400", description = "Invalid create call link credential request.")
   @ApiResponse(responseCode = "401", description = "Account authentication check failed.")
-  public ExternalServiceCredentials getAuth(@Auth AuthenticatedAccount auth) {
-    return callingFrontendServiceCredentialGenerator.generateWithTimestampAsUsername();
+  @ApiResponse(responseCode = "422", description = "Invalid request format.")
+  @ApiResponse(responseCode = "429", description = "Ratelimited.")
+  public CreateCallLinkCredential getCreateAuth(
+      final @Auth AuthenticatedAccount auth,
+      final @NotNull GetCreateCallLinkCredentialsRequest request
+  ) throws RateLimitExceededException {
+
+    rateLimiters.getCreateCallLinkLimiter().validate(auth.getAccount().getUuid());
+
+    final Instant truncatedDayTimestamp = Instant.now().truncatedTo(ChronoUnit.DAYS);
+
+    CreateCallLinkCredentialRequest createCallLinkCredentialRequest;
+    try {
+      createCallLinkCredentialRequest = new CreateCallLinkCredentialRequest(request.createCallLinkCredentialRequest());
+    } catch (InvalidInputException e) {
+      throw new BadRequestException("Invalid create call link credential request", e);
+    }
+
+    return new CreateCallLinkCredential(
+        createCallLinkCredentialRequest.issueCredential(auth.getAccount().getUuid(), truncatedDayTimestamp, genericServerSecretParams).serialize(),
+        truncatedDayTimestamp.getEpochSecond()
+    );
   }
 }

service/src/main/java/org/whispersystems/textsecuregcm/entities/CreateCallLinkCredential.java

@@ -0,0 +1,3 @@
+package org.whispersystems.textsecuregcm.entities;
+
+public record CreateCallLinkCredential(byte[] credential, long redemptionTime){}

service/src/main/java/org/whispersystems/textsecuregcm/entities/GetCreateCallLinkCredentialsRequest.java

@@ -0,0 +1,5 @@
+package org.whispersystems.textsecuregcm.entities;
+
+import javax.validation.constraints.NotNull;
+
+public record GetCreateCallLinkCredentialsRequest(@NotNull byte[] createCallLinkCredentialRequest) {}

service/src/main/java/org/whispersystems/textsecuregcm/limits/RateLimiters.java

@@ -73,6 +73,8 @@ public class RateLimiters extends BaseRateLimiters<RateLimiters.For> {
     PUSH_CHALLENGE_ATTEMPT("pushChallengeAttempt", true, new RateLimiterConfig(10, 10.0 / (60 * 24))),
 
     PUSH_CHALLENGE_SUCCESS("pushChallengeSuccess", true, new RateLimiterConfig(2, 2.0 / (60 * 24))),
+
+    CREATE_CALL_LINK("createCallLink", false, new RateLimiterConfig(100, 100 / (60 * 24)));
     ;
 
     private final String id;
@@ -232,4 +234,8 @@ public class RateLimiters extends BaseRateLimiters<RateLimiters.For> {
   public RateLimiter getVerificationCaptchaLimiter() {
     return forDescriptor(For.VERIFICATION_CAPTCHA);
   }
+
+  public RateLimiter getCreateCallLinkLimiter() {
+    return forDescriptor(For.CREATE_CALL_LINK);
+  }
 }