Add svr3 share-set store/retrieve

2026-04-20 16:08:03 +01:00 · 2024-05-17 10:45:18 -05:00
parent 1182d159aa
commit ce1c5be940
18 changed files with 493 additions and 92 deletions
--- a/service/src/main/java/org/whispersystems/textsecuregcm/entities/AuthCheckRequest.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/entities/AuthCheckRequest.java
@@ -5,6 +5,8 @@

 package org.whispersystems.textsecuregcm.entities;

+import com.fasterxml.jackson.annotation.JsonAlias;
+import com.fasterxml.jackson.annotation.JsonProperty;
 import io.swagger.v3.oas.annotations.media.Schema;
 import java.util.List;
 import javax.validation.constraints.NotEmpty;
@@ -14,6 +16,10 @@ import org.whispersystems.textsecuregcm.util.E164;

 public record AuthCheckRequest(@Schema(description = "The e164-formatted phone number.")
                               @NotNull @E164 String number,
-                               @Schema(description = "A list of SVR auth values, previously retrieved from `/v1/backup/auth`; may contain at most 10.")
-                               @NotEmpty @Size(max = 10) List<String> passwords) {
+                               @Schema(description = """
+                               A list of SVR tokens, previously retrieved from `backup/auth`. Tokens should be the
+                               of the form "username:password". May contain at most 10 tokens.""")
+                               @JsonProperty("tokens")
+                               @JsonAlias("passwords") // deprecated
+                               @NotEmpty @Size(max = 10) List<String> tokens) {
 }
--- a/service/src/main/java/org/whispersystems/textsecuregcm/entities/AuthCheckResponseV2.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/entities/AuthCheckResponseV2.java
@@ -10,8 +10,8 @@ import io.swagger.v3.oas.annotations.media.Schema;
 import java.util.Map;
 import javax.validation.constraints.NotNull;

-public record AuthCheckResponse(@Schema(description = "A dictionary with the auth check results: `KBS Credentials -> 'match'/'no-match'/'invalid'`")
-                                @NotNull Map<String, Result> matches) {
+public record AuthCheckResponseV2(@Schema(description = "A dictionary with the auth check results: `SVR Credentials -> 'match'/'no-match'/'invalid'`")
+                                  @NotNull Map<String, Result> matches) {

  public enum Result {
    MATCH("match"),
--- a/service/src/main/java/org/whispersystems/textsecuregcm/entities/AuthCheckResponseV3.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/entities/AuthCheckResponseV3.java
@@ -0,0 +1,58 @@
+/*
+ * Copyright 2024 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.entities;
+
+import com.fasterxml.jackson.annotation.JsonValue;
+import io.swagger.v3.oas.annotations.media.Schema;
+import java.util.Map;
+import javax.annotation.Nullable;
+import javax.validation.constraints.NotNull;
+
+public record AuthCheckResponseV3(
+    @Schema(description = """
+    A dictionary with the auth check results, keyed by the token corresponding token provided in the request.
+    """)
+    @NotNull Map<String, Result> matches) {
+
+  public record Result(
+      @Schema(description = "The status of the credential, either match, no-match, or invalid")
+      CredentialStatus status,
+
+      @Schema(description = """
+      If the credential was a match, the stored shareSet that can be used to restore a value from SVR. Encoded as 
+      """)
+      @Nullable byte[] shareSet) {
+
+    public static Result invalid() {
+      return new Result(CredentialStatus.INVALID, null);
+    }
+
+    public static Result noMatch() {
+      return new Result(CredentialStatus.NO_MATCH, null);
+    }
+
+    public static Result match(@Nullable final byte[] shareSet) {
+      return new Result(CredentialStatus.MATCH, shareSet);
+    }
+  }
+
+  public enum CredentialStatus {
+    MATCH("match"),
+    NO_MATCH("no-match"),
+    INVALID("invalid");
+
+    private final String clientCode;
+
+    CredentialStatus(final String clientCode) {
+      this.clientCode = clientCode;
+    }
+
+    @JsonValue
+    public String clientCode() {
+      return clientCode;
+    }
+  }
+}
--- a/service/src/main/java/org/whispersystems/textsecuregcm/entities/RegistrationLockFailure.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/entities/RegistrationLockFailure.java
@@ -8,11 +8,15 @@ package org.whispersystems.textsecuregcm.entities;
 import io.swagger.v3.oas.annotations.media.Schema;
 import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentials;

-@Schema(description = "A token provided to the client via a push payload")
-
+@Schema(description = """
+    Information about the current Registration lock and SVR credentials. With a correct PIN, the credentials can
+    be used to recover the secret used to derive the registration lock password.
+    """)
 public record RegistrationLockFailure(
    @Schema(description = "Time remaining in milliseconds before the existing registration lock expires")
    long timeRemaining,
    @Schema(description = "Credentials that can be used with SVR2")
-    ExternalServiceCredentials svr2Credentials) {
+    ExternalServiceCredentials svr2Credentials,
+    @Schema(description = "Credentials that can be used with SVR3")
+    Svr3Credentials svr3Credentials) {
 }
--- a/service/src/main/java/org/whispersystems/textsecuregcm/entities/SetShareSetRequest.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/entities/SetShareSetRequest.java
@@ -0,0 +1,22 @@
+/*
+ * Copyright 2024 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.textsecuregcm.entities;
+
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import io.swagger.v3.oas.annotations.media.Schema;
+import org.whispersystems.textsecuregcm.util.ByteArrayAdapter;
+import org.whispersystems.textsecuregcm.util.ExactlySize;
+import javax.validation.constraints.NotEmpty;
+
+public record SetShareSetRequest(
+    @Schema(description = """
+        A share-set generated by a client after storing a value in SVR3, serialized in un-padded standard base64
+        """, implementation = String.class)
+    @JsonDeserialize(using = ByteArrayAdapter.Deserializing.class)
+    @NotEmpty
+    @ExactlySize(SHARE_SET_SIZE)
+    byte[] shareSet) {
+  public static final int SHARE_SET_SIZE = 169;
+}
--- a/service/src/main/java/org/whispersystems/textsecuregcm/entities/Svr3Credentials.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/entities/Svr3Credentials.java
@@ -0,0 +1,28 @@
+/*
+ * Copyright 2024 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.textsecuregcm.entities;
+
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import io.swagger.v3.oas.annotations.media.Schema;
+import javax.annotation.Nullable;
+import org.whispersystems.textsecuregcm.util.ByteArrayAdapter;
+
+@Schema(description = """
+    A time limited external service credential that can be used to authenticate and restore from SVR3.
+    """)
+public record Svr3Credentials(
+
+    @Schema(description = "The credential username")
+    String username,
+
+    @Schema(description = "The credential password")
+    String password,
+
+    @Schema(requiredMode = Schema.RequiredMode.NOT_REQUIRED, description = """
+        If present, a shareSet previously stored for this account via /v3/backups/shareSet. Required to restore a value
+        from SVR3. Encoded in standard un-padded base64.
+        """, implementation = String.class)
+    @JsonSerialize(using = ByteArrayAdapter.Serializing.class)
+    @Nullable byte[] shareSet) {}