Check for IdentityType.PNI in OptionalAccess#verify

service/src/main/java/org/whispersystems/textsecuregcm/auth/OptionalAccess.java

@@ -5,28 +5,30 @@
 
 package org.whispersystems.textsecuregcm.auth;
 
-import org.whispersystems.textsecuregcm.storage.Account;
-import org.whispersystems.textsecuregcm.storage.Device;
-
+import java.security.MessageDigest;
+import java.util.Optional;
 import javax.ws.rs.NotAuthorizedException;
 import javax.ws.rs.NotFoundException;
 import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.Response;
-import java.security.MessageDigest;
-import java.util.Optional;
+import org.whispersystems.textsecuregcm.identity.IdentityType;
+import org.whispersystems.textsecuregcm.identity.ServiceIdentifier;
+import org.whispersystems.textsecuregcm.storage.Account;
+import org.whispersystems.textsecuregcm.storage.Device;
 
 @SuppressWarnings("OptionalUsedAsFieldOrParameterType")
 public class OptionalAccess {
 
   public static String ALL_DEVICES_SELECTOR = "*";
 
-  public static void verify(Optional<Account>   requestAccount,
-                            Optional<Anonymous> accessKey,
-                            Optional<Account>   targetAccount,
-                            String              deviceSelector)
-  {
+  public static void verify(Optional<Account> requestAccount,
+      Optional<Anonymous> accessKey,
+      Optional<Account> targetAccount,
+      ServiceIdentifier targetIdentifier,
+      String deviceSelector) {
+
     try {
-      verify(requestAccount, accessKey, targetAccount);
+      verify(requestAccount, accessKey, targetAccount, targetIdentifier);
 
       if (!ALL_DEVICES_SELECTOR.equals(deviceSelector)) {
         byte deviceId = Byte.parseByte(deviceSelector);
@@ -48,9 +50,11 @@ public class OptionalAccess {
     }
   }
 
-  public static void verify(Optional<Account>   requestAccount,
-                            Optional<Anonymous> accessKey,
-                            Optional<Account>   targetAccount) {
+  public static void verify(Optional<Account> requestAccount,
+      Optional<Anonymous> accessKey,
+      Optional<Account> targetAccount,
+      ServiceIdentifier targetIdentifier) {
+
     if (requestAccount.isPresent()) {
       // Authenticated requests are never unauthorized; if the target exists, return OK, otherwise throw not-found.
       if (targetAccount.isPresent()) {
@@ -74,6 +78,15 @@ public class OptionalAccess {
       return;
     }
 
+    if (!targetAccount.get().isIdentifiedBy(targetIdentifier)) {
+      throw new IllegalArgumentException("Target account is not identified by the given identifier");
+    }
+
+    // Unidentified access is only for ACI identities
+    if (IdentityType.PNI.equals(targetIdentifier.identityType())) {
+      throw new NotAuthorizedException(Response.Status.UNAUTHORIZED);
+    }
+
     // At this point, any successful authentication requires a real access key on the target account
     if (targetAccount.get().getUnidentifiedAccessKey().isEmpty()) {
       throw new NotAuthorizedException(Response.Status.UNAUTHORIZED);

service/src/main/java/org/whispersystems/textsecuregcm/controllers/KeysController.java

@@ -349,7 +349,7 @@ public class KeysController {
         throw new NotAuthorizedException(e);
       }
     } else {
-      OptionalAccess.verify(account, accessKey, maybeTarget, deviceId);
+      OptionalAccess.verify(account, accessKey, maybeTarget, targetIdentifier, deviceId);
     }
     final Account target = maybeTarget.orElseThrow(NotFoundException::new);
 

service/src/main/java/org/whispersystems/textsecuregcm/controllers/MessageController.java

@@ -374,7 +374,8 @@ public class MessageController {
             throw new NotFoundException();
           }
         } else {
-          OptionalAccess.verify(source.map(AuthenticatedAccount::getAccount), accessKey, destination);
+          OptionalAccess.verify(source.map(AuthenticatedAccount::getAccount), accessKey, destination,
+              destinationIdentifier);
         }
 
         boolean needsSync = !isSyncMessage && source.isPresent() && source.get().getAccount().getDevices().size() > 1;

service/src/main/java/org/whispersystems/textsecuregcm/controllers/ProfileController.java

@@ -19,7 +19,6 @@ import java.time.Clock;
 import java.time.ZonedDateTime;
 import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.Base64;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HexFormat;
@@ -32,7 +31,6 @@ import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.Executor;
 import java.util.function.Function;
 import java.util.stream.Collectors;
-import javax.annotation.Nullable;
 import javax.validation.Valid;
 import javax.validation.constraints.NotNull;
 import javax.ws.rs.BadRequestException;
@@ -48,7 +46,6 @@ import javax.ws.rs.PathParam;
 import javax.ws.rs.ProcessingException;
 import javax.ws.rs.Produces;
 import javax.ws.rs.QueryParam;
-import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.container.ContainerRequestContext;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.HttpHeaders;
@@ -503,7 +500,7 @@ public class ProfileController {
 
     final Optional<Account> maybeTargetAccount = accountsManager.getByServiceIdentifier(accountIdentifier);
 
-    OptionalAccess.verify(maybeRequester, maybeAccessKey, maybeTargetAccount);
+    OptionalAccess.verify(maybeRequester, maybeAccessKey, maybeTargetAccount, accountIdentifier);
     assert maybeTargetAccount.isPresent();
 
     return maybeTargetAccount.get();
@@ -520,19 +517,4 @@ public class ProfileController {
         now.format(PostPolicyGenerator.AWS_DATE_TIME), policy.second(), signature);
   }
 
-  @Nullable
-  private static byte[] decodeFromBase64(@Nullable final String input) {
-    if (input == null) {
-      return null;
-    }
-    return Base64.getDecoder().decode(input);
-  }
-
-  @Nullable
-  private static String encodeToBase64(@Nullable final byte[] input) {
-    if (input == null) {
-      return null;
-    }
-    return Base64.getEncoder().encodeToString(input);
-  }
 }