Tune mismatch logging

use BigDecimal instead of double for accuracy

.github/FUNDING.yml

@@ -0,0 +1,4 @@
+# Copyright 2021 Signal Messenger, LLC
+# SPDX-License-Identifier: AGPL-3.0-only
+
+custom: https://signal.org/donate/

.github/workflows/test.yml

@@ -0,0 +1,18 @@
+name: Service CI
+
+on: [push]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up JDK 11
+        uses: actions/setup-java@3bc31aaf88e8fc94dc1e632d48af61be5ca8721c
+        with:
+          distribution: 'adopt'
+          java-version: 11
+          cache: 'maven'
+      - name: Build with Maven
+        run: mvn -e -B verify

.gitignore

@@ -7,3 +7,18 @@ run.sh
 local.yml
 config/production.yml
 config/federated.yml
+config/staging.yml
+config/testing.yml
+config/deploy.properties
+/service/config/production.yml
+/service/config/federated.yml
+/service/config/staging.yml
+/service/config/testing.yml
+/service/config/deploy.properties
+/service/dependency-reduced-pom.xml
+.opsmanage
+put.sh
+deployer-staging.properties
+deployer-production.properties
+deployer.log
+/service/src/main/resources/org/signal/badges/Badges_*.properties

.mvn/extensions.xml

@@ -0,0 +1,9 @@
+<extensions xmlns="http://maven.apache.org/EXTENSIONS/1.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/EXTENSIONS/1.0.0 http://maven.apache.org/xsd/core-extensions-1.0.0.xsd">
+  <extension>
+    <groupId>fr.brouillard.oss</groupId>
+    <artifactId>jgitver-maven-plugin</artifactId>
+    <version>1.7.1</version>
+  </extension>
+</extensions>

.mvn/jgitver.config.xml

@@ -0,0 +1,14 @@
+<configuration xmlns="http://jgitver.github.io/maven/configuration/1.1.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://jgitver.github.io/maven/configuration/1.1.0 https://jgitver.github.io/maven/configuration/jgitver-configuration-v1_1_0.xsd">
+  <useDirty>true</useDirty>
+  <useDefaultBranchingPolicy>false</useDefaultBranchingPolicy>
+  <branchPolicies>
+    <branchPolicy>
+      <pattern>(.*)</pattern>
+      <transformations>
+        <transformation>IGNORE</transformation>
+      </transformations>
+    </branchPolicy>
+  </branchPolicies>
+</configuration>

LICENSE

@@ -0,0 +1,661 @@
+                    GNU AFFERO GENERAL PUBLIC LICENSE
+                       Version 3, 19 November 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU Affero General Public License is a free, copyleft license for
+software and other kinds of works, specifically designed to ensure
+cooperation with the community in the case of network server software.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+our General Public Licenses are intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  Developers that use our General Public Licenses protect your rights
+with two steps: (1) assert copyright on the software, and (2) offer
+you this License which gives you legal permission to copy, distribute
+and/or modify the software.
+
+  A secondary benefit of defending all users' freedom is that
+improvements made in alternate versions of the program, if they
+receive widespread use, become available for other developers to
+incorporate.  Many developers of free software are heartened and
+encouraged by the resulting cooperation.  However, in the case of
+software used on network servers, this result may fail to come about.
+The GNU General Public License permits making a modified version and
+letting the public access it on a server without ever releasing its
+source code to the public.
+
+  The GNU Affero General Public License is designed specifically to
+ensure that, in such cases, the modified source code becomes available
+to the community.  It requires the operator of a network server to
+provide the source code of the modified version running there to the
+users of that server.  Therefore, public use of a modified version, on
+a publicly accessible server, gives the public access to the source
+code of the modified version.
+
+  An older license, called the Affero General Public License and
+published by Affero, was designed to accomplish similar goals.  This is
+a different license, not a version of the Affero GPL, but Affero has
+released a new version of the Affero GPL which permits relicensing under
+this license.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU Affero General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Remote Network Interaction; Use with the GNU General Public License.
+
+  Notwithstanding any other provision of this License, if you modify the
+Program, your modified version must prominently offer all users
+interacting with it remotely through a computer network (if your version
+supports such interaction) an opportunity to receive the Corresponding
+Source of your version by providing access to the Corresponding Source
+from a network server at no charge, through some standard or customary
+means of facilitating copying of software.  This Corresponding Source
+shall include the Corresponding Source for any work covered by version 3
+of the GNU General Public License that is incorporated pursuant to the
+following paragraph.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the work with which it is combined will remain governed by version
+3 of the GNU General Public License.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU Affero General Public License from time to time.  Such new versions
+will be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU Affero General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU Affero General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU Affero General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If your software can interact with users remotely through a computer
+network, you should also make sure that it provides a way for users to
+get its source.  For example, if your program is a web application, its
+interface could display a "Source" link that leads users to an archive
+of the code.  There are many ways you could offer source, and different
+solutions will be better for different programs; see section 13 for the
+specific requirements.
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU AGPL, see
+<https://www.gnu.org/licenses/>.

Procfile

@@ -1,2 +0,0 @@
-web:    java $JAVA_OPTS -Ddw.http.port=$PORT -Ddw.http.adminPort=$PORT -Ddw.federation.name=$FEDERATION_NAME -Ddw.federation.herokuPeers="$FEDERATED_PEERS" -Ddw.twilio.accountId=$TWILIO_ACCOUNT_SID -Ddw.twilio.accountToken=$TWILIO_ACCOUNT_TOKEN -Ddw.twilio.number=$TWILIO_NUMBER -Ddw.nexmo.apiKey=$NEXMO_KEY -Ddw.nexmo.apiSecret=$NEXMO_SECRET -Ddw.nexmo.number=$NEXMO_NUMBER -Ddw.gcm.apiKey=$GCM_KEY -Ddw.apn.certificate="$APN_CERTIFICATE" -Ddw.apn.key="$APN_KEY" -Ddw.s3.accessKey=$AWS_ACCESS_KEY -Ddw.s3.accessSecret=$AWS_SECRET_KEY -Ddw.s3.attachmentsBucket=$AWS_ATTACHMENTS_BUCKET -Ddw.memcache.servers=$MEMCACHIER_SERVERS -Ddw.memcache.user=$MEMCACHIER_USERNAME -Ddw.memcache.password=$MEMCACHIER_PASSWORD -Ddw.redis.url=$REDIS_URL -Ddw.database.driverClass=org.postgresql.Driver -Ddw.database.user=`echo $DATABASE_URL | awk -F'://' {'print $2'} | awk -F':' {'print $1'}` -Ddw.database.password=`echo $DATABASE_URL | awk -F'://' {'print $2'} | awk -F':' {'print $2'} | awk -F'@' {'print $1'}` -Ddw.database.url=jdbc:postgresql://`echo $DATABASE_URL | awk -F'@' {'print $2'}` -jar target/TextSecure-MGCM-1.0-SNAPSHOT.jar server
-dir:    java $JAVA_OPTS -Ddw.http.port=$PORT -Ddw.http.adminPort=$PORT -Ddw.federation.name=$FEDERATION_NAME -Ddw.federation.herokuPeers="$FEDERATED_PEERS" -Ddw.twilio.accountId=$TWILIO_ACCOUNT_SID -Ddw.twilio.accountToken=$TWILIO_ACCOUNT_TOKEN -Ddw.twilio.number=$TWILIO_NUMBER -Ddw.nexmo.apiKey=$NEXMO_KEY -Ddw.nexmo.apiSecret=$NEXMO_SECRET -Ddw.nexmo.number=$NEXMO_NUMBER -Ddw.gcm.apiKey=$GCM_KEY -Ddw.apn.certificate="$APN_CERTIFICATE" -Ddw.apn.key="$APN_KEY" -Ddw.s3.accessKey=$AWS_ACCESS_KEY -Ddw.s3.accessSecret=$AWS_SECRET_KEY -Ddw.s3.attachmentsBucket=$AWS_ATTACHMENTS_BUCKET -Ddw.memcache.servers=$MEMCACHIER_SERVERS -Ddw.memcache.user=$MEMCACHIER_USERNAME -Ddw.memcache.password=$MEMCACHIER_PASSWORD -Ddw.redis.url=$REDIS_URL -Ddw.database.driverClass=org.postgresql.Driver -Ddw.database.user=`echo $DATABASE_URL | awk -F'://' {'print $2'} | awk -F':' {'print $1'}` -Ddw.database.password=`echo $DATABASE_URL | awk -F'://' {'print $2'} | awk -F':' {'print $2'} | awk -F'@' {'print $1'}` -Ddw.database.url=jdbc:postgresql://`echo $DATABASE_URL | awk -F'@' {'print $2'}` -jar target/TextSecure-MGCM-1.0-SNAPSHOT.jar directory

README.md

@@ -1,39 +1,12 @@
-TextSecure-Server
+Signal-Server
 =================
 
-The server that handles message routing for the
-[TextSecure](https://github.com/whispersystems/TextSecure/) data channel.  Communication
-is handled by a REST API and Push messaging (both GCM and APN).
-
 Documentation
 -------------
 
-Looking for protocol documentation? Check out the wiki!
-
-https://github.com/WhisperSystems/TextSecure-Server/wiki/API-Protocol
-
-
-Bug tracker
------------
-
-Have a bug? Please create an issue here on GitHub!
-
-https://github.com/WhisperSystems/TextSecure-Server/issues
-
-
-Mailing list
-------------
-
-Have a question? Ask on our mailing list!
-
-whispersystems@lists.riseup.net
-
-https://lists.riseup.net/www/info/whispersystems
-
-Current BitHub Payment Per Commit:
-=================
-![Current Price](https://bithub.herokuapp.com/v1/status/payment/commit)
+Looking for protocol documentation? Check out the website!
 
+https://signal.org/docs/
 
 Cryptography Notice
 ------------
@@ -48,6 +21,6 @@ The form and manner of this distribution makes it eligible for export under the
 License
 ---------------------
 
-Copyright 2013 Open Whisper Systems
+Copyright 2013-2021 Signal Messenger, LLC
 
 Licensed under the AGPLv3: https://www.gnu.org/licenses/agpl-3.0.html

config/sample.yml

@@ -1,98 +0,0 @@
-twilio:
-  accountId: 
-  accountToken:
-  number:
-  localDomain: # The domain Twilio can call back to.
-  international: # Boolean specifying Twilio for international delivery
-
-# Optional. If specified, Nexmo will be used for non-US SMS and 
-# voice verification if twilio.international is false. Otherwise,
-# Nexmo, if specified, Nexmo will only be used as a fallback
-# for failed Twilio deliveries.
-nexmo:
-  apiKey:
-  apiSecret:
-  number:
-
-gcm:
-  apiKey: 
-
-# Optional. Only if iOS clients are supported.
-apn:
-  # In PEM format.
-  certificate: 
-  
-  # In PEM format.
-  key: 
-
-s3:
-  accessKey: 
-  accessSecret: 
-
-  # Name of the S3 bucket (needs to have been created)
-  # for attachments to go.  Should be configured with
-  # correct permissions.
-  attachmentsBucket:
-
-memcache:
-  servers: 
-  user: 
-  password: 
-
-redis:
-  url: 
-
-federation:
-  name:
-  peers: 
-    -
-      name: somepeer
-      url: https://foo.com
-      authenticationToken: foo
-      certificate: in pem format 
-
-# Optional address of graphite server to report metrics
-graphite:
-  host:
-  port:
-
-http:
-  shutdownGracePeriod: 0s
-
-database:
-  # the name of your JDBC driver
-  driverClass: org.postgresql.Driver
-
-  # the username
-  user: 
-
-  # the password
-  password: 
-
-  # the JDBC URL
-  url: jdbc:postgresql://somehost:somport/somedb
-
-  # any properties specific to your JDBC driver:
-  properties:
-    charSet: UTF-8
-
-  # the maximum amount of time to wait on an empty pool before throwing an exception
-  maxWaitForConnection: 1s
-
-  # the SQL query to run when validating a connection's liveness
-  validationQuery: "/* MyService Health Check */ SELECT 1"
-
-  # the minimum number of connections to keep open
-  minSize: 8
-
-  # the maximum number of connections to keep open
-  maxSize: 32
-
-  # whether or not idle connections should be validated
-  checkConnectionWhileIdle: false
-
-  # how long a connection must be held before it can be validated
-  checkConnectionHealthWhenIdleFor: 10s
-
-  # the maximum lifetime of an idle connection
-  closeConnectionIfIdleFor: 1 minute

gcm-sender-async/pom.xml

@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <artifactId>TextSecureServer</artifactId>
+    <groupId>org.whispersystems.textsecure</groupId>
+    <version>JGITVER</version>
+  </parent>
+  <modelVersion>4.0.0</modelVersion>
+  <artifactId>gcm-sender-async</artifactId>
+
+  <dependencies>
+    <dependency>
+      <groupId>io.github.resilience4j</groupId>
+      <artifactId>resilience4j-retry</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-core</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-annotations</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-databind</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.google.guava</groupId>
+      <artifactId>guava</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.httpcomponents</groupId>
+      <artifactId>httpclient</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>jcl-over-slf4j</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-nop</artifactId>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+</project>
+

gcm-sender-async/src/main/java/org/whispersystems/gcm/server/AuthenticationFailedException.java

@@ -0,0 +1,9 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.gcm.server;
+
+
+public class AuthenticationFailedException extends Exception {
+}

gcm-sender-async/src/main/java/org/whispersystems/gcm/server/InvalidRequestException.java

@@ -0,0 +1,9 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.gcm.server;
+
+
+public class InvalidRequestException extends Exception {
+}

gcm-sender-async/src/main/java/org/whispersystems/gcm/server/Message.java

@@ -0,0 +1,144 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.gcm.server;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.whispersystems.gcm.server.internal.GcmRequestEntity;
+
+import java.util.HashMap;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+
+public class Message {
+
+  private static final ObjectMapper objectMapper = new ObjectMapper();
+
+  private final String              collapseKey;
+  private final Long                ttl;
+  private final Boolean             delayWhileIdle;
+  private final Map<String, String> data;
+  private final List<String>        registrationIds;
+  private final String              priority;
+
+  private Message(String collapseKey, Long ttl, Boolean delayWhileIdle,
+                  Map<String, String> data, List<String> registrationIds,
+                  String priority)
+  {
+    this.collapseKey     = collapseKey;
+    this.ttl             = ttl;
+    this.delayWhileIdle  = delayWhileIdle;
+    this.data            = data;
+    this.registrationIds = registrationIds;
+    this.priority        = priority;
+  }
+
+  public String serialize() throws JsonProcessingException {
+    GcmRequestEntity requestEntity = new GcmRequestEntity(collapseKey, ttl, delayWhileIdle,
+                                                          data, registrationIds, priority);
+
+    return objectMapper.writeValueAsString(requestEntity);
+  }
+
+  /**
+   * Construct a new Message using a Builder.
+   * @return A new Builder.
+   */
+  public static Builder newBuilder() {
+    return new Builder();
+  }
+
+  public static class Builder {
+
+    private String              collapseKey     = null;
+    private Long                ttl             = null;
+    private Boolean             delayWhileIdle  = null;
+    private Map<String, String> data            = null;
+    private List<String>        registrationIds = new LinkedList<>();
+    private String              priority        = null;
+
+    private Builder() {}
+
+    /**
+     * @param collapseKey The GCM collapse key to use (optional).
+     * @return The Builder.
+     */
+    public Builder withCollapseKey(String collapseKey) {
+      this.collapseKey = collapseKey;
+      return this;
+    }
+
+    /**
+     * @param seconds The TTL (in seconds) for this message (optional).
+     * @return The Builder.
+     */
+    public Builder withTtl(long seconds) {
+      this.ttl = seconds;
+      return this;
+    }
+
+    /**
+     * @param delayWhileIdle Set GCM delay_while_idle (optional).
+     * @return The Builder.
+     */
+    public Builder withDelayWhileIdle(boolean delayWhileIdle) {
+      this.delayWhileIdle = delayWhileIdle;
+      return this;
+    }
+
+    /**
+     * Set a key in the GCM JSON payload delivered to the application (optional).
+     * @param key The key to set.
+     * @param value The value to set.
+     * @return The Builder.
+     */
+    public Builder withDataPart(String key, String value) {
+      if (data == null) {
+        data = new HashMap<>();
+      }
+      data.put(key, value);
+      return this;
+    }
+
+    /**
+     * Set the destination GCM registration ID (mandatory).
+     * @param registrationId The destination GCM registration ID.
+     * @return The Builder.
+     */
+    public Builder withDestination(String registrationId) {
+      this.registrationIds.clear();
+      this.registrationIds.add(registrationId);
+      return this;
+    }
+
+    /**
+     * Set the GCM message priority (optional).
+     *
+     * @param priority Valid values are "normal" and "high."
+     *                 On iOS, these correspond to APNs priority 5 and 10.
+     * @return The Builder.
+     */
+    public Builder withPriority(String priority) {
+      this.priority = priority;
+      return this;
+    }
+
+    /**
+     * Construct a message object.
+     *
+     * @return An immutable message object, as configured by this builder.
+     */
+    public Message build() {
+      if (registrationIds.isEmpty()) {
+        throw new IllegalArgumentException("You must specify a destination!");
+      }
+
+      return new Message(collapseKey, ttl, delayWhileIdle, data, registrationIds, priority);
+    }
+  }
+
+
+}

gcm-sender-async/src/main/java/org/whispersystems/gcm/server/Result.java

@@ -0,0 +1,80 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.gcm.server;
+
+/**
+ * The result of a GCM send operation.
+ */
+public class Result {
+
+  private final String canonicalRegistrationId;
+  private final String messageId;
+  private final String error;
+
+  Result(String canonicalRegistrationId, String messageId, String error) {
+    this.canonicalRegistrationId = canonicalRegistrationId;
+    this.messageId               = messageId;
+    this.error                   = error;
+  }
+
+  /**
+   * Returns the "canonical" GCM registration ID for this destination.
+   * See GCM documentation for details.
+   * @return The canonical GCM registration ID.
+   */
+  public String getCanonicalRegistrationId() {
+    return canonicalRegistrationId;
+  }
+
+  /**
+   * @return If a "canonical" GCM registration ID is present in the response.
+   */
+  public boolean hasCanonicalRegistrationId() {
+    return canonicalRegistrationId != null && !canonicalRegistrationId.isEmpty();
+  }
+
+  /**
+   * @return The assigned GCM message ID, if successful.
+   */
+  public String getMessageId() {
+    return messageId;
+  }
+
+  /**
+   * @return The raw error string, if present.
+   */
+  public String getError() {
+    return error;
+  }
+
+  /**
+   * @return If the send was a success.
+   */
+  public boolean isSuccess() {
+    return messageId != null && !messageId.isEmpty() && (error == null || error.isEmpty());
+  }
+
+  /**
+   * @return If the destination GCM registration ID is no longer registered.
+   */
+  public boolean isUnregistered() {
+    return "NotRegistered".equals(error);
+  }
+
+  /**
+   * @return If messages to this device are being throttled.
+   */
+  public boolean isThrottled() {
+    return "DeviceMessageRateExceeded".equals(error);
+  }
+
+  /**
+   * @return If the destination GCM registration ID is invalid.
+   */
+  public boolean isInvalidRegistrationId() {
+    return "InvalidRegistration".equals(error);
+  }
+
+}

gcm-sender-async/src/main/java/org/whispersystems/gcm/server/Sender.java

@@ -0,0 +1,154 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.gcm.server;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.common.annotations.VisibleForTesting;
+import io.github.resilience4j.retry.IntervalFunction;
+import io.github.resilience4j.retry.Retry;
+import io.github.resilience4j.retry.RetryConfig;
+import org.whispersystems.gcm.server.internal.GcmResponseEntity;
+import org.whispersystems.gcm.server.internal.GcmResponseListEntity;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse.BodyHandlers;
+import java.security.SecureRandom;
+import java.time.Duration;
+import java.util.List;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.CompletionException;
+import java.util.concurrent.Executors;
+import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.TimeoutException;
+
+/**
+ * The main interface to sending GCM messages.  Thread safe.
+ *
+ * @author Moxie Marlinspike
+ */
+public class Sender {
+
+  private static final String PRODUCTION_URL = "https://fcm.googleapis.com/fcm/send";
+
+  private final String                   authorizationHeader;
+  private final URI                      uri;
+  private final Retry                    retry;
+  private final ObjectMapper             mapper;
+  private final ScheduledExecutorService executorService;
+
+  private final HttpClient[] clients = new HttpClient[10];
+  private final SecureRandom random  = new SecureRandom();
+
+  /**
+   * Construct a Sender instance.
+   *
+   * @param apiKey Your application's GCM API key.
+   */
+  public Sender(String apiKey, ObjectMapper mapper) {
+    this(apiKey, mapper, 10);
+  }
+
+  /**
+   * Construct a Sender instance with a specified retry count.
+   *
+   * @param apiKey Your application's GCM API key.
+   * @param retryCount The number of retries to attempt on a network error or 500 response.
+   */
+  public Sender(String apiKey, ObjectMapper mapper, int retryCount) {
+    this(apiKey, mapper, retryCount, PRODUCTION_URL);
+  }
+
+  @VisibleForTesting
+  public Sender(String apiKey, ObjectMapper mapper, int retryCount, String url) {
+    this.mapper              = mapper;
+    this.executorService     = Executors.newSingleThreadScheduledExecutor();
+    this.uri                 = URI.create(url);
+    this.authorizationHeader = String.format("key=%s", apiKey);
+    this.retry               = Retry.of("fcm-sender", RetryConfig.custom()
+                                                                       .maxAttempts(retryCount)
+                                                                       .intervalFunction(IntervalFunction.ofExponentialRandomBackoff(Duration.ofMillis(100), 2.0))
+                                                                       .retryOnException(this::isRetryableException)
+                                                                       .build());
+
+    for (int i=0;i<clients.length;i++) {
+      this.clients[i] = HttpClient.newBuilder()
+                                  .version(HttpClient.Version.HTTP_2)
+                                  .connectTimeout(Duration.ofSeconds(10))
+                                  .build();
+    }
+  }
+
+  private boolean isRetryableException(Throwable throwable) {
+    while (throwable instanceof  CompletionException) {
+      throwable = throwable.getCause();
+    }
+
+    return throwable instanceof ServerFailedException ||
+           throwable instanceof  TimeoutException     ||
+           throwable instanceof  IOException;
+  }
+
+  /**
+   * Asynchronously send a message.
+   *
+   * @param message The message to send.
+   * @return A future.
+   */
+  public CompletableFuture<Result> send(Message message) {
+    try {
+      HttpRequest request = HttpRequest.newBuilder()
+                                       .uri(uri)
+                                       .header("Authorization", authorizationHeader)
+                                       .header("Content-Type", "application/json")
+                                       .POST(HttpRequest.BodyPublishers.ofString(message.serialize()))
+                                       .timeout(Duration.ofSeconds(10))
+                                       .build();
+
+      return retry.executeCompletionStage(executorService,
+                                          () -> getClient().sendAsync(request, BodyHandlers.ofByteArray())
+                                                      .thenApply(response -> {
+                                                        switch (response.statusCode()) {
+                                                          case 400: throw new CompletionException(new InvalidRequestException());
+                                                          case 401: throw new CompletionException(new AuthenticationFailedException());
+                                                          case 204:
+                                                          case 200: return response.body();
+                                                          default:  throw new CompletionException(new ServerFailedException("Bad status: " + response.statusCode()));
+                                                        }
+                                                      })
+                                                      .thenApply(responseBytes -> {
+                                                        try {
+                                                          List<GcmResponseEntity> responseList = mapper.readValue(responseBytes, GcmResponseListEntity.class).getResults();
+
+                                                          if (responseList == null || responseList.size() == 0) {
+                                                            throw new CompletionException(new IOException("Empty response list!"));
+                                                          }
+
+                                                          GcmResponseEntity responseEntity = responseList.get(0);
+
+                                                          return new Result(responseEntity.getCanonicalRegistrationId(),
+                                                                            responseEntity.getMessageId(),
+                                                                            responseEntity.getError());
+                                                        } catch (IOException e) {
+                                                          throw new CompletionException(e);
+                                                        }
+                                                      })).toCompletableFuture();
+    } catch (JsonProcessingException e) {
+      return CompletableFuture.failedFuture(e);
+    }
+  }
+
+  public Retry getRetry() {
+    return retry;
+  }
+
+  private HttpClient getClient() {
+    return clients[random.nextInt(clients.length)];
+  }
+
+}

gcm-sender-async/src/main/java/org/whispersystems/gcm/server/ServerFailedException.java

@@ -0,0 +1,15 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.gcm.server;
+
+public class ServerFailedException extends Exception {
+  public ServerFailedException(String message) {
+    super(message);
+  }
+
+  public ServerFailedException(Exception e) {
+    super(e);
+  }
+}

gcm-sender-async/src/main/java/org/whispersystems/gcm/server/internal/GcmRequestEntity.java

@@ -0,0 +1,46 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.gcm.server.internal;
+
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.util.List;
+import java.util.Map;
+
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class GcmRequestEntity {
+
+  @JsonProperty(value = "collapse_key")
+  private String collapseKey;
+
+  @JsonProperty(value = "time_to_live")
+  private Long ttl;
+
+  @JsonProperty(value = "delay_while_idle")
+  private Boolean delayWhileIdle;
+
+  @JsonProperty(value = "data")
+  private Map<String, String> data;
+
+  @JsonProperty(value = "registration_ids")
+  private List<String> registrationIds;
+
+  @JsonProperty
+  private String priority;
+
+  public GcmRequestEntity(String collapseKey, Long ttl, Boolean delayWhileIdle,
+                          Map<String, String> data, List<String> registrationIds,
+                          String priority)
+  {
+    this.collapseKey     = collapseKey;
+    this.ttl             = ttl;
+    this.delayWhileIdle  = delayWhileIdle;
+    this.data            = data;
+    this.registrationIds = registrationIds;
+    this.priority        = priority;
+  }
+}

gcm-sender-async/src/main/java/org/whispersystems/gcm/server/internal/GcmResponseEntity.java

@@ -0,0 +1,31 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.gcm.server.internal;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+public class GcmResponseEntity {
+
+  @JsonProperty(value = "message_id")
+  private String messageId;
+
+  @JsonProperty(value = "registration_id")
+  private String canonicalRegistrationId;
+
+  @JsonProperty
+  private String error;
+
+  public String getMessageId() {
+    return messageId;
+  }
+
+  public String getCanonicalRegistrationId() {
+    return canonicalRegistrationId;
+  }
+
+  public String getError() {
+    return error;
+  }
+}

gcm-sender-async/src/main/java/org/whispersystems/gcm/server/internal/GcmResponseListEntity.java

@@ -0,0 +1,19 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.gcm.server.internal;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.util.List;
+
+public class GcmResponseListEntity {
+
+  @JsonProperty
+  private List<GcmResponseEntity> results;
+
+  public List<GcmResponseEntity> getResults() {
+    return results;
+  }
+}

gcm-sender-async/src/test/java/org/whispersystems/gcm/server/MessageTest.java

@@ -0,0 +1,49 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.gcm.server;
+
+import org.junit.Test;
+
+import java.io.IOException;
+
+import static org.junit.Assert.assertEquals;
+import static org.whispersystems.gcm.server.util.JsonHelpers.jsonFixture;
+
+public class MessageTest {
+
+  @Test
+  public void testMinimal() throws IOException {
+    Message message = Message.newBuilder()
+                             .withDestination("1")
+                             .build();
+
+    assertEquals(message.serialize(), jsonFixture("fixtures/message-minimal.json"));
+  }
+
+  @Test
+  public void testComplete() throws IOException {
+    Message message = Message.newBuilder()
+                             .withDestination("1")
+                             .withCollapseKey("collapse")
+                             .withDelayWhileIdle(true)
+                             .withTtl(10)
+                             .withPriority("high")
+                             .build();
+
+    assertEquals(message.serialize(), jsonFixture("fixtures/message-complete.json"));
+  }
+
+  @Test
+  public void testWithData() throws IOException {
+    Message message = Message.newBuilder()
+                             .withDestination("2")
+                             .withDataPart("key1", "value1")
+                             .withDataPart("key2", "value2")
+                             .build();
+
+    assertEquals(message.serialize(), jsonFixture("fixtures/message-data.json"));
+  }
+
+}

gcm-sender-async/src/test/java/org/whispersystems/gcm/server/SenderTest.java

@@ -0,0 +1,200 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.gcm.server;
+
+import static com.github.tomakehurst.wiremock.client.WireMock.aResponse;
+import static com.github.tomakehurst.wiremock.client.WireMock.any;
+import static com.github.tomakehurst.wiremock.client.WireMock.anyRequestedFor;
+import static com.github.tomakehurst.wiremock.client.WireMock.anyUrl;
+import static com.github.tomakehurst.wiremock.client.WireMock.equalTo;
+import static com.github.tomakehurst.wiremock.client.WireMock.ok;
+import static com.github.tomakehurst.wiremock.client.WireMock.postRequestedFor;
+import static com.github.tomakehurst.wiremock.client.WireMock.urlEqualTo;
+import static com.github.tomakehurst.wiremock.client.WireMock.verify;
+import static com.github.tomakehurst.wiremock.core.WireMockConfiguration.options;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+import static org.whispersystems.gcm.server.util.FixtureHelpers.fixture;
+import static org.whispersystems.gcm.server.util.JsonHelpers.jsonFixture;
+
+import com.fasterxml.jackson.annotation.JsonAutoDetect;
+import com.fasterxml.jackson.annotation.PropertyAccessor;
+import com.fasterxml.jackson.databind.DeserializationFeature;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.github.tomakehurst.wiremock.client.CountMatchingStrategy;
+import com.github.tomakehurst.wiremock.junit.WireMockRule;
+import java.io.IOException;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
+import org.junit.Rule;
+import org.junit.Test;
+
+public class SenderTest {
+
+  @Rule
+  public WireMockRule wireMock = new WireMockRule(options().dynamicPort().dynamicHttpsPort());
+
+  private static final ObjectMapper mapper = new ObjectMapper();
+
+  static {
+    mapper.setVisibility(PropertyAccessor.ALL, JsonAutoDetect.Visibility.NONE);
+    mapper.setVisibility(PropertyAccessor.FIELD, JsonAutoDetect.Visibility.ANY);
+    mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
+  }
+
+  @Test
+  public void testSuccess() throws InterruptedException, ExecutionException, TimeoutException, IOException {
+    wireMock.stubFor(any(anyUrl())
+        .willReturn(aResponse()
+            .withStatus(200)
+            .withBody(fixture("fixtures/response-success.json"))));
+
+
+    Sender                    sender = new Sender("foobarbaz", mapper, 10, "http://localhost:" + wireMock.port() + "/gcm/send");
+    CompletableFuture<Result> future = sender.send(Message.newBuilder().withDestination("1").build());
+
+    Result result = future.get(10, TimeUnit.SECONDS);
+
+    assertTrue(result.isSuccess());
+    assertFalse(result.isThrottled());
+    assertFalse(result.isUnregistered());
+    assertEquals(result.getMessageId(), "1:08");
+    assertNull(result.getError());
+    assertNull(result.getCanonicalRegistrationId());
+
+    verify(1, postRequestedFor(urlEqualTo("/gcm/send"))
+        .withHeader("Authorization", equalTo("key=foobarbaz"))
+        .withHeader("Content-Type", equalTo("application/json"))
+        .withRequestBody(equalTo(jsonFixture("fixtures/message-minimal.json"))));
+  }
+
+  @Test
+  public void testBadApiKey() throws InterruptedException, TimeoutException {
+    wireMock.stubFor(any(anyUrl())
+        .willReturn(aResponse()
+            .withStatus(401)));
+
+    Sender                    sender = new Sender("foobar", mapper, 10, "http://localhost:" + wireMock.port() + "/gcm/send");
+    CompletableFuture<Result> future = sender.send(Message.newBuilder().withDestination("1").build());
+
+    try {
+      future.get(10, TimeUnit.SECONDS);
+      throw new AssertionError();
+    } catch (ExecutionException ee) {
+      assertTrue(ee.getCause() instanceof AuthenticationFailedException);
+    }
+
+    verify(1, anyRequestedFor(anyUrl()));
+  }
+
+  @Test
+  public void testBadRequest() throws TimeoutException, InterruptedException {
+    wireMock.stubFor(any(anyUrl())
+        .willReturn(aResponse()
+            .withStatus(400)));
+
+    Sender                    sender = new Sender("foobarbaz", mapper, 10, "http://localhost:" + wireMock.port() + "/gcm/send");
+    CompletableFuture<Result> future = sender.send(Message.newBuilder().withDestination("1").build());
+
+    try {
+      future.get(10, TimeUnit.SECONDS);
+      throw new AssertionError();
+    } catch (ExecutionException e) {
+      assertTrue(e.getCause() instanceof InvalidRequestException);
+    }
+
+    verify(1, anyRequestedFor(anyUrl()));
+  }
+
+  @Test
+  public void testServerError() throws TimeoutException, InterruptedException {
+    wireMock.stubFor(any(anyUrl())
+        .willReturn(aResponse()
+            .withStatus(503)));
+
+    Sender                    sender = new Sender("foobarbaz", mapper, 3, "http://localhost:" + wireMock.port() + "/gcm/send");
+    CompletableFuture<Result> future = sender.send(Message.newBuilder().withDestination("1").build());
+
+    try {
+      future.get(10, TimeUnit.SECONDS);
+      throw new AssertionError();
+    } catch (ExecutionException ee) {
+      assertTrue(ee.getCause() instanceof ServerFailedException);
+    }
+
+    verify(3, anyRequestedFor(anyUrl()));
+  }
+
+  @Test
+  public void testServerErrorRecovery() throws InterruptedException, ExecutionException, TimeoutException {
+
+    wireMock.stubFor(any(anyUrl()).willReturn(aResponse().withStatus(503)));
+
+    Sender                    sender = new Sender("foobarbaz", mapper, 4, "http://localhost:" + wireMock.port() + "/gcm/send");
+    CompletableFuture<Result> future = sender.send(Message.newBuilder().withDestination("1").build());
+
+    // up to three failures can happen, with 100ms exponential backoff
+    // if we end up using the fourth, and finaly try, it would be after ~700 ms
+    CompletableFuture.delayedExecutor(300, TimeUnit.MILLISECONDS).execute(() ->
+        wireMock.stubFor(any(anyUrl())
+            .willReturn(aResponse()
+                .withStatus(200)
+                .withBody(fixture("fixtures/response-success.json"))))
+    );
+
+    Result result = future.get(10, TimeUnit.SECONDS);
+
+    verify(new CountMatchingStrategy(CountMatchingStrategy.GREATER_THAN, 1), anyRequestedFor(anyUrl()));
+    assertTrue(result.isSuccess());
+    assertFalse(result.isThrottled());
+    assertFalse(result.isUnregistered());
+    assertEquals(result.getMessageId(), "1:08");
+    assertNull(result.getError());
+    assertNull(result.getCanonicalRegistrationId());
+  }
+
+  @Test
+  public void testNetworkError() throws TimeoutException, InterruptedException {
+
+    wireMock.stubFor(any(anyUrl())
+        .willReturn(ok()));
+
+    Sender sender = new Sender("foobarbaz", mapper ,2, "http://localhost:" + wireMock.port() + "/gcm/send");
+
+    wireMock.stop();
+
+    CompletableFuture<Result> future = sender.send(Message.newBuilder().withDestination("1").build());
+
+    try {
+      future.get(10, TimeUnit.SECONDS);
+    } catch (ExecutionException e) {
+      assertTrue(e.getCause() instanceof IOException);
+    }
+  }
+
+  @Test
+  public void testNotRegistered() throws InterruptedException, ExecutionException, TimeoutException {
+
+    wireMock.stubFor(any(anyUrl()).willReturn(aResponse().withStatus(200)
+        .withBody(fixture("fixtures/response-not-registered.json"))));
+
+    Sender                    sender = new Sender("foobarbaz", mapper,2, "http://localhost:" + wireMock.port() + "/gcm/send");
+    CompletableFuture<Result> future = sender.send(Message.newBuilder()
+                                                         .withDestination("2")
+                                                         .withDataPart("message", "new message!")
+                                                         .build());
+
+    Result result = future.get(10, TimeUnit.SECONDS);
+
+    assertFalse(result.isSuccess());
+    assertTrue(result.isUnregistered());
+    assertFalse(result.isThrottled());
+    assertEquals(result.getError(), "NotRegistered");
+  }
+}

gcm-sender-async/src/test/java/org/whispersystems/gcm/server/SimultaneousSenderTest.java

@@ -0,0 +1,89 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.gcm.server;
+
+import static com.github.tomakehurst.wiremock.client.WireMock.aResponse;
+import static com.github.tomakehurst.wiremock.client.WireMock.post;
+import static com.github.tomakehurst.wiremock.client.WireMock.stubFor;
+import static com.github.tomakehurst.wiremock.client.WireMock.urlPathEqualTo;
+import static junit.framework.TestCase.assertTrue;
+import static org.whispersystems.gcm.server.util.FixtureHelpers.fixture;
+
+import com.fasterxml.jackson.annotation.JsonAutoDetect;
+import com.fasterxml.jackson.annotation.PropertyAccessor;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.DeserializationFeature;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.github.tomakehurst.wiremock.core.WireMockConfiguration;
+import com.github.tomakehurst.wiremock.junit.WireMockRule;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
+import org.junit.Ignore;
+import org.junit.Rule;
+import org.junit.Test;
+
+public class SimultaneousSenderTest {
+
+  @Rule
+  public WireMockRule wireMock = new WireMockRule(WireMockConfiguration.options().dynamicPort().dynamicHttpsPort());
+
+  private static final ObjectMapper mapper = new ObjectMapper();
+
+  static {
+    mapper.setVisibility(PropertyAccessor.ALL, JsonAutoDetect.Visibility.NONE);
+    mapper.setVisibility(PropertyAccessor.FIELD, JsonAutoDetect.Visibility.ANY);
+    mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
+  }
+
+  @Test
+  public void testSimultaneousSuccess() throws TimeoutException, InterruptedException, ExecutionException, JsonProcessingException {
+    stubFor(post(urlPathEqualTo("/gcm/send"))
+                .willReturn(aResponse()
+                                .withStatus(200)
+                                .withBody(fixture("fixtures/response-success.json"))));
+
+    Sender                          sender  = new Sender("foobarbaz", mapper, 2, "http://localhost:" + wireMock.port() + "/gcm/send");
+    List<CompletableFuture<Result>> results = new LinkedList<>();
+
+    for (int i=0;i<1000;i++) {
+      results.add(sender.send(Message.newBuilder().withDestination("1").build()));
+    }
+
+    for (CompletableFuture<Result> future : results) {
+      Result result = future.get(60, TimeUnit.SECONDS);
+
+      if (!result.isSuccess()) {
+        throw new AssertionError(result.getError());
+      }
+    }
+  }
+
+  @Test
+  @Ignore
+  public void testSimultaneousFailure() throws TimeoutException, InterruptedException {
+    stubFor(post(urlPathEqualTo("/gcm/send"))
+                .willReturn(aResponse()
+                                .withStatus(503)));
+
+    Sender                         sender   = new Sender("foobarbaz", mapper, 2, "http://localhost:" + wireMock.port() + "/gcm/send");
+    List<CompletableFuture<Result>> futures = new LinkedList<>();
+
+    for (int i=0;i<1000;i++) {
+      futures.add(sender.send(Message.newBuilder().withDestination("1").build()));
+    }
+
+    for (CompletableFuture<Result> future : futures) {
+      try {
+        Result result = future.get(60, TimeUnit.SECONDS);
+      } catch (ExecutionException e) {
+        assertTrue(e.getCause().toString(), e.getCause() instanceof ServerFailedException);
+      }
+    }
+  }
+}

gcm-sender-async/src/test/java/org/whispersystems/gcm/server/util/FixtureHelpers.java

@@ -0,0 +1,47 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.gcm.server.util;
+
+import com.google.common.base.Charsets;
+import com.google.common.io.Resources;
+
+import java.io.IOException;
+import java.nio.charset.Charset;
+
+/**
+ * A set of helper method for fixture files.
+ */
+public class FixtureHelpers {
+  private FixtureHelpers() { /* singleton */ }
+
+  /**
+   * Reads the given fixture file from the classpath (e. g. {@code src/test/resources})
+   * and returns its contents as a UTF-8 string.
+   *
+   * @param filename the filename of the fixture file
+   * @return the contents of {@code src/test/resources/{filename}}
+   * @throws IllegalArgumentException if an I/O error occurs.
+   */
+  public static String fixture(String filename) {
+    return fixture(filename, Charsets.UTF_8);
+  }
+
+  /**
+   * Reads the given fixture file from the classpath (e. g. {@code src/test/resources})
+   * and returns its contents as a string.
+   *
+   * @param filename the filename of the fixture file
+   * @param charset  the character set of {@code filename}
+   * @return the contents of {@code src/test/resources/{filename}}
+   * @throws IllegalArgumentException if an I/O error occurs.
+   */
+  private static String fixture(String filename, Charset charset) {
+    try {
+      return Resources.toString(Resources.getResource(filename), charset).trim();
+    } catch (IOException e) {
+      throw new IllegalArgumentException(e);
+    }
+  }
+}

gcm-sender-async/src/test/java/org/whispersystems/gcm/server/util/JsonHelpers.java

@@ -0,0 +1,30 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.gcm.server.util;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import java.io.IOException;
+
+import static org.whispersystems.gcm.server.util.FixtureHelpers.fixture;
+
+public class JsonHelpers {
+
+  private static final ObjectMapper objectMapper = new ObjectMapper();
+
+  public static String asJson(Object object) throws JsonProcessingException {
+    return objectMapper.writeValueAsString(object);
+  }
+
+  public static <T> T fromJson(String value, Class<T> clazz) throws IOException {
+    return objectMapper.readValue(value, clazz);
+  }
+
+  public static String jsonFixture(String filename) throws IOException {
+    return objectMapper.writeValueAsString(objectMapper.readValue(fixture(filename), JsonNode.class));
+  }
+}

gcm-sender-async/src/test/resources/fixtures/message-complete.json

@@ -0,0 +1,7 @@
+{
+  "priority" : "high",
+  "collapse_key" : "collapse",
+  "time_to_live" : 10,
+  "delay_while_idle" : true,
+  "registration_ids" : ["1"]
+}

gcm-sender-async/src/test/resources/fixtures/message-data.json

@@ -0,0 +1,7 @@
+{
+  "data" : {
+    "key1" : "value1",
+    "key2" : "value2"
+  },
+  "registration_ids" : ["2"]
+}

gcm-sender-async/src/test/resources/fixtures/message-minimal.json

@@ -0,0 +1,3 @@
+{
+  "registration_ids" : ["1"]
+}

gcm-sender-async/src/test/resources/fixtures/response-not-registered.json

@@ -0,0 +1,8 @@
+{ "multicast_id": 216,
+  "success": 0,
+  "failure": 1,
+  "canonical_ids": 0,
+  "results": [
+    { "error": "NotRegistered"}
+  ]
+}

gcm-sender-async/src/test/resources/fixtures/response-success.json

@@ -0,0 +1,8 @@
+{ "multicast_id": 108,
+  "success": 1,
+  "failure": 0,
+  "canonical_ids": 0,
+  "results": [
+    { "message_id": "1:08" }
+  ]
+}

gcm-sender-async/src/test/resources/logback-test.xml

@@ -0,0 +1,8 @@
+<configuration>
+  <!-- Turning down the wiremock logging -->
+  <logger name="com.github.tomakehurst.wiremock" level="WARN"/>
+  <logger name="wiremock.org" level="ERROR"/>
+  <logger name="WireMock" level="WARN"/>
+  <!-- wiremock has per endpoint servlet logging -->
+  <logger name="/" level="WARN"/>
+</configuration>

pom.xml

@@ -1,224 +1,409 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0"
-         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <prerequisites>
-        <maven>3.0.0</maven>
-    </prerequisites>
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <packaging>pom</packaging>
 
-    <groupId>org.whispersystems.textsecure</groupId>
-    <artifactId>TextSecureServer</artifactId>
-    <version>0.4</version>
+  <repositories>
+    <repository>
+      <id>central</id>
+      <name>Central Repository</name>
+      <url>https://repo.maven.apache.org/maven2</url>
+      <snapshots>
+        <enabled>false</enabled>
+      </snapshots>
+    </repository>
+    <repository>
+      <id>dynamodb-local-oregon</id>
+      <name>DynamoDB Local Release Repository</name>
+      <url>https://s3-us-west-2.amazonaws.com/dynamodb-local/release</url>
+    </repository>
+  </repositories>
 
+  <modules>
+    <module>redis-dispatch</module>
+    <module>websocket-resources</module>
+    <module>gcm-sender-async</module>
+    <module>service</module>
+  </modules>
+
+  <properties>
+    <aws.sdk.version>1.11.939</aws.sdk.version>
+    <aws.sdk2.version>2.16.66</aws.sdk2.version>
+    <commons-codec.version>1.15</commons-codec.version>
+    <commons-csv.version>1.8</commons-csv.version>
+    <commons-io.version>2.9.0</commons-io.version>
+    <dropwizard.version>2.0.22</dropwizard.version>
+    <dropwizard-metrics-datadog.version>1.1.13</dropwizard-metrics-datadog.version>
+    <guava.version>30.1.1-jre</guava.version>
+    <jaxb.version>2.3.1</jaxb.version>
+    <jedis.version>2.9.0</jedis.version>
+    <lettuce.version>6.0.4.RELEASE</lettuce.version>
+    <libphonenumber.version>8.12.23</libphonenumber.version>
+    <logstash.logback.version>6.6</logstash.logback.version>
+    <micrometer.version>1.5.3</micrometer.version>
+    <mockito.version>3.11.1</mockito.version>
+    <netty.version>4.1.65.Final</netty.version>
+    <netty.tcnative-boringssl-static.version>2.0.39.Final</netty.tcnative-boringssl-static.version>
+    <opentest4j.version>1.2.0</opentest4j.version>
+    <postgresql.version>9.4-1201-jdbc41</postgresql.version>
+    <protobuf.version>3.17.1</protobuf.version>
+    <pushy.version>0.15.0</pushy.version>
+    <resilience4j.version>1.5.0</resilience4j.version>
+    <semver4j.version>3.1.0</semver4j.version>
+    <slf4j.version>1.7.30</slf4j.version>
+
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+  </properties>
+
+  <groupId>org.whispersystems.textsecure</groupId>
+  <artifactId>TextSecureServer</artifactId>
+  <version>JGITVER</version>
+
+  <dependencyManagement>
     <dependencies>
-        <dependency>
-            <groupId>bouncycastle</groupId>
-            <artifactId>bcprov-jdk16</artifactId>
-            <version>140</version>
-        </dependency>
-        <dependency>
-            <groupId>com.yammer.dropwizard</groupId>
-            <artifactId>dropwizard-core</artifactId>
-            <version>0.6.2</version>
-        </dependency>
-        <dependency>
-            <groupId>com.yammer.metrics</groupId>
-            <artifactId>metrics-graphite</artifactId>
-            <version>2.2.0</version>
-        </dependency>
-        <dependency>
-            <groupId>com.google.android.gcm</groupId>
-            <artifactId>gcm-server</artifactId>
-            <version>1.0.2</version>
-        </dependency>
-        <dependency>
-            <groupId>com.google.code.gson</groupId>
-            <artifactId>gson</artifactId>
-            <version>2.2.2</version>
-        </dependency>
-        <dependency>
-            <groupId>net.spy</groupId>
-            <artifactId>spymemcached</artifactId>
-            <version>2.10.1</version>
-        </dependency>
-        <dependency>
-            <groupId>com.notnoop.apns</groupId>
-            <artifactId>apns</artifactId>
-            <version>0.2.3</version>
-        </dependency>
+      <dependency>
+        <groupId>io.dropwizard</groupId>
+        <artifactId>dropwizard-dependencies</artifactId>
+        <version>${dropwizard.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-bom</artifactId>
+        <version>${netty.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+      <dependency>
+        <groupId>com.amazonaws</groupId>
+        <artifactId>aws-java-sdk-bom</artifactId>
+        <version>${aws.sdk.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+      <dependency>
+        <groupId>software.amazon.awssdk</groupId>
+        <artifactId>bom</artifactId>
+        <version>${aws.sdk2.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+      <dependency>
+        <groupId>com.google.cloud</groupId>
+        <artifactId>libraries-bom</artifactId>
+        <version>20.9.0</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+      <dependency>
+        <groupId>io.github.resilience4j</groupId>
+        <artifactId>resilience4j-bom</artifactId>
+        <version>${resilience4j.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+      <dependency>
+        <groupId>io.micrometer</groupId>
+        <artifactId>micrometer-bom</artifactId>
+        <version>${micrometer.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
 
-        <dependency>
-            <groupId>com.amazonaws</groupId>
-            <artifactId>aws-java-sdk</artifactId>
-            <version>1.4.1</version>
-        </dependency>
-        <dependency>
-            <groupId>com.google.protobuf</groupId>
-            <artifactId>protobuf-java</artifactId>
-            <version>2.4.1</version>
-        </dependency>
-
-        <dependency>
-            <groupId>redis.clients</groupId>
-            <artifactId>jedis</artifactId>
-            <version>2.2.1</version>
-            <type>jar</type>
-            <scope>compile</scope>
-        </dependency>
-        <dependency>
-            <groupId>com.yammer.dropwizard</groupId>
-            <artifactId>dropwizard-jdbi</artifactId>
-            <version>0.6.2</version>
-        </dependency>
-        <dependency>
-            <groupId>com.yammer.dropwizard</groupId>
-            <artifactId>dropwizard-auth</artifactId>
-            <version>0.6.2</version>
-        </dependency>
-        <dependency>
-            <groupId>com.yammer.dropwizard</groupId>
-            <artifactId>dropwizard-client</artifactId>
-            <version>0.6.2</version>
-        </dependency>
-        <dependency>
-            <groupId>com.yammer.dropwizard</groupId>
-            <artifactId>dropwizard-migrations</artifactId>
-            <version>0.6.2</version>
-        </dependency>
-        <dependency>
-            <groupId>com.yammer.dropwizard</groupId>
-            <artifactId>dropwizard-testing</artifactId>
-            <version>0.6.2</version>
-        </dependency>
-        <dependency>
-            <groupId>com.twilio.sdk</groupId>
-            <artifactId>twilio-java-sdk</artifactId>
-            <version>3.4.1</version>
-        </dependency>
-
-        <dependency>
-            <groupId>postgresql</groupId>
-            <artifactId>postgresql</artifactId>
-            <version>9.1-901.jdbc4</version>
-        </dependency>
-
-        <dependency>
-            <groupId>com.sun.jersey</groupId>
-            <artifactId>jersey-json</artifactId>
-            <version>1.17.1</version>
-        </dependency>
-
-        <dependency>
-            <groupId>org.eclipse.jetty</groupId>
-            <artifactId>jetty-websocket</artifactId>
-            <version>8.1.14.v20131031</version>
-        </dependency>
-
-        <dependency>
-            <groupId>org.coursera</groupId>
-            <artifactId>metrics-datadog</artifactId>
-            <version>0.1.5</version>
-        </dependency>
+      <dependency>
+        <groupId>com.eatthepath</groupId>
+        <artifactId>pushy</artifactId>
+        <version>${pushy.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>com.eatthepath</groupId>
+        <artifactId>pushy-dropwizard-metrics-listener</artifactId>
+        <version>${pushy.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>com.google.guava</groupId>
+        <artifactId>guava</artifactId>
+        <version>${guava.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>com.google.protobuf</groupId>
+        <artifactId>protobuf-java</artifactId>
+        <version>${protobuf.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>com.googlecode.libphonenumber</groupId>
+        <artifactId>libphonenumber</artifactId>
+        <version>${libphonenumber.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>com.vdurmont</groupId>
+        <artifactId>semver4j</artifactId>
+        <version>${semver4j.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>commons-codec</groupId>
+        <artifactId>commons-codec</artifactId>
+        <version>${commons-codec.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>commons-io</groupId>
+        <artifactId>commons-io</artifactId>
+        <version>${commons-io.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.lettuce</groupId>
+        <artifactId>lettuce-core</artifactId>
+        <version>${lettuce.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-tcnative-boringssl-static</artifactId>
+        <version>${netty.tcnative-boringssl-static.version}</version>
+        <scope>runtime</scope>
+      </dependency>
+      <dependency>
+        <groupId>javax.xml.bind</groupId>
+        <artifactId>jaxb-api</artifactId>
+        <version>${jaxb.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>net.logstash.logback</groupId>
+        <artifactId>logstash-logback-encoder</artifactId>
+        <version>${logstash.logback.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.apache.commons</groupId>
+        <artifactId>commons-csv</artifactId>
+        <version>${commons-csv.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.coursera</groupId>
+        <artifactId>dropwizard-metrics-datadog</artifactId>
+        <version>${dropwizard-metrics-datadog.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.glassfish.jaxb</groupId>
+        <artifactId>jaxb-runtime</artifactId>
+        <version>${jaxb.version}</version>
+        <scope>runtime</scope>
+      </dependency>
+      <dependency>
+        <groupId>org.mockito</groupId>
+        <artifactId>mockito-core</artifactId>
+        <version>${mockito.version}</version>
+        <scope>test</scope>
+      </dependency>
+      <dependency>
+        <groupId>org.mockito</groupId>
+        <artifactId>mockito-inline</artifactId>
+        <version>${mockito.version}</version>
+        <scope>test</scope>
+      </dependency>
+      <dependency>
+        <groupId>org.opentest4j</groupId>
+        <artifactId>opentest4j</artifactId>
+        <version>${opentest4j.version}</version>
+        <scope>test</scope>
+      </dependency>
+      <dependency>
+        <groupId>org.postgresql</groupId>
+        <artifactId>postgresql</artifactId>
+        <version>${postgresql.version}</version>
+        <scope>runtime</scope>
+      </dependency>
+      <dependency>
+        <groupId>org.slf4j</groupId>
+        <artifactId>slf4j-api</artifactId>
+        <version>${slf4j.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.slf4j</groupId>
+        <artifactId>slf4j-nop</artifactId>
+        <version>${slf4j.version}</version>
+        <scope>test</scope>
+      </dependency>
+      <dependency>
+        <groupId>redis.clients</groupId>
+        <artifactId>jedis</artifactId>
+        <version>${jedis.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>commons-logging</groupId>
+        <artifactId>commons-logging</artifactId>
+        <version>1.2</version>
+      </dependency>
     </dependencies>
+  </dependencyManagement>
 
-    <build>
-        <plugins>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-compiler-plugin</artifactId>
-                <configuration>
-                    <source>1.7</source>
-                    <target>1.7</target>
-                </configuration>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-source-plugin</artifactId>
-                <version>2.2.1</version>
-                <executions>
-                    <execution>
-                        <id>attach-sources</id>
-                        <goals>
-                            <goal>jar</goal>
-                        </goals>
-                    </execution>
-                </executions>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-jar-plugin</artifactId>
-                <version>2.4</version>
-                <configuration>
-                    <archive>
-                        <manifest>
-                            <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
-                        </manifest>
-                    </archive>
-                </configuration>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-shade-plugin</artifactId>
-                <version>1.6</version>
-                <configuration>
-                    <createDependencyReducedPom>true</createDependencyReducedPom>
-                    <filters>
-                        <filter>
-                            <artifact>*:*</artifact>
-                            <excludes>
-                                <exclude>META-INF/*.SF</exclude>
-                                <exclude>META-INF/*.DSA</exclude>
-                                <exclude>META-INF/*.RSA</exclude>
-                            </excludes>
-                        </filter>
-                    </filters>
-                </configuration>
-                <executions>
-                    <execution>
-                        <phase>package</phase>
-                        <goals>
-                            <goal>shade</goal>
-                        </goals>
-                        <configuration>
-                            <transformers>
-                                <transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer"/>
-                                <transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
-                                    <mainClass>org.whispersystems.textsecuregcm.WhisperServerService</mainClass>
-                                </transformer>
-                            </transformers>
-                        </configuration>
-                    </execution>
-                </executions>
-            </plugin>
+  <dependencies>
+    <dependency>
+      <groupId>org.hamcrest</groupId>
+      <artifactId>hamcrest-all</artifactId>
+      <version>1.3</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>com.github.tomakehurst</groupId>
+      <artifactId>wiremock-jre8</artifactId>
+      <version>2.28.1</version>
+      <scope>test</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>org.hamcrest</groupId>
+          <artifactId>hamcrest-core</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>javax.xml.bind</groupId>
+          <artifactId>jaxb-api</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+    <dependency>
+      <groupId>org.mockito</groupId>
+      <artifactId>mockito-core</artifactId>
+      <version>${mockito.version}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.assertj</groupId>
+      <artifactId>assertj-core</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <scope>test</scope>
+    </dependency>
 
-            <plugin>
-                <artifactId>maven-assembly-plugin</artifactId>
-                <version>2.4</version>
-                <configuration>
-                    <descriptors>
-                        <descriptor>assembly.xml</descriptor>
-                    </descriptors>
-                </configuration>
-                <executions>
-                    <execution>
-                        <id>make-assembly</id> <!-- this is used for inheritance merges -->
-                        <phase>package</phase> <!-- bind to the packaging phase -->
-                        <goals>
-                            <goal>single</goal>
-                        </goals>
-                    </execution>
-                </executions>
-            </plugin>
+  </dependencies>
 
-        </plugins>
-    </build>
+  <build>
+    <extensions>
+      <extension>
+        <groupId>kr.motd.maven</groupId>
+        <artifactId>os-maven-plugin</artifactId>
+        <version>1.7.0</version>
+      </extension>
+    </extensions>
+    <plugins>
 
-    <repositories>
-        <repository>
-            <id>gcm-server-repository</id>
-            <url>https://raw.github.com/whispersystems/maven/master/gcm-server/releases/</url>
-        </repository>
-    </repositories>
+      <plugin>
+        <groupId>org.xolstice.maven.plugins</groupId>
+        <artifactId>protobuf-maven-plugin</artifactId>
+        <version>0.6.1</version>
+        <configuration>
+          <protocArtifact>com.google.protobuf:protoc:3.17.2:exe:${os.detected.classifier}</protocArtifact>
+        </configuration>
+        <executions>
+          <execution>
+            <goals>
+              <goal>compile</goal>
+              <goal>test-compile</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <version>3.8.1</version>
+        <configuration>
+          <source>11</source>
+          <target>11</target>
+        </configuration>
+      </plugin>
+
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-jar-plugin</artifactId>
+        <version>3.2.0</version>
+        <configuration>
+          <archive>
+            <manifest>
+              <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
+            </manifest>
+          </archive>
+        </configuration>
+      </plugin>
+
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-dependency-plugin</artifactId>
+        <version>3.1.2</version>
+        <executions>
+          <execution>
+            <id>copy</id>
+            <phase>test-compile</phase>
+            <goals>
+              <goal>copy-dependencies</goal>
+            </goals>
+            <configuration>
+              <includeScope>test</includeScope>
+              <includeTypes>so,dll,dylib</includeTypes>
+              <outputDirectory>${project.build.directory}/lib</outputDirectory>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <version>3.0.0-M5</version>
+        <configuration>
+          <systemProperties>
+            <property>
+              <name>sqlite4java.library.path</name>
+              <value>${project.build.directory}/lib</value>
+            </property>
+          </systemProperties>
+        </configuration>
+      </plugin>
+
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-enforcer-plugin</artifactId>
+        <version>3.0.0-M3</version>
+        <executions>
+          <execution>
+            <goals>
+              <goal>enforce</goal>
+            </goals>
+            <configuration>
+              <rules>
+                <dependencyConvergence/>
+                <requireMavenVersion>
+                  <version>3.0.0</version>
+                </requireMavenVersion>
+              </rules>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-install-plugin</artifactId>
+        <version>3.0.0-M1</version>
+        <configuration>
+          <skip>true</skip>
+        </configuration>
+      </plugin>
+
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-deploy-plugin</artifactId>
+        <version>3.0.0-M1</version>
+        <configuration>
+          <skip>true</skip>
+        </configuration>
+      </plugin>
+
+    </plugins>
+  </build>
 
 </project>

protobuf/Makefile

@@ -1,3 +0,0 @@
-
-all:
-	protoc --java_out=../src/main/java/ OutgoingMessageSignal.proto

protobuf/OutgoingMessageSignal.proto

@@ -1,30 +0,0 @@
-/**
- * Copyright (C) 2013 Open WhisperSystems
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- */
-package textsecure;
-
-option java_package = "org.whispersystems.textsecuregcm.entities";
-option java_outer_classname = "MessageProtos";
-
-message OutgoingMessageSignal {
-  optional uint32 type = 1;
-  optional string source = 2;
-  optional  uint32 sourceDevice = 7;
-  optional string relay = 3;
-//  repeated string destinations = 4;
-  optional uint64 timestamp = 5;
-  optional bytes message = 6;
-}

redis-dispatch/pom.xml

@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <artifactId>TextSecureServer</artifactId>
+    <groupId>org.whispersystems.textsecure</groupId>
+    <version>JGITVER</version>
+  </parent>
+  <modelVersion>4.0.0</modelVersion>
+  <artifactId>redis-dispatch</artifactId>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-api</artifactId>
+    </dependency>
+  </dependencies>
+
+</project>

redis-dispatch/src/main/java/org/whispersystems/dispatch/DispatchChannel.java

@@ -0,0 +1,11 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.dispatch;
+
+public interface DispatchChannel {
+  void onDispatchMessage(String channel, byte[] message);
+  void onDispatchSubscribed(String channel);
+  void onDispatchUnsubscribed(String channel);
+}

redis-dispatch/src/main/java/org/whispersystems/dispatch/DispatchManager.java

@@ -0,0 +1,157 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.dispatch;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.whispersystems.dispatch.io.RedisPubSubConnectionFactory;
+import org.whispersystems.dispatch.redis.PubSubConnection;
+import org.whispersystems.dispatch.redis.PubSubReply;
+
+import java.io.IOException;
+import java.util.Map;
+import java.util.Optional;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.Executor;
+import java.util.concurrent.Executors;
+
+@SuppressWarnings("OptionalUsedAsFieldOrParameterType")
+public class DispatchManager extends Thread {
+
+  private final Logger                       logger        = LoggerFactory.getLogger(DispatchManager.class);
+  private final Executor                     executor      = Executors.newCachedThreadPool();
+  private final Map<String, DispatchChannel> subscriptions = new ConcurrentHashMap<>();
+
+  private final Optional<DispatchChannel>    deadLetterChannel;
+  private final RedisPubSubConnectionFactory redisPubSubConnectionFactory;
+
+  private          PubSubConnection pubSubConnection;
+  private volatile boolean          running;
+
+  public DispatchManager(RedisPubSubConnectionFactory redisPubSubConnectionFactory,
+                         Optional<DispatchChannel> deadLetterChannel)
+  {
+    this.redisPubSubConnectionFactory = redisPubSubConnectionFactory;
+    this.deadLetterChannel            = deadLetterChannel;
+  }
+
+  @Override
+  public void start() {
+    this.pubSubConnection = redisPubSubConnectionFactory.connect();
+    this.running          = true;
+    super.start();
+  }
+
+  public void shutdown() {
+    this.running = false;
+    this.pubSubConnection.close();
+  }
+
+  public synchronized void subscribe(String name, DispatchChannel dispatchChannel) {
+    Optional<DispatchChannel> previous = Optional.ofNullable(subscriptions.get(name));
+    subscriptions.put(name, dispatchChannel);
+
+    try {
+      pubSubConnection.subscribe(name);
+    } catch (IOException e) {
+      logger.warn("Subscription error", e);
+    }
+
+    previous.ifPresent(channel -> dispatchUnsubscription(name, channel));
+  }
+
+  public synchronized void unsubscribe(String name, DispatchChannel channel) {
+    Optional<DispatchChannel> subscription = Optional.ofNullable(subscriptions.get(name));
+
+    if (subscription.isPresent() && subscription.get() == channel) {
+      subscriptions.remove(name);
+
+      try {
+        pubSubConnection.unsubscribe(name);
+      } catch (IOException e) {
+        logger.warn("Unsubscribe error", e);
+      }
+
+      dispatchUnsubscription(name, subscription.get());
+    }
+  }
+
+  public boolean hasSubscription(String name) {
+    return subscriptions.containsKey(name);
+  }
+  
+  @Override
+  public void run() {
+    while (running) {
+      try {
+        PubSubReply reply = pubSubConnection.read();
+
+        switch (reply.getType()) {
+          case UNSUBSCRIBE:                             break;
+          case SUBSCRIBE:   dispatchSubscribe(reply);   break;
+          case MESSAGE:     dispatchMessage(reply);     break;
+          default:          throw new AssertionError("Unknown pubsub reply type! " + reply.getType());
+        }
+      } catch (IOException e) {
+        logger.warn("***** PubSub Connection Error *****", e);
+        if (running) {
+          this.pubSubConnection.close();
+          this.pubSubConnection = redisPubSubConnectionFactory.connect();
+          resubscribeAll();
+        }
+      }
+    }
+
+    logger.warn("DispatchManager Shutting Down...");
+  }
+
+  private void dispatchSubscribe(final PubSubReply reply) {
+    Optional<DispatchChannel> subscription = Optional.ofNullable(subscriptions.get(reply.getChannel()));
+
+    if (subscription.isPresent()) {
+      dispatchSubscription(reply.getChannel(), subscription.get());
+    } else {
+      logger.info("Received subscribe event for non-existing channel: " + reply.getChannel());
+    }
+  }
+
+  private void dispatchMessage(PubSubReply reply) {
+    Optional<DispatchChannel> subscription = Optional.ofNullable(subscriptions.get(reply.getChannel()));
+
+    if (subscription.isPresent()) {
+      dispatchMessage(reply.getChannel(), subscription.get(), reply.getContent().get());
+    } else if (deadLetterChannel.isPresent()) {
+      dispatchMessage(reply.getChannel(), deadLetterChannel.get(), reply.getContent().get());
+    } else {
+      logger.warn("Received message for non-existing channel, with no dead letter handler: " + reply.getChannel());
+    }
+  }
+
+  private void resubscribeAll() {
+    new Thread(() -> {
+      synchronized (DispatchManager.this) {
+        try {
+          for (String name : subscriptions.keySet()) {
+            pubSubConnection.subscribe(name);
+          }
+        } catch (IOException e) {
+          logger.warn("***** RESUBSCRIPTION ERROR *****", e);
+        }
+      }
+    }).start();
+  }
+
+  private void dispatchMessage(final String name, final DispatchChannel channel, final byte[] message) {
+    executor.execute(() -> channel.onDispatchMessage(name, message));
+  }
+
+  private void dispatchSubscription(final String name, final DispatchChannel channel) {
+    executor.execute(() -> channel.onDispatchSubscribed(name));
+  }
+
+  private void dispatchUnsubscription(final String name, final DispatchChannel channel) {
+    executor.execute(() -> channel.onDispatchUnsubscribed(name));
+  }
+}

redis-dispatch/src/main/java/org/whispersystems/dispatch/io/RedisInputStream.java

@@ -0,0 +1,68 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.dispatch.io;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+
+public class RedisInputStream {
+
+  private static final byte CR = 0x0D;
+  private static final byte LF = 0x0A;
+
+  private final InputStream inputStream;
+
+  public RedisInputStream(InputStream inputStream) {
+    this.inputStream = inputStream;
+  }
+
+  public String readLine() throws IOException {
+    ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+    boolean foundCr = false;
+
+    while (true) {
+      int character = inputStream.read();
+
+      if (character == -1) {
+        throw new IOException("Stream closed!");
+      }
+
+      baos.write(character);
+
+      if      (foundCr && character == LF) break;
+      else if (character == CR)            foundCr = true;
+      else if (foundCr)                    foundCr = false;
+    }
+
+    byte[] data = baos.toByteArray();
+    return new String(data, 0, data.length-2);
+  }
+
+  public byte[] readFully(int size) throws IOException {
+    byte[] result    = new byte[size];
+    int    offset    = 0;
+    int    remaining = result.length;
+
+    while (remaining > 0) {
+      int read = inputStream.read(result, offset, remaining);
+
+      if (read < 0) {
+        throw new IOException("Stream closed!");
+      }
+
+      offset    += read;
+      remaining -= read;
+    }
+
+    return result;
+  }
+
+  public void close() throws IOException {
+    inputStream.close();
+  }
+
+}

redis-dispatch/src/main/java/org/whispersystems/dispatch/io/RedisPubSubConnectionFactory.java

@@ -0,0 +1,13 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.dispatch.io;
+
+import org.whispersystems.dispatch.redis.PubSubConnection;
+
+public interface RedisPubSubConnectionFactory {
+
+  PubSubConnection connect();
+
+}

redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/PubSubConnection.java

@@ -0,0 +1,123 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.dispatch.redis;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.whispersystems.dispatch.io.RedisInputStream;
+import org.whispersystems.dispatch.redis.protocol.ArrayReplyHeader;
+import org.whispersystems.dispatch.redis.protocol.IntReply;
+import org.whispersystems.dispatch.redis.protocol.StringReplyHeader;
+import org.whispersystems.dispatch.util.Util;
+
+import java.io.BufferedInputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.net.Socket;
+import java.util.Arrays;
+import java.util.Optional;
+import java.util.concurrent.atomic.AtomicBoolean;
+
+public class PubSubConnection {
+
+  private final Logger logger = LoggerFactory.getLogger(PubSubConnection.class);
+
+  private static final byte[] UNSUBSCRIBE_TYPE    = {'u', 'n', 's', 'u', 'b', 's', 'c', 'r', 'i', 'b', 'e'     };
+  private static final byte[] SUBSCRIBE_TYPE      = {'s', 'u', 'b', 's', 'c', 'r', 'i', 'b', 'e'               };
+  private static final byte[] MESSAGE_TYPE        = {'m', 'e', 's', 's', 'a', 'g', 'e'                         };
+
+  private static final byte[] SUBSCRIBE_COMMAND   = {'S', 'U', 'B', 'S', 'C', 'R', 'I', 'B', 'E', ' '          };
+  private static final byte[] UNSUBSCRIBE_COMMAND = {'U', 'N', 'S', 'U', 'B', 'S', 'C', 'R', 'I', 'B', 'E', ' '};
+  private static final byte[] CRLF                = {'\r', '\n'                                                };
+
+  private final OutputStream     outputStream;
+  private final RedisInputStream inputStream;
+  private final Socket           socket;
+  private final AtomicBoolean    closed;
+
+  public PubSubConnection(Socket socket) throws IOException {
+    this.socket       = socket;
+    this.outputStream = socket.getOutputStream();
+    this.inputStream  = new RedisInputStream(new BufferedInputStream(socket.getInputStream()));
+    this.closed       = new AtomicBoolean(false);
+  }
+
+  public void subscribe(String channelName) throws IOException {
+    if (closed.get()) throw new IOException("Connection closed!");
+
+    byte[] command = Util.combine(SUBSCRIBE_COMMAND, channelName.getBytes(), CRLF);
+    outputStream.write(command);
+  }
+
+  public void unsubscribe(String channelName) throws IOException {
+    if (closed.get()) throw new IOException("Connection closed!");
+
+    byte[] command = Util.combine(UNSUBSCRIBE_COMMAND, channelName.getBytes(), CRLF);
+    outputStream.write(command);
+  }
+
+  public PubSubReply read() throws IOException {
+    if (closed.get()) throw new IOException("Connection closed!");
+
+    ArrayReplyHeader replyHeader = new ArrayReplyHeader(inputStream.readLine());
+
+    if (replyHeader.getElementCount() != 3) {
+      throw new IOException("Received array reply header with strange count: " + replyHeader.getElementCount());
+    }
+
+    StringReplyHeader replyTypeHeader = new StringReplyHeader(inputStream.readLine());
+    byte[]            replyType       = inputStream.readFully(replyTypeHeader.getStringLength());
+    inputStream.readLine();
+
+    if      (Arrays.equals(SUBSCRIBE_TYPE, replyType))   return readSubscribeReply();
+    else if (Arrays.equals(UNSUBSCRIBE_TYPE, replyType)) return readUnsubscribeReply();
+    else if (Arrays.equals(MESSAGE_TYPE, replyType))     return readMessageReply();
+    else throw new IOException("Unknown reply type: " + new String(replyType));
+  }
+
+  public void close() {
+    try {
+      this.closed.set(true);
+      this.inputStream.close();
+      this.outputStream.close();
+      this.socket.close();
+    } catch (IOException e) {
+      logger.warn("Exception while closing", e);
+    }
+  }
+
+  private PubSubReply readMessageReply() throws IOException {
+    StringReplyHeader channelNameHeader = new StringReplyHeader(inputStream.readLine());
+    byte[]            channelName       = inputStream.readFully(channelNameHeader.getStringLength());
+    inputStream.readLine();
+
+    StringReplyHeader messageHeader = new StringReplyHeader(inputStream.readLine());
+    byte[]            message       = inputStream.readFully(messageHeader.getStringLength());
+    inputStream.readLine();
+
+    return new PubSubReply(PubSubReply.Type.MESSAGE, new String(channelName), Optional.of(message));
+  }
+
+  private PubSubReply readUnsubscribeReply() throws IOException {
+    String channelName = readSubscriptionReply();
+    return new PubSubReply(PubSubReply.Type.UNSUBSCRIBE, channelName, Optional.empty());
+  }
+
+  private PubSubReply readSubscribeReply() throws IOException {
+    String channelName = readSubscriptionReply();
+    return new PubSubReply(PubSubReply.Type.SUBSCRIBE, channelName, Optional.empty());
+  }
+
+  private String readSubscriptionReply() throws IOException {
+    StringReplyHeader channelNameHeader = new StringReplyHeader(inputStream.readLine());
+    byte[]            channelName       = inputStream.readFully(channelNameHeader.getStringLength());
+    inputStream.readLine();
+
+    IntReply subscriptionCount = new IntReply(inputStream.readLine());
+
+    return new String(channelName);
+  }
+
+}

redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/PubSubReply.java

@@ -0,0 +1,40 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.dispatch.redis;
+
+import java.util.Optional;
+
+@SuppressWarnings("OptionalUsedAsFieldOrParameterType")
+public class PubSubReply {
+
+  public enum Type {
+    MESSAGE,
+    SUBSCRIBE,
+    UNSUBSCRIBE
+  }
+
+  private final Type             type;
+  private final String           channel;
+  private final Optional<byte[]> content;
+
+  public PubSubReply(Type type, String channel, Optional<byte[]> content) {
+    this.type    = type;
+    this.channel = channel;
+    this.content = content;
+  }
+
+  public Type getType() {
+    return type;
+  }
+
+  public String getChannel() {
+    return channel;
+  }
+
+  public Optional<byte[]> getContent() {
+    return content;
+  }
+
+}

redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/protocol/ArrayReplyHeader.java

@@ -0,0 +1,28 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.dispatch.redis.protocol;
+
+import java.io.IOException;
+
+public class ArrayReplyHeader {
+
+  private final int elementCount;
+
+  public ArrayReplyHeader(String header) throws IOException {
+    if (header == null || header.length() < 2 || header.charAt(0) != '*') {
+      throw new IOException("Invalid array reply header: " + header);
+    }
+
+    try {
+      this.elementCount = Integer.parseInt(header.substring(1));
+    } catch (NumberFormatException e) {
+      throw new IOException(e);
+    }
+  }
+
+  public int getElementCount() {
+    return elementCount;
+  }
+}

redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/protocol/IntReply.java

@@ -0,0 +1,28 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.dispatch.redis.protocol;
+
+import java.io.IOException;
+
+public class IntReply {
+
+  private final int value;
+
+  public IntReply(String reply) throws IOException {
+    if (reply == null || reply.length() < 2 || reply.charAt(0) != ':') {
+      throw new IOException("Invalid int reply: " + reply);
+    }
+
+    try {
+      this.value = Integer.parseInt(reply.substring(1));
+    } catch (NumberFormatException e) {
+      throw new IOException(e);
+    }
+  }
+
+  public int getValue() {
+    return value;
+  }
+}

redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/protocol/StringReplyHeader.java

@@ -0,0 +1,28 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.dispatch.redis.protocol;
+
+import java.io.IOException;
+
+public class StringReplyHeader {
+
+  private final int stringLength;
+
+  public StringReplyHeader(String header) throws IOException {
+    if (header == null || header.length() < 2 || header.charAt(0) != '$') {
+      throw new IOException("Invalid string reply header: " + header);
+    }
+
+    try {
+      this.stringLength = Integer.parseInt(header.substring(1));
+    } catch (NumberFormatException e) {
+      throw new IOException(e);
+    }
+  }
+
+  public int getStringLength() {
+    return stringLength;
+  }
+}

redis-dispatch/src/main/java/org/whispersystems/dispatch/util/Util.java

@@ -0,0 +1,40 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.dispatch.util;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+
+public class Util {
+
+  public static byte[] combine(byte[]... elements) {
+    try {
+      int sum = 0;
+
+      for (byte[] element : elements) {
+        sum += element.length;
+      }
+
+      ByteArrayOutputStream baos = new ByteArrayOutputStream(sum);
+
+      for (byte[] element : elements) {
+        baos.write(element);
+      }
+
+      return baos.toByteArray();
+    } catch (IOException e) {
+      throw new AssertionError(e);
+    }
+  }
+
+
+  public static void sleep(long millis) {
+    try {
+      Thread.sleep(millis);
+    } catch (InterruptedException e) {
+      throw new AssertionError(e);
+    }
+  }
+}

redis-dispatch/src/test/java/org/whispersystems/dispatch/DispatchManagerTest.java

@@ -0,0 +1,134 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.dispatch;
+
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.ExternalResource;
+import org.mockito.ArgumentCaptor;
+import org.mockito.invocation.InvocationOnMock;
+import org.mockito.stubbing.Answer;
+import org.whispersystems.dispatch.io.RedisPubSubConnectionFactory;
+import org.whispersystems.dispatch.redis.PubSubConnection;
+import org.whispersystems.dispatch.redis.PubSubReply;
+
+import java.io.IOException;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Optional;
+
+import static org.junit.Assert.assertArrayEquals;
+import static org.mockito.Mockito.eq;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.timeout;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+public class DispatchManagerTest {
+
+  private PubSubConnection             pubSubConnection;
+  private RedisPubSubConnectionFactory socketFactory;
+  private DispatchManager              dispatchManager;
+  private PubSubReplyInputStream       pubSubReplyInputStream;
+
+  @Rule
+  public ExternalResource resource = new ExternalResource() {
+    @Override
+    protected void before() throws Throwable {
+      pubSubConnection       = mock(PubSubConnection.class  );
+      socketFactory          = mock(RedisPubSubConnectionFactory.class);
+      pubSubReplyInputStream = new PubSubReplyInputStream();
+
+      when(socketFactory.connect()).thenReturn(pubSubConnection);
+      when(pubSubConnection.read()).thenAnswer(new Answer<PubSubReply>() {
+        @Override
+        public PubSubReply answer(InvocationOnMock invocationOnMock) throws Throwable {
+          return pubSubReplyInputStream.read();
+        }
+      });
+
+      dispatchManager = new DispatchManager(socketFactory, Optional.empty());
+      dispatchManager.start();
+    }
+
+    @Override
+    protected void after() {
+
+    }
+  };
+
+  @Test
+  public void testConnect() {
+    verify(socketFactory).connect();
+  }
+
+  @Test
+  public void testSubscribe() throws IOException {
+    DispatchChannel dispatchChannel = mock(DispatchChannel.class);
+    dispatchManager.subscribe("foo", dispatchChannel);
+    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.SUBSCRIBE, "foo", Optional.empty()));
+
+    verify(dispatchChannel, timeout(1000)).onDispatchSubscribed(eq("foo"));
+  }
+
+  @Test
+  public void testSubscribeUnsubscribe() throws IOException {
+    DispatchChannel dispatchChannel = mock(DispatchChannel.class);
+    dispatchManager.subscribe("foo", dispatchChannel);
+    dispatchManager.unsubscribe("foo", dispatchChannel);
+
+    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.SUBSCRIBE, "foo", Optional.empty()));
+    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.UNSUBSCRIBE, "foo", Optional.empty()));
+
+    verify(dispatchChannel, timeout(1000)).onDispatchUnsubscribed(eq("foo"));
+  }
+
+  @Test
+  public void testMessages() throws IOException {
+    DispatchChannel fooChannel = mock(DispatchChannel.class);
+    DispatchChannel barChannel = mock(DispatchChannel.class);
+
+    dispatchManager.subscribe("foo", fooChannel);
+    dispatchManager.subscribe("bar", barChannel);
+
+    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.SUBSCRIBE, "foo", Optional.empty()));
+    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.SUBSCRIBE, "bar", Optional.empty()));
+
+    verify(fooChannel, timeout(1000)).onDispatchSubscribed(eq("foo"));
+    verify(barChannel, timeout(1000)).onDispatchSubscribed(eq("bar"));
+
+    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.MESSAGE, "foo", Optional.of("hello".getBytes())));
+    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.MESSAGE, "bar", Optional.of("there".getBytes())));
+
+    ArgumentCaptor<byte[]> captor = ArgumentCaptor.forClass(byte[].class);
+    verify(fooChannel, timeout(1000)).onDispatchMessage(eq("foo"), captor.capture());
+
+    assertArrayEquals("hello".getBytes(), captor.getValue());
+
+    verify(barChannel, timeout(1000)).onDispatchMessage(eq("bar"), captor.capture());
+
+    assertArrayEquals("there".getBytes(), captor.getValue());
+  }
+
+  private static class PubSubReplyInputStream {
+
+    private final List<PubSubReply> pubSubReplyList = new LinkedList<>();
+
+    public synchronized PubSubReply read() {
+      try {
+        while (pubSubReplyList.isEmpty()) wait();
+        return pubSubReplyList.remove(0);
+      } catch (InterruptedException e) {
+        throw new AssertionError(e);
+      }
+    }
+
+    public synchronized void write(PubSubReply pubSubReply) {
+      pubSubReplyList.add(pubSubReply);
+      notifyAll();
+    }
+  }
+
+}

redis-dispatch/src/test/java/org/whispersystems/dispatch/redis/PubSubConnectionTest.java

@@ -0,0 +1,265 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.dispatch.redis;
+
+import static org.junit.Assert.assertArrayEquals;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyInt;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.Socket;
+import java.security.SecureRandom;
+import org.junit.Test;
+import org.mockito.ArgumentCaptor;
+import org.mockito.invocation.InvocationOnMock;
+import org.mockito.stubbing.Answer;
+
+public class PubSubConnectionTest {
+
+  private static final String REPLY = "*3\r\n" +
+      "$9\r\n" +
+      "subscribe\r\n" +
+      "$5\r\n" +
+      "abcde\r\n" +
+      ":1\r\n" +
+      "*3\r\n" +
+      "$9\r\n" +
+      "subscribe\r\n" +
+      "$5\r\n" +
+      "fghij\r\n" +
+      ":2\r\n" +
+      "*3\r\n" +
+      "$9\r\n" +
+      "subscribe\r\n" +
+      "$5\r\n" +
+      "klmno\r\n" +
+      ":2\r\n" +
+      "*3\r\n" +
+      "$7\r\n" +
+      "message\r\n" +
+      "$5\r\n" +
+      "abcde\r\n" +
+      "$10\r\n" +
+      "1234567890\r\n" +
+      "*3\r\n" +
+      "$7\r\n" +
+      "message\r\n" +
+      "$5\r\n" +
+      "klmno\r\n" +
+      "$10\r\n" +
+      "0987654321\r\n";
+
+
+  @Test
+  public void testSubscribe() throws IOException {
+//    ByteChannel      byteChannel = mock(ByteChannel.class);
+    OutputStream outputStream = mock(OutputStream.class);
+    Socket       socket       = mock(Socket.class      );
+    when(socket.getOutputStream()).thenReturn(outputStream);
+    PubSubConnection connection  = new PubSubConnection(socket);
+
+    connection.subscribe("foobar");
+
+    ArgumentCaptor<byte[]> captor = ArgumentCaptor.forClass(byte[].class);
+    verify(outputStream).write(captor.capture());
+
+    assertArrayEquals(captor.getValue(), "SUBSCRIBE foobar\r\n".getBytes());
+  }
+
+  @Test
+  public void testUnsubscribe() throws IOException {
+    OutputStream outputStream = mock(OutputStream.class);
+    Socket       socket       = mock(Socket.class      );
+    when(socket.getOutputStream()).thenReturn(outputStream);
+    PubSubConnection connection  = new PubSubConnection(socket);
+
+    connection.unsubscribe("bazbar");
+
+    ArgumentCaptor<byte[]> captor = ArgumentCaptor.forClass(byte[].class);
+    verify(outputStream).write(captor.capture());
+
+    assertArrayEquals(captor.getValue(), "UNSUBSCRIBE bazbar\r\n".getBytes());
+  }
+
+  @Test
+  public void testTricklyResponse() throws Exception {
+    InputStream  inputStream  = mockInputStreamFor(new TrickleInputStream(REPLY.getBytes()));
+    OutputStream outputStream = mock(OutputStream.class);
+    Socket       socket       = mock(Socket.class      );
+    when(socket.getOutputStream()).thenReturn(outputStream);
+    when(socket.getInputStream()).thenReturn(inputStream);
+
+    PubSubConnection pubSubConnection = new PubSubConnection(socket);
+    readResponses(pubSubConnection);
+  }
+
+  @Test
+  public void testFullResponse() throws Exception {
+    InputStream  inputStream  = mockInputStreamFor(new FullInputStream(REPLY.getBytes()));
+    OutputStream outputStream = mock(OutputStream.class);
+    Socket       socket       = mock(Socket.class      );
+    when(socket.getOutputStream()).thenReturn(outputStream);
+    when(socket.getInputStream()).thenReturn(inputStream);
+
+    PubSubConnection pubSubConnection = new PubSubConnection(socket);
+    readResponses(pubSubConnection);
+  }
+
+  @Test
+  public void testRandomLengthResponse() throws Exception {
+    InputStream  inputStream  = mockInputStreamFor(new RandomInputStream(REPLY.getBytes()));
+    OutputStream outputStream = mock(OutputStream.class);
+    Socket       socket       = mock(Socket.class      );
+    when(socket.getOutputStream()).thenReturn(outputStream);
+    when(socket.getInputStream()).thenReturn(inputStream);
+
+    PubSubConnection pubSubConnection = new PubSubConnection(socket);
+    readResponses(pubSubConnection);
+  }
+
+  private InputStream mockInputStreamFor(final MockInputStream stub) throws IOException {
+    InputStream result = mock(InputStream.class);
+
+    when(result.read()).thenAnswer(new Answer<Integer>() {
+      @Override
+      public Integer answer(InvocationOnMock invocationOnMock) throws Throwable {
+        return stub.read();
+      }
+    });
+
+    when(result.read(any(byte[].class))).thenAnswer(new Answer<Integer>() {
+      @Override
+      public Integer answer(InvocationOnMock invocationOnMock) throws Throwable {
+        byte[] buffer = (byte[])invocationOnMock.getArguments()[0];
+        return stub.read(buffer, 0, buffer.length);
+      }
+    });
+
+    when(result.read(any(byte[].class), anyInt(), anyInt())).thenAnswer(new Answer<Integer>() {
+      @Override
+      public Integer answer(InvocationOnMock invocationOnMock) throws Throwable {
+        byte[] buffer = (byte[]) invocationOnMock.getArguments()[0];
+        int offset = (int) invocationOnMock.getArguments()[1];
+        int length = (int) invocationOnMock.getArguments()[2];
+
+        return stub.read(buffer, offset, length);
+      }
+    });
+
+    return result;
+  }
+
+  private void readResponses(PubSubConnection pubSubConnection) throws Exception {
+    PubSubReply reply = pubSubConnection.read();
+
+    assertEquals(reply.getType(), PubSubReply.Type.SUBSCRIBE);
+    assertEquals(reply.getChannel(), "abcde");
+    assertFalse(reply.getContent().isPresent());
+
+    reply = pubSubConnection.read();
+
+    assertEquals(reply.getType(), PubSubReply.Type.SUBSCRIBE);
+    assertEquals(reply.getChannel(), "fghij");
+    assertFalse(reply.getContent().isPresent());
+
+    reply = pubSubConnection.read();
+
+    assertEquals(reply.getType(), PubSubReply.Type.SUBSCRIBE);
+    assertEquals(reply.getChannel(), "klmno");
+    assertFalse(reply.getContent().isPresent());
+
+    reply = pubSubConnection.read();
+
+    assertEquals(reply.getType(), PubSubReply.Type.MESSAGE);
+    assertEquals(reply.getChannel(), "abcde");
+    assertArrayEquals(reply.getContent().get(), "1234567890".getBytes());
+
+    reply = pubSubConnection.read();
+
+    assertEquals(reply.getType(), PubSubReply.Type.MESSAGE);
+    assertEquals(reply.getChannel(), "klmno");
+    assertArrayEquals(reply.getContent().get(), "0987654321".getBytes());
+  }
+
+  private interface MockInputStream {
+    public int read();
+    public int read(byte[] input, int offset, int length);
+  }
+
+  private static class TrickleInputStream implements MockInputStream {
+
+    private final byte[] data;
+    private int index = 0;
+
+    private TrickleInputStream(byte[] data) {
+      this.data = data;
+    }
+
+    public int read() {
+      return data[index++];
+    }
+
+    public int read(byte[] input, int offset, int length) {
+      input[offset] = data[index++];
+      return 1;
+    }
+
+  }
+
+  private static class FullInputStream implements MockInputStream {
+
+    private final byte[] data;
+    private int index = 0;
+
+    private FullInputStream(byte[] data) {
+      this.data = data;
+    }
+
+    public int read() {
+      return data[index++];
+    }
+
+    public int read(byte[] input, int offset, int length) {
+      int amount = Math.min(data.length - index, length);
+      System.arraycopy(data, index, input, offset, amount);
+      index += length;
+
+      return amount;
+    }
+  }
+
+  private static class RandomInputStream implements MockInputStream {
+    private final byte[] data;
+    private int index = 0;
+
+    private RandomInputStream(byte[] data) {
+      this.data = data;
+    }
+
+    public int read() {
+      return data[index++];
+    }
+
+    public int read(byte[] input, int offset, int length) {
+      int maxCopy    = Math.min(data.length - index, length);
+      int randomCopy = new SecureRandom().nextInt(maxCopy) + 1;
+      int copyAmount = Math.min(maxCopy, randomCopy);
+
+      System.arraycopy(data, index, input, offset, copyAmount);
+      index += copyAmount;
+
+      return copyAmount;
+    }
+
+  }
+
+}

redis-dispatch/src/test/java/org/whispersystems/dispatch/redis/protocol/ArrayReplyHeaderTest.java

@@ -0,0 +1,55 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.dispatch.redis.protocol;
+
+
+import org.junit.Test;
+
+import java.io.IOException;
+
+import static org.junit.Assert.assertEquals;
+
+public class ArrayReplyHeaderTest {
+
+
+  @Test(expected = IOException.class)
+  public void testNull() throws IOException {
+    new ArrayReplyHeader(null);
+  }
+
+  @Test(expected = IOException.class)
+  public void testBadPrefix() throws IOException {
+    new ArrayReplyHeader(":3");
+  }
+
+  @Test(expected = IOException.class)
+  public void testEmpty() throws IOException {
+    new ArrayReplyHeader("");
+  }
+
+  @Test(expected = IOException.class)
+  public void testTruncated() throws IOException {
+    new ArrayReplyHeader("*");
+  }
+
+  @Test(expected = IOException.class)
+  public void testBadNumber() throws IOException {
+    new ArrayReplyHeader("*ABC");
+  }
+
+  @Test
+  public void testValid() throws IOException {
+    assertEquals(4, new ArrayReplyHeader("*4").getElementCount());
+  }
+
+
+
+
+
+
+
+
+
+}

redis-dispatch/src/test/java/org/whispersystems/dispatch/redis/protocol/IntReplyHeaderTest.java

@@ -0,0 +1,39 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.dispatch.redis.protocol;
+
+import org.junit.Test;
+
+import java.io.IOException;
+
+import static org.junit.Assert.assertEquals;
+
+public class IntReplyHeaderTest {
+
+  @Test(expected = IOException.class)
+  public void testNull() throws IOException {
+    new IntReply(null);
+  }
+
+  @Test(expected = IOException.class)
+  public void testEmpty() throws IOException {
+    new IntReply("");
+  }
+
+  @Test(expected = IOException.class)
+  public void testBadNumber() throws IOException {
+    new IntReply(":A");
+  }
+
+  @Test(expected = IOException.class)
+  public void testBadFormat() throws IOException {
+    new IntReply("*");
+  }
+
+  @Test
+  public void testValid() throws IOException {
+    assertEquals(23, new IntReply(":23").getValue());
+  }
+}

redis-dispatch/src/test/java/org/whispersystems/dispatch/redis/protocol/StringReplyHeaderTest.java

@@ -0,0 +1,51 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.dispatch.redis.protocol;
+
+import org.junit.Test;
+
+import java.io.IOException;
+
+import static org.junit.Assert.assertEquals;
+
+public class StringReplyHeaderTest {
+
+  @Test
+  public void testNull() {
+    try {
+      new StringReplyHeader(null);
+      throw new AssertionError();
+    } catch (IOException e) {
+      // good
+    }
+  }
+
+  @Test
+  public void testBadNumber() {
+    try {
+      new StringReplyHeader("$100A");
+      throw new AssertionError();
+    } catch (IOException e) {
+      // good
+    }
+  }
+
+  @Test
+  public void testBadPrefix() {
+    try {
+      new StringReplyHeader("*");
+      throw new AssertionError();
+    } catch (IOException e) {
+      // good
+    }
+  }
+
+  @Test
+  public void testValid() throws IOException {
+    assertEquals(1000, new StringReplyHeader("$1000").getStringLength());
+  }
+
+
+}

service/assembly.xml

@@ -1,6 +1,6 @@
-<assembly xmlns="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.0"
+<assembly xmlns="http://maven.apache.org/ASSEMBLY/2.1.0"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-          xsi:schemaLocation="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.0 http://maven.apache.org/xsd/assembly-1.1.0.xsd">
+          xsi:schemaLocation="http://maven.apache.org/ASSEMBLY/2.1.0 http://maven.apache.org/xsd/assembly-2.1.0.xsd">
     <id>bin</id>
     <includeBaseDirectory>false</includeBaseDirectory>
     <formats>
@@ -18,8 +18,8 @@
             <directory>${project.build.directory}</directory>
             <outputDirectory>/</outputDirectory>
             <includes>
-                <include>${project.name}-${project.version}.jar</include>
+                <include>${parent.artifactId}-${project.version}.jar</include>
             </includes>
         </fileSet>
     </fileSets>
-</assembly>
+</assembly>

service/config/sample.yml

@@ -0,0 +1,265 @@
+twilio: # Twilio gateway configuration
+  accountId: 
+  accountToken: 
+  nanpaMessagingServiceSid: # Twilio SID for the messaging service to use for NANPA.
+  messagingServiceSid: # Twilio SID for the message service to use for non-NANPA.
+  verifyServiceSid: # Twilio SID for a Verify service
+  localDomain: # Domain Twilio can connect back to for calls. Should be domain of your service.
+  defaultClientVerificationTexts:
+    ios: # Text to use for the verification message on iOS. Will be passed to String.format with the verification code as argument 1.
+    androidNg: # Text to use for the verification message on android-ng client types. Will be passed to String.format with the verification code as argument 1.
+    android202001: # Text to use for the verification message on android-2020-01 client types. Will be passed to String.format with the verification code as argument 1.
+    android202103: # Text to use for the verification message on android-2021-03 client types. Will be passed to String.format with the verification code as argument 1.
+    generic: # Text to use when the client type is unrecognized. Will be passed to String.format with the verification code as argument 1.
+  regionalClientVerificationTexts: # Map of country codes to custom texts
+    999: # example country code
+      ios:
+      # … all keys from defaultClientVerificationTexts are required
+  androidAppHash: # Hash appended to Android
+  verifyServiceFriendlyName: # Service name used in template. Requires Twilio account rep to enable
+
+push:
+  queueSize: # Size of push pending queue
+
+turn: # TURN server configuration
+  secret: # TURN server secret
+  uris:
+    - stun:yourdomain:80
+    - stun:yourdomain.com:443
+    - turn:yourdomain:443?transport=udp
+    - turn:etc.com:80?transport=udp
+
+cacheCluster: # Redis server configuration for cache cluster
+  urls:
+    - redis://redis.example.com:6379/
+
+clientPresenceCluster: # Redis server configuration for client presence cluster
+  urls:
+    - redis://redis.example.com:6379/
+
+pubsub: # Redis server configuration for pubsub cluster
+  url: redis://redis.example.com:6379/
+  replicaUrls:
+    - redis://redis.example.com:6379/
+
+pushSchedulerCluster: # Redis server configuration for push scheduler cluster
+  urls:
+    - redis://redis.example.com:6379/
+
+rateLimitersCluster: # Redis server configuration for rate limiters cluster
+  urls:
+    - redis://redis.example.com:6379/
+
+directory:
+  client: # Configuration for interfacing with Contact Discovery Service cluster
+    userAuthenticationTokenSharedSecret: # hex-encoded secret shared with CDS used to generate auth tokens for Signal users
+    userAuthenticationTokenUserIdSecret: # hex-encoded secret shared among Signal-Servers to obscure user phone numbers from CDS
+  sqs:
+    accessKey:      # AWS SQS accessKey
+    accessSecret:   # AWS SQS accessSecret
+    queueUrls:      # AWS SQS queue urls
+      - https://sqs.example.com/directory.fifo
+  server: # One or more CDS servers
+    - replicationName:               # CDS replication name
+      replicationUrl:                # CDS replication endpoint base url
+      replicationPassword:           # CDS replication endpoint password
+      replicationCaCertificate:      # CDS replication endpoint TLS certificate trust root
+
+messageCache: # Redis server configuration for message store cache
+  persistDelayMinutes:
+
+  cluster:
+    urls:
+      - redis://redis.example.com:6379/
+
+metricsCluster:
+  urls:
+    - redis://redis.example.com:6379/
+
+messageDynamoDb: # DynamoDB table configuration
+  region:
+  tableName:
+
+keysDynamoDb: # DynamoDB table configuration
+  region:
+  tableName:
+
+accountsDynamoDb: # DynamoDB table configuration
+  region:
+  tableName:
+  phoneNumberTableName:
+
+deletedAccountsDynamoDb: # DynamoDb table configuration
+  region:
+  tableName:
+  needsReconciliationIndexName:
+
+deletedAccountsLockDynamoDb: # DynamoDb table configuration
+  region:
+  tableName:
+
+migrationDeletedAccountsDynamoDb: # DynamoDB table configuration
+  region:
+  tableName:
+
+migrationRetryAccountsDynamoDb: # DynamoDB table configuration
+  region:
+  tableName:
+
+pendingAccountsDynamoDb: # DynamoDB table configuration
+  region:
+  tableName:
+
+pendingDevicesDynamoDb: # DynamoDB table configuration
+  region:
+  tableName:
+
+pushChallengeDynamoDb: # DynamoDB table configuration
+  region:
+  tableName:
+
+reportMessageDynamoDb: # DynamoDB table configuration
+  region:
+  tableName:
+
+awsAttachments: # AWS S3 configuration
+  accessKey:
+  accessSecret:
+  bucket:
+  region:
+
+gcpAttachments: # GCP Storage configuration
+  domain:
+  email:
+  maxSizeInBytes:
+  pathPrefix:
+  rsaSigningKey:
+
+abuseDatabase: # Postgresql database configuration
+  driverClass: org.postgresql.Driver
+  user:
+  password:
+  url:
+
+accountsDatabase: # Postgresql database configuration
+  driverClass: org.postgresql.Driver
+  user:
+  password:
+  url:
+
+accountDatabaseCrawler:
+  chunkSize: # accounts per run
+  chunkIntervalMs: # time per run
+
+dynamoDbMigrationCrawler:
+  chunkSize: # accounts per run
+  chunkIntervalMs: # time per run
+
+apn: # Apple Push Notifications configuration
+  sandbox: true
+  bundleId:
+  keyId:
+  teamId:
+  signingKey:
+
+gcm: # GCM Configuration
+  senderId:
+  apiKey:
+
+cdn:
+  accessKey: # AWS Access Key ID
+  accessSecret: # AWS Access Secret
+  bucket: # S3 Bucket name
+  region: # AWS region
+
+datadog:
+  apiKey:
+  environment:
+
+unidentifiedDelivery:
+  certificate:
+  privateKey:
+  expiresDays:
+
+voiceVerification:
+  url: https://cdn-ca.signal.org/verification/
+  locales:
+    - en
+
+recaptcha:
+  secret:
+
+recaptchaV2:
+  siteKey:
+  scoreFloor:
+  projectPath:
+  credentialConfigurationJson:
+
+storageService:
+  uri:
+  userAuthenticationTokenSharedSecret:
+  storageCaCertificate:
+
+backupService:
+  uri:
+  userAuthenticationTokenSharedSecret:
+  backupCaCertificate:
+
+zkConfig:
+  serverPublic:
+  serverSecret:
+  enabled:
+
+appConfig:
+  application:
+  environment:
+  configuration:
+
+remoteConfig:
+  authorizedTokens:
+    - # 1st authorized token
+    - # 2nd authorized token
+    - # ...
+    - # Nth authorized token
+  globalConfig: # keys and values that are given to clients on GET /v1/config
+
+
+paymentsService:
+  userAuthenticationTokenSharedSecret: # hex-encoded 32-byte secret shared with MobileCoin services used to generate auth tokens for Signal users
+  fixerApiKey:
+  paymentCurrencies:
+    -
+
+torExitNodeList:
+  s3Region:
+  s3Bucket:
+  objectKey:
+  maxSize:
+
+asnTable:
+  s3Region:
+  s3Bucket:
+  objectKey:
+  maxSize:
+
+donation:
+  uri: # value
+  apiKey: # value
+  supportedCurrencies:
+    - # 1st supported currency
+    - # 2nd supported currency
+    - # ...
+    - # Nth supported currency
+  circuitBreaker:
+    failureRateThreshold: # value
+    ringBufferSizeInHalfOpenState: # value
+    ringBufferSizeInClosedState: # value
+    waitDurationInOpenStateInSeconds: # value
+  retry:
+    maxAttempts: # value
+    waitDuration: # value
+
+badges:
+  badges:
+    - name: TEST
+      imageUrl: https://example.com/test-badge

service/pom.xml

@@ -0,0 +1,573 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <artifactId>TextSecureServer</artifactId>
+    <groupId>org.whispersystems.textsecure</groupId>
+    <version>JGITVER</version>
+  </parent>
+  <modelVersion>4.0.0</modelVersion>
+  <artifactId>service</artifactId>
+
+  <pluginRepositories>
+    <pluginRepository>
+      <id>ossrh-snapshots</id>
+      <url>https://oss.sonatype.org/content/repositories/snapshots</url>
+      <releases>
+        <enabled>false</enabled>
+      </releases>
+      <snapshots>
+        <enabled>true</enabled>
+      </snapshots>
+    </pluginRepository>
+  </pluginRepositories>
+
+  <dependencies>
+    <dependency>
+      <groupId>jakarta.servlet</groupId>
+      <artifactId>jakarta.servlet-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>jakarta.validation</groupId>
+      <artifactId>jakarta.validation-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>jakarta.ws.rs</groupId>
+      <artifactId>jakarta.ws.rs-api</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.whispersystems.textsecure</groupId>
+      <artifactId>redis-dispatch</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.whispersystems.textsecure</groupId>
+      <artifactId>websocket-resources</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.whispersystems.textsecure</groupId>
+      <artifactId>gcm-sender-async</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.signal</groupId>
+      <artifactId>zkgroup-java</artifactId>
+      <version>0.7.0</version>
+    </dependency>
+    <dependency>
+      <groupId>org.whispersystems</groupId>
+      <artifactId>curve25519-java</artifactId>
+      <version>0.5.0</version>
+    </dependency>
+
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-core</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-jdbi3</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-auth</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-client</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-db</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-logging</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-metrics</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-util</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-servlets</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-lifecycle</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-jersey</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-jetty</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-validation</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-migrations</artifactId>
+      <scope>runtime</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>ch.qos.logback</groupId>
+      <artifactId>logback-core</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>ch.qos.logback</groupId>
+      <artifactId>logback-access</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>ch.qos.logback</groupId>
+      <artifactId>logback-classic</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>net.logstash.logback</groupId>
+      <artifactId>logstash-logback-encoder</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.jdbi</groupId>
+      <artifactId>jdbi3-core</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.liquibase</groupId>
+      <artifactId>liquibase-core</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>io.dropwizard.metrics</groupId>
+      <artifactId>metrics-core</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard.metrics</groupId>
+      <artifactId>metrics-jdbi3</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard.metrics</groupId>
+      <artifactId>metrics-healthchecks</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard.metrics</groupId>
+      <artifactId>metrics-annotation</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.glassfish.jersey.core</groupId>
+      <artifactId>jersey-common</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.glassfish.jersey.core</groupId>
+      <artifactId>jersey-server</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.glassfish.jersey.core</groupId>
+      <artifactId>jersey-client</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.glassfish.jaxb</groupId>
+      <artifactId>jaxb-runtime</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-testing</artifactId>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.eclipse.jetty.websocket</groupId>
+      <artifactId>websocket-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.eclipse.jetty</groupId>
+      <artifactId>jetty-servlets</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-lang3</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>commons-codec</groupId>
+      <artifactId>commons-codec</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-csv</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>com.google.code.findbugs</groupId>
+      <artifactId>jsr305</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>io.github.resilience4j</groupId>
+      <artifactId>resilience4j-circuitbreaker</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.github.resilience4j</groupId>
+      <artifactId>resilience4j-retry</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>io.micrometer</groupId>
+      <artifactId>micrometer-core</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.micrometer</groupId>
+      <artifactId>micrometer-registry-datadog</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.coursera</groupId>
+      <artifactId>dropwizard-metrics-datadog</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-core</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-annotations</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-databind</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.dataformat</groupId>
+      <artifactId>jackson-dataformat-yaml</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.datatype</groupId>
+      <artifactId>jackson-datatype-jsr310</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.jaxrs</groupId>
+      <artifactId>jackson-jaxrs-json-provider</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>software.amazon.awssdk</groupId>
+      <artifactId>sts</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>software.amazon.awssdk</groupId>
+      <artifactId>s3</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>software.amazon.awssdk</groupId>
+      <artifactId>sqs</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>software.amazon.awssdk</groupId>
+      <artifactId>dynamodb</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>software.amazon.awssdk</groupId>
+      <artifactId>appconfig</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.amazonaws</groupId>
+      <artifactId>aws-java-sdk-core</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.amazonaws</groupId>
+      <artifactId>aws-java-sdk-s3</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.amazonaws</groupId>
+      <artifactId>dynamodb-lock-client</artifactId>
+      <version>1.1.0</version>
+      <exclusions>
+        <exclusion>
+          <groupId>commons-logging</groupId>
+          <artifactId>commons-logging</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+
+    <dependency>
+      <groupId>redis.clients</groupId>
+      <artifactId>jedis</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>io.lettuce</groupId>
+      <artifactId>lettuce-core</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.postgresql</groupId>
+      <artifactId>postgresql</artifactId>
+      <scope>runtime</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>com.eatthepath</groupId>
+      <artifactId>pushy</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.eatthepath</groupId>
+      <artifactId>pushy-dropwizard-metrics-listener</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-tcnative-boringssl-static</artifactId>
+      <scope>runtime</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>com.vdurmont</groupId>
+      <artifactId>semver4j</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>com.google.guava</groupId>
+      <artifactId>guava</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>com.google.protobuf</groupId>
+      <artifactId>protobuf-java</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>com.googlecode.libphonenumber</groupId>
+      <artifactId>libphonenumber</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>net.sourceforge.argparse4j</groupId>
+      <artifactId>argparse4j</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.glassfish.jersey.test-framework</groupId>
+      <artifactId>jersey-test-framework-core</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.glassfish.jersey.test-framework.providers</groupId>
+      <artifactId>jersey-test-framework-provider-grizzly2</artifactId>
+      <scope>test</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>javax.servlet</groupId>
+          <artifactId>javax.servlet-api</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>junit</groupId>
+          <artifactId>junit</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+
+    <dependency>
+      <groupId>com.opentable.components</groupId>
+      <artifactId>otj-pg-embedded</artifactId>
+      <version>0.13.3</version>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>com.almworks.sqlite4java</groupId>
+      <artifactId>sqlite4java</artifactId>
+      <version>1.0.392</version>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>io.projectreactor</groupId>
+      <artifactId>reactor-core</artifactId>
+      <version>3.3.16.RELEASE</version>
+    </dependency>
+
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter-api</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter-params</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.junit.vintage</groupId>
+      <artifactId>junit-vintage-engine</artifactId>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.signal</groupId>
+      <artifactId>embedded-redis</artifactId>
+      <version>0.8.1</version>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>com.fasterxml.uuid</groupId>
+      <artifactId>java-uuid-generator</artifactId>
+      <version>3.2.0</version>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>com.amazonaws</groupId>
+      <artifactId>DynamoDBLocal</artifactId>
+      <version>1.16.0</version>
+      <scope>test</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>org.antlr</groupId>
+          <artifactId>antlr4-runtime</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+
+    <dependency>
+      <groupId>com.google.cloud</groupId>
+      <artifactId>google-cloud-recaptchaenterprise</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>pl.pragmatists</groupId>
+      <artifactId>JUnitParams</artifactId>
+      <version>1.1.1</version>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+
+  <build>
+    <finalName>${project.parent.artifactId}-${project.version}</finalName>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-shade-plugin</artifactId>
+        <version>3.2.4</version>
+        <configuration>
+          <createDependencyReducedPom>true</createDependencyReducedPom>
+          <filters>
+            <filter>
+              <artifact>*:*</artifact>
+              <excludes>
+                <exclude>META-INF/*.SF</exclude>
+                <exclude>META-INF/*.DSA</exclude>
+                <exclude>META-INF/*.RSA</exclude>
+              </excludes>
+            </filter>
+          </filters>
+        </configuration>
+        <executions>
+          <execution>
+            <phase>package</phase>
+            <goals>
+              <goal>shade</goal>
+            </goals>
+            <configuration>
+              <transformers>
+                <transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer"/>
+                <transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
+                  <mainClass>org.whispersystems.textsecuregcm.WhisperServerService</mainClass>
+                </transformer>
+              </transformers>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-assembly-plugin</artifactId>
+        <version>3.3.0</version>
+        <configuration>
+          <descriptors>
+            <descriptor>assembly.xml</descriptor>
+          </descriptors>
+        </configuration>
+        <executions>
+          <execution>
+            <id>make-assembly</id> <!-- this is used for inheritance merges -->
+            <phase>package</phase> <!-- bind to the packaging phase -->
+            <goals>
+              <goal>single</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+
+      <plugin>
+        <groupId>org.codehaus.mojo</groupId>
+        <artifactId>properties-maven-plugin</artifactId>
+        <version>1.0.0</version>
+        <executions>
+          <execution>
+            <id>read-deploy-configuration</id>
+            <phase>deploy</phase>
+            <goals>
+              <goal>read-project-properties</goal>
+            </goals>
+            <configuration>
+              <files>${project.basedir}/config/deploy.properties</files>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+
+      <plugin>
+        <groupId>org.signal</groupId>
+        <artifactId>s3-upload-maven-plugin</artifactId>
+        <version>1.6-SNAPSHOT</version>
+        <configuration>
+          <source>${project.build.directory}/${project.build.finalName}-bin.tar.gz</source>
+          <bucketName>${deploy.bucketName}</bucketName>
+          <region>${deploy.bucketRegion}</region>
+          <destination>${project.build.finalName}-bin.tar.gz</destination>
+        </configuration>
+        <executions>
+          <execution>
+            <id>deploy-to-s3</id>
+            <phase>deploy</phase>
+            <goals>
+              <goal>s3-upload</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+
+      <plugin>
+        <groupId>org.codehaus.mojo</groupId>
+        <artifactId>templating-maven-plugin</artifactId>
+        <version>1.0.0</version>
+        <executions>
+          <execution>
+            <id>filter-src</id>
+            <goals>
+              <goal>filter-sources</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+    </plugins>
+  </build>
+</project>

service/src/main/java-templates/org/whispersystems/textsecuregcm/WhisperServerVersion.java

@@ -0,0 +1,15 @@
+/*
+ * Copyright 2013-2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm;
+
+public class WhisperServerVersion {
+
+  private static final String VERSION = "${project.version}";
+
+  public static String getServerVersion() {
+    return VERSION;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerConfiguration.java

@@ -0,0 +1,544 @@
+/*
+ * Copyright 2013-2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.textsecuregcm;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import io.dropwizard.Configuration;
+import io.dropwizard.client.JerseyClientConfiguration;
+import java.util.HashMap;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+import javax.validation.Valid;
+import javax.validation.constraints.NotNull;
+import org.whispersystems.textsecuregcm.configuration.AccountDatabaseCrawlerConfiguration;
+import org.whispersystems.textsecuregcm.configuration.AccountsDatabaseConfiguration;
+import org.whispersystems.textsecuregcm.configuration.AccountsDynamoDbConfiguration;
+import org.whispersystems.textsecuregcm.configuration.ApnConfiguration;
+import org.whispersystems.textsecuregcm.configuration.AppConfigConfiguration;
+import org.whispersystems.textsecuregcm.configuration.AwsAttachmentsConfiguration;
+import org.whispersystems.textsecuregcm.configuration.BadgesConfiguration;
+import org.whispersystems.textsecuregcm.configuration.CdnConfiguration;
+import org.whispersystems.textsecuregcm.configuration.DatabaseConfiguration;
+import org.whispersystems.textsecuregcm.configuration.DatadogConfiguration;
+import org.whispersystems.textsecuregcm.configuration.DeletedAccountsDynamoDbConfiguration;
+import org.whispersystems.textsecuregcm.configuration.DirectoryConfiguration;
+import org.whispersystems.textsecuregcm.configuration.DonationConfiguration;
+import org.whispersystems.textsecuregcm.configuration.DynamoDbConfiguration;
+import org.whispersystems.textsecuregcm.configuration.GcmConfiguration;
+import org.whispersystems.textsecuregcm.configuration.GcpAttachmentsConfiguration;
+import org.whispersystems.textsecuregcm.configuration.MaxDeviceConfiguration;
+import org.whispersystems.textsecuregcm.configuration.MessageCacheConfiguration;
+import org.whispersystems.textsecuregcm.configuration.MessageDynamoDbConfiguration;
+import org.whispersystems.textsecuregcm.configuration.MonitoredS3ObjectConfiguration;
+import org.whispersystems.textsecuregcm.configuration.PaymentsServiceConfiguration;
+import org.whispersystems.textsecuregcm.configuration.PushConfiguration;
+import org.whispersystems.textsecuregcm.configuration.RateLimitsConfiguration;
+import org.whispersystems.textsecuregcm.configuration.RecaptchaConfiguration;
+import org.whispersystems.textsecuregcm.configuration.RecaptchaV2Configuration;
+import org.whispersystems.textsecuregcm.configuration.RedisClusterConfiguration;
+import org.whispersystems.textsecuregcm.configuration.RedisConfiguration;
+import org.whispersystems.textsecuregcm.configuration.RemoteConfigConfiguration;
+import org.whispersystems.textsecuregcm.configuration.SecureBackupServiceConfiguration;
+import org.whispersystems.textsecuregcm.configuration.SecureStorageServiceConfiguration;
+import org.whispersystems.textsecuregcm.configuration.TestDeviceConfiguration;
+import org.whispersystems.textsecuregcm.configuration.TurnConfiguration;
+import org.whispersystems.textsecuregcm.configuration.TwilioConfiguration;
+import org.whispersystems.textsecuregcm.configuration.UnidentifiedDeliveryConfiguration;
+import org.whispersystems.textsecuregcm.configuration.VoiceVerificationConfiguration;
+import org.whispersystems.textsecuregcm.configuration.ZkConfig;
+import org.whispersystems.websocket.configuration.WebSocketConfiguration;
+
+/** @noinspection MismatchedQueryAndUpdateOfCollection, WeakerAccess */
+public class WhisperServerConfiguration extends Configuration {
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  private TwilioConfiguration twilio;
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  private PushConfiguration push;
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  private AwsAttachmentsConfiguration awsAttachments;
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  private GcpAttachmentsConfiguration gcpAttachments;
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  private CdnConfiguration cdn;
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  private DatadogConfiguration datadog;
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  private RedisClusterConfiguration cacheCluster;
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  private RedisConfiguration pubsub;
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  private RedisClusterConfiguration metricsCluster;
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  private DirectoryConfiguration directory;
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  private AccountDatabaseCrawlerConfiguration accountDatabaseCrawler;
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  private AccountDatabaseCrawlerConfiguration dynamoDbMigrationCrawler;
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  private RedisClusterConfiguration pushSchedulerCluster;
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  private RedisClusterConfiguration rateLimitersCluster;
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  private MessageCacheConfiguration messageCache;
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  private RedisClusterConfiguration clientPresenceCluster;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private MessageDynamoDbConfiguration messageDynamoDb;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private DynamoDbConfiguration keysDynamoDb;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private AccountsDynamoDbConfiguration accountsDynamoDb;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private DynamoDbConfiguration migrationDeletedAccountsDynamoDb;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private DynamoDbConfiguration migrationMismatchedAccountsDynamoDb;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private DynamoDbConfiguration migrationRetryAccountsDynamoDb;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private DeletedAccountsDynamoDbConfiguration deletedAccountsDynamoDb;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private DynamoDbConfiguration deletedAccountsLockDynamoDb;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private DynamoDbConfiguration pushChallengeDynamoDb;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private DynamoDbConfiguration reportMessageDynamoDb;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private DynamoDbConfiguration pendingAccountsDynamoDb;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private DynamoDbConfiguration pendingDevicesDynamoDb;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private DatabaseConfiguration abuseDatabase;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private List<TestDeviceConfiguration> testDevices = new LinkedList<>();
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private List<MaxDeviceConfiguration> maxDevices = new LinkedList<>();
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private AccountsDatabaseConfiguration accountsDatabase;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private RateLimitsConfiguration limits = new RateLimitsConfiguration();
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private JerseyClientConfiguration httpClient = new JerseyClientConfiguration();
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private WebSocketConfiguration webSocket = new WebSocketConfiguration();
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private TurnConfiguration turn;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private GcmConfiguration gcm;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private ApnConfiguration apn;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private UnidentifiedDeliveryConfiguration unidentifiedDelivery;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private VoiceVerificationConfiguration voiceVerification;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private RecaptchaConfiguration recaptcha;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private RecaptchaV2Configuration recaptchaV2;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private SecureStorageServiceConfiguration storageService;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private SecureBackupServiceConfiguration backupService;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private PaymentsServiceConfiguration paymentsService;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private ZkConfig zkConfig;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private RemoteConfigConfiguration remoteConfig;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private AppConfigConfiguration appConfig;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private MonitoredS3ObjectConfiguration torExitNodeList;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private MonitoredS3ObjectConfiguration asnTable;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private DonationConfiguration donation;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private BadgesConfiguration badges;
+
+  private Map<String, String> transparentDataIndex = new HashMap<>();
+
+  public RecaptchaConfiguration getRecaptchaConfiguration() {
+    return recaptcha;
+  }
+
+  public RecaptchaV2Configuration getRecaptchaV2Configuration() {
+    return recaptchaV2;
+  }
+
+  public VoiceVerificationConfiguration getVoiceVerificationConfiguration() {
+    return voiceVerification;
+  }
+
+  public WebSocketConfiguration getWebSocketConfiguration() {
+    return webSocket;
+  }
+
+  public TwilioConfiguration getTwilioConfiguration() {
+    return twilio;
+  }
+
+  public PushConfiguration getPushConfiguration() {
+    return push;
+  }
+
+  public JerseyClientConfiguration getJerseyClientConfiguration() {
+    return httpClient;
+  }
+
+  public AwsAttachmentsConfiguration getAwsAttachmentsConfiguration() {
+    return awsAttachments;
+  }
+
+  public GcpAttachmentsConfiguration getGcpAttachmentsConfiguration() {
+    return gcpAttachments;
+  }
+
+  public RedisClusterConfiguration getCacheClusterConfiguration() {
+    return cacheCluster;
+  }
+
+  public RedisConfiguration getPubsubCacheConfiguration() {
+    return pubsub;
+  }
+
+  public RedisClusterConfiguration getMetricsClusterConfiguration() {
+    return metricsCluster;
+  }
+
+  public DirectoryConfiguration getDirectoryConfiguration() {
+    return directory;
+  }
+
+  public SecureStorageServiceConfiguration getSecureStorageServiceConfiguration() {
+    return storageService;
+  }
+
+  public AccountDatabaseCrawlerConfiguration getAccountDatabaseCrawlerConfiguration() {
+    return accountDatabaseCrawler;
+  }
+
+  public AccountDatabaseCrawlerConfiguration getDynamoDbMigrationCrawlerConfiguration() {
+    return dynamoDbMigrationCrawler;
+  }
+
+  public MessageCacheConfiguration getMessageCacheConfiguration() {
+    return messageCache;
+  }
+
+  public RedisClusterConfiguration getClientPresenceClusterConfiguration() {
+    return clientPresenceCluster;
+  }
+
+  public RedisClusterConfiguration getPushSchedulerCluster() {
+    return pushSchedulerCluster;
+  }
+
+  public RedisClusterConfiguration getRateLimitersCluster() {
+    return rateLimitersCluster;
+  }
+
+  public MessageDynamoDbConfiguration getMessageDynamoDbConfiguration() {
+    return messageDynamoDb;
+  }
+
+  public DynamoDbConfiguration getKeysDynamoDbConfiguration() {
+    return keysDynamoDb;
+  }
+
+  public AccountsDynamoDbConfiguration getAccountsDynamoDbConfiguration() {
+    return accountsDynamoDb;
+  }
+
+  public DynamoDbConfiguration getMigrationDeletedAccountsDynamoDbConfiguration() {
+    return migrationDeletedAccountsDynamoDb;
+  }
+
+  public DynamoDbConfiguration getMigrationMismatchedAccountsDynamoDbConfiguration() {
+    return migrationMismatchedAccountsDynamoDb;
+  }
+
+  public DynamoDbConfiguration getMigrationRetryAccountsDynamoDbConfiguration() {
+    return migrationRetryAccountsDynamoDb;
+  }
+
+  public DeletedAccountsDynamoDbConfiguration getDeletedAccountsDynamoDbConfiguration() {
+    return deletedAccountsDynamoDb;
+  }
+
+  public DynamoDbConfiguration getDeletedAccountsLockDynamoDbConfiguration() {
+    return deletedAccountsLockDynamoDb;
+  }
+
+  public DatabaseConfiguration getAbuseDatabaseConfiguration() {
+    return abuseDatabase;
+  }
+
+  public AccountsDatabaseConfiguration getAccountsDatabaseConfiguration() {
+    return accountsDatabase;
+  }
+
+  public RateLimitsConfiguration getLimitsConfiguration() {
+    return limits;
+  }
+
+  public TurnConfiguration getTurnConfiguration() {
+    return turn;
+  }
+
+  public GcmConfiguration getGcmConfiguration() {
+    return gcm;
+  }
+
+  public ApnConfiguration getApnConfiguration() {
+    return apn;
+  }
+
+  public CdnConfiguration getCdnConfiguration() {
+    return cdn;
+  }
+
+  public DatadogConfiguration getDatadogConfiguration() {
+    return datadog;
+  }
+
+  public UnidentifiedDeliveryConfiguration getDeliveryCertificate() {
+    return unidentifiedDelivery;
+  }
+
+  public Map<String, Integer> getTestDevices() {
+    Map<String, Integer> results = new HashMap<>();
+
+    for (TestDeviceConfiguration testDeviceConfiguration : testDevices) {
+      results.put(testDeviceConfiguration.getNumber(),
+                  testDeviceConfiguration.getCode());
+    }
+
+    return results;
+  }
+
+  public Map<String, Integer> getMaxDevices() {
+    Map<String, Integer> results = new HashMap<>();
+
+    for (MaxDeviceConfiguration maxDeviceConfiguration : maxDevices) {
+      results.put(maxDeviceConfiguration.getNumber(),
+                  maxDeviceConfiguration.getCount());
+    }
+
+    return results;
+  }
+
+  public Map<String, String> getTransparentDataIndex() {
+    return transparentDataIndex;
+  }
+
+  public SecureBackupServiceConfiguration getSecureBackupServiceConfiguration() {
+    return backupService;
+  }
+
+  public PaymentsServiceConfiguration getPaymentsServiceConfiguration() {
+    return paymentsService;
+  }
+
+  public ZkConfig getZkConfig() {
+    return zkConfig;
+  }
+
+  public RemoteConfigConfiguration getRemoteConfigConfiguration() {
+    return remoteConfig;
+  }
+
+  public AppConfigConfiguration getAppConfig() {
+    return appConfig;
+  }
+
+  public DynamoDbConfiguration getPushChallengeDynamoDbConfiguration() {
+    return pushChallengeDynamoDb;
+  }
+
+  public DynamoDbConfiguration getReportMessageDynamoDbConfiguration() {
+    return reportMessageDynamoDb;
+  }
+
+  public DynamoDbConfiguration getPendingAccountsDynamoDbConfiguration() {
+    return pendingAccountsDynamoDb;
+  }
+
+  public DynamoDbConfiguration getPendingDevicesDynamoDbConfiguration() {
+    return pendingDevicesDynamoDb;
+  }
+
+  public MonitoredS3ObjectConfiguration getTorExitNodeListConfiguration() {
+    return torExitNodeList;
+  }
+
+  public MonitoredS3ObjectConfiguration getAsnTableConfiguration() {
+    return asnTable;
+  }
+
+  public DonationConfiguration getDonationConfiguration() {
+    return donation;
+  }
+
+  public BadgesConfiguration getBadges() {
+    return badges;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java

@@ -0,0 +1,760 @@
+/*
+ * Copyright 2013-2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.textsecuregcm;
+
+import static com.codahale.metrics.MetricRegistry.name;
+
+import com.amazonaws.ClientConfiguration;
+import com.amazonaws.auth.InstanceProfileCredentialsProvider;
+import com.amazonaws.services.dynamodbv2.AmazonDynamoDB;
+import com.amazonaws.services.dynamodbv2.AmazonDynamoDBClientBuilder;
+import com.codahale.metrics.SharedMetricRegistries;
+import com.codahale.metrics.jdbi3.strategies.DefaultNameStrategy;
+import com.fasterxml.jackson.annotation.JsonAutoDetect;
+import com.fasterxml.jackson.annotation.PropertyAccessor;
+import com.fasterxml.jackson.databind.DeserializationFeature;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
+import io.dropwizard.Application;
+import io.dropwizard.auth.AuthFilter;
+import io.dropwizard.auth.PolymorphicAuthDynamicFeature;
+import io.dropwizard.auth.PolymorphicAuthValueFactoryProvider;
+import io.dropwizard.auth.basic.BasicCredentialAuthFilter;
+import io.dropwizard.auth.basic.BasicCredentials;
+import io.dropwizard.db.DataSourceFactory;
+import io.dropwizard.db.PooledDataSourceFactory;
+import io.dropwizard.jdbi3.JdbiFactory;
+import io.dropwizard.setup.Bootstrap;
+import io.dropwizard.setup.Environment;
+import io.lettuce.core.resource.ClientResources;
+import io.micrometer.core.instrument.Clock;
+import io.micrometer.core.instrument.Meter.Id;
+import io.micrometer.core.instrument.Metrics;
+import io.micrometer.core.instrument.Tags;
+import io.micrometer.core.instrument.config.MeterFilter;
+import io.micrometer.core.instrument.distribution.DistributionStatisticConfig;
+import io.micrometer.datadog.DatadogMeterRegistry;
+import java.net.http.HttpClient;
+import java.time.Duration;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.EnumSet;
+import java.util.List;
+import java.util.Optional;
+import java.util.concurrent.ArrayBlockingQueue;
+import java.util.concurrent.BlockingQueue;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.LinkedBlockingDeque;
+import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.ThreadPoolExecutor;
+import java.util.concurrent.TimeUnit;
+import javax.servlet.DispatcherType;
+import javax.servlet.FilterRegistration;
+import javax.servlet.ServletRegistration;
+import org.eclipse.jetty.servlets.CrossOriginFilter;
+import org.jdbi.v3.core.Jdbi;
+import org.signal.zkgroup.ServerSecretParams;
+import org.signal.zkgroup.auth.ServerZkAuthOperations;
+import org.signal.zkgroup.profiles.ServerZkProfileOperations;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.whispersystems.dispatch.DispatchManager;
+import org.whispersystems.textsecuregcm.auth.AccountAuthenticator;
+import org.whispersystems.textsecuregcm.auth.AuthEnablementApplicationEventListener;
+import org.whispersystems.textsecuregcm.auth.AuthenticatedAccount;
+import org.whispersystems.textsecuregcm.auth.CertificateGenerator;
+import org.whispersystems.textsecuregcm.auth.DisabledPermittedAccountAuthenticator;
+import org.whispersystems.textsecuregcm.auth.DisabledPermittedAuthenticatedAccount;
+import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentialGenerator;
+import org.whispersystems.textsecuregcm.auth.TurnTokenGenerator;
+import org.whispersystems.textsecuregcm.badges.ProfileBadgeConverter;
+import org.whispersystems.textsecuregcm.configuration.DirectoryServerConfiguration;
+import org.whispersystems.textsecuregcm.controllers.AccountController;
+import org.whispersystems.textsecuregcm.controllers.AttachmentControllerV1;
+import org.whispersystems.textsecuregcm.controllers.AttachmentControllerV2;
+import org.whispersystems.textsecuregcm.controllers.AttachmentControllerV3;
+import org.whispersystems.textsecuregcm.controllers.CertificateController;
+import org.whispersystems.textsecuregcm.controllers.ChallengeController;
+import org.whispersystems.textsecuregcm.controllers.DeviceController;
+import org.whispersystems.textsecuregcm.controllers.DirectoryController;
+import org.whispersystems.textsecuregcm.controllers.DonationController;
+import org.whispersystems.textsecuregcm.controllers.KeepAliveController;
+import org.whispersystems.textsecuregcm.controllers.KeysController;
+import org.whispersystems.textsecuregcm.controllers.MessageController;
+import org.whispersystems.textsecuregcm.controllers.PaymentsController;
+import org.whispersystems.textsecuregcm.controllers.ProfileController;
+import org.whispersystems.textsecuregcm.controllers.ProvisioningController;
+import org.whispersystems.textsecuregcm.controllers.RemoteConfigController;
+import org.whispersystems.textsecuregcm.controllers.SecureBackupController;
+import org.whispersystems.textsecuregcm.controllers.SecureStorageController;
+import org.whispersystems.textsecuregcm.controllers.StickerController;
+import org.whispersystems.textsecuregcm.controllers.VoiceVerificationController;
+import org.whispersystems.textsecuregcm.currency.CurrencyConversionManager;
+import org.whispersystems.textsecuregcm.currency.FixerClient;
+import org.whispersystems.textsecuregcm.currency.FtxClient;
+import org.whispersystems.textsecuregcm.experiment.ExperimentEnrollmentManager;
+import org.whispersystems.textsecuregcm.filters.ContentLengthFilter;
+import org.whispersystems.textsecuregcm.filters.RemoteDeprecationFilter;
+import org.whispersystems.textsecuregcm.filters.TimestampResponseFilter;
+import org.whispersystems.textsecuregcm.limits.PreKeyRateLimiter;
+import org.whispersystems.textsecuregcm.limits.PushChallengeManager;
+import org.whispersystems.textsecuregcm.limits.RateLimitChallengeManager;
+import org.whispersystems.textsecuregcm.limits.RateLimitResetMetricsManager;
+import org.whispersystems.textsecuregcm.limits.RateLimiters;
+import org.whispersystems.textsecuregcm.limits.UnsealedSenderRateLimiter;
+import org.whispersystems.textsecuregcm.liquibase.NameableMigrationsBundle;
+import org.whispersystems.textsecuregcm.mappers.DeviceLimitExceededExceptionMapper;
+import org.whispersystems.textsecuregcm.mappers.IOExceptionMapper;
+import org.whispersystems.textsecuregcm.mappers.InvalidWebsocketAddressExceptionMapper;
+import org.whispersystems.textsecuregcm.mappers.RateLimitChallengeExceptionMapper;
+import org.whispersystems.textsecuregcm.mappers.RateLimitExceededExceptionMapper;
+import org.whispersystems.textsecuregcm.mappers.RetryLaterExceptionMapper;
+import org.whispersystems.textsecuregcm.mappers.ServerRejectedExceptionMapper;
+import org.whispersystems.textsecuregcm.metrics.ApplicationShutdownMonitor;
+import org.whispersystems.textsecuregcm.metrics.BufferPoolGauges;
+import org.whispersystems.textsecuregcm.metrics.CpuUsageGauge;
+import org.whispersystems.textsecuregcm.metrics.FileDescriptorGauge;
+import org.whispersystems.textsecuregcm.metrics.FreeMemoryGauge;
+import org.whispersystems.textsecuregcm.metrics.GarbageCollectionGauges;
+import org.whispersystems.textsecuregcm.metrics.MaxFileDescriptorGauge;
+import org.whispersystems.textsecuregcm.metrics.MetricsApplicationEventListener;
+import org.whispersystems.textsecuregcm.metrics.MetricsRequestEventListener;
+import org.whispersystems.textsecuregcm.metrics.NetworkReceivedGauge;
+import org.whispersystems.textsecuregcm.metrics.NetworkSentGauge;
+import org.whispersystems.textsecuregcm.metrics.OperatingSystemMemoryGauge;
+import org.whispersystems.textsecuregcm.metrics.PushLatencyManager;
+import org.whispersystems.textsecuregcm.metrics.TrafficSource;
+import org.whispersystems.textsecuregcm.providers.MultiRecipientMessageProvider;
+import org.whispersystems.textsecuregcm.providers.RedisClientFactory;
+import org.whispersystems.textsecuregcm.providers.RedisClusterHealthCheck;
+import org.whispersystems.textsecuregcm.push.APNSender;
+import org.whispersystems.textsecuregcm.push.ApnFallbackManager;
+import org.whispersystems.textsecuregcm.push.ClientPresenceManager;
+import org.whispersystems.textsecuregcm.push.GCMSender;
+import org.whispersystems.textsecuregcm.push.MessageSender;
+import org.whispersystems.textsecuregcm.push.ProvisioningManager;
+import org.whispersystems.textsecuregcm.push.ReceiptSender;
+import org.whispersystems.textsecuregcm.recaptcha.EnterpriseRecaptchaClient;
+import org.whispersystems.textsecuregcm.recaptcha.LegacyRecaptchaClient;
+import org.whispersystems.textsecuregcm.recaptcha.TransitionalRecaptchaClient;
+import org.whispersystems.textsecuregcm.redis.ConnectionEventLogger;
+import org.whispersystems.textsecuregcm.redis.FaultTolerantRedisCluster;
+import org.whispersystems.textsecuregcm.redis.ReplicatedJedisPool;
+import org.whispersystems.textsecuregcm.s3.PolicySigner;
+import org.whispersystems.textsecuregcm.s3.PostPolicyGenerator;
+import org.whispersystems.textsecuregcm.securebackup.SecureBackupClient;
+import org.whispersystems.textsecuregcm.securestorage.SecureStorageClient;
+import org.whispersystems.textsecuregcm.sms.SmsSender;
+import org.whispersystems.textsecuregcm.sms.TwilioSmsSender;
+import org.whispersystems.textsecuregcm.sms.TwilioVerifyExperimentEnrollmentManager;
+import org.whispersystems.textsecuregcm.sqs.DirectoryQueue;
+import org.whispersystems.textsecuregcm.storage.AbusiveHostRules;
+import org.whispersystems.textsecuregcm.storage.AccountCleaner;
+import org.whispersystems.textsecuregcm.storage.AccountDatabaseCrawler;
+import org.whispersystems.textsecuregcm.storage.AccountDatabaseCrawlerCache;
+import org.whispersystems.textsecuregcm.storage.AccountDatabaseCrawlerListener;
+import org.whispersystems.textsecuregcm.storage.Accounts;
+import org.whispersystems.textsecuregcm.storage.AccountsDynamoDb;
+import org.whispersystems.textsecuregcm.storage.AccountsDynamoDbMigrator;
+import org.whispersystems.textsecuregcm.storage.AccountsManager;
+import org.whispersystems.textsecuregcm.storage.ContactDiscoveryWriter;
+import org.whispersystems.textsecuregcm.storage.DeletedAccounts;
+import org.whispersystems.textsecuregcm.storage.DeletedAccountsDirectoryReconciler;
+import org.whispersystems.textsecuregcm.storage.DeletedAccountsManager;
+import org.whispersystems.textsecuregcm.storage.DeletedAccountsTableCrawler;
+import org.whispersystems.textsecuregcm.storage.DirectoryReconciler;
+import org.whispersystems.textsecuregcm.storage.DirectoryReconciliationClient;
+import org.whispersystems.textsecuregcm.storage.DynamicConfigurationManager;
+import org.whispersystems.textsecuregcm.storage.FaultTolerantDatabase;
+import org.whispersystems.textsecuregcm.storage.KeysDynamoDb;
+import org.whispersystems.textsecuregcm.storage.MessagePersister;
+import org.whispersystems.textsecuregcm.storage.MessagesCache;
+import org.whispersystems.textsecuregcm.storage.MessagesDynamoDb;
+import org.whispersystems.textsecuregcm.storage.MessagesManager;
+import org.whispersystems.textsecuregcm.storage.MigrationDeletedAccounts;
+import org.whispersystems.textsecuregcm.storage.MigrationMismatchedAccounts;
+import org.whispersystems.textsecuregcm.storage.MigrationMismatchedAccountsTableCrawler;
+import org.whispersystems.textsecuregcm.storage.MigrationRetryAccounts;
+import org.whispersystems.textsecuregcm.storage.MigrationRetryAccountsTableCrawler;
+import org.whispersystems.textsecuregcm.storage.Profiles;
+import org.whispersystems.textsecuregcm.storage.ProfilesManager;
+import org.whispersystems.textsecuregcm.storage.PubSubManager;
+import org.whispersystems.textsecuregcm.storage.PushChallengeDynamoDb;
+import org.whispersystems.textsecuregcm.storage.PushFeedbackProcessor;
+import org.whispersystems.textsecuregcm.storage.RemoteConfigs;
+import org.whispersystems.textsecuregcm.storage.RemoteConfigsManager;
+import org.whispersystems.textsecuregcm.storage.ReportMessageDynamoDb;
+import org.whispersystems.textsecuregcm.storage.ReportMessageManager;
+import org.whispersystems.textsecuregcm.storage.ReservedUsernames;
+import org.whispersystems.textsecuregcm.storage.StoredVerificationCodeManager;
+import org.whispersystems.textsecuregcm.storage.Usernames;
+import org.whispersystems.textsecuregcm.storage.UsernamesManager;
+import org.whispersystems.textsecuregcm.storage.VerificationCodeStore;
+import org.whispersystems.textsecuregcm.util.AsnManager;
+import org.whispersystems.textsecuregcm.util.Constants;
+import org.whispersystems.textsecuregcm.util.DynamoDbFromConfig;
+import org.whispersystems.textsecuregcm.util.HostnameUtil;
+import org.whispersystems.textsecuregcm.util.TorExitNodeManager;
+import org.whispersystems.textsecuregcm.util.logging.LoggingUnhandledExceptionMapper;
+import org.whispersystems.textsecuregcm.util.logging.UncaughtExceptionHandler;
+import org.whispersystems.textsecuregcm.websocket.AuthenticatedConnectListener;
+import org.whispersystems.textsecuregcm.websocket.DeadLetterHandler;
+import org.whispersystems.textsecuregcm.websocket.ProvisioningConnectListener;
+import org.whispersystems.textsecuregcm.websocket.WebSocketAccountAuthenticator;
+import org.whispersystems.textsecuregcm.workers.CertificateCommand;
+import org.whispersystems.textsecuregcm.workers.CheckDynamicConfigurationCommand;
+import org.whispersystems.textsecuregcm.workers.DeleteUserCommand;
+import org.whispersystems.textsecuregcm.workers.ServerVersionCommand;
+import org.whispersystems.textsecuregcm.workers.SetCrawlerAccelerationTask;
+import org.whispersystems.textsecuregcm.workers.SetRequestLoggingEnabledTask;
+import org.whispersystems.textsecuregcm.workers.SetUserDiscoverabilityCommand;
+import org.whispersystems.textsecuregcm.workers.VacuumCommand;
+import org.whispersystems.textsecuregcm.workers.ZkParamsCommand;
+import org.whispersystems.websocket.WebSocketResourceProviderFactory;
+import org.whispersystems.websocket.setup.WebSocketEnvironment;
+import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
+import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
+import software.amazon.awssdk.regions.Region;
+import software.amazon.awssdk.services.dynamodb.DynamoDbAsyncClient;
+import software.amazon.awssdk.services.dynamodb.DynamoDbClient;
+import software.amazon.awssdk.services.s3.S3Client;
+
+public class WhisperServerService extends Application<WhisperServerConfiguration> {
+
+  private static final Logger log = LoggerFactory.getLogger(WhisperServerService.class);
+
+  @Override
+  public void initialize(Bootstrap<WhisperServerConfiguration> bootstrap) {
+    bootstrap.addCommand(new VacuumCommand());
+    bootstrap.addCommand(new DeleteUserCommand());
+    bootstrap.addCommand(new CertificateCommand());
+    bootstrap.addCommand(new ZkParamsCommand());
+    bootstrap.addCommand(new ServerVersionCommand());
+    bootstrap.addCommand(new CheckDynamicConfigurationCommand());
+    bootstrap.addCommand(new SetUserDiscoverabilityCommand());
+
+    bootstrap.addBundle(new NameableMigrationsBundle<WhisperServerConfiguration>("accountdb", "accountsdb.xml") {
+      @Override
+      public DataSourceFactory getDataSourceFactory(WhisperServerConfiguration configuration) {
+        return configuration.getAccountsDatabaseConfiguration();
+      }
+    });
+
+
+    bootstrap.addBundle(new NameableMigrationsBundle<WhisperServerConfiguration>("abusedb", "abusedb.xml") {
+      @Override
+      public PooledDataSourceFactory getDataSourceFactory(WhisperServerConfiguration configuration) {
+        return configuration.getAbuseDatabaseConfiguration();
+      }
+    });
+  }
+
+  @Override
+  public String getName() {
+    return "whisper-server";
+  }
+
+  @Override
+  public void run(WhisperServerConfiguration config, Environment environment)
+      throws Exception {
+
+    UncaughtExceptionHandler.register();
+
+    SharedMetricRegistries.add(Constants.METRICS_NAME, environment.metrics());
+
+    final DistributionStatisticConfig defaultDistributionStatisticConfig = DistributionStatisticConfig.builder()
+        .percentiles(.75, .95, .99, .999)
+        .build();
+
+    {
+      final DatadogMeterRegistry datadogMeterRegistry = new DatadogMeterRegistry(config.getDatadogConfiguration(), Clock.SYSTEM);
+
+      datadogMeterRegistry.config().commonTags(
+          Tags.of(
+              "service", "chat",
+              "host", HostnameUtil.getLocalHostname(),
+              "version", WhisperServerVersion.getServerVersion(),
+              "env", config.getDatadogConfiguration().getEnvironment()))
+          .meterFilter(MeterFilter.denyNameStartsWith(MetricsRequestEventListener.REQUEST_COUNTER_NAME))
+          .meterFilter(MeterFilter.denyNameStartsWith(MetricsRequestEventListener.ANDROID_REQUEST_COUNTER_NAME))
+          .meterFilter(MeterFilter.denyNameStartsWith(MetricsRequestEventListener.DESKTOP_REQUEST_COUNTER_NAME))
+          .meterFilter(MeterFilter.denyNameStartsWith(MetricsRequestEventListener.IOS_REQUEST_COUNTER_NAME))
+          .meterFilter(new MeterFilter() {
+            @Override
+            public DistributionStatisticConfig configure(final Id id, final DistributionStatisticConfig config) {
+              return defaultDistributionStatisticConfig.merge(config);
+            }
+          });
+
+      Metrics.addRegistry(datadogMeterRegistry);
+    }
+
+    environment.getObjectMapper().configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
+    environment.getObjectMapper().setVisibility(PropertyAccessor.ALL, JsonAutoDetect.Visibility.NONE);
+    environment.getObjectMapper().setVisibility(PropertyAccessor.FIELD, JsonAutoDetect.Visibility.ANY);
+
+    ProfileBadgeConverter profileBadgeConverter = (acceptableLanguages, accountBadges) -> List.of();  // TODO: Provide an actual implementation.
+
+    JdbiFactory jdbiFactory = new JdbiFactory(DefaultNameStrategy.CHECK_EMPTY);
+    Jdbi        accountJdbi = jdbiFactory.build(environment, config.getAccountsDatabaseConfiguration(), "accountdb");
+    Jdbi        abuseJdbi   = jdbiFactory.build(environment, config.getAbuseDatabaseConfiguration(), "abusedb"  );
+
+    FaultTolerantDatabase accountDatabase = new FaultTolerantDatabase("accounts_database", accountJdbi, config.getAccountsDatabaseConfiguration().getCircuitBreakerConfiguration());
+    FaultTolerantDatabase abuseDatabase   = new FaultTolerantDatabase("abuse_database", abuseJdbi, config.getAbuseDatabaseConfiguration().getCircuitBreakerConfiguration());
+
+    DynamoDbClient messageDynamoDb = DynamoDbFromConfig.client(config.getMessageDynamoDbConfiguration(),
+        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
+
+    DynamoDbClient preKeyDynamoDb = DynamoDbFromConfig.client(config.getKeysDynamoDbConfiguration(),
+        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
+
+    DynamoDbClient accountsDynamoDbClient = DynamoDbFromConfig.client(config.getAccountsDynamoDbConfiguration(),
+        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
+
+    // The thread pool core & max sizes are set via dynamic configuration within AccountsDynamoDb
+    ThreadPoolExecutor accountsDynamoDbMigrationThreadPool = new ThreadPoolExecutor(1, 1, 0, TimeUnit.SECONDS,
+        new LinkedBlockingDeque<>());
+
+    DynamoDbAsyncClient accountsDynamoDbAsyncClient = DynamoDbFromConfig.asyncClient(config.getAccountsDynamoDbConfiguration(),
+        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create(),
+        accountsDynamoDbMigrationThreadPool);
+
+    DynamoDbClient deletedAccountsDynamoDbClient = DynamoDbFromConfig.client(config.getDeletedAccountsDynamoDbConfiguration(),
+        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
+
+    DynamoDbClient recentlyDeletedAccountsDynamoDb = DynamoDbFromConfig.client(config.getMigrationDeletedAccountsDynamoDbConfiguration(),
+        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
+
+    DynamoDbClient pushChallengeDynamoDbClient = DynamoDbFromConfig.client(
+        config.getPushChallengeDynamoDbConfiguration(),
+        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
+
+    DynamoDbClient reportMessageDynamoDbClient = DynamoDbFromConfig.client(
+        config.getReportMessageDynamoDbConfiguration(),
+        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
+
+    DynamoDbClient migrationRetryAccountsDynamoDb = DynamoDbFromConfig.client(
+        config.getMigrationRetryAccountsDynamoDbConfiguration(),
+        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
+
+    DynamoDbClient migrationMismatchedAccountsDynamoDb = DynamoDbFromConfig.client(
+        config.getMigrationMismatchedAccountsDynamoDbConfiguration(),
+        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
+
+    DynamoDbClient pendingAccountsDynamoDbClient = DynamoDbFromConfig.client(
+        config.getPendingAccountsDynamoDbConfiguration(),
+        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
+
+    DynamoDbClient pendingDevicesDynamoDbClient = DynamoDbFromConfig.client(
+        config.getPendingDevicesDynamoDbConfiguration(),
+        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
+
+    AmazonDynamoDB deletedAccountsLockDynamoDbClient = AmazonDynamoDBClientBuilder.standard()
+        .withRegion(config.getDeletedAccountsLockDynamoDbConfiguration().getRegion())
+        .withClientConfiguration(new ClientConfiguration().withClientExecutionTimeout(
+                ((int) config.getDeletedAccountsLockDynamoDbConfiguration().getClientExecutionTimeout().toMillis()))
+            .withRequestTimeout(
+                (int) config.getDeletedAccountsLockDynamoDbConfiguration().getClientRequestTimeout().toMillis()))
+        .withCredentials(InstanceProfileCredentialsProvider.getInstance())
+        .build();
+
+    DeletedAccounts deletedAccounts = new DeletedAccounts(deletedAccountsDynamoDbClient,
+        config.getDeletedAccountsDynamoDbConfiguration().getTableName(),
+        config.getDeletedAccountsDynamoDbConfiguration().getNeedsReconciliationIndexName());
+    MigrationDeletedAccounts migrationDeletedAccounts = new MigrationDeletedAccounts(recentlyDeletedAccountsDynamoDb,
+        config.getMigrationDeletedAccountsDynamoDbConfiguration().getTableName());
+    MigrationRetryAccounts migrationRetryAccounts = new MigrationRetryAccounts(migrationRetryAccountsDynamoDb,
+        config.getMigrationRetryAccountsDynamoDbConfiguration().getTableName());
+    MigrationMismatchedAccounts mismatchedAccounts = new MigrationMismatchedAccounts(
+        migrationMismatchedAccountsDynamoDb,
+        config.getMigrationMismatchedAccountsDynamoDbConfiguration().getTableName());
+
+    Accounts accounts = new Accounts(accountDatabase);
+    AccountsDynamoDb accountsDynamoDb = new AccountsDynamoDb(accountsDynamoDbClient, accountsDynamoDbAsyncClient,
+        accountsDynamoDbMigrationThreadPool, config.getAccountsDynamoDbConfiguration().getTableName(),
+        config.getAccountsDynamoDbConfiguration().getPhoneNumberTableName(), migrationDeletedAccounts,
+        migrationRetryAccounts);
+    Usernames usernames = new Usernames(accountDatabase);
+    ReservedUsernames reservedUsernames = new ReservedUsernames(accountDatabase);
+    Profiles profiles = new Profiles(accountDatabase);
+    KeysDynamoDb keysDynamoDb = new KeysDynamoDb(preKeyDynamoDb, config.getKeysDynamoDbConfiguration().getTableName());
+    MessagesDynamoDb messagesDynamoDb = new MessagesDynamoDb(messageDynamoDb,
+        config.getMessageDynamoDbConfiguration().getTableName(),
+        config.getMessageDynamoDbConfiguration().getTimeToLive());
+    AbusiveHostRules abusiveHostRules = new AbusiveHostRules(abuseDatabase);
+    RemoteConfigs remoteConfigs = new RemoteConfigs(accountDatabase);
+    PushChallengeDynamoDb pushChallengeDynamoDb = new PushChallengeDynamoDb(pushChallengeDynamoDbClient, config.getPushChallengeDynamoDbConfiguration().getTableName());
+    ReportMessageDynamoDb reportMessageDynamoDb = new ReportMessageDynamoDb(reportMessageDynamoDbClient, config.getReportMessageDynamoDbConfiguration().getTableName());
+    VerificationCodeStore pendingAccounts = new VerificationCodeStore(pendingAccountsDynamoDbClient, config.getPendingAccountsDynamoDbConfiguration().getTableName());
+    VerificationCodeStore pendingDevices = new VerificationCodeStore(pendingDevicesDynamoDbClient, config.getPendingDevicesDynamoDbConfiguration().getTableName());
+
+    RedisClientFactory  pubSubClientFactory = new RedisClientFactory("pubsub_cache", config.getPubsubCacheConfiguration().getUrl(), config.getPubsubCacheConfiguration().getReplicaUrls(), config.getPubsubCacheConfiguration().getCircuitBreakerConfiguration());
+    ReplicatedJedisPool pubsubClient        = pubSubClientFactory.getRedisClientPool();
+
+    ClientResources generalCacheClientResources       = ClientResources.builder().build();
+    ClientResources messageCacheClientResources       = ClientResources.builder().build();
+    ClientResources presenceClientResources           = ClientResources.builder().build();
+    ClientResources metricsCacheClientResources       = ClientResources.builder().build();
+    ClientResources pushSchedulerCacheClientResources = ClientResources.builder().ioThreadPoolSize(4).build();
+    ClientResources rateLimitersCacheClientResources =  ClientResources.builder().build();
+
+    ConnectionEventLogger.logConnectionEvents(generalCacheClientResources);
+    ConnectionEventLogger.logConnectionEvents(messageCacheClientResources);
+    ConnectionEventLogger.logConnectionEvents(presenceClientResources);
+    ConnectionEventLogger.logConnectionEvents(metricsCacheClientResources);
+
+    FaultTolerantRedisCluster cacheCluster             = new FaultTolerantRedisCluster("main_cache_cluster", config.getCacheClusterConfiguration(), generalCacheClientResources);
+    FaultTolerantRedisCluster messagesCluster          = new FaultTolerantRedisCluster("messages_cluster", config.getMessageCacheConfiguration().getRedisClusterConfiguration(), messageCacheClientResources);
+    FaultTolerantRedisCluster clientPresenceCluster    = new FaultTolerantRedisCluster("client_presence_cluster", config.getClientPresenceClusterConfiguration(), presenceClientResources);
+    FaultTolerantRedisCluster metricsCluster           = new FaultTolerantRedisCluster("metrics_cluster", config.getMetricsClusterConfiguration(), metricsCacheClientResources);
+    FaultTolerantRedisCluster pushSchedulerCluster     = new FaultTolerantRedisCluster("push_scheduler", config.getPushSchedulerCluster(), pushSchedulerCacheClientResources);
+    FaultTolerantRedisCluster rateLimitersCluster      = new FaultTolerantRedisCluster("rate_limiters", config.getRateLimitersCluster(), rateLimitersCacheClientResources);
+
+    BlockingQueue<Runnable> keyspaceNotificationDispatchQueue = new ArrayBlockingQueue<>(10_000);
+    Metrics.gaugeCollectionSize(name(getClass(), "keyspaceNotificationDispatchQueueSize"), Collections.emptyList(), keyspaceNotificationDispatchQueue);
+
+    ScheduledExecutorService recurringJobExecutor = environment.lifecycle()
+        .scheduledExecutorService(name(getClass(), "recurringJob-%d")).threads(6).build();
+    ScheduledExecutorService declinedMessageReceiptExecutor = environment.lifecycle()
+        .scheduledExecutorService(name(getClass(), "declined-receipt-%d")).threads(2).build();
+    ScheduledExecutorService retrySchedulingExecutor              = environment.lifecycle().scheduledExecutorService(name(getClass(), "retry-%d")).threads(2).build();
+    ExecutorService          keyspaceNotificationDispatchExecutor = environment.lifecycle().executorService(name(getClass(), "keyspaceNotification-%d")).maxThreads(16).workQueue(keyspaceNotificationDispatchQueue).build();
+    ExecutorService          apnSenderExecutor                    = environment.lifecycle().executorService(name(getClass(), "apnSender-%d")).maxThreads(1).minThreads(1).build();
+    ExecutorService          gcmSenderExecutor                    = environment.lifecycle().executorService(name(getClass(), "gcmSender-%d")).maxThreads(1).minThreads(1).build();
+    ExecutorService          backupServiceExecutor                = environment.lifecycle().executorService(name(getClass(), "backupService-%d")).maxThreads(1).minThreads(1).build();
+    ExecutorService          storageServiceExecutor               = environment.lifecycle().executorService(name(getClass(), "storageService-%d")).maxThreads(1).minThreads(1).build();
+    ExecutorService          donationExecutor                     = environment.lifecycle().executorService(name(getClass(), "donation-%d")).maxThreads(1).minThreads(1).build();
+    ExecutorService multiRecipientMessageExecutor = environment.lifecycle()
+        .executorService(name(getClass(), "multiRecipientMessage-%d")).minThreads(64).maxThreads(64).build();
+    ExecutorService accountsCrawlerChunkPreReadExecutor = environment.lifecycle()
+        .executorService(name(getClass(), "accountsCrawler-%d")).maxThreads(2).minThreads(2).build();
+
+    ExternalServiceCredentialGenerator directoryCredentialsGenerator = new ExternalServiceCredentialGenerator(config.getDirectoryConfiguration().getDirectoryClientConfiguration().getUserAuthenticationTokenSharedSecret(),
+            config.getDirectoryConfiguration().getDirectoryClientConfiguration().getUserAuthenticationTokenUserIdSecret(),
+            true);
+
+    DynamicConfigurationManager dynamicConfigurationManager = new DynamicConfigurationManager(config.getAppConfig().getApplication(), config.getAppConfig().getEnvironment(), config.getAppConfig().getConfigurationName());
+    dynamicConfigurationManager.start();
+
+    ExperimentEnrollmentManager experimentEnrollmentManager = new ExperimentEnrollmentManager(dynamicConfigurationManager);
+
+    TwilioVerifyExperimentEnrollmentManager verifyExperimentEnrollmentManager = new TwilioVerifyExperimentEnrollmentManager(
+        config.getVoiceVerificationConfiguration(), experimentEnrollmentManager);
+
+    ExternalServiceCredentialGenerator storageCredentialsGenerator   = new ExternalServiceCredentialGenerator(config.getSecureStorageServiceConfiguration().getUserAuthenticationTokenSharedSecret(), new byte[0], false);
+    ExternalServiceCredentialGenerator backupCredentialsGenerator    = new ExternalServiceCredentialGenerator(config.getSecureBackupServiceConfiguration().getUserAuthenticationTokenSharedSecret(), new byte[0], false);
+    ExternalServiceCredentialGenerator paymentsCredentialsGenerator  = new ExternalServiceCredentialGenerator(config.getPaymentsServiceConfiguration().getUserAuthenticationTokenSharedSecret(), new byte[0], false);
+
+    SecureBackupClient         secureBackupClient         = new SecureBackupClient(backupCredentialsGenerator, backupServiceExecutor, config.getSecureBackupServiceConfiguration());
+    SecureStorageClient        secureStorageClient        = new SecureStorageClient(storageCredentialsGenerator, storageServiceExecutor, config.getSecureStorageServiceConfiguration());
+    ClientPresenceManager      clientPresenceManager      = new ClientPresenceManager(clientPresenceCluster, recurringJobExecutor, keyspaceNotificationDispatchExecutor);
+    DirectoryQueue             directoryQueue             = new DirectoryQueue(config.getDirectoryConfiguration().getSqsConfiguration());
+    StoredVerificationCodeManager pendingAccountsManager  = new StoredVerificationCodeManager(pendingAccounts);
+    StoredVerificationCodeManager pendingDevicesManager   = new StoredVerificationCodeManager(pendingDevices);
+    UsernamesManager           usernamesManager           = new UsernamesManager(usernames, reservedUsernames, cacheCluster);
+    ProfilesManager            profilesManager            = new ProfilesManager(profiles, cacheCluster);
+    MessagesCache              messagesCache              = new MessagesCache(messagesCluster, messagesCluster, keyspaceNotificationDispatchExecutor);
+    PushLatencyManager         pushLatencyManager         = new PushLatencyManager(metricsCluster);
+    ReportMessageManager       reportMessageManager       = new ReportMessageManager(reportMessageDynamoDb, Metrics.globalRegistry);
+    MessagesManager            messagesManager            = new MessagesManager(messagesDynamoDb, messagesCache, pushLatencyManager, reportMessageManager);
+    DeletedAccountsManager deletedAccountsManager = new DeletedAccountsManager(deletedAccounts,
+        deletedAccountsLockDynamoDbClient, config.getDeletedAccountsLockDynamoDbConfiguration().getTableName());
+    AccountsManager accountsManager = new AccountsManager(accounts, accountsDynamoDb, cacheCluster,
+        deletedAccountsManager, directoryQueue, keysDynamoDb, messagesManager, mismatchedAccounts, usernamesManager,
+        profilesManager, pendingAccountsManager, secureStorageClient, secureBackupClient, experimentEnrollmentManager,
+        dynamicConfigurationManager);
+    RemoteConfigsManager remoteConfigsManager = new RemoteConfigsManager(remoteConfigs);
+    DeadLetterHandler          deadLetterHandler          = new DeadLetterHandler(accountsManager, messagesManager);
+    DispatchManager            dispatchManager            = new DispatchManager(pubSubClientFactory, Optional.of(deadLetterHandler));
+    PubSubManager              pubSubManager              = new PubSubManager(pubsubClient, dispatchManager);
+    APNSender                  apnSender                  = new APNSender(apnSenderExecutor, accountsManager, config.getApnConfiguration());
+    GCMSender                  gcmSender                  = new GCMSender(gcmSenderExecutor, accountsManager, config.getGcmConfiguration().getApiKey());
+    RateLimiters               rateLimiters               = new RateLimiters(config.getLimitsConfiguration(), dynamicConfigurationManager, rateLimitersCluster);
+    ProvisioningManager        provisioningManager        = new ProvisioningManager(pubSubManager);
+    TorExitNodeManager         torExitNodeManager         = new TorExitNodeManager(recurringJobExecutor, config.getTorExitNodeListConfiguration());
+    AsnManager                 asnManager                 = new AsnManager(recurringJobExecutor, config.getAsnTableConfiguration());
+
+    AccountAuthenticator                  accountAuthenticator                  = new AccountAuthenticator(accountsManager);
+    DisabledPermittedAccountAuthenticator disabledPermittedAccountAuthenticator = new DisabledPermittedAccountAuthenticator(accountsManager);
+
+    RateLimitResetMetricsManager rateLimitResetMetricsManager = new RateLimitResetMetricsManager(metricsCluster, Metrics.globalRegistry);
+
+    UnsealedSenderRateLimiter unsealedSenderRateLimiter = new UnsealedSenderRateLimiter(rateLimiters, rateLimitersCluster, dynamicConfigurationManager, rateLimitResetMetricsManager);
+    PreKeyRateLimiter preKeyRateLimiter = new PreKeyRateLimiter(rateLimiters, dynamicConfigurationManager, rateLimitResetMetricsManager);
+
+    ApnFallbackManager       apnFallbackManager = new ApnFallbackManager(pushSchedulerCluster, apnSender, accountsManager);
+    TwilioSmsSender          twilioSmsSender    = new TwilioSmsSender(config.getTwilioConfiguration(), dynamicConfigurationManager);
+    SmsSender                smsSender          = new SmsSender(twilioSmsSender);
+    MessageSender            messageSender      = new MessageSender(apnFallbackManager, clientPresenceManager, messagesManager, gcmSender, apnSender, pushLatencyManager);
+    ReceiptSender            receiptSender      = new ReceiptSender(accountsManager, messageSender);
+    TurnTokenGenerator       turnTokenGenerator = new TurnTokenGenerator(config.getTurnConfiguration());
+    LegacyRecaptchaClient legacyRecaptchaClient = new LegacyRecaptchaClient(config.getRecaptchaConfiguration().getSecret());
+    EnterpriseRecaptchaClient enterpriseRecaptchaClient = new EnterpriseRecaptchaClient(
+        config.getRecaptchaV2Configuration().getScoreFloor().doubleValue(),
+        config.getRecaptchaV2Configuration().getSiteKey(),
+        config.getRecaptchaV2Configuration().getProjectPath(),
+        config.getRecaptchaV2Configuration().getCredentialConfigurationJson());
+    TransitionalRecaptchaClient transitionalRecaptchaClient = new TransitionalRecaptchaClient(legacyRecaptchaClient, enterpriseRecaptchaClient);
+    PushChallengeManager     pushChallengeManager = new PushChallengeManager(apnSender, gcmSender, pushChallengeDynamoDb);
+    RateLimitChallengeManager rateLimitChallengeManager = new RateLimitChallengeManager(pushChallengeManager,
+        transitionalRecaptchaClient, preKeyRateLimiter, unsealedSenderRateLimiter, rateLimiters,
+        dynamicConfigurationManager);
+
+    MessagePersister messagePersister = new MessagePersister(messagesCache, messagesManager, accountsManager, dynamicConfigurationManager, Duration.ofMinutes(config.getMessageCacheConfiguration().getPersistDelayMinutes()));
+
+    // TODO listeners must be ordered so that ones that directly update accounts come last, so that read-only ones are not working with stale data
+    final List<AccountDatabaseCrawlerListener> accountDatabaseCrawlerListeners = new ArrayList<>();
+
+    final List<DeletedAccountsDirectoryReconciler> deletedAccountsDirectoryReconcilers = new ArrayList<>();
+    for (DirectoryServerConfiguration directoryServerConfiguration : config.getDirectoryConfiguration()
+        .getDirectoryServerConfiguration()) {
+      final DirectoryReconciliationClient directoryReconciliationClient = new DirectoryReconciliationClient(
+          directoryServerConfiguration);
+      final DirectoryReconciler directoryReconciler = new DirectoryReconciler(
+          directoryServerConfiguration.getReplicationName(), directoryReconciliationClient);
+      // reconcilers are read-only
+      accountDatabaseCrawlerListeners.add(directoryReconciler);
+
+      final DeletedAccountsDirectoryReconciler deletedAccountsDirectoryReconciler = new DeletedAccountsDirectoryReconciler(
+          directoryServerConfiguration.getReplicationName(), directoryReconciliationClient);
+      deletedAccountsDirectoryReconcilers.add(deletedAccountsDirectoryReconciler);
+    }
+    accountDatabaseCrawlerListeners.add(new ContactDiscoveryWriter(accountsManager));
+    // PushFeedbackProcessor may update device properties
+    accountDatabaseCrawlerListeners.add(new PushFeedbackProcessor(accountsManager));
+    // delete accounts last
+    accountDatabaseCrawlerListeners.add(new AccountCleaner(accountsManager));
+
+    HttpClient                currencyClient  = HttpClient.newBuilder().version(HttpClient.Version.HTTP_2).connectTimeout(Duration.ofSeconds(10)).build();
+    FixerClient               fixerClient     = new FixerClient(currencyClient, config.getPaymentsServiceConfiguration().getFixerApiKey());
+    FtxClient                 ftxClient       = new FtxClient(currencyClient);
+    CurrencyConversionManager currencyManager = new CurrencyConversionManager(fixerClient, ftxClient, config.getPaymentsServiceConfiguration().getPaymentCurrencies());
+
+    AccountDatabaseCrawlerCache accountDatabaseCrawlerCache = new AccountDatabaseCrawlerCache(cacheCluster);
+    AccountDatabaseCrawler accountDatabaseCrawler = new AccountDatabaseCrawler(accountsManager,
+        accountDatabaseCrawlerCache, accountDatabaseCrawlerListeners,
+        config.getAccountDatabaseCrawlerConfiguration().getChunkSize(),
+        config.getAccountDatabaseCrawlerConfiguration().getChunkIntervalMs(),
+        accountsCrawlerChunkPreReadExecutor,
+        dynamicConfigurationManager);
+
+    AccountDatabaseCrawlerCache dynamoDbMigrationCrawlerCache = new AccountDatabaseCrawlerCache(cacheCluster);
+    dynamoDbMigrationCrawlerCache.setPrefix("DynamoMigration");
+    AccountDatabaseCrawler accountDynamoDbMigrationCrawler = new AccountDatabaseCrawler(accountsManager,
+        dynamoDbMigrationCrawlerCache,
+        List.of(new AccountsDynamoDbMigrator(accountsDynamoDb, dynamicConfigurationManager)),
+        config.getDynamoDbMigrationCrawlerConfiguration().getChunkSize(),
+        config.getDynamoDbMigrationCrawlerConfiguration().getChunkIntervalMs(),
+        accountsCrawlerChunkPreReadExecutor,
+        dynamicConfigurationManager);
+
+    DeletedAccountsTableCrawler deletedAccountsTableCrawler = new DeletedAccountsTableCrawler(deletedAccountsManager, deletedAccountsDirectoryReconcilers, cacheCluster, recurringJobExecutor);
+    MigrationRetryAccountsTableCrawler migrationRetryAccountsTableCrawler = new MigrationRetryAccountsTableCrawler(
+        migrationRetryAccounts, accountsManager, accountsDynamoDb, cacheCluster, recurringJobExecutor);
+    MigrationMismatchedAccountsTableCrawler migrationMismatchedAccountsTableCrawler = new MigrationMismatchedAccountsTableCrawler(
+        mismatchedAccounts, accountsManager, accounts, accountsDynamoDb, dynamicConfigurationManager, cacheCluster,
+        recurringJobExecutor);
+
+    apnSender.setApnFallbackManager(apnFallbackManager);
+    environment.lifecycle().manage(new ApplicationShutdownMonitor());
+    environment.lifecycle().manage(apnFallbackManager);
+    environment.lifecycle().manage(pubSubManager);
+    environment.lifecycle().manage(messageSender);
+    environment.lifecycle().manage(accountDatabaseCrawler);
+    environment.lifecycle().manage(accountDynamoDbMigrationCrawler);
+    environment.lifecycle().manage(deletedAccountsTableCrawler);
+    environment.lifecycle().manage(migrationRetryAccountsTableCrawler);
+    environment.lifecycle().manage(migrationMismatchedAccountsTableCrawler);
+    environment.lifecycle().manage(remoteConfigsManager);
+    environment.lifecycle().manage(messagesCache);
+    environment.lifecycle().manage(messagePersister);
+    environment.lifecycle().manage(clientPresenceManager);
+    environment.lifecycle().manage(currencyManager);
+    environment.lifecycle().manage(torExitNodeManager);
+    environment.lifecycle().manage(asnManager);
+    environment.lifecycle().manage(directoryQueue);
+
+    StaticCredentialsProvider cdnCredentialsProvider = StaticCredentialsProvider
+        .create(AwsBasicCredentials.create(
+            config.getCdnConfiguration().getAccessKey(),
+            config.getCdnConfiguration().getAccessSecret()));
+    S3Client cdnS3Client               = S3Client.builder()
+        .credentialsProvider(cdnCredentialsProvider)
+        .region(Region.of(config.getCdnConfiguration().getRegion()))
+        .build();
+    PostPolicyGenerator profileCdnPolicyGenerator = new PostPolicyGenerator(config.getCdnConfiguration().getRegion(),
+        config.getCdnConfiguration().getBucket(), config.getCdnConfiguration().getAccessKey());
+    PolicySigner profileCdnPolicySigner = new PolicySigner(config.getCdnConfiguration().getAccessSecret(),
+        config.getCdnConfiguration().getRegion());
+
+    ServerSecretParams zkSecretParams = new ServerSecretParams(config.getZkConfig().getServerSecret());
+    ServerZkProfileOperations zkProfileOperations = new ServerZkProfileOperations(zkSecretParams);
+    ServerZkAuthOperations zkAuthOperations = new ServerZkAuthOperations(zkSecretParams);
+    boolean isZkEnabled = config.getZkConfig().isEnabled();
+
+    AuthFilter<BasicCredentials, AuthenticatedAccount> accountAuthFilter = new BasicCredentialAuthFilter.Builder<AuthenticatedAccount>().setAuthenticator(
+        accountAuthenticator).buildAuthFilter();
+    AuthFilter<BasicCredentials, DisabledPermittedAuthenticatedAccount> disabledPermittedAccountAuthFilter = new BasicCredentialAuthFilter.Builder<DisabledPermittedAuthenticatedAccount>().setAuthenticator(
+        disabledPermittedAccountAuthenticator).buildAuthFilter();
+
+    environment.servlets()
+        .addFilter("RemoteDeprecationFilter", new RemoteDeprecationFilter(dynamicConfigurationManager))
+        .addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), false, "/*");
+
+    environment.jersey().register(new ContentLengthFilter(TrafficSource.HTTP));
+    environment.jersey().register(MultiRecipientMessageProvider.class);
+    environment.jersey().register(new MetricsApplicationEventListener(TrafficSource.HTTP));
+    environment.jersey()
+        .register(new PolymorphicAuthDynamicFeature<>(ImmutableMap.of(AuthenticatedAccount.class, accountAuthFilter,
+            DisabledPermittedAuthenticatedAccount.class, disabledPermittedAccountAuthFilter)));
+    environment.jersey().register(new PolymorphicAuthValueFactoryProvider.Binder<>(
+        ImmutableSet.of(AuthenticatedAccount.class, DisabledPermittedAuthenticatedAccount.class)));
+    environment.jersey().register(new AuthEnablementApplicationEventListener(clientPresenceManager));
+    environment.jersey().register(new TimestampResponseFilter());
+    environment.jersey().register(new VoiceVerificationController(config.getVoiceVerificationConfiguration().getUrl(),
+        config.getVoiceVerificationConfiguration().getLocales()));
+
+    ///
+    WebSocketEnvironment<AuthenticatedAccount> webSocketEnvironment = new WebSocketEnvironment<>(environment,
+        config.getWebSocketConfiguration(), 90000);
+    webSocketEnvironment.setAuthenticator(new WebSocketAccountAuthenticator(accountAuthenticator));
+    webSocketEnvironment.setConnectListener(
+        new AuthenticatedConnectListener(receiptSender, messagesManager, messageSender, apnFallbackManager,
+            clientPresenceManager, retrySchedulingExecutor));
+    webSocketEnvironment.jersey().register(new AuthEnablementApplicationEventListener(clientPresenceManager));
+    webSocketEnvironment.jersey().register(new ContentLengthFilter(TrafficSource.WEBSOCKET));
+    webSocketEnvironment.jersey().register(MultiRecipientMessageProvider.class);
+    webSocketEnvironment.jersey().register(new MetricsApplicationEventListener(TrafficSource.WEBSOCKET));
+    webSocketEnvironment.jersey().register(new KeepAliveController(clientPresenceManager));
+
+    // these should be common, but use @Auth DisabledPermittedAccount, which isn’t supported yet on websocket
+    environment.jersey().register(
+        new AccountController(pendingAccountsManager, accountsManager, usernamesManager, abusiveHostRules, rateLimiters,
+            smsSender, dynamicConfigurationManager, turnTokenGenerator, config.getTestDevices(),
+            transitionalRecaptchaClient, gcmSender, apnSender, backupCredentialsGenerator,
+            verifyExperimentEnrollmentManager));
+    environment.jersey().register(new KeysController(rateLimiters, keysDynamoDb, accountsManager, preKeyRateLimiter, rateLimitChallengeManager));
+
+    final List<Object> commonControllers = List.of(
+        new AttachmentControllerV1(rateLimiters, config.getAwsAttachmentsConfiguration().getAccessKey(), config.getAwsAttachmentsConfiguration().getAccessSecret(), config.getAwsAttachmentsConfiguration().getBucket()),
+        new AttachmentControllerV2(rateLimiters, config.getAwsAttachmentsConfiguration().getAccessKey(), config.getAwsAttachmentsConfiguration().getAccessSecret(), config.getAwsAttachmentsConfiguration().getRegion(), config.getAwsAttachmentsConfiguration().getBucket()),
+        new AttachmentControllerV3(rateLimiters, config.getGcpAttachmentsConfiguration().getDomain(), config.getGcpAttachmentsConfiguration().getEmail(), config.getGcpAttachmentsConfiguration().getMaxSizeInBytes(), config.getGcpAttachmentsConfiguration().getPathPrefix(), config.getGcpAttachmentsConfiguration().getRsaSigningKey()),
+        new CertificateController(new CertificateGenerator(config.getDeliveryCertificate().getCertificate(), config.getDeliveryCertificate().getPrivateKey(), config.getDeliveryCertificate().getExpiresDays()), zkAuthOperations, isZkEnabled),
+        new ChallengeController(rateLimitChallengeManager),
+        new DeviceController(pendingDevicesManager, accountsManager, messagesManager, keysDynamoDb, rateLimiters, config.getMaxDevices()),
+        new DirectoryController(directoryCredentialsGenerator),
+        new DonationController(donationExecutor, config.getDonationConfiguration()),
+        new MessageController(rateLimiters, messageSender, receiptSender, accountsManager, messagesManager, unsealedSenderRateLimiter, apnFallbackManager, dynamicConfigurationManager, rateLimitChallengeManager, reportMessageManager, metricsCluster, declinedMessageReceiptExecutor, multiRecipientMessageExecutor),
+        new PaymentsController(currencyManager, paymentsCredentialsGenerator),
+        new ProfileController(rateLimiters, accountsManager, profilesManager, usernamesManager, dynamicConfigurationManager, profileBadgeConverter, cdnS3Client, profileCdnPolicyGenerator, profileCdnPolicySigner, config.getCdnConfiguration().getBucket(), zkProfileOperations, isZkEnabled),
+        new ProvisioningController(rateLimiters, provisioningManager),
+        new RemoteConfigController(remoteConfigsManager, config.getRemoteConfigConfiguration().getAuthorizedTokens(), config.getRemoteConfigConfiguration().getGlobalConfig()),
+        new SecureBackupController(backupCredentialsGenerator),
+        new SecureStorageController(storageCredentialsGenerator),
+        new StickerController(rateLimiters, config.getCdnConfiguration().getAccessKey(),
+            config.getCdnConfiguration().getAccessSecret(), config.getCdnConfiguration().getRegion(),
+            config.getCdnConfiguration().getBucket())
+    );
+
+    for (Object controller : commonControllers) {
+      environment.jersey().register(controller);
+      webSocketEnvironment.jersey().register(controller);
+    }
+
+    WebSocketEnvironment<AuthenticatedAccount> provisioningEnvironment = new WebSocketEnvironment<>(environment,
+        webSocketEnvironment.getRequestLog(), 60000);
+    provisioningEnvironment.jersey().register(new AuthEnablementApplicationEventListener(clientPresenceManager));
+    provisioningEnvironment.setConnectListener(new ProvisioningConnectListener(pubSubManager));
+    provisioningEnvironment.jersey().register(new MetricsApplicationEventListener(TrafficSource.WEBSOCKET));
+    provisioningEnvironment.jersey().register(new KeepAliveController(clientPresenceManager));
+
+    registerCorsFilter(environment);
+    registerExceptionMappers(environment, webSocketEnvironment, provisioningEnvironment);
+
+    RateLimitChallengeExceptionMapper rateLimitChallengeExceptionMapper = new RateLimitChallengeExceptionMapper(
+        rateLimitChallengeManager);
+
+    environment.jersey().register(rateLimitChallengeExceptionMapper);
+    webSocketEnvironment.jersey().register(rateLimitChallengeExceptionMapper);
+    provisioningEnvironment.jersey().register(rateLimitChallengeExceptionMapper);
+
+    WebSocketResourceProviderFactory<AuthenticatedAccount> webSocketServlet = new WebSocketResourceProviderFactory<>(
+        webSocketEnvironment, AuthenticatedAccount.class, config.getWebSocketConfiguration());
+    WebSocketResourceProviderFactory<AuthenticatedAccount> provisioningServlet = new WebSocketResourceProviderFactory<>(
+        provisioningEnvironment, AuthenticatedAccount.class, config.getWebSocketConfiguration());
+
+    ServletRegistration.Dynamic websocket = environment.servlets().addServlet("WebSocket", webSocketServlet);
+    ServletRegistration.Dynamic provisioning = environment.servlets().addServlet("Provisioning", provisioningServlet);
+
+    websocket.addMapping("/v1/websocket/");
+    websocket.setAsyncSupported(true);
+
+    provisioning.addMapping("/v1/websocket/provisioning/");
+    provisioning.setAsyncSupported(true);
+
+    environment.admin().addTask(new SetRequestLoggingEnabledTask());
+    environment.admin().addTask(new SetCrawlerAccelerationTask(accountDatabaseCrawlerCache));
+
+///
+
+    environment.healthChecks().register("cacheCluster", new RedisClusterHealthCheck(cacheCluster));
+
+    environment.metrics().register(name(CpuUsageGauge.class, "cpu"), new CpuUsageGauge(3, TimeUnit.SECONDS));
+    environment.metrics().register(name(FreeMemoryGauge.class, "free_memory"), new FreeMemoryGauge());
+    environment.metrics().register(name(NetworkSentGauge.class, "bytes_sent"), new NetworkSentGauge());
+    environment.metrics().register(name(NetworkReceivedGauge.class, "bytes_received"), new NetworkReceivedGauge());
+    environment.metrics().register(name(FileDescriptorGauge.class, "fd_count"), new FileDescriptorGauge());
+    environment.metrics().register(name(MaxFileDescriptorGauge.class, "max_fd_count"), new MaxFileDescriptorGauge());
+    environment.metrics()
+        .register(name(OperatingSystemMemoryGauge.class, "buffers"), new OperatingSystemMemoryGauge("Buffers"));
+    environment.metrics()
+        .register(name(OperatingSystemMemoryGauge.class, "cached"), new OperatingSystemMemoryGauge("Cached"));
+
+    BufferPoolGauges.registerMetrics();
+    GarbageCollectionGauges.registerMetrics();
+  }
+
+  private void registerExceptionMappers(Environment environment,
+      WebSocketEnvironment<AuthenticatedAccount> webSocketEnvironment,
+      WebSocketEnvironment<AuthenticatedAccount> provisioningEnvironment) {
+    environment.jersey().register(new LoggingUnhandledExceptionMapper());
+    environment.jersey().register(new IOExceptionMapper());
+    environment.jersey().register(new RateLimitExceededExceptionMapper());
+    environment.jersey().register(new InvalidWebsocketAddressExceptionMapper());
+    environment.jersey().register(new DeviceLimitExceededExceptionMapper());
+    environment.jersey().register(new RetryLaterExceptionMapper());
+    environment.jersey().register(new ServerRejectedExceptionMapper());
+
+    webSocketEnvironment.jersey().register(new LoggingUnhandledExceptionMapper());
+    webSocketEnvironment.jersey().register(new IOExceptionMapper());
+    webSocketEnvironment.jersey().register(new RateLimitExceededExceptionMapper());
+    webSocketEnvironment.jersey().register(new InvalidWebsocketAddressExceptionMapper());
+    webSocketEnvironment.jersey().register(new DeviceLimitExceededExceptionMapper());
+    webSocketEnvironment.jersey().register(new RetryLaterExceptionMapper());
+    webSocketEnvironment.jersey().register(new ServerRejectedExceptionMapper());
+
+    provisioningEnvironment.jersey().register(new LoggingUnhandledExceptionMapper());
+    provisioningEnvironment.jersey().register(new IOExceptionMapper());
+    provisioningEnvironment.jersey().register(new RateLimitExceededExceptionMapper());
+    provisioningEnvironment.jersey().register(new InvalidWebsocketAddressExceptionMapper());
+    provisioningEnvironment.jersey().register(new DeviceLimitExceededExceptionMapper());
+    provisioningEnvironment.jersey().register(new RetryLaterExceptionMapper());
+    provisioningEnvironment.jersey().register(new ServerRejectedExceptionMapper());
+  }
+
+  private void registerCorsFilter(Environment environment) {
+    FilterRegistration.Dynamic filter = environment.servlets().addFilter("CORS", CrossOriginFilter.class);
+    filter.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), true, "/*");
+    filter.setInitParameter("allowedOrigins", "*");
+    filter.setInitParameter("allowedHeaders", "Content-Type,Authorization,X-Requested-With,Content-Length,Accept,Origin,X-Signal-Agent");
+    filter.setInitParameter("allowedMethods", "GET,PUT,POST,DELETE,OPTIONS");
+    filter.setInitParameter("preflightMaxAge", "5184000");
+    filter.setInitParameter("allowCredentials", "true");
+  }
+
+  public static void main(String[] args) throws Exception {
+    new WhisperServerService().run(args);
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/AccountAndAuthenticatedDeviceHolder.java

@@ -0,0 +1,16 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import org.whispersystems.textsecuregcm.storage.Account;
+import org.whispersystems.textsecuregcm.storage.Device;
+
+public interface AccountAndAuthenticatedDeviceHolder {
+
+  Account getAccount();
+
+  Device getAuthenticatedDevice();
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/AccountAuthenticator.java

@@ -0,0 +1,38 @@
+/*
+ * Copyright 2013-2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.textsecuregcm.auth;
+
+import io.dropwizard.auth.Authenticator;
+import io.dropwizard.auth.basic.BasicCredentials;
+import java.util.Optional;
+import io.micrometer.core.instrument.Metrics;
+import org.whispersystems.textsecuregcm.storage.AccountsManager;
+
+import static com.codahale.metrics.MetricRegistry.name;
+
+public class AccountAuthenticator extends BaseAccountAuthenticator implements
+    Authenticator<BasicCredentials, AuthenticatedAccount> {
+
+  private static final String AUTHENTICATION_COUNTER_NAME = name(AccountAuthenticator.class, "authenticate");
+
+  public AccountAuthenticator(AccountsManager accountsManager) {
+    super(accountsManager);
+  }
+
+  @Override
+  public Optional<AuthenticatedAccount> authenticate(BasicCredentials basicCredentials) {
+    final Optional<AuthenticatedAccount> maybeAuthenticatedAccount = super.authenticate(basicCredentials, true);
+
+    // TODO Remove after announcement groups have launched
+    maybeAuthenticatedAccount.ifPresent(authenticatedAccount ->
+        Metrics.counter(AUTHENTICATION_COUNTER_NAME,
+            "supportsAnnouncementGroups",
+            String.valueOf(authenticatedAccount.getAccount().isAnnouncementGroupSupported()))
+            .increment());
+
+    return maybeAuthenticatedAccount;
+  }
+
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/Anonymous.java

@@ -0,0 +1,27 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import java.util.Base64;
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.Response;
+
+public class Anonymous {
+
+  private final byte[] unidentifiedSenderAccessKey;
+
+  public Anonymous(String header) {
+    try {
+      this.unidentifiedSenderAccessKey = Base64.getDecoder().decode(header);
+    } catch (IllegalArgumentException e) {
+      throw new WebApplicationException(e, Response.Status.UNAUTHORIZED);
+    }
+  }
+
+  public byte[] getAccessKey() {
+    return unidentifiedSenderAccessKey;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/AuthEnablementApplicationEventListener.java

@@ -0,0 +1,33 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import org.glassfish.jersey.server.monitoring.ApplicationEvent;
+import org.glassfish.jersey.server.monitoring.ApplicationEventListener;
+import org.glassfish.jersey.server.monitoring.RequestEvent;
+import org.glassfish.jersey.server.monitoring.RequestEventListener;
+import org.whispersystems.textsecuregcm.push.ClientPresenceManager;
+
+/**
+ * Delegates request events to a listener that handles auth-enablement changes
+ */
+public class AuthEnablementApplicationEventListener implements ApplicationEventListener {
+
+  private final AuthEnablementRequestEventListener authEnablementRequestEventListener;
+
+  public AuthEnablementApplicationEventListener(final ClientPresenceManager clientPresenceManager) {
+    this.authEnablementRequestEventListener = new AuthEnablementRequestEventListener(clientPresenceManager);
+  }
+
+  @Override
+  public void onEvent(final ApplicationEvent event) {
+  }
+
+  @Override
+  public RequestEventListener onRequest(final RequestEvent requestEvent) {
+    return authEnablementRequestEventListener;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/AuthEnablementRequestEventListener.java

@@ -0,0 +1,152 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import static org.whispersystems.textsecuregcm.metrics.MetricsUtil.name;
+
+import com.google.common.annotations.VisibleForTesting;
+import io.micrometer.core.instrument.Counter;
+import io.micrometer.core.instrument.Metrics;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Optional;
+import java.util.Set;
+import java.util.stream.Collectors;
+import javax.ws.rs.core.SecurityContext;
+import org.glassfish.jersey.server.ContainerRequest;
+import org.glassfish.jersey.server.monitoring.RequestEvent;
+import org.glassfish.jersey.server.monitoring.RequestEvent.Type;
+import org.glassfish.jersey.server.monitoring.RequestEventListener;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.whispersystems.textsecuregcm.push.ClientPresenceManager;
+import org.whispersystems.textsecuregcm.storage.Account;
+import org.whispersystems.textsecuregcm.storage.Device;
+
+/**
+ * This {@link RequestEventListener} observes intra-request changes in {@link Account#isEnabled()} and {@link
+ * Device#isEnabled()}.
+ * <p>
+ * If a change in {@link Account#isEnabled()} is observed, then any active WebSocket connections for the account must be
+ * closed, in order for clients to get a refreshed {@link io.dropwizard.auth.Auth} object.
+ * <p>
+ * If a change in {@link Device#isEnabled()} is observed, including deletion of the {@link Device}, then any active
+ * WebSocket connections for the device must be closed and re-authenticated.
+ *
+ * @see AuthenticatedAccount
+ * @see DisabledPermittedAuthenticatedAccount
+ */
+public class AuthEnablementRequestEventListener implements RequestEventListener {
+
+  private static final Logger logger = LoggerFactory.getLogger(AuthEnablementRequestEventListener.class);
+
+  private static final String ACCOUNT_ENABLED = AuthEnablementRequestEventListener.class.getName() + ".accountEnabled";
+  private static final String DEVICES_ENABLED = AuthEnablementRequestEventListener.class.getName() + ".devicesEnabled";
+
+  private static final Counter DISPLACED_ACCOUNTS = Metrics.counter(
+      name(AuthEnablementRequestEventListener.class, "displacedAccounts"));
+  private static final Counter DISPLACED_DEVICES = Metrics.counter(
+      name(AuthEnablementRequestEventListener.class, "displacedDevices"));
+
+  private final ClientPresenceManager clientPresenceManager;
+
+  public AuthEnablementRequestEventListener(final ClientPresenceManager clientPresenceManager) {
+    this.clientPresenceManager = clientPresenceManager;
+  }
+
+  @Override
+  public void onEvent(final RequestEvent event) {
+
+    if (event.getType() == Type.REQUEST_FILTERED) {
+      // The authenticated principal, if any, will be available after filters have run.
+      // Now that the account is known, capture a snapshot of `isEnabled` for the account and its devices,
+      // before carrying out the request’s business logic.
+      findAccount(event.getContainerRequest())
+          .ifPresent(
+              account -> {
+                event.getContainerRequest().setProperty(ACCOUNT_ENABLED, account.isEnabled());
+                event.getContainerRequest().setProperty(DEVICES_ENABLED, buildDevicesEnabledMap(account));
+              });
+
+    } else if (event.getType() == Type.FINISHED) {
+      // Now that the request is finished, check whether `isEnabled` changed for any of the devices, or the account
+      // as a whole. If the value did change, the affected device(s) must disconnect and reauthenticate.
+      // If a device was removed, it must also disconnect.
+      if (event.getContainerRequest().getProperty(ACCOUNT_ENABLED) != null &&
+          event.getContainerRequest().getProperty(DEVICES_ENABLED) != null) {
+
+        final boolean accountInitiallyEnabled = (boolean) event.getContainerRequest().getProperty(ACCOUNT_ENABLED);
+        @SuppressWarnings("unchecked") final Map<Long, Boolean> initialDevicesEnabled = (Map<Long, Boolean>) event.getContainerRequest()
+            .getProperty(DEVICES_ENABLED);
+
+        findAccount(event.getContainerRequest()).ifPresentOrElse(account -> {
+              final Set<Long> deviceIdsToDisplace;
+
+              if (account.isEnabled() != accountInitiallyEnabled) {
+                // the @Auth for all active connections must change when account.isEnabled() changes
+                deviceIdsToDisplace = account.getDevices().stream()
+                    .map(Device::getId).collect(Collectors.toSet());
+
+                deviceIdsToDisplace.addAll(initialDevicesEnabled.keySet());
+
+                DISPLACED_ACCOUNTS.increment();
+
+              } else if (!initialDevicesEnabled.isEmpty()) {
+
+                deviceIdsToDisplace = new HashSet<>();
+                final Map<Long, Boolean> currentDevicesEnabled = buildDevicesEnabledMap(account);
+
+                initialDevicesEnabled.forEach((deviceId, enabled) -> {
+                  // `null` indicates the device was removed from the account. Any active presence should be removed.
+                  final boolean enabledMatches = Objects.equals(enabled,
+                      currentDevicesEnabled.getOrDefault(deviceId, null));
+
+                  if (!enabledMatches) {
+                    deviceIdsToDisplace.add(deviceId);
+
+                    DISPLACED_DEVICES.increment();
+                  }
+                });
+              } else {
+                deviceIdsToDisplace = Collections.emptySet();
+              }
+
+              deviceIdsToDisplace.forEach(deviceId -> {
+                try {
+                  // displacing presence will cause a reauthorization for the device’s active connections
+                  clientPresenceManager.displacePresence(account.getUuid(), deviceId);
+                } catch (final Exception e) {
+                  logger.error("Could not displace device presence", e);
+                }
+              });
+            },
+            () -> logger.error("Request had account, but it is no longer present")
+        );
+      }
+    }
+  }
+
+  private Optional<Account> findAccount(final ContainerRequest containerRequest) {
+    return Optional.ofNullable(containerRequest.getSecurityContext())
+        .map(SecurityContext::getUserPrincipal)
+        .map(principal -> {
+          if (principal instanceof AccountAndAuthenticatedDeviceHolder) {
+            return ((AccountAndAuthenticatedDeviceHolder) principal).getAccount();
+          }
+          return null;
+        });
+  }
+
+  @VisibleForTesting
+  Map<Long, Boolean> buildDevicesEnabledMap(final Account account) {
+    return account.getDevices().stream()
+        .collect(() -> new HashMap<>(account.getDevices().size()),
+            (map, device) -> map.put(device.getId(), device.isEnabled()), HashMap::putAll);
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/AuthenticatedAccount.java

@@ -0,0 +1,44 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import java.security.Principal;
+import java.util.function.Supplier;
+import javax.security.auth.Subject;
+import org.whispersystems.textsecuregcm.storage.Account;
+import org.whispersystems.textsecuregcm.storage.Device;
+import org.whispersystems.textsecuregcm.util.Pair;
+
+public class AuthenticatedAccount implements Principal, AccountAndAuthenticatedDeviceHolder {
+
+  private final Supplier<Pair<Account, Device>> accountAndDevice;
+
+  public AuthenticatedAccount(final Supplier<Pair<Account, Device>> accountAndDevice) {
+    this.accountAndDevice = accountAndDevice;
+  }
+
+  @Override
+  public Account getAccount() {
+    return accountAndDevice.get().first();
+  }
+
+  @Override
+  public Device getAuthenticatedDevice() {
+    return accountAndDevice.get().second();
+  }
+
+  // Principal implementation
+
+  @Override
+  public String getName() {
+    return null;
+  }
+
+  @Override
+  public boolean implies(final Subject subject) {
+    return false;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/AuthenticationCredentials.java

@@ -0,0 +1,50 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.textsecuregcm.auth;
+
+import org.apache.commons.codec.binary.Hex;
+
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+
+public class AuthenticationCredentials {
+
+  private final String hashedAuthenticationToken;
+  private final String salt;
+
+  public AuthenticationCredentials(String hashedAuthenticationToken, String salt) {
+    this.hashedAuthenticationToken = hashedAuthenticationToken;
+    this.salt                      = salt;
+  }
+
+  public AuthenticationCredentials(String authenticationToken) {
+    this.salt                      = String.valueOf(Math.abs(new SecureRandom().nextInt()));
+    this.hashedAuthenticationToken = getHashedValue(salt, authenticationToken);
+  }
+
+  public String getHashedAuthenticationToken() {
+    return hashedAuthenticationToken;
+  }
+
+  public String getSalt() {
+    return salt;
+  }
+
+  public boolean verify(String authenticationToken) {
+    String theirValue = getHashedValue(salt, authenticationToken);
+    return MessageDigest.isEqual(theirValue.getBytes(StandardCharsets.UTF_8), this.hashedAuthenticationToken.getBytes(StandardCharsets.UTF_8));
+  }
+
+  private static String getHashedValue(String salt, String token) {
+    try {
+      return new String(Hex.encodeHex(MessageDigest.getInstance("SHA1").digest((salt + token).getBytes(StandardCharsets.UTF_8))));
+    } catch (NoSuchAlgorithmException e) {
+      throw new AssertionError(e);
+    }
+  }
+
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/BaseAccountAuthenticator.java

@@ -0,0 +1,146 @@
+/*
+ * Copyright 2013-2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import static com.codahale.metrics.MetricRegistry.name;
+
+import com.google.common.annotations.VisibleForTesting;
+import io.dropwizard.auth.basic.BasicCredentials;
+import io.micrometer.core.instrument.Metrics;
+import io.micrometer.core.instrument.Tags;
+import java.time.Clock;
+import java.time.Duration;
+import java.time.temporal.ChronoUnit;
+import java.util.Optional;
+import java.util.UUID;
+import org.apache.commons.lang3.StringUtils;
+import org.whispersystems.textsecuregcm.storage.Account;
+import org.whispersystems.textsecuregcm.storage.AccountsManager;
+import org.whispersystems.textsecuregcm.storage.Device;
+import org.whispersystems.textsecuregcm.storage.RefreshingAccountAndDeviceSupplier;
+import org.whispersystems.textsecuregcm.util.Pair;
+import org.whispersystems.textsecuregcm.util.Util;
+
+public class BaseAccountAuthenticator {
+
+  private static final String AUTHENTICATION_COUNTER_NAME = name(BaseAccountAuthenticator.class, "authentication");
+  private static final String AUTHENTICATION_SUCCEEDED_TAG_NAME = "succeeded";
+  private static final String AUTHENTICATION_FAILURE_REASON_TAG_NAME = "reason";
+  private static final String AUTHENTICATION_ENABLED_REQUIRED_TAG_NAME = "enabledRequired";
+
+  private static final String DAYS_SINCE_LAST_SEEN_DISTRIBUTION_NAME = name(BaseAccountAuthenticator.class, "daysSinceLastSeen");
+  private static final String IS_PRIMARY_DEVICE_TAG = "isPrimary";
+
+  private final AccountsManager accountsManager;
+  private final Clock           clock;
+
+  public BaseAccountAuthenticator(AccountsManager accountsManager) {
+    this(accountsManager, Clock.systemUTC());
+  }
+
+  @VisibleForTesting
+  public BaseAccountAuthenticator(AccountsManager accountsManager, Clock clock) {
+    this.accountsManager = accountsManager;
+    this.clock           = clock;
+  }
+
+  static Pair<String, Long> getIdentifierAndDeviceId(final String basicUsername) {
+    final String identifier;
+    final long deviceId;
+
+    final int deviceIdSeparatorIndex = basicUsername.indexOf('.');
+
+    if (deviceIdSeparatorIndex == -1) {
+      identifier = basicUsername;
+      deviceId = Device.MASTER_ID;
+    } else {
+      identifier = basicUsername.substring(0, deviceIdSeparatorIndex);
+      deviceId = Long.parseLong(basicUsername.substring(deviceIdSeparatorIndex + 1));
+    }
+
+    return new Pair<>(identifier, deviceId);
+  }
+
+  public Optional<AuthenticatedAccount> authenticate(BasicCredentials basicCredentials, boolean enabledRequired) {
+    boolean succeeded = false;
+    String failureReason = null;
+
+    try {
+      final UUID accountUuid;
+      final long deviceId;
+      {
+        final Pair<String, Long> identifierAndDeviceId = getIdentifierAndDeviceId(basicCredentials.getUsername());
+
+        accountUuid = UUID.fromString(identifierAndDeviceId.first());
+        deviceId = identifierAndDeviceId.second();
+      }
+
+      Optional<Account> account = accountsManager.get(accountUuid);
+
+      if (account.isEmpty()) {
+        failureReason = "noSuchAccount";
+        return Optional.empty();
+      }
+
+      Optional<Device> device = account.get().getDevice(deviceId);
+
+      if (device.isEmpty()) {
+        failureReason = "noSuchDevice";
+        return Optional.empty();
+      }
+
+      if (enabledRequired) {
+        if (!device.get().isEnabled()) {
+          failureReason = "deviceDisabled";
+          return Optional.empty();
+        }
+
+        if (!account.get().isEnabled()) {
+          failureReason = "accountDisabled";
+          return Optional.empty();
+        }
+      }
+
+      if (device.get().getAuthenticationCredentials().verify(basicCredentials.getPassword())) {
+        succeeded = true;
+        final Account authenticatedAccount = updateLastSeen(account.get(), device.get());
+        return Optional.of(new AuthenticatedAccount(
+            new RefreshingAccountAndDeviceSupplier(authenticatedAccount, device.get().getId(), accountsManager)));
+      }
+
+      return Optional.empty();
+    } catch (IllegalArgumentException | InvalidAuthorizationHeaderException iae) {
+      failureReason = "invalidHeader";
+      return Optional.empty();
+    } finally {
+      Tags tags = Tags.of(
+          AUTHENTICATION_SUCCEEDED_TAG_NAME, String.valueOf(succeeded),
+          AUTHENTICATION_ENABLED_REQUIRED_TAG_NAME, String.valueOf(enabledRequired));
+
+      if (StringUtils.isNotBlank(failureReason)) {
+        tags = tags.and(AUTHENTICATION_FAILURE_REASON_TAG_NAME, failureReason);
+      }
+
+      Metrics.counter(AUTHENTICATION_COUNTER_NAME, tags).increment();
+    }
+  }
+
+  @VisibleForTesting
+  public Account updateLastSeen(Account account, Device device) {
+    final long lastSeenOffsetSeconds   = Math.abs(account.getUuid().getLeastSignificantBits()) % ChronoUnit.DAYS.getDuration().toSeconds();
+    final long todayInMillisWithOffset = Util.todayInMillisGivenOffsetFromNow(clock, Duration.ofSeconds(lastSeenOffsetSeconds).negated());
+
+    if (device.getLastSeen() < todayInMillisWithOffset) {
+      Metrics.summary(DAYS_SINCE_LAST_SEEN_DISTRIBUTION_NAME, IS_PRIMARY_DEVICE_TAG, String.valueOf(device.isMaster()))
+          .record(Duration.ofMillis(todayInMillisWithOffset - device.getLastSeen()).toDays());
+
+      return accountsManager.updateDeviceLastSeen(account, device, Util.todayInMillis(clock));
+    }
+
+    return account;
+  }
+
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/BasicAuthorizationHeader.java

@@ -0,0 +1,96 @@
+/*
+ * Copyright 2013-2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.textsecuregcm.auth;
+
+import java.util.Base64;
+import java.util.UUID;
+import org.apache.commons.lang3.StringUtils;
+import org.whispersystems.textsecuregcm.storage.Device;
+import org.whispersystems.textsecuregcm.util.Pair;
+
+public class BasicAuthorizationHeader {
+
+  private final String username;
+  private final long deviceId;
+  private final String password;
+
+  private BasicAuthorizationHeader(final String username, final long deviceId, final String password) {
+    this.username = username;
+    this.deviceId = deviceId;
+    this.password = password;
+  }
+
+  public static BasicAuthorizationHeader fromString(final String header) throws InvalidAuthorizationHeaderException {
+    try {
+      if (StringUtils.isBlank(header)) {
+        throw new InvalidAuthorizationHeaderException("Blank header");
+      }
+
+      final int spaceIndex = header.indexOf(' ');
+
+      if (spaceIndex == -1) {
+        throw new InvalidAuthorizationHeaderException("Invalid authorization header: " + header);
+      }
+
+      final String authorizationType = header.substring(0, spaceIndex);
+
+      if (!"Basic".equals(authorizationType)) {
+        throw new InvalidAuthorizationHeaderException("Unsupported authorization method: " + authorizationType);
+      }
+
+      final String credentials;
+
+      try {
+        credentials = new String(Base64.getDecoder().decode(header.substring(spaceIndex + 1)));
+      } catch (final IndexOutOfBoundsException e) {
+        throw new InvalidAuthorizationHeaderException("Missing credentials");
+      }
+
+      if (StringUtils.isEmpty(credentials)) {
+        throw new InvalidAuthorizationHeaderException("Bad decoded value: " + credentials);
+      }
+
+      final int credentialSeparatorIndex = credentials.indexOf(':');
+
+      if (credentialSeparatorIndex == -1) {
+        throw new InvalidAuthorizationHeaderException("Badly-formatted credentials: " + credentials);
+      }
+
+      final String usernameComponent = credentials.substring(0, credentialSeparatorIndex);
+
+      final String username;
+      final long deviceId;
+      {
+        final Pair<String, Long> identifierAndDeviceId =
+            BaseAccountAuthenticator.getIdentifierAndDeviceId(usernameComponent);
+
+        username = identifierAndDeviceId.first();
+        deviceId = identifierAndDeviceId.second();
+      }
+
+      final String password = credentials.substring(credentialSeparatorIndex + 1);
+
+      if (StringUtils.isAnyBlank(username, password)) {
+        throw new InvalidAuthorizationHeaderException("Username or password were blank");
+      }
+
+      return new BasicAuthorizationHeader(username, deviceId, password);
+    } catch (final IllegalArgumentException | IndexOutOfBoundsException e) {
+      throw new InvalidAuthorizationHeaderException(e);
+    }
+  }
+
+  public String getUsername() {
+    return username;
+  }
+
+  public long getDeviceId() {
+    return deviceId;
+  }
+
+  public String getPassword() {
+    return password;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/CertificateGenerator.java

@@ -0,0 +1,58 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import com.google.protobuf.ByteString;
+import com.google.protobuf.InvalidProtocolBufferException;
+import org.whispersystems.textsecuregcm.crypto.Curve;
+import org.whispersystems.textsecuregcm.crypto.ECPrivateKey;
+import org.whispersystems.textsecuregcm.entities.MessageProtos.SenderCertificate;
+import org.whispersystems.textsecuregcm.entities.MessageProtos.ServerCertificate;
+import org.whispersystems.textsecuregcm.storage.Account;
+import org.whispersystems.textsecuregcm.storage.Device;
+
+import java.io.IOException;
+import java.security.InvalidKeyException;
+import java.util.Base64;
+import java.util.concurrent.TimeUnit;
+
+public class CertificateGenerator {
+
+  private final ECPrivateKey      privateKey;
+  private final int               expiresDays;
+  private final ServerCertificate serverCertificate;
+
+  public CertificateGenerator(byte[] serverCertificate, ECPrivateKey privateKey, int expiresDays)
+      throws InvalidProtocolBufferException
+  {
+    this.privateKey        = privateKey;
+    this.expiresDays       = expiresDays;
+    this.serverCertificate = ServerCertificate.parseFrom(serverCertificate);
+  }
+
+  public byte[] createFor(Account account, Device device, boolean includeE164) throws InvalidKeyException {
+    SenderCertificate.Certificate.Builder builder = SenderCertificate.Certificate.newBuilder()
+                                                                                 .setSenderDevice(Math.toIntExact(device.getId()))
+                                                                                 .setExpires(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(expiresDays))
+                                                                                 .setIdentityKey(ByteString.copyFrom(Base64.getDecoder().decode(account.getIdentityKey())))
+                                                                                 .setSigner(serverCertificate)
+                                                                                 .setSenderUuid(account.getUuid().toString());
+
+    if (includeE164) {
+      builder.setSender(account.getNumber());
+    }
+
+    byte[] certificate = builder.build().toByteArray();
+    byte[] signature   = Curve.calculateSignature(privateKey, certificate);
+
+    return SenderCertificate.newBuilder()
+                            .setCertificate(ByteString.copyFrom(certificate))
+                            .setSignature(ByteString.copyFrom(signature))
+                            .build()
+                            .toByteArray();
+  }
+
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/CombinedUnidentifiedSenderAccessKeys.java

@@ -0,0 +1,30 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import java.util.Base64;
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.core.Response.Status;
+
+public class CombinedUnidentifiedSenderAccessKeys {
+  private final byte[] combinedUnidentifiedSenderAccessKeys;
+
+  public CombinedUnidentifiedSenderAccessKeys(String header) {
+    try {
+      this.combinedUnidentifiedSenderAccessKeys = Base64.getDecoder().decode(header);
+      if (this.combinedUnidentifiedSenderAccessKeys == null || this.combinedUnidentifiedSenderAccessKeys.length != 16) {
+        throw new WebApplicationException("Invalid combined unidentified sender access keys", Status.UNAUTHORIZED);
+      }
+    } catch (IllegalArgumentException e) {
+      throw new WebApplicationException(e, Response.Status.UNAUTHORIZED);
+    }
+  }
+
+  public byte[] getAccessKeys() {
+    return combinedUnidentifiedSenderAccessKeys;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/DisabledPermittedAccountAuthenticator.java

@@ -0,0 +1,25 @@
+/*
+ * Copyright 2013-2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import io.dropwizard.auth.Authenticator;
+import io.dropwizard.auth.basic.BasicCredentials;
+import java.util.Optional;
+import org.whispersystems.textsecuregcm.storage.AccountsManager;
+
+public class DisabledPermittedAccountAuthenticator extends BaseAccountAuthenticator implements
+    Authenticator<BasicCredentials, DisabledPermittedAuthenticatedAccount> {
+
+  public DisabledPermittedAccountAuthenticator(AccountsManager accountsManager) {
+    super(accountsManager);
+  }
+
+  @Override
+  public Optional<DisabledPermittedAuthenticatedAccount> authenticate(BasicCredentials credentials) {
+    Optional<AuthenticatedAccount> account = super.authenticate(credentials, false);
+    return account.map(DisabledPermittedAuthenticatedAccount::new);
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/DisabledPermittedAuthenticatedAccount.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright 2013-2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import java.security.Principal;
+import javax.security.auth.Subject;
+import org.whispersystems.textsecuregcm.storage.Account;
+import org.whispersystems.textsecuregcm.storage.Device;
+
+public class DisabledPermittedAuthenticatedAccount implements Principal, AccountAndAuthenticatedDeviceHolder {
+
+  private final AuthenticatedAccount authenticatedAccount;
+
+  public DisabledPermittedAuthenticatedAccount(final AuthenticatedAccount authenticatedAccount) {
+    this.authenticatedAccount = authenticatedAccount;
+  }
+
+  @Override
+  public Account getAccount() {
+    return authenticatedAccount.getAccount();
+  }
+
+  @Override
+  public Device getAuthenticatedDevice() {
+    return authenticatedAccount.getAuthenticatedDevice();
+  }
+
+  // Principal implementation
+
+  @Override
+  public String getName() {
+    return null;
+  }
+
+  @Override
+  public boolean implies(Subject subject) {
+    return false;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/ExternalServiceCredentialGenerator.java

@@ -0,0 +1,112 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import org.apache.commons.codec.DecoderException;
+import org.apache.commons.codec.binary.Hex;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.whispersystems.textsecuregcm.util.Util;
+
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+import java.security.InvalidKeyException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.concurrent.TimeUnit;
+
+public class ExternalServiceCredentialGenerator {
+
+  private final Logger logger = LoggerFactory.getLogger(ExternalServiceCredentialGenerator.class);
+
+  private final byte[] key;
+  private final byte[] userIdKey;
+  private final boolean usernameDerivation;
+
+  public ExternalServiceCredentialGenerator(byte[] key, byte[] userIdKey, boolean usernameDerivation) {
+    this.key                = key;
+    this.userIdKey          = userIdKey;
+    this.usernameDerivation = usernameDerivation;
+  }
+
+  public ExternalServiceCredentials generateFor(String number) {
+    Mac    mac                = getMacInstance();
+    String username           = getUserId(number, mac, usernameDerivation);
+    long   currentTimeSeconds = System.currentTimeMillis() / 1000;
+    String prefix             = username + ":"  + currentTimeSeconds;
+    String output             = Hex.encodeHexString(Util.truncate(getHmac(key, prefix.getBytes(), mac), 10));
+    String token              = prefix + ":" + output;
+
+    return new ExternalServiceCredentials(username, token);
+  }
+
+
+  public boolean isValid(String token, String number, long currentTimeMillis) {
+    String[] parts = token.split(":");
+    Mac      mac   = getMacInstance();
+
+    if (parts.length != 3) {
+      return false;
+    }
+
+    if (!getUserId(number, mac, usernameDerivation).equals(parts[0])) {
+      return false;
+    }
+
+    if (!isValidTime(parts[1], currentTimeMillis)) {
+      return false;
+    }
+
+    return isValidSignature(parts[0] + ":" + parts[1], parts[2], mac);
+  }
+
+  private String getUserId(String number, Mac mac, boolean usernameDerivation) {
+    if (usernameDerivation) return Hex.encodeHexString(Util.truncate(getHmac(userIdKey, number.getBytes(), mac), 10));
+    else                    return number;
+  }
+
+  private boolean isValidTime(String timeString, long currentTimeMillis) {
+    try {
+      long tokenTime = Long.parseLong(timeString);
+      long ourTime   = TimeUnit.MILLISECONDS.toSeconds(currentTimeMillis);
+
+      return TimeUnit.SECONDS.toHours(Math.abs(ourTime - tokenTime)) < 24;
+    } catch (NumberFormatException e) {
+      logger.warn("Number Format", e);
+      return false;
+    }
+  }
+
+  private boolean isValidSignature(String prefix, String suffix, Mac mac) {
+    try {
+      byte[] ourSuffix   = Util.truncate(getHmac(key, prefix.getBytes(), mac), 10);
+      byte[] theirSuffix = Hex.decodeHex(suffix.toCharArray());
+
+      return MessageDigest.isEqual(ourSuffix, theirSuffix);
+    } catch (DecoderException e) {
+      logger.warn("DirectoryCredentials", e);
+      return false;
+    }
+  }
+
+  private Mac getMacInstance() {
+    try {
+      return Mac.getInstance("HmacSHA256");
+    } catch (NoSuchAlgorithmException e) {
+      throw new AssertionError(e);
+    }
+  }
+
+  private byte[] getHmac(byte[] key, byte[] input, Mac mac) {
+    try {
+      mac.init(new SecretKeySpec(key, "HmacSHA256"));
+      return mac.doFinal(input);
+    } catch (InvalidKeyException e) {
+      throw new AssertionError(e);
+    }
+  }
+
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/ExternalServiceCredentials.java

@@ -0,0 +1,33 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+public class ExternalServiceCredentials {
+
+  @JsonProperty
+  private String username;
+
+  @JsonProperty
+  private String password;
+
+  public ExternalServiceCredentials(String username, String password) {
+    this.username = username;
+    this.password = password;
+  }
+
+  public ExternalServiceCredentials() {}
+
+  public String getUsername() {
+    return username;
+  }
+
+  public String getPassword() {
+    return password;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/InvalidAuthorizationHeaderException.java

@@ -0,0 +1,19 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.textsecuregcm.auth;
+
+
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.Response.Status;
+
+public class InvalidAuthorizationHeaderException extends WebApplicationException {
+  public InvalidAuthorizationHeaderException(String s) {
+    super(s, Status.UNAUTHORIZED);
+  }
+
+  public InvalidAuthorizationHeaderException(Exception e) {
+    super(e, Status.UNAUTHORIZED);
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/OptionalAccess.java

@@ -0,0 +1,78 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import org.whispersystems.textsecuregcm.storage.Account;
+import org.whispersystems.textsecuregcm.storage.Device;
+
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.Response;
+import java.security.MessageDigest;
+import java.util.Optional;
+
+@SuppressWarnings("OptionalUsedAsFieldOrParameterType")
+public class OptionalAccess {
+
+  public static final String UNIDENTIFIED = "Unidentified-Access-Key";
+
+  public static void verify(Optional<Account>   requestAccount,
+                            Optional<Anonymous> accessKey,
+                            Optional<Account>   targetAccount,
+                            String              deviceSelector)
+  {
+    try {
+      verify(requestAccount, accessKey, targetAccount);
+
+      if (!deviceSelector.equals("*")) {
+        long deviceId = Long.parseLong(deviceSelector);
+
+        Optional<Device> targetDevice = targetAccount.get().getDevice(deviceId);
+
+        if (targetDevice.isPresent() && targetDevice.get().isEnabled()) {
+          return;
+        }
+
+        if (requestAccount.isPresent()) {
+          throw new WebApplicationException(Response.Status.NOT_FOUND);
+        } else {
+          throw new WebApplicationException(Response.Status.UNAUTHORIZED);
+        }
+      }
+    } catch (NumberFormatException e) {
+      throw new WebApplicationException(Response.status(422).build());
+    }
+  }
+
+  public static void verify(Optional<Account>   requestAccount,
+                            Optional<Anonymous> accessKey,
+                            Optional<Account>   targetAccount)
+  {
+    if (requestAccount.isPresent() && targetAccount.isPresent() && targetAccount.get().isEnabled()) {
+      return;
+    }
+
+    //noinspection ConstantConditions
+    if (requestAccount.isPresent() && (targetAccount.isEmpty() || (targetAccount.isPresent() && !targetAccount.get().isEnabled()))) {
+      throw new WebApplicationException(Response.Status.NOT_FOUND);
+    }
+
+    if (accessKey.isPresent() && targetAccount.isPresent() && targetAccount.get().isEnabled() && targetAccount.get().isUnrestrictedUnidentifiedAccess()) {
+      return;
+    }
+
+    if (accessKey.isPresent()                                      &&
+        targetAccount.isPresent()                                  &&
+        targetAccount.get().getUnidentifiedAccessKey().isPresent() &&
+        targetAccount.get().isEnabled()                            &&
+        MessageDigest.isEqual(accessKey.get().getAccessKey(), targetAccount.get().getUnidentifiedAccessKey().get()))
+    {
+      return;
+    }
+
+    throw new WebApplicationException(Response.Status.UNAUTHORIZED);
+  }
+
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/StoredRegistrationLock.java

@@ -0,0 +1,58 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import com.google.common.annotations.VisibleForTesting;
+import org.whispersystems.textsecuregcm.util.Util;
+
+import javax.annotation.Nullable;
+import java.util.Optional;
+import java.util.concurrent.TimeUnit;
+
+@SuppressWarnings("OptionalUsedAsFieldOrParameterType")
+public class StoredRegistrationLock {
+
+  private final Optional<String> registrationLock;
+
+  private final Optional<String> registrationLockSalt;
+
+  private final long             lastSeen;
+
+  public StoredRegistrationLock(Optional<String> registrationLock, Optional<String> registrationLockSalt, long lastSeen) {
+    this.registrationLock     = registrationLock;
+    this.registrationLockSalt = registrationLockSalt;
+    this.lastSeen             = lastSeen;
+  }
+
+  public boolean requiresClientRegistrationLock() {
+    return registrationLock.isPresent() && registrationLockSalt.isPresent() && System.currentTimeMillis() - lastSeen < TimeUnit.DAYS.toMillis(7);
+  }
+
+  public boolean needsFailureCredentials() {
+    return registrationLock.isPresent() && registrationLockSalt.isPresent();
+  }
+
+  public long getTimeRemaining() {
+    return TimeUnit.DAYS.toMillis(7) - (System.currentTimeMillis() - lastSeen);
+  }
+
+  public boolean verify(@Nullable String clientRegistrationLock) {
+    if (Util.isEmpty(clientRegistrationLock)) {
+      return false;
+    }
+
+    if (registrationLock.isPresent() && registrationLockSalt.isPresent() && !Util.isEmpty(clientRegistrationLock)) {
+      return new AuthenticationCredentials(registrationLock.get(), registrationLockSalt.get()).verify(clientRegistrationLock);
+    } else {
+      return false;
+    }
+  }
+
+  @VisibleForTesting
+  public StoredRegistrationLock forTime(long timestamp) {
+    return new StoredRegistrationLock(registrationLock, registrationLockSalt, timestamp);
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/StoredVerificationCode.java

@@ -0,0 +1,72 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import java.security.MessageDigest;
+import java.time.Duration;
+import java.util.Optional;
+import javax.annotation.Nullable;
+import org.whispersystems.textsecuregcm.util.Util;
+
+public class StoredVerificationCode {
+
+  @JsonProperty
+  private final String code;
+
+  @JsonProperty
+  private final long timestamp;
+
+  @JsonProperty
+  private final String pushCode;
+
+  @JsonProperty
+  @Nullable
+  private final String twilioVerificationSid;
+
+  public static final Duration EXPIRATION = Duration.ofMinutes(10);
+
+  @JsonCreator
+  public StoredVerificationCode(
+      @JsonProperty("code") final String code,
+      @JsonProperty("timestamp") final long timestamp,
+      @JsonProperty("pushCode") final String pushCode,
+      @JsonProperty("twilioVerificationSid") @Nullable final String twilioVerificationSid) {
+
+    this.code = code;
+    this.timestamp = timestamp;
+    this.pushCode = pushCode;
+    this.twilioVerificationSid = twilioVerificationSid;
+  }
+
+  public String getCode() {
+    return code;
+  }
+
+  public long getTimestamp() {
+    return timestamp;
+  }
+
+  public String getPushCode() {
+    return pushCode;
+  }
+
+  public Optional<String> getTwilioVerificationSid() {
+    return Optional.ofNullable(twilioVerificationSid);
+  }
+
+  public boolean isValid(String theirCodeString) {
+    if (Util.isEmpty(code) || Util.isEmpty(theirCodeString)) {
+      return false;
+    }
+
+    byte[] ourCode = code.getBytes();
+    byte[] theirCode = theirCodeString.getBytes();
+
+    return MessageDigest.isEqual(ourCode, theirCode);
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/TurnToken.java

@@ -0,0 +1,28 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.util.List;
+
+public class TurnToken {
+
+  @JsonProperty
+  private String username;
+
+  @JsonProperty
+  private String password;
+
+  @JsonProperty
+  private List<String> urls;
+
+  public TurnToken(String username, String password, List<String> urls) {
+    this.username = username;
+    this.password = password;
+    this.urls     = urls;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/TurnTokenGenerator.java

@@ -0,0 +1,44 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import org.whispersystems.textsecuregcm.configuration.TurnConfiguration;
+
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.util.Base64;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+public class TurnTokenGenerator {
+
+  private final byte[]       key;
+  private final List<String> urls;
+
+  public TurnTokenGenerator(TurnConfiguration configuration) {
+    this.key  = configuration.getSecret().getBytes();
+    this.urls = configuration.getUris();
+  }
+
+  public TurnToken generate() {
+    try {
+      Mac    mac                = Mac.getInstance("HmacSHA1");
+      long   validUntilSeconds  = (System.currentTimeMillis() + TimeUnit.DAYS.toMillis(1)) / 1000;
+      long   user               = Math.abs(new SecureRandom().nextInt());
+      String userTime           = validUntilSeconds + ":"  + user;
+
+      mac.init(new SecretKeySpec(key, "HmacSHA1"));
+      String password = Base64.getEncoder().encodeToString(mac.doFinal(userTime.getBytes()));
+
+      return new TurnToken(userTime, password, urls);
+    } catch (NoSuchAlgorithmException | InvalidKeyException e) {
+      throw new AssertionError(e);
+    }
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/UnidentifiedAccessChecksum.java

@@ -0,0 +1,31 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.util.Base64;
+import java.util.Optional;
+
+@SuppressWarnings("OptionalUsedAsFieldOrParameterType")
+public class UnidentifiedAccessChecksum {
+
+  public static String generateFor(Optional<byte[]> unidentifiedAccessKey) {
+    try {
+      if (!unidentifiedAccessKey.isPresent()|| unidentifiedAccessKey.get().length != 16) return null;
+
+      Mac mac = Mac.getInstance("HmacSHA256");
+      mac.init(new SecretKeySpec(unidentifiedAccessKey.get(), "HmacSHA256"));
+
+      return Base64.getEncoder().encodeToString(mac.doFinal(new byte[32]));
+    } catch (NoSuchAlgorithmException | InvalidKeyException e) {
+      throw new AssertionError(e);
+    }
+  }
+
+}

service/src/main/java/org/whispersystems/textsecuregcm/badges/ConfiguredProfileBadgeConverter.java

@@ -0,0 +1,98 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.badges;
+
+import com.google.common.annotations.VisibleForTesting;
+import java.time.Clock;
+import java.time.Instant;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Objects;
+import java.util.ResourceBundle;
+import java.util.ResourceBundle.Control;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+import org.whispersystems.textsecuregcm.configuration.BadgeConfiguration;
+import org.whispersystems.textsecuregcm.configuration.BadgesConfiguration;
+import org.whispersystems.textsecuregcm.entities.Badge;
+import org.whispersystems.textsecuregcm.storage.AccountBadge;
+
+public class ConfiguredProfileBadgeConverter implements ProfileBadgeConverter {
+
+  private static final int MAX_LOCALES = 15;
+  @VisibleForTesting
+  static final String BASE_NAME = "org.signal.badges.Badges";
+
+  private final Clock clock;
+  private final Map<String, BadgeConfiguration> knownBadges;
+  private final ResourceBundleFactory resourceBundleFactory;
+
+  public ConfiguredProfileBadgeConverter(
+      final Clock clock,
+      final BadgesConfiguration badgesConfiguration) {
+    this(clock, badgesConfiguration, ResourceBundle::getBundle);
+  }
+
+  @VisibleForTesting
+  public ConfiguredProfileBadgeConverter(
+      final Clock clock,
+      final BadgesConfiguration badgesConfiguration,
+      final ResourceBundleFactory resourceBundleFactory) {
+    this.clock = clock;
+    this.knownBadges = badgesConfiguration.getBadges().stream()
+        .collect(Collectors.toMap(BadgeConfiguration::getName, Function.identity()));
+    this.resourceBundleFactory = resourceBundleFactory;
+  }
+
+  @Override
+  public List<Badge> convert(
+      final List<Locale> acceptableLanguages,
+      final List<AccountBadge> accountBadges) {
+    if (accountBadges.isEmpty()) {
+      return List.of();
+    }
+
+    final Instant now = clock.instant();
+
+    final List<Locale> acceptableLocales = acceptableLanguages.stream().limit(MAX_LOCALES).distinct()
+        .collect(Collectors.toList());
+    final Locale desiredLocale = acceptableLocales.isEmpty() ? Locale.getDefault() : acceptableLocales.get(0);
+
+    // define a control with a fallback order as specified in the header
+    ResourceBundle.Control control = new Control() {
+      @Override
+      public List<String> getFormats(final String baseName) {
+        Objects.requireNonNull(baseName);
+        return Control.FORMAT_PROPERTIES;
+      }
+
+      @Override
+      public Locale getFallbackLocale(final String baseName, final Locale locale) {
+        Objects.requireNonNull(baseName);
+        if (locale.equals(Locale.getDefault())) {
+          return null;
+        }
+        final int localeIndex = acceptableLocales.indexOf(locale);
+        if (localeIndex < 0 || localeIndex >= acceptableLocales.size() - 1) {
+          return Locale.getDefault();
+        }
+        // [0, acceptableLocales.size() - 2] is now the possible range for localeIndex
+        return acceptableLocales.get(localeIndex + 1);
+      }
+    };
+
+    final ResourceBundle resourceBundle = resourceBundleFactory.createBundle(BASE_NAME, desiredLocale, control);
+    return accountBadges.stream()
+        .filter(accountBadge -> accountBadge.isVisible()
+            && now.isBefore(accountBadge.getExpiration())
+            && knownBadges.containsKey(accountBadge.getName()))
+        .map(accountBadge -> new Badge(knownBadges.get(accountBadge.getName()).getImageUrl(),
+            resourceBundle.getString(accountBadge.getName() + "_name"),
+            resourceBundle.getString(accountBadge.getName() + "_description")))
+        .collect(Collectors.toList());
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/badges/ProfileBadgeConverter.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.badges;
+
+import java.util.List;
+import java.util.Locale;
+import org.whispersystems.textsecuregcm.entities.Badge;
+import org.whispersystems.textsecuregcm.storage.AccountBadge;
+
+public interface ProfileBadgeConverter {
+
+  /**
+   * Converts the {@link AccountBadge}s for an account into the objects
+   * that can be returned on a profile fetch.
+   */
+  List<Badge> convert(List<Locale> acceptableLanguages, List<AccountBadge> accountBadges);
+}

service/src/main/java/org/whispersystems/textsecuregcm/badges/ResourceBundleFactory.java

@@ -0,0 +1,13 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.badges;
+
+import java.util.Locale;
+import java.util.ResourceBundle;
+
+public interface ResourceBundleFactory {
+  ResourceBundle createBundle(String baseName, Locale locale, ResourceBundle.Control control);
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/AccountDatabaseCrawlerConfiguration.java

@@ -0,0 +1,24 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+public class AccountDatabaseCrawlerConfiguration {
+
+  @JsonProperty
+  private int chunkSize = 1000;
+
+  @JsonProperty
+  private long chunkIntervalMs = 8000L;
+
+  public int getChunkSize() {
+    return chunkSize;
+  }
+
+  public long getChunkIntervalMs() {
+    return chunkIntervalMs;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/AccountsDatabaseConfiguration.java

@@ -0,0 +1,23 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import javax.validation.Valid;
+import javax.validation.constraints.NotNull;
+
+public class AccountsDatabaseConfiguration extends DatabaseConfiguration {
+
+    @JsonProperty
+    @NotNull
+    @Valid
+    private RetryConfiguration keyOperationRetry = new RetryConfiguration();
+
+    public RetryConfiguration getKeyOperationRetryConfiguration() {
+        return keyOperationRetry;
+    }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/AccountsDynamoDbConfiguration.java

@@ -0,0 +1,13 @@
+package org.whispersystems.textsecuregcm.configuration;
+
+import javax.validation.constraints.NotNull;
+
+public class AccountsDynamoDbConfiguration extends DynamoDbConfiguration {
+
+  @NotNull
+  private String phoneNumberTableName;
+
+  public String getPhoneNumberTableName() {
+    return phoneNumberTableName;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/ApnConfiguration.java

@@ -0,0 +1,51 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import javax.validation.constraints.NotEmpty;
+
+
+public class ApnConfiguration {
+
+  @NotEmpty
+  @JsonProperty
+  private String teamId;
+
+  @NotEmpty
+  @JsonProperty
+  private String keyId;
+
+  @NotEmpty
+  @JsonProperty
+  private String signingKey;
+
+  @NotEmpty
+  @JsonProperty
+  private String bundleId;
+
+  @JsonProperty
+  private boolean sandbox = false;
+
+  public String getTeamId() {
+    return teamId;
+  }
+
+  public String getKeyId() {
+    return keyId;
+  }
+
+  public String getSigningKey() {
+    return signingKey;
+  }
+
+  public String getBundleId() {
+    return bundleId;
+  }
+
+  public boolean isSandboxEnabled() {
+    return sandbox;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/AppConfigConfiguration.java

@@ -0,0 +1,32 @@
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import javax.validation.constraints.NotEmpty;
+
+public class AppConfigConfiguration {
+
+  @JsonProperty
+  @NotEmpty
+  private String application;
+
+  @JsonProperty
+  @NotEmpty
+  private String environment;
+
+  @JsonProperty
+  @NotEmpty
+  private String configuration;
+
+  public String getApplication() {
+    return application;
+  }
+
+  public String getEnvironment() {
+    return environment;
+  }
+
+  public String getConfigurationName() {
+    return configuration;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/AwsAttachmentsConfiguration.java

@@ -0,0 +1,43 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import javax.validation.constraints.NotEmpty;
+
+public class AwsAttachmentsConfiguration {
+
+  @NotEmpty
+  @JsonProperty
+  private String accessKey;
+
+  @NotEmpty
+  @JsonProperty
+  private String accessSecret;
+
+  @NotEmpty
+  @JsonProperty
+  private String bucket;
+
+  @NotEmpty
+  @JsonProperty
+  private String region;
+
+  public String getAccessKey() {
+    return accessKey;
+  }
+
+  public String getAccessSecret() {
+    return accessSecret;
+  }
+
+  public String getBucket() {
+    return bucket;
+  }
+
+  public String getRegion() {
+    return region;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/BadgeConfiguration.java

@@ -0,0 +1,38 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import java.net.URL;
+import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.NotNull;
+
+public class BadgeConfiguration {
+  private final String name;
+  private final URL imageUrl;
+
+  @JsonCreator
+  public BadgeConfiguration(
+      @JsonProperty("name") final String name,
+      @JsonProperty("imageUrl") @JsonDeserialize(converter = URLDeserializationConverter.class) final URL imageUrl) {
+    this.name = name;
+    this.imageUrl = imageUrl;
+  }
+
+  @NotEmpty
+  public String getName() {
+    return name;
+  }
+
+  @NotNull
+  @JsonSerialize(converter = URLSerializationConverter.class)
+  public URL getImageUrl() {
+    return imageUrl;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/BadgesConfiguration.java

@@ -0,0 +1,31 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonSetter;
+import com.fasterxml.jackson.annotation.Nulls;
+import java.util.List;
+import java.util.Objects;
+import javax.validation.Valid;
+import javax.validation.constraints.NotNull;
+
+public class BadgesConfiguration {
+  private final List<BadgeConfiguration> badges;
+
+  @JsonCreator
+  public BadgesConfiguration(
+      @JsonProperty("badges") @JsonSetter(nulls = Nulls.AS_EMPTY) final List<BadgeConfiguration> badges) {
+    this.badges = Objects.requireNonNull(badges);
+  }
+
+  @Valid
+  @NotNull
+  public List<BadgeConfiguration> getBadges() {
+    return badges;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/CdnConfiguration.java

@@ -0,0 +1,44 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import javax.validation.constraints.NotEmpty;
+
+public class CdnConfiguration {
+  @NotEmpty
+  @JsonProperty
+  private String accessKey;
+
+  @NotEmpty
+  @JsonProperty
+  private String accessSecret;
+
+  @NotEmpty
+  @JsonProperty
+  private String bucket;
+
+  @NotEmpty
+  @JsonProperty
+  private String region;
+
+  public String getAccessKey() {
+    return accessKey;
+  }
+
+  public String getAccessSecret() {
+    return accessSecret;
+  }
+
+  public String getBucket() {
+    return bucket;
+  }
+
+  public String getRegion() {
+    return region;
+  }
+
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/CircuitBreakerConfiguration.java

@@ -0,0 +1,108 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.google.common.annotations.VisibleForTesting;
+import io.github.resilience4j.circuitbreaker.CircuitBreakerConfig;
+import java.time.Duration;
+import java.util.Collections;
+import java.util.List;
+import java.util.stream.Collectors;
+import javax.validation.constraints.Max;
+import javax.validation.constraints.Min;
+import javax.validation.constraints.NotNull;
+
+public class CircuitBreakerConfiguration {
+
+  @JsonProperty
+  @NotNull
+  @Min(1)
+  @Max(100)
+  private int failureRateThreshold = 50;
+
+  @JsonProperty
+  @NotNull
+  @Min(1)
+  private int ringBufferSizeInHalfOpenState = 10;
+
+  @JsonProperty
+  @NotNull
+  @Min(1)
+  private int ringBufferSizeInClosedState = 100;
+
+  @JsonProperty
+  @NotNull
+  @Min(1)
+  private long waitDurationInOpenStateInSeconds = 10;
+
+  @JsonProperty
+  private List<String> ignoredExceptions = Collections.emptyList();
+
+
+  public int getFailureRateThreshold() {
+    return failureRateThreshold;
+  }
+
+  public int getRingBufferSizeInHalfOpenState() {
+    return ringBufferSizeInHalfOpenState;
+  }
+
+  public int getRingBufferSizeInClosedState() {
+    return ringBufferSizeInClosedState;
+  }
+
+  public long getWaitDurationInOpenStateInSeconds() {
+    return waitDurationInOpenStateInSeconds;
+  }
+
+  public List<Class> getIgnoredExceptions() {
+      return ignoredExceptions.stream()
+          .map(name -> {
+             try {
+               return Class.forName(name);
+             } catch (final ClassNotFoundException e) {
+               throw new RuntimeException(e);
+             }
+          })
+          .collect(Collectors.toList());
+  }
+
+  @VisibleForTesting
+  public void setFailureRateThreshold(int failureRateThreshold) {
+    this.failureRateThreshold = failureRateThreshold;
+  }
+
+  @VisibleForTesting
+  public void setRingBufferSizeInClosedState(int size) {
+    this.ringBufferSizeInClosedState = size;
+  }
+
+  @VisibleForTesting
+  public void setRingBufferSizeInHalfOpenState(int size) {
+    this.ringBufferSizeInHalfOpenState = size;
+  }
+
+  @VisibleForTesting
+  public void setWaitDurationInOpenStateInSeconds(int seconds) {
+    this.waitDurationInOpenStateInSeconds = seconds;
+  }
+
+  @VisibleForTesting
+  public void setIgnoredExceptions(final List<String> ignoredExceptions) {
+    this.ignoredExceptions = ignoredExceptions;
+  }
+
+  public CircuitBreakerConfig toCircuitBreakerConfig() {
+    return CircuitBreakerConfig.custom()
+                        .failureRateThreshold(getFailureRateThreshold())
+                        .ignoreExceptions(getIgnoredExceptions().toArray(new Class[0]))
+                        .ringBufferSizeInHalfOpenState(getRingBufferSizeInHalfOpenState())
+                        .waitDurationInOpenState(Duration.ofSeconds(getWaitDurationInOpenStateInSeconds()))
+                        .ringBufferSizeInClosedState(getRingBufferSizeInClosedState())
+                        .build();
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/DatabaseConfiguration.java

@@ -0,0 +1,24 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import javax.validation.constraints.NotNull;
+
+import io.dropwizard.db.DataSourceFactory;
+
+public class DatabaseConfiguration extends DataSourceFactory {
+
+  @NotNull
+  @JsonProperty
+  private CircuitBreakerConfiguration circuitBreaker = new CircuitBreakerConfiguration();
+
+  public CircuitBreakerConfiguration getCircuitBreakerConfiguration() {
+    return circuitBreaker;
+  }
+
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/DatadogConfiguration.java

@@ -0,0 +1,61 @@
+/*
+ * Copyright 2013-2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import io.micrometer.datadog.DatadogConfig;
+import javax.validation.constraints.Min;
+import javax.validation.constraints.NotBlank;
+import javax.validation.constraints.NotNull;
+import java.time.Duration;
+
+public class DatadogConfiguration implements DatadogConfig {
+
+  @JsonProperty
+  @NotBlank
+  private String apiKey;
+
+  @JsonProperty
+  @NotNull
+  private Duration step = Duration.ofSeconds(10);
+
+  @JsonProperty
+  @NotBlank
+  private String environment;
+
+  @JsonProperty
+  @Min(1)
+  private int batchSize = 5_000;
+
+  @Override
+  public String apiKey() {
+    return apiKey;
+  }
+
+  @Override
+  public Duration step() {
+    return step;
+  }
+
+  public String getEnvironment() {
+    return environment;
+  }
+
+  @Override
+  public int batchSize() {
+    return batchSize;
+  }
+
+  @Override
+  public String hostTag() {
+    return "host";
+  }
+
+  @Override
+  public String get(final String key) {
+    return null;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/DeletedAccountsDynamoDbConfiguration.java

@@ -0,0 +1,13 @@
+package org.whispersystems.textsecuregcm.configuration;
+
+import javax.validation.constraints.NotNull;
+
+public class DeletedAccountsDynamoDbConfiguration extends DynamoDbConfiguration {
+
+  @NotNull
+  private String needsReconciliationIndexName;
+
+  public String getNeedsReconciliationIndexName() {
+    return needsReconciliationIndexName;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/DirectoryClientConfiguration.java

@@ -0,0 +1,30 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import javax.validation.constraints.NotEmpty;
+import org.apache.commons.codec.DecoderException;
+import org.apache.commons.codec.binary.Hex;
+
+public class DirectoryClientConfiguration {
+
+  @NotEmpty
+  @JsonProperty
+  private String userAuthenticationTokenSharedSecret;
+
+  @NotEmpty
+  @JsonProperty
+  private String userAuthenticationTokenUserIdSecret;
+
+  public byte[] getUserAuthenticationTokenSharedSecret() throws DecoderException {
+    return Hex.decodeHex(userAuthenticationTokenSharedSecret.toCharArray());
+  }
+
+  public byte[] getUserAuthenticationTokenUserIdSecret() throws DecoderException {
+    return Hex.decodeHex(userAuthenticationTokenUserIdSecret.toCharArray());
+  }
+
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/DirectoryConfiguration.java

@@ -0,0 +1,41 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import javax.validation.Valid;
+import javax.validation.constraints.NotNull;
+import java.util.List;
+
+public class DirectoryConfiguration {
+
+  @JsonProperty
+  @NotNull
+  @Valid
+  private SqsConfiguration sqs;
+    
+  @JsonProperty
+  @NotNull
+  @Valid
+  private DirectoryClientConfiguration client;
+
+  @JsonProperty
+  @NotNull
+  @Valid
+  private List<DirectoryServerConfiguration> server;
+
+  public SqsConfiguration getSqsConfiguration() {
+    return sqs;
+  }
+
+  public DirectoryClientConfiguration getDirectoryClientConfiguration() {
+    return client;
+  }
+
+  public List<DirectoryServerConfiguration> getDirectoryServerConfiguration() {
+    return server;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/DirectoryServerConfiguration.java

@@ -0,0 +1,44 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import javax.validation.constraints.NotEmpty;
+
+public class DirectoryServerConfiguration {
+
+  @NotEmpty
+  @JsonProperty
+  private String replicationName;
+
+  @NotEmpty
+  @JsonProperty
+  private String replicationUrl;
+
+  @NotEmpty
+  @JsonProperty
+  private String replicationPassword;
+
+  @NotEmpty
+  @JsonProperty
+  private String replicationCaCertificate;
+
+  public String getReplicationName() {
+    return replicationName;
+  }
+
+  public String getReplicationUrl() {
+    return replicationUrl;
+  }
+
+  public String getReplicationPassword() {
+    return replicationPassword;
+  }
+
+  public String getReplicationCaCertificate() {
+    return replicationCaCertificate;
+  }
+
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/DonationConfiguration.java

@@ -0,0 +1,90 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.google.common.annotations.VisibleForTesting;
+import java.util.Set;
+import javax.validation.Valid;
+import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.NotNull;
+
+public class DonationConfiguration {
+
+  private String uri;
+  private String apiKey;
+  private String description;
+  private Set<String> supportedCurrencies;
+  private CircuitBreakerConfiguration circuitBreaker = new CircuitBreakerConfiguration();
+  private RetryConfiguration retry = new RetryConfiguration();
+
+  @JsonProperty
+  @NotEmpty
+  public String getUri() {
+    return uri;
+  }
+
+  @VisibleForTesting
+  public void setUri(final String uri) {
+    this.uri = uri;
+  }
+
+  @JsonProperty
+  @NotEmpty
+  public String getApiKey() {
+    return apiKey;
+  }
+
+  @VisibleForTesting
+  public void setApiKey(final String apiKey) {
+    this.apiKey = apiKey;
+  }
+
+  @JsonProperty
+  public String getDescription() {
+    return description;
+  }
+
+  @VisibleForTesting
+  public void setDescription(final String description) {
+    this.description = description;
+  }
+
+  @JsonProperty
+  @NotEmpty
+  public Set<String> getSupportedCurrencies() {
+    return supportedCurrencies;
+  }
+
+  @VisibleForTesting
+  public void setSupportedCurrencies(final Set<String> supportedCurrencies) {
+    this.supportedCurrencies = supportedCurrencies;
+  }
+
+  @JsonProperty
+  @NotNull
+  @Valid
+  public CircuitBreakerConfiguration getCircuitBreaker() {
+    return circuitBreaker;
+  }
+
+  @VisibleForTesting
+  public void setCircuitBreaker(final CircuitBreakerConfiguration circuitBreaker) {
+    this.circuitBreaker = circuitBreaker;
+  }
+
+  @JsonProperty
+  @NotNull
+  @Valid
+  public RetryConfiguration getRetry() {
+    return retry;
+  }
+
+  @VisibleForTesting
+  public void setRetry(final RetryConfiguration retry) {
+    this.retry = retry;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/DynamoDbConfiguration.java

@@ -0,0 +1,44 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import javax.validation.Valid;
+import javax.validation.constraints.NotEmpty;
+import java.time.Duration;
+
+public class DynamoDbConfiguration {
+
+    private String   region;
+    private String   tableName;
+    private Duration clientExecutionTimeout = Duration.ofSeconds(30);
+    private Duration clientRequestTimeout   = Duration.ofSeconds(10);
+
+    @Valid
+    @NotEmpty
+    @JsonProperty
+    public String getRegion() {
+        return region;
+    }
+
+    @Valid
+    @NotEmpty
+    @JsonProperty
+    public String getTableName() {
+        return tableName;
+    }
+
+    @JsonProperty
+    public Duration getClientExecutionTimeout() {
+        return clientExecutionTimeout;
+    }
+
+    @JsonProperty
+    public Duration getClientRequestTimeout() {
+        return clientRequestTimeout;
+    }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/GcmConfiguration.java

@@ -0,0 +1,29 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.NotNull;
+
+public class GcmConfiguration {
+
+  @NotNull
+  @JsonProperty
+  private long senderId;
+
+  @NotEmpty
+  @JsonProperty
+  private String apiKey;
+
+  public String getApiKey() {
+    return apiKey;
+  }
+
+  public long getSenderId() {
+    return senderId;
+  }
+
+}