Update micrometer to 1.9.3

All accounts now have UAKs in top-level attributes

.editorconfig

@@ -146,7 +146,7 @@ ij_java_generate_final_parameters = true
 ij_java_if_brace_force = always
 ij_java_imports_layout = $*,|,*
 ij_java_indent_case_from_switch = true
-ij_java_insert_inner_class_imports = true
+ij_java_insert_inner_class_imports = false
 ij_java_insert_override_annotation = true
 ij_java_keep_blank_lines_before_right_brace = 2
 ij_java_keep_blank_lines_between_package_declaration_and_header = 2

.github/workflows/test.yml

@@ -8,11 +8,11 @@ jobs:
 
     steps:
       - uses: actions/checkout@v2
-      - name: Set up JDK 11
+      - name: Set up JDK 17
         uses: actions/setup-java@3bc31aaf88e8fc94dc1e632d48af61be5ca8721c
         with:
-          distribution: 'adopt'
-          java-version: 11
+          distribution: 'temurin'
+          java-version: 17
           cache: 'maven'
       - name: Build with Maven
         run: mvn -e -B verify

.gitmodules

@@ -1,4 +1,4 @@
-# Note that the implmentation of the abusive message filter is private; internal
+# Note that the implementation of the abusive message filter is private; internal
 # developers will need to override this URL with:
 #
 # ```

.mvn/wrapper/maven-wrapper.properties

@@ -0,0 +1,18 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+# 
+#   https://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.8.5/apache-maven-3.8.5-bin.zip
+wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar

README.md

@@ -13,7 +13,7 @@ Cryptography Notice
 
 This distribution includes cryptographic software. The country in which you currently reside may have restrictions on the import, possession, use, and/or re-export to another country, of encryption software.
 BEFORE using any encryption software, please check your country's laws, regulations and policies concerning the import, possession, or use, and re-export of encryption software, to see if this is permitted.
-See <http://www.wassenaar.org/> for more information.
+See <https://www.wassenaar.org/> for more information.
 
 The U.S. Government Department of Commerce, Bureau of Industry and Security (BIS), has classified this software as Export Commodity Control Number (ECCN) 5D002.C.1, which includes information security software using or performing cryptographic functions with asymmetric algorithms.
 The form and manner of this distribution makes it eligible for export under the License Exception ENC Technology Software Unrestricted (TSU) exception (see the BIS Export Administration Regulations, Section 740.13) for both object code and source code.
@@ -21,6 +21,6 @@ The form and manner of this distribution makes it eligible for export under the
 License
 ---------------------
 
-Copyright 2013-2021 Signal Messenger, LLC
+Copyright 2013-2022 Signal Messenger, LLC
 
 Licensed under the AGPLv3: https://www.gnu.org/licenses/agpl-3.0.html

gcm-sender-async/pom.xml

@@ -1,52 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0"
-  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
-  <parent>
-    <artifactId>TextSecureServer</artifactId>
-    <groupId>org.whispersystems.textsecure</groupId>
-    <version>JGITVER</version>
-  </parent>
-  <modelVersion>4.0.0</modelVersion>
-  <artifactId>gcm-sender-async</artifactId>
-
-  <dependencies>
-    <dependency>
-      <groupId>io.github.resilience4j</groupId>
-      <artifactId>resilience4j-retry</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>com.fasterxml.jackson.core</groupId>
-      <artifactId>jackson-core</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>com.fasterxml.jackson.core</groupId>
-      <artifactId>jackson-annotations</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>com.fasterxml.jackson.core</groupId>
-      <artifactId>jackson-databind</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>com.google.guava</groupId>
-      <artifactId>guava</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.httpcomponents</groupId>
-      <artifactId>httpclient</artifactId>
-      <scope>test</scope>
-    </dependency>
-    <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>jcl-over-slf4j</artifactId>
-      <scope>test</scope>
-    </dependency>
-    <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-nop</artifactId>
-      <scope>test</scope>
-    </dependency>
-  </dependencies>
-
-</project>
-

gcm-sender-async/src/main/java/org/whispersystems/gcm/server/AuthenticationFailedException.java

@@ -1,9 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.gcm.server;
-
-
-public class AuthenticationFailedException extends Exception {
-}

gcm-sender-async/src/main/java/org/whispersystems/gcm/server/InvalidRequestException.java

@@ -1,9 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.gcm.server;
-
-
-public class InvalidRequestException extends Exception {
-}

gcm-sender-async/src/main/java/org/whispersystems/gcm/server/Message.java

@@ -1,144 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.gcm.server;
-
-import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import org.whispersystems.gcm.server.internal.GcmRequestEntity;
-
-import java.util.HashMap;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Map;
-
-public class Message {
-
-  private static final ObjectMapper objectMapper = new ObjectMapper();
-
-  private final String              collapseKey;
-  private final Long                ttl;
-  private final Boolean             delayWhileIdle;
-  private final Map<String, String> data;
-  private final List<String>        registrationIds;
-  private final String              priority;
-
-  private Message(String collapseKey, Long ttl, Boolean delayWhileIdle,
-                  Map<String, String> data, List<String> registrationIds,
-                  String priority)
-  {
-    this.collapseKey     = collapseKey;
-    this.ttl             = ttl;
-    this.delayWhileIdle  = delayWhileIdle;
-    this.data            = data;
-    this.registrationIds = registrationIds;
-    this.priority        = priority;
-  }
-
-  public String serialize() throws JsonProcessingException {
-    GcmRequestEntity requestEntity = new GcmRequestEntity(collapseKey, ttl, delayWhileIdle,
-                                                          data, registrationIds, priority);
-
-    return objectMapper.writeValueAsString(requestEntity);
-  }
-
-  /**
-   * Construct a new Message using a Builder.
-   * @return A new Builder.
-   */
-  public static Builder newBuilder() {
-    return new Builder();
-  }
-
-  public static class Builder {
-
-    private String              collapseKey     = null;
-    private Long                ttl             = null;
-    private Boolean             delayWhileIdle  = null;
-    private Map<String, String> data            = null;
-    private List<String>        registrationIds = new LinkedList<>();
-    private String              priority        = null;
-
-    private Builder() {}
-
-    /**
-     * @param collapseKey The GCM collapse key to use (optional).
-     * @return The Builder.
-     */
-    public Builder withCollapseKey(String collapseKey) {
-      this.collapseKey = collapseKey;
-      return this;
-    }
-
-    /**
-     * @param seconds The TTL (in seconds) for this message (optional).
-     * @return The Builder.
-     */
-    public Builder withTtl(long seconds) {
-      this.ttl = seconds;
-      return this;
-    }
-
-    /**
-     * @param delayWhileIdle Set GCM delay_while_idle (optional).
-     * @return The Builder.
-     */
-    public Builder withDelayWhileIdle(boolean delayWhileIdle) {
-      this.delayWhileIdle = delayWhileIdle;
-      return this;
-    }
-
-    /**
-     * Set a key in the GCM JSON payload delivered to the application (optional).
-     * @param key The key to set.
-     * @param value The value to set.
-     * @return The Builder.
-     */
-    public Builder withDataPart(String key, String value) {
-      if (data == null) {
-        data = new HashMap<>();
-      }
-      data.put(key, value);
-      return this;
-    }
-
-    /**
-     * Set the destination GCM registration ID (mandatory).
-     * @param registrationId The destination GCM registration ID.
-     * @return The Builder.
-     */
-    public Builder withDestination(String registrationId) {
-      this.registrationIds.clear();
-      this.registrationIds.add(registrationId);
-      return this;
-    }
-
-    /**
-     * Set the GCM message priority (optional).
-     *
-     * @param priority Valid values are "normal" and "high."
-     *                 On iOS, these correspond to APNs priority 5 and 10.
-     * @return The Builder.
-     */
-    public Builder withPriority(String priority) {
-      this.priority = priority;
-      return this;
-    }
-
-    /**
-     * Construct a message object.
-     *
-     * @return An immutable message object, as configured by this builder.
-     */
-    public Message build() {
-      if (registrationIds.isEmpty()) {
-        throw new IllegalArgumentException("You must specify a destination!");
-      }
-
-      return new Message(collapseKey, ttl, delayWhileIdle, data, registrationIds, priority);
-    }
-  }
-
-
-}

gcm-sender-async/src/main/java/org/whispersystems/gcm/server/Result.java

@@ -1,80 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.gcm.server;
-
-/**
- * The result of a GCM send operation.
- */
-public class Result {
-
-  private final String canonicalRegistrationId;
-  private final String messageId;
-  private final String error;
-
-  Result(String canonicalRegistrationId, String messageId, String error) {
-    this.canonicalRegistrationId = canonicalRegistrationId;
-    this.messageId               = messageId;
-    this.error                   = error;
-  }
-
-  /**
-   * Returns the "canonical" GCM registration ID for this destination.
-   * See GCM documentation for details.
-   * @return The canonical GCM registration ID.
-   */
-  public String getCanonicalRegistrationId() {
-    return canonicalRegistrationId;
-  }
-
-  /**
-   * @return If a "canonical" GCM registration ID is present in the response.
-   */
-  public boolean hasCanonicalRegistrationId() {
-    return canonicalRegistrationId != null && !canonicalRegistrationId.isEmpty();
-  }
-
-  /**
-   * @return The assigned GCM message ID, if successful.
-   */
-  public String getMessageId() {
-    return messageId;
-  }
-
-  /**
-   * @return The raw error string, if present.
-   */
-  public String getError() {
-    return error;
-  }
-
-  /**
-   * @return If the send was a success.
-   */
-  public boolean isSuccess() {
-    return messageId != null && !messageId.isEmpty() && (error == null || error.isEmpty());
-  }
-
-  /**
-   * @return If the destination GCM registration ID is no longer registered.
-   */
-  public boolean isUnregistered() {
-    return "NotRegistered".equals(error);
-  }
-
-  /**
-   * @return If messages to this device are being throttled.
-   */
-  public boolean isThrottled() {
-    return "DeviceMessageRateExceeded".equals(error);
-  }
-
-  /**
-   * @return If the destination GCM registration ID is invalid.
-   */
-  public boolean isInvalidRegistrationId() {
-    return "InvalidRegistration".equals(error);
-  }
-
-}

gcm-sender-async/src/main/java/org/whispersystems/gcm/server/Sender.java

@@ -1,154 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.gcm.server;
-
-import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.google.common.annotations.VisibleForTesting;
-import io.github.resilience4j.retry.IntervalFunction;
-import io.github.resilience4j.retry.Retry;
-import io.github.resilience4j.retry.RetryConfig;
-import org.whispersystems.gcm.server.internal.GcmResponseEntity;
-import org.whispersystems.gcm.server.internal.GcmResponseListEntity;
-
-import java.io.IOException;
-import java.net.URI;
-import java.net.http.HttpClient;
-import java.net.http.HttpRequest;
-import java.net.http.HttpResponse.BodyHandlers;
-import java.security.SecureRandom;
-import java.time.Duration;
-import java.util.List;
-import java.util.concurrent.CompletableFuture;
-import java.util.concurrent.CompletionException;
-import java.util.concurrent.Executors;
-import java.util.concurrent.ScheduledExecutorService;
-import java.util.concurrent.TimeoutException;
-
-/**
- * The main interface to sending GCM messages.  Thread safe.
- *
- * @author Moxie Marlinspike
- */
-public class Sender {
-
-  private static final String PRODUCTION_URL = "https://fcm.googleapis.com/fcm/send";
-
-  private final String                   authorizationHeader;
-  private final URI                      uri;
-  private final Retry                    retry;
-  private final ObjectMapper             mapper;
-  private final ScheduledExecutorService executorService;
-
-  private final HttpClient[] clients = new HttpClient[10];
-  private final SecureRandom random  = new SecureRandom();
-
-  /**
-   * Construct a Sender instance.
-   *
-   * @param apiKey Your application's GCM API key.
-   */
-  public Sender(String apiKey, ObjectMapper mapper) {
-    this(apiKey, mapper, 10);
-  }
-
-  /**
-   * Construct a Sender instance with a specified retry count.
-   *
-   * @param apiKey Your application's GCM API key.
-   * @param retryCount The number of retries to attempt on a network error or 500 response.
-   */
-  public Sender(String apiKey, ObjectMapper mapper, int retryCount) {
-    this(apiKey, mapper, retryCount, PRODUCTION_URL);
-  }
-
-  @VisibleForTesting
-  public Sender(String apiKey, ObjectMapper mapper, int retryCount, String url) {
-    this.mapper              = mapper;
-    this.executorService     = Executors.newSingleThreadScheduledExecutor();
-    this.uri                 = URI.create(url);
-    this.authorizationHeader = String.format("key=%s", apiKey);
-    this.retry               = Retry.of("fcm-sender", RetryConfig.custom()
-                                                                       .maxAttempts(retryCount)
-                                                                       .intervalFunction(IntervalFunction.ofExponentialRandomBackoff(Duration.ofMillis(100), 2.0))
-                                                                       .retryOnException(this::isRetryableException)
-                                                                       .build());
-
-    for (int i=0;i<clients.length;i++) {
-      this.clients[i] = HttpClient.newBuilder()
-                                  .version(HttpClient.Version.HTTP_2)
-                                  .connectTimeout(Duration.ofSeconds(10))
-                                  .build();
-    }
-  }
-
-  private boolean isRetryableException(Throwable throwable) {
-    while (throwable instanceof  CompletionException) {
-      throwable = throwable.getCause();
-    }
-
-    return throwable instanceof ServerFailedException ||
-           throwable instanceof  TimeoutException     ||
-           throwable instanceof  IOException;
-  }
-
-  /**
-   * Asynchronously send a message.
-   *
-   * @param message The message to send.
-   * @return A future.
-   */
-  public CompletableFuture<Result> send(Message message) {
-    try {
-      HttpRequest request = HttpRequest.newBuilder()
-                                       .uri(uri)
-                                       .header("Authorization", authorizationHeader)
-                                       .header("Content-Type", "application/json")
-                                       .POST(HttpRequest.BodyPublishers.ofString(message.serialize()))
-                                       .timeout(Duration.ofSeconds(10))
-                                       .build();
-
-      return retry.executeCompletionStage(executorService,
-                                          () -> getClient().sendAsync(request, BodyHandlers.ofByteArray())
-                                                      .thenApply(response -> {
-                                                        switch (response.statusCode()) {
-                                                          case 400: throw new CompletionException(new InvalidRequestException());
-                                                          case 401: throw new CompletionException(new AuthenticationFailedException());
-                                                          case 204:
-                                                          case 200: return response.body();
-                                                          default:  throw new CompletionException(new ServerFailedException("Bad status: " + response.statusCode()));
-                                                        }
-                                                      })
-                                                      .thenApply(responseBytes -> {
-                                                        try {
-                                                          List<GcmResponseEntity> responseList = mapper.readValue(responseBytes, GcmResponseListEntity.class).getResults();
-
-                                                          if (responseList == null || responseList.size() == 0) {
-                                                            throw new CompletionException(new IOException("Empty response list!"));
-                                                          }
-
-                                                          GcmResponseEntity responseEntity = responseList.get(0);
-
-                                                          return new Result(responseEntity.getCanonicalRegistrationId(),
-                                                                            responseEntity.getMessageId(),
-                                                                            responseEntity.getError());
-                                                        } catch (IOException e) {
-                                                          throw new CompletionException(e);
-                                                        }
-                                                      })).toCompletableFuture();
-    } catch (JsonProcessingException e) {
-      return CompletableFuture.failedFuture(e);
-    }
-  }
-
-  public Retry getRetry() {
-    return retry;
-  }
-
-  private HttpClient getClient() {
-    return clients[random.nextInt(clients.length)];
-  }
-
-}

gcm-sender-async/src/main/java/org/whispersystems/gcm/server/ServerFailedException.java

@@ -1,15 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.gcm.server;
-
-public class ServerFailedException extends Exception {
-  public ServerFailedException(String message) {
-    super(message);
-  }
-
-  public ServerFailedException(Exception e) {
-    super(e);
-  }
-}

gcm-sender-async/src/main/java/org/whispersystems/gcm/server/internal/GcmRequestEntity.java

@@ -1,46 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.gcm.server.internal;
-
-
-import com.fasterxml.jackson.annotation.JsonInclude;
-import com.fasterxml.jackson.annotation.JsonProperty;
-
-import java.util.List;
-import java.util.Map;
-
-@JsonInclude(JsonInclude.Include.NON_NULL)
-public class GcmRequestEntity {
-
-  @JsonProperty(value = "collapse_key")
-  private String collapseKey;
-
-  @JsonProperty(value = "time_to_live")
-  private Long ttl;
-
-  @JsonProperty(value = "delay_while_idle")
-  private Boolean delayWhileIdle;
-
-  @JsonProperty(value = "data")
-  private Map<String, String> data;
-
-  @JsonProperty(value = "registration_ids")
-  private List<String> registrationIds;
-
-  @JsonProperty
-  private String priority;
-
-  public GcmRequestEntity(String collapseKey, Long ttl, Boolean delayWhileIdle,
-                          Map<String, String> data, List<String> registrationIds,
-                          String priority)
-  {
-    this.collapseKey     = collapseKey;
-    this.ttl             = ttl;
-    this.delayWhileIdle  = delayWhileIdle;
-    this.data            = data;
-    this.registrationIds = registrationIds;
-    this.priority        = priority;
-  }
-}

gcm-sender-async/src/main/java/org/whispersystems/gcm/server/internal/GcmResponseEntity.java

@@ -1,31 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.gcm.server.internal;
-
-import com.fasterxml.jackson.annotation.JsonProperty;
-
-public class GcmResponseEntity {
-
-  @JsonProperty(value = "message_id")
-  private String messageId;
-
-  @JsonProperty(value = "registration_id")
-  private String canonicalRegistrationId;
-
-  @JsonProperty
-  private String error;
-
-  public String getMessageId() {
-    return messageId;
-  }
-
-  public String getCanonicalRegistrationId() {
-    return canonicalRegistrationId;
-  }
-
-  public String getError() {
-    return error;
-  }
-}

gcm-sender-async/src/main/java/org/whispersystems/gcm/server/internal/GcmResponseListEntity.java

@@ -1,19 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.gcm.server.internal;
-
-import com.fasterxml.jackson.annotation.JsonProperty;
-
-import java.util.List;
-
-public class GcmResponseListEntity {
-
-  @JsonProperty
-  private List<GcmResponseEntity> results;
-
-  public List<GcmResponseEntity> getResults() {
-    return results;
-  }
-}

gcm-sender-async/src/test/java/org/whispersystems/gcm/server/MessageTest.java

@@ -1,49 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.gcm.server;
-
-import org.junit.Test;
-
-import java.io.IOException;
-
-import static org.junit.Assert.assertEquals;
-import static org.whispersystems.gcm.server.util.JsonHelpers.jsonFixture;
-
-public class MessageTest {
-
-  @Test
-  public void testMinimal() throws IOException {
-    Message message = Message.newBuilder()
-                             .withDestination("1")
-                             .build();
-
-    assertEquals(message.serialize(), jsonFixture("fixtures/message-minimal.json"));
-  }
-
-  @Test
-  public void testComplete() throws IOException {
-    Message message = Message.newBuilder()
-                             .withDestination("1")
-                             .withCollapseKey("collapse")
-                             .withDelayWhileIdle(true)
-                             .withTtl(10)
-                             .withPriority("high")
-                             .build();
-
-    assertEquals(message.serialize(), jsonFixture("fixtures/message-complete.json"));
-  }
-
-  @Test
-  public void testWithData() throws IOException {
-    Message message = Message.newBuilder()
-                             .withDestination("2")
-                             .withDataPart("key1", "value1")
-                             .withDataPart("key2", "value2")
-                             .build();
-
-    assertEquals(message.serialize(), jsonFixture("fixtures/message-data.json"));
-  }
-
-}

gcm-sender-async/src/test/java/org/whispersystems/gcm/server/SenderTest.java

@@ -1,200 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.gcm.server;
-
-import static com.github.tomakehurst.wiremock.client.WireMock.aResponse;
-import static com.github.tomakehurst.wiremock.client.WireMock.any;
-import static com.github.tomakehurst.wiremock.client.WireMock.anyRequestedFor;
-import static com.github.tomakehurst.wiremock.client.WireMock.anyUrl;
-import static com.github.tomakehurst.wiremock.client.WireMock.equalTo;
-import static com.github.tomakehurst.wiremock.client.WireMock.ok;
-import static com.github.tomakehurst.wiremock.client.WireMock.postRequestedFor;
-import static com.github.tomakehurst.wiremock.client.WireMock.urlEqualTo;
-import static com.github.tomakehurst.wiremock.client.WireMock.verify;
-import static com.github.tomakehurst.wiremock.core.WireMockConfiguration.options;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNull;
-import static org.junit.Assert.assertTrue;
-import static org.whispersystems.gcm.server.util.FixtureHelpers.fixture;
-import static org.whispersystems.gcm.server.util.JsonHelpers.jsonFixture;
-
-import com.fasterxml.jackson.annotation.JsonAutoDetect;
-import com.fasterxml.jackson.annotation.PropertyAccessor;
-import com.fasterxml.jackson.databind.DeserializationFeature;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.github.tomakehurst.wiremock.client.CountMatchingStrategy;
-import com.github.tomakehurst.wiremock.junit.WireMockRule;
-import java.io.IOException;
-import java.util.concurrent.CompletableFuture;
-import java.util.concurrent.ExecutionException;
-import java.util.concurrent.TimeUnit;
-import java.util.concurrent.TimeoutException;
-import org.junit.Rule;
-import org.junit.Test;
-
-public class SenderTest {
-
-  @Rule
-  public WireMockRule wireMock = new WireMockRule(options().dynamicPort().dynamicHttpsPort());
-
-  private static final ObjectMapper mapper = new ObjectMapper();
-
-  static {
-    mapper.setVisibility(PropertyAccessor.ALL, JsonAutoDetect.Visibility.NONE);
-    mapper.setVisibility(PropertyAccessor.FIELD, JsonAutoDetect.Visibility.ANY);
-    mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
-  }
-
-  @Test
-  public void testSuccess() throws InterruptedException, ExecutionException, TimeoutException, IOException {
-    wireMock.stubFor(any(anyUrl())
-        .willReturn(aResponse()
-            .withStatus(200)
-            .withBody(fixture("fixtures/response-success.json"))));
-
-
-    Sender                    sender = new Sender("foobarbaz", mapper, 10, "http://localhost:" + wireMock.port() + "/gcm/send");
-    CompletableFuture<Result> future = sender.send(Message.newBuilder().withDestination("1").build());
-
-    Result result = future.get(10, TimeUnit.SECONDS);
-
-    assertTrue(result.isSuccess());
-    assertFalse(result.isThrottled());
-    assertFalse(result.isUnregistered());
-    assertEquals(result.getMessageId(), "1:08");
-    assertNull(result.getError());
-    assertNull(result.getCanonicalRegistrationId());
-
-    verify(1, postRequestedFor(urlEqualTo("/gcm/send"))
-        .withHeader("Authorization", equalTo("key=foobarbaz"))
-        .withHeader("Content-Type", equalTo("application/json"))
-        .withRequestBody(equalTo(jsonFixture("fixtures/message-minimal.json"))));
-  }
-
-  @Test
-  public void testBadApiKey() throws InterruptedException, TimeoutException {
-    wireMock.stubFor(any(anyUrl())
-        .willReturn(aResponse()
-            .withStatus(401)));
-
-    Sender                    sender = new Sender("foobar", mapper, 10, "http://localhost:" + wireMock.port() + "/gcm/send");
-    CompletableFuture<Result> future = sender.send(Message.newBuilder().withDestination("1").build());
-
-    try {
-      future.get(10, TimeUnit.SECONDS);
-      throw new AssertionError();
-    } catch (ExecutionException ee) {
-      assertTrue(ee.getCause() instanceof AuthenticationFailedException);
-    }
-
-    verify(1, anyRequestedFor(anyUrl()));
-  }
-
-  @Test
-  public void testBadRequest() throws TimeoutException, InterruptedException {
-    wireMock.stubFor(any(anyUrl())
-        .willReturn(aResponse()
-            .withStatus(400)));
-
-    Sender                    sender = new Sender("foobarbaz", mapper, 10, "http://localhost:" + wireMock.port() + "/gcm/send");
-    CompletableFuture<Result> future = sender.send(Message.newBuilder().withDestination("1").build());
-
-    try {
-      future.get(10, TimeUnit.SECONDS);
-      throw new AssertionError();
-    } catch (ExecutionException e) {
-      assertTrue(e.getCause() instanceof InvalidRequestException);
-    }
-
-    verify(1, anyRequestedFor(anyUrl()));
-  }
-
-  @Test
-  public void testServerError() throws TimeoutException, InterruptedException {
-    wireMock.stubFor(any(anyUrl())
-        .willReturn(aResponse()
-            .withStatus(503)));
-
-    Sender                    sender = new Sender("foobarbaz", mapper, 3, "http://localhost:" + wireMock.port() + "/gcm/send");
-    CompletableFuture<Result> future = sender.send(Message.newBuilder().withDestination("1").build());
-
-    try {
-      future.get(10, TimeUnit.SECONDS);
-      throw new AssertionError();
-    } catch (ExecutionException ee) {
-      assertTrue(ee.getCause() instanceof ServerFailedException);
-    }
-
-    verify(3, anyRequestedFor(anyUrl()));
-  }
-
-  @Test
-  public void testServerErrorRecovery() throws InterruptedException, ExecutionException, TimeoutException {
-
-    wireMock.stubFor(any(anyUrl()).willReturn(aResponse().withStatus(503)));
-
-    Sender                    sender = new Sender("foobarbaz", mapper, 4, "http://localhost:" + wireMock.port() + "/gcm/send");
-    CompletableFuture<Result> future = sender.send(Message.newBuilder().withDestination("1").build());
-
-    // up to three failures can happen, with 100ms exponential backoff
-    // if we end up using the fourth, and finaly try, it would be after ~700 ms
-    CompletableFuture.delayedExecutor(300, TimeUnit.MILLISECONDS).execute(() ->
-        wireMock.stubFor(any(anyUrl())
-            .willReturn(aResponse()
-                .withStatus(200)
-                .withBody(fixture("fixtures/response-success.json"))))
-    );
-
-    Result result = future.get(10, TimeUnit.SECONDS);
-
-    verify(new CountMatchingStrategy(CountMatchingStrategy.GREATER_THAN, 1), anyRequestedFor(anyUrl()));
-    assertTrue(result.isSuccess());
-    assertFalse(result.isThrottled());
-    assertFalse(result.isUnregistered());
-    assertEquals(result.getMessageId(), "1:08");
-    assertNull(result.getError());
-    assertNull(result.getCanonicalRegistrationId());
-  }
-
-  @Test
-  public void testNetworkError() throws TimeoutException, InterruptedException {
-
-    wireMock.stubFor(any(anyUrl())
-        .willReturn(ok()));
-
-    Sender sender = new Sender("foobarbaz", mapper ,2, "http://localhost:" + wireMock.port() + "/gcm/send");
-
-    wireMock.stop();
-
-    CompletableFuture<Result> future = sender.send(Message.newBuilder().withDestination("1").build());
-
-    try {
-      future.get(10, TimeUnit.SECONDS);
-    } catch (ExecutionException e) {
-      assertTrue(e.getCause() instanceof IOException);
-    }
-  }
-
-  @Test
-  public void testNotRegistered() throws InterruptedException, ExecutionException, TimeoutException {
-
-    wireMock.stubFor(any(anyUrl()).willReturn(aResponse().withStatus(200)
-        .withBody(fixture("fixtures/response-not-registered.json"))));
-
-    Sender                    sender = new Sender("foobarbaz", mapper,2, "http://localhost:" + wireMock.port() + "/gcm/send");
-    CompletableFuture<Result> future = sender.send(Message.newBuilder()
-                                                         .withDestination("2")
-                                                         .withDataPart("message", "new message!")
-                                                         .build());
-
-    Result result = future.get(10, TimeUnit.SECONDS);
-
-    assertFalse(result.isSuccess());
-    assertTrue(result.isUnregistered());
-    assertFalse(result.isThrottled());
-    assertEquals(result.getError(), "NotRegistered");
-  }
-}

gcm-sender-async/src/test/java/org/whispersystems/gcm/server/SimultaneousSenderTest.java

@@ -1,89 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.gcm.server;
-
-import static com.github.tomakehurst.wiremock.client.WireMock.aResponse;
-import static com.github.tomakehurst.wiremock.client.WireMock.post;
-import static com.github.tomakehurst.wiremock.client.WireMock.stubFor;
-import static com.github.tomakehurst.wiremock.client.WireMock.urlPathEqualTo;
-import static junit.framework.TestCase.assertTrue;
-import static org.whispersystems.gcm.server.util.FixtureHelpers.fixture;
-
-import com.fasterxml.jackson.annotation.JsonAutoDetect;
-import com.fasterxml.jackson.annotation.PropertyAccessor;
-import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.DeserializationFeature;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.github.tomakehurst.wiremock.core.WireMockConfiguration;
-import com.github.tomakehurst.wiremock.junit.WireMockRule;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.concurrent.CompletableFuture;
-import java.util.concurrent.ExecutionException;
-import java.util.concurrent.TimeUnit;
-import java.util.concurrent.TimeoutException;
-import org.junit.Ignore;
-import org.junit.Rule;
-import org.junit.Test;
-
-public class SimultaneousSenderTest {
-
-  @Rule
-  public WireMockRule wireMock = new WireMockRule(WireMockConfiguration.options().dynamicPort().dynamicHttpsPort());
-
-  private static final ObjectMapper mapper = new ObjectMapper();
-
-  static {
-    mapper.setVisibility(PropertyAccessor.ALL, JsonAutoDetect.Visibility.NONE);
-    mapper.setVisibility(PropertyAccessor.FIELD, JsonAutoDetect.Visibility.ANY);
-    mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
-  }
-
-  @Test
-  public void testSimultaneousSuccess() throws TimeoutException, InterruptedException, ExecutionException, JsonProcessingException {
-    stubFor(post(urlPathEqualTo("/gcm/send"))
-                .willReturn(aResponse()
-                                .withStatus(200)
-                                .withBody(fixture("fixtures/response-success.json"))));
-
-    Sender                          sender  = new Sender("foobarbaz", mapper, 2, "http://localhost:" + wireMock.port() + "/gcm/send");
-    List<CompletableFuture<Result>> results = new LinkedList<>();
-
-    for (int i=0;i<1000;i++) {
-      results.add(sender.send(Message.newBuilder().withDestination("1").build()));
-    }
-
-    for (CompletableFuture<Result> future : results) {
-      Result result = future.get(60, TimeUnit.SECONDS);
-
-      if (!result.isSuccess()) {
-        throw new AssertionError(result.getError());
-      }
-    }
-  }
-
-  @Test
-  @Ignore
-  public void testSimultaneousFailure() throws TimeoutException, InterruptedException {
-    stubFor(post(urlPathEqualTo("/gcm/send"))
-                .willReturn(aResponse()
-                                .withStatus(503)));
-
-    Sender                         sender   = new Sender("foobarbaz", mapper, 2, "http://localhost:" + wireMock.port() + "/gcm/send");
-    List<CompletableFuture<Result>> futures = new LinkedList<>();
-
-    for (int i=0;i<1000;i++) {
-      futures.add(sender.send(Message.newBuilder().withDestination("1").build()));
-    }
-
-    for (CompletableFuture<Result> future : futures) {
-      try {
-        Result result = future.get(60, TimeUnit.SECONDS);
-      } catch (ExecutionException e) {
-        assertTrue(e.getCause().toString(), e.getCause() instanceof ServerFailedException);
-      }
-    }
-  }
-}

gcm-sender-async/src/test/java/org/whispersystems/gcm/server/util/FixtureHelpers.java

@@ -1,47 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.gcm.server.util;
-
-import com.google.common.base.Charsets;
-import com.google.common.io.Resources;
-
-import java.io.IOException;
-import java.nio.charset.Charset;
-
-/**
- * A set of helper method for fixture files.
- */
-public class FixtureHelpers {
-  private FixtureHelpers() { /* singleton */ }
-
-  /**
-   * Reads the given fixture file from the classpath (e. g. {@code src/test/resources})
-   * and returns its contents as a UTF-8 string.
-   *
-   * @param filename the filename of the fixture file
-   * @return the contents of {@code src/test/resources/{filename}}
-   * @throws IllegalArgumentException if an I/O error occurs.
-   */
-  public static String fixture(String filename) {
-    return fixture(filename, Charsets.UTF_8);
-  }
-
-  /**
-   * Reads the given fixture file from the classpath (e. g. {@code src/test/resources})
-   * and returns its contents as a string.
-   *
-   * @param filename the filename of the fixture file
-   * @param charset  the character set of {@code filename}
-   * @return the contents of {@code src/test/resources/{filename}}
-   * @throws IllegalArgumentException if an I/O error occurs.
-   */
-  private static String fixture(String filename, Charset charset) {
-    try {
-      return Resources.toString(Resources.getResource(filename), charset).trim();
-    } catch (IOException e) {
-      throw new IllegalArgumentException(e);
-    }
-  }
-}

gcm-sender-async/src/test/java/org/whispersystems/gcm/server/util/JsonHelpers.java

@@ -1,30 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.gcm.server.util;
-
-import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.JsonNode;
-import com.fasterxml.jackson.databind.ObjectMapper;
-
-import java.io.IOException;
-
-import static org.whispersystems.gcm.server.util.FixtureHelpers.fixture;
-
-public class JsonHelpers {
-
-  private static final ObjectMapper objectMapper = new ObjectMapper();
-
-  public static String asJson(Object object) throws JsonProcessingException {
-    return objectMapper.writeValueAsString(object);
-  }
-
-  public static <T> T fromJson(String value, Class<T> clazz) throws IOException {
-    return objectMapper.readValue(value, clazz);
-  }
-
-  public static String jsonFixture(String filename) throws IOException {
-    return objectMapper.writeValueAsString(objectMapper.readValue(fixture(filename), JsonNode.class));
-  }
-}

gcm-sender-async/src/test/resources/fixtures/message-complete.json

@@ -1,7 +0,0 @@
-{
-  "priority" : "high",
-  "collapse_key" : "collapse",
-  "time_to_live" : 10,
-  "delay_while_idle" : true,
-  "registration_ids" : ["1"]
-}

gcm-sender-async/src/test/resources/fixtures/message-data.json

@@ -1,7 +0,0 @@
-{
-  "data" : {
-    "key1" : "value1",
-    "key2" : "value2"
-  },
-  "registration_ids" : ["2"]
-}

gcm-sender-async/src/test/resources/fixtures/message-minimal.json

@@ -1,3 +0,0 @@
-{
-  "registration_ids" : ["1"]
-}

gcm-sender-async/src/test/resources/fixtures/response-not-registered.json

@@ -1,8 +0,0 @@
-{ "multicast_id": 216,
-  "success": 0,
-  "failure": 1,
-  "canonical_ids": 0,
-  "results": [
-    { "error": "NotRegistered"}
-  ]
-}

gcm-sender-async/src/test/resources/fixtures/response-success.json

@@ -1,8 +0,0 @@
-{ "multicast_id": 108,
-  "success": 1,
-  "failure": 0,
-  "canonical_ids": 0,
-  "results": [
-    { "message_id": "1:08" }
-  ]
-}

gcm-sender-async/src/test/resources/logback-test.xml

@@ -1,8 +0,0 @@
-<configuration>
-  <!-- Turning down the wiremock logging -->
-  <logger name="com.github.tomakehurst.wiremock" level="WARN"/>
-  <logger name="wiremock.org" level="ERROR"/>
-  <logger name="WireMock" level="WARN"/>
-  <!-- wiremock has per endpoint servlet logging -->
-  <logger name="/" level="WARN"/>
-</configuration>

mvnw

@@ -0,0 +1,316 @@
+#!/bin/sh
+# ----------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+# ----------------------------------------------------------------------------
+
+# ----------------------------------------------------------------------------
+# Maven Start Up Batch script
+#
+# Required ENV vars:
+# ------------------
+#   JAVA_HOME - location of a JDK home dir
+#
+# Optional ENV vars
+# -----------------
+#   M2_HOME - location of maven2's installed home dir
+#   MAVEN_OPTS - parameters passed to the Java VM when running Maven
+#     e.g. to debug Maven itself, use
+#       set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
+#   MAVEN_SKIP_RC - flag to disable loading of mavenrc files
+# ----------------------------------------------------------------------------
+
+if [ -z "$MAVEN_SKIP_RC" ] ; then
+
+  if [ -f /usr/local/etc/mavenrc ] ; then
+    . /usr/local/etc/mavenrc
+  fi
+
+  if [ -f /etc/mavenrc ] ; then
+    . /etc/mavenrc
+  fi
+
+  if [ -f "$HOME/.mavenrc" ] ; then
+    . "$HOME/.mavenrc"
+  fi
+
+fi
+
+# OS specific support.  $var _must_ be set to either true or false.
+cygwin=false;
+darwin=false;
+mingw=false
+case "`uname`" in
+  CYGWIN*) cygwin=true ;;
+  MINGW*) mingw=true;;
+  Darwin*) darwin=true
+    # Use /usr/libexec/java_home if available, otherwise fall back to /Library/Java/Home
+    # See https://developer.apple.com/library/mac/qa/qa1170/_index.html
+    if [ -z "$JAVA_HOME" ]; then
+      if [ -x "/usr/libexec/java_home" ]; then
+        export JAVA_HOME="`/usr/libexec/java_home`"
+      else
+        export JAVA_HOME="/Library/Java/Home"
+      fi
+    fi
+    ;;
+esac
+
+if [ -z "$JAVA_HOME" ] ; then
+  if [ -r /etc/gentoo-release ] ; then
+    JAVA_HOME=`java-config --jre-home`
+  fi
+fi
+
+if [ -z "$M2_HOME" ] ; then
+  ## resolve links - $0 may be a link to maven's home
+  PRG="$0"
+
+  # need this for relative symlinks
+  while [ -h "$PRG" ] ; do
+    ls=`ls -ld "$PRG"`
+    link=`expr "$ls" : '.*-> \(.*\)$'`
+    if expr "$link" : '/.*' > /dev/null; then
+      PRG="$link"
+    else
+      PRG="`dirname "$PRG"`/$link"
+    fi
+  done
+
+  saveddir=`pwd`
+
+  M2_HOME=`dirname "$PRG"`/..
+
+  # make it fully qualified
+  M2_HOME=`cd "$M2_HOME" && pwd`
+
+  cd "$saveddir"
+  # echo Using m2 at $M2_HOME
+fi
+
+# For Cygwin, ensure paths are in UNIX format before anything is touched
+if $cygwin ; then
+  [ -n "$M2_HOME" ] &&
+    M2_HOME=`cygpath --unix "$M2_HOME"`
+  [ -n "$JAVA_HOME" ] &&
+    JAVA_HOME=`cygpath --unix "$JAVA_HOME"`
+  [ -n "$CLASSPATH" ] &&
+    CLASSPATH=`cygpath --path --unix "$CLASSPATH"`
+fi
+
+# For Mingw, ensure paths are in UNIX format before anything is touched
+if $mingw ; then
+  [ -n "$M2_HOME" ] &&
+    M2_HOME="`(cd "$M2_HOME"; pwd)`"
+  [ -n "$JAVA_HOME" ] &&
+    JAVA_HOME="`(cd "$JAVA_HOME"; pwd)`"
+fi
+
+if [ -z "$JAVA_HOME" ]; then
+  javaExecutable="`which javac`"
+  if [ -n "$javaExecutable" ] && ! [ "`expr \"$javaExecutable\" : '\([^ ]*\)'`" = "no" ]; then
+    # readlink(1) is not available as standard on Solaris 10.
+    readLink=`which readlink`
+    if [ ! `expr "$readLink" : '\([^ ]*\)'` = "no" ]; then
+      if $darwin ; then
+        javaHome="`dirname \"$javaExecutable\"`"
+        javaExecutable="`cd \"$javaHome\" && pwd -P`/javac"
+      else
+        javaExecutable="`readlink -f \"$javaExecutable\"`"
+      fi
+      javaHome="`dirname \"$javaExecutable\"`"
+      javaHome=`expr "$javaHome" : '\(.*\)/bin'`
+      JAVA_HOME="$javaHome"
+      export JAVA_HOME
+    fi
+  fi
+fi
+
+if [ -z "$JAVACMD" ] ; then
+  if [ -n "$JAVA_HOME"  ] ; then
+    if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
+      # IBM's JDK on AIX uses strange locations for the executables
+      JAVACMD="$JAVA_HOME/jre/sh/java"
+    else
+      JAVACMD="$JAVA_HOME/bin/java"
+    fi
+  else
+    JAVACMD="`\\unset -f command; \\command -v java`"
+  fi
+fi
+
+if [ ! -x "$JAVACMD" ] ; then
+  echo "Error: JAVA_HOME is not defined correctly." >&2
+  echo "  We cannot execute $JAVACMD" >&2
+  exit 1
+fi
+
+if [ -z "$JAVA_HOME" ] ; then
+  echo "Warning: JAVA_HOME environment variable is not set."
+fi
+
+CLASSWORLDS_LAUNCHER=org.codehaus.plexus.classworlds.launcher.Launcher
+
+# traverses directory structure from process work directory to filesystem root
+# first directory with .mvn subdirectory is considered project base directory
+find_maven_basedir() {
+
+  if [ -z "$1" ]
+  then
+    echo "Path not specified to find_maven_basedir"
+    return 1
+  fi
+
+  basedir="$1"
+  wdir="$1"
+  while [ "$wdir" != '/' ] ; do
+    if [ -d "$wdir"/.mvn ] ; then
+      basedir=$wdir
+      break
+    fi
+    # workaround for JBEAP-8937 (on Solaris 10/Sparc)
+    if [ -d "${wdir}" ]; then
+      wdir=`cd "$wdir/.."; pwd`
+    fi
+    # end of workaround
+  done
+  echo "${basedir}"
+}
+
+# concatenates all lines of a file
+concat_lines() {
+  if [ -f "$1" ]; then
+    echo "$(tr -s '\n' ' ' < "$1")"
+  fi
+}
+
+BASE_DIR=`find_maven_basedir "$(pwd)"`
+if [ -z "$BASE_DIR" ]; then
+  exit 1;
+fi
+
+##########################################################################################
+# Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
+# This allows using the maven wrapper in projects that prohibit checking in binary data.
+##########################################################################################
+if [ -r "$BASE_DIR/.mvn/wrapper/maven-wrapper.jar" ]; then
+    if [ "$MVNW_VERBOSE" = true ]; then
+      echo "Found .mvn/wrapper/maven-wrapper.jar"
+    fi
+else
+    if [ "$MVNW_VERBOSE" = true ]; then
+      echo "Couldn't find .mvn/wrapper/maven-wrapper.jar, downloading it ..."
+    fi
+    if [ -n "$MVNW_REPOURL" ]; then
+      jarUrl="$MVNW_REPOURL/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar"
+    else
+      jarUrl="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar"
+    fi
+    while IFS="=" read key value; do
+      case "$key" in (wrapperUrl) jarUrl="$value"; break ;;
+      esac
+    done < "$BASE_DIR/.mvn/wrapper/maven-wrapper.properties"
+    if [ "$MVNW_VERBOSE" = true ]; then
+      echo "Downloading from: $jarUrl"
+    fi
+    wrapperJarPath="$BASE_DIR/.mvn/wrapper/maven-wrapper.jar"
+    if $cygwin; then
+      wrapperJarPath=`cygpath --path --windows "$wrapperJarPath"`
+    fi
+
+    if command -v wget > /dev/null; then
+        if [ "$MVNW_VERBOSE" = true ]; then
+          echo "Found wget ... using wget"
+        fi
+        if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
+            wget "$jarUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath"
+        else
+            wget --http-user=$MVNW_USERNAME --http-password=$MVNW_PASSWORD "$jarUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath"
+        fi
+    elif command -v curl > /dev/null; then
+        if [ "$MVNW_VERBOSE" = true ]; then
+          echo "Found curl ... using curl"
+        fi
+        if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
+            curl -o "$wrapperJarPath" "$jarUrl" -f
+        else
+            curl --user $MVNW_USERNAME:$MVNW_PASSWORD -o "$wrapperJarPath" "$jarUrl" -f
+        fi
+
+    else
+        if [ "$MVNW_VERBOSE" = true ]; then
+          echo "Falling back to using Java to download"
+        fi
+        javaClass="$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.java"
+        # For Cygwin, switch paths to Windows format before running javac
+        if $cygwin; then
+          javaClass=`cygpath --path --windows "$javaClass"`
+        fi
+        if [ -e "$javaClass" ]; then
+            if [ ! -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
+                if [ "$MVNW_VERBOSE" = true ]; then
+                  echo " - Compiling MavenWrapperDownloader.java ..."
+                fi
+                # Compiling the Java class
+                ("$JAVA_HOME/bin/javac" "$javaClass")
+            fi
+            if [ -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
+                # Running the downloader
+                if [ "$MVNW_VERBOSE" = true ]; then
+                  echo " - Running MavenWrapperDownloader.java ..."
+                fi
+                ("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$MAVEN_PROJECTBASEDIR")
+            fi
+        fi
+    fi
+fi
+##########################################################################################
+# End of extension
+##########################################################################################
+
+export MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"}
+if [ "$MVNW_VERBOSE" = true ]; then
+  echo $MAVEN_PROJECTBASEDIR
+fi
+MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS"
+
+# For Cygwin, switch paths to Windows format before running java
+if $cygwin; then
+  [ -n "$M2_HOME" ] &&
+    M2_HOME=`cygpath --path --windows "$M2_HOME"`
+  [ -n "$JAVA_HOME" ] &&
+    JAVA_HOME=`cygpath --path --windows "$JAVA_HOME"`
+  [ -n "$CLASSPATH" ] &&
+    CLASSPATH=`cygpath --path --windows "$CLASSPATH"`
+  [ -n "$MAVEN_PROJECTBASEDIR" ] &&
+    MAVEN_PROJECTBASEDIR=`cygpath --path --windows "$MAVEN_PROJECTBASEDIR"`
+fi
+
+# Provide a "standardized" way to retrieve the CLI args that will
+# work with both Windows and non-Windows executions.
+MAVEN_CMD_LINE_ARGS="$MAVEN_CONFIG $@"
+export MAVEN_CMD_LINE_ARGS
+
+WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
+
+exec "$JAVACMD" \
+  $MAVEN_OPTS \
+  $MAVEN_DEBUG_OPTS \
+  -classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \
+  "-Dmaven.home=${M2_HOME}" \
+  "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \
+  ${WRAPPER_LAUNCHER} $MAVEN_CONFIG "$@"

mvnw.cmd

@@ -0,0 +1,188 @@
+@REM ----------------------------------------------------------------------------
+@REM Licensed to the Apache Software Foundation (ASF) under one
+@REM or more contributor license agreements.  See the NOTICE file
+@REM distributed with this work for additional information
+@REM regarding copyright ownership.  The ASF licenses this file
+@REM to you under the Apache License, Version 2.0 (the
+@REM "License"); you may not use this file except in compliance
+@REM with the License.  You may obtain a copy of the License at
+@REM
+@REM    http://www.apache.org/licenses/LICENSE-2.0
+@REM
+@REM Unless required by applicable law or agreed to in writing,
+@REM software distributed under the License is distributed on an
+@REM "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+@REM KIND, either express or implied.  See the License for the
+@REM specific language governing permissions and limitations
+@REM under the License.
+@REM ----------------------------------------------------------------------------
+
+@REM ----------------------------------------------------------------------------
+@REM Maven Start Up Batch script
+@REM
+@REM Required ENV vars:
+@REM JAVA_HOME - location of a JDK home dir
+@REM
+@REM Optional ENV vars
+@REM M2_HOME - location of maven2's installed home dir
+@REM MAVEN_BATCH_ECHO - set to 'on' to enable the echoing of the batch commands
+@REM MAVEN_BATCH_PAUSE - set to 'on' to wait for a keystroke before ending
+@REM MAVEN_OPTS - parameters passed to the Java VM when running Maven
+@REM     e.g. to debug Maven itself, use
+@REM set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
+@REM MAVEN_SKIP_RC - flag to disable loading of mavenrc files
+@REM ----------------------------------------------------------------------------
+
+@REM Begin all REM lines with '@' in case MAVEN_BATCH_ECHO is 'on'
+@echo off
+@REM set title of command window
+title %0
+@REM enable echoing by setting MAVEN_BATCH_ECHO to 'on'
+@if "%MAVEN_BATCH_ECHO%" == "on"  echo %MAVEN_BATCH_ECHO%
+
+@REM set %HOME% to equivalent of $HOME
+if "%HOME%" == "" (set "HOME=%HOMEDRIVE%%HOMEPATH%")
+
+@REM Execute a user defined script before this one
+if not "%MAVEN_SKIP_RC%" == "" goto skipRcPre
+@REM check for pre script, once with legacy .bat ending and once with .cmd ending
+if exist "%USERPROFILE%\mavenrc_pre.bat" call "%USERPROFILE%\mavenrc_pre.bat" %*
+if exist "%USERPROFILE%\mavenrc_pre.cmd" call "%USERPROFILE%\mavenrc_pre.cmd" %*
+:skipRcPre
+
+@setlocal
+
+set ERROR_CODE=0
+
+@REM To isolate internal variables from possible post scripts, we use another setlocal
+@setlocal
+
+@REM ==== START VALIDATION ====
+if not "%JAVA_HOME%" == "" goto OkJHome
+
+echo.
+echo Error: JAVA_HOME not found in your environment. >&2
+echo Please set the JAVA_HOME variable in your environment to match the >&2
+echo location of your Java installation. >&2
+echo.
+goto error
+
+:OkJHome
+if exist "%JAVA_HOME%\bin\java.exe" goto init
+
+echo.
+echo Error: JAVA_HOME is set to an invalid directory. >&2
+echo JAVA_HOME = "%JAVA_HOME%" >&2
+echo Please set the JAVA_HOME variable in your environment to match the >&2
+echo location of your Java installation. >&2
+echo.
+goto error
+
+@REM ==== END VALIDATION ====
+
+:init
+
+@REM Find the project base dir, i.e. the directory that contains the folder ".mvn".
+@REM Fallback to current working directory if not found.
+
+set MAVEN_PROJECTBASEDIR=%MAVEN_BASEDIR%
+IF NOT "%MAVEN_PROJECTBASEDIR%"=="" goto endDetectBaseDir
+
+set EXEC_DIR=%CD%
+set WDIR=%EXEC_DIR%
+:findBaseDir
+IF EXIST "%WDIR%"\.mvn goto baseDirFound
+cd ..
+IF "%WDIR%"=="%CD%" goto baseDirNotFound
+set WDIR=%CD%
+goto findBaseDir
+
+:baseDirFound
+set MAVEN_PROJECTBASEDIR=%WDIR%
+cd "%EXEC_DIR%"
+goto endDetectBaseDir
+
+:baseDirNotFound
+set MAVEN_PROJECTBASEDIR=%EXEC_DIR%
+cd "%EXEC_DIR%"
+
+:endDetectBaseDir
+
+IF NOT EXIST "%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config" goto endReadAdditionalConfig
+
+@setlocal EnableExtensions EnableDelayedExpansion
+for /F "usebackq delims=" %%a in ("%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config") do set JVM_CONFIG_MAVEN_PROPS=!JVM_CONFIG_MAVEN_PROPS! %%a
+@endlocal & set JVM_CONFIG_MAVEN_PROPS=%JVM_CONFIG_MAVEN_PROPS%
+
+:endReadAdditionalConfig
+
+SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe"
+set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar"
+set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
+
+set DOWNLOAD_URL="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar"
+
+FOR /F "usebackq tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO (
+    IF "%%A"=="wrapperUrl" SET DOWNLOAD_URL=%%B
+)
+
+@REM Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
+@REM This allows using the maven wrapper in projects that prohibit checking in binary data.
+if exist %WRAPPER_JAR% (
+    if "%MVNW_VERBOSE%" == "true" (
+        echo Found %WRAPPER_JAR%
+    )
+) else (
+    if not "%MVNW_REPOURL%" == "" (
+        SET DOWNLOAD_URL="%MVNW_REPOURL%/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar"
+    )
+    if "%MVNW_VERBOSE%" == "true" (
+        echo Couldn't find %WRAPPER_JAR%, downloading it ...
+        echo Downloading from: %DOWNLOAD_URL%
+    )
+
+    powershell -Command "&{"^
+		"$webclient = new-object System.Net.WebClient;"^
+		"if (-not ([string]::IsNullOrEmpty('%MVNW_USERNAME%') -and [string]::IsNullOrEmpty('%MVNW_PASSWORD%'))) {"^
+		"$webclient.Credentials = new-object System.Net.NetworkCredential('%MVNW_USERNAME%', '%MVNW_PASSWORD%');"^
+		"}"^
+		"[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $webclient.DownloadFile('%DOWNLOAD_URL%', '%WRAPPER_JAR%')"^
+		"}"
+    if "%MVNW_VERBOSE%" == "true" (
+        echo Finished downloading %WRAPPER_JAR%
+    )
+)
+@REM End of extension
+
+@REM Provide a "standardized" way to retrieve the CLI args that will
+@REM work with both Windows and non-Windows executions.
+set MAVEN_CMD_LINE_ARGS=%*
+
+%MAVEN_JAVA_EXE% ^
+  %JVM_CONFIG_MAVEN_PROPS% ^
+  %MAVEN_OPTS% ^
+  %MAVEN_DEBUG_OPTS% ^
+  -classpath %WRAPPER_JAR% ^
+  "-Dmaven.multiModuleProjectDirectory=%MAVEN_PROJECTBASEDIR%" ^
+  %WRAPPER_LAUNCHER% %MAVEN_CONFIG% %*
+if ERRORLEVEL 1 goto error
+goto end
+
+:error
+set ERROR_CODE=1
+
+:end
+@endlocal & set ERROR_CODE=%ERROR_CODE%
+
+if not "%MAVEN_SKIP_RC%"=="" goto skipRcPost
+@REM check for post script, once with legacy .bat ending and once with .cmd ending
+if exist "%USERPROFILE%\mavenrc_post.bat" call "%USERPROFILE%\mavenrc_post.bat"
+if exist "%USERPROFILE%\mavenrc_post.cmd" call "%USERPROFILE%\mavenrc_post.cmd"
+:skipRcPost
+
+@REM pause the script if MAVEN_BATCH_PAUSE is set to 'on'
+if "%MAVEN_BATCH_PAUSE%"=="on" pause
+
+if "%MAVEN_TERMINATE_CMD%"=="on" exit %ERROR_CODE%
+
+cmd /C exit /B %ERROR_CODE%

pom.xml

@@ -21,40 +21,52 @@
     </repository>
   </repositories>
 
+  <pluginRepositories>
+    <pluginRepository>
+      <id>ossrh-snapshots</id>
+      <url>https://oss.sonatype.org/content/repositories/snapshots</url>
+      <releases>
+        <enabled>false</enabled>
+      </releases>
+      <snapshots>
+        <enabled>true</enabled>
+      </snapshots>
+    </pluginRepository>
+  </pluginRepositories>
+
   <modules>
     <module>redis-dispatch</module>
     <module>websocket-resources</module>
-    <module>gcm-sender-async</module>
     <module>service</module>
   </modules>
 
   <properties>
-    <aws.sdk.version>1.11.939</aws.sdk.version>
-    <aws.sdk2.version>2.16.66</aws.sdk2.version>
+    <aws.sdk.version>1.12.287</aws.sdk.version>
+    <aws.sdk2.version>2.17.258</aws.sdk2.version>
     <commons-codec.version>1.15</commons-codec.version>
     <commons-csv.version>1.8</commons-csv.version>
     <commons-io.version>2.9.0</commons-io.version>
-    <dropwizard.version>2.0.22</dropwizard.version>
+    <dropwizard.version>2.0.32</dropwizard.version>
     <dropwizard-metrics-datadog.version>1.1.13</dropwizard-metrics-datadog.version>
-    <gson.version>2.8.8</gson.version>
+    <gson.version>2.9.0</gson.version>
     <guava.version>30.1.1-jre</guava.version>
+    <jackson.version>2.13.3</jackson.version>
     <jaxb.version>2.3.1</jaxb.version>
     <jedis.version>2.9.0</jedis.version>
-    <lettuce.version>6.0.4.RELEASE</lettuce.version>
-    <libphonenumber.version>8.12.33</libphonenumber.version>
-    <logstash.logback.version>6.6</logstash.logback.version>
-    <micrometer.version>1.5.3</micrometer.version>
-    <mockito.version>3.11.1</mockito.version>
-    <netty.version>4.1.65.Final</netty.version>
-    <netty.tcnative-boringssl-static.version>2.0.39.Final</netty.tcnative-boringssl-static.version>
+    <lettuce.version>6.1.9.RELEASE</lettuce.version>
+    <libphonenumber.version>8.12.54</libphonenumber.version>
+    <logstash.logback.version>7.0.1</logstash.logback.version>
+    <micrometer.version>1.9.3</micrometer.version>
+    <mockito.version>4.7.0</mockito.version>
+    <netty.version>4.1.79.Final</netty.version>
     <opentest4j.version>1.2.0</opentest4j.version>
-    <postgresql.version>9.4-1201-jdbc41</postgresql.version>
-    <protobuf.version>3.17.1</protobuf.version>
-    <pushy.version>0.15.0</pushy.version>
+    <protobuf.version>3.19.4</protobuf.version>
+    <pushy.version>0.15.1</pushy.version>
     <resilience4j.version>1.5.0</resilience4j.version>
     <semver4j.version>3.1.0</semver4j.version>
     <slf4j.version>1.7.30</slf4j.version>
-    <stripe.version>20.79.0</stripe.version>
+    <stripe.version>21.2.0</stripe.version>
+    <vavr.version>0.10.4</vavr.version>
 
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
   </properties>
@@ -65,6 +77,13 @@
 
   <dependencyManagement>
     <dependencies>
+      <dependency>
+        <groupId>com.fasterxml.jackson</groupId>
+        <artifactId>jackson-bom</artifactId>
+        <version>2.13.3</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
       <dependency>
         <groupId>io.dropwizard</groupId>
         <artifactId>dropwizard-dependencies</artifactId>
@@ -161,10 +180,9 @@
         <version>${lettuce.version}</version>
       </dependency>
       <dependency>
-        <groupId>io.netty</groupId>
-        <artifactId>netty-tcnative-boringssl-static</artifactId>
-        <version>${netty.tcnative-boringssl-static.version}</version>
-        <scope>runtime</scope>
+        <groupId>io.vavr</groupId>
+        <artifactId>vavr</artifactId>
+        <version>${vavr.version}</version>
       </dependency>
       <dependency>
         <groupId>javax.xml.bind</groupId>
@@ -210,12 +228,6 @@
         <version>${opentest4j.version}</version>
         <scope>test</scope>
       </dependency>
-      <dependency>
-        <groupId>org.postgresql</groupId>
-        <artifactId>postgresql</artifactId>
-        <version>${postgresql.version}</version>
-        <scope>runtime</scope>
-      </dependency>
       <dependency>
         <groupId>org.slf4j</groupId>
         <artifactId>slf4j-api</artifactId>
@@ -253,6 +265,24 @@
         <artifactId>gson</artifactId>
         <version>${gson.version}</version>
       </dependency>
+      <dependency>
+        <groupId>org.signal</groupId>
+        <artifactId>embedded-redis</artifactId>
+        <version>0.8.3</version>
+        <scope>test</scope>
+      </dependency>
+      <dependency>
+        <groupId>org.signal</groupId>
+        <artifactId>libsignal-server</artifactId>
+        <version>0.18.0</version>
+      </dependency>
+      <dependency>
+        <groupId>org.apache.logging.log4j</groupId>
+        <artifactId>log4j-bom</artifactId>
+        <version>2.17.1</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
     </dependencies>
   </dependencyManagement>
 
@@ -266,7 +296,7 @@
     <dependency>
       <groupId>com.github.tomakehurst</groupId>
       <artifactId>wiremock-jre8</artifactId>
-      <version>2.31.0</version>
+      <version>2.33.2</version>
       <scope>test</scope>
       <exclusions>
         <exclusion>
@@ -291,8 +321,8 @@
       <scope>test</scope>
     </dependency>
     <dependency>
-      <groupId>junit</groupId>
-      <artifactId>junit</artifactId>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter-api</artifactId>
       <scope>test</scope>
     </dependency>
 
@@ -337,6 +367,7 @@
         <version>0.6.1</version>
         <configuration>
           <protocArtifact>com.google.protobuf:protoc:3.18.0:exe:${os.detected.classifier}</protocArtifact>
+          <checkStaleness>true</checkStaleness>
         </configuration>
         <executions>
           <execution>
@@ -353,8 +384,7 @@
         <artifactId>maven-compiler-plugin</artifactId>
         <version>3.8.1</version>
         <configuration>
-          <source>11</source>
-          <target>11</target>
+          <release>17</release>
         </configuration>
       </plugin>
 
@@ -418,7 +448,7 @@
               <rules>
                 <dependencyConvergence/>
                 <requireMavenVersion>
-                  <version>3.0.0</version>
+                  <version>3.8.3</version>
                 </requireMavenVersion>
               </rules>
             </configuration>

redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/PubSubConnection.java

@@ -115,7 +115,7 @@ public class PubSubConnection {
     byte[]            channelName       = inputStream.readFully(channelNameHeader.getStringLength());
     inputStream.readLine();
 
-    IntReply subscriptionCount = new IntReply(inputStream.readLine());
+    new IntReply(inputStream.readLine());
 
     return new String(channelName);
   }

redis-dispatch/src/test/java/org/whispersystems/dispatch/DispatchManagerTest.java

@@ -4,28 +4,25 @@
  */
 package org.whispersystems.dispatch;
 
-import org.junit.Rule;
-import org.junit.Test;
-import org.junit.rules.ExternalResource;
-import org.mockito.ArgumentCaptor;
-import org.mockito.invocation.InvocationOnMock;
-import org.mockito.stubbing.Answer;
-import org.whispersystems.dispatch.io.RedisPubSubConnectionFactory;
-import org.whispersystems.dispatch.redis.PubSubConnection;
-import org.whispersystems.dispatch.redis.PubSubReply;
-
-import java.io.IOException;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Optional;
-
-import static org.junit.Assert.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.mockito.Mockito.eq;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.timeout;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Optional;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.mockito.ArgumentCaptor;
+import org.mockito.stubbing.Answer;
+import org.whispersystems.dispatch.io.RedisPubSubConnectionFactory;
+import org.whispersystems.dispatch.redis.PubSubConnection;
+import org.whispersystems.dispatch.redis.PubSubReply;
+
 public class DispatchManagerTest {
 
   private PubSubConnection             pubSubConnection;
@@ -33,31 +30,23 @@ public class DispatchManagerTest {
   private DispatchManager              dispatchManager;
   private PubSubReplyInputStream       pubSubReplyInputStream;
 
-  @Rule
-  public ExternalResource resource = new ExternalResource() {
-    @Override
-    protected void before() throws Throwable {
-      pubSubConnection       = mock(PubSubConnection.class  );
-      socketFactory          = mock(RedisPubSubConnectionFactory.class);
-      pubSubReplyInputStream = new PubSubReplyInputStream();
+  @BeforeEach
+  void setUp() throws Exception {
+    pubSubConnection       = mock(PubSubConnection.class  );
+    socketFactory          = mock(RedisPubSubConnectionFactory.class);
+    pubSubReplyInputStream = new PubSubReplyInputStream();
 
-      when(socketFactory.connect()).thenReturn(pubSubConnection);
-      when(pubSubConnection.read()).thenAnswer(new Answer<PubSubReply>() {
-        @Override
-        public PubSubReply answer(InvocationOnMock invocationOnMock) throws Throwable {
-          return pubSubReplyInputStream.read();
-        }
-      });
+    when(socketFactory.connect()).thenReturn(pubSubConnection);
+    when(pubSubConnection.read()).thenAnswer((Answer<PubSubReply>) invocationOnMock -> pubSubReplyInputStream.read());
 
-      dispatchManager = new DispatchManager(socketFactory, Optional.empty());
-      dispatchManager.start();
-    }
+    dispatchManager = new DispatchManager(socketFactory, Optional.empty());
+    dispatchManager.start();
+  }
 
-    @Override
-    protected void after() {
-
-    }
-  };
+  @AfterEach
+  void tearDown() {
+    dispatchManager.shutdown();
+  }
 
   @Test
   public void testConnect() {
@@ -65,7 +54,7 @@ public class DispatchManagerTest {
   }
 
   @Test
-  public void testSubscribe() throws IOException {
+  public void testSubscribe() {
     DispatchChannel dispatchChannel = mock(DispatchChannel.class);
     dispatchManager.subscribe("foo", dispatchChannel);
     pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.SUBSCRIBE, "foo", Optional.empty()));
@@ -74,7 +63,7 @@ public class DispatchManagerTest {
   }
 
   @Test
-  public void testSubscribeUnsubscribe() throws IOException {
+  public void testSubscribeUnsubscribe() {
     DispatchChannel dispatchChannel = mock(DispatchChannel.class);
     dispatchManager.subscribe("foo", dispatchChannel);
     dispatchManager.unsubscribe("foo", dispatchChannel);
@@ -86,7 +75,7 @@ public class DispatchManagerTest {
   }
 
   @Test
-  public void testMessages() throws IOException {
+  public void testMessages() {
     DispatchChannel fooChannel = mock(DispatchChannel.class);
     DispatchChannel barChannel = mock(DispatchChannel.class);
 

redis-dispatch/src/test/java/org/whispersystems/dispatch/redis/PubSubConnectionTest.java

@@ -4,9 +4,9 @@
  */
 package org.whispersystems.dispatch.redis;
 
-import static org.junit.Assert.assertArrayEquals;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyInt;
 import static org.mockito.Mockito.mock;
@@ -18,12 +18,12 @@ import java.io.InputStream;
 import java.io.OutputStream;
 import java.net.Socket;
 import java.security.SecureRandom;
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.mockito.ArgumentCaptor;
 import org.mockito.invocation.InvocationOnMock;
 import org.mockito.stubbing.Answer;
 
-public class PubSubConnectionTest {
+class PubSubConnectionTest {
 
   private static final String REPLY = "*3\r\n" +
       "$9\r\n" +
@@ -60,8 +60,7 @@ public class PubSubConnectionTest {
 
 
   @Test
-  public void testSubscribe() throws IOException {
-//    ByteChannel      byteChannel = mock(ByteChannel.class);
+  void testSubscribe() throws IOException {
     OutputStream outputStream = mock(OutputStream.class);
     Socket       socket       = mock(Socket.class      );
     when(socket.getOutputStream()).thenReturn(outputStream);
@@ -76,7 +75,7 @@ public class PubSubConnectionTest {
   }
 
   @Test
-  public void testUnsubscribe() throws IOException {
+  void testUnsubscribe() throws IOException {
     OutputStream outputStream = mock(OutputStream.class);
     Socket       socket       = mock(Socket.class      );
     when(socket.getOutputStream()).thenReturn(outputStream);
@@ -91,7 +90,7 @@ public class PubSubConnectionTest {
   }
 
   @Test
-  public void testTricklyResponse() throws Exception {
+  void testTricklyResponse() throws Exception {
     InputStream  inputStream  = mockInputStreamFor(new TrickleInputStream(REPLY.getBytes()));
     OutputStream outputStream = mock(OutputStream.class);
     Socket       socket       = mock(Socket.class      );
@@ -103,7 +102,7 @@ public class PubSubConnectionTest {
   }
 
   @Test
-  public void testFullResponse() throws Exception {
+  void testFullResponse() throws Exception {
     InputStream  inputStream  = mockInputStreamFor(new FullInputStream(REPLY.getBytes()));
     OutputStream outputStream = mock(OutputStream.class);
     Socket       socket       = mock(Socket.class      );
@@ -115,7 +114,7 @@ public class PubSubConnectionTest {
   }
 
   @Test
-  public void testRandomLengthResponse() throws Exception {
+  void testRandomLengthResponse() throws Exception {
     InputStream  inputStream  = mockInputStreamFor(new RandomInputStream(REPLY.getBytes()));
     OutputStream outputStream = mock(OutputStream.class);
     Socket       socket       = mock(Socket.class      );

redis-dispatch/src/test/java/org/whispersystems/dispatch/redis/protocol/ArrayReplyHeaderTest.java

@@ -5,42 +5,41 @@
 package org.whispersystems.dispatch.redis.protocol;
 
 
-import org.junit.Test;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import java.io.IOException;
+import org.junit.jupiter.api.Test;
 
-import static org.junit.Assert.assertEquals;
+class ArrayReplyHeaderTest {
 
-public class ArrayReplyHeaderTest {
-
-
-  @Test(expected = IOException.class)
-  public void testNull() throws IOException {
-    new ArrayReplyHeader(null);
-  }
-
-  @Test(expected = IOException.class)
-  public void testBadPrefix() throws IOException {
-    new ArrayReplyHeader(":3");
-  }
-
-  @Test(expected = IOException.class)
-  public void testEmpty() throws IOException {
-    new ArrayReplyHeader("");
-  }
-
-  @Test(expected = IOException.class)
-  public void testTruncated() throws IOException {
-    new ArrayReplyHeader("*");
-  }
-
-  @Test(expected = IOException.class)
-  public void testBadNumber() throws IOException {
-    new ArrayReplyHeader("*ABC");
+  @Test
+  void testNull() {
+    assertThrows(IOException.class, () -> new ArrayReplyHeader(null));
   }
 
   @Test
-  public void testValid() throws IOException {
+  void testBadPrefix() {
+    assertThrows(IOException.class, () -> new ArrayReplyHeader(":3"));
+  }
+
+  @Test
+  void testEmpty() {
+    assertThrows(IOException.class, () -> new ArrayReplyHeader(""));
+  }
+
+  @Test
+  void testTruncated() {
+    assertThrows(IOException.class, () -> new ArrayReplyHeader("*"));
+  }
+
+  @Test
+  void testBadNumber() {
+    assertThrows(IOException.class, () -> new ArrayReplyHeader("*ABC"));
+  }
+
+  @Test
+  void testValid() throws IOException {
     assertEquals(4, new ArrayReplyHeader("*4").getElementCount());
   }
 

redis-dispatch/src/test/java/org/whispersystems/dispatch/redis/protocol/IntReplyHeaderTest.java

@@ -4,36 +4,36 @@
  */
 package org.whispersystems.dispatch.redis.protocol;
 
-import org.junit.Test;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import java.io.IOException;
+import org.junit.jupiter.api.Test;
 
-import static org.junit.Assert.assertEquals;
+class IntReplyHeaderTest {
 
-public class IntReplyHeaderTest {
-
-  @Test(expected = IOException.class)
-  public void testNull() throws IOException {
-    new IntReply(null);
-  }
-
-  @Test(expected = IOException.class)
-  public void testEmpty() throws IOException {
-    new IntReply("");
-  }
-
-  @Test(expected = IOException.class)
-  public void testBadNumber() throws IOException {
-    new IntReply(":A");
-  }
-
-  @Test(expected = IOException.class)
-  public void testBadFormat() throws IOException {
-    new IntReply("*");
+  @Test
+  void testNull() {
+    assertThrows(IOException.class, () -> new IntReply(null));
   }
 
   @Test
-  public void testValid() throws IOException {
+  void testEmpty() {
+    assertThrows(IOException.class, () -> new IntReply(""));
+  }
+
+  @Test
+  void testBadNumber() {
+    assertThrows(IOException.class, () -> new IntReply(":A"));
+  }
+
+  @Test
+  void testBadFormat() {
+    assertThrows(IOException.class, () -> new IntReply("*"));
+  }
+
+  @Test
+  void testValid() throws IOException {
     assertEquals(23, new IntReply(":23").getValue());
   }
 }

redis-dispatch/src/test/java/org/whispersystems/dispatch/redis/protocol/StringReplyHeaderTest.java

@@ -4,48 +4,32 @@
  */
 package org.whispersystems.dispatch.redis.protocol;
 
-import org.junit.Test;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import java.io.IOException;
+import org.junit.jupiter.api.Test;
 
-import static org.junit.Assert.assertEquals;
-
-public class StringReplyHeaderTest {
+class StringReplyHeaderTest {
 
   @Test
-  public void testNull() {
-    try {
-      new StringReplyHeader(null);
-      throw new AssertionError();
-    } catch (IOException e) {
-      // good
-    }
+  void testNull() {
+    assertThrows(IOException.class, () -> new StringReplyHeader(null));
   }
 
   @Test
-  public void testBadNumber() {
-    try {
-      new StringReplyHeader("$100A");
-      throw new AssertionError();
-    } catch (IOException e) {
-      // good
-    }
+  void testBadNumber() {
+    assertThrows(IOException.class, () -> new StringReplyHeader("$100A"));
   }
 
   @Test
-  public void testBadPrefix() {
-    try {
-      new StringReplyHeader("*");
-      throw new AssertionError();
-    } catch (IOException e) {
-      // good
-    }
+  void testBadPrefix() {
+    assertThrows(IOException.class, () -> new StringReplyHeader("*"));
   }
 
   @Test
-  public void testValid() throws IOException {
+  void testValid() throws IOException {
     assertEquals(1000, new StringReplyHeader("$1000").getStringLength());
   }
 
-
 }

service/config/sample.yml

@@ -1,59 +1,88 @@
+# Example, relatively minimal, configuration that passes validation (see `io.dropwizard.cli.CheckCommand`)
+#
+# `unset` values will need to be set to work properly.
+# Most other values are technically valid for a local/demonstration environment, but are probably not production-ready.
+
 stripe:
-  apiKey:
-  idempotencyKeyGenerator:
+  apiKey: unset
+  idempotencyKeyGenerator: abcdefg12345678= # base64 for creating request idempotency hash
+  boostDescription: >
+    Example
 
 dynamoDbClientConfiguration:
-  region: # AWS Region
+  region: us-west-2 # AWS Region
 
 dynamoDbTables:
+  accounts:
+    tableName: Example_Accounts
+    phoneNumberTableName: Example_Accounts_PhoneNumbers
+    phoneNumberIdentifierTableName: Example_Accounts_PhoneNumberIdentifiers
+    usernamesTableName: Example_Accounts_Usernames
+    scanPageSize: 100
+  deletedAccounts:
+    tableName: Example_DeletedAccounts
+    needsReconciliationIndexName: NeedsReconciliation
+  deletedAccountsLock:
+    tableName: Example_DeletedAccountsLock
   issuedReceipts:
-    tableName: # DDB Table Name
-    expiration: # Duration of time until rows expire
-    generator: # random binary sequence
+    tableName: Example_IssuedReceipts
+    expiration: P30D # Duration of time until rows expire
+    generator: abcdefg12345678= # random base64-encoded binary sequence
+  keys:
+    tableName: Example_Keys
+  messages:
+    tableName: Example_Messages
+    expiration: P30D # Duration of time until rows expire
+  pendingAccounts:
+    tableName: Example_PendingAccounts
+  pendingDevices:
+    tableName: Example_PendingDevices
+  phoneNumberIdentifiers:
+    tableName: Example_PhoneNumberIdentifiers
+  profiles:
+    tableName: Example_Profiles
+  pushChallenge:
+    tableName: Example_PushChallenge
   redeemedReceipts:
-    tableName: # DDB Table Name
-    expiration: # Duration of time until rows expire
+    tableName: Example_RedeemedReceipts
+    expiration: P30D # Duration of time until rows expire
+  remoteConfig:
+    tableName: Example_RemoteConfig
+  reportMessage:
+    tableName: Example_ReportMessage
+  reservedUsernames:
+    tableName: Example_ReservedUsernames
   subscriptions:
-    tableName: # DDB Table Name
+    tableName: Example_Subscriptions
 
 twilio: # Twilio gateway configuration
-  accountId: 
-  accountToken: 
-  nanpaMessagingServiceSid: # Twilio SID for the messaging service to use for NANPA.
-  messagingServiceSid: # Twilio SID for the message service to use for non-NANPA.
-  verifyServiceSid: # Twilio SID for a Verify service
-  localDomain: # Domain Twilio can connect back to for calls. Should be domain of your service.
+  accountId: unset
+  accountToken: unset
+  nanpaMessagingServiceSid: unset # Twilio SID for the messaging service to use for NANPA.
+  messagingServiceSid: unset # Twilio SID for the message service to use for non-NANPA.
+  verifyServiceSid: unset # Twilio SID for a Verify service
+  localDomain: example.com # Domain Twilio can connect back to for calls. Should be domain of your service.
   defaultClientVerificationTexts:
-    ios: # Text to use for the verification message on iOS. Will be passed to String.format with the verification code as argument 1.
-    androidNg: # Text to use for the verification message on android-ng client types. Will be passed to String.format with the verification code as argument 1.
-    android202001: # Text to use for the verification message on android-2020-01 client types. Will be passed to String.format with the verification code as argument 1.
-    android202103: # Text to use for the verification message on android-2021-03 client types. Will be passed to String.format with the verification code as argument 1.
-    generic: # Text to use when the client type is unrecognized. Will be passed to String.format with the verification code as argument 1.
+    ios: example %1$s # Text to use for the verification message on iOS. Will be passed to String.format with the verification code as argument 1.
+    androidNg: example %1$s # Text to use for the verification message on android-ng client types. Will be passed to String.format with the verification code as argument 1.
+    android202001: example %1$s # Text to use for the verification message on android-2020-01 client types. Will be passed to String.format with the verification code as argument 1.
+    android202103: example %1$s # Text to use for the verification message on android-2021-03 client types. Will be passed to String.format with the verification code as argument 1.
+    generic: example %1$s # Text to use when the client type is unrecognized. Will be passed to String.format with the verification code as argument 1.
   regionalClientVerificationTexts: # Map of country codes to custom texts
     999: # example country code
-      ios:
-      # … all keys from defaultClientVerificationTexts are required
-  androidAppHash: # Hash appended to Android
-  verifyServiceFriendlyName: # Service name used in template. Requires Twilio account rep to enable
-
-push:
-  queueSize: # Size of push pending queue
-
-turn: # TURN server configuration
-  secret: # TURN server secret
-  uris:
-    - stun:yourdomain:80
-    - stun:yourdomain.com:443
-    - turn:yourdomain:443?transport=udp
-    - turn:etc.com:80?transport=udp
+      ios: example %1$s # all keys from defaultClientVerificationTexts are required
+      androidNg: example %1$s
+      android202001: example %1$s
+      android202103: example %1$s
+      generic: example %1$s
+  androidAppHash: example # Hash appended to Android
+  verifyServiceFriendlyName: example # Service name used in template. Requires Twilio account rep to enable
 
 cacheCluster: # Redis server configuration for cache cluster
-  urls:
-    - redis://redis.example.com:6379/
+  configurationUri: redis://redis.example.com:6379/
 
 clientPresenceCluster: # Redis server configuration for client presence cluster
-  urls:
-    - redis://redis.example.com:6379/
+  configurationUri: redis://redis.example.com:6379/
 
 pubsub: # Redis server configuration for pubsub cluster
   url: redis://redis.example.com:6379/
@@ -61,152 +90,136 @@ pubsub: # Redis server configuration for pubsub cluster
     - redis://redis.example.com:6379/
 
 pushSchedulerCluster: # Redis server configuration for push scheduler cluster
-  urls:
-    - redis://redis.example.com:6379/
+  configurationUri: redis://redis.example.com:6379/
 
 rateLimitersCluster: # Redis server configuration for rate limiters cluster
-  urls:
-    - redis://redis.example.com:6379/
+  configurationUri: redis://redis.example.com:6379/
 
 directory:
   client: # Configuration for interfacing with Contact Discovery Service cluster
-    userAuthenticationTokenSharedSecret: # hex-encoded secret shared with CDS used to generate auth tokens for Signal users
-    userAuthenticationTokenUserIdSecret: # hex-encoded secret shared among Signal-Servers to obscure user phone numbers from CDS
+    userAuthenticationTokenSharedSecret: 00000f # hex-encoded secret shared with CDS used to generate auth tokens for Signal users
+    userAuthenticationTokenUserIdSecret: 00000f # hex-encoded secret shared among Signal-Servers to obscure user phone numbers from CDS
   sqs:
-    accessKey:      # AWS SQS accessKey
-    accessSecret:   # AWS SQS accessSecret
-    queueUrls:      # AWS SQS queue urls
+    accessKey: test     # AWS SQS accessKey
+    accessSecret: test  # AWS SQS accessSecret
+    queueUrls: # AWS SQS queue urls
       - https://sqs.example.com/directory.fifo
   server: # One or more CDS servers
-    - replicationName:               # CDS replication name
-      replicationUrl:                # CDS replication endpoint base url
-      replicationPassword:           # CDS replication endpoint password
-      replicationCaCertificate:      # CDS replication endpoint TLS certificate trust root
+    - replicationName: example           # CDS replication name
+      replicationUrl: cds.example.com    # CDS replication endpoint base url
+      replicationPassword: example       # CDS replication endpoint password
+      replicationCaCertificate: |        # CDS replication endpoint TLS certificate trust root
+        -----BEGIN CERTIFICATE-----
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        AAAAAAAAAAAAAAAAAAAA
+        -----END CERTIFICATE-----
 
 directoryV2:
   client: # Configuration for interfacing with Contact Discovery Service v2 cluster
-    userAuthenticationTokenSharedSecret: # base64-encoded secret shared with CDS to generate auth tokens for Signal users
+    userAuthenticationTokenSharedSecret: abcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with CDS to generate auth tokens for Signal users
+    userIdTokenSharedSecret: bbcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with CDS to generate auth identity tokens for Signal users
 
 messageCache: # Redis server configuration for message store cache
-  persistDelayMinutes:
-
+  persistDelayMinutes: 1
   cluster:
-    urls:
-      - redis://redis.example.com:6379/
+    configurationUri: redis://redis.example.com:6379/
 
 metricsCluster:
-  urls:
-    - redis://redis.example.com:6379/
-
-messageDynamoDb: # DynamoDB table configuration
-  region:
-  tableName:
-
-keysDynamoDb: # DynamoDB table configuration
-  region:
-  tableName:
-
-accountsDynamoDb: # DynamoDB table configuration
-  region:
-  tableName:
-  phoneNumberTableName:
-
-deletedAccountsDynamoDb: # DynamoDb table configuration
-  region:
-  tableName:
-  needsReconciliationIndexName:
-
-deletedAccountsLockDynamoDb: # DynamoDb table configuration
-  region:
-  tableName:
-
-redeemedReceiptsDynamoDb: # DynamoDB table configuration
-  region:
-  tableName:
-  expirationTime: # ISO8601 Duration
-
-migrationDeletedAccountsDynamoDb: # DynamoDB table configuration
-  region:
-  tableName:
-
-migrationRetryAccountsDynamoDb: # DynamoDB table configuration
-  region:
-  tableName:
-
-pendingAccountsDynamoDb: # DynamoDB table configuration
-  region:
-  tableName:
-
-pendingDevicesDynamoDb: # DynamoDB table configuration
-  region:
-  tableName:
-
-pushChallengeDynamoDb: # DynamoDB table configuration
-  region:
-  tableName:
-
-reportMessageDynamoDb: # DynamoDB table configuration
-  region:
-  tableName:
+  configurationUri: redis://redis.example.com:6379/
 
 awsAttachments: # AWS S3 configuration
-  accessKey:
-  accessSecret:
-  bucket:
-  region:
+  accessKey: test
+  accessSecret: test
+  bucket: aws-attachments
+  region: us-west-2
 
 gcpAttachments: # GCP Storage configuration
-  domain:
-  email:
-  maxSizeInBytes:
+  domain: example.com
+  email: user@example.cocm
+  maxSizeInBytes: 1024
   pathPrefix:
-  rsaSigningKey:
-
-abuseDatabase: # Postgresql database configuration
-  driverClass: org.postgresql.Driver
-  user:
-  password:
-  url:
-
-accountsDatabase: # Postgresql database configuration
-  driverClass: org.postgresql.Driver
-  user:
-  password:
-  url:
+  rsaSigningKey: |
+    -----BEGIN PRIVATE KEY-----
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    AAAAAAAA
+    -----END PRIVATE KEY-----
 
 accountDatabaseCrawler:
-  chunkSize: # accounts per run
-  chunkIntervalMs: # time per run
-
-dynamoDbMigrationCrawler:
-  chunkSize: # accounts per run
-  chunkIntervalMs: # time per run
+  chunkSize: 10           # accounts per run
+  chunkIntervalMs: 60000  # time per run
 
 apn: # Apple Push Notifications configuration
   sandbox: true
-  bundleId:
-  keyId:
-  teamId:
-  signingKey:
+  bundleId: com.example.textsecuregcm
+  keyId: unset
+  teamId: unset
+  signingKey: |
+    -----BEGIN PRIVATE KEY-----
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    AAAAAAAA
+    -----END PRIVATE KEY-----
 
-gcm: # GCM Configuration
-  senderId:
-  apiKey:
+fcm: # FCM configuration
+  credentials: |
+    { "json": true }
 
 cdn:
-  accessKey: # AWS Access Key ID
-  accessSecret: # AWS Access Secret
-  bucket: # S3 Bucket name
-  region: # AWS region
+  accessKey: test    # AWS Access Key ID
+  accessSecret: test # AWS Access Secret
+  bucket: cdn        # S3 Bucket name
+  region: us-west-2  # AWS region
 
 datadog:
-  apiKey:
-  environment:
+  apiKey: unset
+  environment: dev
 
 unidentifiedDelivery:
-  certificate:
-  privateKey:
-  expiresDays:
+  certificate: ABCD1234
+  privateKey: ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789AAAAAAA
+  expiresDays: 7
 
 voiceVerification:
   url: https://cdn-ca.signal.org/verification/
@@ -214,33 +227,69 @@ voiceVerification:
     - en
 
 recaptcha:
-  secret:
-
-recaptchaV2:
-  siteKey:
-  scoreFloor:
-  projectPath:
-  credentialConfigurationJson:
+  projectPath: projects/example
+  credentialConfigurationJson: "{ }" # service account configuration for backend authentication
 
 storageService:
-  uri:
-  userAuthenticationTokenSharedSecret:
-  storageCaCertificate:
+  uri: storage.example.com
+  userAuthenticationTokenSharedSecret: 00000f
+  storageCaCertificate: |
+    -----BEGIN CERTIFICATE-----
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    AAAAAAAAAAAAAAAAAAAA
+    -----END CERTIFICATE-----
 
 backupService:
-  uri:
-  userAuthenticationTokenSharedSecret:
-  backupCaCertificate:
+  uri: backup.example.com
+  userAuthenticationTokenSharedSecret: 00000f
+  backupCaCertificate: |
+    -----BEGIN CERTIFICATE-----
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    AAAAAAAAAAAAAAAAAAAA
+    -----END CERTIFICATE-----
 
 zkConfig:
-  serverPublic:
-  serverSecret:
-  enabled:
+  serverPublic: ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  serverSecret: ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzAA==
 
 appConfig:
-  application:
-  environment:
-  configuration:
+  application: example
+  environment: example
+  configuration: example
 
 remoteConfig:
   authorizedTokens:
@@ -249,48 +298,72 @@ remoteConfig:
     - # ...
     - # Nth authorized token
   globalConfig: # keys and values that are given to clients on GET /v1/config
-
+    EXAMPLE_KEY: VALUE
 
 paymentsService:
-  userAuthenticationTokenSharedSecret: # hex-encoded 32-byte secret shared with MobileCoin services used to generate auth tokens for Signal users
-  fixerApiKey:
+  userAuthenticationTokenSharedSecret: 0000000f0000000f0000000f0000000f0000000f0000000f0000000f0000000f # hex-encoded 32-byte secret shared with MobileCoin services used to generate auth tokens for Signal users
+  fixerApiKey: unset
   paymentCurrencies:
-    -
-
-torExitNodeList:
-  s3Region:
-  s3Bucket:
-  objectKey:
-  maxSize:
-
-asnTable:
-  s3Region:
-  s3Bucket:
-  objectKey:
-  maxSize:
+    # list of symbols for supported currencies
+    - MOB
 
 donation:
-  uri: # value
+  uri: donation.example.com # value
   supportedCurrencies:
     - # 1st supported currency
     - # 2nd supported currency
     - # ...
     - # Nth supported currency
-  circuitBreaker:
-    failureRateThreshold: # value
-    ringBufferSizeInHalfOpenState: # value
-    ringBufferSizeInClosedState: # value
-    waitDurationInOpenStateInSeconds: # value
-  retry:
-    maxAttempts: # value
-    waitDuration: # value
 
 badges:
   badges:
     - id: TEST
-      imageUrl: https://example.com/test-badge
       category: other
+      sprites: # exactly 6
+        - sprite-1.png
+        - sprite-2.png
+        - sprite-3.png
+        - sprite-4.png
+        - sprite-5.png
+        - sprite-6.png
+      svg: example.svg
+      svgs:
+        - light: example-light.svg
+          dark: example-dark.svg
   badgeIdsEnabledForAll:
     - TEST
   receiptLevels:
     '1': TEST
+
+subscription: # configuration for Stripe subscriptions
+  badgeGracePeriod: P15D
+  levels:
+    500:
+      badge: EXAMPLE
+      prices:
+        # list of ISO 4217 currency codes and amounts for the given badge level
+        xts:
+          amount: '10'
+          id: price_example # stripe ID
+
+boost:
+  level: 1
+  expiration: P90D
+  badge: EXAMPLE
+  currencies:
+    # ISO 4217 currency codes and amounts in those currencies
+    xts:
+      - '1'
+      - '2'
+      - '4'
+      - '8'
+      - '20'
+      - '40'
+
+gift:
+  level: 10
+  expiration: P90D
+  badge: EXAMPLE
+  currencies:
+    # ISO 4217 currency codes and amounts in those currencies
+    xts: '2'

service/pom.xml

@@ -10,19 +10,6 @@
   <modelVersion>4.0.0</modelVersion>
   <artifactId>service</artifactId>
 
-  <pluginRepositories>
-    <pluginRepository>
-      <id>ossrh-snapshots</id>
-      <url>https://oss.sonatype.org/content/repositories/snapshots</url>
-      <releases>
-        <enabled>false</enabled>
-      </releases>
-      <snapshots>
-        <enabled>true</enabled>
-      </snapshots>
-    </pluginRepository>
-  </pluginRepositories>
-
   <dependencies>
     <dependency>
       <groupId>jakarta.servlet</groupId>
@@ -47,30 +34,15 @@
       <artifactId>websocket-resources</artifactId>
       <version>${project.version}</version>
     </dependency>
-    <dependency>
-      <groupId>org.whispersystems.textsecure</groupId>
-      <artifactId>gcm-sender-async</artifactId>
-      <version>${project.version}</version>
-    </dependency>
     <dependency>
       <groupId>org.signal</groupId>
-      <artifactId>zkgroup-java</artifactId>
-      <version>0.8.2</version>
-    </dependency>
-    <dependency>
-      <groupId>org.whispersystems</groupId>
-      <artifactId>curve25519-java</artifactId>
-      <version>0.5.0</version>
+      <artifactId>libsignal-server</artifactId>
     </dependency>
 
     <dependency>
       <groupId>io.dropwizard</groupId>
       <artifactId>dropwizard-core</artifactId>
     </dependency>
-    <dependency>
-      <groupId>io.dropwizard</groupId>
-      <artifactId>dropwizard-jdbi3</artifactId>
-    </dependency>
     <dependency>
       <groupId>io.dropwizard</groupId>
       <artifactId>dropwizard-auth</artifactId>
@@ -142,24 +114,10 @@
       <artifactId>logstash-logback-encoder</artifactId>
     </dependency>
 
-    <dependency>
-      <groupId>org.jdbi</groupId>
-      <artifactId>jdbi3-core</artifactId>
-    </dependency>
-
-    <dependency>
-      <groupId>org.liquibase</groupId>
-      <artifactId>liquibase-core</artifactId>
-    </dependency>
-
     <dependency>
       <groupId>io.dropwizard.metrics</groupId>
       <artifactId>metrics-core</artifactId>
     </dependency>
-    <dependency>
-      <groupId>io.dropwizard.metrics</groupId>
-      <artifactId>metrics-jdbi3</artifactId>
-    </dependency>
     <dependency>
       <groupId>io.dropwizard.metrics</groupId>
       <artifactId>metrics-healthchecks</artifactId>
@@ -189,6 +147,12 @@
       <groupId>io.dropwizard</groupId>
       <artifactId>dropwizard-testing</artifactId>
       <scope>test</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>junit</groupId>
+          <artifactId>junit</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
@@ -213,6 +177,39 @@
       <artifactId>commons-csv</artifactId>
     </dependency>
 
+    <dependency>
+      <groupId>com.google.firebase</groupId>
+      <artifactId>firebase-admin</artifactId>
+      <version>9.0.0</version>
+
+      <!-- firebase-admin has conflicting versions of these artifacts in its dependency tree; for firebase-admin
+      9.0.0, we'll need to depend directly on com.google.api-client:google-api-client:1.35.1 and
+      com.google.oauth-client:google-oauth-client:1.34.1 -->
+      <exclusions>
+        <exclusion>
+          <groupId>com.google.api-client</groupId>
+          <artifactId>google-api-client</artifactId>
+        </exclusion>
+
+        <exclusion>
+          <groupId>com.google.oauth-client</groupId>
+          <artifactId>google-oauth-client</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+
+    <dependency>
+      <groupId>com.google.api-client</groupId>
+      <artifactId>google-api-client</artifactId>
+      <version>1.35.1</version>
+    </dependency>
+
+    <dependency>
+      <groupId>com.google.oauth-client</groupId>
+      <artifactId>google-oauth-client</artifactId>
+      <version>1.34.1</version>
+    </dependency>
+
     <dependency>
       <groupId>com.google.code.findbugs</groupId>
       <artifactId>jsr305</artifactId>
@@ -284,6 +281,10 @@
       <groupId>software.amazon.awssdk</groupId>
       <artifactId>appconfig</artifactId>
     </dependency>
+    <dependency>
+      <groupId>software.amazon.awssdk</groupId>
+      <artifactId>appconfigdata</artifactId>
+    </dependency>
     <dependency>
       <groupId>com.amazonaws</groupId>
       <artifactId>aws-java-sdk-core</artifactId>
@@ -314,12 +315,6 @@
       <artifactId>lettuce-core</artifactId>
     </dependency>
 
-    <dependency>
-      <groupId>org.postgresql</groupId>
-      <artifactId>postgresql</artifactId>
-      <scope>runtime</scope>
-    </dependency>
-
     <dependency>
       <groupId>com.eatthepath</groupId>
       <artifactId>pushy</artifactId>
@@ -329,12 +324,6 @@
       <artifactId>pushy-dropwizard-metrics-listener</artifactId>
     </dependency>
 
-    <dependency>
-      <groupId>io.netty</groupId>
-      <artifactId>netty-tcnative-boringssl-static</artifactId>
-      <scope>runtime</scope>
-    </dependency>
-
     <dependency>
       <groupId>com.vdurmont</groupId>
       <artifactId>semver4j</artifactId>
@@ -364,6 +353,12 @@
       <groupId>org.glassfish.jersey.test-framework</groupId>
       <artifactId>jersey-test-framework-core</artifactId>
       <scope>test</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>junit</groupId>
+          <artifactId>junit</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>org.glassfish.jersey.test-framework.providers</groupId>
@@ -381,13 +376,6 @@
       </exclusions>
     </dependency>
 
-    <dependency>
-      <groupId>com.opentable.components</groupId>
-      <artifactId>otj-pg-embedded</artifactId>
-      <version>0.13.3</version>
-      <scope>test</scope>
-    </dependency>
-
     <dependency>
       <groupId>com.almworks.sqlite4java</groupId>
       <artifactId>sqlite4java</artifactId>
@@ -398,29 +386,22 @@
     <dependency>
       <groupId>io.projectreactor</groupId>
       <artifactId>reactor-core</artifactId>
-      <version>3.3.16.RELEASE</version>
+      <version>3.3.22.RELEASE</version>
+    </dependency>
+    <dependency>
+      <groupId>io.vavr</groupId>
+      <artifactId>vavr</artifactId>
     </dependency>
 
-    <dependency>
-      <groupId>org.junit.jupiter</groupId>
-      <artifactId>junit-jupiter-api</artifactId>
-      <scope>test</scope>
-    </dependency>
     <dependency>
       <groupId>org.junit.jupiter</groupId>
       <artifactId>junit-jupiter-params</artifactId>
       <scope>test</scope>
     </dependency>
-    <dependency>
-      <groupId>org.junit.vintage</groupId>
-      <artifactId>junit-vintage-engine</artifactId>
-      <scope>test</scope>
-    </dependency>
 
     <dependency>
       <groupId>org.signal</groupId>
       <artifactId>embedded-redis</artifactId>
-      <version>0.8.1</version>
       <scope>test</scope>
     </dependency>
 
@@ -434,14 +415,8 @@
     <dependency>
       <groupId>com.amazonaws</groupId>
       <artifactId>DynamoDBLocal</artifactId>
-      <version>1.16.0</version>
+      <version>1.17.2</version>
       <scope>test</scope>
-      <exclusions>
-        <exclusion>
-          <groupId>org.antlr</groupId>
-          <artifactId>antlr4-runtime</artifactId>
-        </exclusion>
-      </exclusions>
     </dependency>
 
     <dependency>
@@ -453,13 +428,6 @@
       <groupId>com.stripe</groupId>
       <artifactId>stripe-java</artifactId>
     </dependency>
-
-    <dependency>
-      <groupId>pl.pragmatists</groupId>
-      <artifactId>JUnitParams</artifactId>
-      <version>1.1.1</version>
-      <scope>test</scope>
-    </dependency>
   </dependencies>
 
   <profiles>
@@ -593,6 +561,28 @@
           </execution>
         </executions>
       </plugin>
+
+      <plugin>
+        <groupId>org.codehaus.mojo</groupId>
+        <artifactId>exec-maven-plugin</artifactId>
+        <version>3.0.0</version>
+        <executions>
+          <execution>
+            <id>check-all-service-config</id>
+            <phase>verify</phase>
+            <goals>
+              <goal>java</goal>
+            </goals>
+          </execution>
+        </executions>
+        <configuration>
+          <mainClass>org.whispersystems.textsecuregcm.CheckServiceConfigurations</mainClass>
+          <classpathScope>test</classpathScope>
+          <arguments>
+            <argument>${project.basedir}/config</argument>
+          </arguments>
+        </configuration>
+      </plugin>
     </plugins>
   </build>
 </project>

service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerConfiguration.java

@@ -6,7 +6,6 @@ package org.whispersystems.textsecuregcm;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
 import io.dropwizard.Configuration;
-import io.dropwizard.client.JerseyClientConfiguration;
 import java.util.HashMap;
 import java.util.LinkedList;
 import java.util.List;
@@ -15,33 +14,26 @@ import javax.validation.Valid;
 import javax.validation.constraints.NotNull;
 import org.whispersystems.textsecuregcm.configuration.AbusiveMessageFilterConfiguration;
 import org.whispersystems.textsecuregcm.configuration.AccountDatabaseCrawlerConfiguration;
-import org.whispersystems.textsecuregcm.configuration.AccountsDatabaseConfiguration;
-import org.whispersystems.textsecuregcm.configuration.AccountsDynamoDbConfiguration;
 import org.whispersystems.textsecuregcm.configuration.ApnConfiguration;
 import org.whispersystems.textsecuregcm.configuration.AppConfigConfiguration;
 import org.whispersystems.textsecuregcm.configuration.AwsAttachmentsConfiguration;
 import org.whispersystems.textsecuregcm.configuration.BadgesConfiguration;
 import org.whispersystems.textsecuregcm.configuration.BoostConfiguration;
 import org.whispersystems.textsecuregcm.configuration.CdnConfiguration;
-import org.whispersystems.textsecuregcm.configuration.DatabaseConfiguration;
 import org.whispersystems.textsecuregcm.configuration.DatadogConfiguration;
-import org.whispersystems.textsecuregcm.configuration.DeletedAccountsDynamoDbConfiguration;
 import org.whispersystems.textsecuregcm.configuration.DirectoryConfiguration;
 import org.whispersystems.textsecuregcm.configuration.DirectoryV2Configuration;
 import org.whispersystems.textsecuregcm.configuration.DonationConfiguration;
 import org.whispersystems.textsecuregcm.configuration.DynamoDbClientConfiguration;
-import org.whispersystems.textsecuregcm.configuration.DynamoDbConfiguration;
 import org.whispersystems.textsecuregcm.configuration.DynamoDbTables;
-import org.whispersystems.textsecuregcm.configuration.GcmConfiguration;
+import org.whispersystems.textsecuregcm.configuration.FcmConfiguration;
 import org.whispersystems.textsecuregcm.configuration.GcpAttachmentsConfiguration;
+import org.whispersystems.textsecuregcm.configuration.GiftConfiguration;
 import org.whispersystems.textsecuregcm.configuration.MaxDeviceConfiguration;
 import org.whispersystems.textsecuregcm.configuration.MessageCacheConfiguration;
-import org.whispersystems.textsecuregcm.configuration.MessageDynamoDbConfiguration;
 import org.whispersystems.textsecuregcm.configuration.PaymentsServiceConfiguration;
-import org.whispersystems.textsecuregcm.configuration.PushConfiguration;
 import org.whispersystems.textsecuregcm.configuration.RateLimitsConfiguration;
 import org.whispersystems.textsecuregcm.configuration.RecaptchaConfiguration;
-import org.whispersystems.textsecuregcm.configuration.RecaptchaV2Configuration;
 import org.whispersystems.textsecuregcm.configuration.RedisClusterConfiguration;
 import org.whispersystems.textsecuregcm.configuration.RedisConfiguration;
 import org.whispersystems.textsecuregcm.configuration.RemoteConfigConfiguration;
@@ -51,9 +43,9 @@ import org.whispersystems.textsecuregcm.configuration.SecureStorageServiceConfig
 import org.whispersystems.textsecuregcm.configuration.StripeConfiguration;
 import org.whispersystems.textsecuregcm.configuration.SubscriptionConfiguration;
 import org.whispersystems.textsecuregcm.configuration.TestDeviceConfiguration;
-import org.whispersystems.textsecuregcm.configuration.TurnConfiguration;
 import org.whispersystems.textsecuregcm.configuration.TwilioConfiguration;
 import org.whispersystems.textsecuregcm.configuration.UnidentifiedDeliveryConfiguration;
+import org.whispersystems.textsecuregcm.configuration.UsernameConfiguration;
 import org.whispersystems.textsecuregcm.configuration.VoiceVerificationConfiguration;
 import org.whispersystems.textsecuregcm.configuration.ZkConfig;
 import org.whispersystems.websocket.configuration.WebSocketConfiguration;
@@ -81,11 +73,6 @@ public class WhisperServerConfiguration extends Configuration {
   @JsonProperty
   private TwilioConfiguration twilio;
 
-  @NotNull
-  @Valid
-  @JsonProperty
-  private PushConfiguration push;
-
   @NotNull
   @Valid
   @JsonProperty
@@ -156,56 +143,6 @@ public class WhisperServerConfiguration extends Configuration {
   @JsonProperty
   private RedisClusterConfiguration clientPresenceCluster;
 
-  @Valid
-  @NotNull
-  @JsonProperty
-  private MessageDynamoDbConfiguration messageDynamoDb;
-
-  @Valid
-  @NotNull
-  @JsonProperty
-  private DynamoDbConfiguration keysDynamoDb;
-
-  @Valid
-  @NotNull
-  @JsonProperty
-  private AccountsDynamoDbConfiguration accountsDynamoDb;
-
-  @Valid
-  @NotNull
-  @JsonProperty
-  private DeletedAccountsDynamoDbConfiguration deletedAccountsDynamoDb;
-
-  @Valid
-  @NotNull
-  @JsonProperty
-  private DynamoDbConfiguration deletedAccountsLockDynamoDb;
-
-  @Valid
-  @NotNull
-  @JsonProperty
-  private DynamoDbConfiguration pushChallengeDynamoDb;
-
-  @Valid
-  @NotNull
-  @JsonProperty
-  private DynamoDbConfiguration reportMessageDynamoDb;
-
-  @Valid
-  @NotNull
-  @JsonProperty
-  private DynamoDbConfiguration pendingAccountsDynamoDb;
-
-  @Valid
-  @NotNull
-  @JsonProperty
-  private DynamoDbConfiguration pendingDevicesDynamoDb;
-
-  @Valid
-  @NotNull
-  @JsonProperty
-  private DatabaseConfiguration abuseDatabase;
-
   @Valid
   @NotNull
   @JsonProperty
@@ -216,21 +153,11 @@ public class WhisperServerConfiguration extends Configuration {
   @JsonProperty
   private List<MaxDeviceConfiguration> maxDevices = new LinkedList<>();
 
-  @Valid
-  @NotNull
-  @JsonProperty
-  private AccountsDatabaseConfiguration accountsDatabase;
-
   @Valid
   @NotNull
   @JsonProperty
   private RateLimitsConfiguration limits = new RateLimitsConfiguration();
 
-  @Valid
-  @NotNull
-  @JsonProperty
-  private JerseyClientConfiguration httpClient = new JerseyClientConfiguration();
-
   @Valid
   @NotNull
   @JsonProperty
@@ -239,12 +166,7 @@ public class WhisperServerConfiguration extends Configuration {
   @Valid
   @NotNull
   @JsonProperty
-  private TurnConfiguration turn;
-
-  @Valid
-  @NotNull
-  @JsonProperty
-  private GcmConfiguration gcm;
+  private FcmConfiguration fcm;
 
   @Valid
   @NotNull
@@ -266,11 +188,6 @@ public class WhisperServerConfiguration extends Configuration {
   @JsonProperty
   private RecaptchaConfiguration recaptcha;
 
-  @Valid
-  @NotNull
-  @JsonProperty
-  private RecaptchaV2Configuration recaptchaV2;
-
   @Valid
   @NotNull
   @JsonProperty
@@ -321,17 +238,25 @@ public class WhisperServerConfiguration extends Configuration {
   @NotNull
   private BoostConfiguration boost;
 
+  @Valid
+  @JsonProperty
+  @NotNull
+  private GiftConfiguration gift;
+
   @Valid
   @NotNull
   @JsonProperty
   private ReportMessageConfiguration reportMessage = new ReportMessageConfiguration();
 
+  @Valid
+  @NotNull
+  @JsonProperty
+  private UsernameConfiguration username = new UsernameConfiguration();
+
   @Valid
   @JsonProperty
   private AbusiveMessageFilterConfiguration abusiveMessageFilter;
 
-  private Map<String, String> transparentDataIndex = new HashMap<>();
-
   public StripeConfiguration getStripe() {
     return stripe;
   }
@@ -348,10 +273,6 @@ public class WhisperServerConfiguration extends Configuration {
     return recaptcha;
   }
 
-  public RecaptchaV2Configuration getRecaptchaV2Configuration() {
-    return recaptchaV2;
-  }
-
   public VoiceVerificationConfiguration getVoiceVerificationConfiguration() {
     return voiceVerification;
   }
@@ -364,14 +285,6 @@ public class WhisperServerConfiguration extends Configuration {
     return twilio;
   }
 
-  public PushConfiguration getPushConfiguration() {
-    return push;
-  }
-
-  public JerseyClientConfiguration getJerseyClientConfiguration() {
-    return httpClient;
-  }
-
   public AwsAttachmentsConfiguration getAwsAttachmentsConfiguration() {
     return awsAttachments;
   }
@@ -424,44 +337,12 @@ public class WhisperServerConfiguration extends Configuration {
     return rateLimitersCluster;
   }
 
-  public MessageDynamoDbConfiguration getMessageDynamoDbConfiguration() {
-    return messageDynamoDb;
-  }
-
-  public DynamoDbConfiguration getKeysDynamoDbConfiguration() {
-    return keysDynamoDb;
-  }
-
-  public AccountsDynamoDbConfiguration getAccountsDynamoDbConfiguration() {
-    return accountsDynamoDb;
-  }
-
-  public DeletedAccountsDynamoDbConfiguration getDeletedAccountsDynamoDbConfiguration() {
-    return deletedAccountsDynamoDb;
-  }
-
-  public DynamoDbConfiguration getDeletedAccountsLockDynamoDbConfiguration() {
-    return deletedAccountsLockDynamoDb;
-  }
-
-  public DatabaseConfiguration getAbuseDatabaseConfiguration() {
-    return abuseDatabase;
-  }
-
-  public AccountsDatabaseConfiguration getAccountsDatabaseConfiguration() {
-    return accountsDatabase;
-  }
-
   public RateLimitsConfiguration getLimitsConfiguration() {
     return limits;
   }
 
-  public TurnConfiguration getTurnConfiguration() {
-    return turn;
-  }
-
-  public GcmConfiguration getGcmConfiguration() {
-    return gcm;
+  public FcmConfiguration getFcmConfiguration() {
+    return fcm;
   }
 
   public ApnConfiguration getApnConfiguration() {
@@ -502,10 +383,6 @@ public class WhisperServerConfiguration extends Configuration {
     return results;
   }
 
-  public Map<String, String> getTransparentDataIndex() {
-    return transparentDataIndex;
-  }
-
   public SecureBackupServiceConfiguration getSecureBackupServiceConfiguration() {
     return backupService;
   }
@@ -526,22 +403,6 @@ public class WhisperServerConfiguration extends Configuration {
     return appConfig;
   }
 
-  public DynamoDbConfiguration getPushChallengeDynamoDbConfiguration() {
-    return pushChallengeDynamoDb;
-  }
-
-  public DynamoDbConfiguration getReportMessageDynamoDbConfiguration() {
-    return reportMessageDynamoDb;
-  }
-
-  public DynamoDbConfiguration getPendingAccountsDynamoDbConfiguration() {
-    return pendingAccountsDynamoDb;
-  }
-
-  public DynamoDbConfiguration getPendingDevicesDynamoDbConfiguration() {
-    return pendingDevicesDynamoDb;
-  }
-
   public DonationConfiguration getDonationConfiguration() {
     return donation;
   }
@@ -558,6 +419,10 @@ public class WhisperServerConfiguration extends Configuration {
     return boost;
   }
 
+  public GiftConfiguration getGift() {
+    return gift;
+  }
+
   public ReportMessageConfiguration getReportMessageConfiguration() {
     return reportMessage;
   }
@@ -565,4 +430,8 @@ public class WhisperServerConfiguration extends Configuration {
   public AbusiveMessageFilterConfiguration getAbusiveMessageFilterConfiguration() {
     return abusiveMessageFilter;
   }
+
+  public UsernameConfiguration getUsername() {
+    return username;
+  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2013-2021 Signal Messenger, LLC
+ * Copyright 2013-2022 Signal Messenger, LLC
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 package org.whispersystems.textsecuregcm;
@@ -11,7 +11,6 @@ import com.amazonaws.auth.InstanceProfileCredentialsProvider;
 import com.amazonaws.services.dynamodbv2.AmazonDynamoDB;
 import com.amazonaws.services.dynamodbv2.AmazonDynamoDBClientBuilder;
 import com.codahale.metrics.SharedMetricRegistries;
-import com.codahale.metrics.jdbi3.strategies.DefaultNameStrategy;
 import com.fasterxml.jackson.annotation.JsonAutoDetect;
 import com.fasterxml.jackson.annotation.PropertyAccessor;
 import com.fasterxml.jackson.databind.DeserializationFeature;
@@ -24,11 +23,10 @@ import io.dropwizard.auth.PolymorphicAuthDynamicFeature;
 import io.dropwizard.auth.PolymorphicAuthValueFactoryProvider;
 import io.dropwizard.auth.basic.BasicCredentialAuthFilter;
 import io.dropwizard.auth.basic.BasicCredentials;
-import io.dropwizard.db.DataSourceFactory;
-import io.dropwizard.db.PooledDataSourceFactory;
-import io.dropwizard.jdbi3.JdbiFactory;
 import io.dropwizard.setup.Bootstrap;
 import io.dropwizard.setup.Environment;
+import io.lettuce.core.metrics.MicrometerCommandLatencyRecorder;
+import io.lettuce.core.metrics.MicrometerOptions;
 import io.lettuce.core.resource.ClientResources;
 import io.micrometer.core.instrument.Meter.Id;
 import io.micrometer.core.instrument.Metrics;
@@ -48,25 +46,27 @@ import java.util.ServiceLoader;
 import java.util.concurrent.ArrayBlockingQueue;
 import java.util.concurrent.BlockingQueue;
 import java.util.concurrent.ExecutorService;
+import java.util.concurrent.LinkedBlockingQueue;
 import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.ThreadPoolExecutor;
 import java.util.concurrent.TimeUnit;
 import javax.servlet.DispatcherType;
 import javax.servlet.FilterRegistration;
 import javax.servlet.ServletRegistration;
 import org.eclipse.jetty.servlets.CrossOriginFilter;
 import org.glassfish.jersey.server.ServerProperties;
-import org.jdbi.v3.core.Jdbi;
 import org.signal.i18n.HeaderControlledResourceBundleLookup;
-import org.signal.zkgroup.ServerSecretParams;
-import org.signal.zkgroup.auth.ServerZkAuthOperations;
-import org.signal.zkgroup.profiles.ServerZkProfileOperations;
-import org.signal.zkgroup.receipts.ReceiptCredentialPresentation;
-import org.signal.zkgroup.receipts.ServerZkReceiptOperations;
+import org.signal.libsignal.zkgroup.ServerSecretParams;
+import org.signal.libsignal.zkgroup.auth.ServerZkAuthOperations;
+import org.signal.libsignal.zkgroup.profiles.ServerZkProfileOperations;
+import org.signal.libsignal.zkgroup.receipts.ReceiptCredentialPresentation;
+import org.signal.libsignal.zkgroup.receipts.ServerZkReceiptOperations;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.whispersystems.dispatch.DispatchManager;
 import org.whispersystems.textsecuregcm.abuse.AbusiveMessageFilter;
 import org.whispersystems.textsecuregcm.abuse.FilterAbusiveMessages;
+import org.whispersystems.textsecuregcm.abuse.RateLimitChallengeListener;
 import org.whispersystems.textsecuregcm.auth.AccountAuthenticator;
 import org.whispersystems.textsecuregcm.auth.AuthenticatedAccount;
 import org.whispersystems.textsecuregcm.auth.CertificateGenerator;
@@ -108,13 +108,11 @@ import org.whispersystems.textsecuregcm.experiment.ExperimentEnrollmentManager;
 import org.whispersystems.textsecuregcm.filters.ContentLengthFilter;
 import org.whispersystems.textsecuregcm.filters.RemoteDeprecationFilter;
 import org.whispersystems.textsecuregcm.filters.TimestampResponseFilter;
-import org.whispersystems.textsecuregcm.limits.PreKeyRateLimiter;
+import org.whispersystems.textsecuregcm.limits.DynamicRateLimiters;
 import org.whispersystems.textsecuregcm.limits.PushChallengeManager;
 import org.whispersystems.textsecuregcm.limits.RateLimitChallengeManager;
-import org.whispersystems.textsecuregcm.limits.RateLimitResetMetricsManager;
+import org.whispersystems.textsecuregcm.limits.RateLimitChallengeOptionManager;
 import org.whispersystems.textsecuregcm.limits.RateLimiters;
-import org.whispersystems.textsecuregcm.limits.UnsealedSenderRateLimiter;
-import org.whispersystems.textsecuregcm.liquibase.NameableMigrationsBundle;
 import org.whispersystems.textsecuregcm.mappers.CompletionExceptionMapper;
 import org.whispersystems.textsecuregcm.mappers.DeviceLimitExceededExceptionMapper;
 import org.whispersystems.textsecuregcm.mappers.IOExceptionMapper;
@@ -123,7 +121,6 @@ import org.whispersystems.textsecuregcm.mappers.InvalidWebsocketAddressException
 import org.whispersystems.textsecuregcm.mappers.NonNormalizedPhoneNumberExceptionMapper;
 import org.whispersystems.textsecuregcm.mappers.RateLimitChallengeExceptionMapper;
 import org.whispersystems.textsecuregcm.mappers.RateLimitExceededExceptionMapper;
-import org.whispersystems.textsecuregcm.mappers.RetryLaterExceptionMapper;
 import org.whispersystems.textsecuregcm.mappers.ServerRejectedExceptionMapper;
 import org.whispersystems.textsecuregcm.metrics.ApplicationShutdownMonitor;
 import org.whispersystems.textsecuregcm.metrics.BufferPoolGauges;
@@ -131,27 +128,29 @@ import org.whispersystems.textsecuregcm.metrics.CpuUsageGauge;
 import org.whispersystems.textsecuregcm.metrics.FileDescriptorGauge;
 import org.whispersystems.textsecuregcm.metrics.FreeMemoryGauge;
 import org.whispersystems.textsecuregcm.metrics.GarbageCollectionGauges;
+import org.whispersystems.textsecuregcm.metrics.LettuceMetricsMeterFilter;
 import org.whispersystems.textsecuregcm.metrics.MaxFileDescriptorGauge;
 import org.whispersystems.textsecuregcm.metrics.MetricsApplicationEventListener;
 import org.whispersystems.textsecuregcm.metrics.MetricsRequestEventListener;
+import org.whispersystems.textsecuregcm.metrics.MicrometerRegistryManager;
 import org.whispersystems.textsecuregcm.metrics.NetworkReceivedGauge;
 import org.whispersystems.textsecuregcm.metrics.NetworkSentGauge;
 import org.whispersystems.textsecuregcm.metrics.OperatingSystemMemoryGauge;
-import org.whispersystems.textsecuregcm.metrics.PushLatencyManager;
+import org.whispersystems.textsecuregcm.push.PushLatencyManager;
+import org.whispersystems.textsecuregcm.metrics.ReportedMessageMetricsListener;
 import org.whispersystems.textsecuregcm.metrics.TrafficSource;
 import org.whispersystems.textsecuregcm.providers.MultiRecipientMessageProvider;
 import org.whispersystems.textsecuregcm.providers.RedisClientFactory;
 import org.whispersystems.textsecuregcm.providers.RedisClusterHealthCheck;
 import org.whispersystems.textsecuregcm.push.APNSender;
-import org.whispersystems.textsecuregcm.push.ApnFallbackManager;
+import org.whispersystems.textsecuregcm.push.ApnPushNotificationScheduler;
 import org.whispersystems.textsecuregcm.push.ClientPresenceManager;
-import org.whispersystems.textsecuregcm.push.GCMSender;
+import org.whispersystems.textsecuregcm.push.FcmSender;
 import org.whispersystems.textsecuregcm.push.MessageSender;
 import org.whispersystems.textsecuregcm.push.ProvisioningManager;
+import org.whispersystems.textsecuregcm.push.PushNotificationManager;
 import org.whispersystems.textsecuregcm.push.ReceiptSender;
-import org.whispersystems.textsecuregcm.recaptcha.EnterpriseRecaptchaClient;
-import org.whispersystems.textsecuregcm.recaptcha.LegacyRecaptchaClient;
-import org.whispersystems.textsecuregcm.recaptcha.TransitionalRecaptchaClient;
+import org.whispersystems.textsecuregcm.recaptcha.RecaptchaClient;
 import org.whispersystems.textsecuregcm.redis.ConnectionEventLogger;
 import org.whispersystems.textsecuregcm.redis.FaultTolerantRedisCluster;
 import org.whispersystems.textsecuregcm.redis.ReplicatedJedisPool;
@@ -170,6 +169,7 @@ import org.whispersystems.textsecuregcm.storage.AccountDatabaseCrawlerCache;
 import org.whispersystems.textsecuregcm.storage.AccountDatabaseCrawlerListener;
 import org.whispersystems.textsecuregcm.storage.Accounts;
 import org.whispersystems.textsecuregcm.storage.AccountsManager;
+import org.whispersystems.textsecuregcm.storage.ChangeNumberManager;
 import org.whispersystems.textsecuregcm.storage.ContactDiscoveryWriter;
 import org.whispersystems.textsecuregcm.storage.DeletedAccounts;
 import org.whispersystems.textsecuregcm.storage.DeletedAccountsDirectoryReconciler;
@@ -178,14 +178,14 @@ import org.whispersystems.textsecuregcm.storage.DeletedAccountsTableCrawler;
 import org.whispersystems.textsecuregcm.storage.DirectoryReconciler;
 import org.whispersystems.textsecuregcm.storage.DirectoryReconciliationClient;
 import org.whispersystems.textsecuregcm.storage.DynamicConfigurationManager;
-import org.whispersystems.textsecuregcm.storage.FaultTolerantDatabase;
 import org.whispersystems.textsecuregcm.storage.IssuedReceiptsManager;
-import org.whispersystems.textsecuregcm.storage.KeysDynamoDb;
+import org.whispersystems.textsecuregcm.storage.Keys;
 import org.whispersystems.textsecuregcm.storage.MessagePersister;
 import org.whispersystems.textsecuregcm.storage.MessagesCache;
 import org.whispersystems.textsecuregcm.storage.MessagesDynamoDb;
 import org.whispersystems.textsecuregcm.storage.MessagesManager;
 import org.whispersystems.textsecuregcm.storage.NonNormalizedAccountCrawlerListener;
+import org.whispersystems.textsecuregcm.storage.PhoneNumberIdentifiers;
 import org.whispersystems.textsecuregcm.storage.Profiles;
 import org.whispersystems.textsecuregcm.storage.ProfilesManager;
 import org.whispersystems.textsecuregcm.storage.PubSubManager;
@@ -199,22 +199,22 @@ import org.whispersystems.textsecuregcm.storage.ReportMessageManager;
 import org.whispersystems.textsecuregcm.storage.ReservedUsernames;
 import org.whispersystems.textsecuregcm.storage.StoredVerificationCodeManager;
 import org.whispersystems.textsecuregcm.storage.SubscriptionManager;
-import org.whispersystems.textsecuregcm.storage.Usernames;
-import org.whispersystems.textsecuregcm.storage.UsernamesManager;
 import org.whispersystems.textsecuregcm.storage.VerificationCodeStore;
 import org.whispersystems.textsecuregcm.stripe.StripeManager;
 import org.whispersystems.textsecuregcm.util.Constants;
 import org.whispersystems.textsecuregcm.util.DynamoDbFromConfig;
 import org.whispersystems.textsecuregcm.util.HostnameUtil;
+import org.whispersystems.textsecuregcm.util.UsernameGenerator;
 import org.whispersystems.textsecuregcm.util.logging.LoggingUnhandledExceptionMapper;
 import org.whispersystems.textsecuregcm.util.logging.UncaughtExceptionHandler;
 import org.whispersystems.textsecuregcm.websocket.AuthenticatedConnectListener;
-import org.whispersystems.textsecuregcm.websocket.DeadLetterHandler;
 import org.whispersystems.textsecuregcm.websocket.ProvisioningConnectListener;
 import org.whispersystems.textsecuregcm.websocket.WebSocketAccountAuthenticator;
+import org.whispersystems.textsecuregcm.workers.AssignUsernameCommand;
 import org.whispersystems.textsecuregcm.workers.CertificateCommand;
 import org.whispersystems.textsecuregcm.workers.CheckDynamicConfigurationCommand;
 import org.whispersystems.textsecuregcm.workers.DeleteUserCommand;
+import org.whispersystems.textsecuregcm.workers.ReserveUsernameCommand;
 import org.whispersystems.textsecuregcm.workers.ServerVersionCommand;
 import org.whispersystems.textsecuregcm.workers.SetCrawlerAccelerationTask;
 import org.whispersystems.textsecuregcm.workers.SetRequestLoggingEnabledTask;
@@ -241,20 +241,8 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
     bootstrap.addCommand(new ServerVersionCommand());
     bootstrap.addCommand(new CheckDynamicConfigurationCommand());
     bootstrap.addCommand(new SetUserDiscoverabilityCommand());
-
-    bootstrap.addBundle(new NameableMigrationsBundle<WhisperServerConfiguration>("accountdb", "accountsdb.xml") {
-      @Override
-      public DataSourceFactory getDataSourceFactory(WhisperServerConfiguration configuration) {
-        return configuration.getAccountsDatabaseConfiguration();
-      }
-    });
-
-    bootstrap.addBundle(new NameableMigrationsBundle<WhisperServerConfiguration>("abusedb", "abusedb.xml") {
-      @Override
-      public PooledDataSourceFactory getDataSourceFactory(WhisperServerConfiguration configuration) {
-        return configuration.getAbuseDatabaseConfiguration();
-      }
-    });
+    bootstrap.addCommand(new ReserveUsernameCommand());
+    bootstrap.addCommand(new AssignUsernameCommand());
   }
 
   @Override
@@ -280,15 +268,16 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
           config.getDatadogConfiguration(), io.micrometer.core.instrument.Clock.SYSTEM);
 
       datadogMeterRegistry.config().commonTags(
-          Tags.of(
-              "service", "chat",
-              "host", HostnameUtil.getLocalHostname(),
-              "version", WhisperServerVersion.getServerVersion(),
-              "env", config.getDatadogConfiguration().getEnvironment()))
+              Tags.of(
+                  "service", "chat",
+                  "host", HostnameUtil.getLocalHostname(),
+                  "version", WhisperServerVersion.getServerVersion(),
+                  "env", config.getDatadogConfiguration().getEnvironment()))
           .meterFilter(MeterFilter.denyNameStartsWith(MetricsRequestEventListener.REQUEST_COUNTER_NAME))
           .meterFilter(MeterFilter.denyNameStartsWith(MetricsRequestEventListener.ANDROID_REQUEST_COUNTER_NAME))
           .meterFilter(MeterFilter.denyNameStartsWith(MetricsRequestEventListener.DESKTOP_REQUEST_COUNTER_NAME))
           .meterFilter(MeterFilter.denyNameStartsWith(MetricsRequestEventListener.IOS_REQUEST_COUNTER_NAME))
+          .meterFilter(new LettuceMetricsMeterFilter())
           .meterFilter(new MeterFilter() {
             @Override
             public DistributionStatisticConfig configure(final Id id, final DistributionStatisticConfig config) {
@@ -299,6 +288,8 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
       Metrics.addRegistry(datadogMeterRegistry);
     }
 
+    environment.lifecycle().manage(new MicrometerRegistryManager(Metrics.globalRegistry));
+
     environment.getObjectMapper().configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
     environment.getObjectMapper().setVisibility(PropertyAccessor.ALL, JsonAutoDetect.Visibility.NONE);
     environment.getObjectMapper().setVisibility(PropertyAccessor.FIELD, JsonAutoDetect.Visibility.ANY);
@@ -310,109 +301,97 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
     ResourceBundleLevelTranslator resourceBundleLevelTranslator = new ResourceBundleLevelTranslator(
         headerControlledResourceBundleLookup);
 
-    JdbiFactory jdbiFactory = new JdbiFactory(DefaultNameStrategy.CHECK_EMPTY);
-    Jdbi        accountJdbi = jdbiFactory.build(environment, config.getAccountsDatabaseConfiguration(), "accountdb");
-    Jdbi        abuseJdbi   = jdbiFactory.build(environment, config.getAbuseDatabaseConfiguration(), "abusedb"  );
-
-    FaultTolerantDatabase accountDatabase = new FaultTolerantDatabase("accounts_database", accountJdbi, config.getAccountsDatabaseConfiguration().getCircuitBreakerConfiguration());
-    FaultTolerantDatabase abuseDatabase   = new FaultTolerantDatabase("abuse_database", abuseJdbi, config.getAbuseDatabaseConfiguration().getCircuitBreakerConfiguration());
-
     DynamoDbAsyncClient dynamoDbAsyncClient = DynamoDbFromConfig.asyncClient(
         config.getDynamoDbClientConfiguration(),
         software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
 
-    DynamoDbClient messageDynamoDb = DynamoDbFromConfig.client(config.getMessageDynamoDbConfiguration(),
-        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
-
-    DynamoDbClient preKeyDynamoDb = DynamoDbFromConfig.client(config.getKeysDynamoDbConfiguration(),
-        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
-
-    DynamoDbClient accountsDynamoDbClient = DynamoDbFromConfig.client(config.getAccountsDynamoDbConfiguration(),
-        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
-
-    DynamoDbClient deletedAccountsDynamoDbClient = DynamoDbFromConfig.client(config.getDeletedAccountsDynamoDbConfiguration(),
-        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
-
-    DynamoDbClient pushChallengeDynamoDbClient = DynamoDbFromConfig.client(
-        config.getPushChallengeDynamoDbConfiguration(),
-        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
-
-    DynamoDbClient reportMessageDynamoDbClient = DynamoDbFromConfig.client(
-        config.getReportMessageDynamoDbConfiguration(),
-        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
-
-    DynamoDbClient pendingAccountsDynamoDbClient = DynamoDbFromConfig.client(
-        config.getPendingAccountsDynamoDbConfiguration(),
-        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
-
-    DynamoDbClient pendingDevicesDynamoDbClient = DynamoDbFromConfig.client(
-        config.getPendingDevicesDynamoDbConfiguration(),
+    DynamoDbClient dynamoDbClient = DynamoDbFromConfig.client(
+        config.getDynamoDbClientConfiguration(),
         software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
 
     AmazonDynamoDB deletedAccountsLockDynamoDbClient = AmazonDynamoDBClientBuilder.standard()
-        .withRegion(config.getDeletedAccountsLockDynamoDbConfiguration().getRegion())
+        .withRegion(config.getDynamoDbClientConfiguration().getRegion())
         .withClientConfiguration(new ClientConfiguration().withClientExecutionTimeout(
-                ((int) config.getDeletedAccountsLockDynamoDbConfiguration().getClientExecutionTimeout().toMillis()))
+                ((int) config.getDynamoDbClientConfiguration().getClientExecutionTimeout().toMillis()))
             .withRequestTimeout(
-                (int) config.getDeletedAccountsLockDynamoDbConfiguration().getClientRequestTimeout().toMillis()))
+                (int) config.getDynamoDbClientConfiguration().getClientRequestTimeout().toMillis()))
         .withCredentials(InstanceProfileCredentialsProvider.getInstance())
         .build();
 
-    DeletedAccounts deletedAccounts = new DeletedAccounts(deletedAccountsDynamoDbClient,
-        config.getDeletedAccountsDynamoDbConfiguration().getTableName(),
-        config.getDeletedAccountsDynamoDbConfiguration().getNeedsReconciliationIndexName());
+    DeletedAccounts deletedAccounts = new DeletedAccounts(dynamoDbClient,
+        config.getDynamoDbTables().getDeletedAccounts().getTableName(),
+        config.getDynamoDbTables().getDeletedAccounts().getNeedsReconciliationIndexName());
 
-    Accounts accounts = new Accounts(accountsDynamoDbClient,
-        config.getAccountsDynamoDbConfiguration().getTableName(),
-        config.getAccountsDynamoDbConfiguration().getPhoneNumberTableName(),
-        config.getAccountsDynamoDbConfiguration().getScanPageSize());
-    Usernames usernames = new Usernames(accountDatabase);
-    ReservedUsernames reservedUsernames = new ReservedUsernames(accountDatabase);
-    Profiles profiles = new Profiles(accountDatabase);
-    KeysDynamoDb keysDynamoDb = new KeysDynamoDb(preKeyDynamoDb, config.getKeysDynamoDbConfiguration().getTableName());
-    MessagesDynamoDb messagesDynamoDb = new MessagesDynamoDb(messageDynamoDb,
-        config.getMessageDynamoDbConfiguration().getTableName(),
-        config.getMessageDynamoDbConfiguration().getTimeToLive());
-    AbusiveHostRules abusiveHostRules = new AbusiveHostRules(abuseDatabase);
-    RemoteConfigs remoteConfigs = new RemoteConfigs(accountDatabase);
-    PushChallengeDynamoDb pushChallengeDynamoDb = new PushChallengeDynamoDb(pushChallengeDynamoDbClient, config.getPushChallengeDynamoDbConfiguration().getTableName());
-    ReportMessageDynamoDb reportMessageDynamoDb = new ReportMessageDynamoDb(reportMessageDynamoDbClient, config.getReportMessageDynamoDbConfiguration().getTableName(), config.getReportMessageConfiguration().getReportTtl());
-    VerificationCodeStore pendingAccounts = new VerificationCodeStore(pendingAccountsDynamoDbClient, config.getPendingAccountsDynamoDbConfiguration().getTableName());
-    VerificationCodeStore pendingDevices = new VerificationCodeStore(pendingDevicesDynamoDbClient, config.getPendingDevicesDynamoDbConfiguration().getTableName());
+    DynamicConfigurationManager<DynamicConfiguration> dynamicConfigurationManager =
+        new DynamicConfigurationManager<>(config.getAppConfig().getApplication(),
+            config.getAppConfig().getEnvironment(),
+            config.getAppConfig().getConfigurationName(),
+            DynamicConfiguration.class);
+
+    Accounts accounts = new Accounts(dynamicConfigurationManager,
+        dynamoDbClient,
+        dynamoDbAsyncClient,
+        config.getDynamoDbTables().getAccounts().getTableName(),
+        config.getDynamoDbTables().getAccounts().getPhoneNumberTableName(),
+        config.getDynamoDbTables().getAccounts().getPhoneNumberIdentifierTableName(),
+        config.getDynamoDbTables().getAccounts().getUsernamesTableName(),
+        config.getDynamoDbTables().getAccounts().getScanPageSize());
+    PhoneNumberIdentifiers phoneNumberIdentifiers = new PhoneNumberIdentifiers(dynamoDbClient,
+        config.getDynamoDbTables().getPhoneNumberIdentifiers().getTableName());
+    ReservedUsernames reservedUsernames = new ReservedUsernames(dynamoDbClient,
+        config.getDynamoDbTables().getReservedUsernames().getTableName());
+    Profiles profiles = new Profiles(dynamoDbClient, dynamoDbAsyncClient,
+        config.getDynamoDbTables().getProfiles().getTableName());
+    Keys keys = new Keys(dynamoDbClient, config.getDynamoDbTables().getKeys().getTableName());
+    MessagesDynamoDb messagesDynamoDb = new MessagesDynamoDb(dynamoDbClient,
+        config.getDynamoDbTables().getMessages().getTableName(),
+        config.getDynamoDbTables().getMessages().getExpiration());
+    RemoteConfigs remoteConfigs = new RemoteConfigs(dynamoDbClient,
+        config.getDynamoDbTables().getRemoteConfig().getTableName());
+    PushChallengeDynamoDb pushChallengeDynamoDb = new PushChallengeDynamoDb(dynamoDbClient,
+        config.getDynamoDbTables().getPushChallenge().getTableName());
+    ReportMessageDynamoDb reportMessageDynamoDb = new ReportMessageDynamoDb(dynamoDbClient,
+        config.getDynamoDbTables().getReportMessage().getTableName(),
+        config.getReportMessageConfiguration().getReportTtl());
+    VerificationCodeStore pendingAccounts = new VerificationCodeStore(dynamoDbClient,
+        config.getDynamoDbTables().getPendingAccounts().getTableName());
+    VerificationCodeStore pendingDevices = new VerificationCodeStore(dynamoDbClient,
+        config.getDynamoDbTables().getPendingDevices().getTableName());
 
     RedisClientFactory  pubSubClientFactory = new RedisClientFactory("pubsub_cache", config.getPubsubCacheConfiguration().getUrl(), config.getPubsubCacheConfiguration().getReplicaUrls(), config.getPubsubCacheConfiguration().getCircuitBreakerConfiguration());
     ReplicatedJedisPool pubsubClient        = pubSubClientFactory.getRedisClientPool();
 
-    ClientResources generalCacheClientResources       = ClientResources.builder().build();
-    ClientResources messageCacheClientResources       = ClientResources.builder().build();
-    ClientResources presenceClientResources           = ClientResources.builder().build();
-    ClientResources metricsCacheClientResources       = ClientResources.builder().build();
-    ClientResources pushSchedulerCacheClientResources = ClientResources.builder().ioThreadPoolSize(4).build();
-    ClientResources rateLimitersCacheClientResources =  ClientResources.builder().build();
+    MicrometerOptions options = MicrometerOptions.builder().build();
+    ClientResources redisClientResources = ClientResources.builder()
+        .commandLatencyRecorder(new MicrometerCommandLatencyRecorder(Metrics.globalRegistry, options)).build();
+    ConnectionEventLogger.logConnectionEvents(redisClientResources);
 
-    ConnectionEventLogger.logConnectionEvents(generalCacheClientResources);
-    ConnectionEventLogger.logConnectionEvents(messageCacheClientResources);
-    ConnectionEventLogger.logConnectionEvents(presenceClientResources);
-    ConnectionEventLogger.logConnectionEvents(metricsCacheClientResources);
-
-    FaultTolerantRedisCluster cacheCluster             = new FaultTolerantRedisCluster("main_cache_cluster", config.getCacheClusterConfiguration(), generalCacheClientResources);
-    FaultTolerantRedisCluster messagesCluster          = new FaultTolerantRedisCluster("messages_cluster", config.getMessageCacheConfiguration().getRedisClusterConfiguration(), messageCacheClientResources);
-    FaultTolerantRedisCluster clientPresenceCluster    = new FaultTolerantRedisCluster("client_presence_cluster", config.getClientPresenceClusterConfiguration(), presenceClientResources);
-    FaultTolerantRedisCluster metricsCluster           = new FaultTolerantRedisCluster("metrics_cluster", config.getMetricsClusterConfiguration(), metricsCacheClientResources);
-    FaultTolerantRedisCluster pushSchedulerCluster     = new FaultTolerantRedisCluster("push_scheduler", config.getPushSchedulerCluster(), pushSchedulerCacheClientResources);
-    FaultTolerantRedisCluster rateLimitersCluster      = new FaultTolerantRedisCluster("rate_limiters", config.getRateLimitersCluster(), rateLimitersCacheClientResources);
+    FaultTolerantRedisCluster cacheCluster             = new FaultTolerantRedisCluster("main_cache_cluster", config.getCacheClusterConfiguration(), redisClientResources);
+    FaultTolerantRedisCluster messagesCluster          = new FaultTolerantRedisCluster("messages_cluster", config.getMessageCacheConfiguration().getRedisClusterConfiguration(), redisClientResources);
+    FaultTolerantRedisCluster clientPresenceCluster    = new FaultTolerantRedisCluster("client_presence_cluster", config.getClientPresenceClusterConfiguration(), redisClientResources);
+    FaultTolerantRedisCluster metricsCluster           = new FaultTolerantRedisCluster("metrics_cluster", config.getMetricsClusterConfiguration(), redisClientResources);
+    FaultTolerantRedisCluster pushSchedulerCluster     = new FaultTolerantRedisCluster("push_scheduler", config.getPushSchedulerCluster(), redisClientResources);
+    FaultTolerantRedisCluster rateLimitersCluster      = new FaultTolerantRedisCluster("rate_limiters", config.getRateLimitersCluster(), redisClientResources);
 
     BlockingQueue<Runnable> keyspaceNotificationDispatchQueue = new ArrayBlockingQueue<>(10_000);
     Metrics.gaugeCollectionSize(name(getClass(), "keyspaceNotificationDispatchQueueSize"), Collections.emptyList(), keyspaceNotificationDispatchQueue);
+    final ArrayBlockingQueue<Runnable> receiptSenderQueue = new ArrayBlockingQueue<>(10_000);
+    Metrics.gaugeCollectionSize(name(getClass(), "receiptSenderQueue"), Collections.emptyList(), receiptSenderQueue);
+
+    final BlockingQueue<Runnable> fcmSenderQueue = new LinkedBlockingQueue<>();
+    Metrics.gaugeCollectionSize(name(getClass(), "fcmSenderQueue"), Collections.emptyList(), fcmSenderQueue);
 
     ScheduledExecutorService recurringJobExecutor = environment.lifecycle()
         .scheduledExecutorService(name(getClass(), "recurringJob-%d")).threads(6).build();
-    ScheduledExecutorService retrySchedulingExecutor              = environment.lifecycle().scheduledExecutorService(name(getClass(), "retry-%d")).threads(2).build();
+    ScheduledExecutorService websocketScheduledExecutor           = environment.lifecycle().scheduledExecutorService(name(getClass(), "websocket-%d")).threads(8).build();
     ExecutorService          keyspaceNotificationDispatchExecutor = environment.lifecycle().executorService(name(getClass(), "keyspaceNotification-%d")).maxThreads(16).workQueue(keyspaceNotificationDispatchQueue).build();
     ExecutorService          apnSenderExecutor                    = environment.lifecycle().executorService(name(getClass(), "apnSender-%d")).maxThreads(1).minThreads(1).build();
-    ExecutorService          gcmSenderExecutor                    = environment.lifecycle().executorService(name(getClass(), "gcmSender-%d")).maxThreads(1).minThreads(1).build();
+    ExecutorService          fcmSenderExecutor                    = environment.lifecycle().executorService(name(getClass(), "fcmSender-%d")).maxThreads(32).minThreads(32).workQueue(fcmSenderQueue).build();
     ExecutorService          backupServiceExecutor                = environment.lifecycle().executorService(name(getClass(), "backupService-%d")).maxThreads(1).minThreads(1).build();
     ExecutorService          storageServiceExecutor               = environment.lifecycle().executorService(name(getClass(), "storageService-%d")).maxThreads(1).minThreads(1).build();
+
+    // TODO: generally speaking this is a DynamoDB I/O executor for the accounts table; we should eventually have a general executor for speaking to the accounts table, but most of the server is still synchronous so this isn't widely useful yet
+    ExecutorService batchIdentityCheckExecutor = environment.lifecycle().executorService(name(getClass(), "batchIdentityCheck-%d")).minThreads(32).maxThreads(32).build();
     ExecutorService multiRecipientMessageExecutor = environment.lifecycle()
         .executorService(name(getClass(), "multiRecipientMessage-%d")).minThreads(64).maxThreads(64).build();
     ExecutorService stripeExecutor = environment.lifecycle().executorService(name(getClass(), "stripe-%d")).
@@ -420,22 +399,24 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
         minThreads(availableProcessors).  // mostly this is IO bound so tying to number of processors is tenuous at best
         allowCoreThreadTimeOut(true).
         build();
+    ExecutorService receiptSenderExecutor = environment.lifecycle()
+        .executorService(name(getClass(), "receiptSender-%d"))
+        .maxThreads(2)
+        .minThreads(2)
+        .workQueue(receiptSenderQueue)
+        .rejectedExecutionHandler(new ThreadPoolExecutor.CallerRunsPolicy())
+        .build();
 
     StripeManager stripeManager = new StripeManager(config.getStripe().getApiKey(), stripeExecutor,
-        config.getStripe().getIdempotencyKeyGenerator());
+        config.getStripe().getIdempotencyKeyGenerator(), config.getStripe().getBoostDescription());
 
     ExternalServiceCredentialGenerator directoryCredentialsGenerator = new ExternalServiceCredentialGenerator(
         config.getDirectoryConfiguration().getDirectoryClientConfiguration().getUserAuthenticationTokenSharedSecret(),
         config.getDirectoryConfiguration().getDirectoryClientConfiguration().getUserAuthenticationTokenUserIdSecret());
     ExternalServiceCredentialGenerator directoryV2CredentialsGenerator = new ExternalServiceCredentialGenerator(
-        config.getDirectoryV2Configuration().getDirectoryV2ClientConfiguration()
-            .getUserAuthenticationTokenSharedSecret(), false);
-
-    DynamicConfigurationManager<DynamicConfiguration> dynamicConfigurationManager =
-        new DynamicConfigurationManager<>(config.getAppConfig().getApplication(),
-            config.getAppConfig().getEnvironment(),
-            config.getAppConfig().getConfigurationName(),
-            DynamicConfiguration.class);
+        config.getDirectoryV2Configuration().getDirectoryV2ClientConfiguration().getUserAuthenticationTokenSharedSecret(),
+        config.getDirectoryV2Configuration().getDirectoryV2ClientConfiguration().getUserIdTokenSharedSecret(),
+        true, false);
 
     dynamicConfigurationManager.start();
 
@@ -451,30 +432,34 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
     ExternalServiceCredentialGenerator paymentsCredentialsGenerator = new ExternalServiceCredentialGenerator(
         config.getPaymentsServiceConfiguration().getUserAuthenticationTokenSharedSecret(), true);
 
+    AbusiveHostRules           abusiveHostRules           = new AbusiveHostRules(rateLimitersCluster, dynamicConfigurationManager);
     SecureBackupClient         secureBackupClient         = new SecureBackupClient(backupCredentialsGenerator, backupServiceExecutor, config.getSecureBackupServiceConfiguration());
     SecureStorageClient        secureStorageClient        = new SecureStorageClient(storageCredentialsGenerator, storageServiceExecutor, config.getSecureStorageServiceConfiguration());
     ClientPresenceManager      clientPresenceManager      = new ClientPresenceManager(clientPresenceCluster, recurringJobExecutor, keyspaceNotificationDispatchExecutor);
     DirectoryQueue             directoryQueue             = new DirectoryQueue(config.getDirectoryConfiguration().getSqsConfiguration());
     StoredVerificationCodeManager pendingAccountsManager  = new StoredVerificationCodeManager(pendingAccounts);
     StoredVerificationCodeManager pendingDevicesManager   = new StoredVerificationCodeManager(pendingDevices);
-    UsernamesManager           usernamesManager           = new UsernamesManager(usernames, reservedUsernames, cacheCluster);
     ProfilesManager            profilesManager            = new ProfilesManager(profiles, cacheCluster);
     MessagesCache              messagesCache              = new MessagesCache(messagesCluster, messagesCluster, keyspaceNotificationDispatchExecutor);
-    PushLatencyManager         pushLatencyManager         = new PushLatencyManager(metricsCluster);
-    ReportMessageManager       reportMessageManager       = new ReportMessageManager(reportMessageDynamoDb, rateLimitersCluster, Metrics.globalRegistry, config.getReportMessageConfiguration().getCounterTtl());
-    MessagesManager            messagesManager            = new MessagesManager(messagesDynamoDb, messagesCache, pushLatencyManager, reportMessageManager);
+    PushLatencyManager         pushLatencyManager         = new PushLatencyManager(metricsCluster, dynamicConfigurationManager);
+    ReportMessageManager       reportMessageManager       = new ReportMessageManager(reportMessageDynamoDb, rateLimitersCluster, config.getReportMessageConfiguration().getCounterTtl());
+    MessagesManager            messagesManager            = new MessagesManager(messagesDynamoDb, messagesCache, reportMessageManager);
+    UsernameGenerator          usernameGenerator          = new UsernameGenerator(config.getUsername());
     DeletedAccountsManager deletedAccountsManager = new DeletedAccountsManager(deletedAccounts,
-        deletedAccountsLockDynamoDbClient, config.getDeletedAccountsLockDynamoDbConfiguration().getTableName());
-    AccountsManager accountsManager = new AccountsManager(accounts, cacheCluster, deletedAccountsManager,
-        directoryQueue, keysDynamoDb, messagesManager, usernamesManager, profilesManager, pendingAccountsManager,
-        secureStorageClient, secureBackupClient, clientPresenceManager, clock);
-    RemoteConfigsManager remoteConfigsManager = new RemoteConfigsManager(remoteConfigs);
-    DeadLetterHandler          deadLetterHandler          = new DeadLetterHandler(accountsManager, messagesManager);
-    DispatchManager            dispatchManager            = new DispatchManager(pubSubClientFactory, Optional.of(deadLetterHandler));
+        deletedAccountsLockDynamoDbClient, config.getDynamoDbTables().getDeletedAccountsLock().getTableName());
+    AccountsManager accountsManager = new AccountsManager(accounts, phoneNumberIdentifiers, cacheCluster,
+        deletedAccountsManager, directoryQueue, keys, messagesManager, reservedUsernames, profilesManager,
+        pendingAccountsManager, secureStorageClient, secureBackupClient, clientPresenceManager, usernameGenerator,
+        experimentEnrollmentManager, clock);
+    RemoteConfigsManager       remoteConfigsManager       = new RemoteConfigsManager(remoteConfigs);
+    DispatchManager            dispatchManager            = new DispatchManager(pubSubClientFactory, Optional.empty());
     PubSubManager              pubSubManager              = new PubSubManager(pubsubClient, dispatchManager);
-    APNSender                  apnSender                  = new APNSender(apnSenderExecutor, accountsManager, config.getApnConfiguration());
-    GCMSender                  gcmSender                  = new GCMSender(gcmSenderExecutor, accountsManager, config.getGcmConfiguration().getApiKey());
-    RateLimiters               rateLimiters               = new RateLimiters(config.getLimitsConfiguration(), dynamicConfigurationManager, rateLimitersCluster);
+    APNSender                  apnSender                  = new APNSender(apnSenderExecutor, config.getApnConfiguration());
+    FcmSender                  fcmSender                  = new FcmSender(fcmSenderExecutor, config.getFcmConfiguration().credentials());
+    ApnPushNotificationScheduler apnPushNotificationScheduler = new ApnPushNotificationScheduler(pushSchedulerCluster, apnSender, accountsManager);
+    PushNotificationManager    pushNotificationManager    = new PushNotificationManager(accountsManager, apnSender, fcmSender, apnPushNotificationScheduler, pushLatencyManager, dynamicConfigurationManager);
+    RateLimiters               rateLimiters               = new RateLimiters(config.getLimitsConfiguration(), rateLimitersCluster);
+    DynamicRateLimiters        dynamicRateLimiters        = new DynamicRateLimiters(rateLimitersCluster, dynamicConfigurationManager);
     ProvisioningManager        provisioningManager        = new ProvisioningManager(pubSubManager);
     IssuedReceiptsManager issuedReceiptsManager = new IssuedReceiptsManager(
         config.getDynamoDbTables().getIssuedReceipts().getTableName(),
@@ -489,37 +474,31 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
     SubscriptionManager subscriptionManager = new SubscriptionManager(
         config.getDynamoDbTables().getSubscriptions().getTableName(), dynamoDbAsyncClient);
 
+    ReportedMessageMetricsListener reportedMessageMetricsListener = new ReportedMessageMetricsListener(accountsManager);
+    reportMessageManager.addListener(reportedMessageMetricsListener);
+
     AccountAuthenticator                  accountAuthenticator                  = new AccountAuthenticator(accountsManager);
     DisabledPermittedAccountAuthenticator disabledPermittedAccountAuthenticator = new DisabledPermittedAccountAuthenticator(accountsManager);
 
-    RateLimitResetMetricsManager rateLimitResetMetricsManager = new RateLimitResetMetricsManager(metricsCluster, Metrics.globalRegistry);
-
-    UnsealedSenderRateLimiter unsealedSenderRateLimiter = new UnsealedSenderRateLimiter(rateLimiters, rateLimitersCluster, dynamicConfigurationManager, rateLimitResetMetricsManager);
-    PreKeyRateLimiter preKeyRateLimiter = new PreKeyRateLimiter(rateLimiters, dynamicConfigurationManager, rateLimitResetMetricsManager);
-
-    ApnFallbackManager       apnFallbackManager = new ApnFallbackManager(pushSchedulerCluster, apnSender, accountsManager);
     TwilioSmsSender          twilioSmsSender    = new TwilioSmsSender(config.getTwilioConfiguration(), dynamicConfigurationManager);
     SmsSender                smsSender          = new SmsSender(twilioSmsSender);
-    MessageSender            messageSender      = new MessageSender(apnFallbackManager, clientPresenceManager, messagesManager, gcmSender, apnSender, pushLatencyManager);
-    ReceiptSender            receiptSender      = new ReceiptSender(accountsManager, messageSender);
-    TurnTokenGenerator       turnTokenGenerator = new TurnTokenGenerator(config.getTurnConfiguration());
-    LegacyRecaptchaClient legacyRecaptchaClient = new LegacyRecaptchaClient(config.getRecaptchaConfiguration().getSecret());
-    EnterpriseRecaptchaClient enterpriseRecaptchaClient = new EnterpriseRecaptchaClient(
-        config.getRecaptchaV2Configuration().getScoreFloor().doubleValue(),
-        config.getRecaptchaV2Configuration().getSiteKey(),
-        config.getRecaptchaV2Configuration().getProjectPath(),
-        config.getRecaptchaV2Configuration().getCredentialConfigurationJson());
-    TransitionalRecaptchaClient transitionalRecaptchaClient = new TransitionalRecaptchaClient(legacyRecaptchaClient, enterpriseRecaptchaClient);
-    PushChallengeManager     pushChallengeManager = new PushChallengeManager(apnSender, gcmSender, pushChallengeDynamoDb);
-    RateLimitChallengeManager rateLimitChallengeManager = new RateLimitChallengeManager(pushChallengeManager,
-        transitionalRecaptchaClient, preKeyRateLimiter, unsealedSenderRateLimiter, rateLimiters,
+    MessageSender            messageSender      = new MessageSender(clientPresenceManager, messagesManager, pushNotificationManager, pushLatencyManager);
+    ReceiptSender            receiptSender      = new ReceiptSender(accountsManager, messageSender, receiptSenderExecutor);
+    TurnTokenGenerator       turnTokenGenerator = new TurnTokenGenerator(dynamicConfigurationManager);
+    RecaptchaClient recaptchaClient = new RecaptchaClient(
+        config.getRecaptchaConfiguration().getProjectPath(),
+        config.getRecaptchaConfiguration().getCredentialConfigurationJson(),
         dynamicConfigurationManager);
+    PushChallengeManager pushChallengeManager = new PushChallengeManager(pushNotificationManager, pushChallengeDynamoDb);
+    RateLimitChallengeManager rateLimitChallengeManager = new RateLimitChallengeManager(pushChallengeManager,
+        recaptchaClient, dynamicRateLimiters);
+    RateLimitChallengeOptionManager rateLimitChallengeOptionManager =
+        new RateLimitChallengeOptionManager(dynamicRateLimiters, dynamicConfigurationManager);
 
     MessagePersister messagePersister = new MessagePersister(messagesCache, messagesManager, accountsManager, dynamicConfigurationManager, Duration.ofMinutes(config.getMessageCacheConfiguration().getPersistDelayMinutes()));
+    ChangeNumberManager changeNumberManager = new ChangeNumberManager(messageSender, accountsManager);
 
-    // TODO listeners must be ordered so that ones that directly update accounts come last, so that read-only ones are not working with stale data
-    final List<AccountDatabaseCrawlerListener> accountDatabaseCrawlerListeners = new ArrayList<>();
-
+    final List<AccountDatabaseCrawlerListener> directoryReconciliationAccountDatabaseCrawlerListeners = new ArrayList<>();
     final List<DeletedAccountsDirectoryReconciler> deletedAccountsDirectoryReconcilers = new ArrayList<>();
     for (DirectoryServerConfiguration directoryServerConfiguration : config.getDirectoryConfiguration()
         .getDirectoryServerConfiguration()) {
@@ -529,26 +508,43 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
           directoryServerConfiguration.getReplicationName(), directoryReconciliationClient,
           dynamicConfigurationManager);
       // reconcilers are read-only
-      accountDatabaseCrawlerListeners.add(directoryReconciler);
+      directoryReconciliationAccountDatabaseCrawlerListeners.add(directoryReconciler);
 
       final DeletedAccountsDirectoryReconciler deletedAccountsDirectoryReconciler = new DeletedAccountsDirectoryReconciler(
           directoryServerConfiguration.getReplicationName(), directoryReconciliationClient);
       deletedAccountsDirectoryReconcilers.add(deletedAccountsDirectoryReconciler);
     }
-    accountDatabaseCrawlerListeners.add(new NonNormalizedAccountCrawlerListener(accountsManager, metricsCluster));
-    accountDatabaseCrawlerListeners.add(new ContactDiscoveryWriter(accountsManager));
-    // PushFeedbackProcessor may update device properties
-    accountDatabaseCrawlerListeners.add(new PushFeedbackProcessor(accountsManager));
-    // delete accounts last
-    accountDatabaseCrawlerListeners.add(new AccountCleaner(accountsManager));
 
-    HttpClient                currencyClient  = HttpClient.newBuilder().version(HttpClient.Version.HTTP_2).connectTimeout(Duration.ofSeconds(10)).build();
-    FixerClient               fixerClient     = new FixerClient(currencyClient, config.getPaymentsServiceConfiguration().getFixerApiKey());
-    FtxClient                 ftxClient       = new FtxClient(currencyClient);
-    CurrencyConversionManager currencyManager = new CurrencyConversionManager(fixerClient, ftxClient, config.getPaymentsServiceConfiguration().getPaymentCurrencies());
+    AccountDatabaseCrawlerCache directoryReconciliationAccountDatabaseCrawlerCache = new AccountDatabaseCrawlerCache(
+        cacheCluster, AccountDatabaseCrawlerCache.DIRECTORY_RECONCILER_PREFIX);
+    AccountDatabaseCrawler directoryReconciliationAccountDatabaseCrawler = new AccountDatabaseCrawler(
+        "Reconciliation crawler",
+        accountsManager,
+        directoryReconciliationAccountDatabaseCrawlerCache, directoryReconciliationAccountDatabaseCrawlerListeners,
+        config.getAccountDatabaseCrawlerConfiguration().getChunkSize(),
+        config.getAccountDatabaseCrawlerConfiguration().getChunkIntervalMs()
+    );
 
-    AccountDatabaseCrawlerCache accountDatabaseCrawlerCache = new AccountDatabaseCrawlerCache(cacheCluster);
-    AccountDatabaseCrawler accountDatabaseCrawler = new AccountDatabaseCrawler(accountsManager,
+    AccountDatabaseCrawlerCache accountCleanerAccountDatabaseCrawlerCache =
+        new AccountDatabaseCrawlerCache(cacheCluster, AccountDatabaseCrawlerCache.ACCOUNT_CLEANER_PREFIX);
+    AccountDatabaseCrawler accountCleanerAccountDatabaseCrawler = new AccountDatabaseCrawler("Account cleaner crawler",
+        accountsManager,
+        accountCleanerAccountDatabaseCrawlerCache, List.of(new AccountCleaner(accountsManager)),
+        config.getAccountDatabaseCrawlerConfiguration().getChunkSize(),
+        config.getAccountDatabaseCrawlerConfiguration().getChunkIntervalMs()
+    );
+
+    // TODO listeners must be ordered so that ones that directly update accounts come last, so that read-only ones are not working with stale data
+    final List<AccountDatabaseCrawlerListener> accountDatabaseCrawlerListeners = List.of(
+        new NonNormalizedAccountCrawlerListener(accountsManager, metricsCluster),
+        new ContactDiscoveryWriter(accountsManager),
+        // PushFeedbackProcessor may update device properties
+        new PushFeedbackProcessor(accountsManager));
+
+    AccountDatabaseCrawlerCache accountDatabaseCrawlerCache = new AccountDatabaseCrawlerCache(cacheCluster,
+        AccountDatabaseCrawlerCache.GENERAL_PURPOSE_PREFIX);
+    AccountDatabaseCrawler accountDatabaseCrawler = new AccountDatabaseCrawler("General-purpose account crawler",
+        accountsManager,
         accountDatabaseCrawlerCache, accountDatabaseCrawlerListeners,
         config.getAccountDatabaseCrawlerConfiguration().getChunkSize(),
         config.getAccountDatabaseCrawlerConfiguration().getChunkIntervalMs()
@@ -556,14 +552,18 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
 
     DeletedAccountsTableCrawler deletedAccountsTableCrawler = new DeletedAccountsTableCrawler(deletedAccountsManager, deletedAccountsDirectoryReconcilers, cacheCluster, recurringJobExecutor);
 
-    apnSender.setApnFallbackManager(apnFallbackManager);
-    environment.lifecycle().manage(new ApplicationShutdownMonitor());
-    environment.lifecycle().manage(apnFallbackManager);
+    HttpClient                currencyClient  = HttpClient.newBuilder().version(HttpClient.Version.HTTP_2).connectTimeout(Duration.ofSeconds(10)).build();
+    FixerClient               fixerClient     = new FixerClient(currencyClient, config.getPaymentsServiceConfiguration().getFixerApiKey());
+    FtxClient                 ftxClient       = new FtxClient(currencyClient);
+    CurrencyConversionManager currencyManager = new CurrencyConversionManager(fixerClient, ftxClient, config.getPaymentsServiceConfiguration().getPaymentCurrencies());
+
+    environment.lifecycle().manage(apnSender);
+    environment.lifecycle().manage(apnPushNotificationScheduler);
     environment.lifecycle().manage(pubSubManager);
-    environment.lifecycle().manage(messageSender);
     environment.lifecycle().manage(accountDatabaseCrawler);
+    environment.lifecycle().manage(directoryReconciliationAccountDatabaseCrawler);
+    environment.lifecycle().manage(accountCleanerAccountDatabaseCrawler);
     environment.lifecycle().manage(deletedAccountsTableCrawler);
-    environment.lifecycle().manage(remoteConfigsManager);
     environment.lifecycle().manage(messagesCache);
     environment.lifecycle().manage(messagePersister);
     environment.lifecycle().manage(clientPresenceManager);
@@ -615,8 +615,8 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
         config.getWebSocketConfiguration(), 90000);
     webSocketEnvironment.setAuthenticator(new WebSocketAccountAuthenticator(accountAuthenticator));
     webSocketEnvironment.setConnectListener(
-        new AuthenticatedConnectListener(receiptSender, messagesManager, messageSender, apnFallbackManager,
-            clientPresenceManager, retrySchedulingExecutor));
+        new AuthenticatedConnectListener(receiptSender, messagesManager, pushNotificationManager,
+            clientPresenceManager, websocketScheduledExecutor));
     webSocketEnvironment.jersey().register(new WebsocketRefreshApplicationEventListener(accountsManager, clientPresenceManager));
     webSocketEnvironment.jersey().register(new ContentLengthFilter(TrafficSource.WEBSOCKET));
     webSocketEnvironment.jersey().register(MultiRecipientMessageProvider.class);
@@ -625,27 +625,26 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
 
     // these should be common, but use @Auth DisabledPermittedAccount, which isn’t supported yet on websocket
     environment.jersey().register(
-        new AccountController(pendingAccountsManager, accountsManager, usernamesManager, abusiveHostRules, rateLimiters,
+        new AccountController(pendingAccountsManager, accountsManager, abusiveHostRules, rateLimiters,
             smsSender, dynamicConfigurationManager, turnTokenGenerator, config.getTestDevices(),
-            transitionalRecaptchaClient, gcmSender, apnSender, backupCredentialsGenerator,
-            verifyExperimentEnrollmentManager));
-    environment.jersey().register(new KeysController(rateLimiters, keysDynamoDb, accountsManager, preKeyRateLimiter, rateLimitChallengeManager));
+            recaptchaClient, pushNotificationManager, verifyExperimentEnrollmentManager,
+            changeNumberManager, backupCredentialsGenerator));
+    environment.jersey().register(new KeysController(rateLimiters, keys, accountsManager));
 
     final List<Object> commonControllers = Lists.newArrayList(
         new AttachmentControllerV1(rateLimiters, config.getAwsAttachmentsConfiguration().getAccessKey(), config.getAwsAttachmentsConfiguration().getAccessSecret(), config.getAwsAttachmentsConfiguration().getBucket()),
         new AttachmentControllerV2(rateLimiters, config.getAwsAttachmentsConfiguration().getAccessKey(), config.getAwsAttachmentsConfiguration().getAccessSecret(), config.getAwsAttachmentsConfiguration().getRegion(), config.getAwsAttachmentsConfiguration().getBucket()),
         new AttachmentControllerV3(rateLimiters, config.getGcpAttachmentsConfiguration().getDomain(), config.getGcpAttachmentsConfiguration().getEmail(), config.getGcpAttachmentsConfiguration().getMaxSizeInBytes(), config.getGcpAttachmentsConfiguration().getPathPrefix(), config.getGcpAttachmentsConfiguration().getRsaSigningKey()),
-        new CertificateController(new CertificateGenerator(config.getDeliveryCertificate().getCertificate(), config.getDeliveryCertificate().getPrivateKey(), config.getDeliveryCertificate().getExpiresDays()), zkAuthOperations),
+        new CertificateController(new CertificateGenerator(config.getDeliveryCertificate().getCertificate(), config.getDeliveryCertificate().getPrivateKey(), config.getDeliveryCertificate().getExpiresDays()), zkAuthOperations, clock),
         new ChallengeController(rateLimitChallengeManager),
-        new DeviceController(pendingDevicesManager, accountsManager, messagesManager, keysDynamoDb, rateLimiters, config.getMaxDevices()),
+        new DeviceController(pendingDevicesManager, accountsManager, messagesManager, keys, rateLimiters, config.getMaxDevices()),
         new DirectoryController(directoryCredentialsGenerator),
         new DirectoryV2Controller(directoryV2CredentialsGenerator),
         new DonationController(clock, zkReceiptOperations, redeemedReceiptsManager, accountsManager, config.getBadges(),
             ReceiptCredentialPresentation::new, stripeExecutor, config.getDonationConfiguration(), config.getStripe()),
-        new MessageController(rateLimiters, messageSender, receiptSender, accountsManager, messagesManager, unsealedSenderRateLimiter, apnFallbackManager,
-            rateLimitChallengeManager, reportMessageManager, multiRecipientMessageExecutor),
+        new MessageController(rateLimiters, messageSender, receiptSender, accountsManager, deletedAccountsManager, messagesManager, pushNotificationManager, reportMessageManager, multiRecipientMessageExecutor),
         new PaymentsController(currencyManager, paymentsCredentialsGenerator),
-        new ProfileController(clock, rateLimiters, accountsManager, profilesManager, usernamesManager, dynamicConfigurationManager, profileBadgeConverter, config.getBadges(), cdnS3Client, profileCdnPolicyGenerator, profileCdnPolicySigner, config.getCdnConfiguration().getBucket(), zkProfileOperations),
+        new ProfileController(clock, rateLimiters, accountsManager, profilesManager, dynamicConfigurationManager, profileBadgeConverter, config.getBadges(), cdnS3Client, profileCdnPolicyGenerator, profileCdnPolicySigner, config.getCdnConfiguration().getBucket(), zkProfileOperations, batchIdentityCheckExecutor),
         new ProvisioningController(rateLimiters, provisioningManager),
         new RemoteConfigController(remoteConfigsManager, config.getRemoteConfigConfiguration().getAuthorizedTokens(), config.getRemoteConfigConfiguration().getGlobalConfig()),
         new SecureBackupController(backupCredentialsGenerator),
@@ -656,8 +655,8 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
     );
     if (config.getSubscription() != null && config.getBoost() != null) {
       commonControllers.add(new SubscriptionController(clock, config.getSubscription(), config.getBoost(),
-          subscriptionManager, stripeManager, zkReceiptOperations, issuedReceiptsManager, profileBadgeConverter,
-          resourceBundleLevelTranslator));
+          config.getGift(), subscriptionManager, stripeManager, zkReceiptOperations, issuedReceiptsManager,
+          profileBadgeConverter, resourceBundleLevelTranslator));
     }
 
     for (Object controller : commonControllers) {
@@ -685,6 +684,11 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
         log.warn("Abusive message filter {} not annotated with @FilterAbusiveMessages and will not be installed",
             filter.getClass().getName());
       }
+
+      if (filter instanceof RateLimitChallengeListener) {
+        log.info("Registered rate limit challenge listener: {}", filter.getClass().getName());
+        rateLimitChallengeManager.addListener((RateLimitChallengeListener) filter);
+      }
     }
 
     if (!registeredAbusiveMessageFilter) {
@@ -701,8 +705,8 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
     registerCorsFilter(environment);
     registerExceptionMappers(environment, webSocketEnvironment, provisioningEnvironment);
 
-    RateLimitChallengeExceptionMapper rateLimitChallengeExceptionMapper = new RateLimitChallengeExceptionMapper(
-        rateLimitChallengeManager);
+    RateLimitChallengeExceptionMapper rateLimitChallengeExceptionMapper =
+        new RateLimitChallengeExceptionMapper(rateLimitChallengeOptionManager);
 
     environment.jersey().register(rateLimitChallengeExceptionMapper);
     webSocketEnvironment.jersey().register(rateLimitChallengeExceptionMapper);
@@ -731,6 +735,8 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
 
     environment.healthChecks().register("cacheCluster", new RedisClusterHealthCheck(cacheCluster));
 
+    environment.lifecycle().manage(new ApplicationShutdownMonitor(Metrics.globalRegistry));
+
     environment.metrics().register(name(CpuUsageGauge.class, "cpu"), new CpuUsageGauge(3, TimeUnit.SECONDS));
     environment.metrics().register(name(FreeMemoryGauge.class, "free_memory"), new FreeMemoryGauge());
     environment.metrics().register(name(NetworkSentGauge.class, "bytes_sent"), new NetworkSentGauge());
@@ -757,7 +763,6 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
         new RateLimitExceededExceptionMapper(),
         new InvalidWebsocketAddressExceptionMapper(),
         new DeviceLimitExceededExceptionMapper(),
-        new RetryLaterExceptionMapper(),
         new ServerRejectedExceptionMapper(),
         new ImpossiblePhoneNumberExceptionMapper(),
         new NonNormalizedPhoneNumberExceptionMapper()

service/src/main/java/org/whispersystems/textsecuregcm/abuse/RateLimitChallengeListener.java

@@ -0,0 +1,24 @@
+/*
+ * Copyright 2013-2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.abuse;
+
+
+import org.whispersystems.textsecuregcm.storage.Account;
+import java.io.IOException;
+
+public interface RateLimitChallengeListener {
+
+  void handleRateLimitChallengeAnswered(Account account);
+
+  /**
+   * Configures this rate limit challenge listener. This method will be called before the service begins processing any
+   * challenges.
+   *
+   * @param environmentName the name of the environment in which this listener is running (e.g. "staging" or "production")
+   * @throws IOException if the listener could not read its configuration source for any reason
+   */
+  void configure(String environmentName) throws IOException;
+}

service/src/main/java/org/whispersystems/textsecuregcm/abuse/RateLimitChallengeType.java

@@ -0,0 +1,12 @@
+/*
+ * Copyright 2013-2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.abuse;
+
+public enum RateLimitChallengeType {
+
+  PUSH_CHALLENGE,
+  RECAPTCHA
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/AccountAuthenticator.java

@@ -7,32 +7,18 @@ package org.whispersystems.textsecuregcm.auth;
 import io.dropwizard.auth.Authenticator;
 import io.dropwizard.auth.basic.BasicCredentials;
 import java.util.Optional;
-import io.micrometer.core.instrument.Metrics;
 import org.whispersystems.textsecuregcm.storage.AccountsManager;
 
-import static com.codahale.metrics.MetricRegistry.name;
-
 public class AccountAuthenticator extends BaseAccountAuthenticator implements
     Authenticator<BasicCredentials, AuthenticatedAccount> {
 
-  private static final String AUTHENTICATION_COUNTER_NAME = name(AccountAuthenticator.class, "authenticate");
-
   public AccountAuthenticator(AccountsManager accountsManager) {
     super(accountsManager);
   }
 
   @Override
   public Optional<AuthenticatedAccount> authenticate(BasicCredentials basicCredentials) {
-    final Optional<AuthenticatedAccount> maybeAuthenticatedAccount = super.authenticate(basicCredentials, true);
-
-    // TODO Remove after announcement groups have launched
-    maybeAuthenticatedAccount.ifPresent(authenticatedAccount ->
-        Metrics.counter(AUTHENTICATION_COUNTER_NAME,
-            "supportsAnnouncementGroups",
-            String.valueOf(authenticatedAccount.getAccount().isAnnouncementGroupSupported()))
-            .increment());
-
-    return maybeAuthenticatedAccount;
+    return super.authenticate(basicCredentials, true);
   }
 
 }

service/src/main/java/org/whispersystems/textsecuregcm/auth/AuthEnablementRefreshRequirementProvider.java

@@ -76,7 +76,7 @@ public class AuthEnablementRefreshRequirementProvider implements WebsocketRefres
       @SuppressWarnings("unchecked") final Map<Long, Boolean> initialDevicesEnabled =
           (Map<Long, Boolean>) requestEvent.getContainerRequest().getProperty(DEVICES_ENABLED);
 
-      return accountsManager.get((UUID) requestEvent.getContainerRequest().getProperty(ACCOUNT_UUID)).map(account -> {
+      return accountsManager.getByAccountIdentifier((UUID) requestEvent.getContainerRequest().getProperty(ACCOUNT_UUID)).map(account -> {
         final Set<Long> deviceIdsToDisplace;
         final Map<Long, Boolean> currentDevicesEnabled = buildDevicesEnabledMap(account);
 

service/src/main/java/org/whispersystems/textsecuregcm/auth/BaseAccountAuthenticator.java

@@ -78,7 +78,7 @@ public class BaseAccountAuthenticator {
         deviceId = identifierAndDeviceId.second();
       }
 
-      Optional<Account> account = accountsManager.get(accountUuid);
+      Optional<Account> account = accountsManager.getByAccountIdentifier(accountUuid);
 
       if (account.isEmpty()) {
         failureReason = "noSuchAccount";

service/src/main/java/org/whispersystems/textsecuregcm/auth/BasicAuthorizationHeader.java

@@ -5,9 +5,7 @@
 package org.whispersystems.textsecuregcm.auth;
 
 import java.util.Base64;
-import java.util.UUID;
 import org.apache.commons.lang3.StringUtils;
-import org.whispersystems.textsecuregcm.storage.Device;
 import org.whispersystems.textsecuregcm.util.Pair;
 
 public class BasicAuthorizationHeader {

service/src/main/java/org/whispersystems/textsecuregcm/auth/CertificateGenerator.java

@@ -7,18 +7,16 @@ package org.whispersystems.textsecuregcm.auth;
 
 import com.google.protobuf.ByteString;
 import com.google.protobuf.InvalidProtocolBufferException;
-import org.whispersystems.textsecuregcm.crypto.Curve;
-import org.whispersystems.textsecuregcm.crypto.ECPrivateKey;
+import java.security.InvalidKeyException;
+import java.util.Base64;
+import java.util.concurrent.TimeUnit;
+import org.signal.libsignal.protocol.ecc.Curve;
+import org.signal.libsignal.protocol.ecc.ECPrivateKey;
 import org.whispersystems.textsecuregcm.entities.MessageProtos.SenderCertificate;
 import org.whispersystems.textsecuregcm.entities.MessageProtos.ServerCertificate;
 import org.whispersystems.textsecuregcm.storage.Account;
 import org.whispersystems.textsecuregcm.storage.Device;
 
-import java.io.IOException;
-import java.security.InvalidKeyException;
-import java.util.Base64;
-import java.util.concurrent.TimeUnit;
-
 public class CertificateGenerator {
 
   private final ECPrivateKey      privateKey;
@@ -46,7 +44,12 @@ public class CertificateGenerator {
     }
 
     byte[] certificate = builder.build().toByteArray();
-    byte[] signature   = Curve.calculateSignature(privateKey, certificate);
+    byte[] signature;
+    try {
+      signature = Curve.calculateSignature(privateKey, certificate);
+    } catch (org.signal.libsignal.protocol.InvalidKeyException e) {
+      throw new InvalidKeyException(e);
+    }
 
     return SenderCertificate.newBuilder()
                             .setCertificate(ByteString.copyFrom(certificate))

service/src/main/java/org/whispersystems/textsecuregcm/auth/ExternalServiceCredentialGenerator.java

@@ -35,7 +35,7 @@ public class ExternalServiceCredentialGenerator {
     this(key, userIdKey, usernameDerivation, true);
   }
 
-  private ExternalServiceCredentialGenerator(byte[] key, byte[] userIdKey, boolean usernameDerivation,
+  public ExternalServiceCredentialGenerator(byte[] key, byte[] userIdKey, boolean usernameDerivation,
       boolean prependUsername) {
     this(key, userIdKey, usernameDerivation, prependUsername, Clock.systemUTC());
   }

service/src/main/java/org/whispersystems/textsecuregcm/auth/OptionalAccess.java

@@ -8,6 +8,8 @@ package org.whispersystems.textsecuregcm.auth;
 import org.whispersystems.textsecuregcm.storage.Account;
 import org.whispersystems.textsecuregcm.storage.Device;
 
+import javax.ws.rs.NotAuthorizedException;
+import javax.ws.rs.NotFoundException;
 import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.Response;
 import java.security.MessageDigest;
@@ -36,9 +38,9 @@ public class OptionalAccess {
         }
 
         if (requestAccount.isPresent()) {
-          throw new WebApplicationException(Response.Status.NOT_FOUND);
+          throw new NotFoundException();
         } else {
-          throw new WebApplicationException(Response.Status.UNAUTHORIZED);
+          throw new NotAuthorizedException(Response.Status.UNAUTHORIZED);
         }
       }
     } catch (NumberFormatException e) {
@@ -56,7 +58,7 @@ public class OptionalAccess {
 
     //noinspection ConstantConditions
     if (requestAccount.isPresent() && (targetAccount.isEmpty() || (targetAccount.isPresent() && !targetAccount.get().isEnabled()))) {
-      throw new WebApplicationException(Response.Status.NOT_FOUND);
+      throw new NotFoundException();
     }
 
     if (accessKey.isPresent() && targetAccount.isPresent() && targetAccount.get().isEnabled() && targetAccount.get().isUnrestrictedUnidentifiedAccess()) {
@@ -72,7 +74,7 @@ public class OptionalAccess {
       return;
     }
 
-    throw new WebApplicationException(Response.Status.UNAUTHORIZED);
+    throw new NotAuthorizedException(Response.Status.UNAUTHORIZED);
   }
 
 }

service/src/main/java/org/whispersystems/textsecuregcm/auth/PhoneNumberChangeRefreshRequirementProvider.java

@@ -10,7 +10,6 @@ import java.util.List;
 import java.util.Optional;
 import java.util.UUID;
 import java.util.stream.Collectors;
-import org.glassfish.jersey.server.ContainerRequest;
 import org.glassfish.jersey.server.monitoring.RequestEvent;
 import org.whispersystems.textsecuregcm.storage.Account;
 import org.whispersystems.textsecuregcm.util.Pair;

service/src/main/java/org/whispersystems/textsecuregcm/auth/TurnToken.java

@@ -6,6 +6,7 @@
 package org.whispersystems.textsecuregcm.auth;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
+import com.google.common.annotations.VisibleForTesting;
 
 import java.util.List;
 
@@ -25,4 +26,9 @@ public class TurnToken {
     this.password = password;
     this.urls     = urls;
   }
+
+  @VisibleForTesting
+  List<String> getUrls() {
+    return urls;
+  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/auth/TurnTokenGenerator.java

@@ -5,7 +5,12 @@
 
 package org.whispersystems.textsecuregcm.auth;
 
-import org.whispersystems.textsecuregcm.configuration.TurnConfiguration;
+import org.whispersystems.textsecuregcm.configuration.TurnUriConfiguration;
+import org.whispersystems.textsecuregcm.configuration.dynamic.DynamicConfiguration;
+import org.whispersystems.textsecuregcm.configuration.dynamic.DynamicTurnConfiguration;
+import org.whispersystems.textsecuregcm.storage.DynamicConfigurationManager;
+import org.whispersystems.textsecuregcm.util.Pair;
+import org.whispersystems.textsecuregcm.util.WeightedRandomSelect;
 
 import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
@@ -14,20 +19,21 @@ import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.util.Base64;
 import java.util.List;
+import java.util.Optional;
 import java.util.concurrent.TimeUnit;
 
 public class TurnTokenGenerator {
 
-  private final byte[]       key;
-  private final List<String> urls;
+  private final DynamicConfigurationManager<DynamicConfiguration> dynamicConfiguration;
 
-  public TurnTokenGenerator(TurnConfiguration configuration) {
-    this.key  = configuration.getSecret().getBytes();
-    this.urls = configuration.getUris();
+  public TurnTokenGenerator(final DynamicConfigurationManager<DynamicConfiguration> config) {
+    this.dynamicConfiguration = config;
   }
 
-  public TurnToken generate() {
+  public TurnToken generate(final String e164) {
     try {
+      byte[] key                = dynamicConfiguration.getConfiguration().getTurnConfiguration().getSecret().getBytes();
+      List<String> urls         = urls(e164);
       Mac    mac                = Mac.getInstance("HmacSHA1");
       long   validUntilSeconds  = (System.currentTimeMillis() + TimeUnit.DAYS.toMillis(1)) / 1000;
       long   user               = Math.abs(new SecureRandom().nextInt());
@@ -41,4 +47,22 @@ public class TurnTokenGenerator {
       throw new AssertionError(e);
     }
   }
+
+  private List<String> urls(final String e164) {
+    final DynamicTurnConfiguration turnConfig = dynamicConfiguration.getConfiguration().getTurnConfiguration();
+
+    // Check if number is enrolled to test out specific turn servers
+    final Optional<TurnUriConfiguration> enrolled = turnConfig.getUriConfigs().stream()
+        .filter(config -> config.getEnrolledNumbers().contains(e164))
+        .findFirst();
+    if (enrolled.isPresent()) {
+      return enrolled.get().getUris();
+    }
+
+    // Otherwise, select from turn server sets by weighted choice
+    return WeightedRandomSelect.select(turnConfig
+        .getUriConfigs()
+        .stream()
+        .map(c -> new Pair<List<String>, Long>(c.getUris(), c.getWeight())).toList());
+  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/auth/WebsocketRefreshRequestEventListener.java

@@ -5,10 +5,14 @@
 
 package org.whispersystems.textsecuregcm.auth;
 
-import java.util.Arrays;
-import java.util.concurrent.atomic.AtomicInteger;
+import static org.whispersystems.textsecuregcm.metrics.MetricsUtil.name;
+
 import io.micrometer.core.instrument.Counter;
 import io.micrometer.core.instrument.Metrics;
+import java.util.Arrays;
+import java.util.concurrent.atomic.AtomicInteger;
+import javax.ws.rs.container.ResourceInfo;
+import javax.ws.rs.core.Context;
 import org.glassfish.jersey.server.monitoring.RequestEvent;
 import org.glassfish.jersey.server.monitoring.RequestEvent.Type;
 import org.glassfish.jersey.server.monitoring.RequestEventListener;
@@ -16,11 +20,6 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.whispersystems.textsecuregcm.push.ClientPresenceManager;
 
-import javax.ws.rs.container.ResourceInfo;
-import javax.ws.rs.core.Context;
-
-import static org.whispersystems.textsecuregcm.metrics.MetricsUtil.name;
-
 public class WebsocketRefreshRequestEventListener implements RequestEventListener {
 
   private final ClientPresenceManager clientPresenceManager;
@@ -60,7 +59,7 @@ public class WebsocketRefreshRequestEventListener implements RequestEventListene
           .forEach(pair -> {
             try {
               displacedDevices.incrementAndGet();
-              clientPresenceManager.displacePresence(pair.first(), pair.second());
+              clientPresenceManager.disconnectPresence(pair.first(), pair.second());
             } catch (final Exception e) {
               logger.error("Could not displace device presence", e);
             }

service/src/main/java/org/whispersystems/textsecuregcm/auth/WebsocketRefreshRequirementProvider.java

@@ -7,7 +7,6 @@ package org.whispersystems.textsecuregcm.auth;
 
 import java.util.List;
 import java.util.UUID;
-import org.glassfish.jersey.server.ContainerRequest;
 import org.glassfish.jersey.server.monitoring.RequestEvent;
 import org.whispersystems.textsecuregcm.util.Pair;
 

service/src/main/java/org/whispersystems/textsecuregcm/configuration/AccountsDatabaseConfiguration.java

@@ -1,23 +0,0 @@
-/*
- * Copyright 2021 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.configuration;
-
-import com.fasterxml.jackson.annotation.JsonProperty;
-
-import javax.validation.Valid;
-import javax.validation.constraints.NotNull;
-
-public class AccountsDatabaseConfiguration extends DatabaseConfiguration {
-
-    @JsonProperty
-    @NotNull
-    @Valid
-    private RetryConfiguration keyOperationRetry = new RetryConfiguration();
-
-    public RetryConfiguration getKeyOperationRetryConfiguration() {
-        return keyOperationRetry;
-    }
-}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/AccountsDynamoDbConfiguration.java

@@ -1,23 +0,0 @@
-package org.whispersystems.textsecuregcm.configuration;
-
-import com.fasterxml.jackson.annotation.JsonProperty;
-import javax.validation.constraints.NotNull;
-
-public class AccountsDynamoDbConfiguration extends DynamoDbConfiguration {
-
-  @NotNull
-  private String phoneNumberTableName;
-
-  private int scanPageSize = 100;
-
-  @JsonProperty
-  public String getPhoneNumberTableName() {
-    return phoneNumberTableName;
-  }
-
-  @JsonProperty
-  public int getScanPageSize() {
-    return scanPageSize;
-  }
-
-}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/AccountsTableConfiguration.java

@@ -0,0 +1,49 @@
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import org.whispersystems.textsecuregcm.configuration.DynamoDbTables.Table;
+import javax.validation.constraints.NotBlank;
+
+public class AccountsTableConfiguration extends Table {
+
+  private final String phoneNumberTableName;
+  private final String phoneNumberIdentifierTableName;
+  private final String usernamesTableName;
+  private final int scanPageSize;
+
+  @JsonCreator
+  public AccountsTableConfiguration(
+      @JsonProperty("tableName") final String tableName,
+      @JsonProperty("phoneNumberTableName") final String phoneNumberTableName,
+      @JsonProperty("phoneNumberIdentifierTableName") final String phoneNumberIdentifierTableName,
+      @JsonProperty("usernamesTableName") final String usernamesTableName,
+      @JsonProperty("scanPageSize") final int scanPageSize) {
+
+    super(tableName);
+
+    this.phoneNumberTableName = phoneNumberTableName;
+    this.phoneNumberIdentifierTableName = phoneNumberIdentifierTableName;
+    this.usernamesTableName = usernamesTableName;
+    this.scanPageSize = scanPageSize;
+  }
+
+  @NotBlank
+  public String getPhoneNumberTableName() {
+    return phoneNumberTableName;
+  }
+
+  @NotBlank
+  public String getPhoneNumberIdentifierTableName() {
+    return phoneNumberIdentifierTableName;
+  }
+
+  @NotBlank
+  public String getUsernamesTableName() {
+    return usernamesTableName;
+  }
+
+  public int getScanPageSize() {
+    return scanPageSize;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/DeletedAccountsDynamoDbConfiguration.java

@@ -1,13 +0,0 @@
-package org.whispersystems.textsecuregcm.configuration;
-
-import javax.validation.constraints.NotNull;
-
-public class DeletedAccountsDynamoDbConfiguration extends DynamoDbConfiguration {
-
-  @NotNull
-  private String needsReconciliationIndexName;
-
-  public String getNeedsReconciliationIndexName() {
-    return needsReconciliationIndexName;
-  }
-}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/DeletedAccountsTableConfiguration.java

@@ -0,0 +1,25 @@
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import javax.validation.constraints.NotBlank;
+import org.whispersystems.textsecuregcm.configuration.DynamoDbTables.Table;
+
+public class DeletedAccountsTableConfiguration extends Table {
+
+  private final String needsReconciliationIndexName;
+
+  @JsonCreator
+  public DeletedAccountsTableConfiguration(
+      @JsonProperty("tableName") final String tableName,
+      @JsonProperty("needsReconciliationIndexName") final String needsReconciliationIndexName) {
+
+    super(tableName);
+    this.needsReconciliationIndexName = needsReconciliationIndexName;
+  }
+
+  @NotBlank
+  public String getNeedsReconciliationIndexName() {
+    return needsReconciliationIndexName;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/DirectoryV2ClientConfiguration.java

@@ -11,11 +11,14 @@ import org.whispersystems.textsecuregcm.util.ExactlySize;
 public class DirectoryV2ClientConfiguration {
 
   private final byte[] userAuthenticationTokenSharedSecret;
+  private final byte[] userIdTokenSharedSecret;
 
   @JsonCreator
   public DirectoryV2ClientConfiguration(
-      @JsonProperty("userAuthenticationTokenSharedSecret") final byte[] userAuthenticationTokenSharedSecret) {
+      @JsonProperty("userAuthenticationTokenSharedSecret") final byte[] userAuthenticationTokenSharedSecret,
+      @JsonProperty("userIdTokenSharedSecret") final byte[] userIdTokenSharedSecret) {
     this.userAuthenticationTokenSharedSecret = userAuthenticationTokenSharedSecret;
+    this.userIdTokenSharedSecret = userIdTokenSharedSecret;
   }
 
   @ExactlySize({32})
@@ -23,4 +26,8 @@ public class DirectoryV2ClientConfiguration {
     return userAuthenticationTokenSharedSecret;
   }
 
+  @ExactlySize({32})
+  public byte[] getUserIdTokenSharedSecret() {
+    return userIdTokenSharedSecret;
+  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/DynamoDbConfiguration.java

@@ -1,44 +0,0 @@
-/*
- * Copyright 2021 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.configuration;
-
-import com.fasterxml.jackson.annotation.JsonProperty;
-
-import javax.validation.Valid;
-import javax.validation.constraints.NotEmpty;
-import java.time.Duration;
-
-public class DynamoDbConfiguration {
-
-    private String   region;
-    private String   tableName;
-    private Duration clientExecutionTimeout = Duration.ofSeconds(30);
-    private Duration clientRequestTimeout   = Duration.ofSeconds(10);
-
-    @Valid
-    @NotEmpty
-    @JsonProperty
-    public String getRegion() {
-        return region;
-    }
-
-    @Valid
-    @NotEmpty
-    @JsonProperty
-    public String getTableName() {
-        return tableName;
-    }
-
-    @JsonProperty
-    public Duration getClientExecutionTimeout() {
-        return clientExecutionTimeout;
-    }
-
-    @JsonProperty
-    public Duration getClientRequestTimeout() {
-        return clientRequestTimeout;
-    }
-}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/DynamoDbTables.java

@@ -46,34 +46,151 @@ public class DynamoDbTables {
     }
   }
 
+  private final AccountsTableConfiguration accounts;
+  private final DeletedAccountsTableConfiguration deletedAccounts;
+  private final Table deletedAccountsLock;
   private final IssuedReceiptsTableConfiguration issuedReceipts;
+  private final Table keys;
+  private final TableWithExpiration messages;
+  private final Table pendingAccounts;
+  private final Table pendingDevices;
+  private final Table phoneNumberIdentifiers;
+  private final Table profiles;
+  private final Table pushChallenge;
   private final TableWithExpiration redeemedReceipts;
+  private final Table remoteConfig;
+  private final Table reportMessage;
+  private final Table reservedUsernames;
   private final Table subscriptions;
 
-  @JsonCreator
   public DynamoDbTables(
+      @JsonProperty("accounts") final AccountsTableConfiguration accounts,
+      @JsonProperty("deletedAccounts") final DeletedAccountsTableConfiguration deletedAccounts,
+      @JsonProperty("deletedAccountsLock") final Table deletedAccountsLock,
       @JsonProperty("issuedReceipts") final IssuedReceiptsTableConfiguration issuedReceipts,
+      @JsonProperty("keys") final Table keys,
+      @JsonProperty("messages") final TableWithExpiration messages,
+      @JsonProperty("pendingAccounts") final Table pendingAccounts,
+      @JsonProperty("pendingDevices") final Table pendingDevices,
+      @JsonProperty("phoneNumberIdentifiers") final Table phoneNumberIdentifiers,
+      @JsonProperty("profiles") final Table profiles,
+      @JsonProperty("pushChallenge") final Table pushChallenge,
       @JsonProperty("redeemedReceipts") final TableWithExpiration redeemedReceipts,
+      @JsonProperty("remoteConfig") final Table remoteConfig,
+      @JsonProperty("reportMessage") final Table reportMessage,
+      @JsonProperty("reservedUsernames") final Table reservedUsernames,
       @JsonProperty("subscriptions") final Table subscriptions) {
+
+    this.accounts = accounts;
+    this.deletedAccounts = deletedAccounts;
+    this.deletedAccountsLock = deletedAccountsLock;
     this.issuedReceipts = issuedReceipts;
+    this.keys = keys;
+    this.messages = messages;
+    this.pendingAccounts = pendingAccounts;
+    this.pendingDevices = pendingDevices;
+    this.phoneNumberIdentifiers = phoneNumberIdentifiers;
+    this.profiles = profiles;
+    this.pushChallenge = pushChallenge;
     this.redeemedReceipts = redeemedReceipts;
+    this.remoteConfig = remoteConfig;
+    this.reportMessage = reportMessage;
+    this.reservedUsernames = reservedUsernames;
     this.subscriptions = subscriptions;
   }
 
-  @Valid
   @NotNull
+  @Valid
+  public AccountsTableConfiguration getAccounts() {
+    return accounts;
+  }
+
+  @NotNull
+  @Valid
+  public DeletedAccountsTableConfiguration getDeletedAccounts() {
+    return deletedAccounts;
+  }
+
+  @NotNull
+  @Valid
+  public Table getDeletedAccountsLock() {
+    return deletedAccountsLock;
+  }
+
+  @NotNull
+  @Valid
   public IssuedReceiptsTableConfiguration getIssuedReceipts() {
     return issuedReceipts;
   }
 
-  @Valid
   @NotNull
+  @Valid
+  public Table getKeys() {
+    return keys;
+  }
+
+  @NotNull
+  @Valid
+  public TableWithExpiration getMessages() {
+    return messages;
+  }
+
+  @NotNull
+  @Valid
+  public Table getPendingAccounts() {
+    return pendingAccounts;
+  }
+
+  @NotNull
+  @Valid
+  public Table getPendingDevices() {
+    return pendingDevices;
+  }
+
+  @NotNull
+  @Valid
+  public Table getPhoneNumberIdentifiers() {
+    return phoneNumberIdentifiers;
+  }
+
+  @NotNull
+  @Valid
+  public Table getProfiles() {
+    return profiles;
+  }
+
+  @NotNull
+  @Valid
+  public Table getPushChallenge() {
+    return pushChallenge;
+  }
+
+  @NotNull
+  @Valid
   public TableWithExpiration getRedeemedReceipts() {
     return redeemedReceipts;
   }
 
-  @Valid
   @NotNull
+  @Valid
+  public Table getRemoteConfig() {
+    return remoteConfig;
+  }
+
+  @NotNull
+  @Valid
+  public Table getReportMessage() {
+    return reportMessage;
+  }
+
+  @NotNull
+  @Valid
+  public Table getReservedUsernames() {
+    return reservedUsernames;
+  }
+
+  @NotNull
+  @Valid
   public Table getSubscriptions() {
     return subscriptions;
   }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/FcmConfiguration.java

@@ -0,0 +1,11 @@
+/*
+ * Copyright 2013-2022 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import javax.validation.constraints.NotBlank;
+
+public record FcmConfiguration(@NotBlank String credentials) {
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/GcmConfiguration.java

@@ -1,29 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.textsecuregcm.configuration;
-
-import com.fasterxml.jackson.annotation.JsonProperty;
-import javax.validation.constraints.NotEmpty;
-import javax.validation.constraints.NotNull;
-
-public class GcmConfiguration {
-
-  @NotNull
-  @JsonProperty
-  private long senderId;
-
-  @NotEmpty
-  @JsonProperty
-  private String apiKey;
-
-  public String getApiKey() {
-    return apiKey;
-  }
-
-  public long getSenderId() {
-    return senderId;
-  }
-
-}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/GiftConfiguration.java

@@ -0,0 +1,21 @@
+/*
+ * Copyright 2022 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import java.math.BigDecimal;
+import java.time.Duration;
+import java.util.Map;
+import javax.validation.Valid;
+import javax.validation.constraints.DecimalMin;
+import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.NotNull;
+
+public record GiftConfiguration(
+    long level,
+    @NotNull Duration expiration,
+    @Valid @NotNull Map<@NotEmpty String, @DecimalMin("0.01") @NotNull BigDecimal> currencies,
+    @NotEmpty String badge) {
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/MessageDynamoDbConfiguration.java

@@ -1,19 +0,0 @@
-/*
- * Copyright 2021 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.configuration;
-
-import java.time.Duration;
-import javax.validation.Valid;
-
-public class MessageDynamoDbConfiguration extends DynamoDbConfiguration {
-
-  private Duration timeToLive = Duration.ofDays(14);
-
-  @Valid
-  public Duration getTimeToLive() {
-    return timeToLive;
-  }
-}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/PushConfiguration.java

@@ -1,20 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.configuration;
-
-import com.fasterxml.jackson.annotation.JsonProperty;
-import javax.validation.constraints.Min;
-
-public class PushConfiguration {
-
-  @JsonProperty
-  @Min(0)
-  private int queueSize = 200;
-
-  public int getQueueSize() {
-    return queueSize;
-  }
-}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/RateLimitsConfiguration.java

@@ -5,7 +5,6 @@
 package org.whispersystems.textsecuregcm.configuration;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
-import java.time.Duration;
 
 public class RateLimitsConfiguration {
 
@@ -37,7 +36,7 @@ public class RateLimitsConfiguration {
   private RateLimitConfiguration attachments = new RateLimitConfiguration(50, 50);
 
   @JsonProperty
-  private RateLimitConfiguration prekeys = new RateLimitConfiguration(3, 1.0 / 10.0);
+  private RateLimitConfiguration prekeys = new RateLimitConfiguration(6, 1.0 / 10.0);
 
   @JsonProperty
   private RateLimitConfiguration messages = new RateLimitConfiguration(60, 60);
@@ -46,7 +45,7 @@ public class RateLimitsConfiguration {
   private RateLimitConfiguration allocateDevice = new RateLimitConfiguration(2, 1.0 / 2.0);
 
   @JsonProperty
-  private RateLimitConfiguration verifyDevice = new RateLimitConfiguration(2, 2);
+  private RateLimitConfiguration verifyDevice = new RateLimitConfiguration(6, 1.0 / 10.0);
 
   @JsonProperty
   private RateLimitConfiguration turnAllocations = new RateLimitConfiguration(60, 60);
@@ -63,6 +62,9 @@ public class RateLimitsConfiguration {
   @JsonProperty
   private RateLimitConfiguration usernameSet = new RateLimitConfiguration(100, 100 / (24.0 * 60.0));
 
+  @JsonProperty
+  private RateLimitConfiguration checkAccountExistence = new RateLimitConfiguration(1_000, 1_000 / 60.0);
+
   public RateLimitConfiguration getAutoBlock() {
     return autoBlock;
   }
@@ -135,6 +137,10 @@ public class RateLimitsConfiguration {
     return usernameSet;
   }
 
+  public RateLimitConfiguration getCheckAccountExistence() {
+    return checkAccountExistence;
+  }
+
   public static class RateLimitConfiguration {
     @JsonProperty
     private int bucketSize;
@@ -157,28 +163,4 @@ public class RateLimitsConfiguration {
       return leakRatePerMinute;
     }
   }
-
-  public static class CardinalityRateLimitConfiguration {
-    @JsonProperty
-    private int maxCardinality;
-
-    @JsonProperty
-    private Duration ttl;
-
-    public CardinalityRateLimitConfiguration() {
-    }
-
-    public CardinalityRateLimitConfiguration(int maxCardinality, Duration ttl) {
-      this.maxCardinality = maxCardinality;
-      this.ttl = ttl;
-    }
-
-    public int getMaxCardinality() {
-      return maxCardinality;
-    }
-
-    public Duration getTtl() {
-      return ttl;
-    }
-  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/RecaptchaConfiguration.java

@@ -1,21 +1,24 @@
 /*
- * Copyright 2013-2020 Signal Messenger, LLC
+ * Copyright 2021-2022 Signal Messenger, LLC
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
 package org.whispersystems.textsecuregcm.configuration;
 
-import com.fasterxml.jackson.annotation.JsonProperty;
 import javax.validation.constraints.NotEmpty;
 
 public class RecaptchaConfiguration {
 
-  @JsonProperty
-  @NotEmpty
-  private String secret;
+  private String projectPath;
+  private String credentialConfigurationJson;
 
-  public String getSecret() {
-    return secret;
+  @NotEmpty
+  public String getProjectPath() {
+    return projectPath;
   }
 
+  @NotEmpty
+  public String getCredentialConfigurationJson() {
+    return credentialConfigurationJson;
+  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/RecaptchaV2Configuration.java

@@ -1,42 +0,0 @@
-/*
- * Copyright 2021 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.configuration;
-
-import java.math.BigDecimal;
-import javax.validation.constraints.DecimalMax;
-import javax.validation.constraints.DecimalMin;
-import javax.validation.constraints.NotEmpty;
-import javax.validation.constraints.NotNull;
-
-public class RecaptchaV2Configuration {
-
-  private BigDecimal scoreFloor;
-  private String projectPath;
-  private String siteKey;
-  private String credentialConfigurationJson;
-
-  @DecimalMin("0")
-  @DecimalMax("1")
-  @NotNull
-  public BigDecimal getScoreFloor() {
-    return scoreFloor;
-  }
-
-  @NotEmpty
-  public String getProjectPath() {
-    return projectPath;
-  }
-
-  @NotEmpty
-  public String getSiteKey() {
-    return siteKey;
-  }
-
-  @NotEmpty
-  public String getCredentialConfigurationJson() {
-    return credentialConfigurationJson;
-  }
-}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/StripeConfiguration.java

@@ -13,13 +13,16 @@ public class StripeConfiguration {
 
   private final String apiKey;
   private final byte[] idempotencyKeyGenerator;
+  private final String boostDescription;
 
   @JsonCreator
   public StripeConfiguration(
       @JsonProperty("apiKey") final String apiKey,
-      @JsonProperty("idempotencyKeyGenerator") final byte[] idempotencyKeyGenerator) {
+      @JsonProperty("idempotencyKeyGenerator") final byte[] idempotencyKeyGenerator,
+      @JsonProperty("boostDescription") final String boostDescription) {
     this.apiKey = apiKey;
     this.idempotencyKeyGenerator = idempotencyKeyGenerator;
+    this.boostDescription = boostDescription;
   }
 
   @NotEmpty
@@ -31,4 +34,9 @@ public class StripeConfiguration {
   public byte[] getIdempotencyKeyGenerator() {
     return idempotencyKeyGenerator;
   }
+
+  @NotEmpty
+  public String getBoostDescription() {
+    return boostDescription;
+  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/TurnConfiguration.java

@@ -1,30 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.configuration;
-
-import com.fasterxml.jackson.annotation.JsonProperty;
-import java.util.List;
-import javax.validation.constraints.NotEmpty;
-import javax.validation.constraints.NotNull;
-
-public class TurnConfiguration {
-
-  @JsonProperty
-  @NotEmpty
-  private String secret;
-
-  @JsonProperty
-  @NotNull
-  private List<String> uris;
-
-  public List<String> getUris() {
-    return uris;
-  }
-
-  public String getSecret() {
-    return secret;
-  }
-}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/TurnUriConfiguration.java

@@ -0,0 +1,38 @@
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import javax.validation.constraints.Min;
+import javax.validation.constraints.NotNull;
+import java.util.Collections;
+import java.util.List;
+import java.util.Set;
+
+public class TurnUriConfiguration {
+  @JsonProperty
+  @NotNull
+  private List<String> uris;
+
+  /**
+   * The weight of this entry for weighted random selection
+   */
+  @JsonProperty
+  @Min(0)
+  private long weight = 1;
+
+  /**
+   * Enrolled numbers will always get this uri list
+   */
+  private Set<String> enrolledNumbers = Collections.emptySet();
+
+  public List<String> getUris() {
+    return uris;
+  }
+
+  public long getWeight() {
+    return weight;
+  }
+
+  public Set<String> getEnrolledNumbers() {
+    return Collections.unmodifiableSet(enrolledNumbers);
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/TwilioVerificationTextConfiguration.java

@@ -1,9 +1,6 @@
 package org.whispersystems.textsecuregcm.configuration;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
-import com.fasterxml.jackson.databind.PropertyNamingStrategy;
-import com.fasterxml.jackson.databind.annotation.JsonNaming;
-
 import javax.validation.constraints.NotEmpty;
 
 public class TwilioVerificationTextConfiguration {

service/src/main/java/org/whispersystems/textsecuregcm/configuration/UnidentifiedDeliveryConfiguration.java

@@ -8,8 +8,8 @@ package org.whispersystems.textsecuregcm.configuration;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
 import com.fasterxml.jackson.databind.annotation.JsonSerialize;
-import org.whispersystems.textsecuregcm.crypto.Curve;
-import org.whispersystems.textsecuregcm.crypto.ECPrivateKey;
+import org.signal.libsignal.protocol.ecc.Curve;
+import org.signal.libsignal.protocol.ecc.ECPrivateKey;
 import org.whispersystems.textsecuregcm.util.ByteArrayAdapter;
 
 import javax.validation.constraints.NotNull;

service/src/main/java/org/whispersystems/textsecuregcm/configuration/UsernameConfiguration.java

@@ -0,0 +1,36 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import javax.validation.constraints.Min;
+
+public class UsernameConfiguration {
+
+  @JsonProperty
+  @Min(1)
+  private int discriminatorInitialWidth = 4;
+
+  @JsonProperty
+  @Min(1)
+  private int discriminatorMaxWidth = 9;
+
+  @JsonProperty
+  @Min(1)
+  private int attemptsPerWidth = 10;
+
+  public int getDiscriminatorInitialWidth() {
+    return discriminatorInitialWidth;
+  }
+
+  public int getDiscriminatorMaxWidth() {
+    return discriminatorMaxWidth;
+  }
+
+  public int getAttemptsPerWidth() {
+    return attemptsPerWidth;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/dynamic/DynamicAbusiveHostRulesConfiguration.java

@@ -0,0 +1,14 @@
+package org.whispersystems.textsecuregcm.configuration.dynamic;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import java.time.Duration;
+
+public class DynamicAbusiveHostRulesConfiguration {
+
+  @JsonProperty
+  private Duration expirationTime = Duration.ofDays(1);
+
+  public Duration getExpirationTime() {
+    return expirationTime;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/dynamic/DynamicCaptchaConfiguration.java

@@ -0,0 +1,36 @@
+package org.whispersystems.textsecuregcm.configuration.dynamic;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.google.common.annotations.VisibleForTesting;
+import java.math.BigDecimal;
+import java.util.Collections;
+import java.util.Set;
+import javax.validation.constraints.DecimalMax;
+import javax.validation.constraints.DecimalMin;
+import javax.validation.constraints.NotNull;
+
+public class DynamicCaptchaConfiguration {
+
+  @JsonProperty
+  @DecimalMin("0")
+  @DecimalMax("1")
+  @NotNull
+  private BigDecimal scoreFloor;
+
+  @JsonProperty
+  @NotNull
+  private Set<String> signupCountryCodes = Collections.emptySet();
+
+  public Set<String> getSignupCountryCodes() {
+    return signupCountryCodes;
+  }
+
+  @VisibleForTesting
+  public void setSignupCountryCodes(Set<String> numbers) {
+    this.signupCountryCodes = numbers;
+  }
+
+  public BigDecimal getScoreFloor() {
+    return scoreFloor;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/dynamic/DynamicConfiguration.java

@@ -5,7 +5,6 @@ import com.google.common.annotations.VisibleForTesting;
 import java.util.Collections;
 import java.util.Map;
 import java.util.Optional;
-import java.util.Set;
 import javax.validation.Valid;
 
 public class DynamicConfiguration {
@@ -26,23 +25,17 @@ public class DynamicConfiguration {
   @Valid
   private DynamicRemoteDeprecationConfiguration remoteDeprecation = new DynamicRemoteDeprecationConfiguration();
 
-  @JsonProperty
-  @Valid
-  private DynamicMessageRateConfiguration messageRate = new DynamicMessageRateConfiguration();
-
   @JsonProperty
   @Valid
   private DynamicPaymentsConfiguration payments = new DynamicPaymentsConfiguration();
 
-  @JsonProperty
-  private Set<String> featureFlags = Collections.emptySet();
-
   @JsonProperty
   @Valid
   private DynamicTwilioConfiguration twilio = new DynamicTwilioConfiguration();
 
   @JsonProperty
-  private DynamicSignupCaptchaConfiguration signupCaptcha = new DynamicSignupCaptchaConfiguration();
+  @Valid
+  private DynamicCaptchaConfiguration captcha = new DynamicCaptchaConfiguration();
 
   @JsonProperty
   @Valid
@@ -51,6 +44,26 @@ public class DynamicConfiguration {
   @JsonProperty
   private DynamicDirectoryReconcilerConfiguration directoryReconciler = new DynamicDirectoryReconcilerConfiguration();
 
+  @JsonProperty
+  @Valid
+  private DynamicPushLatencyConfiguration pushLatency = new DynamicPushLatencyConfiguration(Collections.emptyMap());
+
+  @JsonProperty
+  @Valid
+  private DynamicTurnConfiguration turn = new DynamicTurnConfiguration();
+
+  @JsonProperty
+  @Valid
+  DynamicAbusiveHostRulesConfiguration abusiveHostRules = new DynamicAbusiveHostRulesConfiguration();
+
+  @JsonProperty
+  @Valid
+  DynamicMessagePersisterConfiguration messagePersister = new DynamicMessagePersisterConfiguration();
+
+  @JsonProperty
+  @Valid
+  DynamicPushNotificationConfiguration pushNotifications = new DynamicPushNotificationConfiguration();
+
   public Optional<DynamicExperimentEnrollmentConfiguration> getExperimentEnrollmentConfiguration(
       final String experimentName) {
     return Optional.ofNullable(experiments.get(experimentName));
@@ -69,18 +82,10 @@ public class DynamicConfiguration {
     return remoteDeprecation;
   }
 
-  public DynamicMessageRateConfiguration getMessageRateConfiguration() {
-    return messageRate;
-  }
-
   public DynamicPaymentsConfiguration getPaymentsConfiguration() {
     return payments;
   }
 
-  public Set<String> getActiveFeatureFlags() {
-    return featureFlags;
-  }
-
   public DynamicTwilioConfiguration getTwilioConfiguration() {
     return twilio;
   }
@@ -90,8 +95,8 @@ public class DynamicConfiguration {
     this.twilio = twilioConfiguration;
   }
 
-  public DynamicSignupCaptchaConfiguration getSignupCaptchaConfiguration() {
-    return signupCaptcha;
+  public DynamicCaptchaConfiguration getCaptchaConfiguration() {
+    return captcha;
   }
 
   public DynamicRateLimitChallengeConfiguration getRateLimitChallengeConfiguration() {
@@ -101,4 +106,24 @@ public class DynamicConfiguration {
   public DynamicDirectoryReconcilerConfiguration getDirectoryReconcilerConfiguration() {
     return directoryReconciler;
   }
+
+  public DynamicPushLatencyConfiguration getPushLatencyConfiguration() {
+    return pushLatency;
+  }
+
+  public DynamicTurnConfiguration getTurnConfiguration() {
+    return turn;
+  }
+
+  public DynamicAbusiveHostRulesConfiguration getAbusiveHostRules() {
+    return abusiveHostRules;
+  }
+
+  public DynamicMessagePersisterConfiguration getMessagePersisterConfiguration() {
+    return messagePersister;
+  }
+
+  public DynamicPushNotificationConfiguration getPushNotificationConfiguration() {
+    return pushNotifications;
+  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/dynamic/DynamicMessagePersisterConfiguration.java

@@ -0,0 +1,18 @@
+/*
+ * Copyright 2022 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration.dynamic;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+public class DynamicMessagePersisterConfiguration {
+
+  @JsonProperty
+  private boolean persistenceEnabled = true;
+
+  public boolean isPersistenceEnabled() {
+    return persistenceEnabled;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/dynamic/DynamicMessageRateConfiguration.java

@@ -1,18 +0,0 @@
-/*
- * Copyright 2021 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.configuration.dynamic;
-
-import com.fasterxml.jackson.annotation.JsonProperty;
-
-public class DynamicMessageRateConfiguration {
-
-  @JsonProperty
-  private boolean enforceUnsealedSenderRateLimit = false;
-
-  public boolean isEnforceUnsealedSenderRateLimit() {
-    return enforceUnsealedSenderRateLimit;
-  }
-}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/dynamic/DynamicPaymentsConfiguration.java

@@ -7,14 +7,14 @@ package org.whispersystems.textsecuregcm.configuration.dynamic;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
 import java.util.Collections;
-import java.util.Set;
+import java.util.List;
 
 public class DynamicPaymentsConfiguration {
 
   @JsonProperty
-  private Set<String> allowedCountryCodes = Collections.emptySet();
+  private List<String> disallowedPrefixes = Collections.emptyList();
 
-  public Set<String> getAllowedCountryCodes() {
-    return allowedCountryCodes;
+  public List<String> getDisallowedPrefixes() {
+    return disallowedPrefixes;
   }
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/dynamic/DynamicPushLatencyConfiguration.java

@@ -0,0 +1,27 @@
+/*
+ * Copyright 2013-2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration.dynamic;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.vdurmont.semver4j.Semver;
+import org.whispersystems.textsecuregcm.util.ua.ClientPlatform;
+import java.util.Map;
+import java.util.Set;
+
+public class DynamicPushLatencyConfiguration {
+
+  private final Map<ClientPlatform, Set<Semver>> instrumentedVersions;
+
+  @JsonCreator
+  public DynamicPushLatencyConfiguration(@JsonProperty("instrumentedVersions") final Map<ClientPlatform, Set<Semver>> instrumentedVersions) {
+    this.instrumentedVersions = instrumentedVersions;
+  }
+
+  public Map<ClientPlatform, Set<Semver>> getInstrumentedVersions() {
+    return instrumentedVersions;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/dynamic/DynamicPushNotificationConfiguration.java

@@ -0,0 +1,18 @@
+/*
+ * Copyright 2013-2022 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration.dynamic;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+public class DynamicPushNotificationConfiguration {
+
+  @JsonProperty
+  private boolean lowUrgencyEnabled = false;
+
+  public boolean isLowUrgencyEnabled() {
+    return lowUrgencyEnabled;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/dynamic/DynamicRateLimitChallengeConfiguration.java

@@ -11,12 +11,6 @@ import javax.validation.constraints.NotNull;
 
 public class DynamicRateLimitChallengeConfiguration {
 
-  @JsonProperty
-  private boolean preKeyLimitEnforced = false;
-
-  @JsonProperty
-  boolean unsealedSenderLimitEnforced = false;
-
   @JsonProperty
   @NotNull
   private Map<ClientPlatform, Semver> clientSupportedVersions = Collections.emptyMap();
@@ -29,12 +23,4 @@ public class DynamicRateLimitChallengeConfiguration {
   public Optional<Semver> getMinimumSupportedVersion(final ClientPlatform platform) {
     return Optional.ofNullable(clientSupportedVersions.get(platform));
   }
-
-  public boolean isPreKeyLimitEnforced() {
-    return preKeyLimitEnforced;
-  }
-
-  public boolean isUnsealedSenderLimitEnforced() {
-    return unsealedSenderLimitEnforced;
-  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/dynamic/DynamicRateLimitsConfiguration.java

@@ -1,24 +1,10 @@
 package org.whispersystems.textsecuregcm.configuration.dynamic;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
-import org.whispersystems.textsecuregcm.configuration.RateLimitsConfiguration.CardinalityRateLimitConfiguration;
 import org.whispersystems.textsecuregcm.configuration.RateLimitsConfiguration.RateLimitConfiguration;
-import java.time.Duration;
 
 public class DynamicRateLimitsConfiguration {
 
-  @JsonProperty
-  private CardinalityRateLimitConfiguration unsealedSenderNumber = new CardinalityRateLimitConfiguration(100, Duration.ofDays(1));
-
-  @JsonProperty
-  private int unsealedSenderDefaultCardinalityLimit = 100;
-
-  @JsonProperty
-  private int unsealedSenderPermitIncrement = 50;
-
-  @JsonProperty
-  private RateLimitConfiguration unsealedSenderIp = new RateLimitConfiguration(120, 2.0 / 60);
-
   @JsonProperty
   private RateLimitConfiguration rateLimitReset = new RateLimitConfiguration(2, 2.0 / (60 * 24));
 
@@ -34,17 +20,6 @@ public class DynamicRateLimitsConfiguration {
   @JsonProperty
   private RateLimitConfiguration pushChallengeSuccess = new RateLimitConfiguration(2, 2.0 / (60 * 24));
 
-  @JsonProperty
-  private RateLimitConfiguration dailyPreKeys = new RateLimitConfiguration(50, 50.0 / (24.0 * 60));
-
-  public RateLimitConfiguration getUnsealedSenderIp() {
-    return unsealedSenderIp;
-  }
-
-  public CardinalityRateLimitConfiguration getUnsealedSenderNumber() {
-    return unsealedSenderNumber;
-  }
-
   public RateLimitConfiguration getRateLimitReset() {
     return rateLimitReset;
   }
@@ -64,16 +39,4 @@ public class DynamicRateLimitsConfiguration {
   public RateLimitConfiguration getPushChallengeSuccess() {
     return pushChallengeSuccess;
   }
-
-  public int getUnsealedSenderDefaultCardinalityLimit() {
-    return unsealedSenderDefaultCardinalityLimit;
-  }
-
-  public int getUnsealedSenderPermitIncrement() {
-    return unsealedSenderPermitIncrement;
-  }
-
-  public RateLimitConfiguration getDailyPreKeys() {
-    return dailyPreKeys;
-  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/dynamic/DynamicSignupCaptchaConfiguration.java

@@ -1,23 +0,0 @@
-package org.whispersystems.textsecuregcm.configuration.dynamic;
-
-import com.fasterxml.jackson.annotation.JsonProperty;
-import com.google.common.annotations.VisibleForTesting;
-import java.util.Collections;
-import java.util.Set;
-import javax.validation.constraints.NotNull;
-
-public class DynamicSignupCaptchaConfiguration {
-
-  @JsonProperty
-  @NotNull
-  private Set<String> countryCodes = Collections.emptySet();
-
-  public Set<String> getCountryCodes() {
-    return countryCodes;
-  }
-
-  @VisibleForTesting
-  public void setCountryCodes(Set<String> numbers) {
-    this.countryCodes = numbers;
-  }
-}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/dynamic/DynamicTurnConfiguration.java

@@ -0,0 +1,29 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration.dynamic;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import java.util.Collections;
+import java.util.List;
+import javax.validation.Valid;
+import org.whispersystems.textsecuregcm.configuration.TurnUriConfiguration;
+
+public class DynamicTurnConfiguration {
+
+  @JsonProperty
+  private String secret;
+
+  @JsonProperty
+  private List<@Valid TurnUriConfiguration> uriConfigs = Collections.emptyList();
+
+  public List<TurnUriConfiguration> getUriConfigs() {
+    return uriConfigs;
+  }
+
+  public String getSecret() {
+    return secret;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/controllers/AccountController.java

@@ -14,21 +14,28 @@ import com.google.common.annotations.VisibleForTesting;
 import io.dropwizard.auth.Auth;
 import io.micrometer.core.instrument.Metrics;
 import io.micrometer.core.instrument.Tag;
+import io.micrometer.core.instrument.Tags;
 import java.security.SecureRandom;
-import java.time.Instant;
+import java.time.Duration;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Optional;
+import java.util.UUID;
 import java.util.concurrent.CompletableFuture;
-import java.util.concurrent.TimeUnit;
 import javax.annotation.Nullable;
+import javax.servlet.http.HttpServletRequest;
 import javax.validation.Valid;
+import javax.validation.constraints.NotNull;
+import javax.ws.rs.BadRequestException;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.DELETE;
+import javax.ws.rs.DefaultValue;
+import javax.ws.rs.ForbiddenException;
 import javax.ws.rs.GET;
+import javax.ws.rs.HEAD;
 import javax.ws.rs.HeaderParam;
 import javax.ws.rs.PUT;
 import javax.ws.rs.Path;
@@ -36,8 +43,11 @@ import javax.ws.rs.PathParam;
 import javax.ws.rs.Produces;
 import javax.ws.rs.QueryParam;
 import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
+import javax.ws.rs.core.Response.Status;
+import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.whispersystems.textsecuregcm.auth.AuthenticatedAccount;
@@ -51,38 +61,43 @@ import org.whispersystems.textsecuregcm.auth.StoredRegistrationLock;
 import org.whispersystems.textsecuregcm.auth.StoredVerificationCode;
 import org.whispersystems.textsecuregcm.auth.TurnToken;
 import org.whispersystems.textsecuregcm.auth.TurnTokenGenerator;
+import org.whispersystems.textsecuregcm.configuration.dynamic.DynamicCaptchaConfiguration;
 import org.whispersystems.textsecuregcm.configuration.dynamic.DynamicConfiguration;
-import org.whispersystems.textsecuregcm.configuration.dynamic.DynamicSignupCaptchaConfiguration;
 import org.whispersystems.textsecuregcm.entities.AccountAttributes;
-import org.whispersystems.textsecuregcm.entities.AccountCreationResult;
+import org.whispersystems.textsecuregcm.entities.AccountIdentifierResponse;
+import org.whispersystems.textsecuregcm.entities.AccountIdentityResponse;
 import org.whispersystems.textsecuregcm.entities.ApnRegistrationId;
 import org.whispersystems.textsecuregcm.entities.ChangePhoneNumberRequest;
 import org.whispersystems.textsecuregcm.entities.DeviceName;
 import org.whispersystems.textsecuregcm.entities.GcmRegistrationId;
+import org.whispersystems.textsecuregcm.entities.MismatchedDevices;
 import org.whispersystems.textsecuregcm.entities.RegistrationLock;
 import org.whispersystems.textsecuregcm.entities.RegistrationLockFailure;
+import org.whispersystems.textsecuregcm.entities.StaleDevices;
+import org.whispersystems.textsecuregcm.entities.UsernameRequest;
+import org.whispersystems.textsecuregcm.entities.UsernameResponse;
+import org.whispersystems.textsecuregcm.limits.RateLimiter;
 import org.whispersystems.textsecuregcm.limits.RateLimiters;
 import org.whispersystems.textsecuregcm.metrics.UserAgentTagUtil;
-import org.whispersystems.textsecuregcm.push.APNSender;
-import org.whispersystems.textsecuregcm.push.ApnMessage;
-import org.whispersystems.textsecuregcm.push.GCMSender;
-import org.whispersystems.textsecuregcm.push.GcmMessage;
+import org.whispersystems.textsecuregcm.push.PushNotification;
+import org.whispersystems.textsecuregcm.push.PushNotificationManager;
 import org.whispersystems.textsecuregcm.recaptcha.RecaptchaClient;
 import org.whispersystems.textsecuregcm.sms.SmsSender;
 import org.whispersystems.textsecuregcm.sms.TwilioVerifyExperimentEnrollmentManager;
-import org.whispersystems.textsecuregcm.storage.AbusiveHostRule;
 import org.whispersystems.textsecuregcm.storage.AbusiveHostRules;
 import org.whispersystems.textsecuregcm.storage.Account;
 import org.whispersystems.textsecuregcm.storage.AccountsManager;
+import org.whispersystems.textsecuregcm.storage.ChangeNumberManager;
 import org.whispersystems.textsecuregcm.storage.Device;
 import org.whispersystems.textsecuregcm.storage.DynamicConfigurationManager;
 import org.whispersystems.textsecuregcm.storage.StoredVerificationCodeManager;
-import org.whispersystems.textsecuregcm.storage.UsernamesManager;
+import org.whispersystems.textsecuregcm.storage.UsernameNotAvailableException;
 import org.whispersystems.textsecuregcm.util.Constants;
 import org.whispersystems.textsecuregcm.util.ForwardedIpUtil;
 import org.whispersystems.textsecuregcm.util.Hex;
 import org.whispersystems.textsecuregcm.util.ImpossiblePhoneNumberException;
 import org.whispersystems.textsecuregcm.util.NonNormalizedPhoneNumberException;
+import org.whispersystems.textsecuregcm.util.UsernameGenerator;
 import org.whispersystems.textsecuregcm.util.Util;
 import org.whispersystems.textsecuregcm.util.VerificationCode;
 
@@ -90,32 +105,36 @@ import org.whispersystems.textsecuregcm.util.VerificationCode;
 @Path("/v1/accounts")
 public class AccountController {
 
-  private final Logger         logger                 = LoggerFactory.getLogger(AccountController.class);
-  private final MetricRegistry metricRegistry         = SharedMetricRegistries.getOrCreate(Constants.METRICS_NAME);
-  private final Meter          blockedHostMeter       = metricRegistry.meter(name(AccountController.class, "blocked_host"       ));
-  private final Meter          filteredHostMeter      = metricRegistry.meter(name(AccountController.class, "filtered_host"      ));
-  private final Meter          rateLimitedHostMeter   = metricRegistry.meter(name(AccountController.class, "rate_limited_host"  ));
-  private final Meter          rateLimitedPrefixMeter = metricRegistry.meter(name(AccountController.class, "rate_limited_prefix"));
-  private final Meter          captchaRequiredMeter   = metricRegistry.meter(name(AccountController.class, "captcha_required"   ));
-  private final Meter          captchaSuccessMeter    = metricRegistry.meter(name(AccountController.class, "captcha_success"    ));
-  private final Meter          captchaFailureMeter    = metricRegistry.meter(name(AccountController.class, "captcha_failure"    ));
+  private final Logger         logger                   = LoggerFactory.getLogger(AccountController.class);
+  private final MetricRegistry metricRegistry           = SharedMetricRegistries.getOrCreate(Constants.METRICS_NAME);
+  private final Meter          blockedHostMeter         = metricRegistry.meter(name(AccountController.class, "blocked_host"             ));
+  private final Meter          countryFilterApplicable  = metricRegistry.meter(name(AccountController.class, "country_filter_applicable"));
+  private final Meter          countryFilteredHostMeter = metricRegistry.meter(name(AccountController.class, "country_limited_host"     ));
+  private final Meter          rateLimitedHostMeter     = metricRegistry.meter(name(AccountController.class, "rate_limited_host"        ));
+  private final Meter          rateLimitedPrefixMeter   = metricRegistry.meter(name(AccountController.class, "rate_limited_prefix"      ));
+  private final Meter          captchaRequiredMeter     = metricRegistry.meter(name(AccountController.class, "captcha_required"         ));
 
   private static final String PUSH_CHALLENGE_COUNTER_NAME = name(AccountController.class, "pushChallenge");
   private static final String ACCOUNT_CREATE_COUNTER_NAME = name(AccountController.class, "create");
   private static final String ACCOUNT_VERIFY_COUNTER_NAME = name(AccountController.class, "verify");
+  private static final String CAPTCHA_ATTEMPT_COUNTER_NAME = name(AccountController.class, "captcha");
+  private static final String CHALLENGE_ISSUED_COUNTER_NAME = name(AccountController.class, "challengeIssued");
 
   private static final String TWILIO_VERIFY_ERROR_COUNTER_NAME = name(AccountController.class, "twilioVerifyError");
 
+  private static final String INVALID_ACCEPT_LANGUAGE_COUNTER_NAME = name(AccountController.class, "invalidAcceptLanguage");
+  private static final String NONSTANDARD_USERNAME_COUNTER_NAME = name(AccountController.class, "nonStandardUsername");
+
   private static final String CHALLENGE_PRESENT_TAG_NAME = "present";
   private static final String CHALLENGE_MATCH_TAG_NAME = "matches";
   private static final String COUNTRY_CODE_TAG_NAME = "countryCode";
-  private static final String VERFICATION_TRANSPORT_TAG_NAME = "transport";
+  private static final String VERIFICATION_TRANSPORT_TAG_NAME = "transport";
 
   private static final String VERIFY_EXPERIMENT_TAG_NAME = "twilioVerify";
 
+
   private final StoredVerificationCodeManager      pendingAccounts;
   private final AccountsManager                    accounts;
-  private final UsernamesManager                   usernames;
   private final AbusiveHostRules                   abusiveHostRules;
   private final RateLimiters                       rateLimiters;
   private final SmsSender                          smsSender;
@@ -123,15 +142,14 @@ public class AccountController {
   private final TurnTokenGenerator                 turnTokenGenerator;
   private final Map<String, Integer>               testDevices;
   private final RecaptchaClient recaptchaClient;
-  private final GCMSender                          gcmSender;
-  private final APNSender                          apnSender;
+  private final PushNotificationManager            pushNotificationManager;
   private final ExternalServiceCredentialGenerator backupServiceCredentialGenerator;
 
   private final TwilioVerifyExperimentEnrollmentManager verifyExperimentEnrollmentManager;
+  private final ChangeNumberManager changeNumberManager;
 
   public AccountController(StoredVerificationCodeManager pendingAccounts,
                            AccountsManager accounts,
-                           UsernamesManager usernames,
                            AbusiveHostRules abusiveHostRules,
                            RateLimiters rateLimiters,
                            SmsSender smsSenderFactory,
@@ -139,14 +157,13 @@ public class AccountController {
                            TurnTokenGenerator turnTokenGenerator,
                            Map<String, Integer> testDevices,
                            RecaptchaClient recaptchaClient,
-                           GCMSender gcmSender,
-                           APNSender apnSender,
-                           ExternalServiceCredentialGenerator backupServiceCredentialGenerator,
-                           TwilioVerifyExperimentEnrollmentManager verifyExperimentEnrollmentManager)
+                           PushNotificationManager pushNotificationManager,
+                           TwilioVerifyExperimentEnrollmentManager verifyExperimentEnrollmentManager,
+                           ChangeNumberManager changeNumberManager,
+                           ExternalServiceCredentialGenerator backupServiceCredentialGenerator)
   {
     this.pendingAccounts                   = pendingAccounts;
     this.accounts                          = accounts;
-    this.usernames                         = usernames;
     this.abusiveHostRules                  = abusiveHostRules;
     this.rateLimiters                      = rateLimiters;
     this.smsSender                         = smsSenderFactory;
@@ -154,25 +171,27 @@ public class AccountController {
     this.testDevices                       = testDevices;
     this.turnTokenGenerator                = turnTokenGenerator;
     this.recaptchaClient = recaptchaClient;
-    this.gcmSender                         = gcmSender;
-    this.apnSender                         = apnSender;
-    this.backupServiceCredentialGenerator  = backupServiceCredentialGenerator;
+    this.pushNotificationManager           = pushNotificationManager;
     this.verifyExperimentEnrollmentManager = verifyExperimentEnrollmentManager;
+    this.backupServiceCredentialGenerator = backupServiceCredentialGenerator;
+    this.changeNumberManager = changeNumberManager;
   }
 
   @Timed
   @GET
   @Path("/{type}/preauth/{token}/{number}")
   @Produces(MediaType.APPLICATION_JSON)
-  public Response getPreAuth(@PathParam("type")   String pushType,
-                             @PathParam("token")  String pushToken,
+  public Response getPreAuth(@PathParam("type") String pushType,
+                             @PathParam("token") String pushToken,
                              @PathParam("number") String number,
-                             @QueryParam("voip")  Optional<Boolean> useVoip)
+                             @QueryParam("voip") @DefaultValue("true") boolean useVoip)
       throws ImpossiblePhoneNumberException, NonNormalizedPhoneNumberException {
 
-    if (!"apn".equals(pushType) && !"fcm".equals(pushType)) {
-      return Response.status(400).build();
-    }
+    final PushNotification.TokenType tokenType = switch(pushType) {
+      case "apn" -> useVoip ? PushNotification.TokenType.APN_VOIP : PushNotification.TokenType.APN;
+      case "fcm" -> PushNotification.TokenType.FCM;
+      default -> throw new BadRequestException();
+    };
 
     Util.requireNormalizedNumber(number);
 
@@ -183,14 +202,7 @@ public class AccountController {
                                                                                null);
 
     pendingAccounts.store(number, storedVerificationCode);
-
-    if ("fcm".equals(pushType)) {
-      gcmSender.sendMessage(new GcmMessage(pushToken, null, 0, GcmMessage.Type.CHALLENGE, Optional.of(storedVerificationCode.getPushCode())));
-    } else if ("apn".equals(pushType)) {
-      apnSender.sendMessage(new ApnMessage(pushToken, null, 0, useVoip.orElse(true), ApnMessage.Type.CHALLENGE, Optional.of(storedVerificationCode.getPushCode())));
-    } else {
-      throw new AssertionError();
-    }
+    pushNotificationManager.sendRegistrationChallengeNotification(pushToken, tokenType, storedVerificationCode.getPushCode());
 
     return Response.ok().build();
   }
@@ -207,44 +219,40 @@ public class AccountController {
                                 @QueryParam("client")           Optional<String> client,
                                 @QueryParam("captcha")          Optional<String> captcha,
                                 @QueryParam("challenge")        Optional<String> pushChallenge)
-      throws RateLimitExceededException, RetryLaterException, ImpossiblePhoneNumberException, NonNormalizedPhoneNumberException {
+      throws RateLimitExceededException, ImpossiblePhoneNumberException, NonNormalizedPhoneNumberException {
 
     Util.requireNormalizedNumber(number);
 
     String sourceHost = ForwardedIpUtil.getMostRecentProxy(forwardedFor).orElseThrow();
 
     Optional<StoredVerificationCode> storedChallenge = pendingAccounts.getCodeForNumber(number);
-    CaptchaRequirement               requirement     = requiresCaptcha(number, transport, forwardedFor, sourceHost, captcha, storedChallenge, pushChallenge);
+    CaptchaRequirement requirement = requiresCaptcha(number, transport, forwardedFor, sourceHost, captcha,
+        storedChallenge, pushChallenge, userAgent);
 
     if (requirement.isCaptchaRequired()) {
       captchaRequiredMeter.mark();
 
+      final Tags tags = Tags.of(
+          UserAgentTagUtil.getPlatformTag(userAgent),
+          Tag.of(COUNTRY_CODE_TAG_NAME, Util.getCountryCode(number)));
+
+      Metrics.counter(CHALLENGE_ISSUED_COUNTER_NAME, tags).increment();
+
       if (requirement.isAutoBlock() && shouldAutoBlock(sourceHost)) {
         logger.info("Auto-block: {}", sourceHost);
-        abusiveHostRules.setBlockedHost(sourceHost, "Auto-Block");
+        abusiveHostRules.setBlockedHost(sourceHost);
       }
 
       return Response.status(402).build();
     }
 
-    try {
-      switch (transport) {
-        case "sms":
-          rateLimiters.getSmsDestinationLimiter().validate(number);
-          break;
-        case "voice":
-          rateLimiters.getVoiceDestinationLimiter().validate(number);
-          rateLimiters.getVoiceDestinationDailyLimiter().validate(number);
-          break;
-        default:
-          throw new WebApplicationException(Response.status(422).build());
-      }
-    } catch (RateLimitExceededException e) {
-      if (!e.getRetryDuration().isNegative()) {
-        throw new RetryLaterException(e);
-      } else {
-        throw e;
+    switch (transport) {
+      case "sms" -> rateLimiters.getSmsDestinationLimiter().validate(number);
+      case "voice" -> {
+        rateLimiters.getVoiceDestinationLimiter().validate(number);
+        rateLimiters.getVoiceDestinationDailyLimiter().validate(number);
       }
+      default -> throw new WebApplicationException(Response.status(422).build());
     }
 
     VerificationCode       verificationCode       = generateVerificationCode(number);
@@ -255,12 +263,17 @@ public class AccountController {
 
     pendingAccounts.store(number, storedVerificationCode);
 
-    final List<Locale.LanguageRange> languageRanges;
-
+    List<Locale.LanguageRange> languageRanges;
     try {
       languageRanges = acceptLanguage.map(Locale.LanguageRange::parse).orElse(Collections.emptyList());
     } catch (final IllegalArgumentException e) {
-      return Response.status(400).build();
+      logger.debug("Could not get acceptable languages; Accept-Language: {}; User-Agent: {}",
+          acceptLanguage.orElse(""),
+          userAgent,
+          e);
+
+      Metrics.counter(INVALID_ACCEPT_LANGUAGE_COUNTER_NAME, Tags.of(UserAgentTagUtil.getPlatformTag(userAgent))).increment();
+      languageRanges = Collections.emptyList();
     }
 
     final boolean enrolledInVerifyExperiment = verifyExperimentEnrollmentManager.isEnrolled(client, number, languageRanges, transport);
@@ -313,7 +326,7 @@ public class AccountController {
     {
       final List<Tag> tags = new ArrayList<>();
       tags.add(Tag.of(COUNTRY_CODE_TAG_NAME, Util.getCountryCode(number)));
-      tags.add(Tag.of(VERFICATION_TRANSPORT_TAG_NAME, transport));
+      tags.add(Tag.of(VERIFICATION_TRANSPORT_TAG_NAME, transport));
       tags.add(UserAgentTagUtil.getPlatformTag(userAgent));
       tags.add(Tag.of(VERIFY_EXPERIMENT_TAG_NAME, String.valueOf(enrolledInVerifyExperiment)));
 
@@ -328,12 +341,12 @@ public class AccountController {
   @Consumes(MediaType.APPLICATION_JSON)
   @Produces(MediaType.APPLICATION_JSON)
   @Path("/code/{verification_code}")
-  public AccountCreationResult verifyAccount(@PathParam("verification_code") String verificationCode,
+  public AccountIdentityResponse verifyAccount(@PathParam("verification_code") String verificationCode,
                                              @HeaderParam("Authorization") BasicAuthorizationHeader authorizationHeader,
                                              @HeaderParam("X-Signal-Agent") String signalAgent,
                                              @HeaderParam("User-Agent") String userAgent,
                                              @QueryParam("transfer") Optional<Boolean> availableForTransfer,
-                                             @Valid AccountAttributes accountAttributes)
+                                             @NotNull @Valid AccountAttributes accountAttributes)
       throws RateLimitExceededException, InterruptedException {
 
     String number = authorizationHeader.getUsername();
@@ -351,9 +364,10 @@ public class AccountController {
     }
 
     storedVerificationCode.flatMap(StoredVerificationCode::getTwilioVerificationSid)
-        .ifPresent(smsSender::reportVerificationSucceeded);
+        .ifPresent(
+            verificationSid -> smsSender.reportVerificationSucceeded(verificationSid, userAgent, "registration"));
 
-    Optional<Account> existingAccount = accounts.get(number);
+    Optional<Account> existingAccount = accounts.getByE164(number);
 
     if (existingAccount.isPresent()) {
       verifyRegistrationLock(existingAccount.get(), accountAttributes.getRegistrationLock());
@@ -377,50 +391,86 @@ public class AccountController {
       tags.add(Tag.of(VERIFY_EXPERIMENT_TAG_NAME, String.valueOf(storedVerificationCode.get().getTwilioVerificationSid().isPresent())));
 
       Metrics.counter(ACCOUNT_VERIFY_COUNTER_NAME, tags).increment();
-
-      Metrics.timer(name(AccountController.class, "verifyDuration"), tags)
-          .record(Instant.now().toEpochMilli() - storedVerificationCode.get().getTimestamp(), TimeUnit.MILLISECONDS);
     }
 
-    return new AccountCreationResult(account.getUuid(), account.getNumber(), existingAccount.map(Account::isStorageSupported).orElse(false));
+    return new AccountIdentityResponse(account.getUuid(),
+        account.getNumber(),
+        account.getPhoneNumberIdentifier(),
+        account.getUsername().orElse(null),
+        existingAccount.map(Account::isStorageSupported).orElse(false));
   }
 
   @Timed
   @PUT
   @Path("/number")
   @Produces(MediaType.APPLICATION_JSON)
-  public void changeNumber(@Auth final AuthenticatedAccount authenticatedAccount, @Valid final ChangePhoneNumberRequest request)
+  public AccountIdentityResponse changeNumber(@Auth final AuthenticatedAccount authenticatedAccount,
+      @NotNull @Valid final ChangePhoneNumberRequest request,
+      @HeaderParam("User-Agent") String userAgent)
       throws RateLimitExceededException, InterruptedException, ImpossiblePhoneNumberException, NonNormalizedPhoneNumberException {
 
-    if (request.getNumber().equals(authenticatedAccount.getAccount().getNumber())) {
-      // This may be a request that got repeated due to poor network conditions or other client error; take no action,
-      // but report success since the account is in the desired state
-      return;
+    if (!authenticatedAccount.getAuthenticatedDevice().isMaster()) {
+      throw new ForbiddenException();
     }
 
-    Util.requireNormalizedNumber(request.getNumber());
+    final String number = request.number();
 
-    rateLimiters.getVerifyLimiter().validate(request.getNumber());
+    // Only "bill" for rate limiting if we think there's a change to be made...
+    if (!authenticatedAccount.getAccount().getNumber().equals(number)) {
+      Util.requireNormalizedNumber(number);
 
-    final Optional<StoredVerificationCode> storedVerificationCode =
-        pendingAccounts.getCodeForNumber(request.getNumber());
+      rateLimiters.getVerifyLimiter().validate(number);
 
-    if (storedVerificationCode.isEmpty() || !storedVerificationCode.get().isValid(request.getCode())) {
-      throw new WebApplicationException(Response.status(403).build());
+      final Optional<StoredVerificationCode> storedVerificationCode =
+          pendingAccounts.getCodeForNumber(number);
+
+      if (storedVerificationCode.isEmpty() || !storedVerificationCode.get().isValid(request.code())) {
+        throw new ForbiddenException();
+      }
+
+      storedVerificationCode.flatMap(StoredVerificationCode::getTwilioVerificationSid)
+          .ifPresent(
+              verificationSid -> smsSender.reportVerificationSucceeded(verificationSid, userAgent, "changeNumber"));
+
+      final Optional<Account> existingAccount = accounts.getByE164(number);
+
+      if (existingAccount.isPresent()) {
+        verifyRegistrationLock(existingAccount.get(), request.registrationLock());
+      }
+
+      rateLimiters.getVerifyLimiter().clear(number);
     }
 
-    storedVerificationCode.flatMap(StoredVerificationCode::getTwilioVerificationSid)
-        .ifPresent(smsSender::reportVerificationSucceeded);
+    // ...but always attempt to make the change in case a client retries and needs to re-send messages
+    try {
+      final Account updatedAccount = changeNumberManager.changeNumber(
+          authenticatedAccount.getAccount(),
+          request.number(),
+          request.pniIdentityKey(),
+          request.devicePniSignedPrekeys(),
+          request.deviceMessages(),
+          request.pniRegistrationIds());
 
-    final Optional<Account> existingAccount = accounts.get(request.getNumber());
-
-    if (existingAccount.isPresent()) {
-      verifyRegistrationLock(existingAccount.get(), request.getRegistrationLock());
+      return new AccountIdentityResponse(
+          updatedAccount.getUuid(),
+          updatedAccount.getNumber(),
+          updatedAccount.getPhoneNumberIdentifier(),
+          updatedAccount.getUsername().orElse(null),
+          updatedAccount.isStorageSupported());
+    } catch (MismatchedDevicesException e) {
+      throw new WebApplicationException(Response.status(409)
+          .type(MediaType.APPLICATION_JSON_TYPE)
+          .entity(new MismatchedDevices(e.getMissingDevices(),
+              e.getExtraDevices()))
+          .build());
+    } catch (StaleDevicesException e) {
+      throw new WebApplicationException(Response.status(410)
+          .type(MediaType.APPLICATION_JSON)
+          .entity(new StaleDevices(e.getStaleDevices()))
+          .build());
+    } catch (IllegalArgumentException e) {
+      throw new BadRequestException(e);
     }
-
-    rateLimiters.getVerifyLimiter().clear(request.getNumber());
-
-    accounts.changeNumber(authenticatedAccount.getAccount(), request.getNumber());
   }
 
   @Timed
@@ -429,7 +479,7 @@ public class AccountController {
   @Produces(MediaType.APPLICATION_JSON)
   public TurnToken getTurnToken(@Auth AuthenticatedAccount auth) throws RateLimitExceededException {
     rateLimiters.getTurnLimiter().validate(auth.getAccount().getUuid());
-    return turnTokenGenerator.generate();
+    return turnTokenGenerator.generate(auth.getAccount().getNumber());
   }
 
   @Timed
@@ -438,7 +488,7 @@ public class AccountController {
   @Consumes(MediaType.APPLICATION_JSON)
   @ChangesDeviceEnabledState
   public void setGcmRegistrationId(@Auth DisabledPermittedAuthenticatedAccount disabledPermittedAuth,
-      @Valid GcmRegistrationId registrationId) {
+      @NotNull @Valid GcmRegistrationId registrationId) {
     Account account = disabledPermittedAuth.getAccount();
     Device device = disabledPermittedAuth.getAuthenticatedDevice();
 
@@ -476,7 +526,7 @@ public class AccountController {
   @Consumes(MediaType.APPLICATION_JSON)
   @ChangesDeviceEnabledState
   public void setApnRegistrationId(@Auth DisabledPermittedAuthenticatedAccount disabledPermittedAuth,
-      @Valid ApnRegistrationId registrationId) {
+      @NotNull @Valid ApnRegistrationId registrationId) {
     Account account = disabledPermittedAuth.getAccount();
     Device device = disabledPermittedAuth.getAuthenticatedDevice();
 
@@ -511,7 +561,7 @@ public class AccountController {
   @PUT
   @Produces(MediaType.APPLICATION_JSON)
   @Path("/registration_lock")
-  public void setRegistrationLock(@Auth AuthenticatedAccount auth, @Valid RegistrationLock accountLock) {
+  public void setRegistrationLock(@Auth AuthenticatedAccount auth, @NotNull @Valid RegistrationLock accountLock) {
     AuthenticationCredentials credentials = new AuthenticationCredentials(accountLock.getRegistrationLock());
 
     accounts.update(auth.getAccount(),
@@ -528,7 +578,7 @@ public class AccountController {
   @Timed
   @PUT
   @Path("/name/")
-  public void setName(@Auth DisabledPermittedAuthenticatedAccount disabledPermittedAuth, @Valid DeviceName deviceName) {
+  public void setName(@Auth DisabledPermittedAuthenticatedAccount disabledPermittedAuth, @NotNull @Valid DeviceName deviceName) {
     Account account = disabledPermittedAuth.getAccount();
     Device device = disabledPermittedAuth.getAuthenticatedDevice();
     accounts.updateDevice(account, device.getId(), d -> d.setName(deviceName.getDeviceName()));
@@ -544,18 +594,14 @@ public class AccountController {
   @PUT
   @Path("/attributes/")
   @Consumes(MediaType.APPLICATION_JSON)
+  @Produces(MediaType.APPLICATION_JSON)
   @ChangesDeviceEnabledState
   public void setAccountAttributes(@Auth DisabledPermittedAuthenticatedAccount disabledPermittedAuth,
       @HeaderParam("X-Signal-Agent") String userAgent,
-      @Valid AccountAttributes attributes) {
+      @NotNull @Valid AccountAttributes attributes) {
     Account account = disabledPermittedAuth.getAccount();
     long deviceId = disabledPermittedAuth.getAuthenticatedDevice().getId();
 
-    // temporary: For deterministic updates during the DynamoDB migration, use a fully parameterized registration lock
-    @Nullable final AuthenticationCredentials registrationLockCredentials =
-        Util.isEmpty(attributes.getRegistrationLock()) ? null
-            : new AuthenticationCredentials(attributes.getRegistrationLock());
-
     accounts.update(account, a -> {
       a.getDevice(deviceId).ifPresent(d -> {
         d.setFetchesMessages(attributes.getFetchesMessages());
@@ -563,18 +609,11 @@ public class AccountController {
         d.setLastSeen(Util.todayInMillis());
         d.setCapabilities(attributes.getCapabilities());
         d.setRegistrationId(attributes.getRegistrationId());
+        attributes.getPhoneNumberIdentityRegistrationId().ifPresent(d::setPhoneNumberIdentityRegistrationId);
         d.setUserAgent(userAgent);
       });
 
-      // temporary: for deterministic updates during the DynamoDB migration, use a fully parameterized registration lock
-      // a.setRegistrationLockFromAttributes(attributes);
-      if (registrationLockCredentials != null) {
-        a.setRegistrationLock(registrationLockCredentials.getHashedAuthenticationToken(),
-            registrationLockCredentials.getSalt());
-      } else {
-        a.setRegistrationLock(null, null);
-      }
-
+      a.setRegistrationLockFromAttributes(attributes);
       a.setUnidentifiedAccessKey(attributes.getUnidentifiedAccessKey());
       a.setUnrestrictedUnidentifiedAccess(attributes.isUnrestrictedUnidentifiedAccess());
       a.setDiscoverableByPhoneNumber(attributes.isDiscoverableByPhoneNumber());
@@ -584,46 +623,122 @@ public class AccountController {
   @GET
   @Path("/me")
   @Produces(MediaType.APPLICATION_JSON)
-  public AccountCreationResult getMe(@Auth AuthenticatedAccount auth) {
+  public AccountIdentityResponse getMe(@Auth AuthenticatedAccount auth) {
     return whoAmI(auth);
   }
 
   @GET
   @Path("/whoami")
   @Produces(MediaType.APPLICATION_JSON)
-  public AccountCreationResult whoAmI(@Auth AuthenticatedAccount auth) {
-    return new AccountCreationResult(auth.getAccount().getUuid(), auth.getAccount().getNumber(), auth.getAccount().isStorageSupported());
+  public AccountIdentityResponse whoAmI(@Auth AuthenticatedAccount auth) {
+    return new AccountIdentityResponse(auth.getAccount().getUuid(),
+        auth.getAccount().getNumber(),
+        auth.getAccount().getPhoneNumberIdentifier(),
+        auth.getAccount().getUsername().orElse(null),
+        auth.getAccount().isStorageSupported());
   }
 
+  @Timed
   @DELETE
   @Path("/username")
   @Produces(MediaType.APPLICATION_JSON)
   public void deleteUsername(@Auth AuthenticatedAccount auth) {
-    usernames.delete(auth.getAccount().getUuid());
+    accounts.clearUsername(auth.getAccount());
   }
 
+  @Timed
   @PUT
-  @Path("/username/{username}")
+  @Path("/username")
   @Produces(MediaType.APPLICATION_JSON)
-  public Response setUsername(@Auth AuthenticatedAccount auth, @PathParam("username") String username)
-      throws RateLimitExceededException {
+  @Consumes(MediaType.APPLICATION_JSON)
+  public UsernameResponse setUsername(
+      @Auth AuthenticatedAccount auth,
+      @HeaderParam("X-Signal-Agent") String userAgent,
+      @NotNull @Valid UsernameRequest usernameRequest) throws RateLimitExceededException {
     rateLimiters.getUsernameSetLimiter().validate(auth.getAccount().getUuid());
 
-    if (username == null || username.isEmpty()) {
-      return Response.status(Response.Status.BAD_REQUEST).build();
+    if (StringUtils.isNotBlank(usernameRequest.existingUsername()) &&
+        !UsernameGenerator.isStandardFormat(usernameRequest.existingUsername())) {
+      // Technically, a username may not be in the nickname#discriminator format
+      // if created through some out-of-band mechanism, but it is atypical.
+      Metrics.counter(NONSTANDARD_USERNAME_COUNTER_NAME, Tags.of(UserAgentTagUtil.getPlatformTag(userAgent)))
+          .increment();
     }
 
-    username = username.toLowerCase();
+    try {
+      final Account account = accounts.setUsername(auth.getAccount(), usernameRequest.nickname(),
+          usernameRequest.existingUsername());
+      return account
+          .getUsername()
+          .map(UsernameResponse::new)
+          .orElseThrow(() -> new IllegalStateException("Could not get username after setting"));
+    } catch (final UsernameNotAvailableException e) {
+      throw new WebApplicationException(Status.CONFLICT);
+    }
+  }
 
-    if (!username.matches("^[a-z_][a-z0-9_]+$")) {
-      return Response.status(Response.Status.BAD_REQUEST).build();
+  @Timed
+  @GET
+  @Path("/username/{username}")
+  @Produces(MediaType.APPLICATION_JSON)
+  public AccountIdentifierResponse lookupUsername(
+      @HeaderParam("X-Signal-Agent") final String userAgent,
+      @HeaderParam("X-Forwarded-For") final String forwardedFor,
+      @PathParam("username") final String username,
+      @Context final HttpServletRequest request) throws RateLimitExceededException {
+
+    // Disallow clients from making authenticated requests to this endpoint
+    if (StringUtils.isNotBlank(request.getHeader("Authorization"))) {
+      throw new BadRequestException();
     }
 
-    if (!usernames.put(auth.getAccount().getUuid(), username)) {
-      return Response.status(Response.Status.CONFLICT).build();
+    if (!UsernameGenerator.isStandardFormat(username)) {
+      // Technically, a username may not be in the nickname#discriminator format
+      // if created through some out-of-band mechanism, but it is atypical.
+      Metrics.counter(NONSTANDARD_USERNAME_COUNTER_NAME, Tags.of(UserAgentTagUtil.getPlatformTag(userAgent)))
+          .increment();
     }
 
-    return Response.ok().build();
+    rateLimitByClientIp(rateLimiters.getUsernameLookupLimiter(), forwardedFor);
+
+    return accounts
+        .getByUsername(username)
+        .map(Account::getUuid)
+        .map(AccountIdentifierResponse::new)
+        .orElseThrow(() -> new WebApplicationException(Status.NOT_FOUND));
+  }
+
+  @HEAD
+  @Path("/account/{uuid}")
+  public Response accountExists(
+      @HeaderParam("X-Forwarded-For") final String forwardedFor,
+      @PathParam("uuid") final UUID uuid,
+      @Context HttpServletRequest request) throws RateLimitExceededException {
+
+    // Disallow clients from making authenticated requests to this endpoint
+    if (StringUtils.isNotBlank(request.getHeader("Authorization"))) {
+      throw new BadRequestException();
+    }
+    rateLimitByClientIp(rateLimiters.getCheckAccountExistenceLimiter(), forwardedFor);
+
+    final Status status = accounts.getByAccountIdentifier(uuid)
+        .or(() -> accounts.getByPhoneNumberIdentifier(uuid))
+        .isPresent() ? Status.OK : Status.NOT_FOUND;
+
+    return Response.status(status).build();
+  }
+
+  private void rateLimitByClientIp(final RateLimiter rateLimiter, final String forwardedFor) throws RateLimitExceededException {
+    final String mostRecentProxy = ForwardedIpUtil.getMostRecentProxy(forwardedFor)
+        .orElseThrow(() -> {
+          // Missing/malformed Forwarded-For, so we cannot check for a rate-limit.
+          // This shouldn't happen, so conservatively assume we're over the rate-limit
+          // and indicate that the client should retry
+          logger.error("Missing/bad Forwarded-For: {}", forwardedFor);
+          return new RateLimitExceededException(Duration.ofHours(1));
+        });
+
+    rateLimiter.validate(mostRecentProxy);
   }
 
   private void verifyRegistrationLock(final Account existingAccount, @Nullable final String clientRegistrationLock)
@@ -650,25 +765,35 @@ public class AccountController {
   }
 
   private CaptchaRequirement requiresCaptcha(String number, String transport, String forwardedFor,
-                                             String                           sourceHost,
-                                             Optional<String>                 captchaToken,
-                                             Optional<StoredVerificationCode> storedVerificationCode,
-                                             Optional<String>                 pushChallenge)
+      String sourceHost,
+      Optional<String> captchaToken,
+      Optional<StoredVerificationCode> storedVerificationCode,
+      Optional<String> pushChallenge,
+      String userAgent)
   {
+    if (testDevices.containsKey(number)) {
+      return new CaptchaRequirement(false, false);
+    }
 
+    final String countryCode = Util.getCountryCode(number);
     if (captchaToken.isPresent()) {
       boolean validToken = recaptchaClient.verify(captchaToken.get(), sourceHost);
 
+      {
+        final List<Tag> tags = new ArrayList<>();
+        tags.add(Tag.of("success", String.valueOf(validToken)));
+        tags.add(UserAgentTagUtil.getPlatformTag(userAgent));
+        tags.add(Tag.of(COUNTRY_CODE_TAG_NAME, countryCode));
+        Metrics.counter(CAPTCHA_ATTEMPT_COUNTER_NAME, tags).increment();
+      }
+
       if (validToken) {
-        captchaSuccessMeter.mark();
         return new CaptchaRequirement(false, false);
       } else {
-        captchaFailureMeter.mark();
         return new CaptchaRequirement(true, false);
       }
     }
 
-    final String countryCode = Util.getCountryCode(number);
     {
       final List<Tag> tags = new ArrayList<>();
       tags.add(Tag.of(COUNTRY_CODE_TAG_NAME, countryCode));
@@ -695,22 +820,19 @@ public class AccountController {
       }
     }
 
-    List<AbusiveHostRule> abuseRules = abusiveHostRules.getAbusiveHostRulesFor(sourceHost);
+    DynamicCaptchaConfiguration captchaConfig = dynamicConfigurationManager.getConfiguration()
+        .getCaptchaConfiguration();
+    boolean countryFiltered = captchaConfig.getSignupCountryCodes().contains(countryCode);
 
-    for (AbusiveHostRule abuseRule : abuseRules) {
-      if (abuseRule.isBlocked()) {
-        logger.info("Blocked host: {}, {}, {} ({})", transport, number, sourceHost, forwardedFor);
-        blockedHostMeter.mark();
-        return new CaptchaRequirement(true, false);
-      }
-
-      if (!abuseRule.getRegions().isEmpty()) {
-        if (abuseRule.getRegions().stream().noneMatch(number::startsWith)) {
-          logger.info("Restricted host: {}, {}, {} ({})", transport, number, sourceHost, forwardedFor);
-          filteredHostMeter.mark();
-          return new CaptchaRequirement(true, false);
-        }
+    if (abusiveHostRules.isBlocked(sourceHost)) {
+      blockedHostMeter.mark();
+      logger.info("Blocked host: {}, {}, {} ({})", transport, number, sourceHost, forwardedFor);
+      if (countryFiltered) {
+        // this host was caught in the abusiveHostRules filter, but
+        // would be caught by country filter as well
+        countryFilterApplicable.mark();
       }
+      return new CaptchaRequirement(true, false);
     }
 
     try {
@@ -729,8 +851,8 @@ public class AccountController {
       return new CaptchaRequirement(true, true);
     }
 
-    DynamicSignupCaptchaConfiguration signupCaptchaConfig = dynamicConfigurationManager.getConfiguration().getSignupCaptchaConfiguration();
-    if (signupCaptchaConfig.getCountryCodes().contains(countryCode)) {
+    if (countryFiltered) {
+      countryFilteredHostMeter.mark();
       return new CaptchaRequirement(true, false);
     }
 

service/src/main/java/org/whispersystems/textsecuregcm/controllers/AttachmentControllerV1.java

@@ -7,7 +7,6 @@ package org.whispersystems.textsecuregcm.controllers;
 import com.amazonaws.HttpMethod;
 import com.codahale.metrics.annotation.Timed;
 import io.dropwizard.auth.Auth;
-import java.io.IOException;
 import java.net.URL;
 import java.util.stream.Stream;
 import javax.ws.rs.GET;
@@ -43,18 +42,15 @@ public class AttachmentControllerV1 extends AttachmentControllerBase {
   @Timed
   @GET
   @Produces(MediaType.APPLICATION_JSON)
-  public AttachmentDescriptorV1 allocateAttachment(@Auth AuthenticatedAccount auth)
-      throws RateLimitExceededException {
-    if (auth.getAccount().isRateLimited()) {
-      rateLimiters.getAttachmentLimiter().validate(auth.getAccount().getUuid());
-    }
+  public AttachmentDescriptorV1 allocateAttachment(@Auth AuthenticatedAccount auth) throws RateLimitExceededException {
+
+    rateLimiters.getAttachmentLimiter().validate(auth.getAccount().getUuid());
 
     long attachmentId = generateAttachmentId();
     URL url = urlSigner.getPreSignedUrl(attachmentId, HttpMethod.PUT,
         Stream.of(UNACCELERATED_REGIONS).anyMatch(region -> auth.getAccount().getNumber().startsWith(region)));
 
     return new AttachmentDescriptorV1(attachmentId, url.toExternalForm());
-
   }
 
   @Timed
@@ -62,8 +58,7 @@ public class AttachmentControllerV1 extends AttachmentControllerBase {
   @Produces(MediaType.APPLICATION_JSON)
   @Path("/{attachmentId}")
   public AttachmentUri redirectToAttachment(@Auth AuthenticatedAccount auth,
-      @PathParam("attachmentId") long attachmentId)
-      throws IOException {
+      @PathParam("attachmentId") long attachmentId) {
     return new AttachmentUri(urlSigner.getPreSignedUrl(attachmentId, HttpMethod.GET,
         Stream.of(UNACCELERATED_REGIONS).anyMatch(region -> auth.getAccount().getNumber().startsWith(region))));
   }

service/src/main/java/org/whispersystems/textsecuregcm/controllers/AttachmentControllerV3.java

@@ -14,7 +14,6 @@ import java.security.spec.InvalidKeySpecException;
 import java.time.ZoneOffset;
 import java.time.ZonedDateTime;
 import java.util.Base64;
-import java.util.HashMap;
 import java.util.Map;
 import javax.annotation.Nonnull;
 import javax.ws.rs.GET;

service/src/main/java/org/whispersystems/textsecuregcm/controllers/CertificateController.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2013-2021 Signal Messenger, LLC
+ * Copyright 2013-2022 Signal Messenger, LLC
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
@@ -8,12 +8,22 @@ package org.whispersystems.textsecuregcm.controllers;
 import static com.codahale.metrics.MetricRegistry.name;
 
 import com.codahale.metrics.annotation.Timed;
+import com.google.common.annotations.VisibleForTesting;
 import io.dropwizard.auth.Auth;
 import io.micrometer.core.instrument.Metrics;
 import java.security.InvalidKeyException;
+import java.time.Clock;
+import java.time.Duration;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.ArrayList;
 import java.util.LinkedList;
 import java.util.List;
+import java.util.Objects;
 import java.util.Optional;
+import java.util.UUID;
+import javax.annotation.Nonnull;
+import javax.ws.rs.BadRequestException;
 import javax.ws.rs.GET;
 import javax.ws.rs.Path;
 import javax.ws.rs.PathParam;
@@ -22,7 +32,7 @@ import javax.ws.rs.QueryParam;
 import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
-import org.signal.zkgroup.auth.ServerZkAuthOperations;
+import org.signal.libsignal.zkgroup.auth.ServerZkAuthOperations;
 import org.whispersystems.textsecuregcm.auth.AuthenticatedAccount;
 import org.whispersystems.textsecuregcm.auth.CertificateGenerator;
 import org.whispersystems.textsecuregcm.entities.DeliveryCertificate;
@@ -33,15 +43,22 @@ import org.whispersystems.textsecuregcm.util.Util;
 @Path("/v1/certificate")
 public class CertificateController {
 
-  private final CertificateGenerator   certificateGenerator;
+  private final CertificateGenerator certificateGenerator;
   private final ServerZkAuthOperations serverZkAuthOperations;
+  private final Clock clock;
 
+  @VisibleForTesting
+  public static final Duration MAX_REDEMPTION_DURATION = Duration.ofDays(7);
   private static final String GENERATE_DELIVERY_CERTIFICATE_COUNTER_NAME = name(CertificateGenerator.class, "generateCertificate");
   private static final String INCLUDE_E164_TAG_NAME = "includeE164";
 
-  public CertificateController(CertificateGenerator certificateGenerator, ServerZkAuthOperations serverZkAuthOperations) {
-    this.certificateGenerator   = certificateGenerator;
-    this.serverZkAuthOperations = serverZkAuthOperations;
+  public CertificateController(
+      @Nonnull CertificateGenerator certificateGenerator,
+      @Nonnull ServerZkAuthOperations serverZkAuthOperations,
+      @Nonnull Clock clock) {
+    this.certificateGenerator = Objects.requireNonNull(certificateGenerator);
+    this.serverZkAuthOperations = Objects.requireNonNull(serverZkAuthOperations);
+    this.clock = Objects.requireNonNull(clock);
   }
 
   @Timed
@@ -68,29 +85,74 @@ public class CertificateController {
   @GET
   @Produces(MediaType.APPLICATION_JSON)
   @Path("/group/{startRedemptionTime}/{endRedemptionTime}")
+  @Deprecated(forRemoval = true) // Clients should now use getGroupAuthenticationCredentials instead
+  // TODO Assess readiness for removal on or after 2022-11-01
   public GroupCredentials getAuthenticationCredentials(@Auth AuthenticatedAccount auth,
       @PathParam("startRedemptionTime") int startRedemptionTime,
-      @PathParam("endRedemptionTime") int endRedemptionTime) {
+      @PathParam("endRedemptionTime") int endRedemptionTime,
+      @QueryParam("identity") Optional<String> identityType) {
     if (startRedemptionTime > endRedemptionTime) {
       throw new WebApplicationException(Response.Status.BAD_REQUEST);
     }
-    if (endRedemptionTime > Util.currentDaysSinceEpoch() + 7) {
+    final int currentDaysSinceEpoch = Util.currentDaysSinceEpoch(clock);
+    if (endRedemptionTime > currentDaysSinceEpoch + 7) {
       throw new WebApplicationException(Response.Status.BAD_REQUEST);
     }
-    if (startRedemptionTime < Util.currentDaysSinceEpoch()) {
+    if (startRedemptionTime < currentDaysSinceEpoch) {
       throw new WebApplicationException(Response.Status.BAD_REQUEST);
     }
 
     List<GroupCredentials.GroupCredential> credentials = new LinkedList<>();
 
+    final UUID identifier = identityType.map(String::toLowerCase).orElse("aci").equals("pni") ?
+        auth.getAccount().getPhoneNumberIdentifier() :
+        auth.getAccount().getUuid();
+
     for (int i = startRedemptionTime; i <= endRedemptionTime; i++) {
       credentials.add(new GroupCredentials.GroupCredential(
-          serverZkAuthOperations.issueAuthCredential(auth.getAccount().getUuid(), i)
-              .serialize(),
+          serverZkAuthOperations.issueAuthCredential(identifier, i).serialize(),
           i));
     }
 
-    return new GroupCredentials(credentials);
+    return new GroupCredentials(credentials, null);
   }
 
+  @Timed
+  @GET
+  @Produces(MediaType.APPLICATION_JSON)
+  @Path("/auth/group")
+  public GroupCredentials getGroupAuthenticationCredentials(
+      @Auth AuthenticatedAccount auth,
+      @QueryParam("redemptionStartSeconds") int startSeconds,
+      @QueryParam("redemptionEndSeconds") int endSeconds) {
+
+    final Instant startOfDay = clock.instant().truncatedTo(ChronoUnit.DAYS);
+    final Instant redemptionStart = Instant.ofEpochSecond(startSeconds);
+    final Instant redemptionEnd = Instant.ofEpochSecond(endSeconds);
+
+    if (redemptionStart.isAfter(redemptionEnd) ||
+        redemptionStart.isBefore(startOfDay) ||
+        redemptionEnd.isAfter(startOfDay.plus(MAX_REDEMPTION_DURATION)) ||
+        !redemptionStart.equals(redemptionStart.truncatedTo(ChronoUnit.DAYS)) ||
+        !redemptionEnd.equals(redemptionEnd.truncatedTo(ChronoUnit.DAYS))) {
+
+      throw new BadRequestException();
+    }
+
+    final List<GroupCredentials.GroupCredential> credentials = new ArrayList<>();
+
+    Instant redemption = redemptionStart;
+
+    UUID aci = auth.getAccount().getUuid();
+    UUID pni = auth.getAccount().getPhoneNumberIdentifier();
+    while (!redemption.isAfter(redemptionEnd)) {
+      credentials.add(new GroupCredentials.GroupCredential(
+          serverZkAuthOperations.issueAuthCredentialWithPni(aci, pni, redemption).serialize(),
+          (int) redemption.getEpochSecond()));
+
+      redemption = redemption.plus(Duration.ofDays(1));
+    }
+
+    return new GroupCredentials(credentials, pni);
+  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/controllers/ChallengeController.java

@@ -5,8 +5,12 @@
 
 package org.whispersystems.textsecuregcm.controllers;
 
+import static org.whispersystems.textsecuregcm.metrics.MetricsUtil.name;
+
 import com.codahale.metrics.annotation.Timed;
 import io.dropwizard.auth.Auth;
+import io.micrometer.core.instrument.Metrics;
+import io.micrometer.core.instrument.Tags;
 import java.util.NoSuchElementException;
 import javax.validation.Valid;
 import javax.ws.rs.Consumes;
@@ -15,6 +19,7 @@ import javax.ws.rs.POST;
 import javax.ws.rs.PUT;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
+import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 import org.whispersystems.textsecuregcm.auth.AuthenticatedAccount;
@@ -22,6 +27,7 @@ import org.whispersystems.textsecuregcm.entities.AnswerChallengeRequest;
 import org.whispersystems.textsecuregcm.entities.AnswerPushChallengeRequest;
 import org.whispersystems.textsecuregcm.entities.AnswerRecaptchaChallengeRequest;
 import org.whispersystems.textsecuregcm.limits.RateLimitChallengeManager;
+import org.whispersystems.textsecuregcm.metrics.UserAgentTagUtil;
 import org.whispersystems.textsecuregcm.push.NotPushRegisteredException;
 import org.whispersystems.textsecuregcm.util.ForwardedIpUtil;
 
@@ -30,6 +36,9 @@ public class ChallengeController {
 
   private final RateLimitChallengeManager rateLimitChallengeManager;
 
+  private static final String CHALLENGE_RESPONSE_COUNTER_NAME = name(ChallengeController.class, "challengeResponse");
+  private static final String CHALLENGE_TYPE_TAG = "type";
+
   public ChallengeController(final RateLimitChallengeManager rateLimitChallengeManager) {
     this.rateLimitChallengeManager = rateLimitChallengeManager;
   }
@@ -40,28 +49,34 @@ public class ChallengeController {
   @Consumes(MediaType.APPLICATION_JSON)
   public Response handleChallengeResponse(@Auth final AuthenticatedAccount auth,
       @Valid final AnswerChallengeRequest answerRequest,
-      @HeaderParam("X-Forwarded-For") String forwardedFor) throws RetryLaterException {
+      @HeaderParam("X-Forwarded-For") final String forwardedFor,
+      @HeaderParam(HttpHeaders.USER_AGENT) final String userAgent) throws RateLimitExceededException {
+
+    Tags tags = Tags.of(UserAgentTagUtil.getPlatformTag(userAgent));
 
     try {
-      if (answerRequest instanceof AnswerPushChallengeRequest) {
-        final AnswerPushChallengeRequest pushChallengeRequest = (AnswerPushChallengeRequest) answerRequest;
+      if (answerRequest instanceof final AnswerPushChallengeRequest pushChallengeRequest) {
+        tags = tags.and(CHALLENGE_TYPE_TAG, "push");
 
         rateLimitChallengeManager.answerPushChallenge(auth.getAccount(), pushChallengeRequest.getChallenge());
       } else if (answerRequest instanceof AnswerRecaptchaChallengeRequest) {
-        try {
+        tags = tags.and(CHALLENGE_TYPE_TAG, "recaptcha");
 
+        try {
           final AnswerRecaptchaChallengeRequest recaptchaChallengeRequest = (AnswerRecaptchaChallengeRequest) answerRequest;
           final String mostRecentProxy = ForwardedIpUtil.getMostRecentProxy(forwardedFor).orElseThrow();
 
           rateLimitChallengeManager.answerRecaptchaChallenge(auth.getAccount(), recaptchaChallengeRequest.getCaptcha(),
-              mostRecentProxy);
+              mostRecentProxy, userAgent);
 
         } catch (final NoSuchElementException e) {
           return Response.status(400).build();
         }
+      } else {
+        tags = tags.and(CHALLENGE_TYPE_TAG, "unrecognized");
       }
-    } catch (final RateLimitExceededException e) {
-      throw new RetryLaterException(e);
+    } finally {
+      Metrics.counter(CHALLENGE_RESPONSE_COUNTER_NAME, tags).increment();
     }
 
     return Response.status(200).build();

service/src/main/java/org/whispersystems/textsecuregcm/controllers/DeviceController.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2013-2021 Signal Messenger, LLC
+ * Copyright 2013-2022 Signal Messenger, LLC
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 package org.whispersystems.textsecuregcm.controllers;
@@ -13,6 +13,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import javax.validation.Valid;
+import javax.validation.constraints.NotNull;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.DELETE;
 import javax.ws.rs.GET;
@@ -41,7 +42,7 @@ import org.whispersystems.textsecuregcm.storage.Account;
 import org.whispersystems.textsecuregcm.storage.AccountsManager;
 import org.whispersystems.textsecuregcm.storage.Device;
 import org.whispersystems.textsecuregcm.storage.Device.DeviceCapabilities;
-import org.whispersystems.textsecuregcm.storage.KeysDynamoDb;
+import org.whispersystems.textsecuregcm.storage.Keys;
 import org.whispersystems.textsecuregcm.storage.MessagesManager;
 import org.whispersystems.textsecuregcm.storage.StoredVerificationCodeManager;
 import org.whispersystems.textsecuregcm.util.Util;
@@ -57,22 +58,21 @@ public class DeviceController {
   private final StoredVerificationCodeManager pendingDevices;
   private final AccountsManager       accounts;
   private final MessagesManager       messages;
-  private final KeysDynamoDb          keys;
+  private final Keys keys;
   private final RateLimiters          rateLimiters;
   private final Map<String, Integer>  maxDeviceConfiguration;
 
   public DeviceController(StoredVerificationCodeManager pendingDevices,
-                          AccountsManager accounts,
-                          MessagesManager messages,
-                          KeysDynamoDb keys,
-                          RateLimiters rateLimiters,
-                          Map<String, Integer> maxDeviceConfiguration)
-  {
-    this.pendingDevices         = pendingDevices;
-    this.accounts               = accounts;
-    this.messages               = messages;
-    this.keys                   = keys;
-    this.rateLimiters           = rateLimiters;
+      AccountsManager accounts,
+      MessagesManager messages,
+      Keys keys,
+      RateLimiters rateLimiters,
+      Map<String, Integer> maxDeviceConfiguration) {
+    this.pendingDevices = pendingDevices;
+    this.accounts = accounts;
+    this.messages = messages;
+    this.keys = keys;
+    this.rateLimiters = rateLimiters;
     this.maxDeviceConfiguration = maxDeviceConfiguration;
   }
 
@@ -150,12 +150,11 @@ public class DeviceController {
   @Path("/{verification_code}")
   @ChangesDeviceEnabledState
   public DeviceResponse verifyDeviceToken(@PathParam("verification_code") String verificationCode,
-                                          @HeaderParam("Authorization") BasicAuthorizationHeader authorizationHeader,
-                                          @HeaderParam("User-Agent") String userAgent,
-                                          @Valid AccountAttributes accountAttributes,
-                                          @Context ContainerRequest containerRequest)
-      throws RateLimitExceededException, DeviceLimitExceededException
-  {
+      @HeaderParam("Authorization") BasicAuthorizationHeader authorizationHeader,
+      @HeaderParam("User-Agent") String userAgent,
+      @NotNull @Valid AccountAttributes accountAttributes,
+      @Context ContainerRequest containerRequest)
+      throws RateLimitExceededException, DeviceLimitExceededException {
 
     String number = authorizationHeader.getUsername();
     String password = authorizationHeader.getPassword();
@@ -164,17 +163,17 @@ public class DeviceController {
 
     Optional<StoredVerificationCode> storedVerificationCode = pendingDevices.getCodeForNumber(number);
 
-    if (!storedVerificationCode.isPresent() || !storedVerificationCode.get().isValid(verificationCode)) {
+    if (storedVerificationCode.isEmpty() || !storedVerificationCode.get().isValid(verificationCode)) {
       throw new WebApplicationException(Response.status(403).build());
     }
 
-    Optional<Account> account = accounts.get(number);
+    Optional<Account> account = accounts.getByE164(number);
 
-    if (!account.isPresent()) {
+    if (account.isEmpty()) {
       throw new WebApplicationException(Response.status(403).build());
     }
 
-    // Normally, the the "do we need to refresh somebody's websockets" listener can do this on its own. In this case,
+    // Normally, the "do we need to refresh somebody's websockets" listener can do this on its own. In this case,
     // we're not using the conventional authentication system, and so we need to give it a hint so it knows who the
     // active user is and what their device states look like.
     AuthEnablementRefreshRequirementProvider.setAccount(containerRequest, account.get());
@@ -199,11 +198,12 @@ public class DeviceController {
     device.setAuthenticationCredentials(new AuthenticationCredentials(password));
     device.setFetchesMessages(accountAttributes.getFetchesMessages());
     device.setRegistrationId(accountAttributes.getRegistrationId());
+    accountAttributes.getPhoneNumberIdentityRegistrationId().ifPresent(device::setPhoneNumberIdentityRegistrationId);
     device.setLastSeen(Util.todayInMillis());
     device.setCreated(System.currentTimeMillis());
     device.setCapabilities(accountAttributes.getCapabilities());
 
-    accounts.update(account.get(), a -> {
+    final Account updatedAccount = accounts.update(account.get(), a -> {
       device.setId(a.getNextDeviceId());
       messages.clear(a.getUuid(), device.getId());
       a.addDevice(device);
@@ -211,7 +211,7 @@ public class DeviceController {
 
     pendingDevices.remove(number);
 
-    return new DeviceResponse(device.getId());
+    return new DeviceResponse(updatedAccount.getUuid(), updatedAccount.getPhoneNumberIdentifier(), device.getId());
   }
 
   @Timed
@@ -225,7 +225,7 @@ public class DeviceController {
   @Timed
   @PUT
   @Path("/capabilities")
-  public void setCapabiltities(@Auth AuthenticatedAccount auth, @Valid DeviceCapabilities capabilities) {
+  public void setCapabiltities(@Auth AuthenticatedAccount auth, @NotNull @Valid DeviceCapabilities capabilities) {
     assert (auth.getAuthenticatedDevice() != null);
     final long deviceId = auth.getAuthenticatedDevice().getId();
     accounts.updateDevice(auth.getAccount(), deviceId, d -> d.setCapabilities(capabilities));
@@ -240,10 +240,14 @@ public class DeviceController {
   private boolean isCapabilityDowngrade(Account account, DeviceCapabilities capabilities, String userAgent) {
     boolean isDowngrade = false;
 
+    // TODO stories capability
+    // isDowngrade |= account.isStoriesSupported() && !capabilities.isStories();
+    isDowngrade |= account.isPniSupported() && !capabilities.isPni();
     isDowngrade |= account.isChangeNumberSupported() && !capabilities.isChangeNumber();
     isDowngrade |= account.isAnnouncementGroupSupported() && !capabilities.isAnnouncementGroup();
     isDowngrade |= account.isSenderKeySupported() && !capabilities.isSenderKey();
     isDowngrade |= account.isGv1MigrationSupported() && !capabilities.isGv1Migration();
+    isDowngrade |= account.isGiftBadgesSupported() && !capabilities.isGiftBadges();
 
     if (account.isGroupsV2Supported()) {
       try {

service/src/main/java/org/whispersystems/textsecuregcm/controllers/DirectoryV2Controller.java

@@ -6,7 +6,6 @@ package org.whispersystems.textsecuregcm.controllers;
 
 import com.codahale.metrics.annotation.Timed;
 import io.dropwizard.auth.Auth;
-import java.util.Base64;
 import java.util.UUID;
 import javax.ws.rs.GET;
 import javax.ws.rs.Path;
@@ -16,9 +15,6 @@ import javax.ws.rs.core.Response;
 import org.whispersystems.textsecuregcm.auth.AuthenticatedAccount;
 import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentialGenerator;
 import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentials;
-import org.whispersystems.textsecuregcm.util.ByteUtil;
-import org.whispersystems.textsecuregcm.util.UUIDUtil;
-import org.whispersystems.textsecuregcm.util.Util;
 
 @Path("/v2/directory")
 public class DirectoryV2Controller {
@@ -34,16 +30,8 @@ public class DirectoryV2Controller {
   @Path("/auth")
   @Produces(MediaType.APPLICATION_JSON)
   public Response getAuthToken(@Auth AuthenticatedAccount auth) {
-
     final UUID uuid = auth.getAccount().getUuid();
-    final String e164 = auth.getAccount().getNumber();
-    final long e164AsLong = Long.parseLong(e164, e164.indexOf('+'), e164.length() - 1, 10);
-
-    final byte[] uuidAndNumber = ByteUtil.combine(UUIDUtil.toBytes(uuid), Util.longToByteArray(e164AsLong));
-    final String username = Base64.getEncoder().encodeToString(uuidAndNumber);
-
-    final ExternalServiceCredentials credentials = directoryServiceTokenGenerator.generateFor(username);
-
+    final ExternalServiceCredentials credentials = directoryServiceTokenGenerator.generateFor(uuid.toString());
     return Response.ok().entity(credentials).build();
   }
 }

service/src/main/java/org/whispersystems/textsecuregcm/controllers/DonationController.java

@@ -35,6 +35,7 @@ import java.util.concurrent.ForkJoinPool.ManagedBlocker;
 import java.util.function.Function;
 import javax.annotation.Nonnull;
 import javax.validation.Valid;
+import javax.validation.constraints.NotNull;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
@@ -42,11 +43,11 @@ import javax.ws.rs.Produces;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.Response.Status;
-import org.signal.zkgroup.InvalidInputException;
-import org.signal.zkgroup.VerificationFailedException;
-import org.signal.zkgroup.receipts.ReceiptCredentialPresentation;
-import org.signal.zkgroup.receipts.ReceiptSerial;
-import org.signal.zkgroup.receipts.ServerZkReceiptOperations;
+import org.signal.libsignal.zkgroup.InvalidInputException;
+import org.signal.libsignal.zkgroup.VerificationFailedException;
+import org.signal.libsignal.zkgroup.receipts.ReceiptCredentialPresentation;
+import org.signal.libsignal.zkgroup.receipts.ReceiptSerial;
+import org.signal.libsignal.zkgroup.receipts.ServerZkReceiptOperations;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.whispersystems.textsecuregcm.auth.AuthenticatedAccount;
@@ -124,7 +125,7 @@ public class DonationController {
   @Produces({MediaType.APPLICATION_JSON, MediaType.TEXT_PLAIN})
   public CompletionStage<Response> redeemReceipt(
       @Auth final AuthenticatedAccount auth,
-      @Valid final RedeemReceiptRequest request) {
+      @NotNull @Valid final RedeemReceiptRequest request) {
     return CompletableFuture.supplyAsync(() -> {
       ReceiptCredentialPresentation receiptCredentialPresentation;
       try {
@@ -159,7 +160,7 @@ public class DonationController {
 
             @Override
             public boolean block() {
-              final Optional<Account> optionalAccount = accountsManager.get(auth.getAccount().getUuid());
+              final Optional<Account> optionalAccount = accountsManager.getByAccountIdentifier(auth.getAccount().getUuid());
               optionalAccount.ifPresent(account -> {
                 accountsManager.update(account, a -> {
                   a.addBadge(clock, new AccountBadge(badgeId, receiptExpiration, request.isVisible()));
@@ -192,7 +193,7 @@ public class DonationController {
   @Path("/authorize-apple-pay")
   @Consumes(MediaType.APPLICATION_JSON)
   @Produces(MediaType.APPLICATION_JSON)
-  public CompletableFuture<Response> getApplePayAuthorization(@Auth AuthenticatedAccount auth, @Valid ApplePayAuthorizationRequest request) {
+  public CompletableFuture<Response> getApplePayAuthorization(@Auth AuthenticatedAccount auth, @NotNull @Valid ApplePayAuthorizationRequest request) {
     if (!supportedCurrencies.contains(request.getCurrency())) {
       return CompletableFuture.completedFuture(Response.status(422).build());
     }