Update to the latest version of the spam filter

Pass in the same information to the spam-filter, but just use explicit
method calls rather than jersey request filters.

.editorconfig

@@ -146,7 +146,7 @@ ij_java_generate_final_parameters = true
 ij_java_if_brace_force = always
 ij_java_imports_layout = $*,|,*
 ij_java_indent_case_from_switch = true
-ij_java_insert_inner_class_imports = true
+ij_java_insert_inner_class_imports = false
 ij_java_insert_override_annotation = true
 ij_java_keep_blank_lines_before_right_brace = 2
 ij_java_keep_blank_lines_between_package_declaration_and_header = 2
@@ -158,7 +158,7 @@ ij_java_keep_indents_on_empty_lines = false
 ij_java_keep_line_breaks = true
 ij_java_keep_multiple_expressions_in_one_line = false
 ij_java_keep_simple_blocks_in_one_line = false
-ij_java_keep_simple_classes_in_one_line = false
+ij_java_keep_simple_classes_in_one_line = true
 ij_java_keep_simple_lambdas_in_one_line = false
 ij_java_keep_simple_methods_in_one_line = false
 ij_java_label_indent_absolute = false
@@ -1135,7 +1135,7 @@ ij_kotlin_field_annotation_wrap = split_into_lines
 ij_kotlin_finally_on_new_line = false
 ij_kotlin_if_rparen_on_new_line = false
 ij_kotlin_import_nested_classes = false
-ij_kotlin_imports_layout = *,java.**,javax.**,kotlin.**,^
+ij_kotlin_imports_layout = *
 ij_kotlin_insert_whitespaces_in_simple_one_line_method = true
 ij_kotlin_keep_blank_lines_before_right_brace = 2
 ij_kotlin_keep_blank_lines_in_code = 2
@@ -1151,9 +1151,9 @@ ij_kotlin_method_call_chain_wrap = off
 ij_kotlin_method_parameters_new_line_after_left_paren = false
 ij_kotlin_method_parameters_right_paren_on_new_line = false
 ij_kotlin_method_parameters_wrap = off
-ij_kotlin_name_count_to_use_star_import = 5
-ij_kotlin_name_count_to_use_star_import_for_members = 3
-ij_kotlin_packages_to_use_import_on_demand = java.util.*,kotlinx.android.synthetic.**,io.ktor.**
+ij_kotlin_name_count_to_use_star_import = 999
+ij_kotlin_name_count_to_use_star_import_for_members = 999
+ij_kotlin_packages_to_use_import_on_demand =
 ij_kotlin_parameter_annotation_wrap = off
 ij_kotlin_space_after_comma = true
 ij_kotlin_space_after_extend_colon = true

.github/workflows/documentation.yml

@@ -0,0 +1,33 @@
+name: Update Documentation
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  build:
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0
+        with:
+          distribution: 'temurin'
+          java-version: '21'
+          cache: 'maven'
+      - name: Compile and Build OpenAPI file
+        run: ./mvnw compile
+      - name: Update Documentation
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          cp -r api-doc/target/openapi/signal-server-openapi.yaml /tmp/
+          git config user.email "github@signal.org"
+          git config user.name "Documentation Updater"
+          git fetch origin gh-pages
+          git checkout gh-pages
+          cp /tmp/signal-server-openapi.yaml .
+          git diff --quiet || git commit -a -m "Updating documentation"
+          git push origin gh-pages -q

.github/workflows/integration-tests.yml

@@ -0,0 +1,34 @@
+name: Integration Tests
+
+on:
+  schedule:
+    - cron: '30 19 * * MON-FRI'
+  workflow_dispatch:
+
+jobs:
+  build:
+    if: ${{ vars.INTEGRATION_TESTS_BUCKET != '' }}
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0
+        with:
+          distribution: 'temurin'
+          java-version: '21'
+          cache: 'maven'
+      - uses: aws-actions/configure-aws-credentials@v2
+        name: Configure AWS credentials from Test account
+        with:
+          role-to-assume: ${{ vars.AWS_ROLE }}
+          aws-region: ${{ vars.AWS_REGION }}
+      - name: Fetch integration utils library
+        run: |
+          mkdir -p integration-tests/.libs
+          mkdir -p integration-tests/src/main/resources
+          wget -O integration-tests/.libs/software.amazon.awssdk-sso.jar https://repo1.maven.org/maven2/software/amazon/awssdk/sso/2.19.8/sso-2.19.8.jar
+          aws s3 cp "s3://${{ vars.INTEGRATION_TESTS_BUCKET }}/config-latest.yml" integration-tests/src/main/resources/config.yml
+      - name: Run and verify integration tests
+        run: ./mvnw clean compile test-compile failsafe:integration-test failsafe:verify

.github/workflows/test.yml

@@ -1,18 +1,26 @@
 name: Service CI
 
-on: [push]
+on:
+  push:
+    branches-ignore:
+      - gh-pages
 
 jobs:
   build:
     runs-on: ubuntu-latest
+    container: ubuntu:22.04
 
     steps:
-      - uses: actions/checkout@v2
-      - name: Set up JDK 11
-        uses: actions/setup-java@3bc31aaf88e8fc94dc1e632d48af61be5ca8721c
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - name: Set up JDK 21
+        uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0
         with:
-          distribution: 'adopt'
-          java-version: 11
+          distribution: 'temurin'
+          java-version: 21
           cache: 'maven'
+        env:
+          # work around an issue with actions/runner setting an incorrect HOME in containers, which breaks maven caching
+          # https://github.com/actions/setup-java/issues/356
+          HOME: /root
       - name: Build with Maven
-        run: mvn -e -B verify
+        run: ./mvnw -e -B verify

.gitignore

@@ -16,6 +16,7 @@ config/deploy.properties
 /service/config/testing.yml
 /service/config/deploy.properties
 /service/dependency-reduced-pom.xml
+.java-version
 .opsmanage
 put.sh
 deployer-staging.properties
@@ -25,4 +26,7 @@ deployer.log
 !/service/src/main/resources/org/signal/badges/Badges_en.properties
 /service/src/main/resources/org/signal/subscriptions/Subscriptions_*.properties
 !/service/src/main/resources/org/signal/subscriptions/Subscriptions_en.properties
-/.tx/config
+.project
+.classpath
+.settings
+.DS_Store

.gitmodules

@@ -1,11 +1,11 @@
-# Note that the implmentation of the abusive message filter is private; internal
+# Note that the implementation of the spam filter is private; internal
 # developers will need to override this URL with:
 #
 # ```
-# git config submodule.abusive-message-filter.url PRIVATE_URL
+# git config submodule.spam-filter.url PRIVATE_URL
 # ```
 #
 # External developers may safely ignore this submodule.
-[submodule "abusive-message-filter"]
-	path = abusive-message-filter
+[submodule "spam-filter"]
+	path = spam-filter
 	url = REDACTED

.mvn/extensions.xml

@@ -4,6 +4,6 @@
   <extension>
     <groupId>fr.brouillard.oss</groupId>
     <artifactId>jgitver-maven-plugin</artifactId>
-    <version>1.7.1</version>
+    <version>1.9.0</version>
   </extension>
 </extensions>

.mvn/wrapper/maven-wrapper.properties

@@ -0,0 +1,20 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.4/apache-maven-3.9.4-bin.zip
+wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.2.0/maven-wrapper-3.2.0.jar
+distributionSha256Sum=e896b60329a71b719d77bb4388b251a50aebcd73c62f69d510c858ce360afe0f
+wrapperSha256Sum=e63a53cfb9c4d291ebe3c2b0edacb7622bbc480326beaa5a0456e412f52f066a

LICENSE

@@ -296,7 +296,7 @@ commercial, industrial or non-consumer uses, unless such uses represent
 the only significant mode of use of the product.
 
   "Installation Information" for a User Product means any methods,
-procedures, authorization keys, or other information required to install
+procedures, authorization keysManager, or other information required to install
 and execute modified versions of a covered work in that User Product from
 a modified version of its Corresponding Source.  The information must
 suffice to ensure that the continued functioning of the modified object

README.md

@@ -13,7 +13,7 @@ Cryptography Notice
 
 This distribution includes cryptographic software. The country in which you currently reside may have restrictions on the import, possession, use, and/or re-export to another country, of encryption software.
 BEFORE using any encryption software, please check your country's laws, regulations and policies concerning the import, possession, or use, and re-export of encryption software, to see if this is permitted.
-See <http://www.wassenaar.org/> for more information.
+See <https://www.wassenaar.org/> for more information.
 
 The U.S. Government Department of Commerce, Bureau of Industry and Security (BIS), has classified this software as Export Commodity Control Number (ECCN) 5D002.C.1, which includes information security software using or performing cryptographic functions with asymmetric algorithms.
 The form and manner of this distribution makes it eligible for export under the License Exception ENC Technology Software Unrestricted (TSU) exception (see the BIS Export Administration Regulations, Section 740.13) for both object code and source code.
@@ -21,6 +21,6 @@ The form and manner of this distribution makes it eligible for export under the
 License
 ---------------------
 
-Copyright 2013-2021 Signal Messenger, LLC
+Copyright 2013-2023 Signal Messenger, LLC
 
 Licensed under the AGPLv3: https://www.gnu.org/licenses/agpl-3.0.html

api-doc/pom.xml

@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <artifactId>TextSecureServer</artifactId>
+    <groupId>org.whispersystems.textsecure</groupId>
+    <version>JGITVER</version>
+  </parent>
+  <modelVersion>4.0.0</modelVersion>
+  <artifactId>api-doc</artifactId>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.whispersystems.textsecure</groupId>
+      <artifactId>service</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>io.swagger.core.v3</groupId>
+        <artifactId>swagger-maven-plugin</artifactId>
+        <version>${swagger.version}</version>
+        <configuration>
+          <outputFileName>signal-server-openapi</outputFileName>
+          <outputPath>${project.build.directory}/openapi</outputPath>
+          <outputFormat>YAML</outputFormat>
+          <configurationFilePath>${project.basedir}/src/main/resources/openapi/openapi-configuration.yaml
+          </configurationFilePath>
+        </configuration>
+        <executions>
+          <execution>
+            <phase>compile</phase>
+            <goals>
+              <goal>resolve</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <groupId>com.google.cloud.tools</groupId>
+        <artifactId>jib-maven-plugin</artifactId>
+        <configuration>
+          <!-- we don't want jib to execute on this module -->
+          <skip>true</skip>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+</project>

api-doc/src/main/java/org/signal/openapi/OpenApiExtension.java

@@ -0,0 +1,97 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.openapi;
+
+import com.fasterxml.jackson.annotation.JsonView;
+import com.fasterxml.jackson.databind.JavaType;
+import com.fasterxml.jackson.databind.type.SimpleType;
+import io.dropwizard.auth.Auth;
+import io.swagger.v3.jaxrs2.ResolvedParameter;
+import io.swagger.v3.jaxrs2.ext.AbstractOpenAPIExtension;
+import io.swagger.v3.jaxrs2.ext.OpenAPIExtension;
+import io.swagger.v3.oas.models.Components;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Optional;
+import java.util.ServiceLoader;
+import java.util.Set;
+import javax.ws.rs.Consumes;
+import org.whispersystems.textsecuregcm.auth.AuthenticatedAccount;
+
+/**
+ * One of the extension mechanisms of Swagger Core library (OpenAPI processor) is via custom implementations
+ * of the {@link AbstractOpenAPIExtension} class.
+ * <p/>
+ * The purpose of this extension is to customize certain aspects of the OpenAPI model generation on a lower level.
+ * This extension works in coordination with {@link OpenApiReader} that has access to the model on a higher level.
+ * <p/>
+ * The extension is enabled by being listed in {@code META-INF/services/io.swagger.v3.jaxrs2.ext.OpenAPIExtension} file.
+ * @see ServiceLoader
+ * @see OpenApiReader
+ * @see <a href="https://github.com/swagger-api/swagger-core/wiki/Swagger-2.X---Extensions">Swagger 2.X Extensions</a>
+ */
+public class OpenApiExtension extends AbstractOpenAPIExtension {
+
+  public static final ResolvedParameter AUTHENTICATED_ACCOUNT = new ResolvedParameter();
+
+  public static final ResolvedParameter OPTIONAL_AUTHENTICATED_ACCOUNT = new ResolvedParameter();
+
+  /**
+   * When parsing endpoint methods, Swagger will treat the first parameter not annotated as header/path/query param
+   * as a request body (and will ignore other not annotated parameters). In our case, this behavior conflicts with
+   * the {@code @Auth}-annotated parameters. Here we're checking if parameters are known to be anything other than
+   * a body and return an appropriate {@link ResolvedParameter} representation.
+   */
+  @Override
+  public ResolvedParameter extractParameters(
+      final List<Annotation> annotations,
+      final Type type,
+      final Set<Type> typesToSkip,
+      final Components components,
+      final Consumes classConsumes,
+      final Consumes methodConsumes,
+      final boolean includeRequestBody,
+      final JsonView jsonViewAnnotation,
+      final Iterator<OpenAPIExtension> chain) {
+
+    if (annotations.stream().anyMatch(a -> a.annotationType().equals(Auth.class))) {
+      // this is the case of authenticated endpoint,
+      if (type instanceof SimpleType simpleType
+          && simpleType.getRawClass().equals(AuthenticatedAccount.class)) {
+        return AUTHENTICATED_ACCOUNT;
+      }
+      if (type instanceof SimpleType simpleType
+          && isOptionalOfType(simpleType, AuthenticatedAccount.class)) {
+        return OPTIONAL_AUTHENTICATED_ACCOUNT;
+      }
+    }
+
+    return super.extractParameters(
+        annotations,
+        type,
+        typesToSkip,
+        components,
+        classConsumes,
+        methodConsumes,
+        includeRequestBody,
+        jsonViewAnnotation,
+        chain);
+  }
+
+  private static boolean isOptionalOfType(final SimpleType simpleType, final Class<?> expectedType) {
+    if (!simpleType.getRawClass().equals(Optional.class)) {
+      return false;
+    }
+    final List<JavaType> typeParameters = simpleType.getBindings().getTypeParameters();
+    if (typeParameters.isEmpty()) {
+      return false;
+    }
+    return typeParameters.get(0) instanceof SimpleType optionalParameterType
+        && optionalParameterType.getRawClass().equals(expectedType);
+  }
+}

api-doc/src/main/java/org/signal/openapi/OpenApiReader.java

@@ -0,0 +1,71 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.openapi;
+
+import static com.google.common.base.MoreObjects.firstNonNull;
+import static org.signal.openapi.OpenApiExtension.AUTHENTICATED_ACCOUNT;
+import static org.signal.openapi.OpenApiExtension.OPTIONAL_AUTHENTICATED_ACCOUNT;
+
+import com.fasterxml.jackson.annotation.JsonView;
+import com.google.common.collect.ImmutableList;
+import io.swagger.v3.jaxrs2.Reader;
+import io.swagger.v3.jaxrs2.ResolvedParameter;
+import io.swagger.v3.oas.models.Operation;
+import io.swagger.v3.oas.models.security.SecurityRequirement;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+import java.util.Collections;
+import java.util.List;
+import javax.ws.rs.Consumes;
+
+/**
+ * One of the extension mechanisms of Swagger Core library (OpenAPI processor) is via custom implementations
+ * of the {@link Reader} class.
+ * <p/>
+ * The purpose of this extension is to customize certain aspects of the OpenAPI model generation on a higher level.
+ * This extension works in coordination with {@link OpenApiExtension} that has access to the model on a lower level.
+ * <p/>
+ * The extension is enabled by being listed in {@code resources/openapi/openapi-configuration.yaml} file.
+ * @see OpenApiExtension
+ * @see <a href="https://github.com/swagger-api/swagger-core/wiki/Swagger-2.X---Extensions">Swagger 2.X Extensions</a>
+ */
+public class OpenApiReader extends Reader {
+
+  private static final String AUTHENTICATED_ACCOUNT_AUTH_SCHEMA = "authenticatedAccount";
+
+
+  /**
+   * Overriding this method allows converting a resolved parameter into other operation entities,
+   * in this case, into security requirements.
+   */
+  @Override
+  protected ResolvedParameter getParameters(
+      final Type type,
+      final List<Annotation> annotations,
+      final Operation operation,
+      final Consumes classConsumes,
+      final Consumes methodConsumes,
+      final JsonView jsonViewAnnotation) {
+    final ResolvedParameter resolved = super.getParameters(
+        type, annotations, operation, classConsumes, methodConsumes, jsonViewAnnotation);
+
+    if (resolved == AUTHENTICATED_ACCOUNT) {
+      operation.setSecurity(ImmutableList.<SecurityRequirement>builder()
+          .addAll(firstNonNull(operation.getSecurity(), Collections.emptyList()))
+          .add(new SecurityRequirement().addList(AUTHENTICATED_ACCOUNT_AUTH_SCHEMA))
+          .build());
+    }
+    if (resolved == OPTIONAL_AUTHENTICATED_ACCOUNT) {
+      operation.setSecurity(ImmutableList.<SecurityRequirement>builder()
+          .addAll(firstNonNull(operation.getSecurity(), Collections.emptyList()))
+          .add(new SecurityRequirement().addList(AUTHENTICATED_ACCOUNT_AUTH_SCHEMA))
+          .add(new SecurityRequirement())
+          .build());
+    }
+
+    return resolved;
+  }
+}

api-doc/src/main/resources/META-INF/services/io.swagger.v3.jaxrs2.ext.OpenAPIExtension

@@ -0,0 +1 @@
+org.signal.openapi.OpenApiExtension

api-doc/src/main/resources/openapi/openapi-configuration.yaml

@@ -0,0 +1,25 @@
+resourcePackages:
+  - org.whispersystems.textsecuregcm
+prettyPrint: true
+cacheTTL: 0
+readerClass: org.signal.openapi.OpenApiReader
+openAPI:
+  info:
+    title: Signal Server API
+    license:
+      name: AGPL-3.0-only
+      url: https://www.gnu.org/licenses/agpl-3.0.txt
+  servers:
+    - url: https://chat.signal.org
+      description: Production service
+    - url: https://chat.staging.signal.org
+      description: Staging service
+  components:
+    securitySchemes:
+      authenticatedAccount:
+        type: http
+        scheme: basic
+        description: |
+          Account authentication is based on Basic authentication schema, 
+          where `username` has a format of `<user_id>[.<device_id>]`. If `device_id` is not specified,
+          user's `main` device is assumed.

gcm-sender-async/pom.xml

@@ -1,52 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0"
-  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
-  <parent>
-    <artifactId>TextSecureServer</artifactId>
-    <groupId>org.whispersystems.textsecure</groupId>
-    <version>JGITVER</version>
-  </parent>
-  <modelVersion>4.0.0</modelVersion>
-  <artifactId>gcm-sender-async</artifactId>
-
-  <dependencies>
-    <dependency>
-      <groupId>io.github.resilience4j</groupId>
-      <artifactId>resilience4j-retry</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>com.fasterxml.jackson.core</groupId>
-      <artifactId>jackson-core</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>com.fasterxml.jackson.core</groupId>
-      <artifactId>jackson-annotations</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>com.fasterxml.jackson.core</groupId>
-      <artifactId>jackson-databind</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>com.google.guava</groupId>
-      <artifactId>guava</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.httpcomponents</groupId>
-      <artifactId>httpclient</artifactId>
-      <scope>test</scope>
-    </dependency>
-    <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>jcl-over-slf4j</artifactId>
-      <scope>test</scope>
-    </dependency>
-    <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-nop</artifactId>
-      <scope>test</scope>
-    </dependency>
-  </dependencies>
-
-</project>
-

gcm-sender-async/src/main/java/org/whispersystems/gcm/server/AuthenticationFailedException.java

@@ -1,9 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.gcm.server;
-
-
-public class AuthenticationFailedException extends Exception {
-}

gcm-sender-async/src/main/java/org/whispersystems/gcm/server/InvalidRequestException.java

@@ -1,9 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.gcm.server;
-
-
-public class InvalidRequestException extends Exception {
-}

gcm-sender-async/src/main/java/org/whispersystems/gcm/server/Message.java

@@ -1,144 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.gcm.server;
-
-import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import org.whispersystems.gcm.server.internal.GcmRequestEntity;
-
-import java.util.HashMap;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Map;
-
-public class Message {
-
-  private static final ObjectMapper objectMapper = new ObjectMapper();
-
-  private final String              collapseKey;
-  private final Long                ttl;
-  private final Boolean             delayWhileIdle;
-  private final Map<String, String> data;
-  private final List<String>        registrationIds;
-  private final String              priority;
-
-  private Message(String collapseKey, Long ttl, Boolean delayWhileIdle,
-                  Map<String, String> data, List<String> registrationIds,
-                  String priority)
-  {
-    this.collapseKey     = collapseKey;
-    this.ttl             = ttl;
-    this.delayWhileIdle  = delayWhileIdle;
-    this.data            = data;
-    this.registrationIds = registrationIds;
-    this.priority        = priority;
-  }
-
-  public String serialize() throws JsonProcessingException {
-    GcmRequestEntity requestEntity = new GcmRequestEntity(collapseKey, ttl, delayWhileIdle,
-                                                          data, registrationIds, priority);
-
-    return objectMapper.writeValueAsString(requestEntity);
-  }
-
-  /**
-   * Construct a new Message using a Builder.
-   * @return A new Builder.
-   */
-  public static Builder newBuilder() {
-    return new Builder();
-  }
-
-  public static class Builder {
-
-    private String              collapseKey     = null;
-    private Long                ttl             = null;
-    private Boolean             delayWhileIdle  = null;
-    private Map<String, String> data            = null;
-    private List<String>        registrationIds = new LinkedList<>();
-    private String              priority        = null;
-
-    private Builder() {}
-
-    /**
-     * @param collapseKey The GCM collapse key to use (optional).
-     * @return The Builder.
-     */
-    public Builder withCollapseKey(String collapseKey) {
-      this.collapseKey = collapseKey;
-      return this;
-    }
-
-    /**
-     * @param seconds The TTL (in seconds) for this message (optional).
-     * @return The Builder.
-     */
-    public Builder withTtl(long seconds) {
-      this.ttl = seconds;
-      return this;
-    }
-
-    /**
-     * @param delayWhileIdle Set GCM delay_while_idle (optional).
-     * @return The Builder.
-     */
-    public Builder withDelayWhileIdle(boolean delayWhileIdle) {
-      this.delayWhileIdle = delayWhileIdle;
-      return this;
-    }
-
-    /**
-     * Set a key in the GCM JSON payload delivered to the application (optional).
-     * @param key The key to set.
-     * @param value The value to set.
-     * @return The Builder.
-     */
-    public Builder withDataPart(String key, String value) {
-      if (data == null) {
-        data = new HashMap<>();
-      }
-      data.put(key, value);
-      return this;
-    }
-
-    /**
-     * Set the destination GCM registration ID (mandatory).
-     * @param registrationId The destination GCM registration ID.
-     * @return The Builder.
-     */
-    public Builder withDestination(String registrationId) {
-      this.registrationIds.clear();
-      this.registrationIds.add(registrationId);
-      return this;
-    }
-
-    /**
-     * Set the GCM message priority (optional).
-     *
-     * @param priority Valid values are "normal" and "high."
-     *                 On iOS, these correspond to APNs priority 5 and 10.
-     * @return The Builder.
-     */
-    public Builder withPriority(String priority) {
-      this.priority = priority;
-      return this;
-    }
-
-    /**
-     * Construct a message object.
-     *
-     * @return An immutable message object, as configured by this builder.
-     */
-    public Message build() {
-      if (registrationIds.isEmpty()) {
-        throw new IllegalArgumentException("You must specify a destination!");
-      }
-
-      return new Message(collapseKey, ttl, delayWhileIdle, data, registrationIds, priority);
-    }
-  }
-
-
-}

gcm-sender-async/src/main/java/org/whispersystems/gcm/server/Result.java

@@ -1,80 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.gcm.server;
-
-/**
- * The result of a GCM send operation.
- */
-public class Result {
-
-  private final String canonicalRegistrationId;
-  private final String messageId;
-  private final String error;
-
-  Result(String canonicalRegistrationId, String messageId, String error) {
-    this.canonicalRegistrationId = canonicalRegistrationId;
-    this.messageId               = messageId;
-    this.error                   = error;
-  }
-
-  /**
-   * Returns the "canonical" GCM registration ID for this destination.
-   * See GCM documentation for details.
-   * @return The canonical GCM registration ID.
-   */
-  public String getCanonicalRegistrationId() {
-    return canonicalRegistrationId;
-  }
-
-  /**
-   * @return If a "canonical" GCM registration ID is present in the response.
-   */
-  public boolean hasCanonicalRegistrationId() {
-    return canonicalRegistrationId != null && !canonicalRegistrationId.isEmpty();
-  }
-
-  /**
-   * @return The assigned GCM message ID, if successful.
-   */
-  public String getMessageId() {
-    return messageId;
-  }
-
-  /**
-   * @return The raw error string, if present.
-   */
-  public String getError() {
-    return error;
-  }
-
-  /**
-   * @return If the send was a success.
-   */
-  public boolean isSuccess() {
-    return messageId != null && !messageId.isEmpty() && (error == null || error.isEmpty());
-  }
-
-  /**
-   * @return If the destination GCM registration ID is no longer registered.
-   */
-  public boolean isUnregistered() {
-    return "NotRegistered".equals(error);
-  }
-
-  /**
-   * @return If messages to this device are being throttled.
-   */
-  public boolean isThrottled() {
-    return "DeviceMessageRateExceeded".equals(error);
-  }
-
-  /**
-   * @return If the destination GCM registration ID is invalid.
-   */
-  public boolean isInvalidRegistrationId() {
-    return "InvalidRegistration".equals(error);
-  }
-
-}

gcm-sender-async/src/main/java/org/whispersystems/gcm/server/Sender.java

@@ -1,154 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.gcm.server;
-
-import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.google.common.annotations.VisibleForTesting;
-import io.github.resilience4j.retry.IntervalFunction;
-import io.github.resilience4j.retry.Retry;
-import io.github.resilience4j.retry.RetryConfig;
-import org.whispersystems.gcm.server.internal.GcmResponseEntity;
-import org.whispersystems.gcm.server.internal.GcmResponseListEntity;
-
-import java.io.IOException;
-import java.net.URI;
-import java.net.http.HttpClient;
-import java.net.http.HttpRequest;
-import java.net.http.HttpResponse.BodyHandlers;
-import java.security.SecureRandom;
-import java.time.Duration;
-import java.util.List;
-import java.util.concurrent.CompletableFuture;
-import java.util.concurrent.CompletionException;
-import java.util.concurrent.Executors;
-import java.util.concurrent.ScheduledExecutorService;
-import java.util.concurrent.TimeoutException;
-
-/**
- * The main interface to sending GCM messages.  Thread safe.
- *
- * @author Moxie Marlinspike
- */
-public class Sender {
-
-  private static final String PRODUCTION_URL = "https://fcm.googleapis.com/fcm/send";
-
-  private final String                   authorizationHeader;
-  private final URI                      uri;
-  private final Retry                    retry;
-  private final ObjectMapper             mapper;
-  private final ScheduledExecutorService executorService;
-
-  private final HttpClient[] clients = new HttpClient[10];
-  private final SecureRandom random  = new SecureRandom();
-
-  /**
-   * Construct a Sender instance.
-   *
-   * @param apiKey Your application's GCM API key.
-   */
-  public Sender(String apiKey, ObjectMapper mapper) {
-    this(apiKey, mapper, 10);
-  }
-
-  /**
-   * Construct a Sender instance with a specified retry count.
-   *
-   * @param apiKey Your application's GCM API key.
-   * @param retryCount The number of retries to attempt on a network error or 500 response.
-   */
-  public Sender(String apiKey, ObjectMapper mapper, int retryCount) {
-    this(apiKey, mapper, retryCount, PRODUCTION_URL);
-  }
-
-  @VisibleForTesting
-  public Sender(String apiKey, ObjectMapper mapper, int retryCount, String url) {
-    this.mapper              = mapper;
-    this.executorService     = Executors.newSingleThreadScheduledExecutor();
-    this.uri                 = URI.create(url);
-    this.authorizationHeader = String.format("key=%s", apiKey);
-    this.retry               = Retry.of("fcm-sender", RetryConfig.custom()
-                                                                       .maxAttempts(retryCount)
-                                                                       .intervalFunction(IntervalFunction.ofExponentialRandomBackoff(Duration.ofMillis(100), 2.0))
-                                                                       .retryOnException(this::isRetryableException)
-                                                                       .build());
-
-    for (int i=0;i<clients.length;i++) {
-      this.clients[i] = HttpClient.newBuilder()
-                                  .version(HttpClient.Version.HTTP_2)
-                                  .connectTimeout(Duration.ofSeconds(10))
-                                  .build();
-    }
-  }
-
-  private boolean isRetryableException(Throwable throwable) {
-    while (throwable instanceof  CompletionException) {
-      throwable = throwable.getCause();
-    }
-
-    return throwable instanceof ServerFailedException ||
-           throwable instanceof  TimeoutException     ||
-           throwable instanceof  IOException;
-  }
-
-  /**
-   * Asynchronously send a message.
-   *
-   * @param message The message to send.
-   * @return A future.
-   */
-  public CompletableFuture<Result> send(Message message) {
-    try {
-      HttpRequest request = HttpRequest.newBuilder()
-                                       .uri(uri)
-                                       .header("Authorization", authorizationHeader)
-                                       .header("Content-Type", "application/json")
-                                       .POST(HttpRequest.BodyPublishers.ofString(message.serialize()))
-                                       .timeout(Duration.ofSeconds(10))
-                                       .build();
-
-      return retry.executeCompletionStage(executorService,
-                                          () -> getClient().sendAsync(request, BodyHandlers.ofByteArray())
-                                                      .thenApply(response -> {
-                                                        switch (response.statusCode()) {
-                                                          case 400: throw new CompletionException(new InvalidRequestException());
-                                                          case 401: throw new CompletionException(new AuthenticationFailedException());
-                                                          case 204:
-                                                          case 200: return response.body();
-                                                          default:  throw new CompletionException(new ServerFailedException("Bad status: " + response.statusCode()));
-                                                        }
-                                                      })
-                                                      .thenApply(responseBytes -> {
-                                                        try {
-                                                          List<GcmResponseEntity> responseList = mapper.readValue(responseBytes, GcmResponseListEntity.class).getResults();
-
-                                                          if (responseList == null || responseList.size() == 0) {
-                                                            throw new CompletionException(new IOException("Empty response list!"));
-                                                          }
-
-                                                          GcmResponseEntity responseEntity = responseList.get(0);
-
-                                                          return new Result(responseEntity.getCanonicalRegistrationId(),
-                                                                            responseEntity.getMessageId(),
-                                                                            responseEntity.getError());
-                                                        } catch (IOException e) {
-                                                          throw new CompletionException(e);
-                                                        }
-                                                      })).toCompletableFuture();
-    } catch (JsonProcessingException e) {
-      return CompletableFuture.failedFuture(e);
-    }
-  }
-
-  public Retry getRetry() {
-    return retry;
-  }
-
-  private HttpClient getClient() {
-    return clients[random.nextInt(clients.length)];
-  }
-
-}

gcm-sender-async/src/main/java/org/whispersystems/gcm/server/ServerFailedException.java

@@ -1,15 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.gcm.server;
-
-public class ServerFailedException extends Exception {
-  public ServerFailedException(String message) {
-    super(message);
-  }
-
-  public ServerFailedException(Exception e) {
-    super(e);
-  }
-}

gcm-sender-async/src/main/java/org/whispersystems/gcm/server/internal/GcmRequestEntity.java

@@ -1,46 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.gcm.server.internal;
-
-
-import com.fasterxml.jackson.annotation.JsonInclude;
-import com.fasterxml.jackson.annotation.JsonProperty;
-
-import java.util.List;
-import java.util.Map;
-
-@JsonInclude(JsonInclude.Include.NON_NULL)
-public class GcmRequestEntity {
-
-  @JsonProperty(value = "collapse_key")
-  private String collapseKey;
-
-  @JsonProperty(value = "time_to_live")
-  private Long ttl;
-
-  @JsonProperty(value = "delay_while_idle")
-  private Boolean delayWhileIdle;
-
-  @JsonProperty(value = "data")
-  private Map<String, String> data;
-
-  @JsonProperty(value = "registration_ids")
-  private List<String> registrationIds;
-
-  @JsonProperty
-  private String priority;
-
-  public GcmRequestEntity(String collapseKey, Long ttl, Boolean delayWhileIdle,
-                          Map<String, String> data, List<String> registrationIds,
-                          String priority)
-  {
-    this.collapseKey     = collapseKey;
-    this.ttl             = ttl;
-    this.delayWhileIdle  = delayWhileIdle;
-    this.data            = data;
-    this.registrationIds = registrationIds;
-    this.priority        = priority;
-  }
-}

gcm-sender-async/src/main/java/org/whispersystems/gcm/server/internal/GcmResponseEntity.java

@@ -1,31 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.gcm.server.internal;
-
-import com.fasterxml.jackson.annotation.JsonProperty;
-
-public class GcmResponseEntity {
-
-  @JsonProperty(value = "message_id")
-  private String messageId;
-
-  @JsonProperty(value = "registration_id")
-  private String canonicalRegistrationId;
-
-  @JsonProperty
-  private String error;
-
-  public String getMessageId() {
-    return messageId;
-  }
-
-  public String getCanonicalRegistrationId() {
-    return canonicalRegistrationId;
-  }
-
-  public String getError() {
-    return error;
-  }
-}

gcm-sender-async/src/main/java/org/whispersystems/gcm/server/internal/GcmResponseListEntity.java

@@ -1,19 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.gcm.server.internal;
-
-import com.fasterxml.jackson.annotation.JsonProperty;
-
-import java.util.List;
-
-public class GcmResponseListEntity {
-
-  @JsonProperty
-  private List<GcmResponseEntity> results;
-
-  public List<GcmResponseEntity> getResults() {
-    return results;
-  }
-}

gcm-sender-async/src/test/java/org/whispersystems/gcm/server/MessageTest.java

@@ -1,49 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.gcm.server;
-
-import org.junit.Test;
-
-import java.io.IOException;
-
-import static org.junit.Assert.assertEquals;
-import static org.whispersystems.gcm.server.util.JsonHelpers.jsonFixture;
-
-public class MessageTest {
-
-  @Test
-  public void testMinimal() throws IOException {
-    Message message = Message.newBuilder()
-                             .withDestination("1")
-                             .build();
-
-    assertEquals(message.serialize(), jsonFixture("fixtures/message-minimal.json"));
-  }
-
-  @Test
-  public void testComplete() throws IOException {
-    Message message = Message.newBuilder()
-                             .withDestination("1")
-                             .withCollapseKey("collapse")
-                             .withDelayWhileIdle(true)
-                             .withTtl(10)
-                             .withPriority("high")
-                             .build();
-
-    assertEquals(message.serialize(), jsonFixture("fixtures/message-complete.json"));
-  }
-
-  @Test
-  public void testWithData() throws IOException {
-    Message message = Message.newBuilder()
-                             .withDestination("2")
-                             .withDataPart("key1", "value1")
-                             .withDataPart("key2", "value2")
-                             .build();
-
-    assertEquals(message.serialize(), jsonFixture("fixtures/message-data.json"));
-  }
-
-}

gcm-sender-async/src/test/java/org/whispersystems/gcm/server/SenderTest.java

@@ -1,200 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.gcm.server;
-
-import static com.github.tomakehurst.wiremock.client.WireMock.aResponse;
-import static com.github.tomakehurst.wiremock.client.WireMock.any;
-import static com.github.tomakehurst.wiremock.client.WireMock.anyRequestedFor;
-import static com.github.tomakehurst.wiremock.client.WireMock.anyUrl;
-import static com.github.tomakehurst.wiremock.client.WireMock.equalTo;
-import static com.github.tomakehurst.wiremock.client.WireMock.ok;
-import static com.github.tomakehurst.wiremock.client.WireMock.postRequestedFor;
-import static com.github.tomakehurst.wiremock.client.WireMock.urlEqualTo;
-import static com.github.tomakehurst.wiremock.client.WireMock.verify;
-import static com.github.tomakehurst.wiremock.core.WireMockConfiguration.options;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNull;
-import static org.junit.Assert.assertTrue;
-import static org.whispersystems.gcm.server.util.FixtureHelpers.fixture;
-import static org.whispersystems.gcm.server.util.JsonHelpers.jsonFixture;
-
-import com.fasterxml.jackson.annotation.JsonAutoDetect;
-import com.fasterxml.jackson.annotation.PropertyAccessor;
-import com.fasterxml.jackson.databind.DeserializationFeature;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.github.tomakehurst.wiremock.client.CountMatchingStrategy;
-import com.github.tomakehurst.wiremock.junit.WireMockRule;
-import java.io.IOException;
-import java.util.concurrent.CompletableFuture;
-import java.util.concurrent.ExecutionException;
-import java.util.concurrent.TimeUnit;
-import java.util.concurrent.TimeoutException;
-import org.junit.Rule;
-import org.junit.Test;
-
-public class SenderTest {
-
-  @Rule
-  public WireMockRule wireMock = new WireMockRule(options().dynamicPort().dynamicHttpsPort());
-
-  private static final ObjectMapper mapper = new ObjectMapper();
-
-  static {
-    mapper.setVisibility(PropertyAccessor.ALL, JsonAutoDetect.Visibility.NONE);
-    mapper.setVisibility(PropertyAccessor.FIELD, JsonAutoDetect.Visibility.ANY);
-    mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
-  }
-
-  @Test
-  public void testSuccess() throws InterruptedException, ExecutionException, TimeoutException, IOException {
-    wireMock.stubFor(any(anyUrl())
-        .willReturn(aResponse()
-            .withStatus(200)
-            .withBody(fixture("fixtures/response-success.json"))));
-
-
-    Sender                    sender = new Sender("foobarbaz", mapper, 10, "http://localhost:" + wireMock.port() + "/gcm/send");
-    CompletableFuture<Result> future = sender.send(Message.newBuilder().withDestination("1").build());
-
-    Result result = future.get(10, TimeUnit.SECONDS);
-
-    assertTrue(result.isSuccess());
-    assertFalse(result.isThrottled());
-    assertFalse(result.isUnregistered());
-    assertEquals(result.getMessageId(), "1:08");
-    assertNull(result.getError());
-    assertNull(result.getCanonicalRegistrationId());
-
-    verify(1, postRequestedFor(urlEqualTo("/gcm/send"))
-        .withHeader("Authorization", equalTo("key=foobarbaz"))
-        .withHeader("Content-Type", equalTo("application/json"))
-        .withRequestBody(equalTo(jsonFixture("fixtures/message-minimal.json"))));
-  }
-
-  @Test
-  public void testBadApiKey() throws InterruptedException, TimeoutException {
-    wireMock.stubFor(any(anyUrl())
-        .willReturn(aResponse()
-            .withStatus(401)));
-
-    Sender                    sender = new Sender("foobar", mapper, 10, "http://localhost:" + wireMock.port() + "/gcm/send");
-    CompletableFuture<Result> future = sender.send(Message.newBuilder().withDestination("1").build());
-
-    try {
-      future.get(10, TimeUnit.SECONDS);
-      throw new AssertionError();
-    } catch (ExecutionException ee) {
-      assertTrue(ee.getCause() instanceof AuthenticationFailedException);
-    }
-
-    verify(1, anyRequestedFor(anyUrl()));
-  }
-
-  @Test
-  public void testBadRequest() throws TimeoutException, InterruptedException {
-    wireMock.stubFor(any(anyUrl())
-        .willReturn(aResponse()
-            .withStatus(400)));
-
-    Sender                    sender = new Sender("foobarbaz", mapper, 10, "http://localhost:" + wireMock.port() + "/gcm/send");
-    CompletableFuture<Result> future = sender.send(Message.newBuilder().withDestination("1").build());
-
-    try {
-      future.get(10, TimeUnit.SECONDS);
-      throw new AssertionError();
-    } catch (ExecutionException e) {
-      assertTrue(e.getCause() instanceof InvalidRequestException);
-    }
-
-    verify(1, anyRequestedFor(anyUrl()));
-  }
-
-  @Test
-  public void testServerError() throws TimeoutException, InterruptedException {
-    wireMock.stubFor(any(anyUrl())
-        .willReturn(aResponse()
-            .withStatus(503)));
-
-    Sender                    sender = new Sender("foobarbaz", mapper, 3, "http://localhost:" + wireMock.port() + "/gcm/send");
-    CompletableFuture<Result> future = sender.send(Message.newBuilder().withDestination("1").build());
-
-    try {
-      future.get(10, TimeUnit.SECONDS);
-      throw new AssertionError();
-    } catch (ExecutionException ee) {
-      assertTrue(ee.getCause() instanceof ServerFailedException);
-    }
-
-    verify(3, anyRequestedFor(anyUrl()));
-  }
-
-  @Test
-  public void testServerErrorRecovery() throws InterruptedException, ExecutionException, TimeoutException {
-
-    wireMock.stubFor(any(anyUrl()).willReturn(aResponse().withStatus(503)));
-
-    Sender                    sender = new Sender("foobarbaz", mapper, 4, "http://localhost:" + wireMock.port() + "/gcm/send");
-    CompletableFuture<Result> future = sender.send(Message.newBuilder().withDestination("1").build());
-
-    // up to three failures can happen, with 100ms exponential backoff
-    // if we end up using the fourth, and finaly try, it would be after ~700 ms
-    CompletableFuture.delayedExecutor(300, TimeUnit.MILLISECONDS).execute(() ->
-        wireMock.stubFor(any(anyUrl())
-            .willReturn(aResponse()
-                .withStatus(200)
-                .withBody(fixture("fixtures/response-success.json"))))
-    );
-
-    Result result = future.get(10, TimeUnit.SECONDS);
-
-    verify(new CountMatchingStrategy(CountMatchingStrategy.GREATER_THAN, 1), anyRequestedFor(anyUrl()));
-    assertTrue(result.isSuccess());
-    assertFalse(result.isThrottled());
-    assertFalse(result.isUnregistered());
-    assertEquals(result.getMessageId(), "1:08");
-    assertNull(result.getError());
-    assertNull(result.getCanonicalRegistrationId());
-  }
-
-  @Test
-  public void testNetworkError() throws TimeoutException, InterruptedException {
-
-    wireMock.stubFor(any(anyUrl())
-        .willReturn(ok()));
-
-    Sender sender = new Sender("foobarbaz", mapper ,2, "http://localhost:" + wireMock.port() + "/gcm/send");
-
-    wireMock.stop();
-
-    CompletableFuture<Result> future = sender.send(Message.newBuilder().withDestination("1").build());
-
-    try {
-      future.get(10, TimeUnit.SECONDS);
-    } catch (ExecutionException e) {
-      assertTrue(e.getCause() instanceof IOException);
-    }
-  }
-
-  @Test
-  public void testNotRegistered() throws InterruptedException, ExecutionException, TimeoutException {
-
-    wireMock.stubFor(any(anyUrl()).willReturn(aResponse().withStatus(200)
-        .withBody(fixture("fixtures/response-not-registered.json"))));
-
-    Sender                    sender = new Sender("foobarbaz", mapper,2, "http://localhost:" + wireMock.port() + "/gcm/send");
-    CompletableFuture<Result> future = sender.send(Message.newBuilder()
-                                                         .withDestination("2")
-                                                         .withDataPart("message", "new message!")
-                                                         .build());
-
-    Result result = future.get(10, TimeUnit.SECONDS);
-
-    assertFalse(result.isSuccess());
-    assertTrue(result.isUnregistered());
-    assertFalse(result.isThrottled());
-    assertEquals(result.getError(), "NotRegistered");
-  }
-}

gcm-sender-async/src/test/java/org/whispersystems/gcm/server/SimultaneousSenderTest.java

@@ -1,89 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.gcm.server;
-
-import static com.github.tomakehurst.wiremock.client.WireMock.aResponse;
-import static com.github.tomakehurst.wiremock.client.WireMock.post;
-import static com.github.tomakehurst.wiremock.client.WireMock.stubFor;
-import static com.github.tomakehurst.wiremock.client.WireMock.urlPathEqualTo;
-import static junit.framework.TestCase.assertTrue;
-import static org.whispersystems.gcm.server.util.FixtureHelpers.fixture;
-
-import com.fasterxml.jackson.annotation.JsonAutoDetect;
-import com.fasterxml.jackson.annotation.PropertyAccessor;
-import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.DeserializationFeature;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.github.tomakehurst.wiremock.core.WireMockConfiguration;
-import com.github.tomakehurst.wiremock.junit.WireMockRule;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.concurrent.CompletableFuture;
-import java.util.concurrent.ExecutionException;
-import java.util.concurrent.TimeUnit;
-import java.util.concurrent.TimeoutException;
-import org.junit.Ignore;
-import org.junit.Rule;
-import org.junit.Test;
-
-public class SimultaneousSenderTest {
-
-  @Rule
-  public WireMockRule wireMock = new WireMockRule(WireMockConfiguration.options().dynamicPort().dynamicHttpsPort());
-
-  private static final ObjectMapper mapper = new ObjectMapper();
-
-  static {
-    mapper.setVisibility(PropertyAccessor.ALL, JsonAutoDetect.Visibility.NONE);
-    mapper.setVisibility(PropertyAccessor.FIELD, JsonAutoDetect.Visibility.ANY);
-    mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
-  }
-
-  @Test
-  public void testSimultaneousSuccess() throws TimeoutException, InterruptedException, ExecutionException, JsonProcessingException {
-    stubFor(post(urlPathEqualTo("/gcm/send"))
-                .willReturn(aResponse()
-                                .withStatus(200)
-                                .withBody(fixture("fixtures/response-success.json"))));
-
-    Sender                          sender  = new Sender("foobarbaz", mapper, 2, "http://localhost:" + wireMock.port() + "/gcm/send");
-    List<CompletableFuture<Result>> results = new LinkedList<>();
-
-    for (int i=0;i<1000;i++) {
-      results.add(sender.send(Message.newBuilder().withDestination("1").build()));
-    }
-
-    for (CompletableFuture<Result> future : results) {
-      Result result = future.get(60, TimeUnit.SECONDS);
-
-      if (!result.isSuccess()) {
-        throw new AssertionError(result.getError());
-      }
-    }
-  }
-
-  @Test
-  @Ignore
-  public void testSimultaneousFailure() throws TimeoutException, InterruptedException {
-    stubFor(post(urlPathEqualTo("/gcm/send"))
-                .willReturn(aResponse()
-                                .withStatus(503)));
-
-    Sender                         sender   = new Sender("foobarbaz", mapper, 2, "http://localhost:" + wireMock.port() + "/gcm/send");
-    List<CompletableFuture<Result>> futures = new LinkedList<>();
-
-    for (int i=0;i<1000;i++) {
-      futures.add(sender.send(Message.newBuilder().withDestination("1").build()));
-    }
-
-    for (CompletableFuture<Result> future : futures) {
-      try {
-        Result result = future.get(60, TimeUnit.SECONDS);
-      } catch (ExecutionException e) {
-        assertTrue(e.getCause().toString(), e.getCause() instanceof ServerFailedException);
-      }
-    }
-  }
-}

gcm-sender-async/src/test/java/org/whispersystems/gcm/server/util/FixtureHelpers.java

@@ -1,47 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.gcm.server.util;
-
-import com.google.common.base.Charsets;
-import com.google.common.io.Resources;
-
-import java.io.IOException;
-import java.nio.charset.Charset;
-
-/**
- * A set of helper method for fixture files.
- */
-public class FixtureHelpers {
-  private FixtureHelpers() { /* singleton */ }
-
-  /**
-   * Reads the given fixture file from the classpath (e. g. {@code src/test/resources})
-   * and returns its contents as a UTF-8 string.
-   *
-   * @param filename the filename of the fixture file
-   * @return the contents of {@code src/test/resources/{filename}}
-   * @throws IllegalArgumentException if an I/O error occurs.
-   */
-  public static String fixture(String filename) {
-    return fixture(filename, Charsets.UTF_8);
-  }
-
-  /**
-   * Reads the given fixture file from the classpath (e. g. {@code src/test/resources})
-   * and returns its contents as a string.
-   *
-   * @param filename the filename of the fixture file
-   * @param charset  the character set of {@code filename}
-   * @return the contents of {@code src/test/resources/{filename}}
-   * @throws IllegalArgumentException if an I/O error occurs.
-   */
-  private static String fixture(String filename, Charset charset) {
-    try {
-      return Resources.toString(Resources.getResource(filename), charset).trim();
-    } catch (IOException e) {
-      throw new IllegalArgumentException(e);
-    }
-  }
-}

gcm-sender-async/src/test/java/org/whispersystems/gcm/server/util/JsonHelpers.java

@@ -1,30 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.gcm.server.util;
-
-import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.JsonNode;
-import com.fasterxml.jackson.databind.ObjectMapper;
-
-import java.io.IOException;
-
-import static org.whispersystems.gcm.server.util.FixtureHelpers.fixture;
-
-public class JsonHelpers {
-
-  private static final ObjectMapper objectMapper = new ObjectMapper();
-
-  public static String asJson(Object object) throws JsonProcessingException {
-    return objectMapper.writeValueAsString(object);
-  }
-
-  public static <T> T fromJson(String value, Class<T> clazz) throws IOException {
-    return objectMapper.readValue(value, clazz);
-  }
-
-  public static String jsonFixture(String filename) throws IOException {
-    return objectMapper.writeValueAsString(objectMapper.readValue(fixture(filename), JsonNode.class));
-  }
-}

gcm-sender-async/src/test/resources/fixtures/message-complete.json

@@ -1,7 +0,0 @@
-{
-  "priority" : "high",
-  "collapse_key" : "collapse",
-  "time_to_live" : 10,
-  "delay_while_idle" : true,
-  "registration_ids" : ["1"]
-}

gcm-sender-async/src/test/resources/fixtures/message-data.json

@@ -1,7 +0,0 @@
-{
-  "data" : {
-    "key1" : "value1",
-    "key2" : "value2"
-  },
-  "registration_ids" : ["2"]
-}

gcm-sender-async/src/test/resources/fixtures/message-minimal.json

@@ -1,3 +0,0 @@
-{
-  "registration_ids" : ["1"]
-}

gcm-sender-async/src/test/resources/fixtures/response-not-registered.json

@@ -1,8 +0,0 @@
-{ "multicast_id": 216,
-  "success": 0,
-  "failure": 1,
-  "canonical_ids": 0,
-  "results": [
-    { "error": "NotRegistered"}
-  ]
-}

gcm-sender-async/src/test/resources/fixtures/response-success.json

@@ -1,8 +0,0 @@
-{ "multicast_id": 108,
-  "success": 1,
-  "failure": 0,
-  "canonical_ids": 0,
-  "results": [
-    { "message_id": "1:08" }
-  ]
-}

gcm-sender-async/src/test/resources/logback-test.xml

@@ -1,8 +0,0 @@
-<configuration>
-  <!-- Turning down the wiremock logging -->
-  <logger name="com.github.tomakehurst.wiremock" level="WARN"/>
-  <logger name="wiremock.org" level="ERROR"/>
-  <logger name="WireMock" level="WARN"/>
-  <!-- wiremock has per endpoint servlet logging -->
-  <logger name="/" level="WARN"/>
-</configuration>

integration-tests/.gitignore

@@ -0,0 +1,2 @@
+.libs
+src/main/resources/config.yml

integration-tests/pom.xml

@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <artifactId>TextSecureServer</artifactId>
+    <groupId>org.whispersystems.textsecure</groupId>
+    <version>JGITVER</version>
+  </parent>
+  <modelVersion>4.0.0</modelVersion>
+  <artifactId>integration-tests</artifactId>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.whispersystems.textsecure</groupId>
+      <artifactId>service</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+
+    <dependency>
+      <groupId>software.amazon.awssdk</groupId>
+      <artifactId>dynamodb</artifactId>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <version>3.1.2</version>
+        <configuration>
+          <excludes>
+            <exclude>**</exclude>
+          </excludes>
+        </configuration>
+      </plugin>
+
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-failsafe-plugin</artifactId>
+        <version>3.1.2</version>
+        <configuration>
+          <additionalClasspathElements>
+            <additionalClasspathElement>${project.basedir}/.libs/software.amazon.awssdk-sso.jar</additionalClasspathElement>
+          </additionalClasspathElements>
+          <includes>
+            <include>**/*.java</include>
+          </includes>
+        </configuration>
+      </plugin>
+      <plugin>
+        <groupId>com.google.cloud.tools</groupId>
+        <artifactId>jib-maven-plugin</artifactId>
+        <configuration>
+          <!-- we don't want jib to execute on this module -->
+          <skip>true</skip>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+</project>

integration-tests/src/main/java/org/signal/integration/Codecs.java

@@ -0,0 +1,102 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.databind.JsonDeserializer;
+import com.fasterxml.jackson.databind.JsonSerializer;
+import com.fasterxml.jackson.databind.SerializerProvider;
+import java.io.IOException;
+import java.util.Base64;
+import org.signal.libsignal.protocol.IdentityKey;
+import org.signal.libsignal.protocol.ecc.Curve;
+import org.signal.libsignal.protocol.ecc.ECPublicKey;
+
+public final class Codecs {
+
+  private Codecs() {
+    // utility class
+  }
+
+  @FunctionalInterface
+  public interface CheckedFunction<T, R> {
+    R apply(T t) throws Exception;
+  }
+
+  public static class Base64BasedSerializer<T> extends JsonSerializer<T> {
+
+    private final CheckedFunction<T, byte[]> mapper;
+
+    public Base64BasedSerializer(final CheckedFunction<T, byte[]> mapper) {
+      this.mapper = mapper;
+    }
+
+    @Override
+    public void serialize(final T value, final JsonGenerator gen, final SerializerProvider serializers) throws IOException {
+      try {
+        gen.writeString(Base64.getEncoder().withoutPadding().encodeToString(mapper.apply(value)));
+      } catch (Exception e) {
+        throw new RuntimeException(e);
+      }
+    }
+  }
+
+  public static class Base64BasedDeserializer<T> extends JsonDeserializer<T> {
+
+    private final CheckedFunction<byte[], T> mapper;
+
+    public Base64BasedDeserializer(final CheckedFunction<byte[], T> mapper) {
+      this.mapper = mapper;
+    }
+
+    @Override
+    public T deserialize(final JsonParser p, final DeserializationContext ctxt) throws IOException {
+      try {
+        return mapper.apply(Base64.getDecoder().decode(p.getValueAsString()));
+      } catch (Exception e) {
+        throw new RuntimeException(e);
+      }
+    }
+  }
+
+  public static class ByteArraySerializer extends Base64BasedSerializer<byte[]> {
+    public ByteArraySerializer() {
+      super(bytes -> bytes);
+    }
+  }
+
+  public static class ByteArrayDeserializer extends Base64BasedDeserializer<byte[]> {
+    public ByteArrayDeserializer() {
+      super(bytes -> bytes);
+    }
+  }
+
+  public static class ECPublicKeySerializer extends Base64BasedSerializer<ECPublicKey> {
+    public ECPublicKeySerializer() {
+      super(ECPublicKey::serialize);
+    }
+  }
+
+  public static class ECPublicKeyDeserializer extends Base64BasedDeserializer<ECPublicKey> {
+    public ECPublicKeyDeserializer() {
+      super(bytes -> Curve.decodePoint(bytes, 0));
+    }
+  }
+
+  public static class IdentityKeySerializer extends Base64BasedSerializer<IdentityKey> {
+    public IdentityKeySerializer() {
+      super(IdentityKey::serialize);
+    }
+  }
+
+  public static class IdentityKeyDeserializer extends Base64BasedDeserializer<IdentityKey> {
+    public IdentityKeyDeserializer() {
+      super(bytes -> new IdentityKey(bytes, 0));
+    }
+  }
+}

integration-tests/src/main/java/org/signal/integration/IntegrationTools.java

@@ -0,0 +1,69 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import java.time.Clock;
+import java.time.Duration;
+import java.util.Optional;
+import java.util.concurrent.CompletableFuture;
+import org.signal.integration.config.Config;
+import org.whispersystems.textsecuregcm.registration.VerificationSession;
+import org.whispersystems.textsecuregcm.storage.RegistrationRecoveryPasswords;
+import org.whispersystems.textsecuregcm.storage.RegistrationRecoveryPasswordsManager;
+import org.whispersystems.textsecuregcm.storage.VerificationSessionManager;
+import org.whispersystems.textsecuregcm.storage.VerificationSessions;
+import org.whispersystems.textsecuregcm.util.DynamoDbFromConfig;
+import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
+import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
+import software.amazon.awssdk.services.dynamodb.DynamoDbAsyncClient;
+import software.amazon.awssdk.services.dynamodb.DynamoDbClient;
+
+public class IntegrationTools {
+
+  private final RegistrationRecoveryPasswordsManager registrationRecoveryPasswordsManager;
+
+  private final VerificationSessionManager verificationSessionManager;
+
+
+  public static IntegrationTools create(final Config config) {
+    final AwsCredentialsProvider credentialsProvider = DefaultCredentialsProvider.builder().build();
+
+    final DynamoDbAsyncClient dynamoDbAsyncClient = DynamoDbFromConfig.asyncClient(
+        config.dynamoDbClientConfiguration(),
+        credentialsProvider);
+
+    final DynamoDbClient dynamoDbClient = DynamoDbFromConfig.client(
+        config.dynamoDbClientConfiguration(),
+        credentialsProvider);
+
+    final RegistrationRecoveryPasswords registrationRecoveryPasswords = new RegistrationRecoveryPasswords(
+        config.dynamoDbTables().registrationRecovery(), Duration.ofDays(1), dynamoDbClient, dynamoDbAsyncClient);
+
+    final VerificationSessions verificationSessions = new VerificationSessions(
+        dynamoDbAsyncClient, config.dynamoDbTables().verificationSessions(), Clock.systemUTC());
+
+    return new IntegrationTools(
+        new RegistrationRecoveryPasswordsManager(registrationRecoveryPasswords),
+        new VerificationSessionManager(verificationSessions)
+    );
+  }
+
+  private IntegrationTools(
+      final RegistrationRecoveryPasswordsManager registrationRecoveryPasswordsManager,
+      final VerificationSessionManager verificationSessionManager) {
+    this.registrationRecoveryPasswordsManager = registrationRecoveryPasswordsManager;
+    this.verificationSessionManager = verificationSessionManager;
+  }
+
+  public CompletableFuture<Void> populateRecoveryPassword(final String e164, final byte[] password) {
+    return registrationRecoveryPasswordsManager.storeForCurrentNumber(e164, password);
+  }
+
+  public CompletableFuture<Optional<String>> peekVerificationSessionPushChallenge(final String sessionId) {
+    return verificationSessionManager.findForId(sessionId)
+        .thenApply(maybeSession -> maybeSession.map(VerificationSession::pushChallenge));
+  }
+}

integration-tests/src/main/java/org/signal/integration/Operations.java

@@ -0,0 +1,326 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import static java.util.Objects.requireNonNull;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.google.common.io.Resources;
+import com.google.common.net.HttpHeaders;
+import java.io.IOException;
+import java.lang.invoke.MethodHandles;
+import java.net.URI;
+import java.net.URL;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.nio.charset.StandardCharsets;
+import java.security.SecureRandom;
+import java.security.cert.CertificateException;
+import java.util.ArrayList;
+import java.util.Base64;
+import java.util.Collections;
+import java.util.List;
+import java.util.Optional;
+import java.util.concurrent.Executors;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.Validate;
+import org.apache.commons.lang3.tuple.Pair;
+import org.signal.integration.config.Config;
+import org.signal.libsignal.protocol.IdentityKey;
+import org.signal.libsignal.protocol.ecc.Curve;
+import org.signal.libsignal.protocol.ecc.ECKeyPair;
+import org.signal.libsignal.protocol.ecc.ECPublicKey;
+import org.signal.libsignal.protocol.kem.KEMKeyPair;
+import org.signal.libsignal.protocol.kem.KEMKeyType;
+import org.signal.libsignal.protocol.kem.KEMPublicKey;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.whispersystems.textsecuregcm.configuration.CircuitBreakerConfiguration;
+import org.whispersystems.textsecuregcm.entities.AccountAttributes;
+import org.whispersystems.textsecuregcm.entities.AccountIdentityResponse;
+import org.whispersystems.textsecuregcm.entities.ECSignedPreKey;
+import org.whispersystems.textsecuregcm.entities.KEMSignedPreKey;
+import org.whispersystems.textsecuregcm.entities.RegistrationRequest;
+import org.whispersystems.textsecuregcm.http.FaultTolerantHttpClient;
+import org.whispersystems.textsecuregcm.storage.Device;
+import org.whispersystems.textsecuregcm.util.HeaderUtils;
+import org.whispersystems.textsecuregcm.util.SystemMapper;
+
+public final class Operations {
+
+  private static final Logger logger = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+
+  private static final Config CONFIG = loadConfigFromClasspath("config.yml");
+
+  private static final IntegrationTools INTEGRATION_TOOLS = IntegrationTools.create(CONFIG);
+
+  private static final String USER_AGENT = "integration-test";
+
+  private static final FaultTolerantHttpClient CLIENT = buildClient();
+
+
+  private Operations() {
+    // utility class
+  }
+
+  public static TestUser newRegisteredUser(final String number) {
+    final byte[] registrationPassword = randomBytes(32);
+    final String accountPassword = Base64.getEncoder().encodeToString(randomBytes(32));
+
+    final TestUser user = TestUser.create(number, accountPassword, registrationPassword);
+    final AccountAttributes accountAttributes = user.accountAttributes();
+
+    INTEGRATION_TOOLS.populateRecoveryPassword(number, registrationPassword).join();
+
+    final ECKeyPair aciIdentityKeyPair = Curve.generateKeyPair();
+    final ECKeyPair pniIdentityKeyPair = Curve.generateKeyPair();
+
+    // register account
+    final RegistrationRequest registrationRequest = new RegistrationRequest(null,
+        registrationPassword,
+        accountAttributes,
+        true,
+        new IdentityKey(aciIdentityKeyPair.getPublicKey()),
+        new IdentityKey(pniIdentityKeyPair.getPublicKey()),
+        generateSignedECPreKey(1, aciIdentityKeyPair),
+        generateSignedECPreKey(2, pniIdentityKeyPair),
+        generateSignedKEMPreKey(3, aciIdentityKeyPair),
+        generateSignedKEMPreKey(4, pniIdentityKeyPair),
+        Optional.empty(),
+        Optional.empty());
+
+    final AccountIdentityResponse registrationResponse = apiPost("/v1/registration", registrationRequest)
+        .authorized(number, accountPassword)
+        .executeExpectSuccess(AccountIdentityResponse.class);
+
+    user.setAciUuid(registrationResponse.uuid());
+    user.setPniUuid(registrationResponse.pni());
+
+    return user;
+  }
+
+  public record PrescribedVerificationNumber(String number, String verificationCode) {}
+  public static PrescribedVerificationNumber prescribedVerificationNumber() {
+      return new PrescribedVerificationNumber(
+          CONFIG.prescribedRegistrationNumber(),
+          CONFIG.prescribedRegistrationCode());
+  }
+
+  public static void deleteUser(final TestUser user) {
+    apiDelete("/v1/accounts/me").authorized(user).executeExpectSuccess();
+  }
+
+  public static String peekVerificationSessionPushChallenge(final String sessionId) {
+    return INTEGRATION_TOOLS.peekVerificationSessionPushChallenge(sessionId).join()
+        .orElseThrow(() -> new RuntimeException("push challenge not found for the verification session"));
+  }
+
+  public static <T> T sendEmptyRequestAuthenticated(
+      final String endpoint,
+      final String method,
+      final String username,
+      final String password,
+      final Class<T> outputType) {
+    try {
+      final HttpRequest request = HttpRequest.newBuilder()
+          .uri(serverUri(endpoint, Collections.emptyList()))
+          .method(method, HttpRequest.BodyPublishers.noBody())
+          .header(HttpHeaders.AUTHORIZATION, HeaderUtils.basicAuthHeader(username, password))
+          .header(HttpHeaders.CONTENT_TYPE, "application/json")
+          .build();
+      return CLIENT.sendAsync(request, HttpResponse.BodyHandlers.ofString(StandardCharsets.UTF_8))
+          .whenComplete((response, error) -> {
+            if (error != null) {
+              logger.error("request error", error);
+              error.printStackTrace();
+            } else {
+              logger.info("response: {}", response.statusCode());
+              System.out.println("response: " + response.statusCode() + ", " + response.body());
+            }
+          })
+          .thenApply(response -> {
+            try {
+              return outputType.equals(Void.class)
+                  ? null
+                  : SystemMapper.jsonMapper().readValue(response.body(), outputType);
+            } catch (final IOException e) {
+              throw new RuntimeException(e);
+            }
+          })
+          .get();
+    } catch (final Exception e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  private static byte[] randomBytes(int numBytes) {
+    final byte[] bytes = new byte[numBytes];
+    new SecureRandom().nextBytes(bytes);
+    return bytes;
+  }
+
+  public static RequestBuilder apiGet(final String endpoint) {
+    return new RequestBuilder(HttpRequest.newBuilder().GET(), endpoint);
+  }
+
+  public static RequestBuilder apiDelete(final String endpoint) {
+    return new RequestBuilder(HttpRequest.newBuilder().DELETE(), endpoint);
+  }
+
+  public static <R> RequestBuilder apiPost(final String endpoint, final R input) {
+    return RequestBuilder.withJsonBody(endpoint, "POST", input);
+  }
+
+  public static <R> RequestBuilder apiPut(final String endpoint, final R input) {
+    return RequestBuilder.withJsonBody(endpoint, "PUT", input);
+  }
+
+  public static <R> RequestBuilder apiPatch(final String endpoint, final R input) {
+    return RequestBuilder.withJsonBody(endpoint, "PATCH", input);
+  }
+
+  private static URI serverUri(final String endpoint, final List<String> queryParams) {
+    final String query = queryParams.isEmpty()
+        ? StringUtils.EMPTY
+        : "?" + String.join("&", queryParams);
+    return URI.create("https://" + CONFIG.domain() + endpoint + query);
+  }
+
+  public static class RequestBuilder {
+
+    private final HttpRequest.Builder builder;
+
+    private final String endpoint;
+
+    private final List<String> queryParams = new ArrayList<>();
+
+
+    private RequestBuilder(final HttpRequest.Builder builder, final String endpoint) {
+      this.builder = builder;
+      this.endpoint = endpoint;
+    }
+
+    private static <R> RequestBuilder withJsonBody(final String endpoint, final String method, final R input) {
+      try {
+        final byte[] body = SystemMapper.jsonMapper().writeValueAsBytes(input);
+        return new RequestBuilder(HttpRequest.newBuilder()
+            .header(HttpHeaders.CONTENT_TYPE, "application/json")
+            .method(method, HttpRequest.BodyPublishers.ofByteArray(body)), endpoint);
+      } catch (final JsonProcessingException e) {
+        throw new RuntimeException(e);
+      }
+    }
+
+    public RequestBuilder authorized(final TestUser user) {
+      return authorized(user, Device.PRIMARY_ID);
+    }
+
+    public RequestBuilder authorized(final TestUser user, final byte deviceId) {
+      final String username = "%s.%d".formatted(user.aciUuid().toString(), deviceId);
+      return authorized(username, user.accountPassword());
+    }
+
+    public RequestBuilder authorized(final String username, final String password) {
+      builder.header(HttpHeaders.AUTHORIZATION, HeaderUtils.basicAuthHeader(username, password));
+      return this;
+    }
+
+    public RequestBuilder queryParam(final String key, final String value) {
+      queryParams.add("%s=%s".formatted(key, value));
+      return this;
+    }
+
+    public RequestBuilder header(final String name, final String value) {
+      builder.header(name, value);
+      return this;
+    }
+
+    public Pair<Integer, Void> execute() {
+      return execute(Void.class);
+    }
+
+    public Pair<Integer, Void> executeExpectSuccess() {
+      final Pair<Integer, Void> execute = execute();
+      Validate.isTrue(
+          execute.getLeft() >= 200 && execute.getLeft() < 300,
+          "Unexpected response code: %d",
+          execute.getLeft());
+      return execute;
+    }
+
+    public <T> T executeExpectSuccess(final Class<T> expectedType) {
+      final Pair<Integer, T> execute = execute(expectedType);
+      return requireNonNull(execute.getRight());
+    }
+
+    public void executeExpectStatusCode(final int expectedStatusCode) {
+      final Pair<Integer, Void> execute = execute(Void.class);
+      Validate.isTrue(
+          execute.getLeft() == expectedStatusCode,
+          "Unexpected response code: %d",
+          execute.getLeft()
+      );
+    }
+
+    public <T> Pair<Integer, T> execute(final Class<T> expectedType) {
+      builder.uri(serverUri(endpoint, queryParams))
+          .header(HttpHeaders.USER_AGENT, USER_AGENT);
+      return CLIENT.sendAsync(builder.build(), HttpResponse.BodyHandlers.ofString(StandardCharsets.UTF_8))
+          .whenComplete((response, error) -> {
+            if (error != null) {
+              logger.error("request error", error);
+              error.printStackTrace();
+            }
+          })
+          .thenApply(response -> {
+            try {
+              final T result = expectedType.equals(Void.class)
+                  ? null
+                  : SystemMapper.jsonMapper().readValue(response.body(), expectedType);
+              return Pair.of(response.statusCode(), result);
+            } catch (final IOException e) {
+              throw new RuntimeException(e);
+            }
+          })
+          .join();
+    }
+  }
+
+  private static FaultTolerantHttpClient buildClient() {
+    try {
+      return FaultTolerantHttpClient.newBuilder()
+          .withName("integration-test")
+          .withExecutor(Executors.newFixedThreadPool(16))
+          .withRetryExecutor(Executors.newSingleThreadScheduledExecutor())
+          .withCircuitBreaker(new CircuitBreakerConfiguration())
+          .withTrustedServerCertificates(CONFIG.rootCert())
+          .build();
+    } catch (final CertificateException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  private static Config loadConfigFromClasspath(final String filename) {
+    try {
+      final URL configFileUrl = Resources.getResource(filename);
+      return SystemMapper.yamlMapper().readValue(Resources.toByteArray(configFileUrl), Config.class);
+    } catch (final IOException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  private static ECSignedPreKey generateSignedECPreKey(long id, final ECKeyPair identityKeyPair) {
+    final ECPublicKey pubKey = Curve.generateKeyPair().getPublicKey();
+    final byte[] sig = identityKeyPair.getPrivateKey().calculateSignature(pubKey.serialize());
+    return new ECSignedPreKey(id, pubKey, sig);
+  }
+
+  private static KEMSignedPreKey generateSignedKEMPreKey(long id, final ECKeyPair identityKeyPair) {
+    final KEMPublicKey pubKey = KEMKeyPair.generate(KEMKeyType.KYBER_1024).getPublicKey();
+    final byte[] sig = identityKeyPair.getPrivateKey().calculateSignature(pubKey.serialize());
+    return new KEMSignedPreKey(id, pubKey, sig);
+  }
+}

integration-tests/src/main/java/org/signal/integration/TestDevice.java

@@ -0,0 +1,64 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import org.apache.commons.lang3.tuple.Pair;
+import org.signal.libsignal.protocol.IdentityKeyPair;
+import org.signal.libsignal.protocol.InvalidKeyException;
+import org.signal.libsignal.protocol.ecc.Curve;
+import org.signal.libsignal.protocol.ecc.ECKeyPair;
+import org.signal.libsignal.protocol.state.SignedPreKeyRecord;
+
+public class TestDevice {
+
+  private final byte deviceId;
+
+  private final Map<Integer, Pair<IdentityKeyPair, SignedPreKeyRecord>> signedPreKeys = new ConcurrentHashMap<>();
+
+
+  public static TestDevice create(
+      final byte deviceId,
+      final IdentityKeyPair aciIdentityKeyPair,
+      final IdentityKeyPair pniIdentityKeyPair) {
+    final TestDevice device = new TestDevice(deviceId);
+    device.addSignedPreKey(aciIdentityKeyPair);
+    device.addSignedPreKey(pniIdentityKeyPair);
+    return device;
+  }
+
+  public TestDevice(final byte deviceId) {
+    this.deviceId = deviceId;
+  }
+
+  public byte deviceId() {
+    return deviceId;
+  }
+
+  public SignedPreKeyRecord latestSignedPreKey(final IdentityKeyPair identity) {
+    final int id = signedPreKeys.entrySet()
+        .stream()
+        .filter(p -> p.getValue().getLeft().equals(identity))
+        .mapToInt(Map.Entry::getKey)
+        .max()
+        .orElseThrow();
+    return signedPreKeys.get(id).getRight();
+  }
+
+  public SignedPreKeyRecord addSignedPreKey(final IdentityKeyPair identity) {
+    try {
+      final int nextId = signedPreKeys.keySet().stream().mapToInt(k -> k + 1).max().orElse(0);
+      final ECKeyPair keyPair = Curve.generateKeyPair();
+      final byte[] signature = Curve.calculateSignature(identity.getPrivateKey(), keyPair.getPublicKey().serialize());
+      final SignedPreKeyRecord signedPreKeyRecord = new SignedPreKeyRecord(nextId, System.currentTimeMillis(), keyPair, signature);
+      signedPreKeys.put(nextId, Pair.of(identity, signedPreKeyRecord));
+      return signedPreKeyRecord;
+    } catch (InvalidKeyException e) {
+      throw new RuntimeException(e);
+    }
+  }
+}

integration-tests/src/main/java/org/signal/integration/TestUser.java

@@ -0,0 +1,192 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import static java.util.Objects.requireNonNull;
+
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import java.security.SecureRandom;
+import java.nio.charset.StandardCharsets;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import java.util.UUID;
+import java.util.concurrent.ConcurrentHashMap;
+import org.signal.libsignal.protocol.IdentityKey;
+import org.signal.libsignal.protocol.IdentityKeyPair;
+import org.signal.libsignal.protocol.ecc.ECPublicKey;
+import org.signal.libsignal.protocol.state.SignedPreKeyRecord;
+import org.signal.libsignal.protocol.util.KeyHelper;
+import org.whispersystems.textsecuregcm.auth.UnidentifiedAccessUtil;
+import org.whispersystems.textsecuregcm.entities.AccountAttributes;
+import org.whispersystems.textsecuregcm.storage.Device;
+
+public class TestUser {
+
+  private final int registrationId;
+
+  private final int pniRegistrationId;
+
+  private final IdentityKeyPair aciIdentityKey;
+
+  private final Map<Byte, TestDevice> devices = new ConcurrentHashMap<>();
+
+  private final byte[] unidentifiedAccessKey;
+
+  private String phoneNumber;
+
+  private IdentityKeyPair pniIdentityKey;
+
+  private String accountPassword;
+
+  private byte[] registrationPassword;
+
+  private UUID aciUuid;
+
+  private UUID pniUuid;
+
+
+  public static TestUser create(final String phoneNumber, final String accountPassword, final byte[] registrationPassword) {
+    // ACI identity key pair
+    final IdentityKeyPair aciIdentityKey = IdentityKeyPair.generate();
+    // PNI identity key pair
+    final IdentityKeyPair pniIdentityKey = IdentityKeyPair.generate();
+    // registration id
+    final int registrationId = KeyHelper.generateRegistrationId(false);
+    final int pniRegistrationId = KeyHelper.generateRegistrationId(false);
+    // uak
+    final byte[] unidentifiedAccessKey = new byte[UnidentifiedAccessUtil.UNIDENTIFIED_ACCESS_KEY_LENGTH];
+    new SecureRandom().nextBytes(unidentifiedAccessKey);
+
+    return new TestUser(
+        registrationId,
+        pniRegistrationId,
+        aciIdentityKey,
+        phoneNumber,
+        pniIdentityKey,
+        unidentifiedAccessKey,
+        accountPassword,
+        registrationPassword);
+  }
+
+  public TestUser(
+      final int registrationId,
+      final int pniRegistrationId,
+      final IdentityKeyPair aciIdentityKey,
+      final String phoneNumber,
+      final IdentityKeyPair pniIdentityKey,
+      final byte[] unidentifiedAccessKey,
+      final String accountPassword,
+      final byte[] registrationPassword) {
+    this.registrationId = registrationId;
+    this.pniRegistrationId = pniRegistrationId;
+    this.aciIdentityKey = aciIdentityKey;
+    this.phoneNumber = phoneNumber;
+    this.pniIdentityKey = pniIdentityKey;
+    this.unidentifiedAccessKey = unidentifiedAccessKey;
+    this.accountPassword = accountPassword;
+    this.registrationPassword = registrationPassword;
+    devices.put(Device.PRIMARY_ID, TestDevice.create(Device.PRIMARY_ID, aciIdentityKey, pniIdentityKey));
+  }
+
+  public int registrationId() {
+    return registrationId;
+  }
+
+  public IdentityKeyPair aciIdentityKey() {
+    return aciIdentityKey;
+  }
+
+  public String phoneNumber() {
+    return phoneNumber;
+  }
+
+  public IdentityKeyPair pniIdentityKey() {
+    return pniIdentityKey;
+  }
+
+  public String accountPassword() {
+    return accountPassword;
+  }
+
+  public byte[] registrationPassword() {
+    return registrationPassword;
+  }
+
+  public UUID aciUuid() {
+    return aciUuid;
+  }
+
+  public UUID pniUuid() {
+    return pniUuid;
+  }
+
+  public AccountAttributes accountAttributes() {
+    return new AccountAttributes(true, registrationId, pniRegistrationId, "".getBytes(StandardCharsets.UTF_8), "", true, new Device.DeviceCapabilities(false, false, false))
+        .withUnidentifiedAccessKey(unidentifiedAccessKey)
+        .withRecoveryPassword(registrationPassword);
+  }
+
+  public void setAciUuid(final UUID aciUuid) {
+    this.aciUuid = aciUuid;
+  }
+
+  public void setPniUuid(final UUID pniUuid) {
+    this.pniUuid = pniUuid;
+  }
+
+  public void setPhoneNumber(final String phoneNumber) {
+    this.phoneNumber = phoneNumber;
+  }
+
+  public void setPniIdentityKey(final IdentityKeyPair pniIdentityKey) {
+    this.pniIdentityKey = pniIdentityKey;
+  }
+
+  public void setAccountPassword(final String accountPassword) {
+    this.accountPassword = accountPassword;
+  }
+
+  public void setRegistrationPassword(final byte[] registrationPassword) {
+    this.registrationPassword = registrationPassword;
+  }
+
+  public PreKeySetPublicView preKeys(final byte deviceId, final boolean pni) {
+    final IdentityKeyPair identity = pni
+        ? pniIdentityKey
+        : aciIdentityKey;
+    final TestDevice device = requireNonNull(devices.get(deviceId));
+    final SignedPreKeyRecord signedPreKeyRecord = device.latestSignedPreKey(identity);
+    return new PreKeySetPublicView(
+        Collections.emptyList(),
+        identity.getPublicKey(),
+        new SignedPreKeyPublicView(
+            signedPreKeyRecord.getId(),
+            signedPreKeyRecord.getKeyPair().getPublicKey(),
+            signedPreKeyRecord.getSignature()
+        )
+    );
+  }
+
+  public record SignedPreKeyPublicView(
+      int keyId,
+      @JsonSerialize(using = Codecs.ECPublicKeySerializer.class)
+      @JsonDeserialize(using = Codecs.ECPublicKeyDeserializer.class)
+      ECPublicKey publicKey,
+      @JsonSerialize(using = Codecs.ByteArraySerializer.class)
+      @JsonDeserialize(using = Codecs.ByteArrayDeserializer.class)
+      byte[] signature) {
+  }
+
+  public record PreKeySetPublicView(
+      List<String> preKeys,
+      @JsonSerialize(using = Codecs.IdentityKeySerializer.class)
+      @JsonDeserialize(using = Codecs.IdentityKeyDeserializer.class)
+      IdentityKey identityKey,
+      SignedPreKeyPublicView signedPreKey) {
+  }
+}

integration-tests/src/main/java/org/signal/integration/config/Config.java

@@ -0,0 +1,16 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration.config;
+
+import org.whispersystems.textsecuregcm.configuration.DynamoDbClientConfiguration;
+
+public record Config(String domain,
+                     String rootCert,
+                     DynamoDbClientConfiguration dynamoDbClientConfiguration,
+                     DynamoDbTables dynamoDbTables,
+                     String prescribedRegistrationNumber,
+                     String prescribedRegistrationCode) {
+}

integration-tests/src/main/java/org/signal/integration/config/DynamoDbTables.java

@@ -0,0 +1,10 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration.config;
+
+public record DynamoDbTables(String registrationRecovery,
+                             String verificationSessions) {
+}

integration-tests/src/test/java/org/signal/integration/AccountTest.java

@@ -0,0 +1,123 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import java.util.Arrays;
+import java.util.Base64;
+import java.util.List;
+import org.apache.commons.lang3.tuple.Pair;
+import org.apache.http.HttpStatus;
+import org.junit.jupiter.api.Test;
+import org.signal.libsignal.usernames.BaseUsernameException;
+import org.signal.libsignal.usernames.Username;
+import org.whispersystems.textsecuregcm.entities.AccountIdentifierResponse;
+import org.whispersystems.textsecuregcm.entities.AccountIdentityResponse;
+import org.whispersystems.textsecuregcm.entities.ConfirmUsernameHashRequest;
+import org.whispersystems.textsecuregcm.entities.ReserveUsernameHashRequest;
+import org.whispersystems.textsecuregcm.entities.ReserveUsernameHashResponse;
+import org.whispersystems.textsecuregcm.entities.UsernameHashResponse;
+import org.whispersystems.textsecuregcm.identity.AciServiceIdentifier;
+
+public class AccountTest {
+
+  @Test
+  public void testCreateAccount() throws Exception {
+    final TestUser user = Operations.newRegisteredUser("+19995550101");
+    try {
+      final Pair<Integer, AccountIdentityResponse> execute = Operations.apiGet("/v1/accounts/whoami")
+          .authorized(user)
+          .execute(AccountIdentityResponse.class);
+      assertEquals(HttpStatus.SC_OK, execute.getLeft());
+    } finally {
+      Operations.deleteUser(user);
+    }
+  }
+
+  @Test
+  public void testCreateAccountAtomic() throws Exception {
+    final TestUser user = Operations.newRegisteredUser("+19995550201");
+    try {
+      final Pair<Integer, AccountIdentityResponse> execute = Operations.apiGet("/v1/accounts/whoami")
+          .authorized(user)
+          .execute(AccountIdentityResponse.class);
+      assertEquals(HttpStatus.SC_OK, execute.getLeft());
+    } finally {
+      Operations.deleteUser(user);
+    }
+  }
+
+  @Test
+  public void testUsernameOperations() throws Exception {
+    final TestUser user = Operations.newRegisteredUser("+19995550102");
+    try {
+      verifyFullUsernameLifecycle(user);
+      // no do it again to check changing usernames
+      verifyFullUsernameLifecycle(user);
+    } finally {
+      Operations.deleteUser(user);
+    }
+  }
+
+  private static void verifyFullUsernameLifecycle(final TestUser user) throws BaseUsernameException {
+    final String preferred = "test";
+    final List<Username> candidates = Username.candidatesFrom(preferred, preferred.length(), preferred.length() + 1);
+
+    // reserve a username
+    final ReserveUsernameHashRequest reserveUsernameHashRequest = new ReserveUsernameHashRequest(
+        candidates.stream().map(Username::getHash).toList());
+    // try unauthorized
+    Operations
+        .apiPut("/v1/accounts/username_hash/reserve", reserveUsernameHashRequest)
+        .executeExpectStatusCode(HttpStatus.SC_UNAUTHORIZED);
+
+    final ReserveUsernameHashResponse reserveUsernameHashResponse = Operations
+        .apiPut("/v1/accounts/username_hash/reserve", reserveUsernameHashRequest)
+        .authorized(user)
+        .executeExpectSuccess(ReserveUsernameHashResponse.class);
+
+    // find which one is the reserved username
+    final byte[] reservedHash = reserveUsernameHashResponse.usernameHash();
+    final Username reservedUsername = candidates.stream()
+        .filter(u -> Arrays.equals(u.getHash(), reservedHash))
+        .findAny()
+        .orElseThrow();
+
+    // confirm a username
+   final ConfirmUsernameHashRequest confirmUsernameHashRequest = new ConfirmUsernameHashRequest(
+        reservedUsername.getHash(),
+        reservedUsername.generateProof(),
+        "cluck cluck i'm a parrot".getBytes()
+    );
+    // try unauthorized
+    Operations
+        .apiPut("/v1/accounts/username_hash/confirm", confirmUsernameHashRequest)
+        .executeExpectStatusCode(HttpStatus.SC_UNAUTHORIZED);
+    Operations
+        .apiPut("/v1/accounts/username_hash/confirm", confirmUsernameHashRequest)
+        .authorized(user)
+        .executeExpectSuccess(UsernameHashResponse.class);
+
+
+    // lookup username
+    final AccountIdentifierResponse accountIdentifierResponse = Operations
+        .apiGet("/v1/accounts/username_hash/" + Base64.getUrlEncoder().encodeToString(reservedHash))
+        .executeExpectSuccess(AccountIdentifierResponse.class);
+    assertEquals(new AciServiceIdentifier(user.aciUuid()), accountIdentifierResponse.uuid());
+    // try authorized
+    Operations
+        .apiGet("/v1/accounts/username_hash/" + Base64.getUrlEncoder().encodeToString(reservedHash))
+        .authorized(user)
+        .executeExpectStatusCode(HttpStatus.SC_BAD_REQUEST);
+
+    // delete username
+    Operations
+        .apiDelete("/v1/accounts/username_hash")
+        .authorized(user)
+        .executeExpectSuccess();
+  }
+}

integration-tests/src/test/java/org/signal/integration/MessagingTest.java

@@ -0,0 +1,50 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.List;
+import org.apache.commons.lang3.tuple.Pair;
+import org.junit.jupiter.api.Test;
+import org.whispersystems.textsecuregcm.entities.IncomingMessage;
+import org.whispersystems.textsecuregcm.entities.IncomingMessageList;
+import org.whispersystems.textsecuregcm.entities.OutgoingMessageEntityList;
+import org.whispersystems.textsecuregcm.entities.SendMessageResponse;
+import org.whispersystems.textsecuregcm.storage.Device;
+
+public class MessagingTest {
+
+  @Test
+  public void testSendMessageUnsealed() {
+    final TestUser userA = Operations.newRegisteredUser("+19995550102");
+    final TestUser userB = Operations.newRegisteredUser("+19995550103");
+
+    try {
+      final byte[] expectedContent = "Hello, World!".getBytes(StandardCharsets.UTF_8);
+      final String contentBase64 = Base64.getEncoder().encodeToString(expectedContent);
+      final IncomingMessage message = new IncomingMessage(1, Device.PRIMARY_ID, userB.registrationId(), contentBase64);
+      final IncomingMessageList messages = new IncomingMessageList(List.of(message), false, true, System.currentTimeMillis());
+
+      final Pair<Integer, SendMessageResponse> sendMessage = Operations
+          .apiPut("/v1/messages/%s".formatted(userB.aciUuid().toString()), messages)
+          .authorized(userA)
+          .execute(SendMessageResponse.class);
+
+      final Pair<Integer, OutgoingMessageEntityList> receiveMessages = Operations.apiGet("/v1/messages")
+          .authorized(userB)
+          .execute(OutgoingMessageEntityList.class);
+
+      final byte[] actualContent = receiveMessages.getRight().messages().get(0).content();
+      assertArrayEquals(expectedContent, actualContent);
+    } finally {
+      Operations.deleteUser(userA);
+      Operations.deleteUser(userB);
+    }
+  }
+}

integration-tests/src/test/java/org/signal/integration/RegistrationTest.java

@@ -0,0 +1,58 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.whispersystems.textsecuregcm.entities.CreateVerificationSessionRequest;
+import org.whispersystems.textsecuregcm.entities.SubmitVerificationCodeRequest;
+import org.whispersystems.textsecuregcm.entities.UpdateVerificationSessionRequest;
+import org.whispersystems.textsecuregcm.entities.VerificationCodeRequest;
+import org.whispersystems.textsecuregcm.entities.VerificationSessionResponse;
+
+public class RegistrationTest {
+
+  @Test
+  public void testRegistration() throws Exception {
+    final UpdateVerificationSessionRequest originalRequest = new UpdateVerificationSessionRequest(
+        "test", UpdateVerificationSessionRequest.PushTokenType.FCM, null, null, null, null);
+
+    final Operations.PrescribedVerificationNumber params = Operations.prescribedVerificationNumber();
+    final CreateVerificationSessionRequest input = new CreateVerificationSessionRequest(params.number(),
+        originalRequest);
+
+    final VerificationSessionResponse verificationSessionResponse = Operations
+        .apiPost("/v1/verification/session", input)
+        .executeExpectSuccess(VerificationSessionResponse.class);
+
+    final String sessionId = verificationSessionResponse.id();
+    final String pushChallenge = Operations.peekVerificationSessionPushChallenge(sessionId);
+
+    // supply push challenge
+    final UpdateVerificationSessionRequest updatedRequest = new UpdateVerificationSessionRequest(
+        "test", UpdateVerificationSessionRequest.PushTokenType.FCM, pushChallenge, null, null, null);
+    final VerificationSessionResponse pushChallengeSupplied = Operations
+        .apiPatch("/v1/verification/session/%s".formatted(sessionId), updatedRequest)
+        .executeExpectSuccess(VerificationSessionResponse.class);
+
+    Assertions.assertTrue(pushChallengeSupplied.allowedToRequestCode());
+
+    // request code
+    final VerificationCodeRequest verificationCodeRequest = new VerificationCodeRequest(
+        VerificationCodeRequest.Transport.SMS, "android-ng");
+
+    final VerificationSessionResponse codeRequested = Operations
+        .apiPost("/v1/verification/session/%s/code".formatted(sessionId), verificationCodeRequest)
+        .executeExpectSuccess(VerificationSessionResponse.class);
+
+    // verify code
+    final SubmitVerificationCodeRequest submitVerificationCodeRequest = new SubmitVerificationCodeRequest(
+        params.verificationCode());
+    final VerificationSessionResponse codeVerified = Operations
+        .apiPut("/v1/verification/session/%s/code".formatted(sessionId), submitVerificationCodeRequest)
+        .executeExpectSuccess(VerificationSessionResponse.class);
+  }
+}

mvnw

@@ -0,0 +1,308 @@
+#!/bin/sh
+# ----------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+# ----------------------------------------------------------------------------
+
+# ----------------------------------------------------------------------------
+# Apache Maven Wrapper startup batch script, version 3.2.0
+#
+# Required ENV vars:
+# ------------------
+#   JAVA_HOME - location of a JDK home dir
+#
+# Optional ENV vars
+# -----------------
+#   MAVEN_OPTS - parameters passed to the Java VM when running Maven
+#     e.g. to debug Maven itself, use
+#       set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
+#   MAVEN_SKIP_RC - flag to disable loading of mavenrc files
+# ----------------------------------------------------------------------------
+
+if [ -z "$MAVEN_SKIP_RC" ] ; then
+
+  if [ -f /usr/local/etc/mavenrc ] ; then
+    . /usr/local/etc/mavenrc
+  fi
+
+  if [ -f /etc/mavenrc ] ; then
+    . /etc/mavenrc
+  fi
+
+  if [ -f "$HOME/.mavenrc" ] ; then
+    . "$HOME/.mavenrc"
+  fi
+
+fi
+
+# OS specific support.  $var _must_ be set to either true or false.
+cygwin=false;
+darwin=false;
+mingw=false
+case "$(uname)" in
+  CYGWIN*) cygwin=true ;;
+  MINGW*) mingw=true;;
+  Darwin*) darwin=true
+    # Use /usr/libexec/java_home if available, otherwise fall back to /Library/Java/Home
+    # See https://developer.apple.com/library/mac/qa/qa1170/_index.html
+    if [ -z "$JAVA_HOME" ]; then
+      if [ -x "/usr/libexec/java_home" ]; then
+        JAVA_HOME="$(/usr/libexec/java_home)"; export JAVA_HOME
+      else
+        JAVA_HOME="/Library/Java/Home"; export JAVA_HOME
+      fi
+    fi
+    ;;
+esac
+
+if [ -z "$JAVA_HOME" ] ; then
+  if [ -r /etc/gentoo-release ] ; then
+    JAVA_HOME=$(java-config --jre-home)
+  fi
+fi
+
+# For Cygwin, ensure paths are in UNIX format before anything is touched
+if $cygwin ; then
+  [ -n "$JAVA_HOME" ] &&
+    JAVA_HOME=$(cygpath --unix "$JAVA_HOME")
+  [ -n "$CLASSPATH" ] &&
+    CLASSPATH=$(cygpath --path --unix "$CLASSPATH")
+fi
+
+# For Mingw, ensure paths are in UNIX format before anything is touched
+if $mingw ; then
+  [ -n "$JAVA_HOME" ] && [ -d "$JAVA_HOME" ] &&
+    JAVA_HOME="$(cd "$JAVA_HOME" || (echo "cannot cd into $JAVA_HOME."; exit 1); pwd)"
+fi
+
+if [ -z "$JAVA_HOME" ]; then
+  javaExecutable="$(which javac)"
+  if [ -n "$javaExecutable" ] && ! [ "$(expr "\"$javaExecutable\"" : '\([^ ]*\)')" = "no" ]; then
+    # readlink(1) is not available as standard on Solaris 10.
+    readLink=$(which readlink)
+    if [ ! "$(expr "$readLink" : '\([^ ]*\)')" = "no" ]; then
+      if $darwin ; then
+        javaHome="$(dirname "\"$javaExecutable\"")"
+        javaExecutable="$(cd "\"$javaHome\"" && pwd -P)/javac"
+      else
+        javaExecutable="$(readlink -f "\"$javaExecutable\"")"
+      fi
+      javaHome="$(dirname "\"$javaExecutable\"")"
+      javaHome=$(expr "$javaHome" : '\(.*\)/bin')
+      JAVA_HOME="$javaHome"
+      export JAVA_HOME
+    fi
+  fi
+fi
+
+if [ -z "$JAVACMD" ] ; then
+  if [ -n "$JAVA_HOME"  ] ; then
+    if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
+      # IBM's JDK on AIX uses strange locations for the executables
+      JAVACMD="$JAVA_HOME/jre/sh/java"
+    else
+      JAVACMD="$JAVA_HOME/bin/java"
+    fi
+  else
+    JAVACMD="$(\unset -f command 2>/dev/null; \command -v java)"
+  fi
+fi
+
+if [ ! -x "$JAVACMD" ] ; then
+  echo "Error: JAVA_HOME is not defined correctly." >&2
+  echo "  We cannot execute $JAVACMD" >&2
+  exit 1
+fi
+
+if [ -z "$JAVA_HOME" ] ; then
+  echo "Warning: JAVA_HOME environment variable is not set."
+fi
+
+# traverses directory structure from process work directory to filesystem root
+# first directory with .mvn subdirectory is considered project base directory
+find_maven_basedir() {
+  if [ -z "$1" ]
+  then
+    echo "Path not specified to find_maven_basedir"
+    return 1
+  fi
+
+  basedir="$1"
+  wdir="$1"
+  while [ "$wdir" != '/' ] ; do
+    if [ -d "$wdir"/.mvn ] ; then
+      basedir=$wdir
+      break
+    fi
+    # workaround for JBEAP-8937 (on Solaris 10/Sparc)
+    if [ -d "${wdir}" ]; then
+      wdir=$(cd "$wdir/.." || exit 1; pwd)
+    fi
+    # end of workaround
+  done
+  printf '%s' "$(cd "$basedir" || exit 1; pwd)"
+}
+
+# concatenates all lines of a file
+concat_lines() {
+  if [ -f "$1" ]; then
+    # Remove \r in case we run on Windows within Git Bash
+    # and check out the repository with auto CRLF management
+    # enabled. Otherwise, we may read lines that are delimited with
+    # \r\n and produce $'-Xarg\r' rather than -Xarg due to word
+    # splitting rules.
+    tr -s '\r\n' ' ' < "$1"
+  fi
+}
+
+log() {
+  if [ "$MVNW_VERBOSE" = true ]; then
+    printf '%s\n' "$1"
+  fi
+}
+
+BASE_DIR=$(find_maven_basedir "$(dirname "$0")")
+if [ -z "$BASE_DIR" ]; then
+  exit 1;
+fi
+
+MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"}; export MAVEN_PROJECTBASEDIR
+log "$MAVEN_PROJECTBASEDIR"
+
+##########################################################################################
+# Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
+# This allows using the maven wrapper in projects that prohibit checking in binary data.
+##########################################################################################
+wrapperJarPath="$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar"
+if [ -r "$wrapperJarPath" ]; then
+    log "Found $wrapperJarPath"
+else
+    log "Couldn't find $wrapperJarPath, downloading it ..."
+
+    if [ -n "$MVNW_REPOURL" ]; then
+      wrapperUrl="$MVNW_REPOURL/org/apache/maven/wrapper/maven-wrapper/3.2.0/maven-wrapper-3.2.0.jar"
+    else
+      wrapperUrl="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.2.0/maven-wrapper-3.2.0.jar"
+    fi
+    while IFS="=" read -r key value; do
+      # Remove '\r' from value to allow usage on windows as IFS does not consider '\r' as a separator ( considers space, tab, new line ('\n'), and custom '=' )
+      safeValue=$(echo "$value" | tr -d '\r')
+      case "$key" in (wrapperUrl) wrapperUrl="$safeValue"; break ;;
+      esac
+    done < "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.properties"
+    log "Downloading from: $wrapperUrl"
+
+    if $cygwin; then
+      wrapperJarPath=$(cygpath --path --windows "$wrapperJarPath")
+    fi
+
+    if command -v wget > /dev/null; then
+        log "Found wget ... using wget"
+        [ "$MVNW_VERBOSE" = true ] && QUIET="" || QUIET="--quiet"
+        if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
+            wget $QUIET "$wrapperUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath"
+        else
+            wget $QUIET --http-user="$MVNW_USERNAME" --http-password="$MVNW_PASSWORD" "$wrapperUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath"
+        fi
+    elif command -v curl > /dev/null; then
+        log "Found curl ... using curl"
+        [ "$MVNW_VERBOSE" = true ] && QUIET="" || QUIET="--silent"
+        if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
+            curl $QUIET -o "$wrapperJarPath" "$wrapperUrl" -f -L || rm -f "$wrapperJarPath"
+        else
+            curl $QUIET --user "$MVNW_USERNAME:$MVNW_PASSWORD" -o "$wrapperJarPath" "$wrapperUrl" -f -L || rm -f "$wrapperJarPath"
+        fi
+    else
+        log "Falling back to using Java to download"
+        javaSource="$MAVEN_PROJECTBASEDIR/.mvn/wrapper/MavenWrapperDownloader.java"
+        javaClass="$MAVEN_PROJECTBASEDIR/.mvn/wrapper/MavenWrapperDownloader.class"
+        # For Cygwin, switch paths to Windows format before running javac
+        if $cygwin; then
+          javaSource=$(cygpath --path --windows "$javaSource")
+          javaClass=$(cygpath --path --windows "$javaClass")
+        fi
+        if [ -e "$javaSource" ]; then
+            if [ ! -e "$javaClass" ]; then
+                log " - Compiling MavenWrapperDownloader.java ..."
+                ("$JAVA_HOME/bin/javac" "$javaSource")
+            fi
+            if [ -e "$javaClass" ]; then
+                log " - Running MavenWrapperDownloader.java ..."
+                ("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$wrapperUrl" "$wrapperJarPath") || rm -f "$wrapperJarPath"
+            fi
+        fi
+    fi
+fi
+##########################################################################################
+# End of extension
+##########################################################################################
+
+# If specified, validate the SHA-256 sum of the Maven wrapper jar file
+wrapperSha256Sum=""
+while IFS="=" read -r key value; do
+  case "$key" in (wrapperSha256Sum) wrapperSha256Sum=$value; break ;;
+  esac
+done < "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.properties"
+if [ -n "$wrapperSha256Sum" ]; then
+  wrapperSha256Result=false
+  if command -v sha256sum > /dev/null; then
+    if echo "$wrapperSha256Sum  $wrapperJarPath" | sha256sum -c > /dev/null 2>&1; then
+      wrapperSha256Result=true
+    fi
+  elif command -v shasum > /dev/null; then
+    if echo "$wrapperSha256Sum  $wrapperJarPath" | shasum -a 256 -c > /dev/null 2>&1; then
+      wrapperSha256Result=true
+    fi
+  else
+    echo "Checksum validation was requested but neither 'sha256sum' or 'shasum' are available."
+    echo "Please install either command, or disable validation by removing 'wrapperSha256Sum' from your maven-wrapper.properties."
+    exit 1
+  fi
+  if [ $wrapperSha256Result = false ]; then
+    echo "Error: Failed to validate Maven wrapper SHA-256, your Maven wrapper might be compromised." >&2
+    echo "Investigate or delete $wrapperJarPath to attempt a clean download." >&2
+    echo "If you updated your Maven version, you need to update the specified wrapperSha256Sum property." >&2
+    exit 1
+  fi
+fi
+
+MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS"
+
+# For Cygwin, switch paths to Windows format before running java
+if $cygwin; then
+  [ -n "$JAVA_HOME" ] &&
+    JAVA_HOME=$(cygpath --path --windows "$JAVA_HOME")
+  [ -n "$CLASSPATH" ] &&
+    CLASSPATH=$(cygpath --path --windows "$CLASSPATH")
+  [ -n "$MAVEN_PROJECTBASEDIR" ] &&
+    MAVEN_PROJECTBASEDIR=$(cygpath --path --windows "$MAVEN_PROJECTBASEDIR")
+fi
+
+# Provide a "standardized" way to retrieve the CLI args that will
+# work with both Windows and non-Windows executions.
+MAVEN_CMD_LINE_ARGS="$MAVEN_CONFIG $*"
+export MAVEN_CMD_LINE_ARGS
+
+WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
+
+# shellcheck disable=SC2086 # safe args
+exec "$JAVACMD" \
+  $MAVEN_OPTS \
+  $MAVEN_DEBUG_OPTS \
+  -classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \
+  "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \
+  ${WRAPPER_LAUNCHER} $MAVEN_CONFIG "$@"

mvnw.cmd

@@ -0,0 +1,205 @@
+@REM ----------------------------------------------------------------------------
+@REM Licensed to the Apache Software Foundation (ASF) under one
+@REM or more contributor license agreements.  See the NOTICE file
+@REM distributed with this work for additional information
+@REM regarding copyright ownership.  The ASF licenses this file
+@REM to you under the Apache License, Version 2.0 (the
+@REM "License"); you may not use this file except in compliance
+@REM with the License.  You may obtain a copy of the License at
+@REM
+@REM    http://www.apache.org/licenses/LICENSE-2.0
+@REM
+@REM Unless required by applicable law or agreed to in writing,
+@REM software distributed under the License is distributed on an
+@REM "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+@REM KIND, either express or implied.  See the License for the
+@REM specific language governing permissions and limitations
+@REM under the License.
+@REM ----------------------------------------------------------------------------
+
+@REM ----------------------------------------------------------------------------
+@REM Apache Maven Wrapper startup batch script, version 3.2.0
+@REM
+@REM Required ENV vars:
+@REM JAVA_HOME - location of a JDK home dir
+@REM
+@REM Optional ENV vars
+@REM MAVEN_BATCH_ECHO - set to 'on' to enable the echoing of the batch commands
+@REM MAVEN_BATCH_PAUSE - set to 'on' to wait for a keystroke before ending
+@REM MAVEN_OPTS - parameters passed to the Java VM when running Maven
+@REM     e.g. to debug Maven itself, use
+@REM set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
+@REM MAVEN_SKIP_RC - flag to disable loading of mavenrc files
+@REM ----------------------------------------------------------------------------
+
+@REM Begin all REM lines with '@' in case MAVEN_BATCH_ECHO is 'on'
+@echo off
+@REM set title of command window
+title %0
+@REM enable echoing by setting MAVEN_BATCH_ECHO to 'on'
+@if "%MAVEN_BATCH_ECHO%" == "on"  echo %MAVEN_BATCH_ECHO%
+
+@REM set %HOME% to equivalent of $HOME
+if "%HOME%" == "" (set "HOME=%HOMEDRIVE%%HOMEPATH%")
+
+@REM Execute a user defined script before this one
+if not "%MAVEN_SKIP_RC%" == "" goto skipRcPre
+@REM check for pre script, once with legacy .bat ending and once with .cmd ending
+if exist "%USERPROFILE%\mavenrc_pre.bat" call "%USERPROFILE%\mavenrc_pre.bat" %*
+if exist "%USERPROFILE%\mavenrc_pre.cmd" call "%USERPROFILE%\mavenrc_pre.cmd" %*
+:skipRcPre
+
+@setlocal
+
+set ERROR_CODE=0
+
+@REM To isolate internal variables from possible post scripts, we use another setlocal
+@setlocal
+
+@REM ==== START VALIDATION ====
+if not "%JAVA_HOME%" == "" goto OkJHome
+
+echo.
+echo Error: JAVA_HOME not found in your environment. >&2
+echo Please set the JAVA_HOME variable in your environment to match the >&2
+echo location of your Java installation. >&2
+echo.
+goto error
+
+:OkJHome
+if exist "%JAVA_HOME%\bin\java.exe" goto init
+
+echo.
+echo Error: JAVA_HOME is set to an invalid directory. >&2
+echo JAVA_HOME = "%JAVA_HOME%" >&2
+echo Please set the JAVA_HOME variable in your environment to match the >&2
+echo location of your Java installation. >&2
+echo.
+goto error
+
+@REM ==== END VALIDATION ====
+
+:init
+
+@REM Find the project base dir, i.e. the directory that contains the folder ".mvn".
+@REM Fallback to current working directory if not found.
+
+set MAVEN_PROJECTBASEDIR=%MAVEN_BASEDIR%
+IF NOT "%MAVEN_PROJECTBASEDIR%"=="" goto endDetectBaseDir
+
+set EXEC_DIR=%CD%
+set WDIR=%EXEC_DIR%
+:findBaseDir
+IF EXIST "%WDIR%"\.mvn goto baseDirFound
+cd ..
+IF "%WDIR%"=="%CD%" goto baseDirNotFound
+set WDIR=%CD%
+goto findBaseDir
+
+:baseDirFound
+set MAVEN_PROJECTBASEDIR=%WDIR%
+cd "%EXEC_DIR%"
+goto endDetectBaseDir
+
+:baseDirNotFound
+set MAVEN_PROJECTBASEDIR=%EXEC_DIR%
+cd "%EXEC_DIR%"
+
+:endDetectBaseDir
+
+IF NOT EXIST "%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config" goto endReadAdditionalConfig
+
+@setlocal EnableExtensions EnableDelayedExpansion
+for /F "usebackq delims=" %%a in ("%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config") do set JVM_CONFIG_MAVEN_PROPS=!JVM_CONFIG_MAVEN_PROPS! %%a
+@endlocal & set JVM_CONFIG_MAVEN_PROPS=%JVM_CONFIG_MAVEN_PROPS%
+
+:endReadAdditionalConfig
+
+SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe"
+set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar"
+set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
+
+set WRAPPER_URL="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.2.0/maven-wrapper-3.2.0.jar"
+
+FOR /F "usebackq tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO (
+    IF "%%A"=="wrapperUrl" SET WRAPPER_URL=%%B
+)
+
+@REM Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
+@REM This allows using the maven wrapper in projects that prohibit checking in binary data.
+if exist %WRAPPER_JAR% (
+    if "%MVNW_VERBOSE%" == "true" (
+        echo Found %WRAPPER_JAR%
+    )
+) else (
+    if not "%MVNW_REPOURL%" == "" (
+        SET WRAPPER_URL="%MVNW_REPOURL%/org/apache/maven/wrapper/maven-wrapper/3.2.0/maven-wrapper-3.2.0.jar"
+    )
+    if "%MVNW_VERBOSE%" == "true" (
+        echo Couldn't find %WRAPPER_JAR%, downloading it ...
+        echo Downloading from: %WRAPPER_URL%
+    )
+
+    powershell -Command "&{"^
+		"$webclient = new-object System.Net.WebClient;"^
+		"if (-not ([string]::IsNullOrEmpty('%MVNW_USERNAME%') -and [string]::IsNullOrEmpty('%MVNW_PASSWORD%'))) {"^
+		"$webclient.Credentials = new-object System.Net.NetworkCredential('%MVNW_USERNAME%', '%MVNW_PASSWORD%');"^
+		"}"^
+		"[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $webclient.DownloadFile('%WRAPPER_URL%', '%WRAPPER_JAR%')"^
+		"}"
+    if "%MVNW_VERBOSE%" == "true" (
+        echo Finished downloading %WRAPPER_JAR%
+    )
+)
+@REM End of extension
+
+@REM If specified, validate the SHA-256 sum of the Maven wrapper jar file
+SET WRAPPER_SHA_256_SUM=""
+FOR /F "usebackq tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO (
+    IF "%%A"=="wrapperSha256Sum" SET WRAPPER_SHA_256_SUM=%%B
+)
+IF NOT %WRAPPER_SHA_256_SUM%=="" (
+    powershell -Command "&{"^
+       "$hash = (Get-FileHash \"%WRAPPER_JAR%\" -Algorithm SHA256).Hash.ToLower();"^
+       "If('%WRAPPER_SHA_256_SUM%' -ne $hash){"^
+       "  Write-Output 'Error: Failed to validate Maven wrapper SHA-256, your Maven wrapper might be compromised.';"^
+       "  Write-Output 'Investigate or delete %WRAPPER_JAR% to attempt a clean download.';"^
+       "  Write-Output 'If you updated your Maven version, you need to update the specified wrapperSha256Sum property.';"^
+       "  exit 1;"^
+       "}"^
+       "}"
+    if ERRORLEVEL 1 goto error
+)
+
+@REM Provide a "standardized" way to retrieve the CLI args that will
+@REM work with both Windows and non-Windows executions.
+set MAVEN_CMD_LINE_ARGS=%*
+
+%MAVEN_JAVA_EXE% ^
+  %JVM_CONFIG_MAVEN_PROPS% ^
+  %MAVEN_OPTS% ^
+  %MAVEN_DEBUG_OPTS% ^
+  -classpath %WRAPPER_JAR% ^
+  "-Dmaven.multiModuleProjectDirectory=%MAVEN_PROJECTBASEDIR%" ^
+  %WRAPPER_LAUNCHER% %MAVEN_CONFIG% %*
+if ERRORLEVEL 1 goto error
+goto end
+
+:error
+set ERROR_CODE=1
+
+:end
+@endlocal & set ERROR_CODE=%ERROR_CODE%
+
+if not "%MAVEN_SKIP_RC%"=="" goto skipRcPost
+@REM check for post script, once with legacy .bat ending and once with .cmd ending
+if exist "%USERPROFILE%\mavenrc_post.bat" call "%USERPROFILE%\mavenrc_post.bat"
+if exist "%USERPROFILE%\mavenrc_post.cmd" call "%USERPROFILE%\mavenrc_post.cmd"
+:skipRcPost
+
+@REM pause the script if MAVEN_BATCH_PAUSE is set to 'on'
+if "%MAVEN_BATCH_PAUSE%"=="on" pause
+
+if "%MAVEN_TERMINATE_CMD%"=="on" exit %ERROR_CODE%
+
+cmd /C exit /B %ERROR_CODE%

pom.xml

@@ -14,47 +14,68 @@
         <enabled>false</enabled>
       </snapshots>
     </repository>
-    <repository>
-      <id>dynamodb-local-oregon</id>
-      <name>DynamoDB Local Release Repository</name>
-      <url>https://s3-us-west-2.amazonaws.com/dynamodb-local/release</url>
-    </repository>
   </repositories>
 
+  <pluginRepositories>
+    <pluginRepository>
+      <id>ossrh-snapshots</id>
+      <url>https://oss.sonatype.org/content/repositories/snapshots</url>
+      <releases>
+        <enabled>false</enabled>
+      </releases>
+      <snapshots>
+        <enabled>true</enabled>
+      </snapshots>
+    </pluginRepository>
+  </pluginRepositories>
+
   <modules>
-    <module>redis-dispatch</module>
-    <module>websocket-resources</module>
-    <module>gcm-sender-async</module>
+    <module>api-doc</module>
+    <module>integration-tests</module>
     <module>service</module>
+    <module>websocket-resources</module>
   </modules>
 
   <properties>
-    <aws.sdk.version>1.11.939</aws.sdk.version>
-    <aws.sdk2.version>2.16.66</aws.sdk2.version>
-    <commons-codec.version>1.15</commons-codec.version>
-    <commons-csv.version>1.8</commons-csv.version>
-    <commons-io.version>2.9.0</commons-io.version>
-    <dropwizard.version>2.0.22</dropwizard.version>
+    <aws.sdk2.version>2.23.8</aws.sdk2.version>
+    <braintree.version>3.27.0</braintree.version>
+    <commons-csv.version>1.10.0</commons-csv.version>
+    <commons-io.version>2.14.0</commons-io.version>
+    <dropwizard.version>3.0.4</dropwizard.version>
     <dropwizard-metrics-datadog.version>1.1.13</dropwizard-metrics-datadog.version>
-    <gson.version>2.8.8</gson.version>
-    <guava.version>30.1.1-jre</guava.version>
+    <google-cloud-libraries.version>26.25.0</google-cloud-libraries.version>
+    <grpc.version>1.58.0</grpc.version> <!-- should be kept in sync with the value from Google libraries-bom -->
+    <gson.version>2.10.1</gson.version>
+    <!-- several libraries (AWS, Google Cloud) use Apache http components transitively, and we need to align them -->
+    <httpcore.version>4.4.16</httpcore.version>
+    <httpclient.version>4.5.14</httpclient.version>
+    <jackson.version>2.16.0</jackson.version>
     <jaxb.version>2.3.1</jaxb.version>
-    <jedis.version>2.9.0</jedis.version>
-    <lettuce.version>6.0.4.RELEASE</lettuce.version>
-    <libphonenumber.version>8.12.33</libphonenumber.version>
-    <logstash.logback.version>6.6</logstash.logback.version>
-    <micrometer.version>1.5.3</micrometer.version>
-    <mockito.version>3.11.1</mockito.version>
-    <netty.version>4.1.65.Final</netty.version>
-    <netty.tcnative-boringssl-static.version>2.0.39.Final</netty.tcnative-boringssl-static.version>
-    <opentest4j.version>1.2.0</opentest4j.version>
-    <postgresql.version>9.4-1201-jdbc41</postgresql.version>
-    <protobuf.version>3.17.1</protobuf.version>
-    <pushy.version>0.15.0</pushy.version>
-    <resilience4j.version>1.5.0</resilience4j.version>
+    <junit-pioneer.version>2.1.0</junit-pioneer.version>
+    <jsr305.version>3.0.2</jsr305.version>
+    <kotlin.version>1.9.10</kotlin.version>
+    <kotlinx-serialization.version>1.5.1</kotlinx-serialization.version>
+    <lettuce.version>6.2.6.RELEASE</lettuce.version>
+    <libphonenumber.version>8.13.23</libphonenumber.version>
+    <logstash.logback.version>7.3</logstash.logback.version>
+    <log4j-bom.version>2.21.0</log4j-bom.version>
+    <luajava.version>3.4.0</luajava.version>
+    <micrometer.version>1.10.10</micrometer.version>
+    <netty.version>4.1.96.Final</netty.version>
+    <opentest4j.version>1.3.0</opentest4j.version>
+    <protobuf.version>3.24.3</protobuf.version> <!-- should be kept in sync with the value from Google libraries-bom -->
+    <pushy.version>0.15.2</pushy.version>
+    <reactive.grpc.version>1.2.4</reactive.grpc.version>
+    <reactor-bom.version>2022.0.12</reactor-bom.version> <!-- 3.5.x, see https://github.com/reactor/reactor#bom-versioning-scheme -->
+    <resilience4j.version>1.7.0</resilience4j.version>
     <semver4j.version>3.1.0</semver4j.version>
-    <slf4j.version>1.7.30</slf4j.version>
-    <stripe.version>20.79.0</stripe.version>
+    <slf4j.version>2.0.9</slf4j.version>
+    <stripe.version>23.10.0</stripe.version>
+    <swagger.version>2.2.17</swagger.version>
+    <vavr.version>0.10.4</vavr.version>
+
+    <!-- 21.0.1_12-jre-jammy -->
+    <docker.image.sha256>2d00f6910282a7a20ae7747b8f5e2371f7d55f06daed6bf60a323fcc7eaa3da8</docker.image.sha256>
 
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
   </properties>
@@ -65,6 +86,13 @@
 
   <dependencyManagement>
     <dependencies>
+      <dependency>
+        <groupId>com.fasterxml.jackson</groupId>
+        <artifactId>jackson-bom</artifactId>
+        <version>${jackson.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
       <dependency>
         <groupId>io.dropwizard</groupId>
         <artifactId>dropwizard-dependencies</artifactId>
@@ -72,6 +100,13 @@
         <type>pom</type>
         <scope>import</scope>
       </dependency>
+      <!-- Needed for gRPC with Java 9+ -->
+      <dependency>
+        <groupId>org.apache.tomcat</groupId>
+        <artifactId>annotations-api</artifactId>
+        <version>6.0.53</version>
+        <scope>provided</scope>
+      </dependency>
       <dependency>
         <groupId>io.netty</groupId>
         <artifactId>netty-bom</artifactId>
@@ -79,13 +114,6 @@
         <type>pom</type>
         <scope>import</scope>
       </dependency>
-      <dependency>
-        <groupId>com.amazonaws</groupId>
-        <artifactId>aws-java-sdk-bom</artifactId>
-        <version>${aws.sdk.version}</version>
-        <type>pom</type>
-        <scope>import</scope>
-      </dependency>
       <dependency>
         <groupId>software.amazon.awssdk</groupId>
         <artifactId>bom</artifactId>
@@ -96,10 +124,15 @@
       <dependency>
         <groupId>com.google.cloud</groupId>
         <artifactId>libraries-bom</artifactId>
-        <version>20.9.0</version>
+        <version>${google-cloud-libraries.version}</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>
+      <dependency>
+        <groupId>com.salesforce.servicelibs</groupId>
+        <artifactId>reactor-grpc-stub</artifactId>
+        <version>${reactive.grpc.version}</version>
+      </dependency>
       <dependency>
         <groupId>io.github.resilience4j</groupId>
         <artifactId>resilience4j-bom</artifactId>
@@ -114,7 +147,20 @@
         <type>pom</type>
         <scope>import</scope>
       </dependency>
-
+      <dependency>
+        <groupId>io.projectreactor</groupId>
+        <artifactId>reactor-bom</artifactId>
+        <version>${reactor-bom.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+      <dependency>
+        <groupId>org.jetbrains.kotlin</groupId>
+        <artifactId>kotlin-bom</artifactId>
+        <version>${kotlin.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
       <dependency>
         <groupId>com.eatthepath</groupId>
         <artifactId>pushy</artifactId>
@@ -125,11 +171,6 @@
         <artifactId>pushy-dropwizard-metrics-listener</artifactId>
         <version>${pushy.version}</version>
       </dependency>
-      <dependency>
-        <groupId>com.google.guava</groupId>
-        <artifactId>guava</artifactId>
-        <version>${guava.version}</version>
-      </dependency>
       <dependency>
         <groupId>com.google.protobuf</groupId>
         <artifactId>protobuf-java</artifactId>
@@ -145,11 +186,6 @@
         <artifactId>semver4j</artifactId>
         <version>${semver4j.version}</version>
       </dependency>
-      <dependency>
-        <groupId>commons-codec</groupId>
-        <artifactId>commons-codec</artifactId>
-        <version>${commons-codec.version}</version>
-      </dependency>
       <dependency>
         <groupId>commons-io</groupId>
         <artifactId>commons-io</artifactId>
@@ -161,10 +197,9 @@
         <version>${lettuce.version}</version>
       </dependency>
       <dependency>
-        <groupId>io.netty</groupId>
-        <artifactId>netty-tcnative-boringssl-static</artifactId>
-        <version>${netty.tcnative-boringssl-static.version}</version>
-        <scope>runtime</scope>
+        <groupId>io.vavr</groupId>
+        <artifactId>vavr</artifactId>
+        <version>${vavr.version}</version>
       </dependency>
       <dependency>
         <groupId>javax.xml.bind</groupId>
@@ -192,30 +227,12 @@
         <version>${jaxb.version}</version>
         <scope>runtime</scope>
       </dependency>
-      <dependency>
-        <groupId>org.mockito</groupId>
-        <artifactId>mockito-core</artifactId>
-        <version>${mockito.version}</version>
-        <scope>test</scope>
-      </dependency>
-      <dependency>
-        <groupId>org.mockito</groupId>
-        <artifactId>mockito-inline</artifactId>
-        <version>${mockito.version}</version>
-        <scope>test</scope>
-      </dependency>
       <dependency>
         <groupId>org.opentest4j</groupId>
         <artifactId>opentest4j</artifactId>
         <version>${opentest4j.version}</version>
         <scope>test</scope>
       </dependency>
-      <dependency>
-        <groupId>org.postgresql</groupId>
-        <artifactId>postgresql</artifactId>
-        <version>${postgresql.version}</version>
-        <scope>runtime</scope>
-      </dependency>
       <dependency>
         <groupId>org.slf4j</groupId>
         <artifactId>slf4j-api</artifactId>
@@ -227,11 +244,6 @@
         <version>${slf4j.version}</version>
         <scope>test</scope>
       </dependency>
-      <dependency>
-        <groupId>redis.clients</groupId>
-        <artifactId>jedis</artifactId>
-        <version>${jedis.version}</version>
-      </dependency>
       <dependency>
         <groupId>commons-logging</groupId>
         <artifactId>commons-logging</artifactId>
@@ -240,7 +252,7 @@
       <dependency>
         <groupId>org.ow2.asm</groupId>
         <artifactId>asm</artifactId>
-        <version>9.2</version>
+        <version>9.5</version>
         <scope>test</scope>
       </dependency>
       <dependency>
@@ -248,11 +260,54 @@
         <artifactId>stripe-java</artifactId>
         <version>${stripe.version}</version>
       </dependency>
+      <dependency>
+        <groupId>com.braintreepayments.gateway</groupId>
+        <artifactId>braintree-java</artifactId>
+        <version>${braintree.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>com.google.code.findbugs</groupId>
+        <artifactId>jsr305</artifactId>
+        <version>${jsr305.version}</version>
+      </dependency>
       <dependency>
         <groupId>com.google.code.gson</groupId>
         <artifactId>gson</artifactId>
         <version>${gson.version}</version>
       </dependency>
+      <dependency>
+        <groupId>org.signal</groupId>
+        <artifactId>embedded-redis</artifactId>
+        <version>0.8.3</version>
+        <scope>test</scope>
+      </dependency>
+      <dependency>
+        <groupId>org.signal</groupId>
+        <artifactId>libsignal-server</artifactId>
+        <version>0.39.0</version>
+      </dependency>
+      <dependency>
+        <groupId>org.signal.forks</groupId>
+        <artifactId>noise-java</artifactId>
+        <version>0.1.0</version>
+      </dependency>
+      <dependency>
+        <groupId>org.apache.logging.log4j</groupId>
+        <artifactId>log4j-bom</artifactId>
+        <version>${log4j-bom.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+      <dependency>
+        <groupId>org.apache.httpcomponents</groupId>
+        <artifactId>httpcore</artifactId>
+        <version>${httpcore.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.apache.httpcomponents</groupId>
+        <artifactId>httpclient</artifactId>
+        <version>${httpclient.version}</version>
+      </dependency>
     </dependencies>
   </dependencyManagement>
 
@@ -264,9 +319,14 @@
       <scope>test</scope>
     </dependency>
     <dependency>
-      <groupId>com.github.tomakehurst</groupId>
-      <artifactId>wiremock-jre8</artifactId>
-      <version>2.31.0</version>
+      <groupId>software.amazon.awssdk</groupId>
+      <artifactId>aws-crt-client</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.wiremock</groupId>
+      <!-- use standalone until Dropwizard 4 + jakarta.* -->
+      <artifactId>wiremock-standalone</artifactId>
+      <version>3.3.1</version>
       <scope>test</scope>
       <exclusions>
         <exclusion>
@@ -282,7 +342,6 @@
     <dependency>
       <groupId>org.mockito</groupId>
       <artifactId>mockito-core</artifactId>
-      <version>${mockito.version}</version>
       <scope>test</scope>
     </dependency>
     <dependency>
@@ -291,8 +350,14 @@
       <scope>test</scope>
     </dependency>
     <dependency>
-      <groupId>junit</groupId>
-      <artifactId>junit</artifactId>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter-api</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.junit-pioneer</groupId>
+      <artifactId>junit-pioneer</artifactId>
+      <version>${junit-pioneer.version}</version>
       <scope>test</scope>
     </dependency>
 
@@ -300,22 +365,22 @@
 
   <profiles>
     <profile>
-      <id>include-abusive-message-filter</id>
+      <id>include-spam-filter</id>
       <activation>
         <file>
-          <exists>abusive-message-filter/pom.xml</exists>
+          <exists>spam-filter/pom.xml</exists>
         </file>
       </activation>
       <modules>
-        <module>abusive-message-filter</module>
+        <module>spam-filter</module>
       </modules>
     </profile>
 
     <profile>
-      <id>exclude-abusive-message-filter</id>
+      <id>exclude-spam-filter</id>
       <activation>
         <file>
-          <missing>abusive-message-filter/pom.xml</missing>
+          <missing>spam-filter/pom.xml</missing>
         </file>
       </activation>
     </profile>
@@ -329,6 +394,15 @@
         <version>1.7.0</version>
       </extension>
     </extensions>
+    <pluginManagement>
+      <plugins>
+        <plugin>
+          <groupId>com.google.cloud.tools</groupId>
+          <artifactId>jib-maven-plugin</artifactId>
+          <version>3.4.0</version>
+        </plugin>
+      </plugins>
+    </pluginManagement>
     <plugins>
 
       <plugin>
@@ -336,14 +410,28 @@
         <artifactId>protobuf-maven-plugin</artifactId>
         <version>0.6.1</version>
         <configuration>
-          <protocArtifact>com.google.protobuf:protoc:3.18.0:exe:${os.detected.classifier}</protocArtifact>
-          <checkStaleness>true</checkStaleness>
+          <checkStaleness>false</checkStaleness>
+          <protocArtifact>com.google.protobuf:protoc:${protobuf.version}:exe:${os.detected.classifier}</protocArtifact>
+          <pluginId>grpc-java</pluginId>
+          <pluginArtifact>io.grpc:protoc-gen-grpc-java:${grpc.version}:exe:${os.detected.classifier}</pluginArtifact>
+
+          <protocPlugins>
+            <protocPlugin>
+              <id>reactor-grpc</id>
+              <groupId>com.salesforce.servicelibs</groupId>
+              <artifactId>reactor-grpc</artifactId>
+              <version>${reactive.grpc.version}</version>
+              <mainClass>com.salesforce.reactorgrpc.ReactorGrpcGenerator</mainClass>
+            </protocPlugin>
+          </protocPlugins>
         </configuration>
         <executions>
           <execution>
             <goals>
               <goal>compile</goal>
+              <goal>compile-custom</goal>
               <goal>test-compile</goal>
+              <goal>test-compile-custom</goal>
             </goals>
           </execution>
         </executions>
@@ -352,17 +440,16 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-compiler-plugin</artifactId>
-        <version>3.8.1</version>
+        <version>3.11.0</version>
         <configuration>
-          <source>11</source>
-          <target>11</target>
+          <release>21</release>
         </configuration>
       </plugin>
 
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-jar-plugin</artifactId>
-        <version>3.2.0</version>
+        <version>3.3.0</version>
         <configuration>
           <archive>
             <manifest>
@@ -375,7 +462,7 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-dependency-plugin</artifactId>
-        <version>3.1.2</version>
+        <version>3.3.0</version>
         <executions>
           <execution>
             <id>copy</id>
@@ -395,7 +482,7 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-surefire-plugin</artifactId>
-        <version>3.0.0-M5</version>
+        <version>3.1.2</version>
         <configuration>
           <systemProperties>
             <property>
@@ -409,7 +496,7 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-enforcer-plugin</artifactId>
-        <version>3.0.0-M3</version>
+        <version>3.3.0</version>
         <executions>
           <execution>
             <goals>
@@ -419,7 +506,7 @@
               <rules>
                 <dependencyConvergence/>
                 <requireMavenVersion>
-                  <version>3.0.0</version>
+                  <version>3.8.6</version>
                 </requireMavenVersion>
               </rules>
             </configuration>
@@ -430,7 +517,7 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-install-plugin</artifactId>
-        <version>3.0.0-M1</version>
+        <version>3.1.1</version>
         <configuration>
           <skip>true</skip>
         </configuration>
@@ -439,7 +526,7 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-deploy-plugin</artifactId>
-        <version>3.0.0-M1</version>
+        <version>3.1.1</version>
         <configuration>
           <skip>true</skip>
         </configuration>

redis-dispatch/pom.xml

@@ -1,20 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0"
-  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
-  <parent>
-    <artifactId>TextSecureServer</artifactId>
-    <groupId>org.whispersystems.textsecure</groupId>
-    <version>JGITVER</version>
-  </parent>
-  <modelVersion>4.0.0</modelVersion>
-  <artifactId>redis-dispatch</artifactId>
-
-  <dependencies>
-    <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-api</artifactId>
-    </dependency>
-  </dependencies>
-
-</project>

redis-dispatch/src/main/java/org/whispersystems/dispatch/DispatchChannel.java

@@ -1,11 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch;
-
-public interface DispatchChannel {
-  void onDispatchMessage(String channel, byte[] message);
-  void onDispatchSubscribed(String channel);
-  void onDispatchUnsubscribed(String channel);
-}

redis-dispatch/src/main/java/org/whispersystems/dispatch/DispatchManager.java

@@ -1,157 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.whispersystems.dispatch.io.RedisPubSubConnectionFactory;
-import org.whispersystems.dispatch.redis.PubSubConnection;
-import org.whispersystems.dispatch.redis.PubSubReply;
-
-import java.io.IOException;
-import java.util.Map;
-import java.util.Optional;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.concurrent.Executor;
-import java.util.concurrent.Executors;
-
-@SuppressWarnings("OptionalUsedAsFieldOrParameterType")
-public class DispatchManager extends Thread {
-
-  private final Logger                       logger        = LoggerFactory.getLogger(DispatchManager.class);
-  private final Executor                     executor      = Executors.newCachedThreadPool();
-  private final Map<String, DispatchChannel> subscriptions = new ConcurrentHashMap<>();
-
-  private final Optional<DispatchChannel>    deadLetterChannel;
-  private final RedisPubSubConnectionFactory redisPubSubConnectionFactory;
-
-  private          PubSubConnection pubSubConnection;
-  private volatile boolean          running;
-
-  public DispatchManager(RedisPubSubConnectionFactory redisPubSubConnectionFactory,
-                         Optional<DispatchChannel> deadLetterChannel)
-  {
-    this.redisPubSubConnectionFactory = redisPubSubConnectionFactory;
-    this.deadLetterChannel            = deadLetterChannel;
-  }
-
-  @Override
-  public void start() {
-    this.pubSubConnection = redisPubSubConnectionFactory.connect();
-    this.running          = true;
-    super.start();
-  }
-
-  public void shutdown() {
-    this.running = false;
-    this.pubSubConnection.close();
-  }
-
-  public synchronized void subscribe(String name, DispatchChannel dispatchChannel) {
-    Optional<DispatchChannel> previous = Optional.ofNullable(subscriptions.get(name));
-    subscriptions.put(name, dispatchChannel);
-
-    try {
-      pubSubConnection.subscribe(name);
-    } catch (IOException e) {
-      logger.warn("Subscription error", e);
-    }
-
-    previous.ifPresent(channel -> dispatchUnsubscription(name, channel));
-  }
-
-  public synchronized void unsubscribe(String name, DispatchChannel channel) {
-    Optional<DispatchChannel> subscription = Optional.ofNullable(subscriptions.get(name));
-
-    if (subscription.isPresent() && subscription.get() == channel) {
-      subscriptions.remove(name);
-
-      try {
-        pubSubConnection.unsubscribe(name);
-      } catch (IOException e) {
-        logger.warn("Unsubscribe error", e);
-      }
-
-      dispatchUnsubscription(name, subscription.get());
-    }
-  }
-
-  public boolean hasSubscription(String name) {
-    return subscriptions.containsKey(name);
-  }
-  
-  @Override
-  public void run() {
-    while (running) {
-      try {
-        PubSubReply reply = pubSubConnection.read();
-
-        switch (reply.getType()) {
-          case UNSUBSCRIBE:                             break;
-          case SUBSCRIBE:   dispatchSubscribe(reply);   break;
-          case MESSAGE:     dispatchMessage(reply);     break;
-          default:          throw new AssertionError("Unknown pubsub reply type! " + reply.getType());
-        }
-      } catch (IOException e) {
-        logger.warn("***** PubSub Connection Error *****", e);
-        if (running) {
-          this.pubSubConnection.close();
-          this.pubSubConnection = redisPubSubConnectionFactory.connect();
-          resubscribeAll();
-        }
-      }
-    }
-
-    logger.warn("DispatchManager Shutting Down...");
-  }
-
-  private void dispatchSubscribe(final PubSubReply reply) {
-    Optional<DispatchChannel> subscription = Optional.ofNullable(subscriptions.get(reply.getChannel()));
-
-    if (subscription.isPresent()) {
-      dispatchSubscription(reply.getChannel(), subscription.get());
-    } else {
-      logger.info("Received subscribe event for non-existing channel: " + reply.getChannel());
-    }
-  }
-
-  private void dispatchMessage(PubSubReply reply) {
-    Optional<DispatchChannel> subscription = Optional.ofNullable(subscriptions.get(reply.getChannel()));
-
-    if (subscription.isPresent()) {
-      dispatchMessage(reply.getChannel(), subscription.get(), reply.getContent().get());
-    } else if (deadLetterChannel.isPresent()) {
-      dispatchMessage(reply.getChannel(), deadLetterChannel.get(), reply.getContent().get());
-    } else {
-      logger.warn("Received message for non-existing channel, with no dead letter handler: " + reply.getChannel());
-    }
-  }
-
-  private void resubscribeAll() {
-    new Thread(() -> {
-      synchronized (DispatchManager.this) {
-        try {
-          for (String name : subscriptions.keySet()) {
-            pubSubConnection.subscribe(name);
-          }
-        } catch (IOException e) {
-          logger.warn("***** RESUBSCRIPTION ERROR *****", e);
-        }
-      }
-    }).start();
-  }
-
-  private void dispatchMessage(final String name, final DispatchChannel channel, final byte[] message) {
-    executor.execute(() -> channel.onDispatchMessage(name, message));
-  }
-
-  private void dispatchSubscription(final String name, final DispatchChannel channel) {
-    executor.execute(() -> channel.onDispatchSubscribed(name));
-  }
-
-  private void dispatchUnsubscription(final String name, final DispatchChannel channel) {
-    executor.execute(() -> channel.onDispatchUnsubscribed(name));
-  }
-}

redis-dispatch/src/main/java/org/whispersystems/dispatch/io/RedisInputStream.java

@@ -1,68 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.io;
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-
-public class RedisInputStream {
-
-  private static final byte CR = 0x0D;
-  private static final byte LF = 0x0A;
-
-  private final InputStream inputStream;
-
-  public RedisInputStream(InputStream inputStream) {
-    this.inputStream = inputStream;
-  }
-
-  public String readLine() throws IOException {
-    ByteArrayOutputStream baos = new ByteArrayOutputStream();
-
-    boolean foundCr = false;
-
-    while (true) {
-      int character = inputStream.read();
-
-      if (character == -1) {
-        throw new IOException("Stream closed!");
-      }
-
-      baos.write(character);
-
-      if      (foundCr && character == LF) break;
-      else if (character == CR)            foundCr = true;
-      else if (foundCr)                    foundCr = false;
-    }
-
-    byte[] data = baos.toByteArray();
-    return new String(data, 0, data.length-2);
-  }
-
-  public byte[] readFully(int size) throws IOException {
-    byte[] result    = new byte[size];
-    int    offset    = 0;
-    int    remaining = result.length;
-
-    while (remaining > 0) {
-      int read = inputStream.read(result, offset, remaining);
-
-      if (read < 0) {
-        throw new IOException("Stream closed!");
-      }
-
-      offset    += read;
-      remaining -= read;
-    }
-
-    return result;
-  }
-
-  public void close() throws IOException {
-    inputStream.close();
-  }
-
-}

redis-dispatch/src/main/java/org/whispersystems/dispatch/io/RedisPubSubConnectionFactory.java

@@ -1,13 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.io;
-
-import org.whispersystems.dispatch.redis.PubSubConnection;
-
-public interface RedisPubSubConnectionFactory {
-
-  PubSubConnection connect();
-
-}

redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/PubSubConnection.java

@@ -1,123 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.whispersystems.dispatch.io.RedisInputStream;
-import org.whispersystems.dispatch.redis.protocol.ArrayReplyHeader;
-import org.whispersystems.dispatch.redis.protocol.IntReply;
-import org.whispersystems.dispatch.redis.protocol.StringReplyHeader;
-import org.whispersystems.dispatch.util.Util;
-
-import java.io.BufferedInputStream;
-import java.io.IOException;
-import java.io.OutputStream;
-import java.net.Socket;
-import java.util.Arrays;
-import java.util.Optional;
-import java.util.concurrent.atomic.AtomicBoolean;
-
-public class PubSubConnection {
-
-  private final Logger logger = LoggerFactory.getLogger(PubSubConnection.class);
-
-  private static final byte[] UNSUBSCRIBE_TYPE    = {'u', 'n', 's', 'u', 'b', 's', 'c', 'r', 'i', 'b', 'e'     };
-  private static final byte[] SUBSCRIBE_TYPE      = {'s', 'u', 'b', 's', 'c', 'r', 'i', 'b', 'e'               };
-  private static final byte[] MESSAGE_TYPE        = {'m', 'e', 's', 's', 'a', 'g', 'e'                         };
-
-  private static final byte[] SUBSCRIBE_COMMAND   = {'S', 'U', 'B', 'S', 'C', 'R', 'I', 'B', 'E', ' '          };
-  private static final byte[] UNSUBSCRIBE_COMMAND = {'U', 'N', 'S', 'U', 'B', 'S', 'C', 'R', 'I', 'B', 'E', ' '};
-  private static final byte[] CRLF                = {'\r', '\n'                                                };
-
-  private final OutputStream     outputStream;
-  private final RedisInputStream inputStream;
-  private final Socket           socket;
-  private final AtomicBoolean    closed;
-
-  public PubSubConnection(Socket socket) throws IOException {
-    this.socket       = socket;
-    this.outputStream = socket.getOutputStream();
-    this.inputStream  = new RedisInputStream(new BufferedInputStream(socket.getInputStream()));
-    this.closed       = new AtomicBoolean(false);
-  }
-
-  public void subscribe(String channelName) throws IOException {
-    if (closed.get()) throw new IOException("Connection closed!");
-
-    byte[] command = Util.combine(SUBSCRIBE_COMMAND, channelName.getBytes(), CRLF);
-    outputStream.write(command);
-  }
-
-  public void unsubscribe(String channelName) throws IOException {
-    if (closed.get()) throw new IOException("Connection closed!");
-
-    byte[] command = Util.combine(UNSUBSCRIBE_COMMAND, channelName.getBytes(), CRLF);
-    outputStream.write(command);
-  }
-
-  public PubSubReply read() throws IOException {
-    if (closed.get()) throw new IOException("Connection closed!");
-
-    ArrayReplyHeader replyHeader = new ArrayReplyHeader(inputStream.readLine());
-
-    if (replyHeader.getElementCount() != 3) {
-      throw new IOException("Received array reply header with strange count: " + replyHeader.getElementCount());
-    }
-
-    StringReplyHeader replyTypeHeader = new StringReplyHeader(inputStream.readLine());
-    byte[]            replyType       = inputStream.readFully(replyTypeHeader.getStringLength());
-    inputStream.readLine();
-
-    if      (Arrays.equals(SUBSCRIBE_TYPE, replyType))   return readSubscribeReply();
-    else if (Arrays.equals(UNSUBSCRIBE_TYPE, replyType)) return readUnsubscribeReply();
-    else if (Arrays.equals(MESSAGE_TYPE, replyType))     return readMessageReply();
-    else throw new IOException("Unknown reply type: " + new String(replyType));
-  }
-
-  public void close() {
-    try {
-      this.closed.set(true);
-      this.inputStream.close();
-      this.outputStream.close();
-      this.socket.close();
-    } catch (IOException e) {
-      logger.warn("Exception while closing", e);
-    }
-  }
-
-  private PubSubReply readMessageReply() throws IOException {
-    StringReplyHeader channelNameHeader = new StringReplyHeader(inputStream.readLine());
-    byte[]            channelName       = inputStream.readFully(channelNameHeader.getStringLength());
-    inputStream.readLine();
-
-    StringReplyHeader messageHeader = new StringReplyHeader(inputStream.readLine());
-    byte[]            message       = inputStream.readFully(messageHeader.getStringLength());
-    inputStream.readLine();
-
-    return new PubSubReply(PubSubReply.Type.MESSAGE, new String(channelName), Optional.of(message));
-  }
-
-  private PubSubReply readUnsubscribeReply() throws IOException {
-    String channelName = readSubscriptionReply();
-    return new PubSubReply(PubSubReply.Type.UNSUBSCRIBE, channelName, Optional.empty());
-  }
-
-  private PubSubReply readSubscribeReply() throws IOException {
-    String channelName = readSubscriptionReply();
-    return new PubSubReply(PubSubReply.Type.SUBSCRIBE, channelName, Optional.empty());
-  }
-
-  private String readSubscriptionReply() throws IOException {
-    StringReplyHeader channelNameHeader = new StringReplyHeader(inputStream.readLine());
-    byte[]            channelName       = inputStream.readFully(channelNameHeader.getStringLength());
-    inputStream.readLine();
-
-    IntReply subscriptionCount = new IntReply(inputStream.readLine());
-
-    return new String(channelName);
-  }
-
-}

redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/PubSubReply.java

@@ -1,40 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis;
-
-import java.util.Optional;
-
-@SuppressWarnings("OptionalUsedAsFieldOrParameterType")
-public class PubSubReply {
-
-  public enum Type {
-    MESSAGE,
-    SUBSCRIBE,
-    UNSUBSCRIBE
-  }
-
-  private final Type             type;
-  private final String           channel;
-  private final Optional<byte[]> content;
-
-  public PubSubReply(Type type, String channel, Optional<byte[]> content) {
-    this.type    = type;
-    this.channel = channel;
-    this.content = content;
-  }
-
-  public Type getType() {
-    return type;
-  }
-
-  public String getChannel() {
-    return channel;
-  }
-
-  public Optional<byte[]> getContent() {
-    return content;
-  }
-
-}

redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/protocol/ArrayReplyHeader.java

@@ -1,28 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis.protocol;
-
-import java.io.IOException;
-
-public class ArrayReplyHeader {
-
-  private final int elementCount;
-
-  public ArrayReplyHeader(String header) throws IOException {
-    if (header == null || header.length() < 2 || header.charAt(0) != '*') {
-      throw new IOException("Invalid array reply header: " + header);
-    }
-
-    try {
-      this.elementCount = Integer.parseInt(header.substring(1));
-    } catch (NumberFormatException e) {
-      throw new IOException(e);
-    }
-  }
-
-  public int getElementCount() {
-    return elementCount;
-  }
-}

redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/protocol/IntReply.java

@@ -1,28 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis.protocol;
-
-import java.io.IOException;
-
-public class IntReply {
-
-  private final int value;
-
-  public IntReply(String reply) throws IOException {
-    if (reply == null || reply.length() < 2 || reply.charAt(0) != ':') {
-      throw new IOException("Invalid int reply: " + reply);
-    }
-
-    try {
-      this.value = Integer.parseInt(reply.substring(1));
-    } catch (NumberFormatException e) {
-      throw new IOException(e);
-    }
-  }
-
-  public int getValue() {
-    return value;
-  }
-}

redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/protocol/StringReplyHeader.java

@@ -1,28 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis.protocol;
-
-import java.io.IOException;
-
-public class StringReplyHeader {
-
-  private final int stringLength;
-
-  public StringReplyHeader(String header) throws IOException {
-    if (header == null || header.length() < 2 || header.charAt(0) != '$') {
-      throw new IOException("Invalid string reply header: " + header);
-    }
-
-    try {
-      this.stringLength = Integer.parseInt(header.substring(1));
-    } catch (NumberFormatException e) {
-      throw new IOException(e);
-    }
-  }
-
-  public int getStringLength() {
-    return stringLength;
-  }
-}

redis-dispatch/src/main/java/org/whispersystems/dispatch/util/Util.java

@@ -1,40 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.util;
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-
-public class Util {
-
-  public static byte[] combine(byte[]... elements) {
-    try {
-      int sum = 0;
-
-      for (byte[] element : elements) {
-        sum += element.length;
-      }
-
-      ByteArrayOutputStream baos = new ByteArrayOutputStream(sum);
-
-      for (byte[] element : elements) {
-        baos.write(element);
-      }
-
-      return baos.toByteArray();
-    } catch (IOException e) {
-      throw new AssertionError(e);
-    }
-  }
-
-
-  public static void sleep(long millis) {
-    try {
-      Thread.sleep(millis);
-    } catch (InterruptedException e) {
-      throw new AssertionError(e);
-    }
-  }
-}

redis-dispatch/src/test/java/org/whispersystems/dispatch/DispatchManagerTest.java

@@ -1,134 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch;
-
-import org.junit.Rule;
-import org.junit.Test;
-import org.junit.rules.ExternalResource;
-import org.mockito.ArgumentCaptor;
-import org.mockito.invocation.InvocationOnMock;
-import org.mockito.stubbing.Answer;
-import org.whispersystems.dispatch.io.RedisPubSubConnectionFactory;
-import org.whispersystems.dispatch.redis.PubSubConnection;
-import org.whispersystems.dispatch.redis.PubSubReply;
-
-import java.io.IOException;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Optional;
-
-import static org.junit.Assert.assertArrayEquals;
-import static org.mockito.Mockito.eq;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.timeout;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-public class DispatchManagerTest {
-
-  private PubSubConnection             pubSubConnection;
-  private RedisPubSubConnectionFactory socketFactory;
-  private DispatchManager              dispatchManager;
-  private PubSubReplyInputStream       pubSubReplyInputStream;
-
-  @Rule
-  public ExternalResource resource = new ExternalResource() {
-    @Override
-    protected void before() throws Throwable {
-      pubSubConnection       = mock(PubSubConnection.class  );
-      socketFactory          = mock(RedisPubSubConnectionFactory.class);
-      pubSubReplyInputStream = new PubSubReplyInputStream();
-
-      when(socketFactory.connect()).thenReturn(pubSubConnection);
-      when(pubSubConnection.read()).thenAnswer(new Answer<PubSubReply>() {
-        @Override
-        public PubSubReply answer(InvocationOnMock invocationOnMock) throws Throwable {
-          return pubSubReplyInputStream.read();
-        }
-      });
-
-      dispatchManager = new DispatchManager(socketFactory, Optional.empty());
-      dispatchManager.start();
-    }
-
-    @Override
-    protected void after() {
-
-    }
-  };
-
-  @Test
-  public void testConnect() {
-    verify(socketFactory).connect();
-  }
-
-  @Test
-  public void testSubscribe() throws IOException {
-    DispatchChannel dispatchChannel = mock(DispatchChannel.class);
-    dispatchManager.subscribe("foo", dispatchChannel);
-    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.SUBSCRIBE, "foo", Optional.empty()));
-
-    verify(dispatchChannel, timeout(1000)).onDispatchSubscribed(eq("foo"));
-  }
-
-  @Test
-  public void testSubscribeUnsubscribe() throws IOException {
-    DispatchChannel dispatchChannel = mock(DispatchChannel.class);
-    dispatchManager.subscribe("foo", dispatchChannel);
-    dispatchManager.unsubscribe("foo", dispatchChannel);
-
-    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.SUBSCRIBE, "foo", Optional.empty()));
-    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.UNSUBSCRIBE, "foo", Optional.empty()));
-
-    verify(dispatchChannel, timeout(1000)).onDispatchUnsubscribed(eq("foo"));
-  }
-
-  @Test
-  public void testMessages() throws IOException {
-    DispatchChannel fooChannel = mock(DispatchChannel.class);
-    DispatchChannel barChannel = mock(DispatchChannel.class);
-
-    dispatchManager.subscribe("foo", fooChannel);
-    dispatchManager.subscribe("bar", barChannel);
-
-    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.SUBSCRIBE, "foo", Optional.empty()));
-    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.SUBSCRIBE, "bar", Optional.empty()));
-
-    verify(fooChannel, timeout(1000)).onDispatchSubscribed(eq("foo"));
-    verify(barChannel, timeout(1000)).onDispatchSubscribed(eq("bar"));
-
-    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.MESSAGE, "foo", Optional.of("hello".getBytes())));
-    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.MESSAGE, "bar", Optional.of("there".getBytes())));
-
-    ArgumentCaptor<byte[]> captor = ArgumentCaptor.forClass(byte[].class);
-    verify(fooChannel, timeout(1000)).onDispatchMessage(eq("foo"), captor.capture());
-
-    assertArrayEquals("hello".getBytes(), captor.getValue());
-
-    verify(barChannel, timeout(1000)).onDispatchMessage(eq("bar"), captor.capture());
-
-    assertArrayEquals("there".getBytes(), captor.getValue());
-  }
-
-  private static class PubSubReplyInputStream {
-
-    private final List<PubSubReply> pubSubReplyList = new LinkedList<>();
-
-    public synchronized PubSubReply read() {
-      try {
-        while (pubSubReplyList.isEmpty()) wait();
-        return pubSubReplyList.remove(0);
-      } catch (InterruptedException e) {
-        throw new AssertionError(e);
-      }
-    }
-
-    public synchronized void write(PubSubReply pubSubReply) {
-      pubSubReplyList.add(pubSubReply);
-      notifyAll();
-    }
-  }
-
-}

redis-dispatch/src/test/java/org/whispersystems/dispatch/redis/PubSubConnectionTest.java

@@ -1,265 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis;
-
-import static org.junit.Assert.assertArrayEquals;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.ArgumentMatchers.anyInt;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.net.Socket;
-import java.security.SecureRandom;
-import org.junit.Test;
-import org.mockito.ArgumentCaptor;
-import org.mockito.invocation.InvocationOnMock;
-import org.mockito.stubbing.Answer;
-
-public class PubSubConnectionTest {
-
-  private static final String REPLY = "*3\r\n" +
-      "$9\r\n" +
-      "subscribe\r\n" +
-      "$5\r\n" +
-      "abcde\r\n" +
-      ":1\r\n" +
-      "*3\r\n" +
-      "$9\r\n" +
-      "subscribe\r\n" +
-      "$5\r\n" +
-      "fghij\r\n" +
-      ":2\r\n" +
-      "*3\r\n" +
-      "$9\r\n" +
-      "subscribe\r\n" +
-      "$5\r\n" +
-      "klmno\r\n" +
-      ":2\r\n" +
-      "*3\r\n" +
-      "$7\r\n" +
-      "message\r\n" +
-      "$5\r\n" +
-      "abcde\r\n" +
-      "$10\r\n" +
-      "1234567890\r\n" +
-      "*3\r\n" +
-      "$7\r\n" +
-      "message\r\n" +
-      "$5\r\n" +
-      "klmno\r\n" +
-      "$10\r\n" +
-      "0987654321\r\n";
-
-
-  @Test
-  public void testSubscribe() throws IOException {
-//    ByteChannel      byteChannel = mock(ByteChannel.class);
-    OutputStream outputStream = mock(OutputStream.class);
-    Socket       socket       = mock(Socket.class      );
-    when(socket.getOutputStream()).thenReturn(outputStream);
-    PubSubConnection connection  = new PubSubConnection(socket);
-
-    connection.subscribe("foobar");
-
-    ArgumentCaptor<byte[]> captor = ArgumentCaptor.forClass(byte[].class);
-    verify(outputStream).write(captor.capture());
-
-    assertArrayEquals(captor.getValue(), "SUBSCRIBE foobar\r\n".getBytes());
-  }
-
-  @Test
-  public void testUnsubscribe() throws IOException {
-    OutputStream outputStream = mock(OutputStream.class);
-    Socket       socket       = mock(Socket.class      );
-    when(socket.getOutputStream()).thenReturn(outputStream);
-    PubSubConnection connection  = new PubSubConnection(socket);
-
-    connection.unsubscribe("bazbar");
-
-    ArgumentCaptor<byte[]> captor = ArgumentCaptor.forClass(byte[].class);
-    verify(outputStream).write(captor.capture());
-
-    assertArrayEquals(captor.getValue(), "UNSUBSCRIBE bazbar\r\n".getBytes());
-  }
-
-  @Test
-  public void testTricklyResponse() throws Exception {
-    InputStream  inputStream  = mockInputStreamFor(new TrickleInputStream(REPLY.getBytes()));
-    OutputStream outputStream = mock(OutputStream.class);
-    Socket       socket       = mock(Socket.class      );
-    when(socket.getOutputStream()).thenReturn(outputStream);
-    when(socket.getInputStream()).thenReturn(inputStream);
-
-    PubSubConnection pubSubConnection = new PubSubConnection(socket);
-    readResponses(pubSubConnection);
-  }
-
-  @Test
-  public void testFullResponse() throws Exception {
-    InputStream  inputStream  = mockInputStreamFor(new FullInputStream(REPLY.getBytes()));
-    OutputStream outputStream = mock(OutputStream.class);
-    Socket       socket       = mock(Socket.class      );
-    when(socket.getOutputStream()).thenReturn(outputStream);
-    when(socket.getInputStream()).thenReturn(inputStream);
-
-    PubSubConnection pubSubConnection = new PubSubConnection(socket);
-    readResponses(pubSubConnection);
-  }
-
-  @Test
-  public void testRandomLengthResponse() throws Exception {
-    InputStream  inputStream  = mockInputStreamFor(new RandomInputStream(REPLY.getBytes()));
-    OutputStream outputStream = mock(OutputStream.class);
-    Socket       socket       = mock(Socket.class      );
-    when(socket.getOutputStream()).thenReturn(outputStream);
-    when(socket.getInputStream()).thenReturn(inputStream);
-
-    PubSubConnection pubSubConnection = new PubSubConnection(socket);
-    readResponses(pubSubConnection);
-  }
-
-  private InputStream mockInputStreamFor(final MockInputStream stub) throws IOException {
-    InputStream result = mock(InputStream.class);
-
-    when(result.read()).thenAnswer(new Answer<Integer>() {
-      @Override
-      public Integer answer(InvocationOnMock invocationOnMock) throws Throwable {
-        return stub.read();
-      }
-    });
-
-    when(result.read(any(byte[].class))).thenAnswer(new Answer<Integer>() {
-      @Override
-      public Integer answer(InvocationOnMock invocationOnMock) throws Throwable {
-        byte[] buffer = (byte[])invocationOnMock.getArguments()[0];
-        return stub.read(buffer, 0, buffer.length);
-      }
-    });
-
-    when(result.read(any(byte[].class), anyInt(), anyInt())).thenAnswer(new Answer<Integer>() {
-      @Override
-      public Integer answer(InvocationOnMock invocationOnMock) throws Throwable {
-        byte[] buffer = (byte[]) invocationOnMock.getArguments()[0];
-        int offset = (int) invocationOnMock.getArguments()[1];
-        int length = (int) invocationOnMock.getArguments()[2];
-
-        return stub.read(buffer, offset, length);
-      }
-    });
-
-    return result;
-  }
-
-  private void readResponses(PubSubConnection pubSubConnection) throws Exception {
-    PubSubReply reply = pubSubConnection.read();
-
-    assertEquals(reply.getType(), PubSubReply.Type.SUBSCRIBE);
-    assertEquals(reply.getChannel(), "abcde");
-    assertFalse(reply.getContent().isPresent());
-
-    reply = pubSubConnection.read();
-
-    assertEquals(reply.getType(), PubSubReply.Type.SUBSCRIBE);
-    assertEquals(reply.getChannel(), "fghij");
-    assertFalse(reply.getContent().isPresent());
-
-    reply = pubSubConnection.read();
-
-    assertEquals(reply.getType(), PubSubReply.Type.SUBSCRIBE);
-    assertEquals(reply.getChannel(), "klmno");
-    assertFalse(reply.getContent().isPresent());
-
-    reply = pubSubConnection.read();
-
-    assertEquals(reply.getType(), PubSubReply.Type.MESSAGE);
-    assertEquals(reply.getChannel(), "abcde");
-    assertArrayEquals(reply.getContent().get(), "1234567890".getBytes());
-
-    reply = pubSubConnection.read();
-
-    assertEquals(reply.getType(), PubSubReply.Type.MESSAGE);
-    assertEquals(reply.getChannel(), "klmno");
-    assertArrayEquals(reply.getContent().get(), "0987654321".getBytes());
-  }
-
-  private interface MockInputStream {
-    public int read();
-    public int read(byte[] input, int offset, int length);
-  }
-
-  private static class TrickleInputStream implements MockInputStream {
-
-    private final byte[] data;
-    private int index = 0;
-
-    private TrickleInputStream(byte[] data) {
-      this.data = data;
-    }
-
-    public int read() {
-      return data[index++];
-    }
-
-    public int read(byte[] input, int offset, int length) {
-      input[offset] = data[index++];
-      return 1;
-    }
-
-  }
-
-  private static class FullInputStream implements MockInputStream {
-
-    private final byte[] data;
-    private int index = 0;
-
-    private FullInputStream(byte[] data) {
-      this.data = data;
-    }
-
-    public int read() {
-      return data[index++];
-    }
-
-    public int read(byte[] input, int offset, int length) {
-      int amount = Math.min(data.length - index, length);
-      System.arraycopy(data, index, input, offset, amount);
-      index += length;
-
-      return amount;
-    }
-  }
-
-  private static class RandomInputStream implements MockInputStream {
-    private final byte[] data;
-    private int index = 0;
-
-    private RandomInputStream(byte[] data) {
-      this.data = data;
-    }
-
-    public int read() {
-      return data[index++];
-    }
-
-    public int read(byte[] input, int offset, int length) {
-      int maxCopy    = Math.min(data.length - index, length);
-      int randomCopy = new SecureRandom().nextInt(maxCopy) + 1;
-      int copyAmount = Math.min(maxCopy, randomCopy);
-
-      System.arraycopy(data, index, input, offset, copyAmount);
-      index += copyAmount;
-
-      return copyAmount;
-    }
-
-  }
-
-}

redis-dispatch/src/test/java/org/whispersystems/dispatch/redis/protocol/ArrayReplyHeaderTest.java

@@ -1,55 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis.protocol;
-
-
-import org.junit.Test;
-
-import java.io.IOException;
-
-import static org.junit.Assert.assertEquals;
-
-public class ArrayReplyHeaderTest {
-
-
-  @Test(expected = IOException.class)
-  public void testNull() throws IOException {
-    new ArrayReplyHeader(null);
-  }
-
-  @Test(expected = IOException.class)
-  public void testBadPrefix() throws IOException {
-    new ArrayReplyHeader(":3");
-  }
-
-  @Test(expected = IOException.class)
-  public void testEmpty() throws IOException {
-    new ArrayReplyHeader("");
-  }
-
-  @Test(expected = IOException.class)
-  public void testTruncated() throws IOException {
-    new ArrayReplyHeader("*");
-  }
-
-  @Test(expected = IOException.class)
-  public void testBadNumber() throws IOException {
-    new ArrayReplyHeader("*ABC");
-  }
-
-  @Test
-  public void testValid() throws IOException {
-    assertEquals(4, new ArrayReplyHeader("*4").getElementCount());
-  }
-
-
-
-
-
-
-
-
-
-}

redis-dispatch/src/test/java/org/whispersystems/dispatch/redis/protocol/IntReplyHeaderTest.java

@@ -1,39 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis.protocol;
-
-import org.junit.Test;
-
-import java.io.IOException;
-
-import static org.junit.Assert.assertEquals;
-
-public class IntReplyHeaderTest {
-
-  @Test(expected = IOException.class)
-  public void testNull() throws IOException {
-    new IntReply(null);
-  }
-
-  @Test(expected = IOException.class)
-  public void testEmpty() throws IOException {
-    new IntReply("");
-  }
-
-  @Test(expected = IOException.class)
-  public void testBadNumber() throws IOException {
-    new IntReply(":A");
-  }
-
-  @Test(expected = IOException.class)
-  public void testBadFormat() throws IOException {
-    new IntReply("*");
-  }
-
-  @Test
-  public void testValid() throws IOException {
-    assertEquals(23, new IntReply(":23").getValue());
-  }
-}

redis-dispatch/src/test/java/org/whispersystems/dispatch/redis/protocol/StringReplyHeaderTest.java

@@ -1,51 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis.protocol;
-
-import org.junit.Test;
-
-import java.io.IOException;
-
-import static org.junit.Assert.assertEquals;
-
-public class StringReplyHeaderTest {
-
-  @Test
-  public void testNull() {
-    try {
-      new StringReplyHeader(null);
-      throw new AssertionError();
-    } catch (IOException e) {
-      // good
-    }
-  }
-
-  @Test
-  public void testBadNumber() {
-    try {
-      new StringReplyHeader("$100A");
-      throw new AssertionError();
-    } catch (IOException e) {
-      // good
-    }
-  }
-
-  @Test
-  public void testBadPrefix() {
-    try {
-      new StringReplyHeader("*");
-      throw new AssertionError();
-    } catch (IOException e) {
-      // good
-    }
-  }
-
-  @Test
-  public void testValid() throws IOException {
-    assertEquals(1000, new StringReplyHeader("$1000").getStringLength());
-  }
-
-
-}

service/config/sample-secrets-bundle.yml

@@ -0,0 +1,97 @@
+datadog.apiKey: unset
+
+stripe.apiKey: unset
+stripe.idempotencyKeyGenerator: abcdefg12345678= # base64 for creating request idempotency hash
+
+braintree.privateKey: unset
+
+directoryV2.client.userAuthenticationTokenSharedSecret: abcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with CDS to generate auth tokens for Signal users
+directoryV2.client.userIdTokenSharedSecret: bbcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with CDS to generate auth identity tokens for Signal users
+
+svr2.userAuthenticationTokenSharedSecret: abcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with SVR2 to generate auth tokens for Signal users
+svr2.userIdTokenSharedSecret: bbcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with SVR2 to generate auth identity tokens for Signal users
+
+svr3.userAuthenticationTokenSharedSecret: cbcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with SVR3 to generate auth tokens for Signal users
+svr3.userIdTokenSharedSecret: dbcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with SVR3 to generate auth identity tokens for Signal users
+
+tus.userAuthenticationTokenSharedSecret: abcdefghijklmnopqrstuvwxyz0123456789ABCDEFG=
+
+awsAttachments.accessKey: test
+awsAttachments.accessSecret: test
+
+gcpAttachments.rsaSigningKey: |
+  -----BEGIN PRIVATE KEY-----
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  AAAAAAAA
+  -----END PRIVATE KEY-----
+
+apn.teamId: team-id
+apn.keyId: key-id
+apn.signingKey: |
+  -----BEGIN PRIVATE KEY-----
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  AAAAAAAA
+  -----END PRIVATE KEY-----
+
+fcm.credentials: |
+  { "json": true }
+
+cdn.accessKey: test    # AWS Access Key ID
+cdn.accessSecret: test # AWS Access Secret
+
+cdn3StorageManager.clientSecret: test
+
+unidentifiedDelivery.certificate: ABCD1234
+unidentifiedDelivery.privateKey: ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789AAAAAAA
+
+hCaptcha.apiKey: unset
+
+storageService.userAuthenticationTokenSharedSecret: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
+
+zkConfig-libsignal-0.37.serverSecret: ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzAA==
+
+genericZkConfig.serverSecret: ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzAA==
+callingZkConfig.serverSecret: ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzAA==
+backupsZkConfig.serverSecret: ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzAA==
+
+paymentsService.userAuthenticationTokenSharedSecret: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= # base64-encoded 32-byte secret shared with MobileCoin services used to generate auth tokens for Signal users
+paymentsService.fixerApiKey: unset
+paymentsService.coinMarketCapApiKey: unset
+
+artService.userAuthenticationTokenSharedSecret: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= # base64-encoded 32-byte secret not shared with any external service, but used in ArtController
+artService.userAuthenticationTokenUserIdSecret: AAAAAAAAAAA= # base64-encoded secret to obscure user phone numbers from Sticker Creator
+
+currentReportingKey.secret: AAAAAAAAAAA=
+currentReportingKey.salt: AAAAAAAAAAA=
+
+turn.secret: AAAAAAAAAAA=
+
+linkDevice.secret: AAAAAAAAAAA=
+
+tlsKeyStore.password: unset

service/config/sample.yml

@@ -1,296 +1,474 @@
+# Example, relatively minimal, configuration that passes validation (see `io.dropwizard.cli.CheckCommand`)
+#
+# `unset` values will need to be set to work properly.
+# Most other values are technically valid for a local/demonstration environment, but are probably not production-ready.
+
+logging:
+  level: INFO
+  appenders:
+    - type: console
+      threshold: ALL
+      timeZone: UTC
+      target: stdout
+    - type: logstashtcpsocket
+      destination: example.com:10516
+      apiKey: secret://datadog.apiKey
+      environment: staging
+
+metrics:
+  reporters:
+    - type: signal-datadog
+      frequency: 10 seconds
+      tags:
+        - "env:staging"
+        - "service:chat"
+      udpTransport:
+        statsdHost: localhost
+        port: 8125
+      excludesAttributes:
+        - m1_rate
+        - m5_rate
+        - m15_rate
+        - mean_rate
+        - stddev
+      useRegexFilters: true
+      excludes:
+        - ^.+\.total$
+        - ^.+\.request\.filtering$
+        - ^.+\.response\.filtering$
+        - ^executor\..+$
+        - ^lettuce\..+$
+  reportOnStop: true
+
+tlsKeyStore:
+  password: secret://tlsKeyStore.password
+
 stripe:
-  apiKey:
-  idempotencyKeyGenerator:
+  apiKey: secret://stripe.apiKey
+  idempotencyKeyGenerator: secret://stripe.idempotencyKeyGenerator
+  boostDescription: >
+    Example
+  supportedCurrenciesByPaymentMethod:
+    CARD:
+      - usd
+      - eur
+    SEPA_DEBIT:
+      - eur
+
+braintree:
+  merchantId: unset
+  publicKey: unset
+  privateKey: secret://braintree.privateKey
+  environment: unset
+  graphqlUrl: unset
+  merchantAccounts:
+    # ISO 4217 currency code and its corresponding sub-merchant account
+    'xts': unset
+  supportedCurrenciesByPaymentMethod:
+    PAYPAL:
+      - usd
 
 dynamoDbClientConfiguration:
-  region: # AWS Region
+  region: us-west-2 # AWS Region
 
 dynamoDbTables:
+  accounts:
+    tableName: Example_Accounts
+    phoneNumberTableName: Example_Accounts_PhoneNumbers
+    phoneNumberIdentifierTableName: Example_Accounts_PhoneNumberIdentifiers
+    usernamesTableName: Example_Accounts_Usernames
+  backups:
+    tableName: Example_Backups
+  clientReleases:
+    tableName: Example_ClientReleases
+  deletedAccounts:
+    tableName: Example_DeletedAccounts
+  deletedAccountsLock:
+    tableName: Example_DeletedAccountsLock
   issuedReceipts:
-    tableName: # DDB Table Name
-    expiration: # Duration of time until rows expire
-    generator: # random binary sequence
+    tableName: Example_IssuedReceipts
+    expiration: P30D # Duration of time until rows expire
+    generator: abcdefg12345678= # random base64-encoded binary sequence
+  ecKeys:
+    tableName: Example_Keys
+  ecSignedPreKeys:
+    tableName: Example_EC_Signed_Pre_Keys
+  pqKeys:
+    tableName: Example_PQ_Keys
+  pqLastResortKeys:
+    tableName: Example_PQ_Last_Resort_Keys
+  messages:
+    tableName: Example_Messages
+    expiration: P30D # Duration of time until rows expire
+  onetimeDonations:
+    tableName: Example_OnetimeDonations
+    expiration: P90D
+  phoneNumberIdentifiers:
+    tableName: Example_PhoneNumberIdentifiers
+  profiles:
+    tableName: Example_Profiles
+  pushChallenge:
+    tableName: Example_PushChallenge
   redeemedReceipts:
-    tableName: # DDB Table Name
-    expiration: # Duration of time until rows expire
+    tableName: Example_RedeemedReceipts
+    expiration: P30D # Duration of time until rows expire
+  registrationRecovery:
+    tableName: Example_RegistrationRecovery
+    expiration: P300D # Duration of time until rows expire
+  remoteConfig:
+    tableName: Example_RemoteConfig
+  reportMessage:
+    tableName: Example_ReportMessage
   subscriptions:
-    tableName: # DDB Table Name
-
-twilio: # Twilio gateway configuration
-  accountId: 
-  accountToken: 
-  nanpaMessagingServiceSid: # Twilio SID for the messaging service to use for NANPA.
-  messagingServiceSid: # Twilio SID for the message service to use for non-NANPA.
-  verifyServiceSid: # Twilio SID for a Verify service
-  localDomain: # Domain Twilio can connect back to for calls. Should be domain of your service.
-  defaultClientVerificationTexts:
-    ios: # Text to use for the verification message on iOS. Will be passed to String.format with the verification code as argument 1.
-    androidNg: # Text to use for the verification message on android-ng client types. Will be passed to String.format with the verification code as argument 1.
-    android202001: # Text to use for the verification message on android-2020-01 client types. Will be passed to String.format with the verification code as argument 1.
-    android202103: # Text to use for the verification message on android-2021-03 client types. Will be passed to String.format with the verification code as argument 1.
-    generic: # Text to use when the client type is unrecognized. Will be passed to String.format with the verification code as argument 1.
-  regionalClientVerificationTexts: # Map of country codes to custom texts
-    999: # example country code
-      ios:
-      # … all keys from defaultClientVerificationTexts are required
-  androidAppHash: # Hash appended to Android
-  verifyServiceFriendlyName: # Service name used in template. Requires Twilio account rep to enable
-
-push:
-  queueSize: # Size of push pending queue
-
-turn: # TURN server configuration
-  secret: # TURN server secret
-  uris:
-    - stun:yourdomain:80
-    - stun:yourdomain.com:443
-    - turn:yourdomain:443?transport=udp
-    - turn:etc.com:80?transport=udp
+    tableName: Example_Subscriptions
+  clientPublicKeys:
+    tableName: Example_ClientPublicKeys
+  verificationSessions:
+    tableName: Example_VerificationSessions
 
 cacheCluster: # Redis server configuration for cache cluster
-  urls:
-    - redis://redis.example.com:6379/
+  configurationUri: redis://redis.example.com:6379/
 
 clientPresenceCluster: # Redis server configuration for client presence cluster
-  urls:
-    - redis://redis.example.com:6379/
+  configurationUri: redis://redis.example.com:6379/
 
 pubsub: # Redis server configuration for pubsub cluster
-  url: redis://redis.example.com:6379/
-  replicaUrls:
-    - redis://redis.example.com:6379/
+  uri: redis://redis.example.com:6379/
 
 pushSchedulerCluster: # Redis server configuration for push scheduler cluster
-  urls:
-    - redis://redis.example.com:6379/
+  configurationUri: redis://redis.example.com:6379/
 
 rateLimitersCluster: # Redis server configuration for rate limiters cluster
-  urls:
-    - redis://redis.example.com:6379/
-
-directory:
-  client: # Configuration for interfacing with Contact Discovery Service cluster
-    userAuthenticationTokenSharedSecret: # hex-encoded secret shared with CDS used to generate auth tokens for Signal users
-    userAuthenticationTokenUserIdSecret: # hex-encoded secret shared among Signal-Servers to obscure user phone numbers from CDS
-  sqs:
-    accessKey:      # AWS SQS accessKey
-    accessSecret:   # AWS SQS accessSecret
-    queueUrls:      # AWS SQS queue urls
-      - https://sqs.example.com/directory.fifo
-  server: # One or more CDS servers
-    - replicationName:               # CDS replication name
-      replicationUrl:                # CDS replication endpoint base url
-      replicationPassword:           # CDS replication endpoint password
-      replicationCaCertificate:      # CDS replication endpoint TLS certificate trust root
+  configurationUri: redis://redis.example.com:6379/
 
 directoryV2:
   client: # Configuration for interfacing with Contact Discovery Service v2 cluster
-    userAuthenticationTokenSharedSecret: # base64-encoded secret shared with CDS to generate auth tokens for Signal users
+    userAuthenticationTokenSharedSecret: secret://directoryV2.client.userAuthenticationTokenSharedSecret
+    userIdTokenSharedSecret: secret://directoryV2.client.userIdTokenSharedSecret
+
+svr2:
+  uri: svr2.example.com
+  userAuthenticationTokenSharedSecret: secret://svr2.userAuthenticationTokenSharedSecret
+  userIdTokenSharedSecret: secret://svr2.userIdTokenSharedSecret
+  svrCaCertificates:
+    - |
+      -----BEGIN CERTIFICATE-----
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      AAAAAAAAAAAAAAAAAAAA
+      -----END CERTIFICATE-----
+
+svr3:
+  uri: svr3.example.com
+  userAuthenticationTokenSharedSecret: secret://svr3.userAuthenticationTokenSharedSecret
+  userIdTokenSharedSecret: secret://svr3.userIdTokenSharedSecret
+  svrCaCertificates:
+    - |
+      -----BEGIN CERTIFICATE-----
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      AAAAAAAAAAAAAAAAAAAA
+      -----END CERTIFICATE-----
+
 
 messageCache: # Redis server configuration for message store cache
-  persistDelayMinutes:
-
+  persistDelayMinutes: 1
   cluster:
-    urls:
-      - redis://redis.example.com:6379/
+    configurationUri: redis://redis.example.com:6379/
 
 metricsCluster:
-  urls:
-    - redis://redis.example.com:6379/
-
-messageDynamoDb: # DynamoDB table configuration
-  region:
-  tableName:
-
-keysDynamoDb: # DynamoDB table configuration
-  region:
-  tableName:
-
-accountsDynamoDb: # DynamoDB table configuration
-  region:
-  tableName:
-  phoneNumberTableName:
-
-deletedAccountsDynamoDb: # DynamoDb table configuration
-  region:
-  tableName:
-  needsReconciliationIndexName:
-
-deletedAccountsLockDynamoDb: # DynamoDb table configuration
-  region:
-  tableName:
-
-redeemedReceiptsDynamoDb: # DynamoDB table configuration
-  region:
-  tableName:
-  expirationTime: # ISO8601 Duration
-
-migrationDeletedAccountsDynamoDb: # DynamoDB table configuration
-  region:
-  tableName:
-
-migrationRetryAccountsDynamoDb: # DynamoDB table configuration
-  region:
-  tableName:
-
-pendingAccountsDynamoDb: # DynamoDB table configuration
-  region:
-  tableName:
-
-pendingDevicesDynamoDb: # DynamoDB table configuration
-  region:
-  tableName:
-
-pushChallengeDynamoDb: # DynamoDB table configuration
-  region:
-  tableName:
-
-reportMessageDynamoDb: # DynamoDB table configuration
-  region:
-  tableName:
+  configurationUri: redis://redis.example.com:6379/
 
 awsAttachments: # AWS S3 configuration
-  accessKey:
-  accessSecret:
-  bucket:
-  region:
+  accessKey: secret://awsAttachments.accessKey
+  accessSecret: secret://awsAttachments.accessSecret
+  bucket: aws-attachments
+  region: us-west-2
 
 gcpAttachments: # GCP Storage configuration
-  domain:
-  email:
-  maxSizeInBytes:
+  domain: example.com
+  email: user@example.cocm
+  maxSizeInBytes: 1024
   pathPrefix:
-  rsaSigningKey:
+  rsaSigningKey: secret://gcpAttachments.rsaSigningKey
 
-abuseDatabase: # Postgresql database configuration
-  driverClass: org.postgresql.Driver
-  user:
-  password:
-  url:
-
-accountsDatabase: # Postgresql database configuration
-  driverClass: org.postgresql.Driver
-  user:
-  password:
-  url:
-
-accountDatabaseCrawler:
-  chunkSize: # accounts per run
-  chunkIntervalMs: # time per run
-
-dynamoDbMigrationCrawler:
-  chunkSize: # accounts per run
-  chunkIntervalMs: # time per run
+tus:
+  uploadUri: https://example.org/upload
+  userAuthenticationTokenSharedSecret: secret://tus.userAuthenticationTokenSharedSecret
 
 apn: # Apple Push Notifications configuration
   sandbox: true
-  bundleId:
-  keyId:
-  teamId:
-  signingKey:
+  bundleId: com.example.textsecuregcm
+  keyId: secret://apn.keyId
+  teamId: secret://apn.teamId
+  signingKey: secret://apn.signingKey
 
-gcm: # GCM Configuration
-  senderId:
-  apiKey:
+fcm: # FCM configuration
+  credentials: secret://fcm.credentials
 
 cdn:
-  accessKey: # AWS Access Key ID
-  accessSecret: # AWS Access Secret
-  bucket: # S3 Bucket name
-  region: # AWS region
+  accessKey: secret://cdn.accessKey
+  accessSecret: secret://cdn.accessSecret
+  bucket: cdn        # S3 Bucket name
+  region: us-west-2  # AWS region
 
-datadog:
-  apiKey:
-  environment:
+clientCdn:
+  attachmentUrls:
+    2: https://cdn2.example.com/attachments/
+  caCertificates:
+    - |
+      -----BEGIN CERTIFICATE-----
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      AAAAAAAAAAAAAAAAAAAA
+      -----END CERTIFICATE-----
+
+cdn3StorageManager:
+  baseUri: https://storage-manager.example.com
+  clientId: example
+  clientSecret: secret://cdn3StorageManager.clientSecret
+
+dogstatsd:
+  environment: dev
+  host: 127.0.0.1
 
 unidentifiedDelivery:
-  certificate:
-  privateKey:
-  expiresDays:
-
-voiceVerification:
-  url: https://cdn-ca.signal.org/verification/
-  locales:
-    - en
+  certificate: secret://unidentifiedDelivery.certificate
+  privateKey: secret://unidentifiedDelivery.privateKey
+  expiresDays: 7
 
 recaptcha:
-  secret:
+  projectPath: projects/example
+  credentialConfigurationJson: "{ }" # service account configuration for backend authentication
 
-recaptchaV2:
-  siteKey:
-  scoreFloor:
-  projectPath:
-  credentialConfigurationJson:
+hCaptcha:
+  apiKey: secret://hCaptcha.apiKey
+
+shortCode:
+  baseUrl: https://example.com/shortcodes/
 
 storageService:
-  uri:
-  userAuthenticationTokenSharedSecret:
-  storageCaCertificate:
-
-backupService:
-  uri:
-  userAuthenticationTokenSharedSecret:
-  backupCaCertificate:
+  uri: storage.example.com
+  userAuthenticationTokenSharedSecret: secret://storageService.userAuthenticationTokenSharedSecret
+  storageCaCertificates:
+    - |
+      -----BEGIN CERTIFICATE-----
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      AAAAAAAAAAAAAAAAAAAA
+      -----END CERTIFICATE-----
 
 zkConfig:
-  serverPublic:
-  serverSecret:
-  enabled:
+  serverPublic: ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  serverSecret: secret://zkConfig-libsignal-0.37.serverSecret
+
+callingZkConfig:
+  serverSecret: secret://callingZkConfig.serverSecret
+
+backupsZkConfig:
+  serverSecret: secret://backupsZkConfig.serverSecret
 
 appConfig:
-  application:
-  environment:
-  configuration:
+  application: example
+  environment: example
+  configuration: example
 
 remoteConfig:
-  authorizedTokens:
-    - # 1st authorized token
-    - # 2nd authorized token
-    - # ...
-    - # Nth authorized token
   globalConfig: # keys and values that are given to clients on GET /v1/config
-
+    EXAMPLE_KEY: VALUE
 
 paymentsService:
-  userAuthenticationTokenSharedSecret: # hex-encoded 32-byte secret shared with MobileCoin services used to generate auth tokens for Signal users
-  fixerApiKey:
+  userAuthenticationTokenSharedSecret: secret://paymentsService.userAuthenticationTokenSharedSecret
+  fixerApiKey: secret://paymentsService.fixerApiKey
+  coinMarketCapApiKey: secret://paymentsService.coinMarketCapApiKey
+  coinMarketCapCurrencyIds:
+    MOB: 7878
   paymentCurrencies:
-    -
+    # list of symbols for supported currencies
+    - MOB
 
-torExitNodeList:
-  s3Region:
-  s3Bucket:
-  objectKey:
-  maxSize:
-
-asnTable:
-  s3Region:
-  s3Bucket:
-  objectKey:
-  maxSize:
-
-donation:
-  uri: # value
-  supportedCurrencies:
-    - # 1st supported currency
-    - # 2nd supported currency
-    - # ...
-    - # Nth supported currency
-  circuitBreaker:
-    failureRateThreshold: # value
-    ringBufferSizeInHalfOpenState: # value
-    ringBufferSizeInClosedState: # value
-    waitDurationInOpenStateInSeconds: # value
-  retry:
-    maxAttempts: # value
-    waitDuration: # value
+artService:
+  userAuthenticationTokenSharedSecret: secret://artService.userAuthenticationTokenSharedSecret
+  userAuthenticationTokenUserIdSecret: secret://artService.userAuthenticationTokenUserIdSecret
 
 badges:
   badges:
     - id: TEST
-      imageUrl: https://example.com/test-badge
       category: other
+      sprites: # exactly 6
+        - sprite-1.png
+        - sprite-2.png
+        - sprite-3.png
+        - sprite-4.png
+        - sprite-5.png
+        - sprite-6.png
+      svg: example.svg
+      svgs:
+        - light: example-light.svg
+          dark: example-dark.svg
   badgeIdsEnabledForAll:
     - TEST
   receiptLevels:
     '1': TEST
+
+subscription: # configuration for Stripe subscriptions
+  badgeExpiration: P30D
+  badgeGracePeriod: P15D
+  levels:
+    500:
+      badge: EXAMPLE
+      prices:
+        # list of ISO 4217 currency codes and amounts for the given badge level
+        xts:
+          amount: '10'
+          processorIds:
+            STRIPE: price_example   # stripe Price ID
+            BRAINTREE: plan_example # braintree Plan ID
+
+oneTimeDonations:
+  sepaMaximumEuros: '10000'
+  boost:
+    level: 1
+    expiration: P90D
+    badge: EXAMPLE
+  gift:
+    level: 10
+    expiration: P90D
+    badge: EXAMPLE
+  currencies:
+    # ISO 4217 currency codes and amounts in those currencies
+    xts:
+      minimum: '0.5'
+      gift: '2'
+      boosts:
+        - '1'
+        - '2'
+        - '4'
+        - '8'
+        - '20'
+        - '40'
+
+registrationService:
+  host: registration.example.com
+  port: 443
+  credentialConfigurationJson: |
+    {
+      "example": "example"
+    }
+  identityTokenAudience: https://registration.example.com
+  registrationCaCertificate: | # Registration service TLS certificate trust root
+    -----BEGIN CERTIFICATE-----
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    AAAAAAAAAAAAAAAAAAAA
+    -----END CERTIFICATE-----
+
+turn:
+  secret: secret://turn.secret
+
+linkDevice:
+  secret: secret://linkDevice.secret
+
+maxmindCityDatabase:
+  s3Region: a-region
+  s3Bucket: a-bucket
+  objectKey: an-object.tar.gz
+  maxSize: 32777216
+
+callingTurnDnsRecords:
+  s3Region: a-region
+  s3Bucket: a-bucket
+  objectKey: an-object.tar.gz
+  maxSize: 32777216
+
+callingTurnPerformanceTable:
+  s3Region: a-region
+  s3Bucket: a-bucket
+  objectKey: an-object.tar.gz
+  maxSize: 32777216
+
+callingTurnManualTable:
+  s3Region: a-region
+  s3Bucket: a-bucket
+  objectKey: an-object.tar.gz
+  maxSize: 32777216

service/pom.xml

@@ -10,20 +10,25 @@
   <modelVersion>4.0.0</modelVersion>
   <artifactId>service</artifactId>
 
-  <pluginRepositories>
-    <pluginRepository>
-      <id>ossrh-snapshots</id>
-      <url>https://oss.sonatype.org/content/repositories/snapshots</url>
-      <releases>
-        <enabled>false</enabled>
-      </releases>
-      <snapshots>
-        <enabled>true</enabled>
-      </snapshots>
-    </pluginRepository>
-  </pluginRepositories>
+  <properties>
+    <firebase-admin.version>9.2.0</firebase-admin.version>
+    <java-uuid-generator.version>4.3.0</java-uuid-generator.version>
+    <sqlite4java.version>1.0.392</sqlite4java.version>
+  </properties>
 
   <dependencies>
+    <dependency>
+      <groupId>io.swagger.core.v3</groupId>
+      <artifactId>swagger-jaxrs2</artifactId>
+      <version>${swagger.version}</version>
+      <exclusions>
+        <!-- org.yaml:snakeyaml is causing a dependency convergence error -->
+        <exclusion>
+          <groupId>org.yaml</groupId>
+          <artifactId>snakeyaml</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
     <dependency>
       <groupId>jakarta.servlet</groupId>
       <artifactId>jakarta.servlet-api</artifactId>
@@ -37,40 +42,25 @@
       <artifactId>jakarta.ws.rs-api</artifactId>
     </dependency>
 
-    <dependency>
-      <groupId>org.whispersystems.textsecure</groupId>
-      <artifactId>redis-dispatch</artifactId>
-      <version>${project.version}</version>
-    </dependency>
     <dependency>
       <groupId>org.whispersystems.textsecure</groupId>
       <artifactId>websocket-resources</artifactId>
       <version>${project.version}</version>
     </dependency>
-    <dependency>
-      <groupId>org.whispersystems.textsecure</groupId>
-      <artifactId>gcm-sender-async</artifactId>
-      <version>${project.version}</version>
-    </dependency>
     <dependency>
       <groupId>org.signal</groupId>
-      <artifactId>zkgroup-java</artifactId>
-      <version>0.8.2</version>
+      <artifactId>libsignal-server</artifactId>
     </dependency>
+
     <dependency>
-      <groupId>org.whispersystems</groupId>
-      <artifactId>curve25519-java</artifactId>
-      <version>0.5.0</version>
+      <groupId>org.signal.forks</groupId>
+      <artifactId>noise-java</artifactId>
     </dependency>
 
     <dependency>
       <groupId>io.dropwizard</groupId>
       <artifactId>dropwizard-core</artifactId>
     </dependency>
-    <dependency>
-      <groupId>io.dropwizard</groupId>
-      <artifactId>dropwizard-jdbi3</artifactId>
-    </dependency>
     <dependency>
       <groupId>io.dropwizard</groupId>
       <artifactId>dropwizard-auth</artifactId>
@@ -81,7 +71,7 @@
     </dependency>
     <dependency>
       <groupId>io.dropwizard</groupId>
-      <artifactId>dropwizard-db</artifactId>
+      <artifactId>dropwizard-http2</artifactId>
     </dependency>
     <dependency>
       <groupId>io.dropwizard</groupId>
@@ -142,24 +132,10 @@
       <artifactId>logstash-logback-encoder</artifactId>
     </dependency>
 
-    <dependency>
-      <groupId>org.jdbi</groupId>
-      <artifactId>jdbi3-core</artifactId>
-    </dependency>
-
-    <dependency>
-      <groupId>org.liquibase</groupId>
-      <artifactId>liquibase-core</artifactId>
-    </dependency>
-
     <dependency>
       <groupId>io.dropwizard.metrics</groupId>
       <artifactId>metrics-core</artifactId>
     </dependency>
-    <dependency>
-      <groupId>io.dropwizard.metrics</groupId>
-      <artifactId>metrics-jdbi3</artifactId>
-    </dependency>
     <dependency>
       <groupId>io.dropwizard.metrics</groupId>
       <artifactId>metrics-healthchecks</artifactId>
@@ -191,26 +167,64 @@
       <scope>test</scope>
     </dependency>
 
+    <dependency>
+      <groupId>party.iroiro.luajava</groupId>
+      <artifactId>luajava</artifactId>
+      <version>${luajava.version}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>party.iroiro.luajava</groupId>
+      <artifactId>lua51</artifactId>
+      <version>${luajava.version}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>party.iroiro.luajava</groupId>
+      <artifactId>lua51-platform</artifactId>
+      <version>${luajava.version}</version>
+      <classifier>natives-desktop</classifier>
+      <scope>runtime</scope>
+    </dependency>
+
     <dependency>
       <groupId>org.eclipse.jetty.websocket</groupId>
-      <artifactId>websocket-api</artifactId>
+      <artifactId>websocket-jetty-api</artifactId>
     </dependency>
     <dependency>
       <groupId>org.eclipse.jetty</groupId>
       <artifactId>jetty-servlets</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.eclipse.jetty.websocket</groupId>
+      <artifactId>websocket-jetty-client</artifactId>
+      <scope>test</scope>
+    </dependency>
 
     <dependency>
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-lang3</artifactId>
     </dependency>
     <dependency>
-      <groupId>commons-codec</groupId>
-      <artifactId>commons-codec</artifactId>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-csv</artifactId>
     </dependency>
     <dependency>
       <groupId>org.apache.commons</groupId>
-      <artifactId>commons-csv</artifactId>
+      <artifactId>commons-compress</artifactId>
+      <version>1.26.0</version>
+    </dependency>
+
+    <dependency>
+      <groupId>com.maxmind.geoip2</groupId>
+      <artifactId>geoip2</artifactId>
+      <version>4.2.0</version>
+    </dependency>
+
+    <dependency>
+      <groupId>com.google.firebase</groupId>
+      <artifactId>firebase-admin</artifactId>
+      <version>${firebase-admin.version}</version>
     </dependency>
 
     <dependency>
@@ -226,6 +240,29 @@
       <groupId>io.github.resilience4j</groupId>
       <artifactId>resilience4j-retry</artifactId>
     </dependency>
+    <dependency>
+      <groupId>io.github.resilience4j</groupId>
+      <artifactId>resilience4j-reactor</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>io.grpc</groupId>
+      <artifactId>grpc-netty</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.grpc</groupId>
+      <artifactId>grpc-protobuf</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.grpc</groupId>
+      <artifactId>grpc-stub</artifactId>
+    </dependency>
+    <!-- Needed for gRPC with Java 9+ -->
+    <dependency>
+      <groupId>org.apache.tomcat</groupId>
+      <artifactId>annotations-api</artifactId>
+      <scope>provided</scope>
+    </dependency>
 
     <dependency>
       <groupId>io.micrometer</groupId>
@@ -233,7 +270,7 @@
     </dependency>
     <dependency>
       <groupId>io.micrometer</groupId>
-      <artifactId>micrometer-registry-datadog</artifactId>
+      <artifactId>micrometer-registry-statsd</artifactId>
     </dependency>
     <dependency>
       <groupId>org.coursera</groupId>
@@ -264,6 +301,19 @@
       <artifactId>jackson-jaxrs-json-provider</artifactId>
     </dependency>
 
+    <dependency>
+      <groupId>com.salesforce.servicelibs</groupId>
+      <artifactId>reactor-grpc-stub</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>software.amazon.awssdk</groupId>
+      <artifactId>apache-client</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>software.amazon.awssdk</groupId>
+      <artifactId>netty-nio-client</artifactId>
+    </dependency>
     <dependency>
       <groupId>software.amazon.awssdk</groupId>
       <artifactId>sts</artifactId>
@@ -272,10 +322,6 @@
       <groupId>software.amazon.awssdk</groupId>
       <artifactId>s3</artifactId>
     </dependency>
-    <dependency>
-      <groupId>software.amazon.awssdk</groupId>
-      <artifactId>sqs</artifactId>
-    </dependency>
     <dependency>
       <groupId>software.amazon.awssdk</groupId>
       <artifactId>dynamodb</artifactId>
@@ -285,17 +331,13 @@
       <artifactId>appconfig</artifactId>
     </dependency>
     <dependency>
-      <groupId>com.amazonaws</groupId>
-      <artifactId>aws-java-sdk-core</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>com.amazonaws</groupId>
-      <artifactId>aws-java-sdk-s3</artifactId>
+      <groupId>software.amazon.awssdk</groupId>
+      <artifactId>appconfigdata</artifactId>
     </dependency>
     <dependency>
       <groupId>com.amazonaws</groupId>
       <artifactId>dynamodb-lock-client</artifactId>
-      <version>1.1.0</version>
+      <version>1.2.0</version>
       <exclusions>
         <exclusion>
           <groupId>commons-logging</groupId>
@@ -304,22 +346,11 @@
       </exclusions>
     </dependency>
 
-    <dependency>
-      <groupId>redis.clients</groupId>
-      <artifactId>jedis</artifactId>
-    </dependency>
-
     <dependency>
       <groupId>io.lettuce</groupId>
       <artifactId>lettuce-core</artifactId>
     </dependency>
 
-    <dependency>
-      <groupId>org.postgresql</groupId>
-      <artifactId>postgresql</artifactId>
-      <scope>runtime</scope>
-    </dependency>
-
     <dependency>
       <groupId>com.eatthepath</groupId>
       <artifactId>pushy</artifactId>
@@ -329,12 +360,6 @@
       <artifactId>pushy-dropwizard-metrics-listener</artifactId>
     </dependency>
 
-    <dependency>
-      <groupId>io.netty</groupId>
-      <artifactId>netty-tcnative-boringssl-static</artifactId>
-      <scope>runtime</scope>
-    </dependency>
-
     <dependency>
       <groupId>com.vdurmont</groupId>
       <artifactId>semver4j</artifactId>
@@ -374,74 +399,70 @@
           <groupId>javax.servlet</groupId>
           <artifactId>javax.servlet-api</artifactId>
         </exclusion>
-        <exclusion>
-          <groupId>junit</groupId>
-          <artifactId>junit</artifactId>
-        </exclusion>
       </exclusions>
     </dependency>
 
-    <dependency>
-      <groupId>com.opentable.components</groupId>
-      <artifactId>otj-pg-embedded</artifactId>
-      <version>0.13.3</version>
-      <scope>test</scope>
-    </dependency>
-
     <dependency>
       <groupId>com.almworks.sqlite4java</groupId>
       <artifactId>sqlite4java</artifactId>
-      <version>1.0.392</version>
+      <version>${sqlite4java.version}</version>
       <scope>test</scope>
     </dependency>
 
     <dependency>
       <groupId>io.projectreactor</groupId>
       <artifactId>reactor-core</artifactId>
-      <version>3.3.16.RELEASE</version>
+    </dependency>
+    <dependency>
+      <groupId>io.projectreactor</groupId>
+      <artifactId>reactor-core-micrometer</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.vavr</groupId>
+      <artifactId>vavr</artifactId>
     </dependency>
 
-    <dependency>
-      <groupId>org.junit.jupiter</groupId>
-      <artifactId>junit-jupiter-api</artifactId>
-      <scope>test</scope>
-    </dependency>
     <dependency>
       <groupId>org.junit.jupiter</groupId>
       <artifactId>junit-jupiter-params</artifactId>
       <scope>test</scope>
     </dependency>
+
     <dependency>
-      <groupId>org.junit.vintage</groupId>
-      <artifactId>junit-vintage-engine</artifactId>
-      <scope>test</scope>
+      <groupId>io.projectreactor</groupId>
+      <artifactId>reactor-test</artifactId>
     </dependency>
 
     <dependency>
       <groupId>org.signal</groupId>
       <artifactId>embedded-redis</artifactId>
-      <version>0.8.1</version>
       <scope>test</scope>
     </dependency>
 
     <dependency>
       <groupId>com.fasterxml.uuid</groupId>
       <artifactId>java-uuid-generator</artifactId>
-      <version>3.2.0</version>
+      <version>${java-uuid-generator.version}</version>
       <scope>test</scope>
     </dependency>
 
     <dependency>
       <groupId>com.amazonaws</groupId>
       <artifactId>DynamoDBLocal</artifactId>
-      <version>1.16.0</version>
+      <version>1.23.0</version>
       <scope>test</scope>
-      <exclusions>
-        <exclusion>
-          <groupId>org.antlr</groupId>
-          <artifactId>antlr4-runtime</artifactId>
-        </exclusion>
-      </exclusions>
+    </dependency>
+    <dependency>
+      <groupId>io.github.ganadist.sqlite4java</groupId>
+      <artifactId>libsqlite4java-osx-aarch64</artifactId>
+      <version>${sqlite4java.version}</version>
+      <type>dylib</type>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>com.google.auth</groupId>
+      <artifactId>google-auth-library-oauth2-http</artifactId>
     </dependency>
 
     <dependency>
@@ -455,22 +476,34 @@
     </dependency>
 
     <dependency>
-      <groupId>pl.pragmatists</groupId>
-      <artifactId>JUnitParams</artifactId>
-      <version>1.1.1</version>
-      <scope>test</scope>
+      <groupId>com.braintreepayments.gateway</groupId>
+      <artifactId>braintree-java</artifactId>
     </dependency>
+
+    <dependency>
+      <groupId>com.apollographql.apollo3</groupId>
+      <artifactId>apollo-api-jvm</artifactId>
+      <version>3.8.2</version>
+
+      <exclusions>
+        <exclusion>
+          <groupId>org.jetbrains</groupId>
+          <artifactId>annotations</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+
   </dependencies>
 
   <profiles>
     <profile>
-      <id>exclude-abusive-message-filter</id>
+      <id>exclude-spam-filter</id>
       <build>
         <plugins>
           <plugin>
             <groupId>org.apache.maven.plugins</groupId>
             <artifactId>maven-shade-plugin</artifactId>
-            <version>3.2.4</version>
+            <version>3.5.1</version>
             <configuration>
               <createDependencyReducedPom>true</createDependencyReducedPom>
               <filters>
@@ -505,7 +538,7 @@
           <plugin>
             <groupId>org.apache.maven.plugins</groupId>
             <artifactId>maven-assembly-plugin</artifactId>
-            <version>3.3.0</version>
+            <version>3.6.0</version>
             <configuration>
               <descriptors>
                 <descriptor>assembly.xml</descriptor>
@@ -525,7 +558,7 @@
           <plugin>
             <groupId>org.codehaus.mojo</groupId>
             <artifactId>properties-maven-plugin</artifactId>
-            <version>1.0.0</version>
+            <version>1.2.0</version>
             <executions>
               <execution>
                 <id>read-deploy-configuration</id>
@@ -541,24 +574,64 @@
           </plugin>
 
           <plugin>
-            <groupId>org.signal</groupId>
-            <artifactId>s3-upload-maven-plugin</artifactId>
-            <version>1.6-SNAPSHOT</version>
-            <configuration>
-              <source>${project.build.directory}/${project.build.finalName}-bin.tar.gz</source>
-              <bucketName>${deploy.bucketName}</bucketName>
-              <region>${deploy.bucketRegion}</region>
-              <destination>${project.build.finalName}-bin.tar.gz</destination>
-            </configuration>
+            <groupId>com.google.cloud.tools</groupId>
+            <artifactId>jib-maven-plugin</artifactId>
             <executions>
               <execution>
-                <id>deploy-to-s3</id>
                 <phase>deploy</phase>
                 <goals>
-                  <goal>s3-upload</goal>
+                  <goal>build</goal>
                 </goals>
               </execution>
             </executions>
+            <configuration>
+              <from>
+                <image>eclipse-temurin@sha256:${docker.image.sha256}</image>
+              </from>
+              <to>
+                <image>${docker.repo}:${project.version}</image>
+              </to>
+              <container>
+                <mainClass>org.whispersystems.textsecuregcm.WhisperServerService</mainClass>
+                <jvmFlags>
+                  <jvmFlag>-server</jvmFlag>
+                  <jvmFlag>-Djava.awt.headless=true</jvmFlag>
+                  <jvmFlag>-Djdk.nio.maxCachedBufferSize=262144</jvmFlag>
+                  <jvmFlag>-Dlog4j2.formatMsgNoLookups=true</jvmFlag>
+                  <jvmFlag>-XX:MaxRAMPercentage=75</jvmFlag>
+                  <jvmFlag>-XX:+HeapDumpOnOutOfMemoryError</jvmFlag>
+                  <jvmFlag>-XX:HeapDumpPath=/tmp/heapdump.bin</jvmFlag>
+                </jvmFlags>
+                <ports>
+                  <port>8080</port>
+                </ports>
+                <creationTime>USE_CURRENT_TIMESTAMP</creationTime>
+              </container>
+              <extraDirectories>
+                <paths>
+                  <path>
+                    <from>${project.basedir}/config</from>
+                    <includes>*.yml</includes>
+                    <into>/usr/share/signal/</into>
+                  </path>
+                </paths>
+              </extraDirectories>
+            </configuration>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
+    <profile>
+      <id>include-spam-filter</id>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>com.google.cloud.tools</groupId>
+            <artifactId>jib-maven-plugin</artifactId>
+            <configuration>
+              <!-- we don't want jib to execute on this module -->
+              <skip>true</skip>
+            </configuration>
           </plugin>
         </plugins>
       </build>
@@ -582,6 +655,16 @@
         </executions>
       </plugin>
 
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <version>3.1.2</version>
+        <configuration>
+          <!-- work around PATCH not being a supported method on HttpUrlConnection -->
+          <argLine>--add-opens=java.base/java.net=ALL-UNNAMED</argLine>
+        </configuration>
+      </plugin>
+
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-jar-plugin</artifactId>
@@ -593,6 +676,53 @@
           </execution>
         </executions>
       </plugin>
+
+      <plugin>
+        <groupId>org.codehaus.mojo</groupId>
+        <artifactId>exec-maven-plugin</artifactId>
+        <version>3.1.0</version>
+        <executions>
+          <execution>
+            <id>check-all-service-config</id>
+            <phase>verify</phase>
+            <goals>
+              <goal>java</goal>
+            </goals>
+          </execution>
+        </executions>
+        <configuration>
+          <mainClass>org.whispersystems.textsecuregcm.CheckServiceConfigurations</mainClass>
+          <classpathScope>test</classpathScope>
+          <arguments>
+            <argument>${project.basedir}/config</argument>
+          </arguments>
+        </configuration>
+      </plugin>
+
+      <plugin>
+        <groupId>com.github.aoudiamoncef</groupId>
+        <artifactId>apollo-client-maven-plugin</artifactId>
+        <version>5.0.0</version>
+        <executions>
+          <execution>
+            <goals>
+              <goal>generate</goal>
+            </goals>
+            <configuration>
+              <services>
+                <braintree>
+                  <compilationUnit>
+                    <name>braintree</name>
+                    <compilerParams>
+                      <schemaPackageName>com.braintree.graphql.client</schemaPackageName>
+                    </compilerParams>
+                  </compilationUnit>
+                </braintree>
+              </services>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
     </plugins>
   </build>
 </project>

service/src/main/graphql/braintree/ChargePayPalOneTimePayment.graphql

@@ -0,0 +1,9 @@
+# https://graphql.braintreepayments.com/reference/#Mutation--chargePaymentMethod
+mutation ChargePayPalOneTimePayment($input: ChargePaymentMethodInput!) {
+  chargePaymentMethod(input: $input) {
+    transaction {
+      id,
+      status
+    }
+  }
+}

service/src/main/graphql/braintree/CreatePayPalBillingAgreement.graphql

@@ -0,0 +1,6 @@
+mutation CreatePayPalBillingAgreement($input: CreatePayPalBillingAgreementInput!) {
+  createPayPalBillingAgreement(input: $input) {
+    approvalUrl,
+    billingAgreementToken
+  }
+}

service/src/main/graphql/braintree/CreatePayPalOneTimePayment.graphql

@@ -0,0 +1,7 @@
+# https://graphql.braintreepayments.com/reference/#Mutation--createPayPalOneTimePayment
+mutation CreatePayPalOneTimePayment($input: CreatePayPalOneTimePaymentInput!) {
+  createPayPalOneTimePayment(input: $input) {
+    approvalUrl,
+    paymentId
+  }
+}

service/src/main/graphql/braintree/TokenizePayPalBillingAgreement.graphql

@@ -0,0 +1,7 @@
+mutation TokenizePayPalBillingAgreement($input: TokenizePayPalBillingAgreementInput!) {
+  tokenizePayPalBillingAgreement(input: $input) {
+    paymentMethod {
+      id
+    }
+  }
+}

service/src/main/graphql/braintree/TokenizePayPalOneTimePayment.graphql

@@ -0,0 +1,8 @@
+# https://graphql.braintreepayments.com/reference/#Mutation--tokenizePayPalOneTimePayment
+mutation TokenizePayPalOneTimePayment($input: TokenizePayPalOneTimePaymentInput!) {
+  tokenizePayPalOneTimePayment(input: $input) {
+    paymentMethod {
+      id
+    }
+  }
+}

service/src/main/graphql/braintree/VaultPaymentMethod.graphql

@@ -0,0 +1,7 @@
+mutation VaultPaymentMethod($input: VaultPaymentMethodInput!) {
+  vaultPaymentMethod(input: $input) {
+    paymentMethod {
+      id
+    }
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerConfiguration.java

@@ -1,71 +1,85 @@
 /*
- * Copyright 2013-2021 Signal Messenger, LLC
+ * Copyright 2013 Signal Messenger, LLC
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 package org.whispersystems.textsecuregcm;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
-import io.dropwizard.Configuration;
-import io.dropwizard.client.JerseyClientConfiguration;
+import io.dropwizard.core.Configuration;
+import java.time.Duration;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import javax.validation.Valid;
 import javax.validation.constraints.NotNull;
-import org.whispersystems.textsecuregcm.configuration.AbusiveMessageFilterConfiguration;
-import org.whispersystems.textsecuregcm.configuration.AccountDatabaseCrawlerConfiguration;
-import org.whispersystems.textsecuregcm.configuration.AccountsDatabaseConfiguration;
-import org.whispersystems.textsecuregcm.configuration.AccountsDynamoDbConfiguration;
+import org.whispersystems.textsecuregcm.attachments.TusConfiguration;
 import org.whispersystems.textsecuregcm.configuration.ApnConfiguration;
 import org.whispersystems.textsecuregcm.configuration.AppConfigConfiguration;
+import org.whispersystems.textsecuregcm.configuration.ArtServiceConfiguration;
 import org.whispersystems.textsecuregcm.configuration.AwsAttachmentsConfiguration;
 import org.whispersystems.textsecuregcm.configuration.BadgesConfiguration;
-import org.whispersystems.textsecuregcm.configuration.BoostConfiguration;
+import org.whispersystems.textsecuregcm.configuration.BraintreeConfiguration;
+import org.whispersystems.textsecuregcm.configuration.Cdn3StorageManagerConfiguration;
 import org.whispersystems.textsecuregcm.configuration.CdnConfiguration;
-import org.whispersystems.textsecuregcm.configuration.DatabaseConfiguration;
-import org.whispersystems.textsecuregcm.configuration.DatadogConfiguration;
-import org.whispersystems.textsecuregcm.configuration.DeletedAccountsDynamoDbConfiguration;
-import org.whispersystems.textsecuregcm.configuration.DirectoryConfiguration;
+import org.whispersystems.textsecuregcm.configuration.ClientCdnConfiguration;
+import org.whispersystems.textsecuregcm.configuration.ClientReleaseConfiguration;
 import org.whispersystems.textsecuregcm.configuration.DirectoryV2Configuration;
-import org.whispersystems.textsecuregcm.configuration.DonationConfiguration;
+import org.whispersystems.textsecuregcm.configuration.DogstatsdConfiguration;
 import org.whispersystems.textsecuregcm.configuration.DynamoDbClientConfiguration;
-import org.whispersystems.textsecuregcm.configuration.DynamoDbConfiguration;
 import org.whispersystems.textsecuregcm.configuration.DynamoDbTables;
-import org.whispersystems.textsecuregcm.configuration.GcmConfiguration;
+import org.whispersystems.textsecuregcm.configuration.FcmConfiguration;
 import org.whispersystems.textsecuregcm.configuration.GcpAttachmentsConfiguration;
+import org.whispersystems.textsecuregcm.configuration.GenericZkConfig;
+import org.whispersystems.textsecuregcm.configuration.HCaptchaConfiguration;
+import org.whispersystems.textsecuregcm.configuration.LinkDeviceSecretConfiguration;
 import org.whispersystems.textsecuregcm.configuration.MaxDeviceConfiguration;
+import org.whispersystems.textsecuregcm.configuration.MessageByteLimitCardinalityEstimatorConfiguration;
 import org.whispersystems.textsecuregcm.configuration.MessageCacheConfiguration;
-import org.whispersystems.textsecuregcm.configuration.MessageDynamoDbConfiguration;
+import org.whispersystems.textsecuregcm.configuration.MonitoredS3ObjectConfiguration;
+import org.whispersystems.textsecuregcm.configuration.OneTimeDonationConfiguration;
 import org.whispersystems.textsecuregcm.configuration.PaymentsServiceConfiguration;
-import org.whispersystems.textsecuregcm.configuration.PushConfiguration;
-import org.whispersystems.textsecuregcm.configuration.RateLimitsConfiguration;
 import org.whispersystems.textsecuregcm.configuration.RecaptchaConfiguration;
-import org.whispersystems.textsecuregcm.configuration.RecaptchaV2Configuration;
 import org.whispersystems.textsecuregcm.configuration.RedisClusterConfiguration;
 import org.whispersystems.textsecuregcm.configuration.RedisConfiguration;
+import org.whispersystems.textsecuregcm.configuration.RegistrationServiceConfiguration;
 import org.whispersystems.textsecuregcm.configuration.RemoteConfigConfiguration;
 import org.whispersystems.textsecuregcm.configuration.ReportMessageConfiguration;
-import org.whispersystems.textsecuregcm.configuration.SecureBackupServiceConfiguration;
 import org.whispersystems.textsecuregcm.configuration.SecureStorageServiceConfiguration;
+import org.whispersystems.textsecuregcm.configuration.SecureValueRecovery2Configuration;
+import org.whispersystems.textsecuregcm.configuration.SecureValueRecovery3Configuration;
+import org.whispersystems.textsecuregcm.configuration.ShortCodeExpanderConfiguration;
+import org.whispersystems.textsecuregcm.configuration.SpamFilterConfiguration;
 import org.whispersystems.textsecuregcm.configuration.StripeConfiguration;
 import org.whispersystems.textsecuregcm.configuration.SubscriptionConfiguration;
-import org.whispersystems.textsecuregcm.configuration.TestDeviceConfiguration;
-import org.whispersystems.textsecuregcm.configuration.TurnConfiguration;
-import org.whispersystems.textsecuregcm.configuration.TwilioConfiguration;
+import org.whispersystems.textsecuregcm.configuration.TlsKeyStoreConfiguration;
+import org.whispersystems.textsecuregcm.configuration.TurnSecretConfiguration;
 import org.whispersystems.textsecuregcm.configuration.UnidentifiedDeliveryConfiguration;
-import org.whispersystems.textsecuregcm.configuration.VoiceVerificationConfiguration;
+import org.whispersystems.textsecuregcm.configuration.VirtualThreadConfiguration;
 import org.whispersystems.textsecuregcm.configuration.ZkConfig;
+import org.whispersystems.textsecuregcm.limits.RateLimiterConfig;
 import org.whispersystems.websocket.configuration.WebSocketConfiguration;
 
 /** @noinspection MismatchedQueryAndUpdateOfCollection, WeakerAccess */
 public class WhisperServerConfiguration extends Configuration {
 
+  @NotNull
+  @Valid
+  @JsonProperty
+  private TlsKeyStoreConfiguration tlsKeyStore;
+
   @NotNull
   @Valid
   @JsonProperty
   private StripeConfiguration stripe;
 
+  @NotNull
+  @Valid
+  @JsonProperty
+  private BraintreeConfiguration braintree;
+
   @NotNull
   @Valid
   @JsonProperty
@@ -76,16 +90,6 @@ public class WhisperServerConfiguration extends Configuration {
   @JsonProperty
   private DynamoDbTables dynamoDbTables;
 
-  @NotNull
-  @Valid
-  @JsonProperty
-  private TwilioConfiguration twilio;
-
-  @NotNull
-  @Valid
-  @JsonProperty
-  private PushConfiguration push;
-
   @NotNull
   @Valid
   @JsonProperty
@@ -104,7 +108,17 @@ public class WhisperServerConfiguration extends Configuration {
   @NotNull
   @Valid
   @JsonProperty
-  private DatadogConfiguration datadog;
+  private ClientCdnConfiguration clientCdn;
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  private Cdn3StorageManagerConfiguration cdn3StorageManager;
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  private DogstatsdConfiguration dogstatsd = new DogstatsdConfiguration();
 
   @NotNull
   @Valid
@@ -121,11 +135,6 @@ public class WhisperServerConfiguration extends Configuration {
   @JsonProperty
   private RedisClusterConfiguration metricsCluster;
 
-  @NotNull
-  @Valid
-  @JsonProperty
-  private DirectoryConfiguration directory;
-
   @NotNull
   @Valid
   @JsonProperty
@@ -134,7 +143,11 @@ public class WhisperServerConfiguration extends Configuration {
   @NotNull
   @Valid
   @JsonProperty
-  private AccountDatabaseCrawlerConfiguration accountDatabaseCrawler;
+  private SecureValueRecovery2Configuration svr2;
+  @NotNull
+  @Valid
+  @JsonProperty
+  private SecureValueRecovery3Configuration svr3;
 
   @NotNull
   @Valid
@@ -159,62 +172,7 @@ public class WhisperServerConfiguration extends Configuration {
   @Valid
   @NotNull
   @JsonProperty
-  private MessageDynamoDbConfiguration messageDynamoDb;
-
-  @Valid
-  @NotNull
-  @JsonProperty
-  private DynamoDbConfiguration keysDynamoDb;
-
-  @Valid
-  @NotNull
-  @JsonProperty
-  private AccountsDynamoDbConfiguration accountsDynamoDb;
-
-  @Valid
-  @NotNull
-  @JsonProperty
-  private DynamoDbConfiguration phoneNumberIdentifiersDynamoDb;
-
-  @Valid
-  @NotNull
-  @JsonProperty
-  private DeletedAccountsDynamoDbConfiguration deletedAccountsDynamoDb;
-
-  @Valid
-  @NotNull
-  @JsonProperty
-  private DynamoDbConfiguration deletedAccountsLockDynamoDb;
-
-  @Valid
-  @NotNull
-  @JsonProperty
-  private DynamoDbConfiguration pushChallengeDynamoDb;
-
-  @Valid
-  @NotNull
-  @JsonProperty
-  private DynamoDbConfiguration reportMessageDynamoDb;
-
-  @Valid
-  @NotNull
-  @JsonProperty
-  private DynamoDbConfiguration pendingAccountsDynamoDb;
-
-  @Valid
-  @NotNull
-  @JsonProperty
-  private DynamoDbConfiguration pendingDevicesDynamoDb;
-
-  @Valid
-  @NotNull
-  @JsonProperty
-  private DatabaseConfiguration abuseDatabase;
-
-  @Valid
-  @NotNull
-  @JsonProperty
-  private List<TestDeviceConfiguration> testDevices = new LinkedList<>();
+  private Set<String> testDevices = new HashSet<>();
 
   @Valid
   @NotNull
@@ -224,17 +182,7 @@ public class WhisperServerConfiguration extends Configuration {
   @Valid
   @NotNull
   @JsonProperty
-  private AccountsDatabaseConfiguration accountsDatabase;
-
-  @Valid
-  @NotNull
-  @JsonProperty
-  private RateLimitsConfiguration limits = new RateLimitsConfiguration();
-
-  @Valid
-  @NotNull
-  @JsonProperty
-  private JerseyClientConfiguration httpClient = new JerseyClientConfiguration();
+  private Map<String, RateLimiterConfig> limits = new HashMap<>();
 
   @Valid
   @NotNull
@@ -244,12 +192,7 @@ public class WhisperServerConfiguration extends Configuration {
   @Valid
   @NotNull
   @JsonProperty
-  private TurnConfiguration turn;
-
-  @Valid
-  @NotNull
-  @JsonProperty
-  private GcmConfiguration gcm;
+  private FcmConfiguration fcm;
 
   @Valid
   @NotNull
@@ -261,11 +204,6 @@ public class WhisperServerConfiguration extends Configuration {
   @JsonProperty
   private UnidentifiedDeliveryConfiguration unidentifiedDelivery;
 
-  @Valid
-  @NotNull
-  @JsonProperty
-  private VoiceVerificationConfiguration voiceVerification;
-
   @Valid
   @NotNull
   @JsonProperty
@@ -274,28 +212,43 @@ public class WhisperServerConfiguration extends Configuration {
   @Valid
   @NotNull
   @JsonProperty
-  private RecaptchaV2Configuration recaptchaV2;
+  private HCaptchaConfiguration hCaptcha;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private ShortCodeExpanderConfiguration shortCode;
 
   @Valid
   @NotNull
   @JsonProperty
   private SecureStorageServiceConfiguration storageService;
 
-  @Valid
-  @NotNull
-  @JsonProperty
-  private SecureBackupServiceConfiguration backupService;
-
   @Valid
   @NotNull
   @JsonProperty
   private PaymentsServiceConfiguration paymentsService;
 
+  @Valid
+  @NotNull
+  @JsonProperty
+  private ArtServiceConfiguration artService;
+
   @Valid
   @NotNull
   @JsonProperty
   private ZkConfig zkConfig;
 
+  @Valid
+  @NotNull
+  @JsonProperty
+  private GenericZkConfig callingZkConfig;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private GenericZkConfig backupsZkConfig;
+
   @Valid
   @NotNull
   @JsonProperty
@@ -306,11 +259,6 @@ public class WhisperServerConfiguration extends Configuration {
   @JsonProperty
   private AppConfigConfiguration appConfig;
 
-  @Valid
-  @NotNull
-  @JsonProperty
-  private DonationConfiguration donation;
-
   @Valid
   @NotNull
   @JsonProperty
@@ -324,7 +272,7 @@ public class WhisperServerConfiguration extends Configuration {
   @Valid
   @JsonProperty
   @NotNull
-  private BoostConfiguration boost;
+  private OneTimeDonationConfiguration oneTimeDonations;
 
   @Valid
   @NotNull
@@ -333,14 +281,76 @@ public class WhisperServerConfiguration extends Configuration {
 
   @Valid
   @JsonProperty
-  private AbusiveMessageFilterConfiguration abusiveMessageFilter;
+  private SpamFilterConfiguration spamFilterConfiguration;
 
-  private Map<String, String> transparentDataIndex = new HashMap<>();
+  @Valid
+  @NotNull
+  @JsonProperty
+  private RegistrationServiceConfiguration registrationService;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private TurnSecretConfiguration turn;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private TusConfiguration tus;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private ClientReleaseConfiguration clientRelease = new ClientReleaseConfiguration(Duration.ofHours(4));
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private MessageByteLimitCardinalityEstimatorConfiguration messageByteLimitCardinalityEstimator = new MessageByteLimitCardinalityEstimatorConfiguration(Duration.ofDays(1));
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private LinkDeviceSecretConfiguration linkDevice;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private VirtualThreadConfiguration virtualThreadConfiguration = new VirtualThreadConfiguration(Duration.ofMillis(1));
+
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private MonitoredS3ObjectConfiguration maxmindCityDatabase;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private MonitoredS3ObjectConfiguration callingTurnDnsRecords;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private MonitoredS3ObjectConfiguration callingTurnPerformanceTable;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private MonitoredS3ObjectConfiguration callingTurnManualTable;
+
+  public TlsKeyStoreConfiguration getTlsKeyStoreConfiguration() {
+    return tlsKeyStore;
+  }
 
   public StripeConfiguration getStripe() {
     return stripe;
   }
 
+  public BraintreeConfiguration getBraintree() {
+    return braintree;
+  }
+
   public DynamoDbClientConfiguration getDynamoDbClientConfiguration() {
     return dynamoDbClientConfiguration;
   }
@@ -353,30 +363,18 @@ public class WhisperServerConfiguration extends Configuration {
     return recaptcha;
   }
 
-  public RecaptchaV2Configuration getRecaptchaV2Configuration() {
-    return recaptchaV2;
+  public HCaptchaConfiguration getHCaptchaConfiguration() {
+    return hCaptcha;
   }
 
-  public VoiceVerificationConfiguration getVoiceVerificationConfiguration() {
-    return voiceVerification;
+  public ShortCodeExpanderConfiguration getShortCodeRetrieverConfiguration() {
+    return shortCode;
   }
 
   public WebSocketConfiguration getWebSocketConfiguration() {
     return webSocket;
   }
 
-  public TwilioConfiguration getTwilioConfiguration() {
-    return twilio;
-  }
-
-  public PushConfiguration getPushConfiguration() {
-    return push;
-  }
-
-  public JerseyClientConfiguration getJerseyClientConfiguration() {
-    return httpClient;
-  }
-
   public AwsAttachmentsConfiguration getAwsAttachmentsConfiguration() {
     return awsAttachments;
   }
@@ -397,8 +395,12 @@ public class WhisperServerConfiguration extends Configuration {
     return metricsCluster;
   }
 
-  public DirectoryConfiguration getDirectoryConfiguration() {
-    return directory;
+
+  public SecureValueRecovery2Configuration getSvr2Configuration() {
+    return svr2;
+  }
+  public SecureValueRecovery3Configuration getSvr3Configuration() {
+    return svr3;
   }
 
   public DirectoryV2Configuration getDirectoryV2Configuration() {
@@ -409,10 +411,6 @@ public class WhisperServerConfiguration extends Configuration {
     return storageService;
   }
 
-  public AccountDatabaseCrawlerConfiguration getAccountDatabaseCrawlerConfiguration() {
-    return accountDatabaseCrawler;
-  }
-
   public MessageCacheConfiguration getMessageCacheConfiguration() {
     return messageCache;
   }
@@ -429,48 +427,12 @@ public class WhisperServerConfiguration extends Configuration {
     return rateLimitersCluster;
   }
 
-  public MessageDynamoDbConfiguration getMessageDynamoDbConfiguration() {
-    return messageDynamoDb;
-  }
-
-  public DynamoDbConfiguration getKeysDynamoDbConfiguration() {
-    return keysDynamoDb;
-  }
-
-  public AccountsDynamoDbConfiguration getAccountsDynamoDbConfiguration() {
-    return accountsDynamoDb;
-  }
-
-  public DynamoDbConfiguration getPhoneNumberIdentifiersDynamoDbConfiguration() {
-    return phoneNumberIdentifiersDynamoDb;
-  }
-
-  public DeletedAccountsDynamoDbConfiguration getDeletedAccountsDynamoDbConfiguration() {
-    return deletedAccountsDynamoDb;
-  }
-
-  public DynamoDbConfiguration getDeletedAccountsLockDynamoDbConfiguration() {
-    return deletedAccountsLockDynamoDb;
-  }
-
-  public DatabaseConfiguration getAbuseDatabaseConfiguration() {
-    return abuseDatabase;
-  }
-
-  public AccountsDatabaseConfiguration getAccountsDatabaseConfiguration() {
-    return accountsDatabase;
-  }
-
-  public RateLimitsConfiguration getLimitsConfiguration() {
+  public Map<String, RateLimiterConfig> getLimitsConfiguration() {
     return limits;
   }
 
-  public TurnConfiguration getTurnConfiguration() {
-    return turn;
-  }
-
-  public GcmConfiguration getGcmConfiguration() {
-    return gcm;
+  public FcmConfiguration getFcmConfiguration() {
+    return fcm;
   }
 
   public ApnConfiguration getApnConfiguration() {
@@ -481,23 +443,24 @@ public class WhisperServerConfiguration extends Configuration {
     return cdn;
   }
 
-  public DatadogConfiguration getDatadogConfiguration() {
-    return datadog;
+  public ClientCdnConfiguration getClientCdnConfiguration() {
+    return clientCdn;
+  }
+
+  public Cdn3StorageManagerConfiguration getCdn3StorageManagerConfiguration() {
+    return cdn3StorageManager;
+  }
+
+  public DogstatsdConfiguration getDatadogConfiguration() {
+    return dogstatsd;
   }
 
   public UnidentifiedDeliveryConfiguration getDeliveryCertificate() {
     return unidentifiedDelivery;
   }
 
-  public Map<String, Integer> getTestDevices() {
-    Map<String, Integer> results = new HashMap<>();
-
-    for (TestDeviceConfiguration testDeviceConfiguration : testDevices) {
-      results.put(testDeviceConfiguration.getNumber(),
-                  testDeviceConfiguration.getCode());
-    }
-
-    return results;
+  public Set<String> getTestDevices() {
+    return testDevices;
   }
 
   public Map<String, Integer> getMaxDevices() {
@@ -511,22 +474,26 @@ public class WhisperServerConfiguration extends Configuration {
     return results;
   }
 
-  public Map<String, String> getTransparentDataIndex() {
-    return transparentDataIndex;
-  }
-
-  public SecureBackupServiceConfiguration getSecureBackupServiceConfiguration() {
-    return backupService;
-  }
-
   public PaymentsServiceConfiguration getPaymentsServiceConfiguration() {
     return paymentsService;
   }
 
+  public ArtServiceConfiguration getArtServiceConfiguration() {
+    return artService;
+  }
+
   public ZkConfig getZkConfig() {
     return zkConfig;
   }
 
+  public GenericZkConfig getCallingZkConfig() {
+    return callingZkConfig;
+  }
+
+  public GenericZkConfig getBackupsZkConfig() {
+    return backupsZkConfig;
+  }
+
   public RemoteConfigConfiguration getRemoteConfigConfiguration() {
     return remoteConfig;
   }
@@ -535,26 +502,6 @@ public class WhisperServerConfiguration extends Configuration {
     return appConfig;
   }
 
-  public DynamoDbConfiguration getPushChallengeDynamoDbConfiguration() {
-    return pushChallengeDynamoDb;
-  }
-
-  public DynamoDbConfiguration getReportMessageDynamoDbConfiguration() {
-    return reportMessageDynamoDb;
-  }
-
-  public DynamoDbConfiguration getPendingAccountsDynamoDbConfiguration() {
-    return pendingAccountsDynamoDb;
-  }
-
-  public DynamoDbConfiguration getPendingDevicesDynamoDbConfiguration() {
-    return pendingDevicesDynamoDb;
-  }
-
-  public DonationConfiguration getDonationConfiguration() {
-    return donation;
-  }
-
   public BadgesConfiguration getBadges() {
     return badges;
   }
@@ -563,15 +510,59 @@ public class WhisperServerConfiguration extends Configuration {
     return subscription;
   }
 
-  public BoostConfiguration getBoost() {
-    return boost;
+  public OneTimeDonationConfiguration getOneTimeDonations() {
+    return oneTimeDonations;
   }
 
   public ReportMessageConfiguration getReportMessageConfiguration() {
     return reportMessage;
   }
 
-  public AbusiveMessageFilterConfiguration getAbusiveMessageFilterConfiguration() {
-    return abusiveMessageFilter;
+  public SpamFilterConfiguration getSpamFilterConfiguration() {
+    return spamFilterConfiguration;
+  }
+
+  public RegistrationServiceConfiguration getRegistrationServiceConfiguration() {
+    return registrationService;
+  }
+
+  public TurnSecretConfiguration getTurnSecretConfiguration() {
+    return turn;
+  }
+
+  public TusConfiguration getTus() {
+    return tus;
+  }
+
+  public ClientReleaseConfiguration getClientReleaseConfiguration() {
+    return clientRelease;
+  }
+
+  public MessageByteLimitCardinalityEstimatorConfiguration getMessageByteLimitCardinalityEstimator() {
+    return messageByteLimitCardinalityEstimator;
+  }
+
+  public LinkDeviceSecretConfiguration getLinkDeviceSecretConfiguration() {
+    return linkDevice;
+  }
+
+  public VirtualThreadConfiguration getVirtualThreadConfiguration() {
+    return virtualThreadConfiguration;
+  }
+
+  public MonitoredS3ObjectConfiguration getMaxmindCityDatabase() {
+    return maxmindCityDatabase;
+  }
+
+  public MonitoredS3ObjectConfiguration getCallingTurnDnsRecords() {
+    return callingTurnDnsRecords;
+  }
+
+  public MonitoredS3ObjectConfiguration getCallingTurnPerformanceTable() {
+    return callingTurnPerformanceTable;
+  }
+
+  public MonitoredS3ObjectConfiguration getCallingTurnManualTable() {
+    return callingTurnManualTable;
   }
 }

service/src/main/java/org/whispersystems/textsecuregcm/abuse/AbusiveMessageFilter.java

@@ -1,33 +0,0 @@
-/*
- * Copyright 2013-2021 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.abuse;
-
-import io.dropwizard.lifecycle.Managed;
-import javax.ws.rs.container.ContainerRequestFilter;
-import java.io.IOException;
-
-/**
- * An abusive message filter is a {@link ContainerRequestFilter} that filters requests to message-sending endpoints to
- * detect and respond to patterns of abusive behavior.
- * <p/>
- * Abusive message filters are managed components that are generally loaded dynamically via a
- * {@link java.util.ServiceLoader}. Their {@link #configure(String)} method will be called prior to be adding to the
- * server's pool of {@link Managed} objects.
- * <p/>
- * Abusive message filters must be annotated with {@link FilterAbusiveMessages}, a name binding annotation that
- * restricts the endpoints to which the filter may apply.
- */
-public interface AbusiveMessageFilter extends ContainerRequestFilter, Managed {
-
-  /**
-   * Configures this abusive message filter. This method will be called before the filter is added to the server's pool
-   * of managed objects and before the server processes any requests.
-   *
-   * @param environmentName the name of the environment in which this filter is running (e.g. "staging" or "production")
-   * @throws IOException if the filter could not read its configuration source for any reason
-   */
-  void configure(String environmentName) throws IOException;
-}

service/src/main/java/org/whispersystems/textsecuregcm/abuse/FilterAbusiveMessages.java

@@ -1,21 +0,0 @@
-/*
- * Copyright 2013-2021 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.abuse;
-
-import javax.ws.rs.NameBinding;
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-
-/**
- * A name-binding annotation that associates {@link AbusiveMessageFilter}s with resource methods.
- */
-@NameBinding
-@Retention(RetentionPolicy.RUNTIME)
-@Target({ElementType.TYPE, ElementType.METHOD})
-public @interface FilterAbusiveMessages {
-}

service/src/main/java/org/whispersystems/textsecuregcm/attachments/AttachmentGenerator.java

@@ -0,0 +1,15 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.attachments;
+import java.util.Map;
+
+public interface AttachmentGenerator {
+
+  record Descriptor(Map<String, String> headers, String signedUploadLocation) {}
+
+  Descriptor generateAttachment(final String key);
+
+}

service/src/main/java/org/whispersystems/textsecuregcm/attachments/GcsAttachmentGenerator.java

@@ -0,0 +1,54 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.attachments;
+
+import org.whispersystems.textsecuregcm.gcp.CanonicalRequest;
+import org.whispersystems.textsecuregcm.gcp.CanonicalRequestGenerator;
+import org.whispersystems.textsecuregcm.gcp.CanonicalRequestSigner;
+import javax.annotation.Nonnull;
+import java.io.IOException;
+import java.security.InvalidKeyException;
+import java.security.spec.InvalidKeySpecException;
+import java.time.ZoneOffset;
+import java.time.ZonedDateTime;
+import java.util.Map;
+
+public class GcsAttachmentGenerator implements AttachmentGenerator {
+  @Nonnull
+  private final CanonicalRequestGenerator canonicalRequestGenerator;
+
+  @Nonnull
+  private final CanonicalRequestSigner canonicalRequestSigner;
+
+  public GcsAttachmentGenerator(@Nonnull String domain, @Nonnull String email,
+      int maxSizeInBytes, @Nonnull String pathPrefix, @Nonnull String rsaSigningKey)
+      throws IOException, InvalidKeyException, InvalidKeySpecException {
+    this.canonicalRequestGenerator = new CanonicalRequestGenerator(domain, email, maxSizeInBytes, pathPrefix);
+    this.canonicalRequestSigner = new CanonicalRequestSigner(rsaSigningKey);
+  }
+
+  @Override
+  public Descriptor generateAttachment(final String key) {
+    final ZonedDateTime now = ZonedDateTime.now(ZoneOffset.UTC);
+    final CanonicalRequest canonicalRequest = canonicalRequestGenerator.createFor(key, now);
+    return new Descriptor(getHeaderMap(canonicalRequest), getSignedUploadLocation(canonicalRequest));
+  }
+
+  private String getSignedUploadLocation(@Nonnull CanonicalRequest canonicalRequest) {
+    return "https://" + canonicalRequest.getDomain() + canonicalRequest.getResourcePath()
+        + '?' + canonicalRequest.getCanonicalQuery()
+        + "&X-Goog-Signature=" + canonicalRequestSigner.sign(canonicalRequest);
+  }
+
+  private static Map<String, String> getHeaderMap(@Nonnull CanonicalRequest canonicalRequest) {
+    return Map.of(
+        "host", canonicalRequest.getDomain(),
+        "x-goog-content-length-range", "1," + canonicalRequest.getMaxSizeInBytes(),
+        "x-goog-resumable", "start");
+  }
+
+
+}

service/src/main/java/org/whispersystems/textsecuregcm/attachments/TusAttachmentGenerator.java

@@ -0,0 +1,47 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.attachments;
+
+import org.apache.http.HttpHeaders;
+import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentials;
+import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentialsGenerator;
+import org.whispersystems.textsecuregcm.util.HeaderUtils;
+import java.nio.charset.StandardCharsets;
+import java.time.Clock;
+import java.util.Base64;
+import java.util.Map;
+
+public class TusAttachmentGenerator implements AttachmentGenerator {
+
+  private static final String ATTACHMENTS = "attachments";
+
+  final ExternalServiceCredentialsGenerator credentialsGenerator;
+  final String tusUri;
+
+  public TusAttachmentGenerator(final TusConfiguration cfg) {
+    this.tusUri = cfg.uploadUri();
+    this.credentialsGenerator = credentialsGenerator(Clock.systemUTC(), cfg);
+  }
+
+  private static ExternalServiceCredentialsGenerator credentialsGenerator(final Clock clock, final TusConfiguration cfg) {
+    return ExternalServiceCredentialsGenerator
+        .builder(cfg.userAuthenticationTokenSharedSecret())
+        .prependUsername(false)
+        .withClock(clock)
+        .build();
+  }
+
+  @Override
+  public Descriptor generateAttachment(final String key) {
+    final ExternalServiceCredentials credentials = credentialsGenerator.generateFor(ATTACHMENTS + "/" + key);
+    final String b64Key = Base64.getEncoder().encodeToString(key.getBytes(StandardCharsets.UTF_8));
+    final Map<String, String> headers = Map.of(
+        HttpHeaders.AUTHORIZATION, HeaderUtils.basicAuthHeader(credentials),
+        "Upload-Metadata", String.format("filename %s", b64Key)
+    );
+    return new Descriptor(headers, tusUri + "/" +  ATTACHMENTS);
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/attachments/TusConfiguration.java

@@ -0,0 +1,15 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.attachments;
+
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretBytes;
+import org.whispersystems.textsecuregcm.util.ExactlySize;
+import javax.validation.constraints.NotEmpty;
+
+public record TusConfiguration(
+  @ExactlySize(32) SecretBytes userAuthenticationTokenSharedSecret,
+  @NotEmpty String uploadUri
+){}

service/src/main/java/org/whispersystems/textsecuregcm/auth/AccountAuthenticator.java

@@ -1,38 +1,153 @@
 /*
- * Copyright 2013-2021 Signal Messenger, LLC
+ * Copyright 2013 Signal Messenger, LLC
  * SPDX-License-Identifier: AGPL-3.0-only
  */
-package org.whispersystems.textsecuregcm.auth;
 
-import io.dropwizard.auth.Authenticator;
-import io.dropwizard.auth.basic.BasicCredentials;
-import java.util.Optional;
-import io.micrometer.core.instrument.Metrics;
-import org.whispersystems.textsecuregcm.storage.AccountsManager;
+package org.whispersystems.textsecuregcm.auth;
 
 import static com.codahale.metrics.MetricRegistry.name;
 
-public class AccountAuthenticator extends BaseAccountAuthenticator implements
-    Authenticator<BasicCredentials, AuthenticatedAccount> {
+import com.google.common.annotations.VisibleForTesting;
+import io.dropwizard.auth.Authenticator;
+import io.dropwizard.auth.basic.BasicCredentials;
+import io.micrometer.core.instrument.Metrics;
+import io.micrometer.core.instrument.Tags;
+import java.time.Clock;
+import java.time.Duration;
+import java.time.temporal.ChronoUnit;
+import java.util.Optional;
+import java.util.UUID;
+import org.apache.commons.lang3.StringUtils;
+import org.whispersystems.textsecuregcm.storage.Account;
+import org.whispersystems.textsecuregcm.storage.AccountsManager;
+import org.whispersystems.textsecuregcm.storage.Device;
+import org.whispersystems.textsecuregcm.util.Pair;
+import org.whispersystems.textsecuregcm.util.Util;
 
-  private static final String AUTHENTICATION_COUNTER_NAME = name(AccountAuthenticator.class, "authenticate");
+public class AccountAuthenticator implements Authenticator<BasicCredentials, AuthenticatedAccount> {
+
+  private static final String LEGACY_NAME_PREFIX = "org.whispersystems.textsecuregcm.auth.BaseAccountAuthenticator";
+
+  private static final String AUTHENTICATION_COUNTER_NAME = name(LEGACY_NAME_PREFIX, "authentication");
+  private static final String AUTHENTICATION_SUCCEEDED_TAG_NAME = "succeeded";
+  private static final String AUTHENTICATION_FAILURE_REASON_TAG_NAME = "reason";
+
+  private static final String DAYS_SINCE_LAST_SEEN_DISTRIBUTION_NAME = name(LEGACY_NAME_PREFIX, "daysSinceLastSeen");
+  private static final String IS_PRIMARY_DEVICE_TAG = "isPrimary";
+
+  @VisibleForTesting
+  static final char DEVICE_ID_SEPARATOR = '.';
+
+  private final AccountsManager accountsManager;
+  private final Clock clock;
 
   public AccountAuthenticator(AccountsManager accountsManager) {
-    super(accountsManager);
+    this(accountsManager, Clock.systemUTC());
+  }
+
+  @VisibleForTesting
+  public AccountAuthenticator(AccountsManager accountsManager, Clock clock) {
+    this.accountsManager = accountsManager;
+    this.clock = clock;
+  }
+
+  static Pair<String, Byte> getIdentifierAndDeviceId(final String basicUsername) {
+    final String identifier;
+    final byte deviceId;
+
+    final int deviceIdSeparatorIndex = basicUsername.indexOf(DEVICE_ID_SEPARATOR);
+
+    if (deviceIdSeparatorIndex == -1) {
+      identifier = basicUsername;
+      deviceId = Device.PRIMARY_ID;
+    } else {
+      identifier = basicUsername.substring(0, deviceIdSeparatorIndex);
+      deviceId = Byte.parseByte(basicUsername.substring(deviceIdSeparatorIndex + 1));
+    }
+
+    return new Pair<>(identifier, deviceId);
   }
 
   @Override
   public Optional<AuthenticatedAccount> authenticate(BasicCredentials basicCredentials) {
-    final Optional<AuthenticatedAccount> maybeAuthenticatedAccount = super.authenticate(basicCredentials, true);
+    boolean succeeded = false;
+    String failureReason = null;
 
-    // TODO Remove after announcement groups have launched
-    maybeAuthenticatedAccount.ifPresent(authenticatedAccount ->
-        Metrics.counter(AUTHENTICATION_COUNTER_NAME,
-            "supportsAnnouncementGroups",
-            String.valueOf(authenticatedAccount.getAccount().isAnnouncementGroupSupported()))
-            .increment());
+    try {
+      final UUID accountUuid;
+      final byte deviceId;
+      {
+        final Pair<String, Byte> identifierAndDeviceId = getIdentifierAndDeviceId(basicCredentials.getUsername());
 
-    return maybeAuthenticatedAccount;
+        accountUuid = UUID.fromString(identifierAndDeviceId.first());
+        deviceId = identifierAndDeviceId.second();
+      }
+
+      Optional<Account> account = accountsManager.getByAccountIdentifier(accountUuid);
+
+      if (account.isEmpty()) {
+        failureReason = "noSuchAccount";
+        return Optional.empty();
+      }
+
+      Optional<Device> device = account.get().getDevice(deviceId);
+
+      if (device.isEmpty()) {
+        failureReason = "noSuchDevice";
+        return Optional.empty();
+      }
+
+      SaltedTokenHash deviceSaltedTokenHash = device.get().getAuthTokenHash();
+      if (deviceSaltedTokenHash.verify(basicCredentials.getPassword())) {
+        succeeded = true;
+        Account authenticatedAccount = updateLastSeen(account.get(), device.get());
+        if (deviceSaltedTokenHash.getVersion() != SaltedTokenHash.CURRENT_VERSION) {
+          authenticatedAccount = accountsManager.updateDeviceAuthentication(
+              authenticatedAccount,
+              device.get(),
+              SaltedTokenHash.generateFor(basicCredentials.getPassword()));  // new credentials have current version
+        }
+        return Optional.of(new AuthenticatedAccount(authenticatedAccount, device.get()));
+      }
+
+      return Optional.empty();
+    } catch (IllegalArgumentException | InvalidAuthorizationHeaderException iae) {
+      failureReason = "invalidHeader";
+      return Optional.empty();
+    } finally {
+      Tags tags = Tags.of(
+          AUTHENTICATION_SUCCEEDED_TAG_NAME, String.valueOf(succeeded));
+
+      if (StringUtils.isNotBlank(failureReason)) {
+        tags = tags.and(AUTHENTICATION_FAILURE_REASON_TAG_NAME, failureReason);
+      }
+
+      Metrics.counter(AUTHENTICATION_COUNTER_NAME, tags).increment();
+    }
   }
 
+  @VisibleForTesting
+  public Account updateLastSeen(Account account, Device device) {
+    // compute a non-negative integer between 0 and 86400.
+    long n = Util.ensureNonNegativeLong(account.getUuid().getLeastSignificantBits());
+    final long lastSeenOffsetSeconds = n % ChronoUnit.DAYS.getDuration().toSeconds();
+
+    // produce a truncated timestamp which is either today at UTC midnight
+    // or yesterday at UTC midnight, based on per-user randomized offset used.
+    final long todayInMillisWithOffset = Util.todayInMillisGivenOffsetFromNow(clock,
+        Duration.ofSeconds(lastSeenOffsetSeconds).negated());
+
+    // only update the device's last seen time when it falls behind the truncated timestamp.
+    // this ensures a few things:
+    //   (1) each account will only update last-seen at most once per day
+    //   (2) these updates will occur throughout the day rather than all occurring at UTC midnight.
+    if (device.getLastSeen() < todayInMillisWithOffset) {
+      Metrics.summary(DAYS_SINCE_LAST_SEEN_DISTRIBUTION_NAME, IS_PRIMARY_DEVICE_TAG, String.valueOf(device.isPrimary()))
+          .record(Duration.ofMillis(todayInMillisWithOffset - device.getLastSeen()).toDays());
+
+      return accountsManager.updateDeviceLastSeen(account, device, Util.todayInMillis(clock));
+    }
+
+    return account;
+  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/auth/AuthEnablementRefreshRequirementProvider.java

@@ -5,7 +5,6 @@
 
 package org.whispersystems.textsecuregcm.auth;
 
-import com.google.common.annotations.VisibleForTesting;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
@@ -31,7 +30,6 @@ import org.whispersystems.textsecuregcm.util.Pair;
  * {@link io.dropwizard.auth.Auth} object with a current device list.
  *
  * @see AuthenticatedAccount
- * @see DisabledPermittedAuthenticatedAccount
  */
 public class AuthEnablementRefreshRequirementProvider implements WebsocketRefreshRequirementProvider {
 
@@ -46,10 +44,6 @@ public class AuthEnablementRefreshRequirementProvider implements WebsocketRefres
     this.accountsManager = accountsManager;
   }
 
-  @VisibleForTesting
-  static Map<Long, Boolean> buildDevicesEnabledMap(final Account account) {
-    return account.getDevices().stream().collect(Collectors.toMap(Device::getId, Device::isEnabled));
-  }
 
   @Override
   public void handleRequestFiltered(final RequestEvent requestEvent) {
@@ -61,40 +55,46 @@ public class AuthEnablementRefreshRequirementProvider implements WebsocketRefres
           setAccount(requestEvent.getContainerRequest(), account));
     }
   }
-
   public static void setAccount(final ContainerRequest containerRequest, final Account account) {
-    containerRequest.setProperty(ACCOUNT_UUID, account.getUuid());
-    containerRequest.setProperty(DEVICES_ENABLED, buildDevicesEnabledMap(account));
+    setAccount(containerRequest, ContainerRequestUtil.AccountInfo.fromAccount(account));
+  }
+
+  private static void setAccount(final ContainerRequest containerRequest, final ContainerRequestUtil.AccountInfo info) {
+    containerRequest.setProperty(ACCOUNT_UUID, info.accountId());
+    containerRequest.setProperty(DEVICES_ENABLED, info.devicesEnabled());
   }
 
   @Override
-  public List<Pair<UUID, Long>> handleRequestFinished(final RequestEvent requestEvent) {
+  public List<Pair<UUID, Byte>> handleRequestFinished(final RequestEvent requestEvent) {
     // Now that the request is finished, check whether `isEnabled` changed for any of the devices. If the value did
     // change or if a devices was added or removed, all devices must disconnect and reauthenticate.
     if (requestEvent.getContainerRequest().getProperty(DEVICES_ENABLED) != null) {
 
-      @SuppressWarnings("unchecked") final Map<Long, Boolean> initialDevicesEnabled =
-          (Map<Long, Boolean>) requestEvent.getContainerRequest().getProperty(DEVICES_ENABLED);
+      @SuppressWarnings("unchecked") final Map<Byte, Boolean> initialDevicesEnabled =
+          (Map<Byte, Boolean>) requestEvent.getContainerRequest().getProperty(DEVICES_ENABLED);
 
-      return accountsManager.getByAccountIdentifier((UUID) requestEvent.getContainerRequest().getProperty(ACCOUNT_UUID)).map(account -> {
-        final Set<Long> deviceIdsToDisplace;
-        final Map<Long, Boolean> currentDevicesEnabled = buildDevicesEnabledMap(account);
+      return accountsManager.getByAccountIdentifier((UUID) requestEvent.getContainerRequest().getProperty(ACCOUNT_UUID))
+          .map(ContainerRequestUtil.AccountInfo::fromAccount)
+          .map(account -> {
+            final Set<Byte> deviceIdsToDisplace;
+            final Map<Byte, Boolean> currentDevicesEnabled = account.devicesEnabled();
 
-        if (!initialDevicesEnabled.equals(currentDevicesEnabled)) {
-          deviceIdsToDisplace = new HashSet<>(initialDevicesEnabled.keySet());
-          deviceIdsToDisplace.addAll(currentDevicesEnabled.keySet());
-        } else {
-          deviceIdsToDisplace = Collections.emptySet();
-        }
+            if (!initialDevicesEnabled.equals(currentDevicesEnabled)) {
+              deviceIdsToDisplace = new HashSet<>(initialDevicesEnabled.keySet());
+              deviceIdsToDisplace.addAll(currentDevicesEnabled.keySet());
+            } else {
+              deviceIdsToDisplace = Collections.emptySet();
+            }
 
-        return deviceIdsToDisplace.stream()
-            .map(deviceId -> new Pair<>(account.getUuid(), deviceId))
-            .collect(Collectors.toList());
-      }).orElseGet(() -> {
-        logger.error("Request had account, but it is no longer present");
-        return Collections.emptyList();
-      });
-    } else
+            return deviceIdsToDisplace.stream()
+                .map(deviceId -> new Pair<>(account.accountId(), deviceId))
+                .collect(Collectors.toList());
+          }).orElseGet(() -> {
+            logger.error("Request had account, but it is no longer present");
+            return Collections.emptyList();
+          });
+    } else {
       return Collections.emptyList();
+    }
   }
 }

service/src/main/java/org/whispersystems/textsecuregcm/auth/AuthenticatedAccount.java

@@ -10,24 +10,24 @@ import java.util.function.Supplier;
 import javax.security.auth.Subject;
 import org.whispersystems.textsecuregcm.storage.Account;
 import org.whispersystems.textsecuregcm.storage.Device;
-import org.whispersystems.textsecuregcm.util.Pair;
 
 public class AuthenticatedAccount implements Principal, AccountAndAuthenticatedDeviceHolder {
+  private final Account account;
+  private final Device device;
 
-  private final Supplier<Pair<Account, Device>> accountAndDevice;
-
-  public AuthenticatedAccount(final Supplier<Pair<Account, Device>> accountAndDevice) {
-    this.accountAndDevice = accountAndDevice;
+ public AuthenticatedAccount(final Account account, final Device device) {
+    this.account = account;
+    this.device = device;
   }
 
   @Override
   public Account getAccount() {
-    return accountAndDevice.get().first();
+    return account;
   }
 
   @Override
   public Device getAuthenticatedDevice() {
-    return accountAndDevice.get().second();
+    return device;
   }
 
   // Principal implementation

service/src/main/java/org/whispersystems/textsecuregcm/auth/AuthenticatedBackupUser.java

@@ -0,0 +1,10 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import org.whispersystems.textsecuregcm.backup.BackupTier;
+
+public record AuthenticatedBackupUser(byte[] backupId, BackupTier backupTier) {}

service/src/main/java/org/whispersystems/textsecuregcm/auth/AuthenticationCredentials.java

@@ -1,50 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.textsecuregcm.auth;
-
-import org.apache.commons.codec.binary.Hex;
-
-import java.nio.charset.StandardCharsets;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
-
-public class AuthenticationCredentials {
-
-  private final String hashedAuthenticationToken;
-  private final String salt;
-
-  public AuthenticationCredentials(String hashedAuthenticationToken, String salt) {
-    this.hashedAuthenticationToken = hashedAuthenticationToken;
-    this.salt                      = salt;
-  }
-
-  public AuthenticationCredentials(String authenticationToken) {
-    this.salt                      = String.valueOf(Math.abs(new SecureRandom().nextInt()));
-    this.hashedAuthenticationToken = getHashedValue(salt, authenticationToken);
-  }
-
-  public String getHashedAuthenticationToken() {
-    return hashedAuthenticationToken;
-  }
-
-  public String getSalt() {
-    return salt;
-  }
-
-  public boolean verify(String authenticationToken) {
-    String theirValue = getHashedValue(salt, authenticationToken);
-    return MessageDigest.isEqual(theirValue.getBytes(StandardCharsets.UTF_8), this.hashedAuthenticationToken.getBytes(StandardCharsets.UTF_8));
-  }
-
-  private static String getHashedValue(String salt, String token) {
-    try {
-      return new String(Hex.encodeHex(MessageDigest.getInstance("SHA1").digest((salt + token).getBytes(StandardCharsets.UTF_8))));
-    } catch (NoSuchAlgorithmException e) {
-      throw new AssertionError(e);
-    }
-  }
-
-}

service/src/main/java/org/whispersystems/textsecuregcm/auth/BaseAccountAuthenticator.java

@@ -1,146 +0,0 @@
-/*
- * Copyright 2013-2021 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.auth;
-
-import static com.codahale.metrics.MetricRegistry.name;
-
-import com.google.common.annotations.VisibleForTesting;
-import io.dropwizard.auth.basic.BasicCredentials;
-import io.micrometer.core.instrument.Metrics;
-import io.micrometer.core.instrument.Tags;
-import java.time.Clock;
-import java.time.Duration;
-import java.time.temporal.ChronoUnit;
-import java.util.Optional;
-import java.util.UUID;
-import org.apache.commons.lang3.StringUtils;
-import org.whispersystems.textsecuregcm.storage.Account;
-import org.whispersystems.textsecuregcm.storage.AccountsManager;
-import org.whispersystems.textsecuregcm.storage.Device;
-import org.whispersystems.textsecuregcm.storage.RefreshingAccountAndDeviceSupplier;
-import org.whispersystems.textsecuregcm.util.Pair;
-import org.whispersystems.textsecuregcm.util.Util;
-
-public class BaseAccountAuthenticator {
-
-  private static final String AUTHENTICATION_COUNTER_NAME = name(BaseAccountAuthenticator.class, "authentication");
-  private static final String AUTHENTICATION_SUCCEEDED_TAG_NAME = "succeeded";
-  private static final String AUTHENTICATION_FAILURE_REASON_TAG_NAME = "reason";
-  private static final String AUTHENTICATION_ENABLED_REQUIRED_TAG_NAME = "enabledRequired";
-
-  private static final String DAYS_SINCE_LAST_SEEN_DISTRIBUTION_NAME = name(BaseAccountAuthenticator.class, "daysSinceLastSeen");
-  private static final String IS_PRIMARY_DEVICE_TAG = "isPrimary";
-
-  private final AccountsManager accountsManager;
-  private final Clock           clock;
-
-  public BaseAccountAuthenticator(AccountsManager accountsManager) {
-    this(accountsManager, Clock.systemUTC());
-  }
-
-  @VisibleForTesting
-  public BaseAccountAuthenticator(AccountsManager accountsManager, Clock clock) {
-    this.accountsManager = accountsManager;
-    this.clock           = clock;
-  }
-
-  static Pair<String, Long> getIdentifierAndDeviceId(final String basicUsername) {
-    final String identifier;
-    final long deviceId;
-
-    final int deviceIdSeparatorIndex = basicUsername.indexOf('.');
-
-    if (deviceIdSeparatorIndex == -1) {
-      identifier = basicUsername;
-      deviceId = Device.MASTER_ID;
-    } else {
-      identifier = basicUsername.substring(0, deviceIdSeparatorIndex);
-      deviceId = Long.parseLong(basicUsername.substring(deviceIdSeparatorIndex + 1));
-    }
-
-    return new Pair<>(identifier, deviceId);
-  }
-
-  public Optional<AuthenticatedAccount> authenticate(BasicCredentials basicCredentials, boolean enabledRequired) {
-    boolean succeeded = false;
-    String failureReason = null;
-
-    try {
-      final UUID accountUuid;
-      final long deviceId;
-      {
-        final Pair<String, Long> identifierAndDeviceId = getIdentifierAndDeviceId(basicCredentials.getUsername());
-
-        accountUuid = UUID.fromString(identifierAndDeviceId.first());
-        deviceId = identifierAndDeviceId.second();
-      }
-
-      Optional<Account> account = accountsManager.getByAccountIdentifier(accountUuid);
-
-      if (account.isEmpty()) {
-        failureReason = "noSuchAccount";
-        return Optional.empty();
-      }
-
-      Optional<Device> device = account.get().getDevice(deviceId);
-
-      if (device.isEmpty()) {
-        failureReason = "noSuchDevice";
-        return Optional.empty();
-      }
-
-      if (enabledRequired) {
-        if (!device.get().isEnabled()) {
-          failureReason = "deviceDisabled";
-          return Optional.empty();
-        }
-
-        if (!account.get().isEnabled()) {
-          failureReason = "accountDisabled";
-          return Optional.empty();
-        }
-      }
-
-      if (device.get().getAuthenticationCredentials().verify(basicCredentials.getPassword())) {
-        succeeded = true;
-        final Account authenticatedAccount = updateLastSeen(account.get(), device.get());
-        return Optional.of(new AuthenticatedAccount(
-            new RefreshingAccountAndDeviceSupplier(authenticatedAccount, device.get().getId(), accountsManager)));
-      }
-
-      return Optional.empty();
-    } catch (IllegalArgumentException | InvalidAuthorizationHeaderException iae) {
-      failureReason = "invalidHeader";
-      return Optional.empty();
-    } finally {
-      Tags tags = Tags.of(
-          AUTHENTICATION_SUCCEEDED_TAG_NAME, String.valueOf(succeeded),
-          AUTHENTICATION_ENABLED_REQUIRED_TAG_NAME, String.valueOf(enabledRequired));
-
-      if (StringUtils.isNotBlank(failureReason)) {
-        tags = tags.and(AUTHENTICATION_FAILURE_REASON_TAG_NAME, failureReason);
-      }
-
-      Metrics.counter(AUTHENTICATION_COUNTER_NAME, tags).increment();
-    }
-  }
-
-  @VisibleForTesting
-  public Account updateLastSeen(Account account, Device device) {
-    final long lastSeenOffsetSeconds   = Math.abs(account.getUuid().getLeastSignificantBits()) % ChronoUnit.DAYS.getDuration().toSeconds();
-    final long todayInMillisWithOffset = Util.todayInMillisGivenOffsetFromNow(clock, Duration.ofSeconds(lastSeenOffsetSeconds).negated());
-
-    if (device.getLastSeen() < todayInMillisWithOffset) {
-      Metrics.summary(DAYS_SINCE_LAST_SEEN_DISTRIBUTION_NAME, IS_PRIMARY_DEVICE_TAG, String.valueOf(device.isMaster()))
-          .record(Duration.ofMillis(todayInMillisWithOffset - device.getLastSeen()).toDays());
-
-      return accountsManager.updateDeviceLastSeen(account, device, Util.todayInMillis(clock));
-    }
-
-    return account;
-  }
-
-}

service/src/main/java/org/whispersystems/textsecuregcm/auth/BasicAuthorizationHeader.java

@@ -5,18 +5,16 @@
 package org.whispersystems.textsecuregcm.auth;
 
 import java.util.Base64;
-import java.util.UUID;
 import org.apache.commons.lang3.StringUtils;
-import org.whispersystems.textsecuregcm.storage.Device;
 import org.whispersystems.textsecuregcm.util.Pair;
 
 public class BasicAuthorizationHeader {
 
   private final String username;
-  private final long deviceId;
+  private final byte deviceId;
   private final String password;
 
-  private BasicAuthorizationHeader(final String username, final long deviceId, final String password) {
+  private BasicAuthorizationHeader(final String username, final byte deviceId, final String password) {
     this.username = username;
     this.deviceId = deviceId;
     this.password = password;
@@ -61,10 +59,10 @@ public class BasicAuthorizationHeader {
       final String usernameComponent = credentials.substring(0, credentialSeparatorIndex);
 
       final String username;
-      final long deviceId;
+      final byte deviceId;
       {
-        final Pair<String, Long> identifierAndDeviceId =
-            BaseAccountAuthenticator.getIdentifierAndDeviceId(usernameComponent);
+        final Pair<String, Byte> identifierAndDeviceId =
+            AccountAuthenticator.getIdentifierAndDeviceId(usernameComponent);
 
         username = identifierAndDeviceId.first();
         deviceId = identifierAndDeviceId.second();

service/src/main/java/org/whispersystems/textsecuregcm/auth/CertificateGenerator.java

@@ -7,18 +7,16 @@ package org.whispersystems.textsecuregcm.auth;
 
 import com.google.protobuf.ByteString;
 import com.google.protobuf.InvalidProtocolBufferException;
-import org.whispersystems.textsecuregcm.crypto.Curve;
-import org.whispersystems.textsecuregcm.crypto.ECPrivateKey;
+import java.security.InvalidKeyException;
+import java.util.concurrent.TimeUnit;
+import org.signal.libsignal.protocol.ecc.Curve;
+import org.signal.libsignal.protocol.ecc.ECPrivateKey;
 import org.whispersystems.textsecuregcm.entities.MessageProtos.SenderCertificate;
 import org.whispersystems.textsecuregcm.entities.MessageProtos.ServerCertificate;
+import org.whispersystems.textsecuregcm.identity.IdentityType;
 import org.whispersystems.textsecuregcm.storage.Account;
 import org.whispersystems.textsecuregcm.storage.Device;
 
-import java.io.IOException;
-import java.security.InvalidKeyException;
-import java.util.Base64;
-import java.util.concurrent.TimeUnit;
-
 public class CertificateGenerator {
 
   private final ECPrivateKey      privateKey;
@@ -35,18 +33,23 @@ public class CertificateGenerator {
 
   public byte[] createFor(Account account, Device device, boolean includeE164) throws InvalidKeyException {
     SenderCertificate.Certificate.Builder builder = SenderCertificate.Certificate.newBuilder()
-                                                                                 .setSenderDevice(Math.toIntExact(device.getId()))
-                                                                                 .setExpires(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(expiresDays))
-                                                                                 .setIdentityKey(ByteString.copyFrom(Base64.getDecoder().decode(account.getIdentityKey())))
-                                                                                 .setSigner(serverCertificate)
-                                                                                 .setSenderUuid(account.getUuid().toString());
+        .setSenderDevice(Math.toIntExact(device.getId()))
+        .setExpires(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(expiresDays))
+        .setIdentityKey(ByteString.copyFrom(account.getIdentityKey(IdentityType.ACI).serialize()))
+        .setSigner(serverCertificate)
+        .setSenderUuid(account.getUuid().toString());
 
     if (includeE164) {
       builder.setSender(account.getNumber());
     }
 
     byte[] certificate = builder.build().toByteArray();
-    byte[] signature   = Curve.calculateSignature(privateKey, certificate);
+    byte[] signature;
+    try {
+      signature = Curve.calculateSignature(privateKey, certificate);
+    } catch (org.signal.libsignal.protocol.InvalidKeyException e) {
+      throw new InvalidKeyException(e);
+    }
 
     return SenderCertificate.newBuilder()
                             .setCertificate(ByteString.copyFrom(certificate))

service/src/main/java/org/whispersystems/textsecuregcm/auth/ChangesPhoneNumber.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright 2024 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * Indicates that an endpoint changes the phone number and PNI keys associated with an account, and that
+ * any websockets associated with the account may need to be refreshed after a call to that endpoint.
+ */
+@Target(ElementType.METHOD)
+@Retention(RetentionPolicy.RUNTIME)
+public @interface ChangesPhoneNumber {
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/CombinedUnidentifiedSenderAccessKeys.java

@@ -16,7 +16,7 @@ public class CombinedUnidentifiedSenderAccessKeys {
   public CombinedUnidentifiedSenderAccessKeys(String header) {
     try {
       this.combinedUnidentifiedSenderAccessKeys = Base64.getDecoder().decode(header);
-      if (this.combinedUnidentifiedSenderAccessKeys == null || this.combinedUnidentifiedSenderAccessKeys.length != 16) {
+      if (this.combinedUnidentifiedSenderAccessKeys == null || this.combinedUnidentifiedSenderAccessKeys.length != UnidentifiedAccessUtil.UNIDENTIFIED_ACCESS_KEY_LENGTH) {
         throw new WebApplicationException("Invalid combined unidentified sender access keys", Status.UNAUTHORIZED);
       }
     } catch (IllegalArgumentException e) {