Update to the latest version of the spam filter

All devices now have PQ keys

.editorconfig

@@ -158,7 +158,7 @@ ij_java_keep_indents_on_empty_lines = false
 ij_java_keep_line_breaks = true
 ij_java_keep_multiple_expressions_in_one_line = false
 ij_java_keep_simple_blocks_in_one_line = false
-ij_java_keep_simple_classes_in_one_line = false
+ij_java_keep_simple_classes_in_one_line = true
 ij_java_keep_simple_lambdas_in_one_line = false
 ij_java_keep_simple_methods_in_one_line = false
 ij_java_label_indent_absolute = false

.github/workflows/documentation.yml

@@ -0,0 +1,33 @@
+name: Update Documentation
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  build:
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
+        with:
+          distribution: 'temurin'
+          java-version: '21'
+          cache: 'maven'
+      - name: Compile and Build OpenAPI file
+        run: ./mvnw compile
+      - name: Update Documentation
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          cp -r api-doc/target/openapi/signal-server-openapi.yaml /tmp/
+          git config user.email "github@signal.org"
+          git config user.name "Documentation Updater"
+          git fetch origin gh-pages
+          git checkout gh-pages
+          cp /tmp/signal-server-openapi.yaml .
+          git diff --quiet || git commit -a -m "Updating documentation"
+          git push origin gh-pages -q

.github/workflows/integration-tests.yml

@@ -0,0 +1,37 @@
+name: Integration Tests
+
+on:
+  schedule:
+    - cron: '30 19 * * MON-FRI'
+  workflow_dispatch:
+
+env:
+  # This may seem a little redundant, but copying the configuration to an environment variable makes it easier and safer
+  # to then write its contents to a file
+  INTEGRATION_TEST_CONFIG: ${{ vars.INTEGRATION_TEST_CONFIG }}
+
+jobs:
+  build:
+    if: ${{ vars.INTEGRATION_TEST_CONFIG != '' }}
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+        with:
+          distribution: 'temurin'
+          java-version: '21'
+          cache: 'maven'
+      - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
+        name: Configure AWS credentials from Test account
+        with:
+          role-to-assume: ${{ vars.AWS_ROLE }}
+          aws-region: ${{ vars.AWS_REGION }}
+      - name: Write integration test configuration
+        run: |
+          mkdir -p integration-tests/src/main/resources
+          echo "${INTEGRATION_TEST_CONFIG}" > integration-tests/src/main/resources/config.yml
+      - name: Run and verify integration tests
+        run: ./mvnw clean compile test-compile failsafe:integration-test failsafe:verify -P aws-sso

.github/workflows/test.yml

@@ -1,23 +1,31 @@
 name: Service CI
 
-on: [push]
+on:
+  pull_request:
+  push:
+    branches-ignore:
+      - gh-pages
 
 jobs:
   build:
     runs-on: ubuntu-latest
     container: ubuntu:22.04
+    timeout-minutes: 20
 
     steps:
-      - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
-      - name: Set up JDK 17
-        uses: actions/setup-java@de1bb2b0c5634f0fc4438d7aa9944e68f9bf86cc # v3.6.0
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Set up JDK 21
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
         with:
           distribution: 'temurin'
-          java-version: 17
+          java-version: 21
           cache: 'maven'
         env:
           # work around an issue with actions/runner setting an incorrect HOME in containers, which breaks maven caching
           # https://github.com/actions/setup-java/issues/356
           HOME: /root
+      - name: Install APT packages
+        # ca-certificates: required for AWS CRT client
+        run: apt update && apt install -y ca-certificates
       - name: Build with Maven
         run: ./mvnw -e -B verify

.gitignore

@@ -26,3 +26,7 @@ deployer.log
 !/service/src/main/resources/org/signal/badges/Badges_en.properties
 /service/src/main/resources/org/signal/subscriptions/Subscriptions_*.properties
 !/service/src/main/resources/org/signal/subscriptions/Subscriptions_en.properties
+.project
+.classpath
+.settings
+.DS_Store

.gitmodules

@@ -1,11 +1,11 @@
-# Note that the implementation of the abusive message filter is private; internal
+# Note that the implementation of the spam filter is private; internal
 # developers will need to override this URL with:
 #
 # ```
-# git config submodule.abusive-message-filter.url PRIVATE_URL
+# git config submodule.spam-filter.url PRIVATE_URL
 # ```
 #
 # External developers may safely ignore this submodule.
-[submodule "abusive-message-filter"]
-	path = abusive-message-filter
+[submodule "spam-filter"]
+	path = spam-filter
 	url = REDACTED

.mvn/extensions.xml

@@ -4,6 +4,6 @@
   <extension>
     <groupId>fr.brouillard.oss</groupId>
     <artifactId>jgitver-maven-plugin</artifactId>
-    <version>1.7.1</version>
+    <version>1.9.0</version>
   </extension>
 </extensions>

.mvn/wrapper/maven-wrapper.properties

@@ -5,14 +5,16 @@
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
-# 
+#
 #   https://www.apache.org/licenses/LICENSE-2.0
-# 
+#
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
-distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.8.5/apache-maven-3.8.5-bin.zip
-wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.9/apache-maven-3.9.9-bin.zip
+wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar
+distributionSha256Sum=4ec3f26fb1a692473aea0235c300bd20f0f9fe741947c82c1234cefd76ac3a3c
+wrapperSha256Sum=3d8f20ce6103913be8b52aef6d994e0c54705fb527324ceb9b835b338739c7a8

LICENSE

@@ -296,7 +296,7 @@ commercial, industrial or non-consumer uses, unless such uses represent
 the only significant mode of use of the product.
 
   "Installation Information" for a User Product means any methods,
-procedures, authorization keys, or other information required to install
+procedures, authorization keysManager, or other information required to install
 and execute modified versions of a covered work in that User Product from
 a modified version of its Corresponding Source.  The information must
 suffice to ensure that the continued functioning of the modified object

README.md

@@ -8,9 +8,26 @@ Looking for protocol documentation? Check out the website!
 
 https://signal.org/docs/
 
-Cryptography Notice
+How to Build
 ------------
 
+```shell script
+$ ./mvnw clean test
+```
+
+Security
+--------
+
+Security issues should be sent to <a href=mailto:security@signal.org>security@signal.org</a>.
+
+Help
+----
+
+We cannot provide direct technical support. Get help running this software in your own environment in our [unofficial community forum][community forum].
+
+Cryptography Notice
+-------------------
+
 This distribution includes cryptographic software. The country in which you currently reside may have restrictions on the import, possession, use, and/or re-export to another country, of encryption software.
 BEFORE using any encryption software, please check your country's laws, regulations and policies concerning the import, possession, or use, and re-export of encryption software, to see if this is permitted.
 See <https://www.wassenaar.org/> for more information.
@@ -19,8 +36,10 @@ The U.S. Government Department of Commerce, Bureau of Industry and Security (BIS
 The form and manner of this distribution makes it eligible for export under the License Exception ENC Technology Software Unrestricted (TSU) exception (see the BIS Export Administration Regulations, Section 740.13) for both object code and source code.
 
 License
----------------------
+-------
 
-Copyright 2013-2022 Signal Messenger, LLC
+Copyright 2013 Signal Messenger, LLC
 
-Licensed under the AGPLv3: https://www.gnu.org/licenses/agpl-3.0.html
+Licensed under the GNU AGPLv3: https://www.gnu.org/licenses/agpl-3.0.html
+
+[community forum]: https://community.signalusers.org

TESTING.md

@@ -0,0 +1,30 @@
+# Testing
+
+## Automated tests
+
+The full suite of automated tests can be run using Maven from the project root:
+
+```sh
+./mvnw verify
+```
+
+## Test server
+
+The service can be run in a feature-limited test mode by running the Maven `integration-test`
+goal with the `test-server` profile activated:
+
+```sh
+./mvnw integration-test -Ptest-server [-DskipTests=true]
+```
+
+This runs [`LocalWhisperServerService`][lwss] with [test configuration][test.yml] and [secrets][test secrets]. External
+registration clients are stubbed so that:
+
+- a captcha requirement can be satisfied with `noop.noop.registration.noop`
+- any string will be accepted for a phone verification code
+
+[lwss]: service/src/test/java/org/whispersystems/textsecuregcm/LocalWhisperServerService.java
+
+[test.yml]: service/src/test/resources/config/test.yml
+
+[test secrets]: service/src/test/resources/config/test-secrets-bundle.yml

api-doc/pom.xml

@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <artifactId>TextSecureServer</artifactId>
+    <groupId>org.whispersystems.textsecure</groupId>
+    <version>JGITVER</version>
+  </parent>
+  <modelVersion>4.0.0</modelVersion>
+  <artifactId>api-doc</artifactId>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.whispersystems.textsecure</groupId>
+      <artifactId>service</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>io.swagger.core.v3</groupId>
+        <artifactId>swagger-maven-plugin-jakarta</artifactId>
+        <version>${swagger.version}</version>
+        <configuration>
+          <outputFileName>signal-server-openapi</outputFileName>
+          <outputPath>${project.build.directory}/openapi</outputPath>
+          <outputFormat>YAML</outputFormat>
+          <configurationFilePath>${project.basedir}/src/main/resources/openapi/openapi-configuration.yaml
+          </configurationFilePath>
+        </configuration>
+        <executions>
+          <execution>
+            <phase>compile</phase>
+            <goals>
+              <goal>resolve</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <groupId>com.google.cloud.tools</groupId>
+        <artifactId>jib-maven-plugin</artifactId>
+        <configuration>
+          <!-- we don't want jib to execute on this module -->
+          <skip>true</skip>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+</project>

api-doc/src/main/java/org/signal/openapi/OpenApiExtension.java

@@ -0,0 +1,97 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.openapi;
+
+import com.fasterxml.jackson.annotation.JsonView;
+import com.fasterxml.jackson.databind.JavaType;
+import com.fasterxml.jackson.databind.type.SimpleType;
+import io.dropwizard.auth.Auth;
+import io.swagger.v3.jaxrs2.ResolvedParameter;
+import io.swagger.v3.jaxrs2.ext.AbstractOpenAPIExtension;
+import io.swagger.v3.jaxrs2.ext.OpenAPIExtension;
+import io.swagger.v3.oas.models.Components;
+import jakarta.ws.rs.Consumes;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Optional;
+import java.util.ServiceLoader;
+import java.util.Set;
+import org.whispersystems.textsecuregcm.auth.AuthenticatedDevice;
+
+/**
+ * One of the extension mechanisms of Swagger Core library (OpenAPI processor) is via custom implementations
+ * of the {@link AbstractOpenAPIExtension} class.
+ * <p/>
+ * The purpose of this extension is to customize certain aspects of the OpenAPI model generation on a lower level.
+ * This extension works in coordination with {@link OpenApiReader} that has access to the model on a higher level.
+ * <p/>
+ * The extension is enabled by being listed in {@code META-INF/services/io.swagger.v3.jaxrs2.ext.OpenAPIExtension} file.
+ * @see ServiceLoader
+ * @see OpenApiReader
+ * @see <a href="https://github.com/swagger-api/swagger-core/wiki/Swagger-2.X---Extensions">Swagger 2.X Extensions</a>
+ */
+public class OpenApiExtension extends AbstractOpenAPIExtension {
+
+  public static final ResolvedParameter AUTHENTICATED_ACCOUNT = new ResolvedParameter();
+
+  public static final ResolvedParameter OPTIONAL_AUTHENTICATED_ACCOUNT = new ResolvedParameter();
+
+  /**
+   * When parsing endpoint methods, Swagger will treat the first parameter not annotated as header/path/query param
+   * as a request body (and will ignore other not annotated parameters). In our case, this behavior conflicts with
+   * the {@code @Auth}-annotated parameters. Here we're checking if parameters are known to be anything other than
+   * a body and return an appropriate {@link ResolvedParameter} representation.
+   */
+  @Override
+  public ResolvedParameter extractParameters(
+      final List<Annotation> annotations,
+      final Type type,
+      final Set<Type> typesToSkip,
+      final Components components,
+      final Consumes classConsumes,
+      final Consumes methodConsumes,
+      final boolean includeRequestBody,
+      final JsonView jsonViewAnnotation,
+      final Iterator<OpenAPIExtension> chain) {
+
+    if (annotations.stream().anyMatch(a -> a.annotationType().equals(Auth.class))) {
+      // this is the case of authenticated endpoint,
+      if (type instanceof SimpleType simpleType
+          && simpleType.getRawClass().equals(AuthenticatedDevice.class)) {
+        return AUTHENTICATED_ACCOUNT;
+      }
+      if (type instanceof SimpleType simpleType
+          && isOptionalOfType(simpleType, AuthenticatedDevice.class)) {
+        return OPTIONAL_AUTHENTICATED_ACCOUNT;
+      }
+    }
+
+    return super.extractParameters(
+        annotations,
+        type,
+        typesToSkip,
+        components,
+        classConsumes,
+        methodConsumes,
+        includeRequestBody,
+        jsonViewAnnotation,
+        chain);
+  }
+
+  private static boolean isOptionalOfType(final SimpleType simpleType, final Class<?> expectedType) {
+    if (!simpleType.getRawClass().equals(Optional.class)) {
+      return false;
+    }
+    final List<JavaType> typeParameters = simpleType.getBindings().getTypeParameters();
+    if (typeParameters.isEmpty()) {
+      return false;
+    }
+    return typeParameters.get(0) instanceof SimpleType optionalParameterType
+        && optionalParameterType.getRawClass().equals(expectedType);
+  }
+}

api-doc/src/main/java/org/signal/openapi/OpenApiReader.java

@@ -0,0 +1,71 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.openapi;
+
+import static com.google.common.base.MoreObjects.firstNonNull;
+import static org.signal.openapi.OpenApiExtension.AUTHENTICATED_ACCOUNT;
+import static org.signal.openapi.OpenApiExtension.OPTIONAL_AUTHENTICATED_ACCOUNT;
+
+import com.fasterxml.jackson.annotation.JsonView;
+import com.google.common.collect.ImmutableList;
+import io.swagger.v3.jaxrs2.Reader;
+import io.swagger.v3.jaxrs2.ResolvedParameter;
+import io.swagger.v3.oas.models.Operation;
+import io.swagger.v3.oas.models.security.SecurityRequirement;
+import jakarta.ws.rs.Consumes;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * One of the extension mechanisms of Swagger Core library (OpenAPI processor) is via custom implementations
+ * of the {@link Reader} class.
+ * <p/>
+ * The purpose of this extension is to customize certain aspects of the OpenAPI model generation on a higher level.
+ * This extension works in coordination with {@link OpenApiExtension} that has access to the model on a lower level.
+ * <p/>
+ * The extension is enabled by being listed in {@code resources/openapi/openapi-configuration.yaml} file.
+ * @see OpenApiExtension
+ * @see <a href="https://github.com/swagger-api/swagger-core/wiki/Swagger-2.X---Extensions">Swagger 2.X Extensions</a>
+ */
+public class OpenApiReader extends Reader {
+
+  private static final String AUTHENTICATED_ACCOUNT_AUTH_SCHEMA = "authenticatedAccount";
+
+
+  /**
+   * Overriding this method allows converting a resolved parameter into other operation entities,
+   * in this case, into security requirements.
+   */
+  @Override
+  protected ResolvedParameter getParameters(
+      final Type type,
+      final List<Annotation> annotations,
+      final Operation operation,
+      final Consumes classConsumes,
+      final Consumes methodConsumes,
+      final JsonView jsonViewAnnotation) {
+    final ResolvedParameter resolved = super.getParameters(
+        type, annotations, operation, classConsumes, methodConsumes, jsonViewAnnotation);
+
+    if (resolved == AUTHENTICATED_ACCOUNT) {
+      operation.setSecurity(ImmutableList.<SecurityRequirement>builder()
+          .addAll(firstNonNull(operation.getSecurity(), Collections.emptyList()))
+          .add(new SecurityRequirement().addList(AUTHENTICATED_ACCOUNT_AUTH_SCHEMA))
+          .build());
+    }
+    if (resolved == OPTIONAL_AUTHENTICATED_ACCOUNT) {
+      operation.setSecurity(ImmutableList.<SecurityRequirement>builder()
+          .addAll(firstNonNull(operation.getSecurity(), Collections.emptyList()))
+          .add(new SecurityRequirement().addList(AUTHENTICATED_ACCOUNT_AUTH_SCHEMA))
+          .add(new SecurityRequirement())
+          .build());
+    }
+
+    return resolved;
+  }
+}

api-doc/src/main/resources/META-INF/services/io.swagger.v3.jaxrs2.ext.OpenAPIExtension

@@ -0,0 +1 @@
+org.signal.openapi.OpenApiExtension

api-doc/src/main/resources/openapi/openapi-configuration.yaml

@@ -0,0 +1,25 @@
+resourcePackages:
+  - org.whispersystems.textsecuregcm
+prettyPrint: true
+cacheTTL: 0
+readerClass: org.signal.openapi.OpenApiReader
+openAPI:
+  info:
+    title: Signal Server API
+    license:
+      name: AGPL-3.0-only
+      url: https://www.gnu.org/licenses/agpl-3.0.txt
+  servers:
+    - url: https://chat.signal.org
+      description: Production service
+    - url: https://chat.staging.signal.org
+      description: Staging service
+  components:
+    securitySchemes:
+      authenticatedAccount:
+        type: http
+        scheme: basic
+        description: |
+          Account authentication is based on Basic authentication schema, 
+          where `username` has a format of `<user_id>[.<device_id>]`. If `device_id` is not specified,
+          user's `main` device is assumed.

event-logger/pom.xml

@@ -1,77 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  ~ Copyright 2022 Signal Messenger, LLC
-  ~ SPDX-License-Identifier: AGPL-3.0-only
-  -->
-
-<project xmlns="http://maven.apache.org/POM/4.0.0"
-  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
-  <parent>
-    <artifactId>TextSecureServer</artifactId>
-    <groupId>org.whispersystems.textsecure</groupId>
-    <version>JGITVER</version>
-  </parent>
-
-  <modelVersion>4.0.0</modelVersion>
-  <artifactId>event-logger</artifactId>
-
-  <dependencies>
-    <dependency>
-      <groupId>com.google.cloud</groupId>
-      <artifactId>google-cloud-logging</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>org.jetbrains.kotlin</groupId>
-      <artifactId>kotlin-stdlib</artifactId>
-      <version>${kotlin.version}</version>
-    </dependency>
-    <dependency>
-      <groupId>org.jetbrains.kotlinx</groupId>
-      <artifactId>kotlinx-serialization-json</artifactId>
-      <version>${kotlinx-serialization.version}</version>
-    </dependency>
-  </dependencies>
-
-  <build>
-    <sourceDirectory>${project.basedir}/src/main/kotlin</sourceDirectory>
-    <testSourceDirectory>${project.basedir}/src/test/kotlin</testSourceDirectory>
-
-    <plugins>
-      <plugin>
-        <groupId>org.jetbrains.kotlin</groupId>
-        <artifactId>kotlin-maven-plugin</artifactId>
-        <version>${kotlin.version}</version>
-
-        <executions>
-          <execution>
-            <id>compile</id>
-            <goals>
-              <goal>compile</goal>
-            </goals>
-          </execution>
-
-          <execution>
-            <id>test-compile</id>
-            <goals>
-              <goal>test-compile</goal>
-            </goals>
-          </execution>
-        </executions>
-        <configuration>
-          <compilerPlugins>
-            <plugin>kotlinx-serialization</plugin>
-          </compilerPlugins>
-        </configuration>
-        <dependencies>
-          <dependency>
-            <groupId>org.jetbrains.kotlin</groupId>
-            <artifactId>kotlin-maven-serialization</artifactId>
-            <version>${kotlin.version}</version>
-          </dependency>
-        </dependencies>
-      </plugin>
-    </plugins>
-  </build>
-
-</project>

event-logger/src/main/kotlin/events.kt

@@ -1,40 +0,0 @@
-/*
- * Copyright 2022 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.signal.event
-
-import java.util.Collections
-import kotlinx.serialization.Serializable
-import kotlinx.serialization.json.Json
-import kotlinx.serialization.modules.SerializersModule
-import kotlinx.serialization.modules.polymorphic
-import kotlinx.serialization.modules.subclass
-
-val module = SerializersModule {
-    polymorphic(Event::class) {
-        subclass(RemoteConfigSetEvent::class)
-        subclass(RemoteConfigDeleteEvent::class)
-    }
-}
-val jsonFormat = Json { serializersModule = module }
-
-sealed interface Event
-
-@Serializable
-data class RemoteConfigSetEvent(
-        val token: String,
-        val name: String,
-        val percentage: Int,
-        val defaultValue: String? = null,
-        val value: String? = null,
-        val hashKey: String? = null,
-        val uuids: Collection<String> = Collections.emptyList(),
-) : Event
-
-@Serializable
-data class RemoteConfigDeleteEvent(
-        val token: String,
-        val name: String,
-) : Event

event-logger/src/main/kotlin/loggers.kt

@@ -1,41 +0,0 @@
-/*
- * Copyright 2022 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.signal.event
-
-import com.google.cloud.logging.LogEntry
-import com.google.cloud.logging.Logging
-import com.google.cloud.logging.MonitoredResourceUtil
-import com.google.cloud.logging.Payload.JsonPayload
-import com.google.cloud.logging.Severity
-import com.google.protobuf.Struct
-import com.google.protobuf.util.JsonFormat
-import kotlinx.serialization.encodeToString
-
-interface AdminEventLogger {
-    fun logEvent(event: Event, labels: Map<String, String>?)
-    fun logEvent(event: Event) = logEvent(event, null)
-}
-
-class NoOpAdminEventLogger : AdminEventLogger {
-    override fun logEvent(event: Event, labels: Map<String, String>?) {}
-}
-
-class GoogleCloudAdminEventLogger(private val logging: Logging, private val projectId: String, private val logName: String) : AdminEventLogger {
-    override fun logEvent(event: Event, labels: Map<String, String>?) {
-        val structBuilder = Struct.newBuilder()
-        JsonFormat.parser().merge(jsonFormat.encodeToString(event), structBuilder)
-        val struct = structBuilder.build()
-
-        val logEntryBuilder = LogEntry.newBuilder(JsonPayload.of(struct))
-                .setLogName(logName)
-                .setSeverity(Severity.NOTICE)
-                .setResource(MonitoredResourceUtil.getResource(projectId, "project"));
-        if (labels != null) {
-            logEntryBuilder.setLabels(labels);
-        }
-        logging.write(listOf(logEntryBuilder.build()))
-    }
-}

integration-tests/.gitignore

@@ -0,0 +1,2 @@
+.libs
+src/main/resources/config.yml

integration-tests/pom.xml

@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <artifactId>TextSecureServer</artifactId>
+    <groupId>org.whispersystems.textsecure</groupId>
+    <version>JGITVER</version>
+  </parent>
+  <modelVersion>4.0.0</modelVersion>
+  <artifactId>integration-tests</artifactId>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.whispersystems.textsecure</groupId>
+      <artifactId>service</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+
+    <dependency>
+      <groupId>software.amazon.awssdk</groupId>
+      <artifactId>dynamodb</artifactId>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <configuration>
+          <excludes>
+            <exclude>**</exclude>
+          </excludes>
+        </configuration>
+      </plugin>
+
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-failsafe-plugin</artifactId>
+        <configuration>
+          <additionalClasspathElements>
+            <additionalClasspathElement>${project.basedir}/.libs/software.amazon.awssdk-sso.jar</additionalClasspathElement>
+          </additionalClasspathElements>
+          <includes>
+            <include>**/*.java</include>
+          </includes>
+        </configuration>
+      </plugin>
+      <plugin>
+        <groupId>com.google.cloud.tools</groupId>
+        <artifactId>jib-maven-plugin</artifactId>
+        <configuration>
+          <!-- we don't want jib to execute on this module -->
+          <skip>true</skip>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+
+  <profiles>
+    <profile>
+      <id>aws-sso</id>
+
+      <dependencies>
+        <dependency>
+          <groupId>software.amazon.awssdk</groupId>
+          <artifactId>sso</artifactId>
+        </dependency>
+      </dependencies>
+    </profile>
+  </profiles>
+</project>

integration-tests/src/main/java/org/signal/integration/Codecs.java

@@ -0,0 +1,102 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.databind.JsonDeserializer;
+import com.fasterxml.jackson.databind.JsonSerializer;
+import com.fasterxml.jackson.databind.SerializerProvider;
+import java.io.IOException;
+import java.util.Base64;
+import org.signal.libsignal.protocol.IdentityKey;
+import org.signal.libsignal.protocol.ecc.Curve;
+import org.signal.libsignal.protocol.ecc.ECPublicKey;
+
+public final class Codecs {
+
+  private Codecs() {
+    // utility class
+  }
+
+  @FunctionalInterface
+  public interface CheckedFunction<T, R> {
+    R apply(T t) throws Exception;
+  }
+
+  public static class Base64BasedSerializer<T> extends JsonSerializer<T> {
+
+    private final CheckedFunction<T, byte[]> mapper;
+
+    public Base64BasedSerializer(final CheckedFunction<T, byte[]> mapper) {
+      this.mapper = mapper;
+    }
+
+    @Override
+    public void serialize(final T value, final JsonGenerator gen, final SerializerProvider serializers) throws IOException {
+      try {
+        gen.writeString(Base64.getEncoder().withoutPadding().encodeToString(mapper.apply(value)));
+      } catch (Exception e) {
+        throw new RuntimeException(e);
+      }
+    }
+  }
+
+  public static class Base64BasedDeserializer<T> extends JsonDeserializer<T> {
+
+    private final CheckedFunction<byte[], T> mapper;
+
+    public Base64BasedDeserializer(final CheckedFunction<byte[], T> mapper) {
+      this.mapper = mapper;
+    }
+
+    @Override
+    public T deserialize(final JsonParser p, final DeserializationContext ctxt) throws IOException {
+      try {
+        return mapper.apply(Base64.getDecoder().decode(p.getValueAsString()));
+      } catch (Exception e) {
+        throw new RuntimeException(e);
+      }
+    }
+  }
+
+  public static class ByteArraySerializer extends Base64BasedSerializer<byte[]> {
+    public ByteArraySerializer() {
+      super(bytes -> bytes);
+    }
+  }
+
+  public static class ByteArrayDeserializer extends Base64BasedDeserializer<byte[]> {
+    public ByteArrayDeserializer() {
+      super(bytes -> bytes);
+    }
+  }
+
+  public static class ECPublicKeySerializer extends Base64BasedSerializer<ECPublicKey> {
+    public ECPublicKeySerializer() {
+      super(ECPublicKey::serialize);
+    }
+  }
+
+  public static class ECPublicKeyDeserializer extends Base64BasedDeserializer<ECPublicKey> {
+    public ECPublicKeyDeserializer() {
+      super(bytes -> Curve.decodePoint(bytes, 0));
+    }
+  }
+
+  public static class IdentityKeySerializer extends Base64BasedSerializer<IdentityKey> {
+    public IdentityKeySerializer() {
+      super(IdentityKey::serialize);
+    }
+  }
+
+  public static class IdentityKeyDeserializer extends Base64BasedDeserializer<IdentityKey> {
+    public IdentityKeyDeserializer() {
+      super(bytes -> new IdentityKey(bytes, 0));
+    }
+  }
+}

integration-tests/src/main/java/org/signal/integration/IntegrationTools.java

@@ -0,0 +1,72 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import java.time.Clock;
+import java.time.Duration;
+import java.util.Optional;
+import java.util.UUID;
+import java.util.concurrent.CompletableFuture;
+import org.signal.integration.config.Config;
+import org.whispersystems.textsecuregcm.metrics.NoopAwsSdkMetricPublisher;
+import org.whispersystems.textsecuregcm.registration.VerificationSession;
+import org.whispersystems.textsecuregcm.storage.PhoneNumberIdentifiers;
+import org.whispersystems.textsecuregcm.storage.RegistrationRecoveryPasswords;
+import org.whispersystems.textsecuregcm.storage.RegistrationRecoveryPasswordsManager;
+import org.whispersystems.textsecuregcm.storage.VerificationSessionManager;
+import org.whispersystems.textsecuregcm.storage.VerificationSessions;
+import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
+import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
+import software.amazon.awssdk.services.dynamodb.DynamoDbAsyncClient;
+
+public class IntegrationTools {
+
+  private final RegistrationRecoveryPasswordsManager registrationRecoveryPasswordsManager;
+
+  private final VerificationSessionManager verificationSessionManager;
+
+  private final PhoneNumberIdentifiers phoneNumberIdentifiers;
+
+
+  public static IntegrationTools create(final Config config) {
+    final AwsCredentialsProvider credentialsProvider = DefaultCredentialsProvider.builder().build();
+
+    final DynamoDbAsyncClient dynamoDbAsyncClient =
+        config.dynamoDbClient().buildAsyncClient(credentialsProvider, new NoopAwsSdkMetricPublisher());
+
+    final RegistrationRecoveryPasswords registrationRecoveryPasswords = new RegistrationRecoveryPasswords(
+        config.dynamoDbTables().registrationRecovery(), Duration.ofDays(1), dynamoDbAsyncClient, Clock.systemUTC());
+
+    final VerificationSessions verificationSessions = new VerificationSessions(
+        dynamoDbAsyncClient, config.dynamoDbTables().verificationSessions(), Clock.systemUTC());
+
+    return new IntegrationTools(
+        new RegistrationRecoveryPasswordsManager(registrationRecoveryPasswords),
+        new VerificationSessionManager(verificationSessions),
+        new PhoneNumberIdentifiers(dynamoDbAsyncClient, config.dynamoDbTables().phoneNumberIdentifiers())
+    );
+  }
+
+  private IntegrationTools(
+      final RegistrationRecoveryPasswordsManager registrationRecoveryPasswordsManager,
+      final VerificationSessionManager verificationSessionManager,
+      final PhoneNumberIdentifiers phoneNumberIdentifiers) {
+    this.registrationRecoveryPasswordsManager = registrationRecoveryPasswordsManager;
+    this.verificationSessionManager = verificationSessionManager;
+    this.phoneNumberIdentifiers = phoneNumberIdentifiers;
+  }
+
+  public CompletableFuture<Void> populateRecoveryPassword(final String phoneNumber, final byte[] password) {
+    return phoneNumberIdentifiers
+        .getPhoneNumberIdentifier(phoneNumber)
+        .thenCompose(pni -> registrationRecoveryPasswordsManager.store(pni, password));
+  }
+
+  public CompletableFuture<Optional<String>> peekVerificationSessionPushChallenge(final String sessionId) {
+    return verificationSessionManager.findForId(sessionId)
+        .thenApply(maybeSession -> maybeSession.map(VerificationSession::pushChallenge));
+  }
+}

integration-tests/src/main/java/org/signal/integration/Operations.java

@@ -0,0 +1,349 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import static java.util.Objects.requireNonNull;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.google.common.io.Resources;
+import com.google.common.net.HttpHeaders;
+import io.dropwizard.configuration.ConfigurationValidationException;
+import io.dropwizard.jersey.validation.Validators;
+import jakarta.validation.ConstraintViolation;
+import java.io.IOException;
+import java.lang.invoke.MethodHandles;
+import java.net.URI;
+import java.net.URL;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.nio.charset.StandardCharsets;
+import java.security.SecureRandom;
+import java.security.cert.CertificateException;
+import java.util.ArrayList;
+import java.util.Base64;
+import java.util.Collections;
+import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+import java.util.concurrent.Executors;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.Validate;
+import org.apache.commons.lang3.tuple.Pair;
+import org.signal.integration.config.Config;
+import org.signal.libsignal.protocol.IdentityKey;
+import org.signal.libsignal.protocol.ecc.Curve;
+import org.signal.libsignal.protocol.ecc.ECKeyPair;
+import org.signal.libsignal.protocol.ecc.ECPublicKey;
+import org.signal.libsignal.protocol.kem.KEMKeyPair;
+import org.signal.libsignal.protocol.kem.KEMKeyType;
+import org.signal.libsignal.protocol.kem.KEMPublicKey;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.whispersystems.textsecuregcm.configuration.CircuitBreakerConfiguration;
+import org.whispersystems.textsecuregcm.entities.AccountAttributes;
+import org.whispersystems.textsecuregcm.entities.AccountIdentityResponse;
+import org.whispersystems.textsecuregcm.entities.ECSignedPreKey;
+import org.whispersystems.textsecuregcm.entities.KEMSignedPreKey;
+import org.whispersystems.textsecuregcm.entities.RegistrationRequest;
+import org.whispersystems.textsecuregcm.http.FaultTolerantHttpClient;
+import org.whispersystems.textsecuregcm.storage.Device;
+import org.whispersystems.textsecuregcm.util.HeaderUtils;
+import org.whispersystems.textsecuregcm.util.HttpUtils;
+import org.whispersystems.textsecuregcm.util.SystemMapper;
+
+public final class Operations {
+
+  private static final Logger logger = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+
+  private static final Config CONFIG = loadConfigFromClasspath("config.yml");
+
+  private static final IntegrationTools INTEGRATION_TOOLS = IntegrationTools.create(CONFIG);
+
+  private static final String USER_AGENT = "integration-test";
+
+  private static final FaultTolerantHttpClient CLIENT = buildClient();
+
+
+  private Operations() {
+    // utility class
+  }
+
+  public static TestUser newRegisteredUser(final String number) {
+    final byte[] registrationPassword = populateRandomRecoveryPassword(number);
+    final String accountPassword = Base64.getEncoder().encodeToString(randomBytes(32));
+
+    final TestUser user = TestUser.create(number, accountPassword, registrationPassword);
+    final AccountAttributes accountAttributes = user.accountAttributes();
+
+    final ECKeyPair aciIdentityKeyPair = Curve.generateKeyPair();
+    final ECKeyPair pniIdentityKeyPair = Curve.generateKeyPair();
+
+    // register account
+    final RegistrationRequest registrationRequest = new RegistrationRequest(null,
+        registrationPassword,
+        accountAttributes,
+        true,
+        new IdentityKey(aciIdentityKeyPair.getPublicKey()),
+        new IdentityKey(pniIdentityKeyPair.getPublicKey()),
+        generateSignedECPreKey(1, aciIdentityKeyPair),
+        generateSignedECPreKey(2, pniIdentityKeyPair),
+        generateSignedKEMPreKey(3, aciIdentityKeyPair),
+        generateSignedKEMPreKey(4, pniIdentityKeyPair),
+        Optional.empty(),
+        Optional.empty());
+
+    final AccountIdentityResponse registrationResponse = apiPost("/v1/registration", registrationRequest)
+        .authorized(number, accountPassword)
+        .executeExpectSuccess(AccountIdentityResponse.class);
+
+    user.setAciUuid(registrationResponse.uuid());
+    user.setPniUuid(registrationResponse.pni());
+
+    return user;
+  }
+
+  public record PrescribedVerificationNumber(String number, String verificationCode) {}
+
+  public static PrescribedVerificationNumber prescribedVerificationNumber() {
+      return new PrescribedVerificationNumber(
+          CONFIG.prescribedRegistrationNumber(),
+          CONFIG.prescribedRegistrationCode());
+  }
+
+  public static void deleteUser(final TestUser user) {
+    apiDelete("/v1/accounts/me").authorized(user).executeExpectSuccess();
+  }
+
+  public static String peekVerificationSessionPushChallenge(final String sessionId) {
+    return INTEGRATION_TOOLS.peekVerificationSessionPushChallenge(sessionId).join()
+        .orElseThrow(() -> new RuntimeException("push challenge not found for the verification session"));
+  }
+
+  public static byte[] populateRandomRecoveryPassword(final String number) {
+    final byte[] recoveryPassword = randomBytes(32);
+    INTEGRATION_TOOLS.populateRecoveryPassword(number, recoveryPassword).join();
+
+    return recoveryPassword;
+  }
+
+  public static <T> T sendEmptyRequestAuthenticated(
+      final String endpoint,
+      final String method,
+      final String username,
+      final String password,
+      final Class<T> outputType) {
+    try {
+      final HttpRequest request = HttpRequest.newBuilder()
+          .uri(serverUri(endpoint, Collections.emptyList()))
+          .method(method, HttpRequest.BodyPublishers.noBody())
+          .header(HttpHeaders.AUTHORIZATION, HeaderUtils.basicAuthHeader(username, password))
+          .header(HttpHeaders.CONTENT_TYPE, "application/json")
+          .build();
+      return CLIENT.sendAsync(request, HttpResponse.BodyHandlers.ofString(StandardCharsets.UTF_8))
+          .whenComplete((response, error) -> {
+            if (error != null) {
+              logger.error("request error", error);
+              error.printStackTrace();
+            } else {
+              logger.info("response: {}", response.statusCode());
+              System.out.println("response: " + response.statusCode() + ", " + response.body());
+            }
+          })
+          .thenApply(response -> {
+            try {
+              return outputType.equals(Void.class)
+                  ? null
+                  : SystemMapper.jsonMapper().readValue(response.body(), outputType);
+            } catch (final IOException e) {
+              throw new RuntimeException(e);
+            }
+          })
+          .get();
+    } catch (final Exception e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  private static byte[] randomBytes(int numBytes) {
+    final byte[] bytes = new byte[numBytes];
+    new SecureRandom().nextBytes(bytes);
+    return bytes;
+  }
+
+  public static RequestBuilder apiGet(final String endpoint) {
+    return new RequestBuilder(HttpRequest.newBuilder().GET(), endpoint);
+  }
+
+  public static RequestBuilder apiDelete(final String endpoint) {
+    return new RequestBuilder(HttpRequest.newBuilder().DELETE(), endpoint);
+  }
+
+  public static <R> RequestBuilder apiPost(final String endpoint, final R input) {
+    return RequestBuilder.withJsonBody(endpoint, "POST", input);
+  }
+
+  public static <R> RequestBuilder apiPut(final String endpoint, final R input) {
+    return RequestBuilder.withJsonBody(endpoint, "PUT", input);
+  }
+
+  public static <R> RequestBuilder apiPatch(final String endpoint, final R input) {
+    return RequestBuilder.withJsonBody(endpoint, "PATCH", input);
+  }
+
+  private static URI serverUri(final String endpoint, final List<String> queryParams) {
+    final String query = queryParams.isEmpty()
+        ? StringUtils.EMPTY
+        : "?" + String.join("&", queryParams);
+    return URI.create("https://" + CONFIG.domain() + endpoint + query);
+  }
+
+  public static class RequestBuilder {
+
+    private final HttpRequest.Builder builder;
+
+    private final String endpoint;
+
+    private final List<String> queryParams = new ArrayList<>();
+
+
+    private RequestBuilder(final HttpRequest.Builder builder, final String endpoint) {
+      this.builder = builder;
+      this.endpoint = endpoint;
+    }
+
+    private static <R> RequestBuilder withJsonBody(final String endpoint, final String method, final R input) {
+      try {
+        final byte[] body = SystemMapper.jsonMapper().writeValueAsBytes(input);
+        return new RequestBuilder(HttpRequest.newBuilder()
+            .header(HttpHeaders.CONTENT_TYPE, "application/json")
+            .method(method, HttpRequest.BodyPublishers.ofByteArray(body)), endpoint);
+      } catch (final JsonProcessingException e) {
+        throw new RuntimeException(e);
+      }
+    }
+
+    public RequestBuilder authorized(final TestUser user) {
+      return authorized(user, Device.PRIMARY_ID);
+    }
+
+    public RequestBuilder authorized(final TestUser user, final byte deviceId) {
+      final String username = "%s.%d".formatted(user.aciUuid().toString(), deviceId);
+      return authorized(username, user.accountPassword());
+    }
+
+    public RequestBuilder authorized(final String username, final String password) {
+      builder.header(HttpHeaders.AUTHORIZATION, HeaderUtils.basicAuthHeader(username, password));
+      return this;
+    }
+
+    public RequestBuilder queryParam(final String key, final String value) {
+      queryParams.add("%s=%s".formatted(key, value));
+      return this;
+    }
+
+    public RequestBuilder header(final String name, final String value) {
+      builder.header(name, value);
+      return this;
+    }
+
+    public Pair<Integer, Void> execute() {
+      return execute(Void.class);
+    }
+
+    public Pair<Integer, Void> executeExpectSuccess() {
+      final Pair<Integer, Void> execute = execute();
+      Validate.isTrue(
+          HttpUtils.isSuccessfulResponse(execute.getLeft()),
+          "Unexpected response code: %d",
+          execute.getLeft());
+      return execute;
+    }
+
+    public <T> T executeExpectSuccess(final Class<T> expectedType) {
+      final Pair<Integer, T> execute = execute(expectedType);
+      Validate.isTrue(
+          HttpUtils.isSuccessfulResponse(execute.getLeft()),
+          "Unexpected response code: %d : %s",
+          execute.getLeft(), execute.getRight());
+      return requireNonNull(execute.getRight());
+    }
+
+    public void executeExpectStatusCode(final int expectedStatusCode) {
+      final Pair<Integer, Void> execute = execute(Void.class);
+      Validate.isTrue(
+          execute.getLeft() == expectedStatusCode,
+          "Unexpected response code: %d",
+          execute.getLeft()
+      );
+    }
+
+    public <T> Pair<Integer, T> execute(final Class<T> expectedType) {
+      builder.uri(serverUri(endpoint, queryParams))
+          .header(HttpHeaders.USER_AGENT, USER_AGENT);
+      return CLIENT.sendAsync(builder.build(), HttpResponse.BodyHandlers.ofString(StandardCharsets.UTF_8))
+          .whenComplete((response, error) -> {
+            if (error != null) {
+              logger.error("request error", error);
+              error.printStackTrace();
+            }
+          })
+          .thenApply(response -> {
+            try {
+              final T result = expectedType.equals(Void.class)
+                  ? null
+                  : SystemMapper.jsonMapper().readValue(response.body(), expectedType);
+              return Pair.of(response.statusCode(), result);
+            } catch (final IOException e) {
+              throw new RuntimeException(e);
+            }
+          })
+          .join();
+    }
+  }
+
+  private static FaultTolerantHttpClient buildClient() {
+    try {
+      return FaultTolerantHttpClient.newBuilder()
+          .withName("integration-test")
+          .withExecutor(Executors.newFixedThreadPool(16))
+          .withRetryExecutor(Executors.newSingleThreadScheduledExecutor())
+          .withCircuitBreaker(new CircuitBreakerConfiguration())
+          .withTrustedServerCertificates(CONFIG.rootCert())
+          .build();
+    } catch (final CertificateException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  private static Config loadConfigFromClasspath(final String filename) {
+    try {
+      final URL configFileUrl = Resources.getResource(filename);
+      final Config config = SystemMapper.yamlMapper().readValue(Resources.toByteArray(configFileUrl), Config.class);
+
+      final Set<ConstraintViolation<Config>> constraintViolations = Validators.newValidator().validate(config);
+
+      if (!constraintViolations.isEmpty()) {
+        throw new ConfigurationValidationException(filename, constraintViolations);
+      }
+
+      return config;
+    } catch (final Exception e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  public static ECSignedPreKey generateSignedECPreKey(final long id, final ECKeyPair identityKeyPair) {
+    final ECPublicKey pubKey = Curve.generateKeyPair().getPublicKey();
+    final byte[] signature = identityKeyPair.getPrivateKey().calculateSignature(pubKey.serialize());
+    return new ECSignedPreKey(id, pubKey, signature);
+  }
+
+  public static KEMSignedPreKey generateSignedKEMPreKey(final long id, final ECKeyPair identityKeyPair) {
+    final KEMPublicKey pubKey = KEMKeyPair.generate(KEMKeyType.KYBER_1024).getPublicKey();
+    final byte[] signature = identityKeyPair.getPrivateKey().calculateSignature(pubKey.serialize());
+    return new KEMSignedPreKey(id, pubKey, signature);
+  }
+}

integration-tests/src/main/java/org/signal/integration/TestDevice.java

@@ -0,0 +1,64 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import org.apache.commons.lang3.tuple.Pair;
+import org.signal.libsignal.protocol.IdentityKeyPair;
+import org.signal.libsignal.protocol.InvalidKeyException;
+import org.signal.libsignal.protocol.ecc.Curve;
+import org.signal.libsignal.protocol.ecc.ECKeyPair;
+import org.signal.libsignal.protocol.state.SignedPreKeyRecord;
+
+public class TestDevice {
+
+  private final byte deviceId;
+
+  private final Map<Integer, Pair<IdentityKeyPair, SignedPreKeyRecord>> signedPreKeys = new ConcurrentHashMap<>();
+
+
+  public static TestDevice create(
+      final byte deviceId,
+      final IdentityKeyPair aciIdentityKeyPair,
+      final IdentityKeyPair pniIdentityKeyPair) {
+    final TestDevice device = new TestDevice(deviceId);
+    device.addSignedPreKey(aciIdentityKeyPair);
+    device.addSignedPreKey(pniIdentityKeyPair);
+    return device;
+  }
+
+  public TestDevice(final byte deviceId) {
+    this.deviceId = deviceId;
+  }
+
+  public byte deviceId() {
+    return deviceId;
+  }
+
+  public SignedPreKeyRecord latestSignedPreKey(final IdentityKeyPair identity) {
+    final int id = signedPreKeys.entrySet()
+        .stream()
+        .filter(p -> p.getValue().getLeft().equals(identity))
+        .mapToInt(Map.Entry::getKey)
+        .max()
+        .orElseThrow();
+    return signedPreKeys.get(id).getRight();
+  }
+
+  public SignedPreKeyRecord addSignedPreKey(final IdentityKeyPair identity) {
+    try {
+      final int nextId = signedPreKeys.keySet().stream().mapToInt(k -> k + 1).max().orElse(0);
+      final ECKeyPair keyPair = Curve.generateKeyPair();
+      final byte[] signature = Curve.calculateSignature(identity.getPrivateKey(), keyPair.getPublicKey().serialize());
+      final SignedPreKeyRecord signedPreKeyRecord = new SignedPreKeyRecord(nextId, System.currentTimeMillis(), keyPair, signature);
+      signedPreKeys.put(nextId, Pair.of(identity, signedPreKeyRecord));
+      return signedPreKeyRecord;
+    } catch (InvalidKeyException e) {
+      throw new RuntimeException(e);
+    }
+  }
+}

integration-tests/src/main/java/org/signal/integration/TestUser.java

@@ -0,0 +1,198 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import static java.util.Objects.requireNonNull;
+
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import java.security.SecureRandom;
+import java.nio.charset.StandardCharsets;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.UUID;
+import java.util.concurrent.ConcurrentHashMap;
+import org.signal.libsignal.protocol.IdentityKey;
+import org.signal.libsignal.protocol.IdentityKeyPair;
+import org.signal.libsignal.protocol.InvalidKeyException;
+import org.signal.libsignal.protocol.ecc.ECPublicKey;
+import org.signal.libsignal.protocol.state.SignedPreKeyRecord;
+import org.signal.libsignal.protocol.util.KeyHelper;
+import org.whispersystems.textsecuregcm.auth.UnidentifiedAccessUtil;
+import org.whispersystems.textsecuregcm.entities.AccountAttributes;
+import org.whispersystems.textsecuregcm.storage.Device;
+
+public class TestUser {
+
+  private final int registrationId;
+
+  private final int pniRegistrationId;
+
+  private final IdentityKeyPair aciIdentityKey;
+
+  private final Map<Byte, TestDevice> devices = new ConcurrentHashMap<>();
+
+  private final byte[] unidentifiedAccessKey;
+
+  private String phoneNumber;
+
+  private IdentityKeyPair pniIdentityKey;
+
+  private String accountPassword;
+
+  private byte[] registrationPassword;
+
+  private UUID aciUuid;
+
+  private UUID pniUuid;
+
+
+  public static TestUser create(final String phoneNumber, final String accountPassword, final byte[] registrationPassword) {
+    // ACI identity key pair
+    final IdentityKeyPair aciIdentityKey = IdentityKeyPair.generate();
+    // PNI identity key pair
+    final IdentityKeyPair pniIdentityKey = IdentityKeyPair.generate();
+    // registration id
+    final int registrationId = KeyHelper.generateRegistrationId(false);
+    final int pniRegistrationId = KeyHelper.generateRegistrationId(false);
+    // uak
+    final byte[] unidentifiedAccessKey = new byte[UnidentifiedAccessUtil.UNIDENTIFIED_ACCESS_KEY_LENGTH];
+    new SecureRandom().nextBytes(unidentifiedAccessKey);
+
+    return new TestUser(
+        registrationId,
+        pniRegistrationId,
+        aciIdentityKey,
+        phoneNumber,
+        pniIdentityKey,
+        unidentifiedAccessKey,
+        accountPassword,
+        registrationPassword);
+  }
+
+  public TestUser(
+      final int registrationId,
+      final int pniRegistrationId,
+      final IdentityKeyPair aciIdentityKey,
+      final String phoneNumber,
+      final IdentityKeyPair pniIdentityKey,
+      final byte[] unidentifiedAccessKey,
+      final String accountPassword,
+      final byte[] registrationPassword) {
+    this.registrationId = registrationId;
+    this.pniRegistrationId = pniRegistrationId;
+    this.aciIdentityKey = aciIdentityKey;
+    this.phoneNumber = phoneNumber;
+    this.pniIdentityKey = pniIdentityKey;
+    this.unidentifiedAccessKey = unidentifiedAccessKey;
+    this.accountPassword = accountPassword;
+    this.registrationPassword = registrationPassword;
+    devices.put(Device.PRIMARY_ID, TestDevice.create(Device.PRIMARY_ID, aciIdentityKey, pniIdentityKey));
+  }
+
+  public int registrationId() {
+    return registrationId;
+  }
+
+  public IdentityKeyPair aciIdentityKey() {
+    return aciIdentityKey;
+  }
+
+  public String phoneNumber() {
+    return phoneNumber;
+  }
+
+  public IdentityKeyPair pniIdentityKey() {
+    return pniIdentityKey;
+  }
+
+  public String accountPassword() {
+    return accountPassword;
+  }
+
+  public byte[] registrationPassword() {
+    return registrationPassword;
+  }
+
+  public UUID aciUuid() {
+    return aciUuid;
+  }
+
+  public UUID pniUuid() {
+    return pniUuid;
+  }
+
+  public AccountAttributes accountAttributes() {
+    return new AccountAttributes(true, registrationId, pniRegistrationId, "".getBytes(StandardCharsets.UTF_8), "", true, Set.of())
+        .withUnidentifiedAccessKey(unidentifiedAccessKey)
+        .withRecoveryPassword(registrationPassword);
+  }
+
+  public void setAciUuid(final UUID aciUuid) {
+    this.aciUuid = aciUuid;
+  }
+
+  public void setPniUuid(final UUID pniUuid) {
+    this.pniUuid = pniUuid;
+  }
+
+  public void setPhoneNumber(final String phoneNumber) {
+    this.phoneNumber = phoneNumber;
+  }
+
+  public void setPniIdentityKey(final IdentityKeyPair pniIdentityKey) {
+    this.pniIdentityKey = pniIdentityKey;
+  }
+
+  public void setAccountPassword(final String accountPassword) {
+    this.accountPassword = accountPassword;
+  }
+
+  public void setRegistrationPassword(final byte[] registrationPassword) {
+    this.registrationPassword = registrationPassword;
+  }
+
+  public PreKeySetPublicView preKeys(final byte deviceId, final boolean pni) {
+    final IdentityKeyPair identity = pni
+        ? pniIdentityKey
+        : aciIdentityKey;
+    final TestDevice device = requireNonNull(devices.get(deviceId));
+    final SignedPreKeyRecord signedPreKeyRecord = device.latestSignedPreKey(identity);
+    try {
+      return new PreKeySetPublicView(
+          Collections.emptyList(),
+          identity.getPublicKey(),
+          new SignedPreKeyPublicView(
+              signedPreKeyRecord.getId(),
+              signedPreKeyRecord.getKeyPair().getPublicKey(),
+              signedPreKeyRecord.getSignature()
+          )
+      );
+    } catch (InvalidKeyException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  public record SignedPreKeyPublicView(
+      int keyId,
+      @JsonSerialize(using = Codecs.ECPublicKeySerializer.class)
+      @JsonDeserialize(using = Codecs.ECPublicKeyDeserializer.class)
+      ECPublicKey publicKey,
+      @JsonSerialize(using = Codecs.ByteArraySerializer.class)
+      @JsonDeserialize(using = Codecs.ByteArrayDeserializer.class)
+      byte[] signature) {
+  }
+
+  public record PreKeySetPublicView(
+      List<String> preKeys,
+      @JsonSerialize(using = Codecs.IdentityKeySerializer.class)
+      @JsonDeserialize(using = Codecs.IdentityKeyDeserializer.class)
+      IdentityKey identityKey,
+      SignedPreKeyPublicView signedPreKey) {
+  }
+}

integration-tests/src/main/java/org/signal/integration/config/Config.java

@@ -0,0 +1,19 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration.config;
+
+import jakarta.validation.Valid;
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.NotNull;
+import org.whispersystems.textsecuregcm.configuration.DynamoDbClientFactory;
+
+public record Config(@NotBlank String domain,
+                     @NotBlank String rootCert,
+                     @NotNull @Valid DynamoDbClientFactory dynamoDbClient,
+                     @NotNull @Valid DynamoDbTables dynamoDbTables,
+                     @NotBlank String prescribedRegistrationNumber,
+                     @NotBlank String prescribedRegistrationCode) {
+}

integration-tests/src/main/java/org/signal/integration/config/DynamoDbTables.java

@@ -0,0 +1,13 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration.config;
+
+import jakarta.validation.constraints.NotBlank;
+
+public record DynamoDbTables(@NotBlank String registrationRecovery,
+                             @NotBlank String verificationSessions,
+                             @NotBlank String phoneNumberIdentifiers) {
+}

integration-tests/src/test/java/org/signal/integration/AccountTest.java

@@ -0,0 +1,158 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotEquals;
+
+import java.util.Arrays;
+import java.util.Base64;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import org.apache.commons.lang3.tuple.Pair;
+import org.apache.http.HttpStatus;
+import org.junit.jupiter.api.Test;
+import org.signal.libsignal.protocol.IdentityKey;
+import org.signal.libsignal.protocol.ecc.Curve;
+import org.signal.libsignal.protocol.ecc.ECKeyPair;
+import org.signal.libsignal.usernames.BaseUsernameException;
+import org.signal.libsignal.usernames.Username;
+import org.whispersystems.textsecuregcm.entities.AccountIdentifierResponse;
+import org.whispersystems.textsecuregcm.entities.AccountIdentityResponse;
+import org.whispersystems.textsecuregcm.entities.ChangeNumberRequest;
+import org.whispersystems.textsecuregcm.entities.ConfirmUsernameHashRequest;
+import org.whispersystems.textsecuregcm.entities.ReserveUsernameHashRequest;
+import org.whispersystems.textsecuregcm.entities.ReserveUsernameHashResponse;
+import org.whispersystems.textsecuregcm.entities.UsernameHashResponse;
+import org.whispersystems.textsecuregcm.identity.AciServiceIdentifier;
+import org.whispersystems.textsecuregcm.storage.Device;
+
+public class AccountTest {
+
+  @Test
+  public void testCreateAccount() {
+    final TestUser user = Operations.newRegisteredUser("+19995550101");
+    try {
+      final Pair<Integer, AccountIdentityResponse> execute = Operations.apiGet("/v1/accounts/whoami")
+          .authorized(user)
+          .execute(AccountIdentityResponse.class);
+      assertEquals(HttpStatus.SC_OK, execute.getLeft());
+    } finally {
+      Operations.deleteUser(user);
+    }
+  }
+
+  @Test
+  public void testCreateAccountAtomic() {
+    final TestUser user = Operations.newRegisteredUser("+19995550201");
+    try {
+      final Pair<Integer, AccountIdentityResponse> execute = Operations.apiGet("/v1/accounts/whoami")
+          .authorized(user)
+          .execute(AccountIdentityResponse.class);
+      assertEquals(HttpStatus.SC_OK, execute.getLeft());
+    } finally {
+      Operations.deleteUser(user);
+    }
+  }
+
+  @Test
+  public void changePhoneNumber() {
+    final TestUser user = Operations.newRegisteredUser("+19995550301");
+    final String targetNumber = "+19995550302";
+
+    final ECKeyPair pniIdentityKeyPair = Curve.generateKeyPair();
+
+    final ChangeNumberRequest changeNumberRequest = new ChangeNumberRequest(null,
+        Operations.populateRandomRecoveryPassword(targetNumber),
+        targetNumber,
+        null,
+        new IdentityKey(pniIdentityKeyPair.getPublicKey()),
+        Collections.emptyList(),
+        Map.of(Device.PRIMARY_ID, Operations.generateSignedECPreKey(1, pniIdentityKeyPair)),
+        Map.of(Device.PRIMARY_ID, Operations.generateSignedKEMPreKey(2, pniIdentityKeyPair)),
+        Map.of(Device.PRIMARY_ID, 17));
+
+    final AccountIdentityResponse accountIdentityResponse =
+        Operations.apiPut("/v2/accounts/number", changeNumberRequest)
+            .authorized(user)
+            .executeExpectSuccess(AccountIdentityResponse.class);
+
+    assertEquals(user.aciUuid(), accountIdentityResponse.uuid());
+    assertNotEquals(user.pniUuid(), accountIdentityResponse.pni());
+    assertEquals(targetNumber, accountIdentityResponse.number());
+  }
+
+  @Test
+  public void testUsernameOperations() throws Exception {
+    final TestUser user = Operations.newRegisteredUser("+19995550102");
+    try {
+      verifyFullUsernameLifecycle(user);
+      // no do it again to check changing usernames
+      verifyFullUsernameLifecycle(user);
+    } finally {
+      Operations.deleteUser(user);
+    }
+  }
+
+  private static void verifyFullUsernameLifecycle(final TestUser user) throws BaseUsernameException {
+    final String preferred = "test";
+    final List<Username> candidates = Username.candidatesFrom(preferred, preferred.length(), preferred.length() + 1);
+
+    // reserve a username
+    final ReserveUsernameHashRequest reserveUsernameHashRequest = new ReserveUsernameHashRequest(
+        candidates.stream().map(Username::getHash).toList());
+    // try unauthorized
+    Operations
+        .apiPut("/v1/accounts/username_hash/reserve", reserveUsernameHashRequest)
+        .executeExpectStatusCode(HttpStatus.SC_UNAUTHORIZED);
+
+    final ReserveUsernameHashResponse reserveUsernameHashResponse = Operations
+        .apiPut("/v1/accounts/username_hash/reserve", reserveUsernameHashRequest)
+        .authorized(user)
+        .executeExpectSuccess(ReserveUsernameHashResponse.class);
+
+    // find which one is the reserved username
+    final byte[] reservedHash = reserveUsernameHashResponse.usernameHash();
+    final Username reservedUsername = candidates.stream()
+        .filter(u -> Arrays.equals(u.getHash(), reservedHash))
+        .findAny()
+        .orElseThrow();
+
+    // confirm a username
+   final ConfirmUsernameHashRequest confirmUsernameHashRequest = new ConfirmUsernameHashRequest(
+        reservedUsername.getHash(),
+        reservedUsername.generateProof(),
+        "cluck cluck i'm a parrot".getBytes()
+    );
+    // try unauthorized
+    Operations
+        .apiPut("/v1/accounts/username_hash/confirm", confirmUsernameHashRequest)
+        .executeExpectStatusCode(HttpStatus.SC_UNAUTHORIZED);
+    Operations
+        .apiPut("/v1/accounts/username_hash/confirm", confirmUsernameHashRequest)
+        .authorized(user)
+        .executeExpectSuccess(UsernameHashResponse.class);
+
+
+    // lookup username
+    final AccountIdentifierResponse accountIdentifierResponse = Operations
+        .apiGet("/v1/accounts/username_hash/" + Base64.getUrlEncoder().encodeToString(reservedHash))
+        .executeExpectSuccess(AccountIdentifierResponse.class);
+    assertEquals(new AciServiceIdentifier(user.aciUuid()), accountIdentifierResponse.uuid());
+    // try authorized
+    Operations
+        .apiGet("/v1/accounts/username_hash/" + Base64.getUrlEncoder().encodeToString(reservedHash))
+        .authorized(user)
+        .executeExpectStatusCode(HttpStatus.SC_BAD_REQUEST);
+
+    // delete username
+    Operations
+        .apiDelete("/v1/accounts/username_hash")
+        .authorized(user)
+        .executeExpectSuccess();
+  }
+}

integration-tests/src/test/java/org/signal/integration/MessagingTest.java

@@ -0,0 +1,48 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+
+import java.nio.charset.StandardCharsets;
+import java.util.List;
+import org.apache.commons.lang3.tuple.Pair;
+import org.junit.jupiter.api.Test;
+import org.whispersystems.textsecuregcm.entities.IncomingMessage;
+import org.whispersystems.textsecuregcm.entities.IncomingMessageList;
+import org.whispersystems.textsecuregcm.entities.OutgoingMessageEntityList;
+import org.whispersystems.textsecuregcm.entities.SendMessageResponse;
+import org.whispersystems.textsecuregcm.storage.Device;
+
+public class MessagingTest {
+
+  @Test
+  public void testSendMessageUnsealed() {
+    final TestUser userA = Operations.newRegisteredUser("+19995550102");
+    final TestUser userB = Operations.newRegisteredUser("+19995550103");
+
+    try {
+      final byte[] expectedContent = "Hello, World!".getBytes(StandardCharsets.UTF_8);
+      final IncomingMessage message = new IncomingMessage(1, Device.PRIMARY_ID, userB.registrationId(), expectedContent);
+      final IncomingMessageList messages = new IncomingMessageList(List.of(message), false, true, System.currentTimeMillis());
+
+      Operations
+          .apiPut("/v1/messages/%s".formatted(userB.aciUuid().toString()), messages)
+          .authorized(userA)
+          .execute(SendMessageResponse.class);
+
+      final Pair<Integer, OutgoingMessageEntityList> receiveMessages = Operations.apiGet("/v1/messages")
+          .authorized(userB)
+          .execute(OutgoingMessageEntityList.class);
+
+      final byte[] actualContent = receiveMessages.getRight().messages().getFirst().content();
+      assertArrayEquals(expectedContent, actualContent);
+    } finally {
+      Operations.deleteUser(userA);
+      Operations.deleteUser(userB);
+    }
+  }
+}

integration-tests/src/test/java/org/signal/integration/RegistrationTest.java

@@ -0,0 +1,61 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import io.micrometer.common.util.StringUtils;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.whispersystems.textsecuregcm.entities.CreateVerificationSessionRequest;
+import org.whispersystems.textsecuregcm.entities.SubmitVerificationCodeRequest;
+import org.whispersystems.textsecuregcm.entities.UpdateVerificationSessionRequest;
+import org.whispersystems.textsecuregcm.entities.VerificationCodeRequest;
+import org.whispersystems.textsecuregcm.entities.VerificationSessionResponse;
+
+public class RegistrationTest {
+
+  @Test
+  public void testRegistration() throws Exception {
+    final UpdateVerificationSessionRequest originalRequest = new UpdateVerificationSessionRequest(
+        "test", UpdateVerificationSessionRequest.PushTokenType.FCM, null, null, null, null);
+
+    final Operations.PrescribedVerificationNumber params = Operations.prescribedVerificationNumber();
+    final CreateVerificationSessionRequest input = new CreateVerificationSessionRequest(params.number(),
+        originalRequest);
+
+    final VerificationSessionResponse verificationSessionResponse = Operations
+        .apiPost("/v1/verification/session", input)
+        .executeExpectSuccess(VerificationSessionResponse.class);
+
+    final String sessionId = verificationSessionResponse.id();
+    Assertions.assertTrue(StringUtils.isNotBlank(sessionId));
+
+    final String pushChallenge = Operations.peekVerificationSessionPushChallenge(sessionId);
+
+    // supply push challenge
+    final UpdateVerificationSessionRequest updatedRequest = new UpdateVerificationSessionRequest(
+        "test", UpdateVerificationSessionRequest.PushTokenType.FCM, pushChallenge, null, null, null);
+    final VerificationSessionResponse pushChallengeSupplied = Operations
+        .apiPatch("/v1/verification/session/%s".formatted(sessionId), updatedRequest)
+        .executeExpectSuccess(VerificationSessionResponse.class);
+
+    Assertions.assertTrue(pushChallengeSupplied.allowedToRequestCode());
+
+    // request code
+    final VerificationCodeRequest verificationCodeRequest = new VerificationCodeRequest(
+        VerificationCodeRequest.Transport.SMS, "android-ng");
+
+    final VerificationSessionResponse codeRequested = Operations
+        .apiPost("/v1/verification/session/%s/code".formatted(sessionId), verificationCodeRequest)
+        .executeExpectSuccess(VerificationSessionResponse.class);
+
+    // verify code
+    final SubmitVerificationCodeRequest submitVerificationCodeRequest = new SubmitVerificationCodeRequest(
+        params.verificationCode());
+    final VerificationSessionResponse codeVerified = Operations
+        .apiPut("/v1/verification/session/%s/code".formatted(sessionId), submitVerificationCodeRequest)
+        .executeExpectSuccess(VerificationSessionResponse.class);
+  }
+}

mvnw

@@ -19,7 +19,7 @@
 # ----------------------------------------------------------------------------
 
 # ----------------------------------------------------------------------------
-# Maven Start Up Batch script
+# Apache Maven Wrapper startup batch script, version 3.2.0
 #
 # Required ENV vars:
 # ------------------
@@ -27,7 +27,6 @@
 #
 # Optional ENV vars
 # -----------------
-#   M2_HOME - location of maven2's installed home dir
 #   MAVEN_OPTS - parameters passed to the Java VM when running Maven
 #     e.g. to debug Maven itself, use
 #       set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
@@ -54,7 +53,7 @@ fi
 cygwin=false;
 darwin=false;
 mingw=false
-case "`uname`" in
+case "$(uname)" in
   CYGWIN*) cygwin=true ;;
   MINGW*) mingw=true;;
   Darwin*) darwin=true
@@ -62,9 +61,9 @@ case "`uname`" in
     # See https://developer.apple.com/library/mac/qa/qa1170/_index.html
     if [ -z "$JAVA_HOME" ]; then
       if [ -x "/usr/libexec/java_home" ]; then
-        export JAVA_HOME="`/usr/libexec/java_home`"
+        JAVA_HOME="$(/usr/libexec/java_home)"; export JAVA_HOME
       else
-        export JAVA_HOME="/Library/Java/Home"
+        JAVA_HOME="/Library/Java/Home"; export JAVA_HOME
       fi
     fi
     ;;
@@ -72,68 +71,38 @@ esac
 
 if [ -z "$JAVA_HOME" ] ; then
   if [ -r /etc/gentoo-release ] ; then
-    JAVA_HOME=`java-config --jre-home`
+    JAVA_HOME=$(java-config --jre-home)
   fi
 fi
 
-if [ -z "$M2_HOME" ] ; then
-  ## resolve links - $0 may be a link to maven's home
-  PRG="$0"
-
-  # need this for relative symlinks
-  while [ -h "$PRG" ] ; do
-    ls=`ls -ld "$PRG"`
-    link=`expr "$ls" : '.*-> \(.*\)$'`
-    if expr "$link" : '/.*' > /dev/null; then
-      PRG="$link"
-    else
-      PRG="`dirname "$PRG"`/$link"
-    fi
-  done
-
-  saveddir=`pwd`
-
-  M2_HOME=`dirname "$PRG"`/..
-
-  # make it fully qualified
-  M2_HOME=`cd "$M2_HOME" && pwd`
-
-  cd "$saveddir"
-  # echo Using m2 at $M2_HOME
-fi
-
 # For Cygwin, ensure paths are in UNIX format before anything is touched
 if $cygwin ; then
-  [ -n "$M2_HOME" ] &&
-    M2_HOME=`cygpath --unix "$M2_HOME"`
   [ -n "$JAVA_HOME" ] &&
-    JAVA_HOME=`cygpath --unix "$JAVA_HOME"`
+    JAVA_HOME=$(cygpath --unix "$JAVA_HOME")
   [ -n "$CLASSPATH" ] &&
-    CLASSPATH=`cygpath --path --unix "$CLASSPATH"`
+    CLASSPATH=$(cygpath --path --unix "$CLASSPATH")
 fi
 
 # For Mingw, ensure paths are in UNIX format before anything is touched
 if $mingw ; then
-  [ -n "$M2_HOME" ] &&
-    M2_HOME="`(cd "$M2_HOME"; pwd)`"
-  [ -n "$JAVA_HOME" ] &&
-    JAVA_HOME="`(cd "$JAVA_HOME"; pwd)`"
+  [ -n "$JAVA_HOME" ] && [ -d "$JAVA_HOME" ] &&
+    JAVA_HOME="$(cd "$JAVA_HOME" || (echo "cannot cd into $JAVA_HOME."; exit 1); pwd)"
 fi
 
 if [ -z "$JAVA_HOME" ]; then
-  javaExecutable="`which javac`"
-  if [ -n "$javaExecutable" ] && ! [ "`expr \"$javaExecutable\" : '\([^ ]*\)'`" = "no" ]; then
+  javaExecutable="$(which javac)"
+  if [ -n "$javaExecutable" ] && ! [ "$(expr "\"$javaExecutable\"" : '\([^ ]*\)')" = "no" ]; then
     # readlink(1) is not available as standard on Solaris 10.
-    readLink=`which readlink`
-    if [ ! `expr "$readLink" : '\([^ ]*\)'` = "no" ]; then
+    readLink=$(which readlink)
+    if [ ! "$(expr "$readLink" : '\([^ ]*\)')" = "no" ]; then
       if $darwin ; then
-        javaHome="`dirname \"$javaExecutable\"`"
-        javaExecutable="`cd \"$javaHome\" && pwd -P`/javac"
+        javaHome="$(dirname "\"$javaExecutable\"")"
+        javaExecutable="$(cd "\"$javaHome\"" && pwd -P)/javac"
       else
-        javaExecutable="`readlink -f \"$javaExecutable\"`"
+        javaExecutable="$(readlink -f "\"$javaExecutable\"")"
       fi
-      javaHome="`dirname \"$javaExecutable\"`"
-      javaHome=`expr "$javaHome" : '\(.*\)/bin'`
+      javaHome="$(dirname "\"$javaExecutable\"")"
+      javaHome=$(expr "$javaHome" : '\(.*\)/bin')
       JAVA_HOME="$javaHome"
       export JAVA_HOME
     fi
@@ -149,7 +118,7 @@ if [ -z "$JAVACMD" ] ; then
       JAVACMD="$JAVA_HOME/bin/java"
     fi
   else
-    JAVACMD="`\\unset -f command; \\command -v java`"
+    JAVACMD="$(\unset -f command 2>/dev/null; \command -v java)"
   fi
 fi
 
@@ -163,12 +132,9 @@ if [ -z "$JAVA_HOME" ] ; then
   echo "Warning: JAVA_HOME environment variable is not set."
 fi
 
-CLASSWORLDS_LAUNCHER=org.codehaus.plexus.classworlds.launcher.Launcher
-
 # traverses directory structure from process work directory to filesystem root
 # first directory with .mvn subdirectory is considered project base directory
 find_maven_basedir() {
-
   if [ -z "$1" ]
   then
     echo "Path not specified to find_maven_basedir"
@@ -184,96 +150,99 @@ find_maven_basedir() {
     fi
     # workaround for JBEAP-8937 (on Solaris 10/Sparc)
     if [ -d "${wdir}" ]; then
-      wdir=`cd "$wdir/.."; pwd`
+      wdir=$(cd "$wdir/.." || exit 1; pwd)
     fi
     # end of workaround
   done
-  echo "${basedir}"
+  printf '%s' "$(cd "$basedir" || exit 1; pwd)"
 }
 
 # concatenates all lines of a file
 concat_lines() {
   if [ -f "$1" ]; then
-    echo "$(tr -s '\n' ' ' < "$1")"
+    # Remove \r in case we run on Windows within Git Bash
+    # and check out the repository with auto CRLF management
+    # enabled. Otherwise, we may read lines that are delimited with
+    # \r\n and produce $'-Xarg\r' rather than -Xarg due to word
+    # splitting rules.
+    tr -s '\r\n' ' ' < "$1"
   fi
 }
 
-BASE_DIR=`find_maven_basedir "$(pwd)"`
+log() {
+  if [ "$MVNW_VERBOSE" = true ]; then
+    printf '%s\n' "$1"
+  fi
+}
+
+BASE_DIR=$(find_maven_basedir "$(dirname "$0")")
 if [ -z "$BASE_DIR" ]; then
   exit 1;
 fi
 
+MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"}; export MAVEN_PROJECTBASEDIR
+log "$MAVEN_PROJECTBASEDIR"
+
 ##########################################################################################
 # Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
 # This allows using the maven wrapper in projects that prohibit checking in binary data.
 ##########################################################################################
-if [ -r "$BASE_DIR/.mvn/wrapper/maven-wrapper.jar" ]; then
-    if [ "$MVNW_VERBOSE" = true ]; then
-      echo "Found .mvn/wrapper/maven-wrapper.jar"
-    fi
+wrapperJarPath="$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar"
+if [ -r "$wrapperJarPath" ]; then
+    log "Found $wrapperJarPath"
 else
-    if [ "$MVNW_VERBOSE" = true ]; then
-      echo "Couldn't find .mvn/wrapper/maven-wrapper.jar, downloading it ..."
-    fi
+    log "Couldn't find $wrapperJarPath, downloading it ..."
+
     if [ -n "$MVNW_REPOURL" ]; then
-      jarUrl="$MVNW_REPOURL/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar"
+      wrapperUrl="$MVNW_REPOURL/org/apache/maven/wrapper/maven-wrapper/3.2.0/maven-wrapper-3.2.0.jar"
     else
-      jarUrl="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar"
+      wrapperUrl="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.2.0/maven-wrapper-3.2.0.jar"
     fi
-    while IFS="=" read key value; do
-      case "$key" in (wrapperUrl) jarUrl="$value"; break ;;
+    while IFS="=" read -r key value; do
+      # Remove '\r' from value to allow usage on windows as IFS does not consider '\r' as a separator ( considers space, tab, new line ('\n'), and custom '=' )
+      safeValue=$(echo "$value" | tr -d '\r')
+      case "$key" in (wrapperUrl) wrapperUrl="$safeValue"; break ;;
       esac
-    done < "$BASE_DIR/.mvn/wrapper/maven-wrapper.properties"
-    if [ "$MVNW_VERBOSE" = true ]; then
-      echo "Downloading from: $jarUrl"
-    fi
-    wrapperJarPath="$BASE_DIR/.mvn/wrapper/maven-wrapper.jar"
+    done < "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.properties"
+    log "Downloading from: $wrapperUrl"
+
     if $cygwin; then
-      wrapperJarPath=`cygpath --path --windows "$wrapperJarPath"`
+      wrapperJarPath=$(cygpath --path --windows "$wrapperJarPath")
     fi
 
     if command -v wget > /dev/null; then
-        if [ "$MVNW_VERBOSE" = true ]; then
-          echo "Found wget ... using wget"
-        fi
+        log "Found wget ... using wget"
+        [ "$MVNW_VERBOSE" = true ] && QUIET="" || QUIET="--quiet"
         if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
-            wget "$jarUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath"
+            wget $QUIET "$wrapperUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath"
         else
-            wget --http-user=$MVNW_USERNAME --http-password=$MVNW_PASSWORD "$jarUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath"
+            wget $QUIET --http-user="$MVNW_USERNAME" --http-password="$MVNW_PASSWORD" "$wrapperUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath"
         fi
     elif command -v curl > /dev/null; then
-        if [ "$MVNW_VERBOSE" = true ]; then
-          echo "Found curl ... using curl"
-        fi
+        log "Found curl ... using curl"
+        [ "$MVNW_VERBOSE" = true ] && QUIET="" || QUIET="--silent"
         if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
-            curl -o "$wrapperJarPath" "$jarUrl" -f
+            curl $QUIET -o "$wrapperJarPath" "$wrapperUrl" -f -L || rm -f "$wrapperJarPath"
         else
-            curl --user $MVNW_USERNAME:$MVNW_PASSWORD -o "$wrapperJarPath" "$jarUrl" -f
+            curl $QUIET --user "$MVNW_USERNAME:$MVNW_PASSWORD" -o "$wrapperJarPath" "$wrapperUrl" -f -L || rm -f "$wrapperJarPath"
         fi
-
     else
-        if [ "$MVNW_VERBOSE" = true ]; then
-          echo "Falling back to using Java to download"
-        fi
-        javaClass="$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.java"
+        log "Falling back to using Java to download"
+        javaSource="$MAVEN_PROJECTBASEDIR/.mvn/wrapper/MavenWrapperDownloader.java"
+        javaClass="$MAVEN_PROJECTBASEDIR/.mvn/wrapper/MavenWrapperDownloader.class"
         # For Cygwin, switch paths to Windows format before running javac
         if $cygwin; then
-          javaClass=`cygpath --path --windows "$javaClass"`
+          javaSource=$(cygpath --path --windows "$javaSource")
+          javaClass=$(cygpath --path --windows "$javaClass")
         fi
-        if [ -e "$javaClass" ]; then
-            if [ ! -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
-                if [ "$MVNW_VERBOSE" = true ]; then
-                  echo " - Compiling MavenWrapperDownloader.java ..."
-                fi
-                # Compiling the Java class
-                ("$JAVA_HOME/bin/javac" "$javaClass")
+        if [ -e "$javaSource" ]; then
+            if [ ! -e "$javaClass" ]; then
+                log " - Compiling MavenWrapperDownloader.java ..."
+                ("$JAVA_HOME/bin/javac" "$javaSource")
             fi
-            if [ -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
-                # Running the downloader
-                if [ "$MVNW_VERBOSE" = true ]; then
-                  echo " - Running MavenWrapperDownloader.java ..."
-                fi
-                ("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$MAVEN_PROJECTBASEDIR")
+            if [ -e "$javaClass" ]; then
+                log " - Running MavenWrapperDownloader.java ..."
+                ("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$wrapperUrl" "$wrapperJarPath") || rm -f "$wrapperJarPath"
             fi
         fi
     fi
@@ -282,35 +251,58 @@ fi
 # End of extension
 ##########################################################################################
 
-export MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"}
-if [ "$MVNW_VERBOSE" = true ]; then
-  echo $MAVEN_PROJECTBASEDIR
+# If specified, validate the SHA-256 sum of the Maven wrapper jar file
+wrapperSha256Sum=""
+while IFS="=" read -r key value; do
+  case "$key" in (wrapperSha256Sum) wrapperSha256Sum=$value; break ;;
+  esac
+done < "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.properties"
+if [ -n "$wrapperSha256Sum" ]; then
+  wrapperSha256Result=false
+  if command -v sha256sum > /dev/null; then
+    if echo "$wrapperSha256Sum  $wrapperJarPath" | sha256sum -c - > /dev/null 2>&1; then
+      wrapperSha256Result=true
+    fi
+  elif command -v shasum > /dev/null; then
+    if echo "$wrapperSha256Sum  $wrapperJarPath" | shasum -a 256 -c > /dev/null 2>&1; then
+      wrapperSha256Result=true
+    fi
+  else
+    echo "Checksum validation was requested but neither 'sha256sum' or 'shasum' are available."
+    echo "Please install either command, or disable validation by removing 'wrapperSha256Sum' from your maven-wrapper.properties."
+    exit 1
+  fi
+  if [ $wrapperSha256Result = false ]; then
+    echo "Error: Failed to validate Maven wrapper SHA-256, your Maven wrapper might be compromised." >&2
+    echo "Investigate or delete $wrapperJarPath to attempt a clean download." >&2
+    echo "If you updated your Maven version, you need to update the specified wrapperSha256Sum property." >&2
+    exit 1
+  fi
 fi
+
 MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS"
 
 # For Cygwin, switch paths to Windows format before running java
 if $cygwin; then
-  [ -n "$M2_HOME" ] &&
-    M2_HOME=`cygpath --path --windows "$M2_HOME"`
   [ -n "$JAVA_HOME" ] &&
-    JAVA_HOME=`cygpath --path --windows "$JAVA_HOME"`
+    JAVA_HOME=$(cygpath --path --windows "$JAVA_HOME")
   [ -n "$CLASSPATH" ] &&
-    CLASSPATH=`cygpath --path --windows "$CLASSPATH"`
+    CLASSPATH=$(cygpath --path --windows "$CLASSPATH")
   [ -n "$MAVEN_PROJECTBASEDIR" ] &&
-    MAVEN_PROJECTBASEDIR=`cygpath --path --windows "$MAVEN_PROJECTBASEDIR"`
+    MAVEN_PROJECTBASEDIR=$(cygpath --path --windows "$MAVEN_PROJECTBASEDIR")
 fi
 
 # Provide a "standardized" way to retrieve the CLI args that will
 # work with both Windows and non-Windows executions.
-MAVEN_CMD_LINE_ARGS="$MAVEN_CONFIG $@"
+MAVEN_CMD_LINE_ARGS="$MAVEN_CONFIG $*"
 export MAVEN_CMD_LINE_ARGS
 
 WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
 
+# shellcheck disable=SC2086 # safe args
 exec "$JAVACMD" \
   $MAVEN_OPTS \
   $MAVEN_DEBUG_OPTS \
   -classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \
-  "-Dmaven.home=${M2_HOME}" \
   "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \
   ${WRAPPER_LAUNCHER} $MAVEN_CONFIG "$@"

mvnw.cmd

@@ -18,13 +18,12 @@
 @REM ----------------------------------------------------------------------------
 
 @REM ----------------------------------------------------------------------------
-@REM Maven Start Up Batch script
+@REM Apache Maven Wrapper startup batch script, version 3.2.0
 @REM
 @REM Required ENV vars:
 @REM JAVA_HOME - location of a JDK home dir
 @REM
 @REM Optional ENV vars
-@REM M2_HOME - location of maven2's installed home dir
 @REM MAVEN_BATCH_ECHO - set to 'on' to enable the echoing of the batch commands
 @REM MAVEN_BATCH_PAUSE - set to 'on' to wait for a keystroke before ending
 @REM MAVEN_OPTS - parameters passed to the Java VM when running Maven
@@ -120,10 +119,10 @@ SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe"
 set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar"
 set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
 
-set DOWNLOAD_URL="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar"
+set WRAPPER_URL="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.2.0/maven-wrapper-3.2.0.jar"
 
 FOR /F "usebackq tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO (
-    IF "%%A"=="wrapperUrl" SET DOWNLOAD_URL=%%B
+    IF "%%A"=="wrapperUrl" SET WRAPPER_URL=%%B
 )
 
 @REM Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
@@ -134,11 +133,11 @@ if exist %WRAPPER_JAR% (
     )
 ) else (
     if not "%MVNW_REPOURL%" == "" (
-        SET DOWNLOAD_URL="%MVNW_REPOURL%/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar"
+        SET WRAPPER_URL="%MVNW_REPOURL%/org/apache/maven/wrapper/maven-wrapper/3.2.0/maven-wrapper-3.2.0.jar"
     )
     if "%MVNW_VERBOSE%" == "true" (
         echo Couldn't find %WRAPPER_JAR%, downloading it ...
-        echo Downloading from: %DOWNLOAD_URL%
+        echo Downloading from: %WRAPPER_URL%
     )
 
     powershell -Command "&{"^
@@ -146,7 +145,7 @@ if exist %WRAPPER_JAR% (
 		"if (-not ([string]::IsNullOrEmpty('%MVNW_USERNAME%') -and [string]::IsNullOrEmpty('%MVNW_PASSWORD%'))) {"^
 		"$webclient.Credentials = new-object System.Net.NetworkCredential('%MVNW_USERNAME%', '%MVNW_PASSWORD%');"^
 		"}"^
-		"[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $webclient.DownloadFile('%DOWNLOAD_URL%', '%WRAPPER_JAR%')"^
+		"[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $webclient.DownloadFile('%WRAPPER_URL%', '%WRAPPER_JAR%')"^
 		"}"
     if "%MVNW_VERBOSE%" == "true" (
         echo Finished downloading %WRAPPER_JAR%
@@ -154,6 +153,24 @@ if exist %WRAPPER_JAR% (
 )
 @REM End of extension
 
+@REM If specified, validate the SHA-256 sum of the Maven wrapper jar file
+SET WRAPPER_SHA_256_SUM=""
+FOR /F "usebackq tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO (
+    IF "%%A"=="wrapperSha256Sum" SET WRAPPER_SHA_256_SUM=%%B
+)
+IF NOT %WRAPPER_SHA_256_SUM%=="" (
+    powershell -Command "&{"^
+       "$hash = (Get-FileHash \"%WRAPPER_JAR%\" -Algorithm SHA256).Hash.ToLower();"^
+       "If('%WRAPPER_SHA_256_SUM%' -ne $hash){"^
+       "  Write-Output 'Error: Failed to validate Maven wrapper SHA-256, your Maven wrapper might be compromised.';"^
+       "  Write-Output 'Investigate or delete %WRAPPER_JAR% to attempt a clean download.';"^
+       "  Write-Output 'If you updated your Maven version, you need to update the specified wrapperSha256Sum property.';"^
+       "  exit 1;"^
+       "}"^
+       "}"
+    if ERRORLEVEL 1 goto error
+)
+
 @REM Provide a "standardized" way to retrieve the CLI args that will
 @REM work with both Windows and non-Windows executions.
 set MAVEN_CMD_LINE_ARGS=%*

pom.xml

@@ -14,11 +14,6 @@
         <enabled>false</enabled>
       </snapshots>
     </repository>
-    <repository>
-      <id>dynamodb-local-oregon</id>
-      <name>DynamoDB Local Release Repository</name>
-      <url>https://s3-us-west-2.amazonaws.com/dynamodb-local/release</url>
-    </repository>
   </repositories>
 
   <pluginRepositories>
@@ -35,42 +30,56 @@
   </pluginRepositories>
 
   <modules>
-    <module>event-logger</module>
-    <module>redis-dispatch</module>
-    <module>websocket-resources</module>
+    <module>api-doc</module>
+    <module>integration-tests</module>
     <module>service</module>
+    <module>websocket-resources</module>
   </modules>
 
   <properties>
-    <aws.sdk.version>1.12.287</aws.sdk.version>
-    <aws.sdk2.version>2.17.258</aws.sdk2.version>
-    <commons-codec.version>1.15</commons-codec.version>
-    <commons-csv.version>1.8</commons-csv.version>
-    <commons-io.version>2.9.0</commons-io.version>
-    <dropwizard.version>2.0.32</dropwizard.version>
-    <dropwizard-metrics-datadog.version>1.1.13</dropwizard-metrics-datadog.version>
-    <grpc.version>1.49.2</grpc.version>
-    <gson.version>2.9.0</gson.version>
-    <guava.version>30.1.1-jre</guava.version>
-    <jackson.version>2.13.4</jackson.version>
-    <jaxb.version>2.3.1</jaxb.version>
-    <jedis.version>2.9.0</jedis.version>
-    <kotlin.version>1.7.10</kotlin.version>
-    <kotlinx-serialization.version>1.4.0</kotlinx-serialization.version>
-    <lettuce.version>6.2.0.RELEASE</lettuce.version>
-    <libphonenumber.version>8.12.54</libphonenumber.version>
-    <logstash.logback.version>7.0.1</logstash.logback.version>
-    <micrometer.version>1.9.3</micrometer.version>
-    <mockito.version>4.7.0</mockito.version>
-    <netty.version>4.1.82.Final</netty.version>
-    <opentest4j.version>1.2.0</opentest4j.version>
-    <protobuf.version>3.21.7</protobuf.version>
-    <pushy.version>0.15.1</pushy.version>
-    <resilience4j.version>1.7.0</resilience4j.version>
+    <aws.sdk2.version>2.31.9</aws.sdk2.version>
+    <braintree.version>3.40.0</braintree.version>
+    <commons-csv.version>1.14.0</commons-csv.version>
+    <commons-io.version>2.18.0</commons-io.version>
+    <dropwizard.version>4.0.12</dropwizard.version>
+    <dropwizard-metrics-datadog.version>1.1.14</dropwizard-metrics-datadog.version>
+    <!-- can be updated to latest version with Dropwizard 5 (Jetty 12); will then need to disable telemetry -->
+    <dynamodblocal.version>2.2.1</dynamodblocal.version>
+    <google-cloud-libraries.version>26.57.0</google-cloud-libraries.version>
+    <grpc.version>1.70.0</grpc.version> <!-- should be kept in sync with the value from Google libraries-bom -->
+    <gson.version>2.12.1</gson.version>
+    <!-- several libraries (AWS, Google Cloud) use Apache http components transitively, and we need to align them -->
+    <httpcore.version>4.4.16</httpcore.version>
+    <httpclient.version>4.5.14</httpclient.version>
+    <jackson.version>2.18.3</jackson.version>
+    <junit-pioneer.version>2.3.0</junit-pioneer.version>
+    <jsr305.version>3.0.2</jsr305.version>
+    <kotlin.version>2.1.20</kotlin.version>
+    <!-- Logback 1.5.14+ has a null pointer bug: https://github.com/qos-ch/logback/issues/929. -->
+    <logback.version>1.5.13</logback.version>
+    <logback-access.version>2.0.5</logback-access.version>
+    <lettuce.version>6.5.5.RELEASE</lettuce.version>
+    <libphonenumber.version>9.0.2</libphonenumber.version>
+    <logstash.logback.version>7.3</logstash.logback.version>
+    <log4j-bom.version>2.24.3</log4j-bom.version>
+    <luajava.version>3.5.0</luajava.version>
+    <micrometer.version>1.14.5</micrometer.version>
+    <netty.version>4.1.119.Final</netty.version>
+    <!-- Must be less than or equal to the value from Google libraries-bom which controls the protobuf runtime version.
+    See https://protobuf.dev/support/cross-version-runtime-guarantee/. -->
+    <protoc.version>4.29.4</protoc.version>
+    <pushy.version>0.15.4</pushy.version>
+    <reactive.grpc.version>1.2.4</reactive.grpc.version>
+    <reactor-bom.version>2024.0.4</reactor-bom.version> <!-- 3.7.4, see https://github.com/reactor/reactor#bom-versioning-scheme -->
+    <resilience4j.version>2.3.0</resilience4j.version>
     <semver4j.version>3.1.0</semver4j.version>
-    <slf4j.version>1.7.30</slf4j.version>
-    <stripe.version>21.2.0</stripe.version>
-    <vavr.version>0.10.4</vavr.version>
+    <simple-grpc.version>0.1.0</simple-grpc.version>
+    <slf4j.version>2.0.17</slf4j.version>
+    <stripe.version>23.10.0</stripe.version>
+    <swagger.version>2.2.27</swagger.version>
+
+    <!-- eclipse-temurin:21.0.6_7-jre-jammy (note: always use the multi-arch manifest *LIST* here) -->
+    <docker.image.sha256>02fc89fa8766a9ba221e69225f8d1c10bb91885ddbd3c112448e23488ba40ab6</docker.image.sha256>
 
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
   </properties>
@@ -95,13 +104,6 @@
         <type>pom</type>
         <scope>import</scope>
       </dependency>
-      <dependency>
-        <groupId>io.grpc</groupId>
-        <artifactId>grpc-bom</artifactId>
-        <version>${grpc.version}</version>
-        <type>pom</type>
-        <scope>import</scope>
-      </dependency>
       <!-- Needed for gRPC with Java 9+ -->
       <dependency>
         <groupId>org.apache.tomcat</groupId>
@@ -116,13 +118,6 @@
         <type>pom</type>
         <scope>import</scope>
       </dependency>
-      <dependency>
-        <groupId>com.amazonaws</groupId>
-        <artifactId>aws-java-sdk-bom</artifactId>
-        <version>${aws.sdk.version}</version>
-        <type>pom</type>
-        <scope>import</scope>
-      </dependency>
       <dependency>
         <groupId>software.amazon.awssdk</groupId>
         <artifactId>bom</artifactId>
@@ -133,10 +128,15 @@
       <dependency>
         <groupId>com.google.cloud</groupId>
         <artifactId>libraries-bom</artifactId>
-        <version>26.1.0</version>
+        <version>${google-cloud-libraries.version}</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>
+      <dependency>
+        <groupId>com.salesforce.servicelibs</groupId>
+        <artifactId>reactor-grpc-stub</artifactId>
+        <version>${reactive.grpc.version}</version>
+      </dependency>
       <dependency>
         <groupId>io.github.resilience4j</groupId>
         <artifactId>resilience4j-bom</artifactId>
@@ -154,7 +154,14 @@
       <dependency>
         <groupId>io.projectreactor</groupId>
         <artifactId>reactor-bom</artifactId>
-        <version>2020.0.23</version> <!-- 3.4.x, see https://github.com/reactor/reactor#bom-versioning-scheme -->
+        <version>${reactor-bom.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+      <dependency>
+        <groupId>org.jetbrains.kotlin</groupId>
+        <artifactId>kotlin-bom</artifactId>
+        <version>${kotlin.version}</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>
@@ -168,16 +175,6 @@
         <artifactId>pushy-dropwizard-metrics-listener</artifactId>
         <version>${pushy.version}</version>
       </dependency>
-      <dependency>
-        <groupId>com.google.guava</groupId>
-        <artifactId>guava</artifactId>
-        <version>${guava.version}</version>
-      </dependency>
-      <dependency>
-        <groupId>com.google.protobuf</groupId>
-        <artifactId>protobuf-java</artifactId>
-        <version>${protobuf.version}</version>
-      </dependency>
       <dependency>
         <groupId>com.googlecode.libphonenumber</groupId>
         <artifactId>libphonenumber</artifactId>
@@ -188,11 +185,6 @@
         <artifactId>semver4j</artifactId>
         <version>${semver4j.version}</version>
       </dependency>
-      <dependency>
-        <groupId>commons-codec</groupId>
-        <artifactId>commons-codec</artifactId>
-        <version>${commons-codec.version}</version>
-      </dependency>
       <dependency>
         <groupId>commons-io</groupId>
         <artifactId>commons-io</artifactId>
@@ -203,16 +195,6 @@
         <artifactId>lettuce-core</artifactId>
         <version>${lettuce.version}</version>
       </dependency>
-      <dependency>
-        <groupId>io.vavr</groupId>
-        <artifactId>vavr</artifactId>
-        <version>${vavr.version}</version>
-      </dependency>
-      <dependency>
-        <groupId>javax.xml.bind</groupId>
-        <artifactId>jaxb-api</artifactId>
-        <version>${jaxb.version}</version>
-      </dependency>
       <dependency>
         <groupId>net.logstash.logback</groupId>
         <artifactId>logstash-logback-encoder</artifactId>
@@ -228,30 +210,6 @@
         <artifactId>dropwizard-metrics-datadog</artifactId>
         <version>${dropwizard-metrics-datadog.version}</version>
       </dependency>
-      <dependency>
-        <groupId>org.glassfish.jaxb</groupId>
-        <artifactId>jaxb-runtime</artifactId>
-        <version>${jaxb.version}</version>
-        <scope>runtime</scope>
-      </dependency>
-      <dependency>
-        <groupId>org.mockito</groupId>
-        <artifactId>mockito-core</artifactId>
-        <version>${mockito.version}</version>
-        <scope>test</scope>
-      </dependency>
-      <dependency>
-        <groupId>org.mockito</groupId>
-        <artifactId>mockito-inline</artifactId>
-        <version>${mockito.version}</version>
-        <scope>test</scope>
-      </dependency>
-      <dependency>
-        <groupId>org.opentest4j</groupId>
-        <artifactId>opentest4j</artifactId>
-        <version>${opentest4j.version}</version>
-        <scope>test</scope>
-      </dependency>
       <dependency>
         <groupId>org.slf4j</groupId>
         <artifactId>slf4j-api</artifactId>
@@ -263,20 +221,15 @@
         <version>${slf4j.version}</version>
         <scope>test</scope>
       </dependency>
-      <dependency>
-        <groupId>redis.clients</groupId>
-        <artifactId>jedis</artifactId>
-        <version>${jedis.version}</version>
-      </dependency>
       <dependency>
         <groupId>commons-logging</groupId>
         <artifactId>commons-logging</artifactId>
-        <version>1.2</version>
+        <version>1.3.5</version>
       </dependency>
       <dependency>
         <groupId>org.ow2.asm</groupId>
         <artifactId>asm</artifactId>
-        <version>9.2</version>
+        <version>9.7.1 </version>
         <scope>test</scope>
       </dependency>
       <dependency>
@@ -284,6 +237,16 @@
         <artifactId>stripe-java</artifactId>
         <version>${stripe.version}</version>
       </dependency>
+      <dependency>
+        <groupId>com.braintreepayments.gateway</groupId>
+        <artifactId>braintree-java</artifactId>
+        <version>${braintree.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>com.google.code.findbugs</groupId>
+        <artifactId>jsr305</artifactId>
+        <version>${jsr305.version}</version>
+      </dependency>
       <dependency>
         <groupId>com.google.code.gson</groupId>
         <artifactId>gson</artifactId>
@@ -292,21 +255,62 @@
       <dependency>
         <groupId>org.signal</groupId>
         <artifactId>embedded-redis</artifactId>
-        <version>0.8.3</version>
+        <version>0.9.1</version>
         <scope>test</scope>
       </dependency>
       <dependency>
         <groupId>org.signal</groupId>
         <artifactId>libsignal-server</artifactId>
-        <version>0.21.1</version>
+        <version>0.67.6</version>
+      </dependency>
+      <dependency>
+        <groupId>org.signal</groupId>
+        <artifactId>simple-grpc-runtime</artifactId>
+        <version>${simple-grpc.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.signal.forks</groupId>
+        <artifactId>noise-java</artifactId>
+        <version>0.1.1</version>
       </dependency>
       <dependency>
         <groupId>org.apache.logging.log4j</groupId>
         <artifactId>log4j-bom</artifactId>
-        <version>2.17.1</version>
+        <version>${log4j-bom.version}</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>
+      <dependency>
+        <groupId>org.apache.httpcomponents</groupId>
+        <artifactId>httpcore</artifactId>
+        <version>${httpcore.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.apache.httpcomponents</groupId>
+        <artifactId>httpclient</artifactId>
+        <version>${httpclient.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>com.amazonaws</groupId>
+        <artifactId>DynamoDBLocal</artifactId>
+        <version>${dynamodblocal.version}</version>
+        <scope>test</scope>
+      </dependency>
+      <dependency>
+        <groupId>ch.qos.logback</groupId>
+        <artifactId>logback-core</artifactId>
+        <version>${logback.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>ch.qos.logback</groupId>
+        <artifactId>logback-classic</artifactId>
+        <version>${logback.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>ch.qos.logback.access</groupId>
+        <artifactId>logback-access-common</artifactId>
+        <version>${logback-access.version}</version>
+      </dependency>
     </dependencies>
   </dependencyManagement>
 
@@ -318,25 +322,18 @@
       <scope>test</scope>
     </dependency>
     <dependency>
-      <groupId>com.github.tomakehurst</groupId>
-      <artifactId>wiremock-jre8</artifactId>
-      <version>2.34.0</version>
+      <groupId>software.amazon.awssdk</groupId>
+      <artifactId>aws-crt-client</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.wiremock</groupId>
+      <artifactId>wiremock</artifactId>
+      <version>3.12.1</version>
       <scope>test</scope>
-      <exclusions>
-        <exclusion>
-          <groupId>org.hamcrest</groupId>
-          <artifactId>hamcrest-core</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>javax.xml.bind</groupId>
-          <artifactId>jaxb-api</artifactId>
-        </exclusion>
-      </exclusions>
     </dependency>
     <dependency>
       <groupId>org.mockito</groupId>
       <artifactId>mockito-core</artifactId>
-      <version>${mockito.version}</version>
       <scope>test</scope>
     </dependency>
     <dependency>
@@ -349,27 +346,33 @@
       <artifactId>junit-jupiter-api</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.junit-pioneer</groupId>
+      <artifactId>junit-pioneer</artifactId>
+      <version>${junit-pioneer.version}</version>
+      <scope>test</scope>
+    </dependency>
 
   </dependencies>
 
   <profiles>
     <profile>
-      <id>include-abusive-message-filter</id>
+      <id>include-spam-filter</id>
       <activation>
         <file>
-          <exists>abusive-message-filter/pom.xml</exists>
+          <exists>spam-filter/pom.xml</exists>
         </file>
       </activation>
       <modules>
-        <module>abusive-message-filter</module>
+        <module>spam-filter</module>
       </modules>
     </profile>
 
     <profile>
-      <id>exclude-abusive-message-filter</id>
+      <id>exclude-spam-filter</id>
       <activation>
         <file>
-          <missing>abusive-message-filter/pom.xml</missing>
+          <missing>spam-filter/pom.xml</missing>
         </file>
       </activation>
     </profile>
@@ -383,6 +386,50 @@
         <version>1.7.0</version>
       </extension>
     </extensions>
+    <pluginManagement>
+      <plugins>
+        <plugin>
+          <groupId>com.google.cloud.tools</groupId>
+          <artifactId>jib-maven-plugin</artifactId>
+          <version>3.4.4</version>
+        </plugin>
+        <plugin>
+          <groupId>org.apache.maven.plugins</groupId>
+          <artifactId>maven-surefire-plugin</artifactId>
+          <version>3.5.2</version>
+        </plugin>
+        <plugin>
+          <groupId>org.apache.maven.plugins</groupId>
+          <artifactId>maven-failsafe-plugin</artifactId>
+          <version>3.5.2</version>
+        </plugin>
+        <plugin>
+          <groupId>org.apache.maven.plugins</groupId>
+          <artifactId>maven-jar-plugin</artifactId>
+          <version>3.4.2</version>
+        </plugin>
+        <plugin>
+          <groupId>org.apache.maven.plugins</groupId>
+          <artifactId>maven-shade-plugin</artifactId>
+          <version>3.6.0</version>
+        </plugin>
+        <plugin>
+          <groupId>org.apache.maven.plugins</groupId>
+          <artifactId>maven-assembly-plugin</artifactId>
+          <version>3.7.1</version>
+        </plugin>
+        <plugin>
+          <groupId>org.codehaus.mojo</groupId>
+          <artifactId>exec-maven-plugin</artifactId>
+          <version>3.1.0</version>
+        </plugin>
+        <plugin>
+          <groupId>org.codehaus.mojo</groupId>
+          <artifactId>properties-maven-plugin</artifactId>
+          <version>1.2.1</version>
+        </plugin>
+      </plugins>
+    </pluginManagement>
     <plugins>
 
       <plugin>
@@ -391,9 +438,27 @@
         <version>0.6.1</version>
         <configuration>
           <checkStaleness>false</checkStaleness>
-          <protocArtifact>com.google.protobuf:protoc:3.21.1:exe:${os.detected.classifier}</protocArtifact>
+          <protocArtifact>com.google.protobuf:protoc:${protoc.version}:exe:${os.detected.classifier}</protocArtifact>
           <pluginId>grpc-java</pluginId>
           <pluginArtifact>io.grpc:protoc-gen-grpc-java:${grpc.version}:exe:${os.detected.classifier}</pluginArtifact>
+
+          <protocPlugins>
+            <protocPlugin>
+              <id>reactor-grpc</id>
+              <groupId>com.salesforce.servicelibs</groupId>
+              <artifactId>reactor-grpc</artifactId>
+              <version>${reactive.grpc.version}</version>
+              <mainClass>com.salesforce.reactorgrpc.ReactorGrpcGenerator</mainClass>
+            </protocPlugin>
+
+            <protocPlugin>
+              <id>simple</id>
+              <groupId>org.signal</groupId>
+              <artifactId>simple-grpc-generator</artifactId>
+              <version>${simple-grpc.version}</version>
+              <mainClass>org.signal.grpc.simple.SimpleGrpcGenerator</mainClass>
+            </protocPlugin>
+          </protocPlugins>
         </configuration>
         <executions>
           <execution>
@@ -401,6 +466,7 @@
               <goal>compile</goal>
               <goal>compile-custom</goal>
               <goal>test-compile</goal>
+              <goal>test-compile-custom</goal>
             </goals>
           </execution>
         </executions>
@@ -409,16 +475,16 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-compiler-plugin</artifactId>
-        <version>3.8.1</version>
+        <version>3.13.0</version>
         <configuration>
-          <release>17</release>
+          <release>21</release>
         </configuration>
       </plugin>
 
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-jar-plugin</artifactId>
-        <version>3.2.0</version>
+        <version>3.4.2</version>
         <configuration>
           <archive>
             <manifest>
@@ -431,41 +497,27 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-dependency-plugin</artifactId>
-        <version>3.1.2</version>
+        <version>3.8.1</version>
         <executions>
           <execution>
-            <id>copy</id>
-            <phase>test-compile</phase>
+            <!--
+              Set dependencies as properties for use in argLine property for mockito jar.
+              The property isn't needed until the test phase, and deferring it from the default
+              `initialize` addresses issues running lifecycle phases that precede `test` in isolation.
+            -->
+            <phase>process-test-classes</phase>
             <goals>
-              <goal>copy-dependencies</goal>
+              <goal>properties</goal>
             </goals>
-            <configuration>
-              <includeScope>test</includeScope>
-              <includeTypes>so,dll,dylib</includeTypes>
-              <outputDirectory>${project.build.directory}/lib</outputDirectory>
-            </configuration>
           </execution>
         </executions>
-      </plugin>
 
-      <plugin>
-        <groupId>org.apache.maven.plugins</groupId>
-        <artifactId>maven-surefire-plugin</artifactId>
-        <version>3.0.0-M5</version>
-        <configuration>
-          <systemProperties>
-            <property>
-              <name>sqlite4java.library.path</name>
-              <value>${project.build.directory}/lib</value>
-            </property>
-          </systemProperties>
-        </configuration>
       </plugin>
 
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-enforcer-plugin</artifactId>
-        <version>3.0.0-M3</version>
+        <version>3.5.0</version>
         <executions>
           <execution>
             <goals>
@@ -475,7 +527,7 @@
               <rules>
                 <dependencyConvergence/>
                 <requireMavenVersion>
-                  <version>3.8.3</version>
+                  <version>3.9.9</version>
                 </requireMavenVersion>
               </rules>
             </configuration>
@@ -486,7 +538,7 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-install-plugin</artifactId>
-        <version>3.0.0-M1</version>
+        <version>3.1.3</version>
         <configuration>
           <skip>true</skip>
         </configuration>
@@ -495,7 +547,7 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-deploy-plugin</artifactId>
-        <version>3.0.0-M1</version>
+        <version>3.1.3</version>
         <configuration>
           <skip>true</skip>
         </configuration>

redis-dispatch/pom.xml

@@ -1,20 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0"
-  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
-  <parent>
-    <artifactId>TextSecureServer</artifactId>
-    <groupId>org.whispersystems.textsecure</groupId>
-    <version>JGITVER</version>
-  </parent>
-  <modelVersion>4.0.0</modelVersion>
-  <artifactId>redis-dispatch</artifactId>
-
-  <dependencies>
-    <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-api</artifactId>
-    </dependency>
-  </dependencies>
-
-</project>

redis-dispatch/src/main/java/org/whispersystems/dispatch/DispatchChannel.java

@@ -1,11 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch;
-
-public interface DispatchChannel {
-  void onDispatchMessage(String channel, byte[] message);
-  void onDispatchSubscribed(String channel);
-  void onDispatchUnsubscribed(String channel);
-}

redis-dispatch/src/main/java/org/whispersystems/dispatch/DispatchManager.java

@@ -1,157 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.whispersystems.dispatch.io.RedisPubSubConnectionFactory;
-import org.whispersystems.dispatch.redis.PubSubConnection;
-import org.whispersystems.dispatch.redis.PubSubReply;
-
-import java.io.IOException;
-import java.util.Map;
-import java.util.Optional;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.concurrent.Executor;
-import java.util.concurrent.Executors;
-
-@SuppressWarnings("OptionalUsedAsFieldOrParameterType")
-public class DispatchManager extends Thread {
-
-  private final Logger                       logger        = LoggerFactory.getLogger(DispatchManager.class);
-  private final Executor                     executor      = Executors.newCachedThreadPool();
-  private final Map<String, DispatchChannel> subscriptions = new ConcurrentHashMap<>();
-
-  private final Optional<DispatchChannel>    deadLetterChannel;
-  private final RedisPubSubConnectionFactory redisPubSubConnectionFactory;
-
-  private          PubSubConnection pubSubConnection;
-  private volatile boolean          running;
-
-  public DispatchManager(RedisPubSubConnectionFactory redisPubSubConnectionFactory,
-                         Optional<DispatchChannel> deadLetterChannel)
-  {
-    this.redisPubSubConnectionFactory = redisPubSubConnectionFactory;
-    this.deadLetterChannel            = deadLetterChannel;
-  }
-
-  @Override
-  public void start() {
-    this.pubSubConnection = redisPubSubConnectionFactory.connect();
-    this.running          = true;
-    super.start();
-  }
-
-  public void shutdown() {
-    this.running = false;
-    this.pubSubConnection.close();
-  }
-
-  public synchronized void subscribe(String name, DispatchChannel dispatchChannel) {
-    Optional<DispatchChannel> previous = Optional.ofNullable(subscriptions.get(name));
-    subscriptions.put(name, dispatchChannel);
-
-    try {
-      pubSubConnection.subscribe(name);
-    } catch (IOException e) {
-      logger.warn("Subscription error", e);
-    }
-
-    previous.ifPresent(channel -> dispatchUnsubscription(name, channel));
-  }
-
-  public synchronized void unsubscribe(String name, DispatchChannel channel) {
-    Optional<DispatchChannel> subscription = Optional.ofNullable(subscriptions.get(name));
-
-    if (subscription.isPresent() && subscription.get() == channel) {
-      subscriptions.remove(name);
-
-      try {
-        pubSubConnection.unsubscribe(name);
-      } catch (IOException e) {
-        logger.warn("Unsubscribe error", e);
-      }
-
-      dispatchUnsubscription(name, subscription.get());
-    }
-  }
-
-  public boolean hasSubscription(String name) {
-    return subscriptions.containsKey(name);
-  }
-  
-  @Override
-  public void run() {
-    while (running) {
-      try {
-        PubSubReply reply = pubSubConnection.read();
-
-        switch (reply.getType()) {
-          case UNSUBSCRIBE:                             break;
-          case SUBSCRIBE:   dispatchSubscribe(reply);   break;
-          case MESSAGE:     dispatchMessage(reply);     break;
-          default:          throw new AssertionError("Unknown pubsub reply type! " + reply.getType());
-        }
-      } catch (IOException e) {
-        logger.warn("***** PubSub Connection Error *****", e);
-        if (running) {
-          this.pubSubConnection.close();
-          this.pubSubConnection = redisPubSubConnectionFactory.connect();
-          resubscribeAll();
-        }
-      }
-    }
-
-    logger.warn("DispatchManager Shutting Down...");
-  }
-
-  private void dispatchSubscribe(final PubSubReply reply) {
-    Optional<DispatchChannel> subscription = Optional.ofNullable(subscriptions.get(reply.getChannel()));
-
-    if (subscription.isPresent()) {
-      dispatchSubscription(reply.getChannel(), subscription.get());
-    } else {
-      logger.info("Received subscribe event for non-existing channel: " + reply.getChannel());
-    }
-  }
-
-  private void dispatchMessage(PubSubReply reply) {
-    Optional<DispatchChannel> subscription = Optional.ofNullable(subscriptions.get(reply.getChannel()));
-
-    if (subscription.isPresent()) {
-      dispatchMessage(reply.getChannel(), subscription.get(), reply.getContent().get());
-    } else if (deadLetterChannel.isPresent()) {
-      dispatchMessage(reply.getChannel(), deadLetterChannel.get(), reply.getContent().get());
-    } else {
-      logger.warn("Received message for non-existing channel, with no dead letter handler: " + reply.getChannel());
-    }
-  }
-
-  private void resubscribeAll() {
-    new Thread(() -> {
-      synchronized (DispatchManager.this) {
-        try {
-          for (String name : subscriptions.keySet()) {
-            pubSubConnection.subscribe(name);
-          }
-        } catch (IOException e) {
-          logger.warn("***** RESUBSCRIPTION ERROR *****", e);
-        }
-      }
-    }).start();
-  }
-
-  private void dispatchMessage(final String name, final DispatchChannel channel, final byte[] message) {
-    executor.execute(() -> channel.onDispatchMessage(name, message));
-  }
-
-  private void dispatchSubscription(final String name, final DispatchChannel channel) {
-    executor.execute(() -> channel.onDispatchSubscribed(name));
-  }
-
-  private void dispatchUnsubscription(final String name, final DispatchChannel channel) {
-    executor.execute(() -> channel.onDispatchUnsubscribed(name));
-  }
-}

redis-dispatch/src/main/java/org/whispersystems/dispatch/io/RedisInputStream.java

@@ -1,68 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.io;
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-
-public class RedisInputStream {
-
-  private static final byte CR = 0x0D;
-  private static final byte LF = 0x0A;
-
-  private final InputStream inputStream;
-
-  public RedisInputStream(InputStream inputStream) {
-    this.inputStream = inputStream;
-  }
-
-  public String readLine() throws IOException {
-    ByteArrayOutputStream baos = new ByteArrayOutputStream();
-
-    boolean foundCr = false;
-
-    while (true) {
-      int character = inputStream.read();
-
-      if (character == -1) {
-        throw new IOException("Stream closed!");
-      }
-
-      baos.write(character);
-
-      if      (foundCr && character == LF) break;
-      else if (character == CR)            foundCr = true;
-      else if (foundCr)                    foundCr = false;
-    }
-
-    byte[] data = baos.toByteArray();
-    return new String(data, 0, data.length-2);
-  }
-
-  public byte[] readFully(int size) throws IOException {
-    byte[] result    = new byte[size];
-    int    offset    = 0;
-    int    remaining = result.length;
-
-    while (remaining > 0) {
-      int read = inputStream.read(result, offset, remaining);
-
-      if (read < 0) {
-        throw new IOException("Stream closed!");
-      }
-
-      offset    += read;
-      remaining -= read;
-    }
-
-    return result;
-  }
-
-  public void close() throws IOException {
-    inputStream.close();
-  }
-
-}

redis-dispatch/src/main/java/org/whispersystems/dispatch/io/RedisPubSubConnectionFactory.java

@@ -1,13 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.io;
-
-import org.whispersystems.dispatch.redis.PubSubConnection;
-
-public interface RedisPubSubConnectionFactory {
-
-  PubSubConnection connect();
-
-}

redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/PubSubConnection.java

@@ -1,123 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.whispersystems.dispatch.io.RedisInputStream;
-import org.whispersystems.dispatch.redis.protocol.ArrayReplyHeader;
-import org.whispersystems.dispatch.redis.protocol.IntReply;
-import org.whispersystems.dispatch.redis.protocol.StringReplyHeader;
-import org.whispersystems.dispatch.util.Util;
-
-import java.io.BufferedInputStream;
-import java.io.IOException;
-import java.io.OutputStream;
-import java.net.Socket;
-import java.util.Arrays;
-import java.util.Optional;
-import java.util.concurrent.atomic.AtomicBoolean;
-
-public class PubSubConnection {
-
-  private final Logger logger = LoggerFactory.getLogger(PubSubConnection.class);
-
-  private static final byte[] UNSUBSCRIBE_TYPE    = {'u', 'n', 's', 'u', 'b', 's', 'c', 'r', 'i', 'b', 'e'     };
-  private static final byte[] SUBSCRIBE_TYPE      = {'s', 'u', 'b', 's', 'c', 'r', 'i', 'b', 'e'               };
-  private static final byte[] MESSAGE_TYPE        = {'m', 'e', 's', 's', 'a', 'g', 'e'                         };
-
-  private static final byte[] SUBSCRIBE_COMMAND   = {'S', 'U', 'B', 'S', 'C', 'R', 'I', 'B', 'E', ' '          };
-  private static final byte[] UNSUBSCRIBE_COMMAND = {'U', 'N', 'S', 'U', 'B', 'S', 'C', 'R', 'I', 'B', 'E', ' '};
-  private static final byte[] CRLF                = {'\r', '\n'                                                };
-
-  private final OutputStream     outputStream;
-  private final RedisInputStream inputStream;
-  private final Socket           socket;
-  private final AtomicBoolean    closed;
-
-  public PubSubConnection(Socket socket) throws IOException {
-    this.socket       = socket;
-    this.outputStream = socket.getOutputStream();
-    this.inputStream  = new RedisInputStream(new BufferedInputStream(socket.getInputStream()));
-    this.closed       = new AtomicBoolean(false);
-  }
-
-  public void subscribe(String channelName) throws IOException {
-    if (closed.get()) throw new IOException("Connection closed!");
-
-    byte[] command = Util.combine(SUBSCRIBE_COMMAND, channelName.getBytes(), CRLF);
-    outputStream.write(command);
-  }
-
-  public void unsubscribe(String channelName) throws IOException {
-    if (closed.get()) throw new IOException("Connection closed!");
-
-    byte[] command = Util.combine(UNSUBSCRIBE_COMMAND, channelName.getBytes(), CRLF);
-    outputStream.write(command);
-  }
-
-  public PubSubReply read() throws IOException {
-    if (closed.get()) throw new IOException("Connection closed!");
-
-    ArrayReplyHeader replyHeader = new ArrayReplyHeader(inputStream.readLine());
-
-    if (replyHeader.getElementCount() != 3) {
-      throw new IOException("Received array reply header with strange count: " + replyHeader.getElementCount());
-    }
-
-    StringReplyHeader replyTypeHeader = new StringReplyHeader(inputStream.readLine());
-    byte[]            replyType       = inputStream.readFully(replyTypeHeader.getStringLength());
-    inputStream.readLine();
-
-    if      (Arrays.equals(SUBSCRIBE_TYPE, replyType))   return readSubscribeReply();
-    else if (Arrays.equals(UNSUBSCRIBE_TYPE, replyType)) return readUnsubscribeReply();
-    else if (Arrays.equals(MESSAGE_TYPE, replyType))     return readMessageReply();
-    else throw new IOException("Unknown reply type: " + new String(replyType));
-  }
-
-  public void close() {
-    try {
-      this.closed.set(true);
-      this.inputStream.close();
-      this.outputStream.close();
-      this.socket.close();
-    } catch (IOException e) {
-      logger.warn("Exception while closing", e);
-    }
-  }
-
-  private PubSubReply readMessageReply() throws IOException {
-    StringReplyHeader channelNameHeader = new StringReplyHeader(inputStream.readLine());
-    byte[]            channelName       = inputStream.readFully(channelNameHeader.getStringLength());
-    inputStream.readLine();
-
-    StringReplyHeader messageHeader = new StringReplyHeader(inputStream.readLine());
-    byte[]            message       = inputStream.readFully(messageHeader.getStringLength());
-    inputStream.readLine();
-
-    return new PubSubReply(PubSubReply.Type.MESSAGE, new String(channelName), Optional.of(message));
-  }
-
-  private PubSubReply readUnsubscribeReply() throws IOException {
-    String channelName = readSubscriptionReply();
-    return new PubSubReply(PubSubReply.Type.UNSUBSCRIBE, channelName, Optional.empty());
-  }
-
-  private PubSubReply readSubscribeReply() throws IOException {
-    String channelName = readSubscriptionReply();
-    return new PubSubReply(PubSubReply.Type.SUBSCRIBE, channelName, Optional.empty());
-  }
-
-  private String readSubscriptionReply() throws IOException {
-    StringReplyHeader channelNameHeader = new StringReplyHeader(inputStream.readLine());
-    byte[]            channelName       = inputStream.readFully(channelNameHeader.getStringLength());
-    inputStream.readLine();
-
-    new IntReply(inputStream.readLine());
-
-    return new String(channelName);
-  }
-
-}

redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/PubSubReply.java

@@ -1,40 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis;
-
-import java.util.Optional;
-
-@SuppressWarnings("OptionalUsedAsFieldOrParameterType")
-public class PubSubReply {
-
-  public enum Type {
-    MESSAGE,
-    SUBSCRIBE,
-    UNSUBSCRIBE
-  }
-
-  private final Type             type;
-  private final String           channel;
-  private final Optional<byte[]> content;
-
-  public PubSubReply(Type type, String channel, Optional<byte[]> content) {
-    this.type    = type;
-    this.channel = channel;
-    this.content = content;
-  }
-
-  public Type getType() {
-    return type;
-  }
-
-  public String getChannel() {
-    return channel;
-  }
-
-  public Optional<byte[]> getContent() {
-    return content;
-  }
-
-}

redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/protocol/ArrayReplyHeader.java

@@ -1,28 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis.protocol;
-
-import java.io.IOException;
-
-public class ArrayReplyHeader {
-
-  private final int elementCount;
-
-  public ArrayReplyHeader(String header) throws IOException {
-    if (header == null || header.length() < 2 || header.charAt(0) != '*') {
-      throw new IOException("Invalid array reply header: " + header);
-    }
-
-    try {
-      this.elementCount = Integer.parseInt(header.substring(1));
-    } catch (NumberFormatException e) {
-      throw new IOException(e);
-    }
-  }
-
-  public int getElementCount() {
-    return elementCount;
-  }
-}

redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/protocol/IntReply.java

@@ -1,28 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis.protocol;
-
-import java.io.IOException;
-
-public class IntReply {
-
-  private final int value;
-
-  public IntReply(String reply) throws IOException {
-    if (reply == null || reply.length() < 2 || reply.charAt(0) != ':') {
-      throw new IOException("Invalid int reply: " + reply);
-    }
-
-    try {
-      this.value = Integer.parseInt(reply.substring(1));
-    } catch (NumberFormatException e) {
-      throw new IOException(e);
-    }
-  }
-
-  public int getValue() {
-    return value;
-  }
-}

redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/protocol/StringReplyHeader.java

@@ -1,28 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis.protocol;
-
-import java.io.IOException;
-
-public class StringReplyHeader {
-
-  private final int stringLength;
-
-  public StringReplyHeader(String header) throws IOException {
-    if (header == null || header.length() < 2 || header.charAt(0) != '$') {
-      throw new IOException("Invalid string reply header: " + header);
-    }
-
-    try {
-      this.stringLength = Integer.parseInt(header.substring(1));
-    } catch (NumberFormatException e) {
-      throw new IOException(e);
-    }
-  }
-
-  public int getStringLength() {
-    return stringLength;
-  }
-}

redis-dispatch/src/main/java/org/whispersystems/dispatch/util/Util.java

@@ -1,40 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.util;
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-
-public class Util {
-
-  public static byte[] combine(byte[]... elements) {
-    try {
-      int sum = 0;
-
-      for (byte[] element : elements) {
-        sum += element.length;
-      }
-
-      ByteArrayOutputStream baos = new ByteArrayOutputStream(sum);
-
-      for (byte[] element : elements) {
-        baos.write(element);
-      }
-
-      return baos.toByteArray();
-    } catch (IOException e) {
-      throw new AssertionError(e);
-    }
-  }
-
-
-  public static void sleep(long millis) {
-    try {
-      Thread.sleep(millis);
-    } catch (InterruptedException e) {
-      throw new AssertionError(e);
-    }
-  }
-}

redis-dispatch/src/test/java/org/whispersystems/dispatch/DispatchManagerTest.java

@@ -1,123 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch;
-
-import static org.junit.jupiter.api.Assertions.assertArrayEquals;
-import static org.mockito.Mockito.eq;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.timeout;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Optional;
-import org.junit.jupiter.api.AfterEach;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.mockito.ArgumentCaptor;
-import org.mockito.stubbing.Answer;
-import org.whispersystems.dispatch.io.RedisPubSubConnectionFactory;
-import org.whispersystems.dispatch.redis.PubSubConnection;
-import org.whispersystems.dispatch.redis.PubSubReply;
-
-public class DispatchManagerTest {
-
-  private PubSubConnection             pubSubConnection;
-  private RedisPubSubConnectionFactory socketFactory;
-  private DispatchManager              dispatchManager;
-  private PubSubReplyInputStream       pubSubReplyInputStream;
-
-  @BeforeEach
-  void setUp() throws Exception {
-    pubSubConnection       = mock(PubSubConnection.class  );
-    socketFactory          = mock(RedisPubSubConnectionFactory.class);
-    pubSubReplyInputStream = new PubSubReplyInputStream();
-
-    when(socketFactory.connect()).thenReturn(pubSubConnection);
-    when(pubSubConnection.read()).thenAnswer((Answer<PubSubReply>) invocationOnMock -> pubSubReplyInputStream.read());
-
-    dispatchManager = new DispatchManager(socketFactory, Optional.empty());
-    dispatchManager.start();
-  }
-
-  @AfterEach
-  void tearDown() {
-    dispatchManager.shutdown();
-  }
-
-  @Test
-  public void testConnect() {
-    verify(socketFactory).connect();
-  }
-
-  @Test
-  public void testSubscribe() {
-    DispatchChannel dispatchChannel = mock(DispatchChannel.class);
-    dispatchManager.subscribe("foo", dispatchChannel);
-    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.SUBSCRIBE, "foo", Optional.empty()));
-
-    verify(dispatchChannel, timeout(1000)).onDispatchSubscribed(eq("foo"));
-  }
-
-  @Test
-  public void testSubscribeUnsubscribe() {
-    DispatchChannel dispatchChannel = mock(DispatchChannel.class);
-    dispatchManager.subscribe("foo", dispatchChannel);
-    dispatchManager.unsubscribe("foo", dispatchChannel);
-
-    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.SUBSCRIBE, "foo", Optional.empty()));
-    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.UNSUBSCRIBE, "foo", Optional.empty()));
-
-    verify(dispatchChannel, timeout(1000)).onDispatchUnsubscribed(eq("foo"));
-  }
-
-  @Test
-  public void testMessages() {
-    DispatchChannel fooChannel = mock(DispatchChannel.class);
-    DispatchChannel barChannel = mock(DispatchChannel.class);
-
-    dispatchManager.subscribe("foo", fooChannel);
-    dispatchManager.subscribe("bar", barChannel);
-
-    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.SUBSCRIBE, "foo", Optional.empty()));
-    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.SUBSCRIBE, "bar", Optional.empty()));
-
-    verify(fooChannel, timeout(1000)).onDispatchSubscribed(eq("foo"));
-    verify(barChannel, timeout(1000)).onDispatchSubscribed(eq("bar"));
-
-    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.MESSAGE, "foo", Optional.of("hello".getBytes())));
-    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.MESSAGE, "bar", Optional.of("there".getBytes())));
-
-    ArgumentCaptor<byte[]> captor = ArgumentCaptor.forClass(byte[].class);
-    verify(fooChannel, timeout(1000)).onDispatchMessage(eq("foo"), captor.capture());
-
-    assertArrayEquals("hello".getBytes(), captor.getValue());
-
-    verify(barChannel, timeout(1000)).onDispatchMessage(eq("bar"), captor.capture());
-
-    assertArrayEquals("there".getBytes(), captor.getValue());
-  }
-
-  private static class PubSubReplyInputStream {
-
-    private final List<PubSubReply> pubSubReplyList = new LinkedList<>();
-
-    public synchronized PubSubReply read() {
-      try {
-        while (pubSubReplyList.isEmpty()) wait();
-        return pubSubReplyList.remove(0);
-      } catch (InterruptedException e) {
-        throw new AssertionError(e);
-      }
-    }
-
-    public synchronized void write(PubSubReply pubSubReply) {
-      pubSubReplyList.add(pubSubReply);
-      notifyAll();
-    }
-  }
-
-}

redis-dispatch/src/test/java/org/whispersystems/dispatch/redis/PubSubConnectionTest.java

@@ -1,264 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis;
-
-import static org.junit.jupiter.api.Assertions.assertArrayEquals;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.ArgumentMatchers.anyInt;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.net.Socket;
-import java.security.SecureRandom;
-import org.junit.jupiter.api.Test;
-import org.mockito.ArgumentCaptor;
-import org.mockito.invocation.InvocationOnMock;
-import org.mockito.stubbing.Answer;
-
-class PubSubConnectionTest {
-
-  private static final String REPLY = "*3\r\n" +
-      "$9\r\n" +
-      "subscribe\r\n" +
-      "$5\r\n" +
-      "abcde\r\n" +
-      ":1\r\n" +
-      "*3\r\n" +
-      "$9\r\n" +
-      "subscribe\r\n" +
-      "$5\r\n" +
-      "fghij\r\n" +
-      ":2\r\n" +
-      "*3\r\n" +
-      "$9\r\n" +
-      "subscribe\r\n" +
-      "$5\r\n" +
-      "klmno\r\n" +
-      ":2\r\n" +
-      "*3\r\n" +
-      "$7\r\n" +
-      "message\r\n" +
-      "$5\r\n" +
-      "abcde\r\n" +
-      "$10\r\n" +
-      "1234567890\r\n" +
-      "*3\r\n" +
-      "$7\r\n" +
-      "message\r\n" +
-      "$5\r\n" +
-      "klmno\r\n" +
-      "$10\r\n" +
-      "0987654321\r\n";
-
-
-  @Test
-  void testSubscribe() throws IOException {
-    OutputStream outputStream = mock(OutputStream.class);
-    Socket       socket       = mock(Socket.class      );
-    when(socket.getOutputStream()).thenReturn(outputStream);
-    PubSubConnection connection  = new PubSubConnection(socket);
-
-    connection.subscribe("foobar");
-
-    ArgumentCaptor<byte[]> captor = ArgumentCaptor.forClass(byte[].class);
-    verify(outputStream).write(captor.capture());
-
-    assertArrayEquals(captor.getValue(), "SUBSCRIBE foobar\r\n".getBytes());
-  }
-
-  @Test
-  void testUnsubscribe() throws IOException {
-    OutputStream outputStream = mock(OutputStream.class);
-    Socket       socket       = mock(Socket.class      );
-    when(socket.getOutputStream()).thenReturn(outputStream);
-    PubSubConnection connection  = new PubSubConnection(socket);
-
-    connection.unsubscribe("bazbar");
-
-    ArgumentCaptor<byte[]> captor = ArgumentCaptor.forClass(byte[].class);
-    verify(outputStream).write(captor.capture());
-
-    assertArrayEquals(captor.getValue(), "UNSUBSCRIBE bazbar\r\n".getBytes());
-  }
-
-  @Test
-  void testTricklyResponse() throws Exception {
-    InputStream  inputStream  = mockInputStreamFor(new TrickleInputStream(REPLY.getBytes()));
-    OutputStream outputStream = mock(OutputStream.class);
-    Socket       socket       = mock(Socket.class      );
-    when(socket.getOutputStream()).thenReturn(outputStream);
-    when(socket.getInputStream()).thenReturn(inputStream);
-
-    PubSubConnection pubSubConnection = new PubSubConnection(socket);
-    readResponses(pubSubConnection);
-  }
-
-  @Test
-  void testFullResponse() throws Exception {
-    InputStream  inputStream  = mockInputStreamFor(new FullInputStream(REPLY.getBytes()));
-    OutputStream outputStream = mock(OutputStream.class);
-    Socket       socket       = mock(Socket.class      );
-    when(socket.getOutputStream()).thenReturn(outputStream);
-    when(socket.getInputStream()).thenReturn(inputStream);
-
-    PubSubConnection pubSubConnection = new PubSubConnection(socket);
-    readResponses(pubSubConnection);
-  }
-
-  @Test
-  void testRandomLengthResponse() throws Exception {
-    InputStream  inputStream  = mockInputStreamFor(new RandomInputStream(REPLY.getBytes()));
-    OutputStream outputStream = mock(OutputStream.class);
-    Socket       socket       = mock(Socket.class      );
-    when(socket.getOutputStream()).thenReturn(outputStream);
-    when(socket.getInputStream()).thenReturn(inputStream);
-
-    PubSubConnection pubSubConnection = new PubSubConnection(socket);
-    readResponses(pubSubConnection);
-  }
-
-  private InputStream mockInputStreamFor(final MockInputStream stub) throws IOException {
-    InputStream result = mock(InputStream.class);
-
-    when(result.read()).thenAnswer(new Answer<Integer>() {
-      @Override
-      public Integer answer(InvocationOnMock invocationOnMock) throws Throwable {
-        return stub.read();
-      }
-    });
-
-    when(result.read(any(byte[].class))).thenAnswer(new Answer<Integer>() {
-      @Override
-      public Integer answer(InvocationOnMock invocationOnMock) throws Throwable {
-        byte[] buffer = (byte[])invocationOnMock.getArguments()[0];
-        return stub.read(buffer, 0, buffer.length);
-      }
-    });
-
-    when(result.read(any(byte[].class), anyInt(), anyInt())).thenAnswer(new Answer<Integer>() {
-      @Override
-      public Integer answer(InvocationOnMock invocationOnMock) throws Throwable {
-        byte[] buffer = (byte[]) invocationOnMock.getArguments()[0];
-        int offset = (int) invocationOnMock.getArguments()[1];
-        int length = (int) invocationOnMock.getArguments()[2];
-
-        return stub.read(buffer, offset, length);
-      }
-    });
-
-    return result;
-  }
-
-  private void readResponses(PubSubConnection pubSubConnection) throws Exception {
-    PubSubReply reply = pubSubConnection.read();
-
-    assertEquals(reply.getType(), PubSubReply.Type.SUBSCRIBE);
-    assertEquals(reply.getChannel(), "abcde");
-    assertFalse(reply.getContent().isPresent());
-
-    reply = pubSubConnection.read();
-
-    assertEquals(reply.getType(), PubSubReply.Type.SUBSCRIBE);
-    assertEquals(reply.getChannel(), "fghij");
-    assertFalse(reply.getContent().isPresent());
-
-    reply = pubSubConnection.read();
-
-    assertEquals(reply.getType(), PubSubReply.Type.SUBSCRIBE);
-    assertEquals(reply.getChannel(), "klmno");
-    assertFalse(reply.getContent().isPresent());
-
-    reply = pubSubConnection.read();
-
-    assertEquals(reply.getType(), PubSubReply.Type.MESSAGE);
-    assertEquals(reply.getChannel(), "abcde");
-    assertArrayEquals(reply.getContent().get(), "1234567890".getBytes());
-
-    reply = pubSubConnection.read();
-
-    assertEquals(reply.getType(), PubSubReply.Type.MESSAGE);
-    assertEquals(reply.getChannel(), "klmno");
-    assertArrayEquals(reply.getContent().get(), "0987654321".getBytes());
-  }
-
-  private interface MockInputStream {
-    public int read();
-    public int read(byte[] input, int offset, int length);
-  }
-
-  private static class TrickleInputStream implements MockInputStream {
-
-    private final byte[] data;
-    private int index = 0;
-
-    private TrickleInputStream(byte[] data) {
-      this.data = data;
-    }
-
-    public int read() {
-      return data[index++];
-    }
-
-    public int read(byte[] input, int offset, int length) {
-      input[offset] = data[index++];
-      return 1;
-    }
-
-  }
-
-  private static class FullInputStream implements MockInputStream {
-
-    private final byte[] data;
-    private int index = 0;
-
-    private FullInputStream(byte[] data) {
-      this.data = data;
-    }
-
-    public int read() {
-      return data[index++];
-    }
-
-    public int read(byte[] input, int offset, int length) {
-      int amount = Math.min(data.length - index, length);
-      System.arraycopy(data, index, input, offset, amount);
-      index += length;
-
-      return amount;
-    }
-  }
-
-  private static class RandomInputStream implements MockInputStream {
-    private final byte[] data;
-    private int index = 0;
-
-    private RandomInputStream(byte[] data) {
-      this.data = data;
-    }
-
-    public int read() {
-      return data[index++];
-    }
-
-    public int read(byte[] input, int offset, int length) {
-      int maxCopy    = Math.min(data.length - index, length);
-      int randomCopy = new SecureRandom().nextInt(maxCopy) + 1;
-      int copyAmount = Math.min(maxCopy, randomCopy);
-
-      System.arraycopy(data, index, input, offset, copyAmount);
-      index += copyAmount;
-
-      return copyAmount;
-    }
-
-  }
-
-}

redis-dispatch/src/test/java/org/whispersystems/dispatch/redis/protocol/ArrayReplyHeaderTest.java

@@ -1,54 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis.protocol;
-
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-
-import java.io.IOException;
-import org.junit.jupiter.api.Test;
-
-class ArrayReplyHeaderTest {
-
-  @Test
-  void testNull() {
-    assertThrows(IOException.class, () -> new ArrayReplyHeader(null));
-  }
-
-  @Test
-  void testBadPrefix() {
-    assertThrows(IOException.class, () -> new ArrayReplyHeader(":3"));
-  }
-
-  @Test
-  void testEmpty() {
-    assertThrows(IOException.class, () -> new ArrayReplyHeader(""));
-  }
-
-  @Test
-  void testTruncated() {
-    assertThrows(IOException.class, () -> new ArrayReplyHeader("*"));
-  }
-
-  @Test
-  void testBadNumber() {
-    assertThrows(IOException.class, () -> new ArrayReplyHeader("*ABC"));
-  }
-
-  @Test
-  void testValid() throws IOException {
-    assertEquals(4, new ArrayReplyHeader("*4").getElementCount());
-  }
-
-
-
-
-
-
-
-
-
-}

redis-dispatch/src/test/java/org/whispersystems/dispatch/redis/protocol/IntReplyHeaderTest.java

@@ -1,39 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis.protocol;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-
-import java.io.IOException;
-import org.junit.jupiter.api.Test;
-
-class IntReplyHeaderTest {
-
-  @Test
-  void testNull() {
-    assertThrows(IOException.class, () -> new IntReply(null));
-  }
-
-  @Test
-  void testEmpty() {
-    assertThrows(IOException.class, () -> new IntReply(""));
-  }
-
-  @Test
-  void testBadNumber() {
-    assertThrows(IOException.class, () -> new IntReply(":A"));
-  }
-
-  @Test
-  void testBadFormat() {
-    assertThrows(IOException.class, () -> new IntReply("*"));
-  }
-
-  @Test
-  void testValid() throws IOException {
-    assertEquals(23, new IntReply(":23").getValue());
-  }
-}

redis-dispatch/src/test/java/org/whispersystems/dispatch/redis/protocol/StringReplyHeaderTest.java

@@ -1,35 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis.protocol;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-
-import java.io.IOException;
-import org.junit.jupiter.api.Test;
-
-class StringReplyHeaderTest {
-
-  @Test
-  void testNull() {
-    assertThrows(IOException.class, () -> new StringReplyHeader(null));
-  }
-
-  @Test
-  void testBadNumber() {
-    assertThrows(IOException.class, () -> new StringReplyHeader("$100A"));
-  }
-
-  @Test
-  void testBadPrefix() {
-    assertThrows(IOException.class, () -> new StringReplyHeader("*"));
-  }
-
-  @Test
-  void testValid() throws IOException {
-    assertEquals(1000, new StringReplyHeader("$1000").getStringLength());
-  }
-
-}

service/config/sample-secrets-bundle.yml

@@ -0,0 +1,104 @@
+datadog.apiKey: unset
+
+stripe.apiKey: unset
+stripe.idempotencyKeyGenerator: abcdefg12345678= # base64 for creating request idempotency hash
+
+braintree.privateKey: unset
+
+googlePlayBilling.credentialsJson: |
+  { "json": true }
+
+appleAppStore.encodedKey: unset
+
+directoryV2.client.userAuthenticationTokenSharedSecret: abcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with CDS to generate auth tokens for Signal users
+directoryV2.client.userIdTokenSharedSecret: bbcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with CDS to generate auth identity tokens for Signal users
+
+svr2.userAuthenticationTokenSharedSecret: abcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with SVR2 to generate auth tokens for Signal users
+svr2.userIdTokenSharedSecret: bbcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with SVR2 to generate auth identity tokens for Signal users
+
+tus.userAuthenticationTokenSharedSecret: abcdefghijklmnopqrstuvwxyz0123456789ABCDEFG=
+
+gcpAttachments.rsaSigningKey: |
+  -----BEGIN PRIVATE KEY-----
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  AAAAAAAA
+  -----END PRIVATE KEY-----
+
+apn.teamId: team-id
+apn.keyId: key-id
+apn.signingKey: |
+  -----BEGIN PRIVATE KEY-----
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  AAAAAAAA
+  -----END PRIVATE KEY-----
+
+fcm.credentials: |
+  { "json": true }
+
+cdn.accessKey: test    # AWS Access Key ID
+cdn.accessSecret: test # AWS Access Secret
+
+cdn3StorageManager.clientSecret: test
+
+unidentifiedDelivery.privateKey: ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789AAAAAAA
+
+keyTransparencyService.clientPrivateKey: |
+  -----BEGIN PRIVATE KEY-----
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  AAAAAAAA
+  -----END PRIVATE KEY-----
+
+storageService.userAuthenticationTokenSharedSecret: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
+
+zkConfig-libsignal-0.42.serverSecret: ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdef
+
+genericZkConfig.serverSecret: ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzAA==
+callingZkConfig.serverSecret: ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzAA==
+backupsZkConfig.serverSecret: ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzAA==
+
+paymentsService.userAuthenticationTokenSharedSecret: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= # base64-encoded 32-byte secret shared with MobileCoin services used to generate auth tokens for Signal users
+paymentsService.fixerApiKey: unset
+paymentsService.coinGeckoApiKey: unset
+
+currentReportingKey.secret: AAAAAAAAAAA=
+currentReportingKey.salt: AAAAAAAAAAA=
+
+registrationService.collationKeySalt: AAAAAAAAAAA=
+
+turn.cloudflare.apiToken: ABCDEFGHIJKLM
+
+linkDevice.secret: AAAAAAAAAAA=
+
+tlsKeyStore.password: unset
+
+noiseTunnel.tlsKeyStorePassword: ABCDEFGHIJKLMNOPQRSTUVWXYZ
+noiseTunnel.noiseStaticPrivateKey: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
+noiseTunnel.recognizedProxySecret: ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789AAAAAAA

service/config/sample.yml

@@ -3,20 +3,105 @@
 # `unset` values will need to be set to work properly.
 # Most other values are technically valid for a local/demonstration environment, but are probably not production-ready.
 
-adminEventLoggingConfiguration:
-  credentials: |
-    Some credentials text
-    blah blah blah
-  projectId: some-project-id
-  logName: some-log-name
+logging:
+  level: INFO
+  appenders:
+    - type: console
+      threshold: ALL
+      timeZone: UTC
+      target: stdout
+    - type: logstashtcpsocket
+      destination: example.com:10516
+      apiKey: secret://datadog.apiKey
+      environment: staging
+
+metrics:
+  reporters:
+    - type: signal-datadog
+      frequency: 10 seconds
+      tags:
+        - "env:staging"
+        - "service:chat"
+      udpTransport:
+        statsdHost: localhost
+        port: 8125
+      excludesAttributes:
+        - m1_rate
+        - m5_rate
+        - m15_rate
+        - mean_rate
+        - stddev
+      useRegexFilters: true
+      excludes:
+        - ^.+\.total$
+        - ^.+\.request\.filtering$
+        - ^.+\.response\.filtering$
+        - ^executor\..+$
+        - ^lettuce\..+$
+  reportOnStop: true
+
+tlsKeyStore:
+  password: secret://tlsKeyStore.password
 
 stripe:
-  apiKey: unset
-  idempotencyKeyGenerator: abcdefg12345678= # base64 for creating request idempotency hash
+  apiKey: secret://stripe.apiKey
+  idempotencyKeyGenerator: secret://stripe.idempotencyKeyGenerator
   boostDescription: >
     Example
+  supportedCurrenciesByPaymentMethod:
+    CARD:
+      - usd
+      - eur
+    SEPA_DEBIT:
+      - eur
 
-dynamoDbClientConfiguration:
+braintree:
+  merchantId: unset
+  publicKey: unset
+  privateKey: secret://braintree.privateKey
+  environment: unset
+  graphqlUrl: unset
+  merchantAccounts:
+    # ISO 4217 currency code and its corresponding sub-merchant account
+    'xts': unset
+  supportedCurrenciesByPaymentMethod:
+    PAYPAL:
+      - usd
+  pubSubPublisher:
+    project: example-project
+    topic: example-topic
+    credentialConfiguration: |
+      {
+        "credential": "configuration"
+      }
+
+googlePlayBilling:
+  credentialsJson: secret://googlePlayBilling.credentialsJson
+  packageName: package.name
+  applicationName: test
+  productIdToLevel: {}
+
+appleAppStore:
+  env: SANDBOX
+  bundleId: bundle.name
+  appAppleId: 12345
+  issuerId: abcdefg
+  keyId: abcdefg
+  encodedKey: secret://appleAppStore.encodedKey
+  subscriptionGroupId: example_subscriptionGroupId
+  productIdToLevel: {}
+  appleRootCerts: []
+
+appleDeviceCheck:
+  production: false
+  teamId: 0123456789
+  bundleId: bundle.name
+
+deviceCheck:
+  backupRedemptionDuration: P30D
+  backupRedemptionLevel: 201
+
+dynamoDbClient:
   region: us-west-2 # AWS Region
 
 dynamoDbTables:
@@ -25,53 +110,75 @@ dynamoDbTables:
     phoneNumberTableName: Example_Accounts_PhoneNumbers
     phoneNumberIdentifierTableName: Example_Accounts_PhoneNumberIdentifiers
     usernamesTableName: Example_Accounts_Usernames
-    scanPageSize: 100
+    usedLinkDeviceTokensTableName: Example_Accounts_UsedLinkDeviceTokens
+  appleDeviceChecks:
+    tableName: Example_AppleDeviceChecks
+  appleDeviceCheckPublicKeys:
+    tableName: Example_AppleDeviceCheckPublicKeys
+  backups:
+    tableName: Example_Backups
+  clientReleases:
+    tableName: Example_ClientReleases
   deletedAccounts:
     tableName: Example_DeletedAccounts
-    needsReconciliationIndexName: NeedsReconciliation
   deletedAccountsLock:
     tableName: Example_DeletedAccountsLock
   issuedReceipts:
     tableName: Example_IssuedReceipts
     expiration: P30D # Duration of time until rows expire
     generator: abcdefg12345678= # random base64-encoded binary sequence
-  keys:
+    maxIssuedReceiptsPerPaymentId:
+      STRIPE: 1
+      BRAINTREE: 1
+      GOOGLE_PLAY_BILLING: 1
+      APPLE_APP_STORE: 1
+  ecKeys:
     tableName: Example_Keys
+  ecSignedPreKeys:
+    tableName: Example_EC_Signed_Pre_Keys
+  pqKeys:
+    tableName: Example_PQ_Keys
+  pqLastResortKeys:
+    tableName: Example_PQ_Last_Resort_Keys
   messages:
     tableName: Example_Messages
     expiration: P30D # Duration of time until rows expire
-  pendingAccounts:
-    tableName: Example_PendingAccounts
-  pendingDevices:
-    tableName: Example_PendingDevices
+  onetimeDonations:
+    tableName: Example_OnetimeDonations
+    expiration: P90D
   phoneNumberIdentifiers:
     tableName: Example_PhoneNumberIdentifiers
   profiles:
     tableName: Example_Profiles
   pushChallenge:
     tableName: Example_PushChallenge
+  pushNotificationExperimentSamples:
+    tableName: Example_PushNotificationExperimentSamples
   redeemedReceipts:
     tableName: Example_RedeemedReceipts
     expiration: P30D # Duration of time until rows expire
+  registrationRecovery:
+    tableName: Example_RegistrationRecovery
+    expiration: P300D # Duration of time until rows expire
   remoteConfig:
     tableName: Example_RemoteConfig
   reportMessage:
     tableName: Example_ReportMessage
-  reservedUsernames:
-    tableName: Example_ReservedUsernames
+  scheduledJobs:
+    tableName: Example_ScheduledJobs
+    expiration: P7D
   subscriptions:
     tableName: Example_Subscriptions
+  clientPublicKeys:
+    tableName: Example_ClientPublicKeys
+  verificationSessions:
+    tableName: Example_VerificationSessions
 
 cacheCluster: # Redis server configuration for cache cluster
   configurationUri: redis://redis.example.com:6379/
 
-clientPresenceCluster: # Redis server configuration for client presence cluster
-  configurationUri: redis://redis.example.com:6379/
-
 pubsub: # Redis server configuration for pubsub cluster
-  url: redis://redis.example.com:6379/
-  replicaUrls:
-    - redis://redis.example.com:6379/
+  uri: redis://redis.example.com:6379/
 
 pushSchedulerCluster: # Redis server configuration for push scheduler cluster
   configurationUri: redis://redis.example.com:6379/
@@ -79,145 +186,95 @@ pushSchedulerCluster: # Redis server configuration for push scheduler cluster
 rateLimitersCluster: # Redis server configuration for rate limiters cluster
   configurationUri: redis://redis.example.com:6379/
 
-directory:
-  client: # Configuration for interfacing with Contact Discovery Service cluster
-    userAuthenticationTokenSharedSecret: 00000f # hex-encoded secret shared with CDS used to generate auth tokens for Signal users
-    userAuthenticationTokenUserIdSecret: 00000f # hex-encoded secret shared among Signal-Servers to obscure user phone numbers from CDS
-  sqs:
-    accessKey: test     # AWS SQS accessKey
-    accessSecret: test  # AWS SQS accessSecret
-    queueUrls: # AWS SQS queue urls
-      - https://sqs.example.com/directory.fifo
-  server: # One or more CDS servers
-    - replicationName: example           # CDS replication name
-      replicationUrl: cds.example.com    # CDS replication endpoint base url
-      replicationPassword: example       # CDS replication endpoint password
-      replicationCaCertificates:         # CDS replication endpoint TLS certificate trust root
-        - |
-          -----BEGIN CERTIFICATE-----
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          AAAAAAAAAAAAAAAAAAAA
-          -----END CERTIFICATE-----
-
 directoryV2:
   client: # Configuration for interfacing with Contact Discovery Service v2 cluster
-    userAuthenticationTokenSharedSecret: abcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with CDS to generate auth tokens for Signal users
-    userIdTokenSharedSecret: bbcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with CDS to generate auth identity tokens for Signal users
+    userAuthenticationTokenSharedSecret: secret://directoryV2.client.userAuthenticationTokenSharedSecret
+    userIdTokenSharedSecret: secret://directoryV2.client.userIdTokenSharedSecret
+
+svr2:
+  uri: svr2.example.com
+  userAuthenticationTokenSharedSecret: secret://svr2.userAuthenticationTokenSharedSecret
+  userIdTokenSharedSecret: secret://svr2.userIdTokenSharedSecret
+  svrCaCertificates:
+    - |
+      -----BEGIN CERTIFICATE-----
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      AAAAAAAAAAAAAAAAAAAA
+      -----END CERTIFICATE-----
 
 messageCache: # Redis server configuration for message store cache
   persistDelayMinutes: 1
   cluster:
     configurationUri: redis://redis.example.com:6379/
 
-metricsCluster:
-  configurationUri: redis://redis.example.com:6379/
-
-awsAttachments: # AWS S3 configuration
-  accessKey: test
-  accessSecret: test
-  bucket: aws-attachments
-  region: us-west-2
-
 gcpAttachments: # GCP Storage configuration
   domain: example.com
   email: user@example.cocm
   maxSizeInBytes: 1024
   pathPrefix:
-  rsaSigningKey: |
-    -----BEGIN PRIVATE KEY-----
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    AAAAAAAA
-    -----END PRIVATE KEY-----
+  rsaSigningKey: secret://gcpAttachments.rsaSigningKey
 
-accountDatabaseCrawler:
-  chunkSize: 10           # accounts per run
-  chunkIntervalMs: 60000  # time per run
+tus:
+  uploadUri: https://example.org/upload
+  userAuthenticationTokenSharedSecret: secret://tus.userAuthenticationTokenSharedSecret
 
 apn: # Apple Push Notifications configuration
   sandbox: true
   bundleId: com.example.textsecuregcm
-  keyId: unset
-  teamId: unset
-  signingKey: |
-    -----BEGIN PRIVATE KEY-----
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    AAAAAAAA
-    -----END PRIVATE KEY-----
+  keyId: secret://apn.keyId
+  teamId: secret://apn.teamId
+  signingKey: secret://apn.signingKey
 
 fcm: # FCM configuration
-  credentials: |
-    { "json": true }
+  credentials: secret://fcm.credentials
 
 cdn:
-  accessKey: test    # AWS Access Key ID
-  accessSecret: test # AWS Access Secret
   bucket: cdn        # S3 Bucket name
+  credentials:
+    accessKeyId: secret://cdn.accessKey
+    secretAccessKey: secret://cdn.accessSecret
   region: us-west-2  # AWS region
 
-datadog:
-  apiKey: unset
+cdn3StorageManager:
+  baseUri: https://storage-manager.example.com
+  clientId: example
+  clientSecret: secret://cdn3StorageManager.clientSecret
+  sourceSchemes:
+    2: gcs
+    3: r2
+
+dogstatsd:
   environment: dev
+  host: 127.0.0.1
 
 unidentifiedDelivery:
-  certificate: ABCD1234
-  privateKey: ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789AAAAAAA
+  certificate: CgIIAQ==
+  privateKey: secret://unidentifiedDelivery.privateKey
   expiresDays: 7
 
-voiceVerification:
-  url: https://cdn-ca.signal.org/verification/
-  locales:
-    - en
-
-recaptcha:
-  projectPath: projects/example
-  credentialConfigurationJson: "{ }" # service account configuration for backend authentication
+shortCode:
+  baseUrl: https://example.com/shortcodes/
 
 storageService:
   uri: storage.example.com
-  userAuthenticationTokenSharedSecret: 00000f
+  userAuthenticationTokenSharedSecret: secret://storageService.userAuthenticationTokenSharedSecret
   storageCaCertificates:
     - |
       -----BEGIN CERTIFICATE-----
@@ -242,57 +299,37 @@ storageService:
       AAAAAAAAAAAAAAAAAAAA
       -----END CERTIFICATE-----
 
-backupService:
-  uri: backup.example.com
-  userAuthenticationTokenSharedSecret: 00000f
-  backupCaCertificates:
-    - |
-      -----BEGIN CERTIFICATE-----
-      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-      AAAAAAAAAAAAAAAAAAAA
-      -----END CERTIFICATE-----
-
 zkConfig:
-  serverPublic: ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-  serverSecret: ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzAA==
+  serverPublic: ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzAB==
+  serverSecret: secret://zkConfig-libsignal-0.42.serverSecret
 
-appConfig:
-  application: example
-  environment: example
-  configuration: example
+callingZkConfig:
+  serverSecret: secret://callingZkConfig.serverSecret
+
+backupsZkConfig:
+  serverSecret: secret://backupsZkConfig.serverSecret
+
+dynamicConfig:
+  s3Region: a-region
+  s3Bucket: a-bucket
+  objectKey: dynamic-config.yaml
+  maxSize: 100000
+  refreshInterval: PT10S
 
 remoteConfig:
-  authorizedTokens:
-    - # 1st authorized token
-    - # 2nd authorized token
-    - # ...
-    - # Nth authorized token
   globalConfig: # keys and values that are given to clients on GET /v1/config
     EXAMPLE_KEY: VALUE
 
 paymentsService:
-  userAuthenticationTokenSharedSecret: 0000000f0000000f0000000f0000000f0000000f0000000f0000000f0000000f # hex-encoded 32-byte secret shared with MobileCoin services used to generate auth tokens for Signal users
-  fixerApiKey: unset
+  userAuthenticationTokenSharedSecret: secret://paymentsService.userAuthenticationTokenSharedSecret
   paymentCurrencies:
     # list of symbols for supported currencies
     - MOB
+  externalClients:
+    fixerApiKey: secret://paymentsService.fixerApiKey
+    coinGeckoApiKey: secret://paymentsService.coinGeckoApiKey
+    coinGeckoCurrencyIds:
+      MOB: mobilecoin
 
 badges:
   badges:
@@ -315,7 +352,11 @@ badges:
     '1': TEST
 
 subscription: # configuration for Stripe subscriptions
+  badgeExpiration: P30D
   badgeGracePeriod: P15D
+  backupExpiration: P30D
+  backupGracePeriod: P15D
+  backupFreeTierMediaDuration: P30D
   levels:
     500:
       badge: EXAMPLE
@@ -323,33 +364,42 @@ subscription: # configuration for Stripe subscriptions
         # list of ISO 4217 currency codes and amounts for the given badge level
         xts:
           amount: '10'
-          id: price_example # stripe ID
+          processorIds:
+            STRIPE: price_example   # stripe Price ID
+            BRAINTREE: plan_example # braintree Plan ID
 
-boost:
-  level: 1
-  expiration: P90D
-  badge: EXAMPLE
+oneTimeDonations:
+  sepaMaximumEuros: '10000'
+  boost:
+    level: 1
+    expiration: P90D
+    badge: EXAMPLE
+  gift:
+    level: 10
+    expiration: P90D
+    badge: EXAMPLE
   currencies:
     # ISO 4217 currency codes and amounts in those currencies
     xts:
-      - '1'
-      - '2'
-      - '4'
-      - '8'
-      - '20'
-      - '40'
-
-gift:
-  level: 10
-  expiration: P90D
-  badge: EXAMPLE
-  currencies:
-    # ISO 4217 currency codes and amounts in those currencies
-    xts: '2'
+      minimum: '0.5'
+      gift: '2'
+      boosts:
+        - '1'
+        - '2'
+        - '4'
+        - '8'
+        - '20'
+        - '40'
 
 registrationService:
   host: registration.example.com
-  apiKey: EXAMPLE
+  port: 443
+  credentialConfigurationJson: |
+    {
+      "example": "example"
+    }
+  identityTokenAudience: https://registration.example.com
+  collationKeySalt: secret://registrationService.collationKeySalt
   registrationCaCertificate: | # Registration service TLS certificate trust root
     -----BEGIN CERTIFICATE-----
     ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
@@ -372,3 +422,90 @@ registrationService:
     ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
     AAAAAAAAAAAAAAAAAAAA
     -----END CERTIFICATE-----
+
+keyTransparencyService:
+  host: kt.example.com
+  port: 443
+  tlsCertificate: |
+    -----BEGIN CERTIFICATE-----
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    AAAAAAAAAAAAAAAAAAAA
+    -----END CERTIFICATE-----
+  clientCertificate: |
+    -----BEGIN CERTIFICATE-----
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    AAAAAAAAAAAAAAAAAAAA
+    -----END CERTIFICATE-----
+  clientPrivateKey: secret://keyTransparencyService.clientPrivateKey
+
+turn:
+  cloudflare:
+    apiToken: secret://turn.cloudflare.apiToken
+    endpoint: https://rtc.live.cloudflare.com/v1/turn/keys/LMNOP/credentials/generate
+    urls:
+      - turn:turn.example.com:80
+    urlsWithIps:
+      - turn:%s
+      - turn:%s:80?transport=tcp
+      - turns:%s:443?transport=tcp
+    requestedCredentialTtl: PT24H
+    clientCredentialTtl: PT12H
+    hostname: turn.cloudflare.example.com
+    numHttpClients: 1
+
+linkDevice:
+  secret: secret://linkDevice.secret
+
+noiseTunnel:
+  webSocketPort: 8444
+  directPort: 8445
+  tlsKeyStoreFile: /path/to/file.p12
+  tlsKeyStoreEntryAlias: example.com
+  tlsKeyStorePassword: secret://noiseTunnel.tlsKeyStorePassword
+  noiseStaticPrivateKey: secret://noiseTunnel.noiseStaticPrivateKey
+  recognizedProxySecret: secret://noiseTunnel.recognizedProxySecret
+
+externalRequestFilter:
+  grpcMethods:
+    - com.example.grpc.ExampleService/exampleMethod
+  paths:
+    - /example
+  permittedInternalRanges:
+    - 127.0.0.0/8
+
+idlePrimaryDeviceReminder:
+  minIdleDuration: P30D

service/pom.xml

@@ -10,7 +10,48 @@
   <modelVersion>4.0.0</modelVersion>
   <artifactId>service</artifactId>
 
+  <properties>
+    <firebase-admin.version>9.4.3</firebase-admin.version>
+    <java-uuid-generator.version>5.1.0</java-uuid-generator.version>
+    <google-androidpublisher.version>v3-rev20250318-2.0.0</google-androidpublisher.version>
+    <storekit.version>3.4.0</storekit.version>
+    <webauthn4j.version>0.28.6.RELEASE</webauthn4j.version>
+    <java-jwt.version>4.5.0</java-jwt.version>
+  </properties>
+
   <dependencies>
+    <dependency>
+      <groupId>com.auth0</groupId>
+      <artifactId>java-jwt</artifactId>
+      <version>${java-jwt.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>com.google.apis</groupId>
+      <artifactId>google-api-services-androidpublisher</artifactId>
+      <version>${google-androidpublisher.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>com.apple.itunes.storekit</groupId>
+      <artifactId>app-store-server-library</artifactId>
+      <version>${storekit.version}</version>
+      <exclusions>
+        <!-- conflicts with okio-jvm from apollo-api-jvm -->
+        <exclusion>
+          <groupId>com.squareup.okio</groupId>
+          <artifactId>okio-jvm</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+    <dependency>
+      <groupId>com.webauthn4j</groupId>
+      <artifactId>webauthn4j-appattest</artifactId>
+      <version>${webauthn4j.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>io.swagger.core.v3</groupId>
+      <artifactId>swagger-jaxrs2-jakarta</artifactId>
+      <version>${swagger.version}</version>
+    </dependency>
     <dependency>
       <groupId>jakarta.servlet</groupId>
       <artifactId>jakarta.servlet-api</artifactId>
@@ -24,16 +65,6 @@
       <artifactId>jakarta.ws.rs-api</artifactId>
     </dependency>
 
-    <dependency>
-      <groupId>org.whispersystems.textsecure</groupId>
-      <artifactId>event-logger</artifactId>
-      <version>${project.version}</version>
-    </dependency>
-    <dependency>
-      <groupId>org.whispersystems.textsecure</groupId>
-      <artifactId>redis-dispatch</artifactId>
-      <version>${project.version}</version>
-    </dependency>
     <dependency>
       <groupId>org.whispersystems.textsecure</groupId>
       <artifactId>websocket-resources</artifactId>
@@ -44,6 +75,16 @@
       <artifactId>libsignal-server</artifactId>
     </dependency>
 
+    <dependency>
+      <groupId>org.signal.forks</groupId>
+      <artifactId>noise-java</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.signal</groupId>
+      <artifactId>simple-grpc-runtime</artifactId>
+    </dependency>
+
     <dependency>
       <groupId>io.dropwizard</groupId>
       <artifactId>dropwizard-core</artifactId>
@@ -58,7 +99,7 @@
     </dependency>
     <dependency>
       <groupId>io.dropwizard</groupId>
-      <artifactId>dropwizard-db</artifactId>
+      <artifactId>dropwizard-http2</artifactId>
     </dependency>
     <dependency>
       <groupId>io.dropwizard</groupId>
@@ -107,8 +148,8 @@
       <artifactId>logback-core</artifactId>
     </dependency>
     <dependency>
-      <groupId>ch.qos.logback</groupId>
-      <artifactId>logback-access</artifactId>
+      <groupId>ch.qos.logback.access</groupId>
+      <artifactId>logback-access-common</artifactId>
     </dependency>
     <dependency>
       <groupId>ch.qos.logback</groupId>
@@ -143,76 +184,92 @@
       <groupId>org.glassfish.jersey.core</groupId>
       <artifactId>jersey-client</artifactId>
     </dependency>
-    <dependency>
-      <groupId>org.glassfish.jaxb</groupId>
-      <artifactId>jaxb-runtime</artifactId>
-    </dependency>
 
     <dependency>
       <groupId>io.dropwizard</groupId>
       <artifactId>dropwizard-testing</artifactId>
       <scope>test</scope>
-      <exclusions>
-        <exclusion>
-          <groupId>junit</groupId>
-          <artifactId>junit</artifactId>
-        </exclusion>
-      </exclusions>
+    </dependency>
+
+    <dependency>
+      <groupId>party.iroiro.luajava</groupId>
+      <artifactId>luajava</artifactId>
+      <version>${luajava.version}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>party.iroiro.luajava</groupId>
+      <artifactId>lua51</artifactId>
+      <version>${luajava.version}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>party.iroiro.luajava</groupId>
+      <artifactId>lua51-platform</artifactId>
+      <version>${luajava.version}</version>
+      <classifier>natives-desktop</classifier>
+      <scope>runtime</scope>
     </dependency>
 
     <dependency>
       <groupId>org.eclipse.jetty.websocket</groupId>
-      <artifactId>websocket-api</artifactId>
+      <artifactId>websocket-jetty-api</artifactId>
     </dependency>
     <dependency>
       <groupId>org.eclipse.jetty</groupId>
       <artifactId>jetty-servlets</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.eclipse.jetty.websocket</groupId>
+      <artifactId>websocket-jetty-client</artifactId>
+      <scope>test</scope>
+    </dependency>
 
     <dependency>
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-lang3</artifactId>
     </dependency>
-    <dependency>
-      <groupId>commons-codec</groupId>
-      <artifactId>commons-codec</artifactId>
-    </dependency>
     <dependency>
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-csv</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-compress</artifactId>
+      <version>1.27.1</version>
+    </dependency>
 
+    <dependency>
+      <groupId>com.google.cloud</groupId>
+      <artifactId>google-cloud-pubsub</artifactId>
+    </dependency>
+
+    <!-- resolve opentelemetry-semconv conflicts from lower in firebase-admin and firestore dependency trees -->
     <dependency>
       <groupId>com.google.firebase</groupId>
       <artifactId>firebase-admin</artifactId>
-      <version>9.0.0</version>
-
-      <!-- firebase-admin has conflicting versions of these artifacts in its dependency tree; for firebase-admin
-      9.0.0, we'll need to depend directly on com.google.api-client:google-api-client:1.35.1 and
-      com.google.oauth-client:google-oauth-client:1.34.1 -->
+      <version>${firebase-admin.version}</version>
       <exclusions>
         <exclusion>
-          <groupId>com.google.api-client</groupId>
-          <artifactId>google-api-client</artifactId>
-        </exclusion>
-
-        <exclusion>
-          <groupId>com.google.oauth-client</groupId>
-          <artifactId>google-oauth-client</artifactId>
+          <groupId>io.opentelemetry.semconv</groupId>
+          <artifactId>opentelemetry-semconv</artifactId>
         </exclusion>
       </exclusions>
     </dependency>
-
     <dependency>
-      <groupId>com.google.api-client</groupId>
-      <artifactId>google-api-client</artifactId>
-      <version>1.35.1</version>
+      <groupId>io.opentelemetry.semconv</groupId>
+      <artifactId>opentelemetry-semconv</artifactId>
+      <version>1.30.0</version>
     </dependency>
-
     <dependency>
-      <groupId>com.google.oauth-client</groupId>
-      <artifactId>google-oauth-client</artifactId>
-      <version>1.34.1</version>
+      <groupId>com.google.cloud</groupId>
+      <artifactId>google-cloud-firestore</artifactId>
+      <exclusions>
+        <exclusion>
+          <groupId>io.opentelemetry.semconv</groupId>
+          <artifactId>opentelemetry-semconv</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
@@ -235,8 +292,7 @@
 
     <dependency>
       <groupId>io.grpc</groupId>
-      <artifactId>grpc-netty-shaded</artifactId>
-      <scope>runtime</scope>
+      <artifactId>grpc-netty</artifactId>
     </dependency>
     <dependency>
       <groupId>io.grpc</groupId>
@@ -259,7 +315,7 @@
     </dependency>
     <dependency>
       <groupId>io.micrometer</groupId>
-      <artifactId>micrometer-registry-datadog</artifactId>
+      <artifactId>micrometer-registry-statsd</artifactId>
     </dependency>
     <dependency>
       <groupId>org.coursera</groupId>
@@ -290,6 +346,19 @@
       <artifactId>jackson-jaxrs-json-provider</artifactId>
     </dependency>
 
+    <dependency>
+      <groupId>com.salesforce.servicelibs</groupId>
+      <artifactId>reactor-grpc-stub</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>software.amazon.awssdk</groupId>
+      <artifactId>apache-client</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>software.amazon.awssdk</groupId>
+      <artifactId>netty-nio-client</artifactId>
+    </dependency>
     <dependency>
       <groupId>software.amazon.awssdk</groupId>
       <artifactId>sts</artifactId>
@@ -298,41 +367,14 @@
       <groupId>software.amazon.awssdk</groupId>
       <artifactId>s3</artifactId>
     </dependency>
-    <dependency>
-      <groupId>software.amazon.awssdk</groupId>
-      <artifactId>sqs</artifactId>
-    </dependency>
     <dependency>
       <groupId>software.amazon.awssdk</groupId>
       <artifactId>dynamodb</artifactId>
     </dependency>
-    <dependency>
-      <groupId>software.amazon.awssdk</groupId>
-      <artifactId>appconfig</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>software.amazon.awssdk</groupId>
-      <artifactId>appconfigdata</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>com.amazonaws</groupId>
-      <artifactId>aws-java-sdk-core</artifactId>
-    </dependency>
     <dependency>
       <groupId>com.amazonaws</groupId>
       <artifactId>dynamodb-lock-client</artifactId>
-      <version>1.1.0</version>
-      <exclusions>
-        <exclusion>
-          <groupId>commons-logging</groupId>
-          <artifactId>commons-logging</artifactId>
-        </exclusion>
-      </exclusions>
-    </dependency>
-
-    <dependency>
-      <groupId>redis.clients</groupId>
-      <artifactId>jedis</artifactId>
+      <version>1.3.0</version>
     </dependency>
 
     <dependency>
@@ -369,11 +411,24 @@
       <artifactId>libphonenumber</artifactId>
     </dependency>
 
+    <!-- Provides tools for mapping phone numbers to time zones, which is helpful for scheduling push notifications
+    during waking hours -->
+    <dependency>
+      <groupId>com.googlecode.libphonenumber</groupId>
+      <artifactId>geocoder</artifactId>
+      <version>3.2</version>
+    </dependency>
+
     <dependency>
       <groupId>net.sourceforge.argparse4j</groupId>
       <artifactId>argparse4j</artifactId>
     </dependency>
 
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-codec-haproxy</artifactId>
+    </dependency>
+
     <dependency>
       <groupId>org.glassfish.jersey.test-framework</groupId>
       <artifactId>jersey-test-framework-core</artifactId>
@@ -389,23 +444,6 @@
       <groupId>org.glassfish.jersey.test-framework.providers</groupId>
       <artifactId>jersey-test-framework-provider-grizzly2</artifactId>
       <scope>test</scope>
-      <exclusions>
-        <exclusion>
-          <groupId>javax.servlet</groupId>
-          <artifactId>javax.servlet-api</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>junit</groupId>
-          <artifactId>junit</artifactId>
-        </exclusion>
-      </exclusions>
-    </dependency>
-
-    <dependency>
-      <groupId>com.almworks.sqlite4java</groupId>
-      <artifactId>sqlite4java</artifactId>
-      <version>1.0.392</version>
-      <scope>test</scope>
     </dependency>
 
     <dependency>
@@ -413,8 +451,8 @@
       <artifactId>reactor-core</artifactId>
     </dependency>
     <dependency>
-      <groupId>io.vavr</groupId>
-      <artifactId>vavr</artifactId>
+      <groupId>io.projectreactor</groupId>
+      <artifactId>reactor-core-micrometer</artifactId>
     </dependency>
 
     <dependency>
@@ -437,37 +475,54 @@
     <dependency>
       <groupId>com.fasterxml.uuid</groupId>
       <artifactId>java-uuid-generator</artifactId>
-      <version>4.0.1</version>
+      <version>${java-uuid-generator.version}</version>
       <scope>test</scope>
     </dependency>
 
     <dependency>
       <groupId>com.amazonaws</groupId>
       <artifactId>DynamoDBLocal</artifactId>
-      <version>1.19.0</version>
       <scope>test</scope>
     </dependency>
 
     <dependency>
-      <groupId>com.google.cloud</groupId>
-      <artifactId>google-cloud-recaptchaenterprise</artifactId>
+      <groupId>com.google.auth</groupId>
+      <artifactId>google-auth-library-oauth2-http</artifactId>
     </dependency>
 
     <dependency>
       <groupId>com.stripe</groupId>
       <artifactId>stripe-java</artifactId>
     </dependency>
+
+    <dependency>
+      <groupId>com.braintreepayments.gateway</groupId>
+      <artifactId>braintree-java</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>com.apollographql.apollo3</groupId>
+      <artifactId>apollo-api-jvm</artifactId>
+      <version>3.8.5</version>
+
+      <exclusions>
+        <exclusion>
+          <groupId>org.jetbrains</groupId>
+          <artifactId>annotations</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+
   </dependencies>
 
   <profiles>
     <profile>
-      <id>exclude-abusive-message-filter</id>
+      <id>exclude-spam-filter</id>
       <build>
         <plugins>
           <plugin>
             <groupId>org.apache.maven.plugins</groupId>
             <artifactId>maven-shade-plugin</artifactId>
-            <version>3.2.4</version>
             <configuration>
               <createDependencyReducedPom>true</createDependencyReducedPom>
               <filters>
@@ -502,7 +557,6 @@
           <plugin>
             <groupId>org.apache.maven.plugins</groupId>
             <artifactId>maven-assembly-plugin</artifactId>
-            <version>3.3.0</version>
             <configuration>
               <descriptors>
                 <descriptor>assembly.xml</descriptor>
@@ -522,7 +576,6 @@
           <plugin>
             <groupId>org.codehaus.mojo</groupId>
             <artifactId>properties-maven-plugin</artifactId>
-            <version>1.0.0</version>
             <executions>
               <execution>
                 <id>read-deploy-configuration</id>
@@ -538,24 +591,98 @@
           </plugin>
 
           <plugin>
-            <groupId>org.signal</groupId>
-            <artifactId>s3-upload-maven-plugin</artifactId>
-            <version>1.6-SNAPSHOT</version>
-            <configuration>
-              <source>${project.build.directory}/${project.build.finalName}-bin.tar.gz</source>
-              <bucketName>${deploy.bucketName}</bucketName>
-              <region>${deploy.bucketRegion}</region>
-              <destination>${project.build.finalName}-bin.tar.gz</destination>
-            </configuration>
+            <groupId>com.google.cloud.tools</groupId>
+            <artifactId>jib-maven-plugin</artifactId>
             <executions>
               <execution>
-                <id>deploy-to-s3</id>
                 <phase>deploy</phase>
                 <goals>
-                  <goal>s3-upload</goal>
+                  <goal>build</goal>
                 </goals>
               </execution>
             </executions>
+            <configuration>
+              <from>
+                <image>eclipse-temurin@sha256:${docker.image.sha256}</image>
+                <platforms>
+                  <platform>
+                    <architecture>amd64</architecture>
+                    <os>linux</os>
+                  </platform>
+                  <platform>
+                    <architecture>arm64</architecture>
+                    <os>linux</os>
+                  </platform>
+                </platforms>
+              </from>
+              <to>
+                <image>${docker.repo}:${project.version}</image>
+              </to>
+              <container>
+                <mainClass>org.whispersystems.textsecuregcm.WhisperServerService</mainClass>
+                <jvmFlags>
+                  <jvmFlag>-server</jvmFlag>
+                  <jvmFlag>-Djava.awt.headless=true</jvmFlag>
+                  <jvmFlag>-Djdk.nio.maxCachedBufferSize=262144</jvmFlag>
+                  <jvmFlag>-Dlog4j2.formatMsgNoLookups=true</jvmFlag>
+                  <jvmFlag>-XX:MaxRAMPercentage=75</jvmFlag>
+                  <jvmFlag>-XX:+HeapDumpOnOutOfMemoryError</jvmFlag>
+                  <jvmFlag>-XX:HeapDumpPath=/tmp/heapdump.bin</jvmFlag>
+                </jvmFlags>
+                <ports>
+                  <port>8080</port>
+                </ports>
+                <creationTime>USE_CURRENT_TIMESTAMP</creationTime>
+              </container>
+              <extraDirectories>
+                <paths>
+                  <path>
+                    <from>${project.basedir}/config</from>
+                    <includes>*.yml</includes>
+                    <into>/usr/share/signal/</into>
+                  </path>
+                </paths>
+              </extraDirectories>
+            </configuration>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
+    <profile>
+      <id>include-spam-filter</id>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>com.google.cloud.tools</groupId>
+            <artifactId>jib-maven-plugin</artifactId>
+            <configuration>
+              <!-- we don't want jib to execute on this module -->
+              <skip>true</skip>
+            </configuration>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
+    <profile>
+      <id>test-server</id>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.codehaus.mojo</groupId>
+            <artifactId>exec-maven-plugin</artifactId>
+            <executions>
+              <execution>
+                <id>start-test-server</id>
+                <phase>integration-test</phase>
+                <goals>
+                  <goal>java</goal>
+                </goals>
+                <configuration>
+                  <mainClass>org.whispersystems.textsecuregcm.LocalWhisperServerService</mainClass>
+                  <classpathScope>test</classpathScope>
+                </configuration>
+              </execution>
+            </executions>
           </plugin>
         </plugins>
       </build>
@@ -568,7 +695,7 @@
       <plugin>
         <groupId>org.codehaus.mojo</groupId>
         <artifactId>templating-maven-plugin</artifactId>
-        <version>1.0.0</version>
+        <version>3.0.0</version>
         <executions>
           <execution>
             <id>filter-src</id>
@@ -579,6 +706,15 @@
         </executions>
       </plugin>
 
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <configuration>
+          <!-- add-opens: work around PATCH not being a supported method on HttpUrlConnection -->
+          <argLine>-javaagent:${org.mockito:mockito-core:jar} --add-opens=java.base/java.net=ALL-UNNAMED</argLine>
+        </configuration>
+      </plugin>
+
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-jar-plugin</artifactId>
@@ -594,7 +730,6 @@
       <plugin>
         <groupId>org.codehaus.mojo</groupId>
         <artifactId>exec-maven-plugin</artifactId>
-        <version>3.0.0</version>
         <executions>
           <execution>
             <id>check-all-service-config</id>
@@ -602,15 +737,40 @@
             <goals>
               <goal>java</goal>
             </goals>
+            <configuration>
+              <mainClass>org.whispersystems.textsecuregcm.CheckServiceConfigurations</mainClass>
+              <classpathScope>test</classpathScope>
+              <arguments>
+                <argument>${project.basedir}/config</argument>
+              </arguments>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+
+      <plugin>
+        <groupId>com.github.aoudiamoncef</groupId>
+        <artifactId>apollo-client-maven-plugin</artifactId>
+        <version>5.0.0</version>
+        <executions>
+          <execution>
+            <goals>
+              <goal>generate</goal>
+            </goals>
+            <configuration>
+              <services>
+                <braintree>
+                  <compilationUnit>
+                    <name>braintree</name>
+                    <compilerParams>
+                      <schemaPackageName>com.braintree.graphql.client</schemaPackageName>
+                    </compilerParams>
+                  </compilationUnit>
+                </braintree>
+              </services>
+            </configuration>
           </execution>
         </executions>
-        <configuration>
-          <mainClass>org.whispersystems.textsecuregcm.CheckServiceConfigurations</mainClass>
-          <classpathScope>test</classpathScope>
-          <arguments>
-            <argument>${project.basedir}/config</argument>
-          </arguments>
-        </configuration>
       </plugin>
     </plugins>
   </build>

service/src/main/graphql/braintree/ChargePayPalOneTimePayment.graphql

@@ -0,0 +1,9 @@
+# https://graphql.braintreepayments.com/reference/#Mutation--chargePaymentMethod
+mutation ChargePayPalOneTimePayment($input: ChargePaymentMethodInput!) {
+  chargePaymentMethod(input: $input) {
+    transaction {
+      id,
+      status
+    }
+  }
+}

service/src/main/graphql/braintree/CreatePayPalBillingAgreement.graphql

@@ -0,0 +1,6 @@
+mutation CreatePayPalBillingAgreement($input: CreatePayPalBillingAgreementInput!) {
+  createPayPalBillingAgreement(input: $input) {
+    approvalUrl,
+    billingAgreementToken
+  }
+}

service/src/main/graphql/braintree/CreatePayPalOneTimePayment.graphql

@@ -0,0 +1,7 @@
+# https://graphql.braintreepayments.com/reference/#Mutation--createPayPalOneTimePayment
+mutation CreatePayPalOneTimePayment($input: CreatePayPalOneTimePaymentInput!) {
+  createPayPalOneTimePayment(input: $input) {
+    approvalUrl,
+    paymentId
+  }
+}

service/src/main/graphql/braintree/TokenizePayPalBillingAgreement.graphql

@@ -0,0 +1,7 @@
+mutation TokenizePayPalBillingAgreement($input: TokenizePayPalBillingAgreementInput!) {
+  tokenizePayPalBillingAgreement(input: $input) {
+    paymentMethod {
+      id
+    }
+  }
+}

service/src/main/graphql/braintree/TokenizePayPalOneTimePayment.graphql

@@ -0,0 +1,8 @@
+# https://graphql.braintreepayments.com/reference/#Mutation--tokenizePayPalOneTimePayment
+mutation TokenizePayPalOneTimePayment($input: TokenizePayPalOneTimePaymentInput!) {
+  tokenizePayPalOneTimePayment(input: $input) {
+    paymentMethod {
+      id
+    }
+  }
+}

service/src/main/graphql/braintree/VaultPaymentMethod.graphql

@@ -0,0 +1,7 @@
+mutation VaultPaymentMethod($input: VaultPaymentMethodInput!) {
+  vaultPaymentMethod(input: $input) {
+    paymentMethod {
+      id
+    }
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerConfiguration.java

@@ -1,53 +1,67 @@
 /*
- * Copyright 2013-2021 Signal Messenger, LLC
+ * Copyright 2013 Signal Messenger, LLC
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 package org.whispersystems.textsecuregcm;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
-import io.dropwizard.Configuration;
+import io.dropwizard.core.Configuration;
+import jakarta.validation.Valid;
+import jakarta.validation.constraints.NotNull;
+import java.time.Duration;
 import java.util.HashMap;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
-import javax.validation.Valid;
-import javax.validation.constraints.NotNull;
-import org.whispersystems.textsecuregcm.configuration.AbusiveMessageFilterConfiguration;
-import org.whispersystems.textsecuregcm.configuration.AccountDatabaseCrawlerConfiguration;
-import org.whispersystems.textsecuregcm.configuration.AdminEventLoggingConfiguration;
+import org.whispersystems.textsecuregcm.attachments.TusConfiguration;
 import org.whispersystems.textsecuregcm.configuration.ApnConfiguration;
-import org.whispersystems.textsecuregcm.configuration.AppConfigConfiguration;
-import org.whispersystems.textsecuregcm.configuration.AwsAttachmentsConfiguration;
+import org.whispersystems.textsecuregcm.configuration.AppleAppStoreConfiguration;
+import org.whispersystems.textsecuregcm.configuration.AppleDeviceCheckConfiguration;
+import org.whispersystems.textsecuregcm.configuration.AwsCredentialsProviderFactory;
 import org.whispersystems.textsecuregcm.configuration.BadgesConfiguration;
-import org.whispersystems.textsecuregcm.configuration.BoostConfiguration;
+import org.whispersystems.textsecuregcm.configuration.BraintreeConfiguration;
+import org.whispersystems.textsecuregcm.configuration.Cdn3StorageManagerConfiguration;
 import org.whispersystems.textsecuregcm.configuration.CdnConfiguration;
+import org.whispersystems.textsecuregcm.configuration.ClientReleaseConfiguration;
 import org.whispersystems.textsecuregcm.configuration.DatadogConfiguration;
-import org.whispersystems.textsecuregcm.configuration.DirectoryConfiguration;
+import org.whispersystems.textsecuregcm.configuration.DefaultAwsCredentialsFactory;
+import org.whispersystems.textsecuregcm.configuration.DeviceCheckConfiguration;
 import org.whispersystems.textsecuregcm.configuration.DirectoryV2Configuration;
-import org.whispersystems.textsecuregcm.configuration.DynamoDbClientConfiguration;
+import org.whispersystems.textsecuregcm.configuration.DogstatsdConfiguration;
+import org.whispersystems.textsecuregcm.configuration.DynamoDbClientFactory;
 import org.whispersystems.textsecuregcm.configuration.DynamoDbTables;
+import org.whispersystems.textsecuregcm.configuration.ExternalRequestFilterConfiguration;
+import org.whispersystems.textsecuregcm.configuration.FaultTolerantRedisClientFactory;
+import org.whispersystems.textsecuregcm.configuration.FaultTolerantRedisClusterFactory;
 import org.whispersystems.textsecuregcm.configuration.FcmConfiguration;
 import org.whispersystems.textsecuregcm.configuration.GcpAttachmentsConfiguration;
-import org.whispersystems.textsecuregcm.configuration.GiftConfiguration;
+import org.whispersystems.textsecuregcm.configuration.GenericZkConfig;
+import org.whispersystems.textsecuregcm.configuration.GooglePlayBillingConfiguration;
+import org.whispersystems.textsecuregcm.configuration.IdlePrimaryDeviceReminderConfiguration;
+import org.whispersystems.textsecuregcm.configuration.KeyTransparencyServiceConfiguration;
+import org.whispersystems.textsecuregcm.configuration.LinkDeviceSecretConfiguration;
 import org.whispersystems.textsecuregcm.configuration.MaxDeviceConfiguration;
+import org.whispersystems.textsecuregcm.configuration.MessageByteLimitCardinalityEstimatorConfiguration;
 import org.whispersystems.textsecuregcm.configuration.MessageCacheConfiguration;
+import org.whispersystems.textsecuregcm.configuration.NoiseTunnelConfiguration;
+import org.whispersystems.textsecuregcm.configuration.OneTimeDonationConfiguration;
 import org.whispersystems.textsecuregcm.configuration.PaymentsServiceConfiguration;
-import org.whispersystems.textsecuregcm.configuration.RateLimitsConfiguration;
-import org.whispersystems.textsecuregcm.configuration.RecaptchaConfiguration;
-import org.whispersystems.textsecuregcm.configuration.RedisClusterConfiguration;
-import org.whispersystems.textsecuregcm.configuration.RedisConfiguration;
-import org.whispersystems.textsecuregcm.configuration.RegistrationServiceConfiguration;
+import org.whispersystems.textsecuregcm.configuration.RegistrationServiceClientFactory;
 import org.whispersystems.textsecuregcm.configuration.RemoteConfigConfiguration;
 import org.whispersystems.textsecuregcm.configuration.ReportMessageConfiguration;
-import org.whispersystems.textsecuregcm.configuration.SecureBackupServiceConfiguration;
+import org.whispersystems.textsecuregcm.configuration.S3ObjectMonitorFactory;
 import org.whispersystems.textsecuregcm.configuration.SecureStorageServiceConfiguration;
+import org.whispersystems.textsecuregcm.configuration.SecureValueRecovery2Configuration;
+import org.whispersystems.textsecuregcm.configuration.ShortCodeExpanderConfiguration;
+import org.whispersystems.textsecuregcm.configuration.SpamFilterConfiguration;
 import org.whispersystems.textsecuregcm.configuration.StripeConfiguration;
 import org.whispersystems.textsecuregcm.configuration.SubscriptionConfiguration;
-import org.whispersystems.textsecuregcm.configuration.TestDeviceConfiguration;
+import org.whispersystems.textsecuregcm.configuration.TlsKeyStoreConfiguration;
+import org.whispersystems.textsecuregcm.configuration.TurnConfiguration;
 import org.whispersystems.textsecuregcm.configuration.UnidentifiedDeliveryConfiguration;
-import org.whispersystems.textsecuregcm.configuration.UsernameConfiguration;
-import org.whispersystems.textsecuregcm.configuration.VoiceVerificationConfiguration;
+import org.whispersystems.textsecuregcm.configuration.VirtualThreadConfiguration;
 import org.whispersystems.textsecuregcm.configuration.ZkConfig;
+import org.whispersystems.textsecuregcm.limits.RateLimiterConfig;
 import org.whispersystems.websocket.configuration.WebSocketConfiguration;
 
 /** @noinspection MismatchedQueryAndUpdateOfCollection, WeakerAccess */
@@ -56,7 +70,12 @@ public class WhisperServerConfiguration extends Configuration {
   @NotNull
   @Valid
   @JsonProperty
-  private AdminEventLoggingConfiguration adminEventLoggingConfiguration;
+  private TlsKeyStoreConfiguration tlsKeyStore;
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  AwsCredentialsProviderFactory awsCredentialsProvider = new DefaultAwsCredentialsFactory();
 
   @NotNull
   @Valid
@@ -66,18 +85,38 @@ public class WhisperServerConfiguration extends Configuration {
   @NotNull
   @Valid
   @JsonProperty
-  private DynamoDbClientConfiguration dynamoDbClientConfiguration;
+  private BraintreeConfiguration braintree;
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  private GooglePlayBillingConfiguration googlePlayBilling;
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  private AppleAppStoreConfiguration appleAppStore;
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  private AppleDeviceCheckConfiguration appleDeviceCheck;
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  private DeviceCheckConfiguration deviceCheck;
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  private DynamoDbClientFactory dynamoDbClient;
 
   @NotNull
   @Valid
   @JsonProperty
   private DynamoDbTables dynamoDbTables;
 
-  @NotNull
-  @Valid
-  @JsonProperty
-  private AwsAttachmentsConfiguration awsAttachments;
-
   @NotNull
   @Valid
   @JsonProperty
@@ -91,27 +130,22 @@ public class WhisperServerConfiguration extends Configuration {
   @NotNull
   @Valid
   @JsonProperty
-  private DatadogConfiguration datadog;
+  private Cdn3StorageManagerConfiguration cdn3StorageManager;
 
   @NotNull
   @Valid
   @JsonProperty
-  private RedisClusterConfiguration cacheCluster;
+  private DatadogConfiguration dogstatsd = new DogstatsdConfiguration();
 
   @NotNull
   @Valid
   @JsonProperty
-  private RedisConfiguration pubsub;
+  private FaultTolerantRedisClusterFactory cacheCluster;
 
   @NotNull
   @Valid
   @JsonProperty
-  private RedisClusterConfiguration metricsCluster;
-
-  @NotNull
-  @Valid
-  @JsonProperty
-  private DirectoryConfiguration directory;
+  private FaultTolerantRedisClientFactory pubsub;
 
   @NotNull
   @Valid
@@ -121,33 +155,23 @@ public class WhisperServerConfiguration extends Configuration {
   @NotNull
   @Valid
   @JsonProperty
-  private AccountDatabaseCrawlerConfiguration accountDatabaseCrawler;
+  private SecureValueRecovery2Configuration svr2;
 
   @NotNull
   @Valid
   @JsonProperty
-  private RedisClusterConfiguration pushSchedulerCluster;
+  private FaultTolerantRedisClusterFactory pushSchedulerCluster;
 
   @NotNull
   @Valid
   @JsonProperty
-  private RedisClusterConfiguration rateLimitersCluster;
+  private FaultTolerantRedisClusterFactory rateLimitersCluster;
 
   @NotNull
   @Valid
   @JsonProperty
   private MessageCacheConfiguration messageCache;
 
-  @NotNull
-  @Valid
-  @JsonProperty
-  private RedisClusterConfiguration clientPresenceCluster;
-
-  @Valid
-  @NotNull
-  @JsonProperty
-  private List<TestDeviceConfiguration> testDevices = new LinkedList<>();
-
   @Valid
   @NotNull
   @JsonProperty
@@ -156,7 +180,7 @@ public class WhisperServerConfiguration extends Configuration {
   @Valid
   @NotNull
   @JsonProperty
-  private RateLimitsConfiguration limits = new RateLimitsConfiguration();
+  private Map<String, RateLimiterConfig> limits = new HashMap<>();
 
   @Valid
   @NotNull
@@ -181,23 +205,13 @@ public class WhisperServerConfiguration extends Configuration {
   @Valid
   @NotNull
   @JsonProperty
-  private VoiceVerificationConfiguration voiceVerification;
-
-  @Valid
-  @NotNull
-  @JsonProperty
-  private RecaptchaConfiguration recaptcha;
+  private ShortCodeExpanderConfiguration shortCode;
 
   @Valid
   @NotNull
   @JsonProperty
   private SecureStorageServiceConfiguration storageService;
 
-  @Valid
-  @NotNull
-  @JsonProperty
-  private SecureBackupServiceConfiguration backupService;
-
   @Valid
   @NotNull
   @JsonProperty
@@ -208,6 +222,16 @@ public class WhisperServerConfiguration extends Configuration {
   @JsonProperty
   private ZkConfig zkConfig;
 
+  @Valid
+  @NotNull
+  @JsonProperty
+  private GenericZkConfig callingZkConfig;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private GenericZkConfig backupsZkConfig;
+
   @Valid
   @NotNull
   @JsonProperty
@@ -216,7 +240,7 @@ public class WhisperServerConfiguration extends Configuration {
   @Valid
   @NotNull
   @JsonProperty
-  private AppConfigConfiguration appConfig;
+  private S3ObjectMonitorFactory dynamicConfig;
 
   @Valid
   @NotNull
@@ -231,12 +255,7 @@ public class WhisperServerConfiguration extends Configuration {
   @Valid
   @JsonProperty
   @NotNull
-  private BoostConfiguration boost;
-
-  @Valid
-  @JsonProperty
-  @NotNull
-  private GiftConfiguration gift;
+  private OneTimeDonationConfiguration oneTimeDonations;
 
   @Valid
   @NotNull
@@ -244,69 +263,128 @@ public class WhisperServerConfiguration extends Configuration {
   private ReportMessageConfiguration reportMessage = new ReportMessageConfiguration();
 
   @Valid
-  @NotNull
   @JsonProperty
-  private UsernameConfiguration username = new UsernameConfiguration();
-
-  @Valid
-  @JsonProperty
-  private AbusiveMessageFilterConfiguration abusiveMessageFilter;
+  private SpamFilterConfiguration spamFilter;
 
   @Valid
   @NotNull
   @JsonProperty
-  private RegistrationServiceConfiguration registrationService;
+  private RegistrationServiceClientFactory registrationService;
 
-  public AdminEventLoggingConfiguration getAdminEventLoggingConfiguration() {
-    return adminEventLoggingConfiguration;
+  @Valid
+  @NotNull
+  @JsonProperty
+  private TurnConfiguration turn;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private TusConfiguration tus;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private ClientReleaseConfiguration clientRelease = new ClientReleaseConfiguration(Duration.ofHours(4));
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private MessageByteLimitCardinalityEstimatorConfiguration messageByteLimitCardinalityEstimator = new MessageByteLimitCardinalityEstimatorConfiguration(Duration.ofDays(1));
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private LinkDeviceSecretConfiguration linkDevice;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private VirtualThreadConfiguration virtualThread = new VirtualThreadConfiguration(Duration.ofMillis(1));
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private NoiseTunnelConfiguration noiseTunnel;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private ExternalRequestFilterConfiguration externalRequestFilter;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private KeyTransparencyServiceConfiguration keyTransparencyService;
+
+  @JsonProperty
+  private boolean logMessageDeliveryLoops;
+
+  @JsonProperty
+  private IdlePrimaryDeviceReminderConfiguration idlePrimaryDeviceReminder =
+      new IdlePrimaryDeviceReminderConfiguration(Duration.ofDays(30));
+
+  public TlsKeyStoreConfiguration getTlsKeyStoreConfiguration() {
+    return tlsKeyStore;
+  }
+
+  public AwsCredentialsProviderFactory getAwsCredentialsConfiguration() {
+    return awsCredentialsProvider;
   }
 
   public StripeConfiguration getStripe() {
     return stripe;
   }
 
-  public DynamoDbClientConfiguration getDynamoDbClientConfiguration() {
-    return dynamoDbClientConfiguration;
+  public BraintreeConfiguration getBraintree() {
+    return braintree;
+  }
+
+  public GooglePlayBillingConfiguration getGooglePlayBilling() {
+    return googlePlayBilling;
+  }
+
+  public AppleAppStoreConfiguration getAppleAppStore() {
+    return appleAppStore;
+  }
+
+  public AppleDeviceCheckConfiguration getAppleDeviceCheck() {
+    return appleDeviceCheck;
+  }
+
+  public DeviceCheckConfiguration getDeviceCheck() {
+    return deviceCheck;
+  }
+
+  public DynamoDbClientFactory getDynamoDbClientConfiguration() {
+    return dynamoDbClient;
   }
 
   public DynamoDbTables getDynamoDbTables() {
     return dynamoDbTables;
   }
 
-  public RecaptchaConfiguration getRecaptchaConfiguration() {
-    return recaptcha;
-  }
-
-  public VoiceVerificationConfiguration getVoiceVerificationConfiguration() {
-    return voiceVerification;
+  public ShortCodeExpanderConfiguration getShortCodeRetrieverConfiguration() {
+    return shortCode;
   }
 
   public WebSocketConfiguration getWebSocketConfiguration() {
     return webSocket;
   }
 
-  public AwsAttachmentsConfiguration getAwsAttachmentsConfiguration() {
-    return awsAttachments;
-  }
-
   public GcpAttachmentsConfiguration getGcpAttachmentsConfiguration() {
     return gcpAttachments;
   }
 
-  public RedisClusterConfiguration getCacheClusterConfiguration() {
+  public FaultTolerantRedisClusterFactory getCacheClusterConfiguration() {
     return cacheCluster;
   }
 
-  public RedisConfiguration getPubsubCacheConfiguration() {
+  public FaultTolerantRedisClientFactory getRedisPubSubConfiguration() {
     return pubsub;
   }
 
-  public RedisClusterConfiguration getMetricsClusterConfiguration() {
-    return metricsCluster;
-  }
-
-  public DirectoryConfiguration getDirectoryConfiguration() {
-    return directory;
+  public SecureValueRecovery2Configuration getSvr2Configuration() {
+    return svr2;
   }
 
   public DirectoryV2Configuration getDirectoryV2Configuration() {
@@ -317,30 +395,18 @@ public class WhisperServerConfiguration extends Configuration {
     return storageService;
   }
 
-  public AccountDatabaseCrawlerConfiguration getAccountDatabaseCrawlerConfiguration() {
-    return accountDatabaseCrawler;
-  }
-
   public MessageCacheConfiguration getMessageCacheConfiguration() {
     return messageCache;
   }
 
-  public RedisClusterConfiguration getClientPresenceClusterConfiguration() {
-    return clientPresenceCluster;
-  }
-
-  public RedisClusterConfiguration getPushSchedulerCluster() {
+  public FaultTolerantRedisClusterFactory getPushSchedulerCluster() {
     return pushSchedulerCluster;
   }
 
-  public RedisClusterConfiguration getRateLimitersCluster() {
+  public FaultTolerantRedisClusterFactory getRateLimitersCluster() {
     return rateLimitersCluster;
   }
 
-  public RateLimitsConfiguration getLimitsConfiguration() {
-    return limits;
-  }
-
   public FcmConfiguration getFcmConfiguration() {
     return fcm;
   }
@@ -353,25 +419,18 @@ public class WhisperServerConfiguration extends Configuration {
     return cdn;
   }
 
+  public Cdn3StorageManagerConfiguration getCdn3StorageManagerConfiguration() {
+    return cdn3StorageManager;
+  }
+
   public DatadogConfiguration getDatadogConfiguration() {
-    return datadog;
+    return dogstatsd;
   }
 
   public UnidentifiedDeliveryConfiguration getDeliveryCertificate() {
     return unidentifiedDelivery;
   }
 
-  public Map<String, Integer> getTestDevices() {
-    Map<String, Integer> results = new HashMap<>();
-
-    for (TestDeviceConfiguration testDeviceConfiguration : testDevices) {
-      results.put(testDeviceConfiguration.getNumber(),
-                  testDeviceConfiguration.getCode());
-    }
-
-    return results;
-  }
-
   public Map<String, Integer> getMaxDevices() {
     Map<String, Integer> results = new HashMap<>();
 
@@ -383,10 +442,6 @@ public class WhisperServerConfiguration extends Configuration {
     return results;
   }
 
-  public SecureBackupServiceConfiguration getSecureBackupServiceConfiguration() {
-    return backupService;
-  }
-
   public PaymentsServiceConfiguration getPaymentsServiceConfiguration() {
     return paymentsService;
   }
@@ -395,12 +450,20 @@ public class WhisperServerConfiguration extends Configuration {
     return zkConfig;
   }
 
+  public GenericZkConfig getCallingZkConfig() {
+    return callingZkConfig;
+  }
+
+  public GenericZkConfig getBackupsZkConfig() {
+    return backupsZkConfig;
+  }
+
   public RemoteConfigConfiguration getRemoteConfigConfiguration() {
     return remoteConfig;
   }
 
-  public AppConfigConfiguration getAppConfig() {
-    return appConfig;
+  public S3ObjectMonitorFactory getDynamicConfig() {
+    return dynamicConfig;
   }
 
   public BadgesConfiguration getBadges() {
@@ -411,27 +474,63 @@ public class WhisperServerConfiguration extends Configuration {
     return subscription;
   }
 
-  public BoostConfiguration getBoost() {
-    return boost;
-  }
-
-  public GiftConfiguration getGift() {
-    return gift;
+  public OneTimeDonationConfiguration getOneTimeDonations() {
+    return oneTimeDonations;
   }
 
   public ReportMessageConfiguration getReportMessageConfiguration() {
     return reportMessage;
   }
 
-  public AbusiveMessageFilterConfiguration getAbusiveMessageFilterConfiguration() {
-    return abusiveMessageFilter;
+  public SpamFilterConfiguration getSpamFilterConfiguration() {
+    return spamFilter;
   }
 
-  public UsernameConfiguration getUsername() {
-    return username;
-  }
-
-  public RegistrationServiceConfiguration getRegistrationServiceConfiguration() {
+  public RegistrationServiceClientFactory getRegistrationServiceConfiguration() {
     return registrationService;
   }
+
+  public TurnConfiguration getTurnConfiguration() {
+    return turn;
+  }
+
+  public TusConfiguration getTus() {
+    return tus;
+  }
+
+  public ClientReleaseConfiguration getClientReleaseConfiguration() {
+    return clientRelease;
+  }
+
+  public MessageByteLimitCardinalityEstimatorConfiguration getMessageByteLimitCardinalityEstimator() {
+    return messageByteLimitCardinalityEstimator;
+  }
+
+  public LinkDeviceSecretConfiguration getLinkDeviceSecretConfiguration() {
+    return linkDevice;
+  }
+
+  public VirtualThreadConfiguration getVirtualThreadConfiguration() {
+    return virtualThread;
+  }
+
+  public NoiseTunnelConfiguration getNoiseTunnelConfiguration() {
+    return noiseTunnel;
+  }
+
+  public ExternalRequestFilterConfiguration getExternalRequestFilterConfiguration() {
+    return externalRequestFilter;
+  }
+
+  public KeyTransparencyServiceConfiguration getKeyTransparencyServiceConfiguration() {
+    return keyTransparencyService;
+  }
+
+  public boolean logMessageDeliveryLoops() {
+    return logMessageDeliveryLoops;
+  }
+
+  public IdlePrimaryDeviceReminderConfiguration idlePrimaryDeviceReminderConfiguration() {
+    return idlePrimaryDeviceReminder;
+  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/abuse/AbusiveMessageFilter.java

@@ -1,33 +0,0 @@
-/*
- * Copyright 2013-2021 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.abuse;
-
-import io.dropwizard.lifecycle.Managed;
-import javax.ws.rs.container.ContainerRequestFilter;
-import java.io.IOException;
-
-/**
- * An abusive message filter is a {@link ContainerRequestFilter} that filters requests to message-sending endpoints to
- * detect and respond to patterns of abusive behavior.
- * <p/>
- * Abusive message filters are managed components that are generally loaded dynamically via a
- * {@link java.util.ServiceLoader}. Their {@link #configure(String)} method will be called prior to be adding to the
- * server's pool of {@link Managed} objects.
- * <p/>
- * Abusive message filters must be annotated with {@link FilterAbusiveMessages}, a name binding annotation that
- * restricts the endpoints to which the filter may apply.
- */
-public interface AbusiveMessageFilter extends ContainerRequestFilter, Managed {
-
-  /**
-   * Configures this abusive message filter. This method will be called before the filter is added to the server's pool
-   * of managed objects and before the server processes any requests.
-   *
-   * @param environmentName the name of the environment in which this filter is running (e.g. "staging" or "production")
-   * @throws IOException if the filter could not read its configuration source for any reason
-   */
-  void configure(String environmentName) throws IOException;
-}

service/src/main/java/org/whispersystems/textsecuregcm/abuse/FilterAbusiveMessages.java

@@ -1,21 +0,0 @@
-/*
- * Copyright 2013-2021 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.abuse;
-
-import javax.ws.rs.NameBinding;
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-
-/**
- * A name-binding annotation that associates {@link AbusiveMessageFilter}s with resource methods.
- */
-@NameBinding
-@Retention(RetentionPolicy.RUNTIME)
-@Target({ElementType.TYPE, ElementType.METHOD})
-public @interface FilterAbusiveMessages {
-}

service/src/main/java/org/whispersystems/textsecuregcm/abuse/RateLimitChallengeListener.java

@@ -1,24 +0,0 @@
-/*
- * Copyright 2013-2021 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.abuse;
-
-
-import org.whispersystems.textsecuregcm.storage.Account;
-import java.io.IOException;
-
-public interface RateLimitChallengeListener {
-
-  void handleRateLimitChallengeAnswered(Account account);
-
-  /**
-   * Configures this rate limit challenge listener. This method will be called before the service begins processing any
-   * challenges.
-   *
-   * @param environmentName the name of the environment in which this listener is running (e.g. "staging" or "production")
-   * @throws IOException if the listener could not read its configuration source for any reason
-   */
-  void configure(String environmentName) throws IOException;
-}

service/src/main/java/org/whispersystems/textsecuregcm/abuse/RateLimitChallengeType.java

@@ -1,12 +0,0 @@
-/*
- * Copyright 2013-2021 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.abuse;
-
-public enum RateLimitChallengeType {
-
-  PUSH_CHALLENGE,
-  RECAPTCHA
-}

service/src/main/java/org/whispersystems/textsecuregcm/attachments/AttachmentGenerator.java

@@ -0,0 +1,15 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.attachments;
+import java.util.Map;
+
+public interface AttachmentGenerator {
+
+  record Descriptor(Map<String, String> headers, String signedUploadLocation) {}
+
+  Descriptor generateAttachment(final String key);
+
+}

service/src/main/java/org/whispersystems/textsecuregcm/attachments/GcsAttachmentGenerator.java

@@ -0,0 +1,54 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.attachments;
+
+import org.whispersystems.textsecuregcm.gcp.CanonicalRequest;
+import org.whispersystems.textsecuregcm.gcp.CanonicalRequestGenerator;
+import org.whispersystems.textsecuregcm.gcp.CanonicalRequestSigner;
+import javax.annotation.Nonnull;
+import java.io.IOException;
+import java.security.InvalidKeyException;
+import java.security.spec.InvalidKeySpecException;
+import java.time.ZoneOffset;
+import java.time.ZonedDateTime;
+import java.util.Map;
+
+public class GcsAttachmentGenerator implements AttachmentGenerator {
+  @Nonnull
+  private final CanonicalRequestGenerator canonicalRequestGenerator;
+
+  @Nonnull
+  private final CanonicalRequestSigner canonicalRequestSigner;
+
+  public GcsAttachmentGenerator(@Nonnull String domain, @Nonnull String email,
+      int maxSizeInBytes, @Nonnull String pathPrefix, @Nonnull String rsaSigningKey)
+      throws IOException, InvalidKeyException, InvalidKeySpecException {
+    this.canonicalRequestGenerator = new CanonicalRequestGenerator(domain, email, maxSizeInBytes, pathPrefix);
+    this.canonicalRequestSigner = new CanonicalRequestSigner(rsaSigningKey);
+  }
+
+  @Override
+  public Descriptor generateAttachment(final String key) {
+    final ZonedDateTime now = ZonedDateTime.now(ZoneOffset.UTC);
+    final CanonicalRequest canonicalRequest = canonicalRequestGenerator.createFor(key, now);
+    return new Descriptor(getHeaderMap(canonicalRequest), getSignedUploadLocation(canonicalRequest));
+  }
+
+  private String getSignedUploadLocation(@Nonnull CanonicalRequest canonicalRequest) {
+    return "https://" + canonicalRequest.getDomain() + canonicalRequest.getResourcePath()
+        + '?' + canonicalRequest.getCanonicalQuery()
+        + "&X-Goog-Signature=" + canonicalRequestSigner.sign(canonicalRequest);
+  }
+
+  private static Map<String, String> getHeaderMap(@Nonnull CanonicalRequest canonicalRequest) {
+    return Map.of(
+        "host", canonicalRequest.getDomain(),
+        "x-goog-content-length-range", "1," + canonicalRequest.getMaxSizeInBytes(),
+        "x-goog-resumable", "start");
+  }
+
+
+}

service/src/main/java/org/whispersystems/textsecuregcm/attachments/TusAttachmentGenerator.java

@@ -0,0 +1,47 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.attachments;
+
+import org.apache.http.HttpHeaders;
+import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentials;
+import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentialsGenerator;
+import org.whispersystems.textsecuregcm.util.HeaderUtils;
+import java.nio.charset.StandardCharsets;
+import java.time.Clock;
+import java.util.Base64;
+import java.util.Map;
+
+public class TusAttachmentGenerator implements AttachmentGenerator {
+
+  private static final String ATTACHMENTS = "attachments";
+
+  final ExternalServiceCredentialsGenerator credentialsGenerator;
+  final String tusUri;
+
+  public TusAttachmentGenerator(final TusConfiguration cfg) {
+    this.tusUri = cfg.uploadUri();
+    this.credentialsGenerator = credentialsGenerator(Clock.systemUTC(), cfg);
+  }
+
+  private static ExternalServiceCredentialsGenerator credentialsGenerator(final Clock clock, final TusConfiguration cfg) {
+    return ExternalServiceCredentialsGenerator
+        .builder(cfg.userAuthenticationTokenSharedSecret())
+        .prependUsername(false)
+        .withClock(clock)
+        .build();
+  }
+
+  @Override
+  public Descriptor generateAttachment(final String key) {
+    final ExternalServiceCredentials credentials = credentialsGenerator.generateFor(ATTACHMENTS + "/" + key);
+    final String b64Key = Base64.getEncoder().encodeToString(key.getBytes(StandardCharsets.UTF_8));
+    final Map<String, String> headers = Map.of(
+        HttpHeaders.AUTHORIZATION, HeaderUtils.basicAuthHeader(credentials),
+        "Upload-Metadata", String.format("filename %s", b64Key)
+    );
+    return new Descriptor(headers, tusUri + "/" +  ATTACHMENTS);
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/attachments/TusConfiguration.java

@@ -0,0 +1,15 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.attachments;
+
+import jakarta.validation.constraints.NotEmpty;
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretBytes;
+import org.whispersystems.textsecuregcm.util.ExactlySize;
+
+public record TusConfiguration(
+  @ExactlySize(32) SecretBytes userAuthenticationTokenSharedSecret,
+  @NotEmpty String uploadUri
+){}

service/src/main/java/org/whispersystems/textsecuregcm/auth/AccountAndAuthenticatedDeviceHolder.java

@@ -1,16 +0,0 @@
-/*
- * Copyright 2021 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.auth;
-
-import org.whispersystems.textsecuregcm.storage.Account;
-import org.whispersystems.textsecuregcm.storage.Device;
-
-public interface AccountAndAuthenticatedDeviceHolder {
-
-  Account getAccount();
-
-  Device getAuthenticatedDevice();
-}

service/src/main/java/org/whispersystems/textsecuregcm/auth/AccountAuthenticator.java

@@ -1,25 +1,163 @@
 /*
- * Copyright 2013-2021 Signal Messenger, LLC
+ * Copyright 2013 Signal Messenger, LLC
  * SPDX-License-Identifier: AGPL-3.0-only
  */
+
 package org.whispersystems.textsecuregcm.auth;
 
+import static com.codahale.metrics.MetricRegistry.name;
+
+import com.google.common.annotations.VisibleForTesting;
 import io.dropwizard.auth.Authenticator;
 import io.dropwizard.auth.basic.BasicCredentials;
+import io.micrometer.core.instrument.Counter;
+import io.micrometer.core.instrument.Metrics;
+import io.micrometer.core.instrument.Tags;
+import java.time.Clock;
+import java.time.Duration;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
 import java.util.Optional;
-import org.whispersystems.textsecuregcm.experiment.ExperimentEnrollmentManager;
+import java.util.UUID;
+import org.apache.commons.lang3.StringUtils;
+import org.whispersystems.textsecuregcm.identity.IdentityType;
+import org.whispersystems.textsecuregcm.storage.Account;
 import org.whispersystems.textsecuregcm.storage.AccountsManager;
+import org.whispersystems.textsecuregcm.storage.Device;
+import org.whispersystems.textsecuregcm.util.Pair;
+import org.whispersystems.textsecuregcm.util.Util;
 
-public class AccountAuthenticator extends BaseAccountAuthenticator implements
-    Authenticator<BasicCredentials, AuthenticatedAccount> {
+public class AccountAuthenticator implements Authenticator<BasicCredentials, AuthenticatedDevice> {
+
+  private static final String LEGACY_NAME_PREFIX = "org.whispersystems.textsecuregcm.auth.BaseAccountAuthenticator";
+
+  private static final String AUTHENTICATION_COUNTER_NAME = name(LEGACY_NAME_PREFIX, "authentication");
+  private static final String AUTHENTICATION_SUCCEEDED_TAG_NAME = "succeeded";
+  private static final String AUTHENTICATION_FAILURE_REASON_TAG_NAME = "reason";
+
+  private static final String DAYS_SINCE_LAST_SEEN_DISTRIBUTION_NAME = name(LEGACY_NAME_PREFIX, "daysSinceLastSeen");
+  private static final String IS_PRIMARY_DEVICE_TAG = "isPrimary";
+
+  private static final Counter OLD_TOKEN_VERSION_COUNTER =
+      Metrics.counter(name(AccountAuthenticator.class, "oldTokenVersionCounter"));
+
+  @VisibleForTesting
+  static final char DEVICE_ID_SEPARATOR = '.';
+
+  private final AccountsManager accountsManager;
+  private final Clock clock;
 
   public AccountAuthenticator(AccountsManager accountsManager) {
-    super(accountsManager);
+    this(accountsManager, Clock.systemUTC());
+  }
+
+  @VisibleForTesting
+  public AccountAuthenticator(AccountsManager accountsManager, Clock clock) {
+    this.accountsManager = accountsManager;
+    this.clock = clock;
+  }
+
+  static Pair<String, Byte> getIdentifierAndDeviceId(final String basicUsername) {
+    final String identifier;
+    final byte deviceId;
+
+    final int deviceIdSeparatorIndex = basicUsername.indexOf(DEVICE_ID_SEPARATOR);
+
+    if (deviceIdSeparatorIndex == -1) {
+      identifier = basicUsername;
+      deviceId = Device.PRIMARY_ID;
+    } else {
+      identifier = basicUsername.substring(0, deviceIdSeparatorIndex);
+      deviceId = Byte.parseByte(basicUsername.substring(deviceIdSeparatorIndex + 1));
+    }
+
+    return new Pair<>(identifier, deviceId);
   }
 
   @Override
-  public Optional<AuthenticatedAccount> authenticate(BasicCredentials basicCredentials) {
-    return super.authenticate(basicCredentials, true);
+  public Optional<AuthenticatedDevice> authenticate(BasicCredentials basicCredentials) {
+    boolean succeeded = false;
+    String failureReason = null;
+
+    try {
+      final UUID accountUuid;
+      final byte deviceId;
+      {
+        final Pair<String, Byte> identifierAndDeviceId = getIdentifierAndDeviceId(basicCredentials.getUsername());
+
+        accountUuid = UUID.fromString(identifierAndDeviceId.first());
+        deviceId = identifierAndDeviceId.second();
+      }
+
+      Optional<Account> account = accountsManager.getByAccountIdentifier(accountUuid);
+
+      if (account.isEmpty()) {
+        failureReason = "noSuchAccount";
+        return Optional.empty();
+      }
+
+      Optional<Device> device = account.get().getDevice(deviceId);
+
+      if (device.isEmpty()) {
+        failureReason = "noSuchDevice";
+        return Optional.empty();
+      }
+
+      SaltedTokenHash deviceSaltedTokenHash = device.get().getAuthTokenHash();
+      if (deviceSaltedTokenHash.verify(basicCredentials.getPassword())) {
+        succeeded = true;
+        Account authenticatedAccount = updateLastSeen(account.get(), device.get());
+        if (deviceSaltedTokenHash.getVersion() != SaltedTokenHash.CURRENT_VERSION) {
+          OLD_TOKEN_VERSION_COUNTER.increment();
+          authenticatedAccount = accountsManager.updateDeviceAuthentication(
+              authenticatedAccount,
+              device.get(),
+              SaltedTokenHash.generateFor(basicCredentials.getPassword()));  // new credentials have current version
+        }
+        return Optional.of(new AuthenticatedDevice(authenticatedAccount.getIdentifier(IdentityType.ACI),
+            device.get().getId(),
+            Instant.ofEpochMilli(authenticatedAccount.getPrimaryDevice().getLastSeen())));
+      } else {
+        failureReason = "incorrectPassword";
+        return Optional.empty();
+      }
+    } catch (IllegalArgumentException | InvalidAuthorizationHeaderException iae) {
+      failureReason = "invalidHeader";
+      return Optional.empty();
+    } finally {
+      Tags tags = Tags.of(
+          AUTHENTICATION_SUCCEEDED_TAG_NAME, String.valueOf(succeeded));
+
+      if (StringUtils.isNotBlank(failureReason)) {
+        tags = tags.and(AUTHENTICATION_FAILURE_REASON_TAG_NAME, failureReason);
+      }
+
+      Metrics.counter(AUTHENTICATION_COUNTER_NAME, tags).increment();
+    }
   }
 
+  @VisibleForTesting
+  public Account updateLastSeen(Account account, Device device) {
+    // compute a non-negative integer between 0 and 86400.
+    long n = Util.ensureNonNegativeLong(account.getUuid().getLeastSignificantBits());
+    final long lastSeenOffsetSeconds = n % ChronoUnit.DAYS.getDuration().toSeconds();
+
+    // produce a truncated timestamp which is either today at UTC midnight
+    // or yesterday at UTC midnight, based on per-user randomized offset used.
+    final long todayInMillisWithOffset = Util.todayInMillisGivenOffsetFromNow(clock,
+        Duration.ofSeconds(lastSeenOffsetSeconds).negated());
+
+    // only update the device's last seen time when it falls behind the truncated timestamp.
+    // this ensures a few things:
+    //   (1) each account will only update last-seen at most once per day
+    //   (2) these updates will occur throughout the day rather than all occurring at UTC midnight.
+    if (device.getLastSeen() < todayInMillisWithOffset) {
+      Metrics.summary(DAYS_SINCE_LAST_SEEN_DISTRIBUTION_NAME, IS_PRIMARY_DEVICE_TAG, String.valueOf(device.isPrimary()))
+          .record(Duration.ofMillis(todayInMillisWithOffset - device.getLastSeen()).toDays());
+
+      return accountsManager.updateDeviceLastSeen(account, device, Util.todayInMillis(clock));
+    }
+
+    return account;
+  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/auth/Anonymous.java

@@ -5,9 +5,9 @@
 
 package org.whispersystems.textsecuregcm.auth;
 
+import jakarta.ws.rs.WebApplicationException;
+import jakarta.ws.rs.core.Response;
 import java.util.Base64;
-import javax.ws.rs.WebApplicationException;
-import javax.ws.rs.core.Response;
 
 public class Anonymous {
 

service/src/main/java/org/whispersystems/textsecuregcm/auth/AuthEnablementRefreshRequirementProvider.java

@@ -1,100 +0,0 @@
-/*
- * Copyright 2021 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.auth;
-
-import com.google.common.annotations.VisibleForTesting;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.UUID;
-import java.util.stream.Collectors;
-import org.glassfish.jersey.server.ContainerRequest;
-import org.glassfish.jersey.server.monitoring.RequestEvent;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.whispersystems.textsecuregcm.storage.Account;
-import org.whispersystems.textsecuregcm.storage.AccountsManager;
-import org.whispersystems.textsecuregcm.storage.Device;
-import org.whispersystems.textsecuregcm.util.Pair;
-
-/**
- * This {@link WebsocketRefreshRequirementProvider} observes intra-request changes in {@link Account#isEnabled()} and
- * {@link Device#isEnabled()}.
- * <p>
- * If a change in {@link Account#isEnabled()} or any associated {@link Device#isEnabled()} is observed, then any active
- * WebSocket connections for the account must be closed in order for clients to get a refreshed
- * {@link io.dropwizard.auth.Auth} object with a current device list.
- *
- * @see AuthenticatedAccount
- * @see DisabledPermittedAuthenticatedAccount
- */
-public class AuthEnablementRefreshRequirementProvider implements WebsocketRefreshRequirementProvider {
-
-  private final AccountsManager accountsManager;
-
-  private static final Logger logger = LoggerFactory.getLogger(AuthEnablementRefreshRequirementProvider.class);
-
-  private static final String ACCOUNT_UUID = AuthEnablementRefreshRequirementProvider.class.getName() + ".accountUuid";
-  private static final String DEVICES_ENABLED = AuthEnablementRefreshRequirementProvider.class.getName() + ".devicesEnabled";
-
-  public AuthEnablementRefreshRequirementProvider(final AccountsManager accountsManager) {
-    this.accountsManager = accountsManager;
-  }
-
-  @VisibleForTesting
-  static Map<Long, Boolean> buildDevicesEnabledMap(final Account account) {
-    return account.getDevices().stream().collect(Collectors.toMap(Device::getId, Device::isEnabled));
-  }
-
-  @Override
-  public void handleRequestFiltered(final RequestEvent requestEvent) {
-    if (requestEvent.getUriInfo().getMatchedResourceMethod().getInvocable().getHandlingMethod().getAnnotation(ChangesDeviceEnabledState.class) != null) {
-      // The authenticated principal, if any, will be available after filters have run.
-      // Now that the account is known, capture a snapshot of `isEnabled` for the account's devices before carrying out
-      // the request’s business logic.
-      ContainerRequestUtil.getAuthenticatedAccount(requestEvent.getContainerRequest()).ifPresent(account ->
-          setAccount(requestEvent.getContainerRequest(), account));
-    }
-  }
-
-  public static void setAccount(final ContainerRequest containerRequest, final Account account) {
-    containerRequest.setProperty(ACCOUNT_UUID, account.getUuid());
-    containerRequest.setProperty(DEVICES_ENABLED, buildDevicesEnabledMap(account));
-  }
-
-  @Override
-  public List<Pair<UUID, Long>> handleRequestFinished(final RequestEvent requestEvent) {
-    // Now that the request is finished, check whether `isEnabled` changed for any of the devices. If the value did
-    // change or if a devices was added or removed, all devices must disconnect and reauthenticate.
-    if (requestEvent.getContainerRequest().getProperty(DEVICES_ENABLED) != null) {
-
-      @SuppressWarnings("unchecked") final Map<Long, Boolean> initialDevicesEnabled =
-          (Map<Long, Boolean>) requestEvent.getContainerRequest().getProperty(DEVICES_ENABLED);
-
-      return accountsManager.getByAccountIdentifier((UUID) requestEvent.getContainerRequest().getProperty(ACCOUNT_UUID)).map(account -> {
-        final Set<Long> deviceIdsToDisplace;
-        final Map<Long, Boolean> currentDevicesEnabled = buildDevicesEnabledMap(account);
-
-        if (!initialDevicesEnabled.equals(currentDevicesEnabled)) {
-          deviceIdsToDisplace = new HashSet<>(initialDevicesEnabled.keySet());
-          deviceIdsToDisplace.addAll(currentDevicesEnabled.keySet());
-        } else {
-          deviceIdsToDisplace = Collections.emptySet();
-        }
-
-        return deviceIdsToDisplace.stream()
-            .map(deviceId -> new Pair<>(account.getUuid(), deviceId))
-            .collect(Collectors.toList());
-      }).orElseGet(() -> {
-        logger.error("Request had account, but it is no longer present");
-        return Collections.emptyList();
-      });
-    } else
-      return Collections.emptyList();
-  }
-}

service/src/main/java/org/whispersystems/textsecuregcm/auth/AuthenticatedAccount.java

@@ -1,44 +0,0 @@
-/*
- * Copyright 2021 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.auth;
-
-import java.security.Principal;
-import java.util.function.Supplier;
-import javax.security.auth.Subject;
-import org.whispersystems.textsecuregcm.storage.Account;
-import org.whispersystems.textsecuregcm.storage.Device;
-import org.whispersystems.textsecuregcm.util.Pair;
-
-public class AuthenticatedAccount implements Principal, AccountAndAuthenticatedDeviceHolder {
-
-  private final Supplier<Pair<Account, Device>> accountAndDevice;
-
-  public AuthenticatedAccount(final Supplier<Pair<Account, Device>> accountAndDevice) {
-    this.accountAndDevice = accountAndDevice;
-  }
-
-  @Override
-  public Account getAccount() {
-    return accountAndDevice.get().first();
-  }
-
-  @Override
-  public Device getAuthenticatedDevice() {
-    return accountAndDevice.get().second();
-  }
-
-  // Principal implementation
-
-  @Override
-  public String getName() {
-    return null;
-  }
-
-  @Override
-  public boolean implies(final Subject subject) {
-    return false;
-  }
-}

service/src/main/java/org/whispersystems/textsecuregcm/auth/AuthenticatedBackupUser.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import org.signal.libsignal.zkgroup.backups.BackupCredentialType;
+import org.signal.libsignal.zkgroup.backups.BackupLevel;
+import org.whispersystems.textsecuregcm.util.ua.UserAgent;
+import javax.annotation.Nullable;
+
+public record AuthenticatedBackupUser(
+    byte[] backupId,
+    BackupCredentialType credentialType,
+    BackupLevel backupLevel,
+    String backupDir,
+    String mediaDir,
+    @Nullable UserAgent userAgent) {
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/AuthenticatedDevice.java

@@ -0,0 +1,25 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import java.security.Principal;
+import java.time.Instant;
+import java.util.UUID;
+import javax.security.auth.Subject;
+
+public record AuthenticatedDevice(UUID accountIdentifier, byte deviceId, Instant primaryDeviceLastSeen)
+    implements Principal {
+
+  @Override
+  public String getName() {
+    return null;
+  }
+
+  @Override
+  public boolean implies(final Subject subject) {
+    return false;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/AuthenticationCredentials.java

@@ -1,85 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.textsecuregcm.auth;
-
-import com.google.common.annotations.VisibleForTesting;
-import org.apache.commons.codec.binary.Hex;
-import org.signal.libsignal.protocol.kdf.HKDF;
-
-import java.nio.charset.StandardCharsets;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
-
-public class AuthenticationCredentials {
-  private static final String V2_PREFIX = "2.";
-
-  private final String hashedAuthenticationToken;
-  private final String salt;
-
-  public enum Version {
-    V1,
-    V2,
-  }
-
-  public static final Version CURRENT_VERSION = Version.V2;
-
-  public AuthenticationCredentials(String hashedAuthenticationToken, String salt) {
-    this.hashedAuthenticationToken = hashedAuthenticationToken;
-    this.salt                      = salt;
-  }
-
-  public AuthenticationCredentials(String authenticationToken) {
-    this.salt                      = String.valueOf(Math.abs(new SecureRandom().nextInt()));
-    this.hashedAuthenticationToken = getV2HashedValue(salt, authenticationToken);
-  }
-
-  @VisibleForTesting
-  public AuthenticationCredentials v1ForTesting(String authenticationToken) {
-    String salt = String.valueOf(Math.abs(new SecureRandom().nextInt()));
-    return new AuthenticationCredentials(getV1HashedValue(salt, authenticationToken), salt);
-  }
-
-  public Version getVersion() {
-    if (this.hashedAuthenticationToken.startsWith(V2_PREFIX)) {
-      return Version.V2;
-    }
-    return Version.V1;
-  }
-
-  public String getHashedAuthenticationToken() {
-    return hashedAuthenticationToken;
-  }
-
-  public String getSalt() {
-    return salt;
-  }
-
-  public boolean verify(String authenticationToken) {
-    final String theirValue = switch (getVersion()) {
-      case V1 -> getV1HashedValue(salt, authenticationToken);
-      case V2 -> getV2HashedValue(salt, authenticationToken);
-    };
-    return MessageDigest.isEqual(theirValue.getBytes(StandardCharsets.UTF_8), this.hashedAuthenticationToken.getBytes(StandardCharsets.UTF_8));
-  }
-
-  private static String getV1HashedValue(String salt, String token) {
-    try {
-      return new String(Hex.encodeHex(MessageDigest.getInstance("SHA1").digest((salt + token).getBytes(StandardCharsets.UTF_8))));
-    } catch (NoSuchAlgorithmException e) {
-      throw new AssertionError(e);
-    }
-  }
-
-  private static final byte[] AUTH_TOKEN_HKDF_INFO = "authtoken".getBytes(StandardCharsets.UTF_8);
-  private static String getV2HashedValue(String salt, String token) {
-    byte[] secret = HKDF.deriveSecrets(
-        token.getBytes(StandardCharsets.UTF_8),  // key
-        salt.getBytes(StandardCharsets.UTF_8),  // salt
-        AUTH_TOKEN_HKDF_INFO,
-        32);
-    return V2_PREFIX + Hex.encodeHexString(secret);
-  }
-}

service/src/main/java/org/whispersystems/textsecuregcm/auth/BaseAccountAuthenticator.java

@@ -1,161 +0,0 @@
-/*
- * Copyright 2013-2021 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.auth;
-
-import static com.codahale.metrics.MetricRegistry.name;
-
-import com.google.common.annotations.VisibleForTesting;
-import io.dropwizard.auth.basic.BasicCredentials;
-import io.micrometer.core.instrument.Metrics;
-import io.micrometer.core.instrument.Tags;
-import java.time.Clock;
-import java.time.Duration;
-import java.time.temporal.ChronoUnit;
-import java.util.Optional;
-import java.util.UUID;
-import org.apache.commons.lang3.StringUtils;
-import org.whispersystems.textsecuregcm.storage.Account;
-import org.whispersystems.textsecuregcm.storage.AccountsManager;
-import org.whispersystems.textsecuregcm.storage.Device;
-import org.whispersystems.textsecuregcm.storage.RefreshingAccountAndDeviceSupplier;
-import org.whispersystems.textsecuregcm.util.Pair;
-import org.whispersystems.textsecuregcm.util.Util;
-
-public class BaseAccountAuthenticator {
-
-  private static final String AUTHENTICATION_COUNTER_NAME = name(BaseAccountAuthenticator.class, "authentication");
-  private static final String AUTHENTICATION_SUCCEEDED_TAG_NAME = "succeeded";
-  private static final String AUTHENTICATION_FAILURE_REASON_TAG_NAME = "reason";
-  private static final String AUTHENTICATION_ENABLED_REQUIRED_TAG_NAME = "enabledRequired";
-  private static final String AUTHENTICATION_HAS_STORY_CAPABILITY = "hasStoryCapability";
-
-  private static final String STORY_ADOPTION_COUNTER_NAME = name(BaseAccountAuthenticator.class, "storyAdoption");
-
-  private static final String DAYS_SINCE_LAST_SEEN_DISTRIBUTION_NAME = name(BaseAccountAuthenticator.class, "daysSinceLastSeen");
-  private static final String IS_PRIMARY_DEVICE_TAG = "isPrimary";
-
-  private final AccountsManager accountsManager;
-  private final Clock           clock;
-
-  public BaseAccountAuthenticator(AccountsManager accountsManager) {
-    this(accountsManager, Clock.systemUTC());
-  }
-
-  @VisibleForTesting
-  public BaseAccountAuthenticator(AccountsManager accountsManager, Clock clock) {
-    this.accountsManager   = accountsManager;
-    this.clock             = clock;
-  }
-
-  static Pair<String, Long> getIdentifierAndDeviceId(final String basicUsername) {
-    final String identifier;
-    final long deviceId;
-
-    final int deviceIdSeparatorIndex = basicUsername.indexOf('.');
-
-    if (deviceIdSeparatorIndex == -1) {
-      identifier = basicUsername;
-      deviceId = Device.MASTER_ID;
-    } else {
-      identifier = basicUsername.substring(0, deviceIdSeparatorIndex);
-      deviceId = Long.parseLong(basicUsername.substring(deviceIdSeparatorIndex + 1));
-    }
-
-    return new Pair<>(identifier, deviceId);
-  }
-
-  public Optional<AuthenticatedAccount> authenticate(BasicCredentials basicCredentials, boolean enabledRequired) {
-    boolean succeeded = false;
-    String failureReason = null;
-    boolean hasStoryCapability = false;
-
-    try {
-      final UUID accountUuid;
-      final long deviceId;
-      {
-        final Pair<String, Long> identifierAndDeviceId = getIdentifierAndDeviceId(basicCredentials.getUsername());
-
-        accountUuid = UUID.fromString(identifierAndDeviceId.first());
-        deviceId = identifierAndDeviceId.second();
-      }
-
-      Optional<Account> account = accountsManager.getByAccountIdentifier(accountUuid);
-
-      if (account.isEmpty()) {
-        failureReason = "noSuchAccount";
-        return Optional.empty();
-      }
-
-      hasStoryCapability = account.map(Account::isStoriesSupported).orElse(false);
-
-      Optional<Device> device = account.get().getDevice(deviceId);
-
-      if (device.isEmpty()) {
-        failureReason = "noSuchDevice";
-        return Optional.empty();
-      }
-
-      if (enabledRequired) {
-        if (!device.get().isEnabled()) {
-          failureReason = "deviceDisabled";
-          return Optional.empty();
-        }
-
-        if (!account.get().isEnabled()) {
-          failureReason = "accountDisabled";
-          return Optional.empty();
-        }
-      }
-
-      AuthenticationCredentials deviceAuthenticationCredentials = device.get().getAuthenticationCredentials();
-      if (deviceAuthenticationCredentials.verify(basicCredentials.getPassword())) {
-        succeeded = true;
-        Account authenticatedAccount = updateLastSeen(account.get(), device.get());
-        if (deviceAuthenticationCredentials.getVersion() != AuthenticationCredentials.CURRENT_VERSION) {
-          authenticatedAccount = accountsManager.updateDeviceAuthentication(
-              authenticatedAccount,
-              device.get(),
-              new AuthenticationCredentials(basicCredentials.getPassword()));  // new credentials have current version
-        }
-        return Optional.of(new AuthenticatedAccount(
-            new RefreshingAccountAndDeviceSupplier(authenticatedAccount, device.get().getId(), accountsManager)));
-      }
-
-      return Optional.empty();
-    } catch (IllegalArgumentException | InvalidAuthorizationHeaderException iae) {
-      failureReason = "invalidHeader";
-      return Optional.empty();
-    } finally {
-      Tags tags = Tags.of(
-          AUTHENTICATION_SUCCEEDED_TAG_NAME, String.valueOf(succeeded),
-          AUTHENTICATION_ENABLED_REQUIRED_TAG_NAME, String.valueOf(enabledRequired));
-
-      if (StringUtils.isNotBlank(failureReason)) {
-        tags = tags.and(AUTHENTICATION_FAILURE_REASON_TAG_NAME, failureReason);
-      }
-
-      Metrics.counter(AUTHENTICATION_COUNTER_NAME, tags).increment();
-
-      Tags storyTags = Tags.of(AUTHENTICATION_HAS_STORY_CAPABILITY, String.valueOf(hasStoryCapability));
-      Metrics.counter(STORY_ADOPTION_COUNTER_NAME, storyTags).increment();
-    }
-  }
-
-  @VisibleForTesting
-  public Account updateLastSeen(Account account, Device device) {
-    final long lastSeenOffsetSeconds   = Math.abs(account.getUuid().getLeastSignificantBits()) % ChronoUnit.DAYS.getDuration().toSeconds();
-    final long todayInMillisWithOffset = Util.todayInMillisGivenOffsetFromNow(clock, Duration.ofSeconds(lastSeenOffsetSeconds).negated());
-
-    if (device.getLastSeen() < todayInMillisWithOffset) {
-      Metrics.summary(DAYS_SINCE_LAST_SEEN_DISTRIBUTION_NAME, IS_PRIMARY_DEVICE_TAG, String.valueOf(device.isMaster()))
-          .record(Duration.ofMillis(todayInMillisWithOffset - device.getLastSeen()).toDays());
-
-      return accountsManager.updateDeviceLastSeen(account, device, Util.todayInMillis(clock));
-    }
-
-    return account;
-  }
-}

service/src/main/java/org/whispersystems/textsecuregcm/auth/BasicAuthorizationHeader.java

@@ -11,10 +11,10 @@ import org.whispersystems.textsecuregcm.util.Pair;
 public class BasicAuthorizationHeader {
 
   private final String username;
-  private final long deviceId;
+  private final byte deviceId;
   private final String password;
 
-  private BasicAuthorizationHeader(final String username, final long deviceId, final String password) {
+  private BasicAuthorizationHeader(final String username, final byte deviceId, final String password) {
     this.username = username;
     this.deviceId = deviceId;
     this.password = password;
@@ -59,10 +59,10 @@ public class BasicAuthorizationHeader {
       final String usernameComponent = credentials.substring(0, credentialSeparatorIndex);
 
       final String username;
-      final long deviceId;
+      final byte deviceId;
       {
-        final Pair<String, Long> identifierAndDeviceId =
-            BaseAccountAuthenticator.getIdentifierAndDeviceId(usernameComponent);
+        final Pair<String, Byte> identifierAndDeviceId =
+            AccountAuthenticator.getIdentifierAndDeviceId(usernameComponent);
 
         username = identifierAndDeviceId.first();
         deviceId = identifierAndDeviceId.second();

service/src/main/java/org/whispersystems/textsecuregcm/auth/CertificateGenerator.java

@@ -8,12 +8,12 @@ package org.whispersystems.textsecuregcm.auth;
 import com.google.protobuf.ByteString;
 import com.google.protobuf.InvalidProtocolBufferException;
 import java.security.InvalidKeyException;
-import java.util.Base64;
 import java.util.concurrent.TimeUnit;
 import org.signal.libsignal.protocol.ecc.Curve;
 import org.signal.libsignal.protocol.ecc.ECPrivateKey;
 import org.whispersystems.textsecuregcm.entities.MessageProtos.SenderCertificate;
 import org.whispersystems.textsecuregcm.entities.MessageProtos.ServerCertificate;
+import org.whispersystems.textsecuregcm.identity.IdentityType;
 import org.whispersystems.textsecuregcm.storage.Account;
 import org.whispersystems.textsecuregcm.storage.Device;
 
@@ -31,13 +31,13 @@ public class CertificateGenerator {
     this.serverCertificate = ServerCertificate.parseFrom(serverCertificate);
   }
 
-  public byte[] createFor(Account account, Device device, boolean includeE164) throws InvalidKeyException {
+  public byte[] createFor(final Account account, final byte deviceId, boolean includeE164) throws InvalidKeyException {
     SenderCertificate.Certificate.Builder builder = SenderCertificate.Certificate.newBuilder()
-                                                                                 .setSenderDevice(Math.toIntExact(device.getId()))
-                                                                                 .setExpires(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(expiresDays))
-                                                                                 .setIdentityKey(ByteString.copyFrom(Base64.getDecoder().decode(account.getIdentityKey())))
-                                                                                 .setSigner(serverCertificate)
-                                                                                 .setSenderUuid(account.getUuid().toString());
+        .setSenderDevice(Math.toIntExact(deviceId))
+        .setExpires(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(expiresDays))
+        .setIdentityKey(ByteString.copyFrom(account.getIdentityKey(IdentityType.ACI).serialize()))
+        .setSigner(serverCertificate)
+        .setSenderUuid(account.getUuid().toString());
 
     if (includeE164) {
       builder.setSender(account.getNumber());

service/src/main/java/org/whispersystems/textsecuregcm/auth/ChangesLinkedDevices.java

@@ -16,5 +16,5 @@ import java.lang.annotation.Target;
  */
 @Target(ElementType.METHOD)
 @Retention(RetentionPolicy.RUNTIME)
-public @interface ChangesDeviceEnabledState {
+public @interface ChangesLinkedDevices {
 }

service/src/main/java/org/whispersystems/textsecuregcm/auth/ChangesPhoneNumber.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright 2024 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * Indicates that an endpoint changes the phone number and PNI keys associated with an account, and that
+ * any websockets associated with the account may need to be refreshed after a call to that endpoint.
+ */
+@Target(ElementType.METHOD)
+@Retention(RetentionPolicy.RUNTIME)
+public @interface ChangesPhoneNumber {
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/CloudflareTurnCredentialsManager.java

@@ -0,0 +1,156 @@
+/*
+ * Copyright 2024 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import io.micrometer.core.instrument.Metrics;
+import io.micrometer.core.instrument.Timer;
+import io.netty.resolver.dns.DnsNameResolver;
+import jakarta.ws.rs.core.Response;
+import java.io.IOException;
+import java.net.Inet6Address;
+import java.net.URI;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.time.Duration;
+import java.util.Collections;
+import java.util.List;
+import java.util.concurrent.CompletionException;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.ScheduledExecutorService;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.whispersystems.textsecuregcm.configuration.CircuitBreakerConfiguration;
+import org.whispersystems.textsecuregcm.configuration.RetryConfiguration;
+import org.whispersystems.textsecuregcm.http.FaultTolerantHttpClient;
+import org.whispersystems.textsecuregcm.metrics.MetricsUtil;
+import org.whispersystems.textsecuregcm.util.ExceptionUtils;
+import org.whispersystems.textsecuregcm.util.SystemMapper;
+
+public class CloudflareTurnCredentialsManager {
+
+  private static final Logger logger = LoggerFactory.getLogger(CloudflareTurnCredentialsManager.class);
+
+  private static final String CREDENTIAL_FETCH_TIMER_NAME = MetricsUtil.name(CloudflareTurnCredentialsManager.class,
+      "credentialFetchLatency");
+
+  private final List<String> cloudflareTurnUrls;
+  private final List<String> cloudflareTurnUrlsWithIps;
+  private final String cloudflareTurnHostname;
+  private final HttpRequest getCredentialsRequest;
+
+  private final FaultTolerantHttpClient cloudflareTurnClient;
+  private final DnsNameResolver dnsNameResolver;
+
+  private final Duration clientCredentialTtl;
+
+  private record CredentialRequest(long ttl) {}
+
+  private record CloudflareTurnResponse(IceServer iceServers) {
+
+    private record IceServer(
+        String username,
+        String credential,
+        List<String> urls) {
+    }
+  }
+
+  public CloudflareTurnCredentialsManager(final String cloudflareTurnApiToken,
+      final String cloudflareTurnEndpoint,
+      final Duration requestedCredentialTtl,
+      final Duration clientCredentialTtl,
+      final List<String> cloudflareTurnUrls,
+      final List<String> cloudflareTurnUrlsWithIps,
+      final String cloudflareTurnHostname,
+      final int cloudflareTurnNumHttpClients,
+      final CircuitBreakerConfiguration circuitBreaker,
+      final ExecutorService executor,
+      final RetryConfiguration retry,
+      final ScheduledExecutorService retryExecutor,
+      final DnsNameResolver dnsNameResolver) {
+
+    this.cloudflareTurnClient = FaultTolerantHttpClient.newBuilder()
+        .withName("cloudflare-turn")
+        .withCircuitBreaker(circuitBreaker)
+        .withExecutor(executor)
+        .withRetry(retry)
+        .withRetryExecutor(retryExecutor)
+        .withNumClients(cloudflareTurnNumHttpClients)
+        .build();
+    this.cloudflareTurnUrls = cloudflareTurnUrls;
+    this.cloudflareTurnUrlsWithIps = cloudflareTurnUrlsWithIps;
+    this.cloudflareTurnHostname = cloudflareTurnHostname;
+    this.dnsNameResolver = dnsNameResolver;
+
+    final String credentialsRequestBody;
+
+    try {
+      credentialsRequestBody =
+          SystemMapper.jsonMapper().writeValueAsString(new CredentialRequest(requestedCredentialTtl.toSeconds()));
+    } catch (final JsonProcessingException e) {
+      throw new IllegalArgumentException(e);
+    }
+
+    // We repeat the same request to Cloudflare every time, so we can construct it once and re-use it
+    this.getCredentialsRequest = HttpRequest.newBuilder()
+        .uri(URI.create(cloudflareTurnEndpoint))
+        .header("Content-Type", "application/json")
+        .header("Authorization", String.format("Bearer %s", cloudflareTurnApiToken))
+        .POST(HttpRequest.BodyPublishers.ofString(credentialsRequestBody))
+        .build();
+
+    this.clientCredentialTtl = clientCredentialTtl;
+  }
+
+  public TurnToken retrieveFromCloudflare() throws IOException {
+    final List<String> cloudflareTurnComposedUrls;
+    try {
+      cloudflareTurnComposedUrls = dnsNameResolver.resolveAll(cloudflareTurnHostname).get().stream()
+          .map(i -> switch (i) {
+            case Inet6Address i6 -> "[" + i6.getHostAddress() + "]";
+            default -> i.getHostAddress();
+          })
+          .flatMap(i -> cloudflareTurnUrlsWithIps.stream().map(u -> u.formatted(i)))
+          .toList();
+    } catch (Exception e) {
+      throw new IOException(e);
+    }
+
+    final Timer.Sample sample = Timer.start();
+    final HttpResponse<String> response;
+    try {
+      response = cloudflareTurnClient.sendAsync(getCredentialsRequest, HttpResponse.BodyHandlers.ofString()).join();
+      sample.stop(Timer.builder(CREDENTIAL_FETCH_TIMER_NAME)
+          .publishPercentileHistogram(true)
+          .tags("outcome", "success")
+          .register(Metrics.globalRegistry));
+    } catch (CompletionException e) {
+      logger.warn("failed to make http request to Cloudflare Turn: {}", e.getMessage());
+      sample.stop(Timer.builder(CREDENTIAL_FETCH_TIMER_NAME)
+          .publishPercentileHistogram(true)
+          .tags("outcome", "failure")
+          .register(Metrics.globalRegistry));
+      throw new IOException(ExceptionUtils.unwrap(e));
+    }
+
+    if (response.statusCode() != Response.Status.CREATED.getStatusCode()) {
+      logger.warn("failure request credentials from Cloudflare Turn (code={}): {}", response.statusCode(), response);
+      throw new IOException("Cloudflare Turn http failure : " + response.statusCode());
+    }
+
+    final CloudflareTurnResponse cloudflareTurnResponse = SystemMapper.jsonMapper()
+        .readValue(response.body(), CloudflareTurnResponse.class);
+
+    return new TurnToken(
+        cloudflareTurnResponse.iceServers().username(),
+        cloudflareTurnResponse.iceServers().credential(),
+        clientCredentialTtl.toSeconds(),
+        cloudflareTurnUrls == null ? Collections.emptyList() : cloudflareTurnUrls,
+        cloudflareTurnComposedUrls,
+        cloudflareTurnHostname
+    );
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/CombinedUnidentifiedSenderAccessKeys.java

@@ -5,10 +5,10 @@
 
 package org.whispersystems.textsecuregcm.auth;
 
+import jakarta.ws.rs.WebApplicationException;
+import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.core.Response.Status;
 import java.util.Base64;
-import javax.ws.rs.WebApplicationException;
-import javax.ws.rs.core.Response;
-import javax.ws.rs.core.Response.Status;
 
 public class CombinedUnidentifiedSenderAccessKeys {
   private final byte[] combinedUnidentifiedSenderAccessKeys;
@@ -16,7 +16,7 @@ public class CombinedUnidentifiedSenderAccessKeys {
   public CombinedUnidentifiedSenderAccessKeys(String header) {
     try {
       this.combinedUnidentifiedSenderAccessKeys = Base64.getDecoder().decode(header);
-      if (this.combinedUnidentifiedSenderAccessKeys == null || this.combinedUnidentifiedSenderAccessKeys.length != 16) {
+      if (this.combinedUnidentifiedSenderAccessKeys == null || this.combinedUnidentifiedSenderAccessKeys.length != UnidentifiedAccessUtil.UNIDENTIFIED_ACCESS_KEY_LENGTH) {
         throw new WebApplicationException("Invalid combined unidentified sender access keys", Status.UNAUTHORIZED);
       }
     } catch (IllegalArgumentException e) {

service/src/main/java/org/whispersystems/textsecuregcm/auth/ContainerRequestUtil.java

@@ -1,21 +0,0 @@
-/*
- * Copyright 2013-2021 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.auth;
-
-import org.glassfish.jersey.server.ContainerRequest;
-import org.whispersystems.textsecuregcm.storage.Account;
-import javax.ws.rs.core.SecurityContext;
-import java.util.Optional;
-
-class ContainerRequestUtil {
-
-  static Optional<Account> getAuthenticatedAccount(final ContainerRequest request) {
-    return Optional.ofNullable(request.getSecurityContext())
-        .map(SecurityContext::getUserPrincipal)
-        .map(principal -> principal instanceof AccountAndAuthenticatedDeviceHolder
-            ? ((AccountAndAuthenticatedDeviceHolder) principal).getAccount() : null);
-  }
-}

service/src/main/java/org/whispersystems/textsecuregcm/auth/DisabledPermittedAccountAuthenticator.java

@@ -1,26 +0,0 @@
-/*
- * Copyright 2013-2021 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.auth;
-
-import io.dropwizard.auth.Authenticator;
-import io.dropwizard.auth.basic.BasicCredentials;
-import java.util.Optional;
-import org.whispersystems.textsecuregcm.experiment.ExperimentEnrollmentManager;
-import org.whispersystems.textsecuregcm.storage.AccountsManager;
-
-public class DisabledPermittedAccountAuthenticator extends BaseAccountAuthenticator implements
-    Authenticator<BasicCredentials, DisabledPermittedAuthenticatedAccount> {
-
-  public DisabledPermittedAccountAuthenticator(AccountsManager accountsManager) {
-    super(accountsManager);
-  }
-
-  @Override
-  public Optional<DisabledPermittedAuthenticatedAccount> authenticate(BasicCredentials credentials) {
-    Optional<AuthenticatedAccount> account = super.authenticate(credentials, false);
-    return account.map(DisabledPermittedAuthenticatedAccount::new);
-  }
-}

service/src/main/java/org/whispersystems/textsecuregcm/auth/DisabledPermittedAuthenticatedAccount.java

@@ -1,42 +0,0 @@
-/*
- * Copyright 2013-2021 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.auth;
-
-import java.security.Principal;
-import javax.security.auth.Subject;
-import org.whispersystems.textsecuregcm.storage.Account;
-import org.whispersystems.textsecuregcm.storage.Device;
-
-public class DisabledPermittedAuthenticatedAccount implements Principal, AccountAndAuthenticatedDeviceHolder {
-
-  private final AuthenticatedAccount authenticatedAccount;
-
-  public DisabledPermittedAuthenticatedAccount(final AuthenticatedAccount authenticatedAccount) {
-    this.authenticatedAccount = authenticatedAccount;
-  }
-
-  @Override
-  public Account getAccount() {
-    return authenticatedAccount.getAccount();
-  }
-
-  @Override
-  public Device getAuthenticatedDevice() {
-    return authenticatedAccount.getAuthenticatedDevice();
-  }
-
-  // Principal implementation
-
-  @Override
-  public String getName() {
-    return null;
-  }
-
-  @Override
-  public boolean implies(Subject subject) {
-    return false;
-  }
-}

service/src/main/java/org/whispersystems/textsecuregcm/auth/DisconnectionRequestListener.java

@@ -0,0 +1,24 @@
+/*
+ * Copyright 2024 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import java.util.Collection;
+import java.util.UUID;
+
+/**
+ * A disconnection request listener receives and handles requests to close authenticated client network connections.
+ */
+public interface DisconnectionRequestListener {
+
+  /**
+   * Handles a request to close authenticated network connections for one or more authenticated devices. Requests are
+   * dispatched on dedicated threads, and implementations may safely block.
+   *
+   * @param accountIdentifier the account identifier for which to close authenticated connections
+   * @param deviceIds the device IDs within the identified account for which to close authenticated connections
+   */
+  void handleDisconnectionRequest(UUID accountIdentifier, Collection<Byte> deviceIds);
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/DisconnectionRequestManager.java

@@ -0,0 +1,165 @@
+/*
+ * Copyright 2024 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import com.google.protobuf.InvalidProtocolBufferException;
+import io.dropwizard.lifecycle.Managed;
+import io.lettuce.core.pubsub.RedisPubSubAdapter;
+import java.nio.charset.StandardCharsets;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+import java.util.UUID;
+import java.util.concurrent.CompletionStage;
+import java.util.concurrent.CopyOnWriteArrayList;
+import java.util.concurrent.Executor;
+import javax.annotation.Nullable;
+import io.micrometer.core.instrument.Counter;
+import io.micrometer.core.instrument.Metrics;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.whispersystems.textsecuregcm.metrics.MetricsUtil;
+import org.whispersystems.textsecuregcm.redis.FaultTolerantPubSubConnection;
+import org.whispersystems.textsecuregcm.redis.FaultTolerantRedisClient;
+import org.whispersystems.textsecuregcm.storage.Device;
+import org.whispersystems.textsecuregcm.util.UUIDUtil;
+
+/**
+ * A disconnection request manager broadcasts and dispatches requests for servers to close authenticated connections
+ * from specific clients.
+ *
+ * @see DisconnectionRequestListener
+ */
+public class DisconnectionRequestManager extends RedisPubSubAdapter<byte[], byte[]> implements Managed {
+
+  private final FaultTolerantRedisClient pubSubClient;
+  private final Executor listenerEventExecutor;
+
+  // We expect just a couple listeners to get added at startup time and not at all at steady-state. There are several
+  // reasonable ways to model this, but a copy-on-write list gives us good flexibility with minimal performance cost.
+  private final List<DisconnectionRequestListener> listeners = new CopyOnWriteArrayList<>();
+
+  @Nullable
+  private FaultTolerantPubSubConnection<byte[], byte[]> pubSubConnection;
+
+  private static final byte[] DISCONNECTION_REQUEST_CHANNEL = "disconnection_requests".getBytes(StandardCharsets.UTF_8);
+
+  private static final Counter DISCONNECTION_REQUESTS_SENT_COUNTER =
+      Metrics.counter(MetricsUtil.name(DisconnectionRequestManager.class, "requestsSent"));
+
+  private static final Counter DISCONNECTION_REQUESTS_RECEIVED_COUNTER =
+      Metrics.counter(MetricsUtil.name(DisconnectionRequestManager.class, "requestsReceived"));
+
+  private static final Logger logger = LoggerFactory.getLogger(DisconnectionRequestManager.class);
+
+  public DisconnectionRequestManager(final FaultTolerantRedisClient pubSubClient,
+      final Executor listenerEventExecutor) {
+
+    this.pubSubClient = pubSubClient;
+    this.listenerEventExecutor = listenerEventExecutor;
+  }
+
+  @Override
+  public synchronized void start() {
+    this.pubSubConnection = pubSubClient.createBinaryPubSubConnection();
+    this.pubSubConnection.usePubSubConnection(connection -> {
+      connection.addListener(this);
+      connection.sync().subscribe(DISCONNECTION_REQUEST_CHANNEL);
+    });
+  }
+
+  @Override
+  public synchronized void stop() {
+    if (pubSubConnection != null) {
+      pubSubConnection.usePubSubConnection(connection -> {
+        connection.removeListener(this);
+        connection.close();
+      });
+    }
+
+    pubSubConnection = null;
+  }
+
+  /**
+   * Adds a listener for disconnection requests. Listeners will receive all broadcast disconnection requests regardless
+   * of whether the device in connection is connected to this server.
+   *
+   * @param listener the listener to register
+   */
+  public void addListener(final DisconnectionRequestListener listener) {
+    listeners.add(listener);
+  }
+
+  /**
+   * Broadcasts a request to close all connections associated with the given account identifier to all servers.
+   *
+   * @param accountIdentifier the account for which to close connections
+   *
+   * @return a future that completes when the request has been broadcast
+   */
+  public CompletionStage<Void> requestDisconnection(final UUID accountIdentifier) {
+    return requestDisconnection(accountIdentifier, Collections.emptyList());
+  }
+
+  /**
+   * Broadcasts a request to close connections associated with the given account identifier and device IDs to all
+   * servers.
+   *
+   * @param accountIdentifier the account for which to close connections
+   * @param deviceIds the device IDs for which to close connections
+   *
+   * @return a future that completes when the request has been broadcast
+   */
+  public CompletionStage<Void> requestDisconnection(final UUID accountIdentifier, final Collection<Byte> deviceIds) {
+    final DisconnectionRequest disconnectionRequest = DisconnectionRequest.newBuilder()
+        .setAccountIdentifier(UUIDUtil.toByteString(accountIdentifier))
+        .addAllDeviceIds(deviceIds.stream().mapToInt(Byte::intValue).boxed().toList())
+        .build();
+
+    return pubSubClient.withBinaryConnection(connection ->
+            connection.async().publish(DISCONNECTION_REQUEST_CHANNEL, disconnectionRequest.toByteArray()))
+        .toCompletableFuture()
+        .thenRun(DISCONNECTION_REQUESTS_SENT_COUNTER::increment);
+  }
+
+  @Override
+  public void message(final byte[] channel, final byte[] message) {
+    final UUID accountIdentifier;
+    final List<Byte> deviceIds;
+
+    try {
+      final DisconnectionRequest disconnectionRequest = DisconnectionRequest.parseFrom(message);
+      DISCONNECTION_REQUESTS_RECEIVED_COUNTER.increment();
+
+      accountIdentifier = UUIDUtil.fromByteString(disconnectionRequest.getAccountIdentifier());
+      deviceIds = disconnectionRequest.getDeviceIdsCount() > 0
+          ? disconnectionRequest.getDeviceIdsList().stream()
+          .map(deviceIdInt -> {
+            if (deviceIdInt == null || deviceIdInt < Device.PRIMARY_ID || deviceIdInt > Byte.MAX_VALUE) {
+              throw new IllegalArgumentException("Invalid device ID: " + deviceIdInt);
+            }
+
+            return deviceIdInt.byteValue();
+          })
+          .toList()
+          : Device.ALL_POSSIBLE_DEVICE_IDS;
+    } catch (final InvalidProtocolBufferException e) {
+      logger.error("Could not parse disconnection request protobuf", e);
+      return;
+    } catch (final IllegalArgumentException e) {
+      logger.error("Could not parse part of disconnection request", e);
+      return;
+    }
+
+    for (final DisconnectionRequestListener listener : listeners) {
+      try {
+        listenerEventExecutor.execute(() -> listener.handleDisconnectionRequest(accountIdentifier, deviceIds));
+      } catch (final Exception e) {
+        logger.warn("Listener failed to handle disconnection request", e);
+      }
+    }
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/ExternalServiceCredentialGenerator.java

@@ -1,86 +0,0 @@
-/*
- * Copyright 2013-2021 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.auth;
-
-import com.google.common.annotations.VisibleForTesting;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-import java.time.Clock;
-import javax.crypto.Mac;
-import javax.crypto.spec.SecretKeySpec;
-import org.apache.commons.codec.binary.Hex;
-import org.whispersystems.textsecuregcm.util.Util;
-
-public class ExternalServiceCredentialGenerator {
-
-  private final byte[] key;
-  private final byte[] userIdKey;
-  private final boolean usernameDerivation;
-  private final boolean prependUsername;
-  private final Clock clock;
-
-  public ExternalServiceCredentialGenerator(byte[] key, byte[] userIdKey) {
-    this(key, userIdKey, true, true);
-  }
-
-  public ExternalServiceCredentialGenerator(byte[] key, boolean prependUsername) {
-    this(key, new byte[0], false, prependUsername);
-  }
-
-  @VisibleForTesting
-  public ExternalServiceCredentialGenerator(byte[] key, byte[] userIdKey, boolean usernameDerivation) {
-    this(key, userIdKey, usernameDerivation, true);
-  }
-
-  public ExternalServiceCredentialGenerator(byte[] key, byte[] userIdKey, boolean usernameDerivation,
-      boolean prependUsername) {
-    this(key, userIdKey, usernameDerivation, prependUsername, Clock.systemUTC());
-  }
-
-  @VisibleForTesting
-  public ExternalServiceCredentialGenerator(byte[] key, byte[] userIdKey, boolean usernameDerivation,
-      boolean prependUsername, Clock clock) {
-    this.key = key;
-    this.userIdKey = userIdKey;
-    this.usernameDerivation = usernameDerivation;
-    this.prependUsername = prependUsername;
-    this.clock = clock;
-  }
-
-  public ExternalServiceCredentials generateFor(String identity) {
-    Mac mac = getMacInstance();
-    String username = getUserId(identity, mac, usernameDerivation);
-    long currentTimeSeconds = clock.millis() / 1000;
-    String prefix = username + ":" + currentTimeSeconds;
-    String output = Hex.encodeHexString(Util.truncate(getHmac(key, prefix.getBytes(), mac), 10));
-    String token = (prependUsername ? prefix : currentTimeSeconds) + ":" + output;
-
-    return new ExternalServiceCredentials(username, token);
-  }
-
-  private String getUserId(String number, Mac mac, boolean usernameDerivation) {
-    if (usernameDerivation) return Hex.encodeHexString(Util.truncate(getHmac(userIdKey, number.getBytes(), mac), 10));
-    else                    return number;
-  }
-
-  private Mac getMacInstance() {
-    try {
-      return Mac.getInstance("HmacSHA256");
-    } catch (NoSuchAlgorithmException e) {
-      throw new AssertionError(e);
-    }
-  }
-
-  private byte[] getHmac(byte[] key, byte[] input, Mac mac) {
-    try {
-      mac.init(new SecretKeySpec(key, "HmacSHA256"));
-      return mac.doFinal(input);
-    } catch (InvalidKeyException e) {
-      throw new AssertionError(e);
-    }
-  }
-
-}

service/src/main/java/org/whispersystems/textsecuregcm/auth/ExternalServiceCredentials.java

@@ -6,28 +6,6 @@
 package org.whispersystems.textsecuregcm.auth;
 
 
-import com.fasterxml.jackson.annotation.JsonProperty;
+public record ExternalServiceCredentials(String username, String password) {
 
-public class ExternalServiceCredentials {
-
-  @JsonProperty
-  private String username;
-
-  @JsonProperty
-  private String password;
-
-  public ExternalServiceCredentials(String username, String password) {
-    this.username = username;
-    this.password = password;
-  }
-
-  public ExternalServiceCredentials() {}
-
-  public String getUsername() {
-    return username;
-  }
-
-  public String getPassword() {
-    return password;
-  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/auth/ExternalServiceCredentialsGenerator.java

@@ -0,0 +1,293 @@
+/*
+ * Copyright 2013 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import static java.util.Objects.requireNonNull;
+import static org.whispersystems.textsecuregcm.util.HmacUtils.hmac256ToHexString;
+import static org.whispersystems.textsecuregcm.util.HmacUtils.hmac256TruncatedToHexString;
+import static org.whispersystems.textsecuregcm.util.HmacUtils.hmacHexStringsEqual;
+
+import com.google.common.annotations.VisibleForTesting;
+import java.time.Clock;
+import java.time.Instant;
+import java.util.Optional;
+import java.util.UUID;
+import java.util.function.Function;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.Validate;
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretBytes;
+
+public class ExternalServiceCredentialsGenerator {
+
+  private static final String DELIMITER = ":";
+
+  private static final int TRUNCATED_SIGNATURE_LENGTH = 10;
+
+  private final byte[] key;
+
+  private final byte[] userDerivationKey;
+
+  private final boolean prependUsername;
+
+  private final boolean truncateSignature;
+
+  private final String usernameTimestampPrefix;
+
+  private final Function<Instant, Instant> usernameTimestampTruncator;
+
+  private final Clock clock;
+
+  private final int derivedUsernameTruncateLength;
+
+
+  public static ExternalServiceCredentialsGenerator.Builder builder(final SecretBytes key) {
+    return builder(key.value());
+  }
+
+  @VisibleForTesting
+  public static ExternalServiceCredentialsGenerator.Builder builder(final byte[] key) {
+    return new Builder(key);
+  }
+
+  private ExternalServiceCredentialsGenerator(
+      final byte[] key,
+      final byte[] userDerivationKey,
+      final boolean prependUsername,
+      final boolean truncateSignature,
+      final int derivedUsernameTruncateLength,
+      final String usernameTimestampPrefix,
+      final Function<Instant, Instant> usernameTimestampTruncator,
+      final Clock clock) {
+    this.key = requireNonNull(key);
+    this.userDerivationKey = requireNonNull(userDerivationKey);
+    this.prependUsername = prependUsername;
+    this.truncateSignature = truncateSignature;
+    this.usernameTimestampPrefix = usernameTimestampPrefix;
+    this.usernameTimestampTruncator = usernameTimestampTruncator;
+    this.clock = requireNonNull(clock);
+    this.derivedUsernameTruncateLength = derivedUsernameTruncateLength;
+
+    if (hasUsernameTimestampPrefix() ^ hasUsernameTimestampTruncator()) {
+      throw new RuntimeException("Configured to have only one of (usernameTimestampPrefix, usernameTimestampTruncator)");
+    }
+  }
+
+  /**
+   * A convenience method for the case of identity in the form of {@link UUID}.
+   * @param uuid identity to generate credentials for
+   * @return an instance of {@link ExternalServiceCredentials}
+   */
+  public ExternalServiceCredentials generateForUuid(final UUID uuid) {
+    return generateFor(uuid.toString());
+  }
+
+  /**
+   * Generates `ExternalServiceCredentials` for the given identity following this generator's configuration.
+   * @param identity identity string to generate credentials for
+   * @return an instance of {@link ExternalServiceCredentials}
+   */
+  public ExternalServiceCredentials generateFor(final String identity) {
+    if (usernameIsTimestamp()) {
+      throw new RuntimeException("Configured to use timestamp as username");
+    }
+
+    return generate(identity);
+  }
+
+  /**
+   * Generates `ExternalServiceCredentials` using a prefix concatenated with a truncated timestamp as the username, following this generator's configuration.
+   * @return an instance of {@link ExternalServiceCredentials}
+   */
+  public ExternalServiceCredentials generateWithTimestampAsUsername() {
+    if (!usernameIsTimestamp()) {
+      throw new RuntimeException("Not configured to use timestamp as username");
+    }
+
+    final String truncatedTimestampSeconds = String.valueOf(usernameTimestampTruncator.apply(clock.instant()).getEpochSecond());
+    return generate(usernameTimestampPrefix + DELIMITER + truncatedTimestampSeconds);
+  }
+
+  private ExternalServiceCredentials generate(final String identity) {
+    final String username = shouldDeriveUsername()
+        ? hmac256TruncatedToHexString(userDerivationKey, identity, derivedUsernameTruncateLength)
+        : identity;
+
+    final long currentTimeSeconds = currentTimeSeconds();
+
+    final String dataToSign = usernameIsTimestamp() ? username : username + DELIMITER + currentTimeSeconds;
+
+    final String signature = truncateSignature
+        ? hmac256TruncatedToHexString(key, dataToSign, TRUNCATED_SIGNATURE_LENGTH)
+        : hmac256ToHexString(key, dataToSign);
+
+    final String token = (prependUsername ? dataToSign : currentTimeSeconds) + DELIMITER + signature;
+
+    return new ExternalServiceCredentials(username, token);
+  }
+
+  /**
+   * In certain cases, identity (as it was passed to `generate` method)
+   * is a part of the signature (`password`, in terms of `ExternalServiceCredentials`) string itself.
+   * For such cases, this method returns the value of the identity string.
+   * @param password `password` part of `ExternalServiceCredentials`
+   * @return non-empty optional with an identity string value, or empty if value can't be extracted.
+   */
+  public Optional<String> identityFromSignature(final String password) {
+    // for some generators, identity in the clear is just not a part of the password
+    if (!prependUsername || shouldDeriveUsername() || StringUtils.isBlank(password)) {
+      return Optional.empty();
+    }
+    // checking for the case of unexpected format
+    if (StringUtils.countMatches(password, DELIMITER) == 2) {
+      if (usernameIsTimestamp()) {
+        final int indexOfSecondDelimiter = password.indexOf(DELIMITER, password.indexOf(DELIMITER) + 1);
+        return Optional.of(password.substring(0, indexOfSecondDelimiter));
+      } else {
+        return Optional.of(password.substring(0, password.indexOf(DELIMITER)));
+      }
+    }
+    return Optional.empty();
+  }
+
+  /**
+   * Given an instance of {@link ExternalServiceCredentials} object, checks that the password
+   * matches the username taking into account this generator's configuration.
+   * @param credentials an instance of {@link ExternalServiceCredentials}
+   * @return An optional with a timestamp (seconds) of when the credentials were generated,
+   *         or an empty optional if the password doesn't match the username for any reason (including malformed data)
+   */
+  public Optional<Long> validateAndGetTimestamp(final ExternalServiceCredentials credentials) {
+    final String[] parts = requireNonNull(credentials).password().split(DELIMITER);
+    final String timestampSeconds;
+    final String actualSignature;
+
+    // making sure password format matches our expectations based on the generator configuration
+    if (parts.length == 3 && prependUsername) {
+      final String username = usernameIsTimestamp() ? parts[0] + DELIMITER + parts[1] : parts[0];
+      // username has to match the one from `credentials`
+      if (!credentials.username().equals(username)) {
+        return Optional.empty();
+      }
+      timestampSeconds = parts[1];
+      actualSignature = parts[2];
+    } else if (parts.length == 2 && !prependUsername) {
+      timestampSeconds = parts[0];
+      actualSignature = parts[1];
+    } else {
+      // unexpected password format
+      return Optional.empty();
+    }
+
+    final String signedData = usernameIsTimestamp() ? credentials.username() : credentials.username() + DELIMITER + timestampSeconds;
+    final String expectedSignature = truncateSignature
+        ? hmac256TruncatedToHexString(key, signedData, TRUNCATED_SIGNATURE_LENGTH)
+        : hmac256ToHexString(key, signedData);
+
+    // if the signature is valid it's safe to parse the `timestampSeconds` string into Long
+    return hmacHexStringsEqual(expectedSignature, actualSignature)
+        ? Optional.of(Long.valueOf(timestampSeconds))
+        : Optional.empty();
+  }
+
+  /**
+   * Given an instance of {@link ExternalServiceCredentials} object and the max allowed age for those credentials,
+   * checks if credentials are valid and not expired.
+   * @param credentials an instance of {@link ExternalServiceCredentials}
+   * @param maxAgeSeconds age in seconds
+   * @return An optional with a timestamp (seconds) of when the credentials were generated,
+   *         or an empty optional if the password doesn't match the username for any reason (including malformed data)
+   */
+  public Optional<Long> validateAndGetTimestamp(final ExternalServiceCredentials credentials, final long maxAgeSeconds) {
+    return validateAndGetTimestamp(credentials)
+        .filter(ts -> currentTimeSeconds() - ts <= maxAgeSeconds);
+  }
+
+  private boolean shouldDeriveUsername() {
+    return userDerivationKey.length > 0;
+  }
+
+  private boolean hasUsernameTimestampPrefix() {
+    return usernameTimestampPrefix != null;
+  }
+
+  private boolean hasUsernameTimestampTruncator() {
+    return usernameTimestampTruncator != null;
+  }
+
+  private boolean usernameIsTimestamp() {
+    return hasUsernameTimestampPrefix() && hasUsernameTimestampTruncator();
+  }
+
+  private long currentTimeSeconds() {
+    return clock.instant().getEpochSecond();
+  }
+
+  public static class Builder {
+
+    private final byte[] key;
+
+    private byte[] userDerivationKey = new byte[0];
+
+    private boolean prependUsername = true;
+
+    private boolean truncateSignature = true;
+
+    private int derivedUsernameTruncateLength = 10;
+
+    private String usernameTimestampPrefix = null;
+
+    private Function<Instant, Instant> usernameTimestampTruncator = null;
+
+    private Clock clock = Clock.systemUTC();
+
+
+    private Builder(final byte[] key) {
+      this.key = requireNonNull(key);
+    }
+
+    public Builder withUserDerivationKey(final SecretBytes userDerivationKey) {
+      return withUserDerivationKey(userDerivationKey.value());
+    }
+
+    public Builder withUserDerivationKey(final byte[] userDerivationKey) {
+      Validate.isTrue(requireNonNull(userDerivationKey).length > 0, "userDerivationKey must not be empty");
+      this.userDerivationKey = userDerivationKey;
+      return this;
+    }
+
+    public Builder withClock(final Clock clock) {
+      this.clock = requireNonNull(clock);
+      return this;
+    }
+
+    public Builder withDerivedUsernameTruncateLength(int truncateLength) {
+      Validate.inclusiveBetween(10, 32, truncateLength);
+      this.derivedUsernameTruncateLength = truncateLength;
+      return this;
+    }
+
+    public Builder prependUsername(final boolean prependUsername) {
+      this.prependUsername = prependUsername;
+      return this;
+    }
+
+    public Builder truncateSignature(final boolean truncateSignature) {
+      this.truncateSignature = truncateSignature;
+      return this;
+    }
+
+    public Builder withUsernameTimestampTruncatorAndPrefix(final Function<Instant, Instant> truncator, final String prefix) {
+      this.usernameTimestampTruncator = truncator;
+      this.usernameTimestampPrefix = prefix;
+      return this;
+    }
+
+    public ExternalServiceCredentialsGenerator build() {
+      return new ExternalServiceCredentialsGenerator(
+          key, userDerivationKey, prependUsername, truncateSignature, derivedUsernameTruncateLength, usernameTimestampPrefix, usernameTimestampTruncator, clock);
+    }
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/ExternalServiceCredentialsSelector.java

@@ -0,0 +1,84 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+
+public class ExternalServiceCredentialsSelector {
+
+  private ExternalServiceCredentialsSelector() {}
+
+  public record CredentialInfo(String token, boolean valid, ExternalServiceCredentials credentials, long timestamp) {
+    /**
+     * @return a copy of this record with valid=false
+     */
+    private CredentialInfo invalidate() {
+      return new CredentialInfo(token, false, credentials, timestamp);
+    }
+  }
+
+  /**
+   * Validate a list of username:password credentials.
+   * A credential is valid if it passes validation by the provided credentialsGenerator AND it is the most recent
+   * credential in the provided list for a username.
+   *
+   * @param tokens A list of credentials, potentially with different usernames
+   * @param credentialsGenerator To validate these credentials
+   * @param maxAgeSeconds The maximum allowable age of the credential
+   * @return A {@link CredentialInfo} for each provided token
+   */
+  public static List<CredentialInfo> check(
+      final List<String> tokens,
+      final ExternalServiceCredentialsGenerator credentialsGenerator,
+      final long maxAgeSeconds) {
+
+    // the credential for the username with the latest timestamp (so far)
+    final Map<String, CredentialInfo> bestForUsername = new HashMap<>();
+    final List<CredentialInfo> results = new ArrayList<>();
+    for (String token : tokens) {
+      // each token is supposed to be in a "${username}:${password}" form,
+      // (note that password part may also contain ':' characters)
+      final String[] parts = token.split(":", 2);
+      if (parts.length != 2) {
+        results.add(new CredentialInfo(token, false, null, 0L));
+        continue;
+      }
+      final ExternalServiceCredentials credentials = new ExternalServiceCredentials(parts[0], parts[1]);
+      final Optional<Long> maybeTimestamp = credentialsGenerator.validateAndGetTimestamp(credentials, maxAgeSeconds);
+      if (maybeTimestamp.isEmpty()) {
+        results.add(new CredentialInfo(token, false, null, 0L));
+        continue;
+      }
+
+      // now that we validated signature and token age, we will also find the latest of the tokens
+      // for each username
+      final long timestamp = maybeTimestamp.get();
+      final CredentialInfo best = bestForUsername.get(credentials.username());
+      if (best == null) {
+        bestForUsername.put(credentials.username(), new CredentialInfo(token, true, credentials, timestamp));
+        continue;
+      }
+      if (best.timestamp() < timestamp) {
+        // we found a better credential for the username
+        bestForUsername.put(credentials.username(), new CredentialInfo(token, true, credentials, timestamp));
+        // mark the previous best as an invalid credential, since we have a better credential now
+        results.add(best.invalidate());
+      } else {
+        // the credential we already had was more recent, this one can be marked invalid
+        results.add(new CredentialInfo(token, false, null, 0L));
+      }
+    }
+
+    // all invalid tokens should be in results, just add the valid ones
+    results.addAll(bestForUsername.values());
+    return results;
+  }
+
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/GroupSendTokenHeader.java

@@ -0,0 +1,25 @@
+/*
+ * Copyright 2024 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import jakarta.ws.rs.WebApplicationException;
+import jakarta.ws.rs.core.Response.Status;
+import java.util.Base64;
+import org.signal.libsignal.zkgroup.InvalidInputException;
+import org.signal.libsignal.zkgroup.groupsend.GroupSendFullToken;
+
+public record GroupSendTokenHeader(GroupSendFullToken token) {
+
+  public static GroupSendTokenHeader valueOf(String header) {
+    try {
+      return new GroupSendTokenHeader(new GroupSendFullToken(Base64.getDecoder().decode(header)));
+    } catch (InvalidInputException | IllegalArgumentException e) {
+      // Base64 throws IllegalArgumentException; GroupSendFullToken ctor throws InvalidInputException
+      throw new WebApplicationException(e, Status.UNAUTHORIZED);
+    }
+  }
+
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter.java

@@ -0,0 +1,58 @@
+/*
+ * Copyright 2025 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import com.google.common.annotations.VisibleForTesting;
+import io.micrometer.core.instrument.Counter;
+import io.micrometer.core.instrument.Metrics;
+import java.time.Clock;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Optional;
+import org.eclipse.jetty.websocket.server.JettyServerUpgradeRequest;
+import org.eclipse.jetty.websocket.server.JettyServerUpgradeResponse;
+import org.whispersystems.textsecuregcm.metrics.MetricsUtil;
+import org.whispersystems.textsecuregcm.storage.Device;
+import org.whispersystems.websocket.auth.AuthenticatedWebSocketUpgradeFilter;
+
+public class IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter implements
+    AuthenticatedWebSocketUpgradeFilter<AuthenticatedDevice> {
+
+  private final Duration minIdleDuration;
+  private final Clock clock;
+
+  @VisibleForTesting
+  static final String ALERT_HEADER = "X-Signal-Alert";
+
+  @VisibleForTesting
+  static final String IDLE_PRIMARY_DEVICE_ALERT = "idle-primary-device";
+
+  private static final Counter IDLE_PRIMARY_WARNING_COUNTER = Metrics.counter(
+      MetricsUtil.name(IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter.class, "idlePrimaryDeviceWarning"),
+      "critical", "false");
+
+  public IdlePrimaryDeviceAuthenticatedWebSocketUpgradeFilter(final Duration minIdleDuration, final Clock clock) {
+    this.minIdleDuration = minIdleDuration;
+    this.clock = clock;
+  }
+
+  @Override
+  public void handleAuthentication(final Optional<AuthenticatedDevice> authenticated,
+      final JettyServerUpgradeRequest request,
+      final JettyServerUpgradeResponse response) {
+
+    // No action needed if the connection is unauthenticated (in which case we don't know when we've last seen the
+    // primary device) or if the authenticated device IS the primary device
+    authenticated
+        .filter(authenticatedDevice -> authenticatedDevice.deviceId() != Device.PRIMARY_ID)
+        .ifPresent(authenticatedDevice -> {
+          if (authenticatedDevice.primaryDeviceLastSeen().isBefore(clock.instant().minus(minIdleDuration))) {
+            response.addHeader(ALERT_HEADER, IDLE_PRIMARY_DEVICE_ALERT);
+            IDLE_PRIMARY_WARNING_COUNTER.increment();
+          }
+        });
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/InvalidAuthorizationHeaderException.java

@@ -5,8 +5,8 @@
 package org.whispersystems.textsecuregcm.auth;
 
 
-import javax.ws.rs.WebApplicationException;
-import javax.ws.rs.core.Response.Status;
+import jakarta.ws.rs.WebApplicationException;
+import jakarta.ws.rs.core.Response.Status;
 
 public class InvalidAuthorizationHeaderException extends WebApplicationException {
   public InvalidAuthorizationHeaderException(String s) {

service/src/main/java/org/whispersystems/textsecuregcm/auth/OptionalAccess.java

@@ -5,35 +5,37 @@
 
 package org.whispersystems.textsecuregcm.auth;
 
-import org.whispersystems.textsecuregcm.storage.Account;
-import org.whispersystems.textsecuregcm.storage.Device;
-
-import javax.ws.rs.NotAuthorizedException;
-import javax.ws.rs.NotFoundException;
-import javax.ws.rs.WebApplicationException;
-import javax.ws.rs.core.Response;
+import jakarta.ws.rs.NotAuthorizedException;
+import jakarta.ws.rs.NotFoundException;
+import jakarta.ws.rs.WebApplicationException;
+import jakarta.ws.rs.core.Response;
 import java.security.MessageDigest;
 import java.util.Optional;
+import org.whispersystems.textsecuregcm.identity.IdentityType;
+import org.whispersystems.textsecuregcm.identity.ServiceIdentifier;
+import org.whispersystems.textsecuregcm.storage.Account;
+import org.whispersystems.textsecuregcm.storage.Device;
 
 @SuppressWarnings("OptionalUsedAsFieldOrParameterType")
 public class OptionalAccess {
 
-  public static final String UNIDENTIFIED = "Unidentified-Access-Key";
+  public static String ALL_DEVICES_SELECTOR = "*";
+
+  public static void verify(Optional<Account> requestAccount,
+      Optional<Anonymous> accessKey,
+      Optional<Account> targetAccount,
+      ServiceIdentifier targetIdentifier,
+      String deviceSelector) {
 
-  public static void verify(Optional<Account>   requestAccount,
-                            Optional<Anonymous> accessKey,
-                            Optional<Account>   targetAccount,
-                            String              deviceSelector)
-  {
     try {
-      verify(requestAccount, accessKey, targetAccount);
+      verify(requestAccount, accessKey, targetAccount, targetIdentifier);
 
-      if (!deviceSelector.equals("*")) {
-        long deviceId = Long.parseLong(deviceSelector);
+      if (!ALL_DEVICES_SELECTOR.equals(deviceSelector)) {
+        byte deviceId = Byte.parseByte(deviceSelector);
 
         Optional<Device> targetDevice = targetAccount.get().getDevice(deviceId);
 
-        if (targetDevice.isPresent() && targetDevice.get().isEnabled()) {
+        if (targetDevice.isPresent()) {
           return;
         }
 
@@ -48,29 +50,50 @@ public class OptionalAccess {
     }
   }
 
-  public static void verify(Optional<Account>   requestAccount,
-                            Optional<Anonymous> accessKey,
-                            Optional<Account>   targetAccount)
-  {
-    if (requestAccount.isPresent() && targetAccount.isPresent() && targetAccount.get().isEnabled()) {
+  public static void verify(Optional<Account> requestAccount,
+      Optional<Anonymous> accessKey,
+      Optional<Account> targetAccount,
+      ServiceIdentifier targetIdentifier) {
+
+    if (requestAccount.isPresent()) {
+      // Authenticated requests are never unauthorized; if the target exists, return OK, otherwise throw not-found.
+      if (targetAccount.isPresent()) {
+        return;
+      } else {
+        throw new NotFoundException();
+      }
+    }
+
+    // Anything past this point can only be authenticated by an access key. Even when the target
+    // has unrestricted unidentified access, callers need to supply a fake access key. Likewise, if
+    // the target account does not exist, we *also* report unauthorized here (*not* not-found,
+    // since that would provide a free exists check).
+    if (accessKey.isEmpty() || targetAccount.isEmpty()) {
+      throw new NotAuthorizedException(Response.Status.UNAUTHORIZED);
+    }
+
+    // Unrestricted unidentified access does what it says on the tin: we don't check if the key the
+    // caller provided is right or not.
+    if (targetAccount.get().isUnrestrictedUnidentifiedAccess()) {
       return;
     }
 
-    //noinspection ConstantConditions
-    if (requestAccount.isPresent() && (targetAccount.isEmpty() || (targetAccount.isPresent() && !targetAccount.get().isEnabled()))) {
-      throw new NotFoundException();
+    if (!targetAccount.get().isIdentifiedBy(targetIdentifier)) {
+      throw new IllegalArgumentException("Target account is not identified by the given identifier");
     }
 
-    if (accessKey.isPresent() && targetAccount.isPresent() && targetAccount.get().isEnabled() && targetAccount.get().isUnrestrictedUnidentifiedAccess()) {
-      return;
+    // Unidentified access is only for ACI identities
+    if (IdentityType.PNI.equals(targetIdentifier.identityType())) {
+      throw new NotAuthorizedException(Response.Status.UNAUTHORIZED);
     }
 
-    if (accessKey.isPresent()                                      &&
-        targetAccount.isPresent()                                  &&
-        targetAccount.get().getUnidentifiedAccessKey().isPresent() &&
-        targetAccount.get().isEnabled()                            &&
-        MessageDigest.isEqual(accessKey.get().getAccessKey(), targetAccount.get().getUnidentifiedAccessKey().get()))
-    {
+    // At this point, any successful authentication requires a real access key on the target account
+    if (targetAccount.get().getUnidentifiedAccessKey().isEmpty()) {
+      throw new NotAuthorizedException(Response.Status.UNAUTHORIZED);
+    }
+
+    // Otherwise, access is gated by the caller having the unidentified-access key matching the target account.
+    if (MessageDigest.isEqual(accessKey.get().getAccessKey(), targetAccount.get().getUnidentifiedAccessKey().get())) {
       return;
     }