Update to the latest version of the spam filter

This reverts commit 024dd02628a7d989424273501528b52fe18c3ee9.

.github/workflows/documentation.yml

@@ -0,0 +1,33 @@
+name: Update Documentation
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  build:
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0
+        with:
+          distribution: 'temurin'
+          java-version: '17'
+          cache: 'maven'
+      - name: Compile and Build OpenAPI file
+        run: ./mvnw compile
+      - name: Update Documentation
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          cp -r api-doc/target/openapi/signal-server-openapi.yaml /tmp/
+          git config user.email "github@signal.org"
+          git config user.name "Documentation Updater"
+          git fetch origin gh-pages
+          git checkout gh-pages
+          cp /tmp/signal-server-openapi.yaml .
+          git diff --quiet || git commit -a -m "Updating documentation"
+          git push origin gh-pages -q

.github/workflows/integration-tests.yml

@@ -0,0 +1,30 @@
+name: Integration Tests
+
+on: [workflow_dispatch]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0
+        with:
+          distribution: 'temurin'
+          java-version: '17'
+          cache: 'maven'
+      - uses: aws-actions/configure-aws-credentials@v2
+        name: Configure AWS credentials from Test account
+        with:
+          role-to-assume: ${{ vars.AWS_ROLE }}
+          aws-region: ${{ vars.AWS_REGION }}
+      - name: Fetch integration utils library
+        run: |
+          mkdir -p integration-tests/.libs
+          mkdir -p integration-tests/src/main/resources
+          wget -O integration-tests/.libs/software.amazon.awssdk-sso.jar https://repo1.maven.org/maven2/software/amazon/awssdk/sso/2.19.8/sso-2.19.8.jar
+          aws s3 cp "s3://${{ vars.INTEGRATION_TESTS_BUCKET }}/config-latest.yml" integration-tests/src/main/resources/config.yml
+      - name: Run and verify integration tests
+        run: ./mvnw clean compile test-compile failsafe:integration-test failsafe:verify

.github/workflows/test.yml

@@ -1,6 +1,9 @@
 name: Service CI
 
-on: [push]
+on:
+  push:
+    branches-ignore:
+      - gh-pages
 
 jobs:
   build:
@@ -8,9 +11,9 @@ jobs:
     container: ubuntu:22.04
 
     steps:
-      - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
       - name: Set up JDK 17
-        uses: actions/setup-java@de1bb2b0c5634f0fc4438d7aa9944e68f9bf86cc # v3.6.0
+        uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0
         with:
           distribution: 'temurin'
           java-version: 17

LICENSE

@@ -296,7 +296,7 @@ commercial, industrial or non-consumer uses, unless such uses represent
 the only significant mode of use of the product.
 
   "Installation Information" for a User Product means any methods,
-procedures, authorization keys, or other information required to install
+procedures, authorization keysManager, or other information required to install
 and execute modified versions of a covered work in that User Product from
 a modified version of its Corresponding Source.  The information must
 suffice to ensure that the continued functioning of the modified object

README.md

@@ -21,6 +21,6 @@ The form and manner of this distribution makes it eligible for export under the
 License
 ---------------------
 
-Copyright 2013-2022 Signal Messenger, LLC
+Copyright 2013-2023 Signal Messenger, LLC
 
 Licensed under the AGPLv3: https://www.gnu.org/licenses/agpl-3.0.html

api-doc/pom.xml

@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <artifactId>TextSecureServer</artifactId>
+    <groupId>org.whispersystems.textsecure</groupId>
+    <version>JGITVER</version>
+  </parent>
+  <modelVersion>4.0.0</modelVersion>
+  <artifactId>api-doc</artifactId>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.whispersystems.textsecure</groupId>
+      <artifactId>service</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>io.swagger.core.v3</groupId>
+        <artifactId>swagger-maven-plugin</artifactId>
+        <version>2.2.8</version>
+        <configuration>
+          <outputFileName>signal-server-openapi</outputFileName>
+          <outputPath>${project.build.directory}/openapi</outputPath>
+          <outputFormat>YAML</outputFormat>
+          <configurationFilePath>${project.basedir}/src/main/resources/openapi/openapi-configuration.yaml
+          </configurationFilePath>
+        </configuration>
+        <executions>
+          <execution>
+            <phase>compile</phase>
+            <goals>
+              <goal>resolve</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <groupId>com.google.cloud.tools</groupId>
+        <artifactId>jib-maven-plugin</artifactId>
+        <configuration>
+          <!-- we don't want jib to execute on this module -->
+          <skip>true</skip>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+</project>

api-doc/src/main/java/org/signal/openapi/OpenApiExtension.java

@@ -0,0 +1,110 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.openapi;
+
+import com.fasterxml.jackson.annotation.JsonView;
+import com.fasterxml.jackson.databind.JavaType;
+import com.fasterxml.jackson.databind.type.SimpleType;
+import io.dropwizard.auth.Auth;
+import io.swagger.v3.jaxrs2.ResolvedParameter;
+import io.swagger.v3.jaxrs2.ext.AbstractOpenAPIExtension;
+import io.swagger.v3.jaxrs2.ext.OpenAPIExtension;
+import io.swagger.v3.oas.models.Components;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Optional;
+import java.util.ServiceLoader;
+import java.util.Set;
+import javax.ws.rs.Consumes;
+import org.whispersystems.textsecuregcm.auth.AuthenticatedAccount;
+import org.whispersystems.textsecuregcm.auth.DisabledPermittedAuthenticatedAccount;
+
+/**
+ * One of the extension mechanisms of Swagger Core library (OpenAPI processor) is via custom implementations
+ * of the {@link AbstractOpenAPIExtension} class.
+ * <p/>
+ * The purpose of this extension is to customize certain aspects of the OpenAPI model generation on a lower level.
+ * This extension works in coordination with {@link OpenApiReader} that has access to the model on a higher level.
+ * <p/>
+ * The extension is enabled by being listed in {@code META-INF/services/io.swagger.v3.jaxrs2.ext.OpenAPIExtension} file.
+ * @see ServiceLoader
+ * @see OpenApiReader
+ * @see <a href="https://github.com/swagger-api/swagger-core/wiki/Swagger-2.X---Extensions">Swagger 2.X Extensions</a>
+ */
+public class OpenApiExtension extends AbstractOpenAPIExtension {
+
+  public static final ResolvedParameter AUTHENTICATED_ACCOUNT = new ResolvedParameter();
+
+  public static final ResolvedParameter OPTIONAL_AUTHENTICATED_ACCOUNT = new ResolvedParameter();
+
+  public static final ResolvedParameter DISABLED_PERMITTED_AUTHENTICATED_ACCOUNT = new ResolvedParameter();
+
+  public static final ResolvedParameter OPTIONAL_DISABLED_PERMITTED_AUTHENTICATED_ACCOUNT = new ResolvedParameter();
+
+  /**
+   * When parsing endpoint methods, Swagger will treat the first parameter not annotated as header/path/query param
+   * as a request body (and will ignore other not annotated parameters). In our case, this behavior conflicts with
+   * the {@code @Auth}-annotated parameters. Here we're checking if parameters are known to be anything other than
+   * a body and return an appropriate {@link ResolvedParameter} representation.
+   */
+  @Override
+  public ResolvedParameter extractParameters(
+      final List<Annotation> annotations,
+      final Type type,
+      final Set<Type> typesToSkip,
+      final Components components,
+      final Consumes classConsumes,
+      final Consumes methodConsumes,
+      final boolean includeRequestBody,
+      final JsonView jsonViewAnnotation,
+      final Iterator<OpenAPIExtension> chain) {
+
+    if (annotations.stream().anyMatch(a -> a.annotationType().equals(Auth.class))) {
+      // this is the case of authenticated endpoint,
+      if (type instanceof SimpleType simpleType
+          && simpleType.getRawClass().equals(AuthenticatedAccount.class)) {
+        return AUTHENTICATED_ACCOUNT;
+      }
+      if (type instanceof SimpleType simpleType
+          && simpleType.getRawClass().equals(DisabledPermittedAuthenticatedAccount.class)) {
+        return DISABLED_PERMITTED_AUTHENTICATED_ACCOUNT;
+      }
+      if (type instanceof SimpleType simpleType
+          && isOptionalOfType(simpleType, AuthenticatedAccount.class)) {
+        return OPTIONAL_AUTHENTICATED_ACCOUNT;
+      }
+      if (type instanceof SimpleType simpleType
+          && isOptionalOfType(simpleType, DisabledPermittedAuthenticatedAccount.class)) {
+        return OPTIONAL_DISABLED_PERMITTED_AUTHENTICATED_ACCOUNT;
+      }
+    }
+
+    return super.extractParameters(
+        annotations,
+        type,
+        typesToSkip,
+        components,
+        classConsumes,
+        methodConsumes,
+        includeRequestBody,
+        jsonViewAnnotation,
+        chain);
+  }
+
+  private static boolean isOptionalOfType(final SimpleType simpleType, final Class<?> expectedType) {
+    if (!simpleType.getRawClass().equals(Optional.class)) {
+      return false;
+    }
+    final List<JavaType> typeParameters = simpleType.getBindings().getTypeParameters();
+    if (typeParameters.isEmpty()) {
+      return false;
+    }
+    return typeParameters.get(0) instanceof SimpleType optionalParameterType
+        && optionalParameterType.getRawClass().equals(expectedType);
+  }
+}

api-doc/src/main/java/org/signal/openapi/OpenApiReader.java

@@ -0,0 +1,73 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.openapi;
+
+import static com.google.common.base.MoreObjects.firstNonNull;
+import static org.signal.openapi.OpenApiExtension.AUTHENTICATED_ACCOUNT;
+import static org.signal.openapi.OpenApiExtension.DISABLED_PERMITTED_AUTHENTICATED_ACCOUNT;
+import static org.signal.openapi.OpenApiExtension.OPTIONAL_AUTHENTICATED_ACCOUNT;
+import static org.signal.openapi.OpenApiExtension.OPTIONAL_DISABLED_PERMITTED_AUTHENTICATED_ACCOUNT;
+
+import com.fasterxml.jackson.annotation.JsonView;
+import com.google.common.collect.ImmutableList;
+import io.swagger.v3.jaxrs2.Reader;
+import io.swagger.v3.jaxrs2.ResolvedParameter;
+import io.swagger.v3.oas.models.Operation;
+import io.swagger.v3.oas.models.security.SecurityRequirement;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+import java.util.Collections;
+import java.util.List;
+import javax.ws.rs.Consumes;
+
+/**
+ * One of the extension mechanisms of Swagger Core library (OpenAPI processor) is via custom implementations
+ * of the {@link Reader} class.
+ * <p/>
+ * The purpose of this extension is to customize certain aspects of the OpenAPI model generation on a higher level.
+ * This extension works in coordination with {@link OpenApiExtension} that has access to the model on a lower level.
+ * <p/>
+ * The extension is enabled by being listed in {@code resources/openapi/openapi-configuration.yaml} file.
+ * @see OpenApiExtension
+ * @see <a href="https://github.com/swagger-api/swagger-core/wiki/Swagger-2.X---Extensions">Swagger 2.X Extensions</a>
+ */
+public class OpenApiReader extends Reader {
+
+  private static final String AUTHENTICATED_ACCOUNT_AUTH_SCHEMA = "authenticatedAccount";
+
+
+  /**
+   * Overriding this method allows converting a resolved parameter into other operation entities,
+   * in this case, into security requirements.
+   */
+  @Override
+  protected ResolvedParameter getParameters(
+      final Type type,
+      final List<Annotation> annotations,
+      final Operation operation,
+      final Consumes classConsumes,
+      final Consumes methodConsumes,
+      final JsonView jsonViewAnnotation) {
+    final ResolvedParameter resolved = super.getParameters(
+        type, annotations, operation, classConsumes, methodConsumes, jsonViewAnnotation);
+
+    if (resolved == AUTHENTICATED_ACCOUNT || resolved == DISABLED_PERMITTED_AUTHENTICATED_ACCOUNT) {
+      operation.setSecurity(ImmutableList.<SecurityRequirement>builder()
+          .addAll(firstNonNull(operation.getSecurity(), Collections.emptyList()))
+          .add(new SecurityRequirement().addList(AUTHENTICATED_ACCOUNT_AUTH_SCHEMA))
+          .build());
+    }
+    if (resolved == OPTIONAL_AUTHENTICATED_ACCOUNT || resolved == OPTIONAL_DISABLED_PERMITTED_AUTHENTICATED_ACCOUNT) {
+      operation.setSecurity(ImmutableList.<SecurityRequirement>builder()
+          .addAll(firstNonNull(operation.getSecurity(), Collections.emptyList()))
+          .add(new SecurityRequirement().addList(AUTHENTICATED_ACCOUNT_AUTH_SCHEMA))
+          .add(new SecurityRequirement())
+          .build());
+    }
+
+    return resolved;
+  }
+}

api-doc/src/main/resources/META-INF/services/io.swagger.v3.jaxrs2.ext.OpenAPIExtension

@@ -0,0 +1 @@
+org.signal.openapi.OpenApiExtension

api-doc/src/main/resources/openapi/openapi-configuration.yaml

@@ -0,0 +1,25 @@
+resourcePackages:
+  - org.whispersystems.textsecuregcm
+prettyPrint: true
+cacheTTL: 0
+readerClass: org.signal.openapi.OpenApiReader
+openAPI:
+  info:
+    title: Signal Server API
+    license:
+      name: AGPL-3.0-only
+      url: https://www.gnu.org/licenses/agpl-3.0.txt
+  servers:
+    - url: https://chat.signal.org
+      description: Production service
+    - url: https://chat.staging.signal.org
+      description: Staging service
+  components:
+    securitySchemes:
+      authenticatedAccount:
+        type: http
+        scheme: basic
+        description: |
+          Account authentication is based on Basic authentication schema, 
+          where `username` has a format of `<user_id>[.<device_id>]`. If `device_id` is not specified,
+          user's `main` device is assumed.

event-logger/pom.xml

@@ -80,6 +80,14 @@
           </dependency>
         </dependencies>
       </plugin>
+      <plugin>
+        <groupId>com.google.cloud.tools</groupId>
+        <artifactId>jib-maven-plugin</artifactId>
+        <configuration>
+          <!-- we don't want jib to execute on this module -->
+          <skip>true</skip>
+        </configuration>
+      </plugin>
     </plugins>
   </build>
 

event-logger/src/main/kotlin/events.kt

@@ -24,7 +24,7 @@ sealed interface Event
 
 @Serializable
 data class RemoteConfigSetEvent(
-        val token: String,
+        val identity: String,
         val name: String,
         val percentage: Int,
         val defaultValue: String? = null,
@@ -35,6 +35,6 @@ data class RemoteConfigSetEvent(
 
 @Serializable
 data class RemoteConfigDeleteEvent(
-        val token: String,
+        val identity: String,
         val name: String,
 ) : Event

integration-tests/.gitignore

@@ -0,0 +1,2 @@
+.libs
+src/main/resources/config.yml

integration-tests/pom.xml

@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <artifactId>TextSecureServer</artifactId>
+    <groupId>org.whispersystems.textsecure</groupId>
+    <version>JGITVER</version>
+  </parent>
+  <modelVersion>4.0.0</modelVersion>
+  <artifactId>integration-tests</artifactId>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.whispersystems.textsecure</groupId>
+      <artifactId>service</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+
+    <dependency>
+      <groupId>software.amazon.awssdk</groupId>
+      <artifactId>dynamodb</artifactId>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <version>3.0.0-M7</version>
+        <configuration>
+          <excludes>
+            <exclude>**</exclude>
+          </excludes>
+        </configuration>
+      </plugin>
+
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-failsafe-plugin</artifactId>
+        <version>3.0.0</version>
+        <configuration>
+          <additionalClasspathElements>
+            <additionalClasspathElement>${project.basedir}/.libs/software.amazon.awssdk-sso.jar</additionalClasspathElement>
+          </additionalClasspathElements>
+          <includes>
+            <include>**/*.java</include>
+          </includes>
+        </configuration>
+      </plugin>
+      <plugin>
+        <groupId>com.google.cloud.tools</groupId>
+        <artifactId>jib-maven-plugin</artifactId>
+        <configuration>
+          <!-- we don't want jib to execute on this module -->
+          <skip>true</skip>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+</project>

integration-tests/src/main/java/org/signal/integration/Codecs.java

@@ -0,0 +1,102 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.databind.JsonDeserializer;
+import com.fasterxml.jackson.databind.JsonSerializer;
+import com.fasterxml.jackson.databind.SerializerProvider;
+import java.io.IOException;
+import java.util.Base64;
+import org.signal.libsignal.protocol.IdentityKey;
+import org.signal.libsignal.protocol.ecc.Curve;
+import org.signal.libsignal.protocol.ecc.ECPublicKey;
+
+public final class Codecs {
+
+  private Codecs() {
+    // utility class
+  }
+
+  @FunctionalInterface
+  public interface CheckedFunction<T, R> {
+    R apply(T t) throws Exception;
+  }
+
+  public static class Base64BasedSerializer<T> extends JsonSerializer<T> {
+
+    private final CheckedFunction<T, byte[]> mapper;
+
+    public Base64BasedSerializer(final CheckedFunction<T, byte[]> mapper) {
+      this.mapper = mapper;
+    }
+
+    @Override
+    public void serialize(final T value, final JsonGenerator gen, final SerializerProvider serializers) throws IOException {
+      try {
+        gen.writeString(Base64.getEncoder().withoutPadding().encodeToString(mapper.apply(value)));
+      } catch (Exception e) {
+        throw new RuntimeException(e);
+      }
+    }
+  }
+
+  public static class Base64BasedDeserializer<T> extends JsonDeserializer<T> {
+
+    private final CheckedFunction<byte[], T> mapper;
+
+    public Base64BasedDeserializer(final CheckedFunction<byte[], T> mapper) {
+      this.mapper = mapper;
+    }
+
+    @Override
+    public T deserialize(final JsonParser p, final DeserializationContext ctxt) throws IOException {
+      try {
+        return mapper.apply(Base64.getDecoder().decode(p.getValueAsString()));
+      } catch (Exception e) {
+        throw new RuntimeException(e);
+      }
+    }
+  }
+
+  public static class ByteArraySerializer extends Base64BasedSerializer<byte[]> {
+    public ByteArraySerializer() {
+      super(bytes -> bytes);
+    }
+  }
+
+  public static class ByteArrayDeserializer extends Base64BasedDeserializer<byte[]> {
+    public ByteArrayDeserializer() {
+      super(bytes -> bytes);
+    }
+  }
+
+  public static class ECPublicKeySerializer extends Base64BasedSerializer<ECPublicKey> {
+    public ECPublicKeySerializer() {
+      super(ECPublicKey::serialize);
+    }
+  }
+
+  public static class ECPublicKeyDeserializer extends Base64BasedDeserializer<ECPublicKey> {
+    public ECPublicKeyDeserializer() {
+      super(bytes -> Curve.decodePoint(bytes, 0));
+    }
+  }
+
+  public static class IdentityKeySerializer extends Base64BasedSerializer<IdentityKey> {
+    public IdentityKeySerializer() {
+      super(IdentityKey::serialize);
+    }
+  }
+
+  public static class IdentityKeyDeserializer extends Base64BasedDeserializer<IdentityKey> {
+    public IdentityKeyDeserializer() {
+      super(bytes -> new IdentityKey(bytes, 0));
+    }
+  }
+}

integration-tests/src/main/java/org/signal/integration/IntegrationTools.java

@@ -0,0 +1,69 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import java.time.Clock;
+import java.time.Duration;
+import java.util.Optional;
+import java.util.concurrent.CompletableFuture;
+import org.signal.integration.config.Config;
+import org.whispersystems.textsecuregcm.registration.VerificationSession;
+import org.whispersystems.textsecuregcm.storage.RegistrationRecoveryPasswords;
+import org.whispersystems.textsecuregcm.storage.RegistrationRecoveryPasswordsManager;
+import org.whispersystems.textsecuregcm.storage.VerificationSessionManager;
+import org.whispersystems.textsecuregcm.storage.VerificationSessions;
+import org.whispersystems.textsecuregcm.util.DynamoDbFromConfig;
+import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
+import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
+import software.amazon.awssdk.services.dynamodb.DynamoDbAsyncClient;
+import software.amazon.awssdk.services.dynamodb.DynamoDbClient;
+
+public class IntegrationTools {
+
+  private final RegistrationRecoveryPasswordsManager registrationRecoveryPasswordsManager;
+
+  private final VerificationSessionManager verificationSessionManager;
+
+
+  public static IntegrationTools create(final Config config) {
+    final AwsCredentialsProvider credentialsProvider = DefaultCredentialsProvider.builder().build();
+
+    final DynamoDbAsyncClient dynamoDbAsyncClient = DynamoDbFromConfig.asyncClient(
+        config.dynamoDbClientConfiguration(),
+        credentialsProvider);
+
+    final DynamoDbClient dynamoDbClient = DynamoDbFromConfig.client(
+        config.dynamoDbClientConfiguration(),
+        credentialsProvider);
+
+    final RegistrationRecoveryPasswords registrationRecoveryPasswords = new RegistrationRecoveryPasswords(
+        config.dynamoDbTables().registrationRecovery(), Duration.ofDays(1), dynamoDbClient, dynamoDbAsyncClient);
+
+    final VerificationSessions verificationSessions = new VerificationSessions(
+        dynamoDbAsyncClient, config.dynamoDbTables().verificationSessions(), Clock.systemUTC());
+
+    return new IntegrationTools(
+        new RegistrationRecoveryPasswordsManager(registrationRecoveryPasswords),
+        new VerificationSessionManager(verificationSessions)
+    );
+  }
+
+  private IntegrationTools(
+      final RegistrationRecoveryPasswordsManager registrationRecoveryPasswordsManager,
+      final VerificationSessionManager verificationSessionManager) {
+    this.registrationRecoveryPasswordsManager = registrationRecoveryPasswordsManager;
+    this.verificationSessionManager = verificationSessionManager;
+  }
+
+  public CompletableFuture<Void> populateRecoveryPassword(final String e164, final byte[] password) {
+    return registrationRecoveryPasswordsManager.storeForCurrentNumber(e164, password);
+  }
+
+  public CompletableFuture<Optional<String>> peekVerificationSessionPushChallenge(final String sessionId) {
+    return verificationSessionManager.findForId(sessionId)
+        .thenApply(maybeSession -> maybeSession.map(VerificationSession::pushChallenge));
+  }
+}

integration-tests/src/main/java/org/signal/integration/Operations.java

@@ -0,0 +1,342 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import static java.util.Objects.requireNonNull;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.google.common.io.Resources;
+import com.google.common.net.HttpHeaders;
+import java.io.IOException;
+import java.lang.invoke.MethodHandles;
+import java.net.URI;
+import java.net.URL;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.nio.charset.StandardCharsets;
+import java.security.cert.CertificateException;
+import java.util.ArrayList;
+import java.util.Base64;
+import java.util.Collections;
+import java.util.List;
+import java.util.Optional;
+import java.util.concurrent.Executors;
+import org.apache.commons.lang3.RandomUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.Validate;
+import org.apache.commons.lang3.tuple.Pair;
+import org.signal.integration.config.Config;
+import org.signal.libsignal.protocol.IdentityKey;
+import org.signal.libsignal.protocol.ecc.Curve;
+import org.signal.libsignal.protocol.ecc.ECKeyPair;
+import org.signal.libsignal.protocol.ecc.ECPublicKey;
+import org.signal.libsignal.protocol.kem.KEMKeyPair;
+import org.signal.libsignal.protocol.kem.KEMKeyType;
+import org.signal.libsignal.protocol.kem.KEMPublicKey;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.whispersystems.textsecuregcm.configuration.CircuitBreakerConfiguration;
+import org.whispersystems.textsecuregcm.entities.AccountAttributes;
+import org.whispersystems.textsecuregcm.entities.AccountIdentityResponse;
+import org.whispersystems.textsecuregcm.entities.ECSignedPreKey;
+import org.whispersystems.textsecuregcm.entities.KEMSignedPreKey;
+import org.whispersystems.textsecuregcm.entities.RegistrationRequest;
+import org.whispersystems.textsecuregcm.http.FaultTolerantHttpClient;
+import org.whispersystems.textsecuregcm.storage.Device;
+import org.whispersystems.textsecuregcm.util.HeaderUtils;
+import org.whispersystems.textsecuregcm.util.SystemMapper;
+
+public final class Operations {
+
+  private static final Logger logger = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+
+  private static final Config CONFIG = loadConfigFromClasspath("config.yml");
+
+  private static final IntegrationTools INTEGRATION_TOOLS = IntegrationTools.create(CONFIG);
+
+  private static final String USER_AGENT = "integration-test";
+
+  private static final FaultTolerantHttpClient CLIENT = buildClient();
+
+
+  private Operations() {
+    // utility class
+  }
+
+  public static TestUser newRegisteredUser(final String number) {
+    final byte[] registrationPassword = RandomUtils.nextBytes(32);
+    final String accountPassword = Base64.getEncoder().encodeToString(RandomUtils.nextBytes(32));
+
+    final TestUser user = TestUser.create(number, accountPassword, registrationPassword);
+    final AccountAttributes accountAttributes = user.accountAttributes();
+
+    INTEGRATION_TOOLS.populateRecoveryPassword(number, registrationPassword).join();
+
+    // register account
+    final RegistrationRequest registrationRequest = new RegistrationRequest(
+        null, registrationPassword, accountAttributes, true,
+        Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty());
+
+    final AccountIdentityResponse registrationResponse = apiPost("/v1/registration", registrationRequest)
+        .authorized(number, accountPassword)
+        .executeExpectSuccess(AccountIdentityResponse.class);
+
+    user.setAciUuid(registrationResponse.uuid());
+    user.setPniUuid(registrationResponse.pni());
+
+    // upload pre-key
+    final TestUser.PreKeySetPublicView preKeySetPublicView = user.preKeys(Device.MASTER_ID, false);
+    apiPut("/v2/keys", preKeySetPublicView)
+        .authorized(user, Device.MASTER_ID)
+        .executeExpectSuccess();
+
+    return user;
+  }
+
+  public static TestUser newRegisteredUserAtomic(final String number) {
+    final byte[] registrationPassword = RandomUtils.nextBytes(32);
+    final String accountPassword = Base64.getEncoder().encodeToString(RandomUtils.nextBytes(32));
+
+    final TestUser user = TestUser.create(number, accountPassword, registrationPassword);
+    final AccountAttributes accountAttributes = user.accountAttributes();
+
+    INTEGRATION_TOOLS.populateRecoveryPassword(number, registrationPassword).join();
+
+    final ECKeyPair aciIdentityKeyPair = Curve.generateKeyPair();
+    final ECKeyPair pniIdentityKeyPair = Curve.generateKeyPair();
+
+    // register account
+    final RegistrationRequest registrationRequest = new RegistrationRequest(null,
+        registrationPassword,
+        accountAttributes,
+        true,
+        Optional.of(new IdentityKey(aciIdentityKeyPair.getPublicKey())),
+        Optional.of(new IdentityKey(pniIdentityKeyPair.getPublicKey())),
+        Optional.of(generateSignedECPreKey(1, aciIdentityKeyPair)),
+        Optional.of(generateSignedECPreKey(2, pniIdentityKeyPair)),
+        Optional.of(generateSignedKEMPreKey(3, aciIdentityKeyPair)),
+        Optional.of(generateSignedKEMPreKey(4, pniIdentityKeyPair)),
+        Optional.empty(),
+        Optional.empty());
+
+    final AccountIdentityResponse registrationResponse = apiPost("/v1/registration", registrationRequest)
+        .authorized(number, accountPassword)
+        .executeExpectSuccess(AccountIdentityResponse.class);
+
+    user.setAciUuid(registrationResponse.uuid());
+    user.setPniUuid(registrationResponse.pni());
+
+    return user;
+  }
+
+  public static void deleteUser(final TestUser user) {
+    apiDelete("/v1/accounts/me").authorized(user).executeExpectSuccess();
+  }
+
+  public static String peekVerificationSessionPushChallenge(final String sessionId) {
+    return INTEGRATION_TOOLS.peekVerificationSessionPushChallenge(sessionId).join()
+        .orElseThrow(() -> new RuntimeException("push challenge not found for the verification session"));
+  }
+
+  public static <T> T sendEmptyRequestAuthenticated(
+      final String endpoint,
+      final String method,
+      final String username,
+      final String password,
+      final Class<T> outputType) {
+    try {
+      final HttpRequest request = HttpRequest.newBuilder()
+          .uri(serverUri(endpoint, Collections.emptyList()))
+          .method(method, HttpRequest.BodyPublishers.noBody())
+          .header(HttpHeaders.AUTHORIZATION, HeaderUtils.basicAuthHeader(username, password))
+          .header(HttpHeaders.CONTENT_TYPE, "application/json")
+          .build();
+      return CLIENT.sendAsync(request, HttpResponse.BodyHandlers.ofString(StandardCharsets.UTF_8))
+          .whenComplete((response, error) -> {
+            if (error != null) {
+              logger.error("request error", error);
+              error.printStackTrace();
+            } else {
+              logger.info("response: {}", response.statusCode());
+              System.out.println("response: " + response.statusCode() + ", " + response.body());
+            }
+          })
+          .thenApply(response -> {
+            try {
+              return outputType.equals(Void.class)
+                  ? null
+                  : SystemMapper.jsonMapper().readValue(response.body(), outputType);
+            } catch (final IOException e) {
+              throw new RuntimeException(e);
+            }
+          })
+          .get();
+    } catch (final Exception e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  public static RequestBuilder apiGet(final String endpoint) {
+    return new RequestBuilder(HttpRequest.newBuilder().GET(), endpoint);
+  }
+
+  public static RequestBuilder apiDelete(final String endpoint) {
+    return new RequestBuilder(HttpRequest.newBuilder().DELETE(), endpoint);
+  }
+
+  public static <R> RequestBuilder apiPost(final String endpoint, final R input) {
+    return RequestBuilder.withJsonBody(endpoint, "POST", input);
+  }
+
+  public static <R> RequestBuilder apiPut(final String endpoint, final R input) {
+    return RequestBuilder.withJsonBody(endpoint, "PUT", input);
+  }
+
+  public static <R> RequestBuilder apiPatch(final String endpoint, final R input) {
+    return RequestBuilder.withJsonBody(endpoint, "PATCH", input);
+  }
+
+  private static URI serverUri(final String endpoint, final List<String> queryParams) {
+    final String query = queryParams.isEmpty()
+        ? StringUtils.EMPTY
+        : "?" + String.join("&", queryParams);
+    return URI.create("https://" + CONFIG.domain() + endpoint + query);
+  }
+
+  public static class RequestBuilder {
+
+    private final HttpRequest.Builder builder;
+
+    private final String endpoint;
+
+    private final List<String> queryParams = new ArrayList<>();
+
+
+    private RequestBuilder(final HttpRequest.Builder builder, final String endpoint) {
+      this.builder = builder;
+      this.endpoint = endpoint;
+    }
+
+    private static <R> RequestBuilder withJsonBody(final String endpoint, final String method, final R input) {
+      try {
+        final byte[] body = SystemMapper.jsonMapper().writeValueAsBytes(input);
+        return new RequestBuilder(HttpRequest.newBuilder()
+            .header(HttpHeaders.CONTENT_TYPE, "application/json")
+            .method(method, HttpRequest.BodyPublishers.ofByteArray(body)), endpoint);
+      } catch (final JsonProcessingException e) {
+        throw new RuntimeException(e);
+      }
+    }
+
+    public RequestBuilder authorized(final TestUser user) {
+      return authorized(user, Device.MASTER_ID);
+    }
+
+    public RequestBuilder authorized(final TestUser user, final long deviceId) {
+      final String username = "%s.%d".formatted(user.aciUuid().toString(), deviceId);
+      return authorized(username, user.accountPassword());
+    }
+
+    public RequestBuilder authorized(final String username, final String password) {
+      builder.header(HttpHeaders.AUTHORIZATION, HeaderUtils.basicAuthHeader(username, password));
+      return this;
+    }
+
+    public RequestBuilder queryParam(final String key, final String value) {
+      queryParams.add("%s=%s".formatted(key, value));
+      return this;
+    }
+
+    public RequestBuilder header(final String name, final String value) {
+      builder.header(name, value);
+      return this;
+    }
+
+    public Pair<Integer, Void> execute() {
+      return execute(Void.class);
+    }
+
+    public Pair<Integer, Void> executeExpectSuccess() {
+      final Pair<Integer, Void> execute = execute();
+      Validate.isTrue(
+          execute.getLeft() >= 200 && execute.getLeft() < 300,
+          "Unexpected response code: %d",
+          execute.getLeft());
+      return execute;
+    }
+
+    public <T> T executeExpectSuccess(final Class<T> expectedType) {
+      final Pair<Integer, T> execute = execute(expectedType);
+      return requireNonNull(execute.getRight());
+    }
+
+    public void executeExpectStatusCode(final int expectedStatusCode) {
+      final Pair<Integer, Void> execute = execute(Void.class);
+      Validate.isTrue(
+          execute.getLeft() == expectedStatusCode,
+          "Unexpected response code: %d",
+          execute.getLeft()
+      );
+    }
+
+    public <T> Pair<Integer, T> execute(final Class<T> expectedType) {
+      builder.uri(serverUri(endpoint, queryParams))
+          .header(HttpHeaders.USER_AGENT, USER_AGENT);
+      return CLIENT.sendAsync(builder.build(), HttpResponse.BodyHandlers.ofString(StandardCharsets.UTF_8))
+          .whenComplete((response, error) -> {
+            if (error != null) {
+              logger.error("request error", error);
+              error.printStackTrace();
+            }
+          })
+          .thenApply(response -> {
+            try {
+              final T result = expectedType.equals(Void.class)
+                  ? null
+                  : SystemMapper.jsonMapper().readValue(response.body(), expectedType);
+              return Pair.of(response.statusCode(), result);
+            } catch (final IOException e) {
+              throw new RuntimeException(e);
+            }
+          })
+          .join();
+    }
+  }
+
+  private static FaultTolerantHttpClient buildClient() {
+    try {
+      return FaultTolerantHttpClient.newBuilder()
+          .withName("integration-test")
+          .withExecutor(Executors.newFixedThreadPool(16))
+          .withCircuitBreaker(new CircuitBreakerConfiguration())
+          .withTrustedServerCertificates(CONFIG.rootCert())
+          .build();
+    } catch (final CertificateException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  private static Config loadConfigFromClasspath(final String filename) {
+    try {
+      final URL configFileUrl = Resources.getResource(filename);
+      return SystemMapper.yamlMapper().readValue(Resources.toByteArray(configFileUrl), Config.class);
+    } catch (final IOException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  private static ECSignedPreKey generateSignedECPreKey(long id, final ECKeyPair identityKeyPair) {
+    final ECPublicKey pubKey = Curve.generateKeyPair().getPublicKey();
+    final byte[] sig = identityKeyPair.getPrivateKey().calculateSignature(pubKey.serialize());
+    return new ECSignedPreKey(id, pubKey, sig);
+  }
+
+  private static KEMSignedPreKey generateSignedKEMPreKey(long id, final ECKeyPair identityKeyPair) {
+    final KEMPublicKey pubKey = KEMKeyPair.generate(KEMKeyType.KYBER_1024).getPublicKey();
+    final byte[] sig = identityKeyPair.getPrivateKey().calculateSignature(pubKey.serialize());
+    return new KEMSignedPreKey(id, pubKey, sig);
+  }
+}

integration-tests/src/main/java/org/signal/integration/TestDevice.java

@@ -0,0 +1,64 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import org.apache.commons.lang3.tuple.Pair;
+import org.signal.libsignal.protocol.IdentityKeyPair;
+import org.signal.libsignal.protocol.InvalidKeyException;
+import org.signal.libsignal.protocol.ecc.Curve;
+import org.signal.libsignal.protocol.ecc.ECKeyPair;
+import org.signal.libsignal.protocol.state.SignedPreKeyRecord;
+
+public class TestDevice {
+
+  private final long deviceId;
+
+  private final Map<Integer, Pair<IdentityKeyPair, SignedPreKeyRecord>> signedPreKeys = new ConcurrentHashMap<>();
+
+
+  public static TestDevice create(
+      final long deviceId,
+      final IdentityKeyPair aciIdentityKeyPair,
+      final IdentityKeyPair pniIdentityKeyPair) {
+    final TestDevice device = new TestDevice(deviceId);
+    device.addSignedPreKey(aciIdentityKeyPair);
+    device.addSignedPreKey(pniIdentityKeyPair);
+    return device;
+  }
+
+  public TestDevice(final long deviceId) {
+    this.deviceId = deviceId;
+  }
+
+  public long deviceId() {
+    return deviceId;
+  }
+
+  public SignedPreKeyRecord latestSignedPreKey(final IdentityKeyPair identity) {
+    final int id = signedPreKeys.entrySet()
+        .stream()
+        .filter(p -> p.getValue().getLeft().equals(identity))
+        .mapToInt(Map.Entry::getKey)
+        .max()
+        .orElseThrow();
+    return signedPreKeys.get(id).getRight();
+  }
+
+  public SignedPreKeyRecord addSignedPreKey(final IdentityKeyPair identity) {
+    try {
+      final int nextId = signedPreKeys.keySet().stream().mapToInt(k -> k + 1).max().orElse(0);
+      final ECKeyPair keyPair = Curve.generateKeyPair();
+      final byte[] signature = Curve.calculateSignature(identity.getPrivateKey(), keyPair.getPublicKey().serialize());
+      final SignedPreKeyRecord signedPreKeyRecord = new SignedPreKeyRecord(nextId, System.currentTimeMillis(), keyPair, signature);
+      signedPreKeys.put(nextId, Pair.of(identity, signedPreKeyRecord));
+      return signedPreKeyRecord;
+    } catch (InvalidKeyException e) {
+      throw new RuntimeException(e);
+    }
+  }
+}

integration-tests/src/main/java/org/signal/integration/TestUser.java

@@ -0,0 +1,183 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import static java.util.Objects.requireNonNull;
+
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import java.util.UUID;
+import java.util.concurrent.ConcurrentHashMap;
+import org.apache.commons.lang3.RandomUtils;
+import org.signal.libsignal.protocol.IdentityKey;
+import org.signal.libsignal.protocol.IdentityKeyPair;
+import org.signal.libsignal.protocol.ecc.ECPublicKey;
+import org.signal.libsignal.protocol.state.SignedPreKeyRecord;
+import org.signal.libsignal.protocol.util.KeyHelper;
+import org.whispersystems.textsecuregcm.entities.AccountAttributes;
+import org.whispersystems.textsecuregcm.storage.Device;
+
+public class TestUser {
+
+  private final int registrationId;
+
+  private final IdentityKeyPair aciIdentityKey;
+
+  private final Map<Long, TestDevice> devices = new ConcurrentHashMap<>();
+
+  private final byte[] unidentifiedAccessKey;
+
+  private String phoneNumber;
+
+  private IdentityKeyPair pniIdentityKey;
+
+  private String accountPassword;
+
+  private byte[] registrationPassword;
+
+  private UUID aciUuid;
+
+  private UUID pniUuid;
+
+
+  public static TestUser create(final String phoneNumber, final String accountPassword, final byte[] registrationPassword) {
+    // ACI identity key pair
+    final IdentityKeyPair aciIdentityKey = IdentityKeyPair.generate();
+    // PNI identity key pair
+    final IdentityKeyPair pniIdentityKey = IdentityKeyPair.generate();
+    // registration id
+    final int registrationId = KeyHelper.generateRegistrationId(false);
+    // uak
+    final byte[] unidentifiedAccessKey = RandomUtils.nextBytes(16);
+
+    return new TestUser(
+        registrationId,
+        aciIdentityKey,
+        phoneNumber,
+        pniIdentityKey,
+        unidentifiedAccessKey,
+        accountPassword,
+        registrationPassword);
+  }
+
+  public TestUser(
+      final int registrationId,
+      final IdentityKeyPair aciIdentityKey,
+      final String phoneNumber,
+      final IdentityKeyPair pniIdentityKey,
+      final byte[] unidentifiedAccessKey,
+      final String accountPassword,
+      final byte[] registrationPassword) {
+    this.registrationId = registrationId;
+    this.aciIdentityKey = aciIdentityKey;
+    this.phoneNumber = phoneNumber;
+    this.pniIdentityKey = pniIdentityKey;
+    this.unidentifiedAccessKey = unidentifiedAccessKey;
+    this.accountPassword = accountPassword;
+    this.registrationPassword = registrationPassword;
+    devices.put(Device.MASTER_ID, TestDevice.create(Device.MASTER_ID, aciIdentityKey, pniIdentityKey));
+  }
+
+  public int registrationId() {
+    return registrationId;
+  }
+
+  public IdentityKeyPair aciIdentityKey() {
+    return aciIdentityKey;
+  }
+
+  public String phoneNumber() {
+    return phoneNumber;
+  }
+
+  public IdentityKeyPair pniIdentityKey() {
+    return pniIdentityKey;
+  }
+
+  public String accountPassword() {
+    return accountPassword;
+  }
+
+  public byte[] registrationPassword() {
+    return registrationPassword;
+  }
+
+  public UUID aciUuid() {
+    return aciUuid;
+  }
+
+  public UUID pniUuid() {
+    return pniUuid;
+  }
+
+  public AccountAttributes accountAttributes() {
+    return new AccountAttributes(true, registrationId, "", "", true, new Device.DeviceCapabilities())
+        .withUnidentifiedAccessKey(unidentifiedAccessKey)
+        .withRecoveryPassword(registrationPassword);
+  }
+
+  public void setAciUuid(final UUID aciUuid) {
+    this.aciUuid = aciUuid;
+  }
+
+  public void setPniUuid(final UUID pniUuid) {
+    this.pniUuid = pniUuid;
+  }
+
+  public void setPhoneNumber(final String phoneNumber) {
+    this.phoneNumber = phoneNumber;
+  }
+
+  public void setPniIdentityKey(final IdentityKeyPair pniIdentityKey) {
+    this.pniIdentityKey = pniIdentityKey;
+  }
+
+  public void setAccountPassword(final String accountPassword) {
+    this.accountPassword = accountPassword;
+  }
+
+  public void setRegistrationPassword(final byte[] registrationPassword) {
+    this.registrationPassword = registrationPassword;
+  }
+
+  public PreKeySetPublicView preKeys(final long deviceId, final boolean pni) {
+    final IdentityKeyPair identity = pni
+        ? pniIdentityKey
+        : aciIdentityKey;
+    final TestDevice device = requireNonNull(devices.get(deviceId));
+    final SignedPreKeyRecord signedPreKeyRecord = device.latestSignedPreKey(identity);
+    return new PreKeySetPublicView(
+        Collections.emptyList(),
+        identity.getPublicKey(),
+        new SignedPreKeyPublicView(
+            signedPreKeyRecord.getId(),
+            signedPreKeyRecord.getKeyPair().getPublicKey(),
+            signedPreKeyRecord.getSignature()
+        )
+    );
+  }
+
+  public record SignedPreKeyPublicView(
+      int keyId,
+      @JsonSerialize(using = Codecs.ECPublicKeySerializer.class)
+      @JsonDeserialize(using = Codecs.ECPublicKeyDeserializer.class)
+      ECPublicKey publicKey,
+      @JsonSerialize(using = Codecs.ByteArraySerializer.class)
+      @JsonDeserialize(using = Codecs.ByteArrayDeserializer.class)
+      byte[] signature) {
+  }
+
+  public record PreKeySetPublicView(
+      List<String> preKeys,
+      @JsonSerialize(using = Codecs.IdentityKeySerializer.class)
+      @JsonDeserialize(using = Codecs.IdentityKeyDeserializer.class)
+      IdentityKey identityKey,
+      SignedPreKeyPublicView signedPreKey) {
+  }
+}

integration-tests/src/main/java/org/signal/integration/config/Config.java

@@ -0,0 +1,14 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration.config;
+
+import org.whispersystems.textsecuregcm.configuration.DynamoDbClientConfiguration;
+
+public record Config(String domain,
+                     String rootCert,
+                     DynamoDbClientConfiguration dynamoDbClientConfiguration,
+                     DynamoDbTables dynamoDbTables) {
+}

integration-tests/src/main/java/org/signal/integration/config/DynamoDbTables.java

@@ -0,0 +1,10 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration.config;
+
+public record DynamoDbTables(String registrationRecovery,
+                             String verificationSessions) {
+}

integration-tests/src/test/java/org/signal/integration/AccountTest.java

@@ -0,0 +1,121 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import java.util.Arrays;
+import java.util.Base64;
+import java.util.List;
+import org.apache.commons.lang3.tuple.Pair;
+import org.apache.http.HttpStatus;
+import org.junit.jupiter.api.Test;
+import org.signal.libsignal.usernames.BaseUsernameException;
+import org.signal.libsignal.usernames.Username;
+import org.whispersystems.textsecuregcm.entities.AccountIdentifierResponse;
+import org.whispersystems.textsecuregcm.entities.AccountIdentityResponse;
+import org.whispersystems.textsecuregcm.entities.ConfirmUsernameHashRequest;
+import org.whispersystems.textsecuregcm.entities.ReserveUsernameHashRequest;
+import org.whispersystems.textsecuregcm.entities.ReserveUsernameHashResponse;
+import org.whispersystems.textsecuregcm.entities.UsernameHashResponse;
+
+public class AccountTest {
+
+  @Test
+  public void testCreateAccount() throws Exception {
+    final TestUser user = Operations.newRegisteredUser("+19995550101");
+    try {
+      final Pair<Integer, AccountIdentityResponse> execute = Operations.apiGet("/v1/accounts/whoami")
+          .authorized(user)
+          .execute(AccountIdentityResponse.class);
+      assertEquals(HttpStatus.SC_OK, execute.getLeft());
+    } finally {
+      Operations.deleteUser(user);
+    }
+  }
+
+  @Test
+  public void testCreateAccountAtomic() throws Exception {
+    final TestUser user = Operations.newRegisteredUserAtomic("+19995550201");
+    try {
+      final Pair<Integer, AccountIdentityResponse> execute = Operations.apiGet("/v1/accounts/whoami")
+          .authorized(user)
+          .execute(AccountIdentityResponse.class);
+      assertEquals(HttpStatus.SC_OK, execute.getLeft());
+    } finally {
+      Operations.deleteUser(user);
+    }
+  }
+
+  @Test
+  public void testUsernameOperations() throws Exception {
+    final TestUser user = Operations.newRegisteredUser("+19995550102");
+    try {
+      verifyFullUsernameLifecycle(user);
+      // no do it again to check changing usernames
+      verifyFullUsernameLifecycle(user);
+    } finally {
+      Operations.deleteUser(user);
+    }
+  }
+
+  private static void verifyFullUsernameLifecycle(final TestUser user) throws BaseUsernameException {
+    final String preferred = "test";
+    final List<Username> candidates = Username.candidatesFrom(preferred, preferred.length(), preferred.length() + 1);
+
+    // reserve a username
+    final ReserveUsernameHashRequest reserveUsernameHashRequest = new ReserveUsernameHashRequest(
+        candidates.stream().map(Username::getHash).toList());
+    // try unauthorized
+    Operations
+        .apiPut("/v1/accounts/username_hash/reserve", reserveUsernameHashRequest)
+        .executeExpectStatusCode(HttpStatus.SC_UNAUTHORIZED);
+
+    final ReserveUsernameHashResponse reserveUsernameHashResponse = Operations
+        .apiPut("/v1/accounts/username_hash/reserve", reserveUsernameHashRequest)
+        .authorized(user)
+        .executeExpectSuccess(ReserveUsernameHashResponse.class);
+
+    // find which one is the reserved username
+    final byte[] reservedHash = reserveUsernameHashResponse.usernameHash();
+    final Username reservedUsername = candidates.stream()
+        .filter(u -> Arrays.equals(u.getHash(), reservedHash))
+        .findAny()
+        .orElseThrow();
+
+    // confirm a username
+    final ConfirmUsernameHashRequest confirmUsernameHashRequest = new ConfirmUsernameHashRequest(
+        reservedUsername.getHash(),
+        reservedUsername.generateProof()
+    );
+    // try unauthorized
+    Operations
+        .apiPut("/v1/accounts/username_hash/confirm", confirmUsernameHashRequest)
+        .executeExpectStatusCode(HttpStatus.SC_UNAUTHORIZED);
+    Operations
+        .apiPut("/v1/accounts/username_hash/confirm", confirmUsernameHashRequest)
+        .authorized(user)
+        .executeExpectSuccess(UsernameHashResponse.class);
+
+
+    // lookup username
+    final AccountIdentifierResponse accountIdentifierResponse = Operations
+        .apiGet("/v1/accounts/username_hash/" + Base64.getUrlEncoder().encodeToString(reservedHash))
+        .executeExpectSuccess(AccountIdentifierResponse.class);
+    assertEquals(user.aciUuid(), accountIdentifierResponse.uuid());
+    // try authorized
+    Operations
+        .apiGet("/v1/accounts/username_hash/" + Base64.getUrlEncoder().encodeToString(reservedHash))
+        .authorized(user)
+        .executeExpectStatusCode(HttpStatus.SC_BAD_REQUEST);
+
+    // delete username
+    Operations
+        .apiDelete("/v1/accounts/username_hash")
+        .authorized(user)
+        .executeExpectSuccess();
+  }
+}

integration-tests/src/test/java/org/signal/integration/MessagingTest.java

@@ -0,0 +1,60 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.List;
+import org.apache.commons.lang3.tuple.Pair;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
+import org.whispersystems.textsecuregcm.entities.IncomingMessage;
+import org.whispersystems.textsecuregcm.entities.IncomingMessageList;
+import org.whispersystems.textsecuregcm.entities.OutgoingMessageEntityList;
+import org.whispersystems.textsecuregcm.entities.SendMessageResponse;
+import org.whispersystems.textsecuregcm.storage.Device;
+
+public class MessagingTest {
+
+  @ParameterizedTest
+  @ValueSource(booleans = {true, false})
+  public void testSendMessageUnsealed(final boolean atomicAccountCreation) throws Exception {
+    final TestUser userA;
+    final TestUser userB;
+
+    if (atomicAccountCreation) {
+      userA = Operations.newRegisteredUserAtomic("+19995550102");
+      userB = Operations.newRegisteredUserAtomic("+19995550103");
+    } else {
+      userA = Operations.newRegisteredUser("+19995550104");
+      userB = Operations.newRegisteredUser("+19995550105");
+    }
+
+    try {
+      final byte[] expectedContent = "Hello, World!".getBytes(StandardCharsets.UTF_8);
+      final String contentBase64 = Base64.getEncoder().encodeToString(expectedContent);
+      final IncomingMessage message = new IncomingMessage(1, Device.MASTER_ID, userB.registrationId(), contentBase64);
+      final IncomingMessageList messages = new IncomingMessageList(List.of(message), false, true, System.currentTimeMillis());
+
+      final Pair<Integer, SendMessageResponse> sendMessage = Operations
+          .apiPut("/v1/messages/%s".formatted(userB.aciUuid().toString()), messages)
+          .authorized(userA)
+          .execute(SendMessageResponse.class);
+
+      final Pair<Integer, OutgoingMessageEntityList> receiveMessages = Operations.apiGet("/v1/messages")
+          .authorized(userB)
+          .execute(OutgoingMessageEntityList.class);
+
+      final byte[] actualContent = receiveMessages.getRight().messages().get(0).content();
+      assertArrayEquals(expectedContent, actualContent);
+    } finally {
+      Operations.deleteUser(userA);
+      Operations.deleteUser(userB);
+    }
+  }
+}

integration-tests/src/test/java/org/signal/integration/RegistrationTest.java

@@ -0,0 +1,54 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.whispersystems.textsecuregcm.entities.CreateVerificationSessionRequest;
+import org.whispersystems.textsecuregcm.entities.SubmitVerificationCodeRequest;
+import org.whispersystems.textsecuregcm.entities.UpdateVerificationSessionRequest;
+import org.whispersystems.textsecuregcm.entities.VerificationCodeRequest;
+import org.whispersystems.textsecuregcm.entities.VerificationSessionResponse;
+
+public class RegistrationTest {
+
+  @Test
+  public void testRegistration() throws Exception {
+    final UpdateVerificationSessionRequest originalRequest = new UpdateVerificationSessionRequest(
+        "test", UpdateVerificationSessionRequest.PushTokenType.FCM, null, null, null, null);
+    final CreateVerificationSessionRequest input = new CreateVerificationSessionRequest("+19995550102", originalRequest);
+
+    final VerificationSessionResponse verificationSessionResponse = Operations
+        .apiPost("/v1/verification/session", input)
+        .executeExpectSuccess(VerificationSessionResponse.class);
+
+    final String sessionId = verificationSessionResponse.id();
+    final String pushChallenge = Operations.peekVerificationSessionPushChallenge(sessionId);
+
+    // supply push challenge
+    final UpdateVerificationSessionRequest updatedRequest = new UpdateVerificationSessionRequest(
+        "test", UpdateVerificationSessionRequest.PushTokenType.FCM, pushChallenge, null, null, null);
+    final VerificationSessionResponse pushChallengeSupplied = Operations
+        .apiPatch("/v1/verification/session/%s".formatted(sessionId), updatedRequest)
+        .executeExpectSuccess(VerificationSessionResponse.class);
+
+    Assertions.assertTrue(pushChallengeSupplied.allowedToRequestCode());
+
+    // request code
+    final VerificationCodeRequest verificationCodeRequest = new VerificationCodeRequest(
+        VerificationCodeRequest.Transport.SMS, "android-ng");
+
+    final VerificationSessionResponse codeRequested = Operations
+        .apiPost("/v1/verification/session/%s/code".formatted(sessionId), verificationCodeRequest)
+        .executeExpectSuccess(VerificationSessionResponse.class);
+
+    // verify code
+    final SubmitVerificationCodeRequest submitVerificationCodeRequest = new SubmitVerificationCodeRequest("265402");
+    final VerificationSessionResponse codeVerified = Operations
+        .apiPut("/v1/verification/session/%s/code".formatted(sessionId), submitVerificationCodeRequest)
+        .executeExpectSuccess(VerificationSessionResponse.class);
+  }
+}

pom.xml

@@ -14,14 +14,6 @@
         <enabled>false</enabled>
       </snapshots>
     </repository>
-    <repository>
-      <id>dynamodb-local-oregon</id>
-      <name>DynamoDB Local Release Repository</name>
-      <url>https://s3-us-west-2.amazonaws.com/dynamodb-local/release</url>
-      <snapshots>
-        <enabled>false</enabled>
-      </snapshots>
-    </repository>
   </repositories>
 
   <pluginRepositories>
@@ -38,17 +30,17 @@
   </pluginRepositories>
 
   <modules>
+    <module>api-doc</module>
     <module>event-logger</module>
-    <module>redis-dispatch</module>
-    <module>websocket-resources</module>
+    <module>integration-tests</module>
     <module>service</module>
+    <module>websocket-resources</module>
   </modules>
 
   <properties>
     <aws.sdk.version>1.12.376</aws.sdk.version>
     <aws.sdk2.version>2.19.8</aws.sdk2.version>
     <braintree.version>3.19.0</braintree.version>
-    <commons-codec.version>1.15</commons-codec.version>
     <commons-csv.version>1.9.0</commons-csv.version>
     <commons-io.version>2.9.0</commons-io.version>
     <dropwizard.version>2.0.34</dropwizard.version>
@@ -64,6 +56,7 @@
     <lettuce.version>6.2.1.RELEASE</lettuce.version>
     <libphonenumber.version>8.12.54</libphonenumber.version>
     <logstash.logback.version>7.2</logstash.logback.version>
+    <luajava.version>3.4.0</luajava.version>
     <micrometer.version>1.10.3</micrometer.version>
     <mockito.version>4.11.0</mockito.version>
     <netty.version>4.1.82.Final</netty.version>
@@ -76,6 +69,9 @@
     <stripe.version>21.2.0</stripe.version>
     <vavr.version>0.10.4</vavr.version>
 
+    <!-- 17.0.7_7-jre-jammy -->
+    <docker.image.sha256>ddf36656dc8920621fddf4928bdcb4b98c0d0e7bc9672f0cea8115c10ad5cbc6</docker.image.sha256>
+
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
   </properties>
 
@@ -151,7 +147,7 @@
       <dependency>
         <groupId>io.projectreactor</groupId>
         <artifactId>reactor-bom</artifactId>
-        <version>2020.0.24</version> <!-- 3.4.x, see https://github.com/reactor/reactor#bom-versioning-scheme -->
+        <version>2022.0.3</version> <!-- 3.5.x, see https://github.com/reactor/reactor#bom-versioning-scheme -->
         <type>pom</type>
         <scope>import</scope>
       </dependency>
@@ -187,11 +183,6 @@
         <artifactId>semver4j</artifactId>
         <version>${semver4j.version}</version>
       </dependency>
-      <dependency>
-        <groupId>commons-codec</groupId>
-        <artifactId>commons-codec</artifactId>
-        <version>${commons-codec.version}</version>
-      </dependency>
       <dependency>
         <groupId>commons-io</groupId>
         <artifactId>commons-io</artifactId>
@@ -302,7 +293,7 @@
       <dependency>
         <groupId>org.signal</groupId>
         <artifactId>libsignal-server</artifactId>
-        <version>0.21.1</version>
+        <version>0.26.0</version>
       </dependency>
       <dependency>
         <groupId>org.apache.logging.log4j</groupId>
@@ -393,6 +384,15 @@
         <version>1.7.0</version>
       </extension>
     </extensions>
+    <pluginManagement>
+      <plugins>
+        <plugin>
+          <groupId>com.google.cloud.tools</groupId>
+          <artifactId>jib-maven-plugin</artifactId>
+          <version>3.3.1</version>
+        </plugin>
+      </plugins>
+    </pluginManagement>
     <plugins>
 
       <plugin>
@@ -401,7 +401,7 @@
         <version>0.6.1</version>
         <configuration>
           <checkStaleness>false</checkStaleness>
-          <protocArtifact>com.google.protobuf:protoc:3.21.1:exe:${os.detected.classifier}</protocArtifact>
+          <protocArtifact>com.google.protobuf:protoc:${protobuf.version}:exe:${os.detected.classifier}</protocArtifact>
           <pluginId>grpc-java</pluginId>
           <pluginArtifact>io.grpc:protoc-gen-grpc-java:${grpc.version}:exe:${os.detected.classifier}</pluginArtifact>
         </configuration>

redis-dispatch/pom.xml

@@ -1,20 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0"
-  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
-  <parent>
-    <artifactId>TextSecureServer</artifactId>
-    <groupId>org.whispersystems.textsecure</groupId>
-    <version>JGITVER</version>
-  </parent>
-  <modelVersion>4.0.0</modelVersion>
-  <artifactId>redis-dispatch</artifactId>
-
-  <dependencies>
-    <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-api</artifactId>
-    </dependency>
-  </dependencies>
-
-</project>

redis-dispatch/src/main/java/org/whispersystems/dispatch/DispatchChannel.java

@@ -1,11 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch;
-
-public interface DispatchChannel {
-  void onDispatchMessage(String channel, byte[] message);
-  void onDispatchSubscribed(String channel);
-  void onDispatchUnsubscribed(String channel);
-}

redis-dispatch/src/main/java/org/whispersystems/dispatch/DispatchManager.java

@@ -1,157 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.whispersystems.dispatch.io.RedisPubSubConnectionFactory;
-import org.whispersystems.dispatch.redis.PubSubConnection;
-import org.whispersystems.dispatch.redis.PubSubReply;
-
-import java.io.IOException;
-import java.util.Map;
-import java.util.Optional;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.concurrent.Executor;
-import java.util.concurrent.Executors;
-
-@SuppressWarnings("OptionalUsedAsFieldOrParameterType")
-public class DispatchManager extends Thread {
-
-  private final Logger                       logger        = LoggerFactory.getLogger(DispatchManager.class);
-  private final Executor                     executor      = Executors.newCachedThreadPool();
-  private final Map<String, DispatchChannel> subscriptions = new ConcurrentHashMap<>();
-
-  private final Optional<DispatchChannel>    deadLetterChannel;
-  private final RedisPubSubConnectionFactory redisPubSubConnectionFactory;
-
-  private          PubSubConnection pubSubConnection;
-  private volatile boolean          running;
-
-  public DispatchManager(RedisPubSubConnectionFactory redisPubSubConnectionFactory,
-                         Optional<DispatchChannel> deadLetterChannel)
-  {
-    this.redisPubSubConnectionFactory = redisPubSubConnectionFactory;
-    this.deadLetterChannel            = deadLetterChannel;
-  }
-
-  @Override
-  public void start() {
-    this.pubSubConnection = redisPubSubConnectionFactory.connect();
-    this.running          = true;
-    super.start();
-  }
-
-  public void shutdown() {
-    this.running = false;
-    this.pubSubConnection.close();
-  }
-
-  public synchronized void subscribe(String name, DispatchChannel dispatchChannel) {
-    Optional<DispatchChannel> previous = Optional.ofNullable(subscriptions.get(name));
-    subscriptions.put(name, dispatchChannel);
-
-    try {
-      pubSubConnection.subscribe(name);
-    } catch (IOException e) {
-      logger.warn("Subscription error", e);
-    }
-
-    previous.ifPresent(channel -> dispatchUnsubscription(name, channel));
-  }
-
-  public synchronized void unsubscribe(String name, DispatchChannel channel) {
-    Optional<DispatchChannel> subscription = Optional.ofNullable(subscriptions.get(name));
-
-    if (subscription.isPresent() && subscription.get() == channel) {
-      subscriptions.remove(name);
-
-      try {
-        pubSubConnection.unsubscribe(name);
-      } catch (IOException e) {
-        logger.warn("Unsubscribe error", e);
-      }
-
-      dispatchUnsubscription(name, subscription.get());
-    }
-  }
-
-  public boolean hasSubscription(String name) {
-    return subscriptions.containsKey(name);
-  }
-  
-  @Override
-  public void run() {
-    while (running) {
-      try {
-        PubSubReply reply = pubSubConnection.read();
-
-        switch (reply.getType()) {
-          case UNSUBSCRIBE:                             break;
-          case SUBSCRIBE:   dispatchSubscribe(reply);   break;
-          case MESSAGE:     dispatchMessage(reply);     break;
-          default:          throw new AssertionError("Unknown pubsub reply type! " + reply.getType());
-        }
-      } catch (IOException e) {
-        logger.warn("***** PubSub Connection Error *****", e);
-        if (running) {
-          this.pubSubConnection.close();
-          this.pubSubConnection = redisPubSubConnectionFactory.connect();
-          resubscribeAll();
-        }
-      }
-    }
-
-    logger.warn("DispatchManager Shutting Down...");
-  }
-
-  private void dispatchSubscribe(final PubSubReply reply) {
-    Optional<DispatchChannel> subscription = Optional.ofNullable(subscriptions.get(reply.getChannel()));
-
-    if (subscription.isPresent()) {
-      dispatchSubscription(reply.getChannel(), subscription.get());
-    } else {
-      logger.info("Received subscribe event for non-existing channel: " + reply.getChannel());
-    }
-  }
-
-  private void dispatchMessage(PubSubReply reply) {
-    Optional<DispatchChannel> subscription = Optional.ofNullable(subscriptions.get(reply.getChannel()));
-
-    if (subscription.isPresent()) {
-      dispatchMessage(reply.getChannel(), subscription.get(), reply.getContent().get());
-    } else if (deadLetterChannel.isPresent()) {
-      dispatchMessage(reply.getChannel(), deadLetterChannel.get(), reply.getContent().get());
-    } else {
-      logger.warn("Received message for non-existing channel, with no dead letter handler: " + reply.getChannel());
-    }
-  }
-
-  private void resubscribeAll() {
-    new Thread(() -> {
-      synchronized (DispatchManager.this) {
-        try {
-          for (String name : subscriptions.keySet()) {
-            pubSubConnection.subscribe(name);
-          }
-        } catch (IOException e) {
-          logger.warn("***** RESUBSCRIPTION ERROR *****", e);
-        }
-      }
-    }).start();
-  }
-
-  private void dispatchMessage(final String name, final DispatchChannel channel, final byte[] message) {
-    executor.execute(() -> channel.onDispatchMessage(name, message));
-  }
-
-  private void dispatchSubscription(final String name, final DispatchChannel channel) {
-    executor.execute(() -> channel.onDispatchSubscribed(name));
-  }
-
-  private void dispatchUnsubscription(final String name, final DispatchChannel channel) {
-    executor.execute(() -> channel.onDispatchUnsubscribed(name));
-  }
-}

redis-dispatch/src/main/java/org/whispersystems/dispatch/io/RedisInputStream.java

@@ -1,68 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.io;
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-
-public class RedisInputStream {
-
-  private static final byte CR = 0x0D;
-  private static final byte LF = 0x0A;
-
-  private final InputStream inputStream;
-
-  public RedisInputStream(InputStream inputStream) {
-    this.inputStream = inputStream;
-  }
-
-  public String readLine() throws IOException {
-    ByteArrayOutputStream baos = new ByteArrayOutputStream();
-
-    boolean foundCr = false;
-
-    while (true) {
-      int character = inputStream.read();
-
-      if (character == -1) {
-        throw new IOException("Stream closed!");
-      }
-
-      baos.write(character);
-
-      if      (foundCr && character == LF) break;
-      else if (character == CR)            foundCr = true;
-      else if (foundCr)                    foundCr = false;
-    }
-
-    byte[] data = baos.toByteArray();
-    return new String(data, 0, data.length-2);
-  }
-
-  public byte[] readFully(int size) throws IOException {
-    byte[] result    = new byte[size];
-    int    offset    = 0;
-    int    remaining = result.length;
-
-    while (remaining > 0) {
-      int read = inputStream.read(result, offset, remaining);
-
-      if (read < 0) {
-        throw new IOException("Stream closed!");
-      }
-
-      offset    += read;
-      remaining -= read;
-    }
-
-    return result;
-  }
-
-  public void close() throws IOException {
-    inputStream.close();
-  }
-
-}

redis-dispatch/src/main/java/org/whispersystems/dispatch/io/RedisPubSubConnectionFactory.java

@@ -1,13 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.io;
-
-import org.whispersystems.dispatch.redis.PubSubConnection;
-
-public interface RedisPubSubConnectionFactory {
-
-  PubSubConnection connect();
-
-}

redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/PubSubConnection.java

@@ -1,123 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.whispersystems.dispatch.io.RedisInputStream;
-import org.whispersystems.dispatch.redis.protocol.ArrayReplyHeader;
-import org.whispersystems.dispatch.redis.protocol.IntReply;
-import org.whispersystems.dispatch.redis.protocol.StringReplyHeader;
-import org.whispersystems.dispatch.util.Util;
-
-import java.io.BufferedInputStream;
-import java.io.IOException;
-import java.io.OutputStream;
-import java.net.Socket;
-import java.util.Arrays;
-import java.util.Optional;
-import java.util.concurrent.atomic.AtomicBoolean;
-
-public class PubSubConnection {
-
-  private final Logger logger = LoggerFactory.getLogger(PubSubConnection.class);
-
-  private static final byte[] UNSUBSCRIBE_TYPE    = {'u', 'n', 's', 'u', 'b', 's', 'c', 'r', 'i', 'b', 'e'     };
-  private static final byte[] SUBSCRIBE_TYPE      = {'s', 'u', 'b', 's', 'c', 'r', 'i', 'b', 'e'               };
-  private static final byte[] MESSAGE_TYPE        = {'m', 'e', 's', 's', 'a', 'g', 'e'                         };
-
-  private static final byte[] SUBSCRIBE_COMMAND   = {'S', 'U', 'B', 'S', 'C', 'R', 'I', 'B', 'E', ' '          };
-  private static final byte[] UNSUBSCRIBE_COMMAND = {'U', 'N', 'S', 'U', 'B', 'S', 'C', 'R', 'I', 'B', 'E', ' '};
-  private static final byte[] CRLF                = {'\r', '\n'                                                };
-
-  private final OutputStream     outputStream;
-  private final RedisInputStream inputStream;
-  private final Socket           socket;
-  private final AtomicBoolean    closed;
-
-  public PubSubConnection(Socket socket) throws IOException {
-    this.socket       = socket;
-    this.outputStream = socket.getOutputStream();
-    this.inputStream  = new RedisInputStream(new BufferedInputStream(socket.getInputStream()));
-    this.closed       = new AtomicBoolean(false);
-  }
-
-  public void subscribe(String channelName) throws IOException {
-    if (closed.get()) throw new IOException("Connection closed!");
-
-    byte[] command = Util.combine(SUBSCRIBE_COMMAND, channelName.getBytes(), CRLF);
-    outputStream.write(command);
-  }
-
-  public void unsubscribe(String channelName) throws IOException {
-    if (closed.get()) throw new IOException("Connection closed!");
-
-    byte[] command = Util.combine(UNSUBSCRIBE_COMMAND, channelName.getBytes(), CRLF);
-    outputStream.write(command);
-  }
-
-  public PubSubReply read() throws IOException {
-    if (closed.get()) throw new IOException("Connection closed!");
-
-    ArrayReplyHeader replyHeader = new ArrayReplyHeader(inputStream.readLine());
-
-    if (replyHeader.getElementCount() != 3) {
-      throw new IOException("Received array reply header with strange count: " + replyHeader.getElementCount());
-    }
-
-    StringReplyHeader replyTypeHeader = new StringReplyHeader(inputStream.readLine());
-    byte[]            replyType       = inputStream.readFully(replyTypeHeader.getStringLength());
-    inputStream.readLine();
-
-    if      (Arrays.equals(SUBSCRIBE_TYPE, replyType))   return readSubscribeReply();
-    else if (Arrays.equals(UNSUBSCRIBE_TYPE, replyType)) return readUnsubscribeReply();
-    else if (Arrays.equals(MESSAGE_TYPE, replyType))     return readMessageReply();
-    else throw new IOException("Unknown reply type: " + new String(replyType));
-  }
-
-  public void close() {
-    try {
-      this.closed.set(true);
-      this.inputStream.close();
-      this.outputStream.close();
-      this.socket.close();
-    } catch (IOException e) {
-      logger.warn("Exception while closing", e);
-    }
-  }
-
-  private PubSubReply readMessageReply() throws IOException {
-    StringReplyHeader channelNameHeader = new StringReplyHeader(inputStream.readLine());
-    byte[]            channelName       = inputStream.readFully(channelNameHeader.getStringLength());
-    inputStream.readLine();
-
-    StringReplyHeader messageHeader = new StringReplyHeader(inputStream.readLine());
-    byte[]            message       = inputStream.readFully(messageHeader.getStringLength());
-    inputStream.readLine();
-
-    return new PubSubReply(PubSubReply.Type.MESSAGE, new String(channelName), Optional.of(message));
-  }
-
-  private PubSubReply readUnsubscribeReply() throws IOException {
-    String channelName = readSubscriptionReply();
-    return new PubSubReply(PubSubReply.Type.UNSUBSCRIBE, channelName, Optional.empty());
-  }
-
-  private PubSubReply readSubscribeReply() throws IOException {
-    String channelName = readSubscriptionReply();
-    return new PubSubReply(PubSubReply.Type.SUBSCRIBE, channelName, Optional.empty());
-  }
-
-  private String readSubscriptionReply() throws IOException {
-    StringReplyHeader channelNameHeader = new StringReplyHeader(inputStream.readLine());
-    byte[]            channelName       = inputStream.readFully(channelNameHeader.getStringLength());
-    inputStream.readLine();
-
-    new IntReply(inputStream.readLine());
-
-    return new String(channelName);
-  }
-
-}

redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/PubSubReply.java

@@ -1,40 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis;
-
-import java.util.Optional;
-
-@SuppressWarnings("OptionalUsedAsFieldOrParameterType")
-public class PubSubReply {
-
-  public enum Type {
-    MESSAGE,
-    SUBSCRIBE,
-    UNSUBSCRIBE
-  }
-
-  private final Type             type;
-  private final String           channel;
-  private final Optional<byte[]> content;
-
-  public PubSubReply(Type type, String channel, Optional<byte[]> content) {
-    this.type    = type;
-    this.channel = channel;
-    this.content = content;
-  }
-
-  public Type getType() {
-    return type;
-  }
-
-  public String getChannel() {
-    return channel;
-  }
-
-  public Optional<byte[]> getContent() {
-    return content;
-  }
-
-}

redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/protocol/ArrayReplyHeader.java

@@ -1,28 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis.protocol;
-
-import java.io.IOException;
-
-public class ArrayReplyHeader {
-
-  private final int elementCount;
-
-  public ArrayReplyHeader(String header) throws IOException {
-    if (header == null || header.length() < 2 || header.charAt(0) != '*') {
-      throw new IOException("Invalid array reply header: " + header);
-    }
-
-    try {
-      this.elementCount = Integer.parseInt(header.substring(1));
-    } catch (NumberFormatException e) {
-      throw new IOException(e);
-    }
-  }
-
-  public int getElementCount() {
-    return elementCount;
-  }
-}

redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/protocol/IntReply.java

@@ -1,28 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis.protocol;
-
-import java.io.IOException;
-
-public class IntReply {
-
-  private final int value;
-
-  public IntReply(String reply) throws IOException {
-    if (reply == null || reply.length() < 2 || reply.charAt(0) != ':') {
-      throw new IOException("Invalid int reply: " + reply);
-    }
-
-    try {
-      this.value = Integer.parseInt(reply.substring(1));
-    } catch (NumberFormatException e) {
-      throw new IOException(e);
-    }
-  }
-
-  public int getValue() {
-    return value;
-  }
-}

redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/protocol/StringReplyHeader.java

@@ -1,28 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis.protocol;
-
-import java.io.IOException;
-
-public class StringReplyHeader {
-
-  private final int stringLength;
-
-  public StringReplyHeader(String header) throws IOException {
-    if (header == null || header.length() < 2 || header.charAt(0) != '$') {
-      throw new IOException("Invalid string reply header: " + header);
-    }
-
-    try {
-      this.stringLength = Integer.parseInt(header.substring(1));
-    } catch (NumberFormatException e) {
-      throw new IOException(e);
-    }
-  }
-
-  public int getStringLength() {
-    return stringLength;
-  }
-}

redis-dispatch/src/main/java/org/whispersystems/dispatch/util/Util.java

@@ -1,40 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.util;
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-
-public class Util {
-
-  public static byte[] combine(byte[]... elements) {
-    try {
-      int sum = 0;
-
-      for (byte[] element : elements) {
-        sum += element.length;
-      }
-
-      ByteArrayOutputStream baos = new ByteArrayOutputStream(sum);
-
-      for (byte[] element : elements) {
-        baos.write(element);
-      }
-
-      return baos.toByteArray();
-    } catch (IOException e) {
-      throw new AssertionError(e);
-    }
-  }
-
-
-  public static void sleep(long millis) {
-    try {
-      Thread.sleep(millis);
-    } catch (InterruptedException e) {
-      throw new AssertionError(e);
-    }
-  }
-}

redis-dispatch/src/test/java/org/whispersystems/dispatch/DispatchManagerTest.java

@@ -1,123 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch;
-
-import static org.junit.jupiter.api.Assertions.assertArrayEquals;
-import static org.mockito.Mockito.eq;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.timeout;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Optional;
-import org.junit.jupiter.api.AfterEach;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.mockito.ArgumentCaptor;
-import org.mockito.stubbing.Answer;
-import org.whispersystems.dispatch.io.RedisPubSubConnectionFactory;
-import org.whispersystems.dispatch.redis.PubSubConnection;
-import org.whispersystems.dispatch.redis.PubSubReply;
-
-public class DispatchManagerTest {
-
-  private PubSubConnection             pubSubConnection;
-  private RedisPubSubConnectionFactory socketFactory;
-  private DispatchManager              dispatchManager;
-  private PubSubReplyInputStream       pubSubReplyInputStream;
-
-  @BeforeEach
-  void setUp() throws Exception {
-    pubSubConnection       = mock(PubSubConnection.class  );
-    socketFactory          = mock(RedisPubSubConnectionFactory.class);
-    pubSubReplyInputStream = new PubSubReplyInputStream();
-
-    when(socketFactory.connect()).thenReturn(pubSubConnection);
-    when(pubSubConnection.read()).thenAnswer((Answer<PubSubReply>) invocationOnMock -> pubSubReplyInputStream.read());
-
-    dispatchManager = new DispatchManager(socketFactory, Optional.empty());
-    dispatchManager.start();
-  }
-
-  @AfterEach
-  void tearDown() {
-    dispatchManager.shutdown();
-  }
-
-  @Test
-  public void testConnect() {
-    verify(socketFactory).connect();
-  }
-
-  @Test
-  public void testSubscribe() {
-    DispatchChannel dispatchChannel = mock(DispatchChannel.class);
-    dispatchManager.subscribe("foo", dispatchChannel);
-    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.SUBSCRIBE, "foo", Optional.empty()));
-
-    verify(dispatchChannel, timeout(1000)).onDispatchSubscribed(eq("foo"));
-  }
-
-  @Test
-  public void testSubscribeUnsubscribe() {
-    DispatchChannel dispatchChannel = mock(DispatchChannel.class);
-    dispatchManager.subscribe("foo", dispatchChannel);
-    dispatchManager.unsubscribe("foo", dispatchChannel);
-
-    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.SUBSCRIBE, "foo", Optional.empty()));
-    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.UNSUBSCRIBE, "foo", Optional.empty()));
-
-    verify(dispatchChannel, timeout(1000)).onDispatchUnsubscribed(eq("foo"));
-  }
-
-  @Test
-  public void testMessages() {
-    DispatchChannel fooChannel = mock(DispatchChannel.class);
-    DispatchChannel barChannel = mock(DispatchChannel.class);
-
-    dispatchManager.subscribe("foo", fooChannel);
-    dispatchManager.subscribe("bar", barChannel);
-
-    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.SUBSCRIBE, "foo", Optional.empty()));
-    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.SUBSCRIBE, "bar", Optional.empty()));
-
-    verify(fooChannel, timeout(1000)).onDispatchSubscribed(eq("foo"));
-    verify(barChannel, timeout(1000)).onDispatchSubscribed(eq("bar"));
-
-    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.MESSAGE, "foo", Optional.of("hello".getBytes())));
-    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.MESSAGE, "bar", Optional.of("there".getBytes())));
-
-    ArgumentCaptor<byte[]> captor = ArgumentCaptor.forClass(byte[].class);
-    verify(fooChannel, timeout(1000)).onDispatchMessage(eq("foo"), captor.capture());
-
-    assertArrayEquals("hello".getBytes(), captor.getValue());
-
-    verify(barChannel, timeout(1000)).onDispatchMessage(eq("bar"), captor.capture());
-
-    assertArrayEquals("there".getBytes(), captor.getValue());
-  }
-
-  private static class PubSubReplyInputStream {
-
-    private final List<PubSubReply> pubSubReplyList = new LinkedList<>();
-
-    public synchronized PubSubReply read() {
-      try {
-        while (pubSubReplyList.isEmpty()) wait();
-        return pubSubReplyList.remove(0);
-      } catch (InterruptedException e) {
-        throw new AssertionError(e);
-      }
-    }
-
-    public synchronized void write(PubSubReply pubSubReply) {
-      pubSubReplyList.add(pubSubReply);
-      notifyAll();
-    }
-  }
-
-}

redis-dispatch/src/test/java/org/whispersystems/dispatch/redis/PubSubConnectionTest.java

@@ -1,264 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis;
-
-import static org.junit.jupiter.api.Assertions.assertArrayEquals;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.ArgumentMatchers.anyInt;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.net.Socket;
-import java.security.SecureRandom;
-import org.junit.jupiter.api.Test;
-import org.mockito.ArgumentCaptor;
-import org.mockito.invocation.InvocationOnMock;
-import org.mockito.stubbing.Answer;
-
-class PubSubConnectionTest {
-
-  private static final String REPLY = "*3\r\n" +
-      "$9\r\n" +
-      "subscribe\r\n" +
-      "$5\r\n" +
-      "abcde\r\n" +
-      ":1\r\n" +
-      "*3\r\n" +
-      "$9\r\n" +
-      "subscribe\r\n" +
-      "$5\r\n" +
-      "fghij\r\n" +
-      ":2\r\n" +
-      "*3\r\n" +
-      "$9\r\n" +
-      "subscribe\r\n" +
-      "$5\r\n" +
-      "klmno\r\n" +
-      ":2\r\n" +
-      "*3\r\n" +
-      "$7\r\n" +
-      "message\r\n" +
-      "$5\r\n" +
-      "abcde\r\n" +
-      "$10\r\n" +
-      "1234567890\r\n" +
-      "*3\r\n" +
-      "$7\r\n" +
-      "message\r\n" +
-      "$5\r\n" +
-      "klmno\r\n" +
-      "$10\r\n" +
-      "0987654321\r\n";
-
-
-  @Test
-  void testSubscribe() throws IOException {
-    OutputStream outputStream = mock(OutputStream.class);
-    Socket       socket       = mock(Socket.class      );
-    when(socket.getOutputStream()).thenReturn(outputStream);
-    PubSubConnection connection  = new PubSubConnection(socket);
-
-    connection.subscribe("foobar");
-
-    ArgumentCaptor<byte[]> captor = ArgumentCaptor.forClass(byte[].class);
-    verify(outputStream).write(captor.capture());
-
-    assertArrayEquals(captor.getValue(), "SUBSCRIBE foobar\r\n".getBytes());
-  }
-
-  @Test
-  void testUnsubscribe() throws IOException {
-    OutputStream outputStream = mock(OutputStream.class);
-    Socket       socket       = mock(Socket.class      );
-    when(socket.getOutputStream()).thenReturn(outputStream);
-    PubSubConnection connection  = new PubSubConnection(socket);
-
-    connection.unsubscribe("bazbar");
-
-    ArgumentCaptor<byte[]> captor = ArgumentCaptor.forClass(byte[].class);
-    verify(outputStream).write(captor.capture());
-
-    assertArrayEquals(captor.getValue(), "UNSUBSCRIBE bazbar\r\n".getBytes());
-  }
-
-  @Test
-  void testTricklyResponse() throws Exception {
-    InputStream  inputStream  = mockInputStreamFor(new TrickleInputStream(REPLY.getBytes()));
-    OutputStream outputStream = mock(OutputStream.class);
-    Socket       socket       = mock(Socket.class      );
-    when(socket.getOutputStream()).thenReturn(outputStream);
-    when(socket.getInputStream()).thenReturn(inputStream);
-
-    PubSubConnection pubSubConnection = new PubSubConnection(socket);
-    readResponses(pubSubConnection);
-  }
-
-  @Test
-  void testFullResponse() throws Exception {
-    InputStream  inputStream  = mockInputStreamFor(new FullInputStream(REPLY.getBytes()));
-    OutputStream outputStream = mock(OutputStream.class);
-    Socket       socket       = mock(Socket.class      );
-    when(socket.getOutputStream()).thenReturn(outputStream);
-    when(socket.getInputStream()).thenReturn(inputStream);
-
-    PubSubConnection pubSubConnection = new PubSubConnection(socket);
-    readResponses(pubSubConnection);
-  }
-
-  @Test
-  void testRandomLengthResponse() throws Exception {
-    InputStream  inputStream  = mockInputStreamFor(new RandomInputStream(REPLY.getBytes()));
-    OutputStream outputStream = mock(OutputStream.class);
-    Socket       socket       = mock(Socket.class      );
-    when(socket.getOutputStream()).thenReturn(outputStream);
-    when(socket.getInputStream()).thenReturn(inputStream);
-
-    PubSubConnection pubSubConnection = new PubSubConnection(socket);
-    readResponses(pubSubConnection);
-  }
-
-  private InputStream mockInputStreamFor(final MockInputStream stub) throws IOException {
-    InputStream result = mock(InputStream.class);
-
-    when(result.read()).thenAnswer(new Answer<Integer>() {
-      @Override
-      public Integer answer(InvocationOnMock invocationOnMock) throws Throwable {
-        return stub.read();
-      }
-    });
-
-    when(result.read(any(byte[].class))).thenAnswer(new Answer<Integer>() {
-      @Override
-      public Integer answer(InvocationOnMock invocationOnMock) throws Throwable {
-        byte[] buffer = (byte[])invocationOnMock.getArguments()[0];
-        return stub.read(buffer, 0, buffer.length);
-      }
-    });
-
-    when(result.read(any(byte[].class), anyInt(), anyInt())).thenAnswer(new Answer<Integer>() {
-      @Override
-      public Integer answer(InvocationOnMock invocationOnMock) throws Throwable {
-        byte[] buffer = (byte[]) invocationOnMock.getArguments()[0];
-        int offset = (int) invocationOnMock.getArguments()[1];
-        int length = (int) invocationOnMock.getArguments()[2];
-
-        return stub.read(buffer, offset, length);
-      }
-    });
-
-    return result;
-  }
-
-  private void readResponses(PubSubConnection pubSubConnection) throws Exception {
-    PubSubReply reply = pubSubConnection.read();
-
-    assertEquals(reply.getType(), PubSubReply.Type.SUBSCRIBE);
-    assertEquals(reply.getChannel(), "abcde");
-    assertFalse(reply.getContent().isPresent());
-
-    reply = pubSubConnection.read();
-
-    assertEquals(reply.getType(), PubSubReply.Type.SUBSCRIBE);
-    assertEquals(reply.getChannel(), "fghij");
-    assertFalse(reply.getContent().isPresent());
-
-    reply = pubSubConnection.read();
-
-    assertEquals(reply.getType(), PubSubReply.Type.SUBSCRIBE);
-    assertEquals(reply.getChannel(), "klmno");
-    assertFalse(reply.getContent().isPresent());
-
-    reply = pubSubConnection.read();
-
-    assertEquals(reply.getType(), PubSubReply.Type.MESSAGE);
-    assertEquals(reply.getChannel(), "abcde");
-    assertArrayEquals(reply.getContent().get(), "1234567890".getBytes());
-
-    reply = pubSubConnection.read();
-
-    assertEquals(reply.getType(), PubSubReply.Type.MESSAGE);
-    assertEquals(reply.getChannel(), "klmno");
-    assertArrayEquals(reply.getContent().get(), "0987654321".getBytes());
-  }
-
-  private interface MockInputStream {
-    public int read();
-    public int read(byte[] input, int offset, int length);
-  }
-
-  private static class TrickleInputStream implements MockInputStream {
-
-    private final byte[] data;
-    private int index = 0;
-
-    private TrickleInputStream(byte[] data) {
-      this.data = data;
-    }
-
-    public int read() {
-      return data[index++];
-    }
-
-    public int read(byte[] input, int offset, int length) {
-      input[offset] = data[index++];
-      return 1;
-    }
-
-  }
-
-  private static class FullInputStream implements MockInputStream {
-
-    private final byte[] data;
-    private int index = 0;
-
-    private FullInputStream(byte[] data) {
-      this.data = data;
-    }
-
-    public int read() {
-      return data[index++];
-    }
-
-    public int read(byte[] input, int offset, int length) {
-      int amount = Math.min(data.length - index, length);
-      System.arraycopy(data, index, input, offset, amount);
-      index += length;
-
-      return amount;
-    }
-  }
-
-  private static class RandomInputStream implements MockInputStream {
-    private final byte[] data;
-    private int index = 0;
-
-    private RandomInputStream(byte[] data) {
-      this.data = data;
-    }
-
-    public int read() {
-      return data[index++];
-    }
-
-    public int read(byte[] input, int offset, int length) {
-      int maxCopy    = Math.min(data.length - index, length);
-      int randomCopy = new SecureRandom().nextInt(maxCopy) + 1;
-      int copyAmount = Math.min(maxCopy, randomCopy);
-
-      System.arraycopy(data, index, input, offset, copyAmount);
-      index += copyAmount;
-
-      return copyAmount;
-    }
-
-  }
-
-}

redis-dispatch/src/test/java/org/whispersystems/dispatch/redis/protocol/ArrayReplyHeaderTest.java

@@ -1,54 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis.protocol;
-
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-
-import java.io.IOException;
-import org.junit.jupiter.api.Test;
-
-class ArrayReplyHeaderTest {
-
-  @Test
-  void testNull() {
-    assertThrows(IOException.class, () -> new ArrayReplyHeader(null));
-  }
-
-  @Test
-  void testBadPrefix() {
-    assertThrows(IOException.class, () -> new ArrayReplyHeader(":3"));
-  }
-
-  @Test
-  void testEmpty() {
-    assertThrows(IOException.class, () -> new ArrayReplyHeader(""));
-  }
-
-  @Test
-  void testTruncated() {
-    assertThrows(IOException.class, () -> new ArrayReplyHeader("*"));
-  }
-
-  @Test
-  void testBadNumber() {
-    assertThrows(IOException.class, () -> new ArrayReplyHeader("*ABC"));
-  }
-
-  @Test
-  void testValid() throws IOException {
-    assertEquals(4, new ArrayReplyHeader("*4").getElementCount());
-  }
-
-
-
-
-
-
-
-
-
-}

redis-dispatch/src/test/java/org/whispersystems/dispatch/redis/protocol/IntReplyHeaderTest.java

@@ -1,39 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis.protocol;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-
-import java.io.IOException;
-import org.junit.jupiter.api.Test;
-
-class IntReplyHeaderTest {
-
-  @Test
-  void testNull() {
-    assertThrows(IOException.class, () -> new IntReply(null));
-  }
-
-  @Test
-  void testEmpty() {
-    assertThrows(IOException.class, () -> new IntReply(""));
-  }
-
-  @Test
-  void testBadNumber() {
-    assertThrows(IOException.class, () -> new IntReply(":A"));
-  }
-
-  @Test
-  void testBadFormat() {
-    assertThrows(IOException.class, () -> new IntReply("*"));
-  }
-
-  @Test
-  void testValid() throws IOException {
-    assertEquals(23, new IntReply(":23").getValue());
-  }
-}

redis-dispatch/src/test/java/org/whispersystems/dispatch/redis/protocol/StringReplyHeaderTest.java

@@ -1,35 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis.protocol;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-
-import java.io.IOException;
-import org.junit.jupiter.api.Test;
-
-class StringReplyHeaderTest {
-
-  @Test
-  void testNull() {
-    assertThrows(IOException.class, () -> new StringReplyHeader(null));
-  }
-
-  @Test
-  void testBadNumber() {
-    assertThrows(IOException.class, () -> new StringReplyHeader("$100A"));
-  }
-
-  @Test
-  void testBadPrefix() {
-    assertThrows(IOException.class, () -> new StringReplyHeader("*"));
-  }
-
-  @Test
-  void testValid() throws IOException {
-    assertEquals(1000, new StringReplyHeader("$1000").getStringLength());
-  }
-
-}

service/config/sample-secrets-bundle.yml

@@ -0,0 +1,84 @@
+datadog.apiKey: unset
+
+stripe.apiKey: unset
+stripe.idempotencyKeyGenerator: abcdefg12345678= # base64 for creating request idempotency hash
+
+braintree.privateKey: unset
+
+directoryV2.client.userAuthenticationTokenSharedSecret: abcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with CDS to generate auth tokens for Signal users
+directoryV2.client.userIdTokenSharedSecret: bbcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with CDS to generate auth identity tokens for Signal users
+
+svr2.userAuthenticationTokenSharedSecret: abcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with SVR2 to generate auth tokens for Signal users
+svr2.userIdTokenSharedSecret: bbcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with SVR2 to generate auth identity tokens for Signal users
+
+awsAttachments.accessKey: test
+awsAttachments.accessSecret: test
+
+gcpAttachments.rsaSigningKey: |
+  -----BEGIN PRIVATE KEY-----
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  AAAAAAAA
+  -----END PRIVATE KEY-----
+
+apn.signingKey: |
+  -----BEGIN PRIVATE KEY-----
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  AAAAAAAA
+  -----END PRIVATE KEY-----
+
+fcm.credentials: |
+  { "json": true }
+
+cdn.accessKey: test    # AWS Access Key ID
+cdn.accessSecret: test # AWS Access Secret
+
+unidentifiedDelivery.certificate: ABCD1234
+unidentifiedDelivery.privateKey: ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789AAAAAAA
+
+hCaptcha.apiKey: unset
+
+storageService.userAuthenticationTokenSharedSecret: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
+
+backupService.userAuthenticationTokenSharedSecret: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
+
+zkConfig.serverSecret: ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzAA==
+
+genericZkConfig.serverSecret: ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzAA==
+
+paymentsService.userAuthenticationTokenSharedSecret: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= # base64-encoded 32-byte secret shared with MobileCoin services used to generate auth tokens for Signal users
+paymentsService.fixerApiKey: unset
+paymentsService.coinMarketCapApiKey: unset
+
+artService.userAuthenticationTokenSharedSecret: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= # base64-encoded 32-byte secret not shared with any external service, but used in ArtController
+artService.userAuthenticationTokenUserIdSecret: AAAAAAAAAAA= # base64-encoded secret to obscure user phone numbers from Sticker Creator
+
+currentReportingKey.secret: AAAAAAAAAAA=
+currentReportingKey.salt: AAAAAAAAAAA=
+
+turn.secret: AAAAAAAAAAA=

service/config/sample.yml

@@ -3,16 +3,57 @@
 # `unset` values will need to be set to work properly.
 # Most other values are technically valid for a local/demonstration environment, but are probably not production-ready.
 
+logging:
+  level: INFO
+  appenders:
+    - type: console
+      threshold: ALL
+      timeZone: UTC
+      target: stdout
+    - type: logstashtcpsocket
+      destination: example.com:10516
+      apiKey: secret://datadog.apiKey
+      environment: staging
+
+metrics:
+  reporters:
+    - type: signal-datadog
+      frequency: 10 seconds
+      tags:
+        - "env:staging"
+        - "service:chat"
+      transport:
+        apiKey: secret://datadog.apiKey
+      excludesAttributes:
+        - m1_rate
+        - m5_rate
+        - m15_rate
+        - mean_rate
+        - stddev
+      useRegexFilters: true
+      excludes:
+        - ^.+\.total$
+        - ^.+\.request\.filtering$
+        - ^.+\.response\.filtering$
+        - ^executor\..+$
+        - ^lettuce\..+$
+  reportOnStop: true
+
 adminEventLoggingConfiguration:
   credentials: |
-    Some credentials text
-    blah blah blah
+    {
+      "key": "value"
+    }
+  secondaryCredentials: |
+    {
+      "key": "value"
+    }
   projectId: some-project-id
   logName: some-log-name
 
 stripe:
-  apiKey: unset
-  idempotencyKeyGenerator: abcdefg12345678= # base64 for creating request idempotency hash
+  apiKey: secret://stripe.apiKey
+  idempotencyKeyGenerator: secret://stripe.idempotencyKeyGenerator
   boostDescription: >
     Example
   supportedCurrencies:
@@ -24,7 +65,7 @@ stripe:
 braintree:
   merchantId: unset
   publicKey: unset
-  privateKey: unset
+  privateKey: secret://braintree.privateKey
   environment: unset
   graphqlUrl: unset
   merchantAccounts:
@@ -47,15 +88,18 @@ dynamoDbTables:
     scanPageSize: 100
   deletedAccounts:
     tableName: Example_DeletedAccounts
-    needsReconciliationIndexName: NeedsReconciliation
   deletedAccountsLock:
     tableName: Example_DeletedAccountsLock
   issuedReceipts:
     tableName: Example_IssuedReceipts
     expiration: P30D # Duration of time until rows expire
     generator: abcdefg12345678= # random base64-encoded binary sequence
-  keys:
+  ecKeys:
     tableName: Example_Keys
+  pqKeys:
+    tableName: Example_PQ_Keys
+  pqLastResortKeys:
+    tableName: Example_PQ_Last_Resort_Keys
   messages:
     tableName: Example_Messages
     expiration: P30D # Duration of time until rows expire
@@ -72,14 +116,17 @@ dynamoDbTables:
   redeemedReceipts:
     tableName: Example_RedeemedReceipts
     expiration: P30D # Duration of time until rows expire
+  registrationRecovery:
+    tableName: Example_RegistrationRecovery
+    expiration: P300D # Duration of time until rows expire
   remoteConfig:
     tableName: Example_RemoteConfig
   reportMessage:
     tableName: Example_ReportMessage
-  reservedUsernames:
-    tableName: Example_ReservedUsernames
   subscriptions:
     tableName: Example_Subscriptions
+  verificationSessions:
+    tableName: Example_VerificationSessions
 
 cacheCluster: # Redis server configuration for cache cluster
   configurationUri: redis://redis.example.com:6379/
@@ -88,9 +135,7 @@ clientPresenceCluster: # Redis server configuration for client presence cluster
   configurationUri: redis://redis.example.com:6379/
 
 pubsub: # Redis server configuration for pubsub cluster
-  url: redis://redis.example.com:6379/
-  replicaUrls:
-    - redis://redis.example.com:6379/
+  uri: redis://redis.example.com:6379/
 
 pushSchedulerCluster: # Redis server configuration for push scheduler cluster
   configurationUri: redis://redis.example.com:6379/
@@ -98,51 +143,39 @@ pushSchedulerCluster: # Redis server configuration for push scheduler cluster
 rateLimitersCluster: # Redis server configuration for rate limiters cluster
   configurationUri: redis://redis.example.com:6379/
 
-directory:
-  client: # Configuration for interfacing with Contact Discovery Service cluster
-    userAuthenticationTokenSharedSecret: 00000f # hex-encoded secret shared with CDS used to generate auth tokens for Signal users
-    userAuthenticationTokenUserIdSecret: 00000f # hex-encoded secret shared among Signal-Servers to obscure user phone numbers from CDS
-  sqs:
-    accessKey: test     # AWS SQS accessKey
-    accessSecret: test  # AWS SQS accessSecret
-    queueUrls: # AWS SQS queue urls
-      - https://sqs.example.com/directory.fifo
-  server: # One or more CDS servers
-    - replicationName: example           # CDS replication name
-      replicationUrl: cds.example.com    # CDS replication endpoint base url
-      replicationPassword: example       # CDS replication endpoint password
-      replicationCaCertificates:         # CDS replication endpoint TLS certificate trust root
-        - |
-          -----BEGIN CERTIFICATE-----
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-          AAAAAAAAAAAAAAAAAAAA
-          -----END CERTIFICATE-----
-
 directoryV2:
   client: # Configuration for interfacing with Contact Discovery Service v2 cluster
-    userAuthenticationTokenSharedSecret: abcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with CDS to generate auth tokens for Signal users
-    userIdTokenSharedSecret: bbcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with CDS to generate auth identity tokens for Signal users
+    userAuthenticationTokenSharedSecret: secret://directoryV2.client.userAuthenticationTokenSharedSecret
+    userIdTokenSharedSecret: secret://directoryV2.client.userIdTokenSharedSecret
 
 svr2:
-  userAuthenticationTokenSharedSecret: abcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with SVR2 to generate auth tokens for Signal users
-  userIdTokenSharedSecret: bbcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with SVR2 to generate auth identity tokens for Signal users
+  uri: svr2.example.com
+  userAuthenticationTokenSharedSecret: secret://svr2.userAuthenticationTokenSharedSecret
+  userIdTokenSharedSecret: secret://svr2.userIdTokenSharedSecret
+  svrCaCertificates:
+    - |
+      -----BEGIN CERTIFICATE-----
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      AAAAAAAAAAAAAAAAAAAA
+      -----END CERTIFICATE-----
+
 
 messageCache: # Redis server configuration for message store cache
   persistDelayMinutes: 1
@@ -153,8 +186,8 @@ metricsCluster:
   configurationUri: redis://redis.example.com:6379/
 
 awsAttachments: # AWS S3 configuration
-  accessKey: test
-  accessSecret: test
+  accessKey: secret://awsAttachments.accessKey
+  accessSecret: secret://awsAttachments.accessSecret
   bucket: aws-attachments
   region: us-west-2
 
@@ -163,82 +196,47 @@ gcpAttachments: # GCP Storage configuration
   email: user@example.cocm
   maxSizeInBytes: 1024
   pathPrefix:
-  rsaSigningKey: |
-    -----BEGIN PRIVATE KEY-----
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    AAAAAAAA
-    -----END PRIVATE KEY-----
+  rsaSigningKey: secret://gcpAttachments.rsaSigningKey
 
 accountDatabaseCrawler:
   chunkSize: 10           # accounts per run
-  chunkIntervalMs: 60000  # time per run
 
 apn: # Apple Push Notifications configuration
   sandbox: true
   bundleId: com.example.textsecuregcm
   keyId: unset
   teamId: unset
-  signingKey: |
-    -----BEGIN PRIVATE KEY-----
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    AAAAAAAA
-    -----END PRIVATE KEY-----
+  signingKey: secret://apn.signingKey
 
 fcm: # FCM configuration
-  credentials: |
-    { "json": true }
+  credentials: secret://fcm.credentials
 
 cdn:
-  accessKey: test    # AWS Access Key ID
-  accessSecret: test # AWS Access Secret
+  accessKey: secret://cdn.accessKey
+  accessSecret: secret://cdn.accessSecret
   bucket: cdn        # S3 Bucket name
   region: us-west-2  # AWS region
 
 datadog:
-  apiKey: unset
+  apiKey: secret://datadog.apiKey
   environment: dev
 
 unidentifiedDelivery:
-  certificate: ABCD1234
-  privateKey: ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789AAAAAAA
+  certificate: secret://unidentifiedDelivery.certificate
+  privateKey: secret://unidentifiedDelivery.privateKey
   expiresDays: 7
 
 recaptcha:
   projectPath: projects/example
   credentialConfigurationJson: "{ }" # service account configuration for backend authentication
+  secondaryCredentialConfigurationJson: "{ }" # service account configuration for backend authentication
 
 hCaptcha:
-  apiKey: unset
+  apiKey: secret://hCaptcha.apiKey
 
 storageService:
   uri: storage.example.com
-  userAuthenticationTokenSharedSecret: 00000f
+  userAuthenticationTokenSharedSecret: secret://storageService.userAuthenticationTokenSharedSecret
   storageCaCertificates:
     - |
       -----BEGIN CERTIFICATE-----
@@ -265,7 +263,7 @@ storageService:
 
 backupService:
   uri: backup.example.com
-  userAuthenticationTokenSharedSecret: 00000f
+  userAuthenticationTokenSharedSecret: secret://backupService.userAuthenticationTokenSharedSecret
   backupCaCertificates:
     - |
       -----BEGIN CERTIFICATE-----
@@ -292,7 +290,10 @@ backupService:
 
 zkConfig:
   serverPublic: ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-  serverSecret: ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzAA==
+  serverSecret: secret://zkConfig.serverSecret
+
+genericZkConfig:
+  serverSecret: secret://genericZkConfig.serverSecret
 
 appConfig:
   application: example
@@ -300,18 +301,24 @@ appConfig:
   configuration: example
 
 remoteConfig:
-  authorizedTokens:
-    - # 1st authorized token
-    - # 2nd authorized token
+  authorizedUsers:
+    - # 1st authorized user
+    - # 2nd authorized user
     - # ...
-    - # Nth authorized token
+    - # Nth authorized user
+  requiredHostedDomain: example.com
+  audiences:
+    - # 1st audience
+    - # 2nd audience
+    - # ...
+    - # Nth audience
   globalConfig: # keys and values that are given to clients on GET /v1/config
     EXAMPLE_KEY: VALUE
 
 paymentsService:
-  userAuthenticationTokenSharedSecret: 0000000f0000000f0000000f0000000f0000000f0000000f0000000f0000000f # hex-encoded 32-byte secret shared with MobileCoin services used to generate auth tokens for Signal users
-  fixerApiKey: unset
-  coinMarketCapApiKey: unset
+  userAuthenticationTokenSharedSecret: secret://paymentsService.userAuthenticationTokenSharedSecret
+  fixerApiKey: secret://paymentsService.fixerApiKey
+  coinMarketCapApiKey: secret://paymentsService.coinMarketCapApiKey
   coinMarketCapCurrencyIds:
     MOB: 7878
   paymentCurrencies:
@@ -319,8 +326,8 @@ paymentsService:
     - MOB
 
 artService:
-  userAuthenticationTokenSharedSecret: 0000000f0000000f0000000f0000000f0000000f0000000f0000000f0000000f # hex-encoded 32-byte secret not shared with any external service, but used in ArtController
-  userAuthenticationTokenUserIdSecret: 00000f # hex-encoded secret to obscure user phone numbers from Sticker Creator
+  userAuthenticationTokenSharedSecret: secret://artService.userAuthenticationTokenSharedSecret
+  userAuthenticationTokenUserIdSecret: secret://artService.userAuthenticationTokenUserIdSecret
 
 badges:
   badges:
@@ -379,7 +386,16 @@ oneTimeDonations:
 
 registrationService:
   host: registration.example.com
-  apiKey: EXAMPLE
+  port: 443
+  credentialConfigurationJson: |
+    {
+      "example": "example"
+    }
+  secondaryCredentialConfigurationJson: |
+    {
+      "example": "example"
+    }
+  identityTokenAudience: https://registration.example.com
   registrationCaCertificate: | # Registration service TLS certificate trust root
     -----BEGIN CERTIFICATE-----
     ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
@@ -402,3 +418,6 @@ registrationService:
     ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
     AAAAAAAAAAAAAAAAAAAA
     -----END CERTIFICATE-----
+
+turn:
+  secret: secret://turn.secret

service/pom.xml

@@ -11,6 +11,18 @@
   <artifactId>service</artifactId>
 
   <dependencies>
+    <dependency>
+      <groupId>io.swagger.core.v3</groupId>
+      <artifactId>swagger-jaxrs2</artifactId>
+      <version>2.2.8</version>
+      <exclusions>
+        <!-- org.yaml:snakeyaml is causing a dependency convergence error -->
+        <exclusion>
+          <groupId>org.yaml</groupId>
+          <artifactId>snakeyaml</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
     <dependency>
       <groupId>jakarta.servlet</groupId>
       <artifactId>jakarta.servlet-api</artifactId>
@@ -29,11 +41,6 @@
       <artifactId>event-logger</artifactId>
       <version>${project.version}</version>
     </dependency>
-    <dependency>
-      <groupId>org.whispersystems.textsecure</groupId>
-      <artifactId>redis-dispatch</artifactId>
-      <version>${project.version}</version>
-    </dependency>
     <dependency>
       <groupId>org.whispersystems.textsecure</groupId>
       <artifactId>websocket-resources</artifactId>
@@ -160,6 +167,26 @@
       </exclusions>
     </dependency>
 
+    <dependency>
+      <groupId>party.iroiro.luajava</groupId>
+      <artifactId>luajava</artifactId>
+      <version>${luajava.version}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>party.iroiro.luajava</groupId>
+      <artifactId>lua51</artifactId>
+      <version>${luajava.version}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>party.iroiro.luajava</groupId>
+      <artifactId>lua51-platform</artifactId>
+      <version>${luajava.version}</version>
+      <classifier>natives-desktop</classifier>
+      <scope>runtime</scope>
+    </dependency>
+
     <dependency>
       <groupId>org.eclipse.jetty.websocket</groupId>
       <artifactId>websocket-api</artifactId>
@@ -173,10 +200,6 @@
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-lang3</artifactId>
     </dependency>
-    <dependency>
-      <groupId>commons-codec</groupId>
-      <artifactId>commons-codec</artifactId>
-    </dependency>
     <dependency>
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-csv</artifactId>
@@ -271,10 +294,6 @@
       <groupId>software.amazon.awssdk</groupId>
       <artifactId>s3</artifactId>
     </dependency>
-    <dependency>
-      <groupId>software.amazon.awssdk</groupId>
-      <artifactId>sqs</artifactId>
-    </dependency>
     <dependency>
       <groupId>software.amazon.awssdk</groupId>
       <artifactId>dynamodb</artifactId>
@@ -291,6 +310,10 @@
       <groupId>com.amazonaws</groupId>
       <artifactId>aws-java-sdk-core</artifactId>
     </dependency>
+    <dependency>
+      <groupId>com.amazonaws</groupId>
+      <artifactId>aws-java-sdk-sts</artifactId>
+    </dependency>
     <dependency>
       <groupId>com.amazonaws</groupId>
       <artifactId>dynamodb-lock-client</artifactId>
@@ -385,6 +408,10 @@
       <groupId>io.projectreactor</groupId>
       <artifactId>reactor-core</artifactId>
     </dependency>
+    <dependency>
+      <groupId>io.projectreactor</groupId>
+      <artifactId>reactor-core-micrometer</artifactId>
+    </dependency>
     <dependency>
       <groupId>io.vavr</groupId>
       <artifactId>vavr</artifactId>
@@ -417,9 +444,21 @@
     <dependency>
       <groupId>com.amazonaws</groupId>
       <artifactId>DynamoDBLocal</artifactId>
-      <version>1.20.0</version>
+      <version>1.21.1</version>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>io.github.ganadist.sqlite4java</groupId>
+      <artifactId>libsqlite4java-osx-aarch64</artifactId>
+      <version>1.0.392</version>
+      <type>dylib</type>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>com.google.auth</groupId>
+      <artifactId>google-auth-library-oauth2-http</artifactId>
+    </dependency>
 
     <dependency>
       <groupId>com.google.cloud</groupId>
@@ -523,9 +562,9 @@
           </plugin>
 
           <plugin>
-            <groupId>org.signal</groupId>
+            <groupId>com.bazaarvoice.maven.plugins</groupId>
             <artifactId>s3-upload-maven-plugin</artifactId>
-            <version>1.6-SNAPSHOT</version>
+            <version>2.0.1</version>
             <configuration>
               <source>${project.build.directory}/${project.build.finalName}-bin.tar.gz</source>
               <bucketName>${deploy.bucketName}</bucketName>
@@ -542,6 +581,67 @@
               </execution>
             </executions>
           </plugin>
+
+          <plugin>
+            <groupId>com.google.cloud.tools</groupId>
+            <artifactId>jib-maven-plugin</artifactId>
+            <executions>
+              <execution>
+                <phase>deploy</phase>
+                <goals>
+                  <goal>build</goal>
+                </goals>
+              </execution>
+            </executions>
+            <configuration>
+              <from>
+                <image>eclipse-temurin@sha256:${docker.image.sha256}</image>
+              </from>
+              <to>
+                <image>${docker.repo}:${project.version}</image>
+              </to>
+              <container>
+                <mainClass>org.whispersystems.textsecuregcm.WhisperServerService</mainClass>
+                <jvmFlags>
+                  <jvmFlag>-server</jvmFlag>
+                  <jvmFlag>-Djava.awt.headless=true</jvmFlag>
+                  <jvmFlag>-Djdk.nio.maxCachedBufferSize=262144</jvmFlag>
+                  <jvmFlag>-Dlog4j2.formatMsgNoLookups=true</jvmFlag>
+                  <jvmFlag>-XX:MaxRAMPercentage=75</jvmFlag>
+                  <jvmFlag>-XX:+HeapDumpOnOutOfMemoryError</jvmFlag>
+                  <jvmFlag>-XX:HeapDumpPath=/tmp/heapdump.bin</jvmFlag>
+                </jvmFlags>
+                <ports>
+                  <port>8080</port>
+                </ports>
+                <creationTime>USE_CURRENT_TIMESTAMP</creationTime>
+              </container>
+              <extraDirectories>
+                <paths>
+                  <path>
+                    <from>${project.basedir}/config</from>
+                    <includes>*.yml</includes>
+                    <into>/usr/share/signal/</into>
+                  </path>
+                </paths>
+              </extraDirectories>
+            </configuration>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
+    <profile>
+      <id>include-spam-filter</id>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>com.google.cloud.tools</groupId>
+            <artifactId>jib-maven-plugin</artifactId>
+            <configuration>
+              <!-- we don't want jib to execute on this module -->
+              <skip>true</skip>
+            </configuration>
+          </plugin>
         </plugins>
       </build>
     </profile>
@@ -564,6 +664,16 @@
         </executions>
       </plugin>
 
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <version>3.0.0-M7</version>
+        <configuration>
+          <!-- work around PATCH not being a supported method on HttpUrlConnection -->
+          <argLine>--add-opens=java.base/java.net=ALL-UNNAMED</argLine>
+        </configuration>
+      </plugin>
+
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-jar-plugin</artifactId>

service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerConfiguration.java

@@ -7,34 +7,34 @@ package org.whispersystems.textsecuregcm;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import io.dropwizard.Configuration;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import javax.validation.Valid;
 import javax.validation.constraints.NotNull;
-import org.whispersystems.textsecuregcm.configuration.SpamFilterConfiguration;
 import org.whispersystems.textsecuregcm.configuration.AccountDatabaseCrawlerConfiguration;
 import org.whispersystems.textsecuregcm.configuration.AdminEventLoggingConfiguration;
 import org.whispersystems.textsecuregcm.configuration.ApnConfiguration;
 import org.whispersystems.textsecuregcm.configuration.AppConfigConfiguration;
+import org.whispersystems.textsecuregcm.configuration.ArtServiceConfiguration;
 import org.whispersystems.textsecuregcm.configuration.AwsAttachmentsConfiguration;
 import org.whispersystems.textsecuregcm.configuration.BadgesConfiguration;
 import org.whispersystems.textsecuregcm.configuration.BraintreeConfiguration;
 import org.whispersystems.textsecuregcm.configuration.CdnConfiguration;
 import org.whispersystems.textsecuregcm.configuration.DatadogConfiguration;
-import org.whispersystems.textsecuregcm.configuration.DirectoryConfiguration;
 import org.whispersystems.textsecuregcm.configuration.DirectoryV2Configuration;
 import org.whispersystems.textsecuregcm.configuration.DynamoDbClientConfiguration;
 import org.whispersystems.textsecuregcm.configuration.DynamoDbTables;
 import org.whispersystems.textsecuregcm.configuration.FcmConfiguration;
 import org.whispersystems.textsecuregcm.configuration.GcpAttachmentsConfiguration;
+import org.whispersystems.textsecuregcm.configuration.GenericZkConfig;
 import org.whispersystems.textsecuregcm.configuration.HCaptchaConfiguration;
 import org.whispersystems.textsecuregcm.configuration.MaxDeviceConfiguration;
 import org.whispersystems.textsecuregcm.configuration.MessageCacheConfiguration;
 import org.whispersystems.textsecuregcm.configuration.OneTimeDonationConfiguration;
 import org.whispersystems.textsecuregcm.configuration.PaymentsServiceConfiguration;
-import org.whispersystems.textsecuregcm.configuration.ArtServiceConfiguration;
-import org.whispersystems.textsecuregcm.configuration.RateLimitsConfiguration;
 import org.whispersystems.textsecuregcm.configuration.RecaptchaConfiguration;
 import org.whispersystems.textsecuregcm.configuration.RedisClusterConfiguration;
 import org.whispersystems.textsecuregcm.configuration.RedisConfiguration;
@@ -44,11 +44,13 @@ import org.whispersystems.textsecuregcm.configuration.ReportMessageConfiguration
 import org.whispersystems.textsecuregcm.configuration.SecureBackupServiceConfiguration;
 import org.whispersystems.textsecuregcm.configuration.SecureStorageServiceConfiguration;
 import org.whispersystems.textsecuregcm.configuration.SecureValueRecovery2Configuration;
+import org.whispersystems.textsecuregcm.configuration.SpamFilterConfiguration;
 import org.whispersystems.textsecuregcm.configuration.StripeConfiguration;
 import org.whispersystems.textsecuregcm.configuration.SubscriptionConfiguration;
-import org.whispersystems.textsecuregcm.configuration.TestDeviceConfiguration;
+import org.whispersystems.textsecuregcm.configuration.TurnSecretConfiguration;
 import org.whispersystems.textsecuregcm.configuration.UnidentifiedDeliveryConfiguration;
 import org.whispersystems.textsecuregcm.configuration.ZkConfig;
+import org.whispersystems.textsecuregcm.limits.RateLimiterConfig;
 import org.whispersystems.websocket.configuration.WebSocketConfiguration;
 
 /** @noinspection MismatchedQueryAndUpdateOfCollection, WeakerAccess */
@@ -114,11 +116,6 @@ public class WhisperServerConfiguration extends Configuration {
   @JsonProperty
   private RedisClusterConfiguration metricsCluster;
 
-  @NotNull
-  @Valid
-  @JsonProperty
-  private DirectoryConfiguration directory;
-
   @NotNull
   @Valid
   @JsonProperty
@@ -157,7 +154,7 @@ public class WhisperServerConfiguration extends Configuration {
   @Valid
   @NotNull
   @JsonProperty
-  private List<TestDeviceConfiguration> testDevices = new LinkedList<>();
+  private Set<String> testDevices = new HashSet<>();
 
   @Valid
   @NotNull
@@ -167,7 +164,7 @@ public class WhisperServerConfiguration extends Configuration {
   @Valid
   @NotNull
   @JsonProperty
-  private RateLimitsConfiguration limits = new RateLimitsConfiguration();
+  private Map<String, RateLimiterConfig> limits = new HashMap<>();
 
   @Valid
   @NotNull
@@ -224,6 +221,11 @@ public class WhisperServerConfiguration extends Configuration {
   @JsonProperty
   private ZkConfig zkConfig;
 
+  @Valid
+  @NotNull
+  @JsonProperty
+  private GenericZkConfig genericZkConfig;
+
   @Valid
   @NotNull
   @JsonProperty
@@ -263,6 +265,11 @@ public class WhisperServerConfiguration extends Configuration {
   @JsonProperty
   private RegistrationServiceConfiguration registrationService;
 
+  @Valid
+  @NotNull
+  @JsonProperty
+  private TurnSecretConfiguration turn;
+
   public AdminEventLoggingConfiguration getAdminEventLoggingConfiguration() {
     return adminEventLoggingConfiguration;
   }
@@ -315,10 +322,6 @@ public class WhisperServerConfiguration extends Configuration {
     return metricsCluster;
   }
 
-  public DirectoryConfiguration getDirectoryConfiguration() {
-    return directory;
-  }
-
   public SecureValueRecovery2Configuration getSvr2Configuration() {
     return svr2;
   }
@@ -351,7 +354,7 @@ public class WhisperServerConfiguration extends Configuration {
     return rateLimitersCluster;
   }
 
-  public RateLimitsConfiguration getLimitsConfiguration() {
+  public Map<String, RateLimiterConfig> getLimitsConfiguration() {
     return limits;
   }
 
@@ -375,15 +378,8 @@ public class WhisperServerConfiguration extends Configuration {
     return unidentifiedDelivery;
   }
 
-  public Map<String, Integer> getTestDevices() {
-    Map<String, Integer> results = new HashMap<>();
-
-    for (TestDeviceConfiguration testDeviceConfiguration : testDevices) {
-      results.put(testDeviceConfiguration.getNumber(),
-                  testDeviceConfiguration.getCode());
-    }
-
-    return results;
+  public Set<String> getTestDevices() {
+    return testDevices;
   }
 
   public Map<String, Integer> getMaxDevices() {
@@ -413,6 +409,10 @@ public class WhisperServerConfiguration extends Configuration {
     return zkConfig;
   }
 
+  public GenericZkConfig getGenericZkConfig() {
+    return genericZkConfig;
+  }
+
   public RemoteConfigConfiguration getRemoteConfigConfiguration() {
     return remoteConfig;
   }
@@ -444,4 +444,8 @@ public class WhisperServerConfiguration extends Configuration {
   public RegistrationServiceConfiguration getRegistrationServiceConfiguration() {
     return registrationService;
   }
+
+  public TurnSecretConfiguration getTurnSecretConfiguration() {
+    return turn;
+  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java

@@ -5,15 +5,15 @@
 package org.whispersystems.textsecuregcm;
 
 import static com.codahale.metrics.MetricRegistry.name;
+import static java.util.Objects.requireNonNull;
 
 import com.amazonaws.ClientConfiguration;
-import com.amazonaws.auth.InstanceProfileCredentialsProvider;
+import com.amazonaws.auth.AWSCredentialsProviderChain;
 import com.amazonaws.services.dynamodbv2.AmazonDynamoDB;
 import com.amazonaws.services.dynamodbv2.AmazonDynamoDBClientBuilder;
-import com.codahale.metrics.SharedMetricRegistries;
-import com.fasterxml.jackson.annotation.JsonAutoDetect;
-import com.fasterxml.jackson.annotation.PropertyAccessor;
-import com.fasterxml.jackson.databind.DeserializationFeature;
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
+import com.google.api.client.http.apache.v2.ApacheHttpTransport;
+import com.google.api.client.json.gson.GsonFactory;
 import com.google.auth.oauth2.GoogleCredentials;
 import com.google.cloud.logging.LoggingOptions;
 import com.google.common.collect.ImmutableMap;
@@ -27,21 +27,14 @@ import io.dropwizard.auth.basic.BasicCredentialAuthFilter;
 import io.dropwizard.auth.basic.BasicCredentials;
 import io.dropwizard.setup.Bootstrap;
 import io.dropwizard.setup.Environment;
-import io.lettuce.core.metrics.MicrometerCommandLatencyRecorder;
-import io.lettuce.core.metrics.MicrometerOptions;
 import io.lettuce.core.resource.ClientResources;
-import io.micrometer.core.instrument.Meter.Id;
 import io.micrometer.core.instrument.Metrics;
-import io.micrometer.core.instrument.Tags;
-import io.micrometer.core.instrument.config.MeterFilter;
-import io.micrometer.core.instrument.distribution.DistributionStatisticConfig;
-import io.micrometer.datadog.DatadogMeterRegistry;
+import io.micrometer.core.instrument.binder.jvm.ExecutorServiceMetrics;
 import java.io.ByteArrayInputStream;
 import java.net.http.HttpClient;
 import java.nio.charset.StandardCharsets;
 import java.time.Clock;
 import java.time.Duration;
-import java.util.ArrayList;
 import java.util.Collections;
 import java.util.EnumSet;
 import java.util.List;
@@ -53,7 +46,6 @@ import java.util.concurrent.ExecutorService;
 import java.util.concurrent.LinkedBlockingQueue;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.ThreadPoolExecutor;
-import java.util.concurrent.TimeUnit;
 import javax.servlet.DispatcherType;
 import javax.servlet.FilterRegistration;
 import javax.servlet.ServletRegistration;
@@ -62,6 +54,7 @@ import org.glassfish.jersey.server.ServerProperties;
 import org.signal.event.AdminEventLogger;
 import org.signal.event.GoogleCloudAdminEventLogger;
 import org.signal.i18n.HeaderControlledResourceBundleLookup;
+import org.signal.libsignal.zkgroup.GenericServerSecretParams;
 import org.signal.libsignal.zkgroup.ServerSecretParams;
 import org.signal.libsignal.zkgroup.auth.ServerZkAuthOperations;
 import org.signal.libsignal.zkgroup.profiles.ServerZkProfileOperations;
@@ -69,13 +62,14 @@ import org.signal.libsignal.zkgroup.receipts.ReceiptCredentialPresentation;
 import org.signal.libsignal.zkgroup.receipts.ServerZkReceiptOperations;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.whispersystems.dispatch.DispatchManager;
 import org.whispersystems.textsecuregcm.auth.AccountAuthenticator;
 import org.whispersystems.textsecuregcm.auth.AuthenticatedAccount;
 import org.whispersystems.textsecuregcm.auth.CertificateGenerator;
 import org.whispersystems.textsecuregcm.auth.DisabledPermittedAccountAuthenticator;
 import org.whispersystems.textsecuregcm.auth.DisabledPermittedAuthenticatedAccount;
 import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentialsGenerator;
+import org.whispersystems.textsecuregcm.auth.PhoneVerificationTokenManager;
+import org.whispersystems.textsecuregcm.auth.RegistrationLockVerificationManager;
 import org.whispersystems.textsecuregcm.auth.TurnTokenGenerator;
 import org.whispersystems.textsecuregcm.auth.WebsocketRefreshApplicationEventListener;
 import org.whispersystems.textsecuregcm.badges.ConfiguredProfileBadgeConverter;
@@ -83,16 +77,19 @@ import org.whispersystems.textsecuregcm.badges.ResourceBundleLevelTranslator;
 import org.whispersystems.textsecuregcm.captcha.CaptchaChecker;
 import org.whispersystems.textsecuregcm.captcha.HCaptchaClient;
 import org.whispersystems.textsecuregcm.captcha.RecaptchaClient;
-import org.whispersystems.textsecuregcm.configuration.DirectoryServerConfiguration;
+import org.whispersystems.textsecuregcm.captcha.RegistrationCaptchaManager;
 import org.whispersystems.textsecuregcm.configuration.dynamic.DynamicConfiguration;
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretStore;
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretsModule;
 import org.whispersystems.textsecuregcm.controllers.AccountController;
+import org.whispersystems.textsecuregcm.controllers.AccountControllerV2;
 import org.whispersystems.textsecuregcm.controllers.ArtController;
 import org.whispersystems.textsecuregcm.controllers.AttachmentControllerV2;
 import org.whispersystems.textsecuregcm.controllers.AttachmentControllerV3;
+import org.whispersystems.textsecuregcm.controllers.CallLinkController;
 import org.whispersystems.textsecuregcm.controllers.CertificateController;
 import org.whispersystems.textsecuregcm.controllers.ChallengeController;
 import org.whispersystems.textsecuregcm.controllers.DeviceController;
-import org.whispersystems.textsecuregcm.controllers.DirectoryController;
 import org.whispersystems.textsecuregcm.controllers.DirectoryV2Controller;
 import org.whispersystems.textsecuregcm.controllers.DonationController;
 import org.whispersystems.textsecuregcm.controllers.KeepAliveController;
@@ -101,12 +98,14 @@ import org.whispersystems.textsecuregcm.controllers.MessageController;
 import org.whispersystems.textsecuregcm.controllers.PaymentsController;
 import org.whispersystems.textsecuregcm.controllers.ProfileController;
 import org.whispersystems.textsecuregcm.controllers.ProvisioningController;
+import org.whispersystems.textsecuregcm.controllers.RegistrationController;
 import org.whispersystems.textsecuregcm.controllers.RemoteConfigController;
 import org.whispersystems.textsecuregcm.controllers.SecureBackupController;
 import org.whispersystems.textsecuregcm.controllers.SecureStorageController;
 import org.whispersystems.textsecuregcm.controllers.SecureValueRecovery2Controller;
 import org.whispersystems.textsecuregcm.controllers.StickerController;
 import org.whispersystems.textsecuregcm.controllers.SubscriptionController;
+import org.whispersystems.textsecuregcm.controllers.VerificationController;
 import org.whispersystems.textsecuregcm.currency.CoinMarketCapClient;
 import org.whispersystems.textsecuregcm.currency.CurrencyConversionManager;
 import org.whispersystems.textsecuregcm.currency.FixerClient;
@@ -114,7 +113,6 @@ import org.whispersystems.textsecuregcm.experiment.ExperimentEnrollmentManager;
 import org.whispersystems.textsecuregcm.filters.RemoteDeprecationFilter;
 import org.whispersystems.textsecuregcm.filters.RequestStatisticsFilter;
 import org.whispersystems.textsecuregcm.filters.TimestampResponseFilter;
-import org.whispersystems.textsecuregcm.limits.DynamicRateLimiters;
 import org.whispersystems.textsecuregcm.limits.PushChallengeManager;
 import org.whispersystems.textsecuregcm.limits.RateLimitChallengeManager;
 import org.whispersystems.textsecuregcm.limits.RateLimiters;
@@ -126,25 +124,13 @@ import org.whispersystems.textsecuregcm.mappers.InvalidWebsocketAddressException
 import org.whispersystems.textsecuregcm.mappers.JsonMappingExceptionMapper;
 import org.whispersystems.textsecuregcm.mappers.NonNormalizedPhoneNumberExceptionMapper;
 import org.whispersystems.textsecuregcm.mappers.RateLimitExceededExceptionMapper;
+import org.whispersystems.textsecuregcm.mappers.RegistrationServiceSenderExceptionMapper;
 import org.whispersystems.textsecuregcm.mappers.ServerRejectedExceptionMapper;
-import org.whispersystems.textsecuregcm.metrics.ApplicationShutdownMonitor;
-import org.whispersystems.textsecuregcm.metrics.BufferPoolGauges;
-import org.whispersystems.textsecuregcm.metrics.CpuUsageGauge;
-import org.whispersystems.textsecuregcm.metrics.FileDescriptorGauge;
-import org.whispersystems.textsecuregcm.metrics.FreeMemoryGauge;
-import org.whispersystems.textsecuregcm.metrics.GarbageCollectionGauges;
-import org.whispersystems.textsecuregcm.metrics.LettuceMetricsMeterFilter;
-import org.whispersystems.textsecuregcm.metrics.MaxFileDescriptorGauge;
 import org.whispersystems.textsecuregcm.metrics.MetricsApplicationEventListener;
-import org.whispersystems.textsecuregcm.metrics.MetricsRequestEventListener;
-import org.whispersystems.textsecuregcm.metrics.MicrometerRegistryManager;
-import org.whispersystems.textsecuregcm.metrics.NetworkReceivedGauge;
-import org.whispersystems.textsecuregcm.metrics.NetworkSentGauge;
-import org.whispersystems.textsecuregcm.metrics.OperatingSystemMemoryGauge;
+import org.whispersystems.textsecuregcm.metrics.MetricsUtil;
 import org.whispersystems.textsecuregcm.metrics.ReportedMessageMetricsListener;
 import org.whispersystems.textsecuregcm.metrics.TrafficSource;
 import org.whispersystems.textsecuregcm.providers.MultiRecipientMessageProvider;
-import org.whispersystems.textsecuregcm.providers.RedisClientFactory;
 import org.whispersystems.textsecuregcm.providers.RedisClusterHealthCheck;
 import org.whispersystems.textsecuregcm.push.APNSender;
 import org.whispersystems.textsecuregcm.push.ApnPushNotificationScheduler;
@@ -157,34 +143,29 @@ import org.whispersystems.textsecuregcm.push.PushNotificationManager;
 import org.whispersystems.textsecuregcm.push.ReceiptSender;
 import org.whispersystems.textsecuregcm.redis.ConnectionEventLogger;
 import org.whispersystems.textsecuregcm.redis.FaultTolerantRedisCluster;
-import org.whispersystems.textsecuregcm.redis.ReplicatedJedisPool;
 import org.whispersystems.textsecuregcm.registration.RegistrationServiceClient;
 import org.whispersystems.textsecuregcm.s3.PolicySigner;
 import org.whispersystems.textsecuregcm.s3.PostPolicyGenerator;
 import org.whispersystems.textsecuregcm.securebackup.SecureBackupClient;
 import org.whispersystems.textsecuregcm.securestorage.SecureStorageClient;
+import org.whispersystems.textsecuregcm.securevaluerecovery.SecureValueRecovery2Client;
 import org.whispersystems.textsecuregcm.spam.FilterSpam;
 import org.whispersystems.textsecuregcm.spam.RateLimitChallengeListener;
 import org.whispersystems.textsecuregcm.spam.ReportSpamTokenProvider;
+import org.whispersystems.textsecuregcm.spam.ScoreThresholdProvider;
 import org.whispersystems.textsecuregcm.spam.SpamFilter;
-import org.whispersystems.textsecuregcm.sqs.DirectoryQueue;
 import org.whispersystems.textsecuregcm.storage.AccountCleaner;
 import org.whispersystems.textsecuregcm.storage.AccountDatabaseCrawler;
 import org.whispersystems.textsecuregcm.storage.AccountDatabaseCrawlerCache;
 import org.whispersystems.textsecuregcm.storage.AccountDatabaseCrawlerListener;
+import org.whispersystems.textsecuregcm.storage.AccountLockManager;
 import org.whispersystems.textsecuregcm.storage.Accounts;
 import org.whispersystems.textsecuregcm.storage.AccountsManager;
 import org.whispersystems.textsecuregcm.storage.ChangeNumberManager;
-import org.whispersystems.textsecuregcm.storage.ContactDiscoveryWriter;
 import org.whispersystems.textsecuregcm.storage.DeletedAccounts;
-import org.whispersystems.textsecuregcm.storage.DeletedAccountsDirectoryReconciler;
-import org.whispersystems.textsecuregcm.storage.DeletedAccountsManager;
-import org.whispersystems.textsecuregcm.storage.DeletedAccountsTableCrawler;
-import org.whispersystems.textsecuregcm.storage.DirectoryReconciler;
-import org.whispersystems.textsecuregcm.storage.DirectoryReconciliationClient;
 import org.whispersystems.textsecuregcm.storage.DynamicConfigurationManager;
 import org.whispersystems.textsecuregcm.storage.IssuedReceiptsManager;
-import org.whispersystems.textsecuregcm.storage.Keys;
+import org.whispersystems.textsecuregcm.storage.KeysManager;
 import org.whispersystems.textsecuregcm.storage.MessagePersister;
 import org.whispersystems.textsecuregcm.storage.MessagesCache;
 import org.whispersystems.textsecuregcm.storage.MessagesDynamoDb;
@@ -193,10 +174,11 @@ import org.whispersystems.textsecuregcm.storage.NonNormalizedAccountCrawlerListe
 import org.whispersystems.textsecuregcm.storage.PhoneNumberIdentifiers;
 import org.whispersystems.textsecuregcm.storage.Profiles;
 import org.whispersystems.textsecuregcm.storage.ProfilesManager;
-import org.whispersystems.textsecuregcm.storage.PubSubManager;
 import org.whispersystems.textsecuregcm.storage.PushChallengeDynamoDb;
 import org.whispersystems.textsecuregcm.storage.PushFeedbackProcessor;
 import org.whispersystems.textsecuregcm.storage.RedeemedReceiptsManager;
+import org.whispersystems.textsecuregcm.storage.RegistrationRecoveryPasswords;
+import org.whispersystems.textsecuregcm.storage.RegistrationRecoveryPasswordsManager;
 import org.whispersystems.textsecuregcm.storage.RemoteConfigs;
 import org.whispersystems.textsecuregcm.storage.RemoteConfigsManager;
 import org.whispersystems.textsecuregcm.storage.ReportMessageDynamoDb;
@@ -204,11 +186,13 @@ import org.whispersystems.textsecuregcm.storage.ReportMessageManager;
 import org.whispersystems.textsecuregcm.storage.StoredVerificationCodeManager;
 import org.whispersystems.textsecuregcm.storage.SubscriptionManager;
 import org.whispersystems.textsecuregcm.storage.VerificationCodeStore;
+import org.whispersystems.textsecuregcm.storage.VerificationSessionManager;
+import org.whispersystems.textsecuregcm.storage.VerificationSessions;
 import org.whispersystems.textsecuregcm.subscriptions.BraintreeManager;
 import org.whispersystems.textsecuregcm.subscriptions.StripeManager;
-import org.whispersystems.textsecuregcm.util.Constants;
 import org.whispersystems.textsecuregcm.util.DynamoDbFromConfig;
-import org.whispersystems.textsecuregcm.util.HostnameUtil;
+import org.whispersystems.textsecuregcm.util.SystemMapper;
+import org.whispersystems.textsecuregcm.util.UsernameHashZkProofVerifier;
 import org.whispersystems.textsecuregcm.util.logging.LoggingUnhandledExceptionMapper;
 import org.whispersystems.textsecuregcm.util.logging.UncaughtExceptionHandler;
 import org.whispersystems.textsecuregcm.websocket.AuthenticatedConnectListener;
@@ -217,18 +201,24 @@ import org.whispersystems.textsecuregcm.websocket.WebSocketAccountAuthenticator;
 import org.whispersystems.textsecuregcm.workers.AssignUsernameCommand;
 import org.whispersystems.textsecuregcm.workers.CertificateCommand;
 import org.whispersystems.textsecuregcm.workers.CheckDynamicConfigurationCommand;
+import org.whispersystems.textsecuregcm.workers.CrawlAccountsCommand;
 import org.whispersystems.textsecuregcm.workers.DeleteUserCommand;
-import org.whispersystems.textsecuregcm.workers.ReserveUsernameCommand;
+import org.whispersystems.textsecuregcm.workers.MessagePersisterServiceCommand;
+import org.whispersystems.textsecuregcm.workers.ScheduledApnPushNotificationSenderServiceCommand;
 import org.whispersystems.textsecuregcm.workers.ServerVersionCommand;
-import org.whispersystems.textsecuregcm.workers.SetCrawlerAccelerationTask;
 import org.whispersystems.textsecuregcm.workers.SetRequestLoggingEnabledTask;
 import org.whispersystems.textsecuregcm.workers.SetUserDiscoverabilityCommand;
+import org.whispersystems.textsecuregcm.workers.UnlinkDeviceCommand;
 import org.whispersystems.textsecuregcm.workers.ZkParamsCommand;
 import org.whispersystems.websocket.WebSocketResourceProviderFactory;
 import org.whispersystems.websocket.setup.WebSocketEnvironment;
+import reactor.core.scheduler.Scheduler;
 import reactor.core.scheduler.Schedulers;
 import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
+import software.amazon.awssdk.auth.credentials.AwsCredentialsProviderChain;
+import software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider;
 import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
+import software.amazon.awssdk.auth.credentials.WebIdentityTokenFileCredentialsProvider;
 import software.amazon.awssdk.regions.Region;
 import software.amazon.awssdk.services.dynamodb.DynamoDbAsyncClient;
 import software.amazon.awssdk.services.dynamodb.DynamoDbClient;
@@ -238,16 +228,42 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
 
   private static final Logger log = LoggerFactory.getLogger(WhisperServerService.class);
 
+  public static final String SECRETS_BUNDLE_FILE_NAME_PROPERTY = "secrets.bundle.filename";
+
+  public static final software.amazon.awssdk.auth.credentials.AwsCredentialsProvider AWSSDK_CREDENTIALS_PROVIDER =
+      AwsCredentialsProviderChain.of(
+          InstanceProfileCredentialsProvider.create(),
+          WebIdentityTokenFileCredentialsProvider.create());
+
+  public static final AWSCredentialsProviderChain AWSSDK_V1_CREDENTIALS_PROVIDER_CHAIN = new AWSCredentialsProviderChain(
+      com.amazonaws.auth.InstanceProfileCredentialsProvider.getInstance(),
+      com.amazonaws.auth.WebIdentityTokenCredentialsProvider.create()
+  );
+
+
   @Override
-  public void initialize(Bootstrap<WhisperServerConfiguration> bootstrap) {
+  public void initialize(final Bootstrap<WhisperServerConfiguration> bootstrap) {
+    // `SecretStore` needs to be initialized before Dropwizard reads the main application config file.
+    final String secretsBundleFileName = requireNonNull(
+        System.getProperty(SECRETS_BUNDLE_FILE_NAME_PROPERTY),
+        "Application requires property [%s] to be provided".formatted(SECRETS_BUNDLE_FILE_NAME_PROPERTY));
+    final SecretStore secretStore = SecretStore.fromYamlFileSecretsBundle(secretsBundleFileName);
+    SecretsModule.INSTANCE.setSecretStore(secretStore);
+
+    // Initializing SystemMapper here because parsing of the main application config happens before `run()` method is called.
+    SystemMapper.configureMapper(bootstrap.getObjectMapper());
+
     bootstrap.addCommand(new DeleteUserCommand());
     bootstrap.addCommand(new CertificateCommand());
     bootstrap.addCommand(new ZkParamsCommand());
     bootstrap.addCommand(new ServerVersionCommand());
     bootstrap.addCommand(new CheckDynamicConfigurationCommand());
     bootstrap.addCommand(new SetUserDiscoverabilityCommand());
-    bootstrap.addCommand(new ReserveUsernameCommand());
     bootstrap.addCommand(new AssignUsernameCommand());
+    bootstrap.addCommand(new UnlinkDeviceCommand());
+    bootstrap.addCommand(new CrawlAccountsCommand());
+    bootstrap.addCommand(new ScheduledApnPushNotificationSenderServiceCommand());
+    bootstrap.addCommand(new MessagePersisterServiceCommand());
   }
 
   @Override
@@ -262,42 +278,11 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
 
     UncaughtExceptionHandler.register();
 
-    SharedMetricRegistries.add(Constants.METRICS_NAME, environment.metrics());
+    MetricsUtil.configureRegistries(config, environment);
 
-    final DistributionStatisticConfig defaultDistributionStatisticConfig = DistributionStatisticConfig.builder()
-        .percentiles(.75, .95, .99, .999)
-        .build();
-
-    {
-      final DatadogMeterRegistry datadogMeterRegistry = new DatadogMeterRegistry(
-          config.getDatadogConfiguration(), io.micrometer.core.instrument.Clock.SYSTEM);
-
-      datadogMeterRegistry.config().commonTags(
-              Tags.of(
-                  "service", "chat",
-                  "host", HostnameUtil.getLocalHostname(),
-                  "version", WhisperServerVersion.getServerVersion(),
-                  "env", config.getDatadogConfiguration().getEnvironment()))
-          .meterFilter(MeterFilter.denyNameStartsWith(MetricsRequestEventListener.REQUEST_COUNTER_NAME))
-          .meterFilter(MeterFilter.denyNameStartsWith(MetricsRequestEventListener.ANDROID_REQUEST_COUNTER_NAME))
-          .meterFilter(MeterFilter.denyNameStartsWith(MetricsRequestEventListener.DESKTOP_REQUEST_COUNTER_NAME))
-          .meterFilter(MeterFilter.denyNameStartsWith(MetricsRequestEventListener.IOS_REQUEST_COUNTER_NAME))
-          .meterFilter(new LettuceMetricsMeterFilter())
-          .meterFilter(new MeterFilter() {
-            @Override
-            public DistributionStatisticConfig configure(final Id id, final DistributionStatisticConfig config) {
-              return defaultDistributionStatisticConfig.merge(config);
-            }
-          });
-
-      Metrics.addRegistry(datadogMeterRegistry);
-    }
-
-    environment.lifecycle().manage(new MicrometerRegistryManager(Metrics.globalRegistry));
-
-    environment.getObjectMapper().configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
-    environment.getObjectMapper().setVisibility(PropertyAccessor.ALL, JsonAutoDetect.Visibility.NONE);
-    environment.getObjectMapper().setVisibility(PropertyAccessor.FIELD, JsonAutoDetect.Visibility.ANY);
+    final boolean useSecondaryCredentialsJson = Optional.ofNullable(
+            System.getenv("SIGNAL_USE_SECONDARY_CREDENTIALS_JSON"))
+        .isPresent();
 
     HeaderControlledResourceBundleLookup headerControlledResourceBundleLookup =
         new HeaderControlledResourceBundleLookup();
@@ -306,13 +291,11 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
     ResourceBundleLevelTranslator resourceBundleLevelTranslator = new ResourceBundleLevelTranslator(
         headerControlledResourceBundleLookup);
 
-    DynamoDbAsyncClient dynamoDbAsyncClient = DynamoDbFromConfig.asyncClient(
-        config.getDynamoDbClientConfiguration(),
-        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
+    DynamoDbAsyncClient dynamoDbAsyncClient = DynamoDbFromConfig.asyncClient(config.getDynamoDbClientConfiguration(),
+        AWSSDK_CREDENTIALS_PROVIDER);
 
-    DynamoDbClient dynamoDbClient = DynamoDbFromConfig.client(
-        config.getDynamoDbClientConfiguration(),
-        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
+    DynamoDbClient dynamoDbClient = DynamoDbFromConfig.client(config.getDynamoDbClientConfiguration(),
+        AWSSDK_CREDENTIALS_PROVIDER);
 
     AmazonDynamoDB deletedAccountsLockDynamoDbClient = AmazonDynamoDBClientBuilder.standard()
         .withRegion(config.getDynamoDbClientConfiguration().getRegion())
@@ -320,12 +303,11 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
                 ((int) config.getDynamoDbClientConfiguration().getClientExecutionTimeout().toMillis()))
             .withRequestTimeout(
                 (int) config.getDynamoDbClientConfiguration().getClientRequestTimeout().toMillis()))
-        .withCredentials(InstanceProfileCredentialsProvider.getInstance())
+        .withCredentials(AWSSDK_V1_CREDENTIALS_PROVIDER_CHAIN)
         .build();
 
     DeletedAccounts deletedAccounts = new DeletedAccounts(dynamoDbClient,
-        config.getDynamoDbTables().getDeletedAccounts().getTableName(),
-        config.getDynamoDbTables().getDeletedAccounts().getNeedsReconciliationIndexName());
+        config.getDynamoDbTables().getDeletedAccounts().getTableName());
 
     DynamicConfigurationManager<DynamicConfiguration> dynamicConfigurationManager =
         new DynamicConfigurationManager<>(config.getAppConfig().getApplication(),
@@ -352,7 +334,11 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
         config.getDynamoDbTables().getPhoneNumberIdentifiers().getTableName());
     Profiles profiles = new Profiles(dynamoDbClient, dynamoDbAsyncClient,
         config.getDynamoDbTables().getProfiles().getTableName());
-    Keys keys = new Keys(dynamoDbClient, config.getDynamoDbTables().getKeys().getTableName());
+    KeysManager keys = new KeysManager(
+            dynamoDbAsyncClient,
+        config.getDynamoDbTables().getEcKeys().getTableName(),
+        config.getDynamoDbTables().getKemKeys().getTableName(),
+        config.getDynamoDbTables().getKemLastResortKeys().getTableName());
     MessagesDynamoDb messagesDynamoDb = new MessagesDynamoDb(dynamoDbClient, dynamoDbAsyncClient,
         config.getDynamoDbTables().getMessages().getTableName(),
         config.getDynamoDbTables().getMessages().getExpiration(),
@@ -368,18 +354,17 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
         config.getDynamoDbTables().getPendingAccounts().getTableName());
     VerificationCodeStore pendingDevices = new VerificationCodeStore(dynamoDbClient,
         config.getDynamoDbTables().getPendingDevices().getTableName());
+    RegistrationRecoveryPasswords registrationRecoveryPasswords = new RegistrationRecoveryPasswords(
+        config.getDynamoDbTables().getRegistrationRecovery().getTableName(),
+        config.getDynamoDbTables().getRegistrationRecovery().getExpiration(),
+        dynamoDbClient,
+        dynamoDbAsyncClient
+    );
 
-    reactor.util.Metrics.MicrometerConfiguration.useRegistry(Metrics.globalRegistry);
-    Schedulers.enableMetrics();
+    final VerificationSessions verificationSessions = new VerificationSessions(dynamoDbAsyncClient,
+        config.getDynamoDbTables().getVerificationSessions().getTableName(), clock);
 
-    RedisClientFactory pubSubClientFactory = new RedisClientFactory("pubsub_cache",
-        config.getPubsubCacheConfiguration().getUrl(), config.getPubsubCacheConfiguration().getReplicaUrls(),
-        config.getPubsubCacheConfiguration().getCircuitBreakerConfiguration());
-    ReplicatedJedisPool pubsubClient = pubSubClientFactory.getRedisClientPool();
-
-    MicrometerOptions options = MicrometerOptions.builder().build();
-    ClientResources redisClientResources = ClientResources.builder()
-        .commandLatencyRecorder(new MicrometerCommandLatencyRecorder(Metrics.globalRegistry, options)).build();
+    ClientResources redisClientResources = ClientResources.builder().build();
     ConnectionEventLogger.logConnectionEvents(redisClientResources);
 
     FaultTolerantRedisCluster cacheCluster             = new FaultTolerantRedisCluster("main_cache_cluster", config.getCacheClusterConfiguration(), redisClientResources);
@@ -390,23 +375,38 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
     FaultTolerantRedisCluster rateLimitersCluster      = new FaultTolerantRedisCluster("rate_limiters", config.getRateLimitersCluster(), redisClientResources);
 
     final BlockingQueue<Runnable> keyspaceNotificationDispatchQueue = new ArrayBlockingQueue<>(100_000);
-    Metrics.gaugeCollectionSize(name(getClass(), "keyspaceNotificationDispatchQueueSize"), Collections.emptyList(), keyspaceNotificationDispatchQueue);
+    Metrics.gaugeCollectionSize(name(getClass(), "keyspaceNotificationDispatchQueueSize"), Collections.emptyList(),
+        keyspaceNotificationDispatchQueue);
     final BlockingQueue<Runnable> receiptSenderQueue = new LinkedBlockingQueue<>();
     Metrics.gaugeCollectionSize(name(getClass(), "receiptSenderQueue"), Collections.emptyList(), receiptSenderQueue);
-
     final BlockingQueue<Runnable> fcmSenderQueue = new LinkedBlockingQueue<>();
     Metrics.gaugeCollectionSize(name(getClass(), "fcmSenderQueue"), Collections.emptyList(), fcmSenderQueue);
+    final BlockingQueue<Runnable> messageDeliveryQueue = new LinkedBlockingQueue<>();
+    Metrics.gaugeCollectionSize(MetricsUtil.name(getClass(), "messageDeliveryQueue"), Collections.emptyList(),
+        messageDeliveryQueue);
 
     ScheduledExecutorService recurringJobExecutor = environment.lifecycle()
         .scheduledExecutorService(name(getClass(), "recurringJob-%d")).threads(6).build();
     ScheduledExecutorService websocketScheduledExecutor           = environment.lifecycle().scheduledExecutorService(name(getClass(), "websocket-%d")).threads(8).build();
     ExecutorService          keyspaceNotificationDispatchExecutor = environment.lifecycle().executorService(name(getClass(), "keyspaceNotification-%d")).maxThreads(16).workQueue(keyspaceNotificationDispatchQueue).build();
     ExecutorService          apnSenderExecutor                    = environment.lifecycle().executorService(name(getClass(), "apnSender-%d")).maxThreads(1).minThreads(1).build();
-    ExecutorService          fcmSenderExecutor                    = environment.lifecycle().executorService(name(getClass(), "fcmSender-%d")).maxThreads(32).minThreads(32).workQueue(fcmSenderQueue).build();
-    ExecutorService          backupServiceExecutor                = environment.lifecycle().executorService(name(getClass(), "backupService-%d")).maxThreads(1).minThreads(1).build();
-    ExecutorService          storageServiceExecutor               = environment.lifecycle().executorService(name(getClass(), "storageService-%d")).maxThreads(1).minThreads(1).build();
+    ExecutorService fcmSenderExecutor = environment.lifecycle().executorService(name(getClass(), "fcmSender-%d"))
+        .maxThreads(32).minThreads(32).workQueue(fcmSenderQueue).build();
+    ExecutorService secureValueRecoveryServiceExecutor = environment.lifecycle()
+        .executorService(name(getClass(), "secureValueRecoveryService-%d")).maxThreads(1).minThreads(1).build();
+    ExecutorService storageServiceExecutor = environment.lifecycle()
+        .executorService(name(getClass(), "storageService-%d")).maxThreads(1).minThreads(1).build();
     ExecutorService          accountDeletionExecutor              = environment.lifecycle().executorService(name(getClass(), "accountCleaner-%d")).maxThreads(16).minThreads(16).build();
 
+    Scheduler messageDeliveryScheduler = Schedulers.fromExecutorService(
+            ExecutorServiceMetrics.monitor(Metrics.globalRegistry,
+                    environment.lifecycle().executorService(name(getClass(), "messageDelivery-%d"))
+                            .minThreads(20)
+                            .maxThreads(20)
+                            .workQueue(messageDeliveryQueue)
+                            .build(),
+                    MetricsUtil.name(getClass(), "messageDeliveryExecutor"), MetricsUtil.PREFIX),
+            "messageDelivery");
     // TODO: generally speaking this is a DynamoDB I/O executor for the accounts table; we should eventually have a general executor for speaking to the accounts table, but most of the server is still synchronous so this isn't widely useful yet
     ExecutorService batchIdentityCheckExecutor = environment.lifecycle().executorService(name(getClass(), "batchIdentityCheck-%d")).minThreads(32).maxThreads(32).build();
     ExecutorService multiRecipientMessageExecutor = environment.lifecycle()
@@ -433,21 +433,21 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
     final AdminEventLogger adminEventLogger = new GoogleCloudAdminEventLogger(
         LoggingOptions.newBuilder().setProjectId(config.getAdminEventLoggingConfiguration().projectId())
             .setCredentials(GoogleCredentials.fromStream(new ByteArrayInputStream(
-                config.getAdminEventLoggingConfiguration().credentials().getBytes(StandardCharsets.UTF_8))))
+                useSecondaryCredentialsJson
+                    ? config.getAdminEventLoggingConfiguration().secondaryCredentials().getBytes(StandardCharsets.UTF_8)
+                    : config.getAdminEventLoggingConfiguration().credentials().getBytes(StandardCharsets.UTF_8))))
             .build().getService(),
         config.getAdminEventLoggingConfiguration().projectId(),
         config.getAdminEventLoggingConfiguration().logName());
 
-    StripeManager stripeManager = new StripeManager(config.getStripe().apiKey(), subscriptionProcessorExecutor,
-        config.getStripe().idempotencyKeyGenerator(), config.getStripe().boostDescription(), config.getStripe()
+    StripeManager stripeManager = new StripeManager(config.getStripe().apiKey().value(), subscriptionProcessorExecutor,
+        config.getStripe().idempotencyKeyGenerator().value(), config.getStripe().boostDescription(), config.getStripe()
         .supportedCurrencies());
     BraintreeManager braintreeManager = new BraintreeManager(config.getBraintree().merchantId(),
-        config.getBraintree().publicKey(), config.getBraintree().privateKey(), config.getBraintree().environment(),
+        config.getBraintree().publicKey(), config.getBraintree().privateKey().value(), config.getBraintree().environment(),
         config.getBraintree().supportedCurrencies(), config.getBraintree().merchantAccounts(),
         config.getBraintree().graphqlUrl(), config.getBraintree().circuitBreaker(), subscriptionProcessorExecutor);
 
-    ExternalServiceCredentialsGenerator directoryCredentialsGenerator = DirectoryController.credentialsGenerator(
-        config.getDirectoryConfiguration().getDirectoryClientConfiguration());
     ExternalServiceCredentialsGenerator directoryV2CredentialsGenerator = DirectoryV2Controller.credentialsGenerator(
         config.getDirectoryV2Configuration().getDirectoryV2ClientConfiguration());
     ExternalServiceCredentialsGenerator storageCredentialsGenerator = SecureStorageController.credentialsGenerator(
@@ -463,117 +463,124 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
 
     dynamicConfigurationManager.start();
 
-    ExperimentEnrollmentManager experimentEnrollmentManager = new ExperimentEnrollmentManager(dynamicConfigurationManager);
+    ExperimentEnrollmentManager experimentEnrollmentManager = new ExperimentEnrollmentManager(
+        dynamicConfigurationManager);
+    RegistrationRecoveryPasswordsManager registrationRecoveryPasswordsManager = new RegistrationRecoveryPasswordsManager(
+        registrationRecoveryPasswords);
+    UsernameHashZkProofVerifier usernameHashZkProofVerifier = new UsernameHashZkProofVerifier();
 
-    RegistrationServiceClient  registrationServiceClient  = new RegistrationServiceClient(config.getRegistrationServiceConfiguration().getHost(), config.getRegistrationServiceConfiguration().getPort(), config.getRegistrationServiceConfiguration().getApiKey(), config.getRegistrationServiceConfiguration().getRegistrationCaCertificate(), registrationCallbackExecutor);
-    SecureBackupClient         secureBackupClient         = new SecureBackupClient(backupCredentialsGenerator, backupServiceExecutor, config.getSecureBackupServiceConfiguration());
-    SecureStorageClient        secureStorageClient        = new SecureStorageClient(storageCredentialsGenerator, storageServiceExecutor, config.getSecureStorageServiceConfiguration());
-    ClientPresenceManager      clientPresenceManager      = new ClientPresenceManager(clientPresenceCluster, recurringJobExecutor, keyspaceNotificationDispatchExecutor);
-    DirectoryQueue             directoryQueue             = new DirectoryQueue(config.getDirectoryConfiguration().getSqsConfiguration());
-    StoredVerificationCodeManager pendingAccountsManager  = new StoredVerificationCodeManager(pendingAccounts);
-    StoredVerificationCodeManager pendingDevicesManager   = new StoredVerificationCodeManager(pendingDevices);
+    RegistrationServiceClient registrationServiceClient = new RegistrationServiceClient(
+        config.getRegistrationServiceConfiguration().host(),
+        config.getRegistrationServiceConfiguration().port(),
+        useSecondaryCredentialsJson
+            ? config.getRegistrationServiceConfiguration().secondaryCredentialConfigurationJson()
+            : config.getRegistrationServiceConfiguration().credentialConfigurationJson(),
+        config.getRegistrationServiceConfiguration().identityTokenAudience(),
+        config.getRegistrationServiceConfiguration().registrationCaCertificate(),
+        registrationCallbackExecutor);
+    SecureBackupClient secureBackupClient = new SecureBackupClient(backupCredentialsGenerator,
+        secureValueRecoveryServiceExecutor, config.getSecureBackupServiceConfiguration());
+    SecureValueRecovery2Client secureValueRecovery2Client = new SecureValueRecovery2Client(svr2CredentialsGenerator,
+        secureValueRecoveryServiceExecutor, config.getSvr2Configuration());
+    SecureStorageClient secureStorageClient = new SecureStorageClient(storageCredentialsGenerator,
+        storageServiceExecutor, config.getSecureStorageServiceConfiguration());
+    ClientPresenceManager clientPresenceManager = new ClientPresenceManager(clientPresenceCluster, recurringJobExecutor,
+        keyspaceNotificationDispatchExecutor);
+    StoredVerificationCodeManager pendingAccountsManager = new StoredVerificationCodeManager(pendingAccounts);
+    StoredVerificationCodeManager pendingDevicesManager = new StoredVerificationCodeManager(pendingDevices);
     ProfilesManager profilesManager = new ProfilesManager(profiles, cacheCluster);
-    MessagesCache messagesCache = new MessagesCache(messagesCluster, messagesCluster, Clock.systemUTC(),
-        keyspaceNotificationDispatchExecutor, messageDeletionAsyncExecutor);
+    MessagesCache messagesCache = new MessagesCache(messagesCluster, messagesCluster,
+        keyspaceNotificationDispatchExecutor, messageDeliveryScheduler, messageDeletionAsyncExecutor, clock);
     PushLatencyManager pushLatencyManager = new PushLatencyManager(metricsCluster, dynamicConfigurationManager);
     ReportMessageManager reportMessageManager = new ReportMessageManager(reportMessageDynamoDb, rateLimitersCluster,
         config.getReportMessageConfiguration().getCounterTtl());
     MessagesManager messagesManager = new MessagesManager(messagesDynamoDb, messagesCache, reportMessageManager,
         messageDeletionAsyncExecutor);
-    DeletedAccountsManager deletedAccountsManager = new DeletedAccountsManager(deletedAccounts,
-        deletedAccountsLockDynamoDbClient, config.getDynamoDbTables().getDeletedAccountsLock().getTableName());
+    AccountLockManager accountLockManager = new AccountLockManager(deletedAccountsLockDynamoDbClient, config.getDynamoDbTables().getDeletedAccountsLock().getTableName());
     AccountsManager accountsManager = new AccountsManager(accounts, phoneNumberIdentifiers, cacheCluster,
-        deletedAccountsManager, directoryQueue, keys, messagesManager, profilesManager,
-        pendingAccountsManager, secureStorageClient, secureBackupClient, clientPresenceManager,
-        experimentEnrollmentManager, clock);
-    RemoteConfigsManager       remoteConfigsManager       = new RemoteConfigsManager(remoteConfigs);
-    DispatchManager            dispatchManager            = new DispatchManager(pubSubClientFactory, Optional.empty());
-    PubSubManager              pubSubManager              = new PubSubManager(pubsubClient, dispatchManager);
-    APNSender                  apnSender                  = new APNSender(apnSenderExecutor, config.getApnConfiguration());
-    FcmSender                  fcmSender                  = new FcmSender(fcmSenderExecutor, config.getFcmConfiguration().credentials());
-    ApnPushNotificationScheduler apnPushNotificationScheduler = new ApnPushNotificationScheduler(pushSchedulerCluster, apnSender, accountsManager);
-    PushNotificationManager    pushNotificationManager    = new PushNotificationManager(accountsManager, apnSender, fcmSender, apnPushNotificationScheduler, pushLatencyManager, dynamicConfigurationManager);
-    RateLimiters               rateLimiters               = new RateLimiters(config.getLimitsConfiguration(), rateLimitersCluster);
-    DynamicRateLimiters        dynamicRateLimiters        = new DynamicRateLimiters(rateLimitersCluster, dynamicConfigurationManager);
-    ProvisioningManager        provisioningManager        = new ProvisioningManager(pubSubManager);
+        accountLockManager, deletedAccounts, keys, messagesManager, profilesManager,
+        pendingAccountsManager, secureStorageClient, secureBackupClient, secureValueRecovery2Client,
+        clientPresenceManager,
+        experimentEnrollmentManager, registrationRecoveryPasswordsManager, clock);
+    RemoteConfigsManager remoteConfigsManager = new RemoteConfigsManager(remoteConfigs);
+    APNSender apnSender = new APNSender(apnSenderExecutor, config.getApnConfiguration());
+    FcmSender fcmSender = new FcmSender(fcmSenderExecutor, config.getFcmConfiguration().credentials().value());
+    ApnPushNotificationScheduler apnPushNotificationScheduler = new ApnPushNotificationScheduler(pushSchedulerCluster,
+        apnSender, accountsManager, Optional.empty(), dynamicConfigurationManager);
+    PushNotificationManager pushNotificationManager = new PushNotificationManager(accountsManager, apnSender, fcmSender,
+        apnPushNotificationScheduler, pushLatencyManager);
+    RateLimiters rateLimiters = RateLimiters.createAndValidate(config.getLimitsConfiguration(),
+        dynamicConfigurationManager, rateLimitersCluster);
+    ProvisioningManager provisioningManager = new ProvisioningManager(config.getPubsubCacheConfiguration().getUri(),
+        redisClientResources, config.getPubsubCacheConfiguration().getTimeout(),
+        config.getPubsubCacheConfiguration().getCircuitBreakerConfiguration());
     IssuedReceiptsManager issuedReceiptsManager = new IssuedReceiptsManager(
         config.getDynamoDbTables().getIssuedReceipts().getTableName(),
         config.getDynamoDbTables().getIssuedReceipts().getExpiration(),
         dynamoDbAsyncClient,
         config.getDynamoDbTables().getIssuedReceipts().getGenerator());
-    RedeemedReceiptsManager redeemedReceiptsManager = new RedeemedReceiptsManager(
-        clock,
+    RedeemedReceiptsManager redeemedReceiptsManager = new RedeemedReceiptsManager(clock,
         config.getDynamoDbTables().getRedeemedReceipts().getTableName(),
         dynamoDbAsyncClient,
         config.getDynamoDbTables().getRedeemedReceipts().getExpiration());
     SubscriptionManager subscriptionManager = new SubscriptionManager(
         config.getDynamoDbTables().getSubscriptions().getTableName(), dynamoDbAsyncClient);
 
-    ReportedMessageMetricsListener reportedMessageMetricsListener = new ReportedMessageMetricsListener(accountsManager);
+    final RegistrationLockVerificationManager registrationLockVerificationManager = new RegistrationLockVerificationManager(
+        accountsManager, clientPresenceManager, backupCredentialsGenerator, svr2CredentialsGenerator, registrationRecoveryPasswordsManager, pushNotificationManager, rateLimiters);
+    final PhoneVerificationTokenManager phoneVerificationTokenManager = new PhoneVerificationTokenManager(
+        registrationServiceClient, registrationRecoveryPasswordsManager);
+
+    final ReportedMessageMetricsListener reportedMessageMetricsListener = new ReportedMessageMetricsListener(
+        accountsManager);
     reportMessageManager.addListener(reportedMessageMetricsListener);
 
-    AccountAuthenticator                  accountAuthenticator                  = new AccountAuthenticator(accountsManager);
-    DisabledPermittedAccountAuthenticator disabledPermittedAccountAuthenticator = new DisabledPermittedAccountAuthenticator(accountsManager);
+    final AccountAuthenticator accountAuthenticator = new AccountAuthenticator(accountsManager);
+    final DisabledPermittedAccountAuthenticator disabledPermittedAccountAuthenticator = new DisabledPermittedAccountAuthenticator(
+        accountsManager);
 
-    MessageSender            messageSender      = new MessageSender(clientPresenceManager, messagesManager, pushNotificationManager, pushLatencyManager);
-    ReceiptSender            receiptSender      = new ReceiptSender(accountsManager, messageSender, receiptSenderExecutor);
-    TurnTokenGenerator       turnTokenGenerator = new TurnTokenGenerator(dynamicConfigurationManager);
+    final MessageSender messageSender = new MessageSender(clientPresenceManager, messagesManager,
+        pushNotificationManager,
+        pushLatencyManager);
+    final ReceiptSender receiptSender = new ReceiptSender(accountsManager, messageSender, receiptSenderExecutor);
+    final TurnTokenGenerator turnTokenGenerator = new TurnTokenGenerator(dynamicConfigurationManager,
+        config.getTurnSecretConfiguration().secret().value());
 
     RecaptchaClient recaptchaClient = new RecaptchaClient(
-        config.getRecaptchaConfiguration().getProjectPath(),
-        config.getRecaptchaConfiguration().getCredentialConfigurationJson(),
+        config.getRecaptchaConfiguration().projectPath(),
+        useSecondaryCredentialsJson
+            ? config.getRecaptchaConfiguration().secondaryCredentialConfigurationJson()
+            : config.getRecaptchaConfiguration().credentialConfigurationJson(),
+        dynamicConfigurationManager);
+    HttpClient hcaptchaHttpClient = HttpClient.newBuilder().version(HttpClient.Version.HTTP_2)
+        .connectTimeout(Duration.ofSeconds(10)).build();
+    HCaptchaClient hCaptchaClient = new HCaptchaClient(config.getHCaptchaConfiguration().apiKey().value(), hcaptchaHttpClient,
         dynamicConfigurationManager);
-    HttpClient hcaptchaHttpClient = HttpClient.newBuilder().version(HttpClient.Version.HTTP_2).connectTimeout(Duration.ofSeconds(10)).build();
-    HCaptchaClient hCaptchaClient = new HCaptchaClient(config.getHCaptchaConfiguration().apiKey(), hcaptchaHttpClient, dynamicConfigurationManager);
     CaptchaChecker captchaChecker = new CaptchaChecker(List.of(recaptchaClient, hCaptchaClient));
 
-    PushChallengeManager pushChallengeManager = new PushChallengeManager(pushNotificationManager, pushChallengeDynamoDb);
+    PushChallengeManager pushChallengeManager = new PushChallengeManager(pushNotificationManager,
+        pushChallengeDynamoDb);
     RateLimitChallengeManager rateLimitChallengeManager = new RateLimitChallengeManager(pushChallengeManager,
-        captchaChecker, dynamicRateLimiters);
+        captchaChecker, rateLimiters);
 
-    MessagePersister messagePersister = new MessagePersister(messagesCache, messagesManager, accountsManager, dynamicConfigurationManager, Duration.ofMinutes(config.getMessageCacheConfiguration().getPersistDelayMinutes()));
+    MessagePersister messagePersister = new MessagePersister(messagesCache, messagesManager, accountsManager,
+        dynamicConfigurationManager, Duration.ofMinutes(config.getMessageCacheConfiguration().getPersistDelayMinutes()),
+        Optional.empty());
     ChangeNumberManager changeNumberManager = new ChangeNumberManager(messageSender, accountsManager);
 
-    final List<AccountDatabaseCrawlerListener> directoryReconciliationAccountDatabaseCrawlerListeners = new ArrayList<>();
-    final List<DeletedAccountsDirectoryReconciler> deletedAccountsDirectoryReconcilers = new ArrayList<>();
-    for (DirectoryServerConfiguration directoryServerConfiguration : config.getDirectoryConfiguration()
-        .getDirectoryServerConfiguration()) {
-      final DirectoryReconciliationClient directoryReconciliationClient = new DirectoryReconciliationClient(
-          directoryServerConfiguration);
-      final DirectoryReconciler directoryReconciler = new DirectoryReconciler(
-          directoryServerConfiguration.getReplicationName(), directoryReconciliationClient,
-          dynamicConfigurationManager);
-      // reconcilers are read-only
-      directoryReconciliationAccountDatabaseCrawlerListeners.add(directoryReconciler);
-
-      final DeletedAccountsDirectoryReconciler deletedAccountsDirectoryReconciler = new DeletedAccountsDirectoryReconciler(
-          directoryServerConfiguration.getReplicationName(), directoryReconciliationClient);
-      deletedAccountsDirectoryReconcilers.add(deletedAccountsDirectoryReconciler);
-    }
-
-    AccountDatabaseCrawlerCache directoryReconciliationAccountDatabaseCrawlerCache = new AccountDatabaseCrawlerCache(
-        cacheCluster, AccountDatabaseCrawlerCache.DIRECTORY_RECONCILER_PREFIX);
-    AccountDatabaseCrawler directoryReconciliationAccountDatabaseCrawler = new AccountDatabaseCrawler(
-        "Reconciliation crawler",
-        accountsManager,
-        directoryReconciliationAccountDatabaseCrawlerCache, directoryReconciliationAccountDatabaseCrawlerListeners,
-        config.getAccountDatabaseCrawlerConfiguration().getChunkSize(),
-        config.getAccountDatabaseCrawlerConfiguration().getChunkIntervalMs()
-    );
-
     AccountDatabaseCrawlerCache accountCleanerAccountDatabaseCrawlerCache =
         new AccountDatabaseCrawlerCache(cacheCluster, AccountDatabaseCrawlerCache.ACCOUNT_CLEANER_PREFIX);
     AccountDatabaseCrawler accountCleanerAccountDatabaseCrawler = new AccountDatabaseCrawler("Account cleaner crawler",
         accountsManager,
-        accountCleanerAccountDatabaseCrawlerCache, List.of(new AccountCleaner(accountsManager, accountDeletionExecutor)),
+        accountCleanerAccountDatabaseCrawlerCache,
+        List.of(new AccountCleaner(accountsManager, accountDeletionExecutor)),
         config.getAccountDatabaseCrawlerConfiguration().getChunkSize(),
-        config.getAccountDatabaseCrawlerConfiguration().getChunkIntervalMs()
+        dynamicConfigurationManager
     );
 
     // TODO listeners must be ordered so that ones that directly update accounts come last, so that read-only ones are not working with stale data
     final List<AccountDatabaseCrawlerListener> accountDatabaseCrawlerListeners = List.of(
         new NonNormalizedAccountCrawlerListener(accountsManager, metricsCluster),
-        new ContactDiscoveryWriter(accountsManager),
         // PushFeedbackProcessor may update device properties
         new PushFeedbackProcessor(accountsManager));
 
@@ -583,45 +590,44 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
         accountsManager,
         accountDatabaseCrawlerCache, accountDatabaseCrawlerListeners,
         config.getAccountDatabaseCrawlerConfiguration().getChunkSize(),
-        config.getAccountDatabaseCrawlerConfiguration().getChunkIntervalMs()
+        dynamicConfigurationManager
     );
 
-    DeletedAccountsTableCrawler deletedAccountsTableCrawler = new DeletedAccountsTableCrawler(deletedAccountsManager, deletedAccountsDirectoryReconcilers, cacheCluster, recurringJobExecutor);
-
     HttpClient currencyClient = HttpClient.newBuilder().version(HttpClient.Version.HTTP_2).connectTimeout(Duration.ofSeconds(10)).build();
-    FixerClient fixerClient = new FixerClient(currencyClient, config.getPaymentsServiceConfiguration().getFixerApiKey());
-    CoinMarketCapClient coinMarketCapClient = new CoinMarketCapClient(currencyClient, config.getPaymentsServiceConfiguration().getCoinMarketCapApiKey(), config.getPaymentsServiceConfiguration().getCoinMarketCapCurrencyIds());
+    FixerClient fixerClient = new FixerClient(currencyClient, config.getPaymentsServiceConfiguration().fixerApiKey().value());
+    CoinMarketCapClient coinMarketCapClient = new CoinMarketCapClient(currencyClient, config.getPaymentsServiceConfiguration().coinMarketCapApiKey().value(), config.getPaymentsServiceConfiguration().coinMarketCapCurrencyIds());
     CurrencyConversionManager currencyManager = new CurrencyConversionManager(fixerClient, coinMarketCapClient,
-        cacheCluster, config.getPaymentsServiceConfiguration().getPaymentCurrencies(), Clock.systemUTC());
+        cacheCluster, config.getPaymentsServiceConfiguration().paymentCurrencies(), Clock.systemUTC());
 
     environment.lifecycle().manage(apnSender);
     environment.lifecycle().manage(apnPushNotificationScheduler);
-    environment.lifecycle().manage(pubSubManager);
+    environment.lifecycle().manage(provisioningManager);
     environment.lifecycle().manage(accountDatabaseCrawler);
-    environment.lifecycle().manage(directoryReconciliationAccountDatabaseCrawler);
     environment.lifecycle().manage(accountCleanerAccountDatabaseCrawler);
-    environment.lifecycle().manage(deletedAccountsTableCrawler);
     environment.lifecycle().manage(messagesCache);
     environment.lifecycle().manage(messagePersister);
     environment.lifecycle().manage(clientPresenceManager);
     environment.lifecycle().manage(currencyManager);
-    environment.lifecycle().manage(directoryQueue);
     environment.lifecycle().manage(registrationServiceClient);
 
+    final RegistrationCaptchaManager registrationCaptchaManager = new RegistrationCaptchaManager(captchaChecker,
+        rateLimiters, config.getTestDevices(), dynamicConfigurationManager);
+
     StaticCredentialsProvider cdnCredentialsProvider = StaticCredentialsProvider
         .create(AwsBasicCredentials.create(
-            config.getCdnConfiguration().getAccessKey(),
-            config.getCdnConfiguration().getAccessSecret()));
-    S3Client cdnS3Client               = S3Client.builder()
+            config.getCdnConfiguration().accessKey().value(),
+            config.getCdnConfiguration().accessSecret().value()));
+    S3Client cdnS3Client = S3Client.builder()
         .credentialsProvider(cdnCredentialsProvider)
-        .region(Region.of(config.getCdnConfiguration().getRegion()))
+        .region(Region.of(config.getCdnConfiguration().region()))
         .build();
-    PostPolicyGenerator profileCdnPolicyGenerator = new PostPolicyGenerator(config.getCdnConfiguration().getRegion(),
-        config.getCdnConfiguration().getBucket(), config.getCdnConfiguration().getAccessKey());
-    PolicySigner profileCdnPolicySigner = new PolicySigner(config.getCdnConfiguration().getAccessSecret(),
-        config.getCdnConfiguration().getRegion());
+    PostPolicyGenerator profileCdnPolicyGenerator = new PostPolicyGenerator(config.getCdnConfiguration().region(),
+        config.getCdnConfiguration().bucket(), config.getCdnConfiguration().accessKey().value());
+    PolicySigner profileCdnPolicySigner = new PolicySigner(config.getCdnConfiguration().accessSecret().value(),
+        config.getCdnConfiguration().region());
 
-    ServerSecretParams zkSecretParams = new ServerSecretParams(config.getZkConfig().getServerSecret());
+    ServerSecretParams zkSecretParams = new ServerSecretParams(config.getZkConfig().serverSecret().value());
+    GenericServerSecretParams genericZkSecretParams = new GenericServerSecretParams(config.getGenericZkConfig().serverSecret().value());
     ServerZkProfileOperations zkProfileOperations = new ServerZkProfileOperations(zkSecretParams);
     ServerZkAuthOperations zkAuthOperations = new ServerZkAuthOperations(zkSecretParams);
     ServerZkReceiptOperations zkReceiptOperations = new ServerZkReceiptOperations(zkSecretParams);
@@ -652,7 +658,7 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
     webSocketEnvironment.setAuthenticator(new WebSocketAccountAuthenticator(accountAuthenticator));
     webSocketEnvironment.setConnectListener(
         new AuthenticatedConnectListener(receiptSender, messagesManager, pushNotificationManager,
-            clientPresenceManager, websocketScheduledExecutor));
+            clientPresenceManager, websocketScheduledExecutor, messageDeliveryScheduler));
     webSocketEnvironment.jersey()
         .register(new WebsocketRefreshApplicationEventListener(accountsManager, clientPresenceManager));
     webSocketEnvironment.jersey().register(new RequestStatisticsFilter(TrafficSource.WEBSOCKET));
@@ -663,9 +669,9 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
     // these should be common, but use @Auth DisabledPermittedAccount, which isn’t supported yet on websocket
     environment.jersey().register(
         new AccountController(pendingAccountsManager, accountsManager, rateLimiters,
-            registrationServiceClient, dynamicConfigurationManager, turnTokenGenerator, config.getTestDevices(),
-            captchaChecker, pushNotificationManager, changeNumberManager, backupCredentialsGenerator,
-            clientPresenceManager, clock));
+            registrationServiceClient, dynamicConfigurationManager, turnTokenGenerator,
+            registrationCaptchaManager, pushNotificationManager, changeNumberManager,
+            registrationLockVerificationManager, registrationRecoveryPasswordsManager, usernameHashZkProofVerifier, clock));
 
     environment.jersey().register(new KeysController(rateLimiters, keys, accountsManager));
 
@@ -711,36 +717,48 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
     }
 
     if (reportSpamTokenProvider == null) {
+      log.warn("No spam-reporting token providers found; using default (no-op) provider as a default");
       reportSpamTokenProvider = ReportSpamTokenProvider.noop();
     }
 
     final List<Object> commonControllers = Lists.newArrayList(
+        new AccountControllerV2(accountsManager, changeNumberManager, phoneVerificationTokenManager,
+            registrationLockVerificationManager, rateLimiters),
         new ArtController(rateLimiters, artCredentialsGenerator),
-        new AttachmentControllerV2(rateLimiters, config.getAwsAttachmentsConfiguration().getAccessKey(), config.getAwsAttachmentsConfiguration().getAccessSecret(), config.getAwsAttachmentsConfiguration().getRegion(), config.getAwsAttachmentsConfiguration().getBucket()),
-        new AttachmentControllerV3(rateLimiters, config.getGcpAttachmentsConfiguration().getDomain(), config.getGcpAttachmentsConfiguration().getEmail(), config.getGcpAttachmentsConfiguration().getMaxSizeInBytes(), config.getGcpAttachmentsConfiguration().getPathPrefix(), config.getGcpAttachmentsConfiguration().getRsaSigningKey()),
-        new CertificateController(new CertificateGenerator(config.getDeliveryCertificate().getCertificate(), config.getDeliveryCertificate().getPrivateKey(), config.getDeliveryCertificate().getExpiresDays()), zkAuthOperations, clock),
+        new AttachmentControllerV2(rateLimiters, config.getAwsAttachmentsConfiguration().accessKey().value(), config.getAwsAttachmentsConfiguration().accessSecret().value(), config.getAwsAttachmentsConfiguration().region(), config.getAwsAttachmentsConfiguration().bucket()),
+        new AttachmentControllerV3(rateLimiters, config.getGcpAttachmentsConfiguration().domain(), config.getGcpAttachmentsConfiguration().email(), config.getGcpAttachmentsConfiguration().maxSizeInBytes(), config.getGcpAttachmentsConfiguration().pathPrefix(), config.getGcpAttachmentsConfiguration().rsaSigningKey().value()),
+        new CallLinkController(rateLimiters, genericZkSecretParams),
+        new CertificateController(new CertificateGenerator(config.getDeliveryCertificate().certificate().value(), config.getDeliveryCertificate().ecPrivateKey(), config.getDeliveryCertificate().expiresDays()), zkAuthOperations, genericZkSecretParams, clock),
         new ChallengeController(rateLimitChallengeManager),
         new DeviceController(pendingDevicesManager, accountsManager, messagesManager, keys, rateLimiters, config.getMaxDevices()),
-        new DirectoryController(directoryCredentialsGenerator),
         new DirectoryV2Controller(directoryV2CredentialsGenerator),
         new DonationController(clock, zkReceiptOperations, redeemedReceiptsManager, accountsManager, config.getBadges(),
             ReceiptCredentialPresentation::new),
-        new MessageController(rateLimiters, messageSender, receiptSender, accountsManager, deletedAccountsManager, messagesManager, pushNotificationManager, reportMessageManager, multiRecipientMessageExecutor,
-            reportSpamTokenProvider),
+        new MessageController(rateLimiters, messageSender, receiptSender, accountsManager, deletedAccounts,
+            messagesManager, pushNotificationManager, reportMessageManager, multiRecipientMessageExecutor,
+            messageDeliveryScheduler, reportSpamTokenProvider),
         new PaymentsController(currencyManager, paymentsCredentialsGenerator),
         new ProfileController(clock, rateLimiters, accountsManager, profilesManager, dynamicConfigurationManager,
             profileBadgeConverter, config.getBadges(), cdnS3Client, profileCdnPolicyGenerator, profileCdnPolicySigner,
-            config.getCdnConfiguration().getBucket(), zkProfileOperations, batchIdentityCheckExecutor),
+            config.getCdnConfiguration().bucket(), zkProfileOperations, batchIdentityCheckExecutor),
         new ProvisioningController(rateLimiters, provisioningManager),
+        new RegistrationController(accountsManager, phoneVerificationTokenManager, registrationLockVerificationManager,
+            keys, rateLimiters),
         new RemoteConfigController(remoteConfigsManager, adminEventLogger,
-            config.getRemoteConfigConfiguration().getAuthorizedTokens(),
-            config.getRemoteConfigConfiguration().getGlobalConfig()),
+            config.getRemoteConfigConfiguration().authorizedUsers(),
+            config.getRemoteConfigConfiguration().requiredHostedDomain(),
+            config.getRemoteConfigConfiguration().audiences(),
+            new GoogleIdTokenVerifier.Builder(new ApacheHttpTransport(), new GsonFactory()),
+            config.getRemoteConfigConfiguration().globalConfig()),
         new SecureBackupController(backupCredentialsGenerator, accountsManager),
         new SecureStorageController(storageCredentialsGenerator),
-        new SecureValueRecovery2Controller(svr2CredentialsGenerator),
-        new StickerController(rateLimiters, config.getCdnConfiguration().getAccessKey(),
-            config.getCdnConfiguration().getAccessSecret(), config.getCdnConfiguration().getRegion(),
-            config.getCdnConfiguration().getBucket())
+        new SecureValueRecovery2Controller(svr2CredentialsGenerator, accountsManager),
+        new StickerController(rateLimiters, config.getCdnConfiguration().accessKey().value(),
+            config.getCdnConfiguration().accessSecret().value(), config.getCdnConfiguration().region(),
+            config.getCdnConfiguration().bucket()),
+        new VerificationController(registrationServiceClient, new VerificationSessionManager(verificationSessions),
+            pushNotificationManager, registrationCaptchaManager, registrationRecoveryPasswordsManager, rateLimiters,
+            accountsManager, clock)
     );
     if (config.getSubscription() != null && config.getOneTimeDonations() != null) {
       commonControllers.add(new SubscriptionController(clock, config.getSubscription(), config.getOneTimeDonations(),
@@ -756,12 +774,13 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
     WebSocketEnvironment<AuthenticatedAccount> provisioningEnvironment = new WebSocketEnvironment<>(environment,
         webSocketEnvironment.getRequestLog(), 60000);
     provisioningEnvironment.jersey().register(new WebsocketRefreshApplicationEventListener(accountsManager, clientPresenceManager));
-    provisioningEnvironment.setConnectListener(new ProvisioningConnectListener(pubSubManager));
+    provisioningEnvironment.setConnectListener(new ProvisioningConnectListener(provisioningManager));
     provisioningEnvironment.jersey().register(new MetricsApplicationEventListener(TrafficSource.WEBSOCKET));
     provisioningEnvironment.jersey().register(new KeepAliveController(clientPresenceManager));
 
     registerCorsFilter(environment);
     registerExceptionMappers(environment, webSocketEnvironment, provisioningEnvironment);
+    registerProviders(environment, webSocketEnvironment, provisioningEnvironment);
 
     environment.jersey().property(ServerProperties.UNWRAP_COMPLETION_STAGE_IN_WRITER_ENABLE, Boolean.TRUE);
     webSocketEnvironment.jersey().property(ServerProperties.UNWRAP_COMPLETION_STAGE_IN_WRITER_ENABLE, Boolean.TRUE);
@@ -782,25 +801,19 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
     provisioning.setAsyncSupported(true);
 
     environment.admin().addTask(new SetRequestLoggingEnabledTask());
-    environment.admin().addTask(new SetCrawlerAccelerationTask(accountDatabaseCrawlerCache));
 
     environment.healthChecks().register("cacheCluster", new RedisClusterHealthCheck(cacheCluster));
 
-    environment.lifecycle().manage(new ApplicationShutdownMonitor(Metrics.globalRegistry));
+    MetricsUtil.registerSystemResourceMetrics(environment);
+  }
 
-    environment.metrics().register(name(CpuUsageGauge.class, "cpu"), new CpuUsageGauge(3, TimeUnit.SECONDS));
-    environment.metrics().register(name(FreeMemoryGauge.class, "free_memory"), new FreeMemoryGauge());
-    environment.metrics().register(name(NetworkSentGauge.class, "bytes_sent"), new NetworkSentGauge());
-    environment.metrics().register(name(NetworkReceivedGauge.class, "bytes_received"), new NetworkReceivedGauge());
-    environment.metrics().register(name(FileDescriptorGauge.class, "fd_count"), new FileDescriptorGauge());
-    environment.metrics().register(name(MaxFileDescriptorGauge.class, "max_fd_count"), new MaxFileDescriptorGauge());
-    environment.metrics()
-        .register(name(OperatingSystemMemoryGauge.class, "buffers"), new OperatingSystemMemoryGauge("Buffers"));
-    environment.metrics()
-        .register(name(OperatingSystemMemoryGauge.class, "cached"), new OperatingSystemMemoryGauge("Cached"));
 
-    BufferPoolGauges.registerMetrics();
-    GarbageCollectionGauges.registerMetrics();
+  private void registerProviders(Environment environment,
+      WebSocketEnvironment<AuthenticatedAccount> webSocketEnvironment,
+      WebSocketEnvironment<AuthenticatedAccount> provisioningEnvironment) {
+    environment.jersey().register(ScoreThresholdProvider.ScoreThresholdFeature.class);
+    webSocketEnvironment.jersey().register(ScoreThresholdProvider.ScoreThresholdFeature.class);
+    provisioningEnvironment.jersey().register(ScoreThresholdProvider.ScoreThresholdFeature.class);
   }
 
   private void registerExceptionMappers(Environment environment,
@@ -817,6 +830,7 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
         new ServerRejectedExceptionMapper(),
         new ImpossiblePhoneNumberExceptionMapper(),
         new NonNormalizedPhoneNumberExceptionMapper(),
+        new RegistrationServiceSenderExceptionMapper(),
         new JsonMappingExceptionMapper()
     ).forEach(exceptionMapper -> {
       environment.jersey().register(exceptionMapper);

service/src/main/java/org/whispersystems/textsecuregcm/auth/CertificateGenerator.java

@@ -8,7 +8,6 @@ package org.whispersystems.textsecuregcm.auth;
 import com.google.protobuf.ByteString;
 import com.google.protobuf.InvalidProtocolBufferException;
 import java.security.InvalidKeyException;
-import java.util.Base64;
 import java.util.concurrent.TimeUnit;
 import org.signal.libsignal.protocol.ecc.Curve;
 import org.signal.libsignal.protocol.ecc.ECPrivateKey;
@@ -35,7 +34,7 @@ public class CertificateGenerator {
     SenderCertificate.Certificate.Builder builder = SenderCertificate.Certificate.newBuilder()
                                                                                  .setSenderDevice(Math.toIntExact(device.getId()))
                                                                                  .setExpires(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(expiresDays))
-                                                                                 .setIdentityKey(ByteString.copyFrom(Base64.getDecoder().decode(account.getIdentityKey())))
+                                                                                 .setIdentityKey(ByteString.copyFrom(account.getIdentityKey().serialize()))
                                                                                  .setSigner(serverCertificate)
                                                                                  .setSenderUuid(account.getUuid().toString());
 

service/src/main/java/org/whispersystems/textsecuregcm/auth/ExternalServiceCredentialsGenerator.java

@@ -10,18 +10,22 @@ import static org.whispersystems.textsecuregcm.util.HmacUtils.hmac256ToHexString
 import static org.whispersystems.textsecuregcm.util.HmacUtils.hmac256TruncatedToHexString;
 import static org.whispersystems.textsecuregcm.util.HmacUtils.hmacHexStringsEqual;
 
+import com.google.common.annotations.VisibleForTesting;
 import java.time.Clock;
+import java.time.Instant;
 import java.util.Optional;
 import java.util.UUID;
+import java.util.function.Function;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.Validate;
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretBytes;
 
 public class ExternalServiceCredentialsGenerator {
 
-  private static final int TRUNCATE_LENGTH = 10;
-
   private static final String DELIMITER = ":";
 
+  private static final int TRUNCATED_SIGNATURE_LENGTH = 10;
+
   private final byte[] key;
 
   private final byte[] userDerivationKey;
@@ -30,9 +34,20 @@ public class ExternalServiceCredentialsGenerator {
 
   private final boolean truncateSignature;
 
+  private final String usernameTimestampPrefix;
+
+  private final Function<Instant, Instant> usernameTimestampTruncator;
+
   private final Clock clock;
 
+  private final int derivedUsernameTruncateLength;
 
+
+  public static ExternalServiceCredentialsGenerator.Builder builder(final SecretBytes key) {
+    return builder(key.value());
+  }
+
+  @VisibleForTesting
   public static ExternalServiceCredentialsGenerator.Builder builder(final byte[] key) {
     return new Builder(key);
   }
@@ -42,12 +57,22 @@ public class ExternalServiceCredentialsGenerator {
       final byte[] userDerivationKey,
       final boolean prependUsername,
       final boolean truncateSignature,
+      final int derivedUsernameTruncateLength,
+      final String usernameTimestampPrefix,
+      final Function<Instant, Instant> usernameTimestampTruncator,
       final Clock clock) {
     this.key = requireNonNull(key);
     this.userDerivationKey = requireNonNull(userDerivationKey);
     this.prependUsername = prependUsername;
     this.truncateSignature = truncateSignature;
+    this.usernameTimestampPrefix = usernameTimestampPrefix;
+    this.usernameTimestampTruncator = usernameTimestampTruncator;
     this.clock = requireNonNull(clock);
+    this.derivedUsernameTruncateLength = derivedUsernameTruncateLength;
+
+    if (hasUsernameTimestampPrefix() ^ hasUsernameTimestampTruncator()) {
+      throw new RuntimeException("Configured to have only one of (usernameTimestampPrefix, usernameTimestampTruncator)");
+    }
   }
 
   /**
@@ -65,16 +90,37 @@ public class ExternalServiceCredentialsGenerator {
    * @return an instance of {@link ExternalServiceCredentials}
    */
   public ExternalServiceCredentials generateFor(final String identity) {
+    if (usernameIsTimestamp()) {
+      throw new RuntimeException("Configured to use timestamp as username");
+    }
+
+    return generate(identity);
+  }
+
+  /**
+   * Generates `ExternalServiceCredentials` using a prefix concatenated with a truncated timestamp as the username, following this generator's configuration.
+   * @return an instance of {@link ExternalServiceCredentials}
+   */
+  public ExternalServiceCredentials generateWithTimestampAsUsername() {
+    if (!usernameIsTimestamp()) {
+      throw new RuntimeException("Not configured to use timestamp as username");
+    }
+
+    final String truncatedTimestampSeconds = String.valueOf(usernameTimestampTruncator.apply(clock.instant()).getEpochSecond());
+    return generate(usernameTimestampPrefix + DELIMITER + truncatedTimestampSeconds);
+  }
+
+  private ExternalServiceCredentials generate(final String identity) {
     final String username = shouldDeriveUsername()
-        ? hmac256TruncatedToHexString(userDerivationKey, identity, TRUNCATE_LENGTH)
+        ? hmac256TruncatedToHexString(userDerivationKey, identity, derivedUsernameTruncateLength)
         : identity;
 
     final long currentTimeSeconds = currentTimeSeconds();
 
-    final String dataToSign = username + DELIMITER + currentTimeSeconds;
+    final String dataToSign = usernameIsTimestamp() ? username : username + DELIMITER + currentTimeSeconds;
 
     final String signature = truncateSignature
-        ? hmac256TruncatedToHexString(key, dataToSign, TRUNCATE_LENGTH)
+        ? hmac256TruncatedToHexString(key, dataToSign, TRUNCATED_SIGNATURE_LENGTH)
         : hmac256ToHexString(key, dataToSign);
 
     final String token = (prependUsername ? dataToSign : currentTimeSeconds) + DELIMITER + signature;
@@ -83,7 +129,7 @@ public class ExternalServiceCredentialsGenerator {
   }
 
   /**
-   * In certain cases, identity (as it was passed to `generateFor` method)
+   * In certain cases, identity (as it was passed to `generate` method)
    * is a part of the signature (`password`, in terms of `ExternalServiceCredentials`) string itself.
    * For such cases, this method returns the value of the identity string.
    * @param password `password` part of `ExternalServiceCredentials`
@@ -95,9 +141,15 @@ public class ExternalServiceCredentialsGenerator {
       return Optional.empty();
     }
     // checking for the case of unexpected format
-    return StringUtils.countMatches(password, DELIMITER) == 2
-        ? Optional.of(password.substring(0, password.indexOf(DELIMITER)))
-        : Optional.empty();
+    if (StringUtils.countMatches(password, DELIMITER) == 2) {
+      if (usernameIsTimestamp()) {
+        final int indexOfSecondDelimiter = password.indexOf(DELIMITER, password.indexOf(DELIMITER) + 1);
+        return Optional.of(password.substring(0, indexOfSecondDelimiter));
+      } else {
+        return Optional.of(password.substring(0, password.indexOf(DELIMITER)));
+      }
+    }
+    return Optional.empty();
   }
 
   /**
@@ -114,7 +166,7 @@ public class ExternalServiceCredentialsGenerator {
 
     // making sure password format matches our expectations based on the generator configuration
     if (parts.length == 3 && prependUsername) {
-      final String username = parts[0];
+      final String username = usernameIsTimestamp() ? parts[0] + DELIMITER + parts[1] : parts[0];
       // username has to match the one from `credentials`
       if (!credentials.username().equals(username)) {
         return Optional.empty();
@@ -129,9 +181,9 @@ public class ExternalServiceCredentialsGenerator {
       return Optional.empty();
     }
 
-    final String signedData = credentials.username() + DELIMITER + timestampSeconds;
+    final String signedData = usernameIsTimestamp() ? credentials.username() : credentials.username() + DELIMITER + timestampSeconds;
     final String expectedSignature = truncateSignature
-        ? hmac256TruncatedToHexString(key, signedData, TRUNCATE_LENGTH)
+        ? hmac256TruncatedToHexString(key, signedData, TRUNCATED_SIGNATURE_LENGTH)
         : hmac256ToHexString(key, signedData);
 
     // if the signature is valid it's safe to parse the `timestampSeconds` string into Long
@@ -157,6 +209,18 @@ public class ExternalServiceCredentialsGenerator {
     return userDerivationKey.length > 0;
   }
 
+  private boolean hasUsernameTimestampPrefix() {
+    return usernameTimestampPrefix != null;
+  }
+
+  private boolean hasUsernameTimestampTruncator() {
+    return usernameTimestampTruncator != null;
+  }
+
+  private boolean usernameIsTimestamp() {
+    return hasUsernameTimestampPrefix() && hasUsernameTimestampTruncator();
+  }
+
   private long currentTimeSeconds() {
     return clock.instant().getEpochSecond();
   }
@@ -171,6 +235,12 @@ public class ExternalServiceCredentialsGenerator {
 
     private boolean truncateSignature = true;
 
+    private int derivedUsernameTruncateLength = 10;
+
+    private String usernameTimestampPrefix = null;
+
+    private Function<Instant, Instant> usernameTimestampTruncator = null;
+
     private Clock clock = Clock.systemUTC();
 
 
@@ -178,6 +248,10 @@ public class ExternalServiceCredentialsGenerator {
       this.key = requireNonNull(key);
     }
 
+    public Builder withUserDerivationKey(final SecretBytes userDerivationKey) {
+      return withUserDerivationKey(userDerivationKey.value());
+    }
+
     public Builder withUserDerivationKey(final byte[] userDerivationKey) {
       Validate.isTrue(requireNonNull(userDerivationKey).length > 0, "userDerivationKey must not be empty");
       this.userDerivationKey = userDerivationKey;
@@ -189,6 +263,12 @@ public class ExternalServiceCredentialsGenerator {
       return this;
     }
 
+    public Builder withDerivedUsernameTruncateLength(int truncateLength) {
+      Validate.inclusiveBetween(10, 32, truncateLength);
+      this.derivedUsernameTruncateLength = truncateLength;
+      return this;
+    }
+
     public Builder prependUsername(final boolean prependUsername) {
       this.prependUsername = prependUsername;
       return this;
@@ -199,9 +279,15 @@ public class ExternalServiceCredentialsGenerator {
       return this;
     }
 
+    public Builder withUsernameTimestampTruncatorAndPrefix(final Function<Instant, Instant> truncator, final String prefix) {
+      this.usernameTimestampTruncator = truncator;
+      this.usernameTimestampPrefix = prefix;
+      return this;
+    }
+
     public ExternalServiceCredentialsGenerator build() {
       return new ExternalServiceCredentialsGenerator(
-          key, userDerivationKey, prependUsername, truncateSignature, clock);
+          key, userDerivationKey, prependUsername, truncateSignature, derivedUsernameTruncateLength, usernameTimestampPrefix, usernameTimestampTruncator, clock);
     }
   }
 }

service/src/main/java/org/whispersystems/textsecuregcm/auth/ExternalServiceCredentialsSelector.java

@@ -0,0 +1,84 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+
+public class ExternalServiceCredentialsSelector {
+
+  private ExternalServiceCredentialsSelector() {}
+
+  public record CredentialInfo(String token, boolean valid, ExternalServiceCredentials credentials, long timestamp) {
+    /**
+     * @return a copy of this record with valid=false
+     */
+    private CredentialInfo invalidate() {
+      return new CredentialInfo(token, false, credentials, timestamp);
+    }
+  }
+
+  /**
+   * Validate a list of username:password credentials.
+   * A credential is valid if it passes validation by the provided credentialsGenerator AND it is the most recent
+   * credential in the provided list for a username.
+   *
+   * @param tokens A list of credentials, potentially with different usernames
+   * @param credentialsGenerator To validate these credentials
+   * @param maxAgeSeconds The maximum allowable age of the credential
+   * @return A {@link CredentialInfo} for each provided token
+   */
+  public static List<CredentialInfo> check(
+      final List<String> tokens,
+      final ExternalServiceCredentialsGenerator credentialsGenerator,
+      final long maxAgeSeconds) {
+
+    // the credential for the username with the latest timestamp (so far)
+    final Map<String, CredentialInfo> bestForUsername = new HashMap<>();
+    final List<CredentialInfo> results = new ArrayList<>();
+    for (String token : tokens) {
+      // each token is supposed to be in a "${username}:${password}" form,
+      // (note that password part may also contain ':' characters)
+      final String[] parts = token.split(":", 2);
+      if (parts.length != 2) {
+        results.add(new CredentialInfo(token, false, null, 0L));
+        continue;
+      }
+      final ExternalServiceCredentials credentials = new ExternalServiceCredentials(parts[0], parts[1]);
+      final Optional<Long> maybeTimestamp = credentialsGenerator.validateAndGetTimestamp(credentials, maxAgeSeconds);
+      if (maybeTimestamp.isEmpty()) {
+        results.add(new CredentialInfo(token, false, null, 0L));
+        continue;
+      }
+
+      // now that we validated signature and token age, we will also find the latest of the tokens
+      // for each username
+      final long timestamp = maybeTimestamp.get();
+      final CredentialInfo best = bestForUsername.get(credentials.username());
+      if (best == null) {
+        bestForUsername.put(credentials.username(), new CredentialInfo(token, true, credentials, timestamp));
+        continue;
+      }
+      if (best.timestamp() < timestamp) {
+        // we found a better credential for the username
+        bestForUsername.put(credentials.username(), new CredentialInfo(token, true, credentials, timestamp));
+        // mark the previous best as an invalid credential, since we have a better credential now
+        results.add(best.invalidate());
+      } else {
+        // the credential we already had was more recent, this one can be marked invalid
+        results.add(new CredentialInfo(token, false, null, 0L));
+      }
+    }
+
+    // all invalid tokens should be in results, just add the valid ones
+    results.addAll(bestForUsername.values());
+    return results;
+  }
+
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/PhoneVerificationTokenManager.java

@@ -0,0 +1,113 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import io.grpc.Status;
+import io.grpc.StatusRuntimeException;
+import java.security.MessageDigest;
+import java.time.Duration;
+import java.util.concurrent.CancellationException;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
+import javax.ws.rs.BadRequestException;
+import javax.ws.rs.ForbiddenException;
+import javax.ws.rs.NotAuthorizedException;
+import javax.ws.rs.ServerErrorException;
+import javax.ws.rs.core.Response;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.whispersystems.textsecuregcm.entities.PhoneVerificationRequest;
+import org.whispersystems.textsecuregcm.entities.RegistrationServiceSession;
+import org.whispersystems.textsecuregcm.registration.RegistrationServiceClient;
+import org.whispersystems.textsecuregcm.storage.RegistrationRecoveryPasswordsManager;
+
+public class PhoneVerificationTokenManager {
+
+  private static final Logger logger = LoggerFactory.getLogger(PhoneVerificationTokenManager.class);
+  private static final Duration REGISTRATION_RPC_TIMEOUT = Duration.ofSeconds(15);
+  private static final long VERIFICATION_TIMEOUT_SECONDS = REGISTRATION_RPC_TIMEOUT.plusSeconds(1).getSeconds();
+
+  private final RegistrationServiceClient registrationServiceClient;
+  private final RegistrationRecoveryPasswordsManager registrationRecoveryPasswordsManager;
+
+  public PhoneVerificationTokenManager(final RegistrationServiceClient registrationServiceClient,
+      final RegistrationRecoveryPasswordsManager registrationRecoveryPasswordsManager) {
+    this.registrationServiceClient = registrationServiceClient;
+    this.registrationRecoveryPasswordsManager = registrationRecoveryPasswordsManager;
+  }
+
+  /**
+   * Checks if a {@link PhoneVerificationRequest} has a token that verifies the caller has confirmed access to the e164
+   * number
+   *
+   * @param number  the e164 presented for verification
+   * @param request the request with exactly one verification token (RegistrationService sessionId or registration
+   *                recovery password)
+   * @return if verification was successful, returns the verification type
+   * @throws BadRequestException    if the number does not match the sessionId’s number, or the remote service rejects
+   *                                the session ID as invalid
+   * @throws NotAuthorizedException if the session is not verified
+   * @throws ForbiddenException     if the recovery password is not valid
+   * @throws InterruptedException   if verification did not complete before a timeout
+   */
+  public PhoneVerificationRequest.VerificationType verify(final String number, final PhoneVerificationRequest request)
+      throws InterruptedException {
+
+    final PhoneVerificationRequest.VerificationType verificationType = request.verificationType();
+    switch (verificationType) {
+      case SESSION -> verifyBySessionId(number, request.decodeSessionId());
+      case RECOVERY_PASSWORD -> verifyByRecoveryPassword(number, request.recoveryPassword());
+    }
+
+    return verificationType;
+  }
+
+  private void verifyBySessionId(final String number, final byte[] sessionId) throws InterruptedException {
+    try {
+      final RegistrationServiceSession session = registrationServiceClient
+          .getSession(sessionId, REGISTRATION_RPC_TIMEOUT)
+          .get(VERIFICATION_TIMEOUT_SECONDS, TimeUnit.SECONDS)
+          .orElseThrow(() -> new NotAuthorizedException("session not verified"));
+
+      if (!MessageDigest.isEqual(number.getBytes(), session.number().getBytes())) {
+        throw new BadRequestException("number does not match session");
+      }
+      if (!session.verified()) {
+        throw new NotAuthorizedException("session not verified");
+      }
+    } catch (final ExecutionException e) {
+
+      if (e.getCause() instanceof StatusRuntimeException grpcRuntimeException) {
+        if (grpcRuntimeException.getStatus().getCode() == Status.Code.INVALID_ARGUMENT) {
+          throw new BadRequestException();
+        }
+      }
+
+      logger.error("Registration service failure", e);
+      throw new ServerErrorException(Response.Status.SERVICE_UNAVAILABLE);
+
+    } catch (final CancellationException | TimeoutException e) {
+
+      logger.error("Registration service failure", e);
+      throw new ServerErrorException(Response.Status.SERVICE_UNAVAILABLE);
+    }
+  }
+
+  private void verifyByRecoveryPassword(final String number, final byte[] recoveryPassword)
+      throws InterruptedException {
+    try {
+      final boolean verified = registrationRecoveryPasswordsManager.verify(number, recoveryPassword)
+          .get(VERIFICATION_TIMEOUT_SECONDS, TimeUnit.SECONDS);
+      if (!verified) {
+        throw new ForbiddenException("recoveryPassword couldn't be verified");
+      }
+    } catch (final ExecutionException | TimeoutException e) {
+      throw new ServerErrorException(Response.Status.SERVICE_UNAVAILABLE);
+    }
+  }
+
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/RegistrationLockVerificationManager.java

@@ -0,0 +1,183 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import static org.whispersystems.textsecuregcm.metrics.MetricsUtil.name;
+
+import com.google.common.annotations.VisibleForTesting;
+import io.micrometer.core.instrument.DistributionSummary;
+import io.micrometer.core.instrument.Metrics;
+import io.micrometer.core.instrument.Tag;
+import io.micrometer.core.instrument.Tags;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.List;
+import javax.annotation.Nullable;
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.Response;
+import org.whispersystems.textsecuregcm.controllers.RateLimitExceededException;
+import org.whispersystems.textsecuregcm.entities.PhoneVerificationRequest;
+import org.whispersystems.textsecuregcm.entities.RegistrationLockFailure;
+import org.whispersystems.textsecuregcm.limits.RateLimiters;
+import org.whispersystems.textsecuregcm.metrics.UserAgentTagUtil;
+import org.whispersystems.textsecuregcm.push.ClientPresenceManager;
+import org.whispersystems.textsecuregcm.push.NotPushRegisteredException;
+import org.whispersystems.textsecuregcm.push.PushNotificationManager;
+import org.whispersystems.textsecuregcm.storage.Account;
+import org.whispersystems.textsecuregcm.storage.AccountsManager;
+import org.whispersystems.textsecuregcm.storage.Device;
+import org.whispersystems.textsecuregcm.storage.RegistrationRecoveryPasswordsManager;
+import org.whispersystems.textsecuregcm.util.Util;
+
+public class RegistrationLockVerificationManager {
+  public enum Flow {
+    REGISTRATION,
+    CHANGE_NUMBER
+  }
+
+  @VisibleForTesting
+  public static final int FAILURE_HTTP_STATUS = 423;
+
+  private static final String EXPIRED_REGISTRATION_LOCK_COUNTER_NAME =
+      name(RegistrationLockVerificationManager.class, "expiredRegistrationLock");
+  private static final String REQUIRED_REGISTRATION_LOCK_COUNTER_NAME =
+      name(RegistrationLockVerificationManager.class, "requiredRegistrationLock");
+  private static final String CHALLENGED_DEVICE_NOT_PUSH_REGISTERED_COUNTER_NAME =
+      name(RegistrationLockVerificationManager.class, "challengedDeviceNotPushRegistered");
+  private static final String ALREADY_LOCKED_TAG_NAME = "alreadyLocked";
+  private static final String REGISTRATION_LOCK_VERIFICATION_FLOW_TAG_NAME = "flow";
+  private static final String REGISTRATION_LOCK_MATCHES_TAG_NAME = "registrationLockMatches";
+  private static final String PHONE_VERIFICATION_TYPE_TAG_NAME = "phoneVerificationType";
+
+  private final AccountsManager accounts;
+  private final ClientPresenceManager clientPresenceManager;
+  private final ExternalServiceCredentialsGenerator svr1CredentialGenerator;
+  private final ExternalServiceCredentialsGenerator svr2CredentialGenerator;
+  private final RateLimiters rateLimiters;
+  private final RegistrationRecoveryPasswordsManager registrationRecoveryPasswordsManager;
+  private final PushNotificationManager pushNotificationManager;
+
+  public RegistrationLockVerificationManager(
+      final AccountsManager accounts, final ClientPresenceManager clientPresenceManager,
+      final ExternalServiceCredentialsGenerator svr1CredentialGenerator,
+      final ExternalServiceCredentialsGenerator svr2CredentialGenerator,
+      final RegistrationRecoveryPasswordsManager registrationRecoveryPasswordsManager,
+      final PushNotificationManager pushNotificationManager,
+      final RateLimiters rateLimiters) {
+    this.accounts = accounts;
+    this.clientPresenceManager = clientPresenceManager;
+    this.svr1CredentialGenerator = svr1CredentialGenerator;
+    this.svr2CredentialGenerator = svr2CredentialGenerator;
+    this.registrationRecoveryPasswordsManager = registrationRecoveryPasswordsManager;
+    this.pushNotificationManager = pushNotificationManager;
+    this.rateLimiters = rateLimiters;
+  }
+
+  /**
+   * Verifies the given registration lock credentials against the account’s current registration lock, if any
+   *
+   * @param account
+   * @param clientRegistrationLock
+   * @throws RateLimitExceededException
+   * @throws WebApplicationException
+   */
+  public void verifyRegistrationLock(final Account account, @Nullable final String clientRegistrationLock,
+      final String userAgent,
+      final Flow flow,
+      final PhoneVerificationRequest.VerificationType phoneVerificationType
+  ) throws RateLimitExceededException, WebApplicationException {
+
+    final Tags expiredTags = Tags.of(UserAgentTagUtil.getPlatformTag(userAgent),
+        Tag.of(REGISTRATION_LOCK_VERIFICATION_FLOW_TAG_NAME, flow.name()),
+        Tag.of(PHONE_VERIFICATION_TYPE_TAG_NAME, phoneVerificationType.name())
+    );
+
+    final StoredRegistrationLock existingRegistrationLock = account.getRegistrationLock();
+
+    switch (existingRegistrationLock.getStatus()) {
+      case EXPIRED:
+        Metrics.counter(EXPIRED_REGISTRATION_LOCK_COUNTER_NAME, expiredTags).increment();
+        return;
+      case ABSENT:
+        return;
+      case REQUIRED:
+        break;
+      default:
+        throw new RuntimeException("Unexpected status: " + existingRegistrationLock.getStatus());
+    }
+
+    if (!Util.isEmpty(clientRegistrationLock)) {
+      rateLimiters.getPinLimiter().validate(account.getNumber());
+    }
+
+    final String phoneNumber = account.getNumber();
+    final boolean registrationLockMatches = existingRegistrationLock.verify(clientRegistrationLock);
+    final boolean alreadyLocked = account.hasLockedCredentials();
+
+    final Tags additionalTags = expiredTags.and(
+        REGISTRATION_LOCK_MATCHES_TAG_NAME, Boolean.toString(registrationLockMatches),
+        ALREADY_LOCKED_TAG_NAME, Boolean.toString(alreadyLocked)
+    );
+
+    Metrics.counter(REQUIRED_REGISTRATION_LOCK_COUNTER_NAME, additionalTags).increment();
+
+    final DistributionSummary registrationLockIdleDays = DistributionSummary
+        .builder(name(RegistrationLockVerificationManager.class, "registrationLockIdleDays"))
+        .tags(additionalTags)
+        .publishPercentiles(0.75, 0.95, 0.99, 0.999)
+        .distributionStatisticExpiry(Duration.ofHours(2))
+        .register(Metrics.globalRegistry);
+
+    final Instant accountLastSeen = Instant.ofEpochMilli(account.getLastSeen());
+    final Duration timeSinceLastSeen = Duration.between(accountLastSeen, Instant.now());
+
+    registrationLockIdleDays.record(timeSinceLastSeen.toDays());
+
+    if (!registrationLockMatches) {
+      // At this point, the client verified ownership of the phone number but doesn’t have the reglock PIN.
+      // Freezing the existing account credentials will definitively start the reglock timeout.
+      // Until the timeout, the current reglock can still be supplied,
+      // along with phone number verification, to restore access.
+      final ExternalServiceCredentials existingSvr1Credentials = svr1CredentialGenerator.generateForUuid(account.getUuid());
+      final ExternalServiceCredentials existingSvr2Credentials = svr2CredentialGenerator.generateForUuid(account.getUuid());
+
+      final Account updatedAccount;
+      if (!alreadyLocked) {
+        updatedAccount = accounts.update(account, Account::lockAuthTokenHash);
+      } else {
+        updatedAccount = account;
+      }
+
+      // The client often sends an empty registration lock token on the first request
+      // and sends an actual token if the server returns a 423 indicating that one is required.
+      // This logic accounts for that behavior by not deleting the registration recovery password
+      // if the user verified correctly via registration recovery password and sent an empty token.
+      // This allows users to re-register via registration recovery password
+      // instead of always being forced to fall back to SMS verification.
+      if (!phoneVerificationType.equals(PhoneVerificationRequest.VerificationType.RECOVERY_PASSWORD) || clientRegistrationLock != null) {
+        registrationRecoveryPasswordsManager.removeForNumber(updatedAccount.getNumber());
+      }
+
+      final List<Long> deviceIds = updatedAccount.getDevices().stream().map(Device::getId).toList();
+      clientPresenceManager.disconnectAllPresences(updatedAccount.getUuid(), deviceIds);
+
+      try {
+        // Send a push notification that prompts the client to attempt login and fail due to locked credentials
+        pushNotificationManager.sendAttemptLoginNotification(updatedAccount, "failedRegistrationLock");
+      } catch (final NotPushRegisteredException e) {
+        Metrics.counter(CHALLENGED_DEVICE_NOT_PUSH_REGISTERED_COUNTER_NAME).increment();
+      }
+
+      throw new WebApplicationException(Response.status(FAILURE_HTTP_STATUS)
+          .entity(new RegistrationLockFailure(existingRegistrationLock.getTimeRemaining().toMillis(),
+              existingRegistrationLock.needsFailureCredentials() ? existingSvr1Credentials : null,
+              existingRegistrationLock.needsFailureCredentials() ? existingSvr2Credentials : null))
+          .build());
+    }
+
+    rateLimiters.getPinLimiter().clear(phoneNumber);
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/SaltedTokenHash.java

@@ -8,7 +8,7 @@ import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
-import org.apache.commons.codec.binary.Hex;
+import java.util.HexFormat;
 import org.signal.libsignal.protocol.kdf.HKDF;
 
 public record SaltedTokenHash(String hash, String salt) {
@@ -52,13 +52,13 @@ public record SaltedTokenHash(String hash, String salt) {
   private static String generateSalt() {
     final byte[] salt = new byte[SALT_SIZE];
     SECURE_RANDOM.nextBytes(salt);
-    return Hex.encodeHexString(salt);
+    return HexFormat.of().formatHex(salt);
   }
 
   private static String calculateV1Hash(final String salt, final String token) {
     try {
-      return new String(
-          Hex.encodeHex(MessageDigest.getInstance("SHA1").digest((salt + token).getBytes(StandardCharsets.UTF_8))));
+      return HexFormat.of()
+          .formatHex(MessageDigest.getInstance("SHA1").digest((salt + token).getBytes(StandardCharsets.UTF_8)));
     } catch (final NoSuchAlgorithmException e) {
       throw new AssertionError(e);
     }
@@ -70,6 +70,6 @@ public record SaltedTokenHash(String hash, String salt) {
         salt.getBytes(StandardCharsets.UTF_8),  // salt
         AUTH_TOKEN_HKDF_INFO,
         32);
-    return V2_PREFIX + Hex.encodeHexString(secret);
+    return V2_PREFIX + HexFormat.of().formatHex(secret);
   }
 }

service/src/main/java/org/whispersystems/textsecuregcm/auth/StoredRegistrationLock.java

@@ -6,25 +6,35 @@
 package org.whispersystems.textsecuregcm.auth;
 
 import com.google.common.annotations.VisibleForTesting;
+import java.time.Duration;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
 import java.util.Optional;
-import java.util.concurrent.TimeUnit;
 import javax.annotation.Nullable;
 import org.whispersystems.textsecuregcm.util.Util;
 
 @SuppressWarnings("OptionalUsedAsFieldOrParameterType")
 public class StoredRegistrationLock {
+  public enum Status {
+    REQUIRED,
+    EXPIRED,
+    ABSENT
+  }
+
+  @VisibleForTesting
+  static final Duration REGISTRATION_LOCK_EXPIRATION_DAYS = Duration.ofDays(7);
 
   private final Optional<String> registrationLock;
 
   private final Optional<String> registrationLockSalt;
 
-  private final long             lastSeen;
+  private final Instant lastSeen;
 
   /**
    * @return milliseconds since the last time the account was seen.
    */
   private long timeSinceLastSeen() {
-    return System.currentTimeMillis() - lastSeen;
+    return System.currentTimeMillis() - lastSeen.toEpochMilli();
   }
 
   /**
@@ -34,23 +44,32 @@ public class StoredRegistrationLock {
     return registrationLock.isPresent() && registrationLockSalt.isPresent();
   }
 
-  public StoredRegistrationLock(Optional<String> registrationLock, Optional<String> registrationLockSalt, long lastSeen) {
+  public boolean isPresent() {
+    return hasLockAndSalt();
+  }
+
+  public StoredRegistrationLock(Optional<String> registrationLock, Optional<String> registrationLockSalt, Instant lastSeen) {
     this.registrationLock     = registrationLock;
     this.registrationLockSalt = registrationLockSalt;
     this.lastSeen             = lastSeen;
   }
 
-  public boolean requiresClientRegistrationLock() {
-    boolean hasTimeRemaining = getTimeRemaining() >= 0;
-    return hasLockAndSalt() && hasTimeRemaining;
+  public Status getStatus() {
+    if (!isPresent()) {
+      return Status.ABSENT;
+    }
+    if (getTimeRemaining().toMillis() > 0) {
+      return Status.REQUIRED;
+    }
+    return Status.EXPIRED;
   }
 
   public boolean needsFailureCredentials() {
     return hasLockAndSalt();
   }
 
-  public long getTimeRemaining() {
-    return TimeUnit.DAYS.toMillis(7) - timeSinceLastSeen();
+  public Duration getTimeRemaining() {
+    return REGISTRATION_LOCK_EXPIRATION_DAYS.minus(timeSinceLastSeen(), ChronoUnit.MILLIS);
   }
 
   public boolean verify(@Nullable String clientRegistrationLock) {
@@ -64,6 +83,6 @@ public class StoredRegistrationLock {
 
   @VisibleForTesting
   public StoredRegistrationLock forTime(long timestamp) {
-    return new StoredRegistrationLock(registrationLock, registrationLockSalt, timestamp);
+    return new StoredRegistrationLock(registrationLock, registrationLockSalt, Instant.ofEpochMilli(timestamp));
   }
 }

service/src/main/java/org/whispersystems/textsecuregcm/auth/StoredVerificationCode.java

@@ -10,9 +10,9 @@ import java.time.Duration;
 import javax.annotation.Nullable;
 import org.whispersystems.textsecuregcm.util.Util;
 
-public record StoredVerificationCode(String code,
+public record StoredVerificationCode(@Nullable String code,
                                      long timestamp,
-                                     String pushCode,
+                                     @Nullable String pushCode,
                                      @Nullable byte[] sessionId) {
 
   public static final Duration EXPIRATION = Duration.ofMinutes(10);

service/src/main/java/org/whispersystems/textsecuregcm/auth/TurnTokenGenerator.java

@@ -18,44 +18,52 @@ import javax.crypto.spec.SecretKeySpec;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
+import java.time.Duration;
+import java.time.Instant;
 import java.util.Base64;
 import java.util.List;
 import java.util.Optional;
-import java.util.concurrent.TimeUnit;
 
 public class TurnTokenGenerator {
 
-  private final DynamicConfigurationManager<DynamicConfiguration> dynamicConfiguration;
+  private final DynamicConfigurationManager<DynamicConfiguration> dynamicConfigurationManager;
 
-  public TurnTokenGenerator(final DynamicConfigurationManager<DynamicConfiguration> config) {
-    this.dynamicConfiguration = config;
+  private final byte[] turnSecret;
+
+  private static final String ALGORITHM = "HmacSHA1";
+
+  public TurnTokenGenerator(final DynamicConfigurationManager<DynamicConfiguration> dynamicConfigurationManager,
+      final byte[] turnSecret) {
+
+    this.dynamicConfigurationManager = dynamicConfigurationManager;
+    this.turnSecret = turnSecret;
   }
 
   public TurnToken generate(final String e164) {
     try {
-      byte[] key                = dynamicConfiguration.getConfiguration().getTurnConfiguration().getSecret().getBytes();
-      List<String> urls         = urls(e164);
-      Mac    mac                = Mac.getInstance("HmacSHA1");
-      long   validUntilSeconds  = (System.currentTimeMillis() + TimeUnit.DAYS.toMillis(1)) / 1000;
-      long   user               = Util.ensureNonNegativeInt(new SecureRandom().nextInt());
-      String userTime           = validUntilSeconds + ":"  + user;
+      final List<String> urls = urls(e164);
+      final Mac mac = Mac.getInstance(ALGORITHM);
+      final long validUntilSeconds = Instant.now().plus(Duration.ofDays(1)).getEpochSecond();
+      final long user = Util.ensureNonNegativeInt(new SecureRandom().nextInt());
+      final String userTime = validUntilSeconds + ":" + user;
 
-      mac.init(new SecretKeySpec(key, "HmacSHA1"));
-      String password = Base64.getEncoder().encodeToString(mac.doFinal(userTime.getBytes()));
+      mac.init(new SecretKeySpec(turnSecret, ALGORITHM));
+      final String password = Base64.getEncoder().encodeToString(mac.doFinal(userTime.getBytes()));
 
       return new TurnToken(userTime, password, urls);
-    } catch (NoSuchAlgorithmException | InvalidKeyException e) {
+    } catch (final NoSuchAlgorithmException | InvalidKeyException e) {
       throw new AssertionError(e);
     }
   }
 
   private List<String> urls(final String e164) {
-    final DynamicTurnConfiguration turnConfig = dynamicConfiguration.getConfiguration().getTurnConfiguration();
+    final DynamicTurnConfiguration turnConfig = dynamicConfigurationManager.getConfiguration().getTurnConfiguration();
 
     // Check if number is enrolled to test out specific turn servers
     final Optional<TurnUriConfiguration> enrolled = turnConfig.getUriConfigs().stream()
         .filter(config -> config.getEnrolledNumbers().contains(e164))
         .findFirst();
+
     if (enrolled.isPresent()) {
       return enrolled.get().getUris();
     }
@@ -64,6 +72,6 @@ public class TurnTokenGenerator {
     return WeightedRandomSelect.select(turnConfig
         .getUriConfigs()
         .stream()
-        .map(c -> new Pair<List<String>, Long>(c.getUris(), c.getWeight())).toList());
+        .map(c -> new Pair<>(c.getUris(), c.getWeight())).toList());
   }
 }

service/src/main/java/org/whispersystems/textsecuregcm/captcha/Action.java

@@ -0,0 +1,43 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.captcha;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import java.util.Arrays;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Optional;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+
+public enum Action {
+  CHALLENGE("challenge"),
+  REGISTRATION("registration");
+
+  private final String actionName;
+
+  Action(String actionName) {
+    this.actionName = actionName;
+  }
+
+  public String getActionName() {
+    return actionName;
+  }
+
+  private static final Map<String, Action> ENUM_MAP = Arrays
+      .stream(Action.values())
+      .collect(Collectors.toMap(
+          a -> a.actionName,
+          Function.identity()));
+  @JsonCreator
+  public static Action fromString(String key) {
+    return ENUM_MAP.get(key.toLowerCase(Locale.ROOT).strip());
+  }
+
+  static Optional<Action> parse(final String action) {
+    return Optional.ofNullable(fromString(action));
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/captcha/AssessmentResult.java

@@ -5,23 +5,111 @@
 
 package org.whispersystems.textsecuregcm.captcha;
 
-/**
- * A captcha assessment
- *
- * @param valid whether the captcha was passed
- * @param score string representation of the risk level
- */
-public record AssessmentResult(boolean valid, String score) {
+import java.util.Objects;
+import java.util.Optional;
 
-  public static AssessmentResult invalid() {
-    return new AssessmentResult(false, "");
+public class AssessmentResult {
+
+  private final boolean solved;
+  private final float actualScore;
+  private final float defaultScoreThreshold;
+  private final String scoreString;
+
+  /**
+   * A captcha assessment
+   *
+   * @param solved if false, the captcha was not successfully completed
+   * @param actualScore float representation of the risk level from [0, 1.0], with 1.0 being the least risky
+   * @param defaultScoreThreshold  the score threshold which the score will be evaluated against by default
+   * @param scoreString a quantized string representation of the risk level, suitable for use in metrics
+   */
+  private AssessmentResult(boolean solved, float actualScore, float defaultScoreThreshold, final String scoreString) {
+    this.solved = solved;
+    this.actualScore = actualScore;
+    this.defaultScoreThreshold = defaultScoreThreshold;
+    this.scoreString = scoreString;
   }
 
+  /**
+   * Construct an {@link AssessmentResult} from a captcha evaluation score
+   *
+   * @param actualScore the score
+   * @param defaultScoreThreshold the threshold to compare the score against by default
+   */
+  public static AssessmentResult fromScore(float actualScore, float defaultScoreThreshold) {
+    if (actualScore < 0 || actualScore > 1.0 || defaultScoreThreshold < 0 || defaultScoreThreshold > 1.0) {
+      throw new IllegalArgumentException("invalid captcha score");
+    }
+    return new AssessmentResult(true, actualScore, defaultScoreThreshold, AssessmentResult.scoreString(actualScore));
+  }
+
+  /**
+   * Construct a captcha assessment that will always be invalid
+   */
+  public static AssessmentResult invalid() {
+    return new AssessmentResult(false, 0.0f, 0.0f, "");
+  }
+
+  /**
+   * Construct a captcha assessment that will always be valid
+   */
+  public static AssessmentResult alwaysValid() {
+    return new AssessmentResult(true, 1.0f, 0.0f, "1.0");
+  }
+
+  /**
+   * Check if the captcha assessment should be accepted using the default score threshold
+   *
+   * @return true if this assessment should be accepted under the default score threshold
+   */
+  public boolean isValid() {
+    return isValid(Optional.empty());
+  }
+
+  /**
+   * Check if the captcha assessment should be accepted
+   *
+   * @param scoreThreshold the minimum score the assessment requires to pass, uses default if empty
+   * @return true if the assessment scored higher than the provided scoreThreshold
+   */
+  public boolean isValid(Optional<Float> scoreThreshold) {
+    if (!solved) {
+      return false;
+    }
+    return this.actualScore >= scoreThreshold.orElse(this.defaultScoreThreshold);
+  }
+
+  public String getScoreString() {
+    return scoreString;
+  }
+
+  public float getScore() {
+    return this.actualScore;
+  }
+
+
   /**
    * Map a captcha score in [0.0, 1.0] to a low cardinality discrete space in [0, 100] suitable for use in metrics
    */
-  static String scoreString(final float score) {
+  private static String scoreString(final float score) {
     final int x = Math.round(score * 10); // [0, 10]
     return Integer.toString(x * 10); // [0, 100] in increments of 10
   }
+
+  @Override
+  public boolean equals(final Object o) {
+    if (this == o)
+      return true;
+    if (o == null || getClass() != o.getClass())
+      return false;
+    AssessmentResult that = (AssessmentResult) o;
+    return solved == that.solved && Float.compare(that.actualScore, actualScore) == 0
+        && Float.compare(that.defaultScoreThreshold, defaultScoreThreshold) == 0 && Objects.equals(scoreString,
+        that.scoreString);
+  }
+
+  @Override
+  public int hashCode() {
+    return Objects.hash(solved, actualScore, defaultScoreThreshold, scoreString);
+  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/captcha/CaptchaChecker.java

@@ -5,19 +5,26 @@
 
 package org.whispersystems.textsecuregcm.captcha;
 
+import static org.whispersystems.textsecuregcm.metrics.MetricsUtil.name;
+
 import com.google.common.annotations.VisibleForTesting;
 import io.micrometer.core.instrument.Metrics;
 import java.io.IOException;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
+import java.util.Set;
 import java.util.function.Function;
 import java.util.stream.Collectors;
 import javax.ws.rs.BadRequestException;
-
-import static org.whispersystems.textsecuregcm.metrics.MetricsUtil.name;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 public class CaptchaChecker {
+  private static final Logger logger = LoggerFactory.getLogger(CaptchaChecker.class);
+  private static final String INVALID_SITEKEY_COUNTER_NAME = name(CaptchaChecker.class, "invalidSiteKey");
   private static final String ASSESSMENTS_COUNTER_NAME = name(RecaptchaClient.class, "assessments");
+  private static final String INVALID_ACTION_COUNTER_NAME = name(CaptchaChecker.class, "invalidActions");
 
   @VisibleForTesting
   static final String SEPARATOR = ".";
@@ -29,46 +36,62 @@ public class CaptchaChecker {
         .collect(Collectors.toMap(CaptchaClient::scheme, Function.identity()));
   }
 
+
   /**
    * Check if a solved captcha should be accepted
-   * <p>
    *
-   * @param input expected to contain a prefix indicating the captcha scheme, sitekey, token, and action. The expected
-   *              format is {@code version-prefix.sitekey.[action.]token}
-   * @param ip    IP of the solver
+   * @param expectedAction the {@link Action} for which this captcha solution is intended
+   * @param input          expected to contain a prefix indicating the captcha scheme, sitekey, token, and action. The
+   *                       expected format is {@code version-prefix.sitekey.action.token}
+   * @param ip             IP of the solver
    * @return An {@link AssessmentResult} indicating whether the solution should be accepted, and a score that can be
    * used for metrics
    * @throws IOException         if there is an error validating the captcha with the underlying service
    * @throws BadRequestException if input is not in the expected format
    */
-  public AssessmentResult verify(final String input, final String ip) throws IOException {
-    /*
-     * For action to be optional, there is a strong assumption that the token will never contain a {@value  SEPARATOR}.
-     * Observation suggests {@code token} is base-64 encoded. In practice, an action should always be present, but we
-     * don’t need to be strict.
-     */
+  public AssessmentResult verify(
+      final Action expectedAction,
+      final String input,
+      final String ip) throws IOException {
     final String[] parts = input.split("\\" + SEPARATOR, 4);
 
     // we allow missing actions, if we're missing 1 part, assume it's the action
-    if (parts.length < 3) {
+    if (parts.length < 4) {
       throw new BadRequestException("too few parts");
     }
 
-    int idx = 0;
-    final String prefix = parts[idx++];
-    final String siteKey = parts[idx++];
-    final String action = parts.length == 3 ? null : parts[idx++];
-    final String token = parts[idx];
+    final String prefix = parts[0];
+    final String siteKey = parts[1].toLowerCase(Locale.ROOT).strip();
+    final String action = parts[2];
+    final String token = parts[3];
 
     final CaptchaClient client = this.captchaClientMap.get(prefix);
     if (client == null) {
       throw new BadRequestException("invalid captcha scheme");
     }
-    final AssessmentResult result = client.verify(siteKey, action, token, ip);
+
+    final Action parsedAction = Action.parse(action)
+        .orElseThrow(() -> {
+          Metrics.counter(INVALID_ACTION_COUNTER_NAME, "action", action).increment();
+          throw new BadRequestException("invalid captcha action");
+        });
+
+    if (!parsedAction.equals(expectedAction)) {
+      Metrics.counter(INVALID_ACTION_COUNTER_NAME, "action", action).increment();
+      throw new BadRequestException("invalid captcha action");
+    }
+
+    final Set<String> allowedSiteKeys = client.validSiteKeys(parsedAction);
+    if (!allowedSiteKeys.contains(siteKey)) {
+      logger.debug("invalid site-key {}, action={}, token={}", siteKey, action, token);
+      Metrics.counter(INVALID_SITEKEY_COUNTER_NAME, "action", action).increment();
+      throw new BadRequestException("invalid captcha site-key");
+    }
+
+    final AssessmentResult result = client.verify(siteKey, parsedAction, token, ip);
     Metrics.counter(ASSESSMENTS_COUNTER_NAME,
-            "action", String.valueOf(action),
-            "valid", String.valueOf(result.valid()),
-            "score", result.score(),
+            "action", action,
+            "score", result.getScoreString(),
             "provider", prefix)
         .increment();
     return result;

service/src/main/java/org/whispersystems/textsecuregcm/captcha/CaptchaClient.java

@@ -5,29 +5,37 @@
 
 package org.whispersystems.textsecuregcm.captcha;
 
-import javax.annotation.Nullable;
 import java.io.IOException;
+import java.util.Optional;
+import java.util.Set;
 
 public interface CaptchaClient {
 
+
   /**
    * @return the identifying captcha scheme that this CaptchaClient handles
    */
   String scheme();
 
+  /**
+   * @param action the action to retrieve site keys for
+   * @return siteKeys this client is willing to accept
+   */
+  Set<String> validSiteKeys(final Action action);
+
   /**
    * Verify a provided captcha solution
    *
    * @param siteKey identifying string for the captcha service
-   * @param action  an optional action indicating the purpose of the captcha
+   * @param action  an action indicating the purpose of the captcha
    * @param token   the captcha solution that will be verified
-   * @param ip      the ip of the captcha solve
+   * @param ip      the ip of the captcha solver
    * @return An {@link AssessmentResult} indicating whether the solution should be accepted
    * @throws IOException if the underlying captcha provider returns an error
    */
   AssessmentResult verify(
       final String siteKey,
-      final @Nullable String action,
+      final Action action,
       final String token,
       final String ip) throws IOException;
 }

service/src/main/java/org/whispersystems/textsecuregcm/captcha/HCaptchaClient.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2021-2022 Signal Messenger, LLC
+ * Copyright 2021 Signal Messenger, LLC
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
@@ -9,13 +9,16 @@ import static org.whispersystems.textsecuregcm.metrics.MetricsUtil.name;
 
 import io.micrometer.core.instrument.Metrics;
 import java.io.IOException;
+import java.math.BigDecimal;
 import java.net.URI;
 import java.net.URLEncoder;
 import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
 import java.nio.charset.StandardCharsets;
-import javax.annotation.Nullable;
+import java.util.Collections;
+import java.util.Optional;
+import java.util.Set;
 import javax.ws.rs.core.Response;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -49,21 +52,31 @@ public class HCaptchaClient implements CaptchaClient {
   }
 
   @Override
-  public AssessmentResult verify(final String siteKey, final @Nullable String action, final String token,
+  public Set<String> validSiteKeys(final Action action) {
+    final DynamicCaptchaConfiguration config = dynamicConfigurationManager.getConfiguration().getCaptchaConfiguration();
+    if (!config.isAllowHCaptcha()) {
+      logger.warn("Received request to verify an hCaptcha, but hCaptcha is not enabled");
+      return Collections.emptySet();
+    }
+    return Optional
+        .ofNullable(config.getHCaptchaSiteKeys().get(action))
+        .orElse(Collections.emptySet());
+  }
+
+  @Override
+  public AssessmentResult verify(
+      final String siteKey,
+      final Action action,
+      final String token,
       final String ip)
       throws IOException {
 
     final DynamicCaptchaConfiguration config = dynamicConfigurationManager.getConfiguration().getCaptchaConfiguration();
-    if (!config.isAllowHCaptcha()) {
-      logger.warn("Received request to verify an hCaptcha, but hCaptcha is not enabled");
-      return AssessmentResult.invalid();
-    }
-
     final String body = String.format("response=%s&secret=%s&remoteip=%s",
         URLEncoder.encode(token, StandardCharsets.UTF_8),
         URLEncoder.encode(this.apiKey, StandardCharsets.UTF_8),
         ip);
-    HttpRequest request = HttpRequest.newBuilder()
+    final HttpRequest request = HttpRequest.newBuilder()
         .uri(URI.create("https://hcaptcha.com/siteverify"))
         .header("Content-Type", "application/x-www-form-urlencoded")
         .POST(HttpRequest.BodyPublishers.ofString(body))
@@ -81,7 +94,7 @@ public class HCaptchaClient implements CaptchaClient {
       throw new IOException("hCaptcha http failure : " + response.statusCode());
     }
 
-    final HCaptchaResponse hCaptchaResponse = SystemMapper.getMapper()
+    final HCaptchaResponse hCaptchaResponse = SystemMapper.jsonMapper()
         .readValue(response.body(), HCaptchaResponse.class);
 
     logger.debug("received hCaptcha response: {}", hCaptchaResponse);
@@ -89,26 +102,27 @@ public class HCaptchaClient implements CaptchaClient {
     if (!hCaptchaResponse.success) {
       for (String errorCode : hCaptchaResponse.errorCodes) {
         Metrics.counter(INVALID_REASON_COUNTER_NAME,
-            "action", String.valueOf(action),
+            "action", action.getActionName(),
             "reason", errorCode).increment();
       }
       return AssessmentResult.invalid();
     }
 
     // hcaptcha uses the inverse scheme of recaptcha (for hcaptcha, a low score is less risky)
-    float score = 1.0f - hCaptchaResponse.score;
+    final float score = 1.0f - hCaptchaResponse.score;
     if (score < 0.0f || score > 1.0f) {
       logger.error("Invalid score {} from hcaptcha response {}", hCaptchaResponse.score, hCaptchaResponse);
       return AssessmentResult.invalid();
     }
-    final String scoreString = AssessmentResult.scoreString(score);
+    final BigDecimal threshold = config.getScoreFloorByAction().getOrDefault(action, config.getScoreFloor());
+    final AssessmentResult assessmentResult = AssessmentResult.fromScore(score, threshold.floatValue());
 
     for (String reason : hCaptchaResponse.scoreReasons) {
       Metrics.counter(ASSESSMENT_REASON_COUNTER_NAME,
-          "action", String.valueOf(action),
+          "action", action.getActionName(),
           "reason", reason,
-          "score", scoreString).increment();
+          "score", assessmentResult.getScoreString()).increment();
     }
-    return new AssessmentResult(score >= config.getScoreFloor().floatValue(), scoreString);
+    return assessmentResult;
   }
 }

service/src/main/java/org/whispersystems/textsecuregcm/captcha/RecaptchaClient.java

@@ -18,10 +18,13 @@ import com.google.recaptchaenterprise.v1.RiskAnalysis;
 import io.micrometer.core.instrument.Metrics;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
+import java.math.BigDecimal;
 import java.nio.charset.StandardCharsets;
+import java.util.Collections;
 import java.util.Objects;
+import java.util.Optional;
+import java.util.Set;
 import javax.annotation.Nonnull;
-import javax.annotation.Nullable;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.whispersystems.textsecuregcm.configuration.dynamic.DynamicCaptchaConfiguration;
@@ -34,8 +37,10 @@ public class RecaptchaClient implements CaptchaClient {
 
   private static final String V2_PREFIX = "signal-recaptcha-v2";
   private static final String INVALID_REASON_COUNTER_NAME = name(RecaptchaClient.class, "invalidReason");
+  private static final String INVALID_SITEKEY_COUNTER_NAME = name(RecaptchaClient.class, "invalidSiteKey");
   private static final String ASSESSMENT_REASON_COUNTER_NAME = name(RecaptchaClient.class, "assessmentReason");
 
+
   private final String projectPath;
   private final RecaptchaEnterpriseServiceClient client;
   private final DynamicConfigurationManager<DynamicConfiguration> dynamicConfigurationManager;
@@ -63,12 +68,28 @@ public class RecaptchaClient implements CaptchaClient {
   }
 
   @Override
-  public org.whispersystems.textsecuregcm.captcha.AssessmentResult verify(final String sitekey,
-      final @Nullable String expectedAction,
-      final String token, final String ip) throws IOException {
+  public Set<String> validSiteKeys(final Action action) {
     final DynamicCaptchaConfiguration config = dynamicConfigurationManager.getConfiguration().getCaptchaConfiguration();
     if (!config.isAllowRecaptcha()) {
       log.warn("Received request to verify a recaptcha, but recaptcha is not enabled");
+      return Collections.emptySet();
+    }
+    return Optional
+        .ofNullable(config.getRecaptchaSiteKeys().get(action))
+        .orElse(Collections.emptySet());
+  }
+
+  @Override
+  public org.whispersystems.textsecuregcm.captcha.AssessmentResult verify(
+      final String sitekey,
+      final Action action,
+      final String token,
+      final String ip) throws IOException {
+    final DynamicCaptchaConfiguration config = dynamicConfigurationManager.getConfiguration().getCaptchaConfiguration();
+    final Set<String> allowedSiteKeys = config.getRecaptchaSiteKeys().get(action);
+    if (allowedSiteKeys != null && !allowedSiteKeys.contains(sitekey)) {
+      log.info("invalid recaptcha sitekey {}, action={}, token={}", action, token);
+      Metrics.counter(INVALID_SITEKEY_COUNTER_NAME, "action", action.getActionName()).increment();
       return AssessmentResult.invalid();
     }
 
@@ -77,8 +98,8 @@ public class RecaptchaClient implements CaptchaClient {
         .setToken(token)
         .setUserIpAddress(ip);
 
-    if (expectedAction != null) {
-      eventBuilder.setExpectedAction(expectedAction);
+    if (action != null) {
+      eventBuilder.setExpectedAction(action.getActionName());
     }
 
     final Event event = eventBuilder.build();
@@ -91,20 +112,20 @@ public class RecaptchaClient implements CaptchaClient {
 
     if (assessment.getTokenProperties().getValid()) {
       final float score = assessment.getRiskAnalysis().getScore();
-      log.debug("assessment for {} was valid, score: {}", expectedAction, score);
+      log.debug("assessment for {} was valid, score: {}", action.getActionName(), score);
+      final BigDecimal threshold = config.getScoreFloorByAction().getOrDefault(action, config.getScoreFloor());
+      final AssessmentResult assessmentResult = AssessmentResult.fromScore(score, threshold.floatValue());
       for (RiskAnalysis.ClassificationReason reason : assessment.getRiskAnalysis().getReasonsList()) {
         Metrics.counter(ASSESSMENT_REASON_COUNTER_NAME,
-                "action", String.valueOf(expectedAction),
-                "score", AssessmentResult.scoreString(score),
+                "action", action.getActionName(),
+                "score", assessmentResult.getScoreString(),
                 "reason", reason.name())
             .increment();
       }
-      return new AssessmentResult(
-          score >= config.getScoreFloor().floatValue(),
-          AssessmentResult.scoreString(score));
+      return assessmentResult;
     } else {
       Metrics.counter(INVALID_REASON_COUNTER_NAME,
-              "action", String.valueOf(expectedAction),
+              "action", action.getActionName(),
               "reason", assessment.getTokenProperties().getInvalidReason().name())
           .increment();
       return AssessmentResult.invalid();

service/src/main/java/org/whispersystems/textsecuregcm/captcha/RegistrationCaptchaManager.java

@@ -0,0 +1,107 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.captcha;
+
+import static com.codahale.metrics.MetricRegistry.name;
+
+import com.codahale.metrics.Meter;
+import com.codahale.metrics.MetricRegistry;
+import com.codahale.metrics.SharedMetricRegistries;
+import java.io.IOException;
+import java.util.Optional;
+import java.util.Set;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.whispersystems.textsecuregcm.configuration.dynamic.DynamicCaptchaConfiguration;
+import org.whispersystems.textsecuregcm.configuration.dynamic.DynamicConfiguration;
+import org.whispersystems.textsecuregcm.controllers.AccountController;
+import org.whispersystems.textsecuregcm.controllers.RateLimitExceededException;
+import org.whispersystems.textsecuregcm.limits.RateLimiters;
+import org.whispersystems.textsecuregcm.storage.DynamicConfigurationManager;
+import org.whispersystems.textsecuregcm.util.Constants;
+import org.whispersystems.textsecuregcm.util.Util;
+
+public class RegistrationCaptchaManager {
+
+  private static final Logger logger = LoggerFactory.getLogger(RegistrationCaptchaManager.class);
+
+  private final MetricRegistry metricRegistry = SharedMetricRegistries.getOrCreate(Constants.METRICS_NAME);
+  private final Meter countryFilteredHostMeter = metricRegistry.meter(
+      name(AccountController.class, "country_limited_host"));
+  private final Meter rateLimitedHostMeter = metricRegistry.meter(name(AccountController.class, "rate_limited_host"));
+  private final Meter rateLimitedPrefixMeter = metricRegistry.meter(
+      name(AccountController.class, "rate_limited_prefix"));
+
+  private final CaptchaChecker captchaChecker;
+  private final RateLimiters rateLimiters;
+  private final Set<String> testDevices;
+  private final DynamicConfigurationManager<DynamicConfiguration> dynamicConfigurationManager;
+
+
+  public RegistrationCaptchaManager(final CaptchaChecker captchaChecker, final RateLimiters rateLimiters,
+      final Set<String> testDevices,
+      final DynamicConfigurationManager<DynamicConfiguration> dynamicConfigurationManager) {
+    this.captchaChecker = captchaChecker;
+    this.rateLimiters = rateLimiters;
+    this.testDevices = testDevices;
+    this.dynamicConfigurationManager = dynamicConfigurationManager;
+  }
+
+  @SuppressWarnings("OptionalUsedAsFieldOrParameterType")
+  public Optional<AssessmentResult> assessCaptcha(final Optional<String> captcha, final String sourceHost)
+      throws IOException {
+    return captcha.isPresent()
+        ? Optional.of(captchaChecker.verify(Action.REGISTRATION, captcha.get(), sourceHost))
+        : Optional.empty();
+  }
+
+  public boolean requiresCaptcha(final String number, final String forwardedFor, String sourceHost,
+      final boolean pushChallengeMatch) {
+    if (testDevices.contains(number)) {
+      return false;
+    }
+
+    if (!pushChallengeMatch) {
+      return true;
+    }
+
+    final String countryCode = Util.getCountryCode(number);
+    final String region = Util.getRegion(number);
+
+    DynamicCaptchaConfiguration captchaConfig = dynamicConfigurationManager.getConfiguration()
+        .getCaptchaConfiguration();
+
+    boolean countryFiltered = captchaConfig.getSignupCountryCodes().contains(countryCode) ||
+        captchaConfig.getSignupRegions().contains(region);
+
+    try {
+      rateLimiters.getSmsVoiceIpLimiter().validate(sourceHost);
+    } catch (RateLimitExceededException e) {
+      logger.info("Rate limit exceeded: {}, {} ({})", number, sourceHost, forwardedFor);
+      rateLimitedHostMeter.mark();
+
+      return true;
+    }
+
+    try {
+      rateLimiters.getSmsVoicePrefixLimiter().validate(Util.getNumberPrefix(number));
+    } catch (RateLimitExceededException e) {
+      logger.info("Prefix rate limit exceeded: {}, {} ({})", number, sourceHost, forwardedFor);
+      rateLimitedPrefixMeter.mark();
+
+      return true;
+    }
+
+    if (countryFiltered) {
+      countryFilteredHostMeter.mark();
+      return true;
+    }
+
+    return false;
+  }
+
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/AccountDatabaseCrawlerConfiguration.java

@@ -11,14 +11,8 @@ public class AccountDatabaseCrawlerConfiguration {
   @JsonProperty
   private int chunkSize = 1000;
 
-  @JsonProperty
-  private long chunkIntervalMs = 8000L;
-
   public int getChunkSize() {
     return chunkSize;
   }
 
-  public long getChunkIntervalMs() {
-    return chunkIntervalMs;
-  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/AdminEventLoggingConfiguration.java

@@ -5,10 +5,12 @@
 
 package org.whispersystems.textsecuregcm.configuration;
 
+import javax.validation.constraints.NotBlank;
 import javax.validation.constraints.NotEmpty;
 
 public record AdminEventLoggingConfiguration(
-    @NotEmpty String credentials,
+    @NotBlank String credentials,
+    @NotBlank String secondaryCredentials,
     @NotEmpty String projectId,
     @NotEmpty String logName) {
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/ApnConfiguration.java

@@ -1,51 +1,17 @@
 /*
- * Copyright 2013-2020 Signal Messenger, LLC
+ * Copyright 2013 Signal Messenger, LLC
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 package org.whispersystems.textsecuregcm.configuration;
 
-import com.fasterxml.jackson.annotation.JsonProperty;
-import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.NotBlank;
+import javax.validation.constraints.NotNull;
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretString;
 
 
-public class ApnConfiguration {
-
-  @NotEmpty
-  @JsonProperty
-  private String teamId;
-
-  @NotEmpty
-  @JsonProperty
-  private String keyId;
-
-  @NotEmpty
-  @JsonProperty
-  private String signingKey;
-
-  @NotEmpty
-  @JsonProperty
-  private String bundleId;
-
-  @JsonProperty
-  private boolean sandbox = false;
-
-  public String getTeamId() {
-    return teamId;
-  }
-
-  public String getKeyId() {
-    return keyId;
-  }
-
-  public String getSigningKey() {
-    return signingKey;
-  }
-
-  public String getBundleId() {
-    return bundleId;
-  }
-
-  public boolean isSandboxEnabled() {
-    return sandbox;
-  }
+public record ApnConfiguration(@NotBlank String teamId,
+                               @NotBlank String keyId,
+                               @NotNull SecretString signingKey,
+                               @NotBlank String bundleId,
+                               boolean sandbox) {
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/ArtServiceConfiguration.java

@@ -5,37 +5,17 @@
 
 package org.whispersystems.textsecuregcm.configuration;
 
-import com.fasterxml.jackson.annotation.JsonProperty;
-import org.apache.commons.codec.DecoderException;
-import org.apache.commons.codec.binary.Hex;
+import static org.apache.commons.lang3.ObjectUtils.firstNonNull;
 
 import java.time.Duration;
-import javax.validation.constraints.NotEmpty;
 import javax.validation.constraints.NotNull;
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretBytes;
+import org.whispersystems.textsecuregcm.util.ExactlySize;
 
-public class ArtServiceConfiguration {
-
-  @NotEmpty
-  @JsonProperty
-  private String userAuthenticationTokenSharedSecret;
-
-  @NotEmpty
-  @JsonProperty
-  private String userAuthenticationTokenUserIdSecret;
-
-  @JsonProperty
-  @NotNull
-  private Duration tokenExpiration = Duration.ofDays(1);
-
-  public byte[] getUserAuthenticationTokenSharedSecret() throws DecoderException {
-    return Hex.decodeHex(userAuthenticationTokenSharedSecret.toCharArray());
-  }
-
-  public byte[] getUserAuthenticationTokenUserIdSecret() throws DecoderException {
-    return Hex.decodeHex(userAuthenticationTokenUserIdSecret.toCharArray());
-  }
-
-  public Duration getTokenExpiration() {
-    return tokenExpiration;
+public record ArtServiceConfiguration(@ExactlySize(32) SecretBytes userAuthenticationTokenSharedSecret,
+                                      @NotNull SecretBytes userAuthenticationTokenUserIdSecret,
+                                      @NotNull Duration tokenExpiration) {
+  public ArtServiceConfiguration {
+    tokenExpiration = firstNonNull(tokenExpiration, Duration.ofDays(1));
   }
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/AwsAttachmentsConfiguration.java

@@ -1,43 +1,15 @@
 /*
- * Copyright 2013-2020 Signal Messenger, LLC
+ * Copyright 2013 Signal Messenger, LLC
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 package org.whispersystems.textsecuregcm.configuration;
 
-import com.fasterxml.jackson.annotation.JsonProperty;
-import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.NotBlank;
+import javax.validation.constraints.NotNull;
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretString;
 
-public class AwsAttachmentsConfiguration {
-
-  @NotEmpty
-  @JsonProperty
-  private String accessKey;
-
-  @NotEmpty
-  @JsonProperty
-  private String accessSecret;
-
-  @NotEmpty
-  @JsonProperty
-  private String bucket;
-
-  @NotEmpty
-  @JsonProperty
-  private String region;
-
-  public String getAccessKey() {
-    return accessKey;
-  }
-
-  public String getAccessSecret() {
-    return accessSecret;
-  }
-
-  public String getBucket() {
-    return bucket;
-  }
-
-  public String getRegion() {
-    return region;
-  }
+public record AwsAttachmentsConfiguration(@NotNull SecretString accessKey,
+                                          @NotNull SecretString accessSecret,
+                                          @NotBlank String bucket,
+                                          @NotBlank String region) {
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/BraintreeConfiguration.java

@@ -11,6 +11,7 @@ import javax.validation.Valid;
 import javax.validation.constraints.NotBlank;
 import javax.validation.constraints.NotEmpty;
 import javax.validation.constraints.NotNull;
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretString;
 
 /**
  * @param merchantId          the Braintree merchant ID
@@ -24,7 +25,7 @@ import javax.validation.constraints.NotNull;
  */
 public record BraintreeConfiguration(@NotBlank String merchantId,
                                      @NotBlank String publicKey,
-                                     @NotBlank String privateKey,
+                                     @NotNull SecretString privateKey,
                                      @NotBlank String environment,
                                      @NotEmpty Set<@NotBlank String> supportedCurrencies,
                                      @NotBlank String graphqlUrl,

service/src/main/java/org/whispersystems/textsecuregcm/configuration/CdnConfiguration.java

@@ -1,44 +1,16 @@
 /*
- * Copyright 2013-2020 Signal Messenger, LLC
+ * Copyright 2013 Signal Messenger, LLC
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
 package org.whispersystems.textsecuregcm.configuration;
 
-import com.fasterxml.jackson.annotation.JsonProperty;
-import javax.validation.constraints.NotEmpty;
-
-public class CdnConfiguration {
-  @NotEmpty
-  @JsonProperty
-  private String accessKey;
-
-  @NotEmpty
-  @JsonProperty
-  private String accessSecret;
-
-  @NotEmpty
-  @JsonProperty
-  private String bucket;
-
-  @NotEmpty
-  @JsonProperty
-  private String region;
-
-  public String getAccessKey() {
-    return accessKey;
-  }
-
-  public String getAccessSecret() {
-    return accessSecret;
-  }
-
-  public String getBucket() {
-    return bucket;
-  }
-
-  public String getRegion() {
-    return region;
-  }
+import javax.validation.constraints.NotBlank;
+import javax.validation.constraints.NotNull;
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretString;
 
+public record CdnConfiguration(@NotNull SecretString accessKey,
+                               @NotNull SecretString accessSecret,
+                               @NotBlank String bucket,
+                               @NotBlank String region) {
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/DatadogConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2013-2021 Signal Messenger, LLC
+ * Copyright 2013 Signal Messenger, LLC
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
@@ -7,16 +7,17 @@ package org.whispersystems.textsecuregcm.configuration;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
 import io.micrometer.datadog.DatadogConfig;
+import java.time.Duration;
 import javax.validation.constraints.Min;
 import javax.validation.constraints.NotBlank;
 import javax.validation.constraints.NotNull;
-import java.time.Duration;
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretString;
 
 public class DatadogConfiguration implements DatadogConfig {
 
   @JsonProperty
-  @NotBlank
-  private String apiKey;
+  @NotNull
+  private SecretString apiKey;
 
   @JsonProperty
   @NotNull
@@ -32,7 +33,7 @@ public class DatadogConfiguration implements DatadogConfig {
 
   @Override
   public String apiKey() {
-    return apiKey;
+    return apiKey.value();
   }
 
   @Override

service/src/main/java/org/whispersystems/textsecuregcm/configuration/DeletedAccountsTableConfiguration.java

@@ -1,25 +0,0 @@
-package org.whispersystems.textsecuregcm.configuration;
-
-import com.fasterxml.jackson.annotation.JsonCreator;
-import com.fasterxml.jackson.annotation.JsonProperty;
-import javax.validation.constraints.NotBlank;
-import org.whispersystems.textsecuregcm.configuration.DynamoDbTables.Table;
-
-public class DeletedAccountsTableConfiguration extends Table {
-
-  private final String needsReconciliationIndexName;
-
-  @JsonCreator
-  public DeletedAccountsTableConfiguration(
-      @JsonProperty("tableName") final String tableName,
-      @JsonProperty("needsReconciliationIndexName") final String needsReconciliationIndexName) {
-
-    super(tableName);
-    this.needsReconciliationIndexName = needsReconciliationIndexName;
-  }
-
-  @NotBlank
-  public String getNeedsReconciliationIndexName() {
-    return needsReconciliationIndexName;
-  }
-}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/DirectoryClientConfiguration.java

@@ -1,30 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.textsecuregcm.configuration;
-
-import com.fasterxml.jackson.annotation.JsonProperty;
-import javax.validation.constraints.NotEmpty;
-import org.apache.commons.codec.DecoderException;
-import org.apache.commons.codec.binary.Hex;
-
-public class DirectoryClientConfiguration {
-
-  @NotEmpty
-  @JsonProperty
-  private String userAuthenticationTokenSharedSecret;
-
-  @NotEmpty
-  @JsonProperty
-  private String userAuthenticationTokenUserIdSecret;
-
-  public byte[] getUserAuthenticationTokenSharedSecret() throws DecoderException {
-    return Hex.decodeHex(userAuthenticationTokenSharedSecret.toCharArray());
-  }
-
-  public byte[] getUserAuthenticationTokenUserIdSecret() throws DecoderException {
-    return Hex.decodeHex(userAuthenticationTokenUserIdSecret.toCharArray());
-  }
-
-}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/DirectoryConfiguration.java

@@ -1,41 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.textsecuregcm.configuration;
-
-import com.fasterxml.jackson.annotation.JsonProperty;
-
-import javax.validation.Valid;
-import javax.validation.constraints.NotNull;
-import java.util.List;
-
-public class DirectoryConfiguration {
-
-  @JsonProperty
-  @NotNull
-  @Valid
-  private SqsConfiguration sqs;
-    
-  @JsonProperty
-  @NotNull
-  @Valid
-  private DirectoryClientConfiguration client;
-
-  @JsonProperty
-  @NotNull
-  @Valid
-  private List<DirectoryServerConfiguration> server;
-
-  public SqsConfiguration getSqsConfiguration() {
-    return sqs;
-  }
-
-  public DirectoryClientConfiguration getDirectoryClientConfiguration() {
-    return client;
-  }
-
-  public List<DirectoryServerConfiguration> getDirectoryServerConfiguration() {
-    return server;
-  }
-}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/DirectoryServerConfiguration.java

@@ -1,46 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.textsecuregcm.configuration;
-
-import com.fasterxml.jackson.annotation.JsonProperty;
-import javax.validation.constraints.NotBlank;
-import javax.validation.constraints.NotEmpty;
-import java.util.List;
-
-public class DirectoryServerConfiguration {
-
-  @NotEmpty
-  @JsonProperty
-  private String replicationName;
-
-  @NotEmpty
-  @JsonProperty
-  private String replicationUrl;
-
-  @NotEmpty
-  @JsonProperty
-  private String replicationPassword;
-
-  @NotEmpty
-  @JsonProperty
-  private List<@NotBlank String> replicationCaCertificates;
-
-  public String getReplicationName() {
-    return replicationName;
-  }
-
-  public String getReplicationUrl() {
-    return replicationUrl;
-  }
-
-  public String getReplicationPassword() {
-    return replicationPassword;
-  }
-
-  public List<String> getReplicationCaCertificates() {
-    return replicationCaCertificates;
-  }
-
-}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/DirectoryV2ClientConfiguration.java

@@ -1,11 +1,12 @@
 /*
- * Copyright 2013-2023 Signal Messenger, LLC
+ * Copyright 2013 Signal Messenger, LLC
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 package org.whispersystems.textsecuregcm.configuration;
 
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretBytes;
 import org.whispersystems.textsecuregcm.util.ExactlySize;
 
-public record DirectoryV2ClientConfiguration(@ExactlySize({32}) byte[] userAuthenticationTokenSharedSecret,
-                                             @ExactlySize({32}) byte[] userIdTokenSharedSecret) {
+public record DirectoryV2ClientConfiguration(@ExactlySize(32) SecretBytes userAuthenticationTokenSharedSecret,
+                                             @ExactlySize(32) SecretBytes userIdTokenSharedSecret) {
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/DynamoDbTables.java

@@ -47,10 +47,12 @@ public class DynamoDbTables {
   }
 
   private final AccountsTableConfiguration accounts;
-  private final DeletedAccountsTableConfiguration deletedAccounts;
+  private final Table deletedAccounts;
   private final Table deletedAccountsLock;
   private final IssuedReceiptsTableConfiguration issuedReceipts;
-  private final Table keys;
+  private final Table ecKeys;
+  private final Table kemKeys;
+  private final Table kemLastResortKeys;
   private final TableWithExpiration messages;
   private final Table pendingAccounts;
   private final Table pendingDevices;
@@ -58,17 +60,20 @@ public class DynamoDbTables {
   private final Table profiles;
   private final Table pushChallenge;
   private final TableWithExpiration redeemedReceipts;
+  private final TableWithExpiration registrationRecovery;
   private final Table remoteConfig;
   private final Table reportMessage;
-  private final Table reservedUsernames;
   private final Table subscriptions;
+  private final Table verificationSessions;
 
   public DynamoDbTables(
       @JsonProperty("accounts") final AccountsTableConfiguration accounts,
-      @JsonProperty("deletedAccounts") final DeletedAccountsTableConfiguration deletedAccounts,
+      @JsonProperty("deletedAccounts") final Table deletedAccounts,
       @JsonProperty("deletedAccountsLock") final Table deletedAccountsLock,
       @JsonProperty("issuedReceipts") final IssuedReceiptsTableConfiguration issuedReceipts,
-      @JsonProperty("keys") final Table keys,
+      @JsonProperty("ecKeys") final Table ecKeys,
+      @JsonProperty("pqKeys") final Table kemKeys,
+      @JsonProperty("pqLastResortKeys") final Table kemLastResortKeys,
       @JsonProperty("messages") final TableWithExpiration messages,
       @JsonProperty("pendingAccounts") final Table pendingAccounts,
       @JsonProperty("pendingDevices") final Table pendingDevices,
@@ -76,16 +81,19 @@ public class DynamoDbTables {
       @JsonProperty("profiles") final Table profiles,
       @JsonProperty("pushChallenge") final Table pushChallenge,
       @JsonProperty("redeemedReceipts") final TableWithExpiration redeemedReceipts,
+      @JsonProperty("registrationRecovery") final TableWithExpiration registrationRecovery,
       @JsonProperty("remoteConfig") final Table remoteConfig,
       @JsonProperty("reportMessage") final Table reportMessage,
-      @JsonProperty("reservedUsernames") final Table reservedUsernames,
-      @JsonProperty("subscriptions") final Table subscriptions) {
+      @JsonProperty("subscriptions") final Table subscriptions,
+      @JsonProperty("verificationSessions") final Table verificationSessions) {
 
     this.accounts = accounts;
     this.deletedAccounts = deletedAccounts;
     this.deletedAccountsLock = deletedAccountsLock;
     this.issuedReceipts = issuedReceipts;
-    this.keys = keys;
+    this.ecKeys = ecKeys;
+    this.kemKeys = kemKeys;
+    this.kemLastResortKeys = kemLastResortKeys;
     this.messages = messages;
     this.pendingAccounts = pendingAccounts;
     this.pendingDevices = pendingDevices;
@@ -93,10 +101,11 @@ public class DynamoDbTables {
     this.profiles = profiles;
     this.pushChallenge = pushChallenge;
     this.redeemedReceipts = redeemedReceipts;
+    this.registrationRecovery = registrationRecovery;
     this.remoteConfig = remoteConfig;
     this.reportMessage = reportMessage;
-    this.reservedUsernames = reservedUsernames;
     this.subscriptions = subscriptions;
+    this.verificationSessions = verificationSessions;
   }
 
   @NotNull
@@ -107,7 +116,7 @@ public class DynamoDbTables {
 
   @NotNull
   @Valid
-  public DeletedAccountsTableConfiguration getDeletedAccounts() {
+  public Table getDeletedAccounts() {
     return deletedAccounts;
   }
 
@@ -125,8 +134,20 @@ public class DynamoDbTables {
 
   @NotNull
   @Valid
-  public Table getKeys() {
-    return keys;
+  public Table getEcKeys() {
+    return ecKeys;
+  }
+
+  @NotNull
+  @Valid
+  public Table getKemKeys() {
+    return kemKeys;
+  }
+
+  @NotNull
+  @Valid
+  public Table getKemLastResortKeys() {
+    return kemLastResortKeys;
   }
 
   @NotNull
@@ -171,6 +192,12 @@ public class DynamoDbTables {
     return redeemedReceipts;
   }
 
+  @NotNull
+  @Valid
+  public TableWithExpiration getRegistrationRecovery() {
+    return registrationRecovery;
+  }
+
   @NotNull
   @Valid
   public Table getRemoteConfig() {
@@ -185,13 +212,13 @@ public class DynamoDbTables {
 
   @NotNull
   @Valid
-  public Table getReservedUsernames() {
-    return reservedUsernames;
+  public Table getSubscriptions() {
+    return subscriptions;
   }
 
   @NotNull
   @Valid
-  public Table getSubscriptions() {
-    return subscriptions;
+  public Table getVerificationSessions() {
+    return verificationSessions;
   }
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/FcmConfiguration.java

@@ -1,11 +1,12 @@
 /*
- * Copyright 2013-2022 Signal Messenger, LLC
+ * Copyright 2013 Signal Messenger, LLC
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
 package org.whispersystems.textsecuregcm.configuration;
 
-import javax.validation.constraints.NotBlank;
+import javax.validation.constraints.NotNull;
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretString;
 
-public record FcmConfiguration(@NotBlank String credentials) {
+public record FcmConfiguration(@NotNull SecretString credentials) {
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/GcpAttachmentsConfiguration.java

@@ -1,57 +1,22 @@
 /*
- * Copyright 2013-2020 Signal Messenger, LLC
+ * Copyright 2013 Signal Messenger, LLC
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
 package org.whispersystems.textsecuregcm.configuration;
 
-import com.fasterxml.jackson.annotation.JsonProperty;
 import io.dropwizard.util.Strings;
 import io.dropwizard.validation.ValidationMethod;
 import javax.validation.constraints.Min;
-import javax.validation.constraints.NotEmpty;
-
-public class GcpAttachmentsConfiguration {
-
-  @NotEmpty
-  @JsonProperty
-  private String domain;
-
-  @NotEmpty
-  @JsonProperty
-  private String email;
-
-  @JsonProperty
-  @Min(1)
-  private int maxSizeInBytes;
-
-  @JsonProperty
-  private String pathPrefix;
-
-  @NotEmpty
-  @JsonProperty
-  private String rsaSigningKey;
-
-  public String getDomain() {
-    return domain;
-  }
-
-  public String getEmail() {
-    return email;
-  }
-
-  public int getMaxSizeInBytes() {
-    return maxSizeInBytes;
-  }
-
-  public String getPathPrefix() {
-    return pathPrefix;
-  }
-
-  public String getRsaSigningKey() {
-    return rsaSigningKey;
-  }
+import javax.validation.constraints.NotBlank;
+import javax.validation.constraints.NotNull;
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretString;
 
+public record GcpAttachmentsConfiguration(@NotBlank String domain,
+                                          @NotBlank String email,
+                                          @Min(1) int maxSizeInBytes,
+                                          String pathPrefix,
+                                          @NotNull SecretString rsaSigningKey) {
   @SuppressWarnings("unused")
   @ValidationMethod(message = "pathPrefix must be empty or start with /")
   public boolean isPathPrefixValid() {

service/src/main/java/org/whispersystems/textsecuregcm/configuration/GenericZkConfig.java

@@ -0,0 +1,12 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import javax.validation.constraints.NotNull;
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretBytes;
+
+public record GenericZkConfig(@NotNull SecretBytes serverSecret) {
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/HCaptchaConfiguration.java

@@ -1,11 +1,12 @@
 /*
- * Copyright 2021-2022 Signal Messenger, LLC
+ * Copyright 2021 Signal Messenger, LLC
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
 package org.whispersystems.textsecuregcm.configuration;
 
-import javax.validation.constraints.NotBlank;
+import javax.validation.constraints.NotNull;
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretString;
 
-public record HCaptchaConfiguration(@NotBlank String apiKey) {
+public record HCaptchaConfiguration(@NotNull SecretString apiKey) {
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/PaymentsServiceConfiguration.java

@@ -1,58 +1,21 @@
 /*
- * Copyright 2013-2020 Signal Messenger, LLC
+ * Copyright 2013 Signal Messenger, LLC
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
 package org.whispersystems.textsecuregcm.configuration;
 
-import com.fasterxml.jackson.annotation.JsonProperty;
-import org.apache.commons.codec.DecoderException;
-import org.apache.commons.codec.binary.Hex;
-
-import javax.validation.constraints.NotBlank;
-import javax.validation.constraints.NotEmpty;
 import java.util.List;
 import java.util.Map;
+import javax.validation.constraints.NotBlank;
+import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.NotNull;
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretBytes;
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretString;
 
-public class PaymentsServiceConfiguration {
-
-  @NotEmpty
-  @JsonProperty
-  private String userAuthenticationTokenSharedSecret;
-
-  @NotBlank
-  @JsonProperty
-  private String coinMarketCapApiKey;
-
-  @JsonProperty
-  @NotEmpty
-  private Map<@NotBlank String, Integer> coinMarketCapCurrencyIds;
-
-  @NotEmpty
-  @JsonProperty
-  private String fixerApiKey;
-
-  @NotEmpty
-  @JsonProperty
-  private List<String> paymentCurrencies;
-
-  public byte[] getUserAuthenticationTokenSharedSecret() throws DecoderException {
-    return Hex.decodeHex(userAuthenticationTokenSharedSecret.toCharArray());
-  }
-
-  public String getCoinMarketCapApiKey() {
-    return coinMarketCapApiKey;
-  }
-
-  public Map<String, Integer> getCoinMarketCapCurrencyIds() {
-    return coinMarketCapCurrencyIds;
-  }
-
-  public String getFixerApiKey() {
-    return fixerApiKey;
-  }
-
-  public List<String> getPaymentCurrencies() {
-    return paymentCurrencies;
-  }
+public record PaymentsServiceConfiguration(@NotNull SecretBytes userAuthenticationTokenSharedSecret,
+                                           @NotNull SecretString coinMarketCapApiKey,
+                                           @NotNull SecretString fixerApiKey,
+                                           @NotEmpty Map<@NotBlank String, Integer> coinMarketCapCurrencyIds,
+                                           @NotEmpty List<String> paymentCurrencies) {
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/RateLimitsConfiguration.java

@@ -1,194 +0,0 @@
-/*
- * Copyright 2013 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.textsecuregcm.configuration;
-
-import com.fasterxml.jackson.annotation.JsonProperty;
-
-public class RateLimitsConfiguration {
-
-  @JsonProperty
-  private RateLimitConfiguration smsDestination = new RateLimitConfiguration(2, 2);
-
-  @JsonProperty
-  private RateLimitConfiguration voiceDestination = new RateLimitConfiguration(2, 1.0 / 2.0);
-
-  @JsonProperty
-  private RateLimitConfiguration voiceDestinationDaily = new RateLimitConfiguration(10, 10.0 / (24.0 * 60.0));
-
-  @JsonProperty
-  private RateLimitConfiguration smsVoiceIp = new RateLimitConfiguration(1000, 1000);
-
-  @JsonProperty
-  private RateLimitConfiguration smsVoicePrefix = new RateLimitConfiguration(1000, 1000);
-
-  @JsonProperty
-  private RateLimitConfiguration autoBlock = new RateLimitConfiguration(500, 500);
-
-  @JsonProperty
-  private RateLimitConfiguration verifyNumber = new RateLimitConfiguration(2, 2);
-
-  @JsonProperty
-  private RateLimitConfiguration verifyPin = new RateLimitConfiguration(10, 1 / (24.0 * 60.0));
-
-  @JsonProperty
-  private RateLimitConfiguration attachments = new RateLimitConfiguration(50, 50);
-
-  @JsonProperty
-  private RateLimitConfiguration prekeys = new RateLimitConfiguration(6, 1.0 / 10.0);
-
-  @JsonProperty
-  private RateLimitConfiguration messages = new RateLimitConfiguration(60, 60);
-
-  @JsonProperty
-  private RateLimitConfiguration allocateDevice = new RateLimitConfiguration(2, 1.0 / 2.0);
-
-  @JsonProperty
-  private RateLimitConfiguration verifyDevice = new RateLimitConfiguration(6, 1.0 / 10.0);
-
-  @JsonProperty
-  private RateLimitConfiguration turnAllocations = new RateLimitConfiguration(60, 60);
-
-  @JsonProperty
-  private RateLimitConfiguration profile = new RateLimitConfiguration(4320, 3);
-
-  @JsonProperty
-  private RateLimitConfiguration stickerPack = new RateLimitConfiguration(50, 20 / (24.0 * 60.0));
-
-  @JsonProperty
-  private RateLimitConfiguration artPack = new RateLimitConfiguration(50, 20 / (24.0 * 60.0));
-
-  @JsonProperty
-  private RateLimitConfiguration usernameLookup = new RateLimitConfiguration(100, 100 / (24.0 * 60.0));
-
-  @JsonProperty
-  private RateLimitConfiguration usernameSet = new RateLimitConfiguration(100, 100 / (24.0 * 60.0));
-
-  @JsonProperty
-  private RateLimitConfiguration usernameReserve = new RateLimitConfiguration(100, 100 / (24.0 * 60.0));
-
-  @JsonProperty
-  private RateLimitConfiguration checkAccountExistence = new RateLimitConfiguration(1_000, 1_000 / 60.0);
-
-  @JsonProperty
-  private RateLimitConfiguration stories = new RateLimitConfiguration(10_000, 10_000 / (24.0 * 60.0));
-
-  @JsonProperty
-  private RateLimitConfiguration backupAuthCheck = new RateLimitConfiguration(100, 100 / (24.0 * 60.0));
-
-  public RateLimitConfiguration getAutoBlock() {
-    return autoBlock;
-  }
-
-  public RateLimitConfiguration getAllocateDevice() {
-    return allocateDevice;
-  }
-
-  public RateLimitConfiguration getVerifyDevice() {
-    return verifyDevice;
-  }
-
-  public RateLimitConfiguration getMessages() {
-    return messages;
-  }
-
-  public RateLimitConfiguration getPreKeys() {
-    return prekeys;
-  }
-
-  public RateLimitConfiguration getAttachments() {
-    return attachments;
-  }
-
-  public RateLimitConfiguration getSmsDestination() {
-    return smsDestination;
-  }
-
-  public RateLimitConfiguration getVoiceDestination() {
-    return voiceDestination;
-  }
-
-  public RateLimitConfiguration getVoiceDestinationDaily() {
-    return voiceDestinationDaily;
-  }
-
-  public RateLimitConfiguration getSmsVoiceIp() {
-    return smsVoiceIp;
-  }
-
-  public RateLimitConfiguration getSmsVoicePrefix() {
-    return smsVoicePrefix;
-  }
-
-  public RateLimitConfiguration getVerifyNumber() {
-    return verifyNumber;
-  }
-
-  public RateLimitConfiguration getVerifyPin() {
-    return verifyPin;
-  }
-
-  public RateLimitConfiguration getTurnAllocations() {
-    return turnAllocations;
-  }
-
-  public RateLimitConfiguration getProfile() {
-    return profile;
-  }
-
-  public RateLimitConfiguration getStickerPack() {
-    return stickerPack;
-  }
-
-  public RateLimitConfiguration getArtPack() {
-    return artPack;
-  }
-
-  public RateLimitConfiguration getUsernameLookup() {
-    return usernameLookup;
-  }
-
-  public RateLimitConfiguration getUsernameSet() {
-    return usernameSet;
-  }
-
-  public RateLimitConfiguration getUsernameReserve() {
-    return usernameReserve;
-  }
-
-  public RateLimitConfiguration getCheckAccountExistence() {
-    return checkAccountExistence;
-  }
-
-  public RateLimitConfiguration getStories() {
-    return stories;
-  }
-
-  public RateLimitConfiguration getBackupAuthCheck() {
-    return backupAuthCheck;
-  }
-
-  public static class RateLimitConfiguration {
-    @JsonProperty
-    private int bucketSize;
-
-    @JsonProperty
-    private double leakRatePerMinute;
-
-    public RateLimitConfiguration(int bucketSize, double leakRatePerMinute) {
-      this.bucketSize        = bucketSize;
-      this.leakRatePerMinute = leakRatePerMinute;
-    }
-
-    public RateLimitConfiguration() {}
-
-    public int getBucketSize() {
-      return bucketSize;
-    }
-
-    public double getLeakRatePerMinute() {
-      return leakRatePerMinute;
-    }
-  }
-}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/RecaptchaConfiguration.java

@@ -7,18 +7,7 @@ package org.whispersystems.textsecuregcm.configuration;
 
 import javax.validation.constraints.NotEmpty;
 
-public class RecaptchaConfiguration {
+public record RecaptchaConfiguration(@NotEmpty String projectPath, @NotEmpty String credentialConfigurationJson,
+                                     @NotEmpty String secondaryCredentialConfigurationJson) {
 
-  private String projectPath;
-  private String credentialConfigurationJson;
-
-  @NotEmpty
-  public String getProjectPath() {
-    return projectPath;
-  }
-
-  @NotEmpty
-  public String getCredentialConfigurationJson() {
-    return credentialConfigurationJson;
-  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/RedisConfiguration.java

@@ -16,11 +16,7 @@ public class RedisConfiguration {
 
   @JsonProperty
   @NotEmpty
-  private String url;
-
-  @JsonProperty
-  @NotNull
-  private List<String> replicaUrls;
+  private String uri;
 
   @JsonProperty
   @NotNull
@@ -31,12 +27,8 @@ public class RedisConfiguration {
   @Valid
   private CircuitBreakerConfiguration circuitBreaker = new CircuitBreakerConfiguration();
 
-  public String getUrl() {
-    return url;
-  }
-
-  public List<String> getReplicaUrls() {
-    return replicaUrls;
+  public String getUri() {
+    return uri;
   }
 
   public Duration getTimeout() {

service/src/main/java/org/whispersystems/textsecuregcm/configuration/RegistrationServiceConfiguration.java

@@ -2,48 +2,10 @@ package org.whispersystems.textsecuregcm.configuration;
 
 import javax.validation.constraints.NotBlank;
 
-public class RegistrationServiceConfiguration {
-
-  @NotBlank
-  private String host;
-
-  private int port = 443;
-
-  @NotBlank
-  private String apiKey;
-
-  @NotBlank
-  private String registrationCaCertificate;
-
-  public String getHost() {
-    return host;
-  }
-
-  public void setHost(final String host) {
-    this.host = host;
-  }
-
-  public int getPort() {
-    return port;
-  }
-
-  public void setPort(final int port) {
-    this.port = port;
-  }
-
-  public String getApiKey() {
-    return apiKey;
-  }
-
-  public void setApiKey(final String apiKey) {
-    this.apiKey = apiKey;
-  }
-
-  public String getRegistrationCaCertificate() {
-    return registrationCaCertificate;
-  }
-
-  public void setRegistrationCaCertificate(final String registrationCaCertificate) {
-    this.registrationCaCertificate = registrationCaCertificate;
-  }
+public record RegistrationServiceConfiguration(@NotBlank String host,
+                                               int port,
+                                               @NotBlank String credentialConfigurationJson,
+                                               @NotBlank String secondaryCredentialConfigurationJson,
+                                               @NotBlank String identityTokenAudience,
+                                               @NotBlank String registrationCaCertificate) {
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/RemoteConfigConfiguration.java

@@ -1,33 +1,19 @@
 /*
- * Copyright 2013-2020 Signal Messenger, LLC
+ * Copyright 2013 Signal Messenger, LLC
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
 package org.whispersystems.textsecuregcm.configuration;
 
-import com.fasterxml.jackson.annotation.JsonProperty;
-
-import javax.validation.constraints.NotNull;
-import java.util.HashMap;
-import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
+import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.NotNull;
 
-public class RemoteConfigConfiguration {
+public record RemoteConfigConfiguration(@NotNull Set<String> authorizedUsers,
+                                        @NotNull String requiredHostedDomain,
+                                        @NotNull @NotEmpty List<String> audiences,
+                                        @NotNull Map<String, String> globalConfig) {
 
-  @JsonProperty
-  @NotNull
-  private List<String> authorizedTokens = new LinkedList<>();
-
-  @NotNull
-  @JsonProperty
-  private Map<String, String> globalConfig = new HashMap<>();
-
-  public List<String> getAuthorizedTokens() {
-    return authorizedTokens;
-  }
-
-  public Map<String, String> getGlobalConfig() {
-    return globalConfig;
-  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/SecureBackupServiceConfiguration.java

@@ -1,25 +1,24 @@
 /*
- * Copyright 2013-2020 Signal Messenger, LLC
+ * Copyright 2013 Signal Messenger, LLC
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
 package org.whispersystems.textsecuregcm.configuration;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
+import com.google.common.annotations.VisibleForTesting;
+import java.util.List;
 import javax.validation.Valid;
 import javax.validation.constraints.NotBlank;
 import javax.validation.constraints.NotEmpty;
 import javax.validation.constraints.NotNull;
-import com.google.common.annotations.VisibleForTesting;
-import org.apache.commons.codec.DecoderException;
-import org.apache.commons.codec.binary.Hex;
-import java.util.List;
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretBytes;
 
 public class SecureBackupServiceConfiguration {
 
-  @NotEmpty
+  @NotNull
   @JsonProperty
-  private String userAuthenticationTokenSharedSecret;
+  private SecretBytes userAuthenticationTokenSharedSecret;
 
   @NotBlank
   @JsonProperty
@@ -39,8 +38,8 @@ public class SecureBackupServiceConfiguration {
   @JsonProperty
   private RetryConfiguration retry = new RetryConfiguration();
 
-  public byte[] getUserAuthenticationTokenSharedSecret() throws DecoderException {
-    return Hex.decodeHex(userAuthenticationTokenSharedSecret.toCharArray());
+  public SecretBytes userAuthenticationTokenSharedSecret() {
+    return userAuthenticationTokenSharedSecret;
   }
 
   @VisibleForTesting

service/src/main/java/org/whispersystems/textsecuregcm/configuration/SecureStorageServiceConfiguration.java

@@ -9,15 +9,14 @@ import java.util.List;
 import javax.validation.Valid;
 import javax.validation.constraints.NotBlank;
 import javax.validation.constraints.NotEmpty;
-import org.apache.commons.codec.DecoderException;
-import org.apache.commons.codec.binary.Hex;
+import javax.validation.constraints.NotNull;
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretBytes;
 
-public record SecureStorageServiceConfiguration(@NotEmpty String userAuthenticationTokenSharedSecret,
+public record SecureStorageServiceConfiguration(@NotNull SecretBytes userAuthenticationTokenSharedSecret,
                                                 @NotBlank String uri,
                                                 @NotEmpty List<@NotBlank String> storageCaCertificates,
                                                 @Valid CircuitBreakerConfiguration circuitBreaker,
                                                 @Valid RetryConfiguration retry) {
-
   public SecureStorageServiceConfiguration {
     if (circuitBreaker == null) {
       circuitBreaker = new CircuitBreakerConfiguration();
@@ -26,8 +25,4 @@ public record SecureStorageServiceConfiguration(@NotEmpty String userAuthenticat
       retry = new RetryConfiguration();
     }
   }
-
-  public byte[] decodeUserAuthenticationTokenSharedSecret() throws DecoderException {
-    return Hex.decodeHex(userAuthenticationTokenSharedSecret.toCharArray());
-  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/SecureValueRecovery2Configuration.java

@@ -1,12 +1,32 @@
 /*
- * Copyright 2013-2020 Signal Messenger, LLC
+ * Copyright 2023 Signal Messenger, LLC
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 package org.whispersystems.textsecuregcm.configuration;
 
+import java.util.List;
+import javax.validation.Valid;
+import javax.validation.constraints.NotBlank;
+import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.NotNull;
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretBytes;
 import org.whispersystems.textsecuregcm.util.ExactlySize;
 
 public record SecureValueRecovery2Configuration(
-    @ExactlySize({32}) byte[] userAuthenticationTokenSharedSecret,
-    @ExactlySize({32}) byte[] userIdTokenSharedSecret) {
+    @NotBlank String uri,
+    @ExactlySize(32) SecretBytes userAuthenticationTokenSharedSecret,
+    @ExactlySize(32) SecretBytes userIdTokenSharedSecret,
+    @NotEmpty List<@NotBlank String> svrCaCertificates,
+    @NotNull @Valid CircuitBreakerConfiguration circuitBreaker,
+    @NotNull @Valid RetryConfiguration retry) {
+
+  public SecureValueRecovery2Configuration {
+    if (circuitBreaker == null) {
+      circuitBreaker = new CircuitBreakerConfiguration();
+    }
+
+    if (retry == null) {
+      retry = new RetryConfiguration();
+    }
+  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/StripeConfiguration.java

@@ -8,10 +8,12 @@ package org.whispersystems.textsecuregcm.configuration;
 import java.util.Set;
 import javax.validation.constraints.NotBlank;
 import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.NotNull;
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretBytes;
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretString;
 
-public record StripeConfiguration(@NotBlank String apiKey,
-                                  @NotEmpty byte[] idempotencyKeyGenerator,
+public record StripeConfiguration(@NotNull SecretString apiKey,
+                                  @NotNull SecretBytes idempotencyKeyGenerator,
                                   @NotBlank String boostDescription,
                                   @NotEmpty Set<@NotBlank String> supportedCurrencies) {
-
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/TestDeviceConfiguration.java

@@ -1,29 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.configuration;
-
-import com.fasterxml.jackson.annotation.JsonProperty;
-import javax.validation.constraints.NotEmpty;
-import javax.validation.constraints.NotNull;
-
-public class TestDeviceConfiguration {
-
-  @JsonProperty
-  @NotEmpty
-  private String number;
-
-  @JsonProperty
-  @NotNull
-  private int code;
-
-  public String getNumber() {
-    return number;
-  }
-
-  public int getCode() {
-    return code;
-  }
-}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/TurnSecretConfiguration.java

@@ -0,0 +1,11 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretBytes;
+
+public record TurnSecretConfiguration(SecretBytes secret) {
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/UnidentifiedDeliveryConfiguration.java

@@ -1,47 +1,21 @@
 /*
- * Copyright 2013-2020 Signal Messenger, LLC
+ * Copyright 2013 Signal Messenger, LLC
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
 package org.whispersystems.textsecuregcm.configuration;
 
-import com.fasterxml.jackson.annotation.JsonProperty;
-import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
-import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import javax.validation.constraints.NotNull;
+import org.signal.libsignal.protocol.InvalidKeyException;
 import org.signal.libsignal.protocol.ecc.Curve;
 import org.signal.libsignal.protocol.ecc.ECPrivateKey;
-import org.whispersystems.textsecuregcm.util.ByteArrayAdapter;
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretBytes;
+import org.whispersystems.textsecuregcm.util.ExactlySize;
 
-import javax.validation.constraints.NotNull;
-import javax.validation.constraints.Size;
-
-public class UnidentifiedDeliveryConfiguration {
-
-  @JsonProperty
-  @JsonSerialize(using = ByteArrayAdapter.Serializing.class)
-  @JsonDeserialize(using = ByteArrayAdapter.Deserializing.class)
-  @NotNull
-  private byte[] certificate;
-
-  @JsonProperty
-  @JsonSerialize(using = ByteArrayAdapter.Serializing.class)
-  @JsonDeserialize(using = ByteArrayAdapter.Deserializing.class)
-  @NotNull
-  @Size(min = 32, max = 32)
-  private byte[] privateKey;
-
-  @NotNull
-  private int expiresDays;
-
-  public byte[] getCertificate() {
-    return certificate;
-  }
-
-  public ECPrivateKey getPrivateKey() {
-    return Curve.decodePrivatePoint(privateKey);
-  }
-
-  public int getExpiresDays() {
-    return expiresDays;
+public record UnidentifiedDeliveryConfiguration(@NotNull SecretBytes certificate,
+                                                @ExactlySize(32) SecretBytes privateKey,
+                                                int expiresDays) {
+  public ECPrivateKey ecPrivateKey() throws InvalidKeyException {
+    return Curve.decodePrivatePoint(privateKey.value());
   }
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/ZkConfig.java

@@ -1,36 +1,14 @@
 /*
- * Copyright 2013-2020 Signal Messenger, LLC
+ * Copyright 2013 Signal Messenger, LLC
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
 package org.whispersystems.textsecuregcm.configuration;
 
-import com.fasterxml.jackson.annotation.JsonProperty;
-import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
-import com.fasterxml.jackson.databind.annotation.JsonSerialize;
-import org.whispersystems.textsecuregcm.util.ByteArrayAdapter;
-
+import javax.validation.constraints.NotEmpty;
 import javax.validation.constraints.NotNull;
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretBytes;
 
-public class ZkConfig {
-
-  @JsonProperty
-  @JsonSerialize(using = ByteArrayAdapter.Serializing.class)
-  @JsonDeserialize(using = ByteArrayAdapter.Deserializing.class)
-  @NotNull
-  private byte[] serverSecret;
-
-  @JsonProperty
-  @JsonSerialize(using = ByteArrayAdapter.Serializing.class)
-  @JsonDeserialize(using = ByteArrayAdapter.Deserializing.class)
-  @NotNull
-  private byte[] serverPublic;
-
-  public byte[] getServerSecret() {
-    return serverSecret;
-  }
-
-  public byte[] getServerPublic() {
-    return serverPublic;
-  }
+public record ZkConfig(@NotNull SecretBytes serverSecret,
+                       @NotEmpty byte[] serverPublic) {
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/dynamic/DynamicAccountDatabaseCrawlerConfiguration.java

@@ -0,0 +1,10 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration.dynamic;
+
+public record DynamicAccountDatabaseCrawlerConfiguration(boolean periodicWorkEnabled, boolean crawlAllEnabled) {
+
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/dynamic/DynamicCaptchaConfiguration.java

@@ -7,8 +7,11 @@ package org.whispersystems.textsecuregcm.configuration.dynamic;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.google.common.annotations.VisibleForTesting;
+import org.whispersystems.textsecuregcm.captcha.Action;
 import java.math.BigDecimal;
 import java.util.Collections;
+import java.util.List;
+import java.util.Map;
 import java.util.Set;
 import javax.validation.constraints.DecimalMax;
 import javax.validation.constraints.DecimalMin;
@@ -28,6 +31,18 @@ public class DynamicCaptchaConfiguration {
   @JsonProperty
   private boolean allowRecaptcha = true;
 
+  @JsonProperty
+  @NotNull
+  private Map<Action, Set<String>> hCaptchaSiteKeys = Collections.emptyMap();
+
+  @JsonProperty
+  @NotNull
+  private Map<Action, Set<String>> recaptchaSiteKeys = Collections.emptyMap();
+
+  @JsonProperty
+  @NotNull
+  private Map<Action, BigDecimal> scoreFloorByAction = Collections.emptyMap();
+
   @JsonProperty
   @NotNull
   private Set<String> signupCountryCodes = Collections.emptySet();
@@ -66,6 +81,10 @@ public class DynamicCaptchaConfiguration {
     return allowRecaptcha;
   }
 
+  public Map<Action, BigDecimal> getScoreFloorByAction() {
+    return scoreFloorByAction;
+  }
+
   @VisibleForTesting
   public void setAllowHCaptcha(final boolean allowHCaptcha) {
     this.allowHCaptcha = allowHCaptcha;
@@ -75,4 +94,24 @@ public class DynamicCaptchaConfiguration {
   public void setScoreFloor(final BigDecimal scoreFloor) {
     this.scoreFloor = scoreFloor;
   }
+
+  public Map<Action, Set<String>> getHCaptchaSiteKeys() {
+    return hCaptchaSiteKeys;
+  }
+
+  @VisibleForTesting
+  public void setHCaptchaSiteKeys(final Map<Action, Set<String>> hCaptchaSiteKeys) {
+    this.hCaptchaSiteKeys = hCaptchaSiteKeys;
+  }
+
+  public Map<Action, Set<String>> getRecaptchaSiteKeys() {
+    return recaptchaSiteKeys;
+  }
+
+  @VisibleForTesting
+  public void setRecaptchaSiteKeys(final Map<Action, Set<String>> recaptchaSiteKeys) {
+    this.recaptchaSiteKeys = recaptchaSiteKeys;
+  }
+
+
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/dynamic/DynamicConfiguration.java

@@ -1,10 +1,17 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
 package org.whispersystems.textsecuregcm.configuration.dynamic;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.Map;
 import java.util.Optional;
 import javax.validation.Valid;
+import org.whispersystems.textsecuregcm.limits.RateLimiterConfig;
 
 public class DynamicConfiguration {
 
@@ -18,7 +25,7 @@ public class DynamicConfiguration {
 
   @JsonProperty
   @Valid
-  private DynamicRateLimitsConfiguration limits = new DynamicRateLimitsConfiguration();
+  private Map<String, RateLimiterConfig> limits = new HashMap<>();
 
   @JsonProperty
   @Valid
@@ -32,13 +39,6 @@ public class DynamicConfiguration {
   @Valid
   private DynamicCaptchaConfiguration captcha = new DynamicCaptchaConfiguration();
 
-  @JsonProperty
-  @Valid
-  private DynamicRateLimitChallengeConfiguration rateLimitChallenge = new DynamicRateLimitChallengeConfiguration();
-
-  @JsonProperty
-  private DynamicDirectoryReconcilerConfiguration directoryReconciler = new DynamicDirectoryReconcilerConfiguration();
-
   @JsonProperty
   @Valid
   private DynamicPushLatencyConfiguration pushLatency = new DynamicPushLatencyConfiguration(Collections.emptyMap());
@@ -49,11 +49,22 @@ public class DynamicConfiguration {
 
   @JsonProperty
   @Valid
-  DynamicMessagePersisterConfiguration messagePersister = new DynamicMessagePersisterConfiguration();
+  DynamicScheduledApnNotificationSendingConfiguration scheduledApnNotificationSending = new DynamicScheduledApnNotificationSendingConfiguration(
+      true, false);
 
   @JsonProperty
   @Valid
-  DynamicPushNotificationConfiguration pushNotifications = new DynamicPushNotificationConfiguration();
+  DynamicMessagePersisterConfiguration messagePersister = new DynamicMessagePersisterConfiguration();
+
+
+  @JsonProperty
+  @Valid
+  DynamicRateLimitPolicy rateLimitPolicy = new DynamicRateLimitPolicy(false);
+
+  @JsonProperty
+  @Valid
+  DynamicAccountDatabaseCrawlerConfiguration accountDatabaseCrawler = new DynamicAccountDatabaseCrawlerConfiguration(
+      true, false);
 
   public Optional<DynamicExperimentEnrollmentConfiguration> getExperimentEnrollmentConfiguration(
       final String experimentName) {
@@ -65,7 +76,7 @@ public class DynamicConfiguration {
     return Optional.ofNullable(preRegistrationExperiments.get(experimentName));
   }
 
-  public DynamicRateLimitsConfiguration getLimits() {
+  public Map<String, RateLimiterConfig> getLimits() {
     return limits;
   }
 
@@ -81,14 +92,6 @@ public class DynamicConfiguration {
     return captcha;
   }
 
-  public DynamicRateLimitChallengeConfiguration getRateLimitChallengeConfiguration() {
-    return rateLimitChallenge;
-  }
-
-  public DynamicDirectoryReconcilerConfiguration getDirectoryReconcilerConfiguration() {
-    return directoryReconciler;
-  }
-
   public DynamicPushLatencyConfiguration getPushLatencyConfiguration() {
     return pushLatency;
   }
@@ -97,11 +100,19 @@ public class DynamicConfiguration {
     return turn;
   }
 
+  public DynamicScheduledApnNotificationSendingConfiguration getScheduledApnNotificationSendingConfiguration() {
+    return scheduledApnNotificationSending;
+  }
+
   public DynamicMessagePersisterConfiguration getMessagePersisterConfiguration() {
     return messagePersister;
   }
 
-  public DynamicPushNotificationConfiguration getPushNotificationConfiguration() {
-    return pushNotifications;
+  public DynamicRateLimitPolicy getRateLimitPolicy() {
+    return rateLimitPolicy;
+  }
+
+  public DynamicAccountDatabaseCrawlerConfiguration getAccountDatabaseCrawlerConfiguration() {
+    return accountDatabaseCrawler;
   }
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/dynamic/DynamicDirectoryReconcilerConfiguration.java

@@ -1,18 +0,0 @@
-/*
- * Copyright 2021 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.configuration.dynamic;
-
-import com.fasterxml.jackson.annotation.JsonProperty;
-
-public class DynamicDirectoryReconcilerConfiguration {
-
-  @JsonProperty
-  private boolean enabled = true;
-
-  public boolean isEnabled() {
-    return enabled;
-  }
-}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/dynamic/DynamicMessagePersisterConfiguration.java

@@ -10,9 +10,16 @@ import com.fasterxml.jackson.annotation.JsonProperty;
 public class DynamicMessagePersisterConfiguration {
 
   @JsonProperty
-  private boolean persistenceEnabled = true;
+  private boolean serverPersistenceEnabled = true;
 
-  public boolean isPersistenceEnabled() {
-    return persistenceEnabled;
+  @JsonProperty
+  private boolean dedicatedProcessEnabled = false;
+
+  public boolean isServerPersistenceEnabled() {
+    return serverPersistenceEnabled;
+  }
+
+  public boolean isDedicatedProcessEnabled() {
+    return dedicatedProcessEnabled;
   }
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/dynamic/DynamicPushNotificationConfiguration.java

@@ -1,18 +0,0 @@
-/*
- * Copyright 2013-2022 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.configuration.dynamic;
-
-import com.fasterxml.jackson.annotation.JsonProperty;
-
-public class DynamicPushNotificationConfiguration {
-
-  @JsonProperty
-  private boolean lowUrgencyEnabled = false;
-
-  public boolean isLowUrgencyEnabled() {
-    return lowUrgencyEnabled;
-  }
-}