Treat APNs team/key IDs as secrets so they can change atomically with the key itself

f2a3b8db · Jon Chambers · Jon Chambers · 207ae612 · f2a3b8db · f2a3b8db
Commit f2a3b8db authored 1 year ago by Jon Chambers Committed by Jon Chambers 1 year ago
--- a/service/config/sample-secrets-bundle.yml
+++ b/service/config/sample-secrets-bundle.yml
@@ -46,6 +46,8 @@ gcpAttachments.rsaSigningKey: |
  AAAAAAAA
  -----END PRIVATE KEY-----
+apn.teamId: team-id
+apn.keyId: key-id
 apn.signingKey: |
  -----BEGIN PRIVATE KEY-----
  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz

--- a/service/config/sample.yml
+++ b/service/config/sample.yml
@@ -208,8 +208,8 @@ accountDatabaseCrawler:
 apn: # Apple Push Notifications configuration
  sandbox: true
  bundleId: com.example.textsecuregcm
-  keyId: unset
+  keyId: secret://apn.keyId
-  teamId: unset
+  teamId: secret://apn.teamId
  signingKey: secret://apn.signingKey
 fcm: # FCM configuration

--- a/service/src/main/java/org/whispersystems/textsecuregcm/configuration/ApnConfiguration.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/configuration/ApnConfiguration.java
@@ -9,8 +9,8 @@ import javax.validation.constraints.NotNull;
 import org.whispersystems.textsecuregcm.configuration.secrets.SecretString;
-public record ApnConfiguration(@NotBlank String teamId,
+public record ApnConfiguration(@NotNull SecretString teamId,
-                               @NotBlank String keyId,
+                               @NotNull SecretString keyId,
                               @NotNull SecretString signingKey,
                               @NotBlank String bundleId,
                               boolean sandbox) {

--- a/service/src/main/java/org/whispersystems/textsecuregcm/push/APNSender.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/push/APNSender.java
@@ -64,7 +64,7 @@ public class APNSender implements Managed, PushNotificationSender {
    this.bundleId = configuration.bundleId();
    this.apnsClient = new ApnsClientBuilder().setSigningKey(
            ApnsSigningKey.loadFromInputStream(new ByteArrayInputStream(configuration.signingKey().value().getBytes()),
-                configuration.teamId(), configuration.keyId()))
+                configuration.teamId().value(), configuration.keyId().value()))
        .setTrustedServerCertificateChain(getClass().getResourceAsStream(APNS_CA_FILENAME))
        .setApnsServer(configuration.sandbox() ? ApnsClientBuilder.DEVELOPMENT_APNS_HOST : ApnsClientBuilder.PRODUCTION_APNS_HOST)
        .build();