Merge pull request #559 from IABTechLab/cbc-UID2-2987-ensure-disablin…

…g-cstg-works Adding the ability to diable CSTG key
IABTechLab · May 21, 2024 · c1f2651 · c1f2651
2 parents b8afc57 + 1ead5cd
commit c1f2651
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 1 deletion.
diff --git a/src/main/java/com/uid2/operator/monitoring/TokenResponseStatsCollector.java b/src/main/java/com/uid2/operator/monitoring/TokenResponseStatsCollector.java
@@ -38,7 +38,8 @@ public enum ResponseStatus {
         PayloadHasNoBody,
         /* End of CSTG-related Status */
         Unknown,
-        NoActiveKey
+        NoActiveKey,
+        Unauthorized
     }
 
     public static void record(ISiteStore siteStore, Integer siteId, Endpoint endpoint, TokenVersion advertisingTokenVersion, ResponseStatus responseStatus) {

diff --git a/src/main/java/com/uid2/operator/vertx/UIDOperatorVerticle.java b/src/main/java/com/uid2/operator/vertx/UIDOperatorVerticle.java
@@ -348,6 +348,12 @@ private void handleClientSideTokenGenerateImpl(RoutingContext rc) throws NoSuchA
             return;
         }
 
+        if(clientSideKeypair.isDisabled()) {
+            SendClientErrorResponseAndRecordStats(ResponseStatus.Unauthorized, 401, rc, "Unauthorized",
+                        clientSideKeypair.getSiteId(), TokenResponseStatsCollector.Endpoint.ClientSideTokenGenerateV2, TokenResponseStatsCollector.ResponseStatus.Unauthorized, siteProvider);
+            return;
+        }
+
         if (!hasValidOriginOrAppName(rc, request, clientSideKeypair)) {
             return;
         }

diff --git a/src/test/java/com/uid2/operator/UIDOperatorVerticleTest.java b/src/test/java/com/uid2/operator/UIDOperatorVerticleTest.java
@@ -3194,6 +3194,51 @@ void cstgLogsInvalidAppName(String appName, Vertx vertx, VertxTestContext testCo
                 });
     }
 
+    @Test
+    void cstgDisabledAsUnauthorized(Vertx vertx, VertxTestContext testContext) throws NoSuchAlgorithmException, InvalidKeyException {
+        ListAppender<ILoggingEvent> logWatcher = new ListAppender<>();
+        logWatcher.start();
+        ((Logger) LoggerFactory.getLogger(UIDOperatorVerticle.class)).addAppender(logWatcher);
+        this.uidOperatorVerticle.setLastInvalidOriginProcessTime(Instant.now().minusSeconds(3600));
+
+        setupCstgBackend();
+        String subscriptionID = "PpRrE5YY84";
+        ClientSideKeypair keypairDisabled = new ClientSideKeypair(subscriptionID, clientSideTokenGeneratePublicKey, clientSideTokenGeneratePrivateKey, clientSideTokenGenerateSiteId, "", Instant.now(), true, "");
+        when(clientSideKeypairProvider.getSnapshot()).thenReturn(clientSideKeypairSnapshot);
+        when(clientSideKeypairSnapshot.getKeypair(subscriptionID)).thenReturn(keypairDisabled);
+
+        final KeyFactory kf = KeyFactory.getInstance("EC");
+        final PublicKey serverPublicKey = ClientSideTokenGenerateTestUtil.stringToPublicKey(clientSideTokenGeneratePublicKey, kf);
+        final PrivateKey clientPrivateKey = ClientSideTokenGenerateTestUtil.stringToPrivateKey("MEECAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEJzAlAgEBBCDsqxZicsGytVqN2HZqNDHtV422Lxio8m1vlflq4Jb47Q==", kf);
+        final SecretKey secretKey = ClientSideTokenGenerateTestUtil.deriveKey(serverPublicKey, clientPrivateKey);
+        final long timestamp = Instant.now().toEpochMilli();
+
+
+        JsonObject requestJson = new JsonObject();
+        requestJson.put("payload", "");
+        requestJson.put("iv", "");
+        requestJson.put("public_key", serverPublicKey.toString());
+        requestJson.put("timestamp", timestamp);
+        requestJson.put("subscription_id", subscriptionID);
+
+        Tuple.Tuple2<JsonObject, SecretKey> data = createClientSideTokenGenerateRequest(IdentityType.Email, "[email protected]", Instant.now().toEpochMilli(), false, null);
+        sendCstg(vertx,
+                "v2/token/client-generate",
+                null,
+                requestJson,
+                secretKey,
+                401,
+                testContext,
+                respJson -> {
+                    assertEquals("Unauthorized", respJson.getString("message"));
+                    assertTokenStatusMetrics(
+                            clientSideTokenGenerateSiteId,
+                            TokenResponseStatsCollector.Endpoint.ClientSideTokenGenerateV2,
+                            TokenResponseStatsCollector.ResponseStatus.Unauthorized);
+                    testContext.completeNow();
+                });
+    }
+
     @ParameterizedTest
     @CsvSource({
             "true,http://gototest.com",