Allow any DII to be validated in token validate

Author: vishalegbert-ttd

src/main/java/com/uid2/operator/model/AdvertisingToken.java

@@ -7,13 +7,21 @@ public class AdvertisingToken extends VersionedToken {
     public final OperatorIdentity operatorIdentity;
     public final PublisherIdentity publisherIdentity;
     public final UserIdentity userIdentity;
+    public Integer siteKeyId;
 
     public AdvertisingToken(TokenVersion version, Instant createdAt, Instant expiresAt, OperatorIdentity operatorIdentity,
                             PublisherIdentity publisherIdentity, UserIdentity userIdentity) {
         super(version, createdAt, expiresAt);
         this.operatorIdentity = operatorIdentity;
         this.publisherIdentity = publisherIdentity;
         this.userIdentity = userIdentity;
+        this.siteKeyId = null;
+    }
+
+    public AdvertisingToken(TokenVersion version, Instant createdAt, Instant expiresAt, OperatorIdentity operatorIdentity,
+                            PublisherIdentity publisherIdentity, UserIdentity userIdentity, Integer siteKeyId) {
+        this(version, createdAt, expiresAt, operatorIdentity, publisherIdentity, userIdentity);
+        this.siteKeyId = siteKeyId;
     }
 }
 

src/main/java/com/uid2/operator/model/TokenValidateResult.java

@@ -0,0 +1,8 @@
+package com.uid2.operator.model;
+
+public enum TokenValidateResult {
+    MATCH,
+    MISMATCH,
+    UNAUTHORIZED,
+    INVALID_TOKEN,
+}

src/main/java/com/uid2/operator/service/EncryptedTokenEncoder.java

@@ -225,7 +225,8 @@ public AdvertisingToken decodeAdvertisingTokenV2(Buffer b) {
                     Instant.ofEpochMilli(expiresMillis),
                     new OperatorIdentity(0, OperatorType.Service, 0, masterKeyId),
                     new PublisherIdentity(siteId, siteKeyId, 0),
-                    new UserIdentity(IdentityScope.UID2, IdentityType.Email, advertisingId, privacyBits, Instant.ofEpochMilli(establishedMillis), null)
+                    new UserIdentity(IdentityScope.UID2, IdentityType.Email, advertisingId, privacyBits, Instant.ofEpochMilli(establishedMillis), null),
+                    siteKeyId
             );
 
         } catch (Exception e) {
@@ -263,7 +264,8 @@ public AdvertisingToken decodeAdvertisingTokenV3orV4(Buffer b, byte[] bytes, Tok
 
         return new AdvertisingToken(
                 tokenVersion, createdAt, expiresAt, operatorIdentity, publisherIdentity,
-                new UserIdentity(identityScope, identityType, id, privacyBits, establishedAt, refreshedAt)
+                new UserIdentity(identityScope, identityType, id, privacyBits, establishedAt, refreshedAt),
+                siteKeyId
         );
     }
 

src/main/java/com/uid2/operator/service/IUIDOperatorService.java

@@ -25,5 +25,5 @@ void invalidateTokensAsync(UserIdentity userIdentity, Instant asOf, String uidTr
                                String email, String phone, String clientIp,
                                Handler<AsyncResult<Instant>> handler);
 
-    boolean advertisingTokenMatches(String advertisingToken, UserIdentity userIdentity, Instant asOf, IdentityEnvironment env);
+    TokenValidateResult validateAdvertisingToken(int participantSiteId, String advertisingToken, UserIdentity userIdentity, Instant asOf, IdentityEnvironment env);
 }

src/main/java/com/uid2/operator/service/UIDOperatorService.java

@@ -57,16 +57,18 @@ public class UIDOperatorService implements IUIDOperatorService {
 
     private final Handler<Boolean> saltRetrievalResponseHandler;
     private final UidInstanceIdProvider uidInstanceIdProvider;
+    private final KeyManager keyManager;
 
     public UIDOperatorService(IOptOutStore optOutStore, ISaltProvider saltProvider, ITokenEncoder encoder, Clock clock,
-                              IdentityScope identityScope, Handler<Boolean> saltRetrievalResponseHandler, boolean identityV3Enabled, UidInstanceIdProvider uidInstanceIdProvider) {
+                              IdentityScope identityScope, Handler<Boolean> saltRetrievalResponseHandler, boolean identityV3Enabled, UidInstanceIdProvider uidInstanceIdProvider, KeyManager keyManager) {
         this.saltProvider = saltProvider;
         this.encoder = encoder;
         this.optOutStore = optOutStore;
         this.clock = clock;
         this.identityScope = identityScope;
         this.saltRetrievalResponseHandler = saltRetrievalResponseHandler;
         this.uidInstanceIdProvider = uidInstanceIdProvider;
+        this.keyManager = keyManager;
 
         this.testOptOutIdentityForEmail = getFirstLevelHashIdentity(identityScope, IdentityType.Email,
                 InputUtil.normalizeEmail(OptOutIdentityForEmail).getIdentityInput(), Instant.now());
@@ -197,12 +199,27 @@ public void invalidateTokensAsync(UserIdentity userIdentity, Instant asOf, Strin
     }
 
     @Override
-    public boolean advertisingTokenMatches(String advertisingToken, UserIdentity userIdentity, Instant asOf, IdentityEnvironment env) {
+    public TokenValidateResult validateAdvertisingToken(int participantSiteId, String advertisingToken, UserIdentity userIdentity, Instant asOf, IdentityEnvironment env) {
         final UserIdentity firstLevelHashIdentity = getFirstLevelHashIdentity(userIdentity, asOf);
         final MappedIdentity mappedIdentity = getMappedIdentity(firstLevelHashIdentity, asOf, env);
 
-        final AdvertisingToken token = this.encoder.decodeAdvertisingToken(advertisingToken);
-        return Arrays.equals(mappedIdentity.advertisingId, token.userIdentity.id);
+        final AdvertisingToken token;
+        try {
+            token = this.encoder.decodeAdvertisingToken(advertisingToken);
+        } catch (Exception e) {
+            return TokenValidateResult.INVALID_TOKEN;
+        }
+
+        int tokenSiteId = this.keyManager.getSiteIdFromKeyId(token.siteKeyId);
+        if (tokenSiteId != participantSiteId) {
+            return TokenValidateResult.UNAUTHORIZED;
+        }
+
+        if (!Arrays.equals(mappedIdentity.advertisingId, token.userIdentity.id)) {
+            return TokenValidateResult.MISMATCH;
+        }
+
+        return TokenValidateResult.MATCH;
     }
 
     private void validateTokenDurations(Duration refreshIdentityAfter, Duration refreshExpiresAfter, Duration identityExpiresAfter) {

src/main/java/com/uid2/operator/vertx/UIDOperatorVerticle.java

@@ -117,6 +117,7 @@ public class UIDOperatorVerticle extends AbstractVerticle {
     private final Map<String, Tuple.Tuple2<Counter, Counter>> _identityMapUnmappedIdentifiers = new HashMap<>();
     private final Map<String, Counter> _identityMapRequestWithUnmapped = new HashMap<>();
     private final Map<Tuple.Tuple2<String, String>, Counter> _clientVersions = new HashMap<>();
+    private final Map<Tuple.Tuple2<String, String>, Counter> _tokenValidateCounters = new HashMap<>();
 
     private final Map<String, DistributionSummary> optOutStatusCounters = new HashMap<>();
     private final IdentityScope identityScope;
@@ -210,7 +211,8 @@ public void start(Promise<Void> startPromise) throws Exception {
                 this.identityScope,
                 this.saltRetrievalResponseHandler,
                 this.identityV3Enabled,
-                this.uidInstanceIdProvider
+                this.uidInstanceIdProvider,
+                this.keyManager
         );
 
         final Router router = createRoutesSetup();
@@ -807,6 +809,22 @@ private void recordOperatorServedSdkUsage(RoutingContext rc, Integer siteId, Str
         }
     }
 
+    private void recordTokenValidateStats(Integer siteId, String result) {
+        final String siteIdStr = siteId != null ? String.valueOf(siteId) : "unknown";
+        _tokenValidateCounters.computeIfAbsent(
+                new Tuple.Tuple2<>(siteIdStr, result),
+                tuple -> Counter
+                        .builder("uid2_token_validate_total")
+                        .description("counter for token validate endpoint results")
+                        .tags(
+                            "site_id", tuple.getItem1(), 
+                            "site_name", getSiteName(siteProvider, Integer.valueOf(tuple.getItem1())), 
+                            "result", tuple.getItem2()
+                        )
+                        .register(Metrics.globalRegistry)
+        ).increment();
+    }
+
     private void handleTokenRefreshV2(RoutingContext rc) {
         Integer siteId = null;
         TokenResponseStatsCollector.PlatformType platformType = TokenResponseStatsCollector.PlatformType.Other;
@@ -848,33 +866,38 @@ private void handleTokenRefreshV2(RoutingContext rc) {
     private void handleTokenValidateV2(RoutingContext rc) {
         RuntimeConfig config = this.getConfigFromRc(rc);
         IdentityEnvironment env = config.getIdentityEnvironment();
+        final Integer participantSiteId = AuthMiddleware.getAuthClient(rc).getSiteId();
 
         try {
             final JsonObject req = (JsonObject) rc.data().get("request");
 
             final InputUtil.InputVal input = getTokenInputV2(req);
             if (!isTokenInputValid(input, rc)) {
+                recordTokenValidateStats(participantSiteId, "invalid_input");
                 return;
             }
-            if ((input.getIdentityType() == IdentityType.Email && Arrays.equals(ValidateIdentityForEmailHash, input.getIdentityInput()))
-                    || (input.getIdentityType() == IdentityType.Phone && Arrays.equals(ValidateIdentityForPhoneHash, input.getIdentityInput()))) {
-                try {
-                    final Instant now = Instant.now();
-                    final String token = req.getString("token");
-
-                    if (this.idService.advertisingTokenMatches(token, input.toUserIdentity(this.identityScope, 0, now), now, env)) {
-                        ResponseUtil.SuccessV2(rc, Boolean.TRUE);
-                    } else {
-                        ResponseUtil.SuccessV2(rc, Boolean.FALSE);
-                    }
-                } catch (Exception e) {
-                    ResponseUtil.SuccessV2(rc, Boolean.FALSE);
-                }
-            } else {
+
+            final Instant now = Instant.now();
+            final String token = req.getString("token");
+
+            final TokenValidateResult result = this.idService.validateAdvertisingToken(participantSiteId, token, input.toUserIdentity(this.identityScope, 0, now), now, env);
+
+            if (result == TokenValidateResult.MATCH) {
+                recordTokenValidateStats(participantSiteId, "match");
+                ResponseUtil.SuccessV2(rc, Boolean.TRUE);
+            } else if (result == TokenValidateResult.MISMATCH) {
+                recordTokenValidateStats(participantSiteId, "mismatch");
                 ResponseUtil.SuccessV2(rc, Boolean.FALSE);
+            } else if (result == TokenValidateResult.UNAUTHORIZED) {
+                recordTokenValidateStats(participantSiteId, "unauthorized");
+                ResponseUtil.LogInfoAndSend400Response(rc, "Unauthorised to validate token");
+            } else if (result == TokenValidateResult.INVALID_TOKEN) {
+                recordTokenValidateStats(participantSiteId, "invalid_token");
+                ResponseUtil.LogInfoAndSend400Response(rc, "Invalid token");
             }
         } catch (Exception e) {
-            LOGGER.error("Unknown error while validating token v2", e);
+            recordTokenValidateStats(participantSiteId, "error");
+            LOGGER.error("Unknown error while validating token", e);
             rc.fail(500);
         }
     }

src/test/java/com/uid2/operator/UIDOperatorServiceTest.java

@@ -54,6 +54,7 @@ class UIDOperatorServiceTest {
     @Mock private OperatorShutdownHandler shutdownHandler;
 
     private EncryptedTokenEncoder tokenEncoder;
+    private KeyManager keyManager;
     private UidInstanceIdProvider uidInstanceIdProvider;
     private JsonObject uid2Config;
     private JsonObject euidConfig;
@@ -62,8 +63,8 @@ class UIDOperatorServiceTest {
     private Instant now;
 
     static class ExtendedUIDOperatorService extends UIDOperatorService {
-        public ExtendedUIDOperatorService(IOptOutStore optOutStore, ISaltProvider saltProvider, ITokenEncoder encoder, Clock clock, IdentityScope identityScope, Handler<Boolean> saltRetrievalResponseHandler, boolean identityV3Enabled, UidInstanceIdProvider uidInstanceIdProvider) {
-            super(optOutStore, saltProvider, encoder, clock, identityScope, saltRetrievalResponseHandler, identityV3Enabled, uidInstanceIdProvider);
+        public ExtendedUIDOperatorService(IOptOutStore optOutStore, ISaltProvider saltProvider, ITokenEncoder encoder, Clock clock, IdentityScope identityScope, Handler<Boolean> saltRetrievalResponseHandler, boolean identityV3Enabled, UidInstanceIdProvider uidInstanceIdProvider, KeyManager keyManager) {
+            super(optOutStore, saltProvider, encoder, clock, identityScope, saltRetrievalResponseHandler, identityV3Enabled, uidInstanceIdProvider, keyManager);
         }
     }
 
@@ -88,7 +89,8 @@ void setup() throws Exception {
                 "/com.uid2.core/test/salts/metadata.json");
         saltProvider.loadContent();
 
-        tokenEncoder = new EncryptedTokenEncoder(new KeyManager(keysetKeyStore, keysetProvider));
+        keyManager = new KeyManager(keysetKeyStore, keysetProvider);
+        tokenEncoder = new EncryptedTokenEncoder(keyManager);
 
         setNow(Instant.now());
 
@@ -108,7 +110,8 @@ void setup() throws Exception {
                 IdentityScope.UID2,
                 this.shutdownHandler::handleSaltRetrievalResponse,
                 uid2Config.getBoolean(IdentityV3Prop),
-                uidInstanceIdProvider
+                uidInstanceIdProvider,
+                keyManager
         );
 
         euidConfig = new JsonObject();
@@ -125,7 +128,8 @@ void setup() throws Exception {
                 IdentityScope.EUID,
                 this.shutdownHandler::handleSaltRetrievalResponse,
                 euidConfig.getBoolean(IdentityV3Prop),
-                uidInstanceIdProvider
+                uidInstanceIdProvider,
+                keyManager
         );
     }
 
@@ -154,7 +158,8 @@ private RotatingSaltProvider.SaltSnapshot setUpMockSalts() {
                 IdentityScope.UID2,
                 this.shutdownHandler::handleSaltRetrievalResponse,
                 uid2Config.getBoolean(IdentityV3Prop),
-                uidInstanceIdProvider
+                uidInstanceIdProvider,
+                keyManager
         );
 
         return saltSnapshot;
@@ -820,7 +825,8 @@ void testExpiredSaltsNotifiesShutdownHandler(TestIdentityInputType type, String
                 IdentityScope.UID2,
                 this.shutdownHandler::handleSaltRetrievalResponse,
                 uid2Config.getBoolean(IdentityV3Prop),
-                uidInstanceIdProvider
+                uidInstanceIdProvider,
+                keyManager
         );
 
         UIDOperatorService euidService = new UIDOperatorService(
@@ -831,7 +837,8 @@ void testExpiredSaltsNotifiesShutdownHandler(TestIdentityInputType type, String
                 IdentityScope.EUID,
                 this.shutdownHandler::handleSaltRetrievalResponse,
                 euidConfig.getBoolean(IdentityV3Prop),
-                uidInstanceIdProvider
+                uidInstanceIdProvider,
+                keyManager
         );
 
         when(this.optOutStore.getLatestEntry(any())).thenReturn(null);

src/test/java/com/uid2/operator/UIDOperatorVerticleTest.java

@@ -1543,11 +1543,6 @@ void tokenGenerateOptOutToken(String policyParameterKey, String identity, Identi
                     assertArrayEquals(advertisingId, advertisingToken.userIdentity.id);
                     assertArrayEquals(firstLevelHash, refreshToken.userIdentity.id);
 
-                    String advertisingTokenString = body.getString("advertising_token");
-                    final Instant now = Instant.now();
-                    final String token = advertisingTokenString;
-                    final boolean matchedOptedOutIdentity = this.uidOperatorVerticle.getIdService().advertisingTokenMatches(token, optOutTokenInput.toUserIdentity(getIdentityScope(), 0, now), now, IdentityEnvironment.TEST);
-                    assertTrue(matchedOptedOutIdentity);
                     assertFalse(PrivacyBits.fromInt(advertisingToken.userIdentity.privacyBits).isClientSideTokenGenerated());
                     assertTrue(PrivacyBits.fromInt(advertisingToken.userIdentity.privacyBits).isClientSideTokenOptedOut());
 
@@ -1931,6 +1926,36 @@ void tokenGenerateThenValidateWithEmailHash_Match(Vertx vertx, VertxTestContext
         });
     }
 
+    @Test
+    void tokenGenerateThenValidate_Unauthorized(Vertx vertx, VertxTestContext testContext) {
+        final int clientSiteId = 201;
+        fakeAuth(clientSiteId, Role.GENERATOR);
+        setupSalts();
+        setupKeys();
+
+        generateTokens(vertx, "email", ValidateIdentityForEmail, genRespJson -> {
+            assertEquals("success", genRespJson.getString("status"));
+            JsonObject genBody = genRespJson.getJsonObject("body");
+            assertNotNull(genBody);
+
+            String advertisingTokenString = genBody.getString("advertising_token");
+
+            // This site ID did not generate the token and is therefore not authorised to validate the token
+            fakeAuth(999, Role.GENERATOR);
+
+            JsonObject v2Payload = new JsonObject();
+            v2Payload.put("token", advertisingTokenString);
+            v2Payload.put("email", ValidateIdentityForEmail);
+
+            send(vertx, "v2/token/validate", v2Payload, 400, json -> {
+                assertEquals("client_error", json.getString("status"));
+                assertEquals("Unauthorised to validate token", json.getString("message"));
+
+                testContext.completeNow();
+            });
+        });
+    }
+
     @Test
     void tokenGenerateThenValidateWithBothEmailAndEmailHash(Vertx vertx, VertxTestContext testContext) {
         final int clientSiteId = 201;
@@ -2258,10 +2283,10 @@ void tokenValidateWithEmail_Mismatch(String contentType, Vertx vertx, VertxTestC
         setupKeys();
 
         send(vertx, "v2/token/validate", new JsonObject().put("token", "abcdef").put("email", emailAddress),
-                200,
+                400,
                 respJson -> {
-                    assertFalse(respJson.getBoolean("body"));
-                    assertEquals("success", respJson.getString("status"));
+                    assertEquals("client_error", respJson.getString("status"));
+                    assertEquals("Invalid token", respJson.getString("message"));
 
                     testContext.completeNow();
                 },
@@ -2277,10 +2302,10 @@ void tokenValidateWithEmailHash_Mismatch(Vertx vertx, VertxTestContext testConte
 
         send(vertx, "v2/token/validate",
                 new JsonObject().put("token", "abcdef").put("email_hash", EncodingUtils.toBase64String(ValidateIdentityForEmailHash)),
-                200,
+                400,
                 respJson -> {
-                    assertFalse(respJson.getBoolean("body"));
-                    assertEquals("success", respJson.getString("status"));
+                    assertEquals("client_error", respJson.getString("status"));
+                    assertEquals("Invalid token", respJson.getString("message"));
 
                     testContext.completeNow();
                 });

src/test/java/com/uid2/operator/benchmark/BenchmarkCommon.java

@@ -69,7 +69,8 @@ public static IUIDOperatorService createUidOperatorService() throws Exception {
                 "/com.uid2.core/test/salts/metadata.json");
         saltProvider.loadContent();
 
-        final EncryptedTokenEncoder tokenEncoder = new EncryptedTokenEncoder(new KeyManager(keysetKeyStore, keysetProvider));
+        final KeyManager keyManager = new KeyManager(keysetKeyStore, keysetProvider);
+        final EncryptedTokenEncoder tokenEncoder = new EncryptedTokenEncoder(keyManager);
         final List<String> optOutPartitionFiles = new ArrayList<>();
         final ICloudStorage optOutLocalStorage = make1mOptOutEntryStorage(
                 saltProvider.getSnapshot(Instant.now()).getFirstLevelSalt(),
@@ -84,7 +85,8 @@ public static IUIDOperatorService createUidOperatorService() throws Exception {
                 IdentityScope.UID2,
                 shutdownHandler::handleSaltRetrievalResponse,
                 false,
-                new UidInstanceIdProvider("test-instance", "id")
+                new UidInstanceIdProvider("test-instance", "id"),
+                keyManager
         );
     }