mirror of
				https://github.com/openimsdk/open-im-server.git
				synced 2025-10-25 12:42:12 +08:00 
			
		
		
		
	feat: add end-to-end encryption support
This commit is contained in:
		
							parent
							
								
									5e813ef079
								
							
						
					
					
						commit
						b4c925e910
					
				
							
								
								
									
										79
									
								
								cmd/openim-rpc/encryption/main.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										79
									
								
								cmd/openim-rpc/encryption/main.go
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,79 @@ | ||||
| // Copyright © 2024 OpenIM. All rights reserved. | ||||
| // | ||||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||||
| // you may not use this file except in compliance with the License. | ||||
| // You may obtain a copy of the License at | ||||
| // | ||||
| //     http://www.apache.org/licenses/LICENSE-2.0 | ||||
| // | ||||
| // Unless required by applicable law or agreed to in writing, software | ||||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||
| // See the License for the specific language governing permissions and | ||||
| // limitations under the License. | ||||
| 
 | ||||
| package main | ||||
| 
 | ||||
| import ( | ||||
| 	"context" | ||||
| 	"flag" | ||||
| 	"fmt" | ||||
| 	"log" | ||||
| 	"os" | ||||
| 	"path/filepath" | ||||
| 
 | ||||
| 	"github.com/openimsdk/open-im-server/v3/internal/rpc/encryption" | ||||
| 	"gopkg.in/yaml.v3" | ||||
| ) | ||||
| 
 | ||||
| func main() { | ||||
| 	var configPath = flag.String("config", "./config", "path to config directory") | ||||
| 	flag.Parse() | ||||
| 
 | ||||
| 	// Load encryption service config independently | ||||
| 	config, err := loadEncryptionConfig(*configPath) | ||||
| 	if err != nil { | ||||
| 		log.Fatalf("Failed to load encryption config: %v", err) | ||||
| 	} | ||||
| 
 | ||||
| 	// Start the encryption service | ||||
| 	ctx := context.Background() | ||||
| 	if err := encryption.Start(ctx, config); err != nil { | ||||
| 		log.Fatalf("Failed to start encryption service: %v", err) | ||||
| 	} | ||||
| } | ||||
| 
 | ||||
| // loadEncryptionConfig loads configuration from multiple files following OpenIM pattern | ||||
| func loadEncryptionConfig(configDir string) (*encryption.Config, error) { | ||||
| 	config := &encryption.Config{} | ||||
| 
 | ||||
| 	// Load main encryption config (only contains rpc, prometheus, and encryption-specific settings) | ||||
| 	encryptionConfigFile := filepath.Join(configDir, "openim-rpc-encryption.yml") | ||||
| 	if err := loadYAMLFile(encryptionConfigFile, config); err != nil { | ||||
| 		return nil, fmt.Errorf("failed to load encryption config: %w", err) | ||||
| 	} | ||||
| 
 | ||||
| 	// Load shared MongoDB configuration | ||||
| 	mongoConfigFile := filepath.Join(configDir, "mongodb.yml") | ||||
| 	if err := loadYAMLFile(mongoConfigFile, &config.MongodbConfig); err != nil { | ||||
| 		return nil, fmt.Errorf("failed to load mongodb config: %w", err) | ||||
| 	} | ||||
| 
 | ||||
| 	// Load shared Discovery configuration | ||||
| 	discoveryConfigFile := filepath.Join(configDir, "discovery.yml") | ||||
| 	if err := loadYAMLFile(discoveryConfigFile, &config.Discovery); err != nil { | ||||
| 		return nil, fmt.Errorf("failed to load discovery config: %w", err) | ||||
| 	} | ||||
| 
 | ||||
| 	return config, nil | ||||
| } | ||||
| 
 | ||||
| // loadYAMLFile loads a YAML file into the given struct | ||||
| func loadYAMLFile(filename string, out interface{}) error { | ||||
| 	data, err := os.ReadFile(filename) | ||||
| 	if err != nil { | ||||
| 		return err | ||||
| 	} | ||||
| 
 | ||||
| 	return yaml.Unmarshal(data, out) | ||||
| } | ||||
| @ -20,3 +20,4 @@ rpcService: | ||||
|   auth: auth-rpc-service | ||||
|   conversation: conversation-rpc-service | ||||
|   third: third-rpc-service | ||||
|   encryption: encryption-rpc-service | ||||
|  | ||||
							
								
								
									
										59
									
								
								config/openim-rpc-encryption.yml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										59
									
								
								config/openim-rpc-encryption.yml
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,59 @@ | ||||
| # Copyright © 2024 OpenIM. All rights reserved. | ||||
| # | ||||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||||
| # you may not use this file except in compliance with the License. | ||||
| # You may obtain a copy of the License at | ||||
| # | ||||
| #     http://www.apache.org/licenses/LICENSE-2.0 | ||||
| # | ||||
| # Unless required by applicable law or agreed to in writing, software | ||||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||
| # See the License for the specific language governing permissions and | ||||
| # limitations under the License. | ||||
| 
 | ||||
| # RPC Configuration (following OpenIM standard format) | ||||
| rpc: | ||||
|   # API or other RPCs can access this RPC through this IP; if left blank, the internal network IP is obtained by default | ||||
|   registerIP:  | ||||
|   # Listening IP; 0.0.0.0 means both internal and external IPs are listened to, if blank, the internal network IP is automatically obtained by default | ||||
|   listenIP: 0.0.0.0 | ||||
|   # autoSetPorts indicates whether to automatically set the ports | ||||
|   # if you use in kubernetes, set it to false | ||||
|   autoSetPorts: true | ||||
|   # List of ports that the RPC service listens on; configuring multiple ports will launch multiple instances. These must match the number of configured prometheus ports | ||||
|   # It will only take effect when autoSetPorts is set to false. | ||||
|   ports: [ 10800 ] | ||||
| 
 | ||||
| prometheus: | ||||
|   # Whether to enable prometheus | ||||
|   enable: true | ||||
|   # Prometheus listening ports, must be consistent with the number of rpc.ports | ||||
|   # It will only take effect when autoSetPorts is set to false. | ||||
|   ports: [ 20800 ] | ||||
| 
 | ||||
| # Encryption Configuration | ||||
| encryption: | ||||
|   # Encryption mode: "aes", "signal", "hybrid" | ||||
|   mode: "aes"  # Default to AES for compatibility | ||||
|    | ||||
|   # AES encryption settings (existing) | ||||
|   aes: | ||||
|     enabled: true | ||||
|      | ||||
|   # Signal Protocol settings | ||||
|   signal: | ||||
|     enabled: false  # Set to true when ready to use Signal Protocol | ||||
|     preKeyBatch: 100                    # Max one-time prekeys per upload | ||||
|     keyRotationInterval: "168h"         # 7 days | ||||
|     sessionCleanupInterval: "720h"      # 30 days | ||||
|     prekeyCleanupInterval: "168h"       # 7 days | ||||
|      | ||||
|     # Security settings | ||||
|     maxOneTimePreKeys: 100 | ||||
|     maxSessionsPerDevice: 1000 | ||||
|      | ||||
|     # Validation settings | ||||
|     validateSignatures: true | ||||
|     requireIdentityKeys: true | ||||
| 
 | ||||
							
								
								
									
										111
									
								
								internal/rpc/encryption/config.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										111
									
								
								internal/rpc/encryption/config.go
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,111 @@ | ||||
| // Copyright © 2024 OpenIM. All rights reserved. | ||||
| // | ||||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||||
| // you may not use this file except in compliance with the License. | ||||
| // You may obtain a copy of the License at | ||||
| // | ||||
| //     http://www.apache.org/licenses/LICENSE-2.0 | ||||
| // | ||||
| // Unless required by applicable law or agreed to in writing, software | ||||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||
| // See the License for the specific language governing permissions and | ||||
| // limitations under the License. | ||||
| 
 | ||||
| package encryption | ||||
| 
 | ||||
| import ( | ||||
| 	"time" | ||||
| 
 | ||||
| 	"github.com/openimsdk/open-im-server/v3/pkg/common/config" | ||||
| ) | ||||
| 
 | ||||
| // PrometheusConfig contains Prometheus configuration | ||||
| type PrometheusConfig struct { | ||||
| 	Enable bool  `yaml:"enable"` | ||||
| 	Ports  []int `yaml:"ports"` | ||||
| } | ||||
| 
 | ||||
| // Config represents the configuration for encryption service | ||||
| type Config struct { | ||||
| 	RpcConfig        config.RPC       `yaml:"rpc"` | ||||
| 	MongodbConfig    config.Mongo     `yaml:"mongo"` | ||||
| 	Discovery        config.Discovery `yaml:"discovery"` | ||||
| 	PrometheusConfig PrometheusConfig `yaml:"prometheus"` | ||||
| 	EncryptionConfig EncryptionConfig `yaml:"encryption"` | ||||
| } | ||||
| 
 | ||||
| // EncryptionConfig contains encryption-specific configuration | ||||
| type EncryptionConfig struct { | ||||
| 	Mode   string       `yaml:"mode"` // "aes", "signal", "hybrid" | ||||
| 	AES    AESConfig    `yaml:"aes"` | ||||
| 	Signal SignalConfig `yaml:"signal"` | ||||
| } | ||||
| 
 | ||||
| // AESConfig contains AES encryption configuration | ||||
| type AESConfig struct { | ||||
| 	Enabled bool `yaml:"enabled"` | ||||
| } | ||||
| 
 | ||||
| // SignalConfig contains Signal Protocol configuration | ||||
| type SignalConfig struct { | ||||
| 	Enabled                bool          `yaml:"enabled"` | ||||
| 	PreKeyBatch            int           `yaml:"preKeyBatch"` | ||||
| 	KeyRotationInterval    time.Duration `yaml:"keyRotationInterval"` | ||||
| 	SessionCleanupInterval time.Duration `yaml:"sessionCleanupInterval"` | ||||
| 	PrekeyCleanupInterval  time.Duration `yaml:"prekeyCleanupInterval"` | ||||
| 
 | ||||
| 	// Security settings | ||||
| 	MaxOneTimePreKeys    int `yaml:"maxOneTimePreKeys"` | ||||
| 	MaxSessionsPerDevice int `yaml:"maxSessionsPerDevice"` | ||||
| 
 | ||||
| 	// Validation settings | ||||
| 	ValidateSignatures  bool `yaml:"validateSignatures"` | ||||
| 	RequireIdentityKeys bool `yaml:"requireIdentityKeys"` | ||||
| } | ||||
| 
 | ||||
| // GetEncryptionMode returns the current encryption mode | ||||
| func (c *Config) GetEncryptionMode() string { | ||||
| 	if c.EncryptionConfig.Mode == "" { | ||||
| 		return "aes" // default to AES for compatibility | ||||
| 	} | ||||
| 	return c.EncryptionConfig.Mode | ||||
| } | ||||
| 
 | ||||
| // IsSignalEnabled returns true if Signal Protocol is enabled | ||||
| func (c *Config) IsSignalEnabled() bool { | ||||
| 	return c.EncryptionConfig.Signal.Enabled && | ||||
| 		(c.EncryptionConfig.Mode == "signal" || c.EncryptionConfig.Mode == "hybrid") | ||||
| } | ||||
| 
 | ||||
| // IsAESEnabled returns true if AES encryption is enabled | ||||
| func (c *Config) IsAESEnabled() bool { | ||||
| 	return c.EncryptionConfig.AES.Enabled || | ||||
| 		c.EncryptionConfig.Mode == "aes" || | ||||
| 		c.EncryptionConfig.Mode == "hybrid" | ||||
| } | ||||
| 
 | ||||
| // GetSignalConfig returns Signal Protocol configuration | ||||
| func (c *Config) GetSignalConfig() *SignalConfig { | ||||
| 	// Set defaults if not specified | ||||
| 	if c.EncryptionConfig.Signal.PreKeyBatch == 0 { | ||||
| 		c.EncryptionConfig.Signal.PreKeyBatch = 100 | ||||
| 	} | ||||
| 	if c.EncryptionConfig.Signal.KeyRotationInterval == 0 { | ||||
| 		c.EncryptionConfig.Signal.KeyRotationInterval = 7 * 24 * time.Hour // 7 days | ||||
| 	} | ||||
| 	if c.EncryptionConfig.Signal.SessionCleanupInterval == 0 { | ||||
| 		c.EncryptionConfig.Signal.SessionCleanupInterval = 30 * 24 * time.Hour // 30 days | ||||
| 	} | ||||
| 	if c.EncryptionConfig.Signal.PrekeyCleanupInterval == 0 { | ||||
| 		c.EncryptionConfig.Signal.PrekeyCleanupInterval = 7 * 24 * time.Hour // 7 days | ||||
| 	} | ||||
| 	if c.EncryptionConfig.Signal.MaxOneTimePreKeys == 0 { | ||||
| 		c.EncryptionConfig.Signal.MaxOneTimePreKeys = 100 | ||||
| 	} | ||||
| 	if c.EncryptionConfig.Signal.MaxSessionsPerDevice == 0 { | ||||
| 		c.EncryptionConfig.Signal.MaxSessionsPerDevice = 1000 | ||||
| 	} | ||||
| 
 | ||||
| 	return &c.EncryptionConfig.Signal | ||||
| } | ||||
							
								
								
									
										348
									
								
								internal/rpc/encryption/handlers.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										348
									
								
								internal/rpc/encryption/handlers.go
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,348 @@ | ||||
| // Copyright © 2024 OpenIM. All rights reserved. | ||||
| // | ||||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||||
| // you may not use this file except in compliance with the License. | ||||
| // You may obtain a copy of the License at | ||||
| // | ||||
| //     http://www.apache.org/licenses/LICENSE-2.0 | ||||
| // | ||||
| // Unless required by applicable law or agreed to in writing, software | ||||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||
| // See the License for the specific language governing permissions and | ||||
| // limitations under the License. | ||||
| 
 | ||||
| package encryption | ||||
| 
 | ||||
| import ( | ||||
| 	"encoding/base64" | ||||
| 	"net/http" | ||||
| 	"strconv" | ||||
| 
 | ||||
| 	"github.com/gin-gonic/gin" | ||||
| 	"github.com/openimsdk/tools/log" | ||||
| ) | ||||
| 
 | ||||
| // Request/Response structures for HTTP API | ||||
| type GetPreKeysResponse struct { | ||||
| 	IdentityKey   *IdentityKeyInfo    `json:"identityKey"` | ||||
| 	SignedPreKey  *SignedPreKeyInfo   `json:"signedPreKey"` | ||||
| 	OneTimePreKey *PreKeyInfo         `json:"oneTimePreKey,omitempty"` | ||||
| 	RegistrationID int32              `json:"registrationId"` | ||||
| } | ||||
| 
 | ||||
| type IdentityKeyInfo struct { | ||||
| 	IdentityKey    string `json:"identityKey"` | ||||
| 	RegistrationID int32  `json:"registrationId"` | ||||
| 	CreatedTime    int64  `json:"createdTime"` | ||||
| } | ||||
| 
 | ||||
| type PreKeyInfo struct { | ||||
| 	KeyID     uint32 `json:"keyId"` | ||||
| 	PublicKey string `json:"publicKey"` | ||||
| } | ||||
| 
 | ||||
| type SignedPreKeyInfo struct { | ||||
| 	KeyID       uint32 `json:"keyId"` | ||||
| 	PublicKey   string `json:"publicKey"` | ||||
| 	Signature   string `json:"signature"` | ||||
| 	CreatedTime int64  `json:"createdTime"` | ||||
| } | ||||
| 
 | ||||
| type SetPreKeysRequest struct { | ||||
| 	IdentityKey     string             `json:"identityKey,omitempty"` | ||||
| 	SignedPreKey    *SignedPreKeyInfo  `json:"signedPreKey,omitempty"` | ||||
| 	OneTimePreKeys  []PreKeyInfo       `json:"oneTimePreKeys,omitempty"` | ||||
| 	RegistrationID  int32              `json:"registrationId,omitempty"` | ||||
| } | ||||
| 
 | ||||
| type APIResponse struct { | ||||
| 	Code    int         `json:"code"` | ||||
| 	Message string      `json:"message"` | ||||
| 	Data    interface{} `json:"data,omitempty"` | ||||
| } | ||||
| 
 | ||||
| // GetPreKeys handles GET /api/v1/encryption/prekeys/:user_id/:device_id | ||||
| func (s *Server) GetPreKeys(c *gin.Context) { | ||||
| 	userID := c.Param("user_id") | ||||
| 	deviceIDStr := c.Param("device_id") | ||||
| 	 | ||||
| 	deviceID, err := strconv.ParseInt(deviceIDStr, 10, 32) | ||||
| 	if err != nil { | ||||
| 		c.JSON(http.StatusBadRequest, APIResponse{ | ||||
| 			Code:    400, | ||||
| 			Message: "Invalid device_id", | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
| 	 | ||||
| 	log.ZInfo(c.Request.Context(), "GetPreKeys", "userID", userID, "deviceID", deviceID) | ||||
| 	 | ||||
| 	// Get identity key | ||||
| 	identityKey, err := s.keysManager.GetIdentityKey(c.Request.Context(), userID, int32(deviceID)) | ||||
| 	if err != nil { | ||||
| 		log.ZError(c.Request.Context(), "failed to get identity key", err) | ||||
| 		c.JSON(http.StatusNotFound, APIResponse{ | ||||
| 			Code:    404, | ||||
| 			Message: "Identity key not found", | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
| 	 | ||||
| 	// Get signed prekey | ||||
| 	signedPreKey, err := s.keysManager.GetActiveSignedPreKey(c.Request.Context(), userID, int32(deviceID)) | ||||
| 	if err != nil { | ||||
| 		log.ZError(c.Request.Context(), "failed to get signed prekey", err) | ||||
| 		c.JSON(http.StatusNotFound, APIResponse{ | ||||
| 			Code:    404, | ||||
| 			Message: "Signed prekey not found", | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
| 	 | ||||
| 	// Get one-time prekey (optional) | ||||
| 	oneTimePreKey, err := s.keysManager.GetOneTimePreKey(c.Request.Context(), userID, int32(deviceID)) | ||||
| 	if err != nil { | ||||
| 		log.ZWarn(c.Request.Context(), "no one-time prekey available", err) | ||||
| 		oneTimePreKey = nil | ||||
| 	} | ||||
| 	 | ||||
| 	response := &GetPreKeysResponse{ | ||||
| 		IdentityKey: &IdentityKeyInfo{ | ||||
| 			IdentityKey:    base64.StdEncoding.EncodeToString(identityKey.IdentityKey), | ||||
| 			RegistrationID: identityKey.RegistrationID, | ||||
| 			CreatedTime:    identityKey.CreatedTime.Unix(), | ||||
| 		}, | ||||
| 		SignedPreKey: &SignedPreKeyInfo{ | ||||
| 			KeyID:       signedPreKey.KeyID, | ||||
| 			PublicKey:   base64.StdEncoding.EncodeToString(signedPreKey.PublicKey), | ||||
| 			Signature:   base64.StdEncoding.EncodeToString(signedPreKey.Signature), | ||||
| 			CreatedTime: signedPreKey.CreatedTime.Unix(), | ||||
| 		}, | ||||
| 		RegistrationID: identityKey.RegistrationID, | ||||
| 	} | ||||
| 	 | ||||
| 	if oneTimePreKey != nil { | ||||
| 		response.OneTimePreKey = &PreKeyInfo{ | ||||
| 			KeyID:     oneTimePreKey.KeyID, | ||||
| 			PublicKey: base64.StdEncoding.EncodeToString(oneTimePreKey.PublicKey), | ||||
| 		} | ||||
| 	} | ||||
| 	 | ||||
| 	c.JSON(http.StatusOK, APIResponse{ | ||||
| 		Code:    0, | ||||
| 		Message: "success", | ||||
| 		Data:    response, | ||||
| 	}) | ||||
| } | ||||
| 
 | ||||
| // SetPreKeys handles POST /api/v1/encryption/prekeys/:user_id/:device_id | ||||
| func (s *Server) SetPreKeys(c *gin.Context) { | ||||
| 	userID := c.Param("user_id") | ||||
| 	deviceIDStr := c.Param("device_id") | ||||
| 	 | ||||
| 	deviceID, err := strconv.ParseInt(deviceIDStr, 10, 32) | ||||
| 	if err != nil { | ||||
| 		c.JSON(http.StatusBadRequest, APIResponse{ | ||||
| 			Code:    400, | ||||
| 			Message: "Invalid device_id", | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
| 	 | ||||
| 	var req SetPreKeysRequest | ||||
| 	if err := c.ShouldBindJSON(&req); err != nil { | ||||
| 		c.JSON(http.StatusBadRequest, APIResponse{ | ||||
| 			Code:    400, | ||||
| 			Message: "Invalid request body", | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
| 	 | ||||
| 	log.ZInfo(c.Request.Context(), "SetPreKeys", "userID", userID, "deviceID", deviceID) | ||||
| 	 | ||||
| 	// Set identity key if provided | ||||
| 	if req.IdentityKey != "" { | ||||
| 		identityKeyBytes, err := base64.StdEncoding.DecodeString(req.IdentityKey) | ||||
| 		if err != nil { | ||||
| 			c.JSON(http.StatusBadRequest, APIResponse{ | ||||
| 				Code:    400, | ||||
| 				Message: "Invalid identity key encoding", | ||||
| 			}) | ||||
| 			return | ||||
| 		} | ||||
| 		 | ||||
| 		err = s.keysManager.SetIdentityKey(c.Request.Context(), userID, int32(deviceID), identityKeyBytes, req.RegistrationID) | ||||
| 		if err != nil { | ||||
| 			log.ZError(c.Request.Context(), "failed to set identity key", err) | ||||
| 			c.JSON(http.StatusInternalServerError, APIResponse{ | ||||
| 				Code:    500, | ||||
| 				Message: "Failed to set identity key", | ||||
| 			}) | ||||
| 			return | ||||
| 		} | ||||
| 	} | ||||
| 	 | ||||
| 	// Set signed prekey if provided | ||||
| 	if req.SignedPreKey != nil { | ||||
| 		publicKeyBytes, err := base64.StdEncoding.DecodeString(req.SignedPreKey.PublicKey) | ||||
| 		if err != nil { | ||||
| 			c.JSON(http.StatusBadRequest, APIResponse{ | ||||
| 				Code:    400, | ||||
| 				Message: "Invalid signed prekey public key encoding", | ||||
| 			}) | ||||
| 			return | ||||
| 		} | ||||
| 		 | ||||
| 		signatureBytes, err := base64.StdEncoding.DecodeString(req.SignedPreKey.Signature) | ||||
| 		if err != nil { | ||||
| 			c.JSON(http.StatusBadRequest, APIResponse{ | ||||
| 				Code:    400, | ||||
| 				Message: "Invalid signed prekey signature encoding", | ||||
| 			}) | ||||
| 			return | ||||
| 		} | ||||
| 		 | ||||
| 		signedPreKeyData := &SignedPreKeyResponse{ | ||||
| 			KeyId:     req.SignedPreKey.KeyID, | ||||
| 			PublicKey: publicKeyBytes, | ||||
| 			Signature: signatureBytes, | ||||
| 		} | ||||
| 		 | ||||
| 		err = s.keysManager.SetSignedPreKey(c.Request.Context(), userID, int32(deviceID), signedPreKeyData) | ||||
| 		if err != nil { | ||||
| 			log.ZError(c.Request.Context(), "failed to set signed prekey", err) | ||||
| 			c.JSON(http.StatusInternalServerError, APIResponse{ | ||||
| 				Code:    500, | ||||
| 				Message: "Failed to set signed prekey", | ||||
| 			}) | ||||
| 			return | ||||
| 		} | ||||
| 	} | ||||
| 	 | ||||
| 	// Set one-time prekeys | ||||
| 	if len(req.OneTimePreKeys) > 0 { | ||||
| 		var preKeyData []*PreKeyResponse | ||||
| 		for _, pk := range req.OneTimePreKeys { | ||||
| 			publicKeyBytes, err := base64.StdEncoding.DecodeString(pk.PublicKey) | ||||
| 			if err != nil { | ||||
| 				c.JSON(http.StatusBadRequest, APIResponse{ | ||||
| 					Code:    400, | ||||
| 					Message: "Invalid one-time prekey public key encoding", | ||||
| 				}) | ||||
| 				return | ||||
| 			} | ||||
| 			 | ||||
| 			preKeyData = append(preKeyData, &PreKeyResponse{ | ||||
| 				KeyId:     pk.KeyID, | ||||
| 				PublicKey: publicKeyBytes, | ||||
| 			}) | ||||
| 		} | ||||
| 		 | ||||
| 		acceptedCount, err := s.keysManager.SetOneTimePreKeys(c.Request.Context(), userID, int32(deviceID), preKeyData) | ||||
| 		if err != nil { | ||||
| 			log.ZError(c.Request.Context(), "failed to set one-time prekeys", err) | ||||
| 			c.JSON(http.StatusInternalServerError, APIResponse{ | ||||
| 				Code:    500, | ||||
| 				Message: "Failed to set one-time prekeys", | ||||
| 			}) | ||||
| 			return | ||||
| 		} | ||||
| 		 | ||||
| 		c.JSON(http.StatusOK, APIResponse{ | ||||
| 			Code:    0, | ||||
| 			Message: "success", | ||||
| 			Data: map[string]interface{}{ | ||||
| 				"preKeysAccepted": acceptedCount, | ||||
| 			}, | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
| 	 | ||||
| 	c.JSON(http.StatusOK, APIResponse{ | ||||
| 		Code:    0, | ||||
| 		Message: "success", | ||||
| 	}) | ||||
| } | ||||
| 
 | ||||
| // GetPreKeyCount handles GET /api/v1/encryption/prekeys/:user_id/:device_id/count | ||||
| func (s *Server) GetPreKeyCount(c *gin.Context) { | ||||
| 	userID := c.Param("user_id") | ||||
| 	deviceIDStr := c.Param("device_id") | ||||
| 	 | ||||
| 	deviceID, err := strconv.ParseInt(deviceIDStr, 10, 32) | ||||
| 	if err != nil { | ||||
| 		c.JSON(http.StatusBadRequest, APIResponse{ | ||||
| 			Code:    400, | ||||
| 			Message: "Invalid device_id", | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
| 	 | ||||
| 	count, err := s.keysManager.GetPreKeyCount(c.Request.Context(), userID, int32(deviceID)) | ||||
| 	if err != nil { | ||||
| 		log.ZError(c.Request.Context(), "failed to get prekey count", err) | ||||
| 		c.JSON(http.StatusInternalServerError, APIResponse{ | ||||
| 			Code:    500, | ||||
| 			Message: "Failed to get prekey count", | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
| 	 | ||||
| 	signedPreKeyExists, lastRotation, err := s.keysManager.GetSignedPreKeyInfo(c.Request.Context(), userID, int32(deviceID)) | ||||
| 	if err != nil { | ||||
| 		signedPreKeyExists = false | ||||
| 	} | ||||
| 	 | ||||
| 	data := map[string]interface{}{ | ||||
| 		"oneTimePreKeyCount": count, | ||||
| 		"signedPreKeyExists": signedPreKeyExists, | ||||
| 	} | ||||
| 	 | ||||
| 	if !lastRotation.IsZero() { | ||||
| 		data["lastSignedPreKeyRotation"] = lastRotation.Unix() | ||||
| 	} | ||||
| 	 | ||||
| 	c.JSON(http.StatusOK, APIResponse{ | ||||
| 		Code:    0, | ||||
| 		Message: "success", | ||||
| 		Data:    data, | ||||
| 	}) | ||||
| } | ||||
| 
 | ||||
| // GetIdentityKey handles GET /api/v1/encryption/identity/:user_id/:device_id | ||||
| func (s *Server) GetIdentityKey(c *gin.Context) { | ||||
| 	userID := c.Param("user_id") | ||||
| 	deviceIDStr := c.Param("device_id") | ||||
| 	 | ||||
| 	deviceID, err := strconv.ParseInt(deviceIDStr, 10, 32) | ||||
| 	if err != nil { | ||||
| 		c.JSON(http.StatusBadRequest, APIResponse{ | ||||
| 			Code:    400, | ||||
| 			Message: "Invalid device_id", | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
| 	 | ||||
| 	identityKey, err := s.keysManager.GetIdentityKey(c.Request.Context(), userID, int32(deviceID)) | ||||
| 	if err != nil { | ||||
| 		log.ZError(c.Request.Context(), "failed to get identity key", err) | ||||
| 		c.JSON(http.StatusNotFound, APIResponse{ | ||||
| 			Code:    404, | ||||
| 			Message: "Identity key not found", | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
| 	 | ||||
| 	response := &IdentityKeyInfo{ | ||||
| 		IdentityKey:    base64.StdEncoding.EncodeToString(identityKey.IdentityKey), | ||||
| 		RegistrationID: identityKey.RegistrationID, | ||||
| 		CreatedTime:    identityKey.CreatedTime.Unix(), | ||||
| 	} | ||||
| 	 | ||||
| 	c.JSON(http.StatusOK, APIResponse{ | ||||
| 		Code:    0, | ||||
| 		Message: "success", | ||||
| 		Data:    response, | ||||
| 	}) | ||||
| } | ||||
							
								
								
									
										287
									
								
								internal/rpc/encryption/keys_manager.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										287
									
								
								internal/rpc/encryption/keys_manager.go
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,287 @@ | ||||
| // Copyright © 2024 OpenIM. All rights reserved. | ||||
| // | ||||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||||
| // you may not use this file except in compliance with the License. | ||||
| // You may obtain a copy of the License at | ||||
| // | ||||
| //     http://www.apache.org/licenses/LICENSE-2.0 | ||||
| // | ||||
| // Unless required by applicable law or agreed to in writing, software | ||||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||
| // See the License for the specific language governing permissions and | ||||
| // limitations under the License. | ||||
| 
 | ||||
| package encryption | ||||
| 
 | ||||
| import ( | ||||
| 	"context" | ||||
| 	"fmt" | ||||
| 	"time" | ||||
| 
 | ||||
| 	"github.com/openimsdk/open-im-server/v3/internal/rpc/encryption/stores" | ||||
| 	"github.com/openimsdk/open-im-server/v3/pkg/common/storage/model/signal" | ||||
| 	"github.com/openimsdk/tools/log" | ||||
| ) | ||||
| 
 | ||||
| const ( | ||||
| 	// Maximum number of one-time prekeys that can be uploaded at once | ||||
| 	MaxOneTimePreKeys = 100 | ||||
| ) | ||||
| 
 | ||||
| type KeysManager struct { | ||||
| 	identityStore     stores.IdentityStoreInterface | ||||
| 	preKeyStore       stores.PreKeyStoreInterface | ||||
| 	signedPreKeyStore stores.SignedPreKeyStoreInterface | ||||
| } | ||||
| 
 | ||||
| func NewKeysManager( | ||||
| 	identityStore stores.IdentityStoreInterface, | ||||
| 	preKeyStore stores.PreKeyStoreInterface, | ||||
| 	signedPreKeyStore stores.SignedPreKeyStoreInterface, | ||||
| ) *KeysManager { | ||||
| 	return &KeysManager{ | ||||
| 		identityStore:     identityStore, | ||||
| 		preKeyStore:       preKeyStore, | ||||
| 		signedPreKeyStore: signedPreKeyStore, | ||||
| 	} | ||||
| } | ||||
| 
 | ||||
| // GetIdentityKey retrieves the identity key for a user/device | ||||
| func (km *KeysManager) GetIdentityKey(ctx context.Context, userID string, deviceID int32) (*signal.SignalIdentityKey, error) { | ||||
| 	return km.identityStore.Get(ctx, userID, deviceID) | ||||
| } | ||||
| 
 | ||||
| // SetIdentityKey sets the identity key for a user/device | ||||
| func (km *KeysManager) SetIdentityKey(ctx context.Context, userID string, deviceID int32, identityKey []byte, registrationID int32) error { | ||||
| 	now := time.Now() | ||||
| 
 | ||||
| 	// Check if identity key already exists | ||||
| 	existing, err := km.identityStore.Get(ctx, userID, deviceID) | ||||
| 	if err == nil && existing != nil { | ||||
| 		// Update existing identity key | ||||
| 		existing.IdentityKey = identityKey | ||||
| 		existing.RegistrationID = registrationID | ||||
| 		existing.UpdatedTime = now | ||||
| 		return km.identityStore.Update(ctx, userID, deviceID, existing) | ||||
| 	} | ||||
| 
 | ||||
| 	// Create new identity key | ||||
| 	identityKeyRecord := &signal.SignalIdentityKey{ | ||||
| 		UserID:         userID, | ||||
| 		DeviceID:       deviceID, | ||||
| 		IdentityKey:    identityKey, | ||||
| 		RegistrationID: registrationID, | ||||
| 		CreatedTime:    now, | ||||
| 		UpdatedTime:    now, | ||||
| 	} | ||||
| 
 | ||||
| 	return km.identityStore.Create(ctx, identityKeyRecord) | ||||
| } | ||||
| 
 | ||||
| // GetActiveSignedPreKey retrieves the active signed prekey for a user/device | ||||
| func (km *KeysManager) GetActiveSignedPreKey(ctx context.Context, userID string, deviceID int32) (*signal.SignalSignedPreKey, error) { | ||||
| 	return km.signedPreKeyStore.GetActive(ctx, userID, deviceID) | ||||
| } | ||||
| 
 | ||||
| // SetSignedPreKey sets a signed prekey for a user/device | ||||
| func (km *KeysManager) SetSignedPreKey(ctx context.Context, userID string, deviceID int32, signedPreKey *SignedPreKeyResponse) error { | ||||
| 	now := time.Now() | ||||
| 
 | ||||
| 	signedPreKeyRecord := &signal.SignalSignedPreKey{ | ||||
| 		UserID:      userID, | ||||
| 		DeviceID:    deviceID, | ||||
| 		KeyID:       signedPreKey.KeyId, | ||||
| 		PublicKey:   signedPreKey.PublicKey, | ||||
| 		Signature:   signedPreKey.Signature, | ||||
| 		CreatedTime: now, | ||||
| 		Active:      true, | ||||
| 	} | ||||
| 
 | ||||
| 	// Deactivate existing signed prekeys and set this one as active | ||||
| 	err := km.signedPreKeyStore.SetActive(ctx, userID, deviceID, signedPreKey.KeyId) | ||||
| 	if err != nil { | ||||
| 		log.ZWarn(ctx, "failed to deactivate existing signed prekeys", err) | ||||
| 	} | ||||
| 
 | ||||
| 	// Create or update the signed prekey | ||||
| 	existing, err := km.signedPreKeyStore.GetByKeyID(ctx, userID, deviceID, signedPreKey.KeyId) | ||||
| 	if err == nil && existing != nil { | ||||
| 		return km.signedPreKeyStore.Update(ctx, userID, deviceID, signedPreKey.KeyId, signedPreKeyRecord) | ||||
| 	} | ||||
| 
 | ||||
| 	return km.signedPreKeyStore.Create(ctx, signedPreKeyRecord) | ||||
| } | ||||
| 
 | ||||
| // GetOneTimePreKey retrieves an available one-time prekey and marks it as used | ||||
| func (km *KeysManager) GetOneTimePreKey(ctx context.Context, userID string, deviceID int32) (*signal.SignalPreKey, error) { | ||||
| 	preKey, err := km.preKeyStore.GetAvailable(ctx, userID, deviceID) | ||||
| 	if err != nil { | ||||
| 		return nil, fmt.Errorf("no available one-time prekey: %w", err) | ||||
| 	} | ||||
| 
 | ||||
| 	// Mark the prekey as used | ||||
| 	err = km.preKeyStore.MarkUsed(ctx, userID, deviceID, preKey.KeyID) | ||||
| 	if err != nil { | ||||
| 		log.ZError(ctx, "failed to mark prekey as used", err, "userID", userID, "deviceID", deviceID, "keyID", preKey.KeyID) | ||||
| 		// Don't fail the request, but log the error | ||||
| 	} | ||||
| 
 | ||||
| 	return preKey, nil | ||||
| } | ||||
| 
 | ||||
| // SetOneTimePreKeys sets multiple one-time prekeys for a user/device | ||||
| func (km *KeysManager) SetOneTimePreKeys(ctx context.Context, userID string, deviceID int32, preKeys []*PreKeyResponse) (int, error) { | ||||
| 	if len(preKeys) > MaxOneTimePreKeys { | ||||
| 		return 0, fmt.Errorf("too many one-time prekeys: %d (max: %d)", len(preKeys), MaxOneTimePreKeys) | ||||
| 	} | ||||
| 
 | ||||
| 	now := time.Now() | ||||
| 	var preKeyRecords []*signal.SignalPreKey | ||||
| 
 | ||||
| 	for _, preKey := range preKeys { | ||||
| 		preKeyRecord := &signal.SignalPreKey{ | ||||
| 			UserID:      userID, | ||||
| 			DeviceID:    deviceID, | ||||
| 			KeyID:       preKey.KeyId, | ||||
| 			PublicKey:   preKey.PublicKey, | ||||
| 			Used:        false, | ||||
| 			CreatedTime: now, | ||||
| 		} | ||||
| 		preKeyRecords = append(preKeyRecords, preKeyRecord) | ||||
| 	} | ||||
| 
 | ||||
| 	err := km.preKeyStore.CreateBatch(ctx, preKeyRecords) | ||||
| 	if err != nil { | ||||
| 		return 0, fmt.Errorf("failed to create one-time prekeys: %w", err) | ||||
| 	} | ||||
| 
 | ||||
| 	return len(preKeyRecords), nil | ||||
| } | ||||
| 
 | ||||
| // GetPreKeyCount returns the count of available one-time prekeys for a user/device | ||||
| func (km *KeysManager) GetPreKeyCount(ctx context.Context, userID string, deviceID int32) (int64, error) { | ||||
| 	return km.preKeyStore.CountAvailable(ctx, userID, deviceID) | ||||
| } | ||||
| 
 | ||||
| // GetSignedPreKeyInfo returns information about signed prekey existence and last rotation | ||||
| func (km *KeysManager) GetSignedPreKeyInfo(ctx context.Context, userID string, deviceID int32) (exists bool, lastRotation time.Time, err error) { | ||||
| 	signedPreKey, err := km.signedPreKeyStore.GetActive(ctx, userID, deviceID) | ||||
| 	if err != nil { | ||||
| 		return false, time.Time{}, err | ||||
| 	} | ||||
| 
 | ||||
| 	if signedPreKey != nil { | ||||
| 		return true, signedPreKey.CreatedTime, nil | ||||
| 	} | ||||
| 
 | ||||
| 	return false, time.Time{}, nil | ||||
| } | ||||
| 
 | ||||
| // CleanupExpiredKeys removes expired keys from storage | ||||
| func (km *KeysManager) CleanupExpiredKeys(ctx context.Context) error { | ||||
| 	// Cleanup used one-time prekeys older than 7 days | ||||
| 	usedPreKeysCleanedCount, err := km.preKeyStore.CleanupUsed(ctx, 7*24*time.Hour) | ||||
| 	if err != nil { | ||||
| 		log.ZError(ctx, "failed to cleanup used prekeys", err) | ||||
| 	} else { | ||||
| 		log.ZInfo(ctx, "cleaned up used prekeys", "count", usedPreKeysCleanedCount) | ||||
| 	} | ||||
| 
 | ||||
| 	// Cleanup inactive signed prekeys older than 30 days | ||||
| 	inactiveSignedPreKeysCount, err := km.signedPreKeyStore.CleanupInactive(ctx, 30*24*time.Hour) | ||||
| 	if err != nil { | ||||
| 		log.ZError(ctx, "failed to cleanup inactive signed prekeys", err) | ||||
| 	} else { | ||||
| 		log.ZInfo(ctx, "cleaned up inactive signed prekeys", "count", inactiveSignedPreKeysCount) | ||||
| 	} | ||||
| 
 | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| // ValidateSignedPreKey validates the signature of a signed prekey | ||||
| func (km *KeysManager) ValidateSignedPreKey(ctx context.Context, userID string, deviceID int32, signedPreKey *SignedPreKeyResponse) error { | ||||
| 	// Get the identity key to verify the signature | ||||
| 	_, err := km.GetIdentityKey(ctx, userID, deviceID) | ||||
| 	if err != nil { | ||||
| 		return fmt.Errorf("failed to get identity key for signature validation: %w", err) | ||||
| 	} | ||||
| 
 | ||||
| 	// TODO: Implement actual signature validation using Signal Protocol | ||||
| 	// This would require integrating with the Signal Protocol library | ||||
| 	// For now, we'll skip the validation | ||||
| 	log.ZInfo(ctx, "signed prekey signature validation skipped (not implemented)", | ||||
| 		"userID", userID, "deviceID", deviceID, "keyID", signedPreKey.KeyId) | ||||
| 
 | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| // RotateSignedPreKey creates a new signed prekey and deactivates the old one | ||||
| func (km *KeysManager) RotateSignedPreKey(ctx context.Context, userID string, deviceID int32, newSignedPreKey *SignedPreKeyResponse) error { | ||||
| 	// Validate the new signed prekey | ||||
| 	err := km.ValidateSignedPreKey(ctx, userID, deviceID, newSignedPreKey) | ||||
| 	if err != nil { | ||||
| 		return fmt.Errorf("signed prekey validation failed: %w", err) | ||||
| 	} | ||||
| 
 | ||||
| 	// Set the new signed prekey (this will automatically deactivate the old one) | ||||
| 	return km.SetSignedPreKey(ctx, userID, deviceID, newSignedPreKey) | ||||
| } | ||||
| 
 | ||||
| // GetPreKeyBundleForUser retrieves all necessary keys for X3DH key agreement | ||||
| func (km *KeysManager) GetPreKeyBundleForUser(ctx context.Context, userID string, deviceID int32) (map[string]interface{}, error) { | ||||
| 	// Get identity key | ||||
| 	identityKey, err := km.GetIdentityKey(ctx, userID, deviceID) | ||||
| 	if err != nil { | ||||
| 		return nil, fmt.Errorf("failed to get identity key: %w", err) | ||||
| 	} | ||||
| 
 | ||||
| 	// Get signed prekey | ||||
| 	signedPreKey, err := km.GetActiveSignedPreKey(ctx, userID, deviceID) | ||||
| 	if err != nil { | ||||
| 		return nil, fmt.Errorf("failed to get signed prekey: %w", err) | ||||
| 	} | ||||
| 
 | ||||
| 	// Get one-time prekey (optional) | ||||
| 	oneTimePreKey, err := km.GetOneTimePreKey(ctx, userID, deviceID) | ||||
| 	if err != nil { | ||||
| 		log.ZWarn(ctx, "no one-time prekey available", err) | ||||
| 		oneTimePreKey = nil | ||||
| 	} | ||||
| 
 | ||||
| 	bundle := map[string]interface{}{ | ||||
| 		"identityKey": map[string]interface{}{ | ||||
| 			"identityKey":    identityKey.IdentityKey, | ||||
| 			"registrationId": identityKey.RegistrationID, | ||||
| 			"createdTime":    identityKey.CreatedTime.Unix(), | ||||
| 		}, | ||||
| 		"signedPreKey": map[string]interface{}{ | ||||
| 			"keyId":       signedPreKey.KeyID, | ||||
| 			"publicKey":   signedPreKey.PublicKey, | ||||
| 			"signature":   signedPreKey.Signature, | ||||
| 			"createdTime": signedPreKey.CreatedTime.Unix(), | ||||
| 		}, | ||||
| 		"registrationId": identityKey.RegistrationID, | ||||
| 	} | ||||
| 
 | ||||
| 	if oneTimePreKey != nil { | ||||
| 		bundle["oneTimePreKey"] = map[string]interface{}{ | ||||
| 			"keyId":     oneTimePreKey.KeyID, | ||||
| 			"publicKey": oneTimePreKey.PublicKey, | ||||
| 		} | ||||
| 	} | ||||
| 
 | ||||
| 	return bundle, nil | ||||
| } | ||||
| 
 | ||||
| // Response structures used in key manager | ||||
| type SignedPreKeyResponse struct { | ||||
| 	KeyId     uint32 `json:"keyId"` | ||||
| 	PublicKey []byte `json:"publicKey"` | ||||
| 	Signature []byte `json:"signature"` | ||||
| } | ||||
| 
 | ||||
| type PreKeyResponse struct { | ||||
| 	KeyId     uint32 `json:"keyId"` | ||||
| 	PublicKey []byte `json:"publicKey"` | ||||
| } | ||||
							
								
								
									
										178
									
								
								internal/rpc/encryption/server.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										178
									
								
								internal/rpc/encryption/server.go
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,178 @@ | ||||
| // Copyright © 2024 OpenIM. All rights reserved. | ||||
| // | ||||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||||
| // you may not use this file except in compliance with the License. | ||||
| // You may obtain a copy of the License at | ||||
| // | ||||
| //     http://www.apache.org/licenses/LICENSE-2.0 | ||||
| // | ||||
| // Unless required by applicable law or agreed to in writing, software | ||||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||
| // See the License for the specific language governing permissions and | ||||
| // limitations under the License. | ||||
| 
 | ||||
| package encryption | ||||
| 
 | ||||
| import ( | ||||
| 	"context" | ||||
| 	"fmt" | ||||
| 	"net/http" | ||||
| 	"time" | ||||
| 
 | ||||
| 	"github.com/gin-gonic/gin" | ||||
| 	"github.com/openimsdk/open-im-server/v3/internal/rpc/encryption/stores" | ||||
| 	kdisc "github.com/openimsdk/open-im-server/v3/pkg/common/discovery" | ||||
| 	"github.com/openimsdk/tools/db/mongoutil" | ||||
| 	"github.com/openimsdk/tools/discovery" | ||||
| 	"github.com/openimsdk/tools/log" | ||||
| ) | ||||
| 
 | ||||
| type Server struct { | ||||
| 	*Config | ||||
| 	keysManager   *KeysManager | ||||
| 	discoveryConn discovery.Conn | ||||
| 	httpServer    *http.Server | ||||
| } | ||||
| 
 | ||||
| func Start(ctx context.Context, cfg *Config) error { | ||||
| 	log.ZInfo(ctx, "encryption server start") | ||||
| 
 | ||||
| 	// Initialize service registry | ||||
| 	client, err := kdisc.NewDiscoveryRegister(&cfg.Discovery, nil) | ||||
| 	if err != nil { | ||||
| 		return err | ||||
| 	} | ||||
| 
 | ||||
| 	// Initialize MongoDB | ||||
| 	mongoClient, err := mongoutil.NewMongoDB(ctx, cfg.MongodbConfig.Build()) | ||||
| 	if err != nil { | ||||
| 		return err | ||||
| 	} | ||||
| 
 | ||||
| 	// Get the specific database | ||||
| 	db := mongoClient.GetDB() | ||||
| 
 | ||||
| 	// Initialize stores | ||||
| 	identityStore := stores.NewIdentityStore(db) | ||||
| 	preKeyStore := stores.NewPreKeyStore(db) | ||||
| 	signedPreKeyStore := stores.NewSignedPreKeyStore(db) | ||||
| 
 | ||||
| 	// Initialize managers | ||||
| 	keysManager := NewKeysManager(identityStore, preKeyStore, signedPreKeyStore) | ||||
| 
 | ||||
| 	server := &Server{ | ||||
| 		Config:        cfg, | ||||
| 		keysManager:   keysManager, | ||||
| 		discoveryConn: client, | ||||
| 	} | ||||
| 
 | ||||
| 	// Setup HTTP server | ||||
| 	if err := server.setupHTTPServer(); err != nil { | ||||
| 		return err | ||||
| 	} | ||||
| 
 | ||||
| 	// Start HTTP server | ||||
| 	go func() { | ||||
| 		if err := server.httpServer.ListenAndServe(); err != nil && err != http.ErrServerClosed { | ||||
| 			log.ZError(ctx, "HTTP server failed to start", err) | ||||
| 		} | ||||
| 	}() | ||||
| 
 | ||||
| 	log.ZInfo(ctx, "encryption server started successfully", "port", cfg.RpcConfig.Ports[0]) | ||||
| 
 | ||||
| 	// Keep the service running | ||||
| 	select { | ||||
| 	case <-ctx.Done(): | ||||
| 		return server.shutdown(ctx) | ||||
| 	} | ||||
| } | ||||
| 
 | ||||
| func (s *Server) setupHTTPServer() error { | ||||
| 	gin.SetMode(gin.ReleaseMode) | ||||
| 	router := gin.Default() | ||||
| 
 | ||||
| 	// Add middleware | ||||
| 	router.Use(gin.Recovery()) | ||||
| 	router.Use(s.corsMiddleware()) | ||||
| 	router.Use(s.loggingMiddleware()) | ||||
| 
 | ||||
| 	// API routes | ||||
| 	api := router.Group("/api/v1/encryption") | ||||
| 	{ | ||||
| 		// Key management endpoints | ||||
| 		api.GET("/prekeys/:user_id/:device_id", s.GetPreKeys) | ||||
| 		api.POST("/prekeys/:user_id/:device_id", s.SetPreKeys) | ||||
| 		api.GET("/prekeys/:user_id/:device_id/count", s.GetPreKeyCount) | ||||
| 		api.GET("/identity/:user_id/:device_id", s.GetIdentityKey) | ||||
| 
 | ||||
| 		// Health check | ||||
| 		api.GET("/health", s.HealthCheck) | ||||
| 	} | ||||
| 
 | ||||
| 	// Create HTTP server | ||||
| 	port := fmt.Sprintf(":%d", s.Config.RpcConfig.Ports[0]) | ||||
| 	s.httpServer = &http.Server{ | ||||
| 		Addr:         port, | ||||
| 		Handler:      router, | ||||
| 		ReadTimeout:  30 * time.Second, | ||||
| 		WriteTimeout: 30 * time.Second, | ||||
| 	} | ||||
| 
 | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| func (s *Server) shutdown(ctx context.Context) error { | ||||
| 	log.ZInfo(ctx, "shutting down encryption server") | ||||
| 
 | ||||
| 	// Shutdown HTTP server | ||||
| 	if s.httpServer != nil { | ||||
| 		shutdownCtx, cancel := context.WithTimeout(ctx, 5*time.Second) | ||||
| 		defer cancel() | ||||
| 		if err := s.httpServer.Shutdown(shutdownCtx); err != nil { | ||||
| 			log.ZError(ctx, "failed to shutdown HTTP server", err) | ||||
| 		} | ||||
| 	} | ||||
| 
 | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| func (s *Server) corsMiddleware() gin.HandlerFunc { | ||||
| 	return func(c *gin.Context) { | ||||
| 		c.Header("Access-Control-Allow-Origin", "*") | ||||
| 		c.Header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS") | ||||
| 		c.Header("Access-Control-Allow-Headers", "Content-Type, Authorization") | ||||
| 
 | ||||
| 		if c.Request.Method == "OPTIONS" { | ||||
| 			c.AbortWithStatus(204) | ||||
| 			return | ||||
| 		} | ||||
| 
 | ||||
| 		c.Next() | ||||
| 	} | ||||
| } | ||||
| 
 | ||||
| func (s *Server) loggingMiddleware() gin.HandlerFunc { | ||||
| 	return gin.LoggerWithFormatter(func(param gin.LogFormatterParams) string { | ||||
| 		return fmt.Sprintf("[%s] %s %s %d %s\n", | ||||
| 			param.TimeStamp.Format("2006/01/02 - 15:04:05"), | ||||
| 			param.Method, | ||||
| 			param.Path, | ||||
| 			param.StatusCode, | ||||
| 			param.Latency, | ||||
| 		) | ||||
| 	}) | ||||
| } | ||||
| 
 | ||||
| // HealthCheck handles GET /api/v1/encryption/health | ||||
| func (s *Server) HealthCheck(c *gin.Context) { | ||||
| 	c.JSON(200, APIResponse{ | ||||
| 		Code:    0, | ||||
| 		Message: "success", | ||||
| 		Data: map[string]interface{}{ | ||||
| 			"status":    "healthy", | ||||
| 			"mode":      s.Config.GetEncryptionMode(), | ||||
| 			"timestamp": time.Now().Unix(), | ||||
| 		}, | ||||
| 	}) | ||||
| } | ||||
							
								
								
									
										91
									
								
								internal/rpc/encryption/stores/identity_store.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										91
									
								
								internal/rpc/encryption/stores/identity_store.go
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,91 @@ | ||||
| // Copyright © 2024 OpenIM. All rights reserved. | ||||
| // | ||||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||||
| // you may not use this file except in compliance with the License. | ||||
| // You may obtain a copy of the License at | ||||
| // | ||||
| //     http://www.apache.org/licenses/LICENSE-2.0 | ||||
| // | ||||
| // Unless required by applicable law or agreed to in writing, software | ||||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||
| // See the License for the specific language governing permissions and | ||||
| // limitations under the License. | ||||
| 
 | ||||
| package stores | ||||
| 
 | ||||
| import ( | ||||
| 	"context" | ||||
| 	"fmt" | ||||
| 
 | ||||
| 	"go.mongodb.org/mongo-driver/bson" | ||||
| 	"go.mongodb.org/mongo-driver/mongo" | ||||
| 	"go.mongodb.org/mongo-driver/mongo/options" | ||||
| 
 | ||||
| 	"github.com/openimsdk/open-im-server/v3/pkg/common/storage/model/signal" | ||||
| 	"github.com/openimsdk/tools/db/mongoutil" | ||||
| 	"github.com/openimsdk/tools/errs" | ||||
| 	"github.com/openimsdk/tools/log" | ||||
| ) | ||||
| 
 | ||||
| type IdentityStore struct { | ||||
| 	coll *mongo.Collection | ||||
| } | ||||
| 
 | ||||
| func NewIdentityStore(db *mongo.Database) IdentityStoreInterface { | ||||
| 	coll := db.Collection(signal.SignalIdentityKeyCollection) | ||||
| 	// Create indexes | ||||
| 	_, err := coll.Indexes().CreateMany(context.Background(), []mongo.IndexModel{ | ||||
| 		{ | ||||
| 			Keys:    bson.D{{Key: "user_id", Value: 1}, {Key: "device_id", Value: 1}}, | ||||
| 			Options: options.Index().SetUnique(true), | ||||
| 		}, | ||||
| 		{Keys: bson.D{{Key: "user_id", Value: 1}}}, | ||||
| 	}) | ||||
| 	if err != nil { | ||||
| 		log.ZWarn(context.Background(), "failed to create indexes for identity store", err) | ||||
| 	} | ||||
| 	 | ||||
| 	return &IdentityStore{coll: coll} | ||||
| } | ||||
| 
 | ||||
| func (s *IdentityStore) Create(ctx context.Context, identityKey *signal.SignalIdentityKey) error { | ||||
| 	return mongoutil.InsertOne(ctx, s.coll, identityKey) | ||||
| } | ||||
| 
 | ||||
| func (s *IdentityStore) Update(ctx context.Context, userID string, deviceID int32, identityKey *signal.SignalIdentityKey) error { | ||||
| 	filter := bson.M{"user_id": userID, "device_id": deviceID} | ||||
| 	update := bson.M{"$set": identityKey} | ||||
| 	return mongoutil.UpdateOne(ctx, s.coll, filter, update, false) | ||||
| } | ||||
| 
 | ||||
| func (s *IdentityStore) Get(ctx context.Context, userID string, deviceID int32) (*signal.SignalIdentityKey, error) { | ||||
| 	filter := bson.M{"user_id": userID, "device_id": deviceID} | ||||
| 	identityKey, err := mongoutil.FindOne[*signal.SignalIdentityKey](ctx, s.coll, filter) | ||||
| 	if err != nil { | ||||
| 		if errs.ErrRecordNotFound.Is(err) { | ||||
| 			return nil, fmt.Errorf("identity key not found for user %s device %d", userID, deviceID) | ||||
| 		} | ||||
| 		return nil, err | ||||
| 	} | ||||
| 	return identityKey, nil | ||||
| } | ||||
| 
 | ||||
| func (s *IdentityStore) Delete(ctx context.Context, userID string, deviceID int32) error { | ||||
| 	filter := bson.M{"user_id": userID, "device_id": deviceID} | ||||
| 	return mongoutil.DeleteOne(ctx, s.coll, filter) | ||||
| } | ||||
| 
 | ||||
| func (s *IdentityStore) GetByUserID(ctx context.Context, userID string) ([]*signal.SignalIdentityKey, error) { | ||||
| 	filter := bson.M{"user_id": userID} | ||||
| 	return mongoutil.Find[*signal.SignalIdentityKey](ctx, s.coll, filter) | ||||
| } | ||||
| 
 | ||||
| func (s *IdentityStore) Exists(ctx context.Context, userID string, deviceID int32) (bool, error) { | ||||
| 	filter := bson.M{"user_id": userID, "device_id": deviceID} | ||||
| 	count, err := s.coll.CountDocuments(ctx, filter) | ||||
| 	if err != nil { | ||||
| 		return false, err | ||||
| 	} | ||||
| 	return count > 0, nil | ||||
| } | ||||
							
								
								
									
										59
									
								
								internal/rpc/encryption/stores/interfaces.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										59
									
								
								internal/rpc/encryption/stores/interfaces.go
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,59 @@ | ||||
| // Copyright © 2024 OpenIM. All rights reserved. | ||||
| // | ||||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||||
| // you may not use this file except in compliance with the License. | ||||
| // You may obtain a copy of the License at | ||||
| // | ||||
| //     http://www.apache.org/licenses/LICENSE-2.0 | ||||
| // | ||||
| // Unless required by applicable law or agreed to in writing, software | ||||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||
| // See the License for the specific language governing permissions and | ||||
| // limitations under the License. | ||||
| 
 | ||||
| package stores | ||||
| 
 | ||||
| import ( | ||||
| 	"context" | ||||
| 	"time" | ||||
| 
 | ||||
| 	"github.com/openimsdk/open-im-server/v3/pkg/common/storage/model/signal" | ||||
| ) | ||||
| 
 | ||||
| // IdentityStoreInterface defines the interface for identity key storage operations | ||||
| type IdentityStoreInterface interface { | ||||
| 	Create(ctx context.Context, identityKey *signal.SignalIdentityKey) error | ||||
| 	Update(ctx context.Context, userID string, deviceID int32, identityKey *signal.SignalIdentityKey) error | ||||
| 	Get(ctx context.Context, userID string, deviceID int32) (*signal.SignalIdentityKey, error) | ||||
| 	Delete(ctx context.Context, userID string, deviceID int32) error | ||||
| 	GetByUserID(ctx context.Context, userID string) ([]*signal.SignalIdentityKey, error) | ||||
| 	Exists(ctx context.Context, userID string, deviceID int32) (bool, error) | ||||
| } | ||||
| 
 | ||||
| // PreKeyStoreInterface defines the interface for one-time prekey storage operations | ||||
| type PreKeyStoreInterface interface { | ||||
| 	Create(ctx context.Context, prekey *signal.SignalPreKey) error | ||||
| 	CreateBatch(ctx context.Context, prekeys []*signal.SignalPreKey) error | ||||
| 	GetAvailable(ctx context.Context, userID string, deviceID int32) (*signal.SignalPreKey, error) | ||||
| 	MarkUsed(ctx context.Context, userID string, deviceID int32, keyID uint32) error | ||||
| 	Delete(ctx context.Context, userID string, deviceID int32, keyID uint32) error | ||||
| 	DeleteAllByUserDevice(ctx context.Context, userID string, deviceID int32) error | ||||
| 	CountAvailable(ctx context.Context, userID string, deviceID int32) (int64, error) | ||||
| 	GetByKeyID(ctx context.Context, userID string, deviceID int32, keyID uint32) (*signal.SignalPreKey, error) | ||||
| 	CleanupUsed(ctx context.Context, olderThan time.Duration) (int64, error) | ||||
| } | ||||
| 
 | ||||
| // SignedPreKeyStoreInterface defines the interface for signed prekey storage operations | ||||
| type SignedPreKeyStoreInterface interface { | ||||
| 	Create(ctx context.Context, signedPrekey *signal.SignalSignedPreKey) error | ||||
| 	Update(ctx context.Context, userID string, deviceID int32, keyID uint32, signedPrekey *signal.SignalSignedPreKey) error | ||||
| 	GetActive(ctx context.Context, userID string, deviceID int32) (*signal.SignalSignedPreKey, error) | ||||
| 	GetByKeyID(ctx context.Context, userID string, deviceID int32, keyID uint32) (*signal.SignalSignedPreKey, error) | ||||
| 	SetActive(ctx context.Context, userID string, deviceID int32, keyID uint32) error | ||||
| 	Delete(ctx context.Context, userID string, deviceID int32, keyID uint32) error | ||||
| 	GetAll(ctx context.Context, userID string, deviceID int32) ([]*signal.SignalSignedPreKey, error) | ||||
| 	CleanupInactive(ctx context.Context, olderThan time.Duration) (int64, error) | ||||
| 	Exists(ctx context.Context, userID string, deviceID int32) (bool, error) | ||||
| } | ||||
| 
 | ||||
							
								
								
									
										157
									
								
								internal/rpc/encryption/stores/prekey_store.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										157
									
								
								internal/rpc/encryption/stores/prekey_store.go
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,157 @@ | ||||
| // Copyright © 2024 OpenIM. All rights reserved. | ||||
| // | ||||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||||
| // you may not use this file except in compliance with the License. | ||||
| // You may obtain a copy of the License at | ||||
| // | ||||
| //     http://www.apache.org/licenses/LICENSE-2.0 | ||||
| // | ||||
| // Unless required by applicable law or agreed to in writing, software | ||||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||
| // See the License for the specific language governing permissions and | ||||
| // limitations under the License. | ||||
| 
 | ||||
| package stores | ||||
| 
 | ||||
| import ( | ||||
| 	"context" | ||||
| 	"time" | ||||
| 
 | ||||
| 	"go.mongodb.org/mongo-driver/bson" | ||||
| 	"go.mongodb.org/mongo-driver/mongo" | ||||
| 	"go.mongodb.org/mongo-driver/mongo/options" | ||||
| 
 | ||||
| 	"github.com/openimsdk/open-im-server/v3/pkg/common/storage/model/signal" | ||||
| 	"github.com/openimsdk/tools/db/mongoutil" | ||||
| 	"github.com/openimsdk/tools/log" | ||||
| ) | ||||
| 
 | ||||
| type PreKeyStore struct { | ||||
| 	coll *mongo.Collection | ||||
| } | ||||
| 
 | ||||
| func NewPreKeyStore(db *mongo.Database) PreKeyStoreInterface { | ||||
| 	coll := db.Collection(signal.SignalPreKeyCollection) | ||||
| 	// Create indexes | ||||
| 	_, err := coll.Indexes().CreateMany(context.Background(), []mongo.IndexModel{ | ||||
| 		{ | ||||
| 			Keys:    bson.D{{Key: "user_id", Value: 1}, {Key: "device_id", Value: 1}, {Key: "key_id", Value: 1}}, | ||||
| 			Options: options.Index().SetUnique(true), | ||||
| 		}, | ||||
| 		{Keys: bson.D{{Key: "user_id", Value: 1}, {Key: "device_id", Value: 1}}}, | ||||
| 		{Keys: bson.D{{Key: "user_id", Value: 1}, {Key: "device_id", Value: 1}, {Key: "used", Value: 1}}}, | ||||
| 		{Keys: bson.D{{Key: "created_time", Value: 1}}}, | ||||
| 		{Keys: bson.D{{Key: "used_time", Value: 1}}}, | ||||
| 	}) | ||||
| 	if err != nil { | ||||
| 		log.ZWarn(context.Background(), "failed to create indexes for prekey store", err) | ||||
| 	} | ||||
| 	 | ||||
| 	return &PreKeyStore{coll: coll} | ||||
| } | ||||
| 
 | ||||
| func (s *PreKeyStore) Create(ctx context.Context, prekey *signal.SignalPreKey) error { | ||||
| 	return mongoutil.InsertOne(ctx, s.coll, prekey) | ||||
| } | ||||
| 
 | ||||
| func (s *PreKeyStore) CreateBatch(ctx context.Context, prekeys []*signal.SignalPreKey) error { | ||||
| 	if len(prekeys) == 0 { | ||||
| 		return nil | ||||
| 	} | ||||
| 	return mongoutil.InsertMany(ctx, s.coll, prekeys) | ||||
| } | ||||
| 
 | ||||
| func (s *PreKeyStore) GetAvailable(ctx context.Context, userID string, deviceID int32) (*signal.SignalPreKey, error) { | ||||
| 	filter := bson.M{ | ||||
| 		"user_id":   userID, | ||||
| 		"device_id": deviceID, | ||||
| 		"used":      false, | ||||
| 	} | ||||
| 	 | ||||
| 	// Get one available prekey, sorted by creation time (FIFO) | ||||
| 	opts := options.FindOne().SetSort(bson.D{{Key: "created_time", Value: 1}}) | ||||
| 	prekey, err := mongoutil.FindOne[*signal.SignalPreKey](ctx, s.coll, filter, opts) | ||||
| 	if err != nil { | ||||
| 		return nil, err | ||||
| 	} | ||||
| 	 | ||||
| 	return prekey, nil | ||||
| } | ||||
| 
 | ||||
| func (s *PreKeyStore) MarkUsed(ctx context.Context, userID string, deviceID int32, keyID uint32) error { | ||||
| 	filter := bson.M{ | ||||
| 		"user_id":   userID, | ||||
| 		"device_id": deviceID, | ||||
| 		"key_id":    keyID, | ||||
| 	} | ||||
| 	 | ||||
| 	now := time.Now() | ||||
| 	update := bson.M{ | ||||
| 		"$set": bson.M{ | ||||
| 			"used":      true, | ||||
| 			"used_time": now, | ||||
| 		}, | ||||
| 	} | ||||
| 	 | ||||
| 	return mongoutil.UpdateOne(ctx, s.coll, filter, update, false) | ||||
| } | ||||
| 
 | ||||
| func (s *PreKeyStore) Delete(ctx context.Context, userID string, deviceID int32, keyID uint32) error { | ||||
| 	filter := bson.M{ | ||||
| 		"user_id":   userID, | ||||
| 		"device_id": deviceID, | ||||
| 		"key_id":    keyID, | ||||
| 	} | ||||
| 	 | ||||
| 	return mongoutil.DeleteOne(ctx, s.coll, filter) | ||||
| } | ||||
| 
 | ||||
| func (s *PreKeyStore) DeleteAllByUserDevice(ctx context.Context, userID string, deviceID int32) error { | ||||
| 	filter := bson.M{ | ||||
| 		"user_id":   userID, | ||||
| 		"device_id": deviceID, | ||||
| 	} | ||||
| 	 | ||||
| 	return mongoutil.DeleteMany(ctx, s.coll, filter) | ||||
| } | ||||
| 
 | ||||
| func (s *PreKeyStore) CountAvailable(ctx context.Context, userID string, deviceID int32) (int64, error) { | ||||
| 	filter := bson.M{ | ||||
| 		"user_id":   userID, | ||||
| 		"device_id": deviceID, | ||||
| 		"used":      false, | ||||
| 	} | ||||
| 	 | ||||
| 	return s.coll.CountDocuments(ctx, filter) | ||||
| } | ||||
| 
 | ||||
| func (s *PreKeyStore) GetByKeyID(ctx context.Context, userID string, deviceID int32, keyID uint32) (*signal.SignalPreKey, error) { | ||||
| 	filter := bson.M{ | ||||
| 		"user_id":   userID, | ||||
| 		"device_id": deviceID, | ||||
| 		"key_id":    keyID, | ||||
| 	} | ||||
| 	 | ||||
| 	prekey, err := mongoutil.FindOne[*signal.SignalPreKey](ctx, s.coll, filter) | ||||
| 	if err != nil { | ||||
| 		return nil, err | ||||
| 	} | ||||
| 	 | ||||
| 	return prekey, nil | ||||
| } | ||||
| 
 | ||||
| func (s *PreKeyStore) CleanupUsed(ctx context.Context, olderThan time.Duration) (int64, error) { | ||||
| 	cutoffTime := time.Now().Add(-olderThan) | ||||
| 	filter := bson.M{ | ||||
| 		"used":      true, | ||||
| 		"used_time": bson.M{"$lt": cutoffTime}, | ||||
| 	} | ||||
| 	 | ||||
| 	result, err := s.coll.DeleteMany(ctx, filter) | ||||
| 	if err != nil { | ||||
| 		return 0, err | ||||
| 	} | ||||
| 	 | ||||
| 	return result.DeletedCount, nil | ||||
| } | ||||
							
								
								
									
										187
									
								
								internal/rpc/encryption/stores/signed_prekey_store.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										187
									
								
								internal/rpc/encryption/stores/signed_prekey_store.go
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,187 @@ | ||||
| // Copyright © 2024 OpenIM. All rights reserved. | ||||
| // | ||||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||||
| // you may not use this file except in compliance with the License. | ||||
| // You may obtain a copy of the License at | ||||
| // | ||||
| //     http://www.apache.org/licenses/LICENSE-2.0 | ||||
| // | ||||
| // Unless required by applicable law or agreed to in writing, software | ||||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||
| // See the License for the specific language governing permissions and | ||||
| // limitations under the License. | ||||
| 
 | ||||
| package stores | ||||
| 
 | ||||
| import ( | ||||
| 	"context" | ||||
| 	"time" | ||||
| 
 | ||||
| 	"go.mongodb.org/mongo-driver/bson" | ||||
| 	"go.mongodb.org/mongo-driver/mongo" | ||||
| 	"go.mongodb.org/mongo-driver/mongo/options" | ||||
| 
 | ||||
| 	"github.com/openimsdk/open-im-server/v3/pkg/common/storage/model/signal" | ||||
| 	"github.com/openimsdk/tools/db/mongoutil" | ||||
| 	"github.com/openimsdk/tools/log" | ||||
| ) | ||||
| 
 | ||||
| type SignedPreKeyStore struct { | ||||
| 	coll *mongo.Collection | ||||
| } | ||||
| 
 | ||||
| func NewSignedPreKeyStore(db *mongo.Database) SignedPreKeyStoreInterface { | ||||
| 	coll := db.Collection(signal.SignalSignedPreKeyCollection) | ||||
| 	// Create indexes | ||||
| 	_, err := coll.Indexes().CreateMany(context.Background(), []mongo.IndexModel{ | ||||
| 		{ | ||||
| 			Keys:    bson.D{{Key: "user_id", Value: 1}, {Key: "device_id", Value: 1}, {Key: "key_id", Value: 1}}, | ||||
| 			Options: options.Index().SetUnique(true), | ||||
| 		}, | ||||
| 		{Keys: bson.D{{Key: "user_id", Value: 1}, {Key: "device_id", Value: 1}}}, | ||||
| 		{Keys: bson.D{{Key: "user_id", Value: 1}, {Key: "device_id", Value: 1}, {Key: "active", Value: 1}}}, | ||||
| 		{Keys: bson.D{{Key: "active", Value: 1}, {Key: "created_time", Value: 1}}}, | ||||
| 		{Keys: bson.D{{Key: "created_time", Value: 1}}}, | ||||
| 	}) | ||||
| 	if err != nil { | ||||
| 		log.ZWarn(context.Background(), "failed to create indexes for signed prekey store", err) | ||||
| 	} | ||||
| 	 | ||||
| 	return &SignedPreKeyStore{coll: coll} | ||||
| } | ||||
| 
 | ||||
| func (s *SignedPreKeyStore) Create(ctx context.Context, signedPrekey *signal.SignalSignedPreKey) error { | ||||
| 	return mongoutil.InsertOne(ctx, s.coll, signedPrekey) | ||||
| } | ||||
| 
 | ||||
| func (s *SignedPreKeyStore) Update(ctx context.Context, userID string, deviceID int32, keyID uint32, signedPrekey *signal.SignalSignedPreKey) error { | ||||
| 	filter := bson.M{ | ||||
| 		"user_id":   userID, | ||||
| 		"device_id": deviceID, | ||||
| 		"key_id":    keyID, | ||||
| 	} | ||||
| 	 | ||||
| 	update := bson.M{"$set": signedPrekey} | ||||
| 	return mongoutil.UpdateOne(ctx, s.coll, filter, update, false) | ||||
| } | ||||
| 
 | ||||
| func (s *SignedPreKeyStore) GetActive(ctx context.Context, userID string, deviceID int32) (*signal.SignalSignedPreKey, error) { | ||||
| 	filter := bson.M{ | ||||
| 		"user_id":   userID, | ||||
| 		"device_id": deviceID, | ||||
| 		"active":    true, | ||||
| 	} | ||||
| 	 | ||||
| 	// Get the most recent active signed prekey | ||||
| 	opts := options.FindOne().SetSort(bson.D{{Key: "created_time", Value: -1}}) | ||||
| 	signedPrekey, err := mongoutil.FindOne[*signal.SignalSignedPreKey](ctx, s.coll, filter, opts) | ||||
| 	if err != nil { | ||||
| 		return nil, err | ||||
| 	} | ||||
| 	 | ||||
| 	return signedPrekey, nil | ||||
| } | ||||
| 
 | ||||
| func (s *SignedPreKeyStore) GetByKeyID(ctx context.Context, userID string, deviceID int32, keyID uint32) (*signal.SignalSignedPreKey, error) { | ||||
| 	filter := bson.M{ | ||||
| 		"user_id":   userID, | ||||
| 		"device_id": deviceID, | ||||
| 		"key_id":    keyID, | ||||
| 	} | ||||
| 	 | ||||
| 	signedPrekey, err := mongoutil.FindOne[*signal.SignalSignedPreKey](ctx, s.coll, filter) | ||||
| 	if err != nil { | ||||
| 		return nil, err | ||||
| 	} | ||||
| 	 | ||||
| 	return signedPrekey, nil | ||||
| } | ||||
| 
 | ||||
| func (s *SignedPreKeyStore) SetActive(ctx context.Context, userID string, deviceID int32, keyID uint32) error { | ||||
| 	session, err := s.coll.Database().Client().StartSession() | ||||
| 	if err != nil { | ||||
| 		return err | ||||
| 	} | ||||
| 	defer session.EndSession(ctx) | ||||
| 	 | ||||
| 	// Use transaction to ensure atomicity | ||||
| 	_, err = session.WithTransaction(ctx, func(sc mongo.SessionContext) (interface{}, error) { | ||||
| 		// First, deactivate all existing signed prekeys for this user/device | ||||
| 		deactivateFilter := bson.M{ | ||||
| 			"user_id":   userID, | ||||
| 			"device_id": deviceID, | ||||
| 		} | ||||
| 		deactivateUpdate := bson.M{ | ||||
| 			"$set": bson.M{"active": false}, | ||||
| 		} | ||||
| 		_, err := s.coll.UpdateMany(sc, deactivateFilter, deactivateUpdate) | ||||
| 		if err != nil { | ||||
| 			return nil, err | ||||
| 		} | ||||
| 		 | ||||
| 		// Then, activate the specified signed prekey | ||||
| 		activateFilter := bson.M{ | ||||
| 			"user_id":   userID, | ||||
| 			"device_id": deviceID, | ||||
| 			"key_id":    keyID, | ||||
| 		} | ||||
| 		activateUpdate := bson.M{ | ||||
| 			"$set": bson.M{"active": true}, | ||||
| 		} | ||||
| 		return s.coll.UpdateOne(sc, activateFilter, activateUpdate) | ||||
| 	}) | ||||
| 	 | ||||
| 	return err | ||||
| } | ||||
| 
 | ||||
| func (s *SignedPreKeyStore) Delete(ctx context.Context, userID string, deviceID int32, keyID uint32) error { | ||||
| 	filter := bson.M{ | ||||
| 		"user_id":   userID, | ||||
| 		"device_id": deviceID, | ||||
| 		"key_id":    keyID, | ||||
| 	} | ||||
| 	 | ||||
| 	return mongoutil.DeleteOne(ctx, s.coll, filter) | ||||
| } | ||||
| 
 | ||||
| func (s *SignedPreKeyStore) GetAll(ctx context.Context, userID string, deviceID int32) ([]*signal.SignalSignedPreKey, error) { | ||||
| 	filter := bson.M{ | ||||
| 		"user_id":   userID, | ||||
| 		"device_id": deviceID, | ||||
| 	} | ||||
| 	 | ||||
| 	// Sort by creation time, newest first | ||||
| 	opts := options.Find().SetSort(bson.D{{Key: "created_time", Value: -1}}) | ||||
| 	return mongoutil.Find[*signal.SignalSignedPreKey](ctx, s.coll, filter, opts) | ||||
| } | ||||
| 
 | ||||
| func (s *SignedPreKeyStore) CleanupInactive(ctx context.Context, olderThan time.Duration) (int64, error) { | ||||
| 	cutoffTime := time.Now().Add(-olderThan) | ||||
| 	filter := bson.M{ | ||||
| 		"active":       false, | ||||
| 		"created_time": bson.M{"$lt": cutoffTime}, | ||||
| 	} | ||||
| 	 | ||||
| 	result, err := s.coll.DeleteMany(ctx, filter) | ||||
| 	if err != nil { | ||||
| 		return 0, err | ||||
| 	} | ||||
| 	 | ||||
| 	return result.DeletedCount, nil | ||||
| } | ||||
| 
 | ||||
| func (s *SignedPreKeyStore) Exists(ctx context.Context, userID string, deviceID int32) (bool, error) { | ||||
| 	filter := bson.M{ | ||||
| 		"user_id":   userID, | ||||
| 		"device_id": deviceID, | ||||
| 		"active":    true, | ||||
| 	} | ||||
| 	 | ||||
| 	count, err := s.coll.CountDocuments(ctx, filter) | ||||
| 	if err != nil { | ||||
| 		return false, err | ||||
| 	} | ||||
| 	 | ||||
| 	return count > 0, nil | ||||
| } | ||||
| @ -385,6 +385,7 @@ type RpcService struct { | ||||
| 	Auth           string `yaml:"auth"` | ||||
| 	Conversation   string `yaml:"conversation"` | ||||
| 	Third          string `yaml:"third"` | ||||
| 	Encryption     string `yaml:"encryption"` | ||||
| } | ||||
| 
 | ||||
| func (r *RpcService) GetServiceNames() []string { | ||||
| @ -398,6 +399,7 @@ func (r *RpcService) GetServiceNames() []string { | ||||
| 		r.Auth, | ||||
| 		r.Conversation, | ||||
| 		r.Third, | ||||
| 		r.Encryption, | ||||
| 	} | ||||
| } | ||||
| 
 | ||||
|  | ||||
							
								
								
									
										67
									
								
								pkg/common/storage/model/signal/signal_identity_keys.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										67
									
								
								pkg/common/storage/model/signal/signal_identity_keys.go
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,67 @@ | ||||
| // Copyright © 2024 OpenIM. All rights reserved. | ||||
| // | ||||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||||
| // you may not use this file except in compliance with the License. | ||||
| // You may obtain a copy of the License at | ||||
| // | ||||
| //     http://www.apache.org/licenses/LICENSE-2.0 | ||||
| // | ||||
| // Unless required by applicable law or agreed to in writing, software | ||||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||
| // See the License for the specific language governing permissions and | ||||
| // limitations under the License. | ||||
| 
 | ||||
| package signal | ||||
| 
 | ||||
| import ( | ||||
| 	"context" | ||||
| 	"time" | ||||
| ) | ||||
| 
 | ||||
| const ( | ||||
| 	SignalIdentityKeyCollection = "signal_identity_keys" | ||||
| ) | ||||
| 
 | ||||
| // SignalIdentityKey represents the identity key for Signal protocol | ||||
| type SignalIdentityKey struct { | ||||
| 	UserID         string    `bson:"user_id" json:"userID"` | ||||
| 	DeviceID       int32     `bson:"device_id" json:"deviceID"` | ||||
| 	IdentityKey    []byte    `bson:"identity_key" json:"identityKey"` | ||||
| 	RegistrationID int32     `bson:"registration_id" json:"registrationID"` | ||||
| 	CreatedTime    time.Time `bson:"created_time" json:"createdTime"` | ||||
| 	UpdatedTime    time.Time `bson:"updated_time" json:"updatedTime"` | ||||
| } | ||||
| 
 | ||||
| type SignalIdentityKeyModelInterface interface { | ||||
| 	// Create creates a new identity key record | ||||
| 	Create(ctx context.Context, identityKey *SignalIdentityKey) error | ||||
| 	 | ||||
| 	// Update updates an existing identity key | ||||
| 	Update(ctx context.Context, userID string, deviceID int32, identityKey *SignalIdentityKey) error | ||||
| 	 | ||||
| 	// Get retrieves an identity key by user ID and device ID | ||||
| 	Get(ctx context.Context, userID string, deviceID int32) (*SignalIdentityKey, error) | ||||
| 	 | ||||
| 	// Delete removes an identity key | ||||
| 	Delete(ctx context.Context, userID string, deviceID int32) error | ||||
| 	 | ||||
| 	// GetByUserID retrieves all identity keys for a user | ||||
| 	GetByUserID(ctx context.Context, userID string) ([]*SignalIdentityKey, error) | ||||
| 	 | ||||
| 	// Exists checks if an identity key exists | ||||
| 	Exists(ctx context.Context, userID string, deviceID int32) (bool, error) | ||||
| } | ||||
| 
 | ||||
| func (SignalIdentityKey) TableName() string { | ||||
| 	return SignalIdentityKeyCollection | ||||
| } | ||||
| 
 | ||||
| // Indexes returns the indexes for the collection | ||||
| func (SignalIdentityKey) Indexes() []string { | ||||
| 	return []string{ | ||||
| 		"user_id", | ||||
| 		"user_id_device_id", // compound index for (user_id, device_id) | ||||
| 		"created_time", | ||||
| 	} | ||||
| } | ||||
							
								
								
									
										80
									
								
								pkg/common/storage/model/signal/signal_prekeys.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										80
									
								
								pkg/common/storage/model/signal/signal_prekeys.go
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,80 @@ | ||||
| // Copyright © 2024 OpenIM. All rights reserved. | ||||
| // | ||||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||||
| // you may not use this file except in compliance with the License. | ||||
| // You may obtain a copy of the License at | ||||
| // | ||||
| //     http://www.apache.org/licenses/LICENSE-2.0 | ||||
| // | ||||
| // Unless required by applicable law or agreed to in writing, software | ||||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||
| // See the License for the specific language governing permissions and | ||||
| // limitations under the License. | ||||
| 
 | ||||
| package signal | ||||
| 
 | ||||
| import ( | ||||
| 	"context" | ||||
| 	"time" | ||||
| ) | ||||
| 
 | ||||
| const ( | ||||
| 	SignalPreKeyCollection = "signal_prekeys" | ||||
| ) | ||||
| 
 | ||||
| // SignalPreKey represents one-time prekeys for Signal protocol | ||||
| type SignalPreKey struct { | ||||
| 	UserID      string    `bson:"user_id" json:"userID"` | ||||
| 	DeviceID    int32     `bson:"device_id" json:"deviceID"` | ||||
| 	KeyID       uint32    `bson:"key_id" json:"keyID"` | ||||
| 	PublicKey   []byte    `bson:"public_key" json:"publicKey"` | ||||
| 	Used        bool      `bson:"used" json:"used"` | ||||
| 	CreatedTime time.Time `bson:"created_time" json:"createdTime"` | ||||
| 	UsedTime    *time.Time `bson:"used_time,omitempty" json:"usedTime,omitempty"` | ||||
| } | ||||
| 
 | ||||
| type SignalPreKeyModelInterface interface { | ||||
| 	// Create creates a new prekey record | ||||
| 	Create(ctx context.Context, prekey *SignalPreKey) error | ||||
| 	 | ||||
| 	// CreateBatch creates multiple prekey records in batch | ||||
| 	CreateBatch(ctx context.Context, prekeys []*SignalPreKey) error | ||||
| 	 | ||||
| 	// GetAvailable retrieves an available (unused) prekey for a user/device | ||||
| 	GetAvailable(ctx context.Context, userID string, deviceID int32) (*SignalPreKey, error) | ||||
| 	 | ||||
| 	// MarkUsed marks a prekey as used | ||||
| 	MarkUsed(ctx context.Context, userID string, deviceID int32, keyID uint32) error | ||||
| 	 | ||||
| 	// Delete removes a prekey | ||||
| 	Delete(ctx context.Context, userID string, deviceID int32, keyID uint32) error | ||||
| 	 | ||||
| 	// DeleteAllByUserDevice removes all prekeys for a user/device | ||||
| 	DeleteAllByUserDevice(ctx context.Context, userID string, deviceID int32) error | ||||
| 	 | ||||
| 	// CountAvailable returns the count of available prekeys for a user/device | ||||
| 	CountAvailable(ctx context.Context, userID string, deviceID int32) (int64, error) | ||||
| 	 | ||||
| 	// GetByKeyID retrieves a specific prekey by key ID | ||||
| 	GetByKeyID(ctx context.Context, userID string, deviceID int32, keyID uint32) (*SignalPreKey, error) | ||||
| 	 | ||||
| 	// CleanupUsed removes used prekeys older than the specified duration | ||||
| 	CleanupUsed(ctx context.Context, olderThan time.Duration) (int64, error) | ||||
| } | ||||
| 
 | ||||
| func (SignalPreKey) TableName() string { | ||||
| 	return SignalPreKeyCollection | ||||
| } | ||||
| 
 | ||||
| // Indexes returns the indexes for the collection | ||||
| func (SignalPreKey) Indexes() []string { | ||||
| 	return []string{ | ||||
| 		"user_id", | ||||
| 		"user_id_device_id", // compound index for (user_id, device_id) | ||||
| 		"user_id_device_id_key_id", // compound unique index for (user_id, device_id, key_id) | ||||
| 		"user_id_device_id_used", // compound index for (user_id, device_id, used) | ||||
| 		"used_time", | ||||
| 		"created_time", | ||||
| 	} | ||||
| } | ||||
							
								
								
									
										80
									
								
								pkg/common/storage/model/signal/signal_signed_prekeys.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										80
									
								
								pkg/common/storage/model/signal/signal_signed_prekeys.go
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,80 @@ | ||||
| // Copyright © 2024 OpenIM. All rights reserved. | ||||
| // | ||||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||||
| // you may not use this file except in compliance with the License. | ||||
| // You may obtain a copy of the License at | ||||
| // | ||||
| //     http://www.apache.org/licenses/LICENSE-2.0 | ||||
| // | ||||
| // Unless required by applicable law or agreed to in writing, software | ||||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||
| // See the License for the specific language governing permissions and | ||||
| // limitations under the License. | ||||
| 
 | ||||
| package signal | ||||
| 
 | ||||
| import ( | ||||
| 	"context" | ||||
| 	"time" | ||||
| ) | ||||
| 
 | ||||
| const ( | ||||
| 	SignalSignedPreKeyCollection = "signal_signed_prekeys" | ||||
| ) | ||||
| 
 | ||||
| // SignalSignedPreKey represents signed prekeys for Signal protocol | ||||
| type SignalSignedPreKey struct { | ||||
| 	UserID      string    `bson:"user_id" json:"userID"` | ||||
| 	DeviceID    int32     `bson:"device_id" json:"deviceID"` | ||||
| 	KeyID       uint32    `bson:"key_id" json:"keyID"` | ||||
| 	PublicKey   []byte    `bson:"public_key" json:"publicKey"` | ||||
| 	Signature   []byte    `bson:"signature" json:"signature"` | ||||
| 	CreatedTime time.Time `bson:"created_time" json:"createdTime"` | ||||
| 	Active      bool      `bson:"active" json:"active"` // Whether this is the active signed prekey | ||||
| } | ||||
| 
 | ||||
| type SignalSignedPreKeyModelInterface interface { | ||||
| 	// Create creates a new signed prekey record | ||||
| 	Create(ctx context.Context, signedPrekey *SignalSignedPreKey) error | ||||
| 	 | ||||
| 	// Update updates an existing signed prekey (for rotation) | ||||
| 	Update(ctx context.Context, userID string, deviceID int32, keyID uint32, signedPrekey *SignalSignedPreKey) error | ||||
| 	 | ||||
| 	// GetActive retrieves the active signed prekey for a user/device | ||||
| 	GetActive(ctx context.Context, userID string, deviceID int32) (*SignalSignedPreKey, error) | ||||
| 	 | ||||
| 	// GetByKeyID retrieves a specific signed prekey by key ID | ||||
| 	GetByKeyID(ctx context.Context, userID string, deviceID int32, keyID uint32) (*SignalSignedPreKey, error) | ||||
| 	 | ||||
| 	// SetActive marks a signed prekey as active and deactivates others | ||||
| 	SetActive(ctx context.Context, userID string, deviceID int32, keyID uint32) error | ||||
| 	 | ||||
| 	// Delete removes a signed prekey | ||||
| 	Delete(ctx context.Context, userID string, deviceID int32, keyID uint32) error | ||||
| 	 | ||||
| 	// GetAll retrieves all signed prekeys for a user/device | ||||
| 	GetAll(ctx context.Context, userID string, deviceID int32) ([]*SignalSignedPreKey, error) | ||||
| 	 | ||||
| 	// CleanupInactive removes inactive signed prekeys older than the specified duration | ||||
| 	CleanupInactive(ctx context.Context, olderThan time.Duration) (int64, error) | ||||
| 	 | ||||
| 	// Exists checks if a signed prekey exists | ||||
| 	Exists(ctx context.Context, userID string, deviceID int32) (bool, error) | ||||
| } | ||||
| 
 | ||||
| func (SignalSignedPreKey) TableName() string { | ||||
| 	return SignalSignedPreKeyCollection | ||||
| } | ||||
| 
 | ||||
| // Indexes returns the indexes for the collection | ||||
| func (SignalSignedPreKey) Indexes() []string { | ||||
| 	return []string{ | ||||
| 		"user_id", | ||||
| 		"user_id_device_id", // compound index for (user_id, device_id) | ||||
| 		"user_id_device_id_key_id", // compound unique index for (user_id, device_id, key_id) | ||||
| 		"user_id_device_id_active", // compound index for (user_id, device_id, active) | ||||
| 		"active_created_time", // compound index for (active, created_time) | ||||
| 		"created_time", | ||||
| 	} | ||||
| } | ||||
| @ -11,6 +11,7 @@ serviceBinaries: | ||||
|   openim-rpc-friend: 1 | ||||
|   openim-rpc-msg: 1 | ||||
|   openim-rpc-third: 1 | ||||
|   openim-rpc-encryption: 1 | ||||
| toolBinaries: | ||||
|   - check-free-memory | ||||
|   - check-component | ||||
|  | ||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user