Add Client-side OAuth2 to HTTP connections

Implement client-side OAuth in non-local HTTP connections. Also add tests to verify that the different modes of connection are set up correctly. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=147636222
2025-06-27 06:44:51 +02:00 · 2017-02-15 13:22:54 -08:00 · 2017-02-15 13:22:54 -08:00 · 177bf4a5f1
commit 177bf4a5f1
parent 32b236e940
9 changed files with 303 additions and 6 deletions
--- a/java/google/registry/tools/DefaultRequestFactoryModule.java
+++ b/java/google/registry/tools/DefaultRequestFactoryModule.java
@ -14,14 +14,34 @@

 package google.registry.tools;

+import static java.nio.charset.StandardCharsets.UTF_8;
+
+import com.google.api.client.auth.oauth2.Credential;
+import com.google.api.client.extensions.java6.auth.oauth2.AuthorizationCodeInstalledApp;
+import com.google.api.client.extensions.jetty.auth.oauth2.LocalServerReceiver;
+import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeFlow;
+import com.google.api.client.googleapis.auth.oauth2.GoogleClientSecrets;
 import com.google.api.client.http.HttpRequest;
 import com.google.api.client.http.HttpRequestFactory;
 import com.google.api.client.http.HttpRequestInitializer;
 import com.google.api.client.http.javanet.NetHttpTransport;
+import com.google.api.client.json.JsonFactory;
+import com.google.api.client.json.jackson2.JacksonFactory;
+import com.google.api.client.util.store.AbstractDataStoreFactory;
+import com.google.api.client.util.store.FileDataStoreFactory;
 import dagger.Binds;
 import dagger.Module;
 import dagger.Provides;
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.lang.annotation.Documented;
+import java.util.Collections;
 import javax.inject.Named;
+import javax.inject.Provider;
+import javax.inject.Qualifier;
+import javax.inject.Singleton;

 /**
 * Module for providing the default HttpRequestFactory.
@ -40,9 +60,50 @@ import javax.inject.Named;
@Module
 class DefaultRequestFactoryModule {

+  // TODO(mmuller): Use @Config("requiredOauthScopes")
+  private static final String DEFAULT_SCOPE =
+      "https://www.googleapis.com/auth/userinfo.email";
+
+  private static final File DATA_STORE_DIR =
+      new File(System.getProperty("user.home"), ".config/nomulus/credentials");
+
+  // TODO(mmuller): replace with a config parameter.
+  private static final String CLIENT_SECRET_FILENAME =
+      "/google/registry/tools/resources/client_secret.json";
+
+  @Provides
+  @ClientSecretFilename
+  String provideClientSecretFilename() {
+    return CLIENT_SECRET_FILENAME;
+  }
+
+  /** Returns the credential object for the user. */
+  @Provides
+  Credential provideCredential(
+      AbstractDataStoreFactory dataStoreFactory,
+      Authorizer authorizer,
+      @ClientSecretFilename String clientSecretFilename) {
+    try {
+      // Load the client secrets file.
+      JacksonFactory jsonFactory = new JacksonFactory();
+      InputStream secretResourceStream = getClass().getResourceAsStream(clientSecretFilename);
+      if (secretResourceStream == null) {
+        throw new RuntimeException("No client secret file found: " + clientSecretFilename);
+      }
+      GoogleClientSecrets clientSecrets = GoogleClientSecrets.load(jsonFactory,
+          new InputStreamReader(secretResourceStream, UTF_8));
+
+      return authorizer.authorize(clientSecrets);
+    } catch (IOException ex) {
+      throw new RuntimeException(ex);
+    }
+  }
+
  @Provides
  @Named("default")
-  public HttpRequestFactory provideHttpRequestFactory(AppEngineConnectionFlags connectionFlags) {
+  public HttpRequestFactory provideHttpRequestFactory(
+      AppEngineConnectionFlags connectionFlags,
+      Provider<Credential> credentialProvider) {
    if (connectionFlags.getServer().getHost().equals("localhost")) {
      return new NetHttpTransport()
          .createRequestFactory(
@ -55,7 +116,7 @@ class DefaultRequestFactoryModule {
                }
              });
    } else {
-      return new NetHttpTransport().createRequestFactory();
+      return new NetHttpTransport().createRequestFactory(credentialProvider.get());
    }
  }

@ -63,14 +124,77 @@ class DefaultRequestFactoryModule {
   * Module for providing HttpRequestFactory.
   *
   * <p>Localhost connections go to the App Engine dev server. The dev server differs from most HTTP
-   * connections in that they don't require OAuth2 credentials, but instead require a special
-   * cookie.
+   * connections in that the types whose annotations affect the use of annotaty don't require
+   * OAuth2 credentials, but instead require a special cookie.
   */
  @Module
-  abstract class RequestFactoryModule {
+  abstract static class RequestFactoryModule {

    @Binds
    public abstract HttpRequestFactory provideHttpRequestFactory(
        @Named("default") HttpRequestFactory requestFactory);
  }
+
+  @Module
+  static class DataStoreFactoryModule {
+    @Provides
+    @Singleton
+    public AbstractDataStoreFactory provideDataStoreFactory() {
+      try {
+        return new FileDataStoreFactory(DATA_STORE_DIR);
+      } catch (IOException ex) {
+        throw new RuntimeException(ex);
+      }
+    }
+  }
+
+  /**
+   * Module to create the Authorizer used by DefaultRequestFactoryModule.
+   */
+  @Module
+  static class AuthorizerModule {
+    @Provides
+    public Authorizer provideAuthorizer(
+        final JsonFactory jsonFactory, final AbstractDataStoreFactory dataStoreFactory) {
+      return new Authorizer() {
+        @Override
+        public Credential authorize(GoogleClientSecrets clientSecrets) {
+          try {
+            // Run a new auth flow.
+            GoogleAuthorizationCodeFlow flow = new GoogleAuthorizationCodeFlow.Builder(
+                    new NetHttpTransport(), jsonFactory, clientSecrets,
+                    Collections.singleton(DEFAULT_SCOPE))
+                .setDataStoreFactory(dataStoreFactory)
+                .build();
+
+            // TODO(mmuller): "credentials" directory needs to be qualified with the scopes and
+            // client id.
+
+            // We pass client id to the authorize method so we can safely persist credentials for
+            // multiple client ids.
+            return new AuthorizationCodeInstalledApp(flow, new LocalServerReceiver())
+                .authorize(clientSecrets.getDetails().getClientId());
+          } catch (Exception ex) {
+            throw new RuntimeException(ex);
+          }
+        }
+      };
+    }
+  }
+
+  /**
+   * Interface that encapsulates the authorization logic to produce a credential for the user,
+   * allowing us to override the behavior for unit tests.
+   */
+  interface Authorizer {
+    Credential authorize(GoogleClientSecrets clientSecrets);
+  }
+
+  /** Dagger qualifier for the client secret filename.
+   *
+   * <p>TODO(mmuller): move this to config.
+   */
+  @Qualifier
+  @Documented
+  public @interface ClientSecretFilename {}
 }