Set correct auth settings for all actions

A test has been added to RequestHandlerTest, making sure that, while we merely log errors for the time being, the correct dummy AuthResult is being created. Most actions use the default settings, which have been changed to INTERNAL / APP / IGNORED. Actions with non-default settings are: INTERNAL/NONE/PUBLIC (non-auth public endpoints) CheckApiAction WhoisHttpServer Rdap*Action INTERNAL,API/APP/ADMIN (things currently protected by web.xml) EppTlsAction EppToolAction CreateGroupsAction CreatePremiumListAction DeleteEntityAction List*sAction UpdatePremiumListAction VerifyOteAction WhoisServer INTERNAL,API,LEGACY/USER/PUBLIC (registrar console) RegistrarPaymentAction RegistrarPaymentSetupAction RegistrarSettingsAction EppConsoleAction INTERNAL,API,LEGACY/NONE/PUBLIC (registrar console main page) ConsoleUiAction ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=149761652
2025-05-14 16:37:13 +02:00 · 2017-03-10 08:47:52 -08:00 · 2017-03-10 08:47:52 -08:00 · 1f000b94e6
commit 1f000b94e6
parent f5e76868f0
38 changed files with 450 additions and 133 deletions
--- a/java/google/registry/tools/server/BUILD
+++ b/java/google/registry/tools/server/BUILD
@ -17,6 +17,7 @@ java_library(
        "//java/google/registry/mapreduce/inputs",
        "//java/google/registry/model",
        "//java/google/registry/request",
+        "//java/google/registry/request/auth",
        "//java/google/registry/util",
        "//third_party/java/objectify:objectify-v4_1",
        "@com_beust_jcommander",
--- a/java/google/registry/tools/server/CreateGroupsAction.java
+++ b/java/google/registry/tools/server/CreateGroupsAction.java
@ -32,6 +32,8 @@ import google.registry.request.HttpException.BadRequestException;
 import google.registry.request.HttpException.InternalServerErrorException;
 import google.registry.request.Parameter;
 import google.registry.request.Response;
+import google.registry.request.auth.Auth;
+import google.registry.request.auth.AuthLevel;
 import google.registry.util.Concurrent;
 import google.registry.util.FormattingLogger;
 import java.io.PrintWriter;
@ -41,7 +43,16 @@ import javax.annotation.Nullable;
 import javax.inject.Inject;

 /** Action that creates Google Groups for a registrar's mailing lists. */
-@Action(path = CreateGroupsAction.PATH, method = POST)
+@Action(
+  path = CreateGroupsAction.PATH,
+  method = POST,
+  auth =
+      @Auth(
+        methods = {Auth.AuthMethod.INTERNAL, Auth.AuthMethod.API},
+        minimumLevel = AuthLevel.APP,
+        userPolicy = Auth.UserPolicy.ADMIN
+      )
+)
 public class CreateGroupsAction implements Runnable {

  public static final String PATH = "/_dr/admin/createGroups";
--- a/java/google/registry/tools/server/CreatePremiumListAction.java
+++ b/java/google/registry/tools/server/CreatePremiumListAction.java
@ -25,6 +25,8 @@ import com.google.common.collect.ImmutableMap;
 import google.registry.model.registry.label.PremiumList;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
+import google.registry.request.auth.Auth;
+import google.registry.request.auth.AuthLevel;
 import java.util.List;
 import javax.inject.Inject;

@ -32,7 +34,16 @@ import javax.inject.Inject;
 * An action that creates a premium list, for use by the {@code nomulus create_premium_list}
 * command.
 */
-@Action(path = CreatePremiumListAction.PATH, method = POST)
+@Action(
+  path = CreatePremiumListAction.PATH,
+  method = POST,
+  auth =
+      @Auth(
+        methods = {Auth.AuthMethod.INTERNAL, Auth.AuthMethod.API},
+        minimumLevel = AuthLevel.APP,
+        userPolicy = Auth.UserPolicy.ADMIN
+      )
+)
 public class CreatePremiumListAction extends CreateOrUpdatePremiumListAction {

  public static final String OVERRIDE_PARAM = "override";
--- a/java/google/registry/tools/server/DeleteEntityAction.java
+++ b/java/google/registry/tools/server/DeleteEntityAction.java
@ -31,13 +31,15 @@ import google.registry.request.Action;
 import google.registry.request.HttpException.BadRequestException;
 import google.registry.request.Parameter;
 import google.registry.request.Response;
+import google.registry.request.auth.Auth;
+import google.registry.request.auth.AuthLevel;
 import google.registry.util.FormattingLogger;
 import javax.inject.Inject;

 /**
 * An action to delete entities in Datastore specified by raw key ids, which can be found in
- * Datastore Viewer in the AppEngine console - it's the really long alphanumeric key that is
- * labeled "Entity key" on the page for an individual entity.
+ * Datastore Viewer in the AppEngine console - it's the really long alphanumeric key that is labeled
+ * "Entity key" on the page for an individual entity.
 *
 * <p>rawKeys is the only required parameter. It is a comma-delimited list of Strings.
 *
@ -47,7 +49,15 @@ import javax.inject.Inject;
 * malformed data that cannot be properly deleted using existing tools. Generally, if there already
 * exists an entity-specific deletion command, then use that one instead.
 */
-@Action(path = DeleteEntityAction.PATH)
+@Action(
+  path = DeleteEntityAction.PATH,
+  auth =
+      @Auth(
+        methods = {Auth.AuthMethod.INTERNAL, Auth.AuthMethod.API},
+        minimumLevel = AuthLevel.APP,
+        userPolicy = Auth.UserPolicy.ADMIN
+      )
+)
 public class DeleteEntityAction implements Runnable {

  private static final FormattingLogger logger = FormattingLogger.getLoggerForCallerClass();
--- a/java/google/registry/tools/server/ListDomainsAction.java
+++ b/java/google/registry/tools/server/ListDomainsAction.java
@ -26,13 +26,24 @@ import com.google.common.collect.Lists;
 import google.registry.model.domain.DomainResource;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
+import google.registry.request.auth.Auth;
+import google.registry.request.auth.AuthLevel;
 import google.registry.util.Clock;
 import java.util.Comparator;
 import java.util.List;
 import javax.inject.Inject;

 /** An action that lists domains, for use by the {@code nomulus list_domains} command. */
-@Action(path = ListDomainsAction.PATH, method = {GET, POST})
+@Action(
+  path = ListDomainsAction.PATH,
+  method = {GET, POST},
+  auth =
+      @Auth(
+        methods = {Auth.AuthMethod.INTERNAL, Auth.AuthMethod.API},
+        minimumLevel = AuthLevel.APP,
+        userPolicy = Auth.UserPolicy.ADMIN
+      )
+)
 public final class ListDomainsAction extends ListObjectsAction<DomainResource> {

  /** An App Engine limitation on how many subqueries can be used in a single query. */
--- a/java/google/registry/tools/server/ListHostsAction.java
+++ b/java/google/registry/tools/server/ListHostsAction.java
@ -24,13 +24,24 @@ import com.google.common.collect.ImmutableSet;
 import google.registry.model.EppResourceUtils;
 import google.registry.model.host.HostResource;
 import google.registry.request.Action;
+import google.registry.request.auth.Auth;
+import google.registry.request.auth.AuthLevel;
 import google.registry.util.Clock;
 import java.util.Comparator;
 import javax.inject.Inject;
 import org.joda.time.DateTime;

 /** An action that lists hosts, for use by the {@code nomulus list_hosts} command. */
-@Action(path = ListHostsAction.PATH, method = {GET, POST})
+@Action(
+  path = ListHostsAction.PATH,
+  method = {GET, POST},
+  auth =
+      @Auth(
+        methods = {Auth.AuthMethod.INTERNAL, Auth.AuthMethod.API},
+        minimumLevel = AuthLevel.APP,
+        userPolicy = Auth.UserPolicy.ADMIN
+      )
+)
 public final class ListHostsAction extends ListObjectsAction<HostResource> {

  public static final String PATH = "/_dr/admin/list/hosts";
--- a/java/google/registry/tools/server/ListPremiumListsAction.java
+++ b/java/google/registry/tools/server/ListPremiumListsAction.java
@ -22,6 +22,8 @@ import static google.registry.request.Action.Method.POST;
 import com.google.common.collect.ImmutableSet;
 import google.registry.model.registry.label.PremiumList;
 import google.registry.request.Action;
+import google.registry.request.auth.Auth;
+import google.registry.request.auth.AuthLevel;
 import javax.inject.Inject;

 /**
@ -29,7 +31,13 @@ import javax.inject.Inject;
 */
@Action(
  path = ListPremiumListsAction.PATH,
-  method = {GET, POST}
+  method = {GET, POST},
+  auth =
+      @Auth(
+        methods = {Auth.AuthMethod.INTERNAL, Auth.AuthMethod.API},
+        minimumLevel = AuthLevel.APP,
+        userPolicy = Auth.UserPolicy.ADMIN
+      )
 )
 public final class ListPremiumListsAction extends ListObjectsAction<PremiumList> {

--- a/java/google/registry/tools/server/ListRegistrarsAction.java
+++ b/java/google/registry/tools/server/ListRegistrarsAction.java
@ -22,10 +22,21 @@ import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import google.registry.model.registrar.Registrar;
 import google.registry.request.Action;
+import google.registry.request.auth.Auth;
+import google.registry.request.auth.AuthLevel;
 import javax.inject.Inject;

 /** An action that lists registrars, for use by the {@code nomulus list_registrars} command. */
-@Action(path = ListRegistrarsAction.PATH, method = {GET, POST})
+@Action(
+  path = ListRegistrarsAction.PATH,
+  method = {GET, POST},
+  auth =
+      @Auth(
+        methods = {Auth.AuthMethod.INTERNAL, Auth.AuthMethod.API},
+        minimumLevel = AuthLevel.APP,
+        userPolicy = Auth.UserPolicy.ADMIN
+      )
+)
 public final class ListRegistrarsAction extends ListObjectsAction<Registrar> {

  public static final String PATH = "/_dr/admin/list/registrars";
--- a/java/google/registry/tools/server/ListReservedListsAction.java
+++ b/java/google/registry/tools/server/ListReservedListsAction.java
@ -22,10 +22,21 @@ import static google.registry.request.Action.Method.POST;
 import com.google.common.collect.ImmutableSet;
 import google.registry.model.registry.label.ReservedList;
 import google.registry.request.Action;
+import google.registry.request.auth.Auth;
+import google.registry.request.auth.AuthLevel;
 import javax.inject.Inject;

 /** A that lists reserved lists, for use by the {@code nomulus list_reserved_lists} command. */
-@Action(path = ListReservedListsAction.PATH, method = {GET, POST})
+@Action(
+  path = ListReservedListsAction.PATH,
+  method = {GET, POST},
+  auth =
+      @Auth(
+        methods = {Auth.AuthMethod.INTERNAL, Auth.AuthMethod.API},
+        minimumLevel = AuthLevel.APP,
+        userPolicy = Auth.UserPolicy.ADMIN
+      )
+)
 public final class ListReservedListsAction extends ListObjectsAction<ReservedList> {

  public static final String PATH = "/_dr/admin/list/reservedLists";
--- a/java/google/registry/tools/server/ListTldsAction.java
+++ b/java/google/registry/tools/server/ListTldsAction.java
@ -25,12 +25,23 @@ import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import google.registry.model.registry.Registry;
 import google.registry.request.Action;
+import google.registry.request.auth.Auth;
+import google.registry.request.auth.AuthLevel;
 import google.registry.util.Clock;
 import javax.inject.Inject;
 import org.joda.time.DateTime;

 /** An action that lists top-level domains, for use by the {@code nomulus list_tlds} command. */
-@Action(path = ListTldsAction.PATH, method = {GET, POST})
+@Action(
+  path = ListTldsAction.PATH,
+  method = {GET, POST},
+  auth =
+      @Auth(
+        methods = {Auth.AuthMethod.INTERNAL, Auth.AuthMethod.API},
+        minimumLevel = AuthLevel.APP,
+        userPolicy = Auth.UserPolicy.ADMIN
+      )
+)
 public final class ListTldsAction extends ListObjectsAction<Registry> {

  public static final String PATH = "/_dr/admin/list/tlds";
--- a/java/google/registry/tools/server/UpdatePremiumListAction.java
+++ b/java/google/registry/tools/server/UpdatePremiumListAction.java
@ -23,6 +23,8 @@ import com.google.common.base.Splitter;
 import com.google.common.collect.ImmutableMap;
 import google.registry.model.registry.label.PremiumList;
 import google.registry.request.Action;
+import google.registry.request.auth.Auth;
+import google.registry.request.auth.AuthLevel;
 import java.util.List;
 import javax.inject.Inject;

@ -30,7 +32,16 @@ import javax.inject.Inject;
 * An action that creates a premium list, for use by the {@code nomulus create_premium_list}
 * command.
 */
-@Action(path = UpdatePremiumListAction.PATH, method = POST)
+@Action(
+  path = UpdatePremiumListAction.PATH,
+  method = POST,
+  auth =
+      @Auth(
+        methods = {Auth.AuthMethod.INTERNAL, Auth.AuthMethod.API},
+        minimumLevel = AuthLevel.APP,
+        userPolicy = Auth.UserPolicy.ADMIN
+      )
+)
 public class UpdatePremiumListAction extends CreateOrUpdatePremiumListAction {

  public static final String PATH = "/_dr/admin/updatePremiumList";
--- a/java/google/registry/tools/server/VerifyOteAction.java
+++ b/java/google/registry/tools/server/VerifyOteAction.java
@ -67,6 +67,8 @@ import google.registry.model.reporting.HistoryEntry;
 import google.registry.request.Action;
 import google.registry.request.JsonActionRunner;
 import google.registry.request.JsonActionRunner.JsonAction;
+import google.registry.request.auth.Auth;
+import google.registry.request.auth.AuthLevel;
 import java.util.ArrayList;
 import java.util.EnumSet;
 import java.util.List;
@ -79,10 +81,17 @@ import javax.inject.Inject;
 * OT&amp;E commands that have been run just previously to verification may not be picked up yet.
 */
@Action(
-    path = VerifyOteAction.PATH,
-    method = Action.Method.POST,
-    xsrfProtection = true,
-    xsrfScope = "admin")
+  path = VerifyOteAction.PATH,
+  method = Action.Method.POST,
+  xsrfProtection = true,
+  xsrfScope = "admin",
+  auth =
+      @Auth(
+        methods = {Auth.AuthMethod.INTERNAL, Auth.AuthMethod.API},
+        minimumLevel = AuthLevel.APP,
+        userPolicy = Auth.UserPolicy.ADMIN
+      )
+)
 public class VerifyOteAction implements Runnable, JsonAction {

  public static final String PATH = "/_dr/admin/verifyOte";