Add console-api/settings/security endpoint (#2057)

This commit is contained in:
Pavlo Tkach 2023-07-12 16:19:20 -04:00 committed by GitHub
parent 3ea31d024e
commit 304e7c9726
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 396 additions and 3 deletions

View file

@ -50,6 +50,7 @@ import com.google.common.collect.Maps;
import com.google.common.collect.Range;
import com.google.common.collect.Sets;
import com.google.common.collect.Streams;
import com.google.gson.annotations.Expose;
import com.google.re2j.Pattern;
import google.registry.model.Buildable;
import google.registry.model.CreateAutoTimestamp;
@ -253,7 +254,7 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
// Authentication.
/** X.509 PEM client certificate(s) used to authenticate registrar to EPP service. */
String clientCertificate;
@Expose String clientCertificate;
/** Base64 encoded SHA256 hash of {@link #clientCertificate}. */
String clientCertificateHash;
@ -263,13 +264,13 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
*
* <p>This allows registrars to migrate certificates without downtime.
*/
String failoverClientCertificate;
@Expose String failoverClientCertificate;
/** Base64 encoded SHA256 hash of {@link #failoverClientCertificate}. */
String failoverClientCertificateHash;
/** An allow list of netmasks (in CIDR notation) which the client is allowed to connect from. */
List<CidrAddressBlock> ipAddressAllowList;
@Expose List<CidrAddressBlock> ipAddressAllowList;
/** A hashed password for EPP access. The hash is a base64 encoded SHA256 string. */
String passwordHash;

View file

@ -28,6 +28,7 @@ import google.registry.request.RequestScope;
import google.registry.ui.server.console.ConsoleDomainGetAction;
import google.registry.ui.server.console.RegistrarsAction;
import google.registry.ui.server.console.settings.ContactAction;
import google.registry.ui.server.console.settings.SecurityAction;
import google.registry.ui.server.registrar.ConsoleOteSetupAction;
import google.registry.ui.server.registrar.ConsoleRegistrarCreatorAction;
import google.registry.ui.server.registrar.ConsoleUiAction;
@ -70,6 +71,8 @@ interface FrontendRequestComponent {
RegistrarsAction registrarsAction();
SecurityAction securityAction();
@Subcomponent.Builder
abstract class Builder implements RequestComponentBuilder<FrontendRequestComponent> {
@Override public abstract Builder requestModule(RequestModule requestModule);

View file

@ -0,0 +1,171 @@
// Copyright 2023 The Nomulus Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package google.registry.ui.server.console.settings;
import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
import static google.registry.request.Action.Method.GET;
import static google.registry.request.Action.Method.POST;
import avro.shaded.com.google.common.collect.ImmutableList;
import com.google.api.client.http.HttpStatusCodes;
import com.google.gson.Gson;
import google.registry.flows.certs.CertificateChecker;
import google.registry.flows.certs.CertificateChecker.InsecureCertificateException;
import google.registry.model.console.ConsolePermission;
import google.registry.model.console.User;
import google.registry.model.registrar.Registrar;
import google.registry.request.Action;
import google.registry.request.Parameter;
import google.registry.request.Response;
import google.registry.request.auth.Auth;
import google.registry.request.auth.AuthResult;
import google.registry.request.auth.AuthenticatedRegistrarAccessor;
import google.registry.request.auth.AuthenticatedRegistrarAccessor.RegistrarAccessDeniedException;
import google.registry.ui.server.registrar.JsonGetAction;
import java.util.Optional;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
@Action(
service = Action.Service.DEFAULT,
path = SecurityAction.PATH,
method = {GET, POST},
auth = Auth.AUTH_PUBLIC_LOGGED_IN)
public class SecurityAction implements JsonGetAction {
static final String PATH = "/console-api/settings/security";
private final HttpServletRequest req;
private final AuthResult authResult;
private final Response response;
private final Gson gson;
private final String registrarId;
private AuthenticatedRegistrarAccessor registrarAccessor;
private Optional<Registrar> registrar;
private CertificateChecker certificateChecker;
@Inject
public SecurityAction(
HttpServletRequest req,
AuthResult authResult,
Response response,
Gson gson,
CertificateChecker certificateChecker,
AuthenticatedRegistrarAccessor registrarAccessor,
@Parameter("registrarId") String registrarId,
@Parameter("registrar") Optional<Registrar> registrar) {
this.req = req;
this.authResult = authResult;
this.response = response;
this.gson = gson;
this.registrarId = registrarId;
this.registrarAccessor = registrarAccessor;
this.registrar = registrar;
this.certificateChecker = certificateChecker;
}
@Override
public void run() {
if (req.getMethod().equals(GET.toString())) {
getHandler();
} else {
postHandler();
}
}
private void getHandler() {
try {
Registrar registrar = registrarAccessor.getRegistrar(registrarId);
response.setStatus(HttpStatusCodes.STATUS_CODE_OK);
response.setPayload(gson.toJson(registrar));
} catch (RegistrarAccessDeniedException e) {
response.setStatus(HttpStatusCodes.STATUS_CODE_FORBIDDEN);
response.setPayload(e.getMessage());
}
}
private void postHandler() {
User user = authResult.userAuthInfo().get().consoleUser().get();
if (!user.getUserRoles().hasPermission(registrarId, ConsolePermission.EDIT_REGISTRAR_DETAILS)) {
response.setStatus(HttpStatusCodes.STATUS_CODE_FORBIDDEN);
return;
}
if (!registrar.isPresent()) {
response.setStatus(HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
response.setPayload(gson.toJson("'registrar' parameter is not present"));
return;
}
Registrar savedRegistrar;
try {
savedRegistrar = registrarAccessor.getRegistrar(registrarId);
} catch (RegistrarAccessDeniedException e) {
response.setStatus(HttpStatusCodes.STATUS_CODE_FORBIDDEN);
response.setPayload(e.getMessage());
return;
}
tm().transact(() -> setResponse(savedRegistrar));
}
private void setResponse(Registrar savedRegistrar) {
Registrar registrarParameter = registrar.get();
Registrar.Builder updatedRegistrar =
savedRegistrar
.asBuilder()
.setIpAddressAllowList(registrarParameter.getIpAddressAllowList());
boolean hasInvalidCerts =
ImmutableList.of(
registrarParameter.getClientCertificate(),
registrarParameter.getFailoverClientCertificate())
.stream()
.filter(Optional::isPresent)
.map(Optional::get)
.anyMatch(
cert -> {
try {
certificateChecker.validateCertificate(cert);
return false;
} catch (InsecureCertificateException e) {
return true;
}
});
if (hasInvalidCerts) {
response.setStatus(HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
response.setPayload("Insecure Certificate in parameter");
return;
}
registrarParameter
.getClientCertificate()
.ifPresent(
newClientCert -> {
updatedRegistrar.setClientCertificate(newClientCert, tm().getTransactionTime());
});
registrarParameter
.getFailoverClientCertificate()
.ifPresent(
failoverCert -> {
updatedRegistrar.setFailoverClientCertificate(
failoverCert, tm().getTransactionTime());
});
tm().put(updatedRegistrar.build());
response.setStatus(HttpStatusCodes.STATUS_CODE_OK);
}
}

View file

@ -24,6 +24,7 @@ import com.google.gson.Gson;
import com.google.gson.JsonObject;
import dagger.Module;
import dagger.Provides;
import google.registry.model.registrar.Registrar;
import google.registry.model.registrar.RegistrarPoc;
import google.registry.request.OptionalJsonPayload;
import google.registry.request.Parameter;
@ -187,4 +188,15 @@ public final class RegistrarConsoleModule {
static String provideRegistrarId(HttpServletRequest req) {
return extractRequiredParameter(req, "registrarId");
}
@Provides
@Parameter("registrar")
public static Optional<Registrar> provideRegistrar(
Gson gson, @OptionalJsonPayload Optional<JsonObject> payload) {
if (payload.isPresent() && payload.get().has("registrar")) {
return Optional.of(gson.fromJson(payload.get().get("registrar"), Registrar.class));
}
return Optional.empty();
}
}

View file

@ -0,0 +1,183 @@
// Copyright 2023 The Nomulus Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package google.registry.ui.server.console.settings;
import static com.google.common.truth.Truth.assertThat;
import static google.registry.testing.CertificateSamples.SAMPLE_CERT;
import static google.registry.testing.CertificateSamples.SAMPLE_CERT2;
import static google.registry.testing.DatabaseHelper.loadRegistrar;
import static google.registry.testing.DatabaseHelper.persistResource;
import static google.registry.testing.SqlHelper.saveRegistrar;
import static google.registry.util.DateTimeUtils.START_OF_TIME;
import static org.mockito.Mockito.doReturn;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
import com.google.api.client.http.HttpStatusCodes;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.ImmutableSetMultimap;
import com.google.common.collect.ImmutableSortedMap;
import com.google.common.net.InetAddresses;
import com.google.gson.Gson;
import google.registry.flows.certs.CertificateChecker;
import google.registry.model.console.GlobalRole;
import google.registry.model.console.User;
import google.registry.model.console.UserRoles;
import google.registry.model.registrar.Registrar;
import google.registry.persistence.transaction.JpaTestExtensions;
import google.registry.request.Action;
import google.registry.request.RequestModule;
import google.registry.request.auth.AuthResult;
import google.registry.request.auth.AuthSettings.AuthLevel;
import google.registry.request.auth.AuthenticatedRegistrarAccessor;
import google.registry.request.auth.UserAuthInfo;
import google.registry.testing.FakeClock;
import google.registry.testing.FakeResponse;
import google.registry.ui.server.registrar.RegistrarConsoleModule;
import google.registry.util.CidrAddressBlock;
import google.registry.util.UtilsModule;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import org.joda.time.DateTime;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.RegisterExtension;
/** Tests for {@link google.registry.ui.server.console.settings.SecurityAction}. */
class SecurityActionTest {
private static String jsonRegistrar1 =
String.format(
"{\"registrarId\": \"registrarId\", \"clientCertificate\": \"%s\","
+ " \"ipAddressAllowList\": [\"192.168.1.1/32\"]}",
SAMPLE_CERT2);
private static final Gson GSON = UtilsModule.provideGson();
private final HttpServletRequest request = mock(HttpServletRequest.class);
private final FakeClock clock = new FakeClock();
private Registrar testRegistrar;
private FakeResponse response = new FakeResponse();
private AuthenticatedRegistrarAccessor registrarAccessor =
AuthenticatedRegistrarAccessor.createForTesting(
ImmutableSetMultimap.of("registrarId", AuthenticatedRegistrarAccessor.Role.ADMIN));
private CertificateChecker certificateChecker =
new CertificateChecker(
ImmutableSortedMap.of(START_OF_TIME, 20825, DateTime.parse("2020-09-01T00:00:00Z"), 398),
30,
15,
2048,
ImmutableSet.of("secp256r1", "secp384r1"),
clock);
@RegisterExtension
final JpaTestExtensions.JpaIntegrationTestExtension jpa =
new JpaTestExtensions.Builder().withClock(clock).buildIntegrationTestExtension();
@BeforeEach
void beforeEach() {
testRegistrar = saveRegistrar("registrarId");
}
@Test
void testSuccess_getRegistrarInfo() throws IOException {
persistResource(
testRegistrar
.asBuilder()
.setClientCertificate(SAMPLE_CERT, clock.nowUtc())
.setIpAddressAllowList(
ImmutableSet.of(
CidrAddressBlock.create(InetAddresses.forString("192.168.1.1"), 32),
CidrAddressBlock.create(InetAddresses.forString("2001:db8::1"), 128)))
.build());
SecurityAction action =
createAction(
Action.Method.GET,
AuthResult.create(
AuthLevel.USER,
UserAuthInfo.create(
createUser(new UserRoles.Builder().setGlobalRole(GlobalRole.FTE).build()))),
testRegistrar.getRegistrarId());
action.run();
assertThat(response.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_OK);
String payload = response.getPayload().replace("\\n", "").replace("\\u003d", "=");
assertThat(payload).contains(SAMPLE_CERT.replace("\n", ""));
assertThat(payload).contains("192.168.1.1/32");
assertThat(payload).contains("2001:db8:0:0:0:0:0:1/128");
}
@Test
void testSuccess_postRegistrarInfo() throws IOException {
clock.setTo(DateTime.parse("2020-11-01T00:00:00Z"));
SecurityAction action =
createAction(
Action.Method.POST,
AuthResult.create(
AuthLevel.USER,
UserAuthInfo.create(
createUser(new UserRoles.Builder().setGlobalRole(GlobalRole.FTE).build()))),
testRegistrar.getRegistrarId());
action.run();
assertThat(response.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_OK);
Registrar r = loadRegistrar(testRegistrar.getRegistrarId());
assertThat(r.getClientCertificateHash().get())
.isEqualTo("GNd6ZP8/n91t9UTnpxR8aH7aAW4+CpvufYx9ViGbcMY");
assertThat(r.getIpAddressAllowList().get(0).getIp()).isEqualTo("192.168.1.1");
assertThat(r.getIpAddressAllowList().get(0).getNetmask()).isEqualTo(32);
}
private User createUser(UserRoles userRoles) {
return new User.Builder()
.setEmailAddress("email@email.com")
.setGaiaId("TestUserId")
.setUserRoles(userRoles)
.build();
}
private SecurityAction createAction(
Action.Method method, AuthResult authResult, String registrarId) throws IOException {
when(request.getMethod()).thenReturn(method.toString());
if (method.equals(Action.Method.GET)) {
return new SecurityAction(
request,
authResult,
response,
GSON,
certificateChecker,
registrarAccessor,
registrarId,
Optional.empty());
} else {
doReturn(new BufferedReader(new StringReader("{\"registrar\":" + jsonRegistrar1 + "}")))
.when(request)
.getReader();
Optional<Registrar> maybeRegistrar =
RegistrarConsoleModule.provideRegistrar(
GSON, RequestModule.provideJsonBody(request, GSON));
return new SecurityAction(
request,
authResult,
response,
GSON,
certificateChecker,
registrarAccessor,
registrarId,
maybeRegistrar);
}
}
}

View file

@ -3,6 +3,7 @@ PATH CLASS METHODS OK AUTH_ME
/console-api/domain ConsoleDomainGetAction GET n API,LEGACY USER PUBLIC
/console-api/registrars RegistrarsAction GET n API,LEGACY USER PUBLIC
/console-api/settings/contacts ContactAction GET,POST n API,LEGACY USER PUBLIC
/console-api/settings/security SecurityAction GET,POST n API,LEGACY USER PUBLIC
/registrar ConsoleUiAction GET n API,LEGACY NONE PUBLIC
/registrar-create ConsoleRegistrarCreatorAction POST,GET n API,LEGACY NONE PUBLIC
/registrar-ote-setup ConsoleOteSetupAction POST,GET n API,LEGACY NONE PUBLIC

View file

@ -19,6 +19,10 @@ import static com.google.common.base.Preconditions.checkArgument;
import com.google.common.collect.AbstractSequentialIterator;
import com.google.common.flogger.FluentLogger;
import com.google.common.net.InetAddresses;
import com.google.gson.TypeAdapter;
import com.google.gson.stream.JsonReader;
import com.google.gson.stream.JsonWriter;
import java.io.IOException;
import java.io.Serializable;
import java.net.InetAddress;
import java.net.UnknownHostException;
@ -476,4 +480,20 @@ public class CidrAddressBlock implements Iterable<InetAddress>, Serializable {
public String toString() {
return getCidrString(ip, netmask);
}
public static class CidrAddressBlockAdapter extends TypeAdapter<CidrAddressBlock> {
@Override
public CidrAddressBlock read(JsonReader reader) throws IOException {
String stringValue = reader.nextString();
if (stringValue.equals("null")) {
return null;
}
return new CidrAddressBlock(stringValue);
}
@Override
public void write(JsonWriter writer, CidrAddressBlock cidrAddressBlock) throws IOException {
writer.value(cidrAddressBlock.toString());
}
}
}

View file

@ -19,6 +19,7 @@ import com.google.gson.GsonBuilder;
import dagger.Binds;
import dagger.Module;
import dagger.Provides;
import google.registry.util.CidrAddressBlock.CidrAddressBlockAdapter;
import java.security.NoSuchAlgorithmException;
import java.security.ProviderException;
import java.security.SecureRandom;
@ -79,6 +80,7 @@ public abstract class UtilsModule {
public static Gson provideGson() {
return new GsonBuilder()
.registerTypeAdapter(DateTime.class, new DateTimeTypeAdapter())
.registerTypeAdapter(CidrAddressBlock.class, new CidrAddressBlockAdapter())
.excludeFieldsWithoutExposeAnnotation()
.create();
}