From 36ab0cb45c487f5a2efe0aa9bddb39762dbbc9d4 Mon Sep 17 00:00:00 2001
From: Shicong Huang
Date: Fri, 27 Sep 2019 15:58:18 -0400
Subject: [PATCH] Add Cloud SQL configs for nomulus tool (#288)

We will use a different user for nomulus tool to connect to Cloud SQL. This PR added corresponding configurations for that.
---
 .../java/google/registry/config/RegistryConfig.java | 12 ++++++++++++
 .../registry/config/RegistryConfigSettings.java | 2 ++
 .../google/registry/config/files/default-config.yaml | 3 +++
 .../registry/keyring/api/DummyKeyringModule.java | 1 +
 .../google/registry/keyring/api/InMemoryKeyring.java | 10 +++++++++-
 .../java/google/registry/keyring/api/KeyModule.java | 6 ++++++
 .../java/google/registry/keyring/api/Keyring.java | 5 ++++-
 .../java/google/registry/keyring/kms/KmsKeyring.java | 8 +++++++-
 .../java/google/registry/keyring/kms/KmsUpdater.java | 5 +++++
 .../registry/tools/GetKeyringSecretCommand.java | 3 +++
 .../registry/tools/UpdateKmsKeyringCommand.java | 3 +++
 .../google/registry/tools/params/KeyringKeyName.java | 2 +-
 .../google/registry/keyring/kms/KmsKeyringTest.java | 9 +++++++++
 .../google/registry/keyring/kms/KmsUpdaterTest.java | 10 ++++++++++
 .../google/registry/testing/FakeKeyringModule.java | 6 ++++++
 15 files changed, 81 insertions(+), 4 deletions(-)

diff --git a/core/src/main/java/google/registry/config/RegistryConfig.java b/core/src/main/java/google/registry/config/RegistryConfig.java
index 28382a1a3..47f713360 100644
--- a/core/src/main/java/google/registry/config/RegistryConfig.java
+++ b/core/src/main/java/google/registry/config/RegistryConfig.java
@@ -1296,6 +1296,18 @@ public final class RegistryConfig {
 return config.registryTool.clientSecret;
 }
 
+ @Provides
+ @Config("toolsCloudSqlJdbcUrl")
+ public static String providesToolsCloudSqlJdbcUrl(RegistryConfigSettings config) {
+ return config.registryTool.jdbcUrl;
+ }
+
+ @Provides
+ @Config("toolsCloudSqlUsername")
+ public static String providesToolsCloudSqlUsername(RegistryConfigSettings config) {
+ return config.registryTool.username;
+ }
+
 @Provides
 @Config("rdapTos")
 public static ImmutableList provideRdapTos(RegistryConfigSettings config) {
diff --git a/core/src/main/java/google/registry/config/RegistryConfigSettings.java b/core/src/main/java/google/registry/config/RegistryConfigSettings.java
index cb7e873b8..540239b9c 100644
--- a/core/src/main/java/google/registry/config/RegistryConfigSettings.java
+++ b/core/src/main/java/google/registry/config/RegistryConfigSettings.java
@@ -213,5 +213,7 @@ public class RegistryConfigSettings {
 public static class RegistryTool {
 public String clientId;
 public String clientSecret;
+ public String jdbcUrl;
+ public String username;
 }
 }
diff --git a/core/src/main/java/google/registry/config/files/default-config.yaml b/core/src/main/java/google/registry/config/files/default-config.yaml
index ca46e04bf..67f8c39d2 100644
--- a/core/src/main/java/google/registry/config/files/default-config.yaml
+++ b/core/src/main/java/google/registry/config/files/default-config.yaml
@@ -422,3 +422,6 @@ registryTool:
 clientId: YOUR_CLIENT_ID
 # OAuth client secret used by the tool.
 clientSecret: YOUR_CLIENT_SECRET
+ # Nomulus tool uses a different jdbc url and user to connect to Cloud SQL
+ jdbcUrl: jdbc:postgresql://localhost/tool
+ username: toolusername
diff --git a/core/src/main/java/google/registry/keyring/api/DummyKeyringModule.java b/core/src/main/java/google/registry/keyring/api/DummyKeyringModule.java
index 45f5ef645..8eeea48d8 100644
--- a/core/src/main/java/google/registry/keyring/api/DummyKeyringModule.java
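Review bot: The two new providers have no Javadoc, and they are named `providesToolsCloudSqlJdbcUrl` / `providesToolsCloudSqlUsername` while the neighbouring provider in this hunk is `provideRdapTos`; unless the rest of the class already mixes both prefixes, `provideToolsCloudSqlJdbcUrl` and `provideToolsCloudSqlUsername` would follow the visible convention. It is worth saying on each method that this is the non-secret half of the tool's Cloud SQL credentials, because the password deliberately does not come from config: `/** Returns the JDBC URL the nomulus tool uses to reach Cloud SQL; the password is supplied separately from the keyring. */` and `/** Returns the Cloud SQL username for the nomulus tool; the password is supplied separately from the keyring. */`. Both values are read straight from `RegistryConfigSettings`, so a missing key surfaces as a null return from a `@Provides` method; I cannot tell from this hunk whether the surrounding class validates config elsewhere.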
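Review bot: The new comment on `jdbcUrl` / `username` should say where the third credential lives, since anyone reading this file will look for the password next to the username; the patch reads it from the keyring under `TOOLS_CLOUD_SQL_PASSWORD` (see `KeyringKeyName`), so I would write `# Nomulus tool uses a different JDBC URL and user to connect to Cloud SQL. The password is not configured here; it is stored in the keyring as TOOLS_CLOUD_SQL_PASSWORD.` The commit message says this is a separate database user for the tool, so the same comment could note that this user is expected to be granted only the privileges the tool needs. The default URL points at `localhost`, which suggests a local proxy rather than a direct connection to the instance; if a direct URL is ever configured here it should carry the driver's TLS settings, but I cannot tell from the diff which connection path is intended.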
+++ b/core/src/main/java/google/registry/keyring/api/DummyKeyringModule.java @@ -123,6 +123,7 @@ public abstract class DummyKeyringModule { "not a real password", "not a real login", "not a real credential", + "not a real password", "not a real password"); } diff --git a/core/src/main/java/google/registry/keyring/api/InMemoryKeyring.java b/core/src/main/java/google/registry/keyring/api/InMemoryKeyring.java index f6a2cf3bf..9780610de 100644 --- a/core/src/main/java/google/registry/keyring/api/InMemoryKeyring.java +++ b/core/src/main/java/google/registry/keyring/api/InMemoryKeyring.java @@ -40,6 +40,7 @@ public final class InMemoryKeyring implements Keyring { private final String marksdbSmdrlLoginAndPassword; private final String jsonCredential; private final String cloudSqlPassword; + private final String toolsCloudSqlPassword; public InMemoryKeyring( PGPKeyPair rdeStagingKey, @@ -55,7 +56,8 @@ public final class InMemoryKeyring implements Keyring { String marksdbLordnPassword, String marksdbSmdrlLoginAndPassword, String jsonCredential, - String cloudSqlPassword) { + String cloudSqlPassword, + String toolsCloudSqlPassword) { checkArgument(PgpHelper.isSigningKey(rdeSigningKey.getPublicKey()), "RDE signing key must support signing: %s", rdeSigningKey.getKeyID()); checkArgument(rdeStagingKey.getPublicKey().isEncryptionKey(), @@ -82,6 +84,7 @@ public final class InMemoryKeyring implements Keyring { checkNotNull(marksdbSmdrlLoginAndPassword, "marksdbSmdrlLoginAndPassword"); this.jsonCredential = checkNotNull(jsonCredential, "jsonCredential"); this.cloudSqlPassword = checkNotNull(cloudSqlPassword, "cloudSqlPassword"); + this.toolsCloudSqlPassword = checkNotNull(toolsCloudSqlPassword, "toolsCloudSqlPassword"); } @Override @@ -159,6 +162,11 @@ public final class InMemoryKeyring implements Keyring { return cloudSqlPassword; } + @Override + public String getToolsCloudSqlPassword() { + return toolsCloudSqlPassword; + } + /** Does nothing. */ @Override public void close() {} 
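Review bot: The added `"not a real password"` is one more same-typed positional argument to a constructor that takes a long run of `String` parameters, and the only thing binding it to `toolsCloudSqlPassword` is its position after `"not a real credential"`; swapping it with the neighbouring `cloudSqlPassword` placeholder would compile and pass silently, and both placeholders have the identical text. A trailing comment per argument keeps the mapping readable, e.g. `"not a real password", // cloudSqlPassword` and `"not a real password"); // toolsCloudSqlPassword`. The enclosing method starts outside the hunk.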
diff --git a/core/src/main/java/google/registry/keyring/api/KeyModule.java b/core/src/main/java/google/registry/keyring/api/KeyModule.java index 3876f7f72..754801362 100644 --- a/core/src/main/java/google/registry/keyring/api/KeyModule.java +++ b/core/src/main/java/google/registry/keyring/api/KeyModule.java @@ -42,6 +42,12 @@ public final class KeyModule { return keyring.getCloudSqlPassword(); } + @Provides + @Key("toolsCloudSqlPassword") + static String providesToolsCloudSqlPassword(Keyring keyring) { + return keyring.getToolsCloudSqlPassword(); + } + @Provides @Key("brdaReceiverKey") static PGPPublicKey provideBrdaReceiverKey(Keyring keyring) { diff --git a/core/src/main/java/google/registry/keyring/api/Keyring.java b/core/src/main/java/google/registry/keyring/api/Keyring.java index c982d5797..9abe04c68 100644 --- a/core/src/main/java/google/registry/keyring/api/Keyring.java +++ b/core/src/main/java/google/registry/keyring/api/Keyring.java @@ -28,9 +28,12 @@ import org.bouncycastle.openpgp.PGPPublicKey; @ThreadSafe public interface Keyring extends AutoCloseable { - /** Returns the password which is used to connect to the Cloud SQL database. */ + /** Returns the password which is used by App Engine to connect to the Cloud SQL database. */ String getCloudSqlPassword(); + /** Returns the password which is used by nomulus tool to connect to the Cloud SQL database. */ + String getToolsCloudSqlPassword(); + /** * Returns the key which should be used to sign RDE deposits being uploaded to a third-party. * diff --git a/core/src/main/java/google/registry/keyring/kms/KmsKeyring.java b/core/src/main/java/google/registry/keyring/kms/KmsKeyring.java index e8ffc156c..212c2ee1f 100644 --- a/core/src/main/java/google/registry/keyring/kms/KmsKeyring.java +++ b/core/src/main/java/google/registry/keyring/kms/KmsKeyring.java 
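Review bot: `providesToolsCloudSqlPassword` breaks the naming pattern of the provider it sits next to, `provideBrdaReceiverKey` (and of `provideCloudSqlPassword` above it, if the visible `getCloudSqlPassword()` return belongs to a method with that name); `provideToolsCloudSqlPassword` would match. The method also has no Javadoc while it is the injection point for a database credential; a one-liner such as `/** Provides the Cloud SQL password used by the nomulus tool, read from the keyring rather than from config. */` makes the split between keyring-held secret and config-held username/URL explicit to callers of `@Key("toolsCloudSqlPassword")`.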
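Review bot: The new Javadoc reads `used by nomulus tool`; the article is missing and the existing sentence on the line above uses the same shape with `App Engine`, so `/** Returns the password which is used by the nomulus tool to connect to the Cloud SQL database. */` keeps the two doc comments parallel. Adding an abstract method to `Keyring` forces every implementation to change; the patch updates `InMemoryKeyring`, `KmsKeyring` and the anonymous keyring in `FakeKeyringModule`, and I cannot see from here whether any other implementer exists in the repository.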
@@ -75,7 +75,8 @@ public class KmsKeyring implements Keyring {
 MARKSDB_LORDN_PASSWORD_STRING,
 MARKSDB_SMDRL_LOGIN_STRING,
 RDE_SSH_CLIENT_PRIVATE_STRING,
- RDE_SSH_CLIENT_PUBLIC_STRING;
+ RDE_SSH_CLIENT_PUBLIC_STRING,
+ TOOLS_CLOUD_SQL_PASSWORD_STRING;
 
 String getLabel() {
 return UPPER_UNDERSCORE.to(LOWER_HYPHEN, name());
@@ -94,6 +95,11 @@ public class KmsKeyring implements Keyring {
 return getString(StringKeyLabel.CLOUD_SQL_PASSWORD_STRING);
 }
 
+ @Override
+ public String getToolsCloudSqlPassword() {
+ return getString(StringKeyLabel.TOOLS_CLOUD_SQL_PASSWORD_STRING);
+ }
+
 @Override
 public PGPKeyPair getRdeSigningKey() {
 return getKeyPair(PrivateKeyLabel.RDE_SIGNING_PRIVATE);
diff --git a/core/src/main/java/google/registry/keyring/kms/KmsUpdater.java b/core/src/main/java/google/registry/keyring/kms/KmsUpdater.java
index 5710de442..1bc6763c9 100644
--- a/core/src/main/java/google/registry/keyring/kms/KmsUpdater.java
+++ b/core/src/main/java/google/registry/keyring/kms/KmsUpdater.java
@@ -33,6 +33,7 @@ import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.MARKSDB_SMDR
 import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.RDE_SSH_CLIENT_PRIVATE_STRING;
 import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.RDE_SSH_CLIENT_PUBLIC_STRING;
 import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.SAFE_BROWSING_API_KEY;
+import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.TOOLS_CLOUD_SQL_PASSWORD_STRING;
 import static google.registry.model.ofy.ObjectifyService.ofy;
 import static google.registry.model.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
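Review bot: The constant name is the operational contract here: `getLabel()` turns `TOOLS_CLOUD_SQL_PASSWORD_STRING` into `tools-cloud-sql-password-string` (the test in `KmsKeyringTest` pins that label), so the secret must be provisioned under exactly that name before `getToolsCloudSqlPassword()` can succeed, and nothing in the enum says so. A short comment on the new constant, `// label "tools-cloud-sql-password-string"; set via KmsUpdater.setToolsCloudSqlPassword`, spares the next reader from deriving it. I cannot see from this hunk what `getString` does when the secret is absent, so the failure mode for a not-yet-provisioned tool password is unverified here.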
@@ -106,6 +107,10 @@ public final class KmsUpdater {
 return setString(apiKey, SAFE_BROWSING_API_KEY);
 }
 
+ public KmsUpdater setToolsCloudSqlPassword(String password) {
+ return setString(password, TOOLS_CLOUD_SQL_PASSWORD_STRING);
+ }
+
 public KmsUpdater setIcannReportingPassword(String password) {
 return setString(password, ICANN_REPORTING_PASSWORD_STRING);
 }
diff --git a/core/src/main/java/google/registry/tools/GetKeyringSecretCommand.java b/core/src/main/java/google/registry/tools/GetKeyringSecretCommand.java
index bc7d82d56..6118bb532 100644
--- a/core/src/main/java/google/registry/tools/GetKeyringSecretCommand.java
+++ b/core/src/main/java/google/registry/tools/GetKeyringSecretCommand.java
@@ -68,6 +68,9 @@ final class GetKeyringSecretCommand implements CommandWithRemoteApi {
 case CLOUD_SQL_PASSWORD:
 out.write(KeySerializer.serializeString(keyring.getCloudSqlPassword()));
 break;
+ case TOOLS_CLOUD_SQL_PASSWORD:
+ out.write(KeySerializer.serializeString(keyring.getToolsCloudSqlPassword()));
+ break;
 case ICANN_REPORTING_PASSWORD:
 out.write(KeySerializer.serializeString(keyring.getIcannReportingPassword()));
 break;
diff --git a/core/src/main/java/google/registry/tools/UpdateKmsKeyringCommand.java b/core/src/main/java/google/registry/tools/UpdateKmsKeyringCommand.java
index 74e03be4c..2fb459b3f 100644
--- a/core/src/main/java/google/registry/tools/UpdateKmsKeyringCommand.java
+++ b/core/src/main/java/google/registry/tools/UpdateKmsKeyringCommand.java
@@ -68,6 +68,9 @@ final class UpdateKmsKeyringCommand implements CommandWithRemoteApi {
 case CLOUD_SQL_PASSWORD:
 kmsUpdater.setCloudSqlPassword(deserializeString(input));
 break;
+ case TOOLS_CLOUD_SQL_PASSWORD:
+ kmsUpdater.setToolsCloudSqlPassword(deserializeString(input));
+ break;
 case ICANN_REPORTING_PASSWORD:
 kmsUpdater.setIcannReportingPassword(deserializeString(input));
 break;
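Review bot: `setToolsCloudSqlPassword` is inserted between `setSafeBrowsingApiKey` and `setIcannReportingPassword`, whereas the matching getter in `KmsKeyring` was placed directly after `getCloudSqlPassword`; if `setCloudSqlPassword` lives elsewhere in this file (it is referenced from `UpdateKmsKeyringCommand` but not visible in this hunk), moving the new setter next to it keeps the two Cloud SQL credentials together in both classes. Like its neighbours the setter has no Javadoc; `/** Sets the Cloud SQL password used by the nomulus tool (distinct from the App Engine one). */` would make the distinction from `setCloudSqlPassword` explicit at the call site.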
diff --git a/core/src/main/java/google/registry/tools/params/KeyringKeyName.java b/core/src/main/java/google/registry/tools/params/KeyringKeyName.java
index 6534191eb..25a7fc1d5 100644
--- a/core/src/main/java/google/registry/tools/params/KeyringKeyName.java
+++ b/core/src/main/java/google/registry/tools/params/KeyringKeyName.java
@@ -38,5 +38,5 @@ public enum KeyringKeyName {
 RDE_STAGING_KEY_PAIR,
 RDE_STAGING_PUBLIC_KEY,
 SAFE_BROWSING_API_KEY,
+ TOOLS_CLOUD_SQL_PASSWORD,
 }
-
diff --git a/core/src/test/java/google/registry/keyring/kms/KmsKeyringTest.java b/core/src/test/java/google/registry/keyring/kms/KmsKeyringTest.java
index 77ffc10f0..0c6605adb 100644
--- a/core/src/test/java/google/registry/keyring/kms/KmsKeyringTest.java
+++ b/core/src/test/java/google/registry/keyring/kms/KmsKeyringTest.java
@@ -55,6 +55,15 @@ public class KmsKeyringTest {
 assertThat(cloudSqlPassword).isEqualTo("cloud-sql-password-stringmoo");
 }
 
+ @Test
+ public void test_getToolsCloudSqlPassword() throws Exception {
+ saveCleartextSecret("tools-cloud-sql-password-string");
+
+ String toolsCloudSqlPassword = keyring.getToolsCloudSqlPassword();
+
+ assertThat(toolsCloudSqlPassword).isEqualTo("tools-cloud-sql-password-stringmoo");
+ }
+
 @Test
 public void test_getRdeSigningKey() throws Exception {
 saveKeyPairSecret("rde-signing-public", "rde-signing-private");
diff --git a/core/src/test/java/google/registry/keyring/kms/KmsUpdaterTest.java b/core/src/test/java/google/registry/keyring/kms/KmsUpdaterTest.java
index da0817dc3..e5094d502 100644
--- a/core/src/test/java/google/registry/keyring/kms/KmsUpdaterTest.java
+++ b/core/src/test/java/google/registry/keyring/kms/KmsUpdaterTest.java
@@ -99,6 +99,16 @@ public class KmsUpdaterTest {
 "cloud-sql-password-string", "cloud-sql-password-string/foo", getCiphertext("value1"));
 }
 
+ @Test
+ public void test_setToolsCloudSqlPassword() {
+ updater.setToolsCloudSqlPassword("value1").update();
+
+ verifySecretAndSecretRevisionWritten(
+ "tools-cloud-sql-password-string",
+ "tools-cloud-sql-password-string/foo",
+ getCiphertext("value1"));
+ }
+
 @Test
 public void test_setIcannReportingPassword() {
 updater.setIcannReportingPassword("value1").update();
diff --git a/core/src/test/java/google/registry/testing/FakeKeyringModule.java b/core/src/test/java/google/registry/testing/FakeKeyringModule.java
index b729c1fe9..ccce65ee6 100644
--- a/core/src/test/java/google/registry/testing/FakeKeyringModule.java
+++ b/core/src/test/java/google/registry/testing/FakeKeyringModule.java
@@ -57,6 +57,7 @@ public final class FakeKeyringModule {
 private static final String MARKSDB_SMDRL_LOGIN_AND_PASSWORD = "smdrl:yolo";
 private static final String JSON_CREDENTIAL = "json123";
 private static final String CLOUD_SQL_PASSWORD = "cloudsqlpw";
+ private static final String TOOLS_CLOUD_SQL_PASSWORD = "toolscloudsqlpw";
 
 @Provides
 public Keyring get() {
@@ -86,6 +87,11 @@ public final class FakeKeyringModule {
 return CLOUD_SQL_PASSWORD;
 }
 
+ @Override
+ public String getToolsCloudSqlPassword() {
+ return TOOLS_CLOUD_SQL_PASSWORD;
+ }
+
 @Override
 public PGPPublicKey getRdeStagingEncryptionKey() {
 return rdeStagingKey.getPublicKey();