Add Cloud SQL configs for nomulus tool (#288)

We will use a different user for nomulus tool to connect to Cloud SQL. 
This PR added corresponding configurations for that.

core/src/main/java/google/registry/config/RegistryConfig.java

@@ -1296,6 +1296,18 @@ public final class RegistryConfig {
       return config.registryTool.clientSecret;
     }
 
+    @Provides
+    @Config("toolsCloudSqlJdbcUrl")
+    public static String providesToolsCloudSqlJdbcUrl(RegistryConfigSettings config) {
+      return config.registryTool.jdbcUrl;
+    }
+
+    @Provides
+    @Config("toolsCloudSqlUsername")
+    public static String providesToolsCloudSqlUsername(RegistryConfigSettings config) {
+      return config.registryTool.username;
+    }
+
     @Provides
     @Config("rdapTos")
     public static ImmutableList<String> provideRdapTos(RegistryConfigSettings config) {

core/src/main/java/google/registry/config/RegistryConfigSettings.java

@@ -213,5 +213,7 @@ public class RegistryConfigSettings {
   public static class RegistryTool {
     public String clientId;
     public String clientSecret;
+    public String jdbcUrl;
+    public String username;
   }
 }

core/src/main/java/google/registry/config/files/default-config.yaml

@@ -422,3 +422,6 @@ registryTool:
   clientId: YOUR_CLIENT_ID
   # OAuth client secret used by the tool.
   clientSecret: YOUR_CLIENT_SECRET
+  # Nomulus tool uses a different jdbc url and user to connect to Cloud SQL
+  jdbcUrl: jdbc:postgresql://localhost/tool
+  username: toolusername

core/src/main/java/google/registry/keyring/api/DummyKeyringModule.java

@@ -123,6 +123,7 @@ public abstract class DummyKeyringModule {
         "not a real password",
         "not a real login",
         "not a real credential",
+        "not a real password",
         "not a real password");
   }
 

core/src/main/java/google/registry/keyring/api/InMemoryKeyring.java

@@ -40,6 +40,7 @@ public final class InMemoryKeyring implements Keyring {
   private final String marksdbSmdrlLoginAndPassword;
   private final String jsonCredential;
   private final String cloudSqlPassword;
+  private final String toolsCloudSqlPassword;
 
   public InMemoryKeyring(
       PGPKeyPair rdeStagingKey,
@@ -55,7 +56,8 @@ public final class InMemoryKeyring implements Keyring {
       String marksdbLordnPassword,
       String marksdbSmdrlLoginAndPassword,
       String jsonCredential,
-      String cloudSqlPassword) {
+      String cloudSqlPassword,
+      String toolsCloudSqlPassword) {
     checkArgument(PgpHelper.isSigningKey(rdeSigningKey.getPublicKey()),
         "RDE signing key must support signing: %s", rdeSigningKey.getKeyID());
     checkArgument(rdeStagingKey.getPublicKey().isEncryptionKey(),
@@ -82,6 +84,7 @@ public final class InMemoryKeyring implements Keyring {
         checkNotNull(marksdbSmdrlLoginAndPassword, "marksdbSmdrlLoginAndPassword");
     this.jsonCredential = checkNotNull(jsonCredential, "jsonCredential");
     this.cloudSqlPassword = checkNotNull(cloudSqlPassword, "cloudSqlPassword");
+    this.toolsCloudSqlPassword = checkNotNull(toolsCloudSqlPassword, "toolsCloudSqlPassword");
   }
 
   @Override
@@ -159,6 +162,11 @@ public final class InMemoryKeyring implements Keyring {
     return cloudSqlPassword;
   }
 
+  @Override
+  public String getToolsCloudSqlPassword() {
+    return toolsCloudSqlPassword;
+  }
+
   /** Does nothing. */
   @Override
   public void close() {}

core/src/main/java/google/registry/keyring/api/KeyModule.java

@@ -42,6 +42,12 @@ public final class KeyModule {
     return keyring.getCloudSqlPassword();
   }
 
+  @Provides
+  @Key("toolsCloudSqlPassword")
+  static String providesToolsCloudSqlPassword(Keyring keyring) {
+    return keyring.getToolsCloudSqlPassword();
+  }
+
   @Provides
   @Key("brdaReceiverKey")
   static PGPPublicKey provideBrdaReceiverKey(Keyring keyring) {

core/src/main/java/google/registry/keyring/api/Keyring.java

@@ -28,9 +28,12 @@ import org.bouncycastle.openpgp.PGPPublicKey;
 @ThreadSafe
 public interface Keyring extends AutoCloseable {
 
-  /** Returns the password which is used to connect to the Cloud SQL database. */
+  /** Returns the password which is used by App Engine to connect to the Cloud SQL database. */
   String getCloudSqlPassword();
 
+  /** Returns the password which is used by nomulus tool to connect to the Cloud SQL database. */
+  String getToolsCloudSqlPassword();
+
   /**
    * Returns the key which should be used to sign RDE deposits being uploaded to a third-party.
    *

core/src/main/java/google/registry/keyring/kms/KmsKeyring.java

@@ -75,7 +75,8 @@ public class KmsKeyring implements Keyring {
     MARKSDB_LORDN_PASSWORD_STRING,
     MARKSDB_SMDRL_LOGIN_STRING,
     RDE_SSH_CLIENT_PRIVATE_STRING,
-    RDE_SSH_CLIENT_PUBLIC_STRING;
+    RDE_SSH_CLIENT_PUBLIC_STRING,
+    TOOLS_CLOUD_SQL_PASSWORD_STRING;
 
     String getLabel() {
       return UPPER_UNDERSCORE.to(LOWER_HYPHEN, name());
@@ -94,6 +95,11 @@ public class KmsKeyring implements Keyring {
     return getString(StringKeyLabel.CLOUD_SQL_PASSWORD_STRING);
   }
 
+  @Override
+  public String getToolsCloudSqlPassword() {
+    return getString(StringKeyLabel.TOOLS_CLOUD_SQL_PASSWORD_STRING);
+  }
+
   @Override
   public PGPKeyPair getRdeSigningKey() {
     return getKeyPair(PrivateKeyLabel.RDE_SIGNING_PRIVATE);

core/src/main/java/google/registry/keyring/kms/KmsUpdater.java

@@ -33,6 +33,7 @@ import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.MARKSDB_SMDR
 import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.RDE_SSH_CLIENT_PRIVATE_STRING;
 import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.RDE_SSH_CLIENT_PUBLIC_STRING;
 import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.SAFE_BROWSING_API_KEY;
+import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.TOOLS_CLOUD_SQL_PASSWORD_STRING;
 import static google.registry.model.ofy.ObjectifyService.ofy;
 import static google.registry.model.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
@@ -106,6 +107,10 @@ public final class KmsUpdater {
     return setString(apiKey, SAFE_BROWSING_API_KEY);
   }
 
+  public KmsUpdater setToolsCloudSqlPassword(String password) {
+    return setString(password, TOOLS_CLOUD_SQL_PASSWORD_STRING);
+  }
+
   public KmsUpdater setIcannReportingPassword(String password) {
     return setString(password, ICANN_REPORTING_PASSWORD_STRING);
   }

core/src/main/java/google/registry/tools/GetKeyringSecretCommand.java

@@ -68,6 +68,9 @@ final class GetKeyringSecretCommand implements CommandWithRemoteApi {
       case CLOUD_SQL_PASSWORD:
         out.write(KeySerializer.serializeString(keyring.getCloudSqlPassword()));
         break;
+      case TOOLS_CLOUD_SQL_PASSWORD:
+        out.write(KeySerializer.serializeString(keyring.getToolsCloudSqlPassword()));
+        break;
       case ICANN_REPORTING_PASSWORD:
         out.write(KeySerializer.serializeString(keyring.getIcannReportingPassword()));
         break;

core/src/main/java/google/registry/tools/UpdateKmsKeyringCommand.java

@@ -68,6 +68,9 @@ final class UpdateKmsKeyringCommand implements CommandWithRemoteApi {
       case CLOUD_SQL_PASSWORD:
         kmsUpdater.setCloudSqlPassword(deserializeString(input));
         break;
+      case TOOLS_CLOUD_SQL_PASSWORD:
+        kmsUpdater.setToolsCloudSqlPassword(deserializeString(input));
+        break;
       case ICANN_REPORTING_PASSWORD:
         kmsUpdater.setIcannReportingPassword(deserializeString(input));
         break;

core/src/main/java/google/registry/tools/params/KeyringKeyName.java

@@ -38,5 +38,5 @@ public enum KeyringKeyName {
   RDE_STAGING_KEY_PAIR,
   RDE_STAGING_PUBLIC_KEY,
   SAFE_BROWSING_API_KEY,
+  TOOLS_CLOUD_SQL_PASSWORD,
 }
-

core/src/test/java/google/registry/keyring/kms/KmsKeyringTest.java

@@ -55,6 +55,15 @@ public class KmsKeyringTest {
     assertThat(cloudSqlPassword).isEqualTo("cloud-sql-password-stringmoo");
   }
 
+  @Test
+  public void test_getToolsCloudSqlPassword() throws Exception {
+    saveCleartextSecret("tools-cloud-sql-password-string");
+
+    String toolsCloudSqlPassword = keyring.getToolsCloudSqlPassword();
+
+    assertThat(toolsCloudSqlPassword).isEqualTo("tools-cloud-sql-password-stringmoo");
+  }
+
   @Test
   public void test_getRdeSigningKey() throws Exception {
     saveKeyPairSecret("rde-signing-public", "rde-signing-private");

core/src/test/java/google/registry/keyring/kms/KmsUpdaterTest.java

@@ -99,6 +99,16 @@ public class KmsUpdaterTest {
         "cloud-sql-password-string", "cloud-sql-password-string/foo", getCiphertext("value1"));
   }
 
+  @Test
+  public void test_setToolsCloudSqlPassword() {
+    updater.setToolsCloudSqlPassword("value1").update();
+
+    verifySecretAndSecretRevisionWritten(
+        "tools-cloud-sql-password-string",
+        "tools-cloud-sql-password-string/foo",
+        getCiphertext("value1"));
+  }
+
   @Test
   public void test_setIcannReportingPassword() {
     updater.setIcannReportingPassword("value1").update();

core/src/test/java/google/registry/testing/FakeKeyringModule.java

@@ -57,6 +57,7 @@ public final class FakeKeyringModule {
   private static final String MARKSDB_SMDRL_LOGIN_AND_PASSWORD = "smdrl:yolo";
   private static final String JSON_CREDENTIAL = "json123";
   private static final String CLOUD_SQL_PASSWORD = "cloudsqlpw";
+  private static final String TOOLS_CLOUD_SQL_PASSWORD = "toolscloudsqlpw";
 
   @Provides
   public Keyring get() {
@@ -86,6 +87,11 @@ public final class FakeKeyringModule {
         return CLOUD_SQL_PASSWORD;
       }
 
+      @Override
+      public String getToolsCloudSqlPassword() {
+        return TOOLS_CLOUD_SQL_PASSWORD;
+      }
+
       @Override
       public PGPPublicKey getRdeStagingEncryptionKey() {
         return rdeStagingKey.getPublicKey();