Add Cloud SQL configs for nomulus tool (#288)

We will use a different user for the nomulus tool to connect to Cloud SQL.
This PR adds the corresponding configuration for that.
Shicong Huang 2019-09-27 15:58:18 -04:00 committed by GitHub
parent 34da498958
commit 36ab0cb45c
15 changed files with 81 additions and 4 deletions


@ -1296,6 +1296,18 @@ public final class RegistryConfig {
return config.registryTool.clientSecret; return config.registryTool.clientSecret;
} }
@Provides
@Config("toolsCloudSqlJdbcUrl")
public static String providesToolsCloudSqlJdbcUrl(RegistryConfigSettings config) {
return config.registryTool.jdbcUrl;
}
@Provides
@Config("toolsCloudSqlUsername")
public static String providesToolsCloudSqlUsername(RegistryConfigSettings config) {
return config.registryTool.username;
}
@Provides @Provides
@Config("rdapTos") @Config("rdapTos")
public static ImmutableList<String> provideRdapTos(RegistryConfigSettings config) { public static ImmutableList<String> provideRdapTos(RegistryConfigSettings config) {
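Review bot: The two new providers `providesToolsCloudSqlJdbcUrl` and `providesToolsCloudSqlUsername` carry no Javadoc, and their names only say where the value is read from, not what it is for. A one-line summary on each would make the split between this config and the keyring-held password explicit: `/** Returns the JDBC URL the nomulus tool uses to connect to Cloud SQL. */` and `/** Returns the Cloud SQL user name the nomulus tool connects as; the password is supplied by the keyring. */` (the keyring side is `Keyring#getToolsCloudSqlPassword`, added in this same commit). The enclosing class `RegistryConfig` starts and ends outside the hunk.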


@ -213,5 +213,7 @@ public class RegistryConfigSettings {
public static class RegistryTool { public static class RegistryTool {
public String clientId; public String clientId;
public String clientSecret; public String clientSecret;
public String jdbcUrl;
public String username;
} }
} }


@ -422,3 +422,6 @@ registryTool:
clientId: YOUR_CLIENT_ID clientId: YOUR_CLIENT_ID
# OAuth client secret used by the tool. # OAuth client secret used by the tool.
clientSecret: YOUR_CLIENT_SECRET clientSecret: YOUR_CLIENT_SECRET
# Nomulus tool uses a different jdbc url and user to connect to Cloud SQL
jdbcUrl: jdbc:postgresql://localhost/tool
username: toolusername
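Review bot: The new defaults `jdbcUrl: jdbc:postgresql://localhost/tool` and `username: toolusername` read like real values, unlike the `YOUR_CLIENT_ID` / `YOUR_CLIENT_SECRET` placeholders two lines above, so an environment that forgets to override them is not obviously unconfigured and would presumably only fail at connect time. Consider the same placeholder style, e.g. `username: YOUR_TOOL_USERNAME`, or extend the comment to say these are local-development defaults that each environment config must override. The comment itself could read `# The nomulus tool uses a different JDBC URL and user to connect to Cloud SQL; the password is held in the keyring.`, which also records why no password appears here.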


@ -123,6 +123,7 @@ public abstract class DummyKeyringModule {
"not a real password", "not a real password",
"not a real login", "not a real login",
"not a real credential", "not a real credential",
"not a real password",
"not a real password"); "not a real password");
} }
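Review bot: The added `"not a real password"` argument is indistinguishable from the neighbouring string literals, so nothing verifies that it lands in the `toolsCloudSqlPassword` position of the `InMemoryKeyring` constructor, whose matching parameter is appended last in the `InMemoryKeyring` hunk of this commit. A trailing comment naming the parameter, `"not a real password", // toolsCloudSqlPassword`, or distinct per-parameter placeholder strings would make a future reordering of the positional arguments visible in review. The enclosing provider method starts outside the hunk.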


@ -40,6 +40,7 @@ public final class InMemoryKeyring implements Keyring {
private final String marksdbSmdrlLoginAndPassword; private final String marksdbSmdrlLoginAndPassword;
private final String jsonCredential; private final String jsonCredential;
private final String cloudSqlPassword; private final String cloudSqlPassword;
private final String toolsCloudSqlPassword;
public InMemoryKeyring( public InMemoryKeyring(
PGPKeyPair rdeStagingKey, PGPKeyPair rdeStagingKey,
@ -55,7 +56,8 @@ public final class InMemoryKeyring implements Keyring {
String marksdbLordnPassword, String marksdbLordnPassword,
String marksdbSmdrlLoginAndPassword, String marksdbSmdrlLoginAndPassword,
String jsonCredential, String jsonCredential,
String cloudSqlPassword) { String cloudSqlPassword,
String toolsCloudSqlPassword) {
checkArgument(PgpHelper.isSigningKey(rdeSigningKey.getPublicKey()), checkArgument(PgpHelper.isSigningKey(rdeSigningKey.getPublicKey()),
"RDE signing key must support signing: %s", rdeSigningKey.getKeyID()); "RDE signing key must support signing: %s", rdeSigningKey.getKeyID());
checkArgument(rdeStagingKey.getPublicKey().isEncryptionKey(), checkArgument(rdeStagingKey.getPublicKey().isEncryptionKey(),
@ -82,6 +84,7 @@ public final class InMemoryKeyring implements Keyring {
checkNotNull(marksdbSmdrlLoginAndPassword, "marksdbSmdrlLoginAndPassword"); checkNotNull(marksdbSmdrlLoginAndPassword, "marksdbSmdrlLoginAndPassword");
this.jsonCredential = checkNotNull(jsonCredential, "jsonCredential"); this.jsonCredential = checkNotNull(jsonCredential, "jsonCredential");
this.cloudSqlPassword = checkNotNull(cloudSqlPassword, "cloudSqlPassword"); this.cloudSqlPassword = checkNotNull(cloudSqlPassword, "cloudSqlPassword");
this.toolsCloudSqlPassword = checkNotNull(toolsCloudSqlPassword, "toolsCloudSqlPassword");
} }
@Override @Override
@ -159,6 +162,11 @@ public final class InMemoryKeyring implements Keyring {
return cloudSqlPassword; return cloudSqlPassword;
} }
@Override
public String getToolsCloudSqlPassword() {
return toolsCloudSqlPassword;
}
/** Does nothing. */ /** Does nothing. */
@Override @Override
public void close() {} public void close() {}


@ -42,6 +42,12 @@ public final class KeyModule {
return keyring.getCloudSqlPassword(); return keyring.getCloudSqlPassword();
} }
@Provides
@Key("toolsCloudSqlPassword")
static String providesToolsCloudSqlPassword(Keyring keyring) {
return keyring.getToolsCloudSqlPassword();
}
@Provides @Provides
@Key("brdaReceiverKey") @Key("brdaReceiverKey")
static PGPPublicKey provideBrdaReceiverKey(Keyring keyring) { static PGPPublicKey provideBrdaReceiverKey(Keyring keyring) {


@ -28,9 +28,12 @@ import org.bouncycastle.openpgp.PGPPublicKey;
@ThreadSafe @ThreadSafe
public interface Keyring extends AutoCloseable { public interface Keyring extends AutoCloseable {
/** Returns the password which is used to connect to the Cloud SQL database. */ /** Returns the password which is used by App Engine to connect to the Cloud SQL database. */
String getCloudSqlPassword(); String getCloudSqlPassword();
/** Returns the password which is used by nomulus tool to connect to the Cloud SQL database. */
String getToolsCloudSqlPassword();
/** /**
* Returns the key which should be used to sign RDE deposits being uploaded to a third-party. * Returns the key which should be used to sign RDE deposits being uploaded to a third-party.
* *


@ -75,7 +75,8 @@ public class KmsKeyring implements Keyring {
MARKSDB_LORDN_PASSWORD_STRING, MARKSDB_LORDN_PASSWORD_STRING,
MARKSDB_SMDRL_LOGIN_STRING, MARKSDB_SMDRL_LOGIN_STRING,
RDE_SSH_CLIENT_PRIVATE_STRING, RDE_SSH_CLIENT_PRIVATE_STRING,
RDE_SSH_CLIENT_PUBLIC_STRING; RDE_SSH_CLIENT_PUBLIC_STRING,
TOOLS_CLOUD_SQL_PASSWORD_STRING;
String getLabel() { String getLabel() {
return UPPER_UNDERSCORE.to(LOWER_HYPHEN, name()); return UPPER_UNDERSCORE.to(LOWER_HYPHEN, name());
@ -94,6 +95,11 @@ public class KmsKeyring implements Keyring {
return getString(StringKeyLabel.CLOUD_SQL_PASSWORD_STRING); return getString(StringKeyLabel.CLOUD_SQL_PASSWORD_STRING);
} }
@Override
public String getToolsCloudSqlPassword() {
return getString(StringKeyLabel.TOOLS_CLOUD_SQL_PASSWORD_STRING);
}
@Override @Override
public PGPKeyPair getRdeSigningKey() { public PGPKeyPair getRdeSigningKey() {
return getKeyPair(PrivateKeyLabel.RDE_SIGNING_PRIVATE); return getKeyPair(PrivateKeyLabel.RDE_SIGNING_PRIVATE);
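Review bot: `TOOLS_CLOUD_SQL_PASSWORD_STRING` has no comment noting that its KMS key label is derived from the constant's name by the visible `getLabel()` (`UPPER_UNDERSCORE.to(LOWER_HYPHEN, name())`), so renaming the constant would silently point `getToolsCloudSqlPassword()` at a different secret name. A comment on the enum, `// Labels are derived from name(); renaming a constant changes the key looked up in KMS.`, would document that coupling; the `KmsKeyringTest` hunk in this commit pins the resulting label `tools-cloud-sql-password-string`. The `StringKeyLabel` enum begins outside the hunk.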


@ -33,6 +33,7 @@ import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.MARKSDB_SMDR
import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.RDE_SSH_CLIENT_PRIVATE_STRING; import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.RDE_SSH_CLIENT_PRIVATE_STRING;
import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.RDE_SSH_CLIENT_PUBLIC_STRING; import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.RDE_SSH_CLIENT_PUBLIC_STRING;
import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.SAFE_BROWSING_API_KEY; import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.SAFE_BROWSING_API_KEY;
import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.TOOLS_CLOUD_SQL_PASSWORD_STRING;
import static google.registry.model.ofy.ObjectifyService.ofy; import static google.registry.model.ofy.ObjectifyService.ofy;
import static google.registry.model.transaction.TransactionManagerFactory.tm; import static google.registry.model.transaction.TransactionManagerFactory.tm;
import static google.registry.util.PreconditionsUtils.checkArgumentNotNull; import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
@ -106,6 +107,10 @@ public final class KmsUpdater {
return setString(apiKey, SAFE_BROWSING_API_KEY); return setString(apiKey, SAFE_BROWSING_API_KEY);
} }
public KmsUpdater setToolsCloudSqlPassword(String password) {
return setString(password, TOOLS_CLOUD_SQL_PASSWORD_STRING);
}
public KmsUpdater setIcannReportingPassword(String password) { public KmsUpdater setIcannReportingPassword(String password) {
return setString(password, ICANN_REPORTING_PASSWORD_STRING); return setString(password, ICANN_REPORTING_PASSWORD_STRING);
} }


@ -68,6 +68,9 @@ final class GetKeyringSecretCommand implements CommandWithRemoteApi {
case CLOUD_SQL_PASSWORD: case CLOUD_SQL_PASSWORD:
out.write(KeySerializer.serializeString(keyring.getCloudSqlPassword())); out.write(KeySerializer.serializeString(keyring.getCloudSqlPassword()));
break; break;
case TOOLS_CLOUD_SQL_PASSWORD:
out.write(KeySerializer.serializeString(keyring.getToolsCloudSqlPassword()));
break;
case ICANN_REPORTING_PASSWORD: case ICANN_REPORTING_PASSWORD:
out.write(KeySerializer.serializeString(keyring.getIcannReportingPassword())); out.write(KeySerializer.serializeString(keyring.getIcannReportingPassword()));
break; break;


@ -68,6 +68,9 @@ final class UpdateKmsKeyringCommand implements CommandWithRemoteApi {
case CLOUD_SQL_PASSWORD: case CLOUD_SQL_PASSWORD:
kmsUpdater.setCloudSqlPassword(deserializeString(input)); kmsUpdater.setCloudSqlPassword(deserializeString(input));
break; break;
case TOOLS_CLOUD_SQL_PASSWORD:
kmsUpdater.setToolsCloudSqlPassword(deserializeString(input));
break;
case ICANN_REPORTING_PASSWORD: case ICANN_REPORTING_PASSWORD:
kmsUpdater.setIcannReportingPassword(deserializeString(input)); kmsUpdater.setIcannReportingPassword(deserializeString(input));
break; break;


@ -38,5 +38,5 @@ public enum KeyringKeyName {
RDE_STAGING_KEY_PAIR, RDE_STAGING_KEY_PAIR,
RDE_STAGING_PUBLIC_KEY, RDE_STAGING_PUBLIC_KEY,
SAFE_BROWSING_API_KEY, SAFE_BROWSING_API_KEY,
TOOLS_CLOUD_SQL_PASSWORD,
} }


@ -55,6 +55,15 @@ public class KmsKeyringTest {
assertThat(cloudSqlPassword).isEqualTo("cloud-sql-password-stringmoo"); assertThat(cloudSqlPassword).isEqualTo("cloud-sql-password-stringmoo");
} }
@Test
public void test_getToolsCloudSqlPassword() throws Exception {
saveCleartextSecret("tools-cloud-sql-password-string");
String toolsCloudSqlPassword = keyring.getToolsCloudSqlPassword();
assertThat(toolsCloudSqlPassword).isEqualTo("tools-cloud-sql-password-stringmoo");
}
@Test @Test
public void test_getRdeSigningKey() throws Exception { public void test_getRdeSigningKey() throws Exception {
saveKeyPairSecret("rde-signing-public", "rde-signing-private"); saveKeyPairSecret("rde-signing-public", "rde-signing-private");


@ -99,6 +99,16 @@ public class KmsUpdaterTest {
"cloud-sql-password-string", "cloud-sql-password-string/foo", getCiphertext("value1")); "cloud-sql-password-string", "cloud-sql-password-string/foo", getCiphertext("value1"));
} }
@Test
public void test_setToolsCloudSqlPassword() {
updater.setToolsCloudSqlPassword("value1").update();
verifySecretAndSecretRevisionWritten(
"tools-cloud-sql-password-string",
"tools-cloud-sql-password-string/foo",
getCiphertext("value1"));
}
@Test @Test
public void test_setIcannReportingPassword() { public void test_setIcannReportingPassword() {
updater.setIcannReportingPassword("value1").update(); updater.setIcannReportingPassword("value1").update();


@ -57,6 +57,7 @@ public final class FakeKeyringModule {
private static final String MARKSDB_SMDRL_LOGIN_AND_PASSWORD = "smdrl:yolo"; private static final String MARKSDB_SMDRL_LOGIN_AND_PASSWORD = "smdrl:yolo";
private static final String JSON_CREDENTIAL = "json123"; private static final String JSON_CREDENTIAL = "json123";
private static final String CLOUD_SQL_PASSWORD = "cloudsqlpw"; private static final String CLOUD_SQL_PASSWORD = "cloudsqlpw";
private static final String TOOLS_CLOUD_SQL_PASSWORD = "toolscloudsqlpw";
@Provides @Provides
public Keyring get() { public Keyring get() {
@ -86,6 +87,11 @@ public final class FakeKeyringModule {
return CLOUD_SQL_PASSWORD; return CLOUD_SQL_PASSWORD;
} }
@Override
public String getToolsCloudSqlPassword() {
return TOOLS_CLOUD_SQL_PASSWORD;
}
@Override @Override
public PGPPublicKey getRdeStagingEncryptionKey() { public PGPPublicKey getRdeStagingEncryptionKey() {
return rdeStagingKey.getPublicKey(); return rdeStagingKey.getPublicKey();