Add Cloud SQL configs for nomulus tool (#288)
The nomulus tool will connect to Cloud SQL as a different user. This PR adds the corresponding configuration.
parent
34da498958
commit
36ab0cb45c
15 changed files with 81 additions and 4 deletions
|
@ -1296,6 +1296,18 @@ public final class RegistryConfig {
|
||||||
return config.registryTool.clientSecret;
|
return config.registryTool.clientSecret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Provides
|
||||||
|
@Config("toolsCloudSqlJdbcUrl")
|
||||||
|
public static String providesToolsCloudSqlJdbcUrl(RegistryConfigSettings config) {
|
||||||
|
return config.registryTool.jdbcUrl;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Provides
|
||||||
|
@Config("toolsCloudSqlUsername")
|
||||||
|
public static String providesToolsCloudSqlUsername(RegistryConfigSettings config) {
|
||||||
|
return config.registryTool.username;
|
||||||
|
}
|
||||||
|
|
||||||
@Provides
|
@Provides
|
||||||
@Config("rdapTos")
|
@Config("rdapTos")
|
||||||
public static ImmutableList<String> provideRdapTos(RegistryConfigSettings config) {
|
public static ImmutableList<String> provideRdapTos(RegistryConfigSettings config) {
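Review bot: The two new providers are named `providesToolsCloudSqlJdbcUrl` and `providesToolsCloudSqlUsername`, while the neighbouring provider at the end of this section is `provideRdapTos`; the same `provides…` prefix appears on `providesToolsCloudSqlPassword` in KeyModule, next to `provideBrdaReceiverKey`. Renaming them to `provideToolsCloudSqlJdbcUrl`, `provideToolsCloudSqlUsername` and `provideToolsCloudSqlPassword` would keep both modules consistent. Neither config provider has Javadoc; one line each would do, e.g. `/** Returns the JDBC URL the nomulus tool uses to connect to Cloud SQL. */` and `/** Returns the database user the nomulus tool connects as. */`.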
|
||||||
|
|
|
@ -213,5 +213,7 @@ public class RegistryConfigSettings {
|
||||||
public static class RegistryTool {
|
public static class RegistryTool {
|
||||||
public String clientId;
|
public String clientId;
|
||||||
public String clientSecret;
|
public String clientSecret;
|
||||||
|
public String jdbcUrl;
|
||||||
|
public String username;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -422,3 +422,6 @@ registryTool:
|
||||||
clientId: YOUR_CLIENT_ID
|
clientId: YOUR_CLIENT_ID
|
||||||
# OAuth client secret used by the tool.
|
# OAuth client secret used by the tool.
|
||||||
clientSecret: YOUR_CLIENT_SECRET
|
clientSecret: YOUR_CLIENT_SECRET
|
||||||
|
# Nomulus tool uses a different jdbc url and user to connect to Cloud SQL
|
||||||
|
jdbcUrl: jdbc:postgresql://localhost/tool
|
||||||
|
username: toolusername
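Review bot: The single comment above `jdbcUrl` covers two keys and does not say where the matching password lives, unlike the per-key comment on `clientSecret` just above. The password is read from the keyring (`TOOLS_CLOUD_SQL_PASSWORD` in this commit), so saying so here keeps it out of this file, for example `# JDBC URL for the nomulus tool's Cloud SQL connection. The password is stored in the keyring, not in this file.` and `# Database user the nomulus tool connects as.` The defaults `jdbc:postgresql://localhost/tool` and `toolusername` also read as usable values rather than placeholders in the style of `YOUR_CLIENT_ID`, so an unconfigured environment would presumably fail only at connect time instead of looking obviously unset.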
|
||||||
|
|
|
@ -123,6 +123,7 @@ public abstract class DummyKeyringModule {
|
||||||
"not a real password",
|
"not a real password",
|
||||||
"not a real login",
|
"not a real login",
|
||||||
"not a real credential",
|
"not a real credential",
|
||||||
|
"not a real password",
|
||||||
"not a real password");
|
"not a real password");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -40,6 +40,7 @@ public final class InMemoryKeyring implements Keyring {
|
||||||
private final String marksdbSmdrlLoginAndPassword;
|
private final String marksdbSmdrlLoginAndPassword;
|
||||||
private final String jsonCredential;
|
private final String jsonCredential;
|
||||||
private final String cloudSqlPassword;
|
private final String cloudSqlPassword;
|
||||||
|
private final String toolsCloudSqlPassword;
|
||||||
|
|
||||||
public InMemoryKeyring(
|
public InMemoryKeyring(
|
||||||
PGPKeyPair rdeStagingKey,
|
PGPKeyPair rdeStagingKey,
|
||||||
|
@ -55,7 +56,8 @@ public final class InMemoryKeyring implements Keyring {
|
||||||
String marksdbLordnPassword,
|
String marksdbLordnPassword,
|
||||||
String marksdbSmdrlLoginAndPassword,
|
String marksdbSmdrlLoginAndPassword,
|
||||||
String jsonCredential,
|
String jsonCredential,
|
||||||
String cloudSqlPassword) {
|
String cloudSqlPassword,
|
||||||
|
String toolsCloudSqlPassword) {
|
||||||
checkArgument(PgpHelper.isSigningKey(rdeSigningKey.getPublicKey()),
|
checkArgument(PgpHelper.isSigningKey(rdeSigningKey.getPublicKey()),
|
||||||
"RDE signing key must support signing: %s", rdeSigningKey.getKeyID());
|
"RDE signing key must support signing: %s", rdeSigningKey.getKeyID());
|
||||||
checkArgument(rdeStagingKey.getPublicKey().isEncryptionKey(),
|
checkArgument(rdeStagingKey.getPublicKey().isEncryptionKey(),
|
||||||
|
@ -82,6 +84,7 @@ public final class InMemoryKeyring implements Keyring {
|
||||||
checkNotNull(marksdbSmdrlLoginAndPassword, "marksdbSmdrlLoginAndPassword");
|
checkNotNull(marksdbSmdrlLoginAndPassword, "marksdbSmdrlLoginAndPassword");
|
||||||
this.jsonCredential = checkNotNull(jsonCredential, "jsonCredential");
|
this.jsonCredential = checkNotNull(jsonCredential, "jsonCredential");
|
||||||
this.cloudSqlPassword = checkNotNull(cloudSqlPassword, "cloudSqlPassword");
|
this.cloudSqlPassword = checkNotNull(cloudSqlPassword, "cloudSqlPassword");
|
||||||
|
this.toolsCloudSqlPassword = checkNotNull(toolsCloudSqlPassword, "toolsCloudSqlPassword");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
@ -159,6 +162,11 @@ public final class InMemoryKeyring implements Keyring {
|
||||||
return cloudSqlPassword;
|
return cloudSqlPassword;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String getToolsCloudSqlPassword() {
|
||||||
|
return toolsCloudSqlPassword;
|
||||||
|
}
|
||||||
|
|
||||||
/** Does nothing. */
|
/** Does nothing. */
|
||||||
@Override
|
@Override
|
||||||
public void close() {}
|
public void close() {}
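Review bot: `toolsCloudSqlPassword` is appended as another positional `String` directly after `cloudSqlPassword`, so a caller that transposes the two arguments compiles cleanly and the keyring returns the App Engine password where the tool's is expected. DummyKeyringModule passes the identical literal `"not a real password"` for both, so a swap would go unnoticed there. The constructor starts and ends outside these hunks, but with this many adjacent `String` parameters visible, a builder with named setters would make the pairing explicit. At minimum, a `/* toolsCloudSqlPassword= */` comment at each call site would help.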
|
||||||
|
|
|
@ -42,6 +42,12 @@ public final class KeyModule {
|
||||||
return keyring.getCloudSqlPassword();
|
return keyring.getCloudSqlPassword();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Provides
|
||||||
|
@Key("toolsCloudSqlPassword")
|
||||||
|
static String providesToolsCloudSqlPassword(Keyring keyring) {
|
||||||
|
return keyring.getToolsCloudSqlPassword();
|
||||||
|
}
|
||||||
|
|
||||||
@Provides
|
@Provides
|
||||||
@Key("brdaReceiverKey")
|
@Key("brdaReceiverKey")
|
||||||
static PGPPublicKey provideBrdaReceiverKey(Keyring keyring) {
|
static PGPPublicKey provideBrdaReceiverKey(Keyring keyring) {
|
||||||
|
|
|
@ -28,9 +28,12 @@ import org.bouncycastle.openpgp.PGPPublicKey;
|
||||||
@ThreadSafe
|
@ThreadSafe
|
||||||
public interface Keyring extends AutoCloseable {
|
public interface Keyring extends AutoCloseable {
|
||||||
|
|
||||||
/** Returns the password which is used to connect to the Cloud SQL database. */
|
/** Returns the password which is used by App Engine to connect to the Cloud SQL database. */
|
||||||
String getCloudSqlPassword();
|
String getCloudSqlPassword();
|
||||||
|
|
||||||
|
/** Returns the password which is used by nomulus tool to connect to the Cloud SQL database. */
|
||||||
|
String getToolsCloudSqlPassword();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Returns the key which should be used to sign RDE deposits being uploaded to a third-party.
|
* Returns the key which should be used to sign RDE deposits being uploaded to a third-party.
|
||||||
*
|
*
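Review bot: `getToolsCloudSqlPassword()` is added as an abstract method, so any `Keyring` implementation other than the three updated in this commit (InMemoryKeyring, KmsKeyring and the one in FakeKeyringModule) stops compiling; whether such implementations exist is not visible here. If they do, a release note is safer than a `default` method, because a default that falls back to `getCloudSqlPassword()` would silently remove the separation between the two database users. The Javadoc could also name the account it pairs with, e.g. `/** Returns the password for the database user configured as toolsCloudSqlUsername, which nomulus tool uses to connect to Cloud SQL. */`.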
|
||||||
|
|
|
@ -75,7 +75,8 @@ public class KmsKeyring implements Keyring {
|
||||||
MARKSDB_LORDN_PASSWORD_STRING,
|
MARKSDB_LORDN_PASSWORD_STRING,
|
||||||
MARKSDB_SMDRL_LOGIN_STRING,
|
MARKSDB_SMDRL_LOGIN_STRING,
|
||||||
RDE_SSH_CLIENT_PRIVATE_STRING,
|
RDE_SSH_CLIENT_PRIVATE_STRING,
|
||||||
RDE_SSH_CLIENT_PUBLIC_STRING;
|
RDE_SSH_CLIENT_PUBLIC_STRING,
|
||||||
|
TOOLS_CLOUD_SQL_PASSWORD_STRING;
|
||||||
|
|
||||||
String getLabel() {
|
String getLabel() {
|
||||||
return UPPER_UNDERSCORE.to(LOWER_HYPHEN, name());
|
return UPPER_UNDERSCORE.to(LOWER_HYPHEN, name());
|
||||||
|
@ -94,6 +95,11 @@ public class KmsKeyring implements Keyring {
|
||||||
return getString(StringKeyLabel.CLOUD_SQL_PASSWORD_STRING);
|
return getString(StringKeyLabel.CLOUD_SQL_PASSWORD_STRING);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String getToolsCloudSqlPassword() {
|
||||||
|
return getString(StringKeyLabel.TOOLS_CLOUD_SQL_PASSWORD_STRING);
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public PGPKeyPair getRdeSigningKey() {
|
public PGPKeyPair getRdeSigningKey() {
|
||||||
return getKeyPair(PrivateKeyLabel.RDE_SIGNING_PRIVATE);
|
return getKeyPair(PrivateKeyLabel.RDE_SIGNING_PRIVATE);
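Review bot: `getToolsCloudSqlPassword()` reads the secret labelled `tools-cloud-sql-password-string` (derived from `TOOLS_CLOUD_SQL_PASSWORD_STRING` by `getLabel()`, and matching the new tests), which an existing environment presumably will not have stored until UpdateKmsKeyringCommand has been run for `TOOLS_CLOUD_SQL_PASSWORD`. How `getString` behaves for a missing secret is not visible in this hunk; if it throws a generic exception, the first failure after rollout will be hard to diagnose. A short Javadoc on the method would cover this, e.g. `/** Requires the tools-cloud-sql-password-string secret to have been written via UpdateKmsKeyringCommand. */`, as would a rollout note in the PR description.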
|
||||||
|
|
|
@ -33,6 +33,7 @@ import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.MARKSDB_SMDR
|
||||||
import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.RDE_SSH_CLIENT_PRIVATE_STRING;
|
import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.RDE_SSH_CLIENT_PRIVATE_STRING;
|
||||||
import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.RDE_SSH_CLIENT_PUBLIC_STRING;
|
import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.RDE_SSH_CLIENT_PUBLIC_STRING;
|
||||||
import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.SAFE_BROWSING_API_KEY;
|
import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.SAFE_BROWSING_API_KEY;
|
||||||
|
import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.TOOLS_CLOUD_SQL_PASSWORD_STRING;
|
||||||
import static google.registry.model.ofy.ObjectifyService.ofy;
|
import static google.registry.model.ofy.ObjectifyService.ofy;
|
||||||
import static google.registry.model.transaction.TransactionManagerFactory.tm;
|
import static google.registry.model.transaction.TransactionManagerFactory.tm;
|
||||||
import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
|
import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
|
||||||
|
@ -106,6 +107,10 @@ public final class KmsUpdater {
|
||||||
return setString(apiKey, SAFE_BROWSING_API_KEY);
|
return setString(apiKey, SAFE_BROWSING_API_KEY);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public KmsUpdater setToolsCloudSqlPassword(String password) {
|
||||||
|
return setString(password, TOOLS_CLOUD_SQL_PASSWORD_STRING);
|
||||||
|
}
|
||||||
|
|
||||||
public KmsUpdater setIcannReportingPassword(String password) {
|
public KmsUpdater setIcannReportingPassword(String password) {
|
||||||
return setString(password, ICANN_REPORTING_PASSWORD_STRING);
|
return setString(password, ICANN_REPORTING_PASSWORD_STRING);
|
||||||
}
|
}
|
||||||
|
|
|
@ -68,6 +68,9 @@ final class GetKeyringSecretCommand implements CommandWithRemoteApi {
|
||||||
case CLOUD_SQL_PASSWORD:
|
case CLOUD_SQL_PASSWORD:
|
||||||
out.write(KeySerializer.serializeString(keyring.getCloudSqlPassword()));
|
out.write(KeySerializer.serializeString(keyring.getCloudSqlPassword()));
|
||||||
break;
|
break;
|
||||||
|
case TOOLS_CLOUD_SQL_PASSWORD:
|
||||||
|
out.write(KeySerializer.serializeString(keyring.getToolsCloudSqlPassword()));
|
||||||
|
break;
|
||||||
case ICANN_REPORTING_PASSWORD:
|
case ICANN_REPORTING_PASSWORD:
|
||||||
out.write(KeySerializer.serializeString(keyring.getIcannReportingPassword()));
|
out.write(KeySerializer.serializeString(keyring.getIcannReportingPassword()));
|
||||||
break;
|
break;
|
||||||
|
|
|
@ -68,6 +68,9 @@ final class UpdateKmsKeyringCommand implements CommandWithRemoteApi {
|
||||||
case CLOUD_SQL_PASSWORD:
|
case CLOUD_SQL_PASSWORD:
|
||||||
kmsUpdater.setCloudSqlPassword(deserializeString(input));
|
kmsUpdater.setCloudSqlPassword(deserializeString(input));
|
||||||
break;
|
break;
|
||||||
|
case TOOLS_CLOUD_SQL_PASSWORD:
|
||||||
|
kmsUpdater.setToolsCloudSqlPassword(deserializeString(input));
|
||||||
|
break;
|
||||||
case ICANN_REPORTING_PASSWORD:
|
case ICANN_REPORTING_PASSWORD:
|
||||||
kmsUpdater.setIcannReportingPassword(deserializeString(input));
|
kmsUpdater.setIcannReportingPassword(deserializeString(input));
|
||||||
break;
|
break;
|
||||||
|
|
|
@ -38,5 +38,5 @@ public enum KeyringKeyName {
|
||||||
RDE_STAGING_KEY_PAIR,
|
RDE_STAGING_KEY_PAIR,
|
||||||
RDE_STAGING_PUBLIC_KEY,
|
RDE_STAGING_PUBLIC_KEY,
|
||||||
SAFE_BROWSING_API_KEY,
|
SAFE_BROWSING_API_KEY,
|
||||||
|
TOOLS_CLOUD_SQL_PASSWORD,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -55,6 +55,15 @@ public class KmsKeyringTest {
|
||||||
assertThat(cloudSqlPassword).isEqualTo("cloud-sql-password-stringmoo");
|
assertThat(cloudSqlPassword).isEqualTo("cloud-sql-password-stringmoo");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void test_getToolsCloudSqlPassword() throws Exception {
|
||||||
|
saveCleartextSecret("tools-cloud-sql-password-string");
|
||||||
|
|
||||||
|
String toolsCloudSqlPassword = keyring.getToolsCloudSqlPassword();
|
||||||
|
|
||||||
|
assertThat(toolsCloudSqlPassword).isEqualTo("tools-cloud-sql-password-stringmoo");
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void test_getRdeSigningKey() throws Exception {
|
public void test_getRdeSigningKey() throws Exception {
|
||||||
saveKeyPairSecret("rde-signing-public", "rde-signing-private");
|
saveKeyPairSecret("rde-signing-public", "rde-signing-private");
|
||||||
|
|
|
@ -99,6 +99,16 @@ public class KmsUpdaterTest {
|
||||||
"cloud-sql-password-string", "cloud-sql-password-string/foo", getCiphertext("value1"));
|
"cloud-sql-password-string", "cloud-sql-password-string/foo", getCiphertext("value1"));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void test_setToolsCloudSqlPassword() {
|
||||||
|
updater.setToolsCloudSqlPassword("value1").update();
|
||||||
|
|
||||||
|
verifySecretAndSecretRevisionWritten(
|
||||||
|
"tools-cloud-sql-password-string",
|
||||||
|
"tools-cloud-sql-password-string/foo",
|
||||||
|
getCiphertext("value1"));
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void test_setIcannReportingPassword() {
|
public void test_setIcannReportingPassword() {
|
||||||
updater.setIcannReportingPassword("value1").update();
|
updater.setIcannReportingPassword("value1").update();
|
||||||
|
|
|
@ -57,6 +57,7 @@ public final class FakeKeyringModule {
|
||||||
private static final String MARKSDB_SMDRL_LOGIN_AND_PASSWORD = "smdrl:yolo";
|
private static final String MARKSDB_SMDRL_LOGIN_AND_PASSWORD = "smdrl:yolo";
|
||||||
private static final String JSON_CREDENTIAL = "json123";
|
private static final String JSON_CREDENTIAL = "json123";
|
||||||
private static final String CLOUD_SQL_PASSWORD = "cloudsqlpw";
|
private static final String CLOUD_SQL_PASSWORD = "cloudsqlpw";
|
||||||
|
private static final String TOOLS_CLOUD_SQL_PASSWORD = "toolscloudsqlpw";
|
||||||
|
|
||||||
@Provides
|
@Provides
|
||||||
public Keyring get() {
|
public Keyring get() {
|
||||||
|
@ -86,6 +87,11 @@ public final class FakeKeyringModule {
|
||||||
return CLOUD_SQL_PASSWORD;
|
return CLOUD_SQL_PASSWORD;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String getToolsCloudSqlPassword() {
|
||||||
|
return TOOLS_CLOUD_SQL_PASSWORD;
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public PGPPublicKey getRdeStagingEncryptionKey() {
|
public PGPPublicKey getRdeStagingEncryptionKey() {
|
||||||
return rdeStagingKey.getPublicKey();
|
return rdeStagingKey.getPublicKey();
|
||||||
|
|