Narrowly scope privileges for API service objects

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=129099520

java/google/registry/bigquery/BigqueryModule.java

@@ -20,25 +20,16 @@ import com.google.api.client.json.JsonFactory;
 import com.google.api.services.bigquery.Bigquery;
 import com.google.api.services.bigquery.BigqueryScopes;
 import com.google.api.services.bigquery.model.TableFieldSchema;
+import com.google.common.base.Function;
 import com.google.common.collect.ImmutableList;
 import dagger.Module;
 import dagger.Provides;
-import dagger.multibindings.ElementsIntoSet;
 import dagger.multibindings.Multibinds;
 import google.registry.config.ConfigModule.Config;
-import google.registry.request.OAuthScopes;
 import java.util.Map;
 import java.util.Set;
 
-/**
- * Dagger module for Google {@link Bigquery} connection objects.
- *
- * @see google.registry.config.ConfigModule
- * @see google.registry.request.Modules.UrlFetchTransportModule
- * @see google.registry.request.Modules.Jackson2Module
- * @see google.registry.request.Modules.AppIdentityCredentialModule
- * @see google.registry.request.Modules.UseAppIdentityCredentialForGoogleApisModule
- */
+/** Dagger module for Google {@link Bigquery} connection objects. */
 @Module
 public abstract class BigqueryModule {
 
@@ -46,21 +37,13 @@ public abstract class BigqueryModule {
   @Multibinds
   abstract Map<String, ImmutableList<TableFieldSchema>> bigquerySchemas();
 
-  /** Provides OAuth2 scopes for the Bigquery service needed by Domain Registry. */
-  @Provides
-  @ElementsIntoSet
-  @OAuthScopes
-  static Set<String> provideBigqueryOAuthScopes() {
-    return BigqueryScopes.all();
-  }
-
   @Provides
   static Bigquery provideBigquery(
       HttpTransport transport,
       JsonFactory jsonFactory,
-      HttpRequestInitializer httpRequestInitializer,
+      Function<Set<String>, ? extends HttpRequestInitializer> credential,
       @Config("projectId") String projectId) {
-    return new Bigquery.Builder(transport, jsonFactory, httpRequestInitializer)
+    return new Bigquery.Builder(transport, jsonFactory, credential.apply(BigqueryScopes.all()))
         .setApplicationName(projectId)
         .build();
   }

java/google/registry/export/DriveModule.java

@@ -19,40 +19,23 @@ import com.google.api.client.http.HttpTransport;
 import com.google.api.client.json.JsonFactory;
 import com.google.api.services.drive.Drive;
 import com.google.api.services.drive.DriveScopes;
+import com.google.common.base.Function;
 import dagger.Module;
 import dagger.Provides;
-import dagger.multibindings.ElementsIntoSet;
 import google.registry.config.ConfigModule.Config;
-import google.registry.request.OAuthScopes;
 import java.util.Set;
 
-/**
- * Dagger module for Google {@link Drive} service connection objects.
- *
- * @see google.registry.config.ConfigModule
- * @see google.registry.request.Modules.UrlFetchTransportModule
- * @see google.registry.request.Modules.Jackson2Module
- * @see google.registry.request.Modules.AppIdentityCredentialModule
- * @see google.registry.request.Modules.UseAppIdentityCredentialForGoogleApisModule
- */
+/** Dagger module for Google {@link Drive} service connection objects. */
 @Module
 public final class DriveModule {
 
-  /** Provides OAuth2 scopes for the Drive service needed by Domain Registry. */
-  @Provides
-  @ElementsIntoSet
-  @OAuthScopes
-  static Set<String> provideDriveOAuthScopes() {
-    return DriveScopes.all();
-  }
-
   @Provides
   static Drive provideDrive(
       HttpTransport transport,
       JsonFactory jsonFactory,
-      HttpRequestInitializer httpRequestInitializer,
+      Function<Set<String>, ? extends HttpRequestInitializer> credential,
       @Config("projectId") String projectId) {
-    return new Drive.Builder(transport, jsonFactory, httpRequestInitializer)
+    return new Drive.Builder(transport, jsonFactory, credential.apply(DriveScopes.all()))
         .setApplicationName(projectId)
         .build();
   }

java/google/registry/groups/DirectoryModule.java

@@ -20,39 +20,24 @@ import com.google.api.services.admin.directory.DirectoryScopes;
 import com.google.common.collect.ImmutableSet;
 import dagger.Module;
 import dagger.Provides;
-import dagger.multibindings.ElementsIntoSet;
 import google.registry.config.ConfigModule.Config;
-import google.registry.request.DelegatedOAuthScopes;
-import java.util.Set;
 import javax.inject.Named;
 
-/**
- * Dagger module for the Google {@link Directory} service.
- *
- * @see google.registry.config.ConfigModule
- * @see google.registry.request.Modules.UrlFetchTransportModule
- * @see google.registry.request.Modules.Jackson2Module
- * @see google.registry.request.Modules.AppIdentityCredentialModule
- * @see google.registry.request.Modules.UseAppIdentityCredentialForGoogleApisModule
- */
+/** Dagger module for the Google {@link Directory} service. */
 @Module
 public final class DirectoryModule {
 
-  /** Provides OAuth2 scopes for the Directory service needed by Domain Registry. */
-  @Provides
-  @ElementsIntoSet
-  @DelegatedOAuthScopes
-  static Set<String> provideDirectoryOAuthScopes() {
-    return ImmutableSet.of(
-        DirectoryScopes.ADMIN_DIRECTORY_GROUP_MEMBER,
-        DirectoryScopes.ADMIN_DIRECTORY_GROUP);
-  }
-
   @Provides
   static Directory provideDirectory(
       @Named("delegatedAdmin") GoogleCredential credential,
       @Config("projectId") String projectId) {
-    return new Directory.Builder(credential.getTransport(), credential.getJsonFactory(), credential)
+    return new Directory.Builder(
+            credential.getTransport(),
+            credential.getJsonFactory(),
+            credential.createScoped(
+                ImmutableSet.of(
+                    DirectoryScopes.ADMIN_DIRECTORY_GROUP_MEMBER,
+                    DirectoryScopes.ADMIN_DIRECTORY_GROUP)))
         .setApplicationName(projectId)
         .build();
   }

java/google/registry/groups/GroupssettingsModule.java

@@ -20,38 +20,21 @@ import com.google.api.services.groupssettings.GroupssettingsScopes;
 import com.google.common.collect.ImmutableSet;
 import dagger.Module;
 import dagger.Provides;
-import dagger.multibindings.ElementsIntoSet;
 import google.registry.config.ConfigModule.Config;
-import google.registry.request.DelegatedOAuthScopes;
-import java.util.Set;
 import javax.inject.Named;
 
-/**
- * Dagger module for the Google {@link Groupssettings} service.
- *
- * @see google.registry.config.ConfigModule
- * @see google.registry.request.Modules.UrlFetchTransportModule
- * @see google.registry.request.Modules.Jackson2Module
- * @see google.registry.request.Modules.AppIdentityCredentialModule
- * @see google.registry.request.Modules.UseAppIdentityCredentialForGoogleApisModule
- */
+/** Dagger module for the Google {@link Groupssettings} service. */
 @Module
 public final class GroupssettingsModule {
 
-  /** Provides OAuth2 scopes for the Groupssettings service needed by Domain Registry. */
   @Provides
-  @ElementsIntoSet
-  @DelegatedOAuthScopes
-  static Set<String> provideGroupssettingsOAuthScopes() {
-    return ImmutableSet.of(GroupssettingsScopes.APPS_GROUPS_SETTINGS);
-  }
-
-  @Provides
-  static Groupssettings provideGroupssettings(
+  static Groupssettings provideDirectory(
       @Named("delegatedAdmin") GoogleCredential credential,
       @Config("projectId") String projectId) {
-    return new Groupssettings
-        .Builder(credential.getTransport(), credential.getJsonFactory(), credential)
+    return new Groupssettings.Builder(
+            credential.getTransport(),
+            credential.getJsonFactory(),
+            credential.createScoped(ImmutableSet.of(GroupssettingsScopes.APPS_GROUPS_SETTINGS)))
         .setApplicationName(projectId)
         .build();
   }

java/google/registry/monitoring/whitebox/StackdriverModule.java

@@ -19,32 +19,23 @@ import com.google.api.client.http.HttpTransport;
 import com.google.api.client.json.JsonFactory;
 import com.google.api.services.monitoring.v3.Monitoring;
 import com.google.api.services.monitoring.v3.MonitoringScopes;
+import com.google.common.base.Function;
 import dagger.Module;
 import dagger.Provides;
-import dagger.multibindings.ElementsIntoSet;
 import google.registry.config.ConfigModule.Config;
-import google.registry.request.OAuthScopes;
 import java.util.Set;
 
 /** Dagger module for Google Stackdriver service connection objects. */
 @Module
 public final class StackdriverModule {
 
-  /** Provides OAuth2 scopes for the Stackdriver service needed by Domain Registry. */
-  @Provides
-  @ElementsIntoSet
-  @OAuthScopes
-  static Set<String> provideStackdriverOAuthScopes() {
-    return MonitoringScopes.all();
-  }
-
   @Provides
   static Monitoring provideMonitoring(
       HttpTransport transport,
       JsonFactory jsonFactory,
-      HttpRequestInitializer httpRequestInitializer,
+      Function<Set<String>, ? extends HttpRequestInitializer> credential,
       @Config("projectId") String projectId) {
-    return new Monitoring.Builder(transport, jsonFactory, httpRequestInitializer)
+    return new Monitoring.Builder(transport, jsonFactory, credential.apply(MonitoringScopes.all()))
         .setApplicationName(projectId)
         .build();
   }

java/google/registry/request/BUILD

@@ -35,13 +35,13 @@ java_library(
     srcs = ["Modules.java"],
     visibility = ["//visibility:public"],
     deps = [
-        ":request",
         "//java/com/google/api/client/extensions/appengine/http",
         "//java/com/google/api/client/googleapis/auth/oauth2",
         "//java/com/google/api/client/googleapis/extensions/appengine/auth/oauth2",
         "//java/com/google/api/client/http",
         "//java/com/google/api/client/json",
         "//java/com/google/api/client/json/jackson2",
+        "//java/com/google/common/base",
         "//third_party/java/appengine:appengine-api",
         "//third_party/java/dagger",
         "//java/google/registry/config",

java/google/registry/request/DelegatedOAuthScopes.java

@@ -1,27 +0,0 @@
-// Copyright 2016 The Domain Registry Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.request;
-
-import java.lang.annotation.Documented;
-import java.util.Set;
-import javax.inject.Qualifier;
-
-/**
- * Dagger qualifier for the {@link Set} of OAuth2 scope strings used for authorization on APIs that
- * are connected to using a delegated user account (the serviceAccountUser in GoogleCredential).
- */
-@Qualifier
-@Documented
-public @interface DelegatedOAuthScopes {}

java/google/registry/request/Modules.java

@@ -31,6 +31,7 @@ import com.google.appengine.api.urlfetch.URLFetchService;
 import com.google.appengine.api.urlfetch.URLFetchServiceFactory;
 import com.google.appengine.api.users.UserService;
 import com.google.appengine.api.users.UserServiceFactory;
+import com.google.common.base.Function;
 import dagger.Binds;
 import dagger.Module;
 import dagger.Provides;
@@ -40,6 +41,7 @@ import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.util.Set;
 import javax.inject.Named;
+import javax.inject.Provider;
 import javax.inject.Singleton;
 
 /** Dagger modules for App Engine services and other vendor classes. */
@@ -124,20 +126,41 @@ public final class Modules {
   @Module
   public static final class AppIdentityCredentialModule {
     @Provides
-    static AppIdentityCredential provideAppIdentityCredential(@OAuthScopes Set<String> scopes) {
+    static Function<Set<String>, AppIdentityCredential> provideAppIdentityCredential() {
+      return new Function<Set<String>, AppIdentityCredential>() {
+        @Override
+        public AppIdentityCredential apply(Set<String> scopes) {
           return new AppIdentityCredential(scopes);
         }
+      };
+    }
   }
 
   /**
    * Dagger module causing Google APIs requests to be authorized with your GAE app identity.
    *
-   * <p>You must also use the {@link AppIdentityCredential} module.
+   * <p>You must also use the {@link AppIdentityCredentialModule}.
    */
   @Module
   public abstract static class UseAppIdentityCredentialForGoogleApisModule {
     @Binds
-    abstract HttpRequestInitializer provideHttpRequestInitializer(AppIdentityCredential credential);
+    abstract Function<Set<String>, ? extends HttpRequestInitializer>
+        provideHttpRequestInitializer(Function<Set<String>, AppIdentityCredential> credential);
+  }
+
+  /**
+   * Module indicating Google API requests should be authorized with JSON {@link GoogleCredential}.
+   *
+   * <p>This is useful when configuring a component that runs the registry outside of the App Engine
+   * environment, for example, in a command line environment.
+   *
+   * <p>You must also use the {@link GoogleCredentialModule}.
+   */
+  @Module
+  public abstract static class UseGoogleCredentialForGoogleApisModule {
+    @Binds
+    abstract Function<Set<String>, ? extends HttpRequestInitializer>
+        provideHttpRequestInitializer(Function<Set<String>, GoogleCredential> credential);
   }
 
   /**
@@ -160,6 +183,7 @@ public final class Modules {
   public static final class GoogleCredentialModule {
 
     @Provides
+    @Singleton
     static GoogleCredential provideGoogleCredential(
         HttpTransport httpTransport,
         JsonFactory jsonFactory,
@@ -172,6 +196,17 @@ public final class Modules {
       }
     }
 
+    @Provides
+    static Function<Set<String>, GoogleCredential> provideScopedGoogleCredential(
+        final Provider<GoogleCredential> googleCredentialProvider) {
+      return new Function<Set<String>, GoogleCredential>() {
+        @Override
+        public GoogleCredential apply(Set<String> scopes) {
+          return googleCredentialProvider.get().createScoped(scopes);
+        }
+      };
+    }
+
     /**
      * Provides a GoogleCredential that will connect to GAE using delegated admin access.  This is
      * needed for API calls requiring domain admin access to the relevant GAFYD using delegated
@@ -183,14 +218,12 @@ public final class Modules {
     static GoogleCredential provideDelegatedAdminGoogleCredential(
         GoogleCredential googleCredential,
         HttpTransport httpTransport,
-        @DelegatedOAuthScopes Set<String> scopes,
         @Config("googleAppsAdminEmailAddress") String googleAppsAdminEmailAddress) {
       return new GoogleCredential.Builder()
           .setTransport(httpTransport)
           .setJsonFactory(googleCredential.getJsonFactory())
           .setServiceAccountId(googleCredential.getServiceAccountId())
           .setServiceAccountPrivateKey(googleCredential.getServiceAccountPrivateKey())
-          .setServiceAccountScopes(scopes)
           .setServiceAccountUser(googleAppsAdminEmailAddress)
           .build();
     }

java/google/registry/request/OAuthScopes.java

@@ -1,24 +0,0 @@
-// Copyright 2016 The Domain Registry Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.request;
-
-import java.lang.annotation.Documented;
-import java.util.Set;
-import javax.inject.Qualifier;
-
-/** Dagger qualifier for the {@link Set} of OAuth2 scope strings, used for API authorization. */
-@Qualifier
-@Documented
-public @interface OAuthScopes {}