Move GCP proxy code to the old [] proxy's location

1. Moved code for the GCP proxy to where the [] proxy code used to live. 3. Corrected reference to the GCP proxy location. 4. Misc changes to make ErrorProne and various tools happy. +diekmann to LGTM terraform whitelist change. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=213630560
2025-07-25 03:58:34 +02:00 · 2018-09-19 08:20:21 -07:00 · 2018-09-19 08:20:21 -07:00 · 3fc7271145
commit 3fc7271145
parent 961e5cc7c7
102 changed files with 296 additions and 11 deletions
--- a/java/google/registry/proxy/config/default-config.yaml
+++ b/java/google/registry/proxy/config/default-config.yaml
@ -0,0 +1,215 @@
+# This is the default configuration file for the proxy. Do not make changes to
+# it unless you are writing new features that requires you to. To customize an
+# individual deployment or environment, create a proxy-config.yaml file in the
+# same directory overriding only the values you wish to change. You may need
+# to override some of these values to configure and enable some services used in
+# production environments.
+
+# GCP project ID
+projectId: your-gcp-project-id
+
+# OAuth scope that the GoogleCredential will be constructed with. This list
+# should include all service scopes that the proxy depends on.
+gcpScopes:
+  # The default OAuth scope granted to GCE instances. Local development instance
+  # needs this scope to mimic running on GCE. Currently it is used to access
+  # Cloud KMS and Stackdriver Monitoring APIs.
+  - https://www.googleapis.com/auth/cloud-platform
+
+  # The OAuth scope required to be included in the access token for the GAE app
+  # to authenticate.
+  - https://www.googleapis.com/auth/userinfo.email
+
+# Refresh the access token 5 minutes before it expires.
+#
+# Depending on how the credential is obtained, its renewal behavior is
+# different. A credential backed by a private key (like the ADC obtained
+# locally) will get a different token when #refreshToken() is called. On GCE,
+# the credential is just a wrapper around tokens sent from the metadata server,
+# which is valid from 3599 seconds to 1699 seconds (this is no documentation on
+# this, I got this number by logging in a GCE VM, calling curl on the metatdata
+# server every minute, and check the expiration time of the response). Calling
+# refreshToken() does *not* get a new token. The token is only refreshed by
+# metadata server itself (every 3599 - 1699 = 1900 seconds).
+#
+# We refresh the token 5 minutes before it expires, which should work in both
+# cases. This is better than caching the token for a pre-defined period, because
+# even right after #refreshToken() is called on the client side, tokens obtained
+# from GCE metadata server may not be valid for the entirety of 3599 seconds.
+
+accessTokenRefreshBeforeExpirationSeconds: 300
+
+# Server certificate is cached for 30 minutes.
+#
+# Encrypted server server certificate and private keys are stored on GCS. They
+# are cached and shared for all connections for 30 minutes. We not not cache
+# the certificate indefinitely because if we upload a new one to GCS, all
+# existing instances need to be killed if they cache the old one indefinitely.
+serverCertificateCacheSeconds: 1800
+
+gcs:
+  # GCS bucket that stores the encrypted PEM file.
+  bucket: your-gcs-bucket
+  # Name of the encrypted PEM file.
+  sslPemFilename: your-pem-filename
+
+# Strings used to construct the KMS crypto key URL.
+# See: https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys
+kms:
+  # Location where your key ring is stored (global, us-east1, etc).
+  location: your-kms-location
+
+  # Name of the KeyRing that contains the CryptoKey file.
+  keyRing: your-kms-keyRing
+
+  # Name of the CryptoKey used to encrypt the PEM file.
+  cryptoKey: your-kms-cryptoKey
+
+epp:
+  port: 30002
+  relayHost: registry-project-id.appspot.com
+  relayPath: /_dr/epp
+
+  # Maximum input message length in bytes.
+  #
+  # The first 4 bytes in a message is the total length of message, in bytes.
+  #
+  # We accept a message up to 1 GB, which should be plentiful, if not over the
+  # top. In fact we should probably limit this to a more reasonable number, as a
+  # 1 GB message will likely cause the proxy to go out of memory.
+  #
+  # See also: RFC 5734 4 Data Unit Format
+  # (https://tools.ietf.org/html/rfc5734#section-4).
+  maxMessageLengthBytes: 1073741824
+
+  # Length of the header field in bytes.
+  #
+  # Note that value of the header field is the total length (in bytes) of the
+  # message, including the header itself, the length of the epp xml instance is
+  # therefore 4 bytes shorter than this value.
+  headerLengthBytes: 4
+
+  # Time after which an idle connection will be closed.
+  #
+  # The RFC gives registry discretionary power to set a timeout period. 1 hr
+  # should be reasonable enough for any registrar to login and submit their
+  # request.
+  readTimeoutSeconds: 3600
+
+  # Quota configuration for EPP
+  quota:
+
+    # Token database refresh period. Set to 0 to disable refresh.
+    #
+    # After the set time period, inactive userIds will be deleted.
+    refreshSeconds: 0
+
+    # Default quota for any userId not matched in customQuota.
+    defaultQuota:
+
+      # List of identifiers, e. g. IP address, certificate hash.
+      #
+      # userId for defaultQuota should always be an empty list. Any value
+      # in the list will be discarded.
+      #
+      # There should be no duplicate userIds, either within this list, or
+      # across quota groups within customQuota. Any duplication will result
+      # in an error when constructing QuotaConfig.
+      userId: []
+
+      # Number of tokens allotted to the matched user. Set to -1 to allow
+      # infinite quota.
+      tokenAmount: 100
+
+      # Token refill period. Set to 0 to disable refill.
+      #
+      # After the set time period, the token for the user will be
+      # reset to tokenAmount.
+      refillSeconds: 0
+
+    # List of custom quotas for specific userId. Use the same schema as
+    # defaultQuota for list entries.
+    customQuota: []
+
+whois:
+  port: 30001
+  relayHost: registry-project-id.appspot.com
+  relayPath: /_dr/whois
+
+  # Maximum input message length in bytes.
+  #
+  # Domain name cannot be longer than 256 characters. 512-character message
+  # length should be safe for most cases, including registrar queries.
+  #
+  # See also: RFC 1035 2.3.4 Size limits
+  # (http://www.freesoft.org/CIE/RFC/1035/9.htm).
+  maxMessageLengthBytes: 512
+
+  # Whois protocol is transient, the client should not establish a long lasting
+  # idle connection.
+  readTimeoutSeconds: 60
+
+  # Quota configuration for WHOIS
+  quota:
+
+    # Token database refresh period. Set to 0 to disable refresh.
+    #
+    # After the set time period, inactive token buckets will be deleted.
+    refreshSeconds: 3600
+
+    # Default quota for any userId not matched in customQuota.
+    defaultQuota:
+
+      # List of identifiers, e. g. IP address, certificate hash.
+      #
+      # userId for defaultQuota should always be an empty list.
+      userId: []
+
+      # Number of tokens allotted to the matched user. Set to -1 to allow
+      # infinite quota.
+      tokenAmount: 100
+
+      # Token refill period. Set to 0 to disable refill.
+      #
+      # After the set time period, the token for the given user will be
+      # reset to tokenAmount.
+      refillSeconds: 600
+
+    # List of custom quotas for specific userId. Use the same schema as
+    # defaultQuota for list entries.
+    customQuota: []
+
+healthCheck:
+  port: 30000
+
+  # Health checker request message, defined in GCP load balancer backend.
+  checkRequest: HEALTH_CHECK_REQUEST
+
+  # Health checker response message, defined in GCP load balancer backend.
+  checkResponse: HEALTH_CHECK_RESPONSE
+
+httpsRelay:
+  port: 443
+
+  # Maximum size of an HTTP message in bytes.
+  maxMessageLengthBytes: 524288
+
+webWhois:
+  httpPort: 30010
+  httpsPort: 30011
+
+  # The 302 redirect destination of HTTPS web WHOIS GET requests.
+  # HTTP web WHOIS GET requests will be 301 redirected to HTTPS first.
+  redirectHost: whois.yourdomain.tld
+
+metrics:
+  # Max queries per second for the Google Cloud Monitoring V3 (aka Stackdriver)
+  # API. The limit can be adjusted by contacting Cloud Support.
+  stackdriverMaxQps: 30
+
+  # Max number of points that can be sent to Stackdriver in a single
+  # TimeSeries.Create API call.
+  stackdriverMaxPointsPerRequest: 200
+
+  # How often metrics are written.
+  writeIntervalSeconds: 60
--- a/java/google/registry/proxy/config/proxy-config-alpha.yaml
+++ b/java/google/registry/proxy/config/proxy-config-alpha.yaml
@ -0,0 +1 @@
+# Add environment-specific proxy configuration here.
--- a/java/google/registry/proxy/config/proxy-config-local.yaml
+++ b/java/google/registry/proxy/config/proxy-config-local.yaml
@ -0,0 +1 @@
+# Add environment-specific proxy configuration here.
--- a/java/google/registry/proxy/config/proxy-config-production-canary.yaml
+++ b/java/google/registry/proxy/config/proxy-config-production-canary.yaml
@ -0,0 +1 @@
+# Add environment-specific proxy configuration here.
--- a/java/google/registry/proxy/config/proxy-config-production.yaml
+++ b/java/google/registry/proxy/config/proxy-config-production.yaml
@ -0,0 +1 @@
+# Add environment-specific proxy configuration here.
--- a/java/google/registry/proxy/config/proxy-config-sandbox-canary.yaml
+++ b/java/google/registry/proxy/config/proxy-config-sandbox-canary.yaml
@ -0,0 +1 @@
+# Add environment-specific proxy configuration here.
--- a/java/google/registry/proxy/config/proxy-config-sandbox.yaml
+++ b/java/google/registry/proxy/config/proxy-config-sandbox.yaml
@ -0,0 +1 @@
+# Add environment-specific proxy configuration here.
				`@ -0,0 +1 @@`
				`# Add environment-specific proxy configuration here.`