Require SSL certificate hash on login by default

Note that it's possible to set a config option to disable this functionality
on a per-environment basis (we're disabling it for sandbox), but in general
SSL certificate hashes should be required for increased security.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=225053496

javatests/google/registry/flows/EppLoginTlsTest.java

@@ -33,15 +33,11 @@ import org.junit.runners.JUnit4;
 @RunWith(JUnit4.class)
 public class EppLoginTlsTest extends EppTestCase {
 
-  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .build();
-
+  @Rule public final AppEngineRule appEngine = AppEngineRule.builder().withDatastore().build();
 
   void setClientCertificateHash(String clientCertificateHash) {
     setTransportCredentials(
-        new TlsCredentials(clientCertificateHash, Optional.of("192.168.1.100:54321")));
+        new TlsCredentials(true, clientCertificateHash, Optional.of("192.168.1.100:54321")));
   }
 
   @Before
@@ -160,7 +156,7 @@ public class EppLoginTlsTest extends EppTestCase {
   }
 
   @Test
-  public void testRegistrarHasNoCertificatesOnFile_disablesCertChecking() throws Exception {
+  public void testRegistrarHasNoCertificatesOnFile_fails() throws Exception {
     setClientCertificateHash("laffo");
     DateTime now = DateTime.now(UTC);
     persistResource(
@@ -169,6 +165,9 @@ public class EppLoginTlsTest extends EppTestCase {
             .setClientCertificate(null, now)
             .setFailoverClientCertificate(null, now)
             .build());
-    assertThatLoginSucceeds("NewRegistrar", "foo-BAR2");
+    assertThatLogin("NewRegistrar", "foo-BAR2")
+        .hasResponse(
+            "response_error.xml",
+            ImmutableMap.of("CODE", "2200", "MSG", "Registrar certificate is not configured"));
   }
 }

javatests/google/registry/flows/FlowRunnerTest.java

@@ -152,7 +152,7 @@ public class FlowRunnerTest extends ShardableTestCase {
 
   @Test
   public void testRun_loggingStatement_tlsCredentials() throws Exception {
-    flowRunner.credentials = new TlsCredentials("abc123def", Optional.of("127.0.0.1"));
+    flowRunner.credentials = new TlsCredentials(true, "abc123def", Optional.of("127.0.0.1"));
     flowRunner.run(eppMetricBuilder);
     assertThat(Splitter.on("\n\t").split(findFirstLogMessageByPrefix(handler, "EPP Command\n\t")))
         .contains("TlsCredentials{clientCertificateHash=abc123def, clientAddress=/127.0.0.1}");

javatests/google/registry/flows/TlsCredentialsTest.java

@@ -15,19 +15,31 @@
 package google.registry.flows;
 
 import static com.google.common.truth.Truth.assertThat;
+import static google.registry.testing.DatastoreHelper.loadRegistrar;
+import static google.registry.testing.DatastoreHelper.persistResource;
 import static google.registry.testing.JUnitBackports.assertThrows;
+import static org.joda.time.DateTimeZone.UTC;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
+import google.registry.model.registrar.Registrar;
 import google.registry.request.HttpException.BadRequestException;
+import google.registry.testing.AppEngineRule;
+import google.registry.testing.ShardableTestCase;
+import java.util.Optional;
 import javax.servlet.http.HttpServletRequest;
+import org.joda.time.DateTime;
+import org.junit.Rule;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.JUnit4;
 
 /** Unit tests for {@link TlsCredentials}. */
 @RunWith(JUnit4.class)
-public final class TlsCredentialsTest {
+public final class TlsCredentialsTest extends ShardableTestCase {
+
+  @Rule public final AppEngineRule appEngine = AppEngineRule.builder().withDatastore().build();
+
   @Test
   public void testProvideClientCertificateHash() {
     HttpServletRequest req = mock(HttpServletRequest.class);
@@ -46,8 +58,15 @@ public final class TlsCredentialsTest {
   }
 
   @Test
-  public void testNothing1() {}
-
-  @Test
-  public void testNothing2() {}
+  public void test_validateCertificate_canBeConfiguredToBypassCertHashes() throws Exception {
+    TlsCredentials tls = new TlsCredentials(false, "certHash", Optional.of("192.168.1.1"));
+    persistResource(
+        loadRegistrar("TheRegistrar")
+            .asBuilder()
+            .setClientCertificate(null, DateTime.now(UTC))
+            .setFailoverClientCertificate(null, DateTime.now(UTC))
+            .build());
+    // This would throw a RegistrarCertificateNotConfiguredException if cert hashes wren't bypassed.
+    tls.validateCertificate(Registrar.loadByClientId("TheRegistrar").get());
+  }
 }

javatests/google/registry/flows/session/LoginFlowViaTlsTest.java

@@ -49,7 +49,7 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
   @Test
   public void testSuccess_withGoodCredentials() throws Exception {
     persistResource(getRegistrarBuilder().build());
-    credentials = new TlsCredentials(GOOD_CERT, GOOD_IP);
+    credentials = new TlsCredentials(true, GOOD_CERT, GOOD_IP);
     doSuccessfulTest("login_valid.xml");
   }
 
@@ -60,7 +60,7 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
             .setIpAddressWhitelist(ImmutableList.of(
                 CidrAddressBlock.create("2001:db8:0:0:0:0:1:1/32")))
             .build());
-    credentials = new TlsCredentials(GOOD_CERT, GOOD_IPV6);
+    credentials = new TlsCredentials(true, GOOD_CERT, GOOD_IPV6);
     doSuccessfulTest("login_valid.xml");
   }
 
@@ -71,7 +71,7 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
             .setIpAddressWhitelist(ImmutableList.of(
                 CidrAddressBlock.create("2001:db8:0:0:0:0:1:1/32")))
             .build());
-    credentials = new TlsCredentials(GOOD_CERT, GOOD_IPV6);
+    credentials = new TlsCredentials(true, GOOD_CERT, GOOD_IPV6);
     doSuccessfulTest("login_valid.xml");
   }
 
@@ -82,21 +82,21 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
             .setIpAddressWhitelist(ImmutableList.of(
                 CidrAddressBlock.create("192.168.1.255/24")))
             .build());
-    credentials = new TlsCredentials(GOOD_CERT, GOOD_IP);
+    credentials = new TlsCredentials(true, GOOD_CERT, GOOD_IP);
     doSuccessfulTest("login_valid.xml");
   }
 
   @Test
   public void testFailure_incorrectClientCertificateHash() {
     persistResource(getRegistrarBuilder().build());
-    credentials = new TlsCredentials(BAD_CERT, GOOD_IP);
+    credentials = new TlsCredentials(true, BAD_CERT, GOOD_IP);
     doFailingTest("login_valid.xml", BadRegistrarCertificateException.class);
   }
 
   @Test
   public void testFailure_missingClientCertificateHash() {
     persistResource(getRegistrarBuilder().build());
-    credentials = new TlsCredentials(null, GOOD_IP);
+    credentials = new TlsCredentials(true, null, GOOD_IP);
     doFailingTest("login_valid.xml", MissingRegistrarCertificateException.class);
   }
 
@@ -108,7 +108,7 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
                 CidrAddressBlock.create(InetAddresses.forString("192.168.1.1"), 32),
                 CidrAddressBlock.create(InetAddresses.forString("2001:db8::1"), 128)))
             .build());
-    credentials = new TlsCredentials(GOOD_CERT, Optional.empty());
+    credentials = new TlsCredentials(true, GOOD_CERT, Optional.empty());
     doFailingTest("login_valid.xml", BadRegistrarIpAddressException.class);
   }
 
@@ -120,7 +120,7 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
                 CidrAddressBlock.create(InetAddresses.forString("192.168.1.1"), 32),
                 CidrAddressBlock.create(InetAddresses.forString("2001:db8::1"), 128)))
             .build());
-    credentials = new TlsCredentials(GOOD_CERT, BAD_IP);
+    credentials = new TlsCredentials(true, GOOD_CERT, BAD_IP);
     doFailingTest("login_valid.xml", BadRegistrarIpAddressException.class);
   }
 
@@ -132,7 +132,7 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
                 CidrAddressBlock.create(InetAddresses.forString("192.168.1.1"), 32),
                 CidrAddressBlock.create(InetAddresses.forString("2001:db8::1"), 128)))
             .build());
-    credentials = new TlsCredentials(GOOD_CERT, BAD_IPV6);
+    credentials = new TlsCredentials(true, GOOD_CERT, BAD_IPV6);
     doFailingTest("login_valid.xml", BadRegistrarIpAddressException.class);
   }
 }