From 47870f98eb87239395ef8a93f91ef0d6529440cc Mon Sep 17 00:00:00 2001 From: guyben Date: Wed, 5 Apr 2017 07:16:27 -0700 Subject: [PATCH] Add UpdateKmsKeyringCommand to update keys in the KMS Keyring ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=152253868 --- java/google/registry/tools/BUILD | 1 + .../tools/GetKeyringSecretCommand.java | 18 +-- java/google/registry/tools/RegistryTool.java | 1 + .../registry/tools/RegistryToolComponent.java | 11 ++ .../tools/UpdateKmsKeyringCommand.java | 107 ++++++++++++++++++ .../registry/tools/params/KeyringKeyName.java | 39 +++++++ 6 files changed, 160 insertions(+), 17 deletions(-) create mode 100644 java/google/registry/tools/UpdateKmsKeyringCommand.java create mode 100644 java/google/registry/tools/params/KeyringKeyName.java
diff --git a/java/google/registry/tools/BUILD b/java/google/registry/tools/BUILD
index fec9f6e4c..f814ce253 100644
--- a/java/google/registry/tools/BUILD
+++ b/java/google/registry/tools/BUILD
@@ -44,6 +44,7 @@ java_library(
 "//java/google/registry/flows",
 "//java/google/registry/gcs",
 "//java/google/registry/keyring/api",
+ "//java/google/registry/keyring/kms",
 "//java/google/registry/loadtest",
 "//java/google/registry/model",
 "//java/google/registry/pricing",
diff --git a/java/google/registry/tools/GetKeyringSecretCommand.java b/java/google/registry/tools/GetKeyringSecretCommand.java
index b58ba59c8..a50f8e959 100644
--- a/java/google/registry/tools/GetKeyringSecretCommand.java
+++ b/java/google/registry/tools/GetKeyringSecretCommand.java
@@ -19,6 +19,7 @@ import com.beust.jcommander.Parameters;
 import google.registry.keyring.api.KeySerializer;
 import google.registry.keyring.api.Keyring;
 import google.registry.tools.Command.RemoteApiCommand;
+import google.registry.tools.params.KeyringKeyName;
 import google.registry.tools.params.PathParameter;
 import java.io.FileOutputStream;
 import java.io.OutputStream;
@@ -40,23 +41,6 @@ final class GetKeyringSecretCommand implements RemoteApiCommand {
 @Inject
 GetKeyringSecretCommand() {}
- private enum KeyringKeyName {
- BRAINTREE_PRIVATE_KEY,
- BRDA_RECEIVER_PUBLIC_KEY,
- BRDA_SIGNING_KEY_PAIR,
- ICANN_REPORTING_PASSWORD,
- JSON_CREDENTIAL,
- MARKSDB_DNL_LOGIN,
- MARKSDB_LORDN_PASSWORD,
- MARKSDB_SMDRL_LOGIN,
- RDE_RECEIVER_PUBLIC_KEY,
- RDE_SIGNING_KEY_PAIR,
- RDE_SSH_CLIENT_PRIVATE_KEY,
- RDE_SSH_CLIENT_PUBLIC_KEY,
- RDE_STAGING_KEY_PAIR,
- RDE_STAGING_PUBLIC_KEY,
- }
-
 @Parameter(names = "--keyname", description = "The secret to load", required = true)
 private KeyringKeyName keyringKeyName;
diff --git a/java/google/registry/tools/RegistryTool.java b/java/google/registry/tools/RegistryTool.java
index 31ea49656..e82efa233 100644
--- a/java/google/registry/tools/RegistryTool.java
+++ b/java/google/registry/tools/RegistryTool.java
@@ -110,6 +110,7 @@ public final class RegistryTool {
 .put("update_application_status", UpdateApplicationStatusCommand.class)
 .put("update_claims_notice", UpdateClaimsNoticeCommand.class)
 .put("update_cursors", UpdateCursorsCommand.class)
+ .put("update_kms_keyring", UpdateKmsKeyringCommand.class)
 .put("update_premium_list", UpdatePremiumListCommand.class)
 .put("update_registrar", UpdateRegistrarCommand.class)
 .put("update_reserved_list", UpdateReservedListCommand.class)
diff --git a/java/google/registry/tools/RegistryToolComponent.java b/java/google/registry/tools/RegistryToolComponent.java
index cf6fca35d..8d0781bba 100644
--- a/java/google/registry/tools/RegistryToolComponent.java
+++ b/java/google/registry/tools/RegistryToolComponent.java
@@ -21,9 +21,13 @@ import google.registry.dns.writer.clouddns.CloudDnsWriterModule;
 import google.registry.dns.writer.dnsupdate.DnsUpdateWriterModule;
 import google.registry.keyring.api.DummyKeyringModule;
 import google.registry.keyring.api.KeyModule;
+import google.registry.keyring.kms.KmsModule;
+import google.registry.request.Modules.AppIdentityCredentialModule;
 import google.registry.request.Modules.DatastoreServiceModule;
 import google.registry.request.Modules.Jackson2Module;
 import google.registry.request.Modules.URLFetchServiceModule;
+import google.registry.request.Modules.UrlFetchTransportModule;
+import google.registry.request.Modules.UseAppIdentityCredentialForGoogleApisModule;
 import google.registry.request.Modules.UserServiceModule;
 import google.registry.util.SystemClock.SystemClockModule;
 import google.registry.util.SystemSleeper.SystemSleeperModule;
@@ -40,6 +44,8 @@ import javax.inject.Singleton;
 @Component(
 modules = {
 AppEngineConnectionFlags.FlagsModule.class,
+ // TODO(b/36866706): Find a way to replace this with a command-line friendly version
+ AppIdentityCredentialModule.class,
 AuthModule.class,
 ConfigModule.class,
 DatastoreServiceModule.class,
@@ -50,10 +56,14 @@ import javax.inject.Singleton;
 DummyKeyringModule.class,
 Jackson2Module.class,
 KeyModule.class,
+ KmsModule.class,
 RegistryToolModule.class,
 SystemClockModule.class,
 SystemSleeperModule.class,
 URLFetchServiceModule.class,
+ UrlFetchTransportModule.class,
+ // TODO(b/36866706): Find a way to replace this with a command-line friendly version
+ UseAppIdentityCredentialForGoogleApisModule.class,
 UserServiceModule.class,
 VoidDnsWriterModule.class,
 WhoisModule.class,
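Review bot: The same TODO(b/36866706) comment is written twice in the `modules = {` array, once above `AppIdentityCredentialModule.class` and once above `UseAppIdentityCredentialForGoogleApisModule.class`, with no indication that the two modules are a pair that must be replaced together. A single comment naming both would read better and keep the two from drifting apart, e.g. `// TODO(b/36866706): AppIdentityCredentialModule and UseAppIdentityCredentialForGoogleApisModule below need a command-line friendly replacement.` above the first, with the second comment dropped. Since both modules are now wired into the tool component for every command, it would also help a reader to know what happens when a command is run outside App Engine; if that is not known yet, the TODO should say so. The @Component annotation continues past the end of this hunk.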
@@ -78,6 +88,7 @@ interface RegistryToolComponent {
 void inject(SendEscrowReportToIcannCommand command);
 void inject(SetupOteCommand command);
 void inject(UpdateCursorsCommand command);
+ void inject(UpdateKmsKeyringCommand command);
 void inject(UpdateTldCommand command);
 void inject(ValidateEscrowDepositCommand command);
 void inject(WhoisQueryCommand command);
diff --git a/java/google/registry/tools/UpdateKmsKeyringCommand.java b/java/google/registry/tools/UpdateKmsKeyringCommand.java
new file mode 100644
index 000000000..18c594c47
--- /dev/null
+++ b/java/google/registry/tools/UpdateKmsKeyringCommand.java
@@ -0,0 +1,107 @@
+// Copyright 2017 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.tools;
+
+import static google.registry.keyring.api.KeySerializer.deserializeKeyPair;
+import static google.registry.keyring.api.KeySerializer.deserializePublicKey;
+import static google.registry.keyring.api.KeySerializer.deserializeString;
+
+import com.beust.jcommander.Parameter;
+import com.beust.jcommander.Parameters;
+import google.registry.keyring.kms.KmsUpdater;
+import google.registry.tools.Command.RemoteApiCommand;
+import google.registry.tools.params.KeyringKeyName;
+import google.registry.tools.params.PathParameter;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import javax.inject.Inject;
+
+/** Command to set and update {@code KmsKeyring} values. */
+@Parameters(
+ separators = " =",
+ commandDescription = "Update values of secrets in KmsKeyring."
+)
+final class UpdateKmsKeyringCommand implements RemoteApiCommand {
+
+ @Inject KmsUpdater kmsUpdater;
+
+ @Inject
+ UpdateKmsKeyringCommand() {}
+
+ @Parameter(names = "--keyname", description = "The secret to update", required = true)
+ private KeyringKeyName keyringKeyName;
+
+ @Parameter(
+ names = {"--input"},
+ description =
+ "Name of input file for key data.",
+ validateWith = PathParameter.InputFile.class
+ )
+ private Path inputPath = null;
+
+ @Override
+ public void run() throws Exception {
+ byte[] input = Files.readAllBytes(inputPath);
+
+ switch (keyringKeyName) {
+ case BRAINTREE_PRIVATE_KEY:
+ kmsUpdater.setBraintreePrivateKey(deserializeString(input));
+ break;
+ case BRDA_RECEIVER_PUBLIC_KEY:
+ kmsUpdater.setBrdaReceiverPublicKey(deserializePublicKey(input));
+ break;
+ case BRDA_SIGNING_KEY_PAIR:
+ kmsUpdater.setBrdaSigningKey(deserializeKeyPair(input));
+ break;
+ case ICANN_REPORTING_PASSWORD:
+ kmsUpdater.setIcannReportingPassword(deserializeString(input));
+ break;
+ case JSON_CREDENTIAL:
+ kmsUpdater.setJsonCredential(deserializeString(input));
+ break;
+ case MARKSDB_DNL_LOGIN:
+ kmsUpdater.setMarksdbDnlLogin(deserializeString(input));
+ break;
+ case MARKSDB_LORDN_PASSWORD:
+ kmsUpdater.setMarksdbLordnPassword(deserializeString(input));
+ break;
+ case MARKSDB_SMDRL_LOGIN:
+ kmsUpdater.setMarksdbSmdrlLogin(deserializeString(input));
+ break;
+ case RDE_RECEIVER_PUBLIC_KEY:
+ kmsUpdater.setRdeReceiverPublicKey(deserializePublicKey(input));
+ break;
+ case RDE_SIGNING_KEY_PAIR:
+ kmsUpdater.setRdeSigningKey(deserializeKeyPair(input));
+ break;
+ case RDE_SSH_CLIENT_PRIVATE_KEY:
+ kmsUpdater.setRdeSshClientPrivateKey(deserializeString(input));
+ break;
+ case RDE_SSH_CLIENT_PUBLIC_KEY:
+ kmsUpdater.setRdeSshClientPublicKey(deserializeString(input));
+ break;
+ case RDE_STAGING_KEY_PAIR:
+ kmsUpdater.setRdeStagingKey(deserializeKeyPair(input));
+ break;
+ case RDE_STAGING_PUBLIC_KEY:
+ throw new IllegalArgumentException(
+ "Can't update 
RDE_STAGING_PUBLIC_KEY directly." + " Must update public and private keys together using RDE_STAGING_KEY_PAIR.");
+ }
+
+ kmsUpdater.update();
+ }
+}
+
diff --git a/java/google/registry/tools/params/KeyringKeyName.java b/java/google/registry/tools/params/KeyringKeyName.java
new file mode 100644
index 000000000..c0e841381
--- /dev/null
+++ b/java/google/registry/tools/params/KeyringKeyName.java
@@ -0,0 +1,39 @@
+// Copyright 2017 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.tools.params;
+
+/**
+ * Names of all the keyrings we can save.
+ *
+ *
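Review bot: The `--input` parameter is declared without `required = true`, so when the flag is omitted `inputPath` stays `null` and `Files.readAllBytes(inputPath)` at the top of run() fails with a NullPointerException instead of a usage error from the parser; add `required = true` alongside `validateWith = PathParameter.InputFile.class`, and drop the redundant `= null` initializer on the field. The switch on `keyringKeyName` has no `default` branch, so any constant later added to `KeyringKeyName` would match nothing, set nothing, and still reach `kmsUpdater.update()` with the run exiting cleanly — a silent no-op on a secret-rotation command; add `default: throw new IllegalArgumentException("Unsupported key name: " + keyringKeyName);` after the RDE_STAGING_PUBLIC_KEY case. The class Javadoc could also say that `--input` is read in full and parsed by the KeySerializer `deserialize*` helper matching the key type, since which serialization each key name expects is only visible from the switch.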

 This is used in GetKeyringSecretCommand to select the secret to get. It can also be used in
+ * any secret update command such as UpdateKmsKeyringCommand.
+ */
+public enum KeyringKeyName {
+ BRAINTREE_PRIVATE_KEY,
+ BRDA_RECEIVER_PUBLIC_KEY,
+ BRDA_SIGNING_KEY_PAIR,
+ ICANN_REPORTING_PASSWORD,
+ JSON_CREDENTIAL,
+ MARKSDB_DNL_LOGIN,
+ MARKSDB_LORDN_PASSWORD,
+ MARKSDB_SMDRL_LOGIN,
+ RDE_RECEIVER_PUBLIC_KEY,
+ RDE_SIGNING_KEY_PAIR,
+ RDE_SSH_CLIENT_PRIVATE_KEY,
+ RDE_SSH_CLIENT_PUBLIC_KEY,
+ RDE_STAGING_KEY_PAIR,
+ RDE_STAGING_PUBLIC_KEY,
+}
+
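Review bot: The Javadoc summary `Names of all the keyrings we can save.` misdescribes the type: the constants name individual secrets held in a keyring, not keyrings, and "save" does not fit the read use in GetKeyringSecretCommand that the next sentence describes. Suggest `Names of the secrets a keyring holds, used to select one for retrieval or update.` as the first sentence. Since UpdateKmsKeyringCommand in this same commit rejects RDE_STAGING_PUBLIC_KEY and requires RDE_STAGING_KEY_PAIR instead, that constraint is worth stating on the enum itself, e.g. a comment on the constant `// Read-only for update commands; set it via RDE_STAGING_KEY_PAIR.`, so a future update command does not have to rediscover it from the other command's switch.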