diff --git a/core/src/main/java/google/registry/config/RegistryConfig.java b/core/src/main/java/google/registry/config/RegistryConfig.java
index 3518f9467..28382a1a3 100644
--- a/core/src/main/java/google/registry/config/RegistryConfig.java
+++ b/core/src/main/java/google/registry/config/RegistryConfig.java
@@ -392,6 +392,24 @@ public final class RegistryConfig {
 return config.datastore.eppResourceIndexBucketsNum;
 }

+ @Provides
+ @Config("cloudSqlJdbcUrl")
+ public static String providesCloudSqlJdbcUrl(RegistryConfigSettings config) {
+ return config.cloudSql.jdbcUrl;
+ }
+
+ @Provides
+ @Config("cloudSqlUsername")
+ public static String providesCloudSqlUsername(RegistryConfigSettings config) {
+ return config.cloudSql.username;
+ }
+
+ @Provides
+ @Config("cloudSqlInstanceConnectionName")
+ public static String providesCloudSqlInstanceConnectionName(RegistryConfigSettings config) {
+ return config.cloudSql.instanceConnectionName;
+ }
+
 @Provides
 @Config("cloudDnsRootUrl")
 public static Optional getCloudDnsRootUrl(RegistryConfigSettings config) {
@@ -1469,11 +1487,6 @@ public final class RegistryConfig {
 return CONFIG_SETTINGS.get().hibernate.logSqlQueries;
 }

- /** Returns true if schema modification is allowed. */
- public static String getHibernateHbm2ddlAuto() {
- return CONFIG_SETTINGS.get().hibernate.hbm2ddlAuto;
- }
-
 /** Returns the connection timeout for HikariCP. */
 public static String getHibernateHikariConnectionTimeout() {
 return CONFIG_SETTINGS.get().hibernate.hikariConnectionTimeout;
diff --git a/core/src/main/java/google/registry/config/RegistryConfigSettings.java b/core/src/main/java/google/registry/config/RegistryConfigSettings.java
index 3d802cb59..cb7e873b8 100644
--- a/core/src/main/java/google/registry/config/RegistryConfigSettings.java
+++ b/core/src/main/java/google/registry/config/RegistryConfigSettings.java
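Review bot: The three new `@Provides` methods in the first hunk (`providesCloudSqlJdbcUrl`, `providesCloudSqlUsername`, `providesCloudSqlInstanceConnectionName`) have no Javadoc, while the accessors visible in the second hunk of this file (`getHibernateHikariConnectionTimeout`, and the removed `getHibernateHbm2ddlAuto`) each carry a one-line `/** Returns ... */`. A one-liner per method keeps the file's convention, e.g. `/** Returns the JDBC URL of the Cloud SQL database. */`, `/** Returns the username used to connect to the Cloud SQL database. */` and `/** Returns the Cloud SQL instance connection name ({@code project:region:instance}). */`. It is also worth stating in the JDBC URL comment that the password is deliberately not part of this config and comes from the keyring, so nobody later adds it to the URL or the YAML.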
@@ -26,6 +26,7 @@ public class RegistryConfigSettings {
 public RegistryPolicy registryPolicy;
 public Datastore datastore;
 public Hibernate hibernate;
+ public CloudSql cloudSql;
 public CloudDns cloudDns;
 public Caching caching;
 public IcannReporting icannReporting;
@@ -110,13 +111,19 @@ public class RegistryConfigSettings {
 public static class Hibernate {
 public String connectionIsolation;
 public String logSqlQueries;
- public String hbm2ddlAuto;
 public String hikariConnectionTimeout;
 public String hikariMinimumIdle;
 public String hikariMaximumPoolSize;
 public String hikariIdleTimeout;
 }

+ /** Configuration for Cloud SQL. */
+ public static class CloudSql {
+ public String jdbcUrl;
+ public String username;
+ public String instanceConnectionName;
+ }
+
 /** Configuration for Apache Beam (Cloud Dataflow). */
 public static class Beam {
 public String defaultJobZone;
diff --git a/core/src/main/java/google/registry/config/files/default-config.yaml b/core/src/main/java/google/registry/config/files/default-config.yaml
index cc41f28b4..ca46e04bf 100644
--- a/core/src/main/java/google/registry/config/files/default-config.yaml
+++ b/core/src/main/java/google/registry/config/files/default-config.yaml
@@ -211,6 +211,14 @@ hibernate:
 hikariMaximumPoolSize: 20
 hikariIdleTimeout: 300000

+cloudSql:
+ # jdbc url for the Cloud SQL database.
+ jdbcUrl: jdbc:postgresql://localhost
+ # Username for the database user.
+ username: username
+ # This name is used by Cloud SQL when connecting to the database.
+ instanceConnectionName: project-id:region:instance-id
+
 cloudDns:
 # Set both properties to null in Production.
 # The root url for the Cloud DNS API. Set this to a non-null value to
diff --git a/core/src/main/java/google/registry/keyring/api/DummyKeyringModule.java b/core/src/main/java/google/registry/keyring/api/DummyKeyringModule.java
index 9e2f2aec3..45f5ef645 100644
--- a/core/src/main/java/google/registry/keyring/api/DummyKeyringModule.java
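Review bot: The new `cloudSql` block in default-config.yaml ships placeholder values (`username: username`, `instanceConnectionName: project-id:region:instance-id`, a `localhost` JDBC URL) but, unlike the neighbouring `cloudDns` block whose first comment says what to do in production, nothing tells an operator these must be replaced. A leading comment such as `# Placeholder values: override every field below in the environment-specific config.` would make that explicit. Since the JDBC URL is also where PostgreSQL connection parameters such as `sslmode` live, it is worth noting in the `jdbcUrl` comment that the production URL is expected to require an encrypted connection (I am inferring the deployment model from the instance connection name; the page does not show how the URL is consumed).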
+++ b/core/src/main/java/google/registry/keyring/api/DummyKeyringModule.java
@@ -122,7 +122,8 @@ public abstract class DummyKeyringModule {
 "not a real login",
 "not a real password",
 "not a real login",
- "not a real credential");
+ "not a real credential",
+ "not a real password");
 }

 private DummyKeyringModule() {}
diff --git a/core/src/main/java/google/registry/keyring/api/InMemoryKeyring.java b/core/src/main/java/google/registry/keyring/api/InMemoryKeyring.java
index b49b0f763..f6a2cf3bf 100644
--- a/core/src/main/java/google/registry/keyring/api/InMemoryKeyring.java
+++ b/core/src/main/java/google/registry/keyring/api/InMemoryKeyring.java
@@ -39,6 +39,7 @@ public final class InMemoryKeyring implements Keyring {
 private final String marksdbLordnPassword;
 private final String marksdbSmdrlLoginAndPassword;
 private final String jsonCredential;
+ private final String cloudSqlPassword;

 public InMemoryKeyring(
 PGPKeyPair rdeStagingKey,
@@ -53,7 +54,8 @@ public final class InMemoryKeyring implements Keyring {
 String marksdbDnlLoginAndPassword,
 String marksdbLordnPassword,
 String marksdbSmdrlLoginAndPassword,
- String jsonCredential) {
+ String jsonCredential,
+ String cloudSqlPassword) {
 checkArgument(PgpHelper.isSigningKey(rdeSigningKey.getPublicKey()),
 "RDE signing key must support signing: %s", rdeSigningKey.getKeyID());
 checkArgument(rdeStagingKey.getPublicKey().isEncryptionKey(),
@@ -79,6 +81,7 @@ public final class InMemoryKeyring implements Keyring {
 this.marksdbSmdrlLoginAndPassword =
 checkNotNull(marksdbSmdrlLoginAndPassword, "marksdbSmdrlLoginAndPassword");
 this.jsonCredential = checkNotNull(jsonCredential, "jsonCredential");
+ this.cloudSqlPassword = checkNotNull(cloudSqlPassword, "cloudSqlPassword");
 }

 @Override
@@ -151,6 +154,11 @@ public final class InMemoryKeyring implements Keyring {
 return jsonCredential;
 }

+ @Override
+ public String getCloudSqlPassword() {
+ return cloudSqlPassword;
+ }
+
 /** Does nothing. */
 @Override
 public void close() {}
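Review bot: The DummyKeyringModule hunk appends `"not a real password"` as one more positional `String` argument to a constructor call that already passes the same literal a few arguments earlier, so a transposed or mis-ordered argument would compile and pass unnoticed; the same risk applies to the `InMemoryKeyring` constructor hunk below, whose long run of `String` parameters now grows by one. A trailing comment naming the parameter keeps the mapping readable at the call site, e.g. `"not a real password"); // cloudSqlPassword`, and the same for the `jsonCredential` line above it. The enclosing method of the DummyKeyringModule hunk starts outside the hunk, so I cannot see whether the earlier arguments are already annotated.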
diff --git a/core/src/main/java/google/registry/keyring/api/KeyModule.java b/core/src/main/java/google/registry/keyring/api/KeyModule.java
index dbadf2d16..3876f7f72 100644
--- a/core/src/main/java/google/registry/keyring/api/KeyModule.java
+++ b/core/src/main/java/google/registry/keyring/api/KeyModule.java
@@ -36,6 +36,12 @@ public final class KeyModule {
 String value();
 }

+ @Provides
+ @Key("cloudSqlPassword")
+ static String providesCloudSqlPassword(Keyring keyring) {
+ return keyring.getCloudSqlPassword();
+ }
+
 @Provides
 @Key("brdaReceiverKey")
 static PGPPublicKey provideBrdaReceiverKey(Keyring keyring) {
diff --git a/core/src/main/java/google/registry/keyring/api/Keyring.java b/core/src/main/java/google/registry/keyring/api/Keyring.java
index 5b44db049..c982d5797 100644
--- a/core/src/main/java/google/registry/keyring/api/Keyring.java
+++ b/core/src/main/java/google/registry/keyring/api/Keyring.java
@@ -28,6 +28,9 @@ import org.bouncycastle.openpgp.PGPPublicKey;
 @ThreadSafe
 public interface Keyring extends AutoCloseable {

+ /** Returns the password which is used to connect to the Cloud SQL database. */
+ String getCloudSqlPassword();
+
 /**
 * Returns the key which should be used to sign RDE deposits being uploaded to a third-party.
 *
diff --git a/core/src/main/java/google/registry/keyring/kms/KmsKeyring.java b/core/src/main/java/google/registry/keyring/kms/KmsKeyring.java
index 17245206e..e8ffc156c 100644
--- a/core/src/main/java/google/registry/keyring/kms/KmsKeyring.java
+++ b/core/src/main/java/google/registry/keyring/kms/KmsKeyring.java
@@ -67,6 +67,7 @@ public class KmsKeyring implements Keyring {

 /** Key labels for string secrets. */
 enum StringKeyLabel {
+ CLOUD_SQL_PASSWORD_STRING,
 SAFE_BROWSING_API_KEY,
 ICANN_REPORTING_PASSWORD_STRING,
 JSON_CREDENTIAL_STRING,
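Review bot: The new provider in KeyModule is named `providesCloudSqlPassword` while the adjacent existing one is `provideBrdaReceiverKey`, so the file now mixes a singular and a plural prefix for the same kind of method; the three `provides…` methods added to RegistryConfig in the first hunk of this patch show the same drift against that file's `getCloudDnsRootUrl`. Renaming to `static String provideCloudSqlPassword(Keyring keyring) {` matches the sibling and costs nothing since the method is package-private and newly introduced. Routing the password through `@Key` on the keyring rather than `@Config` is the right split; a short Javadoc on the provider saying so would stop a later change from moving it into the YAML.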
@@ -88,6 +89,11 @@ public class KmsKeyring implements Keyring {
 this.kmsConnection = kmsConnection;
 }

+ @Override
+ public String getCloudSqlPassword() {
+ return getString(StringKeyLabel.CLOUD_SQL_PASSWORD_STRING);
+ }
+
 @Override
 public PGPKeyPair getRdeSigningKey() {
 return getKeyPair(PrivateKeyLabel.RDE_SIGNING_PRIVATE);
diff --git a/core/src/main/java/google/registry/keyring/kms/KmsUpdater.java b/core/src/main/java/google/registry/keyring/kms/KmsUpdater.java
index 2b522b2e7..5710de442 100644
--- a/core/src/main/java/google/registry/keyring/kms/KmsUpdater.java
+++ b/core/src/main/java/google/registry/keyring/kms/KmsUpdater.java
@@ -24,6 +24,7 @@ import static google.registry.keyring.kms.KmsKeyring.PublicKeyLabel.BRDA_SIGNING
 import static google.registry.keyring.kms.KmsKeyring.PublicKeyLabel.RDE_RECEIVER_PUBLIC;
 import static google.registry.keyring.kms.KmsKeyring.PublicKeyLabel.RDE_SIGNING_PUBLIC;
 import static google.registry.keyring.kms.KmsKeyring.PublicKeyLabel.RDE_STAGING_PUBLIC;
+import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.CLOUD_SQL_PASSWORD_STRING;
 import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.ICANN_REPORTING_PASSWORD_STRING;
 import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.JSON_CREDENTIAL_STRING;
 import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.MARKSDB_DNL_LOGIN_STRING;
@@ -69,6 +70,10 @@ public final class KmsUpdater {
 this.secretValues = new LinkedHashMap<>();
 }

+ public KmsUpdater setCloudSqlPassword(String password) {
+ return setString(password, CLOUD_SQL_PASSWORD_STRING);
+ }
+
 public KmsUpdater setRdeSigningKey(PGPKeyPair keyPair) throws IOException, PGPException {
 return setKeyPair(keyPair, RDE_SIGNING_PRIVATE, RDE_SIGNING_PUBLIC);
 }
diff --git a/core/src/main/java/google/registry/tools/GetKeyringSecretCommand.java b/core/src/main/java/google/registry/tools/GetKeyringSecretCommand.java
index 63eb0d6d9..bc7d82d56 100644
--- a/core/src/main/java/google/registry/tools/GetKeyringSecretCommand.java
+++ b/core/src/main/java/google/registry/tools/GetKeyringSecretCommand.java
@@ -65,6 +65,9 @@ final class GetKeyringSecretCommand implements CommandWithRemoteApi {
 case BRDA_SIGNING_PUBLIC_KEY:
 out.write(KeySerializer.serializePublicKey(keyring.getBrdaSigningKey().getPublicKey()));
 break;
+ case CLOUD_SQL_PASSWORD:
+ out.write(KeySerializer.serializeString(keyring.getCloudSqlPassword()));
+ break;
 case ICANN_REPORTING_PASSWORD:
 out.write(KeySerializer.serializeString(keyring.getIcannReportingPassword()));
 break;
diff --git a/core/src/main/java/google/registry/tools/UpdateKmsKeyringCommand.java b/core/src/main/java/google/registry/tools/UpdateKmsKeyringCommand.java
index 865643e20..74e03be4c 100644
--- a/core/src/main/java/google/registry/tools/UpdateKmsKeyringCommand.java
+++ b/core/src/main/java/google/registry/tools/UpdateKmsKeyringCommand.java
@@ -65,6 +65,9 @@ final class UpdateKmsKeyringCommand implements CommandWithRemoteApi {
 throw new IllegalArgumentException(
 "Can't update BRDA_SIGNING_PUBLIC_KEY directly."
 + " Must update public and private keys together using BRDA_SIGNING_KEY_PAIR.");
+ case CLOUD_SQL_PASSWORD:
+ kmsUpdater.setCloudSqlPassword(deserializeString(input));
+ break;
 case ICANN_REPORTING_PASSWORD:
 kmsUpdater.setIcannReportingPassword(deserializeString(input));
 break;
diff --git a/core/src/main/java/google/registry/tools/params/KeyringKeyName.java b/core/src/main/java/google/registry/tools/params/KeyringKeyName.java
index 8b3ecf7be..6534191eb 100644
--- a/core/src/main/java/google/registry/tools/params/KeyringKeyName.java
+++ b/core/src/main/java/google/registry/tools/params/KeyringKeyName.java
@@ -24,6 +24,7 @@ public enum KeyringKeyName {
 BRDA_RECEIVER_PUBLIC_KEY,
 BRDA_SIGNING_KEY_PAIR,
 BRDA_SIGNING_PUBLIC_KEY,
+ CLOUD_SQL_PASSWORD,
 ICANN_REPORTING_PASSWORD,
 JSON_CREDENTIAL,
 MARKSDB_DNL_LOGIN_AND_PASSWORD,
diff --git a/core/src/test/java/google/registry/keyring/kms/KmsKeyringTest.java b/core/src/test/java/google/registry/keyring/kms/KmsKeyringTest.java
index 98e6da279..77ffc10f0 100644
--- a/core/src/test/java/google/registry/keyring/kms/KmsKeyringTest.java
+++ b/core/src/test/java/google/registry/keyring/kms/KmsKeyringTest.java
@@ -46,6 +46,15 @@ public class KmsKeyringTest {
 keyring = new KmsKeyring(new FakeKmsConnection());
 }

+ @Test
+ public void test_getCloudSqlPassword() throws Exception {
+ saveCleartextSecret("cloud-sql-password-string");
+
+ String cloudSqlPassword = keyring.getCloudSqlPassword();
+
+ assertThat(cloudSqlPassword).isEqualTo("cloud-sql-password-stringmoo");
+ }
+
 @Test
 public void test_getRdeSigningKey() throws Exception {
 saveKeyPairSecret("rde-signing-public", "rde-signing-private");
diff --git a/core/src/test/java/google/registry/keyring/kms/KmsUpdaterTest.java b/core/src/test/java/google/registry/keyring/kms/KmsUpdaterTest.java
index 4219468ce..da0817dc3 100644
--- a/core/src/test/java/google/registry/keyring/kms/KmsUpdaterTest.java
+++ b/core/src/test/java/google/registry/keyring/kms/KmsUpdaterTest.java
@@ -91,6 +91,14 @@ public class KmsUpdaterTest {
 getCiphertext(KmsTestHelper.getPublicKey()));
 }

+ @Test
+ public void test_setCloudSqlPassword() {
+ updater.setCloudSqlPassword("value1").update();
+
+ verifySecretAndSecretRevisionWritten(
+ "cloud-sql-password-string", "cloud-sql-password-string/foo", getCiphertext("value1"));
+ }
+
 @Test
 public void test_setIcannReportingPassword() {
 updater.setIcannReportingPassword("value1").update();
diff --git a/core/src/test/java/google/registry/testing/FakeKeyringModule.java b/core/src/test/java/google/registry/testing/FakeKeyringModule.java
index ddac2d4bb..b729c1fe9 100644
--- a/core/src/test/java/google/registry/testing/FakeKeyringModule.java
+++ b/core/src/test/java/google/registry/testing/FakeKeyringModule.java
@@ -56,6 +56,7 @@ public final class FakeKeyringModule {
 private static final String MARKSDB_LORDN_PASSWORD = "yolo";
 private static final String MARKSDB_SMDRL_LOGIN_AND_PASSWORD = "smdrl:yolo";
 private static final String JSON_CREDENTIAL = "json123";
+ private static final String CLOUD_SQL_PASSWORD = "cloudsqlpw";

 @Provides
 public Keyring get() {
@@ -80,6 +81,11 @@ public final class FakeKeyringModule {
 final String sshPrivate = loadFile(FakeKeyringModule.class, "registry-unittest.id_rsa");

 return new Keyring() {
+ @Override
+ public String getCloudSqlPassword() {
+ return CLOUD_SQL_PASSWORD;
+ }
+
 @Override
 public PGPPublicKey getRdeStagingEncryptionKey() {
 return rdeStagingKey.getPublicKey();