Add configurations for Cloud SQL secrets (#266)

2025-07-10 21:23:22 +02:00 · 2019-09-11 12:20:08 -04:00 · 2019-09-11 12:20:08 -04:00 · 48d8b1274f
commit 48d8b1274f
parent 401653ad4a
15 changed files with 95 additions and 8 deletions
--- a/core/src/main/java/google/registry/config/RegistryConfig.java
+++ b/core/src/main/java/google/registry/config/RegistryConfig.java
@ -392,6 +392,24 @@ public final class RegistryConfig {
      return config.datastore.eppResourceIndexBucketsNum;
    }

+    @Provides
+    @Config("cloudSqlJdbcUrl")
+    public static String providesCloudSqlJdbcUrl(RegistryConfigSettings config) {
+      return config.cloudSql.jdbcUrl;
+    }
+
+    @Provides
+    @Config("cloudSqlUsername")
+    public static String providesCloudSqlUsername(RegistryConfigSettings config) {
+      return config.cloudSql.username;
+    }
+
+    @Provides
+    @Config("cloudSqlInstanceConnectionName")
+    public static String providesCloudSqlInstanceConnectionName(RegistryConfigSettings config) {
+      return config.cloudSql.instanceConnectionName;
+    }
+
    @Provides
    @Config("cloudDnsRootUrl")
    public static Optional<String> getCloudDnsRootUrl(RegistryConfigSettings config) {
@ -1469,11 +1487,6 @@ public final class RegistryConfig {
    return CONFIG_SETTINGS.get().hibernate.logSqlQueries;
  }

-  /** Returns true if schema modification is allowed. */
-  public static String getHibernateHbm2ddlAuto() {
-    return CONFIG_SETTINGS.get().hibernate.hbm2ddlAuto;
-  }
-
  /** Returns the connection timeout for HikariCP. */
  public static String getHibernateHikariConnectionTimeout() {
    return CONFIG_SETTINGS.get().hibernate.hikariConnectionTimeout;
--- a/core/src/main/java/google/registry/config/RegistryConfigSettings.java
+++ b/core/src/main/java/google/registry/config/RegistryConfigSettings.java
@ -26,6 +26,7 @@ public class RegistryConfigSettings {
  public RegistryPolicy registryPolicy;
  public Datastore datastore;
  public Hibernate hibernate;
+  public CloudSql cloudSql;
  public CloudDns cloudDns;
  public Caching caching;
  public IcannReporting icannReporting;
@ -110,13 +111,19 @@ public class RegistryConfigSettings {
  public static class Hibernate {
    public String connectionIsolation;
    public String logSqlQueries;
-    public String hbm2ddlAuto;
    public String hikariConnectionTimeout;
    public String hikariMinimumIdle;
    public String hikariMaximumPoolSize;
    public String hikariIdleTimeout;
  }

+  /** Configuration for Cloud SQL. */
+  public static class CloudSql {
+    public String jdbcUrl;
+    public String username;
+    public String instanceConnectionName;
+  }
+
  /** Configuration for Apache Beam (Cloud Dataflow). */
  public static class Beam {
    public String defaultJobZone;
--- a/core/src/main/java/google/registry/config/files/default-config.yaml
+++ b/core/src/main/java/google/registry/config/files/default-config.yaml
@ -211,6 +211,14 @@ hibernate:
  hikariMaximumPoolSize: 20
  hikariIdleTimeout: 300000

+cloudSql:
+  # jdbc url for the Cloud SQL database.
+  jdbcUrl: jdbc:postgresql://localhost
+  # Username for the database user.
+  username: username
+  # This name is used by Cloud SQL when connecting to the database.
+  instanceConnectionName: project-id:region:instance-id
+
 cloudDns:
  # Set both properties to null in Production.
  # The root url for the Cloud DNS API.  Set this to a non-null value to
--- a/core/src/main/java/google/registry/keyring/api/DummyKeyringModule.java
+++ b/core/src/main/java/google/registry/keyring/api/DummyKeyringModule.java
@ -122,7 +122,8 @@ public abstract class DummyKeyringModule {
        "not a real login",
        "not a real password",
        "not a real login",
-        "not a real credential");
+        "not a real credential",
+        "not a real password");
  }

  private DummyKeyringModule() {}
--- a/core/src/main/java/google/registry/keyring/api/InMemoryKeyring.java
+++ b/core/src/main/java/google/registry/keyring/api/InMemoryKeyring.java
@ -39,6 +39,7 @@ public final class InMemoryKeyring implements Keyring {
  private final String marksdbLordnPassword;
  private final String marksdbSmdrlLoginAndPassword;
  private final String jsonCredential;
+  private final String cloudSqlPassword;

  public InMemoryKeyring(
      PGPKeyPair rdeStagingKey,
@ -53,7 +54,8 @@ public final class InMemoryKeyring implements Keyring {
      String marksdbDnlLoginAndPassword,
      String marksdbLordnPassword,
      String marksdbSmdrlLoginAndPassword,
-      String jsonCredential) {
+      String jsonCredential,
+      String cloudSqlPassword) {
    checkArgument(PgpHelper.isSigningKey(rdeSigningKey.getPublicKey()),
        "RDE signing key must support signing: %s", rdeSigningKey.getKeyID());
    checkArgument(rdeStagingKey.getPublicKey().isEncryptionKey(),
@ -79,6 +81,7 @@ public final class InMemoryKeyring implements Keyring {
    this.marksdbSmdrlLoginAndPassword =
        checkNotNull(marksdbSmdrlLoginAndPassword, "marksdbSmdrlLoginAndPassword");
    this.jsonCredential = checkNotNull(jsonCredential, "jsonCredential");
+    this.cloudSqlPassword = checkNotNull(cloudSqlPassword, "cloudSqlPassword");
  }

  @Override
@ -151,6 +154,11 @@ public final class InMemoryKeyring implements Keyring {
    return jsonCredential;
  }

+  @Override
+  public String getCloudSqlPassword() {
+    return cloudSqlPassword;
+  }
+
  /** Does nothing. */
  @Override
  public void close() {}
--- a/core/src/main/java/google/registry/keyring/api/KeyModule.java
+++ b/core/src/main/java/google/registry/keyring/api/KeyModule.java
@ -36,6 +36,12 @@ public final class KeyModule {
    String value();
  }

+  @Provides
+  @Key("cloudSqlPassword")
+  static String providesCloudSqlPassword(Keyring keyring) {
+    return keyring.getCloudSqlPassword();
+  }
+
  @Provides
  @Key("brdaReceiverKey")
  static PGPPublicKey provideBrdaReceiverKey(Keyring keyring) {
--- a/core/src/main/java/google/registry/keyring/api/Keyring.java
+++ b/core/src/main/java/google/registry/keyring/api/Keyring.java
@ -28,6 +28,9 @@ import org.bouncycastle.openpgp.PGPPublicKey;
@ThreadSafe
 public interface Keyring extends AutoCloseable {

+  /** Returns the password which is used to connect to the Cloud SQL database. */
+  String getCloudSqlPassword();
+
  /**
   * Returns the key which should be used to sign RDE deposits being uploaded to a third-party.
   *
--- a/core/src/main/java/google/registry/keyring/kms/KmsKeyring.java
+++ b/core/src/main/java/google/registry/keyring/kms/KmsKeyring.java
@ -67,6 +67,7 @@ public class KmsKeyring implements Keyring {

  /** Key labels for string secrets. */
  enum StringKeyLabel {
+    CLOUD_SQL_PASSWORD_STRING,
    SAFE_BROWSING_API_KEY,
    ICANN_REPORTING_PASSWORD_STRING,
    JSON_CREDENTIAL_STRING,
@ -88,6 +89,11 @@ public class KmsKeyring implements Keyring {
    this.kmsConnection = kmsConnection;
  }

+  @Override
+  public String getCloudSqlPassword() {
+    return getString(StringKeyLabel.CLOUD_SQL_PASSWORD_STRING);
+  }
+
  @Override
  public PGPKeyPair getRdeSigningKey() {
    return getKeyPair(PrivateKeyLabel.RDE_SIGNING_PRIVATE);
--- a/core/src/main/java/google/registry/keyring/kms/KmsUpdater.java
+++ b/core/src/main/java/google/registry/keyring/kms/KmsUpdater.java
@ -24,6 +24,7 @@ import static google.registry.keyring.kms.KmsKeyring.PublicKeyLabel.BRDA_SIGNING
 import static google.registry.keyring.kms.KmsKeyring.PublicKeyLabel.RDE_RECEIVER_PUBLIC;
 import static google.registry.keyring.kms.KmsKeyring.PublicKeyLabel.RDE_SIGNING_PUBLIC;
 import static google.registry.keyring.kms.KmsKeyring.PublicKeyLabel.RDE_STAGING_PUBLIC;
+import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.CLOUD_SQL_PASSWORD_STRING;
 import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.ICANN_REPORTING_PASSWORD_STRING;
 import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.JSON_CREDENTIAL_STRING;
 import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.MARKSDB_DNL_LOGIN_STRING;
@ -69,6 +70,10 @@ public final class KmsUpdater {
    this.secretValues = new LinkedHashMap<>();
  }

+  public KmsUpdater setCloudSqlPassword(String password) {
+    return setString(password, CLOUD_SQL_PASSWORD_STRING);
+  }
+
  public KmsUpdater setRdeSigningKey(PGPKeyPair keyPair) throws IOException, PGPException {
    return setKeyPair(keyPair, RDE_SIGNING_PRIVATE, RDE_SIGNING_PUBLIC);
  }
--- a/core/src/main/java/google/registry/tools/GetKeyringSecretCommand.java
+++ b/core/src/main/java/google/registry/tools/GetKeyringSecretCommand.java
@ -65,6 +65,9 @@ final class GetKeyringSecretCommand implements CommandWithRemoteApi {
      case BRDA_SIGNING_PUBLIC_KEY:
        out.write(KeySerializer.serializePublicKey(keyring.getBrdaSigningKey().getPublicKey()));
        break;
+      case CLOUD_SQL_PASSWORD:
+        out.write(KeySerializer.serializeString(keyring.getCloudSqlPassword()));
+        break;
      case ICANN_REPORTING_PASSWORD:
        out.write(KeySerializer.serializeString(keyring.getIcannReportingPassword()));
        break;
--- a/core/src/main/java/google/registry/tools/UpdateKmsKeyringCommand.java
+++ b/core/src/main/java/google/registry/tools/UpdateKmsKeyringCommand.java
@ -65,6 +65,9 @@ final class UpdateKmsKeyringCommand implements CommandWithRemoteApi {
        throw new IllegalArgumentException(
            "Can't update BRDA_SIGNING_PUBLIC_KEY directly."
            + " Must update public and private keys together using BRDA_SIGNING_KEY_PAIR.");
+      case CLOUD_SQL_PASSWORD:
+        kmsUpdater.setCloudSqlPassword(deserializeString(input));
+        break;
      case ICANN_REPORTING_PASSWORD:
        kmsUpdater.setIcannReportingPassword(deserializeString(input));
        break;
--- a/core/src/main/java/google/registry/tools/params/KeyringKeyName.java
+++ b/core/src/main/java/google/registry/tools/params/KeyringKeyName.java
@ -24,6 +24,7 @@ public enum KeyringKeyName {
  BRDA_RECEIVER_PUBLIC_KEY,
  BRDA_SIGNING_KEY_PAIR,
  BRDA_SIGNING_PUBLIC_KEY,
+  CLOUD_SQL_PASSWORD,
  ICANN_REPORTING_PASSWORD,
  JSON_CREDENTIAL,
  MARKSDB_DNL_LOGIN_AND_PASSWORD,
--- a/core/src/test/java/google/registry/keyring/kms/KmsKeyringTest.java
+++ b/core/src/test/java/google/registry/keyring/kms/KmsKeyringTest.java
@ -46,6 +46,15 @@ public class KmsKeyringTest {
    keyring = new KmsKeyring(new FakeKmsConnection());
  }

+  @Test
+  public void test_getCloudSqlPassword() throws Exception {
+    saveCleartextSecret("cloud-sql-password-string");
+
+    String cloudSqlPassword = keyring.getCloudSqlPassword();
+
+    assertThat(cloudSqlPassword).isEqualTo("cloud-sql-password-stringmoo");
+  }
+
  @Test
  public void test_getRdeSigningKey() throws Exception {
    saveKeyPairSecret("rde-signing-public", "rde-signing-private");
--- a/core/src/test/java/google/registry/keyring/kms/KmsUpdaterTest.java
+++ b/core/src/test/java/google/registry/keyring/kms/KmsUpdaterTest.java
@ -91,6 +91,14 @@ public class KmsUpdaterTest {
        getCiphertext(KmsTestHelper.getPublicKey()));
  }

+  @Test
+  public void test_setCloudSqlPassword() {
+    updater.setCloudSqlPassword("value1").update();
+
+    verifySecretAndSecretRevisionWritten(
+        "cloud-sql-password-string", "cloud-sql-password-string/foo", getCiphertext("value1"));
+  }
+
  @Test
  public void test_setIcannReportingPassword() {
    updater.setIcannReportingPassword("value1").update();
--- a/core/src/test/java/google/registry/testing/FakeKeyringModule.java
+++ b/core/src/test/java/google/registry/testing/FakeKeyringModule.java
@ -56,6 +56,7 @@ public final class FakeKeyringModule {
  private static final String MARKSDB_LORDN_PASSWORD = "yolo";
  private static final String MARKSDB_SMDRL_LOGIN_AND_PASSWORD = "smdrl:yolo";
  private static final String JSON_CREDENTIAL = "json123";
+  private static final String CLOUD_SQL_PASSWORD = "cloudsqlpw";

  @Provides
  public Keyring get() {
@ -80,6 +81,11 @@ public final class FakeKeyringModule {
    final String sshPrivate = loadFile(FakeKeyringModule.class, "registry-unittest.id_rsa");

    return new Keyring() {
+      @Override
+      public String getCloudSqlPassword() {
+        return CLOUD_SQL_PASSWORD;
+      }
+
      @Override
      public PGPPublicKey getRdeStagingEncryptionKey() {
        return rdeStagingKey.getPublicKey();