mirror of
https://github.com/google/nomulus.git
synced 2025-07-10 13:13:28 +02:00
Add configurations for Cloud SQL secrets (#266)
This commit is contained in:
parent
401653ad4a
commit
48d8b1274f
15 changed files with 95 additions and 8 deletions
|
@ -392,6 +392,24 @@ public final class RegistryConfig {
|
|||
return config.datastore.eppResourceIndexBucketsNum;
|
||||
}
|
||||
|
||||
@Provides
|
||||
@Config("cloudSqlJdbcUrl")
|
||||
public static String providesCloudSqlJdbcUrl(RegistryConfigSettings config) {
|
||||
return config.cloudSql.jdbcUrl;
|
||||
}
|
||||
|
||||
@Provides
|
||||
@Config("cloudSqlUsername")
|
||||
public static String providesCloudSqlUsername(RegistryConfigSettings config) {
|
||||
return config.cloudSql.username;
|
||||
}
|
||||
|
||||
@Provides
|
||||
@Config("cloudSqlInstanceConnectionName")
|
||||
public static String providesCloudSqlInstanceConnectionName(RegistryConfigSettings config) {
|
||||
return config.cloudSql.instanceConnectionName;
|
||||
}
|
||||
|
||||
@Provides
|
||||
@Config("cloudDnsRootUrl")
|
||||
public static Optional<String> getCloudDnsRootUrl(RegistryConfigSettings config) {
|
||||
|
@ -1469,11 +1487,6 @@ public final class RegistryConfig {
|
|||
return CONFIG_SETTINGS.get().hibernate.logSqlQueries;
|
||||
}
|
||||
|
||||
/** Returns true if schema modification is allowed. */
|
||||
public static String getHibernateHbm2ddlAuto() {
|
||||
return CONFIG_SETTINGS.get().hibernate.hbm2ddlAuto;
|
||||
}
|
||||
|
||||
/** Returns the connection timeout for HikariCP. */
|
||||
public static String getHibernateHikariConnectionTimeout() {
|
||||
return CONFIG_SETTINGS.get().hibernate.hikariConnectionTimeout;
|
||||
|
|
|
@ -26,6 +26,7 @@ public class RegistryConfigSettings {
|
|||
public RegistryPolicy registryPolicy;
|
||||
public Datastore datastore;
|
||||
public Hibernate hibernate;
|
||||
public CloudSql cloudSql;
|
||||
public CloudDns cloudDns;
|
||||
public Caching caching;
|
||||
public IcannReporting icannReporting;
|
||||
|
@ -110,13 +111,19 @@ public class RegistryConfigSettings {
|
|||
public static class Hibernate {
|
||||
public String connectionIsolation;
|
||||
public String logSqlQueries;
|
||||
public String hbm2ddlAuto;
|
||||
public String hikariConnectionTimeout;
|
||||
public String hikariMinimumIdle;
|
||||
public String hikariMaximumPoolSize;
|
||||
public String hikariIdleTimeout;
|
||||
}
|
||||
|
||||
/** Configuration for Cloud SQL. */
|
||||
public static class CloudSql {
|
||||
public String jdbcUrl;
|
||||
public String username;
|
||||
public String instanceConnectionName;
|
||||
}
|
||||
|
||||
/** Configuration for Apache Beam (Cloud Dataflow). */
|
||||
public static class Beam {
|
||||
public String defaultJobZone;
|
||||
|
|
|
@ -211,6 +211,14 @@ hibernate:
|
|||
hikariMaximumPoolSize: 20
|
||||
hikariIdleTimeout: 300000
|
||||
|
||||
cloudSql:
|
||||
# jdbc url for the Cloud SQL database.
|
||||
jdbcUrl: jdbc:postgresql://localhost
|
||||
# Username for the database user.
|
||||
username: username
|
||||
# This name is used by Cloud SQL when connecting to the database.
|
||||
instanceConnectionName: project-id:region:instance-id
|
||||
|
||||
cloudDns:
|
||||
# Set both properties to null in Production.
|
||||
# The root url for the Cloud DNS API. Set this to a non-null value to
|
||||
|
|
|
@ -122,7 +122,8 @@ public abstract class DummyKeyringModule {
|
|||
"not a real login",
|
||||
"not a real password",
|
||||
"not a real login",
|
||||
"not a real credential");
|
||||
"not a real credential",
|
||||
"not a real password");
|
||||
}
|
||||
|
||||
private DummyKeyringModule() {}
|
||||
|
|
|
@ -39,6 +39,7 @@ public final class InMemoryKeyring implements Keyring {
|
|||
private final String marksdbLordnPassword;
|
||||
private final String marksdbSmdrlLoginAndPassword;
|
||||
private final String jsonCredential;
|
||||
private final String cloudSqlPassword;
|
||||
|
||||
public InMemoryKeyring(
|
||||
PGPKeyPair rdeStagingKey,
|
||||
|
@ -53,7 +54,8 @@ public final class InMemoryKeyring implements Keyring {
|
|||
String marksdbDnlLoginAndPassword,
|
||||
String marksdbLordnPassword,
|
||||
String marksdbSmdrlLoginAndPassword,
|
||||
String jsonCredential) {
|
||||
String jsonCredential,
|
||||
String cloudSqlPassword) {
|
||||
checkArgument(PgpHelper.isSigningKey(rdeSigningKey.getPublicKey()),
|
||||
"RDE signing key must support signing: %s", rdeSigningKey.getKeyID());
|
||||
checkArgument(rdeStagingKey.getPublicKey().isEncryptionKey(),
|
||||
|
@ -79,6 +81,7 @@ public final class InMemoryKeyring implements Keyring {
|
|||
this.marksdbSmdrlLoginAndPassword =
|
||||
checkNotNull(marksdbSmdrlLoginAndPassword, "marksdbSmdrlLoginAndPassword");
|
||||
this.jsonCredential = checkNotNull(jsonCredential, "jsonCredential");
|
||||
this.cloudSqlPassword = checkNotNull(cloudSqlPassword, "cloudSqlPassword");
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -151,6 +154,11 @@ public final class InMemoryKeyring implements Keyring {
|
|||
return jsonCredential;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getCloudSqlPassword() {
|
||||
return cloudSqlPassword;
|
||||
}
|
||||
|
||||
/** Does nothing. */
|
||||
@Override
|
||||
public void close() {}
|
||||
|
|
|
@ -36,6 +36,12 @@ public final class KeyModule {
|
|||
String value();
|
||||
}
|
||||
|
||||
@Provides
|
||||
@Key("cloudSqlPassword")
|
||||
static String providesCloudSqlPassword(Keyring keyring) {
|
||||
return keyring.getCloudSqlPassword();
|
||||
}
|
||||
|
||||
@Provides
|
||||
@Key("brdaReceiverKey")
|
||||
static PGPPublicKey provideBrdaReceiverKey(Keyring keyring) {
|
||||
|
|
|
@ -28,6 +28,9 @@ import org.bouncycastle.openpgp.PGPPublicKey;
|
|||
@ThreadSafe
|
||||
public interface Keyring extends AutoCloseable {
|
||||
|
||||
/** Returns the password which is used to connect to the Cloud SQL database. */
|
||||
String getCloudSqlPassword();
|
||||
|
||||
/**
|
||||
* Returns the key which should be used to sign RDE deposits being uploaded to a third-party.
|
||||
*
|
||||
|
|
|
@ -67,6 +67,7 @@ public class KmsKeyring implements Keyring {
|
|||
|
||||
/** Key labels for string secrets. */
|
||||
enum StringKeyLabel {
|
||||
CLOUD_SQL_PASSWORD_STRING,
|
||||
SAFE_BROWSING_API_KEY,
|
||||
ICANN_REPORTING_PASSWORD_STRING,
|
||||
JSON_CREDENTIAL_STRING,
|
||||
|
@ -88,6 +89,11 @@ public class KmsKeyring implements Keyring {
|
|||
this.kmsConnection = kmsConnection;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getCloudSqlPassword() {
|
||||
return getString(StringKeyLabel.CLOUD_SQL_PASSWORD_STRING);
|
||||
}
|
||||
|
||||
@Override
|
||||
public PGPKeyPair getRdeSigningKey() {
|
||||
return getKeyPair(PrivateKeyLabel.RDE_SIGNING_PRIVATE);
|
||||
|
|
|
@ -24,6 +24,7 @@ import static google.registry.keyring.kms.KmsKeyring.PublicKeyLabel.BRDA_SIGNING
|
|||
import static google.registry.keyring.kms.KmsKeyring.PublicKeyLabel.RDE_RECEIVER_PUBLIC;
|
||||
import static google.registry.keyring.kms.KmsKeyring.PublicKeyLabel.RDE_SIGNING_PUBLIC;
|
||||
import static google.registry.keyring.kms.KmsKeyring.PublicKeyLabel.RDE_STAGING_PUBLIC;
|
||||
import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.CLOUD_SQL_PASSWORD_STRING;
|
||||
import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.ICANN_REPORTING_PASSWORD_STRING;
|
||||
import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.JSON_CREDENTIAL_STRING;
|
||||
import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.MARKSDB_DNL_LOGIN_STRING;
|
||||
|
@ -69,6 +70,10 @@ public final class KmsUpdater {
|
|||
this.secretValues = new LinkedHashMap<>();
|
||||
}
|
||||
|
||||
public KmsUpdater setCloudSqlPassword(String password) {
|
||||
return setString(password, CLOUD_SQL_PASSWORD_STRING);
|
||||
}
|
||||
|
||||
public KmsUpdater setRdeSigningKey(PGPKeyPair keyPair) throws IOException, PGPException {
|
||||
return setKeyPair(keyPair, RDE_SIGNING_PRIVATE, RDE_SIGNING_PUBLIC);
|
||||
}
|
||||
|
|
|
@ -65,6 +65,9 @@ final class GetKeyringSecretCommand implements CommandWithRemoteApi {
|
|||
case BRDA_SIGNING_PUBLIC_KEY:
|
||||
out.write(KeySerializer.serializePublicKey(keyring.getBrdaSigningKey().getPublicKey()));
|
||||
break;
|
||||
case CLOUD_SQL_PASSWORD:
|
||||
out.write(KeySerializer.serializeString(keyring.getCloudSqlPassword()));
|
||||
break;
|
||||
case ICANN_REPORTING_PASSWORD:
|
||||
out.write(KeySerializer.serializeString(keyring.getIcannReportingPassword()));
|
||||
break;
|
||||
|
|
|
@ -65,6 +65,9 @@ final class UpdateKmsKeyringCommand implements CommandWithRemoteApi {
|
|||
throw new IllegalArgumentException(
|
||||
"Can't update BRDA_SIGNING_PUBLIC_KEY directly."
|
||||
+ " Must update public and private keys together using BRDA_SIGNING_KEY_PAIR.");
|
||||
case CLOUD_SQL_PASSWORD:
|
||||
kmsUpdater.setCloudSqlPassword(deserializeString(input));
|
||||
break;
|
||||
case ICANN_REPORTING_PASSWORD:
|
||||
kmsUpdater.setIcannReportingPassword(deserializeString(input));
|
||||
break;
|
||||
|
|
|
@ -24,6 +24,7 @@ public enum KeyringKeyName {
|
|||
BRDA_RECEIVER_PUBLIC_KEY,
|
||||
BRDA_SIGNING_KEY_PAIR,
|
||||
BRDA_SIGNING_PUBLIC_KEY,
|
||||
CLOUD_SQL_PASSWORD,
|
||||
ICANN_REPORTING_PASSWORD,
|
||||
JSON_CREDENTIAL,
|
||||
MARKSDB_DNL_LOGIN_AND_PASSWORD,
|
||||
|
|
|
@ -46,6 +46,15 @@ public class KmsKeyringTest {
|
|||
keyring = new KmsKeyring(new FakeKmsConnection());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void test_getCloudSqlPassword() throws Exception {
|
||||
saveCleartextSecret("cloud-sql-password-string");
|
||||
|
||||
String cloudSqlPassword = keyring.getCloudSqlPassword();
|
||||
|
||||
assertThat(cloudSqlPassword).isEqualTo("cloud-sql-password-stringmoo");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void test_getRdeSigningKey() throws Exception {
|
||||
saveKeyPairSecret("rde-signing-public", "rde-signing-private");
|
||||
|
|
|
@ -91,6 +91,14 @@ public class KmsUpdaterTest {
|
|||
getCiphertext(KmsTestHelper.getPublicKey()));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void test_setCloudSqlPassword() {
|
||||
updater.setCloudSqlPassword("value1").update();
|
||||
|
||||
verifySecretAndSecretRevisionWritten(
|
||||
"cloud-sql-password-string", "cloud-sql-password-string/foo", getCiphertext("value1"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void test_setIcannReportingPassword() {
|
||||
updater.setIcannReportingPassword("value1").update();
|
||||
|
|
|
@ -56,6 +56,7 @@ public final class FakeKeyringModule {
|
|||
private static final String MARKSDB_LORDN_PASSWORD = "yolo";
|
||||
private static final String MARKSDB_SMDRL_LOGIN_AND_PASSWORD = "smdrl:yolo";
|
||||
private static final String JSON_CREDENTIAL = "json123";
|
||||
private static final String CLOUD_SQL_PASSWORD = "cloudsqlpw";
|
||||
|
||||
@Provides
|
||||
public Keyring get() {
|
||||
|
@ -80,6 +81,11 @@ public final class FakeKeyringModule {
|
|||
final String sshPrivate = loadFile(FakeKeyringModule.class, "registry-unittest.id_rsa");
|
||||
|
||||
return new Keyring() {
|
||||
@Override
|
||||
public String getCloudSqlPassword() {
|
||||
return CLOUD_SQL_PASSWORD;
|
||||
}
|
||||
|
||||
@Override
|
||||
public PGPPublicKey getRdeStagingEncryptionKey() {
|
||||
return rdeStagingKey.getPublicKey();
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue