zydronium/google-nomulus
1
0
Fork 0
mirror of https://github.com/google/nomulus.git synced 2025-07-08 20:23:24 +02:00
Code Issues Projects Releases Packages Wiki Activity

Validate SQL credentials in Secret Manager (#907)

Browse source 
* Validate SQL credentials in Secret Manager

Load SQL credentials from the SecretManager and compare them with the
ones currently in use in Nomulus server, beam pipeline, and the registry
tool. Normal operations are not affected by failures related to the
SecretManager, be it IOException, insufficient permission , or wrong or
missing credential.

The appengine and compute engine default service accounts must be
granted the permission to access the secret data. In the short term, we
will grant the secretmanager.secretAccessor role to these accounts. In
the long term, with the proposed privilege service, access will be granted
on per-secret basis.
This commit is contained in:
Weimin Yu 2020-12-16 10:57:03 -05:00 committed by GitHub
parent d7aab524e5
commit 495d7176d8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 94 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

7
core/src/test/java/google/registry/privileges/secretmanager/SecretManagerClientTest.java
View file

@ -17,6 +17,8 @@ package google.registry.privileges.secretmanager;
import static com.google.common.truth.Truth.assertThat;
import static org.junit.jupiter.api.Assertions.assertThrows;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.cloud.secretmanager.v1.SecretManagerServiceSettings;
import com.google.cloud.secretmanager.v1.SecretVersion.State;
import google.registry.privileges.secretmanager.SecretManagerClient.NoSuchSecretResourceException;
import google.registry.privileges.secretmanager.SecretManagerClient.SecretAlreadyExistsException;
@ -54,11 +56,14 @@ public class SecretManagerClientTest {
private String secretId;
@BeforeAll
static void beforeAll() {
static void beforeAll() throws IOException {
String environmentName = System.getProperty("test.gcp_integration.env");
if (environmentName != null) {
secretManagerClient =
SecretManagerModule.provideSecretManagerClient(
SecretManagerServiceSettings.newBuilder()
.setCredentialsProvider(() -> GoogleCredentials.getApplicationDefault())
.build(),
String.format("domain-registry-%s", environmentName),
new Retrier(new SystemSleeper(), 1));
isUnitTest = false;