mv com/google/domain/registry google/registry

This change renames directories in preparation for the great package
rename. The repository is now in a broken state because the code
itself hasn't been updated. However this should ensure that git
correctly preserves history for each file.

java/google/registry/security/BUILD

@@ -0,0 +1,42 @@
+package(
+    default_visibility = ["//java/com/google/domain/registry:registry_project"],
+)
+
+
+java_library(
+    name = "security",
+    srcs = glob(
+        ["*.java"],
+        exclude = glob(["*Servlet.java"]),
+    ),
+    visibility = ["//visibility:public"],
+    deps = [
+        "//java/com/google/common/base",
+        "//java/com/google/common/collect",
+        "//java/com/google/common/hash",
+        "//java/com/google/common/html",
+        "//java/com/google/common/io",
+        "//java/com/google/common/net",
+        "//java/com/google/domain/registry/model",
+        "//java/com/google/domain/registry/util",
+        "//third_party/java/appengine:appengine-api",
+        "//third_party/java/joda_time",
+        "//third_party/java/json_simple",
+        "//third_party/java/jsr305_annotations",
+        "//third_party/java/objectify:objectify-v4_1",
+        "//third_party/java/servlet/servlet_api",
+    ],
+)
+
+java_library(
+    name = "servlets",
+    srcs = glob(["*Servlet.java"]),
+    deps = [
+        ":security",
+        "//java/com/google/common/base",
+        "//java/com/google/domain/registry/request",
+        "//third_party/java/appengine:appengine-api",
+        "//third_party/java/joda_time",
+        "//third_party/java/servlet/servlet_api",
+    ],
+)

java/google/registry/security/JsonHttp.java

@@ -0,0 +1,97 @@
+// Copyright 2016 The Domain Registry Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.domain.registry.security;
+
+import static com.google.common.base.Preconditions.checkNotNull;
+import static com.google.common.net.HttpHeaders.CONTENT_DISPOSITION;
+import static com.google.common.net.HttpHeaders.X_CONTENT_TYPE_OPTIONS;
+import static com.google.common.net.MediaType.JSON_UTF_8;
+import static org.json.simple.JSONValue.writeJSONString;
+
+import com.google.common.net.MediaType;
+import com.google.domain.registry.util.FormattingLogger;
+
+import org.json.simple.JSONValue;
+import org.json.simple.parser.ParseException;
+
+import java.io.IOException;
+import java.io.Reader;
+import java.io.Writer;
+import java.util.Map;
+
+import javax.annotation.Nullable;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * Helper class for servlets that read or write JSON.
+ *
+ * @see JsonResponseHelper
+ */
+public final class JsonHttp {
+
+  private static final FormattingLogger logger = FormattingLogger.getLoggerForCallerClass();
+
+  /** String prefixed to all JSON-like responses. */
+  public static final String JSON_SAFETY_PREFIX = ")]}'\n";
+
+  /**
+   * Extracts a JSON object from a servlet request.
+   *
+   * @return JSON object or {@code null} on error, in which case servlet should return.
+   * @throws IOException if we failed to read from {@code req}.
+   */
+  @Nullable
+  @SuppressWarnings("unchecked")
+  public static Map<String, ?> read(HttpServletRequest req) throws IOException {
+    if (!"POST".equals(req.getMethod())
+        && !"PUT".equals(req.getMethod())) {
+      logger.warning("JSON request payload only allowed for POST/PUT");
+      return null;
+    }
+    if (!JSON_UTF_8.is(MediaType.parse(req.getContentType()))) {
+      logger.warningfmt("Invalid JSON Content-Type: %s", req.getContentType());
+      return null;
+    }
+    try (Reader jsonReader = req.getReader()) {
+      try {
+        return checkNotNull((Map<String, ?>) JSONValue.parseWithException(jsonReader));
+      } catch (ParseException | NullPointerException | ClassCastException e) {
+        logger.warning(e, "Malformed JSON");
+        return null;
+      }
+    }
+  }
+
+  /**
+   * Writes a JSON servlet response securely with a parser breaker.
+   *
+   * @throws IOException if we failed to write to {@code rsp}.
+   */
+  public static void write(HttpServletResponse rsp, Map<String, ?> jsonObject) throws IOException {
+    checkNotNull(jsonObject);
+    rsp.setContentType(JSON_UTF_8.toString());
+    // This prevents IE from MIME-sniffing a response away from the declared Content-Type.
+    rsp.setHeader(X_CONTENT_TYPE_OPTIONS, "nosniff");
+    // This is a defense in depth that prevents browsers from trying to render the content of the
+    // response, even if all else fails. It's basically another anti-sniffing mechanism in the sense
+    // that if you hit this url directly, it would try to download the file instead of showing it.
+    rsp.setHeader(CONTENT_DISPOSITION, "attachment");
+    try (Writer writer = rsp.getWriter()) {
+      writer.write(JSON_SAFETY_PREFIX);
+      writeJSONString(jsonObject, writer);
+    }
+  }
+}

java/google/registry/security/JsonResponseHelper.java

@@ -0,0 +1,63 @@
+// Copyright 2016 The Domain Registry Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.domain.registry.security;
+
+import static com.google.common.base.Preconditions.checkNotNull;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMap;
+
+import java.util.Map;
+
+/**
+ * Helper class for JSON API servlets to send response messages.
+ *
+ * @see JsonHttp
+ */
+public final class JsonResponseHelper {
+
+  /** Possible results of an RPC operation. */
+  public enum Status { SUCCESS, ERROR }
+
+  /** Creates a JSON response message securely to the browser client with a parser breaker. */
+  public static ImmutableMap<String, Object> create(
+      Status status, String message, Iterable<? extends Map<String, ?>> results) {
+    return ImmutableMap.<String, Object>of(
+        "status", status.toString(),
+        "message", checkNotNull(message, "message"),
+        "results", ImmutableList.copyOf(results));
+  }
+
+  /** Same as {@link #create(Status, String, Iterable)} but with zero results. */
+  public static ImmutableMap<String, Object> create(Status status, String message) {
+    return create(status, message, ImmutableList.<Map<String, ?>>of());
+  }
+
+  /** Same as {@link #create(Status, String, Iterable)} but with only one results. */
+  public static ImmutableMap<String, Object> create(
+      Status status, String message, Map<String, ?> result) {
+    return create(status, message, ImmutableList.<Map<String, ?>>of(result));
+  }
+
+  /** Creates a JSON response message when a submitted form field is invalid. */
+  public static ImmutableMap<String, Object> createFormFieldError(
+      String message, String formFieldName) {
+    return ImmutableMap.<String, Object>of(
+        "status", Status.ERROR.toString(),
+        "message", checkNotNull(message, "message"),
+        "field", checkNotNull(formFieldName, "formFieldName"),
+        "results", ImmutableList.of());
+  }
+}

java/google/registry/security/JsonTransportServlet.java

@@ -0,0 +1,76 @@
+// Copyright 2016 The Domain Registry Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.domain.registry.security;
+
+import static com.google.common.base.Preconditions.checkNotNull;
+import static javax.servlet.http.HttpServletResponse.SC_BAD_REQUEST;
+import static javax.servlet.http.HttpServletResponse.SC_OK;
+
+import com.google.domain.registry.request.HttpException;
+
+import java.io.IOException;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * Secure servlet that speaks JSON for both input and output.
+ *
+ * <p>This servlet accepts only JSON inputs (using the payload) and returns only JSON
+ * responses, using and various security best practices such as a parser breaker,
+ * {@code Content-Disposition: attachment}, etc.
+ *
+ * @see JsonHttp
+ */
+public abstract class JsonTransportServlet extends XsrfProtectedServlet {
+
+  protected JsonTransportServlet(String xsrfScope, boolean requireAdmin) {
+    super(xsrfScope, requireAdmin);
+  }
+
+  /**
+   * Verify that this is a well-formed request and then execute it. A well-formed request will have
+   * either a JSON string in the "json" param that evaluates to a map, or nothing in "json".
+   */
+  @Override
+  protected final void doPost(HttpServletRequest req, HttpServletResponse rsp) throws IOException {
+    Map<String, ?> input = JsonHttp.read(req);
+    if (input == null) {
+      rsp.sendError(SC_BAD_REQUEST, "Malformed JSON");
+      return;
+    }
+    Map<String, ?> output;
+    try {
+      output = doJsonPost(req, input);
+    } catch (HttpException e) {
+      e.send(rsp);
+      return;
+    }
+    checkNotNull(output, "doJsonPost() returned null");
+    rsp.setStatus(SC_OK);
+    JsonHttp.write(rsp, output);
+  }
+
+  /**
+   * Handler for HTTP POST requests.
+   *
+   * @param req Servlet request object.
+   * @param input JSON request object or empty if none was provided.
+   * @return an arbitrary JSON object. Must not be {@code null}.
+   * @throws HttpException in order to send a non-200 status code / message to the client.
+   */
+  public abstract Map<String, Object> doJsonPost(HttpServletRequest req, Map<String, ?> input);
+}

java/google/registry/security/XsrfProtectedServlet.java

@@ -0,0 +1,86 @@
+// Copyright 2016 The Domain Registry Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.domain.registry.security;
+
+import static com.google.appengine.api.users.UserServiceFactory.getUserService;
+import static com.google.common.base.Preconditions.checkNotNull;
+import static com.google.common.base.Strings.nullToEmpty;
+import static com.google.domain.registry.security.XsrfTokenManager.X_CSRF_TOKEN;
+import static com.google.domain.registry.security.XsrfTokenManager.validateToken;
+import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;
+
+import com.google.appengine.api.users.UserService;
+
+import org.joda.time.Duration;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * Servlet with Cross-Site Request Forgery (XSRF) protection.
+ *
+ * <p>This servlet enforces XSRF protection on all requests by checking the value provided in the
+ * "X-CSRF-Token" header. It can also optionally enforce that only admin users can call it.
+ *
+ * <p>All servlets that handle client requests should use XSRF protection.
+ */
+public abstract class XsrfProtectedServlet extends HttpServlet {
+
+  private static final Duration XSRF_VALIDITY = Duration.standardDays(1);
+
+  /** Used to validate XSRF tokens. */
+  private String xsrfScope;
+
+  /** Whether to do a security check for admin status. */
+  private boolean requireAdmin;
+
+  /** Gets the XSRF scope for this servlet. */
+  public String getScope() {
+    return xsrfScope;
+  }
+
+  protected XsrfProtectedServlet(String xsrfScope, boolean requireAdmin) {
+    this.xsrfScope = checkNotNull(xsrfScope);
+    this.requireAdmin = requireAdmin;
+  }
+
+  @Override
+  public final void service(HttpServletRequest req, HttpServletResponse rsp)
+      throws IOException, ServletException {
+    if (!validateToken(nullToEmpty(req.getHeader(X_CSRF_TOKEN)), xsrfScope, XSRF_VALIDITY)) {
+      rsp.sendError(SC_FORBIDDEN, "Invalid " + X_CSRF_TOKEN);
+      return;
+    }
+    if (!validateAdmin()) {
+      rsp.sendError(SC_FORBIDDEN, "Administrator access only");
+      return;
+    }
+    doPost(req, rsp);
+  }
+
+  /**
+   * If this is an admin-only servlet, require admin permissions or being in development mode. Such
+   * servlets should primarily be defended by being marked internal-only in web.xml, but it's worth
+   * adding a defense-in-depth.
+   */
+  private boolean validateAdmin() {
+    UserService userService = getUserService();
+    return requireAdmin ? (userService.isUserLoggedIn() && userService.isUserAdmin()) : true;
+  }
+}

java/google/registry/security/XsrfTokenManager.java

@@ -0,0 +1,106 @@
+// Copyright 2016 The Domain Registry Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.domain.registry.security;
+
+import static com.google.appengine.api.users.UserServiceFactory.getUserService;
+import static com.google.common.io.BaseEncoding.base64Url;
+import static com.google.domain.registry.model.server.ServerSecret.getServerSecret;
+import static java.nio.charset.StandardCharsets.UTF_8;
+
+import com.google.appengine.api.users.UserService;
+import com.google.common.base.Joiner;
+import com.google.common.base.Splitter;
+import com.google.common.hash.Hashing;
+import com.google.domain.registry.util.Clock;
+import com.google.domain.registry.util.FormattingLogger;
+import com.google.domain.registry.util.NonFinalForTesting;
+import com.google.domain.registry.util.SystemClock;
+
+import org.joda.time.DateTime;
+import org.joda.time.Duration;
+
+import java.util.List;
+
+/** Helper class for generating and validate XSRF tokens. */
+public final class XsrfTokenManager {
+
+  /** HTTP header used for transmitting XSRF tokens. */
+  public static final String X_CSRF_TOKEN = "X-CSRF-Token";
+
+  private static final FormattingLogger logger = FormattingLogger.getLoggerForCallerClass();
+
+  @NonFinalForTesting
+  private static Clock clock = new SystemClock();
+
+  private static String encodeToken(long creationTime, String scope, String userEmail) {
+    String token = Joiner.on('\t').join(getServerSecret(), userEmail, scope, creationTime);
+    return base64Url().encode(Hashing.sha256()
+        .newHasher(token.length())
+        .putString(token, UTF_8)
+        .hash()
+        .asBytes());
+  }
+
+  /**
+   * Generate an xsrf token for a given scope using the logged in user or else no user.
+   * <p>
+   * If there is no user, the entire xsrf check becomes basically a no-op, but that's ok because any
+   * callback that doesn't have a user shouldn't be able to access any per-user resources anyways.
+   */
+  public static String generateToken(String scope) {
+    return generateToken(scope, getLoggedInEmailOrEmpty());
+  }
+
+  /** Generate an xsrf token for a given scope and user. */
+  public static String generateToken(String scope, String email) {
+    long now = clock.nowUtc().getMillis();
+    return Joiner.on(':').join(encodeToken(now, scope, email), now);
+  }
+
+  private static String getLoggedInEmailOrEmpty() {
+    UserService userService = getUserService();
+    return userService.isUserLoggedIn() ? userService.getCurrentUser().getEmail() : "";
+  }
+
+  /** Validate an xsrf token, given the scope it was used for and an expiration duration. */
+  public static boolean validateToken(String token, String scope, Duration validLifetime) {
+    List<String> tokenParts = Splitter.on(':').splitToList(token);
+    if (tokenParts.size() != 2) {
+      logger.warningfmt("Malformed XSRF token: %s", token);
+      return false;
+    }
+    String encodedPart = tokenParts.get(0);
+    String timePart = tokenParts.get(1);
+    long creationTime;
+    try {
+      creationTime = Long.parseLong(timePart);
+    } catch (NumberFormatException e) {
+      logger.warningfmt("Bad timestamp in XSRF token: %s", token);
+      return false;
+    }
+    if (new DateTime(creationTime).plus(validLifetime).isBefore(clock.nowUtc())) {
+      logger.infofmt("Expired timestamp in XSRF token: %s", token);
+      return false;
+    }
+    String reconstructedToken = encodeToken(creationTime, scope, getLoggedInEmailOrEmpty());
+    if (!reconstructedToken.equals(encodedPart)) {
+      logger.warningfmt("Reconstructed XSRF mismatch: %s != %s", encodedPart, reconstructedToken);
+      return false;
+    }
+    return true;
+  }
+
+  private XsrfTokenManager() {}
+}

java/google/registry/security/package-info.java

@@ -0,0 +1,16 @@
+// Copyright 2016 The Domain Registry Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+@javax.annotation.ParametersAreNonnullByDefault
+package com.google.domain.registry.security;