From 54b6770ade9bc710b721e381e05b5acfd4cb7a67 Mon Sep 17 00:00:00 2001
From: jianglai
Date: Thu, 29 Nov 2018 13:09:50 -0800
Subject: [PATCH] Make DownloadServiceAccountCredentialAction only accept internal auth

This temporarily disables the ability to download service account credentials. We'd like this to go in to next week's release so that we do not expose this functionality to users who otherwise do not have the ability to download the service account credential, while we research on a more secure solution.
-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=223397754
---
 .../tools/server/DownloadServiceAccountCredentialAction.java | 2 +-
 .../google/registry/module/tools/testdata/tools_routing.txt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/java/google/registry/tools/server/DownloadServiceAccountCredentialAction.java b/java/google/registry/tools/server/DownloadServiceAccountCredentialAction.java
index 9ac7e11a6..eb208a7d7 100644
--- a/java/google/registry/tools/server/DownloadServiceAccountCredentialAction.java
+++ b/java/google/registry/tools/server/DownloadServiceAccountCredentialAction.java
@@ -38,7 +38,7 @@ import javax.inject.Named;
 @Action(
 path = DownloadServiceAccountCredentialAction.PATH,
 method = {GET},
- auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+ auth = Auth.AUTH_INTERNAL_ONLY)
 public class DownloadServiceAccountCredentialAction implements Runnable {
 private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/javatests/google/registry/module/tools/testdata/tools_routing.txt b/javatests/google/registry/module/tools/testdata/tools_routing.txt
index e36d76689..5673094cb 100644
--- a/javatests/google/registry/module/tools/testdata/tools_routing.txt
+++ b/javatests/google/registry/module/tools/testdata/tools_routing.txt
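Review bot: The new `auth = Auth.AUTH_INTERNAL_ONLY` line in DownloadServiceAccountCredentialAction.java has no in-code explanation, although the commit message calls the restriction temporary and the neighbouring rows shown in tools_routing.txt all remain `INTERNAL,API APP ADMIN`; a later cleanup that aligns this action with its siblings could re-expose credential download without anyone noticing the intent. I would add a comment directly above the `auth =` line, e.g. `// Internal-only on purpose: this action serves the service account credential. Do not widen to API/admin auth without a security review (b/<BUG_ID>).`, where the bug id is a placeholder for the tracking issue of the follow-up work. The updated routing row pins the setting in a test, which guards against accidental change but does not tell a maintainer why it differs. The class body and any Javadoc above `@Action(` lie outside the hunk, so this may already be documented there.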
@@ -2,7 +2,7 @@ PATH CLASS METHODS
 /_dr/admin/createGroups CreateGroupsAction POST n INTERNAL,API APP ADMIN
 /_dr/admin/createPremiumList CreatePremiumListAction POST n INTERNAL,API APP ADMIN
 /_dr/admin/deleteEntity DeleteEntityAction GET n INTERNAL,API APP ADMIN
-/_dr/admin/downloadCredential DownloadServiceAccountCredentialAction GET n INTERNAL,API APP ADMIN
+/_dr/admin/downloadCredential DownloadServiceAccountCredentialAction GET n INTERNAL APP IGNORED
 /_dr/admin/list/domains ListDomainsAction GET,POST n INTERNAL,API APP ADMIN
 /_dr/admin/list/hosts ListHostsAction GET,POST n INTERNAL,API APP ADMIN
 /_dr/admin/list/premiumLists ListPremiumListsAction GET,POST n INTERNAL,API APP ADMIN