Add support G-Suite group whose members have ADMIN access to registrar console

After this CL, "support" accounts (accounts that are part of the "support" G-Suite group) will the same access to the registrar console as GCP "admins". However, they don't won't have access to the GCP project itself. We could give them their own Role in the future (say SUPPORT) and give them different access than "admins", but right now we don't need it and YAGNI or something :) NOTE: we identify users by their email (they need to be logged in to a google account). I don't know if that's best practice, since I guess different google accounts might have the same email address. However, G-Suite groups' membership is by email so there's not much we can do about it if we want to use G-Suite groups. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=220804273
2025-05-14 16:37:13 +02:00 · 2018-11-09 08:11:26 -08:00 · 2018-11-09 08:11:26 -08:00 · 557984bb75
commit 557984bb75
parent 783c010ab4
15 changed files with 285 additions and 25 deletions
--- a/java/google/registry/ui/server/registrar/AuthenticatedRegistrarAccessor.java
+++ b/java/google/registry/ui/server/registrar/AuthenticatedRegistrarAccessor.java
@ -17,11 +17,14 @@ package google.registry.ui.server.registrar;
 import static google.registry.model.ofy.ObjectifyService.ofy;

 import com.google.appengine.api.users.User;
+import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.ImmutableSetMultimap;
 import com.google.common.flogger.FluentLogger;
+import dagger.Lazy;
 import google.registry.config.RegistryConfig.Config;
+import google.registry.groups.GroupsConnection;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarContact;
 import google.registry.request.HttpException.ForbiddenException;
@ -61,12 +64,44 @@ public class AuthenticatedRegistrarAccessor {
   */
  private final ImmutableSetMultimap<String, Role> roleMap;

+  /**
+   * Overriding the injected {@link GroupsConnection} for tests.
+   *
+   * <p>{@link GroupsConnection} needs the injected DelegatedCredential GoogleCredential. However,
+   * this can't be initialized in the test environment.
+   *
+   * <p>The test server used in the javatests/google/registry/webdriver/ tests will hang if we try
+   * to instantiate the {@link GroupsConnection}. So instead we inject a {@link Lazy} version and
+   * allow tests to override the injected instace with (presumabley) a mock insteance.
+   */
+  @VisibleForTesting public static GroupsConnection overrideGroupsConnection = null;
+
  @Inject
  public AuthenticatedRegistrarAccessor(
-      AuthResult authResult, @Config("registryAdminClientId") String registryAdminClientId) {
+      AuthResult authResult,
+      @Config("registryAdminClientId") String registryAdminClientId,
+      @Config("gSuiteSupportGroupEmailAddress") String gSuiteSupportGroupEmailAddress,
+      Lazy<GroupsConnection> groupsConnection) {
+    this(
+        authResult,
+        registryAdminClientId,
+        gSuiteSupportGroupEmailAddress,
+        overrideGroupsConnection != null ? overrideGroupsConnection : groupsConnection.get());
+  }
+
+  AuthenticatedRegistrarAccessor(
+      AuthResult authResult,
+      @Config("registryAdminClientId") String registryAdminClientId,
+      @Config("gSuiteSupportGroupEmailAddress") String gSuiteSupportGroupEmailAddress,
+      GroupsConnection groupsConnection) {
    this.authResult = authResult;
    this.registryAdminClientId = registryAdminClientId;
-    this.roleMap = createRoleMap(authResult, registryAdminClientId);
+    this.roleMap =
+        createRoleMap(
+            authResult,
+            registryAdminClientId,
+            groupsConnection,
+            gSuiteSupportGroupEmailAddress);

    logger.atInfo().log(
        "%s has the following roles: %s", authResult.userIdForLogging(), roleMap);
@ -156,8 +191,27 @@ public class AuthenticatedRegistrarAccessor {
    return registrar;
  }

+  private static boolean checkIsSupport(
+      GroupsConnection groupsConnection, String userEmail, String supportEmail) {
+    if (Strings.isNullOrEmpty(supportEmail)) {
+      return false;
+    }
+    try {
+      return groupsConnection.isMemberOfGroup(userEmail, supportEmail);
+    } catch (RuntimeException e) {
+      logger.atSevere().withCause(e).log(
+          "Error checking whether email %s belongs to support group %s."
+              + " Skipping support role check",
+          userEmail, supportEmail);
+      return false;
+    }
+  }
+
  private static ImmutableSetMultimap<String, Role> createRoleMap(
-      AuthResult authResult, String registryAdminClientId) {
+      AuthResult authResult,
+      String registryAdminClientId,
+      GroupsConnection groupsConnection,
+      String gSuiteSupportGroupEmailAddress) {

    if (!authResult.userAuthInfo().isPresent()) {
      return ImmutableSetMultimap.of();
@ -165,8 +219,10 @@ public class AuthenticatedRegistrarAccessor {

    UserAuthInfo userAuthInfo = authResult.userAuthInfo().get();

-    boolean isAdmin = userAuthInfo.isUserAdmin();
    User user = userAuthInfo.user();
+    boolean isAdmin = userAuthInfo.isUserAdmin();
+    boolean isSupport =
+        checkIsSupport(groupsConnection, user.getEmail(), gSuiteSupportGroupEmailAddress);

    ImmutableSetMultimap.Builder<String, Role> builder = new ImmutableSetMultimap.Builder<>();

@ -174,17 +230,13 @@ public class AuthenticatedRegistrarAccessor {
        .load()
        .type(RegistrarContact.class)
        .filter("gaeUserId", user.getUserId())
-        .forEach(
-            contact ->
-                builder
-                    .put(contact.getParent().getName(), Role.OWNER));
+        .forEach(contact -> builder.put(contact.getParent().getName(), Role.OWNER));
    if (isAdmin && !Strings.isNullOrEmpty(registryAdminClientId)) {
-      builder
-          .put(registryAdminClientId, Role.OWNER);
+      builder.put(registryAdminClientId, Role.OWNER);
    }

-    if (isAdmin) {
-      // Admins have access to all registrars
+    if (isAdmin || isSupport) {
+      // Admins and support have access to all registrars
      ofy()
          .load()
          .type(Registrar.class)
--- a/java/google/registry/ui/server/registrar/BUILD
+++ b/java/google/registry/ui/server/registrar/BUILD
@ -15,6 +15,7 @@ java_library(
        "//java/google/registry/config",
        "//java/google/registry/export/sheet",
        "//java/google/registry/flows",
+        "//java/google/registry/groups",
        "//java/google/registry/model",
        "//java/google/registry/request",
        "//java/google/registry/request/auth",
@ -24,6 +25,7 @@ java_library(
        "//java/google/registry/ui/soy:soy_java_wrappers",
        "//java/google/registry/ui/soy/registrar:soy_java_wrappers",
        "//java/google/registry/util",
+        "//third_party/java/inject_common",
        "//third_party/objectify:objectify-v4_1",
        "@com_google_appengine_api_1_0_sdk",
        "@com_google_auto_value",