Implement login/logout commands

Refactor the auth code into its own dagger module, add tests and use the new interfaces to implement the login and logout commands. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=149108266
2025-05-16 01:17:14 +02:00 · 2017-03-03 06:49:42 -08:00 · 2017-03-03 06:49:42 -08:00 · 5614760d53
commit 5614760d53
parent 80f0910899
10 changed files with 380 additions and 183 deletions
--- a/java/google/registry/tools/AuthModule.java
+++ b/java/google/registry/tools/AuthModule.java
@ -0,0 +1,155 @@
+// Copyright 2017 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.tools;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
+
+import com.google.api.client.auth.oauth2.Credential;
+import com.google.api.client.extensions.java6.auth.oauth2.AuthorizationCodeInstalledApp;
+import com.google.api.client.extensions.jetty.auth.oauth2.LocalServerReceiver;
+import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeFlow;
+import com.google.api.client.googleapis.auth.oauth2.GoogleClientSecrets;
+import com.google.api.client.http.javanet.NetHttpTransport;
+import com.google.api.client.json.JsonFactory;
+import com.google.api.client.util.store.AbstractDataStoreFactory;
+import com.google.api.client.util.store.FileDataStoreFactory;
+import com.google.common.base.Joiner;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Ordering;
+import dagger.Module;
+import dagger.Provides;
+import google.registry.config.RegistryConfig.Config;
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.lang.annotation.Documented;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import javax.inject.Qualifier;
+import javax.inject.Singleton;
+
+/**
+ * Module providing the dependency graph for authorization credentials.
+ */
+@Module
+public class AuthModule {
+
+  private static final File DATA_STORE_DIR =
+      new File(System.getProperty("user.home"), ".config/nomulus/credentials");
+
+  @Provides
+  public Credential provideCredential(
+      GoogleAuthorizationCodeFlow flow,
+      @ClientScopeQualifier String clientScopeQualifier) {
+    try {
+      // Try to load the credentials, throw an exception if we fail.
+      Credential credential = flow.loadCredential(clientScopeQualifier);
+      if (credential == null) {
+        throw new LoginRequiredException();
+      }
+      return credential;
+    } catch (IOException ex) {
+      throw new RuntimeException(ex);
+    }
+  }
+
+  @Provides
+  GoogleAuthorizationCodeFlow provideAuthorizationCodeFlow(
+      JsonFactory jsonFactory,
+      GoogleClientSecrets clientSecrets,
+      @Config("requiredOauthScopes") ImmutableSet<String> requiredOauthScopes,
+      AbstractDataStoreFactory dataStoreFactory) {
+    try {
+      return new GoogleAuthorizationCodeFlow.Builder(
+              new NetHttpTransport(), jsonFactory, clientSecrets, requiredOauthScopes)
+          .setDataStoreFactory(dataStoreFactory)
+          .build();
+    } catch (IOException ex) {
+      throw new RuntimeException(ex);
+    }
+  }
+
+  @Provides
+  AuthorizationCodeInstalledApp provideAuthorizationCodeInstalledApp(
+      GoogleAuthorizationCodeFlow flow) {
+    return new AuthorizationCodeInstalledApp(flow, new LocalServerReceiver());
+  }
+
+  @Provides
+  GoogleClientSecrets provideClientSecrets(
+      @Config("clientSecretFilename") String clientSecretFilename, JsonFactory jsonFactory) {
+    try {
+      // Load the client secrets file.
+      InputStream secretResourceStream = getClass().getResourceAsStream(clientSecretFilename);
+      if (secretResourceStream == null) {
+        throw new RuntimeException("No client secret file found: " + clientSecretFilename);
+      }
+      return GoogleClientSecrets.load(jsonFactory,
+          new InputStreamReader(secretResourceStream, UTF_8));
+    } catch (IOException ex) {
+      throw new RuntimeException(ex);
+    }
+  }
+
+  @Provides
+  @OAuthClientId String provideClientId(GoogleClientSecrets clientSecrets) {
+    return clientSecrets.getDetails().getClientId();
+  }
+
+  @Provides
+  @ClientScopeQualifier String provideClientScopeQualifier(
+      @OAuthClientId String clientId, @Config("requiredOauthScopes") ImmutableSet<String> scopes) {
+    return clientId + " " + Joiner.on(" ").join(Ordering.natural().sortedCopy(scopes));
+  }
+
+  @Provides
+  @Singleton
+  public AbstractDataStoreFactory provideDataStoreFactory() {
+    try {
+      return new FileDataStoreFactory(DATA_STORE_DIR);
+    } catch (IOException ex) {
+      throw new RuntimeException(ex);
+    }
+  }
+
+  /** Wrapper class to hold the login() function. */
+  public static class Authorizer {
+    /** Initiate the login flow. */
+    public static void login(
+        GoogleAuthorizationCodeFlow flow,
+        @ClientScopeQualifier String clientScopeQualifier) throws Exception {
+      new AuthorizationCodeInstalledApp(flow, new LocalServerReceiver())
+          .authorize(clientScopeQualifier);
+    }
+  }
+
+  /** Raised when we need a user login. */
+  public static class LoginRequiredException extends RuntimeException {
+    public LoginRequiredException() {}
+  }
+
+  /** Dagger qualifier for the credential qualifier consisting of client and scopes. */
+  @Qualifier
+  @Documented
+  @Retention(RetentionPolicy.RUNTIME)
+  public @interface ClientScopeQualifier {}
+
+  /** Dagger qualifier for the OAuth2 client id. */
+  @Qualifier
+  @Documented
+  @Retention(RetentionPolicy.RUNTIME)
+  public @interface OAuthClientId {}
+}
--- a/java/google/registry/tools/DefaultRequestFactoryModule.java
+++ b/java/google/registry/tools/DefaultRequestFactoryModule.java
@ -14,37 +14,16 @@

 package google.registry.tools;

-import static java.nio.charset.StandardCharsets.UTF_8;
-
 import com.google.api.client.auth.oauth2.Credential;
-import com.google.api.client.extensions.java6.auth.oauth2.AuthorizationCodeInstalledApp;
-import com.google.api.client.extensions.jetty.auth.oauth2.LocalServerReceiver;
-import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeFlow;
-import com.google.api.client.googleapis.auth.oauth2.GoogleClientSecrets;
 import com.google.api.client.http.HttpRequest;
 import com.google.api.client.http.HttpRequestFactory;
 import com.google.api.client.http.HttpRequestInitializer;
 import com.google.api.client.http.javanet.NetHttpTransport;
-import com.google.api.client.json.JsonFactory;
-import com.google.api.client.json.jackson2.JacksonFactory;
-import com.google.api.client.util.store.AbstractDataStoreFactory;
-import com.google.api.client.util.store.FileDataStoreFactory;
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.base.Joiner;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Ordering;
 import dagger.Binds;
 import dagger.Module;
 import dagger.Provides;
-import google.registry.config.RegistryConfig.Config;
-import java.io.File;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.util.Collection;
 import javax.inject.Named;
 import javax.inject.Provider;
-import javax.inject.Singleton;

 /**
 * Module for providing the default HttpRequestFactory.
@ -63,31 +42,6 @@ import javax.inject.Singleton;
@Module
 class DefaultRequestFactoryModule {

-  private static final File DATA_STORE_DIR =
-      new File(System.getProperty("user.home"), ".config/nomulus/credentials");
-
-  /** Returns the credential object for the user. */
-  @Provides
-  Credential provideCredential(
-      AbstractDataStoreFactory dataStoreFactory,
-      Authorizer authorizer,
-      @Config("clientSecretFilename") String clientSecretFilename) {
-    try {
-      // Load the client secrets file.
-      JacksonFactory jsonFactory = new JacksonFactory();
-      InputStream secretResourceStream = getClass().getResourceAsStream(clientSecretFilename);
-      if (secretResourceStream == null) {
-        throw new RuntimeException("No client secret file found: " + clientSecretFilename);
-      }
-      GoogleClientSecrets clientSecrets = GoogleClientSecrets.load(jsonFactory,
-          new InputStreamReader(secretResourceStream, UTF_8));
-
-      return authorizer.authorize(clientSecrets);
-    } catch (IOException ex) {
-      throw new RuntimeException(ex);
-    }
-  }
-
  @Provides
  @Named("default")
  public HttpRequestFactory provideHttpRequestFactory(
@ -123,66 +77,4 @@ class DefaultRequestFactoryModule {
    public abstract HttpRequestFactory provideHttpRequestFactory(
        @Named("default") HttpRequestFactory requestFactory);
  }
-
-  @Module
-  static class DataStoreFactoryModule {
-    @Provides
-    @Singleton
-    public AbstractDataStoreFactory provideDataStoreFactory() {
-      try {
-        return new FileDataStoreFactory(DATA_STORE_DIR);
-      } catch (IOException ex) {
-        throw new RuntimeException(ex);
-      }
-    }
-  }
-
-  /**
-   * Module to create the Authorizer used by DefaultRequestFactoryModule.
-   */
-  @Module
-  static class AuthorizerModule {
-    @Provides
-    public Authorizer provideAuthorizer(
-        final JsonFactory jsonFactory,
-        final AbstractDataStoreFactory dataStoreFactory,
-        @Config("requiredOauthScopes") final ImmutableSet<String> requiredOauthScopes) {
-      return new Authorizer() {
-        @Override
-        public Credential authorize(GoogleClientSecrets clientSecrets) {
-          try {
-            // Run a new auth flow.
-            GoogleAuthorizationCodeFlow flow = new GoogleAuthorizationCodeFlow.Builder(
-                    new NetHttpTransport(), jsonFactory, clientSecrets, requiredOauthScopes)
-                .setDataStoreFactory(dataStoreFactory)
-                .build();
-
-
-            return new AuthorizationCodeInstalledApp(flow, new LocalServerReceiver())
-                .authorize(createClientScopeQualifier(
-                    clientSecrets.getDetails().getClientId(), requiredOauthScopes));
-          } catch (Exception ex) {
-            throw new RuntimeException(ex);
-          }
-        }
-      };
-    }
-  }
-
-  /**
-   * Create a unique identifier for a given client id and collection of scopes, to be used as an
-   * identifier for a credential.
-   */
-  @VisibleForTesting
-  static String createClientScopeQualifier(String clientId, Collection<String> scopes) {
-    return clientId + " " + Joiner.on(" ").join(Ordering.natural().sortedCopy(scopes));
-  }
-
-  /**
-   * Interface that encapsulates the authorization logic to produce a credential for the user,
-   * allowing us to override the behavior for unit tests.
-   */
-  interface Authorizer {
-    Credential authorize(GoogleClientSecrets clientSecrets);
-  }
 }
--- a/java/google/registry/tools/LoginCommand.java
+++ b/java/google/registry/tools/LoginCommand.java
@ -0,0 +1,33 @@
+// Copyright 2017 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.tools;
+
+import com.google.api.client.extensions.java6.auth.oauth2.AuthorizationCodeInstalledApp;
+import com.google.api.client.extensions.jetty.auth.oauth2.LocalServerReceiver;
+import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeFlow;
+import javax.inject.Inject;
+
+/** Authorizes the nomulus tool for OAuth 2.0 access to remote resources. */
+final class LoginCommand implements Command {
+
+  @Inject GoogleAuthorizationCodeFlow flow;
+  @Inject @AuthModule.ClientScopeQualifier String clientScopeQualifier;
+
+  @Override
+  public void run() throws Exception {
+    new AuthorizationCodeInstalledApp(flow, new LocalServerReceiver())
+        .authorize(clientScopeQualifier);
+  }
+}
--- a/java/google/registry/tools/LogoutCommand.java
+++ b/java/google/registry/tools/LogoutCommand.java
@ -0,0 +1,36 @@
+// Copyright 2017 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.tools;
+
+import com.google.api.client.auth.oauth2.StoredCredential;
+import com.google.api.client.util.store.AbstractDataStoreFactory;
+import google.registry.util.FormattingLogger;
+import java.io.IOException;
+import javax.inject.Inject;
+
+/** Logout (invalidates OAuth credentials). */
+class LogoutCommand implements Command {
+
+  private static final FormattingLogger logger = FormattingLogger.getLoggerForCallerClass();
+
+  @Inject AbstractDataStoreFactory dataStoreFactory;
+  @Inject @AuthModule.ClientScopeQualifier String clientScopeQualifier;
+
+  @Override
+  public void run() throws IOException {
+    StoredCredential.getDefaultDataStore(dataStoreFactory).clear();
+    logger.infofmt("Logged out - credentials have been removed.");
+  }
+}
--- a/java/google/registry/tools/RegistryCli.java
+++ b/java/google/registry/tools/RegistryCli.java
@ -125,11 +125,23 @@ final class RegistryCli {
    injectReflectively(RegistryToolComponent.class, component, command);

    if (!(command instanceof RemoteApiCommand)) {
+      // TODO(mmuller): this should be in the try/catch LoginRequiredException in case future
+      // commands use our credential.
      command.run();
      return;
    }

-    AppEngineConnection connection = component.appEngineConnection();
+    // Get the App Engine connection, advise the user if they are not currently logged in..
+    AppEngineConnection connection;
+    try {
+      connection = component.appEngineConnection();
+    } catch (AuthModule.LoginRequiredException ex) {
+      System.err.println("===================================================================");
+      System.err.println("You must login using 'nomulus login' prior to running this command.");
+      System.err.println("===================================================================");
+      return;
+    }
+
    if (command instanceof ServerSideCommand) {
      ((ServerSideCommand) command).setConnection(connection);
    }
--- a/java/google/registry/tools/RegistryTool.java
+++ b/java/google/registry/tools/RegistryTool.java
@ -89,6 +89,8 @@ public final class RegistryTool {
          .put("list_reserved_lists", ListReservedListsCommand.class)
          .put("list_tlds", ListTldsCommand.class)
          .put("load_snapshot", LoadSnapshotCommand.class)
+          .put("login", LoginCommand.class)
+          .put("logout", LogoutCommand.class)
          .put("make_billing_tables", MakeBillingTablesCommand.class)
          .put("pending_escrow", PendingEscrowCommand.class)
          .put("publish_detail_report", PublishDetailReportCommand.class)
--- a/java/google/registry/tools/RegistryToolComponent.java
+++ b/java/google/registry/tools/RegistryToolComponent.java
@ -40,12 +40,11 @@ import javax.inject.Singleton;
@Component(
  modules = {
    AppEngineConnectionFlags.FlagsModule.class,
+    AuthModule.class,
    ConfigModule.class,
    DatastoreServiceModule.class,
    CloudDnsWriterModule.class,
    DefaultRequestFactoryModule.class,
-    DefaultRequestFactoryModule.AuthorizerModule.class,
-    DefaultRequestFactoryModule.DataStoreFactoryModule.class,
    DefaultRequestFactoryModule.RequestFactoryModule.class,
    DnsUpdateWriterModule.class,
    DummyKeyringModule.class,
@ -72,6 +71,8 @@ interface RegistryToolComponent {
  void inject(GenerateEscrowDepositCommand command);
  void inject(GhostrydeCommand command);
  void inject(ListCursorsCommand command);
+  void inject(LoginCommand command);
+  void inject(LogoutCommand command);
  void inject(PendingEscrowCommand command);
  void inject(SendEscrowReportToIcannCommand command);
  void inject(SetupOteCommand command);