Refactor DelegatedCredential provisioning for GSuite domains

Updated the registar contact group management, which is the only use case for this credential. Also updated GSuite domain delegated admin access config in admin dashboard for both sandbox (used by alpha and sandbox) and prod. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=212320157
2025-05-15 00:47:11 +02:00 · 2018-09-10 13:16:44 -07:00 · 2018-09-10 13:16:44 -07:00 · 5c1d9bd5c3
commit 5c1d9bd5c3
parent 1b3df82fb3
5 changed files with 30 additions and 57 deletions
--- a/java/google/registry/config/CredentialModule.java
+++ b/java/google/registry/config/CredentialModule.java
@ -79,6 +79,29 @@ public abstract class CredentialModule {
    return credential;
  }

+  /**
+   * Provides a {@link GoogleCredential} with delegated admin access for a G Suite domain.
+   *
+   * <p>The G Suite domain must grant delegated admin access to the registry service account with
+   * all scopes in {@code requiredScopes}, including ones not related to G Suite.
+   */
+  @DelegatedCredential
+  @Provides
+  @Singleton
+  public static GoogleCredential provideDelegatedCredential(
+      @Config("credentialOauthScopes") ImmutableList<String> requiredScopes,
+      @JsonCredential GoogleCredential googleCredential,
+      @Config("gSuiteAdminAccountEmailAddress") String gSuiteAdminAccountEmailAddress) {
+    return new GoogleCredential.Builder()
+        .setTransport(Utils.getDefaultTransport())
+        .setJsonFactory(Utils.getDefaultJsonFactory())
+        .setServiceAccountId(googleCredential.getServiceAccountId())
+        .setServiceAccountPrivateKey(googleCredential.getServiceAccountPrivateKey())
+        .setServiceAccountScopes(requiredScopes)
+        .setServiceAccountUser(gSuiteAdminAccountEmailAddress)
+        .build();
+  }
+
  /** Dagger qualifier for the Application Default Credential. */
  @Qualifier
  public @interface DefaultCredential {}