Use self-managed credential in remote api installer

RemoteApiOption has a package-private method that takes a Stream representing the content of a JSON and use a GoogleCredential created from it as its credential. This CL uses reflection to change the access modifier of that method in order to supply a credential stream that is self-managed. This is obviously not ideal and prone to breakage in case the getGoogleCredentialStream method is changed. Unfortunately upstream is not willing to make it public citing the reason that GoogleCredential.fromStream() (which getGoogleCredentialStream uses) is a @Beta annotated function (see https://groups.google.com[]forum/#!searchin/domain-registry-eng/remoteapioptions%7Csort:date/domain-registry-eng/Flsah6skszQ/CySZv2XEBwAJ). However this function is introduced 5 years ago as a public function (b857184bfa). I think at this point it is safe to assume that it is part of the widely used APIs and will not change without sufficient notice. Note here that RemoteApiOptions creates its own copy of GoogleCredential to be used to call App Engine APIs locally, whereas communications to Nomulus endpoints use the Credential provided in AuthModule. Even though both credentials are created from the same client id, client secret and refresh token (the three elements needed to construct a GoogleCredential this way, see https://github.com/googleapis/google-api-java-client/blob/master/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java#L842), their refreshes cycles are independent of each other. I verified that refreshing one of the credential does not invalidate the access token of the other credential, as long as it is not expired yet. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=224156131
2025-05-17 01:47:14 +02:00 · 2018-12-05 08:10:29 -08:00 · 2018-12-05 08:10:29 -08:00 · 6352b8a01a
commit 6352b8a01a
parent aeedc427ad
13 changed files with 229 additions and 74 deletions
--- a/java/google/registry/config/RegistryConfig.java
+++ b/java/google/registry/config/RegistryConfig.java
@ -1229,6 +1229,14 @@ public final class RegistryConfig {
      return ImmutableList.copyOf(config.credentialOAuth.delegatedCredentialOauthScopes);
    }

+    /** Provides the OAuth scopes required for credentials created locally for the nomulus tool. */
+    @Provides
+    @Config("localCredentialOauthScopes")
+    public static ImmutableList<String> provideLocalCredentialOauthScopes(
+        RegistryConfigSettings config) {
+      return ImmutableList.copyOf(config.credentialOAuth.localCredentialOauthScopes);
+    }
+
    /** Provides the OAuth scopes required for access to App Engine Admin API. */
    @Provides
    @Config("appEngineAdminApiCredentialOauthScopes")
--- a/java/google/registry/config/RegistryConfigSettings.java
+++ b/java/google/registry/config/RegistryConfigSettings.java
@ -58,6 +58,7 @@ public class RegistryConfigSettings {
  public static class CredentialOAuth {
    public List<String> defaultCredentialOauthScopes;
    public List<String> delegatedCredentialOauthScopes;
+    public List<String> localCredentialOauthScopes;
    public List<String> appEngineAdminApiCredentialOauthScopes;
  }

--- a/java/google/registry/config/files/default-config.yaml
+++ b/java/google/registry/config/files/default-config.yaml
@ -283,6 +283,12 @@ credentialOAuth:
    - https://www.googleapis.com/auth/admin.directory.group
    # View and manage group settings in Group Settings API.
    - https://www.googleapis.com/auth/apps.groups.settings
+  # OAuth scopes required to create a credential locally in for the nomulus tool.
+  localCredentialOauthScopes:
+    # Call App Engine APIs.
+    - https://www.googleapis.com/auth/appengine.apis
+    # View your email address.
+    - https://www.googleapis.com/auth/userinfo.email
  # OAuth scopes required for accessing App Engine Admin API using the
  # AppIdentityCredential.
  appEngineAdminApiCredentialOauthScopes:
--- a/java/google/registry/repositories.bzl
+++ b/java/google/registry/repositories.bzl
@ -59,6 +59,7 @@ def domain_registry_repositories(
        omit_com_google_auto_factory = False,
        omit_com_google_auto_service = False,
        omit_com_google_auto_value = False,
+        omit_com_google_code_gson = False,
        omit_com_google_cloud_bigdataoss_gcsio = False,
        omit_com_google_cloud_bigdataoss_util = False,
        omit_com_google_code_findbugs_jsr305 = False,
@ -242,6 +243,8 @@ def domain_registry_repositories(
        com_google_auto_service()
    if not omit_com_google_auto_value:
        com_google_auto_value()
+    if not omit_com_google_code_gson:
+        com_google_code_gson()
    if not omit_com_google_cloud_bigdataoss_gcsio:
        com_google_cloud_bigdataoss_gcsio()
    if not omit_com_google_cloud_bigdataoss_util:
@ -1115,6 +1118,17 @@ def com_google_auto_value():
        ]),
    )

+def com_google_code_gson():
+    java_import_external(
+        name = "com_google_code_gson",
+        licenses = ["notice"],  # Apache 2.0
+        jar_sha256 = "233a0149fc365c9f6edbd683cfe266b19bdc773be98eabdaf6b3c924b48e7d81",
+        jar_urls = [
+            "http://repo1.maven.org/maven2/com/google/code/gson/gson/2.8.5/gson-2.8.5.jar",
+            "http://maven.ibiblio.org/maven2/com/google/code/gson/gson/2.8.5/gson-2.8.5.jar",
+        ],
+    )
+
 def com_google_cloud_bigdataoss_gcsio():
    java_import_external(
        name = "com_google_cloud_bigdataoss_gcsio",
--- a/java/google/registry/tools/AuthModule.java
+++ b/java/google/registry/tools/AuthModule.java
@ -26,11 +26,15 @@ import com.google.api.client.json.JsonFactory;
 import com.google.api.client.util.store.AbstractDataStoreFactory;
 import com.google.api.client.util.store.FileDataStoreFactory;
 import com.google.common.base.Joiner;
-import com.google.common.collect.ImmutableSet;
+import com.google.common.base.Supplier;
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Ordering;
+import com.google.gson.Gson;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.RegistryConfig.Config;
+import java.io.ByteArrayInputStream;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
@ -51,9 +55,8 @@ public class AuthModule {
      new File(System.getProperty("user.home"), ".config/nomulus/credentials");

  @Provides
-  public Credential provideCredential(
-      GoogleAuthorizationCodeFlow flow,
-      @ClientScopeQualifier String clientScopeQualifier) {
+  public static Credential provideCredential(
+      GoogleAuthorizationCodeFlow flow, @ClientScopeQualifier String clientScopeQualifier) {
    try {
      // Try to load the credentials, throw an exception if we fail.
      Credential credential = flow.loadCredential(clientScopeQualifier);
@ -67,10 +70,10 @@ public class AuthModule {
  }

  @Provides
-  GoogleAuthorizationCodeFlow provideAuthorizationCodeFlow(
+  public static GoogleAuthorizationCodeFlow provideAuthorizationCodeFlow(
      JsonFactory jsonFactory,
      GoogleClientSecrets clientSecrets,
-      @Config("requiredOauthScopes") ImmutableSet<String> requiredOauthScopes,
+      @Config("localCredentialOauthScopes") ImmutableList<String> requiredOauthScopes,
      AbstractDataStoreFactory dataStoreFactory) {
    try {
      return new GoogleAuthorizationCodeFlow.Builder(
@ -83,17 +86,17 @@ public class AuthModule {
  }

  @Provides
-  AuthorizationCodeInstalledApp provideAuthorizationCodeInstalledApp(
+  public static AuthorizationCodeInstalledApp provideAuthorizationCodeInstalledApp(
      GoogleAuthorizationCodeFlow flow) {
    return new AuthorizationCodeInstalledApp(flow, new LocalServerReceiver());
  }

  @Provides
-  GoogleClientSecrets provideClientSecrets(
+  public static GoogleClientSecrets provideClientSecrets(
      @Config("clientSecretFilename") String clientSecretFilename, JsonFactory jsonFactory) {
    try {
      // Load the client secrets file.
-      InputStream secretResourceStream = getClass().getResourceAsStream(clientSecretFilename);
+      InputStream secretResourceStream = AuthModule.class.getResourceAsStream(clientSecretFilename);
      if (secretResourceStream == null) {
        throw new RuntimeException("No client secret file found: " + clientSecretFilename);
      }
@ -105,19 +108,39 @@ public class AuthModule {
  }

  @Provides
-  @OAuthClientId String provideClientId(GoogleClientSecrets clientSecrets) {
+  @LocalCredentialStream
+  public static Supplier<InputStream> provideLocalCredentialStream(
+      GoogleClientSecrets clientSecrets, Credential credential) {
+    String json =
+        new Gson()
+            .toJson(
+                ImmutableMap.<String, String>builder()
+                    .put("type", "authorized_user")
+                    .put("client_id", clientSecrets.getDetails().getClientId())
+                    .put("client_secret", clientSecrets.getDetails().getClientSecret())
+                    .put("refresh_token", credential.getRefreshToken())
+                    .build());
+    // A supplier is provided so that each binding gets a fresh stream, to avoid contention.
+    return () -> new ByteArrayInputStream(json.getBytes(UTF_8));
+  }
+
+  @Provides
+  @OAuthClientId
+  static String provideClientId(GoogleClientSecrets clientSecrets) {
    return clientSecrets.getDetails().getClientId();
  }

  @Provides
-  @ClientScopeQualifier String provideClientScopeQualifier(
-      @OAuthClientId String clientId, @Config("requiredOauthScopes") ImmutableSet<String> scopes) {
+  @ClientScopeQualifier
+  static String provideClientScopeQualifier(
+      @OAuthClientId String clientId,
+      @Config("localCredentialOauthScopes") ImmutableList<String> scopes) {
    return clientId + " " + Joiner.on(" ").join(Ordering.natural().sortedCopy(scopes));
  }

  @Provides
  @Singleton
-  public AbstractDataStoreFactory provideDataStoreFactory() {
+  public static AbstractDataStoreFactory provideDataStoreFactory() {
    try {
      return new FileDataStoreFactory(DATA_STORE_DIR);
    } catch (IOException ex) {
@ -125,31 +148,26 @@ public class AuthModule {
    }
  }

-  /** Wrapper class to hold the login() function. */
-  public static class Authorizer {
-    /** Initiate the login flow. */
-    public static void login(
-        GoogleAuthorizationCodeFlow flow,
-        @ClientScopeQualifier String clientScopeQualifier) throws IOException {
-      new AuthorizationCodeInstalledApp(flow, new LocalServerReceiver())
-          .authorize(clientScopeQualifier);
-    }
+  /** Raised when we need a user login. */
+  static class LoginRequiredException extends RuntimeException {
+    LoginRequiredException() {}
  }

-  /** Raised when we need a user login. */
-  public static class LoginRequiredException extends RuntimeException {
-    public LoginRequiredException() {}
-  }
+  /** Dagger qualifier for the JSON stream used to create the local credential. */
+  @Qualifier
+  @Documented
+  @Retention(RetentionPolicy.RUNTIME)
+  @interface LocalCredentialStream {}

  /** Dagger qualifier for the credential qualifier consisting of client and scopes. */
  @Qualifier
  @Documented
  @Retention(RetentionPolicy.RUNTIME)
-  public @interface ClientScopeQualifier {}
+  @interface ClientScopeQualifier {}

  /** Dagger qualifier for the OAuth2 client id. */
  @Qualifier
  @Documented
  @Retention(RetentionPolicy.RUNTIME)
-  public @interface OAuthClientId {}
+  @interface OAuthClientId {}
 }
--- a/java/google/registry/tools/BUILD
+++ b/java/google/registry/tools/BUILD
@ -83,6 +83,7 @@ java_library(
        "@com_google_appengine_remote_api//:link",
        "@com_google_auto_value",
        "@com_google_code_findbugs_jsr305",
+        "@com_google_code_gson",
        "@com_google_dagger",
        "@com_google_flogger",
        "@com_google_flogger_system_backend",
--- a/java/google/registry/tools/RegistryCli.java
+++ b/java/google/registry/tools/RegistryCli.java
@ -197,7 +197,8 @@ final class RegistryCli implements AutoCloseable, CommandRunner {
          // Use dev credentials for localhost.
          options.useDevelopmentServerCredential();
        } else {
-          options.useApplicationDefaultCredential();
+          RemoteApiOptionsUtil.useGoogleCredentialStream(options, component
+          .googleCredentialStream().get());
        }
        installer.install(options);
      }
--- a/java/google/registry/tools/RegistryToolComponent.java
+++ b/java/google/registry/tools/RegistryToolComponent.java
@ -14,6 +14,7 @@

 package google.registry.tools;

+import com.google.common.base.Supplier;
 import dagger.Component;
 import google.registry.bigquery.BigqueryModule;
 import google.registry.config.CredentialModule;
@ -31,10 +32,12 @@ import google.registry.request.Modules.Jackson2Module;
 import google.registry.request.Modules.URLFetchServiceModule;
 import google.registry.request.Modules.UrlFetchTransportModule;
 import google.registry.request.Modules.UserServiceModule;
+import google.registry.tools.AuthModule.LocalCredentialStream;
 import google.registry.util.AppEngineServiceUtilsImpl.AppEngineServiceUtilsModule;
 import google.registry.util.SystemClock.SystemClockModule;
 import google.registry.util.SystemSleeper.SystemSleeperModule;
 import google.registry.whois.WhoisModule;
+import java.io.InputStream;
 import javax.inject.Singleton;

 /**
@ -110,4 +113,7 @@ interface RegistryToolComponent {
  void inject(WhoisQueryCommand command);

  AppEngineConnection appEngineConnection();
+
+  @LocalCredentialStream
+  Supplier<InputStream> googleCredentialStream();
 }
--- a/java/google/registry/tools/RemoteApiOptionsUtil.java
+++ b/java/google/registry/tools/RemoteApiOptionsUtil.java
@ -0,0 +1,43 @@
+// Copyright 2018 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.tools;
+
+import static com.google.common.base.Preconditions.checkState;
+
+import com.google.appengine.tools.remoteapi.RemoteApiOptions;
+import java.io.InputStream;
+import java.lang.reflect.Method;
+
+/**
+ * Provides a method to access {@link RemoteApiOptions#useGoogleCredentialStream(InputStream)},
+ * which is a package private method.
+ *
+ * <p>This is obviously a hack, but until that method is exposed, we have to do this to set up the
+ * {@link RemoteApiOptions} with a JSON representing a user credential.
+ */
+public class RemoteApiOptionsUtil {
+  static RemoteApiOptions useGoogleCredentialStream(RemoteApiOptions options, InputStream stream)
+      throws Exception {
+    Method method =
+        options.getClass().getDeclaredMethod("useGoogleCredentialStream", InputStream.class);
+    checkState(
+        !method.isAccessible(),
+        "RemoteApiOptoins#useGoogleCredentialStream(InputStream) is accessible."
+            + " Stop using RemoteApiOptionsUtil.");
+    method.setAccessible(true);
+    method.invoke(options, stream);
+    return options;
+  }
+}
--- a/java/google/registry/tools/resources/client_secret_UNITTEST.json
+++ b/java/google/registry/tools/resources/client_secret_UNITTEST.json
@ -5,7 +5,7 @@
    "auth_uri":"https://accounts.google.com/o/oauth2/auth",
    "token_uri":"https://accounts.google.com/o/oauth2/token",
    "auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs",
-    "client_secret":"TBj4EcP5c0609ojiy2DIG6wE",
+    "client_secret":"UNITTEST-CLIENT-SECRET",
    "redirect_uris":["urn:ietf:wg:oauth:2.0:oob","http://localhost"]
  }
 }