From 72da4cc4930d15bd189c25f1ca56e0652d09c2b6 Mon Sep 17 00:00:00 2001
From: Weimin Yu
Date: Thu, 10 Nov 2022 10:44:25 -0500
Subject: [PATCH] Use keyless delegated credential (#1847)

---
 .../registry/config/CredentialModule.java     | 66 -------------------
 .../registry/groups/DirectoryModule.java      |  4 +-
 .../registry/groups/GroupssettingsModule.java |  4 +-
 .../registry/keyring/api/KeyModule.java       |  6 --
 .../secretmanager/SecretManagerKeyring.java   |  1 +
 5 files changed, 5 insertions(+), 76 deletions(-)

diff --git a/core/src/main/java/google/registry/config/CredentialModule.java b/core/src/main/java/google/registry/config/CredentialModule.java
index 39a36bee7..85d3c6250 100644
--- a/core/src/main/java/google/registry/config/CredentialModule.java
+++ b/core/src/main/java/google/registry/config/CredentialModule.java
@@ -15,7 +15,6 @@
 package google.registry.config;
 import static com.google.common.base.Preconditions.checkArgument;
-import static java.nio.charset.StandardCharsets.UTF_8;
 import com.google.auth.ServiceAccountSigner;
 import com.google.auth.oauth2.GoogleCredentials;
@@ -23,12 +22,9 @@ import com.google.common.collect.ImmutableList;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.keyring.api.KeyModule.Key;
 import google.registry.util.Clock;
 import google.registry.util.GoogleCredentialsBundle;
-import java.io.ByteArrayInputStream;
 import java.io.IOException;
-import java.io.UncheckedIOException;
 import java.lang.annotation.Documented;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
@@ -118,50 +114,6 @@ public abstract class CredentialModule {
     return GoogleCredentialsBundle.create(credential);
   }
-  /**
-   * Provides a {@link GoogleCredentialsBundle} from the service account's JSON key file.
-   *
-   *

On App Engine, a thread created using Java's built-in API needs this credential when it
-   * calls App Engine API. The Google Sheets API also needs this credential.
-   */
-  @JsonCredential
-  @Provides
-  @Singleton
-  public static GoogleCredentialsBundle provideJsonCredential(
-      @Config("defaultCredentialOauthScopes") ImmutableList requiredScopes,
-      @Key("jsonCredential") String jsonCredential) {
-    GoogleCredentials credential;
-    try {
-      credential =
-          GoogleCredentials.fromStream(new ByteArrayInputStream(jsonCredential.getBytes(UTF_8)));
-    } catch (IOException e) {
-      throw new UncheckedIOException(e);
-    }
-    if (credential.createScopedRequired()) {
-      credential = credential.createScoped(requiredScopes);
-    }
-    return GoogleCredentialsBundle.create(credential);
-  }
-
-  /**
-   * Provides a {@link GoogleCredentialsBundle} with delegated admin access for a G Suite domain.
-   *
-   *

The G Suite domain must grant delegated admin access to the registry service account with
-   * all scopes in {@code requiredScopes}, including ones not related to G Suite.
-   */
-  @DelegatedCredential
-  @Provides
-  @Singleton
-  public static GoogleCredentialsBundle provideDelegatedCredential(
-      @Config("delegatedCredentialOauthScopes") ImmutableList requiredScopes,
-      @JsonCredential GoogleCredentialsBundle credentialsBundle,
-      @Config("gSuiteAdminAccountEmailAddress") String gSuiteAdminAccountEmailAddress) {
-    return GoogleCredentialsBundle.create(credentialsBundle
-        .getGoogleCredentials()
-        .createDelegated(gSuiteAdminAccountEmailAddress)
-        .createScoped(requiredScopes));
-  }
-
   /**
    * Provides a {@link GoogleCredentialsBundle} with delegated access to Google Workspace APIs for
    * the application default credential user.
@@ -223,24 +175,6 @@ public abstract class CredentialModule {
   @Retention(RetentionPolicy.RUNTIME)
   public @interface GoogleWorkspaceCredential {}
-  /**
-   * Dagger qualifier for a credential from a service account's JSON key, to be used in non-request
-   * threads.
-   */
-  @Qualifier
-  @Documented
-  @Retention(RetentionPolicy.RUNTIME)
-  public @interface JsonCredential {}
-
-  /**
-   * Dagger qualifier for a credential with delegated admin access for a dasher domain (for G
-   * Suite).
-   */
-  @Qualifier
-  @Documented
-  @Retention(RetentionPolicy.RUNTIME)
-  public @interface DelegatedCredential {}
-
   /**
    * Dagger qualifier for a credential with delegated admin access for a dasher domain (for Google
    * Workspace) backed by the application default credential (ADC).
diff --git a/core/src/main/java/google/registry/groups/DirectoryModule.java b/core/src/main/java/google/registry/groups/DirectoryModule.java
index f31311ddf..dd08723f7 100644
--- a/core/src/main/java/google/registry/groups/DirectoryModule.java
+++ b/core/src/main/java/google/registry/groups/DirectoryModule.java
@@ -17,7 +17,7 @@ package google.registry.groups;
 import com.google.api.services.admin.directory.Directory;
 import dagger.Module;
 import dagger.Provides;
-import google.registry.config.CredentialModule.DelegatedCredential;
+import google.registry.config.CredentialModule.AdcDelegatedCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.util.GoogleCredentialsBundle;
@@ -27,7 +27,7 @@ public final class DirectoryModule {
   @Provides
   static Directory provideDirectory(
-      @DelegatedCredential GoogleCredentialsBundle credentialsBundle,
+      @AdcDelegatedCredential GoogleCredentialsBundle credentialsBundle,
       @Config("projectId") String projectId) {
     return new Directory.Builder(
         credentialsBundle.getHttpTransport(),
diff --git a/core/src/main/java/google/registry/groups/GroupssettingsModule.java b/core/src/main/java/google/registry/groups/GroupssettingsModule.java
index e5a437073..e5b34a840 100644
--- a/core/src/main/java/google/registry/groups/GroupssettingsModule.java
+++ b/core/src/main/java/google/registry/groups/GroupssettingsModule.java
@@ -17,7 +17,7 @@ package google.registry.groups;
 import com.google.api.services.groupssettings.Groupssettings;
 import dagger.Module;
 import dagger.Provides;
-import google.registry.config.CredentialModule.DelegatedCredential;
+import google.registry.config.CredentialModule.AdcDelegatedCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.util.GoogleCredentialsBundle;
@@ -27,7 +27,7 @@ public final class GroupssettingsModule {
   @Provides
   static Groupssettings provideDirectory(
-      @DelegatedCredential GoogleCredentialsBundle credentialsBundle,
+      @AdcDelegatedCredential GoogleCredentialsBundle credentialsBundle,
       @Config("projectId") String projectId) {
     return new Groupssettings.Builder(
         credentialsBundle.getHttpTransport(),
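Review bot: Swapping `@DelegatedCredential` for `@AdcDelegatedCredential` on the `credentialsBundle` parameter of `provideDirectory` changes which identity and scope set back the Directory client, and nothing in this hunk shows that the replacement covers what was removed: the deleted `provideDelegatedCredential` explicitly scoped the delegated credential with `delegatedCredentialOauthScopes`, while the `AdcDelegatedCredential` provider is outside this diff. Domain-wide delegation in Workspace is granted per service-account client ID and scope list, so if the ADC identity differs from the JSON-key service account, the admin-side grant presumably has to be re-issued for it, and the failure would surface at the first Directory call rather than at injection time. Suggest a comment at the injection point, `// Requires domain-wide delegation granted to the ADC service account for the Directory scopes.`, plus a deployment note in the PR description confirming the grant was verified. The same point applies to the GroupssettingsModule hunk that follows; the body of provideDirectory continues outside the hunk.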
diff --git a/core/src/main/java/google/registry/keyring/api/KeyModule.java b/core/src/main/java/google/registry/keyring/api/KeyModule.java
index dbadf2d16..ef39243cc 100644
--- a/core/src/main/java/google/registry/keyring/api/KeyModule.java
+++ b/core/src/main/java/google/registry/keyring/api/KeyModule.java
@@ -120,10 +120,4 @@ public final class KeyModule {
   static String provideSafeBrowsingAPIKey(Keyring keyring) {
     return keyring.getSafeBrowsingAPIKey();
   }
-
-  @Provides
-  @Key("jsonCredential")
-  static String provideJsonCredential(Keyring keyring) {
-    return keyring.getJsonCredential();
-  }
 }
diff --git a/core/src/main/java/google/registry/keyring/secretmanager/SecretManagerKeyring.java b/core/src/main/java/google/registry/keyring/secretmanager/SecretManagerKeyring.java
index 56b2c217f..6e1aa973b 100644
--- a/core/src/main/java/google/registry/keyring/secretmanager/SecretManagerKeyring.java
+++ b/core/src/main/java/google/registry/keyring/secretmanager/SecretManagerKeyring.java
@@ -143,6 +143,7 @@ public class SecretManagerKeyring implements Keyring {
     return getString(StringKeyLabel.MARKSDB_SMDRL_LOGIN_STRING);
   }
+  // TODO(b/237305940): remove this method and all supports, including entry in secretmanager
   @Override
   public String getJsonCredential() {
     return getString(StringKeyLabel.JSON_CREDENTIAL_STRING);
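Review bot: The TODO added above `getJsonCredential()` only asks for the method and the Secret Manager entry to be removed, but the value it still serves is a service-account JSON key (per the `provideJsonCredential` Javadoc deleted in CredentialModule), and deleting the stored copy does not invalidate the key itself. Now that no production code path in this diff consumes it, the key is a long-lived credential with no remaining legitimate reader, so the cleanup should include disabling or deleting the key on the service account in IAM, not just dropping `JSON_CREDENTIAL_STRING` from Secret Manager. Suggest widening the comment to `// TODO(b/237305940): remove this method and all supports, including the Secret Manager entry, and disable the underlying service-account key in IAM once nothing reads it.` Since the `Keyring` interface is outside this diff and presumably still declares the method (the `@Override` remains), the same tracking note belongs there too.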