Use keyless delegated credential (#1847)
This commit is contained in:
parent
26190a2073
commit
7bfd9f42b7
5 changed files with 5 additions and 76 deletions
|
@ -15,7 +15,6 @@
|
||||||
package google.registry.config;
|
package google.registry.config;
|
||||||
|
|
||||||
import static com.google.common.base.Preconditions.checkArgument;
|
import static com.google.common.base.Preconditions.checkArgument;
|
||||||
import static java.nio.charset.StandardCharsets.UTF_8;
|
|
||||||
|
|
||||||
import com.google.auth.ServiceAccountSigner;
|
import com.google.auth.ServiceAccountSigner;
|
||||||
import com.google.auth.oauth2.GoogleCredentials;
|
import com.google.auth.oauth2.GoogleCredentials;
|
||||||
|
@ -23,12 +22,9 @@ import com.google.common.collect.ImmutableList;
|
||||||
import dagger.Module;
|
import dagger.Module;
|
||||||
import dagger.Provides;
|
import dagger.Provides;
|
||||||
import google.registry.config.RegistryConfig.Config;
|
import google.registry.config.RegistryConfig.Config;
|
||||||
import google.registry.keyring.api.KeyModule.Key;
|
|
||||||
import google.registry.util.Clock;
|
import google.registry.util.Clock;
|
||||||
import google.registry.util.GoogleCredentialsBundle;
|
import google.registry.util.GoogleCredentialsBundle;
|
||||||
import java.io.ByteArrayInputStream;
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.io.UncheckedIOException;
|
|
||||||
import java.lang.annotation.Documented;
|
import java.lang.annotation.Documented;
|
||||||
import java.lang.annotation.Retention;
|
import java.lang.annotation.Retention;
|
||||||
import java.lang.annotation.RetentionPolicy;
|
import java.lang.annotation.RetentionPolicy;
|
||||||
|
@ -118,50 +114,6 @@ public abstract class CredentialModule {
|
||||||
return GoogleCredentialsBundle.create(credential);
|
return GoogleCredentialsBundle.create(credential);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Provides a {@link GoogleCredentialsBundle} from the service account's JSON key file.
|
|
||||||
*
|
|
||||||
* <p>On App Engine, a thread created using Java's built-in API needs this credential when it
|
|
||||||
* calls App Engine API. The Google Sheets API also needs this credential.
|
|
||||||
*/
|
|
||||||
@JsonCredential
|
|
||||||
@Provides
|
|
||||||
@Singleton
|
|
||||||
public static GoogleCredentialsBundle provideJsonCredential(
|
|
||||||
@Config("defaultCredentialOauthScopes") ImmutableList<String> requiredScopes,
|
|
||||||
@Key("jsonCredential") String jsonCredential) {
|
|
||||||
GoogleCredentials credential;
|
|
||||||
try {
|
|
||||||
credential =
|
|
||||||
GoogleCredentials.fromStream(new ByteArrayInputStream(jsonCredential.getBytes(UTF_8)));
|
|
||||||
} catch (IOException e) {
|
|
||||||
throw new UncheckedIOException(e);
|
|
||||||
}
|
|
||||||
if (credential.createScopedRequired()) {
|
|
||||||
credential = credential.createScoped(requiredScopes);
|
|
||||||
}
|
|
||||||
return GoogleCredentialsBundle.create(credential);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Provides a {@link GoogleCredentialsBundle} with delegated admin access for a G Suite domain.
|
|
||||||
*
|
|
||||||
* <p>The G Suite domain must grant delegated admin access to the registry service account with
|
|
||||||
* all scopes in {@code requiredScopes}, including ones not related to G Suite.
|
|
||||||
*/
|
|
||||||
@DelegatedCredential
|
|
||||||
@Provides
|
|
||||||
@Singleton
|
|
||||||
public static GoogleCredentialsBundle provideDelegatedCredential(
|
|
||||||
@Config("delegatedCredentialOauthScopes") ImmutableList<String> requiredScopes,
|
|
||||||
@JsonCredential GoogleCredentialsBundle credentialsBundle,
|
|
||||||
@Config("gSuiteAdminAccountEmailAddress") String gSuiteAdminAccountEmailAddress) {
|
|
||||||
return GoogleCredentialsBundle.create(credentialsBundle
|
|
||||||
.getGoogleCredentials()
|
|
||||||
.createDelegated(gSuiteAdminAccountEmailAddress)
|
|
||||||
.createScoped(requiredScopes));
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Provides a {@link GoogleCredentialsBundle} with delegated access to Google Workspace APIs for
|
* Provides a {@link GoogleCredentialsBundle} with delegated access to Google Workspace APIs for
|
||||||
* the application default credential user.
|
* the application default credential user.
|
||||||
|
@ -223,24 +175,6 @@ public abstract class CredentialModule {
|
||||||
@Retention(RetentionPolicy.RUNTIME)
|
@Retention(RetentionPolicy.RUNTIME)
|
||||||
public @interface GoogleWorkspaceCredential {}
|
public @interface GoogleWorkspaceCredential {}
|
||||||
|
|
||||||
/**
|
|
||||||
* Dagger qualifier for a credential from a service account's JSON key, to be used in non-request
|
|
||||||
* threads.
|
|
||||||
*/
|
|
||||||
@Qualifier
|
|
||||||
@Documented
|
|
||||||
@Retention(RetentionPolicy.RUNTIME)
|
|
||||||
public @interface JsonCredential {}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Dagger qualifier for a credential with delegated admin access for a dasher domain (for G
|
|
||||||
* Suite).
|
|
||||||
*/
|
|
||||||
@Qualifier
|
|
||||||
@Documented
|
|
||||||
@Retention(RetentionPolicy.RUNTIME)
|
|
||||||
public @interface DelegatedCredential {}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Dagger qualifier for a credential with delegated admin access for a dasher domain (for Google
|
* Dagger qualifier for a credential with delegated admin access for a dasher domain (for Google
|
||||||
* Workspace) backed by the application default credential (ADC).
|
* Workspace) backed by the application default credential (ADC).
|
||||||
|
|
|
@ -17,7 +17,7 @@ package google.registry.groups;
|
||||||
import com.google.api.services.admin.directory.Directory;
|
import com.google.api.services.admin.directory.Directory;
|
||||||
import dagger.Module;
|
import dagger.Module;
|
||||||
import dagger.Provides;
|
import dagger.Provides;
|
||||||
import google.registry.config.CredentialModule.DelegatedCredential;
|
import google.registry.config.CredentialModule.AdcDelegatedCredential;
|
||||||
import google.registry.config.RegistryConfig.Config;
|
import google.registry.config.RegistryConfig.Config;
|
||||||
import google.registry.util.GoogleCredentialsBundle;
|
import google.registry.util.GoogleCredentialsBundle;
|
||||||
|
|
||||||
|
@ -27,7 +27,7 @@ public final class DirectoryModule {
|
||||||
|
|
||||||
@Provides
|
@Provides
|
||||||
static Directory provideDirectory(
|
static Directory provideDirectory(
|
||||||
@DelegatedCredential GoogleCredentialsBundle credentialsBundle,
|
@AdcDelegatedCredential GoogleCredentialsBundle credentialsBundle,
|
||||||
@Config("projectId") String projectId) {
|
@Config("projectId") String projectId) {
|
||||||
return new Directory.Builder(
|
return new Directory.Builder(
|
||||||
credentialsBundle.getHttpTransport(),
|
credentialsBundle.getHttpTransport(),
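Review bot: Switching `provideDirectory` to the `@AdcDelegatedCredential` bundle leaves this module with no statement of what the ADC identity must be allowed to do: the bundle and its scopes are built in `CredentialModule` outside this file, and the only place that spelled out the domain-wide-delegation requirement was the Javadoc of the `@DelegatedCredential` provider this commit deletes. With ADC there is no key to be missing at startup, so presumably a delegation grant that lacks the Directory scopes surfaces only as an authorization error on the first Directory call. I'd put the requirement where the client is built, e.g. `/** Directory client acting as the Workspace admin via the ADC-backed delegated credential; the ADC service account must be granted domain-wide delegation for every Directory scope the credential is created with. */`, citing the actual scope config key once confirmed against the provider. `provideDirectory`'s body continues outside the hunk.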
|
||||||
|
|
|
@ -17,7 +17,7 @@ package google.registry.groups;
|
||||||
import com.google.api.services.groupssettings.Groupssettings;
|
import com.google.api.services.groupssettings.Groupssettings;
|
||||||
import dagger.Module;
|
import dagger.Module;
|
||||||
import dagger.Provides;
|
import dagger.Provides;
|
||||||
import google.registry.config.CredentialModule.DelegatedCredential;
|
import google.registry.config.CredentialModule.AdcDelegatedCredential;
|
||||||
import google.registry.config.RegistryConfig.Config;
|
import google.registry.config.RegistryConfig.Config;
|
||||||
import google.registry.util.GoogleCredentialsBundle;
|
import google.registry.util.GoogleCredentialsBundle;
|
||||||
|
|
||||||
|
@ -27,7 +27,7 @@ public final class GroupssettingsModule {
|
||||||
|
|
||||||
@Provides
|
@Provides
|
||||||
static Groupssettings provideDirectory(
|
static Groupssettings provideDirectory(
|
||||||
@DelegatedCredential GoogleCredentialsBundle credentialsBundle,
|
@AdcDelegatedCredential GoogleCredentialsBundle credentialsBundle,
|
||||||
@Config("projectId") String projectId) {
|
@Config("projectId") String projectId) {
|
||||||
return new Groupssettings.Builder(
|
return new Groupssettings.Builder(
|
||||||
credentialsBundle.getHttpTransport(),
|
credentialsBundle.getHttpTransport(),
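Review bot: `provideDirectory` in `GroupssettingsModule` returns a `Groupssettings` client, not a `Directory`; the name looks copied from `DirectoryModule` and survives unchanged on the new side. Dagger binds a `@Provides` method by its return type, so unless a test references it by name the rename is harmless: `static Groupssettings provideGroupssettings(`. The same caveat as for the Directory client applies here: the `@AdcDelegatedCredential` bundle's scopes are defined outside this file, and the groups-settings scope has to be covered by the ADC identity's domain-wide delegation grant, which a one-line Javadoc on this method should state. The method's body continues outside the hunk.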
|
||||||
|
|
|
@ -120,10 +120,4 @@ public final class KeyModule {
|
||||||
static String provideSafeBrowsingAPIKey(Keyring keyring) {
|
static String provideSafeBrowsingAPIKey(Keyring keyring) {
|
||||||
return keyring.getSafeBrowsingAPIKey();
|
return keyring.getSafeBrowsingAPIKey();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Provides
|
|
||||||
@Key("jsonCredential")
|
|
||||||
static String provideJsonCredential(Keyring keyring) {
|
|
||||||
return keyring.getJsonCredential();
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -143,6 +143,7 @@ public class SecretManagerKeyring implements Keyring {
|
||||||
return getString(StringKeyLabel.MARKSDB_SMDRL_LOGIN_STRING);
|
return getString(StringKeyLabel.MARKSDB_SMDRL_LOGIN_STRING);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TODO(b/237305940): remove this method and all supports, including entry in secretmanager
|
||||||
@Override
|
@Override
|
||||||
public String getJsonCredential() {
|
public String getJsonCredential() {
|
||||||
return getString(StringKeyLabel.JSON_CREDENTIAL_STRING);
|
return getString(StringKeyLabel.JSON_CREDENTIAL_STRING);
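Review bot: The new TODO on `getJsonCredential` lists removing the method and the Secret Manager entry, but omits the step that actually matters for security: the JSON credential is a service-account key (per the Javadoc of the `provideJsonCredential` this commit deletes), and while it sits in Secret Manager it stays a usable long-lived credential whether or not any code still reads it, so the cleanup must also revoke the key in IAM, not just delete the secret. I'd reword the comment to `// TODO(b/237305940): delete this method, the StringKeyLabel.JSON_CREDENTIAL_STRING entry and its Secret Manager secret, and revoke the underlying service-account key; until then the key remains a live credential.` The phrase `all supports` also reads oddly and `all supporting code` is clearer. `getJsonCredential`'s closing brace lies outside the hunk.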
|
||||||
|
|