Use keyless delegated credential (#1847)

2025-04-30 03:57:51 +02:00 · 2022-11-10 10:44:25 -05:00 · 2022-11-10 10:44:25 -05:00 · 7bfd9f42b7
commit 7bfd9f42b7
parent 26190a2073
5 changed files with 5 additions and 76 deletions
--- a/core/src/main/java/google/registry/config/CredentialModule.java
+++ b/core/src/main/java/google/registry/config/CredentialModule.java
@ -15,7 +15,6 @@
 package google.registry.config;

 import static com.google.common.base.Preconditions.checkArgument;
-import static java.nio.charset.StandardCharsets.UTF_8;

 import com.google.auth.ServiceAccountSigner;
 import com.google.auth.oauth2.GoogleCredentials;
@ -23,12 +22,9 @@ import com.google.common.collect.ImmutableList;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.keyring.api.KeyModule.Key;
 import google.registry.util.Clock;
 import google.registry.util.GoogleCredentialsBundle;
-import java.io.ByteArrayInputStream;
 import java.io.IOException;
-import java.io.UncheckedIOException;
 import java.lang.annotation.Documented;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
@ -118,50 +114,6 @@ public abstract class CredentialModule {
    return GoogleCredentialsBundle.create(credential);
  }

-  /**
-   * Provides a {@link GoogleCredentialsBundle} from the service account's JSON key file.
-   *
-   * <p>On App Engine, a thread created using Java's built-in API needs this credential when it
-   * calls App Engine API. The Google Sheets API also needs this credential.
-   */
-  @JsonCredential
-  @Provides
-  @Singleton
-  public static GoogleCredentialsBundle provideJsonCredential(
-      @Config("defaultCredentialOauthScopes") ImmutableList<String> requiredScopes,
-      @Key("jsonCredential") String jsonCredential) {
-    GoogleCredentials credential;
-    try {
-      credential =
-          GoogleCredentials.fromStream(new ByteArrayInputStream(jsonCredential.getBytes(UTF_8)));
-    } catch (IOException e) {
-      throw new UncheckedIOException(e);
-    }
-    if (credential.createScopedRequired()) {
-      credential = credential.createScoped(requiredScopes);
-    }
-    return GoogleCredentialsBundle.create(credential);
-  }
-
-  /**
-   * Provides a {@link GoogleCredentialsBundle} with delegated admin access for a G Suite domain.
-   *
-   * <p>The G Suite domain must grant delegated admin access to the registry service account with
-   * all scopes in {@code requiredScopes}, including ones not related to G Suite.
-   */
-  @DelegatedCredential
-  @Provides
-  @Singleton
-  public static GoogleCredentialsBundle provideDelegatedCredential(
-      @Config("delegatedCredentialOauthScopes") ImmutableList<String> requiredScopes,
-      @JsonCredential GoogleCredentialsBundle credentialsBundle,
-      @Config("gSuiteAdminAccountEmailAddress") String gSuiteAdminAccountEmailAddress) {
-    return GoogleCredentialsBundle.create(credentialsBundle
-        .getGoogleCredentials()
-        .createDelegated(gSuiteAdminAccountEmailAddress)
-        .createScoped(requiredScopes));
-  }
-
  /**
   * Provides a {@link GoogleCredentialsBundle} with delegated access to Google Workspace APIs for
   * the application default credential user.
@ -223,24 +175,6 @@ public abstract class CredentialModule {
  @Retention(RetentionPolicy.RUNTIME)
  public @interface GoogleWorkspaceCredential {}

-  /**
-   * Dagger qualifier for a credential from a service account's JSON key, to be used in non-request
-   * threads.
-   */
-  @Qualifier
-  @Documented
-  @Retention(RetentionPolicy.RUNTIME)
-  public @interface JsonCredential {}
-
-  /**
-   * Dagger qualifier for a credential with delegated admin access for a dasher domain (for G
-   * Suite).
-   */
-  @Qualifier
-  @Documented
-  @Retention(RetentionPolicy.RUNTIME)
-  public @interface DelegatedCredential {}
-
  /**
   * Dagger qualifier for a credential with delegated admin access for a dasher domain (for Google
   * Workspace) backed by the application default credential (ADC).
--- a/core/src/main/java/google/registry/groups/DirectoryModule.java
+++ b/core/src/main/java/google/registry/groups/DirectoryModule.java
@ -17,7 +17,7 @@ package google.registry.groups;
 import com.google.api.services.admin.directory.Directory;
 import dagger.Module;
 import dagger.Provides;
-import google.registry.config.CredentialModule.DelegatedCredential;
+import google.registry.config.CredentialModule.AdcDelegatedCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.util.GoogleCredentialsBundle;

@ -27,7 +27,7 @@ public final class DirectoryModule {

  @Provides
  static Directory provideDirectory(
-      @DelegatedCredential GoogleCredentialsBundle credentialsBundle,
+      @AdcDelegatedCredential GoogleCredentialsBundle credentialsBundle,
      @Config("projectId") String projectId) {
    return new Directory.Builder(
            credentialsBundle.getHttpTransport(),
--- a/core/src/main/java/google/registry/groups/GroupssettingsModule.java
+++ b/core/src/main/java/google/registry/groups/GroupssettingsModule.java
@ -17,7 +17,7 @@ package google.registry.groups;
 import com.google.api.services.groupssettings.Groupssettings;
 import dagger.Module;
 import dagger.Provides;
-import google.registry.config.CredentialModule.DelegatedCredential;
+import google.registry.config.CredentialModule.AdcDelegatedCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.util.GoogleCredentialsBundle;

@ -27,7 +27,7 @@ public final class GroupssettingsModule {

  @Provides
  static Groupssettings provideDirectory(
-      @DelegatedCredential GoogleCredentialsBundle credentialsBundle,
+      @AdcDelegatedCredential GoogleCredentialsBundle credentialsBundle,
      @Config("projectId") String projectId) {
    return new Groupssettings.Builder(
            credentialsBundle.getHttpTransport(),
--- a/core/src/main/java/google/registry/keyring/api/KeyModule.java
+++ b/core/src/main/java/google/registry/keyring/api/KeyModule.java
@ -120,10 +120,4 @@ public final class KeyModule {
  static String provideSafeBrowsingAPIKey(Keyring keyring) {
    return keyring.getSafeBrowsingAPIKey();
  }
-
-  @Provides
-  @Key("jsonCredential")
-  static String provideJsonCredential(Keyring keyring) {
-    return keyring.getJsonCredential();
-  }
 }
--- a/core/src/main/java/google/registry/keyring/secretmanager/SecretManagerKeyring.java
+++ b/core/src/main/java/google/registry/keyring/secretmanager/SecretManagerKeyring.java
@ -143,6 +143,7 @@ public class SecretManagerKeyring implements Keyring {
    return getString(StringKeyLabel.MARKSDB_SMDRL_LOGIN_STRING);
  }

+  // TODO(b/237305940): remove this method and all supports, including entry in secretmanager
  @Override
  public String getJsonCredential() {
    return getString(StringKeyLabel.JSON_CREDENTIAL_STRING);