Move truely public endpoints to a separate Auth (#2200)

This allows us to more easily refactor public endpoints that still use
the legacy auth mechanism to identify logged-in users (for the legacy
console).
Lai Jiang 2023-10-31 13:58:45 -04:00 committed by GitHub
parent 1d6b119340
commit 9330e3a50d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 30 additions and 22 deletions


@ -30,16 +30,14 @@ public enum Auth {
* <p>If a user is logged in, will authenticate (and return) them. Otherwise, access is still * <p>If a user is logged in, will authenticate (and return) them. Otherwise, access is still
* granted, but NOT_AUTHENTICATED is returned. * granted, but NOT_AUTHENTICATED is returned.
* *
* <p>This is used for public HTML endpoints like RDAP, the check API, and web WHOIS. * <p>User-facing legacy console endpoints (those that extend {@link HtmlAction}) use it. They
* * need to allow requests from signed-out users so that they can redirect users to the login page.
* <p>User-facing legacy console endpoints (those that extend {@link HtmlAction}) also use it. * After a user is logged in, they check if the user actually has access to the specific console
* They need to allow requests from signed-out users so that they can redirect users to the login * using {@link AuthenticatedRegistrarAccessor}.
* page. After a user is logged in, they check if the user actually has access to the specific
* console using {@link AuthenticatedRegistrarAccessor}.
* *
* @see HtmlAction * @see HtmlAction
*/ */
AUTH_PUBLIC( AUTH_PUBLIC_LEGACY(
ImmutableList.of(AuthMethod.API, AuthMethod.LEGACY), AuthLevel.NONE, UserPolicy.PUBLIC), ImmutableList.of(AuthMethod.API, AuthMethod.LEGACY), AuthLevel.NONE, UserPolicy.PUBLIC),
/** /**
@ -52,6 +50,13 @@ public enum Auth {
AUTH_PUBLIC_LOGGED_IN( AUTH_PUBLIC_LOGGED_IN(
ImmutableList.of(AuthMethod.API, AuthMethod.LEGACY), AuthLevel.USER, UserPolicy.PUBLIC), ImmutableList.of(AuthMethod.API, AuthMethod.LEGACY), AuthLevel.USER, UserPolicy.PUBLIC),
/**
* Allows anyone to access.
*
* <p>This is used for public HTML endpoints like RDAP, the check API, and web WHOIS.
*/
AUTH_PUBLIC(ImmutableList.of(AuthMethod.API), AuthLevel.NONE, UserPolicy.PUBLIC),
/** /**
* Allows only the app itself (via service accounts) or admins to access. * Allows only the app itself (via service accounts) or admins to access.
* *
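Review bot: The Javadoc on the new `AUTH_PUBLIC(ImmutableList.of(AuthMethod.API), AuthLevel.NONE, UserPolicy.PUBLIC)` constant says who may call it but not what distinguishes it from AUTH_PUBLIC_LEGACY, which is the security-relevant part: the legacy mechanism is no longer consulted, so a request to these endpoints carries a user identity only when it authenticates via the API method. I would add a sentence such as `* <p>Unlike {@link #AUTH_PUBLIC_LEGACY}, the legacy auth mechanism is not consulted; a user is identified only via {@link AuthMethod#API}, and handlers must not rely on a legacy session being present.` Any endpoint moved to this constant that previously varied its response on a legacy-authenticated user (the RDAP actions are the likely candidates, if their authorization logic does so) would silently lose that behavior, so it is worth confirming the affected tests exercise a logged-in request against the new constant. The enum body continues outside both hunks.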


@ -53,7 +53,7 @@ import javax.inject.Named;
service = Action.Service.DEFAULT, service = Action.Service.DEFAULT,
path = ConsoleOteSetupAction.PATH, path = ConsoleOteSetupAction.PATH,
method = {Method.POST, Method.GET}, method = {Method.POST, Method.GET},
auth = Auth.AUTH_PUBLIC) auth = Auth.AUTH_PUBLIC_LEGACY)
public final class ConsoleOteSetupAction extends HtmlAction { public final class ConsoleOteSetupAction extends HtmlAction {
public static final String PATH = "/registrar-ote-setup"; public static final String PATH = "/registrar-ote-setup";


@ -63,7 +63,7 @@ import org.joda.money.CurrencyUnit;
service = Service.DEFAULT, service = Service.DEFAULT,
path = ConsoleRegistrarCreatorAction.PATH, path = ConsoleRegistrarCreatorAction.PATH,
method = {Method.POST, Method.GET}, method = {Method.POST, Method.GET},
auth = Auth.AUTH_PUBLIC) auth = Auth.AUTH_PUBLIC_LEGACY)
public final class ConsoleRegistrarCreatorAction extends HtmlAction { public final class ConsoleRegistrarCreatorAction extends HtmlAction {
private static final int PASSWORD_LENGTH = 16; private static final int PASSWORD_LENGTH = 16;


@ -41,7 +41,10 @@ import java.util.Optional;
import javax.inject.Inject; import javax.inject.Inject;
/** Action that serves Registrar Console single HTML page (SPA). */ /** Action that serves Registrar Console single HTML page (SPA). */
@Action(service = Action.Service.DEFAULT, path = ConsoleUiAction.PATH, auth = Auth.AUTH_PUBLIC) @Action(
service = Action.Service.DEFAULT,
path = ConsoleUiAction.PATH,
auth = Auth.AUTH_PUBLIC_LEGACY)
public final class ConsoleUiAction extends HtmlAction { public final class ConsoleUiAction extends HtmlAction {
private static final FluentLogger logger = FluentLogger.forEnclosingClass(); private static final FluentLogger logger = FluentLogger.forEnclosingClass();


@ -34,7 +34,7 @@ import javax.inject.Inject;
@Action( @Action(
service = Action.Service.DEFAULT, service = Action.Service.DEFAULT,
path = RegistryLockVerifyAction.PATH, path = RegistryLockVerifyAction.PATH,
auth = Auth.AUTH_PUBLIC) auth = Auth.AUTH_PUBLIC_LEGACY)
public final class RegistryLockVerifyAction extends HtmlAction { public final class RegistryLockVerifyAction extends HtmlAction {
public static final String PATH = "/registry-lock-verify"; public static final String PATH = "/registry-lock-verify";


@ -1,13 +1,13 @@
PATH CLASS METHODS OK AUTH_METHODS MIN USER_POLICY PATH CLASS METHODS OK AUTH_METHODS MIN USER_POLICY
/_dr/whois WhoisAction POST n API APP ADMIN /_dr/whois WhoisAction POST n API APP ADMIN
/check CheckApiAction GET n API,LEGACY NONE PUBLIC /check CheckApiAction GET n API NONE PUBLIC
/rdap/autnum/(*) RdapAutnumAction GET,HEAD n API,LEGACY NONE PUBLIC /rdap/autnum/(*) RdapAutnumAction GET,HEAD n API NONE PUBLIC
/rdap/domain/(*) RdapDomainAction GET,HEAD n API,LEGACY NONE PUBLIC /rdap/domain/(*) RdapDomainAction GET,HEAD n API NONE PUBLIC
/rdap/domains RdapDomainSearchAction GET,HEAD n API,LEGACY NONE PUBLIC /rdap/domains RdapDomainSearchAction GET,HEAD n API NONE PUBLIC
/rdap/entities RdapEntitySearchAction GET,HEAD n API,LEGACY NONE PUBLIC /rdap/entities RdapEntitySearchAction GET,HEAD n API NONE PUBLIC
/rdap/entity/(*) RdapEntityAction GET,HEAD n API,LEGACY NONE PUBLIC /rdap/entity/(*) RdapEntityAction GET,HEAD n API NONE PUBLIC
/rdap/help(*) RdapHelpAction GET,HEAD n API,LEGACY NONE PUBLIC /rdap/help(*) RdapHelpAction GET,HEAD n API NONE PUBLIC
/rdap/ip/(*) RdapIpAction GET,HEAD n API,LEGACY NONE PUBLIC /rdap/ip/(*) RdapIpAction GET,HEAD n API NONE PUBLIC
/rdap/nameserver/(*) RdapNameserverAction GET,HEAD n API,LEGACY NONE PUBLIC /rdap/nameserver/(*) RdapNameserverAction GET,HEAD n API NONE PUBLIC
/rdap/nameservers RdapNameserverSearchAction GET,HEAD n API,LEGACY NONE PUBLIC /rdap/nameservers RdapNameserverSearchAction GET,HEAD n API NONE PUBLIC
/whois/(*) WhoisHttpAction GET n API,LEGACY NONE PUBLIC /whois/(*) WhoisHttpAction GET n API NONE PUBLIC