Introduce simplified Default credential provision

As the first step in credential consolidation, we replace
injection of application default credential in for KMS and
Drive.

Tests:
- for Drive, tested with exportDomainLists and exportReservedTerms.
- For KMS, used CLI commands (get_keyring_secret and update_kms_keyring) to change and
  restore secret for one key.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=211819859

java/google/registry/config/BUILD

@@ -10,6 +10,7 @@ java_library(
     resources = glob(["files/*.yaml"]),
     deps = [
         "//java/google/registry/util",
+        "@com_google_api_client",
         "@com_google_appengine_api_1_0_sdk",
         "@com_google_auto_value",
         "@com_google_code_findbugs_jsr305",

java/google/registry/config/CredentialModule.java

@@ -0,0 +1,68 @@
+// Copyright 2018 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.config;
+
+import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
+import com.google.common.collect.ImmutableList;
+import dagger.Module;
+import dagger.Provides;
+import google.registry.config.RegistryConfig.Config;
+import java.io.IOException;
+import javax.inject.Qualifier;
+import javax.inject.Singleton;
+
+/**
+ * Dagger module that provides all {@link GoogleCredential GoogleCredentials} used in the
+ * application.
+ */
+@Module
+public abstract class CredentialModule {
+
+  /** Provides the default {@link GoogleCredential} from the Google Cloud runtime. */
+  @DefaultCredential
+  @Provides
+  @Singleton
+  public static GoogleCredential provideDefaultCredential(
+      @Config("credentialOauthScopes") ImmutableList<String> requiredScopes) {
+    GoogleCredential credential;
+    try {
+      credential = GoogleCredential.getApplicationDefault();
+    } catch (IOException e) {
+      throw new RuntimeException(e);
+    }
+    if (credential.createScopedRequired()) {
+      return credential.createScoped(requiredScopes);
+    }
+    return credential;
+  }
+
+  /** Dagger qualifier for the Application Default Credential. */
+  @Qualifier
+  public @interface DefaultCredential {}
+
+  /**
+   * Dagger qualifier for a credential from a service account's JSON key, to be used in non-request
+   * threads.
+   */
+  @Qualifier
+  public @interface JsonCredential {}
+
+  /**
+   * Dagger qualifier for a credential with delegated admin access for a dasher domain (for G
+   * Suite).
+   */
+  @Qualifier
+  public @interface DelegatedCredential {}
+}

java/google/registry/config/RegistryConfig.java

@@ -1135,6 +1135,14 @@ public final class RegistryConfig {
       return ImmutableSet.copyOf(config.oAuth.allowedOauthClientIds);
     }
 
+    /** Provides the OAuth scopes required for accessing Google APIs. */
+    @Provides
+    @Config("credentialOauthScopes")
+    public static ImmutableList<String> provideCredentialOauthScopes(
+        RegistryConfigSettings config) {
+      return ImmutableList.copyOf(config.credentialOAuth.credentialOauthScopes);
+    }
+
     /**
      * Returns the help path for the RDAP terms of service.
      *

java/google/registry/config/RegistryConfigSettings.java

@@ -22,6 +22,7 @@ public class RegistryConfigSettings {
   public AppEngine appEngine;
   public GSuite gSuite;
   public OAuth oAuth;
+  public CredentialOAuth credentialOAuth;
   public RegistryPolicy registryPolicy;
   public Datastore datastore;
   public CloudDns cloudDns;
@@ -48,13 +49,18 @@ public class RegistryConfigSettings {
     }
   }
 
-  /** Configuration options for OAuth settings. */
+  /** Configuration options for OAuth settings for authenticating users. */
   public static class OAuth {
     public List<String> availableOauthScopes;
     public List<String> requiredOauthScopes;
     public List<String> allowedOauthClientIds;
   }
 
+  /** Configuration options for accessing Google APIs. */
+  public static class CredentialOAuth {
+    public List<String> credentialOauthScopes;
+  }
+
   /** Configuration options for the G Suite account used by Nomulus. */
   public static class GSuite {
     public String domainName;

java/google/registry/config/files/default-config.yaml

@@ -176,6 +176,21 @@ oAuth:
   # numbers-alphanumerics.apps.googleusercontent.com
   allowedOauthClientIds: []
 
+credentialOAuth:
+  # OAuth scopes required for accessing Google APIs.
+  credentialOauthScopes:
+    # View and manage data in all Google Cloud APIs.
+    - https://www.googleapis.com/auth/cloud-platform
+    # View and manage files in Google Drive.
+    - https://www.googleapis.com/auth/drive
+    # View and manage groups on your domain in Directory API.
+    - https://www.googleapis.com/auth/admin.directory.group
+    # Inherited from current code.
+    # TODO(weiminyu): verify if the scope above is sufficient by itself.
+    - https://www.googleapis.com/auth/admin.directory.group.member
+    # View and manage the settings of a Google Apps Group.
+    - https://www.googleapis.com/auth/apps.groups.settings
+
 icannReporting:
   # URL we PUT monthly ICANN transactions reports to.
   icannTransactionsReportingUploadUrl: https://ry-api.icann.org/report/registrar-transactions