From a0fcd02ed27db3bfe60788bed99dd279f78b0e3c Mon Sep 17 00:00:00 2001 
From: Weimin Yu Date: Mon, 26 Jul 2021 17:09:09 -0400 Subject: [PATCH] Remove KmsSecret model entities (#1252) * Remove KmsSecret model entities Now that we have been using the SecretManager for almost a month now, remove the KmsSecret and KmsSecretRevision entities from Java code base. A follow-up PR will drop the relevant tables in the schema. Also removed a few unused classes in the beam package. --- core/build.gradle | 2 - .../initsql/CloudSqlCredentialDecryptor.java | 50 ------ .../registry/beam/initsql/SqlAccessInfo.java | 45 ----- .../registry/keyring/kms/KmsKeyring.java | 10 +- .../google/registry/model/EntityClasses.java | 4 - .../registry/model/server/KmsSecret.java | 57 ------ .../model/server/KmsSecretRevision.java | 162 ------------------ .../model/server/KmsSecretRevisionSqlDao.java | 53 ------ .../JpaTransactionManagerImpl.java | 4 +- .../main/resources/META-INF/persistence.xml | 1 - .../server/KmsSecretRevisionSqlDaoTest.java | 86 ---------- .../model/server/KmsSecretRevisionTest.java | 68 -------- .../registry/model/server/KmsSecretTest.java | 52 ------ .../integration/SqlIntegrationTestSuite.java | 2 - .../registry/testing/ReplayExtension.java | 1 - .../google/registry/export/backup_kinds.txt | 2 - .../google/registry/export/crosstld_kinds.txt | 2 - .../registry/export/reporting_kinds.txt | 2 - .../google/registry/model/schema.txt | 12 -- .../sql/schema/db-schema.sql.generated | 10 -- 20 files changed, 3 insertions(+), 622 deletions(-) delete mode 100644 core/src/main/java/google/registry/beam/initsql/CloudSqlCredentialDecryptor.java delete mode 100644 core/src/main/java/google/registry/beam/initsql/SqlAccessInfo.java delete mode 100644 core/src/main/java/google/registry/model/server/KmsSecret.java delete mode 100644 core/src/main/java/google/registry/model/server/KmsSecretRevision.java delete mode 100644 core/src/main/java/google/registry/model/server/KmsSecretRevisionSqlDao.java delete mode 100644 
core/src/test/java/google/registry/model/server/KmsSecretRevisionSqlDaoTest.java delete mode 100644 core/src/test/java/google/registry/model/server/KmsSecretRevisionTest.java delete mode 100644 core/src/test/java/google/registry/model/server/KmsSecretTest.java diff --git a/core/build.gradle b/core/build.gradle index f280b0f99..48e6429eb 100644 --- a/core/build.gradle +++ b/core/build.gradle @@ -74,8 +74,6 @@ def fragileTestPatterns = [ "google/registry/cron/TldFanoutActionTest.*", // Test Datastore inexplicably aborts transaction. "google/registry/model/tmch/ClaimsListShardTest.*", - // Creates large object (64MBytes), occasionally throws OOM error. - "google/registry/model/server/KmsSecretRevisionTest.*", // Changes cache timeouts and for some reason appears to have contention // with other tests. "google/registry/whois/WhoisCommandFactoryTest.*", diff --git a/core/src/main/java/google/registry/beam/initsql/CloudSqlCredentialDecryptor.java b/core/src/main/java/google/registry/beam/initsql/CloudSqlCredentialDecryptor.java deleted file mode 100644 index 4055747b4..000000000 --- a/core/src/main/java/google/registry/beam/initsql/CloudSqlCredentialDecryptor.java +++ /dev/null 
@@ -1,50 +0,0 @@ -// Copyright 2020 The Nomulus Authors. All Rights Reserved. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package google.registry.beam.initsql; - -import static com.google.common.base.Preconditions.checkArgument; - -import com.google.api.services.cloudkms.v1.model.DecryptRequest; -import com.google.common.base.Strings; -import google.registry.config.RegistryConfig.Config; -import google.registry.keyring.kms.KmsConnection; -import java.nio.charset.StandardCharsets; -import java.util.Base64; -import javax.inject.Inject; - -/** - * Decrypts data using Cloud KMS, with the same crypto key with which Cloud SQL credential files on - * GCS was encrypted. See {@link BackupPaths#getCloudSQLCredentialFilePatterns} for more - * information. - */ -public class CloudSqlCredentialDecryptor { - - private static final String CRYPTO_KEY_NAME = "nomulus-tool-key"; - private final KmsConnection kmsConnection; - - @Inject - CloudSqlCredentialDecryptor(@Config("beamKmsConnection") KmsConnection kmsConnection) { - this.kmsConnection = kmsConnection; - } - - public String decrypt(String data) { - checkArgument(!Strings.isNullOrEmpty(data), "Null or empty data."); - byte[] ciphertext = Base64.getDecoder().decode(data); - // Re-encode for Cloud KMS JSON REST API, invoked through kmsConnection. 
- String urlSafeCipherText = new DecryptRequest().encodeCiphertext(ciphertext).getCiphertext();
- return new String(
- kmsConnection.decrypt(CRYPTO_KEY_NAME, urlSafeCipherText), StandardCharsets.UTF_8);
- }
-}
diff --git a/core/src/main/java/google/registry/beam/initsql/SqlAccessInfo.java b/core/src/main/java/google/registry/beam/initsql/SqlAccessInfo.java
deleted file mode 100644
index 7b055666d..000000000
--- a/core/src/main/java/google/registry/beam/initsql/SqlAccessInfo.java
+++ /dev/null
@@ -1,45 +0,0 @@ -// Copyright 2020 The Nomulus Authors. All Rights Reserved. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package google.registry.beam.initsql; - -import com.google.auto.value.AutoValue; -import java.util.Optional; - -/** - * Information needed to connect to a database, including JDBC URL, user name, password, and in the - * case of Cloud SQL, the database instance's name. - */ -@AutoValue -abstract class SqlAccessInfo { - - abstract String jdbcUrl(); - - abstract String user(); - - abstract String password(); - - abstract Optional cloudSqlInstanceName(); - - public static SqlAccessInfo createCloudSqlAccessInfo( - String sqlInstanceName, String username, String password) { - return new AutoValue_SqlAccessInfo( - "jdbc:postgresql://google/postgres", username, password, Optional.of(sqlInstanceName)); - } - - public static SqlAccessInfo createLocalSqlAccessInfo( - String jdbcUrl, String username, String password) { - return new AutoValue_SqlAccessInfo(jdbcUrl, username, password, Optional.empty()); - } -} diff --git a/core/src/main/java/google/registry/keyring/kms/KmsKeyring.java b/core/src/main/java/google/registry/keyring/kms/KmsKeyring.java index 82e9d800b..0232a191c 100644 --- a/core/src/main/java/google/registry/keyring/kms/KmsKeyring.java +++ b/core/src/main/java/google/registry/keyring/kms/KmsKeyring.java 
@@ -28,14 +28,8 @@ import org.bouncycastle.openpgp.PGPKeyPair; import org.bouncycastle.openpgp.PGPPrivateKey; import org.bouncycastle.openpgp.PGPPublicKey; -/** - * A {@link Keyring} implementation which stores encrypted secrets in Datastore and decrypts them - * using encryption keys stored in Cloud KMS. - * - * @see Google Cloud Key Management Service - * Documentation - */ -// TODO(2021-07-01): rename this class to SecretManagerKeyring and delete KmsSecretRevision +/** A {@link Keyring} implementation which stores sensitive data in the Secret Manager. */ +// TODO(2021-08-01): rename this class to SecretManagerKeyring and update config files. public class KmsKeyring implements Keyring { /** Key labels for private key secrets. */ diff --git a/core/src/main/java/google/registry/model/EntityClasses.java b/core/src/main/java/google/registry/model/EntityClasses.java index ed2d08976..2ec069878 100644 --- a/core/src/main/java/google/registry/model/EntityClasses.java +++ b/core/src/main/java/google/registry/model/EntityClasses.java @@ -43,8 +43,6 @@ import google.registry.model.registry.Registry; import google.registry.model.registry.label.PremiumList; import google.registry.model.registry.label.ReservedList; import google.registry.model.reporting.HistoryEntry; -import google.registry.model.server.KmsSecret; -import google.registry.model.server.KmsSecretRevision; import google.registry.model.server.Lock; import google.registry.model.server.ServerSecret; import google.registry.model.tmch.ClaimsList; @@ -88,8 +86,6 @@ public final class EntityClasses { HistoryEntry.class, HostHistory.class, HostResource.class, - KmsSecret.class, - KmsSecretRevision.class, LastSqlTransaction.class, Lock.class, PollMessage.class, diff --git a/core/src/main/java/google/registry/model/server/KmsSecret.java b/core/src/main/java/google/registry/model/server/KmsSecret.java deleted file mode 100644 index 203256de7..000000000 
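Review bot: The replacement class Javadoc on KmsKeyring is thinner than the one it removes: it drops the `@see` documentation link and describes a class still named KmsKeyring as a Secret Manager store, which reads as a contradiction until the rename promised in the TODO lands. That TODO is tagged with a calendar date only six days after this commit's date, and the previous date-tagged TODO (2021-07-01) on the same line had already slipped; elsewhere this codebase tracks such work by bug id, e.g. `TODO(b/177567432)` in the deleted KmsSecretRevision, so `// TODO(b/<tracking-bug>): rename this class to SecretManagerKeyring and update config files.` would be easier to audit. Consider also restoring an `@see` pointing at the Secret Manager documentation in place of the removed Cloud KMS link, so readers can find the backing service's access-control and audit-logging model from the class that handles private keys. The class body continues outside the hunk.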
--- a/core/src/main/java/google/registry/model/server/KmsSecret.java
+++ /dev/null
@@ -1,57 +0,0 @@ -// Copyright 2017 The Nomulus Authors. All Rights Reserved. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package google.registry.model.server; - -import static google.registry.model.common.EntityGroupRoot.getCrossTldKey; - -import com.googlecode.objectify.Key; -import com.googlecode.objectify.annotation.Entity; -import com.googlecode.objectify.annotation.Id; -import com.googlecode.objectify.annotation.Parent; -import google.registry.model.ImmutableObject; -import google.registry.model.annotations.InCrossTld; -import google.registry.model.annotations.ReportedOn; -import google.registry.model.common.EntityGroupRoot; -import google.registry.schema.replay.DatastoreOnlyEntity; - -/** Pointer to the latest {@link KmsSecretRevision}. */ -@Entity -@ReportedOn -@InCrossTld -public class KmsSecret extends ImmutableObject implements DatastoreOnlyEntity { - - /** The unique name of this {@link KmsSecret}. */ - @Id String name; - - @Parent Key parent = getCrossTldKey(); - - /** The pointer to the latest {@link KmsSecretRevision}. */ - Key latestRevision; - - public String getName() { - return name; - } - - public Key getLatestRevision() { - return latestRevision; - } - - public static KmsSecret create(String name, KmsSecretRevision latestRevision) { - KmsSecret instance = new KmsSecret(); - instance.name = name; - instance.latestRevision = Key.create(latestRevision); - return instance; - } -} 
diff --git a/core/src/main/java/google/registry/model/server/KmsSecretRevision.java b/core/src/main/java/google/registry/model/server/KmsSecretRevision.java deleted file mode 100644 index a39002080..000000000 --- a/core/src/main/java/google/registry/model/server/KmsSecretRevision.java +++ /dev/null @@ -1,162 +0,0 @@ -// Copyright 2017 The Nomulus Authors. All Rights Reserved. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package google.registry.model.server; - -import static com.google.common.base.Preconditions.checkArgument; -import static google.registry.model.common.EntityGroupRoot.getCrossTldKey; - -import com.googlecode.objectify.Key; -import com.googlecode.objectify.annotation.Entity; -import com.googlecode.objectify.annotation.Id; -import com.googlecode.objectify.annotation.Ignore; -import com.googlecode.objectify.annotation.OnLoad; -import com.googlecode.objectify.annotation.Parent; -import google.registry.model.Buildable; -import google.registry.model.CreateAutoTimestamp; -import google.registry.model.ImmutableObject; -import google.registry.model.annotations.InCrossTld; -import google.registry.model.annotations.ReportedOn; -import google.registry.schema.replay.NonReplicatedEntity; -import javax.persistence.Column; -import javax.persistence.Index; -import javax.persistence.PostLoad; -import javax.persistence.Table; -import javax.persistence.Transient; - -/** - * An encrypted value. - * - *

Used to store passwords and other sensitive information in Datastore. Multiple versions of a - * {@link KmsSecretRevision} may be persisted but only the latest version is primary. A key to the - * primary version is stored by {@link KmsSecret#latestRevision}. - * - *

The value can be encrypted and decrypted using Cloud KMS. - * - *

Note that the primary key of this entity is {@link #revisionKey}, which is auto-generated by - * the database. So, if a retry of insertion happens after the previous attempt unexpectedly - * succeeds, we will end up with having two exact same revisions that differ only by revisionKey. - * This is fine though, because we only use the revision with the highest revisionKey. - * - *

TODO(b/177567432): remove Datastore-specific fields post-Registry-3.0-migration and rename to - * KmsSecret. - * - * @see Google Cloud Key Management Service - * Documentation - * @see google.registry.keyring.kms.KmsKeyring - */ -@Entity -@ReportedOn -@javax.persistence.Entity(name = "KmsSecret") -@Table(indexes = {@Index(columnList = "secretName")}) -@InCrossTld -public class KmsSecretRevision extends ImmutableObject implements NonReplicatedEntity { - - /** - * The maximum allowable secret size. Although Datastore allows entities up to 1 MB in size, - * BigQuery imports of Datastore backups limit individual columns (entity attributes) to 64 KB. - */ - private static final int MAX_SECRET_SIZE_BYTES = 64 * 1024 * 1024; - - /** - * The revision of this secret. - * - *

TODO(b/177567432): change name of the variable to revisionId once we're off Datastore - */ - @Id - @javax.persistence.Id - @Column(name = "revisionId") - long revisionKey; - - /** The parent {@link KmsSecret} which contains metadata about this {@link KmsSecretRevision}. */ - @Parent @Transient Key parent; - @Column(nullable = false) - @Ignore - String secretName; - - /** - * The name of the {@code cryptoKeyVersion} associated with this {@link KmsSecretRevision}. - * - *

TODO: change name of the variable to cryptoKeyVersionName once we're off Datastore - * - * @see projects.locations.keyRings.cryptoKeys.cryptoKeyVersions - */ - @Column(nullable = false, name = "cryptoKeyVersionName") - String kmsCryptoKeyVersionName; - - /** - * The base64-encoded encrypted value of this {@link KmsSecretRevision} as returned by the Cloud - * KMS API. - * - * @see projects.locations.keyRings.cryptoKeys.encrypt - */ - @Column(nullable = false) - String encryptedValue; - - /** An automatically managed creation timestamp. */ - @Column(nullable = false) - CreateAutoTimestamp creationTime = CreateAutoTimestamp.create(null); - - public String getKmsCryptoKeyVersionName() { - return kmsCryptoKeyVersionName; - } - - public String getEncryptedValue() { - return encryptedValue; - } - - // When loading from SQL, fill out the Datastore-specific field - @PostLoad - void postLoad() { - parent = Key.create(getCrossTldKey(), KmsSecret.class, secretName); - } - - // When loading from Datastore, fill out the SQL-specific field - @OnLoad - void onLoad() { - secretName = parent.getName(); - } - - /** A builder for constructing {@link KmsSecretRevision} entities, since they are immutable. */ - public static class Builder extends Buildable.Builder { - - public Builder setKmsCryptoKeyVersionName(String kmsCryptoKeyVersionName) { - getInstance().kmsCryptoKeyVersionName = kmsCryptoKeyVersionName; - return this; - } - - public Builder setEncryptedValue(String encryptedValue) { - checkArgument( - encryptedValue.length() <= MAX_SECRET_SIZE_BYTES, - "Secret is greater than %s bytes", - MAX_SECRET_SIZE_BYTES); - - getInstance().encryptedValue = encryptedValue; - return this; - } - - /** - * Set the parent {@link KmsSecret}. - * - *

The secret may not exist yet, so it is referred to by name rather than by reference. - */ - public Builder setParent(String secretName) { - getInstance().parent = Key.create(getCrossTldKey(), KmsSecret.class, secretName); - getInstance().secretName = secretName; - return this; - } - } -} diff --git a/core/src/main/java/google/registry/model/server/KmsSecretRevisionSqlDao.java b/core/src/main/java/google/registry/model/server/KmsSecretRevisionSqlDao.java deleted file mode 100644 index b473c56c8..000000000 --- a/core/src/main/java/google/registry/model/server/KmsSecretRevisionSqlDao.java +++ /dev/null @@ -1,53 +0,0 @@ -// Copyright 2020 The Nomulus Authors. All Rights Reserved. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package google.registry.model.server; - -import static com.google.common.base.Preconditions.checkArgument; -import static com.google.common.base.Strings.isNullOrEmpty; -import static google.registry.persistence.transaction.TransactionManagerFactory.jpaTm; -import static google.registry.util.PreconditionsUtils.checkArgumentNotNull; - -import java.util.Optional; - -/** - * A {@link KmsSecretRevision} DAO for Cloud SQL. - * - *

TODO(b/177567432): Rename this class to KmsSecretDao after migrating to Cloud SQL. - */ -public class KmsSecretRevisionSqlDao { - - private KmsSecretRevisionSqlDao() {} - - /** Saves the given KMS secret revision. */ - public static void save(KmsSecretRevision kmsSecretRevision) { - checkArgumentNotNull(kmsSecretRevision, "kmsSecretRevision cannot be null"); - jpaTm().assertInTransaction(); - jpaTm().put(kmsSecretRevision); - } - - /** Returns the latest revision for the secret name given, or absent if nonexistent. */ - public static Optional getLatestRevision(String secretName) { - checkArgument(!isNullOrEmpty(secretName), "secretName cannot be null or empty"); - jpaTm().assertInTransaction(); - return jpaTm() - .query( - "FROM KmsSecret ks WHERE ks.revisionKey IN (SELECT MAX(revisionKey) FROM " - + "KmsSecret subKs WHERE subKs.secretName = :secretName)", - KmsSecretRevision.class) - .setParameter("secretName", secretName) - .getResultStream() - .findFirst(); - } -} diff --git a/core/src/main/java/google/registry/persistence/transaction/JpaTransactionManagerImpl.java b/core/src/main/java/google/registry/persistence/transaction/JpaTransactionManagerImpl.java index da8d1544f..05f2e5ee3 100644 --- a/core/src/main/java/google/registry/persistence/transaction/JpaTransactionManagerImpl.java +++ b/core/src/main/java/google/registry/persistence/transaction/JpaTransactionManagerImpl.java @@ -37,7 +37,6 @@ import google.registry.model.index.ForeignKeyIndex.ForeignKeyContactIndex; import google.registry.model.index.ForeignKeyIndex.ForeignKeyDomainIndex; import google.registry.model.index.ForeignKeyIndex.ForeignKeyHostIndex; import google.registry.model.ofy.DatastoreTransactionManager; -import google.registry.model.server.KmsSecret; import google.registry.model.tmch.ClaimsList.ClaimsListSingleton; import google.registry.persistence.JpaRetries; import google.registry.persistence.VKey; 
@@ -94,8 +93,7 @@ public class JpaTransactionManagerImpl implements JpaTransactionManager { EppResourceIndex.class, ForeignKeyContactIndex.class, ForeignKeyDomainIndex.class, - ForeignKeyHostIndex.class, - KmsSecret.class); + ForeignKeyHostIndex.class); // EntityManagerFactory is thread safe. private final EntityManagerFactory emf; diff --git a/core/src/main/resources/META-INF/persistence.xml b/core/src/main/resources/META-INF/persistence.xml index f19138f9b..ff0fa1332 100644 --- a/core/src/main/resources/META-INF/persistence.xml +++ b/core/src/main/resources/META-INF/persistence.xml @@ -65,7 +65,6 @@ google.registry.model.registry.Registry google.registry.model.reporting.DomainTransactionRecord google.registry.model.reporting.Spec11ThreatMatch - google.registry.model.server.KmsSecretRevision google.registry.model.server.Lock google.registry.model.server.ServerSecret google.registry.model.smd.SignedMarkRevocationList diff --git a/core/src/test/java/google/registry/model/server/KmsSecretRevisionSqlDaoTest.java b/core/src/test/java/google/registry/model/server/KmsSecretRevisionSqlDaoTest.java deleted file mode 100644 index 7281b8689..000000000 --- a/core/src/test/java/google/registry/model/server/KmsSecretRevisionSqlDaoTest.java +++ /dev/null 
@@ -1,86 +0,0 @@ -// Copyright 2020 The Nomulus Authors. All Rights Reserved. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package google.registry.model.server; - -import static com.google.common.truth.Truth.assertThat; -import static google.registry.model.ImmutableObjectSubject.assertAboutImmutableObjects; -import static google.registry.persistence.transaction.TransactionManagerFactory.jpaTm; - -import google.registry.persistence.transaction.JpaTestRules; -import google.registry.persistence.transaction.JpaTestRules.JpaIntegrationWithCoverageExtension; -import google.registry.testing.DatastoreEntityExtension; -import google.registry.testing.FakeClock; -import java.util.Optional; -import org.junit.jupiter.api.Order; -import org.junit.jupiter.api.Test; -import org.junit.jupiter.api.extension.RegisterExtension; - -/** Tests for {@link google.registry.model.server.KmsSecretRevisionSqlDao}. 
*/ -public class KmsSecretRevisionSqlDaoTest { - - private final FakeClock fakeClock = new FakeClock(); - - @RegisterExtension - @Order(value = 1) - DatastoreEntityExtension datastoreEntityExtension = new DatastoreEntityExtension(); - - @RegisterExtension - JpaIntegrationWithCoverageExtension jpa = - new JpaTestRules.Builder().withClock(fakeClock).buildIntegrationWithCoverageExtension(); - - @Test - void testSaveAndRetrieve() { - KmsSecretRevision revision = createRevision(); - jpaTm().transact(() -> KmsSecretRevisionSqlDao.save(revision)); - Optional fromSql = - jpaTm().transact(() -> KmsSecretRevisionSqlDao.getLatestRevision("secretName")); - assertThat(fromSql.isPresent()).isTrue(); - assertAboutImmutableObjects().that(revision).isEqualExceptFields(fromSql.get(), "creationTime"); - } - - @Test - void testMultipleRevisions() { - KmsSecretRevision revision = createRevision(); - jpaTm().transact(() -> KmsSecretRevisionSqlDao.save(revision)); - - KmsSecretRevision secondRevision = createRevision(); - secondRevision.encryptedValue = "someOtherValue"; - jpaTm().transact(() -> KmsSecretRevisionSqlDao.save(secondRevision)); - - Optional fromSql = - jpaTm().transact(() -> KmsSecretRevisionSqlDao.getLatestRevision("secretName")); - assertThat(fromSql.isPresent()).isTrue(); - assertThat(fromSql.get().getEncryptedValue()).isEqualTo("someOtherValue"); - } - - @Test - void testNonexistent() { - KmsSecretRevision revision = createRevision(); - jpaTm().transact(() -> KmsSecretRevisionSqlDao.save(revision)); - assertThat( - jpaTm() - .transact(() -> KmsSecretRevisionSqlDao.getLatestRevision("someOtherSecretName")) - .isPresent()) - .isFalse(); - } - - private KmsSecretRevision createRevision() { - return new KmsSecretRevision.Builder() - .setEncryptedValue("encrypted") - .setKmsCryptoKeyVersionName("version") - .setParent("secretName") - .build(); - } -} 
diff --git a/core/src/test/java/google/registry/model/server/KmsSecretRevisionTest.java b/core/src/test/java/google/registry/model/server/KmsSecretRevisionTest.java
deleted file mode 100644
index da46fadf6..000000000
--- a/core/src/test/java/google/registry/model/server/KmsSecretRevisionTest.java
+++ /dev/null
@@ -1,68 +0,0 @@ -// Copyright 2017 The Nomulus Authors. All Rights Reserved. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package google.registry.model.server; - -import static com.google.common.truth.Truth.assertThat; -import static google.registry.persistence.transaction.TransactionManagerFactory.ofyTm; -import static google.registry.testing.DatabaseHelper.persistResource; -import static org.junit.jupiter.api.Assertions.assertThrows; - -import com.google.common.base.Strings; -import google.registry.testing.AppEngineExtension; -import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.api.Test; -import org.junit.jupiter.api.extension.RegisterExtension; - -/** Unit tests for {@link google.registry.model.server.KmsSecretRevision}. 
*/ -public class KmsSecretRevisionTest { - - @RegisterExtension - public final AppEngineExtension appEngine = - AppEngineExtension.builder().withDatastoreAndCloudSql().build(); - - private KmsSecretRevision secretRevision; - - @BeforeEach - void beforeEach() { - secretRevision = - persistResource( - new KmsSecretRevision.Builder() - .setKmsCryptoKeyVersionName("foo") - .setParent("bar") - .setEncryptedValue("blah") - .build()); - } - - @Test - void test_setEncryptedValue_tooLong_throwsException() { - IllegalArgumentException thrown = - assertThrows( - IllegalArgumentException.class, - () -> - secretRevision = - persistResource( - new KmsSecretRevision.Builder() - .setKmsCryptoKeyVersionName("foo") - .setParent("bar") - .setEncryptedValue(Strings.repeat("a", 64 * 1024 * 1024 + 1)) - .build())); - assertThat(thrown).hasMessageThat().contains("Secret is greater than 67108864 bytes"); - } - - @Test - void testPersistence() { - assertThat(ofyTm().loadByEntity(secretRevision)).isEqualTo(secretRevision); - } -} diff --git a/core/src/test/java/google/registry/model/server/KmsSecretTest.java b/core/src/test/java/google/registry/model/server/KmsSecretTest.java deleted file mode 100644 index 49c2e1052..000000000 --- a/core/src/test/java/google/registry/model/server/KmsSecretTest.java +++ /dev/null 
@@ -1,52 +0,0 @@ -// Copyright 2017 The Nomulus Authors. All Rights Reserved. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package google.registry.model.server; - -import static com.google.common.truth.Truth.assertThat; -import static google.registry.persistence.transaction.TransactionManagerFactory.ofyTm; -import static google.registry.testing.DatabaseHelper.persistResource; - -import google.registry.testing.AppEngineExtension; -import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.api.Test; -import org.junit.jupiter.api.extension.RegisterExtension; - -public class KmsSecretTest { - - @RegisterExtension - public final AppEngineExtension appEngine = - AppEngineExtension.builder().withDatastoreAndCloudSql().build(); - - private KmsSecret secret; - private KmsSecretRevision secretRevision; - - @BeforeEach - void setUp() { - secretRevision = - persistResource( - new KmsSecretRevision.Builder() - .setKmsCryptoKeyVersionName("foo") - .setParent("bar") - .setEncryptedValue("blah") - .build()); - - secret = persistResource(KmsSecret.create("someSecret", secretRevision)); - } - - @Test - void testPersistence() { - assertThat(ofyTm().loadByEntity(secret)).isEqualTo(secret); - } -} diff --git a/core/src/test/java/google/registry/schema/integration/SqlIntegrationTestSuite.java b/core/src/test/java/google/registry/schema/integration/SqlIntegrationTestSuite.java index e8d7471ad..37e751182 100644 
--- a/core/src/test/java/google/registry/schema/integration/SqlIntegrationTestSuite.java +++ b/core/src/test/java/google/registry/schema/integration/SqlIntegrationTestSuite.java @@ -30,7 +30,6 @@ import google.registry.model.registry.RegistryLockDaoTest; import google.registry.model.registry.RegistryTest; import google.registry.model.registry.label.ReservedListDaoTest; import google.registry.model.reporting.Spec11ThreatMatchTest; -import google.registry.model.server.KmsSecretRevisionSqlDaoTest; import google.registry.model.server.LockTest; import google.registry.model.server.ServerSecretTest; import google.registry.model.smd.SignedMarkRevocationListDaoTest; @@ -89,7 +88,6 @@ import org.junit.runner.RunWith; DomainBaseSqlTest.class, DomainHistoryTest.class, HostHistoryTest.class, - KmsSecretRevisionSqlDaoTest.class, LockTest.class, PollMessageTest.class, PremiumListDaoTest.class, diff --git a/core/src/test/java/google/registry/testing/ReplayExtension.java b/core/src/test/java/google/registry/testing/ReplayExtension.java index 659d3e841..220e5aa5c 100644 --- a/core/src/test/java/google/registry/testing/ReplayExtension.java +++ b/core/src/test/java/google/registry/testing/ReplayExtension.java @@ -116,7 +116,6 @@ public class ReplayExtension implements BeforeEachCallback, AfterEachCallback { "PremiumListEntry", "ReservedList", "RdeRevision", - "KmsSecretRevision", "ServerSecret", "SignedMarkRevocationList", "ClaimsListShard", diff --git a/core/src/test/resources/google/registry/export/backup_kinds.txt b/core/src/test/resources/google/registry/export/backup_kinds.txt index 75d31e48c..c904af35a 100644 --- a/core/src/test/resources/google/registry/export/backup_kinds.txt +++ b/core/src/test/resources/google/registry/export/backup_kinds.txt @@ -11,8 +11,6 @@ ForeignKeyDomainIndex ForeignKeyHostIndex HistoryEntry HostResource -KmsSecret -KmsSecretRevision LastSqlTransaction Modification OneTime 
diff --git a/core/src/test/resources/google/registry/export/crosstld_kinds.txt b/core/src/test/resources/google/registry/export/crosstld_kinds.txt index b4eb5a638..357bbc0cc 100644 --- a/core/src/test/resources/google/registry/export/crosstld_kinds.txt +++ b/core/src/test/resources/google/registry/export/crosstld_kinds.txt @@ -2,8 +2,6 @@ ClaimsList ClaimsListSingleton Cursor DatabaseMigrationStateSchedule -KmsSecret -KmsSecretRevision PremiumList PremiumListEntry PremiumListRevision diff --git a/core/src/test/resources/google/registry/export/reporting_kinds.txt b/core/src/test/resources/google/registry/export/reporting_kinds.txt index 33b46174e..89a606ad2 100644 --- a/core/src/test/resources/google/registry/export/reporting_kinds.txt +++ b/core/src/test/resources/google/registry/export/reporting_kinds.txt @@ -8,8 +8,6 @@ ForeignKeyDomainIndex ForeignKeyHostIndex HistoryEntry HostResource -KmsSecret -KmsSecretRevision Modification OneTime PollMessage diff --git a/core/src/test/resources/google/registry/model/schema.txt b/core/src/test/resources/google/registry/model/schema.txt index fbaa96931..e45717468 100644 --- a/core/src/test/resources/google/registry/model/schema.txt +++ b/core/src/test/resources/google/registry/model/schema.txt @@ -825,18 +825,6 @@ enum google.registry.model.reporting.HistoryEntry$Type { RDE_IMPORT; SYNTHETIC; } -class google.registry.model.server.KmsSecret { - @Id java.lang.String name; - @Parent com.googlecode.objectify.Key parent; - com.googlecode.objectify.Key latestRevision; -} -class google.registry.model.server.KmsSecretRevision { - @Id long revisionKey; - @Parent com.googlecode.objectify.Key parent; - google.registry.model.CreateAutoTimestamp creationTime; - java.lang.String encryptedValue; - java.lang.String kmsCryptoKeyVersionName; -} class google.registry.model.server.Lock { @Id java.lang.String lockId; java.lang.String requestLogId; 
diff --git a/db/src/main/resources/sql/schema/db-schema.sql.generated b/db/src/main/resources/sql/schema/db-schema.sql.generated index 0960ec13b..f21f543cb 100644 --- a/db/src/main/resources/sql/schema/db-schema.sql.generated +++ b/db/src/main/resources/sql/schema/db-schema.sql.generated @@ -491,15 +491,6 @@ primary key (host_repo_id, history_revision_id) ); - create table "KmsSecret" ( - revision_id int8 not null, - creation_time timestamptz not null, - encrypted_value text not null, - crypto_key_version_name text not null, - secret_name text not null, - primary key (revision_id) - ); - create table "Lock" ( resource_name text not null, scope text not null, @@ -806,7 +797,6 @@ create index IDX1iy7njgb7wjmj9piml4l2g0qi on "HostHistory" (history_registrar_id create index IDXkkwbwcwvrdkkqothkiye4jiff on "HostHistory" (host_name); create index IDXknk8gmj7s47q56cwpa6rmpt5l on "HostHistory" (history_type); create index IDX67qwkjtlq5q8dv6egtrtnhqi7 on "HostHistory" (history_modification_time); -create index IDXli9nil3s4t4p21i3xluvvilb7 on "KmsSecret" (secret_name); create index IDXe7wu46c7wpvfmfnj4565abibp on "PollMessage" (registrar_id); create index IDXaydgox62uno9qx8cjlj5lauye on "PollMessage" (event_time); create index premiumlist_name_idx on "PremiumList" (name);