Add "pubapi" App Engine service for check API, WHOIS, and RDAP

The migration plan is as follows: 1. This CL, which adds the new "pubapi" service that serves the check API, WHOIS, and RDAP. 2a. Update our public facing sites to switch over to use the new service. 2b. (either order) Rewrite the check API to remove dependencies on flows. 3. ... eventually, once the frontend service is no longer being hit by this traffic, remove its handling of these public endpoints. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=197716346
2025-05-15 08:57:12 +02:00 · 2018-05-23 06:45:35 -07:00 · 2018-05-23 06:45:35 -07:00 · ac500652ac
commit ac500652ac
parent a5abb05761
22 changed files with 865 additions and 0 deletions
--- a/java/google/registry/env/common/pubapi/WEB-INF/dos.xml
+++ b/java/google/registry/env/common/pubapi/WEB-INF/dos.xml
@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<blacklistentries>
+
+  <!-- Example IPv4 CIDR Subnet
+  <blacklist>
+    <subnet>1.2.3.4/24</subnet>
+    <description>An IPv4 subnet</description>
+  </blacklist> -->
+
+  <!-- Example IPv6 CIDR Subnet
+  <blacklist>
+    <subnet>abcd::123:4567/48</subnet>
+    <description>An IPv6 subnet</description>
+  </blacklist> -->
+
+</blacklistentries>
--- a/java/google/registry/env/common/pubapi/WEB-INF/logging.properties
+++ b/java/google/registry/env/common/pubapi/WEB-INF/logging.properties
@ -0,0 +1,13 @@
+# A default java.util.logging configuration.
+# (All App Engine logging is through java.util.logging by default).
+#
+# To use this configuration, copy it into your application's WEB-INF
+# folder and add the following to your appengine-web.xml:
+#
+# <system-properties>
+#   <property name="java.util.logging.config.file" value="WEB-INF/logging.properties"/>
+# </system-properties>
+#
+
+# Set the default logging level for all loggers to INFO.
+.level = INFO
--- a/java/google/registry/env/common/pubapi/WEB-INF/web.xml
+++ b/java/google/registry/env/common/pubapi/WEB-INF/web.xml
@ -0,0 +1,129 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
+                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
+  <!-- Servlets -->
+
+  <!-- Servlet for injected frontend actions -->
+  <servlet>
+    <display-name>PubApiServlet</display-name>
+    <servlet-name>pubapi-servlet</servlet-name>
+    <servlet-class>google.registry.module.pubapi.PubApiServlet</servlet-class>
+    <load-on-startup>1</load-on-startup>
+  </servlet>
+
+  <!-- HTTP WHOIS. -->
+  <servlet-mapping>
+    <servlet-name>pubapi-servlet</servlet-name>
+    <url-pattern>/whois/*</url-pattern>
+  </servlet-mapping>
+
+  <!-- Protocol WHOIS. -->
+  <servlet-mapping>
+    <servlet-name>pubapi-servlet</servlet-name>
+    <url-pattern>/_dr/whois</url-pattern>
+  </servlet-mapping>
+
+  <!-- RDAP (new WHOIS). -->
+  <servlet-mapping>
+    <servlet-name>pubapi-servlet</servlet-name>
+    <url-pattern>/rdap/*</url-pattern>
+  </servlet-mapping>
+
+  <!-- Public API to do availability checks -->
+  <servlet-mapping>
+    <servlet-name>pubapi-servlet</servlet-name>
+    <url-pattern>/check</url-pattern>
+  </servlet-mapping>
+
+  <!-- Security config -->
+  <security-constraint>
+    <web-resource-collection>
+      <web-resource-name>Internal</web-resource-name>
+      <description>
+        Admin-only internal section.  Requests for paths covered by the URL patterns below will be
+        checked for a logged-in user account that's allowed to access the AppEngine admin console
+        (NOTE: this includes Editor/Viewer permissions in addition to Owner and the new IAM
+        App Engine Admin role.  See https://cloud.google.com/appengine/docs/java/access-control
+        specifically the "Access handlers that have a login:admin restriction" line.)
+
+        TODO(b/28219927): lift some of these restrictions so that we can allow OAuth authentication
+        for endpoints that need to be accessed by open-source automated processes.
+      </description>
+
+      <!-- Internal AppEngine endpoints.  The '_ah' is short for app hosting.  -->
+      <url-pattern>/_ah/*</url-pattern>
+
+      <!-- Verbatim JavaScript sources (only visible to admins for debugging). -->
+      <url-pattern>/assets/sources/*</url-pattern>
+
+      <!-- TODO(b/26776367): Move these files to /assets/sources. -->
+      <url-pattern>/assets/js/registrar_bin.js.map</url-pattern>
+      <url-pattern>/assets/js/registrar_dbg.js</url-pattern>
+      <url-pattern>/assets/js/brain_bin.js.map</url-pattern>
+      <url-pattern>/assets/css/registrar_dbg.css</url-pattern>
+
+    </web-resource-collection>
+    <auth-constraint>
+      <role-name>admin</role-name>
+    </auth-constraint>
+
+    <!-- Repeated here since catch-all rule below is not inherited. -->
+    <user-data-constraint>
+      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+    </user-data-constraint>
+  </security-constraint>
+
+  <security-constraint>
+    <web-resource-collection>
+      <web-resource-name>Registrar console</web-resource-name>
+      <description>
+        Registrar console requires user login.  This is in addition to the
+        code-level "requireLogin" configuration on individual @Actions.
+      </description>
+      <url-pattern>/registrar*</url-pattern>
+    </web-resource-collection>
+    <auth-constraint>
+      <role-name>*</role-name>
+    </auth-constraint>
+    <!-- Repeated here since catch-all rule below is not inherited. -->
+    <user-data-constraint>
+      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+    </user-data-constraint>
+  </security-constraint>
+
+  <!-- Require TLS on all requests. -->
+  <security-constraint>
+    <web-resource-collection>
+      <web-resource-name>Secure</web-resource-name>
+      <description>
+        Require encryption for all paths. http URLs will be redirected to https.
+      </description>
+      <url-pattern>/*</url-pattern>
+    </web-resource-collection>
+    <user-data-constraint>
+      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+    </user-data-constraint>
+  </security-constraint>
+
+  <!-- See: https://code.google.com/p/objectify-appengine/wiki/Setup -->
+  <filter>
+    <filter-name>ObjectifyFilter</filter-name>
+    <filter-class>com.googlecode.objectify.ObjectifyFilter</filter-class>
+  </filter>
+  <filter-mapping>
+    <filter-name>ObjectifyFilter</filter-name>
+    <url-pattern>/*</url-pattern>
+  </filter-mapping>
+
+  <!-- Register types with Objectify. -->
+  <filter>
+    <filter-name>OfyFilter</filter-name>
+    <filter-class>google.registry.model.ofy.OfyFilter</filter-class>
+  </filter>
+  <filter-mapping>
+    <filter-name>OfyFilter</filter-name>
+    <url-pattern>/*</url-pattern>
+  </filter-mapping>
+</web-app>