diff --git a/java/google/registry/env/common/tools/WEB-INF/web.xml b/java/google/registry/env/common/tools/WEB-INF/web.xml
index 829c5ddcf..eb7dde515 100644
--- a/java/google/registry/env/common/tools/WEB-INF/web.xml
+++ b/java/google/registry/env/common/tools/WEB-INF/web.xml
@@ -48,11 +48,6 @@ /_dr/loadtest - - tools-servlet - /_dr/admin/downloadCredential - - Remote API Servlet
diff --git a/java/google/registry/keyring/api/InMemoryKeyring.java b/java/google/registry/keyring/api/InMemoryKeyring.java
index e81480ff5..d2bcf8775 100644
--- a/java/google/registry/keyring/api/InMemoryKeyring.java
+++ b/java/google/registry/keyring/api/InMemoryKeyring.java
@@ -149,17 +149,6 @@ public final class InMemoryKeyring implements Keyring {
 return jsonCredential;
 }
- @Override
- public String getEncryptedData(String keyName) {
- throw new RuntimeException(
- "In-memory keyring does not support the retrieval of encrypted data.");
- }
-
- @Override
- public byte[] getDecryptedData(String keyName, String encryptedData) {
- throw new RuntimeException("In-memory keyring does not support decrypting of supplied data.");
- }
-
 /** Does nothing. */
 @Override
 public void close() {}
diff --git a/java/google/registry/keyring/api/KeyModule.java b/java/google/registry/keyring/api/KeyModule.java
index 77016aec1..d4282e28d 100644
--- a/java/google/registry/keyring/api/KeyModule.java
+++ b/java/google/registry/keyring/api/KeyModule.java
@@ -20,9 +20,6 @@ import dagger.Module;
 import dagger.Provides;
 import java.lang.annotation.Documented;
 import java.util.Optional;
-import java.util.function.BiFunction;
-import java.util.function.Function;
-import javax.inject.Named;
 import javax.inject.Qualifier;
 import org.bouncycastle.openpgp.PGPKeyPair;
 import org.bouncycastle.openpgp.PGPPrivateKey;
@@ -129,16 +126,4 @@ public final class KeyModule {
 static String provideJsonCredential(Keyring keyring) {
 return keyring.getJsonCredential();
 }
-
- @Provides
- @Named("encryptedDataRetriever")
- static Function provideEncryptedDataRetriever(Keyring keyring) {
- return keyring::getEncryptedData;
- }
-
- @Provides
- @Named("keyringDecrypter")
- static BiFunction provideKeyringDecrypter(Keyring keyring) {
- return keyring::getDecryptedData;
- }
 }
diff --git a/java/google/registry/keyring/api/Keyring.java b/java/google/registry/keyring/api/Keyring.java
index 1b7b583ca..ff6b51cc4 100644
--- a/java/google/registry/keyring/api/Keyring.java
+++ b/java/google/registry/keyring/api/Keyring.java
@@ -151,15 +151,6 @@ public interface Keyring extends AutoCloseable {
 */
 String getJsonCredential();
- /**
- * Returns the encrypted data for the given key name. Only use this method when decryption is not
- * required.
- */
- String getEncryptedData(String keyName);
-
- /** Decrypts the given encrypted data using the key name. */
- byte[] getDecryptedData(String keyName, String encryptedData);
-
 // Don't throw so try-with-resources works better.
 @Override
 void close();
diff --git a/java/google/registry/keyring/kms/KmsKeyring.java b/java/google/registry/keyring/kms/KmsKeyring.java
index c4d2f30d7..e8968784f 100644
--- a/java/google/registry/keyring/kms/KmsKeyring.java
+++ b/java/google/registry/keyring/kms/KmsKeyring.java
@@ -42,31 +42,31 @@ import org.bouncycastle.openpgp.PGPPublicKey;
 public class KmsKeyring implements Keyring {
 /** Key labels for private key secrets. */
- public enum PrivateKeyLabel {
+ enum PrivateKeyLabel {
 BRDA_SIGNING_PRIVATE,
 RDE_SIGNING_PRIVATE,
 RDE_STAGING_PRIVATE;
- public String getLabel() {
+ String getLabel() {
 return UPPER_UNDERSCORE.to(LOWER_HYPHEN, name());
 }
 }
 /** Key labels for public key secrets. */
- public enum PublicKeyLabel {
+ enum PublicKeyLabel {
 BRDA_RECEIVER_PUBLIC,
 BRDA_SIGNING_PUBLIC,
 RDE_RECEIVER_PUBLIC,
 RDE_SIGNING_PUBLIC,
 RDE_STAGING_PUBLIC;
- public String getLabel() {
+ String getLabel() {
 return UPPER_UNDERSCORE.to(LOWER_HYPHEN, name());
 }
 }
 /** Key labels for string secrets. */
- public enum StringKeyLabel {
+ enum StringKeyLabel {
 SAFE_BROWSING_API_KEY,
 ICANN_REPORTING_PASSWORD_STRING,
 JSON_CREDENTIAL_STRING,
@@ -76,7 +76,7 @@ public class KmsKeyring implements Keyring {
 RDE_SSH_CLIENT_PRIVATE_STRING,
 RDE_SSH_CLIENT_PUBLIC_STRING;
- public String getLabel() {
+ String getLabel() {
 return UPPER_UNDERSCORE.to(LOWER_HYPHEN, name());
 }
 }
@@ -158,27 +158,10 @@ public class KmsKeyring implements Keyring {
 return getString(StringKeyLabel.JSON_CREDENTIAL_STRING);
 }
- @Override
- public String getEncryptedData(String keyName) {
- KmsSecret secret = getSecret(keyName);
- return ofy().load().key(secret.getLatestRevision()).now().getEncryptedValue();
- }
-
- private String getEncryptedData(KmsSecret secret) {
- return ofy().load().key(secret.getLatestRevision()).now().getEncryptedValue();
- }
-
 /** No persistent resources are maintained for this Keyring implementation. */
 @Override
 public void close() {}
- private KmsSecret getSecret(String keyName) {
- KmsSecret secret =
- ofy().load().key(Key.create(getCrossTldKey(), KmsSecret.class, keyName)).now();
- checkState(secret != null, "Requested secret '%s' does not exist.", keyName);
- return secret;
- }
-
 private String getString(StringKeyLabel keyLabel) {
 return KeySerializer.deserializeString(getDecryptedData(keyLabel.getLabel()));
 }
@@ -205,27 +188,16 @@ public class KmsKeyring implements Keyring {
 }
 private byte[] getDecryptedData(String keyName) {
- String encryptedData = getEncryptedData(keyName);
- return getDecryptedData(keyName, encryptedData);
- }
+ KmsSecret secret =
+ ofy().load().key(Key.create(getCrossTldKey(), KmsSecret.class, keyName)).now();
+ checkState(secret != null, "Requested secret '%s' does not exist.", keyName);
+ String encryptedData = ofy().load().key(secret.getLatestRevision()).now().getEncryptedValue();
- private byte[] getDecryptedData(KmsSecret secret) {
- String encryptedData = getEncryptedData(secret);
- return getDecryptedData(secret, encryptedData);
- }
-
- private byte[] getDecryptedData(KmsSecret secret, String encryptedData) {
 try {
 return kmsConnection.decrypt(secret.getName(), encryptedData);
 } catch (Exception e) {
 throw new KeyringException(
- String.format("CloudKMS decrypt operation failed for secret %s", secret.getName()), e);
+ String.format("CloudKMS decrypt operation failed for secret %s", keyName), e);
 }
 }
-
- @Override
- public byte[] getDecryptedData(String keyName, String encryptedData) {
- KmsSecret secret = getSecret(keyName);
- return getDecryptedData(secret);
- }
 }
diff --git a/java/google/registry/module/tools/ToolsRequestComponent.java b/java/google/registry/module/tools/ToolsRequestComponent.java
index b0ae7d38c..633a38709 100644
--- a/java/google/registry/module/tools/ToolsRequestComponent.java
+++ b/java/google/registry/module/tools/ToolsRequestComponent.java
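Review bot: In the rewritten `getDecryptedData(String keyName)`, the second load `ofy().load().key(secret.getLatestRevision()).now()` is dereferenced with `.getEncryptedValue()` without a null check, even though the `checkState` on the line above treats a null result from the same kind of load as a real possibility. A secret whose latest revision entity is missing would then fail with a bare NullPointerException instead of an error that names the secret, which makes a broken keyring harder to diagnose. Consider loading into a local and guarding it: `KmsSecretRevision revision = ofy().load().key(secret.getLatestRevision()).now();` followed by `checkState(revision != null, "Latest revision of secret '%s' does not exist.", keyName);` (this assumes `KmsSecretRevision` is, or can be, imported in this file). Both checks sit outside the `try`, so they presumably surface as IllegalStateException rather than KeyringException; worth confirming callers expect that.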
@@ -32,7 +32,6 @@ import google.registry.request.RequestScope;
 import google.registry.tools.server.CreateGroupsAction;
 import google.registry.tools.server.CreatePremiumListAction;
 import google.registry.tools.server.DeleteEntityAction;
-import google.registry.tools.server.DownloadServiceAccountCredentialAction;
 import google.registry.tools.server.GenerateZoneFilesAction;
 import google.registry.tools.server.KillAllCommitLogsAction;
 import google.registry.tools.server.KillAllEppResourcesAction;
@@ -65,7 +64,6 @@ import google.registry.tools.server.VerifyOteAction;
 interface ToolsRequestComponent {
 CreateGroupsAction createGroupsAction();
 CreatePremiumListAction createPremiumListAction();
- DownloadServiceAccountCredentialAction downloadServiceAccountCredentialAction();
 DeleteEntityAction deleteEntityAction();
 EppToolAction eppToolAction();
 FlowComponent.Builder flowComponentBuilder();
diff --git a/java/google/registry/tools/server/BUILD b/java/google/registry/tools/server/BUILD
index ba98ef8e4..0c2fa9cda 100644
--- a/java/google/registry/tools/server/BUILD
+++ b/java/google/registry/tools/server/BUILD
@@ -14,7 +14,6 @@ java_library(
 "//java/google/registry/flows",
 "//java/google/registry/gcs",
 "//java/google/registry/groups",
- "//java/google/registry/keyring/kms",
 "//java/google/registry/mapreduce",
 "//java/google/registry/mapreduce/inputs",
 "//java/google/registry/model",
diff --git a/java/google/registry/tools/server/DownloadServiceAccountCredentialAction.java b/java/google/registry/tools/server/DownloadServiceAccountCredentialAction.java
deleted file mode 100644
index eb208a7d7..000000000
--- a/java/google/registry/tools/server/DownloadServiceAccountCredentialAction.java
+++ /dev/null
@@ -1,70 +0,0 @@
-// Copyright 2018 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.tools.server;
-
-import static google.registry.request.Action.Method.GET;
-import static java.nio.charset.StandardCharsets.UTF_8;
-import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
-
-import com.google.common.flogger.FluentLogger;
-import com.google.common.io.BaseEncoding;
-import com.google.common.net.MediaType;
-import google.registry.keyring.kms.KmsKeyring.StringKeyLabel;
-import google.registry.request.Action;
-import google.registry.request.Response;
-import google.registry.request.auth.Auth;
-import java.util.function.Function;
-import javax.inject.Inject;
-import javax.inject.Named;
-
-/**
- * An action that returns KMS encrypted service account credential in its payload.
- *
- * This credential can be stored locally, and a {@code RemoteApiOptions} can use it to initialize
- * an {@code AppEngineConnection}.
- */
-@Action(
- path = DownloadServiceAccountCredentialAction.PATH,
- method = {GET},
- auth = Auth.AUTH_INTERNAL_ONLY)
-public class DownloadServiceAccountCredentialAction implements Runnable {
-
- private static final FluentLogger logger = FluentLogger.forEnclosingClass();
-
- public static final String PATH = "/_dr/admin/downloadCredential";
-
- @Inject
- @Named("encryptedDataRetriever")
- Function encryptedDataRetriever;
-
- @Inject Response response;
-
- @Inject
- DownloadServiceAccountCredentialAction() {}
-
- @Override
- public void run() {
- try {
- String encryptedJsonCredential =
- encryptedDataRetriever.apply(StringKeyLabel.JSON_CREDENTIAL_STRING.getLabel());
- response.setContentType(MediaType.APPLICATION_BINARY);
- response.setPayload(BaseEncoding.base64().encode(encryptedJsonCredential.getBytes(UTF_8)));
- } catch (Exception e) {
- logger.atSevere().withCause(e).log("Cannot retrieve encrypted service account credential.");
- response.setPayload(e.getMessage());
- response.setStatus(SC_INTERNAL_SERVER_ERROR);
- }
- }
-}
diff --git a/javatests/google/registry/keyring/kms/KmsKeyringTest.java b/javatests/google/registry/keyring/kms/KmsKeyringTest.java
index 94709f3f8..9bf52aca5 100644
--- a/javatests/google/registry/keyring/kms/KmsKeyringTest.java
+++ b/javatests/google/registry/keyring/kms/KmsKeyringTest.java
@@ -16,10 +16,8 @@ package google.registry.keyring.kms;
 import static com.google.common.truth.Truth.assertThat;
 import static google.registry.testing.DatastoreHelper.persistResources;
-import static java.nio.charset.StandardCharsets.UTF_8;
 import com.google.common.collect.ImmutableList;
-import com.google.common.io.BaseEncoding;
 import google.registry.keyring.api.KeySerializer;
 import google.registry.model.server.KmsSecret;
 import google.registry.model.server.KmsSecretRevision;
@@ -29,7 +27,6 @@ import google.registry.testing.BouncyCastleProviderRule;
 import org.bouncycastle.openpgp.PGPKeyPair;
 import org.bouncycastle.openpgp.PGPPrivateKey;
 import org.bouncycastle.openpgp.PGPPublicKey;
-import org.bouncycastle.util.Arrays;
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
@@ -177,30 +174,6 @@ public class KmsKeyringTest {
 assertThat(jsonCredential).isEqualTo("json-credential-stringmoo");
 }
- @Test
- public void test_getEncryptedJsonCredential() {
- saveCleartextSecret("json-credential-string");
-
- String encryptedJsonCredential = keyring.getEncryptedData("json-credential-string");
-
- assertThat(
- new String(
- Arrays.reverse(BaseEncoding.base64().decode(encryptedJsonCredential)), UTF_8))
- .isEqualTo("json-credential-stringmoo");
- }
-
- @Test
- public void test_decryptJsonCredential() {
- saveCleartextSecret("json-credential-string");
-
- String encryptedJsonCredential = keyring.getEncryptedData("json-credential-string");
-
- assertThat(
- new String(
- keyring.getDecryptedData("json-credential-string", encryptedJsonCredential), UTF_8))
- .isEqualTo("json-credential-stringmoo");
- }
-
 private static void persistSecret(String secretName, byte[] secretValue) {
 KmsConnection kmsConnection = new FakeKmsConnection();
diff --git a/javatests/google/registry/module/tools/testdata/tools_routing.txt b/javatests/google/registry/module/tools/testdata/tools_routing.txt
index 5673094cb..40756e6f4 100644
--- a/javatests/google/registry/module/tools/testdata/tools_routing.txt
+++ b/javatests/google/registry/module/tools/testdata/tools_routing.txt
@@ -1,22 +1,21 @@
-PATH CLASS METHODS OK AUTH_METHODS MIN USER_POLICY
-/_dr/admin/createGroups CreateGroupsAction POST n INTERNAL,API APP ADMIN
-/_dr/admin/createPremiumList CreatePremiumListAction POST n INTERNAL,API APP ADMIN
-/_dr/admin/deleteEntity DeleteEntityAction GET n INTERNAL,API APP ADMIN
-/_dr/admin/downloadCredential DownloadServiceAccountCredentialAction GET n INTERNAL APP IGNORED
-/_dr/admin/list/domains ListDomainsAction GET,POST n INTERNAL,API APP ADMIN
-/_dr/admin/list/hosts ListHostsAction GET,POST n INTERNAL,API APP ADMIN
-/_dr/admin/list/premiumLists ListPremiumListsAction GET,POST n INTERNAL,API APP ADMIN
-/_dr/admin/list/registrars ListRegistrarsAction GET,POST n INTERNAL,API APP ADMIN
-/_dr/admin/list/reservedLists ListReservedListsAction GET,POST n INTERNAL,API APP ADMIN
-/_dr/admin/list/tlds ListTldsAction GET,POST n INTERNAL,API APP ADMIN
-/_dr/admin/updatePremiumList UpdatePremiumListAction POST n INTERNAL,API APP ADMIN
-/_dr/admin/verifyOte VerifyOteAction POST n INTERNAL,API APP ADMIN
-/_dr/epptool EppToolAction POST n INTERNAL,API APP ADMIN
-/_dr/loadtest LoadTestAction POST y INTERNAL,API APP ADMIN
-/_dr/task/generateZoneFiles GenerateZoneFilesAction POST n INTERNAL,API APP ADMIN
-/_dr/task/killAllCommitLogs KillAllCommitLogsAction POST n INTERNAL APP IGNORED
-/_dr/task/killAllEppResources KillAllEppResourcesAction POST n INTERNAL APP IGNORED
-/_dr/task/pollMapreduce PollMapreduceAction POST n INTERNAL APP IGNORED
-/_dr/task/refreshDnsForAllDomains RefreshDnsForAllDomainsAction GET n INTERNAL,API APP ADMIN
-/_dr/task/resaveAllHistoryEntries ResaveAllHistoryEntriesAction GET n INTERNAL,API APP ADMIN
-/_dr/task/restoreCommitLogs RestoreCommitLogsAction POST y INTERNAL,API APP ADMIN
+PATH CLASS METHODS OK AUTH_METHODS MIN USER_POLICY
+/_dr/admin/createGroups CreateGroupsAction POST n INTERNAL,API APP ADMIN
+/_dr/admin/createPremiumList CreatePremiumListAction POST n INTERNAL,API APP ADMIN
+/_dr/admin/deleteEntity DeleteEntityAction GET n INTERNAL,API APP ADMIN
+/_dr/admin/list/domains ListDomainsAction GET,POST n INTERNAL,API APP ADMIN
+/_dr/admin/list/hosts ListHostsAction GET,POST n INTERNAL,API APP ADMIN
+/_dr/admin/list/premiumLists ListPremiumListsAction GET,POST n INTERNAL,API APP ADMIN
+/_dr/admin/list/registrars ListRegistrarsAction GET,POST n INTERNAL,API APP ADMIN
+/_dr/admin/list/reservedLists ListReservedListsAction GET,POST n INTERNAL,API APP ADMIN
+/_dr/admin/list/tlds ListTldsAction GET,POST n INTERNAL,API APP ADMIN
+/_dr/admin/updatePremiumList UpdatePremiumListAction POST n INTERNAL,API APP ADMIN
+/_dr/admin/verifyOte VerifyOteAction POST n INTERNAL,API APP ADMIN
+/_dr/epptool EppToolAction POST n INTERNAL,API APP ADMIN
+/_dr/loadtest LoadTestAction POST y INTERNAL,API APP ADMIN
+/_dr/task/generateZoneFiles GenerateZoneFilesAction POST n INTERNAL,API APP ADMIN
+/_dr/task/killAllCommitLogs KillAllCommitLogsAction POST n INTERNAL APP IGNORED
+/_dr/task/killAllEppResources KillAllEppResourcesAction POST n INTERNAL APP IGNORED
+/_dr/task/pollMapreduce PollMapreduceAction POST n INTERNAL APP IGNORED
+/_dr/task/refreshDnsForAllDomains RefreshDnsForAllDomainsAction GET n INTERNAL,API APP ADMIN
+/_dr/task/resaveAllHistoryEntries ResaveAllHistoryEntriesAction GET n INTERNAL,API APP ADMIN
+/_dr/task/restoreCommitLogs RestoreCommitLogsAction POST y INTERNAL,API APP ADMIN
diff --git a/javatests/google/registry/testing/FakeKeyringModule.java b/javatests/google/registry/testing/FakeKeyringModule.java
index 916aad50c..f0328e6b6 100644
--- a/javatests/google/registry/testing/FakeKeyringModule.java
+++ b/javatests/google/registry/testing/FakeKeyringModule.java
@@ -150,17 +150,6 @@ public final class FakeKeyringModule {
 return rdeReceiverKey;
 }
- @Override
- public String getEncryptedData(String keyName) {
- throw new RuntimeException(
- "Fake keyring does not support the retrieval of encrypted data.");
- }
-
- @Override
- public byte[] getDecryptedData(String keyName, String encryptedData) {
- throw new RuntimeException("Fake keyring does not support decrypting of supplied data.");
- }
-
 @Override
 public void close() {}
 };
diff --git a/javatests/google/registry/tools/server/DownloadServiceAccountCredentialActionTest.java b/javatests/google/registry/tools/server/DownloadServiceAccountCredentialActionTest.java
deleted file mode 100644
index ffbbef651..000000000
--- a/javatests/google/registry/tools/server/DownloadServiceAccountCredentialActionTest.java
+++ /dev/null
@@ -1,66 +0,0 @@
-// Copyright 2018 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.tools.server;
-
-import static com.google.common.truth.Truth.assertThat;
-import static java.nio.charset.StandardCharsets.UTF_8;
-import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
-import static javax.servlet.http.HttpServletResponse.SC_OK;
-
-import com.google.common.io.BaseEncoding;
-import com.google.common.net.MediaType;
-import google.registry.testing.FakeResponse;
-import java.util.function.Function;
-import org.junit.Before;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.junit.runners.JUnit4;
-
-/** Unit tests for {@link google.registry.tools.server.DownloadServiceAccountCredentialAction}. */
-@RunWith(JUnit4.class)
-public class DownloadServiceAccountCredentialActionTest {
-
- private final DownloadServiceAccountCredentialAction action =
- new DownloadServiceAccountCredentialAction();
- private final FakeResponse response = new FakeResponse();
- private final Function encryptedDataRetriever = input -> input + "_mohaha";
-
- @Before
- public void setUp() {
- action.response = response;
- action.encryptedDataRetriever = encryptedDataRetriever;
- }
-
- @Test
- public void testSuccess_returnServiceAccountCredential() {
- action.run();
- assertThat(response.getStatus()).isEqualTo(SC_OK);
- assertThat(response.getContentType()).isEqualTo(MediaType.APPLICATION_BINARY);
- assertThat(new String(BaseEncoding.base64().decode(response.getPayload()), UTF_8))
- .isEqualTo("json-credential-string_mohaha");
- }
-
- @Test
- public void testFailure_cannotGetEncryptedCredential() {
- action.encryptedDataRetriever =
- input -> {
- throw new RuntimeException("Something went wrong.");
- };
- action.run();
- assertThat(response.getStatus()).isEqualTo(SC_INTERNAL_SERVER_ERROR);
- assertThat(response.getContentType()).isEqualTo(MediaType.HTML_UTF_8);
- assertThat(response.getPayload()).isEqualTo("Something went wrong.");
- }
-}