zydronium/google-nomulus
1
0
Fork 0
mirror of https://github.com/google/nomulus.git synced 2025-05-13 07:57:13 +02:00
Code Issues Projects Releases Packages Wiki Activity

Remove the ability to download service account credentials

Browse source 
-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=224034254
This commit is contained in:
jianglai 2018-12-04 13:19:27 -08:00
parent 879c48b079
commit aeedc427ad
12 changed files with 32 additions and 278 deletions
Download patch file Download diff file Expand all files Collapse all files

5
java/google/registry/env/common/tools/WEB-INF/web.xml vendored
View file

@ -48,11 +48,6 @@
<url-pattern>/_dr/loadtest</url-pattern> <url-pattern>/_dr/loadtest</url-pattern>
</servlet-mapping> </servlet-mapping>
<servlet-mapping>
<servlet-name>tools-servlet</servlet-name>
<url-pattern>/_dr/admin/downloadCredential</url-pattern>
</servlet-mapping>
<!-- The nomulus command line tool uses this endpoint to write to Datastore. --> <!-- The nomulus command line tool uses this endpoint to write to Datastore. -->
<servlet> <servlet>
<display-name>Remote API Servlet</display-name> <display-name>Remote API Servlet</display-name>

11
java/google/registry/keyring/api/InMemoryKeyring.java
View file

@ -149,17 +149,6 @@ public final class InMemoryKeyring implements Keyring {
return jsonCredential; return jsonCredential;
} }
@Override
public String getEncryptedData(String keyName) {
throw new RuntimeException(
"In-memory keyring does not support the retrieval of encrypted data.");
}
@Override
public byte[] getDecryptedData(String keyName, String encryptedData) {
throw new RuntimeException("In-memory keyring does not support decrypting of supplied data.");
}
/** Does nothing. */ /** Does nothing. */
@Override @Override
public void close() {} public void close() {}

15
java/google/registry/keyring/api/KeyModule.java
View file

@ -20,9 +20,6 @@ import dagger.Module;
import dagger.Provides; import dagger.Provides;
import java.lang.annotation.Documented; import java.lang.annotation.Documented;
import java.util.Optional; import java.util.Optional;
import java.util.function.BiFunction;
import java.util.function.Function;
import javax.inject.Named;
import javax.inject.Qualifier; import javax.inject.Qualifier;
import org.bouncycastle.openpgp.PGPKeyPair; import org.bouncycastle.openpgp.PGPKeyPair;
import org.bouncycastle.openpgp.PGPPrivateKey; import org.bouncycastle.openpgp.PGPPrivateKey;
@ -129,16 +126,4 @@ public final class KeyModule {
static String provideJsonCredential(Keyring keyring) { static String provideJsonCredential(Keyring keyring) {
return keyring.getJsonCredential(); return keyring.getJsonCredential();
} }
@Provides
@Named("encryptedDataRetriever")
static Function<String, String> provideEncryptedDataRetriever(Keyring keyring) {
return keyring::getEncryptedData;
}
@Provides
@Named("keyringDecrypter")
static BiFunction<String, String, byte[]> provideKeyringDecrypter(Keyring keyring) {
return keyring::getDecryptedData;
}
} }

9
java/google/registry/keyring/api/Keyring.java
View file

@ -151,15 +151,6 @@ public interface Keyring extends AutoCloseable {
*/ */
String getJsonCredential(); String getJsonCredential();
/**
* Returns the encrypted data for the given key name. Only use this method when decryption is not
* required.
*/
String getEncryptedData(String keyName);
/** Decrypts the given encrypted data using the key name. */
byte[] getDecryptedData(String keyName, String encryptedData);
// Don't throw so try-with-resources works better. // Don't throw so try-with-resources works better.
@Override @Override
void close(); void close();

50
java/google/registry/keyring/kms/KmsKeyring.java
View file

@ -42,31 +42,31 @@ import org.bouncycastle.openpgp.PGPPublicKey;
public class KmsKeyring implements Keyring { public class KmsKeyring implements Keyring {
/** Key labels for private key secrets. */ /** Key labels for private key secrets. */
public enum PrivateKeyLabel { enum PrivateKeyLabel {
BRDA_SIGNING_PRIVATE, BRDA_SIGNING_PRIVATE,
RDE_SIGNING_PRIVATE, RDE_SIGNING_PRIVATE,
RDE_STAGING_PRIVATE; RDE_STAGING_PRIVATE;
public String getLabel() { String getLabel() {
return UPPER_UNDERSCORE.to(LOWER_HYPHEN, name()); return UPPER_UNDERSCORE.to(LOWER_HYPHEN, name());
} }
} }
/** Key labels for public key secrets. */ /** Key labels for public key secrets. */
public enum PublicKeyLabel { enum PublicKeyLabel {
BRDA_RECEIVER_PUBLIC, BRDA_RECEIVER_PUBLIC,
BRDA_SIGNING_PUBLIC, BRDA_SIGNING_PUBLIC,
RDE_RECEIVER_PUBLIC, RDE_RECEIVER_PUBLIC,
RDE_SIGNING_PUBLIC, RDE_SIGNING_PUBLIC,
RDE_STAGING_PUBLIC; RDE_STAGING_PUBLIC;
public String getLabel() { String getLabel() {
return UPPER_UNDERSCORE.to(LOWER_HYPHEN, name()); return UPPER_UNDERSCORE.to(LOWER_HYPHEN, name());
} }
} }
/** Key labels for string secrets. */ /** Key labels for string secrets. */
public enum StringKeyLabel { enum StringKeyLabel {
SAFE_BROWSING_API_KEY, SAFE_BROWSING_API_KEY,
ICANN_REPORTING_PASSWORD_STRING, ICANN_REPORTING_PASSWORD_STRING,
JSON_CREDENTIAL_STRING, JSON_CREDENTIAL_STRING,
@ -76,7 +76,7 @@ public class KmsKeyring implements Keyring {
RDE_SSH_CLIENT_PRIVATE_STRING, RDE_SSH_CLIENT_PRIVATE_STRING,
RDE_SSH_CLIENT_PUBLIC_STRING; RDE_SSH_CLIENT_PUBLIC_STRING;
public String getLabel() { String getLabel() {
return UPPER_UNDERSCORE.to(LOWER_HYPHEN, name()); return UPPER_UNDERSCORE.to(LOWER_HYPHEN, name());
} }
} }
@ -158,27 +158,10 @@ public class KmsKeyring implements Keyring {
return getString(StringKeyLabel.JSON_CREDENTIAL_STRING); return getString(StringKeyLabel.JSON_CREDENTIAL_STRING);
} }
@Override
public String getEncryptedData(String keyName) {
KmsSecret secret = getSecret(keyName);
return ofy().load().key(secret.getLatestRevision()).now().getEncryptedValue();
}
private String getEncryptedData(KmsSecret secret) {
return ofy().load().key(secret.getLatestRevision()).now().getEncryptedValue();
}
/** No persistent resources are maintained for this Keyring implementation. */ /** No persistent resources are maintained for this Keyring implementation. */
@Override @Override
public void close() {} public void close() {}
private KmsSecret getSecret(String keyName) {
KmsSecret secret =
ofy().load().key(Key.create(getCrossTldKey(), KmsSecret.class, keyName)).now();
checkState(secret != null, "Requested secret '%s' does not exist.", keyName);
return secret;
}
private String getString(StringKeyLabel keyLabel) { private String getString(StringKeyLabel keyLabel) {
return KeySerializer.deserializeString(getDecryptedData(keyLabel.getLabel())); return KeySerializer.deserializeString(getDecryptedData(keyLabel.getLabel()));
} }
@ -205,27 +188,16 @@ public class KmsKeyring implements Keyring {
} }
private byte[] getDecryptedData(String keyName) { private byte[] getDecryptedData(String keyName) {
String encryptedData = getEncryptedData(keyName); KmsSecret secret =
return getDecryptedData(keyName, encryptedData); ofy().load().key(Key.create(getCrossTldKey(), KmsSecret.class, keyName)).now();
} checkState(secret != null, "Requested secret '%s' does not exist.", keyName);
String encryptedData = ofy().load().key(secret.getLatestRevision()).now().getEncryptedValue();
private byte[] getDecryptedData(KmsSecret secret) {
String encryptedData = getEncryptedData(secret);
return getDecryptedData(secret, encryptedData);
}
private byte[] getDecryptedData(KmsSecret secret, String encryptedData) {
try { try {
return kmsConnection.decrypt(secret.getName(), encryptedData); return kmsConnection.decrypt(secret.getName(), encryptedData);
} catch (Exception e) { } catch (Exception e) {
throw new KeyringException( throw new KeyringException(
String.format("CloudKMS decrypt operation failed for secret %s", secret.getName()), e); String.format("CloudKMS decrypt operation failed for secret %s", keyName), e);
} }
} }
@Override
public byte[] getDecryptedData(String keyName, String encryptedData) {
KmsSecret secret = getSecret(keyName);
return getDecryptedData(secret);
}
} }

2
java/google/registry/module/tools/ToolsRequestComponent.java
View file

@ -32,7 +32,6 @@ import google.registry.request.RequestScope;
import google.registry.tools.server.CreateGroupsAction; import google.registry.tools.server.CreateGroupsAction;
import google.registry.tools.server.CreatePremiumListAction; import google.registry.tools.server.CreatePremiumListAction;
import google.registry.tools.server.DeleteEntityAction; import google.registry.tools.server.DeleteEntityAction;
import google.registry.tools.server.DownloadServiceAccountCredentialAction;
import google.registry.tools.server.GenerateZoneFilesAction; import google.registry.tools.server.GenerateZoneFilesAction;
import google.registry.tools.server.KillAllCommitLogsAction; import google.registry.tools.server.KillAllCommitLogsAction;
import google.registry.tools.server.KillAllEppResourcesAction; import google.registry.tools.server.KillAllEppResourcesAction;
@ -65,7 +64,6 @@ import google.registry.tools.server.VerifyOteAction;
interface ToolsRequestComponent { interface ToolsRequestComponent {
CreateGroupsAction createGroupsAction(); CreateGroupsAction createGroupsAction();
CreatePremiumListAction createPremiumListAction(); CreatePremiumListAction createPremiumListAction();
DownloadServiceAccountCredentialAction downloadServiceAccountCredentialAction();
DeleteEntityAction deleteEntityAction(); DeleteEntityAction deleteEntityAction();
EppToolAction eppToolAction(); EppToolAction eppToolAction();
FlowComponent.Builder flowComponentBuilder(); FlowComponent.Builder flowComponentBuilder();

1
java/google/registry/tools/server/BUILD
View file

@ -14,7 +14,6 @@ java_library(
"//java/google/registry/flows", "//java/google/registry/flows",
"//java/google/registry/gcs", "//java/google/registry/gcs",
"//java/google/registry/groups", "//java/google/registry/groups",
"//java/google/registry/keyring/kms",
"//java/google/registry/mapreduce", "//java/google/registry/mapreduce",
"//java/google/registry/mapreduce/inputs", "//java/google/registry/mapreduce/inputs",
"//java/google/registry/model", "//java/google/registry/model",

70
java/google/registry/tools/server/DownloadServiceAccountCredentialAction.java
View file

@ -1,70 +0,0 @@
// Copyright 2018 The Nomulus Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package google.registry.tools.server;
import static google.registry.request.Action.Method.GET;
import static java.nio.charset.StandardCharsets.UTF_8;
import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
import com.google.common.flogger.FluentLogger;
import com.google.common.io.BaseEncoding;
import com.google.common.net.MediaType;
import google.registry.keyring.kms.KmsKeyring.StringKeyLabel;
import google.registry.request.Action;
import google.registry.request.Response;
import google.registry.request.auth.Auth;
import java.util.function.Function;
import javax.inject.Inject;
import javax.inject.Named;
/**
* An action that returns KMS encrypted service account credential in its payload.
*
* <p>This credential can be stored locally, and a {@code RemoteApiOptions} can use it to initialize
* an {@code AppEngineConnection}.
*/
@Action(
path = DownloadServiceAccountCredentialAction.PATH,
method = {GET},
auth = Auth.AUTH_INTERNAL_ONLY)
public class DownloadServiceAccountCredentialAction implements Runnable {
private static final FluentLogger logger = FluentLogger.forEnclosingClass();
public static final String PATH = "/_dr/admin/downloadCredential";
@Inject
@Named("encryptedDataRetriever")
Function<String, String> encryptedDataRetriever;
@Inject Response response;
@Inject
DownloadServiceAccountCredentialAction() {}
@Override
public void run() {
try {
String encryptedJsonCredential =
encryptedDataRetriever.apply(StringKeyLabel.JSON_CREDENTIAL_STRING.getLabel());
response.setContentType(MediaType.APPLICATION_BINARY);
response.setPayload(BaseEncoding.base64().encode(encryptedJsonCredential.getBytes(UTF_8)));
} catch (Exception e) {
logger.atSevere().withCause(e).log("Cannot retrieve encrypted service account credential.");
response.setPayload(e.getMessage());
response.setStatus(SC_INTERNAL_SERVER_ERROR);
}
}
}

27
javatests/google/registry/keyring/kms/KmsKeyringTest.java
View file

@ -16,10 +16,8 @@ package google.registry.keyring.kms;
import static com.google.common.truth.Truth.assertThat; import static com.google.common.truth.Truth.assertThat;
import static google.registry.testing.DatastoreHelper.persistResources; import static google.registry.testing.DatastoreHelper.persistResources;
import static java.nio.charset.StandardCharsets.UTF_8;
import com.google.common.collect.ImmutableList; import com.google.common.collect.ImmutableList;
import com.google.common.io.BaseEncoding;
import google.registry.keyring.api.KeySerializer; import google.registry.keyring.api.KeySerializer;
import google.registry.model.server.KmsSecret; import google.registry.model.server.KmsSecret;
import google.registry.model.server.KmsSecretRevision; import google.registry.model.server.KmsSecretRevision;
@ -29,7 +27,6 @@ import google.registry.testing.BouncyCastleProviderRule;
import org.bouncycastle.openpgp.PGPKeyPair; import org.bouncycastle.openpgp.PGPKeyPair;
import org.bouncycastle.openpgp.PGPPrivateKey; import org.bouncycastle.openpgp.PGPPrivateKey;
import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.util.Arrays;
import org.junit.Before; import org.junit.Before;
import org.junit.Rule; import org.junit.Rule;
import org.junit.Test; import org.junit.Test;
@ -177,30 +174,6 @@ public class KmsKeyringTest {
assertThat(jsonCredential).isEqualTo("json-credential-stringmoo"); assertThat(jsonCredential).isEqualTo("json-credential-stringmoo");
} }
@Test
public void test_getEncryptedJsonCredential() {
saveCleartextSecret("json-credential-string");
String encryptedJsonCredential = keyring.getEncryptedData("json-credential-string");
assertThat(
new String(
Arrays.reverse(BaseEncoding.base64().decode(encryptedJsonCredential)), UTF_8))
.isEqualTo("json-credential-stringmoo");
}
@Test
public void test_decryptJsonCredential() {
saveCleartextSecret("json-credential-string");
String encryptedJsonCredential = keyring.getEncryptedData("json-credential-string");
assertThat(
new String(
keyring.getDecryptedData("json-credential-string", encryptedJsonCredential), UTF_8))
.isEqualTo("json-credential-stringmoo");
}
private static void persistSecret(String secretName, byte[] secretValue) { private static void persistSecret(String secretName, byte[] secretValue) {
KmsConnection kmsConnection = new FakeKmsConnection(); KmsConnection kmsConnection = new FakeKmsConnection();

43
javatests/google/registry/module/tools/testdata/tools_routing.txt vendored
View file

@ -1,22 +1,21 @@
PATH CLASS METHODS OK AUTH_METHODS MIN USER_POLICY PATH CLASS METHODS OK AUTH_METHODS MIN USER_POLICY
/_dr/admin/createGroups CreateGroupsAction POST n INTERNAL,API APP ADMIN /_dr/admin/createGroups CreateGroupsAction POST n INTERNAL,API APP ADMIN
/_dr/admin/createPremiumList CreatePremiumListAction POST n INTERNAL,API APP ADMIN /_dr/admin/createPremiumList CreatePremiumListAction POST n INTERNAL,API APP ADMIN
/_dr/admin/deleteEntity DeleteEntityAction GET n INTERNAL,API APP ADMIN /_dr/admin/deleteEntity DeleteEntityAction GET n INTERNAL,API APP ADMIN
/_dr/admin/downloadCredential DownloadServiceAccountCredentialAction GET n INTERNAL APP IGNORED /_dr/admin/list/domains ListDomainsAction GET,POST n INTERNAL,API APP ADMIN
/_dr/admin/list/domains ListDomainsAction GET,POST n INTERNAL,API APP ADMIN /_dr/admin/list/hosts ListHostsAction GET,POST n INTERNAL,API APP ADMIN
/_dr/admin/list/hosts ListHostsAction GET,POST n INTERNAL,API APP ADMIN /_dr/admin/list/premiumLists ListPremiumListsAction GET,POST n INTERNAL,API APP ADMIN
/_dr/admin/list/premiumLists ListPremiumListsAction GET,POST n INTERNAL,API APP ADMIN /_dr/admin/list/registrars ListRegistrarsAction GET,POST n INTERNAL,API APP ADMIN
/_dr/admin/list/registrars ListRegistrarsAction GET,POST n INTERNAL,API APP ADMIN /_dr/admin/list/reservedLists ListReservedListsAction GET,POST n INTERNAL,API APP ADMIN
/_dr/admin/list/reservedLists ListReservedListsAction GET,POST n INTERNAL,API APP ADMIN /_dr/admin/list/tlds ListTldsAction GET,POST n INTERNAL,API APP ADMIN
/_dr/admin/list/tlds ListTldsAction GET,POST n INTERNAL,API APP ADMIN /_dr/admin/updatePremiumList UpdatePremiumListAction POST n INTERNAL,API APP ADMIN
/_dr/admin/updatePremiumList UpdatePremiumListAction POST n INTERNAL,API APP ADMIN /_dr/admin/verifyOte VerifyOteAction POST n INTERNAL,API APP ADMIN
/_dr/admin/verifyOte VerifyOteAction POST n INTERNAL,API APP ADMIN /_dr/epptool EppToolAction POST n INTERNAL,API APP ADMIN
/_dr/epptool EppToolAction POST n INTERNAL,API APP ADMIN /_dr/loadtest LoadTestAction POST y INTERNAL,API APP ADMIN
/_dr/loadtest LoadTestAction POST y INTERNAL,API APP ADMIN /_dr/task/generateZoneFiles GenerateZoneFilesAction POST n INTERNAL,API APP ADMIN
/_dr/task/generateZoneFiles GenerateZoneFilesAction POST n INTERNAL,API APP ADMIN /_dr/task/killAllCommitLogs KillAllCommitLogsAction POST n INTERNAL APP IGNORED
/_dr/task/killAllCommitLogs KillAllCommitLogsAction POST n INTERNAL APP IGNORED /_dr/task/killAllEppResources KillAllEppResourcesAction POST n INTERNAL APP IGNORED
/_dr/task/killAllEppResources KillAllEppResourcesAction POST n INTERNAL APP IGNORED /_dr/task/pollMapreduce PollMapreduceAction POST n INTERNAL APP IGNORED
/_dr/task/pollMapreduce PollMapreduceAction POST n INTERNAL APP IGNORED /_dr/task/refreshDnsForAllDomains RefreshDnsForAllDomainsAction GET n INTERNAL,API APP ADMIN
/_dr/task/refreshDnsForAllDomains RefreshDnsForAllDomainsAction GET n INTERNAL,API APP ADMIN /_dr/task/resaveAllHistoryEntries ResaveAllHistoryEntriesAction GET n INTERNAL,API APP ADMIN
/_dr/task/resaveAllHistoryEntries ResaveAllHistoryEntriesAction GET n INTERNAL,API APP ADMIN /_dr/task/restoreCommitLogs RestoreCommitLogsAction POST y INTERNAL,API APP ADMIN
/_dr/task/restoreCommitLogs RestoreCommitLogsAction POST y INTERNAL,API APP ADMIN

11
javatests/google/registry/testing/FakeKeyringModule.java
View file

@ -150,17 +150,6 @@ public final class FakeKeyringModule {
return rdeReceiverKey; return rdeReceiverKey;
} }
@Override
public String getEncryptedData(String keyName) {
throw new RuntimeException(
"Fake keyring does not support the retrieval of encrypted data.");
}
@Override
public byte[] getDecryptedData(String keyName, String encryptedData) {
throw new RuntimeException("Fake keyring does not support decrypting of supplied data.");
}
@Override @Override
public void close() {} public void close() {}
}; };

66
javatests/google/registry/tools/server/DownloadServiceAccountCredentialActionTest.java
View file

@ -1,66 +0,0 @@
// Copyright 2018 The Nomulus Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package google.registry.tools.server;
import static com.google.common.truth.Truth.assertThat;
import static java.nio.charset.StandardCharsets.UTF_8;
import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
import static javax.servlet.http.HttpServletResponse.SC_OK;
import com.google.common.io.BaseEncoding;
import com.google.common.net.MediaType;
import google.registry.testing.FakeResponse;
import java.util.function.Function;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.JUnit4;
/** Unit tests for {@link google.registry.tools.server.DownloadServiceAccountCredentialAction}. */
@RunWith(JUnit4.class)
public class DownloadServiceAccountCredentialActionTest {
private final DownloadServiceAccountCredentialAction action =
new DownloadServiceAccountCredentialAction();
private final FakeResponse response = new FakeResponse();
private final Function<String, String> encryptedDataRetriever = input -> input + "_mohaha";
@Before
public void setUp() {
action.response = response;
action.encryptedDataRetriever = encryptedDataRetriever;
}
@Test
public void testSuccess_returnServiceAccountCredential() {
action.run();
assertThat(response.getStatus()).isEqualTo(SC_OK);
assertThat(response.getContentType()).isEqualTo(MediaType.APPLICATION_BINARY);
assertThat(new String(BaseEncoding.base64().decode(response.getPayload()), UTF_8))
.isEqualTo("json-credential-string_mohaha");
}
@Test
public void testFailure_cannotGetEncryptedCredential() {
action.encryptedDataRetriever =
input -> {
throw new RuntimeException("Something went wrong.");
};
action.run();
assertThat(response.getStatus()).isEqualTo(SC_INTERNAL_SERVER_ERROR);
assertThat(response.getContentType()).isEqualTo(MediaType.HTML_UTF_8);
assertThat(response.getPayload()).isEqualTo("Something went wrong.");
}
}