zydronium/google-nomulus
1
0
Fork 0
mirror of https://github.com/google/nomulus.git synced 2025-07-12 22:18:12 +02:00
Code Issues Projects Releases Packages Wiki Activity

Use Cloud SQL passwords from the Secret Manager (#959)

Browse source 
* Use Cloud SQL passwords from the Secret Manager

Continue fetching passwords from Keyring until this change is deployed.
This commit is contained in:
Weimin Yu 2021-02-08 21:59:00 -05:00 committed by GitHub
parent 578f14388e
commit b4a6da2a84
1 changed files with 34 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

66
core/src/main/java/google/registry/persistence/PersistenceModule.java
View file

@ -162,13 +162,12 @@ public abstract class PersistenceModule {
@PartialCloudSqlConfigs ImmutableMap<String, String> cloudSqlConfigs, @PartialCloudSqlConfigs ImmutableMap<String, String> cloudSqlConfigs,
Clock clock) { Clock clock) {
HashMap<String, String> overrides = Maps.newHashMap(cloudSqlConfigs); HashMap<String, String> overrides = Maps.newHashMap(cloudSqlConfigs);
overrides.put(Environment.USER, username); validateAndSetCredential(
overrides.put(Environment.PASS, kmsKeyring.getCloudSqlPassword());
validateCredentialStore(
credentialStore, credentialStore,
new RobotUser(RobotId.NOMULUS), new RobotUser(RobotId.NOMULUS),
overrides.get(Environment.USER), overrides,
overrides.get(Environment.PASS)); username,
kmsKeyring.getCloudSqlPassword());
return new JpaTransactionManagerImpl(create(overrides), clock); return new JpaTransactionManagerImpl(create(overrides), clock);
} }
@ -184,13 +183,12 @@ public abstract class PersistenceModule {
Clock clock) { Clock clock) {
CloudSqlCredentialSupplier.setupCredentialSupplier(credential); CloudSqlCredentialSupplier.setupCredentialSupplier(credential);
HashMap<String, String> overrides = Maps.newHashMap(cloudSqlConfigs); HashMap<String, String> overrides = Maps.newHashMap(cloudSqlConfigs);
overrides.put(Environment.USER, username); validateAndSetCredential(
overrides.put(Environment.PASS, kmsKeyring.getToolsCloudSqlPassword());
validateCredentialStore(
credentialStore, credentialStore,
new RobotUser(RobotId.TOOL), new RobotUser(RobotId.TOOL),
overrides.get(Environment.USER), overrides,
overrides.get(Environment.PASS)); username,
kmsKeyring.getToolsCloudSqlPassword());
return new JpaTransactionManagerImpl(create(overrides), clock); return new JpaTransactionManagerImpl(create(overrides), clock);
} }
@ -205,15 +203,10 @@ public abstract class PersistenceModule {
@BeamPipelineCloudSqlConfigs ImmutableMap<String, String> cloudSqlConfigs, @BeamPipelineCloudSqlConfigs ImmutableMap<String, String> cloudSqlConfigs,
Clock clock) { Clock clock) {
HashMap<String, String> overrides = Maps.newHashMap(cloudSqlConfigs); HashMap<String, String> overrides = Maps.newHashMap(cloudSqlConfigs);
overrides.put(Environment.USER, username);
overrides.put(Environment.PASS, password);
overrides.put(HIKARI_MAXIMUM_POOL_SIZE, String.valueOf(hikariMaximumPoolSize)); overrides.put(HIKARI_MAXIMUM_POOL_SIZE, String.valueOf(hikariMaximumPoolSize));
// TODO(b/175700623): consider assigning different logins to pipelines // TODO(b/175700623): consider assigning different logins to pipelines
validateCredentialStore( validateAndSetCredential(
credentialStore, credentialStore, new RobotUser(RobotId.NOMULUS), overrides, username, password);
new RobotUser(RobotId.NOMULUS),
overrides.get(Environment.USER),
overrides.get(Environment.PASS));
return new JpaTransactionManagerImpl(create(overrides), clock); return new JpaTransactionManagerImpl(create(overrides), clock);
} }
@ -258,24 +251,33 @@ public abstract class PersistenceModule {
return emf; return emf;
} }
/** Verifies that the credential from the Secret Manager matches the one currently in use. /**
* Verifies that the credential from the Secret Manager matches the one currently in use, and
* configures JPA with the credential from the Secret Manager.
* *
* <p>This is a helper for the transition to the Secret Manager, and will be removed once data * <p>This is a helper for the transition to the Secret Manager, and will be removed once data and
* and permissions are properly set up for all projects. * permissions are properly set up for all projects.
**/ */
private static void validateCredentialStore( private static void validateAndSetCredential(
SqlCredentialStore credentialStore, SqlUser sqlUser, String login, String password) { SqlCredentialStore credentialStore,
SqlUser sqlUser,
Map<String, String> overrides,
String expectedLogin,
String expectedPassword) {
try { try {
SqlCredential credential = credentialStore.getCredential(sqlUser); SqlCredential credential = credentialStore.getCredential(sqlUser);
if (!credential.login().equals(login)) { checkState(
logger.atWarning().log( credential.login().equals(expectedLogin),
"Wrong login for %s. Expecting %s, found %s.", "Wrong login for %s. Expecting %s, found %s.",
sqlUser.geUserName(), login, credential.login()); sqlUser.geUserName(),
return; expectedLogin,
} credential.login());
if (!credential.password().equals(password)) { checkState(
logger.atWarning().log("Wrong password for %s.", sqlUser.geUserName()); credential.password().equals(expectedPassword),
} "Wrong password for %s.",
sqlUser.geUserName());
overrides.put(Environment.USER, credential.login());
overrides.put(Environment.PASS, credential.password());
logger.atWarning().log("Credentials in the kerying and the secret manager match."); logger.atWarning().log("Credentials in the kerying and the secret manager match.");
} catch (Throwable e) { } catch (Throwable e) {
logger.atWarning().log(e.getMessage()); logger.atWarning().log(e.getMessage());