From bec7a91cfc90a97ea606841b630b340edad6d7fd Mon Sep 17 00:00:00 2001
From: mcilwain
Date: Fri, 12 Oct 2018 11:55:23 -0700
Subject: [PATCH] Allow choice of Keyring to be configured in YAML
This uses a Dagger-provided map of Keyring implementations, with two currently available, "KMS" and "Dummy". The active keyring is configured in the YAML file, so we no longer require MOE directives to choose which one to use for internal/external builds.
-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=216898058
---
 .../registry/config/RegistryConfig.java | 10 +++++++--
 .../config/RegistryConfigSettings.java | 20 +++++++++++-------
 .../registry/config/files/default-config.yaml | 19 ++++++++++-------
 .../nomulus-config-production-sample.yaml | 6 ++++--
 java/google/registry/keyring/BUILD | 21 +++++++++++++++++++
 .../keyring/{kms => }/KeyringModule.java | 18 ++++++++++++----
 .../keyring/api/DummyKeyringModule.java | 18 ++++++++++++++--
 .../registry/keyring/kms/KmsModule.java | 12 ++++++++++-
 java/google/registry/module/backend/BUILD | 1 +
 .../module/backend/BackendComponent.java | 5 ++++-
 java/google/registry/module/frontend/BUILD | 1 +
 .../module/frontend/FrontendComponent.java | 5 ++++-
 java/google/registry/module/pubapi/BUILD | 1 +
 .../module/pubapi/PubApiComponent.java | 5 ++++-
 java/google/registry/module/tools/BUILD | 1 +
 .../registry/module/tools/ToolsComponent.java | 5 ++++-
 java/google/registry/tools/BUILD | 1 +
 .../registry/tools/RegistryToolComponent.java | 5 ++++-
 18 files changed, 124 insertions(+), 30 deletions(-)
 create mode 100644 java/google/registry/keyring/BUILD
 rename java/google/registry/keyring/{kms => }/KeyringModule.java (58%)
diff --git a/java/google/registry/config/RegistryConfig.java b/java/google/registry/config/RegistryConfig.java
index 1ad40e6ef..0fa174519 100644
--- a/java/google/registry/config/RegistryConfig.java
+++ b/java/google/registry/config/RegistryConfig.java
@@ -1021,6 +1021,12 @@ public final class RegistryConfig {
 return config.registryPolicy.greetingServerId;
 }
+ @Provides
+ @Config("activeKeyring")
+ public static String provideKeyring(RegistryConfigSettings config) {
+ return config.keyring.activeKeyring;
+ }
+
 /**
 * The name to use for the Cloud KMS KeyRing containing encryption keys for Nomulus secrets.
 *
@@ -1030,13 +1036,13 @@ public final class RegistryConfig {
 @Provides
 @Config("cloudKmsKeyRing")
 public static String provideCloudKmsKeyRing(RegistryConfigSettings config) {
- return config.kms.keyringName;
+ return config.keyring.kms.keyringName;
 }
 @Provides
 @Config("cloudKmsProjectId")
 public static String provideCloudKmsProjectId(RegistryConfigSettings config) {
- return config.kms.projectId;
+ return config.keyring.kms.projectId;
 }
 @Provides
diff --git a/java/google/registry/config/RegistryConfigSettings.java b/java/google/registry/config/RegistryConfigSettings.java
index 6f4d73465..15118679a 100644
--- a/java/google/registry/config/RegistryConfigSettings.java
+++ b/java/google/registry/config/RegistryConfigSettings.java
@@ -34,7 +34,7 @@ public class RegistryConfigSettings {
 public Monitoring monitoring;
 public Misc misc;
 public Beam beam;
- public Kms kms;
+ public Keyring keyring;
 public RegistryTool registryTool;
 /** Configuration options that apply to the entire App Engine project. */
@@ -99,12 +99,6 @@ public class RegistryConfigSettings {
 public int baseOfyRetryMillis;
 }
- /** Configuration for Cloud KMS. */
- public static class Kms {
- public String keyringName;
- public String projectId;
- }
-
 /** Configuration for Apache Beam (Cloud Dataflow). */
 public static class Beam {
 public String defaultJobZone;
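Review bot: The new `provideKeyring` provider in the first RegistryConfig hunk has no Javadoc, unlike the neighbouring `cloudKmsKeyRing` provider whose comment is visible as context right below it, and its name reads as if it yielded a `Keyring` when it actually yields the configured keyring name; `KeyringModule` in this same patch has a `provideKeyring` that returns a real `Keyring`. Consider renaming it `provideActiveKeyring` and documenting it with `/** The name of the Keyring implementation to use (e.g. "KMS" or "Dummy"); must exactly match a key bound into the keyring map, so the comparison is case-sensitive. */`. Renaming the method does not change the binding, which is identified by the `@Config("activeKeyring")` qualifier.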
@@ -170,6 +164,18 @@ public class RegistryConfigSettings {
 public int asyncDeleteDelaySeconds;
 }
+ /** Configuration for keyrings (used to store secrets outside of source). */
+ public static class Keyring {
+ public String activeKeyring;
+ public Kms kms;
+ }
+
+ /** Configuration for Cloud KMS. */
+ public static class Kms {
+ public String keyringName;
+ public String projectId;
+ }
+
 /** Configuration options for the registry tool. */
 public static class RegistryTool {
 public String clientSecretFilename;
diff --git a/java/google/registry/config/files/default-config.yaml b/java/google/registry/config/files/default-config.yaml
index 8c51b0cfc..912353b48 100644
--- a/java/google/registry/config/files/default-config.yaml
+++ b/java/google/registry/config/files/default-config.yaml
@@ -322,14 +322,19 @@ beam:
 # The default zone to run Apache Beam (Cloud Dataflow) jobs in.
 defaultJobZone: us-east1-c
-kms:
- # GCP project containing the KMS keyring. Should only be used for KMS in
- # order to keep a simple locked down IAM configuration.
- projectId: registry-kms-project-id
+keyring:
+ # The name of the active keyring, either "KMS" or "Dummy".
+ activeKeyring: Dummy
- # The name to use for the Cloud KMS KeyRing which will store encryption keys
- # for Nomulus secrets.
- keyringName: nomulus
+ # Configuration options specific to Google Cloud KMS.
+ kms:
+ # GCP project containing the KMS keyring. Should only be used for KMS in
+ # order to keep a simple locked down IAM configuration.
+ projectId: registry-kms-project-id
+
+ # The name to use for the Cloud KMS KeyRing which will store encryption keys
+ # for Nomulus secrets.
+ keyringName: nomulus
 # Configuration options relevant to the "nomulus" registry tool.
 registryTool:
diff --git a/java/google/registry/config/files/nomulus-config-production-sample.yaml b/java/google/registry/config/files/nomulus-config-production-sample.yaml
index 4a891e1d9..01a051f7c 100644
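Review bot: `activeKeyring: Dummy` in default-config.yaml makes the in-memory test keyring the silent default for any environment whose config omits the new `keyring` block, and since every component touched by this patch installs both `DummyKeyringModule` and `KmsModule`, that fallback is present in production binaries as well. The Dummy keyring's key material is loaded from a bundled resource file and its credentials are placeholder strings (`"not a real login"` is visible in the DummyKeyringModule hunk), so a deployment that misses the override would run with non-secret keys instead of failing. The production sample only sets `activeKeyring: KMS`, so at minimum the default file should say why that override matters: `# Any environment handling real secrets must override this with KMS; Dummy uses test keys bundled with the code.`. Whether a non-test environment should instead refuse to start on Dummy is a policy call, but note that the check in KeyringModule only verifies the name exists in the map.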
--- a/java/google/registry/config/files/nomulus-config-production-sample.yaml
+++ b/java/google/registry/config/files/nomulus-config-production-sample.yaml
@@ -61,5 +61,7 @@ cloudDns:
 rootUrl: null
 servicePath: null
-kms:
- projectId: placeholder
+keyring:
+ activeKeyring: KMS
+ kms:
+ projectId: placeholder
diff --git a/java/google/registry/keyring/BUILD b/java/google/registry/keyring/BUILD
new file mode 100644
index 000000000..ec999ce7c
--- /dev/null
+++ b/java/google/registry/keyring/BUILD
@@ -0,0 +1,21 @@
+package(
+ default_visibility = ["//visibility:public"],
+)
+
+licenses(["notice"]) # Apache 2.0
+
+java_library(
+ name = "keyring",
+ srcs = glob(["*.java"]),
+ deps = [
+ "//java/google/registry/config",
+ "//java/google/registry/keyring/api",
+ "@com_google_code_findbugs_jsr305",
+ "@com_google_dagger",
+ "@com_google_flogger",
+ "@com_google_flogger_system_backend",
+ "@com_google_guava",
+ "@javax_inject",
+ "@org_bouncycastle_bcpg_jdk15on",
+ ],
+)
diff --git a/java/google/registry/keyring/kms/KeyringModule.java b/java/google/registry/keyring/KeyringModule.java
similarity index 58%
rename from java/google/registry/keyring/kms/KeyringModule.java
rename to java/google/registry/keyring/KeyringModule.java
index 7a9b53f80..28c525900 100644
--- a/java/google/registry/keyring/kms/KeyringModule.java
+++ b/java/google/registry/keyring/KeyringModule.java
@@ -1,4 +1,4 @@
-// Copyright 2017 The Nomulus Authors. All Rights Reserved.
+// Copyright 2018 The Nomulus Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -12,11 +12,15 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
-package google.registry.keyring.kms;
+package google.registry.keyring;
+
+import static com.google.common.base.Preconditions.checkState;
 import dagger.Module;
 import dagger.Provides;
+import google.registry.config.RegistryConfig.Config;
 import google.registry.keyring.api.Keyring;
+import java.util.Map;
 import javax.inject.Singleton;
 /** Dagger module for {@link Keyring} */
@@ -25,7 +29,13 @@ public final class KeyringModule {
 @Provides
 @Singleton
- public static Keyring provideKeyring(KmsKeyring kmsKeyring) {
- return kmsKeyring;
+ public static Keyring provideKeyring(
+ Map keyrings, @Config("activeKeyring") String activeKeyring) {
+ checkState(
+ keyrings.containsKey(activeKeyring),
+ "Invalid Keyring %s is configured; valid choices are %s",
+ activeKeyring,
+ keyrings.keySet());
+ return keyrings.get(activeKeyring);
 }
 }
diff --git a/java/google/registry/keyring/api/DummyKeyringModule.java b/java/google/registry/keyring/api/DummyKeyringModule.java
index 9e35c14fe..9e2f2aec3 100644
--- a/java/google/registry/keyring/api/DummyKeyringModule.java
+++ b/java/google/registry/keyring/api/DummyKeyringModule.java
@@ -21,11 +21,15 @@ import static google.registry.keyring.api.PgpHelper.lookupKeyPair;
 import com.google.common.base.VerifyException;
 import com.google.common.io.ByteSource;
 import com.google.common.io.Resources;
+import dagger.Binds;
 import dagger.Module;
 import dagger.Provides;
+import dagger.multibindings.IntoMap;
+import dagger.multibindings.StringKey;
 import java.io.IOException;
 import java.io.InputStream;
 import javax.annotation.concurrent.Immutable;
+import javax.inject.Named;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPKeyPair;
 import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
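Review bot: `provideKeyring` in KeyringModule validates that `activeKeyring` names a bound keyring but never records which one was chosen, so nothing in the startup log distinguishes a KMS-backed instance from one running on the Dummy keyring; the new `keyring/BUILD` in this patch already depends on `@com_google_flogger`, which suggests a log line was intended. Add `private static final FluentLogger logger = FluentLogger.forEnclosingClass();` to the class (with the matching `com.google.common.flogger.FluentLogger` import) and, before the return, `logger.atInfo().log("Using keyring implementation: %s", activeKeyring);` so the selection is visible and can be alerted on. As rendered here the parameter is a raw `Map keyrings`; if the `<String, Keyring>` type arguments were not simply lost in extraction they should be restored, since Dagger's `@IntoMap`/`@StringKey` bindings provide `Map<String, Keyring>`, not a raw `Map`.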
@@ -68,7 +72,9 @@ import org.bouncycastle.openpgp.bc.BcPGPSecretKeyRingCollection;
 */
 @Module
 @Immutable
-public final class DummyKeyringModule {
+public abstract class DummyKeyringModule {
+
+ public static final String NAME = "Dummy";
 /** The contents of a dummy PGP public key stored in a file. */
 private static final ByteSource PGP_PUBLIC_KEYRING =
@@ -81,9 +87,15 @@ public final class DummyKeyringModule {
 /** The email address of the aforementioned PGP key. */
 private static final String EMAIL_ADDRESS = "test-registry@example.com";
+ @Binds
+ @IntoMap
+ @StringKey(NAME)
+ abstract Keyring provideKeyring(@Named("DummyKeyring") InMemoryKeyring keyring);
+
 /** Always returns a {@link InMemoryKeyring} instance. */
 @Provides
- static Keyring provideKeyring() {
+ @Named("DummyKeyring")
+ static InMemoryKeyring provideDummyKeyring() {
 PGPKeyPair dummyKey;
 try (InputStream publicInput = PGP_PUBLIC_KEYRING.openStream();
 InputStream privateInput = PGP_PRIVATE_KEYRING.openStream()) {
@@ -112,4 +124,6 @@ public final class DummyKeyringModule {
 "not a real login",
 "not a real credential");
 }
+
+ private DummyKeyringModule() {}
 }
diff --git a/java/google/registry/keyring/kms/KmsModule.java b/java/google/registry/keyring/kms/KmsModule.java
index 1b63fff76..1c96ca50e 100644
--- a/java/google/registry/keyring/kms/KmsModule.java
+++ b/java/google/registry/keyring/kms/KmsModule.java
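Review bot: The new `@Binds @IntoMap @StringKey(NAME) provideKeyring` method in the second DummyKeyringModule hunk has no Javadoc, and the matching binding added to KmsModule in the next file has none either; a one-liner such as `/** Registers the dummy keyring under {@link #NAME} in the map that KeyringModule selects the active keyring from. */` would explain why a second `Keyring` binding now sits beside the `@Named` one. The `"DummyKeyring"` qualifier string is spelled out twice (on the `@Binds` parameter and on `provideDummyKeyring`); a `private static final String` constant or a dedicated qualifier annotation would keep the two from drifting, though Dagger would report a mismatch at compile time rather than at runtime. The private constructor added in the last hunk is the usual way to keep an abstract Dagger module from being instantiated and needs no change.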
@@ -19,13 +19,23 @@ import com.google.api.services.cloudkms.v1.CloudKMS;
 import dagger.Binds;
 import dagger.Module;
 import dagger.Provides;
+import dagger.multibindings.IntoMap;
+import dagger.multibindings.StringKey;
 import google.registry.config.CredentialModule.DefaultCredential;
 import google.registry.config.RegistryConfig.Config;
+import google.registry.keyring.api.Keyring;
-/** Dagger module for Cloud KMS connection objects. */
+/** Dagger module for Cloud KMS. */
 @Module
 public abstract class KmsModule {
+ public static final String NAME = "KMS";
+
+ @Binds
+ @IntoMap
+ @StringKey(NAME)
+ abstract Keyring provideKeyring(KmsKeyring keyring);
+
 @Provides
 static CloudKMS provideKms(
 @DefaultCredential GoogleCredential credential,
diff --git a/java/google/registry/module/backend/BUILD b/java/google/registry/module/backend/BUILD
index d4527f2ea..75aa46b18 100644
--- a/java/google/registry/module/backend/BUILD
+++ b/java/google/registry/module/backend/BUILD
@@ -22,6 +22,7 @@ java_library(
 "//java/google/registry/flows",
 "//java/google/registry/gcs",
 "//java/google/registry/groups",
+ "//java/google/registry/keyring",
 "//java/google/registry/keyring/api",
 "//java/google/registry/keyring/kms",
 "//java/google/registry/mapreduce",
diff --git a/java/google/registry/module/backend/BackendComponent.java b/java/google/registry/module/backend/BackendComponent.java
index 9ef32033a..9844eee40 100644
--- a/java/google/registry/module/backend/BackendComponent.java
+++ b/java/google/registry/module/backend/BackendComponent.java
@@ -27,6 +27,8 @@ import google.registry.gcs.GcsServiceModule;
 import google.registry.groups.DirectoryModule;
 import google.registry.groups.GroupsModule;
 import google.registry.groups.GroupssettingsModule;
+import google.registry.keyring.KeyringModule;
+import google.registry.keyring.api.DummyKeyringModule;
 import google.registry.keyring.api.KeyModule;
 import google.registry.keyring.kms.KmsModule;
 import google.registry.module.backend.BackendRequestComponent.BackendRequestComponentModule;
@@ -56,7 +58,7 @@ import javax.inject.Singleton;
 CredentialModule.class,
 DatastoreServiceModule.class,
 DirectoryModule.class,
- google.registry.keyring.api.DummyKeyringModule.class,
+ DummyKeyringModule.class,
 DriveModule.class,
 GcsServiceModule.class,
 GroupsModule.class,
@@ -64,6 +66,7 @@ import javax.inject.Singleton;
 JSchModule.class,
 Jackson2Module.class,
 KeyModule.class,
+ KeyringModule.class,
 KmsModule.class,
 NetHttpTransportModule.class,
 SheetsServiceModule.class,
diff --git a/java/google/registry/module/frontend/BUILD b/java/google/registry/module/frontend/BUILD
index 1f99a1b17..589a82287 100644
--- a/java/google/registry/module/frontend/BUILD
+++ b/java/google/registry/module/frontend/BUILD
@@ -11,6 +11,7 @@ java_library(
 "//java/google/registry/config",
 "//java/google/registry/dns",
 "//java/google/registry/flows",
+ "//java/google/registry/keyring",
 "//java/google/registry/keyring/api",
 "//java/google/registry/keyring/kms",
 "//java/google/registry/monitoring/whitebox",
diff --git a/java/google/registry/module/frontend/FrontendComponent.java b/java/google/registry/module/frontend/FrontendComponent.java
index ee2e04792..1c96edc5b 100644
--- a/java/google/registry/module/frontend/FrontendComponent.java
+++ b/java/google/registry/module/frontend/FrontendComponent.java
@@ -21,6 +21,8 @@ import google.registry.config.CredentialModule;
 import google.registry.config.RegistryConfig.ConfigModule;
 import google.registry.flows.ServerTridProviderModule;
 import google.registry.flows.custom.CustomLogicFactoryModule;
+import google.registry.keyring.KeyringModule;
+import google.registry.keyring.api.DummyKeyringModule;
 import google.registry.keyring.api.KeyModule;
 import google.registry.keyring.kms.KmsModule;
 import google.registry.module.frontend.FrontendRequestComponent.FrontendRequestComponentModule;
@@ -46,10 +48,11 @@ import javax.inject.Singleton;
 ConsoleConfigModule.class,
 CredentialModule.class,
 CustomLogicFactoryModule.class,
- google.registry.keyring.api.DummyKeyringModule.class,
+ DummyKeyringModule.class,
 FrontendRequestComponentModule.class,
 Jackson2Module.class,
 KeyModule.class,
+ KeyringModule.class,
 KmsModule.class,
 NetHttpTransportModule.class,
 ServerTridProviderModule.class,
diff --git a/java/google/registry/module/pubapi/BUILD b/java/google/registry/module/pubapi/BUILD
index 9af5ff86d..e3d388311 100644
--- a/java/google/registry/module/pubapi/BUILD
+++ b/java/google/registry/module/pubapi/BUILD
@@ -11,6 +11,7 @@ java_library(
 "//java/google/registry/config",
 "//java/google/registry/dns",
 "//java/google/registry/flows",
+ "//java/google/registry/keyring",
 "//java/google/registry/keyring/api",
 "//java/google/registry/keyring/kms",
 "//java/google/registry/monitoring/whitebox",
diff --git a/java/google/registry/module/pubapi/PubApiComponent.java b/java/google/registry/module/pubapi/PubApiComponent.java
index 383ba559c..ef5ffbc65 100644
--- a/java/google/registry/module/pubapi/PubApiComponent.java
+++ b/java/google/registry/module/pubapi/PubApiComponent.java
@@ -21,6 +21,8 @@ import google.registry.config.CredentialModule;
 import google.registry.config.RegistryConfig.ConfigModule;
 import google.registry.flows.ServerTridProviderModule;
 import google.registry.flows.custom.CustomLogicFactoryModule;
+import google.registry.keyring.KeyringModule;
+import google.registry.keyring.api.DummyKeyringModule;
 import google.registry.keyring.api.KeyModule;
 import google.registry.keyring.kms.KmsModule;
 import google.registry.module.pubapi.PubApiRequestComponent.PubApiRequestComponentModule;
@@ -44,10 +46,11 @@ import javax.inject.Singleton;
 ConfigModule.class,
 CredentialModule.class,
 CustomLogicFactoryModule.class,
- google.registry.keyring.api.DummyKeyringModule.class,
+ DummyKeyringModule.class,
 PubApiRequestComponentModule.class,
 Jackson2Module.class,
 KeyModule.class,
+ KeyringModule.class,
 KmsModule.class,
 NetHttpTransportModule.class,
 ServerTridProviderModule.class,
diff --git a/java/google/registry/module/tools/BUILD b/java/google/registry/module/tools/BUILD
index a76e62b89..a46e09e90 100644
--- a/java/google/registry/module/tools/BUILD
+++ b/java/google/registry/module/tools/BUILD
@@ -15,6 +15,7 @@ java_library(
 "//java/google/registry/flows",
 "//java/google/registry/gcs",
 "//java/google/registry/groups",
+ "//java/google/registry/keyring",
 "//java/google/registry/keyring/api",
 "//java/google/registry/keyring/kms",
 "//java/google/registry/loadtest",
diff --git a/java/google/registry/module/tools/ToolsComponent.java b/java/google/registry/module/tools/ToolsComponent.java
index bcf3b296b..605ddc95a 100644
--- a/java/google/registry/module/tools/ToolsComponent.java
+++ b/java/google/registry/module/tools/ToolsComponent.java
@@ -24,6 +24,8 @@ import google.registry.gcs.GcsServiceModule;
 import google.registry.groups.DirectoryModule;
 import google.registry.groups.GroupsModule;
 import google.registry.groups.GroupssettingsModule;
+import google.registry.keyring.KeyringModule;
+import google.registry.keyring.api.DummyKeyringModule;
 import google.registry.keyring.api.KeyModule;
 import google.registry.keyring.kms.KmsModule;
 import google.registry.module.tools.ToolsRequestComponent.ToolsRequestComponentModule;
@@ -49,13 +51,14 @@ import javax.inject.Singleton;
 CustomLogicFactoryModule.class,
 DatastoreServiceModule.class,
 DirectoryModule.class,
- google.registry.keyring.api.DummyKeyringModule.class,
+ DummyKeyringModule.class,
 DriveModule.class,
 GcsServiceModule.class,
 GroupsModule.class,
 GroupssettingsModule.class,
 Jackson2Module.class,
 KeyModule.class,
+ KeyringModule.class,
 KmsModule.class,
 NetHttpTransportModule.class,
 ServerTridProviderModule.class,
diff --git a/java/google/registry/tools/BUILD b/java/google/registry/tools/BUILD
index 90e9fb3dc..d4671b9b9 100644
--- a/java/google/registry/tools/BUILD
+++ b/java/google/registry/tools/BUILD
@@ -46,6 +46,7 @@ java_library(
 "//java/google/registry/export",
 "//java/google/registry/flows",
 "//java/google/registry/gcs",
+ "//java/google/registry/keyring",
 "//java/google/registry/keyring/api",
 "//java/google/registry/keyring/kms",
 "//java/google/registry/loadtest",
diff --git a/java/google/registry/tools/RegistryToolComponent.java b/java/google/registry/tools/RegistryToolComponent.java
index 6dbae7c08..42d65f523 100644
--- a/java/google/registry/tools/RegistryToolComponent.java
+++ b/java/google/registry/tools/RegistryToolComponent.java
@@ -21,6 +21,8 @@ import google.registry.config.RegistryConfig.ConfigModule;
 import google.registry.dns.writer.VoidDnsWriterModule;
 import google.registry.dns.writer.clouddns.CloudDnsWriterModule;
 import google.registry.dns.writer.dnsupdate.DnsUpdateWriterModule;
+import google.registry.keyring.KeyringModule;
+import google.registry.keyring.api.DummyKeyringModule;
 import google.registry.keyring.api.KeyModule;
 import google.registry.keyring.kms.KmsModule;
 import google.registry.rde.RdeModule;
@@ -52,13 +54,14 @@ import javax.inject.Singleton;
 ConfigModule.class,
 CredentialModule.class,
 DatastoreServiceModule.class,
- google.registry.keyring.api.DummyKeyringModule.class,
+ DummyKeyringModule.class,
 CloudDnsWriterModule.class,
 DefaultRequestFactoryModule.class,
 DefaultRequestFactoryModule.RequestFactoryModule.class,
 DnsUpdateWriterModule.class,
 Jackson2Module.class,
 KeyModule.class,
+ KeyringModule.class,
 KmsModule.class,
 RdeModule.class,
 RegistryToolModule.class,