Allow choice of Keyring to be configured in YAML

This uses a Dagger-provided map of Keyring implementations, with two currently available,
"KMS" and "Dummy". The active keyring is configured in the YAML file, so we no longer
require MOE directives to choose which one to use for internal/external builds.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=216898058

java/google/registry/config/RegistryConfig.java

@@ -1021,6 +1021,12 @@ public final class RegistryConfig {
       return config.registryPolicy.greetingServerId;
     }
 
+    @Provides
+    @Config("activeKeyring")
+    public static String provideKeyring(RegistryConfigSettings config) {
+      return config.keyring.activeKeyring;
+    }
+
     /**
      * The name to use for the Cloud KMS KeyRing containing encryption keys for Nomulus secrets.
      *
@@ -1030,13 +1036,13 @@ public final class RegistryConfig {
     @Provides
     @Config("cloudKmsKeyRing")
     public static String provideCloudKmsKeyRing(RegistryConfigSettings config) {
-      return config.kms.keyringName;
+      return config.keyring.kms.keyringName;
     }
 
     @Provides
     @Config("cloudKmsProjectId")
     public static String provideCloudKmsProjectId(RegistryConfigSettings config) {
-      return config.kms.projectId;
+      return config.keyring.kms.projectId;
     }
 
     @Provides

java/google/registry/config/RegistryConfigSettings.java

@@ -34,7 +34,7 @@ public class RegistryConfigSettings {
   public Monitoring monitoring;
   public Misc misc;
   public Beam beam;
-  public Kms kms;
+  public Keyring keyring;
   public RegistryTool registryTool;
 
   /** Configuration options that apply to the entire App Engine project. */
@@ -99,12 +99,6 @@ public class RegistryConfigSettings {
     public int baseOfyRetryMillis;
   }
 
-  /** Configuration for Cloud KMS. */
-  public static class Kms {
-    public String keyringName;
-    public String projectId;
-  }
-
   /** Configuration for Apache Beam (Cloud Dataflow). */
   public static class Beam {
     public String defaultJobZone;
@@ -170,6 +164,18 @@ public class RegistryConfigSettings {
     public int asyncDeleteDelaySeconds;
   }
 
+  /** Configuration for keyrings (used to store secrets outside of source). */
+  public static class Keyring {
+    public String activeKeyring;
+    public Kms kms;
+  }
+
+  /** Configuration for Cloud KMS. */
+  public static class Kms {
+    public String keyringName;
+    public String projectId;
+  }
+
   /** Configuration options for the registry tool. */
   public static class RegistryTool {
     public String clientSecretFilename;

java/google/registry/config/files/default-config.yaml

@@ -322,7 +322,12 @@ beam:
   # The default zone to run Apache Beam (Cloud Dataflow) jobs in.
   defaultJobZone: us-east1-c
 
-kms:
+keyring:
+  # The name of the active keyring, either "KMS" or "Dummy".
+  activeKeyring: Dummy
+
+  # Configuration options specific to Google Cloud KMS.
+  kms:
     # GCP project containing the KMS keyring. Should only be used for KMS in
     # order to keep a simple locked down IAM configuration.
     projectId: registry-kms-project-id

java/google/registry/config/files/nomulus-config-production-sample.yaml

@@ -61,5 +61,7 @@ cloudDns:
   rootUrl: null
   servicePath: null
 
-kms:
+keyring:
+  activeKeyring: KMS
+  kms:
     projectId: placeholder

java/google/registry/keyring/BUILD

@@ -0,0 +1,21 @@
+package(
+    default_visibility = ["//visibility:public"],
+)
+
+licenses(["notice"])  # Apache 2.0
+
+java_library(
+    name = "keyring",
+    srcs = glob(["*.java"]),
+    deps = [
+        "//java/google/registry/config",
+        "//java/google/registry/keyring/api",
+        "@com_google_code_findbugs_jsr305",
+        "@com_google_dagger",
+        "@com_google_flogger",
+        "@com_google_flogger_system_backend",
+        "@com_google_guava",
+        "@javax_inject",
+        "@org_bouncycastle_bcpg_jdk15on",
+    ],
+)

java/google/registry/keyring/KeyringModule.java

@@ -1,4 +1,4 @@
-// Copyright 2017 The Nomulus Authors. All Rights Reserved.
+// Copyright 2018 The Nomulus Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -12,11 +12,15 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package google.registry.keyring.kms;
+package google.registry.keyring;
 
+
+import static com.google.common.base.Preconditions.checkState;
 import dagger.Module;
 import dagger.Provides;
+import google.registry.config.RegistryConfig.Config;
 import google.registry.keyring.api.Keyring;
+import java.util.Map;
 import javax.inject.Singleton;
 
 /** Dagger module for {@link Keyring} */
@@ -25,7 +29,13 @@ public final class KeyringModule {
 
   @Provides
   @Singleton
-  public static Keyring provideKeyring(KmsKeyring kmsKeyring) {
-    return kmsKeyring;
+  public static Keyring provideKeyring(
+      Map<String, Keyring> keyrings, @Config("activeKeyring") String activeKeyring) {
+    checkState(
+        keyrings.containsKey(activeKeyring),
+        "Invalid Keyring %s is configured; valid choices are %s",
+        activeKeyring,
+        keyrings.keySet());
+    return keyrings.get(activeKeyring);
   }
 }

java/google/registry/keyring/api/DummyKeyringModule.java

@@ -21,11 +21,15 @@ import static google.registry.keyring.api.PgpHelper.lookupKeyPair;
 import com.google.common.base.VerifyException;
 import com.google.common.io.ByteSource;
 import com.google.common.io.Resources;
+import dagger.Binds;
 import dagger.Module;
 import dagger.Provides;
+import dagger.multibindings.IntoMap;
+import dagger.multibindings.StringKey;
 import java.io.IOException;
 import java.io.InputStream;
 import javax.annotation.concurrent.Immutable;
+import javax.inject.Named;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPKeyPair;
 import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
@@ -68,7 +72,9 @@ import org.bouncycastle.openpgp.bc.BcPGPSecretKeyRingCollection;
  */
 @Module
 @Immutable
-public final class DummyKeyringModule {
+public abstract class DummyKeyringModule {
+
+  public static final String NAME = "Dummy";
 
   /** The contents of a dummy PGP public key stored in a file. */
   private static final ByteSource PGP_PUBLIC_KEYRING =
@@ -81,9 +87,15 @@ public final class DummyKeyringModule {
   /** The email address of the aforementioned PGP key. */
   private static final String EMAIL_ADDRESS = "test-registry@example.com";
 
+  @Binds
+  @IntoMap
+  @StringKey(NAME)
+  abstract Keyring provideKeyring(@Named("DummyKeyring") InMemoryKeyring keyring);
+
   /** Always returns a {@link InMemoryKeyring} instance. */
   @Provides
-  static Keyring provideKeyring() {
+  @Named("DummyKeyring")
+  static InMemoryKeyring provideDummyKeyring() {
     PGPKeyPair dummyKey;
     try (InputStream publicInput = PGP_PUBLIC_KEYRING.openStream();
         InputStream privateInput = PGP_PRIVATE_KEYRING.openStream()) {
@@ -112,4 +124,6 @@ public final class DummyKeyringModule {
         "not a real login",
         "not a real credential");
   }
+
+  private DummyKeyringModule() {}
 }

java/google/registry/keyring/kms/KmsModule.java

@@ -19,13 +19,23 @@ import com.google.api.services.cloudkms.v1.CloudKMS;
 import dagger.Binds;
 import dagger.Module;
 import dagger.Provides;
+import dagger.multibindings.IntoMap;
+import dagger.multibindings.StringKey;
 import google.registry.config.CredentialModule.DefaultCredential;
 import google.registry.config.RegistryConfig.Config;
+import google.registry.keyring.api.Keyring;
 
-/** Dagger module for Cloud KMS connection objects. */
+/** Dagger module for Cloud KMS. */
 @Module
 public abstract class KmsModule {
 
+  public static final String NAME = "KMS";
+
+  @Binds
+  @IntoMap
+  @StringKey(NAME)
+  abstract Keyring provideKeyring(KmsKeyring keyring);
+
   @Provides
   static CloudKMS provideKms(
       @DefaultCredential GoogleCredential credential,

java/google/registry/module/backend/BUILD

@@ -22,6 +22,7 @@ java_library(
         "//java/google/registry/flows",
         "//java/google/registry/gcs",
         "//java/google/registry/groups",
+        "//java/google/registry/keyring",
         "//java/google/registry/keyring/api",
         "//java/google/registry/keyring/kms",
         "//java/google/registry/mapreduce",

java/google/registry/module/backend/BackendComponent.java

@@ -27,6 +27,8 @@ import google.registry.gcs.GcsServiceModule;
 import google.registry.groups.DirectoryModule;
 import google.registry.groups.GroupsModule;
 import google.registry.groups.GroupssettingsModule;
+import google.registry.keyring.KeyringModule;
+import google.registry.keyring.api.DummyKeyringModule;
 import google.registry.keyring.api.KeyModule;
 import google.registry.keyring.kms.KmsModule;
 import google.registry.module.backend.BackendRequestComponent.BackendRequestComponentModule;
@@ -56,7 +58,7 @@ import javax.inject.Singleton;
       CredentialModule.class,
       DatastoreServiceModule.class,
       DirectoryModule.class,
-      google.registry.keyring.api.DummyKeyringModule.class,
+      DummyKeyringModule.class,
       DriveModule.class,
       GcsServiceModule.class,
       GroupsModule.class,
@@ -64,6 +66,7 @@ import javax.inject.Singleton;
       JSchModule.class,
       Jackson2Module.class,
       KeyModule.class,
+      KeyringModule.class,
       KmsModule.class,
       NetHttpTransportModule.class,
       SheetsServiceModule.class,

java/google/registry/module/frontend/BUILD

@@ -11,6 +11,7 @@ java_library(
         "//java/google/registry/config",
         "//java/google/registry/dns",
         "//java/google/registry/flows",
+        "//java/google/registry/keyring",
         "//java/google/registry/keyring/api",
         "//java/google/registry/keyring/kms",
         "//java/google/registry/monitoring/whitebox",

java/google/registry/module/frontend/FrontendComponent.java

@@ -21,6 +21,8 @@ import google.registry.config.CredentialModule;
 import google.registry.config.RegistryConfig.ConfigModule;
 import google.registry.flows.ServerTridProviderModule;
 import google.registry.flows.custom.CustomLogicFactoryModule;
+import google.registry.keyring.KeyringModule;
+import google.registry.keyring.api.DummyKeyringModule;
 import google.registry.keyring.api.KeyModule;
 import google.registry.keyring.kms.KmsModule;
 import google.registry.module.frontend.FrontendRequestComponent.FrontendRequestComponentModule;
@@ -46,10 +48,11 @@ import javax.inject.Singleton;
       ConsoleConfigModule.class,
       CredentialModule.class,
       CustomLogicFactoryModule.class,
-      google.registry.keyring.api.DummyKeyringModule.class,
+      DummyKeyringModule.class,
       FrontendRequestComponentModule.class,
       Jackson2Module.class,
       KeyModule.class,
+      KeyringModule.class,
       KmsModule.class,
       NetHttpTransportModule.class,
       ServerTridProviderModule.class,

java/google/registry/module/pubapi/BUILD

@@ -11,6 +11,7 @@ java_library(
         "//java/google/registry/config",
         "//java/google/registry/dns",
         "//java/google/registry/flows",
+        "//java/google/registry/keyring",
         "//java/google/registry/keyring/api",
         "//java/google/registry/keyring/kms",
         "//java/google/registry/monitoring/whitebox",

java/google/registry/module/pubapi/PubApiComponent.java

@@ -21,6 +21,8 @@ import google.registry.config.CredentialModule;
 import google.registry.config.RegistryConfig.ConfigModule;
 import google.registry.flows.ServerTridProviderModule;
 import google.registry.flows.custom.CustomLogicFactoryModule;
+import google.registry.keyring.KeyringModule;
+import google.registry.keyring.api.DummyKeyringModule;
 import google.registry.keyring.api.KeyModule;
 import google.registry.keyring.kms.KmsModule;
 import google.registry.module.pubapi.PubApiRequestComponent.PubApiRequestComponentModule;
@@ -44,10 +46,11 @@ import javax.inject.Singleton;
       ConfigModule.class,
       CredentialModule.class,
       CustomLogicFactoryModule.class,
-      google.registry.keyring.api.DummyKeyringModule.class,
+      DummyKeyringModule.class,
       PubApiRequestComponentModule.class,
       Jackson2Module.class,
       KeyModule.class,
+      KeyringModule.class,
       KmsModule.class,
       NetHttpTransportModule.class,
       ServerTridProviderModule.class,

java/google/registry/module/tools/BUILD

@@ -15,6 +15,7 @@ java_library(
         "//java/google/registry/flows",
         "//java/google/registry/gcs",
         "//java/google/registry/groups",
+        "//java/google/registry/keyring",
         "//java/google/registry/keyring/api",
         "//java/google/registry/keyring/kms",
         "//java/google/registry/loadtest",

java/google/registry/module/tools/ToolsComponent.java

@@ -24,6 +24,8 @@ import google.registry.gcs.GcsServiceModule;
 import google.registry.groups.DirectoryModule;
 import google.registry.groups.GroupsModule;
 import google.registry.groups.GroupssettingsModule;
+import google.registry.keyring.KeyringModule;
+import google.registry.keyring.api.DummyKeyringModule;
 import google.registry.keyring.api.KeyModule;
 import google.registry.keyring.kms.KmsModule;
 import google.registry.module.tools.ToolsRequestComponent.ToolsRequestComponentModule;
@@ -49,13 +51,14 @@ import javax.inject.Singleton;
       CustomLogicFactoryModule.class,
       DatastoreServiceModule.class,
       DirectoryModule.class,
-      google.registry.keyring.api.DummyKeyringModule.class,
+      DummyKeyringModule.class,
       DriveModule.class,
       GcsServiceModule.class,
       GroupsModule.class,
       GroupssettingsModule.class,
       Jackson2Module.class,
       KeyModule.class,
+      KeyringModule.class,
       KmsModule.class,
       NetHttpTransportModule.class,
       ServerTridProviderModule.class,

java/google/registry/tools/BUILD

@@ -46,6 +46,7 @@ java_library(
         "//java/google/registry/export",
         "//java/google/registry/flows",
         "//java/google/registry/gcs",
+        "//java/google/registry/keyring",
         "//java/google/registry/keyring/api",
         "//java/google/registry/keyring/kms",
         "//java/google/registry/loadtest",

java/google/registry/tools/RegistryToolComponent.java

@@ -21,6 +21,8 @@ import google.registry.config.RegistryConfig.ConfigModule;
 import google.registry.dns.writer.VoidDnsWriterModule;
 import google.registry.dns.writer.clouddns.CloudDnsWriterModule;
 import google.registry.dns.writer.dnsupdate.DnsUpdateWriterModule;
+import google.registry.keyring.KeyringModule;
+import google.registry.keyring.api.DummyKeyringModule;
 import google.registry.keyring.api.KeyModule;
 import google.registry.keyring.kms.KmsModule;
 import google.registry.rde.RdeModule;
@@ -52,13 +54,14 @@ import javax.inject.Singleton;
       ConfigModule.class,
       CredentialModule.class,
       DatastoreServiceModule.class,
-      google.registry.keyring.api.DummyKeyringModule.class,
+      DummyKeyringModule.class,
       CloudDnsWriterModule.class,
       DefaultRequestFactoryModule.class,
       DefaultRequestFactoryModule.RequestFactoryModule.class,
       DnsUpdateWriterModule.class,
       Jackson2Module.class,
       KeyModule.class,
+      KeyringModule.class,
       KmsModule.class,
       RdeModule.class,
       RegistryToolModule.class,