Add GetKeyringSecretCommand to retrieve keyring secrets.

Cloned from CL 149476124 by 'g4 patch'.
Original change by shikhman@shikhman:registry-secrets-2:897:citc on 2017/03/07 15:37:09.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=151950797

java/google/registry/tools/GetKeyringSecretCommand.java

@@ -0,0 +1,124 @@
+// Copyright 2017 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.tools;
+
+import com.beust.jcommander.Parameter;
+import com.beust.jcommander.Parameters;
+import google.registry.keyring.api.KeySerializer;
+import google.registry.keyring.api.Keyring;
+import google.registry.tools.Command.RemoteApiCommand;
+import google.registry.tools.params.PathParameter;
+import java.io.FileOutputStream;
+import java.io.OutputStream;
+import java.nio.file.Path;
+import java.security.Security;
+import javax.inject.Inject;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.openpgp.PGPKeyPair;
+
+/** Retrieves ASCII-armored secrets from the active {@link Keyring} implementation. */
+@Parameters(
+  separators = " =",
+  commandDescription = "Retrieves the value of a secret from the keyring."
+)
+final class GetKeyringSecretCommand implements RemoteApiCommand {
+
+  @Inject Keyring keyring;
+
+  @Inject
+  GetKeyringSecretCommand() {}
+
+  private enum KeyringKeyName {
+    BRAINTREE_PRIVATE_KEY,
+    BRDA_RECEIVER_PUBLIC_KEY,
+    BRDA_SIGNING_KEY_PAIR,
+    ICANN_REPORTING_PASSWORD,
+    JSON_CREDENTIAL,
+    MARKSDB_DNL_LOGIN,
+    MARKSDB_LORDN_PASSWORD,
+    MARKSDB_SMDRL_LOGIN,
+    RDE_RECEIVER_PUBLIC_KEY,
+    RDE_SIGNING_KEY_PAIR,
+    RDE_SSH_CLIENT_PRIVATE_KEY,
+    RDE_SSH_CLIENT_PUBLIC_KEY,
+    RDE_STAGING_KEY_PAIR,
+    RDE_STAGING_PUBLIC_KEY,
+  }
+
+  @Parameter(names = "--keyname", description = "The secret to load", required = true)
+  private KeyringKeyName keyringKeyName;
+
+  @Parameter(
+    names = {"-o", "--output"},
+    description = "Name of output file for key data.",
+    validateWith = PathParameter.OutputFile.class
+  )
+  private Path outputPath = null;
+
+  @Override
+  public void run() throws Exception {
+    OutputStream out = outputPath != null ? new FileOutputStream(outputPath.toFile()) : System.out;
+    Security.addProvider(new BouncyCastleProvider());
+
+    switch (keyringKeyName) {
+      case BRAINTREE_PRIVATE_KEY:
+        out.write(KeySerializer.serializeString(keyring.getBraintreePrivateKey()));
+        break;
+      case BRDA_RECEIVER_PUBLIC_KEY:
+        out.write(KeySerializer.serializePublicKey(keyring.getBrdaReceiverKey()));
+        break;
+      case BRDA_SIGNING_KEY_PAIR:
+        out.write(KeySerializer.serializeKeyPair(keyring.getBrdaSigningKey()));
+        break;
+      case ICANN_REPORTING_PASSWORD:
+        out.write(KeySerializer.serializeString(keyring.getIcannReportingPassword()));
+        break;
+      case JSON_CREDENTIAL:
+        out.write(KeySerializer.serializeString(keyring.getJsonCredential()));
+        break;
+      case MARKSDB_DNL_LOGIN:
+        out.write(KeySerializer.serializeString(keyring.getMarksdbDnlLogin()));
+        break;
+      case MARKSDB_LORDN_PASSWORD:
+        out.write(KeySerializer.serializeString(keyring.getMarksdbLordnPassword()));
+        break;
+      case MARKSDB_SMDRL_LOGIN:
+        out.write(KeySerializer.serializeString(keyring.getMarksdbSmdrlLogin()));
+        break;
+      case RDE_RECEIVER_PUBLIC_KEY:
+        out.write(KeySerializer.serializePublicKey(keyring.getRdeReceiverKey()));
+        break;
+      case RDE_SIGNING_KEY_PAIR:
+        out.write(KeySerializer.serializeKeyPair(keyring.getRdeSigningKey()));
+        break;
+      case RDE_SSH_CLIENT_PRIVATE_KEY:
+        out.write(KeySerializer.serializeString(keyring.getRdeSshClientPrivateKey()));
+        break;
+      case RDE_SSH_CLIENT_PUBLIC_KEY:
+        out.write(KeySerializer.serializeString(keyring.getRdeSshClientPublicKey()));
+        break;
+      case RDE_STAGING_KEY_PAIR:
+        // Note that we're saving a key pair rather than just the private key because we can't
+        // serialize a private key on its own. See {@link KeySerializer}.
+        out.write(KeySerializer.serializeKeyPair(
+            new PGPKeyPair(
+                keyring.getRdeStagingEncryptionKey(), keyring.getRdeStagingDecryptionKey())));
+        break;
+      case RDE_STAGING_PUBLIC_KEY:
+        out.write(KeySerializer.serializePublicKey(keyring.getRdeStagingEncryptionKey()));
+        break;
+    }
+  }
+}

java/google/registry/tools/RegistryTool.java

@@ -73,6 +73,7 @@ public final class RegistryTool {
           .put("get_domain", GetDomainCommand.class)
           .put("get_history_entries", GetHistoryEntriesCommand.class)
           .put("get_host", GetHostCommand.class)
+          .put("get_keyring_secret", GetKeyringSecretCommand.class)
           .put("get_lrp_token", GetLrpTokenCommand.class)
           .put("get_registrar", GetRegistrarCommand.class)
           .put("get_resource_by_key", GetResourceByKeyCommand.class)

java/google/registry/tools/RegistryToolComponent.java

@@ -69,6 +69,7 @@ interface RegistryToolComponent {
   void inject(GenerateApplicationsReportCommand command);
   void inject(GenerateDnsReportCommand command);
   void inject(GenerateEscrowDepositCommand command);
+  void inject(GetKeyringSecretCommand command);
   void inject(GhostrydeCommand command);
   void inject(ListCursorsCommand command);
   void inject(LoginCommand command);