Change UserPolicy to PUBLIC on WHOIS and EPP endpoints

------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=193407195
2025-04-29 19:47:51 +02:00 · 2018-04-18 13:29:15 -07:00 · 2018-04-18 13:29:15 -07:00 · f289259101
commit f289259101
parent 77bfa5f4b8
8 changed files with 15 additions and 32 deletions
--- a/docs/proxy-setup.md
+++ b/docs/proxy-setup.md
@ -145,15 +145,6 @@ oAuth:
    - <client_id>
 ```

-This service account also needs to be an ["App Engine Admin"](https://github.com/google/nomulus/blob/3dfd141e0fed650b5eb2631b4345220355221b77/java/google/registry/request/auth/UserAuthInfo.java#L31),
-which means it needs to granted a role like "Project Viewer":
-
-```bash
-$ gcloud add-iam-binding <nomulus-project> \
- --member=serviceAccount:<service-account-email> \
- --role=roles/viewer
- ```
-
 ### Setup nameservers

 The terraform output (run `terraform output` in the environment folder to show
@ -325,15 +316,6 @@ oAuth:

 Redeploy Nomulus for the change to take effect.

-The project that hosts Nomulus also needs to add this service account as a
-project viewer so that OAuth protected endpoints like `/_dr/epp` and
-`/_dr/whois` can be accessed by the proxy:
-
-```bash
-$ gcloud projects add-iam-policy-binding <project-id> \
--member serviceAccount:<service-account-email> --role roles/viewer
-```
-
 Also bind the "Logs Writer" and role to the proxy service account so that it can
 write logs to [Stackdriver Logging](https://cloud.google.com/logging/).

--- a/java/google/registry/flows/EppTlsAction.java
+++ b/java/google/registry/flows/EppTlsAction.java
@ -29,7 +29,7 @@ import javax.servlet.http.HttpSession;
@Action(
  path = "/_dr/epp",
  method = Method.POST,
-  auth = Auth.AUTH_INTERNAL_OR_ADMIN
+  auth = Auth.AUTH_PUBLIC_OR_INTERNAL
 )
 public class EppTlsAction implements Runnable {

--- a/java/google/registry/proxy/terraform/example_config.tf
+++ b/java/google/registry/proxy/terraform/example_config.tf
@ -9,7 +9,6 @@ terraform {
 module "proxy" {
  source                   = "../../modules"
  proxy_project_name       = "YOUR_PROXY_PROJECT"
-  nomulus_project_name     = "YOUR_NOMULUS_GPROJECT"
  gcr_project_name         = "YOUR_GCR_PROJECT"
  proxy_domain_name        = "YOUR_PROXY_DOMAIN"
  proxy_certificate_bucket = "YOU_CERTIFICATE_BUCKET"
--- a/java/google/registry/proxy/terraform/modules/iam.tf
+++ b/java/google/registry/proxy/terraform/modules/iam.tf
@ -3,12 +3,6 @@ resource "google_service_account" "proxy_service_account" {
  display_name = "Nomulus proxy service account"
 }

-resource "google_project_iam_member" "nomulus_project_viewer" {
-  project = "${var.nomulus_project_name}"
-  role    = "roles/viewer"
-  member  = "serviceAccount:${google_service_account.proxy_service_account.email}"
-}
-
 resource "google_project_iam_member" "gcr_storage_viewer" {
  project = "${var.gcr_project_name}"
  role    = "roles/storage.objectViewer"
--- a/java/google/registry/proxy/terraform/modules/input.tf
+++ b/java/google/registry/proxy/terraform/modules/input.tf
@ -1,9 +1,6 @@
 # GCP project in which the proxy runs.
 variable "proxy_project_name" {}

-# GCP project in which Nomulus runs.
-variable "nomulus_project_name" {}
-
 # GCP project from which the proxy image is pulled.
 variable "gcr_project_name" {}

--- a/java/google/registry/request/auth/Auth.java
+++ b/java/google/registry/request/auth/Auth.java
@ -56,6 +56,17 @@ public enum Auth {
      AuthLevel.USER,
      UserPolicy.PUBLIC),

+  /**
+   * Allows anyone access, as long as they use OAuth to authenticate.
+   *
+   * Also allows access from App Engine task-queue. Note that OAuth client ID still needs to be
+   * whitelisted in the config file for OAuth-based authentication to succeed.
+   */
+  AUTH_PUBLIC_OR_INTERNAL(
+      ImmutableList.of(AuthMethod.INTERNAL, AuthMethod.API),
+      AuthLevel.APP,
+      UserPolicy.PUBLIC),
+
  /**
   * Allows only admins or App Engine task-queue access.
   */
--- a/java/google/registry/whois/WhoisAction.java
+++ b/java/google/registry/whois/WhoisAction.java
@ -49,7 +49,7 @@ import org.joda.time.DateTime;
 * @see WhoisHttpAction
 * @see <a href="http://www.ietf.org/rfc/rfc3912.txt">RFC 3912: WHOIS Protocol Specification</a>
 */
-@Action(path = "/_dr/whois", method = POST, auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+@Action(path = "/_dr/whois", method = POST, auth = Auth.AUTH_PUBLIC_OR_INTERNAL)
 public class WhoisAction implements Runnable {

  private static final FormattingLogger logger = FormattingLogger.getLoggerForCallerClass();
--- a/javatests/google/registry/module/frontend/testdata/frontend_routing.txt
+++ b/javatests/google/registry/module/frontend/testdata/frontend_routing.txt
@ -1,6 +1,6 @@
 PATH                     CLASS                       METHODS  OK AUTH_METHODS        MIN  USER_POLICY
-/_dr/epp                 EppTlsAction                POST     n  INTERNAL,API        APP  ADMIN
-/_dr/whois               WhoisAction                 POST     n  INTERNAL,API        APP  ADMIN
+/_dr/epp                 EppTlsAction                POST     n  INTERNAL,API        APP  PUBLIC
+/_dr/whois               WhoisAction                 POST     n  INTERNAL,API        APP  PUBLIC
 /check                   CheckApiAction              GET      n  INTERNAL            NONE PUBLIC
 /rdap/autnum/(*)         RdapAutnumAction            GET,HEAD n  INTERNAL            NONE PUBLIC
 /rdap/domain/(*)         RdapDomainAction            GET,HEAD n  INTERNAL,API,LEGACY NONE PUBLIC