From f289259101dc2a0e4df46a13c87022f28704b6f4 Mon Sep 17 00:00:00 2001 From: jianglai Date: Wed, 18 Apr 2018 13:29:15 -0700 Subject: [PATCH] Change UserPolicy to PUBLIC on WHOIS and EPP endpoints ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=193407195 --- docs/proxy-setup.md | 18 ------------------ java/google/registry/flows/EppTlsAction.java | 2 +- .../registry/proxy/terraform/example_config.tf | 1 - .../registry/proxy/terraform/modules/iam.tf | 6 ------ .../registry/proxy/terraform/modules/input.tf | 3 --- java/google/registry/request/auth/Auth.java | 11 +++++++++++ java/google/registry/whois/WhoisAction.java | 2 +- .../frontend/testdata/frontend_routing.txt | 4 ++-- 8 files changed, 15 insertions(+), 32 deletions(-) diff --git a/docs/proxy-setup.md b/docs/proxy-setup.md index b3424d591..de38cb872 100644 --- a/docs/proxy-setup.md +++ b/docs/proxy-setup.md @@ -145,15 +145,6 @@ oAuth: - ``` -This service account also needs to be an ["App Engine Admin"](https://github.com/google/nomulus/blob/3dfd141e0fed650b5eb2631b4345220355221b77/java/google/registry/request/auth/UserAuthInfo.java#L31), -which means it needs to granted a role like "Project Viewer": - -```bash -$ gcloud add-iam-binding \ - --member=serviceAccount: \ - --role=roles/viewer - ``` - ### Setup nameservers The terraform output (run `terraform output` in the environment folder to show @@ -325,15 +316,6 @@ oAuth: Redeploy Nomulus for the change to take effect. -The project that hosts Nomulus also needs to add this service account as a -project viewer so that OAuth protected endpoints like `/_dr/epp` and -`/_dr/whois` can be accessed by the proxy: - -```bash -$ gcloud projects add-iam-policy-binding \ ---member serviceAccount: --role roles/viewer -``` - Also bind the "Logs Writer" and role to the proxy service account so that it can write logs to [Stackdriver Logging](https://cloud.google.com/logging/). 
diff --git a/java/google/registry/flows/EppTlsAction.java b/java/google/registry/flows/EppTlsAction.java
index 8163eed76..259f1e85d 100644
--- a/java/google/registry/flows/EppTlsAction.java
+++ b/java/google/registry/flows/EppTlsAction.java
@@ -29,7 +29,7 @@ import javax.servlet.http.HttpSession;
 
 @Action(
     path = "/_dr/epp",
     method = Method.POST,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN
+    auth = Auth.AUTH_PUBLIC_OR_INTERNAL
 )
 public class EppTlsAction implements Runnable {
diff --git a/java/google/registry/proxy/terraform/example_config.tf b/java/google/registry/proxy/terraform/example_config.tf
index 518bac7ad..7541f2731 100644
--- a/java/google/registry/proxy/terraform/example_config.tf
+++ b/java/google/registry/proxy/terraform/example_config.tf
@@ -9,7 +9,6 @@ terraform {
 module "proxy" {
   source = "../../modules"
   proxy_project_name = "YOUR_PROXY_PROJECT"
-  nomulus_project_name = "YOUR_NOMULUS_GPROJECT"
   gcr_project_name = "YOUR_GCR_PROJECT"
   proxy_domain_name = "YOUR_PROXY_DOMAIN"
   proxy_certificate_bucket = "YOU_CERTIFICATE_BUCKET"
diff --git a/java/google/registry/proxy/terraform/modules/iam.tf b/java/google/registry/proxy/terraform/modules/iam.tf
index aecc487ac..1e346a562 100644
--- a/java/google/registry/proxy/terraform/modules/iam.tf
+++ b/java/google/registry/proxy/terraform/modules/iam.tf
@@ -3,12 +3,6 @@ resource "google_service_account" "proxy_service_account" {
   display_name = "Nomulus proxy service account"
 }
 
-resource "google_project_iam_member" "nomulus_project_viewer" {
-  project = "${var.nomulus_project_name}"
-  role = "roles/viewer"
-  member = "serviceAccount:${google_service_account.proxy_service_account.email}"
-}
-
 resource "google_project_iam_member" "gcr_storage_viewer" {
   project = "${var.gcr_project_name}"
   role = "roles/storage.objectViewer"
diff --git a/java/google/registry/proxy/terraform/modules/input.tf b/java/google/registry/proxy/terraform/modules/input.tf
index a39780e71..a573fd297 100644
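Review bot: Switching `auth` to `Auth.AUTH_PUBLIC_OR_INTERNAL` drops the admin requirement at the HTTP layer, so any caller holding an OAuth token for a whitelisted client ID, not only the proxy's service account, can reach `/_dr/epp`; the same applies to the identical change to `/_dr/whois` in WhoisAction.java. If this action trusts connection metadata forwarded by the proxy (the class body is outside the hunk), that trust now rests entirely on the client-ID whitelist, which deserves a sentence in the class Javadoc, e.g. `* Access at the HTTP layer is gated only by the whitelisted OAuth client ID (see Auth.AUTH_PUBLIC_OR_INTERNAL); admin membership is no longer required.` The docs hunk removes the project-viewer step but does not say where the replacement gate is configured, so a pointer to the client-ID whitelist setting would keep the proxy setup guide complete.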
--- a/java/google/registry/proxy/terraform/modules/input.tf
+++ b/java/google/registry/proxy/terraform/modules/input.tf
@@ -1,9 +1,6 @@
 # GCP project in which the proxy runs.
 variable "proxy_project_name" {}
 
-# GCP project in which Nomulus runs.
-variable "nomulus_project_name" {}
-
 # GCP project from which the proxy image is pulled.
 variable "gcr_project_name" {}
 
diff --git a/java/google/registry/request/auth/Auth.java b/java/google/registry/request/auth/Auth.java
index ccc065c9b..6d5ed24c5 100644
--- a/java/google/registry/request/auth/Auth.java
+++ b/java/google/registry/request/auth/Auth.java
@@ -56,6 +56,17 @@ public enum Auth {
       AuthLevel.USER,
       UserPolicy.PUBLIC),
 
+  /**
+   * Allows anyone access, as long as they use OAuth to authenticate.
+   *
+   * Also allows access from App Engine task-queue. Note that OAuth client ID still needs to be
+   * whitelisted in the config file for OAuth-based authentication to succeed.
+   */
+  AUTH_PUBLIC_OR_INTERNAL(
+      ImmutableList.of(AuthMethod.INTERNAL, AuthMethod.API),
+      AuthLevel.APP,
+      UserPolicy.PUBLIC),
+
   /**
    * Allows only admins or App Engine task-queue access.
    */
diff --git a/java/google/registry/whois/WhoisAction.java b/java/google/registry/whois/WhoisAction.java
index dc11fdd31..c7836b46a 100644
--- a/java/google/registry/whois/WhoisAction.java
+++ b/java/google/registry/whois/WhoisAction.java
@@ -49,7 +49,7 @@ import org.joda.time.DateTime;
  * @see WhoisHttpAction
  * @see RFC 3912: WHOIS Protocol Specification
  */
-@Action(path = "/_dr/whois", method = POST, auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+@Action(path = "/_dr/whois", method = POST, auth = Auth.AUTH_PUBLIC_OR_INTERNAL)
 public class WhoisAction implements Runnable {
 
   private static final FormattingLogger logger = FormattingLogger.getLoggerForCallerClass();
diff --git a/javatests/google/registry/module/frontend/testdata/frontend_routing.txt b/javatests/google/registry/module/frontend/testdata/frontend_routing.txt
index d95557c10..1b771c337 100644
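Review bot: The Javadoc on the new `AUTH_PUBLIC_OR_INTERNAL` constant understates the policy it defines: with `UserPolicy.PUBLIC` and `AuthLevel.APP`, the whitelisted OAuth client ID is the only check applied to API callers, and the "still needs to be whitelisted" wording reads as a side note rather than the sole gate. The second paragraph also lacks the `<p>` that starts a new Javadoc paragraph. Suggested replacement for that paragraph: `* <p>Also allows App Engine task-queue (internal) access. For OAuth callers the whitelisted client ID in the config file is the only gate: no admin or project role is required.` The rest of the enum is outside the hunk, so whether neighbouring constants follow the same paragraph convention is not visible here.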
--- a/javatests/google/registry/module/frontend/testdata/frontend_routing.txt
+++ b/javatests/google/registry/module/frontend/testdata/frontend_routing.txt
@@ -1,6 +1,6 @@
 PATH CLASS METHODS OK AUTH_METHODS MIN USER_POLICY
-/_dr/epp EppTlsAction POST n INTERNAL,API APP ADMIN
-/_dr/whois WhoisAction POST n INTERNAL,API APP ADMIN
+/_dr/epp EppTlsAction POST n INTERNAL,API APP PUBLIC
+/_dr/whois WhoisAction POST n INTERNAL,API APP PUBLIC
 /check CheckApiAction GET n INTERNAL NONE PUBLIC
 /rdap/autnum/(*) RdapAutnumAction GET,HEAD n INTERNAL NONE PUBLIC
 /rdap/domain/(*) RdapDomainAction GET,HEAD n INTERNAL,API,LEGACY NONE PUBLIC