Change UserPolicy to PUBLIC on WHOIS and EPP endpoints

------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=193407195
2025-06-05 12:07:25 +02:00 · 2018-04-18 13:29:15 -07:00 · 2018-04-18 13:29:15 -07:00 · f289259101
commit f289259101
parent 77bfa5f4b8
8 changed files with 15 additions and 32 deletions
--- a/docs/proxy-setup.md
+++ b/docs/proxy-setup.md
@ -145,15 +145,6 @@ oAuth:
    - <client_id>
 ```
 This service account also needs to be an ["App Engine Admin"](https://github.com/google/nomulus/blob/3dfd141e0fed650b5eb2631b4345220355221b77/java/google/registry/request/auth/UserAuthInfo.java#L31),
 which means it needs to granted a role like "Project Viewer":
 ```bash
 $ gcloud add-iam-binding <nomulus-project> \
 --member=serviceAccount:<service-account-email> \
 --role=roles/viewer
 ```
 ### Setup nameservers
 The terraform output (run `terraform output` in the environment folder to show
@ -325,15 +316,6 @@ oAuth:
 Redeploy Nomulus for the change to take effect.
 The project that hosts Nomulus also needs to add this service account as a
 project viewer so that OAuth protected endpoints like `/_dr/epp` and
 `/_dr/whois` can be accessed by the proxy:
 ```bash
 $ gcloud projects add-iam-policy-binding <project-id> \
 --member serviceAccount:<service-account-email> --role roles/viewer
 ```
 Also bind the "Logs Writer" and role to the proxy service account so that it can
 write logs to [Stackdriver Logging](https://cloud.google.com/logging/).
--- a/java/google/registry/flows/EppTlsAction.java
+++ b/java/google/registry/flows/EppTlsAction.java
@ -29,7 +29,7 @@ import javax.servlet.http.HttpSession;
@Action(
  path = "/_dr/epp",
  method = Method.POST,
-  auth = Auth.AUTH_INTERNAL_OR_ADMIN
+  auth = Auth.AUTH_PUBLIC_OR_INTERNAL
 )
 public class EppTlsAction implements Runnable {
--- a/java/google/registry/proxy/terraform/example_config.tf
+++ b/java/google/registry/proxy/terraform/example_config.tf
@ -9,7 +9,6 @@ terraform {
 module "proxy" {
  source                   = "../../modules"
  proxy_project_name       = "YOUR_PROXY_PROJECT"
  nomulus_project_name     = "YOUR_NOMULUS_GPROJECT"
  gcr_project_name         = "YOUR_GCR_PROJECT"
  proxy_domain_name        = "YOUR_PROXY_DOMAIN"
  proxy_certificate_bucket = "YOU_CERTIFICATE_BUCKET"
--- a/java/google/registry/proxy/terraform/modules/iam.tf
+++ b/java/google/registry/proxy/terraform/modules/iam.tf
@ -3,12 +3,6 @@ resource "google_service_account" "proxy_service_account" {
  display_name = "Nomulus proxy service account"
 }
 resource "google_project_iam_member" "nomulus_project_viewer" {
  project = "${var.nomulus_project_name}"
  role    = "roles/viewer"
  member  = "serviceAccount:${google_service_account.proxy_service_account.email}"
 }
 resource "google_project_iam_member" "gcr_storage_viewer" {
  project = "${var.gcr_project_name}"
  role    = "roles/storage.objectViewer"
--- a/java/google/registry/proxy/terraform/modules/input.tf
+++ b/java/google/registry/proxy/terraform/modules/input.tf
@ -1,9 +1,6 @@
 # GCP project in which the proxy runs.
 variable "proxy_project_name" {}
 # GCP project in which Nomulus runs.
 variable "nomulus_project_name" {}
 # GCP project from which the proxy image is pulled.
 variable "gcr_project_name" {}
--- a/java/google/registry/request/auth/Auth.java
+++ b/java/google/registry/request/auth/Auth.java
@ -56,6 +56,17 @@ public enum Auth {
      AuthLevel.USER,
      UserPolicy.PUBLIC),
  /**
   * Allows anyone access, as long as they use OAuth to authenticate.
   *
   * Also allows access from App Engine task-queue. Note that OAuth client ID still needs to be
   * whitelisted in the config file for OAuth-based authentication to succeed.
   */
  AUTH_PUBLIC_OR_INTERNAL(
      ImmutableList.of(AuthMethod.INTERNAL, AuthMethod.API),
      AuthLevel.APP,
      UserPolicy.PUBLIC),
  /**
   * Allows only admins or App Engine task-queue access.
   */
--- a/java/google/registry/whois/WhoisAction.java
+++ b/java/google/registry/whois/WhoisAction.java
@ -49,7 +49,7 @@ import org.joda.time.DateTime;
 * @see WhoisHttpAction
 * @see <a href="http://www.ietf.org/rfc/rfc3912.txt">RFC 3912: WHOIS Protocol Specification</a>
 */
-@Action(path = "/_dr/whois", method = POST, auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+@Action(path = "/_dr/whois", method = POST, auth = Auth.AUTH_PUBLIC_OR_INTERNAL)
 public class WhoisAction implements Runnable {
  private static final FormattingLogger logger = FormattingLogger.getLoggerForCallerClass();
--- a/javatests/google/registry/module/frontend/testdata/frontend_routing.txt
+++ b/javatests/google/registry/module/frontend/testdata/frontend_routing.txt
@ -1,6 +1,6 @@
 PATH                     CLASS                       METHODS  OK AUTH_METHODS        MIN  USER_POLICY
-/_dr/epp                 EppTlsAction                POST     n  INTERNAL,API        APP  ADMIN
+/_dr/epp                 EppTlsAction                POST     n  INTERNAL,API        APP  PUBLIC
-/_dr/whois               WhoisAction                 POST     n  INTERNAL,API        APP  ADMIN
+/_dr/whois               WhoisAction                 POST     n  INTERNAL,API        APP  PUBLIC
 /check                   CheckApiAction              GET      n  INTERNAL            NONE PUBLIC
 /rdap/autnum/(*)         RdapAutnumAction            GET,HEAD n  INTERNAL            NONE PUBLIC
 /rdap/domain/(*)         RdapDomainAction            GET,HEAD n  INTERNAL,API,LEGACY NONE PUBLIC