diff --git a/core/src/main/java/google/registry/backup/CommitLogCheckpointAction.java b/core/src/main/java/google/registry/backup/CommitLogCheckpointAction.java
index dc9e6485f..30033fcfc 100644
--- a/core/src/main/java/google/registry/backup/CommitLogCheckpointAction.java
+++ b/core/src/main/java/google/registry/backup/CommitLogCheckpointAction.java
@@ -47,7 +47,7 @@ import org.joda.time.DateTime;
 path = "/_dr/cron/commitLogCheckpoint",
 method = Action.Method.GET,
 automaticallyPrintOk = true,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public final class CommitLogCheckpointAction implements Runnable {
 private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/backup/DeleteOldCommitLogsAction.java b/core/src/main/java/google/registry/backup/DeleteOldCommitLogsAction.java
index a64af7357..69ee4307b 100644
--- a/core/src/main/java/google/registry/backup/DeleteOldCommitLogsAction.java
+++ b/core/src/main/java/google/registry/backup/DeleteOldCommitLogsAction.java
@@ -65,7 +65,7 @@ import org.joda.time.Duration;
 @Action(
 service = Action.Service.BACKEND,
 path = "/_dr/task/deleteOldCommitLogs",
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public final class DeleteOldCommitLogsAction implements Runnable {
 private static final int NUM_MAP_SHARDS = 20;
diff --git a/core/src/main/java/google/registry/backup/ExportCommitLogDiffAction.java b/core/src/main/java/google/registry/backup/ExportCommitLogDiffAction.java
index 7e27f7915..b9d95e754 100644
--- a/core/src/main/java/google/registry/backup/ExportCommitLogDiffAction.java
+++ b/core/src/main/java/google/registry/backup/ExportCommitLogDiffAction.java
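Review bot: Switching `auth` to `Auth.AUTH_INTERNAL_OR_ADMIN` on the `@Action` for `/_dr/cron/commitLogCheckpoint` means an API request from an admin user is now accepted where previously only internal task-queue requests were, and the same one-line widening is repeated on every other action in this commit, including `KillAllCommitLogsAction`, `KillAllEppResourcesAction` and the bulk-deletion actions under `batch/`. Because the `Auth.java` hunk also deletes `AUTH_INTERNAL_ONLY`, no endpoint can opt back into internal-only access afterwards. If that is intended for all of them, the Javadoc on `AUTH_INTERNAL_OR_ADMIN` (not visible in the hunk) should say so, for example `Allows internal (task-queue) requests and API requests from admin users; now the narrowest setting for cron and task endpoints.` Otherwise it would be safer to keep an internal-only setting for the destructive endpoints. The annotation starts outside this hunk, so the `service` it is bound to cannot be checked from here.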
@@ -63,7 +63,7 @@ import org.joda.time.DateTime;
 path = ExportCommitLogDiffAction.PATH,
 method = Action.Method.POST,
 automaticallyPrintOk = true,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public final class ExportCommitLogDiffAction implements Runnable {
 private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/batch/DeleteContactsAndHostsAction.java b/core/src/main/java/google/registry/batch/DeleteContactsAndHostsAction.java
index 579a3e0a7..d45be62b1 100644
--- a/core/src/main/java/google/registry/batch/DeleteContactsAndHostsAction.java
+++ b/core/src/main/java/google/registry/batch/DeleteContactsAndHostsAction.java
@@ -111,7 +111,7 @@ import org.joda.time.Duration;
 @Action(
 service = Action.Service.BACKEND,
 path = "/_dr/task/deleteContactsAndHosts",
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public class DeleteContactsAndHostsAction implements Runnable {
 static final String KIND_CONTACT = getKind(ContactResource.class);
diff --git a/core/src/main/java/google/registry/batch/DeleteLoadTestDataAction.java b/core/src/main/java/google/registry/batch/DeleteLoadTestDataAction.java
index b31d61966..0c9a72beb 100644
--- a/core/src/main/java/google/registry/batch/DeleteLoadTestDataAction.java
+++ b/core/src/main/java/google/registry/batch/DeleteLoadTestDataAction.java
@@ -55,7 +55,7 @@ import javax.inject.Inject;
 service = Action.Service.BACKEND,
 path = "/_dr/task/deleteLoadTestData",
 method = POST,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public class DeleteLoadTestDataAction implements Runnable {
 private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/batch/DeleteProberDataAction.java b/core/src/main/java/google/registry/batch/DeleteProberDataAction.java
index c03534c00..2d6d19011 100644
--- a/core/src/main/java/google/registry/batch/DeleteProberDataAction.java
+++ b/core/src/main/java/google/registry/batch/DeleteProberDataAction.java
@@ -68,7 +68,7 @@ import org.joda.time.Duration;
 service = Action.Service.BACKEND,
 path = "/_dr/task/deleteProberData",
 method = POST,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public class DeleteProberDataAction implements Runnable {
 private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/batch/ExpandRecurringBillingEventsAction.java b/core/src/main/java/google/registry/batch/ExpandRecurringBillingEventsAction.java
index 4c36782e9..afb2a10c0 100644
--- a/core/src/main/java/google/registry/batch/ExpandRecurringBillingEventsAction.java
+++ b/core/src/main/java/google/registry/batch/ExpandRecurringBillingEventsAction.java
@@ -75,7 +75,7 @@ import org.joda.time.DateTime;
 @Action(
 service = Action.Service.BACKEND,
 path = "/_dr/task/expandRecurringBillingEvents",
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public class ExpandRecurringBillingEventsAction implements Runnable {
 public static final String PARAM_CURSOR_TIME = "cursorTime";
diff --git a/core/src/main/java/google/registry/batch/RefreshDnsOnHostRenameAction.java b/core/src/main/java/google/registry/batch/RefreshDnsOnHostRenameAction.java
index ed5995f89..488b304f1 100644
--- a/core/src/main/java/google/registry/batch/RefreshDnsOnHostRenameAction.java
+++ b/core/src/main/java/google/registry/batch/RefreshDnsOnHostRenameAction.java
@@ -75,7 +75,7 @@ import org.joda.time.Duration;
 @Action(
 service = Action.Service.BACKEND,
 path = "/_dr/task/refreshDnsOnHostRename",
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public class RefreshDnsOnHostRenameAction implements Runnable {
 private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/cron/CommitLogFanoutAction.java b/core/src/main/java/google/registry/cron/CommitLogFanoutAction.java
index 35df88bf3..a57d78000 100644
--- a/core/src/main/java/google/registry/cron/CommitLogFanoutAction.java
+++ b/core/src/main/java/google/registry/cron/CommitLogFanoutAction.java
@@ -33,7 +33,7 @@ import javax.inject.Inject;
 service = Action.Service.BACKEND,
 path = "/_dr/cron/commitLogFanout",
 automaticallyPrintOk = true,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public final class CommitLogFanoutAction implements Runnable {
 public static final String BUCKET_PARAM = "bucket";
diff --git a/core/src/main/java/google/registry/cron/TldFanoutAction.java b/core/src/main/java/google/registry/cron/TldFanoutAction.java
index 49190c4a0..f957ea6dd 100644
--- a/core/src/main/java/google/registry/cron/TldFanoutAction.java
+++ b/core/src/main/java/google/registry/cron/TldFanoutAction.java
@@ -87,7 +87,7 @@ import javax.inject.Inject;
 service = Action.Service.BACKEND,
 path = "/_dr/cron/fanout",
 automaticallyPrintOk = true,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public final class TldFanoutAction implements Runnable {
 /** A set of control params to TldFanoutAction that aren't passed down to the executing action. */
diff --git a/core/src/main/java/google/registry/dns/PublishDnsUpdatesAction.java b/core/src/main/java/google/registry/dns/PublishDnsUpdatesAction.java
index f118cd187..27a380077 100644
--- a/core/src/main/java/google/registry/dns/PublishDnsUpdatesAction.java
+++ b/core/src/main/java/google/registry/dns/PublishDnsUpdatesAction.java
@@ -52,7 +52,7 @@ import org.joda.time.Duration;
 path = PublishDnsUpdatesAction.PATH,
 method = POST,
 automaticallyPrintOk = true,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public final class PublishDnsUpdatesAction implements Runnable, Callable {
 public static final String PATH = "/_dr/task/publishDnsUpdates";
diff --git a/core/src/main/java/google/registry/dns/ReadDnsQueueAction.java b/core/src/main/java/google/registry/dns/ReadDnsQueueAction.java
index 9efd88397..b4c436e9f 100644
--- a/core/src/main/java/google/registry/dns/ReadDnsQueueAction.java
+++ b/core/src/main/java/google/registry/dns/ReadDnsQueueAction.java
@@ -80,7 +80,7 @@ import org.joda.time.Duration;
 service = Action.Service.BACKEND,
 path = "/_dr/cron/readDnsQueue",
 automaticallyPrintOk = true,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public final class ReadDnsQueueAction implements Runnable {
 private static final String PARAM_JITTER_SECONDS = "jitterSeconds";
diff --git a/core/src/main/java/google/registry/dns/RefreshDnsAction.java b/core/src/main/java/google/registry/dns/RefreshDnsAction.java
index 39ad4e142..3284dd382 100644
--- a/core/src/main/java/google/registry/dns/RefreshDnsAction.java
+++ b/core/src/main/java/google/registry/dns/RefreshDnsAction.java
@@ -35,7 +35,7 @@ import javax.inject.Inject;
 service = Action.Service.BACKEND,
 path = "/_dr/dnsRefresh",
 automaticallyPrintOk = true,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public final class RefreshDnsAction implements Runnable {
 private final Clock clock;
diff --git a/core/src/main/java/google/registry/export/BackupDatastoreAction.java b/core/src/main/java/google/registry/export/BackupDatastoreAction.java
index 1f03e3d99..02b3df5ee 100644
--- a/core/src/main/java/google/registry/export/BackupDatastoreAction.java
+++ b/core/src/main/java/google/registry/export/BackupDatastoreAction.java
@@ -45,7 +45,7 @@ import javax.inject.Inject;
 path = BackupDatastoreAction.PATH,
 method = POST,
 automaticallyPrintOk = true,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public class BackupDatastoreAction implements Runnable {
 private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/export/BigqueryPollJobAction.java b/core/src/main/java/google/registry/export/BigqueryPollJobAction.java
index 2395fa618..e662b23b6 100644
--- a/core/src/main/java/google/registry/export/BigqueryPollJobAction.java
+++ b/core/src/main/java/google/registry/export/BigqueryPollJobAction.java
@@ -51,7 +51,7 @@ import org.joda.time.Duration;
 path = BigqueryPollJobAction.PATH,
 method = {Action.Method.GET, Action.Method.POST},
 automaticallyPrintOk = true,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public class BigqueryPollJobAction implements Runnable {
 private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/export/CheckBackupAction.java b/core/src/main/java/google/registry/export/CheckBackupAction.java
index 8fb8f0ee9..b1241bfce 100644
--- a/core/src/main/java/google/registry/export/CheckBackupAction.java
+++ b/core/src/main/java/google/registry/export/CheckBackupAction.java
@@ -59,7 +59,7 @@ import org.joda.time.format.PeriodFormat;
 path = CheckBackupAction.PATH,
 method = {POST, GET},
 automaticallyPrintOk = true,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public class CheckBackupAction implements Runnable {
 /** Parameter names for passing parameters into this action. */
diff --git a/core/src/main/java/google/registry/export/ExportDomainListsAction.java b/core/src/main/java/google/registry/export/ExportDomainListsAction.java
index f337cf575..8fc247485 100644
--- a/core/src/main/java/google/registry/export/ExportDomainListsAction.java
+++ b/core/src/main/java/google/registry/export/ExportDomainListsAction.java
@@ -65,7 +65,7 @@ import org.joda.time.DateTime;
 service = Action.Service.BACKEND,
 path = "/_dr/task/exportDomainLists",
 method = POST,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public class ExportDomainListsAction implements Runnable {
 private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/export/ExportPremiumTermsAction.java b/core/src/main/java/google/registry/export/ExportPremiumTermsAction.java
index 1e339f3fc..5178728ed 100644
--- a/core/src/main/java/google/registry/export/ExportPremiumTermsAction.java
+++ b/core/src/main/java/google/registry/export/ExportPremiumTermsAction.java
@@ -49,7 +49,7 @@ import javax.inject.Inject;
 service = Action.Service.BACKEND,
 path = "/_dr/task/exportPremiumTerms",
 method = POST,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public class ExportPremiumTermsAction implements Runnable {
 private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/export/ExportReservedTermsAction.java b/core/src/main/java/google/registry/export/ExportReservedTermsAction.java
index c29f6022c..367fb03d0 100644
--- a/core/src/main/java/google/registry/export/ExportReservedTermsAction.java
+++ b/core/src/main/java/google/registry/export/ExportReservedTermsAction.java
@@ -37,7 +37,7 @@ import javax.inject.Inject;
 service = Action.Service.BACKEND,
 path = "/_dr/task/exportReservedTerms",
 method = POST,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public class ExportReservedTermsAction implements Runnable {
 private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/export/SyncGroupMembersAction.java b/core/src/main/java/google/registry/export/SyncGroupMembersAction.java
index 5c81470e5..db9285a8d 100644
--- a/core/src/main/java/google/registry/export/SyncGroupMembersAction.java
+++ b/core/src/main/java/google/registry/export/SyncGroupMembersAction.java
@@ -56,7 +56,7 @@ import javax.inject.Inject;
 service = Action.Service.BACKEND,
 path = "/_dr/task/syncGroupMembers",
 method = POST,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public final class SyncGroupMembersAction implements Runnable {
 private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/export/UpdateSnapshotViewAction.java b/core/src/main/java/google/registry/export/UpdateSnapshotViewAction.java
index d3afca967..75e343df7 100644
--- a/core/src/main/java/google/registry/export/UpdateSnapshotViewAction.java
+++ b/core/src/main/java/google/registry/export/UpdateSnapshotViewAction.java
@@ -39,7 +39,7 @@ import javax.inject.Inject;
 service = Action.Service.BACKEND,
 path = UpdateSnapshotViewAction.PATH,
 method = POST,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public class UpdateSnapshotViewAction implements Runnable {
 /** Headers for passing parameters into the servlet. */
diff --git a/core/src/main/java/google/registry/export/UploadDatastoreBackupAction.java b/core/src/main/java/google/registry/export/UploadDatastoreBackupAction.java
index 78a3f659b..5758f229f 100644
--- a/core/src/main/java/google/registry/export/UploadDatastoreBackupAction.java
+++ b/core/src/main/java/google/registry/export/UploadDatastoreBackupAction.java
@@ -52,7 +52,7 @@ import javax.inject.Inject;
 service = Action.Service.BACKEND,
 path = UploadDatastoreBackupAction.PATH,
 method = POST,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public class UploadDatastoreBackupAction implements Runnable {
 /** Parameter names for passing parameters into the servlet. */
diff --git a/core/src/main/java/google/registry/export/sheet/SyncRegistrarsSheetAction.java b/core/src/main/java/google/registry/export/sheet/SyncRegistrarsSheetAction.java
index 745bc0452..e2b1ed249 100644
--- a/core/src/main/java/google/registry/export/sheet/SyncRegistrarsSheetAction.java
+++ b/core/src/main/java/google/registry/export/sheet/SyncRegistrarsSheetAction.java
@@ -60,7 +60,7 @@ import org.joda.time.Duration;
 service = Action.Service.BACKEND,
 path = SyncRegistrarsSheetAction.PATH,
 method = POST,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public class SyncRegistrarsSheetAction implements Runnable {
 private enum Result {
diff --git a/core/src/main/java/google/registry/rde/BrdaCopyAction.java b/core/src/main/java/google/registry/rde/BrdaCopyAction.java
index bae83ffb7..8e935c1f6 100644
--- a/core/src/main/java/google/registry/rde/BrdaCopyAction.java
+++ b/core/src/main/java/google/registry/rde/BrdaCopyAction.java
@@ -58,7 +58,7 @@ import org.joda.time.DateTime;
 path = BrdaCopyAction.PATH,
 method = POST,
 automaticallyPrintOk = true,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public final class BrdaCopyAction implements Runnable {
 static final String PATH = "/_dr/task/brdaCopy";
diff --git a/core/src/main/java/google/registry/rde/RdeReportAction.java b/core/src/main/java/google/registry/rde/RdeReportAction.java
index 429240fbd..8a259fe64 100644
--- a/core/src/main/java/google/registry/rde/RdeReportAction.java
+++ b/core/src/main/java/google/registry/rde/RdeReportAction.java
@@ -53,7 +53,7 @@ import org.joda.time.Duration;
 service = Action.Service.BACKEND,
 path = RdeReportAction.PATH,
 method = POST,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public final class RdeReportAction implements Runnable, EscrowTask {
 static final String PATH = "/_dr/task/rdeReport";
diff --git a/core/src/main/java/google/registry/rde/RdeStagingAction.java b/core/src/main/java/google/registry/rde/RdeStagingAction.java
index 96199dfa3..c3ac547a7 100644
--- a/core/src/main/java/google/registry/rde/RdeStagingAction.java
+++ b/core/src/main/java/google/registry/rde/RdeStagingAction.java
@@ -195,7 +195,7 @@ import org.joda.time.Duration;
 service = Action.Service.BACKEND,
 path = RdeStagingAction.PATH,
 method = {GET, POST},
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public final class RdeStagingAction implements Runnable {
 public static final String PATH = "/_dr/task/rdeStaging";
diff --git a/core/src/main/java/google/registry/rde/RdeUploadAction.java b/core/src/main/java/google/registry/rde/RdeUploadAction.java
index c1f5991a1..f01611f2c 100644
--- a/core/src/main/java/google/registry/rde/RdeUploadAction.java
+++ b/core/src/main/java/google/registry/rde/RdeUploadAction.java
@@ -84,7 +84,7 @@ import org.joda.time.Duration;
 service = Action.Service.BACKEND,
 path = RdeUploadAction.PATH,
 method = POST,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public final class RdeUploadAction implements Runnable, EscrowTask {
 static final String PATH = "/_dr/task/rdeUpload";
diff --git a/core/src/main/java/google/registry/reporting/billing/GenerateInvoicesAction.java b/core/src/main/java/google/registry/reporting/billing/GenerateInvoicesAction.java
index e171d29a7..5f2e34db6 100644
--- a/core/src/main/java/google/registry/reporting/billing/GenerateInvoicesAction.java
+++ b/core/src/main/java/google/registry/reporting/billing/GenerateInvoicesAction.java
@@ -50,7 +50,7 @@ import org.joda.time.YearMonth;
 service = Action.Service.BACKEND,
 path = GenerateInvoicesAction.PATH,
 method = POST,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public class GenerateInvoicesAction implements Runnable {
 private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/reporting/icann/IcannReportingStagingAction.java b/core/src/main/java/google/registry/reporting/icann/IcannReportingStagingAction.java
index 1815e16ec..4c3818f6d 100644
--- a/core/src/main/java/google/registry/reporting/icann/IcannReportingStagingAction.java
+++ b/core/src/main/java/google/registry/reporting/icann/IcannReportingStagingAction.java
@@ -68,7 +68,7 @@ import org.joda.time.format.DateTimeFormat;
 service = Action.Service.BACKEND,
 path = IcannReportingStagingAction.PATH,
 method = POST,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public final class IcannReportingStagingAction implements Runnable {
 static final String PATH = "/_dr/task/icannReportingStaging";
diff --git a/core/src/main/java/google/registry/reporting/spec11/GenerateSpec11ReportAction.java b/core/src/main/java/google/registry/reporting/spec11/GenerateSpec11ReportAction.java
index 7eb250a0c..221590378 100644
--- a/core/src/main/java/google/registry/reporting/spec11/GenerateSpec11ReportAction.java
+++ b/core/src/main/java/google/registry/reporting/spec11/GenerateSpec11ReportAction.java
@@ -49,7 +49,7 @@ import org.joda.time.LocalDate;
 service = Action.Service.BACKEND,
 path = GenerateSpec11ReportAction.PATH,
 method = POST,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public class GenerateSpec11ReportAction implements Runnable {
 private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/request/auth/Auth.java b/core/src/main/java/google/registry/request/auth/Auth.java
index 6d5ed24c5..4d8091f8b 100644
--- a/core/src/main/java/google/registry/request/auth/Auth.java
+++ b/core/src/main/java/google/registry/request/auth/Auth.java
@@ -73,15 +73,7 @@ public enum Auth {
 AUTH_INTERNAL_OR_ADMIN(
 ImmutableList.of(AuthMethod.INTERNAL, AuthMethod.API),
 AuthLevel.APP,
- UserPolicy.ADMIN),
-
- /**
- * Allows only internal (App Engine task-queue) access.
- */
- AUTH_INTERNAL_ONLY(
- ImmutableList.of(AuthMethod.INTERNAL),
- AuthLevel.APP,
- UserPolicy.IGNORED);
+ UserPolicy.ADMIN);
 private final AuthSettings authSettings;
diff --git a/core/src/main/java/google/registry/tmch/NordnUploadAction.java b/core/src/main/java/google/registry/tmch/NordnUploadAction.java
index ffe166542..df80682b2 100644
--- a/core/src/main/java/google/registry/tmch/NordnUploadAction.java
+++ b/core/src/main/java/google/registry/tmch/NordnUploadAction.java
@@ -74,7 +74,7 @@ import org.joda.time.Duration;
 path = NordnUploadAction.PATH,
 method = Action.Method.POST,
 automaticallyPrintOk = true,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public final class NordnUploadAction implements Runnable {
 static final String PATH = "/_dr/task/nordnUpload";
diff --git a/core/src/main/java/google/registry/tmch/NordnVerifyAction.java b/core/src/main/java/google/registry/tmch/NordnVerifyAction.java
index f35036780..528eeeb8e 100644
--- a/core/src/main/java/google/registry/tmch/NordnVerifyAction.java
+++ b/core/src/main/java/google/registry/tmch/NordnVerifyAction.java
@@ -56,7 +56,7 @@ import javax.inject.Inject;
 path = NordnVerifyAction.PATH,
 method = Action.Method.POST,
 automaticallyPrintOk = true,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public final class NordnVerifyAction implements Runnable {
 static final String PATH = "/_dr/task/nordnVerify";
diff --git a/core/src/main/java/google/registry/tmch/TmchCrlAction.java b/core/src/main/java/google/registry/tmch/TmchCrlAction.java
index dc9a0eb52..9857add2f 100644
--- a/core/src/main/java/google/registry/tmch/TmchCrlAction.java
+++ b/core/src/main/java/google/registry/tmch/TmchCrlAction.java
@@ -32,7 +32,7 @@ import javax.inject.Inject;
 path = "/_dr/task/tmchCrl",
 method = POST,
 automaticallyPrintOk = true,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public final class TmchCrlAction implements Runnable {
 @Inject Marksdb marksdb;
diff --git a/core/src/main/java/google/registry/tmch/TmchDnlAction.java b/core/src/main/java/google/registry/tmch/TmchDnlAction.java
index 7b866d899..f04149eae 100644
--- a/core/src/main/java/google/registry/tmch/TmchDnlAction.java
+++ b/core/src/main/java/google/registry/tmch/TmchDnlAction.java
@@ -36,7 +36,7 @@ import org.bouncycastle.openpgp.PGPException;
 path = "/_dr/task/tmchDnl",
 method = POST,
 automaticallyPrintOk = true,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public final class TmchDnlAction implements Runnable {
 private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/tmch/TmchSmdrlAction.java b/core/src/main/java/google/registry/tmch/TmchSmdrlAction.java
index ef46f757d..00a90eb6e 100644
--- a/core/src/main/java/google/registry/tmch/TmchSmdrlAction.java
+++ b/core/src/main/java/google/registry/tmch/TmchSmdrlAction.java
@@ -34,7 +34,7 @@ import org.bouncycastle.openpgp.PGPException;
 path = "/_dr/task/tmchSmdrl",
 method = POST,
 automaticallyPrintOk = true,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public final class TmchSmdrlAction implements Runnable {
 private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/tools/server/KillAllCommitLogsAction.java b/core/src/main/java/google/registry/tools/server/KillAllCommitLogsAction.java
index e3a8dc4dc..0a491b8fe 100644
--- a/core/src/main/java/google/registry/tools/server/KillAllCommitLogsAction.java
+++ b/core/src/main/java/google/registry/tools/server/KillAllCommitLogsAction.java
@@ -48,7 +48,7 @@ import javax.inject.Inject;
 service = Action.Service.TOOLS,
 path = "/_dr/task/killAllCommitLogs",
 method = POST,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public class KillAllCommitLogsAction implements Runnable {
 @Inject MapreduceRunner mrRunner;
diff --git a/core/src/main/java/google/registry/tools/server/KillAllEppResourcesAction.java b/core/src/main/java/google/registry/tools/server/KillAllEppResourcesAction.java
index b14711e63..5f89b7add 100644
--- a/core/src/main/java/google/registry/tools/server/KillAllEppResourcesAction.java
+++ b/core/src/main/java/google/registry/tools/server/KillAllEppResourcesAction.java
@@ -44,7 +44,7 @@ import javax.inject.Inject;
 service = Action.Service.TOOLS,
 path = "/_dr/task/killAllEppResources",
 method = POST,
- auth = Auth.AUTH_INTERNAL_ONLY)
+ auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public class KillAllEppResourcesAction implements Runnable {
 @Inject MapreduceRunner mrRunner;
diff --git a/core/src/test/java/google/registry/request/RouterTest.java b/core/src/test/java/google/registry/request/RouterTest.java
index 7a6149ab5..dea327637 100644
--- a/core/src/test/java/google/registry/request/RouterTest.java
+++ b/core/src/test/java/google/registry/request/RouterTest.java
@@ -16,7 +16,7 @@ package google.registry.request;
 import static com.google.common.truth.Truth.assertThat;
 import static com.google.common.truth.Truth8.assertThat;
-import static google.registry.request.auth.Auth.AUTH_INTERNAL_ONLY;
+import static google.registry.request.auth.Auth.AUTH_INTERNAL_OR_ADMIN;
 import static google.registry.testing.JUnitBackports.assertThrows;
 import java.util.Optional;
@@ -45,7 +45,7 @@ public final class RouterTest {
 ////////////////////////////////////////////////////////////////////////////////////////////////
- @Action(service = Action.Service.DEFAULT, path = "/sloth", auth = AUTH_INTERNAL_ONLY)
+ @Action(service = Action.Service.DEFAULT, path = "/sloth", auth = AUTH_INTERNAL_OR_ADMIN)
 public static final class SlothTask implements Runnable {
 @Override
 public void run() {}
@@ -79,7 +79,7 @@ public final class RouterTest {
 service = Action.Service.DEFAULT,
 path = "/prefix",
 isPrefix = true,
- auth = AUTH_INTERNAL_ONLY)
+ auth = AUTH_INTERNAL_OR_ADMIN)
 public static final class PrefixTask implements Runnable {
 @Override
 public void run() {}
@@ -109,7 +109,7 @@ public final class RouterTest {
 service = Action.Service.DEFAULT,
 path = "/prefix/long",
 isPrefix = true,
- auth = AUTH_INTERNAL_ONLY)
+ auth = AUTH_INTERNAL_OR_ADMIN)
 public static final class LongTask implements Runnable {
 @Override
 public void run() {}
@@ -164,7 +164,7 @@ public final class RouterTest {
 @Action(
 service = Action.Service.DEFAULT,
 path = "/samePathAsOtherTask",
- auth = AUTH_INTERNAL_ONLY)
+ auth = AUTH_INTERNAL_OR_ADMIN)
 public static final class DuplicateTask1 implements Runnable {
 @Override
 public void run() {}
@@ -173,7 +173,7 @@ public final class RouterTest {
 @Action(
 service = Action.Service.DEFAULT,
 path = "/samePathAsOtherTask",
- auth = AUTH_INTERNAL_ONLY)
+ auth = AUTH_INTERNAL_OR_ADMIN)
 public static final class DuplicateTask2 implements Runnable {
 @Override
 public void run() {}
diff --git a/core/src/test/java/google/registry/request/auth/RequestAuthenticatorTest.java b/core/src/test/java/google/registry/request/auth/RequestAuthenticatorTest.java
index c1ad33eed..766dc5d1f 100644
--- a/core/src/test/java/google/registry/request/auth/RequestAuthenticatorTest.java
+++ b/core/src/test/java/google/registry/request/auth/RequestAuthenticatorTest.java
@@ -53,7 +53,7 @@ public class RequestAuthenticatorTest {
 AuthLevel.NONE,
 UserPolicy.IGNORED);
- private static final AuthSettings AUTH_INTERNAL_ONLY = AuthSettings.create(
+ private static final AuthSettings AUTH_INTERNAL_OR_ADMIN = AuthSettings.create(
 ImmutableList.of(AuthMethod.INTERNAL),
 AuthLevel.APP,
 UserPolicy.IGNORED);
@@ -157,7 +157,7 @@ public class RequestAuthenticatorTest {
 @Test
 public void testInternalAuth_notInvokedInternally() {
- Optional authResult = runTest(mockUserService, AUTH_INTERNAL_ONLY);
+ Optional authResult = runTest(mockUserService, AUTH_INTERNAL_OR_ADMIN);
 verifyZeroInteractions(mockUserService);
 assertThat(authResult).isEmpty();
@@ -167,7 +167,7 @@ public class RequestAuthenticatorTest {
 public void testInternalAuth_success() {
 when(req.getHeader("X-AppEngine-QueueName")).thenReturn("__cron");
- Optional authResult = runTest(mockUserService, AUTH_INTERNAL_ONLY);
+ Optional authResult = runTest(mockUserService, AUTH_INTERNAL_OR_ADMIN);
 verifyZeroInteractions(mockUserService);
 assertThat(authResult).isPresent();
diff --git a/core/src/test/java/google/registry/testing/GoldenFileTestHelper.java b/core/src/test/java/google/registry/testing/GoldenFileTestHelper.java
index 91383ef24..23b5e489b 100644
--- a/core/src/test/java/google/registry/testing/GoldenFileTestHelper.java
+++ b/core/src/test/java/google/registry/testing/GoldenFileTestHelper.java
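Review bot: In `RequestAuthenticatorTest` the test-local constant is renamed to `AUTH_INTERNAL_OR_ADMIN` at `@@ -53,7 +53,7 @@`, but it is still built from `ImmutableList.of(AuthMethod.INTERNAL)`, `AuthLevel.APP` and `UserPolicy.IGNORED`. Those are the settings of the removed internal-only value, not the `INTERNAL, API` / `APP` / `ADMIN` settings that `Auth.AUTH_INTERNAL_OR_ADMIN` carries in the `Auth.java` hunk. `testInternalAuth_notInvokedInternally` and `testInternalAuth_success` therefore still exercise internal-only behaviour under a name that says otherwise. Nothing in these hunks covers the newly permitted path, where an admin API caller is accepted and a non-admin API caller is rejected. Either keep a name that matches the settings (for example `AUTH_INTERNAL_ONLY`), or change the settings to `ImmutableList.of(AuthMethod.INTERNAL, AuthMethod.API), AuthLevel.APP, UserPolicy.ADMIN` and add those two cases; the rest of the test class is outside the hunks, so such cases may already exist there.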
@@ -37,18 +37,18 @@ public class GoldenFileTestHelper { String goldenFileDescription = null; private static final String UPDATE_COMMAND = - "nomulus -e localhost %1$s > %2$s"; + "../gradlew nomulus && java -jar build/libs/nomulus.jar -e localhost %s > %s"; private static final String UPDATE_INSTRUCTIONS = Joiner.on('\n') .join( "", "-------------------------------------------------------------------------------", - "Your changes affect the %3$s. To update the checked-in version, run:", + "Your changes affect the %s. To update the checked-in version, run the following" + + " command in the core project:", UPDATE_COMMAND, ""); - public static GoldenFileTestHelper assertThat(String actualValue) { return new GoldenFileTestHelper().setActualValue(actualValue); } @@ -82,9 +82,9 @@ public class GoldenFileTestHelper { actualValue, expectedValue); assertWithMessage( UPDATE_INSTRUCTIONS, + goldenFileDescription, nomulusCommand, - filePath(context, filename), - goldenFileDescription) + filePath(context, filename)) .fail(); } } diff --git a/core/src/test/resources/google/registry/module/backend/backend_routing.txt b/core/src/test/resources/google/registry/module/backend/backend_routing.txt index 1c52860e6..4601b456e 100644 --- a/core/src/test/resources/google/registry/module/backend/backend_routing.txt +++ b/core/src/test/resources/google/registry/module/backend/backend_routing.txt 
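Review bot: The move from positional `%1$s`/`%2$s`/`%3$s` to bare `%s` in `GoldenFileTestHelper` makes the message depend on argument order across two hunks, and nothing in the code records that. `UPDATE_INSTRUCTIONS` embeds `UPDATE_COMMAND` after its own placeholder, so the `assertWithMessage` call at `@@ -82,9 +82,9 @@` must pass the description first, then the command, then the file path. The reordered arguments in the second hunk do match. A one-line comment above `UPDATE_INSTRUCTIONS` would keep it that way, e.g. `// Placeholders are filled in order: golden file description, nomulus command, output file path.` The change was presumably needed because the failure-message formatter substitutes only `%s`; if so, saying that in the same comment would stop someone reintroducing positional specifiers.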
@@ -1,43 +1,43 @@
 PATH CLASS METHODS OK AUTH_METHODS MIN USER_POLICY
-/_dr/cron/commitLogCheckpoint CommitLogCheckpointAction GET y INTERNAL APP IGNORED
-/_dr/cron/commitLogFanout CommitLogFanoutAction GET y INTERNAL APP IGNORED
-/_dr/cron/fanout TldFanoutAction GET y INTERNAL APP IGNORED
-/_dr/cron/readDnsQueue ReadDnsQueueAction GET y INTERNAL APP IGNORED
-/_dr/dnsRefresh RefreshDnsAction GET y INTERNAL APP IGNORED
-/_dr/task/backupDatastore BackupDatastoreAction POST y INTERNAL APP IGNORED
-/_dr/task/brdaCopy BrdaCopyAction POST y INTERNAL APP IGNORED
-/_dr/task/checkDatastoreBackup CheckBackupAction POST,GET y INTERNAL APP IGNORED
+/_dr/cron/commitLogCheckpoint CommitLogCheckpointAction GET y INTERNAL,API APP ADMIN
+/_dr/cron/commitLogFanout CommitLogFanoutAction GET y INTERNAL,API APP ADMIN
+/_dr/cron/fanout TldFanoutAction GET y INTERNAL,API APP ADMIN
+/_dr/cron/readDnsQueue ReadDnsQueueAction GET y INTERNAL,API APP ADMIN
+/_dr/dnsRefresh RefreshDnsAction GET y INTERNAL,API APP ADMIN
+/_dr/task/backupDatastore BackupDatastoreAction POST y INTERNAL,API APP ADMIN
+/_dr/task/brdaCopy BrdaCopyAction POST y INTERNAL,API APP ADMIN
+/_dr/task/checkDatastoreBackup CheckBackupAction POST,GET y INTERNAL,API APP ADMIN
 /_dr/task/copyDetailReports CopyDetailReportsAction POST n INTERNAL,API APP ADMIN
-/_dr/task/deleteContactsAndHosts DeleteContactsAndHostsAction GET n INTERNAL APP IGNORED
-/_dr/task/deleteLoadTestData DeleteLoadTestDataAction POST n INTERNAL APP IGNORED
-/_dr/task/deleteOldCommitLogs DeleteOldCommitLogsAction GET n INTERNAL APP IGNORED
-/_dr/task/deleteProberData DeleteProberDataAction POST n INTERNAL APP IGNORED
-/_dr/task/expandRecurringBillingEvents ExpandRecurringBillingEventsAction GET n INTERNAL APP IGNORED
-/_dr/task/exportCommitLogDiff ExportCommitLogDiffAction POST y INTERNAL APP IGNORED
-/_dr/task/exportDomainLists ExportDomainListsAction POST n INTERNAL APP IGNORED
-/_dr/task/exportPremiumTerms ExportPremiumTermsAction POST n INTERNAL APP IGNORED
-/_dr/task/exportReservedTerms ExportReservedTermsAction POST n INTERNAL APP IGNORED
-/_dr/task/generateInvoices GenerateInvoicesAction POST n INTERNAL APP IGNORED
-/_dr/task/generateSpec11 GenerateSpec11ReportAction POST n INTERNAL APP IGNORED
-/_dr/task/icannReportingStaging IcannReportingStagingAction POST n INTERNAL APP IGNORED
+/_dr/task/deleteContactsAndHosts DeleteContactsAndHostsAction GET n INTERNAL,API APP ADMIN
+/_dr/task/deleteLoadTestData DeleteLoadTestDataAction POST n INTERNAL,API APP ADMIN
+/_dr/task/deleteOldCommitLogs DeleteOldCommitLogsAction GET n INTERNAL,API APP ADMIN
+/_dr/task/deleteProberData DeleteProberDataAction POST n INTERNAL,API APP ADMIN
+/_dr/task/expandRecurringBillingEvents ExpandRecurringBillingEventsAction GET n INTERNAL,API APP ADMIN
+/_dr/task/exportCommitLogDiff ExportCommitLogDiffAction POST y INTERNAL,API APP ADMIN
+/_dr/task/exportDomainLists ExportDomainListsAction POST n INTERNAL,API APP ADMIN
+/_dr/task/exportPremiumTerms ExportPremiumTermsAction POST n INTERNAL,API APP ADMIN
+/_dr/task/exportReservedTerms ExportReservedTermsAction POST n INTERNAL,API APP ADMIN
+/_dr/task/generateInvoices GenerateInvoicesAction POST n INTERNAL,API APP ADMIN
+/_dr/task/generateSpec11 GenerateSpec11ReportAction POST n INTERNAL,API APP ADMIN
+/_dr/task/icannReportingStaging IcannReportingStagingAction POST n INTERNAL,API APP ADMIN
 /_dr/task/icannReportingUpload IcannReportingUploadAction POST n INTERNAL,API APP ADMIN
-/_dr/task/nordnUpload NordnUploadAction POST y INTERNAL APP IGNORED
-/_dr/task/nordnVerify NordnVerifyAction POST y INTERNAL APP IGNORED
-/_dr/task/pollBigqueryJob BigqueryPollJobAction GET,POST y INTERNAL APP IGNORED
-/_dr/task/publishDnsUpdates PublishDnsUpdatesAction POST y INTERNAL APP IGNORED
+/_dr/task/nordnUpload NordnUploadAction POST y INTERNAL,API APP ADMIN
+/_dr/task/nordnVerify NordnVerifyAction POST y INTERNAL,API APP ADMIN
+/_dr/task/pollBigqueryJob BigqueryPollJobAction GET,POST y INTERNAL,API APP ADMIN
+/_dr/task/publishDnsUpdates PublishDnsUpdatesAction POST y INTERNAL,API APP ADMIN
 /_dr/task/publishInvoices PublishInvoicesAction POST n INTERNAL,API APP ADMIN
 /_dr/task/publishSpec11 PublishSpec11ReportAction POST n INTERNAL,API APP ADMIN
-/_dr/task/rdeReport RdeReportAction POST n INTERNAL APP IGNORED
-/_dr/task/rdeStaging RdeStagingAction GET,POST n INTERNAL APP IGNORED
-/_dr/task/rdeUpload RdeUploadAction POST n INTERNAL APP IGNORED
-/_dr/task/refreshDnsOnHostRename RefreshDnsOnHostRenameAction GET n INTERNAL APP IGNORED
+/_dr/task/rdeReport RdeReportAction POST n INTERNAL,API APP ADMIN
+/_dr/task/rdeStaging RdeStagingAction GET,POST n INTERNAL,API APP ADMIN
+/_dr/task/rdeUpload RdeUploadAction POST n INTERNAL,API APP ADMIN
+/_dr/task/refreshDnsOnHostRename RefreshDnsOnHostRenameAction GET n INTERNAL,API APP ADMIN
 /_dr/task/resaveAllEppResources ResaveAllEppResourcesAction GET n INTERNAL,API APP ADMIN
 /_dr/task/resaveEntity ResaveEntityAction POST n INTERNAL,API APP ADMIN
-/_dr/task/syncGroupMembers SyncGroupMembersAction POST n INTERNAL APP IGNORED
-/_dr/task/syncRegistrarsSheet SyncRegistrarsSheetAction POST n INTERNAL APP IGNORED
-/_dr/task/tmchCrl TmchCrlAction POST y INTERNAL APP IGNORED
-/_dr/task/tmchDnl TmchDnlAction POST y INTERNAL APP IGNORED
-/_dr/task/tmchSmdrl TmchSmdrlAction POST y INTERNAL APP IGNORED
+/_dr/task/syncGroupMembers SyncGroupMembersAction POST n INTERNAL,API APP ADMIN
+/_dr/task/syncRegistrarsSheet SyncRegistrarsSheetAction POST n INTERNAL,API APP ADMIN
+/_dr/task/tmchCrl TmchCrlAction POST y INTERNAL,API APP ADMIN
+/_dr/task/tmchDnl TmchDnlAction POST y INTERNAL,API APP ADMIN
+/_dr/task/tmchSmdrl TmchSmdrlAction POST y INTERNAL,API APP ADMIN
 /_dr/task/updateRegistrarRdapBaseUrls UpdateRegistrarRdapBaseUrlsAction GET y INTERNAL,API APP ADMIN
-/_dr/task/updateSnapshotView UpdateSnapshotViewAction POST n INTERNAL APP IGNORED
-/_dr/task/uploadDatastoreBackup UploadDatastoreBackupAction POST n INTERNAL APP IGNORED
+/_dr/task/updateSnapshotView UpdateSnapshotViewAction POST n INTERNAL,API APP ADMIN
+/_dr/task/uploadDatastoreBackup UploadDatastoreBackupAction POST n INTERNAL,API APP ADMIN
diff --git a/core/src/test/resources/google/registry/module/tools/tools_routing.txt b/core/src/test/resources/google/registry/module/tools/tools_routing.txt
index 71546c1c9..71701edfd 100644
--- a/core/src/test/resources/google/registry/module/tools/tools_routing.txt
+++ b/core/src/test/resources/google/registry/module/tools/tools_routing.txt
@@ -13,8 +13,8 @@ PATH CLASS METHODS OK AUTH
 /_dr/epptool EppToolAction POST n INTERNAL,API APP ADMIN
 /_dr/loadtest LoadTestAction POST y INTERNAL,API APP ADMIN
 /_dr/task/generateZoneFiles GenerateZoneFilesAction POST n INTERNAL,API APP ADMIN
-/_dr/task/killAllCommitLogs KillAllCommitLogsAction POST n INTERNAL APP IGNORED
-/_dr/task/killAllEppResources KillAllEppResourcesAction POST n INTERNAL APP IGNORED
+/_dr/task/killAllCommitLogs KillAllCommitLogsAction POST n INTERNAL,API APP ADMIN
+/_dr/task/killAllEppResources KillAllEppResourcesAction POST n INTERNAL,API APP ADMIN
 /_dr/task/refreshDnsForAllDomains RefreshDnsForAllDomainsAction GET n INTERNAL,API APP ADMIN
 /_dr/task/resaveAllHistoryEntries ResaveAllHistoryEntriesAction GET n INTERNAL,API APP ADMIN
 /_dr/task/restoreCommitLogs RestoreCommitLogsAction POST y INTERNAL,API APP ADMIN
diff --git a/docs/authentication-framework.md b/docs/authentication-framework.md
index 8e56e8e36..5b044447f 100644
--- a/docs/authentication-framework.md
+++ b/docs/authentication-framework.md
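Review bot: Every changed row in backend_routing.txt moves from `INTERNAL APP IGNORED` to `INTERNAL,API APP ADMIN`, and that includes irreversible actions such as `/_dr/task/deleteOldCommitLogs` and `/_dr/task/deleteProberData`, plus `/_dr/task/killAllCommitLogs` and `/_dr/task/killAllEppResources` in the tools_routing.txt hunk. If `API` is the OAuth path described in docs/authentication-framework.md, these endpoints are no longer limited to App Engine cron and task-queue callers, so any admin credential, including a leaked or over-scoped one, now reaches them. I would leave `INTERNAL APP IGNORED` on the destructive rows unless an operator-triggered run is actually required. That means keeping an internal-only setting rather than removing it, and giving the reason for each remaining widening in the commit description. Several widened rows are `GET` (for example `deleteContactsAndHosts` and `deleteOldCommitLogs`), which deserves a second look now that a user credential can trigger them.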
@@ -117,11 +117,6 @@ make sense. A master enumeration lists all the valid triplets. They are: because we don't require a user for internal requests, but the user policy is `ADMIN`, meaning that if there *is* a user, it needs to be an admin. -* `AUTH_INTERNAL_ONLY`: Only internal requests are allowed. This is appropriate - for actions which are only executed by cron jobs, and therefore have no - authenticated user. The method is `INTERNAL`, the minimum level is `APP`, - and the user policy is `IGNORED`. - * `AUTH_PUBLIC_OR_INTERNAL`: Allows anyone access, as long as they use OAuth to authenticate. Also allows access from App Engine task-queue. Note that OAuth client ID still needs to be whitelisted in the config file for OAuth-based