13 commits

Author SHA1 Message Date
Lai Jiang
36bd508bf9
Remove OAuthAuthenticationMechanism (#2171)
Also made some refactoring to various Auth related classes to clean up things a bit and make the logic less convoluted:

1. In Auth, remove AUTH_API_PUBLIC as it is only used by the WHOIS and EPP endpoints accessed by the proxy. Previously, the proxy relied on OAuth and its service account was not given admin role (in OAuth parlance), so we made them accessible by a public user, deferring authorization to the actions themselves. In practice, OAuth checks for allowlisted client IDs and only the proxy client ID was allowlisted, which effectively limited access to only the proxy anyway.

2. In AuthResult, expose the service account email if it is at APP level. RequestAuthenticator will print out the auth result and therefore log the email, making it easy to identify which account was used. This field is mutually exclusive to the user auth info field. As a result, the factory methods are refactored to explicitly create either APP or USER level auth result.

3. Completely re-wrote RequestAuthenticatorTest. Previously, the test mingled testing functionalities of the target class with testing how various authentication mechanisms work. Now they are cleanly decoupled, and each method in RequestAuthenticator is tested individually.

4. Removed nomulus-config-production-sample.yaml as it is vastly out of date.
2023-10-11 19:12:26 -04:00
Michael Muller
cecc1a6cc7
Update terraform files and instructions (#1402)
* Update terraform files and instructions

Update proxy terraform files based on current best practices and allow
exclusion of forwarding rules for HTTP endpoints.  Specifically:
-   Add a "public_web_whois" input to allow disabling the public HTTP
    whois forwarding.
-   Add "description" fields to all variables.
-   Move outputs of the top-level module into "outputs.tf".
-   Auto-reformat using hclfmt.
2021-10-29 09:10:23 -04:00
0xflotus
8087f5bbca
(docs): fixed small errors (#572)
* Update first-steps-tutorial.md

* Update proxy-setup.md (#1)

* Update registrar-faq.md (#2)

* Update first-steps-tutorial.md
2020-05-11 10:01:47 -04:00
Lai Jiang
520145f641
Move terraform and kubernetes folder to be under proxy (#127)
* Move terraform and kubernetes folder to be under proxy

There is no reason for them to be under proxy/src/... any more now that
we have a Gradle-idiomatic folder structure.
2019-06-20 14:28:32 -04:00
jianglai
6ca28386cd Store encrypted file in Base64 encoding
It is better to store it ASCII armored so that it can be easily diffed to see
if a file has changed

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=200045488
2018-06-18 17:53:11 -04:00
jianglai
f289259101 Change UserPolicy to PUBLIC on WHOIS and EPP endpoints
-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=193407195
2018-04-23 14:59:24 -04:00
jianglai
d036d72dda Add instruction on how to set "App Engine Admin" permission
The proxy service account needs a role that is considered "App Engine Admin" for OAuth to work.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=193049418
2018-04-23 14:45:21 -04:00
jianglai
7f86f2c1fb Correct a minor issue to proxy setup doc
gsutil config does not have to be run more than once.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=193046087
2018-04-23 14:43:48 -04:00
jianglai
53820108fe Correct proxy setup doc
-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=193045619
2018-04-23 14:42:16 -04:00
jianglai
001f819616 Create certificate bucket before running terraform
-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=193044934
2018-04-23 14:40:42 -04:00
jianglai
e5c0a85b3b Update proxy setup doc
Include information on how to upload an encrypted key/cert combo to GCS

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=191782955
2018-04-10 16:41:45 -04:00
jianglai
6dec95b980 Use terraform to config GCP proxy setup
With terraform (https://terraform.io) we can convert most of the infrastructure setup into code. This simplifies setting up a new proxy as well as providing reproducibility in the setup, eliminating human errors as much as possible.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=190634711
2018-04-02 16:46:01 -04:00
jianglai
70e9df7435 Add instructions on how to set up the GCP proxy
A step-by-step instruction is provided to set up the proxy. Also made some changes to the README file as both DNS and proxy are no longer "known issues".

A better approach to setting up the proxy manually is to codify the infrastructure with https://terraform.io. I will work on this next.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=189648593
2018-03-19 18:51:57 -04:00