mirror of
https://github.com/google/nomulus.git
synced 2025-05-01 20:47:52 +02:00
177bf4a5f1
Implement client-side OAuth in non-local HTTP connections. Also add tests to verify that the different modes of connection are set up correctly. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=147636222
200 lines
7.3 KiB
Java
200 lines
7.3 KiB
Java
// Copyright 2017 The Nomulus Authors. All Rights Reserved.
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package google.registry.tools;
|
|
|
|
import static java.nio.charset.StandardCharsets.UTF_8;
|
|
|
|
import com.google.api.client.auth.oauth2.Credential;
|
|
import com.google.api.client.extensions.java6.auth.oauth2.AuthorizationCodeInstalledApp;
|
|
import com.google.api.client.extensions.jetty.auth.oauth2.LocalServerReceiver;
|
|
import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeFlow;
|
|
import com.google.api.client.googleapis.auth.oauth2.GoogleClientSecrets;
|
|
import com.google.api.client.http.HttpRequest;
|
|
import com.google.api.client.http.HttpRequestFactory;
|
|
import com.google.api.client.http.HttpRequestInitializer;
|
|
import com.google.api.client.http.javanet.NetHttpTransport;
|
|
import com.google.api.client.json.JsonFactory;
|
|
import com.google.api.client.json.jackson2.JacksonFactory;
|
|
import com.google.api.client.util.store.AbstractDataStoreFactory;
|
|
import com.google.api.client.util.store.FileDataStoreFactory;
|
|
import dagger.Binds;
|
|
import dagger.Module;
|
|
import dagger.Provides;
|
|
import java.io.File;
|
|
import java.io.IOException;
|
|
import java.io.InputStream;
|
|
import java.io.InputStreamReader;
|
|
import java.lang.annotation.Documented;
|
|
import java.util.Collections;
|
|
import javax.inject.Named;
|
|
import javax.inject.Provider;
|
|
import javax.inject.Qualifier;
|
|
import javax.inject.Singleton;
|
|
|
|
/**
|
|
* Module for providing the default HttpRequestFactory.
|
|
*
|
|
*
|
|
* <p>This module provides a standard NetHttpTransport-based HttpRequestFactory binding.
|
|
* The binding is qualified with the name named "default" and is not consumed directly. The
|
|
* RequestFactoryModule module binds the "default" HttpRequestFactory to the unqualified
|
|
* HttpRequestFactory, allowing users to override the actual, unqualified HttpRequestFactory
|
|
* binding by replacing RequestFactoryfModule with their own module, optionally providing
|
|
* the "default" factory in some circumstances.
|
|
*
|
|
* <p>Localhost connections go to the App Engine dev server. The dev server differs from most HTTP
|
|
* connections in that they don't require OAuth2 credentials, but instead require a special cookie.
|
|
*/
|
|
@Module
|
|
class DefaultRequestFactoryModule {
|
|
|
|
// TODO(mmuller): Use @Config("requiredOauthScopes")
|
|
private static final String DEFAULT_SCOPE =
|
|
"https://www.googleapis.com/auth/userinfo.email";
|
|
|
|
private static final File DATA_STORE_DIR =
|
|
new File(System.getProperty("user.home"), ".config/nomulus/credentials");
|
|
|
|
// TODO(mmuller): replace with a config parameter.
|
|
private static final String CLIENT_SECRET_FILENAME =
|
|
"/google/registry/tools/resources/client_secret.json";
|
|
|
|
@Provides
|
|
@ClientSecretFilename
|
|
String provideClientSecretFilename() {
|
|
return CLIENT_SECRET_FILENAME;
|
|
}
|
|
|
|
/** Returns the credential object for the user. */
|
|
@Provides
|
|
Credential provideCredential(
|
|
AbstractDataStoreFactory dataStoreFactory,
|
|
Authorizer authorizer,
|
|
@ClientSecretFilename String clientSecretFilename) {
|
|
try {
|
|
// Load the client secrets file.
|
|
JacksonFactory jsonFactory = new JacksonFactory();
|
|
InputStream secretResourceStream = getClass().getResourceAsStream(clientSecretFilename);
|
|
if (secretResourceStream == null) {
|
|
throw new RuntimeException("No client secret file found: " + clientSecretFilename);
|
|
}
|
|
GoogleClientSecrets clientSecrets = GoogleClientSecrets.load(jsonFactory,
|
|
new InputStreamReader(secretResourceStream, UTF_8));
|
|
|
|
return authorizer.authorize(clientSecrets);
|
|
} catch (IOException ex) {
|
|
throw new RuntimeException(ex);
|
|
}
|
|
}
|
|
|
|
@Provides
|
|
@Named("default")
|
|
public HttpRequestFactory provideHttpRequestFactory(
|
|
AppEngineConnectionFlags connectionFlags,
|
|
Provider<Credential> credentialProvider) {
|
|
if (connectionFlags.getServer().getHost().equals("localhost")) {
|
|
return new NetHttpTransport()
|
|
.createRequestFactory(
|
|
new HttpRequestInitializer() {
|
|
@Override
|
|
public void initialize(HttpRequest request) {
|
|
request
|
|
.getHeaders()
|
|
.setCookie("dev_appserver_login=test@example.com:true:1858047912411");
|
|
}
|
|
});
|
|
} else {
|
|
return new NetHttpTransport().createRequestFactory(credentialProvider.get());
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Module for providing HttpRequestFactory.
|
|
*
|
|
* <p>Localhost connections go to the App Engine dev server. The dev server differs from most HTTP
|
|
* connections in that the types whose annotations affect the use of annotaty don't require
|
|
* OAuth2 credentials, but instead require a special cookie.
|
|
*/
|
|
@Module
|
|
abstract static class RequestFactoryModule {
|
|
|
|
@Binds
|
|
public abstract HttpRequestFactory provideHttpRequestFactory(
|
|
@Named("default") HttpRequestFactory requestFactory);
|
|
}
|
|
|
|
@Module
|
|
static class DataStoreFactoryModule {
|
|
@Provides
|
|
@Singleton
|
|
public AbstractDataStoreFactory provideDataStoreFactory() {
|
|
try {
|
|
return new FileDataStoreFactory(DATA_STORE_DIR);
|
|
} catch (IOException ex) {
|
|
throw new RuntimeException(ex);
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Module to create the Authorizer used by DefaultRequestFactoryModule.
|
|
*/
|
|
@Module
|
|
static class AuthorizerModule {
|
|
@Provides
|
|
public Authorizer provideAuthorizer(
|
|
final JsonFactory jsonFactory, final AbstractDataStoreFactory dataStoreFactory) {
|
|
return new Authorizer() {
|
|
@Override
|
|
public Credential authorize(GoogleClientSecrets clientSecrets) {
|
|
try {
|
|
// Run a new auth flow.
|
|
GoogleAuthorizationCodeFlow flow = new GoogleAuthorizationCodeFlow.Builder(
|
|
new NetHttpTransport(), jsonFactory, clientSecrets,
|
|
Collections.singleton(DEFAULT_SCOPE))
|
|
.setDataStoreFactory(dataStoreFactory)
|
|
.build();
|
|
|
|
// TODO(mmuller): "credentials" directory needs to be qualified with the scopes and
|
|
// client id.
|
|
|
|
// We pass client id to the authorize method so we can safely persist credentials for
|
|
// multiple client ids.
|
|
return new AuthorizationCodeInstalledApp(flow, new LocalServerReceiver())
|
|
.authorize(clientSecrets.getDetails().getClientId());
|
|
} catch (Exception ex) {
|
|
throw new RuntimeException(ex);
|
|
}
|
|
}
|
|
};
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Interface that encapsulates the authorization logic to produce a credential for the user,
|
|
* allowing us to override the behavior for unit tests.
|
|
*/
|
|
interface Authorizer {
|
|
Credential authorize(GoogleClientSecrets clientSecrets);
|
|
}
|
|
|
|
/** Dagger qualifier for the client secret filename.
|
|
*
|
|
* <p>TODO(mmuller): move this to config.
|
|
*/
|
|
@Qualifier
|
|
@Documented
|
|
public @interface ClientSecretFilename {}
|
|
}
|