Add keyring support for BSA API key (#2208)

* Add keyring support for BSA API key

Also removing JSON_CREDENTIAL. It is an exported service account key,
which we no longer use.

core/src/main/java/google/registry/keyring/api/InMemoryKeyring.java

@@ -38,7 +38,7 @@ public final class InMemoryKeyring implements Keyring {
   private final String marksdbDnlLoginAndPassword;
   private final String marksdbLordnPassword;
   private final String marksdbSmdrlLoginAndPassword;
-  private final String jsonCredential;
+  private final String bsaApiKey;
 
   public InMemoryKeyring(
       PGPKeyPair rdeStagingKey,
@@ -53,9 +53,9 @@ public final class InMemoryKeyring implements Keyring {
       String marksdbDnlLoginAndPassword,
       String marksdbLordnPassword,
       String marksdbSmdrlLoginAndPassword,
-      String jsonCredential,
       String cloudSqlPassword,
-      String toolsCloudSqlPassword) {
+      String toolsCloudSqlPassword,
+      String bsaApiKey) {
     checkArgument(PgpHelper.isSigningKey(rdeSigningKey.getPublicKey()),
         "RDE signing key must support signing: %s", rdeSigningKey.getKeyID());
     checkArgument(rdeStagingKey.getPublicKey().isEncryptionKey(),
@@ -80,7 +80,7 @@ public final class InMemoryKeyring implements Keyring {
     this.marksdbLordnPassword = checkNotNull(marksdbLordnPassword, "marksdbLordnPassword");
     this.marksdbSmdrlLoginAndPassword =
         checkNotNull(marksdbSmdrlLoginAndPassword, "marksdbSmdrlLoginAndPassword");
-    this.jsonCredential = checkNotNull(jsonCredential, "jsonCredential");
+    this.bsaApiKey = checkNotNull(bsaApiKey, "bsaApiKey");
   }
 
   @Override
@@ -149,8 +149,8 @@ public final class InMemoryKeyring implements Keyring {
   }
 
   @Override
-  public String getJsonCredential() {
-    return jsonCredential;
+  public String getBsaApiKey() {
+    return bsaApiKey;
   }
 
   /** Does nothing. */

core/src/main/java/google/registry/keyring/api/Keyring.java

@@ -145,11 +145,8 @@ public interface Keyring extends AutoCloseable {
    */
   String getMarksdbSmdrlLoginAndPassword();
 
-  /**
-   * Returns the credentials for a service account on the Google AppEngine project downloaded from
-   * the Cloud Console dashboard in JSON format.
-   */
-  String getJsonCredential();
+  /** Returns the API_KEY for authentication with the BSA portal. */
+  String getBsaApiKey();
 
   // Don't throw so try-with-resources works better.
   @Override

core/src/main/java/google/registry/keyring/secretmanager/SecretManagerKeyring.java

@@ -58,8 +58,8 @@ public class SecretManagerKeyring implements Keyring {
   /** Key labels for string secrets. */
   enum StringKeyLabel {
     SAFE_BROWSING_API_KEY,
+    BSA_API_KEY_STRING,
     ICANN_REPORTING_PASSWORD_STRING,
-    JSON_CREDENTIAL_STRING,
     MARKSDB_DNL_LOGIN_STRING,
     MARKSDB_LORDN_PASSWORD_STRING,
     MARKSDB_SMDRL_LOGIN_STRING,
@@ -143,10 +143,9 @@ public class SecretManagerKeyring implements Keyring {
     return getString(StringKeyLabel.MARKSDB_SMDRL_LOGIN_STRING);
   }
 
-  // TODO(b/237305940): remove this method and all supports, including entry in secretmanager
   @Override
-  public String getJsonCredential() {
-    return getString(StringKeyLabel.JSON_CREDENTIAL_STRING);
+  public String getBsaApiKey() {
+    return getString(StringKeyLabel.BSA_API_KEY_STRING);
   }
 
   /** No persistent resources are maintained for this Keyring implementation. */

core/src/main/java/google/registry/keyring/secretmanager/SecretManagerKeyringUpdater.java

@@ -24,8 +24,8 @@ import static google.registry.keyring.secretmanager.SecretManagerKeyring.PublicK
 import static google.registry.keyring.secretmanager.SecretManagerKeyring.PublicKeyLabel.RDE_RECEIVER_PUBLIC;
 import static google.registry.keyring.secretmanager.SecretManagerKeyring.PublicKeyLabel.RDE_SIGNING_PUBLIC;
 import static google.registry.keyring.secretmanager.SecretManagerKeyring.PublicKeyLabel.RDE_STAGING_PUBLIC;
+import static google.registry.keyring.secretmanager.SecretManagerKeyring.StringKeyLabel.BSA_API_KEY_STRING;
 import static google.registry.keyring.secretmanager.SecretManagerKeyring.StringKeyLabel.ICANN_REPORTING_PASSWORD_STRING;
-import static google.registry.keyring.secretmanager.SecretManagerKeyring.StringKeyLabel.JSON_CREDENTIAL_STRING;
 import static google.registry.keyring.secretmanager.SecretManagerKeyring.StringKeyLabel.MARKSDB_DNL_LOGIN_STRING;
 import static google.registry.keyring.secretmanager.SecretManagerKeyring.StringKeyLabel.MARKSDB_LORDN_PASSWORD_STRING;
 import static google.registry.keyring.secretmanager.SecretManagerKeyring.StringKeyLabel.MARKSDB_SMDRL_LOGIN_STRING;
@@ -120,8 +120,8 @@ public final class SecretManagerKeyringUpdater {
     return setString(login, MARKSDB_SMDRL_LOGIN_STRING);
   }
 
-  public SecretManagerKeyringUpdater setJsonCredential(String credential) {
-    return setString(credential, JSON_CREDENTIAL_STRING);
+  public SecretManagerKeyringUpdater setBsaApiKey(String credential) {
+    return setString(credential, BSA_API_KEY_STRING);
   }
 
   /**

core/src/main/java/google/registry/tools/GetKeyringSecretCommand.java

@@ -64,15 +64,15 @@ final class GetKeyringSecretCommand implements Command {
       case BRDA_SIGNING_PUBLIC_KEY:
         out.write(KeySerializer.serializePublicKey(keyring.getBrdaSigningKey().getPublicKey()));
         break;
+      case BSA_API_KEY:
+        out.write(KeySerializer.serializeString(keyring.getBsaApiKey()));
+        break;
       case ICANN_REPORTING_PASSWORD:
         out.write(KeySerializer.serializeString(keyring.getIcannReportingPassword()));
         break;
       case SAFE_BROWSING_API_KEY:
         out.write(KeySerializer.serializeString(keyring.getSafeBrowsingAPIKey()));
         break;
-      case JSON_CREDENTIAL:
-        out.write(KeySerializer.serializeString(keyring.getJsonCredential()));
-        break;
       case MARKSDB_DNL_LOGIN_AND_PASSWORD:
         out.write(KeySerializer.serializeString(keyring.getMarksdbDnlLoginAndPassword()));
         break;

core/src/main/java/google/registry/tools/UpdateKeyringSecretCommand.java

@@ -64,12 +64,12 @@ final class UpdateKeyringSecretCommand implements Command {
         throw new IllegalArgumentException(
             "Can't update BRDA_SIGNING_PUBLIC_KEY directly."
             + " Must update public and private keys together using BRDA_SIGNING_KEY_PAIR.");
+      case BSA_API_KEY:
+        secretManagerKeyringUpdater.setBsaApiKey(deserializeString(input));
+        break;
       case ICANN_REPORTING_PASSWORD:
         secretManagerKeyringUpdater.setIcannReportingPassword(deserializeString(input));
         break;
-      case JSON_CREDENTIAL:
-        secretManagerKeyringUpdater.setJsonCredential(deserializeString(input));
-        break;
       case MARKSDB_DNL_LOGIN_AND_PASSWORD:
         secretManagerKeyringUpdater.setMarksdbDnlLoginAndPassword(deserializeString(input));
         break;

core/src/main/java/google/registry/tools/params/KeyringKeyName.java

@@ -24,8 +24,8 @@ public enum KeyringKeyName {
   BRDA_RECEIVER_PUBLIC_KEY,
   BRDA_SIGNING_KEY_PAIR,
   BRDA_SIGNING_PUBLIC_KEY,
+  BSA_API_KEY,
   ICANN_REPORTING_PASSWORD,
-  JSON_CREDENTIAL,
   MARKSDB_DNL_LOGIN_AND_PASSWORD,
   MARKSDB_LORDN_PASSWORD,
   MARKSDB_SMDRL_LOGIN_AND_PASSWORD,

core/src/test/java/google/registry/keyring/secretmanager/SecretManagerKeyringUpdaterTest.java

@@ -51,16 +51,16 @@ public class SecretManagerKeyringUpdaterTest {
     updater
         .setMarksdbDnlLoginAndPassword(secretPrefix + "marksdb")
         .setIcannReportingPassword(secretPrefix + "icann")
-        .setJsonCredential(secretPrefix + "json")
+        .setBsaApiKey(secretPrefix + "bsa")
         .update();
 
     assertThat(keyring.getMarksdbDnlLoginAndPassword()).isEqualTo(secretPrefix + "marksdb");
     assertThat(keyring.getIcannReportingPassword()).isEqualTo(secretPrefix + "icann");
-    assertThat(keyring.getJsonCredential()).isEqualTo(secretPrefix + "json");
+    assertThat(keyring.getBsaApiKey()).isEqualTo(secretPrefix + "bsa");
 
     verifyPersistedSecret("marksdb-dnl-login-string", secretPrefix + "marksdb");
     verifyPersistedSecret("icann-reporting-password-string", secretPrefix + "icann");
-    verifyPersistedSecret("json-credential-string", secretPrefix + "json");
+    verifyPersistedSecret("bsa-api-key-string", secretPrefix + "bsa");
   }
 
   @Test
@@ -94,12 +94,12 @@ public class SecretManagerKeyringUpdaterTest {
   }
 
   @Test
-  void jsonCredential() {
-    String secret = "jsonCredential";
-    updater.setJsonCredential(secret).update();
+  void bsaApiKey() {
+    String secret = "bsaApiKey";
+    updater.setBsaApiKey(secret).update();
 
-    assertThat(keyring.getJsonCredential()).isEqualTo(secret);
-    verifyPersistedSecret("json-credential-string", secret);
+    assertThat(keyring.getBsaApiKey()).isEqualTo(secret);
+    verifyPersistedSecret("bsa-api-key-string", secret);
   }
 
   @Test

core/src/test/java/google/registry/testing/FakeKeyringModule.java

@@ -55,7 +55,7 @@ public final class FakeKeyringModule {
   private static final String MARKSDB_DNL_LOGIN_AND_PASSWORD = "dnl:yolo";
   private static final String MARKSDB_LORDN_PASSWORD = "yolo";
   private static final String MARKSDB_SMDRL_LOGIN_AND_PASSWORD = "smdrl:yolo";
-  private static final String JSON_CREDENTIAL = "json123";
+  private static final String BSA_API_KEY = "bsaapikey";
 
   @Provides
   public Keyring get() {
@@ -127,8 +127,8 @@ public final class FakeKeyringModule {
       }
 
       @Override
-      public String getJsonCredential() {
-        return JSON_CREDENTIAL;
+      public String getBsaApiKey() {
+        return BSA_API_KEY;
       }
 
       @Override