From 30accea383bdef8756428176cb34ac78b5ddab23 Mon Sep 17 00:00:00 2001
From: Weimin Yu
Date: Thu, 2 Nov 2023 14:08:50 -0400
Subject: [PATCH] Add keyring support for BSA API key (#2208)
* Add keyring support for BSA API key
Also removing JSON_CREDENTIAL. It is an exported service account key, which we no longer use.
---
 .../registry/keyring/api/InMemoryKeyring.java | 12 ++++++------
 .../google/registry/keyring/api/Keyring.java | 7 ++-----
 .../secretmanager/SecretManagerKeyring.java | 7 +++----
 .../SecretManagerKeyringUpdater.java | 6 +++---
 .../registry/tools/GetKeyringSecretCommand.java | 6 +++---
 .../tools/UpdateKeyringSecretCommand.java | 6 +++---
 .../registry/tools/params/KeyringKeyName.java | 2 +-
 .../SecretManagerKeyringUpdaterTest.java | 16 ++++++++--------
 .../registry/testing/FakeKeyringModule.java | 6 +++---
 9 files changed, 32 insertions(+), 36 deletions(-)
diff --git a/core/src/main/java/google/registry/keyring/api/InMemoryKeyring.java b/core/src/main/java/google/registry/keyring/api/InMemoryKeyring.java
index e57abca3e..0185c179e 100644
--- a/core/src/main/java/google/registry/keyring/api/InMemoryKeyring.java
+++ b/core/src/main/java/google/registry/keyring/api/InMemoryKeyring.java
@@ -38,7 +38,7 @@ public final class InMemoryKeyring implements Keyring {
 private final String marksdbDnlLoginAndPassword;
 private final String marksdbLordnPassword;
 private final String marksdbSmdrlLoginAndPassword;
- private final String jsonCredential;
+ private final String bsaApiKey;
 public InMemoryKeyring(
 PGPKeyPair rdeStagingKey,
@@ -53,9 +53,9 @@ public final class InMemoryKeyring implements Keyring {
 String marksdbDnlLoginAndPassword,
 String marksdbLordnPassword,
 String marksdbSmdrlLoginAndPassword,
- String jsonCredential,
 String cloudSqlPassword,
- String toolsCloudSqlPassword) {
+ String toolsCloudSqlPassword,
+ String bsaApiKey) {
 checkArgument(PgpHelper.isSigningKey(rdeSigningKey.getPublicKey()), "RDE signing key must support signing: %s", rdeSigningKey.getKeyID());
 checkArgument(rdeStagingKey.getPublicKey().isEncryptionKey(),
@@ -80,7 +80,7 @@ public final class InMemoryKeyring implements Keyring {
 this.marksdbLordnPassword = checkNotNull(marksdbLordnPassword, "marksdbLordnPassword");
 this.marksdbSmdrlLoginAndPassword = checkNotNull(marksdbSmdrlLoginAndPassword, "marksdbSmdrlLoginAndPassword");
- this.jsonCredential = checkNotNull(jsonCredential, "jsonCredential");
+ this.bsaApiKey = checkNotNull(bsaApiKey, "bsaApiKey");
 }
 @Override
@@ -149,8 +149,8 @@ public final class InMemoryKeyring implements Keyring {
 }
 @Override
- public String getJsonCredential() {
- return jsonCredential;
+ public String getBsaApiKey() {
+ return bsaApiKey;
 }
 /** Does nothing. */
diff --git a/core/src/main/java/google/registry/keyring/api/Keyring.java b/core/src/main/java/google/registry/keyring/api/Keyring.java
index 5b44db049..0b278c53d 100644
--- a/core/src/main/java/google/registry/keyring/api/Keyring.java
+++ b/core/src/main/java/google/registry/keyring/api/Keyring.java
@@ -145,11 +145,8 @@ public interface Keyring extends AutoCloseable {
 */
 String getMarksdbSmdrlLoginAndPassword();
- /**
- * Returns the credentials for a service account on the Google AppEngine project downloaded from
- * the Cloud Console dashboard in JSON format.
- */
- String getJsonCredential();
+ /** Returns the API_KEY for authentication with the BSA portal. */
+ String getBsaApiKey();
 // Don't throw so try-with-resources works better.
 @Override
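Review bot: The constructor parameter change in the `@@ -53,9` hunk keeps the arity and types identical, so a call site that was not updated still compiles and silently shifts secrets: the value formerly passed as `jsonCredential` would be stored as `cloudSqlPassword`, and the old `toolsCloudSqlPassword` would become `bsaApiKey`. No caller of this constructor is among the nine files in the patch, so existing call sites need a manual check. A comment on the constructor such as `// NOTE: trailing arguments are all Strings; the compiler cannot catch a misordered secret.` would warn the next editor, and a builder or named factory would remove the hazard. The constructor begins and ends outside this hunk.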
diff --git a/core/src/main/java/google/registry/keyring/secretmanager/SecretManagerKeyring.java b/core/src/main/java/google/registry/keyring/secretmanager/SecretManagerKeyring.java
index 6e1aa973b..e74abe967 100644
--- a/core/src/main/java/google/registry/keyring/secretmanager/SecretManagerKeyring.java
+++ b/core/src/main/java/google/registry/keyring/secretmanager/SecretManagerKeyring.java
@@ -58,8 +58,8 @@ public class SecretManagerKeyring implements Keyring {
 /** Key labels for string secrets. */
 enum StringKeyLabel {
 SAFE_BROWSING_API_KEY,
+ BSA_API_KEY_STRING,
 ICANN_REPORTING_PASSWORD_STRING,
- JSON_CREDENTIAL_STRING,
 MARKSDB_DNL_LOGIN_STRING,
 MARKSDB_LORDN_PASSWORD_STRING,
 MARKSDB_SMDRL_LOGIN_STRING,
@@ -143,10 +143,9 @@ public class SecretManagerKeyring implements Keyring {
 return getString(StringKeyLabel.MARKSDB_SMDRL_LOGIN_STRING);
 }
- // TODO(b/237305940): remove this method and all supports, including entry in secretmanager
 @Override
- public String getJsonCredential() {
- return getString(StringKeyLabel.JSON_CREDENTIAL_STRING);
+ public String getBsaApiKey() {
+ return getString(StringKeyLabel.BSA_API_KEY_STRING);
 }
 /** No persistent resources are maintained for this Keyring implementation. */
diff --git a/core/src/main/java/google/registry/keyring/secretmanager/SecretManagerKeyringUpdater.java b/core/src/main/java/google/registry/keyring/secretmanager/SecretManagerKeyringUpdater.java
index 42614ceda..d57b6782e 100644
--- a/core/src/main/java/google/registry/keyring/secretmanager/SecretManagerKeyringUpdater.java
+++ b/core/src/main/java/google/registry/keyring/secretmanager/SecretManagerKeyringUpdater.java
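Review bot: Removing `getJsonCredential()` in the `@@ -143,10` hunk also removes the `TODO(b/237305940)` whose scope included the entry in Secret Manager, and no line in this patch deletes that entry. The commit message describes the value as an exported service account key, so if the `json-credential-string` secret (the name the updater test used) still exists, a long-lived credential stays stored with no code referencing it and, once the `JSON_CREDENTIAL` cases are dropped from the get and update commands, no tool path for inspecting it. I would keep a tracking comment until the cleanup is confirmed, e.g. `// TODO(b/237305940): delete the json-credential-string secret and disable the exported key.`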
@@ -24,8 +24,8 @@ import static google.registry.keyring.secretmanager.SecretManagerKeyring.PublicK
 import static google.registry.keyring.secretmanager.SecretManagerKeyring.PublicKeyLabel.RDE_RECEIVER_PUBLIC;
 import static google.registry.keyring.secretmanager.SecretManagerKeyring.PublicKeyLabel.RDE_SIGNING_PUBLIC;
 import static google.registry.keyring.secretmanager.SecretManagerKeyring.PublicKeyLabel.RDE_STAGING_PUBLIC;
+import static google.registry.keyring.secretmanager.SecretManagerKeyring.StringKeyLabel.BSA_API_KEY_STRING;
 import static google.registry.keyring.secretmanager.SecretManagerKeyring.StringKeyLabel.ICANN_REPORTING_PASSWORD_STRING;
-import static google.registry.keyring.secretmanager.SecretManagerKeyring.StringKeyLabel.JSON_CREDENTIAL_STRING;
 import static google.registry.keyring.secretmanager.SecretManagerKeyring.StringKeyLabel.MARKSDB_DNL_LOGIN_STRING;
 import static google.registry.keyring.secretmanager.SecretManagerKeyring.StringKeyLabel.MARKSDB_LORDN_PASSWORD_STRING;
 import static google.registry.keyring.secretmanager.SecretManagerKeyring.StringKeyLabel.MARKSDB_SMDRL_LOGIN_STRING;
@@ -120,8 +120,8 @@ public final class SecretManagerKeyringUpdater {
 return setString(login, MARKSDB_SMDRL_LOGIN_STRING);
 }
- public SecretManagerKeyringUpdater setJsonCredential(String credential) {
- return setString(credential, JSON_CREDENTIAL_STRING);
+ public SecretManagerKeyringUpdater setBsaApiKey(String credential) {
+ return setString(credential, BSA_API_KEY_STRING);
 }
 /**
diff --git a/core/src/main/java/google/registry/tools/GetKeyringSecretCommand.java b/core/src/main/java/google/registry/tools/GetKeyringSecretCommand.java
index bb5ac9973..f41db23ce 100644
--- a/core/src/main/java/google/registry/tools/GetKeyringSecretCommand.java
+++ b/core/src/main/java/google/registry/tools/GetKeyringSecretCommand.java
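Review bot: `setBsaApiKey(String credential)` in the `@@ -120,8` hunk keeps the parameter name of the removed `setJsonCredential`, which now mislabels an API key as a credential file. Rename it and document the setter: `public SecretManagerKeyringUpdater setBsaApiKey(String apiKey) {` with body `return setString(apiKey, BSA_API_KEY_STRING);` and a Javadoc line `/** Stages a new BSA API key; it is persisted when update() is called. */`. That persistence happens at `update()` is inferred from the test's `setBsaApiKey(secret).update()` chain, so confirm it before adopting the wording.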
@@ -64,15 +64,15 @@ final class GetKeyringSecretCommand implements Command {
 case BRDA_SIGNING_PUBLIC_KEY:
 out.write(KeySerializer.serializePublicKey(keyring.getBrdaSigningKey().getPublicKey()));
 break;
+ case BSA_API_KEY:
+ out.write(KeySerializer.serializeString(keyring.getBsaApiKey()));
+ break;
 case ICANN_REPORTING_PASSWORD:
 out.write(KeySerializer.serializeString(keyring.getIcannReportingPassword()));
 break;
 case SAFE_BROWSING_API_KEY:
 out.write(KeySerializer.serializeString(keyring.getSafeBrowsingAPIKey()));
 break;
- case JSON_CREDENTIAL:
- out.write(KeySerializer.serializeString(keyring.getJsonCredential()));
- break;
 case MARKSDB_DNL_LOGIN_AND_PASSWORD:
 out.write(KeySerializer.serializeString(keyring.getMarksdbDnlLoginAndPassword()));
 break;
diff --git a/core/src/main/java/google/registry/tools/UpdateKeyringSecretCommand.java b/core/src/main/java/google/registry/tools/UpdateKeyringSecretCommand.java
index 3185e85f8..96e7a80a9 100644
--- a/core/src/main/java/google/registry/tools/UpdateKeyringSecretCommand.java
+++ b/core/src/main/java/google/registry/tools/UpdateKeyringSecretCommand.java
@@ -64,12 +64,12 @@ final class UpdateKeyringSecretCommand implements Command {
 throw new IllegalArgumentException( "Can't update BRDA_SIGNING_PUBLIC_KEY directly." + " Must update public and private keys together using BRDA_SIGNING_KEY_PAIR.");
+ case BSA_API_KEY:
+ secretManagerKeyringUpdater.setBsaApiKey(deserializeString(input));
+ break;
 case ICANN_REPORTING_PASSWORD:
 secretManagerKeyringUpdater.setIcannReportingPassword(deserializeString(input));
 break;
- case JSON_CREDENTIAL:
- secretManagerKeyringUpdater.setJsonCredential(deserializeString(input));
- break;
 case MARKSDB_DNL_LOGIN_AND_PASSWORD:
 secretManagerKeyringUpdater.setMarksdbDnlLoginAndPassword(deserializeString(input));
 break;
diff --git a/core/src/main/java/google/registry/tools/params/KeyringKeyName.java b/core/src/main/java/google/registry/tools/params/KeyringKeyName.java
index 5906acf9b..b66f5afe9 100644
--- a/core/src/main/java/google/registry/tools/params/KeyringKeyName.java
+++ b/core/src/main/java/google/registry/tools/params/KeyringKeyName.java
@@ -24,8 +24,8 @@ public enum KeyringKeyName {
 BRDA_RECEIVER_PUBLIC_KEY,
 BRDA_SIGNING_KEY_PAIR,
 BRDA_SIGNING_PUBLIC_KEY,
+ BSA_API_KEY,
 ICANN_REPORTING_PASSWORD,
- JSON_CREDENTIAL,
 MARKSDB_DNL_LOGIN_AND_PASSWORD,
 MARKSDB_LORDN_PASSWORD,
 MARKSDB_SMDRL_LOGIN_AND_PASSWORD,
diff --git a/core/src/test/java/google/registry/keyring/secretmanager/SecretManagerKeyringUpdaterTest.java b/core/src/test/java/google/registry/keyring/secretmanager/SecretManagerKeyringUpdaterTest.java
index 5bbce4c80..a0d3397df 100644
--- a/core/src/test/java/google/registry/keyring/secretmanager/SecretManagerKeyringUpdaterTest.java
+++ b/core/src/test/java/google/registry/keyring/secretmanager/SecretManagerKeyringUpdaterTest.java
@@ -51,16 +51,16 @@ public class SecretManagerKeyringUpdaterTest {
 updater
 .setMarksdbDnlLoginAndPassword(secretPrefix + "marksdb")
 .setIcannReportingPassword(secretPrefix + "icann")
- .setJsonCredential(secretPrefix + "json")
+ .setBsaApiKey(secretPrefix + "bsa")
 .update();
 assertThat(keyring.getMarksdbDnlLoginAndPassword()).isEqualTo(secretPrefix + "marksdb");
 assertThat(keyring.getIcannReportingPassword()).isEqualTo(secretPrefix + "icann");
- assertThat(keyring.getJsonCredential()).isEqualTo(secretPrefix + "json");
+ assertThat(keyring.getBsaApiKey()).isEqualTo(secretPrefix + "bsa");
 verifyPersistedSecret("marksdb-dnl-login-string", secretPrefix + "marksdb");
 verifyPersistedSecret("icann-reporting-password-string", secretPrefix + "icann");
- verifyPersistedSecret("json-credential-string", secretPrefix + "json");
+ verifyPersistedSecret("bsa-api-key-string", secretPrefix + "bsa");
 }
 @Test
@@ -94,12 +94,12 @@ public class SecretManagerKeyringUpdaterTest {
 }
 @Test
- void jsonCredential() {
- String secret = "jsonCredential";
- updater.setJsonCredential(secret).update();
+ void bsaApiKey() {
+ String secret = "bsaApiKey";
+ updater.setBsaApiKey(secret).update();
- assertThat(keyring.getJsonCredential()).isEqualTo(secret);
- verifyPersistedSecret("json-credential-string", secret);
+ assertThat(keyring.getBsaApiKey()).isEqualTo(secret);
+ verifyPersistedSecret("bsa-api-key-string", secret);
 }
 @Test
diff --git a/core/src/test/java/google/registry/testing/FakeKeyringModule.java b/core/src/test/java/google/registry/testing/FakeKeyringModule.java
index 306ca4a0a..b5e8b541f 100644
--- a/core/src/test/java/google/registry/testing/FakeKeyringModule.java
+++ b/core/src/test/java/google/registry/testing/FakeKeyringModule.java
@@ -55,7 +55,7 @@ public final class FakeKeyringModule {
 private static final String MARKSDB_DNL_LOGIN_AND_PASSWORD = "dnl:yolo";
 private static final String MARKSDB_LORDN_PASSWORD = "yolo";
 private static final String MARKSDB_SMDRL_LOGIN_AND_PASSWORD = "smdrl:yolo";
- private static final String JSON_CREDENTIAL = "json123";
+ private static final String BSA_API_KEY = "bsaapikey";
 @Provides
 public Keyring get() {
@@ -127,8 +127,8 @@ public final class FakeKeyringModule {
 }
 @Override
- public String getJsonCredential() {
- return JSON_CREDENTIAL;
+ public String getBsaApiKey() {
+ return BSA_API_KEY;
 }
 @Override