Require SSL certificate hash on login by default

Note that it's possible to set a config option to disable this functionality on a per-environment basis (we're disabling it for sandbox), but in general SSL certificate hashes should be required for increased security. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=225053496
2026-01-11 00:10:36 +00:00 · 2018-12-11 12:49:05 -08:00
parent 0a44ef0dca
commit 400994237c
9 changed files with 80 additions and 29 deletions
--- a/java/google/registry/config/RegistryConfig.java
+++ b/java/google/registry/config/RegistryConfig.java
@@ -573,6 +573,17 @@ public final class RegistryConfig {
      return beamBucketUrl + "/templates/spec11";
    }

+    /**
+     * Returns whether an SSL certificate hash is required to log in via EPP and run flows.
+     *
+     * @see google.registry.flows.TlsCredentials
+     */
+    @Provides
+    @Config("requireSslCertificates")
+    public static boolean provideRequireSslCertificates(RegistryConfigSettings config) {
+      return config.registryPolicy.requireSslCertificates;
+    }
+
    /**
     * Returns the default job zone to run Apache Beam (Cloud Dataflow) jobs in.
     *