Refactor DelegatedCredential provisioning for GSuite domains

Updated the registar contact group management, which is the only
use case for this credential.

Also updated GSuite domain delegated admin access config in admin
dashboard for both sandbox (used by alpha and sandbox) and prod.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=212320157

java/google/registry/config/CredentialModule.java

@@ -79,6 +79,29 @@ public abstract class CredentialModule {
     return credential;
   }
 
+  /**
+   * Provides a {@link GoogleCredential} with delegated admin access for a G Suite domain.
+   *
+   * <p>The G Suite domain must grant delegated admin access to the registry service account with
+   * all scopes in {@code requiredScopes}, including ones not related to G Suite.
+   */
+  @DelegatedCredential
+  @Provides
+  @Singleton
+  public static GoogleCredential provideDelegatedCredential(
+      @Config("credentialOauthScopes") ImmutableList<String> requiredScopes,
+      @JsonCredential GoogleCredential googleCredential,
+      @Config("gSuiteAdminAccountEmailAddress") String gSuiteAdminAccountEmailAddress) {
+    return new GoogleCredential.Builder()
+        .setTransport(Utils.getDefaultTransport())
+        .setJsonFactory(Utils.getDefaultJsonFactory())
+        .setServiceAccountId(googleCredential.getServiceAccountId())
+        .setServiceAccountPrivateKey(googleCredential.getServiceAccountPrivateKey())
+        .setServiceAccountScopes(requiredScopes)
+        .setServiceAccountUser(gSuiteAdminAccountEmailAddress)
+        .build();
+  }
+
   /** Dagger qualifier for the Application Default Credential. */
   @Qualifier
   public @interface DefaultCredential {}