diff --git a/java/google/registry/config/RegistryConfig.java b/java/google/registry/config/RegistryConfig.java
index 1ad40e6ef..0fa174519 100644
--- a/java/google/registry/config/RegistryConfig.java
+++ b/java/google/registry/config/RegistryConfig.java
@@ -1021,6 +1021,12 @@ public final class RegistryConfig {
 return config.registryPolicy.greetingServerId;
 }
+ @Provides
+ @Config("activeKeyring")
+ public static String provideKeyring(RegistryConfigSettings config) {
+ return config.keyring.activeKeyring;
+ }
+
 /**
 * The name to use for the Cloud KMS KeyRing containing encryption keys for Nomulus secrets.
 *
@@ -1030,13 +1036,13 @@ public final class RegistryConfig {
 @Provides
 @Config("cloudKmsKeyRing")
 public static String provideCloudKmsKeyRing(RegistryConfigSettings config) {
- return config.kms.keyringName;
+ return config.keyring.kms.keyringName;
 }
 @Provides
 @Config("cloudKmsProjectId")
 public static String provideCloudKmsProjectId(RegistryConfigSettings config) {
- return config.kms.projectId;
+ return config.keyring.kms.projectId;
 }
 @Provides
diff --git a/java/google/registry/config/RegistryConfigSettings.java b/java/google/registry/config/RegistryConfigSettings.java
index 6f4d73465..15118679a 100644
--- a/java/google/registry/config/RegistryConfigSettings.java
+++ b/java/google/registry/config/RegistryConfigSettings.java
@@ -34,7 +34,7 @@ public class RegistryConfigSettings {
 public Monitoring monitoring;
 public Misc misc;
 public Beam beam;
- public Kms kms;
+ public Keyring keyring;
 public RegistryTool registryTool;
 /** Configuration options that apply to the entire App Engine project. */
@@ -99,12 +99,6 @@ public class RegistryConfigSettings {
 public int baseOfyRetryMillis;
 }
- /** Configuration for Cloud KMS. */
- public static class Kms {
- public String keyringName;
- public String projectId;
- }
-
 /** Configuration for Apache Beam (Cloud Dataflow). */
 public static class Beam {
 public String defaultJobZone;
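Review bot: The new `provideKeyring` provider in the first RegistryConfig hunk has no Javadoc, while every neighbouring provider in this class (for example `provideCloudKmsKeyRing`) carries one, and its name says nothing about the string it returns being a selector. Since that value is later used as the lookup key into the multibound keyring map and a mismatch fails at injection time, the contract belongs on the provider: `/** The name of the active {@code Keyring} implementation; must equal a keyring name registered by a keyring module (the default config lists "KMS" and "Dummy"). */`. Renaming it to `provideActiveKeyring` to match the `@Config("activeKeyring")` qualifier would also avoid confusion with `KeyringModule.provideKeyring`, which returns the `Keyring` itself.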
@@ -170,6 +164,18 @@ public class RegistryConfigSettings {
 public int asyncDeleteDelaySeconds;
 }
+ /** Configuration for keyrings (used to store secrets outside of source). */
+ public static class Keyring {
+ public String activeKeyring;
+ public Kms kms;
+ }
+
+ /** Configuration for Cloud KMS. */
+ public static class Kms {
+ public String keyringName;
+ public String projectId;
+ }
+
 /** Configuration options for the registry tool. */
 public static class RegistryTool {
 public String clientSecretFilename;
diff --git a/java/google/registry/config/files/default-config.yaml b/java/google/registry/config/files/default-config.yaml
index 8c51b0cfc..912353b48 100644
--- a/java/google/registry/config/files/default-config.yaml
+++ b/java/google/registry/config/files/default-config.yaml
@@ -322,14 +322,19 @@ beam:
 # The default zone to run Apache Beam (Cloud Dataflow) jobs in.
 defaultJobZone: us-east1-c
-kms:
- # GCP project containing the KMS keyring. Should only be used for KMS in
- # order to keep a simple locked down IAM configuration.
- projectId: registry-kms-project-id
+keyring:
+ # The name of the active keyring, either "KMS" or "Dummy".
+ activeKeyring: Dummy
- # The name to use for the Cloud KMS KeyRing which will store encryption keys
- # for Nomulus secrets.
- keyringName: nomulus
+ # Configuration options specific to Google Cloud KMS.
+ kms:
+ # GCP project containing the KMS keyring. Should only be used for KMS in
+ # order to keep a simple locked down IAM configuration.
+ projectId: registry-kms-project-id
+
+ # The name to use for the Cloud KMS KeyRing which will store encryption keys
+ # for Nomulus secrets.
+ keyringName: nomulus
 # Configuration options relevant to the "nomulus" registry tool.
 registryTool:
diff --git a/java/google/registry/config/files/nomulus-config-production-sample.yaml b/java/google/registry/config/files/nomulus-config-production-sample.yaml
index 4a891e1d9..01a051f7c 100644
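Review bot: `activeKeyring: Dummy` in the default-config.yaml hunk makes the Dummy keyring the effective choice for any environment whose override file does not set `keyring.activeKeyring`, and the new comment says nothing about what that implies. Per the DummyKeyringModule changes in this same diff, that keyring is an `InMemoryKeyring` built from a checked-in PGP key pair for `test-registry@example.com` and placeholder credentials (`"not a real login"`), so a deployment that misses the override would run with publicly known key material and no error. The production sample does set `KMS`, but the default is where the expectation should be documented, e.g. extend the comment to `# The name of the active keyring, either "KMS" or "Dummy". "Dummy" uses the built-in test keys from DummyKeyringModule and is only suitable for local development and tests; production configs must set "KMS".` A startup check that refuses "Dummy" outside development environments would be stronger, but I cannot tell from this diff whether the config exposes an environment flag to key such a check on.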
--- a/java/google/registry/config/files/nomulus-config-production-sample.yaml
+++ b/java/google/registry/config/files/nomulus-config-production-sample.yaml
@@ -61,5 +61,7 @@ cloudDns:
 rootUrl: null
 servicePath: null
-kms:
- projectId: placeholder
+keyring:
+ activeKeyring: KMS
+ kms:
+ projectId: placeholder
diff --git a/java/google/registry/keyring/BUILD b/java/google/registry/keyring/BUILD
new file mode 100644
index 000000000..ec999ce7c
--- /dev/null
+++ b/java/google/registry/keyring/BUILD
@@ -0,0 +1,21 @@
+package(
+ default_visibility = ["//visibility:public"],
+)
+
+licenses(["notice"]) # Apache 2.0
+
+java_library(
+ name = "keyring",
+ srcs = glob(["*.java"]),
+ deps = [
+ "//java/google/registry/config",
+ "//java/google/registry/keyring/api",
+ "@com_google_code_findbugs_jsr305",
+ "@com_google_dagger",
+ "@com_google_flogger",
+ "@com_google_flogger_system_backend",
+ "@com_google_guava",
+ "@javax_inject",
+ "@org_bouncycastle_bcpg_jdk15on",
+ ],
+)
diff --git a/java/google/registry/keyring/kms/KeyringModule.java b/java/google/registry/keyring/KeyringModule.java
similarity index 58%
rename from java/google/registry/keyring/kms/KeyringModule.java
rename to java/google/registry/keyring/KeyringModule.java
index 7a9b53f80..28c525900 100644
--- a/java/google/registry/keyring/kms/KeyringModule.java
+++ b/java/google/registry/keyring/KeyringModule.java
@@ -1,4 +1,4 @@
-// Copyright 2017 The Nomulus Authors. All Rights Reserved.
+// Copyright 2018 The Nomulus Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -12,11 +12,15 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
-package google.registry.keyring.kms;
+package google.registry.keyring;
+
+import static com.google.common.base.Preconditions.checkState;
 import dagger.Module;
 import dagger.Provides;
+import google.registry.config.RegistryConfig.Config;
 import google.registry.keyring.api.Keyring;
+import java.util.Map;
 import javax.inject.Singleton;
 /** Dagger module for {@link Keyring} */
@@ -25,7 +29,13 @@ public final class KeyringModule {
 @Provides
 @Singleton
- public static Keyring provideKeyring(KmsKeyring kmsKeyring) {
- return kmsKeyring;
+ public static Keyring provideKeyring(
+ Map keyrings, @Config("activeKeyring") String activeKeyring) {
+ checkState(
+ keyrings.containsKey(activeKeyring),
+ "Invalid Keyring %s is configured; valid choices are %s",
+ activeKeyring,
+ keyrings.keySet());
+ return keyrings.get(activeKeyring);
 }
 }
diff --git a/java/google/registry/keyring/api/DummyKeyringModule.java b/java/google/registry/keyring/api/DummyKeyringModule.java
index 9e35c14fe..9e2f2aec3 100644
--- a/java/google/registry/keyring/api/DummyKeyringModule.java
+++ b/java/google/registry/keyring/api/DummyKeyringModule.java
@@ -21,11 +21,15 @@ import static google.registry.keyring.api.PgpHelper.lookupKeyPair;
 import com.google.common.base.VerifyException;
 import com.google.common.io.ByteSource;
 import com.google.common.io.Resources;
+import dagger.Binds;
 import dagger.Module;
 import dagger.Provides;
+import dagger.multibindings.IntoMap;
+import dagger.multibindings.StringKey;
 import java.io.IOException;
 import java.io.InputStream;
 import javax.annotation.concurrent.Immutable;
+import javax.inject.Named;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPKeyPair;
 import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
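Review bot: `provideKeyring` in the second KeyringModule hunk validates the configured name but records nothing about which keyring was selected, so once a service is up an operator has no log evidence of whether it runs on the KMS keyring or the Dummy one; given that the default config selects Dummy, that is the one fact worth logging at startup. The new BUILD file for this package already depends on `@com_google_flogger`, so a `private static final FluentLogger logger = FluentLogger.forEnclosingClass();` field plus `logger.atInfo().log("Using keyring: %s", activeKeyring);` before the return would do it. As rendered the parameter is a raw `Map keyrings`; if the `<String, Keyring>` type arguments were merely lost in display, ignore this, otherwise the `@IntoMap`/`@StringKey` contributions from DummyKeyringModule and KmsModule will not bind to it. The provider also lacks Javadoc; `/** Returns the keyring named by the {@code activeKeyring} config setting, failing fast if no keyring module registered that name. */` would capture the contract.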
@@ -68,7 +72,9 @@ import org.bouncycastle.openpgp.bc.BcPGPSecretKeyRingCollection;
 */
 @Module
 @Immutable
-public final class DummyKeyringModule {
+public abstract class DummyKeyringModule {
+
+ public static final String NAME = "Dummy";
 /** The contents of a dummy PGP public key stored in a file. */
 private static final ByteSource PGP_PUBLIC_KEYRING =
@@ -81,9 +87,15 @@ public final class DummyKeyringModule {
 /** The email address of the aforementioned PGP key. */
 private static final String EMAIL_ADDRESS = "test-registry@example.com";
+ @Binds
+ @IntoMap
+ @StringKey(NAME)
+ abstract Keyring provideKeyring(@Named("DummyKeyring") InMemoryKeyring keyring);
+
 /** Always returns a {@link InMemoryKeyring} instance. */
 @Provides
- static Keyring provideKeyring() {
+ @Named("DummyKeyring")
+ static InMemoryKeyring provideDummyKeyring() {
 PGPKeyPair dummyKey;
 try (InputStream publicInput = PGP_PUBLIC_KEYRING.openStream();
 InputStream privateInput = PGP_PRIVATE_KEYRING.openStream()) {
@@ -112,4 +124,6 @@ public final class DummyKeyringModule {
 "not a real login",
 "not a real credential");
 }
+
+ private DummyKeyringModule() {}
 }
diff --git a/java/google/registry/keyring/kms/KmsModule.java b/java/google/registry/keyring/kms/KmsModule.java
index 1b63fff76..1c96ca50e 100644
--- a/java/google/registry/keyring/kms/KmsModule.java
+++ b/java/google/registry/keyring/kms/KmsModule.java
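Review bot: `NAME = "Dummy"` in the first DummyKeyringModule hunk is now a configuration contract (it is the `@StringKey` under which the keyring is registered and the value an operator writes into `keyring.activeKeyring`), yet it has no Javadoc, and the same applies to `NAME = "KMS"` in the KmsModule hunk that follows. Suggest `/** Name under which this keyring is registered; set {@code keyring.activeKeyring} to this value to select it. */` on both constants. The qualifier string `"DummyKeyring"` is written out twice in the second hunk (on the `@Binds` parameter and on the `@Named` provider); a private constant would keep the two from drifting apart, since a typo there only surfaces as a Dagger binding error at build time.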
@@ -19,13 +19,23 @@ import com.google.api.services.cloudkms.v1.CloudKMS;
 import dagger.Binds;
 import dagger.Module;
 import dagger.Provides;
+import dagger.multibindings.IntoMap;
+import dagger.multibindings.StringKey;
 import google.registry.config.CredentialModule.DefaultCredential;
 import google.registry.config.RegistryConfig.Config;
+import google.registry.keyring.api.Keyring;
-/** Dagger module for Cloud KMS connection objects. */
+/** Dagger module for Cloud KMS. */
 @Module
 public abstract class KmsModule {
+ public static final String NAME = "KMS";
+
+ @Binds
+ @IntoMap
+ @StringKey(NAME)
+ abstract Keyring provideKeyring(KmsKeyring keyring);
+
 @Provides
 static CloudKMS provideKms(
 @DefaultCredential GoogleCredential credential,
diff --git a/java/google/registry/module/backend/BUILD b/java/google/registry/module/backend/BUILD
index d4527f2ea..75aa46b18 100644
--- a/java/google/registry/module/backend/BUILD
+++ b/java/google/registry/module/backend/BUILD
@@ -22,6 +22,7 @@ java_library(
 "//java/google/registry/flows",
 "//java/google/registry/gcs",
 "//java/google/registry/groups",
+ "//java/google/registry/keyring",
 "//java/google/registry/keyring/api",
 "//java/google/registry/keyring/kms",
 "//java/google/registry/mapreduce",
diff --git a/java/google/registry/module/backend/BackendComponent.java b/java/google/registry/module/backend/BackendComponent.java
index 9ef32033a..9844eee40 100644
--- a/java/google/registry/module/backend/BackendComponent.java
+++ b/java/google/registry/module/backend/BackendComponent.java
@@ -27,6 +27,8 @@ import google.registry.gcs.GcsServiceModule;
 import google.registry.groups.DirectoryModule;
 import google.registry.groups.GroupsModule;
 import google.registry.groups.GroupssettingsModule;
+import google.registry.keyring.KeyringModule;
+import google.registry.keyring.api.DummyKeyringModule;
 import google.registry.keyring.api.KeyModule;
 import google.registry.keyring.kms.KmsModule;
 import google.registry.module.backend.BackendRequestComponent.BackendRequestComponentModule;
@@ -56,7 +58,7 @@ import javax.inject.Singleton;
 CredentialModule.class,
 DatastoreServiceModule.class,
 DirectoryModule.class,
- google.registry.keyring.api.DummyKeyringModule.class,
+ DummyKeyringModule.class,
 DriveModule.class,
 GcsServiceModule.class,
 GroupsModule.class,
@@ -64,6 +66,7 @@ import javax.inject.Singleton;
 JSchModule.class,
 Jackson2Module.class,
 KeyModule.class,
+ KeyringModule.class,
 KmsModule.class,
 NetHttpTransportModule.class,
 SheetsServiceModule.class,
diff --git a/java/google/registry/module/frontend/BUILD b/java/google/registry/module/frontend/BUILD
index 1f99a1b17..589a82287 100644
--- a/java/google/registry/module/frontend/BUILD
+++ b/java/google/registry/module/frontend/BUILD
@@ -11,6 +11,7 @@ java_library(
 "//java/google/registry/config",
 "//java/google/registry/dns",
 "//java/google/registry/flows",
+ "//java/google/registry/keyring",
 "//java/google/registry/keyring/api",
 "//java/google/registry/keyring/kms",
 "//java/google/registry/monitoring/whitebox",
diff --git a/java/google/registry/module/frontend/FrontendComponent.java b/java/google/registry/module/frontend/FrontendComponent.java
index ee2e04792..1c96edc5b 100644
--- a/java/google/registry/module/frontend/FrontendComponent.java
+++ b/java/google/registry/module/frontend/FrontendComponent.java
@@ -21,6 +21,8 @@ import google.registry.config.CredentialModule;
 import google.registry.config.RegistryConfig.ConfigModule;
 import google.registry.flows.ServerTridProviderModule;
 import google.registry.flows.custom.CustomLogicFactoryModule;
+import google.registry.keyring.KeyringModule;
+import google.registry.keyring.api.DummyKeyringModule;
 import google.registry.keyring.api.KeyModule;
 import google.registry.keyring.kms.KmsModule;
 import google.registry.module.frontend.FrontendRequestComponent.FrontendRequestComponentModule;
@@ -46,10 +48,11 @@ import javax.inject.Singleton;
 ConsoleConfigModule.class,
 CredentialModule.class,
 CustomLogicFactoryModule.class,
- google.registry.keyring.api.DummyKeyringModule.class,
+ DummyKeyringModule.class,
 FrontendRequestComponentModule.class,
 Jackson2Module.class,
 KeyModule.class,
+ KeyringModule.class,
 KmsModule.class,
 NetHttpTransportModule.class,
 ServerTridProviderModule.class,
diff --git a/java/google/registry/module/pubapi/BUILD b/java/google/registry/module/pubapi/BUILD
index 9af5ff86d..e3d388311 100644
--- a/java/google/registry/module/pubapi/BUILD
+++ b/java/google/registry/module/pubapi/BUILD
@@ -11,6 +11,7 @@ java_library(
 "//java/google/registry/config",
 "//java/google/registry/dns",
 "//java/google/registry/flows",
+ "//java/google/registry/keyring",
 "//java/google/registry/keyring/api",
 "//java/google/registry/keyring/kms",
 "//java/google/registry/monitoring/whitebox",
diff --git a/java/google/registry/module/pubapi/PubApiComponent.java b/java/google/registry/module/pubapi/PubApiComponent.java
index 383ba559c..ef5ffbc65 100644
--- a/java/google/registry/module/pubapi/PubApiComponent.java
+++ b/java/google/registry/module/pubapi/PubApiComponent.java
@@ -21,6 +21,8 @@ import google.registry.config.CredentialModule;
 import google.registry.config.RegistryConfig.ConfigModule;
 import google.registry.flows.ServerTridProviderModule;
 import google.registry.flows.custom.CustomLogicFactoryModule;
+import google.registry.keyring.KeyringModule;
+import google.registry.keyring.api.DummyKeyringModule;
 import google.registry.keyring.api.KeyModule;
 import google.registry.keyring.kms.KmsModule;
 import google.registry.module.pubapi.PubApiRequestComponent.PubApiRequestComponentModule;
@@ -44,10 +46,11 @@ import javax.inject.Singleton;
 ConfigModule.class,
 CredentialModule.class,
 CustomLogicFactoryModule.class,
- google.registry.keyring.api.DummyKeyringModule.class,
+ DummyKeyringModule.class,
 PubApiRequestComponentModule.class,
 Jackson2Module.class,
 KeyModule.class,
+ KeyringModule.class,
 KmsModule.class,
 NetHttpTransportModule.class,
 ServerTridProviderModule.class,
diff --git a/java/google/registry/module/tools/BUILD b/java/google/registry/module/tools/BUILD
index a76e62b89..a46e09e90 100644
--- a/java/google/registry/module/tools/BUILD
+++ b/java/google/registry/module/tools/BUILD
@@ -15,6 +15,7 @@ java_library(
 "//java/google/registry/flows",
 "//java/google/registry/gcs",
 "//java/google/registry/groups",
+ "//java/google/registry/keyring",
 "//java/google/registry/keyring/api",
 "//java/google/registry/keyring/kms",
 "//java/google/registry/loadtest",
diff --git a/java/google/registry/module/tools/ToolsComponent.java b/java/google/registry/module/tools/ToolsComponent.java
index bcf3b296b..605ddc95a 100644
--- a/java/google/registry/module/tools/ToolsComponent.java
+++ b/java/google/registry/module/tools/ToolsComponent.java
@@ -24,6 +24,8 @@ import google.registry.gcs.GcsServiceModule;
 import google.registry.groups.DirectoryModule;
 import google.registry.groups.GroupsModule;
 import google.registry.groups.GroupssettingsModule;
+import google.registry.keyring.KeyringModule;
+import google.registry.keyring.api.DummyKeyringModule;
 import google.registry.keyring.api.KeyModule;
 import google.registry.keyring.kms.KmsModule;
 import google.registry.module.tools.ToolsRequestComponent.ToolsRequestComponentModule;
@@ -49,13 +51,14 @@ import javax.inject.Singleton;
 CustomLogicFactoryModule.class,
 DatastoreServiceModule.class,
 DirectoryModule.class,
- google.registry.keyring.api.DummyKeyringModule.class,
+ DummyKeyringModule.class,
 DriveModule.class,
 GcsServiceModule.class,
 GroupsModule.class,
 GroupssettingsModule.class,
 Jackson2Module.class,
 KeyModule.class,
+ KeyringModule.class,
 KmsModule.class,
 NetHttpTransportModule.class,
 ServerTridProviderModule.class,
diff --git a/java/google/registry/tools/BUILD b/java/google/registry/tools/BUILD
index 90e9fb3dc..d4671b9b9 100644
--- a/java/google/registry/tools/BUILD
+++ b/java/google/registry/tools/BUILD
@@ -46,6 +46,7 @@ java_library(
 "//java/google/registry/export",
 "//java/google/registry/flows",
 "//java/google/registry/gcs",
+ "//java/google/registry/keyring",
 "//java/google/registry/keyring/api",
 "//java/google/registry/keyring/kms",
 "//java/google/registry/loadtest",
diff --git a/java/google/registry/tools/RegistryToolComponent.java b/java/google/registry/tools/RegistryToolComponent.java
index 6dbae7c08..42d65f523 100644
--- a/java/google/registry/tools/RegistryToolComponent.java
+++ b/java/google/registry/tools/RegistryToolComponent.java
@@ -21,6 +21,8 @@ import google.registry.config.RegistryConfig.ConfigModule;
 import google.registry.dns.writer.VoidDnsWriterModule;
 import google.registry.dns.writer.clouddns.CloudDnsWriterModule;
 import google.registry.dns.writer.dnsupdate.DnsUpdateWriterModule;
+import google.registry.keyring.KeyringModule;
+import google.registry.keyring.api.DummyKeyringModule;
 import google.registry.keyring.api.KeyModule;
 import google.registry.keyring.kms.KmsModule;
 import google.registry.rde.RdeModule;
@@ -52,13 +54,14 @@ import javax.inject.Singleton;
 ConfigModule.class,
 CredentialModule.class,
 DatastoreServiceModule.class,
- google.registry.keyring.api.DummyKeyringModule.class,
+ DummyKeyringModule.class,
 CloudDnsWriterModule.class,
 DefaultRequestFactoryModule.class,
 DefaultRequestFactoryModule.RequestFactoryModule.class,
 DnsUpdateWriterModule.class,
 Jackson2Module.class,
 KeyModule.class,
+ KeyringModule.class,
 KmsModule.class,
 RdeModule.class,
 RegistryToolModule.class,