Change @Auth to an AutoValue, and created a set of predefined Auths

We want to be safer and more explicit about the authentication needed by the many actions that exist.

As such, we make the 'auth' parameter required in @Action (so it's always clear who can run a specific action) and we replace the @Auth with an enum so that only pre-approved configurations that are aptly named and documented can be used.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=162210306

java/google/registry/export/BigqueryPollJobAction.java

@@ -31,6 +31,7 @@ import google.registry.request.Header;
 import google.registry.request.HttpException.BadRequestException;
 import google.registry.request.HttpException.NotModifiedException;
 import google.registry.request.Payload;
+import google.registry.request.auth.Auth;
 import google.registry.util.FormattingLogger;
 import google.registry.util.TaskEnqueuer;
 import java.io.ByteArrayInputStream;
@@ -46,9 +47,11 @@ import org.joda.time.Duration;
  * completion state; otherwise it will return a failure code so that the task will be retried.
  */
 @Action(
-    path = BigqueryPollJobAction.PATH,
-    method = {Action.Method.GET, Action.Method.POST},
-    automaticallyPrintOk = true)
+  path = BigqueryPollJobAction.PATH,
+  method = {Action.Method.GET, Action.Method.POST},
+  automaticallyPrintOk = true,
+  auth = Auth.AUTH_INTERNAL_ONLY
+)
 public class BigqueryPollJobAction implements Runnable {
 
   private static final FormattingLogger logger = FormattingLogger.getLoggerForCallerClass();

java/google/registry/export/CheckSnapshotAction.java

@@ -36,6 +36,7 @@ import google.registry.request.HttpException.NotModifiedException;
 import google.registry.request.Parameter;
 import google.registry.request.RequestMethod;
 import google.registry.request.Response;
+import google.registry.request.auth.Auth;
 import google.registry.util.FormattingLogger;
 import java.util.Set;
 import javax.inject.Inject;
@@ -49,7 +50,8 @@ import org.joda.time.format.PeriodFormat;
 @Action(
   path = CheckSnapshotAction.PATH,
   method = {POST, GET},
-  automaticallyPrintOk = true
+  automaticallyPrintOk = true,
+  auth = Auth.AUTH_INTERNAL_ONLY
 )
 public class CheckSnapshotAction implements Runnable {
 

java/google/registry/export/ExportDomainListsAction.java

@@ -37,6 +37,7 @@ import google.registry.model.domain.DomainResource;
 import google.registry.model.registry.Registry.TldType;
 import google.registry.request.Action;
 import google.registry.request.Response;
+import google.registry.request.auth.Auth;
 import google.registry.util.FormattingLogger;
 import java.io.IOException;
 import java.io.OutputStream;
@@ -52,7 +53,11 @@ import org.joda.time.DateTime;
  * Each TLD's active domain names are exported as a newline-delimited flat text file with the name
  * TLD.txt into the domain-lists bucket.  Note that this overwrites the files in place.
  */
-@Action(path = "/_dr/task/exportDomainLists", method = POST)
+@Action(
+  path = "/_dr/task/exportDomainLists",
+  method = POST,
+  auth = Auth.AUTH_INTERNAL_ONLY
+)
 public class ExportDomainListsAction implements Runnable {
 
   private static final FormattingLogger logger = FormattingLogger.getLoggerForCallerClass();

java/google/registry/export/ExportReservedTermsAction.java

@@ -27,12 +27,17 @@ import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.RequestParameters;
 import google.registry.request.Response;
+import google.registry.request.auth.Auth;
 import google.registry.storage.drive.DriveConnection;
 import google.registry.util.FormattingLogger;
 import javax.inject.Inject;
 
 /** Action that exports the publicly viewable reserved terms list for a TLD to Google Drive. */
-@Action(path = "/_dr/task/exportReservedTerms", method = POST)
+@Action(
+  path = "/_dr/task/exportReservedTerms",
+  method = POST,
+  auth = Auth.AUTH_INTERNAL_ONLY
+)
 public class ExportReservedTermsAction implements Runnable {
 
   private static final FormattingLogger logger = FormattingLogger.getLoggerForCallerClass();

java/google/registry/export/ExportSnapshotAction.java

@@ -20,6 +20,7 @@ import static google.registry.request.Action.Method.POST;
 import google.registry.config.RegistryConfig;
 import google.registry.request.Action;
 import google.registry.request.Response;
+import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
 import google.registry.util.FormattingLogger;
 import javax.inject.Inject;
@@ -37,7 +38,12 @@ import javax.inject.Inject;
  *   <li>The {@link UpdateSnapshotViewAction} updates the view in latest_snapshot.
  * </ol>
  */
-@Action(path = ExportSnapshotAction.PATH, method = POST, automaticallyPrintOk = true)
+@Action(
+  path = ExportSnapshotAction.PATH,
+  method = POST,
+  automaticallyPrintOk = true,
+  auth = Auth.AUTH_INTERNAL_ONLY
+)
 public class ExportSnapshotAction implements Runnable {
 
   /** Queue to use for enqueuing the task that will actually launch the backup. */

java/google/registry/export/LoadSnapshotAction.java

@@ -43,6 +43,7 @@ import google.registry.request.Action;
 import google.registry.request.HttpException.BadRequestException;
 import google.registry.request.HttpException.InternalServerErrorException;
 import google.registry.request.Parameter;
+import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
 import google.registry.util.FormattingLogger;
 import java.io.IOException;
@@ -50,7 +51,11 @@ import javax.inject.Inject;
 import org.joda.time.DateTime;
 
 /** Action to load a Datastore snapshot from Google Cloud Storage into BigQuery. */
-@Action(path = LoadSnapshotAction.PATH, method = POST)
+@Action(
+  path = LoadSnapshotAction.PATH,
+  method = POST,
+  auth = Auth.AUTH_INTERNAL_ONLY
+)
 public class LoadSnapshotAction implements Runnable {
 
   /** Parameter names for passing parameters into the servlet. */

java/google/registry/export/PublishDetailReportAction.java

@@ -29,9 +29,6 @@ import google.registry.request.HttpException.InternalServerErrorException;
 import google.registry.request.JsonActionRunner;
 import google.registry.request.JsonActionRunner.JsonAction;
 import google.registry.request.auth.Auth;
-import google.registry.request.auth.Auth.AuthMethod;
-import google.registry.request.auth.Auth.UserPolicy;
-import google.registry.request.auth.AuthLevel;
 import google.registry.storage.drive.DriveConnection;
 import google.registry.util.FormattingLogger;
 import java.io.FileNotFoundException;
@@ -43,12 +40,7 @@ import javax.inject.Inject;
 @Action(
   path = PublishDetailReportAction.PATH,
   method = Action.Method.POST,
-  auth =
-      @Auth(
-        methods = {AuthMethod.INTERNAL, Auth.AuthMethod.API},
-        minimumLevel = AuthLevel.APP,
-        userPolicy = UserPolicy.ADMIN
-      )
+  auth = Auth.AUTH_INTERNAL_OR_ADMIN
 )
 public final class PublishDetailReportAction implements Runnable, JsonAction {
 

java/google/registry/export/SyncGroupMembersAction.java

@@ -36,6 +36,7 @@ import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarContact;
 import google.registry.request.Action;
 import google.registry.request.Response;
+import google.registry.request.auth.Auth;
 import google.registry.util.FormattingLogger;
 import google.registry.util.Retrier;
 import java.io.IOException;
@@ -52,7 +53,11 @@ import javax.inject.Inject;
  *
  * <p>This uses the <a href="https://developers.google.com/admin-sdk/directory/">Directory API</a>.
  */
-@Action(path = "/_dr/task/syncGroupMembers", method = POST)
+@Action(
+  path = "/_dr/task/syncGroupMembers",
+  method = POST,
+  auth = Auth.AUTH_INTERNAL_ONLY
+)
 public final class SyncGroupMembersAction implements Runnable {
 
   private static final FormattingLogger logger = FormattingLogger.getLoggerForCallerClass();

java/google/registry/export/UpdateSnapshotViewAction.java

@@ -13,6 +13,7 @@
 // limitations under the License.
 
 package google.registry.export;
+
 import static google.registry.request.Action.Method.POST;
 
 import com.google.api.client.googleapis.json.GoogleJsonResponseException;
@@ -27,13 +28,18 @@ import google.registry.config.RegistryConfig.Config;
 import google.registry.request.Action;
 import google.registry.request.HttpException.InternalServerErrorException;
 import google.registry.request.Parameter;
+import google.registry.request.auth.Auth;
 import google.registry.util.FormattingLogger;
 import google.registry.util.SqlTemplate;
 import java.io.IOException;
 import javax.inject.Inject;
 
 /** Update a well-known view to point at a certain Datastore snapshot table in BigQuery. */
-@Action(path = UpdateSnapshotViewAction.PATH, method = POST)
+@Action(
+  path = UpdateSnapshotViewAction.PATH,
+  method = POST,
+  auth = Auth.AUTH_INTERNAL_ONLY
+)
 public class UpdateSnapshotViewAction implements Runnable {
 
   /** Headers for passing parameters into the servlet. */

java/google/registry/export/sheet/BUILD

@@ -11,6 +11,7 @@ java_library(
         "//java/google/registry/config",
         "//java/google/registry/model",
         "//java/google/registry/request",
+        "//java/google/registry/request/auth",
         "//java/google/registry/util",
         "//third_party/java/objectify:objectify-v4_1",
         "@com_google_api_client",

java/google/registry/export/sheet/SyncRegistrarsSheetAction.java

@@ -34,6 +34,7 @@ import google.registry.model.server.Lock;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.Response;
+import google.registry.request.auth.Auth;
 import google.registry.util.FormattingLogger;
 import google.registry.util.NonFinalForTesting;
 import java.io.IOException;
@@ -60,7 +61,11 @@ import org.joda.time.Duration;
  *
  * @see SyncRegistrarsSheet
  */
-@Action(path = SyncRegistrarsSheetAction.PATH, method = POST)
+@Action(
+  path = SyncRegistrarsSheetAction.PATH,
+  method = POST,
+  auth = Auth.AUTH_INTERNAL_ONLY
+)
 public class SyncRegistrarsSheetAction implements Runnable {
 
   private enum Result {