Change @Auth to an AutoValue, and created a set of predefined Auths

We want to be safer and more explicit about the authentication needed by the many actions that exist. As such, we make the 'auth' parameter required in @Action (so it's always clear who can run a specific action) and we replace the @Auth with an enum so that only pre-approved configurations that are aptly named and documented can be used. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=162210306
2026-05-25 09:10:51 +00:00 · 2017-07-17 07:34:17 -07:00
parent 5966d8077b
commit e224a67eda
94 changed files with 614 additions and 511 deletions
--- a/java/google/registry/tmch/BUILD
+++ b/java/google/registry/tmch/BUILD
@@ -17,6 +17,7 @@ java_library(
        "//java/google/registry/keyring/api",
        "//java/google/registry/model",
        "//java/google/registry/request",
+        "//java/google/registry/request/auth",
        "//java/google/registry/util",
        "//java/google/registry/xml",
        "//third_party/java/objectify:objectify-v4_1",
--- a/java/google/registry/tmch/NordnUploadAction.java
+++ b/java/google/registry/tmch/NordnUploadAction.java
@@ -39,6 +39,7 @@ import google.registry.config.RegistryConfig.Config;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.RequestParameters;
+import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
 import google.registry.util.FormattingLogger;
 import google.registry.util.UrlFetchException;
@@ -57,7 +58,12 @@ import org.joda.time.Duration;
 *
 * @see NordnVerifyAction
 */
-@Action(path = NordnUploadAction.PATH, method = Action.Method.POST, automaticallyPrintOk = true)
+@Action(
+  path = NordnUploadAction.PATH,
+  method = Action.Method.POST,
+  automaticallyPrintOk = true,
+  auth = Auth.AUTH_INTERNAL_ONLY
+)
 public final class NordnUploadAction implements Runnable {

  static final String PATH = "/_dr/task/nordnUpload";
--- a/java/google/registry/tmch/NordnVerifyAction.java
+++ b/java/google/registry/tmch/NordnVerifyAction.java
@@ -32,6 +32,7 @@ import google.registry.request.HttpException.ConflictException;
 import google.registry.request.Parameter;
 import google.registry.request.RequestParameters;
 import google.registry.request.Response;
+import google.registry.request.auth.Auth;
 import google.registry.util.FormattingLogger;
 import google.registry.util.UrlFetchException;
 import java.io.IOException;
@@ -51,7 +52,12 @@ import javax.inject.Inject;
 * @see <a href="http://tools.ietf.org/html/draft-lozano-tmch-func-spec-08#section-5.2.3.3">
 *      http://tools.ietf.org/html/draft-lozano-tmch-func-spec-08#section-5.2.3.3</a>
 */
-@Action(path = NordnVerifyAction.PATH, method = Action.Method.POST, automaticallyPrintOk = true)
+@Action(
+  path = NordnVerifyAction.PATH,
+  method = Action.Method.POST,
+  automaticallyPrintOk = true,
+  auth = Auth.AUTH_INTERNAL_ONLY
+)
 public final class NordnVerifyAction implements Runnable {

  public static final String PARAM_CSV_DATA = "csvData";
--- a/java/google/registry/tmch/TmchCrlAction.java
+++ b/java/google/registry/tmch/TmchCrlAction.java
@@ -20,13 +20,19 @@ import static java.nio.charset.StandardCharsets.UTF_8;
 import com.google.common.base.Optional;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.request.Action;
+import google.registry.request.auth.Auth;
 import java.io.IOException;
 import java.net.URL;
 import java.security.GeneralSecurityException;
 import javax.inject.Inject;

 /** Action to download the latest ICANN TMCH CRL from MarksDB. */
-@Action(path = "/_dr/task/tmchCrl", method = POST, automaticallyPrintOk = true)
+@Action(
+  path = "/_dr/task/tmchCrl",
+  method = POST,
+  automaticallyPrintOk = true,
+  auth = Auth.AUTH_INTERNAL_ONLY
+)
 public final class TmchCrlAction implements Runnable {

  @Inject Marksdb marksdb;
--- a/java/google/registry/tmch/TmchDnlAction.java
+++ b/java/google/registry/tmch/TmchDnlAction.java
@@ -20,6 +20,7 @@ import com.google.common.base.Optional;
 import google.registry.keyring.api.KeyModule.Key;
 import google.registry.model.tmch.ClaimsListShard;
 import google.registry.request.Action;
+import google.registry.request.auth.Auth;
 import google.registry.util.FormattingLogger;
 import java.io.IOException;
 import java.security.SignatureException;
@@ -28,7 +29,12 @@ import javax.inject.Inject;
 import org.bouncycastle.openpgp.PGPException;

 /** Action to download the latest domain name list (aka claims list) from MarksDB. */
-@Action(path = "/_dr/task/tmchDnl", method = POST, automaticallyPrintOk = true)
+@Action(
+  path = "/_dr/task/tmchDnl",
+  method = POST,
+  automaticallyPrintOk = true,
+  auth = Auth.AUTH_INTERNAL_ONLY
+)
 public final class TmchDnlAction implements Runnable {

  private static final FormattingLogger logger = FormattingLogger.getLoggerForCallerClass();
--- a/java/google/registry/tmch/TmchSmdrlAction.java
+++ b/java/google/registry/tmch/TmchSmdrlAction.java
@@ -20,6 +20,7 @@ import com.google.common.base.Optional;
 import google.registry.keyring.api.KeyModule.Key;
 import google.registry.model.smd.SignedMarkRevocationList;
 import google.registry.request.Action;
+import google.registry.request.auth.Auth;
 import google.registry.util.FormattingLogger;
 import java.io.IOException;
 import java.security.SignatureException;
@@ -28,7 +29,12 @@ import javax.inject.Inject;
 import org.bouncycastle.openpgp.PGPException;

 /** Action to download the latest signed mark revocation list from MarksDB. */
-@Action(path = "/_dr/task/tmchSmdrl", method = POST, automaticallyPrintOk = true)
+@Action(
+  path = "/_dr/task/tmchSmdrl",
+  method = POST,
+  automaticallyPrintOk = true,
+  auth = Auth.AUTH_INTERNAL_ONLY
+)
 public final class TmchSmdrlAction implements Runnable {

  private static final FormattingLogger logger = FormattingLogger.getLoggerForCallerClass();