1
0
mirror of https://github.com/google/nomulus synced 2026-06-09 16:33:02 +00:00

Compare commits

...

5 Commits

Author SHA1 Message Date
sarahcaseybot a87c4a31a3 Add breakglass handling to configureTldCommand (#2154)
* Add a breakglass flag to configureTldCommand

* Add tests

* small fixes
2023-09-22 11:51:02 -04:00
sarahcaseybot 58c7e3a52c Change __REMOVEDOMAIN__ token to __REMOVE_BULK_PRICING__ (#2152) 2023-09-21 16:03:39 -04:00
Pavlo Tkach dded258864 Add resources widget front-end (#2151) 2023-09-21 13:59:40 -04:00
Lai Jiang 759143535f Update proxy k8s manifest (#2153)
The beta API is deprecated.

TESTED=deployed the new manifest to alpha. Without the change, deploying
resulted in an error.

<!-- Reviewable:start -->
- - -
This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/google/nomulus/2153)
<!-- Reviewable:end -->
2023-09-21 10:53:39 -04:00
Weimin Yu 46fdf2c996 Defend against deserialization-based attacks (#2150)
* Defend against deserialization-based attacks

Added the `SafeObjectInputStream` class that defends attacks using
malformed serialized data, including remote code execution and
denial-of-service attacks.

Started using the new class to handle EPP resource VKeys and
PendingDeposits, which are passed across credential-boundaries: between
TaskQueue and AppEngine server, and between AppEngine server and the RDE
pipeline on GCE. Note that the wireformat of VKeys do not change,
therefore existing tasks sitting in the TaskQueue are not affected.

Also removed an unused class: JaxbFragment.
2023-09-20 16:56:56 -04:00
38 changed files with 958 additions and 281 deletions
+10 -11
View File
@@ -24,6 +24,10 @@ import SettingsSecurityComponent from './settings/security/security.component';
import { RegistrarGuard } from './registrar/registrar.guard';
import { RegistrarComponent } from './registrar/registrarsTable.component';
import { EmptyRegistrar } from './registrar/emptyRegistrar.component';
import ContactComponent from './settings/contact/contact.component';
import WhoisComponent from './settings/whois/whois.component';
import SecurityComponent from './settings/security/security.component';
import UsersComponent from './settings/users/users.component';
const routes: Routes = [
{ path: '', redirectTo: '/home', pathMatch: 'full' },
@@ -32,7 +36,7 @@ const routes: Routes = [
{ path: 'home', component: HomeComponent, canActivate: [RegistrarGuard] },
{ path: 'tlds', component: TldsComponent, canActivate: [RegistrarGuard] },
{
path: 'settings',
path: SettingsComponent.PATH,
component: SettingsComponent,
children: [
{
@@ -41,32 +45,27 @@ const routes: Routes = [
pathMatch: 'full',
},
{
path: 'contact',
path: ContactComponent.PATH,
component: SettingsContactComponent,
canActivate: [RegistrarGuard],
},
{
path: 'whois',
path: WhoisComponent.PATH,
component: SettingsWhoisComponent,
canActivate: [RegistrarGuard],
},
{
path: 'security',
path: SecurityComponent.PATH,
component: SettingsSecurityComponent,
canActivate: [RegistrarGuard],
},
{
path: 'epp-password',
component: SettingsSecurityComponent,
canActivate: [RegistrarGuard],
},
{
path: 'users',
path: UsersComponent.PATH,
component: SettingsUsersComponent,
canActivate: [RegistrarGuard],
},
{
path: 'registrars',
path: RegistrarComponent.PATH,
component: RegistrarComponent,
},
],
+2
View File
@@ -14,6 +14,7 @@
import { Component } from '@angular/core';
import { RegistrarService } from './registrar/registrar.service';
import { UserDataService } from './shared/services/userData.service';
import { GlobalLoaderService } from './shared/services/globalLoader.service';
@Component({
@@ -25,6 +26,7 @@ export class AppComponent {
renderRouter: boolean = true;
constructor(
protected registrarService: RegistrarService,
protected userDataService: UserDataService,
protected globalLoader: GlobalLoaderService
) {
registrarService.activeRegistrarIdChange.subscribe(() => {
+2
View File
@@ -46,6 +46,7 @@ import { EppWidgetComponent } from './home/widgets/epp-widget.component';
import { BillingWidgetComponent } from './home/widgets/billing-widget.component';
import { DomainsWidgetComponent } from './home/widgets/domains-widget.component';
import { SettingsWidgetComponent } from './home/widgets/settings-widget.component';
import { UserDataService } from './shared/services/userData.service';
@NgModule({
declarations: [
@@ -81,6 +82,7 @@ import { SettingsWidgetComponent } from './home/widgets/settings-widget.componen
BackendService,
GlobalLoaderService,
RegistrarGuard,
UserDataService,
{
provide: MAT_FORM_FIELD_DEFAULT_OPTIONS,
useValue: {
@@ -13,13 +13,13 @@
Give us a Call
</button>
<p class="secondary-text">
Call Google Registry support at +1 (404) 978 8419
Call Google Registry support at <b>+1 (404) 978 8419</b>
</p>
<button mat-button color="primary" class="console-app__widget-link">
Send us an Email
</button>
<p class="secondary-text">
Email Google Registry at support@google.com
Email Google Registry at <b>support@google.com</b>
</p>
</div>
</div>
@@ -1,13 +1,16 @@
<mat-card>
<mat-card-content>
<div class="console-app__widget">
<div class="console-app__widget_left">
<a
class="console-app__widget_left"
href="{{ userDataService.userData?.technicalDocsUrl }}"
>
<mat-icon class="console-app__widget-icon">menu_book</mat-icon>
<h1 class="console-app__widget-title">Resources</h1>
<h4 class="secondary-text text-center">
Use Google Drive to view onboarding FAQs, and technical documentation.
</h4>
</div>
</a>
</div>
</mat-card-content>
</mat-card>
@@ -13,11 +13,12 @@
// limitations under the License.
import { Component } from '@angular/core';
import { UserDataService } from 'src/app/shared/services/userData.service';
@Component({
selector: '[app-resources-widget]',
templateUrl: './resources-widget.component.html',
})
export class ResourcesWidgetComponent {
constructor() {}
constructor(public userDataService: UserDataService) {}
}
@@ -10,11 +10,21 @@
</h4>
</div>
<div class="console-app__widget_right">
<button mat-button color="primary" class="console-app__widget-link">
<button
mat-button
color="primary"
class="console-app__widget-link"
(click)="openContactsPage()"
>
Contact Information
</button>
<p class="secondary-text">Manage Primary, Technical, etc contacts.</p>
<button mat-button color="primary" class="console-app__widget-link">
<button
mat-button
color="primary"
class="console-app__widget-link"
(click)="openSecurityPage()"
>
Security
</button>
<p class="secondary-text">
@@ -28,7 +38,12 @@
User Management
</button>
<p class="secondary-text">Create and manage console user accounts</p>
<button mat-button color="primary" class="console-app__widget-link">
<button
mat-button
color="primary"
class="console-app__widget-link"
(click)="openRegistrarsPage()"
>
Registrar Management
</button>
<p class="secondary-text">Create and manage registrar accounts</p>
@@ -13,11 +13,32 @@
// limitations under the License.
import { Component } from '@angular/core';
import { Router } from '@angular/router';
import { RegistrarComponent } from 'src/app/registrar/registrarsTable.component';
import ContactComponent from 'src/app/settings/contact/contact.component';
import SecurityComponent from 'src/app/settings/security/security.component';
import { SettingsComponent } from 'src/app/settings/settings.component';
@Component({
selector: '[app-settings-widget]',
templateUrl: './settings-widget.component.html',
})
export class SettingsWidgetComponent {
constructor() {}
constructor(private router: Router) {}
openRegistrarsPage() {
this.navigate(RegistrarComponent.PATH);
}
openSecurityPage() {
this.navigate(SecurityComponent.PATH);
}
openContactsPage() {
this.navigate(ContactComponent.PATH);
}
private navigate(route: string) {
this.router.navigate([SettingsComponent.PATH, route]);
}
}
@@ -19,6 +19,7 @@ import {
GlobalLoader,
GlobalLoaderService,
} from '../shared/services/globalLoader.service';
import { MatSnackBar } from '@angular/material/snack-bar';
interface Address {
street?: string[];
@@ -52,7 +53,8 @@ export class RegistrarService implements GlobalLoader {
constructor(
private backend: BackendService,
private globalLoader: GlobalLoaderService
private globalLoader: GlobalLoaderService,
private _snackBar: MatSnackBar
) {
this.loadRegistrars().subscribe((r) => {
this.globalLoader.stopGlobalLoader(this);
@@ -82,6 +84,8 @@ export class RegistrarService implements GlobalLoader {
}
loadingTimeout() {
// TODO: Decide what to do when timeout happens
this._snackBar.open('Timeout loading registrars', undefined, {
duration: 1500,
});
}
}
@@ -21,6 +21,7 @@ import { Registrar, RegistrarService } from './registrar.service';
styleUrls: ['./registrarsTable.component.scss'],
})
export class RegistrarComponent {
public static PATH = 'registrars';
columns = [
{
columnDef: 'registrarId',
@@ -143,6 +143,8 @@ export class ContactDetailsDialogComponent {
styleUrls: ['./contact.component.scss'],
})
export default class ContactComponent {
public static PATH = 'contact';
loading: boolean = false;
constructor(
private dialog: MatDialog,
@@ -29,6 +29,8 @@ import { RegistrarService } from 'src/app/registrar/registrar.service';
providers: [SecurityService],
})
export default class SecurityComponent {
public static PATH = 'security';
loading: boolean = false;
inEdit: boolean = false;
dataSource: SecuritySettings = {};
@@ -20,4 +20,6 @@ import { Component, ViewEncapsulation } from '@angular/core';
styleUrls: ['./settings.component.scss'],
encapsulation: ViewEncapsulation.None,
})
export class SettingsComponent {}
export class SettingsComponent {
public static PATH = 'settings';
}
@@ -19,4 +19,6 @@ import { Component } from '@angular/core';
templateUrl: './users.component.html',
styleUrls: ['./users.component.scss'],
})
export default class UsersComponent {}
export default class UsersComponent {
public static PATH = 'users';
}
@@ -19,4 +19,6 @@ import { Component } from '@angular/core';
templateUrl: './whois.component.html',
styleUrls: ['./whois.component.scss'],
})
export default class WhoisComponent {}
export default class WhoisComponent {
public static PATH = 'whois';
}
@@ -19,6 +19,7 @@ import { SecuritySettingsBackendModel } from 'src/app/settings/security/security
import { Contact } from '../../settings/contact/contact.service';
import { Registrar } from '../../registrar/registrar.service';
import { UserData } from './userData.service';
@Injectable()
export class BackendService {
@@ -90,4 +91,10 @@ export class BackendService {
securitySettings
);
}
getUserData(): Observable<UserData> {
return this.http
.get<UserData>(`/console-api/userdata`)
.pipe(catchError((err) => this.errorCatcher<UserData>(err)));
}
}
@@ -0,0 +1,56 @@
// Copyright 2023 The Nomulus Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
import { Injectable } from '@angular/core';
import { Observable, tap } from 'rxjs';
import { BackendService } from './backend.service';
import { MatSnackBar } from '@angular/material/snack-bar';
import { GlobalLoader, GlobalLoaderService } from './globalLoader.service';
export interface UserData {
isAdmin: boolean;
globalRole: string;
technicalDocsUrl: string;
}
@Injectable({
providedIn: 'root',
})
export class UserDataService implements GlobalLoader {
public userData?: UserData;
constructor(
private backend: BackendService,
protected globalLoader: GlobalLoaderService,
private _snackBar: MatSnackBar
) {
this.getUserData().subscribe(() => {
this.globalLoader.stopGlobalLoader(this);
});
this.globalLoader.startGlobalLoader(this);
}
getUserData(): Observable<UserData> {
return this.backend.getUserData().pipe(
tap((userData: UserData) => {
this.userData = userData;
})
);
}
loadingTimeout() {
this._snackBar.open('Timeout loading user data', undefined, {
duration: 1500,
});
}
}
+5 -4
View File
@@ -45,15 +45,16 @@ body {
padding: 0 !important;
text-align: left;
height: 20px !important;
min-width: auto !important;
}
&-title {
color: var(--primary) !important;
}
&-icon {
font-size: 4rem;
line-height: 4rem;
height: 4rem !important;
width: 4rem !important;
font-size: 5rem;
line-height: 5rem;
height: 5rem !important;
width: 5rem !important;
}
&_left {
flex: 1;
@@ -27,6 +27,10 @@ import static google.registry.beam.rde.RdePipeline.TupleTags.REVISION_ID;
import static google.registry.beam.rde.RdePipeline.TupleTags.SUPERORDINATE_DOMAINS;
import static google.registry.model.reporting.HistoryEntryDao.RESOURCE_TYPES_TO_HISTORY_TYPES;
import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
import static google.registry.util.SafeSerializationUtils.safeDeserializeCollection;
import static google.registry.util.SafeSerializationUtils.serializeCollection;
import static google.registry.util.SerializeUtils.decodeBase64;
import static google.registry.util.SerializeUtils.encodeBase64;
import static org.apache.beam.sdk.values.TypeDescriptors.kvs;
import com.google.common.collect.ImmutableList;
@@ -65,11 +69,7 @@ import google.registry.rde.PendingDeposit.PendingDepositCoder;
import google.registry.rde.RdeMarshaller;
import google.registry.util.UtilsModule;
import google.registry.xml.ValidationMode;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashSet;
import javax.inject.Inject;
@@ -658,14 +658,8 @@ public class RdePipeline implements Serializable {
*/
@SuppressWarnings("unchecked")
static ImmutableSet<PendingDeposit> decodePendingDeposits(String encodedPendingDeposits) {
try (ObjectInputStream ois =
new ObjectInputStream(
new ByteArrayInputStream(
BaseEncoding.base64Url().omitPadding().decode(encodedPendingDeposits)))) {
return (ImmutableSet<PendingDeposit>) ois.readObject();
} catch (IOException | ClassNotFoundException e) {
throw new IllegalArgumentException("Unable to parse encoded pending deposit map.", e);
}
return ImmutableSet.copyOf(
safeDeserializeCollection(PendingDeposit.class, decodeBase64(encodedPendingDeposits)));
}
/**
@@ -674,12 +668,7 @@ public class RdePipeline implements Serializable {
*/
public static String encodePendingDeposits(ImmutableSet<PendingDeposit> pendingDeposits)
throws IOException {
try (ByteArrayOutputStream baos = new ByteArrayOutputStream()) {
ObjectOutputStream oos = new ObjectOutputStream(baos);
oos.writeObject(pendingDeposits);
oos.flush();
return BaseEncoding.base64Url().omitPadding().encode(baos.toByteArray());
}
return encodeBase64(serializeCollection(pendingDeposits));
}
public static void main(String[] args) throws IOException, ClassNotFoundException {
@@ -53,8 +53,8 @@ import google.registry.flows.custom.DomainRenewFlowCustomLogic.BeforeResponseRet
import google.registry.flows.custom.DomainRenewFlowCustomLogic.BeforeSaveParameters;
import google.registry.flows.custom.EntityChanges;
import google.registry.flows.domain.token.AllocationTokenFlowUtils;
import google.registry.flows.domain.token.AllocationTokenFlowUtils.MissingRemoveDomainTokenOnBulkPricingDomainException;
import google.registry.flows.domain.token.AllocationTokenFlowUtils.RemoveDomainTokenOnNonBulkPricingDomainException;
import google.registry.flows.domain.token.AllocationTokenFlowUtils.MissingRemoveBulkPricingTokenOnBulkPricingDomainException;
import google.registry.flows.domain.token.AllocationTokenFlowUtils.RemoveBulkPricingTokenOnNonBulkPricingDomainException;
import google.registry.model.ImmutableObject;
import google.registry.model.billing.BillingBase.Reason;
import google.registry.model.billing.BillingEvent;
@@ -121,8 +121,8 @@ import org.joda.time.Duration;
* @error {@link DomainFlowUtils.RegistrarMustBeActiveForThisOperationException}
* @error {@link DomainFlowUtils.UnsupportedFeeAttributeException}
* @error {@link DomainRenewFlow.IncorrectCurrentExpirationDateException}
* @error {@link MissingRemoveDomainTokenOnBulkPricingDomainException}
* @error {@link RemoveDomainTokenOnNonBulkPricingDomainException}
* @error {@link MissingRemoveBulkPricingTokenOnBulkPricingDomainException}
* @error {@link RemoveBulkPricingTokenOnNonBulkPricingDomainException}
* @error {@link
* google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForDomainException}
* @error {@link
@@ -328,7 +328,7 @@ public final class DomainRenewFlow implements MutatingFlow {
checkHasBillingAccount(registrarId, existingDomain.getTld());
}
verifyUnitIsYears(command.getPeriod());
// We only allow __REMOVEDOMAIN__ token on bulk pricing domains for now
// We only allow __REMOVE_BULK_PRICING__ token on bulk pricing domains for now
verifyTokenAllowedOnDomain(existingDomain, allocationToken);
// If the date they specify doesn't match the expiration, fail. (This is an idempotence check).
if (!command.getCurrentExpirationDate().equals(
@@ -243,21 +243,21 @@ public class AllocationTokenFlowUtils {
Domain domain, Optional<AllocationToken> allocationToken) throws EppException {
boolean domainHasBulkToken = domain.getCurrentBulkToken().isPresent();
boolean hasRemoveDomainToken =
boolean hasRemoveBulkPricingToken =
allocationToken.isPresent()
&& TokenBehavior.REMOVE_DOMAIN.equals(allocationToken.get().getTokenBehavior());
&& TokenBehavior.REMOVE_BULK_PRICING.equals(allocationToken.get().getTokenBehavior());
if (hasRemoveDomainToken && !domainHasBulkToken) {
throw new RemoveDomainTokenOnNonBulkPricingDomainException();
} else if (!hasRemoveDomainToken && domainHasBulkToken) {
throw new MissingRemoveDomainTokenOnBulkPricingDomainException();
if (hasRemoveBulkPricingToken && !domainHasBulkToken) {
throw new RemoveBulkPricingTokenOnNonBulkPricingDomainException();
} else if (!hasRemoveBulkPricingToken && domainHasBulkToken) {
throw new MissingRemoveBulkPricingTokenOnBulkPricingDomainException();
}
}
public static Domain maybeApplyBulkPricingRemovalToken(
Domain domain, Optional<AllocationToken> allocationToken) {
if (!allocationToken.isPresent()
|| !TokenBehavior.REMOVE_DOMAIN.equals(allocationToken.get().getTokenBehavior())) {
|| !TokenBehavior.REMOVE_BULK_PRICING.equals(allocationToken.get().getTokenBehavior())) {
return domain;
}
@@ -338,19 +338,19 @@ public class AllocationTokenFlowUtils {
}
}
/** The __REMOVEDOMAIN__ token is missing on a bulk pricing domain command */
public static class MissingRemoveDomainTokenOnBulkPricingDomainException
/** The __REMOVE_BULK_PRICING__ token is missing on a bulk pricing domain command */
public static class MissingRemoveBulkPricingTokenOnBulkPricingDomainException
extends AssociationProhibitsOperationException {
MissingRemoveDomainTokenOnBulkPricingDomainException() {
MissingRemoveBulkPricingTokenOnBulkPricingDomainException() {
super("Domains that are inside bulk pricing cannot be explicitly renewed or transferred");
}
}
/** The __REMOVEDOMAIN__ token is not allowed on non bulk pricing domains */
public static class RemoveDomainTokenOnNonBulkPricingDomainException
/** The __REMOVE_BULK_PRICING__ token is not allowed on non bulk pricing domains */
public static class RemoveBulkPricingTokenOnNonBulkPricingDomainException
extends AssociationProhibitsOperationException {
RemoveDomainTokenOnNonBulkPricingDomainException() {
super("__REMOVEDOMAIN__ token is not allowed on non bulk pricing domains");
RemoveBulkPricingTokenOnNonBulkPricingDomainException() {
super("__REMOVE_BULK_PRICING__ token is not allowed on non bulk pricing domains");
}
}
}
@@ -77,10 +77,10 @@ import org.joda.time.DateTime;
public class AllocationToken extends UpdateAutoTimestampEntity implements Buildable {
private static final long serialVersionUID = -3954475393220876903L;
private static final String REMOVE_DOMAIN = "__REMOVEDOMAIN__";
private static final String REMOVE_BULK_PRICING = "__REMOVE_BULK_PRICING__";
private static final ImmutableMap<String, TokenBehavior> STATIC_TOKEN_BEHAVIORS =
ImmutableMap.of(REMOVE_DOMAIN, TokenBehavior.REMOVE_DOMAIN);
ImmutableMap.of(REMOVE_BULK_PRICING, TokenBehavior.REMOVE_BULK_PRICING);
// Promotions should only move forward, and ENDED / CANCELLED are terminal states.
private static final ImmutableMultimap<TokenStatus, TokenStatus> VALID_TOKEN_STATUS_TRANSITIONS =
@@ -91,10 +91,10 @@ public class AllocationToken extends UpdateAutoTimestampEntity implements Builda
private static final ImmutableMap<String, AllocationToken> BEHAVIORAL_TOKENS =
ImmutableMap.of(
REMOVE_DOMAIN,
REMOVE_BULK_PRICING,
new AllocationToken.Builder()
.setTokenType(TokenType.UNLIMITED_USE)
.setToken(REMOVE_DOMAIN)
.setToken(REMOVE_BULK_PRICING)
.build());
public static Optional<AllocationToken> maybeGetStaticTokenInstance(String name) {
@@ -142,10 +142,10 @@ public class AllocationToken extends UpdateAutoTimestampEntity implements Builda
/** No special behavior */
DEFAULT,
/**
* REMOVE_DOMAIN triggers domain removal from a bulk pricing package, bypasses DEFAULT token
* validations.
* REMOVE_BULK_PRICING triggers domain removal from a bulk pricing package, bypasses DEFAULT
* token validations.
*/
REMOVE_DOMAIN
REMOVE_BULK_PRICING
}
/** The status of this token with regard to any potential promotion. */
@@ -16,6 +16,8 @@ package google.registry.persistence;
import static com.google.common.collect.ImmutableMap.toImmutableMap;
import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
import static google.registry.util.SafeSerializationUtils.safeDeserialize;
import static google.registry.util.SerializeUtils.decodeBase64;
import static java.util.function.Function.identity;
import com.google.common.base.Joiner;
@@ -97,7 +99,7 @@ public class VKey<T> extends ImmutableObject implements Serializable {
throw new IllegalArgumentException(
String.format("\"%s\" missing from the string: %s", LOOKUP_KEY, keyString));
}
return VKey.create(classType, SerializeUtils.parse(Serializable.class, kvs.get(LOOKUP_KEY)));
return VKey.create(classType, safeDeserialize(decodeBase64(kvs.get(LOOKUP_KEY))));
}
/** Returns the type of the entity. */
@@ -14,18 +14,23 @@
package google.registry.rde;
import static com.google.common.base.Preconditions.checkState;
import com.google.auto.value.AutoValue;
import google.registry.model.common.Cursor.CursorType;
import google.registry.model.rde.RdeMode;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamException;
import java.io.OutputStream;
import java.io.Serializable;
import java.util.Optional;
import javax.annotation.Nullable;
import org.apache.beam.sdk.coders.AtomicCoder;
import org.apache.beam.sdk.coders.BooleanCoder;
import org.apache.beam.sdk.coders.NullableCoder;
import org.apache.beam.sdk.coders.SerializableCoder;
import org.apache.beam.sdk.coders.StringUtf8Coder;
import org.apache.beam.sdk.coders.VarIntCoder;
import org.joda.time.DateTime;
@@ -35,6 +40,12 @@ import org.joda.time.Duration;
* Container representing a single RDE or BRDA XML escrow deposit that needs to be created.
*
* <p>There are some {@code @Nullable} fields here because Optionals aren't Serializable.
*
* <p>Note that this class is serialized in two ways: by Beam pipelines using custom serialization
* mechanism and the {@code Coder} API, and by Java serialization when passed as command-line
* arguments (see {@code RdePipeline#decodePendingDeposits}). The latter requires safe
* deserialization because the data crosses credential boundaries (See {@code
* SafeObjectInputStream}).
*/
@AutoValue
public abstract class PendingDeposit implements Serializable {
@@ -95,11 +106,61 @@ public abstract class PendingDeposit implements Serializable {
PendingDeposit() {}
/**
* Specifies that {@link SerializedForm} be used for {@code SafeObjectInputStream}-compatible
* custom-serialization of {@link AutoValue_PendingDeposit the AutoValue implementation class}.
*
* <p>This method is package-protected so that the AutoValue implementation class inherits this
* behavior.
*
* <p>This method leverages {@link PendingDepositCoder} to serializes an instance. However, it is
* not invoked in Beam pipelines.
*/
Object writeReplace() throws ObjectStreamException {
return new SerializedForm(this);
}
/**
* Proxy for custom-serialization of {@link PendingDeposit}. This is necessary because the actual
* class to be (de)serialized is the generated AutoValue implementation. See also {@link
* #writeReplace}.
*
* <p>This class leverages {@link PendingDepositCoder} to safely deserializes an instance.
* However, it is not used in Beam pipelines.
*/
private static class SerializedForm implements Serializable {
private static final long serialVersionUID = 3141095605225904433L;
private PendingDeposit value;
private SerializedForm(PendingDeposit value) {
this.value = value;
}
private void writeObject(ObjectOutputStream os) throws IOException {
checkState(value != null, "Non-null value expected for serialization.");
PendingDepositCoder.INSTANCE.encode(value, os);
}
private void readObject(ObjectInputStream is) throws IOException, ClassNotFoundException {
checkState(value == null, "Non-null value unexpected for deserialization.");
this.value = PendingDepositCoder.INSTANCE.decode(is);
}
@SuppressWarnings("unused")
private Object readResolve() throws ObjectStreamException {
return this.value;
}
}
/**
* A deterministic coder for {@link PendingDeposit} used during a GroupBy transform.
*
* <p>We cannot use a {@link SerializableCoder} directly because it does not guarantee
* determinism, which is required by GroupBy.
* <p>We cannot use a {@code SerializableCoder} directly for two reasons: the default
* serialization does not guarantee determinism, which is required by GroupBy in Beam; and the
* default deserialization is not robust against deserialization-based attacks (See {@code
* SafeObjectInputStream} for more information).
*/
public static class PendingDepositCoder extends AtomicCoder<PendingDeposit> {
@@ -117,10 +178,15 @@ public abstract class PendingDeposit implements Serializable {
public void encode(PendingDeposit value, OutputStream outStream) throws IOException {
BooleanCoder.of().encode(value.manual(), outStream);
StringUtf8Coder.of().encode(value.tld(), outStream);
SerializableCoder.of(DateTime.class).encode(value.watermark(), outStream);
SerializableCoder.of(RdeMode.class).encode(value.mode(), outStream);
NullableCoder.of(SerializableCoder.of(CursorType.class)).encode(value.cursor(), outStream);
NullableCoder.of(SerializableCoder.of(Duration.class)).encode(value.interval(), outStream);
StringUtf8Coder.of().encode(value.watermark().toString(), outStream);
StringUtf8Coder.of().encode(value.mode().name(), outStream);
NullableCoder.of(StringUtf8Coder.of())
.encode(
Optional.ofNullable(value.cursor()).map(CursorType::name).orElse(null), outStream);
NullableCoder.of(StringUtf8Coder.of())
.encode(
Optional.ofNullable(value.interval()).map(Duration::toString).orElse(null),
outStream);
NullableCoder.of(StringUtf8Coder.of()).encode(value.directoryWithTrailingSlash(), outStream);
NullableCoder.of(VarIntCoder.of()).encode(value.revision(), outStream);
}
@@ -130,10 +196,14 @@ public abstract class PendingDeposit implements Serializable {
return new AutoValue_PendingDeposit(
BooleanCoder.of().decode(inStream),
StringUtf8Coder.of().decode(inStream),
SerializableCoder.of(DateTime.class).decode(inStream),
SerializableCoder.of(RdeMode.class).decode(inStream),
NullableCoder.of(SerializableCoder.of(CursorType.class)).decode(inStream),
NullableCoder.of(SerializableCoder.of(Duration.class)).decode(inStream),
DateTime.parse(StringUtf8Coder.of().decode(inStream)),
RdeMode.valueOf(StringUtf8Coder.of().decode(inStream)),
Optional.ofNullable(NullableCoder.of(StringUtf8Coder.of()).decode(inStream))
.map(CursorType::valueOf)
.orElse(null),
Optional.ofNullable(NullableCoder.of(StringUtf8Coder.of()).decode(inStream))
.map(Duration::parse)
.orElse(null),
NullableCoder.of(StringUtf8Coder.of()).decode(inStream),
NullableCoder.of(VarIntCoder.of()).decode(inStream));
}
@@ -63,6 +63,14 @@ public class ConfigureTldCommand extends MutatingCommand {
required = true)
Path inputFile;
@Parameter(
names = {"-b", "--breakglass"},
description =
"Sets the breakglass field on the TLD to true, preventing Cloud Build from overwriting"
+ " these new changes until the TLD configuration file stored internally matches the"
+ " configuration in the database.")
boolean breakglass;
@Inject ObjectMapper mapper;
@Inject
@@ -70,13 +78,13 @@ public class ConfigureTldCommand extends MutatingCommand {
Set<String> validDnsWriterNames;
/** Indicates if the passed in file contains new changes to the TLD */
boolean newDiff = false;
boolean newDiff = true;
// TODO(sarahbot@): Add a breakglass setting to this tool to indicate when a TLD has been modified
// outside of source control
// TODO(sarahbot@): Add a check for diffs between passed in file and current TLD and exit if there
// is no diff. Treat nulls and empty sets as the same value.
/**
* Indicates if the existing TLD is currently in breakglass mode and should not be modified unless
* the breakglass flag is used
*/
boolean oldTldInBreakglass = false;
@Override
protected void init() throws Exception {
@@ -86,20 +94,47 @@ public class ConfigureTldCommand extends MutatingCommand {
checkForMissingFields(tldData);
Tld oldTld = getTlds().contains(name) ? Tld.get(name) : null;
Tld newTld = mapper.readValue(inputFile.toFile(), Tld.class);
if (oldTld != null && oldTld.equalYaml(newTld)) {
if (oldTld != null) {
oldTldInBreakglass = oldTld.getBreakglassMode();
newDiff = !oldTld.equalYaml(newTld);
}
if (!newDiff && !oldTldInBreakglass) {
// Don't construct a new object if there is no new diff
return;
}
newDiff = true;
if (oldTldInBreakglass && !breakglass) {
checkArgument(
!newDiff,
"Changes can not be applied since TLD is in breakglass mode but the breakglass flag was"
+ " not used");
// if there are no new diffs, then the YAML file has caught up to the database and the
// breakglass mode should be removed
logger.atInfo().log("Breakglass mode removed from TLD: %s", name);
}
checkPremiumList(newTld);
checkDnsWriters(newTld);
checkCurrency(newTld);
// Set the new TLD to breakglass mode if breakglass flag was used
if (breakglass) {
newTld = newTld.asBuilder().setBreakglassMode(true).build();
}
stageEntityChange(oldTld, newTld);
}
@Override
protected boolean dontRunCommand() {
if (!newDiff) {
if (oldTldInBreakglass && !breakglass) {
// Run command to remove breakglass mode
return false;
}
logger.atInfo().log("TLD YAML file contains no new changes");
checkArgument(
!breakglass || oldTldInBreakglass,
"Breakglass mode can only be set when making new changes to a TLD configuration");
return true;
}
return false;
@@ -141,7 +176,9 @@ public class ConfigureTldCommand extends MutatingCommand {
private void checkPremiumList(Tld newTld) {
Optional<String> premiumListName = newTld.getPremiumListName();
if (!premiumListName.isPresent()) return;
if (!premiumListName.isPresent()) {
return;
}
Optional<PremiumList> premiumList = PremiumListDao.getLatestRevision(premiumListName.get());
checkArgument(
premiumList.isPresent(),
@@ -1,105 +0,0 @@
// Copyright 2017 The Nomulus Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package google.registry.xjc;
import static java.nio.charset.StandardCharsets.UTF_8;
import google.registry.xml.XmlException;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
/**
* JAXB element wrapper for java object serialization.
*
* Instances of {@link JaxbFragment} wrap a non-serializable JAXB element instance, and provide
* hooks into the java object serialization process that allow the elements to be safely
* marshalled and unmarshalled using {@link ObjectOutputStream} and {@link ObjectInputStream},
* respectively.
*/
public class JaxbFragment<T> implements Serializable {
private static final long serialVersionUID = 5651243983008818813L;
private T instance;
/** Stores a JAXB element in a {@link JaxbFragment} */
public static <T> JaxbFragment<T> create(T object) {
JaxbFragment<T> fragment = new JaxbFragment<>();
fragment.instance = object;
return fragment;
}
/** Serializes a JAXB element into xml bytes. */
private static <T> byte[] freezeInstance(T instance) throws IOException {
try {
ByteArrayOutputStream bout = new ByteArrayOutputStream();
XjcXmlTransformer.marshalLenient(instance, bout, UTF_8);
return bout.toByteArray();
} catch (XmlException e) {
throw new IOException(e);
}
}
/** Deserializes a JAXB element from xml bytes. */
private static <T> T unfreezeInstance(byte[] instanceData, Class<T> instanceType)
throws IOException {
try {
ByteArrayInputStream bin = new ByteArrayInputStream(instanceData);
return XjcXmlTransformer.unmarshal(instanceType, bin);
} catch (XmlException e) {
throw new IOException(e);
}
}
/**
* Retrieves the JAXB element that is wrapped by this fragment.
*/
public T getInstance() {
return instance;
}
@Override
public String toString() {
try {
return new String(freezeInstance(instance), UTF_8);
} catch (IOException e) {
throw new RuntimeException(e);
}
}
private void writeObject(ObjectOutputStream out) throws IOException {
// write instanceType, then instanceData
out.writeObject(instance.getClass());
out.writeObject(freezeInstance(instance));
}
@SuppressWarnings("unchecked")
private void readObject(ObjectInputStream in) throws IOException {
// read instanceType, then instanceData
Class<T> instanceType;
byte[] instanceData;
try {
instanceType = (Class<T>) in.readObject();
instanceData = (byte[]) in.readObject();
} catch (ClassNotFoundException e) {
throw new RuntimeException(e);
}
instance = unfreezeInstance(instanceData, instanceType);
}
}
@@ -77,8 +77,8 @@ import google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTok
import google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForTldException;
import google.registry.flows.domain.token.AllocationTokenFlowUtils.AlreadyRedeemedAllocationTokenException;
import google.registry.flows.domain.token.AllocationTokenFlowUtils.InvalidAllocationTokenException;
import google.registry.flows.domain.token.AllocationTokenFlowUtils.MissingRemoveDomainTokenOnBulkPricingDomainException;
import google.registry.flows.domain.token.AllocationTokenFlowUtils.RemoveDomainTokenOnNonBulkPricingDomainException;
import google.registry.flows.domain.token.AllocationTokenFlowUtils.MissingRemoveBulkPricingTokenOnBulkPricingDomainException;
import google.registry.flows.domain.token.AllocationTokenFlowUtils.RemoveBulkPricingTokenOnNonBulkPricingDomainException;
import google.registry.flows.exceptions.ResourceStatusProhibitsOperationException;
import google.registry.model.billing.BillingBase.Flag;
import google.registry.model.billing.BillingBase.Reason;
@@ -1276,12 +1276,13 @@ class DomainRenewFlowTest extends ResourceFlowTestCase<DomainRenewFlow, Domain>
ImmutableMap.of("DOMAIN", "example.tld", "YEARS", "2", "TOKEN", "token"));
EppException thrown =
assertThrows(MissingRemoveDomainTokenOnBulkPricingDomainException.class, this::runFlow);
assertThrows(
MissingRemoveBulkPricingTokenOnBulkPricingDomainException.class, this::runFlow);
assertAboutEppExceptions().that(thrown).marshalsToXml();
}
@Test
void testFailsToRenewBulkPricingDomainNoRemoveDomainToken() throws Exception {
void testFailsToRenewBulkPricingDomainNoRemoveBulkPricingToken() throws Exception {
AllocationToken token =
persistResource(
new AllocationToken.Builder()
@@ -1299,25 +1300,26 @@ class DomainRenewFlowTest extends ResourceFlowTestCase<DomainRenewFlow, Domain>
setEppInput("domain_renew.xml", ImmutableMap.of("DOMAIN", "example.tld", "YEARS", "5"));
EppException thrown =
assertThrows(MissingRemoveDomainTokenOnBulkPricingDomainException.class, this::runFlow);
assertThrows(
MissingRemoveBulkPricingTokenOnBulkPricingDomainException.class, this::runFlow);
assertAboutEppExceptions().that(thrown).marshalsToXml();
}
@Test
void testFailsToRenewNonBulkPricingDomainWithRemoveDomainToken() throws Exception {
void testFailsToRenewNonBulkPricingDomainWithRemoveBulkPricingToken() throws Exception {
persistDomain();
setEppInput(
"domain_renew_allocationtoken.xml",
ImmutableMap.of("DOMAIN", "example.tld", "YEARS", "2", "TOKEN", "__REMOVEDOMAIN__"));
ImmutableMap.of("DOMAIN", "example.tld", "YEARS", "2", "TOKEN", "__REMOVE_BULK_PRICING__"));
EppException thrown =
assertThrows(RemoveDomainTokenOnNonBulkPricingDomainException.class, this::runFlow);
assertThrows(RemoveBulkPricingTokenOnNonBulkPricingDomainException.class, this::runFlow);
assertAboutEppExceptions().that(thrown).marshalsToXml();
}
@Test
void testSuccesfullyAppliesRemoveDomainToken() throws Exception {
void testSuccesfullyAppliesRemoveBulkPricingToken() throws Exception {
AllocationToken token =
persistResource(
new AllocationToken.Builder()
@@ -1333,7 +1335,7 @@ class DomainRenewFlowTest extends ResourceFlowTestCase<DomainRenewFlow, Domain>
reloadResourceByForeignKey().asBuilder().setCurrentBulkToken(token.createVKey()).build());
setEppInput(
"domain_renew_allocationtoken.xml",
ImmutableMap.of("DOMAIN", "example.tld", "YEARS", "2", "TOKEN", "__REMOVEDOMAIN__"));
ImmutableMap.of("DOMAIN", "example.tld", "YEARS", "2", "TOKEN", "__REMOVE_BULK_PRICING__"));
doSuccessfulTest(
"domain_renew_response.xml",
@@ -1347,7 +1349,7 @@ class DomainRenewFlowTest extends ResourceFlowTestCase<DomainRenewFlow, Domain>
}
@Test
void testDryRunRemoveDomainToken() throws Exception {
void testDryRunRemoveBulkPricingToken() throws Exception {
AllocationToken token =
persistResource(
new AllocationToken.Builder()
@@ -1364,7 +1366,7 @@ class DomainRenewFlowTest extends ResourceFlowTestCase<DomainRenewFlow, Domain>
setEppInput(
"domain_renew_allocationtoken.xml",
ImmutableMap.of("DOMAIN", "example.tld", "YEARS", "2", "TOKEN", "__REMOVEDOMAIN__"));
ImmutableMap.of("DOMAIN", "example.tld", "YEARS", "2", "TOKEN", "__REMOVE_BULK_PRICING__"));
dryRunFlowAssertResponse(
loadFile(
@@ -0,0 +1,59 @@
// Copyright 2023 The Nomulus Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package google.registry.rde;
import static com.google.common.truth.Truth.assertThat;
import static google.registry.model.common.Cursor.CursorType.RDE_STAGING;
import static google.registry.model.rde.RdeMode.FULL;
import static google.registry.util.SafeSerializationUtils.safeDeserialize;
import static google.registry.util.SerializeUtils.deserialize;
import static google.registry.util.SerializeUtils.serialize;
import org.joda.time.DateTime;
import org.joda.time.Duration;
import org.junit.jupiter.api.Test;
/** Unit tests for {@link PendingDeposit}. */
public class PendingDepositTest {
private final DateTime now = DateTime.parse("2000-01-01TZ");
PendingDeposit pendingDeposit =
PendingDeposit.create("soy", now, FULL, RDE_STAGING, Duration.standardDays(1));
PendingDeposit manualPendingDeposit =
PendingDeposit.createInManualOperation("soy", now, FULL, "/", null);
@Test
void deserialize_normalDeposit_success() {
assertThat(deserialize(PendingDeposit.class, serialize(pendingDeposit)))
.isEqualTo(pendingDeposit);
}
@Test
void deserialize_manualDeposit_success() {
assertThat(deserialize(PendingDeposit.class, serialize(manualPendingDeposit)))
.isEqualTo(manualPendingDeposit);
}
@Test
void safeDeserialize_normalDeposit_success() {
assertThat(safeDeserialize(serialize(pendingDeposit))).isEqualTo(pendingDeposit);
}
@Test
void safeDeserialize_manualDeposit_success() {
assertThat(safeDeserialize(serialize(manualPendingDeposit))).isEqualTo(manualPendingDeposit);
}
}
@@ -64,6 +64,7 @@ public class ConfigureTldCommandTest extends CommandTestCase<ConfigureTldCommand
command.mapper = objectMapper;
premiumList = persistPremiumList("test", USD, "silver,USD 50", "gold,USD 80");
command.validDnsWriterNames = ImmutableSet.of("VoidDnsWriter", "FooDnsWriter");
logger.addHandler(logHandler);
}
private void testTldConfiguredSuccessfully(Tld tld, String filename)
@@ -82,6 +83,7 @@ public class ConfigureTldCommandTest extends CommandTestCase<ConfigureTldCommand
assertThat(tld.getDriveFolderId()).isEqualTo("driveFolder");
assertThat(tld.getCreateBillingCost()).isEqualTo(Money.of(USD, 25));
testTldConfiguredSuccessfully(tld, "tld.yaml");
assertThat(tld.getBreakglassMode()).isFalse();
}
@Test
@@ -94,19 +96,17 @@ public class ConfigureTldCommandTest extends CommandTestCase<ConfigureTldCommand
Tld updatedTld = Tld.get("tld");
assertThat(updatedTld.getCreateBillingCost()).isEqualTo(Money.of(USD, 25));
testTldConfiguredSuccessfully(updatedTld, "tld.yaml");
assertThat(updatedTld.getBreakglassMode()).isFalse();
}
@Test
void testSuccess_noDiff() throws Exception {
logger.addHandler(logHandler);
Tld tld = createTld("idns");
tld =
persistResource(
tld.asBuilder()
.setIdnTables(ImmutableSet.of(JA, UNCONFUSABLE_LATIN, EXTENDED_LATIN))
.setAllowedFullyQualifiedHostNames(
ImmutableSet.of("zeta", "alpha", "gamma", "beta"))
.build());
persistResource(
tld.asBuilder()
.setIdnTables(ImmutableSet.of(JA, UNCONFUSABLE_LATIN, EXTENDED_LATIN))
.setAllowedFullyQualifiedHostNames(ImmutableSet.of("zeta", "alpha", "gamma", "beta"))
.build());
File tldFile = tmpDir.resolve("idns.yaml").toFile();
Files.asCharSink(tldFile, UTF_8).write(loadFile(getClass(), "idns.yaml"));
runCommandForced("--input=" + tldFile);
@@ -473,4 +473,101 @@ public class ConfigureTldCommandTest extends CommandTestCase<ConfigureTldCommand
assertThrows(IllegalArgumentException.class, () -> runCommandForced("--input=" + tldFile));
assertThat(thrown.getMessage()).isEqualTo("The premium list must use the TLD's currency");
}
@Test
void testFailure_breakglassFlag_NoChanges() throws Exception {
Tld tld = createTld("idns");
persistResource(
tld.asBuilder()
.setIdnTables(ImmutableSet.of(JA, UNCONFUSABLE_LATIN, EXTENDED_LATIN))
.setAllowedFullyQualifiedHostNames(ImmutableSet.of("zeta", "alpha", "gamma", "beta"))
.build());
File tldFile = tmpDir.resolve("idns.yaml").toFile();
Files.asCharSink(tldFile, UTF_8).write(loadFile(getClass(), "idns.yaml"));
IllegalArgumentException thrown =
assertThrows(
IllegalArgumentException.class, () -> runCommandForced("--input=" + tldFile, "-b"));
assertThat(thrown.getMessage())
.isEqualTo(
"Breakglass mode can only be set when making new changes to a TLD configuration");
}
@Test
void testSuccess_breakglassFlag_startsBreakglassMode() throws Exception {
Tld tld = createTld("tld");
assertThat(tld.getCreateBillingCost()).isEqualTo(Money.of(USD, 13));
File tldFile = tmpDir.resolve("tld.yaml").toFile();
Files.asCharSink(tldFile, UTF_8).write(loadFile(getClass(), "tld.yaml"));
runCommandForced("--input=" + tldFile, "--breakglass");
Tld updatedTld = Tld.get("tld");
assertThat(updatedTld.getCreateBillingCost()).isEqualTo(Money.of(USD, 25));
testTldConfiguredSuccessfully(updatedTld, "tld.yaml");
assertThat(updatedTld.getBreakglassMode()).isTrue();
}
@Test
void testSuccess_breakglassFlag_continuesBreakglassMode() throws Exception {
Tld tld = createTld("tld");
assertThat(tld.getCreateBillingCost()).isEqualTo(Money.of(USD, 13));
persistResource(tld.asBuilder().setBreakglassMode(true).build());
File tldFile = tmpDir.resolve("tld.yaml").toFile();
Files.asCharSink(tldFile, UTF_8).write(loadFile(getClass(), "tld.yaml"));
runCommandForced("--input=" + tldFile, "--breakglass");
Tld updatedTld = Tld.get("tld");
assertThat(updatedTld.getCreateBillingCost()).isEqualTo(Money.of(USD, 25));
testTldConfiguredSuccessfully(updatedTld, "tld.yaml");
assertThat(updatedTld.getBreakglassMode()).isTrue();
}
@Test
void testSuccess_NoDiffNoBreakglassFlag_endsBreakglassMode() throws Exception {
Tld tld = createTld("idns");
persistResource(
tld.asBuilder()
.setIdnTables(ImmutableSet.of(JA, UNCONFUSABLE_LATIN, EXTENDED_LATIN))
.setAllowedFullyQualifiedHostNames(ImmutableSet.of("zeta", "alpha", "gamma", "beta"))
.setBreakglassMode(true)
.build());
File tldFile = tmpDir.resolve("idns.yaml").toFile();
Files.asCharSink(tldFile, UTF_8).write(loadFile(getClass(), "idns.yaml"));
runCommandForced("--input=" + tldFile);
Tld updatedTld = Tld.get("idns");
assertThat(updatedTld.getBreakglassMode()).isFalse();
assertAboutLogs()
.that(logHandler)
.hasLogAtLevelWithMessage(INFO, "Breakglass mode removed from TLD: idns");
}
@Test
void testSuccess_noDiffBreakglassFlag_continuesBreakglassMode() throws Exception {
Tld tld = createTld("idns");
persistResource(
tld.asBuilder()
.setIdnTables(ImmutableSet.of(JA, UNCONFUSABLE_LATIN, EXTENDED_LATIN))
.setAllowedFullyQualifiedHostNames(ImmutableSet.of("zeta", "alpha", "gamma", "beta"))
.setBreakglassMode(true)
.build());
File tldFile = tmpDir.resolve("idns.yaml").toFile();
Files.asCharSink(tldFile, UTF_8).write(loadFile(getClass(), "idns.yaml"));
runCommandForced("--input=" + tldFile, "-b");
Tld updatedTld = Tld.get("idns");
assertThat(updatedTld.getBreakglassMode()).isTrue();
assertAboutLogs()
.that(logHandler)
.hasLogAtLevelWithMessage(INFO, "TLD YAML file contains no new changes");
}
@Test
void testFailure_noBreakglassFlag_inBreakglassMode() throws Exception {
Tld tld = createTld("tld");
persistResource(tld.asBuilder().setBreakglassMode(true).build());
File tldFile = tmpDir.resolve("tld.yaml").toFile();
Files.asCharSink(tldFile, UTF_8).write(loadFile(getClass(), "tld.yaml"));
IllegalArgumentException thrown =
assertThrows(IllegalArgumentException.class, () -> runCommandForced("--input=" + tldFile));
assertThat(thrown.getMessage())
.isEqualTo(
"Changes can not be applied since TLD is in breakglass mode but the breakglass flag"
+ " was not used");
}
}
@@ -1,56 +0,0 @@
// Copyright 2017 The Nomulus Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package google.registry.xjc;
import static com.google.common.truth.Truth.assertThat;
import static google.registry.testing.TestDataHelper.loadFile;
import static java.nio.charset.StandardCharsets.UTF_8;
import google.registry.xjc.rdehost.XjcRdeHostElement;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import org.junit.jupiter.api.Test;
/** Unit tests for {@link JaxbFragment}. */
class JaxbFragmentTest {
private static final String HOST_FRAGMENT = loadFile(XjcObjectTest.class, "host_fragment.xml");
/** Verifies that a {@link JaxbFragment} can be serialized and deserialized successfully. */
@SuppressWarnings("unchecked")
@Test
void testJavaSerialization() throws Exception {
// Load rdeHost xml fragment into a jaxb object, wrap it, marshal, unmarshal, verify host.
// The resulting host name should be "ns1.example1.test", from the original xml fragment.
try (InputStream source = new ByteArrayInputStream(HOST_FRAGMENT.getBytes(UTF_8))) {
// Load xml
JaxbFragment<XjcRdeHostElement> hostFragment =
JaxbFragment.create(XjcXmlTransformer.unmarshal(XjcRdeHostElement.class, source));
// Marshal
ByteArrayOutputStream bout = new ByteArrayOutputStream();
new ObjectOutputStream(bout).writeObject(hostFragment);
// Unmarshal
ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bout.toByteArray()));
JaxbFragment<XjcRdeHostElement> restoredHostFragment =
(JaxbFragment<XjcRdeHostElement>) in.readObject();
// Verify host name
assertThat(restoredHostFragment.getInstance().getValue().getName())
.isEqualTo("ns1.example1.test");
}
}
}
+4 -2
View File
@@ -499,8 +499,10 @@ comes in at the exact millisecond that the domain would have expired.
* Resource status prohibits this operation.
* The allocation token is not currently valid.
* 2305
* The __REMOVEDOMAIN__ token is missing on a bulk pricing domain command
* The __REMOVEDOMAIN__ token is not allowed on non bulk pricing domains
* The __REMOVE_BULK_PRICING__ token is missing on a bulk pricing domain
command
* The __REMOVE_BULK_PRICING__ token is not allowed on non bulk pricing
domains
* The allocation token is not valid for this domain.
* The allocation token is not valid for this registrar.
* The allocation token is not valid for this TLD.
+1 -1
View File
@@ -34,7 +34,7 @@ spec:
name: https-whois
type: NodePort
---
apiVersion: autoscaling/v2beta1
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
namespace: default
+1 -1
View File
@@ -34,7 +34,7 @@ spec:
name: https-whois
type: NodePort
---
apiVersion: autoscaling/v2beta1
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
namespace: default
@@ -0,0 +1,108 @@
// Copyright 2023 The Nomulus Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package google.registry.util;
import static com.google.common.collect.ImmutableSet.toImmutableSet;
import com.google.common.collect.ImmutableSet;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Collection;
import java.util.Map;
/**
* Safely deserializes Nomulus http request parameters.
*
* <p>Serialized Java objects may be passed between Nomulus components that hold different
* credentials. Deserialization of such objects should be protected against attacks through
* compromised accounts.
*
* <p>This class protects against three types of attacks by restricting the classes used for
* serialization:
*
* <ul>
* <li>Remote code execution by referencing bad classes in compromised jars. When a class with
* malicious code in the static initialization block or the deserialization code path (e.g.,
* the {@code readObject} method) is deserialized, such code will be executed. For Nomulus,
* this risk comes from third-party dependencies. To counter this risk, this class only allows
* Nomulus (google.registry.**) classes and specific core Java classes, and forbid others
* including third-party dependencies. (As a side note, this class does not use allow lists
* for Nomulus or third-party classes because it is infeasible in practice. Super classes of
* the instance being deserialized must be resolved, and therefore must be on the allow list;
* same for the field types of the instance. The allow list for the Joda {@code DateTime}
* class alone would have more than 10 classes. Generated classes, e.g., by AutoValue, present
* another problem: their real names are not meant to be a concern to the user).
* <li>CPU-targeting denial-of-service attacks. Containers and arrays may be used to construct
* object graphs that require enormous amount of computation during deserialization and/or
* during invocations of methods such as {@code hashCode} or {@code equals}, taking minutes or
* even hours to complete. See <a
* href="https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data">
* here</a> for an example of such object graphs. To counter this risk, this class forbids
* lists, maps, and arrays for deserialization.
* <li>Memory-targeting denial-of-service attacks. By forbidding container and arrays, this class
* also prevents some memory-targeting attacks, e.g., using wire format that claims to be an
* array of a huge size, causing the JVM to preallocate excessive amount of memory and
* triggering the {@code OutOfMemoryError}. This is actually a small risk for Nomulus, since
* the impact of each error is limited to a single (spurious) request.
* </ul>
*
* <p>Nomulus classes with fields of array, container, or third-party Java types must implement
* their own serialization/deserialization methods to be safely deserialized. For the common use
* case of passing a collection of `safe` objects, {@link
* SafeSerializationUtils#serializeCollection} and {@link
* SafeSerializationUtils#safeDeserializeCollection} may be used.
*/
public final class SafeObjectInputStream extends ObjectInputStream {
/**
* Core Java classes allowed in deserialization. Add new classes as needed but do not add
* third-party classes.
*/
private static final ImmutableSet<String> ALLOWED_CORE_JAVA_CLASSES =
ImmutableSet.of(String.class, Byte.class, Short.class, Integer.class, Long.class).stream()
.map(Class::getName)
.collect(toImmutableSet());
public SafeObjectInputStream(InputStream in) throws IOException {
super(in);
}
@Override
protected Class<?> resolveClass(ObjectStreamClass desc)
throws ClassNotFoundException, IOException {
String clazz = desc.getName();
if (isNomulusClass(clazz) || ALLOWED_CORE_JAVA_CLASSES.contains(clazz)) {
return checkNotArrayOrContainer(super.resolveClass(desc));
}
throw new ClassNotFoundException(clazz + " not found or not allowed in deserialization.");
}
private Class<?> checkNotArrayOrContainer(Class<?> clazz) throws ClassNotFoundException {
if (isContainer(clazz) || clazz.isArray()) {
throw new ClassNotFoundException(clazz.getName() + " not allowed as non-root object.");
}
return clazz;
}
private boolean isNomulusClass(String clazz) {
return clazz.startsWith("google.registry.");
}
private boolean isContainer(Class<?> clazz) {
return Collection.class.isAssignableFrom(clazz) || Map.class.isAssignableFrom(clazz);
}
}
@@ -0,0 +1,104 @@
// Copyright 2023 The Nomulus Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package google.registry.util;
import static com.google.common.base.Preconditions.checkArgument;
import static com.google.common.base.Preconditions.checkNotNull;
import com.google.common.collect.ImmutableList;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Collection;
import javax.annotation.Nullable;
/**
* Helpers for using {@link SafeObjectInputStream}.
*
* <p>Please refer to {@code SafeObjectInputStream} for more information.
*/
public final class SafeSerializationUtils {
private SafeSerializationUtils() {}
/**
* Maximum number of elements allowed in a serialized collection.
*
* <p>This value is sufficient for parameters embedded in a {@code URL} to typical cloud services.
* E.g., as of Fall 2023, AWS limits request line size to 16KB and GCP limits total header size to
* 64KB.
*/
public static final int MAX_COLLECTION_SIZE = 32768;
/**
* Serializes a collection of objects that can be safely deserialized using {@link
* #safeDeserializeCollection}.
*
* <p>If any element of the collection cannot be safely-deserialized, deserialization will fail.
*/
public static byte[] serializeCollection(Collection<?> collection) {
checkNotNull(collection, "collection");
ByteArrayOutputStream bos = new ByteArrayOutputStream();
try (ObjectOutputStream os = new ObjectOutputStream(bos)) {
os.writeInt(collection.size());
for (Object obj : collection) {
os.writeObject(obj);
}
} catch (IOException e) {
throw new RuntimeException("Failed to serialize: " + collection, e);
}
return bos.toByteArray();
}
/** Safely deserializes an object using {@link SafeObjectInputStream}. */
@Nullable
public static Serializable safeDeserialize(@Nullable byte[] bytes) {
if (bytes == null) {
return null;
}
try (ObjectInputStream is = new SafeObjectInputStream(new ByteArrayInputStream(bytes))) {
Serializable ret = (Serializable) is.readObject();
return ret;
} catch (IOException | ClassNotFoundException e) {
throw new IllegalArgumentException("Failed to deserialize: " + Arrays.toString(bytes), e);
}
}
/**
* Safely deserializes a collection of objects previously serialized with {@link
* #serializeCollection}.
*/
public static <T> ImmutableList<T> safeDeserializeCollection(Class<T> elementType, byte[] bytes) {
checkNotNull(bytes, "Serialized list must not be null.");
try (ObjectInputStream is = new SafeObjectInputStream(new ByteArrayInputStream(bytes))) {
int size = is.readInt();
checkArgument(size >= 0, "Malformed data: negative collection size.");
if (size > MAX_COLLECTION_SIZE) {
throw new IllegalArgumentException("Too many elements in collection: " + size);
}
ImmutableList.Builder<T> builder = new ImmutableList.Builder<>();
for (int i = 0; i < size; i++) {
builder.add(elementType.cast(is.readObject()));
}
return builder.build();
} catch (IOException | ClassNotFoundException | ClassCastException e) {
throw new IllegalArgumentException("Failed to deserialize: " + Arrays.toString(bytes), e);
}
}
}
@@ -74,10 +74,20 @@ public final class SerializeUtils {
private SerializeUtils() {}
/** Encodes a byte array as a URL-safe string. */
public static String encodeBase64(byte[] bytes) {
return Base64.encodeBase64URLSafeString(bytes);
}
/** Turns a string encoded by {@link #encodeBase64} back into a byte array. */
public static byte[] decodeBase64(String objectString) {
return Base64.decodeBase64(objectString);
}
/** Turns an object into an encoded string that can be used safely as a URI query parameter. */
public static String stringify(Serializable object) {
checkNotNull(object, "Object cannot be null");
return Base64.encodeBase64URLSafeString(SerializeUtils.serialize(object));
return encodeBase64(SerializeUtils.serialize(object));
}
/** Turns a string encoded by stringify() into an object. */
@@ -86,6 +96,6 @@ public final class SerializeUtils {
checkNotNull(type, "Class type is not specified");
checkNotNull(objectString, "Object string cannot be null");
return SerializeUtils.deserialize(type, Base64.decodeBase64(objectString));
return SerializeUtils.deserialize(type, decodeBase64(objectString));
}
}
@@ -0,0 +1,126 @@
// Copyright 2023 The Nomulus Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package google.registry.util;
import static com.google.common.collect.Lists.newArrayList;
import static com.google.common.truth.Truth.assertThat;
import static google.registry.util.SerializeUtils.serialize;
import static org.junit.jupiter.api.Assertions.assertThrows;
import com.google.common.base.Objects;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.Maps;
import java.io.ByteArrayInputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import org.joda.time.Duration;
import org.junit.jupiter.api.Test;
/** Unit tests for {@link SafeObjectInputStream}. */
public class SafeObjectInputStreamTest {
@Test
void javaUnitarySuccess() throws Exception {
String orig = "some string";
try (SafeObjectInputStream sois =
new SafeObjectInputStream(new ByteArrayInputStream(serialize(orig)))) {
assertThat(sois.readObject()).isEqualTo(orig);
}
}
@Test
void javaCollectionFailure() throws Exception {
ArrayList<String> orig = newArrayList("a");
try (SafeObjectInputStream sois =
new SafeObjectInputStream(new ByteArrayInputStream(serialize(orig)))) {
assertThrows(ClassNotFoundException.class, () -> sois.readObject());
}
}
@Test
void javaMapFailure() throws Exception {
HashMap<Object, Object> orig = Maps.newHashMap();
try (SafeObjectInputStream sois =
new SafeObjectInputStream(new ByteArrayInputStream(serialize(orig)))) {
assertThrows(ClassNotFoundException.class, () -> sois.readObject());
}
}
@Test
void javaArrayFailure() throws Exception {
int[] orig = new int[] {1};
try (SafeObjectInputStream sois =
new SafeObjectInputStream(new ByteArrayInputStream(serialize(orig)))) {
// For array, the parent class converts ClassNotFoundException in an undocumented way. Safer
// to catch Exception than the one thrown by the current JVM.
assertThrows(Exception.class, () -> sois.readObject());
}
}
@Test
void nonJavaNonNomulusUnitaryFailure() throws Exception {
Serializable orig = Duration.millis(1);
try (SafeObjectInputStream sois =
new SafeObjectInputStream(new ByteArrayInputStream(serialize(orig)))) {
assertThrows(ClassNotFoundException.class, () -> sois.readObject());
}
}
@Test
void nonJavaCollectionFailure() throws Exception {
ImmutableList<String> orig = ImmutableList.of("a");
try (SafeObjectInputStream sois =
new SafeObjectInputStream(new ByteArrayInputStream(serialize(orig)))) {
assertThrows(ClassNotFoundException.class, () -> sois.readObject());
}
}
@Test
void nomulusEntitySuccess() throws Exception {
NomulusEntity orig = new NomulusEntity(1);
byte[] serialized = serialize(orig);
try (SafeObjectInputStream sois =
new SafeObjectInputStream(new ByteArrayInputStream(serialized))) {
Object deserialized = sois.readObject();
assertThat(deserialized).isEqualTo(orig);
}
}
static class NomulusEntity implements Serializable {
Integer value;
NomulusEntity(int value) {
this.value = value;
}
@Override
public boolean equals(Object o) {
if (this == o) {
return true;
}
if (!(o instanceof NomulusEntity)) {
return false;
}
NomulusEntity that = (NomulusEntity) o;
return Objects.equal(value, that.value);
}
@Override
public int hashCode() {
return Objects.hashCode(value);
}
}
}
@@ -0,0 +1,110 @@
// Copyright 2023 The Nomulus Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package google.registry.util;
import static com.google.common.collect.Lists.newArrayList;
import static com.google.common.truth.Truth.assertThat;
import static google.registry.util.SafeSerializationUtils.safeDeserialize;
import static google.registry.util.SafeSerializationUtils.safeDeserializeCollection;
import static google.registry.util.SafeSerializationUtils.serializeCollection;
import static google.registry.util.SerializeUtils.serialize;
import static org.junit.jupiter.api.Assertions.assertThrows;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import java.util.ArrayList;
import java.util.Arrays;
import org.junit.jupiter.api.Test;
/** Unit tests for {@link SafeSerializationUtils}. */
public class SafeSerializationUtilsTest {
@Test
void deserialize_array_failure() {
assertThat(
assertThrows(
IllegalArgumentException.class, () -> safeDeserialize(serialize(new byte[0]))))
.hasMessageThat()
.contains("Failed to deserialize:");
}
@Test
void deserialize_null_success() {
assertThat(safeDeserialize(serialize(null))).isNull();
}
@Test
void deserialize_map_failure() {
assertThat(
assertThrows(
IllegalArgumentException.class,
() -> safeDeserialize(serialize(ImmutableMap.of()))))
.hasMessageThat()
.contains("Failed to deserialize:");
}
@Test
void serializeDeserialize_null_success() {
assertThat(safeDeserialize(null)).isNull();
}
@Test
void serializeDeserialize_notCollection_success() {
Integer orig = 1;
assertThat(safeDeserialize(serialize(orig))).isEqualTo(orig);
}
@Test
void serializeDeserializeCollection_success() {
ArrayList<Integer> orig = newArrayList(1, 2, 3);
ImmutableList<Integer> deserialized =
safeDeserializeCollection(Integer.class, serializeCollection(orig));
assertThat(deserialized).isEqualTo(orig);
}
@Test
void serializeDeserializeCollection_withMaxSize_success() {
Integer[] array = new Integer[SafeSerializationUtils.MAX_COLLECTION_SIZE];
Arrays.fill(array, 1);
ArrayList<Integer> orig = newArrayList(array);
assertThat(safeDeserializeCollection(Integer.class, serializeCollection(orig))).isEqualTo(orig);
}
@Test
void serializeDeserializeCollection_tooLarge_Failure() {
Integer[] array = new Integer[SafeSerializationUtils.MAX_COLLECTION_SIZE + 1];
Arrays.fill(array, 1);
ArrayList<Integer> orig = newArrayList(array);
assertThat(
assertThrows(
IllegalArgumentException.class,
() -> safeDeserializeCollection(Integer.class, serializeCollection(orig))))
.hasMessageThat()
.contains("Too many elements");
}
@Test
void serializeDeserializeCollection_wrong_elementType_success() {
ArrayList<Integer> orig = newArrayList(1, 2, 3);
assertThrows(
IllegalArgumentException.class,
() -> safeDeserializeCollection(Long.class, serializeCollection(orig)));
}
@Test
void deserializeCollection_null_failure() {
assertThrows(NullPointerException.class, () -> safeDeserializeCollection(Integer.class, null));
}
}