Class SecretManagerKeyring

java.lang.Object
google.registry.keyring.secretmanager.SecretManagerKeyring
All Implemented Interfaces:
Keyring, AutoCloseable

public class SecretManagerKeyring extends Object implements Keyring
A Keyring implementation which stores sensitive data in the Secret Manager.
  • Method Details

    • getRdeSigningKey

      public org.bouncycastle.openpgp.PGPKeyPair getRdeSigningKey()
      Description copied from interface: Keyring
      Returns the key which should be used to sign RDE deposits being uploaded to a third-party.

      When we give all our data to the escrow provider, they'll need a signature to ensure the data is authentic.

      This keypair should only be known to the domain registry shared registry system.

      Specified by:
      getRdeSigningKey in interface Keyring
    • getRdeStagingEncryptionKey

      public org.bouncycastle.openpgp.PGPPublicKey getRdeStagingEncryptionKey()
      Description copied from interface: Keyring
      Returns public key for encrypting escrow deposits being staged to cloud storage.

      This adds an additional layer of security so that cloud storage administrators who can read the staging bucket cannot simply open the App Engine Cloud Console and see a dump of the entire database.

      This keypair should only be known to the domain registry shared registry system.

      Specified by:
      getRdeStagingEncryptionKey in interface Keyring
    • getRdeStagingDecryptionKey

      public org.bouncycastle.openpgp.PGPPrivateKey getRdeStagingDecryptionKey()
      Description copied from interface: Keyring
      Returns private key for decrypting escrow deposits retrieved from cloud storage.

      This method may impose restrictions on who can call it. For example, we'd want to check that the caller isn't an HTTP request attacking a vulnerability in the admin console. The request should originate from a backend task queue servlet invocation of the RDE upload task.

      Specified by:
      getRdeStagingDecryptionKey in interface Keyring
    • getRdeReceiverKey

      public org.bouncycastle.openpgp.PGPPublicKey getRdeReceiverKey()
      Description copied from interface: Keyring
      Returns public key of escrow agent for encrypting deposits as they're uploaded.
      Specified by:
      getRdeReceiverKey in interface Keyring
    • getBrdaSigningKey

      public org.bouncycastle.openpgp.PGPKeyPair getBrdaSigningKey()
      Description copied from interface: Keyring
      Returns the PGP key we use to sign Bulk Registration Data Access (BRDA) deposits.
      Specified by:
      getBrdaSigningKey in interface Keyring
    • getBrdaReceiverKey

      public org.bouncycastle.openpgp.PGPPublicKey getBrdaReceiverKey()
      Description copied from interface: Keyring
      Returns public key of receiver of Bulk Registration Data Access (BRDA) deposits.
      Specified by:
      getBrdaReceiverKey in interface Keyring
    • getRdeSshClientPublicKey

      public String getRdeSshClientPublicKey()
      Description copied from interface: Keyring
      Returns public key for SSH client connections made by RDE.

      This is a string containing what would otherwise be the contents of an ~/.ssh/id_rsa.pub file. It's usually a single line with the key type (for example ssh-rsa), the base64-encoded key, and an optional comment, conventionally the email address of the owner.

      Specified by:
      getRdeSshClientPublicKey in interface Keyring
    • getRdeSshClientPrivateKey

      public String getRdeSshClientPrivateKey()
      Description copied from interface: Keyring
      Returns private key for SSH client connections made by RDE.

      This is a string containing what would otherwise be the contents of an ~/.ssh/id_rsa file. It's PEM-style ASCII-armored text (a BEGIN/END block around base64 data), not a binary key blob.

      This method may impose restrictions on who can call it. For example, we'd want to check that the caller isn't an HTTP request attacking a vulnerability in the admin console. The request should originate from a backend task queue servlet invocation of the RDE upload task.

      Specified by:
      getRdeSshClientPrivateKey in interface Keyring
    • getSafeBrowsingAPIKey

      public String getSafeBrowsingAPIKey()
      Description copied from interface: Keyring
      Returns the API key for accessing the SafeBrowsing API.
      Specified by:
      getSafeBrowsingAPIKey in interface Keyring
    • getIcannReportingPassword

      public String getIcannReportingPassword()
      Description copied from interface: Keyring
      Returns password to be used when uploading reports to ICANN.
      Specified by:
      getIcannReportingPassword in interface Keyring
    • getMarksdbDnlLoginAndPassword

      public String getMarksdbDnlLoginAndPassword()
      Description copied from interface: Keyring
      Returns user:password login for TMCH MarksDB HTTP server DNL interface.
      Specified by:
      getMarksdbDnlLoginAndPassword in interface Keyring
    • getMarksdbLordnPassword

      public String getMarksdbLordnPassword()
      Description copied from interface: Keyring
      Returns password for TMCH MarksDB HTTP server LORDN interface.
      Specified by:
      getMarksdbLordnPassword in interface Keyring
      See Also:
      • "google.registry.tmch.LordnRequestInitializer"
    • getMarksdbSmdrlLoginAndPassword

      public String getMarksdbSmdrlLoginAndPassword()
      Description copied from interface: Keyring
      Returns user:password login for TMCH MarksDB HTTP server SMDRL interface.
      Specified by:
      getMarksdbSmdrlLoginAndPassword in interface Keyring
    • getBsaApiKey

      public String getBsaApiKey()
      Description copied from interface: Keyring
      Returns the API_KEY for authentication with the BSA portal.
      Specified by:
      getBsaApiKey in interface Keyring
    • getSqlPrimaryConnectionName

      public String getSqlPrimaryConnectionName()
      Description copied from interface: Keyring
      Returns the Cloud SQL connection name of the primary database instance.
      Specified by:
      getSqlPrimaryConnectionName in interface Keyring
    • getSqlReplicaConnectionName

      public String getSqlReplicaConnectionName()
      Description copied from interface: Keyring
      Returns the Cloud SQL connection name of the replica database instance.
      Specified by:
      getSqlReplicaConnectionName in interface Keyring
    • close

      public void close()
      No persistent resources are maintained for this Keyring implementation.
      Specified by:
      close in interface AutoCloseable
      Specified by:
      close in interface Keyring
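
The RDE accessors above (getRdeSigningKey, getRdeStagingEncryptionKey, getRdeStagingDecryptionKey) hand out BouncyCastle OpenPGP key objects. What follows is an added example, not Nomulus code, of what a caller does with them: encrypt a deposit to the staging public key before it is written to cloud storage, decrypt it again with the staging private key while checking the integrity packet, and sign the recovered bytes with the signing key pair. The class name KeyringRoundTrip, the method names, the constructed sample deposit and the locally generated RSA keys that stand in for the keys a SecretManagerKeyring would return are all assumptions of the example; in the registry the key parameters would be filled from the Keyring methods named in the comments.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import java.util.Date;
import org.bouncycastle.bcpg.HashAlgorithmTags;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openpgp.*;
import org.bouncycastle.openpgp.jcajce.JcaPGPObjectFactory;
import org.bouncycastle.openpgp.operator.jcajce.*;

/** Added example (not Nomulus code): using the PGP keys a Keyring hands out. Key parameters are
 *  where keyring.getRdeStagingEncryptionKey(), getRdeStagingDecryptionKey() and getRdeSigningKey()
 *  would plug in; main() substitutes locally generated RSA keys so it runs without Secret Manager. */
public final class KeyringRoundTrip {

  static { Security.addProvider(new BouncyCastleProvider()); }

  /** Encrypts a deposit to the staging public key before it is written to cloud storage. */
  static byte[] encryptForStaging(PGPPublicKey stagingKey, byte[] deposit)
      throws IOException, PGPException {
    ByteArrayOutputStream out = new ByteArrayOutputStream();
    PGPEncryptedDataGenerator encGen = new PGPEncryptedDataGenerator(
        new JcePGPDataEncryptorBuilder(PGPEncryptedData.AES_256)
            .setWithIntegrityPacket(true) // MDC: a modified ciphertext is detected on decryption
            .setSecureRandom(new SecureRandom())
            .setProvider("BC"));
    encGen.addMethod(new JcePublicKeyKeyEncryptionMethodGenerator(stagingKey).setProvider("BC"));
    try (OutputStream enc = encGen.open(out, new byte[1 << 16]);
        OutputStream lit = new PGPLiteralDataGenerator()
            .open(enc, PGPLiteralData.BINARY, "deposit.xml", new Date(), new byte[1 << 16])) {
      lit.write(deposit);
    }
    return out.toByteArray();
  }

  /** Decrypts a staged deposit with the private key the backend RDE task gets from the Keyring. */
  static byte[] decryptFromStaging(PGPPrivateKey decryptionKey, byte[] ciphertext)
      throws IOException, PGPException {
    PGPEncryptedDataList encList = (PGPEncryptedDataList)
        new JcaPGPObjectFactory(new ByteArrayInputStream(ciphertext)).nextObject();
    PGPPublicKeyEncryptedData encData = (PGPPublicKeyEncryptedData) encList.get(0);
    if (encData.getKeyID() != decryptionKey.getKeyID()) {
      throw new PGPException("deposit was not encrypted to the staging key");
    }
    PGPLiteralData literal = (PGPLiteralData) new JcaPGPObjectFactory(encData.getDataStream(
        new JcePublicKeyDataDecryptorFactoryBuilder().setProvider("BC").build(decryptionKey)))
        .nextObject();
    byte[] plain = literal.getInputStream().readAllBytes();
    // Trust the plaintext only after the integrity packet has been checked.
    if (!encData.isIntegrityProtected() || !encData.verify()) {
      throw new PGPException("integrity check failed: staged deposit was modified");
    }
    return plain;
  }

  /** Detached signature over the deposit bytes, as the escrow provider would receive it. */
  static PGPSignature sign(PGPKeyPair signingKey, byte[] data) throws PGPException {
    PGPSignatureGenerator sigGen = new PGPSignatureGenerator(
        new JcaPGPContentSignerBuilder(signingKey.getPublicKey().getAlgorithm(), HashAlgorithmTags.SHA256)
            .setProvider("BC"));
    sigGen.init(PGPSignature.BINARY_DOCUMENT, signingKey.getPrivateKey());
    sigGen.update(data);
    return sigGen.generate();
  }

  static boolean verify(PGPPublicKey signerKey, byte[] data, PGPSignature sig) throws PGPException {
    sig.init(new JcaPGPContentVerifierBuilderProvider().setProvider("BC"), signerKey);
    sig.update(data);
    return sig.verify();
  }

  public static void main(String[] args) throws Exception {
    // Assumption: locally generated keys stand in for the Keyring's RDE staging and signing keys.
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
    kpg.initialize(2048);
    PGPKeyPair stagingPair = new JcaPGPKeyPair(PGPPublicKey.RSA_GENERAL, kpg.generateKeyPair(), new Date());
    PGPKeyPair signingPair = new JcaPGPKeyPair(PGPPublicKey.RSA_GENERAL, kpg.generateKeyPair(), new Date());

    byte[] deposit = "<rde:deposit>sample</rde:deposit>".getBytes(StandardCharsets.UTF_8); // constructed
    byte[] staged = encryptForStaging(stagingPair.getPublicKey(), deposit);
    byte[] recovered = decryptFromStaging(stagingPair.getPrivateKey(), staged);
    PGPSignature sig = sign(signingPair, recovered);
    System.out.println("round trip ok: " + Arrays.equals(deposit, recovered));
    System.out.println("signature ok:  " + verify(signingPair.getPublicKey(), recovered, sig));

    // Flip one byte inside the encrypted integrity packet: decryption must fail, not return garbage.
    staged[staged.length - 10] ^= 0x01;
    try {
      decryptFromStaging(stagingPair.getPrivateKey(), staged);
    } catch (PGPException | IOException e) {
      System.out.println("tamper detected: " + e.getMessage());
    }
  }
}
```

Two checks in decryptFromStaging are the ones worth copying: the key ID comparison refuses a ciphertext that was encrypted to some other key (so the private key is never applied to attacker-chosen session keys), and the plaintext is only returned once the MDC has verified, which is what makes the tamper case at the end fail closed. The key ID check is the example's own precaution, not something the Keyring interface prescribes.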