Make GKE networking work more properly (#2531)

build.gradle

@@ -119,6 +119,7 @@ if (environment == '') {
 
 rootProject.ext.environment = environment
 rootProject.ext.gcpProject = gcpProject
+rootProject.ext.baseDomain = baseDomains[environment]
 rootProject.ext.prodOrSandboxEnv = environment in ['production', 'sandbox']
 
 // Function to verify that the deployment parameters have been set.

core/src/main/java/google/registry/config/RegistryConfig.java

@@ -119,6 +119,18 @@ public final class RegistryConfig {
       return config.gcpProject.projectIdNumber;
     }
 
+    @Provides
+    @Config("backendServiceIds")
+    public static Map<String, Long> provideBackendServiceIds(RegistryConfigSettings config) {
+      return config.gcpProject.backendServiceIds;
+    }
+
+    @Provides
+    @Config("baseDomain")
+    public static String provideBaseDomain(RegistryConfigSettings config) {
+      return config.gcpProject.baseDomain;
+    }
+
     @Provides
     @Config("locationId")
     public static String provideLocationId(RegistryConfigSettings config) {
@@ -1259,12 +1271,6 @@ public final class RegistryConfig {
       return config.auth.oauthClientId;
     }
 
-    @Provides
-    @Config("fallbackOauthClientId")
-    public static String provideFallbackOauthClientId(RegistryConfigSettings config) {
-      return config.auth.fallbackOauthClientId;
-    }
-
     /**
      * Provides the OAuth scopes required for accessing Google APIs using the default credential.
      */

core/src/main/java/google/registry/config/RegistryConfigSettings.java

@@ -56,13 +56,14 @@ public class RegistryConfigSettings {
     public String bsaServiceUrl;
     public String toolsServiceUrl;
     public String pubapiServiceUrl;
+    public Map<String, Long> backendServiceIds;
+    public String baseDomain;
   }
 
   /** Configuration options for authenticating users. */
   public static class Auth {
     public List<String> allowedServiceAccountEmails;
     public String oauthClientId;
-    public String fallbackOauthClientId;
   }
 
   /** Configuration options for accessing Google APIs. */

core/src/main/java/google/registry/config/files/default-config.yaml

@@ -1,5 +1,5 @@
 # This is the default configuration file for Nomulus. Do not make changes to it
-# unless you are writing new features that requires you to. To customize an
+# unless you are writing new features that require you to. To customize an
 # individual deployment or environment, create a nomulus-config.yaml file in the
 # WEB-INF/ directory overriding only the values you wish to change. You may need
 # to override some of these values to configure and enable some services used in
@@ -24,6 +24,17 @@ gcpProject:
   toolsServiceUrl: https://tools.example.com
   pubapiServiceUrl: https://pubapi.example.com
 
+  # The backend service IDs created when setting up GKE routes. They will be included in the
+  # audience field in the JWT that IAP creates.
+  # See: https://cloud.google.com/iap/docs/signed-headers-howto#verifying_the_jwt_payload
+  backendServiceIds:
+    frontend: 12345
+    backend: 12345
+    pubapi: 12345
+    console: 12345
+
+  # The base domain name of the registry service. Services are reachable at [service].baseDomain.
+  baseDomain: registry.test
 
 gSuite:
   # Publicly accessible domain name of the running G Suite instance.
@@ -328,25 +339,21 @@ caching:
 # Note: Only allowedServiceAccountEmails and oauthClientId should be configured.
 # Other fields are related to OAuth-based authentication and will be removed.
 auth:
-  # Service accounts (e.g. default service account, account used by Cloud
+  # Service accounts (e.g., default service account, account used by Cloud
   # Scheduler) allowed to send authenticated requests.
   allowedServiceAccountEmails:
   - default-service-account-email@email.com
   - cloud-scheduler-email@email.com
 
   # OAuth 2.0 client ID that will be used as the audience in OIDC ID tokens sent
-  # from clients (e.g. proxy, nomulus tool, cloud tasks) for authentication. The
+  # from clients (e.g., proxy, nomulus tool, cloud tasks) for authentication. The
   # same ID is the only one accepted by the regular OIDC or IAP authentication
-  # mechanisms. In most cases we should use the client ID created for IAP here,
+  # mechanisms. In most cases, we should use the client ID created for IAP here,
   # as it allows requests bearing a token with this audience to be accepted by
   # both IAP or regular OIDC. The clientId value in proxy config file should be
   # the same as this one.
   oauthClientId: iap-oauth-clientid
 
-  # Same as above, but serve as a fallback, so we can switch the client ID of
-  # the proxy without downtime.
-  fallbackOauthClientId: fallback-oauth-clientid
-
 credentialOAuth:
   # OAuth scopes required for accessing Google APIs using the default
   # credential.

core/src/main/java/google/registry/dns/RefreshDnsAction.java

@@ -36,7 +36,7 @@ import javax.inject.Inject;
 /** Action that manually triggers refresh of DNS information. */
 @Action(
     service = Action.Service.BACKEND,
-    path = "/_dr/dnsRefresh",
+    path = "/_dr/task/dnsRefresh",
     automaticallyPrintOk = true,
     auth = Auth.AUTH_ADMIN)
 public final class RefreshDnsAction implements Runnable {

core/src/main/java/google/registry/env/common/backend/WEB-INF/web.xml

@@ -165,7 +165,7 @@
   <!-- Manually refreshes DNS information. -->
   <servlet-mapping>
     <servlet-name>backend-servlet</servlet-name>
-    <url-pattern>/_dr/dnsRefresh</url-pattern>
+    <url-pattern>/_dr/task/dnsRefresh</url-pattern>
   </servlet-mapping>
 
   <!-- Fans out a cron task over an adjustable range of TLDs. -->

core/src/main/java/google/registry/module/RegistryComponent.java

@@ -102,9 +102,11 @@ interface RegistryComponent {
   class RegistryModule {
     @Provides
     static RequestHandler<RequestComponent> provideRequestHandler(
+        @Config("baseDomain") String baseDomain,
         Provider<RequestComponent.Builder> componentProvider,
         RequestAuthenticator requestAuthenticator) {
-      return RequestHandler.create(RequestComponent.class, componentProvider, requestAuthenticator);
+      return RequestHandler.create(
+          RequestComponent.class, baseDomain, componentProvider, requestAuthenticator);
     }
   }
 }

core/src/main/java/google/registry/module/RequestComponent.java

@@ -113,6 +113,7 @@ import google.registry.ui.server.console.ConsoleDomainGetAction;
 import google.registry.ui.server.console.ConsoleDomainListAction;
 import google.registry.ui.server.console.ConsoleDumDownloadAction;
 import google.registry.ui.server.console.ConsoleEppPasswordAction;
+import google.registry.ui.server.console.ConsoleModule;
 import google.registry.ui.server.console.ConsoleRegistryLockAction;
 import google.registry.ui.server.console.ConsoleRegistryLockVerifyAction;
 import google.registry.ui.server.console.ConsoleUpdateRegistrarAction;
@@ -121,15 +122,6 @@ import google.registry.ui.server.console.RegistrarsAction;
 import google.registry.ui.server.console.settings.ContactAction;
 import google.registry.ui.server.console.settings.SecurityAction;
 import google.registry.ui.server.console.settings.WhoisRegistrarFieldsAction;
-import google.registry.ui.server.registrar.ConsoleOteSetupAction;
-import google.registry.ui.server.registrar.ConsoleRegistrarCreatorAction;
-import google.registry.ui.server.registrar.ConsoleUiAction;
-import google.registry.ui.server.registrar.OteStatusAction;
-import google.registry.ui.server.registrar.RegistrarConsoleModule;
-import google.registry.ui.server.registrar.RegistrarSettingsAction;
-import google.registry.ui.server.registrar.RegistryLockGetAction;
-import google.registry.ui.server.registrar.RegistryLockPostAction;
-import google.registry.ui.server.registrar.RegistryLockVerifyAction;
 import google.registry.whois.WhoisAction;
 import google.registry.whois.WhoisHttpAction;
 import google.registry.whois.WhoisModule;
@@ -142,6 +134,7 @@ import google.registry.whois.WhoisModule;
       BillingModule.class,
       CheckApiModule.class,
       CloudDnsWriterModule.class,
+      ConsoleModule.class,
       CronModule.class,
       CustomLogicModule.class,
       DnsCountQueryCoordinatorModule.class,
@@ -154,7 +147,6 @@ import google.registry.whois.WhoisModule;
       LoadTestModule.class,
       RdapModule.class,
       RdeModule.class,
-      RegistrarConsoleModule.class,
       ReportingModule.class,
       RequestModule.class,
       SheetModule.class,
@@ -186,16 +178,10 @@ interface RequestComponent {
 
   ConsoleEppPasswordAction consoleEppPasswordAction();
 
-  ConsoleOteSetupAction consoleOteSetupAction();
-
-  ConsoleRegistrarCreatorAction consoleRegistrarCreatorAction();
-
   ConsoleRegistryLockAction consoleRegistryLockAction();
 
   ConsoleRegistryLockVerifyAction consoleRegistryLockVerifyAction();
 
-  ConsoleUiAction consoleUiAction();
-
   ConsoleUpdateRegistrarAction consoleUpdateRegistrarAction();
 
   ConsoleUserDataAction consoleUserDataAction();
@@ -254,8 +240,6 @@ interface RequestComponent {
 
   NordnVerifyAction nordnVerifyAction();
 
-  OteStatusAction oteStatusAction();
-
   PublishDnsUpdatesAction publishDnsUpdatesAction();
 
   PublishInvoicesAction uploadInvoicesAction();
@@ -296,16 +280,8 @@ interface RequestComponent {
 
   RefreshDnsOnHostRenameAction refreshDnsOnHostRenameAction();
 
-  RegistrarSettingsAction registrarSettingsAction();
-
   RegistrarsAction registrarsAction();
 
-  RegistryLockGetAction registryLockGetAction();
-
-  RegistryLockPostAction registryLockPostAction();
-
-  RegistryLockVerifyAction registryLockVerifyAction();
-
   RelockDomainAction relockDomainAction();
 
   ResaveAllEppResourcesPipelineAction resaveAllEppResourcesPipelineAction();

core/src/main/java/google/registry/module/frontend/FrontendRequestComponent.java

@@ -29,6 +29,7 @@ import google.registry.ui.server.console.ConsoleDomainGetAction;
 import google.registry.ui.server.console.ConsoleDomainListAction;
 import google.registry.ui.server.console.ConsoleDumDownloadAction;
 import google.registry.ui.server.console.ConsoleEppPasswordAction;
+import google.registry.ui.server.console.ConsoleModule;
 import google.registry.ui.server.console.ConsoleRegistryLockAction;
 import google.registry.ui.server.console.ConsoleRegistryLockVerifyAction;
 import google.registry.ui.server.console.ConsoleUpdateRegistrarAction;
@@ -41,7 +42,6 @@ import google.registry.ui.server.registrar.ConsoleOteSetupAction;
 import google.registry.ui.server.registrar.ConsoleRegistrarCreatorAction;
 import google.registry.ui.server.registrar.ConsoleUiAction;
 import google.registry.ui.server.registrar.OteStatusAction;
-import google.registry.ui.server.registrar.RegistrarConsoleModule;
 import google.registry.ui.server.registrar.RegistrarSettingsAction;
 import google.registry.ui.server.registrar.RegistryLockGetAction;
 import google.registry.ui.server.registrar.RegistryLockPostAction;
@@ -54,7 +54,7 @@ import google.registry.ui.server.registrar.RegistryLockVerifyAction;
       BatchModule.class,
       DnsModule.class,
       EppTlsModule.class,
-      RegistrarConsoleModule.class,
+      ConsoleModule.class,
       RequestModule.class,
       WhiteboxModule.class,
     })

core/src/main/java/google/registry/request/Action.java

@@ -14,6 +14,8 @@
 
 package google.registry.request;
 
+import static com.google.common.base.Preconditions.checkState;
+
 import google.registry.request.auth.Auth;
 import java.lang.annotation.ElementType;
 import java.lang.annotation.Retention;
@@ -36,7 +38,6 @@ public @interface Action {
     BACKEND("backend"),
     PUBAPI("pubapi");
 
-
     private final String serviceId;
 
     Service(String serviceId) {
@@ -49,9 +50,33 @@ public @interface Action {
     }
   }
 
+  enum GkeService {
+    // This designation means that it defers to the GAE service, so we don't have to annotate EVERY
+    // action during the GKE migration.
+    SAME_AS_GAE("same_as_gae"),
+    FRONTEND("frontend"),
+    BACKEND("backend"),
+    PUBAPI("pubapi"),
+    CONSOLE("console");
+
+    private final String serviceId;
+
+    GkeService(String serviceId) {
+      this.serviceId = serviceId;
+    }
+
+    public String getServiceId() {
+      checkState(this != SAME_AS_GAE, "Cannot get service Id for SAME_AS_GAE");
+      return serviceId;
+    }
+  }
+
   /** Which App Engine service this action lives on. */
   Service service();
 
+  /** Which GKE service this action lives on. */
+  GkeService gkeService() default GkeService.SAME_AS_GAE;
+
   /** HTTP path to serve the action from. The path components must be percent-escaped. */
   String path();
 
@@ -72,4 +97,22 @@ public @interface Action {
 
   /** Authentication settings. */
   Auth auth();
+
+  // TODO(jianglai): Use Action.gkeService() directly once we are off GAE.
+  class ServiceGetter {
+    public static GkeService get(Action action) {
+      GkeService service = action.gkeService();
+      if (service != GkeService.SAME_AS_GAE) {
+        return service;
+      }
+      Service gaeService = action.service();
+      return switch (gaeService) {
+        case DEFAULT -> GkeService.FRONTEND;
+        case BACKEND -> GkeService.BACKEND;
+        case TOOLS -> GkeService.BACKEND;
+        case BSA -> GkeService.BACKEND;
+        case PUBAPI -> GkeService.PUBAPI;
+      };
+    }
+  }
 }

core/src/main/java/google/registry/request/RequestHandler.java

@@ -22,14 +22,17 @@ import static jakarta.servlet.http.HttpServletResponse.SC_METHOD_NOT_ALLOWED;
 import static jakarta.servlet.http.HttpServletResponse.SC_NOT_FOUND;
 
 import com.google.common.flogger.FluentLogger;
+import google.registry.request.Action.GkeService;
 import google.registry.request.auth.AuthResult;
 import google.registry.request.auth.RequestAuthenticator;
 import google.registry.util.NonFinalForTesting;
+import google.registry.util.RegistryEnvironment;
 import google.registry.util.SystemClock;
 import google.registry.util.TypeUtils.TypeInstantiator;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
+import java.util.Objects;
 import java.util.Optional;
 import javax.annotation.Nullable;
 import javax.inject.Provider;
@@ -69,6 +72,7 @@ public class RequestHandler<C> {
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
 
   private final Router router;
+  @Nullable private final String baseDomain;
   private final Provider<? extends RequestComponentBuilder<C>> requestComponentBuilderProvider;
   private final RequestAuthenticator requestAuthenticator;
   private final SystemClock clock = new SystemClock();
@@ -91,22 +95,22 @@ public class RequestHandler<C> {
   protected RequestHandler(
       Provider<? extends RequestComponentBuilder<C>> requestComponentBuilderProvider,
       RequestAuthenticator requestAuthenticator) {
-    this(null, requestComponentBuilderProvider, requestAuthenticator);
+    this(null, null, requestComponentBuilderProvider, requestAuthenticator);
   }
 
   /** Creates a new RequestHandler with an explicit component class for test purposes. */
   public static <C> RequestHandler<C> create(
       Class<C> component,
+      @Nullable String baseDomain,
       Provider<? extends RequestComponentBuilder<C>> requestComponentBuilderProvider,
       RequestAuthenticator requestAuthenticator) {
     return new RequestHandler<>(
-        checkNotNull(component),
-        requestComponentBuilderProvider,
-        requestAuthenticator);
+        checkNotNull(component), baseDomain, requestComponentBuilderProvider, requestAuthenticator);
   }
 
   private RequestHandler(
       @Nullable Class<C> component,
+      @Nullable String baseDomain,
       Provider<? extends RequestComponentBuilder<C>> requestComponentBuilderProvider,
       RequestAuthenticator requestAuthenticator) {
     // If the component class isn't explicitly provided, infer it from the class's own typing.
@@ -114,6 +118,7 @@ public class RequestHandler<C> {
     // preserved at runtime, so only expose that option via the protected constructor.
     this.router = Router.create(
         component != null ? component : new TypeInstantiator<C>(getClass()){}.getExactType());
+    this.baseDomain = baseDomain;
     this.requestComponentBuilderProvider = checkNotNull(requestComponentBuilderProvider);
     this.requestAuthenticator = checkNotNull(requestAuthenticator);
   }
@@ -137,6 +142,17 @@ public class RequestHandler<C> {
       rsp.sendError(SC_NOT_FOUND);
       return;
     }
+    if (RegistryEnvironment.isOnJetty()) {
+      GkeService service = Action.ServiceGetter.get(route.get().action());
+      String expectedDomain = String.format("%s.%s", service.getServiceId(), baseDomain);
+      String actualDomain = req.getServerName();
+      if (!Objects.equals(actualDomain, expectedDomain)) {
+        logger.atWarning().log(
+            "Actual domain %s does not match expected domain %s", actualDomain, expectedDomain);
+        rsp.sendError(SC_NOT_FOUND);
+        return;
+      }
+    }
     if (!route.get().isMethodAllowed(method)) {
       logger.atWarning().log("Method %s not allowed for: %s", method, path);
       rsp.sendError(SC_METHOD_NOT_ALLOWED);

core/src/main/java/google/registry/request/RouterDisplayHelper.java

@@ -21,6 +21,7 @@ import com.google.common.base.Joiner;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Streams;
+import java.util.Comparator;
 import java.util.Map;
 
 /**
@@ -37,6 +38,7 @@ import java.util.Map;
  * the content to be displayed. The columns are:
  *
  * <ol>
+ *   <li>the GKE service this action lives on
  *   <li>the URL path which maps to this action (with a "(*)" after it if the prefix flag is set)
  *   <li>the simple name of the action class
  *   <li>the allowable HTTP methods
@@ -49,12 +51,13 @@ import java.util.Map;
  */
 public class RouterDisplayHelper {
 
+  private static final String SERVICE = "service";
   private static final String PATH = "path";
   private static final String CLASS = "class";
   private static final String METHODS = "methods";
   private static final String MINIMUM_LEVEL = "minLevel";
 
-  private static final String FORMAT = "%%-%ds %%-%ds %%-%ds %%-2s %%-%ds %%s";
+  private static final String FORMAT = "%%-%ds %%-%ds %%-%ds %%-%ds %%-2s %%-%ds %%s";
 
   /** Returns a string representation of the routing map in the specified component. */
   public static String extractHumanReadableRoutesFromComponent(Class<?> componentClass) {
@@ -76,6 +79,7 @@ public class RouterDisplayHelper {
   private static String getFormatString(Map<String, Integer> columnWidths) {
     return String.format(
         FORMAT,
+        columnWidths.get(SERVICE),
         columnWidths.get(PATH),
         columnWidths.get(CLASS),
         columnWidths.get(METHODS),
@@ -84,18 +88,13 @@ public class RouterDisplayHelper {
 
   private static String headerToString(String formatString) {
     return String.format(
-        formatString,
-        "PATH",
-        "CLASS",
-        "METHODS",
-        "OK",
-        "MIN",
-        "USER_POLICY");
+        formatString, "SERVICE", "PATH", "CLASS", "METHODS", "OK", "MIN", "USER_POLICY");
   }
 
   private static String routeToString(Route route, String formatString) {
     return String.format(
         formatString,
+        Action.ServiceGetter.get(route.action()).name(),
         route.action().isPrefix() ? (route.action().path() + "(*)") : route.action().path(),
         route.actionClass().getSimpleName(),
         Joiner.on(",").join(route.action().method()),
@@ -107,12 +106,17 @@ public class RouterDisplayHelper {
   private static String formatRoutes(Iterable<Route> routes) {
 
     // Use the column header length as a minimum.
+    int serviceWidth = 7;
     int pathWidth = 4;
     int classWidth = 5;
     int methodsWidth = 7;
     int minLevelWidth = 3;
     for (Route route : routes) {
-      int len =
+      int len = Action.ServiceGetter.get(route.action()).name().length();
+      if (len > serviceWidth) {
+        serviceWidth = len;
+      }
+      len =
           route.action().isPrefix()
               ? (route.action().path().length() + 3)
               : route.action().path().length();
@@ -135,6 +139,7 @@ public class RouterDisplayHelper {
     final String formatString =
         getFormatString(
             new ImmutableMap.Builder<String, Integer>()
+                .put(SERVICE, serviceWidth)
                 .put(PATH, pathWidth)
                 .put(CLASS, classWidth)
                 .put(METHODS, methodsWidth)
@@ -143,6 +148,9 @@ public class RouterDisplayHelper {
     return headerToString(formatString)
         + String.format("%n")
         + Streams.stream(routes)
+            .sorted(
+                Comparator.comparing(
+                    (Route route) -> Action.ServiceGetter.get(route.action()).ordinal()))
             .map(route -> routeToString(route, formatString))
             .collect(joining(String.format("%n")));
   }

core/src/main/java/google/registry/request/auth/AuthModule.java

@@ -16,7 +16,6 @@ package google.registry.request.auth;
 
 import static com.google.common.net.HttpHeaders.AUTHORIZATION;
 
-import com.google.auth.oauth2.TokenVerifier;
 import com.google.common.collect.ImmutableList;
 import dagger.Module;
 import dagger.Provides;
@@ -24,6 +23,10 @@ import google.registry.config.RegistryConfig.Config;
 import google.registry.request.auth.OidcTokenAuthenticationMechanism.IapOidcAuthenticationMechanism;
 import google.registry.request.auth.OidcTokenAuthenticationMechanism.RegularOidcAuthenticationMechanism;
 import google.registry.request.auth.OidcTokenAuthenticationMechanism.TokenExtractor;
+import google.registry.request.auth.OidcTokenAuthenticationMechanism.TokenVerifier;
+import google.registry.util.RegistryEnvironment;
+import java.util.Map;
+import javax.annotation.Nullable;
 import javax.inject.Qualifier;
 import javax.inject.Singleton;
 
@@ -35,9 +38,10 @@ public class AuthModule {
   // See https://cloud.google.com/iap/docs/signed-headers-howto#securing_iap_headers.
   public static final String IAP_HEADER_NAME = "X-Goog-IAP-JWT-Assertion";
   public static final String BEARER_PREFIX = "Bearer ";
-  // TODO: Change the IAP audience format once we are on GKE.
+  // TODO (jianglai): Only use GKE audience once we are fully migrated to GKE.
   // See: https://cloud.google.com/iap/docs/signed-headers-howto#verifying_the_jwt_payload
-  private static final String IAP_AUDIENCE_FORMAT = "/projects/%d/apps/%s";
+  private static final String IAP_GAE_AUDIENCE_FORMAT = "/projects/%d/apps/%s";
+  private static final String IAP_GKE_AUDIENCE_FORMAT = "/projects/%d/global/backendServices/%d";
   private static final String IAP_ISSUER_URL = "https://cloud.google.com/iap";
   private static final String REGULAR_ISSUER_URL = "https://accounts.google.com";
 
@@ -62,24 +66,35 @@ public class AuthModule {
   @IapOidc
   @Singleton
   TokenVerifier provideIapTokenVerifier(
-      @Config("projectId") String projectId, @Config("projectIdNumber") long projectIdNumber) {
-    String audience = String.format(IAP_AUDIENCE_FORMAT, projectIdNumber, projectId);
-    return TokenVerifier.newBuilder().setAudience(audience).setIssuer(IAP_ISSUER_URL).build();
+      @Config("projectId") String projectId,
+      @Config("projectIdNumber") long projectIdNumber,
+      @Config("backendServiceIds") Map<String, Long> backendServiceIds) {
+    com.google.auth.oauth2.TokenVerifier.Builder tokenVerifierBuilder =
+        com.google.auth.oauth2.TokenVerifier.newBuilder().setIssuer(IAP_ISSUER_URL);
+    return (String service, String token) -> {
+      String audience;
+      if (RegistryEnvironment.isOnJetty()) {
+        long backendServiceId = backendServiceIds.get(service);
+        audience = String.format(IAP_GKE_AUDIENCE_FORMAT, projectIdNumber, backendServiceId);
+      } else {
+        audience = String.format(IAP_GAE_AUDIENCE_FORMAT, projectIdNumber, projectId);
+      }
+      return tokenVerifierBuilder.setAudience(audience).build().verify(token);
+    };
   }
 
   @Provides
   @RegularOidc
   @Singleton
   TokenVerifier provideRegularTokenVerifier(@Config("oauthClientId") String clientId) {
-    return TokenVerifier.newBuilder().setAudience(clientId).setIssuer(REGULAR_ISSUER_URL).build();
-  }
-
-  @Provides
-  @RegularOidcFallback
-  @Singleton
-  TokenVerifier provideFallbackRegularTokenVerifier(
-      @Config("fallbackOauthClientId") String clientId) {
-    return TokenVerifier.newBuilder().setAudience(clientId).setIssuer(REGULAR_ISSUER_URL).build();
+    com.google.auth.oauth2.TokenVerifier tokenVerifier =
+        com.google.auth.oauth2.TokenVerifier.newBuilder()
+            .setAudience(clientId)
+            .setIssuer(REGULAR_ISSUER_URL)
+            .build();
+    return (@Nullable String service, String token) -> {
+      return tokenVerifier.verify(token);
+    };
   }
 
   @Provides

core/src/main/java/google/registry/request/auth/OidcTokenAuthenticationMechanism.java

@@ -18,8 +18,9 @@ import static com.google.common.base.Preconditions.checkState;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 
 import com.google.api.client.json.webtoken.JsonWebSignature;
-import com.google.auth.oauth2.TokenVerifier;
+import com.google.auth.oauth2.TokenVerifier.VerificationException;
 import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Splitter;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.flogger.FluentLogger;
 import google.registry.config.RegistryConfig.Config;
@@ -27,7 +28,6 @@ import google.registry.model.console.User;
 import google.registry.persistence.VKey;
 import google.registry.request.auth.AuthModule.IapOidc;
 import google.registry.request.auth.AuthModule.RegularOidc;
-import google.registry.request.auth.AuthModule.RegularOidcFallback;
 import google.registry.request.auth.AuthSettings.AuthLevel;
 import google.registry.util.RegistryEnvironment;
 import jakarta.servlet.http.HttpServletRequest;
@@ -51,27 +51,23 @@ public abstract class OidcTokenAuthenticationMechanism implements Authentication
 
   public static final FluentLogger logger = FluentLogger.forEnclosingClass();
 
-  // A workaround that allows "use" of the OIDC authenticator when running local testing, i.e.
+  // A workaround that allows "use" of the OIDC authenticator when running local testing, i.e.,
   // the RegistryTestServer
   private static AuthResult authResultForTesting = null;
 
-  protected final TokenVerifier tokenVerifier;
-
-  protected final Optional<TokenVerifier> fallbackTokenVerifier;
-
   protected final TokenExtractor tokenExtractor;
 
+  protected final TokenVerifier tokenVerifier;
+
   private final ImmutableSet<String> serviceAccountEmails;
 
   protected OidcTokenAuthenticationMechanism(
       ImmutableSet<String> serviceAccountEmails,
-      TokenVerifier tokenVerifier,
-      @Nullable TokenVerifier fallbackTokenVerifier,
-      TokenExtractor tokenExtractor) {
+      TokenExtractor tokenExtractor,
+      TokenVerifier tokenVerifier) {
     this.serviceAccountEmails = serviceAccountEmails;
-    this.tokenVerifier = tokenVerifier;
-    this.fallbackTokenVerifier = Optional.ofNullable(fallbackTokenVerifier);
     this.tokenExtractor = tokenExtractor;
+    this.tokenVerifier = tokenVerifier;
   }
 
   @Override
@@ -87,7 +83,12 @@ public abstract class OidcTokenAuthenticationMechanism implements Authentication
     }
     JsonWebSignature token = null;
     try {
-      token = tokenVerifier.verify(rawIdToken);
+      String service = null;
+      if (RegistryEnvironment.isOnJetty()) {
+        String hostname = request.getServerName();
+        service = Splitter.on('.').split(hostname).iterator().next();
+      }
+      token = tokenVerifier.verify(service, rawIdToken);
     } catch (Exception e) {
       logger.atInfo().withCause(e).log(
           "Failed OIDC verification attempt:\n%s",
@@ -97,20 +98,7 @@ public abstract class OidcTokenAuthenticationMechanism implements Authentication
     }
 
     if (token == null) {
-      if (fallbackTokenVerifier.isPresent()) {
-        try {
-          token = fallbackTokenVerifier.get().verify(rawIdToken);
-        } catch (Exception e) {
-          logger.atInfo().withCause(e).log(
-              "Failed OIDC fallback verification attempt:\n%s",
-              RegistryEnvironment.get().equals(RegistryEnvironment.PRODUCTION)
-                  ? "Raw token redacted in prod"
-                  : rawIdToken);
-          return AuthResult.NOT_AUTHENTICATED;
-        }
-      } else {
-        return AuthResult.NOT_AUTHENTICATED;
-      }
+      return AuthResult.NOT_AUTHENTICATED;
     }
 
     String email = (String) token.getPayload().get("email");
@@ -155,6 +143,12 @@ public abstract class OidcTokenAuthenticationMechanism implements Authentication
     String extract(HttpServletRequest request);
   }
 
+  @FunctionalInterface
+  protected interface TokenVerifier {
+    @Nullable
+    JsonWebSignature verify(@Nullable String service, String rawToken) throws VerificationException;
+  }
+
   /**
    * A mechanism to authenticate HTTP requests that have gone through the GCP Identity-Aware Proxy.
    *
@@ -171,9 +165,9 @@ public abstract class OidcTokenAuthenticationMechanism implements Authentication
     @Inject
     protected IapOidcAuthenticationMechanism(
         @Config("allowedServiceAccountEmails") ImmutableSet<String> serviceAccountEmails,
-        @IapOidc TokenVerifier tokenVerifier,
-        @IapOidc TokenExtractor tokenExtractor) {
-      super(serviceAccountEmails, tokenVerifier, null, tokenExtractor);
+        @IapOidc TokenExtractor tokenExtractor,
+        @IapOidc TokenVerifier tokenVerifier) {
+      super(serviceAccountEmails, tokenExtractor, tokenVerifier);
     }
   }
 
@@ -192,10 +186,9 @@ public abstract class OidcTokenAuthenticationMechanism implements Authentication
     @Inject
     protected RegularOidcAuthenticationMechanism(
         @Config("allowedServiceAccountEmails") ImmutableSet<String> serviceAccountEmails,
-        @RegularOidc TokenVerifier tokenVerifier,
-        @RegularOidcFallback TokenVerifier fallbackTokenVerifier,
-        @RegularOidc TokenExtractor tokenExtractor) {
-      super(serviceAccountEmails, tokenVerifier, fallbackTokenVerifier, tokenExtractor);
+        @RegularOidc TokenExtractor tokenExtractor,
+        @RegularOidc TokenVerifier tokenVerifier) {
+      super(serviceAccountEmails, tokenExtractor, tokenVerifier);
     }
   }
 }

core/src/main/java/google/registry/ui/server/console/ConsoleApiAction.java

@@ -44,7 +44,6 @@ import google.registry.model.registrar.RegistrarPocBase;
 import google.registry.request.Action.Service;
 import google.registry.request.HttpException;
 import google.registry.security.XsrfTokenManager;
-import google.registry.ui.server.registrar.ConsoleApiParams;
 import google.registry.ui.server.registrar.ConsoleUiAction;
 import google.registry.util.DiffUtils;
 import google.registry.util.RegistryEnvironment;

core/src/main/java/google/registry/ui/server/console/ConsoleApiParams.java

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package google.registry.ui.server.registrar;
+package google.registry.ui.server.console;
 
 import google.registry.request.Response;
 import google.registry.request.auth.AuthResult;

core/src/main/java/google/registry/ui/server/console/ConsoleDomainGetAction.java

@@ -24,15 +24,16 @@ import google.registry.model.console.ConsolePermission;
 import google.registry.model.console.User;
 import google.registry.model.domain.Domain;
 import google.registry.request.Action;
+import google.registry.request.Action.GkeService;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
-import google.registry.ui.server.registrar.ConsoleApiParams;
 import java.util.Optional;
 import javax.inject.Inject;
 
 /** Returns a JSON representation of a domain to the registrar console. */
 @Action(
     service = Action.Service.DEFAULT,
+    gkeService = GkeService.CONSOLE,
     path = ConsoleDomainGetAction.PATH,
     auth = Auth.AUTH_PUBLIC_LOGGED_IN)
 public class ConsoleDomainGetAction extends ConsoleApiAction {

core/src/main/java/google/registry/ui/server/console/ConsoleDomainListAction.java

@@ -27,9 +27,9 @@ import google.registry.model.CreateAutoTimestamp;
 import google.registry.model.console.User;
 import google.registry.model.domain.Domain;
 import google.registry.request.Action;
+import google.registry.request.Action.GkeService;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
-import google.registry.ui.server.registrar.ConsoleApiParams;
 import java.util.List;
 import java.util.Optional;
 import javax.inject.Inject;
@@ -39,6 +39,7 @@ import org.joda.time.DateTime;
 /** Returns a (paginated) list of domains for a particular registrar. */
 @Action(
     service = Action.Service.DEFAULT,
+    gkeService = GkeService.CONSOLE,
     path = ConsoleDomainListAction.PATH,
     method = Action.Method.GET,
     auth = Auth.AUTH_PUBLIC_LOGGED_IN)

core/src/main/java/google/registry/ui/server/console/ConsoleDumDownloadAction.java

@@ -26,9 +26,9 @@ import google.registry.config.RegistryConfig.Config;
 import google.registry.model.console.ConsolePermission;
 import google.registry.model.console.User;
 import google.registry.request.Action;
+import google.registry.request.Action.GkeService;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
-import google.registry.ui.server.registrar.ConsoleApiParams;
 import google.registry.util.Clock;
 import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
@@ -40,6 +40,7 @@ import org.joda.time.DateTime;
 
 @Action(
     service = Action.Service.DEFAULT,
+    gkeService = GkeService.CONSOLE,
     path = ConsoleDumDownloadAction.PATH,
     method = {GET},
     auth = Auth.AUTH_PUBLIC_LOGGED_IN)

core/src/main/java/google/registry/ui/server/console/ConsoleEppPasswordAction.java

@@ -30,17 +30,18 @@ import google.registry.flows.PasswordOnlyTransportCredentials;
 import google.registry.model.console.User;
 import google.registry.model.registrar.Registrar;
 import google.registry.request.Action;
+import google.registry.request.Action.GkeService;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor.RegistrarAccessDeniedException;
-import google.registry.ui.server.registrar.ConsoleApiParams;
 import google.registry.util.DiffUtils;
 import java.util.Optional;
 import javax.inject.Inject;
 
 @Action(
     service = Action.Service.DEFAULT,
+    gkeService = GkeService.CONSOLE,
     path = ConsoleEppPasswordAction.PATH,
     method = {POST},
     auth = Auth.AUTH_PUBLIC_LOGGED_IN)

core/src/main/java/google/registry/ui/server/console/ConsoleModule.java

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package google.registry.ui.server.registrar;
+package google.registry.ui.server.console;
 
 import static google.registry.request.RequestParameters.extractBooleanParameter;
 import static google.registry.request.RequestParameters.extractOptionalIntParameter;
@@ -41,8 +41,8 @@ import org.joda.time.DateTime;
 
 /** Dagger module for the Registrar Console parameters. */
 @Module
-public final class RegistrarConsoleModule {
-  static final String PARAM_CLIENT_ID = "clientId";
+public final class ConsoleModule {
+  public static final String PARAM_CLIENT_ID = "clientId";
 
   @Provides
   @RequestScope

core/src/main/java/google/registry/ui/server/console/ConsoleRegistryLockAction.java

@@ -35,11 +35,11 @@ import google.registry.model.domain.RegistryLock;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.tld.RegistryLockDao;
 import google.registry.request.Action;
+import google.registry.request.Action.GkeService;
 import google.registry.request.Parameter;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import google.registry.tools.DomainLockUtils;
-import google.registry.ui.server.registrar.ConsoleApiParams;
 import google.registry.util.EmailMessage;
 import jakarta.mail.internet.AddressException;
 import jakarta.mail.internet.InternetAddress;
@@ -56,6 +56,7 @@ import org.joda.time.Duration;
  */
 @Action(
     service = Action.Service.DEFAULT,
+    gkeService = GkeService.CONSOLE,
     path = ConsoleRegistryLockAction.PATH,
     method = {GET, POST},
     auth = Auth.AUTH_PUBLIC_LOGGED_IN)

core/src/main/java/google/registry/ui/server/console/ConsoleRegistryLockVerifyAction.java

@@ -22,16 +22,17 @@ import com.google.gson.annotations.Expose;
 import google.registry.model.console.User;
 import google.registry.model.domain.RegistryLock;
 import google.registry.request.Action;
+import google.registry.request.Action.GkeService;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
 import google.registry.tools.DomainLockUtils;
-import google.registry.ui.server.registrar.ConsoleApiParams;
 import jakarta.servlet.http.HttpServletResponse;
 import javax.inject.Inject;
 
 /** Handler for verifying registry lock requests, a form of 2FA. */
 @Action(
     service = Action.Service.DEFAULT,
+    gkeService = GkeService.CONSOLE,
     path = ConsoleRegistryLockVerifyAction.PATH,
     method = {GET},
     auth = Auth.AUTH_PUBLIC_LOGGED_IN)

core/src/main/java/google/registry/ui/server/console/ConsoleUpdateRegistrarAction.java

@@ -26,10 +26,10 @@ import google.registry.model.console.ConsolePermission;
 import google.registry.model.console.User;
 import google.registry.model.registrar.Registrar;
 import google.registry.request.Action;
+import google.registry.request.Action.GkeService;
 import google.registry.request.HttpException.BadRequestException;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
-import google.registry.ui.server.registrar.ConsoleApiParams;
 import google.registry.util.DomainNameUtils;
 import google.registry.util.RegistryEnvironment;
 import java.util.Optional;
@@ -38,6 +38,7 @@ import javax.inject.Inject;
 
 @Action(
     service = Action.Service.DEFAULT,
+    gkeService = GkeService.CONSOLE,
     path = ConsoleUpdateRegistrarAction.PATH,
     method = {POST},
     auth = Auth.AUTH_PUBLIC_LOGGED_IN)

core/src/main/java/google/registry/ui/server/console/ConsoleUserDataAction.java

@@ -21,15 +21,16 @@ import com.google.common.collect.ImmutableMap;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.model.console.User;
 import google.registry.request.Action;
+import google.registry.request.Action.GkeService;
 import google.registry.request.auth.Auth;
 import google.registry.security.XsrfTokenManager;
-import google.registry.ui.server.registrar.ConsoleApiParams;
 import jakarta.servlet.http.Cookie;
 import javax.inject.Inject;
 import org.json.JSONObject;
 
 @Action(
     service = Action.Service.DEFAULT,
+    gkeService = GkeService.CONSOLE,
     path = ConsoleUserDataAction.PATH,
     method = {GET},
     auth = Auth.AUTH_PUBLIC_LOGGED_IN)

core/src/main/java/google/registry/ui/server/console/RegistrarsAction.java

@@ -34,9 +34,9 @@ import google.registry.model.registrar.RegistrarBase;
 import google.registry.model.registrar.RegistrarBase.State;
 import google.registry.model.registrar.RegistrarPoc;
 import google.registry.request.Action;
+import google.registry.request.Action.GkeService;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
-import google.registry.ui.server.registrar.ConsoleApiParams;
 import google.registry.util.StringGenerator;
 import java.util.List;
 import java.util.Map;
@@ -46,6 +46,7 @@ import javax.inject.Named;
 
 @Action(
     service = Action.Service.DEFAULT,
+    gkeService = GkeService.CONSOLE,
     path = RegistrarsAction.PATH,
     method = {GET, POST},
     auth = Auth.AUTH_PUBLIC_LOGGED_IN)

core/src/main/java/google/registry/ui/server/console/settings/ContactAction.java

@@ -31,11 +31,12 @@ import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarPoc;
 import google.registry.persistence.transaction.QueryComposer.Comparator;
 import google.registry.request.Action;
+import google.registry.request.Action.GkeService;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
 import google.registry.ui.forms.FormException;
 import google.registry.ui.server.console.ConsoleApiAction;
-import google.registry.ui.server.registrar.ConsoleApiParams;
+import google.registry.ui.server.console.ConsoleApiParams;
 import google.registry.ui.server.registrar.RegistrarSettingsAction;
 import java.util.Collections;
 import java.util.Optional;
@@ -43,6 +44,7 @@ import javax.inject.Inject;
 
 @Action(
     service = Action.Service.DEFAULT,
+    gkeService = GkeService.CONSOLE,
     path = ContactAction.PATH,
     method = {GET, POST},
     auth = Auth.AUTH_PUBLIC_LOGGED_IN)

core/src/main/java/google/registry/ui/server/console/settings/SecurityAction.java

@@ -28,17 +28,19 @@ import google.registry.model.console.ConsolePermission;
 import google.registry.model.console.User;
 import google.registry.model.registrar.Registrar;
 import google.registry.request.Action;
+import google.registry.request.Action.GkeService;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor.RegistrarAccessDeniedException;
 import google.registry.ui.server.console.ConsoleApiAction;
-import google.registry.ui.server.registrar.ConsoleApiParams;
+import google.registry.ui.server.console.ConsoleApiParams;
 import java.util.Optional;
 import javax.inject.Inject;
 
 @Action(
     service = Action.Service.DEFAULT,
+    gkeService = GkeService.CONSOLE,
     path = SecurityAction.PATH,
     method = {POST},
     auth = Auth.AUTH_PUBLIC_LOGGED_IN)

core/src/main/java/google/registry/ui/server/console/settings/WhoisRegistrarFieldsAction.java

@@ -25,12 +25,13 @@ import google.registry.model.console.ConsolePermission;
 import google.registry.model.console.User;
 import google.registry.model.registrar.Registrar;
 import google.registry.request.Action;
+import google.registry.request.Action.GkeService;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor.RegistrarAccessDeniedException;
 import google.registry.ui.server.console.ConsoleApiAction;
-import google.registry.ui.server.registrar.ConsoleApiParams;
+import google.registry.ui.server.console.ConsoleApiParams;
 import java.util.Objects;
 import java.util.Optional;
 import javax.inject.Inject;
@@ -43,6 +44,7 @@ import javax.inject.Inject;
  */
 @Action(
     service = Action.Service.DEFAULT,
+    gkeService = GkeService.CONSOLE,
     path = WhoisRegistrarFieldsAction.PATH,
     method = {POST},
     auth = Auth.AUTH_PUBLIC_LOGGED_IN)

core/src/main/java/google/registry/ui/server/registrar/RegistryLockGetAction.java

@@ -18,7 +18,7 @@ import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.collect.ImmutableList.toImmutableList;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.security.JsonResponseHelper.Status.SUCCESS;
-import static google.registry.ui.server.registrar.RegistrarConsoleModule.PARAM_CLIENT_ID;
+import static google.registry.ui.server.console.ConsoleModule.PARAM_CLIENT_ID;
 import static jakarta.servlet.http.HttpServletResponse.SC_FORBIDDEN;
 import static jakarta.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
 

core/src/test/java/google/registry/module/RequestComponentTest.java

@@ -19,6 +19,8 @@ import static com.google.common.truth.Truth.assertThat;
 import com.google.common.base.Splitter;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Sets;
 import google.registry.module.backend.BackendRequestComponent;
 import google.registry.module.bsa.BsaRequestComponent;
 import google.registry.module.frontend.FrontendRequestComponent;
@@ -26,8 +28,9 @@ import google.registry.module.pubapi.PubApiRequestComponent;
 import google.registry.module.tools.ToolsRequestComponent;
 import google.registry.testing.GoldenFileTestHelper;
 import google.registry.testing.TestDataHelper;
-import java.util.ArrayList;
-import java.util.List;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.stream.Collectors;
 import org.junit.jupiter.api.Test;
 
 /** Unit tests for {@link RequestComponent}. */
@@ -40,6 +43,18 @@ public class RequestComponentTest {
           PubApiRequestComponent.class, "pubapi",
           BsaRequestComponent.class, "bsa");
 
+  // Paths that do not route to Jetty (all for the legacy console).
+  private static final ImmutableSet<String> ignoredPaths =
+      ImmutableSet.of(
+          "/registrar",
+          "/registrar-create",
+          "/registrar-ote-setup",
+          "/registrar-ote-status",
+          "/registrar-settings",
+          "/registry-lock-get",
+          "/registry-lock-post",
+          "/registry-lock-verify");
+
   @Test
   void testRoutingMap() {
     GoldenFileTestHelper.assertThatRoutesFromComponent(RequestComponent.class)
@@ -49,32 +64,49 @@ public class RequestComponentTest {
 
   @Test
   void testGaeToJettyRoutingCoverage() {
-    List<Route> jettyRoutes = getRoutes(RequestComponent.class, "routing.txt");
-    List<Route> gaeRoutes = new ArrayList<>();
+    Set<Route> jettyRoutes = getRoutes(RequestComponent.class, "routing.txt");
+    Set<Route> gaeRoutes = new HashSet<>();
     for (var component : GaeComponents.entrySet()) {
       gaeRoutes.addAll(getRoutes(component.getKey(), component.getValue() + "_routing.txt"));
     }
-    assertThat(jettyRoutes).containsExactlyElementsIn(gaeRoutes);
+    assertThat(Sets.difference(jettyRoutes, gaeRoutes)).isEmpty();
+    assertThat(
+            Sets.difference(gaeRoutes, jettyRoutes).stream()
+                .map(Route::path)
+                .collect(Collectors.toSet()))
+        .containsExactlyElementsIn(ignoredPaths);
   }
 
-  private List<Route> getRoutes(Class<?> context, String filename) {
+  private Set<Route> getRoutes(Class<?> context, String filename) {
     return TestDataHelper.loadFile(context, filename)
         .trim()
         .lines()
         .skip(1) // Skip the headers
         .map(Route::create)
-        .toList();
+        .collect(Collectors.toSet());
   }
 
   private record Route(
-      String path, String clazz, String methods, String ok, String min, String userPolicy) {
+      String service,
+      String path,
+      String clazz,
+      String methods,
+      String ok,
+      String min,
+      String userPolicy) {
     private static final Splitter splitter = Splitter.on(' ').omitEmptyStrings().trimResults();
 
     static Route create(String line) {
       ImmutableList<String> parts = ImmutableList.copyOf(splitter.split(line));
-      assertThat(parts.size()).isEqualTo(6);
+      assertThat(parts.size()).isEqualTo(7);
       return new Route(
-          parts.get(0), parts.get(1), parts.get(2), parts.get(3), parts.get(4), parts.get(5));
+          parts.get(0),
+          parts.get(1),
+          parts.get(2),
+          parts.get(3),
+          parts.get(4),
+          parts.get(5),
+          parts.get(6));
     }
   }
 }

core/src/test/java/google/registry/request/RequestHandlerTest.java

@@ -204,6 +204,7 @@ public final class RequestHandlerTest {
     handler =
         RequestHandler.create(
             Component.class,
+            "registry.test",
             () ->
                 new Builder() {
                   @Override

core/src/test/java/google/registry/request/auth/OidcTokenAuthenticationMechanismTest.java

@@ -26,8 +26,8 @@ import static org.mockito.Mockito.when;
 import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
 import com.google.api.client.json.webtoken.JsonWebSignature;
 import com.google.api.client.json.webtoken.JsonWebSignature.Header;
-import com.google.auth.oauth2.TokenVerifier;
 import com.google.auth.oauth2.TokenVerifier.VerificationException;
+import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import dagger.Component;
 import dagger.Module;
@@ -41,6 +41,7 @@ import google.registry.request.auth.AuthSettings.AuthLevel;
 import google.registry.request.auth.OidcTokenAuthenticationMechanism.IapOidcAuthenticationMechanism;
 import google.registry.request.auth.OidcTokenAuthenticationMechanism.RegularOidcAuthenticationMechanism;
 import jakarta.servlet.http.HttpServletRequest;
+import java.util.Map;
 import javax.inject.Singleton;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
@@ -59,13 +60,13 @@ public class OidcTokenAuthenticationMechanismTest {
   private final Payload payload = new Payload();
   private final JsonWebSignature jwt =
       new JsonWebSignature(new Header(), payload, new byte[0], new byte[0]);
-  private final TokenVerifier tokenVerifier = mock(TokenVerifier.class);
   private final HttpServletRequest request = mock(HttpServletRequest.class);
 
   private User user;
   private AuthResult authResult;
   private OidcTokenAuthenticationMechanism authenticationMechanism =
-      new OidcTokenAuthenticationMechanism(serviceAccounts, tokenVerifier, null, e -> rawToken) {};
+      new OidcTokenAuthenticationMechanism(
+          serviceAccounts, request -> rawToken, (service, token) -> jwt) {};
 
   @RegisterExtension
   public final JpaTestExtensions.JpaUnitTestExtension jpaExtension =
@@ -73,7 +74,6 @@ public class OidcTokenAuthenticationMechanismTest {
 
   @BeforeEach
   void beforeEach() throws Exception {
-    when(tokenVerifier.verify(rawToken)).thenReturn(jwt);
     payload.setEmail(email);
     payload.setSubject(gaiaId);
     user = createAdminUser(email);
@@ -93,28 +93,23 @@ public class OidcTokenAuthenticationMechanismTest {
   @Test
   void testAuthenticate_noTokenFromRequest() {
     authenticationMechanism =
-        new OidcTokenAuthenticationMechanism(serviceAccounts, tokenVerifier, null, e -> null) {};
+        new OidcTokenAuthenticationMechanism(
+            serviceAccounts, e -> null, (service, token) -> jwt) {};
     authResult = authenticationMechanism.authenticate(request);
     assertThat(authResult).isEqualTo(AuthResult.NOT_AUTHENTICATED);
   }
 
   @Test
   void testAuthenticate_invalidToken() throws Exception {
-    when(tokenVerifier.verify(rawToken)).thenThrow(new VerificationException("Bad token"));
-    authResult = authenticationMechanism.authenticate(request);
-    assertThat(authResult).isEqualTo(AuthResult.NOT_AUTHENTICATED);
-  }
-
-  @Test
-  void testAuthenticate_fallbackVerifier() throws Exception {
-    TokenVerifier fallbackVerifier = mock(TokenVerifier.class);
-    when(tokenVerifier.verify(rawToken)).thenThrow(new VerificationException("Bad token"));
-    when(fallbackVerifier.verify(rawToken)).thenReturn(jwt);
     authenticationMechanism =
         new OidcTokenAuthenticationMechanism(
-            serviceAccounts, tokenVerifier, fallbackVerifier, e -> rawToken) {};
+            serviceAccounts,
+            e -> null,
+            (service, token) -> {
+              throw new VerificationException("Bad token");
+            }) {};
     authResult = authenticationMechanism.authenticate(request);
-    assertThat(authResult.isAuthenticated()).isEqualTo(true);
+    assertThat(authResult).isEqualTo(AuthResult.NOT_AUTHENTICATED);
   }
 
   @Test
@@ -233,9 +228,9 @@ public class OidcTokenAuthenticationMechanismTest {
 
     @Provides
     @Singleton
-    @Config("fallbackOauthClientId")
-    String provideFallbackOauthClientId() {
-      return "fallback-client-id";
+    @Config("backendServiceIds")
+    Map<String, Long> provideBackendServiceIds() {
+      return ImmutableMap.of();
     }
   }
 }

core/src/test/java/google/registry/testing/ConsoleApiParamsUtils.java

@@ -23,7 +23,7 @@ import google.registry.model.console.User;
 import google.registry.request.auth.AuthResult;
 import google.registry.security.XsrfTokenManager;
 import google.registry.ui.server.SendEmailUtils;
-import google.registry.ui.server.registrar.ConsoleApiParams;
+import google.registry.ui.server.console.ConsoleApiParams;
 import jakarta.servlet.http.Cookie;
 import jakarta.servlet.http.HttpServletRequest;
 import org.joda.time.DateTime;

core/src/test/java/google/registry/ui/server/console/ConsoleDomainGetActionTest.java

@@ -33,7 +33,6 @@ import google.registry.request.auth.AuthResult;
 import google.registry.testing.ConsoleApiParamsUtils;
 import google.registry.testing.DatabaseHelper;
 import google.registry.testing.FakeResponse;
-import google.registry.ui.server.registrar.ConsoleApiParams;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.RegisterExtension;

core/src/test/java/google/registry/ui/server/console/ConsoleDomainListActionTest.java

@@ -36,7 +36,6 @@ import google.registry.testing.FakeClock;
 import google.registry.testing.FakeResponse;
 import google.registry.tools.GsonUtils;
 import google.registry.ui.server.console.ConsoleDomainListAction.DomainListResult;
-import google.registry.ui.server.registrar.ConsoleApiParams;
 import java.util.Optional;
 import javax.annotation.Nullable;
 import org.joda.time.DateTime;

core/src/test/java/google/registry/ui/server/console/ConsoleDumDownloadActionTest.java

@@ -33,7 +33,6 @@ import google.registry.testing.DatabaseHelper;
 import google.registry.testing.FakeClock;
 import google.registry.testing.FakeResponse;
 import google.registry.tools.GsonUtils;
-import google.registry.ui.server.registrar.ConsoleApiParams;
 import java.io.IOException;
 import org.joda.time.DateTime;
 import org.junit.jupiter.api.BeforeEach;

core/src/test/java/google/registry/ui/server/console/ConsoleEppPasswordActionTest.java

@@ -44,8 +44,6 @@ import google.registry.testing.ConsoleApiParamsUtils;
 import google.registry.testing.FakeResponse;
 import google.registry.tools.GsonUtils;
 import google.registry.ui.server.console.ConsoleEppPasswordAction.EppPasswordData;
-import google.registry.ui.server.registrar.ConsoleApiParams;
-import google.registry.ui.server.registrar.RegistrarConsoleModule;
 import google.registry.util.EmailMessage;
 import jakarta.mail.internet.AddressException;
 import jakarta.mail.internet.InternetAddress;
@@ -167,7 +165,7 @@ class ConsoleEppPasswordActionTest {
         .when(consoleApiParams.request())
         .getReader();
     Optional<EppPasswordData> maybePasswordChangeRequest =
-        RegistrarConsoleModule.provideEppPasswordChangeRequest(
+        ConsoleModule.provideEppPasswordChangeRequest(
             GSON, RequestModule.provideJsonBody(consoleApiParams.request(), GSON));
 
     return new ConsoleEppPasswordAction(

core/src/test/java/google/registry/ui/server/console/ConsoleRegistryLockActionTest.java

@@ -52,7 +52,6 @@ import google.registry.testing.DeterministicStringGenerator;
 import google.registry.testing.FakeClock;
 import google.registry.testing.FakeResponse;
 import google.registry.tools.DomainLockUtils;
-import google.registry.ui.server.registrar.ConsoleApiParams;
 import google.registry.util.EmailMessage;
 import google.registry.util.StringGenerator;
 import jakarta.mail.internet.InternetAddress;

core/src/test/java/google/registry/ui/server/console/ConsoleRegistryLockVerifyActionTest.java

@@ -40,7 +40,6 @@ import google.registry.testing.DeterministicStringGenerator;
 import google.registry.testing.FakeClock;
 import google.registry.testing.FakeResponse;
 import google.registry.tools.DomainLockUtils;
-import google.registry.ui.server.registrar.ConsoleApiParams;
 import google.registry.util.StringGenerator;
 import jakarta.servlet.http.HttpServletResponse;
 import org.joda.time.Duration;

core/src/test/java/google/registry/ui/server/console/ConsoleUpdateRegistrarActionTest.java

@@ -42,8 +42,6 @@ import google.registry.testing.ConsoleApiParamsUtils;
 import google.registry.testing.FakeResponse;
 import google.registry.testing.SystemPropertyExtension;
 import google.registry.tools.GsonUtils;
-import google.registry.ui.server.registrar.ConsoleApiParams;
-import google.registry.ui.server.registrar.RegistrarConsoleModule;
 import google.registry.util.EmailMessage;
 import google.registry.util.RegistryEnvironment;
 import jakarta.mail.internet.AddressException;
@@ -172,7 +170,7 @@ class ConsoleUpdateRegistrarActionTest {
         .when(consoleApiParams.request())
         .getReader();
     Optional<Registrar> maybeRegistrarUpdateData =
-        RegistrarConsoleModule.provideRegistrar(
+        ConsoleModule.provideRegistrar(
             GSON, RequestModule.provideJsonBody(consoleApiParams.request(), GSON));
     return new ConsoleUpdateRegistrarAction(consoleApiParams, maybeRegistrarUpdateData);
   }

core/src/test/java/google/registry/ui/server/console/ConsoleUserDataActionTest.java

@@ -28,7 +28,6 @@ import google.registry.request.auth.AuthResult;
 import google.registry.testing.ConsoleApiParamsUtils;
 import google.registry.testing.DatabaseHelper;
 import google.registry.testing.FakeResponse;
-import google.registry.ui.server.registrar.ConsoleApiParams;
 import jakarta.servlet.http.Cookie;
 import java.io.IOException;
 import java.util.List;

core/src/test/java/google/registry/ui/server/console/RegistrarsActionTest.java

@@ -41,8 +41,6 @@ import google.registry.request.auth.AuthResult;
 import google.registry.testing.ConsoleApiParamsUtils;
 import google.registry.testing.DeterministicStringGenerator;
 import google.registry.testing.FakeResponse;
-import google.registry.ui.server.registrar.ConsoleApiParams;
-import google.registry.ui.server.registrar.RegistrarConsoleModule;
 import google.registry.util.StringGenerator;
 import java.io.BufferedReader;
 import java.io.IOException;
@@ -253,7 +251,7 @@ class RegistrarsActionTest {
             passcodeGenerator);
       }
       Optional<Registrar> maybeRegistrar =
-          RegistrarConsoleModule.provideRegistrar(
+          ConsoleModule.provideRegistrar(
               GSON, RequestModule.provideJsonBody(consoleApiParams.request(), GSON));
       return new RegistrarsAction(
           consoleApiParams, GSON, maybeRegistrar, passwordGenerator, passcodeGenerator);

core/src/test/java/google/registry/ui/server/console/settings/ContactActionTest.java

@@ -45,8 +45,8 @@ import google.registry.request.RequestModule;
 import google.registry.request.auth.AuthResult;
 import google.registry.testing.ConsoleApiParamsUtils;
 import google.registry.testing.FakeResponse;
-import google.registry.ui.server.registrar.ConsoleApiParams;
-import google.registry.ui.server.registrar.RegistrarConsoleModule;
+import google.registry.ui.server.console.ConsoleApiParams;
+import google.registry.ui.server.console.ConsoleModule;
 import google.registry.util.EmailMessage;
 import jakarta.mail.internet.AddressException;
 import jakarta.mail.internet.InternetAddress;
@@ -296,7 +296,7 @@ class ContactActionTest {
           .when(consoleApiParams.request())
           .getReader();
       Optional<ImmutableSet<RegistrarPoc>> maybeContacts =
-          RegistrarConsoleModule.provideContacts(
+          ConsoleModule.provideContacts(
               GSON, RequestModule.provideJsonBody(consoleApiParams.request(), GSON));
       return new ContactAction(consoleApiParams, GSON, registrarId, maybeContacts);
     }

core/src/test/java/google/registry/ui/server/console/settings/SecurityActionTest.java

@@ -38,8 +38,8 @@ import google.registry.testing.ConsoleApiParamsUtils;
 import google.registry.testing.DatabaseHelper;
 import google.registry.testing.FakeClock;
 import google.registry.testing.FakeResponse;
-import google.registry.ui.server.registrar.ConsoleApiParams;
-import google.registry.ui.server.registrar.RegistrarConsoleModule;
+import google.registry.ui.server.console.ConsoleApiParams;
+import google.registry.ui.server.console.ConsoleModule;
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.StringReader;
@@ -108,7 +108,7 @@ class SecurityActionTest {
         .when(consoleApiParams.request())
         .getReader();
     Optional<Registrar> maybeRegistrar =
-        RegistrarConsoleModule.provideRegistrar(
+        ConsoleModule.provideRegistrar(
             GSON, RequestModule.provideJsonBody(consoleApiParams.request(), GSON));
     return new SecurityAction(
         consoleApiParams, certificateChecker, registrarAccessor, registrarId, maybeRegistrar);

core/src/test/java/google/registry/ui/server/console/settings/WhoisRegistrarFieldsActionTest.java

@@ -40,8 +40,8 @@ import google.registry.testing.ConsoleApiParamsUtils;
 import google.registry.testing.DatabaseHelper;
 import google.registry.testing.FakeClock;
 import google.registry.testing.FakeResponse;
-import google.registry.ui.server.registrar.ConsoleApiParams;
-import google.registry.ui.server.registrar.RegistrarConsoleModule;
+import google.registry.ui.server.console.ConsoleApiParams;
+import google.registry.ui.server.console.ConsoleModule;
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.StringReader;
@@ -169,7 +169,7 @@ public class WhoisRegistrarFieldsActionTest {
     return new WhoisRegistrarFieldsAction(
         consoleApiParams,
         registrarAccessor,
-        RegistrarConsoleModule.provideRegistrar(
+        ConsoleModule.provideRegistrar(
             GSON, RequestModule.provideJsonBody(consoleApiParams.request(), GSON)));
   }
 }

core/src/test/resources/google/registry/module/backend/backend_routing.txt

@@ -1,38 +1,38 @@
-PATH                                               CLASS                                          METHODS  OK MIN USER_POLICY
-/_dr/cron/fanout                                   TldFanoutAction                                GET      y  APP ADMIN
-/_dr/dnsRefresh                                    RefreshDnsAction                               GET      y  APP ADMIN
-/_dr/task/brdaCopy                                 BrdaCopyAction                                 POST     y  APP ADMIN
-/_dr/task/copyDetailReports                        CopyDetailReportsAction                        POST     n  APP ADMIN
-/_dr/task/deleteExpiredDomains                     DeleteExpiredDomainsAction                     GET      n  APP ADMIN
-/_dr/task/deleteLoadTestData                       DeleteLoadTestDataAction                       POST     n  APP ADMIN
-/_dr/task/deleteProberData                         DeleteProberDataAction                         POST     n  APP ADMIN
-/_dr/task/executeCannedScript                      CannedScriptExecutionAction                    POST,GET y  APP ADMIN
-/_dr/task/expandBillingRecurrences                 ExpandBillingRecurrencesAction                 GET      n  APP ADMIN
-/_dr/task/exportDomainLists                        ExportDomainListsAction                        POST     n  APP ADMIN
-/_dr/task/exportPremiumTerms                       ExportPremiumTermsAction                       POST     n  APP ADMIN
-/_dr/task/exportReservedTerms                      ExportReservedTermsAction                      POST     n  APP ADMIN
-/_dr/task/generateInvoices                         GenerateInvoicesAction                         POST     n  APP ADMIN
-/_dr/task/generateSpec11                           GenerateSpec11ReportAction                     POST     n  APP ADMIN
-/_dr/task/icannReportingStaging                    IcannReportingStagingAction                    POST     n  APP ADMIN
-/_dr/task/icannReportingUpload                     IcannReportingUploadAction                     POST     n  APP ADMIN
-/_dr/task/nordnUpload                              NordnUploadAction                              POST     y  APP ADMIN
-/_dr/task/nordnVerify                              NordnVerifyAction                              POST     y  APP ADMIN
-/_dr/task/publishDnsUpdates                        PublishDnsUpdatesAction                        POST     y  APP ADMIN
-/_dr/task/publishInvoices                          PublishInvoicesAction                          POST     n  APP ADMIN
-/_dr/task/publishSpec11                            PublishSpec11ReportAction                      POST     n  APP ADMIN
-/_dr/task/rdeReport                                RdeReportAction                                POST     n  APP ADMIN
-/_dr/task/rdeStaging                               RdeStagingAction                               GET,POST n  APP ADMIN
-/_dr/task/rdeUpload                                RdeUploadAction                                POST     n  APP ADMIN
-/_dr/task/readDnsRefreshRequests                   ReadDnsRefreshRequestsAction                   POST     y  APP ADMIN
-/_dr/task/refreshDnsOnHostRename                   RefreshDnsOnHostRenameAction                   POST     n  APP ADMIN
-/_dr/task/relockDomain                             RelockDomainAction                             POST     y  APP ADMIN
-/_dr/task/resaveAllEppResourcesPipeline            ResaveAllEppResourcesPipelineAction            GET      n  APP ADMIN
-/_dr/task/resaveEntity                             ResaveEntityAction                             POST     n  APP ADMIN
-/_dr/task/sendExpiringCertificateNotificationEmail SendExpiringCertificateNotificationEmailAction GET      n  APP ADMIN
-/_dr/task/syncGroupMembers                         SyncGroupMembersAction                         POST     n  APP ADMIN
-/_dr/task/syncRegistrarsSheet                      SyncRegistrarsSheetAction                      POST     n  APP ADMIN
-/_dr/task/tmchCrl                                  TmchCrlAction                                  POST     y  APP ADMIN
-/_dr/task/tmchDnl                                  TmchDnlAction                                  POST     y  APP ADMIN
-/_dr/task/tmchSmdrl                                TmchSmdrlAction                                POST     y  APP ADMIN
-/_dr/task/updateRegistrarRdapBaseUrls              UpdateRegistrarRdapBaseUrlsAction              GET      y  APP ADMIN
-/_dr/task/wipeOutContactHistoryPii                 WipeOutContactHistoryPiiAction                 GET      n  APP ADMIN
+SERVICE PATH                                               CLASS                                          METHODS  OK MIN USER_POLICY
+BACKEND /_dr/cron/fanout                                   TldFanoutAction                                GET      y  APP ADMIN
+BACKEND /_dr/task/brdaCopy                                 BrdaCopyAction                                 POST     y  APP ADMIN
+BACKEND /_dr/task/copyDetailReports                        CopyDetailReportsAction                        POST     n  APP ADMIN
+BACKEND /_dr/task/deleteExpiredDomains                     DeleteExpiredDomainsAction                     GET      n  APP ADMIN
+BACKEND /_dr/task/deleteLoadTestData                       DeleteLoadTestDataAction                       POST     n  APP ADMIN
+BACKEND /_dr/task/deleteProberData                         DeleteProberDataAction                         POST     n  APP ADMIN
+BACKEND /_dr/task/dnsRefresh                               RefreshDnsAction                               GET      y  APP ADMIN
+BACKEND /_dr/task/executeCannedScript                      CannedScriptExecutionAction                    POST,GET y  APP ADMIN
+BACKEND /_dr/task/expandBillingRecurrences                 ExpandBillingRecurrencesAction                 GET      n  APP ADMIN
+BACKEND /_dr/task/exportDomainLists                        ExportDomainListsAction                        POST     n  APP ADMIN
+BACKEND /_dr/task/exportPremiumTerms                       ExportPremiumTermsAction                       POST     n  APP ADMIN
+BACKEND /_dr/task/exportReservedTerms                      ExportReservedTermsAction                      POST     n  APP ADMIN
+BACKEND /_dr/task/generateInvoices                         GenerateInvoicesAction                         POST     n  APP ADMIN
+BACKEND /_dr/task/generateSpec11                           GenerateSpec11ReportAction                     POST     n  APP ADMIN
+BACKEND /_dr/task/icannReportingStaging                    IcannReportingStagingAction                    POST     n  APP ADMIN
+BACKEND /_dr/task/icannReportingUpload                     IcannReportingUploadAction                     POST     n  APP ADMIN
+BACKEND /_dr/task/nordnUpload                              NordnUploadAction                              POST     y  APP ADMIN
+BACKEND /_dr/task/nordnVerify                              NordnVerifyAction                              POST     y  APP ADMIN
+BACKEND /_dr/task/publishDnsUpdates                        PublishDnsUpdatesAction                        POST     y  APP ADMIN
+BACKEND /_dr/task/publishInvoices                          PublishInvoicesAction                          POST     n  APP ADMIN
+BACKEND /_dr/task/publishSpec11                            PublishSpec11ReportAction                      POST     n  APP ADMIN
+BACKEND /_dr/task/rdeReport                                RdeReportAction                                POST     n  APP ADMIN
+BACKEND /_dr/task/rdeStaging                               RdeStagingAction                               GET,POST n  APP ADMIN
+BACKEND /_dr/task/rdeUpload                                RdeUploadAction                                POST     n  APP ADMIN
+BACKEND /_dr/task/readDnsRefreshRequests                   ReadDnsRefreshRequestsAction                   POST     y  APP ADMIN
+BACKEND /_dr/task/refreshDnsOnHostRename                   RefreshDnsOnHostRenameAction                   POST     n  APP ADMIN
+BACKEND /_dr/task/relockDomain                             RelockDomainAction                             POST     y  APP ADMIN
+BACKEND /_dr/task/resaveAllEppResourcesPipeline            ResaveAllEppResourcesPipelineAction            GET      n  APP ADMIN
+BACKEND /_dr/task/resaveEntity                             ResaveEntityAction                             POST     n  APP ADMIN
+BACKEND /_dr/task/sendExpiringCertificateNotificationEmail SendExpiringCertificateNotificationEmailAction GET      n  APP ADMIN
+BACKEND /_dr/task/syncGroupMembers                         SyncGroupMembersAction                         POST     n  APP ADMIN
+BACKEND /_dr/task/syncRegistrarsSheet                      SyncRegistrarsSheetAction                      POST     n  APP ADMIN
+BACKEND /_dr/task/tmchCrl                                  TmchCrlAction                                  POST     y  APP ADMIN
+BACKEND /_dr/task/tmchDnl                                  TmchDnlAction                                  POST     y  APP ADMIN
+BACKEND /_dr/task/tmchSmdrl                                TmchSmdrlAction                                POST     y  APP ADMIN
+BACKEND /_dr/task/updateRegistrarRdapBaseUrls              UpdateRegistrarRdapBaseUrlsAction              GET      y  APP ADMIN
+BACKEND /_dr/task/wipeOutContactHistoryPii                 WipeOutContactHistoryPiiAction                 GET      n  APP ADMIN

core/src/test/resources/google/registry/module/bsa/bsa_routing.txt

@@ -1,5 +1,5 @@
-PATH                                CLASS                             METHODS  OK MIN USER_POLICY
-/_dr/task/bsaDownload               BsaDownloadAction                 GET,POST n  APP ADMIN
-/_dr/task/bsaRefresh                BsaRefreshAction                  GET,POST n  APP ADMIN
-/_dr/task/bsaValidate               BsaValidateAction                 GET,POST n  APP ADMIN
-/_dr/task/uploadBsaUnavailableNames UploadBsaUnavailableDomainsAction GET,POST n  APP ADMIN
+SERVICE PATH                                CLASS                             METHODS  OK MIN USER_POLICY
+BACKEND /_dr/task/bsaDownload               BsaDownloadAction                 GET,POST n  APP ADMIN
+BACKEND /_dr/task/bsaRefresh                BsaRefreshAction                  GET,POST n  APP ADMIN
+BACKEND /_dr/task/bsaValidate               BsaValidateAction                 GET,POST n  APP ADMIN
+BACKEND /_dr/task/uploadBsaUnavailableNames UploadBsaUnavailableDomainsAction GET,POST n  APP ADMIN

core/src/test/resources/google/registry/module/frontend/frontend_routing.txt

@@ -1,22 +1,22 @@
-PATH                               CLASS                           METHODS  OK MIN  USER_POLICY
-/_dr/epp                           EppTlsAction                    POST     n  APP  ADMIN
-/console-api/domain                ConsoleDomainGetAction          GET      n  USER PUBLIC
-/console-api/domain-list           ConsoleDomainListAction         GET      n  USER PUBLIC
-/console-api/dum-download          ConsoleDumDownloadAction        GET      n  USER PUBLIC
-/console-api/eppPassword           ConsoleEppPasswordAction        POST     n  USER PUBLIC
-/console-api/registrar             ConsoleUpdateRegistrarAction    POST     n  USER PUBLIC
-/console-api/registrars            RegistrarsAction                GET,POST n  USER PUBLIC
-/console-api/registry-lock         ConsoleRegistryLockAction       GET,POST n  USER PUBLIC
-/console-api/registry-lock-verify  ConsoleRegistryLockVerifyAction GET      n  USER PUBLIC
-/console-api/settings/contacts     ContactAction                   GET,POST n  USER PUBLIC
-/console-api/settings/security     SecurityAction                  POST     n  USER PUBLIC
-/console-api/settings/whois-fields WhoisRegistrarFieldsAction      POST     n  USER PUBLIC
-/console-api/userdata              ConsoleUserDataAction           GET      n  USER PUBLIC
-/registrar                         ConsoleUiAction                 GET      n  USER PUBLIC
-/registrar-create                  ConsoleRegistrarCreatorAction   POST,GET n  USER PUBLIC
-/registrar-ote-setup               ConsoleOteSetupAction           POST,GET n  USER PUBLIC
-/registrar-ote-status              OteStatusAction                 POST     n  USER PUBLIC
-/registrar-settings                RegistrarSettingsAction         POST     n  USER PUBLIC
-/registry-lock-get                 RegistryLockGetAction           GET      n  USER PUBLIC
-/registry-lock-post                RegistryLockPostAction          POST     n  USER PUBLIC
-/registry-lock-verify              RegistryLockVerifyAction        GET      n  USER PUBLIC
+SERVICE  PATH                               CLASS                           METHODS  OK MIN  USER_POLICY
+FRONTEND /_dr/epp                           EppTlsAction                    POST     n  APP  ADMIN
+FRONTEND /registrar                         ConsoleUiAction                 GET      n  USER PUBLIC
+FRONTEND /registrar-create                  ConsoleRegistrarCreatorAction   POST,GET n  USER PUBLIC
+FRONTEND /registrar-ote-setup               ConsoleOteSetupAction           POST,GET n  USER PUBLIC
+FRONTEND /registrar-ote-status              OteStatusAction                 POST     n  USER PUBLIC
+FRONTEND /registrar-settings                RegistrarSettingsAction         POST     n  USER PUBLIC
+FRONTEND /registry-lock-get                 RegistryLockGetAction           GET      n  USER PUBLIC
+FRONTEND /registry-lock-post                RegistryLockPostAction          POST     n  USER PUBLIC
+FRONTEND /registry-lock-verify              RegistryLockVerifyAction        GET      n  USER PUBLIC
+CONSOLE  /console-api/domain                ConsoleDomainGetAction          GET      n  USER PUBLIC
+CONSOLE  /console-api/domain-list           ConsoleDomainListAction         GET      n  USER PUBLIC
+CONSOLE  /console-api/dum-download          ConsoleDumDownloadAction        GET      n  USER PUBLIC
+CONSOLE  /console-api/eppPassword           ConsoleEppPasswordAction        POST     n  USER PUBLIC
+CONSOLE  /console-api/registrar             ConsoleUpdateRegistrarAction    POST     n  USER PUBLIC
+CONSOLE  /console-api/registrars            RegistrarsAction                GET,POST n  USER PUBLIC
+CONSOLE  /console-api/registry-lock         ConsoleRegistryLockAction       GET,POST n  USER PUBLIC
+CONSOLE  /console-api/registry-lock-verify  ConsoleRegistryLockVerifyAction GET      n  USER PUBLIC
+CONSOLE  /console-api/settings/contacts     ContactAction                   GET,POST n  USER PUBLIC
+CONSOLE  /console-api/settings/security     SecurityAction                  POST     n  USER PUBLIC
+CONSOLE  /console-api/settings/whois-fields WhoisRegistrarFieldsAction      POST     n  USER PUBLIC
+CONSOLE  /console-api/userdata              ConsoleUserDataAction           GET      n  USER PUBLIC

core/src/test/resources/google/registry/module/pubapi/pubapi_routing.txt

@@ -1,13 +1,13 @@
-PATH                 CLASS                      METHODS  OK MIN  USER_POLICY
-/_dr/whois           WhoisAction                POST     n  APP  ADMIN
-/check               CheckApiAction             GET      n  NONE PUBLIC
-/rdap/autnum/(*)     RdapAutnumAction           GET,HEAD n  NONE PUBLIC
-/rdap/domain/(*)     RdapDomainAction           GET,HEAD n  NONE PUBLIC
-/rdap/domains        RdapDomainSearchAction     GET,HEAD n  NONE PUBLIC
-/rdap/entities       RdapEntitySearchAction     GET,HEAD n  NONE PUBLIC
-/rdap/entity/(*)     RdapEntityAction           GET,HEAD n  NONE PUBLIC
-/rdap/help(*)        RdapHelpAction             GET,HEAD n  NONE PUBLIC
-/rdap/ip/(*)         RdapIpAction               GET,HEAD n  NONE PUBLIC
-/rdap/nameserver/(*) RdapNameserverAction       GET,HEAD n  NONE PUBLIC
-/rdap/nameservers    RdapNameserverSearchAction GET,HEAD n  NONE PUBLIC
-/whois/(*)           WhoisHttpAction            GET      n  NONE PUBLIC
+SERVICE PATH                 CLASS                      METHODS  OK MIN  USER_POLICY
+PUBAPI  /_dr/whois           WhoisAction                POST     n  APP  ADMIN
+PUBAPI  /check               CheckApiAction             GET      n  NONE PUBLIC
+PUBAPI  /rdap/autnum/(*)     RdapAutnumAction           GET,HEAD n  NONE PUBLIC
+PUBAPI  /rdap/domain/(*)     RdapDomainAction           GET,HEAD n  NONE PUBLIC
+PUBAPI  /rdap/domains        RdapDomainSearchAction     GET,HEAD n  NONE PUBLIC
+PUBAPI  /rdap/entities       RdapEntitySearchAction     GET,HEAD n  NONE PUBLIC
+PUBAPI  /rdap/entity/(*)     RdapEntityAction           GET,HEAD n  NONE PUBLIC
+PUBAPI  /rdap/help(*)        RdapHelpAction             GET,HEAD n  NONE PUBLIC
+PUBAPI  /rdap/ip/(*)         RdapIpAction               GET,HEAD n  NONE PUBLIC
+PUBAPI  /rdap/nameserver/(*) RdapNameserverAction       GET,HEAD n  NONE PUBLIC
+PUBAPI  /rdap/nameservers    RdapNameserverSearchAction GET,HEAD n  NONE PUBLIC
+PUBAPI  /whois/(*)           WhoisHttpAction            GET      n  NONE PUBLIC

core/src/test/resources/google/registry/module/routing.txt

@@ -1,88 +1,80 @@
-PATH                                               CLASS                                          METHODS  OK MIN  USER_POLICY
-/_dr/admin/createGroups                            CreateGroupsAction                             POST     n  APP  ADMIN
-/_dr/admin/list/domains                            ListDomainsAction                              GET,POST n  APP  ADMIN
-/_dr/admin/list/hosts                              ListHostsAction                                GET,POST n  APP  ADMIN
-/_dr/admin/list/premiumLists                       ListPremiumListsAction                         GET,POST n  APP  ADMIN
-/_dr/admin/list/registrars                         ListRegistrarsAction                           GET,POST n  APP  ADMIN
-/_dr/admin/list/reservedLists                      ListReservedListsAction                        GET,POST n  APP  ADMIN
-/_dr/admin/list/tlds                               ListTldsAction                                 GET,POST n  APP  ADMIN
-/_dr/admin/updateUserGroup                         UpdateUserGroupAction                          POST     n  APP  ADMIN
-/_dr/admin/verifyOte                               VerifyOteAction                                POST     n  APP  ADMIN
-/_dr/cron/fanout                                   TldFanoutAction                                GET      y  APP  ADMIN
-/_dr/dnsRefresh                                    RefreshDnsAction                               GET      y  APP  ADMIN
-/_dr/epp                                           EppTlsAction                                   POST     n  APP  ADMIN
-/_dr/epptool                                       EppToolAction                                  POST     n  APP  ADMIN
-/_dr/loadtest                                      LoadTestAction                                 POST     y  APP  ADMIN
-/_dr/task/brdaCopy                                 BrdaCopyAction                                 POST     y  APP  ADMIN
-/_dr/task/bsaDownload                              BsaDownloadAction                              GET,POST n  APP  ADMIN
-/_dr/task/bsaRefresh                               BsaRefreshAction                               GET,POST n  APP  ADMIN
-/_dr/task/bsaValidate                              BsaValidateAction                              GET,POST n  APP  ADMIN
-/_dr/task/copyDetailReports                        CopyDetailReportsAction                        POST     n  APP  ADMIN
-/_dr/task/deleteExpiredDomains                     DeleteExpiredDomainsAction                     GET      n  APP  ADMIN
-/_dr/task/deleteLoadTestData                       DeleteLoadTestDataAction                       POST     n  APP  ADMIN
-/_dr/task/deleteProberData                         DeleteProberDataAction                         POST     n  APP  ADMIN
-/_dr/task/executeCannedScript                      CannedScriptExecutionAction                    POST,GET y  APP  ADMIN
-/_dr/task/expandBillingRecurrences                 ExpandBillingRecurrencesAction                 GET      n  APP  ADMIN
-/_dr/task/exportDomainLists                        ExportDomainListsAction                        POST     n  APP  ADMIN
-/_dr/task/exportPremiumTerms                       ExportPremiumTermsAction                       POST     n  APP  ADMIN
-/_dr/task/exportReservedTerms                      ExportReservedTermsAction                      POST     n  APP  ADMIN
-/_dr/task/generateInvoices                         GenerateInvoicesAction                         POST     n  APP  ADMIN
-/_dr/task/generateSpec11                           GenerateSpec11ReportAction                     POST     n  APP  ADMIN
-/_dr/task/generateZoneFiles                        GenerateZoneFilesAction                        POST     n  APP  ADMIN
-/_dr/task/icannReportingStaging                    IcannReportingStagingAction                    POST     n  APP  ADMIN
-/_dr/task/icannReportingUpload                     IcannReportingUploadAction                     POST     n  APP  ADMIN
-/_dr/task/nordnUpload                              NordnUploadAction                              POST     y  APP  ADMIN
-/_dr/task/nordnVerify                              NordnVerifyAction                              POST     y  APP  ADMIN
-/_dr/task/publishDnsUpdates                        PublishDnsUpdatesAction                        POST     y  APP  ADMIN
-/_dr/task/publishInvoices                          PublishInvoicesAction                          POST     n  APP  ADMIN
-/_dr/task/publishSpec11                            PublishSpec11ReportAction                      POST     n  APP  ADMIN
-/_dr/task/rdeReport                                RdeReportAction                                POST     n  APP  ADMIN
-/_dr/task/rdeStaging                               RdeStagingAction                               GET,POST n  APP  ADMIN
-/_dr/task/rdeUpload                                RdeUploadAction                                POST     n  APP  ADMIN
-/_dr/task/readDnsRefreshRequests                   ReadDnsRefreshRequestsAction                   POST     y  APP  ADMIN
-/_dr/task/refreshDnsForAllDomains                  RefreshDnsForAllDomainsAction                  GET      n  APP  ADMIN
-/_dr/task/refreshDnsOnHostRename                   RefreshDnsOnHostRenameAction                   POST     n  APP  ADMIN
-/_dr/task/relockDomain                             RelockDomainAction                             POST     y  APP  ADMIN
-/_dr/task/resaveAllEppResourcesPipeline            ResaveAllEppResourcesPipelineAction            GET      n  APP  ADMIN
-/_dr/task/resaveEntity                             ResaveEntityAction                             POST     n  APP  ADMIN
-/_dr/task/sendExpiringCertificateNotificationEmail SendExpiringCertificateNotificationEmailAction GET      n  APP  ADMIN
-/_dr/task/syncGroupMembers                         SyncGroupMembersAction                         POST     n  APP  ADMIN
-/_dr/task/syncRegistrarsSheet                      SyncRegistrarsSheetAction                      POST     n  APP  ADMIN
-/_dr/task/tmchCrl                                  TmchCrlAction                                  POST     y  APP  ADMIN
-/_dr/task/tmchDnl                                  TmchDnlAction                                  POST     y  APP  ADMIN
-/_dr/task/tmchSmdrl                                TmchSmdrlAction                                POST     y  APP  ADMIN
-/_dr/task/updateRegistrarRdapBaseUrls              UpdateRegistrarRdapBaseUrlsAction              GET      y  APP  ADMIN
-/_dr/task/uploadBsaUnavailableNames                UploadBsaUnavailableDomainsAction              GET,POST n  APP  ADMIN
-/_dr/task/wipeOutContactHistoryPii                 WipeOutContactHistoryPiiAction                 GET      n  APP  ADMIN
-/_dr/whois                                         WhoisAction                                    POST     n  APP  ADMIN
-/check                                             CheckApiAction                                 GET      n  NONE PUBLIC
-/console-api/domain                                ConsoleDomainGetAction                         GET      n  USER PUBLIC
-/console-api/domain-list                           ConsoleDomainListAction                        GET      n  USER PUBLIC
-/console-api/dum-download                          ConsoleDumDownloadAction                       GET      n  USER PUBLIC
-/console-api/eppPassword                           ConsoleEppPasswordAction                       POST     n  USER PUBLIC
-/console-api/registrar                             ConsoleUpdateRegistrarAction                   POST     n  USER PUBLIC
-/console-api/registrars                            RegistrarsAction                               GET,POST n  USER PUBLIC
-/console-api/registry-lock                         ConsoleRegistryLockAction                      GET,POST n  USER PUBLIC
-/console-api/registry-lock-verify                  ConsoleRegistryLockVerifyAction                GET      n  USER PUBLIC
-/console-api/settings/contacts                     ContactAction                                  GET,POST n  USER PUBLIC
-/console-api/settings/security                     SecurityAction                                 POST     n  USER PUBLIC
-/console-api/settings/whois-fields                 WhoisRegistrarFieldsAction                     POST     n  USER PUBLIC
-/console-api/userdata                              ConsoleUserDataAction                          GET      n  USER PUBLIC
-/rdap/autnum/(*)                                   RdapAutnumAction                               GET,HEAD n  NONE PUBLIC
-/rdap/domain/(*)                                   RdapDomainAction                               GET,HEAD n  NONE PUBLIC
-/rdap/domains                                      RdapDomainSearchAction                         GET,HEAD n  NONE PUBLIC
-/rdap/entities                                     RdapEntitySearchAction                         GET,HEAD n  NONE PUBLIC
-/rdap/entity/(*)                                   RdapEntityAction                               GET,HEAD n  NONE PUBLIC
-/rdap/help(*)                                      RdapHelpAction                                 GET,HEAD n  NONE PUBLIC
-/rdap/ip/(*)                                       RdapIpAction                                   GET,HEAD n  NONE PUBLIC
-/rdap/nameserver/(*)                               RdapNameserverAction                           GET,HEAD n  NONE PUBLIC
-/rdap/nameservers                                  RdapNameserverSearchAction                     GET,HEAD n  NONE PUBLIC
-/registrar                                         ConsoleUiAction                                GET      n  USER PUBLIC
-/registrar-create                                  ConsoleRegistrarCreatorAction                  POST,GET n  USER PUBLIC
-/registrar-ote-setup                               ConsoleOteSetupAction                          POST,GET n  USER PUBLIC
-/registrar-ote-status                              OteStatusAction                                POST     n  USER PUBLIC
-/registrar-settings                                RegistrarSettingsAction                        POST     n  USER PUBLIC
-/registry-lock-get                                 RegistryLockGetAction                          GET      n  USER PUBLIC
-/registry-lock-post                                RegistryLockPostAction                         POST     n  USER PUBLIC
-/registry-lock-verify                              RegistryLockVerifyAction                       GET      n  USER PUBLIC
-/whois/(*)                                         WhoisHttpAction                                GET      n  NONE PUBLIC
+SERVICE  PATH                                               CLASS                                          METHODS  OK MIN  USER_POLICY
+FRONTEND /_dr/epp                                           EppTlsAction                                   POST     n  APP  ADMIN
+BACKEND  /_dr/admin/createGroups                            CreateGroupsAction                             POST     n  APP  ADMIN
+BACKEND  /_dr/admin/list/domains                            ListDomainsAction                              GET,POST n  APP  ADMIN
+BACKEND  /_dr/admin/list/hosts                              ListHostsAction                                GET,POST n  APP  ADMIN
+BACKEND  /_dr/admin/list/premiumLists                       ListPremiumListsAction                         GET,POST n  APP  ADMIN
+BACKEND  /_dr/admin/list/registrars                         ListRegistrarsAction                           GET,POST n  APP  ADMIN
+BACKEND  /_dr/admin/list/reservedLists                      ListReservedListsAction                        GET,POST n  APP  ADMIN
+BACKEND  /_dr/admin/list/tlds                               ListTldsAction                                 GET,POST n  APP  ADMIN
+BACKEND  /_dr/admin/updateUserGroup                         UpdateUserGroupAction                          POST     n  APP  ADMIN
+BACKEND  /_dr/admin/verifyOte                               VerifyOteAction                                POST     n  APP  ADMIN
+BACKEND  /_dr/cron/fanout                                   TldFanoutAction                                GET      y  APP  ADMIN
+BACKEND  /_dr/epptool                                       EppToolAction                                  POST     n  APP  ADMIN
+BACKEND  /_dr/loadtest                                      LoadTestAction                                 POST     y  APP  ADMIN
+BACKEND  /_dr/task/brdaCopy                                 BrdaCopyAction                                 POST     y  APP  ADMIN
+BACKEND  /_dr/task/bsaDownload                              BsaDownloadAction                              GET,POST n  APP  ADMIN
+BACKEND  /_dr/task/bsaRefresh                               BsaRefreshAction                               GET,POST n  APP  ADMIN
+BACKEND  /_dr/task/bsaValidate                              BsaValidateAction                              GET,POST n  APP  ADMIN
+BACKEND  /_dr/task/copyDetailReports                        CopyDetailReportsAction                        POST     n  APP  ADMIN
+BACKEND  /_dr/task/deleteExpiredDomains                     DeleteExpiredDomainsAction                     GET      n  APP  ADMIN
+BACKEND  /_dr/task/deleteLoadTestData                       DeleteLoadTestDataAction                       POST     n  APP  ADMIN
+BACKEND  /_dr/task/deleteProberData                         DeleteProberDataAction                         POST     n  APP  ADMIN
+BACKEND  /_dr/task/dnsRefresh                               RefreshDnsAction                               GET      y  APP  ADMIN
+BACKEND  /_dr/task/executeCannedScript                      CannedScriptExecutionAction                    POST,GET y  APP  ADMIN
+BACKEND  /_dr/task/expandBillingRecurrences                 ExpandBillingRecurrencesAction                 GET      n  APP  ADMIN
+BACKEND  /_dr/task/exportDomainLists                        ExportDomainListsAction                        POST     n  APP  ADMIN
+BACKEND  /_dr/task/exportPremiumTerms                       ExportPremiumTermsAction                       POST     n  APP  ADMIN
+BACKEND  /_dr/task/exportReservedTerms                      ExportReservedTermsAction                      POST     n  APP  ADMIN
+BACKEND  /_dr/task/generateInvoices                         GenerateInvoicesAction                         POST     n  APP  ADMIN
+BACKEND  /_dr/task/generateSpec11                           GenerateSpec11ReportAction                     POST     n  APP  ADMIN
+BACKEND  /_dr/task/generateZoneFiles                        GenerateZoneFilesAction                        POST     n  APP  ADMIN
+BACKEND  /_dr/task/icannReportingStaging                    IcannReportingStagingAction                    POST     n  APP  ADMIN
+BACKEND  /_dr/task/icannReportingUpload                     IcannReportingUploadAction                     POST     n  APP  ADMIN
+BACKEND  /_dr/task/nordnUpload                              NordnUploadAction                              POST     y  APP  ADMIN
+BACKEND  /_dr/task/nordnVerify                              NordnVerifyAction                              POST     y  APP  ADMIN
+BACKEND  /_dr/task/publishDnsUpdates                        PublishDnsUpdatesAction                        POST     y  APP  ADMIN
+BACKEND  /_dr/task/publishInvoices                          PublishInvoicesAction                          POST     n  APP  ADMIN
+BACKEND  /_dr/task/publishSpec11                            PublishSpec11ReportAction                      POST     n  APP  ADMIN
+BACKEND  /_dr/task/rdeReport                                RdeReportAction                                POST     n  APP  ADMIN
+BACKEND  /_dr/task/rdeStaging                               RdeStagingAction                               GET,POST n  APP  ADMIN
+BACKEND  /_dr/task/rdeUpload                                RdeUploadAction                                POST     n  APP  ADMIN
+BACKEND  /_dr/task/readDnsRefreshRequests                   ReadDnsRefreshRequestsAction                   POST     y  APP  ADMIN
+BACKEND  /_dr/task/refreshDnsForAllDomains                  RefreshDnsForAllDomainsAction                  GET      n  APP  ADMIN
+BACKEND  /_dr/task/refreshDnsOnHostRename                   RefreshDnsOnHostRenameAction                   POST     n  APP  ADMIN
+BACKEND  /_dr/task/relockDomain                             RelockDomainAction                             POST     y  APP  ADMIN
+BACKEND  /_dr/task/resaveAllEppResourcesPipeline            ResaveAllEppResourcesPipelineAction            GET      n  APP  ADMIN
+BACKEND  /_dr/task/resaveEntity                             ResaveEntityAction                             POST     n  APP  ADMIN
+BACKEND  /_dr/task/sendExpiringCertificateNotificationEmail SendExpiringCertificateNotificationEmailAction GET      n  APP  ADMIN
+BACKEND  /_dr/task/syncGroupMembers                         SyncGroupMembersAction                         POST     n  APP  ADMIN
+BACKEND  /_dr/task/syncRegistrarsSheet                      SyncRegistrarsSheetAction                      POST     n  APP  ADMIN
+BACKEND  /_dr/task/tmchCrl                                  TmchCrlAction                                  POST     y  APP  ADMIN
+BACKEND  /_dr/task/tmchDnl                                  TmchDnlAction                                  POST     y  APP  ADMIN
+BACKEND  /_dr/task/tmchSmdrl                                TmchSmdrlAction                                POST     y  APP  ADMIN
+BACKEND  /_dr/task/updateRegistrarRdapBaseUrls              UpdateRegistrarRdapBaseUrlsAction              GET      y  APP  ADMIN
+BACKEND  /_dr/task/uploadBsaUnavailableNames                UploadBsaUnavailableDomainsAction              GET,POST n  APP  ADMIN
+BACKEND  /_dr/task/wipeOutContactHistoryPii                 WipeOutContactHistoryPiiAction                 GET      n  APP  ADMIN
+PUBAPI   /_dr/whois                                         WhoisAction                                    POST     n  APP  ADMIN
+PUBAPI   /check                                             CheckApiAction                                 GET      n  NONE PUBLIC
+PUBAPI   /rdap/autnum/(*)                                   RdapAutnumAction                               GET,HEAD n  NONE PUBLIC
+PUBAPI   /rdap/domain/(*)                                   RdapDomainAction                               GET,HEAD n  NONE PUBLIC
+PUBAPI   /rdap/domains                                      RdapDomainSearchAction                         GET,HEAD n  NONE PUBLIC
+PUBAPI   /rdap/entities                                     RdapEntitySearchAction                         GET,HEAD n  NONE PUBLIC
+PUBAPI   /rdap/entity/(*)                                   RdapEntityAction                               GET,HEAD n  NONE PUBLIC
+PUBAPI   /rdap/help(*)                                      RdapHelpAction                                 GET,HEAD n  NONE PUBLIC
+PUBAPI   /rdap/ip/(*)                                       RdapIpAction                                   GET,HEAD n  NONE PUBLIC
+PUBAPI   /rdap/nameserver/(*)                               RdapNameserverAction                           GET,HEAD n  NONE PUBLIC
+PUBAPI   /rdap/nameservers                                  RdapNameserverSearchAction                     GET,HEAD n  NONE PUBLIC
+PUBAPI   /whois/(*)                                         WhoisHttpAction                                GET      n  NONE PUBLIC
+CONSOLE  /console-api/domain                                ConsoleDomainGetAction                         GET      n  USER PUBLIC
+CONSOLE  /console-api/domain-list                           ConsoleDomainListAction                        GET      n  USER PUBLIC
+CONSOLE  /console-api/dum-download                          ConsoleDumDownloadAction                       GET      n  USER PUBLIC
+CONSOLE  /console-api/eppPassword                           ConsoleEppPasswordAction                       POST     n  USER PUBLIC
+CONSOLE  /console-api/registrar                             ConsoleUpdateRegistrarAction                   POST     n  USER PUBLIC
+CONSOLE  /console-api/registrars                            RegistrarsAction                               GET,POST n  USER PUBLIC
+CONSOLE  /console-api/registry-lock                         ConsoleRegistryLockAction                      GET,POST n  USER PUBLIC
+CONSOLE  /console-api/registry-lock-verify                  ConsoleRegistryLockVerifyAction                GET      n  USER PUBLIC
+CONSOLE  /console-api/settings/contacts                     ContactAction                                  GET,POST n  USER PUBLIC
+CONSOLE  /console-api/settings/security                     SecurityAction                                 POST     n  USER PUBLIC
+CONSOLE  /console-api/settings/whois-fields                 WhoisRegistrarFieldsAction                     POST     n  USER PUBLIC
+CONSOLE  /console-api/userdata                              ConsoleUserDataAction                          GET      n  USER PUBLIC

core/src/test/resources/google/registry/module/tools/tools_routing.txt

@@ -1,14 +1,14 @@
-PATH                              CLASS                         METHODS  OK MIN USER_POLICY
-/_dr/admin/createGroups           CreateGroupsAction            POST     n  APP ADMIN
-/_dr/admin/list/domains           ListDomainsAction             GET,POST n  APP ADMIN
-/_dr/admin/list/hosts             ListHostsAction               GET,POST n  APP ADMIN
-/_dr/admin/list/premiumLists      ListPremiumListsAction        GET,POST n  APP ADMIN
-/_dr/admin/list/registrars        ListRegistrarsAction          GET,POST n  APP ADMIN
-/_dr/admin/list/reservedLists     ListReservedListsAction       GET,POST n  APP ADMIN
-/_dr/admin/list/tlds              ListTldsAction                GET,POST n  APP ADMIN
-/_dr/admin/updateUserGroup        UpdateUserGroupAction         POST     n  APP ADMIN
-/_dr/admin/verifyOte              VerifyOteAction               POST     n  APP ADMIN
-/_dr/epptool                      EppToolAction                 POST     n  APP ADMIN
-/_dr/loadtest                     LoadTestAction                POST     y  APP ADMIN
-/_dr/task/generateZoneFiles       GenerateZoneFilesAction       POST     n  APP ADMIN
-/_dr/task/refreshDnsForAllDomains RefreshDnsForAllDomainsAction GET      n  APP ADMIN
+SERVICE PATH                              CLASS                         METHODS  OK MIN USER_POLICY
+BACKEND /_dr/admin/createGroups           CreateGroupsAction            POST     n  APP ADMIN
+BACKEND /_dr/admin/list/domains           ListDomainsAction             GET,POST n  APP ADMIN
+BACKEND /_dr/admin/list/hosts             ListHostsAction               GET,POST n  APP ADMIN
+BACKEND /_dr/admin/list/premiumLists      ListPremiumListsAction        GET,POST n  APP ADMIN
+BACKEND /_dr/admin/list/registrars        ListRegistrarsAction          GET,POST n  APP ADMIN
+BACKEND /_dr/admin/list/reservedLists     ListReservedListsAction       GET,POST n  APP ADMIN
+BACKEND /_dr/admin/list/tlds              ListTldsAction                GET,POST n  APP ADMIN
+BACKEND /_dr/admin/updateUserGroup        UpdateUserGroupAction         POST     n  APP ADMIN
+BACKEND /_dr/admin/verifyOte              VerifyOteAction               POST     n  APP ADMIN
+BACKEND /_dr/epptool                      EppToolAction                 POST     n  APP ADMIN
+BACKEND /_dr/loadtest                     LoadTestAction                POST     y  APP ADMIN
+BACKEND /_dr/task/generateZoneFiles       GenerateZoneFilesAction       POST     n  APP ADMIN
+BACKEND /_dr/task/refreshDnsForAllDomains RefreshDnsForAllDomainsAction GET      n  APP ADMIN

jetty/build.gradle

@@ -85,7 +85,7 @@ tasks.register('run', JavaExec) {
 tasks.register('deployNomulus', Exec) {
     dependsOn('pushNomulusImage', ':proxy:pushProxyImage')
     configure verifyDeploymentConfig
-    commandLine './deploy-nomulus-for-env.sh', "${rootProject.environment}"
+    commandLine './deploy-nomulus-for-env.sh', "${rootProject.environment}", "${rootProject.baseDomain}"
 }
 
 project.build.dependsOn(tasks.named('buildNomulusImage'))

jetty/deploy-nomulus-for-env.sh

@@ -17,12 +17,13 @@
 # kills all running pods to force k8s to create new pods using the just-pushed
 # manifest.
 
-if [[ $# -ne 1 ]]; then
-  echo "Usage: $0 alpha|crash|qa"
+if [[ $# -ne 2 ]]; then
+  echo "Usage: $0 alpha|crash|qa [base_domain]}"
   exit 1
 fi
 
 environment=${1}
+base_domain=${2}
 project="domain-registry-"${environment}
 current_context=$(kubectl config current-context)
 while read line
@@ -31,16 +32,25 @@ do
   echo "Updating cluster ${parts[0]} in location ${parts[1]}..."
   gcloud container clusters get-credentials "${parts[0]}" \
     --project "${project}" --location "${parts[1]}"
-  sed s/GCP_PROJECT/"${project}"/g "./kubernetes/nomulus-deployment.yaml" | \
-  sed s/ENVIRONMENT/"${environment}"/g | \
-  kubectl apply -f -
-  kubectl apply -f "./kubernetes/nomulus-service.yaml"
+  for service in frontend backend pubapi console
+  do
+    sed s/GCP_PROJECT/"${project}"/g "./kubernetes/nomulus-${service}.yaml" | \
+    sed s/ENVIRONMENT/"${environment}"/g | \
+    kubectl apply -f -
+  done
   # Kills all running pods, new pods created will be pulling the new image.
   kubectl delete pods --all
   # The multi-cluster gateway is only deployed to one cluster (the one in the US).
   if [[ "${parts[1]}" == us-* ]]
   then
-    kubectl apply -f "./kubernetes/nomulus-gateway.yaml"
+    kubectl apply -f "./kubernetes/gateway/nomulus-gateway.yaml"
+    for service in frontend backend pubapi console
+    do
+      sed s/BASE_DOMAIN/"${base_domain}"/g "./kubernetes/gateway/nomulus-route-${service}.yaml" | \
+      kubectl apply -f -
+      sed s/SERVICE/"${service}"/g "./kubernetes/gateway/nomulus-iap-${environment}.yaml" | \
+      kubectl apply -f -
+    done
   fi
 done < <(gcloud container clusters list --project "${project}" | grep nomulus)
 kubectl config use-context "$current_context"

jetty/kubernetes/gateway/nomulus-gateway.yaml

@@ -0,0 +1,17 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: nomulus
+spec:
+  gatewayClassName: gke-l7-global-external-managed-mc
+  listeners:
+  - name: https
+    protocol: HTTPS
+    port: 443
+    tls:
+      mode: Terminate
+      options:
+        networking.gke.io/pre-shared-certs: nomulus
+    allowedRoutes:
+      kinds:
+      - kind: HTTPRoute

jetty/kubernetes/gateway/nomulus-route-backend.yaml

@@ -0,0 +1,47 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: backend
+spec:
+  parentRefs:
+  - kind: Gateway
+    name: nomulus
+  hostnames:
+    - "backend.BASE_DOMAIN"
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /_dr/task
+    - path:
+        type: PathPrefix
+        value: /_dr/cron
+    - path:
+        type: PathPrefix
+        value: /_dr/admin
+    - path:
+        type: PathPrefix
+        value: /_dr/epptool
+    - path:
+        type: PathPrefix
+        value: /loadtest
+    backendRefs:
+    - group: net.gke.io
+      kind: ServiceImport
+      name: backend
+      port: 80
+---
+apiVersion: networking.gke.io/v1
+kind: HealthCheckPolicy
+metadata:
+  name: backend
+spec:
+  default:
+    config:
+      type: HTTP
+      httpHealthCheck:
+        requestPath: /healthz/
+  targetRef:
+    group: net.gke.io
+    kind: ServiceImport
+    name: backend

jetty/kubernetes/gateway/nomulus-route-console.yaml

@@ -1,38 +1,31 @@
-kind: Gateway
 apiVersion: gateway.networking.k8s.io/v1beta1
-metadata:
-  name: nomulus
-spec:
-  gatewayClassName: gke-l7-global-external-managed-mc
-  listeners:
-  - name: http
-    protocol: HTTP
-    port: 80
-    allowedRoutes:
-      kinds:
-      - kind: HTTPRoute
----
 kind: HTTPRoute
-apiVersion: gateway.networking.k8s.io/v1beta1
 metadata:
-  name: nomulus
-  labels:
-    app: nomulus
+  name: console
 spec:
   parentRefs:
   - kind: Gateway
     name: nomulus
+  hostnames:
+    - "console.BASE_DOMAIN"
   rules:
-  - backendRefs:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /console-api
+    - path:
+        type: PathPrefix
+        value: /console
+    backendRefs:
     - group: net.gke.io
       kind: ServiceImport
-      name: nomulus
+      name: console
       port: 80
 ---
 apiVersion: networking.gke.io/v1
 kind: HealthCheckPolicy
 metadata:
-  name: nomulus
+  name: console
 spec:
   default:
     config:
@@ -42,5 +35,4 @@ spec:
   targetRef:
     group: net.gke.io
     kind: ServiceImport
-    name: nomulus
-
+    name: console

jetty/kubernetes/gateway/nomulus-route-frontend.yaml

@@ -0,0 +1,35 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: frontend
+spec:
+  parentRefs:
+  - kind: Gateway
+    name: nomulus
+  hostnames:
+    - "frontend.BASE_DOMAIN"
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /_dr/epp
+    backendRefs:
+    - group: net.gke.io
+      kind: ServiceImport
+      name: frontend
+      port: 80
+---
+apiVersion: networking.gke.io/v1
+kind: HealthCheckPolicy
+metadata:
+  name: frontend
+spec:
+  default:
+    config:
+      type: HTTP
+      httpHealthCheck:
+        requestPath: /healthz/
+  targetRef:
+    group: net.gke.io
+    kind: ServiceImport
+    name: frontend

jetty/kubernetes/gateway/nomulus-route-pubapi.yaml

@@ -0,0 +1,44 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: pubapi
+spec:
+  parentRefs:
+  - kind: Gateway
+    name: nomulus
+  hostnames:
+    - "pubapi.BASE_DOMAIN"
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /_dr/whois
+    - path:
+        type: PathPrefix
+        value: /check
+    - path:
+        type: PathPrefix
+        value: /whois
+    - path:
+        type: PathPrefix
+        value: /rdap
+    backendRefs:
+    - group: net.gke.io
+      kind: ServiceImport
+      name: pubapi
+      port: 80
+---
+apiVersion: networking.gke.io/v1
+kind: HealthCheckPolicy
+metadata:
+  name: pubapi
+spec:
+  default:
+    config:
+      type: HTTP
+      httpHealthCheck:
+        requestPath: /healthz/
+  targetRef:
+    group: net.gke.io
+    kind: ServiceImport
+    name: pubapi

jetty/kubernetes/nomulus-backend.yaml

@@ -0,0 +1,60 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: backend
+spec:
+  selector:
+    matchLabels:
+      service: backend
+  template:
+    metadata:
+      labels:
+        service: backend
+    spec:
+      serviceAccountName: nomulus
+      containers:
+      - name: backend
+        image: gcr.io/GCP_PROJECT/nomulus
+        ports:
+        - containerPort: 8080
+          name: http
+        resources:
+          requests:
+            cpu: "500m"
+        args: [ENVIRONMENT]
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: backend
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: backend
+  minReplicas: 1
+  maxReplicas: 20
+  metrics:
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: 100
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: backend
+spec:
+  selector:
+    service: backend
+  ports:
+    - port: 80
+      targetPort: http
+      name: http
+---
+apiVersion: net.gke.io/v1
+kind: ServiceExport
+metadata:
+  name: backend

jetty/kubernetes/nomulus-console.yaml

@@ -0,0 +1,60 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: console
+spec:
+  selector:
+    matchLabels:
+      service: console
+  template:
+    metadata:
+      labels:
+        service: console
+    spec:
+      serviceAccountName: nomulus
+      containers:
+      - name: console
+        image: gcr.io/GCP_PROJECT/nomulus
+        ports:
+        - containerPort: 8080
+          name: http
+        resources:
+          requests:
+            cpu: "500m"
+        args: [ENVIRONMENT]
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: console
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: console
+  minReplicas: 1
+  maxReplicas: 20
+  metrics:
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: 100
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: console
+spec:
+  selector:
+    service: console
+  ports:
+    - port: 80
+      targetPort: http
+      name: http
+---
+apiVersion: net.gke.io/v1
+kind: ServiceExport
+metadata:
+  name: console

jetty/kubernetes/nomulus-frontend.yaml

@@ -1,21 +1,19 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: nomulus
-  labels:
-    app: nomulus
+  name: frontend
 spec:
   selector:
     matchLabels:
-      app: nomulus
+      service: frontend
   template:
     metadata:
       labels:
-        app: nomulus
+        service: frontend
     spec:
       serviceAccountName: nomulus
       containers:
-      - name: nomulus
+      - name: frontend
         image: gcr.io/GCP_PROJECT/nomulus
         ports:
         - containerPort: 8080
@@ -50,14 +48,12 @@ spec:
 apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
-  name: nomulus
-  labels:
-    app: nomulus
+  name: frontend
 spec:
   scaleTargetRef:
     apiVersion: apps/v1
     kind: Deployment
-    name: nomulus
+    name: frontend
   minReplicas: 1
   maxReplicas: 20
   metrics:
@@ -67,4 +63,26 @@ spec:
         target:
           type: Utilization
           averageUtilization: 100
-
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: frontend
+spec:
+  selector:
+    service: frontend
+  ports:
+    - port: 80
+      targetPort: http
+      name: http
+    - port: 43
+      targetPort: whois
+      name: whois
+    - port: 700
+      targetPort: epp
+      name: epp
+---
+apiVersion: net.gke.io/v1
+kind: ServiceExport
+metadata:
+  name: frontend

jetty/kubernetes/nomulus-pubapi.yaml

@@ -0,0 +1,60 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pubapi
+spec:
+  selector:
+    matchLabels:
+      service: pubapi
+  template:
+    metadata:
+      labels:
+        service: pubapi
+    spec:
+      serviceAccountName: nomulus
+      containers:
+      - name: pubapi
+        image: gcr.io/GCP_PROJECT/nomulus
+        ports:
+        - containerPort: 8080
+          name: http
+        resources:
+          requests:
+            cpu: "500m"
+        args: [ENVIRONMENT]
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: pubapi
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: pubapi
+  minReplicas: 1
+  maxReplicas: 20
+  metrics:
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: 100
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: pubapi
+spec:
+  selector:
+    service: pubapi
+  ports:
+    - port: 80
+      targetPort: http
+      name: http
+---
+apiVersion: net.gke.io/v1
+kind: ServiceExport
+metadata:
+  name: pubapi

jetty/kubernetes/nomulus-service.yaml

@@ -1,22 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: nomulus
-spec:
-  selector:
-    app: nomulus
-  ports:
-    - port: 80
-      targetPort: http
-      name: http
-    - port: 43
-      targetPort: whois
-      name: whois
-    - port: 700
-      targetPort: epp
-      name: epp
----
-kind: ServiceExport
-apiVersion: net.gke.io/v1
-metadata:
-  name: nomulus

projects.gradle

@@ -25,3 +25,9 @@ rootProject.ext.projects = ['production': 'your-production-project',
 // The project to host your development/deployment infrastructure. It hosts
 // things like release artifacts, CI/CD system, etc.
 rootProject.ext.devProject = 'your-dev-project'
+
+rootProject.ext.baseDomains = ['production' : 'registry-production.test',
+                              'sandbox'   : 'registry-sandbox.test',
+                              'alpha'     : 'registry-alpha.test',
+                              'crash'     : 'registry-crash.test',
+                              'qa'        : 'registry-qa.test']