1
0
mirror of https://github.com/google/nomulus synced 2026-06-09 16:33:02 +00:00

119 Commits

Author SHA1 Message Date
Ben McIlwain 75524fd403 Restore default builds and fix Kokoro tests (#3081)
This commit reverts changes from 5599a0eb3d and most of 5286b1a0dc (PR #3068) that stripped essential dependencies (buildConsoleForAll, buildNomulusImage, buildToolImage, fragileTest) from the default './gradlew build' target, which broke downstream deployment pipelines. It restores the default build to correctly generate all necessary production artifacts and Docker images.

It introduces a new 'fastBuild' target designed explicitly for local developers and CI checks. This lightweight target disables the execution of heavy Docker image builds, Angular compilations, and fragile tests to provide rapid feedback. Sequential execution constraints for parallel Angular builds are maintained to prevent cache corruption.

It updates the ':core:generateSqlSchema' task to execute using the 'unittest' environment instead of 'alpha'. The 'alpha' configuration is a private, internal environment config that is not distributed in the open-source repository, which caused the task to fail for public contributors. By switching to 'unittest', the generator can successfully run using the public test configuration. With this fixed, it also includes the newly generated 'db-schema.sql.generated' file, which now correctly tracks the 'FORBID_INSECURE_ALGORITHMS_RFC_9904' feature flag that was recently added.

Finally, it implements a split-runner execution strategy for the 'sqlIntegrationTest' task to permanently resolve 'failed to discover tests' and 'NoSuchMethodError' exceptions on Kokoro. Because Kokoro tests cross-version compatibility against both legacy deployed artifacts (compiled with JUnit 4 @RunWith wrappers) and modern artifacts (compiled with JUnit 5 @Suite annotations), we cannot statically configure a single test runner. We now dynamically run both the legacy 'useJUnit()' and modern 'useJUnitPlatform()' runners sequentially with 'failOnNoDiscoveredTests' disabled, allowing the appropriate engine to discover and execute the suite without causing classpath collisions.
2026-06-04 15:38:03 +00:00
gbrodman a5b280838c Remove usages of json-simple (#3060)
We should use gson wherever possible. There's no point in having
unnecessary dependencies (we'll need to keep around jackson for YAML
parsing).
2026-06-01 20:16:32 +00:00
Ben McIlwain c5abd2a7c9 Uncap most remaining dependencies (#3073)
This commit relaxes the upper bounds on several dependencies that were previously hardcapped to specific versions:
- com.google.protobuf to [3.25.5,) and [3.17.3,)
- org.apache.beam to [2.72.0,)
- io.github.ss-bhatt to [1.0.0,)
- io.protostuff to [1.8.0,)
- redis.clients:jedis to [7.4.1,)
- org.junit.jupiter and org.junit.platform to [5.6.2,) and [1.6.2,)
- org.jcommander to [2.0,)
- org.jline to [3.0,)
- jakarta.servlet to [6.0,)

Upgrading to the modern versions of jline introduced a breaking change where DefaultParser().parse(line, line.length()) strips trailing spaces when using the default ParseContext.UNSPECIFIED. This caused the autocompletion to misbehave and tests to fail. This commit fixes ShellCommandTest.java by explicitly passing ParseContext.COMPLETE when parsing test strings to perfectly mimic the real-world JLine completion context.

Additionally, SqlIntegrationTestSuite was migrated to JUnit 5's @Suite annotation, fixing a NoClassDefFoundError introduced by uncapping the JUnit Platform dependencies, and the test suite was re-integrated into the standard :build lifecycle.

The following dependencies remain explicitly capped:
1. Hibernate & Jakarta Persistence (Blocked by -Werror):
   These are held back because newer Jakarta Persistence versions deprecate executeUpdate(), setMaxResults(), and getResultStream() on Query.
   - org.hibernate.orm:hibernate-core:7.3.4.Final
   - org.hibernate.orm:hibernate-hikaricp:7.3.4.Final
   - org.hibernate.orm:hibernate-ant:7.3.4.Final
   - jakarta.persistence:jakarta.persistence-api:[3.2.0,4.0.0)

2. Netty (Blocked by abandoned v5):
   Netty 5.0.0 was an experimental release abandoned in 2015. We explicitly cap beneath 5.0.0 so Gradle doesn't resolve dead-end alphas.
   - io.netty:netty-codec-http:[4.1.59.Final, 5.0.0)!!
   - io.netty:netty-codec:[4.1.59.Final, 5.0.0)!!
   - io.netty:netty-common:[4.1.59.Final, 5.0.0)!!
   - io.netty:netty-handler:[4.1.59.Final, 5.0.0)!!
   - io.netty:netty-transport:[4.1.59.Final, 5.0.0)!!
   - io.netty:netty-buffer:[4.1.59.Final, 5.0.0)!!

3. Google API Services:
   Capped beneath their respective unstable beta/v1b4 versions:
   - com.google.apis:google-api-services-dataflow:[v1b3-rev20240430-2.0.0, v1b4)!!
   - com.google.apis:google-api-services-dns:[v1-rev20240419-2.0.0, v2beta)

The lockfiles have been fully regenerated and all test suites ran successfully against the latest available transitive versions.
2026-05-30 02:33:02 +00:00
Ben McIlwain 5286b1a0dc Optimize build and fix fragile tests (#3068)
This commit dramatically optimizes the local Gradle build time, shaving over 5 minutes off a full build execution:
- Instrumented the build to identify fragileTest taking > 3 minutes.
- Refactored TestServer.java to dynamically bind to ephemeral port 0, resolving race conditions.
- Updated UploadBsaUnavailableDomainsActionTest to use the thread-safe TestServer, allowing it to run in parallel.
- Removed outdated exclusions for HostInfoFlowTest and RegistryPipelineWorkerInitializerTest.
- Moved these tests to the highly parallelized standardTest suite.
- Removed the redundant sqlIntegrationTest execution from the standard test phase.
- Stripped heavy Docker (buildNomulusImage) and 5x frontend (buildConsoleForAll) staging dependencies from the standard build task, ensuring they are only run when explicitly deployed.
2026-05-29 02:29:20 +00:00
Ben McIlwain beb7fcc16e Update dependencies and improve workflow docs (#3071)
- Relaxed Google Cloud and gRPC upper bounds to dynamic versions in dependencies.gradle.
- Relaxed JUnit testing framework bounds to < 6.0.0 and < 2.0.0.
- Aligned beam-runners-core-construction-java to 2.72.0!!
- Regenerated all gradle lockfiles across the project.
- Updated GEMINI.md and MEMORY.md with the optimized lockfile/dependency update workflow.
- Fixed presubmit errors in check_diff.py (added Apache 2.0 license header and fixed syntax).
2026-05-28 21:45:43 +00:00
Ben McIlwain 00ee62f877 Update Netty and OkHttp dependencies and resolve test failures (#3066)
This commit updates several dependencies in dependencies.gradle and resolves the resulting test failures:
- Netty: Updated strict upper bound from <4.2.0 to <5.0.0 (resolved to 4.2.14.Final).
- OkHttp: Removed strict upper bound of <5.0.0 and moved to dynamic versions section (resolved to 5.3.2).
- Cleaned up dependencies.gradle by moving strict dependencies (secretmanager, common-protos, gax) out of the dynamic versions section.
- Updated all gradle.lockfile files.

Resulting test fixes:
- Netty: Replaced NioEventLoopGroup with DefaultEventLoopGroup in NettyExtension and ProbingStepTest. In Netty 4.2+, LocalServerChannel no longer supports registration with NIO-backed event loops, throwing an IllegalArgumentException.
- OkHttp: Refactored ServiceMonitoringClient to safely handle empty responses using Optional.orElse(). In OkHttp 5.x, a 204 No Content response returns a non-null ResponseBody with an empty string, causing an assertion failure where MosApiException was incorrectly bypassed.
2026-05-28 15:39:16 +00:00
Juan Celhay 00522fb618 Change Kubernetes Services selectors to target "traffic" label (#3054)
* change spec.selector for kubernetes services

* now really change the selector
2026-05-27 18:59:37 +00:00
gbrodman c1ce73db49 Remove old unused GWT dependency (#3056) 2026-05-27 16:24:16 +00:00
gbrodman c731b18304 Replace unmaintained jsch dependency (#3061)
The old version https://mvnrepository.com/artifact/com.jcraft/jsch
hasn't been updated for like 8 years. This replaces it with the
community fork, https://github.com/mwiede/jsch.

It's theoretically possible to replace this with
https://github.com/apache/mina-sshd but it would require a lot more
changes and risk for not really any benefit.
2026-05-26 15:43:59 +00:00
Ben McIlwain 53b92d602e Migrate EPP/Email from Soy to JAXB/FreeMarker (#3038)
- Replace deprecated Soy templates for EPP XML with JAXB models and a refined Fluent DSL.
- Migrate Spec11 and administrative emails to FreeMarker with HTML auto-escaping.
- Remove Soy compiler, Gradle tasks, and library dependencies.
- Address PR feedback regarding shadowing, version locking, and security warnings.
- Enhance tests with comprehensive XML equality assertions using Java 15 text blocks.
- Improve Javadocs and maintain strict temporal consistency using java.time.

FreeMarker replaces Soy for email templating, providing native HTML auto-escaping and allowing the removal of the complex 'soyToJava' compilation step from the build process. This significantly simplifies the build system and reduces maintenance overhead. For EPP XML, migrating to JAXB allows tool-generated commands to use the same model classes as the server-side EPP flows. This ensures that tool-generated XML is always schema-compliant and eliminates the risk of divergence between tool templates and actual server-side implementation. This unified approach provides compile-time type safety and improves developer ergonomics via a refined fluent DSL.

The base ImmutableObject class now provides a public clone() override that correctly resets the cached hashCode to null. This centralizes the custom cloning logic previously handled by a static helper and ensures that all subclasses—including the newly added JAXB models—satisfy CodeQL security requirements without needing redundant per-class overrides. The legacy static clone(T) helper has been updated to delegate to this instance method to maintain compatibility and architectural consistency.
2026-05-22 19:33:47 +00:00
Juan Celhay 0998d5485c add additional label to nomulus deployments (#3046) 2026-05-14 20:01:18 +00:00
Ben McIlwain 56fe588b56 Complete Joda-Time to java.time migration (#3039)
This completes the exhaustive refactoring of foundational temporal types from Joda-Time to the native java.time API across the entire codebase.

- Replaced org.joda.time.DateTime, Instant, LocalDate, and Duration with java.time equivalents.
- Audited and updated Clock implementations (FakeClock, SystemClock). Added nowMillis(), nowDate(), and nowDateTime() to eliminate repetitive conversions and maintain parallel naming.
- Replaced ZonedDateTime with OffsetDateTime globally per go/avoid-zdt. OffsetDateTime is a better fit as we use a hardcoded ZoneOffset.UTC throughout the system, making geographical time zone rules (like daylight saving time) irrelevant and preventing serialization ambiguities. Added a presubmit check.
- Completely removed all transitional bridge methods from DateTimeUtils and deleted obsolete converters (e.g., DateTimeConverter).
- Updated testing infrastructure, Apache Beam pipelines, custom JCommander parameters, and networking modules to solely rely on java.time primitives.
- Retained the lone necessary org.joda.time.Instant usage in SafeBrowsingTransforms required by the Apache Beam API.
- Cleared Gradle lockfiles and removed the joda-time dependency entirely from the build configuration.
2026-05-13 16:07:19 +00:00
gbrodman b8f14fef8d Update Hibernate deps to 7.3.4 (#3040)
The fix for https://hibernate.atlassian.net/browse/HHH-20276 was
included in 7.3.4 and will be included in version 8 in the future. 8.x
is still in alpha though so we don't want to use it yet.
2026-05-12 17:58:49 +00:00
gbrodman 4a412546f9 Upgrade beam deps (#3027)
https://docs.cloud.google.com/dataflow/docs/support/beam-runtime-support
looks like we need a later version for java 25
2026-04-27 19:40:10 +00:00
gbrodman 8cf222d1c9 Add Jedis (for Valkey) caches for domains and hosts (#3013)
We add optional Valkey caching of hosts and domains for future use. Eventually, this will allow us to pre-warm large amounts of data in Valkey for quick retrieval during actions like RDAP.

Note: this doesn't actually use the caches yet.

We use Jedis instead of Redisson for speed purposes
(https://www.instaclustr.com/blog/redis-java-clients-and-client-side-caching/)
which means that we have to implement our own multilayer cache but
that's not the worst thing in the world.

Tested on crash with logging and RDAP code that's not included in this
PR -- it behaves as you'd expect, where the local cache works for
immediate re-lookups and the remote cache works after a restart.
2026-04-24 19:50:01 +00:00
gbrodman db733aa50f Fix XML parsing issues that occur on dependency update (#3012)
We want to make sure that we use the same XML factories no matter what,
so we use "newDefaultFactory" instead of "newFactory" (to avoid picking
up some random thing on the classpath).

This also fixes an exception that occurs if you haven't synced the
internal repo with the public repo.
2026-04-16 20:15:02 +00:00
Weimin Yu 409a7ba66f Change language and bytecode levels to Java 25 (#3009)
Release/Build tested in alpha.

Deployed in crash.
2026-04-15 16:34:52 +00:00
Weimin Yu d2881b47dc Upgrade to Java 25 (#3000)
Error-prone introduced many more checks in Java 25. We fixed a few
and suppressed most. A follow-up bug is opened to clean this up.
An ai agent should be able to clean up most of it.

This PR is created with gemini-cli. Summary of experience:

* The good: AI caught most compatibility issues, and with permission,
  suppressed them through compiler flags and errorprone options.
  It also caught many versio references in scripts.

* Where it didn't shine:
  - It did not find and update the target version spec in the custome
    VKey annotation processor source file.
  - It did not flag eclipse-temurin:21 docker image for upgrade.
  - When running into failure, its first instinct is to disable checks
    e.g., -Werror instead of fixing them.
2026-04-02 21:23:00 +00:00
Weimin Yu 03b3f9f5a0 Upgrade to Gradle 9 (#2993) 2026-03-30 17:15:55 +00:00
Pavlo Tkach 193ccb5ad3 Increase GKE resources for servicing pubapi (#2994) 2026-03-30 16:50:28 +00:00
Weimin Yu 3513364c97 Upgrade to Gradle 8.14.3 (#2988)
* More Gradle 9 preparations

Fix additional compatibility warnings after upgrading to Gradle 8.14.3
from 8.13.

* More Gradle 9 compatibility fix

More fixes after upgrading Gradle from 8.13 to 8.14.3.

Upgraded the gradle-license-report plugin, and handled config leaking
issues.

Researched using gemini web and manually applied the fixes. Gemini-cli
could not find the right solution.
2026-03-26 17:55:05 +00:00
gbrodman 59b44b60df Update Hibernate and various other dependencies (#2986)
This ended up being wayyyy more complicated than expected due to
issues with Hibernate, various dependencies having conflicts with the
proto dependency version, and other breaking changes.

Notes:
- Hibernate 7 switches up the user type / converter system and for us,
  this means we must be / want to be more explicit with how we convert
and store things. For example, we need to add Postgres types to @Column
definitions.
- Hibernate 7.3 has an issue with generic MappedSuperclasses -- we have
  issues with BaseDomainLabelList. I'll investigate that, but for now
let's stick with 7.2.x
- H7 is more strict with annotations and prevents us from storing mapped
  superclasses embedded within other objects. This kinda makes sense but
makes the History objects a bit more difficult. We had to add "concrete"
embeddable DomainBase and HostBase objects that we can store/retrieve
from the DB.
- We convert some of the calls to "Query" to "TypedQuery" -- in
  Hibernate 8 / JPA 4.0 these will be super-deprecated and we'll need to
shift everything over, so this is necessary.
- You aren't supposed to put callback listeners on embedded entities
  (because it can be not obvious what's happening). We don't like that,
so we add our own annotations that are processed recursively for
embedded entities, so we get things like the update / create
timestamps.
- Hibernate doesn't allow for multiple converters to be auto-applied to
  the same "type" and it counts all VKey converters as one type.
Unfortunately, this means we have to explicitly mark each one.
- A bunch of other dependency changes were required to keep from having
  the proto 3/4 conflict
2026-03-25 20:10:50 +00:00
Weimin Yu e24c90fea6 Use bash in the Nomulus image (#2959)
/bin/bash comes with the base image, jetty:jdk-??.
Use it in start.sh for safe scripting.
2026-02-18 17:26:51 +00:00
Weimin Yu 8ff4d7dc8a Fix Jetty start script (#2958)
Script broken by inlined comment in multi-line command with backslash.

Refactored into comment-safe format.
2026-02-17 18:17:58 +00:00
Juan Celhay bca05f3982 Set heap size flags in nomulus start script (#2956)
* Set heap size flags in nomulus start script

* Add comment for flags
2026-02-13 21:16:57 +00:00
Juan Celhay 4aadcf818a Run profiler in fronted/cosole containers only (#2951) 2026-02-09 04:15:00 +00:00
Juan Celhay 5725eb95e0 Add Cloud java profiler to nomulus docker images (#2919)
* add cloud profiler to dockerfile and start script

* add apt-get update

* change in cb machine type for nomulus

* fix typo

* add max worker limit to gradle tests

* Switch to root before doing apt-get

* correct dockerfile

* jetty/Dockerfile

* profiler service conditional to kubernetes container name
2026-01-12 15:19:05 +00:00
Pavlo Tkach aa12998276 Increase console workload memory allocation (#2929) 2026-01-09 19:27:07 +00:00
Pavlo Tkach fcdac3e86e Update nomulus-frontend.yaml memory requests (#2900) 2025-12-10 22:36:28 +00:00
Nilay Shah d98d65eee5 Add mosapi client to intract with ICANN's monitoring system (#2892)
* Add mosapi client to intract with ICANN's monitoring system

This change introduces a comprehensive client to interact with ICANN's Monitoring System API (MoSAPI). This provides direct, automated access to critical registry health and compliance data, moving Nomulus towards a more proactive monitoring posture.

A core, stateless MosApiClient that manages communication and authentication with the MoSAPI service using TLS client certificates.

* Resolve review feedback & upgrade to OkHttp3 client

This commit addresses and resolves all outstanding review comments, primarily encompassing a shift to OkHttp3, security configuration cleanup, and general code improvements.

* **Review:** Addressed and resolved all pending review comments.
* **Feature:** Switched the underlying HTTP client implementation to [OkHttp3](https://square.github.io/okhttp/).
* **Configuration:** Consolidated TLS Certificates-related configuration into the dedicated configuration area.
* **Cleanup:** Removed unused components (`HttpUtils` and `HttpModule`) and performed general code cleanup.
* **Quality:** Improved exception handling logic for better robustness.

* Refactor and fix Mosapi exception handling

Addresses code review feedback and resulting test failures.

- Flattens package structure by moving MosApiException and its test.
- Corrects exception handling to ensure MosApiAuthorizationException
  propagates correctly, before the general exception handler.
- Adds a default case to the MosApiException factory for robustness.
- Uses lowercase for placeholder TLDs in default-config.yaml.

* Refactor and improve Mosapi client implementation

Simplifying URL validation with Guava
Preconditions and refining exception handling to use `Throwables`.

* Refactor precondition checks using project specific utility
2025-12-09 16:29:05 +00:00
gbrodman 7149fd3307 Remove more references to GAE (#2894)
These are old/pointless now that we've migrated to GKE. Note that this
doesn't update anything in the docs/ folder, as that's a much larger
project that should be done on its own.
2025-12-01 16:43:49 +00:00
Pavlo Tkach 19e03dbd2e Update proxy and nomulus cluster resources (#2858) 2025-10-24 20:19:41 +00:00
Pavlo Tkach 6bbd7a2290 Update proxy resources, increase ssl handshake timeout (#2819) 2025-09-05 18:09:55 +00:00
Pavlo Tkach 5e1cd0120f Adjust proxy resource allocation and update nomulus compute class (#2814) 2025-08-28 18:49:16 +00:00
gbrodman bdaab9daa5 Tag more junit versions to <6.0 (#2809)
We're still picking up some 6.0.0-M2 jars which are causing failures at
least for me when trying to run individual tests in IDEA.
2025-08-22 02:55:59 +00:00
Weimin Yu 7c92928f2c Update gradle dependency locks (#2806)
Also emoved Junit-4.
2025-08-19 16:17:47 +00:00
Pavlo Tkach de8d205657 Make k8s adjustments (#2803)
This increases hikari fetch size to 40 from 20 in order to decrease the
amount of round trips
This also sets lower CPU as we seem to have overshot CPU consumtion
This also set min replicas to 8 for EPP and max to 16 as we've been
running on 8-10 for the last week
2025-08-19 14:24:11 +00:00
Pavlo Tkach cc347264f1 Revert "Remove nodeSelector from k8s deployments (#2798)" (#2799)
This reverts commit 5cef2dd8b5.
We faced CPU quota issue with standard machine type, so rolling back to c4
for now to monitor server performance and decide if we want to try to
downgrade again in the future.
2025-08-13 15:05:54 +00:00
Pavlo Tkach 5cef2dd8b5 Remove nodeSelector from k8s deployments (#2798)
nodeSelector can limit scheduling capabilities of k8s, which leads to delays in assigning new workloads. Since we do not require and particular machine for execution it can be removed.
2025-08-10 16:16:48 +00:00
gbrodman 62b2585220 Fix load-testing URL in backend routing k8s file (#2797) 2025-08-08 20:20:40 +00:00
Pavlo Tkach 18614ba11e Update resource allocation for all Nomulus GKE deployments (#2796)
ALl deployments received update to averageUtilization cpu. This should allow us to stay ahead of the curve of traffic and create instances before we cpu reached the limit.
Frontend cpu allocation has caused "noise neighbors" problem with pods assigned to nodes where there's not enough bursting capacity, so I increased it.
Adjusted rest of the deployments according to their utilization.
2025-08-08 17:55:08 +00:00
Pavlo Tkach b17125ae9a Disable k8s whois routing (#2740) 2025-04-17 15:20:32 +00:00
Pavlo Tkach dfef733360 Incerase memory request for pubapi and frontend to 1Gi (#2743) 2025-04-11 16:17:43 +00:00
Pavlo Tkach 03872b508f Exclude prober endoint from sed command canary (#2739) 2025-04-07 21:13:13 +00:00
Pavlo Tkach 1096f201cd Add GKE readiness probe (#2735) 2025-04-04 21:33:43 +00:00
Lai Jiang af321fb65e Make frontend deployment auto scale (#2736)
Now that we have effective global sessions thanks to #2734, there is no
longer a need to keep the number of pods on the EPP service static.

We are also not vulnerable to random pod restarts. K8s never guarantees
perpetual pod lifetime anyway, and not having to be at its mercy is
certainly a relief.
2025-04-02 18:58:52 +00:00
Lai Jiang a64dc21f96 make the deploy task deploy to GKE (#2734)
Also always pulls the latest images from repos instead of relying on
local cases. This makes it so that a local docker build is always fresh.
2025-03-31 22:38:53 +00:00
Pavlo Tkach 0381533a35 Set grace period to 1s for immediate pods restart (#2733) 2025-03-31 19:15:13 +00:00
Lai Jiang 4999a72d96 Save session data directly in a cookie (#2732) 2025-03-31 16:21:50 +00:00
Pavlo Tkach 2d072c3844 Update jetty console static files cache policies (#2731) 2025-03-28 19:53:02 +00:00