Set postgres package back to runtime dependency (#522 )

Add a registryLockEmailAddress field to RegistrarConctact objects (#523 )
* Add a registryLockEmailAddress field to RegistrarConctact objects Because we need to manage the login email, it should be on an account that we manage. However, for registry lock, we would want to send the verification emails to a separate email address that the user can use. As a result, we will use a second field for a user-accessible registry lock email address. This must be set on the contact when enabling registry lock for this contact. * Responses to CR * derp
2026-05-24 16:51:49 +00:00 · 2020-03-20 15:43:30 -04:00 · 2020-03-20 14:12:00 -04:00 · 2020-03-20 14:11:00 -04:00 · 2020-03-19 11:05:51 -04:00 · 2020-03-18 21:38:37 -04:00
318 changed files with 4496 additions and 2418 deletions
--- a/README.md
+++ b/README.md
@@ -1,8 +1,8 @@
 # Nomulus

 | Internal Build | FOSS Build | LGTM | License | Code Search |
-|----------------|------------|------|---------|-------------|
-|[![Build Status for Google Registry internal build](https://storage.googleapis.com/domain-registry-kokoro/internal/build.svg)](https://storage.googleapis.com/domain-registry-kokoro/internal/index.html)|[![Build Status for the open source build](https://storage.googleapis.com/domain-registry-kokoro/foss/build.svg)](https://storage.googleapis.com/domain-registry-kokoro/foss/index.html)|[![Total alerts](https://img.shields.io/lgtm/alerts/g/google/nomulus.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/google/nomulus/alerts/)|[![License for this repo](https://img.shields.io/github/license/google/nomulus.svg)](https://github.com/google/nomulus/blob/master/LICENSE)|[![Link to Source Graph](https://sourcegraph.com/.assets/img/sourcegraph-light-head-logo.svg)](https://sourcegraph.com/github.com/google/nomulus)|
+|:--------------:|:----------:|:----:|:-------:|:-----------:|
+|[![Build Status for Google Registry internal build](https://storage.googleapis.com/domain-registry-kokoro/internal/build.svg)](https://storage.googleapis.com/domain-registry-kokoro/internal/index.html)|[![Build Status for the open source build](https://storage.googleapis.com/domain-registry-kokoro/foss/build.svg)](https://storage.googleapis.com/domain-registry-kokoro/foss/index.html)|[![Total alerts](https://img.shields.io/lgtm/alerts/g/google/nomulus.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/google/nomulus/alerts/)|[![License for this repo](https://img.shields.io/github/license/google/nomulus.svg)](https://github.com/google/nomulus/blob/master/LICENSE)|[![Link to Code Search](https://www.gstatic.com/devopsconsole/images/oss/favicons/oss-32x32.png)](https://cs.opensource.google/nomulus/nomulus)|

 ![Nomulus logo](./nomulus-logo.png)

--- a/build.gradle
+++ b/build.gradle
@@ -169,10 +169,10 @@ allprojects {
  if (project.name == 'services') return

  repositories {
-    if (rootProject.mavenUrl) {
+    if (!mavenUrl.isEmpty()) {
      maven {
-        println "Java dependencies: Using repo $pluginsUrl..."
-        url rootProject.mavenUrl
+        println "Java dependencies: Using repo ${mavenUrl}..."
+        url mavenUrl
      }
    } else {
      println "Java dependencies: Using Maven Central..."
--- a/buildSrc/build.gradle
+++ b/buildSrc/build.gradle
@@ -12,6 +12,8 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

+import static com.google.common.base.Strings.isNullOrEmpty;
+
 buildscript {
  if (project.enableDependencyLocking.toBoolean()) {
    // Lock buildscript dependencies.
@@ -40,13 +42,13 @@ if (rootProject.enableDependencyLocking.toBoolean()) {
 }

 repositories {
-  if (project.ext.properties.mavenUrl == null) {
-    println "Plugin dependencies: Using Maven central..."
+  if (isNullOrEmpty(project.ext.properties.mavenUrl)) {
+    println "Java dependencies: Using Maven central..."
    mavenCentral()
    google()
  } else {
    maven {
-      println "Plugin dependencies: Using repo ${mavenUrl}..."
+      println "Java dependencies: Using repo ${mavenUrl}..."
      url mavenUrl
    }
  }
@@ -82,6 +84,7 @@ dependencies {
  testCompile deps['com.google.truth:truth']
  testCompile deps['com.google.truth.extensions:truth-java8-extension']
  testCompile deps['junit:junit']
+  testCompile deps['org.junit.jupiter:junit-jupiter-api']
  testCompile deps['org.junit.jupiter:junit-jupiter-engine']
  testCompile deps['org.junit.vintage:junit-vintage-engine']
  testCompile deps['org.mockito:mockito-core']
--- a/buildSrc/gradle/dependency-locks/checkstyle.lockfile
+++ b/buildSrc/gradle/dependency-locks/checkstyle.lockfile
@@ -5,14 +5,14 @@ antlr:antlr:2.7.7
 com.google.code.findbugs:jsr305:3.0.2
 com.google.errorprone:error_prone_annotations:2.3.2
 com.google.guava:failureaccess:1.0.1
-com.google.guava:guava:28.0-jre
+com.google.guava:guava:28.1-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.j2objc:j2objc-annotations:1.3
-com.puppycrawl.tools:checkstyle:8.24
+com.puppycrawl.tools:checkstyle:8.27
 commons-beanutils:commons-beanutils:1.9.4
 commons-collections:commons-collections:3.2.2
-info.picocli:picocli:4.0.3
-net.sf.saxon:Saxon-HE:9.9.1-4
+info.picocli:picocli:4.1.1
+net.sf.saxon:Saxon-HE:9.9.1-5
 org.antlr:antlr4-runtime:4.7.2
 org.checkerframework:checker-qual:2.8.1
-org.codehaus.mojo:animal-sniffer-annotations:1.17
+org.codehaus.mojo:animal-sniffer-annotations:1.18
--- a/common/build.gradle
+++ b/common/build.gradle
@@ -62,6 +62,7 @@ dependencies {
  testingCompile deps['io.github.java-diff-utils:java-diff-utils']

  testCompile deps['junit:junit']
+  testCompile deps['org.junit.jupiter:junit-jupiter-api']
  testCompile deps['org.junit.jupiter:junit-jupiter-engine']
  testCompile deps['org.junit.vintage:junit-vintage-engine']
 }
--- a/common/gradle/dependency-locks/checkstyle.lockfile
+++ b/common/gradle/dependency-locks/checkstyle.lockfile
@@ -5,14 +5,14 @@ antlr:antlr:2.7.7
 com.google.code.findbugs:jsr305:3.0.2
 com.google.errorprone:error_prone_annotations:2.3.2
 com.google.guava:failureaccess:1.0.1
-com.google.guava:guava:28.0-jre
+com.google.guava:guava:28.1-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.j2objc:j2objc-annotations:1.3
-com.puppycrawl.tools:checkstyle:8.24
+com.puppycrawl.tools:checkstyle:8.27
 commons-beanutils:commons-beanutils:1.9.4
 commons-collections:commons-collections:3.2.2
-info.picocli:picocli:4.0.3
-net.sf.saxon:Saxon-HE:9.9.1-4
+info.picocli:picocli:4.1.1
+net.sf.saxon:Saxon-HE:9.9.1-5
 org.antlr:antlr4-runtime:4.7.2
 org.checkerframework:checker-qual:2.8.1
-org.codehaus.mojo:animal-sniffer-annotations:1.17
+org.codehaus.mojo:animal-sniffer-annotations:1.18
--- a/config/nom_build.py
+++ b/config/nom_build.py
@@ -0,0 +1,327 @@
+# Copyright 2020 The Nomulus Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Script to generate dr-build and the properties file.
+"""
+
+import argparse
+import attr
+import io
+import os
+import subprocess
+import sys
+from typing import List, Union
+
+
+@attr.s(auto_attribs=True)
+class Property:
+    name : str = ''
+    desc : str = ''
+    default : str = ''
+    constraints : type = str
+
+    def validate(self, value: str):
+        """Verify that "value" is appropriate for the property."""
+        if type is bool:
+            if value not in ('true', 'false'):
+                raise ValidationError('value of {self.name} must be "true" or '
+                                      '"false".')
+
+@attr.s(auto_attribs=True)
+class GradleFlag:
+    flags : Union[str, List[str]]
+    desc : str
+    has_arg : bool = False
+
+
+PROPERTIES_HEADER = """\
+# This file defines properties used by the gradle build.  It must be kept in
+# sync with config/nom_build.py.
+#
+# To regenerate, run config/nom_build.py --generate-gradle-properties
+#
+# To view property descriptions (which are command line flags for
+# nom_build), run config/nom_build.py --help.
+#
+# DO NOT EDIT THIS FILE BY HAND
+org.gradle.jvmargs=-Xmx1024m
+"""
+
+# Define all of our special gradle properties here.
+PROPERTIES = [
+    Property('mavenUrl',
+             'URL to use for the main maven repository (defaults to maven '
+             'central).  This can be http(s) or a "gcs" repo.'),
+    Property('pluginsUrl',
+             'URL to use for the gradle plugins repository (defaults to maven '
+             'central, see also mavenUrl'),
+    Property('uploaderDestination',
+             'Location to upload test reports to.  Normally this should be a '
+             'GCS url (see also uploaderCredentialsFile)'),
+    Property('uploaderCredentialsFile',
+             'json credentials file to use to upload test reports.'),
+    Property('uploaderMultithreadedUpload',
+             'Whether to enable multithread upload.'),
+    Property('verboseTestOutput',
+             'If true, show all test output in near-realtime.',
+             'false',
+             bool),
+    Property('flowDocsFile',
+             'Output filename for the flowDocsTool command.'),
+    Property('enableDependencyLocking',
+             'Enables dependency locking.',
+             'true',
+             bool),
+    Property('enableCrossReferencing',
+             'generate metadata during java compile (used for kythe source '
+             'reference generation).',
+             'false'),
+    Property('testFilter',
+             'Comma separated list of test patterns, if specified run only '
+             'these.'),
+    Property('environment', 'GAE Environment for deployment and staging.'),
+
+    # Cloud SQL properties
+    Property('dbServer',
+             'A registry environment name (e.g., "alpha") or a host[:port] '
+             'string'),
+    Property('dbName',
+             'Database name to use in connection.',
+             'postgres'),
+    Property('dbUser', 'Database user name for use in connection'),
+    Property('dbPassword', 'Database password for use in connection'),
+
+    Property('publish_repo',
+             'Maven repository that hosts the Cloud SQL schema jar and the '
+             'registry server test jars. Such jars are needed for '
+             'server/schema integration tests. Please refer to <a '
+             'href="./integration/README.md">integration project</a> for more '
+             'information.'),
+    Property('schema_version',
+             'The nomulus version tag of the schema for use in a database'
+             'integration test.'),
+    Property('nomulus_version',
+             'The version of nomulus to test against in a database '
+             'integration test.'),
+]
+
+GRADLE_FLAGS = [
+    GradleFlag(['-a', '--no-rebuild'],
+               'Do not rebuild project dependencies.'),
+    GradleFlag(['-b', '--build-file'], 'Specify the build file.', True),
+    GradleFlag(['--build-cache'],
+               'Enables the Gradle build cache. Gradle will try to reuse '
+               'outputs from previous builds.'),
+    GradleFlag(['-c', '--settings-file'], 'Specify the settings file.', True),
+    GradleFlag(['--configure-on-demand'],
+               'Configure necessary projects only. Gradle will attempt to '
+               'reduce configuration time for large multi-project builds. '
+               '[incubating]'),
+    GradleFlag(['--console'],
+               'Specifies which type of console output to generate. Values '
+               "are 'plain', 'auto' (default), 'rich' or 'verbose'.",
+               True),
+    GradleFlag(['--continue'], 'Continue task execution after a task failure.'),
+    GradleFlag(['-D', '--system-prop'],
+               'Set system property of the JVM (e.g. -Dmyprop=myvalue).',
+               True),
+    GradleFlag(['-d', '--debug'],
+               'Log in debug mode (includes normal stacktrace).'),
+    GradleFlag(['--daemon'],
+               'Uses the Gradle Daemon to run the build. Starts the Daemon '
+               'if not running.'),
+    GradleFlag(['--foreground'], 'Starts the Gradle Daemon in the foreground.'),
+    GradleFlag(['-g', '--gradle-user-home'],
+               'Specifies the gradle user home directory.',
+               True),
+    GradleFlag(['-I', '--init-script'], 'Specify an initialization script.',
+               True),
+    GradleFlag(['-i', '--info'], 'Set log level to info.'),
+    GradleFlag(['--include-build'],
+               'Include the specified build in the composite.',
+               True),
+    GradleFlag(['-m', '--dry-run'],
+               'Run the builds with all task actions disabled.'),
+    GradleFlag(['--max-workers'],
+               'Configure the number of concurrent workers Gradle is '
+               'allowed to use.',
+               True),
+    GradleFlag(['--no-build-cache'], 'Disables the Gradle build cache.'),
+    GradleFlag(['--no-configure-on-demand'],
+               'Disables the use of configuration on demand. [incubating]'),
+    GradleFlag(['--no-daemon'],
+               'Do not use the Gradle daemon to run the build. Useful '
+               'occasionally if you have configured Gradle to always run '
+               'with the daemon by default.'),
+    GradleFlag(['--no-parallel'],
+               'Disables parallel execution to build projects.'),
+    GradleFlag(['--no-scan'],
+               'Disables the creation of a build scan. For more information '
+               'about build scans, please visit '
+               'https://gradle.com/build-scans.'),
+    GradleFlag(['--offline'],
+               'Execute the build without accessing network resources.'),
+    GradleFlag(['-P', '--project-prop'],
+               'Set project property for the build script (e.g. '
+               '-Pmyprop=myvalue).',
+               True),
+    GradleFlag(['-p', '--project-dir'],
+               'Specifies the start directory for Gradle. Defaults to '
+               'current directory.'),
+    GradleFlag(['--parallel'],
+               'Build projects in parallel. Gradle will attempt to '
+               'determine the optimal number of executor threads to use.'),
+    GradleFlag(['--priority'],
+               'Specifies the scheduling priority for the Gradle daemon and '
+               "all processes launched by it. Values are 'normal' (default) "
+               "or 'low' [incubating]",
+               True),
+    GradleFlag(['--profile'],
+               'Profile build execution time and generates a report in the '
+               '<build_dir>/reports/profile directory.'),
+    GradleFlag(['--project-cache-dir'],
+               'Specify the project-specific cache directory. Defaults to '
+               '.gradle in the root project directory.',
+               True),
+    GradleFlag(['-q', '--quiet'], 'Log errors only.'),
+    GradleFlag(['--refresh-dependencies'], 'Refresh the state of dependencies.'),
+    GradleFlag(['--rerun-tasks'], 'Ignore previously cached task results.'),
+    GradleFlag(['-S', '--full-stacktrace'],
+               'Print out the full (very verbose) stacktrace for all '
+               'exceptions.'),
+    GradleFlag(['-s', '--stacktrace'],
+               'Print out the stacktrace for all exceptions.'),
+    GradleFlag(['--scan'],
+               'Creates a build scan. Gradle will emit a warning if the '
+               'build scan plugin has not been applied. '
+               '(https://gradle.com/build-scans)'),
+    GradleFlag(['--status'],
+               'Shows status of running and recently stopped Gradle '
+               'Daemon(s).'),
+    GradleFlag(['--stop'], 'Stops the Gradle Daemon if it is running.'),
+    GradleFlag(['-t', '--continuous'],
+               'Enables continuous build. Gradle does not exit and will '
+               're-execute tasks when task file inputs change.'),
+    GradleFlag(['--update-locks'],
+               'Perform a partial update of the dependency lock, letting '
+               'passed in module notations change version. [incubating]'),
+    GradleFlag(['-v', '--version'], 'Print version info.'),
+    GradleFlag(['-w', '--warn'], 'Set log level to warn.'),
+    GradleFlag(['--warning-mode'],
+               'Specifies which mode of warnings to generate. Values are '
+               "'all', 'fail', 'summary'(default) or 'none'",
+               True),
+    GradleFlag(['--write-locks'],
+               'Persists dependency resolution for locked configurations, '
+               'ignoring existing locking information if it exists '
+               '[incubating]'),
+    GradleFlag(['-x', '--exclude-task'],
+               'Specify a task to be excluded from execution.',
+               True),
+]
+def generate_gradle_properties() -> str:
+    """Returns the expected contents of gradle.properties."""
+    out = io.StringIO()
+    out.write(PROPERTIES_HEADER)
+
+    for prop in PROPERTIES:
+        out.write(f'{prop.name}={prop.default}\n')
+
+    return out.getvalue()
+
+
+def get_root() -> str:
+    """Returns the root of the nomulus build tree."""
+    cur_dir = os.getcwd()
+    if not os.path.exists(os.path.join(cur_dir, '.git')) or \
+       not os.path.exists(os.path.join(cur_dir, 'core')) or \
+       not os.path.exists(os.path.join(cur_dir, 'gradle.properties')):
+        raise Exception('You must run this script from the root directory')
+    return cur_dir
+
+
+def main(args):
+    parser = argparse.ArgumentParser('nom_build')
+    for prop in PROPERTIES:
+        parser.add_argument('--' + prop.name, default=prop.default,
+                            help=prop.desc)
+
+    # Add Gradle flags.  We set 'dest' to the first flag to get a name that is
+    # predictable for getattr (even though it will have a leading '-' and thus
+    # we can't use normal python attribute syntax to get it).
+    for flag in GRADLE_FLAGS:
+        if flag.has_arg:
+            parser.add_argument(*flag.flags, dest=flag.flags[0],
+                                help=flag.desc)
+        else:
+            parser.add_argument(*flag.flags, dest=flag.flags[0],
+                                help=flag.desc,
+                                action='store_true')
+
+    # Add a flag to regenerate the gradle properties file.
+    parser.add_argument('--generate-gradle-properties',
+                        help='Regenerate the gradle.properties file.  This '
+                        'file must be regenerated when changes are made to '
+                        'config/nom_build.py, and should not be updated by '
+                        'hand.',
+                        action='store_true')
+
+    # Consume the remaining non-flag arguments.
+    parser.add_argument('non_flag_args', nargs='*')
+
+    # Parse command line arguments. Note that this exits the program and
+    # prints usage if either of the help options (-h, --help) are specified.
+    args = parser.parse_args(args)
+
+    gradle_properties = generate_gradle_properties()
+    root = get_root()
+
+    # If we're regenerating properties, do so and exit.
+    if args.generate_gradle_properties:
+        with open(f'{root}/gradle.properties', 'w') as dst:
+            dst.write(gradle_properties)
+        return
+
+    # Verify that the gradle properties file is what we expect it to be.
+    with open(f'{root}/gradle.properties') as src:
+        if src.read() != gradle_properties:
+            print('\033[33mWARNING:\033[0m Gradle properties out of sync '
+                  'with nom_build.  Run with --generate-gradle-properties '
+                  'to regenerate.')
+
+    # Add properties to the gradle argument list.
+    gradle_command = [f'{root}/gradlew']
+    for prop in PROPERTIES:
+        arg_val = getattr(args, prop.name)
+        if arg_val != prop.default:
+            prop.validate(arg_val)
+            gradle_command.extend(['-P', f'{prop.name}={arg_val}'])
+
+    # Add Gradle flags to the gradle argument list.
+    for flag in GRADLE_FLAGS:
+        arg_val = getattr(args, flag.flags[0])
+        if arg_val:
+            gradle_command.append(flag.flags[-1])
+            if flag.has_arg:
+                gradle_command.append(arg_val)
+
+    # Add the non-flag args (we exclude the first, which is the command name
+    # itself) and run.
+    gradle_command.extend(args.non_flag_args[1:])
+    subprocess.call(gradle_command)
+
+
+if __name__ == '__main__':
+    main(sys.argv)
+
--- a/config/nom_build_test.py
+++ b/config/nom_build_test.py
@@ -0,0 +1,109 @@
+# Copyright 2020 The Nomulus Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import io
+import os
+import unittest
+from unittest import mock
+import nom_build
+import subprocess
+
+FAKE_PROPERTIES = [
+    nom_build.Property('foo', 'help text'),
+    nom_build.Property('bar', 'more text', 'true', bool),
+]
+
+FAKE_PROP_CONTENTS = nom_build.PROPERTIES_HEADER + 'foo=\nbar=true\n'
+PROPERTIES_FILENAME = '/tmp/rootdir/gradle.properties'
+GRADLEW = '/tmp/rootdir/gradlew'
+
+
+class FileFake(io.StringIO):
+    """File fake that writes file contents to the dictionary on close."""
+    def __init__(self, contents_dict, filename):
+        self.dict = contents_dict
+        self.filename = filename
+        super(FileFake, self).__init__()
+
+    def close(self):
+        self.dict[self.filename] = self.getvalue()
+        super(FileFake, self).close()
+
+
+class MyTest(unittest.TestCase):
+
+    def open_fake(self, filename, action='r'):
+        if action == 'r':
+            return io.StringIO(self.file_contents.get(filename, ''))
+        elif action == 'w':
+            result = self.file_contents[filename] = (
+                FileFake(self.file_contents, filename))
+            return result
+        else:
+            raise Exception(f'Unexpected action {action}')
+
+    def print_fake(self, data):
+        self.printed.append(data)
+
+    def setUp(self):
+        self.addCleanup(mock.patch.stopall)
+        self.exists_mock = mock.patch.object(os.path, 'exists').start()
+        self.getcwd_mock = mock.patch.object(os, 'getcwd').start()
+        self.getcwd_mock.return_value = '/tmp/rootdir'
+        self.open_mock = (
+            mock.patch.object(nom_build, 'open', self.open_fake).start())
+        self.print_mock = (
+            mock.patch.object(nom_build, 'print', self.print_fake).start())
+
+        self.call_mock = mock.patch.object(subprocess, 'call').start()
+
+        self.file_contents = {
+            # Prefil with the actual file contents.
+            PROPERTIES_FILENAME: nom_build.generate_gradle_properties()
+        }
+        self.printed = []
+
+    @mock.patch.object(nom_build, 'PROPERTIES', FAKE_PROPERTIES)
+    def test_property_generation(self):
+        self.assertEqual(nom_build.generate_gradle_properties(),
+                         FAKE_PROP_CONTENTS)
+
+    @mock.patch.object(nom_build, 'PROPERTIES', FAKE_PROPERTIES)
+    def test_property_file_write(self):
+        nom_build.main(['nom_build', '--generate-gradle-properties'])
+        self.assertEqual(self.file_contents[PROPERTIES_FILENAME],
+                         FAKE_PROP_CONTENTS)
+
+    def test_property_file_incorrect(self):
+        self.file_contents[PROPERTIES_FILENAME] = 'bad contents'
+        nom_build.main(['nom_build'])
+        self.assertIn('', self.printed[0])
+
+    def test_no_args(self):
+        nom_build.main(['nom_build'])
+        self.assertEqual(self.printed, [])
+        self.call_mock.assert_called_with([GRADLEW])
+
+    def test_property_calls(self):
+        nom_build.main(['nom_build', '--testFilter=foo'])
+        self.call_mock.assert_called_with([GRADLEW, '-P', 'testFilter=foo'])
+
+    def test_gradle_flags(self):
+        nom_build.main(['nom_build', '-d', '-b', 'foo'])
+        self.call_mock.assert_called_with([GRADLEW, '--build-file', 'foo',
+                                          '--debug'])
+
+unittest.main()
+
+
--- a/core/WEB-INF/appengine-generated/local_db.bin
+++ b/core/WEB-INF/appengine-generated/local_db.bin
--- a/core/build.gradle
+++ b/core/build.gradle
@@ -197,6 +197,7 @@ dependencies {
  compile deps['com.google.appengine:appengine-remote-api']
  compile deps['com.google.auth:google-auth-library-credentials']
  compile deps['com.google.auth:google-auth-library-oauth2-http']
+  compile deps['com.google.cloud.sql:jdbc-socket-factory-core']
  runtimeOnly deps['com.google.cloud.sql:postgres-socket-factory']
  compile deps['com.google.code.gson:gson']
  compile deps['com.google.auto.value:auto-value-annotations']
@@ -300,6 +301,7 @@ dependencies {
  testCompile deps['org.hamcrest:hamcrest-library']
  compile deps['org.hibernate:hibernate-hikaricp']
  testCompile deps['junit:junit']
+  testCompile deps['org.junit.jupiter:junit-jupiter-api']
  testCompile deps['org.junit.jupiter:junit-jupiter-engine']
  testCompile deps['org.junit.vintage:junit-vintage-engine']
  testCompile deps['org.mockito:mockito-core']
@@ -869,7 +871,8 @@ test {
  // Don't run any tests from this task, all testing gets done in the
  // FilteringTest tasks.
  exclude "**"
-}.dependsOn(fragileTest, outcastTest, standardTest, registryToolIntegrationTest)
+  // TODO(weiminyu): Remove dependency on sqlIntegrationTest
+}.dependsOn(fragileTest, outcastTest, standardTest, registryToolIntegrationTest, sqlIntegrationTest)

 createUberJar('nomulus', 'nomulus', 'google.registry.tools.RegistryTool')

--- a/core/gradle/dependency-locks/checkstyle.lockfile
+++ b/core/gradle/dependency-locks/checkstyle.lockfile
@@ -5,14 +5,14 @@ antlr:antlr:2.7.7
 com.google.code.findbugs:jsr305:3.0.2
 com.google.errorprone:error_prone_annotations:2.3.2
 com.google.guava:failureaccess:1.0.1
-com.google.guava:guava:28.0-jre
+com.google.guava:guava:28.1-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.j2objc:j2objc-annotations:1.3
-com.puppycrawl.tools:checkstyle:8.24
+com.puppycrawl.tools:checkstyle:8.27
 commons-beanutils:commons-beanutils:1.9.4
 commons-collections:commons-collections:3.2.2
-info.picocli:picocli:4.0.3
-net.sf.saxon:Saxon-HE:9.9.1-4
+info.picocli:picocli:4.1.1
+net.sf.saxon:Saxon-HE:9.9.1-5
 org.antlr:antlr4-runtime:4.7.2
 org.checkerframework:checker-qual:2.8.1
-org.codehaus.mojo:animal-sniffer-annotations:1.17
+org.codehaus.mojo:animal-sniffer-annotations:1.18
--- a/core/gradle/dependency-locks/compile.lockfile
+++ b/core/gradle/dependency-locks/compile.lockfile
@@ -1,21 +1,28 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
-androidx.annotation:annotation:1.1.0
 antlr:antlr:2.7.7
 aopalliance:aopalliance:1.0
 args4j:args4j:2.0.23
 cglib:cglib-nodep:2.2
 com.beust:jcommander:1.60
 com.fasterxml.jackson.core:jackson-annotations:2.9.10
-com.fasterxml.jackson.core:jackson-core:2.10.2
+com.fasterxml.jackson.core:jackson-core:2.9.10
 com.fasterxml.jackson.core:jackson-databind:2.9.10
 com.fasterxml:classmate:1.3.4
-com.google.api-client:google-api-client-appengine:1.30.8
+com.github.jnr:jffi:1.2.17
+com.github.jnr:jnr-a64asm:1.0.0
+com.github.jnr:jnr-constants:0.9.11
+com.github.jnr:jnr-enxio:0.19
+com.github.jnr:jnr-ffi:2.1.9
+com.github.jnr:jnr-posix:3.0.47
+com.github.jnr:jnr-unixsocket:0.21
+com.github.jnr:jnr-x86asm:1.0.2
+com.google.api-client:google-api-client-appengine:1.29.0
 com.google.api-client:google-api-client-jackson2:1.27.0
 com.google.api-client:google-api-client-java6:1.27.0
-com.google.api-client:google-api-client-servlet:1.30.8
-com.google.api-client:google-api-client:1.30.8
+com.google.api-client:google-api-client-servlet:1.29.0
+com.google.api-client:google-api-client:1.29.2
 com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.44.0
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:0.38.0
 com.google.api.grpc:grpc-google-cloud-bigtable-v2:0.38.0
@@ -51,6 +58,7 @@ com.google.apis:google-api-services-groupssettings:v1-rev60-1.22.0
 com.google.apis:google-api-services-monitoring:v3-rev426-1.23.0
 com.google.apis:google-api-services-pubsub:v1-rev20181105-1.27.0
 com.google.apis:google-api-services-sheets:v4-rev483-1.22.0
+com.google.apis:google-api-services-sqladmin:v1beta4-rev56-1.23.0
 com.google.apis:google-api-services-storage:v1-rev20181109-1.27.0
 com.google.appengine.tools:appengine-gcs-client:0.6
 com.google.appengine.tools:appengine-mapreduce:0.9
@@ -66,6 +74,7 @@ com.google.cloud.bigdataoss:gcsio:1.9.16
 com.google.cloud.bigdataoss:util:1.9.16
 com.google.cloud.bigtable:bigtable-client-core:1.8.0
 com.google.cloud.datastore:datastore-v1-proto-client:1.6.0
+com.google.cloud.sql:jdbc-socket-factory-core:1.0.12
 com.google.cloud:google-cloud-bigquerystorage:0.79.0-alpha
 com.google.cloud:google-cloud-bigtable-admin:0.73.0-alpha
 com.google.cloud:google-cloud-bigtable:0.73.0-alpha
@@ -85,22 +94,22 @@ com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:28.2-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.gwt:gwt-user:2.8.2
-com.google.http-client:google-http-client-appengine:1.34.1
-com.google.http-client:google-http-client-jackson2:1.34.1
+com.google.http-client:google-http-client-appengine:1.29.2
+com.google.http-client:google-http-client-jackson2:1.30.1
 com.google.http-client:google-http-client-jackson:1.20.0
 com.google.http-client:google-http-client-protobuf:1.20.0
-com.google.http-client:google-http-client:1.34.1
+com.google.http-client:google-http-client:1.30.1
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
 com.google.jsinterop:jsinterop-annotations:1.0.2
 com.google.monitoring-client:metrics:1.0.7
 com.google.monitoring-client:stackdriver:1.0.7
-com.google.oauth-client:google-oauth-client-appengine:1.30.5
+com.google.oauth-client:google-oauth-client-appengine:1.29.0
 com.google.oauth-client:google-oauth-client-java6:1.28.0
 com.google.oauth-client:google-oauth-client-jetty:1.28.0
-com.google.oauth-client:google-oauth-client-servlet:1.30.5
-com.google.oauth-client:google-oauth-client:1.30.5
+com.google.oauth-client:google-oauth-client-servlet:1.29.0
+com.google.oauth-client:google-oauth-client:1.29.2
 com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5
 com.google.protobuf:protobuf-java-util:3.6.1
 com.google.protobuf:protobuf-java:3.6.1
@@ -125,7 +134,7 @@ io.dropwizard.metrics:metrics-core:3.1.2
 io.grpc:grpc-all:1.17.1
 io.grpc:grpc-alts:1.17.1
 io.grpc:grpc-auth:1.17.1
-io.grpc:grpc-context:1.22.1
+io.grpc:grpc-context:1.19.0
 io.grpc:grpc-core:1.17.1
 io.grpc:grpc-grpclb:1.17.1
 io.grpc:grpc-netty-shaded:1.17.1
@@ -147,10 +156,10 @@ io.netty:netty-handler:4.1.30.Final
 io.netty:netty-resolver:4.1.30.Final
 io.netty:netty-tcnative-boringssl-static:2.0.17.Final
 io.netty:netty-transport:4.1.30.Final
-io.opencensus:opencensus-api:0.24.0
+io.opencensus:opencensus-api:0.21.0
 io.opencensus:opencensus-contrib-grpc-metrics:0.17.0
 io.opencensus:opencensus-contrib-grpc-util:0.17.0
-io.opencensus:opencensus-contrib-http-util:0.24.0
+io.opencensus:opencensus-contrib-http-util:0.21.0
 it.unimi.dsi:fastutil:6.5.16
 javax.activation:activation:1.1
 javax.activation:javax.activation-api:1.2.0
@@ -184,8 +193,8 @@ org.apache.beam:beam-vendor-grpc-1_21_0:0.1
 org.apache.beam:beam-vendor-guava-26_0-jre:0.1
 org.apache.commons:commons-compress:1.19
 org.apache.commons:commons-lang3:3.5
-org.apache.httpcomponents:httpclient:4.5.11
-org.apache.httpcomponents:httpcore:4.4.13
+org.apache.httpcomponents:httpclient:4.5.8
+org.apache.httpcomponents:httpcore:4.4.11
 org.bouncycastle:bcpg-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.10.0
@@ -213,11 +222,11 @@ org.mockito:mockito-core:1.9.5
 org.mortbay.jetty:jetty-util:6.1.26
 org.mortbay.jetty:jetty:6.1.26
 org.objenesis:objenesis:1.2
-org.ow2.asm:asm-analysis:6.0
+org.ow2.asm:asm-analysis:7.0
 org.ow2.asm:asm-commons:6.0
-org.ow2.asm:asm-tree:6.0
-org.ow2.asm:asm-util:6.0
-org.ow2.asm:asm:6.0
+org.ow2.asm:asm-tree:7.0
+org.ow2.asm:asm-util:7.0
+org.ow2.asm:asm:7.0
 org.rnorth.duct-tape:duct-tape:1.0.8
 org.rnorth.visible-assertions:visible-assertions:2.1.2
 org.rnorth:tcp-unix-socket-proxy:1.0.2
--- a/core/gradle/dependency-locks/compileClasspath.lockfile
+++ b/core/gradle/dependency-locks/compileClasspath.lockfile
@@ -1,21 +1,28 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
-androidx.annotation:annotation:1.1.0
 antlr:antlr:2.7.7
 aopalliance:aopalliance:1.0
 args4j:args4j:2.0.23
 cglib:cglib-nodep:2.2
 com.beust:jcommander:1.60
 com.fasterxml.jackson.core:jackson-annotations:2.9.10
-com.fasterxml.jackson.core:jackson-core:2.10.2
+com.fasterxml.jackson.core:jackson-core:2.9.10
 com.fasterxml.jackson.core:jackson-databind:2.9.10
 com.fasterxml:classmate:1.3.4
-com.google.api-client:google-api-client-appengine:1.30.8
+com.github.jnr:jffi:1.2.17
+com.github.jnr:jnr-a64asm:1.0.0
+com.github.jnr:jnr-constants:0.9.11
+com.github.jnr:jnr-enxio:0.19
+com.github.jnr:jnr-ffi:2.1.9
+com.github.jnr:jnr-posix:3.0.47
+com.github.jnr:jnr-unixsocket:0.21
+com.github.jnr:jnr-x86asm:1.0.2
+com.google.api-client:google-api-client-appengine:1.29.0
 com.google.api-client:google-api-client-jackson2:1.27.0
 com.google.api-client:google-api-client-java6:1.27.0
-com.google.api-client:google-api-client-servlet:1.30.8
-com.google.api-client:google-api-client:1.30.8
+com.google.api-client:google-api-client-servlet:1.29.0
+com.google.api-client:google-api-client:1.29.2
 com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.44.0
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:0.38.0
 com.google.api.grpc:grpc-google-cloud-bigtable-v2:0.38.0
@@ -51,6 +58,7 @@ com.google.apis:google-api-services-groupssettings:v1-rev60-1.22.0
 com.google.apis:google-api-services-monitoring:v3-rev426-1.23.0
 com.google.apis:google-api-services-pubsub:v1-rev20181105-1.27.0
 com.google.apis:google-api-services-sheets:v4-rev483-1.22.0
+com.google.apis:google-api-services-sqladmin:v1beta4-rev56-1.23.0
 com.google.apis:google-api-services-storage:v1-rev20181109-1.27.0
 com.google.appengine.tools:appengine-gcs-client:0.6
 com.google.appengine.tools:appengine-mapreduce:0.9
@@ -66,6 +74,7 @@ com.google.cloud.bigdataoss:gcsio:1.9.16
 com.google.cloud.bigdataoss:util:1.9.16
 com.google.cloud.bigtable:bigtable-client-core:1.8.0
 com.google.cloud.datastore:datastore-v1-proto-client:1.6.0
+com.google.cloud.sql:jdbc-socket-factory-core:1.0.12
 com.google.cloud:google-cloud-bigquerystorage:0.79.0-alpha
 com.google.cloud:google-cloud-bigtable-admin:0.73.0-alpha
 com.google.cloud:google-cloud-bigtable:0.73.0-alpha
@@ -84,22 +93,22 @@ com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:28.2-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.gwt:gwt-user:2.8.2
-com.google.http-client:google-http-client-appengine:1.34.1
-com.google.http-client:google-http-client-jackson2:1.34.1
+com.google.http-client:google-http-client-appengine:1.29.2
+com.google.http-client:google-http-client-jackson2:1.30.1
 com.google.http-client:google-http-client-jackson:1.20.0
 com.google.http-client:google-http-client-protobuf:1.20.0
-com.google.http-client:google-http-client:1.34.1
+com.google.http-client:google-http-client:1.30.1
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
 com.google.jsinterop:jsinterop-annotations:1.0.2
 com.google.monitoring-client:metrics:1.0.7
 com.google.monitoring-client:stackdriver:1.0.7
-com.google.oauth-client:google-oauth-client-appengine:1.30.5
+com.google.oauth-client:google-oauth-client-appengine:1.29.0
 com.google.oauth-client:google-oauth-client-java6:1.28.0
 com.google.oauth-client:google-oauth-client-jetty:1.28.0
-com.google.oauth-client:google-oauth-client-servlet:1.30.5
-com.google.oauth-client:google-oauth-client:1.30.5
+com.google.oauth-client:google-oauth-client-servlet:1.29.0
+com.google.oauth-client:google-oauth-client:1.29.2
 com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5
 com.google.protobuf:protobuf-java-util:3.6.1
 com.google.protobuf:protobuf-java:3.6.1
@@ -124,7 +133,7 @@ io.dropwizard.metrics:metrics-core:3.1.2
 io.grpc:grpc-all:1.17.1
 io.grpc:grpc-alts:1.17.1
 io.grpc:grpc-auth:1.17.1
-io.grpc:grpc-context:1.22.1
+io.grpc:grpc-context:1.19.0
 io.grpc:grpc-core:1.17.1
 io.grpc:grpc-netty-shaded:1.17.1
 io.grpc:grpc-netty:1.17.1
@@ -145,10 +154,10 @@ io.netty:netty-handler:4.1.30.Final
 io.netty:netty-resolver:4.1.30.Final
 io.netty:netty-tcnative-boringssl-static:2.0.17.Final
 io.netty:netty-transport:4.1.30.Final
-io.opencensus:opencensus-api:0.24.0
+io.opencensus:opencensus-api:0.21.0
 io.opencensus:opencensus-contrib-grpc-metrics:0.17.0
 io.opencensus:opencensus-contrib-grpc-util:0.17.0
-io.opencensus:opencensus-contrib-http-util:0.24.0
+io.opencensus:opencensus-contrib-http-util:0.21.0
 it.unimi.dsi:fastutil:6.5.16
 javax.activation:activation:1.1
 javax.activation:javax.activation-api:1.2.0
@@ -181,8 +190,8 @@ org.apache.beam:beam-vendor-grpc-1_21_0:0.1
 org.apache.beam:beam-vendor-guava-26_0-jre:0.1
 org.apache.commons:commons-compress:1.19
 org.apache.commons:commons-lang3:3.5
-org.apache.httpcomponents:httpclient:4.5.11
-org.apache.httpcomponents:httpcore:4.4.13
+org.apache.httpcomponents:httpclient:4.5.8
+org.apache.httpcomponents:httpcore:4.4.11
 org.bouncycastle:bcpg-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.10.0
@@ -208,11 +217,11 @@ org.jvnet.staxex:stax-ex:1.8
 org.mortbay.jetty:jetty-util:6.1.26
 org.mortbay.jetty:jetty:6.1.26
 org.objenesis:objenesis:1.2
-org.ow2.asm:asm-analysis:6.0
+org.ow2.asm:asm-analysis:7.0
 org.ow2.asm:asm-commons:6.0
-org.ow2.asm:asm-tree:6.0
-org.ow2.asm:asm-util:6.0
-org.ow2.asm:asm:6.0
+org.ow2.asm:asm-tree:7.0
+org.ow2.asm:asm-util:7.0
+org.ow2.asm:asm:7.0
 org.rnorth.duct-tape:duct-tape:1.0.8
 org.rnorth.visible-assertions:visible-assertions:2.1.2
 org.rnorth:tcp-unix-socket-proxy:1.0.2
--- a/core/gradle/dependency-locks/default.lockfile
+++ b/core/gradle/dependency-locks/default.lockfile
@@ -1,14 +1,13 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
-androidx.annotation:annotation:1.1.0
 antlr:antlr:2.7.7
 aopalliance:aopalliance:1.0
 args4j:args4j:2.0.23
 cglib:cglib-nodep:2.2
 com.beust:jcommander:1.60
 com.fasterxml.jackson.core:jackson-annotations:2.9.10
-com.fasterxml.jackson.core:jackson-core:2.10.2
+com.fasterxml.jackson.core:jackson-core:2.9.10
 com.fasterxml.jackson.core:jackson-databind:2.9.10
 com.fasterxml:classmate:1.3.4
 com.github.jnr:jffi:1.2.17
@@ -19,11 +18,11 @@ com.github.jnr:jnr-ffi:2.1.9
 com.github.jnr:jnr-posix:3.0.47
 com.github.jnr:jnr-unixsocket:0.21
 com.github.jnr:jnr-x86asm:1.0.2
-com.google.api-client:google-api-client-appengine:1.30.8
+com.google.api-client:google-api-client-appengine:1.29.0
 com.google.api-client:google-api-client-jackson2:1.27.0
 com.google.api-client:google-api-client-java6:1.27.0
-com.google.api-client:google-api-client-servlet:1.30.8
-com.google.api-client:google-api-client:1.30.8
+com.google.api-client:google-api-client-servlet:1.29.0
+com.google.api-client:google-api-client:1.29.2
 com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.44.0
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:0.38.0
 com.google.api.grpc:grpc-google-cloud-bigtable-v2:0.38.0
@@ -96,22 +95,22 @@ com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:28.2-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.gwt:gwt-user:2.8.2
-com.google.http-client:google-http-client-appengine:1.34.1
-com.google.http-client:google-http-client-jackson2:1.34.1
+com.google.http-client:google-http-client-appengine:1.29.2
+com.google.http-client:google-http-client-jackson2:1.30.1
 com.google.http-client:google-http-client-jackson:1.20.0
 com.google.http-client:google-http-client-protobuf:1.20.0
-com.google.http-client:google-http-client:1.34.1
+com.google.http-client:google-http-client:1.30.1
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
 com.google.jsinterop:jsinterop-annotations:1.0.2
 com.google.monitoring-client:metrics:1.0.7
 com.google.monitoring-client:stackdriver:1.0.7
-com.google.oauth-client:google-oauth-client-appengine:1.30.5
+com.google.oauth-client:google-oauth-client-appengine:1.29.0
 com.google.oauth-client:google-oauth-client-java6:1.28.0
 com.google.oauth-client:google-oauth-client-jetty:1.28.0
-com.google.oauth-client:google-oauth-client-servlet:1.30.5
-com.google.oauth-client:google-oauth-client:1.30.5
+com.google.oauth-client:google-oauth-client-servlet:1.29.0
+com.google.oauth-client:google-oauth-client:1.29.2
 com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5
 com.google.protobuf:protobuf-java-util:3.6.1
 com.google.protobuf:protobuf-java:3.6.1
@@ -136,7 +135,7 @@ io.dropwizard.metrics:metrics-core:3.1.2
 io.grpc:grpc-all:1.17.1
 io.grpc:grpc-alts:1.17.1
 io.grpc:grpc-auth:1.17.1
-io.grpc:grpc-context:1.22.1
+io.grpc:grpc-context:1.19.0
 io.grpc:grpc-core:1.17.1
 io.grpc:grpc-grpclb:1.17.1
 io.grpc:grpc-netty-shaded:1.17.1
@@ -158,10 +157,10 @@ io.netty:netty-handler:4.1.30.Final
 io.netty:netty-resolver:4.1.30.Final
 io.netty:netty-tcnative-boringssl-static:2.0.17.Final
 io.netty:netty-transport:4.1.30.Final
-io.opencensus:opencensus-api:0.24.0
+io.opencensus:opencensus-api:0.21.0
 io.opencensus:opencensus-contrib-grpc-metrics:0.17.0
 io.opencensus:opencensus-contrib-grpc-util:0.17.0
-io.opencensus:opencensus-contrib-http-util:0.24.0
+io.opencensus:opencensus-contrib-http-util:0.21.0
 it.unimi.dsi:fastutil:6.5.16
 javax.activation:activation:1.1
 javax.activation:javax.activation-api:1.2.0
@@ -195,8 +194,8 @@ org.apache.beam:beam-vendor-grpc-1_21_0:0.1
 org.apache.beam:beam-vendor-guava-26_0-jre:0.1
 org.apache.commons:commons-compress:1.19
 org.apache.commons:commons-lang3:3.5
-org.apache.httpcomponents:httpclient:4.5.11
-org.apache.httpcomponents:httpcore:4.4.13
+org.apache.httpcomponents:httpclient:4.5.8
+org.apache.httpcomponents:httpcore:4.4.11
 org.bouncycastle:bcpg-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.10.0
--- a/core/gradle/dependency-locks/deploy_jar.lockfile
+++ b/core/gradle/dependency-locks/deploy_jar.lockfile
@@ -1,14 +1,13 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
-androidx.annotation:annotation:1.1.0
 antlr:antlr:2.7.7
 aopalliance:aopalliance:1.0
 args4j:args4j:2.0.23
 cglib:cglib-nodep:2.2
 com.beust:jcommander:1.60
 com.fasterxml.jackson.core:jackson-annotations:2.9.10
-com.fasterxml.jackson.core:jackson-core:2.10.2
+com.fasterxml.jackson.core:jackson-core:2.9.10
 com.fasterxml.jackson.core:jackson-databind:2.9.10
 com.fasterxml:classmate:1.3.4
 com.github.jnr:jffi:1.2.17
@@ -19,11 +18,11 @@ com.github.jnr:jnr-ffi:2.1.9
 com.github.jnr:jnr-posix:3.0.47
 com.github.jnr:jnr-unixsocket:0.21
 com.github.jnr:jnr-x86asm:1.0.2
-com.google.api-client:google-api-client-appengine:1.30.8
+com.google.api-client:google-api-client-appengine:1.29.0
 com.google.api-client:google-api-client-jackson2:1.27.0
 com.google.api-client:google-api-client-java6:1.27.0
-com.google.api-client:google-api-client-servlet:1.30.8
-com.google.api-client:google-api-client:1.30.8
+com.google.api-client:google-api-client-servlet:1.29.0
+com.google.api-client:google-api-client:1.29.2
 com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.44.0
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:0.38.0
 com.google.api.grpc:grpc-google-cloud-bigtable-v2:0.38.0
@@ -96,22 +95,22 @@ com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:28.2-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.gwt:gwt-user:2.8.2
-com.google.http-client:google-http-client-appengine:1.34.1
-com.google.http-client:google-http-client-jackson2:1.34.1
+com.google.http-client:google-http-client-appengine:1.29.2
+com.google.http-client:google-http-client-jackson2:1.30.1
 com.google.http-client:google-http-client-jackson:1.20.0
 com.google.http-client:google-http-client-protobuf:1.20.0
-com.google.http-client:google-http-client:1.34.1
+com.google.http-client:google-http-client:1.30.1
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
 com.google.jsinterop:jsinterop-annotations:1.0.2
 com.google.monitoring-client:metrics:1.0.7
 com.google.monitoring-client:stackdriver:1.0.7
-com.google.oauth-client:google-oauth-client-appengine:1.30.5
+com.google.oauth-client:google-oauth-client-appengine:1.29.0
 com.google.oauth-client:google-oauth-client-java6:1.28.0
 com.google.oauth-client:google-oauth-client-jetty:1.28.0
-com.google.oauth-client:google-oauth-client-servlet:1.30.5
-com.google.oauth-client:google-oauth-client:1.30.5
+com.google.oauth-client:google-oauth-client-servlet:1.29.0
+com.google.oauth-client:google-oauth-client:1.29.2
 com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5
 com.google.protobuf:protobuf-java-util:3.6.1
 com.google.protobuf:protobuf-java:3.6.1
@@ -136,7 +135,7 @@ io.dropwizard.metrics:metrics-core:3.1.2
 io.grpc:grpc-all:1.17.1
 io.grpc:grpc-alts:1.17.1
 io.grpc:grpc-auth:1.17.1
-io.grpc:grpc-context:1.22.1
+io.grpc:grpc-context:1.19.0
 io.grpc:grpc-core:1.17.1
 io.grpc:grpc-grpclb:1.17.1
 io.grpc:grpc-netty-shaded:1.17.1
@@ -158,10 +157,10 @@ io.netty:netty-handler:4.1.30.Final
 io.netty:netty-resolver:4.1.30.Final
 io.netty:netty-tcnative-boringssl-static:2.0.17.Final
 io.netty:netty-transport:4.1.30.Final
-io.opencensus:opencensus-api:0.24.0
+io.opencensus:opencensus-api:0.21.0
 io.opencensus:opencensus-contrib-grpc-metrics:0.17.0
 io.opencensus:opencensus-contrib-grpc-util:0.17.0
-io.opencensus:opencensus-contrib-http-util:0.24.0
+io.opencensus:opencensus-contrib-http-util:0.21.0
 it.unimi.dsi:fastutil:6.5.16
 javax.activation:activation:1.1
 javax.activation:javax.activation-api:1.2.0
@@ -194,8 +193,8 @@ org.apache.beam:beam-vendor-grpc-1_21_0:0.1
 org.apache.beam:beam-vendor-guava-26_0-jre:0.1
 org.apache.commons:commons-compress:1.19
 org.apache.commons:commons-lang3:3.5
-org.apache.httpcomponents:httpclient:4.5.11
-org.apache.httpcomponents:httpcore:4.4.13
+org.apache.httpcomponents:httpclient:4.5.8
+org.apache.httpcomponents:httpcore:4.4.11
 org.bouncycastle:bcpg-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.10.0
--- a/core/gradle/dependency-locks/nonprodCompile.lockfile
+++ b/core/gradle/dependency-locks/nonprodCompile.lockfile
@@ -1,21 +1,28 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
-androidx.annotation:annotation:1.1.0
 antlr:antlr:2.7.7
 aopalliance:aopalliance:1.0
 args4j:args4j:2.0.23
 cglib:cglib-nodep:2.2
 com.beust:jcommander:1.60
 com.fasterxml.jackson.core:jackson-annotations:2.9.10
-com.fasterxml.jackson.core:jackson-core:2.10.2
+com.fasterxml.jackson.core:jackson-core:2.9.10
 com.fasterxml.jackson.core:jackson-databind:2.9.10
 com.fasterxml:classmate:1.3.4
-com.google.api-client:google-api-client-appengine:1.30.8
+com.github.jnr:jffi:1.2.17
+com.github.jnr:jnr-a64asm:1.0.0
+com.github.jnr:jnr-constants:0.9.11
+com.github.jnr:jnr-enxio:0.19
+com.github.jnr:jnr-ffi:2.1.9
+com.github.jnr:jnr-posix:3.0.47
+com.github.jnr:jnr-unixsocket:0.21
+com.github.jnr:jnr-x86asm:1.0.2
+com.google.api-client:google-api-client-appengine:1.29.0
 com.google.api-client:google-api-client-jackson2:1.27.0
 com.google.api-client:google-api-client-java6:1.27.0
-com.google.api-client:google-api-client-servlet:1.30.8
-com.google.api-client:google-api-client:1.30.8
+com.google.api-client:google-api-client-servlet:1.29.0
+com.google.api-client:google-api-client:1.29.2
 com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.44.0
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:0.38.0
 com.google.api.grpc:grpc-google-cloud-bigtable-v2:0.38.0
@@ -51,6 +58,7 @@ com.google.apis:google-api-services-groupssettings:v1-rev60-1.22.0
 com.google.apis:google-api-services-monitoring:v3-rev426-1.23.0
 com.google.apis:google-api-services-pubsub:v1-rev20181105-1.27.0
 com.google.apis:google-api-services-sheets:v4-rev483-1.22.0
+com.google.apis:google-api-services-sqladmin:v1beta4-rev56-1.23.0
 com.google.apis:google-api-services-storage:v1-rev20181109-1.27.0
 com.google.appengine.tools:appengine-gcs-client:0.6
 com.google.appengine.tools:appengine-mapreduce:0.9
@@ -66,6 +74,7 @@ com.google.cloud.bigdataoss:gcsio:1.9.16
 com.google.cloud.bigdataoss:util:1.9.16
 com.google.cloud.bigtable:bigtable-client-core:1.8.0
 com.google.cloud.datastore:datastore-v1-proto-client:1.6.0
+com.google.cloud.sql:jdbc-socket-factory-core:1.0.12
 com.google.cloud:google-cloud-bigquerystorage:0.79.0-alpha
 com.google.cloud:google-cloud-bigtable-admin:0.73.0-alpha
 com.google.cloud:google-cloud-bigtable:0.73.0-alpha
@@ -85,22 +94,22 @@ com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:28.2-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.gwt:gwt-user:2.8.2
-com.google.http-client:google-http-client-appengine:1.34.1
-com.google.http-client:google-http-client-jackson2:1.34.1
+com.google.http-client:google-http-client-appengine:1.29.2
+com.google.http-client:google-http-client-jackson2:1.30.1
 com.google.http-client:google-http-client-jackson:1.20.0
 com.google.http-client:google-http-client-protobuf:1.20.0
-com.google.http-client:google-http-client:1.34.1
+com.google.http-client:google-http-client:1.30.1
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
 com.google.jsinterop:jsinterop-annotations:1.0.2
 com.google.monitoring-client:metrics:1.0.7
 com.google.monitoring-client:stackdriver:1.0.7
-com.google.oauth-client:google-oauth-client-appengine:1.30.5
+com.google.oauth-client:google-oauth-client-appengine:1.29.0
 com.google.oauth-client:google-oauth-client-java6:1.28.0
 com.google.oauth-client:google-oauth-client-jetty:1.28.0
-com.google.oauth-client:google-oauth-client-servlet:1.30.5
-com.google.oauth-client:google-oauth-client:1.30.5
+com.google.oauth-client:google-oauth-client-servlet:1.29.0
+com.google.oauth-client:google-oauth-client:1.29.2
 com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5
 com.google.protobuf:protobuf-java-util:3.6.1
 com.google.protobuf:protobuf-java:3.6.1
@@ -125,7 +134,7 @@ io.dropwizard.metrics:metrics-core:3.1.2
 io.grpc:grpc-all:1.17.1
 io.grpc:grpc-alts:1.17.1
 io.grpc:grpc-auth:1.17.1
-io.grpc:grpc-context:1.22.1
+io.grpc:grpc-context:1.19.0
 io.grpc:grpc-core:1.17.1
 io.grpc:grpc-grpclb:1.17.1
 io.grpc:grpc-netty-shaded:1.17.1
@@ -147,10 +156,10 @@ io.netty:netty-handler:4.1.30.Final
 io.netty:netty-resolver:4.1.30.Final
 io.netty:netty-tcnative-boringssl-static:2.0.17.Final
 io.netty:netty-transport:4.1.30.Final
-io.opencensus:opencensus-api:0.24.0
+io.opencensus:opencensus-api:0.21.0
 io.opencensus:opencensus-contrib-grpc-metrics:0.17.0
 io.opencensus:opencensus-contrib-grpc-util:0.17.0
-io.opencensus:opencensus-contrib-http-util:0.24.0
+io.opencensus:opencensus-contrib-http-util:0.21.0
 it.unimi.dsi:fastutil:6.5.16
 javax.activation:activation:1.1
 javax.activation:javax.activation-api:1.2.0
@@ -184,8 +193,8 @@ org.apache.beam:beam-vendor-grpc-1_21_0:0.1
 org.apache.beam:beam-vendor-guava-26_0-jre:0.1
 org.apache.commons:commons-compress:1.19
 org.apache.commons:commons-lang3:3.5
-org.apache.httpcomponents:httpclient:4.5.11
-org.apache.httpcomponents:httpcore:4.4.13
+org.apache.httpcomponents:httpclient:4.5.8
+org.apache.httpcomponents:httpcore:4.4.11
 org.bouncycastle:bcpg-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.10.0
@@ -213,11 +222,11 @@ org.mockito:mockito-core:1.9.5
 org.mortbay.jetty:jetty-util:6.1.26
 org.mortbay.jetty:jetty:6.1.26
 org.objenesis:objenesis:1.2
-org.ow2.asm:asm-analysis:6.0
+org.ow2.asm:asm-analysis:7.0
 org.ow2.asm:asm-commons:6.0
-org.ow2.asm:asm-tree:6.0
-org.ow2.asm:asm-util:6.0
-org.ow2.asm:asm:6.0
+org.ow2.asm:asm-tree:7.0
+org.ow2.asm:asm-util:7.0
+org.ow2.asm:asm:7.0
 org.rnorth.duct-tape:duct-tape:1.0.8
 org.rnorth.visible-assertions:visible-assertions:2.1.2
 org.rnorth:tcp-unix-socket-proxy:1.0.2
--- a/core/gradle/dependency-locks/nonprodCompileClasspath.lockfile
+++ b/core/gradle/dependency-locks/nonprodCompileClasspath.lockfile
@@ -1,21 +1,28 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
-androidx.annotation:annotation:1.1.0
 antlr:antlr:2.7.7
 aopalliance:aopalliance:1.0
 args4j:args4j:2.0.23
 cglib:cglib-nodep:2.2
 com.beust:jcommander:1.60
 com.fasterxml.jackson.core:jackson-annotations:2.9.10
-com.fasterxml.jackson.core:jackson-core:2.10.2
+com.fasterxml.jackson.core:jackson-core:2.9.10
 com.fasterxml.jackson.core:jackson-databind:2.9.10
 com.fasterxml:classmate:1.3.4
-com.google.api-client:google-api-client-appengine:1.30.8
+com.github.jnr:jffi:1.2.17
+com.github.jnr:jnr-a64asm:1.0.0
+com.github.jnr:jnr-constants:0.9.11
+com.github.jnr:jnr-enxio:0.19
+com.github.jnr:jnr-ffi:2.1.9
+com.github.jnr:jnr-posix:3.0.47
+com.github.jnr:jnr-unixsocket:0.21
+com.github.jnr:jnr-x86asm:1.0.2
+com.google.api-client:google-api-client-appengine:1.29.0
 com.google.api-client:google-api-client-jackson2:1.27.0
 com.google.api-client:google-api-client-java6:1.27.0
-com.google.api-client:google-api-client-servlet:1.30.8
-com.google.api-client:google-api-client:1.30.8
+com.google.api-client:google-api-client-servlet:1.29.0
+com.google.api-client:google-api-client:1.29.2
 com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.44.0
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:0.38.0
 com.google.api.grpc:grpc-google-cloud-bigtable-v2:0.38.0
@@ -51,6 +58,7 @@ com.google.apis:google-api-services-groupssettings:v1-rev60-1.22.0
 com.google.apis:google-api-services-monitoring:v3-rev426-1.23.0
 com.google.apis:google-api-services-pubsub:v1-rev20181105-1.27.0
 com.google.apis:google-api-services-sheets:v4-rev483-1.22.0
+com.google.apis:google-api-services-sqladmin:v1beta4-rev56-1.23.0
 com.google.apis:google-api-services-storage:v1-rev20181109-1.27.0
 com.google.appengine.tools:appengine-gcs-client:0.6
 com.google.appengine.tools:appengine-mapreduce:0.9
@@ -66,6 +74,7 @@ com.google.cloud.bigdataoss:gcsio:1.9.16
 com.google.cloud.bigdataoss:util:1.9.16
 com.google.cloud.bigtable:bigtable-client-core:1.8.0
 com.google.cloud.datastore:datastore-v1-proto-client:1.6.0
+com.google.cloud.sql:jdbc-socket-factory-core:1.0.12
 com.google.cloud:google-cloud-bigquerystorage:0.79.0-alpha
 com.google.cloud:google-cloud-bigtable-admin:0.73.0-alpha
 com.google.cloud:google-cloud-bigtable:0.73.0-alpha
@@ -84,22 +93,22 @@ com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:28.2-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.gwt:gwt-user:2.8.2
-com.google.http-client:google-http-client-appengine:1.34.1
-com.google.http-client:google-http-client-jackson2:1.34.1
+com.google.http-client:google-http-client-appengine:1.29.2
+com.google.http-client:google-http-client-jackson2:1.30.1
 com.google.http-client:google-http-client-jackson:1.20.0
 com.google.http-client:google-http-client-protobuf:1.20.0
-com.google.http-client:google-http-client:1.34.1
+com.google.http-client:google-http-client:1.30.1
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
 com.google.jsinterop:jsinterop-annotations:1.0.2
 com.google.monitoring-client:metrics:1.0.7
 com.google.monitoring-client:stackdriver:1.0.7
-com.google.oauth-client:google-oauth-client-appengine:1.30.5
+com.google.oauth-client:google-oauth-client-appengine:1.29.0
 com.google.oauth-client:google-oauth-client-java6:1.28.0
 com.google.oauth-client:google-oauth-client-jetty:1.28.0
-com.google.oauth-client:google-oauth-client-servlet:1.30.5
-com.google.oauth-client:google-oauth-client:1.30.5
+com.google.oauth-client:google-oauth-client-servlet:1.29.0
+com.google.oauth-client:google-oauth-client:1.29.2
 com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5
 com.google.protobuf:protobuf-java-util:3.6.1
 com.google.protobuf:protobuf-java:3.6.1
@@ -124,7 +133,7 @@ io.dropwizard.metrics:metrics-core:3.1.2
 io.grpc:grpc-all:1.17.1
 io.grpc:grpc-alts:1.17.1
 io.grpc:grpc-auth:1.17.1
-io.grpc:grpc-context:1.22.1
+io.grpc:grpc-context:1.19.0
 io.grpc:grpc-core:1.17.1
 io.grpc:grpc-netty-shaded:1.17.1
 io.grpc:grpc-netty:1.17.1
@@ -145,10 +154,10 @@ io.netty:netty-handler:4.1.30.Final
 io.netty:netty-resolver:4.1.30.Final
 io.netty:netty-tcnative-boringssl-static:2.0.17.Final
 io.netty:netty-transport:4.1.30.Final
-io.opencensus:opencensus-api:0.24.0
+io.opencensus:opencensus-api:0.21.0
 io.opencensus:opencensus-contrib-grpc-metrics:0.17.0
 io.opencensus:opencensus-contrib-grpc-util:0.17.0
-io.opencensus:opencensus-contrib-http-util:0.24.0
+io.opencensus:opencensus-contrib-http-util:0.21.0
 it.unimi.dsi:fastutil:6.5.16
 javax.activation:activation:1.1
 javax.activation:javax.activation-api:1.2.0
@@ -182,8 +191,8 @@ org.apache.beam:beam-vendor-grpc-1_21_0:0.1
 org.apache.beam:beam-vendor-guava-26_0-jre:0.1
 org.apache.commons:commons-compress:1.19
 org.apache.commons:commons-lang3:3.5
-org.apache.httpcomponents:httpclient:4.5.11
-org.apache.httpcomponents:httpcore:4.4.13
+org.apache.httpcomponents:httpclient:4.5.8
+org.apache.httpcomponents:httpcore:4.4.11
 org.bouncycastle:bcpg-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.10.0
@@ -211,11 +220,11 @@ org.mockito:mockito-core:1.9.5
 org.mortbay.jetty:jetty-util:6.1.26
 org.mortbay.jetty:jetty:6.1.26
 org.objenesis:objenesis:1.2
-org.ow2.asm:asm-analysis:6.0
+org.ow2.asm:asm-analysis:7.0
 org.ow2.asm:asm-commons:6.0
-org.ow2.asm:asm-tree:6.0
-org.ow2.asm:asm-util:6.0
-org.ow2.asm:asm:6.0
+org.ow2.asm:asm-tree:7.0
+org.ow2.asm:asm-util:7.0
+org.ow2.asm:asm:7.0
 org.rnorth.duct-tape:duct-tape:1.0.8
 org.rnorth.visible-assertions:visible-assertions:2.1.2
 org.rnorth:tcp-unix-socket-proxy:1.0.2
--- a/core/gradle/dependency-locks/nonprodRuntime.lockfile
+++ b/core/gradle/dependency-locks/nonprodRuntime.lockfile
@@ -1,21 +1,28 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
-androidx.annotation:annotation:1.1.0
 antlr:antlr:2.7.7
 aopalliance:aopalliance:1.0
 args4j:args4j:2.0.23
 cglib:cglib-nodep:2.2
 com.beust:jcommander:1.60
 com.fasterxml.jackson.core:jackson-annotations:2.9.10
-com.fasterxml.jackson.core:jackson-core:2.10.2
+com.fasterxml.jackson.core:jackson-core:2.9.10
 com.fasterxml.jackson.core:jackson-databind:2.9.10
 com.fasterxml:classmate:1.3.4
-com.google.api-client:google-api-client-appengine:1.30.8
+com.github.jnr:jffi:1.2.17
+com.github.jnr:jnr-a64asm:1.0.0
+com.github.jnr:jnr-constants:0.9.11
+com.github.jnr:jnr-enxio:0.19
+com.github.jnr:jnr-ffi:2.1.9
+com.github.jnr:jnr-posix:3.0.47
+com.github.jnr:jnr-unixsocket:0.21
+com.github.jnr:jnr-x86asm:1.0.2
+com.google.api-client:google-api-client-appengine:1.29.0
 com.google.api-client:google-api-client-jackson2:1.27.0
 com.google.api-client:google-api-client-java6:1.27.0
-com.google.api-client:google-api-client-servlet:1.30.8
-com.google.api-client:google-api-client:1.30.8
+com.google.api-client:google-api-client-servlet:1.29.0
+com.google.api-client:google-api-client:1.29.2
 com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.44.0
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:0.38.0
 com.google.api.grpc:grpc-google-cloud-bigtable-v2:0.38.0
@@ -51,6 +58,7 @@ com.google.apis:google-api-services-groupssettings:v1-rev60-1.22.0
 com.google.apis:google-api-services-monitoring:v3-rev426-1.23.0
 com.google.apis:google-api-services-pubsub:v1-rev20181105-1.27.0
 com.google.apis:google-api-services-sheets:v4-rev483-1.22.0
+com.google.apis:google-api-services-sqladmin:v1beta4-rev56-1.23.0
 com.google.apis:google-api-services-storage:v1-rev20181109-1.27.0
 com.google.appengine.tools:appengine-gcs-client:0.6
 com.google.appengine.tools:appengine-mapreduce:0.9
@@ -66,6 +74,7 @@ com.google.cloud.bigdataoss:gcsio:1.9.16
 com.google.cloud.bigdataoss:util:1.9.16
 com.google.cloud.bigtable:bigtable-client-core:1.8.0
 com.google.cloud.datastore:datastore-v1-proto-client:1.6.0
+com.google.cloud.sql:jdbc-socket-factory-core:1.0.12
 com.google.cloud:google-cloud-bigquerystorage:0.79.0-alpha
 com.google.cloud:google-cloud-bigtable-admin:0.73.0-alpha
 com.google.cloud:google-cloud-bigtable:0.73.0-alpha
@@ -85,22 +94,22 @@ com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:28.2-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.gwt:gwt-user:2.8.2
-com.google.http-client:google-http-client-appengine:1.34.1
-com.google.http-client:google-http-client-jackson2:1.34.1
+com.google.http-client:google-http-client-appengine:1.29.2
+com.google.http-client:google-http-client-jackson2:1.30.1
 com.google.http-client:google-http-client-jackson:1.20.0
 com.google.http-client:google-http-client-protobuf:1.20.0
-com.google.http-client:google-http-client:1.34.1
+com.google.http-client:google-http-client:1.30.1
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
 com.google.jsinterop:jsinterop-annotations:1.0.2
 com.google.monitoring-client:metrics:1.0.7
 com.google.monitoring-client:stackdriver:1.0.7
-com.google.oauth-client:google-oauth-client-appengine:1.30.5
+com.google.oauth-client:google-oauth-client-appengine:1.29.0
 com.google.oauth-client:google-oauth-client-java6:1.28.0
 com.google.oauth-client:google-oauth-client-jetty:1.28.0
-com.google.oauth-client:google-oauth-client-servlet:1.30.5
-com.google.oauth-client:google-oauth-client:1.30.5
+com.google.oauth-client:google-oauth-client-servlet:1.29.0
+com.google.oauth-client:google-oauth-client:1.29.2
 com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5
 com.google.protobuf:protobuf-java-util:3.6.1
 com.google.protobuf:protobuf-java:3.6.1
@@ -125,7 +134,7 @@ io.dropwizard.metrics:metrics-core:3.1.2
 io.grpc:grpc-all:1.17.1
 io.grpc:grpc-alts:1.17.1
 io.grpc:grpc-auth:1.17.1
-io.grpc:grpc-context:1.22.1
+io.grpc:grpc-context:1.19.0
 io.grpc:grpc-core:1.17.1
 io.grpc:grpc-grpclb:1.17.1
 io.grpc:grpc-netty-shaded:1.17.1
@@ -147,10 +156,10 @@ io.netty:netty-handler:4.1.30.Final
 io.netty:netty-resolver:4.1.30.Final
 io.netty:netty-tcnative-boringssl-static:2.0.17.Final
 io.netty:netty-transport:4.1.30.Final
-io.opencensus:opencensus-api:0.24.0
+io.opencensus:opencensus-api:0.21.0
 io.opencensus:opencensus-contrib-grpc-metrics:0.17.0
 io.opencensus:opencensus-contrib-grpc-util:0.17.0
-io.opencensus:opencensus-contrib-http-util:0.24.0
+io.opencensus:opencensus-contrib-http-util:0.21.0
 it.unimi.dsi:fastutil:6.5.16
 javax.activation:activation:1.1
 javax.activation:javax.activation-api:1.2.0
@@ -184,8 +193,8 @@ org.apache.beam:beam-vendor-grpc-1_21_0:0.1
 org.apache.beam:beam-vendor-guava-26_0-jre:0.1
 org.apache.commons:commons-compress:1.19
 org.apache.commons:commons-lang3:3.5
-org.apache.httpcomponents:httpclient:4.5.11
-org.apache.httpcomponents:httpcore:4.4.13
+org.apache.httpcomponents:httpclient:4.5.8
+org.apache.httpcomponents:httpcore:4.4.11
 org.bouncycastle:bcpg-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.10.0
@@ -213,11 +222,11 @@ org.mockito:mockito-core:1.9.5
 org.mortbay.jetty:jetty-util:6.1.26
 org.mortbay.jetty:jetty:6.1.26
 org.objenesis:objenesis:1.2
-org.ow2.asm:asm-analysis:6.0
+org.ow2.asm:asm-analysis:7.0
 org.ow2.asm:asm-commons:6.0
-org.ow2.asm:asm-tree:6.0
-org.ow2.asm:asm-util:6.0
-org.ow2.asm:asm:6.0
+org.ow2.asm:asm-tree:7.0
+org.ow2.asm:asm-util:7.0
+org.ow2.asm:asm:7.0
 org.postgresql:postgresql:42.2.6
 org.rnorth.duct-tape:duct-tape:1.0.8
 org.rnorth.visible-assertions:visible-assertions:2.1.2
--- a/core/gradle/dependency-locks/nonprodRuntimeClasspath.lockfile
+++ b/core/gradle/dependency-locks/nonprodRuntimeClasspath.lockfile
@@ -1,21 +1,28 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
-androidx.annotation:annotation:1.1.0
 antlr:antlr:2.7.7
 aopalliance:aopalliance:1.0
 args4j:args4j:2.0.23
 cglib:cglib-nodep:2.2
 com.beust:jcommander:1.60
 com.fasterxml.jackson.core:jackson-annotations:2.9.10
-com.fasterxml.jackson.core:jackson-core:2.10.2
+com.fasterxml.jackson.core:jackson-core:2.9.10
 com.fasterxml.jackson.core:jackson-databind:2.9.10
 com.fasterxml:classmate:1.3.4
-com.google.api-client:google-api-client-appengine:1.30.8
+com.github.jnr:jffi:1.2.17
+com.github.jnr:jnr-a64asm:1.0.0
+com.github.jnr:jnr-constants:0.9.11
+com.github.jnr:jnr-enxio:0.19
+com.github.jnr:jnr-ffi:2.1.9
+com.github.jnr:jnr-posix:3.0.47
+com.github.jnr:jnr-unixsocket:0.21
+com.github.jnr:jnr-x86asm:1.0.2
+com.google.api-client:google-api-client-appengine:1.29.0
 com.google.api-client:google-api-client-jackson2:1.27.0
 com.google.api-client:google-api-client-java6:1.27.0
-com.google.api-client:google-api-client-servlet:1.30.8
-com.google.api-client:google-api-client:1.30.8
+com.google.api-client:google-api-client-servlet:1.29.0
+com.google.api-client:google-api-client:1.29.2
 com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.44.0
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:0.38.0
 com.google.api.grpc:grpc-google-cloud-bigtable-v2:0.38.0
@@ -51,6 +58,7 @@ com.google.apis:google-api-services-groupssettings:v1-rev60-1.22.0
 com.google.apis:google-api-services-monitoring:v3-rev426-1.23.0
 com.google.apis:google-api-services-pubsub:v1-rev20181105-1.27.0
 com.google.apis:google-api-services-sheets:v4-rev483-1.22.0
+com.google.apis:google-api-services-sqladmin:v1beta4-rev56-1.23.0
 com.google.apis:google-api-services-storage:v1-rev20181109-1.27.0
 com.google.appengine.tools:appengine-gcs-client:0.6
 com.google.appengine.tools:appengine-mapreduce:0.9
@@ -66,6 +74,7 @@ com.google.cloud.bigdataoss:gcsio:1.9.16
 com.google.cloud.bigdataoss:util:1.9.16
 com.google.cloud.bigtable:bigtable-client-core:1.8.0
 com.google.cloud.datastore:datastore-v1-proto-client:1.6.0
+com.google.cloud.sql:jdbc-socket-factory-core:1.0.12
 com.google.cloud:google-cloud-bigquerystorage:0.79.0-alpha
 com.google.cloud:google-cloud-bigtable-admin:0.73.0-alpha
 com.google.cloud:google-cloud-bigtable:0.73.0-alpha
@@ -85,22 +94,22 @@ com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:28.2-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.gwt:gwt-user:2.8.2
-com.google.http-client:google-http-client-appengine:1.34.1
-com.google.http-client:google-http-client-jackson2:1.34.1
+com.google.http-client:google-http-client-appengine:1.29.2
+com.google.http-client:google-http-client-jackson2:1.30.1
 com.google.http-client:google-http-client-jackson:1.20.0
 com.google.http-client:google-http-client-protobuf:1.20.0
-com.google.http-client:google-http-client:1.34.1
+com.google.http-client:google-http-client:1.30.1
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
 com.google.jsinterop:jsinterop-annotations:1.0.2
 com.google.monitoring-client:metrics:1.0.7
 com.google.monitoring-client:stackdriver:1.0.7
-com.google.oauth-client:google-oauth-client-appengine:1.30.5
+com.google.oauth-client:google-oauth-client-appengine:1.29.0
 com.google.oauth-client:google-oauth-client-java6:1.28.0
 com.google.oauth-client:google-oauth-client-jetty:1.28.0
-com.google.oauth-client:google-oauth-client-servlet:1.30.5
-com.google.oauth-client:google-oauth-client:1.30.5
+com.google.oauth-client:google-oauth-client-servlet:1.29.0
+com.google.oauth-client:google-oauth-client:1.29.2
 com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5
 com.google.protobuf:protobuf-java-util:3.6.1
 com.google.protobuf:protobuf-java:3.6.1
@@ -125,7 +134,7 @@ io.dropwizard.metrics:metrics-core:3.1.2
 io.grpc:grpc-all:1.17.1
 io.grpc:grpc-alts:1.17.1
 io.grpc:grpc-auth:1.17.1
-io.grpc:grpc-context:1.22.1
+io.grpc:grpc-context:1.19.0
 io.grpc:grpc-core:1.17.1
 io.grpc:grpc-grpclb:1.17.1
 io.grpc:grpc-netty-shaded:1.17.1
@@ -147,10 +156,10 @@ io.netty:netty-handler:4.1.30.Final
 io.netty:netty-resolver:4.1.30.Final
 io.netty:netty-tcnative-boringssl-static:2.0.17.Final
 io.netty:netty-transport:4.1.30.Final
-io.opencensus:opencensus-api:0.24.0
+io.opencensus:opencensus-api:0.21.0
 io.opencensus:opencensus-contrib-grpc-metrics:0.17.0
 io.opencensus:opencensus-contrib-grpc-util:0.17.0
-io.opencensus:opencensus-contrib-http-util:0.24.0
+io.opencensus:opencensus-contrib-http-util:0.21.0
 it.unimi.dsi:fastutil:6.5.16
 javax.activation:activation:1.1
 javax.activation:javax.activation-api:1.2.0
@@ -184,8 +193,8 @@ org.apache.beam:beam-vendor-grpc-1_21_0:0.1
 org.apache.beam:beam-vendor-guava-26_0-jre:0.1
 org.apache.commons:commons-compress:1.19
 org.apache.commons:commons-lang3:3.5
-org.apache.httpcomponents:httpclient:4.5.11
-org.apache.httpcomponents:httpcore:4.4.13
+org.apache.httpcomponents:httpclient:4.5.8
+org.apache.httpcomponents:httpcore:4.4.11
 org.bouncycastle:bcpg-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.10.0
@@ -213,11 +222,11 @@ org.mockito:mockito-core:1.9.5
 org.mortbay.jetty:jetty-util:6.1.26
 org.mortbay.jetty:jetty:6.1.26
 org.objenesis:objenesis:1.2
-org.ow2.asm:asm-analysis:6.0
+org.ow2.asm:asm-analysis:7.0
 org.ow2.asm:asm-commons:6.0
-org.ow2.asm:asm-tree:6.0
-org.ow2.asm:asm-util:6.0
-org.ow2.asm:asm:6.0
+org.ow2.asm:asm-tree:7.0
+org.ow2.asm:asm-util:7.0
+org.ow2.asm:asm:7.0
 org.postgresql:postgresql:42.2.6
 org.rnorth.duct-tape:duct-tape:1.0.8
 org.rnorth.visible-assertions:visible-assertions:2.1.2
--- a/core/gradle/dependency-locks/runtime.lockfile
+++ b/core/gradle/dependency-locks/runtime.lockfile
@@ -1,21 +1,28 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
-androidx.annotation:annotation:1.1.0
 antlr:antlr:2.7.7
 aopalliance:aopalliance:1.0
 args4j:args4j:2.0.23
 cglib:cglib-nodep:2.2
 com.beust:jcommander:1.60
 com.fasterxml.jackson.core:jackson-annotations:2.9.10
-com.fasterxml.jackson.core:jackson-core:2.10.2
+com.fasterxml.jackson.core:jackson-core:2.9.10
 com.fasterxml.jackson.core:jackson-databind:2.9.10
 com.fasterxml:classmate:1.3.4
-com.google.api-client:google-api-client-appengine:1.30.8
+com.github.jnr:jffi:1.2.17
+com.github.jnr:jnr-a64asm:1.0.0
+com.github.jnr:jnr-constants:0.9.11
+com.github.jnr:jnr-enxio:0.19
+com.github.jnr:jnr-ffi:2.1.9
+com.github.jnr:jnr-posix:3.0.47
+com.github.jnr:jnr-unixsocket:0.21
+com.github.jnr:jnr-x86asm:1.0.2
+com.google.api-client:google-api-client-appengine:1.29.0
 com.google.api-client:google-api-client-jackson2:1.27.0
 com.google.api-client:google-api-client-java6:1.27.0
-com.google.api-client:google-api-client-servlet:1.30.8
-com.google.api-client:google-api-client:1.30.8
+com.google.api-client:google-api-client-servlet:1.29.0
+com.google.api-client:google-api-client:1.29.2
 com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.44.0
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:0.38.0
 com.google.api.grpc:grpc-google-cloud-bigtable-v2:0.38.0
@@ -51,6 +58,7 @@ com.google.apis:google-api-services-groupssettings:v1-rev60-1.22.0
 com.google.apis:google-api-services-monitoring:v3-rev426-1.23.0
 com.google.apis:google-api-services-pubsub:v1-rev20181105-1.27.0
 com.google.apis:google-api-services-sheets:v4-rev483-1.22.0
+com.google.apis:google-api-services-sqladmin:v1beta4-rev56-1.23.0
 com.google.apis:google-api-services-storage:v1-rev20181109-1.27.0
 com.google.appengine.tools:appengine-gcs-client:0.6
 com.google.appengine.tools:appengine-mapreduce:0.9
@@ -66,6 +74,7 @@ com.google.cloud.bigdataoss:gcsio:1.9.16
 com.google.cloud.bigdataoss:util:1.9.16
 com.google.cloud.bigtable:bigtable-client-core:1.8.0
 com.google.cloud.datastore:datastore-v1-proto-client:1.6.0
+com.google.cloud.sql:jdbc-socket-factory-core:1.0.12
 com.google.cloud:google-cloud-bigquerystorage:0.79.0-alpha
 com.google.cloud:google-cloud-bigtable-admin:0.73.0-alpha
 com.google.cloud:google-cloud-bigtable:0.73.0-alpha
@@ -85,22 +94,22 @@ com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:28.2-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.gwt:gwt-user:2.8.2
-com.google.http-client:google-http-client-appengine:1.34.1
-com.google.http-client:google-http-client-jackson2:1.34.1
+com.google.http-client:google-http-client-appengine:1.29.2
+com.google.http-client:google-http-client-jackson2:1.30.1
 com.google.http-client:google-http-client-jackson:1.20.0
 com.google.http-client:google-http-client-protobuf:1.20.0
-com.google.http-client:google-http-client:1.34.1
+com.google.http-client:google-http-client:1.30.1
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
 com.google.jsinterop:jsinterop-annotations:1.0.2
 com.google.monitoring-client:metrics:1.0.7
 com.google.monitoring-client:stackdriver:1.0.7
-com.google.oauth-client:google-oauth-client-appengine:1.30.5
+com.google.oauth-client:google-oauth-client-appengine:1.29.0
 com.google.oauth-client:google-oauth-client-java6:1.28.0
 com.google.oauth-client:google-oauth-client-jetty:1.28.0
-com.google.oauth-client:google-oauth-client-servlet:1.30.5
-com.google.oauth-client:google-oauth-client:1.30.5
+com.google.oauth-client:google-oauth-client-servlet:1.29.0
+com.google.oauth-client:google-oauth-client:1.29.2
 com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5
 com.google.protobuf:protobuf-java-util:3.6.1
 com.google.protobuf:protobuf-java:3.6.1
@@ -125,7 +134,7 @@ io.dropwizard.metrics:metrics-core:3.1.2
 io.grpc:grpc-all:1.17.1
 io.grpc:grpc-alts:1.17.1
 io.grpc:grpc-auth:1.17.1
-io.grpc:grpc-context:1.22.1
+io.grpc:grpc-context:1.19.0
 io.grpc:grpc-core:1.17.1
 io.grpc:grpc-grpclb:1.17.1
 io.grpc:grpc-netty-shaded:1.17.1
@@ -147,10 +156,10 @@ io.netty:netty-handler:4.1.30.Final
 io.netty:netty-resolver:4.1.30.Final
 io.netty:netty-tcnative-boringssl-static:2.0.17.Final
 io.netty:netty-transport:4.1.30.Final
-io.opencensus:opencensus-api:0.24.0
+io.opencensus:opencensus-api:0.21.0
 io.opencensus:opencensus-contrib-grpc-metrics:0.17.0
 io.opencensus:opencensus-contrib-grpc-util:0.17.0
-io.opencensus:opencensus-contrib-http-util:0.24.0
+io.opencensus:opencensus-contrib-http-util:0.21.0
 it.unimi.dsi:fastutil:6.5.16
 javax.activation:activation:1.1
 javax.activation:javax.activation-api:1.2.0
@@ -184,8 +193,8 @@ org.apache.beam:beam-vendor-grpc-1_21_0:0.1
 org.apache.beam:beam-vendor-guava-26_0-jre:0.1
 org.apache.commons:commons-compress:1.19
 org.apache.commons:commons-lang3:3.5
-org.apache.httpcomponents:httpclient:4.5.11
-org.apache.httpcomponents:httpcore:4.4.13
+org.apache.httpcomponents:httpclient:4.5.8
+org.apache.httpcomponents:httpcore:4.4.11
 org.bouncycastle:bcpg-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.10.0
@@ -213,11 +222,11 @@ org.mockito:mockito-core:1.9.5
 org.mortbay.jetty:jetty-util:6.1.26
 org.mortbay.jetty:jetty:6.1.26
 org.objenesis:objenesis:1.2
-org.ow2.asm:asm-analysis:6.0
+org.ow2.asm:asm-analysis:7.0
 org.ow2.asm:asm-commons:6.0
-org.ow2.asm:asm-tree:6.0
-org.ow2.asm:asm-util:6.0
-org.ow2.asm:asm:6.0
+org.ow2.asm:asm-tree:7.0
+org.ow2.asm:asm-util:7.0
+org.ow2.asm:asm:7.0
 org.postgresql:postgresql:42.2.6
 org.rnorth.duct-tape:duct-tape:1.0.8
 org.rnorth.visible-assertions:visible-assertions:2.1.2
--- a/core/gradle/dependency-locks/runtimeClasspath.lockfile
+++ b/core/gradle/dependency-locks/runtimeClasspath.lockfile
@@ -1,14 +1,13 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
-androidx.annotation:annotation:1.1.0
 antlr:antlr:2.7.7
 aopalliance:aopalliance:1.0
 args4j:args4j:2.0.23
 cglib:cglib-nodep:2.2
 com.beust:jcommander:1.60
 com.fasterxml.jackson.core:jackson-annotations:2.9.10
-com.fasterxml.jackson.core:jackson-core:2.10.2
+com.fasterxml.jackson.core:jackson-core:2.9.10
 com.fasterxml.jackson.core:jackson-databind:2.9.10
 com.fasterxml:classmate:1.3.4
 com.github.jnr:jffi:1.2.17
@@ -19,11 +18,11 @@ com.github.jnr:jnr-ffi:2.1.9
 com.github.jnr:jnr-posix:3.0.47
 com.github.jnr:jnr-unixsocket:0.21
 com.github.jnr:jnr-x86asm:1.0.2
-com.google.api-client:google-api-client-appengine:1.30.8
+com.google.api-client:google-api-client-appengine:1.29.0
 com.google.api-client:google-api-client-jackson2:1.27.0
 com.google.api-client:google-api-client-java6:1.27.0
-com.google.api-client:google-api-client-servlet:1.30.8
-com.google.api-client:google-api-client:1.30.8
+com.google.api-client:google-api-client-servlet:1.29.0
+com.google.api-client:google-api-client:1.29.2
 com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.44.0
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:0.38.0
 com.google.api.grpc:grpc-google-cloud-bigtable-v2:0.38.0
@@ -96,22 +95,22 @@ com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:28.2-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.gwt:gwt-user:2.8.2
-com.google.http-client:google-http-client-appengine:1.34.1
-com.google.http-client:google-http-client-jackson2:1.34.1
+com.google.http-client:google-http-client-appengine:1.29.2
+com.google.http-client:google-http-client-jackson2:1.30.1
 com.google.http-client:google-http-client-jackson:1.20.0
 com.google.http-client:google-http-client-protobuf:1.20.0
-com.google.http-client:google-http-client:1.34.1
+com.google.http-client:google-http-client:1.30.1
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
 com.google.jsinterop:jsinterop-annotations:1.0.2
 com.google.monitoring-client:metrics:1.0.7
 com.google.monitoring-client:stackdriver:1.0.7
-com.google.oauth-client:google-oauth-client-appengine:1.30.5
+com.google.oauth-client:google-oauth-client-appengine:1.29.0
 com.google.oauth-client:google-oauth-client-java6:1.28.0
 com.google.oauth-client:google-oauth-client-jetty:1.28.0
-com.google.oauth-client:google-oauth-client-servlet:1.30.5
-com.google.oauth-client:google-oauth-client:1.30.5
+com.google.oauth-client:google-oauth-client-servlet:1.29.0
+com.google.oauth-client:google-oauth-client:1.29.2
 com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5
 com.google.protobuf:protobuf-java-util:3.6.1
 com.google.protobuf:protobuf-java:3.6.1
@@ -136,7 +135,7 @@ io.dropwizard.metrics:metrics-core:3.1.2
 io.grpc:grpc-all:1.17.1
 io.grpc:grpc-alts:1.17.1
 io.grpc:grpc-auth:1.17.1
-io.grpc:grpc-context:1.22.1
+io.grpc:grpc-context:1.19.0
 io.grpc:grpc-core:1.17.1
 io.grpc:grpc-grpclb:1.17.1
 io.grpc:grpc-netty-shaded:1.17.1
@@ -158,10 +157,10 @@ io.netty:netty-handler:4.1.30.Final
 io.netty:netty-resolver:4.1.30.Final
 io.netty:netty-tcnative-boringssl-static:2.0.17.Final
 io.netty:netty-transport:4.1.30.Final
-io.opencensus:opencensus-api:0.24.0
+io.opencensus:opencensus-api:0.21.0
 io.opencensus:opencensus-contrib-grpc-metrics:0.17.0
 io.opencensus:opencensus-contrib-grpc-util:0.17.0
-io.opencensus:opencensus-contrib-http-util:0.24.0
+io.opencensus:opencensus-contrib-http-util:0.21.0
 it.unimi.dsi:fastutil:6.5.16
 javax.activation:activation:1.1
 javax.activation:javax.activation-api:1.2.0
@@ -194,8 +193,8 @@ org.apache.beam:beam-vendor-grpc-1_21_0:0.1
 org.apache.beam:beam-vendor-guava-26_0-jre:0.1
 org.apache.commons:commons-compress:1.19
 org.apache.commons:commons-lang3:3.5
-org.apache.httpcomponents:httpclient:4.5.11
-org.apache.httpcomponents:httpcore:4.4.13
+org.apache.httpcomponents:httpclient:4.5.8
+org.apache.httpcomponents:httpcore:4.4.11
 org.bouncycastle:bcpg-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.10.0
--- a/core/gradle/dependency-locks/testCompile.lockfile
+++ b/core/gradle/dependency-locks/testCompile.lockfile
@@ -1,21 +1,28 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
-androidx.annotation:annotation:1.1.0
 antlr:antlr:2.7.7
 aopalliance:aopalliance:1.0
 args4j:args4j:2.33
 cglib:cglib-nodep:2.2
 com.beust:jcommander:1.60
 com.fasterxml.jackson.core:jackson-annotations:2.9.10
-com.fasterxml.jackson.core:jackson-core:2.10.2
+com.fasterxml.jackson.core:jackson-core:2.9.10
 com.fasterxml.jackson.core:jackson-databind:2.9.10
 com.fasterxml:classmate:1.3.4
-com.google.api-client:google-api-client-appengine:1.30.8
+com.github.jnr:jffi:1.2.17
+com.github.jnr:jnr-a64asm:1.0.0
+com.github.jnr:jnr-constants:0.9.11
+com.github.jnr:jnr-enxio:0.19
+com.github.jnr:jnr-ffi:2.1.9
+com.github.jnr:jnr-posix:3.0.47
+com.github.jnr:jnr-unixsocket:0.21
+com.github.jnr:jnr-x86asm:1.0.2
+com.google.api-client:google-api-client-appengine:1.29.0
 com.google.api-client:google-api-client-jackson2:1.27.0
 com.google.api-client:google-api-client-java6:1.27.0
-com.google.api-client:google-api-client-servlet:1.30.8
-com.google.api-client:google-api-client:1.30.8
+com.google.api-client:google-api-client-servlet:1.29.0
+com.google.api-client:google-api-client:1.29.2
 com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.44.0
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:0.38.0
 com.google.api.grpc:grpc-google-cloud-bigtable-v2:0.38.0
@@ -51,6 +58,7 @@ com.google.apis:google-api-services-groupssettings:v1-rev60-1.22.0
 com.google.apis:google-api-services-monitoring:v3-rev426-1.23.0
 com.google.apis:google-api-services-pubsub:v1-rev20181105-1.27.0
 com.google.apis:google-api-services-sheets:v4-rev483-1.22.0
+com.google.apis:google-api-services-sqladmin:v1beta4-rev56-1.23.0
 com.google.apis:google-api-services-storage:v1-rev20181109-1.27.0
 com.google.appengine.tools:appengine-gcs-client:0.6
 com.google.appengine.tools:appengine-mapreduce:0.9
@@ -67,6 +75,7 @@ com.google.cloud.bigdataoss:gcsio:1.9.16
 com.google.cloud.bigdataoss:util:1.9.16
 com.google.cloud.bigtable:bigtable-client-core:1.8.0
 com.google.cloud.datastore:datastore-v1-proto-client:1.6.0
+com.google.cloud.sql:jdbc-socket-factory-core:1.0.12
 com.google.cloud:google-cloud-bigquerystorage:0.79.0-alpha
 com.google.cloud:google-cloud-bigtable-admin:0.73.0-alpha
 com.google.cloud:google-cloud-bigtable:0.73.0-alpha
@@ -87,11 +96,11 @@ com.google.guava:guava-testlib:28.2-jre
 com.google.guava:guava:28.2-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.gwt:gwt-user:2.8.2
-com.google.http-client:google-http-client-appengine:1.34.1
-com.google.http-client:google-http-client-jackson2:1.34.1
+com.google.http-client:google-http-client-appengine:1.29.2
+com.google.http-client:google-http-client-jackson2:1.30.1
 com.google.http-client:google-http-client-jackson:1.20.0
 com.google.http-client:google-http-client-protobuf:1.20.0
-com.google.http-client:google-http-client:1.34.1
+com.google.http-client:google-http-client:1.30.1
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
@@ -99,11 +108,11 @@ com.google.jsinterop:jsinterop-annotations:1.0.2
 com.google.monitoring-client:contrib:1.0.7
 com.google.monitoring-client:metrics:1.0.7
 com.google.monitoring-client:stackdriver:1.0.7
-com.google.oauth-client:google-oauth-client-appengine:1.30.5
+com.google.oauth-client:google-oauth-client-appengine:1.29.0
 com.google.oauth-client:google-oauth-client-java6:1.28.0
 com.google.oauth-client:google-oauth-client-jetty:1.28.0
-com.google.oauth-client:google-oauth-client-servlet:1.30.5
-com.google.oauth-client:google-oauth-client:1.30.5
+com.google.oauth-client:google-oauth-client-servlet:1.29.0
+com.google.oauth-client:google-oauth-client:1.29.2
 com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5
 com.google.protobuf:protobuf-java-util:3.6.1
 com.google.protobuf:protobuf-java:3.6.1
@@ -134,7 +143,7 @@ io.github.classgraph:classgraph:4.8.52
 io.grpc:grpc-all:1.17.1
 io.grpc:grpc-alts:1.17.1
 io.grpc:grpc-auth:1.17.1
-io.grpc:grpc-context:1.22.1
+io.grpc:grpc-context:1.19.0
 io.grpc:grpc-core:1.17.1
 io.grpc:grpc-grpclb:1.17.1
 io.grpc:grpc-netty-shaded:1.17.1
@@ -156,10 +165,10 @@ io.netty:netty-handler:4.1.30.Final
 io.netty:netty-resolver:4.1.30.Final
 io.netty:netty-tcnative-boringssl-static:2.0.17.Final
 io.netty:netty-transport:4.1.30.Final
-io.opencensus:opencensus-api:0.24.0
+io.opencensus:opencensus-api:0.21.0
 io.opencensus:opencensus-contrib-grpc-metrics:0.17.0
 io.opencensus:opencensus-contrib-grpc-util:0.17.0
-io.opencensus:opencensus-contrib-http-util:0.24.0
+io.opencensus:opencensus-contrib-http-util:0.21.0
 it.unimi.dsi:fastutil:6.5.16
 javax.activation:activation:1.1
 javax.activation:javax.activation-api:1.2.0
@@ -199,8 +208,8 @@ org.apache.commons:commons-lang3:3.8.1
 org.apache.commons:commons-text:1.6
 org.apache.ftpserver:ftplet-api:1.0.6
 org.apache.ftpserver:ftpserver-core:1.0.6
-org.apache.httpcomponents:httpclient:4.5.11
-org.apache.httpcomponents:httpcore:4.4.13
+org.apache.httpcomponents:httpclient:4.5.8
+org.apache.httpcomponents:httpcore:4.4.11
 org.apache.mina:mina-core:2.0.4
 org.apache.sshd:sshd-core:2.0.0
 org.apache.sshd:sshd-scp:2.0.0
@@ -245,11 +254,11 @@ org.mortbay.jetty:jetty-util:6.1.26
 org.mortbay.jetty:jetty:6.1.26
 org.objenesis:objenesis:2.6
 org.opentest4j:opentest4j:1.2.0
-org.ow2.asm:asm-analysis:6.0
+org.ow2.asm:asm-analysis:7.0
 org.ow2.asm:asm-commons:6.0
-org.ow2.asm:asm-tree:6.0
-org.ow2.asm:asm-util:6.0
-org.ow2.asm:asm:6.0
+org.ow2.asm:asm-tree:7.0
+org.ow2.asm:asm-util:7.0
+org.ow2.asm:asm:7.0
 org.rnorth.duct-tape:duct-tape:1.0.8
 org.rnorth.visible-assertions:visible-assertions:2.1.2
 org.rnorth:tcp-unix-socket-proxy:1.0.2
--- a/core/gradle/dependency-locks/testCompileClasspath.lockfile
+++ b/core/gradle/dependency-locks/testCompileClasspath.lockfile
@@ -1,21 +1,28 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
-androidx.annotation:annotation:1.1.0
 antlr:antlr:2.7.7
 aopalliance:aopalliance:1.0
 args4j:args4j:2.33
 cglib:cglib-nodep:2.2
 com.beust:jcommander:1.60
 com.fasterxml.jackson.core:jackson-annotations:2.9.10
-com.fasterxml.jackson.core:jackson-core:2.10.2
+com.fasterxml.jackson.core:jackson-core:2.9.10
 com.fasterxml.jackson.core:jackson-databind:2.9.10
 com.fasterxml:classmate:1.3.4
-com.google.api-client:google-api-client-appengine:1.30.8
+com.github.jnr:jffi:1.2.17
+com.github.jnr:jnr-a64asm:1.0.0
+com.github.jnr:jnr-constants:0.9.11
+com.github.jnr:jnr-enxio:0.19
+com.github.jnr:jnr-ffi:2.1.9
+com.github.jnr:jnr-posix:3.0.47
+com.github.jnr:jnr-unixsocket:0.21
+com.github.jnr:jnr-x86asm:1.0.2
+com.google.api-client:google-api-client-appengine:1.29.0
 com.google.api-client:google-api-client-jackson2:1.27.0
 com.google.api-client:google-api-client-java6:1.27.0
-com.google.api-client:google-api-client-servlet:1.30.8
-com.google.api-client:google-api-client:1.30.8
+com.google.api-client:google-api-client-servlet:1.29.0
+com.google.api-client:google-api-client:1.29.2
 com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.44.0
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:0.38.0
 com.google.api.grpc:grpc-google-cloud-bigtable-v2:0.38.0
@@ -51,6 +58,7 @@ com.google.apis:google-api-services-groupssettings:v1-rev60-1.22.0
 com.google.apis:google-api-services-monitoring:v3-rev426-1.23.0
 com.google.apis:google-api-services-pubsub:v1-rev20181105-1.27.0
 com.google.apis:google-api-services-sheets:v4-rev483-1.22.0
+com.google.apis:google-api-services-sqladmin:v1beta4-rev56-1.23.0
 com.google.apis:google-api-services-storage:v1-rev20181109-1.27.0
 com.google.appengine.tools:appengine-gcs-client:0.6
 com.google.appengine.tools:appengine-mapreduce:0.9
@@ -67,6 +75,7 @@ com.google.cloud.bigdataoss:gcsio:1.9.16
 com.google.cloud.bigdataoss:util:1.9.16
 com.google.cloud.bigtable:bigtable-client-core:1.8.0
 com.google.cloud.datastore:datastore-v1-proto-client:1.6.0
+com.google.cloud.sql:jdbc-socket-factory-core:1.0.12
 com.google.cloud:google-cloud-bigquerystorage:0.79.0-alpha
 com.google.cloud:google-cloud-bigtable-admin:0.73.0-alpha
 com.google.cloud:google-cloud-bigtable:0.73.0-alpha
@@ -86,11 +95,11 @@ com.google.guava:guava-testlib:28.2-jre
 com.google.guava:guava:28.2-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.gwt:gwt-user:2.8.2
-com.google.http-client:google-http-client-appengine:1.34.1
-com.google.http-client:google-http-client-jackson2:1.34.1
+com.google.http-client:google-http-client-appengine:1.29.2
+com.google.http-client:google-http-client-jackson2:1.30.1
 com.google.http-client:google-http-client-jackson:1.20.0
 com.google.http-client:google-http-client-protobuf:1.20.0
-com.google.http-client:google-http-client:1.34.1
+com.google.http-client:google-http-client:1.30.1
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
@@ -98,11 +107,11 @@ com.google.jsinterop:jsinterop-annotations:1.0.2
 com.google.monitoring-client:contrib:1.0.7
 com.google.monitoring-client:metrics:1.0.7
 com.google.monitoring-client:stackdriver:1.0.7
-com.google.oauth-client:google-oauth-client-appengine:1.30.5
+com.google.oauth-client:google-oauth-client-appengine:1.29.0
 com.google.oauth-client:google-oauth-client-java6:1.28.0
 com.google.oauth-client:google-oauth-client-jetty:1.28.0
-com.google.oauth-client:google-oauth-client-servlet:1.30.5
-com.google.oauth-client:google-oauth-client:1.30.5
+com.google.oauth-client:google-oauth-client-servlet:1.29.0
+com.google.oauth-client:google-oauth-client:1.29.2
 com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5
 com.google.protobuf:protobuf-java-util:3.6.1
 com.google.protobuf:protobuf-java:3.6.1
@@ -133,7 +142,7 @@ io.github.classgraph:classgraph:4.8.52
 io.grpc:grpc-all:1.17.1
 io.grpc:grpc-alts:1.17.1
 io.grpc:grpc-auth:1.17.1
-io.grpc:grpc-context:1.22.1
+io.grpc:grpc-context:1.19.0
 io.grpc:grpc-core:1.17.1
 io.grpc:grpc-netty-shaded:1.17.1
 io.grpc:grpc-netty:1.17.1
@@ -154,10 +163,10 @@ io.netty:netty-handler:4.1.30.Final
 io.netty:netty-resolver:4.1.30.Final
 io.netty:netty-tcnative-boringssl-static:2.0.17.Final
 io.netty:netty-transport:4.1.30.Final
-io.opencensus:opencensus-api:0.24.0
+io.opencensus:opencensus-api:0.21.0
 io.opencensus:opencensus-contrib-grpc-metrics:0.17.0
 io.opencensus:opencensus-contrib-grpc-util:0.17.0
-io.opencensus:opencensus-contrib-http-util:0.24.0
+io.opencensus:opencensus-contrib-http-util:0.21.0
 it.unimi.dsi:fastutil:6.5.16
 javax.activation:activation:1.1
 javax.activation:javax.activation-api:1.2.0
@@ -197,8 +206,8 @@ org.apache.commons:commons-lang3:3.8.1
 org.apache.commons:commons-text:1.6
 org.apache.ftpserver:ftplet-api:1.0.6
 org.apache.ftpserver:ftpserver-core:1.0.6
-org.apache.httpcomponents:httpclient:4.5.11
-org.apache.httpcomponents:httpcore:4.4.13
+org.apache.httpcomponents:httpclient:4.5.8
+org.apache.httpcomponents:httpcore:4.4.11
 org.apache.mina:mina-core:2.0.4
 org.apache.sshd:sshd-core:2.0.0
 org.apache.sshd:sshd-scp:2.0.0
@@ -243,11 +252,11 @@ org.mortbay.jetty:jetty-util:6.1.26
 org.mortbay.jetty:jetty:6.1.26
 org.objenesis:objenesis:2.6
 org.opentest4j:opentest4j:1.2.0
-org.ow2.asm:asm-analysis:6.0
+org.ow2.asm:asm-analysis:7.0
 org.ow2.asm:asm-commons:6.0
-org.ow2.asm:asm-tree:6.0
-org.ow2.asm:asm-util:6.0
-org.ow2.asm:asm:6.0
+org.ow2.asm:asm-tree:7.0
+org.ow2.asm:asm-util:7.0
+org.ow2.asm:asm:7.0
 org.rnorth.duct-tape:duct-tape:1.0.8
 org.rnorth.visible-assertions:visible-assertions:2.1.2
 org.rnorth:tcp-unix-socket-proxy:1.0.2
--- a/core/gradle/dependency-locks/testRuntime.lockfile
+++ b/core/gradle/dependency-locks/testRuntime.lockfile
@@ -1,14 +1,13 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
-androidx.annotation:annotation:1.1.0
 antlr:antlr:2.7.7
 aopalliance:aopalliance:1.0
 args4j:args4j:2.33
 cglib:cglib-nodep:2.2
 com.beust:jcommander:1.60
 com.fasterxml.jackson.core:jackson-annotations:2.9.10
-com.fasterxml.jackson.core:jackson-core:2.10.2
+com.fasterxml.jackson.core:jackson-core:2.9.10
 com.fasterxml.jackson.core:jackson-databind:2.9.10
 com.fasterxml:classmate:1.3.4
 com.github.jnr:jffi:1.2.17
@@ -19,11 +18,11 @@ com.github.jnr:jnr-ffi:2.1.9
 com.github.jnr:jnr-posix:3.0.47
 com.github.jnr:jnr-unixsocket:0.21
 com.github.jnr:jnr-x86asm:1.0.2
-com.google.api-client:google-api-client-appengine:1.30.8
+com.google.api-client:google-api-client-appengine:1.29.0
 com.google.api-client:google-api-client-jackson2:1.27.0
 com.google.api-client:google-api-client-java6:1.27.0
-com.google.api-client:google-api-client-servlet:1.30.8
-com.google.api-client:google-api-client:1.30.8
+com.google.api-client:google-api-client-servlet:1.29.0
+com.google.api-client:google-api-client:1.29.2
 com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.44.0
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:0.38.0
 com.google.api.grpc:grpc-google-cloud-bigtable-v2:0.38.0
@@ -98,11 +97,11 @@ com.google.guava:guava-testlib:28.2-jre
 com.google.guava:guava:28.2-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.gwt:gwt-user:2.8.2
-com.google.http-client:google-http-client-appengine:1.34.1
-com.google.http-client:google-http-client-jackson2:1.34.1
+com.google.http-client:google-http-client-appengine:1.29.2
+com.google.http-client:google-http-client-jackson2:1.30.1
 com.google.http-client:google-http-client-jackson:1.20.0
 com.google.http-client:google-http-client-protobuf:1.20.0
-com.google.http-client:google-http-client:1.34.1
+com.google.http-client:google-http-client:1.30.1
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
@@ -110,11 +109,11 @@ com.google.jsinterop:jsinterop-annotations:1.0.2
 com.google.monitoring-client:contrib:1.0.7
 com.google.monitoring-client:metrics:1.0.7
 com.google.monitoring-client:stackdriver:1.0.7
-com.google.oauth-client:google-oauth-client-appengine:1.30.5
+com.google.oauth-client:google-oauth-client-appengine:1.29.0
 com.google.oauth-client:google-oauth-client-java6:1.28.0
 com.google.oauth-client:google-oauth-client-jetty:1.28.0
-com.google.oauth-client:google-oauth-client-servlet:1.30.5
-com.google.oauth-client:google-oauth-client:1.30.5
+com.google.oauth-client:google-oauth-client-servlet:1.29.0
+com.google.oauth-client:google-oauth-client:1.29.2
 com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5
 com.google.protobuf:protobuf-java-util:3.6.1
 com.google.protobuf:protobuf-java:3.6.1
@@ -146,7 +145,7 @@ io.github.java-diff-utils:java-diff-utils:4.0
 io.grpc:grpc-all:1.17.1
 io.grpc:grpc-alts:1.17.1
 io.grpc:grpc-auth:1.17.1
-io.grpc:grpc-context:1.22.1
+io.grpc:grpc-context:1.19.0
 io.grpc:grpc-core:1.17.1
 io.grpc:grpc-grpclb:1.17.1
 io.grpc:grpc-netty-shaded:1.17.1
@@ -168,10 +167,10 @@ io.netty:netty-handler:4.1.30.Final
 io.netty:netty-resolver:4.1.30.Final
 io.netty:netty-tcnative-boringssl-static:2.0.17.Final
 io.netty:netty-transport:4.1.30.Final
-io.opencensus:opencensus-api:0.24.0
+io.opencensus:opencensus-api:0.21.0
 io.opencensus:opencensus-contrib-grpc-metrics:0.17.0
 io.opencensus:opencensus-contrib-grpc-util:0.17.0
-io.opencensus:opencensus-contrib-http-util:0.24.0
+io.opencensus:opencensus-contrib-http-util:0.21.0
 it.unimi.dsi:fastutil:6.5.16
 javax.activation:activation:1.1
 javax.activation:javax.activation-api:1.2.0
@@ -211,8 +210,8 @@ org.apache.commons:commons-lang3:3.8.1
 org.apache.commons:commons-text:1.6
 org.apache.ftpserver:ftplet-api:1.0.6
 org.apache.ftpserver:ftpserver-core:1.0.6
-org.apache.httpcomponents:httpclient:4.5.11
-org.apache.httpcomponents:httpcore:4.4.13
+org.apache.httpcomponents:httpclient:4.5.8
+org.apache.httpcomponents:httpcore:4.4.11
 org.apache.mina:mina-core:2.0.4
 org.apache.sshd:sshd-core:2.0.0
 org.apache.sshd:sshd-scp:2.0.0
--- a/core/gradle/dependency-locks/testRuntimeClasspath.lockfile
+++ b/core/gradle/dependency-locks/testRuntimeClasspath.lockfile
@@ -1,14 +1,13 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
-androidx.annotation:annotation:1.1.0
 antlr:antlr:2.7.7
 aopalliance:aopalliance:1.0
 args4j:args4j:2.33
 cglib:cglib-nodep:2.2
 com.beust:jcommander:1.60
 com.fasterxml.jackson.core:jackson-annotations:2.9.10
-com.fasterxml.jackson.core:jackson-core:2.10.2
+com.fasterxml.jackson.core:jackson-core:2.9.10
 com.fasterxml.jackson.core:jackson-databind:2.9.10
 com.fasterxml:classmate:1.3.4
 com.github.jnr:jffi:1.2.17
@@ -19,11 +18,11 @@ com.github.jnr:jnr-ffi:2.1.9
 com.github.jnr:jnr-posix:3.0.47
 com.github.jnr:jnr-unixsocket:0.21
 com.github.jnr:jnr-x86asm:1.0.2
-com.google.api-client:google-api-client-appengine:1.30.8
+com.google.api-client:google-api-client-appengine:1.29.0
 com.google.api-client:google-api-client-jackson2:1.27.0
 com.google.api-client:google-api-client-java6:1.27.0
-com.google.api-client:google-api-client-servlet:1.30.8
-com.google.api-client:google-api-client:1.30.8
+com.google.api-client:google-api-client-servlet:1.29.0
+com.google.api-client:google-api-client:1.29.2
 com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.44.0
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:0.38.0
 com.google.api.grpc:grpc-google-cloud-bigtable-v2:0.38.0
@@ -98,11 +97,11 @@ com.google.guava:guava-testlib:28.2-jre
 com.google.guava:guava:28.2-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.gwt:gwt-user:2.8.2
-com.google.http-client:google-http-client-appengine:1.34.1
-com.google.http-client:google-http-client-jackson2:1.34.1
+com.google.http-client:google-http-client-appengine:1.29.2
+com.google.http-client:google-http-client-jackson2:1.30.1
 com.google.http-client:google-http-client-jackson:1.20.0
 com.google.http-client:google-http-client-protobuf:1.20.0
-com.google.http-client:google-http-client:1.34.1
+com.google.http-client:google-http-client:1.30.1
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
@@ -110,11 +109,11 @@ com.google.jsinterop:jsinterop-annotations:1.0.2
 com.google.monitoring-client:contrib:1.0.7
 com.google.monitoring-client:metrics:1.0.7
 com.google.monitoring-client:stackdriver:1.0.7
-com.google.oauth-client:google-oauth-client-appengine:1.30.5
+com.google.oauth-client:google-oauth-client-appengine:1.29.0
 com.google.oauth-client:google-oauth-client-java6:1.28.0
 com.google.oauth-client:google-oauth-client-jetty:1.28.0
-com.google.oauth-client:google-oauth-client-servlet:1.30.5
-com.google.oauth-client:google-oauth-client:1.30.5
+com.google.oauth-client:google-oauth-client-servlet:1.29.0
+com.google.oauth-client:google-oauth-client:1.29.2
 com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5
 com.google.protobuf:protobuf-java-util:3.6.1
 com.google.protobuf:protobuf-java:3.6.1
@@ -146,7 +145,7 @@ io.github.java-diff-utils:java-diff-utils:4.0
 io.grpc:grpc-all:1.17.1
 io.grpc:grpc-alts:1.17.1
 io.grpc:grpc-auth:1.17.1
-io.grpc:grpc-context:1.22.1
+io.grpc:grpc-context:1.19.0
 io.grpc:grpc-core:1.17.1
 io.grpc:grpc-grpclb:1.17.1
 io.grpc:grpc-netty-shaded:1.17.1
@@ -168,10 +167,10 @@ io.netty:netty-handler:4.1.30.Final
 io.netty:netty-resolver:4.1.30.Final
 io.netty:netty-tcnative-boringssl-static:2.0.17.Final
 io.netty:netty-transport:4.1.30.Final
-io.opencensus:opencensus-api:0.24.0
+io.opencensus:opencensus-api:0.21.0
 io.opencensus:opencensus-contrib-grpc-metrics:0.17.0
 io.opencensus:opencensus-contrib-grpc-util:0.17.0
-io.opencensus:opencensus-contrib-http-util:0.24.0
+io.opencensus:opencensus-contrib-http-util:0.21.0
 it.unimi.dsi:fastutil:6.5.16
 javax.activation:activation:1.1
 javax.activation:javax.activation-api:1.2.0
@@ -211,8 +210,8 @@ org.apache.commons:commons-lang3:3.8.1
 org.apache.commons:commons-text:1.6
 org.apache.ftpserver:ftplet-api:1.0.6
 org.apache.ftpserver:ftpserver-core:1.0.6
-org.apache.httpcomponents:httpclient:4.5.11
-org.apache.httpcomponents:httpcore:4.4.13
+org.apache.httpcomponents:httpclient:4.5.8
+org.apache.httpcomponents:httpcore:4.4.11
 org.apache.mina:mina-core:2.0.4
 org.apache.sshd:sshd-core:2.0.0
 org.apache.sshd:sshd-scp:2.0.0
--- a/core/src/main/java/google/registry/batch/BatchModule.java
+++ b/core/src/main/java/google/registry/batch/BatchModule.java
@@ -21,6 +21,7 @@ import static google.registry.batch.AsyncTaskEnqueuer.PARAM_RESOURCE_KEY;
 import static google.registry.batch.AsyncTaskEnqueuer.QUEUE_ASYNC_ACTIONS;
 import static google.registry.batch.AsyncTaskEnqueuer.QUEUE_ASYNC_DELETE;
 import static google.registry.batch.AsyncTaskEnqueuer.QUEUE_ASYNC_HOST_RENAME;
+import static google.registry.request.RequestParameters.extractLongParameter;
 import static google.registry.request.RequestParameters.extractOptionalBooleanParameter;
 import static google.registry.request.RequestParameters.extractOptionalIntParameter;
 import static google.registry.request.RequestParameters.extractOptionalParameter;
@@ -40,9 +41,7 @@ import javax.inject.Named;
 import javax.servlet.http.HttpServletRequest;
 import org.joda.time.DateTime;

-/**
- * Dagger module for injecting common settings for batch actions.
- */
+/** Dagger module for injecting common settings for batch actions. */
@Module
 public class BatchModule {

@@ -94,6 +93,12 @@ public class BatchModule {
    return extractSetOfDatetimeParameters(req, PARAM_RESAVE_TIMES);
  }

+  @Provides
+  @Parameter("oldUnlockRevisionId")
+  static long provideOldUnlockRevisionId(HttpServletRequest req) {
+    return extractLongParameter(req, "oldUnlockRevisionId");
+  }
+
  @Provides
  @Named(QUEUE_ASYNC_ACTIONS)
  static Queue provideAsyncActionsPushQueue() {
--- a/core/src/main/java/google/registry/batch/RelockDomainAction.java
+++ b/core/src/main/java/google/registry/batch/RelockDomainAction.java
@@ -0,0 +1,167 @@
+// Copyright 2020 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.batch;
+
+import static com.google.common.base.Preconditions.checkArgument;
+import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.persistence.transaction.TransactionManagerFactory.jpaTm;
+import static google.registry.request.Action.Method.POST;
+import static google.registry.tools.LockOrUnlockDomainCommand.REGISTRY_LOCK_STATUSES;
+import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
+import static javax.servlet.http.HttpServletResponse.SC_NO_CONTENT;
+import static javax.servlet.http.HttpServletResponse.SC_OK;
+
+import com.google.common.collect.ImmutableSet;
+import com.google.common.flogger.FluentLogger;
+import com.google.common.net.MediaType;
+import google.registry.model.domain.DomainBase;
+import google.registry.model.eppcommon.StatusValue;
+import google.registry.model.registry.RegistryLockDao;
+import google.registry.request.Action;
+import google.registry.request.Parameter;
+import google.registry.request.Response;
+import google.registry.request.auth.Auth;
+import google.registry.schema.domain.RegistryLock;
+import google.registry.tools.DomainLockUtils;
+import google.registry.util.DateTimeUtils;
+import javax.inject.Inject;
+
+/**
+ * Task that relocks a previously-Registry-Locked domain after some predetermined period of time.
+ */
+@Action(
+    service = Action.Service.BACKEND,
+    path = RelockDomainAction.PATH,
+    method = POST,
+    automaticallyPrintOk = true,
+    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+public class RelockDomainAction implements Runnable {
+
+  public static final String PATH = "/_dr/task/relockDomain";
+
+  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
+
+  private final long oldUnlockRevisionId;
+  private final DomainLockUtils domainLockUtils;
+  private final Response response;
+
+  @Inject
+  public RelockDomainAction(
+      @Parameter("oldUnlockRevisionId") long oldUnlockRevisionId,
+      DomainLockUtils domainLockUtils,
+      Response response) {
+    this.oldUnlockRevisionId = oldUnlockRevisionId;
+    this.domainLockUtils = domainLockUtils;
+    this.response = response;
+  }
+
+  @Override
+  public void run() {
+    jpaTm().transact(this::relockDomain);
+  }
+
+  private void relockDomain() {
+    RegistryLock oldLock;
+    try {
+      oldLock =
+          RegistryLockDao.getByRevisionId(oldUnlockRevisionId)
+              .orElseThrow(
+                  () ->
+                      new IllegalArgumentException(
+                          String.format("Unknown revision ID %d", oldUnlockRevisionId)));
+      DomainBase domain =
+          ofy()
+              .load()
+              .type(DomainBase.class)
+              .id(oldLock.getRepoId())
+              .now()
+              .cloneProjectedAtTime(jpaTm().getTransactionTime());
+
+      if (domain.getStatusValues().containsAll(REGISTRY_LOCK_STATUSES)
+          || oldLock.getRelock() != null) {
+        // The domain was manually locked, so we shouldn't worry about relocking
+        String message =
+            String.format(
+                "Domain %s is already manually relocked, skipping automated relock.",
+                domain.getFullyQualifiedDomainName());
+        logger.atInfo().log(message);
+        // SC_NO_CONTENT (204) skips retry -- see the comment below
+        response.setStatus(SC_NO_CONTENT);
+        response.setContentType(MediaType.PLAIN_TEXT_UTF_8);
+        response.setPayload(message);
+        return;
+      }
+      verifyDomainAndLockState(oldLock, domain);
+    } catch (Throwable t) {
+      /* If there's a bad verification code or the domain is in a bad state, we won't want to retry.
+       * AppEngine will retry on non-2xx error codes, so we return SC_NO_CONTENT (204) to avoid it.
+       *
+       * See https://cloud.google.com/appengine/docs/standard/java/taskqueue/push/retrying-tasks
+       * for more details on retry behavior. */
+      logger.atWarning().withCause(t).log(
+          "Exception when attempting to relock domain with old revision ID %d.",
+          oldUnlockRevisionId);
+      response.setStatus(SC_NO_CONTENT);
+      response.setContentType(MediaType.PLAIN_TEXT_UTF_8);
+      response.setPayload(String.format("Relock failed: %s", t.getMessage()));
+      return;
+    }
+    applyRelock(oldLock);
+  }
+
+  private void applyRelock(RegistryLock oldLock) {
+    try {
+      domainLockUtils.administrativelyApplyLock(
+          oldLock.getDomainName(),
+          oldLock.getRegistrarId(),
+          oldLock.getRegistrarPocId(),
+          oldLock.isSuperuser());
+      logger.atInfo().log("Relocked domain %s.", oldLock.getDomainName());
+      response.setStatus(SC_OK);
+    } catch (Throwable t) {
+      // Any errors that occur here are unexpected, so we should retry. Return a non-2xx
+      // error code to get AppEngine to retry
+      logger.atSevere().withCause(t).log(
+          "Exception when attempting to relock domain %s.", oldLock.getDomainName());
+      response.setStatus(SC_INTERNAL_SERVER_ERROR);
+      response.setContentType(MediaType.PLAIN_TEXT_UTF_8);
+      response.setPayload(String.format("Relock failed: %s", t.getMessage()));
+    }
+  }
+
+  private void verifyDomainAndLockState(RegistryLock oldLock, DomainBase domain) {
+    // Domain shouldn't be deleted or have a pending transfer/delete
+    String domainName = domain.getFullyQualifiedDomainName();
+    checkArgument(
+        !DateTimeUtils.isAtOrAfter(jpaTm().getTransactionTime(), domain.getDeletionTime()),
+        "Domain %s has been deleted",
+        domainName);
+    ImmutableSet<StatusValue> statusValues = domain.getStatusValues();
+    checkArgument(
+        !statusValues.contains(StatusValue.PENDING_DELETE),
+        "Domain %s has a pending delete",
+        domainName);
+    checkArgument(
+        !statusValues.contains(StatusValue.PENDING_TRANSFER),
+        "Domain %s has a pending transfer",
+        domainName);
+    checkArgument(
+        domain.getCurrentSponsorClientId().equals(oldLock.getRegistrarId()),
+        "Domain %s has been transferred from registrar %s to registrar %s since the unlock",
+        domainName,
+        oldLock.getRegistrarId(),
+        domain.getCurrentSponsorClientId());
+  }
+}
--- a/core/src/main/java/google/registry/model/ofy/DatastoreTransactionManager.java
+++ b/core/src/main/java/google/registry/model/ofy/DatastoreTransactionManager.java
@@ -16,7 +16,11 @@ package google.registry.model.ofy;

 import static google.registry.model.ofy.ObjectifyService.ofy;

+import com.google.common.collect.ImmutableCollection;
+import com.google.common.collect.ImmutableList;
+import google.registry.persistence.VKey;
 import google.registry.persistence.transaction.TransactionManager;
+import java.util.Optional;
 import java.util.function.Supplier;
 import org.joda.time.DateTime;

@@ -83,4 +87,64 @@ public class DatastoreTransactionManager implements TransactionManager {
  public DateTime getTransactionTime() {
    return getOfy().getTransactionTime();
  }
+
+  @Override
+  public void saveNew(Object entity) {
+    throw new UnsupportedOperationException("Not available in the Datastore transaction manager");
+  }
+
+  @Override
+  public void saveAllNew(ImmutableCollection<?> entities) {
+    throw new UnsupportedOperationException("Not available in the Datastore transaction manager");
+  }
+
+  @Override
+  public void saveNewOrUpdate(Object entity) {
+    throw new UnsupportedOperationException("Not available in the Datastore transaction manager");
+  }
+
+  @Override
+  public void saveNewOrUpdateAll(ImmutableCollection<?> entities) {
+    throw new UnsupportedOperationException("Not available in the Datastore transaction manager");
+  }
+
+  @Override
+  public void update(Object entity) {
+    throw new UnsupportedOperationException("Not available in the Datastore transaction manager");
+  }
+
+  @Override
+  public void updateAll(ImmutableCollection<?> entities) {
+    throw new UnsupportedOperationException("Not available in the Datastore transaction manager");
+  }
+
+  @Override
+  public boolean checkExists(Object entity) {
+    throw new UnsupportedOperationException("Not available in the Datastore transaction manager");
+  }
+
+  @Override
+  public <T> boolean checkExists(VKey<T> key) {
+    throw new UnsupportedOperationException("Not available in the Datastore transaction manager");
+  }
+
+  @Override
+  public <T> Optional<T> load(VKey<T> key) {
+    throw new UnsupportedOperationException("Not available in the Datastore transaction manager");
+  }
+
+  @Override
+  public <T> ImmutableList<T> loadAll(Class<T> clazz) {
+    throw new UnsupportedOperationException("Not available in the Datastore transaction manager");
+  }
+
+  @Override
+  public <T> int delete(VKey<T> key) {
+    throw new UnsupportedOperationException("Not available in the Datastore transaction manager");
+  }
+
+  @Override
+  public <T> void assertDelete(VKey<T> key) {
+    throw new UnsupportedOperationException("Not available in the Datastore transaction manager");
+  }
 }
--- a/core/src/main/java/google/registry/model/registrar/RegistrarContact.java
+++ b/core/src/main/java/google/registry/model/registrar/RegistrarContact.java
@@ -44,7 +44,9 @@ import google.registry.model.Jsonifiable;
 import google.registry.model.annotations.ReportedOn;
 import java.util.Arrays;
 import java.util.Map;
+import java.util.Optional;
 import java.util.Set;
+import javax.annotation.Nullable;
 import javax.persistence.Column;
 import javax.persistence.Table;
 import javax.persistence.Transient;
@@ -112,6 +114,9 @@ public class RegistrarContact extends ImmutableObject implements Jsonifiable {
  @Column(nullable = false)
  String emailAddress;

+  /** External email address of this contact used for registry lock confirmations. */
+  String registryLockEmailAddress;
+
  /** The voice number of the contact. */
  String phoneNumber;

@@ -212,6 +217,10 @@ public class RegistrarContact extends ImmutableObject implements Jsonifiable {
    return emailAddress;
  }

+  public Optional<String> getRegistryLockEmailAddress() {
+    return Optional.ofNullable(registryLockEmailAddress);
+  }
+
  public String getPhoneNumber() {
    return phoneNumber;
  }
@@ -318,6 +327,7 @@ public class RegistrarContact extends ImmutableObject implements Jsonifiable {
    return new JsonMapBuilder()
        .put("name", name)
        .put("emailAddress", emailAddress)
+        .put("registryLockEmailAddress", registryLockEmailAddress)
        .put("phoneNumber", phoneNumber)
        .put("faxNumber", faxNumber)
        .put("types", getTypes().stream().map(Object::toString).collect(joining(",")))
@@ -352,6 +362,14 @@ public class RegistrarContact extends ImmutableObject implements Jsonifiable {
    public RegistrarContact build() {
      checkNotNull(getInstance().parent, "Registrar parent cannot be null");
      checkValidEmail(getInstance().emailAddress);
+      // Check allowedToSetRegistryLockPassword here because if we want to allow the user to set
+      // a registry lock password, we must also set up the correct registry lock email concurrently
+      // or beforehand.
+      if (getInstance().allowedToSetRegistryLockPassword) {
+        checkArgument(
+            !isNullOrEmpty(getInstance().registryLockEmailAddress),
+            "Registry lock email must not be null if allowing registry lock access");
+      }
      return cloneEmptyToNull(super.build());
    }

@@ -365,6 +383,11 @@ public class RegistrarContact extends ImmutableObject implements Jsonifiable {
      return this;
    }

+    public Builder setRegistryLockEmailAddress(@Nullable String registryLockEmailAddress) {
+      getInstance().registryLockEmailAddress = registryLockEmailAddress;
+      return this;
+    }
+
    public Builder setPhoneNumber(String phoneNumber) {
      getInstance().phoneNumber = phoneNumber;
      return this;
--- a/core/src/main/java/google/registry/model/registry/RegistryLockDao.java
+++ b/core/src/main/java/google/registry/model/registry/RegistryLockDao.java
@@ -25,6 +25,12 @@ import javax.persistence.EntityManager;
 /** Data access object for {@link google.registry.schema.domain.RegistryLock}. */
 public final class RegistryLockDao {

+  /** Returns the {@link RegistryLock} referred to by this revision ID, or empty if none exists. */
+  public static Optional<RegistryLock> getByRevisionId(long revisionId) {
+    jpaTm().assertInTransaction();
+    return Optional.ofNullable(jpaTm().getEntityManager().find(RegistryLock.class, revisionId));
+  }
+
  /** Returns the most recent version of the {@link RegistryLock} referred to by the code. */
  public static Optional<RegistryLock> getByVerificationCode(String verificationCode) {
    jpaTm().assertInTransaction();
@@ -46,8 +52,10 @@ public final class RegistryLockDao {
        jpaTm()
            .getEntityManager()
            .createQuery(
-                "SELECT lock FROM RegistryLock lock WHERE lock.registrarId = :registrarId"
-                    + " AND lock.unlockCompletionTimestamp IS NULL",
+                "SELECT lock FROM RegistryLock lock"
+                    + " WHERE lock.registrarId = :registrarId"
+                    + " AND lock.unlockCompletionTimestamp IS NULL"
+                    + " ORDER BY lock.domainName ASC",
                RegistryLock.class)
            .setParameter("registrarId", registrarId)
            .getResultList());
@@ -84,7 +92,29 @@ public final class RegistryLockDao {
        .getEntityManager()
        .createQuery(
            "SELECT lock FROM RegistryLock lock WHERE lock.repoId = :repoId AND"
-                + " lock.lockCompletionTimestamp IS NOT NULL ORDER BY lock.revisionId"
+                + " lock.lockCompletionTimestamp IS NOT NULL AND"
+                + " lock.unlockCompletionTimestamp IS NULL ORDER BY lock.revisionId"
+                + " DESC",
+            RegistryLock.class)
+        .setParameter("repoId", repoId)
+        .setMaxResults(1)
+        .getResultStream()
+        .findFirst();
+  }
+
+  /**
+   * Returns the most recent verified unlock for a given domain specified by repo ID.
+   *
+   * <p>Returns empty if no unlock has ever been finalized for this domain. This is different from
+   * {@link #getMostRecentByRepoId(String)} in that it only returns verified unlocks.
+   */
+  public static Optional<RegistryLock> getMostRecentVerifiedUnlockByRepoId(String repoId) {
+    jpaTm().assertInTransaction();
+    return jpaTm()
+        .getEntityManager()
+        .createQuery(
+            "SELECT lock FROM RegistryLock lock WHERE lock.repoId = :repoId AND"
+                + " lock.unlockCompletionTimestamp IS NOT NULL ORDER BY lock.revisionId"
                + " DESC",
            RegistryLock.class)
        .setParameter("repoId", repoId)
--- a/core/src/main/java/google/registry/model/server/Lock.java
+++ b/core/src/main/java/google/registry/model/server/Lock.java
@@ -16,6 +16,7 @@ package google.registry.model.server;

 import static com.google.common.base.Preconditions.checkArgument;
 import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.persistence.transaction.TransactionManagerFactory.jpaTm;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.DateTimeUtils.isAtOrAfter;

@@ -28,6 +29,7 @@ import com.googlecode.objectify.annotation.Id;
 import google.registry.model.ImmutableObject;
 import google.registry.model.annotations.NotBackedUp;
 import google.registry.model.annotations.NotBackedUp.Reason;
+import google.registry.schema.server.LockDao;
 import google.registry.util.RequestStatusChecker;
 import google.registry.util.RequestStatusCheckerImpl;
 import java.io.Serializable;
@@ -76,6 +78,18 @@ public class Lock extends ImmutableObject implements Serializable {
  /** When the lock can be considered implicitly released. */
  DateTime expirationTime;

+  public String getRequestLogId() {
+    return requestLogId;
+  }
+
+  public DateTime getExpirationTime() {
+    return expirationTime;
+  }
+
+  public DateTime getAcquiredTime() {
+    return acquiredTime;
+  }
+
  /** When was the lock acquired. Used for logging. */
  DateTime acquiredTime;

@@ -87,10 +101,10 @@ public class Lock extends ImmutableObject implements Serializable {
  String tld;

  /**
-   * Create a new {@link Lock} for the given resource name in the specified tld (which can be
-   * null for cross-tld locks).
+   * Create a new {@link Lock} for the given resource name in the specified tld (which can be null
+   * for cross-tld locks).
   */
-  private static Lock create(
+  public static Lock create(
      String resourceName,
      @Nullable String tld,
      String requestLogId,
@@ -177,13 +191,24 @@ public class Lock extends ImmutableObject implements Serializable {
    // access to resources like GCS that can't be transactionally rolled back. Therefore, the lock
    // must be definitively acquired before it is used, even when called inside another transaction.
    AcquireResult acquireResult =
-        tm()
-            .transactNew(
+        tm().transactNew(
                () -> {
                  DateTime now = tm().getTransactionTime();

                  // Checking if an unexpired lock still exists - if so, the lock can't be acquired.
                  Lock lock = ofy().load().type(Lock.class).id(lockId).now();
+                  try {
+                    jpaTm()
+                        .transact(
+                            () -> {
+                              Optional<google.registry.schema.server.Lock> cloudSqlLockOptional =
+                                  LockDao.load(resourceName, tld);
+                              LockDao.compare(Optional.ofNullable(lock), cloudSqlLockOptional);
+                            });
+                  } catch (Exception e) {
+                    logger.atSevere().withCause(e).log(
+                        "Issue loading and comparing lock from Cloud SQL");
+                  }
                  if (lock != null) {
                    logger.atInfo().log(
                        "Loaded existing lock: %s for request: %s", lock.lockId, lock.requestLogId);
@@ -207,6 +232,26 @@ public class Lock extends ImmutableObject implements Serializable {
                  // contention) and
                  // don't need to be backed up.
                  ofy().saveWithoutBackup().entity(newLock);
+
+                  // create and save the lock to Cloud SQL
+                  try {
+                    jpaTm()
+                        .transact(
+                            () -> {
+                              google.registry.schema.server.Lock cloudSqlLock =
+                                  google.registry.schema.server.Lock.create(
+                                      resourceName,
+                                      Optional.ofNullable(tld).orElse("GLOBAL"),
+                                      requestStatusChecker.getLogId(),
+                                      now,
+                                      leaseLength);
+                              LockDao.save(cloudSqlLock);
+                            });
+                  } catch (Exception e) {
+                    logger.atSevere().withCause(e).log(
+                        "Error saving lock to Cloud SQL: %s", newLock);
+                  }
+
                  return AcquireResult.create(now, lock, newLock, lockState);
                });

@@ -218,19 +263,43 @@ public class Lock extends ImmutableObject implements Serializable {
  /** Release the lock. */
  public void release() {
    // Just use the default clock because we aren't actually doing anything that will use the clock.
-    tm()
-        .transact(
+    tm().transact(
            () -> {
              // To release a lock, check that no one else has already obtained it and if not
              // delete it. If the lock in Datastore was different then this lock is gone already;
              // this can happen if release() is called around the expiration time and the lock
              // expires underneath us.
              Lock loadedLock = ofy().load().type(Lock.class).id(lockId).now();
+              try {
+                jpaTm()
+                    .transact(
+                        () -> {
+                          Optional<google.registry.schema.server.Lock> cloudSqlLockOptional =
+                              LockDao.load(resourceName, tld);
+                          LockDao.compare(Optional.ofNullable(loadedLock), cloudSqlLockOptional);
+                        });
+              } catch (Exception e) {
+                logger.atSevere().withCause(e).log(
+                    "Issue loading and comparing lock from Cloud SQL");
+              }
              if (Lock.this.equals(loadedLock)) {
                // Use noBackupOfy() so that we don't create a commit log entry for deleting the
                // lock.
                logger.atInfo().log("Deleting lock: %s", lockId);
                ofy().deleteWithoutBackup().entity(Lock.this);
+
+                // Remove the lock from Cloud SQL
+                try {
+                  jpaTm()
+                      .transact(
+                          () ->
+                              LockDao.delete(
+                                  resourceName, Optional.ofNullable(tld).orElse("GLOBAL")));
+                } catch (Exception e) {
+                  logger.atSevere().withCause(e).log(
+                      "Error deleting lock from Cloud SQL: %s", loadedLock);
+                }
+
                lockMetrics.recordRelease(
                    resourceName, tld, new Duration(acquiredTime, tm().getTransactionTime()));
              } else {
--- a/core/src/main/java/google/registry/module/backend/BackendRequestComponent.java
+++ b/core/src/main/java/google/registry/module/backend/BackendRequestComponent.java
@@ -26,6 +26,7 @@ import google.registry.batch.DeleteLoadTestDataAction;
 import google.registry.batch.DeleteProberDataAction;
 import google.registry.batch.ExpandRecurringBillingEventsAction;
 import google.registry.batch.RefreshDnsOnHostRenameAction;
+import google.registry.batch.RelockDomainAction;
 import google.registry.batch.ResaveAllEppResourcesAction;
 import google.registry.batch.ResaveEntityAction;
 import google.registry.cron.CommitLogFanoutAction;
@@ -140,6 +141,7 @@ interface BackendRequestComponent {
  RdeReporter rdeReporter();
  RefreshDnsAction refreshDnsAction();
  RefreshDnsOnHostRenameAction refreshDnsOnHostRenameAction();
+  RelockDomainAction relockDomainAction();
  ResaveAllEppResourcesAction resaveAllEppResourcesAction();
  ResaveEntityAction resaveEntityAction();
  SyncGroupMembersAction syncGroupMembersAction();
--- a/core/src/main/java/google/registry/persistence/PersistenceComponent.java
+++ b/core/src/main/java/google/registry/persistence/PersistenceComponent.java
@@ -19,7 +19,6 @@ import google.registry.config.CredentialModule;
 import google.registry.config.RegistryConfig.ConfigModule;
 import google.registry.keyring.kms.KmsModule;
 import google.registry.persistence.PersistenceModule.AppEngineJpaTm;
-import google.registry.persistence.PersistenceModule.NomulusToolJpaTm;
 import google.registry.persistence.transaction.JpaTransactionManager;
 import google.registry.util.UtilsModule;
 import javax.inject.Singleton;
@@ -39,7 +38,4 @@ public interface PersistenceComponent {

  @AppEngineJpaTm
  JpaTransactionManager appEngineJpaTransactionManager();
-
-  @NomulusToolJpaTm
-  JpaTransactionManager nomulusToolJpaTransactionManager();
 }
--- a/core/src/main/java/google/registry/persistence/PersistenceModule.java
+++ b/core/src/main/java/google/registry/persistence/PersistenceModule.java
@@ -22,6 +22,7 @@ import static google.registry.config.RegistryConfig.getHibernateHikariMaximumPoo
 import static google.registry.config.RegistryConfig.getHibernateHikariMinimumIdle;
 import static google.registry.config.RegistryConfig.getHibernateLogSqlQueries;

+import com.google.api.client.auth.oauth2.Credential;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Maps;
@@ -29,8 +30,10 @@ import dagger.Module;
 import dagger.Provides;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.keyring.kms.KmsKeyring;
+import google.registry.persistence.transaction.CloudSqlCredentialSupplier;
 import google.registry.persistence.transaction.JpaTransactionManager;
 import google.registry.persistence.transaction.JpaTransactionManagerImpl;
+import google.registry.tools.AuthModule.CloudSqlClientCredential;
 import google.registry.util.Clock;
 import java.lang.annotation.Documented;
 import java.util.HashMap;
@@ -118,7 +121,9 @@ public class PersistenceModule {
      @Config("toolsCloudSqlUsername") String username,
      KmsKeyring kmsKeyring,
      @PartialCloudSqlConfigs ImmutableMap<String, String> cloudSqlConfigs,
+      @CloudSqlClientCredential Credential credential,
      Clock clock) {
+    CloudSqlCredentialSupplier.setupCredentialSupplier(credential);
    HashMap<String, String> overrides = Maps.newHashMap(cloudSqlConfigs);
    overrides.put(Environment.USER, username);
    overrides.put(Environment.PASS, kmsKeyring.getToolsCloudSqlPassword());
@@ -158,7 +163,7 @@ public class PersistenceModule {
  /** Dagger qualifier for {@link JpaTransactionManager} used for Nomulus tool. */
  @Qualifier
  @Documented
-  @interface NomulusToolJpaTm {}
+  public @interface NomulusToolJpaTm {}

  /** Dagger qualifier for the partial Cloud SQL configs. */
  @Qualifier
--- a/core/src/main/java/google/registry/persistence/VKey.java
+++ b/core/src/main/java/google/registry/persistence/VKey.java
@@ -0,0 +1,68 @@
+// Copyright 2020 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.persistence;
+
+import google.registry.model.ImmutableObject;
+
+/**
+ * VKey is an abstraction that encapsulates the key concept.
+ *
+ * <p>A VKey instance must contain both the JPA primary key for the referenced entity class and the
+ * objectify key for the object.
+ */
+public class VKey<T> extends ImmutableObject {
+
+  // The primary key for the referenced entity.
+  private Object primaryKey;
+
+  // The objectify key for the referenced entity.
+  private com.googlecode.objectify.Key<T> ofyKey;
+
+  private Class<? extends T> kind;
+
+  private VKey(Class<? extends T> kind, com.googlecode.objectify.Key<T> ofyKey, Object primaryKey) {
+    this.kind = kind;
+    this.ofyKey = ofyKey;
+    this.primaryKey = primaryKey;
+  }
+
+  public static <T> VKey<T> create(
+      Class<? extends T> kind, com.googlecode.objectify.Key<T> ofyKey, Object primaryKey) {
+    return new VKey(kind, ofyKey, primaryKey);
+  }
+
+  public static <T> VKey<T> createSql(Class<? extends T> kind, Object primaryKey) {
+    return new VKey(kind, null, primaryKey);
+  }
+
+  public static <T> VKey<T> createOfy(
+      Class<? extends T> kind, com.googlecode.objectify.Key<T> ofyKey) {
+    return new VKey(kind, ofyKey, null);
+  }
+
+  public Class<? extends T> getKind() {
+    return this.kind;
+  }
+
+  /** Returns the SQL primary key. */
+  public Object getSqlKey() {
+    return this.primaryKey;
+  }
+
+  /** Returns the objectify key. */
+  public com.googlecode.objectify.Key<T> getOfyKey() {
+    return this.ofyKey;
+  }
+}
--- a/core/src/main/java/google/registry/persistence/converter/DurationConverter.java
+++ b/core/src/main/java/google/registry/persistence/converter/DurationConverter.java
@@ -0,0 +1,37 @@
+// Copyright 2020 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.persistence.converter;
+
+import javax.annotation.Nullable;
+import javax.persistence.AttributeConverter;
+import javax.persistence.Converter;
+import org.joda.time.Duration;
+
+/** JPA converter to for storing/retrieving {@link org.joda.time.DateTime} objects. */
+@Converter(autoApply = true)
+public class DurationConverter implements AttributeConverter<Duration, Long> {
+
+  @Override
+  @Nullable
+  public Long convertToDatabaseColumn(@Nullable Duration duration) {
+    return duration == null ? null : duration.getMillis();
+  }
+
+  @Override
+  @Nullable
+  public Duration convertToEntityAttribute(@Nullable Long dbData) {
+    return dbData == null ? null : new Duration(dbData);
+  }
+}
--- a/core/src/main/java/google/registry/persistence/transaction/CloudSqlCredentialSupplier.java
+++ b/core/src/main/java/google/registry/persistence/transaction/CloudSqlCredentialSupplier.java
@@ -0,0 +1,35 @@
+// Copyright 2020 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.persistence.transaction;
+
+import com.google.api.client.auth.oauth2.Credential;
+import com.google.cloud.sql.CredentialFactory;
+
+/** Supplier class to provide {@link Credential} for Cloud SQL library. */
+public class CloudSqlCredentialSupplier implements CredentialFactory {
+  private static Credential credential;
+
+  /** Initialize the supplier with given credential json and scopes. */
+  public static void setupCredentialSupplier(Credential credential) {
+    System.setProperty(
+        CredentialFactory.CREDENTIAL_FACTORY_PROPERTY, CloudSqlCredentialSupplier.class.getName());
+    CloudSqlCredentialSupplier.credential = credential;
+  }
+
+  @Override
+  public Credential create() {
+    return credential;
+  }
+}
--- a/core/src/main/java/google/registry/persistence/transaction/JpaTransactionManager.java
+++ b/core/src/main/java/google/registry/persistence/transaction/JpaTransactionManager.java
@@ -18,6 +18,7 @@ import javax.persistence.EntityManager;

 /** Sub-interface of {@link TransactionManager} which defines JPA related methods. */
 public interface JpaTransactionManager extends TransactionManager {
+
  /** Returns the {@link EntityManager} for the current request. */
  EntityManager getEntityManager();
 }
--- a/core/src/main/java/google/registry/persistence/transaction/JpaTransactionManagerImpl.java
+++ b/core/src/main/java/google/registry/persistence/transaction/JpaTransactionManagerImpl.java
@@ -14,13 +14,28 @@

 package google.registry.persistence.transaction;

+import static com.google.common.base.Preconditions.checkArgument;
+import static com.google.common.collect.ImmutableSet.toImmutableSet;
+import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
+import static java.util.stream.Collectors.joining;
+
+import com.google.common.collect.ImmutableCollection;
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableSet;
 import com.google.common.flogger.FluentLogger;
+import google.registry.persistence.VKey;
 import google.registry.util.Clock;
+import java.lang.reflect.Field;
+import java.util.Optional;
 import java.util.function.Supplier;
 import javax.persistence.EntityManager;
 import javax.persistence.EntityManagerFactory;
 import javax.persistence.EntityTransaction;
 import javax.persistence.PersistenceException;
+import javax.persistence.Query;
+import javax.persistence.TypedQuery;
+import javax.persistence.metamodel.EntityType;
+import javax.persistence.metamodel.SingularAttribute;
 import org.joda.time.DateTime;

 /** Implementation of {@link JpaTransactionManager} for JPA compatible database. */
@@ -142,6 +157,180 @@ public class JpaTransactionManagerImpl implements JpaTransactionManager {
    return txnInfo.transactionTime;
  }

+  @Override
+  public void saveNew(Object entity) {
+    checkArgumentNotNull(entity, "entity must be specified");
+    assertInTransaction();
+    getEntityManager().persist(entity);
+  }
+
+  @Override
+  public void saveAllNew(ImmutableCollection<?> entities) {
+    checkArgumentNotNull(entities, "entities must be specified");
+    assertInTransaction();
+    entities.forEach(this::saveNew);
+  }
+
+  @Override
+  public void saveNewOrUpdate(Object entity) {
+    checkArgumentNotNull(entity, "entity must be specified");
+    assertInTransaction();
+    getEntityManager().merge(entity);
+  }
+
+  @Override
+  public void saveNewOrUpdateAll(ImmutableCollection<?> entities) {
+    checkArgumentNotNull(entities, "entities must be specified");
+    assertInTransaction();
+    entities.forEach(this::saveNewOrUpdate);
+  }
+
+  @Override
+  public void update(Object entity) {
+    checkArgumentNotNull(entity, "entity must be specified");
+    assertInTransaction();
+    checkArgument(checkExists(entity), "Given entity does not exist");
+    getEntityManager().merge(entity);
+  }
+
+  @Override
+  public void updateAll(ImmutableCollection<?> entities) {
+    checkArgumentNotNull(entities, "entities must be specified");
+    assertInTransaction();
+    entities.forEach(this::update);
+  }
+
+  @Override
+  public <T> boolean checkExists(VKey<T> key) {
+    checkArgumentNotNull(key, "key must be specified");
+    EntityType<?> entityType = getEntityType(key.getKind());
+    ImmutableSet<EntityId> entityIds = getEntityIdsFromSqlKey(entityType, key.getSqlKey());
+    return checkExists(entityType.getName(), entityIds);
+  }
+
+  @Override
+  public boolean checkExists(Object entity) {
+    checkArgumentNotNull(entity, "entity must be specified");
+    EntityType<?> entityType = getEntityType(entity.getClass());
+    ImmutableSet<EntityId> entityIds = getEntityIdsFromEntity(entityType, entity);
+    return checkExists(entityType.getName(), entityIds);
+  }
+
+  private boolean checkExists(String entityName, ImmutableSet<EntityId> entityIds) {
+    assertInTransaction();
+    TypedQuery<Integer> query =
+        getEntityManager()
+            .createQuery(
+                String.format("SELECT 1 FROM %s WHERE %s", entityName, getAndClause(entityIds)),
+                Integer.class)
+            .setMaxResults(1);
+    entityIds.forEach(entityId -> query.setParameter(entityId.name, entityId.value));
+    return query.getResultList().size() > 0;
+  }
+
+  @Override
+  public <T> Optional<T> load(VKey<T> key) {
+    checkArgumentNotNull(key, "key must be specified");
+    assertInTransaction();
+    return Optional.ofNullable(getEntityManager().find(key.getKind(), key.getSqlKey()));
+  }
+
+  @Override
+  public <T> ImmutableList<T> loadAll(Class<T> clazz) {
+    checkArgumentNotNull(clazz, "clazz must be specified");
+    assertInTransaction();
+    return ImmutableList.copyOf(
+        getEntityManager()
+            .createQuery(
+                String.format("SELECT entity FROM %s entity", getEntityType(clazz).getName()),
+                clazz)
+            .getResultList());
+  }
+
+  @Override
+  public <T> int delete(VKey<T> key) {
+    checkArgumentNotNull(key, "key must be specified");
+    assertInTransaction();
+    EntityType<?> entityType = getEntityType(key.getKind());
+    ImmutableSet<EntityId> entityIds = getEntityIdsFromSqlKey(entityType, key.getSqlKey());
+    String sql =
+        String.format("DELETE FROM %s WHERE %s", entityType.getName(), getAndClause(entityIds));
+    Query query = getEntityManager().createQuery(sql);
+    entityIds.forEach(entityId -> query.setParameter(entityId.name, entityId.value));
+    return query.executeUpdate();
+  }
+
+  @Override
+  public <T> void assertDelete(VKey<T> key) {
+    if (delete(key) != 1) {
+      throw new IllegalArgumentException(
+          String.format("Error deleting the entity of the key: %s", key.getSqlKey()));
+    }
+  }
+
+  private <T> EntityType<T> getEntityType(Class<T> clazz) {
+    return emf.getMetamodel().entity(clazz);
+  }
+
+  private static class EntityId {
+    private String name;
+    private Object value;
+
+    private EntityId(String name, Object value) {
+      this.name = name;
+      this.value = value;
+    }
+  }
+
+  private static ImmutableSet<EntityId> getEntityIdsFromEntity(
+      EntityType<?> entityType, Object entity) {
+    if (entityType.hasSingleIdAttribute()) {
+      String idName = entityType.getDeclaredId(entityType.getIdType().getJavaType()).getName();
+      Object idValue = getFieldValue(entity, idName);
+      return ImmutableSet.of(new EntityId(idName, idValue));
+    } else {
+      return getEntityIdsFromIdContainer(entityType, entity);
+    }
+  }
+
+  private static ImmutableSet<EntityId> getEntityIdsFromSqlKey(
+      EntityType<?> entityType, Object sqlKey) {
+    if (entityType.hasSingleIdAttribute()) {
+      String idName = entityType.getDeclaredId(entityType.getIdType().getJavaType()).getName();
+      return ImmutableSet.of(new EntityId(idName, sqlKey));
+    } else {
+      return getEntityIdsFromIdContainer(entityType, sqlKey);
+    }
+  }
+
+  private static ImmutableSet<EntityId> getEntityIdsFromIdContainer(
+      EntityType<?> entityType, Object idContainer) {
+    return entityType.getIdClassAttributes().stream()
+        .map(SingularAttribute::getName)
+        .map(
+            idName -> {
+              Object idValue = getFieldValue(idContainer, idName);
+              return new EntityId(idName, idValue);
+            })
+        .collect(toImmutableSet());
+  }
+
+  private String getAndClause(ImmutableSet<EntityId> entityIds) {
+    return entityIds.stream()
+        .map(entityId -> String.format("%s = :%s", entityId.name, entityId.name))
+        .collect(joining(" AND "));
+  }
+
+  private static Object getFieldValue(Object object, String fieldName) {
+    try {
+      Field field = object.getClass().getDeclaredField(fieldName);
+      field.setAccessible(true);
+      return field.get(object);
+    } catch (NoSuchFieldException | IllegalAccessException e) {
+      throw new IllegalArgumentException(e);
+    }
+  }
+
  private static class TransactionInfo {
    EntityManager entityManager;
    boolean inTransaction = false;
--- a/core/src/main/java/google/registry/persistence/transaction/TransactionManager.java
+++ b/core/src/main/java/google/registry/persistence/transaction/TransactionManager.java
@@ -14,6 +14,10 @@

 package google.registry.persistence.transaction;

+import com.google.common.collect.ImmutableCollection;
+import com.google.common.collect.ImmutableList;
+import google.registry.persistence.VKey;
+import java.util.Optional;
 import java.util.function.Supplier;
 import org.joda.time.DateTime;

@@ -78,4 +82,40 @@ public interface TransactionManager {

  /** Returns the time associated with the start of this particular transaction attempt. */
  DateTime getTransactionTime();
+
+  /** Persists a new entity in the database, throws exception if the entity already exists. */
+  void saveNew(Object entity);
+
+  /** Persists all new entities in the database, throws exception if any entity already exists. */
+  void saveAllNew(ImmutableCollection<?> entities);
+
+  /** Persists a new entity or update the existing entity in the database. */
+  void saveNewOrUpdate(Object entity);
+
+  /** Persists all new entities or update the existing entities in the database. */
+  void saveNewOrUpdateAll(ImmutableCollection<?> entities);
+
+  /** Updates an entity in the database, throws exception if the entity does not exist. */
+  void update(Object entity);
+
+  /** Updates all entities in the database, throws exception if any entity does not exist. */
+  void updateAll(ImmutableCollection<?> entities);
+
+  /** Returns whether the given entity with same ID exists. */
+  boolean checkExists(Object entity);
+
+  /** Returns whether the entity of given key exists. */
+  <T> boolean checkExists(VKey<T> key);
+
+  /** Loads the entity by its id, returns empty if the entity doesn't exist. */
+  <T> Optional<T> load(VKey<T> key);
+
+  /** Loads all entities of the given type, returns empty if there is no such entity. */
+  <T> ImmutableList<T> loadAll(Class<T> clazz);
+
+  /** Deletes the entity by its id, returns the number of deleted entity. */
+  <T> int delete(VKey<T> key);
+
+  /** Deletes the entity by its id, throws exception if the entity is not deleted. */
+  <T> void assertDelete(VKey<T> key);
 }
--- a/core/src/main/java/google/registry/persistence/transaction/TransactionManagerFactory.java
+++ b/core/src/main/java/google/registry/persistence/transaction/TransactionManagerFactory.java
@@ -16,11 +16,9 @@ package google.registry.persistence.transaction;

 import com.google.appengine.api.utils.SystemProperty;
 import com.google.appengine.api.utils.SystemProperty.Environment.Value;
-import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Suppliers;
 import google.registry.model.ofy.DatastoreTransactionManager;
 import google.registry.persistence.DaggerPersistenceComponent;
-import google.registry.tools.RegistryToolEnvironment;
 import google.registry.util.NonFinalForTesting;
 import java.util.function.Supplier;

@@ -38,11 +36,10 @@ public class TransactionManagerFactory {
  private TransactionManagerFactory() {}

  private static JpaTransactionManager createJpaTransactionManager() {
+    // If we are running a nomulus command, jpaTm will be injected in RegistryCli.java
+    // by calling setJpaTm().
    if (isInAppEngine()) {
      return DaggerPersistenceComponent.create().appEngineJpaTransactionManager();
-    } else if (RegistryToolEnvironment.isInRegistryTool()
-        && RegistryToolEnvironment.isJpaTmEnabled()) {
-      return DaggerPersistenceComponent.create().nomulusToolJpaTransactionManager();
    } else {
      return DummyJpaTransactionManager.create();
    }
@@ -78,8 +75,8 @@ public class TransactionManagerFactory {
    return jpaTm.get();
  }

-  @VisibleForTesting
-  static void setJpaTmForTesting(JpaTransactionManager newJpaTm) {
+  /** Sets the return of {@link #jpaTm()} to the given instance of {@link JpaTransactionManager}. */
+  public static void setJpaTm(JpaTransactionManager newJpaTm) {
    jpaTm = Suppliers.ofInstance(newJpaTm);
  }
 }
--- a/core/src/main/java/google/registry/reporting/spec11/PublishSpec11ReportAction.java
+++ b/core/src/main/java/google/registry/reporting/spec11/PublishSpec11ReportAction.java
@@ -193,8 +193,7 @@ public class PublishSpec11ReportAction implements Runnable {
    // Group by email address then flat-map all of the ThreatMatch objects together
    return ImmutableMap.copyOf(
        Maps.transformValues(
-            Multimaps.index(registrarThreatMatches, RegistrarThreatMatches::clientId)
-                .asMap(),
+            Multimaps.index(registrarThreatMatches, RegistrarThreatMatches::clientId).asMap(),
            registrarThreatMatchesCollection ->
                registrarThreatMatchesCollection.stream()
                    .flatMap(matches -> matches.threatMatches().stream())
--- a/core/src/main/java/google/registry/request/RequestParameters.java
+++ b/core/src/main/java/google/registry/request/RequestParameters.java
@@ -44,11 +44,11 @@ public final class RequestParameters {
   * method to yield the following results:
   *
   * <ul>
-   * <li>/foo?bar=hello → hello
-   * <li>/foo?bar=hello&bar=there → hello
-   * <li>/foo?bar= → 400 error (empty)
-   * <li>/foo?bar=&bar=there → 400 error (empty)
-   * <li>/foo → 400 error (absent)
+   *   <li>/foo?bar=hello → hello
+   *   <li>/foo?bar=hello&bar=there → hello
+   *   <li>/foo?bar= → 400 error (empty)
+   *   <li>/foo?bar=&bar=there → 400 error (empty)
+   *   <li>/foo → 400 error (absent)
   * </ul>
   *
   * @throws BadRequestException if request parameter is absent or empty
@@ -88,10 +88,27 @@ public final class RequestParameters {
   * @throws BadRequestException if request parameter is absent, empty, or not a valid integer
   */
  public static int extractIntParameter(HttpServletRequest req, String name) {
+    String stringParam = req.getParameter(name);
    try {
-      return Integer.parseInt(nullToEmpty(req.getParameter(name)));
+      return Integer.parseInt(nullToEmpty(stringParam));
    } catch (NumberFormatException e) {
-      throw new BadRequestException("Expected integer: " + name);
+      throw new BadRequestException(
+          String.format("Expected int for parameter %s but received %s", name, stringParam));
+    }
+  }
+
+  /**
+   * Returns first GET or POST parameter associated with {@code name} as a long.
+   *
+   * @throws BadRequestException if request parameter is absent, empty, or not a valid long
+   */
+  public static long extractLongParameter(HttpServletRequest req, String name) {
+    String stringParam = req.getParameter(name);
+    try {
+      return Long.parseLong(nullToEmpty(stringParam));
+    } catch (NumberFormatException e) {
+      throw new BadRequestException(
+          String.format("Expected long for parameter %s but received %s", name, stringParam));
    }
  }

@@ -126,9 +143,7 @@ public final class RequestParameters {
    if (parameter == null || parameter.isEmpty()) {
      return ImmutableSet.of();
    }
-    return Splitter.on(',')
-        .splitToList(parameter)
-        .stream()
+    return Splitter.on(',').splitToList(parameter).stream()
        .filter(s -> !s.isEmpty())
        .collect(toImmutableSet());
  }
@@ -160,8 +175,8 @@ public final class RequestParameters {
   * @throws BadRequestException if request parameter named {@code name} is absent, empty, or not
   *     equal to any of the values in {@code enumClass}
   */
-  public static <C extends Enum<C>>
-      C extractEnumParameter(HttpServletRequest req, Class<C> enumClass, String name) {
+  public static <C extends Enum<C>> C extractEnumParameter(
+      HttpServletRequest req, Class<C> enumClass, String name) {
    return getEnumValue(enumClass, extractRequiredParameter(req, name), name);
  }

@@ -216,9 +231,9 @@ public final class RequestParameters {
  }

  /**
-   * Returns first request parameter associated with {@code name} parsed as an
-   * <a href="https://goo.gl/pk5Q2k">ISO 8601</a> timestamp, e.g. {@code 1984-12-18TZ},
-   * {@code 2000-01-01T16:20:00Z}.
+   * Returns first request parameter associated with {@code name} parsed as an <a
+   * href="https://goo.gl/pk5Q2k">ISO 8601</a> timestamp, e.g. {@code 1984-12-18TZ}, {@code
+   * 2000-01-01T16:20:00Z}.
   *
   * @throws BadRequestException if request parameter named {@code name} is absent, empty, or could
   *     not be parsed as an ISO 8601 timestamp
@@ -233,9 +248,9 @@ public final class RequestParameters {
  }

  /**
-   * Returns first request parameter associated with {@code name} parsed as an
-   * <a href="https://goo.gl/pk5Q2k">ISO 8601</a> timestamp, e.g. {@code 1984-12-18TZ},
-   * {@code 2000-01-01T16:20:00Z}.
+   * Returns first request parameter associated with {@code name} parsed as an <a
+   * href="https://goo.gl/pk5Q2k">ISO 8601</a> timestamp, e.g. {@code 1984-12-18TZ}, {@code
+   * 2000-01-01T16:20:00Z}.
   *
   * @throws BadRequestException if request parameter is present but not a valid {@link DateTime}.
   */
@@ -262,8 +277,7 @@ public final class RequestParameters {
  public static ImmutableSet<DateTime> extractSetOfDatetimeParameters(
      HttpServletRequest req, String name) {
    try {
-      return extractSetOfParameters(req, name)
-          .stream()
+      return extractSetOfParameters(req, name).stream()
          .filter(not(String::isEmpty))
          .map(DateTime::parse)
          .collect(toImmutableSet());
--- a/core/src/main/java/google/registry/schema/domain/RegistryLock.java
+++ b/core/src/main/java/google/registry/schema/domain/RegistryLock.java
@@ -26,14 +26,19 @@ import google.registry.model.UpdateAutoTimestamp;
 import google.registry.util.DateTimeUtils;
 import java.time.ZonedDateTime;
 import java.util.Optional;
+import javax.annotation.Nullable;
 import javax.persistence.Column;
 import javax.persistence.Entity;
+import javax.persistence.FetchType;
 import javax.persistence.GeneratedValue;
 import javax.persistence.GenerationType;
 import javax.persistence.Id;
 import javax.persistence.Index;
+import javax.persistence.JoinColumn;
+import javax.persistence.OneToOne;
 import javax.persistence.Table;
 import org.joda.time.DateTime;
+import org.joda.time.Duration;

 /**
 * Represents a registry lock/unlock object, meaning that the domain is locked on the registry
@@ -123,6 +128,14 @@ public final class RegistryLock extends ImmutableObject implements Buildable {
  @Column(nullable = false)
  private boolean isSuperuser;

+  /** The lock that undoes this lock, if this lock has been unlocked and the domain locked again. */
+  @OneToOne(fetch = FetchType.LAZY)
+  @JoinColumn(name = "relockRevisionId", referencedColumnName = "revisionId")
+  private RegistryLock relock;
+
+  /** The duration after which we will re-lock this domain after it is unlocked. */
+  private Duration relockDuration;
+
  /** Time that this entity was last updated. */
  private UpdateAutoTimestamp lastUpdateTimestamp;

@@ -179,6 +192,21 @@ public final class RegistryLock extends ImmutableObject implements Buildable {
    return revisionId;
  }

+  /**
+   * The lock that undoes this lock, if this lock has been unlocked and the domain locked again.
+   *
+   * <p>Note: this is lazily loaded, so it may not be initialized if referenced outside of the
+   * transaction in which this lock is loaded.
+   */
+  public RegistryLock getRelock() {
+    return relock;
+  }
+
+  /** The duration after which we will re-lock this domain after it is unlocked. */
+  public Optional<Duration> getRelockDuration() {
+    return Optional.ofNullable(relockDuration);
+  }
+
  public boolean isLocked() {
    return lockCompletionTimestamp != null && unlockCompletionTimestamp == null;
  }
@@ -266,5 +294,15 @@ public final class RegistryLock extends ImmutableObject implements Buildable {
      getInstance().isSuperuser = isSuperuser;
      return this;
    }
+
+    public Builder setRelock(RegistryLock relock) {
+      getInstance().relock = relock;
+      return this;
+    }
+
+    public Builder setRelockDuration(@Nullable Duration relockDuration) {
+      getInstance().relockDuration = relockDuration;
+      return this;
+    }
  }
 }
--- a/core/src/main/java/google/registry/schema/registrar/RegistrarDao.java
+++ b/core/src/main/java/google/registry/schema/registrar/RegistrarDao.java
@@ -1,73 +0,0 @@
-// Copyright 2020 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.schema.registrar;
-
-import static com.google.common.base.Preconditions.checkArgument;
-import static google.registry.persistence.transaction.TransactionManagerFactory.jpaTm;
-import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
-
-import google.registry.model.registrar.Registrar;
-import java.util.Optional;
-
-/** Data access object for {@link Registrar}. */
-public class RegistrarDao {
-
-  private RegistrarDao() {}
-
-  /** Persists a new or updates an existing registrar in Cloud SQL. */
-  public static void saveNew(Registrar registrar) {
-    checkArgumentNotNull(registrar, "registrar must be specified");
-    jpaTm().transact(() -> jpaTm().getEntityManager().persist(registrar));
-  }
-
-  /** Updates an existing registrar in Cloud SQL, throws excpetion if it does not exist. */
-  public static void update(Registrar registrar) {
-    checkArgumentNotNull(registrar, "registrar must be specified");
-    jpaTm()
-        .transact(
-            () -> {
-              checkArgument(
-                  checkExists(registrar.getClientId()),
-                  "A registrar of this id does not exist: %s.",
-                  registrar.getClientId());
-              jpaTm().getEntityManager().merge(registrar);
-            });
-  }
-
-  /** Returns whether the registrar of the given id exists. */
-  public static boolean checkExists(String clientId) {
-    checkArgumentNotNull(clientId, "clientId must be specified");
-    return jpaTm()
-        .transact(
-            () ->
-                jpaTm()
-                        .getEntityManager()
-                        .createQuery(
-                            "SELECT 1 FROM Registrar WHERE clientIdentifier = :clientIdentifier",
-                            Integer.class)
-                        .setParameter("clientIdentifier", clientId)
-                        .setMaxResults(1)
-                        .getResultList()
-                        .size()
-                    > 0);
-  }
-
-  /** Loads the registrar by its id, returns empty if it doesn't exist. */
-  public static Optional<Registrar> load(String clientId) {
-    checkArgumentNotNull(clientId, "clientId must be specified");
-    return Optional.ofNullable(
-        jpaTm().transact(() -> jpaTm().getEntityManager().find(Registrar.class, clientId)));
-  }
-}
--- a/core/src/main/java/google/registry/schema/server/LockDao.java
+++ b/core/src/main/java/google/registry/schema/server/LockDao.java
@@ -18,18 +18,22 @@ import static google.registry.persistence.transaction.TransactionManagerFactory.
 import static google.registry.schema.server.Lock.GLOBAL;
 import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;

+import com.google.common.flogger.FluentLogger;
 import google.registry.schema.server.Lock.LockId;
+import google.registry.util.DateTimeUtils;
 import java.util.Optional;

 /** Data access object class for {@link Lock}. */
 public class LockDao {

+  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
+
  /** Saves the {@link Lock} object to Cloud SQL. */
-  public static void saveNew(Lock lock) {
+  public static void save(Lock lock) {
    jpaTm()
        .transact(
            () -> {
-              jpaTm().getEntityManager().persist(lock);
+              jpaTm().getEntityManager().merge(lock);
            });
  }

@@ -51,26 +55,82 @@ public class LockDao {
   * else empty.
   */
  public static Optional<Lock> load(String resourceName) {
-    checkArgumentNotNull(resourceName, "The resource name of the lock to load cannot be null");
-    return Optional.ofNullable(
-        jpaTm()
-            .transact(
-                () ->
-                    jpaTm().getEntityManager().find(Lock.class, new LockId(resourceName, GLOBAL))));
+    return load(resourceName, GLOBAL);
  }

  /**
-   * Deletes the given {@link Lock} object from Cloud SQL. This method is idempotent and will simply
-   * return if the lock has already been deleted.
+   * Deletes the {@link Lock} object with the given resourceName and tld from Cloud SQL. This method
+   * is idempotent and will simply return if the lock has already been deleted.
   */
-  public static void delete(Lock lock) {
+  public static void delete(String resourceName, String tld) {
    jpaTm()
        .transact(
            () -> {
-              Optional<Lock> loadedLock = load(lock.resourceName, lock.tld);
+              Optional<Lock> loadedLock = load(resourceName, tld);
              if (loadedLock.isPresent()) {
                jpaTm().getEntityManager().remove(loadedLock.get());
              }
            });
  }
+
+  /**
+   * Deletes the global {@link Lock} object with the given resourceName from Cloud SQL. This method
+   * is idempotent and will simply return if the lock has already been deleted.
+   */
+  public static void delete(String resourceName) {
+    delete(resourceName, GLOBAL);
+  }
+
+  /**
+   * Compares a {@link google.registry.model.server.Lock} object with a {@link Lock} object, logging
+   * a warning if there are any differences.
+   */
+  public static void compare(
+      Optional<google.registry.model.server.Lock> datastoreLockOptional,
+      Optional<Lock> cloudSqlLockOptional) {
+    if (!datastoreLockOptional.isPresent()) {
+      cloudSqlLockOptional.ifPresent(
+          value ->
+              logger.atWarning().log(
+                  String.format(
+                      "Cloud SQL lock for %s with tld %s should be null",
+                      value.resourceName, value.tld)));
+      return;
+    }
+    google.registry.schema.server.Lock cloudSqlLock;
+    google.registry.model.server.Lock datastoreLock = datastoreLockOptional.get();
+    if (cloudSqlLockOptional.isPresent()) {
+      cloudSqlLock = cloudSqlLockOptional.get();
+      if (!datastoreLock.getRequestLogId().equals(cloudSqlLock.requestLogId)) {
+        logger.atWarning().log(
+            String.format(
+                "Datastore lock requestLogId of %s does not equal Cloud SQL lock requestLogId of"
+                    + " %s",
+                datastoreLock.getRequestLogId(), cloudSqlLock.requestLogId));
+      }
+      if (!datastoreLock
+          .getAcquiredTime()
+          .equals(DateTimeUtils.toJodaDateTime(cloudSqlLock.acquiredTime))) {
+        logger.atWarning().log(
+            String.format(
+                "Datastore lock acquiredTime of %s does not equal Cloud SQL lock acquiredTime of"
+                    + " %s",
+                datastoreLock.getAcquiredTime(),
+                DateTimeUtils.toJodaDateTime(cloudSqlLock.acquiredTime)));
+      }
+      if (!datastoreLock
+          .getExpirationTime()
+          .equals(DateTimeUtils.toJodaDateTime(cloudSqlLock.expirationTime))) {
+        logger.atWarning().log(
+            String.format(
+                "Datastore lock expirationTime of %s does not equal Cloud SQL lock expirationTime"
+                    + " of %s",
+                datastoreLock.getExpirationTime(),
+                DateTimeUtils.toJodaDateTime(cloudSqlLock.expirationTime)));
+      }
+    } else {
+      logger.atWarning().log(
+          String.format("Datastore lock: %s was not found in Cloud SQL", datastoreLock));
+    }
+  }
 }
--- a/core/src/main/java/google/registry/tools/AuthModule.java
+++ b/core/src/main/java/google/registry/tools/AuthModule.java
@@ -20,6 +20,7 @@ import com.google.api.client.auth.oauth2.Credential;
 import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeFlow;
 import com.google.api.client.googleapis.auth.oauth2.GoogleClientSecrets;
 import com.google.api.client.googleapis.auth.oauth2.GoogleClientSecrets.Details;
+import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.client.http.javanet.NetHttpTransport;
 import com.google.api.client.json.JsonFactory;
 import com.google.api.client.util.store.AbstractDataStoreFactory;
@@ -42,6 +43,7 @@ import google.registry.util.GoogleCredentialsBundle;
 import java.io.ByteArrayInputStream;
 import java.io.File;
 import java.io.IOException;
+import java.io.UncheckedIOException;
 import java.lang.annotation.Documented;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
@@ -92,6 +94,26 @@ public class AuthModule {
    }
  }

+  // TODO(b/138195359): Deprecate this credential once Cloud SQL socket library uses the new auth
+  // library.
+  @Provides
+  @CloudSqlClientCredential
+  public static Credential providesLocalCredentialForCloudSqlClient(
+      @LocalCredentialJson String credentialJson,
+      @Config("localCredentialOauthScopes") ImmutableList<String> credentialScopes) {
+    try {
+      GoogleCredential credential =
+          GoogleCredential.fromStream(new ByteArrayInputStream(credentialJson.getBytes(UTF_8)));
+      if (credential.createScopedRequired()) {
+        credential = credential.createScoped(credentialScopes);
+      }
+      return credential;
+    } catch (IOException e) {
+      throw new UncheckedIOException(
+          "Error occurred while creating a GoogleCredential for Cloud SQL client", e);
+    }
+  }
+
  @Provides
  public static GoogleAuthorizationCodeFlow provideAuthorizationCodeFlow(
      JsonFactory jsonFactory,
@@ -184,6 +206,11 @@ public class AuthModule {
  @Retention(RetentionPolicy.RUNTIME)
  private @interface StoredCredential {}

+  /** Dagger qualifier for {@link Credential} used by the Cloud SQL client in the nomulus tool. */
+  @Qualifier
+  @Documented
+  public @interface CloudSqlClientCredential {}
+
  /** Dagger qualifier for the credential qualifier consisting of client and scopes. */
  @Qualifier
  @Documented
--- a/core/src/main/java/google/registry/tools/CreateRegistrarCommand.java
+++ b/core/src/main/java/google/registry/tools/CreateRegistrarCommand.java
@@ -19,6 +19,7 @@ import static com.google.common.base.Preconditions.checkState;
 import static com.google.common.base.Strings.emptyToNull;
 import static com.google.common.collect.Iterables.getOnlyElement;
 import static google.registry.model.registrar.Registrar.State.ACTIVE;
+import static google.registry.persistence.transaction.TransactionManagerFactory.jpaTm;
 import static google.registry.tools.RegistryToolEnvironment.PRODUCTION;
 import static google.registry.tools.RegistryToolEnvironment.SANDBOX;
 import static google.registry.tools.RegistryToolEnvironment.UNITTEST;
@@ -32,7 +33,6 @@ import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Streams;
 import google.registry.config.RegistryEnvironment;
 import google.registry.model.registrar.Registrar;
-import google.registry.schema.registrar.RegistrarDao;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
@@ -72,7 +72,7 @@ final class CreateRegistrarCommand extends CreateOrUpdateRegistrarCommand

  @Override
  void saveToCloudSql(Registrar registrar) {
-    RegistrarDao.saveNew(registrar);
+    jpaTm().saveNew(registrar);
  }

  @Nullable
--- a/core/src/main/java/google/registry/tools/DomainLockUtils.java
+++ b/core/src/main/java/google/registry/tools/DomainLockUtils.java
@@ -106,6 +106,7 @@ public final class DomainLockUtils {

              RegistryLock newLock =
                  RegistryLockDao.save(lock.asBuilder().setLockCompletionTimestamp(now).build());
+              setAsRelock(newLock);
              tm().transact(() -> applyLockStatuses(newLock, now));
              return newLock;
            });
@@ -149,13 +150,14 @@ public final class DomainLockUtils {
        .transact(
            () -> {
              DateTime now = jpaTm().getTransactionTime();
-              RegistryLock result =
+              RegistryLock newLock =
                  RegistryLockDao.save(
                      createLockBuilder(domainName, registrarId, registrarPocId, isAdmin)
                          .setLockCompletionTimestamp(now)
                          .build());
-              tm().transact(() -> applyLockStatuses(result, now));
-              return result;
+              tm().transact(() -> applyLockStatuses(newLock, now));
+              setAsRelock(newLock);
+              return newLock;
            });
  }

@@ -179,6 +181,16 @@ public final class DomainLockUtils {
            });
  }

+  private void setAsRelock(RegistryLock newLock) {
+    jpaTm()
+        .transact(
+            () ->
+                RegistryLockDao.getMostRecentVerifiedUnlockByRepoId(newLock.getRepoId())
+                    .ifPresent(
+                        oldLock ->
+                            RegistryLockDao.save(oldLock.asBuilder().setRelock(newLock).build())));
+  }
+
  private RegistryLock.Builder createLockBuilder(
      String domainName, String registrarId, @Nullable String registrarPocId, boolean isAdmin) {
    DateTime now = jpaTm().getTransactionTime();
--- a/core/src/main/java/google/registry/tools/GenerateEscrowDepositCommand.java
+++ b/core/src/main/java/google/registry/tools/GenerateEscrowDepositCommand.java
@@ -28,11 +28,13 @@ import com.beust.jcommander.ParameterException;
 import com.beust.jcommander.Parameters;
 import com.google.appengine.api.taskqueue.Queue;
 import com.google.appengine.api.taskqueue.TaskOptions;
+import com.google.common.annotations.VisibleForTesting;
 import google.registry.model.rde.RdeMode;
 import google.registry.rde.RdeStagingAction;
 import google.registry.tools.params.DateTimeParameter;
 import google.registry.util.AppEngineServiceUtils;
 import java.util.List;
+import java.util.Optional;
 import java.util.stream.Collectors;
 import javax.inject.Inject;
 import javax.inject.Named;
@@ -75,7 +77,16 @@ final class GenerateEscrowDepositCommand implements CommandWithRemoteApi {
  private String outdir;

  @Inject AppEngineServiceUtils appEngineServiceUtils;
-  @Inject @Named("rde-report") Queue queue;
+
+  @Inject
+  @Named("rde-report")
+  Queue queue;
+
+  // ETA is a required property for TaskOptions but we let the service to set it when submitting the
+  // task to the task queue. However, the local test service doesn't do that for us during the unit
+  // test, so we add this field here to let the unit test be able to inject the ETA to pass the
+  // test.
+  @VisibleForTesting Optional<Long> maybeEtaMillis = Optional.empty();

  @Override
  public void run() {
@@ -115,6 +126,9 @@ final class GenerateEscrowDepositCommand implements CommandWithRemoteApi {
    if (revision != null) {
      opts = opts.param(PARAM_REVISION, String.valueOf(revision));
    }
+    if (maybeEtaMillis.isPresent()) {
+      opts = opts.etaMillis(maybeEtaMillis.get());
+    }
    queue.add(opts);
  }
 }
--- a/core/src/main/java/google/registry/tools/RegistrarContactCommand.java
+++ b/core/src/main/java/google/registry/tools/RegistrarContactCommand.java
@@ -78,11 +78,15 @@ final class RegistrarContactCommand extends MutatingCommand {
  private List<String> contactTypeNames;

  @Nullable
-  @Parameter(
-      names = "--email",
-      description = "Contact email address.")
+  @Parameter(names = "--email", description = "Contact email address.")
  String email;

+  @Nullable
+  @Parameter(
+      names = "--registry_lock_email",
+      description = "Email address used for registry lock confirmation emails")
+  String registryLockEmail;
+
  @Nullable
  @Parameter(
      names = "--phone",
@@ -247,6 +251,9 @@ final class RegistrarContactCommand extends MutatingCommand {
    builder.setParent(registrar);
    builder.setName(name);
    builder.setEmailAddress(email);
+    if (!isNullOrEmpty(registryLockEmail)) {
+      builder.setRegistryLockEmailAddress(registryLockEmail);
+    }
    if (phone != null) {
      builder.setPhoneNumber(phone.orElse(null));
    }
@@ -277,14 +284,14 @@ final class RegistrarContactCommand extends MutatingCommand {

  private RegistrarContact updateContact(RegistrarContact contact, Registrar registrar) {
    checkNotNull(registrar);
-    checkNotNull(email, "--email is required when --mode=UPDATE");
-    RegistrarContact.Builder builder = contact.asBuilder();
-    builder.setParent(registrar);
+    checkArgument(!isNullOrEmpty(email), "--email is required when --mode=UPDATE");
+    RegistrarContact.Builder builder =
+        contact.asBuilder().setEmailAddress(email).setParent(registrar);
    if (!isNullOrEmpty(name)) {
      builder.setName(name);
    }
-    if (!isNullOrEmpty(email)) {
-      builder.setEmailAddress(email);
+    if (!isNullOrEmpty(registryLockEmail)) {
+      builder.setRegistryLockEmailAddress(registryLockEmail);
    }
    if (phone != null) {
      builder.setPhoneNumber(phone.orElse(null));
--- a/core/src/main/java/google/registry/tools/RegistryCli.java
+++ b/core/src/main/java/google/registry/tools/RegistryCli.java
@@ -31,6 +31,7 @@ import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Iterables;
 import google.registry.config.RegistryConfig;
 import google.registry.model.ofy.ObjectifyService;
+import google.registry.persistence.transaction.TransactionManagerFactory;
 import google.registry.tools.AuthModule.LoginRequiredException;
 import google.registry.tools.params.ParameterFactory;
 import java.io.ByteArrayInputStream;
@@ -237,7 +238,7 @@ final class RegistryCli implements AutoCloseable, CommandRunner {
      // Enable Cloud SQL for command that needs remote API as they will very likely use
      // Cloud SQL after the database migration. Note that the DB password is stored in Datastore
      // and it is already initialized above.
-      RegistryToolEnvironment.enableJpaTm();
+      TransactionManagerFactory.setJpaTm(component.nomulusToolJpaTransactionManager());
    }

    command.run();
--- a/core/src/main/java/google/registry/tools/RegistryToolComponent.java
+++ b/core/src/main/java/google/registry/tools/RegistryToolComponent.java
@@ -27,6 +27,9 @@ import google.registry.keyring.KeyringModule;
 import google.registry.keyring.api.DummyKeyringModule;
 import google.registry.keyring.api.KeyModule;
 import google.registry.keyring.kms.KmsModule;
+import google.registry.persistence.PersistenceModule;
+import google.registry.persistence.PersistenceModule.NomulusToolJpaTm;
+import google.registry.persistence.transaction.JpaTransactionManager;
 import google.registry.rde.RdeModule;
 import google.registry.request.Modules.DatastoreServiceModule;
 import google.registry.request.Modules.Jackson2Module;
@@ -63,6 +66,7 @@ import javax.inject.Singleton;
      KeyringModule.class,
      KmsModule.class,
      LocalCredentialModule.class,
+      PersistenceModule.class,
      RdeModule.class,
      RequestFactoryModule.class,
      URLFetchServiceModule.class,
@@ -70,7 +74,7 @@ import javax.inject.Singleton;
      UserServiceModule.class,
      UtilsModule.class,
      VoidDnsWriterModule.class,
-      WhoisModule.class,
+      WhoisModule.class
    })
 interface RegistryToolComponent {
  void inject(AckPollMessagesCommand command);
@@ -117,6 +121,9 @@ interface RegistryToolComponent {
  @LocalCredentialJson
  String googleCredentialJson();

+  @NomulusToolJpaTm
+  JpaTransactionManager nomulusToolJpaTransactionManager();
+
  @Component.Builder
  interface Builder {
    @BindsInstance
--- a/core/src/main/java/google/registry/tools/RegistryToolEnvironment.java
+++ b/core/src/main/java/google/registry/tools/RegistryToolEnvironment.java
@@ -23,7 +23,6 @@ import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import google.registry.config.RegistryEnvironment;
 import google.registry.config.SystemPropertySetter;
-import google.registry.persistence.transaction.TransactionManagerFactory;

 /** Enum of production environments, used for the {@code --environment} flag. */
 public enum RegistryToolEnvironment {
@@ -40,7 +39,6 @@ public enum RegistryToolEnvironment {

  private static final ImmutableList<String> FLAGS = ImmutableList.of("-e", "--environment");
  private static RegistryToolEnvironment instance;
-  private static boolean isJpaTmEnabled = false;
  private final RegistryEnvironment actualEnvironment;
  private final ImmutableMap<String, String> extraProperties;

@@ -100,26 +98,6 @@ public enum RegistryToolEnvironment {
    }
  }

-  /** Returns true if the RegistryToolEnvironment is set up. */
-  public static boolean isInRegistryTool() {
-    return instance != null;
-  }
-
-  /**
-   * Sets the flag to indicate that the running command needs JpaTransactionManager to be enabled.
-   */
-  public static void enableJpaTm() {
-    isJpaTmEnabled = true;
-  }
-
-  /**
-   * Returns true if the JpaTransactionManager is enabled. Note that JpaTm is actually enabled in
-   * {@link TransactionManagerFactory} by reading this flag.
-   */
-  public static boolean isJpaTmEnabled() {
-    return isJpaTmEnabled;
-  }
-
  /** Extracts value from command-line arguments associated with any {@code flags}. */
  private static String getFlagValue(String[] args, Iterable<String> flags) {
    for (String flag : flags) {
--- a/core/src/main/java/google/registry/tools/UpdateRegistrarCommand.java
+++ b/core/src/main/java/google/registry/tools/UpdateRegistrarCommand.java
@@ -14,13 +14,13 @@

 package google.registry.tools;

+import static google.registry.persistence.transaction.TransactionManagerFactory.jpaTm;
 import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
 import static google.registry.util.PreconditionsUtils.checkArgumentPresent;

 import com.beust.jcommander.Parameters;
 import google.registry.config.RegistryEnvironment;
 import google.registry.model.registrar.Registrar;
-import google.registry.schema.registrar.RegistrarDao;
 import javax.annotation.Nullable;

 /** Command to update a Registrar. */
@@ -53,6 +53,6 @@ final class UpdateRegistrarCommand extends CreateOrUpdateRegistrarCommand {

  @Override
  void saveToCloudSql(Registrar registrar) {
-    RegistrarDao.update(registrar);
+    jpaTm().update(registrar);
  }
 }
--- a/core/src/main/java/google/registry/ui/server/RegistrarFormFields.java
+++ b/core/src/main/java/google/registry/ui/server/RegistrarFormFields.java
@@ -184,6 +184,11 @@ public final class RegistrarFormFields {
          .required()
          .build();

+  public static final FormField<String, String> REGISTRY_LOCK_EMAIL_ADDRESS_FIELD =
+      FormFields.EMAIL
+          .asBuilderNamed("registryLockEmailAddress")
+          .build();
+
  public static final FormField<Boolean, Boolean> CONTACT_VISIBLE_IN_WHOIS_AS_ADMIN_FIELD =
      FormField.named("visibleInWhoisAsAdmin", Boolean.class)
          .build();
@@ -377,6 +382,8 @@ public final class RegistrarFormFields {
      RegistrarContact.Builder builder, Map<String, ?> args) {
    builder.setName(CONTACT_NAME_FIELD.extractUntyped(args).orElse(null));
    builder.setEmailAddress(CONTACT_EMAIL_ADDRESS_FIELD.extractUntyped(args).orElse(null));
+    builder.setRegistryLockEmailAddress(
+        REGISTRY_LOCK_EMAIL_ADDRESS_FIELD.extractUntyped(args).orElse(null));
    builder.setVisibleInWhoisAsAdmin(
        CONTACT_VISIBLE_IN_WHOIS_AS_ADMIN_FIELD.extractUntyped(args).orElse(false));
    builder.setVisibleInWhoisAsTech(
--- a/core/src/main/java/google/registry/ui/server/registrar/RegistryLockGetAction.java
+++ b/core/src/main/java/google/registry/ui/server/registrar/RegistryLockGetAction.java
@@ -41,7 +41,6 @@ import google.registry.request.auth.Auth;
 import google.registry.request.auth.AuthResult;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor.RegistrarAccessDeniedException;
-import google.registry.request.auth.UserAuthInfo;
 import google.registry.schema.domain.RegistryLock;
 import google.registry.security.JsonResponseHelper;
 import java.util.Optional;
@@ -117,41 +116,63 @@ public final class RegistryLockGetAction implements JsonGetAction {
    }
  }

-  private ImmutableMap<String, ?> getLockedDomainsMap(String clientId)
-      throws RegistrarAccessDeniedException {
-    // Note: admins always have access to the locks page
-    checkArgument(authResult.userAuthInfo().isPresent(), "User auth info must be present");
-    UserAuthInfo userAuthInfo = authResult.userAuthInfo().get();
-    boolean isAdmin = registrarAccessor.isAdmin();
-    Registrar registrar = getRegistrarAndVerifyLockAccess(clientId, isAdmin);
-    User user = userAuthInfo.user();
-    boolean isRegistryLockAllowed =
-        isAdmin
-            || registrar.getContacts().stream()
-                .filter(contact -> contact.getEmailAddress().equals(user.getEmail()))
-                .findFirst()
-                .map(RegistrarContact::isRegistryLockAllowed)
-                .orElse(false);
-    return ImmutableMap.of(
-        LOCK_ENABLED_FOR_CONTACT_PARAM,
-        isRegistryLockAllowed,
-        EMAIL_PARAM,
-        user.getEmail(),
-        PARAM_CLIENT_ID,
-        registrar.getClientId(),
-        LOCKS_PARAM,
-        getLockedDomains(clientId, isAdmin));
+  static Optional<RegistrarContact> getContactMatchingLogin(User user, Registrar registrar) {
+    ImmutableList<RegistrarContact> matchingContacts =
+        registrar.getContacts().stream()
+            .filter(contact -> contact.getGaeUserId().equals(user.getUserId()))
+            .collect(toImmutableList());
+    if (matchingContacts.size() > 1) {
+      ImmutableList<String> matchingEmails =
+          matchingContacts.stream()
+              .map(RegistrarContact::getEmailAddress)
+              .collect(toImmutableList());
+      throw new IllegalArgumentException(
+          String.format(
+              "User ID %s had multiple matching contacts with email addresses %s",
+              user.getUserId(), matchingEmails));
+    }
+    return matchingContacts.stream().findFirst();
  }

-  private Registrar getRegistrarAndVerifyLockAccess(String clientId, boolean isAdmin)
+  static Registrar getRegistrarAndVerifyLockAccess(
+      AuthenticatedRegistrarAccessor registrarAccessor, String clientId, boolean isAdmin)
      throws RegistrarAccessDeniedException {
    Registrar registrar = registrarAccessor.getRegistrar(clientId);
    checkArgument(
        isAdmin || registrar.isRegistryLockAllowed(),
-        "Registry lock not allowed for this registrar");
+        "Registry lock not allowed for registrar %s",
+        clientId);
    return registrar;
  }

+  private ImmutableMap<String, ?> getLockedDomainsMap(String clientId)
+      throws RegistrarAccessDeniedException {
+    // Note: admins always have access to the locks page
+    checkArgument(authResult.userAuthInfo().isPresent(), "User auth info must be present");
+
+    boolean isAdmin = registrarAccessor.isAdmin();
+    Registrar registrar = getRegistrarAndVerifyLockAccess(registrarAccessor, clientId, isAdmin);
+    User user = authResult.userAuthInfo().get().user();
+
+    Optional<RegistrarContact> contactOptional = getContactMatchingLogin(user, registrar);
+    boolean isRegistryLockAllowed =
+        isAdmin || contactOptional.map(RegistrarContact::isRegistryLockAllowed).orElse(false);
+    // Use the contact's registry lock email if it's present, else use the login email (for admins)
+    String relevantEmail =
+        contactOptional
+            .map(contact -> contact.getRegistryLockEmailAddress().get())
+            .orElse(user.getEmail());
+    return ImmutableMap.of(
+        LOCK_ENABLED_FOR_CONTACT_PARAM,
+        isRegistryLockAllowed,
+        EMAIL_PARAM,
+        relevantEmail,
+        PARAM_CLIENT_ID,
+        registrar.getClientId(),
+        LOCKS_PARAM,
+        getLockedDomains(clientId, isAdmin));
+  }
+
  private ImmutableList<ImmutableMap<String, ?>> getLockedDomains(
      String clientId, boolean isAdmin) {
    return jpaTm()
@@ -159,12 +180,12 @@ public final class RegistryLockGetAction implements JsonGetAction {
            () ->
                RegistryLockDao.getLocksByRegistrarId(clientId).stream()
                    .filter(lock -> !lock.isLockRequestExpired(jpaTm().getTransactionTime()))
-                    .filter(lock -> !lock.isUnlockRequestExpired(jpaTm().getTransactionTime()))
                    .map(lock -> lockToMap(lock, isAdmin))
                    .collect(toImmutableList()));
  }

  private ImmutableMap<String, ?> lockToMap(RegistryLock lock, boolean isAdmin) {
+    DateTime now = jpaTm().getTransactionTime();
    return new ImmutableMap.Builder<String, Object>()
        .put(FULLY_QUALIFIED_DOMAIN_NAME_PARAM, lock.getDomainName())
        .put(
@@ -174,7 +195,8 @@ public final class RegistryLockGetAction implements JsonGetAction {
        .put(
            IS_UNLOCK_PENDING_PARAM,
            lock.getUnlockRequestTimestamp().isPresent()
-                && !lock.getUnlockCompletionTimestamp().isPresent())
+                && !lock.getUnlockCompletionTimestamp().isPresent()
+                && !lock.isUnlockRequestExpired(now))
        .put(USER_CAN_UNLOCK_PARAM, isAdmin || !lock.isSuperuser())
        .build();
  }
--- a/core/src/main/java/google/registry/ui/server/registrar/RegistryLockPostAction.java
+++ b/core/src/main/java/google/registry/ui/server/registrar/RegistryLockPostAction.java
@@ -20,8 +20,11 @@ import static google.registry.persistence.transaction.TransactionManagerFactory.
 import static google.registry.security.JsonResponseHelper.Status.ERROR;
 import static google.registry.security.JsonResponseHelper.Status.SUCCESS;
 import static google.registry.ui.server.registrar.RegistrarConsoleModule.PARAM_CLIENT_ID;
+import static google.registry.ui.server.registrar.RegistryLockGetAction.getContactMatchingLogin;
+import static google.registry.ui.server.registrar.RegistryLockGetAction.getRegistrarAndVerifyLockAccess;
 import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;

+import com.google.appengine.api.users.User;
 import com.google.common.base.Strings;
 import com.google.common.base.Throwables;
 import com.google.common.collect.ImmutableList;
@@ -124,11 +127,7 @@ public class RegistryLockPostAction implements Runnable, JsonActionRunner.JsonAc
              .userAuthInfo()
              .orElseThrow(() -> new ForbiddenException("User is not logged in"));

-      boolean isAdmin = userAuthInfo.isUserAdmin();
-      String userEmail = userAuthInfo.user().getEmail();
-      if (!isAdmin) {
-        verifyRegistryLockPassword(postInput, userEmail);
-      }
+      String userEmail = verifyPasswordAndGetEmail(userAuthInfo, postInput);
      jpaTm()
          .transact(
              () -> {
@@ -138,9 +137,11 @@ public class RegistryLockPostAction implements Runnable, JsonActionRunner.JsonAc
                            postInput.fullyQualifiedDomainName,
                            postInput.clientId,
                            userEmail,
-                            isAdmin)
+                            registrarAccessor.isAdmin())
                        : domainLockUtils.saveNewRegistryUnlockRequest(
-                            postInput.fullyQualifiedDomainName, postInput.clientId, isAdmin);
+                            postInput.fullyQualifiedDomainName,
+                            postInput.clientId,
+                            registrarAccessor.isAdmin());
                sendVerificationEmail(registryLock, userEmail, postInput.isLock);
              });
      String action = postInput.isLock ? "lock" : "unlock";
@@ -180,25 +181,35 @@ public class RegistryLockPostAction implements Runnable, JsonActionRunner.JsonAc
    }
  }

-  private void verifyRegistryLockPassword(RegistryLockPostInput postInput, String userEmail)
+  private String verifyPasswordAndGetEmail(
+      UserAuthInfo userAuthInfo, RegistryLockPostInput postInput)
      throws RegistrarAccessDeniedException {
-    // Verify that the user can access the registrar and that the user has
-    // registry lock enabled and provided a correct password
-    Registrar registrar = registrarAccessor.getRegistrar(postInput.clientId);
-    checkArgument(
-        registrar.isRegistryLockAllowed(), "Registry lock not allowed for this registrar");
-    checkArgument(!Strings.isNullOrEmpty(postInput.password), "Missing key for password");
+    User user = userAuthInfo.user();
+    if (registrarAccessor.isAdmin()) {
+      return user.getEmail();
+    }
+    // Verify that the user can access the registrar, that the user has
+    // registry lock enabled, and that the user providjed a correct password
+    Registrar registrar =
+        getRegistrarAndVerifyLockAccess(registrarAccessor, postInput.clientId, false);
    RegistrarContact registrarContact =
-        registrar.getContacts().stream()
-            .filter(contact -> contact.getEmailAddress().equals(userEmail))
-            .findFirst()
+        getContactMatchingLogin(user, registrar)
            .orElseThrow(
                () ->
                    new IllegalArgumentException(
-                        String.format("Unknown user email %s", userEmail)));
+                        String.format(
+                            "Cannot match user %s to registrar contact", user.getUserId())));
    checkArgument(
        registrarContact.verifyRegistryLockPassword(postInput.password),
        "Incorrect registry lock password for contact");
+    return registrarContact
+        .getRegistryLockEmailAddress()
+        .orElseThrow(
+            () ->
+                new IllegalStateException(
+                    String.format(
+                        "Contact %s had no registry lock email address",
+                        registrarContact.getEmailAddress())));
  }

  /** Value class that represents the expected input body from the UI request. */
--- a/core/src/main/javascript/google/registry/ui/js/registrar/registry_lock.js
+++ b/core/src/main/javascript/google/registry/ui/js/registrar/registry_lock.js
@@ -45,6 +45,7 @@ registry.registrar.RegistryLock = function(console, resource) {
 goog.inherits(registry.registrar.RegistryLock, registry.ResourceComponent);

 registry.registrar.RegistryLock.prototype.runAfterRender = function(objArgs) {
+  this.isAdmin = objArgs.isAdmin;
  this.clientId = objArgs.clientId;
  this.xsrfToken = objArgs.xsrfToken;

@@ -55,8 +56,7 @@ registry.registrar.RegistryLock.prototype.runAfterRender = function(objArgs) {
  } else {
    goog.soy.renderElement(
        goog.dom.getRequiredElement('locks-content'),
-        registry.soy.registrar.registrylock.lockNotAllowedOnRegistrar,
-        {supportEmail: objArgs.supportEmail});
+        registry.soy.registrar.registrylock.lockNotAllowedOnRegistrar);
  }
 };

@@ -92,7 +92,7 @@ registry.registrar.RegistryLock.prototype.fillLocksPage_ = function(e) {
            lockEnabledForContact: locksDetails.lockEnabledForContact});

    if (locksDetails.lockEnabledForContact) {
-      // Listen to the lock-domain 'submit' button click as well as the enter key
+      // Listen to the lock-domain 'submit' button click
      var lockButton = goog.dom.getRequiredElement('button-lock-domain');
      goog.events.listen(lockButton, goog.events.EventType.CLICK, this.onLockDomain_, false, this);
      // For all unlock buttons, listen and perform the unlock action if they're clicked
@@ -115,7 +115,8 @@ registry.registrar.RegistryLock.prototype.showModal_ = function(targetElement, d
  var parentElement = targetElement.parentElement;
  // attach the modal to the parent element so focus remains correct if the user closes the modal
  var modalElement = goog.soy.renderAsElement(
-      registry.soy.registrar.registrylock.confirmModal, {domain: domain, isLock: isLock});
+      registry.soy.registrar.registrylock.confirmModal,
+      {domain: domain, isLock: isLock, isAdmin: this.isAdmin});
  parentElement.prepend(modalElement);
  if (domain == null) {
    goog.dom.getRequiredElement('domain-lock-input-value').focus();
@@ -130,12 +131,29 @@ registry.registrar.RegistryLock.prototype.showModal_ = function(targetElement, d
      false,
      this);

+  // Listen to the "submit" click and also the user hitting enter
  goog.events.listen(
      goog.dom.getRequiredElement('domain-lock-submit'),
      goog.events.EventType.CLICK,
      e => this.lockOrUnlockDomain_(isLock, e),
      false,
      this);
+
+  [goog.dom.getElement('domain-lock-password'),
+      goog.dom.getElement('domain-lock-input-value')].forEach(elem => {
+        if (elem != null) {
+          goog.events.listen(
+              elem,
+              goog.events.EventType.KEYPRESS,
+              e => {
+                if (e.keyCode === goog.events.KeyCodes.ENTER) {
+                  this.lockOrUnlockDomain_(isLock, e);
+                }
+              },
+              false,
+              this);
+        }
+      });
 }

 /**
--- a/core/src/main/resources/META-INF/persistence.xml
+++ b/core/src/main/resources/META-INF/persistence.xml
@@ -38,6 +38,7 @@
    <class>google.registry.persistence.converter.CreateAutoTimestampConverter</class>
    <class>google.registry.persistence.converter.CurrencyUnitConverter</class>
    <class>google.registry.persistence.converter.DateTimeConverter</class>
+    <class>google.registry.persistence.converter.DurationConverter</class>
    <class>google.registry.persistence.converter.RegistrarPocSetConverter</class>
    <class>google.registry.persistence.converter.StatusValueSetConverter</class>
    <class>google.registry.persistence.converter.StringListConverter</class>
--- a/core/src/main/resources/google/registry/ui/soy/registrar/RegistryLock.soy
+++ b/core/src/main/resources/google/registry/ui/soy/registrar/RegistryLock.soy
@@ -106,6 +106,7 @@
 /** Modal that confirms that the user wishes to lock/unlock a domain. */
 {template .confirmModal}
  {@param isLock: bool}
+  {@param isAdmin: bool}
  {@param? domain: string|null}
  <div id="lock-confirm-modal" class="{css('lock-confirm-modal')}">
    <div class="modal-content">
@@ -117,9 +118,11 @@
             value="{$domain}" disabled
          {/if}>
      <br>
-      <label for="domain-lock-password">Registry lock password: </label>
-      <input type="password" id="domain-lock-password">
-      <br>
+      {if not $isAdmin}
+        <label for="domain-lock-password">Registry lock password: </label>
+        <input type="password" id="domain-lock-password">
+        <br>
+      {/if}
      <div id="modal-error-message" hidden class="{css('kd-errormessage')}"></div>
      <div class="{css('buttons-div')}">
        <button id="domain-lock-cancel" class="{css('kd-button')}">Cancel</button>
@@ -133,7 +136,5 @@

 /** Content if the registrar is not allowed to use registry lock. */
 {template .lockNotAllowedOnRegistrar}
-  {@param supportEmail: string}
-  <h2>Sorry, your registrar hasn't enrolled in registry lock yet. To do so, please
-    contact {$supportEmail}.</h2>
+  <h2>Registry Lock is coming soon; please stay tuned for updates.</h2>
 {/template}
--- a/core/src/test/java/google/registry/backup/CommitLogCheckpointActionTest.java
+++ b/core/src/test/java/google/registry/backup/CommitLogCheckpointActionTest.java
@@ -46,10 +46,8 @@ public class CommitLogCheckpointActionTest {
  private static final String QUEUE_NAME = "export-commits";

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .withTaskQueue()
-      .build();
+  public final AppEngineRule appEngine =
+      AppEngineRule.builder().withDatastoreAndCloudSql().withTaskQueue().build();

  CommitLogCheckpointStrategy strategy = mock(CommitLogCheckpointStrategy.class);

--- a/core/src/test/java/google/registry/backup/CommitLogCheckpointStrategyTest.java
+++ b/core/src/test/java/google/registry/backup/CommitLogCheckpointStrategyTest.java
@@ -47,9 +47,7 @@ import org.junit.runners.JUnit4;
 public class CommitLogCheckpointStrategyTest {

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .build();
+  public final AppEngineRule appEngine = AppEngineRule.builder().withDatastoreAndCloudSql().build();

  @Rule
  public final InjectRule inject = new InjectRule();
--- a/core/src/test/java/google/registry/backup/ExportCommitLogDiffActionTest.java
+++ b/core/src/test/java/google/registry/backup/ExportCommitLogDiffActionTest.java
@@ -50,9 +50,7 @@ import org.junit.runners.JUnit4;
 public class ExportCommitLogDiffActionTest {

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .build();
+  public final AppEngineRule appEngine = AppEngineRule.builder().withDatastoreAndCloudSql().build();

  /** Local GCS service available for testing. */
  private final GcsService gcsService = GcsServiceFactory.createGcsService();
--- a/core/src/test/java/google/registry/backup/GcsDiffFileListerTest.java
+++ b/core/src/test/java/google/registry/backup/GcsDiffFileListerTest.java
@@ -62,9 +62,7 @@ public class GcsDiffFileListerTest {
  private final TestLogHandler logHandler = new TestLogHandler();

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .build();
+  public final AppEngineRule appEngine = AppEngineRule.builder().withDatastoreAndCloudSql().build();

  @Before
  public void before() throws Exception {
--- a/core/src/test/java/google/registry/backup/RestoreCommitLogsActionTest.java
+++ b/core/src/test/java/google/registry/backup/RestoreCommitLogsActionTest.java
@@ -71,9 +71,7 @@ public class RestoreCommitLogsActionTest {
  final GcsService gcsService = createGcsService();

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .build();
+  public final AppEngineRule appEngine = AppEngineRule.builder().withDatastoreAndCloudSql().build();

  @Before
  public void init() {
--- a/core/src/test/java/google/registry/batch/AsyncTaskEnqueuerTest.java
+++ b/core/src/test/java/google/registry/batch/AsyncTaskEnqueuerTest.java
@@ -61,7 +61,7 @@ public class AsyncTaskEnqueuerTest extends ShardableTestCase {

  @Rule
  public final AppEngineRule appEngine =
-      AppEngineRule.builder().withDatastore().withTaskQueue().build();
+      AppEngineRule.builder().withDatastoreAndCloudSql().withTaskQueue().build();

  @Rule public final InjectRule inject = new InjectRule();

--- a/core/src/test/java/google/registry/batch/RelockDomainActionTest.java
+++ b/core/src/test/java/google/registry/batch/RelockDomainActionTest.java
@@ -0,0 +1,176 @@
+// Copyright 2020 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.batch;
+
+import static com.google.common.truth.Truth.assertThat;
+import static google.registry.model.eppcommon.StatusValue.PENDING_DELETE;
+import static google.registry.model.eppcommon.StatusValue.PENDING_TRANSFER;
+import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.testing.DatastoreHelper.createTlds;
+import static google.registry.testing.DatastoreHelper.newDomainBase;
+import static google.registry.testing.DatastoreHelper.persistActiveHost;
+import static google.registry.testing.DatastoreHelper.persistDomainAsDeleted;
+import static google.registry.testing.DatastoreHelper.persistResource;
+import static google.registry.testing.SqlHelper.getMostRecentVerifiedRegistryLockByRepoId;
+import static google.registry.testing.SqlHelper.getRegistryLockByVerificationCode;
+import static google.registry.testing.SqlHelper.saveRegistryLock;
+import static google.registry.tools.LockOrUnlockDomainCommand.REGISTRY_LOCK_STATUSES;
+import static javax.servlet.http.HttpServletResponse.SC_NO_CONTENT;
+
+import com.google.common.collect.ImmutableSet;
+import google.registry.model.domain.DomainBase;
+import google.registry.model.host.HostResource;
+import google.registry.schema.domain.RegistryLock;
+import google.registry.testing.AppEngineRule;
+import google.registry.testing.DeterministicStringGenerator;
+import google.registry.testing.FakeClock;
+import google.registry.testing.FakeResponse;
+import google.registry.testing.UserInfo;
+import google.registry.tools.DomainLockUtils;
+import google.registry.util.StringGenerator.Alphabets;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.JUnit4;
+
+/** Unit tests for {@link RelockDomainAction}. */
+@RunWith(JUnit4.class)
+public class RelockDomainActionTest {
+
+  private static final String DOMAIN_NAME = "example.tld";
+  private static final String CLIENT_ID = "TheRegistrar";
+  private static final String POC_ID = "marla.singer@example.com";
+
+  private final FakeResponse response = new FakeResponse();
+  private final FakeClock clock = new FakeClock();
+  private final DomainLockUtils domainLockUtils =
+      new DomainLockUtils(new DeterministicStringGenerator(Alphabets.BASE_58));
+
+  @Rule
+  public final AppEngineRule appEngineRule =
+      AppEngineRule.builder()
+          .withDatastoreAndCloudSql()
+          .withUserService(UserInfo.create(POC_ID, "12345"))
+          .build();
+
+  private DomainBase domain;
+  private RegistryLock oldLock;
+  private RelockDomainAction action;
+
+  @Before
+  public void setup() {
+    createTlds("tld", "net");
+    HostResource host = persistActiveHost("ns1.example.net");
+    domain = persistResource(newDomainBase(DOMAIN_NAME, host));
+
+    oldLock = domainLockUtils.administrativelyApplyLock(DOMAIN_NAME, CLIENT_ID, POC_ID, false);
+    assertThat(reloadDomain(domain).getStatusValues())
+        .containsAtLeastElementsIn(REGISTRY_LOCK_STATUSES);
+    oldLock = domainLockUtils.administrativelyApplyUnlock(DOMAIN_NAME, CLIENT_ID, false);
+    assertThat(reloadDomain(domain).getStatusValues()).containsNoneIn(REGISTRY_LOCK_STATUSES);
+    action = createAction(oldLock.getRevisionId());
+  }
+
+  @Test
+  public void testLock() {
+    action.run();
+    assertThat(reloadDomain(domain).getStatusValues())
+        .containsAtLeastElementsIn(REGISTRY_LOCK_STATUSES);
+
+    // the old lock should have a reference to the relock
+    RegistryLock newLock = getMostRecentVerifiedRegistryLockByRepoId(domain.getRepoId()).get();
+    assertThat(getRegistryLockByVerificationCode(oldLock.getVerificationCode()).get().getRelock())
+        .isEqualTo(newLock);
+  }
+
+  @Test
+  public void testFailure_unknownCode() {
+    action = createAction(12128675309L);
+    action.run();
+    assertThat(response.getStatus()).isEqualTo(SC_NO_CONTENT);
+    assertThat(response.getPayload()).isEqualTo("Relock failed: Unknown revision ID 12128675309");
+  }
+
+  @Test
+  public void testFailure_pendingDelete() {
+    persistResource(domain.asBuilder().setStatusValues(ImmutableSet.of(PENDING_DELETE)).build());
+    action.run();
+    assertThat(response.getStatus()).isEqualTo(SC_NO_CONTENT);
+    assertThat(response.getPayload())
+        .isEqualTo(String.format("Relock failed: Domain %s has a pending delete", DOMAIN_NAME));
+  }
+
+  @Test
+  public void testFailure_pendingTransfer() {
+    persistResource(domain.asBuilder().setStatusValues(ImmutableSet.of(PENDING_TRANSFER)).build());
+    action.run();
+    assertThat(response.getStatus()).isEqualTo(SC_NO_CONTENT);
+    assertThat(response.getPayload())
+        .isEqualTo(String.format("Relock failed: Domain %s has a pending transfer", DOMAIN_NAME));
+  }
+
+  @Test
+  public void testFailure_domainAlreadyLocked() {
+    domainLockUtils.administrativelyApplyLock(DOMAIN_NAME, CLIENT_ID, null, true);
+    action.run();
+    assertThat(response.getStatus()).isEqualTo(SC_NO_CONTENT);
+    assertThat(response.getPayload())
+        .isEqualTo("Domain example.tld is already manually relocked, skipping automated relock.");
+  }
+
+  @Test
+  public void testFailure_domainDeleted() {
+    persistDomainAsDeleted(domain, clock.nowUtc());
+    action.run();
+    assertThat(response.getStatus()).isEqualTo(SC_NO_CONTENT);
+    assertThat(response.getPayload())
+        .isEqualTo(String.format("Relock failed: Domain %s has been deleted", DOMAIN_NAME));
+  }
+
+  @Test
+  public void testFailure_domainTransferred() {
+    persistResource(domain.asBuilder().setPersistedCurrentSponsorClientId("NewRegistrar").build());
+    action.run();
+    assertThat(response.getStatus()).isEqualTo(SC_NO_CONTENT);
+    assertThat(response.getPayload())
+        .isEqualTo(
+            String.format(
+                "Relock failed: Domain %s has been transferred from registrar %s to registrar "
+                    + "%s since the unlock",
+                DOMAIN_NAME, CLIENT_ID, "NewRegistrar"));
+  }
+
+  @Test
+  public void testFailure_relockAlreadySet() {
+    RegistryLock newLock =
+        domainLockUtils.administrativelyApplyLock(DOMAIN_NAME, CLIENT_ID, null, true);
+    saveRegistryLock(oldLock.asBuilder().setRelock(newLock).build());
+    // Save the domain without the lock statuses so that we pass that check in the action
+    persistResource(domain.asBuilder().setStatusValues(ImmutableSet.of()).build());
+    action.run();
+    assertThat(response.getStatus()).isEqualTo(SC_NO_CONTENT);
+    assertThat(response.getPayload())
+        .isEqualTo("Domain example.tld is already manually relocked, skipping automated relock.");
+  }
+
+  private DomainBase reloadDomain(DomainBase domain) {
+    return ofy().load().entity(domain).now();
+  }
+
+  private RelockDomainAction createAction(Long oldUnlockRevisionId) {
+    return new RelockDomainAction(oldUnlockRevisionId, domainLockUtils, response);
+  }
+}
--- a/core/src/test/java/google/registry/batch/ResaveEntityActionTest.java
+++ b/core/src/test/java/google/registry/batch/ResaveEntityActionTest.java
@@ -70,7 +70,7 @@ public class ResaveEntityActionTest extends ShardableTestCase {

  @Rule
  public final AppEngineRule appEngine =
-      AppEngineRule.builder().withDatastore().withTaskQueue().build();
+      AppEngineRule.builder().withDatastoreAndCloudSql().withTaskQueue().build();

  @Rule public final InjectRule inject = new InjectRule();
  @Rule public final MockitoRule mocks = MockitoJUnit.rule();
--- a/core/src/test/java/google/registry/cron/CommitLogFanoutActionTest.java
+++ b/core/src/test/java/google/registry/cron/CommitLogFanoutActionTest.java
@@ -39,17 +39,20 @@ public class CommitLogFanoutActionTest {
  private static final String QUEUE = "the-queue";

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .withTaskQueue(Joiner.on('\n').join(
-          "<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
-          "<queue-entries>",
-          "  <queue>",
-          "    <name>the-queue</name>",
-          "    <rate>1/s</rate>",
-          "  </queue>",
-          "</queue-entries>"))
-      .build();
+  public final AppEngineRule appEngine =
+      AppEngineRule.builder()
+          .withDatastoreAndCloudSql()
+          .withTaskQueue(
+              Joiner.on('\n')
+                  .join(
+                      "<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
+                      "<queue-entries>",
+                      "  <queue>",
+                      "    <name>the-queue</name>",
+                      "    <rate>1/s</rate>",
+                      "  </queue>",
+                      "</queue-entries>"))
+          .build();

  @Test
  public void testSuccess() {
--- a/core/src/test/java/google/registry/cron/TldFanoutActionTest.java
+++ b/core/src/test/java/google/registry/cron/TldFanoutActionTest.java
@@ -54,17 +54,20 @@ public class TldFanoutActionTest {
  private final FakeResponse response = new FakeResponse();

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .withTaskQueue(Joiner.on('\n').join(
-          "<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
-          "<queue-entries>",
-          "  <queue>",
-          "    <name>the-queue</name>",
-          "    <rate>1/s</rate>",
-          "  </queue>",
-          "</queue-entries>"))
-      .build();
+  public final AppEngineRule appEngine =
+      AppEngineRule.builder()
+          .withDatastoreAndCloudSql()
+          .withTaskQueue(
+              Joiner.on('\n')
+                  .join(
+                      "<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
+                      "<queue-entries>",
+                      "  <queue>",
+                      "    <name>the-queue</name>",
+                      "    <rate>1/s</rate>",
+                      "  </queue>",
+                      "</queue-entries>"))
+          .build();

  private static ImmutableListMultimap<String, String> getParamsMap(String... keysAndValues) {
    ImmutableListMultimap.Builder<String, String> params = new ImmutableListMultimap.Builder<>();
--- a/core/src/test/java/google/registry/dns/DnsInjectionTest.java
+++ b/core/src/test/java/google/registry/dns/DnsInjectionTest.java
@@ -46,10 +46,8 @@ import org.junit.runners.JUnit4;
 public final class DnsInjectionTest {

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .withTaskQueue()
-      .build();
+  public final AppEngineRule appEngine =
+      AppEngineRule.builder().withDatastoreAndCloudSql().withTaskQueue().build();

  @Rule
  public final InjectRule inject = new InjectRule();
--- a/core/src/test/java/google/registry/dns/DnsQueueTest.java
+++ b/core/src/test/java/google/registry/dns/DnsQueueTest.java
@@ -35,10 +35,9 @@ import org.junit.runners.JUnit4;
 public class DnsQueueTest {

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .withTaskQueue()
-      .build();
+  public final AppEngineRule appEngine =
+      AppEngineRule.builder().withDatastoreAndCloudSql().withTaskQueue().build();
+
  private DnsQueue dnsQueue;
  private final FakeClock clock = new FakeClock(DateTime.parse("2010-01-01T10:00:00Z"));

--- a/core/src/test/java/google/registry/dns/PublishDnsUpdatesActionTest.java
+++ b/core/src/test/java/google/registry/dns/PublishDnsUpdatesActionTest.java
@@ -55,10 +55,8 @@ import org.junit.runners.JUnit4;
 public class PublishDnsUpdatesActionTest {

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .withTaskQueue()
-      .build();
+  public final AppEngineRule appEngine =
+      AppEngineRule.builder().withDatastoreAndCloudSql().withTaskQueue().build();

  @Rule
  public final InjectRule inject = new InjectRule();
--- a/core/src/test/java/google/registry/dns/ReadDnsQueueActionTest.java
+++ b/core/src/test/java/google/registry/dns/ReadDnsQueueActionTest.java
@@ -73,22 +73,25 @@ public class ReadDnsQueueActionTest {
  private FakeClock clock = new FakeClock(DateTime.parse("3000-01-01TZ"));

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .withTaskQueue(Joiner.on('\n').join(
-          "<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
-          "<queue-entries>",
-          "  <queue>",
-          "    <name>dns-publish</name>",
-          "    <rate>1/s</rate>",
-          "  </queue>",
-          "  <queue>",
-          "    <name>dns-pull</name>",
-          "    <mode>pull</mode>",
-          "  </queue>",
-          "</queue-entries>"))
-      .withClock(clock)
-      .build();
+  public final AppEngineRule appEngine =
+      AppEngineRule.builder()
+          .withDatastoreAndCloudSql()
+          .withTaskQueue(
+              Joiner.on('\n')
+                  .join(
+                      "<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
+                      "<queue-entries>",
+                      "  <queue>",
+                      "    <name>dns-publish</name>",
+                      "    <rate>1/s</rate>",
+                      "  </queue>",
+                      "  <queue>",
+                      "    <name>dns-pull</name>",
+                      "    <mode>pull</mode>",
+                      "  </queue>",
+                      "</queue-entries>"))
+          .withClock(clock)
+          .build();

  @Before
  public void before() {
--- a/core/src/test/java/google/registry/dns/RefreshDnsActionTest.java
+++ b/core/src/test/java/google/registry/dns/RefreshDnsActionTest.java
@@ -42,7 +42,7 @@ public class RefreshDnsActionTest {

  @Rule
  public final AppEngineRule appEngine =
-      AppEngineRule.builder().withDatastore().withTaskQueue().build();
+      AppEngineRule.builder().withDatastoreAndCloudSql().withTaskQueue().build();

  private final DnsQueue dnsQueue = mock(DnsQueue.class);
  private final FakeClock clock = new FakeClock();
--- a/core/src/test/java/google/registry/dns/writer/clouddns/CloudDnsWriterTest.java
+++ b/core/src/test/java/google/registry/dns/writer/clouddns/CloudDnsWriterTest.java
@@ -69,7 +69,9 @@ import org.mockito.junit.MockitoRule;
@RunWith(JUnit4.class)
 public class CloudDnsWriterTest {

-  @Rule public final AppEngineRule appEngine = AppEngineRule.builder().withDatastore().build();
+  @Rule
+  public final AppEngineRule appEngine = AppEngineRule.builder().withDatastoreAndCloudSql().build();
+
  @Rule public final MockitoRule mocks = MockitoJUnit.rule();

  private static final Inet4Address IPv4 = (Inet4Address) InetAddresses.forString("127.0.0.1");
--- a/core/src/test/java/google/registry/dns/writer/dnsupdate/DnsUpdateWriterTest.java
+++ b/core/src/test/java/google/registry/dns/writer/dnsupdate/DnsUpdateWriterTest.java
@@ -76,7 +76,7 @@ public class DnsUpdateWriterTest {

  @Rule
  public final AppEngineRule appEngine =
-      AppEngineRule.builder().withDatastore().withTaskQueue().build();
+      AppEngineRule.builder().withDatastoreAndCloudSql().withTaskQueue().build();

  @Rule public final MockitoRule mocks = MockitoJUnit.rule();
  @Rule public final InjectRule inject = new InjectRule();
--- a/core/src/test/java/google/registry/export/BigqueryPollJobActionTest.java
+++ b/core/src/test/java/google/registry/export/BigqueryPollJobActionTest.java
@@ -62,10 +62,9 @@ import org.junit.runners.JUnit4;
 public class BigqueryPollJobActionTest {

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .withTaskQueue()
-      .build();
+  public final AppEngineRule appEngine =
+      AppEngineRule.builder().withDatastoreAndCloudSql().withTaskQueue().build();
+
  private static final String PROJECT_ID = "project_id";
  private static final String JOB_ID = "job_id";
  private static final String CHAINED_QUEUE_NAME = UpdateSnapshotViewAction.QUEUE;
--- a/core/src/test/java/google/registry/export/ExportPremiumTermsActionTest.java
+++ b/core/src/test/java/google/registry/export/ExportPremiumTermsActionTest.java
@@ -59,7 +59,8 @@ public class ExportPremiumTermsActionTest {
  private static final String EXPECTED_FILE_CONTENT =
      DISCLAIMER_WITH_NEWLINE + "0,USD 549.00\n" + "2048,USD 549.00\n";

-  @Rule public final AppEngineRule appEngine = AppEngineRule.builder().withDatastore().build();
+  @Rule
+  public final AppEngineRule appEngine = AppEngineRule.builder().withDatastoreAndCloudSql().build();

  private final DriveConnection driveConnection = mock(DriveConnection.class);
  private final Response response = mock(Response.class);
--- a/core/src/test/java/google/registry/export/ExportReservedTermsActionTest.java
+++ b/core/src/test/java/google/registry/export/ExportReservedTermsActionTest.java
@@ -48,7 +48,8 @@ import org.junit.runners.JUnit4;
@RunWith(JUnit4.class)
 public class ExportReservedTermsActionTest {

-  @Rule public final AppEngineRule appEngine = AppEngineRule.builder().withDatastore().build();
+  @Rule
+  public final AppEngineRule appEngine = AppEngineRule.builder().withDatastoreAndCloudSql().build();

  private final DriveConnection driveConnection = mock(DriveConnection.class);
  private final Response response = mock(Response.class);
--- a/core/src/test/java/google/registry/export/ExportUtilsTest.java
+++ b/core/src/test/java/google/registry/export/ExportUtilsTest.java
@@ -32,9 +32,7 @@ import org.junit.runners.JUnit4;
 public class ExportUtilsTest {

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .build();
+  public final AppEngineRule appEngine = AppEngineRule.builder().withDatastoreAndCloudSql().build();

  @Test
  public void test_exportReservedTerms() {
--- a/core/src/test/java/google/registry/export/SyncGroupMembersActionTest.java
+++ b/core/src/test/java/google/registry/export/SyncGroupMembersActionTest.java
@@ -60,9 +60,7 @@ import org.junit.runners.JUnit4;
 public class SyncGroupMembersActionTest {

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .build();
+  public final AppEngineRule appEngine = AppEngineRule.builder().withDatastoreAndCloudSql().build();

  @Rule
  public final InjectRule inject = new InjectRule();
--- a/core/src/test/java/google/registry/export/sheet/SyncRegistrarsSheetActionTest.java
+++ b/core/src/test/java/google/registry/export/sheet/SyncRegistrarsSheetActionTest.java
@@ -40,10 +40,8 @@ import org.junit.runners.JUnit4;
 public class SyncRegistrarsSheetActionTest {

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .withTaskQueue()
-      .build();
+  public final AppEngineRule appEngine =
+      AppEngineRule.builder().withDatastoreAndCloudSql().withTaskQueue().build();

  private final FakeResponse response = new FakeResponse();
  private final SyncRegistrarsSheet syncRegistrarsSheet = mock(SyncRegistrarsSheet.class);
--- a/core/src/test/java/google/registry/export/sheet/SyncRegistrarsSheetTest.java
+++ b/core/src/test/java/google/registry/export/sheet/SyncRegistrarsSheetTest.java
@@ -58,7 +58,9 @@ import org.mockito.junit.MockitoRule;
@RunWith(JUnit4.class)
 public class SyncRegistrarsSheetTest {

-  @Rule public final AppEngineRule appEngine = AppEngineRule.builder().withDatastore().build();
+  @Rule
+  public final AppEngineRule appEngine = AppEngineRule.builder().withDatastoreAndCloudSql().build();
+
  @Rule public final MockitoRule mocks = MockitoJUnit.rule();
  @Rule public final InjectRule inject = new InjectRule();

--- a/core/src/test/java/google/registry/flows/CheckApiActionTest.java
+++ b/core/src/test/java/google/registry/flows/CheckApiActionTest.java
@@ -56,7 +56,9 @@ public class CheckApiActionTest {

  private static final DateTime START_TIME = DateTime.parse("2000-01-01T00:00:00.0Z");

-  @Rule public final AppEngineRule appEngine = AppEngineRule.builder().withDatastore().build();
+  @Rule
+  public final AppEngineRule appEngine = AppEngineRule.builder().withDatastoreAndCloudSql().build();
+
  @Rule public final MockitoRule mocks = MockitoJUnit.rule();

  @Mock private CheckApiMetrics checkApiMetrics;
--- a/core/src/test/java/google/registry/flows/EppCommitLogsTest.java
+++ b/core/src/test/java/google/registry/flows/EppCommitLogsTest.java
@@ -48,10 +48,8 @@ import org.junit.runners.JUnit4;
 public class EppCommitLogsTest extends ShardableTestCase {

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .withTaskQueue()
-      .build();
+  public final AppEngineRule appEngine =
+      AppEngineRule.builder().withDatastoreAndCloudSql().withTaskQueue().build();

  @Rule
  public final InjectRule inject = new InjectRule();
--- a/core/src/test/java/google/registry/flows/EppControllerTest.java
+++ b/core/src/test/java/google/registry/flows/EppControllerTest.java
@@ -66,7 +66,10 @@ import org.mockito.junit.MockitoRule;
@RunWith(JUnit4.class)
 public class EppControllerTest extends ShardableTestCase {

-  @Rule public AppEngineRule appEngineRule = new AppEngineRule.Builder().withDatastore().build();
+  @Rule
+  public AppEngineRule appEngineRule =
+      new AppEngineRule.Builder().withDatastoreAndCloudSql().build();
+
  @Rule public final MockitoRule mocks = MockitoJUnit.rule();

  @Mock SessionMetadata sessionMetadata;
--- a/core/src/test/java/google/registry/flows/EppLifecycleContactTest.java
+++ b/core/src/test/java/google/registry/flows/EppLifecycleContactTest.java
@@ -32,10 +32,8 @@ import org.junit.runners.JUnit4;
 public class EppLifecycleContactTest extends EppTestCase {

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .withTaskQueue()
-      .build();
+  public final AppEngineRule appEngine =
+      AppEngineRule.builder().withDatastoreAndCloudSql().withTaskQueue().build();

  @Test
  public void testContactLifecycle() throws Exception {
--- a/core/src/test/java/google/registry/flows/EppLifecycleDomainTest.java
+++ b/core/src/test/java/google/registry/flows/EppLifecycleDomainTest.java
@@ -64,7 +64,7 @@ public class EppLifecycleDomainTest extends EppTestCase {

  @Rule
  public final AppEngineRule appEngine =
-      AppEngineRule.builder().withDatastore().withTaskQueue().build();
+      AppEngineRule.builder().withDatastoreAndCloudSql().withTaskQueue().build();

  @Before
  public void initTld() {
--- a/core/src/test/java/google/registry/flows/EppLifecycleHostTest.java
+++ b/core/src/test/java/google/registry/flows/EppLifecycleHostTest.java
@@ -39,10 +39,8 @@ import org.junit.runners.JUnit4;
 public class EppLifecycleHostTest extends EppTestCase {

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .withTaskQueue()
-      .build();
+  public final AppEngineRule appEngine =
+      AppEngineRule.builder().withDatastoreAndCloudSql().withTaskQueue().build();

  @Test
  public void testLifecycle() throws Exception {
--- a/core/src/test/java/google/registry/flows/EppLifecycleLoginTest.java
+++ b/core/src/test/java/google/registry/flows/EppLifecycleLoginTest.java
@@ -30,7 +30,7 @@ public class EppLifecycleLoginTest extends EppTestCase {

  @Rule
  public final AppEngineRule appEngine =
-      AppEngineRule.builder().withDatastore().withTaskQueue().build();
+      AppEngineRule.builder().withDatastoreAndCloudSql().withTaskQueue().build();

  @Test
  public void testLoginAndLogout_recordsEppMetric() throws Exception {
--- a/core/src/test/java/google/registry/flows/EppLoggedOutTest.java
+++ b/core/src/test/java/google/registry/flows/EppLoggedOutTest.java
@@ -30,9 +30,7 @@ import org.junit.runners.JUnit4;
 public class EppLoggedOutTest extends EppTestCase {

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .build();
+  public final AppEngineRule appEngine = AppEngineRule.builder().withDatastoreAndCloudSql().build();

  @Test
  public void testHello() throws Exception {
--- a/core/src/test/java/google/registry/flows/EppLoginTlsTest.java
+++ b/core/src/test/java/google/registry/flows/EppLoginTlsTest.java
@@ -33,7 +33,8 @@ import org.junit.runners.JUnit4;
@RunWith(JUnit4.class)
 public class EppLoginTlsTest extends EppTestCase {

-  @Rule public final AppEngineRule appEngine = AppEngineRule.builder().withDatastore().build();
+  @Rule
+  public final AppEngineRule appEngine = AppEngineRule.builder().withDatastoreAndCloudSql().build();

  void setClientCertificateHash(String clientCertificateHash) {
    setTransportCredentials(
--- a/core/src/test/java/google/registry/flows/EppXxeAttackTest.java
+++ b/core/src/test/java/google/registry/flows/EppXxeAttackTest.java
@@ -26,9 +26,7 @@ import org.junit.runners.JUnit4;
 public class EppXxeAttackTest extends EppTestCase {

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .build();
+  public final AppEngineRule appEngine = AppEngineRule.builder().withDatastoreAndCloudSql().build();

  @Test
  public void testRemoteXmlExternalEntity() throws Exception {
--- a/core/src/test/java/google/registry/flows/ExtensionManagerTest.java
+++ b/core/src/test/java/google/registry/flows/ExtensionManagerTest.java
@@ -48,9 +48,7 @@ import org.junit.runners.JUnit4;
 public class ExtensionManagerTest {

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .build();
+  public final AppEngineRule appEngine = AppEngineRule.builder().withDatastoreAndCloudSql().build();

  @Test
  public void testDuplicateExtensionsForbidden() {
--- a/core/src/test/java/google/registry/flows/FlowTestCase.java
+++ b/core/src/test/java/google/registry/flows/FlowTestCase.java
@@ -83,10 +83,8 @@ public abstract class FlowTestCase<F extends Flow> extends ShardableTestCase {
  public enum UserPrivileges { NORMAL, SUPERUSER }

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .withTaskQueue()
-      .build();
+  public final AppEngineRule appEngine =
+      AppEngineRule.builder().withDatastoreAndCloudSql().withTaskQueue().build();

  @Rule
  public final InjectRule inject = new InjectRule();
--- a/core/src/test/java/google/registry/flows/TlsCredentialsTest.java
+++ b/core/src/test/java/google/registry/flows/TlsCredentialsTest.java
@@ -38,7 +38,8 @@ import org.junit.runners.JUnit4;
@RunWith(JUnit4.class)
 public final class TlsCredentialsTest extends ShardableTestCase {

-  @Rule public final AppEngineRule appEngine = AppEngineRule.builder().withDatastore().build();
+  @Rule
+  public final AppEngineRule appEngine = AppEngineRule.builder().withDatastoreAndCloudSql().build();

  @Test
  public void testProvideClientCertificateHash() {
--- a/core/src/test/java/google/registry/flows/domain/token/AllocationTokenFlowUtilsTest.java
+++ b/core/src/test/java/google/registry/flows/domain/token/AllocationTokenFlowUtilsTest.java
@@ -63,7 +63,8 @@ public class AllocationTokenFlowUtilsTest extends ShardableTestCase {
  private final AllocationTokenFlowUtils flowUtils =
      new AllocationTokenFlowUtils(new AllocationTokenCustomLogic());

-  @Rule public final AppEngineRule appEngine = AppEngineRule.builder().withDatastore().build();
+  @Rule
+  public final AppEngineRule appEngine = AppEngineRule.builder().withDatastoreAndCloudSql().build();

  @Before
  public void initTest() {
--- a/core/src/test/java/google/registry/flows/host/HostFlowUtilsTest.java
+++ b/core/src/test/java/google/registry/flows/host/HostFlowUtilsTest.java
@@ -35,7 +35,8 @@ import org.junit.runners.JUnit4;
@RunWith(JUnit4.class)
 public class HostFlowUtilsTest {

-  @Rule public final AppEngineRule appEngine = AppEngineRule.builder().withDatastore().build();
+  @Rule
+  public final AppEngineRule appEngine = AppEngineRule.builder().withDatastoreAndCloudSql().build();

  @Test
  public void test_validExternalHostName_validates() throws Exception {
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Shicong Huang	fa9400ebc5	Set postgres package back to runtime dependency (#522 )	2020-03-20 15:43:30 -04:00
gbrodman	519a85af85	Add a registryLockEmailAddress field to RegistrarConctact objects (#523 ) * Add a registryLockEmailAddress field to RegistrarConctact objects Because we need to manage the login email, it should be on an account that we manage. However, for registry lock, we would want to send the verification emails to a separate email address that the user can use. As a result, we will use a second field for a user-accessible registry lock email address. This must be set on the contact when enabling registry lock for this contact. * Responses to CR * derp	2020-03-20 14:12:00 -04:00
sarahcaseybot	b2df127dc4	Add lock dual read (#517 ) * Add lock dual read * small changes	2020-03-20 14:11:00 -04:00
gbrodman	b21042bda9	Fix the test server (#521 ) * Fix the test server This rule isn't necessary any more since we merged the SQL-starting rule into the AppEngineRule logic. Furthermore, it actually causes the test server to crash because we try to drop-and-create the DB twice, the second time while the first instance is still connected.	2020-03-19 11:05:51 -04:00
Lai Jiang	36378f6b10	Upgrade to Gradle 6.2.2 (#518 )	2020-03-18 21:38:37 -04:00
Shicong Huang	d01f1f7604	Make jpaTm for nomulus tool use local credential (#515 ) * Make jpaTm for nomulus tool use local credential * Remove unused methods in RegistryToolEnvironment * Fix order of annotations * Remove unused method in PersistenceComponent * Move the creation of credential to the module * Move creadential creation to AuthModule * Add a TODO	2020-03-17 20:16:42 -04:00
gbrodman	e9610636e4	Add a relockDuration to the RegistryLock SQL object (#514 ) * Add a relockDuration to the RegistryLock SQL object This is the length of time after an unlock that we will re-lock the domain in question. * Sort by domain name for stability Note: this is likely not the best solution for the UI but we can iterate on this. * Add nullable * Add a converter for Duration	2020-03-16 17:44:25 -04:00
gbrodman	d09fc7ee05	Match logged-in GAE user ID with registrar POC user ID (#511 ) * Match logged-in GAE user ID with registrar POC user ID The reasoning for this is thus: We wish to have the users log in using Google-managed addresses--this is so that we can manage enforcement of things like 2FA, as well as generic account management. However, we wish for the registry-lock confirmation emails to go to their standard non-Google email addresses--e.g. johndoe@theregistrar.com, rather than johndoe@registry.google. As a result, for registry lock, we will enable it on the johndoe@registry.google account, but we will alter the email address of the corresponding Registrar POC account to contain johndoe@theregistrar.com. By doing this, the user will still be logging in using the @registry.google account but we'll match to their actual contact email. * fix up comments and messages * Error if >1 matching contact * include email addresses * set default optional * fix tests	2020-03-16 11:38:05 -04:00
Shicong Huang	0545375eba	Change cloud sql SDK to compile level dependency (#516 )	2020-03-16 10:24:19 -04:00
Michael Muller	8a045aedd0	Disambiguate naming of VKey.create() overloads (#513 ) * Disambiguate naming of VKey.create() overloads It was discovered in the course of trying to convert the larger codebase to VKey.create() calls that method overloading isn't a very effective discriminator in cases where "Object" is one of the distinguishing argument types:-) Convert the two specialized create() methods to createOfy() and createSql() so that (at least in the former case) we'll get a compile-time error if we aim to create a VKey for an Ofy key from an object of the incorrect type.	2020-03-12 16:13:12 -04:00
gbrodman	560bec1e83	Add a RelockDomainAction for future auto-relocks (#485 ) * Add a RelockAction and reference to relocks in RegistryLocks * Respond to CR - refactor the request param exception logging a bit - don't log an error if the domain was already locked, just skip * Save a relock for all locks (if possible) * derp * Long -> long + remove unnecessary transact * semantic merge conflict woo * fix another semantic merge conflict	2020-03-12 16:02:27 -04:00
Lai Jiang	3e7ea75b6f	Use cs.opensource.google for code search (#512 ) * Use cs.opensource.google for code search * Change logo size * Make texts in the table center-aligned	2020-03-12 14:06:04 -04:00
Weimin Yu	6ed7e00b00	Update SqlIntegrationTestSuite (#510 ) * Update SqlIntegrationTestSuite Edited Javadoc to emphasize that suite members should be DAO tests. Removed functional tests from the suite. They do not benefit much from running against different schemas when the entities they use are already covered by DAO tests. Added DomainBaseSqlTest to the suite, which tests DomainBase.	2020-03-11 14:11:53 -04:00
Michael Muller	6e1231233e	Create a nom_build wrapper script (#508 ) * Create a nom_build wrapper script nom_build is a wrapper around ./gradlew. It's purpose is to help us deal with properties. The main problem that it is trying to solve is that when properties are specified using -P, we don't get an error if the property we specify isn't correct. As a result, a user or a build agent can launch a build with unintended parameters. nom_build consolidates all of the properties that we define into a python script where the properties are translated to flags (actual gradlew flags are also proxied). It also generates the property file and warns the user if the current properties file is out of sync with the script and includes documentation on each of the properties.	2020-03-10 16:32:14 -04:00
Shicong Huang	3098048fdb	Enable Cloud SQL when Datastore is enabled for unit test (#502 ) * Enable Cloud SQL when Datastore is enabled for unit test * Add explanation for why add a ETA field in GenerateEscrowDepositCommand * Fix line length * Ignore membershipt test but bring back test suite * Fix tiny issue	2020-03-10 12:26:25 -04:00
gbrodman	f2846fc914	Gray out the password field for admins (#506 ) * Gray out the password field for admins We don't check it for admins since it's not necessary, so ignore it * Remove the field entirely	2020-03-10 11:30:20 -04:00
gbrodman	499237ac57	Listen to the user hitting enter in the lock/unlock modal input fields (#505 ) * Listen to the user hitting enter in the lock/unlock modal input fields Listen to both, just in case one or the other is disabled * Don't require that the element exist	2020-03-10 11:22:57 -04:00
Weimin Yu	6bd50421bc	Fix broken builds when Maven Central is used (#509 ) * Fix broken builds when Maven Central is used Gradle 6.2.1 apparently introduces a behavior change wrt boolean expression: empty string used to eval to false, but now evals to true. Pre Gradle 6.2.1, root project's Gradle properties apparently were not set to buildSrc. Now they are passed on to buildSrc -- mavenUrl in buildSrc changes from null to "". Both changes break the project when mavenUrl and/or pluginsUrl are not set on command line. Also added junit.jupiter-api as testCompile dependencies to projects. This is a directly used dependency, whose absence causes a Lint warning.	2020-03-10 11:21:03 -04:00
sarahcaseybot	dbdd2b4491	Add Lock dual write (#496 ) * Add Lock dual write * wrap calls in DB transaction	2020-03-09 11:13:46 -04:00
gbrodman	f83f8f92a3	Show locks in the case where you have an expired unlock request (#507 ) * Show locks in the case where you have an expired unlock request	2020-03-06 22:00:42 -05:00
gbrodman	28d3af0ee9	Change the wording on the lock-not-enabled page (#504 ) * Change the wording on the lock-not-enabled page * fix the screenshot	2020-03-06 16:15:11 -05:00
Lai Jiang	08a6a333ad	Upgrade to Gradle 6.2.1 (#501 )	2020-03-05 18:47:25 -05:00
Shicong Huang	adafab60c4	Add common CRUD operations to TransactionManager (#487 ) * Add BasicDao * Refactor RegistrarDao to extend BasicDao * Introduce VKey and rewrite BasicDao * Move CRUD methods to TransactionManager * Refactor code to simplify the way to get id from entity and sqlKey * Assert in transaction * Fix broken test * Change methods name	2020-03-05 14:03:03 -05:00