Resolve warnings in the Hibernate log (#542 )

Auto-apply JPA converters for map type (#520 )
* Add map converter * Delete old map usertype * Refactor bind * Change to use map entry * Use Map.Entry
2026-05-26 01:30:36 +00:00 · 2020-04-03 18:04:55 -04:00 · 2020-04-03 10:47:42 -04:00 · 2020-04-02 16:43:08 -04:00 · 2020-04-02 15:18:29 -04:00 · 2020-03-31 17:57:18 -04:00
399 changed files with 5956 additions and 3329 deletions
--- a/README.md
+++ b/README.md
@@ -1,8 +1,8 @@
 # Nomulus

 | Internal Build | FOSS Build | LGTM | License | Code Search |
-|----------------|------------|------|---------|-------------|
-|[![Build Status for Google Registry internal build](https://storage.googleapis.com/domain-registry-kokoro/internal/build.svg)](https://storage.googleapis.com/domain-registry-kokoro/internal/index.html)|[![Build Status for the open source build](https://storage.googleapis.com/domain-registry-kokoro/foss/build.svg)](https://storage.googleapis.com/domain-registry-kokoro/foss/index.html)|[![Total alerts](https://img.shields.io/lgtm/alerts/g/google/nomulus.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/google/nomulus/alerts/)|[![License for this repo](https://img.shields.io/github/license/google/nomulus.svg)](https://github.com/google/nomulus/blob/master/LICENSE)|[![Link to Source Graph](https://sourcegraph.com/.assets/img/sourcegraph-light-head-logo.svg)](https://sourcegraph.com/github.com/google/nomulus)|
+|:--------------:|:----------:|:----:|:-------:|:-----------:|
+|[![Build Status for Google Registry internal build](https://storage.googleapis.com/domain-registry-kokoro/internal/build.svg)](https://storage.googleapis.com/domain-registry-kokoro/internal/index.html)|[![Build Status for the open source build](https://storage.googleapis.com/domain-registry-kokoro/foss/build.svg)](https://storage.googleapis.com/domain-registry-kokoro/foss/index.html)|[![Total alerts](https://img.shields.io/lgtm/alerts/g/google/nomulus.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/google/nomulus/alerts/)|[![License for this repo](https://img.shields.io/github/license/google/nomulus.svg)](https://github.com/google/nomulus/blob/master/LICENSE)|[![Link to Code Search](https://www.gstatic.com/devopsconsole/images/oss/favicons/oss-32x32.png)](https://cs.opensource.google/nomulus/nomulus)|

 ![Nomulus logo](./nomulus-logo.png)

--- a/build.gradle
+++ b/build.gradle
@@ -169,10 +169,10 @@ allprojects {
  if (project.name == 'services') return

  repositories {
-    if (rootProject.mavenUrl) {
+    if (!mavenUrl.isEmpty()) {
      maven {
-        println "Java dependencies: Using repo $pluginsUrl..."
-        url rootProject.mavenUrl
+        println "Java dependencies: Using repo ${mavenUrl}..."
+        url mavenUrl
      }
    } else {
      println "Java dependencies: Using Maven Central..."
--- a/buildSrc/build.gradle
+++ b/buildSrc/build.gradle
@@ -12,6 +12,8 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

+import static com.google.common.base.Strings.isNullOrEmpty;
+
 buildscript {
  if (project.enableDependencyLocking.toBoolean()) {
    // Lock buildscript dependencies.
@@ -40,13 +42,13 @@ if (rootProject.enableDependencyLocking.toBoolean()) {
 }

 repositories {
-  if (project.ext.properties.mavenUrl == null) {
-    println "Plugin dependencies: Using Maven central..."
+  if (isNullOrEmpty(project.ext.properties.mavenUrl)) {
+    println "Java dependencies: Using Maven central..."
    mavenCentral()
    google()
  } else {
    maven {
-      println "Plugin dependencies: Using repo ${mavenUrl}..."
+      println "Java dependencies: Using repo ${mavenUrl}..."
      url mavenUrl
    }
  }
@@ -82,6 +84,7 @@ dependencies {
  testCompile deps['com.google.truth:truth']
  testCompile deps['com.google.truth.extensions:truth-java8-extension']
  testCompile deps['junit:junit']
+  testCompile deps['org.junit.jupiter:junit-jupiter-api']
  testCompile deps['org.junit.jupiter:junit-jupiter-engine']
  testCompile deps['org.junit.vintage:junit-vintage-engine']
  testCompile deps['org.mockito:mockito-core']
--- a/common/build.gradle
+++ b/common/build.gradle
@@ -62,6 +62,7 @@ dependencies {
  testingCompile deps['io.github.java-diff-utils:java-diff-utils']

  testCompile deps['junit:junit']
+  testCompile deps['org.junit.jupiter:junit-jupiter-api']
  testCompile deps['org.junit.jupiter:junit-jupiter-engine']
  testCompile deps['org.junit.vintage:junit-vintage-engine']
 }
--- a/config/nom_build.py
+++ b/config/nom_build.py
@@ -0,0 +1,327 @@
+# Copyright 2020 The Nomulus Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Script to generate dr-build and the properties file.
+"""
+
+import argparse
+import attr
+import io
+import os
+import subprocess
+import sys
+from typing import List, Union
+
+
+@attr.s(auto_attribs=True)
+class Property:
+    name : str = ''
+    desc : str = ''
+    default : str = ''
+    constraints : type = str
+
+    def validate(self, value: str):
+        """Verify that "value" is appropriate for the property."""
+        if type is bool:
+            if value not in ('true', 'false'):
+                raise ValidationError('value of {self.name} must be "true" or '
+                                      '"false".')
+
+@attr.s(auto_attribs=True)
+class GradleFlag:
+    flags : Union[str, List[str]]
+    desc : str
+    has_arg : bool = False
+
+
+PROPERTIES_HEADER = """\
+# This file defines properties used by the gradle build.  It must be kept in
+# sync with config/nom_build.py.
+#
+# To regenerate, run config/nom_build.py --generate-gradle-properties
+#
+# To view property descriptions (which are command line flags for
+# nom_build), run config/nom_build.py --help.
+#
+# DO NOT EDIT THIS FILE BY HAND
+org.gradle.jvmargs=-Xmx1024m
+"""
+
+# Define all of our special gradle properties here.
+PROPERTIES = [
+    Property('mavenUrl',
+             'URL to use for the main maven repository (defaults to maven '
+             'central).  This can be http(s) or a "gcs" repo.'),
+    Property('pluginsUrl',
+             'URL to use for the gradle plugins repository (defaults to maven '
+             'central, see also mavenUrl'),
+    Property('uploaderDestination',
+             'Location to upload test reports to.  Normally this should be a '
+             'GCS url (see also uploaderCredentialsFile)'),
+    Property('uploaderCredentialsFile',
+             'json credentials file to use to upload test reports.'),
+    Property('uploaderMultithreadedUpload',
+             'Whether to enable multithread upload.'),
+    Property('verboseTestOutput',
+             'If true, show all test output in near-realtime.',
+             'false',
+             bool),
+    Property('flowDocsFile',
+             'Output filename for the flowDocsTool command.'),
+    Property('enableDependencyLocking',
+             'Enables dependency locking.',
+             'true',
+             bool),
+    Property('enableCrossReferencing',
+             'generate metadata during java compile (used for kythe source '
+             'reference generation).',
+             'false'),
+    Property('testFilter',
+             'Comma separated list of test patterns, if specified run only '
+             'these.'),
+    Property('environment', 'GAE Environment for deployment and staging.'),
+
+    # Cloud SQL properties
+    Property('dbServer',
+             'A registry environment name (e.g., "alpha") or a host[:port] '
+             'string'),
+    Property('dbName',
+             'Database name to use in connection.',
+             'postgres'),
+    Property('dbUser', 'Database user name for use in connection'),
+    Property('dbPassword', 'Database password for use in connection'),
+
+    Property('publish_repo',
+             'Maven repository that hosts the Cloud SQL schema jar and the '
+             'registry server test jars. Such jars are needed for '
+             'server/schema integration tests. Please refer to <a '
+             'href="./integration/README.md">integration project</a> for more '
+             'information.'),
+    Property('schema_version',
+             'The nomulus version tag of the schema for use in a database'
+             'integration test.'),
+    Property('nomulus_version',
+             'The version of nomulus to test against in a database '
+             'integration test.'),
+]
+
+GRADLE_FLAGS = [
+    GradleFlag(['-a', '--no-rebuild'],
+               'Do not rebuild project dependencies.'),
+    GradleFlag(['-b', '--build-file'], 'Specify the build file.', True),
+    GradleFlag(['--build-cache'],
+               'Enables the Gradle build cache. Gradle will try to reuse '
+               'outputs from previous builds.'),
+    GradleFlag(['-c', '--settings-file'], 'Specify the settings file.', True),
+    GradleFlag(['--configure-on-demand'],
+               'Configure necessary projects only. Gradle will attempt to '
+               'reduce configuration time for large multi-project builds. '
+               '[incubating]'),
+    GradleFlag(['--console'],
+               'Specifies which type of console output to generate. Values '
+               "are 'plain', 'auto' (default), 'rich' or 'verbose'.",
+               True),
+    GradleFlag(['--continue'], 'Continue task execution after a task failure.'),
+    GradleFlag(['-D', '--system-prop'],
+               'Set system property of the JVM (e.g. -Dmyprop=myvalue).',
+               True),
+    GradleFlag(['-d', '--debug'],
+               'Log in debug mode (includes normal stacktrace).'),
+    GradleFlag(['--daemon'],
+               'Uses the Gradle Daemon to run the build. Starts the Daemon '
+               'if not running.'),
+    GradleFlag(['--foreground'], 'Starts the Gradle Daemon in the foreground.'),
+    GradleFlag(['-g', '--gradle-user-home'],
+               'Specifies the gradle user home directory.',
+               True),
+    GradleFlag(['-I', '--init-script'], 'Specify an initialization script.',
+               True),
+    GradleFlag(['-i', '--info'], 'Set log level to info.'),
+    GradleFlag(['--include-build'],
+               'Include the specified build in the composite.',
+               True),
+    GradleFlag(['-m', '--dry-run'],
+               'Run the builds with all task actions disabled.'),
+    GradleFlag(['--max-workers'],
+               'Configure the number of concurrent workers Gradle is '
+               'allowed to use.',
+               True),
+    GradleFlag(['--no-build-cache'], 'Disables the Gradle build cache.'),
+    GradleFlag(['--no-configure-on-demand'],
+               'Disables the use of configuration on demand. [incubating]'),
+    GradleFlag(['--no-daemon'],
+               'Do not use the Gradle daemon to run the build. Useful '
+               'occasionally if you have configured Gradle to always run '
+               'with the daemon by default.'),
+    GradleFlag(['--no-parallel'],
+               'Disables parallel execution to build projects.'),
+    GradleFlag(['--no-scan'],
+               'Disables the creation of a build scan. For more information '
+               'about build scans, please visit '
+               'https://gradle.com/build-scans.'),
+    GradleFlag(['--offline'],
+               'Execute the build without accessing network resources.'),
+    GradleFlag(['-P', '--project-prop'],
+               'Set project property for the build script (e.g. '
+               '-Pmyprop=myvalue).',
+               True),
+    GradleFlag(['-p', '--project-dir'],
+               'Specifies the start directory for Gradle. Defaults to '
+               'current directory.'),
+    GradleFlag(['--parallel'],
+               'Build projects in parallel. Gradle will attempt to '
+               'determine the optimal number of executor threads to use.'),
+    GradleFlag(['--priority'],
+               'Specifies the scheduling priority for the Gradle daemon and '
+               "all processes launched by it. Values are 'normal' (default) "
+               "or 'low' [incubating]",
+               True),
+    GradleFlag(['--profile'],
+               'Profile build execution time and generates a report in the '
+               '<build_dir>/reports/profile directory.'),
+    GradleFlag(['--project-cache-dir'],
+               'Specify the project-specific cache directory. Defaults to '
+               '.gradle in the root project directory.',
+               True),
+    GradleFlag(['-q', '--quiet'], 'Log errors only.'),
+    GradleFlag(['--refresh-dependencies'], 'Refresh the state of dependencies.'),
+    GradleFlag(['--rerun-tasks'], 'Ignore previously cached task results.'),
+    GradleFlag(['-S', '--full-stacktrace'],
+               'Print out the full (very verbose) stacktrace for all '
+               'exceptions.'),
+    GradleFlag(['-s', '--stacktrace'],
+               'Print out the stacktrace for all exceptions.'),
+    GradleFlag(['--scan'],
+               'Creates a build scan. Gradle will emit a warning if the '
+               'build scan plugin has not been applied. '
+               '(https://gradle.com/build-scans)'),
+    GradleFlag(['--status'],
+               'Shows status of running and recently stopped Gradle '
+               'Daemon(s).'),
+    GradleFlag(['--stop'], 'Stops the Gradle Daemon if it is running.'),
+    GradleFlag(['-t', '--continuous'],
+               'Enables continuous build. Gradle does not exit and will '
+               're-execute tasks when task file inputs change.'),
+    GradleFlag(['--update-locks'],
+               'Perform a partial update of the dependency lock, letting '
+               'passed in module notations change version. [incubating]'),
+    GradleFlag(['-v', '--version'], 'Print version info.'),
+    GradleFlag(['-w', '--warn'], 'Set log level to warn.'),
+    GradleFlag(['--warning-mode'],
+               'Specifies which mode of warnings to generate. Values are '
+               "'all', 'fail', 'summary'(default) or 'none'",
+               True),
+    GradleFlag(['--write-locks'],
+               'Persists dependency resolution for locked configurations, '
+               'ignoring existing locking information if it exists '
+               '[incubating]'),
+    GradleFlag(['-x', '--exclude-task'],
+               'Specify a task to be excluded from execution.',
+               True),
+]
+def generate_gradle_properties() -> str:
+    """Returns the expected contents of gradle.properties."""
+    out = io.StringIO()
+    out.write(PROPERTIES_HEADER)
+
+    for prop in PROPERTIES:
+        out.write(f'{prop.name}={prop.default}\n')
+
+    return out.getvalue()
+
+
+def get_root() -> str:
+    """Returns the root of the nomulus build tree."""
+    cur_dir = os.getcwd()
+    if not os.path.exists(os.path.join(cur_dir, '.git')) or \
+       not os.path.exists(os.path.join(cur_dir, 'core')) or \
+       not os.path.exists(os.path.join(cur_dir, 'gradle.properties')):
+        raise Exception('You must run this script from the root directory')
+    return cur_dir
+
+
+def main(args):
+    parser = argparse.ArgumentParser('nom_build')
+    for prop in PROPERTIES:
+        parser.add_argument('--' + prop.name, default=prop.default,
+                            help=prop.desc)
+
+    # Add Gradle flags.  We set 'dest' to the first flag to get a name that is
+    # predictable for getattr (even though it will have a leading '-' and thus
+    # we can't use normal python attribute syntax to get it).
+    for flag in GRADLE_FLAGS:
+        if flag.has_arg:
+            parser.add_argument(*flag.flags, dest=flag.flags[0],
+                                help=flag.desc)
+        else:
+            parser.add_argument(*flag.flags, dest=flag.flags[0],
+                                help=flag.desc,
+                                action='store_true')
+
+    # Add a flag to regenerate the gradle properties file.
+    parser.add_argument('--generate-gradle-properties',
+                        help='Regenerate the gradle.properties file.  This '
+                        'file must be regenerated when changes are made to '
+                        'config/nom_build.py, and should not be updated by '
+                        'hand.',
+                        action='store_true')
+
+    # Consume the remaining non-flag arguments.
+    parser.add_argument('non_flag_args', nargs='*')
+
+    # Parse command line arguments. Note that this exits the program and
+    # prints usage if either of the help options (-h, --help) are specified.
+    args = parser.parse_args(args)
+
+    gradle_properties = generate_gradle_properties()
+    root = get_root()
+
+    # If we're regenerating properties, do so and exit.
+    if args.generate_gradle_properties:
+        with open(f'{root}/gradle.properties', 'w') as dst:
+            dst.write(gradle_properties)
+        return
+
+    # Verify that the gradle properties file is what we expect it to be.
+    with open(f'{root}/gradle.properties') as src:
+        if src.read() != gradle_properties:
+            print('\033[33mWARNING:\033[0m Gradle properties out of sync '
+                  'with nom_build.  Run with --generate-gradle-properties '
+                  'to regenerate.')
+
+    # Add properties to the gradle argument list.
+    gradle_command = [f'{root}/gradlew']
+    for prop in PROPERTIES:
+        arg_val = getattr(args, prop.name)
+        if arg_val != prop.default:
+            prop.validate(arg_val)
+            gradle_command.extend(['-P', f'{prop.name}={arg_val}'])
+
+    # Add Gradle flags to the gradle argument list.
+    for flag in GRADLE_FLAGS:
+        arg_val = getattr(args, flag.flags[0])
+        if arg_val:
+            gradle_command.append(flag.flags[-1])
+            if flag.has_arg:
+                gradle_command.append(arg_val)
+
+    # Add the non-flag args (we exclude the first, which is the command name
+    # itself) and run.
+    gradle_command.extend(args.non_flag_args[1:])
+    subprocess.call(gradle_command)
+
+
+if __name__ == '__main__':
+    main(sys.argv)
+
--- a/config/nom_build_test.py
+++ b/config/nom_build_test.py
@@ -0,0 +1,109 @@
+# Copyright 2020 The Nomulus Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import io
+import os
+import unittest
+from unittest import mock
+import nom_build
+import subprocess
+
+FAKE_PROPERTIES = [
+    nom_build.Property('foo', 'help text'),
+    nom_build.Property('bar', 'more text', 'true', bool),
+]
+
+FAKE_PROP_CONTENTS = nom_build.PROPERTIES_HEADER + 'foo=\nbar=true\n'
+PROPERTIES_FILENAME = '/tmp/rootdir/gradle.properties'
+GRADLEW = '/tmp/rootdir/gradlew'
+
+
+class FileFake(io.StringIO):
+    """File fake that writes file contents to the dictionary on close."""
+    def __init__(self, contents_dict, filename):
+        self.dict = contents_dict
+        self.filename = filename
+        super(FileFake, self).__init__()
+
+    def close(self):
+        self.dict[self.filename] = self.getvalue()
+        super(FileFake, self).close()
+
+
+class MyTest(unittest.TestCase):
+
+    def open_fake(self, filename, action='r'):
+        if action == 'r':
+            return io.StringIO(self.file_contents.get(filename, ''))
+        elif action == 'w':
+            result = self.file_contents[filename] = (
+                FileFake(self.file_contents, filename))
+            return result
+        else:
+            raise Exception(f'Unexpected action {action}')
+
+    def print_fake(self, data):
+        self.printed.append(data)
+
+    def setUp(self):
+        self.addCleanup(mock.patch.stopall)
+        self.exists_mock = mock.patch.object(os.path, 'exists').start()
+        self.getcwd_mock = mock.patch.object(os, 'getcwd').start()
+        self.getcwd_mock.return_value = '/tmp/rootdir'
+        self.open_mock = (
+            mock.patch.object(nom_build, 'open', self.open_fake).start())
+        self.print_mock = (
+            mock.patch.object(nom_build, 'print', self.print_fake).start())
+
+        self.call_mock = mock.patch.object(subprocess, 'call').start()
+
+        self.file_contents = {
+            # Prefil with the actual file contents.
+            PROPERTIES_FILENAME: nom_build.generate_gradle_properties()
+        }
+        self.printed = []
+
+    @mock.patch.object(nom_build, 'PROPERTIES', FAKE_PROPERTIES)
+    def test_property_generation(self):
+        self.assertEqual(nom_build.generate_gradle_properties(),
+                         FAKE_PROP_CONTENTS)
+
+    @mock.patch.object(nom_build, 'PROPERTIES', FAKE_PROPERTIES)
+    def test_property_file_write(self):
+        nom_build.main(['nom_build', '--generate-gradle-properties'])
+        self.assertEqual(self.file_contents[PROPERTIES_FILENAME],
+                         FAKE_PROP_CONTENTS)
+
+    def test_property_file_incorrect(self):
+        self.file_contents[PROPERTIES_FILENAME] = 'bad contents'
+        nom_build.main(['nom_build'])
+        self.assertIn('', self.printed[0])
+
+    def test_no_args(self):
+        nom_build.main(['nom_build'])
+        self.assertEqual(self.printed, [])
+        self.call_mock.assert_called_with([GRADLEW])
+
+    def test_property_calls(self):
+        nom_build.main(['nom_build', '--testFilter=foo'])
+        self.call_mock.assert_called_with([GRADLEW, '-P', 'testFilter=foo'])
+
+    def test_gradle_flags(self):
+        nom_build.main(['nom_build', '-d', '-b', 'foo'])
+        self.call_mock.assert_called_with([GRADLEW, '--build-file', 'foo',
+                                          '--debug'])
+
+unittest.main()
+
+
--- a/core/WEB-INF/appengine-generated/local_db.bin
+++ b/core/WEB-INF/appengine-generated/local_db.bin
--- a/core/build.gradle
+++ b/core/build.gradle
@@ -177,6 +177,8 @@ dependencies {

  compile deps['com.beust:jcommander']
  compile deps['com.google.api-client:google-api-client']
+  compile deps['com.google.api-client:google-api-client-appengine']
+  compile deps['com.google.api-client:google-api-client-servlet']
  compile deps['com.google.monitoring-client:metrics']
  compile deps['com.google.monitoring-client:stackdriver']
  compile deps['com.google.api-client:google-api-client-java6']
@@ -197,6 +199,7 @@ dependencies {
  compile deps['com.google.appengine:appengine-remote-api']
  compile deps['com.google.auth:google-auth-library-credentials']
  compile deps['com.google.auth:google-auth-library-oauth2-http']
+  compile deps['com.google.cloud.sql:jdbc-socket-factory-core']
  runtimeOnly deps['com.google.cloud.sql:postgres-socket-factory']
  compile deps['com.google.code.gson:gson']
  compile deps['com.google.auto.value:auto-value-annotations']
@@ -215,6 +218,8 @@ dependencies {
  compile deps['com.google.oauth-client:google-oauth-client']
  compile deps['com.google.oauth-client:google-oauth-client-java6']
  compile deps['com.google.oauth-client:google-oauth-client-jetty']
+  compile deps['com.google.oauth-client:google-oauth-client-appengine']
+  compile deps['com.google.oauth-client:google-oauth-client-servlet']
  compile deps['com.google.re2j:re2j']
  compile deps['com.google.template:soy']
  compile deps['com.googlecode.json-simple:json-simple']
@@ -261,6 +266,7 @@ dependencies {
  testCompile deps['org.seleniumhq.selenium:selenium-chrome-driver']
  testCompile deps['org.seleniumhq.selenium:selenium-java']
  testCompile deps['org.seleniumhq.selenium:selenium-remote-driver']
+  runtimeOnly deps['org.slf4j:slf4j-jdk14']
  testCompile deps['org.testcontainers:jdbc']
  compile deps['org.testcontainers:postgresql']
  testCompile deps['org.testcontainers:selenium']
@@ -300,7 +306,9 @@ dependencies {
  testCompile deps['org.hamcrest:hamcrest-library']
  compile deps['org.hibernate:hibernate-hikaricp']
  testCompile deps['junit:junit']
+  testCompile deps['org.junit.jupiter:junit-jupiter-api']
  testCompile deps['org.junit.jupiter:junit-jupiter-engine']
+  testCompile deps['org.junit.jupiter:junit-jupiter-migrationsupport']
  testCompile deps['org.junit.vintage:junit-vintage-engine']
  testCompile deps['org.mockito:mockito-core']
  runtime deps['org.postgresql:postgresql']
@@ -869,7 +877,8 @@ test {
  // Don't run any tests from this task, all testing gets done in the
  // FilteringTest tasks.
  exclude "**"
-}.dependsOn(fragileTest, outcastTest, standardTest, registryToolIntegrationTest)
+  // TODO(weiminyu): Remove dependency on sqlIntegrationTest
+}.dependsOn(fragileTest, outcastTest, standardTest, registryToolIntegrationTest, sqlIntegrationTest)

 createUberJar('nomulus', 'nomulus', 'google.registry.tools.RegistryTool')

--- a/core/gradle/dependency-locks/compile.lockfile
+++ b/core/gradle/dependency-locks/compile.lockfile
@@ -1,20 +1,29 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
+androidx.annotation:annotation:1.1.0
 antlr:antlr:2.7.7
 aopalliance:aopalliance:1.0
 args4j:args4j:2.0.23
 cglib:cglib-nodep:2.2
 com.beust:jcommander:1.60
 com.fasterxml.jackson.core:jackson-annotations:2.9.10
-com.fasterxml.jackson.core:jackson-core:2.9.10
+com.fasterxml.jackson.core:jackson-core:2.10.2
 com.fasterxml.jackson.core:jackson-databind:2.9.10
 com.fasterxml:classmate:1.3.4
-com.google.api-client:google-api-client-appengine:1.29.0
+com.github.jnr:jffi:1.2.17
+com.github.jnr:jnr-a64asm:1.0.0
+com.github.jnr:jnr-constants:0.9.11
+com.github.jnr:jnr-enxio:0.19
+com.github.jnr:jnr-ffi:2.1.9
+com.github.jnr:jnr-posix:3.0.47
+com.github.jnr:jnr-unixsocket:0.21
+com.github.jnr:jnr-x86asm:1.0.2
+com.google.api-client:google-api-client-appengine:1.30.8
 com.google.api-client:google-api-client-jackson2:1.27.0
 com.google.api-client:google-api-client-java6:1.27.0
-com.google.api-client:google-api-client-servlet:1.29.0
-com.google.api-client:google-api-client:1.29.2
+com.google.api-client:google-api-client-servlet:1.30.8
+com.google.api-client:google-api-client:1.30.8
 com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.44.0
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:0.38.0
 com.google.api.grpc:grpc-google-cloud-bigtable-v2:0.38.0
@@ -50,6 +59,7 @@ com.google.apis:google-api-services-groupssettings:v1-rev60-1.22.0
 com.google.apis:google-api-services-monitoring:v3-rev426-1.23.0
 com.google.apis:google-api-services-pubsub:v1-rev20181105-1.27.0
 com.google.apis:google-api-services-sheets:v4-rev483-1.22.0
+com.google.apis:google-api-services-sqladmin:v1beta4-rev56-1.23.0
 com.google.apis:google-api-services-storage:v1-rev20181109-1.27.0
 com.google.appengine.tools:appengine-gcs-client:0.6
 com.google.appengine.tools:appengine-mapreduce:0.9
@@ -65,6 +75,7 @@ com.google.cloud.bigdataoss:gcsio:1.9.16
 com.google.cloud.bigdataoss:util:1.9.16
 com.google.cloud.bigtable:bigtable-client-core:1.8.0
 com.google.cloud.datastore:datastore-v1-proto-client:1.6.0
+com.google.cloud.sql:jdbc-socket-factory-core:1.0.12
 com.google.cloud:google-cloud-bigquerystorage:0.79.0-alpha
 com.google.cloud:google-cloud-bigtable-admin:0.73.0-alpha
 com.google.cloud:google-cloud-bigtable:0.73.0-alpha
@@ -84,22 +95,22 @@ com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:28.2-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.gwt:gwt-user:2.8.2
-com.google.http-client:google-http-client-appengine:1.29.2
-com.google.http-client:google-http-client-jackson2:1.30.1
+com.google.http-client:google-http-client-appengine:1.34.1
+com.google.http-client:google-http-client-jackson2:1.34.1
 com.google.http-client:google-http-client-jackson:1.20.0
 com.google.http-client:google-http-client-protobuf:1.20.0
-com.google.http-client:google-http-client:1.30.1
+com.google.http-client:google-http-client:1.34.1
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
 com.google.jsinterop:jsinterop-annotations:1.0.2
 com.google.monitoring-client:metrics:1.0.7
 com.google.monitoring-client:stackdriver:1.0.7
-com.google.oauth-client:google-oauth-client-appengine:1.29.0
+com.google.oauth-client:google-oauth-client-appengine:1.30.5
 com.google.oauth-client:google-oauth-client-java6:1.28.0
 com.google.oauth-client:google-oauth-client-jetty:1.28.0
-com.google.oauth-client:google-oauth-client-servlet:1.29.0
-com.google.oauth-client:google-oauth-client:1.29.2
+com.google.oauth-client:google-oauth-client-servlet:1.30.5
+com.google.oauth-client:google-oauth-client:1.30.5
 com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5
 com.google.protobuf:protobuf-java-util:3.6.1
 com.google.protobuf:protobuf-java:3.6.1
@@ -124,7 +135,7 @@ io.dropwizard.metrics:metrics-core:3.1.2
 io.grpc:grpc-all:1.17.1
 io.grpc:grpc-alts:1.17.1
 io.grpc:grpc-auth:1.17.1
-io.grpc:grpc-context:1.19.0
+io.grpc:grpc-context:1.22.1
 io.grpc:grpc-core:1.17.1
 io.grpc:grpc-grpclb:1.17.1
 io.grpc:grpc-netty-shaded:1.17.1
@@ -146,10 +157,10 @@ io.netty:netty-handler:4.1.30.Final
 io.netty:netty-resolver:4.1.30.Final
 io.netty:netty-tcnative-boringssl-static:2.0.17.Final
 io.netty:netty-transport:4.1.30.Final
-io.opencensus:opencensus-api:0.21.0
+io.opencensus:opencensus-api:0.24.0
 io.opencensus:opencensus-contrib-grpc-metrics:0.17.0
 io.opencensus:opencensus-contrib-grpc-util:0.17.0
-io.opencensus:opencensus-contrib-http-util:0.21.0
+io.opencensus:opencensus-contrib-http-util:0.24.0
 it.unimi.dsi:fastutil:6.5.16
 javax.activation:activation:1.1
 javax.activation:javax.activation-api:1.2.0
@@ -183,8 +194,8 @@ org.apache.beam:beam-vendor-grpc-1_21_0:0.1
 org.apache.beam:beam-vendor-guava-26_0-jre:0.1
 org.apache.commons:commons-compress:1.19
 org.apache.commons:commons-lang3:3.5
-org.apache.httpcomponents:httpclient:4.5.8
-org.apache.httpcomponents:httpcore:4.4.11
+org.apache.httpcomponents:httpclient:4.5.11
+org.apache.httpcomponents:httpcore:4.4.13
 org.bouncycastle:bcpg-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.10.0
@@ -212,11 +223,11 @@ org.mockito:mockito-core:1.9.5
 org.mortbay.jetty:jetty-util:6.1.26
 org.mortbay.jetty:jetty:6.1.26
 org.objenesis:objenesis:1.2
-org.ow2.asm:asm-analysis:6.0
+org.ow2.asm:asm-analysis:7.0
 org.ow2.asm:asm-commons:6.0
-org.ow2.asm:asm-tree:6.0
-org.ow2.asm:asm-util:6.0
-org.ow2.asm:asm:6.0
+org.ow2.asm:asm-tree:7.0
+org.ow2.asm:asm-util:7.0
+org.ow2.asm:asm:7.0
 org.rnorth.duct-tape:duct-tape:1.0.8
 org.rnorth.visible-assertions:visible-assertions:2.1.2
 org.rnorth:tcp-unix-socket-proxy:1.0.2
--- a/core/gradle/dependency-locks/compileClasspath.lockfile
+++ b/core/gradle/dependency-locks/compileClasspath.lockfile
@@ -1,20 +1,29 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
+androidx.annotation:annotation:1.1.0
 antlr:antlr:2.7.7
 aopalliance:aopalliance:1.0
 args4j:args4j:2.0.23
 cglib:cglib-nodep:2.2
 com.beust:jcommander:1.60
 com.fasterxml.jackson.core:jackson-annotations:2.9.10
-com.fasterxml.jackson.core:jackson-core:2.9.10
+com.fasterxml.jackson.core:jackson-core:2.10.2
 com.fasterxml.jackson.core:jackson-databind:2.9.10
 com.fasterxml:classmate:1.3.4
-com.google.api-client:google-api-client-appengine:1.29.0
+com.github.jnr:jffi:1.2.17
+com.github.jnr:jnr-a64asm:1.0.0
+com.github.jnr:jnr-constants:0.9.11
+com.github.jnr:jnr-enxio:0.19
+com.github.jnr:jnr-ffi:2.1.9
+com.github.jnr:jnr-posix:3.0.47
+com.github.jnr:jnr-unixsocket:0.21
+com.github.jnr:jnr-x86asm:1.0.2
+com.google.api-client:google-api-client-appengine:1.30.8
 com.google.api-client:google-api-client-jackson2:1.27.0
 com.google.api-client:google-api-client-java6:1.27.0
-com.google.api-client:google-api-client-servlet:1.29.0
-com.google.api-client:google-api-client:1.29.2
+com.google.api-client:google-api-client-servlet:1.30.8
+com.google.api-client:google-api-client:1.30.8
 com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.44.0
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:0.38.0
 com.google.api.grpc:grpc-google-cloud-bigtable-v2:0.38.0
@@ -50,6 +59,7 @@ com.google.apis:google-api-services-groupssettings:v1-rev60-1.22.0
 com.google.apis:google-api-services-monitoring:v3-rev426-1.23.0
 com.google.apis:google-api-services-pubsub:v1-rev20181105-1.27.0
 com.google.apis:google-api-services-sheets:v4-rev483-1.22.0
+com.google.apis:google-api-services-sqladmin:v1beta4-rev56-1.23.0
 com.google.apis:google-api-services-storage:v1-rev20181109-1.27.0
 com.google.appengine.tools:appengine-gcs-client:0.6
 com.google.appengine.tools:appengine-mapreduce:0.9
@@ -65,6 +75,7 @@ com.google.cloud.bigdataoss:gcsio:1.9.16
 com.google.cloud.bigdataoss:util:1.9.16
 com.google.cloud.bigtable:bigtable-client-core:1.8.0
 com.google.cloud.datastore:datastore-v1-proto-client:1.6.0
+com.google.cloud.sql:jdbc-socket-factory-core:1.0.12
 com.google.cloud:google-cloud-bigquerystorage:0.79.0-alpha
 com.google.cloud:google-cloud-bigtable-admin:0.73.0-alpha
 com.google.cloud:google-cloud-bigtable:0.73.0-alpha
@@ -83,22 +94,22 @@ com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:28.2-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.gwt:gwt-user:2.8.2
-com.google.http-client:google-http-client-appengine:1.29.2
-com.google.http-client:google-http-client-jackson2:1.30.1
+com.google.http-client:google-http-client-appengine:1.34.1
+com.google.http-client:google-http-client-jackson2:1.34.1
 com.google.http-client:google-http-client-jackson:1.20.0
 com.google.http-client:google-http-client-protobuf:1.20.0
-com.google.http-client:google-http-client:1.30.1
+com.google.http-client:google-http-client:1.34.1
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
 com.google.jsinterop:jsinterop-annotations:1.0.2
 com.google.monitoring-client:metrics:1.0.7
 com.google.monitoring-client:stackdriver:1.0.7
-com.google.oauth-client:google-oauth-client-appengine:1.29.0
+com.google.oauth-client:google-oauth-client-appengine:1.30.5
 com.google.oauth-client:google-oauth-client-java6:1.28.0
 com.google.oauth-client:google-oauth-client-jetty:1.28.0
-com.google.oauth-client:google-oauth-client-servlet:1.29.0
-com.google.oauth-client:google-oauth-client:1.29.2
+com.google.oauth-client:google-oauth-client-servlet:1.30.5
+com.google.oauth-client:google-oauth-client:1.30.5
 com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5
 com.google.protobuf:protobuf-java-util:3.6.1
 com.google.protobuf:protobuf-java:3.6.1
@@ -123,7 +134,7 @@ io.dropwizard.metrics:metrics-core:3.1.2
 io.grpc:grpc-all:1.17.1
 io.grpc:grpc-alts:1.17.1
 io.grpc:grpc-auth:1.17.1
-io.grpc:grpc-context:1.19.0
+io.grpc:grpc-context:1.22.1
 io.grpc:grpc-core:1.17.1
 io.grpc:grpc-netty-shaded:1.17.1
 io.grpc:grpc-netty:1.17.1
@@ -144,10 +155,10 @@ io.netty:netty-handler:4.1.30.Final
 io.netty:netty-resolver:4.1.30.Final
 io.netty:netty-tcnative-boringssl-static:2.0.17.Final
 io.netty:netty-transport:4.1.30.Final
-io.opencensus:opencensus-api:0.21.0
+io.opencensus:opencensus-api:0.24.0
 io.opencensus:opencensus-contrib-grpc-metrics:0.17.0
 io.opencensus:opencensus-contrib-grpc-util:0.17.0
-io.opencensus:opencensus-contrib-http-util:0.21.0
+io.opencensus:opencensus-contrib-http-util:0.24.0
 it.unimi.dsi:fastutil:6.5.16
 javax.activation:activation:1.1
 javax.activation:javax.activation-api:1.2.0
@@ -180,8 +191,8 @@ org.apache.beam:beam-vendor-grpc-1_21_0:0.1
 org.apache.beam:beam-vendor-guava-26_0-jre:0.1
 org.apache.commons:commons-compress:1.19
 org.apache.commons:commons-lang3:3.5
-org.apache.httpcomponents:httpclient:4.5.8
-org.apache.httpcomponents:httpcore:4.4.11
+org.apache.httpcomponents:httpclient:4.5.11
+org.apache.httpcomponents:httpcore:4.4.13
 org.bouncycastle:bcpg-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.10.0
@@ -207,11 +218,11 @@ org.jvnet.staxex:stax-ex:1.8
 org.mortbay.jetty:jetty-util:6.1.26
 org.mortbay.jetty:jetty:6.1.26
 org.objenesis:objenesis:1.2
-org.ow2.asm:asm-analysis:6.0
+org.ow2.asm:asm-analysis:7.0
 org.ow2.asm:asm-commons:6.0
-org.ow2.asm:asm-tree:6.0
-org.ow2.asm:asm-util:6.0
-org.ow2.asm:asm:6.0
+org.ow2.asm:asm-tree:7.0
+org.ow2.asm:asm-util:7.0
+org.ow2.asm:asm:7.0
 org.rnorth.duct-tape:duct-tape:1.0.8
 org.rnorth.visible-assertions:visible-assertions:2.1.2
 org.rnorth:tcp-unix-socket-proxy:1.0.2
--- a/core/gradle/dependency-locks/default.lockfile
+++ b/core/gradle/dependency-locks/default.lockfile
@@ -1,13 +1,14 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
+androidx.annotation:annotation:1.1.0
 antlr:antlr:2.7.7
 aopalliance:aopalliance:1.0
 args4j:args4j:2.0.23
 cglib:cglib-nodep:2.2
 com.beust:jcommander:1.60
 com.fasterxml.jackson.core:jackson-annotations:2.9.10
-com.fasterxml.jackson.core:jackson-core:2.9.10
+com.fasterxml.jackson.core:jackson-core:2.10.2
 com.fasterxml.jackson.core:jackson-databind:2.9.10
 com.fasterxml:classmate:1.3.4
 com.github.jnr:jffi:1.2.17
@@ -18,11 +19,11 @@ com.github.jnr:jnr-ffi:2.1.9
 com.github.jnr:jnr-posix:3.0.47
 com.github.jnr:jnr-unixsocket:0.21
 com.github.jnr:jnr-x86asm:1.0.2
-com.google.api-client:google-api-client-appengine:1.29.0
+com.google.api-client:google-api-client-appengine:1.30.8
 com.google.api-client:google-api-client-jackson2:1.27.0
 com.google.api-client:google-api-client-java6:1.27.0
-com.google.api-client:google-api-client-servlet:1.29.0
-com.google.api-client:google-api-client:1.29.2
+com.google.api-client:google-api-client-servlet:1.30.8
+com.google.api-client:google-api-client:1.30.8
 com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.44.0
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:0.38.0
 com.google.api.grpc:grpc-google-cloud-bigtable-v2:0.38.0
@@ -95,22 +96,22 @@ com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:28.2-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.gwt:gwt-user:2.8.2
-com.google.http-client:google-http-client-appengine:1.29.2
-com.google.http-client:google-http-client-jackson2:1.30.1
+com.google.http-client:google-http-client-appengine:1.34.1
+com.google.http-client:google-http-client-jackson2:1.34.1
 com.google.http-client:google-http-client-jackson:1.20.0
 com.google.http-client:google-http-client-protobuf:1.20.0
-com.google.http-client:google-http-client:1.30.1
+com.google.http-client:google-http-client:1.34.1
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
 com.google.jsinterop:jsinterop-annotations:1.0.2
 com.google.monitoring-client:metrics:1.0.7
 com.google.monitoring-client:stackdriver:1.0.7
-com.google.oauth-client:google-oauth-client-appengine:1.29.0
+com.google.oauth-client:google-oauth-client-appengine:1.30.5
 com.google.oauth-client:google-oauth-client-java6:1.28.0
 com.google.oauth-client:google-oauth-client-jetty:1.28.0
-com.google.oauth-client:google-oauth-client-servlet:1.29.0
-com.google.oauth-client:google-oauth-client:1.29.2
+com.google.oauth-client:google-oauth-client-servlet:1.30.5
+com.google.oauth-client:google-oauth-client:1.30.5
 com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5
 com.google.protobuf:protobuf-java-util:3.6.1
 com.google.protobuf:protobuf-java:3.6.1
@@ -135,7 +136,7 @@ io.dropwizard.metrics:metrics-core:3.1.2
 io.grpc:grpc-all:1.17.1
 io.grpc:grpc-alts:1.17.1
 io.grpc:grpc-auth:1.17.1
-io.grpc:grpc-context:1.19.0
+io.grpc:grpc-context:1.22.1
 io.grpc:grpc-core:1.17.1
 io.grpc:grpc-grpclb:1.17.1
 io.grpc:grpc-netty-shaded:1.17.1
@@ -157,10 +158,10 @@ io.netty:netty-handler:4.1.30.Final
 io.netty:netty-resolver:4.1.30.Final
 io.netty:netty-tcnative-boringssl-static:2.0.17.Final
 io.netty:netty-transport:4.1.30.Final
-io.opencensus:opencensus-api:0.21.0
+io.opencensus:opencensus-api:0.24.0
 io.opencensus:opencensus-contrib-grpc-metrics:0.17.0
 io.opencensus:opencensus-contrib-grpc-util:0.17.0
-io.opencensus:opencensus-contrib-http-util:0.21.0
+io.opencensus:opencensus-contrib-http-util:0.24.0
 it.unimi.dsi:fastutil:6.5.16
 javax.activation:activation:1.1
 javax.activation:javax.activation-api:1.2.0
@@ -194,8 +195,8 @@ org.apache.beam:beam-vendor-grpc-1_21_0:0.1
 org.apache.beam:beam-vendor-guava-26_0-jre:0.1
 org.apache.commons:commons-compress:1.19
 org.apache.commons:commons-lang3:3.5
-org.apache.httpcomponents:httpclient:4.5.8
-org.apache.httpcomponents:httpcore:4.4.11
+org.apache.httpcomponents:httpclient:4.5.11
+org.apache.httpcomponents:httpcore:4.4.13
 org.bouncycastle:bcpg-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.10.0
@@ -234,6 +235,7 @@ org.rnorth.visible-assertions:visible-assertions:2.1.2
 org.rnorth:tcp-unix-socket-proxy:1.0.2
 org.scijava:native-lib-loader:2.0.2
 org.slf4j:slf4j-api:1.7.28
+org.slf4j:slf4j-jdk14:1.7.28
 org.testcontainers:database-commons:1.12.1
 org.testcontainers:jdbc:1.12.1
 org.testcontainers:postgresql:1.12.1
--- a/core/gradle/dependency-locks/deploy_jar.lockfile
+++ b/core/gradle/dependency-locks/deploy_jar.lockfile
@@ -1,13 +1,14 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
+androidx.annotation:annotation:1.1.0
 antlr:antlr:2.7.7
 aopalliance:aopalliance:1.0
 args4j:args4j:2.0.23
 cglib:cglib-nodep:2.2
 com.beust:jcommander:1.60
 com.fasterxml.jackson.core:jackson-annotations:2.9.10
-com.fasterxml.jackson.core:jackson-core:2.9.10
+com.fasterxml.jackson.core:jackson-core:2.10.2
 com.fasterxml.jackson.core:jackson-databind:2.9.10
 com.fasterxml:classmate:1.3.4
 com.github.jnr:jffi:1.2.17
@@ -18,11 +19,11 @@ com.github.jnr:jnr-ffi:2.1.9
 com.github.jnr:jnr-posix:3.0.47
 com.github.jnr:jnr-unixsocket:0.21
 com.github.jnr:jnr-x86asm:1.0.2
-com.google.api-client:google-api-client-appengine:1.29.0
+com.google.api-client:google-api-client-appengine:1.30.8
 com.google.api-client:google-api-client-jackson2:1.27.0
 com.google.api-client:google-api-client-java6:1.27.0
-com.google.api-client:google-api-client-servlet:1.29.0
-com.google.api-client:google-api-client:1.29.2
+com.google.api-client:google-api-client-servlet:1.30.8
+com.google.api-client:google-api-client:1.30.8
 com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.44.0
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:0.38.0
 com.google.api.grpc:grpc-google-cloud-bigtable-v2:0.38.0
@@ -95,22 +96,22 @@ com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:28.2-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.gwt:gwt-user:2.8.2
-com.google.http-client:google-http-client-appengine:1.29.2
-com.google.http-client:google-http-client-jackson2:1.30.1
+com.google.http-client:google-http-client-appengine:1.34.1
+com.google.http-client:google-http-client-jackson2:1.34.1
 com.google.http-client:google-http-client-jackson:1.20.0
 com.google.http-client:google-http-client-protobuf:1.20.0
-com.google.http-client:google-http-client:1.30.1
+com.google.http-client:google-http-client:1.34.1
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
 com.google.jsinterop:jsinterop-annotations:1.0.2
 com.google.monitoring-client:metrics:1.0.7
 com.google.monitoring-client:stackdriver:1.0.7
-com.google.oauth-client:google-oauth-client-appengine:1.29.0
+com.google.oauth-client:google-oauth-client-appengine:1.30.5
 com.google.oauth-client:google-oauth-client-java6:1.28.0
 com.google.oauth-client:google-oauth-client-jetty:1.28.0
-com.google.oauth-client:google-oauth-client-servlet:1.29.0
-com.google.oauth-client:google-oauth-client:1.29.2
+com.google.oauth-client:google-oauth-client-servlet:1.30.5
+com.google.oauth-client:google-oauth-client:1.30.5
 com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5
 com.google.protobuf:protobuf-java-util:3.6.1
 com.google.protobuf:protobuf-java:3.6.1
@@ -135,7 +136,7 @@ io.dropwizard.metrics:metrics-core:3.1.2
 io.grpc:grpc-all:1.17.1
 io.grpc:grpc-alts:1.17.1
 io.grpc:grpc-auth:1.17.1
-io.grpc:grpc-context:1.19.0
+io.grpc:grpc-context:1.22.1
 io.grpc:grpc-core:1.17.1
 io.grpc:grpc-grpclb:1.17.1
 io.grpc:grpc-netty-shaded:1.17.1
@@ -157,10 +158,10 @@ io.netty:netty-handler:4.1.30.Final
 io.netty:netty-resolver:4.1.30.Final
 io.netty:netty-tcnative-boringssl-static:2.0.17.Final
 io.netty:netty-transport:4.1.30.Final
-io.opencensus:opencensus-api:0.21.0
+io.opencensus:opencensus-api:0.24.0
 io.opencensus:opencensus-contrib-grpc-metrics:0.17.0
 io.opencensus:opencensus-contrib-grpc-util:0.17.0
-io.opencensus:opencensus-contrib-http-util:0.21.0
+io.opencensus:opencensus-contrib-http-util:0.24.0
 it.unimi.dsi:fastutil:6.5.16
 javax.activation:activation:1.1
 javax.activation:javax.activation-api:1.2.0
@@ -193,8 +194,8 @@ org.apache.beam:beam-vendor-grpc-1_21_0:0.1
 org.apache.beam:beam-vendor-guava-26_0-jre:0.1
 org.apache.commons:commons-compress:1.19
 org.apache.commons:commons-lang3:3.5
-org.apache.httpcomponents:httpclient:4.5.8
-org.apache.httpcomponents:httpcore:4.4.11
+org.apache.httpcomponents:httpclient:4.5.11
+org.apache.httpcomponents:httpcore:4.4.13
 org.bouncycastle:bcpg-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.10.0
@@ -231,6 +232,7 @@ org.rnorth.visible-assertions:visible-assertions:2.1.2
 org.rnorth:tcp-unix-socket-proxy:1.0.2
 org.scijava:native-lib-loader:2.0.2
 org.slf4j:slf4j-api:1.7.28
+org.slf4j:slf4j-jdk14:1.7.28
 org.testcontainers:database-commons:1.12.1
 org.testcontainers:jdbc:1.12.1
 org.testcontainers:postgresql:1.12.1
--- a/core/gradle/dependency-locks/nonprodCompile.lockfile
+++ b/core/gradle/dependency-locks/nonprodCompile.lockfile
@@ -1,20 +1,29 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
+androidx.annotation:annotation:1.1.0
 antlr:antlr:2.7.7
 aopalliance:aopalliance:1.0
 args4j:args4j:2.0.23
 cglib:cglib-nodep:2.2
 com.beust:jcommander:1.60
 com.fasterxml.jackson.core:jackson-annotations:2.9.10
-com.fasterxml.jackson.core:jackson-core:2.9.10
+com.fasterxml.jackson.core:jackson-core:2.10.2
 com.fasterxml.jackson.core:jackson-databind:2.9.10
 com.fasterxml:classmate:1.3.4
-com.google.api-client:google-api-client-appengine:1.29.0
+com.github.jnr:jffi:1.2.17
+com.github.jnr:jnr-a64asm:1.0.0
+com.github.jnr:jnr-constants:0.9.11
+com.github.jnr:jnr-enxio:0.19
+com.github.jnr:jnr-ffi:2.1.9
+com.github.jnr:jnr-posix:3.0.47
+com.github.jnr:jnr-unixsocket:0.21
+com.github.jnr:jnr-x86asm:1.0.2
+com.google.api-client:google-api-client-appengine:1.30.8
 com.google.api-client:google-api-client-jackson2:1.27.0
 com.google.api-client:google-api-client-java6:1.27.0
-com.google.api-client:google-api-client-servlet:1.29.0
-com.google.api-client:google-api-client:1.29.2
+com.google.api-client:google-api-client-servlet:1.30.8
+com.google.api-client:google-api-client:1.30.8
 com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.44.0
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:0.38.0
 com.google.api.grpc:grpc-google-cloud-bigtable-v2:0.38.0
@@ -50,6 +59,7 @@ com.google.apis:google-api-services-groupssettings:v1-rev60-1.22.0
 com.google.apis:google-api-services-monitoring:v3-rev426-1.23.0
 com.google.apis:google-api-services-pubsub:v1-rev20181105-1.27.0
 com.google.apis:google-api-services-sheets:v4-rev483-1.22.0
+com.google.apis:google-api-services-sqladmin:v1beta4-rev56-1.23.0
 com.google.apis:google-api-services-storage:v1-rev20181109-1.27.0
 com.google.appengine.tools:appengine-gcs-client:0.6
 com.google.appengine.tools:appengine-mapreduce:0.9
@@ -65,6 +75,7 @@ com.google.cloud.bigdataoss:gcsio:1.9.16
 com.google.cloud.bigdataoss:util:1.9.16
 com.google.cloud.bigtable:bigtable-client-core:1.8.0
 com.google.cloud.datastore:datastore-v1-proto-client:1.6.0
+com.google.cloud.sql:jdbc-socket-factory-core:1.0.12
 com.google.cloud:google-cloud-bigquerystorage:0.79.0-alpha
 com.google.cloud:google-cloud-bigtable-admin:0.73.0-alpha
 com.google.cloud:google-cloud-bigtable:0.73.0-alpha
@@ -84,22 +95,22 @@ com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:28.2-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.gwt:gwt-user:2.8.2
-com.google.http-client:google-http-client-appengine:1.29.2
-com.google.http-client:google-http-client-jackson2:1.30.1
+com.google.http-client:google-http-client-appengine:1.34.1
+com.google.http-client:google-http-client-jackson2:1.34.1
 com.google.http-client:google-http-client-jackson:1.20.0
 com.google.http-client:google-http-client-protobuf:1.20.0
-com.google.http-client:google-http-client:1.30.1
+com.google.http-client:google-http-client:1.34.1
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
 com.google.jsinterop:jsinterop-annotations:1.0.2
 com.google.monitoring-client:metrics:1.0.7
 com.google.monitoring-client:stackdriver:1.0.7
-com.google.oauth-client:google-oauth-client-appengine:1.29.0
+com.google.oauth-client:google-oauth-client-appengine:1.30.5
 com.google.oauth-client:google-oauth-client-java6:1.28.0
 com.google.oauth-client:google-oauth-client-jetty:1.28.0
-com.google.oauth-client:google-oauth-client-servlet:1.29.0
-com.google.oauth-client:google-oauth-client:1.29.2
+com.google.oauth-client:google-oauth-client-servlet:1.30.5
+com.google.oauth-client:google-oauth-client:1.30.5
 com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5
 com.google.protobuf:protobuf-java-util:3.6.1
 com.google.protobuf:protobuf-java:3.6.1
@@ -124,7 +135,7 @@ io.dropwizard.metrics:metrics-core:3.1.2
 io.grpc:grpc-all:1.17.1
 io.grpc:grpc-alts:1.17.1
 io.grpc:grpc-auth:1.17.1
-io.grpc:grpc-context:1.19.0
+io.grpc:grpc-context:1.22.1
 io.grpc:grpc-core:1.17.1
 io.grpc:grpc-grpclb:1.17.1
 io.grpc:grpc-netty-shaded:1.17.1
@@ -146,10 +157,10 @@ io.netty:netty-handler:4.1.30.Final
 io.netty:netty-resolver:4.1.30.Final
 io.netty:netty-tcnative-boringssl-static:2.0.17.Final
 io.netty:netty-transport:4.1.30.Final
-io.opencensus:opencensus-api:0.21.0
+io.opencensus:opencensus-api:0.24.0
 io.opencensus:opencensus-contrib-grpc-metrics:0.17.0
 io.opencensus:opencensus-contrib-grpc-util:0.17.0
-io.opencensus:opencensus-contrib-http-util:0.21.0
+io.opencensus:opencensus-contrib-http-util:0.24.0
 it.unimi.dsi:fastutil:6.5.16
 javax.activation:activation:1.1
 javax.activation:javax.activation-api:1.2.0
@@ -183,8 +194,8 @@ org.apache.beam:beam-vendor-grpc-1_21_0:0.1
 org.apache.beam:beam-vendor-guava-26_0-jre:0.1
 org.apache.commons:commons-compress:1.19
 org.apache.commons:commons-lang3:3.5
-org.apache.httpcomponents:httpclient:4.5.8
-org.apache.httpcomponents:httpcore:4.4.11
+org.apache.httpcomponents:httpclient:4.5.11
+org.apache.httpcomponents:httpcore:4.4.13
 org.bouncycastle:bcpg-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.10.0
@@ -212,11 +223,11 @@ org.mockito:mockito-core:1.9.5
 org.mortbay.jetty:jetty-util:6.1.26
 org.mortbay.jetty:jetty:6.1.26
 org.objenesis:objenesis:1.2
-org.ow2.asm:asm-analysis:6.0
+org.ow2.asm:asm-analysis:7.0
 org.ow2.asm:asm-commons:6.0
-org.ow2.asm:asm-tree:6.0
-org.ow2.asm:asm-util:6.0
-org.ow2.asm:asm:6.0
+org.ow2.asm:asm-tree:7.0
+org.ow2.asm:asm-util:7.0
+org.ow2.asm:asm:7.0
 org.rnorth.duct-tape:duct-tape:1.0.8
 org.rnorth.visible-assertions:visible-assertions:2.1.2
 org.rnorth:tcp-unix-socket-proxy:1.0.2
--- a/core/gradle/dependency-locks/nonprodCompileClasspath.lockfile
+++ b/core/gradle/dependency-locks/nonprodCompileClasspath.lockfile
@@ -1,20 +1,29 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
+androidx.annotation:annotation:1.1.0
 antlr:antlr:2.7.7
 aopalliance:aopalliance:1.0
 args4j:args4j:2.0.23
 cglib:cglib-nodep:2.2
 com.beust:jcommander:1.60
 com.fasterxml.jackson.core:jackson-annotations:2.9.10
-com.fasterxml.jackson.core:jackson-core:2.9.10
+com.fasterxml.jackson.core:jackson-core:2.10.2
 com.fasterxml.jackson.core:jackson-databind:2.9.10
 com.fasterxml:classmate:1.3.4
-com.google.api-client:google-api-client-appengine:1.29.0
+com.github.jnr:jffi:1.2.17
+com.github.jnr:jnr-a64asm:1.0.0
+com.github.jnr:jnr-constants:0.9.11
+com.github.jnr:jnr-enxio:0.19
+com.github.jnr:jnr-ffi:2.1.9
+com.github.jnr:jnr-posix:3.0.47
+com.github.jnr:jnr-unixsocket:0.21
+com.github.jnr:jnr-x86asm:1.0.2
+com.google.api-client:google-api-client-appengine:1.30.8
 com.google.api-client:google-api-client-jackson2:1.27.0
 com.google.api-client:google-api-client-java6:1.27.0
-com.google.api-client:google-api-client-servlet:1.29.0
-com.google.api-client:google-api-client:1.29.2
+com.google.api-client:google-api-client-servlet:1.30.8
+com.google.api-client:google-api-client:1.30.8
 com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.44.0
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:0.38.0
 com.google.api.grpc:grpc-google-cloud-bigtable-v2:0.38.0
@@ -50,6 +59,7 @@ com.google.apis:google-api-services-groupssettings:v1-rev60-1.22.0
 com.google.apis:google-api-services-monitoring:v3-rev426-1.23.0
 com.google.apis:google-api-services-pubsub:v1-rev20181105-1.27.0
 com.google.apis:google-api-services-sheets:v4-rev483-1.22.0
+com.google.apis:google-api-services-sqladmin:v1beta4-rev56-1.23.0
 com.google.apis:google-api-services-storage:v1-rev20181109-1.27.0
 com.google.appengine.tools:appengine-gcs-client:0.6
 com.google.appengine.tools:appengine-mapreduce:0.9
@@ -65,6 +75,7 @@ com.google.cloud.bigdataoss:gcsio:1.9.16
 com.google.cloud.bigdataoss:util:1.9.16
 com.google.cloud.bigtable:bigtable-client-core:1.8.0
 com.google.cloud.datastore:datastore-v1-proto-client:1.6.0
+com.google.cloud.sql:jdbc-socket-factory-core:1.0.12
 com.google.cloud:google-cloud-bigquerystorage:0.79.0-alpha
 com.google.cloud:google-cloud-bigtable-admin:0.73.0-alpha
 com.google.cloud:google-cloud-bigtable:0.73.0-alpha
@@ -83,22 +94,22 @@ com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:28.2-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.gwt:gwt-user:2.8.2
-com.google.http-client:google-http-client-appengine:1.29.2
-com.google.http-client:google-http-client-jackson2:1.30.1
+com.google.http-client:google-http-client-appengine:1.34.1
+com.google.http-client:google-http-client-jackson2:1.34.1
 com.google.http-client:google-http-client-jackson:1.20.0
 com.google.http-client:google-http-client-protobuf:1.20.0
-com.google.http-client:google-http-client:1.30.1
+com.google.http-client:google-http-client:1.34.1
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
 com.google.jsinterop:jsinterop-annotations:1.0.2
 com.google.monitoring-client:metrics:1.0.7
 com.google.monitoring-client:stackdriver:1.0.7
-com.google.oauth-client:google-oauth-client-appengine:1.29.0
+com.google.oauth-client:google-oauth-client-appengine:1.30.5
 com.google.oauth-client:google-oauth-client-java6:1.28.0
 com.google.oauth-client:google-oauth-client-jetty:1.28.0
-com.google.oauth-client:google-oauth-client-servlet:1.29.0
-com.google.oauth-client:google-oauth-client:1.29.2
+com.google.oauth-client:google-oauth-client-servlet:1.30.5
+com.google.oauth-client:google-oauth-client:1.30.5
 com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5
 com.google.protobuf:protobuf-java-util:3.6.1
 com.google.protobuf:protobuf-java:3.6.1
@@ -123,7 +134,7 @@ io.dropwizard.metrics:metrics-core:3.1.2
 io.grpc:grpc-all:1.17.1
 io.grpc:grpc-alts:1.17.1
 io.grpc:grpc-auth:1.17.1
-io.grpc:grpc-context:1.19.0
+io.grpc:grpc-context:1.22.1
 io.grpc:grpc-core:1.17.1
 io.grpc:grpc-netty-shaded:1.17.1
 io.grpc:grpc-netty:1.17.1
@@ -144,10 +155,10 @@ io.netty:netty-handler:4.1.30.Final
 io.netty:netty-resolver:4.1.30.Final
 io.netty:netty-tcnative-boringssl-static:2.0.17.Final
 io.netty:netty-transport:4.1.30.Final
-io.opencensus:opencensus-api:0.21.0
+io.opencensus:opencensus-api:0.24.0
 io.opencensus:opencensus-contrib-grpc-metrics:0.17.0
 io.opencensus:opencensus-contrib-grpc-util:0.17.0
-io.opencensus:opencensus-contrib-http-util:0.21.0
+io.opencensus:opencensus-contrib-http-util:0.24.0
 it.unimi.dsi:fastutil:6.5.16
 javax.activation:activation:1.1
 javax.activation:javax.activation-api:1.2.0
@@ -181,8 +192,8 @@ org.apache.beam:beam-vendor-grpc-1_21_0:0.1
 org.apache.beam:beam-vendor-guava-26_0-jre:0.1
 org.apache.commons:commons-compress:1.19
 org.apache.commons:commons-lang3:3.5
-org.apache.httpcomponents:httpclient:4.5.8
-org.apache.httpcomponents:httpcore:4.4.11
+org.apache.httpcomponents:httpclient:4.5.11
+org.apache.httpcomponents:httpcore:4.4.13
 org.bouncycastle:bcpg-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.10.0
@@ -210,11 +221,11 @@ org.mockito:mockito-core:1.9.5
 org.mortbay.jetty:jetty-util:6.1.26
 org.mortbay.jetty:jetty:6.1.26
 org.objenesis:objenesis:1.2
-org.ow2.asm:asm-analysis:6.0
+org.ow2.asm:asm-analysis:7.0
 org.ow2.asm:asm-commons:6.0
-org.ow2.asm:asm-tree:6.0
-org.ow2.asm:asm-util:6.0
-org.ow2.asm:asm:6.0
+org.ow2.asm:asm-tree:7.0
+org.ow2.asm:asm-util:7.0
+org.ow2.asm:asm:7.0
 org.rnorth.duct-tape:duct-tape:1.0.8
 org.rnorth.visible-assertions:visible-assertions:2.1.2
 org.rnorth:tcp-unix-socket-proxy:1.0.2
--- a/core/gradle/dependency-locks/nonprodRuntime.lockfile
+++ b/core/gradle/dependency-locks/nonprodRuntime.lockfile
@@ -1,20 +1,29 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
+androidx.annotation:annotation:1.1.0
 antlr:antlr:2.7.7
 aopalliance:aopalliance:1.0
 args4j:args4j:2.0.23
 cglib:cglib-nodep:2.2
 com.beust:jcommander:1.60
 com.fasterxml.jackson.core:jackson-annotations:2.9.10
-com.fasterxml.jackson.core:jackson-core:2.9.10
+com.fasterxml.jackson.core:jackson-core:2.10.2
 com.fasterxml.jackson.core:jackson-databind:2.9.10
 com.fasterxml:classmate:1.3.4
-com.google.api-client:google-api-client-appengine:1.29.0
+com.github.jnr:jffi:1.2.17
+com.github.jnr:jnr-a64asm:1.0.0
+com.github.jnr:jnr-constants:0.9.11
+com.github.jnr:jnr-enxio:0.19
+com.github.jnr:jnr-ffi:2.1.9
+com.github.jnr:jnr-posix:3.0.47
+com.github.jnr:jnr-unixsocket:0.21
+com.github.jnr:jnr-x86asm:1.0.2
+com.google.api-client:google-api-client-appengine:1.30.8
 com.google.api-client:google-api-client-jackson2:1.27.0
 com.google.api-client:google-api-client-java6:1.27.0
-com.google.api-client:google-api-client-servlet:1.29.0
-com.google.api-client:google-api-client:1.29.2
+com.google.api-client:google-api-client-servlet:1.30.8
+com.google.api-client:google-api-client:1.30.8
 com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.44.0
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:0.38.0
 com.google.api.grpc:grpc-google-cloud-bigtable-v2:0.38.0
@@ -50,6 +59,7 @@ com.google.apis:google-api-services-groupssettings:v1-rev60-1.22.0
 com.google.apis:google-api-services-monitoring:v3-rev426-1.23.0
 com.google.apis:google-api-services-pubsub:v1-rev20181105-1.27.0
 com.google.apis:google-api-services-sheets:v4-rev483-1.22.0
+com.google.apis:google-api-services-sqladmin:v1beta4-rev56-1.23.0
 com.google.apis:google-api-services-storage:v1-rev20181109-1.27.0
 com.google.appengine.tools:appengine-gcs-client:0.6
 com.google.appengine.tools:appengine-mapreduce:0.9
@@ -65,6 +75,7 @@ com.google.cloud.bigdataoss:gcsio:1.9.16
 com.google.cloud.bigdataoss:util:1.9.16
 com.google.cloud.bigtable:bigtable-client-core:1.8.0
 com.google.cloud.datastore:datastore-v1-proto-client:1.6.0
+com.google.cloud.sql:jdbc-socket-factory-core:1.0.12
 com.google.cloud:google-cloud-bigquerystorage:0.79.0-alpha
 com.google.cloud:google-cloud-bigtable-admin:0.73.0-alpha
 com.google.cloud:google-cloud-bigtable:0.73.0-alpha
@@ -84,22 +95,22 @@ com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:28.2-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.gwt:gwt-user:2.8.2
-com.google.http-client:google-http-client-appengine:1.29.2
-com.google.http-client:google-http-client-jackson2:1.30.1
+com.google.http-client:google-http-client-appengine:1.34.1
+com.google.http-client:google-http-client-jackson2:1.34.1
 com.google.http-client:google-http-client-jackson:1.20.0
 com.google.http-client:google-http-client-protobuf:1.20.0
-com.google.http-client:google-http-client:1.30.1
+com.google.http-client:google-http-client:1.34.1
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
 com.google.jsinterop:jsinterop-annotations:1.0.2
 com.google.monitoring-client:metrics:1.0.7
 com.google.monitoring-client:stackdriver:1.0.7
-com.google.oauth-client:google-oauth-client-appengine:1.29.0
+com.google.oauth-client:google-oauth-client-appengine:1.30.5
 com.google.oauth-client:google-oauth-client-java6:1.28.0
 com.google.oauth-client:google-oauth-client-jetty:1.28.0
-com.google.oauth-client:google-oauth-client-servlet:1.29.0
-com.google.oauth-client:google-oauth-client:1.29.2
+com.google.oauth-client:google-oauth-client-servlet:1.30.5
+com.google.oauth-client:google-oauth-client:1.30.5
 com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5
 com.google.protobuf:protobuf-java-util:3.6.1
 com.google.protobuf:protobuf-java:3.6.1
@@ -124,7 +135,7 @@ io.dropwizard.metrics:metrics-core:3.1.2
 io.grpc:grpc-all:1.17.1
 io.grpc:grpc-alts:1.17.1
 io.grpc:grpc-auth:1.17.1
-io.grpc:grpc-context:1.19.0
+io.grpc:grpc-context:1.22.1
 io.grpc:grpc-core:1.17.1
 io.grpc:grpc-grpclb:1.17.1
 io.grpc:grpc-netty-shaded:1.17.1
@@ -146,10 +157,10 @@ io.netty:netty-handler:4.1.30.Final
 io.netty:netty-resolver:4.1.30.Final
 io.netty:netty-tcnative-boringssl-static:2.0.17.Final
 io.netty:netty-transport:4.1.30.Final
-io.opencensus:opencensus-api:0.21.0
+io.opencensus:opencensus-api:0.24.0
 io.opencensus:opencensus-contrib-grpc-metrics:0.17.0
 io.opencensus:opencensus-contrib-grpc-util:0.17.0
-io.opencensus:opencensus-contrib-http-util:0.21.0
+io.opencensus:opencensus-contrib-http-util:0.24.0
 it.unimi.dsi:fastutil:6.5.16
 javax.activation:activation:1.1
 javax.activation:javax.activation-api:1.2.0
@@ -183,8 +194,8 @@ org.apache.beam:beam-vendor-grpc-1_21_0:0.1
 org.apache.beam:beam-vendor-guava-26_0-jre:0.1
 org.apache.commons:commons-compress:1.19
 org.apache.commons:commons-lang3:3.5
-org.apache.httpcomponents:httpclient:4.5.8
-org.apache.httpcomponents:httpcore:4.4.11
+org.apache.httpcomponents:httpclient:4.5.11
+org.apache.httpcomponents:httpcore:4.4.13
 org.bouncycastle:bcpg-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.10.0
@@ -212,11 +223,11 @@ org.mockito:mockito-core:1.9.5
 org.mortbay.jetty:jetty-util:6.1.26
 org.mortbay.jetty:jetty:6.1.26
 org.objenesis:objenesis:1.2
-org.ow2.asm:asm-analysis:6.0
+org.ow2.asm:asm-analysis:7.0
 org.ow2.asm:asm-commons:6.0
-org.ow2.asm:asm-tree:6.0
-org.ow2.asm:asm-util:6.0
-org.ow2.asm:asm:6.0
+org.ow2.asm:asm-tree:7.0
+org.ow2.asm:asm-util:7.0
+org.ow2.asm:asm:7.0
 org.postgresql:postgresql:42.2.6
 org.rnorth.duct-tape:duct-tape:1.0.8
 org.rnorth.visible-assertions:visible-assertions:2.1.2
--- a/core/gradle/dependency-locks/nonprodRuntimeClasspath.lockfile
+++ b/core/gradle/dependency-locks/nonprodRuntimeClasspath.lockfile
@@ -1,20 +1,29 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
+androidx.annotation:annotation:1.1.0
 antlr:antlr:2.7.7
 aopalliance:aopalliance:1.0
 args4j:args4j:2.0.23
 cglib:cglib-nodep:2.2
 com.beust:jcommander:1.60
 com.fasterxml.jackson.core:jackson-annotations:2.9.10
-com.fasterxml.jackson.core:jackson-core:2.9.10
+com.fasterxml.jackson.core:jackson-core:2.10.2
 com.fasterxml.jackson.core:jackson-databind:2.9.10
 com.fasterxml:classmate:1.3.4
-com.google.api-client:google-api-client-appengine:1.29.0
+com.github.jnr:jffi:1.2.17
+com.github.jnr:jnr-a64asm:1.0.0
+com.github.jnr:jnr-constants:0.9.11
+com.github.jnr:jnr-enxio:0.19
+com.github.jnr:jnr-ffi:2.1.9
+com.github.jnr:jnr-posix:3.0.47
+com.github.jnr:jnr-unixsocket:0.21
+com.github.jnr:jnr-x86asm:1.0.2
+com.google.api-client:google-api-client-appengine:1.30.8
 com.google.api-client:google-api-client-jackson2:1.27.0
 com.google.api-client:google-api-client-java6:1.27.0
-com.google.api-client:google-api-client-servlet:1.29.0
-com.google.api-client:google-api-client:1.29.2
+com.google.api-client:google-api-client-servlet:1.30.8
+com.google.api-client:google-api-client:1.30.8
 com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.44.0
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:0.38.0
 com.google.api.grpc:grpc-google-cloud-bigtable-v2:0.38.0
@@ -50,6 +59,7 @@ com.google.apis:google-api-services-groupssettings:v1-rev60-1.22.0
 com.google.apis:google-api-services-monitoring:v3-rev426-1.23.0
 com.google.apis:google-api-services-pubsub:v1-rev20181105-1.27.0
 com.google.apis:google-api-services-sheets:v4-rev483-1.22.0
+com.google.apis:google-api-services-sqladmin:v1beta4-rev56-1.23.0
 com.google.apis:google-api-services-storage:v1-rev20181109-1.27.0
 com.google.appengine.tools:appengine-gcs-client:0.6
 com.google.appengine.tools:appengine-mapreduce:0.9
@@ -65,6 +75,7 @@ com.google.cloud.bigdataoss:gcsio:1.9.16
 com.google.cloud.bigdataoss:util:1.9.16
 com.google.cloud.bigtable:bigtable-client-core:1.8.0
 com.google.cloud.datastore:datastore-v1-proto-client:1.6.0
+com.google.cloud.sql:jdbc-socket-factory-core:1.0.12
 com.google.cloud:google-cloud-bigquerystorage:0.79.0-alpha
 com.google.cloud:google-cloud-bigtable-admin:0.73.0-alpha
 com.google.cloud:google-cloud-bigtable:0.73.0-alpha
@@ -84,22 +95,22 @@ com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:28.2-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.gwt:gwt-user:2.8.2
-com.google.http-client:google-http-client-appengine:1.29.2
-com.google.http-client:google-http-client-jackson2:1.30.1
+com.google.http-client:google-http-client-appengine:1.34.1
+com.google.http-client:google-http-client-jackson2:1.34.1
 com.google.http-client:google-http-client-jackson:1.20.0
 com.google.http-client:google-http-client-protobuf:1.20.0
-com.google.http-client:google-http-client:1.30.1
+com.google.http-client:google-http-client:1.34.1
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
 com.google.jsinterop:jsinterop-annotations:1.0.2
 com.google.monitoring-client:metrics:1.0.7
 com.google.monitoring-client:stackdriver:1.0.7
-com.google.oauth-client:google-oauth-client-appengine:1.29.0
+com.google.oauth-client:google-oauth-client-appengine:1.30.5
 com.google.oauth-client:google-oauth-client-java6:1.28.0
 com.google.oauth-client:google-oauth-client-jetty:1.28.0
-com.google.oauth-client:google-oauth-client-servlet:1.29.0
-com.google.oauth-client:google-oauth-client:1.29.2
+com.google.oauth-client:google-oauth-client-servlet:1.30.5
+com.google.oauth-client:google-oauth-client:1.30.5
 com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5
 com.google.protobuf:protobuf-java-util:3.6.1
 com.google.protobuf:protobuf-java:3.6.1
@@ -124,7 +135,7 @@ io.dropwizard.metrics:metrics-core:3.1.2
 io.grpc:grpc-all:1.17.1
 io.grpc:grpc-alts:1.17.1
 io.grpc:grpc-auth:1.17.1
-io.grpc:grpc-context:1.19.0
+io.grpc:grpc-context:1.22.1
 io.grpc:grpc-core:1.17.1
 io.grpc:grpc-grpclb:1.17.1
 io.grpc:grpc-netty-shaded:1.17.1
@@ -146,10 +157,10 @@ io.netty:netty-handler:4.1.30.Final
 io.netty:netty-resolver:4.1.30.Final
 io.netty:netty-tcnative-boringssl-static:2.0.17.Final
 io.netty:netty-transport:4.1.30.Final
-io.opencensus:opencensus-api:0.21.0
+io.opencensus:opencensus-api:0.24.0
 io.opencensus:opencensus-contrib-grpc-metrics:0.17.0
 io.opencensus:opencensus-contrib-grpc-util:0.17.0
-io.opencensus:opencensus-contrib-http-util:0.21.0
+io.opencensus:opencensus-contrib-http-util:0.24.0
 it.unimi.dsi:fastutil:6.5.16
 javax.activation:activation:1.1
 javax.activation:javax.activation-api:1.2.0
@@ -183,8 +194,8 @@ org.apache.beam:beam-vendor-grpc-1_21_0:0.1
 org.apache.beam:beam-vendor-guava-26_0-jre:0.1
 org.apache.commons:commons-compress:1.19
 org.apache.commons:commons-lang3:3.5
-org.apache.httpcomponents:httpclient:4.5.8
-org.apache.httpcomponents:httpcore:4.4.11
+org.apache.httpcomponents:httpclient:4.5.11
+org.apache.httpcomponents:httpcore:4.4.13
 org.bouncycastle:bcpg-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.10.0
@@ -212,11 +223,11 @@ org.mockito:mockito-core:1.9.5
 org.mortbay.jetty:jetty-util:6.1.26
 org.mortbay.jetty:jetty:6.1.26
 org.objenesis:objenesis:1.2
-org.ow2.asm:asm-analysis:6.0
+org.ow2.asm:asm-analysis:7.0
 org.ow2.asm:asm-commons:6.0
-org.ow2.asm:asm-tree:6.0
-org.ow2.asm:asm-util:6.0
-org.ow2.asm:asm:6.0
+org.ow2.asm:asm-tree:7.0
+org.ow2.asm:asm-util:7.0
+org.ow2.asm:asm:7.0
 org.postgresql:postgresql:42.2.6
 org.rnorth.duct-tape:duct-tape:1.0.8
 org.rnorth.visible-assertions:visible-assertions:2.1.2
--- a/core/gradle/dependency-locks/runtime.lockfile
+++ b/core/gradle/dependency-locks/runtime.lockfile
@@ -1,20 +1,29 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
+androidx.annotation:annotation:1.1.0
 antlr:antlr:2.7.7
 aopalliance:aopalliance:1.0
 args4j:args4j:2.0.23
 cglib:cglib-nodep:2.2
 com.beust:jcommander:1.60
 com.fasterxml.jackson.core:jackson-annotations:2.9.10
-com.fasterxml.jackson.core:jackson-core:2.9.10
+com.fasterxml.jackson.core:jackson-core:2.10.2
 com.fasterxml.jackson.core:jackson-databind:2.9.10
 com.fasterxml:classmate:1.3.4
-com.google.api-client:google-api-client-appengine:1.29.0
+com.github.jnr:jffi:1.2.17
+com.github.jnr:jnr-a64asm:1.0.0
+com.github.jnr:jnr-constants:0.9.11
+com.github.jnr:jnr-enxio:0.19
+com.github.jnr:jnr-ffi:2.1.9
+com.github.jnr:jnr-posix:3.0.47
+com.github.jnr:jnr-unixsocket:0.21
+com.github.jnr:jnr-x86asm:1.0.2
+com.google.api-client:google-api-client-appengine:1.30.8
 com.google.api-client:google-api-client-jackson2:1.27.0
 com.google.api-client:google-api-client-java6:1.27.0
-com.google.api-client:google-api-client-servlet:1.29.0
-com.google.api-client:google-api-client:1.29.2
+com.google.api-client:google-api-client-servlet:1.30.8
+com.google.api-client:google-api-client:1.30.8
 com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.44.0
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:0.38.0
 com.google.api.grpc:grpc-google-cloud-bigtable-v2:0.38.0
@@ -50,6 +59,7 @@ com.google.apis:google-api-services-groupssettings:v1-rev60-1.22.0
 com.google.apis:google-api-services-monitoring:v3-rev426-1.23.0
 com.google.apis:google-api-services-pubsub:v1-rev20181105-1.27.0
 com.google.apis:google-api-services-sheets:v4-rev483-1.22.0
+com.google.apis:google-api-services-sqladmin:v1beta4-rev56-1.23.0
 com.google.apis:google-api-services-storage:v1-rev20181109-1.27.0
 com.google.appengine.tools:appengine-gcs-client:0.6
 com.google.appengine.tools:appengine-mapreduce:0.9
@@ -65,6 +75,7 @@ com.google.cloud.bigdataoss:gcsio:1.9.16
 com.google.cloud.bigdataoss:util:1.9.16
 com.google.cloud.bigtable:bigtable-client-core:1.8.0
 com.google.cloud.datastore:datastore-v1-proto-client:1.6.0
+com.google.cloud.sql:jdbc-socket-factory-core:1.0.12
 com.google.cloud:google-cloud-bigquerystorage:0.79.0-alpha
 com.google.cloud:google-cloud-bigtable-admin:0.73.0-alpha
 com.google.cloud:google-cloud-bigtable:0.73.0-alpha
@@ -84,22 +95,22 @@ com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:28.2-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.gwt:gwt-user:2.8.2
-com.google.http-client:google-http-client-appengine:1.29.2
-com.google.http-client:google-http-client-jackson2:1.30.1
+com.google.http-client:google-http-client-appengine:1.34.1
+com.google.http-client:google-http-client-jackson2:1.34.1
 com.google.http-client:google-http-client-jackson:1.20.0
 com.google.http-client:google-http-client-protobuf:1.20.0
-com.google.http-client:google-http-client:1.30.1
+com.google.http-client:google-http-client:1.34.1
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
 com.google.jsinterop:jsinterop-annotations:1.0.2
 com.google.monitoring-client:metrics:1.0.7
 com.google.monitoring-client:stackdriver:1.0.7
-com.google.oauth-client:google-oauth-client-appengine:1.29.0
+com.google.oauth-client:google-oauth-client-appengine:1.30.5
 com.google.oauth-client:google-oauth-client-java6:1.28.0
 com.google.oauth-client:google-oauth-client-jetty:1.28.0
-com.google.oauth-client:google-oauth-client-servlet:1.29.0
-com.google.oauth-client:google-oauth-client:1.29.2
+com.google.oauth-client:google-oauth-client-servlet:1.30.5
+com.google.oauth-client:google-oauth-client:1.30.5
 com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5
 com.google.protobuf:protobuf-java-util:3.6.1
 com.google.protobuf:protobuf-java:3.6.1
@@ -124,7 +135,7 @@ io.dropwizard.metrics:metrics-core:3.1.2
 io.grpc:grpc-all:1.17.1
 io.grpc:grpc-alts:1.17.1
 io.grpc:grpc-auth:1.17.1
-io.grpc:grpc-context:1.19.0
+io.grpc:grpc-context:1.22.1
 io.grpc:grpc-core:1.17.1
 io.grpc:grpc-grpclb:1.17.1
 io.grpc:grpc-netty-shaded:1.17.1
@@ -146,10 +157,10 @@ io.netty:netty-handler:4.1.30.Final
 io.netty:netty-resolver:4.1.30.Final
 io.netty:netty-tcnative-boringssl-static:2.0.17.Final
 io.netty:netty-transport:4.1.30.Final
-io.opencensus:opencensus-api:0.21.0
+io.opencensus:opencensus-api:0.24.0
 io.opencensus:opencensus-contrib-grpc-metrics:0.17.0
 io.opencensus:opencensus-contrib-grpc-util:0.17.0
-io.opencensus:opencensus-contrib-http-util:0.21.0
+io.opencensus:opencensus-contrib-http-util:0.24.0
 it.unimi.dsi:fastutil:6.5.16
 javax.activation:activation:1.1
 javax.activation:javax.activation-api:1.2.0
@@ -183,8 +194,8 @@ org.apache.beam:beam-vendor-grpc-1_21_0:0.1
 org.apache.beam:beam-vendor-guava-26_0-jre:0.1
 org.apache.commons:commons-compress:1.19
 org.apache.commons:commons-lang3:3.5
-org.apache.httpcomponents:httpclient:4.5.8
-org.apache.httpcomponents:httpcore:4.4.11
+org.apache.httpcomponents:httpclient:4.5.11
+org.apache.httpcomponents:httpcore:4.4.13
 org.bouncycastle:bcpg-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.10.0
@@ -212,11 +223,11 @@ org.mockito:mockito-core:1.9.5
 org.mortbay.jetty:jetty-util:6.1.26
 org.mortbay.jetty:jetty:6.1.26
 org.objenesis:objenesis:1.2
-org.ow2.asm:asm-analysis:6.0
+org.ow2.asm:asm-analysis:7.0
 org.ow2.asm:asm-commons:6.0
-org.ow2.asm:asm-tree:6.0
-org.ow2.asm:asm-util:6.0
-org.ow2.asm:asm:6.0
+org.ow2.asm:asm-tree:7.0
+org.ow2.asm:asm-util:7.0
+org.ow2.asm:asm:7.0
 org.postgresql:postgresql:42.2.6
 org.rnorth.duct-tape:duct-tape:1.0.8
 org.rnorth.visible-assertions:visible-assertions:2.1.2
--- a/core/gradle/dependency-locks/runtimeClasspath.lockfile
+++ b/core/gradle/dependency-locks/runtimeClasspath.lockfile
@@ -1,13 +1,14 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
+androidx.annotation:annotation:1.1.0
 antlr:antlr:2.7.7
 aopalliance:aopalliance:1.0
 args4j:args4j:2.0.23
 cglib:cglib-nodep:2.2
 com.beust:jcommander:1.60
 com.fasterxml.jackson.core:jackson-annotations:2.9.10
-com.fasterxml.jackson.core:jackson-core:2.9.10
+com.fasterxml.jackson.core:jackson-core:2.10.2
 com.fasterxml.jackson.core:jackson-databind:2.9.10
 com.fasterxml:classmate:1.3.4
 com.github.jnr:jffi:1.2.17
@@ -18,11 +19,11 @@ com.github.jnr:jnr-ffi:2.1.9
 com.github.jnr:jnr-posix:3.0.47
 com.github.jnr:jnr-unixsocket:0.21
 com.github.jnr:jnr-x86asm:1.0.2
-com.google.api-client:google-api-client-appengine:1.29.0
+com.google.api-client:google-api-client-appengine:1.30.8
 com.google.api-client:google-api-client-jackson2:1.27.0
 com.google.api-client:google-api-client-java6:1.27.0
-com.google.api-client:google-api-client-servlet:1.29.0
-com.google.api-client:google-api-client:1.29.2
+com.google.api-client:google-api-client-servlet:1.30.8
+com.google.api-client:google-api-client:1.30.8
 com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.44.0
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:0.38.0
 com.google.api.grpc:grpc-google-cloud-bigtable-v2:0.38.0
@@ -95,22 +96,22 @@ com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:28.2-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.gwt:gwt-user:2.8.2
-com.google.http-client:google-http-client-appengine:1.29.2
-com.google.http-client:google-http-client-jackson2:1.30.1
+com.google.http-client:google-http-client-appengine:1.34.1
+com.google.http-client:google-http-client-jackson2:1.34.1
 com.google.http-client:google-http-client-jackson:1.20.0
 com.google.http-client:google-http-client-protobuf:1.20.0
-com.google.http-client:google-http-client:1.30.1
+com.google.http-client:google-http-client:1.34.1
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
 com.google.jsinterop:jsinterop-annotations:1.0.2
 com.google.monitoring-client:metrics:1.0.7
 com.google.monitoring-client:stackdriver:1.0.7
-com.google.oauth-client:google-oauth-client-appengine:1.29.0
+com.google.oauth-client:google-oauth-client-appengine:1.30.5
 com.google.oauth-client:google-oauth-client-java6:1.28.0
 com.google.oauth-client:google-oauth-client-jetty:1.28.0
-com.google.oauth-client:google-oauth-client-servlet:1.29.0
-com.google.oauth-client:google-oauth-client:1.29.2
+com.google.oauth-client:google-oauth-client-servlet:1.30.5
+com.google.oauth-client:google-oauth-client:1.30.5
 com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5
 com.google.protobuf:protobuf-java-util:3.6.1
 com.google.protobuf:protobuf-java:3.6.1
@@ -135,7 +136,7 @@ io.dropwizard.metrics:metrics-core:3.1.2
 io.grpc:grpc-all:1.17.1
 io.grpc:grpc-alts:1.17.1
 io.grpc:grpc-auth:1.17.1
-io.grpc:grpc-context:1.19.0
+io.grpc:grpc-context:1.22.1
 io.grpc:grpc-core:1.17.1
 io.grpc:grpc-grpclb:1.17.1
 io.grpc:grpc-netty-shaded:1.17.1
@@ -157,10 +158,10 @@ io.netty:netty-handler:4.1.30.Final
 io.netty:netty-resolver:4.1.30.Final
 io.netty:netty-tcnative-boringssl-static:2.0.17.Final
 io.netty:netty-transport:4.1.30.Final
-io.opencensus:opencensus-api:0.21.0
+io.opencensus:opencensus-api:0.24.0
 io.opencensus:opencensus-contrib-grpc-metrics:0.17.0
 io.opencensus:opencensus-contrib-grpc-util:0.17.0
-io.opencensus:opencensus-contrib-http-util:0.21.0
+io.opencensus:opencensus-contrib-http-util:0.24.0
 it.unimi.dsi:fastutil:6.5.16
 javax.activation:activation:1.1
 javax.activation:javax.activation-api:1.2.0
@@ -193,8 +194,8 @@ org.apache.beam:beam-vendor-grpc-1_21_0:0.1
 org.apache.beam:beam-vendor-guava-26_0-jre:0.1
 org.apache.commons:commons-compress:1.19
 org.apache.commons:commons-lang3:3.5
-org.apache.httpcomponents:httpclient:4.5.8
-org.apache.httpcomponents:httpcore:4.4.11
+org.apache.httpcomponents:httpclient:4.5.11
+org.apache.httpcomponents:httpcore:4.4.13
 org.bouncycastle:bcpg-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.10.0
@@ -231,6 +232,7 @@ org.rnorth.visible-assertions:visible-assertions:2.1.2
 org.rnorth:tcp-unix-socket-proxy:1.0.2
 org.scijava:native-lib-loader:2.0.2
 org.slf4j:slf4j-api:1.7.28
+org.slf4j:slf4j-jdk14:1.7.28
 org.testcontainers:database-commons:1.12.1
 org.testcontainers:jdbc:1.12.1
 org.testcontainers:postgresql:1.12.1
--- a/core/gradle/dependency-locks/testCompile.lockfile
+++ b/core/gradle/dependency-locks/testCompile.lockfile
@@ -1,20 +1,29 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
+androidx.annotation:annotation:1.1.0
 antlr:antlr:2.7.7
 aopalliance:aopalliance:1.0
 args4j:args4j:2.33
 cglib:cglib-nodep:2.2
 com.beust:jcommander:1.60
 com.fasterxml.jackson.core:jackson-annotations:2.9.10
-com.fasterxml.jackson.core:jackson-core:2.9.10
+com.fasterxml.jackson.core:jackson-core:2.10.2
 com.fasterxml.jackson.core:jackson-databind:2.9.10
 com.fasterxml:classmate:1.3.4
-com.google.api-client:google-api-client-appengine:1.29.0
+com.github.jnr:jffi:1.2.17
+com.github.jnr:jnr-a64asm:1.0.0
+com.github.jnr:jnr-constants:0.9.11
+com.github.jnr:jnr-enxio:0.19
+com.github.jnr:jnr-ffi:2.1.9
+com.github.jnr:jnr-posix:3.0.47
+com.github.jnr:jnr-unixsocket:0.21
+com.github.jnr:jnr-x86asm:1.0.2
+com.google.api-client:google-api-client-appengine:1.30.8
 com.google.api-client:google-api-client-jackson2:1.27.0
 com.google.api-client:google-api-client-java6:1.27.0
-com.google.api-client:google-api-client-servlet:1.29.0
-com.google.api-client:google-api-client:1.29.2
+com.google.api-client:google-api-client-servlet:1.30.8
+com.google.api-client:google-api-client:1.30.8
 com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.44.0
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:0.38.0
 com.google.api.grpc:grpc-google-cloud-bigtable-v2:0.38.0
@@ -50,6 +59,7 @@ com.google.apis:google-api-services-groupssettings:v1-rev60-1.22.0
 com.google.apis:google-api-services-monitoring:v3-rev426-1.23.0
 com.google.apis:google-api-services-pubsub:v1-rev20181105-1.27.0
 com.google.apis:google-api-services-sheets:v4-rev483-1.22.0
+com.google.apis:google-api-services-sqladmin:v1beta4-rev56-1.23.0
 com.google.apis:google-api-services-storage:v1-rev20181109-1.27.0
 com.google.appengine.tools:appengine-gcs-client:0.6
 com.google.appengine.tools:appengine-mapreduce:0.9
@@ -66,6 +76,7 @@ com.google.cloud.bigdataoss:gcsio:1.9.16
 com.google.cloud.bigdataoss:util:1.9.16
 com.google.cloud.bigtable:bigtable-client-core:1.8.0
 com.google.cloud.datastore:datastore-v1-proto-client:1.6.0
+com.google.cloud.sql:jdbc-socket-factory-core:1.0.12
 com.google.cloud:google-cloud-bigquerystorage:0.79.0-alpha
 com.google.cloud:google-cloud-bigtable-admin:0.73.0-alpha
 com.google.cloud:google-cloud-bigtable:0.73.0-alpha
@@ -86,11 +97,11 @@ com.google.guava:guava-testlib:28.2-jre
 com.google.guava:guava:28.2-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.gwt:gwt-user:2.8.2
-com.google.http-client:google-http-client-appengine:1.29.2
-com.google.http-client:google-http-client-jackson2:1.30.1
+com.google.http-client:google-http-client-appengine:1.34.1
+com.google.http-client:google-http-client-jackson2:1.34.1
 com.google.http-client:google-http-client-jackson:1.20.0
 com.google.http-client:google-http-client-protobuf:1.20.0
-com.google.http-client:google-http-client:1.30.1
+com.google.http-client:google-http-client:1.34.1
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
@@ -98,11 +109,11 @@ com.google.jsinterop:jsinterop-annotations:1.0.2
 com.google.monitoring-client:contrib:1.0.7
 com.google.monitoring-client:metrics:1.0.7
 com.google.monitoring-client:stackdriver:1.0.7
-com.google.oauth-client:google-oauth-client-appengine:1.29.0
+com.google.oauth-client:google-oauth-client-appengine:1.30.5
 com.google.oauth-client:google-oauth-client-java6:1.28.0
 com.google.oauth-client:google-oauth-client-jetty:1.28.0
-com.google.oauth-client:google-oauth-client-servlet:1.29.0
-com.google.oauth-client:google-oauth-client:1.29.2
+com.google.oauth-client:google-oauth-client-servlet:1.30.5
+com.google.oauth-client:google-oauth-client:1.30.5
 com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5
 com.google.protobuf:protobuf-java-util:3.6.1
 com.google.protobuf:protobuf-java:3.6.1
@@ -133,7 +144,7 @@ io.github.classgraph:classgraph:4.8.52
 io.grpc:grpc-all:1.17.1
 io.grpc:grpc-alts:1.17.1
 io.grpc:grpc-auth:1.17.1
-io.grpc:grpc-context:1.19.0
+io.grpc:grpc-context:1.22.1
 io.grpc:grpc-core:1.17.1
 io.grpc:grpc-grpclb:1.17.1
 io.grpc:grpc-netty-shaded:1.17.1
@@ -155,10 +166,10 @@ io.netty:netty-handler:4.1.30.Final
 io.netty:netty-resolver:4.1.30.Final
 io.netty:netty-tcnative-boringssl-static:2.0.17.Final
 io.netty:netty-transport:4.1.30.Final
-io.opencensus:opencensus-api:0.21.0
+io.opencensus:opencensus-api:0.24.0
 io.opencensus:opencensus-contrib-grpc-metrics:0.17.0
 io.opencensus:opencensus-contrib-grpc-util:0.17.0
-io.opencensus:opencensus-contrib-http-util:0.21.0
+io.opencensus:opencensus-contrib-http-util:0.24.0
 it.unimi.dsi:fastutil:6.5.16
 javax.activation:activation:1.1
 javax.activation:javax.activation-api:1.2.0
@@ -198,8 +209,8 @@ org.apache.commons:commons-lang3:3.8.1
 org.apache.commons:commons-text:1.6
 org.apache.ftpserver:ftplet-api:1.0.6
 org.apache.ftpserver:ftpserver-core:1.0.6
-org.apache.httpcomponents:httpclient:4.5.8
-org.apache.httpcomponents:httpcore:4.4.11
+org.apache.httpcomponents:httpclient:4.5.11
+org.apache.httpcomponents:httpcore:4.4.13
 org.apache.mina:mina-core:2.0.4
 org.apache.sshd:sshd-core:2.0.0
 org.apache.sshd:sshd-scp:2.0.0
@@ -234,6 +245,7 @@ org.joda:joda-money:1.0.1
 org.json:json:20160810
 org.junit.jupiter:junit-jupiter-api:5.6.0
 org.junit.jupiter:junit-jupiter-engine:5.6.0
+org.junit.jupiter:junit-jupiter-migrationsupport:5.6.0
 org.junit.platform:junit-platform-commons:1.6.0
 org.junit.platform:junit-platform-engine:1.6.0
 org.junit.vintage:junit-vintage-engine:5.6.0
@@ -244,11 +256,11 @@ org.mortbay.jetty:jetty-util:6.1.26
 org.mortbay.jetty:jetty:6.1.26
 org.objenesis:objenesis:2.6
 org.opentest4j:opentest4j:1.2.0
-org.ow2.asm:asm-analysis:6.0
+org.ow2.asm:asm-analysis:7.0
 org.ow2.asm:asm-commons:6.0
-org.ow2.asm:asm-tree:6.0
-org.ow2.asm:asm-util:6.0
-org.ow2.asm:asm:6.0
+org.ow2.asm:asm-tree:7.0
+org.ow2.asm:asm-util:7.0
+org.ow2.asm:asm:7.0
 org.rnorth.duct-tape:duct-tape:1.0.8
 org.rnorth.visible-assertions:visible-assertions:2.1.2
 org.rnorth:tcp-unix-socket-proxy:1.0.2
--- a/core/gradle/dependency-locks/testCompileClasspath.lockfile
+++ b/core/gradle/dependency-locks/testCompileClasspath.lockfile
@@ -1,20 +1,29 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
+androidx.annotation:annotation:1.1.0
 antlr:antlr:2.7.7
 aopalliance:aopalliance:1.0
 args4j:args4j:2.33
 cglib:cglib-nodep:2.2
 com.beust:jcommander:1.60
 com.fasterxml.jackson.core:jackson-annotations:2.9.10
-com.fasterxml.jackson.core:jackson-core:2.9.10
+com.fasterxml.jackson.core:jackson-core:2.10.2
 com.fasterxml.jackson.core:jackson-databind:2.9.10
 com.fasterxml:classmate:1.3.4
-com.google.api-client:google-api-client-appengine:1.29.0
+com.github.jnr:jffi:1.2.17
+com.github.jnr:jnr-a64asm:1.0.0
+com.github.jnr:jnr-constants:0.9.11
+com.github.jnr:jnr-enxio:0.19
+com.github.jnr:jnr-ffi:2.1.9
+com.github.jnr:jnr-posix:3.0.47
+com.github.jnr:jnr-unixsocket:0.21
+com.github.jnr:jnr-x86asm:1.0.2
+com.google.api-client:google-api-client-appengine:1.30.8
 com.google.api-client:google-api-client-jackson2:1.27.0
 com.google.api-client:google-api-client-java6:1.27.0
-com.google.api-client:google-api-client-servlet:1.29.0
-com.google.api-client:google-api-client:1.29.2
+com.google.api-client:google-api-client-servlet:1.30.8
+com.google.api-client:google-api-client:1.30.8
 com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.44.0
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:0.38.0
 com.google.api.grpc:grpc-google-cloud-bigtable-v2:0.38.0
@@ -50,6 +59,7 @@ com.google.apis:google-api-services-groupssettings:v1-rev60-1.22.0
 com.google.apis:google-api-services-monitoring:v3-rev426-1.23.0
 com.google.apis:google-api-services-pubsub:v1-rev20181105-1.27.0
 com.google.apis:google-api-services-sheets:v4-rev483-1.22.0
+com.google.apis:google-api-services-sqladmin:v1beta4-rev56-1.23.0
 com.google.apis:google-api-services-storage:v1-rev20181109-1.27.0
 com.google.appengine.tools:appengine-gcs-client:0.6
 com.google.appengine.tools:appengine-mapreduce:0.9
@@ -66,6 +76,7 @@ com.google.cloud.bigdataoss:gcsio:1.9.16
 com.google.cloud.bigdataoss:util:1.9.16
 com.google.cloud.bigtable:bigtable-client-core:1.8.0
 com.google.cloud.datastore:datastore-v1-proto-client:1.6.0
+com.google.cloud.sql:jdbc-socket-factory-core:1.0.12
 com.google.cloud:google-cloud-bigquerystorage:0.79.0-alpha
 com.google.cloud:google-cloud-bigtable-admin:0.73.0-alpha
 com.google.cloud:google-cloud-bigtable:0.73.0-alpha
@@ -85,11 +96,11 @@ com.google.guava:guava-testlib:28.2-jre
 com.google.guava:guava:28.2-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.gwt:gwt-user:2.8.2
-com.google.http-client:google-http-client-appengine:1.29.2
-com.google.http-client:google-http-client-jackson2:1.30.1
+com.google.http-client:google-http-client-appengine:1.34.1
+com.google.http-client:google-http-client-jackson2:1.34.1
 com.google.http-client:google-http-client-jackson:1.20.0
 com.google.http-client:google-http-client-protobuf:1.20.0
-com.google.http-client:google-http-client:1.30.1
+com.google.http-client:google-http-client:1.34.1
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
@@ -97,11 +108,11 @@ com.google.jsinterop:jsinterop-annotations:1.0.2
 com.google.monitoring-client:contrib:1.0.7
 com.google.monitoring-client:metrics:1.0.7
 com.google.monitoring-client:stackdriver:1.0.7
-com.google.oauth-client:google-oauth-client-appengine:1.29.0
+com.google.oauth-client:google-oauth-client-appengine:1.30.5
 com.google.oauth-client:google-oauth-client-java6:1.28.0
 com.google.oauth-client:google-oauth-client-jetty:1.28.0
-com.google.oauth-client:google-oauth-client-servlet:1.29.0
-com.google.oauth-client:google-oauth-client:1.29.2
+com.google.oauth-client:google-oauth-client-servlet:1.30.5
+com.google.oauth-client:google-oauth-client:1.30.5
 com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5
 com.google.protobuf:protobuf-java-util:3.6.1
 com.google.protobuf:protobuf-java:3.6.1
@@ -132,7 +143,7 @@ io.github.classgraph:classgraph:4.8.52
 io.grpc:grpc-all:1.17.1
 io.grpc:grpc-alts:1.17.1
 io.grpc:grpc-auth:1.17.1
-io.grpc:grpc-context:1.19.0
+io.grpc:grpc-context:1.22.1
 io.grpc:grpc-core:1.17.1
 io.grpc:grpc-netty-shaded:1.17.1
 io.grpc:grpc-netty:1.17.1
@@ -153,10 +164,10 @@ io.netty:netty-handler:4.1.30.Final
 io.netty:netty-resolver:4.1.30.Final
 io.netty:netty-tcnative-boringssl-static:2.0.17.Final
 io.netty:netty-transport:4.1.30.Final
-io.opencensus:opencensus-api:0.21.0
+io.opencensus:opencensus-api:0.24.0
 io.opencensus:opencensus-contrib-grpc-metrics:0.17.0
 io.opencensus:opencensus-contrib-grpc-util:0.17.0
-io.opencensus:opencensus-contrib-http-util:0.21.0
+io.opencensus:opencensus-contrib-http-util:0.24.0
 it.unimi.dsi:fastutil:6.5.16
 javax.activation:activation:1.1
 javax.activation:javax.activation-api:1.2.0
@@ -196,8 +207,8 @@ org.apache.commons:commons-lang3:3.8.1
 org.apache.commons:commons-text:1.6
 org.apache.ftpserver:ftplet-api:1.0.6
 org.apache.ftpserver:ftpserver-core:1.0.6
-org.apache.httpcomponents:httpclient:4.5.8
-org.apache.httpcomponents:httpcore:4.4.11
+org.apache.httpcomponents:httpclient:4.5.11
+org.apache.httpcomponents:httpcore:4.4.13
 org.apache.mina:mina-core:2.0.4
 org.apache.sshd:sshd-core:2.0.0
 org.apache.sshd:sshd-scp:2.0.0
@@ -232,6 +243,7 @@ org.joda:joda-money:1.0.1
 org.json:json:20160810
 org.junit.jupiter:junit-jupiter-api:5.6.0
 org.junit.jupiter:junit-jupiter-engine:5.6.0
+org.junit.jupiter:junit-jupiter-migrationsupport:5.6.0
 org.junit.platform:junit-platform-commons:1.6.0
 org.junit.platform:junit-platform-engine:1.6.0
 org.junit.vintage:junit-vintage-engine:5.6.0
@@ -242,11 +254,11 @@ org.mortbay.jetty:jetty-util:6.1.26
 org.mortbay.jetty:jetty:6.1.26
 org.objenesis:objenesis:2.6
 org.opentest4j:opentest4j:1.2.0
-org.ow2.asm:asm-analysis:6.0
+org.ow2.asm:asm-analysis:7.0
 org.ow2.asm:asm-commons:6.0
-org.ow2.asm:asm-tree:6.0
-org.ow2.asm:asm-util:6.0
-org.ow2.asm:asm:6.0
+org.ow2.asm:asm-tree:7.0
+org.ow2.asm:asm-util:7.0
+org.ow2.asm:asm:7.0
 org.rnorth.duct-tape:duct-tape:1.0.8
 org.rnorth.visible-assertions:visible-assertions:2.1.2
 org.rnorth:tcp-unix-socket-proxy:1.0.2
--- a/core/gradle/dependency-locks/testRuntime.lockfile
+++ b/core/gradle/dependency-locks/testRuntime.lockfile
@@ -1,13 +1,14 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
+androidx.annotation:annotation:1.1.0
 antlr:antlr:2.7.7
 aopalliance:aopalliance:1.0
 args4j:args4j:2.33
 cglib:cglib-nodep:2.2
 com.beust:jcommander:1.60
 com.fasterxml.jackson.core:jackson-annotations:2.9.10
-com.fasterxml.jackson.core:jackson-core:2.9.10
+com.fasterxml.jackson.core:jackson-core:2.10.2
 com.fasterxml.jackson.core:jackson-databind:2.9.10
 com.fasterxml:classmate:1.3.4
 com.github.jnr:jffi:1.2.17
@@ -18,11 +19,11 @@ com.github.jnr:jnr-ffi:2.1.9
 com.github.jnr:jnr-posix:3.0.47
 com.github.jnr:jnr-unixsocket:0.21
 com.github.jnr:jnr-x86asm:1.0.2
-com.google.api-client:google-api-client-appengine:1.29.0
+com.google.api-client:google-api-client-appengine:1.30.8
 com.google.api-client:google-api-client-jackson2:1.27.0
 com.google.api-client:google-api-client-java6:1.27.0
-com.google.api-client:google-api-client-servlet:1.29.0
-com.google.api-client:google-api-client:1.29.2
+com.google.api-client:google-api-client-servlet:1.30.8
+com.google.api-client:google-api-client:1.30.8
 com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.44.0
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:0.38.0
 com.google.api.grpc:grpc-google-cloud-bigtable-v2:0.38.0
@@ -97,11 +98,11 @@ com.google.guava:guava-testlib:28.2-jre
 com.google.guava:guava:28.2-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.gwt:gwt-user:2.8.2
-com.google.http-client:google-http-client-appengine:1.29.2
-com.google.http-client:google-http-client-jackson2:1.30.1
+com.google.http-client:google-http-client-appengine:1.34.1
+com.google.http-client:google-http-client-jackson2:1.34.1
 com.google.http-client:google-http-client-jackson:1.20.0
 com.google.http-client:google-http-client-protobuf:1.20.0
-com.google.http-client:google-http-client:1.30.1
+com.google.http-client:google-http-client:1.34.1
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
@@ -109,11 +110,11 @@ com.google.jsinterop:jsinterop-annotations:1.0.2
 com.google.monitoring-client:contrib:1.0.7
 com.google.monitoring-client:metrics:1.0.7
 com.google.monitoring-client:stackdriver:1.0.7
-com.google.oauth-client:google-oauth-client-appengine:1.29.0
+com.google.oauth-client:google-oauth-client-appengine:1.30.5
 com.google.oauth-client:google-oauth-client-java6:1.28.0
 com.google.oauth-client:google-oauth-client-jetty:1.28.0
-com.google.oauth-client:google-oauth-client-servlet:1.29.0
-com.google.oauth-client:google-oauth-client:1.29.2
+com.google.oauth-client:google-oauth-client-servlet:1.30.5
+com.google.oauth-client:google-oauth-client:1.30.5
 com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5
 com.google.protobuf:protobuf-java-util:3.6.1
 com.google.protobuf:protobuf-java:3.6.1
@@ -145,7 +146,7 @@ io.github.java-diff-utils:java-diff-utils:4.0
 io.grpc:grpc-all:1.17.1
 io.grpc:grpc-alts:1.17.1
 io.grpc:grpc-auth:1.17.1
-io.grpc:grpc-context:1.19.0
+io.grpc:grpc-context:1.22.1
 io.grpc:grpc-core:1.17.1
 io.grpc:grpc-grpclb:1.17.1
 io.grpc:grpc-netty-shaded:1.17.1
@@ -167,10 +168,10 @@ io.netty:netty-handler:4.1.30.Final
 io.netty:netty-resolver:4.1.30.Final
 io.netty:netty-tcnative-boringssl-static:2.0.17.Final
 io.netty:netty-transport:4.1.30.Final
-io.opencensus:opencensus-api:0.21.0
+io.opencensus:opencensus-api:0.24.0
 io.opencensus:opencensus-contrib-grpc-metrics:0.17.0
 io.opencensus:opencensus-contrib-grpc-util:0.17.0
-io.opencensus:opencensus-contrib-http-util:0.21.0
+io.opencensus:opencensus-contrib-http-util:0.24.0
 it.unimi.dsi:fastutil:6.5.16
 javax.activation:activation:1.1
 javax.activation:javax.activation-api:1.2.0
@@ -210,8 +211,8 @@ org.apache.commons:commons-lang3:3.8.1
 org.apache.commons:commons-text:1.6
 org.apache.ftpserver:ftplet-api:1.0.6
 org.apache.ftpserver:ftpserver-core:1.0.6
-org.apache.httpcomponents:httpclient:4.5.8
-org.apache.httpcomponents:httpcore:4.4.11
+org.apache.httpcomponents:httpclient:4.5.11
+org.apache.httpcomponents:httpcore:4.4.13
 org.apache.mina:mina-core:2.0.4
 org.apache.sshd:sshd-core:2.0.0
 org.apache.sshd:sshd-scp:2.0.0
@@ -247,6 +248,7 @@ org.joda:joda-money:1.0.1
 org.json:json:20160810
 org.junit.jupiter:junit-jupiter-api:5.6.0
 org.junit.jupiter:junit-jupiter-engine:5.6.0
+org.junit.jupiter:junit-jupiter-migrationsupport:5.6.0
 org.junit.platform:junit-platform-commons:1.6.0
 org.junit.platform:junit-platform-engine:1.6.0
 org.junit.vintage:junit-vintage-engine:5.6.0
--- a/core/gradle/dependency-locks/testRuntimeClasspath.lockfile
+++ b/core/gradle/dependency-locks/testRuntimeClasspath.lockfile
@@ -1,13 +1,14 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
+androidx.annotation:annotation:1.1.0
 antlr:antlr:2.7.7
 aopalliance:aopalliance:1.0
 args4j:args4j:2.33
 cglib:cglib-nodep:2.2
 com.beust:jcommander:1.60
 com.fasterxml.jackson.core:jackson-annotations:2.9.10
-com.fasterxml.jackson.core:jackson-core:2.9.10
+com.fasterxml.jackson.core:jackson-core:2.10.2
 com.fasterxml.jackson.core:jackson-databind:2.9.10
 com.fasterxml:classmate:1.3.4
 com.github.jnr:jffi:1.2.17
@@ -18,11 +19,11 @@ com.github.jnr:jnr-ffi:2.1.9
 com.github.jnr:jnr-posix:3.0.47
 com.github.jnr:jnr-unixsocket:0.21
 com.github.jnr:jnr-x86asm:1.0.2
-com.google.api-client:google-api-client-appengine:1.29.0
+com.google.api-client:google-api-client-appengine:1.30.8
 com.google.api-client:google-api-client-jackson2:1.27.0
 com.google.api-client:google-api-client-java6:1.27.0
-com.google.api-client:google-api-client-servlet:1.29.0
-com.google.api-client:google-api-client:1.29.2
+com.google.api-client:google-api-client-servlet:1.30.8
+com.google.api-client:google-api-client:1.30.8
 com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.44.0
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:0.38.0
 com.google.api.grpc:grpc-google-cloud-bigtable-v2:0.38.0
@@ -97,11 +98,11 @@ com.google.guava:guava-testlib:28.2-jre
 com.google.guava:guava:28.2-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.gwt:gwt-user:2.8.2
-com.google.http-client:google-http-client-appengine:1.29.2
-com.google.http-client:google-http-client-jackson2:1.30.1
+com.google.http-client:google-http-client-appengine:1.34.1
+com.google.http-client:google-http-client-jackson2:1.34.1
 com.google.http-client:google-http-client-jackson:1.20.0
 com.google.http-client:google-http-client-protobuf:1.20.0
-com.google.http-client:google-http-client:1.30.1
+com.google.http-client:google-http-client:1.34.1
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
@@ -109,11 +110,11 @@ com.google.jsinterop:jsinterop-annotations:1.0.2
 com.google.monitoring-client:contrib:1.0.7
 com.google.monitoring-client:metrics:1.0.7
 com.google.monitoring-client:stackdriver:1.0.7
-com.google.oauth-client:google-oauth-client-appengine:1.29.0
+com.google.oauth-client:google-oauth-client-appengine:1.30.5
 com.google.oauth-client:google-oauth-client-java6:1.28.0
 com.google.oauth-client:google-oauth-client-jetty:1.28.0
-com.google.oauth-client:google-oauth-client-servlet:1.29.0
-com.google.oauth-client:google-oauth-client:1.29.2
+com.google.oauth-client:google-oauth-client-servlet:1.30.5
+com.google.oauth-client:google-oauth-client:1.30.5
 com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5
 com.google.protobuf:protobuf-java-util:3.6.1
 com.google.protobuf:protobuf-java:3.6.1
@@ -145,7 +146,7 @@ io.github.java-diff-utils:java-diff-utils:4.0
 io.grpc:grpc-all:1.17.1
 io.grpc:grpc-alts:1.17.1
 io.grpc:grpc-auth:1.17.1
-io.grpc:grpc-context:1.19.0
+io.grpc:grpc-context:1.22.1
 io.grpc:grpc-core:1.17.1
 io.grpc:grpc-grpclb:1.17.1
 io.grpc:grpc-netty-shaded:1.17.1
@@ -167,10 +168,10 @@ io.netty:netty-handler:4.1.30.Final
 io.netty:netty-resolver:4.1.30.Final
 io.netty:netty-tcnative-boringssl-static:2.0.17.Final
 io.netty:netty-transport:4.1.30.Final
-io.opencensus:opencensus-api:0.21.0
+io.opencensus:opencensus-api:0.24.0
 io.opencensus:opencensus-contrib-grpc-metrics:0.17.0
 io.opencensus:opencensus-contrib-grpc-util:0.17.0
-io.opencensus:opencensus-contrib-http-util:0.21.0
+io.opencensus:opencensus-contrib-http-util:0.24.0
 it.unimi.dsi:fastutil:6.5.16
 javax.activation:activation:1.1
 javax.activation:javax.activation-api:1.2.0
@@ -210,8 +211,8 @@ org.apache.commons:commons-lang3:3.8.1
 org.apache.commons:commons-text:1.6
 org.apache.ftpserver:ftplet-api:1.0.6
 org.apache.ftpserver:ftpserver-core:1.0.6
-org.apache.httpcomponents:httpclient:4.5.8
-org.apache.httpcomponents:httpcore:4.4.11
+org.apache.httpcomponents:httpclient:4.5.11
+org.apache.httpcomponents:httpcore:4.4.13
 org.apache.mina:mina-core:2.0.4
 org.apache.sshd:sshd-core:2.0.0
 org.apache.sshd:sshd-scp:2.0.0
@@ -247,6 +248,7 @@ org.joda:joda-money:1.0.1
 org.json:json:20160810
 org.junit.jupiter:junit-jupiter-api:5.6.0
 org.junit.jupiter:junit-jupiter-engine:5.6.0
+org.junit.jupiter:junit-jupiter-migrationsupport:5.6.0
 org.junit.platform:junit-platform-commons:1.6.0
 org.junit.platform:junit-platform-engine:1.6.0
 org.junit.vintage:junit-vintage-engine:5.6.0
@@ -278,6 +280,7 @@ org.seleniumhq.selenium:selenium-remote-driver:3.141.59
 org.seleniumhq.selenium:selenium-safari-driver:3.141.59
 org.seleniumhq.selenium:selenium-support:3.141.59
 org.slf4j:slf4j-api:1.7.28
+org.slf4j:slf4j-jdk14:1.7.28
 org.testcontainers:database-commons:1.12.1
 org.testcontainers:jdbc:1.12.1
 org.testcontainers:postgresql:1.12.1
--- a/core/src/main/java/google/registry/batch/AsyncTaskEnqueuer.java
+++ b/core/src/main/java/google/registry/batch/AsyncTaskEnqueuer.java
@@ -30,6 +30,8 @@ import google.registry.model.EppResource;
 import google.registry.model.ImmutableObject;
 import google.registry.model.eppcommon.Trid;
 import google.registry.model.host.HostResource;
+import google.registry.persistence.VKey;
+import google.registry.schema.domain.RegistryLock;
 import google.registry.util.AppEngineServiceUtils;
 import google.registry.util.Retrier;
 import javax.inject.Inject;
@@ -148,15 +150,35 @@ public final class AsyncTaskEnqueuer {

  /** Enqueues a task to asynchronously refresh DNS for a renamed host. */
  public void enqueueAsyncDnsRefresh(HostResource host, DateTime now) {
-    Key<HostResource> hostKey = Key.create(host);
+    VKey<HostResource> hostKey = host.createKey();
    logger.atInfo().log("Enqueuing async DNS refresh for renamed host %s.", hostKey);
    addTaskToQueueWithRetry(
        asyncDnsRefreshPullQueue,
        TaskOptions.Builder.withMethod(Method.PULL)
-            .param(PARAM_HOST_KEY, hostKey.getString())
+            .param(PARAM_HOST_KEY, hostKey.getOfyKey().getString())
            .param(PARAM_REQUESTED_TIME, now.toString()));
  }

+  /**
+   * Enqueues a task to asynchronously re-lock a registry-locked domain after it was unlocked.
+   *
+   * <p>Note: the relockDuration must be present on the lock object.
+   */
+  public void enqueueDomainRelock(RegistryLock lock) {
+    checkArgument(
+        lock.getRelockDuration().isPresent(),
+        "Lock with ID %s not configured for relock",
+        lock.getRevisionId());
+    addTaskToQueueWithRetry(
+        asyncActionsPushQueue,
+        TaskOptions.Builder.withUrl(RelockDomainAction.PATH)
+            .method(Method.POST)
+            .param(
+                RelockDomainAction.OLD_UNLOCK_REVISION_ID_PARAM,
+                String.valueOf(lock.getRevisionId()))
+            .countdownMillis(lock.getRelockDuration().get().getMillis()));
+  }
+
  /**
   * Adds a task to a queue with retrying, to avoid aborting the entire flow over a transient issue
   * enqueuing a task.
--- a/core/src/main/java/google/registry/batch/BatchModule.java
+++ b/core/src/main/java/google/registry/batch/BatchModule.java
@@ -21,6 +21,7 @@ import static google.registry.batch.AsyncTaskEnqueuer.PARAM_RESOURCE_KEY;
 import static google.registry.batch.AsyncTaskEnqueuer.QUEUE_ASYNC_ACTIONS;
 import static google.registry.batch.AsyncTaskEnqueuer.QUEUE_ASYNC_DELETE;
 import static google.registry.batch.AsyncTaskEnqueuer.QUEUE_ASYNC_HOST_RENAME;
+import static google.registry.request.RequestParameters.extractLongParameter;
 import static google.registry.request.RequestParameters.extractOptionalBooleanParameter;
 import static google.registry.request.RequestParameters.extractOptionalIntParameter;
 import static google.registry.request.RequestParameters.extractOptionalParameter;
@@ -40,9 +41,7 @@ import javax.inject.Named;
 import javax.servlet.http.HttpServletRequest;
 import org.joda.time.DateTime;

-/**
- * Dagger module for injecting common settings for batch actions.
- */
+/** Dagger module for injecting common settings for batch actions. */
@Module
 public class BatchModule {

@@ -94,6 +93,12 @@ public class BatchModule {
    return extractSetOfDatetimeParameters(req, PARAM_RESAVE_TIMES);
  }

+  @Provides
+  @Parameter("oldUnlockRevisionId")
+  static long provideOldUnlockRevisionId(HttpServletRequest req) {
+    return extractLongParameter(req, "oldUnlockRevisionId");
+  }
+
  @Provides
  @Named(QUEUE_ASYNC_ACTIONS)
  static Queue provideAsyncActionsPushQueue() {
--- a/core/src/main/java/google/registry/batch/DeleteContactsAndHostsAction.java
+++ b/core/src/main/java/google/registry/batch/DeleteContactsAndHostsAction.java
@@ -85,6 +85,7 @@ import google.registry.model.poll.PendingActionNotificationResponse.HostPendingA
 import google.registry.model.poll.PollMessage;
 import google.registry.model.reporting.HistoryEntry;
 import google.registry.model.server.Lock;
+import google.registry.persistence.VKey;
 import google.registry.request.Action;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
@@ -284,7 +285,9 @@ public class DeleteContactsAndHostsAction implements Runnable {
      if (resourceKey.getKind().equals(KIND_CONTACT)) {
        return domain.getReferencedContacts().contains(resourceKey);
      } else if (resourceKey.getKind().equals(KIND_HOST)) {
-        return domain.getNameservers().contains(resourceKey);
+        return domain
+            .getNameservers()
+            .contains(VKey.createOfy(HostResource.class, (Key<HostResource>) resourceKey));
      } else {
        throw new IllegalStateException("EPP resource key of unknown type: " + resourceKey);
      }
--- a/core/src/main/java/google/registry/batch/RefreshDnsOnHostRenameAction.java
+++ b/core/src/main/java/google/registry/batch/RefreshDnsOnHostRenameAction.java
@@ -52,6 +52,7 @@ import google.registry.mapreduce.inputs.NullInput;
 import google.registry.model.domain.DomainBase;
 import google.registry.model.host.HostResource;
 import google.registry.model.server.Lock;
+import google.registry.persistence.VKey;
 import google.registry.request.Action;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
@@ -206,7 +207,9 @@ public class RefreshDnsOnHostRenameAction implements Runnable {
      Key<HostResource> referencingHostKey = null;
      for (DnsRefreshRequest request : refreshRequests) {
        if (isActive(domain, request.lastUpdateTime())
-            && domain.getNameservers().contains(request.hostKey())) {
+            && domain
+                .getNameservers()
+                .contains(VKey.createOfy(HostResource.class, request.hostKey()))) {
          referencingHostKey = request.hostKey();
          break;
        }
--- a/core/src/main/java/google/registry/batch/RelockDomainAction.java
+++ b/core/src/main/java/google/registry/batch/RelockDomainAction.java
@@ -0,0 +1,168 @@
+// Copyright 2020 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.batch;
+
+import static com.google.common.base.Preconditions.checkArgument;
+import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.persistence.transaction.TransactionManagerFactory.jpaTm;
+import static google.registry.request.Action.Method.POST;
+import static google.registry.tools.LockOrUnlockDomainCommand.REGISTRY_LOCK_STATUSES;
+import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
+import static javax.servlet.http.HttpServletResponse.SC_NO_CONTENT;
+import static javax.servlet.http.HttpServletResponse.SC_OK;
+
+import com.google.common.collect.ImmutableSet;
+import com.google.common.flogger.FluentLogger;
+import com.google.common.net.MediaType;
+import google.registry.model.domain.DomainBase;
+import google.registry.model.eppcommon.StatusValue;
+import google.registry.model.registry.RegistryLockDao;
+import google.registry.request.Action;
+import google.registry.request.Parameter;
+import google.registry.request.Response;
+import google.registry.request.auth.Auth;
+import google.registry.schema.domain.RegistryLock;
+import google.registry.tools.DomainLockUtils;
+import google.registry.util.DateTimeUtils;
+import javax.inject.Inject;
+
+/**
+ * Task that relocks a previously-Registry-Locked domain after some predetermined period of time.
+ */
+@Action(
+    service = Action.Service.BACKEND,
+    path = RelockDomainAction.PATH,
+    method = POST,
+    automaticallyPrintOk = true,
+    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+public class RelockDomainAction implements Runnable {
+
+  public static final String PATH = "/_dr/task/relockDomain";
+  public static final String OLD_UNLOCK_REVISION_ID_PARAM = "oldUnlockRevisionId";
+
+  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
+
+  private final long oldUnlockRevisionId;
+  private final DomainLockUtils domainLockUtils;
+  private final Response response;
+
+  @Inject
+  public RelockDomainAction(
+      @Parameter(OLD_UNLOCK_REVISION_ID_PARAM) long oldUnlockRevisionId,
+      DomainLockUtils domainLockUtils,
+      Response response) {
+    this.oldUnlockRevisionId = oldUnlockRevisionId;
+    this.domainLockUtils = domainLockUtils;
+    this.response = response;
+  }
+
+  @Override
+  public void run() {
+    jpaTm().transact(this::relockDomain);
+  }
+
+  private void relockDomain() {
+    RegistryLock oldLock;
+    try {
+      oldLock =
+          RegistryLockDao.getByRevisionId(oldUnlockRevisionId)
+              .orElseThrow(
+                  () ->
+                      new IllegalArgumentException(
+                          String.format("Unknown revision ID %d", oldUnlockRevisionId)));
+      DomainBase domain =
+          ofy()
+              .load()
+              .type(DomainBase.class)
+              .id(oldLock.getRepoId())
+              .now()
+              .cloneProjectedAtTime(jpaTm().getTransactionTime());
+
+      if (domain.getStatusValues().containsAll(REGISTRY_LOCK_STATUSES)
+          || oldLock.getRelock() != null) {
+        // The domain was manually locked, so we shouldn't worry about relocking
+        String message =
+            String.format(
+                "Domain %s is already manually relocked, skipping automated relock.",
+                domain.getFullyQualifiedDomainName());
+        logger.atInfo().log(message);
+        // SC_NO_CONTENT (204) skips retry -- see the comment below
+        response.setStatus(SC_NO_CONTENT);
+        response.setContentType(MediaType.PLAIN_TEXT_UTF_8);
+        response.setPayload(message);
+        return;
+      }
+      verifyDomainAndLockState(oldLock, domain);
+    } catch (Throwable t) {
+      /* If there's a bad verification code or the domain is in a bad state, we won't want to retry.
+       * AppEngine will retry on non-2xx error codes, so we return SC_NO_CONTENT (204) to avoid it.
+       *
+       * See https://cloud.google.com/appengine/docs/standard/java/taskqueue/push/retrying-tasks
+       * for more details on retry behavior. */
+      logger.atWarning().withCause(t).log(
+          "Exception when attempting to relock domain with old revision ID %d.",
+          oldUnlockRevisionId);
+      response.setStatus(SC_NO_CONTENT);
+      response.setContentType(MediaType.PLAIN_TEXT_UTF_8);
+      response.setPayload(String.format("Relock failed: %s", t.getMessage()));
+      return;
+    }
+    applyRelock(oldLock);
+  }
+
+  private void applyRelock(RegistryLock oldLock) {
+    try {
+      domainLockUtils.administrativelyApplyLock(
+          oldLock.getDomainName(),
+          oldLock.getRegistrarId(),
+          oldLock.getRegistrarPocId(),
+          oldLock.isSuperuser());
+      logger.atInfo().log("Relocked domain %s.", oldLock.getDomainName());
+      response.setStatus(SC_OK);
+    } catch (Throwable t) {
+      // Any errors that occur here are unexpected, so we should retry. Return a non-2xx
+      // error code to get AppEngine to retry
+      logger.atSevere().withCause(t).log(
+          "Exception when attempting to relock domain %s.", oldLock.getDomainName());
+      response.setStatus(SC_INTERNAL_SERVER_ERROR);
+      response.setContentType(MediaType.PLAIN_TEXT_UTF_8);
+      response.setPayload(String.format("Relock failed: %s", t.getMessage()));
+    }
+  }
+
+  private void verifyDomainAndLockState(RegistryLock oldLock, DomainBase domain) {
+    // Domain shouldn't be deleted or have a pending transfer/delete
+    String domainName = domain.getFullyQualifiedDomainName();
+    checkArgument(
+        !DateTimeUtils.isAtOrAfter(jpaTm().getTransactionTime(), domain.getDeletionTime()),
+        "Domain %s has been deleted",
+        domainName);
+    ImmutableSet<StatusValue> statusValues = domain.getStatusValues();
+    checkArgument(
+        !statusValues.contains(StatusValue.PENDING_DELETE),
+        "Domain %s has a pending delete",
+        domainName);
+    checkArgument(
+        !statusValues.contains(StatusValue.PENDING_TRANSFER),
+        "Domain %s has a pending transfer",
+        domainName);
+    checkArgument(
+        domain.getCurrentSponsorClientId().equals(oldLock.getRegistrarId()),
+        "Domain %s has been transferred from registrar %s to registrar %s since the unlock",
+        domainName,
+        oldLock.getRegistrarId(),
+        domain.getCurrentSponsorClientId());
+  }
+}
--- a/core/src/main/java/google/registry/flows/ResourceFlowUtils.java
+++ b/core/src/main/java/google/registry/flows/ResourceFlowUtils.java
@@ -80,11 +80,9 @@ public final class ResourceFlowUtils {
      final Function<DomainBase, ImmutableSet<?>> getPotentialReferences) throws EppException {
    // Enter a transactionless context briefly.
    EppException failfastException =
-        tm()
-            .doTransactionless(
+        tm().doTransactionless(
                () -> {
-                  final ForeignKeyIndex<R> fki =
-                      ForeignKeyIndex.load(resourceClass, targetId, now);
+                  final ForeignKeyIndex<R> fki = ForeignKeyIndex.load(resourceClass, targetId, now);
                  if (fki == null) {
                    return new ResourceDoesNotExistException(resourceClass, targetId);
                  }
@@ -99,8 +97,7 @@ public final class ResourceFlowUtils {
                          .limit(FAILFAST_CHECK_COUNT)
                          .keys();
                  Predicate<DomainBase> predicate =
-                      domain ->
-                          getPotentialReferences.apply(domain).contains(fki.getResourceKey());
+                      domain -> getPotentialReferences.apply(domain).contains(fki.getResourceKey());
                  return ofy().load().keys(keys).values().stream().anyMatch(predicate)
                      ? new ResourceToDeleteIsReferencedException()
                      : null;
--- a/core/src/main/java/google/registry/flows/domain/DomainCreateFlow.java
+++ b/core/src/main/java/google/registry/flows/domain/DomainCreateFlow.java
@@ -14,6 +14,7 @@

 package google.registry.flows.domain;

+import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static google.registry.flows.FlowUtils.persistEntityChanges;
 import static google.registry.flows.FlowUtils.validateClientIsLoggedIn;
 import static google.registry.flows.ResourceFlowUtils.verifyResourceDoesNotExist;
@@ -95,6 +96,7 @@ import google.registry.model.eppinput.EppInput;
 import google.registry.model.eppinput.ResourceCommand;
 import google.registry.model.eppoutput.CreateData.DomainCreateData;
 import google.registry.model.eppoutput.EppResponse;
+import google.registry.model.host.HostResource;
 import google.registry.model.index.EppResourceIndex;
 import google.registry.model.index.ForeignKeyIndex;
 import google.registry.model.ofy.ObjectifyService;
@@ -108,6 +110,7 @@ import google.registry.model.reporting.DomainTransactionRecord;
 import google.registry.model.reporting.DomainTransactionRecord.TransactionReportField;
 import google.registry.model.reporting.HistoryEntry;
 import google.registry.model.reporting.IcannReportingTypes.ActivityReportField;
+import google.registry.persistence.VKey;
 import google.registry.tmch.LordnTaskUtils;
 import java.util.Optional;
 import javax.inject.Inject;
@@ -352,7 +355,11 @@ public class DomainCreateFlow implements TransactionalFlow {
            .setRegistrant(command.getRegistrant())
            .setAuthInfo(command.getAuthInfo())
            .setFullyQualifiedDomainName(targetId)
-            .setNameservers(command.getNameservers())
+            .setNameservers(
+                (ImmutableSet<VKey<HostResource>>)
+                    command.getNameservers().stream()
+                        .map(key -> VKey.createOfy(HostResource.class, key))
+                        .collect(toImmutableSet()))
            .setStatusValues(statuses.build())
            .setContacts(command.getContacts())
            .addGracePeriod(GracePeriod.forBillingEvent(GracePeriodStatus.ADD, createBillingEvent))
--- a/core/src/main/java/google/registry/flows/domain/DomainInfoFlow.java
+++ b/core/src/main/java/google/registry/flows/domain/DomainInfoFlow.java
@@ -14,7 +14,6 @@

 package google.registry.flows.domain;

-import static com.google.common.collect.Sets.union;
 import static google.registry.flows.FlowUtils.validateClientIsLoggedIn;
 import static google.registry.flows.ResourceFlowUtils.verifyExistence;
 import static google.registry.flows.ResourceFlowUtils.verifyOptionalAuthInfo;
@@ -23,6 +22,7 @@ import static google.registry.flows.domain.DomainFlowUtils.handleFeeRequest;
 import static google.registry.flows.domain.DomainFlowUtils.loadForeignKeyedDesignatedContacts;
 import static google.registry.model.EppResourceUtils.loadByForeignKey;
 import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;

 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
@@ -102,8 +102,9 @@ public final class DomainInfoFlow implements Flow {
    flowCustomLogic.afterValidation(
        AfterValidationParameters.newBuilder().setDomain(domain).build());
    // Prefetch all referenced resources. Calling values() blocks until loading is done.
-    ofy().load()
-        .values(union(domain.getNameservers(), domain.getReferencedContacts())).values();
+    // We do nameservers separately since they've been converted to VKey.
+    tm().load(domain.getNameservers());
+    ofy().load().values(domain.getReferencedContacts()).values();
    // Registrars can only see a few fields on unauthorized domains.
    // This is a policy decision that is left up to us by the rfcs.
    DomainInfoData.Builder infoBuilder = DomainInfoData.newBuilder()
--- a/core/src/main/java/google/registry/flows/domain/DomainUpdateFlow.java
+++ b/core/src/main/java/google/registry/flows/domain/DomainUpdateFlow.java
@@ -15,6 +15,7 @@
 package google.registry.flows.domain;

 import static com.google.common.base.MoreObjects.firstNonNull;
+import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static com.google.common.collect.Sets.symmetricDifference;
 import static com.google.common.collect.Sets.union;
 import static google.registry.flows.FlowUtils.persistEntityChanges;
@@ -71,9 +72,11 @@ import google.registry.model.eppcommon.StatusValue;
 import google.registry.model.eppinput.EppInput;
 import google.registry.model.eppinput.ResourceCommand;
 import google.registry.model.eppoutput.EppResponse;
+import google.registry.model.host.HostResource;
 import google.registry.model.registry.Registry;
 import google.registry.model.reporting.HistoryEntry;
 import google.registry.model.reporting.IcannReportingTypes.ActivityReportField;
+import google.registry.persistence.VKey;
 import java.util.Optional;
 import javax.inject.Inject;
 import org.joda.time.DateTime;
@@ -243,8 +246,14 @@ public final class DomainUpdateFlow implements TransactionalFlow {
            .setLastEppUpdateClientId(clientId)
            .addStatusValues(add.getStatusValues())
            .removeStatusValues(remove.getStatusValues())
-            .addNameservers(add.getNameservers())
-            .removeNameservers(remove.getNameservers())
+            .addNameservers(
+                add.getNameservers().stream()
+                    .map(key -> VKey.createOfy(HostResource.class, key))
+                    .collect(toImmutableSet()))
+            .removeNameservers(
+                remove.getNameservers().stream()
+                    .map(key -> VKey.createOfy(HostResource.class, key))
+                    .collect(toImmutableSet()))
            .addContacts(add.getContacts())
            .removeContacts(remove.getContacts())
            .setRegistrant(firstNonNull(change.getRegistrant(), domain.getRegistrant()))
--- a/core/src/main/java/google/registry/flows/host/HostDeleteFlow.java
+++ b/core/src/main/java/google/registry/flows/host/HostDeleteFlow.java
@@ -14,6 +14,7 @@

 package google.registry.flows.host;

+import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static google.registry.flows.FlowUtils.validateClientIsLoggedIn;
 import static google.registry.flows.ResourceFlowUtils.failfastForAsyncDelete;
 import static google.registry.flows.ResourceFlowUtils.loadAndVerifyExistence;
@@ -81,6 +82,17 @@ public final class HostDeleteFlow implements TransactionalFlow {
  @Inject EppResponse.Builder responseBuilder;
  @Inject HostDeleteFlow() {}

+  /**
+   * Hack to convert DomainBase's nameserver VKey's to Ofy Key's.
+   *
+   * <p>We currently need this because {@code failfastForAsyncDelete()} checks to see if a name is
+   * in the ofy keys and is used for both nameservers and contacts. When we convert contacts to
+   * VKey's, we can remove this and do the conversion in {@code failfastForAsyncDelete()}.
+   */
+  private static ImmutableSet<Key<HostResource>> getNameserverOfyKeys(DomainBase domain) {
+    return domain.getNameservers().stream().map(key -> key.getOfyKey()).collect(toImmutableSet());
+  }
+
  @Override
  public final EppResponse run() throws EppException {
    extensionManager.register(MetadataExtension.class);
@@ -88,7 +100,7 @@ public final class HostDeleteFlow implements TransactionalFlow {
    validateClientIsLoggedIn(clientId);
    DateTime now = tm().getTransactionTime();
    validateHostName(targetId);
-    failfastForAsyncDelete(targetId, now, HostResource.class, DomainBase::getNameservers);
+    failfastForAsyncDelete(targetId, now, HostResource.class, HostDeleteFlow::getNameserverOfyKeys);
    HostResource existingHost = loadAndVerifyExistence(HostResource.class, targetId, now);
    verifyNoDisallowedStatuses(existingHost, DISALLOWED_STATUSES);
    if (!isSuperuser) {
--- a/core/src/main/java/google/registry/model/domain/DomainBase.java
+++ b/core/src/main/java/google/registry/model/domain/DomainBase.java
@@ -42,8 +42,10 @@ import com.google.common.collect.Ordering;
 import com.google.common.collect.Streams;
 import com.googlecode.objectify.Key;
 import com.googlecode.objectify.annotation.Entity;
+import com.googlecode.objectify.annotation.Ignore;
 import com.googlecode.objectify.annotation.IgnoreSave;
 import com.googlecode.objectify.annotation.Index;
+import com.googlecode.objectify.annotation.OnLoad;
 import com.googlecode.objectify.condition.IfNull;
 import google.registry.flows.ResourceFlowUtils;
 import google.registry.model.EppResource;
@@ -63,6 +65,7 @@ import google.registry.model.poll.PollMessage;
 import google.registry.model.registry.Registry;
 import google.registry.model.transfer.TransferData;
 import google.registry.model.transfer.TransferStatus;
+import google.registry.persistence.VKey;
 import google.registry.util.CollectionUtils;
 import java.util.HashSet;
 import java.util.Objects;
@@ -130,9 +133,16 @@ public class DomainBase extends EppResource
  @Index
  String tld;

-  /** References to hosts that are the nameservers for the domain. */
+  /**
+   * References to hosts that are the nameservers for the domain.
+   *
+   * <p>This is a legacy field: we have to preserve it because it is still persisted and indexed in
+   * the datastore, but all external references go through nsHostVKeys.
+   */
  @Index @ElementCollection @Transient Set<Key<HostResource>> nsHosts;

+  @Ignore @Transient Set<VKey<HostResource>> nsHostVKeys;
+
  /**
   * The union of the contacts visible via {@link #getContacts} and {@link #getRegistrant}.
   *
@@ -240,6 +250,14 @@ public class DomainBase extends EppResource
   */
  DateTime lastTransferTime;

+  @OnLoad
+  void load() {
+    nsHostVKeys =
+        nullToEmptyImmutableCopy(nsHosts).stream()
+            .map(hostKey -> VKey.createOfy(HostResource.class, hostKey))
+            .collect(toImmutableSet());
+  }
+
  public ImmutableSet<String> getSubordinateHosts() {
    return nullToEmptyImmutableCopy(subordinateHosts);
  }
@@ -299,8 +317,10 @@ public class DomainBase extends EppResource
    return idnTableName;
  }

-  public ImmutableSet<Key<HostResource>> getNameservers() {
-    return nullToEmptyImmutableCopy(nsHosts);
+  public ImmutableSet<VKey<HostResource>> getNameservers() {
+    // Since nsHostVKeys gets initialized both from setNameservers() and the OnLoad method, this
+    // should always be valid.
+    return nullToEmptyImmutableCopy(nsHostVKeys);
  }

  public final String getCurrentSponsorClientId() {
@@ -482,7 +502,7 @@ public class DomainBase extends EppResource
  public ImmutableSortedSet<String> loadNameserverFullyQualifiedHostNames() {
    return ofy()
        .load()
-        .keys(getNameservers())
+        .keys(getNameservers().stream().map(VKey::getOfyKey).collect(toImmutableSet()))
        .values()
        .stream()
        .map(HostResource::getFullyQualifiedHostName)
@@ -542,6 +562,14 @@ public class DomainBase extends EppResource

    Builder(DomainBase instance) {
      super(instance);
+
+      // Convert nsHosts to nsHostVKeys.
+      if (instance.nsHosts != null) {
+        instance.nsHostVKeys =
+            instance.nsHosts.stream()
+                .map(key -> VKey.createOfy(HostResource.class, key))
+                .collect(toImmutableSet());
+      }
    }

    @Override
@@ -557,7 +585,7 @@ public class DomainBase extends EppResource
      } else {  // There are nameservers, so make sure INACTIVE isn't there.
        removeStatusValue(StatusValue.INACTIVE);
      }
-      
+
      checkArgumentNotNull(
          emptyToNull(instance.fullyQualifiedDomainName), "Missing fullyQualifiedDomainName");
      checkArgument(instance.allContacts.stream().anyMatch(IS_REGISTRANT), "Missing registrant");
@@ -591,30 +619,45 @@ public class DomainBase extends EppResource
      return thisCastToDerived();
    }

-    public Builder setNameservers(Key<HostResource> nameserver) {
-      getInstance().nsHosts = ImmutableSet.of(nameserver);
+    public Builder setNameservers(VKey<HostResource> nameserver) {
+      Optional<Key<HostResource>> nsKey = nameserver.maybeGetOfyKey();
+      if (nsKey.isPresent()) {
+        getInstance().nsHosts = ImmutableSet.of(nsKey.get());
+      } else {
+        getInstance().nsHosts = null;
+      }
+      getInstance().nsHostVKeys = ImmutableSet.of(nameserver);
      return thisCastToDerived();
    }

-    public Builder setNameservers(ImmutableSet<Key<HostResource>> nameservers) {
-      getInstance().nsHosts = forceEmptyToNull(nameservers);
+    public Builder setNameservers(ImmutableSet<VKey<HostResource>> nameservers) {
+      // If we have all of the ofy keys, we can set nsHosts.  Otherwise, make it null.
+      if (nameservers != null
+          && nameservers.stream().allMatch(key -> key.maybeGetOfyKey().isPresent())) {
+        getInstance().nsHosts =
+            nameservers.stream().map(key -> key.getOfyKey()).collect(toImmutableSet());
+      } else {
+        getInstance().nsHosts = null;
+      }
+
+      getInstance().nsHostVKeys = forceEmptyToNull(nameservers);
      return thisCastToDerived();
    }

-    public Builder addNameserver(Key<HostResource> nameserver) {
+    public Builder addNameserver(VKey<HostResource> nameserver) {
      return addNameservers(ImmutableSet.of(nameserver));
    }

-    public Builder addNameservers(ImmutableSet<Key<HostResource>> nameservers) {
+    public Builder addNameservers(ImmutableSet<VKey<HostResource>> nameservers) {
      return setNameservers(
          ImmutableSet.copyOf(union(getInstance().getNameservers(), nameservers)));
    }

-    public Builder removeNameserver(Key<HostResource> nameserver) {
+    public Builder removeNameserver(VKey<HostResource> nameserver) {
      return removeNameservers(ImmutableSet.of(nameserver));
    }

-    public Builder removeNameservers(ImmutableSet<Key<HostResource>> nameservers) {
+    public Builder removeNameservers(ImmutableSet<VKey<HostResource>> nameservers) {
      return setNameservers(
          ImmutableSet.copyOf(difference(getInstance().getNameservers(), nameservers)));
    }
--- a/core/src/main/java/google/registry/model/host/HostResource.java
+++ b/core/src/main/java/google/registry/model/host/HostResource.java
@@ -33,6 +33,7 @@ import google.registry.model.annotations.ExternalMessagingName;
 import google.registry.model.annotations.ReportedOn;
 import google.registry.model.domain.DomainBase;
 import google.registry.model.transfer.TransferData;
+import google.registry.persistence.VKey;
 import java.net.InetAddress;
 import java.util.Optional;
 import java.util.Set;
@@ -117,6 +118,10 @@ public class HostResource extends EppResource implements ForeignKeyedEppResource
    return fullyQualifiedHostName;
  }

+  public VKey<HostResource> createKey() {
+    return VKey.createOfy(HostResource.class, Key.create(this));
+  }
+
  @Deprecated
  @Override
  public HostResource cloneProjectedAtTime(DateTime now) {
--- a/core/src/main/java/google/registry/model/ofy/DatastoreTransactionManager.java
+++ b/core/src/main/java/google/registry/model/ofy/DatastoreTransactionManager.java
@@ -18,10 +18,13 @@ import static google.registry.model.ofy.ObjectifyService.ofy;

 import com.google.common.collect.ImmutableCollection;
 import com.google.common.collect.ImmutableList;
+import com.googlecode.objectify.Key;
 import google.registry.persistence.VKey;
 import google.registry.persistence.transaction.TransactionManager;
+import java.util.Iterator;
 import java.util.Optional;
 import java.util.function.Supplier;
+import java.util.stream.StreamSupport;
 import org.joda.time.DateTime;

 /** Datastore implementation of {@link TransactionManager}. */
@@ -128,9 +131,22 @@ public class DatastoreTransactionManager implements TransactionManager {
    throw new UnsupportedOperationException("Not available in the Datastore transaction manager");
  }

+  // TODO: add tests for these methods.  They currently have some degree of test coverage because
+  // they are used when retrieving the nameservers which require these, as they are now loaded by
+  // VKey instead of by ofy Key.  But ideally, there should be one set of TransactionManager
+  // interface tests that are applied to both the datastore and SQL implementations.
  @Override
  public <T> Optional<T> load(VKey<T> key) {
-    throw new UnsupportedOperationException("Not available in the Datastore transaction manager");
+    return Optional.of(getOfy().load().key(key.getOfyKey()).now());
+  }
+
+  @Override
+  public <T> ImmutableList<T> load(Iterable<VKey<T>> keys) {
+    Iterator<Key<T>> iter =
+        StreamSupport.stream(keys.spliterator(), false).map(key -> key.getOfyKey()).iterator();
+
+    // The lambda argument to keys() effectively converts Iterator -> Iterable.
+    return ImmutableList.copyOf(getOfy().load().keys(() -> iter).values());
  }

  @Override
--- a/core/src/main/java/google/registry/model/ofy/ObjectifyService.java
+++ b/core/src/main/java/google/registry/model/ofy/ObjectifyService.java
@@ -36,6 +36,7 @@ import com.googlecode.objectify.impl.translate.opt.joda.MoneyStringTranslatorFac
 import google.registry.config.RegistryEnvironment;
 import google.registry.model.EntityClasses;
 import google.registry.model.ImmutableObject;
+import google.registry.model.host.HostResource;
 import google.registry.model.translators.BloomFilterOfStringTranslatorFactory;
 import google.registry.model.translators.CidrAddressBlockTranslatorFactory;
 import google.registry.model.translators.CommitLogRevisionsTranslatorFactory;
@@ -45,6 +46,7 @@ import google.registry.model.translators.DurationTranslatorFactory;
 import google.registry.model.translators.InetAddressTranslatorFactory;
 import google.registry.model.translators.ReadableInstantUtcTranslatorFactory;
 import google.registry.model.translators.UpdateAutoTimestampTranslatorFactory;
+import google.registry.model.translators.VKeyTranslatorFactory;
 import java.util.concurrent.atomic.AtomicLong;

 /**
@@ -117,17 +119,19 @@ public class ObjectifyService {

  /** Register translators that allow less common types to be stored directly in Datastore. */
  private static void registerTranslators() {
-    for (TranslatorFactory<?> translatorFactory : ImmutableList.of(
-        new BloomFilterOfStringTranslatorFactory(),
-        new CidrAddressBlockTranslatorFactory(),
-        new CommitLogRevisionsTranslatorFactory(),
-        new CreateAutoTimestampTranslatorFactory(),
-        new CurrencyUnitTranslatorFactory(),
-        new DurationTranslatorFactory(),
-        new InetAddressTranslatorFactory(),
-        new MoneyStringTranslatorFactory(),
-        new ReadableInstantUtcTranslatorFactory(),
-        new UpdateAutoTimestampTranslatorFactory())) {
+    for (TranslatorFactory<?> translatorFactory :
+        ImmutableList.of(
+            new BloomFilterOfStringTranslatorFactory(),
+            new CidrAddressBlockTranslatorFactory(),
+            new CommitLogRevisionsTranslatorFactory(),
+            new CreateAutoTimestampTranslatorFactory(),
+            new CurrencyUnitTranslatorFactory(),
+            new DurationTranslatorFactory(),
+            new InetAddressTranslatorFactory(),
+            new MoneyStringTranslatorFactory(),
+            new ReadableInstantUtcTranslatorFactory(),
+            new VKeyTranslatorFactory<HostResource>(HostResource.class),
+            new UpdateAutoTimestampTranslatorFactory())) {
      factory().getTranslators().add(translatorFactory);
    }
  }
--- a/core/src/main/java/google/registry/model/registrar/Registrar.java
+++ b/core/src/main/java/google/registry/model/registrar/Registrar.java
@@ -392,8 +392,6 @@ public class Registrar extends ImmutableObject implements Buildable, Jsonifiable
   */
  @Nullable
  @Mapify(CurrencyMapper.class)
-  @org.hibernate.annotations.Type(
-      type = "google.registry.persistence.converter.CurrencyToBillingMapUserType")
  Map<CurrencyUnit, BillingAccountEntry> billingAccountMap;

  /** A billing account entry for this registrar, consisting of a currency and an account Id. */
--- a/core/src/main/java/google/registry/model/registrar/RegistrarContact.java
+++ b/core/src/main/java/google/registry/model/registrar/RegistrarContact.java
@@ -44,7 +44,9 @@ import google.registry.model.Jsonifiable;
 import google.registry.model.annotations.ReportedOn;
 import java.util.Arrays;
 import java.util.Map;
+import java.util.Optional;
 import java.util.Set;
+import javax.annotation.Nullable;
 import javax.persistence.Column;
 import javax.persistence.Table;
 import javax.persistence.Transient;
@@ -112,6 +114,9 @@ public class RegistrarContact extends ImmutableObject implements Jsonifiable {
  @Column(nullable = false)
  String emailAddress;

+  /** External email address of this contact used for registry lock confirmations. */
+  String registryLockEmailAddress;
+
  /** The voice number of the contact. */
  String phoneNumber;

@@ -212,6 +217,10 @@ public class RegistrarContact extends ImmutableObject implements Jsonifiable {
    return emailAddress;
  }

+  public Optional<String> getRegistryLockEmailAddress() {
+    return Optional.ofNullable(registryLockEmailAddress);
+  }
+
  public String getPhoneNumber() {
    return phoneNumber;
  }
@@ -318,6 +327,7 @@ public class RegistrarContact extends ImmutableObject implements Jsonifiable {
    return new JsonMapBuilder()
        .put("name", name)
        .put("emailAddress", emailAddress)
+        .put("registryLockEmailAddress", registryLockEmailAddress)
        .put("phoneNumber", phoneNumber)
        .put("faxNumber", faxNumber)
        .put("types", getTypes().stream().map(Object::toString).collect(joining(",")))
@@ -352,6 +362,14 @@ public class RegistrarContact extends ImmutableObject implements Jsonifiable {
    public RegistrarContact build() {
      checkNotNull(getInstance().parent, "Registrar parent cannot be null");
      checkValidEmail(getInstance().emailAddress);
+      // Check allowedToSetRegistryLockPassword here because if we want to allow the user to set
+      // a registry lock password, we must also set up the correct registry lock email concurrently
+      // or beforehand.
+      if (getInstance().allowedToSetRegistryLockPassword) {
+        checkArgument(
+            !isNullOrEmpty(getInstance().registryLockEmailAddress),
+            "Registry lock email must not be null if allowing registry lock access");
+      }
      return cloneEmptyToNull(super.build());
    }

@@ -365,6 +383,11 @@ public class RegistrarContact extends ImmutableObject implements Jsonifiable {
      return this;
    }

+    public Builder setRegistryLockEmailAddress(@Nullable String registryLockEmailAddress) {
+      getInstance().registryLockEmailAddress = registryLockEmailAddress;
+      return this;
+    }
+
    public Builder setPhoneNumber(String phoneNumber) {
      getInstance().phoneNumber = phoneNumber;
      return this;
--- a/core/src/main/java/google/registry/model/registry/RegistryLockDao.java
+++ b/core/src/main/java/google/registry/model/registry/RegistryLockDao.java
@@ -25,6 +25,12 @@ import javax.persistence.EntityManager;
 /** Data access object for {@link google.registry.schema.domain.RegistryLock}. */
 public final class RegistryLockDao {

+  /** Returns the {@link RegistryLock} referred to by this revision ID, or empty if none exists. */
+  public static Optional<RegistryLock> getByRevisionId(long revisionId) {
+    jpaTm().assertInTransaction();
+    return Optional.ofNullable(jpaTm().getEntityManager().find(RegistryLock.class, revisionId));
+  }
+
  /** Returns the most recent version of the {@link RegistryLock} referred to by the code. */
  public static Optional<RegistryLock> getByVerificationCode(String verificationCode) {
    jpaTm().assertInTransaction();
@@ -46,8 +52,10 @@ public final class RegistryLockDao {
        jpaTm()
            .getEntityManager()
            .createQuery(
-                "SELECT lock FROM RegistryLock lock WHERE lock.registrarId = :registrarId"
-                    + " AND lock.unlockCompletionTimestamp IS NULL",
+                "SELECT lock FROM RegistryLock lock"
+                    + " WHERE lock.registrarId = :registrarId"
+                    + " AND lock.unlockCompletionTimestamp IS NULL"
+                    + " ORDER BY lock.domainName ASC",
                RegistryLock.class)
            .setParameter("registrarId", registrarId)
            .getResultList());
@@ -84,7 +92,29 @@ public final class RegistryLockDao {
        .getEntityManager()
        .createQuery(
            "SELECT lock FROM RegistryLock lock WHERE lock.repoId = :repoId AND"
-                + " lock.lockCompletionTimestamp IS NOT NULL ORDER BY lock.revisionId"
+                + " lock.lockCompletionTimestamp IS NOT NULL AND"
+                + " lock.unlockCompletionTimestamp IS NULL ORDER BY lock.revisionId"
+                + " DESC",
+            RegistryLock.class)
+        .setParameter("repoId", repoId)
+        .setMaxResults(1)
+        .getResultStream()
+        .findFirst();
+  }
+
+  /**
+   * Returns the most recent verified unlock for a given domain specified by repo ID.
+   *
+   * <p>Returns empty if no unlock has ever been finalized for this domain. This is different from
+   * {@link #getMostRecentByRepoId(String)} in that it only returns verified unlocks.
+   */
+  public static Optional<RegistryLock> getMostRecentVerifiedUnlockByRepoId(String repoId) {
+    jpaTm().assertInTransaction();
+    return jpaTm()
+        .getEntityManager()
+        .createQuery(
+            "SELECT lock FROM RegistryLock lock WHERE lock.repoId = :repoId AND"
+                + " lock.unlockCompletionTimestamp IS NOT NULL ORDER BY lock.revisionId"
                + " DESC",
            RegistryLock.class)
        .setParameter("repoId", repoId)
--- a/core/src/main/java/google/registry/model/server/Lock.java
+++ b/core/src/main/java/google/registry/model/server/Lock.java
@@ -16,6 +16,7 @@ package google.registry.model.server;

 import static com.google.common.base.Preconditions.checkArgument;
 import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.persistence.transaction.TransactionManagerFactory.jpaTm;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.DateTimeUtils.isAtOrAfter;

@@ -28,6 +29,7 @@ import com.googlecode.objectify.annotation.Id;
 import google.registry.model.ImmutableObject;
 import google.registry.model.annotations.NotBackedUp;
 import google.registry.model.annotations.NotBackedUp.Reason;
+import google.registry.schema.server.LockDao;
 import google.registry.util.RequestStatusChecker;
 import google.registry.util.RequestStatusCheckerImpl;
 import java.io.Serializable;
@@ -39,8 +41,8 @@ import org.joda.time.Duration;
 /**
 * A lock on some shared resource.
 *
- * <p>Locks are either specific to a tld or global to the entire system, in which case a tld of
- * null is used.
+ * <p>Locks are either specific to a tld or global to the entire system, in which case a tld of null
+ * is used.
 *
 * <p>This is the "barebone" lock implementation, that requires manual locking and unlocking. For
 * safe calls that automatically lock and unlock, see LockHandler.
@@ -76,6 +78,18 @@ public class Lock extends ImmutableObject implements Serializable {
  /** When the lock can be considered implicitly released. */
  DateTime expirationTime;

+  public String getRequestLogId() {
+    return requestLogId;
+  }
+
+  public DateTime getExpirationTime() {
+    return expirationTime;
+  }
+
+  public DateTime getAcquiredTime() {
+    return acquiredTime;
+  }
+
  /** When was the lock acquired. Used for logging. */
  DateTime acquiredTime;

@@ -87,10 +101,10 @@ public class Lock extends ImmutableObject implements Serializable {
  String tld;

  /**
-   * Create a new {@link Lock} for the given resource name in the specified tld (which can be
-   * null for cross-tld locks).
+   * Create a new {@link Lock} for the given resource name in the specified tld (which can be null
+   * for cross-tld locks).
   */
-  private static Lock create(
+  public static Lock create(
      String resourceName,
      @Nullable String tld,
      String requestLogId,
@@ -177,13 +191,28 @@ public class Lock extends ImmutableObject implements Serializable {
    // access to resources like GCS that can't be transactionally rolled back. Therefore, the lock
    // must be definitively acquired before it is used, even when called inside another transaction.
    AcquireResult acquireResult =
-        tm()
-            .transactNew(
+        tm().transactNew(
                () -> {
                  DateTime now = tm().getTransactionTime();

                  // Checking if an unexpired lock still exists - if so, the lock can't be acquired.
                  Lock lock = ofy().load().type(Lock.class).id(lockId).now();
+                  try {
+                    jpaTm()
+                        .transact(
+                            () -> {
+                              Optional<google.registry.schema.server.Lock> cloudSqlLockOptional;
+                              if (tld == null) {
+                                cloudSqlLockOptional = LockDao.load(resourceName);
+                              } else {
+                                cloudSqlLockOptional = LockDao.load(resourceName, tld);
+                              }
+                              LockDao.compare(Optional.ofNullable(lock), cloudSqlLockOptional);
+                            });
+                  } catch (Exception e) {
+                    logger.atSevere().withCause(e).log(
+                        "Issue loading and comparing lock from Cloud SQL");
+                  }
                  if (lock != null) {
                    logger.atInfo().log(
                        "Loaded existing lock: %s for request: %s", lock.lockId, lock.requestLogId);
@@ -207,6 +236,36 @@ public class Lock extends ImmutableObject implements Serializable {
                  // contention) and
                  // don't need to be backed up.
                  ofy().saveWithoutBackup().entity(newLock);
+
+                  // create and save the lock to Cloud SQL
+                  try {
+                    jpaTm()
+                        .transact(
+                            () -> {
+                              google.registry.schema.server.Lock cloudSqlLock;
+                              if (tld == null) {
+                                cloudSqlLock =
+                                    google.registry.schema.server.Lock.createGlobal(
+                                        resourceName,
+                                        requestStatusChecker.getLogId(),
+                                        now,
+                                        leaseLength);
+                              } else {
+                                cloudSqlLock =
+                                    google.registry.schema.server.Lock.create(
+                                        resourceName,
+                                        tld,
+                                        requestStatusChecker.getLogId(),
+                                        now,
+                                        leaseLength);
+                              }
+                              LockDao.save(cloudSqlLock);
+                            });
+                  } catch (Exception e) {
+                    logger.atSevere().withCause(e).log(
+                        "Error saving lock to Cloud SQL: %s", newLock);
+                  }
+
                  return AcquireResult.create(now, lock, newLock, lockState);
                });

@@ -218,19 +277,51 @@ public class Lock extends ImmutableObject implements Serializable {
  /** Release the lock. */
  public void release() {
    // Just use the default clock because we aren't actually doing anything that will use the clock.
-    tm()
-        .transact(
+    tm().transact(
            () -> {
              // To release a lock, check that no one else has already obtained it and if not
              // delete it. If the lock in Datastore was different then this lock is gone already;
              // this can happen if release() is called around the expiration time and the lock
              // expires underneath us.
              Lock loadedLock = ofy().load().type(Lock.class).id(lockId).now();
+              try {
+                jpaTm()
+                    .transact(
+                        () -> {
+                          Optional<google.registry.schema.server.Lock> cloudSqlLockOptional;
+                          if (tld == null) {
+                            cloudSqlLockOptional = LockDao.load(resourceName);
+                          } else {
+                            cloudSqlLockOptional = LockDao.load(resourceName, tld);
+                          }
+                          LockDao.compare(Optional.ofNullable(loadedLock), cloudSqlLockOptional);
+                        });
+              } catch (Exception e) {
+                logger.atSevere().withCause(e).log(
+                    "Issue loading and comparing lock from Cloud SQL");
+              }
              if (Lock.this.equals(loadedLock)) {
                // Use noBackupOfy() so that we don't create a commit log entry for deleting the
                // lock.
                logger.atInfo().log("Deleting lock: %s", lockId);
                ofy().deleteWithoutBackup().entity(Lock.this);
+
+                // Remove the lock from Cloud SQL
+                try {
+                  jpaTm()
+                      .transact(
+                          () -> {
+                            if (tld == null) {
+                              LockDao.delete(resourceName);
+                            } else {
+                              LockDao.delete(resourceName, tld);
+                            }
+                          });
+                } catch (Exception e) {
+                  logger.atSevere().withCause(e).log(
+                      "Error deleting lock from Cloud SQL: %s", loadedLock);
+                }
+
                lockMetrics.recordRelease(
                    resourceName, tld, new Duration(acquiredTime, tm().getTransactionTime()));
              } else {
--- a/core/src/main/java/google/registry/model/translators/VKeyTranslatorFactory.java
+++ b/core/src/main/java/google/registry/model/translators/VKeyTranslatorFactory.java
@@ -0,0 +1,84 @@
+// Copyright 2020 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.model.translators;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
+
+import com.googlecode.objectify.Key;
+import google.registry.persistence.VKey;
+import java.io.UnsupportedEncodingException;
+import java.net.URLDecoder;
+import java.net.URLEncoder;
+
+/**
+ * Translator factory for VKey.
+ *
+ * <p>These get translated to a string containing the URL safe encoding of the objectify key
+ * followed by a (url-unsafe) ampersand delimiter and the SQL key.
+ */
+public class VKeyTranslatorFactory<T> extends AbstractSimpleTranslatorFactory<VKey, String> {
+  private final Class<T> refClass;
+
+  public VKeyTranslatorFactory(Class<T> refClass) {
+    super(VKey.class);
+    this.refClass = refClass;
+  }
+
+  @Override
+  public SimpleTranslator<VKey, String> createTranslator() {
+    return new SimpleTranslator<VKey, String>() {
+      @Override
+      public VKey loadValue(String datastoreValue) {
+        int pos = datastoreValue.indexOf('&');
+        Key ofyKey = null;
+        String sqlKey = null;
+        if (pos > 0) {
+          // We have an objectify key.
+          ofyKey = Key.create(datastoreValue.substring(0, pos));
+        }
+
+        if (pos < datastoreValue.length() - 1) {
+          // We have an SQL key.
+          sqlKey = decode(datastoreValue.substring(pos + 1));
+        }
+
+        return VKey.create(refClass, sqlKey, ofyKey);
+      }
+
+      @Override
+      public String saveValue(VKey key) {
+        return ((key.getOfyKey() == null) ? "" : key.getOfyKey().getString())
+            + "&"
+            + ((key.getSqlKey() == null) ? "" : encode(key.getSqlKey().toString()));
+      }
+    };
+  }
+
+  private static String encode(String val) {
+    try {
+      return URLEncoder.encode(val, UTF_8.toString());
+    } catch (UnsupportedEncodingException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  private static String decode(String encoded) {
+    try {
+      return URLDecoder.decode(encoded, UTF_8.toString());
+    } catch (UnsupportedEncodingException e) {
+      throw new RuntimeException(e);
+    }
+  }
+}
--- a/core/src/main/java/google/registry/module/backend/BackendRequestComponent.java
+++ b/core/src/main/java/google/registry/module/backend/BackendRequestComponent.java
@@ -26,6 +26,7 @@ import google.registry.batch.DeleteLoadTestDataAction;
 import google.registry.batch.DeleteProberDataAction;
 import google.registry.batch.ExpandRecurringBillingEventsAction;
 import google.registry.batch.RefreshDnsOnHostRenameAction;
+import google.registry.batch.RelockDomainAction;
 import google.registry.batch.ResaveAllEppResourcesAction;
 import google.registry.batch.ResaveEntityAction;
 import google.registry.cron.CommitLogFanoutAction;
@@ -86,77 +87,126 @@ import google.registry.tmch.TmchSmdrlAction;
@RequestScope
@Subcomponent(
    modules = {
-        BackendModule.class,
-        BackupModule.class,
-        BatchModule.class,
-        BillingModule.class,
-        CloudDnsWriterModule.class,
-        CronModule.class,
-        DnsCountQueryCoordinatorModule.class,
-        DnsModule.class,
-        DnsUpdateConfigModule.class,
-        DnsUpdateWriterModule.class,
-        ExportRequestModule.class,
-        IcannReportingModule.class,
-        MapreduceModule.class,
-        RdeModule.class,
-        ReportingModule.class,
-        RequestModule.class,
-        SheetModule.class,
-        Spec11Module.class,
-        TmchModule.class,
-        VoidDnsWriterModule.class,
-        WhiteboxModule.class,
+      BackendModule.class,
+      BackupModule.class,
+      BatchModule.class,
+      BillingModule.class,
+      CloudDnsWriterModule.class,
+      CronModule.class,
+      DnsCountQueryCoordinatorModule.class,
+      DnsModule.class,
+      DnsUpdateConfigModule.class,
+      DnsUpdateWriterModule.class,
+      ExportRequestModule.class,
+      IcannReportingModule.class,
+      MapreduceModule.class,
+      RdeModule.class,
+      ReportingModule.class,
+      RequestModule.class,
+      SheetModule.class,
+      Spec11Module.class,
+      TmchModule.class,
+      VoidDnsWriterModule.class,
+      WhiteboxModule.class,
    })
 interface BackendRequestComponent {
+
  BackupDatastoreAction backupDatastoreAction();
+
  BigqueryPollJobAction bigqueryPollJobAction();
+
  BrdaCopyAction brdaCopyAction();
+
  CheckBackupAction checkBackupAction();
+
  CommitLogCheckpointAction commitLogCheckpointAction();
+
  CommitLogFanoutAction commitLogFanoutAction();
+
  CopyDetailReportsAction copyDetailReportAction();
+
  DeleteContactsAndHostsAction deleteContactsAndHostsAction();
+
  DeleteLoadTestDataAction deleteLoadTestDataAction();
+
  DeleteOldCommitLogsAction deleteOldCommitLogsAction();
+
  DeleteProberDataAction deleteProberDataAction();
+
  ExpandRecurringBillingEventsAction expandRecurringBillingEventsAction();
+
  ExportCommitLogDiffAction exportCommitLogDiffAction();
+
  ExportDomainListsAction exportDomainListsAction();
+
  ExportPremiumTermsAction exportPremiumTermsAction();
+
  ExportReservedTermsAction exportReservedTermsAction();
+
  GenerateInvoicesAction generateInvoicesAction();
+
  GenerateSpec11ReportAction generateSpec11ReportAction();
+
  IcannReportingStagingAction icannReportingStagingAction();
+
  IcannReportingUploadAction icannReportingUploadAction();
+
  NordnUploadAction nordnUploadAction();
+
  NordnVerifyAction nordnVerifyAction();
+
  PublishDnsUpdatesAction publishDnsUpdatesAction();
+
  PublishSpec11ReportAction publishSpec11ReportAction();
+
  ReadDnsQueueAction readDnsQueueAction();
+
  RdeReportAction rdeReportAction();
+
  RdeStagingAction rdeStagingAction();
+
  RdeUploadAction rdeUploadAction();
+
  RdeReporter rdeReporter();
+
  RefreshDnsAction refreshDnsAction();
+
  RefreshDnsOnHostRenameAction refreshDnsOnHostRenameAction();
+
+  RelockDomainAction relockDomainAction();
+
  ResaveAllEppResourcesAction resaveAllEppResourcesAction();
+
  ResaveEntityAction resaveEntityAction();
+
  SyncGroupMembersAction syncGroupMembersAction();
+
  SyncRegistrarsSheetAction syncRegistrarsSheetAction();
+
  TldFanoutAction tldFanoutAction();
+
  TmchCrlAction tmchCrlAction();
+
  TmchDnlAction tmchDnlAction();
+
  TmchSmdrlAction tmchSmdrlAction();
+
  UploadDatastoreBackupAction uploadDatastoreBackupAction();
+
  UpdateRegistrarRdapBaseUrlsAction updateRegistrarRdapBaseUrlsAction();
+
  UpdateSnapshotViewAction updateSnapshotViewAction();
+
  PublishInvoicesAction uploadInvoicesAction();

  @Subcomponent.Builder
  abstract class Builder implements RequestComponentBuilder<BackendRequestComponent> {
-    @Override public abstract Builder requestModule(RequestModule requestModule);
-    @Override public abstract BackendRequestComponent build();
+
+    @Override
+    public abstract Builder requestModule(RequestModule requestModule);
+
+    @Override
+    public abstract BackendRequestComponent build();
  }

  @Module(subcomponents = BackendRequestComponent.class)
--- a/core/src/main/java/google/registry/module/frontend/FrontendRequestComponent.java
+++ b/core/src/main/java/google/registry/module/frontend/FrontendRequestComponent.java
@@ -16,6 +16,7 @@ package google.registry.module.frontend;

 import dagger.Module;
 import dagger.Subcomponent;
+import google.registry.batch.BatchModule;
 import google.registry.dns.DnsModule;
 import google.registry.flows.EppTlsAction;
 import google.registry.flows.FlowComponent;
@@ -38,6 +39,7 @@ import google.registry.ui.server.registrar.RegistryLockVerifyAction;
@RequestScope
@Subcomponent(
    modules = {
+      BatchModule.class,
      DnsModule.class,
      EppTlsModule.class,
      RegistrarConsoleModule.class,
--- a/core/src/main/java/google/registry/persistence/NomulusPostgreSQLDialect.java
+++ b/core/src/main/java/google/registry/persistence/NomulusPostgreSQLDialect.java
@@ -14,6 +14,7 @@
 package google.registry.persistence;

 import google.registry.persistence.converter.StringCollectionDescriptor;
+import google.registry.persistence.converter.StringMapDescriptor;
 import java.sql.Types;
 import org.hibernate.boot.model.TypeContributions;
 import org.hibernate.dialect.PostgreSQL95Dialect;
@@ -26,7 +27,7 @@ public class NomulusPostgreSQLDialect extends PostgreSQL95Dialect {
    registerColumnType(Types.VARCHAR, "text");
    registerColumnType(Types.TIMESTAMP_WITH_TIMEZONE, "timestamptz");
    registerColumnType(Types.TIMESTAMP, "timestamptz");
-    registerColumnType(Types.OTHER, "hstore");
+    registerColumnType(StringMapDescriptor.COLUMN_TYPE, StringMapDescriptor.COLUMN_NAME);
    registerColumnType(
        StringCollectionDescriptor.COLUMN_TYPE, StringCollectionDescriptor.COLUMN_DDL_NAME);
  }
@@ -37,5 +38,7 @@ public class NomulusPostgreSQLDialect extends PostgreSQL95Dialect {
    super.contributeTypes(typeContributions, serviceRegistry);
    typeContributions.contributeJavaTypeDescriptor(StringCollectionDescriptor.getInstance());
    typeContributions.contributeSqlTypeDescriptor(StringCollectionDescriptor.getInstance());
+    typeContributions.contributeJavaTypeDescriptor(StringMapDescriptor.getInstance());
+    typeContributions.contributeSqlTypeDescriptor(StringMapDescriptor.getInstance());
  }
 }
--- a/core/src/main/java/google/registry/persistence/PersistenceComponent.java
+++ b/core/src/main/java/google/registry/persistence/PersistenceComponent.java
@@ -19,7 +19,6 @@ import google.registry.config.CredentialModule;
 import google.registry.config.RegistryConfig.ConfigModule;
 import google.registry.keyring.kms.KmsModule;
 import google.registry.persistence.PersistenceModule.AppEngineJpaTm;
-import google.registry.persistence.PersistenceModule.NomulusToolJpaTm;
 import google.registry.persistence.transaction.JpaTransactionManager;
 import google.registry.util.UtilsModule;
 import javax.inject.Singleton;
@@ -39,7 +38,4 @@ public interface PersistenceComponent {

  @AppEngineJpaTm
  JpaTransactionManager appEngineJpaTransactionManager();
-
-  @NomulusToolJpaTm
-  JpaTransactionManager nomulusToolJpaTransactionManager();
 }
--- a/core/src/main/java/google/registry/persistence/PersistenceModule.java
+++ b/core/src/main/java/google/registry/persistence/PersistenceModule.java
@@ -22,6 +22,7 @@ import static google.registry.config.RegistryConfig.getHibernateHikariMaximumPoo
 import static google.registry.config.RegistryConfig.getHibernateHikariMinimumIdle;
 import static google.registry.config.RegistryConfig.getHibernateLogSqlQueries;

+import com.google.api.client.auth.oauth2.Credential;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Maps;
@@ -29,8 +30,10 @@ import dagger.Module;
 import dagger.Provides;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.keyring.kms.KmsKeyring;
+import google.registry.persistence.transaction.CloudSqlCredentialSupplier;
 import google.registry.persistence.transaction.JpaTransactionManager;
 import google.registry.persistence.transaction.JpaTransactionManagerImpl;
+import google.registry.tools.AuthModule.CloudSqlClientCredential;
 import google.registry.util.Clock;
 import java.lang.annotation.Documented;
 import java.util.HashMap;
@@ -118,7 +121,9 @@ public class PersistenceModule {
      @Config("toolsCloudSqlUsername") String username,
      KmsKeyring kmsKeyring,
      @PartialCloudSqlConfigs ImmutableMap<String, String> cloudSqlConfigs,
+      @CloudSqlClientCredential Credential credential,
      Clock clock) {
+    CloudSqlCredentialSupplier.setupCredentialSupplier(credential);
    HashMap<String, String> overrides = Maps.newHashMap(cloudSqlConfigs);
    overrides.put(Environment.USER, username);
    overrides.put(Environment.PASS, kmsKeyring.getToolsCloudSqlPassword());
@@ -158,7 +163,7 @@ public class PersistenceModule {
  /** Dagger qualifier for {@link JpaTransactionManager} used for Nomulus tool. */
  @Qualifier
  @Documented
-  @interface NomulusToolJpaTm {}
+  public @interface NomulusToolJpaTm {}

  /** Dagger qualifier for the partial Cloud SQL configs. */
  @Qualifier
--- a/core/src/main/java/google/registry/persistence/VKey.java
+++ b/core/src/main/java/google/registry/persistence/VKey.java
@@ -14,7 +14,10 @@

 package google.registry.persistence;

+import static com.google.common.base.Preconditions.checkState;
+
 import google.registry.model.ImmutableObject;
+import java.util.Optional;

 /**
 * VKey is an abstraction that encapsulates the key concept.
@@ -25,12 +28,12 @@ import google.registry.model.ImmutableObject;
 public class VKey<T> extends ImmutableObject {

  // The primary key for the referenced entity.
-  private Object primaryKey;
+  private final Object primaryKey;

  // The objectify key for the referenced entity.
-  private com.googlecode.objectify.Key<T> ofyKey;
+  private final com.googlecode.objectify.Key<T> ofyKey;

-  private Class<? extends T> kind;
+  private final Class<? extends T> kind;

  private VKey(Class<? extends T> kind, com.googlecode.objectify.Key<T> ofyKey, Object primaryKey) {
    this.kind = kind;
@@ -38,31 +41,43 @@ public class VKey<T> extends ImmutableObject {
    this.primaryKey = primaryKey;
  }

-  public static <T> VKey<T> create(
-      Class<? extends T> kind, com.googlecode.objectify.Key<T> ofyKey, Object primaryKey) {
-    return new VKey(kind, ofyKey, primaryKey);
-  }
-
-  public static <T> VKey<T> create(Class<? extends T> kind, Object primaryKey) {
+  public static <T> VKey<T> createSql(Class<? extends T> kind, Object primaryKey) {
    return new VKey(kind, null, primaryKey);
  }

-  public static <T> VKey<T> create(
+  public static <T> VKey<T> createOfy(
      Class<? extends T> kind, com.googlecode.objectify.Key<T> ofyKey) {
    return new VKey(kind, ofyKey, null);
  }

+  public static <T> VKey<T> create(
+      Class<? extends T> kind, Object primaryKey, com.googlecode.objectify.Key ofyKey) {
+    return new VKey(kind, ofyKey, primaryKey);
+  }
+
  public Class<? extends T> getKind() {
    return this.kind;
  }

  /** Returns the SQL primary key. */
  public Object getSqlKey() {
+    checkState(primaryKey != null, "Attempting obtain a null SQL key.");
    return this.primaryKey;
  }

+  /** Returns the SQL primary key if it exists. */
+  public Optional<Object> maybeGetSqlKey() {
+    return Optional.ofNullable(this.primaryKey);
+  }
+
  /** Returns the objectify key. */
  public com.googlecode.objectify.Key<T> getOfyKey() {
+    checkState(ofyKey != null, "Attempting obtain a null Objectify key.");
    return this.ofyKey;
  }
+
+  /** Returns the objectify key if it exists. */
+  public Optional<com.googlecode.objectify.Key<T>> maybeGetOfyKey() {
+    return Optional.ofNullable(this.ofyKey);
+  }
 }
--- a/core/src/main/java/google/registry/persistence/converter/CurrencyToBillingConverter.java
+++ b/core/src/main/java/google/registry/persistence/converter/CurrencyToBillingConverter.java
@@ -0,0 +1,43 @@
+// Copyright 2020 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.persistence.converter;
+
+import static google.registry.model.registrar.Registrar.BillingAccountEntry;
+
+import com.google.common.collect.Maps;
+import java.util.Map;
+import javax.persistence.Converter;
+import org.joda.money.CurrencyUnit;
+
+/** JPA converter for storing/retrieving {@link Map <CurrencyUnit, BillingAccountEntry>} objects. */
+@Converter(autoApply = true)
+public class CurrencyToBillingConverter
+    extends StringMapConverterBase<CurrencyUnit, BillingAccountEntry> {
+
+  @Override
+  Map.Entry<String, String> convertToDatabaseMapEntry(
+      Map.Entry<CurrencyUnit, BillingAccountEntry> entry) {
+    return Maps.immutableEntry(entry.getKey().getCode(), entry.getValue().getAccountId());
+  }
+
+  @Override
+  Map.Entry<CurrencyUnit, BillingAccountEntry> convertToEntityMapEntry(
+      Map.Entry<String, String> entry) {
+    CurrencyUnit currencyUnit = CurrencyUnit.of(entry.getKey());
+    BillingAccountEntry billingAccountEntry =
+        new BillingAccountEntry(currencyUnit, entry.getValue());
+    return Maps.immutableEntry(currencyUnit, billingAccountEntry);
+  }
+}
--- a/core/src/main/java/google/registry/persistence/converter/CurrencyToBillingMapUserType.java
+++ b/core/src/main/java/google/registry/persistence/converter/CurrencyToBillingMapUserType.java
@@ -1,54 +0,0 @@
-// Copyright 2020 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.persistence.converter;
-
-import static com.google.common.collect.ImmutableMap.toImmutableMap;
-
-import google.registry.model.registrar.Registrar.BillingAccountEntry;
-import java.util.Map;
-import org.hibernate.usertype.UserType;
-import org.joda.money.CurrencyUnit;
-
-/**
- * A custom {@link UserType} for storing/retrieving {@link Map<CurrencyUnit, BillingAccountEntry>}
- * objects.
- */
-public class CurrencyToBillingMapUserType extends MapUserType {
-
-  @Override
-  public Object toEntityTypeMap(Map<String, String> map) {
-    return map == null
-        ? null
-        : map.entrySet().stream()
-            .collect(
-                toImmutableMap(
-                    entry -> CurrencyUnit.of(entry.getKey()),
-                    entry ->
-                        new BillingAccountEntry(
-                            CurrencyUnit.of(entry.getKey()), entry.getValue())));
-  }
-
-  @Override
-  public Map<String, String> toDbSupportedMap(Object map) {
-    return map == null
-        ? null
-        : ((Map<CurrencyUnit, BillingAccountEntry>) map)
-            .entrySet().stream()
-                .collect(
-                    toImmutableMap(
-                        entry -> entry.getKey().getCode(),
-                        entry -> entry.getValue().getAccountId()));
-  }
-}
--- a/core/src/main/java/google/registry/persistence/converter/DurationConverter.java
+++ b/core/src/main/java/google/registry/persistence/converter/DurationConverter.java
@@ -0,0 +1,37 @@
+// Copyright 2020 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.persistence.converter;
+
+import javax.annotation.Nullable;
+import javax.persistence.AttributeConverter;
+import javax.persistence.Converter;
+import org.joda.time.Duration;
+
+/** JPA converter to for storing/retrieving {@link org.joda.time.DateTime} objects. */
+@Converter(autoApply = true)
+public class DurationConverter implements AttributeConverter<Duration, Long> {
+
+  @Override
+  @Nullable
+  public Long convertToDatabaseColumn(@Nullable Duration duration) {
+    return duration == null ? null : duration.getMillis();
+  }
+
+  @Override
+  @Nullable
+  public Duration convertToEntityAttribute(@Nullable Long dbData) {
+    return dbData == null ? null : new Duration(dbData);
+  }
+}
--- a/core/src/main/java/google/registry/persistence/converter/MapUserType.java
+++ b/core/src/main/java/google/registry/persistence/converter/MapUserType.java
@@ -1,73 +0,0 @@
-// Copyright 2020 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.persistence.converter;
-
-import java.sql.PreparedStatement;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Types;
-import java.util.Map;
-import org.hibernate.HibernateException;
-import org.hibernate.engine.spi.SharedSessionContractImplementor;
-import org.hibernate.usertype.UserType;
-
-/**
- * A custom {@link UserType} used to convert a Java {@link Map<String, String>} to/from PostgreSQL
- * hstore type. Per this <a href="https://www.postgresql.org/docs/current/hstore.html">doc</a>, as
- * hstore keys and values are simply text strings, the type of key and value in the Java map has to
- * be {@link String} as well.
- */
-public class MapUserType extends MutableUserType {
-
-  @Override
-  public int[] sqlTypes() {
-    return new int[] {Types.OTHER};
-  }
-
-  @Override
-  public Class returnedClass() {
-    return Map.class;
-  }
-
-  @Override
-  public Object nullSafeGet(
-      ResultSet rs, String[] names, SharedSessionContractImplementor session, Object owner)
-      throws HibernateException, SQLException {
-    return toEntityTypeMap((Map<String, String>) rs.getObject(names[0]));
-  }
-
-  @Override
-  public void nullSafeSet(
-      PreparedStatement st, Object value, int index, SharedSessionContractImplementor session)
-      throws HibernateException, SQLException {
-    st.setObject(index, toDbSupportedMap(value));
-  }
-
-  /**
-   * Subclass can override this method to convert the {@link Map<String, String>} to a {@link Map}
-   * of specific type defined in the entity class.
-   */
-  public Object toEntityTypeMap(Map<String, String> map) {
-    return map;
-  }
-
-  /**
-   * Subclass can override this method to convert the {@link Map} of specific type to a {@link
-   * Map<String, String>} that can be stored in the hstore type column.
-   */
-  public Map<String, String> toDbSupportedMap(Object map) {
-    return (Map<String, String>) map;
-  }
-}
--- a/core/src/main/java/google/registry/persistence/converter/MutableUserType.java
+++ b/core/src/main/java/google/registry/persistence/converter/MutableUserType.java
@@ -1,63 +0,0 @@
-// Copyright 2020 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.persistence.converter;
-
-import java.io.Serializable;
-import java.util.Objects;
-import org.hibernate.HibernateException;
-import org.hibernate.usertype.UserType;
-
-/**
- * An abstract class represents a mutable Hibernate user type which implements related methods
- * defined in {@link UserType}.
- */
-public abstract class MutableUserType implements UserType {
-
-  @Override
-  public boolean equals(Object x, Object y) throws HibernateException {
-    return Objects.equals(x, y);
-  }
-
-  @Override
-  public int hashCode(Object x) throws HibernateException {
-    return x == null ? 0 : x.hashCode();
-  }
-
-  // TODO(b/147489651): Investigate how to properly implement the below methods.
-  @Override
-  public Object deepCopy(Object value) throws HibernateException {
-    return value;
-  }
-
-  @Override
-  public boolean isMutable() {
-    return false;
-  }
-
-  @Override
-  public Serializable disassemble(Object value) throws HibernateException {
-    return (Serializable) value;
-  }
-
-  @Override
-  public Object assemble(Serializable cached, Object owner) throws HibernateException {
-    return cached;
-  }
-
-  @Override
-  public Object replace(Object original, Object target, Object owner) throws HibernateException {
-    return original;
-  }
-}
--- a/core/src/main/java/google/registry/persistence/converter/StringMapConverterBase.java
+++ b/core/src/main/java/google/registry/persistence/converter/StringMapConverterBase.java
@@ -0,0 +1,52 @@
+// Copyright 2020 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.persistence.converter;
+
+import static com.google.common.collect.ImmutableMap.toImmutableMap;
+
+import google.registry.persistence.converter.StringMapDescriptor.StringMap;
+import java.util.Map;
+import javax.persistence.AttributeConverter;
+
+/**
+ * Base JPA converter for {@link Map} objects that are stored in a column with data type of hstore
+ * in the database.
+ */
+public abstract class StringMapConverterBase<K, V>
+    implements AttributeConverter<Map<K, V>, StringMap> {
+
+  abstract Map.Entry<String, String> convertToDatabaseMapEntry(Map.Entry<K, V> entry);
+
+  abstract Map.Entry<K, V> convertToEntityMapEntry(Map.Entry<String, String> entry);
+
+  @Override
+  public StringMap convertToDatabaseColumn(Map<K, V> attribute) {
+    return attribute == null
+        ? null
+        : StringMap.create(
+            attribute.entrySet().stream()
+                .map(this::convertToDatabaseMapEntry)
+                .collect(toImmutableMap(Map.Entry::getKey, Map.Entry::getValue)));
+  }
+
+  @Override
+  public Map<K, V> convertToEntityAttribute(StringMap dbData) {
+    return dbData == null
+        ? null
+        : dbData.getMap().entrySet().stream()
+            .map(this::convertToEntityMapEntry)
+            .collect(toImmutableMap(Map.Entry::getKey, Map.Entry::getValue));
+  }
+}
--- a/core/src/main/java/google/registry/persistence/converter/StringMapDescriptor.java
+++ b/core/src/main/java/google/registry/persistence/converter/StringMapDescriptor.java
@@ -0,0 +1,177 @@
+// Copyright 2020 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.persistence.converter;
+
+import static google.registry.persistence.converter.StringMapDescriptor.StringMap;
+
+import com.google.common.collect.ImmutableMap;
+import java.sql.CallableStatement;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Types;
+import java.util.Map;
+import org.hibernate.type.descriptor.ValueBinder;
+import org.hibernate.type.descriptor.ValueExtractor;
+import org.hibernate.type.descriptor.WrapperOptions;
+import org.hibernate.type.descriptor.java.AbstractTypeDescriptor;
+import org.hibernate.type.descriptor.java.JavaTypeDescriptor;
+import org.hibernate.type.descriptor.spi.JdbcRecommendedSqlTypeMappingContext;
+import org.hibernate.type.descriptor.sql.BasicBinder;
+import org.hibernate.type.descriptor.sql.BasicExtractor;
+import org.hibernate.type.descriptor.sql.SqlTypeDescriptor;
+
+/**
+ * The {@link JavaTypeDescriptor} and {@link SqlTypeDescriptor} for {@link StringMap}.
+ *
+ * <p>A {@link StringMap} object is a simple wrapper for a {@link Map <String, String>} which can be
+ * stored in a column with data type of hstore in the database. The {@link JavaTypeDescriptor} and
+ * {@link SqlTypeDescriptor} is used by JPA/Hibernate to map between the map and hstore which is the
+ * actual type that JDBC uses to read from and write to the database.
+ *
+ * @see <a
+ *     href="https://docs.jboss.org/hibernate/orm/current/userguide/html_single/Hibernate_User_Guide.html#basic-jpa-convert">JPA
+ *     2.1 AttributeConverters</a>
+ * @see <a href="https://www.postgresql.org/docs/current/hstore.html">hstore</a>
+ */
+public class StringMapDescriptor extends AbstractTypeDescriptor<StringMap>
+    implements SqlTypeDescriptor {
+  public static final int COLUMN_TYPE = Types.OTHER;
+  public static final String COLUMN_NAME = "hstore";
+  private static final StringMapDescriptor INSTANCE = new StringMapDescriptor();
+
+  protected StringMapDescriptor() {
+    super(StringMap.class);
+  }
+
+  public static StringMapDescriptor getInstance() {
+    return INSTANCE;
+  }
+
+  @Override
+  public StringMap fromString(String string) {
+    throw new UnsupportedOperationException(
+        "Constructing StringMapDescriptor from string is not allowed");
+  }
+
+  @Override
+  public <X> X unwrap(StringMap value, Class<X> type, WrapperOptions options) {
+    if (value == null) {
+      return null;
+    }
+    if (Map.class.isAssignableFrom(type)) {
+      return (X) value.getMap();
+    }
+    throw unknownUnwrap(type);
+  }
+
+  @Override
+  public <X> StringMap wrap(X value, WrapperOptions options) {
+    if (value == null) {
+      return null;
+    }
+    if (value instanceof Map) {
+      return StringMap.create((Map<String, String>) value);
+    }
+    throw unknownWrap(value.getClass());
+  }
+
+  @Override
+  public SqlTypeDescriptor getJdbcRecommendedSqlType(JdbcRecommendedSqlTypeMappingContext context) {
+    return this;
+  }
+
+  @Override
+  public int getSqlType() {
+    return COLUMN_TYPE;
+  }
+
+  @Override
+  public boolean canBeRemapped() {
+    return false;
+  }
+
+  @Override
+  public <X> ValueBinder<X> getBinder(JavaTypeDescriptor<X> javaTypeDescriptor) {
+    return new BasicBinder<X>(javaTypeDescriptor, this) {
+      @Override
+      protected void doBind(PreparedStatement st, X value, int index, WrapperOptions options)
+          throws SQLException {
+        st.setObject(index, getStringMap(value));
+      }
+
+      @Override
+      protected void doBind(CallableStatement st, X value, String name, WrapperOptions options)
+          throws SQLException {
+        st.setObject(name, getStringMap(value));
+      }
+
+      private Map<String, String> getStringMap(X value) {
+        if (value == null) {
+          return null;
+        }
+        if (value instanceof StringMap) {
+          return ((StringMap) value).getMap();
+        } else {
+          throw new UnsupportedOperationException(
+              String.format(
+                  "Binding type %s is not supported by StringMapDescriptor",
+                  value.getClass().getName()));
+        }
+      }
+    };
+  }
+
+  @Override
+  public <X> ValueExtractor<X> getExtractor(JavaTypeDescriptor<X> javaTypeDescriptor) {
+    return new BasicExtractor<X>(javaTypeDescriptor, this) {
+      @Override
+      protected X doExtract(ResultSet rs, String name, WrapperOptions options) throws SQLException {
+        return javaTypeDescriptor.wrap(rs.getObject(name), options);
+      }
+
+      @Override
+      protected X doExtract(CallableStatement statement, int index, WrapperOptions options)
+          throws SQLException {
+        return javaTypeDescriptor.wrap(statement.getObject(index), options);
+      }
+
+      @Override
+      protected X doExtract(CallableStatement statement, String name, WrapperOptions options)
+          throws SQLException {
+        return javaTypeDescriptor.wrap(statement.getObject(name), options);
+      }
+    };
+  }
+
+  /** A simple wrapper class for {@link Map<String, String>}. */
+  public static class StringMap {
+    private Map<String, String> map;
+
+    private StringMap(Map<String, String> map) {
+      this.map = map;
+    }
+
+    /** Constructs an instance of {@link StringMap} from the given map. */
+    public static StringMap create(Map<String, String> map) {
+      return new StringMap(ImmutableMap.copyOf(map));
+    }
+
+    /** Returns the underlying {@link Map<String, String>} object. */
+    public Map<String, String> getMap() {
+      return map;
+    }
+  }
+}
--- a/core/src/main/java/google/registry/persistence/transaction/CloudSqlCredentialSupplier.java
+++ b/core/src/main/java/google/registry/persistence/transaction/CloudSqlCredentialSupplier.java
@@ -0,0 +1,35 @@
+// Copyright 2020 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.persistence.transaction;
+
+import com.google.api.client.auth.oauth2.Credential;
+import com.google.cloud.sql.CredentialFactory;
+
+/** Supplier class to provide {@link Credential} for Cloud SQL library. */
+public class CloudSqlCredentialSupplier implements CredentialFactory {
+  private static Credential credential;
+
+  /** Initialize the supplier with given credential json and scopes. */
+  public static void setupCredentialSupplier(Credential credential) {
+    System.setProperty(
+        CredentialFactory.CREDENTIAL_FACTORY_PROPERTY, CloudSqlCredentialSupplier.class.getName());
+    CloudSqlCredentialSupplier.credential = credential;
+  }
+
+  @Override
+  public Credential create() {
+    return credential;
+  }
+}
--- a/core/src/main/java/google/registry/persistence/transaction/JpaTransactionManagerImpl.java
+++ b/core/src/main/java/google/registry/persistence/transaction/JpaTransactionManagerImpl.java
@@ -15,6 +15,7 @@
 package google.registry.persistence.transaction;

 import static com.google.common.base.Preconditions.checkArgument;
+import static com.google.common.collect.ImmutableList.toImmutableList;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
 import static java.util.stream.Collectors.joining;
@@ -26,8 +27,10 @@ import com.google.common.flogger.FluentLogger;
 import google.registry.persistence.VKey;
 import google.registry.util.Clock;
 import java.lang.reflect.Field;
+import java.util.NoSuchElementException;
 import java.util.Optional;
 import java.util.function.Supplier;
+import java.util.stream.StreamSupport;
 import javax.persistence.EntityManager;
 import javax.persistence.EntityManagerFactory;
 import javax.persistence.EntityTransaction;
@@ -235,6 +238,23 @@ public class JpaTransactionManagerImpl implements JpaTransactionManager {
    return Optional.ofNullable(getEntityManager().find(key.getKind(), key.getSqlKey()));
  }

+  @Override
+  public <T> ImmutableList<T> load(Iterable<VKey<T>> keys) {
+    checkArgumentNotNull(keys, "keys must be specified");
+    assertInTransaction();
+    return StreamSupport.stream(keys.spliterator(), false)
+        .map(
+            key -> {
+              T entity = getEntityManager().find(key.getKind(), key.getSqlKey());
+              if (entity == null) {
+                throw new NoSuchElementException(
+                    key.getKind().getName() + " with key " + key.getSqlKey() + " not found.");
+              }
+              return entity;
+            })
+        .collect(toImmutableList());
+  }
+
  @Override
  public <T> ImmutableList<T> loadAll(Class<T> clazz) {
    checkArgumentNotNull(clazz, "clazz must be specified");
--- a/core/src/main/java/google/registry/persistence/transaction/TransactionManager.java
+++ b/core/src/main/java/google/registry/persistence/transaction/TransactionManager.java
@@ -110,6 +110,13 @@ public interface TransactionManager {
  /** Loads the entity by its id, returns empty if the entity doesn't exist. */
  <T> Optional<T> load(VKey<T> key);

+  /**
+   * Leads the set of entities by their key id.
+   *
+   * @throws NoSuchElementException if any of the keys are not found.
+   */
+  <T> ImmutableList<T> load(Iterable<VKey<T>> keys);
+
  /** Loads all entities of the given type, returns empty if there is no such entity. */
  <T> ImmutableList<T> loadAll(Class<T> clazz);

--- a/core/src/main/java/google/registry/persistence/transaction/TransactionManagerFactory.java
+++ b/core/src/main/java/google/registry/persistence/transaction/TransactionManagerFactory.java
@@ -16,11 +16,9 @@ package google.registry.persistence.transaction;

 import com.google.appengine.api.utils.SystemProperty;
 import com.google.appengine.api.utils.SystemProperty.Environment.Value;
-import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Suppliers;
 import google.registry.model.ofy.DatastoreTransactionManager;
 import google.registry.persistence.DaggerPersistenceComponent;
-import google.registry.tools.RegistryToolEnvironment;
 import google.registry.util.NonFinalForTesting;
 import java.util.function.Supplier;

@@ -38,11 +36,10 @@ public class TransactionManagerFactory {
  private TransactionManagerFactory() {}

  private static JpaTransactionManager createJpaTransactionManager() {
+    // If we are running a nomulus command, jpaTm will be injected in RegistryCli.java
+    // by calling setJpaTm().
    if (isInAppEngine()) {
      return DaggerPersistenceComponent.create().appEngineJpaTransactionManager();
-    } else if (RegistryToolEnvironment.isInRegistryTool()
-        && RegistryToolEnvironment.isJpaTmEnabled()) {
-      return DaggerPersistenceComponent.create().nomulusToolJpaTransactionManager();
    } else {
      return DummyJpaTransactionManager.create();
    }
@@ -78,8 +75,8 @@ public class TransactionManagerFactory {
    return jpaTm.get();
  }

-  @VisibleForTesting
-  static void setJpaTmForTesting(JpaTransactionManager newJpaTm) {
+  /** Sets the return of {@link #jpaTm()} to the given instance of {@link JpaTransactionManager}. */
+  public static void setJpaTm(JpaTransactionManager newJpaTm) {
    jpaTm = Suppliers.ofInstance(newJpaTm);
  }
 }
--- a/core/src/main/java/google/registry/rdap/RdapJsonFormatter.java
+++ b/core/src/main/java/google/registry/rdap/RdapJsonFormatter.java
@@ -21,6 +21,7 @@ import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static com.google.common.collect.ImmutableSetMultimap.toImmutableSetMultimap;
 import static google.registry.model.EppResourceUtils.isLinked;
 import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.rdap.RdapIcannStandardInformation.CONTACT_REDACTED_VALUE;
 import static google.registry.util.CollectionUtils.union;

@@ -341,8 +342,8 @@ public class RdapJsonFormatter {

    // Kick off the database loads of the nameservers that we will need, so it can load
    // asynchronously while we load and process the contacts.
-    Map<Key<HostResource>, HostResource> loadedHosts =
-        ofy().load().keys(domainBase.getNameservers());
+    ImmutableSet<HostResource> loadedHosts =
+        ImmutableSet.copyOf(tm().load(domainBase.getNameservers()));
    // Load the registrant and other contacts and add them to the data.
    Map<Key<ContactResource>, ContactResource> loadedContacts =
        ofy().load().keys(domainBase.getReferencedContacts());
@@ -378,8 +379,7 @@ public class RdapJsonFormatter {
    }
    // Add the nameservers to the data; the load was kicked off above for efficiency.
    // RDAP Response Profile 2.9: we MUST have the nameservers
-    for (HostResource hostResource :
-        HOST_RESOURCE_ORDERING.immutableSortedCopy(loadedHosts.values())) {
+    for (HostResource hostResource : HOST_RESOURCE_ORDERING.immutableSortedCopy(loadedHosts)) {
      builder.nameserversBuilder().add(createRdapNameserver(hostResource, OutputDataType.INTERNAL));
    }

--- a/core/src/main/java/google/registry/reporting/spec11/PublishSpec11ReportAction.java
+++ b/core/src/main/java/google/registry/reporting/spec11/PublishSpec11ReportAction.java
@@ -193,8 +193,7 @@ public class PublishSpec11ReportAction implements Runnable {
    // Group by email address then flat-map all of the ThreatMatch objects together
    return ImmutableMap.copyOf(
        Maps.transformValues(
-            Multimaps.index(registrarThreatMatches, RegistrarThreatMatches::clientId)
-                .asMap(),
+            Multimaps.index(registrarThreatMatches, RegistrarThreatMatches::clientId).asMap(),
            registrarThreatMatchesCollection ->
                registrarThreatMatchesCollection.stream()
                    .flatMap(matches -> matches.threatMatches().stream())
--- a/core/src/main/java/google/registry/request/RequestParameters.java
+++ b/core/src/main/java/google/registry/request/RequestParameters.java
@@ -44,11 +44,11 @@ public final class RequestParameters {
   * method to yield the following results:
   *
   * <ul>
-   * <li>/foo?bar=hello → hello
-   * <li>/foo?bar=hello&bar=there → hello
-   * <li>/foo?bar= → 400 error (empty)
-   * <li>/foo?bar=&bar=there → 400 error (empty)
-   * <li>/foo → 400 error (absent)
+   *   <li>/foo?bar=hello → hello
+   *   <li>/foo?bar=hello&bar=there → hello
+   *   <li>/foo?bar= → 400 error (empty)
+   *   <li>/foo?bar=&bar=there → 400 error (empty)
+   *   <li>/foo → 400 error (absent)
   * </ul>
   *
   * @throws BadRequestException if request parameter is absent or empty
@@ -88,10 +88,27 @@ public final class RequestParameters {
   * @throws BadRequestException if request parameter is absent, empty, or not a valid integer
   */
  public static int extractIntParameter(HttpServletRequest req, String name) {
+    String stringParam = req.getParameter(name);
    try {
-      return Integer.parseInt(nullToEmpty(req.getParameter(name)));
+      return Integer.parseInt(nullToEmpty(stringParam));
    } catch (NumberFormatException e) {
-      throw new BadRequestException("Expected integer: " + name);
+      throw new BadRequestException(
+          String.format("Expected int for parameter %s but received %s", name, stringParam));
+    }
+  }
+
+  /**
+   * Returns first GET or POST parameter associated with {@code name} as a long.
+   *
+   * @throws BadRequestException if request parameter is absent, empty, or not a valid long
+   */
+  public static long extractLongParameter(HttpServletRequest req, String name) {
+    String stringParam = req.getParameter(name);
+    try {
+      return Long.parseLong(nullToEmpty(stringParam));
+    } catch (NumberFormatException e) {
+      throw new BadRequestException(
+          String.format("Expected long for parameter %s but received %s", name, stringParam));
    }
  }

@@ -126,9 +143,7 @@ public final class RequestParameters {
    if (parameter == null || parameter.isEmpty()) {
      return ImmutableSet.of();
    }
-    return Splitter.on(',')
-        .splitToList(parameter)
-        .stream()
+    return Splitter.on(',').splitToList(parameter).stream()
        .filter(s -> !s.isEmpty())
        .collect(toImmutableSet());
  }
@@ -160,8 +175,8 @@ public final class RequestParameters {
   * @throws BadRequestException if request parameter named {@code name} is absent, empty, or not
   *     equal to any of the values in {@code enumClass}
   */
-  public static <C extends Enum<C>>
-      C extractEnumParameter(HttpServletRequest req, Class<C> enumClass, String name) {
+  public static <C extends Enum<C>> C extractEnumParameter(
+      HttpServletRequest req, Class<C> enumClass, String name) {
    return getEnumValue(enumClass, extractRequiredParameter(req, name), name);
  }

@@ -216,9 +231,9 @@ public final class RequestParameters {
  }

  /**
-   * Returns first request parameter associated with {@code name} parsed as an
-   * <a href="https://goo.gl/pk5Q2k">ISO 8601</a> timestamp, e.g. {@code 1984-12-18TZ},
-   * {@code 2000-01-01T16:20:00Z}.
+   * Returns first request parameter associated with {@code name} parsed as an <a
+   * href="https://goo.gl/pk5Q2k">ISO 8601</a> timestamp, e.g. {@code 1984-12-18TZ}, {@code
+   * 2000-01-01T16:20:00Z}.
   *
   * @throws BadRequestException if request parameter named {@code name} is absent, empty, or could
   *     not be parsed as an ISO 8601 timestamp
@@ -233,9 +248,9 @@ public final class RequestParameters {
  }

  /**
-   * Returns first request parameter associated with {@code name} parsed as an
-   * <a href="https://goo.gl/pk5Q2k">ISO 8601</a> timestamp, e.g. {@code 1984-12-18TZ},
-   * {@code 2000-01-01T16:20:00Z}.
+   * Returns first request parameter associated with {@code name} parsed as an <a
+   * href="https://goo.gl/pk5Q2k">ISO 8601</a> timestamp, e.g. {@code 1984-12-18TZ}, {@code
+   * 2000-01-01T16:20:00Z}.
   *
   * @throws BadRequestException if request parameter is present but not a valid {@link DateTime}.
   */
@@ -262,8 +277,7 @@ public final class RequestParameters {
  public static ImmutableSet<DateTime> extractSetOfDatetimeParameters(
      HttpServletRequest req, String name) {
    try {
-      return extractSetOfParameters(req, name)
-          .stream()
+      return extractSetOfParameters(req, name).stream()
          .filter(not(String::isEmpty))
          .map(DateTime::parse)
          .collect(toImmutableSet());
--- a/core/src/main/java/google/registry/schema/domain/RegistryLock.java
+++ b/core/src/main/java/google/registry/schema/domain/RegistryLock.java
@@ -26,14 +26,19 @@ import google.registry.model.UpdateAutoTimestamp;
 import google.registry.util.DateTimeUtils;
 import java.time.ZonedDateTime;
 import java.util.Optional;
+import javax.annotation.Nullable;
 import javax.persistence.Column;
 import javax.persistence.Entity;
+import javax.persistence.FetchType;
 import javax.persistence.GeneratedValue;
 import javax.persistence.GenerationType;
 import javax.persistence.Id;
 import javax.persistence.Index;
+import javax.persistence.JoinColumn;
+import javax.persistence.OneToOne;
 import javax.persistence.Table;
 import org.joda.time.DateTime;
+import org.joda.time.Duration;

 /**
 * Represents a registry lock/unlock object, meaning that the domain is locked on the registry
@@ -123,6 +128,14 @@ public final class RegistryLock extends ImmutableObject implements Buildable {
  @Column(nullable = false)
  private boolean isSuperuser;

+  /** The lock that undoes this lock, if this lock has been unlocked and the domain locked again. */
+  @OneToOne(fetch = FetchType.LAZY)
+  @JoinColumn(name = "relockRevisionId", referencedColumnName = "revisionId")
+  private RegistryLock relock;
+
+  /** The duration after which we will re-lock this domain after it is unlocked. */
+  private Duration relockDuration;
+
  /** Time that this entity was last updated. */
  private UpdateAutoTimestamp lastUpdateTimestamp;

@@ -179,6 +192,21 @@ public final class RegistryLock extends ImmutableObject implements Buildable {
    return revisionId;
  }

+  /**
+   * The lock that undoes this lock, if this lock has been unlocked and the domain locked again.
+   *
+   * <p>Note: this is lazily loaded, so it may not be initialized if referenced outside of the
+   * transaction in which this lock is loaded.
+   */
+  public RegistryLock getRelock() {
+    return relock;
+  }
+
+  /** The duration after which we will re-lock this domain after it is unlocked. */
+  public Optional<Duration> getRelockDuration() {
+    return Optional.ofNullable(relockDuration);
+  }
+
  public boolean isLocked() {
    return lockCompletionTimestamp != null && unlockCompletionTimestamp == null;
  }
@@ -266,5 +294,15 @@ public final class RegistryLock extends ImmutableObject implements Buildable {
      getInstance().isSuperuser = isSuperuser;
      return this;
    }
+
+    public Builder setRelock(RegistryLock relock) {
+      getInstance().relock = relock;
+      return this;
+    }
+
+    public Builder setRelockDuration(@Nullable Duration relockDuration) {
+      getInstance().relockDuration = relockDuration;
+      return this;
+    }
  }
 }
--- a/core/src/main/java/google/registry/schema/server/LockDao.java
+++ b/core/src/main/java/google/registry/schema/server/LockDao.java
@@ -18,18 +18,22 @@ import static google.registry.persistence.transaction.TransactionManagerFactory.
 import static google.registry.schema.server.Lock.GLOBAL;
 import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;

+import com.google.common.flogger.FluentLogger;
 import google.registry.schema.server.Lock.LockId;
+import google.registry.util.DateTimeUtils;
 import java.util.Optional;

 /** Data access object class for {@link Lock}. */
 public class LockDao {

+  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
+
  /** Saves the {@link Lock} object to Cloud SQL. */
-  public static void saveNew(Lock lock) {
+  public static void save(Lock lock) {
    jpaTm()
        .transact(
            () -> {
-              jpaTm().getEntityManager().persist(lock);
+              jpaTm().getEntityManager().merge(lock);
            });
  }

@@ -51,26 +55,82 @@ public class LockDao {
   * else empty.
   */
  public static Optional<Lock> load(String resourceName) {
-    checkArgumentNotNull(resourceName, "The resource name of the lock to load cannot be null");
-    return Optional.ofNullable(
-        jpaTm()
-            .transact(
-                () ->
-                    jpaTm().getEntityManager().find(Lock.class, new LockId(resourceName, GLOBAL))));
+    return load(resourceName, GLOBAL);
  }

  /**
-   * Deletes the given {@link Lock} object from Cloud SQL. This method is idempotent and will simply
-   * return if the lock has already been deleted.
+   * Deletes the {@link Lock} object with the given resourceName and tld from Cloud SQL. This method
+   * is idempotent and will simply return if the lock has already been deleted.
   */
-  public static void delete(Lock lock) {
+  public static void delete(String resourceName, String tld) {
    jpaTm()
        .transact(
            () -> {
-              Optional<Lock> loadedLock = load(lock.resourceName, lock.tld);
+              Optional<Lock> loadedLock = load(resourceName, tld);
              if (loadedLock.isPresent()) {
                jpaTm().getEntityManager().remove(loadedLock.get());
              }
            });
  }
+
+  /**
+   * Deletes the global {@link Lock} object with the given resourceName from Cloud SQL. This method
+   * is idempotent and will simply return if the lock has already been deleted.
+   */
+  public static void delete(String resourceName) {
+    delete(resourceName, GLOBAL);
+  }
+
+  /**
+   * Compares a {@link google.registry.model.server.Lock} object with a {@link Lock} object, logging
+   * a warning if there are any differences.
+   */
+  public static void compare(
+      Optional<google.registry.model.server.Lock> datastoreLockOptional,
+      Optional<Lock> cloudSqlLockOptional) {
+    if (!datastoreLockOptional.isPresent()) {
+      cloudSqlLockOptional.ifPresent(
+          value ->
+              logger.atWarning().log(
+                  String.format(
+                      "Cloud SQL lock for %s with tld %s should be null",
+                      value.resourceName, value.tld)));
+      return;
+    }
+    google.registry.schema.server.Lock cloudSqlLock;
+    google.registry.model.server.Lock datastoreLock = datastoreLockOptional.get();
+    if (cloudSqlLockOptional.isPresent()) {
+      cloudSqlLock = cloudSqlLockOptional.get();
+      if (!datastoreLock.getRequestLogId().equals(cloudSqlLock.requestLogId)) {
+        logger.atWarning().log(
+            String.format(
+                "Datastore lock requestLogId of %s does not equal Cloud SQL lock requestLogId of"
+                    + " %s",
+                datastoreLock.getRequestLogId(), cloudSqlLock.requestLogId));
+      }
+      if (!datastoreLock
+          .getAcquiredTime()
+          .equals(DateTimeUtils.toJodaDateTime(cloudSqlLock.acquiredTime))) {
+        logger.atWarning().log(
+            String.format(
+                "Datastore lock acquiredTime of %s does not equal Cloud SQL lock acquiredTime of"
+                    + " %s",
+                datastoreLock.getAcquiredTime(),
+                DateTimeUtils.toJodaDateTime(cloudSqlLock.acquiredTime)));
+      }
+      if (!datastoreLock
+          .getExpirationTime()
+          .equals(DateTimeUtils.toJodaDateTime(cloudSqlLock.expirationTime))) {
+        logger.atWarning().log(
+            String.format(
+                "Datastore lock expirationTime of %s does not equal Cloud SQL lock expirationTime"
+                    + " of %s",
+                datastoreLock.getExpirationTime(),
+                DateTimeUtils.toJodaDateTime(cloudSqlLock.expirationTime)));
+      }
+    } else {
+      logger.atWarning().log(
+          String.format("Datastore lock: %s was not found in Cloud SQL", datastoreLock));
+    }
+  }
 }
--- a/core/src/main/java/google/registry/schema/tld/PremiumEntry.java
+++ b/core/src/main/java/google/registry/schema/tld/PremiumEntry.java
@@ -14,6 +14,7 @@

 package google.registry.schema.tld;

+import google.registry.model.ImmutableObject;
 import java.io.Serializable;
 import java.math.BigDecimal;
 import javax.persistence.Column;
@@ -26,7 +27,7 @@ import javax.persistence.Id;
 * <p>These are not persisted directly, but rather, using {@link PremiumList#getLabelsToPrices()}.
 */
@Entity
-public class PremiumEntry implements Serializable {
+public class PremiumEntry extends ImmutableObject implements Serializable {

  @Id
  @Column(nullable = false)
--- a/core/src/main/java/google/registry/tools/AuthModule.java
+++ b/core/src/main/java/google/registry/tools/AuthModule.java
@@ -20,6 +20,7 @@ import com.google.api.client.auth.oauth2.Credential;
 import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeFlow;
 import com.google.api.client.googleapis.auth.oauth2.GoogleClientSecrets;
 import com.google.api.client.googleapis.auth.oauth2.GoogleClientSecrets.Details;
+import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.client.http.javanet.NetHttpTransport;
 import com.google.api.client.json.JsonFactory;
 import com.google.api.client.util.store.AbstractDataStoreFactory;
@@ -42,6 +43,7 @@ import google.registry.util.GoogleCredentialsBundle;
 import java.io.ByteArrayInputStream;
 import java.io.File;
 import java.io.IOException;
+import java.io.UncheckedIOException;
 import java.lang.annotation.Documented;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
@@ -92,6 +94,26 @@ public class AuthModule {
    }
  }

+  // TODO(b/138195359): Deprecate this credential once Cloud SQL socket library uses the new auth
+  // library.
+  @Provides
+  @CloudSqlClientCredential
+  public static Credential providesLocalCredentialForCloudSqlClient(
+      @LocalCredentialJson String credentialJson,
+      @Config("localCredentialOauthScopes") ImmutableList<String> credentialScopes) {
+    try {
+      GoogleCredential credential =
+          GoogleCredential.fromStream(new ByteArrayInputStream(credentialJson.getBytes(UTF_8)));
+      if (credential.createScopedRequired()) {
+        credential = credential.createScoped(credentialScopes);
+      }
+      return credential;
+    } catch (IOException e) {
+      throw new UncheckedIOException(
+          "Error occurred while creating a GoogleCredential for Cloud SQL client", e);
+    }
+  }
+
  @Provides
  public static GoogleAuthorizationCodeFlow provideAuthorizationCodeFlow(
      JsonFactory jsonFactory,
@@ -184,6 +206,11 @@ public class AuthModule {
  @Retention(RetentionPolicy.RUNTIME)
  private @interface StoredCredential {}

+  /** Dagger qualifier for {@link Credential} used by the Cloud SQL client in the nomulus tool. */
+  @Qualifier
+  @Documented
+  public @interface CloudSqlClientCredential {}
+
  /** Dagger qualifier for the credential qualifier consisting of client and scopes. */
  @Qualifier
  @Documented
--- a/core/src/main/java/google/registry/tools/DomainLockUtils.java
+++ b/core/src/main/java/google/registry/tools/DomainLockUtils.java
@@ -24,6 +24,7 @@ import static google.registry.tools.LockOrUnlockDomainCommand.REGISTRY_LOCK_STAT
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Sets;
 import com.googlecode.objectify.Key;
+import google.registry.batch.AsyncTaskEnqueuer;
 import google.registry.model.billing.BillingEvent;
 import google.registry.model.billing.BillingEvent.Reason;
 import google.registry.model.domain.DomainBase;
@@ -37,6 +38,7 @@ import javax.annotation.Nullable;
 import javax.inject.Inject;
 import javax.inject.Named;
 import org.joda.time.DateTime;
+import org.joda.time.Duration;

 /**
 * Utility functions for validating and applying {@link RegistryLock}s.
@@ -50,10 +52,14 @@ public final class DomainLockUtils {
  private static final int VERIFICATION_CODE_LENGTH = 32;

  private final StringGenerator stringGenerator;
+  private final AsyncTaskEnqueuer asyncTaskEnqueuer;

  @Inject
-  public DomainLockUtils(@Named("base58StringGenerator") StringGenerator stringGenerator) {
+  public DomainLockUtils(
+      @Named("base58StringGenerator") StringGenerator stringGenerator,
+      AsyncTaskEnqueuer asyncTaskEnqueuer) {
    this.stringGenerator = stringGenerator;
+    this.asyncTaskEnqueuer = asyncTaskEnqueuer;
  }

  /**
@@ -76,12 +82,12 @@ public final class DomainLockUtils {
   * <p>The unlock will not be applied until {@link #verifyAndApplyUnlock} is called.
   */
  public RegistryLock saveNewRegistryUnlockRequest(
-      String domainName, String registrarId, boolean isAdmin) {
+      String domainName, String registrarId, boolean isAdmin, Optional<Duration> relockDuration) {
    return jpaTm()
        .transact(
            () ->
                RegistryLockDao.save(
-                    createUnlockBuilder(domainName, registrarId, isAdmin).build()));
+                    createUnlockBuilder(domainName, registrarId, isAdmin, relockDuration).build()));
  }

  /** Verifies and applies the lock request previously requested by a user. */
@@ -106,6 +112,7 @@ public final class DomainLockUtils {

              RegistryLock newLock =
                  RegistryLockDao.save(lock.asBuilder().setLockCompletionTimestamp(now).build());
+              setAsRelock(newLock);
              tm().transact(() -> applyLockStatuses(newLock, now));
              return newLock;
            });
@@ -113,35 +120,41 @@ public final class DomainLockUtils {

  /** Verifies and applies the unlock request previously requested by a user. */
  public RegistryLock verifyAndApplyUnlock(String verificationCode, boolean isAdmin) {
-    return jpaTm()
-        .transact(
-            () -> {
-              DateTime now = jpaTm().getTransactionTime();
-              RegistryLock lock = getByVerificationCode(verificationCode);
-              checkArgument(
-                  !lock.getUnlockCompletionTimestamp().isPresent(),
-                  "Domain %s is already unlocked",
-                  lock.getDomainName());
+    RegistryLock lock =
+        jpaTm()
+            .transact(
+                () -> {
+                  DateTime now = jpaTm().getTransactionTime();
+                  RegistryLock previousLock = getByVerificationCode(verificationCode);
+                  checkArgument(
+                      !previousLock.getUnlockCompletionTimestamp().isPresent(),
+                      "Domain %s is already unlocked",
+                      previousLock.getDomainName());

-              checkArgument(
-                  !lock.isUnlockRequestExpired(now),
-                  "The pending unlock has expired; please try again");
+                  checkArgument(
+                      !previousLock.isUnlockRequestExpired(now),
+                      "The pending unlock has expired; please try again");

-              checkArgument(
-                  isAdmin || !lock.isSuperuser(), "Non-admin user cannot complete admin unlock");
+                  checkArgument(
+                      isAdmin || !previousLock.isSuperuser(),
+                      "Non-admin user cannot complete admin unlock");

-              RegistryLock newLock =
-                  RegistryLockDao.save(lock.asBuilder().setUnlockCompletionTimestamp(now).build());
-              tm().transact(() -> removeLockStatuses(newLock, isAdmin, now));
-              return newLock;
-            });
+                  RegistryLock newLock =
+                      RegistryLockDao.save(
+                          previousLock.asBuilder().setUnlockCompletionTimestamp(now).build());
+                  tm().transact(() -> removeLockStatuses(newLock, isAdmin, now));
+                  return newLock;
+                });
+    // Submit relock outside of the transaction to make sure that it fully succeeded
+    submitRelockIfNecessary(lock);
+    return lock;
  }

  /**
-   * Creates and applies a lock in one step -- this should only be used for admin actions, e.g.
-   * Nomulus tool commands or relocks.
+   * Creates and applies a lock in one step.
   *
-   * <p>Note: in the case of relocks, isAdmin is determined by the previous lock.
+   * <p>This should only be used for admin actions, e.g. Nomulus tool commands or relocks.
+   * Note: in the case of relocks, isAdmin is determined by the previous lock.
   */
  public RegistryLock administrativelyApplyLock(
      String domainName, String registrarId, @Nullable String registrarPocId, boolean isAdmin) {
@@ -149,34 +162,56 @@ public final class DomainLockUtils {
        .transact(
            () -> {
              DateTime now = jpaTm().getTransactionTime();
-              RegistryLock result =
+              RegistryLock newLock =
                  RegistryLockDao.save(
                      createLockBuilder(domainName, registrarId, registrarPocId, isAdmin)
                          .setLockCompletionTimestamp(now)
                          .build());
-              tm().transact(() -> applyLockStatuses(result, now));
-              return result;
+              tm().transact(() -> applyLockStatuses(newLock, now));
+              setAsRelock(newLock);
+              return newLock;
            });
  }

  /**
-   * Creates and applies an unlock in one step -- this should only be used for admin actions, e.g.
-   * Nomulus tool commands.
+   * Creates and applies an unlock in one step.
+   * 
+   * <p>This should only be used for admin actions, e.g. Nomulus tool commands.
   */
  public RegistryLock administrativelyApplyUnlock(
-      String domainName, String registrarId, boolean isAdmin) {
-    return jpaTm()
+      String domainName, String registrarId, boolean isAdmin, Optional<Duration> relockDuration) {
+    RegistryLock lock =
+        jpaTm()
+            .transact(
+                () -> {
+                  DateTime now = jpaTm().getTransactionTime();
+                  RegistryLock result =
+                      RegistryLockDao.save(
+                          createUnlockBuilder(domainName, registrarId, isAdmin, relockDuration)
+                              .setUnlockCompletionTimestamp(now)
+                              .build());
+                  tm().transact(() -> removeLockStatuses(result, isAdmin, now));
+                  return result;
+                });
+    // Submit relock outside of the transaction to make sure that it fully succeeded
+    submitRelockIfNecessary(lock);
+    return lock;
+  }
+
+  private void submitRelockIfNecessary(RegistryLock lock) {
+    if (lock.getRelockDuration().isPresent()) {
+      asyncTaskEnqueuer.enqueueDomainRelock(lock);
+    }
+  }
+
+  private void setAsRelock(RegistryLock newLock) {
+    jpaTm()
        .transact(
-            () -> {
-              DateTime now = jpaTm().getTransactionTime();
-              RegistryLock result =
-                  RegistryLockDao.save(
-                      createUnlockBuilder(domainName, registrarId, isAdmin)
-                          .setUnlockCompletionTimestamp(now)
-                          .build());
-              tm().transact(() -> removeLockStatuses(result, isAdmin, now));
-              return result;
-            });
+            () ->
+                RegistryLockDao.getMostRecentVerifiedUnlockByRepoId(newLock.getRepoId())
+                    .ifPresent(
+                        oldLock ->
+                            RegistryLockDao.save(oldLock.asBuilder().setRelock(newLock).build())));
  }

  private RegistryLock.Builder createLockBuilder(
@@ -205,7 +240,7 @@ public final class DomainLockUtils {
  }

  private RegistryLock.Builder createUnlockBuilder(
-      String domainName, String registrarId, boolean isAdmin) {
+      String domainName, String registrarId, boolean isAdmin, Optional<Duration> relockDuration) {
    DateTime now = jpaTm().getTransactionTime();
    DomainBase domainBase = getDomain(domainName, now);
    Optional<RegistryLock> lockOptional =
@@ -246,6 +281,7 @@ public final class DomainLockUtils {
          !lock.isSuperuser(), "Non-admin user cannot unlock admin-locked domain %s", domainName);
      newLockBuilder = lock.asBuilder();
    }
+    relockDuration.ifPresent(newLockBuilder::setRelockDuration);
    return newLockBuilder
        .setVerificationCode(stringGenerator.createString(VERIFICATION_CODE_LENGTH))
        .isSuperuser(isAdmin)
--- a/core/src/main/java/google/registry/tools/GenerateEscrowDepositCommand.java
+++ b/core/src/main/java/google/registry/tools/GenerateEscrowDepositCommand.java
@@ -28,11 +28,13 @@ import com.beust.jcommander.ParameterException;
 import com.beust.jcommander.Parameters;
 import com.google.appengine.api.taskqueue.Queue;
 import com.google.appengine.api.taskqueue.TaskOptions;
+import com.google.common.annotations.VisibleForTesting;
 import google.registry.model.rde.RdeMode;
 import google.registry.rde.RdeStagingAction;
 import google.registry.tools.params.DateTimeParameter;
 import google.registry.util.AppEngineServiceUtils;
 import java.util.List;
+import java.util.Optional;
 import java.util.stream.Collectors;
 import javax.inject.Inject;
 import javax.inject.Named;
@@ -75,7 +77,16 @@ final class GenerateEscrowDepositCommand implements CommandWithRemoteApi {
  private String outdir;

  @Inject AppEngineServiceUtils appEngineServiceUtils;
-  @Inject @Named("rde-report") Queue queue;
+
+  @Inject
+  @Named("rde-report")
+  Queue queue;
+
+  // ETA is a required property for TaskOptions but we let the service to set it when submitting the
+  // task to the task queue. However, the local test service doesn't do that for us during the unit
+  // test, so we add this field here to let the unit test be able to inject the ETA to pass the
+  // test.
+  @VisibleForTesting Optional<Long> maybeEtaMillis = Optional.empty();

  @Override
  public void run() {
@@ -115,6 +126,9 @@ final class GenerateEscrowDepositCommand implements CommandWithRemoteApi {
    if (revision != null) {
      opts = opts.param(PARAM_REVISION, String.valueOf(revision));
    }
+    if (maybeEtaMillis.isPresent()) {
+      opts = opts.etaMillis(maybeEtaMillis.get());
+    }
    queue.add(opts);
  }
 }
--- a/core/src/main/java/google/registry/tools/RegistrarContactCommand.java
+++ b/core/src/main/java/google/registry/tools/RegistrarContactCommand.java
@@ -78,11 +78,15 @@ final class RegistrarContactCommand extends MutatingCommand {
  private List<String> contactTypeNames;

  @Nullable
-  @Parameter(
-      names = "--email",
-      description = "Contact email address.")
+  @Parameter(names = "--email", description = "Contact email address.")
  String email;

+  @Nullable
+  @Parameter(
+      names = "--registry_lock_email",
+      description = "Email address used for registry lock confirmation emails")
+  String registryLockEmail;
+
  @Nullable
  @Parameter(
      names = "--phone",
@@ -247,6 +251,9 @@ final class RegistrarContactCommand extends MutatingCommand {
    builder.setParent(registrar);
    builder.setName(name);
    builder.setEmailAddress(email);
+    if (!isNullOrEmpty(registryLockEmail)) {
+      builder.setRegistryLockEmailAddress(registryLockEmail);
+    }
    if (phone != null) {
      builder.setPhoneNumber(phone.orElse(null));
    }
@@ -277,14 +284,14 @@ final class RegistrarContactCommand extends MutatingCommand {

  private RegistrarContact updateContact(RegistrarContact contact, Registrar registrar) {
    checkNotNull(registrar);
-    checkNotNull(email, "--email is required when --mode=UPDATE");
-    RegistrarContact.Builder builder = contact.asBuilder();
-    builder.setParent(registrar);
+    checkArgument(!isNullOrEmpty(email), "--email is required when --mode=UPDATE");
+    RegistrarContact.Builder builder =
+        contact.asBuilder().setEmailAddress(email).setParent(registrar);
    if (!isNullOrEmpty(name)) {
      builder.setName(name);
    }
-    if (!isNullOrEmpty(email)) {
-      builder.setEmailAddress(email);
+    if (!isNullOrEmpty(registryLockEmail)) {
+      builder.setRegistryLockEmailAddress(registryLockEmail);
    }
    if (phone != null) {
      builder.setPhoneNumber(phone.orElse(null));
--- a/core/src/main/java/google/registry/tools/RegistryCli.java
+++ b/core/src/main/java/google/registry/tools/RegistryCli.java
@@ -31,6 +31,7 @@ import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Iterables;
 import google.registry.config.RegistryConfig;
 import google.registry.model.ofy.ObjectifyService;
+import google.registry.persistence.transaction.TransactionManagerFactory;
 import google.registry.tools.AuthModule.LoginRequiredException;
 import google.registry.tools.params.ParameterFactory;
 import java.io.ByteArrayInputStream;
@@ -237,7 +238,7 @@ final class RegistryCli implements AutoCloseable, CommandRunner {
      // Enable Cloud SQL for command that needs remote API as they will very likely use
      // Cloud SQL after the database migration. Note that the DB password is stored in Datastore
      // and it is already initialized above.
-      RegistryToolEnvironment.enableJpaTm();
+      TransactionManagerFactory.setJpaTm(component.nomulusToolJpaTransactionManager());
    }

    command.run();
--- a/core/src/main/java/google/registry/tools/RegistryToolComponent.java
+++ b/core/src/main/java/google/registry/tools/RegistryToolComponent.java
@@ -16,6 +16,7 @@ package google.registry.tools;

 import dagger.BindsInstance;
 import dagger.Component;
+import google.registry.batch.BatchModule;
 import google.registry.bigquery.BigqueryModule;
 import google.registry.config.CredentialModule.LocalCredentialJson;
 import google.registry.config.RegistryConfig.ConfigModule;
@@ -27,6 +28,9 @@ import google.registry.keyring.KeyringModule;
 import google.registry.keyring.api.DummyKeyringModule;
 import google.registry.keyring.api.KeyModule;
 import google.registry.keyring.kms.KmsModule;
+import google.registry.persistence.PersistenceModule;
+import google.registry.persistence.PersistenceModule.NomulusToolJpaTm;
+import google.registry.persistence.transaction.JpaTransactionManager;
 import google.registry.rde.RdeModule;
 import google.registry.request.Modules.DatastoreServiceModule;
 import google.registry.request.Modules.Jackson2Module;
@@ -51,6 +55,7 @@ import javax.inject.Singleton;
    modules = {
      AppEngineAdminApiModule.class,
      AuthModule.class,
+      BatchModule.class,
      BigqueryModule.class,
      ConfigModule.class,
      CloudDnsWriterModule.class,
@@ -63,6 +68,7 @@ import javax.inject.Singleton;
      KeyringModule.class,
      KmsModule.class,
      LocalCredentialModule.class,
+      PersistenceModule.class,
      RdeModule.class,
      RequestFactoryModule.class,
      URLFetchServiceModule.class,
@@ -70,7 +76,7 @@ import javax.inject.Singleton;
      UserServiceModule.class,
      UtilsModule.class,
      VoidDnsWriterModule.class,
-      WhoisModule.class,
+      WhoisModule.class
    })
 interface RegistryToolComponent {
  void inject(AckPollMessagesCommand command);
@@ -117,6 +123,9 @@ interface RegistryToolComponent {
  @LocalCredentialJson
  String googleCredentialJson();

+  @NomulusToolJpaTm
+  JpaTransactionManager nomulusToolJpaTransactionManager();
+
  @Component.Builder
  interface Builder {
    @BindsInstance
--- a/core/src/main/java/google/registry/tools/RegistryToolEnvironment.java
+++ b/core/src/main/java/google/registry/tools/RegistryToolEnvironment.java
@@ -23,7 +23,6 @@ import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import google.registry.config.RegistryEnvironment;
 import google.registry.config.SystemPropertySetter;
-import google.registry.persistence.transaction.TransactionManagerFactory;

 /** Enum of production environments, used for the {@code --environment} flag. */
 public enum RegistryToolEnvironment {
@@ -40,7 +39,6 @@ public enum RegistryToolEnvironment {

  private static final ImmutableList<String> FLAGS = ImmutableList.of("-e", "--environment");
  private static RegistryToolEnvironment instance;
-  private static boolean isJpaTmEnabled = false;
  private final RegistryEnvironment actualEnvironment;
  private final ImmutableMap<String, String> extraProperties;

@@ -100,26 +98,6 @@ public enum RegistryToolEnvironment {
    }
  }

-  /** Returns true if the RegistryToolEnvironment is set up. */
-  public static boolean isInRegistryTool() {
-    return instance != null;
-  }
-
-  /**
-   * Sets the flag to indicate that the running command needs JpaTransactionManager to be enabled.
-   */
-  public static void enableJpaTm() {
-    isJpaTmEnabled = true;
-  }
-
-  /**
-   * Returns true if the JpaTransactionManager is enabled. Note that JpaTm is actually enabled in
-   * {@link TransactionManagerFactory} by reading this flag.
-   */
-  public static boolean isJpaTmEnabled() {
-    return isJpaTmEnabled;
-  }
-
  /** Extracts value from command-line arguments associated with any {@code flags}. */
  private static String getFlagValue(String[] args, Iterable<String> flags) {
    for (String flag : flags) {
--- a/core/src/main/java/google/registry/tools/UniformRapidSuspensionCommand.java
+++ b/core/src/main/java/google/registry/tools/UniformRapidSuspensionCommand.java
@@ -19,7 +19,7 @@ import static com.google.common.base.Strings.nullToEmpty;
 import static com.google.common.collect.Sets.difference;
 import static google.registry.model.EppResourceUtils.checkResourcesExist;
 import static google.registry.model.EppResourceUtils.loadByForeignKey;
-import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.PreconditionsUtils.checkArgumentPresent;
 import static org.joda.time.DateTimeZone.UTC;

@@ -149,7 +149,7 @@ final class UniformRapidSuspensionCommand extends MutatingEppToolCommand {

  private ImmutableSortedSet<String> getExistingNameservers(DomainBase domain) {
    ImmutableSortedSet.Builder<String> nameservers = ImmutableSortedSet.naturalOrder();
-    for (HostResource host : ofy().load().keys(domain.getNameservers()).values()) {
+    for (HostResource host : tm().load(domain.getNameservers())) {
      nameservers.add(host.getForeignKey());
    }
    return nameservers.build();
--- a/core/src/main/java/google/registry/tools/UnlockDomainCommand.java
+++ b/core/src/main/java/google/registry/tools/UnlockDomainCommand.java
@@ -22,6 +22,7 @@ import com.google.common.collect.Sets;
 import com.google.common.flogger.FluentLogger;
 import google.registry.model.domain.DomainBase;
 import google.registry.model.eppcommon.StatusValue;
+import java.util.Optional;
 import org.joda.time.DateTime;

 /**
@@ -53,6 +54,6 @@ public class UnlockDomainCommand extends LockOrUnlockDomainCommand {

  @Override
  protected void createAndApplyRequest(String domain) {
-    domainLockUtils.administrativelyApplyUnlock(domain, clientId, true);
+    domainLockUtils.administrativelyApplyUnlock(domain, clientId, true, Optional.empty());
  }
 }
--- a/core/src/main/java/google/registry/tools/logging.properties
+++ b/core/src/main/java/google/registry/tools/logging.properties
@@ -2,4 +2,6 @@ handlers = java.util.logging.ConsoleHandler
 .level = INFO
 com.google.wrappers.base.GoogleInit.level = WARNING
 com.google.monitoring.metrics.MetricRegistryImpl.level = WARNING
-
+com.google.cloud.sql.level = WARNING
+com.zaxxer.hikari.level = WARNING
+org.hibernate.level = WARNING
--- a/core/src/main/java/google/registry/tools/server/GenerateZoneFilesAction.java
+++ b/core/src/main/java/google/registry/tools/server/GenerateZoneFilesAction.java
@@ -20,7 +20,7 @@ import static com.google.common.collect.Iterators.filter;
 import static com.google.common.io.BaseEncoding.base16;
 import static google.registry.mapreduce.inputs.EppResourceInputs.createEntityInput;
 import static google.registry.model.EppResourceUtils.loadAtPointInTime;
-import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.POST;
 import static java.nio.charset.StandardCharsets.UTF_8;
 import static org.joda.time.DateTimeZone.UTC;
@@ -214,7 +214,7 @@ public class GenerateZoneFilesAction implements Runnable, JsonActionRunner.JsonA
    private void emitForSubordinateHosts(DomainBase domain) {
      ImmutableSet<String> subordinateHosts = domain.getSubordinateHosts();
      if (!subordinateHosts.isEmpty()) {
-        for (HostResource unprojectedHost : ofy().load().keys(domain.getNameservers()).values()) {
+        for (HostResource unprojectedHost : tm().load(domain.getNameservers())) {
          HostResource host = loadAtPointInTime(unprojectedHost, exportTime).now();
          // A null means the host was deleted (or not created) at this time.
          if ((host != null) && subordinateHosts.contains(host.getFullyQualifiedHostName())) {
@@ -283,7 +283,7 @@ public class GenerateZoneFilesAction implements Runnable, JsonActionRunner.JsonA
      Duration dnsDefaultDsTtl) {
    StringBuilder result = new StringBuilder();
    String domainLabel = stripTld(domain.getFullyQualifiedDomainName(), domain.getTld());
-    for (HostResource nameserver : ofy().load().keys(domain.getNameservers()).values()) {
+    for (HostResource nameserver : tm().load(domain.getNameservers())) {
      result.append(String.format(
          NS_FORMAT,
          domainLabel,
--- a/core/src/main/java/google/registry/ui/server/RegistrarFormFields.java
+++ b/core/src/main/java/google/registry/ui/server/RegistrarFormFields.java
@@ -29,6 +29,7 @@ import com.google.re2j.Pattern;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarAddress;
 import google.registry.model.registrar.RegistrarContact;
+import google.registry.ui.forms.FormException;
 import google.registry.ui.forms.FormField;
 import google.registry.ui.forms.FormFieldException;
 import google.registry.ui.forms.FormFields;
@@ -184,6 +185,11 @@ public final class RegistrarFormFields {
          .required()
          .build();

+  public static final FormField<String, String> REGISTRY_LOCK_EMAIL_ADDRESS_FIELD =
+      FormFields.EMAIL
+          .asBuilderNamed("registryLockEmailAddress")
+          .build();
+
  public static final FormField<Boolean, Boolean> CONTACT_VISIBLE_IN_WHOIS_AS_ADMIN_FIELD =
      FormField.named("visibleInWhoisAsAdmin", Boolean.class)
          .build();
@@ -377,6 +383,8 @@ public final class RegistrarFormFields {
      RegistrarContact.Builder builder, Map<String, ?> args) {
    builder.setName(CONTACT_NAME_FIELD.extractUntyped(args).orElse(null));
    builder.setEmailAddress(CONTACT_EMAIL_ADDRESS_FIELD.extractUntyped(args).orElse(null));
+    builder.setRegistryLockEmailAddress(
+        REGISTRY_LOCK_EMAIL_ADDRESS_FIELD.extractUntyped(args).orElse(null));
    builder.setVisibleInWhoisAsAdmin(
        CONTACT_VISIBLE_IN_WHOIS_AS_ADMIN_FIELD.extractUntyped(args).orElse(false));
    builder.setVisibleInWhoisAsTech(
@@ -398,6 +406,10 @@ public final class RegistrarFormFields {
        .ifPresent(
            password -> {
              if (!Strings.isNullOrEmpty(password)) {
+                if (password.length() < 8) {
+                  throw new FormException(
+                      "Registry lock password must be at least 8 characters long");
+                }
                builder.setRegistryLockPassword(password);
              }
            });
--- a/core/src/main/java/google/registry/ui/server/registrar/RegistryLockGetAction.java
+++ b/core/src/main/java/google/registry/ui/server/registrar/RegistryLockGetAction.java
@@ -41,9 +41,9 @@ import google.registry.request.auth.Auth;
 import google.registry.request.auth.AuthResult;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor.RegistrarAccessDeniedException;
-import google.registry.request.auth.UserAuthInfo;
 import google.registry.schema.domain.RegistryLock;
 import google.registry.security.JsonResponseHelper;
+import java.util.Objects;
 import java.util.Optional;
 import javax.inject.Inject;
 import org.joda.time.DateTime;
@@ -117,41 +117,65 @@ public final class RegistryLockGetAction implements JsonGetAction {
    }
  }

-  private ImmutableMap<String, ?> getLockedDomainsMap(String clientId)
-      throws RegistrarAccessDeniedException {
-    // Note: admins always have access to the locks page
-    checkArgument(authResult.userAuthInfo().isPresent(), "User auth info must be present");
-    UserAuthInfo userAuthInfo = authResult.userAuthInfo().get();
-    boolean isAdmin = registrarAccessor.isAdmin();
-    Registrar registrar = getRegistrarAndVerifyLockAccess(clientId, isAdmin);
-    User user = userAuthInfo.user();
-    boolean isRegistryLockAllowed =
-        isAdmin
-            || registrar.getContacts().stream()
-                .filter(contact -> contact.getEmailAddress().equals(user.getEmail()))
-                .findFirst()
-                .map(RegistrarContact::isRegistryLockAllowed)
-                .orElse(false);
-    return ImmutableMap.of(
-        LOCK_ENABLED_FOR_CONTACT_PARAM,
-        isRegistryLockAllowed,
-        EMAIL_PARAM,
-        user.getEmail(),
-        PARAM_CLIENT_ID,
-        registrar.getClientId(),
-        LOCKS_PARAM,
-        getLockedDomains(clientId, isAdmin));
+  static Optional<RegistrarContact> getContactMatchingLogin(User user, Registrar registrar) {
+    ImmutableList<RegistrarContact> matchingContacts =
+        registrar.getContacts().stream()
+            .filter(contact -> contact.getGaeUserId() != null)
+            .filter(contact -> Objects.equals(contact.getGaeUserId(), user.getUserId()))
+            .collect(toImmutableList());
+    if (matchingContacts.size() > 1) {
+      ImmutableList<String> matchingEmails =
+          matchingContacts.stream()
+              .map(RegistrarContact::getEmailAddress)
+              .collect(toImmutableList());
+      throw new IllegalArgumentException(
+          String.format(
+              "User ID %s had multiple matching contacts with email addresses %s",
+              user.getUserId(), matchingEmails));
+    }
+    return matchingContacts.stream().findFirst();
  }

-  private Registrar getRegistrarAndVerifyLockAccess(String clientId, boolean isAdmin)
+  static Registrar getRegistrarAndVerifyLockAccess(
+      AuthenticatedRegistrarAccessor registrarAccessor, String clientId, boolean isAdmin)
      throws RegistrarAccessDeniedException {
    Registrar registrar = registrarAccessor.getRegistrar(clientId);
    checkArgument(
        isAdmin || registrar.isRegistryLockAllowed(),
-        "Registry lock not allowed for this registrar");
+        "Registry lock not allowed for registrar %s",
+        clientId);
    return registrar;
  }

+  private ImmutableMap<String, ?> getLockedDomainsMap(String clientId)
+      throws RegistrarAccessDeniedException {
+    // Note: admins always have access to the locks page
+    checkArgument(authResult.userAuthInfo().isPresent(), "User auth info must be present");
+
+    boolean isAdmin = registrarAccessor.isAdmin();
+    Registrar registrar = getRegistrarAndVerifyLockAccess(registrarAccessor, clientId, isAdmin);
+    User user = authResult.userAuthInfo().get().user();
+
+    Optional<RegistrarContact> contactOptional = getContactMatchingLogin(user, registrar);
+    boolean isRegistryLockAllowed =
+        isAdmin || contactOptional.map(RegistrarContact::isRegistryLockAllowed).orElse(false);
+    // Use the contact's registry lock email if it's present, else use the login email (for admins)
+    String relevantEmail =
+        isAdmin
+            ? user.getEmail()
+            // if the contact isn't present, we shouldn't display the email anyway so empty is fine
+            : contactOptional.flatMap(RegistrarContact::getRegistryLockEmailAddress).orElse("");
+    return ImmutableMap.of(
+        LOCK_ENABLED_FOR_CONTACT_PARAM,
+        isRegistryLockAllowed,
+        EMAIL_PARAM,
+        relevantEmail,
+        PARAM_CLIENT_ID,
+        registrar.getClientId(),
+        LOCKS_PARAM,
+        getLockedDomains(clientId, isAdmin));
+  }
+
  private ImmutableList<ImmutableMap<String, ?>> getLockedDomains(
      String clientId, boolean isAdmin) {
    return jpaTm()
@@ -159,12 +183,12 @@ public final class RegistryLockGetAction implements JsonGetAction {
            () ->
                RegistryLockDao.getLocksByRegistrarId(clientId).stream()
                    .filter(lock -> !lock.isLockRequestExpired(jpaTm().getTransactionTime()))
-                    .filter(lock -> !lock.isUnlockRequestExpired(jpaTm().getTransactionTime()))
                    .map(lock -> lockToMap(lock, isAdmin))
                    .collect(toImmutableList()));
  }

  private ImmutableMap<String, ?> lockToMap(RegistryLock lock, boolean isAdmin) {
+    DateTime now = jpaTm().getTransactionTime();
    return new ImmutableMap.Builder<String, Object>()
        .put(FULLY_QUALIFIED_DOMAIN_NAME_PARAM, lock.getDomainName())
        .put(
@@ -174,7 +198,8 @@ public final class RegistryLockGetAction implements JsonGetAction {
        .put(
            IS_UNLOCK_PENDING_PARAM,
            lock.getUnlockRequestTimestamp().isPresent()
-                && !lock.getUnlockCompletionTimestamp().isPresent())
+                && !lock.getUnlockCompletionTimestamp().isPresent()
+                && !lock.isUnlockRequestExpired(now))
        .put(USER_CAN_UNLOCK_PARAM, isAdmin || !lock.isSuperuser())
        .build();
  }
--- a/core/src/main/java/google/registry/ui/server/registrar/RegistryLockPostAction.java
+++ b/core/src/main/java/google/registry/ui/server/registrar/RegistryLockPostAction.java
@@ -20,8 +20,11 @@ import static google.registry.persistence.transaction.TransactionManagerFactory.
 import static google.registry.security.JsonResponseHelper.Status.ERROR;
 import static google.registry.security.JsonResponseHelper.Status.SUCCESS;
 import static google.registry.ui.server.registrar.RegistrarConsoleModule.PARAM_CLIENT_ID;
+import static google.registry.ui.server.registrar.RegistryLockGetAction.getContactMatchingLogin;
+import static google.registry.ui.server.registrar.RegistryLockGetAction.getRegistrarAndVerifyLockAccess;
 import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;

+import com.google.appengine.api.users.User;
 import com.google.common.base.Strings;
 import com.google.common.base.Throwables;
 import com.google.common.collect.ImmutableList;
@@ -53,6 +56,7 @@ import javax.inject.Inject;
 import javax.mail.internet.AddressException;
 import javax.mail.internet.InternetAddress;
 import org.apache.http.client.utils.URIBuilder;
+import org.joda.time.Duration;

 /**
 * UI action that allows for creating registry locks. Locks / unlocks must be verified separately
@@ -124,11 +128,7 @@ public class RegistryLockPostAction implements Runnable, JsonActionRunner.JsonAc
              .userAuthInfo()
              .orElseThrow(() -> new ForbiddenException("User is not logged in"));

-      boolean isAdmin = userAuthInfo.isUserAdmin();
-      String userEmail = userAuthInfo.user().getEmail();
-      if (!isAdmin) {
-        verifyRegistryLockPassword(postInput, userEmail);
-      }
+      String userEmail = verifyPasswordAndGetEmail(userAuthInfo, postInput);
      jpaTm()
          .transact(
              () -> {
@@ -138,9 +138,12 @@ public class RegistryLockPostAction implements Runnable, JsonActionRunner.JsonAc
                            postInput.fullyQualifiedDomainName,
                            postInput.clientId,
                            userEmail,
-                            isAdmin)
+                            registrarAccessor.isAdmin())
                        : domainLockUtils.saveNewRegistryUnlockRequest(
-                            postInput.fullyQualifiedDomainName, postInput.clientId, isAdmin);
+                            postInput.fullyQualifiedDomainName,
+                            postInput.clientId,
+                            registrarAccessor.isAdmin(),
+                            Optional.ofNullable(postInput.relockDurationMillis).map(Duration::new));
                sendVerificationEmail(registryLock, userEmail, postInput.isLock);
              });
      String action = postInput.isLock ? "lock" : "unlock";
@@ -180,25 +183,35 @@ public class RegistryLockPostAction implements Runnable, JsonActionRunner.JsonAc
    }
  }

-  private void verifyRegistryLockPassword(RegistryLockPostInput postInput, String userEmail)
+  private String verifyPasswordAndGetEmail(
+      UserAuthInfo userAuthInfo, RegistryLockPostInput postInput)
      throws RegistrarAccessDeniedException {
-    // Verify that the user can access the registrar and that the user has
-    // registry lock enabled and provided a correct password
-    Registrar registrar = registrarAccessor.getRegistrar(postInput.clientId);
-    checkArgument(
-        registrar.isRegistryLockAllowed(), "Registry lock not allowed for this registrar");
-    checkArgument(!Strings.isNullOrEmpty(postInput.password), "Missing key for password");
+    User user = userAuthInfo.user();
+    if (registrarAccessor.isAdmin()) {
+      return user.getEmail();
+    }
+    // Verify that the user can access the registrar, that the user has
+    // registry lock enabled, and that the user providjed a correct password
+    Registrar registrar =
+        getRegistrarAndVerifyLockAccess(registrarAccessor, postInput.clientId, false);
    RegistrarContact registrarContact =
-        registrar.getContacts().stream()
-            .filter(contact -> contact.getEmailAddress().equals(userEmail))
-            .findFirst()
+        getContactMatchingLogin(user, registrar)
            .orElseThrow(
                () ->
                    new IllegalArgumentException(
-                        String.format("Unknown user email %s", userEmail)));
+                        String.format(
+                            "Cannot match user %s to registrar contact", user.getUserId())));
    checkArgument(
        registrarContact.verifyRegistryLockPassword(postInput.password),
        "Incorrect registry lock password for contact");
+    return registrarContact
+        .getRegistryLockEmailAddress()
+        .orElseThrow(
+            () ->
+                new IllegalStateException(
+                    String.format(
+                        "Contact %s had no registry lock email address",
+                        registrarContact.getEmailAddress())));
  }

  /** Value class that represents the expected input body from the UI request. */
@@ -207,5 +220,6 @@ public class RegistryLockPostAction implements Runnable, JsonActionRunner.JsonAc
    private String fullyQualifiedDomainName;
    private Boolean isLock;
    private String password;
+    private Long relockDurationMillis;
  }
 }
--- a/core/src/main/javascript/google/registry/ui/css/registry-lock.css
+++ b/core/src/main/javascript/google/registry/ui/css/registry-lock.css
@@ -45,3 +45,41 @@
 .lock-confirm-modal button {
   margin-left: 10px
 }
+
+/** Following section taken from https://loading.io/css, under CC0 licensing. */
+.lds-ring {
+  display: inline-block;
+  position: relative;
+  width: 80px;
+  height: 80px;
+}
+.lds-ring div {
+  box-sizing: border-box;
+  display: block;
+  position: absolute;
+  width: 64px;
+  height: 64px;
+  margin: 8px;
+  border: 8px solid #000000;
+  border-radius: 50%;
+  animation: lds-ring 1.2s cubic-bezier(0.5, 0, 0.5, 1) infinite;
+  border-color: #000000 transparent transparent transparent;
+}
+.lds-ring div:nth-child(1) {
+  animation-delay: -0.45s;
+}
+.lds-ring div:nth-child(2) {
+  animation-delay: -0.3s;
+}
+.lds-ring div:nth-child(3) {
+  animation-delay: -0.15s;
+}
+@keyframes lds-ring {
+  0% {
+    transform: rotate(0deg);
+  }
+  100% {
+    transform: rotate(360deg);
+  }
+}
+/** End of material taken from https://loading.io/css. */
--- a/core/src/main/javascript/google/registry/ui/js/registrar/registry_lock.js
+++ b/core/src/main/javascript/google/registry/ui/js/registrar/registry_lock.js
@@ -45,6 +45,7 @@ registry.registrar.RegistryLock = function(console, resource) {
 goog.inherits(registry.registrar.RegistryLock, registry.ResourceComponent);

 registry.registrar.RegistryLock.prototype.runAfterRender = function(objArgs) {
+  this.isAdmin = objArgs.isAdmin;
  this.clientId = objArgs.clientId;
  this.xsrfToken = objArgs.xsrfToken;

@@ -55,8 +56,7 @@ registry.registrar.RegistryLock.prototype.runAfterRender = function(objArgs) {
  } else {
    goog.soy.renderElement(
        goog.dom.getRequiredElement('locks-content'),
-        registry.soy.registrar.registrylock.lockNotAllowedOnRegistrar,
-        {supportEmail: objArgs.supportEmail});
+        registry.soy.registrar.registrylock.lockNotAllowedOnRegistrar);
  }
 };

@@ -92,7 +92,7 @@ registry.registrar.RegistryLock.prototype.fillLocksPage_ = function(e) {
            lockEnabledForContact: locksDetails.lockEnabledForContact});

    if (locksDetails.lockEnabledForContact) {
-      // Listen to the lock-domain 'submit' button click as well as the enter key
+      // Listen to the lock-domain 'submit' button click
      var lockButton = goog.dom.getRequiredElement('button-lock-domain');
      goog.events.listen(lockButton, goog.events.EventType.CLICK, this.onLockDomain_, false, this);
      // For all unlock buttons, listen and perform the unlock action if they're clicked
@@ -115,12 +115,16 @@ registry.registrar.RegistryLock.prototype.showModal_ = function(targetElement, d
  var parentElement = targetElement.parentElement;
  // attach the modal to the parent element so focus remains correct if the user closes the modal
  var modalElement = goog.soy.renderAsElement(
-      registry.soy.registrar.registrylock.confirmModal, {domain: domain, isLock: isLock});
+      registry.soy.registrar.registrylock.confirmModal,
+      {domain: domain, isLock: isLock, isAdmin: this.isAdmin});
  parentElement.prepend(modalElement);
  if (domain == null) {
    goog.dom.getRequiredElement('domain-lock-input-value').focus();
  } else {
-    goog.dom.getRequiredElement('domain-lock-password').focus();
+    var passwordElem = goog.dom.getElement('domain-lock-password');
+    if (passwordElem != null) {
+      passwordElem.focus();
+    }
  }
  // delete the modal when the user clicks the cancel button
  goog.events.listen(
@@ -130,12 +134,29 @@ registry.registrar.RegistryLock.prototype.showModal_ = function(targetElement, d
      false,
      this);

+  // Listen to the "submit" click and also the user hitting enter
  goog.events.listen(
      goog.dom.getRequiredElement('domain-lock-submit'),
      goog.events.EventType.CLICK,
      e => this.lockOrUnlockDomain_(isLock, e),
      false,
      this);
+
+  [goog.dom.getElement('domain-lock-password'),
+      goog.dom.getElement('domain-lock-input-value')].forEach(elem => {
+        if (elem != null) {
+          goog.events.listen(
+              elem,
+              goog.events.EventType.KEYPRESS,
+              e => {
+                if (e.keyCode === goog.events.KeyCodes.ENTER) {
+                  this.lockOrUnlockDomain_(isLock, e);
+                }
+              },
+              false,
+              this);
+        }
+      });
 }

 /**
@@ -144,7 +165,9 @@ registry.registrar.RegistryLock.prototype.showModal_ = function(targetElement, d
 */
 registry.registrar.RegistryLock.prototype.lockOrUnlockDomain_ = function(isLock, e) {
  var domain = goog.dom.getRequiredElement('domain-lock-input-value').value;
-  var password = goog.dom.getRequiredElement('domain-lock-password').value;
+  var passwordElem = goog.dom.getElement('domain-lock-password');
+  var password = passwordElem == null ? null : passwordElem.value;
+  var relockDuration = this.getRelockDurationFromModal_()
  goog.net.XhrIo.send('/registry-lock-post',
      e => this.fillLocksPage_(e),
      'POST',
@@ -152,13 +175,30 @@ registry.registrar.RegistryLock.prototype.lockOrUnlockDomain_ = function(isLock,
        'clientId': this.clientId,
        'fullyQualifiedDomainName': domain,
        'isLock': isLock,
-        'password': password
+        'password': password,
+        'relockDurationMillis': relockDuration
      }), {
        'X-CSRF-Token': this.xsrfToken,
        'Content-Type': 'application/json; charset=UTF-8'
      });
 }

+/**
+ * Returns the duration after which we will re-lock a locked domain. Will return null if we
+ * are locking a domain, or if the user selects the "Never" option
+ * @private
+ */
+registry.registrar.RegistryLock.prototype.getRelockDurationFromModal_ = function() {
+  var inputElements = goog.dom.getElementsByTagNameAndClass("input", "relock-duration-input");
+  for (var i = 0; i < inputElements.length; i++) {
+    var elem = inputElements[i];
+    if (elem.checked && elem.value !== "0") {
+      return elem.value;
+    }
+  }
+  return null;
+}
+
 /**
 * Click handler for unlocking domains (button click).
 * @private
--- a/core/src/main/resources/META-INF/orm.xml
+++ b/core/src/main/resources/META-INF/orm.xml
@@ -4,15 +4,10 @@
    xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/persistence/orm
          http://xmlns.jcp.org/xml/ns/persistence/orm_2_2.xsd"
    version="2.2">
-  <embeddable class="org.joda.money.Money" access="FIELD">
-    <attributes>
-      <embedded name="money" access="FIELD"/>
-    </attributes>
-  </embeddable>
+  <embeddable class="org.joda.money.Money" access="FIELD" />
  <embeddable class="org.joda.money.BigMoney" access="FIELD">
    <attributes>
      <basic name="amount" access="FIELD"/>
-      <basic name="currency" access="FIELD"/>
    </attributes>
  </embeddable>
 </entity-mappings>
--- a/core/src/main/resources/META-INF/persistence.xml
+++ b/core/src/main/resources/META-INF/persistence.xml
@@ -36,8 +36,10 @@
    <class>google.registry.persistence.converter.BloomFilterConverter</class>
    <class>google.registry.persistence.converter.CidrAddressBlockListConverter</class>
    <class>google.registry.persistence.converter.CreateAutoTimestampConverter</class>
+    <class>google.registry.persistence.converter.CurrencyToBillingConverter</class>
    <class>google.registry.persistence.converter.CurrencyUnitConverter</class>
    <class>google.registry.persistence.converter.DateTimeConverter</class>
+    <class>google.registry.persistence.converter.DurationConverter</class>
    <class>google.registry.persistence.converter.RegistrarPocSetConverter</class>
    <class>google.registry.persistence.converter.StatusValueSetConverter</class>
    <class>google.registry.persistence.converter.StringListConverter</class>
--- a/core/src/main/resources/google/registry/ui/soy/Forms.soy
+++ b/core/src/main/resources/google/registry/ui/soy/Forms.soy
@@ -89,7 +89,7 @@
             disabled
          {/if}
          {if $isPassword}
-             type="password"
+             type="password" minlength="8"
          {/if}>
    </td>
  </tr>
--- a/core/src/main/resources/google/registry/ui/soy/registrar/RegistryLock.soy
+++ b/core/src/main/resources/google/registry/ui/soy/registrar/RegistryLock.soy
@@ -18,7 +18,15 @@
 {template .settings}
  <h1>Registry lock</h1>
  <br>
-  <div id="locks-content"></div>
+  <div id="locks-content">
+    // CSS-ified loading spinner
+    <div class="{css('lds-ring')}">
+      <div></div>
+      <div></div>
+      <div></div>
+      <div></div>
+    </div>
+  </div>
 {/template}

 {template .locksContent}
@@ -106,20 +114,42 @@
 /** Modal that confirms that the user wishes to lock/unlock a domain. */
 {template .confirmModal}
  {@param isLock: bool}
+  {@param isAdmin: bool}
  {@param? domain: string|null}
  <div id="lock-confirm-modal" class="{css('lock-confirm-modal')}">
    <div class="modal-content">
-      <p>Are you sure you want to {if not $isLock}un{/if}lock the domain {$domain}? We will send
-        an email to the email address on file to confirm the {if not $isLock}un{/if}lock.</p>
+      <p>Are you sure you want to {if $isLock}lock a domain{else}unlock the domain {$domain}{/if}?
+        We will send an email to the email address on file to confirm the {if not $isLock}un{/if}
+        lock.</p>
      <label for="domain-to-lock">Domain: </label>
      <input id="domain-lock-input-value"
          {if isNonnull($domain)}
             value="{$domain}" disabled
          {/if}>
      <br>
-      <label for="domain-lock-password">Registry lock password: </label>
-      <input type="password" id="domain-lock-password">
-      <br>
+      {if not $isAdmin}
+        <label for="domain-lock-password">Registry lock password: </label>
+        <input type="password" id="domain-lock-password">
+        <br>
+      {/if}
+      {if not $isLock}
+        <div>
+          <br>
+          <p>Automatically re-lock the domain after:</p>
+          <input type="radio" name="relock-duration" id="one-hour-duration" value="3600000"
+                 class="relock-duration-input">
+          <label for="one-hour-duration">1 hour</label><br>
+          <input type="radio" name="relock-duration" id="six-hour-duration" value="21600000"
+                 class="relock-duration-input" checked>
+          <label for="six-hour-duration">6 hours</label><br>
+          <input type="radio" name="relock-duration" id="twenty-four-hour-duration" value="86400000"
+                 class="relock-duration-input">
+          <label for="twenty-four-hour-duration">24 hours</label><br>
+          <input type="radio" name="relock-duration" id="never-relock-duration" value="0"
+                 class="relock-duration-input">
+          <label for="never-relock-duration">Never</label><br>
+        </div>
+      {/if}
      <div id="modal-error-message" hidden class="{css('kd-errormessage')}"></div>
      <div class="{css('buttons-div')}">
        <button id="domain-lock-cancel" class="{css('kd-button')}">Cancel</button>
@@ -133,7 +163,5 @@

 /** Content if the registrar is not allowed to use registry lock. */
 {template .lockNotAllowedOnRegistrar}
-  {@param supportEmail: string}
-  <h2>Sorry, your registrar hasn't enrolled in registry lock yet. To do so, please
-    contact {$supportEmail}.</h2>
+  <h2>Registry Lock is coming soon; please stay tuned for updates.</h2>
 {/template}
--- a/core/src/test/java/google/registry/backup/CommitLogCheckpointActionTest.java
+++ b/core/src/test/java/google/registry/backup/CommitLogCheckpointActionTest.java
@@ -46,10 +46,8 @@ public class CommitLogCheckpointActionTest {
  private static final String QUEUE_NAME = "export-commits";

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .withTaskQueue()
-      .build();
+  public final AppEngineRule appEngine =
+      AppEngineRule.builder().withDatastoreAndCloudSql().withTaskQueue().build();

  CommitLogCheckpointStrategy strategy = mock(CommitLogCheckpointStrategy.class);

--- a/core/src/test/java/google/registry/backup/CommitLogCheckpointStrategyTest.java
+++ b/core/src/test/java/google/registry/backup/CommitLogCheckpointStrategyTest.java
@@ -47,9 +47,7 @@ import org.junit.runners.JUnit4;
 public class CommitLogCheckpointStrategyTest {

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .build();
+  public final AppEngineRule appEngine = AppEngineRule.builder().withDatastoreAndCloudSql().build();

  @Rule
  public final InjectRule inject = new InjectRule();
--- a/core/src/test/java/google/registry/backup/ExportCommitLogDiffActionTest.java
+++ b/core/src/test/java/google/registry/backup/ExportCommitLogDiffActionTest.java
@@ -50,9 +50,7 @@ import org.junit.runners.JUnit4;
 public class ExportCommitLogDiffActionTest {

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .build();
+  public final AppEngineRule appEngine = AppEngineRule.builder().withDatastoreAndCloudSql().build();

  /** Local GCS service available for testing. */
  private final GcsService gcsService = GcsServiceFactory.createGcsService();
--- a/core/src/test/java/google/registry/backup/GcsDiffFileListerTest.java
+++ b/core/src/test/java/google/registry/backup/GcsDiffFileListerTest.java
@@ -62,9 +62,7 @@ public class GcsDiffFileListerTest {
  private final TestLogHandler logHandler = new TestLogHandler();

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .build();
+  public final AppEngineRule appEngine = AppEngineRule.builder().withDatastoreAndCloudSql().build();

  @Before
  public void before() throws Exception {
--- a/core/src/test/java/google/registry/backup/RestoreCommitLogsActionTest.java
+++ b/core/src/test/java/google/registry/backup/RestoreCommitLogsActionTest.java
@@ -71,9 +71,7 @@ public class RestoreCommitLogsActionTest {
  final GcsService gcsService = createGcsService();

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .build();
+  public final AppEngineRule appEngine = AppEngineRule.builder().withDatastoreAndCloudSql().build();

  @Before
  public void init() {
--- a/core/src/test/java/google/registry/batch/AsyncTaskEnqueuerTest.java
+++ b/core/src/test/java/google/registry/batch/AsyncTaskEnqueuerTest.java
@@ -15,6 +15,7 @@
 package google.registry.batch;

 import static com.google.appengine.api.taskqueue.QueueFactory.getQueue;
+import static com.google.common.truth.Truth.assertThat;
 import static google.registry.batch.AsyncTaskEnqueuer.PARAM_REQUESTED_TIME;
 import static google.registry.batch.AsyncTaskEnqueuer.PARAM_RESAVE_TIMES;
 import static google.registry.batch.AsyncTaskEnqueuer.PARAM_RESOURCE_KEY;
@@ -23,18 +24,21 @@ import static google.registry.batch.AsyncTaskEnqueuer.QUEUE_ASYNC_ACTIONS;
 import static google.registry.batch.AsyncTaskEnqueuer.QUEUE_ASYNC_DELETE;
 import static google.registry.batch.AsyncTaskEnqueuer.QUEUE_ASYNC_HOST_RENAME;
 import static google.registry.testing.DatastoreHelper.persistActiveContact;
+import static google.registry.testing.SqlHelper.saveRegistryLock;
 import static google.registry.testing.TaskQueueHelper.assertNoTasksEnqueued;
 import static google.registry.testing.TaskQueueHelper.assertTasksEnqueued;
 import static google.registry.testing.TestLogHandlerUtils.assertLogMessage;
 import static org.joda.time.Duration.standardDays;
 import static org.joda.time.Duration.standardHours;
 import static org.joda.time.Duration.standardSeconds;
+import static org.junit.Assert.assertThrows;
 import static org.mockito.Mockito.when;

 import com.google.common.collect.ImmutableSortedSet;
 import com.google.common.flogger.LoggerConfig;
 import com.googlecode.objectify.Key;
 import google.registry.model.contact.ContactResource;
+import google.registry.schema.domain.RegistryLock;
 import google.registry.testing.AppEngineRule;
 import google.registry.testing.FakeClock;
 import google.registry.testing.FakeSleeper;
@@ -46,6 +50,7 @@ import google.registry.util.CapturingLogHandler;
 import google.registry.util.Retrier;
 import java.util.logging.Level;
 import org.joda.time.DateTime;
+import org.joda.time.Duration;
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
@@ -61,7 +66,7 @@ public class AsyncTaskEnqueuerTest extends ShardableTestCase {

  @Rule
  public final AppEngineRule appEngine =
-      AppEngineRule.builder().withDatastore().withTaskQueue().build();
+      AppEngineRule.builder().withDatastoreAndCloudSql().withTaskQueue().build();

  @Rule public final InjectRule inject = new InjectRule();

@@ -77,14 +82,18 @@ public class AsyncTaskEnqueuerTest extends ShardableTestCase {
  public void setUp() {
    LoggerConfig.getConfig(AsyncTaskEnqueuer.class).addHandler(logHandler);
    when(appEngineServiceUtils.getServiceHostname("backend")).thenReturn("backend.hostname.fake");
-    asyncTaskEnqueuer =
-        new AsyncTaskEnqueuer(
-            getQueue(QUEUE_ASYNC_ACTIONS),
-            getQueue(QUEUE_ASYNC_DELETE),
-            getQueue(QUEUE_ASYNC_HOST_RENAME),
-            standardSeconds(90),
-            appEngineServiceUtils,
-            new Retrier(new FakeSleeper(clock), 1));
+    asyncTaskEnqueuer = createForTesting(appEngineServiceUtils, clock, standardSeconds(90));
+  }
+
+  public static AsyncTaskEnqueuer createForTesting(
+      AppEngineServiceUtils appEngineServiceUtils, FakeClock clock, Duration asyncDeleteDelay) {
+    return new AsyncTaskEnqueuer(
+        getQueue(QUEUE_ASYNC_ACTIONS),
+        getQueue(QUEUE_ASYNC_DELETE),
+        getQueue(QUEUE_ASYNC_HOST_RENAME),
+        asyncDeleteDelay,
+        appEngineServiceUtils,
+        new Retrier(new FakeSleeper(clock), 1));
  }

  @Test
@@ -137,4 +146,56 @@ public class AsyncTaskEnqueuerTest extends ShardableTestCase {
    assertNoTasksEnqueued(QUEUE_ASYNC_ACTIONS);
    assertLogMessage(logHandler, Level.INFO, "Ignoring async re-save");
  }
+
+  @Test
+  public void testEnqueueRelock() {
+    RegistryLock lock =
+        saveRegistryLock(
+            new RegistryLock.Builder()
+                .setLockCompletionTimestamp(clock.nowUtc())
+                .setUnlockRequestTimestamp(clock.nowUtc())
+                .setUnlockCompletionTimestamp(clock.nowUtc())
+                .isSuperuser(false)
+                .setDomainName("example.tld")
+                .setRepoId("repoId")
+                .setRelockDuration(standardHours(6))
+                .setRegistrarId("TheRegistrar")
+                .setRegistrarPocId("someone@example.com")
+                .setVerificationCode("hi")
+                .build());
+    asyncTaskEnqueuer.enqueueDomainRelock(lock);
+    assertTasksEnqueued(
+        QUEUE_ASYNC_ACTIONS,
+        new TaskMatcher()
+            .url(RelockDomainAction.PATH)
+            .method("POST")
+            .param(
+                RelockDomainAction.OLD_UNLOCK_REVISION_ID_PARAM,
+                String.valueOf(lock.getRevisionId()))
+            .etaDelta(
+                standardHours(6).minus(standardSeconds(30)),
+                standardHours(6).plus(standardSeconds(30))));
+  }
+
+  @Test
+  public void testFailure_enqueueRelock_noDuration() {
+    RegistryLock lockWithoutDuration =
+        saveRegistryLock(
+            new RegistryLock.Builder()
+                .isSuperuser(false)
+                .setDomainName("example.tld")
+                .setRepoId("repoId")
+                .setRegistrarId("TheRegistrar")
+                .setRegistrarPocId("someone@example.com")
+                .setVerificationCode("hi")
+                .build());
+    assertThat(
+            assertThrows(
+                IllegalArgumentException.class,
+                () -> asyncTaskEnqueuer.enqueueDomainRelock(lockWithoutDuration)))
+        .hasMessageThat()
+        .isEqualTo(
+            String.format(
+                "Lock with ID %s not configured for relock", lockWithoutDuration.getRevisionId()));
+  }
 }
--- a/core/src/test/java/google/registry/batch/DeleteContactsAndHostsActionTest.java
+++ b/core/src/test/java/google/registry/batch/DeleteContactsAndHostsActionTest.java
@@ -18,9 +18,7 @@ import static com.google.appengine.api.taskqueue.QueueFactory.getQueue;
 import static com.google.common.collect.MoreCollectors.onlyElement;
 import static com.google.common.truth.Truth.assertThat;
 import static com.google.common.truth.Truth8.assertThat;
-import static google.registry.batch.AsyncTaskEnqueuer.QUEUE_ASYNC_ACTIONS;
 import static google.registry.batch.AsyncTaskEnqueuer.QUEUE_ASYNC_DELETE;
-import static google.registry.batch.AsyncTaskEnqueuer.QUEUE_ASYNC_HOST_RENAME;
 import static google.registry.batch.AsyncTaskMetrics.OperationResult.STALE;
 import static google.registry.model.EppResourceUtils.loadByForeignKey;
 import static google.registry.model.eppcommon.StatusValue.PENDING_DELETE;
@@ -151,13 +149,8 @@ public class DeleteContactsAndHostsActionTest
  public void setup() {
    inject.setStaticField(Ofy.class, "clock", clock);
    enqueuer =
-        new AsyncTaskEnqueuer(
-            getQueue(QUEUE_ASYNC_ACTIONS),
-            getQueue(QUEUE_ASYNC_DELETE),
-            getQueue(QUEUE_ASYNC_HOST_RENAME),
-            Duration.ZERO,
-            mock(AppEngineServiceUtils.class),
-            new Retrier(new FakeSleeper(clock), 1));
+        AsyncTaskEnqueuerTest.createForTesting(
+            mock(AppEngineServiceUtils.class), clock, Duration.ZERO);
    AsyncTaskMetrics asyncTaskMetricsMock = mock(AsyncTaskMetrics.class);
    action = new DeleteContactsAndHostsAction();
    action.asyncTaskMetrics = asyncTaskMetricsMock;
@@ -614,7 +607,7 @@ public class DeleteContactsAndHostsActionTest
        .hasDeletionTime(END_OF_TIME);
    DomainBase domain =
        loadByForeignKey(DomainBase.class, "example.tld", clock.nowUtc()).get();
-    assertThat(domain.getNameservers()).contains(Key.create(hostAfter));
+    assertThat(domain.getNameservers()).contains(hostAfter.createKey());
    HistoryEntry historyEntry = getOnlyHistoryEntryOfType(hostAfter, HOST_DELETE_FAILURE);
    assertPollMessageFor(
        historyEntry,
@@ -684,7 +677,7 @@ public class DeleteContactsAndHostsActionTest
    persistResource(
        newDomainBase("example.tld")
            .asBuilder()
-            .setNameservers(ImmutableSet.of(Key.create(host)))
+            .setNameservers(ImmutableSet.of(host.createKey()))
            .setDeletionTime(clock.nowUtc().minusDays(5))
            .build());
    enqueuer.enqueueAsyncDelete(
@@ -943,7 +936,7 @@ public class DeleteContactsAndHostsActionTest
    return persistResource(
        newDomainBase(domainName, contact)
            .asBuilder()
-            .setNameservers(ImmutableSet.of(Key.create(host)))
+            .setNameservers(ImmutableSet.of(host.createKey()))
            .build());
  }

--- a/core/src/test/java/google/registry/batch/RefreshDnsOnHostRenameActionTest.java
+++ b/core/src/test/java/google/registry/batch/RefreshDnsOnHostRenameActionTest.java
@@ -17,8 +17,6 @@ package google.registry.batch;
 import static com.google.appengine.api.taskqueue.QueueFactory.getQueue;
 import static com.google.common.truth.Truth.assertThat;
 import static com.google.common.truth.Truth8.assertThat;
-import static google.registry.batch.AsyncTaskEnqueuer.QUEUE_ASYNC_ACTIONS;
-import static google.registry.batch.AsyncTaskEnqueuer.QUEUE_ASYNC_DELETE;
 import static google.registry.batch.AsyncTaskEnqueuer.QUEUE_ASYNC_HOST_RENAME;
 import static google.registry.batch.AsyncTaskMetrics.OperationType.DNS_REFRESH;
 import static google.registry.model.ofy.ObjectifyService.ofy;
@@ -86,13 +84,8 @@ public class RefreshDnsOnHostRenameActionTest
  public void setup() {
    createTld("tld");
    enqueuer =
-        new AsyncTaskEnqueuer(
-            getQueue(QUEUE_ASYNC_ACTIONS),
-            getQueue(QUEUE_ASYNC_DELETE),
-            getQueue(QUEUE_ASYNC_HOST_RENAME),
-            Duration.ZERO,
-            mock(AppEngineServiceUtils.class),
-            new Retrier(new FakeSleeper(clock), 1));
+        AsyncTaskEnqueuerTest.createForTesting(
+            mock(AppEngineServiceUtils.class), clock, Duration.ZERO);
    AsyncTaskMetrics asyncTaskMetricsMock = mock(AsyncTaskMetrics.class);
    action = new RefreshDnsOnHostRenameAction();
    action.asyncTaskMetrics = asyncTaskMetricsMock;
--- a/core/src/test/java/google/registry/batch/RelockDomainActionTest.java
+++ b/core/src/test/java/google/registry/batch/RelockDomainActionTest.java
@@ -0,0 +1,185 @@
+// Copyright 2020 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.batch;
+
+import static com.google.common.truth.Truth.assertThat;
+import static google.registry.model.eppcommon.StatusValue.PENDING_DELETE;
+import static google.registry.model.eppcommon.StatusValue.PENDING_TRANSFER;
+import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.testing.DatastoreHelper.createTlds;
+import static google.registry.testing.DatastoreHelper.newDomainBase;
+import static google.registry.testing.DatastoreHelper.persistActiveHost;
+import static google.registry.testing.DatastoreHelper.persistDomainAsDeleted;
+import static google.registry.testing.DatastoreHelper.persistResource;
+import static google.registry.testing.SqlHelper.getMostRecentVerifiedRegistryLockByRepoId;
+import static google.registry.testing.SqlHelper.getRegistryLockByVerificationCode;
+import static google.registry.testing.SqlHelper.saveRegistryLock;
+import static google.registry.tools.LockOrUnlockDomainCommand.REGISTRY_LOCK_STATUSES;
+import static javax.servlet.http.HttpServletResponse.SC_NO_CONTENT;
+import static org.mockito.Mockito.mock;
+
+import com.google.common.collect.ImmutableSet;
+import google.registry.model.domain.DomainBase;
+import google.registry.model.host.HostResource;
+import google.registry.schema.domain.RegistryLock;
+import google.registry.testing.AppEngineRule;
+import google.registry.testing.DeterministicStringGenerator;
+import google.registry.testing.FakeClock;
+import google.registry.testing.FakeResponse;
+import google.registry.testing.UserInfo;
+import google.registry.tools.DomainLockUtils;
+import google.registry.util.AppEngineServiceUtils;
+import google.registry.util.StringGenerator.Alphabets;
+import java.util.Optional;
+import org.joda.time.Duration;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.JUnit4;
+
+/** Unit tests for {@link RelockDomainAction}. */
+@RunWith(JUnit4.class)
+public class RelockDomainActionTest {
+
+  private static final String DOMAIN_NAME = "example.tld";
+  private static final String CLIENT_ID = "TheRegistrar";
+  private static final String POC_ID = "marla.singer@example.com";
+
+  private final FakeResponse response = new FakeResponse();
+  private final FakeClock clock = new FakeClock();
+  private final DomainLockUtils domainLockUtils =
+      new DomainLockUtils(
+          new DeterministicStringGenerator(Alphabets.BASE_58),
+          AsyncTaskEnqueuerTest.createForTesting(
+              mock(AppEngineServiceUtils.class), clock, Duration.ZERO));
+
+  @Rule
+  public final AppEngineRule appEngineRule =
+      AppEngineRule.builder()
+          .withDatastoreAndCloudSql()
+          .withUserService(UserInfo.create(POC_ID, "12345"))
+          .build();
+
+  private DomainBase domain;
+  private RegistryLock oldLock;
+  private RelockDomainAction action;
+
+  @Before
+  public void setup() {
+    createTlds("tld", "net");
+    HostResource host = persistActiveHost("ns1.example.net");
+    domain = persistResource(newDomainBase(DOMAIN_NAME, host));
+
+    oldLock = domainLockUtils.administrativelyApplyLock(DOMAIN_NAME, CLIENT_ID, POC_ID, false);
+    assertThat(reloadDomain(domain).getStatusValues())
+        .containsAtLeastElementsIn(REGISTRY_LOCK_STATUSES);
+    oldLock =
+        domainLockUtils.administrativelyApplyUnlock(
+            DOMAIN_NAME, CLIENT_ID, false, Optional.empty());
+    assertThat(reloadDomain(domain).getStatusValues()).containsNoneIn(REGISTRY_LOCK_STATUSES);
+    action = createAction(oldLock.getRevisionId());
+  }
+
+  @Test
+  public void testLock() {
+    action.run();
+    assertThat(reloadDomain(domain).getStatusValues())
+        .containsAtLeastElementsIn(REGISTRY_LOCK_STATUSES);
+
+    // the old lock should have a reference to the relock
+    RegistryLock newLock = getMostRecentVerifiedRegistryLockByRepoId(domain.getRepoId()).get();
+    assertThat(getRegistryLockByVerificationCode(oldLock.getVerificationCode()).get().getRelock())
+        .isEqualTo(newLock);
+  }
+
+  @Test
+  public void testFailure_unknownCode() {
+    action = createAction(12128675309L);
+    action.run();
+    assertThat(response.getStatus()).isEqualTo(SC_NO_CONTENT);
+    assertThat(response.getPayload()).isEqualTo("Relock failed: Unknown revision ID 12128675309");
+  }
+
+  @Test
+  public void testFailure_pendingDelete() {
+    persistResource(domain.asBuilder().setStatusValues(ImmutableSet.of(PENDING_DELETE)).build());
+    action.run();
+    assertThat(response.getStatus()).isEqualTo(SC_NO_CONTENT);
+    assertThat(response.getPayload())
+        .isEqualTo(String.format("Relock failed: Domain %s has a pending delete", DOMAIN_NAME));
+  }
+
+  @Test
+  public void testFailure_pendingTransfer() {
+    persistResource(domain.asBuilder().setStatusValues(ImmutableSet.of(PENDING_TRANSFER)).build());
+    action.run();
+    assertThat(response.getStatus()).isEqualTo(SC_NO_CONTENT);
+    assertThat(response.getPayload())
+        .isEqualTo(String.format("Relock failed: Domain %s has a pending transfer", DOMAIN_NAME));
+  }
+
+  @Test
+  public void testFailure_domainAlreadyLocked() {
+    domainLockUtils.administrativelyApplyLock(DOMAIN_NAME, CLIENT_ID, null, true);
+    action.run();
+    assertThat(response.getStatus()).isEqualTo(SC_NO_CONTENT);
+    assertThat(response.getPayload())
+        .isEqualTo("Domain example.tld is already manually relocked, skipping automated relock.");
+  }
+
+  @Test
+  public void testFailure_domainDeleted() {
+    persistDomainAsDeleted(domain, clock.nowUtc());
+    action.run();
+    assertThat(response.getStatus()).isEqualTo(SC_NO_CONTENT);
+    assertThat(response.getPayload())
+        .isEqualTo(String.format("Relock failed: Domain %s has been deleted", DOMAIN_NAME));
+  }
+
+  @Test
+  public void testFailure_domainTransferred() {
+    persistResource(domain.asBuilder().setPersistedCurrentSponsorClientId("NewRegistrar").build());
+    action.run();
+    assertThat(response.getStatus()).isEqualTo(SC_NO_CONTENT);
+    assertThat(response.getPayload())
+        .isEqualTo(
+            String.format(
+                "Relock failed: Domain %s has been transferred from registrar %s to registrar "
+                    + "%s since the unlock",
+                DOMAIN_NAME, CLIENT_ID, "NewRegistrar"));
+  }
+
+  @Test
+  public void testFailure_relockAlreadySet() {
+    RegistryLock newLock =
+        domainLockUtils.administrativelyApplyLock(DOMAIN_NAME, CLIENT_ID, null, true);
+    saveRegistryLock(oldLock.asBuilder().setRelock(newLock).build());
+    // Save the domain without the lock statuses so that we pass that check in the action
+    persistResource(domain.asBuilder().setStatusValues(ImmutableSet.of()).build());
+    action.run();
+    assertThat(response.getStatus()).isEqualTo(SC_NO_CONTENT);
+    assertThat(response.getPayload())
+        .isEqualTo("Domain example.tld is already manually relocked, skipping automated relock.");
+  }
+
+  private DomainBase reloadDomain(DomainBase domain) {
+    return ofy().load().entity(domain).now();
+  }
+
+  private RelockDomainAction createAction(Long oldUnlockRevisionId) {
+    return new RelockDomainAction(oldUnlockRevisionId, domainLockUtils, response);
+  }
+}
--- a/core/src/test/java/google/registry/batch/ResaveEntityActionTest.java
+++ b/core/src/test/java/google/registry/batch/ResaveEntityActionTest.java
@@ -14,14 +14,11 @@

 package google.registry.batch;

-import static com.google.appengine.api.taskqueue.QueueFactory.getQueue;
 import static com.google.common.truth.Truth.assertThat;
 import static google.registry.batch.AsyncTaskEnqueuer.PARAM_REQUESTED_TIME;
 import static google.registry.batch.AsyncTaskEnqueuer.PARAM_RESOURCE_KEY;
 import static google.registry.batch.AsyncTaskEnqueuer.PATH_RESAVE_ENTITY;
 import static google.registry.batch.AsyncTaskEnqueuer.QUEUE_ASYNC_ACTIONS;
-import static google.registry.batch.AsyncTaskEnqueuer.QUEUE_ASYNC_DELETE;
-import static google.registry.batch.AsyncTaskEnqueuer.QUEUE_ASYNC_HOST_RENAME;
 import static google.registry.model.ofy.ObjectifyService.ofy;
 import static google.registry.testing.DatastoreHelper.createTld;
 import static google.registry.testing.DatastoreHelper.newDomainBase;
@@ -47,12 +44,10 @@ import google.registry.model.ofy.Ofy;
 import google.registry.request.Response;
 import google.registry.testing.AppEngineRule;
 import google.registry.testing.FakeClock;
-import google.registry.testing.FakeSleeper;
 import google.registry.testing.InjectRule;
 import google.registry.testing.ShardableTestCase;
 import google.registry.testing.TaskQueueHelper.TaskMatcher;
 import google.registry.util.AppEngineServiceUtils;
-import google.registry.util.Retrier;
 import org.joda.time.DateTime;
 import org.joda.time.Duration;
 import org.junit.Before;
@@ -70,7 +65,7 @@ public class ResaveEntityActionTest extends ShardableTestCase {

  @Rule
  public final AppEngineRule appEngine =
-      AppEngineRule.builder().withDatastore().withTaskQueue().build();
+      AppEngineRule.builder().withDatastoreAndCloudSql().withTaskQueue().build();

  @Rule public final InjectRule inject = new InjectRule();
  @Rule public final MockitoRule mocks = MockitoJUnit.rule();
@@ -85,13 +80,7 @@ public class ResaveEntityActionTest extends ShardableTestCase {
    inject.setStaticField(Ofy.class, "clock", clock);
    when(appEngineServiceUtils.getServiceHostname("backend")).thenReturn("backend.hostname.fake");
    asyncTaskEnqueuer =
-        new AsyncTaskEnqueuer(
-            getQueue(QUEUE_ASYNC_ACTIONS),
-            getQueue(QUEUE_ASYNC_DELETE),
-            getQueue(QUEUE_ASYNC_HOST_RENAME),
-            Duration.ZERO,
-            appEngineServiceUtils,
-            new Retrier(new FakeSleeper(clock), 1));
+        AsyncTaskEnqueuerTest.createForTesting(appEngineServiceUtils, clock, Duration.ZERO);
    createTld("tld");
  }

--- a/core/src/test/java/google/registry/cron/CommitLogFanoutActionTest.java
+++ b/core/src/test/java/google/registry/cron/CommitLogFanoutActionTest.java
@@ -39,17 +39,20 @@ public class CommitLogFanoutActionTest {
  private static final String QUEUE = "the-queue";

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .withTaskQueue(Joiner.on('\n').join(
-          "<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
-          "<queue-entries>",
-          "  <queue>",
-          "    <name>the-queue</name>",
-          "    <rate>1/s</rate>",
-          "  </queue>",
-          "</queue-entries>"))
-      .build();
+  public final AppEngineRule appEngine =
+      AppEngineRule.builder()
+          .withDatastoreAndCloudSql()
+          .withTaskQueue(
+              Joiner.on('\n')
+                  .join(
+                      "<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
+                      "<queue-entries>",
+                      "  <queue>",
+                      "    <name>the-queue</name>",
+                      "    <rate>1/s</rate>",
+                      "  </queue>",
+                      "</queue-entries>"))
+          .build();

  @Test
  public void testSuccess() {
--- a/core/src/test/java/google/registry/cron/TldFanoutActionTest.java
+++ b/core/src/test/java/google/registry/cron/TldFanoutActionTest.java
@@ -54,17 +54,20 @@ public class TldFanoutActionTest {
  private final FakeResponse response = new FakeResponse();

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .withTaskQueue(Joiner.on('\n').join(
-          "<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
-          "<queue-entries>",
-          "  <queue>",
-          "    <name>the-queue</name>",
-          "    <rate>1/s</rate>",
-          "  </queue>",
-          "</queue-entries>"))
-      .build();
+  public final AppEngineRule appEngine =
+      AppEngineRule.builder()
+          .withDatastoreAndCloudSql()
+          .withTaskQueue(
+              Joiner.on('\n')
+                  .join(
+                      "<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
+                      "<queue-entries>",
+                      "  <queue>",
+                      "    <name>the-queue</name>",
+                      "    <rate>1/s</rate>",
+                      "  </queue>",
+                      "</queue-entries>"))
+          .build();

  private static ImmutableListMultimap<String, String> getParamsMap(String... keysAndValues) {
    ImmutableListMultimap.Builder<String, String> params = new ImmutableListMultimap.Builder<>();
--- a/core/src/test/java/google/registry/dns/DnsInjectionTest.java
+++ b/core/src/test/java/google/registry/dns/DnsInjectionTest.java
@@ -46,10 +46,8 @@ import org.junit.runners.JUnit4;
 public final class DnsInjectionTest {

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .withTaskQueue()
-      .build();
+  public final AppEngineRule appEngine =
+      AppEngineRule.builder().withDatastoreAndCloudSql().withTaskQueue().build();

  @Rule
  public final InjectRule inject = new InjectRule();
--- a/core/src/test/java/google/registry/dns/DnsQueueTest.java
+++ b/core/src/test/java/google/registry/dns/DnsQueueTest.java
@@ -35,10 +35,9 @@ import org.junit.runners.JUnit4;
 public class DnsQueueTest {

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .withTaskQueue()
-      .build();
+  public final AppEngineRule appEngine =
+      AppEngineRule.builder().withDatastoreAndCloudSql().withTaskQueue().build();
+
  private DnsQueue dnsQueue;
  private final FakeClock clock = new FakeClock(DateTime.parse("2010-01-01T10:00:00Z"));

--- a/core/src/test/java/google/registry/dns/PublishDnsUpdatesActionTest.java
+++ b/core/src/test/java/google/registry/dns/PublishDnsUpdatesActionTest.java
@@ -55,10 +55,8 @@ import org.junit.runners.JUnit4;
 public class PublishDnsUpdatesActionTest {

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .withTaskQueue()
-      .build();
+  public final AppEngineRule appEngine =
+      AppEngineRule.builder().withDatastoreAndCloudSql().withTaskQueue().build();

  @Rule
  public final InjectRule inject = new InjectRule();
--- a/core/src/test/java/google/registry/dns/ReadDnsQueueActionTest.java
+++ b/core/src/test/java/google/registry/dns/ReadDnsQueueActionTest.java
@@ -73,22 +73,25 @@ public class ReadDnsQueueActionTest {
  private FakeClock clock = new FakeClock(DateTime.parse("3000-01-01TZ"));

  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .withTaskQueue(Joiner.on('\n').join(
-          "<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
-          "<queue-entries>",
-          "  <queue>",
-          "    <name>dns-publish</name>",
-          "    <rate>1/s</rate>",
-          "  </queue>",
-          "  <queue>",
-          "    <name>dns-pull</name>",
-          "    <mode>pull</mode>",
-          "  </queue>",
-          "</queue-entries>"))
-      .withClock(clock)
-      .build();
+  public final AppEngineRule appEngine =
+      AppEngineRule.builder()
+          .withDatastoreAndCloudSql()
+          .withTaskQueue(
+              Joiner.on('\n')
+                  .join(
+                      "<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
+                      "<queue-entries>",
+                      "  <queue>",
+                      "    <name>dns-publish</name>",
+                      "    <rate>1/s</rate>",
+                      "  </queue>",
+                      "  <queue>",
+                      "    <name>dns-pull</name>",
+                      "    <mode>pull</mode>",
+                      "  </queue>",
+                      "</queue-entries>"))
+          .withClock(clock)
+          .build();

  @Before
  public void before() {
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Shicong Huang	1ded33ecea	Resolve warnings in the Hibernate log (#542 )	2020-04-03 18:04:55 -04:00
Shicong Huang	bf4659f11c	Auto-apply JPA converters for map type (#520 ) * Add map converter * Delete old map usertype * Refactor bind * Change to use map entry * Use Map.Entry	2020-04-03 10:47:42 -04:00
Shicong Huang	bac1998d6a	Auto-apply JPA converters for map type (#520 ) * Add map converter * Delete old map usertype * Refactor bind * Change to use map entry * Use Map.Entry	2020-04-02 16:43:08 -04:00
gbrodman	4a34369ba9	Submit a task to relock domains if desired upon verification (#529 ) * Submit a task to relock domains if desired upon verification * Merge remote-tracking branch 'origin/master' into verifyRelock * Respond to CR	2020-04-02 15:18:29 -04:00
Shicong Huang	db7d49801d	Supress exccesive logging message from Cloud SQL (#540 ) * Supress exccesive logging message from Cloud SQL * Upgrade package versions that were downgraded before	2020-03-31 17:57:18 -04:00
sarahcaseybot	0c52d209e5	Fix IllegalArgumentException (#536 ) * Fix IllegalArgumentException * Add more information about global locks * Add null checks	2020-03-30 11:36:09 -04:00
gbrodman	73b98d298b	Add a set of radio buttons for relock duration (#535 ) * Add a set of radio buttons for relock duration	2020-03-30 11:06:32 -04:00
Michael Muller	7880aab386	Fix optional access for VKey nested keys (#539 ) * Fix optional access for VKey nested keys We should have used ofNullable() instead of of() for key creation. Also add a unit test.	2020-03-30 11:01:25 -04:00
Michael Muller	fa9134328a	Improve error information in coverage test. (#537 ) * Improve error information in coverage test. If the golden schema isn't up-to-date with the persistence model, the coverage tests fail with an exception chain that ends in a PSQLException 'relation "TableName" does not exist' which is kind of misleading when the problem is that your golden schema isn't up-to-date. Check for this error in the coverage tests and generate a more informative error message indicating a likely root cause.	2020-03-27 14:58:01 -04:00
Michael Muller	5b452bf074	Key to VKey conversion for Nameserver (#476 ) * Key to VKey conversion for Nameserver This change illustrates the conversion of a single key in the system (Key<HostResource> as used in the "nameservers" field of DomainBase) to a VKey. It currently builds, but had some curious (possibly unrelated?) test failures that I have not fully investigated. * Latest round of changes, all tests pass. * Changes requested in review. * Fix problems with null check in VKey accessors Add maybeGet versions of getSqlKey() and getOfyKey() that return Optional objects and make the nameserver management routines use those instead.	2020-03-26 17:13:30 -04:00
Weimin Yu	f749236500	Reuse JPA EntityManagerFactory in tests (#533 ) * Reuse JPA EntityManagerFactory in tests Reuse EntityManagerFactory instance in tests if the requested schema stays the same. Only truncate tables and reset sequences when reusing. Note that the jdbc driver needs to be informed to expect out-of-band schema changes.	2020-03-26 16:51:47 -04:00
gbrodman	e7825fae66	Don't rely on the password field's existence for admins (#534 ) * Don't rely on the password field's existence for admins We don't have the field when it's an admin user that's logged in. A nicer language would have caught this unfortunately.	2020-03-26 15:55:54 -04:00
gbrodman	91155d6c67	Fix up lock modal wording (#532 ) * Fix up lock modal wording When locking a domain, the "domain" variable is null so we shouldn't display it.	2020-03-26 15:52:11 -04:00
gbrodman	2ff1026cfd	Handle null GAE user IDs gracefully (for non-admins) (#531 ) Unfortunately in our testing environments, we're all admins so it's easy to miss things like this.	2020-03-26 14:29:05 -04:00
Weimin Yu	f1c46b8030	Drop postgresql schema instead of database in Sql tests (#530 ) * Drop schema instead of database in Sql tests Speed up the database cleanup between tests by dropping the schema instead of the database. The new approach is much faster. Ad hoc measurement on my desktop shows that :core:sqlIntegrationTest improves from 73 seconds to 48 seconds, and :core:standardTest improves from 12m40 to 7m40.	2020-03-25 21:03:58 -04:00
gbrodman	d663bf4db5	Add CSS spinner while loading locks content (#527 ) * Add CSS spinner while loading locks content	2020-03-24 15:33:17 -04:00
gbrodman	acf0baf048	Fix semantic merge conflict (#528 )	2020-03-24 12:29:11 -04:00
gbrodman	2998b56982	Add min length to password fields (#524 ) * Add min length to password fields	2020-03-24 11:16:05 -04:00
gbrodman	7b602300d8	Use the relock duration if provided in RLPA (#519 ) * Use the relock duration if provided in RLPA	2020-03-24 10:33:43 -04:00
Ben McIlwain	fe760d7066	Allow backwards compatibility with JUnit 4 @Rules in JUnit 5 (#526 ) * Allow backwards compatibility with JUnit 4 @Rules in JUnit 5 This allows us to defer having to re-implement all of our JUnit 4 Rules as JUnit 5 extensions for now, while continuing to in-place upgrade all existing JUnit 4 test classes to JUnit 5. As proof of concept, this upgrades PremiumListUtils (which uses AppEngineRule, our largest and most complicated @Rule) to use the JUnit 5 test runner. * Apply formatter to entire file	2020-03-23 14:45:54 -04:00
gbrodman	ad06f265a5	Flat-map registry lock emails to avoid unclean errors in bad situations (#525 ) * Flat map to avoid unclean errors in bad situations Also properly reflect that for admins, we will use their user email * Make MS's GAE user ID a public static field	2020-03-23 11:45:49 -04:00
Shicong Huang	fa9400ebc5	Set postgres package back to runtime dependency (#522 )	2020-03-20 15:43:30 -04:00
gbrodman	519a85af85	Add a registryLockEmailAddress field to RegistrarConctact objects (#523 ) * Add a registryLockEmailAddress field to RegistrarConctact objects Because we need to manage the login email, it should be on an account that we manage. However, for registry lock, we would want to send the verification emails to a separate email address that the user can use. As a result, we will use a second field for a user-accessible registry lock email address. This must be set on the contact when enabling registry lock for this contact. * Responses to CR * derp	2020-03-20 14:12:00 -04:00
sarahcaseybot	b2df127dc4	Add lock dual read (#517 ) * Add lock dual read * small changes	2020-03-20 14:11:00 -04:00
gbrodman	b21042bda9	Fix the test server (#521 ) * Fix the test server This rule isn't necessary any more since we merged the SQL-starting rule into the AppEngineRule logic. Furthermore, it actually causes the test server to crash because we try to drop-and-create the DB twice, the second time while the first instance is still connected.	2020-03-19 11:05:51 -04:00
Lai Jiang	36378f6b10	Upgrade to Gradle 6.2.2 (#518 )	2020-03-18 21:38:37 -04:00
Shicong Huang	d01f1f7604	Make jpaTm for nomulus tool use local credential (#515 ) * Make jpaTm for nomulus tool use local credential * Remove unused methods in RegistryToolEnvironment * Fix order of annotations * Remove unused method in PersistenceComponent * Move the creation of credential to the module * Move creadential creation to AuthModule * Add a TODO	2020-03-17 20:16:42 -04:00
gbrodman	e9610636e4	Add a relockDuration to the RegistryLock SQL object (#514 ) * Add a relockDuration to the RegistryLock SQL object This is the length of time after an unlock that we will re-lock the domain in question. * Sort by domain name for stability Note: this is likely not the best solution for the UI but we can iterate on this. * Add nullable * Add a converter for Duration	2020-03-16 17:44:25 -04:00
gbrodman	d09fc7ee05	Match logged-in GAE user ID with registrar POC user ID (#511 ) * Match logged-in GAE user ID with registrar POC user ID The reasoning for this is thus: We wish to have the users log in using Google-managed addresses--this is so that we can manage enforcement of things like 2FA, as well as generic account management. However, we wish for the registry-lock confirmation emails to go to their standard non-Google email addresses--e.g. johndoe@theregistrar.com, rather than johndoe@registry.google. As a result, for registry lock, we will enable it on the johndoe@registry.google account, but we will alter the email address of the corresponding Registrar POC account to contain johndoe@theregistrar.com. By doing this, the user will still be logging in using the @registry.google account but we'll match to their actual contact email. * fix up comments and messages * Error if >1 matching contact * include email addresses * set default optional * fix tests	2020-03-16 11:38:05 -04:00
Shicong Huang	0545375eba	Change cloud sql SDK to compile level dependency (#516 )	2020-03-16 10:24:19 -04:00
Michael Muller	8a045aedd0	Disambiguate naming of VKey.create() overloads (#513 ) * Disambiguate naming of VKey.create() overloads It was discovered in the course of trying to convert the larger codebase to VKey.create() calls that method overloading isn't a very effective discriminator in cases where "Object" is one of the distinguishing argument types:-) Convert the two specialized create() methods to createOfy() and createSql() so that (at least in the former case) we'll get a compile-time error if we aim to create a VKey for an Ofy key from an object of the incorrect type.	2020-03-12 16:13:12 -04:00
gbrodman	560bec1e83	Add a RelockDomainAction for future auto-relocks (#485 ) * Add a RelockAction and reference to relocks in RegistryLocks * Respond to CR - refactor the request param exception logging a bit - don't log an error if the domain was already locked, just skip * Save a relock for all locks (if possible) * derp * Long -> long + remove unnecessary transact * semantic merge conflict woo * fix another semantic merge conflict	2020-03-12 16:02:27 -04:00
Lai Jiang	3e7ea75b6f	Use cs.opensource.google for code search (#512 ) * Use cs.opensource.google for code search * Change logo size * Make texts in the table center-aligned	2020-03-12 14:06:04 -04:00
Weimin Yu	6ed7e00b00	Update SqlIntegrationTestSuite (#510 ) * Update SqlIntegrationTestSuite Edited Javadoc to emphasize that suite members should be DAO tests. Removed functional tests from the suite. They do not benefit much from running against different schemas when the entities they use are already covered by DAO tests. Added DomainBaseSqlTest to the suite, which tests DomainBase.	2020-03-11 14:11:53 -04:00
Michael Muller	6e1231233e	Create a nom_build wrapper script (#508 ) * Create a nom_build wrapper script nom_build is a wrapper around ./gradlew. It's purpose is to help us deal with properties. The main problem that it is trying to solve is that when properties are specified using -P, we don't get an error if the property we specify isn't correct. As a result, a user or a build agent can launch a build with unintended parameters. nom_build consolidates all of the properties that we define into a python script where the properties are translated to flags (actual gradlew flags are also proxied). It also generates the property file and warns the user if the current properties file is out of sync with the script and includes documentation on each of the properties.	2020-03-10 16:32:14 -04:00
Shicong Huang	3098048fdb	Enable Cloud SQL when Datastore is enabled for unit test (#502 ) * Enable Cloud SQL when Datastore is enabled for unit test * Add explanation for why add a ETA field in GenerateEscrowDepositCommand * Fix line length * Ignore membershipt test but bring back test suite * Fix tiny issue	2020-03-10 12:26:25 -04:00
gbrodman	f2846fc914	Gray out the password field for admins (#506 ) * Gray out the password field for admins We don't check it for admins since it's not necessary, so ignore it * Remove the field entirely	2020-03-10 11:30:20 -04:00
gbrodman	499237ac57	Listen to the user hitting enter in the lock/unlock modal input fields (#505 ) * Listen to the user hitting enter in the lock/unlock modal input fields Listen to both, just in case one or the other is disabled * Don't require that the element exist	2020-03-10 11:22:57 -04:00
Weimin Yu	6bd50421bc	Fix broken builds when Maven Central is used (#509 ) * Fix broken builds when Maven Central is used Gradle 6.2.1 apparently introduces a behavior change wrt boolean expression: empty string used to eval to false, but now evals to true. Pre Gradle 6.2.1, root project's Gradle properties apparently were not set to buildSrc. Now they are passed on to buildSrc -- mavenUrl in buildSrc changes from null to "". Both changes break the project when mavenUrl and/or pluginsUrl are not set on command line. Also added junit.jupiter-api as testCompile dependencies to projects. This is a directly used dependency, whose absence causes a Lint warning.	2020-03-10 11:21:03 -04:00
sarahcaseybot	dbdd2b4491	Add Lock dual write (#496 ) * Add Lock dual write * wrap calls in DB transaction	2020-03-09 11:13:46 -04:00
gbrodman	f83f8f92a3	Show locks in the case where you have an expired unlock request (#507 ) * Show locks in the case where you have an expired unlock request	2020-03-06 22:00:42 -05:00
gbrodman	28d3af0ee9	Change the wording on the lock-not-enabled page (#504 ) * Change the wording on the lock-not-enabled page * fix the screenshot	2020-03-06 16:15:11 -05:00