Create a scrap command to re-enable billing recurrences that were closed (#2077)

This is part of b/247839944 as a followup to the large bug from
September 2022. As a result of that, there are domains whose
BillingRecurrence objects were closed but the domain wasn't deleted. In
order to avoid having these domains stick around forever without being
billed, we want to restart billing on them whenever their next billing
cycle would have been.

build.gradle

@@ -332,6 +332,17 @@ subprojects {
     }
   }
 
+  // 'listenablefuture' is folded into guava since v32. This block is required
+  // until all transitive dependencies have upgraded past guava v32.
+  // TODO(periodically): remove this block and see if build succeeds.
+  configurations.all {
+    resolutionStrategy
+            .capabilitiesResolution
+            .withCapability("com.google.guava:listenablefuture") {
+      select("com.google.guava:guava:0")
+    }
+  }
+
   def services = [':services:default',
                   ':services:backend',
                   ':services:tools',
@@ -548,6 +559,7 @@ tasks.build.dependsOn(tasks.javadoc)
 // core Nomulus codebase, and runs all presubmits.
 task coreDev {
   dependsOn 'javaIncrementalFormatApply'
+  dependsOn 'console-webapp:applyFormatting'
   dependsOn 'javadoc'
   dependsOn 'checkDependenciesDotGradle'
   dependsOn 'checkLicense'
@@ -564,14 +576,18 @@ task deployCloudSchedulerAndQueue {
     def env = environment
     if (!prodOrSandboxEnv) {
       exec {
+        workingDir "${rootDir}/release/builder/"
         commandLine 'go', 'run',
-                "${rootDir}/release/builder/deployCloudSchedulerAndQueue.go",
+                "./deployCloudSchedulerAndQueue.go",
+                "${rootDir}/core/src/main/java/google/registry/config/files/nomulus-config-${env}.yaml",
                 "${rootDir}/core/src/main/java/google/registry/env/${env}/default/WEB-INF/cloud-scheduler-tasks.xml",
                 "domain-registry-${env}"
       }
       exec {
+        workingDir "${rootDir}/release/builder/"
         commandLine 'go', 'run',
-                "${rootDir}/release/builder/deployCloudSchedulerAndQueue.go",
+                "./deployCloudSchedulerAndQueue.go",
+                "${rootDir}/core/src/main/java/google/registry/config/files/nomulus-config-${env}.yaml",
                 "${rootDir}/core/src/main/java/google/registry/env/common/default/WEB-INF/cloud-tasks-queue.xml",
                 "domain-registry-${env}"
       }

buildSrc/build.gradle.kts

@@ -69,6 +69,17 @@ apply(from = "../dependencies.gradle")
 apply(from = "../dependency_lic.gradle")
 apply(from = "../java_common.gradle")
 
+// 'listenablefuture' is folded into guava since v32. This block is required
+// until all transitive dependencies have upgraded past guava v32.
+// TODO(periodically): remove this block and see if build succeeds.
+configurations.all {
+  resolutionStrategy
+      .capabilitiesResolution
+      .withCapability("com.google.guava:listenablefuture") {
+      select("com.google.guava:guava:0")
+  }
+}
+
 project.the<SourceSetContainer>()["main"].java {
   srcDir("${project.buildDir}/generated/source/apt/main")
 }

buildSrc/gradle.lockfile

@@ -10,41 +10,43 @@ com.github.ben-manes.caffeine:caffeine:2.7.0=annotationProcessor,testAnnotationP
 com.github.kevinstern:software-and-algorithms:1.0=annotationProcessor,testAnnotationProcessor
 com.google.android:annotations:4.1.1.4=testRuntimeClasspath
 com.google.api-client:google-api-client:2.2.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:gapic-google-cloud-storage-v2:2.22.2-alpha=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-storage-v2:2.22.2-alpha=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-storage-v2:2.22.2-alpha=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-common-protos:2.18.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-iam-v1:1.13.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:api-common:2.10.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:gax-grpc:2.27.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:gax-httpjson:0.112.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:gax:2.27.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-storage:v1-rev20230301-2.0.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.auth:google-auth-library-credentials:1.16.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.auth:google-auth-library-oauth2-http:1.16.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:gapic-google-cloud-storage-v2:2.23.0-alpha=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-storage-v2:2.23.0-alpha=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-storage-v2:2.23.0-alpha=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-common-protos:2.20.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-iam-v1:1.15.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:api-common:2.12.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:gax-grpc:2.29.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:gax-httpjson:0.114.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:gax:2.29.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-storage:v1-rev20230617-2.0.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.auth:google-auth-library-credentials:1.17.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.auth:google-auth-library-oauth2-http:1.17.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auto.value:auto-value-annotations:1.10.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.auto.value:auto-value:1.10.1=annotationProcessor
+com.google.auto.value:auto-value:1.10.2=annotationProcessor
 com.google.auto:auto-common:0.10=annotationProcessor,testAnnotationProcessor
-com.google.cloud:google-cloud-core-grpc:2.17.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-core-http:2.17.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-core:2.17.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-storage:2.22.2=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-core-grpc:2.19.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-core-http:2.19.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-core:2.19.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-storage:2.23.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.code.findbugs:jFormatString:3.0.0=annotationProcessor,testAnnotationProcessor
 com.google.code.findbugs:jsr305:3.0.2=annotationProcessor,checkstyle,compileClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
 com.google.code.gson:gson:2.10.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.common.html.types:types:1.0.6=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.errorprone:error_prone_annotation:2.3.4=annotationProcessor,testAnnotationProcessor
-com.google.errorprone:error_prone_annotations:2.18.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.errorprone:error_prone_annotations:2.18.0=compileClasspath
+com.google.errorprone:error_prone_annotations:2.19.1=testCompileClasspath,testRuntimeClasspath
 com.google.errorprone:error_prone_annotations:2.3.4=annotationProcessor,checkstyle,testAnnotationProcessor
 com.google.errorprone:error_prone_check_api:2.3.4=annotationProcessor,testAnnotationProcessor
 com.google.errorprone:error_prone_core:2.3.4=annotationProcessor,testAnnotationProcessor
 com.google.errorprone:error_prone_type_annotations:2.3.4=annotationProcessor,testAnnotationProcessor
 com.google.escapevelocity:escapevelocity:0.9.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.guava:failureaccess:1.0.1=annotationProcessor,checkstyle,compileClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
+com.google.guava:guava-parent:32.1.1-jre=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.guava:guava:27.0.1-jre=annotationProcessor,testAnnotationProcessor
 com.google.guava:guava:29.0-jre=checkstyle
-com.google.guava:guava:31.1-jre=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=annotationProcessor,checkstyle,compileClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
+com.google.guava:guava:32.1.1-jre=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=annotationProcessor,checkstyle,testAnnotationProcessor
 com.google.http-client:google-http-client-apache-v2:1.43.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.http-client:google-http-client-appengine:1.43.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.http-client:google-http-client-gson:1.43.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
@@ -53,16 +55,17 @@ com.google.http-client:google-http-client:1.43.1=compileClasspath,testCompileCla
 com.google.inject.extensions:guice-multibindings:4.1.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.inject:guice:4.1.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.j2objc:j2objc-annotations:1.1=annotationProcessor,testAnnotationProcessor
-com.google.j2objc:j2objc-annotations:1.3=checkstyle,compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.j2objc:j2objc-annotations:1.3=checkstyle
+com.google.j2objc:j2objc-annotations:2.8=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.jsinterop:jsinterop-annotations:1.0.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.oauth-client:google-oauth-client:1.34.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.protobuf:protobuf-java-util:3.21.12=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.protobuf:protobuf-java:3.21.12=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.protobuf:protobuf-java-util:3.23.2=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.protobuf:protobuf-java:3.23.2=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.protobuf:protobuf-java:3.4.0=annotationProcessor,testAnnotationProcessor
-com.google.re2j:re2j:1.6=testRuntimeClasspath
+com.google.re2j:re2j:1.7=testRuntimeClasspath
 com.google.template:soy:2021-02-01=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.truth.extensions:truth-java8-extension:1.1.3=testCompileClasspath,testRuntimeClasspath
-com.google.truth:truth:1.1.3=testCompileClasspath,testRuntimeClasspath
+com.google.truth:truth:1.1.5=testCompileClasspath,testRuntimeClasspath
 com.googlecode.java-diff-utils:diffutils:1.3.0=annotationProcessor,testAnnotationProcessor
 com.ibm.icu:icu4j:57.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.puppycrawl.tools:checkstyle:8.37=checkstyle
@@ -71,20 +74,20 @@ commons-codec:commons-codec:1.15=compileClasspath,testCompileClasspath,testRunti
 commons-collections:commons-collections:3.2.2=checkstyle
 commons-logging:commons-logging:1.2=compileClasspath,testCompileClasspath,testRuntimeClasspath
 info.picocli:picocli:4.5.2=checkstyle
-io.grpc:grpc-alts:1.54.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-api:1.54.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-auth:1.54.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-context:1.54.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-core:1.54.0=testRuntimeClasspath
-io.grpc:grpc-googleapis:1.54.0=testRuntimeClasspath
-io.grpc:grpc-grpclb:1.54.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-netty-shaded:1.54.0=testRuntimeClasspath
-io.grpc:grpc-protobuf-lite:1.54.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-protobuf:1.54.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-rls:1.54.0=testRuntimeClasspath
-io.grpc:grpc-services:1.54.0=testRuntimeClasspath
-io.grpc:grpc-stub:1.54.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-xds:1.54.0=testRuntimeClasspath
+io.grpc:grpc-alts:1.56.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-api:1.56.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-auth:1.56.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-context:1.56.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-core:1.56.0=testRuntimeClasspath
+io.grpc:grpc-googleapis:1.56.0=testRuntimeClasspath
+io.grpc:grpc-grpclb:1.56.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-netty-shaded:1.56.0=testRuntimeClasspath
+io.grpc:grpc-protobuf-lite:1.56.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-protobuf:1.56.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-rls:1.56.0=testRuntimeClasspath
+io.grpc:grpc-services:1.56.0=testRuntimeClasspath
+io.grpc:grpc-stub:1.56.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-xds:1.56.0=testRuntimeClasspath
 io.opencensus:opencensus-api:0.31.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
 io.opencensus:opencensus-contrib-http-util:0.31.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
 io.opencensus:opencensus-proto:0.2.0=testRuntimeClasspath
@@ -93,8 +96,8 @@ javax.annotation:javax.annotation-api:1.3.2=compileClasspath,testCompileClasspat
 javax.annotation:jsr250-api:1.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
 javax.inject:javax.inject:1=compileClasspath,testCompileClasspath,testRuntimeClasspath
 junit:junit:4.13.2=testCompileClasspath,testRuntimeClasspath
-net.bytebuddy:byte-buddy-agent:1.14.4=testCompileClasspath,testRuntimeClasspath
-net.bytebuddy:byte-buddy:1.14.4=testCompileClasspath,testRuntimeClasspath
+net.bytebuddy:byte-buddy-agent:1.12.19=testCompileClasspath,testRuntimeClasspath
+net.bytebuddy:byte-buddy:1.12.19=testCompileClasspath,testRuntimeClasspath
 net.sf.saxon:Saxon-HE:10.3=checkstyle
 org.antlr:antlr4-runtime:4.8-1=checkstyle
 org.apache.commons:commons-lang3:3.12.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
@@ -104,7 +107,8 @@ org.apache.httpcomponents:httpcore:4.4.16=compileClasspath,testCompileClasspath,
 org.apiguardian:apiguardian-api:1.1.2=testCompileClasspath
 org.checkerframework:checker-qual:2.11.1=checkstyle
 org.checkerframework:checker-qual:3.0.0=annotationProcessor,testAnnotationProcessor
-org.checkerframework:checker-qual:3.32.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+org.checkerframework:checker-qual:3.33.0=compileClasspath
+org.checkerframework:checker-qual:3.35.0=testCompileClasspath,testRuntimeClasspath
 org.checkerframework:dataflow:3.0.0=annotationProcessor,testAnnotationProcessor
 org.checkerframework:javacutil:3.0.0=annotationProcessor,testAnnotationProcessor
 org.codehaus.mojo:animal-sniffer-annotations:1.17=annotationProcessor,testAnnotationProcessor
@@ -117,14 +121,14 @@ org.jacoco:org.jacoco.core:0.8.7=jacocoAnt
 org.jacoco:org.jacoco.report:0.8.7=jacocoAnt
 org.javassist:javassist:3.26.0-GA=checkstyle
 org.json:json:20160212=compileClasspath,testCompileClasspath,testRuntimeClasspath
-org.junit.jupiter:junit-jupiter-api:5.10.0-M1=testCompileClasspath,testRuntimeClasspath
-org.junit.jupiter:junit-jupiter-engine:5.10.0-M1=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-commons:1.10.0-M1=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-engine:1.10.0-M1=testCompileClasspath,testRuntimeClasspath
-org.junit:junit-bom:5.10.0-M1=testCompileClasspath,testRuntimeClasspath
-org.mockito:mockito-core:5.3.1=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-api:5.10.0-RC1=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-engine:5.10.0-RC1=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-commons:1.10.0-RC1=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-engine:1.10.0-RC1=testCompileClasspath,testRuntimeClasspath
+org.junit:junit-bom:5.10.0-RC1=testCompileClasspath,testRuntimeClasspath
+org.mockito:mockito-core:4.11.0=testCompileClasspath,testRuntimeClasspath
 org.objenesis:objenesis:3.3=testRuntimeClasspath
-org.opentest4j:opentest4j:1.2.0=testCompileClasspath,testRuntimeClasspath
+org.opentest4j:opentest4j:1.3.0=testCompileClasspath,testRuntimeClasspath
 org.ow2.asm:asm-analysis:7.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
 org.ow2.asm:asm-analysis:9.1=jacocoAnt
 org.ow2.asm:asm-commons:7.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
@@ -133,7 +137,8 @@ org.ow2.asm:asm-tree:7.0=compileClasspath,testCompileClasspath,testRuntimeClassp
 org.ow2.asm:asm-tree:9.1=jacocoAnt
 org.ow2.asm:asm-util:7.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
 org.ow2.asm:asm:7.0=compileClasspath
-org.ow2.asm:asm:9.1=jacocoAnt,testCompileClasspath,testRuntimeClasspath
+org.ow2.asm:asm:9.1=jacocoAnt
+org.ow2.asm:asm:9.5=testCompileClasspath,testRuntimeClasspath
 org.pcollections:pcollections:2.1.2=annotationProcessor,testAnnotationProcessor
 org.plumelib:plume-util:1.0.6=annotationProcessor,testAnnotationProcessor
 org.plumelib:reflection-util:0.0.2=annotationProcessor,testAnnotationProcessor

common/gradle.lockfile

@@ -10,19 +10,21 @@ com.google.auto:auto-common:0.10=annotationProcessor,errorprone,testAnnotationPr
 com.google.code.findbugs:jFormatString:3.0.0=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
 com.google.code.findbugs:jsr305:3.0.2=annotationProcessor,checkstyle,compileClasspath,default,deploy_jar,errorprone,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath,testing,testingAnnotationProcessor,testingCompileClasspath
 com.google.errorprone:error_prone_annotation:2.3.4=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
-com.google.errorprone:error_prone_annotations:2.11.0=compileClasspath,default,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
+com.google.errorprone:error_prone_annotations:2.18.0=compileClasspath,default,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
 com.google.errorprone:error_prone_annotations:2.3.4=annotationProcessor,checkstyle,errorprone,testAnnotationProcessor,testingAnnotationProcessor
 com.google.errorprone:error_prone_check_api:2.3.4=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
 com.google.errorprone:error_prone_core:2.3.4=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
 com.google.errorprone:error_prone_type_annotations:2.3.4=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
 com.google.flogger:flogger:0.7.4=compileClasspath,default,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
 com.google.guava:failureaccess:1.0.1=annotationProcessor,checkstyle,compileClasspath,default,deploy_jar,errorprone,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath,testing,testingAnnotationProcessor,testingCompileClasspath
+com.google.guava:guava-parent:32.1.1-jre=compileClasspath,default,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
 com.google.guava:guava:27.0.1-jre=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
 com.google.guava:guava:29.0-jre=checkstyle
-com.google.guava:guava:31.1-jre=compileClasspath,default,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
-com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=annotationProcessor,checkstyle,compileClasspath,default,deploy_jar,errorprone,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath,testing,testingAnnotationProcessor,testingCompileClasspath
+com.google.guava:guava:32.1.1-jre=compileClasspath,default,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
+com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=annotationProcessor,checkstyle,errorprone,testAnnotationProcessor,testingAnnotationProcessor
 com.google.j2objc:j2objc-annotations:1.1=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
-com.google.j2objc:j2objc-annotations:1.3=checkstyle,compileClasspath,default,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
+com.google.j2objc:j2objc-annotations:1.3=checkstyle
+com.google.j2objc:j2objc-annotations:2.8=compileClasspath,testCompileClasspath,testingCompileClasspath
 com.google.protobuf:protobuf-java:3.4.0=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
 com.google.truth:truth:1.1.3=compileClasspath,default,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
 com.googlecode.java-diff-utils:diffutils:1.3.0=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
@@ -40,7 +42,7 @@ org.apiguardian:apiguardian-api:1.1.2=testCompileClasspath
 org.checkerframework:checker-compat-qual:2.5.3=compileClasspath,default,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
 org.checkerframework:checker-qual:2.11.1=checkstyle
 org.checkerframework:checker-qual:3.0.0=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
-org.checkerframework:checker-qual:3.19.0=compileClasspath,default,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
+org.checkerframework:checker-qual:3.33.0=compileClasspath,default,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
 org.checkerframework:dataflow:3.0.0=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
 org.checkerframework:javacutil:3.0.0=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
 org.codehaus.mojo:animal-sniffer-annotations:1.17=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
@@ -50,12 +52,12 @@ org.jacoco:org.jacoco.ant:0.8.7=jacocoAnt
 org.jacoco:org.jacoco.core:0.8.7=jacocoAnt
 org.jacoco:org.jacoco.report:0.8.7=jacocoAnt
 org.javassist:javassist:3.26.0-GA=checkstyle
-org.junit.jupiter:junit-jupiter-api:5.10.0-M1=testCompileClasspath,testRuntimeClasspath
-org.junit.jupiter:junit-jupiter-engine:5.10.0-M1=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-commons:1.10.0-M1=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-engine:1.10.0-M1=testCompileClasspath,testRuntimeClasspath
-org.junit:junit-bom:5.10.0-M1=testCompileClasspath,testRuntimeClasspath
-org.opentest4j:opentest4j:1.2.0=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-api:5.10.0-RC1=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-engine:5.10.0-RC1=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-commons:1.10.0-RC1=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-engine:1.10.0-RC1=testCompileClasspath,testRuntimeClasspath
+org.junit:junit-bom:5.10.0-RC1=testCompileClasspath,testRuntimeClasspath
+org.opentest4j:opentest4j:1.3.0=testCompileClasspath,testRuntimeClasspath
 org.ow2.asm:asm-analysis:9.1=jacocoAnt
 org.ow2.asm:asm-commons:9.1=jacocoAnt
 org.ow2.asm:asm-tree:9.1=jacocoAnt

config/dependency-license/allowed_licenses.json

@@ -287,6 +287,12 @@
       "moduleLicense": null,
       "moduleName": "com.fasterxml.jackson:jackson-bom"
     },
+    {
+      // Part of Guava with "Apache License, Version 2.0". The plugin is unable
+      // to parse its license for unknown reason.
+      "moduleLicense": null,
+      "moduleName": "com.google.guava:guava-parent"
+    },
     {
       // "Apache License, Version 2.0". The plugin is able to parse up to
       // 2.0.33.Final but not this verson.

console-webapp/build.gradle

@@ -50,12 +50,20 @@ task buildConsoleWebappProd(type: Exec) {
   args 'run', 'build'
 }
 
-task applyFormatting() {
-  exec {
-    workingDir "${consoleDir}/"
-    commandLine 'npm', 'run', 'prettify'
-  }
+task applyFormatting(type: Exec) {
+  workingDir "${consoleDir}/"
+  executable 'npm'
+  args 'run', 'prettify'
+}
+
+task checkFormatting(type: Exec) {
+  workingDir "${consoleDir}/"
+  executable 'npm'
+  args 'run', 'prettify:check'
 }
 
 tasks.runConsoleWebappUnitTests.dependsOn(tasks.npmInstallDeps)
 tasks.buildConsoleWebappProd.dependsOn(tasks.npmInstallDeps)
+tasks.applyFormatting.dependsOn(tasks.npmInstallDeps)
+tasks.checkFormatting.dependsOn(tasks.npmInstallDeps)
+tasks.build.dependsOn(tasks.checkFormatting)

console-webapp/package.json

@@ -10,6 +10,7 @@
     "test": "ng test --browsers=ChromeHeadless --watch=false",
     "run:dev": "",
     "prettify": "npx prettier --write ./src/",
+    "prettify:check": "npx prettier --check ./src/",
     "start:dev": "concurrently \"./../gradlew :core:runTestServer\" \"ng serve --proxy-config dev-proxy.config.json\"",
     "lint": "ng lint"
   },

core/gradle.lockfile

@@ -36,48 +36,50 @@ com.google.api-client:google-api-client-jackson2:1.32.2=compileClasspath,default
 com.google.api-client:google-api-client-java6:1.35.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.api-client:google-api-client-servlet:1.35.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.api-client:google-api-client:1.35.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:gapic-google-cloud-storage-v2:2.22.2-alpha=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1:2.34.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.158.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta2:0.158.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-bigtable-v2:2.20.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-pubsub-v1:1.105.7=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-pubsublite-v1:1.12.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-spanner-admin-database-v1:6.38.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-spanner-admin-instance-v1:6.38.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-spanner-v1:6.38.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-storage-v2:2.22.2-alpha=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-common-protos:2.14.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-bigquerystorage-v1:2.34.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-bigquerystorage-v1beta1:0.158.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-bigquerystorage-v1beta2:0.158.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-bigtable-admin-v2:2.20.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-bigtable-v2:2.20.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-datastore-v1:0.105.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-firestore-v1:3.9.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:gapic-google-cloud-storage-v2:2.22.5-alpha=testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:gapic-google-cloud-storage-v2:2.23.0-alpha=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1:2.36.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.160.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta2:0.160.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-bigtable-v2:2.22.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-pubsub-v1:1.105.11=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-pubsublite-v1:1.12.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-spanner-admin-database-v1:6.41.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-spanner-admin-instance-v1:6.41.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-spanner-v1:6.41.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-storage-v2:2.22.5-alpha=testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-storage-v2:2.23.0-alpha=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+com.google.api.grpc:grpc-google-common-protos:2.17.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-bigquerystorage-v1:2.36.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-bigquerystorage-v1beta1:0.160.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-bigquerystorage-v1beta2:0.160.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-bigtable-admin-v2:2.22.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-bigtable-v2:2.22.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-datastore-v1:0.105.5=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-firestore-v1:3.10.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.api.grpc:proto-google-cloud-monitoring-v3:1.64.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-com.google.api.grpc:proto-google-cloud-monitoring-v3:3.14.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-pubsub-v1:1.105.7=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-pubsublite-v1:1.12.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-secretmanager-v1:2.17.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-secretmanager-v1beta1:2.17.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-spanner-admin-database-v1:6.38.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-spanner-admin-instance-v1:6.38.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-spanner-v1:6.38.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-storage-v2:2.22.2-alpha=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-tasks-v2:2.17.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-tasks-v2beta2:0.107.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-tasks-v2beta3:0.107.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-common-protos:2.18.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-iam-v1:1.13.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:api-common:2.10.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:gax-grpc:2.27.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:gax-httpjson:0.112.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:gax:2.27.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-monitoring-v3:3.17.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-pubsub-v1:1.105.11=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-pubsublite-v1:1.12.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-secretmanager-v1:2.20.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-secretmanager-v1beta1:2.20.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-spanner-admin-database-v1:6.41.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-spanner-admin-instance-v1:6.41.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-spanner-v1:6.41.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-storage-v2:2.22.5-alpha=testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-storage-v2:2.23.0-alpha=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+com.google.api.grpc:proto-google-cloud-tasks-v2:2.20.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-tasks-v2beta2:0.110.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-tasks-v2beta3:0.110.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-common-protos:2.21.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-iam-v1:1.16.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:api-common:2.13.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:gax-grpc:2.30.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:gax-httpjson:2.30.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:gax:2.30.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-admin-directory:directory_v1-rev118-1.25.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-appengine:v1-rev20230424-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-appengine:v1-rev20230601-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-bigquery:v2-rev20220924-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-clouddebugger:v2-rev20220318-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-cloudresourcemanager:v1-rev20220828-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-dataflow:v1b3-rev20220920-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-dns:v2beta1-rev99-1.25.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
@@ -86,21 +88,22 @@ com.google.apis:google-api-services-gmail:v1-rev20220404-2.0.0=compileClasspath,
 com.google.apis:google-api-services-groupssettings:v1-rev20210624-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-healthcare:v1-rev20220818-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-iamcredentials:v1-rev20210326-1.32.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-monitoring:v3-rev20230521-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-monitoring:v3-rev20230529-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-pubsub:v1-rev20220904-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-sheets:v4-rev20230227-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-sheets:v4-rev20230526-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-sqladmin:v1beta4-rev20230403-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-storage:v1-rev20230301-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-storage:v1-rev20230617-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.appengine:appengine-api-1.0-sdk:1.9.86=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
-com.google.appengine:appengine-api-1.0-sdk:2.0.14=testCompileClasspath,testRuntimeClasspath
-com.google.appengine:appengine-api-stubs:2.0.14=testCompileClasspath,testRuntimeClasspath
+com.google.appengine:appengine-api-1.0-sdk:2.0.16=testCompileClasspath,testRuntimeClasspath
+com.google.appengine:appengine-api-stubs:2.0.16=testCompileClasspath,testRuntimeClasspath
 com.google.appengine:appengine-testing:1.9.86=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.auth:google-auth-library-credentials:1.16.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.auth:google-auth-library-oauth2-http:1.16.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.auto.service:auto-service-annotations:1.1.0=annotationProcessor,compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.auto.service:auto-service:1.1.0=annotationProcessor
+com.google.auth:google-auth-library-credentials:1.18.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.auth:google-auth-library-oauth2-http:1.18.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.auto.service:auto-service-annotations:1.1.1=annotationProcessor,compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.auto.service:auto-service:1.1.1=annotationProcessor
 com.google.auto.value:auto-value-annotations:1.10.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.auto.value:auto-value:1.10.1=annotationProcessor,compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
+com.google.auto.value:auto-value:1.10.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.auto.value:auto-value:1.10.2=annotationProcessor,testAnnotationProcessor
 com.google.auto:auto-common:0.10=errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 com.google.auto:auto-common:1.2.1=annotationProcessor
 com.google.closure-stylesheets:closure-stylesheets:1.5.0=css
@@ -108,26 +111,30 @@ com.google.cloud.bigdataoss:gcsio:2.2.6=compileClasspath,default,deploy_jar,nonp
 com.google.cloud.bigdataoss:util:2.2.6=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.cloud.bigtable:bigtable-client-core-config:1.28.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.cloud.datastore:datastore-v1-proto-client:2.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud.sql:jdbc-socket-factory-core:1.11.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud.sql:postgres-socket-factory:1.11.2=default,deploy_jar,runtimeClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-bigquerystorage:2.34.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-bigtable-stats:2.20.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-bigtable:2.20.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-core-grpc:2.17.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-core-http:2.17.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-core:2.17.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-firestore:3.9.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud.sql:jdbc-socket-factory-core:1.12.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud.sql:postgres-socket-factory:1.12.0=default,deploy_jar,runtimeClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-bigquerystorage:2.36.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-bigtable-stats:2.22.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-bigtable:2.22.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-core-grpc:2.19.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+com.google.cloud:google-cloud-core-grpc:2.20.0=testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-core-http:2.19.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+com.google.cloud:google-cloud-core-http:2.20.0=testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-core:2.19.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+com.google.cloud:google-cloud-core:2.20.0=testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-firestore:3.10.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.cloud:google-cloud-monitoring:1.82.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-com.google.cloud:google-cloud-monitoring:3.14.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-nio:0.126.15=testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-pubsub:1.123.7=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-pubsublite:1.12.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-secretmanager:2.17.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-spanner:6.38.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-storage:2.22.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-tasks:2.17.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-monitoring:3.17.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-nio:0.126.18=testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-pubsub:1.123.11=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-pubsublite:1.12.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-secretmanager:2.20.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-spanner:6.41.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-storage:2.22.5=testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-storage:2.23.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+com.google.cloud:google-cloud-tasks:2.20.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.cloud:grpc-gcp:1.4.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:proto-google-cloud-firestore-bundle-v1:3.9.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:proto-google-cloud-firestore-bundle-v1:3.10.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.code.findbugs:jFormatString:3.0.0=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 com.google.code.findbugs:jsr305:3.0.1=css
 com.google.code.findbugs:jsr305:3.0.2=annotationProcessor,checkstyle,compileClasspath,default,deploy_jar,errorprone,nonprodAnnotationProcessor,nonprodCompileClasspath,nonprodRuntime,nonprodRuntimeClasspath,runtime,runtimeClasspath,soy,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
@@ -140,10 +147,10 @@ com.google.dagger:dagger-spi:2.46.1=annotationProcessor,testAnnotationProcessor
 com.google.dagger:dagger:2.46.1=annotationProcessor,compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
 com.google.devtools.ksp:symbol-processing-api:1.8.0-1.0.9=annotationProcessor,testAnnotationProcessor
 com.google.errorprone:error_prone_annotation:2.3.4=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
-com.google.errorprone:error_prone_annotations:2.11.0=annotationProcessor
-com.google.errorprone:error_prone_annotations:2.18.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.errorprone:error_prone_annotations:2.18.0=annotationProcessor,compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testAnnotationProcessor
+com.google.errorprone:error_prone_annotations:2.19.1=testCompileClasspath,testRuntimeClasspath
 com.google.errorprone:error_prone_annotations:2.3.4=checkstyle,errorprone,nonprodAnnotationProcessor
-com.google.errorprone:error_prone_annotations:2.7.1=soy,testAnnotationProcessor
+com.google.errorprone:error_prone_annotations:2.7.1=soy
 com.google.errorprone:error_prone_check_api:2.3.4=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 com.google.errorprone:error_prone_core:2.3.4=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 com.google.errorprone:error_prone_type_annotations:2.3.4=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
@@ -155,25 +162,30 @@ com.google.flogger:flogger:0.7.4=compileClasspath,default,deploy_jar,nonprodComp
 com.google.flogger:google-extensions:0.7.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.googlejavaformat:google-java-format:1.5=annotationProcessor,testAnnotationProcessor
 com.google.guava:failureaccess:1.0.1=annotationProcessor,checkstyle,compileClasspath,default,deploy_jar,errorprone,nonprodAnnotationProcessor,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,soy,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
-com.google.guava:guava-testlib:31.1-jre=testCompileClasspath,testRuntimeClasspath
+com.google.guava:guava-parent:32.1.1-jre=annotationProcessor,compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
+com.google.guava:guava-testlib:32.1.1-jre=testCompileClasspath,testRuntimeClasspath
 com.google.guava:guava:20.0=css
 com.google.guava:guava:27.0.1-jre=errorprone,nonprodAnnotationProcessor
 com.google.guava:guava:29.0-jre=checkstyle
-com.google.guava:guava:31.0.1-jre=soy,testAnnotationProcessor
-com.google.guava:guava:31.1-jre=annotationProcessor,compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=annotationProcessor,checkstyle,compileClasspath,default,deploy_jar,errorprone,nonprodAnnotationProcessor,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,soy,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
+com.google.guava:guava:31.0.1-jre=soy
+com.google.guava:guava:32.1.1-jre=annotationProcessor,compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
+com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=checkstyle,errorprone,nonprodAnnotationProcessor,soy
 com.google.gwt:gwt-user:2.10.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client-apache-v2:1.43.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client-appengine:1.43.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client-gson:1.43.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client-jackson2:1.43.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.http-client:google-http-client-apache-v2:1.43.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+com.google.http-client:google-http-client-apache-v2:1.43.3=testCompileClasspath,testRuntimeClasspath
+com.google.http-client:google-http-client-appengine:1.43.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+com.google.http-client:google-http-client-appengine:1.43.3=testCompileClasspath,testRuntimeClasspath
+com.google.http-client:google-http-client-gson:1.43.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.http-client:google-http-client-jackson2:1.43.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+com.google.http-client:google-http-client-jackson2:1.43.3=testCompileClasspath,testRuntimeClasspath
 com.google.http-client:google-http-client-protobuf:1.41.8=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client:1.43.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.http-client:google-http-client:1.43.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.inject.extensions:guice-multibindings:4.1.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,soy,testCompileClasspath,testRuntimeClasspath
 com.google.inject:guice:4.1.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.inject:guice:7.0.0=soy
 com.google.j2objc:j2objc-annotations:1.1=errorprone,nonprodAnnotationProcessor
-com.google.j2objc:j2objc-annotations:1.3=annotationProcessor,checkstyle,compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,soy,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
+com.google.j2objc:j2objc-annotations:1.3=checkstyle,soy
+com.google.j2objc:j2objc-annotations:2.8=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.javascript:closure-compiler-externs:v20160713=css
 com.google.javascript:closure-compiler-unshaded:v20160713=css
 com.google.javascript:closure-compiler:v20210505=closureCompiler
@@ -187,19 +199,21 @@ com.google.oauth-client:google-oauth-client-java6:1.34.1=compileClasspath,defaul
 com.google.oauth-client:google-oauth-client-jetty:1.34.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.oauth-client:google-oauth-client-servlet:1.34.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.oauth-client:google-oauth-client:1.34.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.protobuf:protobuf-java-util:3.21.12=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.protobuf:protobuf-java-util:3.23.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.protobuf:protobuf-java:2.5.0=css
-com.google.protobuf:protobuf-java:3.21.12=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.protobuf:protobuf-java:3.23.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.protobuf:protobuf-java:3.4.0=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 com.google.protobuf:protobuf-java:4.0.0-rc-2=soy
-com.google.re2j:re2j:1.6=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.re2j:re2j:1.6=compileClasspath,nonprodCompileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.re2j:re2j:1.7=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath
 com.google.template:soy:2021-02-01=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,soy,testCompileClasspath,testRuntimeClasspath
 com.google.truth.extensions:truth-java8-extension:1.1.3=testCompileClasspath,testRuntimeClasspath
-com.google.truth:truth:1.1.3=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.truth:truth:1.1.3=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath
+com.google.truth:truth:1.1.5=testCompileClasspath,testRuntimeClasspath
 com.googlecode.java-diff-utils:diffutils:1.3.0=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 com.googlecode.json-simple:json-simple:1.1.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.ibm.icu:icu4j:57.1=compileClasspath,nonprodCompileClasspath,soy,testCompileClasspath
-com.ibm.icu:icu4j:73.1=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+com.ibm.icu:icu4j:73.2=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
 com.jcraft:jsch:0.1.55=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.lmax:disruptor:3.4.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.puppycrawl.tools:checkstyle:8.37=checkstyle
@@ -210,9 +224,9 @@ com.squareup:kotlinpoet:1.11.0=annotationProcessor,testAnnotationProcessor
 com.sun.activation:jakarta.activation:1.2.2=jaxb
 com.sun.activation:javax.activation:1.2.0=jaxb
 com.sun.istack:istack-commons-runtime:3.0.7=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.sun.istack:istack-commons-runtime:4.1.1=nonprodRuntime,runtime
+com.sun.istack:istack-commons-runtime:4.1.2=nonprodRuntime,runtime
 com.sun.xml.bind:jaxb-impl:2.3.3=jaxb
-com.sun.xml.bind:jaxb-osgi:4.0.2=jaxb
+com.sun.xml.bind:jaxb-osgi:4.0.3=jaxb
 com.sun.xml.bind:jaxb-xjc:2.3.3=jaxb
 com.sun.xml.fastinfoset:FastInfoset:1.2.15=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.thoughtworks.paranamer:paranamer:2.7=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
@@ -238,37 +252,51 @@ io.confluent:kafka-avro-serializer:5.3.2=compileClasspath,default,deploy_jar,non
 io.confluent:kafka-schema-registry-client:5.3.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.github.classgraph:classgraph:4.8.104=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.github.java-diff-utils:java-diff-utils:4.12=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-alts:1.54.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-api:1.54.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-auth:1.54.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-census:1.53.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-context:1.54.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-core:1.54.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-googleapis:1.54.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.grpc:grpc-grpclb:1.54.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-netty-shaded:1.54.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-netty:1.53.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-protobuf-lite:1.54.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-protobuf:1.54.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-rls:1.54.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.grpc:grpc-services:1.53.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-io.grpc:grpc-services:1.54.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.grpc:grpc-stub:1.54.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-xds:1.53.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-io.grpc:grpc-xds:1.54.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.netty:netty-buffer:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.netty:netty-codec-http2:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.netty:netty-codec-http:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.netty:netty-codec-socks:4.1.79.Final=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.netty:netty-codec:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.netty:netty-common:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.netty:netty-handler-proxy:4.1.79.Final=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.netty:netty-handler:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.netty:netty-resolver:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-alts:1.55.1=testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-alts:1.56.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+io.grpc:grpc-api:1.55.1=testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-api:1.56.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+io.grpc:grpc-auth:1.55.1=testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-auth:1.56.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+io.grpc:grpc-census:1.54.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-context:1.55.1=testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-context:1.56.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+io.grpc:grpc-core:1.55.1=testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-core:1.56.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+io.grpc:grpc-googleapis:1.55.1=testRuntimeClasspath
+io.grpc:grpc-googleapis:1.56.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath
+io.grpc:grpc-grpclb:1.55.1=testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-grpclb:1.56.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+io.grpc:grpc-netty-shaded:1.55.1=testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-netty-shaded:1.56.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+io.grpc:grpc-netty:1.54.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-protobuf-lite:1.55.1=testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-protobuf-lite:1.56.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+io.grpc:grpc-protobuf:1.55.1=testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-protobuf:1.56.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+io.grpc:grpc-rls:1.55.1=testRuntimeClasspath
+io.grpc:grpc-rls:1.56.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath
+io.grpc:grpc-services:1.54.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
+io.grpc:grpc-services:1.55.1=testRuntimeClasspath
+io.grpc:grpc-services:1.56.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath
+io.grpc:grpc-stub:1.55.1=testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-stub:1.56.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+io.grpc:grpc-xds:1.54.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
+io.grpc:grpc-xds:1.55.1=testRuntimeClasspath
+io.grpc:grpc-xds:1.56.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath
+io.netty:netty-buffer:4.1.87.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.netty:netty-codec-http2:4.1.87.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.netty:netty-codec-http:4.1.87.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.netty:netty-codec-socks:4.1.87.Final=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+io.netty:netty-codec:4.1.87.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.netty:netty-common:4.1.87.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.netty:netty-handler-proxy:4.1.87.Final=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+io.netty:netty-handler:4.1.87.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.netty:netty-resolver:4.1.87.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.netty:netty-tcnative-boringssl-static:2.0.52.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.netty:netty-tcnative-classes:2.0.52.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.netty:netty-transport-native-unix-common:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.netty:netty-transport:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.netty:netty-transport-native-unix-common:4.1.87.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.netty:netty-transport:4.1.87.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.opencensus:opencensus-api:0.31.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.opencensus:opencensus-contrib-exemplar-util:0.31.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.opencensus:opencensus-contrib-grpc-metrics:0.31.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
@@ -282,7 +310,7 @@ io.opencensus:opencensus-impl:0.31.0=compileClasspath,default,deploy_jar,nonprod
 io.opencensus:opencensus-proto:0.2.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.perfmark:perfmark-api:0.26.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
 jakarta.activation:jakarta.activation-api:2.1.0=jaxb
-jakarta.activation:jakarta.activation-api:2.1.1=nonprodRuntime,runtime
+jakarta.activation:jakarta.activation-api:2.1.2=nonprodRuntime,runtime
 jakarta.inject:jakarta.inject-api:2.0.1=soy
 jakarta.xml.bind:jakarta.xml.bind-api:4.0.0=jaxb,nonprodRuntime,runtime
 javacc:javacc:4.1=css
@@ -302,9 +330,9 @@ jline:jline:1.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonp
 joda-time:joda-time:2.10.10=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 junit:junit:4.13.2=default,nonprodCompileClasspath,nonprodRuntimeClasspath,testCompileClasspath,testRuntimeClasspath
 net.arnx:nashorn-promise:0.1.1=nonprodRuntime,runtime,testRuntimeClasspath
-net.bytebuddy:byte-buddy-agent:1.14.4=testCompileClasspath,testRuntimeClasspath
+net.bytebuddy:byte-buddy-agent:1.14.5=testCompileClasspath,testRuntimeClasspath
 net.bytebuddy:byte-buddy:1.12.18=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
-net.bytebuddy:byte-buddy:1.14.4=testCompileClasspath,testRuntimeClasspath
+net.bytebuddy:byte-buddy:1.14.5=testCompileClasspath,testRuntimeClasspath
 net.java.dev.javacc:javacc:4.1=css
 net.java.dev.jna:jna:5.12.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 net.ltgt.gradle.incap:incap:0.2=annotationProcessor,testAnnotationProcessor
@@ -314,24 +342,24 @@ org.apache.arrow:arrow-format:5.0.0=compileClasspath,default,deploy_jar,nonprodC
 org.apache.arrow:arrow-memory-core:5.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.arrow:arrow-vector:5.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.avro:avro:1.8.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-model-fn-execution:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-model-job-management:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-model-pipeline:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-runners-core-construction-java:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-runners-core-java:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-runners-direct-java:2.47.0=testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-runners-google-cloud-dataflow-java:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-runners-java-fn-execution:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-core:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-expansion-service:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-extensions-arrow:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-extensions-avro:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-extensions-google-cloud-platform-core:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-extensions-protobuf:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-fn-execution:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-io-google-cloud-platform:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-io-kafka:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-vendor-grpc-1_48_1:0.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-model-fn-execution:2.48.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-model-job-management:2.48.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-model-pipeline:2.48.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-runners-core-construction-java:2.48.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-runners-core-java:2.48.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-runners-direct-java:2.48.0=testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-runners-google-cloud-dataflow-java:2.48.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-runners-java-fn-execution:2.48.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-core:2.48.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-expansion-service:2.48.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-extensions-arrow:2.48.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-extensions-avro:2.48.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-extensions-google-cloud-platform-core:2.48.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-extensions-protobuf:2.48.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-fn-execution:2.48.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-io-google-cloud-platform:2.48.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-io-kafka:2.48.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-vendor-grpc-1_54_0:0.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.beam:beam-vendor-guava-26_0-jre:0.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.commons:commons-compress:1.23.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.commons:commons-csv:1.10.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
@@ -346,18 +374,19 @@ org.apache.mina:mina-core:2.1.6=testCompileClasspath,testRuntimeClasspath
 org.apache.sshd:sshd-core:2.0.0=testCompileClasspath,testRuntimeClasspath
 org.apache.sshd:sshd-scp:2.0.0=testCompileClasspath,testRuntimeClasspath
 org.apache.sshd:sshd-sftp:2.0.0=testCompileClasspath,testRuntimeClasspath
-org.apache.tomcat:tomcat-annotations-api:11.0.0-M6=testCompileClasspath,testRuntimeClasspath
+org.apache.tomcat:tomcat-annotations-api:11.0.0-M7=testCompileClasspath,testRuntimeClasspath
 org.apiguardian:apiguardian-api:1.1.2=testCompileClasspath
 org.bouncycastle:bcpg-jdk15on:1.67=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.bouncycastle:bcpkix-jdk15on:1.67=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.bouncycastle:bcprov-jdk15on:1.67=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.checkerframework:checker-compat-qual:2.5.3=nonprodRuntime,runtime
-org.checkerframework:checker-compat-qual:2.5.5=annotationProcessor,compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
+org.checkerframework:checker-compat-qual:2.5.3=compileClasspath,nonprodCompileClasspath,nonprodRuntime,runtime,testCompileClasspath
+org.checkerframework:checker-compat-qual:2.5.5=annotationProcessor,default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testAnnotationProcessor,testRuntimeClasspath
 org.checkerframework:checker-qual:2.11.1=checkstyle
 org.checkerframework:checker-qual:3.0.0=errorprone,nonprodAnnotationProcessor
-org.checkerframework:checker-qual:3.12.0=annotationProcessor,soy,testAnnotationProcessor
+org.checkerframework:checker-qual:3.12.0=soy
 org.checkerframework:checker-qual:3.31.0=nonprodRuntime,runtime
-org.checkerframework:checker-qual:3.32.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.checkerframework:checker-qual:3.33.0=annotationProcessor,compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testAnnotationProcessor
+org.checkerframework:checker-qual:3.35.0=testCompileClasspath,testRuntimeClasspath
 org.checkerframework:dataflow:3.0.0=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 org.checkerframework:javacutil:3.0.0=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 org.codehaus.jackson:jackson-core-asl:1.9.13=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
@@ -366,7 +395,7 @@ org.codehaus.mojo:animal-sniffer-annotations:1.17=errorprone,nonprodAnnotationPr
 org.codehaus.mojo:animal-sniffer-annotations:1.23=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
 org.conscrypt:conscrypt-openjdk-uber:2.5.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.easymock:easymock:3.0=css
-org.eclipse.angus:angus-activation:2.0.0=nonprodRuntime,runtime
+org.eclipse.angus:angus-activation:2.0.1=nonprodRuntime,runtime
 org.eclipse.jetty:jetty-http:9.4.49.v20220914=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.eclipse.jetty:jetty-io:9.4.49.v20220914=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.eclipse.jetty:jetty-security:9.4.49.v20220914=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
@@ -374,12 +403,12 @@ org.eclipse.jetty:jetty-server:9.4.49.v20220914=compileClasspath,default,deploy_
 org.eclipse.jetty:jetty-servlet:9.4.49.v20220914=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.eclipse.jetty:jetty-util-ajax:9.4.49.v20220914=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.eclipse.jetty:jetty-util:9.4.49.v20220914=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.flywaydb:flyway-core:9.19.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.glassfish.jaxb:jaxb-core:4.0.2=nonprodRuntime,runtime
+org.flywaydb:flyway-core:9.20.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.glassfish.jaxb:jaxb-core:4.0.3=nonprodRuntime,runtime
 org.glassfish.jaxb:jaxb-runtime:2.3.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.glassfish.jaxb:jaxb-runtime:4.0.2=nonprodRuntime,runtime
+org.glassfish.jaxb:jaxb-runtime:4.0.3=nonprodRuntime,runtime
 org.glassfish.jaxb:txw2:2.3.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.glassfish.jaxb:txw2:4.0.2=nonprodRuntime,runtime
+org.glassfish.jaxb:txw2:4.0.3=nonprodRuntime,runtime
 org.gwtproject:gwt-user:2.10.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.hamcrest:hamcrest-core:1.1=css
 org.hamcrest:hamcrest-core:1.3=default,nonprodCompileClasspath,nonprodRuntimeClasspath
@@ -410,26 +439,26 @@ org.json:json:20160212=soy
 org.json:json:20230227=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.jsoup:jsoup:1.16.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.junit-pioneer:junit-pioneer:2.0.1=testCompileClasspath,testRuntimeClasspath
-org.junit.jupiter:junit-jupiter-api:5.10.0-M1=testCompileClasspath,testRuntimeClasspath
-org.junit.jupiter:junit-jupiter-engine:5.10.0-M1=testCompileClasspath,testRuntimeClasspath
-org.junit.jupiter:junit-jupiter-migrationsupport:5.10.0-M1=testCompileClasspath,testRuntimeClasspath
-org.junit.jupiter:junit-jupiter-params:5.10.0-M1=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-commons:1.10.0-M1=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-engine:1.10.0-M1=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-launcher:1.10.0-M1=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-runner:1.10.0-M1=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-suite-api:1.10.0-M1=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-suite-commons:1.10.0-M1=testRuntimeClasspath
-org.junit:junit-bom:5.10.0-M1=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-api:5.10.0-RC1=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-engine:5.10.0-RC1=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-migrationsupport:5.10.0-RC1=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-params:5.10.0-RC1=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-commons:1.10.0-RC1=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-engine:1.10.0-RC1=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-launcher:1.10.0-RC1=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-runner:1.10.0-RC1=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-suite-api:1.10.0-RC1=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-suite-commons:1.10.0-RC1=testRuntimeClasspath
+org.junit:junit-bom:5.10.0-RC1=testCompileClasspath,testRuntimeClasspath
 org.jvnet.staxex:stax-ex:1.8=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.mockito:mockito-core:1.10.19=css
-org.mockito:mockito-core:5.3.1=testCompileClasspath,testRuntimeClasspath
-org.mockito:mockito-junit-jupiter:5.3.1=testCompileClasspath,testRuntimeClasspath
+org.mockito:mockito-core:5.4.0=testCompileClasspath,testRuntimeClasspath
+org.mockito:mockito-junit-jupiter:5.4.0=testCompileClasspath,testRuntimeClasspath
 org.mortbay.jetty:jetty-util:6.1.26=testCompileClasspath,testRuntimeClasspath
 org.mortbay.jetty:jetty:6.1.26=testCompileClasspath,testRuntimeClasspath
 org.objenesis:objenesis:2.1=css
 org.objenesis:objenesis:3.3=testRuntimeClasspath
-org.opentest4j:opentest4j:1.2.0=testCompileClasspath,testRuntimeClasspath
+org.opentest4j:opentest4j:1.3.0=testCompileClasspath,testRuntimeClasspath
 org.ow2.asm:asm-analysis:7.0=soy
 org.ow2.asm:asm-analysis:9.1=jacocoAnt
 org.ow2.asm:asm-analysis:9.5=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
@@ -470,12 +499,12 @@ org.slf4j:slf4j-jdk14:2.0.7=default,deploy_jar,runtimeClasspath,testRuntimeClass
 org.springframework:spring-core:5.3.25=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.springframework:spring-expression:5.3.25=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.springframework:spring-jcl:5.3.25=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.testcontainers:database-commons:1.18.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.testcontainers:jdbc:1.18.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.testcontainers:junit-jupiter:1.18.1=testCompileClasspath,testRuntimeClasspath
-org.testcontainers:postgresql:1.18.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.testcontainers:selenium:1.18.1=testCompileClasspath,testRuntimeClasspath
-org.testcontainers:testcontainers:1.18.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.testcontainers:database-commons:1.18.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.testcontainers:jdbc:1.18.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.testcontainers:junit-jupiter:1.18.3=testCompileClasspath,testRuntimeClasspath
+org.testcontainers:postgresql:1.18.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.testcontainers:selenium:1.18.3=testCompileClasspath,testRuntimeClasspath
+org.testcontainers:testcontainers:1.18.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.threeten:threetenbp:1.6.8=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.tukaani:xz:1.5=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.w3c.css:sac:1.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath

core/src/main/java/google/registry/batch/CannedScriptExecutionAction.java

@@ -52,7 +52,7 @@ import javax.mail.internet.InternetAddress;
     path = "/_dr/task/executeCannedScript",
     method = POST,
     automaticallyPrintOk = true,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public class CannedScriptExecutionAction implements Runnable {
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
 

core/src/main/java/google/registry/batch/CheckPackagesComplianceAction.java

@@ -41,7 +41,7 @@ import org.joda.time.Days;
 @Action(
     service = Service.BACKEND,
     path = CheckPackagesComplianceAction.PATH,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public class CheckPackagesComplianceAction implements Runnable {
 
   public static final String PATH = "/_dr/task/checkPackagesCompliance";

core/src/main/java/google/registry/batch/CloudTasksUtils.java

@@ -20,8 +20,6 @@ import static google.registry.tools.ServiceConnection.getServer;
 import static java.util.concurrent.TimeUnit.SECONDS;
 
 import com.google.api.gax.rpc.ApiException;
-import com.google.cloud.tasks.v2.AppEngineHttpRequest;
-import com.google.cloud.tasks.v2.AppEngineRouting;
 import com.google.cloud.tasks.v2.CloudTasksClient;
 import com.google.cloud.tasks.v2.HttpMethod;
 import com.google.cloud.tasks.v2.HttpRequest;
@@ -39,10 +37,12 @@ import com.google.common.net.MediaType;
 import com.google.common.net.UrlEscapers;
 import com.google.protobuf.ByteString;
 import com.google.protobuf.util.Timestamps;
+import google.registry.config.CredentialModule.ApplicationDefaultCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.request.Action.Service;
 import google.registry.util.Clock;
 import google.registry.util.CollectionUtils;
+import google.registry.util.GoogleCredentialsBundle;
 import google.registry.util.Retrier;
 import java.io.Serializable;
 import java.nio.charset.StandardCharsets;
@@ -52,7 +52,6 @@ import java.util.Random;
 import java.util.function.BiConsumer;
 import java.util.function.Consumer;
 import java.util.function.Supplier;
-import javax.annotation.Nullable;
 import javax.inject.Inject;
 import org.joda.time.Duration;
 
@@ -67,9 +66,8 @@ public class CloudTasksUtils implements Serializable {
   private final Clock clock;
   private final String projectId;
   private final String locationId;
-  // defaultServiceAccount and iapClientId are nullable because Optional isn't serializable
-  @Nullable private final String defaultServiceAccount;
-  @Nullable private final String iapClientId;
+  private final String oauthClientId;
+  private final GoogleCredentialsBundle credential;
   private final SerializableCloudTasksClient client;
 
   @Inject
@@ -78,15 +76,15 @@ public class CloudTasksUtils implements Serializable {
       Clock clock,
       @Config("projectId") String projectId,
       @Config("locationId") String locationId,
-      @Config("defaultServiceAccount") Optional<String> defaultServiceAccount,
-      @Config("iapClientId") Optional<String> iapClientId,
+      @Config("oauthClientId") String oauthClientId,
+      @ApplicationDefaultCredential GoogleCredentialsBundle credential,
       SerializableCloudTasksClient client) {
     this.retrier = retrier;
     this.clock = clock;
     this.projectId = projectId;
     this.locationId = locationId;
-    this.defaultServiceAccount = defaultServiceAccount.orElse(null);
-    this.iapClientId = iapClientId.orElse(null);
+    this.oauthClientId = oauthClientId;
+    this.credential = credential;
     this.client = client;
   }
 
@@ -94,10 +92,7 @@ public class CloudTasksUtils implements Serializable {
     return retrier.callWithRetry(
         () -> {
           logger.atInfo().log(
-              "Enqueuing queue='%s' endpoint='%s' service='%s'",
-              queue,
-              task.getAppEngineHttpRequest().getRelativeUri(),
-              task.getAppEngineHttpRequest().getAppEngineRouting().getService());
+              "Enqueuing queue='%s' endpoint='%s'", queue, task.getHttpRequest().getUrl());
           return client.enqueue(projectId, locationId, queue, task);
         },
         ApiException.class);
@@ -124,7 +119,7 @@ public class CloudTasksUtils implements Serializable {
    *
    * @return the resulting path (unchanged for POST requests, with params added for GET requests)
    */
-  private String processRequestParameters(
+  private static String processRequestParameters(
       String path,
       HttpMethod method,
       Multimap<String, String> params,
@@ -152,43 +147,17 @@ public class CloudTasksUtils implements Serializable {
     return path;
   }
 
-  /**
-   * Creates a {@link Task} that does not use AppEngine for submission.
-   *
-   * <p>This uses the standard Cloud Tasks auth format to create and send an OIDC ID token set to
-   * the default service account. That account must have permission to submit tasks to Cloud Tasks.
-   */
-  private Task createNonAppEngineTask(
-      String path, HttpMethod method, Service service, Multimap<String, String> params) {
-    HttpRequest.Builder requestBuilder = HttpRequest.newBuilder().setHttpMethod(method);
-    path =
-        processRequestParameters(
-            path, method, params, requestBuilder::putHeaders, requestBuilder::setBody);
-    OidcToken.Builder oidcTokenBuilder =
-        OidcToken.newBuilder().setServiceAccountEmail(defaultServiceAccount);
-    // If the service is using IAP, add that as the audience for the token so the request can be
-    // appropriately authed. Otherwise, use the project name.
-    if (iapClientId != null) {
-      oidcTokenBuilder.setAudience(iapClientId);
-    } else {
-      oidcTokenBuilder.setAudience(projectId);
-    }
-    requestBuilder.setOidcToken(oidcTokenBuilder.build());
-    String totalPath = String.format("%s%s", getServer(service), path);
-    requestBuilder.setUrl(totalPath);
-    return Task.newBuilder().setHttpRequest(requestBuilder.build()).build();
-  }
-
   /**
    * Create a {@link Task} to be enqueued.
    *
+   * <p>This uses the standard Cloud Tasks auth format to create and send an OIDC ID token with the
+   * default service account as the principal. That account must have permission to submit tasks to
+   * Cloud Tasks.
+   *
    * @param path the relative URI (staring with a slash and ending without one).
    * @param method the HTTP method to be used for the request, only GET and POST are supported.
-   * @param service the App Engine service to route the request to. Note that with App Engine Task
-   *     Queue API if no service is specified, the service which enqueues the task will be used to
-   *     process the task. Cloud Tasks API does not support this feature so the service will always
-   *     needs to be explicitly specified.
-   * @param params a multi-map of URL query parameters. Duplicate keys are saved as is, and it is up
+   * @param service the App Engine service to route the request to.
+   * @param params a multimap of URL query parameters. Duplicate keys are saved as is, and it is up
    *     to the server to process the duplicate keys.
    * @return the enqueued task.
    * @see <a
@@ -204,21 +173,18 @@ public class CloudTasksUtils implements Serializable {
         method.equals(HttpMethod.GET) || method.equals(HttpMethod.POST),
         "HTTP method %s is used. Only GET and POST are allowed.",
         method);
-    // If the default service account is configured, send a standard non-AppEngine HTTP request
-    if (defaultServiceAccount != null) {
-      return createNonAppEngineTask(path, method, service, params);
-    } else {
-      AppEngineHttpRequest.Builder requestBuilder =
-          AppEngineHttpRequest.newBuilder()
-              .setHttpMethod(method)
-              .setAppEngineRouting(
-                  AppEngineRouting.newBuilder().setService(service.toString()).build());
-      path =
-          processRequestParameters(
-              path, method, params, requestBuilder::putHeaders, requestBuilder::setBody);
-      requestBuilder.setRelativeUri(path);
-      return Task.newBuilder().setAppEngineHttpRequest(requestBuilder.build()).build();
-    }
+    HttpRequest.Builder requestBuilder = HttpRequest.newBuilder().setHttpMethod(method);
+    path =
+        processRequestParameters(
+            path, method, params, requestBuilder::putHeaders, requestBuilder::setBody);
+    OidcToken.Builder oidcTokenBuilder =
+        OidcToken.newBuilder()
+            .setServiceAccountEmail(credential.serviceAccount())
+            .setAudience(oauthClientId);
+    requestBuilder.setOidcToken(oidcTokenBuilder.build());
+    String totalPath = String.format("%s%s", getServer(service), path);
+    requestBuilder.setUrl(totalPath);
+    return Task.newBuilder().setHttpRequest(requestBuilder.build()).build();
   }
 
   /**
@@ -226,11 +192,8 @@ public class CloudTasksUtils implements Serializable {
    *
    * @param path the relative URI (staring with a slash and ending without one).
    * @param method the HTTP method to be used for the request, only GET and POST are supported.
-   * @param service the App Engine service to route the request to. Note that with App Engine Task
-   *     Queue API if no service is specified, the service which enqueues the task will be used to
-   *     process the task. Cloud Tasks API does not support this feature so the service will always
-   *     needs to be explicitly specified.
-   * @param params a multi-map of URL query parameters. Duplicate keys are saved as is, and it is up
+   * @param service the App Engine service to route the request to.
+   * @param params a multimap of URL query parameters. Duplicate keys are saved as is, and it is up
    *     to the server to process the duplicate keys.
    * @param jitterSeconds the number of seconds that a task is randomly delayed up to.
    * @return the enqueued task.
@@ -260,11 +223,8 @@ public class CloudTasksUtils implements Serializable {
    *
    * @param path the relative URI (staring with a slash and ending without one).
    * @param method the HTTP method to be used for the request, only GET and POST are supported.
-   * @param service the App Engine service to route the request to. Note that with App Engine Task
-   *     Queue API if no service is specified, the service which enqueues the task will be used to
-   *     process the task. Cloud Tasks API does not support this feature so the service will always
-   *     needs to be explicitly specified.
-   * @param params a multi-map of URL query parameters. Duplicate keys are saved as is, and it is up
+   * @param service the App Engine service to route the request to.
+   * @param params a multimap of URL query parameters. Duplicate keys are saved as is, and it is up
    *     to the server to process the duplicate keys.
    * @param delay the amount of time that a task needs to delayed for.
    * @return the enqueued task.
@@ -330,6 +290,9 @@ public class CloudTasksUtils implements Serializable {
   }
 
   public abstract static class SerializableCloudTasksClient implements Serializable {
+
+    private static final long serialVersionUID = 7872861868968535498L;
+
     public abstract Task enqueue(String projectId, String locationId, String queueName, Task task);
   }
 

core/src/main/java/google/registry/batch/DeleteExpiredDomainsAction.java

@@ -69,7 +69,7 @@ import org.joda.time.Duration;
 @Action(
     service = Action.Service.BACKEND,
     path = DeleteExpiredDomainsAction.PATH,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public class DeleteExpiredDomainsAction implements Runnable {
 
   public static final String PATH = "/_dr/task/deleteExpiredDomains";

core/src/main/java/google/registry/batch/DeleteLoadTestDataAction.java

@@ -56,7 +56,7 @@ import javax.inject.Inject;
     service = Action.Service.BACKEND,
     path = "/_dr/task/deleteLoadTestData",
     method = POST,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public class DeleteLoadTestDataAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();

core/src/main/java/google/registry/batch/DeleteProberDataAction.java

@@ -58,7 +58,7 @@ import org.joda.time.Duration;
     service = Action.Service.BACKEND,
     path = "/_dr/task/deleteProberData",
     method = POST,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public class DeleteProberDataAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();

core/src/main/java/google/registry/batch/ExpandBillingRecurrencesAction.java

@@ -52,7 +52,7 @@ import org.joda.time.DateTime;
 @Action(
     service = Action.Service.BACKEND,
     path = "/_dr/task/expandBillingRecurrences",
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public class ExpandBillingRecurrencesAction implements Runnable {
 
   public static final String PARAM_START_TIME = "startTime";

core/src/main/java/google/registry/batch/RelockDomainAction.java

@@ -53,7 +53,7 @@ import org.joda.time.Duration;
     path = RelockDomainAction.PATH,
     method = POST,
     automaticallyPrintOk = true,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public class RelockDomainAction implements Runnable {
 
   public static final String PATH = "/_dr/task/relockDomain";

core/src/main/java/google/registry/batch/ResaveAllEppResourcesPipelineAction.java

@@ -55,7 +55,7 @@ import javax.inject.Inject;
 @Action(
     service = Action.Service.BACKEND,
     path = ResaveAllEppResourcesPipelineAction.PATH,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public class ResaveAllEppResourcesPipelineAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();

core/src/main/java/google/registry/batch/ResaveEntityAction.java

@@ -40,7 +40,7 @@ import org.joda.time.DateTime;
 @Action(
     service = Action.Service.BACKEND,
     path = ResaveEntityAction.PATH,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN,
+    auth = Auth.AUTH_API_ADMIN,
     method = Method.POST)
 public class ResaveEntityAction implements Runnable {
 

core/src/main/java/google/registry/batch/SendExpiringCertificateNotificationEmailAction.java

@@ -53,7 +53,7 @@ import org.joda.time.format.DateTimeFormatter;
 @Action(
     service = Action.Service.BACKEND,
     path = SendExpiringCertificateNotificationEmailAction.PATH,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public class SendExpiringCertificateNotificationEmailAction implements Runnable {
 
   public static final String PATH = "/_dr/task/sendExpiringCertificateNotificationEmail";

core/src/main/java/google/registry/batch/WipeOutCloudSqlAction.java

@@ -44,7 +44,7 @@ import javax.inject.Inject;
 @Action(
     service = Action.Service.BACKEND,
     path = "/_dr/task/wipeOutCloudSql",
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public class WipeOutCloudSqlAction implements Runnable {
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
 

core/src/main/java/google/registry/batch/WipeOutContactHistoryPiiAction.java

@@ -51,7 +51,7 @@ import org.joda.time.DateTime;
 @Action(
     service = Service.BACKEND,
     path = WipeOutContactHistoryPiiAction.PATH,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public class WipeOutContactHistoryPiiAction implements Runnable {
 
   public static final String PATH = "/_dr/task/wipeOutContactHistoryPii";

core/src/main/java/google/registry/config/RegistryConfig.java

@@ -102,6 +102,8 @@ public final class RegistryConfig {
   @Module
   public static final class ConfigModule {
 
+    private ConfigModule() {}
+
     @Provides
     @Config("projectId")
     public static String provideProjectId(RegistryConfigSettings config) {
@@ -120,17 +122,6 @@ public final class RegistryConfig {
       return config.gcpProject.locationId;
     }
 
-    @Provides
-    @Config("serviceAccountEmails")
-    public static ImmutableList<String> provideServiceAccountEmails(RegistryConfigSettings config) {
-      return ImmutableList.copyOf(config.gcpProject.serviceAccountEmails);
-    }
-
-    @Provides
-    @Config("defaultServiceAccount")
-    public static Optional<String> provideDefaultServiceAccount(RegistryConfigSettings config) {
-      return Optional.ofNullable(config.gcpProject.defaultServiceAccount);
-    }
 
     /**
      * The filename of the logo to be displayed in the header of the registrar console.
@@ -257,7 +248,7 @@ public final class RegistryConfig {
     @Provides
     @Config("databaseRetention")
     public static Duration provideDatabaseRetention() {
-      return RegistryConfig.getDatabaseRetention();
+      return getDatabaseRetention();
     }
 
     /**
@@ -304,7 +295,7 @@ public final class RegistryConfig {
      * The maximum number of domain and host updates to batch together to send to
      * PublishDnsUpdatesAction, to avoid exceeding HTTP request timeout limits.
      *
-     * @see google.registry.dns.ReadDnsRefreshRequestsAction
+     * @see ReadDnsRefreshRequestsAction
      */
     @Provides
     @Config("dnsTldUpdateBatchSize")
@@ -1144,7 +1135,7 @@ public final class RegistryConfig {
     @Provides
     @Config("availableOauthScopes")
     public static ImmutableSet<String> provideAvailableOauthScopes(RegistryConfigSettings config) {
-      return ImmutableSet.copyOf(config.oAuth.availableOauthScopes);
+      return ImmutableSet.copyOf(config.auth.availableOauthScopes);
     }
 
     /**
@@ -1157,27 +1148,38 @@ public final class RegistryConfig {
      * API, which requires at least one of:
      *
      * <ul>
-     *   <li>https://www.googleapis.com/auth/appengine.apis
-     *   <li>https://www.googleapis.com/auth/cloud-platform
+     *   <li>{@code https://www.googleapis.com/auth/appengine.apis}
+     *   <li>{@code https://www.googleapis.com/auth/cloud-platform}
      * </ul>
      */
     @Provides
     @Config("requiredOauthScopes")
     public static ImmutableSet<String> provideRequiredOauthScopes(RegistryConfigSettings config) {
-      return ImmutableSet.copyOf(config.oAuth.requiredOauthScopes);
+      return ImmutableSet.copyOf(config.auth.requiredOauthScopes);
+    }
+
+    /**
+     * Provides service account email addresses allowed to authenticate with the app at {@link
+     * google.registry.request.auth.AuthSettings.AuthLevel#APP} level.
+     */
+    @Provides
+    @Config("allowedServiceAccountEmails")
+    public static ImmutableSet<String> provideAllowedServiceAccountEmails(
+        RegistryConfigSettings config) {
+      return ImmutableSet.copyOf(config.auth.allowedServiceAccountEmails);
     }
 
     /** Provides the allowed OAuth client IDs (could be multibinding). */
     @Provides
     @Config("allowedOauthClientIds")
     public static ImmutableSet<String> provideAllowedOauthClientIds(RegistryConfigSettings config) {
-      return ImmutableSet.copyOf(config.oAuth.allowedOauthClientIds);
+      return ImmutableSet.copyOf(config.auth.allowedOauthClientIds);
     }
 
     @Provides
-    @Config("iapClientId")
-    public static Optional<String> provideIapClientId(RegistryConfigSettings config) {
-      return Optional.ofNullable(config.oAuth.iapClientId);
+    @Config("oauthClientId")
+    public static String provideOauthClientId(RegistryConfigSettings config) {
+      return config.auth.oauthClientId;
     }
 
     /**
@@ -1253,7 +1255,7 @@ public final class RegistryConfig {
               toImmutableSortedMap(
                   naturalOrder(),
                   e ->
-                      e.getKey().equals("START_OF_TIME")
+                      "START_OF_TIME".equals(e.getKey())
                           ? START_OF_TIME
                           : DateTime.parse(e.getKey()),
                   Entry::getValue));
@@ -1374,6 +1376,12 @@ public final class RegistryConfig {
     public static String providePackageDomainLimitUpgradeEmailBody(RegistryConfigSettings config) {
       return config.packageMonitoring.packageDomainLimitUpgradeEmailBody;
     }
+
+    private static String formatComments(String text) {
+      return Splitter.on('\n').omitEmptyStrings().trimResults().splitToList(text).stream()
+          .map(s -> "# " + s)
+          .collect(Collectors.joining("\n"));
+    }
   }
 
   /** Returns the App Engine project ID, which is based off the environment name. */
@@ -1539,9 +1547,9 @@ public final class RegistryConfig {
    * one single INSERT statement which can dramatically increase speed in situations with many
    * inserts.
    *
-   * <p>Hibernate docs, i.e.
-   * https://docs.jboss.org/hibernate/orm/5.6/userguide/html_single/Hibernate_User_Guide.html,
-   * recommend between 10 and 50.
+   * <p><a
+   * href="https://docs.jboss.org/hibernate/orm/5.6/userguide/html_single/Hibernate_User_Guide.html">Hibernate
+   * User Guide</a> recommends between 10 and 50.
    */
   public static int getHibernateJdbcBatchSize() {
     return CONFIG_SETTINGS.get().hibernate.jdbcBatchSize;
@@ -1568,6 +1576,11 @@ public final class RegistryConfig {
     return Duration.standardDays(CONFIG_SETTINGS.get().registryPolicy.contactAutomaticTransferDays);
   }
 
+  /** A discount for all sunrise domain creates, between 0.0 (no discount) and 1.0 (free). */
+  public static double getSunriseDomainCreateDiscount() {
+    return CONFIG_SETTINGS.get().registryPolicy.sunriseDomainCreateDiscount;
+  }
+
   /**
    * Memoizes loading of the {@link RegistryConfigSettings} POJO.
    *
@@ -1578,11 +1591,7 @@ public final class RegistryConfig {
   public static final Supplier<RegistryConfigSettings> CONFIG_SETTINGS =
       memoize(RegistryConfig::getConfigSettings);
 
-  private static String formatComments(String text) {
-    return Splitter.on('\n').omitEmptyStrings().trimResults().splitToList(text).stream()
-        .map(s -> "# " + s)
-        .collect(Collectors.joining("\n"));
-  }
+
 
   private static InternetAddress parseEmailAddress(String email) {
     try {

core/src/main/java/google/registry/config/RegistryConfigSettings.java

@@ -23,7 +23,7 @@ public class RegistryConfigSettings {
 
   public GcpProject gcpProject;
   public GSuite gSuite;
-  public OAuth oAuth;
+  public Auth auth;
   public CredentialOAuth credentialOAuth;
   public RegistryPolicy registryPolicy;
   public Hibernate hibernate;
@@ -54,16 +54,15 @@ public class RegistryConfigSettings {
     public String backendServiceUrl;
     public String toolsServiceUrl;
     public String pubapiServiceUrl;
-    public List<String> serviceAccountEmails;
-    public String defaultServiceAccount;
   }
 
-  /** Configuration options for OAuth settings for authenticating users. */
-  public static class OAuth {
+  /** Configuration options for authenticating users. */
+  public static class Auth {
     public List<String> availableOauthScopes;
     public List<String> requiredOauthScopes;
     public List<String> allowedOauthClientIds;
-    public String iapClientId;
+    public List<String> allowedServiceAccountEmails;
+    public String oauthClientId;
   }
 
   /** Configuration options for accessing Google APIs. */
@@ -108,6 +107,7 @@ public class RegistryConfigSettings {
     public String registryName;
     public List<String> spec11WebResources;
     public boolean requireSslCertificates;
+    public double sunriseDomainCreateDiscount;
   }
 
   /** Configuration for Hibernate. */

core/src/main/java/google/registry/config/files/default-config.yaml

@@ -18,18 +18,10 @@ gcpProject:
   # whether to use local/test credentials when connecting to the servers
   isLocal: true
   # URLs of the services for the project.
-  defaultServiceUrl: https://localhost
-  backendServiceUrl: https://localhost
-  toolsServiceUrl: https://localhost
-  pubapiServiceUrl: https://localhost
-  # Service accounts eligible for authorization (e.g. default service account,
-  # account used by Cloud Scheduler) to send authenticated requests.
-  serviceAccountEmails:
-  - default-service-account-email@email.com
-  - cloud-scheduler-email@email.com
-  # The default service account with which the service is running. For example,
-  # on GAE this would be {project-id}@appspot.gserviceaccount.com
-  defaultServiceAccount: null
+  defaultServiceUrl: https://default.example.com
+  backendServiceUrl: https://backend.example.com
+  toolsServiceUrl: https://tools.example.com
+  pubapiServiceUrl: https://pubapi.example.com
 
 gSuite:
   # Publicly accessible domain name of the running G Suite instance.
@@ -188,6 +180,11 @@ registryPolicy:
   # should generally be true for production environments, for added security.
   requireSslCertificates: true
 
+  # A fractional discount, if any, to be provided to all sunrise domain creates.
+  # 0 means no discount will be applied, and 1 means that all sunrise creates
+  # will be free.
+  sunriseDomainCreateDiscount: 0.15
+
 hibernate:
   # Make 'SERIALIZABLE' the default isolation level to ensure correctness.
   #
@@ -295,24 +292,41 @@ caching:
   # long duration is acceptable because claims lists don't change frequently.
   claimsListCachingSeconds: 21600 # six hours
 
-oAuth:
+# Note: Only allowedServiceAccountEmails and oauthClientId should be configured.
+# Other fields are related to OAuth-based authentication and will be removed.
+auth:
+  # Deprecated: Use OIDC-based auth instead. This field is for OAuth-based auth.
   # OAuth scopes to detect on access tokens. Superset of requiredOauthScopes.
   availableOauthScopes:
   - https://www.googleapis.com/auth/userinfo.email
 
+  # Deprecated: Use OIDC-based auth instead. This field is for OAuth-based auth.
   # OAuth scopes required for authenticating. Subset of availableOauthScopes.
   requiredOauthScopes:
   - https://www.googleapis.com/auth/userinfo.email
 
+  # Deprecated: Use OIDC-based auth instead. This field is for OAuth-based auth.
   # OAuth client IDs that are allowed to authenticate and communicate with
-  # backend services, e. g. nomulus tool, EPP proxy, etc. The client_id value
-  # used in registryTool.clientId field for associated tooling should be included
-  # in this list. Client IDs are typically of the format
+  # backend services, e.g. nomulus tool, EPP proxy, etc. The value in
+  # registryTool.clientId field should be included in this list. Client IDs are
+  # typically of the format
   # numbers-alphanumerics.apps.googleusercontent.com
   allowedOauthClientIds: []
-  # GCP Identity-Aware Proxy client ID, if set up (note: this requires manual setup
-  # of User objects in the database for Nomulus tool users)
-  iapClientId: null
+
+  # Service accounts (e.g. default service account, account used by Cloud
+  # Scheduler) allowed to send authenticated requests.
+  allowedServiceAccountEmails:
+  - default-service-account-email@email.com
+  - cloud-scheduler-email@email.com
+
+  # OAuth 2.0 client ID that will be used as the audience in OIDC ID tokens sent
+  # from clients (e.g. proxy, nomulus tool, cloud tasks) for authentication. The
+  # same ID is the only one accepted by the regular OIDC or IAP authentication
+  # mechanisms. In most cases we should use the client ID created for IAP here,
+  # as it allows requests bearing a token with this audience to be accepted by
+  # both IAP or regular OIDC. The clientId value in proxy config file should be
+  # the same as this one.
+  oauthClientId: iap-oauth-clientid
 
 credentialOAuth:
   # OAuth scopes required for accessing Google APIs using the default

core/src/main/java/google/registry/cron/TldFanoutAction.java

@@ -81,7 +81,7 @@ import javax.inject.Inject;
     service = Action.Service.BACKEND,
     path = "/_dr/cron/fanout",
     automaticallyPrintOk = true,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public final class TldFanoutAction implements Runnable {
 
   /** A set of control params to TldFanoutAction that aren't passed down to the executing action. */
@@ -140,25 +140,13 @@ public final class TldFanoutAction implements Runnable {
     for (String tld : tlds) {
       Task task = createTask(tld, flowThruParams);
       Task createdTask = cloudTasksUtils.enqueue(queue, task);
-      if (createdTask.hasAppEngineHttpRequest()) {
-        outputPayload.append(
-            String.format(
-                "- Task: '%s', tld: '%s', endpoint: '%s'\n",
-                createdTask.getName(),
-                tld,
-                createdTask.getAppEngineHttpRequest().getRelativeUri()));
-        logger.atInfo().log(
-            "Task: '%s', tld: '%s', endpoint: '%s'.",
-            createdTask.getName(), tld, createdTask.getAppEngineHttpRequest().getRelativeUri());
-      } else {
-        outputPayload.append(
-            String.format(
-                "- Task: '%s', tld: '%s', endpoint: '%s'\n",
-                createdTask.getName(), tld, createdTask.getHttpRequest().getUrl()));
-        logger.atInfo().log(
-            "Task: '%s', tld: '%s', endpoint: '%s'.",
-            createdTask.getName(), tld, createdTask.getHttpRequest().getUrl());
-      }
+      outputPayload.append(
+          String.format(
+              "- Task: '%s', tld: '%s', endpoint: '%s'\n",
+              createdTask.getName(), tld, createdTask.getHttpRequest().getUrl()));
+      logger.atInfo().log(
+          "Task: '%s', tld: '%s', endpoint: '%s'.",
+          createdTask.getName(), tld, createdTask.getHttpRequest().getUrl());
     }
     response.setContentType(PLAIN_TEXT_UTF_8);
     response.setPayload(outputPayload.toString());

core/src/main/java/google/registry/dns/PublishDnsUpdatesAction.java

@@ -76,14 +76,11 @@ import org.joda.time.Duration;
     path = PublishDnsUpdatesAction.PATH,
     method = POST,
     automaticallyPrintOk = true,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public final class PublishDnsUpdatesAction implements Runnable, Callable<Void> {
 
   public static final String PATH = "/_dr/task/publishDnsUpdates";
   public static final String LOCK_NAME = "DNS updates";
-  // TODO(b/236726584): Remove App Engine header once CloudTasksUtils is refactored to create HTTP
-  // tasks.
-  public static final String APP_ENGINE_RETRY_HEADER = "X-AppEngine-TaskRetryCount";
   public static final String CLOUD_TASKS_RETRY_HEADER = "X-CloudTasks-TaskRetryCount";
   public static final int RETRIES_BEFORE_PERMANENT_FAILURE = 20;
 
@@ -140,8 +137,7 @@ public final class PublishDnsUpdatesAction implements Runnable, Callable<Void> {
       @Config("registrySupportEmail") Lazy<InternetAddress> registrySupportEmail,
       @Config("registryCcEmail") Lazy<InternetAddress> registryCcEmail,
       @Config("gSuiteOutgoingEmailAddress") InternetAddress gSuiteOutgoingEmailAddress,
-      @Header(APP_ENGINE_RETRY_HEADER) Optional<Integer> appEngineRetryCount,
-      @Header(CLOUD_TASKS_RETRY_HEADER) Optional<Integer> cloudTasksRetryCount,
+      @Header(CLOUD_TASKS_RETRY_HEADER) int retryCount,
       DnsWriterProxy dnsWriterProxy,
       DnsMetrics dnsMetrics,
       LockHandler lockHandler,
@@ -153,10 +149,7 @@ public final class PublishDnsUpdatesAction implements Runnable, Callable<Void> {
     this.dnsMetrics = dnsMetrics;
     this.timeout = timeout;
     this.sendEmailService = sendEmailService;
-    retryCount =
-        cloudTasksRetryCount.orElse(
-            appEngineRetryCount.orElseThrow(
-                () -> new IllegalStateException("Missing a valid retry count header")));
+    this.retryCount = retryCount;
     this.dnsWriter = dnsWriter;
     this.enqueuedTime = enqueuedTime;
     this.itemsCreateTime = itemsCreateTime;

core/src/main/java/google/registry/dns/ReadDnsRefreshRequestsAction.java

@@ -64,7 +64,7 @@ import org.joda.time.Duration;
     path = "/_dr/task/readDnsRefreshRequests",
     automaticallyPrintOk = true,
     method = POST,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public final class ReadDnsRefreshRequestsAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();

core/src/main/java/google/registry/dns/RefreshDnsAction.java

@@ -38,7 +38,7 @@ import javax.inject.Inject;
     service = Action.Service.BACKEND,
     path = "/_dr/dnsRefresh",
     automaticallyPrintOk = true,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public final class RefreshDnsAction implements Runnable {
 
   private final Clock clock;

core/src/main/java/google/registry/dns/RefreshDnsOnHostRenameAction.java

@@ -37,7 +37,7 @@ import org.joda.time.DateTime;
     service = Service.BACKEND,
     path = PATH,
     method = Action.Method.POST,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public class RefreshDnsOnHostRenameAction implements Runnable {
 
   public static final String QUEUE_HOST_RENAME = "async-host-rename";

core/src/main/java/google/registry/dns/writer/clouddns/CloudDnsWriter.java

@@ -144,15 +144,13 @@ public class CloudDnsWriter extends BaseDnsWriter {
         dsRrData.add(ds.toRrData());
       }
 
-      if (!dsRrData.isEmpty()) {
-        domainRecords.add(
-            new ResourceRecordSet()
-                .setName(absoluteDomainName)
-                .setTtl((int) tld.getDnsDsTtl().orElse(defaultDsTtl).getStandardSeconds())
-                .setType("DS")
-                .setKind("dns#resourceRecordSet")
-                .setRrdatas(ImmutableList.copyOf(dsRrData)));
-      }
+      domainRecords.add(
+          new ResourceRecordSet()
+              .setName(absoluteDomainName)
+              .setTtl((int) tld.getDnsDsTtl().orElse(defaultDsTtl).getStandardSeconds())
+              .setType("DS")
+              .setKind("dns#resourceRecordSet")
+              .setRrdatas(ImmutableList.copyOf(dsRrData)));
     }
 
     // Construct NS records (if any).
@@ -169,15 +167,13 @@ public class CloudDnsWriter extends BaseDnsWriter {
         }
       }
 
-      if (!nsRrData.isEmpty()) {
-        domainRecords.add(
-            new ResourceRecordSet()
-                .setName(absoluteDomainName)
-                .setTtl((int) tld.getDnsNsTtl().orElse(defaultNsTtl).getStandardSeconds())
-                .setType("NS")
-                .setKind("dns#resourceRecordSet")
-                .setRrdatas(ImmutableList.copyOf(nsRrData)));
-      }
+      domainRecords.add(
+          new ResourceRecordSet()
+              .setName(absoluteDomainName)
+              .setTtl((int) tld.getDnsNsTtl().orElse(defaultNsTtl).getStandardSeconds())
+              .setType("NS")
+              .setKind("dns#resourceRecordSet")
+              .setRrdatas(ImmutableList.copyOf(nsRrData)));
     }
 
     desiredRecords.put(absoluteDomainName, domainRecords.build());

core/src/main/java/google/registry/export/ExportDomainListsAction.java

@@ -49,7 +49,7 @@ import javax.inject.Inject;
     service = Action.Service.BACKEND,
     path = "/_dr/task/exportDomainLists",
     method = POST,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public class ExportDomainListsAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();

core/src/main/java/google/registry/export/ExportPremiumTermsAction.java

@@ -48,7 +48,7 @@ import javax.inject.Inject;
     service = Action.Service.BACKEND,
     path = "/_dr/task/exportPremiumTerms",
     method = POST,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public class ExportPremiumTermsAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();

core/src/main/java/google/registry/export/ExportReservedTermsAction.java

@@ -37,7 +37,7 @@ import javax.inject.Inject;
     service = Action.Service.BACKEND,
     path = "/_dr/task/exportReservedTerms",
     method = POST,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public class ExportReservedTermsAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();

core/src/main/java/google/registry/export/SyncGroupMembersAction.java

@@ -55,7 +55,7 @@ import javax.inject.Inject;
     service = Action.Service.BACKEND,
     path = "/_dr/task/syncGroupMembers",
     method = POST,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public final class SyncGroupMembersAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();

core/src/main/java/google/registry/export/sheet/SyncRegistrarsSheetAction.java

@@ -57,7 +57,7 @@ import org.joda.time.Duration;
     service = Action.Service.BACKEND,
     path = SyncRegistrarsSheetAction.PATH,
     method = POST,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public class SyncRegistrarsSheetAction implements Runnable {
 
   private enum Result {

core/src/main/java/google/registry/flows/CheckApiAction.java

@@ -69,7 +69,7 @@ import org.joda.time.DateTime;
  * user controlled, lest it open an XSS vector. Do not modify this to return the domain name in the
  * response.
  */
-@Action(service = Action.Service.PUBAPI, path = "/check", auth = Auth.AUTH_PUBLIC_ANONYMOUS)
+@Action(service = Action.Service.PUBAPI, path = "/check", auth = Auth.AUTH_PUBLIC)
 public class CheckApiAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();

core/src/main/java/google/registry/flows/EppTlsAction.java

@@ -29,7 +29,7 @@ import javax.servlet.http.HttpSession;
     service = Action.Service.DEFAULT,
     path = "/_dr/epp",
     method = Method.POST,
-    auth = Auth.AUTH_PUBLIC_OR_INTERNAL)
+    auth = Auth.AUTH_API_PUBLIC)
 public class EppTlsAction implements Runnable {
 
   @Inject @Payload byte[] inputXmlBytes;

core/src/main/java/google/registry/flows/EppToolAction.java

@@ -33,7 +33,7 @@ import javax.servlet.http.HttpServletRequest;
     service = Action.Service.TOOLS,
     path = EppToolAction.PATH,
     method = Method.POST,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public class EppToolAction implements Runnable {
 
   public static final String PATH = "/_dr/epptool";

core/src/main/java/google/registry/flows/domain/DomainCreateFlow.java

@@ -337,7 +337,8 @@ public final class DomainCreateFlow implements TransactionalFlow {
     Optional<FeeCreateCommandExtension> feeCreate =
         eppInput.getSingleExtension(FeeCreateCommandExtension.class);
     FeesAndCredits feesAndCredits =
-        pricingLogic.getCreatePrice(tld, targetId, now, years, isAnchorTenant, allocationToken);
+        pricingLogic.getCreatePrice(
+            tld, targetId, now, years, isAnchorTenant, isSunriseCreate, allocationToken);
     validateFeeChallenge(feeCreate, feesAndCredits, defaultTokenUsed);
     Optional<SecDnsCreateExtension> secDnsCreate =
         validateSecDnsExtension(eppInput.getSingleExtension(SecDnsCreateExtension.class));

core/src/main/java/google/registry/flows/domain/DomainFlowUtils.java

@@ -690,6 +690,7 @@ public class DomainFlowUtils {
                       now,
                       years,
                       isAnchorTenant(domainName, allocationToken, Optional.empty()),
+                      isSunrise,
                       allocationToken)
                   .getFees();
         }

core/src/main/java/google/registry/flows/domain/DomainPricingLogic.java

@@ -22,6 +22,7 @@ import static google.registry.util.DomainNameUtils.getTldFromDomainName;
 import static google.registry.util.PreconditionsUtils.checkArgumentPresent;
 
 import com.google.common.net.InternetDomainName;
+import google.registry.config.RegistryConfig;
 import google.registry.flows.EppException;
 import google.registry.flows.EppException.CommandUseErrorException;
 import google.registry.flows.custom.DomainPricingCustomLogic;
@@ -72,26 +73,33 @@ public final class DomainPricingLogic {
       DateTime dateTime,
       int years,
       boolean isAnchorTenant,
+      boolean isSunriseCreate,
       Optional<AllocationToken> allocationToken)
       throws EppException {
     CurrencyUnit currency = tld.getCurrency();
 
-    BaseFee createFeeOrCredit;
+    BaseFee createFee;
     // Domain create cost is always zero for anchor tenants
     if (isAnchorTenant) {
-      createFeeOrCredit = Fee.create(zeroInCurrency(currency), FeeType.CREATE, false);
+      createFee = Fee.create(zeroInCurrency(currency), FeeType.CREATE, false);
     } else {
       DomainPrices domainPrices = getPricesForDomainName(domainName, dateTime);
       Money domainCreateCost =
           getDomainCreateCostWithDiscount(domainPrices, years, allocationToken);
-      createFeeOrCredit =
+      // Apply a sunrise discount if configured and applicable
+      if (isSunriseCreate) {
+        domainCreateCost =
+            domainCreateCost.multipliedBy(
+                1.0d - RegistryConfig.getSunriseDomainCreateDiscount(), RoundingMode.HALF_EVEN);
+      }
+      createFee =
           Fee.create(domainCreateCost.getAmount(), FeeType.CREATE, domainPrices.isPremium());
     }
 
     // Create fees for the cost and the EAP fee, if any.
     Fee eapFee = tld.getEapFeeFor(dateTime);
     FeesAndCredits.Builder feesBuilder =
-        new FeesAndCredits.Builder().setCurrency(currency).addFeeOrCredit(createFeeOrCredit);
+        new FeesAndCredits.Builder().setCurrency(currency).addFeeOrCredit(createFee);
     // Don't charge anchor tenants EAP fees.
     if (!isAnchorTenant && !eapFee.hasZeroCost()) {
       feesBuilder.addFeeOrCredit(eapFee);

core/src/main/java/google/registry/loadtest/LoadTestAction.java

@@ -58,7 +58,7 @@ import org.joda.time.DateTime;
     path = LoadTestAction.PATH,
     method = Action.Method.POST,
     automaticallyPrintOk = true,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public class LoadTestAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();

core/src/main/java/google/registry/model/registrar/Registrar.java

@@ -50,6 +50,7 @@ import com.google.common.collect.Maps;
 import com.google.common.collect.Range;
 import com.google.common.collect.Sets;
 import com.google.common.collect.Streams;
+import com.google.gson.annotations.Expose;
 import com.google.re2j.Pattern;
 import google.registry.model.Buildable;
 import google.registry.model.CreateAutoTimestamp;
@@ -253,7 +254,7 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
   // Authentication.
 
   /** X.509 PEM client certificate(s) used to authenticate registrar to EPP service. */
-  String clientCertificate;
+  @Expose String clientCertificate;
 
   /** Base64 encoded SHA256 hash of {@link #clientCertificate}. */
   String clientCertificateHash;
@@ -263,13 +264,13 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
    *
    * <p>This allows registrars to migrate certificates without downtime.
    */
-  String failoverClientCertificate;
+  @Expose String failoverClientCertificate;
 
   /** Base64 encoded SHA256 hash of {@link #failoverClientCertificate}. */
   String failoverClientCertificateHash;
 
   /** An allow list of netmasks (in CIDR notation) which the client is allowed to connect from. */
-  List<CidrAddressBlock> ipAddressAllowList;
+  @Expose List<CidrAddressBlock> ipAddressAllowList;
 
   /** A hashed password for EPP access. The hash is a base64 encoded SHA256 string. */
   String passwordHash;

core/src/main/java/google/registry/model/tld/Tld.java

@@ -475,6 +475,9 @@ public class Tld extends ImmutableObject implements Buildable, UnsafeSerializabl
   /** An allowlist of hosts allowed to be used on domains on this TLD (ignored if empty). */
   @Nullable Set<String> allowedFullyQualifiedHostNames;
 
+  @Column(nullable = false)
+  boolean breakglassMode = false;
+
   /**
    * References to allocation tokens that can be used on the TLD if no other token is passed in on a
    * domain create.
@@ -701,6 +704,10 @@ public class Tld extends ImmutableObject implements Buildable, UnsafeSerializabl
     return nullToEmptyImmutableCopy(idnTables);
   }
 
+  public boolean getBreakglassMode() {
+    return breakglassMode;
+  }
+
   @Override
   public Builder asBuilder() {
     return new Builder(clone(this));
@@ -1004,6 +1011,11 @@ public class Tld extends ImmutableObject implements Buildable, UnsafeSerializabl
       return this;
     }
 
+    public Builder setBreakglassMode(boolean breakglassMode) {
+      getInstance().breakglassMode = breakglassMode;
+      return this;
+    }
+
     @Override
     public Tld build() {
       final Tld instance = getInstance();

core/src/main/java/google/registry/module/frontend/FrontendRequestComponent.java

@@ -28,6 +28,7 @@ import google.registry.request.RequestScope;
 import google.registry.ui.server.console.ConsoleDomainGetAction;
 import google.registry.ui.server.console.RegistrarsAction;
 import google.registry.ui.server.console.settings.ContactAction;
+import google.registry.ui.server.console.settings.SecurityAction;
 import google.registry.ui.server.registrar.ConsoleOteSetupAction;
 import google.registry.ui.server.registrar.ConsoleRegistrarCreatorAction;
 import google.registry.ui.server.registrar.ConsoleUiAction;
@@ -70,6 +71,8 @@ interface FrontendRequestComponent {
 
   RegistrarsAction registrarsAction();
 
+  SecurityAction securityAction();
+
   @Subcomponent.Builder
   abstract class Builder implements RequestComponentBuilder<FrontendRequestComponent> {
     @Override public abstract Builder requestModule(RequestModule requestModule);

core/src/main/java/google/registry/rdap/RdapAutnumAction.java

@@ -35,7 +35,7 @@ import javax.inject.Inject;
     path = "/rdap/autnum/",
     method = {GET, HEAD},
     isPrefix = true,
-    auth = Auth.AUTH_PUBLIC_ANONYMOUS)
+    auth = Auth.AUTH_PUBLIC)
 public class RdapAutnumAction extends RdapActionBase {
 
   @Inject RdapAutnumAction() {

core/src/main/java/google/registry/rdap/RdapDataStructures.java

@@ -367,7 +367,7 @@ final class RdapDataStructures {
     PENDING_RESTORE("pending restore"),
     REDEMPTION_PERIOD("redemption period"),
     RENEW_PERIOD("renew period"),
-    SERVER_DELETE_PROHIBITED("server deleted prohibited"),
+    SERVER_DELETE_PROHIBITED("server delete prohibited"),
     SERVER_RENEW_PROHIBITED("server renew prohibited"),
     SERVER_TRANSFER_PROHIBITED("server transfer prohibited"),
     SERVER_UPDATE_PROHIBITED("server update prohibited"),

core/src/main/java/google/registry/rdap/RdapHelpAction.java

@@ -33,7 +33,7 @@ import javax.inject.Inject;
     path = "/rdap/help",
     method = {GET, HEAD},
     isPrefix = true,
-    auth = Auth.AUTH_PUBLIC_ANONYMOUS)
+    auth = Auth.AUTH_PUBLIC)
 public class RdapHelpAction extends RdapActionBase {
 
   /** The help path for the RDAP terms of service. */

core/src/main/java/google/registry/rdap/RdapIcannStandardInformation.java

@@ -54,12 +54,11 @@ public class RdapIcannStandardInformation {
   private static final Notice INACCURACY_COMPLAINT_FORM_NOTICE =
       Notice.builder()
           .setTitle("RDDS Inaccuracy Complaint Form")
-          .setDescription(
-              "URL of the ICANN RDDS Inaccuracy Complaint Form: https://www.icann.org/wicf")
+          .setDescription("URL of the ICANN RDDS Inaccuracy Complaint Form: https://icann.org/wicf")
           .addLink(
               Link.builder()
                   .setRel("alternate")
-                  .setHref("https://www.icann.org/wicf")
+                  .setHref("https://icann.org/wicf")
                   .setType("text/html")
                   .build())
           .build();
@@ -150,14 +149,6 @@ public class RdapIcannStandardInformation {
                   .build())
           .build();
 
-  /**
-   * String that replaces GDPR redacted values.
-   *
-   * <p>GTLD Registration Data Temp Spec 17may18, Appendix A, 2.2: Fields required to be "redacted"
-   * MUST privide in the value section text similar to "REDACTED FOR PRIVACY"
-   */
-  static final String CONTACT_REDACTED_VALUE = "REDACTED FOR PRIVACY";
-
   /**
    * Included in ALL contact responses, even if the user is authorized.
    *

core/src/main/java/google/registry/rdap/RdapIpAction.java

@@ -35,7 +35,7 @@ import javax.inject.Inject;
     path = "/rdap/ip/",
     method = {GET, HEAD},
     isPrefix = true,
-    auth = Auth.AUTH_PUBLIC_ANONYMOUS)
+    auth = Auth.AUTH_PUBLIC)
 public class RdapIpAction extends RdapActionBase {
 
   @Inject RdapIpAction() {

core/src/main/java/google/registry/rdap/RdapJsonFormatter.java

@@ -21,7 +21,6 @@ import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static com.google.common.collect.ImmutableSetMultimap.toImmutableSetMultimap;
 import static google.registry.model.EppResourceUtils.isLinked;
 import static google.registry.persistence.transaction.TransactionManagerFactory.replicaTm;
-import static google.registry.rdap.RdapIcannStandardInformation.CONTACT_REDACTED_VALUE;
 import static google.registry.util.CollectionUtils.union;
 
 import com.google.common.annotations.VisibleForTesting;
@@ -39,7 +38,6 @@ import com.google.gson.JsonArray;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.model.EppResource;
 import google.registry.model.contact.Contact;
-import google.registry.model.contact.ContactAddress;
 import google.registry.model.contact.ContactPhoneNumber;
 import google.registry.model.contact.PostalInfo;
 import google.registry.model.domain.DesignatedContact;
@@ -519,69 +517,68 @@ public class RdapJsonFormatter {
     boolean isAuthorized =
         rdapAuthorization.isAuthorizedForRegistrar(contact.getCurrentSponsorRegistrarId());
 
-    // ROID needs to be redacted if we aren't authorized, so we can't have a self-link for
-    // unauthorized users
+    VcardArray.Builder vcardBuilder = VcardArray.builder();
+
     if (isAuthorized) {
-      contactBuilder.linksBuilder().add(makeSelfLink("entity", contact.getRepoId()));
-    }
-
-    // Only show the "summary data remark" if the user is authorized to see this data - because
-    // unauthorized users don't have a self link meaning they can't navigate to the full data.
-    if (outputDataType != OutputDataType.FULL && isAuthorized) {
-      contactBuilder.remarksBuilder().add(RdapIcannStandardInformation.SUMMARY_DATA_REMARK);
-    }
-
-    // GTLD Registration Data Temp Spec 17may18, Appendix A, 2.3, 2.4 and RDAP Response Profile
-    // 2.7.4.1, 2.7.4.2 - the following fields must be redacted:
-    // for REGISTRANT:
-    // handle (ROID), FN (name), TEL (telephone/fax and extension), street, city, postal code
-    // for ADMIN, TECH:
-    // handle (ROID), FN (name), TEL (telephone/fax and extension), Organization, street, city,
-    // state/province, postal code, country
-    //
-    // Note that in theory we have to show the Organization and state/province and country for the
-    // REGISTRANT. For now, we won't do that until we make sure it's really OK for GDPR
-    //
-    if (!isAuthorized) {
+      fillRdapContactEntityWhenAuthorized(contactBuilder, vcardBuilder, contact, outputDataType);
+    } else {
+      // GTLD Registration Data Temp Spec 17may18, Appendix A, 2.3, 2.4 and RDAP Response Profile
+      // 2.7.4.1, 2.7.4.2 - the following fields must be redacted:
+      // for REGISTRANT:
+      // handle (ROID), FN (name), TEL (telephone/fax and extension), street, city, postal code
+      // for ADMIN, TECH:
+      // handle (ROID), FN (name), TEL (telephone/fax and extension), Organization, street, city,
+      // state/province, postal code, country
+      //
+      // Note that in theory we have to show the Organization and state/province and country for the
+      // REGISTRANT. For now, we won't do that until we make sure it's really OK for GDPR
+      //
       // RDAP Response Profile 2.7.4.3: if we redact values from the contact, we MUST include a
       // remark
       contactBuilder
           .remarksBuilder()
           .add(RdapIcannStandardInformation.CONTACT_PERSONAL_DATA_HIDDEN_DATA_REMARK);
-      // to make sure we don't accidentally display data we shouldn't - we replace the
-      // contact with a safe resource. Then we can add any information we need (e.g. the
-      // Organization / state / country of the registrant), although we currently don't do that.
-      contact =
-          new Contact.Builder()
-              .setRepoId(CONTACT_REDACTED_VALUE)
-              .setVoiceNumber(
-                  new ContactPhoneNumber.Builder().setPhoneNumber(CONTACT_REDACTED_VALUE).build())
-              .setFaxNumber(
-                  new ContactPhoneNumber.Builder().setPhoneNumber(CONTACT_REDACTED_VALUE).build())
-              .setInternationalizedPostalInfo(
-                  new PostalInfo.Builder()
-                      .setName(CONTACT_REDACTED_VALUE)
-                      .setOrg(CONTACT_REDACTED_VALUE)
-                      .setType(PostalInfo.Type.INTERNATIONALIZED)
-                      .setAddress(
-                          new ContactAddress.Builder()
-                              .setStreet(ImmutableList.of(CONTACT_REDACTED_VALUE))
-                              .setCity(CONTACT_REDACTED_VALUE)
-                              .setState(CONTACT_REDACTED_VALUE)
-                              .setZip(CONTACT_REDACTED_VALUE)
-                              .setCountryCode("XX")
-                              .build())
-                      .build())
-              .build();
+      contactBuilder.setHandle("");
+      // The VCard format requires a "fn" entry even if it is empty (redacted)
+      vcardBuilder.add(Vcard.create("fn", "text", ""));
     }
 
-    // RDAP Response Profile 2.7.3 - we MUST provide a handle set with the ROID, subject to the
-    // redaction above.
-    contactBuilder.setHandle(contact.getRepoId());
+    contactBuilder.setVcardArray(vcardBuilder.build());
+    contactBuilder.rolesBuilder().addAll(roles);
 
-    // RDAP Response Profile doesn't mention status for contacts, so we only show it if we're both
-    // FULL and Authorized.
-    if (outputDataType == OutputDataType.FULL && isAuthorized) {
+    // RDAP Response Profile 2.7.5.1, 2.7.5.3:
+    // email MUST be omitted, and we MUST have a Remark saying so
+    contactBuilder
+        .remarksBuilder()
+        .add(RdapIcannStandardInformation.CONTACT_EMAIL_REDACTED_FOR_DOMAIN);
+
+    if (outputDataType != OutputDataType.INTERNAL) {
+      // Rdap Response Profile 2.7.6 must have "last update of RDAP database" response. But this is
+      // only for direct query responses and not for internal objects. I'm not sure why it's in that
+      // section at all...
+      contactBuilder.setLastUpdateOfRdapDatabaseEvent(
+          Event.builder()
+              .setEventAction(EventAction.LAST_UPDATE_OF_RDAP_DATABASE)
+              .setEventDate(getRequestTime())
+              .build());
+    }
+    return contactBuilder.build();
+  }
+
+  private void fillRdapContactEntityWhenAuthorized(
+      RdapContactEntity.Builder contactBuilder,
+      VcardArray.Builder vcardBuilder,
+      Contact contact,
+      OutputDataType outputDataType) {
+    // ROID needs to be redacted if we aren't authorized, so we can't have a self-link for
+    // unauthorized users
+    contactBuilder.linksBuilder().add(makeSelfLink("entity", contact.getRepoId()));
+    // RDAP Response Profile 2.7.3 - we MUST provide a handle set with the ROID, subject to
+    // redaction.
+    contactBuilder.setHandle(contact.getRepoId());
+    if (outputDataType.equals(OutputDataType.FULL)) {
+      // RDAP Response Profile doesn't mention status for contacts, so we only show it if we're both
+      // FULL and Authorized.
       contactBuilder
           .statusBuilder()
           .addAll(
@@ -591,12 +588,18 @@ public class RdapJsonFormatter {
                       : contact.getStatusValues(),
                   false,
                   contact.getDeletionTime().isBefore(getRequestTime())));
+      // If we are outputting all data (not just summary data), also add events taken from the
+      // history entries. This isn't strictly required.
+      //
+      // We also only add it for authorized users because millisecond times can fingerprint a user
+      // just as much as the handle can.
+      contactBuilder.eventsBuilder().addAll(makeOptionalEvents(contact));
+    } else {
+      // Only show the "summary data remark" if the user is authorized to see this data - because
+      // unauthorized users don't have a self link meaning they can't navigate to the full data.
+      contactBuilder.remarksBuilder().add(RdapIcannStandardInformation.SUMMARY_DATA_REMARK);
     }
-
-    contactBuilder.rolesBuilder().addAll(roles);
-
-    VcardArray.Builder vcardBuilder = VcardArray.builder();
-    // Adding the VCard members subject to the redaction above.
+    // Adding the VCard members when not redacted.
     //
     // RDAP Response Profile 2.7.3 - we MUST have FN, ADR, TEL, EMAIL.
     //
@@ -622,33 +625,6 @@ public class RdapJsonFormatter {
     if (faxPhoneNumber != null) {
       vcardBuilder.add(makePhoneEntry(PHONE_TYPE_FAX, makePhoneString(faxPhoneNumber)));
     }
-    // RDAP Response Profile 2.7.5.1, 2.7.5.3:
-    // email MUST be omitted, and we MUST have a Remark saying so
-    contactBuilder
-        .remarksBuilder()
-        .add(RdapIcannStandardInformation.CONTACT_EMAIL_REDACTED_FOR_DOMAIN);
-    contactBuilder.setVcardArray(vcardBuilder.build());
-
-    if (outputDataType != OutputDataType.INTERNAL) {
-      // Rdap Response Profile 2.7.6 must have "last update of RDAP database" response. But this is
-      // only for direct query responses and not for internal objects. I'm not sure why it's in that
-      // section at all...
-      contactBuilder.setLastUpdateOfRdapDatabaseEvent(
-          Event.builder()
-              .setEventAction(EventAction.LAST_UPDATE_OF_RDAP_DATABASE)
-              .setEventDate(getRequestTime())
-              .build());
-    }
-
-    // If we are outputting all data (not just summary data), also add events taken from the history
-    // entries. This isn't strictly required.
-    //
-    // We also only add it for authorized users because millisecond times can fingerprint a user
-    // just as much as the handle can.
-    if (outputDataType == OutputDataType.FULL && isAuthorized) {
-      contactBuilder.eventsBuilder().addAll(makeOptionalEvents(contact));
-    }
-    return contactBuilder.build();
   }
 
   /**
@@ -1000,7 +976,7 @@ public class RdapJsonFormatter {
     // Gustavo Lozano of ICANN, the one we should use is an embedded array of street address lines
     // if there is more than one line:
     //
-    //   RFC7095 provides two examples of structured addresses, and one of the examples shows a
+    //   RFC 7095 provides two examples of structured addresses, and one of the examples shows a
     //   street JSON element that contains several data elements. The example showing (see below)
     //   several data elements is the expected output when two or more <contact:street> elements
     //   exists in the contact object.

core/src/main/java/google/registry/rdap/RdapNameserverAction.java

@@ -38,7 +38,7 @@ import javax.inject.Inject;
     path = "/rdap/nameserver/",
     method = {GET, HEAD},
     isPrefix = true,
-    auth = Auth.AUTH_PUBLIC_ANONYMOUS)
+    auth = Auth.AUTH_PUBLIC)
 public class RdapNameserverAction extends RdapActionBase {
 
   @Inject public RdapNameserverAction() {

core/src/main/java/google/registry/rdap/RdapNameserverSearchAction.java

@@ -59,7 +59,7 @@ import javax.inject.Inject;
     service = Action.Service.PUBAPI,
     path = "/rdap/nameservers",
     method = {GET, HEAD},
-    auth = Auth.AUTH_PUBLIC_ANONYMOUS)
+    auth = Auth.AUTH_PUBLIC)
 public class RdapNameserverSearchAction extends RdapSearchActionBase {
 
   public static final String PATH = "/rdap/nameservers";

core/src/main/java/google/registry/rdap/UpdateRegistrarRdapBaseUrlsAction.java

@@ -49,7 +49,7 @@ import org.apache.commons.csv.CSVRecord;
     service = Action.Service.BACKEND,
     path = "/_dr/task/updateRegistrarRdapBaseUrls",
     automaticallyPrintOk = true,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public final class UpdateRegistrarRdapBaseUrlsAction implements Runnable {
 
   private static final GenericUrl RDAP_IDS_URL =

core/src/main/java/google/registry/rde/BrdaCopyAction.java

@@ -66,7 +66,7 @@ import org.joda.time.DateTime;
     path = BrdaCopyAction.PATH,
     method = POST,
     automaticallyPrintOk = true,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public final class BrdaCopyAction implements Runnable {
 
   public static final String PATH = "/_dr/task/brdaCopy";

core/src/main/java/google/registry/rde/RdeReportAction.java

@@ -56,7 +56,7 @@ import org.joda.time.Duration;
     service = Action.Service.BACKEND,
     path = RdeReportAction.PATH,
     method = POST,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public final class RdeReportAction implements Runnable, EscrowTask {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();

core/src/main/java/google/registry/rde/RdeStagingAction.java

@@ -207,7 +207,7 @@ import org.joda.time.Duration;
     service = Action.Service.BACKEND,
     path = RdeStagingAction.PATH,
     method = {GET, POST},
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public final class RdeStagingAction implements Runnable {
 
   public static final String PATH = "/_dr/task/rdeStaging";

core/src/main/java/google/registry/rde/RdeUploadAction.java

@@ -87,7 +87,7 @@ import org.joda.time.Duration;
     service = Action.Service.BACKEND,
     path = RdeUploadAction.PATH,
     method = POST,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public final class RdeUploadAction implements Runnable, EscrowTask {
 
   public static final String PATH = "/_dr/task/rdeUpload";

core/src/main/java/google/registry/reporting/billing/CopyDetailReportsAction.java

@@ -47,7 +47,7 @@ import javax.inject.Inject;
     service = Action.Service.BACKEND,
     path = CopyDetailReportsAction.PATH,
     method = POST,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public final class CopyDetailReportsAction implements Runnable {
 
   public static final String PATH = "/_dr/task/copyDetailReports";

core/src/main/java/google/registry/reporting/billing/GenerateInvoicesAction.java

@@ -54,7 +54,7 @@ import org.joda.time.YearMonth;
     service = Action.Service.BACKEND,
     path = GenerateInvoicesAction.PATH,
     method = POST,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public class GenerateInvoicesAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();

core/src/main/java/google/registry/reporting/billing/PublishInvoicesAction.java

@@ -52,7 +52,7 @@ import org.joda.time.YearMonth;
     service = Action.Service.BACKEND,
     path = PublishInvoicesAction.PATH,
     method = POST,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public class PublishInvoicesAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();

core/src/main/java/google/registry/reporting/icann/IcannReportingStagingAction.java

@@ -67,7 +67,7 @@ import org.joda.time.format.DateTimeFormat;
     service = Action.Service.BACKEND,
     path = IcannReportingStagingAction.PATH,
     method = POST,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public final class IcannReportingStagingAction implements Runnable {
 
   static final String PATH = "/_dr/task/icannReportingStaging";

core/src/main/java/google/registry/reporting/icann/IcannReportingUploadAction.java

@@ -70,7 +70,7 @@ import org.joda.time.Duration;
     service = Action.Service.BACKEND,
     path = IcannReportingUploadAction.PATH,
     method = POST,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public final class IcannReportingUploadAction implements Runnable {
 
   static final String PATH = "/_dr/task/icannReportingUpload";

core/src/main/java/google/registry/reporting/spec11/GenerateSpec11ReportAction.java

@@ -53,7 +53,7 @@ import org.joda.time.LocalDate;
     service = Action.Service.BACKEND,
     path = GenerateSpec11ReportAction.PATH,
     method = POST,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public class GenerateSpec11ReportAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();

core/src/main/java/google/registry/reporting/spec11/PublishSpec11ReportAction.java

@@ -59,7 +59,7 @@ import org.json.JSONException;
     service = Action.Service.BACKEND,
     path = PublishSpec11ReportAction.PATH,
     method = POST,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public class PublishSpec11ReportAction implements Runnable {
 
   static final String PATH = "/_dr/task/publishSpec11";

core/src/main/java/google/registry/request/RequestModule.java

@@ -15,11 +15,10 @@
 package google.registry.request;
 
 import static com.google.common.net.MediaType.JSON_UTF_8;
-import static google.registry.dns.PublishDnsUpdatesAction.APP_ENGINE_RETRY_HEADER;
 import static google.registry.dns.PublishDnsUpdatesAction.CLOUD_TASKS_RETRY_HEADER;
 import static google.registry.model.tld.Tlds.assertTldExists;
 import static google.registry.model.tld.Tlds.assertTldsExist;
-import static google.registry.request.RequestParameters.extractOptionalHeader;
+import static google.registry.request.RequestParameters.extractRequiredHeader;
 import static google.registry.request.RequestParameters.extractRequiredParameter;
 import static google.registry.request.RequestParameters.extractSetOfParameters;
 import static java.nio.charset.StandardCharsets.UTF_8;
@@ -131,8 +130,8 @@ public final class RequestModule {
   @FullServletPath
   static String provideFullServletPath(HttpServletRequest req) {
     // Include the port only if it differs from the default for the scheme.
-    if ((req.getScheme().equals("http") && (req.getServerPort() == 80))
-        || (req.getScheme().equals("https") && (req.getServerPort() == 443))) {
+    if (("http".equals(req.getScheme()) && (req.getServerPort() == 80))
+        || ("https".equals(req.getScheme()) && (req.getServerPort() == 443))) {
       return String.format("%s://%s%s", req.getScheme(), req.getServerName(), req.getServletPath());
     } else {
       return String.format(
@@ -237,16 +236,10 @@ public final class RequestModule {
     return params.build();
   }
 
-  @Provides
-  @Header(APP_ENGINE_RETRY_HEADER)
-  static Optional<Integer> provideAppEngineRetryCount(HttpServletRequest req) {
-    return extractOptionalHeader(req, APP_ENGINE_RETRY_HEADER).map(Integer::parseInt);
-  }
-
   @Provides
   @Header(CLOUD_TASKS_RETRY_HEADER)
-  static Optional<Integer> provideCloudTasksRetryCount(HttpServletRequest req) {
-    return extractOptionalHeader(req, CLOUD_TASKS_RETRY_HEADER).map(Integer::parseInt);
+  static int provideCloudTasksRetryCount(HttpServletRequest req) {
+    return Integer.parseInt(extractRequiredHeader(req, CLOUD_TASKS_RETRY_HEADER));
   }
 
   @Provides

core/src/main/java/google/registry/request/auth/AppEngineInternalAuthenticationMechanism.java

@@ -1,62 +0,0 @@
-// Copyright 2017 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.request.auth;
-
-import static google.registry.request.auth.AuthSettings.AuthLevel.APP;
-import static google.registry.request.auth.AuthSettings.AuthLevel.NONE;
-
-import com.google.appengine.api.users.UserService;
-import javax.inject.Inject;
-import javax.servlet.http.HttpServletRequest;
-
-/**
- * Authentication mechanism which uses the X-AppEngine-QueueName header set by App Engine for
- * internal requests.
- *
- * <p>Task queue push task requests set this header value to the actual queue name. Cron requests
- * set this header value to __cron, since that's actually the name of the hidden queue used for cron
- * requests. Cron also sets the header X-AppEngine-Cron, which we could check, but it's simpler just
- * to check the one.
- *
- * <p>App Engine allows app admins to set these headers for testing purposes. Because of this, we
- * also need to verify that the current user is null, indicating that there is no user, to prevent
- * access by someone with "admin" privileges. If the user is an admin, UserService presumably must
- * return a User object.
- *
- * <p>See <a href=
- * "https://cloud.google.com/appengine/docs/java/taskqueue/push/creating-handlers#reading_request_headers">task
- * handler request header documentation</a>
- */
-public class AppEngineInternalAuthenticationMechanism implements AuthenticationMechanism {
-
-  // As defined in the App Engine request header documentation.
-  private static final String QUEUE_NAME_HEADER = "X-AppEngine-QueueName";
-
-  private UserService userService;
-
-  @Inject
-  public AppEngineInternalAuthenticationMechanism(UserService userService) {
-    this.userService = userService;
-  }
-
-  @Override
-  public AuthResult authenticate(HttpServletRequest request) {
-    if (request.getHeader(QUEUE_NAME_HEADER) == null || userService.getCurrentUser() != null) {
-      return AuthResult.create(NONE);
-    } else {
-      return AuthResult.create(APP);
-    }
-  }
-}

core/src/main/java/google/registry/request/auth/Auth.java

@@ -15,63 +15,65 @@
 package google.registry.request.auth;
 
 import com.google.common.collect.ImmutableList;
+import google.registry.flows.EppTlsAction;
+import google.registry.flows.TlsCredentials;
 import google.registry.request.auth.AuthSettings.AuthLevel;
 import google.registry.request.auth.AuthSettings.AuthMethod;
 import google.registry.request.auth.AuthSettings.UserPolicy;
+import google.registry.ui.server.registrar.HtmlAction;
+import google.registry.ui.server.registrar.JsonGetAction;
 
 /** Enum used to configure authentication settings for Actions. */
 public enum Auth {
 
   /**
-   * Allows anyone access, doesn't attempt to authenticate user.
-   *
-   * <p>Will never return absent(), but only authenticates access from App Engine task-queues. For
-   * everyone else - returns NOT_AUTHENTICATED.
-   */
-  AUTH_PUBLIC_ANONYMOUS(ImmutableList.of(AuthMethod.INTERNAL), AuthLevel.NONE, UserPolicy.PUBLIC),
-
-  /**
-   * Allows anyone to access, does attempt to authenticate user.
+   * Allows anyone to access.
    *
    * <p>If a user is logged in, will authenticate (and return) them. Otherwise, access is still
    * granted, but NOT_AUTHENTICATED is returned.
    *
-   * <p>Will never return absent().
+   * <p>This is used for public HTML endpoints like RDAP, the check API, and web WHOIS.
+   *
+   * <p>User-facing legacy console endpoints (those that extend {@link HtmlAction}) also use it.
+   * They need to allow requests from signed-out users so that they can redirect users to the login
+   * page. After a user is logged in, they check if the user actually has access to the specific
+   * console using {@link AuthenticatedRegistrarAccessor}.
+   *
+   * @see HtmlAction
    */
   AUTH_PUBLIC(
-      ImmutableList.of(AuthMethod.INTERNAL, AuthMethod.API, AuthMethod.LEGACY),
-      AuthLevel.NONE,
-      UserPolicy.PUBLIC),
+      ImmutableList.of(AuthMethod.API, AuthMethod.LEGACY), AuthLevel.NONE, UserPolicy.PUBLIC),
 
   /**
    * Allows anyone to access, as long as they are logged in.
    *
-   * <p>Does not allow access from App Engine task-queues.
+   * <p>This is used by legacy registrar console programmatic endpoints (those that extend {@link
+   * JsonGetAction}, which are accessed via XHR requests sent from a logged-in user when performing
+   * actions on the console.
    */
   AUTH_PUBLIC_LOGGED_IN(
       ImmutableList.of(AuthMethod.API, AuthMethod.LEGACY), AuthLevel.USER, UserPolicy.PUBLIC),
 
   /**
-   * Allows anyone to access, as long as they use OAuth to authenticate.
+   * Allows any client to access, as long as they are logged in via API-based authentication
+   * mechanisms.
    *
-   * <p>Also allows access from App Engine task-queue. Note that OAuth client ID still needs to be
-   * allow-listed in the config file for OAuth-based authentication to succeed.
+   * <p>This is used by the proxy to access Nomulus endpoints. The proxy service account does NOT
+   * have admin privileges. For EPP, we handle client authentication within {@link EppTlsAction},
+   * using {@link TlsCredentials}. For WHOIS, anyone connecting to the proxy can access.
+   *
+   * <p>Note that the proxy service account DOES need to be allow-listed in the {@code
+   * auth.allowedServiceAccountEmails} field in the config YAML file in order for OIDC-based
+   * authentication to pass.
    */
-  AUTH_PUBLIC_OR_INTERNAL(
-      ImmutableList.of(AuthMethod.INTERNAL, AuthMethod.API), AuthLevel.APP, UserPolicy.PUBLIC),
-
-  /** Allows only admins or App Engine task-queue access. */
-  AUTH_INTERNAL_OR_ADMIN(
-      ImmutableList.of(AuthMethod.INTERNAL, AuthMethod.API), AuthLevel.APP, UserPolicy.ADMIN),
+  AUTH_API_PUBLIC(ImmutableList.of(AuthMethod.API), AuthLevel.APP, UserPolicy.PUBLIC),
 
   /**
-   * Allows only App Engine task-queue access.
+   * Allows only admins to access.
    *
-   * <p>In general, prefer AUTH_INTERNAL_OR_ADMIN. This level of access should be reserved for
-   * endpoints that have some sensitivity (it was introduced to mitigate a remote-shell
-   * vulnerability).
+   * <p>This applies to the majority of the endpoints.
    */
-  AUTH_INTERNAL_ONLY(ImmutableList.of(AuthMethod.INTERNAL), AuthLevel.APP, UserPolicy.IGNORED);
+  AUTH_API_ADMIN(ImmutableList.of(AuthMethod.API), AuthLevel.APP, UserPolicy.ADMIN);
 
   private final AuthSettings authSettings;
 

core/src/main/java/google/registry/request/auth/AuthModule.java

@@ -44,7 +44,7 @@ public class AuthModule {
   // See: https://cloud.google.com/iap/docs/signed-headers-howto#verifying_the_jwt_payload
   private static final String IAP_AUDIENCE_FORMAT = "/projects/%d/apps/%s";
   private static final String IAP_ISSUER_URL = "https://cloud.google.com/iap";
-  private static final String SA_ISSUER_URL = "https://accounts.google.com";
+  private static final String REGULAR_ISSUER_URL = "https://accounts.google.com";
 
   /** Provides the custom authentication mechanisms (including OAuth and OIDC). */
   @Provides
@@ -82,8 +82,8 @@ public class AuthModule {
   @Provides
   @RegularOidc
   @Singleton
-  TokenVerifier provideRegularTokenVerifier(@Config("projectId") String projectId) {
-    return TokenVerifier.newBuilder().setAudience(projectId).setIssuer(SA_ISSUER_URL).build();
+  TokenVerifier provideRegularTokenVerifier(@Config("oauthClientId") String clientId) {
+    return TokenVerifier.newBuilder().setAudience(clientId).setIssuer(REGULAR_ISSUER_URL).build();
   }
 
   @Provides

core/src/main/java/google/registry/request/auth/AuthSettings.java

@@ -42,9 +42,6 @@ public abstract class AuthSettings {
   /** Available methods for authentication. */
   public enum AuthMethod {
 
-    /** App Engine internal authentication. Must always be provided as the first method. */
-    INTERNAL,
-
     /** Authentication methods suitable for API-style access, such as OAuth 2. */
     API,
 
@@ -55,7 +52,7 @@ public abstract class AuthSettings {
   /**
    * Authentication level.
    *
-   * <p>Used by {@link Auth} to specify what authentication is required, and by {@link AuthResult})
+   * <p>Used by {@link Auth} to specify what authentication is required, and by {@link AuthResult}
    * to specify what authentication was found. These are a series of levels, from least to most
    * authentication required. The lowest level of requirement, NONE, can be satisfied by any level
    * of authentication, while the highest level, USER, can only be satisfied by the authentication
@@ -92,9 +89,6 @@ public abstract class AuthSettings {
   /** User authorization policy options. */
   public enum UserPolicy {
 
-    /** This action ignores end users; the only configured auth method must be INTERNAL. */
-    IGNORED,
-
     /** No user policy is enforced; anyone can access this action. */
     PUBLIC,
 

core/src/main/java/google/registry/request/auth/OAuthAuthenticationMechanism.java

@@ -32,7 +32,7 @@ import javax.servlet.http.HttpServletRequest;
 /**
  * OAuth authentication mechanism, using the OAuthService interface.
  *
- * Only OAuth version 2 is supported.
+ * <p>Only OAuth version 2 is supported.
  */
 public class OAuthAuthenticationMechanism implements AuthenticationMechanism {
 

core/src/main/java/google/registry/request/auth/OidcTokenAuthenticationMechanism.java

@@ -19,7 +19,7 @@ import static google.registry.request.auth.AuthSettings.AuthLevel.APP;
 import com.google.api.client.json.webtoken.JsonWebSignature;
 import com.google.auth.oauth2.TokenVerifier;
 import com.google.common.annotations.VisibleForTesting;
-import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableSet;
 import com.google.common.flogger.FluentLogger;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.config.RegistryEnvironment;
@@ -57,10 +57,10 @@ public abstract class OidcTokenAuthenticationMechanism implements Authentication
 
   protected final TokenExtractor tokenExtractor;
 
-  private final ImmutableList<String> serviceAccountEmails;
+  private final ImmutableSet<String> serviceAccountEmails;
 
   protected OidcTokenAuthenticationMechanism(
-      ImmutableList<String> serviceAccountEmails,
+      ImmutableSet<String> serviceAccountEmails,
       TokenVerifier tokenVerifier,
       TokenExtractor tokenExtractor) {
     this.serviceAccountEmails = serviceAccountEmails;
@@ -83,7 +83,11 @@ public abstract class OidcTokenAuthenticationMechanism implements Authentication
     try {
       token = tokenVerifier.verify(rawIdToken);
     } catch (Exception e) {
-      logger.atInfo().withCause(e).log("Error when verifying access token");
+      logger.atInfo().withCause(e).log(
+          "Failed OIDC verification attempt:\n%s",
+          RegistryEnvironment.get().equals(RegistryEnvironment.PRODUCTION)
+              ? "Raw token redacted in prod"
+              : rawIdToken);
       return AuthResult.NOT_AUTHENTICATED;
     }
     String email = (String) token.getPayload().get("email");
@@ -95,6 +99,7 @@ public abstract class OidcTokenAuthenticationMechanism implements Authentication
     if (maybeUser.isPresent()) {
       return AuthResult.create(AuthLevel.USER, UserAuthInfo.create(maybeUser.get()));
     }
+    // TODO: implement caching so we don't have to look up the database for every request.
     logger.atInfo().log("No end user found for email address %s", email);
     if (serviceAccountEmails.stream().anyMatch(e -> e.equals(email))) {
       return AuthResult.create(APP);
@@ -136,7 +141,7 @@ public abstract class OidcTokenAuthenticationMechanism implements Authentication
 
     @Inject
     protected IapOidcAuthenticationMechanism(
-        @Config("serviceAccountEmails") ImmutableList<String> serviceAccountEmails,
+        @Config("allowedServiceAccountEmails") ImmutableSet<String> serviceAccountEmails,
         @IapOidc TokenVerifier tokenVerifier,
         @IapOidc TokenExtractor tokenExtractor) {
       super(serviceAccountEmails, tokenVerifier, tokenExtractor);
@@ -164,7 +169,7 @@ public abstract class OidcTokenAuthenticationMechanism implements Authentication
 
     @Inject
     protected RegularOidcAuthenticationMechanism(
-        @Config("serviceAccountEmails") ImmutableList<String> serviceAccountEmails,
+        @Config("allowedServiceAccountEmails") ImmutableSet<String> serviceAccountEmails,
         @RegularOidc TokenVerifier tokenVerifier,
         @RegularOidc TokenExtractor tokenExtractor) {
       super(serviceAccountEmails, tokenVerifier, tokenExtractor);

core/src/main/java/google/registry/request/auth/RequestAuthenticator.java

@@ -15,13 +15,15 @@
 package google.registry.request.auth;
 
 import static com.google.common.base.Preconditions.checkArgument;
+import static google.registry.request.auth.AuthSettings.AuthLevel.APP;
+import static google.registry.request.auth.AuthSettings.AuthLevel.NONE;
+import static google.registry.request.auth.AuthSettings.AuthLevel.USER;
+import static google.registry.request.auth.AuthSettings.UserPolicy.ADMIN;
 
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.Ordering;
 import com.google.common.flogger.FluentLogger;
-import google.registry.request.auth.AuthSettings.AuthLevel;
 import google.registry.request.auth.AuthSettings.AuthMethod;
-import google.registry.request.auth.AuthSettings.UserPolicy;
 import java.util.Optional;
 import javax.inject.Inject;
 import javax.servlet.http.HttpServletRequest;
@@ -29,7 +31,6 @@ import javax.servlet.http.HttpServletRequest;
 /** Top-level authentication/authorization class; calls authentication mechanisms as needed. */
 public class RequestAuthenticator {
 
-  private final AppEngineInternalAuthenticationMechanism appEngineInternalAuthenticationMechanism;
   private final ImmutableList<AuthenticationMechanism> apiAuthenticationMechanisms;
   private final LegacyAuthenticationMechanism legacyAuthenticationMechanism;
 
@@ -37,10 +38,8 @@ public class RequestAuthenticator {
 
   @Inject
   public RequestAuthenticator(
-      AppEngineInternalAuthenticationMechanism appEngineInternalAuthenticationMechanism,
       ImmutableList<AuthenticationMechanism> apiAuthenticationMechanisms,
       LegacyAuthenticationMechanism legacyAuthenticationMechanism) {
-    this.appEngineInternalAuthenticationMechanism = appEngineInternalAuthenticationMechanism;
     this.apiAuthenticationMechanisms = apiAuthenticationMechanisms;
     this.legacyAuthenticationMechanism = legacyAuthenticationMechanism;
   }
@@ -58,42 +57,19 @@ public class RequestAuthenticator {
   public Optional<AuthResult> authorize(AuthSettings auth, HttpServletRequest req) {
     logger.atInfo().log("Action requires auth: %s", auth);
     AuthResult authResult = authenticate(auth, req);
-    switch (auth.minimumLevel()) {
-      case NONE:
-        // Any authentication result is ok.
-        break;
-      case APP:
-        if (!authResult.isAuthenticated()) {
-          logger.atWarning().log("Not authorized; no authentication found.");
-          return Optional.empty();
-        }
-        break;
-      case USER:
-        if (authResult.authLevel() != AuthLevel.USER) {
-          logger.atWarning().log("Not authorized; no authenticated user.");
-          // TODO(mountford): change this so that the caller knows to return a more helpful error
-          return Optional.empty();
-        }
-        break;
+    if (auth.minimumLevel() == APP && !authResult.isAuthenticated()) {
+      logger.atWarning().log("Not authorized; no authentication found.");
+      return Optional.empty();
+    } else if (auth.minimumLevel() == USER && authResult.authLevel() != USER) {
+      logger.atWarning().log("Not authorized; no authenticated user.");
+      return Optional.empty();
     }
-    switch (auth.userPolicy()) {
-      case IGNORED:
-        if (authResult.authLevel() == AuthLevel.USER) {
-          logger.atWarning().log("Not authorized; user policy is IGNORED, but a user was found.");
-          return Optional.empty();
-        }
-        break;
-      case PUBLIC:
-        // Any user auth result is okay.
-        break;
-      case ADMIN:
-        if (authResult.userAuthInfo().isPresent()
-            && !authResult.userAuthInfo().get().isUserAdmin()) {
-          logger.atWarning().log(
-              "Not authorized; user policy is ADMIN, but the user was not an admin.");
-          return Optional.empty();
-        }
-        break;
+    if (auth.userPolicy() == ADMIN
+        && authResult.userAuthInfo().isPresent()
+        && !authResult.userAuthInfo().get().isUserAdmin()) {
+      logger.atWarning().log(
+          "Not authorized; user policy is ADMIN, but the user was not an admin.");
+      return Optional.empty();
     }
     return Optional.of(authResult);
   }
@@ -110,18 +86,8 @@ public class RequestAuthenticator {
     for (AuthMethod authMethod : auth.methods()) {
       AuthResult authResult;
       switch (authMethod) {
-          // App Engine internal authentication, using the queue name header
-        case INTERNAL:
-          // checkAuthConfig will have insured that the user policy is not USER.
-          authResult = appEngineInternalAuthenticationMechanism.authenticate(req);
-          if (authResult.isAuthenticated()) {
-            logger.atInfo().log("Authenticated via internal auth: %s", authResult);
-            return authResult;
-          }
-          break;
-          // API-based user authentication mechanisms, such as OAuth
+          // API-based user authentication mechanisms, such as OAuth and OIDC.
         case API:
-          // checkAuthConfig will have insured that the user policy is not IGNORED.
           for (AuthenticationMechanism authMechanism : apiAuthenticationMechanisms) {
             authResult = authMechanism.authenticate(req);
             if (authResult.isAuthenticated()) {
@@ -133,7 +99,6 @@ public class RequestAuthenticator {
           break;
           // Legacy authentication via UserService
         case LEGACY:
-          // checkAuthConfig will have insured that the user policy is not IGNORED.
           authResult = legacyAuthenticationMechanism.authenticate(req);
           if (authResult.isAuthenticated()) {
             logger.atInfo().log("Authenticated via legacy auth: %s", authResult);
@@ -151,15 +116,10 @@ public class RequestAuthenticator {
     ImmutableList<AuthMethod> authMethods = ImmutableList.copyOf(auth.methods());
     checkArgument(!authMethods.isEmpty(), "Must specify at least one auth method");
     checkArgument(
-        Ordering.explicit(AuthMethod.INTERNAL, AuthMethod.API, AuthMethod.LEGACY)
-            .isStrictlyOrdered(authMethods),
-        "Auth methods must be unique and strictly in order - INTERNAL, API, LEGACY");
+        Ordering.explicit(AuthMethod.API, AuthMethod.LEGACY).isStrictlyOrdered(authMethods),
+        "Auth methods must be unique and strictly in order - API, LEGACY");
     checkArgument(
-        !(authMethods.contains(AuthMethod.INTERNAL) && auth.minimumLevel().equals(AuthLevel.USER)),
-        "Actions with INTERNAL auth method may not require USER auth level");
-    checkArgument(
-        !(auth.userPolicy().equals(UserPolicy.IGNORED)
-            && !authMethods.equals(ImmutableList.of(AuthMethod.INTERNAL))),
-        "Actions with auth methods beyond INTERNAL must not specify the IGNORED user policy");
+        (auth.minimumLevel() != NONE) || (auth.userPolicy() != ADMIN),
+        "Actions with minimal auth level at NONE should not specify ADMIN user policy");
   }
 }

core/src/main/java/google/registry/tmch/NordnUploadAction.java

@@ -69,7 +69,7 @@ import org.joda.time.Duration;
     path = NordnUploadAction.PATH,
     method = Action.Method.POST,
     automaticallyPrintOk = true,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public final class NordnUploadAction implements Runnable {
 
   static final String PATH = "/_dr/task/nordnUpload";

core/src/main/java/google/registry/tmch/NordnVerifyAction.java

@@ -54,7 +54,7 @@ import javax.inject.Inject;
     path = NordnVerifyAction.PATH,
     method = Action.Method.POST,
     automaticallyPrintOk = true,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public final class NordnVerifyAction implements Runnable {
 
   static final String PATH = "/_dr/task/nordnVerify";

core/src/main/java/google/registry/tmch/TmchCrlAction.java

@@ -32,7 +32,7 @@ import javax.inject.Inject;
     path = "/_dr/task/tmchCrl",
     method = POST,
     automaticallyPrintOk = true,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public final class TmchCrlAction implements Runnable {
 
   @Inject Marksdb marksdb;

core/src/main/java/google/registry/tmch/TmchDnlAction.java

@@ -35,7 +35,7 @@ import org.bouncycastle.openpgp.PGPException;
     path = "/_dr/task/tmchDnl",
     method = POST,
     automaticallyPrintOk = true,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public final class TmchDnlAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();

core/src/main/java/google/registry/tmch/TmchSmdrlAction.java

@@ -34,7 +34,7 @@ import org.bouncycastle.openpgp.PGPException;
     path = "/_dr/task/tmchSmdrl",
     method = POST,
     automaticallyPrintOk = true,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public final class TmchSmdrlAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();

core/src/main/java/google/registry/tools/CurlCommand.java

@@ -75,6 +75,11 @@ class CurlCommand implements CommandWithConnection {
       required = true)
   private Service service;
 
+  @Parameter(
+      names = {"--canary"},
+      description = "If set, use the canary end-point; otherwise use the regular end-point.")
+  private Boolean canary = Boolean.FALSE;
+
   @Override
   public void setConnection(ServiceConnection connection) {
     this.connection = connection;
@@ -90,7 +95,7 @@ class CurlCommand implements CommandWithConnection {
       throw new IllegalArgumentException("You may not specify a body for a get method.");
     }
 
-    ServiceConnection connectionToService = connection.withService(service);
+    ServiceConnection connectionToService = connection.withService(service, canary);
     String response =
         (method == Method.GET)
             ? connectionToService.sendGetRequest(path, ImmutableMap.<String, String>of())

core/src/main/java/google/registry/tools/RegistryTool.java

@@ -16,6 +16,7 @@ package google.registry.tools;
 
 import com.google.common.collect.ImmutableMap;
 import google.registry.tools.javascrap.CreateCancellationsForBillingEventsCommand;
+import google.registry.tools.javascrap.RecreateBillingRecurrencesCommand;
 
 /** Container class to create and run remote commands against a server instance. */
 public final class RegistryTool {
@@ -93,6 +94,7 @@ public final class RegistryTool {
           .put("login", LoginCommand.class)
           .put("logout", LogoutCommand.class)
           .put("pending_escrow", PendingEscrowCommand.class)
+          .put("recreate_billing_recurrences", RecreateBillingRecurrencesCommand.class)
           .put("registrar_poc", RegistrarPocCommand.class)
           .put("renew_domain", RenewDomainCommand.class)
           .put("save_sql_credential", SaveSqlCredentialCommand.class)

core/src/main/java/google/registry/tools/RequestFactoryModule.java

@@ -14,23 +14,17 @@
 
 package google.registry.tools;
 
-import com.google.api.client.http.GenericUrl;
-import com.google.api.client.http.HttpRequest;
+import static com.google.common.net.HttpHeaders.PROXY_AUTHORIZATION;
+
 import com.google.api.client.http.HttpRequestFactory;
-import com.google.api.client.http.HttpResponse;
-import com.google.api.client.http.UrlEncodedContent;
 import com.google.api.client.http.javanet.NetHttpTransport;
-import com.google.api.client.util.GenericData;
-import com.google.auth.oauth2.UserCredentials;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.CredentialModule.ApplicationDefaultCredential;
 import google.registry.config.RegistryConfig;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.util.GoogleCredentialsBundle;
-import java.io.IOException;
-import java.net.URI;
-import java.util.Optional;
+import google.registry.util.OidcTokenUtils;
 
 /**
  * Module for providing the HttpRequestFactory.
@@ -39,25 +33,16 @@ import java.util.Optional;
  * connections in that they don't require OAuth2 credentials, but instead require a special cookie.
  */
 @Module
-class RequestFactoryModule {
+final class RequestFactoryModule {
 
   static final int REQUEST_TIMEOUT_MS = 10 * 60 * 1000;
 
-  /**
-   * Server to use if we want to manually request an IAP ID token
-   *
-   * <p>If we need to have an IAP-enabled audience, we can use the existing refresh token and the
-   * IAP client ID audience to request an IAP-enabled ID token. This token is read and used by
-   * {@link IapHeaderAuthenticationMechanismMechanism}, and it requires that the user have a {@link
-   * google.registry.model.console.User} object present in the database.
-   */
-  private static final GenericUrl TOKEN_SERVER_URL =
-      new GenericUrl(URI.create("https://oauth2.googleapis.com/token"));
+  private RequestFactoryModule() {}
 
   @Provides
   static HttpRequestFactory provideHttpRequestFactory(
       @ApplicationDefaultCredential GoogleCredentialsBundle credentialsBundle,
-      @Config("iapClientId") Optional<String> iapClientId) {
+      @Config("oauthClientId") String oauthClientId) {
     if (RegistryConfig.areServersLocal()) {
       return new NetHttpTransport()
           .createRequestFactory(
@@ -71,14 +56,13 @@ class RequestFactoryModule {
               request -> {
                 // Use the standard credential initializer to set the Authorization header
                 credentialsBundle.getHttpRequestInitializer().initialize(request);
-                // If using IAP, use the refresh token to acquire an IAP-enabled ID token and use
-                // that for authentication.
-                if (iapClientId.isPresent()) {
-                  String idToken = getIdToken(credentialsBundle, iapClientId.get());
-                  // Set the Proxy-Authentication header so that IAP can read from it, see
-                  // https://cloud.google.com/iap/docs/authentication-howto#authenticating_from_proxy-authorization_header
-                  request.getHeaders().set("Proxy-Authorization", "Bearer " + idToken);
-                }
+                // Set OIDC token as the alternative bearer token.
+                request
+                    .getHeaders()
+                    .set(
+                        PROXY_AUTHORIZATION,
+                        "Bearer "
+                            + OidcTokenUtils.createOidcToken(credentialsBundle, oauthClientId));
                 // GAE request times out after 10 min, so here we set the timeout to 10 min. This is
                 // needed to support some nomulus commands like updating premium lists that take
                 // a lot of time to complete.
@@ -89,32 +73,4 @@ class RequestFactoryModule {
               });
     }
   }
-
-  /**
-   * Uses the saved desktop-app refresh token to acquire an IAP ID token.
-   *
-   * <p>This is lifted mostly from the Google Auth Library's {@link UserCredentials}
-   * "doRefreshAccessToken" method (which is private and thus inaccessible) while adding in the
-   * audience of the IAP client ID. That addition of the audience is what allows us to satisfy IAP
-   * auth. See
-   * https://cloud.google.com/iap/docs/authentication-howto#authenticating_from_a_desktop_app for
-   * more details.
-   */
-  private static String getIdToken(GoogleCredentialsBundle credentialsBundle, String iapClientId)
-      throws IOException {
-    UserCredentials credentials = (UserCredentials) credentialsBundle.getGoogleCredentials();
-    GenericData tokenRequest = new GenericData();
-    tokenRequest.set("client_id", credentials.getClientId());
-    tokenRequest.set("client_secret", credentials.getClientSecret());
-    tokenRequest.set("refresh_token", credentials.getRefreshToken());
-    tokenRequest.set("audience", iapClientId);
-    tokenRequest.set("grant_type", "refresh_token");
-    UrlEncodedContent content = new UrlEncodedContent(tokenRequest);
-
-    HttpRequestFactory requestFactory = credentialsBundle.getHttpTransport().createRequestFactory();
-    HttpRequest request = requestFactory.buildPostRequest(TOKEN_SERVER_URL, content);
-    request.setParser(credentialsBundle.getJsonFactory().createJsonObjectParser());
-    HttpResponse response = request.execute();
-    return response.parseAs(GenericData.class).get("id_token").toString();
-  }
 }

core/src/main/java/google/registry/tools/ServiceConnection.java

@@ -15,6 +15,8 @@
 package google.registry.tools;
 
 import static com.google.common.base.Preconditions.checkNotNull;
+import static com.google.common.base.Strings.isNullOrEmpty;
+import static com.google.common.base.Verify.verify;
 import static com.google.common.net.HttpHeaders.X_REQUESTED_WITH;
 import static com.google.common.net.MediaType.JSON_UTF_8;
 import static google.registry.security.JsonHttp.JSON_SAFETY_PREFIX;
@@ -26,6 +28,7 @@ import com.google.api.client.http.HttpHeaders;
 import com.google.api.client.http.HttpRequest;
 import com.google.api.client.http.HttpRequestFactory;
 import com.google.api.client.http.HttpResponse;
+import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.io.CharStreams;
@@ -36,6 +39,7 @@ import google.registry.config.RegistryConfig;
 import google.registry.request.Action.Service;
 import java.io.IOException;
 import java.io.InputStreamReader;
+import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.Map;
 import javax.annotation.Nullable;
@@ -55,20 +59,23 @@ public class ServiceConnection {
 
   @Inject HttpRequestFactory requestFactory;
   private final Service service;
+  private final boolean useCanary;
 
   @Inject
   ServiceConnection() {
     service = Service.TOOLS;
+    useCanary = false;
   }
 
-  private ServiceConnection(Service service, HttpRequestFactory requestFactory) {
+  private ServiceConnection(Service service, HttpRequestFactory requestFactory, boolean useCanary) {
     this.service = service;
     this.requestFactory = requestFactory;
+    this.useCanary = useCanary;
   }
 
-  /** Returns a copy of this connection that talks to a different service. */
-  public ServiceConnection withService(Service service) {
-    return new ServiceConnection(service, requestFactory);
+  /** Returns a copy of this connection that talks to a different service endpoint. */
+  public ServiceConnection withService(Service service, boolean isCanary) {
+    return new ServiceConnection(service, requestFactory, isCanary);
   }
 
   /** Returns the contents of the title tag in the given HTML, or null if not found. */
@@ -85,7 +92,7 @@ public class ServiceConnection {
   private String internalSend(
       String endpoint, Map<String, ?> params, MediaType contentType, @Nullable byte[] payload)
       throws IOException {
-    GenericUrl url = new GenericUrl(String.format("%s%s", getServer(service), endpoint));
+    GenericUrl url = new GenericUrl(String.format("%s%s", getServer(), endpoint));
     url.putAll(params);
     HttpRequest request =
         (payload != null)
@@ -120,6 +127,20 @@ public class ServiceConnection {
     }
   }
 
+  @VisibleForTesting
+  URL getServer() {
+    URL url = getServer(service);
+    if (useCanary) {
+      verify(!isNullOrEmpty(url.getHost()), "Null host in url");
+      try {
+        return new URL(url.getProtocol(), "nomulus-dot-" + url.getHost(), url.getFile());
+      } catch (MalformedURLException e) {
+        throw new RuntimeException(e);
+      }
+    }
+    return url;
+  }
+
   public String sendPostRequest(
       String endpoint, Map<String, ?> params, MediaType contentType, byte[] payload)
       throws IOException {

core/src/main/java/google/registry/tools/UpdatePremiumListCommand.java

@@ -24,7 +24,6 @@ import google.registry.model.tld.label.PremiumList;
 import google.registry.model.tld.label.PremiumListDao;
 import google.registry.model.tld.label.PremiumListUtils;
 import java.nio.file.Files;
-import java.util.Optional;
 
 /** Command to safely update {@link PremiumList} in Database for a given TLD. */
 @Parameters(separators = " =", commandDescription = "Update a PremiumList in Database.")
@@ -33,16 +32,19 @@ class UpdatePremiumListCommand extends CreateOrUpdatePremiumListCommand {
   @Override
   protected String prompt() throws Exception {
     name = Strings.isNullOrEmpty(name) ? convertFilePathToName(inputFile) : name;
-    Optional<PremiumList> list = PremiumListDao.getLatestRevision(name);
-    checkArgument(
-        list.isPresent(),
-        String.format("Could not update premium list %s because it doesn't exist.", name));
+    PremiumList existingList =
+        PremiumListDao.getLatestRevision(name)
+            .orElseThrow(
+                () ->
+                    new IllegalArgumentException(
+                        String.format(
+                            "Could not update premium list %s because it doesn't exist", name)));
     inputData = Files.readAllLines(inputFile, UTF_8);
     checkArgument(!inputData.isEmpty(), "New premium list data cannot be empty");
-    currency = list.get().getCurrency();
+    currency = existingList.getCurrency();
     PremiumList updatedPremiumList = PremiumListUtils.parseToPremiumList(name, currency, inputData);
     return String.format(
         "Update premium list for %s?\n Old List: %s\n New List: %s",
-        name, list, updatedPremiumList);
+        name, existingList, updatedPremiumList);
   }
 }

core/src/main/java/google/registry/tools/javascrap/RecreateBillingRecurrencesCommand.java

@@ -0,0 +1,146 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.tools.javascrap;
+
+import static com.google.common.base.Preconditions.checkArgument;
+import static com.google.common.collect.ImmutableList.toImmutableList;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+import static google.registry.util.DateTimeUtils.END_OF_TIME;
+
+import com.beust.jcommander.Parameter;
+import com.beust.jcommander.Parameters;
+import com.google.common.base.Joiner;
+import com.google.common.collect.ImmutableList;
+import google.registry.model.EppResourceUtils;
+import google.registry.model.billing.BillingRecurrence;
+import google.registry.model.common.TimeOfYear;
+import google.registry.model.domain.Domain;
+import google.registry.persistence.VKey;
+import google.registry.persistence.transaction.QueryComposer.Comparator;
+import google.registry.tools.ConfirmingCommand;
+import java.util.List;
+import org.joda.time.DateTime;
+
+/**
+ * Command to recreate closed {@link BillingRecurrence}s for domains.
+ *
+ * <p>This can be used to fix situations where BillingRecurrences were inadvertently closed. The new
+ * recurrences will start at the recurrenceTimeOfYear that has most recently occurred in the past,
+ * so that billing will restart upon the next date that the domain would have normally been billed
+ * for autorenew.
+ */
+@Parameters(
+    separators = " =",
+    commandDescription = "Recreate inadvertently-closed BillingRecurrences.")
+public class RecreateBillingRecurrencesCommand extends ConfirmingCommand {
+
+  @Parameter(
+      description = "Domain name(s) for which we wish to recreate a BillingRecurrence",
+      required = true)
+  private List<String> mainParameters;
+
+  @Override
+  protected String prompt() throws Exception {
+    checkArgument(!mainParameters.isEmpty(), "Must provide at least one domain name");
+    return tm().transact(
+            () -> {
+              ImmutableList<BillingRecurrence> existingRecurrences = loadRecurrences();
+              ImmutableList<BillingRecurrence> newRecurrences =
+                  convertRecurrencesWithoutSaving(existingRecurrences);
+              return String.format(
+                  "Create new BillingRecurrence(s)?\n"
+                      + "Existing recurrences:\n"
+                      + "%s\n"
+                      + "New recurrences:\n"
+                      + "%s",
+                  Joiner.on('\n').join(existingRecurrences), Joiner.on('\n').join(newRecurrences));
+            });
+  }
+
+  @Override
+  protected String execute() throws Exception {
+    ImmutableList<BillingRecurrence> newBillingRecurrences = tm().transact(this::internalExecute);
+    return "Created new recurrence(s): " + newBillingRecurrences;
+  }
+
+  private ImmutableList<BillingRecurrence> internalExecute() {
+    ImmutableList<BillingRecurrence> newRecurrences =
+        convertRecurrencesWithoutSaving(loadRecurrences());
+    newRecurrences.forEach(
+        recurrence -> {
+          tm().put(recurrence);
+          Domain domain = tm().loadByKey(VKey.create(Domain.class, recurrence.getDomainRepoId()));
+          tm().put(domain.asBuilder().setAutorenewBillingEvent(recurrence.createVKey()).build());
+        });
+    return newRecurrences;
+  }
+
+  private ImmutableList<BillingRecurrence> convertRecurrencesWithoutSaving(
+      ImmutableList<BillingRecurrence> existingRecurrences) {
+    return existingRecurrences.stream()
+        .map(
+            existingRecurrence -> {
+              TimeOfYear timeOfYear = existingRecurrence.getRecurrenceTimeOfYear();
+              DateTime newLastExpansion =
+                  timeOfYear.getLastInstanceBeforeOrAt(tm().getTransactionTime());
+              // event time should be the next date of billing in the future
+              DateTime eventTime = timeOfYear.getNextInstanceAtOrAfter(tm().getTransactionTime());
+              return existingRecurrence
+                  .asBuilder()
+                  .setRecurrenceEndTime(END_OF_TIME)
+                  .setRecurrenceLastExpansion(newLastExpansion)
+                  .setEventTime(eventTime)
+                  .setId(0)
+                  .build();
+            })
+        .collect(toImmutableList());
+  }
+
+  private ImmutableList<BillingRecurrence> loadRecurrences() {
+    ImmutableList.Builder<BillingRecurrence> result = new ImmutableList.Builder<>();
+    DateTime now = tm().getTransactionTime();
+    for (String domainName : mainParameters) {
+      Domain domain =
+          EppResourceUtils.loadByForeignKey(Domain.class, domainName, now)
+              .orElseThrow(
+                  () ->
+                      new IllegalArgumentException(
+                          String.format(
+                              "Domain %s does not exist or has been deleted", domainName)));
+      BillingRecurrence billingRecurrence = tm().loadByKey(domain.getAutorenewBillingEvent());
+      checkArgument(
+          !billingRecurrence.getRecurrenceEndTime().equals(END_OF_TIME),
+          "Domain %s's recurrence's end date is already END_OF_TIME",
+          domainName);
+      // Double-check that there are no non-linked BillingRecurrences that have an END_OF_TIME end.
+      // If this is the case, something has been mis-linked.
+      ImmutableList<BillingRecurrence> allRecurrencesForDomain =
+          tm().createQueryComposer(BillingRecurrence.class)
+              .where("domainRepoId", Comparator.EQ, domain.getRepoId())
+              .list();
+      allRecurrencesForDomain.forEach(
+          recurrence ->
+              checkArgument(
+                  !recurrence.getRecurrenceEndTime().equals(END_OF_TIME),
+                  "There exists a recurrence with id %s for domain %s with an end date of"
+                      + " END_OF_TIME",
+                  recurrence.getId(),
+                  domainName));
+
+      result.add(billingRecurrence);
+    }
+    return result.build();
+  }
+}

core/src/main/java/google/registry/tools/server/CreateGroupsAction.java

@@ -43,7 +43,7 @@ import javax.inject.Inject;
     service = Action.Service.TOOLS,
     path = CreateGroupsAction.PATH,
     method = POST,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public class CreateGroupsAction implements Runnable {
 
   public static final String PATH = "/_dr/admin/createGroups";

core/src/main/java/google/registry/tools/server/GenerateZoneFilesAction.java

@@ -65,7 +65,7 @@ import org.joda.time.Duration;
     service = Action.Service.TOOLS,
     path = GenerateZoneFilesAction.PATH,
     method = POST,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public class GenerateZoneFilesAction implements Runnable, JsonActionRunner.JsonAction {
 
   private static final FluentLogger log = FluentLogger.forEnclosingClass();

core/src/main/java/google/registry/tools/server/ListDomainsAction.java

@@ -39,7 +39,7 @@ import javax.inject.Inject;
     service = Action.Service.TOOLS,
     path = ListDomainsAction.PATH,
     method = {GET, POST},
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public final class ListDomainsAction extends ListObjectsAction<Domain> {
 
   /** An App Engine limitation on how many subqueries can be used in a single query. */

core/src/main/java/google/registry/tools/server/ListHostsAction.java

@@ -34,7 +34,7 @@ import org.joda.time.DateTime;
     service = Action.Service.TOOLS,
     path = ListHostsAction.PATH,
     method = {GET, POST},
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public final class ListHostsAction extends ListObjectsAction<Host> {
 
   public static final String PATH = "/_dr/admin/list/hosts";

core/src/main/java/google/registry/tools/server/ListPremiumListsAction.java

@@ -35,7 +35,7 @@ import javax.inject.Inject;
     service = Action.Service.TOOLS,
     path = ListPremiumListsAction.PATH,
     method = {GET, POST},
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public final class ListPremiumListsAction extends ListObjectsAction<PremiumList> {
 
   public static final String PATH = "/_dr/admin/list/premiumLists";

core/src/main/java/google/registry/tools/server/ListRegistrarsAction.java

@@ -30,7 +30,7 @@ import javax.inject.Inject;
     service = Action.Service.TOOLS,
     path = ListRegistrarsAction.PATH,
     method = {GET, POST},
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public final class ListRegistrarsAction extends ListObjectsAction<Registrar> {
 
   public static final String PATH = "/_dr/admin/list/registrars";

core/src/main/java/google/registry/tools/server/ListReservedListsAction.java

@@ -33,7 +33,7 @@ import javax.inject.Inject;
     service = Action.Service.TOOLS,
     path = ListReservedListsAction.PATH,
     method = {GET, POST},
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public final class ListReservedListsAction extends ListObjectsAction<ReservedList> {
 
   public static final String PATH = "/_dr/admin/list/reservedLists";

core/src/main/java/google/registry/tools/server/ListTldsAction.java

@@ -34,7 +34,7 @@ import org.joda.time.DateTime;
     service = Action.Service.TOOLS,
     path = ListTldsAction.PATH,
     method = {GET, POST},
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public final class ListTldsAction extends ListObjectsAction<Tld> {
 
   public static final String PATH = "/_dr/admin/list/tlds";

core/src/main/java/google/registry/tools/server/RefreshDnsForAllDomainsAction.java

@@ -15,20 +15,27 @@
 package google.registry.tools.server;
 
 import static com.google.common.base.Preconditions.checkArgument;
+import static com.google.common.collect.ImmutableList.toImmutableList;
+import static com.google.common.collect.Iterables.getLast;
 import static google.registry.dns.DnsUtils.requestDomainDnsRefresh;
 import static google.registry.model.tld.Tlds.assertTldsExist;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.RequestParameters.PARAM_TLDS;
+import static google.registry.util.DateTimeUtils.END_OF_TIME;
 
+import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.flogger.FluentLogger;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
-import google.registry.util.Clock;
+import java.util.Optional;
 import java.util.Random;
+import javax.annotation.Nullable;
 import javax.inject.Inject;
+import javax.persistence.TypedQuery;
+import org.apache.arrow.util.VisibleForTesting;
 import org.apache.http.HttpStatus;
 import org.joda.time.Duration;
 
@@ -39,64 +46,92 @@ import org.joda.time.Duration;
  * are responsible for enqueuing refresh tasks for subordinate hosts. So this action thus refreshes
  * DNS for everything applicable under all TLDs under management.
  *
- * <p>Because there are no auth settings in the {@link Action} annotation, this command can only be
- * run internally, or by pretending to be internal by setting the X-AppEngine-QueueName header,
- * which only admin users can do.
- *
- * <p>You must pass in a number of {@code smearMinutes} as a URL parameter so that the DNS queue
- * doesn't get overloaded. A rough rule of thumb for Cloud DNS is 1 minute per every 1,000 domains.
- * This smears the updates out over the next N minutes. For small TLDs consisting of fewer than
- * 1,000 domains, passing in 1 is fine (which will execute all the updates immediately).
+ * <p>You may pass in a {@code batchSize} for the batched read of domains from the database. This is
+ * recommended to be somewhere between 200 and 500. The default value is 250.
  */
 @Action(
     service = Action.Service.TOOLS,
     path = "/_dr/task/refreshDnsForAllDomains",
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public class RefreshDnsForAllDomainsAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
 
-  @Inject Response response;
+  private static final int DEFAULT_BATCH_SIZE = 250;
+
+  private final Response response;
+  private final ImmutableSet<String> tlds;
+
+  // Recommended value for batch size is between 200 and 500
+  private final int batchSize;
+  private final Random random;
 
   @Inject
-  @Parameter(PARAM_TLDS)
-  ImmutableSet<String> tlds;
-
-  @Inject
-  @Parameter("smearMinutes")
-  int smearMinutes;
-
-  @Inject Clock clock;
-  @Inject Random random;
-
-  @Inject
-  RefreshDnsForAllDomainsAction() {}
+  RefreshDnsForAllDomainsAction(
+      Response response,
+      @Parameter(PARAM_TLDS) ImmutableSet<String> tlds,
+      @Parameter("batchSize") Optional<Integer> batchSize,
+      Random random) {
+    this.response = response;
+    this.tlds = tlds;
+    this.batchSize = batchSize.orElse(DEFAULT_BATCH_SIZE);
+    this.random = random;
+  }
 
   @Override
   public void run() {
     assertTldsExist(tlds);
-    checkArgument(smearMinutes > 0, "Must specify a positive number of smear minutes");
-    tm().transact(
-            () ->
-                tm().query(
-                        "SELECT domainName FROM Domain "
-                            + "WHERE tld IN (:tlds) "
-                            + "AND deletionTime > :now",
-                        String.class)
-                    .setParameter("tlds", tlds)
-                    .setParameter("now", clock.nowUtc())
-                    .getResultStream()
-                    .forEach(
-                        domainName -> {
-                          try {
-                            // Smear the task execution time over the next N minutes.
-                            requestDomainDnsRefresh(
-                                domainName, Duration.standardMinutes(random.nextInt(smearMinutes)));
-                          } catch (Throwable t) {
-                            logger.atSevere().withCause(t).log(
-                                "Error while enqueuing DNS refresh for domain '%s'.", domainName);
-                            response.setStatus(HttpStatus.SC_INTERNAL_SERVER_ERROR);
-                          }
-                        }));
+    checkArgument(batchSize > 0, "Must specify a positive number for batch size");
+    int smearMinutes = tm().transact(this::calculateSmearMinutes);
+
+    ImmutableList<String> domainsBatch;
+    @Nullable String lastInPreviousBatch = null;
+    do {
+      Optional<String> lastInPreviousBatchOpt = Optional.ofNullable(lastInPreviousBatch);
+      domainsBatch = tm().transact(() -> refreshBatch(lastInPreviousBatchOpt, smearMinutes));
+      lastInPreviousBatch = domainsBatch.isEmpty() ? null : getLast(domainsBatch);
+    } while (domainsBatch.size() == batchSize);
+  }
+
+  /**
+   * Calculates the number of smear minutes to enqueue refreshes so that the DNS queue does not get
+   * overloaded.
+   */
+  private int calculateSmearMinutes() {
+    Long activeDomains =
+        tm().query(
+                "SELECT COUNT(*) FROM Domain WHERE tld IN (:tlds) AND deletionTime = :endOfTime",
+                Long.class)
+            .setParameter("tlds", tlds)
+            .setParameter("endOfTime", END_OF_TIME)
+            .getSingleResult();
+    return Math.max(activeDomains.intValue() / 1000, 1);
+  }
+
+  private ImmutableList<String> getBatch(Optional<String> lastInPreviousBatch) {
+    String sql =
+        String.format(
+            "SELECT domainName FROM Domain WHERE tld IN (:tlds) AND"
+                + " deletionTime = :endOfTime %s ORDER BY domainName ASC",
+            lastInPreviousBatch.isPresent() ? "AND domainName > :lastInPreviousBatch" : "");
+    TypedQuery<String> query =
+        tm().query(sql, String.class)
+            .setParameter("tlds", tlds)
+            .setParameter("endOfTime", END_OF_TIME);
+    lastInPreviousBatch.ifPresent(l -> query.setParameter("lastInPreviousBatch", l));
+    return query.setMaxResults(batchSize).getResultStream().collect(toImmutableList());
+  }
+
+  @VisibleForTesting
+  ImmutableList<String> refreshBatch(Optional<String> lastInPreviousBatch, int smearMinutes) {
+    ImmutableList<String> domainBatch = getBatch(lastInPreviousBatch);
+    try {
+      // Smear the task execution time over the next N minutes.
+      requestDomainDnsRefresh(domainBatch, Duration.standardMinutes(random.nextInt(smearMinutes)));
+    } catch (Throwable t) {
+      logger.atSevere().withCause(t).log("Error while enqueuing DNS refresh batch");
+      response.setStatus(HttpStatus.SC_OK);
+    }
+    return domainBatch;
   }
 }

core/src/main/java/google/registry/tools/server/ToolsServerModule.java

@@ -16,6 +16,7 @@ package google.registry.tools.server;
 
 import static com.google.common.base.Strings.emptyToNull;
 import static google.registry.request.RequestParameters.extractIntParameter;
+import static google.registry.request.RequestParameters.extractOptionalIntParameter;
 import static google.registry.request.RequestParameters.extractOptionalParameter;
 import static google.registry.request.RequestParameters.extractRequiredParameter;
 
@@ -76,8 +77,8 @@ public class ToolsServerModule {
   }
 
   @Provides
-  @Parameter("smearMinutes")
-  static int provideSmearMinutes(HttpServletRequest req) {
-    return extractIntParameter(req, "smearMinutes");
+  @Parameter("batchSize")
+  static Optional<Integer> provideBatchSize(HttpServletRequest req) {
+    return extractOptionalIntParameter(req, "batchSize");
   }
 }

core/src/main/java/google/registry/tools/server/VerifyOteAction.java

@@ -37,7 +37,7 @@ import javax.inject.Inject;
     service = Action.Service.TOOLS,
     path = VerifyOteAction.PATH,
     method = Action.Method.POST,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+    auth = Auth.AUTH_API_ADMIN)
 public class VerifyOteAction implements Runnable, JsonAction {
 
   public static final String PATH = "/_dr/admin/verifyOte";

core/src/main/java/google/registry/ui/server/console/settings/SecurityAction.java

@@ -0,0 +1,171 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.ui.server.console.settings;
+
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+import static google.registry.request.Action.Method.GET;
+import static google.registry.request.Action.Method.POST;
+
+import avro.shaded.com.google.common.collect.ImmutableList;
+import com.google.api.client.http.HttpStatusCodes;
+import com.google.gson.Gson;
+import google.registry.flows.certs.CertificateChecker;
+import google.registry.flows.certs.CertificateChecker.InsecureCertificateException;
+import google.registry.model.console.ConsolePermission;
+import google.registry.model.console.User;
+import google.registry.model.registrar.Registrar;
+import google.registry.request.Action;
+import google.registry.request.Parameter;
+import google.registry.request.Response;
+import google.registry.request.auth.Auth;
+import google.registry.request.auth.AuthResult;
+import google.registry.request.auth.AuthenticatedRegistrarAccessor;
+import google.registry.request.auth.AuthenticatedRegistrarAccessor.RegistrarAccessDeniedException;
+import google.registry.ui.server.registrar.JsonGetAction;
+import java.util.Optional;
+import javax.inject.Inject;
+import javax.servlet.http.HttpServletRequest;
+
+@Action(
+    service = Action.Service.DEFAULT,
+    path = SecurityAction.PATH,
+    method = {GET, POST},
+    auth = Auth.AUTH_PUBLIC_LOGGED_IN)
+public class SecurityAction implements JsonGetAction {
+
+  static final String PATH = "/console-api/settings/security";
+  private final HttpServletRequest req;
+  private final AuthResult authResult;
+  private final Response response;
+  private final Gson gson;
+  private final String registrarId;
+  private AuthenticatedRegistrarAccessor registrarAccessor;
+  private Optional<Registrar> registrar;
+  private CertificateChecker certificateChecker;
+
+  @Inject
+  public SecurityAction(
+      HttpServletRequest req,
+      AuthResult authResult,
+      Response response,
+      Gson gson,
+      CertificateChecker certificateChecker,
+      AuthenticatedRegistrarAccessor registrarAccessor,
+      @Parameter("registrarId") String registrarId,
+      @Parameter("registrar") Optional<Registrar> registrar) {
+    this.req = req;
+    this.authResult = authResult;
+    this.response = response;
+    this.gson = gson;
+    this.registrarId = registrarId;
+    this.registrarAccessor = registrarAccessor;
+    this.registrar = registrar;
+    this.certificateChecker = certificateChecker;
+  }
+
+  @Override
+  public void run() {
+    if (req.getMethod().equals(GET.toString())) {
+      getHandler();
+    } else {
+      postHandler();
+    }
+  }
+
+  private void getHandler() {
+    try {
+      Registrar registrar = registrarAccessor.getRegistrar(registrarId);
+      response.setStatus(HttpStatusCodes.STATUS_CODE_OK);
+      response.setPayload(gson.toJson(registrar));
+    } catch (RegistrarAccessDeniedException e) {
+      response.setStatus(HttpStatusCodes.STATUS_CODE_FORBIDDEN);
+      response.setPayload(e.getMessage());
+    }
+  }
+
+  private void postHandler() {
+    User user = authResult.userAuthInfo().get().consoleUser().get();
+    if (!user.getUserRoles().hasPermission(registrarId, ConsolePermission.EDIT_REGISTRAR_DETAILS)) {
+      response.setStatus(HttpStatusCodes.STATUS_CODE_FORBIDDEN);
+      return;
+    }
+
+    if (!registrar.isPresent()) {
+      response.setStatus(HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
+      response.setPayload(gson.toJson("'registrar' parameter is not present"));
+      return;
+    }
+
+    Registrar savedRegistrar;
+    try {
+      savedRegistrar = registrarAccessor.getRegistrar(registrarId);
+    } catch (RegistrarAccessDeniedException e) {
+      response.setStatus(HttpStatusCodes.STATUS_CODE_FORBIDDEN);
+      response.setPayload(e.getMessage());
+      return;
+    }
+
+    tm().transact(() -> setResponse(savedRegistrar));
+  }
+
+  private void setResponse(Registrar savedRegistrar) {
+    Registrar registrarParameter = registrar.get();
+    Registrar.Builder updatedRegistrar =
+        savedRegistrar
+            .asBuilder()
+            .setIpAddressAllowList(registrarParameter.getIpAddressAllowList());
+
+    boolean hasInvalidCerts =
+        ImmutableList.of(
+                registrarParameter.getClientCertificate(),
+                registrarParameter.getFailoverClientCertificate())
+            .stream()
+            .filter(Optional::isPresent)
+            .map(Optional::get)
+            .anyMatch(
+                cert -> {
+                  try {
+                    certificateChecker.validateCertificate(cert);
+                    return false;
+                  } catch (InsecureCertificateException e) {
+                    return true;
+                  }
+                });
+
+    if (hasInvalidCerts) {
+      response.setStatus(HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
+      response.setPayload("Insecure Certificate in parameter");
+      return;
+    }
+
+    registrarParameter
+        .getClientCertificate()
+        .ifPresent(
+            newClientCert -> {
+              updatedRegistrar.setClientCertificate(newClientCert, tm().getTransactionTime());
+            });
+
+    registrarParameter
+        .getFailoverClientCertificate()
+        .ifPresent(
+            failoverCert -> {
+              updatedRegistrar.setFailoverClientCertificate(
+                  failoverCert, tm().getTransactionTime());
+            });
+
+    tm().put(updatedRegistrar.build());
+    response.setStatus(HttpStatusCodes.STATUS_CODE_OK);
+  }
+}

core/src/main/java/google/registry/ui/server/registrar/ConsoleUiAction.java

@@ -124,7 +124,7 @@ public final class ConsoleUiAction extends HtmlAction {
       // requireFeeExtension) - to make sure the user indeed has access to the guessed registrar.
       //
       // Note that not doing so (and just passing the "clientId" as given) isn't a security issue
-      // since we double check the access to the registrar on any read / update request. We have to
+      // since we double-check the access to the registrar on any read / update request. We have to
       // - since the access might get revoked between the initial page load and the request! (also
       // because the requests come from the browser, and can easily be faked)
       registrarAccessor.getRegistrar(clientId);

core/src/main/java/google/registry/ui/server/registrar/HtmlAction.java

@@ -37,7 +37,7 @@ import javax.servlet.http.HttpServletRequest;
  * Handles some of the nitty-gritty of responding to requests that should return HTML, including
  * login, redirects, analytics, and some headers.
  *
- * If the user is not logged in, this will redirect to the login URL.
+ * <p>If the user is not logged in, this will redirect to the login URL.
  */
 public abstract class HtmlAction implements Runnable {
 

core/src/main/java/google/registry/ui/server/registrar/RegistrarConsoleModule.java

@@ -24,6 +24,7 @@ import com.google.gson.Gson;
 import com.google.gson.JsonObject;
 import dagger.Module;
 import dagger.Provides;
+import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarPoc;
 import google.registry.request.OptionalJsonPayload;
 import google.registry.request.Parameter;
@@ -187,4 +188,15 @@ public final class RegistrarConsoleModule {
   static String provideRegistrarId(HttpServletRequest req) {
     return extractRequiredParameter(req, "registrarId");
   }
+
+  @Provides
+  @Parameter("registrar")
+  public static Optional<Registrar> provideRegistrar(
+      Gson gson, @OptionalJsonPayload Optional<JsonObject> payload) {
+    if (payload.isPresent() && payload.get().has("registrar")) {
+      return Optional.of(gson.fromJson(payload.get().get("registrar"), Registrar.class));
+    }
+
+    return Optional.empty();
+  }
 }