Add connection.disconnect() in finally blocks (#2189)

Bumps [postcss](https://github.com/postcss/postcss) from 8.4.21 to 8.4.31.
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/postcss/postcss/compare/8.4.21...8.4.31)

---
updated-dependencies:
- dependency-name: postcss
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

console-webapp/angular.json

@@ -41,8 +41,8 @@
               "budgets": [
                 {
                   "type": "initial",
-                  "maximumWarning": "500kb",
-                  "maximumError": "1mb"
+                  "maximumWarning": "2mb",
+                  "maximumError": "5mb"
                 },
                 {
                   "type": "anyComponentStyle",

console-webapp/package-lock.json

@@ -150,7 +150,7 @@
         "ora": "5.4.1",
         "parse5-html-rewriting-stream": "7.0.0",
         "piscina": "3.2.0",
-        "postcss": "8.4.21",
+        "postcss": "8.4.31",
         "postcss-loader": "7.0.2",
         "resolve-url-loader": "5.0.0",
         "rxjs": "6.6.7",
@@ -782,12 +782,12 @@
       "dev": true
     },
     "node_modules/@babel/code-frame": {
-      "version": "7.22.10",
-      "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.22.10.tgz",
-      "integrity": "sha512-/KKIMG4UEL35WmI9OlvMhurwtytjvXoFcGNrOvyG9zIzA8YmPjVtIZUf7b05+TPO7G7/GEmLHDaoCgACHl9hhA==",
+      "version": "7.22.13",
+      "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.22.13.tgz",
+      "integrity": "sha512-XktuhWlJ5g+3TJXc5upd9Ks1HutSArik6jf2eAjYFyIOf4ej3RN+184cZbzDvbPnuTJIUhPKKJE3cIsYTiAT3w==",
       "dev": true,
       "dependencies": {
-        "@babel/highlight": "^7.22.10",
+        "@babel/highlight": "^7.22.13",
         "chalk": "^2.4.2"
       },
       "engines": {
@@ -1072,36 +1072,36 @@
       }
     },
     "node_modules/@babel/helper-environment-visitor": {
-      "version": "7.22.5",
-      "resolved": "https://registry.npmjs.org/@babel/helper-environment-visitor/-/helper-environment-visitor-7.22.5.tgz",
-      "integrity": "sha512-XGmhECfVA/5sAt+H+xpSg0mfrHq6FzNr9Oxh7PSEBBRUb/mL7Kz3NICXb194rCqAEdxkhPT1a88teizAFyvk8Q==",
+      "version": "7.22.20",
+      "resolved": "https://registry.npmjs.org/@babel/helper-environment-visitor/-/helper-environment-visitor-7.22.20.tgz",
+      "integrity": "sha512-zfedSIzFhat/gFhWfHtgWvlec0nqB9YEIVrpuwjruLlXfUSnA8cJB0miHKwqDnQ7d32aKo2xt88/xZptwxbfhA==",
       "dev": true,
       "engines": {
         "node": ">=6.9.0"
       }
     },
     "node_modules/@babel/helper-function-name": {
-      "version": "7.22.5",
-      "resolved": "https://registry.npmjs.org/@babel/helper-function-name/-/helper-function-name-7.22.5.tgz",
-      "integrity": "sha512-wtHSq6jMRE3uF2otvfuD3DIvVhOsSNshQl0Qrd7qC9oQJzHvOL4qQXlQn2916+CXGywIjpGuIkoyZRRxHPiNQQ==",
+      "version": "7.23.0",
+      "resolved": "https://registry.npmjs.org/@babel/helper-function-name/-/helper-function-name-7.23.0.tgz",
+      "integrity": "sha512-OErEqsrxjZTJciZ4Oo+eoZqeW9UIiOcuYKRJA4ZAgV9myA+pOXhhmpfNCKjEH/auVfEYVFJ6y1Tc4r0eIApqiw==",
       "dev": true,
       "dependencies": {
-        "@babel/template": "^7.22.5",
-        "@babel/types": "^7.22.5"
+        "@babel/template": "^7.22.15",
+        "@babel/types": "^7.23.0"
       },
       "engines": {
         "node": ">=6.9.0"
       }
     },
     "node_modules/@babel/helper-function-name/node_modules/@babel/template": {
-      "version": "7.22.5",
-      "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.22.5.tgz",
-      "integrity": "sha512-X7yV7eiwAxdj9k94NEylvbVHLiVG1nvzCV2EAowhxLTwODV1jl9UzZ48leOC0sH7OnuHrIkllaBgneUykIcZaw==",
+      "version": "7.22.15",
+      "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.22.15.tgz",
+      "integrity": "sha512-QPErUVm4uyJa60rkI73qneDacvdvzxshT3kksGqlGWYdOTIUOwJ7RDUL8sGqslY1uXWSL6xMFKEXDS3ox2uF0w==",
       "dev": true,
       "dependencies": {
-        "@babel/code-frame": "^7.22.5",
-        "@babel/parser": "^7.22.5",
-        "@babel/types": "^7.22.5"
+        "@babel/code-frame": "^7.22.13",
+        "@babel/parser": "^7.22.15",
+        "@babel/types": "^7.22.15"
       },
       "engines": {
         "node": ">=6.9.0"
@@ -1287,9 +1287,9 @@
       }
     },
     "node_modules/@babel/helper-validator-identifier": {
-      "version": "7.22.5",
-      "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.22.5.tgz",
-      "integrity": "sha512-aJXu+6lErq8ltp+JhkJUfk1MTGyuA4v7f3pA+BJ5HLfNC6nAQ0Cpi9uOquUj8Hehg0aUiHzWQbOVJGao6ztBAQ==",
+      "version": "7.22.20",
+      "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.22.20.tgz",
+      "integrity": "sha512-Y4OZ+ytlatR8AI+8KZfKuL5urKp7qey08ha31L8b3BwewJAoJamTzyvxPR/5D+KkdJCGPq/+8TukHBlY10FX9A==",
       "dev": true,
       "engines": {
         "node": ">=6.9.0"
@@ -1361,12 +1361,12 @@
       }
     },
     "node_modules/@babel/highlight": {
-      "version": "7.22.10",
-      "resolved": "https://registry.npmjs.org/@babel/highlight/-/highlight-7.22.10.tgz",
-      "integrity": "sha512-78aUtVcT7MUscr0K5mIEnkwxPE0MaxkR5RxRwuHaQ+JuU5AmTPhY+do2mdzVTnIJJpyBglql2pehuBIWHug+WQ==",
+      "version": "7.22.20",
+      "resolved": "https://registry.npmjs.org/@babel/highlight/-/highlight-7.22.20.tgz",
+      "integrity": "sha512-dkdMCN3py0+ksCgYmGG8jKeGA/8Tk+gJwSYYlFGxG5lmhfKNoAy004YpLxpS1W2J8m/EK2Ew+yOs9pVRwO89mg==",
       "dev": true,
       "dependencies": {
-        "@babel/helper-validator-identifier": "^7.22.5",
+        "@babel/helper-validator-identifier": "^7.22.20",
         "chalk": "^2.4.2",
         "js-tokens": "^4.0.0"
       },
@@ -1375,9 +1375,9 @@
       }
     },
     "node_modules/@babel/parser": {
-      "version": "7.22.10",
-      "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.22.10.tgz",
-      "integrity": "sha512-lNbdGsQb9ekfsnjFGhEiF4hfFqGgfOP3H3d27re3n+CGhNuTSUEQdfWk556sTLNTloczcdM5TYF2LhzmDQKyvQ==",
+      "version": "7.23.0",
+      "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.23.0.tgz",
+      "integrity": "sha512-vvPKKdMemU85V9WE/l5wZEmImpCtLqbnTvqDS2U1fJ96KrxoW7KrXhNsNCblQlg8Ck4b85yxdTyelsMUgFUXiw==",
       "dev": true,
       "bin": {
         "parser": "bin/babel-parser.js"
@@ -2597,19 +2597,19 @@
       }
     },
     "node_modules/@babel/traverse": {
-      "version": "7.22.10",
-      "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.22.10.tgz",
-      "integrity": "sha512-Q/urqV4pRByiNNpb/f5OSv28ZlGJiFiiTh+GAHktbIrkPhPbl90+uW6SmpoLyZqutrg9AEaEf3Q/ZBRHBXgxig==",
+      "version": "7.23.2",
+      "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.23.2.tgz",
+      "integrity": "sha512-azpe59SQ48qG6nu2CzcMLbxUudtN+dOM9kDbUqGq3HXUJRlo7i8fvPoxQUzYgLZ4cMVmuZgm8vvBpNeRhd6XSw==",
       "dev": true,
       "dependencies": {
-        "@babel/code-frame": "^7.22.10",
-        "@babel/generator": "^7.22.10",
-        "@babel/helper-environment-visitor": "^7.22.5",
-        "@babel/helper-function-name": "^7.22.5",
+        "@babel/code-frame": "^7.22.13",
+        "@babel/generator": "^7.23.0",
+        "@babel/helper-environment-visitor": "^7.22.20",
+        "@babel/helper-function-name": "^7.23.0",
         "@babel/helper-hoist-variables": "^7.22.5",
         "@babel/helper-split-export-declaration": "^7.22.6",
-        "@babel/parser": "^7.22.10",
-        "@babel/types": "^7.22.10",
+        "@babel/parser": "^7.23.0",
+        "@babel/types": "^7.23.0",
         "debug": "^4.1.0",
         "globals": "^11.1.0"
       },
@@ -2618,12 +2618,12 @@
       }
     },
     "node_modules/@babel/traverse/node_modules/@babel/generator": {
-      "version": "7.22.10",
-      "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.22.10.tgz",
-      "integrity": "sha512-79KIf7YiWjjdZ81JnLujDRApWtl7BxTqWD88+FFdQEIOG8LJ0etDOM7CXuIgGJa55sGOwZVwuEsaLEm0PJ5/+A==",
+      "version": "7.23.0",
+      "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.23.0.tgz",
+      "integrity": "sha512-lN85QRR+5IbYrMWM6Y4pE/noaQtg4pNiqeNGX60eqOfo6gtEj6uw/JagelB8vVztSd7R6M5n1+PQkDbHbBRU4g==",
       "dev": true,
       "dependencies": {
-        "@babel/types": "^7.22.10",
+        "@babel/types": "^7.23.0",
         "@jridgewell/gen-mapping": "^0.3.2",
         "@jridgewell/trace-mapping": "^0.3.17",
         "jsesc": "^2.5.1"
@@ -2659,13 +2659,13 @@
       }
     },
     "node_modules/@babel/types": {
-      "version": "7.22.10",
-      "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.22.10.tgz",
-      "integrity": "sha512-obaoigiLrlDZ7TUQln/8m4mSqIW2QFeOrCQc9r+xsaHGNoplVNYlRVpsfE8Vj35GEm2ZH4ZhrNYogs/3fj85kg==",
+      "version": "7.23.0",
+      "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.23.0.tgz",
+      "integrity": "sha512-0oIyUfKoI3mSqMvsxBdclDwxXKXAUA8v/apZbc+iSyARYou1o8ZGDxbUYyLFoW2arqS2jDGqJuZvv1d/io1axg==",
       "dev": true,
       "dependencies": {
         "@babel/helper-string-parser": "^7.22.5",
-        "@babel/helper-validator-identifier": "^7.22.5",
+        "@babel/helper-validator-identifier": "^7.22.20",
         "to-fast-properties": "^2.0.0"
       },
       "engines": {
@@ -11592,9 +11592,9 @@
       }
     },
     "node_modules/postcss": {
-      "version": "8.4.21",
-      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.21.tgz",
-      "integrity": "sha512-tP7u/Sn/dVxK2NnruI4H9BG+x+Wxz6oeZ1cJ8P6G/PZY0IKk4k/63TDsQf2kQq3+qoJeLm2kIBUNlZe3zgb4Zg==",
+      "version": "8.4.31",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.31.tgz",
+      "integrity": "sha512-PS08Iboia9mts/2ygV3eLpY5ghnUcfLV/EXTOW1E2qYxJKGGBUtNjN76FYHnMs36RmARn41bC0AZmn+rR0OVpQ==",
       "dev": true,
       "funding": [
         {
@@ -11604,10 +11604,14 @@
         {
           "type": "tidelift",
           "url": "https://tidelift.com/funding/github/npm/postcss"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
         }
       ],
       "dependencies": {
-        "nanoid": "^3.3.4",
+        "nanoid": "^3.3.6",
         "picocolors": "^1.0.0",
         "source-map-js": "^1.0.2"
       },
@@ -14459,7 +14463,7 @@
         "ora": "5.4.1",
         "parse5-html-rewriting-stream": "7.0.0",
         "piscina": "3.2.0",
-        "postcss": "8.4.21",
+        "postcss": "8.4.31",
         "postcss-loader": "7.0.2",
         "resolve-url-loader": "5.0.0",
         "rxjs": "6.6.7",
@@ -14882,12 +14886,12 @@
       "dev": true
     },
     "@babel/code-frame": {
-      "version": "7.22.10",
-      "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.22.10.tgz",
-      "integrity": "sha512-/KKIMG4UEL35WmI9OlvMhurwtytjvXoFcGNrOvyG9zIzA8YmPjVtIZUf7b05+TPO7G7/GEmLHDaoCgACHl9hhA==",
+      "version": "7.22.13",
+      "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.22.13.tgz",
+      "integrity": "sha512-XktuhWlJ5g+3TJXc5upd9Ks1HutSArik6jf2eAjYFyIOf4ej3RN+184cZbzDvbPnuTJIUhPKKJE3cIsYTiAT3w==",
       "dev": true,
       "requires": {
-        "@babel/highlight": "^7.22.10",
+        "@babel/highlight": "^7.22.13",
         "chalk": "^2.4.2"
       }
     },
@@ -15097,30 +15101,30 @@
       }
     },
     "@babel/helper-environment-visitor": {
-      "version": "7.22.5",
-      "resolved": "https://registry.npmjs.org/@babel/helper-environment-visitor/-/helper-environment-visitor-7.22.5.tgz",
-      "integrity": "sha512-XGmhECfVA/5sAt+H+xpSg0mfrHq6FzNr9Oxh7PSEBBRUb/mL7Kz3NICXb194rCqAEdxkhPT1a88teizAFyvk8Q==",
+      "version": "7.22.20",
+      "resolved": "https://registry.npmjs.org/@babel/helper-environment-visitor/-/helper-environment-visitor-7.22.20.tgz",
+      "integrity": "sha512-zfedSIzFhat/gFhWfHtgWvlec0nqB9YEIVrpuwjruLlXfUSnA8cJB0miHKwqDnQ7d32aKo2xt88/xZptwxbfhA==",
       "dev": true
     },
     "@babel/helper-function-name": {
-      "version": "7.22.5",
-      "resolved": "https://registry.npmjs.org/@babel/helper-function-name/-/helper-function-name-7.22.5.tgz",
-      "integrity": "sha512-wtHSq6jMRE3uF2otvfuD3DIvVhOsSNshQl0Qrd7qC9oQJzHvOL4qQXlQn2916+CXGywIjpGuIkoyZRRxHPiNQQ==",
+      "version": "7.23.0",
+      "resolved": "https://registry.npmjs.org/@babel/helper-function-name/-/helper-function-name-7.23.0.tgz",
+      "integrity": "sha512-OErEqsrxjZTJciZ4Oo+eoZqeW9UIiOcuYKRJA4ZAgV9myA+pOXhhmpfNCKjEH/auVfEYVFJ6y1Tc4r0eIApqiw==",
       "dev": true,
       "requires": {
-        "@babel/template": "^7.22.5",
-        "@babel/types": "^7.22.5"
+        "@babel/template": "^7.22.15",
+        "@babel/types": "^7.23.0"
       },
       "dependencies": {
         "@babel/template": {
-          "version": "7.22.5",
-          "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.22.5.tgz",
-          "integrity": "sha512-X7yV7eiwAxdj9k94NEylvbVHLiVG1nvzCV2EAowhxLTwODV1jl9UzZ48leOC0sH7OnuHrIkllaBgneUykIcZaw==",
+          "version": "7.22.15",
+          "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.22.15.tgz",
+          "integrity": "sha512-QPErUVm4uyJa60rkI73qneDacvdvzxshT3kksGqlGWYdOTIUOwJ7RDUL8sGqslY1uXWSL6xMFKEXDS3ox2uF0w==",
           "dev": true,
           "requires": {
-            "@babel/code-frame": "^7.22.5",
-            "@babel/parser": "^7.22.5",
-            "@babel/types": "^7.22.5"
+            "@babel/code-frame": "^7.22.13",
+            "@babel/parser": "^7.22.15",
+            "@babel/types": "^7.22.15"
           }
         }
       }
@@ -15258,9 +15262,9 @@
       "dev": true
     },
     "@babel/helper-validator-identifier": {
-      "version": "7.22.5",
-      "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.22.5.tgz",
-      "integrity": "sha512-aJXu+6lErq8ltp+JhkJUfk1MTGyuA4v7f3pA+BJ5HLfNC6nAQ0Cpi9uOquUj8Hehg0aUiHzWQbOVJGao6ztBAQ==",
+      "version": "7.22.20",
+      "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.22.20.tgz",
+      "integrity": "sha512-Y4OZ+ytlatR8AI+8KZfKuL5urKp7qey08ha31L8b3BwewJAoJamTzyvxPR/5D+KkdJCGPq/+8TukHBlY10FX9A==",
       "dev": true
     },
     "@babel/helper-validator-option": {
@@ -15318,20 +15322,20 @@
       }
     },
     "@babel/highlight": {
-      "version": "7.22.10",
-      "resolved": "https://registry.npmjs.org/@babel/highlight/-/highlight-7.22.10.tgz",
-      "integrity": "sha512-78aUtVcT7MUscr0K5mIEnkwxPE0MaxkR5RxRwuHaQ+JuU5AmTPhY+do2mdzVTnIJJpyBglql2pehuBIWHug+WQ==",
+      "version": "7.22.20",
+      "resolved": "https://registry.npmjs.org/@babel/highlight/-/highlight-7.22.20.tgz",
+      "integrity": "sha512-dkdMCN3py0+ksCgYmGG8jKeGA/8Tk+gJwSYYlFGxG5lmhfKNoAy004YpLxpS1W2J8m/EK2Ew+yOs9pVRwO89mg==",
       "dev": true,
       "requires": {
-        "@babel/helper-validator-identifier": "^7.22.5",
+        "@babel/helper-validator-identifier": "^7.22.20",
         "chalk": "^2.4.2",
         "js-tokens": "^4.0.0"
       }
     },
     "@babel/parser": {
-      "version": "7.22.10",
-      "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.22.10.tgz",
-      "integrity": "sha512-lNbdGsQb9ekfsnjFGhEiF4hfFqGgfOP3H3d27re3n+CGhNuTSUEQdfWk556sTLNTloczcdM5TYF2LhzmDQKyvQ==",
+      "version": "7.23.0",
+      "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.23.0.tgz",
+      "integrity": "sha512-vvPKKdMemU85V9WE/l5wZEmImpCtLqbnTvqDS2U1fJ96KrxoW7KrXhNsNCblQlg8Ck4b85yxdTyelsMUgFUXiw==",
       "dev": true
     },
     "@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression": {
@@ -16160,30 +16164,30 @@
       }
     },
     "@babel/traverse": {
-      "version": "7.22.10",
-      "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.22.10.tgz",
-      "integrity": "sha512-Q/urqV4pRByiNNpb/f5OSv28ZlGJiFiiTh+GAHktbIrkPhPbl90+uW6SmpoLyZqutrg9AEaEf3Q/ZBRHBXgxig==",
+      "version": "7.23.2",
+      "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.23.2.tgz",
+      "integrity": "sha512-azpe59SQ48qG6nu2CzcMLbxUudtN+dOM9kDbUqGq3HXUJRlo7i8fvPoxQUzYgLZ4cMVmuZgm8vvBpNeRhd6XSw==",
       "dev": true,
       "requires": {
-        "@babel/code-frame": "^7.22.10",
-        "@babel/generator": "^7.22.10",
-        "@babel/helper-environment-visitor": "^7.22.5",
-        "@babel/helper-function-name": "^7.22.5",
+        "@babel/code-frame": "^7.22.13",
+        "@babel/generator": "^7.23.0",
+        "@babel/helper-environment-visitor": "^7.22.20",
+        "@babel/helper-function-name": "^7.23.0",
         "@babel/helper-hoist-variables": "^7.22.5",
         "@babel/helper-split-export-declaration": "^7.22.6",
-        "@babel/parser": "^7.22.10",
-        "@babel/types": "^7.22.10",
+        "@babel/parser": "^7.23.0",
+        "@babel/types": "^7.23.0",
         "debug": "^4.1.0",
         "globals": "^11.1.0"
       },
       "dependencies": {
         "@babel/generator": {
-          "version": "7.22.10",
-          "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.22.10.tgz",
-          "integrity": "sha512-79KIf7YiWjjdZ81JnLujDRApWtl7BxTqWD88+FFdQEIOG8LJ0etDOM7CXuIgGJa55sGOwZVwuEsaLEm0PJ5/+A==",
+          "version": "7.23.0",
+          "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.23.0.tgz",
+          "integrity": "sha512-lN85QRR+5IbYrMWM6Y4pE/noaQtg4pNiqeNGX60eqOfo6gtEj6uw/JagelB8vVztSd7R6M5n1+PQkDbHbBRU4g==",
           "dev": true,
           "requires": {
-            "@babel/types": "^7.22.10",
+            "@babel/types": "^7.23.0",
             "@jridgewell/gen-mapping": "^0.3.2",
             "@jridgewell/trace-mapping": "^0.3.17",
             "jsesc": "^2.5.1"
@@ -16212,13 +16216,13 @@
       }
     },
     "@babel/types": {
-      "version": "7.22.10",
-      "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.22.10.tgz",
-      "integrity": "sha512-obaoigiLrlDZ7TUQln/8m4mSqIW2QFeOrCQc9r+xsaHGNoplVNYlRVpsfE8Vj35GEm2ZH4ZhrNYogs/3fj85kg==",
+      "version": "7.23.0",
+      "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.23.0.tgz",
+      "integrity": "sha512-0oIyUfKoI3mSqMvsxBdclDwxXKXAUA8v/apZbc+iSyARYou1o8ZGDxbUYyLFoW2arqS2jDGqJuZvv1d/io1axg==",
       "dev": true,
       "requires": {
         "@babel/helper-string-parser": "^7.22.5",
-        "@babel/helper-validator-identifier": "^7.22.5",
+        "@babel/helper-validator-identifier": "^7.22.20",
         "to-fast-properties": "^2.0.0"
       }
     },
@@ -23019,12 +23023,12 @@
       }
     },
     "postcss": {
-      "version": "8.4.21",
-      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.21.tgz",
-      "integrity": "sha512-tP7u/Sn/dVxK2NnruI4H9BG+x+Wxz6oeZ1cJ8P6G/PZY0IKk4k/63TDsQf2kQq3+qoJeLm2kIBUNlZe3zgb4Zg==",
+      "version": "8.4.31",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.31.tgz",
+      "integrity": "sha512-PS08Iboia9mts/2ygV3eLpY5ghnUcfLV/EXTOW1E2qYxJKGGBUtNjN76FYHnMs36RmARn41bC0AZmn+rR0OVpQ==",
       "dev": true,
       "requires": {
-        "nanoid": "^3.3.4",
+        "nanoid": "^3.3.6",
         "picocolors": "^1.0.0",
         "source-map-js": "^1.0.2"
       }

console-webapp/src/app/app-routing.module.ts

@@ -24,6 +24,10 @@ import SettingsSecurityComponent from './settings/security/security.component';
 import { RegistrarGuard } from './registrar/registrar.guard';
 import { RegistrarComponent } from './registrar/registrarsTable.component';
 import { EmptyRegistrar } from './registrar/emptyRegistrar.component';
+import ContactComponent from './settings/contact/contact.component';
+import WhoisComponent from './settings/whois/whois.component';
+import SecurityComponent from './settings/security/security.component';
+import UsersComponent from './settings/users/users.component';
 
 const routes: Routes = [
   { path: '', redirectTo: '/home', pathMatch: 'full' },
@@ -32,7 +36,7 @@ const routes: Routes = [
   { path: 'home', component: HomeComponent, canActivate: [RegistrarGuard] },
   { path: 'tlds', component: TldsComponent, canActivate: [RegistrarGuard] },
   {
-    path: 'settings',
+    path: SettingsComponent.PATH,
     component: SettingsComponent,
     children: [
       {
@@ -41,32 +45,27 @@ const routes: Routes = [
         pathMatch: 'full',
       },
       {
-        path: 'contact',
+        path: ContactComponent.PATH,
         component: SettingsContactComponent,
         canActivate: [RegistrarGuard],
       },
       {
-        path: 'whois',
+        path: WhoisComponent.PATH,
         component: SettingsWhoisComponent,
         canActivate: [RegistrarGuard],
       },
       {
-        path: 'security',
+        path: SecurityComponent.PATH,
         component: SettingsSecurityComponent,
         canActivate: [RegistrarGuard],
       },
       {
-        path: 'epp-password',
-        component: SettingsSecurityComponent,
-        canActivate: [RegistrarGuard],
-      },
-      {
-        path: 'users',
+        path: UsersComponent.PATH,
         component: SettingsUsersComponent,
         canActivate: [RegistrarGuard],
       },
       {
-        path: 'registrars',
+        path: RegistrarComponent.PATH,
         component: RegistrarComponent,
       },
     ],

console-webapp/src/app/app.component.scss

@@ -37,7 +37,7 @@
       background-color: transparent;
     }
     .active {
-      background: #eae1e1;
+      background-color: var(--secondary);
     }
   }
   &__content-wrapper {

console-webapp/src/app/app.component.ts

@@ -12,20 +12,29 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import { Component } from '@angular/core';
+import { AfterViewInit, Component, ViewChild } from '@angular/core';
 import { RegistrarService } from './registrar/registrar.service';
+import { UserDataService } from './shared/services/userData.service';
 import { GlobalLoaderService } from './shared/services/globalLoader.service';
+import { NavigationEnd, Router } from '@angular/router';
+import { MatSidenav } from '@angular/material/sidenav';
 
 @Component({
   selector: 'app-root',
   templateUrl: './app.component.html',
   styleUrls: ['./app.component.scss'],
 })
-export class AppComponent {
+export class AppComponent implements AfterViewInit {
   renderRouter: boolean = true;
+
+  @ViewChild('sidenav')
+  sidenav!: MatSidenav;
+
   constructor(
     protected registrarService: RegistrarService,
-    protected globalLoader: GlobalLoaderService
+    protected userDataService: UserDataService,
+    protected globalLoader: GlobalLoaderService,
+    protected router: Router
   ) {
     registrarService.activeRegistrarIdChange.subscribe(() => {
       this.renderRouter = false;
@@ -34,4 +43,12 @@ export class AppComponent {
       }, 400);
     });
   }
+
+  ngAfterViewInit() {
+    this.router.events.subscribe((event) => {
+      if (event instanceof NavigationEnd) {
+        this.sidenav.close();
+      }
+    });
+  }
 }

console-webapp/src/app/app.module.ts

@@ -46,6 +46,9 @@ import { EppWidgetComponent } from './home/widgets/epp-widget.component';
 import { BillingWidgetComponent } from './home/widgets/billing-widget.component';
 import { DomainsWidgetComponent } from './home/widgets/domains-widget.component';
 import { SettingsWidgetComponent } from './home/widgets/settings-widget.component';
+import { UserDataService } from './shared/services/userData.service';
+import WhoisComponent from './settings/whois/whois.component';
+import { SnackBarModule } from './snackbar.module';
 
 @NgModule({
   declarations: [
@@ -68,6 +71,7 @@ import { SettingsWidgetComponent } from './home/widgets/settings-widget.componen
     SettingsWidgetComponent,
     TldsComponent,
     TldsWidgetComponent,
+    WhoisComponent,
   ],
   imports: [
     AppRoutingModule,
@@ -76,11 +80,13 @@ import { SettingsWidgetComponent } from './home/widgets/settings-widget.componen
     FormsModule,
     HttpClientModule,
     MaterialModule,
+    SnackBarModule,
   ],
   providers: [
     BackendService,
     GlobalLoaderService,
     RegistrarGuard,
+    UserDataService,
     {
       provide: MAT_FORM_FIELD_DEFAULT_OPTIONS,
       useValue: {

console-webapp/src/app/header/header.component.html

@@ -1,24 +1,30 @@
-<p>
+<p class="console-app__header">
   <mat-toolbar color="primary">
     <button mat-icon-button aria-label="Open menu" (click)="toggleNavPane()">
       <mat-icon>menu</mat-icon>
     </button>
-    <span>
-      <a
-        [routerLink]="'/home'"
-        routerLinkActive="active"
-        class="console-app__logo"
-      >
-        Google Registry
-      </a>
-    </span>
+    <a
+      [routerLink]="'/home'"
+      routerLinkActive="active"
+      class="console-app__logo"
+    >
+      Google Registry
+    </a>
     <span class="spacer"></span>
     <app-registrar-selector />
     <button mat-icon-button aria-label="Open FAQ">
       <mat-icon>question_mark</mat-icon>
     </button>
-    <button mat-icon-button aria-label="Open user info">
+    <button
+      mat-icon-button
+      [matMenuTriggerFor]="menu"
+      #menuTrigger
+      aria-label="Open user info"
+    >
       <mat-icon>person</mat-icon>
     </button>
+    <mat-menu #menu="matMenu">
+      <button mat-menu-item (click)="logOut()">Log out</button>
+    </mat-menu>
   </mat-toolbar>
 </p>

console-webapp/src/app/header/header.component.scss

@@ -17,6 +17,21 @@
     color: inherit;
     text-decoration: none;
   }
+  &__header {
+    @media (max-width: 599px) {
+      .mat-toolbar {
+        padding: 0;
+      }
+      .console-app__logo {
+        font-size: 16px;
+      }
+      button {
+        padding-left: 0;
+        padding-right: 0;
+        width: 30px;
+      }
+    }
+  }
 }
 .spacer {
   flex: 1;

console-webapp/src/app/header/header.component.ts

@@ -28,4 +28,8 @@ export class HeaderComponent {
     this.isNavOpen = !this.isNavOpen;
     this.toggleNavOpen.emit(this.isNavOpen);
   }
+
+  logOut() {
+    window.open('/console?gcp-iap-mode=CLEAR_LOGIN_COOKIE', '_self');
+  }
 }

console-webapp/src/app/home/home.component.scss

@@ -29,4 +29,9 @@
       }
     }
   }
+  @media (max-width: 510px) {
+    .console-app__widget-wrapper__wide {
+      grid-column: initial;
+    }
+  }
 }

console-webapp/src/app/home/widgets/contact-widget.component.html

@@ -5,21 +5,23 @@
         <mat-icon class="console-app__widget-icon">call</mat-icon>
         <h1 class="console-app__widget-title">Contact Support</h1>
         <h4 class="secondary-text text-center">
-          View Google Registry support email and phone information
+          Let us know if you have any questions
         </h4>
       </div>
       <div class="console-app__widget_right">
-        <button mat-button color="primary" class="console-app__widget-link">
-          Give us a Call
-        </button>
+        <div class="console-app__widget-section-header">Give us a Call</div>
         <p class="secondary-text">
-          Call Google Registry support at +1 (404) 978 8419
+          Call {{ userDataService.userData?.productName }} support at
+          <a href="tel:{{ userDataService.userData?.supportPhoneNumber }}">{{
+            userDataService.userData?.supportPhoneNumber
+          }}</a>
         </p>
-        <button mat-button color="primary" class="console-app__widget-link">
-          Send us an Email
-        </button>
+        <div class="console-app__widget-section-header">Send us an Email</div>
         <p class="secondary-text">
-          Email Google Registry at support@google.com
+          Email {{ userDataService.userData?.productName }} at
+          <a href="mailto:{{ userDataService.userData?.supportEmail }}">{{
+            userDataService.userData?.supportEmail
+          }}</a>
         </p>
       </div>
     </div>

console-webapp/src/app/home/widgets/contact-widget.component.ts

@@ -13,11 +13,12 @@
 // limitations under the License.
 
 import { Component } from '@angular/core';
+import { UserDataService } from 'src/app/shared/services/userData.service';
 
 @Component({
   selector: '[app-contact-widget]',
   templateUrl: './contact-widget.component.html',
 })
 export class ContactWidgetComponent {
-  constructor() {}
+  constructor(public userDataService: UserDataService) {}
 }

console-webapp/src/app/home/widgets/resources-widget.component.html

@@ -1,13 +1,17 @@
 <mat-card>
   <mat-card-content>
     <div class="console-app__widget">
-      <div class="console-app__widget_left">
+      <a
+        class="console-app__widget_left"
+        href="{{ userDataService.userData?.technicalDocsUrl }}"
+        target="_blank"
+      >
         <mat-icon class="console-app__widget-icon">menu_book</mat-icon>
         <h1 class="console-app__widget-title">Resources</h1>
         <h4 class="secondary-text text-center">
           Use Google Drive to view onboarding FAQs, and technical documentation.
         </h4>
-      </div>
+      </a>
     </div>
   </mat-card-content>
 </mat-card>

console-webapp/src/app/home/widgets/resources-widget.component.ts

@@ -13,11 +13,12 @@
 // limitations under the License.
 
 import { Component } from '@angular/core';
+import { UserDataService } from 'src/app/shared/services/userData.service';
 
 @Component({
   selector: '[app-resources-widget]',
   templateUrl: './resources-widget.component.html',
 })
 export class ResourcesWidgetComponent {
-  constructor() {}
+  constructor(public userDataService: UserDataService) {}
 }

console-webapp/src/app/home/widgets/settings-widget.component.html

@@ -10,11 +10,21 @@
         </h4>
       </div>
       <div class="console-app__widget_right">
-        <button mat-button color="primary" class="console-app__widget-link">
+        <button
+          mat-button
+          color="primary"
+          class="console-app__widget-link"
+          (click)="openContactsPage()"
+        >
           Contact Information
         </button>
         <p class="secondary-text">Manage Primary, Technical, etc contacts.</p>
-        <button mat-button color="primary" class="console-app__widget-link">
+        <button
+          mat-button
+          color="primary"
+          class="console-app__widget-link"
+          (click)="openSecurityPage()"
+        >
           Security
         </button>
         <p class="secondary-text">
@@ -28,7 +38,12 @@
           User Management
         </button>
         <p class="secondary-text">Create and manage console user accounts</p>
-        <button mat-button color="primary" class="console-app__widget-link">
+        <button
+          mat-button
+          color="primary"
+          class="console-app__widget-link"
+          (click)="openRegistrarsPage()"
+        >
           Registrar Management
         </button>
         <p class="secondary-text">Create and manage registrar accounts</p>

console-webapp/src/app/home/widgets/settings-widget.component.ts

@@ -13,11 +13,32 @@
 // limitations under the License.
 
 import { Component } from '@angular/core';
+import { Router } from '@angular/router';
+import { RegistrarComponent } from 'src/app/registrar/registrarsTable.component';
+import ContactComponent from 'src/app/settings/contact/contact.component';
+import SecurityComponent from 'src/app/settings/security/security.component';
+import { SettingsComponent } from 'src/app/settings/settings.component';
 
 @Component({
   selector: '[app-settings-widget]',
   templateUrl: './settings-widget.component.html',
 })
 export class SettingsWidgetComponent {
-  constructor() {}
+  constructor(private router: Router) {}
+
+  openRegistrarsPage() {
+    this.navigate(RegistrarComponent.PATH);
+  }
+
+  openSecurityPage() {
+    this.navigate(SecurityComponent.PATH);
+  }
+
+  openContactsPage() {
+    this.navigate(ContactComponent.PATH);
+  }
+
+  private navigate(route: string) {
+    this.router.navigate([SettingsComponent.PATH, route]);
+  }
 }

console-webapp/src/app/registrar/emptyRegistrar.component.scss

@@ -8,6 +8,7 @@
     left: 50%;
     top: 50%;
     transform: translate(-50%, -50%);
+    white-space: nowrap;
 
     &-icon {
       transform: scale(3);

console-webapp/src/app/registrar/registrar-selector.component.html

@@ -1,5 +1,14 @@
 <div class="console-app__registrar">
-  <div>
+  <button
+    mat-button
+    [routerLink]="'/settings/registrars'"
+    routerLinkActive="active"
+    *ngIf="isMobile; else desktop"
+  >
+    {{ registrarService.activeRegistrarId || "Select registrar" }}
+    <mat-icon>open_in_new</mat-icon>
+  </button>
+  <ng-template #desktop>
     <mat-form-field class="mat-form-field-density-5" appearance="fill">
       <mat-label>Registrar</mat-label>
       <mat-select
@@ -14,5 +23,5 @@
         </mat-option>
       </mat-select>
     </mat-form-field>
-  </div>
+  </ng-template>
 </div>

console-webapp/src/app/registrar/registrar-selector.component.ts

@@ -12,14 +12,35 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import { Component } from '@angular/core';
+import { Component, OnInit } from '@angular/core';
 import { RegistrarService } from './registrar.service';
+import { BreakpointObserver } from '@angular/cdk/layout';
+import { distinctUntilChanged } from 'rxjs';
+
+const MOBILE_LAYOUT_BREAKPOINT = '(max-width: 599px)';
 
 @Component({
   selector: 'app-registrar-selector',
   templateUrl: './registrar-selector.component.html',
   styleUrls: ['./registrar-selector.component.scss'],
 })
-export class RegistrarSelectorComponent {
-  constructor(protected registrarService: RegistrarService) {}
+export class RegistrarSelectorComponent implements OnInit {
+  protected isMobile: boolean = false;
+
+  readonly breakpoint$ = this.breakpointObserver
+    .observe([MOBILE_LAYOUT_BREAKPOINT])
+    .pipe(distinctUntilChanged());
+
+  constructor(
+    protected registrarService: RegistrarService,
+    protected breakpointObserver: BreakpointObserver
+  ) {}
+
+  ngOnInit(): void {
+    this.breakpoint$.subscribe(() => this.breakpointChanged());
+  }
+
+  private breakpointChanged() {
+    this.isMobile = this.breakpointObserver.isMatched(MOBILE_LAYOUT_BREAKPOINT);
+  }
 }

console-webapp/src/app/registrar/registrar.guard.ts

@@ -13,7 +13,11 @@
 // limitations under the License.
 
 import { Injectable } from '@angular/core';
-import { Router } from '@angular/router';
+import {
+  ActivatedRouteSnapshot,
+  Router,
+  RouterStateSnapshot,
+} from '@angular/router';
 
 import { RegistrarService } from './registrar.service';
 
@@ -26,13 +30,16 @@ export class RegistrarGuard {
     private registrarService: RegistrarService
   ) {}
 
-  canActivate(): Promise<boolean> | boolean {
+  canActivate(
+    _: ActivatedRouteSnapshot,
+    state: RouterStateSnapshot
+  ): Promise<boolean> | boolean {
     if (this.registrarService.activeRegistrarId) {
       return true;
     }
-    // Get the full URL including any nested children (skip the initial '#/')
-    // NB: an empty nextUrl takes the user to the home page
-    const nextUrl = location.hash.split('#/')[1] || '';
-    return this.router.navigate([`/empty-registrar`, { nextUrl }]);
+    return this.router.navigate([
+      `/empty-registrar`,
+      { nextUrl: state.url || '' },
+    ]);
   }
 }

console-webapp/src/app/registrar/registrar.service.ts

@@ -13,14 +13,16 @@
 // limitations under the License.
 
 import { Injectable } from '@angular/core';
-import { BackendService } from '../shared/services/backend.service';
 import { Observable, Subject, tap } from 'rxjs';
+
+import { BackendService } from '../shared/services/backend.service';
 import {
   GlobalLoader,
   GlobalLoaderService,
 } from '../shared/services/globalLoader.service';
+import { MatSnackBar } from '@angular/material/snack-bar';
 
-interface Address {
+export interface Address {
   street?: string[];
   city?: string;
   countryCode?: string;
@@ -30,16 +32,20 @@ interface Address {
 
 export interface Registrar {
   allowedTlds?: string[];
-  ipAddressAllowList?: string[];
-  emailAddress?: string;
   billingAccountMap?: object;
   driveFolderId?: string;
+  emailAddress?: string;
+  faxNumber?: string;
   ianaIdentifier?: number;
   icannReferralEmail?: string;
+  ipAddressAllowList?: string[];
   localizedAddress?: Address;
+  phoneNumber?: string;
   registrarId: string;
   registrarName: string;
   registryLockAllowed?: boolean;
+  url?: string;
+  whoisServer?: string;
 }
 
 @Injectable({
@@ -52,7 +58,8 @@ export class RegistrarService implements GlobalLoader {
 
   constructor(
     private backend: BackendService,
-    private globalLoader: GlobalLoaderService
+    private globalLoader: GlobalLoaderService,
+    private _snackBar: MatSnackBar
   ) {
     this.loadRegistrars().subscribe((r) => {
       this.globalLoader.stopGlobalLoader(this);
@@ -82,6 +89,6 @@ export class RegistrarService implements GlobalLoader {
   }
 
   loadingTimeout() {
-    // TODO: Decide what to do when timeout happens
+    this._snackBar.open('Timeout loading registrars');
   }
 }

console-webapp/src/app/registrar/registrarsTable.component.html

@@ -1,22 +1,21 @@
 <div class="console-app__registrars">
-  <table
-    mat-table
-    [dataSource]="registrarService.registrars"
+  <mat-table
+    [dataSource]="dataSource"
     class="mat-elevation-z8"
+    class="console-app__registrars-table"
+    matSort
   >
     <ng-container
       *ngFor="let column of columns"
       [matColumnDef]="column.columnDef"
     >
-      <th mat-header-cell *matHeaderCellDef>
-        {{ column.header }}
-      </th>
-      <td mat-cell *matCellDef="let row" [innerHTML]="column.cell(row)"></td>
+      <mat-header-cell *matHeaderCellDef> {{ column.header }} </mat-header-cell>
+      <mat-cell *matCellDef="let row" [innerHTML]="column.cell(row)"></mat-cell>
     </ng-container>
+    <mat-header-row *matHeaderRowDef="displayedColumns"></mat-header-row>
+    <mat-row *matRowDef="let row; columns: displayedColumns"></mat-row>
+  </mat-table>
 
-    <tr mat-header-row *matHeaderRowDef="displayedColumns"></tr>
-    <tr mat-row *matRowDef="let row; columns: displayedColumns"></tr>
-  </table>
   <mat-paginator
     class="mat-elevation-z8"
     [pageSizeOptions]="[5, 10, 20]"

console-webapp/src/app/registrar/registrarsTable.component.scss

@@ -1,5 +1,27 @@
 .console-app {
+  $min-width: 756px;
+
   &__registrars {
     margin-top: 1.5rem;
+    width: 100%;
+    overflow: auto;
+  }
+
+  &__registrars-table {
+    min-width: $min-width !important;
+  }
+
+  .mat-mdc-paginator {
+    min-width: $min-width !important;
+  }
+
+  .mat-column {
+    &-driveId {
+      min-width: 200px;
+      word-break: break-all;
+    }
+    &-registryLockAllowed {
+      max-width: 80px;
+    }
   }
 }

console-webapp/src/app/registrar/registrarsTable.component.ts

@@ -12,15 +12,21 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import { Component } from '@angular/core';
+import { Component, ViewChild, ViewEncapsulation } from '@angular/core';
 import { Registrar, RegistrarService } from './registrar.service';
+import { MatPaginator } from '@angular/material/paginator';
+import { MatSort } from '@angular/material/sort';
+import { MatTableDataSource } from '@angular/material/table';
 
 @Component({
   selector: 'app-registrar',
   templateUrl: './registrarsTable.component.html',
   styleUrls: ['./registrarsTable.component.scss'],
+  encapsulation: ViewEncapsulation.None,
 })
 export class RegistrarComponent {
+  public static PATH = 'registrars';
+  dataSource: MatTableDataSource<Registrar>;
   columns = [
     {
       columnDef: 'registrarId',
@@ -71,5 +77,18 @@ export class RegistrarComponent {
     },
   ];
   displayedColumns = this.columns.map((c) => c.columnDef);
-  constructor(protected registrarService: RegistrarService) {}
+
+  @ViewChild(MatPaginator) paginator!: MatPaginator;
+  @ViewChild(MatSort) sort!: MatSort;
+
+  constructor(protected registrarService: RegistrarService) {
+    this.dataSource = new MatTableDataSource<Registrar>(
+      registrarService.registrars
+    );
+  }
+
+  ngAfterViewInit() {
+    this.dataSource.paginator = this.paginator;
+    this.dataSource.sort = this.sort;
+  }
 }

console-webapp/src/app/settings/contact/contact-details.component.html

@@ -1,7 +1,7 @@
 <h3 mat-dialog-title>Contact details</h3>
 <div mat-dialog-content>
   <form (ngSubmit)="saveAndClose($event)">
-    <div>
+    <p>
       <mat-form-field class="contact-details__input">
         <mat-label>Name: </mat-label>
         <input
@@ -11,9 +11,9 @@
           [ngModelOptions]="{ standalone: true }"
         />
       </mat-form-field>
-    </div>
+    </p>
 
-    <div>
+    <p>
       <mat-form-field class="contact-details__input">
         <mat-label>Primary account email: </mat-label>
         <input
@@ -25,9 +25,9 @@
           [ngModelOptions]="{ standalone: true }"
         />
       </mat-form-field>
-    </div>
+    </p>
 
-    <div>
+    <p>
       <mat-form-field class="contact-details__input">
         <mat-label>Phone: </mat-label>
         <input
@@ -36,9 +36,9 @@
           [ngModelOptions]="{ standalone: true }"
         />
       </mat-form-field>
-    </div>
+    </p>
 
-    <div>
+    <p>
       <mat-form-field class="contact-details__input">
         <mat-label>Fax: </mat-label>
         <input
@@ -47,7 +47,7 @@
           [ngModelOptions]="{ standalone: true }"
         />
       </mat-form-field>
-    </div>
+    </p>
 
     <div class="contact-details__group">
       <label>Contact type:</label>

console-webapp/src/app/settings/contact/contact.component.ts

@@ -129,9 +129,7 @@ export class ContactDetailsDialogComponent {
     operationObservable.subscribe({
       complete: this.onCloseCallback.bind(this),
       error: (err: HttpErrorResponse) => {
-        this._snackBar.open(err.error, undefined, {
-          duration: 1500,
-        });
+        this._snackBar.open(err.error);
       },
     });
   }
@@ -143,6 +141,8 @@ export class ContactDetailsDialogComponent {
   styleUrls: ['./contact.component.scss'],
 })
 export default class ContactComponent {
+  public static PATH = 'contact';
+
   loading: boolean = false;
   constructor(
     private dialog: MatDialog,
@@ -173,9 +173,7 @@ export default class ContactComponent {
     if (confirm(`Please confirm contact ${contact.name} delete`)) {
       this.contactService.deleteContact(contact).subscribe({
         error: (err: HttpErrorResponse) => {
-          this._snackBar.open(err.error, undefined, {
-            duration: 1500,
-          });
+          this._snackBar.open(err.error);
         },
       });
     }

console-webapp/src/app/settings/security/security.component.ts

@@ -29,6 +29,8 @@ import { RegistrarService } from 'src/app/registrar/registrar.service';
   providers: [SecurityService],
 })
 export default class SecurityComponent {
+  public static PATH = 'security';
+
   loading: boolean = false;
   inEdit: boolean = false;
   dataSource: SecuritySettings = {};
@@ -62,9 +64,7 @@ export default class SecurityComponent {
         this.resetDataSource();
       },
       error: (err: HttpErrorResponse) => {
-        this._snackBar.open(err.error, undefined, {
-          duration: 1500,
-        });
+        this._snackBar.open(err.error);
       },
     });
     this.cancel();

console-webapp/src/app/settings/settings.component.scss

@@ -15,9 +15,9 @@
 .console-settings {
   .mdc-tab {
     &.active-link {
-      border-bottom: 2px solid #673ab7;
+      border-bottom: 2px solid var(--primary);
       .mdc-tab__text-label {
-        color: #673ab7;
+        color: var(--primary);
       }
     }
   }

console-webapp/src/app/settings/settings.component.ts

@@ -20,4 +20,6 @@ import { Component, ViewEncapsulation } from '@angular/core';
   styleUrls: ['./settings.component.scss'],
   encapsulation: ViewEncapsulation.None,
 })
-export class SettingsComponent {}
+export class SettingsComponent {
+  public static PATH = 'settings';
+}

console-webapp/src/app/settings/users/users.component.ts

@@ -19,4 +19,6 @@ import { Component } from '@angular/core';
   templateUrl: './users.component.html',
   styleUrls: ['./users.component.scss'],
 })
-export default class UsersComponent {}
+export default class UsersComponent {
+  public static PATH = 'users';
+}

console-webapp/src/app/settings/whois/whois.component.html

@@ -1 +1,250 @@
-<p>whois works!</p>
+<div class="settings-whois">
+  <h2>WHOIS settings</h2>
+  <h3>
+    General registrar information for your WHOIS record. This information is
+    always visible in WHOIS.
+  </h3>
+  <div *ngIf="loading" class="settings-whois__loading">
+    <mat-progress-bar mode="indeterminate"></mat-progress-bar>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-description">
+      <h3>Name:</h3>
+    </div>
+    <div class="settings-whois__section-form">
+      <mat-form-field>
+        <input
+          matInput
+          type="text"
+          [(ngModel)]="registrar.registrarName"
+          disabled
+        />
+      </mat-form-field>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-description">
+      <h3>IANA Identifier:</h3>
+    </div>
+    <div class="settings-whois__section-form">
+      <mat-form-field>
+        <input
+          matInput
+          type="text"
+          [(ngModel)]="registrar.ianaIdentifier"
+          disabled
+        />
+      </mat-form-field>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-description">
+      <h3>ICANN Referral Email:</h3>
+    </div>
+    <div class="settings-whois__section-form">
+      <mat-form-field>
+        <input
+          matInput
+          type="email"
+          [(ngModel)]="registrar.icannReferralEmail"
+          disabled
+        />
+      </mat-form-field>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-description">
+      <h3>WHOIS server:</h3>
+    </div>
+    <div class="settings-whois__section-form">
+      <mat-form-field>
+        <input
+          matInput
+          type="text"
+          [(ngModel)]="registrar.whoisServer"
+          [disabled]="!inEdit"
+        />
+      </mat-form-field>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-description">
+      <h3>Referral URL:</h3>
+    </div>
+    <div class="settings-whois__section-form">
+      <mat-form-field>
+        <input
+          matInput
+          type="text"
+          [(ngModel)]="registrar.url"
+          [disabled]="!inEdit"
+        />
+      </mat-form-field>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-description">
+      <h3>Email:</h3>
+    </div>
+    <div class="settings-whois__section-form">
+      <mat-form-field>
+        <input
+          matInput
+          type="email"
+          [(ngModel)]="registrar.emailAddress"
+          [disabled]="!inEdit"
+        />
+      </mat-form-field>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-description">
+      <h3>Phone::</h3>
+    </div>
+    <div class="settings-whois__section-form">
+      <mat-form-field>
+        <input
+          matInput
+          type="text"
+          [(ngModel)]="registrar.phoneNumber"
+          [disabled]="!inEdit"
+        />
+      </mat-form-field>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-description">
+      <h3>Fax:</h3>
+    </div>
+    <div class="settings-whois__section-form">
+      <mat-form-field>
+        <input
+          matInput
+          type="text"
+          [(ngModel)]="registrar.faxNumber"
+          [disabled]="!inEdit"
+        />
+      </mat-form-field>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-address">
+      <div class="settings-whois__section-description">
+        <h3>Address Line 1:</h3>
+      </div>
+      <div class="settings-whois__section-form">
+        <mat-form-field>
+          <input
+            *ngIf="registrar.localizedAddress?.street"
+            matInput
+            type="text"
+            [(ngModel)]="(registrar.localizedAddress?.street)![0]"
+            [disabled]="!inEdit"
+          />
+        </mat-form-field>
+      </div>
+    </div>
+    <div class="settings-whois__section-address">
+      <div class="settings-whois__section-description">
+        <h3>City:</h3>
+      </div>
+      <div class="settings-whois__section-form">
+        <mat-form-field>
+          <input
+            *ngIf="registrar.localizedAddress"
+            matInput
+            type="text"
+            [(ngModel)]="registrar.localizedAddress.city"
+            [disabled]="!inEdit"
+          />
+        </mat-form-field>
+      </div>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-address">
+      <div class="settings-whois__section-description">
+        <h3>Address Line 2:</h3>
+      </div>
+      <div class="settings-whois__section-form">
+        <mat-form-field>
+          <input
+            *ngIf="registrar.localizedAddress?.street"
+            matInput
+            type="text"
+            [(ngModel)]="(registrar.localizedAddress?.street)![1]"
+            [disabled]="!inEdit"
+          />
+        </mat-form-field>
+      </div>
+    </div>
+    <div class="settings-whois__section-address">
+      <div class="settings-whois__section-description">
+        <h3>State/Region:</h3>
+      </div>
+      <div class="settings-whois__section-form">
+        <mat-form-field>
+          <input
+            *ngIf="registrar.localizedAddress"
+            matInput
+            type="text"
+            [(ngModel)]="registrar.localizedAddress.state"
+            [disabled]="!inEdit"
+          />
+        </mat-form-field>
+      </div>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-address">
+      <div class="settings-whois__section-description">
+        <h3>Address Line 3:</h3>
+      </div>
+      <div class="settings-whois__section-form">
+        <mat-form-field>
+          <input
+            *ngIf="registrar.localizedAddress?.street"
+            matInput
+            type="text"
+            [(ngModel)]="(registrar.localizedAddress?.street)![2]"
+            [disabled]="!inEdit"
+          />
+        </mat-form-field>
+      </div>
+    </div>
+    <div class="settings-whois__section-address">
+      <div class="settings-whois__section-description">
+        <h3>Country Code:</h3>
+      </div>
+      <div class="settings-whois__section-form">
+        <mat-form-field>
+          <input
+            *ngIf="registrar.localizedAddress"
+            matInput
+            type="text"
+            [(ngModel)]="registrar.localizedAddress.countryCode"
+            [disabled]="!inEdit"
+          />
+        </mat-form-field>
+      </div>
+    </div>
+  </div>
+  <div class="settings-whois__actions">
+    <ng-template [ngIf]="inEdit" [ngIfElse]="inView">
+      <button
+        class="actions-save"
+        mat-raised-button
+        color="primary"
+        (click)="save()"
+      >
+        Save
+      </button>
+      <button class="actions-cancel" mat-stroked-button (click)="cancel()">
+        Cancel
+      </button>
+    </ng-template>
+    <ng-template #inView>
+      <button #elseBlock mat-raised-button (click)="enableEdit()">Edit</button>
+    </ng-template>
+  </div>
+</div>

console-webapp/src/app/settings/whois/whois.component.scss

@@ -11,3 +11,49 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+
+.settings-whois {
+  margin-top: 1.5rem;
+  &__section {
+    display: flex;
+    flex-wrap: wrap;
+    margin-bottom: 10px;
+    min-width: 400px;
+  }
+  &__section-address {
+    display: flex;
+    flex-wrap: wrap;
+    margin-bottom: 5px;
+    min-width: 400px;
+    width: 50%;
+    max-width: 50%;
+  }
+  &__section-description {
+    display: inline-block;
+    margin-block-start: 1em;
+    width: 160px;
+  }
+  &__section-form {
+    display: inline-block;
+    width: 70%;
+    mat-form-field {
+      width: 90%;
+      min-width: 300px;
+    }
+    input:disabled {
+      border: 0;
+    }
+  }
+  &__loading {
+    margin: 2rem 0;
+  }
+  &__actions {
+    margin-top: 50px;
+    display: flex;
+    justify-content: flex-end;
+    margin-right: 50px;
+    button {
+      margin-left: 20px;
+    }
+  }
+}

console-webapp/src/app/settings/whois/whois.component.ts

@@ -12,11 +12,65 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+import { HttpErrorResponse } from '@angular/common/http';
 import { Component } from '@angular/core';
+import { MatSnackBar } from '@angular/material/snack-bar';
+import {
+  Registrar,
+  RegistrarService,
+} from 'src/app/registrar/registrar.service';
+
+import { WhoisService } from './whois.service';
 
 @Component({
   selector: 'app-whois',
   templateUrl: './whois.component.html',
   styleUrls: ['./whois.component.scss'],
+  providers: [WhoisService],
 })
-export default class WhoisComponent {}
+export default class WhoisComponent {
+  public static PATH = 'whois';
+  loading = false;
+  inEdit = false;
+  registrar: Registrar;
+
+  constructor(
+    public whoisService: WhoisService,
+    public registrarService: RegistrarService,
+    private _snackBar: MatSnackBar
+  ) {
+    this.registrar = JSON.parse(
+      JSON.stringify(this.registrarService.registrar)
+    );
+  }
+
+  enableEdit() {
+    this.inEdit = true;
+  }
+
+  cancel() {
+    this.inEdit = false;
+    this.resetDataSource();
+  }
+
+  save() {
+    this.loading = true;
+    this.whoisService.saveChanges(this.registrar).subscribe({
+      complete: () => {
+        this.loading = false;
+        this.resetDataSource();
+      },
+      error: (err: HttpErrorResponse) => {
+        this._snackBar.open(err.error);
+        this.loading = false;
+      },
+    });
+    this.cancel();
+  }
+
+  resetDataSource() {
+    this.registrar = JSON.parse(
+      JSON.stringify(this.registrarService.registrar)
+    );
+  }
+}

console-webapp/src/app/settings/whois/whois.service.ts

@@ -0,0 +1,45 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Injectable } from '@angular/core';
+import { switchMap } from 'rxjs';
+import { Address, RegistrarService } from 'src/app/registrar/registrar.service';
+import { BackendService } from 'src/app/shared/services/backend.service';
+
+export interface WhoisRegistrarFields {
+  ianaIdentifier?: number;
+  icannReferralEmail?: string;
+  localizedAddress?: Address;
+  registrarId?: string;
+  url?: string;
+  whoisServer?: string;
+}
+
+@Injectable()
+export class WhoisService {
+  whoisRegistrarFields: WhoisRegistrarFields = {};
+
+  constructor(
+    private backend: BackendService,
+    private registrarService: RegistrarService
+  ) {}
+
+  saveChanges(newWhoisRegistrarFields: WhoisRegistrarFields) {
+    return this.backend.postWhoisRegistrarFields(newWhoisRegistrarFields).pipe(
+      switchMap(() => {
+        return this.registrarService.loadRegistrars();
+      })
+    );
+  }
+}

console-webapp/src/app/shared/services/backend.service.ts

@@ -19,6 +19,8 @@ import { SecuritySettingsBackendModel } from 'src/app/settings/security/security
 
 import { Contact } from '../../settings/contact/contact.service';
 import { Registrar } from '../../registrar/registrar.service';
+import { UserData } from './userData.service';
+import { WhoisRegistrarFields } from 'src/app/settings/whois/whois.service';
 
 @Injectable()
 export class BackendService {
@@ -90,4 +92,19 @@ export class BackendService {
       securitySettings
     );
   }
+
+  getUserData(): Observable<UserData> {
+    return this.http
+      .get<UserData>('/console-api/userdata')
+      .pipe(catchError((err) => this.errorCatcher<UserData>(err)));
+  }
+
+  postWhoisRegistrarFields(
+    whoisRegistrarFields: WhoisRegistrarFields
+  ): Observable<WhoisRegistrarFields> {
+    return this.http.post<WhoisRegistrarFields>(
+      '/console-api/settings/whois-fields',
+      whoisRegistrarFields
+    );
+  }
 }

console-webapp/src/app/shared/services/userData.service.ts

@@ -0,0 +1,57 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Injectable } from '@angular/core';
+import { Observable, tap } from 'rxjs';
+import { BackendService } from './backend.service';
+import { MatSnackBar } from '@angular/material/snack-bar';
+import { GlobalLoader, GlobalLoaderService } from './globalLoader.service';
+
+export interface UserData {
+  globalRole: string;
+  isAdmin: boolean;
+  productName: string;
+  supportEmail: string;
+  supportPhoneNumber: string;
+  technicalDocsUrl: string;
+}
+
+@Injectable({
+  providedIn: 'root',
+})
+export class UserDataService implements GlobalLoader {
+  public userData?: UserData;
+  constructor(
+    private backend: BackendService,
+    protected globalLoader: GlobalLoaderService,
+    private _snackBar: MatSnackBar
+  ) {
+    this.getUserData().subscribe(() => {
+      this.globalLoader.stopGlobalLoader(this);
+    });
+    this.globalLoader.startGlobalLoader(this);
+  }
+
+  getUserData(): Observable<UserData> {
+    return this.backend.getUserData().pipe(
+      tap((userData: UserData) => {
+        this.userData = userData;
+      })
+    );
+  }
+
+  loadingTimeout() {
+    this._snackBar.open('Timeout loading user data');
+  }
+}

console-webapp/src/app/snackbar.module.ts

@@ -0,0 +1,24 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { NgModule } from '@angular/core';
+import { MAT_SNACK_BAR_DEFAULT_OPTIONS } from '@angular/material/snack-bar';
+
+/** Provides a default set of options for the snack bar. */
+@NgModule({
+  providers: [
+    { provide: MAT_SNACK_BAR_DEFAULT_OPTIONS, useValue: { duration: 5000 } },
+  ],
+})
+export class SnackBarModule {}

console-webapp/src/styles.scss

@@ -44,16 +44,23 @@ body {
     &-link {
       padding: 0 !important;
       text-align: left;
-      height: 20px !important;
+      min-width: auto !important;
+      height: min-content !important;
+    }
+    &-section-header {
+      font-weight: 500;
+      color: var(--primary) !important;
     }
     &-title {
       color: var(--primary) !important;
+      text-align: center;
     }
     &-icon {
-      font-size: 4rem;
-      line-height: 4rem;
-      height: 4rem !important;
-      width: 4rem !important;
+      color: var(--text);
+      font-size: 5rem;
+      line-height: 5rem;
+      height: 5rem !important;
+      width: 5rem !important;
     }
     &_left {
       flex: 1;

console-webapp/src/theme.scss

@@ -17,20 +17,9 @@ $theme-accent: mat.define-palette(mat.$pink-palette, A200, A100, A400);
 // The warn palette is optional (defaults to red).
 $theme-warn: mat.define-palette(mat.$red-palette);
 
-// Create the theme object. A theme consists of configurations for individual
-// theming systems such as "color" or "typography".
-$theme: mat.define-light-theme(
-  (
-    color: (
-      primary: $theme-primary,
-      accent: $theme-accent,
-      warn: $theme-warn,
-    ),
-    density: 0,
-  )
-);
-
-/** Application specific section **/
+/** 
+** Application specific section - Global styles and mixins
+**/
 
 @mixin form-field-density($density) {
   $field-typography: mat.define-typography-config(
@@ -46,19 +35,6 @@ $theme: mat.define-light-theme(
   @include form-field-density(-5);
 }
 
-$foreground: map.merge($theme, mat.$light-theme-foreground-palette);
-
-// Access and define a class with secondary color exposed
-.secondary-text {
-  color: map.get($foreground, "secondary-text");
-}
-
-:root {
-  --primary: #{mat.get-color-from-palette($theme-primary, 500)};
-  --secondary: #{map.get($foreground, "secondary-text")};
-}
-
-@include mat.all-component-themes($theme);
 @import "@angular/material/theming";
 
 // Define application specific typography settings, font-family, etc
@@ -67,3 +43,61 @@ $typography-configuration: mat-typography-config(
 );
 
 @include angular-material-typography($typography-configuration);
+
+/** 
+** Light theme
+**/
+$light-theme: mat.define-light-theme(
+  (
+    color: (
+      primary: $theme-primary,
+      accent: $theme-accent,
+      warn: $theme-warn,
+    ),
+    density: 0,
+  )
+);
+
+// Access and define a class with secondary color exposed
+.secondary-text {
+  color: map.get(mat.$light-theme-foreground-palette, "secondary-text");
+}
+
+:root {
+  --text: #{map.get(mat.$light-theme-foreground-palette, "base")};
+  --primary: #{mat.get-color-from-palette($theme-primary, 500)};
+  --secondary: #{map.get(mat.$light-theme-foreground-palette, "secondary-text")};
+}
+
+@include mat.all-component-themes($light-theme);
+
+/** 
+** Dark theme
+**/
+$dark-theme: mat.define-dark-theme(
+  (
+    color: (
+      primary: mat.define-palette(mat.$pink-palette),
+      accent: mat.define-palette(mat.$blue-grey-palette),
+    ),
+    density: 0,
+  )
+);
+
+@mixin _apply-dark-mode-colors() {
+  @include mat.all-component-colors($dark-theme);
+
+  .secondary-text {
+    color: map.get(mat.$dark-theme-foreground-palette, "secondary-text");
+  }
+
+  :root {
+    --text: #{map.get(mat.$dark-theme-foreground-palette, "base")};
+    --primary: #{mat.get-color-from-palette(mat.$pink-palette, 500)};
+    --secondary: #{map.get(mat.$dark-theme-background-palette, "secondary-text")};
+  }
+}
+
+@media (prefers-color-scheme: dark) {
+  @include _apply-dark-mode-colors();
+}

core/src/main/java/google/registry/batch/BatchModule.java

@@ -43,6 +43,12 @@ public class BatchModule {
   public static final String PARAM_DRY_RUN = "dryRun";
   public static final String PARAM_FAST = "fast";
 
+  @Provides
+  @Parameter("url")
+  static String provideUrl(HttpServletRequest req) {
+    return extractRequiredParameter(req, "url");
+  }
+
   @Provides
   @Parameter("jobName")
   static Optional<String> provideJobName(HttpServletRequest req) {

core/src/main/java/google/registry/batch/CannedScriptExecutionAction.java

@@ -14,26 +14,20 @@
 
 package google.registry.batch;
 
-import static com.google.common.collect.ImmutableList.toImmutableList;
+import static google.registry.request.Action.Method.GET;
 import static google.registry.request.Action.Method.POST;
-import static google.registry.util.RegistrarUtils.normalizeRegistrarId;
+import static java.nio.charset.StandardCharsets.UTF_8;
 
-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.Streams;
 import com.google.common.flogger.FluentLogger;
-import google.registry.config.RegistryConfig.Config;
-import google.registry.groups.GmailClient;
-import google.registry.groups.GroupsConnection;
-import google.registry.model.registrar.Registrar;
-import google.registry.model.registrar.RegistrarPoc;
 import google.registry.request.Action;
+import google.registry.request.Parameter;
+import google.registry.request.Response;
+import google.registry.request.UrlConnectionService;
+import google.registry.request.UrlConnectionUtils;
 import google.registry.request.auth.Auth;
-import google.registry.util.EmailMessage;
-import java.io.IOException;
-import java.util.Set;
+import java.net.URL;
 import javax.inject.Inject;
-import javax.mail.internet.AddressException;
-import javax.mail.internet.InternetAddress;
+import javax.net.ssl.HttpsURLConnection;
 
 /**
  * Action that executes a canned script specified by the caller.
@@ -50,88 +44,45 @@ import javax.mail.internet.InternetAddress;
 @Action(
     service = Action.Service.BACKEND,
     path = "/_dr/task/executeCannedScript",
-    method = POST,
+    method = {POST, GET},
     automaticallyPrintOk = true,
     auth = Auth.AUTH_API_ADMIN)
 public class CannedScriptExecutionAction implements Runnable {
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
 
-  private final GroupsConnection groupsConnection;
-  private final GmailClient gmailClient;
-
-  private final InternetAddress senderAddress;
-
-  private final InternetAddress recipientAddress;
-
-  private final String gSuiteDomainName;
+  @Inject UrlConnectionService urlConnectionService;
+  @Inject Response response;
 
   @Inject
-  CannedScriptExecutionAction(
-      GroupsConnection groupsConnection,
-      GmailClient gmailClient,
-      @Config("projectId") String projectId,
-      @Config("gSuiteDomainName") String gSuiteDomainName,
-      @Config("newAlertRecipientEmailAddress") InternetAddress recipientAddress) {
-    this.groupsConnection = groupsConnection;
-    this.gmailClient = gmailClient;
-    this.gSuiteDomainName = gSuiteDomainName;
-    try {
-      this.senderAddress = new InternetAddress(String.format("%s@%s", projectId, gSuiteDomainName));
-    } catch (AddressException e) {
-      throw new RuntimeException(e);
-    }
-    this.recipientAddress = recipientAddress;
-    logger.atInfo().log("Sender:%s; Recipient: %s.", this.senderAddress, this.recipientAddress);
-  }
+  @Parameter("url")
+  String url;
+
+  @Inject
+  CannedScriptExecutionAction() {}
 
   @Override
   public void run() {
+    Integer responseCode = null;
+    String responseContent = null;
     try {
-      // Invoke canned scripts here.
-      checkGroupApi();
-      EmailMessage message = createEmail();
-      this.gmailClient.sendEmail(message);
-      logger.atInfo().log("Finished running scripts.");
-    } catch (Throwable t) {
-      logger.atWarning().withCause(t).log("Error executing scripts.");
-      throw new RuntimeException("Execution failed.");
-    }
-  }
-
-  // Checks if Directory and GroupSettings still work after GWorkspace changes.
-  void checkGroupApi() {
-    ImmutableList<Registrar> registrars =
-        Streams.stream(Registrar.loadAllCached())
-            .filter(registrar -> registrar.isLive() && registrar.getType() == Registrar.Type.REAL)
-            .collect(toImmutableList());
-    logger.atInfo().log("Found %s registrars.", registrars.size());
-    for (Registrar registrar : registrars) {
-      for (final RegistrarPoc.Type type : RegistrarPoc.Type.values()) {
-        String groupKey =
-            String.format(
-                "%s-%s-contacts@%s",
-                normalizeRegistrarId(registrar.getRegistrarId()),
-                type.getDisplayName(),
-                gSuiteDomainName);
-        try {
-          Set<String> currentMembers = groupsConnection.getMembersOfGroup(groupKey);
-          logger.atInfo().log("%s has %s members.", groupKey, currentMembers.size());
-          // One success is enough for validation.
-          return;
-        } catch (IOException e) {
-          logger.atWarning().withCause(e).log("Failed to check %s", groupKey);
-        }
+      logger.atInfo().log("Connecting to: %s", url);
+      HttpsURLConnection connection =
+          (HttpsURLConnection) urlConnectionService.createConnection(new URL(url));
+      responseCode = connection.getResponseCode();
+      logger.atInfo().log("Code: %d", responseCode);
+      logger.atInfo().log("Headers: %s", connection.getHeaderFields());
+      responseContent = new String(UrlConnectionUtils.getResponseBytes(connection), UTF_8);
+      logger.atInfo().log("Response: %s", responseContent);
+    } catch (Exception e) {
+      logger.atWarning().withCause(e).log("Connection to %s failed", url);
+      throw new RuntimeException(e);
+    } finally {
+      if (responseCode != null) {
+        response.setStatus(responseCode);
+      }
+      if (responseContent != null) {
+        response.setPayload(responseContent);
       }
     }
-    logger.atInfo().log("Finished checking GroupApis.");
-  }
-
-  EmailMessage createEmail() {
-    return EmailMessage.newBuilder()
-        .setFrom(senderAddress)
-        .setSubject("Test: Please ignore<eom>.")
-        .setRecipients(ImmutableList.of(recipientAddress))
-        .setBody("Sent from Nomulus through Google Workspace.")
-        .build();
   }
 }

core/src/main/java/google/registry/beam/rde/RdePipeline.java

@@ -27,6 +27,10 @@ import static google.registry.beam.rde.RdePipeline.TupleTags.REVISION_ID;
 import static google.registry.beam.rde.RdePipeline.TupleTags.SUPERORDINATE_DOMAINS;
 import static google.registry.model.reporting.HistoryEntryDao.RESOURCE_TYPES_TO_HISTORY_TYPES;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+import static google.registry.util.SafeSerializationUtils.safeDeserializeCollection;
+import static google.registry.util.SafeSerializationUtils.serializeCollection;
+import static google.registry.util.SerializeUtils.decodeBase64;
+import static google.registry.util.SerializeUtils.encodeBase64;
 import static org.apache.beam.sdk.values.TypeDescriptors.kvs;
 
 import com.google.common.collect.ImmutableList;
@@ -65,11 +69,7 @@ import google.registry.rde.PendingDeposit.PendingDepositCoder;
 import google.registry.rde.RdeMarshaller;
 import google.registry.util.UtilsModule;
 import google.registry.xml.ValidationMode;
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
 import java.io.IOException;
-import java.io.ObjectInputStream;
-import java.io.ObjectOutputStream;
 import java.io.Serializable;
 import java.util.HashSet;
 import javax.inject.Inject;
@@ -658,14 +658,8 @@ public class RdePipeline implements Serializable {
    */
   @SuppressWarnings("unchecked")
   static ImmutableSet<PendingDeposit> decodePendingDeposits(String encodedPendingDeposits) {
-    try (ObjectInputStream ois =
-        new ObjectInputStream(
-            new ByteArrayInputStream(
-                BaseEncoding.base64Url().omitPadding().decode(encodedPendingDeposits)))) {
-      return (ImmutableSet<PendingDeposit>) ois.readObject();
-    } catch (IOException | ClassNotFoundException e) {
-      throw new IllegalArgumentException("Unable to parse encoded pending deposit map.", e);
-    }
+    return ImmutableSet.copyOf(
+        safeDeserializeCollection(PendingDeposit.class, decodeBase64(encodedPendingDeposits)));
   }
 
   /**
@@ -674,12 +668,7 @@ public class RdePipeline implements Serializable {
    */
   public static String encodePendingDeposits(ImmutableSet<PendingDeposit> pendingDeposits)
       throws IOException {
-    try (ByteArrayOutputStream baos = new ByteArrayOutputStream()) {
-      ObjectOutputStream oos = new ObjectOutputStream(baos);
-      oos.writeObject(pendingDeposits);
-      oos.flush();
-      return BaseEncoding.base64Url().omitPadding().encode(baos.toByteArray());
-    }
+    return encodeBase64(serializeCollection(pendingDeposits));
   }
 
   public static void main(String[] args) throws IOException, ClassNotFoundException {

core/src/main/java/google/registry/config/RegistryConfig.java

@@ -879,6 +879,17 @@ public final class RegistryConfig {
       return Optional.ofNullable(config.misc.sheetExportId);
     }
 
+    /**
+     * Returns the desired delay between outgoing emails when sending in bulk.
+     *
+     * <p>Gmail apparently has unpublished limits on peak throughput over short period.
+     */
+    @Provides
+    @Config("emailThrottleDuration")
+    public static Duration provideEmailThrottleSeconds(RegistryConfigSettings config) {
+      return Duration.standardSeconds(config.misc.emailThrottleSeconds);
+    }
+
     /**
      * Returns the email address we send various alert e-mails to.
      *
@@ -1163,44 +1174,6 @@ public final class RegistryConfig {
       return CONFIG_SETTINGS.get();
     }
 
-    /**
-     * Provides the OAuth scopes that authentication logic should detect on access tokens.
-     *
-     * <p>This list should be a superset of the required OAuth scope set provided below. Note that
-     * ideally, this setting would not be required and all scopes on an access token would be
-     * detected automatically, but that is not the case due to the way {@code OAuthService} works.
-     *
-     * <p>This is an independent setting from the required OAuth scopes (below) to support use cases
-     * where certain actions require some additional scope (e.g. access to a user's Google Drive)
-     * but that scope shouldn't be required for authentication alone; in that case the Drive scope
-     * would be specified only for this setting, allowing that action to check for its presence.
-     */
-    @Provides
-    @Config("availableOauthScopes")
-    public static ImmutableSet<String> provideAvailableOauthScopes(RegistryConfigSettings config) {
-      return ImmutableSet.copyOf(config.auth.availableOauthScopes);
-    }
-
-    /**
-     * Provides the OAuth scopes that are required for authenticating successfully.
-     *
-     * <p>This set contains the scopes which must be present to authenticate a user. It should be a
-     * subset of the scopes we request from the OAuth interface, provided above.
-     *
-     * <p>If we feel the need, we could define additional fixed scopes, similar to the Java remote
-     * API, which requires at least one of:
-     *
-     * <ul>
-     *   <li>{@code https://www.googleapis.com/auth/appengine.apis}
-     *   <li>{@code https://www.googleapis.com/auth/cloud-platform}
-     * </ul>
-     */
-    @Provides
-    @Config("requiredOauthScopes")
-    public static ImmutableSet<String> provideRequiredOauthScopes(RegistryConfigSettings config) {
-      return ImmutableSet.copyOf(config.auth.requiredOauthScopes);
-    }
-
     /**
      * Provides service account email addresses allowed to authenticate with the app at {@link
      * google.registry.request.auth.AuthSettings.AuthLevel#APP} level.
@@ -1212,13 +1185,6 @@ public final class RegistryConfig {
       return ImmutableSet.copyOf(config.auth.allowedServiceAccountEmails);
     }
 
-    /** Provides the allowed OAuth client IDs (could be multibinding). */
-    @Provides
-    @Config("allowedOauthClientIds")
-    public static ImmutableSet<String> provideAllowedOauthClientIds(RegistryConfigSettings config) {
-      return ImmutableSet.copyOf(config.auth.allowedOauthClientIds);
-    }
-
     @Provides
     @Config("oauthClientId")
     public static String provideOauthClientId(RegistryConfigSettings config) {

core/src/main/java/google/registry/config/RegistryConfigSettings.java

@@ -58,9 +58,6 @@ public class RegistryConfigSettings {
 
   /** Configuration options for authenticating users. */
   public static class Auth {
-    public List<String> availableOauthScopes;
-    public List<String> requiredOauthScopes;
-    public List<String> allowedOauthClientIds;
     public List<String> allowedServiceAccountEmails;
     public String oauthClientId;
   }
@@ -208,6 +205,7 @@ public class RegistryConfigSettings {
   public static class Misc {
     public String sheetExportId;
     public boolean isEmailSendingEnabled;
+    public int emailThrottleSeconds;
     public String alertRecipientEmailAddress;
     // TODO(b/279671974): remove below field after migration
     public String newAlertRecipientEmailAddress;

core/src/main/java/google/registry/config/files/default-config.yaml

@@ -304,24 +304,6 @@ caching:
 # Note: Only allowedServiceAccountEmails and oauthClientId should be configured.
 # Other fields are related to OAuth-based authentication and will be removed.
 auth:
-  # Deprecated: Use OIDC-based auth instead. This field is for OAuth-based auth.
-  # OAuth scopes to detect on access tokens. Superset of requiredOauthScopes.
-  availableOauthScopes:
-  - https://www.googleapis.com/auth/userinfo.email
-
-  # Deprecated: Use OIDC-based auth instead. This field is for OAuth-based auth.
-  # OAuth scopes required for authenticating. Subset of availableOauthScopes.
-  requiredOauthScopes:
-  - https://www.googleapis.com/auth/userinfo.email
-
-  # Deprecated: Use OIDC-based auth instead. This field is for OAuth-based auth.
-  # OAuth client IDs that are allowed to authenticate and communicate with
-  # backend services, e.g. nomulus tool, EPP proxy, etc. The value in
-  # registryTool.clientId field should be included in this list. Client IDs are
-  # typically of the format
-  # numbers-alphanumerics.apps.googleusercontent.com
-  allowedOauthClientIds: []
-
   # Service accounts (e.g. default service account, account used by Cloud
   # Scheduler) allowed to send authenticated requests.
   allowedServiceAccountEmails:
@@ -443,6 +425,9 @@ misc:
   # Whether emails may be sent. For Prod and Sandbox this should be true.
   isEmailSendingEnabled: false
 
+  # Delay between bulk messages to avoid triggering Gmail fraud checks
+  emailThrottleSeconds: 30
+
   # Address we send alert summary emails to.
   alertRecipientEmailAddress: email@example.com
 

core/src/main/java/google/registry/config/files/nomulus-config-production-sample.yaml

@@ -1,76 +0,0 @@
-# This is a sample production config (to be deployed in the WEB-INF directory).
-# This is the same as what Google Registry runs in production, except with
-# placeholders for Google-specific settings.
-
-gcpProject:
-  projectId: placeholder
-  # Set to true if running against local servers (localhost)
-  isLocal: false
-  # The "<service>-dot-" prefix is used on the project ID in this URL in order
-  # to get around an issue with double-wildcard SSL certs.
-  defaultServiceUrl: https://domain-registry-placeholder.appspot.com
-  backendServiceUrl: https://backend-dot-domain-registry-placeholder.appspot.com
-  toolsServiceUrl: https://tools-dot-domain-registry-placeholder.appspot.com
-  pubapiServiceUrl: https://pubapi-dot-domain-registry-placeholder.appspot.com
-
-gSuite:
-  domainName: placeholder
-  outgoingEmailDisplayName: placeholder
-  outgoingEmailAddress: placeholder
-  adminAccountEmailAddress: placeholder
-  supportGroupEmailAddress: placeholder
-
-registryPolicy:
-  contactAndHostRoidSuffix: placeholder
-  productName: placeholder
-  greetingServerId: placeholder
-  registrarChangesNotificationEmailAddresses:
-    - placeholder
-    - placeholder
-  defaultRegistrarWhoisServer: placeholder
-  tmchCaMode: PRODUCTION
-  tmchCrlUrl: http://crl.icann.org/tmch.crl
-  tmchMarksDbUrl: https://ry.marksdb.org
-  checkApiServletClientId: placeholder
-  registryAdminClientId: placeholder
-  whoisDisclaimer: |
-    multi-line
-    placeholder
-
-icannReporting:
-  icannTransactionsReportingUploadUrl: https://ry-api.icann.org/report/registrar-transactions
-  icannActivityReportingUploadUrl: https://ry-api.icann.org/report/registry-functions-activity
-
-oAuth:
-  allowedOauthClientIds:
-    - placeholder.apps.googleusercontent.com
-    - placeholder-for-proxy
-
-rde:
-  reportUrlPrefix: https://ry-api.icann.org/report/registry-escrow-report
-  uploadUrl: sftp://placeholder@sftpipm2.ironmountain.com/Outbox
-  sshIdentityEmailAddress: placeholder
-
-registrarConsole:
-  logoFilename: placeholder
-  supportPhoneNumber: placeholder
-  supportEmailAddress: placeholder
-  announcementsEmailAddress: placeholder
-  integrationEmailAddress: placeholder
-  technicalDocsUrl: https://drive.google.com/drive/folders/placeholder
-
-misc:
-  sheetExportId: placeholder
-
-cloudDns:
-  rootUrl: null
-  servicePath: null
-
-keyring:
-  activeKeyring: KMS
-  kms:
-    projectId: placeholder
-
-registryTool:
-  clientId: placeholder.apps.googleusercontent.com
-  clientSecret: placeholder

core/src/main/java/google/registry/env/qa/default/WEB-INF/cloud-scheduler-tasks.xml

@@ -59,13 +59,4 @@
     </description>
     <schedule>7 3 * * *</schedule>
   </task>
-
-  <task>
-    <url><![CDATA[/_dr/task/wipeOutCloudSql]]></url>
-    <name>wipeOutCloudSql</name>
-    <description>
-      This job runs an action that deletes all data in Cloud SQL.
-    </description>
-    <schedule>7 3 * * 6</schedule>
-  </task>
 </entries>

core/src/main/java/google/registry/flows/EppTlsAction.java

@@ -29,7 +29,7 @@ import javax.servlet.http.HttpSession;
     service = Action.Service.DEFAULT,
     path = "/_dr/epp",
     method = Method.POST,
-    auth = Auth.AUTH_API_PUBLIC)
+    auth = Auth.AUTH_API_ADMIN)
 public class EppTlsAction implements Runnable {
 
   @Inject @Payload byte[] inputXmlBytes;

core/src/main/java/google/registry/flows/domain/DomainRenewFlow.java

@@ -53,8 +53,8 @@ import google.registry.flows.custom.DomainRenewFlowCustomLogic.BeforeResponseRet
 import google.registry.flows.custom.DomainRenewFlowCustomLogic.BeforeSaveParameters;
 import google.registry.flows.custom.EntityChanges;
 import google.registry.flows.domain.token.AllocationTokenFlowUtils;
-import google.registry.flows.domain.token.AllocationTokenFlowUtils.MissingRemoveDomainTokenOnBulkPricingDomainException;
-import google.registry.flows.domain.token.AllocationTokenFlowUtils.RemoveDomainTokenOnNonBulkPricingDomainException;
+import google.registry.flows.domain.token.AllocationTokenFlowUtils.MissingRemoveBulkPricingTokenOnBulkPricingDomainException;
+import google.registry.flows.domain.token.AllocationTokenFlowUtils.RemoveBulkPricingTokenOnNonBulkPricingDomainException;
 import google.registry.model.ImmutableObject;
 import google.registry.model.billing.BillingBase.Reason;
 import google.registry.model.billing.BillingEvent;
@@ -121,8 +121,8 @@ import org.joda.time.Duration;
  * @error {@link DomainFlowUtils.RegistrarMustBeActiveForThisOperationException}
  * @error {@link DomainFlowUtils.UnsupportedFeeAttributeException}
  * @error {@link DomainRenewFlow.IncorrectCurrentExpirationDateException}
- * @error {@link MissingRemoveDomainTokenOnBulkPricingDomainException}
- * @error {@link RemoveDomainTokenOnNonBulkPricingDomainException}
+ * @error {@link MissingRemoveBulkPricingTokenOnBulkPricingDomainException}
+ * @error {@link RemoveBulkPricingTokenOnNonBulkPricingDomainException}
  * @error {@link
  *     google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForDomainException}
  * @error {@link
@@ -328,7 +328,7 @@ public final class DomainRenewFlow implements MutatingFlow {
       checkHasBillingAccount(registrarId, existingDomain.getTld());
     }
     verifyUnitIsYears(command.getPeriod());
-    // We only allow __REMOVEDOMAIN__ token on bulk pricing domains for now
+    // We only allow __REMOVE_BULK_PRICING__ token on bulk pricing domains for now
     verifyTokenAllowedOnDomain(existingDomain, allocationToken);
     // If the date they specify doesn't match the expiration, fail. (This is an idempotence check).
     if (!command.getCurrentExpirationDate().equals(

core/src/main/java/google/registry/flows/domain/token/AllocationTokenFlowUtils.java

@@ -243,21 +243,21 @@ public class AllocationTokenFlowUtils {
       Domain domain, Optional<AllocationToken> allocationToken) throws EppException {
 
     boolean domainHasBulkToken = domain.getCurrentBulkToken().isPresent();
-    boolean hasRemoveDomainToken =
+    boolean hasRemoveBulkPricingToken =
         allocationToken.isPresent()
-            && TokenBehavior.REMOVE_DOMAIN.equals(allocationToken.get().getTokenBehavior());
+            && TokenBehavior.REMOVE_BULK_PRICING.equals(allocationToken.get().getTokenBehavior());
 
-    if (hasRemoveDomainToken && !domainHasBulkToken) {
-      throw new RemoveDomainTokenOnNonBulkPricingDomainException();
-    } else if (!hasRemoveDomainToken && domainHasBulkToken) {
-      throw new MissingRemoveDomainTokenOnBulkPricingDomainException();
+    if (hasRemoveBulkPricingToken && !domainHasBulkToken) {
+      throw new RemoveBulkPricingTokenOnNonBulkPricingDomainException();
+    } else if (!hasRemoveBulkPricingToken && domainHasBulkToken) {
+      throw new MissingRemoveBulkPricingTokenOnBulkPricingDomainException();
     }
   }
 
   public static Domain maybeApplyBulkPricingRemovalToken(
       Domain domain, Optional<AllocationToken> allocationToken) {
     if (!allocationToken.isPresent()
-        || !TokenBehavior.REMOVE_DOMAIN.equals(allocationToken.get().getTokenBehavior())) {
+        || !TokenBehavior.REMOVE_BULK_PRICING.equals(allocationToken.get().getTokenBehavior())) {
       return domain;
     }
 
@@ -338,19 +338,19 @@ public class AllocationTokenFlowUtils {
     }
   }
 
-  /** The __REMOVEDOMAIN__ token is missing on a bulk pricing domain command */
-  public static class MissingRemoveDomainTokenOnBulkPricingDomainException
+  /** The __REMOVE_BULK_PRICING__ token is missing on a bulk pricing domain command */
+  public static class MissingRemoveBulkPricingTokenOnBulkPricingDomainException
       extends AssociationProhibitsOperationException {
-    MissingRemoveDomainTokenOnBulkPricingDomainException() {
+    MissingRemoveBulkPricingTokenOnBulkPricingDomainException() {
       super("Domains that are inside bulk pricing cannot be explicitly renewed or transferred");
     }
   }
 
-  /** The __REMOVEDOMAIN__ token is not allowed on non bulk pricing domains */
-  public static class RemoveDomainTokenOnNonBulkPricingDomainException
+  /** The __REMOVE_BULK_PRICING__ token is not allowed on non bulk pricing domains */
+  public static class RemoveBulkPricingTokenOnNonBulkPricingDomainException
       extends AssociationProhibitsOperationException {
-    RemoveDomainTokenOnNonBulkPricingDomainException() {
-      super("__REMOVEDOMAIN__ token is not allowed on non bulk pricing domains");
+    RemoveBulkPricingTokenOnNonBulkPricingDomainException() {
+      super("__REMOVE_BULK_PRICING__ token is not allowed on non bulk pricing domains");
     }
   }
 }

core/src/main/java/google/registry/model/EntityYamlUtils.java

@@ -14,6 +14,7 @@
 package google.registry.model;
 
 import static com.google.common.collect.ImmutableSortedMap.toImmutableSortedMap;
+import static com.google.common.collect.ImmutableSortedSet.toImmutableSortedSet;
 import static com.google.common.collect.Ordering.natural;
 
 import com.fasterxml.jackson.core.JsonGenerator;
@@ -29,6 +30,7 @@ import com.fasterxml.jackson.databind.module.SimpleModule;
 import com.fasterxml.jackson.databind.ser.std.StdSerializer;
 import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;
 import com.fasterxml.jackson.dataformat.yaml.YAMLGenerator.Feature;
+import com.google.common.collect.ImmutableSortedSet;
 import google.registry.model.common.TimedTransitionProperty;
 import google.registry.model.domain.token.AllocationToken;
 import google.registry.model.tld.Tld.TldState;
@@ -39,6 +41,7 @@ import java.util.ArrayList;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Optional;
+import java.util.Set;
 import java.util.SortedMap;
 import org.joda.money.CurrencyUnit;
 import org.joda.money.Money;
@@ -55,16 +58,67 @@ public class EntityYamlUtils {
     SimpleModule module = new SimpleModule();
     module.addSerializer(Money.class, new MoneySerializer());
     module.addDeserializer(Money.class, new MoneyDeserializer());
+    module.addSerializer(Duration.class, new DurationSerializer());
     ObjectMapper mapper =
         JsonMapper.builder(new YAMLFactory().disable(Feature.WRITE_DOC_START_MARKER))
             .disable(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS)
             .enable(MapperFeature.SORT_PROPERTIES_ALPHABETICALLY)
-            .build()
-            .registerModule(module);
-    mapper.findAndRegisterModules();
+            .build();
+    mapper.findAndRegisterModules().registerModule(module);
     return mapper;
   }
 
+  /**
+   * A custom serializer for String Set to sort the order and make YAML generation deterministic.
+   */
+  public static class SortedSetSerializer extends StdSerializer<Set<String>> {
+    public SortedSetSerializer() {
+      this(null);
+    }
+
+    public SortedSetSerializer(Class<Set<String>> t) {
+      super(t);
+    }
+
+    @Override
+    public void serialize(Set<String> value, JsonGenerator g, SerializerProvider provider)
+        throws IOException {
+      ImmutableSortedSet<String> sorted =
+          value.stream()
+              .collect(toImmutableSortedSet(String::compareTo)); // sort the entries into a new set
+      g.writeStartArray();
+      for (String entry : sorted) {
+        g.writeString(entry);
+      }
+      g.writeEndArray();
+    }
+  }
+
+  /** A custom serializer for Enum Set to sort the order and make YAML generation deterministic. */
+  public static class SortedEnumSetSerializer extends StdSerializer<Set<Enum>> {
+    public SortedEnumSetSerializer() {
+      this(null);
+    }
+
+    public SortedEnumSetSerializer(Class<Set<Enum>> t) {
+      super(t);
+    }
+
+    @Override
+    public void serialize(Set<Enum> value, JsonGenerator g, SerializerProvider provider)
+        throws IOException {
+      ImmutableSortedSet<String> sorted =
+          value.stream()
+              .map(Enum::name)
+              .collect(toImmutableSortedSet(String::compareTo)); // sort the entries into a new set
+      g.writeStartArray();
+      for (String entry : sorted) {
+        g.writeString(entry);
+      }
+      g.writeEndArray();
+    }
+  }
+
   /** A custom JSON serializer for {@link Money}. */
   public static class MoneySerializer extends StdSerializer<Money> {
 
@@ -147,6 +201,24 @@ public class EntityYamlUtils {
     }
   }
 
+  /** A custom JSON serializer for a {@link Duration} object. */
+  public static class DurationSerializer extends StdSerializer<Duration> {
+
+    public DurationSerializer() {
+      this(null);
+    }
+
+    public DurationSerializer(Class<Duration> t) {
+      super(t);
+    }
+
+    @Override
+    public void serialize(Duration value, JsonGenerator gen, SerializerProvider provider)
+        throws IOException {
+      gen.writeString(value.toString());
+    }
+  }
+
   /** A custom JSON serializer for an Optional of a {@link Duration} object. */
   public static class OptionalDurationSerializer extends StdSerializer<Optional<Duration>> {
 
@@ -162,7 +234,7 @@ public class EntityYamlUtils {
     public void serialize(Optional<Duration> value, JsonGenerator gen, SerializerProvider provider)
         throws IOException {
       if (value.isPresent()) {
-        gen.writeNumber(value.get().getMillis());
+        gen.writeString(value.get().toString());
       } else {
         gen.writeNull();
       }

core/src/main/java/google/registry/model/console/User.java

@@ -35,21 +35,16 @@ import javax.persistence.Table;
 
 /** A console user, either a registry employee or a registrar partner. */
 @Entity
-@Table(
-    indexes = {
-      @Index(columnList = "gaiaId", name = "user_gaia_id_idx"),
-      @Index(columnList = "emailAddress", name = "user_email_address_idx")
-    })
+@Table(indexes = {@Index(columnList = "emailAddress", name = "user_email_address_idx")})
 public class User extends UpdateAutoTimestampEntity implements Buildable {
 
+  private static final long serialVersionUID = 6936728603828566721L;
+
   /** Autogenerated unique ID of this user. */
   @Id
   @GeneratedValue(strategy = GenerationType.IDENTITY)
   private Long id;
 
-  /** GAIA ID associated with the user in question. */
-  private String gaiaId;
-
   /** Email address of the user in question. */
   @Column(nullable = false)
   private String emailAddress;
@@ -71,10 +66,6 @@ public class User extends UpdateAutoTimestampEntity implements Buildable {
     return id;
   }
 
-  public String getGaiaId() {
-    return gaiaId;
-  }
-
   public String getEmailAddress() {
     return emailAddress;
   }
@@ -139,12 +130,6 @@ public class User extends UpdateAutoTimestampEntity implements Buildable {
       return super.build();
     }
 
-    public Builder setGaiaId(String gaiaId) {
-      checkArgument(!isNullOrEmpty(gaiaId), "Gaia ID cannot be null or empty");
-      getInstance().gaiaId = gaiaId;
-      return this;
-    }
-
     public Builder setEmailAddress(String emailAddress) {
       getInstance().emailAddress = checkValidEmail(emailAddress);
       return this;

core/src/main/java/google/registry/model/domain/token/AllocationToken.java

@@ -77,10 +77,10 @@ import org.joda.time.DateTime;
 public class AllocationToken extends UpdateAutoTimestampEntity implements Buildable {
 
   private static final long serialVersionUID = -3954475393220876903L;
-  private static final String REMOVE_DOMAIN = "__REMOVEDOMAIN__";
+  private static final String REMOVE_BULK_PRICING = "__REMOVE_BULK_PRICING__";
 
   private static final ImmutableMap<String, TokenBehavior> STATIC_TOKEN_BEHAVIORS =
-      ImmutableMap.of(REMOVE_DOMAIN, TokenBehavior.REMOVE_DOMAIN);
+      ImmutableMap.of(REMOVE_BULK_PRICING, TokenBehavior.REMOVE_BULK_PRICING);
 
   // Promotions should only move forward, and ENDED / CANCELLED are terminal states.
   private static final ImmutableMultimap<TokenStatus, TokenStatus> VALID_TOKEN_STATUS_TRANSITIONS =
@@ -91,10 +91,10 @@ public class AllocationToken extends UpdateAutoTimestampEntity implements Builda
 
   private static final ImmutableMap<String, AllocationToken> BEHAVIORAL_TOKENS =
       ImmutableMap.of(
-          REMOVE_DOMAIN,
+          REMOVE_BULK_PRICING,
           new AllocationToken.Builder()
               .setTokenType(TokenType.UNLIMITED_USE)
-              .setToken(REMOVE_DOMAIN)
+              .setToken(REMOVE_BULK_PRICING)
               .build());
 
   public static Optional<AllocationToken> maybeGetStaticTokenInstance(String name) {
@@ -142,10 +142,10 @@ public class AllocationToken extends UpdateAutoTimestampEntity implements Builda
     /** No special behavior */
     DEFAULT,
     /**
-     * REMOVE_DOMAIN triggers domain removal from a bulk pricing package, bypasses DEFAULT token
-     * validations.
+     * REMOVE_BULK_PRICING triggers domain removal from a bulk pricing package, bypasses DEFAULT
+     * token validations.
      */
-    REMOVE_DOMAIN
+    REMOVE_BULK_PRICING
   }
 
   /** The status of this token with regard to any potential promotion. */
@@ -305,14 +305,14 @@ public class AllocationToken extends UpdateAutoTimestampEntity implements Builda
                   new CacheLoader<VKey<AllocationToken>, Optional<AllocationToken>>() {
                     @Override
                     public Optional<AllocationToken> load(VKey<AllocationToken> key) {
-                      return tm().transact(() -> tm().loadByKeyIfPresent(key));
+                      return tm().reTransact(() -> tm().loadByKeyIfPresent(key));
                     }
 
                     @Override
                     public Map<VKey<AllocationToken>, Optional<AllocationToken>> loadAll(
                         Iterable<? extends VKey<AllocationToken>> keys) {
                       ImmutableSet<VKey<AllocationToken>> keySet = ImmutableSet.copyOf(keys);
-                      return tm().transact(
+                      return tm().reTransact(
                               () ->
                                   keySet.stream()
                                       .collect(

core/src/main/java/google/registry/model/registrar/Registrar.java

@@ -200,7 +200,11 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
 
   /** A caching {@link Supplier} of a registrarId to {@link Registrar} map. */
   private static final Supplier<ImmutableMap<String, Registrar>> CACHE_BY_REGISTRAR_ID =
-      memoizeWithShortExpiration(() -> Maps.uniqueIndex(loadAll(), Registrar::getRegistrarId));
+      memoizeWithShortExpiration(
+          () ->
+              Maps.uniqueIndex(
+                  tm().reTransact(() -> tm().loadAllOf(Registrar.class)),
+                  Registrar::getRegistrarId));
 
   /**
    * Unique registrar client id. Must conform to "clIDType" as defined in RFC5730.

core/src/main/java/google/registry/model/smd/SignedMarkRevocationListDao.java

@@ -28,7 +28,7 @@ public class SignedMarkRevocationListDao {
   /** Loads the {@link SignedMarkRevocationList}. */
   static SignedMarkRevocationList load() {
     Optional<SignedMarkRevocationList> smdrl =
-        tm().transact(
+        tm().reTransact(
                 () -> {
                   Long revisionId =
                       tm().query("SELECT MAX(revisionId) FROM SignedMarkRevocationList", Long.class)

core/src/main/java/google/registry/model/tld/Tld.java

@@ -19,6 +19,7 @@ import static com.google.common.base.Preconditions.checkNotNull;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static com.google.common.collect.Maps.toMap;
 import static google.registry.config.RegistryConfig.getSingletonCacheRefreshDuration;
+import static google.registry.model.EntityYamlUtils.createObjectMapper;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.CollectionUtils.nullToEmptyImmutableCopy;
 import static google.registry.util.DateTimeUtils.END_OF_TIME;
@@ -28,6 +29,8 @@ import static org.joda.money.CurrencyUnit.USD;
 
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
 import com.fasterxml.jackson.databind.annotation.JsonSerialize;
 import com.github.benmanes.caffeine.cache.CacheLoader;
@@ -50,6 +53,8 @@ import google.registry.model.EntityYamlUtils.CurrencyDeserializer;
 import google.registry.model.EntityYamlUtils.CurrencySerializer;
 import google.registry.model.EntityYamlUtils.OptionalDurationSerializer;
 import google.registry.model.EntityYamlUtils.OptionalStringSerializer;
+import google.registry.model.EntityYamlUtils.SortedEnumSetSerializer;
+import google.registry.model.EntityYamlUtils.SortedSetSerializer;
 import google.registry.model.EntityYamlUtils.TimedTransitionPropertyMoneyDeserializer;
 import google.registry.model.EntityYamlUtils.TimedTransitionPropertyTldStateDeserializer;
 import google.registry.model.EntityYamlUtils.TokenVKeyListDeserializer;
@@ -124,6 +129,20 @@ public class Tld extends ImmutableObject implements Buildable, UnsafeSerializabl
   public static final Money DEFAULT_SERVER_STATUS_CHANGE_BILLING_COST = Money.of(USD, 20);
   public static final Money DEFAULT_REGISTRY_LOCK_OR_UNLOCK_BILLING_COST = Money.of(USD, 0);
 
+  public boolean equalYaml(Tld tldToCompare) {
+    if (this.equals(tldToCompare)) {
+      return true;
+    }
+    ObjectMapper mapper = createObjectMapper();
+    try {
+      String thisYaml = mapper.writeValueAsString(this);
+      String otherYaml = mapper.writeValueAsString(tldToCompare);
+      return thisYaml.equals(otherYaml);
+    } catch (JsonProcessingException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
   /** The type of TLD, which determines things like backups and escrow policy. */
   public enum TldType {
     /**
@@ -214,7 +233,8 @@ public class Tld extends ImmutableObject implements Buildable, UnsafeSerializabl
               new CacheLoader<String, Tld>() {
                 @Override
                 public Tld load(final String tld) {
-                  return tm().transact(() -> tm().loadByKeyIfPresent(createVKey(tld))).orElse(null);
+                  return tm().reTransact(() -> tm().loadByKeyIfPresent(createVKey(tld)))
+                      .orElse(null);
                 }
 
                 @Override
@@ -222,7 +242,7 @@ public class Tld extends ImmutableObject implements Buildable, UnsafeSerializabl
                   ImmutableMap<String, VKey<Tld>> keysMap =
                       toMap(ImmutableSet.copyOf(tlds), Tld::createVKey);
                   Map<VKey<? extends Tld>, Tld> entities =
-                      tm().transact(() -> tm().loadByKeysIfPresent(keysMap.values()));
+                      tm().reTransact(() -> tm().loadByKeysIfPresent(keysMap.values()));
                   return Maps.transformEntries(keysMap, (k, v) -> entities.getOrDefault(v, null));
                 }
               });
@@ -255,6 +275,7 @@ public class Tld extends ImmutableObject implements Buildable, UnsafeSerializabl
    * <p>All entries of this list must be valid keys for the map of {@code DnsWriter}s injected by
    * {@code @Inject Map<String, DnsWriter>}
    */
+  @JsonSerialize(using = SortedSetSerializer.class)
   @Column(nullable = false)
   Set<String> dnsWriters;
 
@@ -354,6 +375,7 @@ public class Tld extends ImmutableObject implements Buildable, UnsafeSerializabl
   CreateAutoTimestamp creationTime = CreateAutoTimestamp.create(null);
 
   /** The set of reserved list names that are applicable to this tld. */
+  @JsonSerialize(using = SortedSetSerializer.class)
   @Column(name = "reserved_list_names")
   Set<String> reservedListNames;
 
@@ -493,10 +515,14 @@ public class Tld extends ImmutableObject implements Buildable, UnsafeSerializabl
   DateTime claimsPeriodEnd = END_OF_TIME;
 
   /** An allowlist of clients allowed to be used on domains on this TLD (ignored if empty). */
-  @Nullable Set<String> allowedRegistrantContactIds;
+  @Nullable
+  @JsonSerialize(using = SortedSetSerializer.class)
+  Set<String> allowedRegistrantContactIds;
 
   /** An allowlist of hosts allowed to be used on domains on this TLD (ignored if empty). */
-  @Nullable Set<String> allowedFullyQualifiedHostNames;
+  @Nullable
+  @JsonSerialize(using = SortedSetSerializer.class)
+  Set<String> allowedFullyQualifiedHostNames;
 
   /**
    * Indicates when the TLD is being modified using locally modified files to override the source
@@ -521,6 +547,7 @@ public class Tld extends ImmutableObject implements Buildable, UnsafeSerializabl
   List<VKey<AllocationToken>> defaultPromoTokens;
 
   /** A set of allowed {@link IdnTableEnum}s for this TLD, or empty if we should use the default. */
+  @JsonSerialize(using = SortedEnumSetSerializer.class)
   Set<IdnTableEnum> idnTables;
 
   public String getTldStr() {

core/src/main/java/google/registry/model/tld/Tlds.java

@@ -56,7 +56,7 @@ public final class Tlds {
   private static Supplier<ImmutableMap<String, TldType>> createFreshCache() {
     return memoizeWithShortExpiration(
         () ->
-            tm().transact(
+            tm().reTransact(
                     () -> {
                       EntityManager entityManager = tm().getEntityManager();
                       Stream<?> resultStream =

core/src/main/java/google/registry/module/backend/BackendComponent.java

@@ -43,8 +43,6 @@ import google.registry.rde.JSchModule;
 import google.registry.request.Modules.GsonModule;
 import google.registry.request.Modules.NetHttpTransportModule;
 import google.registry.request.Modules.UrlConnectionServiceModule;
-import google.registry.request.Modules.UrlFetchServiceModule;
-import google.registry.request.Modules.UrlFetchTransportModule;
 import google.registry.request.Modules.UserServiceModule;
 import google.registry.request.auth.AuthModule;
 import google.registry.util.UtilsModule;
@@ -80,8 +78,6 @@ import javax.inject.Singleton;
       SheetsServiceModule.class,
       StackdriverModule.class,
       UrlConnectionServiceModule.class,
-      UrlFetchServiceModule.class,
-      UrlFetchTransportModule.class,
       UserServiceModule.class,
       VoidDnsWriterModule.class,
       UtilsModule.class

core/src/main/java/google/registry/persistence/VKey.java

@@ -16,6 +16,8 @@ package google.registry.persistence;
 
 import static com.google.common.collect.ImmutableMap.toImmutableMap;
 import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
+import static google.registry.util.SafeSerializationUtils.safeDeserialize;
+import static google.registry.util.SerializeUtils.decodeBase64;
 import static java.util.function.Function.identity;
 
 import com.google.common.base.Joiner;
@@ -97,7 +99,7 @@ public class VKey<T> extends ImmutableObject implements Serializable {
       throw new IllegalArgumentException(
           String.format("\"%s\" missing from the string: %s", LOOKUP_KEY, keyString));
     }
-    return VKey.create(classType, SerializeUtils.parse(Serializable.class, kvs.get(LOOKUP_KEY)));
+    return VKey.create(classType, safeDeserialize(decodeBase64(kvs.get(LOOKUP_KEY))));
   }
 
   /** Returns the type of the entity. */

core/src/main/java/google/registry/rdap/UpdateRegistrarRdapBaseUrlsAction.java

@@ -14,22 +14,26 @@
 
 package google.registry.rdap;
 
+import static com.google.api.client.http.HttpStatusCodes.STATUS_CODE_OK;
+import static com.google.common.net.HttpHeaders.ACCEPT_ENCODING;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static java.nio.charset.StandardCharsets.UTF_8;
 
-import com.google.api.client.http.GenericUrl;
-import com.google.api.client.http.HttpRequest;
-import com.google.api.client.http.HttpResponse;
-import com.google.api.client.http.HttpTransport;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.flogger.FluentLogger;
-import com.google.common.io.ByteStreams;
 import google.registry.model.registrar.Registrar;
 import google.registry.request.Action;
+import google.registry.request.HttpException.InternalServerErrorException;
+import google.registry.request.UrlConnectionService;
+import google.registry.request.UrlConnectionUtils;
 import google.registry.request.auth.Auth;
+import google.registry.util.UrlConnectionException;
 import java.io.IOException;
 import java.io.StringReader;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import java.security.GeneralSecurityException;
 import javax.inject.Inject;
 import org.apache.commons.csv.CSVFormat;
 import org.apache.commons.csv.CSVParser;
@@ -41,9 +45,9 @@ import org.apache.commons.csv.CSVRecord;
  * <p>This will update ALL the REAL registrars. If a REAL registrar doesn't have an RDAP entry in
  * MoSAPI, we'll delete any BaseUrls it has.
  *
- * <p>The ICANN base website that provides this information can be found at
- * https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml. The provided CSV endpoint
- * requires no authentication.
+ * <p>The ICANN base website that provides this information can be found at <a
+ * href=https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml>here</a>. The provided
+ * CSV endpoint requires no authentication.
  */
 @Action(
     service = Action.Service.BACKEND,
@@ -52,22 +56,26 @@ import org.apache.commons.csv.CSVRecord;
     auth = Auth.AUTH_API_ADMIN)
 public final class UpdateRegistrarRdapBaseUrlsAction implements Runnable {
 
-  private static final GenericUrl RDAP_IDS_URL =
-      new GenericUrl("https://www.iana.org/assignments/registrar-ids/registrar-ids-1.csv");
+  private static final String RDAP_IDS_URL =
+      "https://www.iana.org/assignments/registrar-ids/registrar-ids-1.csv";
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
 
-  @Inject HttpTransport httpTransport;
+  @Inject UrlConnectionService urlConnectionService;
 
   @Inject
   UpdateRegistrarRdapBaseUrlsAction() {}
 
   @Override
   public void run() {
-    ImmutableMap<String, String> ianaIdsToUrls = getIanaIdsToUrls();
-    tm().transact(() -> processAllRegistrars(ianaIdsToUrls));
+    try {
+      ImmutableMap<String, String> ianaIdsToUrls = getIanaIdsToUrls();
+      tm().transact(() -> processAllRegistrars(ianaIdsToUrls));
+    } catch (Exception e) {
+      throw new InternalServerErrorException("Error when retrieving RDAP base URL CSV file", e);
+    }
   }
 
-  private void processAllRegistrars(ImmutableMap<String, String> ianaIdsToUrls) {
+  private static void processAllRegistrars(ImmutableMap<String, String> ianaIdsToUrls) {
     int nonUpdatedRegistrars = 0;
     for (Registrar registrar : Registrar.loadAll()) {
       // Only update REAL registrars
@@ -95,23 +103,28 @@ public final class UpdateRegistrarRdapBaseUrlsAction implements Runnable {
     logger.atInfo().log("No change in RDAP base URLs for %d registrars", nonUpdatedRegistrars);
   }
 
-  private ImmutableMap<String, String> getIanaIdsToUrls() {
+  private ImmutableMap<String, String> getIanaIdsToUrls()
+      throws IOException, GeneralSecurityException {
     CSVParser csv;
+    HttpURLConnection connection = urlConnectionService.createConnection(new URL(RDAP_IDS_URL));
+    // Explictly set the accepted encoding, as we know Brotli causes us problems when talking to
+    // ICANN.
+    connection.setRequestProperty(ACCEPT_ENCODING, "gzip");
+    String csvString;
     try {
-      HttpRequest request = httpTransport.createRequestFactory().buildGetRequest(RDAP_IDS_URL);
-      // AppEngine might insert accept-encodings for us if we use the default gzip, so remove it
-      request.getHeaders().setAcceptEncoding(null);
-      HttpResponse response = request.execute();
-      String csvString = new String(ByteStreams.toByteArray(response.getContent()), UTF_8);
-      csv =
-          CSVFormat.Builder.create(CSVFormat.DEFAULT)
-              .setHeader()
-              .setSkipHeaderRecord(true)
-              .build()
-              .parse(new StringReader(csvString));
-    } catch (IOException e) {
-      throw new RuntimeException("Error when retrieving RDAP base URL CSV file", e);
+      if (connection.getResponseCode() != STATUS_CODE_OK) {
+        throw new UrlConnectionException("Failed to load RDAP base URLs from ICANN", connection);
+      }
+      csvString = new String(UrlConnectionUtils.getResponseBytes(connection), UTF_8);
+    } finally {
+      connection.disconnect();
     }
+    csv =
+        CSVFormat.Builder.create(CSVFormat.DEFAULT)
+            .setHeader()
+            .setSkipHeaderRecord(true)
+            .build()
+            .parse(new StringReader(csvString));
     ImmutableMap.Builder<String, String> result = new ImmutableMap.Builder<>();
     for (CSVRecord record : csv) {
       String ianaIdentifierString = record.get("ID");

core/src/main/java/google/registry/rde/PendingDeposit.java

@@ -14,18 +14,23 @@
 
 package google.registry.rde;
 
+import static com.google.common.base.Preconditions.checkState;
+
 import com.google.auto.value.AutoValue;
 import google.registry.model.common.Cursor.CursorType;
 import google.registry.model.rde.RdeMode;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.io.ObjectStreamException;
 import java.io.OutputStream;
 import java.io.Serializable;
+import java.util.Optional;
 import javax.annotation.Nullable;
 import org.apache.beam.sdk.coders.AtomicCoder;
 import org.apache.beam.sdk.coders.BooleanCoder;
 import org.apache.beam.sdk.coders.NullableCoder;
-import org.apache.beam.sdk.coders.SerializableCoder;
 import org.apache.beam.sdk.coders.StringUtf8Coder;
 import org.apache.beam.sdk.coders.VarIntCoder;
 import org.joda.time.DateTime;
@@ -35,6 +40,12 @@ import org.joda.time.Duration;
  * Container representing a single RDE or BRDA XML escrow deposit that needs to be created.
  *
  * <p>There are some {@code @Nullable} fields here because Optionals aren't Serializable.
+ *
+ * <p>Note that this class is serialized in two ways: by Beam pipelines using custom serialization
+ * mechanism and the {@code Coder} API, and by Java serialization when passed as command-line
+ * arguments (see {@code RdePipeline#decodePendingDeposits}). The latter requires safe
+ * deserialization because the data crosses credential boundaries (See {@code
+ * SafeObjectInputStream}).
  */
 @AutoValue
 public abstract class PendingDeposit implements Serializable {
@@ -95,11 +106,61 @@ public abstract class PendingDeposit implements Serializable {
 
   PendingDeposit() {}
 
+  /**
+   * Specifies that {@link SerializedForm} be used for {@code SafeObjectInputStream}-compatible
+   * custom-serialization of {@link AutoValue_PendingDeposit the AutoValue implementation class}.
+   *
+   * <p>This method is package-protected so that the AutoValue implementation class inherits this
+   * behavior.
+   *
+   * <p>This method leverages {@link PendingDepositCoder} to serializes an instance. However, it is
+   * not invoked in Beam pipelines.
+   */
+  Object writeReplace() throws ObjectStreamException {
+    return new SerializedForm(this);
+  }
+
+  /**
+   * Proxy for custom-serialization of {@link PendingDeposit}. This is necessary because the actual
+   * class to be (de)serialized is the generated AutoValue implementation. See also {@link
+   * #writeReplace}.
+   *
+   * <p>This class leverages {@link PendingDepositCoder} to safely deserializes an instance.
+   * However, it is not used in Beam pipelines.
+   */
+  private static class SerializedForm implements Serializable {
+
+    private static final long serialVersionUID = 3141095605225904433L;
+
+    private PendingDeposit value;
+
+    private SerializedForm(PendingDeposit value) {
+      this.value = value;
+    }
+
+    private void writeObject(ObjectOutputStream os) throws IOException {
+      checkState(value != null, "Non-null value expected for serialization.");
+      PendingDepositCoder.INSTANCE.encode(value, os);
+    }
+
+    private void readObject(ObjectInputStream is) throws IOException, ClassNotFoundException {
+      checkState(value == null, "Non-null value unexpected for deserialization.");
+      this.value = PendingDepositCoder.INSTANCE.decode(is);
+    }
+
+    @SuppressWarnings("unused")
+    private Object readResolve() throws ObjectStreamException {
+      return this.value;
+    }
+  }
+
   /**
    * A deterministic coder for {@link PendingDeposit} used during a GroupBy transform.
    *
-   * <p>We cannot use a {@link SerializableCoder} directly because it does not guarantee
-   * determinism, which is required by GroupBy.
+   * <p>We cannot use a {@code SerializableCoder} directly for two reasons: the default
+   * serialization does not guarantee determinism, which is required by GroupBy in Beam; and the
+   * default deserialization is not robust against deserialization-based attacks (See {@code
+   * SafeObjectInputStream} for more information).
    */
   public static class PendingDepositCoder extends AtomicCoder<PendingDeposit> {
 
@@ -117,10 +178,15 @@ public abstract class PendingDeposit implements Serializable {
     public void encode(PendingDeposit value, OutputStream outStream) throws IOException {
       BooleanCoder.of().encode(value.manual(), outStream);
       StringUtf8Coder.of().encode(value.tld(), outStream);
-      SerializableCoder.of(DateTime.class).encode(value.watermark(), outStream);
-      SerializableCoder.of(RdeMode.class).encode(value.mode(), outStream);
-      NullableCoder.of(SerializableCoder.of(CursorType.class)).encode(value.cursor(), outStream);
-      NullableCoder.of(SerializableCoder.of(Duration.class)).encode(value.interval(), outStream);
+      StringUtf8Coder.of().encode(value.watermark().toString(), outStream);
+      StringUtf8Coder.of().encode(value.mode().name(), outStream);
+      NullableCoder.of(StringUtf8Coder.of())
+          .encode(
+              Optional.ofNullable(value.cursor()).map(CursorType::name).orElse(null), outStream);
+      NullableCoder.of(StringUtf8Coder.of())
+          .encode(
+              Optional.ofNullable(value.interval()).map(Duration::toString).orElse(null),
+              outStream);
       NullableCoder.of(StringUtf8Coder.of()).encode(value.directoryWithTrailingSlash(), outStream);
       NullableCoder.of(VarIntCoder.of()).encode(value.revision(), outStream);
     }
@@ -130,10 +196,14 @@ public abstract class PendingDeposit implements Serializable {
       return new AutoValue_PendingDeposit(
           BooleanCoder.of().decode(inStream),
           StringUtf8Coder.of().decode(inStream),
-          SerializableCoder.of(DateTime.class).decode(inStream),
-          SerializableCoder.of(RdeMode.class).decode(inStream),
-          NullableCoder.of(SerializableCoder.of(CursorType.class)).decode(inStream),
-          NullableCoder.of(SerializableCoder.of(Duration.class)).decode(inStream),
+          DateTime.parse(StringUtf8Coder.of().decode(inStream)),
+          RdeMode.valueOf(StringUtf8Coder.of().decode(inStream)),
+          Optional.ofNullable(NullableCoder.of(StringUtf8Coder.of()).decode(inStream))
+              .map(CursorType::valueOf)
+              .orElse(null),
+          Optional.ofNullable(NullableCoder.of(StringUtf8Coder.of()).decode(inStream))
+              .map(Duration::parse)
+              .orElse(null),
           NullableCoder.of(StringUtf8Coder.of()).decode(inStream),
           NullableCoder.of(VarIntCoder.of()).decode(inStream));
     }

core/src/main/java/google/registry/rde/RdeReporter.java

@@ -14,25 +14,23 @@
 
 package google.registry.rde;
 
-import static com.google.appengine.api.urlfetch.FetchOptions.Builder.validateCertificate;
-import static com.google.appengine.api.urlfetch.HTTPMethod.PUT;
-import static com.google.common.io.BaseEncoding.base64;
-import static com.google.common.net.HttpHeaders.AUTHORIZATION;
-import static com.google.common.net.HttpHeaders.CONTENT_TYPE;
+import static com.google.api.client.http.HttpStatusCodes.STATUS_CODE_BAD_REQUEST;
+import static com.google.api.client.http.HttpStatusCodes.STATUS_CODE_OK;
+import static google.registry.request.UrlConnectionUtils.getResponseBytes;
+import static google.registry.request.UrlConnectionUtils.setBasicAuth;
+import static google.registry.request.UrlConnectionUtils.setPayload;
 import static google.registry.util.DomainNameUtils.canonicalizeHostname;
 import static java.nio.charset.StandardCharsets.UTF_8;
-import static javax.servlet.http.HttpServletResponse.SC_BAD_REQUEST;
-import static javax.servlet.http.HttpServletResponse.SC_OK;
 
-import com.google.appengine.api.urlfetch.HTTPHeader;
-import com.google.appengine.api.urlfetch.HTTPRequest;
+import com.google.api.client.http.HttpMethods;
 import com.google.appengine.api.urlfetch.HTTPResponse;
-import com.google.appengine.api.urlfetch.URLFetchService;
 import com.google.common.flogger.FluentLogger;
+import com.google.common.net.MediaType;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.keyring.api.KeyModule.Key;
 import google.registry.request.HttpException.InternalServerErrorException;
-import google.registry.util.Retrier;
+import google.registry.request.UrlConnectionService;
+import google.registry.util.UrlConnectionException;
 import google.registry.xjc.XjcXmlTransformer;
 import google.registry.xjc.iirdea.XjcIirdeaResponseElement;
 import google.registry.xjc.iirdea.XjcIirdeaResult;
@@ -40,10 +38,11 @@ import google.registry.xjc.rdeheader.XjcRdeHeader;
 import google.registry.xjc.rdereport.XjcRdeReportReport;
 import google.registry.xml.XmlException;
 import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.net.HttpURLConnection;
 import java.net.MalformedURLException;
-import java.net.SocketTimeoutException;
 import java.net.URL;
-import java.util.Arrays;
+import java.security.GeneralSecurityException;
 import javax.inject.Inject;
 
 /**
@@ -59,49 +58,47 @@ public class RdeReporter {
    * @see <a href="http://tools.ietf.org/html/draft-lozano-icann-registry-interfaces-05#section-4">
    *     ICANN Registry Interfaces - Interface details</a>
    */
-  private static final String REPORT_MIME = "text/xml";
+  private static final MediaType MEDIA_TYPE = MediaType.XML_UTF_8;
 
-  @Inject Retrier retrier;
-  @Inject URLFetchService urlFetchService;
+  @Inject UrlConnectionService urlConnectionService;
 
   @Inject @Config("rdeReportUrlPrefix") String reportUrlPrefix;
   @Inject @Key("icannReportingPassword") String password;
   @Inject RdeReporter() {}
 
   /** Uploads {@code reportBytes} to ICANN. */
-  public void send(byte[] reportBytes) throws XmlException {
-    XjcRdeReportReport report = XjcXmlTransformer.unmarshal(
-        XjcRdeReportReport.class, new ByteArrayInputStream(reportBytes));
+  public void send(byte[] reportBytes) throws XmlException, GeneralSecurityException, IOException {
+    XjcRdeReportReport report =
+        XjcXmlTransformer.unmarshal(
+            XjcRdeReportReport.class, new ByteArrayInputStream(reportBytes));
     XjcRdeHeader header = report.getHeader().getValue();
 
     // Send a PUT request to ICANN's HTTPS server.
     URL url = makeReportUrl(header.getTld(), report.getId());
     String username = header.getTld() + "_ry";
-    String token = base64().encode(String.format("%s:%s", username, password).getBytes(UTF_8));
-    final HTTPRequest req = new HTTPRequest(url, PUT, validateCertificate().setDeadline(60d));
-    req.addHeader(new HTTPHeader(CONTENT_TYPE, REPORT_MIME));
-    req.addHeader(new HTTPHeader(AUTHORIZATION, "Basic " + token));
-    req.setPayload(reportBytes);
     logger.atInfo().log("Sending report:\n%s", new String(reportBytes, UTF_8));
-    HTTPResponse rsp =
-        retrier.callWithRetry(
-            () -> {
-              HTTPResponse rsp1 = urlFetchService.fetch(req);
-              int responseCode = rsp1.getResponseCode();
-              if (responseCode != SC_OK && responseCode != SC_BAD_REQUEST) {
-                logger.atSevere().log(
-                    "Failure when trying to PUT RDE report to ICANN server: %d\n%s",
-                    responseCode, Arrays.toString(rsp1.getContent()));
-                throw new RuntimeException("Error uploading deposits to ICANN");
-              }
-              return rsp1;
-            },
-            SocketTimeoutException.class);
+    HttpURLConnection connection = urlConnectionService.createConnection(url);
+    connection.setRequestMethod(HttpMethods.PUT);
+    setBasicAuth(connection, username, password);
+    setPayload(connection, reportBytes, MEDIA_TYPE.toString());
+    int responseCode;
+    byte[] responseBytes;
 
-    // Ensure the XML response is valid. The EPP result code would not be 1000 if we get an
-    // SC_BAD_REQUEST as the HTTP response code.
-    XjcIirdeaResult result = parseResult(rsp.getContent());
-    if (result.getCode().getValue() != 1000) {
+    try {
+      responseCode = connection.getResponseCode();
+      if (responseCode != STATUS_CODE_OK && responseCode != STATUS_CODE_BAD_REQUEST) {
+        logger.atWarning().log("Connection to RDE report server failed: %d", responseCode);
+        throw new UrlConnectionException("PUT failed", connection);
+      }
+      responseBytes = getResponseBytes(connection);
+    } finally {
+      connection.disconnect();
+    }
+
+    // We know that an HTTP 200 response can only contain a result code of
+    // 1000 (i. e. success), there is no need to parse it.
+    if (responseCode != STATUS_CODE_OK) {
+      XjcIirdeaResult result = parseResult(responseBytes);
       logger.atWarning().log(
           "Rejected when trying to PUT RDE report to ICANN server: %d %s\n%s",
           result.getCode().getValue(), result.getMsg(), result.getDescription());
@@ -116,10 +113,11 @@ public class RdeReporter {
    *     href="http://tools.ietf.org/html/draft-lozano-icann-registry-interfaces-05#section-4.1">
    *     ICANN Registry Interfaces - IIRDEA Result Object</a>
    */
-  private XjcIirdeaResult parseResult(byte[] responseBytes) throws XmlException {
+  private static XjcIirdeaResult parseResult(byte[] responseBytes) throws XmlException {
     logger.atInfo().log("Received response:\n%s", new String(responseBytes, UTF_8));
-    XjcIirdeaResponseElement response = XjcXmlTransformer.unmarshal(
-        XjcIirdeaResponseElement.class, new ByteArrayInputStream(responseBytes));
+    XjcIirdeaResponseElement response =
+        XjcXmlTransformer.unmarshal(
+            XjcIirdeaResponseElement.class, new ByteArrayInputStream(responseBytes));
     return response.getResult();
   }
 

core/src/main/java/google/registry/reporting/billing/BillingEmailUtils.java

@@ -53,7 +53,7 @@ public class BillingEmailUtils {
       GmailClient gmailClient,
       YearMonth yearMonth,
       @Config("gSuiteOutgoingEmailAddress") InternetAddress outgoingEmailAddress,
-      @Config("alertRecipientEmailAddress") InternetAddress alertRecipientAddress,
+      @Config("newAlertRecipientEmailAddress") InternetAddress alertRecipientAddress,
       @Config("invoiceEmailRecipients") ImmutableList<InternetAddress> invoiceEmailRecipients,
       @Config("invoiceReplyToEmailAddress") Optional<InternetAddress> replyToEmailAddress,
       @Config("billingBucket") String billingBucket,

core/src/main/java/google/registry/reporting/icann/IcannHttpReporter.java

@@ -14,33 +14,31 @@
 
 package google.registry.reporting.icann;
 
+import static com.google.api.client.http.HttpStatusCodes.STATUS_CODE_BAD_REQUEST;
+import static com.google.api.client.http.HttpStatusCodes.STATUS_CODE_OK;
 import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.net.MediaType.CSV_UTF_8;
 import static google.registry.model.tld.Tlds.assertTldExists;
-import static java.nio.charset.StandardCharsets.UTF_8;
 
-import com.google.api.client.http.ByteArrayContent;
-import com.google.api.client.http.GenericUrl;
-import com.google.api.client.http.HttpHeaders;
-import com.google.api.client.http.HttpRequest;
-import com.google.api.client.http.HttpResponse;
-import com.google.api.client.http.HttpResponseException;
-import com.google.api.client.http.HttpStatusCodes;
-import com.google.api.client.http.HttpTransport;
+import com.google.api.client.http.HttpMethods;
 import com.google.common.base.Ascii;
 import com.google.common.base.Splitter;
 import com.google.common.flogger.FluentLogger;
-import com.google.common.io.BaseEncoding;
-import com.google.common.io.ByteStreams;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.keyring.api.KeyModule.Key;
 import google.registry.reporting.icann.IcannReportingModule.ReportType;
+import google.registry.request.UrlConnectionService;
+import google.registry.request.UrlConnectionUtils;
 import google.registry.xjc.XjcXmlTransformer;
 import google.registry.xjc.iirdea.XjcIirdeaResponseElement;
 import google.registry.xjc.iirdea.XjcIirdeaResult;
 import google.registry.xml.XmlException;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.security.GeneralSecurityException;
 import java.util.List;
 import javax.inject.Inject;
 import org.joda.time.YearMonth;
@@ -62,78 +60,64 @@ public class IcannHttpReporter {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
 
-  @Inject HttpTransport httpTransport;
-  @Inject @Key("icannReportingPassword") String password;
-  @Inject @Config("icannTransactionsReportingUploadUrl") String icannTransactionsUrl;
-  @Inject @Config("icannActivityReportingUploadUrl") String icannActivityUrl;
-  @Inject IcannHttpReporter() {}
+  @Inject UrlConnectionService urlConnectionService;
+
+  @Inject
+  @Key("icannReportingPassword")
+  String password;
+
+  @Inject
+  @Config("icannTransactionsReportingUploadUrl")
+  String icannTransactionsUrl;
+
+  @Inject
+  @Config("icannActivityReportingUploadUrl")
+  String icannActivityUrl;
+
+  @Inject
+  IcannHttpReporter() {}
 
   /** Uploads {@code reportBytes} to ICANN, returning whether or not it succeeded. */
-  public boolean send(byte[] reportBytes, String reportFilename) throws XmlException, IOException {
+  public boolean send(byte[] reportBytes, String reportFilename)
+      throws GeneralSecurityException, XmlException, IOException {
     validateReportFilename(reportFilename);
-    GenericUrl uploadUrl = new GenericUrl(makeUrl(reportFilename));
-    HttpRequest request =
-        httpTransport
-            .createRequestFactory()
-            .buildPutRequest(uploadUrl, new ByteArrayContent(CSV_UTF_8.toString(), reportBytes));
-
-    HttpHeaders headers = request.getHeaders();
-    headers.setBasicAuthentication(getTld(reportFilename) + "_ry", password);
-    headers.setContentType(CSV_UTF_8.toString());
-    request.setHeaders(headers);
-    request.setFollowRedirects(false);
-    request.setThrowExceptionOnExecuteError(false);
-
-    HttpResponse response = null;
+    URL uploadUrl = makeUrl(reportFilename);
     logger.atInfo().log(
-        "Sending report to %s with content length %d.",
-        uploadUrl, request.getContent().getLength());
-    boolean success = true;
+        "Sending report to %s with content length %d.", uploadUrl, reportBytes.length);
+    HttpURLConnection connection = urlConnectionService.createConnection(uploadUrl);
+    connection.setRequestMethod(HttpMethods.PUT);
+    UrlConnectionUtils.setBasicAuth(connection, getTld(reportFilename) + "_ry", password);
+    UrlConnectionUtils.setPayload(connection, reportBytes, CSV_UTF_8.toString());
+    connection.setInstanceFollowRedirects(false);
+
+    int responseCode;
+    byte[] content;
     try {
-      response = request.execute();
-      // Only responses with a 200 or 400 status have a body. For everything else, throw so that
-      // the caller catches it and prints the stack trace.
-      if (response.getStatusCode() != HttpStatusCodes.STATUS_CODE_OK
-          && response.getStatusCode() != HttpStatusCodes.STATUS_CODE_BAD_REQUEST) {
-        throw new HttpResponseException(response);
-      }
-      byte[] content;
-      try {
-        content = ByteStreams.toByteArray(response.getContent());
-      } finally {
-        response.getContent().close();
-      }
-      logger.atInfo().log(
-          "Received response code %d\n\n"
-              + "Response headers: %s\n\n"
-              + "Response content in UTF-8: %s\n\n"
-              + "Response content in HEX: %s",
-          response.getStatusCode(),
-          response.getHeaders(),
-          new String(content, UTF_8),
-          BaseEncoding.base16().encode(content));
-      // For reasons unclear at the moment, when we parse the response content using UTF-8 we get
-      // garbled texts. Since we know that an HTTP 200 response can only contain a result code of
-      // 1000 (i. e. success), there is no need to parse it.
-      if (response.getStatusCode() == HttpStatusCodes.STATUS_CODE_BAD_REQUEST) {
-        success = false;
-        XjcIirdeaResult result = parseResult(content);
-        logger.atWarning().log(
-            "PUT rejected, status code %s:\n%s\n%s",
-            result.getCode().getValue(), result.getMsg(), result.getDescription());
+      responseCode = connection.getResponseCode();
+      // Only responses with a 200 or 400 status have a body. For everything else, we can return
+      // false early.
+      if (responseCode != STATUS_CODE_OK && responseCode != STATUS_CODE_BAD_REQUEST) {
+        logger.atWarning().log("Connection to ICANN server failed", connection);
+        return false;
       }
+      content = UrlConnectionUtils.getResponseBytes(connection);
     } finally {
-      if (response != null) {
-        response.disconnect();
-      } else {
-        success = false;
-        logger.atWarning().log("Received null response from ICANN server at %s", uploadUrl);
-      }
+      connection.disconnect();
     }
-    return success;
+    // We know that an HTTP 200 response can only contain a result code of
+    // 1000 (i. e. success), there is no need to parse it.
+    // See: https://tools.ietf.org/html/draft-lozano-icann-registry-interfaces-13#page-16
+    if (responseCode != STATUS_CODE_OK) {
+      XjcIirdeaResult result = parseResult(content);
+      logger.atWarning().log(
+          "PUT rejected, status code %s:\n%s\n%s",
+          result.getCode().getValue(), result.getMsg(), result.getDescription());
+      return false;
+    }
+    return true;
   }
 
-  private XjcIirdeaResult parseResult(byte[] content) throws XmlException {
+  private static XjcIirdeaResult parseResult(byte[] content) throws XmlException {
     XjcIirdeaResponseElement response =
         XjcXmlTransformer.unmarshal(
             XjcIirdeaResponseElement.class, new ByteArrayInputStream(content));
@@ -141,7 +125,7 @@ public class IcannHttpReporter {
   }
 
   /** Verifies a given report filename matches the pattern tld-reportType-yyyyMM.csv. */
-  private void validateReportFilename(String filename) {
+  private static void validateReportFilename(String filename) {
     checkArgument(
         filename.matches("[a-z0-9.\\-]+-((activity)|(transactions))-[0-9]{6}\\.csv"),
         "Expected file format: tld-reportType-yyyyMM.csv, got %s instead",
@@ -149,12 +133,12 @@ public class IcannHttpReporter {
     assertTldExists(getTld(filename));
   }
 
-  private String getTld(String filename) {
+  private static String getTld(String filename) {
     // Extract the TLD, up to second-to-last hyphen in the filename (works with international TLDs)
     return filename.substring(0, filename.lastIndexOf('-', filename.lastIndexOf('-') - 1));
   }
 
-  private String makeUrl(String filename) {
+  private URL makeUrl(String filename) throws MalformedURLException {
     // Filename is in the format tld-reportType-yearMonth.csv
     String tld = getTld(filename);
     // Remove the tld- prefix and csv suffix
@@ -164,7 +148,7 @@ public class IcannHttpReporter {
     // Re-add hyphen between year and month, because ICANN is inconsistent between filename and URL
     String yearMonth =
         YearMonth.parse(elements.get(1), DateTimeFormat.forPattern("yyyyMM")).toString("yyyy-MM");
-    return String.format("%s/%s/%s", getUrlPrefix(reportType), tld, yearMonth);
+    return new URL(String.format("%s/%s/%s", getUrlPrefix(reportType), tld, yearMonth));
   }
 
   private String getUrlPrefix(ReportType reportType) {

core/src/main/java/google/registry/reporting/spec11/Spec11EmailUtils.java

@@ -37,11 +37,13 @@ import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarPoc;
 import google.registry.reporting.spec11.soy.Spec11EmailSoyInfo;
 import google.registry.util.EmailMessage;
+import google.registry.util.Sleeper;
 import java.util.List;
 import java.util.Map;
 import javax.inject.Inject;
 import javax.mail.MessagingException;
 import javax.mail.internet.InternetAddress;
+import org.joda.time.Duration;
 import org.joda.time.LocalDate;
 
 /** Provides e-mail functionality for Spec11 tasks, such as sending Spec11 reports to registrars. */
@@ -57,6 +59,8 @@ public class Spec11EmailUtils {
           .build()
           .compileToTofu();
   private final GmailClient gmailClient;
+  private final Sleeper sleeper;
+  private final Duration emailThrottleDuration;
   private final InternetAddress outgoingEmailAddress;
   private final ImmutableList<InternetAddress> spec11BccEmailAddresses;
   private final InternetAddress alertRecipientAddress;
@@ -66,12 +70,16 @@ public class Spec11EmailUtils {
   @Inject
   Spec11EmailUtils(
       GmailClient gmailClient,
+      Sleeper sleeper,
+      @Config("emailThrottleDuration") Duration emailThrottleDuration,
       @Config("newAlertRecipientEmailAddress") InternetAddress alertRecipientAddress,
       @Config("spec11OutgoingEmailAddress") InternetAddress spec11OutgoingEmailAddress,
       @Config("spec11BccEmailAddresses") ImmutableList<InternetAddress> spec11BccEmailAddresses,
       @Config("spec11WebResources") ImmutableList<String> spec11WebResources,
       @Config("registryName") String registryName) {
     this.gmailClient = gmailClient;
+    this.sleeper = sleeper;
+    this.emailThrottleDuration = emailThrottleDuration;
     this.outgoingEmailAddress = spec11OutgoingEmailAddress;
     this.spec11BccEmailAddresses = spec11BccEmailAddresses;
     this.alertRecipientAddress = alertRecipientAddress;
@@ -94,6 +102,13 @@ public class Spec11EmailUtils {
     for (RegistrarThreatMatches registrarThreatMatches : registrarThreatMatchesSet) {
       RegistrarThreatMatches filteredMatches = filterOutNonPublishedMatches(registrarThreatMatches);
       if (!filteredMatches.threatMatches().isEmpty()) {
+        if (numRegistrarsEmailed > 0) {
+          try {
+            sleeper.sleep(emailThrottleDuration);
+          } catch (InterruptedException ie) {
+            throw new RuntimeException(ie);
+          }
+        }
         try {
           // Handle exceptions individually per registrar so that one failed email doesn't prevent
           // the rest from being sent.
@@ -156,7 +171,7 @@ public class Spec11EmailUtils {
     gmailClient.sendEmail(
         EmailMessage.newBuilder()
             .setSubject(subject)
-            .setBody(getContent(date, soyTemplateInfo, registrarThreatMatches))
+            .setBody(getEmailBody(date, soyTemplateInfo, registrarThreatMatches))
             .setContentType(MediaType.HTML_UTF_8)
             .setFrom(outgoingEmailAddress)
             .addRecipient(getEmailAddressForRegistrar(registrarThreatMatches.clientId()))
@@ -164,7 +179,7 @@ public class Spec11EmailUtils {
             .build());
   }
 
-  private String getContent(
+  private String getEmailBody(
       LocalDate date,
       SoyTemplateInfo soyTemplateInfo,
       RegistrarThreatMatches registrarThreatMatches) {
@@ -175,7 +190,7 @@ public class Spec11EmailUtils {
             .map(
                 threatMatch ->
                     ImmutableMap.of(
-                        "domainName", threatMatch.domainName(),
+                        "domainName", toEmailSafeString(threatMatch.domainName()),
                         "threatType", threatMatch.threatType()))
             .collect(toImmutableList());
 
@@ -190,6 +205,12 @@ public class Spec11EmailUtils {
     return renderer.render();
   }
 
+  // Mutates a known bad domain to pass spam checks by Email sender and clients, as suggested by
+  // the Gmail abuse-detection team.
+  private String toEmailSafeString(String knownUnsafeDomain) {
+    return knownUnsafeDomain.replace(".", "[.]");
+  }
+
   /** Sends an e-mail indicating the state of the spec11 pipeline, with a given subject and body. */
   void sendAlertEmail(String subject, String body) {
     try {

core/src/main/java/google/registry/request/Modules.java

@@ -14,20 +14,18 @@
 
 package google.registry.request;
 
-import com.google.api.client.extensions.appengine.http.UrlFetchTransport;
 import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
-import com.google.api.client.http.HttpTransport;
 import com.google.api.client.http.javanet.NetHttpTransport;
 import com.google.api.client.json.JsonFactory;
 import com.google.api.client.json.gson.GsonFactory;
-import com.google.appengine.api.urlfetch.URLFetchService;
-import com.google.appengine.api.urlfetch.URLFetchServiceFactory;
 import com.google.appengine.api.users.UserService;
 import com.google.appengine.api.users.UserServiceFactory;
 import dagger.Module;
 import dagger.Provides;
 import java.net.HttpURLConnection;
 import javax.inject.Singleton;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
 
 /** Dagger modules for App Engine services and other vendor classes. */
 public final class Modules {
@@ -37,18 +35,16 @@ public final class Modules {
   public static final class UrlConnectionServiceModule {
     @Provides
     static UrlConnectionService provideUrlConnectionService() {
-      return url -> (HttpURLConnection) url.openConnection();
-    }
-  }
-
-  /** Dagger module for {@link URLFetchService}. */
-  @Module
-  public static final class UrlFetchServiceModule {
-    private static final URLFetchService fetchService = URLFetchServiceFactory.getURLFetchService();
-
-    @Provides
-    static URLFetchService provideUrlFetchService() {
-      return fetchService;
+      return url -> {
+        HttpURLConnection connection = (HttpURLConnection) url.openConnection();
+        if (connection instanceof HttpsURLConnection) {
+          HttpsURLConnection httpsConnection = (HttpsURLConnection) connection;
+          SSLContext tls13Context = SSLContext.getInstance("TLSv1.3");
+          tls13Context.init(null, null, null);
+          httpsConnection.setSSLSocketFactory(tls13Context.getSocketFactory());
+        }
+        return connection;
+      };
     }
   }
 
@@ -72,17 +68,6 @@ public final class Modules {
     }
   }
 
-  /** Dagger module that causes the App Engine's URL fetcher to be used for Google APIs requests. */
-  @Module
-  public static final class UrlFetchTransportModule {
-    private static final UrlFetchTransport HTTP_TRANSPORT = new UrlFetchTransport();
-
-    @Provides
-    static HttpTransport provideHttpTransport() {
-      return HTTP_TRANSPORT;
-    }
-  }
-
   /**
    * Dagger module that provides standard {@link NetHttpTransport}. Used in non App Engine
    * environment.

core/src/main/java/google/registry/request/RequestHandler.java

@@ -17,6 +17,7 @@ package google.registry.request;
 import static com.google.common.base.Preconditions.checkNotNull;
 import static com.google.common.net.MediaType.PLAIN_TEXT_UTF_8;
 import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;
+import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
 import static javax.servlet.http.HttpServletResponse.SC_METHOD_NOT_ALLOWED;
 import static javax.servlet.http.HttpServletResponse.SC_NOT_FOUND;
 
@@ -162,6 +163,10 @@ public class RequestHandler<C> {
     } catch (HttpException e) {
       e.send(rsp);
       success = false;
+    } catch (Exception e) {
+      rsp.setStatus(SC_INTERNAL_SERVER_ERROR);
+      rsp.getWriter().write("Internal server error, please try again later");
+      logger.atSevere().withCause(e).log("Encountered internal server error");
     } finally {
       requestMetrics.record(
           new Duration(startTime, clock.nowUtc()),

core/src/main/java/google/registry/request/UrlConnectionUtils.java

@@ -27,15 +27,20 @@ import com.google.common.io.ByteStreams;
 import com.google.common.net.MediaType;
 import java.io.DataOutputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.net.URLConnection;
 import java.util.Random;
 
-/** Utilities for common functionality relating to {@link java.net.URLConnection}s. */
-public class UrlConnectionUtils {
+/** Utilities for common functionality relating to {@link URLConnection}s. */
+public final class UrlConnectionUtils {
+
+  private UrlConnectionUtils() {}
 
   /** Retrieves the response from the given connection as a byte array. */
   public static byte[] getResponseBytes(URLConnection connection) throws IOException {
-    return ByteStreams.toByteArray(connection.getInputStream());
+    try (InputStream is = connection.getInputStream()) {
+      return ByteStreams.toByteArray(is);
+    }
   }
 
   /** Sets auth on the given connection with the given username/password. */

core/src/main/java/google/registry/request/auth/Auth.java

@@ -15,8 +15,6 @@
 package google.registry.request.auth;
 
 import com.google.common.collect.ImmutableList;
-import google.registry.flows.EppTlsAction;
-import google.registry.flows.TlsCredentials;
 import google.registry.request.auth.AuthSettings.AuthLevel;
 import google.registry.request.auth.AuthSettings.AuthMethod;
 import google.registry.request.auth.AuthSettings.UserPolicy;
@@ -48,30 +46,18 @@ public enum Auth {
    * Allows anyone to access, as long as they are logged in.
    *
    * <p>This is used by legacy registrar console programmatic endpoints (those that extend {@link
-   * JsonGetAction}, which are accessed via XHR requests sent from a logged-in user when performing
+   * JsonGetAction}), which are accessed via XHR requests sent from a logged-in user when performing
    * actions on the console.
    */
   AUTH_PUBLIC_LOGGED_IN(
       ImmutableList.of(AuthMethod.API, AuthMethod.LEGACY), AuthLevel.USER, UserPolicy.PUBLIC),
 
   /**
-   * Allows any client to access, as long as they are logged in via API-based authentication
-   * mechanisms.
+   * Allows only the app itself (via service accounts) or admins to access.
    *
-   * <p>This is used by the proxy to access Nomulus endpoints. The proxy service account does NOT
-   * have admin privileges. For EPP, we handle client authentication within {@link EppTlsAction},
-   * using {@link TlsCredentials}. For WHOIS, anyone connecting to the proxy can access.
-   *
-   * <p>Note that the proxy service account DOES need to be allow-listed in the {@code
-   * auth.allowedServiceAccountEmails} field in the config YAML file in order for OIDC-based
-   * authentication to pass.
-   */
-  AUTH_API_PUBLIC(ImmutableList.of(AuthMethod.API), AuthLevel.APP, UserPolicy.PUBLIC),
-
-  /**
-   * Allows only admins to access.
-   *
-   * <p>This applies to the majority of the endpoints.
+   * <p>This applies to the majority of the endpoints. For APP level authentication to work, the
+   * associated service account needs to be allowlisted in the {@code
+   * auth.allowedServiceAccountEmails} field in the config YAML file.
    */
   AUTH_API_ADMIN(ImmutableList.of(AuthMethod.API), AuthLevel.APP, UserPolicy.ADMIN);
 

core/src/main/java/google/registry/request/auth/AuthModule.java

@@ -16,8 +16,6 @@ package google.registry.request.auth;
 
 import static com.google.common.net.HttpHeaders.AUTHORIZATION;
 
-import com.google.appengine.api.oauth.OAuthService;
-import com.google.appengine.api.oauth.OAuthServiceFactory;
 import com.google.auth.oauth2.TokenVerifier;
 import com.google.common.collect.ImmutableList;
 import dagger.Module;
@@ -36,9 +34,6 @@ public class AuthModule {
   // IAP-signed JWT will be in this header.
   // See https://cloud.google.com/iap/docs/signed-headers-howto#securing_iap_headers.
   public static final String IAP_HEADER_NAME = "X-Goog-IAP-JWT-Assertion";
-  // GAE will put the content in header "proxy-authorization" in this header when it routes the
-  // request to the app.
-  public static final String PROXY_HEADER_NAME = "X-Google-Proxy-Authorization";
   public static final String BEARER_PREFIX = "Bearer ";
   // TODO: Change the IAP audience format once we are on GKE.
   // See: https://cloud.google.com/iap/docs/signed-headers-howto#verifying_the_jwt_payload
@@ -46,16 +41,12 @@ public class AuthModule {
   private static final String IAP_ISSUER_URL = "https://cloud.google.com/iap";
   private static final String REGULAR_ISSUER_URL = "https://accounts.google.com";
 
-  /** Provides the custom authentication mechanisms (including OAuth and OIDC). */
+  /** Provides the custom authentication mechanisms. */
   @Provides
   ImmutableList<AuthenticationMechanism> provideApiAuthenticationMechanisms(
-      OAuthAuthenticationMechanism oauthAuthenticationMechanism,
       IapOidcAuthenticationMechanism iapOidcAuthenticationMechanism,
       RegularOidcAuthenticationMechanism regularOidcAuthenticationMechanism) {
-    return ImmutableList.of(
-        oauthAuthenticationMechanism,
-        iapOidcAuthenticationMechanism,
-        regularOidcAuthenticationMechanism);
+    return ImmutableList.of(iapOidcAuthenticationMechanism, regularOidcAuthenticationMechanism);
   }
 
   @Qualifier
@@ -64,12 +55,6 @@ public class AuthModule {
   @Qualifier
   @interface RegularOidc {}
 
-  /** Provides the OAuthService instance. */
-  @Provides
-  OAuthService provideOauthService() {
-    return OAuthServiceFactory.getOAuthService();
-  }
-
   @Provides
   @IapOidc
   @Singleton
@@ -98,11 +83,7 @@ public class AuthModule {
   @Singleton
   TokenExtractor provideRegularTokenExtractor() {
     return request -> {
-      // TODO: only check the Authorizaiton header after the migration to OIDC is complete.
-      String rawToken = request.getHeader(PROXY_HEADER_NAME);
-      if (rawToken == null) {
-        rawToken = request.getHeader(AUTHORIZATION);
-      }
+      String rawToken = request.getHeader(AUTHORIZATION);
       if (rawToken != null && rawToken.startsWith(BEARER_PREFIX)) {
         return rawToken.substring(BEARER_PREFIX.length());
       }

core/src/main/java/google/registry/request/auth/AuthResult.java

@@ -14,7 +14,9 @@
 
 package google.registry.request.auth;
 
-import static com.google.common.base.Preconditions.checkNotNull;
+import static com.google.common.base.Preconditions.checkArgument;
+import static google.registry.request.auth.AuthSettings.AuthLevel.APP;
+import static google.registry.request.auth.AuthSettings.AuthLevel.USER;
 
 import com.google.auto.value.AutoValue;
 import google.registry.request.auth.AuthSettings.AuthLevel;
@@ -22,8 +24,8 @@ import java.util.Optional;
 import javax.annotation.Nullable;
 
 /**
- * Results of authentication for a given HTTP request, as emitted by an
- * {@link AuthenticationMechanism}.
+ * Results of authentication for a given HTTP request, as emitted by an {@link
+ * AuthenticationMechanism}.
  */
 @AutoValue
 public abstract class AuthResult {
@@ -33,6 +35,10 @@ public abstract class AuthResult {
   /** Information about the authenticated user, if there is one. */
   public abstract Optional<UserAuthInfo> userAuthInfo();
 
+  /** Service account email of the authenticated app, if there is one. */
+  @SuppressWarnings("unused") // The service account will be logged upon successful login.
+  public abstract Optional<String> appServiceAccount();
+
   public boolean isAuthenticated() {
     return authLevel() != AuthLevel.NONE;
   }
@@ -47,15 +53,27 @@ public abstract class AuthResult {
         .orElse("<logged-out user>");
   }
 
-  public static AuthResult create(AuthLevel authLevel) {
-    return new AutoValue_AuthResult(authLevel, Optional.empty());
+  public static AuthResult createApp(String email) {
+    return create(APP, null, email);
   }
 
-  public static AuthResult create(AuthLevel authLevel, @Nullable UserAuthInfo userAuthInfo) {
-    if (authLevel == AuthLevel.USER) {
-      checkNotNull(userAuthInfo);
-    }
-    return new AutoValue_AuthResult(authLevel, Optional.ofNullable(userAuthInfo));
+  public static AuthResult createUser(UserAuthInfo userAuthInfo) {
+    return create(USER, userAuthInfo, null);
+  }
+
+  private static AuthResult create(
+      AuthLevel authLevel, @Nullable UserAuthInfo userAuthInfo, @Nullable String email) {
+    checkArgument(
+        userAuthInfo == null || email == null,
+        "User auth info and service account email cannot be specificed at the same time");
+    checkArgument(
+        authLevel != USER || userAuthInfo != null,
+        "User auth info must be specified for auth level USER");
+    checkArgument(
+        authLevel != APP || email != null,
+        "Service account email must be specified for auth level APP");
+    return new AutoValue_AuthResult(
+        authLevel, Optional.ofNullable(userAuthInfo), Optional.ofNullable(email));
   }
 
   /**
@@ -67,5 +85,5 @@ public abstract class AuthResult {
    * returns NOT_AUTHENTICATED in this case, as opposed to absent() if authentication failed and was
    * required. So as a return from an authorization check, this can be treated as a success.
    */
-  public static final AuthResult NOT_AUTHENTICATED = create(AuthLevel.NONE);
+  public static final AuthResult NOT_AUTHENTICATED = create(AuthLevel.NONE, null, null);
 }

core/src/main/java/google/registry/request/auth/AuthSettings.java

@@ -17,6 +17,7 @@ package google.registry.request.auth;
 import com.google.auto.value.AutoValue;
 import com.google.common.collect.ImmutableList;
 import com.google.errorprone.annotations.Immutable;
+import google.registry.model.console.UserRoles;
 
 /**
  * Parameters used to configure the authenticator.
@@ -42,7 +43,10 @@ public abstract class AuthSettings {
   /** Available methods for authentication. */
   public enum AuthMethod {
 
-    /** Authentication methods suitable for API-style access, such as OAuth 2. */
+    /**
+     * Authentication methods suitable for API-style access, such as {@link
+     * OidcTokenAuthenticationMechanism}.
+     */
     API,
 
     /** Legacy authentication using cookie-based App Engine Users API. Must come last if present. */
@@ -68,10 +72,11 @@ public abstract class AuthSettings {
     /**
      * Authentication required, but user not required.
      *
-     * <p>In Auth: Authentication is required, but app-internal authentication (which isn't
-     * associated with a specific user) is permitted.
+     * <p>In Auth: authentication is required, but App-internal authentication (which isn't
+     * associated with a specific user, but a service account) is permitted. Examples include
+     * requests from Cloud Tasks, Cloud Scheduler, and the proxy.
      *
-     * <p>In AuthResult: App-internal authentication was successful.
+     * <p>In AuthResult: App-internal authentication (via service accounts) was successful.
      */
     APP,
 
@@ -93,10 +98,14 @@ public abstract class AuthSettings {
     PUBLIC,
 
     /**
-     * If there is a user, it must be an admin, as determined by isUserAdmin().
+     * If there is a user, it must be an admin, as determined by {@link UserAuthInfo#isUserAdmin()}.
      *
-     * <p>Note that, according to App Engine, anybody with access to the app in the GCP Console,
+     * <p>Note that, if the user returned is an App Engine {@link
+     * com.google.appengine.api.users.User} , anybody with access to the app in the GCP Console,
      * including editors and viewers, is an admin.
+     *
+     * <p>On the other hand, if the user is a {@link google.registry.model.console.User}, the admin
+     * role is explicitly defined in that object via the {@link UserRoles#isAdmin()} method.
      */
     ADMIN
   }

core/src/main/java/google/registry/request/auth/AuthenticationMechanism.java

@@ -19,7 +19,7 @@ import javax.servlet.http.HttpServletRequest;
 /**
  * A particular way to authenticate an HTTP request, returning an {@link AuthResult}.
  *
- * <p>For instance, a request could be authenticated using OAuth, via special request headers, etc.
+ * <p>For instance, a request could be authenticated using OIDC, via special request headers, etc.
  */
 public interface AuthenticationMechanism {
 

core/src/main/java/google/registry/request/auth/LegacyAuthenticationMechanism.java

@@ -16,8 +16,7 @@ package google.registry.request.auth;
 
 import static com.google.common.base.Strings.emptyToNull;
 import static com.google.common.base.Strings.nullToEmpty;
-import static google.registry.request.auth.AuthSettings.AuthLevel.NONE;
-import static google.registry.request.auth.AuthSettings.AuthLevel.USER;
+import static google.registry.request.auth.AuthResult.NOT_AUTHENTICATED;
 import static google.registry.security.XsrfTokenManager.P_CSRF_TOKEN;
 import static google.registry.security.XsrfTokenManager.X_CSRF_TOKEN;
 
@@ -49,15 +48,14 @@ public class LegacyAuthenticationMechanism implements AuthenticationMechanism {
   @Override
   public AuthResult authenticate(HttpServletRequest request) {
     if (!userService.isUserLoggedIn()) {
-      return AuthResult.create(NONE);
+      return NOT_AUTHENTICATED;
     }
 
     if (!SAFE_METHODS.contains(request.getMethod()) && !validateXsrf(request)) {
-      return AuthResult.create(NONE);
+      return NOT_AUTHENTICATED;
     }
 
-    return AuthResult.create(
-        USER,
+    return AuthResult.createUser(
         UserAuthInfo.create(userService.getCurrentUser(), userService.isUserAdmin()));
   }
 

core/src/main/java/google/registry/request/auth/OAuthAuthenticationMechanism.java

@@ -1,136 +0,0 @@
-// Copyright 2017 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.request.auth;
-
-import static com.google.common.net.HttpHeaders.AUTHORIZATION;
-import static google.registry.request.auth.AuthModule.BEARER_PREFIX;
-import static google.registry.request.auth.AuthSettings.AuthLevel.NONE;
-import static google.registry.request.auth.AuthSettings.AuthLevel.USER;
-
-import com.google.appengine.api.oauth.OAuthRequestException;
-import com.google.appengine.api.oauth.OAuthService;
-import com.google.appengine.api.oauth.OAuthServiceFailureException;
-import com.google.appengine.api.users.User;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.flogger.FluentLogger;
-import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
-import javax.inject.Inject;
-import javax.servlet.http.HttpServletRequest;
-
-/**
- * OAuth authentication mechanism, using the OAuthService interface.
- *
- * <p>Only OAuth version 2 is supported.
- */
-public class OAuthAuthenticationMechanism implements AuthenticationMechanism {
-
-  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
-
-  private final OAuthService oauthService;
-
-  /** The available OAuth scopes for which {@link OAuthService} should check. */
-  private final ImmutableSet<String> availableOauthScopes;
-
-  /** The OAuth scopes which must all be present for authentication to succeed. */
-  private final ImmutableSet<String> requiredOauthScopes;
-
-  private final ImmutableSet<String> allowedOauthClientIds;
-
-  @Inject
-  public OAuthAuthenticationMechanism(
-      OAuthService oauthService,
-      @Config("availableOauthScopes") ImmutableSet<String> availableOauthScopes,
-      @Config("requiredOauthScopes") ImmutableSet<String> requiredOauthScopes,
-      @Config("allowedOauthClientIds") ImmutableSet<String> allowedOauthClientIds) {
-    this.oauthService = oauthService;
-    this.availableOauthScopes = availableOauthScopes;
-    this.requiredOauthScopes = requiredOauthScopes;
-    this.allowedOauthClientIds = allowedOauthClientIds;
-  }
-
-  @Override
-  public AuthResult authenticate(HttpServletRequest request) {
-
-    // Make sure that there is an Authorization header in Bearer form. OAuthService also accepts
-    // tokens in the request body and URL string, but we should not use those, since they are more
-    // likely to be logged than the Authorization header. Checking to make sure there's a token also
-    // avoids unnecessary RPCs, since OAuthService itself does not check whether the header is
-    // present. In theory, there could be more than one Authorization header, but we only check the
-    // first one, because there's not a legitimate use case for having more than one, and
-    // OAuthService itself only looks at the first one anyway.
-    String header = request.getHeader(AUTHORIZATION);
-    if ((header == null) || !header.startsWith(BEARER_PREFIX)) {
-      if (header != null) {
-        logger.atInfo().log("Invalid authorization header.");
-      }
-      return AuthResult.create(NONE);
-    }
-    // Assume that, if a bearer token is found, it's what OAuthService will use to attempt
-    // authentication. This is not technically guaranteed by the contract of OAuthService; see
-    // OAuthTokenInfo for more information.
-    String rawAccessToken =
-        RegistryEnvironment.get() == RegistryEnvironment.PRODUCTION
-            ? "Raw token redacted in prod"
-            : header.substring(BEARER_PREFIX.length());
-
-    // Get the OAuth information. The various oauthService method calls use a single cached
-    // authentication result, so we can call them one by one.
-    User currentUser;
-    boolean isUserAdmin;
-    String oauthClientId;
-    ImmutableSet<String> authorizedScopes;
-    try {
-      String[] availableOauthScopeArray = availableOauthScopes.toArray(new String[0]);
-      currentUser = oauthService.getCurrentUser(availableOauthScopeArray);
-      isUserAdmin = oauthService.isUserAdmin(availableOauthScopeArray);
-      logger.atInfo().log(
-          "Current user: %s (%s).", currentUser, isUserAdmin ? "admin" : "not admin");
-      oauthClientId = oauthService.getClientId(availableOauthScopeArray);
-      logger.atInfo().log("OAuth client ID: %s", oauthClientId);
-      authorizedScopes =
-          ImmutableSet.copyOf(oauthService.getAuthorizedScopes(availableOauthScopeArray));
-      logger.atInfo().log("Authorized scope(s): %s", authorizedScopes);
-    } catch (OAuthRequestException | OAuthServiceFailureException e) {
-      logger.atInfo().withCause(e).log("Unable to get OAuth information.");
-      return AuthResult.create(NONE);
-    }
-    if ((currentUser == null) || (oauthClientId == null) || (authorizedScopes == null)) {
-      return AuthResult.create(NONE);
-    }
-
-    // Make sure that the client ID matches, to avoid a confused deputy attack; see:
-    // http://stackoverflow.com/a/17439317/1179226
-    if (!allowedOauthClientIds.contains(oauthClientId)) {
-      logger.atInfo().log("OAuth client ID is not allowed.");
-      return AuthResult.create(NONE);
-    }
-
-    // Make sure that all required scopes are present.
-    if (!authorizedScopes.containsAll(requiredOauthScopes)) {
-      logger.atInfo().log("Missing required scope(s).");
-      return AuthResult.create(NONE);
-    }
-
-    // Create the {@link AuthResult}, including the OAuth token info.
-    return AuthResult.create(
-        USER,
-        UserAuthInfo.create(
-            currentUser,
-            isUserAdmin,
-            OAuthTokenInfo.create(
-                ImmutableSet.copyOf(authorizedScopes), oauthClientId, rawAccessToken)));
-  }
-}

core/src/main/java/google/registry/request/auth/OAuthTokenInfo.java

@@ -1,48 +0,0 @@
-// Copyright 2017 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.request.auth;
-
-import com.google.auto.value.AutoValue;
-import com.google.common.collect.ImmutableSet;
-
-/** Information provided by the OAuth authentication mechanism (only) about the session. */
-@AutoValue
-public abstract class OAuthTokenInfo {
-
-  /** Authorized OAuth scopes granted by the access token provided with the request. */
-  abstract ImmutableSet<String> authorizedScopes();
-
-  /** OAuth client ID from the access token provided with the request. */
-  abstract String oauthClientId();
-
-  /**
-   * Raw OAuth access token value provided with the request, for passing along to downstream APIs as
-   * appropriate.
-   *
-   * <p>Note that the request parsing code makes certain assumptions about whether the Authorization
-   * header was used as the source of the token. Because OAuthService could theoretically fall back
-   * to some other source of authentication, it might be possible for rawAccessToken not to have
-   * been the source of OAuth authentication. Looking at the code of OAuthService, that could not
-   * currently happen, but if OAuthService were modified in the future so that it tried the bearer
-   * token, and then when that failed, fell back to another, successful authentication path, then
-   * rawAccessToken might not be valid.
-   */
-  abstract String rawAccessToken();
-
-  static OAuthTokenInfo create(
-      ImmutableSet<String> authorizedScopes, String oauthClientId, String rawAccessToken) {
-    return new AutoValue_OAuthTokenInfo(authorizedScopes, oauthClientId, rawAccessToken);
-  }
-}

core/src/main/java/google/registry/request/auth/OidcTokenAuthenticationMechanism.java

@@ -14,8 +14,6 @@
 
 package google.registry.request.auth;
 
-import static google.registry.request.auth.AuthSettings.AuthLevel.APP;
-
 import com.google.api.client.json.webtoken.JsonWebSignature;
 import com.google.auth.oauth2.TokenVerifier;
 import com.google.common.annotations.VisibleForTesting;
@@ -97,12 +95,11 @@ public abstract class OidcTokenAuthenticationMechanism implements Authentication
     }
     Optional<User> maybeUser = UserDao.loadUser(email);
     if (maybeUser.isPresent()) {
-      return AuthResult.create(AuthLevel.USER, UserAuthInfo.create(maybeUser.get()));
+      return AuthResult.createUser(UserAuthInfo.create(maybeUser.get()));
     }
-    // TODO: implement caching so we don't have to look up the database for every request.
     logger.atInfo().log("No end user found for email address %s", email);
     if (serviceAccountEmails.stream().anyMatch(e -> e.equals(email))) {
-      return AuthResult.create(APP);
+      return AuthResult.createApp(email);
     }
     logger.atInfo().log("No service account found for email address %s", email);
     logger.atWarning().log(
@@ -153,15 +150,8 @@ public abstract class OidcTokenAuthenticationMechanism implements Authentication
    *
    * <p>If the endpoint is not behind IAP, we can try to authenticate the OIDC token supplied in the
    * request header directly. Ideally we would like all endpoints to be behind IAP, but being able
-   * to authenticate the token directly provides us with the flexibility to do away with OAuth-based
-   * {@link OAuthAuthenticationMechanism} that is tied to App Engine runtime without having to turn
-   * on IAP, which is an all-or-nothing switch for each GAE service (i.e. no way to turn it on only
-   * for certain GAE endpoints).
-   *
-   * <p>Note that this mechanism will try to first extract the token under the "proxy-authorization"
-   * header, before trying "authorization". This is because currently the GAE OAuth service always
-   * uses "authorization", and we would like to provide a way for both auth mechanisms to be working
-   * at the same time for the same request.
+   * to authenticate the token directly provides us with some extra flexibility that comes in handy,
+   * at least during the migration to GKE.
    *
    * @see <a href=https://datatracker.ietf.org/doc/html/rfc6750>Bearer Token Usage</a>
    */

core/src/main/java/google/registry/request/auth/RequestAuthenticator.java

@@ -60,7 +60,8 @@ public class RequestAuthenticator {
     if (auth.minimumLevel() == APP && !authResult.isAuthenticated()) {
       logger.atWarning().log("Not authorized; no authentication found.");
       return Optional.empty();
-    } else if (auth.minimumLevel() == USER && authResult.authLevel() != USER) {
+    }
+    if (auth.minimumLevel() == USER && authResult.authLevel() != USER) {
       logger.atWarning().log("Not authorized; no authenticated user.");
       return Optional.empty();
     }
@@ -81,12 +82,12 @@ public class RequestAuthenticator {
    * @param req the {@link HttpServletRequest}; some authentication mechanisms use HTTP headers
    * @return an authentication result; if no authentication was made, returns NOT_AUTHENTICATED
    */
-  private AuthResult authenticate(AuthSettings auth, HttpServletRequest req) {
+  AuthResult authenticate(AuthSettings auth, HttpServletRequest req) {
     checkAuthConfig(auth);
     for (AuthMethod authMethod : auth.methods()) {
       AuthResult authResult;
       switch (authMethod) {
-          // API-based user authentication mechanisms, such as OAuth and OIDC.
+          // API-based user authentication mechanisms, such as OIDC.
         case API:
           for (AuthenticationMechanism authMechanism : apiAuthenticationMechanisms) {
             authResult = authMechanism.authenticate(req);
@@ -113,10 +114,9 @@ public class RequestAuthenticator {
 
   /** Validates an AuthSettings object, checking for invalid setting combinations. */
   static void checkAuthConfig(AuthSettings auth) {
-    ImmutableList<AuthMethod> authMethods = ImmutableList.copyOf(auth.methods());
-    checkArgument(!authMethods.isEmpty(), "Must specify at least one auth method");
+    checkArgument(!auth.methods().isEmpty(), "Must specify at least one auth method");
     checkArgument(
-        Ordering.explicit(AuthMethod.API, AuthMethod.LEGACY).isStrictlyOrdered(authMethods),
+        Ordering.explicit(AuthMethod.API, AuthMethod.LEGACY).isStrictlyOrdered(auth.methods()),
         "Auth methods must be unique and strictly in order - API, LEGACY");
     checkArgument(
         (auth.minimumLevel() != NONE) || (auth.userPolicy() != ADMIN),

core/src/main/java/google/registry/request/auth/UserAuthInfo.java

@@ -22,6 +22,8 @@ import java.util.Optional;
 @AutoValue
 public abstract class UserAuthInfo {
 
+  public abstract Optional<google.registry.model.console.User> consoleUser();
+
   /** User object from the AppEngine Users API. */
   public abstract Optional<User> appEngineUser();
 
@@ -34,11 +36,6 @@ public abstract class UserAuthInfo {
    */
   public abstract boolean isUserAdmin();
 
-  public abstract Optional<google.registry.model.console.User> consoleUser();
-
-  /** Used by the OAuth authentication mechanism (only) to return information about the session. */
-  public abstract Optional<OAuthTokenInfo> oauthTokenInfo();
-
   public String getEmailAddress() {
     return appEngineUser()
         .map(User::getEmail)
@@ -51,20 +48,12 @@ public abstract class UserAuthInfo {
         .orElseGet(() -> consoleUser().get().getEmailAddress());
   }
 
-  public static UserAuthInfo create(
-      User user, boolean isUserAdmin) {
-    return new AutoValue_UserAuthInfo(
-        Optional.of(user), isUserAdmin, Optional.empty(), Optional.empty());
-  }
-
-  public static UserAuthInfo create(
-      User user, boolean isUserAdmin, OAuthTokenInfo oauthTokenInfo) {
-    return new AutoValue_UserAuthInfo(
-        Optional.of(user), isUserAdmin, Optional.empty(), Optional.of(oauthTokenInfo));
+  public static UserAuthInfo create(User user, boolean isUserAdmin) {
+    return new AutoValue_UserAuthInfo(Optional.empty(), Optional.of(user), isUserAdmin);
   }
 
   public static UserAuthInfo create(google.registry.model.console.User user) {
     return new AutoValue_UserAuthInfo(
-        Optional.empty(), user.getUserRoles().isAdmin(), Optional.of(user), Optional.empty());
+        Optional.of(user), Optional.empty(), user.getUserRoles().isAdmin());
   }
 }

core/src/main/java/google/registry/tmch/Marksdb.java

@@ -121,6 +121,8 @@ public final class Marksdb {
       return getResponseBytes(connection);
     } catch (IOException e) {
       throw new IOException(String.format("Error connecting to MarksDB at URL %s", url), e);
+    } finally {
+      connection.disconnect();
     }
   }
 

core/src/main/java/google/registry/tmch/NordnUploadAction.java

@@ -225,6 +225,8 @@ public final class NordnUploadAction implements Runnable {
       cloudTasksUtils.enqueue(NordnVerifyAction.QUEUE, makeVerifyTask(new URL(location)));
     } catch (IOException e) {
       throw new IOException(String.format("Error connecting to MarksDB at URL %s", url), e);
+    } finally {
+      connection.disconnect();
     }
   }
 

core/src/main/java/google/registry/tmch/NordnVerifyAction.java

@@ -148,6 +148,8 @@ public final class NordnVerifyAction implements Runnable {
       return log;
     } catch (IOException e) {
       throw new IOException(String.format("Error connecting to MarksDB at URL %s", url), e);
+    } finally {
+      connection.disconnect();
     }
   }
 }

core/src/main/java/google/registry/tools/ConfigureTldCommand.java

@@ -27,6 +27,7 @@ import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.ImmutableSortedMap;
 import com.google.common.collect.Sets;
 import com.google.common.collect.Sets.SetView;
+import com.google.common.flogger.FluentLogger;
 import google.registry.model.tld.Tld;
 import google.registry.model.tld.label.PremiumList;
 import google.registry.model.tld.label.PremiumListDao;
@@ -53,6 +54,8 @@ import org.yaml.snakeyaml.Yaml;
 @Parameters(separators = " =", commandDescription = "Create or update TLD using YAML")
 public class ConfigureTldCommand extends MutatingCommand {
 
+  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
+
   @Parameter(
       names = {"-i", "--input"},
       description = "Filename of TLD YAML file.",
@@ -60,17 +63,33 @@ public class ConfigureTldCommand extends MutatingCommand {
       required = true)
   Path inputFile;
 
+  @Parameter(
+      names = {"-b", "--breakglass"},
+      description =
+          "Sets the breakglass field on the TLD to true, preventing Cloud Build from overwriting"
+              + " these new changes until the TLD configuration file stored internally matches the"
+              + " configuration in the database.")
+  boolean breakglass;
+
+  @Parameter(
+      names = {"-d", "--dryrun"},
+      description = "Does not execute the entity mutation")
+  boolean dryrun;
+
   @Inject ObjectMapper mapper;
 
   @Inject
   @Named("dnsWriterNames")
   Set<String> validDnsWriterNames;
 
-  // TODO(sarahbot@): Add a breakglass setting to this tool to indicate when a TLD has been modified
-  // outside of source control
+  /** Indicates if the passed in file contains new changes to the TLD */
+  boolean newDiff = true;
 
-  // TODO(sarahbot@): Add a check for diffs between passed in file and current TLD and exit if there
-  // is no diff. Treat nulls and empty sets as the same value.
+  /**
+   * Indicates if the existing TLD is currently in breakglass mode and should not be modified unless
+   * the breakglass flag is used
+   */
+  boolean oldTldInBreakglass = false;
 
   @Override
   protected void init() throws Exception {
@@ -80,12 +99,55 @@ public class ConfigureTldCommand extends MutatingCommand {
     checkForMissingFields(tldData);
     Tld oldTld = getTlds().contains(name) ? Tld.get(name) : null;
     Tld newTld = mapper.readValue(inputFile.toFile(), Tld.class);
+    if (oldTld != null) {
+      oldTldInBreakglass = oldTld.getBreakglassMode();
+      newDiff = !oldTld.equalYaml(newTld);
+    }
+
+    if (!newDiff && !oldTldInBreakglass) {
+      // Don't construct a new object if there is no new diff
+      return;
+    }
+
+    if (oldTldInBreakglass && !breakglass) {
+      checkArgument(
+          !newDiff,
+          "Changes can not be applied since TLD is in breakglass mode but the breakglass flag was"
+              + " not used");
+      // if there are no new diffs, then the YAML file has caught up to the database and the
+      // breakglass mode should be removed
+      logger.atInfo().log("Breakglass mode removed from TLD: %s", name);
+    }
+
     checkPremiumList(newTld);
     checkDnsWriters(newTld);
     checkCurrency(newTld);
+    // Set the new TLD to breakglass mode if breakglass flag was used
+    if (breakglass) {
+      newTld = newTld.asBuilder().setBreakglassMode(true).build();
+    }
     stageEntityChange(oldTld, newTld);
   }
 
+  @Override
+  protected boolean dontRunCommand() {
+    if (dryrun) {
+      return true;
+    }
+    if (!newDiff) {
+      if (oldTldInBreakglass && !breakglass) {
+        // Run command to remove breakglass mode
+        return false;
+      }
+      logger.atInfo().log("TLD YAML file contains no new changes");
+      checkArgument(
+          !breakglass || oldTldInBreakglass,
+          "Breakglass mode can only be set when making new changes to a TLD configuration");
+      return true;
+    }
+    return false;
+  }
+
   private void checkName(String name, Map<String, Object> tldData) {
     checkArgument(CharMatcher.ascii().matchesAllOf(name), "A TLD name must be in plain ASCII");
     checkArgument(!Character.isDigit(name.charAt(0)), "TLDs cannot begin with a number");
@@ -122,7 +184,9 @@ public class ConfigureTldCommand extends MutatingCommand {
 
   private void checkPremiumList(Tld newTld) {
     Optional<String> premiumListName = newTld.getPremiumListName();
-    if (!premiumListName.isPresent()) return;
+    if (!premiumListName.isPresent()) {
+      return;
+    }
     Optional<PremiumList> premiumList = PremiumListDao.getLatestRevision(premiumListName.get());
     checkArgument(
         premiumList.isPresent(),

core/src/main/java/google/registry/tools/ConfirmingCommand.java

@@ -15,9 +15,12 @@
 package google.registry.tools;
 
 import static google.registry.tools.CommandUtilities.promptForYes;
+import static java.nio.charset.StandardCharsets.UTF_8;
 
 import com.beust.jcommander.Parameter;
 import com.google.common.base.Strings;
+import java.io.PrintStream;
+import java.io.UnsupportedEncodingException;
 
 /** A {@link Command} that implements a confirmation step before executing. */
 public abstract class ConfirmingCommand implements Command {
@@ -27,23 +30,37 @@ public abstract class ConfirmingCommand implements Command {
       description = "Do not prompt before executing")
   boolean force;
 
+  public PrintStream printStream;
+  public PrintStream errorPrintStream;
+
+  protected ConfirmingCommand() {
+    try {
+      printStream = new PrintStream(System.out, false, UTF_8.name());
+      errorPrintStream = new PrintStream(System.err, false, UTF_8.name());
+    } catch (UnsupportedEncodingException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
   @Override
   public final void run() throws Exception {
     if (checkExecutionState()) {
       init();
-      printLineIfNotEmpty(prompt());
+      printLineIfNotEmpty(prompt(), printStream);
       if (dontRunCommand()) {
         // This typically happens when all of the work is accomplished inside of prompt(), so do
         // nothing further.
         return;
       } else if (force || promptForYes("Perform this command?")) {
-        System.out.println("Running ... ");
-        System.out.println(execute());
-        printLineIfNotEmpty(postExecute());
+        printStream.println("Running ... ");
+        printStream.println(execute());
+        printLineIfNotEmpty(postExecute(), printStream);
       } else {
-        System.out.println("Command aborted.");
+        printStream.println("Command aborted.");
       }
     }
+    printStream.close();
+    errorPrintStream.close();
   }
 
   /** Run any pre-execute command checks and return true if they all pass. */
@@ -76,9 +93,9 @@ public abstract class ConfirmingCommand implements Command {
   }
 
   /** Prints the provided text with a trailing newline, if text is not null or empty. */
-  private static void printLineIfNotEmpty(String text) {
+  private static void printLineIfNotEmpty(String text, PrintStream printStream) {
     if (!Strings.isNullOrEmpty(text)) {
-      System.out.println(text);
+      printStream.println(text);
     }
   }
 }

core/src/main/java/google/registry/tools/CreateDomainCommand.java

@@ -78,7 +78,7 @@ final class CreateDomainCommand extends CreateOrUpdateDomainCommand {
         Money createCost = prices.getCreateCost();
         currency = createCost.getCurrencyUnit().getCode();
         cost = createCost.multipliedBy(period).getAmount().toString();
-        System.out.printf(
+        printStream.printf(
             "NOTE: %s is premium at %s per year; sending total cost for %d year(s) of %s %s.\n",
             domain, createCost, period, currency, cost);
       }

core/src/main/java/google/registry/tools/CreateOrUpdateTldCommand.java

@@ -39,6 +39,7 @@ import google.registry.tools.params.OptionalStringParameter;
 import google.registry.tools.params.StringListParameter;
 import google.registry.tools.params.TransitionListParameter.BillingCostTransitions;
 import google.registry.tools.params.TransitionListParameter.TldStateTransitions;
+import java.io.UnsupportedEncodingException;
 import java.util.Arrays;
 import java.util.List;
 import java.util.Map;
@@ -233,12 +234,11 @@ abstract class CreateOrUpdateTldCommand extends MutatingCommand {
 
   @Nullable
   @Parameter(
-    names = {"--num_dns_publish_locks"},
-    description =
-        "The number of publish locks we allow in parallel for DNS updates under this tld "
-            + "(1 for TLD-wide locks)",
-    arity = 1
-  )
+      names = {"--num_dns_publish_locks"},
+      description =
+          "The number of publish locks we allow in parallel for DNS updates under this tld "
+              + "(1 for TLD-wide locks)",
+      arity = 1)
   Integer numDnsPublishShards;
 
   @Nullable
@@ -301,7 +301,7 @@ abstract class CreateOrUpdateTldCommand extends MutatingCommand {
   protected abstract void initTldCommand();
 
   @Override
-  protected final void init() {
+  protected final void init() throws UnsupportedEncodingException {
     assertAllowedEnvironment();
     initTldCommand();
     String duplicates = Joiner.on(", ").join(findDuplicates(mainParameters));
@@ -360,7 +360,7 @@ abstract class CreateOrUpdateTldCommand extends MutatingCommand {
       if (!renewBillingCostTransitions.isEmpty()) {
         // TODO(b/20764952): need invoicing support for multiple renew billing costs.
         if (renewBillingCostTransitions.size() > 1) {
-          System.err.println(
+          errorPrintStream.println(
               "----------------------\n"
                   + "WARNING: Do not set multiple renew cost transitions "
                   + "until b/20764952 is fixed.\n"
@@ -463,7 +463,8 @@ abstract class CreateOrUpdateTldCommand extends MutatingCommand {
     }
   }
 
-  private void checkReservedListValidityForTld(String tld, Set<String> reservedListNames) {
+  private void checkReservedListValidityForTld(String tld, Set<String> reservedListNames)
+      throws UnsupportedEncodingException {
     ImmutableList.Builder<String> builder = new ImmutableList.Builder<>();
     for (String reservedListName : reservedListNames) {
       if (!reservedListName.startsWith("common_") && !reservedListName.startsWith(tld + "_")) {
@@ -476,7 +477,7 @@ abstract class CreateOrUpdateTldCommand extends MutatingCommand {
           Joiner.on(", ").join(invalidNames),
           tld);
       if (overrideReservedListRules) {
-        System.err.println("Error overridden: " + errMsg);
+        errorPrintStream.println("Error overridden: " + errMsg);
       } else {
         throw new IllegalArgumentException(errMsg);
       }

core/src/main/java/google/registry/tools/DeleteAllocationTokensCommand.java

@@ -85,7 +85,7 @@ final class DeleteAllocationTokensCommand extends UpdateOrDeleteAllocationTokens
     if (!dryRun) {
       tm().delete(tokensToDelete);
     }
-    System.out.printf(
+    printStream.printf(
         "%s tokens: %s\n",
         dryRun ? "Would delete" : "Deleted",
         JOINER.join(tokensToDelete.stream().map(VKey::getKey).sorted().collect(toImmutableList())));

core/src/main/java/google/registry/tools/LoadTestCommand.java

@@ -14,6 +14,7 @@
 
 package google.registry.tools;
 
+
 import com.beust.jcommander.Parameter;
 import com.beust.jcommander.Parameters;
 import com.google.common.collect.ImmutableMap;
@@ -86,17 +87,17 @@ class LoadTestCommand extends ConfirmingCommand implements CommandWithConnection
   @Override
   protected boolean checkExecutionState() {
     if (RegistryToolEnvironment.get() == RegistryToolEnvironment.PRODUCTION) {
-      System.err.println("You may not run a load test against production.");
+      errorPrintStream.println("You may not run a load test against production.");
       return false;
     }
 
     // Check validity of TLD and Client Id.
     if (!Tlds.getTlds().contains(tld)) {
-      System.err.printf("No such TLD: %s\n", tld);
+      errorPrintStream.printf("No such TLD: %s\n", tld);
       return false;
     }
     if (!Registrar.loadByRegistrarId(clientId).isPresent()) {
-      System.err.printf("No such client: %s\n", clientId);
+      errorPrintStream.printf("No such client: %s\n", clientId);
       return false;
     }
 
@@ -112,7 +113,7 @@ class LoadTestCommand extends ConfirmingCommand implements CommandWithConnection
 
   @Override
   protected String execute() throws Exception {
-    System.err.println("Initiating load test...");
+    errorPrintStream.println("Initiating load test...");
 
     ImmutableMap<String, Object> params = new ImmutableMap.Builder<String, Object>()
         .put("tld", tld)

core/src/main/java/google/registry/tools/LockOrUnlockDomainCommand.java

@@ -71,7 +71,7 @@ public abstract class LockOrUnlockDomainCommand extends ConfirmingCommand {
     }
     String duplicates = Joiner.on(", ").join(findDuplicates(mainParameters));
     checkArgument(duplicates.isEmpty(), "Duplicate domain arguments found: '%s'", duplicates);
-    System.out.println(
+    printStream.println(
         "== ENSURE THAT YOU HAVE AUTHENTICATED THE REGISTRAR BEFORE RUNNING THIS COMMAND ==");
   }
 

core/src/main/java/google/registry/tools/RegistryCli.java

@@ -43,7 +43,8 @@ final class RegistryCli implements CommandRunner {
   // The environment parameter is parsed twice: once here, and once with {@link
   // RegistryToolEnvironment#parseFromArgs} in the {@link RegistryTool#main} function.
   //
-  // The flag names must be in sync between the two, and also - this is ugly and we should feel bad.
+  // The flag names must be in sync between the two, and also - this is ugly, and we should feel
+  // bad.
   @Parameter(
       names = {"-e", "--environment"},
       description = "Sets the default environment to run the command.")
@@ -55,22 +56,21 @@ final class RegistryCli implements CommandRunner {
   private boolean showAllCommands;
 
   @Parameter(
-      names = {"--credential"},
+      names = "--credential",
       description =
           "Name of a JSON file containing credential information used by the tool. "
               + "If not set, credentials saved by running `nomulus login' will be used.")
   private String credentialJson = null;
 
   @Parameter(
-      names = {"--sql_access_info"},
+      names = "--sql_access_info",
       description =
           "Name of a file containing space-separated SQL access info used when deploying "
               + "Beam pipelines")
   private String sqlAccessInfoFile = null;
 
   // Do not make this final - compile-time constant inlining may interfere with JCommander.
-  @ParametersDelegate
-  private LoggingParameters loggingParams = new LoggingParameters();
+  @ParametersDelegate private LoggingParameters loggingParams = new LoggingParameters();
 
   RegistryToolComponent component;
 
@@ -105,8 +105,8 @@ final class RegistryCli implements CommandRunner {
     jcommander.setProgramName(programName);
 
     // Create all command instances. It would be preferrable to do this in the constructor, but
-    // JCommander mutates the command instances and doesn't reset them so we have to do it for every
-    // run.
+    // JCommander mutates the command instances and doesn't reset them, so we have to do it for
+    // every run.
     try {
       for (Map.Entry<String, ? extends Class<? extends Command>> entry : commands.entrySet()) {
         Command command = entry.getValue().getDeclaredConstructor().newInstance();
@@ -169,7 +169,7 @@ final class RegistryCli implements CommandRunner {
     Command command =
         (Command)
             Iterables.getOnlyElement(jcommander.getCommands().get(parsedCommand).getObjects());
-    loggingParams.configureLogging();  // Must be called after parameters are parsed.
+    loggingParams.configureLogging(); // Must be called after parameters are parsed.
 
     try {
       runCommand(command);

core/src/main/java/google/registry/tools/RegistryToolComponent.java

@@ -39,7 +39,6 @@ import google.registry.privileges.secretmanager.SecretManagerModule;
 import google.registry.rde.RdeModule;
 import google.registry.request.Modules.GsonModule;
 import google.registry.request.Modules.UrlConnectionServiceModule;
-import google.registry.request.Modules.UrlFetchServiceModule;
 import google.registry.request.Modules.UserServiceModule;
 import google.registry.tools.AuthModule.LocalCredentialModule;
 import google.registry.util.UtilsModule;
@@ -77,7 +76,6 @@ import javax.inject.Singleton;
       SecretManagerKeyringModule.class,
       SecretManagerModule.class,
       UrlConnectionServiceModule.class,
-      UrlFetchServiceModule.class,
       UserServiceModule.class,
       UtilsModule.class,
       VoidDnsWriterModule.class,
@@ -123,6 +121,7 @@ interface RegistryToolComponent {
   void inject(GetDomainCommand command);
 
   void inject(GetHostCommand command);
+
   void inject(GetKeyringSecretCommand command);
 
   void inject(GetSqlCredentialCommand command);

core/src/main/java/google/registry/tools/RequestFactoryModule.java

@@ -14,7 +14,7 @@
 
 package google.registry.tools;
 
-import static com.google.common.net.HttpHeaders.PROXY_AUTHORIZATION;
+import static com.google.common.net.HttpHeaders.AUTHORIZATION;
 
 import com.google.api.client.http.HttpRequestFactory;
 import com.google.api.client.http.javanet.NetHttpTransport;
@@ -54,13 +54,11 @@ final class RequestFactoryModule {
       return new NetHttpTransport()
           .createRequestFactory(
               request -> {
-                // Use the standard credential initializer to set the Authorization header
-                credentialsBundle.getHttpRequestInitializer().initialize(request);
-                // Set OIDC token as the alternative bearer token.
+                // Set OIDC token as the bearer token.
                 request
                     .getHeaders()
                     .set(
-                        PROXY_AUTHORIZATION,
+                        AUTHORIZATION,
                         "Bearer "
                             + OidcTokenUtils.createOidcToken(credentialsBundle, oauthClientId));
                 // GAE request times out after 10 min, so here we set the timeout to 10 min. This is

core/src/main/java/google/registry/tools/UnrenewDomainCommand.java

@@ -42,6 +42,7 @@ import google.registry.model.poll.PollMessage;
 import google.registry.model.reporting.HistoryEntry.Type;
 import google.registry.util.Clock;
 import google.registry.util.NonFinalForTesting;
+import java.io.UnsupportedEncodingException;
 import java.util.List;
 import java.util.Optional;
 import javax.inject.Inject;
@@ -76,7 +77,7 @@ class UnrenewDomainCommand extends ConfirmingCommand {
           StatusValue.SERVER_UPDATE_PROHIBITED);
 
   @Override
-  protected void init() {
+  protected void init() throws UnsupportedEncodingException {
     checkArgument(period >= 1 && period <= 9, "Period must be in the range 1-9");
     DateTime now = clock.nowUtc();
     ImmutableSet.Builder<String> domainsNonexistentBuilder = new ImmutableSet.Builder<>();
@@ -116,20 +117,24 @@ class UnrenewDomainCommand extends ConfirmingCommand {
             && domainsDeleting.isEmpty()
             && domainsWithDisallowedStatuses.isEmpty()
             && domainsExpiringTooSoon.isEmpty());
+
     if (foundInvalidDomains) {
-      System.err.print("Found domains that cannot be unrenewed for the following reasons:\n\n");
+      errorPrintStream.print(
+          "Found domains that cannot be unrenewed for the following reasons:\n\n");
     }
     if (!domainsNonexistent.isEmpty()) {
-      System.err.printf("Domains that don't exist: %s\n\n", domainsNonexistent);
+      errorPrintStream.printf("Domains that don't exist: %s\n\n", domainsNonexistent);
     }
     if (!domainsDeleting.isEmpty()) {
-      System.err.printf("Domains that are deleted or pending delete: %s\n\n", domainsDeleting);
+      errorPrintStream.printf(
+          "Domains that are deleted or pending delete: %s\n\n", domainsDeleting);
     }
     if (!domainsWithDisallowedStatuses.isEmpty()) {
-      System.err.printf("Domains with disallowed statuses: %s\n\n", domainsWithDisallowedStatuses);
+      errorPrintStream.printf(
+          "Domains with disallowed statuses: %s\n\n", domainsWithDisallowedStatuses);
     }
     if (!domainsExpiringTooSoon.isEmpty()) {
-      System.err.printf("Domains expiring too soon: %s\n\n", domainsExpiringTooSoon);
+      errorPrintStream.printf("Domains expiring too soon: %s\n\n", domainsExpiringTooSoon);
     }
     checkArgument(!foundInvalidDomains, "Aborting because some domains cannot be unrenewed");
   }
@@ -154,7 +159,7 @@ class UnrenewDomainCommand extends ConfirmingCommand {
   protected String execute() {
     for (String domainName : mainParameters) {
       tm().transact(() -> unrenewDomain(domainName));
-      System.out.printf("Unrenewed %s\n", domainName);
+      printStream.printf("Unrenewed %s\n", domainName);
     }
     return "Successfully unrenewed all domains.";
   }

core/src/main/java/google/registry/tools/UpdateAllocationTokensCommand.java

@@ -208,7 +208,7 @@ final class UpdateAllocationTokensCommand extends UpdateOrDeleteAllocationTokens
     if (!dryRun) {
       tm().putAll(batch);
     }
-    System.out.printf(
+    printStream.printf(
         "%s tokens: %s\n",
         dryRun ? "Would update" : "Updated",
         JOINER.join(

core/src/main/java/google/registry/tools/javascrap/CreateCancellationsForBillingEventsCommand.java

@@ -70,14 +70,14 @@ public class CreateCancellationsForBillingEventsCommand extends ConfirmingComman
               }
             });
     billingEventsToCancel = billingEventsBuilder.build();
-    System.out.printf("Found %d BillingEvent(s) to cancel\n", billingEventsToCancel.size());
+    printStream.printf("Found %d BillingEvent(s) to cancel\n", billingEventsToCancel.size());
     ImmutableSet<Long> missingIds = missingIdsBuilder.build();
     if (!missingIds.isEmpty()) {
-      System.out.printf("Missing BillingEvent(s) for IDs %s\n", missingIds);
+      printStream.printf("Missing BillingEvent(s) for IDs %s\n", missingIds);
     }
     ImmutableSet<Long> alreadyCancelledIds = alreadyCancelledIdsBuilder.build();
     if (!alreadyCancelledIds.isEmpty()) {
-      System.out.printf(
+      printStream.printf(
           "The following BillingEvent IDs were already cancelled: %s\n", alreadyCancelledIds);
     }
   }
@@ -96,7 +96,7 @@ public class CreateCancellationsForBillingEventsCommand extends ConfirmingComman
           tm().transact(
                   () -> {
                     if (alreadyCancelled(billingEvent)) {
-                      System.out.printf(
+                      printStream.printf(
                           "BillingEvent %d already cancelled, this is unexpected.\n",
                           billingEvent.getId());
                       return 0;
@@ -111,7 +111,7 @@ public class CreateCancellationsForBillingEventsCommand extends ConfirmingComman
                                 .setReason(BillingBase.Reason.ERROR)
                                 .setTargetId(billingEvent.getTargetId())
                                 .build());
-                    System.out.printf(
+                    printStream.printf(
                         "Added BillingCancellation for BillingEvent with ID %d\n",
                         billingEvent.getId());
                     return 1;

core/src/main/java/google/registry/tools/server/RefreshDnsForAllDomainsAction.java

@@ -19,6 +19,7 @@ import static com.google.common.collect.ImmutableList.toImmutableList;
 import static com.google.common.collect.Iterables.getLast;
 import static google.registry.dns.DnsUtils.requestDomainDnsRefresh;
 import static google.registry.model.tld.Tlds.assertTldsExist;
+import static google.registry.persistence.PersistenceModule.TransactionIsolationLevel.TRANSACTION_REPEATABLE_READ;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.RequestParameters.PARAM_TLDS;
 import static google.registry.util.DateTimeUtils.END_OF_TIME;
@@ -82,13 +83,16 @@ public class RefreshDnsForAllDomainsAction implements Runnable {
   public void run() {
     assertTldsExist(tlds);
     checkArgument(batchSize > 0, "Must specify a positive number for batch size");
-    int smearMinutes = tm().transact(this::calculateSmearMinutes);
+    int smearMinutes = tm().transact(this::calculateSmearMinutes, TRANSACTION_REPEATABLE_READ);
 
     ImmutableList<String> domainsBatch;
     @Nullable String lastInPreviousBatch = null;
     do {
       Optional<String> lastInPreviousBatchOpt = Optional.ofNullable(lastInPreviousBatch);
-      domainsBatch = tm().transact(() -> refreshBatch(lastInPreviousBatchOpt, smearMinutes));
+      domainsBatch =
+          tm().transact(
+                  () -> refreshBatch(lastInPreviousBatchOpt, smearMinutes),
+                  TRANSACTION_REPEATABLE_READ);
       lastInPreviousBatch = domainsBatch.isEmpty() ? null : getLast(domainsBatch);
     } while (domainsBatch.size() == batchSize);
   }

core/src/main/java/google/registry/ui/server/console/ConsoleUserDataAction.java

@@ -40,15 +40,24 @@ public class ConsoleUserDataAction implements JsonGetAction {
 
   private final AuthResult authResult;
   private final Response response;
+  private final String productName;
+  private final String supportPhoneNumber;
+  private final String supportEmail;
   private final String technicalDocsUrl;
 
   @Inject
   public ConsoleUserDataAction(
       AuthResult authResult,
       Response response,
+      @Config("productName") String productName,
+      @Config("supportEmail") String supportEmail,
+      @Config("supportPhoneNumber") String supportPhoneNumber,
       @Config("technicalDocsUrl") String technicalDocsUrl) {
     this.response = response;
     this.authResult = authResult;
+    this.productName = productName;
+    this.supportEmail = supportEmail;
+    this.supportPhoneNumber = supportPhoneNumber;
     this.technicalDocsUrl = technicalDocsUrl;
   }
 
@@ -74,6 +83,10 @@ public class ConsoleUserDataAction implements JsonGetAction {
                 // auth checks.
                 "isAdmin", user.getUserRoles().isAdmin(),
                 "globalRole", user.getUserRoles().getGlobalRole(),
+                // Include static contact resources in this call to minimize round trips
+                "productName", productName,
+                "supportEmail", supportEmail,
+                "supportPhoneNumber", supportPhoneNumber,
                 // Is used by UI to construct a link to registry resources
                 "technicalDocsUrl", technicalDocsUrl));
 

core/src/main/java/google/registry/ui/server/console/settings/SecurityAction.java

@@ -17,7 +17,6 @@ package google.registry.ui.server.console.settings;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.POST;
 
-import avro.shaded.com.google.common.collect.ImmutableList;
 import com.google.api.client.http.HttpStatusCodes;
 import com.google.gson.Gson;
 import google.registry.flows.certs.CertificateChecker;
@@ -103,42 +102,31 @@ public class SecurityAction implements JsonGetAction {
             .asBuilder()
             .setIpAddressAllowList(registrarParameter.getIpAddressAllowList());
 
-    boolean hasInvalidCerts =
-        ImmutableList.of(
-                registrarParameter.getClientCertificate(),
-                registrarParameter.getFailoverClientCertificate())
-            .stream()
-            .filter(Optional::isPresent)
-            .map(Optional::get)
-            .anyMatch(
-                cert -> {
-                  try {
-                    certificateChecker.validateCertificate(cert);
-                    return false;
-                  } catch (InsecureCertificateException e) {
-                    return true;
-                  }
-                });
-
-    if (hasInvalidCerts) {
+    try {
+      if (!savedRegistrar
+          .getClientCertificate()
+          .equals(registrarParameter.getClientCertificate())) {
+        if (registrarParameter.getClientCertificate().isPresent()) {
+          String newClientCert = registrarParameter.getClientCertificate().get();
+          certificateChecker.validateCertificate(newClientCert);
+          updatedRegistrar.setClientCertificate(newClientCert, tm().getTransactionTime());
+        }
+      }
+      if (!savedRegistrar
+          .getFailoverClientCertificate()
+          .equals(registrarParameter.getFailoverClientCertificate())) {
+        if (registrarParameter.getFailoverClientCertificate().isPresent()) {
+          String newFailoverCert = registrarParameter.getFailoverClientCertificate().get();
+          certificateChecker.validateCertificate(newFailoverCert);
+          updatedRegistrar.setFailoverClientCertificate(newFailoverCert, tm().getTransactionTime());
+        }
+      }
+    } catch (InsecureCertificateException e) {
       response.setStatus(HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
-      response.setPayload("Insecure Certificate in parameter");
+      response.setPayload("Invalid certificate in parameter");
       return;
     }
 
-    registrarParameter
-        .getClientCertificate()
-        .ifPresent(
-            newClientCert ->
-                updatedRegistrar.setClientCertificate(newClientCert, tm().getTransactionTime()));
-
-    registrarParameter
-        .getFailoverClientCertificate()
-        .ifPresent(
-            failoverCert ->
-                updatedRegistrar.setFailoverClientCertificate(
-                    failoverCert, tm().getTransactionTime()));
-
     tm().put(updatedRegistrar.build());
     response.setStatus(HttpStatusCodes.STATUS_CODE_OK);
   }

core/src/main/java/google/registry/whois/WhoisAction.java

@@ -51,7 +51,7 @@ import org.joda.time.DateTime;
     service = Action.Service.PUBAPI,
     path = "/_dr/whois",
     method = POST,
-    auth = Auth.AUTH_API_PUBLIC)
+    auth = Auth.AUTH_API_ADMIN)
 public class WhoisAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();

core/src/main/java/google/registry/xjc/JaxbFragment.java

@@ -1,105 +0,0 @@
-// Copyright 2017 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.xjc;
-
-import static java.nio.charset.StandardCharsets.UTF_8;
-
-import google.registry.xml.XmlException;
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.ObjectInputStream;
-import java.io.ObjectOutputStream;
-import java.io.Serializable;
-
-/**
- * JAXB element wrapper for java object serialization.
- *
- * Instances of {@link JaxbFragment} wrap a non-serializable JAXB element instance, and provide
- * hooks into the java object serialization process that allow the elements to be safely
- * marshalled and unmarshalled using {@link ObjectOutputStream} and {@link ObjectInputStream},
- * respectively.
- */
-public class JaxbFragment<T> implements Serializable {
-
-  private static final long serialVersionUID = 5651243983008818813L;
-
-  private T instance;
-
-  /** Stores a JAXB element in a {@link JaxbFragment} */
-  public static <T> JaxbFragment<T> create(T object) {
-    JaxbFragment<T> fragment = new JaxbFragment<>();
-    fragment.instance = object;
-    return fragment;
-  }
-
-  /** Serializes a JAXB element into xml bytes. */
-  private static <T> byte[] freezeInstance(T instance) throws IOException {
-    try {
-      ByteArrayOutputStream bout = new ByteArrayOutputStream();
-      XjcXmlTransformer.marshalLenient(instance, bout, UTF_8);
-      return bout.toByteArray();
-    } catch (XmlException e) {
-      throw new IOException(e);
-    }
-  }
-
-  /** Deserializes a JAXB element from xml bytes. */
-  private static <T> T unfreezeInstance(byte[] instanceData, Class<T> instanceType)
-      throws IOException {
-    try {
-      ByteArrayInputStream bin = new ByteArrayInputStream(instanceData);
-      return XjcXmlTransformer.unmarshal(instanceType, bin);
-    } catch (XmlException e) {
-      throw new IOException(e);
-    }
-  }
-
-  /**
-   * Retrieves the JAXB element that is wrapped by this fragment.
-   */
-  public T getInstance() {
-    return instance;
-  }
-
-  @Override
-  public String toString() {
-    try {
-      return new String(freezeInstance(instance), UTF_8);
-    } catch (IOException e) {
-      throw new RuntimeException(e);
-    }
-  }
-
-  private void writeObject(ObjectOutputStream out) throws IOException {
-    // write instanceType, then instanceData
-    out.writeObject(instance.getClass());
-    out.writeObject(freezeInstance(instance));
-  }
-
-  @SuppressWarnings("unchecked")
-  private void readObject(ObjectInputStream in) throws IOException {
-    // read instanceType, then instanceData
-    Class<T> instanceType;
-    byte[] instanceData;
-    try {
-      instanceType = (Class<T>) in.readObject();
-      instanceData = (byte[]) in.readObject();
-    } catch (ClassNotFoundException e) {
-      throw new RuntimeException(e);
-    }
-    instance = unfreezeInstance(instanceData, instanceType);
-  }
-}