Add cron config for the bsaDownload job in Sandbox (#2267)

* Add cron config for the bsaDownload job in Sandbox

build.gradle

@@ -60,9 +60,8 @@ dependencyLocking {
 }
 
 node {
-  download = true
-  version = "16.14.0"
-  npmVersion = "6.14.11"
+  download = false
+  version = "16.19.0"
 }
 
 wrapper {
@@ -348,6 +347,7 @@ subprojects {
 
   def services = [':services:default',
                   ':services:backend',
+                  ':services:bsa',
                   ':services:tools',
                   ':services:pubapi']
 

common/src/main/java/google/registry/util/BatchedStreams.java

@@ -0,0 +1,43 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.util;
+
+import static com.google.common.base.Preconditions.checkArgument;
+import static com.google.common.collect.Iterators.partition;
+import static com.google.common.collect.Iterators.transform;
+import static com.google.common.collect.Streams.stream;
+import static java.lang.Math.min;
+
+import com.google.common.collect.ImmutableList;
+import java.util.stream.Stream;
+
+/** Utilities for breaking up a {@link Stream} into batches. */
+public final class BatchedStreams {
+
+  static final int MAX_BATCH = 1024 * 1024;
+
+  private BatchedStreams() {}
+
+  /**
+   * Transform a flat {@link Stream} into a {@code Stream} of batches.
+   *
+   * <p>Closing the returned stream does not close the original stream.
+   */
+  public static <T> Stream<ImmutableList<T>> toBatches(Stream<T> stream, int batchSize) {
+    checkArgument(batchSize > 0, "batchSize must be a positive integer.");
+    return stream(
+        transform(partition(stream.iterator(), min(MAX_BATCH, batchSize)), ImmutableList::copyOf));
+  }
+}

common/src/test/java/google/registry/util/BatchedStreamsTest.java

@@ -0,0 +1,65 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.util;
+
+import static com.google.common.truth.Truth.assertThat;
+import static google.registry.util.BatchedStreams.toBatches;
+import static java.util.stream.Collectors.counting;
+import static java.util.stream.Collectors.groupingBy;
+import static org.junit.Assert.assertThrows;
+
+import com.google.common.collect.ImmutableList;
+import java.util.stream.IntStream;
+import java.util.stream.Stream;
+import org.junit.jupiter.api.Test;
+
+/** Unit tests for {@link BatchedStreams}. */
+public class BatchedStreamsTest {
+
+  @Test
+  void invalidBatchSize() {
+    assertThat(assertThrows(IllegalArgumentException.class, () -> toBatches(Stream.of(), 0)))
+        .hasMessageThat()
+        .contains("must be a positive integer");
+  }
+
+  @Test
+  void batch_success() {
+    // 900_002 elements -> 900 1K-batches + 1 2-element-batch
+    Stream<Integer> data = IntStream.rangeClosed(0, 900_001).boxed();
+    assertThat(
+            toBatches(data, 1000).map(ImmutableList::size).collect(groupingBy(x -> x, counting())))
+        .containsExactly(1000, 900L, 2, 1L);
+  }
+
+  @Test
+  void batch_partialBatch() {
+    Stream<Integer> data = Stream.of(1, 2, 3);
+    assertThat(
+            toBatches(data, 1000).map(ImmutableList::size).collect(groupingBy(x -> x, counting())))
+        .containsExactly(3, 1L);
+  }
+
+  @Test
+  void batch_truncateBatchSize() {
+    // 2M elements -> 2 1M-batches despite the user-specified 2M batch size.
+    Stream<Integer> data = IntStream.range(0, 1024 * 2048).boxed();
+    assertThat(
+            toBatches(data, 2_000_000)
+                .map(ImmutableList::size)
+                .collect(groupingBy(x -> x, counting())))
+        .containsExactly(1024 * 1024, 2L);
+  }
+}

console-webapp/angular.json

@@ -41,8 +41,8 @@
               "budgets": [
                 {
                   "type": "initial",
-                  "maximumWarning": "500kb",
-                  "maximumError": "1mb"
+                  "maximumWarning": "2mb",
+                  "maximumError": "5mb"
                 },
                 {
                   "type": "anyComponentStyle",

console-webapp/src/app/app-routing.module.ts

@@ -28,6 +28,7 @@ import ContactComponent from './settings/contact/contact.component';
 import WhoisComponent from './settings/whois/whois.component';
 import SecurityComponent from './settings/security/security.component';
 import UsersComponent from './settings/users/users.component';
+import { DomainListComponent } from './domains/domainList.component';
 
 const routes: Routes = [
   { path: '', redirectTo: '/home', pathMatch: 'full' },
@@ -35,6 +36,11 @@ const routes: Routes = [
   { path: 'empty-registrar', component: EmptyRegistrar },
   { path: 'home', component: HomeComponent, canActivate: [RegistrarGuard] },
   { path: 'tlds', component: TldsComponent, canActivate: [RegistrarGuard] },
+  {
+    path: DomainListComponent.PATH,
+    component: DomainListComponent,
+    canActivate: [RegistrarGuard],
+  },
   {
     path: SettingsComponent.PATH,
     component: SettingsComponent,

console-webapp/src/app/app.component.scss

@@ -37,7 +37,7 @@
       background-color: transparent;
     }
     .active {
-      background: #eae1e1;
+      background-color: var(--secondary);
     }
   }
   &__content-wrapper {

console-webapp/src/app/app.component.ts

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import { Component, ViewChild } from '@angular/core';
+import { AfterViewInit, Component, ViewChild } from '@angular/core';
 import { RegistrarService } from './registrar/registrar.service';
 import { UserDataService } from './shared/services/userData.service';
 import { GlobalLoaderService } from './shared/services/globalLoader.service';
@@ -24,7 +24,7 @@ import { MatSidenav } from '@angular/material/sidenav';
   templateUrl: './app.component.html',
   styleUrls: ['./app.component.scss'],
 })
-export class AppComponent {
+export class AppComponent implements AfterViewInit {
   renderRouter: boolean = true;
 
   @ViewChild('sidenav')

console-webapp/src/app/app.module.ts

@@ -36,24 +36,31 @@ import { RegistrarGuard } from './registrar/registrar.guard';
 import SecurityComponent from './settings/security/security.component';
 import { MAT_FORM_FIELD_DEFAULT_OPTIONS } from '@angular/material/form-field';
 import { EmptyRegistrar } from './registrar/emptyRegistrar.component';
-import { RegistrarSelectorComponent } from './registrar/registrar-selector.component';
+import { RegistrarSelectorComponent } from './registrar/registrarSelector.component';
 import { GlobalLoaderService } from './shared/services/globalLoader.service';
-import { ContactWidgetComponent } from './home/widgets/contact-widget.component';
-import { PromotionsWidgetComponent } from './home/widgets/promotions-widget.component';
-import { TldsWidgetComponent } from './home/widgets/tlds-widget.component';
-import { ResourcesWidgetComponent } from './home/widgets/resources-widget.component';
-import { EppWidgetComponent } from './home/widgets/epp-widget.component';
-import { BillingWidgetComponent } from './home/widgets/billing-widget.component';
-import { DomainsWidgetComponent } from './home/widgets/domains-widget.component';
-import { SettingsWidgetComponent } from './home/widgets/settings-widget.component';
+import { ContactWidgetComponent } from './home/widgets/contactWidget.component';
+import { PromotionsWidgetComponent } from './home/widgets/promotionsWidget.component';
+import { TldsWidgetComponent } from './home/widgets/tldsWidget.component';
+import { ResourcesWidgetComponent } from './home/widgets/resourcesWidget.component';
+import { EppWidgetComponent } from './home/widgets/eppWidget.component';
+import { BillingWidgetComponent } from './home/widgets/billingWidget.component';
+import { DomainsWidgetComponent } from './home/widgets/domainsWidget.component';
+import { SettingsWidgetComponent } from './home/widgets/settingsWidget.component';
 import { UserDataService } from './shared/services/userData.service';
+import WhoisComponent from './settings/whois/whois.component';
+import { SnackBarModule } from './snackbar.module';
+import { RegistrarDetailsComponent } from './registrar/registrarDetails.component';
+import { DomainListComponent } from './domains/domainList.component';
+import { DialogBottomSheetWrapper } from './shared/components/dialogBottomSheet.component';
 
 @NgModule({
   declarations: [
     AppComponent,
+    DialogBottomSheetWrapper,
     BillingWidgetComponent,
     ContactDetailsDialogComponent,
     ContactWidgetComponent,
+    DomainListComponent,
     DomainsWidgetComponent,
     EmptyRegistrar,
     EppWidgetComponent,
@@ -61,6 +68,7 @@ import { UserDataService } from './shared/services/userData.service';
     HomeComponent,
     PromotionsWidgetComponent,
     RegistrarComponent,
+    RegistrarDetailsComponent,
     RegistrarSelectorComponent,
     ResourcesWidgetComponent,
     SecurityComponent,
@@ -69,6 +77,7 @@ import { UserDataService } from './shared/services/userData.service';
     SettingsWidgetComponent,
     TldsComponent,
     TldsWidgetComponent,
+    WhoisComponent,
   ],
   imports: [
     AppRoutingModule,
@@ -77,6 +86,7 @@ import { UserDataService } from './shared/services/userData.service';
     FormsModule,
     HttpClientModule,
     MaterialModule,
+    SnackBarModule,
   ],
   providers: [
     BackendService,

console-webapp/src/app/domains/domainList.component.html

@@ -0,0 +1,60 @@
+<div class="console-domains">
+  <mat-form-field>
+    <mat-label>Filter</mat-label>
+    <input
+      type="search"
+      matInput
+      [(ngModel)]="searchTerm"
+      (ngModelChange)="sendInput()"
+      #input
+    />
+  </mat-form-field>
+
+  <div *ngIf="isLoading; else domains_content" class="console-domains__loading">
+    <mat-progress-bar mode="indeterminate"></mat-progress-bar>
+  </div>
+  <ng-template #domains_content>
+    <table mat-table [dataSource]="dataSource" class="mat-elevation-z8">
+      <ng-container matColumnDef="domainName">
+        <th mat-header-cell *matHeaderCellDef>Domain Name</th>
+        <td mat-cell *matCellDef="let element">{{ element.domainName }}</td>
+      </ng-container>
+
+      <ng-container matColumnDef="creationTime">
+        <th mat-header-cell *matHeaderCellDef>Creation Time</th>
+        <td mat-cell *matCellDef="let element">
+          {{ element.creationTime.creationTime }}
+        </td>
+      </ng-container>
+
+      <ng-container matColumnDef="registrationExpirationTime">
+        <th mat-header-cell *matHeaderCellDef>Expiration Time</th>
+        <td mat-cell *matCellDef="let element">
+          {{ element.registrationExpirationTime }}
+        </td>
+      </ng-container>
+
+      <ng-container matColumnDef="statuses">
+        <th mat-header-cell *matHeaderCellDef>Statuses</th>
+        <td mat-cell *matCellDef="let element">{{ element.statuses }}</td>
+      </ng-container>
+
+      <tr mat-header-row *matHeaderRowDef="displayedColumns"></tr>
+      <tr mat-row *matRowDef="let row; columns: displayedColumns"></tr>
+
+      <!-- Row shown when there is no matching data. -->
+      <tr class="mat-row" *matNoDataRow>
+        <td class="mat-cell" colspan="4">No domains found</td>
+      </tr>
+    </table>
+    <mat-paginator
+      [length]="totalResults"
+      [pageIndex]="pageNumber"
+      [pageSize]="resultsPerPage"
+      [pageSizeOptions]="[10, 25, 50, 100, 500]"
+      (page)="onPageChange($event)"
+      aria-label="Select page of domain results"
+      showFirstLastButtons
+    ></mat-paginator>
+  </ng-template>
+</div>

console-webapp/src/app/domains/domainList.component.spec.ts

@@ -0,0 +1,36 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { ComponentFixture, TestBed } from '@angular/core/testing';
+
+import { DomainListComponent } from './domainList.component';
+
+describe('DomainListComponent', () => {
+  let component: DomainListComponent;
+  let fixture: ComponentFixture<DomainListComponent>;
+
+  beforeEach(async () => {
+    await TestBed.configureTestingModule({
+      declarations: [DomainListComponent],
+    }).compileComponents();
+
+    fixture = TestBed.createComponent(DomainListComponent);
+    component = fixture.componentInstance;
+    fixture.detectChanges();
+  });
+
+  it('should create', () => {
+    expect(component).toBeTruthy();
+  });
+});

console-webapp/src/app/domains/domainList.component.ts

@@ -0,0 +1,98 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Component, ViewChild } from '@angular/core';
+import { MatTableDataSource } from '@angular/material/table';
+import { BackendService } from '../shared/services/backend.service';
+import { MatPaginator, PageEvent } from '@angular/material/paginator';
+import { RegistrarService } from '../registrar/registrar.service';
+import { Domain, DomainListService } from './domainList.service';
+import { Subject, debounceTime } from 'rxjs';
+
+@Component({
+  selector: 'app-domain-list',
+  templateUrl: './domainList.component.html',
+  styleUrls: ['./domainList.component.scss'],
+  providers: [DomainListService],
+})
+export class DomainListComponent {
+  public static PATH = 'domain-list';
+  private readonly DEBOUNCE_MS = 500;
+
+  displayedColumns: string[] = [
+    'domainName',
+    'creationTime',
+    'registrationExpirationTime',
+    'statuses',
+  ];
+
+  dataSource: MatTableDataSource<Domain> = new MatTableDataSource();
+  isLoading = true;
+
+  searchTermSubject = new Subject<string>();
+  searchTerm?: string;
+
+  pageNumber?: number;
+  resultsPerPage = 50;
+  totalResults?: number;
+
+  @ViewChild(MatPaginator, { static: true }) paginator!: MatPaginator;
+
+  constructor(
+    private backendService: BackendService,
+    private domainListService: DomainListService,
+    private registrarService: RegistrarService
+  ) {}
+
+  ngOnInit() {
+    this.dataSource.paginator = this.paginator;
+    // Don't spam the server unnecessarily while the user is typing
+    this.searchTermSubject
+      .pipe(debounceTime(this.DEBOUNCE_MS))
+      .subscribe((searchTermValue) => {
+        this.reloadData();
+      });
+    this.reloadData();
+  }
+
+  ngOnDestroy() {
+    this.searchTermSubject.complete();
+  }
+
+  reloadData() {
+    this.isLoading = true;
+    this.domainListService
+      .retrieveDomains(
+        this.pageNumber,
+        this.resultsPerPage,
+        this.totalResults,
+        this.searchTerm
+      )
+      .subscribe((domainListResult) => {
+        this.dataSource.data = domainListResult.domains;
+        this.totalResults = domainListResult.totalResults;
+        this.isLoading = false;
+      });
+  }
+
+  sendInput() {
+    this.searchTermSubject.next(this.searchTerm!);
+  }
+
+  onPageChange(event: PageEvent) {
+    this.pageNumber = event.pageIndex;
+    this.resultsPerPage = event.pageSize;
+    this.reloadData();
+  }
+}

console-webapp/src/app/domains/domainList.service.ts

@@ -0,0 +1,68 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Injectable } from '@angular/core';
+import { BackendService } from '../shared/services/backend.service';
+import { RegistrarService } from '../registrar/registrar.service';
+import { tap } from 'rxjs';
+
+export interface CreateAutoTimestamp {
+  creationTime: string;
+}
+
+export interface Domain {
+  creationTime: CreateAutoTimestamp;
+  currentSponsorRegistrarId: string;
+  domainName: string;
+  registrationExpirationTime: string;
+  statuses: string[];
+}
+
+export interface DomainListResult {
+  checkpointTime: string;
+  domains: Domain[];
+  totalResults: number;
+}
+
+@Injectable()
+export class DomainListService {
+  checkpointTime?: string;
+
+  constructor(
+    private backendService: BackendService,
+    private registrarService: RegistrarService
+  ) {}
+
+  retrieveDomains(
+    pageNumber?: number,
+    resultsPerPage?: number,
+    totalResults?: number,
+    searchTerm?: string
+  ) {
+    return this.backendService
+      .getDomains(
+        this.registrarService.activeRegistrarId,
+        this.checkpointTime,
+        pageNumber,
+        resultsPerPage,
+        totalResults,
+        searchTerm
+      )
+      .pipe(
+        tap((domainListResult: DomainListResult) => {
+          this.checkpointTime = domainListResult.checkpointTime;
+        })
+      );
+  }
+}

console-webapp/src/app/header/header.component.html

@@ -1,24 +1,30 @@
-<p>
+<p class="console-app__header">
   <mat-toolbar color="primary">
     <button mat-icon-button aria-label="Open menu" (click)="toggleNavPane()">
       <mat-icon>menu</mat-icon>
     </button>
-    <span>
-      <a
-        [routerLink]="'/home'"
-        routerLinkActive="active"
-        class="console-app__logo"
-      >
-        Google Registry
-      </a>
-    </span>
+    <a
+      [routerLink]="'/home'"
+      routerLinkActive="active"
+      class="console-app__logo"
+    >
+      Google Registry
+    </a>
     <span class="spacer"></span>
     <app-registrar-selector />
     <button mat-icon-button aria-label="Open FAQ">
       <mat-icon>question_mark</mat-icon>
     </button>
-    <button mat-icon-button aria-label="Open user info">
+    <button
+      mat-icon-button
+      [matMenuTriggerFor]="menu"
+      #menuTrigger
+      aria-label="Open user info"
+    >
       <mat-icon>person</mat-icon>
     </button>
+    <mat-menu #menu="matMenu">
+      <button mat-menu-item (click)="logOut()">Log out</button>
+    </mat-menu>
   </mat-toolbar>
 </p>

console-webapp/src/app/header/header.component.scss

@@ -17,6 +17,21 @@
     color: inherit;
     text-decoration: none;
   }
+  &__header {
+    @media (max-width: 599px) {
+      .mat-toolbar {
+        padding: 0;
+      }
+      .console-app__logo {
+        font-size: 16px;
+      }
+      button {
+        padding-left: 0;
+        padding-right: 0;
+        width: 30px;
+      }
+    }
+  }
 }
 .spacer {
   flex: 1;

console-webapp/src/app/header/header.component.ts

@@ -28,4 +28,8 @@ export class HeaderComponent {
     this.isNavOpen = !this.isNavOpen;
     this.toggleNavOpen.emit(this.isNavOpen);
   }
+
+  logOut() {
+    window.open('/console?gcp-iap-mode=CLEAR_LOGIN_COOKIE', '_self');
+  }
 }

console-webapp/src/app/home/home.component.scss

@@ -29,4 +29,9 @@
       }
     }
   }
+  @media (max-width: 510px) {
+    .console-app__widget-wrapper__wide {
+      grid-column: initial;
+    }
+  }
 }

console-webapp/src/app/home/widgets/billingWidget.component.ts

@@ -17,7 +17,7 @@ import { RegistrarService } from 'src/app/registrar/registrar.service';
 
 @Component({
   selector: '[app-billing-widget]',
-  templateUrl: './billing-widget.component.html',
+  templateUrl: './billingWidget.component.html',
 })
 export class BillingWidgetComponent {
   constructor(public registrarService: RegistrarService) {}

console-webapp/src/app/home/widgets/contact-widget.component.html

@@ -1,27 +0,0 @@
-<mat-card>
-  <mat-card-content>
-    <div class="console-app__widget">
-      <div class="console-app__widget_left">
-        <mat-icon class="console-app__widget-icon">call</mat-icon>
-        <h1 class="console-app__widget-title">Contact Support</h1>
-        <h4 class="secondary-text text-center">
-          View Google Registry support email and phone information
-        </h4>
-      </div>
-      <div class="console-app__widget_right">
-        <button mat-button color="primary" class="console-app__widget-link">
-          Give us a Call
-        </button>
-        <p class="secondary-text">
-          Call Google Registry support at <b>+1 (404) 978 8419</b>
-        </p>
-        <button mat-button color="primary" class="console-app__widget-link">
-          Send us an Email
-        </button>
-        <p class="secondary-text">
-          Email Google Registry at <b>support@google.com</b>
-        </p>
-      </div>
-    </div>
-  </mat-card-content>
-</mat-card>

console-webapp/src/app/home/widgets/contactWidget.component.html

@@ -0,0 +1,29 @@
+<mat-card>
+  <mat-card-content>
+    <div class="console-app__widget">
+      <div class="console-app__widget_left">
+        <mat-icon class="console-app__widget-icon">call</mat-icon>
+        <h1 class="console-app__widget-title">Contact Support</h1>
+        <h4 class="secondary-text text-center">
+          Let us know if you have any questions
+        </h4>
+      </div>
+      <div class="console-app__widget_right">
+        <div class="console-app__widget-section-header">Give us a Call</div>
+        <p class="secondary-text">
+          Call {{ userDataService.userData?.productName }} support at
+          <a href="tel:{{ userDataService.userData?.supportPhoneNumber }}">{{
+            userDataService.userData?.supportPhoneNumber
+          }}</a>
+        </p>
+        <div class="console-app__widget-section-header">Send us an Email</div>
+        <p class="secondary-text">
+          Email {{ userDataService.userData?.productName }} at
+          <a href="mailto:{{ userDataService.userData?.supportEmail }}">{{
+            userDataService.userData?.supportEmail
+          }}</a>
+        </p>
+      </div>
+    </div>
+  </mat-card-content>
+</mat-card>

console-webapp/src/app/home/widgets/contactWidget.component.ts

@@ -13,11 +13,12 @@
 // limitations under the License.
 
 import { Component } from '@angular/core';
+import { UserDataService } from 'src/app/shared/services/userData.service';
 
 @Component({
   selector: '[app-contact-widget]',
-  templateUrl: './contact-widget.component.html',
+  templateUrl: './contactWidget.component.html',
 })
 export class ContactWidgetComponent {
-  constructor() {}
+  constructor(public userDataService: UserDataService) {}
 }

console-webapp/src/app/home/widgets/domainsWidget.component.html

@@ -13,7 +13,12 @@
           Create a Domain
         </button>
         <p class="secondary-text">Register a new domain name</p>
-        <button mat-button color="primary" class="console-app__widget-link">
+        <button
+          mat-button
+          color="primary"
+          class="console-app__widget-link"
+          (click)="openDomainsPage()"
+        >
           View DUMs
         </button>
         <p class="secondary-text">

console-webapp/src/app/home/widgets/domainsWidget.component.ts

@@ -0,0 +1,29 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Component } from '@angular/core';
+import { Router } from '@angular/router';
+import { DomainListComponent } from 'src/app/domains/domainList.component';
+
+@Component({
+  selector: '[app-domains-widget]',
+  templateUrl: './domainsWidget.component.html',
+})
+export class DomainsWidgetComponent {
+  constructor(private router: Router) {}
+
+  openDomainsPage() {
+    this.router.navigate([DomainListComponent.PATH]);
+  }
+}

console-webapp/src/app/home/widgets/eppWidget.component.ts

@@ -16,7 +16,7 @@ import { Component } from '@angular/core';
 
 @Component({
   selector: '[app-epp-widget]',
-  templateUrl: './epp-widget.component.html',
+  templateUrl: './eppWidget.component.html',
 })
 export class EppWidgetComponent {
   constructor() {}

console-webapp/src/app/home/widgets/promotionsWidget.component.ts

@@ -16,7 +16,7 @@ import { Component } from '@angular/core';
 
 @Component({
   selector: '[app-promotions-widget]',
-  templateUrl: './promotions-widget.component.html',
+  templateUrl: './promotionsWidget.component.html',
 })
 export class PromotionsWidgetComponent {
   constructor() {}

console-webapp/src/app/home/widgets/resourcesWidget.component.html

@@ -4,6 +4,7 @@
       <a
         class="console-app__widget_left"
         href="{{ userDataService.userData?.technicalDocsUrl }}"
+        target="_blank"
       >
         <mat-icon class="console-app__widget-icon">menu_book</mat-icon>
         <h1 class="console-app__widget-title">Resources</h1>

console-webapp/src/app/home/widgets/resourcesWidget.component.ts

@@ -17,7 +17,7 @@ import { UserDataService } from 'src/app/shared/services/userData.service';
 
 @Component({
   selector: '[app-resources-widget]',
-  templateUrl: './resources-widget.component.html',
+  templateUrl: './resourcesWidget.component.html',
 })
 export class ResourcesWidgetComponent {
   constructor(public userDataService: UserDataService) {}

console-webapp/src/app/home/widgets/settingsWidget.component.ts

@@ -21,7 +21,7 @@ import { SettingsComponent } from 'src/app/settings/settings.component';
 
 @Component({
   selector: '[app-settings-widget]',
-  templateUrl: './settings-widget.component.html',
+  templateUrl: './settingsWidget.component.html',
 })
 export class SettingsWidgetComponent {
   constructor(private router: Router) {}

console-webapp/src/app/home/widgets/tldsWidget.component.ts

@@ -16,7 +16,7 @@ import { Component } from '@angular/core';
 
 @Component({
   selector: '[app-tlds-widget]',
-  templateUrl: './tlds-widget.component.html',
+  templateUrl: './tldsWidget.component.html',
 })
 export class TldsWidgetComponent {
   constructor() {}

console-webapp/src/app/material.module.ts

@@ -45,6 +45,7 @@ import { DialogModule } from '@angular/cdk/dialog';
 import { MatSidenavModule } from '@angular/material/sidenav';
 import { MatSnackBarModule } from '@angular/material/snack-bar';
 import { MatPaginatorModule } from '@angular/material/paginator';
+import { MatChipsModule } from '@angular/material/chips';
 
 @NgModule({
   exports: [
@@ -81,6 +82,7 @@ import { MatPaginatorModule } from '@angular/material/paginator';
     DialogModule,
     MatSnackBarModule,
     MatPaginatorModule,
+    MatChipsModule,
   ],
 })
 export class MaterialModule {}

console-webapp/src/app/registrar/emptyRegistrar.component.scss

@@ -8,6 +8,7 @@
     left: 50%;
     top: 50%;
     transform: translate(-50%, -50%);
+    white-space: nowrap;
 
     &-icon {
       transform: scale(3);

console-webapp/src/app/registrar/registrar-selector.component.ts

@@ -1,25 +0,0 @@
-// Copyright 2023 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-import { Component } from '@angular/core';
-import { RegistrarService } from './registrar.service';
-
-@Component({
-  selector: 'app-registrar-selector',
-  templateUrl: './registrar-selector.component.html',
-  styleUrls: ['./registrar-selector.component.scss'],
-})
-export class RegistrarSelectorComponent {
-  constructor(protected registrarService: RegistrarService) {}
-}

console-webapp/src/app/registrar/registrar.guard.ts

@@ -13,7 +13,11 @@
 // limitations under the License.
 
 import { Injectable } from '@angular/core';
-import { Router } from '@angular/router';
+import {
+  ActivatedRouteSnapshot,
+  Router,
+  RouterStateSnapshot,
+} from '@angular/router';
 
 import { RegistrarService } from './registrar.service';
 
@@ -26,13 +30,16 @@ export class RegistrarGuard {
     private registrarService: RegistrarService
   ) {}
 
-  canActivate(): Promise<boolean> | boolean {
+  canActivate(
+    _: ActivatedRouteSnapshot,
+    state: RouterStateSnapshot
+  ): Promise<boolean> | boolean {
     if (this.registrarService.activeRegistrarId) {
       return true;
     }
-    // Get the full URL including any nested children (skip the initial '#/')
-    // NB: an empty nextUrl takes the user to the home page
-    const nextUrl = location.hash.split('#/')[1] || '';
-    return this.router.navigate([`/empty-registrar`, { nextUrl }]);
+    return this.router.navigate([
+      `/empty-registrar`,
+      { nextUrl: state.url || '' },
+    ]);
   }
 }

console-webapp/src/app/registrar/registrar.service.ts

@@ -13,15 +13,16 @@
 // limitations under the License.
 
 import { Injectable } from '@angular/core';
-import { BackendService } from '../shared/services/backend.service';
 import { Observable, Subject, tap } from 'rxjs';
+
+import { BackendService } from '../shared/services/backend.service';
 import {
   GlobalLoader,
   GlobalLoaderService,
 } from '../shared/services/globalLoader.service';
 import { MatSnackBar } from '@angular/material/snack-bar';
 
-interface Address {
+export interface Address {
   street?: string[];
   city?: string;
   countryCode?: string;
@@ -31,16 +32,20 @@ interface Address {
 
 export interface Registrar {
   allowedTlds?: string[];
-  ipAddressAllowList?: string[];
-  emailAddress?: string;
   billingAccountMap?: object;
   driveFolderId?: string;
+  emailAddress?: string;
+  faxNumber?: string;
   ianaIdentifier?: number;
   icannReferralEmail?: string;
+  ipAddressAllowList?: string[];
   localizedAddress?: Address;
+  phoneNumber?: string;
   registrarId: string;
   registrarName: string;
   registryLockAllowed?: boolean;
+  url?: string;
+  whoisServer?: string;
 }
 
 @Injectable({
@@ -68,7 +73,7 @@ export class RegistrarService implements GlobalLoader {
     )[0];
   }
 
-  public updateRegistrar(registrarId: string) {
+  public updateSelectedRegistrar(registrarId: string) {
     this.activeRegistrarId = registrarId;
     this.activeRegistrarIdChange.next(registrarId);
   }
@@ -84,8 +89,6 @@ export class RegistrarService implements GlobalLoader {
   }
 
   loadingTimeout() {
-    this._snackBar.open('Timeout loading registrars', undefined, {
-      duration: 1500,
-    });
+    this._snackBar.open('Timeout loading registrars');
   }
 }

console-webapp/src/app/registrar/registrarDetails.component.html

@@ -0,0 +1,40 @@
+<div class="registrarDetails" *ngIf="registrarInEdit">
+  <h3 mat-dialog-title>Edit Registrar: {{ registrarInEdit.registrarId }}</h3>
+  <div mat-dialog-content>
+    <form (ngSubmit)="saveAndClose()">
+      <mat-form-field class="registrarDetails__input">
+        <mat-label>Registry Lock:</mat-label>
+        <mat-select
+          [(ngModel)]="registrarInEdit.registryLockAllowed"
+          name="registryLockAllowed"
+        >
+          <mat-option [value]="true">True</mat-option>
+          <mat-option [value]="false">False</mat-option>
+        </mat-select>
+      </mat-form-field>
+      <mat-form-field class="registrarDetails__input">
+        <mat-label>Onboarded TLDs: </mat-label>
+        <mat-chip-grid #chipGrid aria-label="Enter TLD">
+          <mat-chip-row
+            *ngFor="let tld of registrarInEdit.allowedTlds"
+            (removed)="removeTLD(tld)"
+          >
+            {{ tld }}
+            <button matChipRemove aria-label="'remove ' + tld">
+              <mat-icon>cancel</mat-icon>
+            </button>
+          </mat-chip-row>
+        </mat-chip-grid>
+        <input
+          placeholder="New tld..."
+          [matChipInputFor]="chipGrid"
+          (matChipInputTokenEnd)="addTLD($event)"
+        />
+      </mat-form-field>
+      <mat-dialog-actions>
+        <button mat-button (click)="this.params?.close()">Cancel</button>
+        <button type="submit" mat-button color="primary">Save</button>
+      </mat-dialog-actions>
+    </form>
+  </div>
+</div>

console-webapp/src/app/registrar/registrarDetails.component.scss

@@ -0,0 +1,8 @@
+.registrarDetails {
+  min-width: 30vw;
+
+  &__input {
+    display: block;
+    margin-top: 0.5rem;
+  }
+}

console-webapp/src/app/registrar/registrarDetails.component.ts

@@ -0,0 +1,61 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Component } from '@angular/core';
+import { Registrar, RegistrarService } from './registrar.service';
+import { MatChipInputEvent } from '@angular/material/chips';
+import { DialogBottomSheetContent } from '../shared/components/dialogBottomSheet.component';
+
+type RegistrarDetailsParams = {
+  close: Function;
+  data: {
+    registrar: Registrar;
+  };
+};
+
+@Component({
+  selector: 'app-registrar-details',
+  templateUrl: './registrarDetails.component.html',
+  styleUrls: ['./registrarDetails.component.scss'],
+})
+export class RegistrarDetailsComponent implements DialogBottomSheetContent {
+  registrarInEdit!: Registrar;
+  params?: RegistrarDetailsParams;
+
+  constructor(protected registrarService: RegistrarService) {}
+
+  init(params: RegistrarDetailsParams) {
+    this.params = params;
+    this.registrarInEdit = JSON.parse(
+      JSON.stringify(this.params.data.registrar)
+    );
+  }
+
+  saveAndClose() {
+    this.params?.close();
+  }
+
+  addTLD(e: MatChipInputEvent) {
+    this.removeTLD(e.value); // Prevent dups
+    this.registrarInEdit.allowedTlds = this.registrarInEdit.allowedTlds?.concat(
+      [e.value.toLowerCase()]
+    );
+  }
+
+  removeTLD(tld: string) {
+    this.registrarInEdit.allowedTlds = this.registrarInEdit.allowedTlds?.filter(
+      (v) => v != tld
+    );
+  }
+}

console-webapp/src/app/registrar/registrarSelector.component.html

@@ -1,10 +1,21 @@
 <div class="console-app__registrar">
-  <div>
+  <button
+    mat-button
+    [routerLink]="'/settings/registrars'"
+    routerLinkActive="active"
+    *ngIf="isMobile; else desktop"
+  >
+    {{ registrarService.activeRegistrarId || "Select registrar" }}
+    <mat-icon>open_in_new</mat-icon>
+  </button>
+  <ng-template #desktop>
     <mat-form-field class="mat-form-field-density-5" appearance="fill">
       <mat-label>Registrar</mat-label>
       <mat-select
         [ngModel]="registrarService.activeRegistrarId"
-        (selectionChange)="registrarService.updateRegistrar($event.value)"
+        (selectionChange)="
+          registrarService.updateSelectedRegistrar($event.value)
+        "
       >
         <mat-option
           *ngFor="let registrar of registrarService.registrars"
@@ -14,5 +25,5 @@
         </mat-option>
       </mat-select>
     </mat-form-field>
-  </div>
+  </ng-template>
 </div>

console-webapp/src/app/registrar/registrarSelector.component.spec.ts

@@ -14,7 +14,7 @@
 
 import { ComponentFixture, TestBed } from '@angular/core/testing';
 
-import { RegistrarSelectorComponent } from './registrar-selector.component';
+import { RegistrarSelectorComponent } from './registrarSelector.component';
 
 describe('RegistrarSelectorComponent', () => {
   let component: RegistrarSelectorComponent;

console-webapp/src/app/registrar/registrarSelector.component.ts

@@ -0,0 +1,46 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Component, OnInit } from '@angular/core';
+import { RegistrarService } from './registrar.service';
+import { BreakpointObserver } from '@angular/cdk/layout';
+import { distinctUntilChanged } from 'rxjs';
+
+const MOBILE_LAYOUT_BREAKPOINT = '(max-width: 599px)';
+
+@Component({
+  selector: 'app-registrar-selector',
+  templateUrl: './registrarSelector.component.html',
+  styleUrls: ['./registrarSelector.component.scss'],
+})
+export class RegistrarSelectorComponent implements OnInit {
+  protected isMobile: boolean = false;
+
+  readonly breakpoint$ = this.breakpointObserver
+    .observe([MOBILE_LAYOUT_BREAKPOINT])
+    .pipe(distinctUntilChanged());
+
+  constructor(
+    protected registrarService: RegistrarService,
+    protected breakpointObserver: BreakpointObserver
+  ) {}
+
+  ngOnInit(): void {
+    this.breakpoint$.subscribe(() => this.breakpointChanged());
+  }
+
+  private breakpointChanged() {
+    this.isMobile = this.breakpointObserver.isMatched(MOBILE_LAYOUT_BREAKPOINT);
+  }
+}

console-webapp/src/app/registrar/registrarsTable.component.html

@@ -1,25 +1,54 @@
 <div class="console-app__registrars">
-  <table
-    mat-table
-    [dataSource]="registrarService.registrars"
+  <mat-form-field class="console-app__registrars-filter">
+    <mat-label>Search</mat-label>
+    <input
+      matInput
+      (keyup)="applyFilter($event)"
+      placeholder="..."
+      type="search"
+    />
+    <mat-icon matPrefix>search</mat-icon>
+  </mat-form-field>
+  <mat-table
+    [dataSource]="dataSource"
     class="mat-elevation-z8"
+    class="console-app__registrars-table"
+    matSort
   >
+    <ng-container matColumnDef="edit">
+      <mat-header-cell *matHeaderCellDef></mat-header-cell>
+      <mat-cell *matCellDef="let row">
+        <button
+          mat-icon-button
+          color="primary"
+          aria-label="Edit registrar"
+          (click)="openDetails($event, row)"
+        >
+          <mat-icon>edit</mat-icon>
+        </button>
+      </mat-cell>
+    </ng-container>
+
     <ng-container
       *ngFor="let column of columns"
       [matColumnDef]="column.columnDef"
     >
-      <th mat-header-cell *matHeaderCellDef>
-        {{ column.header }}
-      </th>
-      <td mat-cell *matCellDef="let row" [innerHTML]="column.cell(row)"></td>
+      <mat-header-cell *matHeaderCellDef> {{ column.header }} </mat-header-cell>
+      <mat-cell *matCellDef="let row" [innerHTML]="column.cell(row)"></mat-cell>
     </ng-container>
+    <mat-header-row *matHeaderRowDef="displayedColumns"></mat-header-row>
+    <mat-row
+      *matRowDef="let row; columns: displayedColumns"
+      (click)="registrarService.updateSelectedRegistrar(row.registrarId)"
+    ></mat-row>
+  </mat-table>
 
-    <tr mat-header-row *matHeaderRowDef="displayedColumns"></tr>
-    <tr mat-row *matRowDef="let row; columns: displayedColumns"></tr>
-  </table>
   <mat-paginator
     class="mat-elevation-z8"
     [pageSizeOptions]="[5, 10, 20]"
     showFirstLastButtons
   ></mat-paginator>
+  <app-dialog-bottom-sheet-wrapper
+    #registrarDetailsView
+  ></app-dialog-bottom-sheet-wrapper>
 </div>

console-webapp/src/app/registrar/registrarsTable.component.scss

@@ -1,5 +1,36 @@
 .console-app {
+  $min-width: 756px;
+
   &__registrars {
     margin-top: 1.5rem;
+    width: 100%;
+    overflow: auto;
+  }
+
+  &__registrars-filter {
+    min-width: $min-width !important;
+    width: 100%;
+  }
+
+  &__registrars-table {
+    min-width: $min-width !important;
+  }
+
+  .mat-mdc-paginator {
+    min-width: $min-width !important;
+  }
+
+  .mat-column {
+    &-edit {
+      max-width: 55px;
+      padding-left: 5px;
+    }
+    &-driveId {
+      min-width: 200px;
+      word-break: break-all;
+    }
+    &-registryLockAllowed {
+      max-width: 80px;
+    }
   }
 }

console-webapp/src/app/registrar/registrarsTable.component.ts

@@ -12,16 +12,23 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import { Component } from '@angular/core';
+import { Component, ViewChild, ViewEncapsulation } from '@angular/core';
 import { Registrar, RegistrarService } from './registrar.service';
+import { MatPaginator } from '@angular/material/paginator';
+import { MatSort } from '@angular/material/sort';
+import { MatTableDataSource } from '@angular/material/table';
+import { RegistrarDetailsComponent } from './registrarDetails.component';
+import { DialogBottomSheetWrapper } from '../shared/components/dialogBottomSheet.component';
 
 @Component({
   selector: 'app-registrar',
   templateUrl: './registrarsTable.component.html',
   styleUrls: ['./registrarsTable.component.scss'],
+  encapsulation: ViewEncapsulation.None,
 })
 export class RegistrarComponent {
   public static PATH = 'registrars';
+  dataSource: MatTableDataSource<Registrar>;
   columns = [
     {
       columnDef: 'registrarId',
@@ -71,6 +78,34 @@ export class RegistrarComponent {
       cell: (record: Registrar) => `${record.driveFolderId || ''}`,
     },
   ];
-  displayedColumns = this.columns.map((c) => c.columnDef);
-  constructor(protected registrarService: RegistrarService) {}
+  displayedColumns = ['edit'].concat(this.columns.map((c) => c.columnDef));
+
+  @ViewChild(MatPaginator) paginator!: MatPaginator;
+  @ViewChild(MatSort) sort!: MatSort;
+  @ViewChild('registrarDetailsView')
+  detailsComponentWrapper!: DialogBottomSheetWrapper;
+
+  constructor(protected registrarService: RegistrarService) {
+    this.dataSource = new MatTableDataSource<Registrar>(
+      registrarService.registrars
+    );
+  }
+
+  ngAfterViewInit() {
+    this.dataSource.paginator = this.paginator;
+    this.dataSource.sort = this.sort;
+  }
+
+  openDetails(event: MouseEvent, registrar: Registrar) {
+    event.stopPropagation();
+    this.detailsComponentWrapper.open<RegistrarDetailsComponent>(
+      RegistrarDetailsComponent,
+      { registrar }
+    );
+  }
+
+  applyFilter(event: Event) {
+    const filterValue = (event.target as HTMLInputElement).value;
+    this.dataSource.filter = filterValue.trim().toLowerCase();
+  }
 }

console-webapp/src/app/settings/contact/contact.component.html

@@ -41,4 +41,7 @@
       <mat-icon>add</mat-icon>Create a Contact
     </button>
   </div>
+  <app-dialog-bottom-sheet-wrapper
+    #contactDetailsWrapper
+  ></app-dialog-bottom-sheet-wrapper>
 </div>

console-webapp/src/app/settings/contact/contact.component.ts

@@ -12,21 +12,14 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import { Component, Inject } from '@angular/core';
-import {
-  MatDialog,
-  MAT_DIALOG_DATA,
-  MatDialogRef,
-} from '@angular/material/dialog';
-import {
-  MatBottomSheet,
-  MAT_BOTTOM_SHEET_DATA,
-  MatBottomSheetRef,
-} from '@angular/material/bottom-sheet';
+import { Component, ViewChild } from '@angular/core';
 import { Contact, ContactService } from './contact.service';
-import { BreakpointObserver } from '@angular/cdk/layout';
 import { HttpErrorResponse } from '@angular/common/http';
 import { MatSnackBar } from '@angular/material/snack-bar';
+import {
+  DialogBottomSheetContent,
+  DialogBottomSheetWrapper,
+} from 'src/app/shared/components/dialogBottomSheet.component';
 
 enum Operations {
   DELETE,
@@ -40,7 +33,13 @@ interface GroupedContacts {
   contacts: Array<Contact>;
 }
 
-let isMobile: boolean;
+type ContactDetailsParams = {
+  close: Function;
+  data: {
+    contact: Contact;
+    operation: Operations;
+  };
+};
 
 const contactTypes: Array<GroupedContacts> = [
   { value: 'ADMIN', label: 'Primary contact', contacts: [] },
@@ -52,72 +51,46 @@ const contactTypes: Array<GroupedContacts> = [
   { value: 'WHOIS', label: 'WHOIS-Inquiry contact', contacts: [] },
 ];
 
-class ContactDetailsEventsResponder {
-  private ref?: MatDialogRef<any> | MatBottomSheetRef;
-  constructor() {
-    this.onClose = this.onClose.bind(this);
-  }
-
-  setRef(ref: MatDialogRef<any> | MatBottomSheetRef) {
-    this.ref = ref;
-  }
-
-  onClose() {
-    if (this.ref == undefined) {
-      throw "Reference to ContactDetailsDialogComponent hasn't been set. ";
-    }
-    if (this.ref instanceof MatBottomSheetRef) {
-      this.ref.dismiss();
-    } else if (this.ref instanceof MatDialogRef) {
-      this.ref.close();
-    }
-  }
-}
-
 @Component({
   selector: 'app-contact-details-dialog',
-  templateUrl: 'contact-details.component.html',
+  templateUrl: 'contactDetails.component.html',
   styleUrls: ['./contact.component.scss'],
 })
-export class ContactDetailsDialogComponent {
-  contact: Contact;
+export class ContactDetailsDialogComponent implements DialogBottomSheetContent {
+  contact?: Contact;
   contactTypes = contactTypes;
-  operation: Operations;
-  contactIndex: number;
-  onCloseCallback: Function;
+  contactIndex?: number;
+
+  params?: ContactDetailsParams;
 
   constructor(
     public contactService: ContactService,
-    private _snackBar: MatSnackBar,
-    @Inject(isMobile ? MAT_BOTTOM_SHEET_DATA : MAT_DIALOG_DATA)
-    public data: {
-      onClose: Function;
-      contact: Contact;
-      operation: Operations;
-    }
-  ) {
-    this.onCloseCallback = data.onClose;
-    this.contactIndex = contactService.contacts.findIndex(
-      (c) => c === data.contact
+    private _snackBar: MatSnackBar
+  ) {}
+
+  init(params: ContactDetailsParams) {
+    this.params = params;
+    this.contactIndex = this.contactService.contacts.findIndex(
+      (c) => c === params.data.contact
     );
-    this.contact = JSON.parse(JSON.stringify(data.contact));
-    this.operation = data.operation;
+    this.contact = JSON.parse(JSON.stringify(params.data.contact));
   }
 
-  onClose(e: MouseEvent) {
-    e.preventDefault();
-    this.onCloseCallback.call(this);
+  close() {
+    this.params?.close();
   }
 
   saveAndClose(e: SubmitEvent) {
     e.preventDefault();
+    if (!this.contact || this.contactIndex === undefined) return;
     if (!(e.target as HTMLFormElement).checkValidity()) {
       return;
     }
+    const operation = this.params?.data.operation;
     let operationObservable;
-    if (this.operation === Operations.ADD) {
+    if (operation === Operations.ADD) {
       operationObservable = this.contactService.addContact(this.contact);
-    } else if (this.operation === Operations.UPDATE) {
+    } else if (operation === Operations.UPDATE) {
       operationObservable = this.contactService.updateContact(
         this.contactIndex,
         this.contact
@@ -127,11 +100,9 @@ export class ContactDetailsDialogComponent {
     }
 
     operationObservable.subscribe({
-      complete: this.onCloseCallback.bind(this),
+      complete: () => this.close(),
       error: (err: HttpErrorResponse) => {
-        this._snackBar.open(err.error, undefined, {
-          duration: 1500,
-        });
+        this._snackBar.open(err.error);
       },
     });
   }
@@ -145,11 +116,11 @@ export class ContactDetailsDialogComponent {
 export default class ContactComponent {
   public static PATH = 'contact';
 
+  @ViewChild('contactDetailsWrapper')
+  detailsComponentWrapper!: DialogBottomSheetWrapper;
+
   loading: boolean = false;
   constructor(
-    private dialog: MatDialog,
-    private bottomSheet: MatBottomSheet,
-    private breakpointObserver: BreakpointObserver,
     public contactService: ContactService,
     private _snackBar: MatSnackBar
   ) {
@@ -175,9 +146,7 @@ export default class ContactComponent {
     if (confirm(`Please confirm contact ${contact.name} delete`)) {
       this.contactService.deleteContact(contact).subscribe({
         error: (err: HttpErrorResponse) => {
-          this._snackBar.open(err.error, undefined, {
-            duration: 1500,
-          });
+          this._snackBar.open(err.error);
         },
       });
     }
@@ -199,20 +168,9 @@ export default class ContactComponent {
     operation: Operations = Operations.UPDATE
   ) {
     e.preventDefault();
-    // TODO: handle orientation change
-    isMobile = this.breakpointObserver.isMatched('(max-width: 599px)');
-    const responder = new ContactDetailsEventsResponder();
-    const config = { data: { onClose: responder.onClose, contact, operation } };
-
-    if (isMobile) {
-      const bottomSheetRef = this.bottomSheet.open(
-        ContactDetailsDialogComponent,
-        config
-      );
-      responder.setRef(bottomSheetRef);
-    } else {
-      const dialogRef = this.dialog.open(ContactDetailsDialogComponent, config);
-      responder.setRef(dialogRef);
-    }
+    this.detailsComponentWrapper.open<ContactDetailsDialogComponent>(
+      ContactDetailsDialogComponent,
+      { contact, operation }
+    );
   }
 }

console-webapp/src/app/settings/contact/contact.service.ts

@@ -45,7 +45,7 @@ export class ContactService {
     return this.backend
       .getContacts(this.registrarService.activeRegistrarId)
       .pipe(
-        tap((contacts) => {
+        tap((contacts = []) => {
           this.contacts = contacts;
         })
       );

console-webapp/src/app/settings/contact/contactDetails.component.html

@@ -1,7 +1,7 @@
 <h3 mat-dialog-title>Contact details</h3>
-<div mat-dialog-content>
+<div mat-dialog-content *ngIf="contact">
   <form (ngSubmit)="saveAndClose($event)">
-    <div>
+    <p>
       <mat-form-field class="contact-details__input">
         <mat-label>Name: </mat-label>
         <input
@@ -11,9 +11,9 @@
           [ngModelOptions]="{ standalone: true }"
         />
       </mat-form-field>
-    </div>
+    </p>
 
-    <div>
+    <p>
       <mat-form-field class="contact-details__input">
         <mat-label>Primary account email: </mat-label>
         <input
@@ -25,9 +25,9 @@
           [ngModelOptions]="{ standalone: true }"
         />
       </mat-form-field>
-    </div>
+    </p>
 
-    <div>
+    <p>
       <mat-form-field class="contact-details__input">
         <mat-label>Phone: </mat-label>
         <input
@@ -36,9 +36,9 @@
           [ngModelOptions]="{ standalone: true }"
         />
       </mat-form-field>
-    </div>
+    </p>
 
-    <div>
+    <p>
       <mat-form-field class="contact-details__input">
         <mat-label>Fax: </mat-label>
         <input
@@ -47,7 +47,7 @@
           [ngModelOptions]="{ standalone: true }"
         />
       </mat-form-field>
-    </div>
+    </p>
 
     <div class="contact-details__group">
       <label>Contact type:</label>
@@ -97,7 +97,7 @@
       >
     </section>
     <mat-dialog-actions>
-      <button mat-button (click)="onClose($event)">Cancel</button>
+      <button mat-button (click)="close()">Cancel</button>
       <button type="submit" mat-button>Save</button>
     </mat-dialog-actions>
   </form>

console-webapp/src/app/settings/security/security.component.ts

@@ -64,9 +64,7 @@ export default class SecurityComponent {
         this.resetDataSource();
       },
       error: (err: HttpErrorResponse) => {
-        this._snackBar.open(err.error, undefined, {
-          duration: 1500,
-        });
+        this._snackBar.open(err.error);
       },
     });
     this.cancel();

console-webapp/src/app/settings/settings.component.scss

@@ -15,9 +15,9 @@
 .console-settings {
   .mdc-tab {
     &.active-link {
-      border-bottom: 2px solid #673ab7;
+      border-bottom: 2px solid var(--primary);
       .mdc-tab__text-label {
-        color: #673ab7;
+        color: var(--primary);
       }
     }
   }

console-webapp/src/app/settings/whois/whois.component.html

@@ -1 +1,250 @@
-<p>whois works!</p>
+<div class="settings-whois">
+  <h2>WHOIS settings</h2>
+  <h3>
+    General registrar information for your WHOIS record. This information is
+    always visible in WHOIS.
+  </h3>
+  <div *ngIf="loading" class="settings-whois__loading">
+    <mat-progress-bar mode="indeterminate"></mat-progress-bar>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-description">
+      <h3>Name:</h3>
+    </div>
+    <div class="settings-whois__section-form">
+      <mat-form-field>
+        <input
+          matInput
+          type="text"
+          [(ngModel)]="registrar.registrarName"
+          disabled
+        />
+      </mat-form-field>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-description">
+      <h3>IANA Identifier:</h3>
+    </div>
+    <div class="settings-whois__section-form">
+      <mat-form-field>
+        <input
+          matInput
+          type="text"
+          [(ngModel)]="registrar.ianaIdentifier"
+          disabled
+        />
+      </mat-form-field>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-description">
+      <h3>ICANN Referral Email:</h3>
+    </div>
+    <div class="settings-whois__section-form">
+      <mat-form-field>
+        <input
+          matInput
+          type="email"
+          [(ngModel)]="registrar.icannReferralEmail"
+          disabled
+        />
+      </mat-form-field>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-description">
+      <h3>WHOIS server:</h3>
+    </div>
+    <div class="settings-whois__section-form">
+      <mat-form-field>
+        <input
+          matInput
+          type="text"
+          [(ngModel)]="registrar.whoisServer"
+          [disabled]="!inEdit"
+        />
+      </mat-form-field>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-description">
+      <h3>Referral URL:</h3>
+    </div>
+    <div class="settings-whois__section-form">
+      <mat-form-field>
+        <input
+          matInput
+          type="text"
+          [(ngModel)]="registrar.url"
+          [disabled]="!inEdit"
+        />
+      </mat-form-field>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-description">
+      <h3>Email:</h3>
+    </div>
+    <div class="settings-whois__section-form">
+      <mat-form-field>
+        <input
+          matInput
+          type="email"
+          [(ngModel)]="registrar.emailAddress"
+          [disabled]="!inEdit"
+        />
+      </mat-form-field>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-description">
+      <h3>Phone::</h3>
+    </div>
+    <div class="settings-whois__section-form">
+      <mat-form-field>
+        <input
+          matInput
+          type="text"
+          [(ngModel)]="registrar.phoneNumber"
+          [disabled]="!inEdit"
+        />
+      </mat-form-field>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-description">
+      <h3>Fax:</h3>
+    </div>
+    <div class="settings-whois__section-form">
+      <mat-form-field>
+        <input
+          matInput
+          type="text"
+          [(ngModel)]="registrar.faxNumber"
+          [disabled]="!inEdit"
+        />
+      </mat-form-field>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-address">
+      <div class="settings-whois__section-description">
+        <h3>Address Line 1:</h3>
+      </div>
+      <div class="settings-whois__section-form">
+        <mat-form-field>
+          <input
+            *ngIf="registrar.localizedAddress?.street"
+            matInput
+            type="text"
+            [(ngModel)]="(registrar.localizedAddress?.street)![0]"
+            [disabled]="!inEdit"
+          />
+        </mat-form-field>
+      </div>
+    </div>
+    <div class="settings-whois__section-address">
+      <div class="settings-whois__section-description">
+        <h3>City:</h3>
+      </div>
+      <div class="settings-whois__section-form">
+        <mat-form-field>
+          <input
+            *ngIf="registrar.localizedAddress"
+            matInput
+            type="text"
+            [(ngModel)]="registrar.localizedAddress.city"
+            [disabled]="!inEdit"
+          />
+        </mat-form-field>
+      </div>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-address">
+      <div class="settings-whois__section-description">
+        <h3>Address Line 2:</h3>
+      </div>
+      <div class="settings-whois__section-form">
+        <mat-form-field>
+          <input
+            *ngIf="registrar.localizedAddress?.street"
+            matInput
+            type="text"
+            [(ngModel)]="(registrar.localizedAddress?.street)![1]"
+            [disabled]="!inEdit"
+          />
+        </mat-form-field>
+      </div>
+    </div>
+    <div class="settings-whois__section-address">
+      <div class="settings-whois__section-description">
+        <h3>State/Region:</h3>
+      </div>
+      <div class="settings-whois__section-form">
+        <mat-form-field>
+          <input
+            *ngIf="registrar.localizedAddress"
+            matInput
+            type="text"
+            [(ngModel)]="registrar.localizedAddress.state"
+            [disabled]="!inEdit"
+          />
+        </mat-form-field>
+      </div>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-address">
+      <div class="settings-whois__section-description">
+        <h3>Address Line 3:</h3>
+      </div>
+      <div class="settings-whois__section-form">
+        <mat-form-field>
+          <input
+            *ngIf="registrar.localizedAddress?.street"
+            matInput
+            type="text"
+            [(ngModel)]="(registrar.localizedAddress?.street)![2]"
+            [disabled]="!inEdit"
+          />
+        </mat-form-field>
+      </div>
+    </div>
+    <div class="settings-whois__section-address">
+      <div class="settings-whois__section-description">
+        <h3>Country Code:</h3>
+      </div>
+      <div class="settings-whois__section-form">
+        <mat-form-field>
+          <input
+            *ngIf="registrar.localizedAddress"
+            matInput
+            type="text"
+            [(ngModel)]="registrar.localizedAddress.countryCode"
+            [disabled]="!inEdit"
+          />
+        </mat-form-field>
+      </div>
+    </div>
+  </div>
+  <div class="settings-whois__actions">
+    <ng-template [ngIf]="inEdit" [ngIfElse]="inView">
+      <button
+        class="actions-save"
+        mat-raised-button
+        color="primary"
+        (click)="save()"
+      >
+        Save
+      </button>
+      <button class="actions-cancel" mat-stroked-button (click)="cancel()">
+        Cancel
+      </button>
+    </ng-template>
+    <ng-template #inView>
+      <button #elseBlock mat-raised-button (click)="enableEdit()">Edit</button>
+    </ng-template>
+  </div>
+</div>

console-webapp/src/app/settings/whois/whois.component.scss

@@ -11,3 +11,49 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+
+.settings-whois {
+  margin-top: 1.5rem;
+  &__section {
+    display: flex;
+    flex-wrap: wrap;
+    margin-bottom: 10px;
+    min-width: 400px;
+  }
+  &__section-address {
+    display: flex;
+    flex-wrap: wrap;
+    margin-bottom: 5px;
+    min-width: 400px;
+    width: 50%;
+    max-width: 50%;
+  }
+  &__section-description {
+    display: inline-block;
+    margin-block-start: 1em;
+    width: 160px;
+  }
+  &__section-form {
+    display: inline-block;
+    width: 70%;
+    mat-form-field {
+      width: 90%;
+      min-width: 300px;
+    }
+    input:disabled {
+      border: 0;
+    }
+  }
+  &__loading {
+    margin: 2rem 0;
+  }
+  &__actions {
+    margin-top: 50px;
+    display: flex;
+    justify-content: flex-end;
+    margin-right: 50px;
+    button {
+      margin-left: 20px;
+    }
+  }
+}

console-webapp/src/app/settings/whois/whois.component.ts

@@ -12,13 +12,65 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+import { HttpErrorResponse } from '@angular/common/http';
 import { Component } from '@angular/core';
+import { MatSnackBar } from '@angular/material/snack-bar';
+import {
+  Registrar,
+  RegistrarService,
+} from 'src/app/registrar/registrar.service';
+
+import { WhoisService } from './whois.service';
 
 @Component({
   selector: 'app-whois',
   templateUrl: './whois.component.html',
   styleUrls: ['./whois.component.scss'],
+  providers: [WhoisService],
 })
 export default class WhoisComponent {
   public static PATH = 'whois';
+  loading = false;
+  inEdit = false;
+  registrar: Registrar;
+
+  constructor(
+    public whoisService: WhoisService,
+    public registrarService: RegistrarService,
+    private _snackBar: MatSnackBar
+  ) {
+    this.registrar = JSON.parse(
+      JSON.stringify(this.registrarService.registrar)
+    );
+  }
+
+  enableEdit() {
+    this.inEdit = true;
+  }
+
+  cancel() {
+    this.inEdit = false;
+    this.resetDataSource();
+  }
+
+  save() {
+    this.loading = true;
+    this.whoisService.saveChanges(this.registrar).subscribe({
+      complete: () => {
+        this.loading = false;
+        this.resetDataSource();
+      },
+      error: (err: HttpErrorResponse) => {
+        this._snackBar.open(err.error);
+        this.loading = false;
+      },
+    });
+    this.cancel();
+  }
+
+  resetDataSource() {
+    this.registrar = JSON.parse(
+      JSON.stringify(this.registrarService.registrar)
+    );
+  }
 }

console-webapp/src/app/settings/whois/whois.service.ts

@@ -0,0 +1,45 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Injectable } from '@angular/core';
+import { switchMap } from 'rxjs';
+import { Address, RegistrarService } from 'src/app/registrar/registrar.service';
+import { BackendService } from 'src/app/shared/services/backend.service';
+
+export interface WhoisRegistrarFields {
+  ianaIdentifier?: number;
+  icannReferralEmail?: string;
+  localizedAddress?: Address;
+  registrarId?: string;
+  url?: string;
+  whoisServer?: string;
+}
+
+@Injectable()
+export class WhoisService {
+  whoisRegistrarFields: WhoisRegistrarFields = {};
+
+  constructor(
+    private backend: BackendService,
+    private registrarService: RegistrarService
+  ) {}
+
+  saveChanges(newWhoisRegistrarFields: WhoisRegistrarFields) {
+    return this.backend.postWhoisRegistrarFields(newWhoisRegistrarFields).pipe(
+      switchMap(() => {
+        return this.registrarService.loadRegistrars();
+      })
+    );
+  }
+}

console-webapp/src/app/shared/components/dialogBottomSheet.component.ts

@@ -0,0 +1,69 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { BreakpointObserver } from '@angular/cdk/layout';
+import { ComponentType } from '@angular/cdk/portal';
+import { Component } from '@angular/core';
+import {
+  MatBottomSheet,
+  MatBottomSheetRef,
+} from '@angular/material/bottom-sheet';
+import { MatDialog, MatDialogRef } from '@angular/material/dialog';
+
+const MOBILE_LAYOUT_BREAKPOINT = '(max-width: 599px)';
+
+export interface DialogBottomSheetContent {
+  init(data: Object): void;
+}
+
+/**
+ * Wraps up a child component in an Angular Material Dalog for desktop or a Bottom Sheet
+ * component for mobile depending on a screen resolution, with Breaking Point being 599px.
+ * Child component is required to implement @see DialogBottomSheetContent interface
+ */
+@Component({
+  selector: 'app-dialog-bottom-sheet-wrapper',
+  template: '',
+})
+export class DialogBottomSheetWrapper {
+  private elementRef?: MatBottomSheetRef | MatDialogRef<any>;
+
+  constructor(
+    private dialog: MatDialog,
+    private bottomSheet: MatBottomSheet,
+    protected breakpointObserver: BreakpointObserver
+  ) {}
+
+  open<T extends DialogBottomSheetContent>(
+    component: ComponentType<T>,
+    data: any
+  ) {
+    const config = { data, close: () => this.close() };
+    if (this.breakpointObserver.isMatched(MOBILE_LAYOUT_BREAKPOINT)) {
+      this.elementRef = this.bottomSheet.open(component);
+      this.elementRef.instance.init(config);
+    } else {
+      this.elementRef = this.dialog.open(component);
+      this.elementRef.componentInstance.init(config);
+    }
+  }
+
+  close() {
+    if (this.elementRef instanceof MatBottomSheetRef) {
+      this.elementRef.dismiss();
+    } else if (this.elementRef instanceof MatDialogRef) {
+      this.elementRef.close();
+    }
+  }
+}

console-webapp/src/app/shared/services/backend.service.ts

@@ -20,6 +20,8 @@ import { SecuritySettingsBackendModel } from 'src/app/settings/security/security
 import { Contact } from '../../settings/contact/contact.service';
 import { Registrar } from '../../registrar/registrar.service';
 import { UserData } from './userData.service';
+import { WhoisRegistrarFields } from 'src/app/settings/whois/whois.service';
+import { DomainListResult } from 'src/app/domains/domainList.service';
 
 @Injectable()
 export class BackendService {
@@ -62,6 +64,35 @@ export class BackendService {
     );
   }
 
+  getDomains(
+    registrarId: string,
+    checkpointTime?: string,
+    pageNumber?: number,
+    resultsPerPage?: number,
+    totalResults?: number,
+    searchTerm?: string
+  ): Observable<DomainListResult> {
+    var url = `/console-api/domain-list?registrarId=${registrarId}`;
+    if (checkpointTime) {
+      url += `&checkpointTime=${checkpointTime}`;
+    }
+    if (pageNumber) {
+      url += `&pageNumber=${pageNumber}`;
+    }
+    if (resultsPerPage) {
+      url += `&resultsPerPage=${resultsPerPage}`;
+    }
+    if (totalResults) {
+      url += `&totalResults=${totalResults}`;
+    }
+    if (searchTerm) {
+      url += `&searchTerm=${searchTerm}`;
+    }
+    return this.http
+      .get<DomainListResult>(url)
+      .pipe(catchError((err) => this.errorCatcher<DomainListResult>(err)));
+  }
+
   getRegistrars(): Observable<Registrar[]> {
     return this.http
       .get<Registrar[]>('/console-api/registrars')
@@ -94,7 +125,16 @@ export class BackendService {
 
   getUserData(): Observable<UserData> {
     return this.http
-      .get<UserData>(`/console-api/userdata`)
+      .get<UserData>('/console-api/userdata')
       .pipe(catchError((err) => this.errorCatcher<UserData>(err)));
   }
+
+  postWhoisRegistrarFields(
+    whoisRegistrarFields: WhoisRegistrarFields
+  ): Observable<WhoisRegistrarFields> {
+    return this.http.post<WhoisRegistrarFields>(
+      '/console-api/settings/whois-fields',
+      whoisRegistrarFields
+    );
+  }
 }

console-webapp/src/app/shared/services/userData.service.ts

@@ -19,8 +19,11 @@ import { MatSnackBar } from '@angular/material/snack-bar';
 import { GlobalLoader, GlobalLoaderService } from './globalLoader.service';
 
 export interface UserData {
-  isAdmin: boolean;
   globalRole: string;
+  isAdmin: boolean;
+  productName: string;
+  supportEmail: string;
+  supportPhoneNumber: string;
   technicalDocsUrl: string;
 }
 
@@ -49,8 +52,6 @@ export class UserDataService implements GlobalLoader {
   }
 
   loadingTimeout() {
-    this._snackBar.open('Timeout loading user data', undefined, {
-      duration: 1500,
-    });
+    this._snackBar.open('Timeout loading user data');
   }
 }

console-webapp/src/app/snackbar.module.ts

@@ -0,0 +1,24 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { NgModule } from '@angular/core';
+import { MAT_SNACK_BAR_DEFAULT_OPTIONS } from '@angular/material/snack-bar';
+
+/** Provides a default set of options for the snack bar. */
+@NgModule({
+  providers: [
+    { provide: MAT_SNACK_BAR_DEFAULT_OPTIONS, useValue: { duration: 5000 } },
+  ],
+})
+export class SnackBarModule {}

console-webapp/src/styles.scss

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 @use "@angular/material" as mat;
-@import "app/registrar/registrar-selector.component.scss";
+@import "app/registrar/registrarSelector.component.scss";
 
 html,
 body {
@@ -44,13 +44,19 @@ body {
     &-link {
       padding: 0 !important;
       text-align: left;
-      height: 20px !important;
       min-width: auto !important;
+      height: min-content !important;
+    }
+    &-section-header {
+      font-weight: 500;
+      color: var(--primary) !important;
     }
     &-title {
       color: var(--primary) !important;
+      text-align: center;
     }
     &-icon {
+      color: var(--text);
       font-size: 5rem;
       line-height: 5rem;
       height: 5rem !important;

console-webapp/src/theme.scss

@@ -17,20 +17,9 @@ $theme-accent: mat.define-palette(mat.$pink-palette, A200, A100, A400);
 // The warn palette is optional (defaults to red).
 $theme-warn: mat.define-palette(mat.$red-palette);
 
-// Create the theme object. A theme consists of configurations for individual
-// theming systems such as "color" or "typography".
-$theme: mat.define-light-theme(
-  (
-    color: (
-      primary: $theme-primary,
-      accent: $theme-accent,
-      warn: $theme-warn,
-    ),
-    density: 0,
-  )
-);
-
-/** Application specific section **/
+/** 
+** Application specific section - Global styles and mixins
+**/
 
 @mixin form-field-density($density) {
   $field-typography: mat.define-typography-config(
@@ -46,19 +35,6 @@ $theme: mat.define-light-theme(
   @include form-field-density(-5);
 }
 
-$foreground: map.merge($theme, mat.$light-theme-foreground-palette);
-
-// Access and define a class with secondary color exposed
-.secondary-text {
-  color: map.get($foreground, "secondary-text");
-}
-
-:root {
-  --primary: #{mat.get-color-from-palette($theme-primary, 500)};
-  --secondary: #{map.get($foreground, "secondary-text")};
-}
-
-@include mat.all-component-themes($theme);
 @import "@angular/material/theming";
 
 // Define application specific typography settings, font-family, etc
@@ -67,3 +43,61 @@ $typography-configuration: mat-typography-config(
 );
 
 @include angular-material-typography($typography-configuration);
+
+/** 
+** Light theme
+**/
+$light-theme: mat.define-light-theme(
+  (
+    color: (
+      primary: $theme-primary,
+      accent: $theme-accent,
+      warn: $theme-warn,
+    ),
+    density: 0,
+  )
+);
+
+// Access and define a class with secondary color exposed
+.secondary-text {
+  color: map.get(mat.$light-theme-foreground-palette, "secondary-text");
+}
+
+:root {
+  --text: #{map.get(mat.$light-theme-foreground-palette, "base")};
+  --primary: #{mat.get-color-from-palette($theme-primary, 500)};
+  --secondary: #{map.get(mat.$light-theme-foreground-palette, "secondary-text")};
+}
+
+@include mat.all-component-themes($light-theme);
+
+/** 
+** Dark theme
+**/
+$dark-theme: mat.define-dark-theme(
+  (
+    color: (
+      primary: mat.define-palette(mat.$pink-palette),
+      accent: mat.define-palette(mat.$blue-grey-palette),
+    ),
+    density: 0,
+  )
+);
+
+@mixin _apply-dark-mode-colors() {
+  @include mat.all-component-colors($dark-theme);
+
+  .secondary-text {
+    color: map.get(mat.$dark-theme-foreground-palette, "secondary-text");
+  }
+
+  :root {
+    --text: #{map.get(mat.$dark-theme-foreground-palette, "base")};
+    --primary: #{mat.get-color-from-palette(mat.$pink-palette, 500)};
+    --secondary: #{map.get(mat.$dark-theme-background-palette, "secondary-text")};
+  }
+}
+
+@media (prefers-color-scheme: dark) {
+  @include _apply-dark-mode-colors();
+}

core/src/main/java/google/registry/batch/BatchModule.java

@@ -43,6 +43,12 @@ public class BatchModule {
   public static final String PARAM_DRY_RUN = "dryRun";
   public static final String PARAM_FAST = "fast";
 
+  @Provides
+  @Parameter("url")
+  static String provideUrl(HttpServletRequest req) {
+    return extractRequiredParameter(req, "url");
+  }
+
   @Provides
   @Parameter("jobName")
   static Optional<String> provideJobName(HttpServletRequest req) {

core/src/main/java/google/registry/batch/CannedScriptExecutionAction.java

@@ -14,26 +14,20 @@
 
 package google.registry.batch;
 
-import static com.google.common.collect.ImmutableList.toImmutableList;
+import static google.registry.request.Action.Method.GET;
 import static google.registry.request.Action.Method.POST;
-import static google.registry.util.RegistrarUtils.normalizeRegistrarId;
+import static java.nio.charset.StandardCharsets.UTF_8;
 
-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.Streams;
 import com.google.common.flogger.FluentLogger;
-import google.registry.config.RegistryConfig.Config;
-import google.registry.groups.GmailClient;
-import google.registry.groups.GroupsConnection;
-import google.registry.model.registrar.Registrar;
-import google.registry.model.registrar.RegistrarPoc;
 import google.registry.request.Action;
+import google.registry.request.Parameter;
+import google.registry.request.Response;
+import google.registry.request.UrlConnectionService;
+import google.registry.request.UrlConnectionUtils;
 import google.registry.request.auth.Auth;
-import google.registry.util.EmailMessage;
-import java.io.IOException;
-import java.util.Set;
+import java.net.URL;
 import javax.inject.Inject;
-import javax.mail.internet.AddressException;
-import javax.mail.internet.InternetAddress;
+import javax.net.ssl.HttpsURLConnection;
 
 /**
  * Action that executes a canned script specified by the caller.
@@ -50,88 +44,45 @@ import javax.mail.internet.InternetAddress;
 @Action(
     service = Action.Service.BACKEND,
     path = "/_dr/task/executeCannedScript",
-    method = POST,
+    method = {POST, GET},
     automaticallyPrintOk = true,
     auth = Auth.AUTH_API_ADMIN)
 public class CannedScriptExecutionAction implements Runnable {
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
 
-  private final GroupsConnection groupsConnection;
-  private final GmailClient gmailClient;
-
-  private final InternetAddress senderAddress;
-
-  private final InternetAddress recipientAddress;
-
-  private final String gSuiteDomainName;
+  @Inject UrlConnectionService urlConnectionService;
+  @Inject Response response;
 
   @Inject
-  CannedScriptExecutionAction(
-      GroupsConnection groupsConnection,
-      GmailClient gmailClient,
-      @Config("projectId") String projectId,
-      @Config("gSuiteDomainName") String gSuiteDomainName,
-      @Config("newAlertRecipientEmailAddress") InternetAddress recipientAddress) {
-    this.groupsConnection = groupsConnection;
-    this.gmailClient = gmailClient;
-    this.gSuiteDomainName = gSuiteDomainName;
-    try {
-      this.senderAddress = new InternetAddress(String.format("%s@%s", projectId, gSuiteDomainName));
-    } catch (AddressException e) {
-      throw new RuntimeException(e);
-    }
-    this.recipientAddress = recipientAddress;
-    logger.atInfo().log("Sender:%s; Recipient: %s.", this.senderAddress, this.recipientAddress);
-  }
+  @Parameter("url")
+  String url;
+
+  @Inject
+  CannedScriptExecutionAction() {}
 
   @Override
   public void run() {
+    Integer responseCode = null;
+    String responseContent = null;
     try {
-      // Invoke canned scripts here.
-      checkGroupApi();
-      EmailMessage message = createEmail();
-      this.gmailClient.sendEmail(message);
-      logger.atInfo().log("Finished running scripts.");
-    } catch (Throwable t) {
-      logger.atWarning().withCause(t).log("Error executing scripts.");
-      throw new RuntimeException("Execution failed.");
-    }
-  }
-
-  // Checks if Directory and GroupSettings still work after GWorkspace changes.
-  void checkGroupApi() {
-    ImmutableList<Registrar> registrars =
-        Streams.stream(Registrar.loadAllCached())
-            .filter(registrar -> registrar.isLive() && registrar.getType() == Registrar.Type.REAL)
-            .collect(toImmutableList());
-    logger.atInfo().log("Found %s registrars.", registrars.size());
-    for (Registrar registrar : registrars) {
-      for (final RegistrarPoc.Type type : RegistrarPoc.Type.values()) {
-        String groupKey =
-            String.format(
-                "%s-%s-contacts@%s",
-                normalizeRegistrarId(registrar.getRegistrarId()),
-                type.getDisplayName(),
-                gSuiteDomainName);
-        try {
-          Set<String> currentMembers = groupsConnection.getMembersOfGroup(groupKey);
-          logger.atInfo().log("%s has %s members.", groupKey, currentMembers.size());
-          // One success is enough for validation.
-          return;
-        } catch (IOException e) {
-          logger.atWarning().withCause(e).log("Failed to check %s", groupKey);
-        }
+      logger.atInfo().log("Connecting to: %s", url);
+      HttpsURLConnection connection =
+          (HttpsURLConnection) urlConnectionService.createConnection(new URL(url));
+      responseCode = connection.getResponseCode();
+      logger.atInfo().log("Code: %d", responseCode);
+      logger.atInfo().log("Headers: %s", connection.getHeaderFields());
+      responseContent = new String(UrlConnectionUtils.getResponseBytes(connection), UTF_8);
+      logger.atInfo().log("Response: %s", responseContent);
+    } catch (Exception e) {
+      logger.atWarning().withCause(e).log("Connection to %s failed", url);
+      throw new RuntimeException(e);
+    } finally {
+      if (responseCode != null) {
+        response.setStatus(responseCode);
+      }
+      if (responseContent != null) {
+        response.setPayload(responseContent);
       }
     }
-    logger.atInfo().log("Finished checking GroupApis.");
-  }
-
-  EmailMessage createEmail() {
-    return EmailMessage.newBuilder()
-        .setFrom(senderAddress)
-        .setSubject("Test: Please ignore<eom>.")
-        .setRecipients(ImmutableList.of(recipientAddress))
-        .setBody("Sent from Nomulus through Google Workspace.")
-        .build();
   }
 }

core/src/main/java/google/registry/batch/DeleteLoadTestDataAction.java

@@ -17,15 +17,14 @@ package google.registry.batch;
 import static com.google.common.base.Preconditions.checkState;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static google.registry.batch.BatchModule.PARAM_DRY_RUN;
-import static google.registry.config.RegistryEnvironment.PRODUCTION;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.POST;
 import static google.registry.util.DateTimeUtils.END_OF_TIME;
+import static google.registry.util.RegistryEnvironment.PRODUCTION;
 
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.flogger.FluentLogger;
-import google.registry.config.RegistryEnvironment;
 import google.registry.flows.poll.PollFlowUtils;
 import google.registry.model.EppResource;
 import google.registry.model.EppResourceUtils;
@@ -40,6 +39,7 @@ import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import javax.inject.Inject;
 
 /**

core/src/main/java/google/registry/batch/DeleteProberDataAction.java

@@ -18,13 +18,13 @@ import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.base.Preconditions.checkState;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static google.registry.batch.BatchModule.PARAM_DRY_RUN;
-import static google.registry.config.RegistryEnvironment.PRODUCTION;
 import static google.registry.dns.DnsUtils.requestDomainDnsRefresh;
 import static google.registry.model.reporting.HistoryEntry.Type.DOMAIN_DELETE;
 import static google.registry.model.tld.Tlds.getTldsOfType;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.POST;
 import static google.registry.request.RequestParameters.PARAM_TLDS;
+import static google.registry.util.RegistryEnvironment.PRODUCTION;
 
 import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableList;
@@ -32,7 +32,6 @@ import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Sets;
 import com.google.common.flogger.FluentLogger;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.CreateAutoTimestamp;
 import google.registry.model.EppResourceUtils;
 import google.registry.model.domain.Domain;
@@ -41,6 +40,7 @@ import google.registry.model.tld.Tld.TldType;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
+import google.registry.util.RegistryEnvironment;
 import java.util.concurrent.atomic.AtomicInteger;
 import javax.inject.Inject;
 import org.hibernate.CacheMode;

core/src/main/java/google/registry/batch/ExpandBillingRecurrencesAction.java

@@ -31,7 +31,6 @@ import com.google.common.collect.ImmutableMap;
 import com.google.common.flogger.FluentLogger;
 import google.registry.beam.billing.ExpandBillingRecurrencesPipeline;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.billing.BillingEvent;
 import google.registry.model.billing.BillingRecurrence;
 import google.registry.model.common.Cursor;
@@ -40,6 +39,7 @@ import google.registry.request.Parameter;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import java.io.IOException;
 import java.util.Optional;
 import javax.inject.Inject;

core/src/main/java/google/registry/batch/ResaveAllEppResourcesPipelineAction.java

@@ -27,12 +27,12 @@ import com.google.common.collect.ImmutableMap;
 import com.google.common.flogger.FluentLogger;
 import com.google.common.net.MediaType;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import javax.inject.Inject;
 
 /**

core/src/main/java/google/registry/batch/WipeOutCloudSqlAction.java

@@ -1,161 +0,0 @@
-// Copyright 2021 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.batch;
-
-import static com.google.common.net.MediaType.PLAIN_TEXT_UTF_8;
-import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;
-import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
-import static javax.servlet.http.HttpServletResponse.SC_OK;
-
-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.flogger.FluentLogger;
-import google.registry.config.RegistryEnvironment;
-import google.registry.persistence.PersistenceModule.SchemaManagerConnection;
-import google.registry.request.Action;
-import google.registry.request.Response;
-import google.registry.request.auth.Auth;
-import google.registry.util.Retrier;
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.util.function.Supplier;
-import javax.inject.Inject;
-
-/**
- * Wipes out all Cloud SQL data in a Nomulus GCP environment.
- *
- * <p>This class is created for the QA environment, where migration testing with production data
- * will happen. A regularly scheduled wipeout is a prerequisite to using production data there.
- */
-@Action(
-    service = Action.Service.BACKEND,
-    path = "/_dr/task/wipeOutCloudSql",
-    auth = Auth.AUTH_API_ADMIN)
-public class WipeOutCloudSqlAction implements Runnable {
-  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
-
-  private static final ImmutableSet<RegistryEnvironment> FORBIDDEN_ENVIRONMENTS =
-      ImmutableSet.of(RegistryEnvironment.PRODUCTION, RegistryEnvironment.SANDBOX);
-
-  private final Supplier<Connection> connectionSupplier;
-  private final Response response;
-  private final Retrier retrier;
-
-  @Inject
-  WipeOutCloudSqlAction(
-      @SchemaManagerConnection Supplier<Connection> connectionSupplier,
-      Response response,
-      Retrier retrier) {
-    this.connectionSupplier = connectionSupplier;
-    this.response = response;
-    this.retrier = retrier;
-  }
-
-  @Override
-  public void run() {
-    response.setContentType(PLAIN_TEXT_UTF_8);
-
-    if (FORBIDDEN_ENVIRONMENTS.contains(RegistryEnvironment.get())) {
-      response.setStatus(SC_FORBIDDEN);
-      response.setPayload("Wipeout is not allowed in " + RegistryEnvironment.get());
-      return;
-    }
-
-    try {
-      retrier.callWithRetry(
-          () -> {
-            try (Connection conn = connectionSupplier.get()) {
-              dropAllTables(conn, listTables(conn));
-              dropAllSequences(conn, listSequences(conn));
-            }
-            return null;
-          },
-          e -> !(e instanceof SQLException));
-      response.setStatus(SC_OK);
-      response.setPayload("Wiped out Cloud SQL in " + RegistryEnvironment.get());
-    } catch (RuntimeException e) {
-      logger.atSevere().withCause(e).log("Failed to wipe out Cloud SQL data.");
-      response.setStatus(SC_INTERNAL_SERVER_ERROR);
-      response.setPayload("Failed to wipe out Cloud SQL in " + RegistryEnvironment.get());
-    }
-  }
-
-  /** Returns a list of all tables in the public schema of a Postgresql database. */
-  static ImmutableList<String> listTables(Connection connection) throws SQLException {
-    try (ResultSet resultSet =
-        connection.getMetaData().getTables(null, null, null, new String[] {"TABLE"})) {
-      ImmutableList.Builder<String> tables = new ImmutableList.Builder<>();
-      while (resultSet.next()) {
-        String schema = resultSet.getString("TABLE_SCHEM");
-        if (schema == null || !schema.equalsIgnoreCase("public")) {
-          continue;
-        }
-        String tableName = resultSet.getString("TABLE_NAME");
-        tables.add("public.\"" + tableName + "\"");
-      }
-      return tables.build();
-    }
-  }
-
-  static void dropAllTables(Connection conn, ImmutableList<String> tables) throws SQLException {
-    if (tables.isEmpty()) {
-      return;
-    }
-
-    try (Statement statement = conn.createStatement()) {
-      for (String table : tables) {
-        statement.addBatch(String.format("DROP TABLE IF EXISTS %s CASCADE;", table));
-      }
-      for (int code : statement.executeBatch()) {
-        if (code == Statement.EXECUTE_FAILED) {
-          throw new RuntimeException("Failed to drop some tables. Please check.");
-        }
-      }
-    }
-  }
-
-  /** Returns a list of all sequences in a Postgresql database. */
-  static ImmutableList<String> listSequences(Connection conn) throws SQLException {
-    try (Statement statement = conn.createStatement();
-        ResultSet resultSet =
-            statement.executeQuery("SELECT c.relname FROM pg_class c WHERE c.relkind = 'S';")) {
-      ImmutableList.Builder<String> sequences = new ImmutableList.Builder<>();
-      while (resultSet.next()) {
-        sequences.add('\"' + resultSet.getString(1) + '\"');
-      }
-      return sequences.build();
-    }
-  }
-
-  static void dropAllSequences(Connection conn, ImmutableList<String> sequences)
-      throws SQLException {
-    if (sequences.isEmpty()) {
-      return;
-    }
-
-    try (Statement statement = conn.createStatement()) {
-      for (String sequence : sequences) {
-        statement.addBatch(String.format("DROP SEQUENCE IF EXISTS %s CASCADE;", sequence));
-      }
-      for (int code : statement.executeBatch()) {
-        if (code == Statement.EXECUTE_FAILED) {
-          throw new RuntimeException("Failed to drop some sequences. Please check.");
-        }
-      }
-    }
-  }
-}

core/src/main/java/google/registry/batch/WipeOutContactHistoryPiiAction.java

@@ -28,7 +28,6 @@ import com.google.common.flogger.FluentLogger;
 import com.google.common.net.MediaType;
 import google.registry.beam.wipeout.WipeOutContactHistoryPiiPipeline;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.contact.ContactHistory;
 import google.registry.request.Action;
 import google.registry.request.Action.Service;
@@ -36,6 +35,7 @@ import google.registry.request.Parameter;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import java.io.IOException;
 import java.util.Optional;
 import javax.inject.Inject;

core/src/main/java/google/registry/beam/common/RegistryJpaIO.java

@@ -209,7 +209,7 @@ public final class RegistryJpaIO {
 
       @ProcessElement
       public void processElement(OutputReceiver<T> outputReceiver) {
-        tm().transactNoRetry(
+        tm().transact(
                 () -> {
                   query.stream().map(resultMapper::apply).forEach(outputReceiver::output);
                 });

core/src/main/java/google/registry/beam/common/RegistryPipelineOptions.java

@@ -14,9 +14,9 @@
 
 package google.registry.beam.common;
 
-import google.registry.config.RegistryEnvironment;
 import google.registry.persistence.PersistenceModule.JpaTransactionManagerType;
 import google.registry.persistence.PersistenceModule.TransactionIsolationLevel;
+import google.registry.util.RegistryEnvironment;
 import java.util.Objects;
 import javax.annotation.Nullable;
 import org.apache.beam.sdk.extensions.gcp.options.GcpOptions;

core/src/main/java/google/registry/beam/common/RegistryPipelineWorkerInitializer.java

@@ -19,10 +19,10 @@ import static google.registry.beam.common.RegistryPipelineOptions.toRegistryPipe
 import com.google.auto.service.AutoService;
 import com.google.common.flogger.FluentLogger;
 import dagger.Lazy;
-import google.registry.config.RegistryEnvironment;
-import google.registry.config.SystemPropertySetter;
 import google.registry.persistence.transaction.JpaTransactionManager;
 import google.registry.persistence.transaction.TransactionManagerFactory;
+import google.registry.util.RegistryEnvironment;
+import google.registry.util.SystemPropertySetter;
 import org.apache.beam.sdk.harness.JvmInitializer;
 import org.apache.beam.sdk.options.PipelineOptions;
 

core/src/main/java/google/registry/bsa/BlockListFetcher.java

@@ -0,0 +1,164 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
+import static javax.servlet.http.HttpServletResponse.SC_OK;
+
+import com.google.api.client.http.HttpMethods;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.flogger.FluentLogger;
+import com.google.common.io.ByteStreams;
+import google.registry.bsa.api.BsaCredential;
+import google.registry.bsa.api.BsaException;
+import google.registry.config.RegistryConfig.Config;
+import google.registry.request.UrlConnectionService;
+import google.registry.util.Retrier;
+import java.io.BufferedInputStream;
+import java.io.Closeable;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URL;
+import java.security.GeneralSecurityException;
+import java.util.function.BiConsumer;
+import javax.inject.Inject;
+import javax.net.ssl.HttpsURLConnection;
+
+/** Fetches data from the BSA API. */
+public class BlockListFetcher {
+  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
+
+  private final UrlConnectionService urlConnectionService;
+  private final BsaCredential credential;
+
+  private final ImmutableMap<String, String> blockListUrls;
+  private final Retrier retrier;
+
+  @Inject
+  BlockListFetcher(
+      UrlConnectionService urlConnectionService,
+      BsaCredential credential,
+      @Config("bsaDataUrls") ImmutableMap<String, String> blockListUrls,
+      Retrier retrier) {
+    this.urlConnectionService = urlConnectionService;
+    this.credential = credential;
+    this.blockListUrls = blockListUrls;
+    this.retrier = retrier;
+  }
+
+  LazyBlockList fetch(BlockListType blockListType) {
+    // TODO: use more informative exceptions to describe retriable errors
+    return retrier.callWithRetry(
+        () -> tryFetch(blockListType),
+        e -> e instanceof BsaException && ((BsaException) e).isRetriable());
+  }
+
+  LazyBlockList tryFetch(BlockListType blockListType) {
+    try {
+      URL dataUrl = new URL(blockListUrls.get(blockListType.name()));
+      logger.atInfo().log("Downloading from  %s", dataUrl);
+      HttpsURLConnection connection =
+          (HttpsURLConnection) urlConnectionService.createConnection(dataUrl);
+      connection.setRequestMethod(HttpMethods.GET);
+      connection.setRequestProperty("Authorization", "Bearer " + credential.getAuthToken());
+      int code = connection.getResponseCode();
+      if (code != SC_OK) {
+        String errorDetails = "";
+        try (InputStream errorStream = connection.getErrorStream()) {
+          errorDetails = new String(ByteStreams.toByteArray(errorStream), UTF_8);
+        } catch (NullPointerException e) {
+          // No error message.
+        } catch (Exception e) {
+          errorDetails = "Failed to retrieve error message: " + e.getMessage();
+        }
+        throw new BsaException(
+            String.format(
+                "Status code: [%s], error: [%s], details: [%s]",
+                code, connection.getResponseMessage(), errorDetails),
+            /* retriable= */ true);
+      }
+      return new LazyBlockList(blockListType, connection);
+    } catch (IOException e) {
+      throw new BsaException(e, /* retriable= */ true);
+    } catch (GeneralSecurityException e) {
+      throw new BsaException(e, /* retriable= */ false);
+    }
+  }
+
+  static class LazyBlockList implements Closeable {
+
+    private final BlockListType blockListType;
+
+    private final HttpsURLConnection connection;
+
+    private final BufferedInputStream inputStream;
+    private final String checksum;
+
+    LazyBlockList(BlockListType blockListType, HttpsURLConnection connection) throws IOException {
+      this.blockListType = blockListType;
+      this.connection = connection;
+      this.inputStream = new BufferedInputStream(connection.getInputStream());
+      this.checksum = readChecksum();
+    }
+
+    /** Reads the BSA-generated checksum, which is the first line of the input. */
+    private String readChecksum() throws IOException {
+      StringBuilder checksum = new StringBuilder();
+      char ch;
+      while ((ch = peekInputStream()) != (char) -1 && !Character.isWhitespace(ch)) {
+        checksum.append((char) inputStream.read());
+      }
+      while ((ch = peekInputStream()) != (char) -1 && Character.isWhitespace(ch)) {
+        inputStream.read();
+      }
+      return checksum.toString();
+    }
+
+    char peekInputStream() throws IOException {
+      inputStream.mark(1);
+      int byteValue = inputStream.read();
+      inputStream.reset();
+      return (char) byteValue;
+    }
+
+    BlockListType getName() {
+      return blockListType;
+    }
+
+    String checksum() {
+      return checksum;
+    }
+
+    void consumeAll(BiConsumer<byte[], Integer> consumer) throws IOException {
+      byte[] buffer = new byte[1024];
+      int bytesRead;
+      while ((bytesRead = inputStream.read(buffer)) != -1) {
+        consumer.accept(buffer, bytesRead);
+      }
+    }
+
+    @Override
+    public void close() {
+      if (inputStream != null) {
+        try {
+          inputStream.close();
+        } catch (IOException e) {
+          // Fall through to close the connection.
+        }
+      }
+      connection.disconnect();
+    }
+  }
+}

core/src/main/java/google/registry/bsa/BlockListType.java

@@ -12,12 +12,12 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import { Component } from '@angular/core';
+package google.registry.bsa;
 
-@Component({
-  selector: '[app-domains-widget]',
-  templateUrl: './domains-widget.component.html',
-})
-export class DomainsWidgetComponent {
-  constructor() {}
+/**
+ * The product types of the block lists, which determines the http endpoint that serves the data.
+ */
+public enum BlockListType {
+  BLOCK,
+  BLOCK_PLUS;
 }

core/src/main/java/google/registry/bsa/BsaDiffCreator.java

@@ -0,0 +1,267 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa;
+
+import static com.google.common.base.Preconditions.checkArgument;
+import static com.google.common.collect.ImmutableList.toImmutableList;
+import static com.google.common.collect.ImmutableSet.toImmutableSet;
+import static com.google.common.collect.Maps.newHashMap;
+import static com.google.common.collect.Multimaps.newListMultimap;
+import static com.google.common.collect.Multimaps.toMultimap;
+
+import com.google.auto.value.AutoValue;
+import com.google.common.base.Splitter;
+import com.google.common.base.Strings;
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMultimap;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Lists;
+import com.google.common.collect.Maps;
+import com.google.common.collect.Multimap;
+import com.google.common.collect.Sets;
+import google.registry.bsa.api.BlockLabel;
+import google.registry.bsa.api.BlockLabel.LabelType;
+import google.registry.bsa.api.BlockOrder;
+import google.registry.bsa.api.BlockOrder.OrderType;
+import google.registry.bsa.persistence.DownloadSchedule;
+import google.registry.bsa.persistence.DownloadSchedule.CompletedJob;
+import google.registry.tldconfig.idn.IdnTableEnum;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Objects;
+import java.util.Optional;
+import java.util.stream.Stream;
+import javax.inject.Inject;
+
+/** Creates diffs between the most recent download and the previous one. */
+class BsaDiffCreator {
+
+  private static final Splitter LINE_SPLITTER = Splitter.on(',').trimResults();
+  private static final Splitter ORDER_SPLITTER = Splitter.on(';').trimResults();
+
+  private static final String BSA_CSV_HEADER = "domainLabel,orderIDs";
+
+  /** An impossible value for order ID. See {@link #createDiff} for usage. */
+  static final Long ORDER_ID_SENTINEL = Long.MIN_VALUE;
+
+  private final GcsClient gcsClient;
+
+  @Inject
+  BsaDiffCreator(GcsClient gcsClient) {
+    this.gcsClient = gcsClient;
+  }
+
+  private <K, V extends Comparable> Multimap<K, V> listBackedMultiMap() {
+    return newListMultimap(newHashMap(), Lists::newArrayList);
+  }
+
+  BsaDiff createDiff(DownloadSchedule schedule, IdnChecker idnChecker) {
+    String currentJobName = schedule.jobName();
+    Optional<String> previousJobName = schedule.latestCompleted().map(CompletedJob::jobName);
+    /**
+     * Memory usage is a concern when creating a diff, when the newest download needs to be held in
+     * memory in its entirety. The top-grade AppEngine VM has 3GB of memory, leaving less than 1.5GB
+     * to application memory footprint after subtracting overheads due to copying garbage collection
+     * and non-heap data etc. Assuming 400K labels, each of which on average included in 5 orders,
+     * the memory footprint is at least 300MB when loaded into a Hashset-backed Multimap (64-bit
+     * JVM, with 12-byte object header, 16-byte array header, and 16-byte alignment).
+     *
+     * <p>The memory footprint can be reduced in two ways, by using a canonical instance for each
+     * order ID value, and by using a ArrayList-backed Multimap. Together they reduce memory size to
+     * well below 100MB for the scenario above.
+     *
+     * <p>We need to watch out for the download sizes even after the migration to GKE. However, at
+     * that point we will have a wider selection of hardware.
+     *
+     * <p>Beam pipeline is not a good option. It has to be launched as a separate, asynchronous job,
+     * and there is no guaranteed limit to launch delay. Both issues would increase code complexity.
+     */
+    Canonicals<Long> canonicals = new Canonicals<>();
+    try (Stream<Line> currentStream = loadBlockLists(currentJobName);
+        Stream<Line> previousStream =
+            previousJobName.map(this::loadBlockLists).orElseGet(Stream::of)) {
+      /**
+       * Load current label/order pairs into a multimap, which will contain both new labels and
+       * those that stay on when processing is done.
+       */
+      Multimap<String, Long> newAndRemaining =
+          currentStream
+              .map(line -> line.labelOrderPairs(canonicals))
+              .flatMap(x -> x)
+              .collect(
+                  toMultimap(
+                      LabelOrderPair::label, LabelOrderPair::orderId, this::listBackedMultiMap));
+
+      Multimap<String, Long> deleted =
+          previousStream
+              .map(
+                  line -> {
+                    // Mark labels that exist in both downloads with the SENTINEL id. This helps
+                    // distinguish existing label with new order from new labels.
+                    if (newAndRemaining.containsKey(line.label())
+                        && !newAndRemaining.containsEntry(line.label(), ORDER_ID_SENTINEL)) {
+                      newAndRemaining.put(line.label(), ORDER_ID_SENTINEL);
+                    }
+                    return line;
+                  })
+              .map(line -> line.labelOrderPairs(canonicals))
+              .flatMap(x -> x)
+              .filter(kv -> !newAndRemaining.remove(kv.label(), kv.orderId()))
+              .collect(
+                  toMultimap(
+                      LabelOrderPair::label, LabelOrderPair::orderId, this::listBackedMultiMap));
+
+      /**
+       * Labels in `newAndRemaining`:
+       *
+       * <ul>
+       *   <li>Mapped to `sentinel` only: Labels without change, ignore
+       *   <li>Mapped to `sentinel` and some orders: Existing labels with new order mapping. Those
+       *       orders are new orders.
+       *   <li>Mapped to some orders but not `sentinel`: New labels and new orders.
+       * </ul>
+       *
+       * <p>The `deleted` map has
+       *
+       * <ul>
+       *   <li>Deleted labels: the keyset of deleted minus the keyset of the newAndRemaining
+       *   <li>Deleted orders: the union of values.
+       * </ul>
+       */
+      return new BsaDiff(
+          ImmutableMultimap.copyOf(newAndRemaining), ImmutableMultimap.copyOf(deleted), idnChecker);
+    }
+  }
+
+  Stream<Line> loadBlockLists(String jobName) {
+    return Stream.of(BlockListType.values())
+        .map(blockList -> gcsClient.readBlockList(jobName, blockList))
+        .flatMap(x -> x)
+        .filter(line -> !line.startsWith(BSA_CSV_HEADER))
+        .map(BsaDiffCreator::parseLine);
+  }
+
+  static Line parseLine(String line) {
+    List<String> columns = LINE_SPLITTER.splitToList(line);
+    checkArgument(columns.size() == 2, "Invalid line: [%s]", line);
+    checkArgument(!Strings.isNullOrEmpty(columns.get(0)), "Missing label in line: [%s]", line);
+    try {
+      ImmutableList<Long> orderIds =
+          ORDER_SPLITTER
+              .splitToStream(columns.get(1))
+              .map(Long::valueOf)
+              .collect(toImmutableList());
+      checkArgument(!orderIds.isEmpty(), "Missing orders in line: [%s]", line);
+      checkArgument(
+          !orderIds.contains(ORDER_ID_SENTINEL), "Invalid order id %s", ORDER_ID_SENTINEL);
+      return Line.of(columns.get(0), orderIds);
+    } catch (NumberFormatException e) {
+      throw new IllegalArgumentException(line, e);
+    }
+  }
+
+  static class BsaDiff {
+    private final ImmutableMultimap<String, Long> newAndRemaining;
+
+    private final ImmutableMultimap<String, Long> deleted;
+    private final IdnChecker idnChecker;
+
+    BsaDiff(
+        ImmutableMultimap<String, Long> newAndRemaining,
+        ImmutableMultimap<String, Long> deleted,
+        IdnChecker idnChecker) {
+      this.newAndRemaining = newAndRemaining;
+      this.deleted = deleted;
+      this.idnChecker = idnChecker;
+    }
+
+    Stream<BlockOrder> getOrders() {
+      return Stream.concat(
+          newAndRemaining.values().stream()
+              .filter(value -> !Objects.equals(ORDER_ID_SENTINEL, value))
+              .distinct()
+              .map(id -> BlockOrder.of(id, OrderType.CREATE)),
+          deleted.values().stream().distinct().map(id -> BlockOrder.of(id, OrderType.DELETE)));
+    }
+
+    Stream<BlockLabel> getLabels() {
+      return Stream.of(
+              newAndRemaining.asMap().entrySet().stream()
+                  .filter(e -> e.getValue().size() > 1 || !e.getValue().contains(ORDER_ID_SENTINEL))
+                  .filter(entry -> entry.getValue().contains(ORDER_ID_SENTINEL))
+                  .map(
+                      entry ->
+                          BlockLabel.of(
+                              entry.getKey(),
+                              LabelType.NEW_ORDER_ASSOCIATION,
+                              idnChecker.getAllValidIdns(entry.getKey()).stream()
+                                  .map(IdnTableEnum::name)
+                                  .collect(toImmutableSet()))),
+              newAndRemaining.asMap().entrySet().stream()
+                  .filter(e -> e.getValue().size() > 1 || !e.getValue().contains(ORDER_ID_SENTINEL))
+                  .filter(entry -> !entry.getValue().contains(ORDER_ID_SENTINEL))
+                  .map(
+                      entry ->
+                          BlockLabel.of(
+                              entry.getKey(),
+                              LabelType.CREATE,
+                              idnChecker.getAllValidIdns(entry.getKey()).stream()
+                                  .map(IdnTableEnum::name)
+                                  .collect(toImmutableSet()))),
+              Sets.difference(deleted.keySet(), newAndRemaining.keySet()).stream()
+                  .map(label -> BlockLabel.of(label, LabelType.DELETE, ImmutableSet.of())))
+          .flatMap(x -> x);
+    }
+  }
+
+  static class Canonicals<T> {
+    private final HashMap<T, T> cache;
+
+    Canonicals() {
+      cache = Maps.newHashMap();
+    }
+
+    T get(T value) {
+      cache.putIfAbsent(value, value);
+      return cache.get(value);
+    }
+  }
+
+  @AutoValue
+  abstract static class LabelOrderPair {
+    abstract String label();
+
+    abstract Long orderId();
+
+    static <K, V> LabelOrderPair of(String key, Long value) {
+      return new AutoValue_BsaDiffCreator_LabelOrderPair(key, value);
+    }
+  }
+
+  @AutoValue
+  abstract static class Line {
+    abstract String label();
+
+    abstract ImmutableList<Long> orderIds();
+
+    Stream<LabelOrderPair> labelOrderPairs(Canonicals<Long> canonicals) {
+      return orderIds().stream().map(id -> LabelOrderPair.of(label(), canonicals.get(id)));
+    }
+
+    static Line of(String label, ImmutableList<Long> orderIds) {
+      return new AutoValue_BsaDiffCreator_Line(label, orderIds);
+    }
+  }
+}

core/src/main/java/google/registry/bsa/BsaDownloadAction.java

@@ -0,0 +1,237 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa;
+
+import static google.registry.bsa.BlockListType.BLOCK;
+import static google.registry.bsa.BlockListType.BLOCK_PLUS;
+import static google.registry.bsa.api.JsonSerializations.toCompletedOrdersReport;
+import static google.registry.bsa.api.JsonSerializations.toInProgressOrdersReport;
+import static google.registry.bsa.api.JsonSerializations.toUnblockableDomainsReport;
+import static google.registry.bsa.persistence.LabelDiffUpdates.applyLabelDiff;
+import static google.registry.request.Action.Method.GET;
+import static google.registry.request.Action.Method.POST;
+import static google.registry.util.BatchedStreams.toBatches;
+import static javax.servlet.http.HttpServletResponse.SC_OK;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.flogger.FluentLogger;
+import dagger.Lazy;
+import google.registry.bsa.BlockListFetcher.LazyBlockList;
+import google.registry.bsa.BsaDiffCreator.BsaDiff;
+import google.registry.bsa.api.BlockLabel;
+import google.registry.bsa.api.BlockOrder;
+import google.registry.bsa.api.BsaReportSender;
+import google.registry.bsa.api.UnblockableDomain;
+import google.registry.bsa.persistence.DownloadSchedule;
+import google.registry.bsa.persistence.DownloadScheduler;
+import google.registry.config.RegistryConfig.Config;
+import google.registry.model.tld.Tlds;
+import google.registry.request.Action;
+import google.registry.request.Response;
+import google.registry.request.auth.Auth;
+import google.registry.util.Clock;
+import java.util.Objects;
+import java.util.Optional;
+import java.util.stream.Stream;
+import javax.inject.Inject;
+
+@Action(
+    service = Action.Service.BSA,
+    path = BsaDownloadAction.PATH,
+    method = {GET, POST},
+    auth = Auth.AUTH_API_ADMIN)
+public class BsaDownloadAction implements Runnable {
+
+  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
+
+  static final String PATH = "/_dr/task/bsaDownload";
+
+  private final DownloadScheduler downloadScheduler;
+  private final BlockListFetcher blockListFetcher;
+  private final BsaDiffCreator diffCreator;
+  private final BsaReportSender bsaReportSender;
+  private final GcsClient gcsClient;
+  private final Lazy<IdnChecker> lazyIdnChecker;
+  private final BsaLock bsaLock;
+  private final Clock clock;
+  private final int transactionBatchSize;
+  private final Response response;
+
+  @Inject
+  BsaDownloadAction(
+      DownloadScheduler downloadScheduler,
+      BlockListFetcher blockListFetcher,
+      BsaDiffCreator diffCreator,
+      BsaReportSender bsaReportSender,
+      GcsClient gcsClient,
+      Lazy<IdnChecker> lazyIdnChecker,
+      BsaLock bsaLock,
+      Clock clock,
+      @Config("bsaTxnBatchSize") int transactionBatchSize,
+      Response response) {
+    this.downloadScheduler = downloadScheduler;
+    this.blockListFetcher = blockListFetcher;
+    this.diffCreator = diffCreator;
+    this.bsaReportSender = bsaReportSender;
+    this.gcsClient = gcsClient;
+    this.lazyIdnChecker = lazyIdnChecker;
+    this.bsaLock = bsaLock;
+    this.clock = clock;
+    this.transactionBatchSize = transactionBatchSize;
+    this.response = response;
+  }
+
+  @Override
+  public void run() {
+    try {
+      if (!bsaLock.executeWithLock(this::runWithinLock)) {
+        logger.atInfo().log("Job is being executed by another worker.");
+      }
+    } catch (Throwable throwable) {
+      // TODO(12/31/2023): consider sending an alert email.
+      // TODO: if unretriable errors, log at severe and send email.
+      logger.atWarning().withCause(throwable).log("Failed to update block lists.");
+    }
+    // Always return OK. Let the next cron job retry.
+    response.setStatus(SC_OK);
+  }
+
+  Void runWithinLock() {
+    // Cannot enroll new TLDs after download starts. This may change if b/309175410 is fixed.
+    if (!Tlds.hasActiveBsaEnrollment(clock.nowUtc())) {
+      logger.atInfo().log("No TLDs enrolled with BSA. Quitting.");
+      return null;
+    }
+    Optional<DownloadSchedule> scheduleOptional = downloadScheduler.schedule();
+    if (!scheduleOptional.isPresent()) {
+      logger.atInfo().log("Nothing to do.");
+      return null;
+    }
+    BsaDiff diff = null;
+    DownloadSchedule schedule = scheduleOptional.get();
+    switch (schedule.stage()) {
+      case DOWNLOAD_BLOCK_LISTS:
+        try (LazyBlockList block = blockListFetcher.fetch(BLOCK);
+            LazyBlockList blockPlus = blockListFetcher.fetch(BLOCK_PLUS)) {
+          ImmutableMap<BlockListType, String> fetchedChecksums =
+              ImmutableMap.of(BLOCK, block.checksum(), BLOCK_PLUS, blockPlus.checksum());
+          ImmutableMap<BlockListType, String> prevChecksums =
+              schedule
+                  .latestCompleted()
+                  .map(DownloadSchedule.CompletedJob::checksums)
+                  .orElseGet(ImmutableMap::of);
+          boolean checksumsMatch = Objects.equals(fetchedChecksums, prevChecksums);
+          if (!schedule.alwaysDownload() && checksumsMatch) {
+            logger.atInfo().log(
+                "Skipping download b/c block list checksums have not changed: [%s]",
+                fetchedChecksums);
+            schedule.updateJobStage(DownloadStage.NOP, fetchedChecksums);
+            return null;
+          } else if (checksumsMatch) {
+            logger.atInfo().log(
+                "Checksums match but download anyway: elapsed time since last download exceeds"
+                    + " configured limit.");
+          }
+          // When downloading, always fetch both lists so that whole data set is in one GCS folder.
+          ImmutableMap<BlockListType, String> actualChecksum =
+              gcsClient.saveAndChecksumBlockList(
+                  schedule.jobName(), ImmutableList.of(block, blockPlus));
+          if (!Objects.equals(fetchedChecksums, actualChecksum)) {
+            logger.atSevere().log(
+                "Inlined checksums do not match those calculated by us. Theirs: [%s]; ours: [%s]",
+                fetchedChecksums, actualChecksum);
+            schedule.updateJobStage(DownloadStage.CHECKSUMS_DO_NOT_MATCH, fetchedChecksums);
+            // TODO(01/15/24): add email alert.
+            return null;
+          }
+          schedule.updateJobStage(DownloadStage.MAKE_ORDER_AND_LABEL_DIFF, actualChecksum);
+        }
+        // Fall through
+      case MAKE_ORDER_AND_LABEL_DIFF:
+        diff = diffCreator.createDiff(schedule, lazyIdnChecker.get());
+        gcsClient.writeOrderDiffs(schedule.jobName(), diff.getOrders());
+        gcsClient.writeLabelDiffs(schedule.jobName(), diff.getLabels());
+        schedule.updateJobStage(DownloadStage.APPLY_ORDER_AND_LABEL_DIFF);
+        // Fall through
+      case APPLY_ORDER_AND_LABEL_DIFF:
+        try (Stream<BlockLabel> labels =
+            diff != null ? diff.getLabels() : gcsClient.readLabelDiffs(schedule.jobName())) {
+          Stream<ImmutableList<BlockLabel>> batches = toBatches(labels, transactionBatchSize);
+          gcsClient.writeUnblockableDomains(
+              schedule.jobName(),
+              batches
+                  .map(
+                      batch ->
+                          applyLabelDiff(batch, lazyIdnChecker.get(), schedule, clock.nowUtc()))
+                  .flatMap(ImmutableList::stream));
+        }
+        schedule.updateJobStage(DownloadStage.REPORT_START_OF_ORDER_PROCESSING);
+        // Fall through
+      case REPORT_START_OF_ORDER_PROCESSING:
+        try (Stream<BlockOrder> orders = gcsClient.readOrderDiffs(schedule.jobName())) {
+          // We expect that all order instances and the json string can fit in memory.
+          Optional<String> report = toInProgressOrdersReport(orders);
+          if (report.isPresent()) {
+            // Log report data
+            gcsClient.logInProgressOrderReport(
+                schedule.jobName(), BsaStringUtils.LINE_SPLITTER.splitToStream(report.get()));
+            bsaReportSender.sendOrderStatusReport(report.get());
+          } else {
+            logger.atInfo().log("No new or deleted orders in this round.");
+          }
+        }
+        schedule.updateJobStage(DownloadStage.UPLOAD_UNBLOCKABLE_DOMAINS_FOR_NEW_ORDERS);
+        // Fall through
+      case UPLOAD_UNBLOCKABLE_DOMAINS_FOR_NEW_ORDERS:
+        try (Stream<UnblockableDomain> unblockables =
+            gcsClient.readUnblockableDomains(schedule.jobName())) {
+          /* The number of unblockable domains may be huge in theory (label x ~50 tlds), but in
+           *  practice should be relatively small (tens of thousands?). Batches can be introduced
+           * if size becomes a problem.
+           */
+          Optional<String> report = toUnblockableDomainsReport(unblockables);
+          if (report.isPresent()) {
+            gcsClient.logAddedUnblockableDomainsReport(
+                schedule.jobName(), BsaStringUtils.LINE_SPLITTER.splitToStream(report.get()));
+            // During downloads, unblockable domains are only added, not removed.
+            bsaReportSender.addUnblockableDomainsUpdates(report.get());
+          } else {
+            logger.atInfo().log("No changes in the set of unblockable domains in this round.");
+          }
+        }
+        schedule.updateJobStage(DownloadStage.REPORT_END_OF_ORDER_PROCESSING);
+        // Fall through
+      case REPORT_END_OF_ORDER_PROCESSING:
+        try (Stream<BlockOrder> orders = gcsClient.readOrderDiffs(schedule.jobName())) {
+          // Orders are expected to be few, so the report can be kept in memory.
+          Optional<String> report = toCompletedOrdersReport(orders);
+          if (report.isPresent()) {
+            gcsClient.logCompletedOrderReport(
+                schedule.jobName(), BsaStringUtils.LINE_SPLITTER.splitToStream(report.get()));
+            bsaReportSender.sendOrderStatusReport(report.get());
+          }
+        }
+        schedule.updateJobStage(DownloadStage.DONE);
+        return null;
+      case DONE:
+      case NOP:
+      case CHECKSUMS_DO_NOT_MATCH:
+        logger.atWarning().log("Unexpectedly reached the %s stage.", schedule.stage());
+        break;
+    }
+    return null;
+  }
+}

core/src/main/java/google/registry/bsa/BsaLock.java

@@ -0,0 +1,40 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa;
+
+import google.registry.config.RegistryConfig.Config;
+import google.registry.request.lock.LockHandler;
+import java.util.concurrent.Callable;
+import javax.inject.Inject;
+import org.joda.time.Duration;
+
+/** Helper for guarding all BSA related work with a common lock. */
+public class BsaLock {
+
+  private static final String LOCK_NAME = "all-bsa-jobs";
+
+  private final LockHandler lockHandler;
+  private final Duration leaseExpiry;
+
+  @Inject
+  BsaLock(LockHandler lockHandler, @Config("bsaLockLeaseExpiry") Duration leaseExpiry) {
+    this.lockHandler = lockHandler;
+    this.leaseExpiry = leaseExpiry;
+  }
+
+  boolean executeWithLock(Callable<Void> callable) {
+    return lockHandler.executeWithLocks(callable, null, leaseExpiry, LOCK_NAME);
+  }
+}

core/src/main/java/google/registry/bsa/BsaRefreshAction.java

@@ -0,0 +1,174 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa;
+
+import static google.registry.bsa.BsaStringUtils.LINE_SPLITTER;
+import static google.registry.request.Action.Method.GET;
+import static google.registry.request.Action.Method.POST;
+import static javax.servlet.http.HttpServletResponse.SC_OK;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.flogger.FluentLogger;
+import google.registry.bsa.api.BsaReportSender;
+import google.registry.bsa.api.JsonSerializations;
+import google.registry.bsa.api.UnblockableDomainChange;
+import google.registry.bsa.persistence.DomainsRefresher;
+import google.registry.bsa.persistence.RefreshSchedule;
+import google.registry.bsa.persistence.RefreshScheduler;
+import google.registry.config.RegistryConfig.Config;
+import google.registry.model.tld.Tlds;
+import google.registry.request.Action;
+import google.registry.request.Response;
+import google.registry.request.auth.Auth;
+import google.registry.util.BatchedStreams;
+import google.registry.util.Clock;
+import java.util.Optional;
+import java.util.stream.Stream;
+import javax.inject.Inject;
+import org.joda.time.Duration;
+
+@Action(
+    service = Action.Service.BSA,
+    path = BsaRefreshAction.PATH,
+    method = {GET, POST},
+    auth = Auth.AUTH_API_ADMIN)
+public class BsaRefreshAction implements Runnable {
+
+  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
+
+  static final String PATH = "/_dr/task/bsaRefresh";
+
+  private final RefreshScheduler scheduler;
+  private final GcsClient gcsClient;
+  private final BsaReportSender bsaReportSender;
+  private final int transactionBatchSize;
+  private final Duration domainTxnMaxDuration;
+  private final BsaLock bsaLock;
+  private final Clock clock;
+  private final Response response;
+
+  @Inject
+  BsaRefreshAction(
+      RefreshScheduler scheduler,
+      GcsClient gcsClient,
+      BsaReportSender bsaReportSender,
+      @Config("bsaTxnBatchSize") int transactionBatchSize,
+      @Config("domainTxnMaxDuration") Duration domainTxnMaxDuration,
+      BsaLock bsaLock,
+      Clock clock,
+      Response response) {
+    this.scheduler = scheduler;
+    this.gcsClient = gcsClient;
+    this.bsaReportSender = bsaReportSender;
+    this.transactionBatchSize = transactionBatchSize;
+    this.domainTxnMaxDuration = domainTxnMaxDuration;
+    this.bsaLock = bsaLock;
+    this.clock = clock;
+    this.response = response;
+  }
+
+  @Override
+  public void run() {
+    try {
+      if (!bsaLock.executeWithLock(this::runWithinLock)) {
+        logger.atInfo().log("Job is being executed by another worker.");
+      }
+    } catch (Throwable throwable) {
+      // TODO(12/31/2023): consider sending an alert email.
+      logger.atWarning().withCause(throwable).log("Failed to update block lists.");
+    }
+    // Always return OK. No need to use a retrier on `runWithinLock`. Its individual steps are
+    // implicitly retried. If action fails, the next cron will continue at checkpoint.
+    response.setStatus(SC_OK);
+  }
+
+  /** Executes the refresh action while holding the BSA lock. */
+  Void runWithinLock() {
+    // Cannot enroll new TLDs after download starts. This may change if b/309175410 is fixed.
+    if (!Tlds.hasActiveBsaEnrollment(clock.nowUtc())) {
+      logger.atInfo().log("No TLDs enrolled with BSA. Quitting.");
+      return null;
+    }
+    Optional<RefreshSchedule> maybeSchedule = scheduler.schedule();
+    if (!maybeSchedule.isPresent()) {
+      logger.atInfo().log("No completed downloads yet. Exiting.");
+      return null;
+    }
+    RefreshSchedule schedule = maybeSchedule.get();
+    DomainsRefresher refresher =
+        new DomainsRefresher(
+            schedule.prevRefreshTime(), clock.nowUtc(), domainTxnMaxDuration, transactionBatchSize);
+    switch (schedule.stage()) {
+      case CHECK_FOR_CHANGES:
+        ImmutableList<UnblockableDomainChange> blockabilityChanges =
+            refresher.checkForBlockabilityChanges();
+        if (blockabilityChanges.isEmpty()) {
+          logger.atInfo().log("No change to Unblockable domains found.");
+          schedule.updateJobStage(RefreshStage.DONE);
+          return null;
+        }
+        gcsClient.writeRefreshChanges(schedule.jobName(), blockabilityChanges.stream());
+        schedule.updateJobStage(RefreshStage.APPLY_CHANGES);
+        // Fall through
+      case APPLY_CHANGES:
+        try (Stream<UnblockableDomainChange> changes =
+            gcsClient.readRefreshChanges(schedule.jobName())) {
+          BatchedStreams.toBatches(changes, 500).forEach(refresher::applyUnblockableChanges);
+        }
+        schedule.updateJobStage(RefreshStage.UPLOAD_REMOVALS);
+        // Fall through
+      case UPLOAD_REMOVALS:
+        try (Stream<UnblockableDomainChange> changes =
+            gcsClient.readRefreshChanges(schedule.jobName())) {
+          Optional<String> report =
+              JsonSerializations.toUnblockableDomainsRemovalReport(
+                  changes
+                      .filter(UnblockableDomainChange::isDelete)
+                      .map(UnblockableDomainChange::domainName));
+          if (report.isPresent()) {
+            gcsClient.logRemovedUnblockableDomainsReport(
+                schedule.jobName(), LINE_SPLITTER.splitToStream(report.get()));
+            bsaReportSender.removeUnblockableDomainsUpdates(report.get());
+          } else {
+            logger.atInfo().log("No Unblockable domains to remove.");
+          }
+        }
+        schedule.updateJobStage(RefreshStage.UPLOAD_ADDITIONS);
+        // Fall through
+      case UPLOAD_ADDITIONS:
+        try (Stream<UnblockableDomainChange> changes =
+            gcsClient.readRefreshChanges(schedule.jobName())) {
+          Optional<String> report =
+              JsonSerializations.toUnblockableDomainsReport(
+                  changes
+                      .filter(UnblockableDomainChange::AddOrChange)
+                      .map(UnblockableDomainChange::newValue));
+          if (report.isPresent()) {
+            gcsClient.logRemovedUnblockableDomainsReport(
+                schedule.jobName(), LINE_SPLITTER.splitToStream(report.get()));
+            bsaReportSender.removeUnblockableDomainsUpdates(report.get());
+          } else {
+            logger.atInfo().log("No new Unblockable domains to add.");
+          }
+        }
+        schedule.updateJobStage(RefreshStage.DONE);
+        break;
+      case DONE:
+        logger.atInfo().log("Unexpectedly reaching the `DONE` stage.");
+        break;
+    }
+    return null;
+  }
+}

core/src/main/java/google/registry/bsa/BsaStringUtils.java

@@ -0,0 +1,45 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa;
+
+import static com.google.common.base.Preconditions.checkArgument;
+
+import com.google.common.base.Joiner;
+import com.google.common.base.Splitter;
+import java.util.List;
+
+/** Helpers for domain name manipulation and string serialization of Java objects. */
+public class BsaStringUtils {
+
+  public static final Joiner DOMAIN_JOINER = Joiner.on('.');
+  public static final Joiner PROPERTY_JOINER = Joiner.on(',');
+  public static final Splitter DOMAIN_SPLITTER = Splitter.on('.');
+  public static final Splitter PROPERTY_SPLITTER = Splitter.on(',');
+  public static final Splitter LINE_SPLITTER = Splitter.on('\n');
+
+  public static String getLabelInDomain(String domainName) {
+    List<String> parts = DOMAIN_SPLITTER.limit(1).splitToList(domainName);
+    checkArgument(!parts.isEmpty(), "Not a valid domain: [%s]", domainName);
+    return parts.get(0);
+  }
+
+  public static String getTldInDomain(String domainName) {
+    List<String> parts = DOMAIN_SPLITTER.splitToList(domainName);
+    checkArgument(parts.size() == 2, "Not a valid domain: [%s]", domainName);
+    return parts.get(1);
+  }
+
+  private BsaStringUtils() {}
+}

core/src/main/java/google/registry/bsa/BsaTransactions.java

@@ -0,0 +1,42 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa;
+
+import static google.registry.persistence.PersistenceModule.TransactionIsolationLevel.TRANSACTION_REPEATABLE_READ;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+
+import com.google.errorprone.annotations.CanIgnoreReturnValue;
+import java.util.concurrent.Callable;
+
+/**
+ * Helpers for executing JPA transactions for BSA processing.
+ *
+ * <p>All mutating transactions for BSA may be executed at the {@code TRANSACTION_REPEATABLE_READ}
+ * level.
+ */
+public final class BsaTransactions {
+
+  @CanIgnoreReturnValue
+  public static <T> T bsaTransact(Callable<T> work) {
+    return tm().transact(work, TRANSACTION_REPEATABLE_READ);
+  }
+
+  @CanIgnoreReturnValue
+  public static <T> T bsaQuery(Callable<T> work) {
+    return tm().transact(work, TRANSACTION_REPEATABLE_READ);
+  }
+
+  private BsaTransactions() {}
+}

core/src/main/java/google/registry/bsa/DownloadStage.java

@@ -0,0 +1,55 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa;
+
+import google.registry.bsa.api.BlockLabel;
+import google.registry.bsa.api.BlockOrder;
+
+/** The processing stages of a download. */
+public enum DownloadStage {
+  /** Downloads BSA block list files. */
+  DOWNLOAD_BLOCK_LISTS,
+  /**
+   * Generates block list diffs against the previous download. The diffs consist of a stream of
+   * {@link BlockOrder orders} and a stream of {@link BlockLabel labels}.
+   */
+  MAKE_ORDER_AND_LABEL_DIFF,
+  /** Applies the diffs to the database. */
+  APPLY_ORDER_AND_LABEL_DIFF,
+  /**
+   * Makes a REST API call to BSA endpoint, declaring that processing starts for new orders in the
+   * diffs.
+   */
+  REPORT_START_OF_ORDER_PROCESSING,
+  /**
+   * Makes a REST API call to BSA endpoint, uploading unblockable domains that match labels in the
+   * diff.
+   */
+  UPLOAD_UNBLOCKABLE_DOMAINS_FOR_NEW_ORDERS,
+  /** Makes a REST API call to BSA endpoint, declaring the completion of order processing. */
+  REPORT_END_OF_ORDER_PROCESSING,
+  /** The terminal stage after processing succeeds. */
+  DONE,
+  /**
+   * The terminal stage indicating that the downloads are discarded because their checksums are the
+   * same as that of the previous download.
+   */
+  NOP,
+  /**
+   * The terminal stage indicating that the downloads are not processed because their BSA-generated
+   * checksums do not match those calculated by us.
+   */
+  CHECKSUMS_DO_NOT_MATCH;
+}

core/src/main/java/google/registry/bsa/GcsClient.java

@@ -0,0 +1,229 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa;
+
+import static com.google.common.io.BaseEncoding.base16;
+
+import com.google.cloud.storage.BlobId;
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMap;
+import google.registry.bsa.BlockListFetcher.LazyBlockList;
+import google.registry.bsa.api.BlockLabel;
+import google.registry.bsa.api.BlockOrder;
+import google.registry.bsa.api.UnblockableDomain;
+import google.registry.bsa.api.UnblockableDomainChange;
+import google.registry.config.RegistryConfig.Config;
+import google.registry.gcs.GcsUtils;
+import java.io.BufferedOutputStream;
+import java.io.BufferedReader;
+import java.io.BufferedWriter;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.OutputStreamWriter;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.stream.Stream;
+import javax.inject.Inject;
+
+/** Stores and accesses BSA-related data, including original downloads and processed data. */
+public class GcsClient {
+
+  // Intermediate data files:
+  static final String LABELS_DIFF_FILE = "labels_diff.csv";
+  static final String ORDERS_DIFF_FILE = "orders_diff.csv";
+  static final String UNBLOCKABLE_DOMAINS_FILE = "unblockable_domains.csv";
+  static final String REFRESHED_UNBLOCKABLE_DOMAINS_FILE = "refreshed_unblockable_domains.csv";
+
+  // Logged report data sent to BSA.
+  static final String IN_PROGRESS_ORDERS_REPORT = "in_progress_orders.json";
+  static final String COMPLETED_ORDERS_REPORT = "completed_orders.json";
+  static final String ADDED_UNBLOCKABLE_DOMAINS_REPORT = "added_unblockable_domains.json";
+  static final String REMOVED_UNBLOCKABLE_DOMAINS_REPORT = "removed_unblockable_domains.json";
+
+  private final GcsUtils gcsUtils;
+  private final String bucketName;
+
+  private final String checksumAlgorithm;
+
+  @Inject
+  GcsClient(
+      GcsUtils gcsUtils,
+      @Config("bsaGcsBucket") String bucketName,
+      @Config("bsaChecksumAlgorithm") String checksumAlgorithm) {
+    this.gcsUtils = gcsUtils;
+    this.bucketName = bucketName;
+    this.checksumAlgorithm = checksumAlgorithm;
+  }
+
+  static String getBlockListFileName(BlockListType blockListType) {
+    return blockListType.name() + ".csv";
+  }
+
+  ImmutableMap<BlockListType, String> saveAndChecksumBlockList(
+      String jobName, ImmutableList<LazyBlockList> blockLists) {
+    // Downloading sequentially, since one is expected to be much smaller than the other.
+    return blockLists.stream()
+        .collect(
+            ImmutableMap.toImmutableMap(
+                LazyBlockList::getName, blockList -> saveAndChecksumBlockList(jobName, blockList)));
+  }
+
+  private String saveAndChecksumBlockList(String jobName, LazyBlockList blockList) {
+    BlobId blobId = getBlobId(jobName, getBlockListFileName(blockList.getName()));
+    try (BufferedOutputStream gcsWriter =
+        new BufferedOutputStream(gcsUtils.openOutputStream(blobId))) {
+      MessageDigest messageDigest = MessageDigest.getInstance(checksumAlgorithm);
+      blockList.consumeAll(
+          (byteArray, length) -> {
+            try {
+              gcsWriter.write(byteArray, 0, length);
+            } catch (IOException e) {
+              throw new RuntimeException(e);
+            }
+            messageDigest.update(byteArray, 0, length);
+          });
+      return base16().lowerCase().encode(messageDigest.digest());
+    } catch (IOException | NoSuchAlgorithmException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  private static void writeWithNewline(BufferedWriter writer, String line) {
+    try {
+      writer.write(line);
+      if (!line.endsWith("\n")) {
+        writer.write('\n');
+      }
+    } catch (IOException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  Stream<String> readBlockList(String jobName, BlockListType blockListType) {
+    return readStream(getBlobId(jobName, getBlockListFileName(blockListType)));
+  }
+
+  Stream<BlockOrder> readOrderDiffs(String jobName) {
+    BlobId blobId = getBlobId(jobName, ORDERS_DIFF_FILE);
+    return readStream(blobId).map(BlockOrder::deserialize);
+  }
+
+  void writeOrderDiffs(String jobName, Stream<BlockOrder> orders) {
+    BlobId blobId = getBlobId(jobName, ORDERS_DIFF_FILE);
+    try (BufferedWriter gcsWriter = getWriter(blobId)) {
+      orders.map(BlockOrder::serialize).forEach(line -> writeWithNewline(gcsWriter, line));
+    } catch (IOException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  Stream<BlockLabel> readLabelDiffs(String jobName) {
+    BlobId blobId = getBlobId(jobName, LABELS_DIFF_FILE);
+    return readStream(blobId).map(BlockLabel::deserialize);
+  }
+
+  void writeLabelDiffs(String jobName, Stream<BlockLabel> labels) {
+    BlobId blobId = getBlobId(jobName, LABELS_DIFF_FILE);
+    try (BufferedWriter gcsWriter = getWriter(blobId)) {
+      labels.map(BlockLabel::serialize).forEach(line -> writeWithNewline(gcsWriter, line));
+    } catch (IOException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  Stream<UnblockableDomain> readUnblockableDomains(String jobName) {
+    BlobId blobId = getBlobId(jobName, UNBLOCKABLE_DOMAINS_FILE);
+    return readStream(blobId).map(UnblockableDomain::deserialize);
+  }
+
+  void writeUnblockableDomains(String jobName, Stream<UnblockableDomain> unblockables) {
+    BlobId blobId = getBlobId(jobName, UNBLOCKABLE_DOMAINS_FILE);
+    try (BufferedWriter gcsWriter = getWriter(blobId)) {
+      unblockables
+          .map(UnblockableDomain::serialize)
+          .forEach(line -> writeWithNewline(gcsWriter, line));
+    } catch (IOException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  Stream<UnblockableDomainChange> readRefreshChanges(String jobName) {
+    BlobId blobId = getBlobId(jobName, UNBLOCKABLE_DOMAINS_FILE);
+    return readStream(blobId).map(UnblockableDomainChange::deserialize);
+  }
+
+  void writeRefreshChanges(String jobName, Stream<UnblockableDomainChange> changes) {
+    BlobId blobId = getBlobId(jobName, REFRESHED_UNBLOCKABLE_DOMAINS_FILE);
+    try (BufferedWriter gcsWriter = getWriter(blobId)) {
+      changes
+          .map(UnblockableDomainChange::serialize)
+          .forEach(line -> writeWithNewline(gcsWriter, line));
+    } catch (IOException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  void logInProgressOrderReport(String jobName, Stream<String> lines) {
+    BlobId blobId = getBlobId(jobName, IN_PROGRESS_ORDERS_REPORT);
+    try (BufferedWriter gcsWriter = getWriter(blobId)) {
+      lines.forEach(line -> writeWithNewline(gcsWriter, line));
+    } catch (IOException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  void logCompletedOrderReport(String jobName, Stream<String> lines) {
+    BlobId blobId = getBlobId(jobName, COMPLETED_ORDERS_REPORT);
+    try (BufferedWriter gcsWriter = getWriter(blobId)) {
+      lines.forEach(line -> writeWithNewline(gcsWriter, line));
+    } catch (IOException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  void logAddedUnblockableDomainsReport(String jobName, Stream<String> lines) {
+    BlobId blobId = getBlobId(jobName, ADDED_UNBLOCKABLE_DOMAINS_REPORT);
+    try (BufferedWriter gcsWriter = getWriter(blobId)) {
+      lines.forEach(line -> writeWithNewline(gcsWriter, line));
+    } catch (IOException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  void logRemovedUnblockableDomainsReport(String jobName, Stream<String> lines) {
+    BlobId blobId = getBlobId(jobName, REMOVED_UNBLOCKABLE_DOMAINS_REPORT);
+    try (BufferedWriter gcsWriter = getWriter(blobId)) {
+      lines.forEach(line -> writeWithNewline(gcsWriter, line));
+    } catch (IOException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  BlobId getBlobId(String folder, String name) {
+    return BlobId.of(bucketName, String.format("%s/%s", folder, name));
+  }
+
+  Stream<String> readStream(BlobId blobId) {
+    return new BufferedReader(
+            new InputStreamReader(gcsUtils.openInputStream(blobId), StandardCharsets.UTF_8))
+        .lines();
+  }
+
+  BufferedWriter getWriter(BlobId blobId) {
+    return new BufferedWriter(
+        new OutputStreamWriter(gcsUtils.openOutputStream(blobId), StandardCharsets.UTF_8));
+  }
+}

core/src/main/java/google/registry/bsa/IdnChecker.java

@@ -0,0 +1,94 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa;
+
+import static com.google.common.collect.ImmutableSet.toImmutableSet;
+import static com.google.common.collect.Maps.transformValues;
+import static google.registry.model.tld.Tld.isEnrolledWithBsa;
+
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableMultimap;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Sets;
+import google.registry.model.tld.Tld;
+import google.registry.model.tld.Tld.TldType;
+import google.registry.model.tld.Tlds;
+import google.registry.tldconfig.idn.IdnLabelValidator;
+import google.registry.tldconfig.idn.IdnTableEnum;
+import google.registry.util.Clock;
+import javax.inject.Inject;
+import org.joda.time.DateTime;
+
+/**
+ * Checks labels' validity wrt Idns in TLDs enrolled with BSA.
+ *
+ * <p>Each instance takes a snapshot of the TLDs at instantiation time, and should be limited to the
+ * Request scope.
+ */
+public class IdnChecker {
+  private static final IdnLabelValidator IDN_LABEL_VALIDATOR = new IdnLabelValidator();
+
+  private final ImmutableMap<IdnTableEnum, ImmutableSet<Tld>> idnToTlds;
+  private final ImmutableSet<Tld> allTlds;
+
+  @Inject
+  IdnChecker(Clock clock) {
+    this.idnToTlds = getIdnToTldMap(clock.nowUtc());
+    allTlds = idnToTlds.values().stream().flatMap(ImmutableSet::stream).collect(toImmutableSet());
+  }
+
+  /** Returns all IDNs in which the {@code label} is valid. */
+  ImmutableSet<IdnTableEnum> getAllValidIdns(String label) {
+    return idnToTlds.keySet().stream()
+        .filter(idnTable -> idnTable.getTable().isValidLabel(label))
+        .collect(toImmutableSet());
+  }
+
+  /**
+   * Returns the TLDs that support at least one IDN in the {@code idnTables}.
+   *
+   * @param idnTables String names of {@link IdnTableEnum} values
+   */
+  public ImmutableSet<Tld> getSupportingTlds(ImmutableSet<String> idnTables) {
+    return idnTables.stream()
+        .map(IdnTableEnum::valueOf)
+        .filter(idnToTlds::containsKey)
+        .map(idnToTlds::get)
+        .flatMap(ImmutableSet::stream)
+        .collect(toImmutableSet());
+  }
+
+  /**
+   * Returns the TLDs that do not support any IDN in the {@code idnTables}.
+   *
+   * @param idnTables String names of {@link IdnTableEnum} values
+   */
+  public ImmutableSet<Tld> getForbiddingTlds(ImmutableSet<String> idnTables) {
+    return Sets.difference(allTlds, getSupportingTlds(idnTables)).immutableCopy();
+  }
+
+  private static ImmutableMap<IdnTableEnum, ImmutableSet<Tld>> getIdnToTldMap(DateTime now) {
+    ImmutableMultimap.Builder<IdnTableEnum, Tld> idnToTldMap = new ImmutableMultimap.Builder();
+    Tlds.getTldEntitiesOfType(TldType.REAL).stream()
+        .filter(tld -> isEnrolledWithBsa(tld, now))
+        .forEach(
+            tld -> {
+              for (IdnTableEnum idn : IDN_LABEL_VALIDATOR.getIdnTablesForTld(tld)) {
+                idnToTldMap.put(idn, tld);
+              }
+            });
+    return ImmutableMap.copyOf(transformValues(idnToTldMap.build().asMap(), ImmutableSet::copyOf));
+  }
+}

core/src/main/java/google/registry/bsa/RefreshStage.java

@@ -0,0 +1,30 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa;
+
+public enum RefreshStage {
+  /**
+   * Checks for stale unblockable domains. The output is a stream of {@link
+   * google.registry.bsa.api.UnblockableDomainChange} objects that describe the stale domains.
+   */
+  CHECK_FOR_CHANGES,
+  /** Fixes the stale domains in the database. */
+  APPLY_CHANGES,
+  /** Reports the unblockable domains to be removed to BSA. */
+  UPLOAD_REMOVALS,
+  /** Reports the newly found unblockable domains to BSA. */
+  UPLOAD_ADDITIONS,
+  DONE;
+}

core/src/main/java/google/registry/bsa/ReservedDomainsUtils.java

@@ -0,0 +1,80 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa;
+
+import static com.google.common.base.Verify.verify;
+import static com.google.common.collect.ImmutableSet.toImmutableSet;
+import static google.registry.bsa.BsaStringUtils.DOMAIN_JOINER;
+import static google.registry.flows.domain.DomainFlowUtils.isReserved;
+import static google.registry.model.tld.Tlds.findTldForName;
+
+import com.google.common.collect.ImmutableSet;
+import com.google.common.net.InternetDomainName;
+import google.registry.model.tld.Tld;
+import google.registry.model.tld.Tld.TldState;
+import google.registry.model.tld.Tld.TldType;
+import google.registry.model.tld.Tlds;
+import google.registry.model.tld.label.ReservedList;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Optional;
+import java.util.Set;
+import java.util.stream.Stream;
+import org.joda.time.DateTime;
+
+/**
+ * Utility for looking up reserved domain names.
+ *
+ * <p>This utility is only concerned with reserved domains that can be created (with appropriate
+ * tokens).
+ */
+public final class ReservedDomainsUtils {
+
+  private ReservedDomainsUtils() {}
+
+  public static Stream<String> getAllReservedNames(DateTime now) {
+    return Tlds.getTldEntitiesOfType(TldType.REAL).stream()
+        .filter(tld -> Tld.isEnrolledWithBsa(tld, now))
+        .map(tld -> getAllReservedDomainsInTld(tld, now))
+        .flatMap(ImmutableSet::stream);
+  }
+
+  /** Returns */
+  static ImmutableSet<String> getAllReservedDomainsInTld(Tld tld, DateTime now) {
+    return tld.getReservedListNames().stream()
+        .map(ReservedList::get)
+        .filter(Optional::isPresent)
+        .map(Optional::get)
+        .map(ReservedList::getReservedListEntries)
+        .map(Map::keySet)
+        .flatMap(Set::stream)
+        .map(label -> DOMAIN_JOINER.join(label, tld.getTldStr()))
+        .filter(domain -> isReservedDomain(domain, now))
+        .collect(toImmutableSet());
+  }
+
+  /**
+   * Returns true if {@code domain} is a reserved name that can be registered right now (e.g.,
+   * during sunrise or with allocation token), therefore unblockable.
+   */
+  public static boolean isReservedDomain(String domain, DateTime now) {
+    Optional<InternetDomainName> tldStr = findTldForName(InternetDomainName.from(domain));
+    verify(tldStr.isPresent(), "Tld for domain [%s] unexpectedly missing.", domain);
+    Tld tld = Tld.get(tldStr.get().toString());
+    return isReserved(
+        InternetDomainName.from(domain),
+        Objects.equals(tld.getTldState(now), TldState.START_DATE_SUNRISE));
+  }
+}

core/src/main/java/google/registry/bsa/api/BlockLabel.java

@@ -0,0 +1,64 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.api;
+
+import com.google.auto.value.AutoValue;
+import com.google.common.base.Joiner;
+import com.google.common.base.Splitter;
+import com.google.common.collect.ImmutableSet;
+import java.util.List;
+
+/**
+ * A BSA label to block. New domains with matching second-level domain (SLD) will be denied
+ * registration in TLDs enrolled with BSA.
+ */
+@AutoValue
+public abstract class BlockLabel {
+
+  static final Joiner JOINER = Joiner.on(',');
+  static final Splitter SPLITTER = Splitter.on(',').trimResults();
+
+  public abstract String label();
+
+  public abstract LabelType labelType();
+
+  public abstract ImmutableSet<String> idnTables();
+
+  public String serialize() {
+    return JOINER.join(label(), labelType().name(), idnTables().stream().sorted().toArray());
+  }
+
+  public static BlockLabel deserialize(String text) {
+    List<String> items = SPLITTER.splitToList(text);
+    try {
+      return of(
+          items.get(0),
+          LabelType.valueOf(items.get(1)),
+          ImmutableSet.copyOf(items.subList(2, items.size())));
+    } catch (NumberFormatException ne) {
+      throw new IllegalArgumentException(text);
+    }
+  }
+
+  public static BlockLabel of(String label, LabelType type, ImmutableSet<String> idnTables) {
+    return new AutoValue_BlockLabel(label, type, idnTables);
+  }
+
+  public enum LabelType {
+    CREATE,
+    NEW_ORDER_ASSOCIATION,
+    DELETE;
+  }
+}

core/src/main/java/google/registry/bsa/api/BlockOrder.java

@@ -0,0 +1,57 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.api;
+
+import com.google.auto.value.AutoValue;
+import com.google.common.base.Joiner;
+import com.google.common.base.Splitter;
+import java.util.List;
+
+/**
+ * A BSA order, which are needed when communicating with the BSA API while processing downloaded
+ * block lists.
+ */
+@AutoValue
+public abstract class BlockOrder {
+
+  public abstract long orderId();
+
+  public abstract OrderType orderType();
+
+  static final Joiner JOINER = Joiner.on(',');
+  static final Splitter SPLITTER = Splitter.on(',');
+
+  public String serialize() {
+    return JOINER.join(orderId(), orderType().name());
+  }
+
+  public static BlockOrder deserialize(String text) {
+    List<String> items = SPLITTER.splitToList(text);
+    try {
+      return of(Long.valueOf(items.get(0)), OrderType.valueOf(items.get(1)));
+    } catch (NumberFormatException ne) {
+      throw new IllegalArgumentException(text);
+    }
+  }
+
+  public static BlockOrder of(long orderId, OrderType orderType) {
+    return new AutoValue_BlockOrder(orderId, orderType);
+  }
+
+  public enum OrderType {
+    CREATE,
+    DELETE;
+  }
+}

core/src/main/java/google/registry/bsa/api/BsaCredential.java

@@ -0,0 +1,160 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.api;
+
+import static google.registry.request.UrlConnectionUtils.getResponseBytes;
+import static java.nio.charset.StandardCharsets.UTF_8;
+import static javax.servlet.http.HttpServletResponse.SC_OK;
+
+import com.google.api.client.http.HttpMethods;
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.flogger.FluentLogger;
+import com.google.gson.Gson;
+import google.registry.config.RegistryConfig.Config;
+import google.registry.keyring.api.Keyring;
+import google.registry.request.UrlConnectionService;
+import google.registry.request.UrlConnectionUtils;
+import google.registry.util.Clock;
+import java.io.IOException;
+import java.net.URL;
+import java.security.GeneralSecurityException;
+import java.util.Map;
+import javax.annotation.Nullable;
+import javax.annotation.concurrent.ThreadSafe;
+import javax.inject.Inject;
+import javax.net.ssl.HttpsURLConnection;
+import org.joda.time.Duration;
+import org.joda.time.Instant;
+
+/**
+ * A credential for accessing the BSA API.
+ *
+ * <p>Fetches on-demand an auth token from BSA's auth http endpoint and caches it for repeated use
+ * until the token expires (expiry set by BSA and recorded in the configuration file). An expired
+ * token is refreshed only when requested. Token refreshing is blocking but thread-safe.
+ *
+ * <p>The token-fetching request authenticates itself with an API key, which is stored in the Secret
+ * Manager.
+ */
+@ThreadSafe
+public class BsaCredential {
+
+  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
+
+  /** Content type of the auth http request. */
+  private static final String CONTENT_TYPE = "application/x-www-form-urlencoded";
+  /** Template of the auth http request's payload. User must provide an API key. */
+  private static final String AUTH_REQ_BODY_TEMPLATE = "apiKey=%s&space=BSA";
+  /** The variable name for the auth token in the returned json response. */
+  public static final String ID_TOKEN = "id_token";
+
+  private final UrlConnectionService urlConnectionService;
+
+  private final String authUrl;
+
+  private final Duration authTokenExpiry;
+
+  private final Keyring keyring;
+
+  private final Clock clock;
+
+  @Nullable private String authToken;
+  private Instant lastRefreshTime;
+
+  @Inject
+  BsaCredential(
+      UrlConnectionService urlConnectionService,
+      @Config("bsaAuthUrl") String authUrl,
+      @Config("bsaAuthTokenExpiry") Duration authTokenExpiry,
+      Keyring keyring,
+      Clock clock) {
+    this.urlConnectionService = urlConnectionService;
+    this.authUrl = authUrl;
+    this.authTokenExpiry = authTokenExpiry;
+    this.keyring = keyring;
+    this.clock = clock;
+  }
+
+  /**
+   * Returns the auth token for accessing the BSA API.
+   *
+   * <p>This method refreshes the token if it is expired, and is thread-safe..
+   */
+  public String getAuthToken() {
+    try {
+      ensureAuthTokenValid();
+    } catch (IOException e) {
+      throw new BsaException(e, /* retriable= */ true);
+    } catch (GeneralSecurityException e) {
+      throw new BsaException(e, /* retriable= */ false);
+    }
+    return this.authToken;
+  }
+
+  private void ensureAuthTokenValid() throws IOException, GeneralSecurityException {
+    Instant now = Instant.ofEpochMilli(clock.nowUtc().getMillis());
+    if (authToken != null && lastRefreshTime.plus(authTokenExpiry).isAfter(now)) {
+      logger.atInfo().log("AuthToken still valid, reusing.");
+      return;
+    }
+    synchronized (this) {
+      authToken = fetchNewAuthToken();
+      lastRefreshTime = now;
+      logger.atInfo().log("AuthToken refreshed at %s.", now);
+    }
+  }
+
+  @VisibleForTesting
+  String fetchNewAuthToken() throws IOException, GeneralSecurityException {
+    String payload = String.format(AUTH_REQ_BODY_TEMPLATE, keyring.getBsaApiKey());
+    URL url = new URL(authUrl);
+    logger.atInfo().log("Fetching auth token from %s", url);
+    HttpsURLConnection connection = null;
+    try {
+      connection = (HttpsURLConnection) urlConnectionService.createConnection(url);
+      connection.setRequestMethod(HttpMethods.POST);
+      UrlConnectionUtils.setPayload(connection, payload.getBytes(UTF_8), CONTENT_TYPE);
+      int code = connection.getResponseCode();
+      if (code != SC_OK) {
+        String errorDetails;
+        try {
+          errorDetails = new String(getResponseBytes(connection), UTF_8);
+        } catch (Exception e) {
+          errorDetails = "Failed to retrieve error message: " + e.getMessage();
+        }
+        throw new BsaException(
+            String.format(
+                "Status code: [%s], error: [%s], details: [%s]",
+                code, connection.getResponseMessage(), errorDetails),
+            /* retriable= */ true);
+      }
+      // TODO: catch json syntax exception
+      @SuppressWarnings("unchecked")
+      String idToken =
+          new Gson()
+              .fromJson(new String(getResponseBytes(connection), UTF_8), Map.class)
+              .getOrDefault(ID_TOKEN, "")
+              .toString();
+      if (idToken.isEmpty()) {
+        throw new BsaException("Response missing ID token", /* retriable= */ false);
+      }
+      return idToken;
+    } finally {
+      if (connection != null) {
+        connection.disconnect();
+      }
+    }
+  }
+}

core/src/main/java/google/registry/bsa/api/BsaException.java

@@ -0,0 +1,34 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.api;
+
+public class BsaException extends RuntimeException {
+
+  private final boolean retriable;
+
+  public BsaException(Throwable cause, boolean retriable) {
+    super(cause);
+    this.retriable = retriable;
+  }
+
+  public BsaException(String message, boolean retriable) {
+    super(message);
+    this.retriable = retriable;
+  }
+
+  public boolean isRetriable() {
+    return this.retriable;
+  }
+}

core/src/main/java/google/registry/bsa/api/BsaReportSender.java

@@ -0,0 +1,127 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.api;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
+import static javax.servlet.http.HttpServletResponse.SC_ACCEPTED;
+import static javax.servlet.http.HttpServletResponse.SC_OK;
+
+import com.google.api.client.http.HttpMethods;
+import com.google.common.flogger.FluentLogger;
+import com.google.common.io.ByteStreams;
+import com.google.common.net.MediaType;
+import google.registry.config.RegistryConfig.Config;
+import google.registry.request.UrlConnectionService;
+import google.registry.request.UrlConnectionUtils;
+import google.registry.util.Retrier;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URL;
+import java.security.GeneralSecurityException;
+import javax.inject.Inject;
+import javax.net.ssl.HttpsURLConnection;
+
+/**
+ * Sends order processing reports to BSA.
+ *
+ * <p>Senders are responsible for keeping payloads at reasonable sizes.
+ */
+public class BsaReportSender {
+
+  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
+
+  private static final MediaType CONTENT_TYPE = MediaType.JSON_UTF_8;
+
+  private final UrlConnectionService urlConnectionService;
+  private final BsaCredential credential;
+  private final String orderStatusUrl;
+  private final String addUnblockableDomainsUrl;
+  private final String removeUnblockableDomainsUrl;
+
+  private final Retrier retrier;
+
+  @Inject
+  BsaReportSender(
+      UrlConnectionService urlConnectionService,
+      BsaCredential credential,
+      @Config("bsaOrderStatusUrl") String orderStatusUrl,
+      @Config("bsaAddUnblockableDomainsUrl") String addUnblockableDomainsUrl,
+      @Config("bsaRemoveUnblockableDomainsUrl") String removeUnblockableDomainsUrl,
+      Retrier retrier) {
+    this.urlConnectionService = urlConnectionService;
+    this.credential = credential;
+    this.orderStatusUrl = orderStatusUrl;
+    this.addUnblockableDomainsUrl = addUnblockableDomainsUrl;
+    this.removeUnblockableDomainsUrl = removeUnblockableDomainsUrl;
+    this.retrier = retrier;
+  }
+
+  public void sendOrderStatusReport(String payload) {
+    retrier.callWithRetry(
+        () -> trySendData(this.orderStatusUrl, payload),
+        e -> e instanceof BsaException && ((BsaException) e).isRetriable());
+  }
+
+  public void addUnblockableDomainsUpdates(String payload) {
+    retrier.callWithRetry(
+        () -> trySendData(this.addUnblockableDomainsUrl, payload),
+        e -> e instanceof BsaException && ((BsaException) e).isRetriable());
+  }
+
+  public void removeUnblockableDomainsUpdates(String payload) {
+    retrier.callWithRetry(
+        () -> trySendData(this.removeUnblockableDomainsUrl, payload),
+        e -> e instanceof BsaException && ((BsaException) e).isRetriable());
+  }
+
+  Void trySendData(String urlString, String payload) {
+    try {
+      URL url = new URL(urlString);
+      HttpsURLConnection connection =
+          (HttpsURLConnection) urlConnectionService.createConnection(url);
+      connection.setRequestMethod(HttpMethods.POST);
+      connection.setRequestProperty("Authorization", "Bearer " + credential.getAuthToken());
+      UrlConnectionUtils.setPayload(connection, payload.getBytes(UTF_8), CONTENT_TYPE.toString());
+      int code = connection.getResponseCode();
+      if (code != SC_OK && code != SC_ACCEPTED) {
+        String errorDetails = "";
+        try (InputStream errorStream = connection.getErrorStream()) {
+          errorDetails = new String(ByteStreams.toByteArray(errorStream), UTF_8);
+        } catch (NullPointerException e) {
+          // No error message.
+        } catch (Exception e) {
+          errorDetails = "Failed to retrieve error message: " + e.getMessage();
+        }
+        // TODO(b/318404541): sanitize errorDetails to prevent log injection attack.
+        throw new BsaException(
+            String.format(
+                "Status code: [%s], error: [%s], details: [%s]",
+                code, connection.getResponseMessage(), errorDetails),
+            /* retriable= */ true);
+      }
+      try (InputStream errorStream = connection.getInputStream()) {
+        String responseMessage = new String(ByteStreams.toByteArray(errorStream), UTF_8);
+        logger.atInfo().log("Received response: [%s]", responseMessage);
+      } catch (Exception e) {
+        logger.atInfo().withCause(e).log("Failed to retrieve response message.");
+      }
+      return null;
+    } catch (IOException e) {
+      throw new BsaException(e, /* retriable= */ true);
+    } catch (GeneralSecurityException e) {
+      throw new BsaException(e, /* retriable= */ false);
+    }
+  }
+}

core/src/main/java/google/registry/bsa/api/JsonSerializations.java

@@ -0,0 +1,91 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.api;
+
+import static com.google.common.collect.ImmutableList.toImmutableList;
+import static com.google.common.collect.Maps.newTreeMap;
+import static com.google.common.collect.Multimaps.newListMultimap;
+import static com.google.common.collect.Multimaps.toMultimap;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableMultimap;
+import com.google.common.collect.Lists;
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+import google.registry.bsa.api.BlockOrder.OrderType;
+import java.util.Locale;
+import java.util.Optional;
+import java.util.stream.Stream;
+
+/** Helpers for generating {@link BlockOrder} and {@link UnblockableDomain} reports. */
+public final class JsonSerializations {
+
+  private static final Gson GSON = new GsonBuilder().setPrettyPrinting().create();
+
+  private JsonSerializations() {}
+
+  public static Optional<String> toInProgressOrdersReport(Stream<BlockOrder> orders) {
+    ImmutableList<ImmutableMap<String, Object>> maps =
+        orders.map(JsonSerializations::asInProgressOrder).collect(toImmutableList());
+    if (maps.isEmpty()) {
+      return Optional.empty();
+    }
+    return Optional.of(GSON.toJson(maps));
+  }
+
+  public static Optional<String> toCompletedOrdersReport(Stream<BlockOrder> orders) {
+    ImmutableList<ImmutableMap<String, Object>> maps =
+        orders.map(JsonSerializations::asCompletedOrder).collect(toImmutableList());
+    if (maps.isEmpty()) {
+      return Optional.empty();
+    }
+    return Optional.of(GSON.toJson(maps));
+  }
+
+  public static Optional<String> toUnblockableDomainsReport(Stream<UnblockableDomain> domains) {
+    ImmutableMultimap<String, String> reasonToNames =
+        ImmutableMultimap.copyOf(
+            domains.collect(
+                toMultimap(
+                    domain -> domain.reason().name().toLowerCase(Locale.ROOT),
+                    UnblockableDomain::domainName,
+                    () -> newListMultimap(newTreeMap(), Lists::newArrayList))));
+
+    if (reasonToNames.isEmpty()) {
+      return Optional.empty();
+    }
+    return Optional.of(GSON.toJson(reasonToNames.asMap()));
+  }
+
+  public static Optional<String> toUnblockableDomainsRemovalReport(Stream<String> domainNames) {
+    ImmutableList<String> domainsList = domainNames.collect(toImmutableList());
+    if (domainsList.isEmpty()) {
+      return Optional.empty();
+    }
+    return Optional.of(GSON.toJson(domainsList));
+  }
+
+  private static ImmutableMap<String, Object> asInProgressOrder(BlockOrder order) {
+    String status =
+        order.orderType().equals(OrderType.CREATE) ? "ActivationInProgress" : "ReleaseInProgress";
+    return ImmutableMap.of("blockOrderId", order.orderId(), "status", status);
+  }
+
+  private static ImmutableMap<String, Object> asCompletedOrder(BlockOrder order) {
+    String status = order.orderType().equals(OrderType.CREATE) ? "Active" : "Closed";
+    return ImmutableMap.of("blockOrderId", order.orderId(), "status", status);
+  }
+}

core/src/main/java/google/registry/bsa/api/UnblockableDomain.java

@@ -0,0 +1,58 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.api;
+
+import static google.registry.bsa.BsaStringUtils.DOMAIN_JOINER;
+import static google.registry.bsa.BsaStringUtils.PROPERTY_JOINER;
+import static google.registry.bsa.BsaStringUtils.PROPERTY_SPLITTER;
+
+import com.google.auto.value.AutoValue;
+import java.util.List;
+
+/**
+ * A domain name whose second-level domain (SLD) matches a BSA label but is not blocked. It may be
+ * already registered, or on the TLD's reserve list.
+ */
+// TODO(1/15/2024): rename to UnblockableDomain.
+@AutoValue
+public abstract class UnblockableDomain {
+  abstract String domainName();
+
+  abstract Reason reason();
+
+  /** Reasons why a valid domain name cannot be blocked. */
+  public enum Reason {
+    REGISTERED,
+    RESERVED,
+    INVALID;
+  }
+
+  public String serialize() {
+    return PROPERTY_JOINER.join(domainName(), reason().name());
+  }
+
+  public static UnblockableDomain deserialize(String text) {
+    List<String> items = PROPERTY_SPLITTER.splitToList(text);
+    return of(items.get(0), Reason.valueOf(items.get(1)));
+  }
+
+  public static UnblockableDomain of(String domainName, Reason reason) {
+    return new AutoValue_UnblockableDomain(domainName, reason);
+  }
+
+  public static UnblockableDomain of(String label, String tld, Reason reason) {
+    return of(DOMAIN_JOINER.join(label, tld), reason);
+  }
+}

core/src/main/java/google/registry/bsa/api/UnblockableDomainChange.java

@@ -0,0 +1,99 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.api;
+
+import static com.google.common.base.Verify.verify;
+import static google.registry.bsa.BsaStringUtils.PROPERTY_JOINER;
+
+import com.google.auto.value.AutoValue;
+import com.google.auto.value.extension.memoized.Memoized;
+import google.registry.bsa.BsaStringUtils;
+import google.registry.bsa.api.UnblockableDomain.Reason;
+import java.util.List;
+import java.util.Objects;
+import java.util.Optional;
+
+/** Change record of an {@link UnblockableDomain}. */
+@AutoValue
+public abstract class UnblockableDomainChange {
+
+  /**
+   * The text used in place of an empty {@link #newReason()} when an instance is serialized to
+   * string.
+   *
+   * <p>This value helps manual inspection of the change files, making it easier to `grep` for
+   * deletions in BSA reports.
+   */
+  private static final String DELETE_REASON_PLACEHOLDER = "IS_DELETE";
+
+  abstract UnblockableDomain unblockable();
+
+  abstract Optional<Reason> newReason();
+
+  public String domainName() {
+    return unblockable().domainName();
+  }
+
+  @Memoized
+  public UnblockableDomain newValue() {
+    verify(newReason().isPresent(), "Removed unblockable does not have new value.");
+    return UnblockableDomain.of(unblockable().domainName(), newReason().get());
+  }
+
+  public boolean AddOrChange() {
+    return newReason().isPresent();
+  }
+
+  public boolean isDelete() {
+    return !this.AddOrChange();
+  }
+
+  public boolean isNew() {
+    return newReason().filter(unblockable().reason()::equals).isPresent();
+  }
+
+  public String serialize() {
+    return PROPERTY_JOINER.join(
+        unblockable().domainName(),
+        unblockable().reason(),
+        newReason().map(Reason::name).orElse(DELETE_REASON_PLACEHOLDER));
+  }
+
+  public static UnblockableDomainChange deserialize(String text) {
+    List<String> items = BsaStringUtils.PROPERTY_SPLITTER.splitToList(text);
+    return of(
+        UnblockableDomain.of(items.get(0), Reason.valueOf(items.get(1))),
+        Objects.equals(items.get(2), DELETE_REASON_PLACEHOLDER)
+            ? Optional.empty()
+            : Optional.of(Reason.valueOf(items.get(2))));
+  }
+
+  public static UnblockableDomainChange ofNew(UnblockableDomain unblockable) {
+    return of(unblockable, Optional.of(unblockable.reason()));
+  }
+
+  public static UnblockableDomainChange ofDeleted(UnblockableDomain unblockable) {
+    return of(unblockable, Optional.empty());
+  }
+
+  public static UnblockableDomainChange ofChanged(UnblockableDomain unblockable, Reason newReason) {
+    return of(unblockable, Optional.of(newReason));
+  }
+
+  private static UnblockableDomainChange of(
+      UnblockableDomain unblockable, Optional<Reason> newReason) {
+    return new AutoValue_UnblockableDomainChange(unblockable, newReason);
+  }
+}

core/src/main/java/google/registry/bsa/persistence/BsaDomainRefresh.java

@@ -0,0 +1,116 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.persistence;
+
+import static google.registry.bsa.RefreshStage.CHECK_FOR_CHANGES;
+import static google.registry.bsa.RefreshStage.DONE;
+
+import com.google.common.base.Objects;
+import google.registry.bsa.RefreshStage;
+import google.registry.model.CreateAutoTimestamp;
+import google.registry.model.UpdateAutoTimestamp;
+import google.registry.persistence.VKey;
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import org.joda.time.DateTime;
+
+/**
+ * Records of completed and ongoing refresh actions, which recomputes the set of unblockable domains
+ * and reports changes to BSA.
+ *
+ * <p>The refresh action only handles registered and reserved domain names. Invalid names only
+ * change status when the IDN tables change, and will be handled by a separate tool when it happens.
+ */
+@Entity
+class BsaDomainRefresh {
+
+  @Id
+  @GeneratedValue(strategy = GenerationType.IDENTITY)
+  Long jobId;
+
+  @Column(nullable = false)
+  CreateAutoTimestamp creationTime = CreateAutoTimestamp.create(null);
+
+  @Column(nullable = false)
+  UpdateAutoTimestamp updateTime = UpdateAutoTimestamp.create(null);
+
+  @Column(nullable = false)
+  @Enumerated(EnumType.STRING)
+  RefreshStage stage = CHECK_FOR_CHANGES;
+
+  BsaDomainRefresh() {}
+
+  long getJobId() {
+    return jobId;
+  }
+
+  DateTime getCreationTime() {
+    return creationTime.getTimestamp();
+  }
+
+  /**
+   * Returns the starting time of this job as a string, which can be used as folder name on GCS when
+   * storing download data.
+   */
+  String getJobName() {
+    return getCreationTime().toString() + "-refresh";
+  }
+
+  boolean isDone() {
+    return java.util.Objects.equals(stage, DONE);
+  }
+
+  RefreshStage getStage() {
+    return this.stage;
+  }
+
+  BsaDomainRefresh setStage(RefreshStage refreshStage) {
+    this.stage = refreshStage;
+    return this;
+  }
+
+  VKey<BsaDomainRefresh> vKey() {
+    return vKey(jobId);
+  }
+
+  @Override
+  public boolean equals(Object o) {
+    if (this == o) {
+      return true;
+    }
+    if (!(o instanceof BsaDomainRefresh)) {
+      return false;
+    }
+    BsaDomainRefresh that = (BsaDomainRefresh) o;
+    return Objects.equal(jobId, that.jobId)
+        && Objects.equal(creationTime, that.creationTime)
+        && Objects.equal(updateTime, that.updateTime)
+        && stage == that.stage;
+  }
+
+  @Override
+  public int hashCode() {
+    return Objects.hashCode(jobId, creationTime, updateTime, stage);
+  }
+
+  static VKey<BsaDomainRefresh> vKey(long jobId) {
+    return VKey.create(BsaDomainRefresh.class, jobId);
+  }
+}

core/src/main/java/google/registry/bsa/persistence/BsaDownload.java

@@ -0,0 +1,141 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.persistence;
+
+import static com.google.common.collect.ImmutableMap.toImmutableMap;
+import static google.registry.bsa.DownloadStage.DONE;
+import static google.registry.bsa.DownloadStage.DOWNLOAD_BLOCK_LISTS;
+
+import com.google.common.base.Joiner;
+import com.google.common.base.Objects;
+import com.google.common.base.Splitter;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSortedMap;
+import google.registry.bsa.BlockListType;
+import google.registry.bsa.DownloadStage;
+import google.registry.model.CreateAutoTimestamp;
+import google.registry.model.UpdateAutoTimestamp;
+import google.registry.persistence.VKey;
+import java.util.Locale;
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Index;
+import javax.persistence.Table;
+import org.joda.time.DateTime;
+
+/** Records of ongoing and completed download jobs. */
+@Entity
+@Table(indexes = {@Index(columnList = "creationTime")})
+class BsaDownload {
+
+  private static final Joiner CSV_JOINER = Joiner.on(',');
+  private static final Splitter CSV_SPLITTER = Splitter.on(',');
+
+  @Id
+  @GeneratedValue(strategy = GenerationType.IDENTITY)
+  Long jobId;
+
+  @Column(nullable = false)
+  CreateAutoTimestamp creationTime = CreateAutoTimestamp.create(null);
+
+  @Column(nullable = false)
+  UpdateAutoTimestamp updateTime = UpdateAutoTimestamp.create(null);
+
+  @Column(nullable = false)
+  String blockListChecksums = "";
+
+  @Column(nullable = false)
+  @Enumerated(EnumType.STRING)
+  DownloadStage stage = DOWNLOAD_BLOCK_LISTS;
+
+  BsaDownload() {}
+
+  long getJobId() {
+    return jobId;
+  }
+
+  DateTime getCreationTime() {
+    return creationTime.getTimestamp();
+  }
+
+  /**
+   * Returns a unique name of the job.
+   *
+   * <p>The returned value should be a valid GCS folder name, consisting of only lower case
+   * alphanumerics, underscore, hyphen and dot.
+   */
+  String getJobName() {
+    // Return a value based on job start time, which is unique.
+    return getCreationTime().toString().toLowerCase(Locale.ROOT).replace(":", "");
+  }
+
+  boolean isDone() {
+    return java.util.Objects.equals(stage, DONE);
+  }
+
+  DownloadStage getStage() {
+    return this.stage;
+  }
+
+  BsaDownload setStage(DownloadStage stage) {
+    this.stage = stage;
+    return this;
+  }
+
+  BsaDownload setChecksums(ImmutableMap<BlockListType, String> checksums) {
+    blockListChecksums =
+        CSV_JOINER.withKeyValueSeparator("=").join(ImmutableSortedMap.copyOf(checksums));
+    return this;
+  }
+
+  ImmutableMap<BlockListType, String> getChecksums() {
+    if (blockListChecksums.isEmpty()) {
+      return ImmutableMap.of();
+    }
+    return CSV_SPLITTER.withKeyValueSeparator('=').split(blockListChecksums).entrySet().stream()
+        .collect(
+            toImmutableMap(
+                entry -> BlockListType.valueOf(entry.getKey()), entry -> entry.getValue()));
+  }
+
+  @Override
+  public boolean equals(Object o) {
+    if (this == o) {
+      return true;
+    }
+    if (!(o instanceof BsaDownload)) {
+      return false;
+    }
+    BsaDownload that = (BsaDownload) o;
+    return Objects.equal(creationTime, that.creationTime)
+        && Objects.equal(updateTime, that.updateTime)
+        && Objects.equal(blockListChecksums, that.blockListChecksums)
+        && stage == that.stage;
+  }
+
+  @Override
+  public int hashCode() {
+    return Objects.hashCode(creationTime, updateTime, blockListChecksums, stage);
+  }
+
+  static VKey<BsaDownload> vKey(long jobId) {
+    return VKey.create(BsaDownload.class, Long.valueOf(jobId));
+  }
+}