Filter in SQL when updating/deleting alloc tokens (#2244)

This doesn't fix any issues with dead/livelocks when deleting or
updating allocation tokens, but it at least will significantly reduce
the time to load the tokens that we'll want to update/delete.

build.gradle

@@ -347,6 +347,7 @@ subprojects {
 
   def services = [':services:default',
                   ':services:backend',
+                  ':services:bsa',
                   ':services:tools',
                   ':services:pubapi']
 

console-webapp/src/app/app-routing.module.ts

@@ -28,6 +28,7 @@ import ContactComponent from './settings/contact/contact.component';
 import WhoisComponent from './settings/whois/whois.component';
 import SecurityComponent from './settings/security/security.component';
 import UsersComponent from './settings/users/users.component';
+import { DomainListComponent } from './domains/domainList.component';
 
 const routes: Routes = [
   { path: '', redirectTo: '/home', pathMatch: 'full' },
@@ -35,6 +36,11 @@ const routes: Routes = [
   { path: 'empty-registrar', component: EmptyRegistrar },
   { path: 'home', component: HomeComponent, canActivate: [RegistrarGuard] },
   { path: 'tlds', component: TldsComponent, canActivate: [RegistrarGuard] },
+  {
+    path: DomainListComponent.PATH,
+    component: DomainListComponent,
+    canActivate: [RegistrarGuard],
+  },
   {
     path: SettingsComponent.PATH,
     component: SettingsComponent,

console-webapp/src/app/app.module.ts

@@ -36,16 +36,16 @@ import { RegistrarGuard } from './registrar/registrar.guard';
 import SecurityComponent from './settings/security/security.component';
 import { MAT_FORM_FIELD_DEFAULT_OPTIONS } from '@angular/material/form-field';
 import { EmptyRegistrar } from './registrar/emptyRegistrar.component';
-import { RegistrarSelectorComponent } from './registrar/registrar-selector.component';
+import { RegistrarSelectorComponent } from './registrar/registrarSelector.component';
 import { GlobalLoaderService } from './shared/services/globalLoader.service';
-import { ContactWidgetComponent } from './home/widgets/contact-widget.component';
-import { PromotionsWidgetComponent } from './home/widgets/promotions-widget.component';
-import { TldsWidgetComponent } from './home/widgets/tlds-widget.component';
-import { ResourcesWidgetComponent } from './home/widgets/resources-widget.component';
-import { EppWidgetComponent } from './home/widgets/epp-widget.component';
-import { BillingWidgetComponent } from './home/widgets/billing-widget.component';
-import { DomainsWidgetComponent } from './home/widgets/domains-widget.component';
-import { SettingsWidgetComponent } from './home/widgets/settings-widget.component';
+import { ContactWidgetComponent } from './home/widgets/contactWidget.component';
+import { PromotionsWidgetComponent } from './home/widgets/promotionsWidget.component';
+import { TldsWidgetComponent } from './home/widgets/tldsWidget.component';
+import { ResourcesWidgetComponent } from './home/widgets/resourcesWidget.component';
+import { EppWidgetComponent } from './home/widgets/eppWidget.component';
+import { BillingWidgetComponent } from './home/widgets/billingWidget.component';
+import { DomainsWidgetComponent } from './home/widgets/domainsWidget.component';
+import { SettingsWidgetComponent } from './home/widgets/settingsWidget.component';
 import { UserDataService } from './shared/services/userData.service';
 import WhoisComponent from './settings/whois/whois.component';
 import { SnackBarModule } from './snackbar.module';
@@ -53,6 +53,7 @@ import {
   RegistrarDetailsComponent,
   RegistrarDetailsWrapperComponent,
 } from './registrar/registrarDetails.component';
+import { DomainListComponent } from './domains/domainList.component';
 
 @NgModule({
   declarations: [
@@ -60,6 +61,7 @@ import {
     BillingWidgetComponent,
     ContactDetailsDialogComponent,
     ContactWidgetComponent,
+    DomainListComponent,
     DomainsWidgetComponent,
     EmptyRegistrar,
     EppWidgetComponent,

console-webapp/src/app/domains/domainList.component.html

@@ -0,0 +1,54 @@
+<div class="console-domains">
+  <mat-form-field>
+    <mat-label>Filter</mat-label>
+    <input matInput (keyup)="applyFilter($event)" #input />
+  </mat-form-field>
+
+  <div *ngIf="isLoading; else domains_content" class="console-domains__loading">
+    <mat-progress-bar mode="indeterminate"></mat-progress-bar>
+  </div>
+  <ng-template #domains_content>
+    <table mat-table [dataSource]="dataSource" class="mat-elevation-z8">
+      <ng-container matColumnDef="domainName">
+        <th mat-header-cell *matHeaderCellDef>Domain Name</th>
+        <td mat-cell *matCellDef="let element">{{ element.domainName }}</td>
+      </ng-container>
+
+      <ng-container matColumnDef="creationTime">
+        <th mat-header-cell *matHeaderCellDef>Creation Time</th>
+        <td mat-cell *matCellDef="let element">
+          {{ element.creationTime.creationTime }}
+        </td>
+      </ng-container>
+
+      <ng-container matColumnDef="registrationExpirationTime">
+        <th mat-header-cell *matHeaderCellDef>Expiration Time</th>
+        <td mat-cell *matCellDef="let element">
+          {{ element.registrationExpirationTime }}
+        </td>
+      </ng-container>
+
+      <ng-container matColumnDef="statuses">
+        <th mat-header-cell *matHeaderCellDef>Statuses</th>
+        <td mat-cell *matCellDef="let element">{{ element.statuses }}</td>
+      </ng-container>
+
+      <tr mat-header-row *matHeaderRowDef="displayedColumns"></tr>
+      <tr mat-row *matRowDef="let row; columns: displayedColumns"></tr>
+
+      <!-- Row shown when there is no matching data. -->
+      <tr class="mat-row" *matNoDataRow>
+        <td class="mat-cell" colspan="4">No domains found</td>
+      </tr>
+    </table>
+    <mat-paginator
+      [length]="totalResults"
+      [pageIndex]="pageNumber"
+      [pageSize]="resultsPerPage"
+      [pageSizeOptions]="[10, 25, 50, 100, 500]"
+      (page)="onPageChange($event)"
+      aria-label="Select page of domain results"
+      showFirstLastButtons
+    ></mat-paginator>
+  </ng-template>
+</div>

console-webapp/src/app/domains/domainList.component.spec.ts

@@ -0,0 +1,36 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { ComponentFixture, TestBed } from '@angular/core/testing';
+
+import { DomainListComponent } from './domainList.component';
+
+describe('DomainListComponent', () => {
+  let component: DomainListComponent;
+  let fixture: ComponentFixture<DomainListComponent>;
+
+  beforeEach(async () => {
+    await TestBed.configureTestingModule({
+      declarations: [DomainListComponent],
+    }).compileComponents();
+
+    fixture = TestBed.createComponent(DomainListComponent);
+    component = fixture.componentInstance;
+    fixture.detectChanges();
+  });
+
+  it('should create', () => {
+    expect(component).toBeTruthy();
+  });
+});

console-webapp/src/app/domains/domainList.component.ts

@@ -0,0 +1,80 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Component, ViewChild } from '@angular/core';
+import { MatTableDataSource } from '@angular/material/table';
+import { BackendService } from '../shared/services/backend.service';
+import { MatPaginator, PageEvent } from '@angular/material/paginator';
+import { RegistrarService } from '../registrar/registrar.service';
+import { Domain, DomainListService } from './domainList.service';
+
+@Component({
+  selector: 'app-domain-list',
+  templateUrl: './domainList.component.html',
+  styleUrls: ['./domainList.component.scss'],
+  providers: [DomainListService],
+})
+export class DomainListComponent {
+  public static PATH = 'domain-list';
+
+  displayedColumns: string[] = [
+    'domainName',
+    'creationTime',
+    'registrationExpirationTime',
+    'statuses',
+  ];
+
+  dataSource: MatTableDataSource<Domain> = new MatTableDataSource();
+  isLoading = true;
+
+  pageNumber?: number;
+  resultsPerPage = 50;
+  totalResults?: number;
+
+  @ViewChild(MatPaginator, { static: true }) paginator!: MatPaginator;
+
+  constructor(
+    private backendService: BackendService,
+    private domainListService: DomainListService,
+    private registrarService: RegistrarService
+  ) {}
+
+  ngOnInit() {
+    this.dataSource.paginator = this.paginator;
+    this.reloadData();
+  }
+
+  reloadData() {
+    this.isLoading = true;
+    this.domainListService
+      .retrieveDomains(this.pageNumber, this.resultsPerPage, this.totalResults)
+      .subscribe((domainListResult) => {
+        this.dataSource.data = domainListResult.domains;
+        this.totalResults = domainListResult.totalResults;
+        this.isLoading = false;
+      });
+  }
+
+  /** TODO: the backend will need to accept a filter string. */
+  applyFilter(event: KeyboardEvent) {
+    // const filterValue = (event.target as HTMLInputElement).value;
+    this.reloadData();
+  }
+
+  onPageChange(event: PageEvent) {
+    this.pageNumber = event.pageIndex;
+    this.resultsPerPage = event.pageSize;
+    this.reloadData();
+  }
+}

console-webapp/src/app/domains/domainList.service.ts

@@ -0,0 +1,66 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Injectable } from '@angular/core';
+import { BackendService } from '../shared/services/backend.service';
+import { RegistrarService } from '../registrar/registrar.service';
+import { tap } from 'rxjs';
+
+export interface CreateAutoTimestamp {
+  creationTime: string;
+}
+
+export interface Domain {
+  creationTime: CreateAutoTimestamp;
+  currentSponsorRegistrarId: string;
+  domainName: string;
+  registrationExpirationTime: string;
+  statuses: string[];
+}
+
+export interface DomainListResult {
+  checkpointTime: string;
+  domains: Domain[];
+  totalResults: number;
+}
+
+@Injectable()
+export class DomainListService {
+  checkpointTime?: string;
+
+  constructor(
+    private backendService: BackendService,
+    private registrarService: RegistrarService
+  ) {}
+
+  retrieveDomains(
+    pageNumber?: number,
+    resultsPerPage?: number,
+    totalResults?: number
+  ) {
+    return this.backendService
+      .getDomains(
+        this.registrarService.activeRegistrarId,
+        this.checkpointTime,
+        pageNumber,
+        resultsPerPage,
+        totalResults
+      )
+      .pipe(
+        tap((domainListResult: DomainListResult) => {
+          this.checkpointTime = domainListResult.checkpointTime;
+        })
+      );
+  }
+}

console-webapp/src/app/home/widgets/billingWidget.component.ts

@@ -17,7 +17,7 @@ import { RegistrarService } from 'src/app/registrar/registrar.service';
 
 @Component({
   selector: '[app-billing-widget]',
-  templateUrl: './billing-widget.component.html',
+  templateUrl: './billingWidget.component.html',
 })
 export class BillingWidgetComponent {
   constructor(public registrarService: RegistrarService) {}

console-webapp/src/app/home/widgets/contactWidget.component.ts

@@ -17,7 +17,7 @@ import { UserDataService } from 'src/app/shared/services/userData.service';
 
 @Component({
   selector: '[app-contact-widget]',
-  templateUrl: './contact-widget.component.html',
+  templateUrl: './contactWidget.component.html',
 })
 export class ContactWidgetComponent {
   constructor(public userDataService: UserDataService) {}

console-webapp/src/app/home/widgets/domainsWidget.component.html

@@ -13,7 +13,12 @@
           Create a Domain
         </button>
         <p class="secondary-text">Register a new domain name</p>
-        <button mat-button color="primary" class="console-app__widget-link">
+        <button
+          mat-button
+          color="primary"
+          class="console-app__widget-link"
+          (click)="openDomainsPage()"
+        >
           View DUMs
         </button>
         <p class="secondary-text">

console-webapp/src/app/home/widgets/domainsWidget.component.ts

@@ -0,0 +1,29 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Component } from '@angular/core';
+import { Router } from '@angular/router';
+import { DomainListComponent } from 'src/app/domains/domainList.component';
+
+@Component({
+  selector: '[app-domains-widget]',
+  templateUrl: './domainsWidget.component.html',
+})
+export class DomainsWidgetComponent {
+  constructor(private router: Router) {}
+
+  openDomainsPage() {
+    this.router.navigate([DomainListComponent.PATH]);
+  }
+}

console-webapp/src/app/home/widgets/eppWidget.component.ts

@@ -16,7 +16,7 @@ import { Component } from '@angular/core';
 
 @Component({
   selector: '[app-epp-widget]',
-  templateUrl: './epp-widget.component.html',
+  templateUrl: './eppWidget.component.html',
 })
 export class EppWidgetComponent {
   constructor() {}

console-webapp/src/app/home/widgets/promotionsWidget.component.ts

@@ -16,7 +16,7 @@ import { Component } from '@angular/core';
 
 @Component({
   selector: '[app-promotions-widget]',
-  templateUrl: './promotions-widget.component.html',
+  templateUrl: './promotionsWidget.component.html',
 })
 export class PromotionsWidgetComponent {
   constructor() {}

console-webapp/src/app/home/widgets/resourcesWidget.component.ts

@@ -17,7 +17,7 @@ import { UserDataService } from 'src/app/shared/services/userData.service';
 
 @Component({
   selector: '[app-resources-widget]',
-  templateUrl: './resources-widget.component.html',
+  templateUrl: './resourcesWidget.component.html',
 })
 export class ResourcesWidgetComponent {
   constructor(public userDataService: UserDataService) {}

console-webapp/src/app/home/widgets/settingsWidget.component.ts

@@ -21,7 +21,7 @@ import { SettingsComponent } from 'src/app/settings/settings.component';
 
 @Component({
   selector: '[app-settings-widget]',
-  templateUrl: './settings-widget.component.html',
+  templateUrl: './settingsWidget.component.html',
 })
 export class SettingsWidgetComponent {
   constructor(private router: Router) {}

console-webapp/src/app/home/widgets/tldsWidget.component.ts

@@ -16,7 +16,7 @@ import { Component } from '@angular/core';
 
 @Component({
   selector: '[app-tlds-widget]',
-  templateUrl: './tlds-widget.component.html',
+  templateUrl: './tldsWidget.component.html',
 })
 export class TldsWidgetComponent {
   constructor() {}

console-webapp/src/app/registrar/registrarSelector.component.spec.ts

@@ -14,7 +14,7 @@
 
 import { ComponentFixture, TestBed } from '@angular/core/testing';
 
-import { RegistrarSelectorComponent } from './registrar-selector.component';
+import { RegistrarSelectorComponent } from './registrarSelector.component';
 
 describe('RegistrarSelectorComponent', () => {
   let component: RegistrarSelectorComponent;

console-webapp/src/app/registrar/registrarSelector.component.ts

@@ -21,8 +21,8 @@ const MOBILE_LAYOUT_BREAKPOINT = '(max-width: 599px)';
 
 @Component({
   selector: 'app-registrar-selector',
-  templateUrl: './registrar-selector.component.html',
-  styleUrls: ['./registrar-selector.component.scss'],
+  templateUrl: './registrarSelector.component.html',
+  styleUrls: ['./registrarSelector.component.scss'],
 })
 export class RegistrarSelectorComponent implements OnInit {
   protected isMobile: boolean = false;

console-webapp/src/app/settings/contact/contact.component.ts

@@ -76,7 +76,7 @@ class ContactDetailsEventsResponder {
 
 @Component({
   selector: 'app-contact-details-dialog',
-  templateUrl: 'contact-details.component.html',
+  templateUrl: 'contactDetails.component.html',
   styleUrls: ['./contact.component.scss'],
 })
 export class ContactDetailsDialogComponent {

console-webapp/src/app/shared/services/backend.service.ts

@@ -21,6 +21,7 @@ import { Contact } from '../../settings/contact/contact.service';
 import { Registrar } from '../../registrar/registrar.service';
 import { UserData } from './userData.service';
 import { WhoisRegistrarFields } from 'src/app/settings/whois/whois.service';
+import { DomainListResult } from 'src/app/domains/domainList.service';
 
 @Injectable()
 export class BackendService {
@@ -63,6 +64,31 @@ export class BackendService {
     );
   }
 
+  getDomains(
+    registrarId: string,
+    checkpointTime?: string,
+    pageNumber?: number,
+    resultsPerPage?: number,
+    totalResults?: number
+  ): Observable<DomainListResult> {
+    var url = `/console-api/domain-list?registrarId=${registrarId}`;
+    if (checkpointTime) {
+      url += `&checkpointTime=${checkpointTime}`;
+    }
+    if (pageNumber) {
+      url += `&pageNumber=${pageNumber}`;
+    }
+    if (resultsPerPage) {
+      url += `&resultsPerPage=${resultsPerPage}`;
+    }
+    if (totalResults) {
+      url += `&totalResults=${totalResults}`;
+    }
+    return this.http
+      .get<DomainListResult>(url)
+      .pipe(catchError((err) => this.errorCatcher<DomainListResult>(err)));
+  }
+
   getRegistrars(): Observable<Registrar[]> {
     return this.http
       .get<Registrar[]>('/console-api/registrars')

console-webapp/src/styles.scss

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 @use "@angular/material" as mat;
-@import "app/registrar/registrar-selector.component.scss";
+@import "app/registrar/registrarSelector.component.scss";
 
 html,
 body {

core/src/main/java/google/registry/batch/WipeOutCloudSqlAction.java

@@ -1,161 +0,0 @@
-// Copyright 2021 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.batch;
-
-import static com.google.common.net.MediaType.PLAIN_TEXT_UTF_8;
-import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;
-import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
-import static javax.servlet.http.HttpServletResponse.SC_OK;
-
-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.flogger.FluentLogger;
-import google.registry.config.RegistryEnvironment;
-import google.registry.persistence.PersistenceModule.SchemaManagerConnection;
-import google.registry.request.Action;
-import google.registry.request.Response;
-import google.registry.request.auth.Auth;
-import google.registry.util.Retrier;
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.util.function.Supplier;
-import javax.inject.Inject;
-
-/**
- * Wipes out all Cloud SQL data in a Nomulus GCP environment.
- *
- * <p>This class is created for the QA environment, where migration testing with production data
- * will happen. A regularly scheduled wipeout is a prerequisite to using production data there.
- */
-@Action(
-    service = Action.Service.BACKEND,
-    path = "/_dr/task/wipeOutCloudSql",
-    auth = Auth.AUTH_API_ADMIN)
-public class WipeOutCloudSqlAction implements Runnable {
-  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
-
-  private static final ImmutableSet<RegistryEnvironment> FORBIDDEN_ENVIRONMENTS =
-      ImmutableSet.of(RegistryEnvironment.PRODUCTION, RegistryEnvironment.SANDBOX);
-
-  private final Supplier<Connection> connectionSupplier;
-  private final Response response;
-  private final Retrier retrier;
-
-  @Inject
-  WipeOutCloudSqlAction(
-      @SchemaManagerConnection Supplier<Connection> connectionSupplier,
-      Response response,
-      Retrier retrier) {
-    this.connectionSupplier = connectionSupplier;
-    this.response = response;
-    this.retrier = retrier;
-  }
-
-  @Override
-  public void run() {
-    response.setContentType(PLAIN_TEXT_UTF_8);
-
-    if (FORBIDDEN_ENVIRONMENTS.contains(RegistryEnvironment.get())) {
-      response.setStatus(SC_FORBIDDEN);
-      response.setPayload("Wipeout is not allowed in " + RegistryEnvironment.get());
-      return;
-    }
-
-    try {
-      retrier.callWithRetry(
-          () -> {
-            try (Connection conn = connectionSupplier.get()) {
-              dropAllTables(conn, listTables(conn));
-              dropAllSequences(conn, listSequences(conn));
-            }
-            return null;
-          },
-          e -> !(e instanceof SQLException));
-      response.setStatus(SC_OK);
-      response.setPayload("Wiped out Cloud SQL in " + RegistryEnvironment.get());
-    } catch (RuntimeException e) {
-      logger.atSevere().withCause(e).log("Failed to wipe out Cloud SQL data.");
-      response.setStatus(SC_INTERNAL_SERVER_ERROR);
-      response.setPayload("Failed to wipe out Cloud SQL in " + RegistryEnvironment.get());
-    }
-  }
-
-  /** Returns a list of all tables in the public schema of a Postgresql database. */
-  static ImmutableList<String> listTables(Connection connection) throws SQLException {
-    try (ResultSet resultSet =
-        connection.getMetaData().getTables(null, null, null, new String[] {"TABLE"})) {
-      ImmutableList.Builder<String> tables = new ImmutableList.Builder<>();
-      while (resultSet.next()) {
-        String schema = resultSet.getString("TABLE_SCHEM");
-        if (schema == null || !schema.equalsIgnoreCase("public")) {
-          continue;
-        }
-        String tableName = resultSet.getString("TABLE_NAME");
-        tables.add("public.\"" + tableName + "\"");
-      }
-      return tables.build();
-    }
-  }
-
-  static void dropAllTables(Connection conn, ImmutableList<String> tables) throws SQLException {
-    if (tables.isEmpty()) {
-      return;
-    }
-
-    try (Statement statement = conn.createStatement()) {
-      for (String table : tables) {
-        statement.addBatch(String.format("DROP TABLE IF EXISTS %s CASCADE;", table));
-      }
-      for (int code : statement.executeBatch()) {
-        if (code == Statement.EXECUTE_FAILED) {
-          throw new RuntimeException("Failed to drop some tables. Please check.");
-        }
-      }
-    }
-  }
-
-  /** Returns a list of all sequences in a Postgresql database. */
-  static ImmutableList<String> listSequences(Connection conn) throws SQLException {
-    try (Statement statement = conn.createStatement();
-        ResultSet resultSet =
-            statement.executeQuery("SELECT c.relname FROM pg_class c WHERE c.relkind = 'S';")) {
-      ImmutableList.Builder<String> sequences = new ImmutableList.Builder<>();
-      while (resultSet.next()) {
-        sequences.add('\"' + resultSet.getString(1) + '\"');
-      }
-      return sequences.build();
-    }
-  }
-
-  static void dropAllSequences(Connection conn, ImmutableList<String> sequences)
-      throws SQLException {
-    if (sequences.isEmpty()) {
-      return;
-    }
-
-    try (Statement statement = conn.createStatement()) {
-      for (String sequence : sequences) {
-        statement.addBatch(String.format("DROP SEQUENCE IF EXISTS %s CASCADE;", sequence));
-      }
-      for (int code : statement.executeBatch()) {
-        if (code == Statement.EXECUTE_FAILED) {
-          throw new RuntimeException("Failed to drop some sequences. Please check.");
-        }
-      }
-    }
-  }
-}

core/src/main/java/google/registry/beam/common/RegistryJpaIO.java

@@ -209,7 +209,7 @@ public final class RegistryJpaIO {
 
       @ProcessElement
       public void processElement(OutputReceiver<T> outputReceiver) {
-        tm().transactNoRetry(
+        tm().transact(
                 () -> {
                   query.stream().map(resultMapper::apply).forEach(outputReceiver::output);
                 });

core/src/main/java/google/registry/bsa/BlockList.java

@@ -12,12 +12,10 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import { Component } from '@angular/core';
+package google.registry.bsa;
 
-@Component({
-  selector: '[app-domains-widget]',
-  templateUrl: './domains-widget.component.html',
-})
-export class DomainsWidgetComponent {
-  constructor() {}
+/** Identifiers of the BSA lists with blocking labels. */
+public enum BlockList {
+  BLOCK,
+  BLOCK_PLUS;
 }

core/src/main/java/google/registry/bsa/DownloadStage.java

@@ -0,0 +1,46 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa;
+
+/** The processing stages of a download. */
+public enum DownloadStage {
+  /** Downloads BSA block list files. */
+  DOWNLOAD,
+  /** Generates block list diffs with the previous download. */
+  MAKE_DIFF,
+  /** Applies the label diffs to the database tables. */
+  APPLY_DIFF,
+  /**
+   * Makes a REST API call to BSA endpoint, declaring that processing starts for new orders in the
+   * diffs.
+   */
+  START_UPLOADING,
+  /** Makes a REST API call to BSA endpoint, sending the domains that cannot be blocked. */
+  UPLOAD_DOMAINS_IN_USE,
+  /** Makes a REST API call to BSA endpoint, declaring the completion of order processing. */
+  FINISH_UPLOADING,
+  /** The terminal stage after processing succeeds. */
+  DONE,
+  /**
+   * The terminal stage indicating that the downloads are discarded because their checksums are the
+   * same as that of the previous download.
+   */
+  NOP,
+  /**
+   * The terminal stage indicating that the downloads are not processed because their BSA-generated
+   * checksums do not match those calculated by us.
+   */
+  CHECKSUMS_NOT_MATCH;
+}

core/src/main/java/google/registry/bsa/IdnChecker.java

@@ -0,0 +1,108 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa;
+
+import static com.google.common.collect.ImmutableSet.toImmutableSet;
+import static com.google.common.collect.Maps.transformValues;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableMultimap;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Sets;
+import com.google.common.collect.Sets.SetView;
+import google.registry.model.tld.Tld;
+import google.registry.model.tld.Tld.TldType;
+import google.registry.model.tld.Tlds;
+import google.registry.tldconfig.idn.IdnLabelValidator;
+import google.registry.tldconfig.idn.IdnTableEnum;
+import google.registry.util.Clock;
+import javax.inject.Inject;
+import org.joda.time.DateTime;
+
+/**
+ * Checks labels' validity wrt Idns in TLDs enrolled with BSA.
+ *
+ * <p>Each instance takes a snapshot of the TLDs at instantiation time, and should be limited to the
+ * Request scope.
+ */
+public class IdnChecker {
+  private static final IdnLabelValidator IDN_LABEL_VALIDATOR = new IdnLabelValidator();
+
+  private final ImmutableMap<IdnTableEnum, ImmutableSet<Tld>> idnToTlds;
+  private final ImmutableSet<Tld> allTlds;
+
+  @Inject
+  IdnChecker(Clock clock) {
+    this.idnToTlds = getIdnToTldMap(clock.nowUtc());
+    allTlds = idnToTlds.values().stream().flatMap(ImmutableSet::stream).collect(toImmutableSet());
+  }
+
+  // TODO(11/30/2023): Remove below when new Tld schema is deployed and the `getBsaEnrollStartTime`
+  // method is no longer hardcoded.
+  @VisibleForTesting
+  IdnChecker(ImmutableMap<IdnTableEnum, ImmutableSet<Tld>> idnToTlds) {
+    this.idnToTlds = idnToTlds;
+    allTlds = idnToTlds.values().stream().flatMap(ImmutableSet::stream).collect(toImmutableSet());
+  }
+
+  /** Returns all IDNs in which the {@code label} is valid. */
+  ImmutableSet<IdnTableEnum> getAllValidIdns(String label) {
+    return idnToTlds.keySet().stream()
+        .filter(idnTable -> idnTable.getTable().isValidLabel(label))
+        .collect(toImmutableSet());
+  }
+
+  /**
+   * Returns the TLDs that support at least one IDN in the {@code idnTables}.
+   *
+   * @param idnTables String names of {@link IdnTableEnum} values
+   */
+  public ImmutableSet<Tld> getSupportingTlds(ImmutableSet<String> idnTables) {
+    return idnTables.stream()
+        .map(IdnTableEnum::valueOf)
+        .filter(idnToTlds::containsKey)
+        .map(idnToTlds::get)
+        .flatMap(ImmutableSet::stream)
+        .collect(toImmutableSet());
+  }
+
+  /**
+   * Returns the TLDs that do not support any IDN in the {@code idnTables}.
+   *
+   * @param idnTables String names of {@link IdnTableEnum} values
+   */
+  public SetView<Tld> getForbiddingTlds(ImmutableSet<String> idnTables) {
+    return Sets.difference(allTlds, getSupportingTlds(idnTables));
+  }
+
+  private static boolean isEnrolledWithBsa(Tld tld, DateTime now) {
+    DateTime enrollTime = tld.getBsaEnrollStartTime();
+    return enrollTime != null && enrollTime.isBefore(now);
+  }
+
+  private static ImmutableMap<IdnTableEnum, ImmutableSet<Tld>> getIdnToTldMap(DateTime now) {
+    ImmutableMultimap.Builder<IdnTableEnum, Tld> idnToTldMap = new ImmutableMultimap.Builder();
+    Tlds.getTldEntitiesOfType(TldType.REAL).stream()
+        .filter(tld -> isEnrolledWithBsa(tld, now))
+        .forEach(
+            tld -> {
+              for (IdnTableEnum idn : IDN_LABEL_VALIDATOR.getIdnTablesForTld(tld)) {
+                idnToTldMap.put(idn, tld);
+              }
+            });
+    return ImmutableMap.copyOf(transformValues(idnToTldMap.build().asMap(), ImmutableSet::copyOf));
+  }
+}

core/src/main/java/google/registry/bsa/PlaceholderAction.java

@@ -0,0 +1,45 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa;
+
+import static javax.servlet.http.HttpServletResponse.SC_OK;
+
+import google.registry.request.Action;
+import google.registry.request.Action.Service;
+import google.registry.request.Response;
+import google.registry.request.auth.Auth;
+import javax.inject.Inject;
+
+@Action(
+    service = Service.BSA,
+    path = PlaceholderAction.PATH,
+    method = Action.Method.GET,
+    auth = Auth.AUTH_API_ADMIN)
+public class PlaceholderAction implements Runnable {
+  private final Response response;
+
+  static final String PATH = "/_dr/task/bsaDownload";
+
+  @Inject
+  public PlaceholderAction(Response response) {
+    this.response = response;
+  }
+
+  @Override
+  public void run() {
+    response.setStatus(SC_OK);
+    response.setPayload("Hello World");
+  }
+}

core/src/main/java/google/registry/bsa/persistence/BsaDomainInUse.java

@@ -0,0 +1,102 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.persistence;
+
+import com.google.common.base.Objects;
+import google.registry.bsa.persistence.BsaDomainInUse.BsaDomainInUseId;
+import google.registry.model.CreateAutoTimestamp;
+import google.registry.persistence.VKey;
+import java.io.Serializable;
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
+import javax.persistence.Id;
+import javax.persistence.IdClass;
+
+/** A domain matching a BSA label but is in use (registered or reserved), so cannot be blocked. */
+@Entity
+@IdClass(BsaDomainInUseId.class)
+public class BsaDomainInUse {
+  @Id String label;
+  @Id String tld;
+
+  @Column(nullable = false)
+  @Enumerated(EnumType.STRING)
+  Reason reason;
+
+  /**
+   * Creation time of this record, which is the most recent time when the domain was detected to be
+   * in use wrt BSA. It may be during the processing of a download, or during some other job that
+   * refreshes the state.
+   *
+   * <p>This field is for information only.
+   */
+  @SuppressWarnings("unused")
+  @Column(nullable = false)
+  CreateAutoTimestamp createTime = CreateAutoTimestamp.create(null);
+
+  // For Hibernate
+  BsaDomainInUse() {}
+
+  public BsaDomainInUse(String label, String tld, Reason reason) {
+    this.label = label;
+    this.tld = tld;
+    this.reason = reason;
+  }
+
+  @Override
+  public boolean equals(Object o) {
+    if (this == o) {
+      return true;
+    }
+    if (!(o instanceof BsaDomainInUse)) {
+      return false;
+    }
+    BsaDomainInUse that = (BsaDomainInUse) o;
+    return Objects.equal(label, that.label)
+        && Objects.equal(tld, that.tld)
+        && reason == that.reason
+        && Objects.equal(createTime, that.createTime);
+  }
+
+  @Override
+  public int hashCode() {
+    return Objects.hashCode(label, tld, reason, createTime);
+  }
+
+  enum Reason {
+    REGISTERED,
+    RESERVED;
+  }
+
+  static class BsaDomainInUseId implements Serializable {
+
+    private String label;
+    private String tld;
+
+    // For Hibernate
+    BsaDomainInUseId() {}
+
+    BsaDomainInUseId(String label, String tld) {
+      this.label = label;
+      this.tld = tld;
+    }
+  }
+
+  static VKey<BsaDomainInUse> vKey(String label, String tld) {
+    return VKey.create(BsaDomainInUse.class, new BsaDomainInUseId(label, tld));
+  }
+}

core/src/main/java/google/registry/bsa/persistence/BsaDownload.java

@@ -0,0 +1,131 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.persistence;
+
+import static com.google.common.collect.ImmutableMap.toImmutableMap;
+import static google.registry.bsa.DownloadStage.DOWNLOAD;
+
+import com.google.common.base.Joiner;
+import com.google.common.base.Objects;
+import com.google.common.base.Splitter;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSortedMap;
+import google.registry.bsa.BlockList;
+import google.registry.bsa.DownloadStage;
+import google.registry.model.CreateAutoTimestamp;
+import google.registry.model.UpdateAutoTimestamp;
+import google.registry.persistence.VKey;
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Index;
+import javax.persistence.Table;
+import org.joda.time.DateTime;
+
+/** Records of ongoing and completed download jobs. */
+@Entity
+@Table(indexes = {@Index(columnList = "creationTime")})
+public class BsaDownload {
+
+  private static final Joiner CSV_JOINER = Joiner.on(',');
+  private static final Splitter CSV_SPLITTER = Splitter.on(',');
+
+  @Id
+  @GeneratedValue(strategy = GenerationType.IDENTITY)
+  Long jobId;
+
+  @Column(nullable = false)
+  CreateAutoTimestamp creationTime = CreateAutoTimestamp.create(null);
+
+  @Column(nullable = false)
+  UpdateAutoTimestamp updateTime = UpdateAutoTimestamp.create(null);
+
+  @Column(nullable = false)
+  String blockListChecksums = "";
+
+  @Column(nullable = false)
+  @Enumerated(EnumType.STRING)
+  DownloadStage stage = DOWNLOAD;
+
+  BsaDownload() {}
+
+  long getJobId() {
+    return jobId;
+  }
+
+  DateTime getCreationTime() {
+    return creationTime.getTimestamp();
+  }
+
+  /**
+   * Returns the starting time of this job as a string, which can be used as folder name on GCS when
+   * storing download data.
+   */
+  public String getJobName() {
+    return getCreationTime().toString();
+  }
+
+  public DownloadStage getStage() {
+    return this.stage;
+  }
+
+  BsaDownload setStage(DownloadStage stage) {
+    this.stage = stage;
+    return this;
+  }
+
+  BsaDownload setChecksums(ImmutableMap<BlockList, String> checksums) {
+    blockListChecksums =
+        CSV_JOINER.withKeyValueSeparator("=").join(ImmutableSortedMap.copyOf(checksums));
+    return this;
+  }
+
+  ImmutableMap<BlockList, String> getChecksums() {
+    if (blockListChecksums.isEmpty()) {
+      return ImmutableMap.of();
+    }
+    return CSV_SPLITTER.withKeyValueSeparator('=').split(blockListChecksums).entrySet().stream()
+        .collect(
+            toImmutableMap(entry -> BlockList.valueOf(entry.getKey()), entry -> entry.getValue()));
+  }
+
+  @Override
+  public boolean equals(Object o) {
+    if (this == o) {
+      return true;
+    }
+    if (!(o instanceof BsaDownload)) {
+      return false;
+    }
+    BsaDownload that = (BsaDownload) o;
+    return Objects.equal(creationTime, that.creationTime)
+        && Objects.equal(updateTime, that.updateTime)
+        && Objects.equal(blockListChecksums, that.blockListChecksums)
+        && stage == that.stage;
+  }
+
+  @Override
+  public int hashCode() {
+    return Objects.hashCode(creationTime, updateTime, blockListChecksums, stage);
+  }
+
+  static VKey<BsaDownload> vKey(long jobId) {
+    return VKey.create(BsaDownload.class, Long.valueOf(jobId));
+  }
+}

core/src/main/java/google/registry/bsa/persistence/BsaLabel.java

@@ -0,0 +1,79 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.persistence;
+
+import com.google.common.base.Objects;
+import google.registry.persistence.VKey;
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.Id;
+import org.joda.time.DateTime;
+
+/**
+ * Specifies a second-level TLD name that should be blocked from registration in all TLDs except by
+ * the label's owner.
+ *
+ * <p>The label is valid (wrt IDN) in at least one TLD.
+ */
+@Entity
+public final class BsaLabel {
+
+  @Id String label;
+
+  /**
+   * Creation time of this label. This field is for human use, and should give the name of the GCS
+   * folder that contains the downloaded BSA data.
+   *
+   * <p>See {@link BsaDownload#getCreationTime} and {@link BsaDownload#getJobName} for more
+   * information.
+   */
+  @SuppressWarnings("unused")
+  @Column(nullable = false)
+  DateTime creationTime;
+
+  // For Hibernate.
+  BsaLabel() {}
+
+  BsaLabel(String label, DateTime creationTime) {
+    this.label = label;
+    this.creationTime = creationTime;
+  }
+
+  /** Returns the label to be blocked. */
+  public String getLabel() {
+    return label;
+  }
+
+  @Override
+  public boolean equals(Object o) {
+    if (this == o) {
+      return true;
+    }
+    if (!(o instanceof BsaLabel)) {
+      return false;
+    }
+    BsaLabel label1 = (BsaLabel) o;
+    return Objects.equal(label, label1.label) && Objects.equal(creationTime, label1.creationTime);
+  }
+
+  @Override
+  public int hashCode() {
+    return Objects.hashCode(label, creationTime);
+  }
+
+  static VKey<BsaLabel> vKey(String label) {
+    return VKey.create(BsaLabel.class, label);
+  }
+}

core/src/main/java/google/registry/bsa/persistence/DownloadSchedule.java

@@ -0,0 +1,73 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.persistence;
+
+import com.google.auto.value.AutoValue;
+import com.google.common.collect.ImmutableMap;
+import google.registry.bsa.BlockList;
+import google.registry.bsa.DownloadStage;
+import java.util.Optional;
+
+/** Information needed when handling a download from BSA. */
+@AutoValue
+public abstract class DownloadSchedule {
+
+  abstract long jobId();
+
+  public abstract String jobName();
+
+  public abstract DownloadStage stage();
+
+  /** The most recent job that ended in the {@code DONE} stage. */
+  public abstract Optional<CompletedJob> latestCompleted();
+
+  /**
+   * Returns true if download should be processed even if the checksums show that it has not changed
+   * from the previous one.
+   */
+  abstract boolean alwaysDownload();
+
+  static DownloadSchedule of(BsaDownload currentJob) {
+    return new AutoValue_DownloadSchedule(
+        currentJob.getJobId(),
+        currentJob.getJobName(),
+        currentJob.getStage(),
+        Optional.empty(),
+        /* alwaysDownload= */ true);
+  }
+
+  static DownloadSchedule of(
+      BsaDownload currentJob, CompletedJob latestCompleted, boolean alwaysDownload) {
+    return new AutoValue_DownloadSchedule(
+        currentJob.getJobId(),
+        currentJob.getJobName(),
+        currentJob.getStage(),
+        Optional.of(latestCompleted),
+        /* alwaysDownload= */ alwaysDownload);
+  }
+
+  /** Information about a completed BSA download job. */
+  @AutoValue
+  public abstract static class CompletedJob {
+    public abstract String jobName();
+
+    public abstract ImmutableMap<BlockList, String> checksums();
+
+    static CompletedJob of(BsaDownload completedJob) {
+      return new AutoValue_DownloadSchedule_CompletedJob(
+          completedJob.getJobName(), completedJob.getChecksums());
+    }
+  }
+}

core/src/main/java/google/registry/bsa/persistence/DownloadScheduler.java

@@ -0,0 +1,131 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.persistence;
+
+import static com.google.common.base.Verify.verify;
+import static google.registry.bsa.DownloadStage.CHECKSUMS_NOT_MATCH;
+import static google.registry.bsa.DownloadStage.DONE;
+import static google.registry.bsa.DownloadStage.NOP;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+import static org.joda.time.Duration.standardSeconds;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.collect.ImmutableList;
+import google.registry.bsa.persistence.DownloadSchedule.CompletedJob;
+import google.registry.util.Clock;
+import java.util.Optional;
+import javax.inject.Inject;
+import org.joda.time.Duration;
+
+/**
+ * Assigns work for each cron invocation of the BSA Download job.
+ *
+ * <p>The download job is invoked at a divisible fraction of the desired data freshness to
+ * accommodate potential retries. E.g., for 30-minute data freshness with up to two retries on
+ * error, the cron schedule for the job should be set to 10 minutes.
+ *
+ * <p>The processing of each BSA download progresses through multiple stages as described in {@code
+ * DownloadStage} until it reaches one of the terminal stages. Each stage is check-pointed on
+ * completion, therefore if an invocation fails mid-process, the next invocation will skip the
+ * completed stages. No new downloads will start as long as the most recent one is still being
+ * processed.
+ *
+ * <p>When a new download is scheduled, the block list checksums from the most recent completed job
+ * is included. If the new checksums match the previous ones, the download may be skipped and the
+ * job should terminate in the {@code NOP} stage. However, if the checksums have stayed unchanged
+ * for longer than the user-provided {@code maxNopInterval}, the download will be processed.
+ *
+ * <p>The BSA downloads contains server-provided checksums. If they do not match the checksums
+ * generated on Nomulus' side, the download is skipped and the job should terminate in the {@code
+ * CHECKSUMS_NOT_MATCH} stage.
+ */
+public final class DownloadScheduler {
+
+  /** Allows a new download to proceed if the cron job fires a little early due to NTP drift. */
+  private static final Duration CRON_JITTER = standardSeconds(5);
+
+  private final Duration downloadInterval;
+  private final Duration maxNopInterval;
+  private final Clock clock;
+
+  @Inject
+  DownloadScheduler(Duration downloadInterval, Duration maxNopInterval, Clock clock) {
+    this.downloadInterval = downloadInterval;
+    this.maxNopInterval = maxNopInterval;
+    this.clock = clock;
+  }
+
+  /**
+   * Returns a {@link DownloadSchedule} instance that describes the work to be performed by an
+   * invocation of the download action, if applicable; or {@link Optional#empty} when there is
+   * nothing to do.
+   */
+  public Optional<DownloadSchedule> schedule() {
+    return tm().transact(
+            () -> {
+              ImmutableList<BsaDownload> recentJobs = loadRecentProcessedJobs();
+              if (recentJobs.isEmpty()) {
+                // No jobs initiated ever.
+                return Optional.of(scheduleNewJob(Optional.empty()));
+              }
+              BsaDownload mostRecent = recentJobs.get(0);
+              if (mostRecent.getStage().equals(DONE)) {
+                return isTimeAgain(mostRecent, downloadInterval)
+                    ? Optional.of(scheduleNewJob(Optional.of(mostRecent)))
+                    : Optional.empty();
+              } else if (recentJobs.size() == 1) {
+                // First job ever, still in progress
+                return Optional.of(DownloadSchedule.of(recentJobs.get(0)));
+              } else {
+                // Job in progress, with completed previous jobs.
+                BsaDownload prev = recentJobs.get(1);
+                verify(prev.getStage().equals(DONE), "Unexpectedly found two ongoing jobs.");
+                return Optional.of(
+                    DownloadSchedule.of(
+                        mostRecent,
+                        CompletedJob.of(prev),
+                        isTimeAgain(mostRecent, maxNopInterval)));
+              }
+            });
+  }
+
+  private boolean isTimeAgain(BsaDownload mostRecent, Duration interval) {
+    return mostRecent.getCreationTime().plus(interval).minus(CRON_JITTER).isBefore(clock.nowUtc());
+  }
+
+  /**
+   * Adds a new {@link BsaDownload} to the database and returns a {@link DownloadSchedule} for it.
+   */
+  private DownloadSchedule scheduleNewJob(Optional<BsaDownload> prevJob) {
+    BsaDownload job = new BsaDownload();
+    tm().insert(job);
+    return prevJob
+        .map(
+            prev ->
+                DownloadSchedule.of(job, CompletedJob.of(prev), isTimeAgain(prev, maxNopInterval)))
+        .orElseGet(() -> DownloadSchedule.of(job));
+  }
+
+  @VisibleForTesting
+  ImmutableList<BsaDownload> loadRecentProcessedJobs() {
+    return ImmutableList.copyOf(
+        tm().getEntityManager()
+            .createQuery(
+                "FROM BsaDownload WHERE stage NOT IN :nop_stages ORDER BY creationTime DESC")
+            .setParameter("nop_stages", ImmutableList.of(CHECKSUMS_NOT_MATCH, NOP))
+            .setMaxResults(2)
+            .getResultList());
+  }
+}

core/src/main/java/google/registry/config/RegistryConfig.java

@@ -28,6 +28,7 @@ import com.google.common.base.Ascii;
 import com.google.common.base.Splitter;
 import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.ImmutableSortedMap;
 import dagger.Module;
@@ -1191,6 +1192,12 @@ public final class RegistryConfig {
       return config.auth.oauthClientId;
     }
 
+    @Provides
+    @Config("fallbackOauthClientId")
+    public static String provideFallbackOauthClientId(RegistryConfigSettings config) {
+      return config.auth.fallbackOauthClientId;
+    }
+
     /**
      * Provides the OAuth scopes required for accessing Google APIs using the default credential.
      */
@@ -1390,6 +1397,86 @@ public final class RegistryConfig {
       return config.bulkPricingPackageMonitoring.bulkPricingPackageDomainLimitUpgradeEmailBody;
     }
 
+    @Provides
+    @Config("bsaGcsBucket")
+    public static String provideBsaGcsBucket(@Config("projectId") String projectId) {
+      return projectId + "-bsa";
+    }
+
+    @Provides
+    @Config("bsaChecksumAlgorithm")
+    public static String provideBsaChecksumAlgorithm(RegistryConfigSettings config) {
+      return config.bsa.bsaChecksumAlgorithm;
+    }
+
+    @Provides
+    @Config("bsaLockLeaseExpiry")
+    public static Duration provideBsaLockLeaseExpiry(RegistryConfigSettings config) {
+      return Duration.standardMinutes(config.bsa.bsaLockLeaseExpiryMinutes);
+    }
+
+    /** Returns the desired interval between successive BSA downloads. */
+    @Provides
+    @Config("bsaDownloadInterval")
+    public static Duration provideBsaDownloadInterval(RegistryConfigSettings config) {
+      return Duration.standardMinutes(config.bsa.bsaDownloadIntervalMinutes);
+    }
+
+    /**
+     * Returns the maximum period when a BSA download can be skipped due to the checksum-based
+     * equality check with the previous download.
+     */
+    @Provides
+    @Config("bsaMaxNopInterval")
+    public static Duration provideBsaMaxNopInterval(RegistryConfigSettings config) {
+      return Duration.standardHours(config.bsa.bsaMaxNopIntervalHours);
+    }
+
+    @Provides
+    @Config("bsaLabelTxnBatchSize")
+    public static int provideBsaLabelTxnBatchSize(RegistryConfigSettings config) {
+      return config.bsa.bsaLabelTxnBatchSize;
+    }
+
+    @Provides
+    @Config("bsaAuthUrl")
+    public static String provideBsaAuthUrl(RegistryConfigSettings config) {
+      return config.bsa.authUrl;
+    }
+
+    @Provides
+    @Config("bsaAuthTokenExpiry")
+    public static Duration provideBsaAuthTokenExpiry(RegistryConfigSettings config) {
+      return Duration.standardSeconds(config.bsa.authTokenExpirySeconds);
+    }
+
+    @Provides
+    @Config("bsaDataUrls")
+    public static ImmutableMap<String, String> provideBsaDataUrls(RegistryConfigSettings config) {
+      return ImmutableMap.copyOf(config.bsa.dataUrls);
+    }
+
+    /** Provides the BSA Http endpoint for reporting order processing status. */
+    @Provides
+    @Config("bsaOrderStatusUrl")
+    public static String provideBsaOrderStatusUrls(RegistryConfigSettings config) {
+      return config.bsa.orderStatusUrl;
+    }
+
+    /** Provides the BSA Http endpoint for reporting new unblockable domains. */
+    @Provides
+    @Config("bsaAddUnblockableDomainsUrl")
+    public static String provideBsaAddUnblockableDomainsUrls(RegistryConfigSettings config) {
+      return String.format("%s?%s", config.bsa.unblockableDomainsUrl, "action=add");
+    }
+
+    /** Provides the BSA Http endpoint for reporting domains that have become blockable. */
+    @Provides
+    @Config("bsaRemoveUnblockableDomainsUrl")
+    public static String provideBsaRemoveUnblockableDomainsUrls(RegistryConfigSettings config) {
+      return String.format("%s?%s", config.bsa.unblockableDomainsUrl, "action=remove");
+    }
+
     private static String formatComments(String text) {
       return Splitter.on('\n').omitEmptyStrings().trimResults().splitToList(text).stream()
           .map(s -> "# " + s)
@@ -1433,6 +1520,15 @@ public final class RegistryConfig {
     return makeUrl(CONFIG_SETTINGS.get().gcpProject.backendServiceUrl);
   }
 
+  /**
+   * Returns the address of the Nomulus app bsa HTTP server.
+   *
+   * <p>This is used by the {@code nomulus} tool to connect to the App Engine remote API.
+   */
+  public static URL getBsaServer() {
+    return makeUrl(CONFIG_SETTINGS.get().gcpProject.bsaServiceUrl);
+  }
+
   /**
    * Returns the address of the Nomulus app tools HTTP server.
    *
@@ -1529,9 +1625,9 @@ public final class RegistryConfig {
     return CONFIG_SETTINGS.get().hibernate.connectionIsolation;
   }
 
-  /** Returns true if per-transaction isolation level is enabled. */
-  public static boolean getHibernatePerTransactionIsolationEnabled() {
-    return CONFIG_SETTINGS.get().hibernate.perTransactionIsolation;
+  /** Returns true if nested calls to {@code tm().transact()} are allowed. */
+  public static boolean getHibernateAllowNestedTransactions() {
+    return CONFIG_SETTINGS.get().hibernate.allowNestedTransactions;
   }
 
   /** Returns true if hibernate.show_sql is enabled. */

core/src/main/java/google/registry/config/RegistryConfigSettings.java

@@ -43,6 +43,7 @@ public class RegistryConfigSettings {
   public ContactHistory contactHistory;
   public DnsUpdate dnsUpdate;
   public BulkPricingPackageMonitoring bulkPricingPackageMonitoring;
+  public Bsa bsa;
 
   /** Configuration options that apply to the entire GCP project. */
   public static class GcpProject {
@@ -52,6 +53,7 @@ public class RegistryConfigSettings {
     public boolean isLocal;
     public String defaultServiceUrl;
     public String backendServiceUrl;
+    public String bsaServiceUrl;
     public String toolsServiceUrl;
     public String pubapiServiceUrl;
   }
@@ -60,6 +62,7 @@ public class RegistryConfigSettings {
   public static class Auth {
     public List<String> allowedServiceAccountEmails;
     public String oauthClientId;
+    public String fallbackOauthClientId;
   }
 
   /** Configuration options for accessing Google APIs. */
@@ -112,7 +115,7 @@ public class RegistryConfigSettings {
 
   /** Configuration for Hibernate. */
   public static class Hibernate {
-    public boolean perTransactionIsolation;
+    public boolean allowNestedTransactions;
     public String connectionIsolation;
     public String logSqlQueries;
     public String hikariConnectionTimeout;
@@ -261,4 +264,18 @@ public class RegistryConfigSettings {
     public String bulkPricingPackageDomainLimitUpgradeEmailSubject;
     public String bulkPricingPackageDomainLimitUpgradeEmailBody;
   }
+
+  /** Configurations for integration with Brand Safety Alliance (BSA) API. */
+  public static class Bsa {
+    public String bsaChecksumAlgorithm;
+    public int bsaLockLeaseExpiryMinutes;
+    public int bsaDownloadIntervalMinutes;
+    public int bsaMaxNopIntervalHours;
+    public int bsaLabelTxnBatchSize;
+    public String authUrl;
+    public int authTokenExpirySeconds;
+    public Map<String, String> dataUrls;
+    public String orderStatusUrl;
+    public String unblockableDomainsUrl;
+  }
 }

core/src/main/java/google/registry/config/files/default-config.yaml

@@ -20,9 +20,11 @@ gcpProject:
   # URLs of the services for the project.
   defaultServiceUrl: https://default.example.com
   backendServiceUrl: https://backend.example.com
+  bsaServiceUrl: https://bsa.example.com
   toolsServiceUrl: https://tools.example.com
   pubapiServiceUrl: https://pubapi.example.com
 
+
 gSuite:
   # Publicly accessible domain name of the running G Suite instance.
   domainName: domain-registry.example
@@ -189,11 +191,13 @@ registryPolicy:
   sunriseDomainCreateDiscount: 0.15
 
 hibernate:
-  # Make it possible to specify the isolation level for each transaction. If set
-  # to true, nested transactions will throw an exception. If set to false, a
-  # transaction with the isolation override specified will still execute at the
-  # default level (specified below).
-  perTransactionIsolation: true
+  # If set to false, calls to tm().transact() cannot be nested. If set to true,
+  # nested calls to tm().transact() are allowed, as long as they do not specify
+  # a transaction isolation level override. These nested transactions should
+  # either be refactored to non-nested transactions, or changed to
+  # tm().reTransact(), which explicitly allows nested transactions, but does not
+  # allow setting an isolation level override.
+  allowNestedTransactions: true
 
   # Make 'SERIALIZABLE' the default isolation level to ensure correctness.
   #
@@ -319,6 +323,10 @@ auth:
   # the same as this one.
   oauthClientId: iap-oauth-clientid
 
+  # Same as above, but serve as a fallback, so we can switch the client ID of
+  # the proxy without downtime.
+  fallbackOauthClientId: fallback-oauth-clientid
+
 credentialOAuth:
   # OAuth scopes required for accessing Google APIs using the default
   # credential.
@@ -598,3 +606,18 @@ bulkPricingPackageMonitoring:
     Registrar: %3$s
     Active Domain Limit: %4$s
     Current Active Domains: %5$s
+
+# Configurations for integration with Brand Safety Alliance (BSA) API
+bsa:
+  # Http endpoint for acquiring Auth tokens.
+  authUrl: "https://"
+  # Auth token expiry.
+  authTokenExpirySeconds: 1800
+  # Http endpoints for downloading data
+  dataUrls:
+    "BLOCK": "https://"
+    "BLOCK_PLUS": "https://"
+  # Http endpoint for reporting order processing status
+  orderStatusUrl: "https://"
+  # Http endpoint for reporting changes in the set of unblockable domains.
+  unblockableDomainsUrl: "https://"

core/src/main/java/google/registry/env/alpha/backend/WEB-INF/appengine-web.xml

@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
 
-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
   <service>backend</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4</instance-class>
   <basic-scaling>

core/src/main/java/google/registry/env/alpha/bsa/WEB-INF/appengine-web.xml

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
+
+  <runtime>java17</runtime>
+  <service>bsa</service>
+  <app-engine-apis>true</app-engine-apis>
+  <sessions-enabled>true</sessions-enabled>
+  <instance-class>B4</instance-class>
+  <basic-scaling>
+    <max-instances>100</max-instances>
+    <idle-timeout>10m</idle-timeout>
+  </basic-scaling>
+
+  <system-properties>
+    <property name="java.util.logging.config.file"
+              value="WEB-INF/logging.properties"/>
+    <property name="google.registry.environment"
+              value="alpha"/>
+  </system-properties>
+
+
+  <!-- Enable external traffic to go through VPC, required for static ip -->
+  <vpc-access-connector>
+    <name>projects/domain-registry-alpha/locations/us-central1/connectors/appengine-connector</name>
+    <egress-setting>all-traffic</egress-setting>
+  </vpc-access-connector>
+
+  <static-files>
+    <include path="/*.html" expiration="1m"/>
+  </static-files>
+</appengine-web-app>

core/src/main/java/google/registry/env/alpha/default/WEB-INF/appengine-web.xml

@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
 
-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
   <service>default</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4</instance-class>
   <basic-scaling>

core/src/main/java/google/registry/env/alpha/pubapi/WEB-INF/appengine-web.xml

@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
 
-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
   <service>pubapi</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4</instance-class>
   <basic-scaling>

core/src/main/java/google/registry/env/alpha/tools/WEB-INF/appengine-web.xml

@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
 
-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
   <service>tools</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4</instance-class>
   <basic-scaling>

core/src/main/java/google/registry/env/common/META-INF/application.xml

@@ -31,6 +31,12 @@ encoding="UTF-8"?>
       <context-root>backend</context-root>
     </web>
   </module>
+  <module>
+    <web>
+      <web-uri>bsa</web-uri>
+      <context-root>bsa</context-root>
+    </web>
+  </module>
   <module>
     <web>
       <web-uri>tools</web-uri>

core/src/main/java/google/registry/env/common/bsa/WEB-INF/logging.properties

@@ -0,0 +1,17 @@
+# A default java.util.logging configuration.
+# (All App Engine logging is through java.util.logging by default).
+#
+# To use this configuration, copy it into your application's WEB-INF
+# folder and add the following to your appengine-web.xml:
+#
+# <system-properties>
+#   <property name="java.util.logging.config.file" value="WEB-INF/logging.properties"/>
+# </system-properties>
+#
+
+# Set the default logging level for all loggers to INFO.
+.level = INFO
+
+# Turn off logging in Hibernate classes for misleading ERROR-level logs
+org.hibernate.engine.jdbc.batch.internal.BatchingBatch.level=OFF
+org.hibernate.engine.jdbc.spi.SqlExceptionHelper.level=OFF

core/src/main/java/google/registry/env/common/bsa/WEB-INF/web.xml

@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
+                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
+  <!-- Servlets -->
+
+  <!-- Servlet for injected backends actions -->
+  <servlet>
+    <display-name>BsaServlet</display-name>
+    <servlet-name>bsa-servlet</servlet-name>
+    <servlet-class>google.registry.module.bsa.BsaServlet</servlet-class>
+    <load-on-startup>1</load-on-startup>
+  </servlet>
+
+  <!-- Test action -->
+  <servlet-mapping>
+    <servlet-name>bsa-servlet</servlet-name>
+    <url-pattern>/_dr/task/bsaDownload</url-pattern>
+  </servlet-mapping>
+
+  <!-- Security config -->
+  <security-constraint>
+    <web-resource-collection>
+      <web-resource-name>Internal</web-resource-name>
+      <description>
+        Admin-only internal section. Requests for paths covered by the URL patterns below will be
+        checked for a logged-in user account that's allowed to access the AppEngine admin console
+        (NOTE: this includes Editor/Viewer permissions in addition to Owner and the new IAM
+        App Engine Admin role. See https://cloud.google.com/appengine/docs/java/access-control
+        specifically the "Access handlers that have a login:admin restriction" line.)
+
+        TODO(b/28219927): lift some of these restrictions so that we can allow OAuth authentication
+        for endpoints that need to be accessed by open-source automated processes.
+      </description>
+
+      <!-- Internal AppEngine endpoints.  The '_ah' is short for app hosting.  -->
+      <url-pattern>/_ah/*</url-pattern>
+
+      <!-- Registrar console (should not be available on non-default module). -->
+      <url-pattern>/registrar*</url-pattern>
+
+      <!-- Verbatim JavaScript sources (only visible to admins for debugging). -->
+      <url-pattern>/assets/sources/*</url-pattern>
+
+    </web-resource-collection>
+    <auth-constraint>
+      <role-name>admin</role-name>
+    </auth-constraint>
+
+    <!-- Repeated here since catch-all rule below is not inherited. -->
+    <user-data-constraint>
+      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+    </user-data-constraint>
+  </security-constraint>
+
+  <!-- Require TLS on all requests. -->
+  <security-constraint>
+    <web-resource-collection>
+      <web-resource-name>Secure</web-resource-name>
+      <description>
+        Require encryption for all paths. http URLs will be redirected to https.
+      </description>
+      <url-pattern>/*</url-pattern>
+    </web-resource-collection>
+    <user-data-constraint>
+      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+    </user-data-constraint>
+  </security-constraint>
+</web-app>

core/src/main/java/google/registry/env/crash/backend/WEB-INF/appengine-web.xml

@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
 
-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
   <service>backend</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4</instance-class>
   <basic-scaling>

core/src/main/java/google/registry/env/crash/bsa/WEB-INF/appengine-web.xml

@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
+
+  <runtime>java17</runtime>
+  <service>bsa</service>
+  <app-engine-apis>true</app-engine-apis>
+  <sessions-enabled>true</sessions-enabled>
+  <instance-class>B4</instance-class>
+  <basic-scaling>
+    <max-instances>10</max-instances>
+    <idle-timeout>10m</idle-timeout>
+  </basic-scaling>
+
+  <system-properties>
+    <property name="java.util.logging.config.file"
+              value="WEB-INF/logging.properties"/>
+    <property name="google.registry.environment"
+              value="crash"/>
+  </system-properties>
+
+  <!-- Enable external traffic to go through VPC, required for static ip -->
+  <vpc-access-connector>
+    <name>projects/domain-registry-crash/locations/us-central1/connectors/appengine-connector</name>
+    <egress-setting>all-traffic</egress-setting>
+  </vpc-access-connector>
+
+  <static-files>
+    <include path="/*.html" expiration="1m"/>
+  </static-files>
+</appengine-web-app>

core/src/main/java/google/registry/env/crash/default/WEB-INF/appengine-web.xml

@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
 
-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
   <service>default</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4_1G</instance-class>
   <basic-scaling>

core/src/main/java/google/registry/env/crash/pubapi/WEB-INF/appengine-web.xml

@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
 
-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
   <service>pubapi</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4</instance-class>
   <basic-scaling>

core/src/main/java/google/registry/env/crash/tools/WEB-INF/appengine-web.xml

@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
 
-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
   <service>tools</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4</instance-class>
   <basic-scaling>

core/src/main/java/google/registry/env/local/backend/WEB-INF/appengine-web.xml

@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
 
-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
   <service>backend</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4</instance-class>
   <basic-scaling>

core/src/main/java/google/registry/env/local/bsa/WEB-INF/appengine-web.xml

@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
+
+  <runtime>java17</runtime>
+  <service>bsa</service>
+  <app-engine-apis>true</app-engine-apis>
+  <sessions-enabled>true</sessions-enabled>
+  <instance-class>B4</instance-class>
+  <basic-scaling>
+    <max-instances>10</max-instances>
+    <idle-timeout>10m</idle-timeout>
+  </basic-scaling>
+
+  <system-properties>
+    <property name="java.util.logging.config.file"
+              value="WEB-INF/logging.properties"/>
+    <property name="google.registry.environment"
+              value="local"/>
+    <property name="appengine.generated.dir"
+              value="/tmp/domain-registry-appengine-generated/local/"/>
+  </system-properties>
+
+  <static-files>
+    <include path="/*.html">
+      <http-header name="Cache-Control" value="max-age=0,must-revalidate" />
+    </include>
+  </static-files>
+</appengine-web-app>

core/src/main/java/google/registry/env/local/default/WEB-INF/appengine-web.xml

@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
 
-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
   <service>default</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4_1G</instance-class>
   <basic-scaling>

core/src/main/java/google/registry/env/local/pubapi/WEB-INF/appengine-web.xml

@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
 
-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
   <service>pubapi</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4</instance-class>
   <basic-scaling>

core/src/main/java/google/registry/env/local/tools/WEB-INF/appengine-web.xml

@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
 
-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
   <service>tools</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4</instance-class>
   <basic-scaling>

core/src/main/java/google/registry/env/production/backend/WEB-INF/appengine-web.xml

@@ -3,6 +3,7 @@
 
   <runtime>java8</runtime>
   <service>backend</service>
+  <!--app-engine-apis>true</app-engine-apis-->
   <threadsafe>true</threadsafe>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4_1G</instance-class>

core/src/main/java/google/registry/env/production/bsa/WEB-INF/appengine-web.xml

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
+
+  <runtime>java8</runtime>
+  <service>bsa</service>
+  <!--app-engine-apis>true</app-engine-apis-->
+  <threadsafe>true</threadsafe>
+  <sessions-enabled>true</sessions-enabled>
+  <instance-class>B4_1G</instance-class>
+  <basic-scaling>
+    <max-instances>100</max-instances>
+    <idle-timeout>10m</idle-timeout>
+  </basic-scaling>
+
+  <system-properties>
+    <property name="java.util.logging.config.file"
+              value="WEB-INF/logging.properties"/>
+    <property name="google.registry.environment"
+              value="production"/>
+  </system-properties>
+
+  <!-- Enable external traffic to go through VPC, required for static ip -->
+  <vpc-access-connector>
+    <name>projects/domain-registry/locations/us-central1/connectors/appengine-connector</name>
+    <egress-setting>all-traffic</egress-setting>
+  </vpc-access-connector>
+
+  <static-files>
+    <include path="/*.html" expiration="1d"/>
+  </static-files>
+
+  <!-- Prevent uncaught servlet errors from leaking a stack trace. -->
+  <static-error-handlers>
+    <handler file="error.html"/>
+  </static-error-handlers>
+</appengine-web-app>

core/src/main/java/google/registry/env/production/default/WEB-INF/appengine-web.xml

@@ -3,6 +3,7 @@
 
   <runtime>java8</runtime>
   <service>default</service>
+  <!--app-engine-apis>true</app-engine-apis-->
   <threadsafe>true</threadsafe>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4_1G</instance-class>

core/src/main/java/google/registry/env/production/pubapi/WEB-INF/appengine-web.xml

@@ -3,6 +3,7 @@
 
   <runtime>java8</runtime>
   <service>pubapi</service>
+  <!--app-engine-apis>true</app-engine-apis-->
   <threadsafe>true</threadsafe>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4_1G</instance-class>

core/src/main/java/google/registry/env/production/tools/WEB-INF/appengine-web.xml

@@ -3,6 +3,7 @@
 
   <runtime>java8</runtime>
   <service>tools</service>
+  <!--app-engine-apis>true</app-engine-apis-->
   <threadsafe>true</threadsafe>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4_1G</instance-class>

core/src/main/java/google/registry/env/qa/backend/WEB-INF/appengine-web.xml

@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
 
-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
   <service>backend</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4</instance-class>
   <basic-scaling>

core/src/main/java/google/registry/env/qa/bsa/WEB-INF/appengine-web.xml

@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
+
+  <runtime>java17</runtime>
+  <service>bsa</service>
+  <app-engine-apis>true</app-engine-apis>
+  <sessions-enabled>true</sessions-enabled>
+  <instance-class>B4</instance-class>
+  <basic-scaling>
+    <max-instances>10</max-instances>
+    <idle-timeout>10m</idle-timeout>
+  </basic-scaling>
+
+  <system-properties>
+    <property name="java.util.logging.config.file"
+              value="WEB-INF/logging.properties"/>
+    <property name="google.registry.environment"
+              value="qa"/>
+  </system-properties>
+
+  <static-files>
+    <include path="/*.html" expiration="1h"/>
+  </static-files>
+
+    <!-- Enable external traffic to go through VPC, required for static ip -->
+  <vpc-access-connector>
+    <name>projects/domain-registry-qa/locations/us-central1/connectors/appengine-connector</name>
+    <egress-setting>all-traffic</egress-setting>
+  </vpc-access-connector>
+
+  <!-- Prevent uncaught servlet errors from leaking a stack trace. -->
+  <static-error-handlers>
+    <handler file="error.html"/>
+  </static-error-handlers>
+</appengine-web-app>

core/src/main/java/google/registry/env/qa/default/WEB-INF/appengine-web.xml

@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
 
-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
   <service>default</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>F4_1G</instance-class>
   <automatic-scaling>

core/src/main/java/google/registry/env/qa/pubapi/WEB-INF/appengine-web.xml

@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
 
-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
   <service>pubapi</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4</instance-class>
   <basic-scaling>

core/src/main/java/google/registry/env/qa/tools/WEB-INF/appengine-web.xml

@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
 
-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
   <service>tools</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4</instance-class>
   <basic-scaling>

core/src/main/java/google/registry/env/sandbox/backend/WEB-INF/appengine-web.xml

@@ -3,6 +3,7 @@
 
   <runtime>java8</runtime>
   <service>backend</service>
+  <!--app-engine-apis>true</app-engine-apis-->
   <threadsafe>true</threadsafe>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4</instance-class>

core/src/main/java/google/registry/env/sandbox/bsa/WEB-INF/appengine-web.xml

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
+
+  <runtime>java8</runtime>
+  <service>bsa</service>
+  <!--app-engine-apis>true</app-engine-apis-->
+  <threadsafe>true</threadsafe>
+  <sessions-enabled>true</sessions-enabled>
+  <instance-class>B4</instance-class>
+  <basic-scaling>
+    <max-instances>100</max-instances>
+    <idle-timeout>10m</idle-timeout>
+  </basic-scaling>
+
+  <system-properties>
+    <property name="java.util.logging.config.file"
+              value="WEB-INF/logging.properties"/>
+    <property name="google.registry.environment"
+              value="sandbox"/>
+  </system-properties>
+
+  <static-files>
+    <include path="/*.html" expiration="1d"/>
+  </static-files>
+
+  <!-- Enable external traffic to go through VPC, required for static ip -->
+  <vpc-access-connector>
+    <name>projects/domain-registry-sandbox/locations/us-central1/connectors/appengine-connector</name>
+    <egress-setting>all-traffic</egress-setting>
+  </vpc-access-connector>
+
+  <!-- Prevent uncaught servlet errors from leaking a stack trace. -->
+  <static-error-handlers>
+    <handler file="error.html"/>
+  </static-error-handlers>
+</appengine-web-app>

core/src/main/java/google/registry/env/sandbox/default/WEB-INF/appengine-web.xml

@@ -3,6 +3,7 @@
 
   <runtime>java8</runtime>
   <service>default</service>
+  <!--app-engine-apis>true</app-engine-apis-->
   <threadsafe>true</threadsafe>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4_1G</instance-class>

core/src/main/java/google/registry/env/sandbox/pubapi/WEB-INF/appengine-web.xml

@@ -3,6 +3,7 @@
 
   <runtime>java8</runtime>
   <service>pubapi</service>
+  <!--app-engine-apis>true</app-engine-apis-->
   <threadsafe>true</threadsafe>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4_1G</instance-class>

core/src/main/java/google/registry/env/sandbox/tools/WEB-INF/appengine-web.xml

@@ -3,6 +3,7 @@
 
   <runtime>java8</runtime>
   <service>tools</service>
+  <!--app-engine-apis>true</app-engine-apis-->
   <threadsafe>true</threadsafe>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4</instance-class>

core/src/main/java/google/registry/flows/EppRequestHandler.java

@@ -75,14 +75,6 @@ public class EppRequestHandler {
           && eppOutput.getResponse().getResult().getCode() == SUCCESS_AND_CLOSE) {
         response.setHeader(ProxyHttpHeaders.EPP_SESSION, "close");
       }
-      // If a login request returns a success, a logged-in header is added to the response to inform
-      // the proxy that it is no longer necessary to send the full client certificate to the backend
-      // for this connection.
-      if (eppOutput.isResponse()
-          && eppOutput.getResponse().isLoginResponse()
-          && eppOutput.isSuccess()) {
-        response.setHeader(ProxyHttpHeaders.LOGGED_IN, "true");
-      }
     } catch (Exception e) {
       logger.atWarning().withCause(e).log("handleEppCommand general exception.");
       response.setStatus(SC_BAD_REQUEST);

core/src/main/java/google/registry/flows/TlsCredentials.java

@@ -26,6 +26,7 @@ import com.google.common.net.InetAddresses;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.RegistryConfig.Config;
+import google.registry.config.RegistryEnvironment;
 import google.registry.flows.EppException.AuthenticationErrorException;
 import google.registry.flows.certs.CertificateChecker;
 import google.registry.flows.certs.CertificateChecker.InsecureCertificateException;
@@ -66,11 +67,11 @@ public class TlsCredentials implements TransportCredentials {
   public TlsCredentials(
       @Config("requireSslCertificates") boolean requireSslCertificates,
       @Header(ProxyHttpHeaders.CERTIFICATE_HASH) Optional<String> clientCertificateHash,
-      @Header(ProxyHttpHeaders.IP_ADDRESS) Optional<String> clientAddress,
+      Optional<InetAddress> clientInetAddr,
       CertificateChecker certificateChecker) {
     this.requireSslCertificates = requireSslCertificates;
     this.clientCertificateHash = clientCertificateHash;
-    this.clientInetAddr = clientAddress.map(TlsCredentials::parseInetAddress);
+    this.clientInetAddr = clientInetAddr;
     this.certificateChecker = certificateChecker;
   }
 
@@ -104,18 +105,25 @@ public class TlsCredentials implements TransportCredentials {
     }
     // In the rare unexpected case that the client inet address wasn't passed along at all, then
     // by default deny access.
-    if (clientInetAddr.isPresent()) {
-      for (CidrAddressBlock cidrAddressBlock : ipAddressAllowList) {
-        if (cidrAddressBlock.contains(clientInetAddr.get())) {
-          // IP address is in allow list; return early.
-          return;
-        }
+    if (!clientInetAddr.isPresent()) {
+      logger.atWarning().log(
+          "Authentication error: Missing IP address for registrar %s.", registrar.getRegistrarId());
+      throw new BadRegistrarIpAddressException(clientInetAddr);
+    }
+    for (CidrAddressBlock cidrAddressBlock : ipAddressAllowList) {
+      if (cidrAddressBlock.contains(clientInetAddr.get())) {
+        // IP address is in allow list; return early.
+        return;
       }
     }
-    logger.atInfo().log(
+    logger.atWarning().log(
         "Authentication error: IP address %s is not allow-listed for registrar %s; allow list is:"
             + " %s",
-        clientInetAddr, registrar.getRegistrarId(), ipAddressAllowList);
+        clientInetAddr,
+        registrar.getRegistrarId(),
+        RegistryEnvironment.get() == RegistryEnvironment.PRODUCTION
+            ? "redacted in production"
+            : ipAddressAllowList);
     throw new BadRegistrarIpAddressException(clientInetAddr);
   }
 
@@ -232,7 +240,7 @@ public class TlsCredentials implements TransportCredentials {
               ? String.format(
                   "Registrar IP address %s is not in stored allow list",
                   clientInetAddr.get().getHostAddress())
-              : "Registrar IP address is not in stored allow list");
+              : "Registrar IP address is missing");
     }
   }
 
@@ -249,9 +257,14 @@ public class TlsCredentials implements TransportCredentials {
     }
 
     @Provides
-    @Header(ProxyHttpHeaders.IP_ADDRESS)
-    static Optional<String> provideIpAddress(HttpServletRequest req) {
-      return extractOptionalHeader(req, ProxyHttpHeaders.IP_ADDRESS);
+    static Optional<InetAddress> provideIpAddress(HttpServletRequest req) {
+      Optional<String> clientAddress = extractOptionalHeader(req, ProxyHttpHeaders.IP_ADDRESS);
+      Optional<String> fallbackClientAddress =
+          extractOptionalHeader(req, ProxyHttpHeaders.IP_ADDRESS);
+      Optional<InetAddress> clientInetAddr = clientAddress.map(TlsCredentials::parseInetAddress);
+      return clientInetAddr.isPresent()
+          ? clientInetAddr
+          : fallbackClientAddress.map(TlsCredentials::parseInetAddress);
     }
   }
 }

core/src/main/java/google/registry/flows/domain/DomainCheckFlow.java

@@ -66,7 +66,6 @@ import google.registry.model.domain.DomainCommand.Check;
 import google.registry.model.domain.fee.FeeCheckCommandExtension;
 import google.registry.model.domain.fee.FeeCheckCommandExtensionItem;
 import google.registry.model.domain.fee.FeeCheckResponseExtensionItem;
-import google.registry.model.domain.fee.FeeQueryCommandExtensionItem.CommandName;
 import google.registry.model.domain.fee06.FeeCheckCommandExtensionV06;
 import google.registry.model.domain.launch.LaunchCheckExtension;
 import google.registry.model.domain.token.AllocationToken;
@@ -272,7 +271,7 @@ public final class DomainCheckFlow implements TransactionalFlow {
     ImmutableList.Builder<FeeCheckResponseExtensionItem> responseItems =
         new ImmutableList.Builder<>();
     ImmutableMap<String, Domain> domainObjs =
-        loadDomainsForRestoreChecks(feeCheck, domainNames, existingDomains);
+        loadDomainsForChecks(feeCheck, domainNames, existingDomains);
     ImmutableMap<String, BillingRecurrence> recurrences = loadRecurrencesForDomains(domainObjs);
 
     for (FeeCheckCommandExtensionItem feeCheckItem : feeCheck.getItems()) {
@@ -335,17 +334,20 @@ public final class DomainCheckFlow implements TransactionalFlow {
   }
 
   /**
-   * Loads and returns all existing domains that are having restore fees checked.
+   * Loads and returns all existing domains that are having restore/renew/transfer fees checked.
    *
-   * <p>This is necessary so that we can check their expiration dates to determine if a one-year
-   * renewal is part of the cost of a restore.
+   * <p>These need to be loaded for renews and transfers because there could be a relevant {@link
+   * google.registry.model.billing.BillingBase.RenewalPriceBehavior} on the {@link
+   * BillingRecurrence} affecting the price. They also need to be loaded for restores so that we can
+   * check their expiration dates to determine if a one-year renewal is part of the cost of a
+   * restore.
    *
    * <p>This may be resource-intensive for large checks of many restore fees, but those are
    * comparatively rare, and we are at least using an in-memory cache. Also, this will get a lot
    * nicer in Cloud SQL when we can SELECT just the fields we want rather than having to load the
    * entire entity.
    */
-  private ImmutableMap<String, Domain> loadDomainsForRestoreChecks(
+  private ImmutableMap<String, Domain> loadDomainsForChecks(
       FeeCheckCommandExtension<?, ?> feeCheck,
       ImmutableMap<String, InternetDomainName> domainNames,
       ImmutableMap<String, VKey<Domain>> existingDomains) {
@@ -354,18 +356,18 @@ public final class DomainCheckFlow implements TransactionalFlow {
       // The V06 fee extension supports specifying the command fees to check on a per-domain basis.
       restoreCheckDomains =
           feeCheck.getItems().stream()
-              .filter(fc -> fc.getCommandName() == CommandName.RESTORE)
+              .filter(fc -> fc.getCommandName().shouldLoadDomainForCheck())
               .map(FeeCheckCommandExtensionItem::getDomainName)
               .distinct()
               .collect(toImmutableList());
     } else if (feeCheck.getItems().stream()
-        .anyMatch(fc -> fc.getCommandName() == CommandName.RESTORE)) {
+        .anyMatch(fc -> fc.getCommandName().shouldLoadDomainForCheck())) {
       // The more recent fee extension versions support specifying the command fees to check only on
       // the overall domain check, not per-domain.
       restoreCheckDomains = ImmutableList.copyOf(domainNames.keySet());
     } else {
-      // Fall-through case for more recent fee extension versions when the restore fee isn't being
-      // checked.
+      // Fall-through case for more recent fee extension versions when the restore/renew/transfer
+      // fees aren't being checked.
       restoreCheckDomains = ImmutableList.of();
     }
 

core/src/main/java/google/registry/flows/domain/DomainPricingLogic.java

@@ -18,7 +18,6 @@ import static com.google.common.base.Preconditions.checkArgument;
 import static google.registry.flows.domain.DomainFlowUtils.zeroInCurrency;
 import static google.registry.flows.domain.token.AllocationTokenFlowUtils.validateTokenForPossiblePremiumName;
 import static google.registry.pricing.PricingEngineProxy.getPricesForDomainName;
-import static google.registry.util.DomainNameUtils.getTldFromDomainName;
 import static google.registry.util.PreconditionsUtils.checkArgumentPresent;
 
 import com.google.common.net.InternetDomainName;
@@ -31,11 +30,13 @@ import google.registry.flows.custom.DomainPricingCustomLogic.RenewPriceParameter
 import google.registry.flows.custom.DomainPricingCustomLogic.RestorePriceParameters;
 import google.registry.flows.custom.DomainPricingCustomLogic.TransferPriceParameters;
 import google.registry.flows.custom.DomainPricingCustomLogic.UpdatePriceParameters;
+import google.registry.model.billing.BillingBase.RenewalPriceBehavior;
 import google.registry.model.billing.BillingRecurrence;
 import google.registry.model.domain.fee.BaseFee;
 import google.registry.model.domain.fee.BaseFee.FeeType;
 import google.registry.model.domain.fee.Fee;
 import google.registry.model.domain.token.AllocationToken;
+import google.registry.model.domain.token.AllocationToken.RegistrationBehavior;
 import google.registry.model.domain.token.AllocationToken.TokenBehavior;
 import google.registry.model.pricing.PremiumPricingEngine.DomainPrices;
 import google.registry.model.tld.Tld;
@@ -132,12 +133,14 @@ public final class DomainPricingLogic {
     // recurrence is null if the domain is still available. Billing events are created
     // in the process of domain creation.
     if (billingRecurrence == null) {
-      renewCost = getDomainRenewCostWithDiscount(domainPrices, years, allocationToken);
+      renewCost =
+          getDomainRenewCostWithDiscount(tld, domainPrices, dateTime, years, allocationToken);
       isRenewCostPremiumPrice = domainPrices.isPremium();
     } else {
       switch (billingRecurrence.getRenewalPriceBehavior()) {
         case DEFAULT:
-          renewCost = getDomainRenewCostWithDiscount(domainPrices, years, allocationToken);
+          renewCost =
+              getDomainRenewCostWithDiscount(tld, domainPrices, dateTime, years, allocationToken);
           isRenewCostPremiumPrice = domainPrices.isPremium();
           break;
           // if the renewal price behavior is specified, then the renewal price should be the same
@@ -156,10 +159,7 @@ public final class DomainPricingLogic {
         case NONPREMIUM:
           renewCost =
               getDomainCostWithDiscount(
-                  false,
-                  years,
-                  allocationToken,
-                  Tld.get(getTldFromDomainName(domainName)).getStandardRenewCost(dateTime));
+                  false, years, allocationToken, tld.getStandardRenewCost(dateTime));
           isRenewCostPremiumPrice = false;
           break;
         default:
@@ -257,8 +257,20 @@ public final class DomainPricingLogic {
 
   /** Returns the domain renew cost with allocation-token-related discounts applied. */
   private Money getDomainRenewCostWithDiscount(
-      DomainPrices domainPrices, int years, Optional<AllocationToken> allocationToken)
+      Tld tld,
+      DomainPrices domainPrices,
+      DateTime dateTime,
+      int years,
+      Optional<AllocationToken> allocationToken)
       throws AllocationTokenInvalidForPremiumNameException {
+    // Short-circuit if the user sent an anchor-tenant or otherwise NONPREMIUM-renewal token
+    if (allocationToken.isPresent()) {
+      AllocationToken token = allocationToken.get();
+      if (token.getRegistrationBehavior().equals(RegistrationBehavior.ANCHOR_TENANT)
+          || token.getRenewalPriceBehavior().equals(RenewalPriceBehavior.NONPREMIUM)) {
+        return tld.getStandardRenewCost(dateTime).multipliedBy(years);
+      }
+    }
     return getDomainCostWithDiscount(
         domainPrices.isPremium(), years, allocationToken, domainPrices.getRenewCost());
   }

core/src/main/java/google/registry/flows/session/LoginFlow.java

@@ -28,11 +28,17 @@ import google.registry.flows.EppException.CommandUseErrorException;
 import google.registry.flows.EppException.ParameterValuePolicyErrorException;
 import google.registry.flows.EppException.UnimplementedExtensionException;
 import google.registry.flows.EppException.UnimplementedObjectServiceException;
+import google.registry.flows.EppException.UnimplementedProtocolVersionException;
 import google.registry.flows.ExtensionManager;
 import google.registry.flows.FlowModule.RegistrarId;
+import google.registry.flows.FlowUtils.GenericXmlSyntaxErrorException;
 import google.registry.flows.MutatingFlow;
 import google.registry.flows.SessionMetadata;
+import google.registry.flows.TlsCredentials.BadRegistrarCertificateException;
+import google.registry.flows.TlsCredentials.BadRegistrarIpAddressException;
+import google.registry.flows.TlsCredentials.MissingRegistrarCertificateException;
 import google.registry.flows.TransportCredentials;
+import google.registry.flows.TransportCredentials.BadRegistrarPasswordException;
 import google.registry.model.eppcommon.ProtocolDefinition;
 import google.registry.model.eppcommon.ProtocolDefinition.ServiceExtension;
 import google.registry.model.eppinput.EppInput;
@@ -41,6 +47,7 @@ import google.registry.model.eppinput.EppInput.Options;
 import google.registry.model.eppinput.EppInput.Services;
 import google.registry.model.eppoutput.EppResponse;
 import google.registry.model.registrar.Registrar;
+import google.registry.util.PasswordUtils.HashAlgorithm;
 import java.util.Optional;
 import java.util.Set;
 import javax.inject.Inject;
@@ -48,14 +55,14 @@ import javax.inject.Inject;
 /**
  * An EPP flow for login.
  *
- * @error {@link google.registry.flows.EppException.UnimplementedExtensionException}
- * @error {@link google.registry.flows.EppException.UnimplementedObjectServiceException}
- * @error {@link google.registry.flows.EppException.UnimplementedProtocolVersionException}
- * @error {@link google.registry.flows.FlowUtils.GenericXmlSyntaxErrorException}
- * @error {@link google.registry.flows.TlsCredentials.BadRegistrarCertificateException}
- * @error {@link google.registry.flows.TlsCredentials.BadRegistrarIpAddressException}
- * @error {@link google.registry.flows.TlsCredentials.MissingRegistrarCertificateException}
- * @error {@link google.registry.flows.TransportCredentials.BadRegistrarPasswordException}
+ * @error {@link UnimplementedExtensionException}
+ * @error {@link UnimplementedObjectServiceException}
+ * @error {@link UnimplementedProtocolVersionException}
+ * @error {@link GenericXmlSyntaxErrorException}
+ * @error {@link BadRegistrarCertificateException}
+ * @error {@link BadRegistrarIpAddressException}
+ * @error {@link MissingRegistrarCertificateException}
+ * @error {@link BadRegistrarPasswordException}
  * @error {@link LoginFlow.AlreadyLoggedInException}
  * @error {@link BadRegistrarIdException}
  * @error {@link LoginFlow.TooManyFailedLoginsException}
@@ -134,13 +141,24 @@ public class LoginFlow implements MutatingFlow {
     if (!registrar.get().isLive()) {
       throw new RegistrarAccountNotActiveException();
     }
-    if (login.getNewPassword().isPresent()) {
+
+    if (login.getNewPassword().isPresent()
+        || registrar.get().getCurrentHashAlgorithm(login.getPassword()).orElse(null)
+            != HashAlgorithm.SCRYPT) {
+      String newPassword =
+          login
+              .getNewPassword()
+              .orElseGet(
+                  () -> {
+                    logger.atInfo().log("Rehashing existing registrar password with Scrypt");
+                    return login.getPassword();
+                  });
       // Load fresh from database (bypassing the cache) to ensure we don't save stale data.
       Optional<Registrar> freshRegistrar = Registrar.loadByRegistrarId(login.getClientId());
       if (!freshRegistrar.isPresent()) {
         throw new BadRegistrarIdException(login.getClientId());
       }
-      tm().put(freshRegistrar.get().asBuilder().setPassword(login.getNewPassword().get()).build());
+      tm().put(freshRegistrar.get().asBuilder().setPassword(newPassword).build());
     }
 
     // We are in!
@@ -152,35 +170,35 @@ public class LoginFlow implements MutatingFlow {
 
   /** Registrar with this ID could not be found. */
   static class BadRegistrarIdException extends AuthenticationErrorException {
-    public BadRegistrarIdException(String registrarId) {
+    BadRegistrarIdException(String registrarId) {
       super("Registrar with this ID could not be found: " + registrarId);
     }
   }
 
   /** Registrar login failed too many times. */
   static class TooManyFailedLoginsException extends AuthenticationErrorClosingConnectionException {
-    public TooManyFailedLoginsException() {
+    TooManyFailedLoginsException() {
       super("Registrar login failed too many times");
     }
   }
 
   /** Registrar account is not active. */
   static class RegistrarAccountNotActiveException extends AuthorizationErrorException {
-    public RegistrarAccountNotActiveException() {
+    RegistrarAccountNotActiveException() {
       super("Registrar account is not active");
     }
   }
 
   /** Registrar is already logged in. */
   static class AlreadyLoggedInException extends CommandUseErrorException {
-    public AlreadyLoggedInException() {
+    AlreadyLoggedInException() {
       super("Registrar is already logged in");
     }
   }
 
   /** Specified language is not supported. */
   static class UnsupportedLanguageException extends ParameterValuePolicyErrorException {
-    public UnsupportedLanguageException() {
+    UnsupportedLanguageException() {
       super("Specified language is not supported");
     }
   }

core/src/main/java/google/registry/groups/GmailClient.java

@@ -138,6 +138,7 @@ public final class GmailClient {
         BodyPart attachmentPart = new MimeBodyPart();
         attachmentPart.setContent(attachment.content(), attachment.contentType().toString());
         attachmentPart.setFileName(attachment.filename());
+        attachmentPart.setDisposition(MimeBodyPart.ATTACHMENT);
         multipart.addBodyPart(attachmentPart);
       }
       msg.addRecipients(RecipientType.BCC, toArray(emailMessage.bccs(), Address.class));

core/src/main/java/google/registry/keyring/api/InMemoryKeyring.java

@@ -38,7 +38,7 @@ public final class InMemoryKeyring implements Keyring {
   private final String marksdbDnlLoginAndPassword;
   private final String marksdbLordnPassword;
   private final String marksdbSmdrlLoginAndPassword;
-  private final String jsonCredential;
+  private final String bsaApiKey;
 
   public InMemoryKeyring(
       PGPKeyPair rdeStagingKey,
@@ -53,9 +53,9 @@ public final class InMemoryKeyring implements Keyring {
       String marksdbDnlLoginAndPassword,
       String marksdbLordnPassword,
       String marksdbSmdrlLoginAndPassword,
-      String jsonCredential,
       String cloudSqlPassword,
-      String toolsCloudSqlPassword) {
+      String toolsCloudSqlPassword,
+      String bsaApiKey) {
     checkArgument(PgpHelper.isSigningKey(rdeSigningKey.getPublicKey()),
         "RDE signing key must support signing: %s", rdeSigningKey.getKeyID());
     checkArgument(rdeStagingKey.getPublicKey().isEncryptionKey(),
@@ -80,7 +80,7 @@ public final class InMemoryKeyring implements Keyring {
     this.marksdbLordnPassword = checkNotNull(marksdbLordnPassword, "marksdbLordnPassword");
     this.marksdbSmdrlLoginAndPassword =
         checkNotNull(marksdbSmdrlLoginAndPassword, "marksdbSmdrlLoginAndPassword");
-    this.jsonCredential = checkNotNull(jsonCredential, "jsonCredential");
+    this.bsaApiKey = checkNotNull(bsaApiKey, "bsaApiKey");
   }
 
   @Override
@@ -149,8 +149,8 @@ public final class InMemoryKeyring implements Keyring {
   }
 
   @Override
-  public String getJsonCredential() {
-    return jsonCredential;
+  public String getBsaApiKey() {
+    return bsaApiKey;
   }
 
   /** Does nothing. */

core/src/main/java/google/registry/keyring/api/Keyring.java

@@ -145,11 +145,8 @@ public interface Keyring extends AutoCloseable {
    */
   String getMarksdbSmdrlLoginAndPassword();
 
-  /**
-   * Returns the credentials for a service account on the Google AppEngine project downloaded from
-   * the Cloud Console dashboard in JSON format.
-   */
-  String getJsonCredential();
+  /** Returns the API_KEY for authentication with the BSA portal. */
+  String getBsaApiKey();
 
   // Don't throw so try-with-resources works better.
   @Override

core/src/main/java/google/registry/keyring/secretmanager/SecretManagerKeyring.java

@@ -58,8 +58,8 @@ public class SecretManagerKeyring implements Keyring {
   /** Key labels for string secrets. */
   enum StringKeyLabel {
     SAFE_BROWSING_API_KEY,
+    BSA_API_KEY_STRING,
     ICANN_REPORTING_PASSWORD_STRING,
-    JSON_CREDENTIAL_STRING,
     MARKSDB_DNL_LOGIN_STRING,
     MARKSDB_LORDN_PASSWORD_STRING,
     MARKSDB_SMDRL_LOGIN_STRING,
@@ -143,10 +143,9 @@ public class SecretManagerKeyring implements Keyring {
     return getString(StringKeyLabel.MARKSDB_SMDRL_LOGIN_STRING);
   }
 
-  // TODO(b/237305940): remove this method and all supports, including entry in secretmanager
   @Override
-  public String getJsonCredential() {
-    return getString(StringKeyLabel.JSON_CREDENTIAL_STRING);
+  public String getBsaApiKey() {
+    return getString(StringKeyLabel.BSA_API_KEY_STRING);
   }
 
   /** No persistent resources are maintained for this Keyring implementation. */

core/src/main/java/google/registry/keyring/secretmanager/SecretManagerKeyringUpdater.java

@@ -24,8 +24,8 @@ import static google.registry.keyring.secretmanager.SecretManagerKeyring.PublicK
 import static google.registry.keyring.secretmanager.SecretManagerKeyring.PublicKeyLabel.RDE_RECEIVER_PUBLIC;
 import static google.registry.keyring.secretmanager.SecretManagerKeyring.PublicKeyLabel.RDE_SIGNING_PUBLIC;
 import static google.registry.keyring.secretmanager.SecretManagerKeyring.PublicKeyLabel.RDE_STAGING_PUBLIC;
+import static google.registry.keyring.secretmanager.SecretManagerKeyring.StringKeyLabel.BSA_API_KEY_STRING;
 import static google.registry.keyring.secretmanager.SecretManagerKeyring.StringKeyLabel.ICANN_REPORTING_PASSWORD_STRING;
-import static google.registry.keyring.secretmanager.SecretManagerKeyring.StringKeyLabel.JSON_CREDENTIAL_STRING;
 import static google.registry.keyring.secretmanager.SecretManagerKeyring.StringKeyLabel.MARKSDB_DNL_LOGIN_STRING;
 import static google.registry.keyring.secretmanager.SecretManagerKeyring.StringKeyLabel.MARKSDB_LORDN_PASSWORD_STRING;
 import static google.registry.keyring.secretmanager.SecretManagerKeyring.StringKeyLabel.MARKSDB_SMDRL_LOGIN_STRING;
@@ -120,8 +120,8 @@ public final class SecretManagerKeyringUpdater {
     return setString(login, MARKSDB_SMDRL_LOGIN_STRING);
   }
 
-  public SecretManagerKeyringUpdater setJsonCredential(String credential) {
-    return setString(credential, JSON_CREDENTIAL_STRING);
+  public SecretManagerKeyringUpdater setBsaApiKey(String credential) {
+    return setString(credential, BSA_API_KEY_STRING);
   }
 
   /**

core/src/main/java/google/registry/model/EppResource.java

@@ -20,6 +20,7 @@ import static com.google.common.collect.Sets.difference;
 import static com.google.common.collect.Sets.union;
 import static google.registry.config.RegistryConfig.getEppResourceCachingDuration;
 import static google.registry.config.RegistryConfig.getEppResourceMaxCachedEntries;
+import static google.registry.persistence.transaction.TransactionManagerFactory.replicaTm;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.CollectionUtils.nullToEmpty;
 import static google.registry.util.CollectionUtils.nullToEmptyImmutableCopy;
@@ -357,13 +358,13 @@ public abstract class EppResource extends UpdateAutoTimestampEntity implements B
 
         @Override
         public EppResource load(VKey<? extends EppResource> key) {
-          return tm().reTransact(() -> tm().loadByKey(key));
+          return replicaTm().reTransact(() -> replicaTm().loadByKey(key));
         }
 
         @Override
         public Map<VKey<? extends EppResource>, EppResource> loadAll(
             Iterable<? extends VKey<? extends EppResource>> keys) {
-          return tm().reTransact(() -> tm().loadByKeys(keys));
+          return replicaTm().reTransact(() -> replicaTm().loadByKeys(keys));
         }
       };
 

core/src/main/java/google/registry/model/ForeignKeyUtils.java

@@ -165,10 +165,11 @@ public final class ForeignKeyUtils {
    * foreign keys should not use this cache.
    *
    * <p>Note that here the key of the {@link LoadingCache} is of type {@code VKey<? extends
-   * EppResource>}, but they are not legal {VKey}s to {@link EppResource}s, whose keys are the SQL
-   * primary keys, i.e. the {@code repoId}s. Instead, their keys are the foreign keys used to query
-   * the database. We use {@link VKey} here because it is a convenient composite class that contains
-   * both the resource type and the foreign key, which are needed to for the query and caching.
+   * EppResource>}, but they are not legal {@link VKey}s to {@link EppResource}s, whose keys are the
+   * SQL primary keys, i.e. the {@code repoId}s. Instead, their keys are the foreign keys used to
+   * query the database. We use {@link VKey} here because it is a convenient composite class that
+   * contains both the resource type and the foreign key, which are needed to for the query and
+   * caching.
    *
    * <p>Also note that the value type of this cache is {@link Optional} because the foreign keys in
    * question are coming from external commands, and thus don't necessarily represent entities in

core/src/main/java/google/registry/model/adapters/ClassProcessingTypeAdapterFactory.java

@@ -0,0 +1,40 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.model.adapters;
+
+import com.google.gson.Gson;
+import com.google.gson.TypeAdapter;
+import com.google.gson.TypeAdapterFactory;
+import com.google.gson.reflect.TypeToken;
+
+/**
+ * Adapter factory that allows for (de)serialization of Class objects in GSON.
+ *
+ * <p>GSON's built-in adapter for Class objects throws an exception, but there are situations where
+ * we want to (de)serialize these, such as in VKeys. This instructs GSON to look for our custom
+ * {@link ClassTypeAdapter} rather than the default.
+ */
+public class ClassProcessingTypeAdapterFactory implements TypeAdapterFactory {
+
+  @Override
+  @SuppressWarnings("unchecked")
+  public <T> TypeAdapter<T> create(Gson gson, TypeToken<T> typeToken) {
+    if (Class.class.isAssignableFrom(typeToken.getRawType())) {
+      // in this case, T is a class object
+      return (TypeAdapter<T>) new ClassTypeAdapter();
+    }
+    return null;
+  }
+}

core/src/main/java/google/registry/model/adapters/ClassTypeAdapter.java

@@ -0,0 +1,48 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.model.adapters;
+
+import com.google.gson.TypeAdapter;
+import com.google.gson.stream.JsonReader;
+import com.google.gson.stream.JsonWriter;
+import java.io.IOException;
+
+/**
+ * TypeAdapter for {@link Class} objects.
+ *
+ * <p>GSON's default adapter doesn't allow this, but we want to allow for (de)serialization of Class
+ * objects for containers like VKeys using the full name of the class.
+ */
+public class ClassTypeAdapter extends TypeAdapter<Class<?>> {
+
+  @Override
+  public void write(JsonWriter out, Class value) throws IOException {
+    out.value(value.getName());
+  }
+
+  @Override
+  public Class<?> read(JsonReader reader) throws IOException {
+    String stringValue = reader.nextString();
+    if (stringValue.equals("null")) {
+      return null;
+    }
+    try {
+      return Class.forName(stringValue);
+    } catch (ClassNotFoundException e) {
+      // this should not happen...
+      throw new RuntimeException(e);
+    }
+  }
+}

core/src/main/java/google/registry/model/adapters/SerializableJsonTypeAdapter.java

@@ -0,0 +1,38 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.model.adapters;
+
+import google.registry.util.StringBaseTypeAdapter;
+import java.io.IOException;
+import java.io.Serializable;
+
+/**
+ * TypeAdapter for {@link Serializable} objects.
+ *
+ * <p>VKey keys (primary keys in SQL) are usually represented by either a long or a String. There
+ * are a couple situations (CursorId, HistoryEntryId) where the Serializable in question is a
+ * complex object, but we do not need to worry about (de)serializing those objects to/from JSON.
+ */
+public class SerializableJsonTypeAdapter extends StringBaseTypeAdapter<Serializable> {
+
+  @Override
+  protected Serializable fromString(String stringValue) throws IOException {
+    try {
+      return Long.parseLong(stringValue);
+    } catch (NumberFormatException e) {
+      return stringValue;
+    }
+  }
+}

core/src/main/java/google/registry/model/console/User.java

@@ -25,6 +25,7 @@ import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
 import google.registry.model.Buildable;
 import google.registry.model.UpdateAutoTimestampEntity;
 import google.registry.persistence.VKey;
+import google.registry.util.PasswordUtils;
 import javax.persistence.Column;
 import javax.persistence.Entity;
 import javax.persistence.GeneratedValue;
@@ -84,8 +85,9 @@ public class User extends UpdateAutoTimestampEntity implements Buildable {
         || isNullOrEmpty(registryLockPasswordHash)) {
       return false;
     }
-    return hashPassword(registryLockPassword, registryLockPasswordSalt)
-        .equals(registryLockPasswordHash);
+    return PasswordUtils.verifyPassword(
+            registryLockPassword, registryLockPasswordHash, registryLockPasswordSalt)
+        .isPresent();
   }
 
   /**
@@ -154,9 +156,9 @@ public class User extends UpdateAutoTimestampEntity implements Buildable {
           !getInstance().hasRegistryLockPassword(), "User already has a password, remove it first");
       checkArgument(
           !isNullOrEmpty(registryLockPassword), "Registry lock password was null or empty");
-      getInstance().registryLockPasswordSalt = base64().encode(SALT_SUPPLIER.get());
-      getInstance().registryLockPasswordHash =
-          hashPassword(registryLockPassword, getInstance().registryLockPasswordSalt);
+      byte[] salt = SALT_SUPPLIER.get();
+      getInstance().registryLockPasswordSalt = base64().encode(salt);
+      getInstance().registryLockPasswordHash = hashPassword(registryLockPassword, salt);
       return this;
     }
   }

core/src/main/java/google/registry/model/domain/fee/FeeQueryCommandExtensionItem.java

@@ -34,12 +34,14 @@ public abstract class FeeQueryCommandExtensionItem extends ImmutableObject {
 
   /** The name of a command that might have an associated fee. */
   public enum CommandName {
-    UNKNOWN,
-    CREATE,
-    RENEW,
-    TRANSFER,
-    RESTORE,
-    UPDATE;
+    UNKNOWN(false),
+    CREATE(false),
+    RENEW(true),
+    TRANSFER(true),
+    RESTORE(true),
+    UPDATE(false);
+
+    private final boolean loadDomainForCheck;
 
     public static CommandName parseKnownCommand(String string) {
       try {
@@ -52,6 +54,14 @@ public abstract class FeeQueryCommandExtensionItem extends ImmutableObject {
                 + " UPDATE");
       }
     }
+
+    CommandName(boolean loadDomainForCheck) {
+      this.loadDomainForCheck = loadDomainForCheck;
+    }
+
+    public boolean shouldLoadDomainForCheck() {
+      return this.loadDomainForCheck;
+    }
   }
 
   /** The default validity period (if not specified) is 1 year for all operations. */

core/src/main/java/google/registry/model/registrar/Registrar.java

@@ -60,6 +60,8 @@ import google.registry.model.tld.Tld;
 import google.registry.model.tld.Tld.TldType;
 import google.registry.persistence.VKey;
 import google.registry.util.CidrAddressBlock;
+import google.registry.util.PasswordUtils;
+import google.registry.util.PasswordUtils.HashAlgorithm;
 import java.security.cert.CertificateParsingException;
 import java.util.Comparator;
 import java.util.List;
@@ -97,7 +99,7 @@ import org.joda.time.DateTime;
     column = @Column(nullable = false, name = "lastUpdateTime"))
 public class Registrar extends UpdateAutoTimestampEntity implements Buildable, Jsonifiable {
 
-  /** Represents the type of a registrar entity. */
+  /** Represents the type of registrar entity. */
   public enum Type {
     /** A real-world, third-party registrar. Should have non-null IANA and billing account IDs. */
     REAL(Objects::nonNull),
@@ -376,7 +378,7 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
    */
   @Expose String icannReferralEmail;
 
-  /** Id of the folder in drive used to publish information for this registrar. */
+  /** ID of the folder in drive used to publish information for this registrar. */
   @Expose String driveFolderId;
 
   // Metadata.
@@ -639,7 +641,11 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
   }
 
   public boolean verifyPassword(String password) {
-    return hashPassword(password, salt).equals(passwordHash);
+    return getCurrentHashAlgorithm(password).isPresent();
+  }
+
+  public Optional<HashAlgorithm> getCurrentHashAlgorithm(String password) {
+    return PasswordUtils.verifyPassword(password, passwordHash, salt);
   }
 
   public String getPhonePasscode() {
@@ -861,8 +867,9 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
       checkArgument(
           Range.closed(6, 16).contains(nullToEmpty(password).length()),
           "Password must be 6-16 characters long.");
-      getInstance().salt = base64().encode(SALT_SUPPLIER.get());
-      getInstance().passwordHash = hashPassword(password, getInstance().salt);
+      byte[] salt = SALT_SUPPLIER.get();
+      getInstance().salt = base64().encode(salt);
+      getInstance().passwordHash = hashPassword(password, salt);
       return this;
     }
 

core/src/main/java/google/registry/model/registrar/RegistrarPoc.java

@@ -37,6 +37,8 @@ import google.registry.model.Jsonifiable;
 import google.registry.model.UnsafeSerializable;
 import google.registry.model.registrar.RegistrarPoc.RegistrarPocId;
 import google.registry.persistence.VKey;
+import google.registry.util.PasswordUtils;
+import google.registry.util.PasswordUtils.HashAlgorithm;
 import java.io.Serializable;
 import java.util.Map;
 import java.util.Optional;
@@ -240,8 +242,12 @@ public class RegistrarPoc extends ImmutableObject implements Jsonifiable, Unsafe
         || isNullOrEmpty(registryLockPasswordHash)) {
       return false;
     }
-    return hashPassword(registryLockPassword, registryLockPasswordSalt)
-        .equals(registryLockPasswordHash);
+    return getCurrentHashAlgorithm(registryLockPassword).isPresent();
+  }
+
+  public Optional<HashAlgorithm> getCurrentHashAlgorithm(String registryLockPassword) {
+    return PasswordUtils.verifyPassword(
+        registryLockPassword, registryLockPasswordHash, registryLockPasswordSalt);
   }
 
   /**
@@ -436,9 +442,9 @@ public class RegistrarPoc extends ImmutableObject implements Jsonifiable, Unsafe
           "Not allowed to set registry lock password for this contact");
       checkArgument(
           !isNullOrEmpty(registryLockPassword), "Registry lock password was null or empty");
-      getInstance().registryLockPasswordSalt = base64().encode(SALT_SUPPLIER.get());
-      getInstance().registryLockPasswordHash =
-          hashPassword(registryLockPassword, getInstance().registryLockPasswordSalt);
+      byte[] salt = SALT_SUPPLIER.get();
+      getInstance().registryLockPasswordSalt = base64().encode(salt);
+      getInstance().registryLockPasswordHash = hashPassword(registryLockPassword, salt);
       getInstance().allowedToSetRegistryLockPassword = false;
       return this;
     }

core/src/main/java/google/registry/model/server/Lock.java

@@ -25,9 +25,10 @@ import com.google.common.base.Strings;
 import com.google.common.flogger.FluentLogger;
 import google.registry.model.ImmutableObject;
 import google.registry.persistence.VKey;
+import google.registry.persistence.transaction.TransactionManager.ThrowingRunnable;
 import java.io.Serializable;
 import java.util.Optional;
-import java.util.function.Supplier;
+import java.util.concurrent.Callable;
 import javax.annotation.Nullable;
 import javax.persistence.Column;
 import javax.persistence.Entity;
@@ -184,7 +185,7 @@ public class Lock extends ImmutableObject implements Serializable {
   public static Optional<Lock> acquire(
       String resourceName, @Nullable String tld, Duration leaseLength) {
     String scope = tld != null ? tld : GLOBAL;
-    Supplier<AcquireResult> lockAcquirer =
+    Callable<AcquireResult> lockAcquirer =
         () -> {
           DateTime now = tm().getTransactionTime();
 
@@ -221,7 +222,7 @@ public class Lock extends ImmutableObject implements Serializable {
   /** Release the lock. */
   public void release() {
     // Just use the default clock because we aren't actually doing anything that will use the clock.
-    Supplier<Void> lockReleaser =
+    ThrowingRunnable lockReleaser =
         () -> {
           // To release a lock, check that no one else has already obtained it and if not
           // delete it. If the lock in the database was different, then this lock is gone already;
@@ -246,7 +247,6 @@ public class Lock extends ImmutableObject implements Serializable {
             logger.atInfo().log(
                 "Not deleting lock: %s - someone else has it: %s", lockId, loadedLock);
           }
-          return null;
         };
     tm().transact(lockReleaser);
   }

core/src/main/java/google/registry/model/tld/Tld.java

@@ -550,6 +550,10 @@ public class Tld extends ImmutableObject implements Buildable, UnsafeSerializabl
   @JsonSerialize(using = SortedEnumSetSerializer.class)
   Set<IdnTableEnum> idnTables;
 
+  // TODO(11/30/2023): uncomment below two lines
+  // /** The start time of this TLD's enrollment in the BSA program, if applicable. */
+  // @JsonIgnore @Nullable DateTime bsaEnrollStartTime;
+
   public String getTldStr() {
     return tldStr;
   }
@@ -569,6 +573,15 @@ public class Tld extends ImmutableObject implements Buildable, UnsafeSerializabl
     return tldType;
   }
 
+  /** Returns the time when this TLD was enrolled in the Brand Safety Alliance (BSA) program. */
+  @JsonIgnore // Annotation can be removed once we add the field and annotate it.
+  @Nullable
+  public DateTime getBsaEnrollStartTime() {
+    // TODO(11/30/2023): uncomment below.
+    // return this.bsaEnrollStartTime;
+    return null;
+  }
+
   /** Retrieve whether invoicing is enabled. */
   public boolean isInvoicingEnabled() {
     return invoicingEnabled;
@@ -939,6 +952,7 @@ public class Tld extends ImmutableObject implements Buildable, UnsafeSerializabl
     }
 
     public Builder setReservedListsByName(Set<String> reservedListNames) {
+      // TODO(b/309175133): forbid if enrolled with BSA
       checkArgument(reservedListNames != null, "reservedListNames must not be null");
       ImmutableSet.Builder<ReservedList> builder = new ImmutableSet.Builder<>();
       for (String reservedListName : reservedListNames) {
@@ -958,6 +972,7 @@ public class Tld extends ImmutableObject implements Buildable, UnsafeSerializabl
     }
 
     public Builder setReservedLists(Set<ReservedList> reservedLists) {
+      // TODO(b/309175133): forbid if enrolled with BSA
       checkArgumentNotNull(reservedLists, "reservedLists must not be null");
       ImmutableSet.Builder<String> nameBuilder = new ImmutableSet.Builder<>();
       for (ReservedList reservedList : reservedLists) {
@@ -1076,6 +1091,7 @@ public class Tld extends ImmutableObject implements Buildable, UnsafeSerializabl
     }
 
     public Builder setIdnTables(ImmutableSet<IdnTableEnum> idnTables) {
+      // TODO(b/309175133): forbid if enrolled with BSA.
       getInstance().idnTables = idnTables;
       return this;
     }
@@ -1085,6 +1101,13 @@ public class Tld extends ImmutableObject implements Buildable, UnsafeSerializabl
       return this;
     }
 
+    public Builder setBsaEnrollStartTime(DateTime enrollTime) {
+      // TODO(b/309175133): forbid if enrolled with BSA
+      // TODO(11/30/2023): uncomment below line
+      // getInstance().bsaEnrollStartTime = enrollTime;
+      return this;
+    }
+
     @Override
     public Tld build() {
       final Tld instance = getInstance();