Add support for bsa service to cloud tasks config (#2268 )

Use custom whois message for bsa-blocked domain (#2241 )
* Use custom whois message for bsa-blocked domain
2026-05-21 07:11:48 +00:00 · 2024-01-03 17:38:42 -05:00 · 2024-01-02 14:40:34 -05:00 · 2023-12-21 16:17:37 -05:00 · 2023-12-21 12:59:54 -05:00
57 changed files with 381 additions and 132 deletions
--- a/core/src/main/java/google/registry/batch/DeleteLoadTestDataAction.java
+++ b/core/src/main/java/google/registry/batch/DeleteLoadTestDataAction.java
@@ -17,15 +17,14 @@ package google.registry.batch;
 import static com.google.common.base.Preconditions.checkState;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static google.registry.batch.BatchModule.PARAM_DRY_RUN;
-import static google.registry.config.RegistryEnvironment.PRODUCTION;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.POST;
 import static google.registry.util.DateTimeUtils.END_OF_TIME;
+import static google.registry.util.RegistryEnvironment.PRODUCTION;

 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.flogger.FluentLogger;
-import google.registry.config.RegistryEnvironment;
 import google.registry.flows.poll.PollFlowUtils;
 import google.registry.model.EppResource;
 import google.registry.model.EppResourceUtils;
@@ -40,6 +39,7 @@ import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import javax.inject.Inject;

 /**
--- a/core/src/main/java/google/registry/batch/DeleteProberDataAction.java
+++ b/core/src/main/java/google/registry/batch/DeleteProberDataAction.java
@@ -18,13 +18,13 @@ import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.base.Preconditions.checkState;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static google.registry.batch.BatchModule.PARAM_DRY_RUN;
-import static google.registry.config.RegistryEnvironment.PRODUCTION;
 import static google.registry.dns.DnsUtils.requestDomainDnsRefresh;
 import static google.registry.model.reporting.HistoryEntry.Type.DOMAIN_DELETE;
 import static google.registry.model.tld.Tlds.getTldsOfType;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.POST;
 import static google.registry.request.RequestParameters.PARAM_TLDS;
+import static google.registry.util.RegistryEnvironment.PRODUCTION;

 import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableList;
@@ -32,7 +32,6 @@ import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Sets;
 import com.google.common.flogger.FluentLogger;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.CreateAutoTimestamp;
 import google.registry.model.EppResourceUtils;
 import google.registry.model.domain.Domain;
@@ -41,6 +40,7 @@ import google.registry.model.tld.Tld.TldType;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
+import google.registry.util.RegistryEnvironment;
 import java.util.concurrent.atomic.AtomicInteger;
 import javax.inject.Inject;
 import org.hibernate.CacheMode;
--- a/core/src/main/java/google/registry/batch/ExpandBillingRecurrencesAction.java
+++ b/core/src/main/java/google/registry/batch/ExpandBillingRecurrencesAction.java
@@ -31,7 +31,6 @@ import com.google.common.collect.ImmutableMap;
 import com.google.common.flogger.FluentLogger;
 import google.registry.beam.billing.ExpandBillingRecurrencesPipeline;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.billing.BillingEvent;
 import google.registry.model.billing.BillingRecurrence;
 import google.registry.model.common.Cursor;
@@ -40,6 +39,7 @@ import google.registry.request.Parameter;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import java.io.IOException;
 import java.util.Optional;
 import javax.inject.Inject;
--- a/core/src/main/java/google/registry/batch/ResaveAllEppResourcesPipelineAction.java
+++ b/core/src/main/java/google/registry/batch/ResaveAllEppResourcesPipelineAction.java
@@ -27,12 +27,12 @@ import com.google.common.collect.ImmutableMap;
 import com.google.common.flogger.FluentLogger;
 import com.google.common.net.MediaType;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import javax.inject.Inject;

 /**
--- a/core/src/main/java/google/registry/batch/WipeOutContactHistoryPiiAction.java
+++ b/core/src/main/java/google/registry/batch/WipeOutContactHistoryPiiAction.java
@@ -28,7 +28,6 @@ import com.google.common.flogger.FluentLogger;
 import com.google.common.net.MediaType;
 import google.registry.beam.wipeout.WipeOutContactHistoryPiiPipeline;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.contact.ContactHistory;
 import google.registry.request.Action;
 import google.registry.request.Action.Service;
@@ -36,6 +35,7 @@ import google.registry.request.Parameter;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import java.io.IOException;
 import java.util.Optional;
 import javax.inject.Inject;
--- a/core/src/main/java/google/registry/beam/common/RegistryPipelineOptions.java
+++ b/core/src/main/java/google/registry/beam/common/RegistryPipelineOptions.java
@@ -14,9 +14,9 @@

 package google.registry.beam.common;

-import google.registry.config.RegistryEnvironment;
 import google.registry.persistence.PersistenceModule.JpaTransactionManagerType;
 import google.registry.persistence.PersistenceModule.TransactionIsolationLevel;
+import google.registry.util.RegistryEnvironment;
 import java.util.Objects;
 import javax.annotation.Nullable;
 import org.apache.beam.sdk.extensions.gcp.options.GcpOptions;
--- a/core/src/main/java/google/registry/beam/common/RegistryPipelineWorkerInitializer.java
+++ b/core/src/main/java/google/registry/beam/common/RegistryPipelineWorkerInitializer.java
@@ -19,10 +19,10 @@ import static google.registry.beam.common.RegistryPipelineOptions.toRegistryPipe
 import com.google.auto.service.AutoService;
 import com.google.common.flogger.FluentLogger;
 import dagger.Lazy;
-import google.registry.config.RegistryEnvironment;
-import google.registry.config.SystemPropertySetter;
 import google.registry.persistence.transaction.JpaTransactionManager;
 import google.registry.persistence.transaction.TransactionManagerFactory;
+import google.registry.util.RegistryEnvironment;
+import google.registry.util.SystemPropertySetter;
 import org.apache.beam.sdk.harness.JvmInitializer;
 import org.apache.beam.sdk.options.PipelineOptions;

--- a/core/src/main/java/google/registry/config/RegistryConfig.java
+++ b/core/src/main/java/google/registry/config/RegistryConfig.java
@@ -36,6 +36,7 @@ import dagger.Provides;
 import google.registry.dns.ReadDnsRefreshRequestsAction;
 import google.registry.model.common.DnsRefreshRequest;
 import google.registry.persistence.transaction.JpaTransactionManager;
+import google.registry.util.RegistryEnvironment;
 import google.registry.util.YamlUtils;
 import java.lang.annotation.Documented;
 import java.lang.annotation.Retention;
@@ -1043,6 +1044,17 @@ public final class RegistryConfig {
      return config.registryPolicy.whoisDisclaimer;
    }

+    /**
+     * Message template for whois response when queried domain is blocked by BSA.
+     *
+     * @see google.registry.whois.WhoisResponse
+     */
+    @Provides
+    @Config("domainBlockedByBsaTemplate")
+    public static String provideDomainBlockedByBsaTemplate(RegistryConfigSettings config) {
+      return config.registryPolicy.domainBlockedByBsaTemplate;
+    }
+
    /**
     * Maximum QPS for the Google Cloud Monitoring V3 (aka Stackdriver) API. The QPS limit can be
     * adjusted by contacting Cloud Support.
--- a/core/src/main/java/google/registry/config/RegistryConfigSettings.java
+++ b/core/src/main/java/google/registry/config/RegistryConfigSettings.java
@@ -105,6 +105,7 @@ public class RegistryConfigSettings {
    public String reservedTermsExportDisclaimer;
    public String whoisRedactedEmailText;
    public String whoisDisclaimer;
+    public String domainBlockedByBsaTemplate;
    public String rdapTos;
    public String rdapTosStaticUrl;
    public String registryName;
--- a/core/src/main/java/google/registry/config/files/default-config.yaml
+++ b/core/src/main/java/google/registry/config/files/default-config.yaml
@@ -130,6 +130,12 @@ registryPolicy:
    unlawful behavior. We reserve the right to restrict or deny your access to
    the WHOIS database, and may modify these terms at any time.

+  # BSA blocked domain name template.
+  domainBlockedByBsaTemplate: |
+    Domain Name: %s
+    >>> This name is not available for registration.
+    >>> This name has been blocked by a GlobalBlock service.
+
  # RDAP Terms of Service text displayed at the /rdap/help/tos endpoint.
  rdapTos: >
    By querying our Domain Database as part of the RDAP pilot program (RDAP
--- a/core/src/main/java/google/registry/dns/DnsMetrics.java
+++ b/core/src/main/java/google/registry/dns/DnsMetrics.java
@@ -14,7 +14,7 @@

 package google.registry.dns;

-import static google.registry.config.RegistryEnvironment.PRODUCTION;
+import static google.registry.util.RegistryEnvironment.PRODUCTION;

 import com.google.common.collect.ImmutableSet;
 import com.google.monitoring.metrics.DistributionFitter;
@@ -24,7 +24,7 @@ import com.google.monitoring.metrics.FibonacciFitter;
 import com.google.monitoring.metrics.IncrementableMetric;
 import com.google.monitoring.metrics.LabelDescriptor;
 import com.google.monitoring.metrics.MetricRegistryImpl;
-import google.registry.config.RegistryEnvironment;
+import google.registry.util.RegistryEnvironment;
 import javax.inject.Inject;
 import org.joda.time.Duration;

--- a/core/src/main/java/google/registry/flows/TlsCredentials.java
+++ b/core/src/main/java/google/registry/flows/TlsCredentials.java
@@ -26,7 +26,6 @@ import com.google.common.net.InetAddresses;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.flows.EppException.AuthenticationErrorException;
 import google.registry.flows.certs.CertificateChecker;
 import google.registry.flows.certs.CertificateChecker.InsecureCertificateException;
@@ -34,6 +33,7 @@ import google.registry.model.registrar.Registrar;
 import google.registry.request.Header;
 import google.registry.util.CidrAddressBlock;
 import google.registry.util.ProxyHttpHeaders;
+import google.registry.util.RegistryEnvironment;
 import java.net.InetAddress;
 import java.security.MessageDigest;
 import java.util.Optional;
--- a/core/src/main/java/google/registry/flows/domain/DomainFlowUtils.java
+++ b/core/src/main/java/google/registry/flows/domain/DomainFlowUtils.java
@@ -269,11 +269,15 @@ public class DomainFlowUtils {
   */
  public static void verifyNotBlockedByBsa(String domainLabel, Tld tld, DateTime now)
      throws DomainLabelBlockedByBsaException {
-    if (isEnrolledWithBsa(tld, now) && isLabelBlocked(domainLabel)) {
+    if (isBlockedByBsa(domainLabel, tld, now)) {
      throw new DomainLabelBlockedByBsaException();
    }
  }

+  public static boolean isBlockedByBsa(String domainLabel, Tld tld, DateTime now) {
+    return isEnrolledWithBsa(tld, now) && isLabelBlocked(domainLabel);
+  }
+
  /** Returns whether a given domain create request is for a valid anchor tenant. */
  public static boolean isAnchorTenant(
      InternetDomainName domainName,
--- a/core/src/main/java/google/registry/loadtest/LoadTestAction.java
+++ b/core/src/main/java/google/registry/loadtest/LoadTestAction.java
@@ -29,12 +29,12 @@ import com.google.common.collect.Iterators;
 import com.google.common.flogger.FluentLogger;
 import com.google.protobuf.Timestamp;
 import google.registry.batch.CloudTasksUtils;
-import google.registry.config.RegistryEnvironment;
 import google.registry.request.Action;
 import google.registry.request.Action.Service;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
 import google.registry.security.XsrfTokenManager;
+import google.registry.util.RegistryEnvironment;
 import java.time.Instant;
 import java.util.Arrays;
 import java.util.Iterator;
--- a/core/src/main/java/google/registry/model/EntityYamlUtils.java
+++ b/core/src/main/java/google/registry/model/EntityYamlUtils.java
@@ -349,7 +349,7 @@ public class EntityYamlUtils {
    @Override
    public TimedTransitionProperty<Money> deserialize(JsonParser jp, DeserializationContext context)
        throws IOException {
-      SortedMap<String, LinkedHashMap> valueMap = jp.readValueAs(SortedMap.class);
+      SortedMap<String, LinkedHashMap<String, Object>> valueMap = jp.readValueAs(SortedMap.class);
      return TimedTransitionProperty.fromValueMap(
          valueMap.keySet().stream()
              .collect(
@@ -359,7 +359,7 @@ public class EntityYamlUtils {
                      key ->
                          Money.of(
                              CurrencyUnit.of(valueMap.get(key).get("currency").toString()),
-                              (double) valueMap.get(key).get("amount")))));
+                              new BigDecimal(String.valueOf(valueMap.get(key).get("amount")))))));
    }
  }

--- a/core/src/main/java/google/registry/model/OteAccountBuilder.java
+++ b/core/src/main/java/google/registry/model/OteAccountBuilder.java
@@ -28,7 +28,6 @@ import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.ImmutableSortedMap;
 import com.google.common.collect.Sets;
 import com.google.common.collect.Streams;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.pricing.StaticPremiumListPricingEngine;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarAddress;
@@ -40,6 +39,7 @@ import google.registry.model.tld.label.PremiumList;
 import google.registry.model.tld.label.PremiumListDao;
 import google.registry.persistence.VKey;
 import google.registry.util.CidrAddressBlock;
+import google.registry.util.RegistryEnvironment;
 import java.util.Collection;
 import java.util.Optional;
 import java.util.function.Function;
--- a/core/src/main/java/google/registry/persistence/transaction/JpaTransactionManagerImpl.java
+++ b/core/src/main/java/google/registry/persistence/transaction/JpaTransactionManagerImpl.java
@@ -33,12 +33,12 @@ import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Streams;
 import com.google.common.flogger.FluentLogger;
 import com.google.common.flogger.StackSize;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.ImmutableObject;
 import google.registry.persistence.JpaRetries;
 import google.registry.persistence.PersistenceModule.TransactionIsolationLevel;
 import google.registry.persistence.VKey;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import google.registry.util.Retrier;
 import google.registry.util.SystemSleeper;
 import java.io.Serializable;
--- a/core/src/main/java/google/registry/persistence/transaction/TransactionManagerFactory.java
+++ b/core/src/main/java/google/registry/persistence/transaction/TransactionManagerFactory.java
@@ -20,10 +20,10 @@ import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
 import com.google.appengine.api.utils.SystemProperty;
 import com.google.appengine.api.utils.SystemProperty.Environment.Value;
 import com.google.common.base.Suppliers;
-import google.registry.config.RegistryEnvironment;
 import google.registry.persistence.DaggerPersistenceComponent;
 import google.registry.tools.RegistryToolEnvironment;
 import google.registry.util.NonFinalForTesting;
+import google.registry.util.RegistryEnvironment;
 import java.util.function.Supplier;

 /** Factory class to create {@link TransactionManager} instance. */
--- a/core/src/main/java/google/registry/rde/RdeStagingAction.java
+++ b/core/src/main/java/google/registry/rde/RdeStagingAction.java
@@ -40,7 +40,6 @@ import com.google.common.flogger.FluentLogger;
 import com.google.common.io.BaseEncoding;
 import google.registry.beam.rde.RdePipeline;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.gcs.GcsUtils;
 import google.registry.keyring.api.KeyModule.Key;
 import google.registry.model.common.Cursor;
@@ -57,6 +56,7 @@ import google.registry.request.RequestParameters;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import google.registry.xml.ValidationMode;
 import java.io.IOException;
 import java.util.Optional;
--- a/core/src/main/java/google/registry/reporting/billing/GenerateInvoicesAction.java
+++ b/core/src/main/java/google/registry/reporting/billing/GenerateInvoicesAction.java
@@ -29,7 +29,6 @@ import com.google.common.flogger.FluentLogger;
 import com.google.common.net.MediaType;
 import google.registry.batch.CloudTasksUtils;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.persistence.PersistenceModule;
 import google.registry.reporting.ReportingModule;
 import google.registry.request.Action;
@@ -38,6 +37,7 @@ import google.registry.request.Parameter;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import java.io.IOException;
 import javax.inject.Inject;
 import org.joda.time.Duration;
--- a/core/src/main/java/google/registry/reporting/spec11/GenerateSpec11ReportAction.java
+++ b/core/src/main/java/google/registry/reporting/spec11/GenerateSpec11ReportAction.java
@@ -29,7 +29,6 @@ import com.google.common.flogger.FluentLogger;
 import com.google.common.net.MediaType;
 import google.registry.batch.CloudTasksUtils;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.keyring.api.KeyModule.Key;
 import google.registry.reporting.ReportingModule;
 import google.registry.request.Action;
@@ -38,6 +37,7 @@ import google.registry.request.Parameter;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import java.io.IOException;
 import javax.inject.Inject;
 import org.joda.time.Duration;
--- a/core/src/main/java/google/registry/request/auth/OidcTokenAuthenticationMechanism.java
+++ b/core/src/main/java/google/registry/request/auth/OidcTokenAuthenticationMechanism.java
@@ -20,13 +20,13 @@ import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.flogger.FluentLogger;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.console.User;
 import google.registry.model.console.UserDao;
 import google.registry.request.auth.AuthModule.IapOidc;
 import google.registry.request.auth.AuthModule.RegularOidc;
 import google.registry.request.auth.AuthModule.RegularOidcFallback;
 import google.registry.request.auth.AuthSettings.AuthLevel;
+import google.registry.util.RegistryEnvironment;
 import java.util.Optional;
 import javax.annotation.Nullable;
 import javax.inject.Inject;
--- a/core/src/main/java/google/registry/tools/CreateRegistrarCommand.java
+++ b/core/src/main/java/google/registry/tools/CreateRegistrarCommand.java
@@ -30,8 +30,8 @@ import com.beust.jcommander.Parameter;
 import com.beust.jcommander.Parameters;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Streams;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.registrar.Registrar;
+import google.registry.util.RegistryEnvironment;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
--- a/core/src/main/java/google/registry/tools/RegistryToolEnvironment.java
+++ b/core/src/main/java/google/registry/tools/RegistryToolEnvironment.java
@@ -21,8 +21,8 @@ import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Ascii;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
-import google.registry.config.RegistryEnvironment;
-import google.registry.config.SystemPropertySetter;
+import google.registry.util.RegistryEnvironment;
+import google.registry.util.SystemPropertySetter;

 /** Enum of production environments, used for the {@code --environment} flag. */
 public enum RegistryToolEnvironment {
--- a/core/src/main/java/google/registry/tools/SetupOteCommand.java
+++ b/core/src/main/java/google/registry/tools/SetupOteCommand.java
@@ -22,10 +22,10 @@ import com.beust.jcommander.Parameter;
 import com.beust.jcommander.Parameters;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.io.MoreFiles;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.OteAccountBuilder;
 import google.registry.tools.params.PathParameter;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import google.registry.util.StringGenerator;
 import java.nio.file.Path;
 import java.util.ArrayList;
--- a/core/src/main/java/google/registry/tools/UpdateRegistrarCommand.java
+++ b/core/src/main/java/google/registry/tools/UpdateRegistrarCommand.java
@@ -18,8 +18,8 @@ import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
 import static google.registry.util.PreconditionsUtils.checkArgumentPresent;

 import com.beust.jcommander.Parameters;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.registrar.Registrar;
+import google.registry.util.RegistryEnvironment;
 import javax.annotation.Nullable;

 /** Command to update a Registrar. */
--- a/core/src/main/java/google/registry/tools/UpdateTldCommand.java
+++ b/core/src/main/java/google/registry/tools/UpdateTldCommand.java
@@ -25,10 +25,10 @@ import com.beust.jcommander.Parameter;
 import com.beust.jcommander.Parameters;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Maps;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.tld.Tld;
 import google.registry.model.tld.Tld.TldState;
 import google.registry.tools.params.StringListParameter;
+import google.registry.util.RegistryEnvironment;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
--- a/core/src/main/java/google/registry/tools/VerifyOteCommand.java
+++ b/core/src/main/java/google/registry/tools/VerifyOteCommand.java
@@ -25,9 +25,9 @@ import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Streams;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.registrar.Registrar;
 import google.registry.tools.server.VerifyOteAction;
+import google.registry.util.RegistryEnvironment;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Collection;
--- a/core/src/main/java/google/registry/ui/server/registrar/ConsoleOteSetupAction.java
+++ b/core/src/main/java/google/registry/ui/server/registrar/ConsoleOteSetupAction.java
@@ -15,8 +15,8 @@
 package google.registry.ui.server.registrar;

 import static com.google.common.base.Preconditions.checkState;
-import static google.registry.config.RegistryEnvironment.PRODUCTION;
 import static google.registry.ui.server.SoyTemplateUtils.CSS_RENAMING_MAP_SUPPLIER;
+import static google.registry.util.RegistryEnvironment.PRODUCTION;
 import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;

 import com.google.common.base.Ascii;
@@ -24,7 +24,6 @@ import com.google.common.base.Supplier;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.flogger.FluentLogger;
 import com.google.template.soy.tofu.SoyTofu;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.OteAccountBuilder;
 import google.registry.request.Action;
 import google.registry.request.Action.Method;
@@ -34,6 +33,7 @@ import google.registry.request.auth.AuthenticatedRegistrarAccessor;
 import google.registry.ui.server.SendEmailUtils;
 import google.registry.ui.server.SoyTemplateUtils;
 import google.registry.ui.soy.registrar.OteSetupConsoleSoyInfo;
+import google.registry.util.RegistryEnvironment;
 import google.registry.util.StringGenerator;
 import java.util.HashMap;
 import java.util.Optional;
--- a/core/src/main/java/google/registry/ui/server/registrar/ConsoleRegistrarCreatorAction.java
+++ b/core/src/main/java/google/registry/ui/server/registrar/ConsoleRegistrarCreatorAction.java
@@ -26,7 +26,6 @@ import com.google.common.base.Splitter;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.flogger.FluentLogger;
 import com.google.template.soy.tofu.SoyTofu;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.Registrar.State;
 import google.registry.model.registrar.RegistrarAddress;
@@ -44,6 +43,7 @@ import google.registry.ui.soy.registrar.ConsoleSoyInfo;
 import google.registry.ui.soy.registrar.ConsoleUtilsSoyInfo;
 import google.registry.ui.soy.registrar.FormsSoyInfo;
 import google.registry.ui.soy.registrar.RegistrarCreateConsoleSoyInfo;
+import google.registry.util.RegistryEnvironment;
 import google.registry.util.StringGenerator;
 import java.util.HashMap;
 import java.util.Optional;
--- a/core/src/main/java/google/registry/ui/server/registrar/ConsoleUiAction.java
+++ b/core/src/main/java/google/registry/ui/server/registrar/ConsoleUiAction.java
@@ -27,7 +27,6 @@ import com.google.common.flogger.FluentLogger;
 import com.google.template.soy.data.SoyMapData;
 import com.google.template.soy.tofu.SoyTofu;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
@@ -36,6 +35,7 @@ import google.registry.request.auth.AuthenticatedRegistrarAccessor.RegistrarAcce
 import google.registry.request.auth.AuthenticatedRegistrarAccessor.Role;
 import google.registry.ui.server.SoyTemplateUtils;
 import google.registry.ui.soy.registrar.ConsoleSoyInfo;
+import google.registry.util.RegistryEnvironment;
 import java.util.HashMap;
 import java.util.Optional;
 import javax.inject.Inject;
--- a/core/src/main/java/google/registry/ui/server/registrar/RegistrarSettingsAction.java
+++ b/core/src/main/java/google/registry/ui/server/registrar/RegistrarSettingsAction.java
@@ -18,11 +18,11 @@ import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.collect.ImmutableList.toImmutableList;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static com.google.common.collect.Sets.difference;
-import static google.registry.config.RegistryEnvironment.PRODUCTION;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.security.JsonResponseHelper.Status.ERROR;
 import static google.registry.security.JsonResponseHelper.Status.SUCCESS;
 import static google.registry.util.PreconditionsUtils.checkArgumentPresent;
+import static google.registry.util.RegistryEnvironment.PRODUCTION;

 import com.google.auto.value.AutoValue;
 import com.google.common.base.Ascii;
@@ -37,7 +37,6 @@ import com.google.common.collect.Sets;
 import com.google.common.collect.Streams;
 import com.google.common.flogger.FluentLogger;
 import google.registry.batch.CloudTasksUtils;
-import google.registry.config.RegistryEnvironment;
 import google.registry.export.sheet.SyncRegistrarsSheetAction;
 import google.registry.flows.certs.CertificateChecker;
 import google.registry.flows.certs.CertificateChecker.InsecureCertificateException;
@@ -61,6 +60,7 @@ import google.registry.ui.server.RegistrarFormFields;
 import google.registry.ui.server.SendEmailUtils;
 import google.registry.util.CollectionUtils;
 import google.registry.util.DiffUtils;
+import google.registry.util.RegistryEnvironment;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.Map;
--- a/core/src/main/java/google/registry/whois/DomainLookupCommand.java
+++ b/core/src/main/java/google/registry/whois/DomainLookupCommand.java
@@ -14,34 +14,84 @@

 package google.registry.whois;

+import static com.google.common.base.Preconditions.checkNotNull;
+import static google.registry.flows.domain.DomainFlowUtils.isBlockedByBsa;
 import static google.registry.model.EppResourceUtils.loadByForeignKey;
 import static google.registry.model.EppResourceUtils.loadByForeignKeyCached;
+import static google.registry.model.tld.Tlds.findTldForName;
+import static google.registry.model.tld.Tlds.getTlds;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+import static javax.servlet.http.HttpServletResponse.SC_NOT_FOUND;

+import com.google.auto.value.AutoValue;
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Verify;
 import com.google.common.net.InternetDomainName;
 import google.registry.model.domain.Domain;
+import google.registry.model.tld.Tld;
 import java.util.Optional;
 import org.joda.time.DateTime;

 /** Represents a WHOIS lookup on a domain name (i.e. SLD). */
-public class DomainLookupCommand extends DomainOrHostLookupCommand {
+public class DomainLookupCommand implements WhoisCommand {
+
+  private static final String ERROR_PREFIX = "Domain";
+
+  @VisibleForTesting final InternetDomainName domainName;

  private final boolean fullOutput;
  private final boolean cached;
  private final String whoisRedactedEmailText;
+  private final String domainBlockedByBsaTemplate;

  public DomainLookupCommand(
      InternetDomainName domainName,
      boolean fullOutput,
      boolean cached,
-      String whoisRedactedEmailText) {
-    super(domainName, "Domain");
+      String whoisRedactedEmailText,
+      String domainBlockedByBsaTemplate) {
+    this.domainName = checkNotNull(domainName, "domainOrHostName");
    this.fullOutput = fullOutput;
    this.cached = cached;
    this.whoisRedactedEmailText = whoisRedactedEmailText;
+    this.domainBlockedByBsaTemplate = domainBlockedByBsaTemplate;
  }

  @Override
-  protected Optional<WhoisResponse> getResponse(InternetDomainName domainName, DateTime now) {
+  public final WhoisResponse executeQuery(final DateTime now) throws WhoisException {
+    Optional<InternetDomainName> tld = findTldForName(domainName);
+    // Google Registry Policy: Do not return records under TLDs for which we're not
+    // authoritative.
+    if (!tld.isPresent() || !getTlds().contains(tld.get().toString())) {
+      throw new WhoisException(now, SC_NOT_FOUND, ERROR_PREFIX + " not found.");
+    }
+    // Include `getResponse` and `isBlockedByBsa` in one transaction to reduce latency.
+    // Must pass the exceptions outside to throw.
+    ResponseOrException result =
+        tm().transact(
+                () -> {
+                  final Optional<WhoisResponse> response = getResponse(domainName, now);
+                  if (response.isPresent()) {
+                    return ResponseOrException.of(response.get());
+                  }
+
+                  String label = domainName.parts().get(0);
+                  String tldStr = tld.get().toString();
+                  if (isBlockedByBsa(label, Tld.get(tldStr), now)) {
+                    return ResponseOrException.of(
+                        new WhoisException(
+                            now,
+                            SC_NOT_FOUND,
+                            String.format(domainBlockedByBsaTemplate, domainName)));
+                  }
+
+                  return ResponseOrException.of(
+                      new WhoisException(now, SC_NOT_FOUND, ERROR_PREFIX + " not found."));
+                });
+    return result.returnOrThrow();
+  }
+
+  private Optional<WhoisResponse> getResponse(InternetDomainName domainName, DateTime now) {
    Optional<Domain> domainResource =
        cached
            ? loadByForeignKeyCached(Domain.class, domainName.toString(), now)
@@ -49,4 +99,29 @@ public class DomainLookupCommand extends DomainOrHostLookupCommand {
    return domainResource.map(
        domain -> new DomainWhoisResponse(domain, fullOutput, whoisRedactedEmailText, now));
  }
+
+  @AutoValue
+  abstract static class ResponseOrException {
+
+    abstract Optional<WhoisResponse> whoisResponse();
+
+    abstract Optional<WhoisException> exception();
+
+    WhoisResponse returnOrThrow() throws WhoisException {
+      Verify.verify(
+          whoisResponse().isPresent() || exception().isPresent(),
+          "Response and exception must not both be missing.");
+      return whoisResponse().orElseThrow(() -> exception().get());
+    }
+
+    static ResponseOrException of(WhoisResponse response) {
+      return new AutoValue_DomainLookupCommand_ResponseOrException(
+          Optional.of(response), Optional.empty());
+    }
+
+    static ResponseOrException of(WhoisException exception) {
+      return new AutoValue_DomainLookupCommand_ResponseOrException(
+          Optional.empty(), Optional.of(exception));
+    }
+  }
 }
--- a/core/src/main/java/google/registry/whois/DomainOrHostLookupCommand.java
+++ b/core/src/main/java/google/registry/whois/DomainOrHostLookupCommand.java
@@ -1,55 +0,0 @@
-// Copyright 2017 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.whois;
-
-import static com.google.common.base.Preconditions.checkNotNull;
-import static google.registry.model.tld.Tlds.findTldForName;
-import static google.registry.model.tld.Tlds.getTlds;
-import static javax.servlet.http.HttpServletResponse.SC_NOT_FOUND;
-
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.net.InternetDomainName;
-import java.util.Optional;
-import org.joda.time.DateTime;
-
-/** Represents a WHOIS lookup on a domain name (i.e. SLD) or a nameserver. */
-public abstract class DomainOrHostLookupCommand implements WhoisCommand {
-
-  @VisibleForTesting final InternetDomainName domainOrHostName;
-
-  private final String errorPrefix;
-
-  DomainOrHostLookupCommand(InternetDomainName domainName, String errorPrefix) {
-    this.errorPrefix = errorPrefix;
-    this.domainOrHostName = checkNotNull(domainName, "domainOrHostName");
-  }
-
-  @Override
-  public final WhoisResponse executeQuery(final DateTime now) throws WhoisException {
-    Optional<InternetDomainName> tld = findTldForName(domainOrHostName);
-    // Google Registry Policy: Do not return records under TLDs for which we're not authoritative.
-    if (tld.isPresent() && getTlds().contains(tld.get().toString())) {
-      final Optional<WhoisResponse> response = getResponse(domainOrHostName, now);
-      if (response.isPresent()) {
-        return response.get();
-      }
-    }
-    throw new WhoisException(now, SC_NOT_FOUND, errorPrefix + " not found.");
-  }
-
-  /** Renders a response record, provided its successfully retrieved entity. */
-  protected abstract Optional<WhoisResponse> getResponse(
-      InternetDomainName domainName, DateTime now);
-}
--- a/core/src/main/java/google/registry/whois/NameserverLookupByHostCommand.java
+++ b/core/src/main/java/google/registry/whois/NameserverLookupByHostCommand.java
@@ -14,26 +14,47 @@

 package google.registry.whois;

+import static com.google.common.base.Preconditions.checkNotNull;
 import static google.registry.model.EppResourceUtils.loadByForeignKey;
 import static google.registry.model.EppResourceUtils.loadByForeignKeyCached;
+import static google.registry.model.tld.Tlds.findTldForName;
+import static google.registry.model.tld.Tlds.getTlds;
+import static javax.servlet.http.HttpServletResponse.SC_NOT_FOUND;

+import com.google.common.annotations.VisibleForTesting;
 import com.google.common.net.InternetDomainName;
 import google.registry.model.host.Host;
 import java.util.Optional;
 import org.joda.time.DateTime;

 /** Represents a WHOIS lookup on a nameserver based on its hostname. */
-public class NameserverLookupByHostCommand extends DomainOrHostLookupCommand {
+public class NameserverLookupByHostCommand implements WhoisCommand {
+
+  private static final String ERROR_PREFIX = "Nameserver";
+
+  @VisibleForTesting final InternetDomainName hostName;

  boolean cached;

  NameserverLookupByHostCommand(InternetDomainName hostName, boolean cached) {
-    super(hostName, "Nameserver");
+    this.hostName = checkNotNull(hostName, "hostName");
    this.cached = cached;
  }

  @Override
-  protected Optional<WhoisResponse> getResponse(InternetDomainName hostName, DateTime now) {
+  public final WhoisResponse executeQuery(final DateTime now) throws WhoisException {
+    Optional<InternetDomainName> tld = findTldForName(hostName);
+    // Google Registry Policy: Do not return records under TLDs for which we're not authoritative.
+    if (tld.isPresent() && getTlds().contains(tld.get().toString())) {
+      final Optional<WhoisResponse> response = getResponse(hostName, now);
+      if (response.isPresent()) {
+        return response.get();
+      }
+    }
+    throw new WhoisException(now, SC_NOT_FOUND, ERROR_PREFIX + " not found.");
+  }
+
+  private Optional<WhoisResponse> getResponse(InternetDomainName hostName, DateTime now) {
    Optional<Host> host =
        cached
            ? loadByForeignKeyCached(Host.class, hostName.toString(), now)
--- a/core/src/main/java/google/registry/whois/WhoisCommandFactory.java
+++ b/core/src/main/java/google/registry/whois/WhoisCommandFactory.java
@@ -48,8 +48,12 @@ public class WhoisCommandFactory {

  /** Returns a new {@link WhoisCommand} to perform a domain lookup on the specified domain name. */
  public WhoisCommand domainLookup(
-      InternetDomainName domainName, boolean fullOutput, String whoisRedactedEmailText) {
-    return new DomainLookupCommand(domainName, fullOutput, cached, whoisRedactedEmailText);
+      InternetDomainName domainName,
+      boolean fullOutput,
+      String whoisRedactedEmailText,
+      String domainBlockedByBsaTemplate) {
+    return new DomainLookupCommand(
+        domainName, fullOutput, cached, whoisRedactedEmailText, domainBlockedByBsaTemplate);
  }

  /**
--- a/core/src/main/java/google/registry/whois/WhoisReader.java
+++ b/core/src/main/java/google/registry/whois/WhoisReader.java
@@ -75,14 +75,17 @@ class WhoisReader {

  private final WhoisCommandFactory commandFactory;
  private final String whoisRedactedEmailText;
+  private final String domainBlockedByBsaTemplate;

  /** Creates a new WhoisReader that extracts its command from the specified Reader. */
  @Inject
  WhoisReader(
      @Config("whoisCommandFactory") WhoisCommandFactory commandFactory,
-      @Config("whoisRedactedEmailText") String whoisRedactedEmailText) {
+      @Config("whoisRedactedEmailText") String whoisRedactedEmailText,
+      @Config("domainBlockedByBsaTemplate") String domainBlockedByBsaTemplate) {
    this.commandFactory = commandFactory;
    this.whoisRedactedEmailText = whoisRedactedEmailText;
+    this.domainBlockedByBsaTemplate = domainBlockedByBsaTemplate;
  }

  /**
@@ -124,7 +127,8 @@ class WhoisReader {
        return commandFactory.domainLookup(
            InternetDomainName.from(canonicalizeHostname(tokens.get(1))),
            fullOutput,
-            whoisRedactedEmailText);
+            whoisRedactedEmailText,
+            domainBlockedByBsaTemplate);
      } catch (IllegalArgumentException iae) {
        // If we can't interpret the argument as a host name, then return an error.
        throw new WhoisException(now, SC_BAD_REQUEST, String.format(
@@ -202,7 +206,8 @@ class WhoisReader {
        // (SLD) and we should do a domain lookup on it.
        if (targetName.parent().equals(tld.get())) {
          logger.atInfo().log("Attempting domain lookup using %s as a domain name.", targetName);
-          return commandFactory.domainLookup(targetName, fullOutput, whoisRedactedEmailText);
+          return commandFactory.domainLookup(
+              targetName, fullOutput, whoisRedactedEmailText, domainBlockedByBsaTemplate);
        }

        // The target is more than one level above the TLD, so we'll assume it's a nameserver.
--- a/core/src/test/java/google/registry/batch/DeleteProberDataActionTest.java
+++ b/core/src/test/java/google/registry/batch/DeleteProberDataActionTest.java
@@ -33,7 +33,6 @@ import static org.joda.time.DateTimeZone.UTC;
 import static org.junit.jupiter.api.Assertions.assertThrows;

 import com.google.common.collect.ImmutableSet;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.ImmutableObject;
 import google.registry.model.billing.BillingBase.Reason;
 import google.registry.model.billing.BillingEvent;
@@ -47,6 +46,7 @@ import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationTestExtension;
 import google.registry.testing.DatabaseHelper;
 import google.registry.testing.SystemPropertyExtension;
+import google.registry.util.RegistryEnvironment;
 import java.util.Optional;
 import java.util.Set;
 import org.joda.money.Money;
--- a/core/src/test/java/google/registry/batch/ResaveAllEppResourcesPipelineActionTest.java
+++ b/core/src/test/java/google/registry/batch/ResaveAllEppResourcesPipelineActionTest.java
@@ -25,8 +25,8 @@ import com.google.api.services.dataflow.model.LaunchFlexTemplateParameter;
 import com.google.api.services.dataflow.model.LaunchFlexTemplateRequest;
 import com.google.common.collect.ImmutableMap;
 import google.registry.beam.BeamActionTestBase;
-import google.registry.config.RegistryEnvironment;
 import google.registry.testing.FakeClock;
+import google.registry.util.RegistryEnvironment;
 import org.junit.jupiter.api.Test;

 /** Unit tests for {@link ResaveAllEppResourcesPipelineAction}. */
--- a/core/src/test/java/google/registry/beam/common/RegistryPipelineOptionsTest.java
+++ b/core/src/test/java/google/registry/beam/common/RegistryPipelineOptionsTest.java
@@ -18,10 +18,10 @@ import static com.google.common.truth.Truth.assertThat;
 import static google.registry.beam.common.RegistryPipelineOptions.validateRegistryPipelineOptions;
 import static org.junit.jupiter.api.Assertions.assertThrows;

-import google.registry.config.RegistryEnvironment;
 import google.registry.persistence.PersistenceModule.JpaTransactionManagerType;
 import google.registry.persistence.PersistenceModule.TransactionIsolationLevel;
 import google.registry.testing.SystemPropertyExtension;
+import google.registry.util.RegistryEnvironment;
 import org.apache.beam.sdk.options.PipelineOptionsFactory;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
--- a/core/src/test/java/google/registry/persistence/transaction/JpaTransactionManagerExtension.java
+++ b/core/src/test/java/google/registry/persistence/transaction/JpaTransactionManagerExtension.java
@@ -105,6 +105,7 @@ public abstract class JpaTransactionManagerExtension
  // reused between test methods if the requested schema remains the same.
  private static EntityManagerFactory emf;
  // Hash of the ORM entity names in the current schema in the test db.
+
  private static int emfEntityHash;

  private JpaTransactionManager cachedTm;
--- a/core/src/test/java/google/registry/testing/SystemPropertyExtension.java
+++ b/core/src/test/java/google/registry/testing/SystemPropertyExtension.java
@@ -17,7 +17,7 @@ package google.registry.testing;
 import static com.google.common.base.Preconditions.checkNotNull;
 import static com.google.common.base.Preconditions.checkState;

-import google.registry.config.SystemPropertySetter;
+import google.registry.util.SystemPropertySetter;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
--- a/core/src/test/java/google/registry/tools/ConfigureTldCommandTest.java
+++ b/core/src/test/java/google/registry/tools/ConfigureTldCommandTest.java
@@ -29,6 +29,7 @@ import static java.nio.charset.StandardCharsets.UTF_8;
 import static java.util.logging.Level.INFO;
 import static org.joda.money.CurrencyUnit.JPY;
 import static org.joda.money.CurrencyUnit.USD;
+import static org.joda.time.DateTimeZone.UTC;
 import static org.junit.jupiter.api.Assertions.assertThrows;

 import com.fasterxml.jackson.core.JsonProcessingException;
@@ -46,11 +47,11 @@ import google.registry.model.tld.Tld.TldNotFoundException;
 import google.registry.model.tld.label.PremiumList;
 import google.registry.model.tld.label.PremiumListDao;
 import java.io.File;
+import java.math.BigDecimal;
 import java.util.Optional;
 import java.util.logging.Logger;
 import org.joda.money.Money;
 import org.joda.time.DateTime;
-import org.joda.time.DateTimeZone;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
@@ -91,6 +92,18 @@ public class ConfigureTldCommandTest extends CommandTestCase<ConfigureTldCommand
    assertThat(tld.getBreakglassMode()).isFalse();
  }

+  @Test
+  void testSuccess_createNewTldJPY() throws Exception {
+    File tldFile = tmpDir.resolve("jpy.yaml").toFile();
+    Files.asCharSink(tldFile, UTF_8).write(loadFile(getClass(), "jpy.yaml"));
+    runCommandForced("--input=" + tldFile);
+    Tld tld = Tld.get("jpy");
+    assertThat(tld).isNotNull();
+    assertThat(tld.getCreateBillingCost()).isEqualTo(Money.of(JPY, new BigDecimal("250")));
+    assertThat(tld.getEapFeeFor(DateTime.now(UTC)).getCost()).isEqualTo(new BigDecimal(0));
+    testTldConfiguredSuccessfully(tld, "jpy.yaml");
+  }
+
  @Test
  void testSuccess_updateTld() throws Exception {
    Tld tld = createTld("tld");
@@ -108,7 +121,7 @@ public class ConfigureTldCommandTest extends CommandTestCase<ConfigureTldCommand
  @Test
  void testSuccess_updateTld_existingBsaTimeCarriedOver() throws Exception {
    Tld tld = createTld("tld");
-    DateTime bsaStartTime = DateTime.now(DateTimeZone.UTC);
+    DateTime bsaStartTime = DateTime.now(UTC);
    persistResource(tld.asBuilder().setBsaEnrollStartTime(Optional.of(bsaStartTime)).build());
    File tldFile = tmpDir.resolve("tld.yaml").toFile();
    Files.asCharSink(tldFile, UTF_8).write(loadFile(getClass(), "tld.yaml"));
--- a/core/src/test/java/google/registry/ui/server/registrar/ConsoleOteSetupActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/registrar/ConsoleOteSetupActionTest.java
@@ -30,7 +30,6 @@ import com.google.appengine.api.users.UserServiceFactory;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSetMultimap;
-import google.registry.config.RegistryEnvironment;
 import google.registry.groups.GmailClient;
 import google.registry.model.tld.Tld;
 import google.registry.persistence.transaction.JpaTestExtensions;
@@ -47,6 +46,7 @@ import google.registry.testing.SystemPropertyExtension;
 import google.registry.testing.UserServiceExtension;
 import google.registry.ui.server.SendEmailUtils;
 import google.registry.util.EmailMessage;
+import google.registry.util.RegistryEnvironment;
 import java.util.Optional;
 import javax.mail.internet.InternetAddress;
 import javax.servlet.http.HttpServletRequest;
--- a/core/src/test/java/google/registry/ui/server/registrar/ConsoleRegistrarCreatorActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/registrar/ConsoleRegistrarCreatorActionTest.java
@@ -28,7 +28,6 @@ import com.google.appengine.api.users.UserServiceFactory;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSetMultimap;
-import google.registry.config.RegistryEnvironment;
 import google.registry.groups.GmailClient;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarAddress;
@@ -47,6 +46,7 @@ import google.registry.testing.SystemPropertyExtension;
 import google.registry.testing.UserServiceExtension;
 import google.registry.ui.server.SendEmailUtils;
 import google.registry.util.EmailMessage;
+import google.registry.util.RegistryEnvironment;
 import java.util.Optional;
 import javax.mail.internet.InternetAddress;
 import javax.servlet.http.HttpServletRequest;
--- a/core/src/test/java/google/registry/ui/server/registrar/RegistrarSettingsActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/registrar/RegistrarSettingsActionTest.java
@@ -30,7 +30,6 @@ import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.ImmutableSetMultimap;
 import com.google.common.collect.Maps;
 import com.google.common.collect.Sets;
-import google.registry.config.RegistryEnvironment;
 import google.registry.export.sheet.SyncRegistrarsSheetAction;
 import google.registry.model.registrar.Registrar;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor;
@@ -40,6 +39,7 @@ import google.registry.testing.CloudTasksHelper.TaskMatcher;
 import google.registry.testing.SystemPropertyExtension;
 import google.registry.util.CidrAddressBlock;
 import google.registry.util.EmailMessage;
+import google.registry.util.RegistryEnvironment;
 import java.util.Map;
 import java.util.function.BiFunction;
 import java.util.function.Function;
--- a/core/src/test/java/google/registry/whois/WhoisActionTest.java
+++ b/core/src/test/java/google/registry/whois/WhoisActionTest.java
@@ -16,6 +16,7 @@ package google.registry.whois;

 import static com.google.common.truth.Truth.assertThat;
 import static com.google.common.truth.Truth8.assertThat;
+import static google.registry.bsa.persistence.BsaLabelTestingUtils.persistBsaLabel;
 import static google.registry.model.EppResourceUtils.loadByForeignKeyCached;
 import static google.registry.model.registrar.Registrar.State.ACTIVE;
 import static google.registry.model.registrar.Registrar.Type.PDT;
@@ -61,6 +62,7 @@ import java.io.IOException;
 import java.io.Reader;
 import java.io.StringReader;
 import java.time.Duration;
+import java.util.Optional;
 import org.joda.time.DateTime;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Disabled;
@@ -91,7 +93,8 @@ public class WhoisActionTest {
    whoisAction.input = new StringReader(input);
    whoisAction.response = response;
    whoisAction.whoisReader =
-        new WhoisReader(WhoisCommandFactory.createCached(), "Please contact registrar");
+        new WhoisReader(
+            WhoisCommandFactory.createCached(), "Please contact registrar", "Blocked by BSA: %s");
    whoisAction.whoisMetrics = new WhoisMetrics();
    whoisAction.metricBuilder = WhoisMetric.builderForRequest(clock);
    whoisAction.disclaimer =
@@ -164,6 +167,37 @@ public class WhoisActionTest {
    assertThat(response.getPayload()).isEqualTo(loadFile("whois_action_domain.txt"));
  }

+  @Test
+  void testRun_domainQuery_registeredDomainUnaffectedByBsa() {
+    persistResource(
+        Tld.get("lol")
+            .asBuilder()
+            .setBsaEnrollStartTime(Optional.of(clock.nowUtc().minusDays(1)))
+            .build());
+    persistBsaLabel("cat", clock.nowUtc());
+
+    Registrar registrar = persistResource(makeRegistrar("evilregistrar", "Yes Virginia", ACTIVE));
+    persistResource(makeDomainWithRegistrar(registrar));
+    persistSimpleResources(makeRegistrarPocs(registrar));
+    newWhoisAction("domain cat.lol\r\n").run();
+    assertThat(response.getStatus()).isEqualTo(200);
+    assertThat(response.getPayload()).isEqualTo(loadFile("whois_action_domain.txt"));
+  }
+
+  @Test
+  void testRun_domainQuery_unregisteredDomainShowBsaMessage() {
+    persistResource(
+        Tld.get("lol")
+            .asBuilder()
+            .setBsaEnrollStartTime(Optional.of(clock.nowUtc().minusDays(1)))
+            .build());
+    persistBsaLabel("cat", clock.nowUtc());
+
+    newWhoisAction("domain cat.lol\r\n").run();
+    assertThat(response.getStatus()).isEqualTo(200);
+    assertThat(response.getPayload()).isEqualTo(loadFile("whois_action_domain_blocked_by_bsa.txt"));
+  }
+
  @Test
  void testRun_domainAfterTransfer_hasUpdatedEppTimeAndClientId() {
    Registrar registrar = persistResource(makeRegistrar("TheRegistrar", "Yes Virginia", ACTIVE));
--- a/core/src/test/java/google/registry/whois/WhoisCommandFactoryTest.java
+++ b/core/src/test/java/google/registry/whois/WhoisCommandFactoryTest.java
@@ -142,7 +142,8 @@ class WhoisCommandFactoryTest {
  void testNonCached_DomainLookupCommand() throws Exception {
    WhoisResponse response =
        noncachedFactory
-            .domainLookup(InternetDomainName.from("example.tld"), true, "REDACTED")
+            .domainLookup(
+                InternetDomainName.from("example.tld"), true, "REDACTED", "Blocked by BSA")
            .executeQuery(clock.nowUtc());
    assertThat(response.getResponse(false, "").plainTextOutput())
        .contains("Registrar: The Registrar");
@@ -156,7 +157,8 @@ class WhoisCommandFactoryTest {
                            .build()));
    response =
        noncachedFactory
-            .domainLookup(InternetDomainName.from("example.tld"), true, "REDACTED")
+            .domainLookup(
+                InternetDomainName.from("example.tld"), true, "REDACTED", "Blocked by BSA")
            .executeQuery(clock.nowUtc());
    assertThat(response.getResponse(false, "").plainTextOutput())
        .contains("Registrar: OtherRegistrar name");
@@ -166,7 +168,7 @@ class WhoisCommandFactoryTest {
  void testCached_DomainLookupCommand() throws Exception {
    WhoisResponse response =
        cachedFactory
-            .domainLookup(InternetDomainName.from("example.tld"), true, "REDACTED")
+            .domainLookup(InternetDomainName.from("example.tld"), true, "REDACTED", "Not tested")
            .executeQuery(clock.nowUtc());
    assertThat(response.getResponse(false, "").plainTextOutput())
        .contains("Registrar: The Registrar");
@@ -180,7 +182,8 @@ class WhoisCommandFactoryTest {
                            .build()));
    response =
        cachedFactory
-            .domainLookup(InternetDomainName.from("example.tld"), true, "REDACTED")
+            .domainLookup(
+                InternetDomainName.from("example.tld"), true, "REDACTED", "Blocked by BSA")
            .executeQuery(clock.nowUtc());
    assertThat(response.getResponse(false, "").plainTextOutput())
        .contains("Registrar: The Registrar");
--- a/core/src/test/java/google/registry/whois/WhoisHttpActionTest.java
+++ b/core/src/test/java/google/registry/whois/WhoisHttpActionTest.java
@@ -16,6 +16,8 @@ package google.registry.whois;

 import static com.google.common.net.MediaType.PLAIN_TEXT_UTF_8;
 import static com.google.common.truth.Truth.assertThat;
+import static google.registry.bsa.persistence.BsaLabelTestingUtils.persistBsaLabel;
+import static google.registry.model.registrar.Registrar.State.ACTIVE;
 import static google.registry.testing.DatabaseHelper.createTlds;
 import static google.registry.testing.DatabaseHelper.loadRegistrar;
 import static google.registry.testing.DatabaseHelper.persistResource;
@@ -45,6 +47,7 @@ import google.registry.testing.FullFieldsTestEntityHelper;
 import google.registry.whois.WhoisMetrics.WhoisMetric;
 import java.io.IOException;
 import java.io.Reader;
+import java.util.Optional;
 import org.joda.time.DateTime;
 import org.joda.time.Duration;
 import org.junit.jupiter.api.BeforeEach;
@@ -74,7 +77,8 @@ class WhoisHttpActionTest {
    whoisAction.requestPath = WhoisHttpAction.PATH + pathInfo;
    whoisAction.response = response;
    whoisAction.whoisReader =
-        new WhoisReader(WhoisCommandFactory.createCached(), "Please contact registrar");
+        new WhoisReader(
+            WhoisCommandFactory.createCached(), "Please contact registrar", "Blocked by BSA: %s");
    whoisAction.whoisMetrics = new WhoisMetrics();
    whoisAction.metricBuilder = WhoisMetric.builderForRequest(clock);
    whoisAction.disclaimer =
@@ -214,6 +218,51 @@ class WhoisHttpActionTest {
    assertThat(response.getPayload()).contains("Domain Name: cat.みんな\r\n");
  }

+  @Test
+  void testRun_domainQuery_registeredDomainUnaffectedByBsa() {
+    persistResource(
+        Tld.get("lol")
+            .asBuilder()
+            .setBsaEnrollStartTime(Optional.of(clock.nowUtc().minusDays(1)))
+            .build());
+    persistBsaLabel("cat", clock.nowUtc());
+
+    Registrar registrar = persistResource(makeRegistrar("evilregistrar", "Yes Virginia", ACTIVE));
+    persistResource(
+        makeDomain(
+            "cat.lol",
+            persistResource(
+                FullFieldsTestEntityHelper.makeContact(
+                    "5372808-ERL", "Goblin Market", "lol@cat.lol")),
+            persistResource(
+                FullFieldsTestEntityHelper.makeContact(
+                    "5372808-IRL", "Santa Claus", "BOFH@cat.lol")),
+            persistResource(
+                FullFieldsTestEntityHelper.makeContact("5372808-TRL", "The Raven", "bog@cat.lol")),
+            persistResource(FullFieldsTestEntityHelper.makeHost("ns1.cat.lol", "1.2.3.4")),
+            persistResource(
+                FullFieldsTestEntityHelper.makeHost("ns2.cat.lol", "bad:f00d:cafe::15:beef")),
+            registrar));
+    persistSimpleResources(makeRegistrarPocs(registrar));
+    newWhoisHttpAction("domain cat.lol\r\n").run();
+    assertThat(response.getStatus()).isEqualTo(200);
+    assertThat(response.getPayload()).isEqualTo(loadFile("whois_action_domain.txt"));
+  }
+
+  @Test
+  void testRun_domainQuery_unregisteredDomainShowBsaMessage() {
+    persistResource(
+        Tld.get("lol")
+            .asBuilder()
+            .setBsaEnrollStartTime(Optional.of(clock.nowUtc().minusDays(1)))
+            .build());
+    persistBsaLabel("cat", clock.nowUtc());
+
+    newWhoisHttpAction("domain cat.lol\r\n").run();
+    assertThat(response.getStatus()).isEqualTo(404);
+    assertThat(response.getPayload()).isEqualTo(loadFile("whois_action_domain_blocked_by_bsa.txt"));
+  }
+
  @Test
  void testRun_hostnameOnly_works() {
    persistResource(FullFieldsTestEntityHelper.makeHost("ns1.cat.みんな", "1.2.3.4"));
--- a/core/src/test/java/google/registry/whois/WhoisReaderTest.java
+++ b/core/src/test/java/google/registry/whois/WhoisReaderTest.java
@@ -49,28 +49,29 @@ class WhoisReaderTest {
  @SuppressWarnings({"TypeParameterUnusedInFormals", "unchecked"})
  <T> T readCommand(String commandStr) throws Exception {
    return (T)
-        new WhoisReader(WhoisCommandFactory.createCached(), "Please contact registrar")
+        new WhoisReader(
+                WhoisCommandFactory.createCached(), "Please contact registrar", "Blocked by BSA")
            .readCommand(new StringReader(commandStr), false, clock.nowUtc());
  }

  void assertLoadsExampleTld(String commandString) throws Exception {
    DomainLookupCommand command = readCommand(commandString);
-    assertThat(command.domainOrHostName.toString()).isEqualTo("example.tld");
+    assertThat(command.domainName.toString()).isEqualTo("example.tld");
  }

  void assertLoadsIDN(String commandString) throws Exception {
    DomainLookupCommand command = readCommand(commandString);
-    assertThat(command.domainOrHostName.toString()).isEqualTo("xn--mgbh0fb.xn--kgbechtv");
+    assertThat(command.domainName.toString()).isEqualTo("xn--mgbh0fb.xn--kgbechtv");
  }

  void assertLoadsExampleNs(String commandString) throws Exception {
    NameserverLookupByHostCommand command = readCommand(commandString);
-    assertThat(command.domainOrHostName.toString()).isEqualTo("ns.example.tld");
+    assertThat(command.hostName.toString()).isEqualTo("ns.example.tld");
  }

  void assertLoadsIDNNs(String commandString) throws Exception {
    NameserverLookupByHostCommand command = readCommand(commandString);
-    assertThat(command.domainOrHostName.toString()).isEqualTo("ns.xn--mgbh0fb.xn--kgbechtv");
+    assertThat(command.hostName.toString()).isEqualTo("ns.xn--mgbh0fb.xn--kgbechtv");
  }

  void assertNsLookup(String commandString, String expectedIpAddress) throws Exception {
@@ -173,8 +174,8 @@ class WhoisReaderTest {
  @Test
  void testDeepNameserverLookup() throws Exception {
    NameserverLookupByHostCommand command = readCommand("ns.foo.bar.baz.example.tld\r\n");
-    assertThat(command.domainOrHostName.toString()).isEqualTo("ns.foo.bar.baz.example.tld");
-    assertThat(command.domainOrHostName.toString()).isEqualTo("ns.foo.bar.baz.example.tld");
+    assertThat(command.hostName.toString()).isEqualTo("ns.foo.bar.baz.example.tld");
+    assertThat(command.hostName.toString()).isEqualTo("ns.foo.bar.baz.example.tld");
  }

  @Test
--- a/core/src/test/resources/google/registry/tools/jpy.yaml
+++ b/core/src/test/resources/google/registry/tools/jpy.yaml
@@ -0,0 +1,55 @@
+addGracePeriodLength: "PT432000S"
+allowedFullyQualifiedHostNames: []
+allowedRegistrantContactIds: []
+anchorTenantAddGracePeriodLength: "PT2592000S"
+autoRenewGracePeriodLength: "PT3888000S"
+automaticTransferLength: "PT432000S"
+claimsPeriodEnd: "294247-01-10T04:00:54.775Z"
+createBillingCost:
+  currency: "JPY"
+  amount: 250
+creationTime: "2022-09-01T00:00:00.000Z"
+currency: "JPY"
+defaultPromoTokens: []
+dnsAPlusAaaaTtl: "PT900S"
+dnsDsTtl: null
+dnsNsTtl: null
+dnsPaused: false
+dnsWriters:
+- "VoidDnsWriter"
+driveFolderId: "driveFolder"
+eapFeeSchedule:
+  "1970-01-01T00:00:00.000Z":
+    currency: "JPY"
+    amount: 0
+escrowEnabled: false
+idnTables: []
+invoicingEnabled: false
+lordnUsername: null
+numDnsPublishLocks: 1
+pendingDeleteLength: "PT432000S"
+premiumListName: null
+pricingEngineClassName: "google.registry.model.pricing.StaticPremiumListPricingEngine"
+redemptionGracePeriodLength: "PT2592000S"
+registryLockOrUnlockBillingCost:
+  currency: "JPY"
+  amount: 0
+renewBillingCostTransitions:
+  "1970-01-01T00:00:00.000Z":
+    currency: "JPY"
+    amount: 100
+renewGracePeriodLength: "PT432000S"
+reservedListNames: []
+restoreBillingCost:
+  currency: "JPY"
+  amount: 70
+roidSuffix: "JPY"
+serverStatusChangeBillingCost:
+  currency: "JPY"
+  amount: 100
+tldStateTransitions:
+  "1970-01-01T00:00:00.000Z": "GENERAL_AVAILABILITY"
+tldStr: "jpy"
+tldType: "REAL"
+tldUnicode: "jpy"
+transferGracePeriodLength: "PT432000S"
--- a/core/src/test/resources/google/registry/whois/whois_action_domain_blocked_by_bsa.txt
+++ b/core/src/test/resources/google/registry/whois/whois_action_domain_blocked_by_bsa.txt
@@ -0,0 +1,6 @@
+Blocked by BSA: cat.lol
+>>> Last update of WHOIS database: 2009-06-29T20:13:00Z <<<
+
+Doodle Disclaimer
+I exist so that carriage return
+in disclaimer can be tested.
--- a/release/builder/deployCloudSchedulerAndQueue.go
+++ b/release/builder/deployCloudSchedulerAndQueue.go
@@ -65,6 +65,7 @@ type Queue struct {
 type Task struct {
 	URL         string `xml:"url"`
 	Description string `xml:"description"`
+	Service     string `xml:"service"`
 	Schedule    string `xml:"schedule"`
 	Name        string `xml:"name"`
 }
@@ -180,13 +181,18 @@ func (manager TasksSyncManager) getArgs(task Task, operationType string) []strin
 	}
 	description = strings.ReplaceAll(description, "\n", " ")

+	var service = "backend"
+	if task.Service != "backend" && task.Service != "" {
+		service = task.Service
+	}
+
 	return []string{
 		"--project", projectName,
 		"scheduler", "jobs", operationType,
 		"http", task.Name,
 		"--location", GcpLocation,
 		"--schedule", task.Schedule,
-		"--uri", fmt.Sprintf("https://backend-dot-%s.appspot.com%s", projectName, strings.TrimSpace(task.URL)),
+		"--uri", fmt.Sprintf("https://%s-dot-%s.appspot.com%s", service, projectName, strings.TrimSpace(task.URL)),
 		"--description", description,
 		"--http-method", "get",
 		"--oidc-service-account-email", getCloudSchedulerServiceAccountEmail(),
@@ -313,7 +319,7 @@ func getExistingEntries(cmd *exec.Cmd) ExistingEntries {
 func main() {
 	if len(os.Args) < 4 || os.Args[1] == "" || os.Args[2] == "" || os.Args[3] == "" {
 		panic("Error - Invalid Parameters.\n" +
-			"Required params: 1 - Nomulu config YAML path; 2 - config XML path; 3 - project name;")
+			"Required params: 1 - Nomulus config YAML path; 2 - config XML path; 3 - project name;")
 	}
 	// Nomulus YAML config file path, used to extract OAuth client ID.
 	nomulusConfigFileLocation := os.Args[1]
--- a/util/src/main/java/google/registry/util/PasswordUtils.java
+++ b/util/src/main/java/google/registry/util/PasswordUtils.java
@@ -22,6 +22,7 @@ import static java.nio.charset.StandardCharsets.US_ASCII;
 import com.google.common.base.Supplier;
 import com.google.common.base.Suppliers;
 import com.google.common.flogger.FluentLogger;
+import com.google.common.primitives.Bytes;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
@@ -68,15 +69,22 @@ public final class PasswordUtils {
            .digest((new String(password, US_ASCII) + base64().encode(salt)).getBytes(US_ASCII));
      }
    },
+
    /**
     * Memory-hard hashing algorithm, preferred over SHA-256.
     *
+     * <p>Note that in tests, we simply concatenate the password and salt which is much faster and
+     * reduces the overall test run time by a half. Our tests are not verifying that SCRYPT is
+     * implemented correctly anyway.
+     *
     * @see <a href="https://en.wikipedia.org/wiki/Scrypt">Scrypt</a>
     */
    SCRYPT {
      @Override
      byte[] hash(byte[] password, byte[] salt) {
-        return SCrypt.generate(password, salt, 32768, 8, 1, 256);
+        return RegistryEnvironment.get() == RegistryEnvironment.UNITTEST
+            ? Bytes.concat(password, salt)
+            : SCrypt.generate(password, salt, 32768, 8, 1, 256);
      }
    };

--- a/core/src/main/java/google/registry/config/RegistryEnvironment.java
+++ b/core/src/main/java/google/registry/config/RegistryEnvironment.java
@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-package google.registry.config;
+package google.registry.util;

 import com.google.common.base.Ascii;

--- a/core/src/main/java/google/registry/config/SystemPropertySetter.java
+++ b/core/src/main/java/google/registry/config/SystemPropertySetter.java
@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-package google.registry.config;
+package google.registry.util;

 import javax.annotation.Nullable;

--- a/core/src/test/java/google/registry/config/RegistryEnvironmentTest.java
+++ b/core/src/test/java/google/registry/config/RegistryEnvironmentTest.java
@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-package google.registry.config;
+package google.registry.util;

 import org.junit.jupiter.api.Test;
Author	SHA1	Message	Date
Pavlo Tkach	4eee7b8c0d	Add support for bsa service to cloud tasks config (#2268 )	2024-01-03 17:38:42 -05:00
Weimin Yu	ecb39d5899	Use custom whois message for bsa-blocked domain (#2241 ) * Use custom whois message for bsa-blocked domain	2024-01-02 14:40:34 -05:00
Lai Jiang	42b508427b	Bypass SCRYPT hashing in tests (#2262 ) SCRYPT is much computationally heavier than SHA265 (by design), which resulted in test run time doubling due to most tests initializing canned data that uses hashing. Since out tests are not verifying the correctness of a specific hashing algorithm anyway, this PR makes it so that simple concatenation is used in tests. Also moved RegistryEnvironment to the util subproject so it can be called by PasswordUtils, which makes sense as it is a utility class.	2023-12-21 16:17:37 -05:00
sarahcaseybot	20b5b43501	Add type conversion to TimedTransitionProperty<Money> deserializer to handle JPY currency (#2258 ) * Add BigInt conversion to TimedTransitionProperty<Money> deserializer to handle JPY currency * Remove unnecessary lines in test * Add eap schedule check * Don't use raw LinkedHashMap type * add timezone	2023-12-21 12:59:54 -05:00