Allow skip of emailing/uploading for activity reports (#2538)

This will help us if/when we need to run the report generation multiple
times, or for past dates and we don't want to send extra emails or
upload any extra reports to ICANN.

build.gradle

@@ -60,7 +60,7 @@ dependencyLocking {
 
 node {
   download = false
-  version = "20.10.0"
+  version = "22.7.0"
 }
 
 wrapper {
@@ -119,6 +119,7 @@ if (environment == '') {
 
 rootProject.ext.environment = environment
 rootProject.ext.gcpProject = gcpProject
+rootProject.ext.baseDomain = baseDomains[environment]
 rootProject.ext.prodOrSandboxEnv = environment in ['production', 'sandbox']
 
 // Function to verify that the deployment parameters have been set.

console-webapp/build.gradle

@@ -69,7 +69,9 @@ task deploy(type: Exec) {
 }
 
 tasks.buildConsoleWebappProd.dependsOn(tasks.npmInstallDeps)
+tasks.runConsoleWebappUnitTests.dependsOn(tasks.npmInstallDeps)
 tasks.applyFormatting.dependsOn(tasks.npmInstallDeps)
 tasks.checkFormatting.dependsOn(tasks.npmInstallDeps)
 tasks.build.dependsOn(tasks.checkFormatting)
+tasks.build.dependsOn(tasks.runConsoleWebappUnitTests)
 tasks.deploy.dependsOn(tasks.buildConsoleWebappProd)

console-webapp/karma.conf.js

@@ -3,6 +3,17 @@
 
 module.exports = function (config) {
   config.set({
+    customLaunchers: {
+      ChromeHeadless: {
+        base: 'Chrome',
+        flags: [
+          '--no-sandbox',
+          '--disable-gpu',
+          '--headless',
+          '--remote-debugging-port=9222'
+        ]
+      }
+    },
     basePath: '',
     frameworks: ['jasmine', '@angular-devkit/build-angular'],
     plugins: [

console-webapp/package-lock.json

@@ -6451,9 +6451,9 @@
       }
     },
     "node_modules/axios": {
-      "version": "1.7.2",
-      "resolved": "https://registry.npmjs.org/axios/-/axios-1.7.2.tgz",
-      "integrity": "sha512-2A8QhOMrbomlDuiLeK9XibIBzuHeRcqqNOHp0Cyp5EoJ1IFDh+XZH3A6BkXtv0K4gFGCI0Y4BM7B1wOEi0Rmgw==",
+      "version": "1.7.4",
+      "resolved": "https://registry.npmjs.org/axios/-/axios-1.7.4.tgz",
+      "integrity": "sha512-DukmaFRnY6AzAALSH4J2M3k6PkaC+MfaAGdEERRWcC9q3/TWQwLpHR8ZRLKTdQ3aBDL64EdluRDjJqKw+BPZEw==",
       "dev": true,
       "dependencies": {
         "follow-redirects": "^1.15.6",

console-webapp/src/app/app-routing.module.ts

@@ -17,6 +17,9 @@ import { Route, RouterModule } from '@angular/router';
 import { BillingInfoComponent } from './billingInfo/billingInfo.component';
 import { DomainListComponent } from './domains/domainList.component';
 import { HomeComponent } from './home/home.component';
+import { RegistryLockVerifyComponent } from './lock/registryLockVerify.component';
+import { NewOteComponent } from './ote/newOte.component';
+import { OteStatusComponent } from './ote/oteStatus.component';
 import { RegistrarDetailsComponent } from './registrar/registrarDetails.component';
 import { RegistrarComponent } from './registrar/registrarsTable.component';
 import { ResourcesComponent } from './resources/resources.component';
@@ -33,6 +36,18 @@ export interface RouteWithIcon extends Route {
 
 export const routes: RouteWithIcon[] = [
   { path: '', redirectTo: '/home', pathMatch: 'full' },
+  {
+    path: RegistryLockVerifyComponent.PATH,
+    component: RegistryLockVerifyComponent,
+  },
+  {
+    path: NewOteComponent.PATH,
+    component: NewOteComponent,
+  },
+  {
+    path: OteStatusComponent.PATH,
+    component: OteStatusComponent,
+  },
   { path: 'registrars', component: RegistrarComponent },
   {
     path: 'home',

console-webapp/src/app/app.module.ts

@@ -27,9 +27,13 @@ import { provideHttpClient } from '@angular/common/http';
 import { MAT_FORM_FIELD_DEFAULT_OPTIONS } from '@angular/material/form-field';
 import { BillingInfoComponent } from './billingInfo/billingInfo.component';
 import { DomainListComponent } from './domains/domainList.component';
+import { RegistryLockComponent } from './domains/registryLock.component';
 import { HeaderComponent } from './header/header.component';
 import { HomeComponent } from './home/home.component';
+import { RegistryLockVerifyComponent } from './lock/registryLockVerify.component';
 import { NavigationComponent } from './navigation/navigation.component';
+import { NewOteComponent } from './ote/newOte.component';
+import { OteStatusComponent } from './ote/oteStatus.component';
 import NewRegistrarComponent from './registrar/newRegistrar.component';
 import { RegistrarDetailsComponent } from './registrar/registrarDetails.component';
 import { RegistrarSelectorComponent } from './registrar/registrarSelector.component';
@@ -64,13 +68,17 @@ import { TldsComponent } from './tlds/tlds.component';
     HeaderComponent,
     HomeComponent,
     LocationBackDirective,
+    NewOteComponent,
+    OteStatusComponent,
     UserLevelVisibility,
     NavigationComponent,
     NewRegistrarComponent,
     NotificationsComponent,
     RegistrarComponent,
     RegistrarDetailsComponent,
+    RegistryLockComponent,
     RegistrarSelectorComponent,
+    RegistryLockVerifyComponent,
     ResourcesComponent,
     SecurityComponent,
     SecurityEditComponent,

console-webapp/src/app/domains/domainList.component.html

@@ -2,6 +2,17 @@
   <div class="console-app-domains">
     <h1 class="mat-headline-4">Domains</h1>
 
+    <div
+      class="console-app-domains__actions-wrapper"
+      [hidden]="!domainListService.activeActionComponent"
+    >
+      <ng-container
+        v-if="domainListService.activeActionComponent"
+        *ngComponentOutlet="domainListService.activeActionComponent"
+      >
+      </ng-container>
+    </div>
+
     @if (!isLoading && totalResults == 0) {
     <div class="console-app__empty-domains">
       <h1>
@@ -12,7 +23,18 @@
       <h1>No domains found</h1>
     </div>
     } @else {
-    <div class="console-app__domains-table-parent">
+    <mat-menu #actions="matMenu">
+      <ng-template matMenuContent let-domainName="domainName">
+        <button mat-menu-item (click)="openRegistryLock(domainName)">
+          <mat-icon>key</mat-icon>
+          <span>Registry Lock</span>
+        </button>
+      </ng-template>
+    </mat-menu>
+    <div
+      class="console-app__domains-table-parent"
+      [hidden]="domainListService.activeActionComponent"
+    >
       <div class="console-app__scrollable-wrapper">
         <div class="console-app__scrollable">
           @if (isLoading) {
@@ -78,6 +100,29 @@
               }}</mat-cell>
             </ng-container>
 
+            <ng-container matColumnDef="registryLock">
+              <mat-header-cell *matHeaderCellDef
+                >Registry-Locked</mat-header-cell
+              >
+              <mat-cell *matCellDef="let element">{{
+                isDomainLocked(element.domainName)
+              }}</mat-cell>
+            </ng-container>
+
+            <ng-container matColumnDef="actions">
+              <mat-header-cell *matHeaderCellDef>Actions</mat-header-cell>
+              <mat-cell *matCellDef="let element">
+                <button
+                  mat-icon-button
+                  [matMenuTriggerFor]="actions"
+                  [matMenuTriggerData]="{ domainName: element.domainName }"
+                  aria-label="Domain actions"
+                >
+                  <mat-icon>more_horiz</mat-icon>
+                </button>
+              </mat-cell>
+            </ng-container>
+
             <mat-header-row
               *matHeaderRowDef="displayedColumns"
             ></mat-header-row>
@@ -85,7 +130,7 @@
 
             <!-- Row shown when there is no matching data. -->
             <mat-row *matNoDataRow>
-              <mat-cell colspan="4">No domains found</mat-cell>
+              <mat-cell colspan="6">No domains found</mat-cell>
             </mat-row>
           </mat-table>
           <mat-paginator

console-webapp/src/app/domains/domainList.component.scss

@@ -30,6 +30,12 @@
 
   &__domains-table {
     min-width: $min-width !important;
+    .mat-column-actions {
+      max-width: 100px;
+    }
+    .mat-column-registryLock {
+      max-width: 150px;
+    }
   }
 
   &__domains-spinner {

console-webapp/src/app/domains/domainList.component.spec.ts

@@ -20,6 +20,7 @@ import { BrowserAnimationsModule } from '@angular/platform-browser/animations';
 import { MaterialModule } from '../material.module';
 import { BackendService } from '../shared/services/backend.service';
 import { DomainListComponent } from './domainList.component';
+import { FormsModule } from '@angular/forms';
 
 describe('DomainListComponent', () => {
   let component: DomainListComponent;
@@ -28,7 +29,7 @@ describe('DomainListComponent', () => {
   beforeEach(async () => {
     await TestBed.configureTestingModule({
       declarations: [DomainListComponent],
-      imports: [MaterialModule, BrowserAnimationsModule],
+      imports: [MaterialModule, BrowserAnimationsModule, FormsModule],
       providers: [
         BackendService,
         provideHttpClient(),

console-webapp/src/app/domains/domainList.component.ts

@@ -19,14 +19,14 @@ import { MatSnackBar } from '@angular/material/snack-bar';
 import { MatTableDataSource } from '@angular/material/table';
 import { Subject, debounceTime } from 'rxjs';
 import { RegistrarService } from '../registrar/registrar.service';
-import { BackendService } from '../shared/services/backend.service';
 import { Domain, DomainListService } from './domainList.service';
+import { RegistryLockComponent } from './registryLock.component';
+import { RegistryLockService } from './registryLock.service';
 
 @Component({
   selector: 'app-domain-list',
   templateUrl: './domainList.component.html',
   styleUrls: ['./domainList.component.scss'],
-  providers: [DomainListService],
 })
 export class DomainListComponent {
   public static PATH = 'domain-list';
@@ -37,6 +37,8 @@ export class DomainListComponent {
     'creationTime',
     'registrationExpirationTime',
     'statuses',
+    'registryLock',
+    'actions',
   ];
 
   dataSource: MatTableDataSource<Domain> = new MatTableDataSource();
@@ -52,15 +54,16 @@ export class DomainListComponent {
   @ViewChild(MatPaginator, { static: true }) paginator!: MatPaginator;
 
   constructor(
-    private backendService: BackendService,
-    private domainListService: DomainListService,
+    protected domainListService: DomainListService,
     protected registrarService: RegistrarService,
+    protected registryLockService: RegistryLockService,
     private _snackBar: MatSnackBar
   ) {
     effect(() => {
       this.pageNumber = 0;
       this.totalResults = 0;
       if (this.registrarService.registrarId()) {
+        this.loadLocks();
         this.reloadData();
       }
     });
@@ -80,6 +83,25 @@ export class DomainListComponent {
     this.searchTermSubject.complete();
   }
 
+  openRegistryLock(domainName: string) {
+    this.domainListService.selectedDomain = domainName;
+    this.domainListService.activeActionComponent = RegistryLockComponent;
+  }
+
+  loadLocks() {
+    this.registryLockService.retrieveLocks().subscribe({
+      error: (err: HttpErrorResponse) => {
+        this._snackBar.open(err.message);
+      },
+    });
+  }
+
+  isDomainLocked(domainName: string) {
+    return this.registryLockService.domainsLocks.some(
+      (d) => d.domainName === domainName
+    );
+  }
+
   reloadData() {
     this.isLoading = true;
     this.domainListService
@@ -95,7 +117,7 @@ export class DomainListComponent {
           this.isLoading = false;
         },
         next: (domainListResult) => {
-          this.dataSource.data = (domainListResult || {}).domains;
+          this.dataSource.data = this.domainListService.domainsList;
           this.totalResults = (domainListResult || {}).totalResults || 0;
           this.isLoading = false;
         },

console-webapp/src/app/domains/domainList.service.ts

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import { Injectable } from '@angular/core';
+import { Injectable, Type } from '@angular/core';
 import { tap } from 'rxjs';
 import { RegistrarService } from '../registrar/registrar.service';
 import { BackendService } from '../shared/services/backend.service';
@@ -35,9 +35,14 @@ export interface DomainListResult {
   totalResults: number;
 }
 
-@Injectable()
+@Injectable({
+  providedIn: 'root',
+})
 export class DomainListService {
   checkpointTime?: string;
+  selectedDomain?: string;
+  public activeActionComponent: Type<any> | null = null;
+  public domainsList: Domain[] = [];
 
   constructor(
     private backendService: BackendService,
@@ -62,6 +67,7 @@ export class DomainListService {
       .pipe(
         tap((domainListResult: DomainListResult) => {
           this.checkpointTime = domainListResult?.checkpointTime;
+          this.domainsList = domainListResult?.domains;
         })
       );
   }

console-webapp/src/app/domains/registryLock.component.html

@@ -0,0 +1,81 @@
+<div class="console-app__registry-lock">
+  <p>
+    <button
+      mat-icon-button
+      aria-label="Back to domains list"
+      (click)="goBack()"
+    >
+      <mat-icon>arrow_back</mat-icon>
+    </button>
+  </p>
+
+  @if(!registrarService.registrar()?.registryLockAllowed) {
+  <h1>
+    Sorry, your registrar hasn't enrolled in registry lock yet. To do so, please
+    contact {{ userDataService.userData()?.supportEmail }}.
+  </h1>
+  } @else if (isLocked()) {
+  <h1>Unlock the domain {{ domainListService.selectedDomain }}</h1>
+  <form (ngSubmit)="save(false)" [formGroup]="unlockDomain">
+    <p>
+      <mat-label for="password">Password: </mat-label>
+      <mat-form-field name="password" appearance="outline">
+        <input matInput type="text" formControlName="password" required />
+      </mat-form-field>
+    </p>
+    <p>
+      <mat-label for="relockTime"
+        >Automatically re-lock the domain after:</mat-label
+      >
+      <mat-radio-group
+        name="relockTime"
+        formControlName="relockTime"
+        aria-label="Automatically relock option"
+      >
+        @for (option of relockOptions; track option.name) {
+        <mat-radio-button [value]="option.duration">{{
+          option.name
+        }}</mat-radio-button>
+        }
+      </mat-radio-group>
+    </p>
+
+    <div class="console-app__registry-lock-notification">
+      <mat-icon>priority_high</mat-icon>Confirmation email will be sent to your
+      email address to confirm the unlock
+    </div>
+    <button
+      mat-flat-button
+      color="primary"
+      type="submit"
+      [disabled]="!unlockDomain.valid"
+    >
+      Save
+    </button>
+  </form>
+  } @else {
+  <h1>Lock the domain {{ domainListService.selectedDomain }}</h1>
+  <form (ngSubmit)="save(true)" [formGroup]="lockDomain">
+    <p>
+      <mat-label for="password">Password: </mat-label>
+      <mat-form-field name="password" appearance="outline">
+        <input matInput type="text" formControlName="password" required />
+      </mat-form-field>
+    </p>
+
+    <div class="console-app__registry-lock-notification">
+      <mat-icon>priority_high</mat-icon>The lock will not take effect until you
+      click the confirmation link that will be emailed to you. When it takes
+      effect, you will be billed the standard server status change billing cost.
+    </div>
+    <button
+      mat-flat-button
+      color="primary"
+      type="submit"
+      [disabled]="!lockDomain.valid"
+    >
+      Save
+    </button>
+  </form>
+  }
+</div>

console-webapp/src/app/domains/registryLock.component.scss

@@ -0,0 +1,20 @@
+.console-app {
+  &__registry-lock {
+    mat-label {
+      display: block;
+      margin-bottom: 10px;
+    }
+    p {
+      margin-bottom: 40px;
+    }
+  }
+  &__registry-lock-notification {
+    padding: 20px;
+    border-radius: 10px;
+    background-color: var(--light-highlight);
+    margin-bottom: 20px;
+    width: max-content;
+    display: flex;
+    align-items: center;
+  }
+}

console-webapp/src/app/domains/registryLock.component.ts

@@ -0,0 +1,92 @@
+// Copyright 2024 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { HttpErrorResponse } from '@angular/common/http';
+import { Component, computed } from '@angular/core';
+import { FormControl, FormGroup } from '@angular/forms';
+import { MatSnackBar } from '@angular/material/snack-bar';
+import { RegistrarService } from '../registrar/registrar.service';
+import { UserDataService } from '../shared/services/userData.service';
+import { DomainListService } from './domainList.service';
+import { RegistryLockService } from './registryLock.service';
+
+@Component({
+  selector: 'app-registry-lock',
+  templateUrl: './registryLock.component.html',
+  styleUrls: ['./registryLock.component.scss'],
+})
+export class RegistryLockComponent {
+  readonly isLocked = computed(() =>
+    this.registryLockService.domainsLocks.some(
+      (dl) => dl.domainName === this.domainListService.selectedDomain
+    )
+  );
+
+  relockOptions = [
+    { name: '1 hour', duration: 3600000 },
+    { name: '6 hours', duration: 21600000 },
+    { name: '24 hours', duration: 86400000 },
+    { name: 'Never', duration: undefined },
+  ];
+
+  lockDomain = new FormGroup({
+    password: new FormControl(''),
+  });
+
+  unlockDomain = new FormGroup({
+    password: new FormControl(''),
+    relockTime: new FormControl(undefined),
+  });
+
+  constructor(
+    protected registrarService: RegistrarService,
+    protected domainListService: DomainListService,
+    protected registryLockService: RegistryLockService,
+    protected userDataService: UserDataService,
+    private _snackBar: MatSnackBar
+  ) {}
+
+  goBack() {
+    this.domainListService.selectedDomain = undefined;
+    this.domainListService.activeActionComponent = null;
+  }
+
+  save(isLock: boolean) {
+    let request;
+    if (!isLock) {
+      request = this.registryLockService.registryLockDomain(
+        this.domainListService.selectedDomain || '',
+        this.unlockDomain.value.password || '',
+        this.unlockDomain.value.relockTime || undefined,
+        isLock
+      );
+    } else {
+      request = this.registryLockService.registryLockDomain(
+        this.domainListService.selectedDomain || '',
+        this.lockDomain.value.password || '',
+        undefined,
+        isLock
+      );
+    }
+
+    request.subscribe({
+      complete: () => {
+        this.goBack();
+      },
+      error: (err: HttpErrorResponse) => {
+        this._snackBar.open(err.error);
+      },
+    });
+  }
+}

console-webapp/src/app/domains/registryLock.service.ts

@@ -0,0 +1,59 @@
+// Copyright 2024 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Injectable } from '@angular/core';
+import { tap } from 'rxjs';
+import { RegistrarService } from '../registrar/registrar.service';
+import { BackendService } from '../shared/services/backend.service';
+
+export interface DomainLocksResult {
+  domainName: string;
+}
+
+@Injectable({
+  providedIn: 'root',
+})
+export class RegistryLockService {
+  public domainsLocks: DomainLocksResult[] = [];
+
+  constructor(
+    private backendService: BackendService,
+    private registrarService: RegistrarService
+  ) {}
+
+  retrieveLocks() {
+    return this.backendService
+      .getLocks(this.registrarService.registrarId())
+      .pipe(
+        tap((domainLocksResult) => {
+          this.domainsLocks = domainLocksResult;
+        })
+      );
+  }
+
+  registryLockDomain(
+    domainName: string,
+    password: string,
+    relockDurationMillis: number | undefined,
+    isLock: boolean
+  ) {
+    return this.backendService.registryLockDomain(
+      domainName,
+      password,
+      relockDurationMillis,
+      this.registrarService.registrarId(),
+      isLock
+    );
+  }
+}

console-webapp/src/app/home/home.component.html

@@ -34,7 +34,10 @@
       </mat-card-actions>
     </mat-card>
 
-    <mat-card appearance="outlined">
+    <mat-card
+      appearance="outlined"
+      [elementId]="getElementIdForRegistrarsBlock()"
+    >
       <mat-card-content>
         <h3>
           <mat-icon class="secondary-text">account_circle</mat-icon>

console-webapp/src/app/home/home.component.ts

@@ -18,6 +18,7 @@ import { DomainListComponent } from '../domains/domainList.component';
 import { RegistrarComponent } from '../registrar/registrarsTable.component';
 import SecurityComponent from '../settings/security/security.component';
 import { SettingsComponent } from '../settings/settings.component';
+import { RESTRICTED_ELEMENTS } from '../shared/directives/userLevelVisiblity.directive';
 import { BreakPointObserverService } from '../shared/services/breakPoint.service';
 
 @Component({
@@ -30,6 +31,9 @@ export class HomeComponent {
     protected breakPointObserverService: BreakPointObserverService,
     private router: Router
   ) {}
+  getElementIdForRegistrarsBlock() {
+    return RESTRICTED_ELEMENTS.REGISTRAR_ELEMENT;
+  }
   viewRegistrars() {
     this.router.navigate([RegistrarComponent.PATH], {
       queryParamsHandling: 'merge',

console-webapp/src/app/lock/registryLockVerify.component.html

@@ -0,0 +1,28 @@
+@if (isLoading) {
+<div class="console-app__registry-lock-verify-spinner">
+  <mat-spinner />
+</div>
+} @else if (domainName) {
+<h1 class="mat-headline-4">Success!</h1>
+<div class="console-app__registry-lock-content">
+  <div class="console-app__registry-lock-subhead">
+    The domain {{ domainName }} has been successfully {{ action }}ed.
+  </div>
+</div>
+<div>
+  <a
+    class="text-l"
+    routerLink="{{ DOMAIN_LIST_COMPONENT_PATH }}"
+    [queryParams]="{ registrarId: this.registrarService.registrarId() }"
+    >Return to the list of domains</a
+  >
+</div>
+} @else {
+<h1 class="mat-headline-4">Failure</h1>
+<div class="console-app__registry-lock-content">
+  <div class="console-app__registry-lock-subhead">
+    An error occurred: {{ errorMessage }}.<br /><br />Please double-check the
+    verification code and try again.
+  </div>
+</div>
+}

console-webapp/src/app/lock/registryLockVerify.component.scss

@@ -0,0 +1,9 @@
+.console-app__registry-lock {
+  &-content {
+    margin-top: 30px;
+  }
+  &-subhead {
+    font-size: 20px;
+    margin-bottom: 20px;
+  }
+}

console-webapp/src/app/lock/registryLockVerify.component.ts

@@ -0,0 +1,65 @@
+// Copyright 2024 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Component } from '@angular/core';
+import { RegistrarService } from '../registrar/registrar.service';
+import { ActivatedRoute, ParamMap } from '@angular/router';
+import { RegistryLockVerifyService } from './registryLockVerify.service';
+import { HttpErrorResponse } from '@angular/common/http';
+import { take } from 'rxjs';
+import { DomainListComponent } from '../domains/domainList.component';
+
+@Component({
+  selector: 'app-registry-lock-verify',
+  templateUrl: './registryLockVerify.component.html',
+  styleUrls: ['./registryLockVerify.component.scss'],
+  providers: [RegistryLockVerifyService],
+})
+export class RegistryLockVerifyComponent {
+  public static PATH = 'registry-lock-verify';
+
+  readonly DOMAIN_LIST_COMPONENT_PATH = `/${DomainListComponent.PATH}`;
+
+  isLoading = true;
+  domainName?: string;
+  action?: string;
+  errorMessage?: string;
+
+  constructor(
+    protected registrarService: RegistrarService,
+    protected registryLockVerifyService: RegistryLockVerifyService,
+    private route: ActivatedRoute
+  ) {}
+
+  ngOnInit() {
+    this.route.queryParamMap.pipe(take(1)).subscribe((params: ParamMap) => {
+      this.registryLockVerifyService
+        .verifyRequest(params.get('lockVerificationCode') || '')
+        .subscribe({
+          error: (err: HttpErrorResponse) => {
+            this.isLoading = false;
+            this.errorMessage = err.error;
+          },
+          next: (verificationResponse) => {
+            this.domainName = verificationResponse.domainName;
+            this.action = verificationResponse.action;
+            this.registrarService.registrarId.set(
+              verificationResponse.registrarId
+            );
+            this.isLoading = false;
+          },
+        });
+    });
+  }
+}

console-webapp/src/app/lock/registryLockVerify.service.ts

@@ -0,0 +1,31 @@
+// Copyright 2024 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Injectable } from '@angular/core';
+import { BackendService } from '../shared/services/backend.service';
+
+export interface RegistryLockVerificationResponse {
+  action: string;
+  domainName: string;
+  registrarId: string;
+}
+
+@Injectable()
+export class RegistryLockVerifyService {
+  constructor(private backendService: BackendService) {}
+
+  verifyRequest(lockVerificationCode: string) {
+    return this.backendService.verifyRegistryLockRequest(lockVerificationCode);
+  }
+}

console-webapp/src/app/ote/newOte.component.html

@@ -0,0 +1,36 @@
+<h1 class="mat-headline-4">Generate OT&E Accounts</h1>
+<div class="console-app__new-ote">
+  @if (oteCreateResponseFormatted()) {
+  <h1>Generated Successfully</h1>
+  <mat-card appearance="outlined">
+    <mat-card-header>
+      <mat-card-title>Epp Credentials</mat-card-title>
+      <mat-card-subtitle
+        >Copy and paste this into an email to the registrars</mat-card-subtitle
+      >
+    </mat-card-header>
+    <mat-card-content>
+      <p>{{ oteCreateResponseFormatted() }}</p>
+    </mat-card-content>
+  </mat-card>
+  } @else {
+  <form (ngSubmit)="onSubmit()" [formGroup]="createOte">
+    <p>
+      <mat-form-field name="registrarId" appearance="outline">
+        <mat-label>Base Registrar Id: </mat-label>
+        <input matInput type="text" formControlName="registrarId" required />
+      </mat-form-field>
+    </p>
+    <p>
+      <mat-form-field name="registrarEmail" appearance="outline">
+        <mat-label>Contact Email: </mat-label>
+        <input matInput type="text" formControlName="registrarEmail" required />
+        <mat-hint
+          >Will be granted web-console access to the OTE registrars.</mat-hint
+        >
+      </mat-form-field>
+    </p>
+    <button mat-flat-button color="primary" type="submit">Save</button>
+  </form>
+  }
+</div>

console-webapp/src/app/ote/newOte.component.scss

@@ -0,0 +1,7 @@
+.console-app__new-ote {
+  max-width: 720px;
+  mat-card-content {
+    white-space: break-spaces;
+    padding: 20px;
+  }
+}

console-webapp/src/app/ote/newOte.component.ts

@@ -0,0 +1,81 @@
+// Copyright 2024 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { HttpErrorResponse } from '@angular/common/http';
+import { Component, computed, signal } from '@angular/core';
+import { FormControl, FormGroup, Validators } from '@angular/forms';
+import { MatSnackBar } from '@angular/material/snack-bar';
+import { RegistrarService } from '../registrar/registrar.service';
+
+export interface OteCreateResponse extends Map<string, string> {
+  password: string;
+}
+
+@Component({
+  selector: 'app-ote',
+  templateUrl: './newOte.component.html',
+  styleUrls: ['./newOte.component.scss'],
+})
+export class NewOteComponent {
+  public static PATH = 'new-ote';
+
+  oteCreateResponse = signal<OteCreateResponse | undefined>(undefined);
+
+  readonly oteCreateResponseFormatted = computed(() => {
+    const oteCreateResponse = this.oteCreateResponse();
+    if (oteCreateResponse) {
+      const { password } = oteCreateResponse;
+      return Object.entries(oteCreateResponse)
+        .filter((entry) => entry[0] !== 'password')
+        .map(
+          ([login, tld]) =>
+            `Login: ${login}\t\tPassword: ${password}\t\tTLD: ${tld}`
+        )
+        .join('\n');
+    }
+    return undefined;
+  });
+
+  createOte = new FormGroup({
+    registrarId: new FormControl('', [Validators.required]),
+    registrarEmail: new FormControl('', [Validators.required]),
+  });
+
+  constructor(
+    protected registrarService: RegistrarService,
+    private _snackBar: MatSnackBar
+  ) {}
+
+  onSubmit() {
+    if (this.createOte.valid) {
+      const { registrarId, registrarEmail } = this.createOte.value;
+      this.registrarService
+        .generateOte(
+          {
+            registrarId,
+            registrarEmail,
+          },
+          registrarId || ''
+        )
+        .subscribe({
+          next: (oteCreateResponse: OteCreateResponse) => {
+            this.oteCreateResponse.set(oteCreateResponse);
+          },
+          error: (err: HttpErrorResponse) => {
+            this._snackBar.open(err.error || err.message);
+          },
+        });
+    }
+  }
+}

console-webapp/src/app/ote/oteStatus.component.html

@@ -0,0 +1,31 @@
+<app-selected-registrar-wrapper>
+  <h1 class="mat-headline-4">OT&E Status Check</h1>
+  @if(isOte()) {
+  <h1 *ngIf="oteStatusResponse().length">
+    Status:
+    <span>{{ oteStatusUnfinished().length ? "Unfinished" : "Completed" }}</span>
+  </h1>
+  <div class="console-app__ote-status">
+    @if(oteStatusCompleted().length) {
+    <div class="console-app__ote-status_completed">
+      <h1>Completed</h1>
+      <div *ngFor="let entry of oteStatusCompleted()">
+        <mat-icon>check_box</mat-icon>{{ entry.description }}
+      </div>
+    </div>
+    } @if(oteStatusUnfinished().length) {
+    <div class="console-app__ote-status_unfinished">
+      <h1>Unfinished</h1>
+      <div *ngFor="let entry of oteStatusUnfinished()">
+        <mat-icon>check_box_outline_blank</mat-icon>{{ entry.description }}
+      </div>
+    </div>
+    }
+  </div>
+  } @else {
+  <h1>
+    Registrar {{ registrarService.registrar()?.registrarId }} is not an OT&E
+    registrar
+  </h1>
+  }
+</app-selected-registrar-wrapper>

console-webapp/src/app/ote/oteStatus.component.scss

@@ -0,0 +1,28 @@
+.console-app__ote-status {
+  max-width: 730px;
+  display: flex;
+  flex-wrap: wrap;
+  &_completed,
+  &_unfinished {
+    border: 1px solid #ddd;
+    padding: 20px;
+    border-radius: 10px;
+    margin: 0 20px 30px 0;
+    div {
+      display: flex;
+      min-width: 300px;
+      align-items: flex-start;
+      max-width: 300px;
+      margin-bottom: 10px;
+      padding-bottom: 5px;
+      border-bottom: 1px solid #ddd;
+      &:last-child {
+        border: none;
+      }
+    }
+
+    mat-icon {
+      min-width: 30px;
+    }
+  }
+}

console-webapp/src/app/ote/oteStatus.component.ts

@@ -0,0 +1,62 @@
+// Copyright 2024 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { HttpErrorResponse } from '@angular/common/http';
+import { Component, computed, signal } from '@angular/core';
+import { MatSnackBar } from '@angular/material/snack-bar';
+import { RegistrarService } from '../registrar/registrar.service';
+
+export interface OteStatusResponse {
+  description: string;
+  requirement: number;
+  timesPerformed: number;
+  completed: boolean;
+}
+
+@Component({
+  selector: 'app-ote-status',
+  templateUrl: './oteStatus.component.html',
+  styleUrls: ['./oteStatus.component.scss'],
+})
+export class OteStatusComponent {
+  public static PATH = 'ote-status';
+
+  oteStatusResponse = signal<OteStatusResponse[]>([]);
+
+  oteStatusCompleted = computed(() =>
+    this.oteStatusResponse().filter((v) => v.completed)
+  );
+  oteStatusUnfinished = computed(() =>
+    this.oteStatusResponse().filter((v) => !v.completed)
+  );
+  isOte = computed(
+    () => this.registrarService.registrar()?.type?.toLowerCase() === 'ote'
+  );
+
+  constructor(
+    protected registrarService: RegistrarService,
+    private _snackBar: MatSnackBar
+  ) {
+    this.registrarService
+      .oteStatus(this.registrarService.registrarId())
+      .subscribe({
+        next: (oteStatusResponse: OteStatusResponse[]) => {
+          this.oteStatusResponse.set(oteStatusResponse);
+        },
+        error: (err: HttpErrorResponse) => {
+          this._snackBar.open(err.error || err.message);
+        },
+      });
+  }
+}

console-webapp/src/app/registrar/newRegistrar.component.html

@@ -142,7 +142,7 @@ JPY=billing-id-for-yen"
         <mat-label>State/Region: </mat-label>
         <input
           matInput
-          [required]="false"
+          [required]="true"
           [(ngModel)]="newRegistrar.localizedAddress.state"
           [ngModelOptions]="{ standalone: true }"
         />

console-webapp/src/app/registrar/registrar.service.ts

@@ -17,6 +17,8 @@ import { Observable, switchMap, tap } from 'rxjs';
 
 import { MatSnackBar } from '@angular/material/snack-bar';
 import { Router } from '@angular/router';
+import { OteCreateResponse } from '../ote/newOte.component';
+import { OteStatusResponse } from '../ote/oteStatus.component';
 import { BackendService } from '../shared/services/backend.service';
 import {
   GlobalLoader,
@@ -69,6 +71,7 @@ export interface Registrar
   registrarId: string;
   registrarName: string;
   registryLockAllowed?: boolean;
+  type?: string;
 }
 
 @Injectable({
@@ -149,4 +152,17 @@ export class RegistrarService implements GlobalLoader {
   loadingTimeout() {
     this._snackBar.open('Timeout loading registrars');
   }
+
+  generateOte(
+    oteForm: Object,
+    registrarId: string
+  ): Observable<OteCreateResponse> {
+    return this.backend
+      .generateOte(oteForm, registrarId)
+      .pipe(tap((_) => this.loadRegistrars()));
+  }
+
+  oteStatus(registrarId: string): Observable<OteStatusResponse[]> {
+    return this.backend.getOteStatus(registrarId);
+  }
 }

console-webapp/src/app/registrar/registrarDetails.component.html

@@ -8,6 +8,14 @@
       </button>
       <div class="spacer"></div>
       @if(!inEdit && !registrarNotFound) {
+      <button
+        mat-stroked-button
+        (click)="checkOteStatus()"
+        aria-label="Check OT&E account"
+        [elementId]="getElementIdForOteBlock()"
+      >
+        Check OT&E Status
+      </button>
       <button
         mat-flat-button
         color="primary"

console-webapp/src/app/registrar/registrarDetails.component.ts

@@ -18,6 +18,8 @@ import { MatChipInputEvent } from '@angular/material/chips';
 import { MatSnackBar } from '@angular/material/snack-bar';
 import { ActivatedRoute, ParamMap, Router } from '@angular/router';
 import { Subscription } from 'rxjs';
+import { OteStatusComponent } from '../ote/oteStatus.component';
+import { RESTRICTED_ELEMENTS } from '../shared/directives/userLevelVisiblity.directive';
 import { Registrar, RegistrarService } from './registrar.service';
 import { RegistrarComponent, columns } from './registrarsTable.component';
 
@@ -70,6 +72,14 @@ export class RegistrarDetailsComponent implements OnInit {
     ];
   }
 
+  checkOteStatus() {
+    this.router.navigate([OteStatusComponent.PATH]);
+  }
+
+  getElementIdForOteBlock() {
+    return RESTRICTED_ELEMENTS.OTE;
+  }
+
   removeTLD(tld: string) {
     this.registrarInEdit.allowedTlds = this.registrarInEdit.allowedTlds?.filter(
       (v) => v != tld
@@ -91,6 +101,6 @@ export class RegistrarDetailsComponent implements OnInit {
   }
 
   ngOnDestroy() {
-    this.subscription.unsubscribe();
+    this.subscription && this.subscription.unsubscribe();
   }
 }

console-webapp/src/app/registrar/registrarSelector.component.spec.ts

@@ -20,6 +20,7 @@ import { BrowserAnimationsModule } from '@angular/platform-browser/animations';
 import { MaterialModule } from '../material.module';
 import { BackendService } from '../shared/services/backend.service';
 import { RegistrarSelectorComponent } from './registrarSelector.component';
+import { FormsModule } from '@angular/forms';
 
 describe('RegistrarSelectorComponent', () => {
   let component: RegistrarSelectorComponent;
@@ -28,7 +29,7 @@ describe('RegistrarSelectorComponent', () => {
   beforeEach(async () => {
     await TestBed.configureTestingModule({
       declarations: [RegistrarSelectorComponent],
-      imports: [MaterialModule, BrowserAnimationsModule],
+      imports: [MaterialModule, BrowserAnimationsModule, FormsModule],
       providers: [
         BackendService,
         provideHttpClient(),

console-webapp/src/app/registrar/registrarsTable.component.html

@@ -4,7 +4,17 @@
 <div class="console-app__registrars">
   <div class="console-app__registrars-header">
     <h1 class="mat-headline-4">Registrars</h1>
+    <div class="spacer"></div>
     <button
+      mat-stroked-button
+      (click)="createOteAccount()"
+      aria-label="Generate OT&E accounts"
+      [elementId]="getElementIdForOteBlock()"
+    >
+      Create OT&E accounts
+    </button>
+    <button
+      class="console-app__registrars-new"
       mat-flat-button
       color="primary"
       (click)="openNewRegistrar()"

console-webapp/src/app/registrar/registrarsTable.component.scss

@@ -10,6 +10,10 @@
     min-width: $min-width !important;
   }
 
+  &__registrars-new {
+    margin-left: 20px;
+  }
+
   &__registrars-header {
     display: flex;
     justify-content: space-between;

console-webapp/src/app/registrar/registrarsTable.component.ts

@@ -17,6 +17,8 @@ import { MatPaginator } from '@angular/material/paginator';
 import { MatSort } from '@angular/material/sort';
 import { MatTableDataSource } from '@angular/material/table';
 import { Router } from '@angular/router';
+import { NewOteComponent } from '../ote/newOte.component';
+import { RESTRICTED_ELEMENTS } from '../shared/directives/userLevelVisiblity.directive';
 import { Registrar, RegistrarService } from './registrar.service';
 
 export const columns = [
@@ -103,6 +105,14 @@ export class RegistrarComponent {
     this.dataSource.sort = this.sort;
   }
 
+  createOteAccount() {
+    this.router.navigate([NewOteComponent.PATH]);
+  }
+
+  getElementIdForOteBlock() {
+    return RESTRICTED_ELEMENTS.OTE;
+  }
+
   openDetails(registrarId: string) {
     this.router.navigate(['registrars/', registrarId], {
       queryParamsHandling: 'merge',

console-webapp/src/app/resources/resources.component.html

@@ -4,7 +4,7 @@
     <div class="console-app__resources-subhead">Technical resources</div>
     <a
       class="text-l"
-      href="{{ userDataService.userData.technicalDocsUrl }}"
+      href="{{ userDataService.userData()?.technicalDocsUrl }}"
       target="_blank"
       >View onboarding FAQs, TLD information, and technical documentation on
       Google Drive</a

console-webapp/src/app/settings/contact/contactDetails.component.html

@@ -18,7 +18,11 @@
       <mat-icon>edit</mat-icon>
       Edit
     </button>
-    <button mat-icon-button aria-label="Delete Contact">
+    <button
+      mat-icon-button
+      aria-label="Delete Contact"
+      (click)="deleteContact()"
+    >
       <mat-icon>delete</mat-icon>
     </button>
     }

console-webapp/src/app/settings/contact/contactDetails.component.ts

@@ -50,6 +50,9 @@ export class ContactDetailsComponent {
           error: (err: HttpErrorResponse) => {
             this._snackBar.open(err.error);
           },
+          complete: () => {
+            this.goBack();
+          },
         });
     }
   }

console-webapp/src/app/settings/security/security.component.spec.ts

@@ -20,20 +20,18 @@ import { FormsModule } from '@angular/forms';
 import { BrowserAnimationsModule } from '@angular/platform-browser/animations';
 import { of } from 'rxjs';
 import { MaterialModule } from 'src/app/material.module';
-import {
-  Registrar,
-  RegistrarService,
-} from 'src/app/registrar/registrar.service';
+import { RegistrarService } from 'src/app/registrar/registrar.service';
 import { BackendService } from 'src/app/shared/services/backend.service';
 import SecurityComponent from './security.component';
-import { SecurityService, apiToUiConverter } from './security.service';
+import { SecurityService } from './security.service';
+import SecurityEditComponent from './securityEdit.component';
+import { MOCK_REGISTRAR_SERVICE } from 'src/testdata/registrar/registrar.service.mock';
 
 describe('SecurityComponent', () => {
   let component: SecurityComponent;
   let fixture: ComponentFixture<SecurityComponent>;
   let fetchSecurityDetailsSpy: Function;
   let saveSpy: Function;
-  let dummyRegistrarService: RegistrarService;
 
   beforeEach(async () => {
     const securityServiceSpy = jasmine.createSpyObj(SecurityService, [
@@ -46,16 +44,13 @@ describe('SecurityComponent', () => {
 
     saveSpy = securityServiceSpy.saveChanges;
 
-    dummyRegistrarService = {
-      registrar: { ipAddressAllowList: ['123.123.123.123'] },
-    } as RegistrarService;
-
     await TestBed.configureTestingModule({
-      declarations: [SecurityComponent],
+      declarations: [SecurityEditComponent, SecurityComponent],
       imports: [MaterialModule, BrowserAnimationsModule, FormsModule],
       providers: [
         BackendService,
-        { provide: RegistrarService, useValue: dummyRegistrarService },
+        SecurityService,
+        { provide: RegistrarService, useValue: MOCK_REGISTRAR_SERVICE },
         provideHttpClient(),
         provideHttpClientTesting(),
       ],
@@ -78,78 +73,65 @@ describe('SecurityComponent', () => {
     expect(component).toBeTruthy();
   });
 
-  it('should render ip allow list', waitForAsync(() => {
-    component.enableEdit();
+  it('should render security elements', waitForAsync(() => {
+    fixture.detectChanges();
     fixture.whenStable().then(() => {
-      expect(
-        Array.from(
-          fixture.nativeElement.querySelectorAll(
-            '.settings-security__ip-allowlist'
-          )
-        )
-      ).toHaveSize(1);
-      expect(
-        fixture.nativeElement.querySelector('.settings-security__ip-allowlist')
-          .value
-      ).toBe('123.123.123.123');
+      let listElems: Array<HTMLElement> = Array.from(
+        fixture.nativeElement.querySelectorAll('span.console-app__list-value')
+      );
+      expect(listElems).toHaveSize(8);
+      expect(listElems.map((e) => e.textContent)).toEqual([
+        'Change the password used for EPP logins',
+        '••••••••••••••',
+        'Restrict access to EPP production servers to the following IP/IPv6 addresses, or ranges like 1.1.1.0/24',
+        '123.123.123.123',
+        'X.509 PEM certificate for EPP production access',
+        'No client certificate on file.',
+        'X.509 PEM backup certificate for EPP production access',
+        'No failover certificate on file.',
+      ]);
     });
   }));
 
   it('should remove ip', waitForAsync(() => {
-    expect(
-      Array.from(
-        fixture.nativeElement.querySelectorAll(
-          '.settings-security__ip-allowlist'
-        )
-      )
-    ).toHaveSize(1);
-    component.removeIpEntry(0);
+    component.dataSource.ipAddressAllowList =
+      component.dataSource.ipAddressAllowList?.splice(1);
     fixture.whenStable().then(() => {
       fixture.detectChanges();
-      expect(
-        Array.from(
-          fixture.nativeElement.querySelectorAll(
-            '.settings-security__ip-allowlist'
-          )
-        )
-      ).toHaveSize(0);
+      let listElems: Array<HTMLElement> = Array.from(
+        fixture.nativeElement.querySelectorAll('span.console-app__list-value')
+      );
+      expect(listElems.map((e) => e.textContent)).toContain(
+        'No IP addresses on file.'
+      );
     });
   }));
 
-  it('should toggle inEdit', () => {
-    expect(component.inEdit).toBeFalse();
-    component.enableEdit();
-    expect(component.inEdit).toBeTrue();
+  it('should toggle isEditingSecurity', () => {
+    expect(component.securityService.isEditingSecurity).toBeFalse();
+    component.editSecurity();
+    expect(component.securityService.isEditingSecurity).toBeTrue();
   });
 
-  it('should create temporary data structure', () => {
-    expect(component.dataSource).toEqual(
-      apiToUiConverter(dummyRegistrarService.registrar)
-    );
-    component.removeIpEntry(0);
-    expect(component.dataSource).toEqual({ ipAddressAllowList: [] });
-    expect(dummyRegistrarService.registrar).toEqual({
-      ipAddressAllowList: ['123.123.123.123'],
-    } as Registrar);
-    component.cancel();
-    expect(component.dataSource).toEqual(
-      apiToUiConverter(dummyRegistrarService.registrar)
-    );
+  it('should toggle isEditingPassword', () => {
+    expect(component.securityService.isEditingPassword).toBeFalse();
+    component.editEppPassword();
+    expect(component.securityService.isEditingPassword).toBeTrue();
   });
 
   it('should call save', waitForAsync(async () => {
-    component.enableEdit();
-    fixture.detectChanges();
+    component.editSecurity();
     await fixture.whenStable();
+    fixture.detectChanges();
     const el = fixture.nativeElement.querySelector(
-      '.settings-security__clientCertificate'
+      '.console-app__clientCertificateValue'
     );
     el.value = 'test';
     el.dispatchEvent(new Event('input'));
     fixture.detectChanges();
     await fixture.whenStable();
     fixture.nativeElement
-      .querySelector('.settings-security__actions-save')
+      .querySelector('.settings-security__edit-save')
       .click();
     expect(saveSpy).toHaveBeenCalledOnceWith({
       ipAddressAllowList: [{ value: '123.123.123.123' }],

console-webapp/src/app/settings/security/security.component.ts

@@ -35,6 +35,7 @@ export default class SecurityComponent {
       if (this.registrarService.registrar()) {
         this.dataSource = apiToUiConverter(this.registrarService.registrar());
         this.securityService.isEditingSecurity = false;
+        this.securityService.isEditingPassword = false;
       }
     });
   }

console-webapp/src/app/settings/security/security.service.spec.ts

@@ -21,11 +21,13 @@ import { BackendService } from 'src/app/shared/services/backend.service';
 import SecurityComponent from './security.component';
 import {
   SecurityService,
-  SecuritySettings,
-  SecuritySettingsBackendModel,
   apiToUiConverter,
   uiToApiConverter,
 } from './security.service';
+import {
+  SecuritySettings,
+  SecuritySettingsBackendModel,
+} from 'src/app/registrar/registrar.service';
 
 describe('SecurityService', () => {
   const uiMockData: SecuritySettings = {

console-webapp/src/app/settings/security/securityEdit.component.html

@@ -33,6 +33,7 @@
     <p>X.509 PEM certificate for EPP production access.</p>
     <mat-form-field appearance="outline">
       <textarea
+        class="console-app__clientCertificateValue"
         matInput
         [(ngModel)]="dataSource.clientCertificate"
         [ngModelOptions]="{ standalone: true }"

console-webapp/src/app/settings/whois/whois.component.spec.ts

@@ -32,7 +32,14 @@ describe('WhoisComponent', () => {
       imports: [MaterialModule, BrowserAnimationsModule],
       providers: [
         BackendService,
-        { provide: RegistrarService, useValue: { registrar: {} } },
+        {
+          provide: RegistrarService,
+          useValue: {
+            registrar: function () {
+              return {};
+            },
+          },
+        },
         provideHttpClient(),
         provideHttpClientTesting(),
       ],

console-webapp/src/app/settings/whois/whoisEdit.component.html

@@ -132,6 +132,18 @@
         />
       </mat-form-field>
 
+      @if((userDataService.userData()?.globalRole || 'NONE') !== "NONE") {
+      <mat-form-field appearance="outline">
+        <mat-label>ICANN Referral Email: </mat-label>
+        <input
+          matInput
+          type="text"
+          [(ngModel)]="registrarInEdit.icannReferralEmail"
+          [ngModelOptions]="{ standalone: true }"
+        />
+      </mat-form-field>
+      }
+
       <button mat-flat-button color="primary" type="submit">Save</button>
     </form>
   </div>

console-webapp/src/app/settings/whois/whoisEdit.component.ts

@@ -19,6 +19,7 @@ import {
   Registrar,
   RegistrarService,
 } from 'src/app/registrar/registrar.service';
+import { UserDataService } from 'src/app/shared/services/userData.service';
 import { WhoisService } from './whois.service';
 
 @Component({
@@ -30,6 +31,7 @@ export default class WhoisEditComponent {
   registrarInEdit: Registrar | undefined;
 
   constructor(
+    public userDataService: UserDataService,
     public whoisService: WhoisService,
     public registrarService: RegistrarService,
     private _snackBar: MatSnackBar

console-webapp/src/app/shared/directives/userLevelVisiblity.directive.ts

@@ -12,43 +12,43 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import { Directive, ElementRef, Input, OnChanges } from '@angular/core';
+import { Directive, ElementRef, Input, effect } from '@angular/core';
 import { UserDataService } from '../services/userData.service';
 
 export enum RESTRICTED_ELEMENTS {
   REGISTRAR_ELEMENT,
+  OTE,
 }
 
 export const DISABLED_ELEMENTS_PER_ROLE = {
-  NONE: [RESTRICTED_ELEMENTS.REGISTRAR_ELEMENT],
+  NONE: [RESTRICTED_ELEMENTS.REGISTRAR_ELEMENT, RESTRICTED_ELEMENTS.OTE],
 };
 
 @Directive({
   selector: '[elementId]',
 })
-export class UserLevelVisibility implements OnChanges {
+export class UserLevelVisibility {
   @Input() elementId!: RESTRICTED_ELEMENTS | null;
 
   constructor(
     private userDataService: UserDataService,
     private el: ElementRef
-  ) {}
-
-  ngOnChanges() {
-    this.processElement();
+  ) {
+    effect(this.processElement.bind(this));
   }
 
   processElement() {
+    const globalRole = this.userDataService?.userData()?.globalRole || 'NONE';
     if (this.elementId === null) {
       return;
     }
-
-    const globalRole = this.userDataService?.userData?.globalRole || 'NONE';
     if (
       // @ts-ignore
       (DISABLED_ELEMENTS_PER_ROLE[globalRole] || []).includes(this.elementId)
     ) {
       this.el.nativeElement.style.display = 'none';
+    } else {
+      this.el.nativeElement.style.display = '';
     }
   }
 }

console-webapp/src/app/shared/services/backend.service.ts

@@ -17,6 +17,10 @@ import { Injectable } from '@angular/core';
 import { Observable, catchError, of, throwError } from 'rxjs';
 
 import { DomainListResult } from 'src/app/domains/domainList.service';
+import { DomainLocksResult } from 'src/app/domains/registryLock.service';
+import { RegistryLockVerificationResponse } from 'src/app/lock/registryLockVerify.service';
+import { OteCreateResponse } from 'src/app/ote/newOte.component';
+import { OteStatusResponse } from 'src/app/ote/oteStatus.component';
 import {
   Registrar,
   SecuritySettingsBackendModel,
@@ -169,4 +173,54 @@ export class BackendService {
       whoisRegistrarFields
     );
   }
+
+  registryLockDomain(
+    domainName: string,
+    password: string | undefined,
+    relockDurationMillis: number | undefined,
+    registrarId: string,
+    isLock: boolean
+  ) {
+    return this.http.post(
+      `/console-api/registry-lock?registrarId=${registrarId}`,
+      {
+        domainName,
+        password,
+        isLock,
+        relockDurationMillis,
+      }
+    );
+  }
+
+  getLocks(registrarId: string): Observable<DomainLocksResult[]> {
+    return this.http
+      .get<DomainLocksResult[]>(
+        `/console-api/registry-lock?registrarId=${registrarId}`
+      )
+      .pipe(catchError((err) => this.errorCatcher<DomainLocksResult[]>(err)));
+  }
+
+  generateOte(
+    oteForm: Object,
+    registrarId: string
+  ): Observable<OteCreateResponse> {
+    return this.http.post<OteCreateResponse>(
+      `/console-api/ote?registrarId=${registrarId}`,
+      oteForm
+    );
+  }
+
+  getOteStatus(registrarId: string) {
+    return this.http
+      .get<OteStatusResponse[]>(`/console-api/ote?registrarId=${registrarId}`)
+      .pipe(catchError((err) => this.errorCatcher<OteStatusResponse[]>(err)));
+  }
+
+  verifyRegistryLockRequest(
+    lockVerificationCode: string
+  ): Observable<RegistryLockVerificationResponse> {
+    return this.http.get<RegistryLockVerificationResponse>(
+      `/console-api/registry-lock-verify?lockVerificationCode=${lockVerificationCode}`
+    );
+  }
 }

console-webapp/src/app/shared/services/userData.service.ts

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import { Injectable } from '@angular/core';
+import { Injectable, signal } from '@angular/core';
 import { MatSnackBar } from '@angular/material/snack-bar';
 import { Observable, tap } from 'rxjs';
 import { BackendService } from './backend.service';
@@ -33,7 +33,7 @@ export interface UserData {
   providedIn: 'root',
 })
 export class UserDataService implements GlobalLoader {
-  public userData!: UserData;
+  userData = signal<UserData | undefined>(undefined);
   constructor(
     private backend: BackendService,
     protected globalLoader: GlobalLoaderService,
@@ -48,7 +48,7 @@ export class UserDataService implements GlobalLoader {
   getUserData(): Observable<UserData> {
     return this.backend.getUserData().pipe(
       tap((userData: UserData) => {
-        this.userData = userData;
+        this.userData.set(userData);
       })
     );
   }

console-webapp/src/app/support/support.component.html

@@ -17,9 +17,11 @@
     For general purpose questions once you are integrated with our registry
     system. If the issue is urgent, please put "Urgent" in the email title.
   </p>
-  <a class="text-l" href="mailto:{{ userDataService.userData.supportEmail }}">{{
-    userDataService.userData.supportEmail
-  }}</a>
+  <a
+    class="text-l"
+    href="mailto:{{ userDataService.userData()?.supportEmail }}"
+    >{{ userDataService.userData()?.supportEmail }}</a
+  >
   <p class="secondary-text">
     Note: You may receive occasional service announcements via
     registrar-announcement&#64;google.com. You will not be able to reply to
@@ -29,13 +31,13 @@
   <p class="text-l">For general support inquiries 24/7:</p>
   <a
     class="text-l"
-    href="tel:{{ userDataService.userData.supportPhoneNumber }}"
-    >{{ userDataService.userData.supportPhoneNumber }}</a
+    href="tel:{{ userDataService.userData()?.supportPhoneNumber }}"
+    >{{ userDataService.userData()?.supportPhoneNumber }}</a
   >
-  @if (userDataService.userData.passcode) {
+  @if (userDataService.userData()?.passcode) {
   <p class="text-l">Your telephone passcode:</p>
   <p class="text-l console-app__support-passcode">
-    {{ userDataService.userData.passcode }}
+    {{ userDataService.userData()?.passcode }}
   </p>
   <p class="secondary-text">
     Note: Please be ready with your account name and telephone passcode when

console-webapp/src/testdata/registrar/registrar.service.mock.ts

@@ -0,0 +1,21 @@
+// Copyright 2024 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { RegistrarService } from 'src/app/registrar/registrar.service';
+
+export const MOCK_REGISTRAR_SERVICE = {
+  registrar: function () {
+    return { ipAddressAllowList: ['123.123.123.123'] };
+  },
+} as RegistrarService;

console-webapp/tsconfig.json

@@ -29,5 +29,6 @@
     "strictInjectionParameters": true,
     "strictInputAccessModifiers": true,
     "strictTemplates": true
-  }
+  },
+  "exclude": ["./src/testdata/*.*/*.ts"]
 }

core/src/main/java/google/registry/batch/CloudTasksUtils.java

@@ -77,6 +77,7 @@ public class CloudTasksUtils implements Serializable {
       @Config("projectId") String projectId,
       @Config("locationId") String locationId,
       @Config("oauthClientId") String oauthClientId,
+      // Note that this has to be a service account, due to limitations of the Cloud Tasks API.
       @ApplicationDefaultCredential GoogleCredentialsBundle credential,
       SerializableCloudTasksClient client) {
     this.retrier = retrier;

core/src/main/java/google/registry/batch/DeleteProberDataAction.java

@@ -64,7 +64,7 @@ import org.joda.time.Duration;
     auth = Auth.AUTH_ADMIN)
 public class DeleteProberDataAction implements Runnable {
 
-  // TODO(b/323026070): Add email alert on failure of this action
+  // TODO(b/346390641): Add email alert on failure of this action
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
 
   /**

core/src/main/java/google/registry/batch/delete_expired_domain.xml

@@ -1,17 +0,0 @@
-<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
-  <command>
-    <delete>
-      <domain:delete
-       xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
-        <domain:name>%DOMAIN%</domain:name>
-      </domain:delete>
-    </delete>
-    <extension>
-      <metadata:metadata xmlns:metadata="urn:google:params:xml:ns:metadata-1.0">
-        <metadata:reason>Non-renewing domain has reached expiration date.</metadata:reason>
-        <metadata:requestedByRegistrar>false</metadata:requestedByRegistrar>
-      </metadata:metadata>
-    </extension>
-    <clTRID>ABC-12345</clTRID>
-  </command>
-</epp>

core/src/main/java/google/registry/config/RegistryConfig.java

@@ -119,6 +119,18 @@ public final class RegistryConfig {
       return config.gcpProject.projectIdNumber;
     }
 
+    @Provides
+    @Config("backendServiceIds")
+    public static Map<String, Long> provideBackendServiceIds(RegistryConfigSettings config) {
+      return config.gcpProject.backendServiceIds;
+    }
+
+    @Provides
+    @Config("baseDomain")
+    public static String provideBaseDomain(RegistryConfigSettings config) {
+      return config.gcpProject.baseDomain;
+    }
+
     @Provides
     @Config("locationId")
     public static String provideLocationId(RegistryConfigSettings config) {
@@ -1259,12 +1271,6 @@ public final class RegistryConfig {
       return config.auth.oauthClientId;
     }
 
-    @Provides
-    @Config("fallbackOauthClientId")
-    public static String provideFallbackOauthClientId(RegistryConfigSettings config) {
-      return config.auth.fallbackOauthClientId;
-    }
-
     /**
      * Provides the OAuth scopes required for accessing Google APIs using the default credential.
      */

core/src/main/java/google/registry/config/RegistryConfigSettings.java

@@ -56,13 +56,14 @@ public class RegistryConfigSettings {
     public String bsaServiceUrl;
     public String toolsServiceUrl;
     public String pubapiServiceUrl;
+    public Map<String, Long> backendServiceIds;
+    public String baseDomain;
   }
 
   /** Configuration options for authenticating users. */
   public static class Auth {
     public List<String> allowedServiceAccountEmails;
     public String oauthClientId;
-    public String fallbackOauthClientId;
   }
 
   /** Configuration options for accessing Google APIs. */

core/src/main/java/google/registry/config/files/default-config.yaml

@@ -1,5 +1,5 @@
 # This is the default configuration file for Nomulus. Do not make changes to it
-# unless you are writing new features that requires you to. To customize an
+# unless you are writing new features that require you to. To customize an
 # individual deployment or environment, create a nomulus-config.yaml file in the
 # WEB-INF/ directory overriding only the values you wish to change. You may need
 # to override some of these values to configure and enable some services used in
@@ -24,6 +24,17 @@ gcpProject:
   toolsServiceUrl: https://tools.example.com
   pubapiServiceUrl: https://pubapi.example.com
 
+  # The backend service IDs created when setting up GKE routes. They will be included in the
+  # audience field in the JWT that IAP creates.
+  # See: https://cloud.google.com/iap/docs/signed-headers-howto#verifying_the_jwt_payload
+  backendServiceIds:
+    frontend: 12345
+    backend: 12345
+    pubapi: 12345
+    console: 12345
+
+  # The base domain name of the registry service. Services are reachable at [service].baseDomain.
+  baseDomain: registry.test
 
 gSuite:
   # Publicly accessible domain name of the running G Suite instance.
@@ -328,25 +339,21 @@ caching:
 # Note: Only allowedServiceAccountEmails and oauthClientId should be configured.
 # Other fields are related to OAuth-based authentication and will be removed.
 auth:
-  # Service accounts (e.g. default service account, account used by Cloud
+  # Service accounts (e.g., default service account, account used by Cloud
   # Scheduler) allowed to send authenticated requests.
   allowedServiceAccountEmails:
   - default-service-account-email@email.com
   - cloud-scheduler-email@email.com
 
   # OAuth 2.0 client ID that will be used as the audience in OIDC ID tokens sent
-  # from clients (e.g. proxy, nomulus tool, cloud tasks) for authentication. The
+  # from clients (e.g., proxy, nomulus tool, cloud tasks) for authentication. The
   # same ID is the only one accepted by the regular OIDC or IAP authentication
-  # mechanisms. In most cases we should use the client ID created for IAP here,
+  # mechanisms. In most cases, we should use the client ID created for IAP here,
   # as it allows requests bearing a token with this audience to be accepted by
   # both IAP or regular OIDC. The clientId value in proxy config file should be
   # the same as this one.
   oauthClientId: iap-oauth-clientid
 
-  # Same as above, but serve as a fallback, so we can switch the client ID of
-  # the proxy without downtime.
-  fallbackOauthClientId: fallback-oauth-clientid
-
 credentialOAuth:
   # OAuth scopes required for accessing Google APIs using the default
   # credential.

core/src/main/java/google/registry/dns/RefreshDnsAction.java

@@ -36,7 +36,7 @@ import javax.inject.Inject;
 /** Action that manually triggers refresh of DNS information. */
 @Action(
     service = Action.Service.BACKEND,
-    path = "/_dr/dnsRefresh",
+    path = "/_dr/task/dnsRefresh",
     automaticallyPrintOk = true,
     auth = Auth.AUTH_ADMIN)
 public final class RefreshDnsAction implements Runnable {

core/src/main/java/google/registry/env/common/backend/WEB-INF/web.xml

@@ -165,7 +165,7 @@
   <!-- Manually refreshes DNS information. -->
   <servlet-mapping>
     <servlet-name>backend-servlet</servlet-name>
-    <url-pattern>/_dr/dnsRefresh</url-pattern>
+    <url-pattern>/_dr/task/dnsRefresh</url-pattern>
   </servlet-mapping>
 
   <!-- Fans out a cron task over an adjustable range of TLDs. -->

core/src/main/java/google/registry/flows/domain/DomainCreateFlow.java

@@ -266,7 +266,6 @@ public final class DomainCreateFlow implements MutatingFlow {
       validateLaunchCreateNotice(launchCreate.get().getNotice(), domainLabel, isSuperuser, now);
     }
     boolean isSunriseCreate = hasSignedMarks && (tldState == START_DATE_SUNRISE);
-    // TODO(sarahbot@): Add check for valid EPP actions on the token
     Optional<AllocationToken> allocationToken =
         allocationTokenFlowUtils.verifyAllocationTokenCreateIfPresent(
             command,
@@ -366,7 +365,7 @@ public final class DomainCreateFlow implements MutatingFlow {
         createAutorenewBillingEvent(
             domainHistoryId,
             registrationExpirationTime,
-            getRenewalPriceInfo(isAnchorTenant, allocationToken, feesAndCredits));
+            getRenewalPriceInfo(isAnchorTenant, allocationToken));
     PollMessage.Autorenew autorenewPollMessage =
         createAutorenewPollMessage(domainHistoryId, registrationExpirationTime);
     ImmutableSet.Builder<ImmutableObject> entitiesToSave = new ImmutableSet.Builder<>();
@@ -689,9 +688,7 @@ public final class DomainCreateFlow implements MutatingFlow {
    * AllocationToken} is 'SPECIFIED'.
    */
   static RenewalPriceInfo getRenewalPriceInfo(
-      boolean isAnchorTenant,
-      Optional<AllocationToken> allocationToken,
-      FeesAndCredits feesAndCredits) {
+      boolean isAnchorTenant, Optional<AllocationToken> allocationToken) {
     if (isAnchorTenant) {
       allocationToken.ifPresent(
           token ->
@@ -702,7 +699,7 @@ public final class DomainCreateFlow implements MutatingFlow {
     } else if (allocationToken.isPresent()
         && allocationToken.get().getRenewalPriceBehavior() == RenewalPriceBehavior.SPECIFIED) {
       return RenewalPriceInfo.create(
-          RenewalPriceBehavior.SPECIFIED, feesAndCredits.getCreateCost());
+          RenewalPriceBehavior.SPECIFIED, allocationToken.get().getRenewalPrice().get());
     } else {
       return RenewalPriceInfo.create(RenewalPriceBehavior.DEFAULT, null);
     }

core/src/main/java/google/registry/flows/domain/DomainUpdateFlow.java

@@ -14,7 +14,6 @@
 
 package google.registry.flows.domain;
 
-import static com.google.common.base.MoreObjects.firstNonNull;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static com.google.common.collect.ImmutableSortedSet.toImmutableSortedSet;
 import static com.google.common.collect.Sets.symmetricDifference;
@@ -282,7 +281,7 @@ public final class DomainUpdateFlow implements MutatingFlow {
             .removeContacts(remove.getContacts())
             .addContacts(add.getContacts())
             .setRegistrant(determineUpdatedRegistrant(change, domain))
-            .setAuthInfo(firstNonNull(change.getAuthInfo(), domain.getAuthInfo()));
+            .setAuthInfo(Optional.ofNullable(change.getAuthInfo()).orElse(domain.getAuthInfo()));
 
     if (!add.getNameservers().isEmpty()) {
       domainBuilder.addNameservers(add.getNameservers().stream().collect(toImmutableSet()));

core/src/main/java/google/registry/model/OteAccountBuilder.java

@@ -32,7 +32,6 @@ import com.google.common.collect.Streams;
 import google.registry.batch.CloudTasksUtils;
 import google.registry.model.console.RegistrarRole;
 import google.registry.model.console.User;
-import google.registry.model.console.UserDao;
 import google.registry.model.console.UserRoles;
 import google.registry.model.pricing.StaticPremiumListPricingEngine;
 import google.registry.model.registrar.Registrar;
@@ -48,9 +47,7 @@ import google.registry.util.CidrAddressBlock;
 import google.registry.util.RegistryEnvironment;
 import java.util.ArrayList;
 import java.util.Collection;
-import java.util.HashMap;
 import java.util.List;
-import java.util.Map;
 import java.util.Optional;
 import java.util.function.Function;
 import java.util.regex.Pattern;
@@ -271,29 +268,21 @@ public final class OteAccountBuilder {
       Optional<String> groupEmailAddress, CloudTasksUtils cloudTasksUtils, IamClient iamClient) {
     for (User user : users) {
       User.grantIapPermission(
-          user.getEmailAddress(), groupEmailAddress, cloudTasksUtils, iamClient);
+          user.getEmailAddress(), groupEmailAddress, cloudTasksUtils, null, iamClient);
     }
   }
 
   /** Saves all the OT&amp;E entities we created. */
   private void saveAllEntities() {
     ImmutableList<Tld> registries = ImmutableList.of(sunriseTld, gaTld, eapTld);
-    Map<String, User> existingUsers = new HashMap<>();
-
-    users.forEach(
-        user ->
-            UserDao.loadUser(user.getEmailAddress())
-                .ifPresent(
-                    existingUser ->
-                        existingUsers.put(existingUser.getEmailAddress(), existingUser)));
-
-    if (!replaceExisting) {
-      checkState(existingUsers.isEmpty(), "Found existing users: %s", existingUsers);
-    }
-
     tm().transact(
             () -> {
               if (!replaceExisting) {
+                ImmutableMap<String, User> existingUsers =
+                    tm().loadByEntitiesIfPresent(users).stream()
+                        .collect(toImmutableMap(User::getEmailAddress, u -> u));
+                checkState(existingUsers.isEmpty(), "Found existing users: %s", existingUsers);
+
                 ImmutableList<VKey<? extends ImmutableObject>> keys =
                     Streams.concat(
                             registries.stream().map(tld -> Tld.createVKey(tld.getTldStr())),
@@ -317,16 +306,7 @@ public final class OteAccountBuilder {
               tm().putAll(registrars);
             });
 
-    for (User user : users) {
-      String email = user.getEmailAddress();
-      if (existingUsers.containsKey(email)) {
-        // Note that other roles for the existing user are reset. We do this instead of simply
-        // saving the new user is that UserDao does not allow us to save the new user with the same
-        // email as the existing user.
-        user = existingUsers.get(email).asBuilder().setUserRoles(user.getUserRoles()).build();
-      }
-      UserDao.saveUser(user);
-    }
+    tm().transact(() -> tm().putAll(ImmutableList.copyOf(users)));
   }
 
   private Registrar addAllowedTld(Registrar registrar) {

core/src/main/java/google/registry/model/common/FeatureFlag.java

@@ -63,7 +63,8 @@ public class FeatureFlag extends ImmutableObject implements Buildable {
   public enum FeatureName {
     TEST_FEATURE,
     MINIMUM_DATASET_CONTACTS_OPTIONAL,
-    MINIMUM_DATASET_CONTACTS_PROHIBITED
+    MINIMUM_DATASET_CONTACTS_PROHIBITED,
+    NEW_CONSOLE
   }
 
   /** The name of the flag/feature. */

core/src/main/java/google/registry/model/console/User.java

@@ -14,33 +14,36 @@
 
 package google.registry.model.console;
 
+import static com.google.common.base.Preconditions.checkArgument;
 import static google.registry.tools.server.UpdateUserGroupAction.GROUP_UPDATE_QUEUE;
 
 import com.google.cloud.tasks.v2.Task;
+import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableMultimap;
 import com.google.common.flogger.FluentLogger;
+import com.google.common.net.MediaType;
 import google.registry.batch.CloudTasksUtils;
 import google.registry.persistence.VKey;
 import google.registry.request.Action.Service;
 import google.registry.tools.IamClient;
+import google.registry.tools.ServiceConnection;
 import google.registry.tools.server.UpdateUserGroupAction;
 import google.registry.tools.server.UpdateUserGroupAction.Mode;
 import google.registry.util.RegistryEnvironment;
+import java.io.IOException;
 import java.util.Optional;
+import javax.annotation.Nullable;
 import javax.persistence.Access;
 import javax.persistence.AccessType;
 import javax.persistence.Embeddable;
 import javax.persistence.Entity;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
 import javax.persistence.Id;
-import javax.persistence.Index;
 import javax.persistence.Table;
 
 /** A console user, either a registry employee or a registrar partner. */
 @Embeddable
 @Entity
-@Table(indexes = {@Index(columnList = "emailAddress", name = "user_email_address_idx")})
+@Table
 public class User extends UserBase {
 
   public static final String IAP_SECURED_WEB_APP_USER_ROLE = "roles/iap.httpsResourceAccessor";
@@ -55,18 +58,30 @@ public class User extends UserBase {
   public static void grantIapPermission(
       String emailAddress,
       Optional<String> groupEmailAddress,
-      CloudTasksUtils cloudTasksUtils,
+      @Nullable CloudTasksUtils cloudTasksUtils,
+      @Nullable ServiceConnection connection,
       IamClient iamClient) {
     if (RegistryEnvironment.isInTestServer()) {
       return;
     }
+    checkArgument(
+        cloudTasksUtils != null || connection != null,
+        "At least one of cloudTasksUtils or connection must be set");
+    checkArgument(
+        cloudTasksUtils == null || connection == null,
+        "Only one of cloudTasksUtils or connection can be set");
     if (groupEmailAddress.isEmpty()) {
       logger.atInfo().log("Granting IAP role to user %s", emailAddress);
       iamClient.addBinding(emailAddress, IAP_SECURED_WEB_APP_USER_ROLE);
     } else {
       logger.atInfo().log("Adding %s to group %s", emailAddress, groupEmailAddress.get());
-      modifyGroupMembershipAsync(
-          emailAddress, groupEmailAddress.get(), cloudTasksUtils, UpdateUserGroupAction.Mode.ADD);
+      if (cloudTasksUtils != null) {
+        modifyGroupMembershipAsync(
+            emailAddress, groupEmailAddress.get(), cloudTasksUtils, UpdateUserGroupAction.Mode.ADD);
+      } else {
+        modifyGroupMembershipSync(
+            emailAddress, groupEmailAddress.get(), connection, UpdateUserGroupAction.Mode.ADD);
+      }
     }
   }
 
@@ -79,18 +94,29 @@ public class User extends UserBase {
   public static void revokeIapPermission(
       String emailAddress,
       Optional<String> groupEmailAddress,
-      CloudTasksUtils cloudTasksUtils,
+      @Nullable CloudTasksUtils cloudTasksUtils,
+      @Nullable ServiceConnection connection,
       IamClient iamClient) {
     if (RegistryEnvironment.isInTestServer()) {
       return;
     }
+    checkArgument(
+        cloudTasksUtils != null || connection != null,
+        "At least one of cloudTasksUtils or connection must be set");
+    checkArgument(
+        cloudTasksUtils == null || connection == null,
+        "Only one of cloudTasksUtils or connection can be set");
     if (groupEmailAddress.isEmpty()) {
       logger.atInfo().log("Removing IAP role from user %s", emailAddress);
       iamClient.removeBinding(emailAddress, IAP_SECURED_WEB_APP_USER_ROLE);
     } else {
       logger.atInfo().log("Removing %s from group %s", emailAddress, groupEmailAddress.get());
-      modifyGroupMembershipAsync(
-          emailAddress, groupEmailAddress.get(), cloudTasksUtils, Mode.REMOVE);
+      if (cloudTasksUtils != null) {
+        modifyGroupMembershipAsync(
+            emailAddress, groupEmailAddress.get(), cloudTasksUtils, Mode.REMOVE);
+      } else {
+        modifyGroupMembershipSync(emailAddress, groupEmailAddress.get(), connection, Mode.REMOVE);
+      }
     }
   }
 
@@ -113,12 +139,30 @@ public class User extends UserBase {
     cloudTasksUtils.enqueue(GROUP_UPDATE_QUEUE, task);
   }
 
-  @Override
+  private static void modifyGroupMembershipSync(
+      String userEmailAddress, String groupEmailAddress, ServiceConnection connection, Mode mode) {
+    try {
+      connection.sendPostRequest(
+          UpdateUserGroupAction.PATH,
+          ImmutableMap.of(
+              "userEmailAddress",
+              userEmailAddress,
+              "groupEmailAddress",
+              groupEmailAddress,
+              "groupUpdateMode",
+              mode.name()),
+          MediaType.PLAIN_TEXT_UTF_8,
+          new byte[0]);
+    } catch (IOException e) {
+      throw new RuntimeException("Cannot send request to server", e);
+    }
+  }
+
   @Id
-  @GeneratedValue(strategy = GenerationType.IDENTITY)
+  @Override
   @Access(AccessType.PROPERTY)
-  public Long getId() {
-    return super.getId();
+  public String getEmailAddress() {
+    return super.getEmailAddress();
   }
 
   @Override
@@ -128,7 +172,7 @@ public class User extends UserBase {
 
   @Override
   public VKey<User> createVKey() {
-    return VKey.create(User.class, getId());
+    return VKey.create(User.class, getEmailAddress());
   }
 
   /** Builder for constructing immutable {@link User} objects. */

core/src/main/java/google/registry/model/console/UserBase.java

@@ -49,12 +49,8 @@ public class UserBase extends UpdateAutoTimestampEntity implements Buildable {
 
   private static final long serialVersionUID = 6936728603828566721L;
 
-  /** Autogenerated unique ID of this user. */
-  @Transient private Long id;
-
   /** Email address of the user in question. */
-  @Column(nullable = false)
-  String emailAddress;
+  @Transient String emailAddress;
 
   /** Optional external email address to use for registry lock confirmation emails. */
   @Column String registryLockEmailAddress;
@@ -72,22 +68,17 @@ public class UserBase extends UpdateAutoTimestampEntity implements Buildable {
   /** Randomly generated hash salt. */
   String registryLockPasswordSalt;
 
-  public Long getId() {
-    return id;
-  }
-
   /**
-   * Sets the user ID.
+   * Sets the user email address.
    *
-   * <p>This should only be used for restoring the user id of an object being loaded in a PostLoad
-   * method (effectively, when it is still under construction by Hibernate). In all other cases, the
-   * object should be regarded as immutable and changes should go through a Builder.
+   * <p>This should only be used for restoring an object being loaded in a PostLoad method
+   * (effectively, when it is still under construction by Hibernate). In all other cases, the object
+   * should be regarded as immutable and changes should go through a Builder.
    *
    * <p>In addition to this special case use, this method must exist to satisfy Hibernate.
    */
-  @SuppressWarnings("unused")
-  void setId(Long id) {
-    this.id = id;
+  void setEmailAddress(String emailAddress) {
+    this.emailAddress = emailAddress;
   }
 
   public String getEmailAddress() {

core/src/main/java/google/registry/model/console/UserDao.java

@@ -1,54 +0,0 @@
-// Copyright 2022 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.model.console;
-
-import static com.google.common.base.Preconditions.checkArgument;
-import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
-
-import java.util.Optional;
-
-/** Data access object for {@link User} objects to simplify saving and retrieval. */
-public class UserDao {
-
-  /** Retrieves the one user with this email address if it exists. */
-  public static Optional<User> loadUser(String emailAddress) {
-    return tm().transact(
-            () ->
-                tm().query("FROM User WHERE emailAddress = :emailAddress", User.class)
-                    .setParameter("emailAddress", emailAddress)
-                    .getResultStream()
-                    .findFirst());
-  }
-
-  /** Saves the given user, checking that no existing user already exists with this email. */
-  public static void saveUser(User user) {
-    tm().transact(
-            () -> {
-              // Check for an existing user (the unique constraint protects us, but this gives a
-              // nicer exception)
-              Optional<User> maybeSavedUser = loadUser(user.getEmailAddress());
-              if (maybeSavedUser.isPresent()) {
-                User savedUser = maybeSavedUser.get();
-                checkArgument(
-                    savedUser.getId().equals(user.getId()),
-                    String.format(
-                        "Attempted save of User with email address %s and ID %s, user with that"
-                            + " email already exists with ID %s",
-                        user.getEmailAddress(), user.getId(), savedUser.getId()));
-              }
-              tm().put(user);
-            });
-  }
-}

core/src/main/java/google/registry/model/console/UserUpdateHistory.java

@@ -38,9 +38,8 @@ public class UserUpdateHistory extends ConsoleUpdateHistory {
 
   UserBase user;
 
-  // This field exists so that it's populated in the SQL table
-  @Column(nullable = false, name = "userId")
-  Long id;
+  @Column(nullable = false, name = "emailAddress")
+  String emailAddress;
 
   public UserBase getUser() {
     return user;
@@ -48,7 +47,7 @@ public class UserUpdateHistory extends ConsoleUpdateHistory {
 
   @PostLoad
   void postLoad() {
-    user.setId(id);
+    user.setEmailAddress(emailAddress);
   }
 
   /** Creates a {@link VKey} instance for this entity. */
@@ -79,7 +78,7 @@ public class UserUpdateHistory extends ConsoleUpdateHistory {
 
     public Builder setUser(User user) {
       getInstance().user = user;
-      getInstance().id = user.getId();
+      getInstance().emailAddress = user.getEmailAddress();
       return this;
     }
   }

core/src/main/java/google/registry/model/domain/DomainBase.java

@@ -144,6 +144,7 @@ public class DomainBase extends EppResource
     @AttributeOverride(name = "pw.value", column = @Column(name = "auth_info_value")),
     @AttributeOverride(name = "pw.repoId", column = @Column(name = "auth_info_repo_id")),
   })
+  @Nullable
   DomainAuthInfo authInfo;
 
   /** Data used to construct DS records for this domain. */
@@ -620,6 +621,7 @@ public class DomainBase extends EppResource
     return getAllContacts(true);
   }
 
+  @Nullable
   public DomainAuthInfo getAuthInfo() {
     return authInfo;
   }

core/src/main/java/google/registry/model/domain/token/AllocationToken.java

@@ -139,7 +139,7 @@ public class AllocationToken extends UpdateAutoTimestampEntity implements Builda
     /** Token saved on a TLD to use if no other token is passed from the client */
     DEFAULT_PROMO(/* isOneTimeUse= */ false),
     /** This is the old name for what is now BULK_PRICING. */
-    // TODO(sarahbot@): Remove this type once all tokens of this type have been scrubbed from the
+    // TODO(b/261763205): Remove this type once all tokens of this type have been scrubbed from the
     // database
     @Deprecated
     PACKAGE(/* isOneTimeUse= */ false),

core/src/main/java/google/registry/model/eppcommon/AuthInfo.java

@@ -16,6 +16,7 @@ package google.registry.model.eppcommon;
 
 import google.registry.model.ImmutableObject;
 import google.registry.model.UnsafeSerializable;
+import javax.annotation.Nullable;
 import javax.persistence.Embeddable;
 import javax.persistence.Embedded;
 import javax.persistence.MappedSuperclass;
@@ -49,10 +50,12 @@ public abstract class AuthInfo extends ImmutableObject implements UnsafeSerializ
   public static class PasswordAuth extends ImmutableObject implements UnsafeSerializable {
     @XmlValue
     @XmlJavaTypeAdapter(NormalizedStringAdapter.class)
+    @Nullable
     String value;
 
     @XmlAttribute(name = "roid")
     @XmlJavaTypeAdapter(CollapsedStringAdapter.class)
+    @Nullable
     String repoId;
 
     public String getValue() {
@@ -63,14 +66,14 @@ public abstract class AuthInfo extends ImmutableObject implements UnsafeSerializ
       return repoId;
     }
 
-    public static PasswordAuth create(String value, String repoId) {
+    public static PasswordAuth create(@Nullable String value, @Nullable String repoId) {
       PasswordAuth instance = new PasswordAuth();
       instance.value = value;
       instance.repoId = repoId;
       return instance;
     }
 
-    public static PasswordAuth create(String value) {
+    public static PasswordAuth create(@Nullable String value) {
       return create(value, null);
     }
   }

core/src/main/java/google/registry/model/registrar/RegistrarBase.java

@@ -233,6 +233,7 @@ public class RegistrarBase extends UpdateAutoTimestampEntity implements Buildabl
   String registrarName;
 
   /** The type of this registrar. */
+  @Expose
   @Column(nullable = false)
   @Enumerated(EnumType.STRING)
   Type type;

core/src/main/java/google/registry/model/registrar/RegistrarPoc.java

@@ -25,8 +25,6 @@ import javax.persistence.AccessType;
 import javax.persistence.Entity;
 import javax.persistence.Id;
 import javax.persistence.IdClass;
-import javax.persistence.Index;
-import javax.persistence.Table;
 
 /**
  * A contact for a Registrar. Note, equality, hashCode and comparable have been overridden to only
@@ -37,7 +35,6 @@ import javax.persistence.Table;
  * set to true.
  */
 @Entity
-@Table(indexes = @Index(columnList = "loginEmailAddress", name = "registrarpoc_login_email_idx"))
 @IdClass(RegistrarPocId.class)
 @Access(AccessType.FIELD)
 public class RegistrarPoc extends RegistrarPocBase {

core/src/main/java/google/registry/model/registrar/RegistrarPocBase.java

@@ -98,12 +98,7 @@ public class RegistrarPocBase extends ImmutableObject implements Jsonifiable, Un
   /** The name of the contact. */
   @Expose String name;
 
-  /**
-   * The contact email address of the contact.
-   *
-   * <p>This is different from the login email which is assgined to the regstrar and cannot be
-   * changed.
-   */
+  /** The contact email address of the contact. */
   @Expose @Transient String emailAddress;
 
   @Expose @Transient public String registrarId;
@@ -123,9 +118,6 @@ public class RegistrarPocBase extends ImmutableObject implements Jsonifiable, Un
    */
   @Expose Set<Type> types;
 
-  /** A GAIA email address that was assigned to the registrar for console login purpose. */
-  String loginEmailAddress;
-
   /**
    * Whether this contact is publicly visible in WHOIS registrar query results as an Admin contact.
    */
@@ -219,10 +211,6 @@ public class RegistrarPocBase extends ImmutableObject implements Jsonifiable, Un
     return visibleInDomainWhoisAsAbuse;
   }
 
-  public String getLoginEmailAddress() {
-    return loginEmailAddress;
-  }
-
   public Builder<? extends RegistrarPocBase, ?> asBuilder() {
     return new Builder<>(clone(this));
   }
@@ -286,13 +274,6 @@ public class RegistrarPocBase extends ImmutableObject implements Jsonifiable, Un
                 + "Registrar Abuse contact info: ")
         .append(getVisibleInDomainWhoisAsAbuse() ? "Yes" : "No")
         .append('\n');
-    result
-        .append("Registrar-Console access: ")
-        .append(getLoginEmailAddress() != null ? "Yes" : "No")
-        .append('\n');
-    if (getLoginEmailAddress() != null) {
-      result.append("Login Email Address: ").append(getLoginEmailAddress()).append('\n');
-    }
     return result.toString();
   }
 
@@ -310,7 +291,6 @@ public class RegistrarPocBase extends ImmutableObject implements Jsonifiable, Un
         .put("visibleInDomainWhoisAsAbuse", visibleInDomainWhoisAsAbuse)
         .put("allowedToSetRegistryLockPassword", allowedToSetRegistryLockPassword)
         .put("registryLockAllowed", isRegistryLockAllowed())
-        .put("loginEmailAddress", loginEmailAddress)
         .build();
   }
 
@@ -411,11 +391,6 @@ public class RegistrarPocBase extends ImmutableObject implements Jsonifiable, Un
       return thisCastToDerived();
     }
 
-    public B setLoginEmailAddress(String loginEmailAddress) {
-      getInstance().loginEmailAddress = loginEmailAddress;
-      return thisCastToDerived();
-    }
-
     public B setAllowedToSetRegistryLockPassword(boolean allowedToSetRegistryLockPassword) {
       if (allowedToSetRegistryLockPassword) {
         getInstance().registryLockPasswordSalt = null;

core/src/main/java/google/registry/module/RegistryComponent.java

@@ -102,9 +102,11 @@ interface RegistryComponent {
   class RegistryModule {
     @Provides
     static RequestHandler<RequestComponent> provideRequestHandler(
+        @Config("baseDomain") String baseDomain,
         Provider<RequestComponent.Builder> componentProvider,
         RequestAuthenticator requestAuthenticator) {
-      return RequestHandler.create(RequestComponent.class, componentProvider, requestAuthenticator);
+      return RequestHandler.create(
+          RequestComponent.class, baseDomain, componentProvider, requestAuthenticator);
     }
   }
 }

core/src/main/java/google/registry/module/RequestComponent.java

@@ -113,6 +113,8 @@ import google.registry.ui.server.console.ConsoleDomainGetAction;
 import google.registry.ui.server.console.ConsoleDomainListAction;
 import google.registry.ui.server.console.ConsoleDumDownloadAction;
 import google.registry.ui.server.console.ConsoleEppPasswordAction;
+import google.registry.ui.server.console.ConsoleModule;
+import google.registry.ui.server.console.ConsoleOteAction;
 import google.registry.ui.server.console.ConsoleRegistryLockAction;
 import google.registry.ui.server.console.ConsoleRegistryLockVerifyAction;
 import google.registry.ui.server.console.ConsoleUpdateRegistrarAction;
@@ -121,15 +123,6 @@ import google.registry.ui.server.console.RegistrarsAction;
 import google.registry.ui.server.console.settings.ContactAction;
 import google.registry.ui.server.console.settings.SecurityAction;
 import google.registry.ui.server.console.settings.WhoisRegistrarFieldsAction;
-import google.registry.ui.server.registrar.ConsoleOteSetupAction;
-import google.registry.ui.server.registrar.ConsoleRegistrarCreatorAction;
-import google.registry.ui.server.registrar.ConsoleUiAction;
-import google.registry.ui.server.registrar.OteStatusAction;
-import google.registry.ui.server.registrar.RegistrarConsoleModule;
-import google.registry.ui.server.registrar.RegistrarSettingsAction;
-import google.registry.ui.server.registrar.RegistryLockGetAction;
-import google.registry.ui.server.registrar.RegistryLockPostAction;
-import google.registry.ui.server.registrar.RegistryLockVerifyAction;
 import google.registry.whois.WhoisAction;
 import google.registry.whois.WhoisHttpAction;
 import google.registry.whois.WhoisModule;
@@ -142,6 +135,7 @@ import google.registry.whois.WhoisModule;
       BillingModule.class,
       CheckApiModule.class,
       CloudDnsWriterModule.class,
+      ConsoleModule.class,
       CronModule.class,
       CustomLogicModule.class,
       DnsCountQueryCoordinatorModule.class,
@@ -154,7 +148,6 @@ import google.registry.whois.WhoisModule;
       LoadTestModule.class,
       RdapModule.class,
       RdeModule.class,
-      RegistrarConsoleModule.class,
       ReportingModule.class,
       RequestModule.class,
       SheetModule.class,
@@ -186,16 +179,12 @@ interface RequestComponent {
 
   ConsoleEppPasswordAction consoleEppPasswordAction();
 
-  ConsoleOteSetupAction consoleOteSetupAction();
-
-  ConsoleRegistrarCreatorAction consoleRegistrarCreatorAction();
+  ConsoleOteAction consoleOteAction();
 
   ConsoleRegistryLockAction consoleRegistryLockAction();
 
   ConsoleRegistryLockVerifyAction consoleRegistryLockVerifyAction();
 
-  ConsoleUiAction consoleUiAction();
-
   ConsoleUpdateRegistrarAction consoleUpdateRegistrarAction();
 
   ConsoleUserDataAction consoleUserDataAction();
@@ -254,8 +243,6 @@ interface RequestComponent {
 
   NordnVerifyAction nordnVerifyAction();
 
-  OteStatusAction oteStatusAction();
-
   PublishDnsUpdatesAction publishDnsUpdatesAction();
 
   PublishInvoicesAction uploadInvoicesAction();
@@ -296,16 +283,8 @@ interface RequestComponent {
 
   RefreshDnsOnHostRenameAction refreshDnsOnHostRenameAction();
 
-  RegistrarSettingsAction registrarSettingsAction();
-
   RegistrarsAction registrarsAction();
 
-  RegistryLockGetAction registryLockGetAction();
-
-  RegistryLockPostAction registryLockPostAction();
-
-  RegistryLockVerifyAction registryLockVerifyAction();
-
   RelockDomainAction relockDomainAction();
 
   ResaveAllEppResourcesPipelineAction resaveAllEppResourcesPipelineAction();

core/src/main/java/google/registry/module/frontend/FrontendRequestComponent.java

@@ -29,6 +29,8 @@ import google.registry.ui.server.console.ConsoleDomainGetAction;
 import google.registry.ui.server.console.ConsoleDomainListAction;
 import google.registry.ui.server.console.ConsoleDumDownloadAction;
 import google.registry.ui.server.console.ConsoleEppPasswordAction;
+import google.registry.ui.server.console.ConsoleModule;
+import google.registry.ui.server.console.ConsoleOteAction;
 import google.registry.ui.server.console.ConsoleRegistryLockAction;
 import google.registry.ui.server.console.ConsoleRegistryLockVerifyAction;
 import google.registry.ui.server.console.ConsoleUpdateRegistrarAction;
@@ -41,7 +43,6 @@ import google.registry.ui.server.registrar.ConsoleOteSetupAction;
 import google.registry.ui.server.registrar.ConsoleRegistrarCreatorAction;
 import google.registry.ui.server.registrar.ConsoleUiAction;
 import google.registry.ui.server.registrar.OteStatusAction;
-import google.registry.ui.server.registrar.RegistrarConsoleModule;
 import google.registry.ui.server.registrar.RegistrarSettingsAction;
 import google.registry.ui.server.registrar.RegistryLockGetAction;
 import google.registry.ui.server.registrar.RegistryLockPostAction;
@@ -54,7 +55,7 @@ import google.registry.ui.server.registrar.RegistryLockVerifyAction;
       BatchModule.class,
       DnsModule.class,
       EppTlsModule.class,
-      RegistrarConsoleModule.class,
+      ConsoleModule.class,
       RequestModule.class,
       WhiteboxModule.class,
     })
@@ -65,6 +66,8 @@ public interface FrontendRequestComponent {
 
   ConsoleEppPasswordAction consoleEppPasswordAction();
 
+  ConsoleOteAction consoleOteAction();
+
   ConsoleOteSetupAction consoleOteSetupAction();
   ConsoleRegistrarCreatorAction consoleRegistrarCreatorAction();
 

core/src/main/java/google/registry/reporting/icann/ActivityReportingQueryBuilder.java

@@ -82,7 +82,6 @@ public final class ActivityReportingQueryBuilder implements QueryBuilder {
 
     // Convert reportingMonth into YYYYMMDD format for Bigquery table partition pattern-matching.
     DateTimeFormatter logTableFormatter = DateTimeFormat.forPattern("yyyyMMdd");
-    // The monthly logs are a shared dependency for epp counts and whois metrics
     String monthlyLogsQuery =
         SqlTemplate.create(getQueryFromFile("monthly_logs.sql"))
             .put("PROJECT_ID", projectId)
@@ -96,12 +95,10 @@ public final class ActivityReportingQueryBuilder implements QueryBuilder {
     String eppQuery =
         SqlTemplate.create(getQueryFromFile("epp_metrics.sql"))
             .put("PROJECT_ID", projectId)
-            .put("ICANN_REPORTING_DATA_SET", icannReportingDataSet)
-            .put("MONTHLY_LOGS_TABLE", getTableName(MONTHLY_LOGS, yearMonth))
-            // All metadata logs for reporting come from google.registry.flows.FlowReporter.
-            .put(
-                "METADATA_LOG_PREFIX",
-                "google.registry.flows.FlowReporter recordToLogs: FLOW-LOG-SIGNATURE-METADATA")
+            .put("APPENGINE_LOGS_DATA_SET", "appengine_logs")
+            .put("APP_LOGS_TABLE", "_var_log_app_")
+            .put("FIRST_DAY_OF_MONTH", logTableFormatter.print(firstDayOfMonth))
+            .put("LAST_DAY_OF_MONTH", logTableFormatter.print(lastDayOfMonth))
             .build();
     queriesBuilder.put(getTableName(EPP_METRICS, yearMonth), eppQuery);
 

core/src/main/java/google/registry/reporting/icann/IcannReportingModule.java

@@ -14,6 +14,7 @@
 
 package google.registry.reporting.icann;
 
+import static google.registry.request.RequestParameters.extractOptionalBooleanParameter;
 import static google.registry.request.RequestParameters.extractOptionalParameter;
 import static google.registry.request.RequestParameters.extractRequiredParameter;
 import static google.registry.request.RequestParameters.extractSetOfEnumParameters;
@@ -42,6 +43,7 @@ public final class IcannReportingModule {
 
   static final String PARAM_SUBDIR = "subdir";
   static final String PARAM_REPORT_TYPES = "reportTypes";
+  static final String PARAM_SHOULD_UPLOAD = "shouldUpload";
   static final String ICANN_REPORTING_DATA_SET = "icannReportingDataSet";
   static final String MANIFEST_FILE_NAME = "MANIFEST.txt";
 
@@ -76,6 +78,12 @@ public final class IcannReportingModule {
     return reportTypes.isEmpty() ? ImmutableSet.copyOf(ReportType.values()) : reportTypes;
   }
 
+  @Provides
+  @Parameter(PARAM_SHOULD_UPLOAD)
+  static boolean provideShouldUpload(HttpServletRequest req) {
+    return extractOptionalBooleanParameter(req, PARAM_SHOULD_UPLOAD).orElse(true);
+  }
+
   /**
    * Constructs a BigqueryConnection with default settings.
    *

core/src/main/java/google/registry/reporting/icann/IcannReportingStagingAction.java

@@ -16,6 +16,7 @@ package google.registry.reporting.icann;
 
 import static com.google.common.base.Throwables.getRootCause;
 import static google.registry.reporting.icann.IcannReportingModule.PARAM_REPORT_TYPES;
+import static google.registry.reporting.icann.IcannReportingModule.PARAM_SHOULD_UPLOAD;
 import static google.registry.reporting.icann.IcannReportingModule.PARAM_SUBDIR;
 import static google.registry.request.Action.Method.POST;
 import static jakarta.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
@@ -30,6 +31,7 @@ import google.registry.batch.CloudTasksUtils;
 import google.registry.bigquery.BigqueryJobFailureException;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.groups.GmailClient;
+import google.registry.reporting.ReportingModule;
 import google.registry.reporting.icann.IcannReportingModule.ReportType;
 import google.registry.request.Action;
 import google.registry.request.Action.Service;
@@ -79,6 +81,15 @@ public final class IcannReportingStagingAction implements Runnable {
   @Inject YearMonth yearMonth;
   @Inject @Parameter(PARAM_SUBDIR) Optional<String> overrideSubdir;
   @Inject @Parameter(PARAM_REPORT_TYPES) ImmutableSet<ReportType> reportTypes;
+
+  @Inject
+  @Parameter(ReportingModule.SEND_EMAIL)
+  boolean sendEmail;
+
+  @Inject
+  @Parameter(PARAM_SHOULD_UPLOAD)
+  boolean shouldUpload;
+
   @Inject IcannReportingStager stager;
   @Inject Retrier retrier;
   @Inject Response response;
@@ -106,28 +117,35 @@ public final class IcannReportingStagingAction implements Runnable {
             stager.createAndUploadManifest(subdir, manifestedFiles);
 
             logger.atInfo().log("Completed staging %d report files.", manifestedFiles.size());
-            gmailClient.sendEmail(
-                EmailMessage.newBuilder()
-                    .setSubject("ICANN Monthly report staging summary [SUCCESS]")
-                    .setBody(
-                        String.format(
-                            "Completed staging the following %d ICANN reports:\n%s",
-                            manifestedFiles.size(), Joiner.on('\n').join(manifestedFiles)))
-                    .addRecipient(recipient)
-                    .build());
-
+            if (sendEmail) {
+              gmailClient.sendEmail(
+                  EmailMessage.newBuilder()
+                      .setSubject("ICANN Monthly report staging summary [SUCCESS]")
+                      .setBody(
+                          String.format(
+                              "Completed staging the following %d ICANN reports:\n%s",
+                              manifestedFiles.size(), Joiner.on('\n').join(manifestedFiles)))
+                      .addRecipient(recipient)
+                      .build());
+            } else {
+              logger.atInfo().log("Would have sent staging report summary to %s", recipient);
+            }
             response.setStatus(SC_OK);
             response.setContentType(MediaType.PLAIN_TEXT_UTF_8);
             response.setPayload("Completed staging action.");
 
-            logger.atInfo().log("Enqueueing report upload.");
-            cloudTasksUtils.enqueue(
-                CRON_QUEUE,
-                cloudTasksUtils.createPostTaskWithDelay(
-                    IcannReportingUploadAction.PATH,
-                    Service.BACKEND,
-                    null,
-                    Duration.standardMinutes(2)));
+            if (shouldUpload) {
+              logger.atInfo().log("Enqueueing report upload.");
+              cloudTasksUtils.enqueue(
+                  CRON_QUEUE,
+                  cloudTasksUtils.createPostTaskWithDelay(
+                      IcannReportingUploadAction.PATH,
+                      Service.BACKEND,
+                      null,
+                      Duration.standardMinutes(2)));
+            } else {
+              logger.atInfo().log("Would have enqueued report upload");
+            }
             return null;
           },
           BigqueryJobFailureException.class);

core/src/main/java/google/registry/reporting/icann/TransactionsReportingQueryBuilder.java

@@ -113,13 +113,9 @@ public final class TransactionsReportingQueryBuilder implements QueryBuilder {
         SqlTemplate.create(getQueryFromFile("cloud_sql_attempted_adds.sql"))
             .put("PROJECT_ID", projectId)
             .put("APPENGINE_LOGS_DATA_SET", "appengine_logs")
-            .put("REQUEST_TABLE", "appengine_googleapis_com_request_log_")
+            .put("APP_LOGS_TABLE", "_var_log_app_")
             .put("FIRST_DAY_OF_MONTH", logTableFormatter.print(earliestReportTime))
             .put("LAST_DAY_OF_MONTH", logTableFormatter.print(latestReportTime))
-            // All metadata logs for reporting come from google.registry.flows.FlowReporter.
-            .put(
-                "METADATA_LOG_PREFIX",
-                "google.registry.flows.FlowReporter recordToLogs: FLOW-LOG-SIGNATURE-METADATA")
             .build();
     queriesBuilder.put(getTableName(ATTEMPTED_ADDS, yearMonth), attemptedAddsQuery);
 

core/src/main/java/google/registry/request/Action.java

@@ -14,6 +14,8 @@
 
 package google.registry.request;
 
+import static com.google.common.base.Preconditions.checkState;
+
 import google.registry.request.auth.Auth;
 import java.lang.annotation.ElementType;
 import java.lang.annotation.Retention;
@@ -36,7 +38,6 @@ public @interface Action {
     BACKEND("backend"),
     PUBAPI("pubapi");
 
-
     private final String serviceId;
 
     Service(String serviceId) {
@@ -49,9 +50,33 @@ public @interface Action {
     }
   }
 
+  enum GkeService {
+    // This designation means that it defers to the GAE service, so we don't have to annotate EVERY
+    // action during the GKE migration.
+    SAME_AS_GAE("same_as_gae"),
+    FRONTEND("frontend"),
+    BACKEND("backend"),
+    PUBAPI("pubapi"),
+    CONSOLE("console");
+
+    private final String serviceId;
+
+    GkeService(String serviceId) {
+      this.serviceId = serviceId;
+    }
+
+    public String getServiceId() {
+      checkState(this != SAME_AS_GAE, "Cannot get service Id for SAME_AS_GAE");
+      return serviceId;
+    }
+  }
+
   /** Which App Engine service this action lives on. */
   Service service();
 
+  /** Which GKE service this action lives on. */
+  GkeService gkeService() default GkeService.SAME_AS_GAE;
+
   /** HTTP path to serve the action from. The path components must be percent-escaped. */
   String path();
 
@@ -72,4 +97,22 @@ public @interface Action {
 
   /** Authentication settings. */
   Auth auth();
+
+  // TODO(jianglai): Use Action.gkeService() directly once we are off GAE.
+  class ServiceGetter {
+    public static GkeService get(Action action) {
+      GkeService service = action.gkeService();
+      if (service != GkeService.SAME_AS_GAE) {
+        return service;
+      }
+      Service gaeService = action.service();
+      return switch (gaeService) {
+        case DEFAULT -> GkeService.FRONTEND;
+        case BACKEND -> GkeService.BACKEND;
+        case TOOLS -> GkeService.BACKEND;
+        case BSA -> GkeService.BACKEND;
+        case PUBAPI -> GkeService.PUBAPI;
+      };
+    }
+  }
 }

core/src/main/java/google/registry/request/RequestHandler.java

@@ -22,14 +22,17 @@ import static jakarta.servlet.http.HttpServletResponse.SC_METHOD_NOT_ALLOWED;
 import static jakarta.servlet.http.HttpServletResponse.SC_NOT_FOUND;
 
 import com.google.common.flogger.FluentLogger;
+import google.registry.request.Action.GkeService;
 import google.registry.request.auth.AuthResult;
 import google.registry.request.auth.RequestAuthenticator;
 import google.registry.util.NonFinalForTesting;
+import google.registry.util.RegistryEnvironment;
 import google.registry.util.SystemClock;
 import google.registry.util.TypeUtils.TypeInstantiator;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
+import java.util.Objects;
 import java.util.Optional;
 import javax.annotation.Nullable;
 import javax.inject.Provider;
@@ -69,6 +72,7 @@ public class RequestHandler<C> {
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
 
   private final Router router;
+  @Nullable private final String baseDomain;
   private final Provider<? extends RequestComponentBuilder<C>> requestComponentBuilderProvider;
   private final RequestAuthenticator requestAuthenticator;
   private final SystemClock clock = new SystemClock();
@@ -91,22 +95,22 @@ public class RequestHandler<C> {
   protected RequestHandler(
       Provider<? extends RequestComponentBuilder<C>> requestComponentBuilderProvider,
       RequestAuthenticator requestAuthenticator) {
-    this(null, requestComponentBuilderProvider, requestAuthenticator);
+    this(null, null, requestComponentBuilderProvider, requestAuthenticator);
   }
 
   /** Creates a new RequestHandler with an explicit component class for test purposes. */
   public static <C> RequestHandler<C> create(
       Class<C> component,
+      @Nullable String baseDomain,
       Provider<? extends RequestComponentBuilder<C>> requestComponentBuilderProvider,
       RequestAuthenticator requestAuthenticator) {
     return new RequestHandler<>(
-        checkNotNull(component),
-        requestComponentBuilderProvider,
-        requestAuthenticator);
+        checkNotNull(component), baseDomain, requestComponentBuilderProvider, requestAuthenticator);
   }
 
   private RequestHandler(
       @Nullable Class<C> component,
+      @Nullable String baseDomain,
       Provider<? extends RequestComponentBuilder<C>> requestComponentBuilderProvider,
       RequestAuthenticator requestAuthenticator) {
     // If the component class isn't explicitly provided, infer it from the class's own typing.
@@ -114,6 +118,7 @@ public class RequestHandler<C> {
     // preserved at runtime, so only expose that option via the protected constructor.
     this.router = Router.create(
         component != null ? component : new TypeInstantiator<C>(getClass()){}.getExactType());
+    this.baseDomain = baseDomain;
     this.requestComponentBuilderProvider = checkNotNull(requestComponentBuilderProvider);
     this.requestAuthenticator = checkNotNull(requestAuthenticator);
   }
@@ -137,6 +142,17 @@ public class RequestHandler<C> {
       rsp.sendError(SC_NOT_FOUND);
       return;
     }
+    if (RegistryEnvironment.isOnJetty()) {
+      GkeService service = Action.ServiceGetter.get(route.get().action());
+      String expectedDomain = String.format("%s.%s", service.getServiceId(), baseDomain);
+      String actualDomain = req.getServerName();
+      if (!Objects.equals(actualDomain, expectedDomain)) {
+        logger.atWarning().log(
+            "Actual domain %s does not match expected domain %s", actualDomain, expectedDomain);
+        rsp.sendError(SC_NOT_FOUND);
+        return;
+      }
+    }
     if (!route.get().isMethodAllowed(method)) {
       logger.atWarning().log("Method %s not allowed for: %s", method, path);
       rsp.sendError(SC_METHOD_NOT_ALLOWED);

core/src/main/java/google/registry/request/RouterDisplayHelper.java

@@ -21,6 +21,7 @@ import com.google.common.base.Joiner;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Streams;
+import java.util.Comparator;
 import java.util.Map;
 
 /**
@@ -37,6 +38,7 @@ import java.util.Map;
  * the content to be displayed. The columns are:
  *
  * <ol>
+ *   <li>the GKE service this action lives on
  *   <li>the URL path which maps to this action (with a "(*)" after it if the prefix flag is set)
  *   <li>the simple name of the action class
  *   <li>the allowable HTTP methods
@@ -49,12 +51,13 @@ import java.util.Map;
  */
 public class RouterDisplayHelper {
 
+  private static final String SERVICE = "service";
   private static final String PATH = "path";
   private static final String CLASS = "class";
   private static final String METHODS = "methods";
   private static final String MINIMUM_LEVEL = "minLevel";
 
-  private static final String FORMAT = "%%-%ds %%-%ds %%-%ds %%-2s %%-%ds %%s";
+  private static final String FORMAT = "%%-%ds %%-%ds %%-%ds %%-%ds %%-2s %%-%ds %%s";
 
   /** Returns a string representation of the routing map in the specified component. */
   public static String extractHumanReadableRoutesFromComponent(Class<?> componentClass) {
@@ -76,6 +79,7 @@ public class RouterDisplayHelper {
   private static String getFormatString(Map<String, Integer> columnWidths) {
     return String.format(
         FORMAT,
+        columnWidths.get(SERVICE),
         columnWidths.get(PATH),
         columnWidths.get(CLASS),
         columnWidths.get(METHODS),
@@ -84,18 +88,13 @@ public class RouterDisplayHelper {
 
   private static String headerToString(String formatString) {
     return String.format(
-        formatString,
-        "PATH",
-        "CLASS",
-        "METHODS",
-        "OK",
-        "MIN",
-        "USER_POLICY");
+        formatString, "SERVICE", "PATH", "CLASS", "METHODS", "OK", "MIN", "USER_POLICY");
   }
 
   private static String routeToString(Route route, String formatString) {
     return String.format(
         formatString,
+        Action.ServiceGetter.get(route.action()).name(),
         route.action().isPrefix() ? (route.action().path() + "(*)") : route.action().path(),
         route.actionClass().getSimpleName(),
         Joiner.on(",").join(route.action().method()),
@@ -107,12 +106,17 @@ public class RouterDisplayHelper {
   private static String formatRoutes(Iterable<Route> routes) {
 
     // Use the column header length as a minimum.
+    int serviceWidth = 7;
     int pathWidth = 4;
     int classWidth = 5;
     int methodsWidth = 7;
     int minLevelWidth = 3;
     for (Route route : routes) {
-      int len =
+      int len = Action.ServiceGetter.get(route.action()).name().length();
+      if (len > serviceWidth) {
+        serviceWidth = len;
+      }
+      len =
           route.action().isPrefix()
               ? (route.action().path().length() + 3)
               : route.action().path().length();
@@ -135,6 +139,7 @@ public class RouterDisplayHelper {
     final String formatString =
         getFormatString(
             new ImmutableMap.Builder<String, Integer>()
+                .put(SERVICE, serviceWidth)
                 .put(PATH, pathWidth)
                 .put(CLASS, classWidth)
                 .put(METHODS, methodsWidth)
@@ -143,6 +148,9 @@ public class RouterDisplayHelper {
     return headerToString(formatString)
         + String.format("%n")
         + Streams.stream(routes)
+            .sorted(
+                Comparator.comparing(
+                    (Route route) -> Action.ServiceGetter.get(route.action()).ordinal()))
             .map(route -> routeToString(route, formatString))
             .collect(joining(String.format("%n")));
   }

core/src/main/java/google/registry/request/auth/AuthModule.java

@@ -16,7 +16,6 @@ package google.registry.request.auth;
 
 import static com.google.common.net.HttpHeaders.AUTHORIZATION;
 
-import com.google.auth.oauth2.TokenVerifier;
 import com.google.common.collect.ImmutableList;
 import dagger.Module;
 import dagger.Provides;
@@ -24,6 +23,10 @@ import google.registry.config.RegistryConfig.Config;
 import google.registry.request.auth.OidcTokenAuthenticationMechanism.IapOidcAuthenticationMechanism;
 import google.registry.request.auth.OidcTokenAuthenticationMechanism.RegularOidcAuthenticationMechanism;
 import google.registry.request.auth.OidcTokenAuthenticationMechanism.TokenExtractor;
+import google.registry.request.auth.OidcTokenAuthenticationMechanism.TokenVerifier;
+import google.registry.util.RegistryEnvironment;
+import java.util.Map;
+import javax.annotation.Nullable;
 import javax.inject.Qualifier;
 import javax.inject.Singleton;
 
@@ -35,9 +38,10 @@ public class AuthModule {
   // See https://cloud.google.com/iap/docs/signed-headers-howto#securing_iap_headers.
   public static final String IAP_HEADER_NAME = "X-Goog-IAP-JWT-Assertion";
   public static final String BEARER_PREFIX = "Bearer ";
-  // TODO: Change the IAP audience format once we are on GKE.
+  // TODO (jianglai): Only use GKE audience once we are fully migrated to GKE.
   // See: https://cloud.google.com/iap/docs/signed-headers-howto#verifying_the_jwt_payload
-  private static final String IAP_AUDIENCE_FORMAT = "/projects/%d/apps/%s";
+  private static final String IAP_GAE_AUDIENCE_FORMAT = "/projects/%d/apps/%s";
+  private static final String IAP_GKE_AUDIENCE_FORMAT = "/projects/%d/global/backendServices/%d";
   private static final String IAP_ISSUER_URL = "https://cloud.google.com/iap";
   private static final String REGULAR_ISSUER_URL = "https://accounts.google.com";
 
@@ -62,24 +66,35 @@ public class AuthModule {
   @IapOidc
   @Singleton
   TokenVerifier provideIapTokenVerifier(
-      @Config("projectId") String projectId, @Config("projectIdNumber") long projectIdNumber) {
-    String audience = String.format(IAP_AUDIENCE_FORMAT, projectIdNumber, projectId);
-    return TokenVerifier.newBuilder().setAudience(audience).setIssuer(IAP_ISSUER_URL).build();
+      @Config("projectId") String projectId,
+      @Config("projectIdNumber") long projectIdNumber,
+      @Config("backendServiceIds") Map<String, Long> backendServiceIds) {
+    com.google.auth.oauth2.TokenVerifier.Builder tokenVerifierBuilder =
+        com.google.auth.oauth2.TokenVerifier.newBuilder().setIssuer(IAP_ISSUER_URL);
+    return (String service, String token) -> {
+      String audience;
+      if (RegistryEnvironment.isOnJetty()) {
+        long backendServiceId = backendServiceIds.get(service);
+        audience = String.format(IAP_GKE_AUDIENCE_FORMAT, projectIdNumber, backendServiceId);
+      } else {
+        audience = String.format(IAP_GAE_AUDIENCE_FORMAT, projectIdNumber, projectId);
+      }
+      return tokenVerifierBuilder.setAudience(audience).build().verify(token);
+    };
   }
 
   @Provides
   @RegularOidc
   @Singleton
   TokenVerifier provideRegularTokenVerifier(@Config("oauthClientId") String clientId) {
-    return TokenVerifier.newBuilder().setAudience(clientId).setIssuer(REGULAR_ISSUER_URL).build();
-  }
-
-  @Provides
-  @RegularOidcFallback
-  @Singleton
-  TokenVerifier provideFallbackRegularTokenVerifier(
-      @Config("fallbackOauthClientId") String clientId) {
-    return TokenVerifier.newBuilder().setAudience(clientId).setIssuer(REGULAR_ISSUER_URL).build();
+    com.google.auth.oauth2.TokenVerifier tokenVerifier =
+        com.google.auth.oauth2.TokenVerifier.newBuilder()
+            .setAudience(clientId)
+            .setIssuer(REGULAR_ISSUER_URL)
+            .build();
+    return (@Nullable String service, String token) -> {
+      return tokenVerifier.verify(token);
+    };
   }
 
   @Provides

core/src/main/java/google/registry/request/auth/OidcTokenAuthenticationMechanism.java

@@ -15,18 +15,19 @@
 package google.registry.request.auth;
 
 import static com.google.common.base.Preconditions.checkState;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 
 import com.google.api.client.json.webtoken.JsonWebSignature;
-import com.google.auth.oauth2.TokenVerifier;
+import com.google.auth.oauth2.TokenVerifier.VerificationException;
 import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Splitter;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.flogger.FluentLogger;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.model.console.User;
-import google.registry.model.console.UserDao;
+import google.registry.persistence.VKey;
 import google.registry.request.auth.AuthModule.IapOidc;
 import google.registry.request.auth.AuthModule.RegularOidc;
-import google.registry.request.auth.AuthModule.RegularOidcFallback;
 import google.registry.request.auth.AuthSettings.AuthLevel;
 import google.registry.util.RegistryEnvironment;
 import jakarta.servlet.http.HttpServletRequest;
@@ -50,27 +51,23 @@ public abstract class OidcTokenAuthenticationMechanism implements Authentication
 
   public static final FluentLogger logger = FluentLogger.forEnclosingClass();
 
-  // A workaround that allows "use" of the OIDC authenticator when running local testing, i.e.
+  // A workaround that allows "use" of the OIDC authenticator when running local testing, i.e.,
   // the RegistryTestServer
   private static AuthResult authResultForTesting = null;
 
-  protected final TokenVerifier tokenVerifier;
-
-  protected final Optional<TokenVerifier> fallbackTokenVerifier;
-
   protected final TokenExtractor tokenExtractor;
 
+  protected final TokenVerifier tokenVerifier;
+
   private final ImmutableSet<String> serviceAccountEmails;
 
   protected OidcTokenAuthenticationMechanism(
       ImmutableSet<String> serviceAccountEmails,
-      TokenVerifier tokenVerifier,
-      @Nullable TokenVerifier fallbackTokenVerifier,
-      TokenExtractor tokenExtractor) {
+      TokenExtractor tokenExtractor,
+      TokenVerifier tokenVerifier) {
     this.serviceAccountEmails = serviceAccountEmails;
-    this.tokenVerifier = tokenVerifier;
-    this.fallbackTokenVerifier = Optional.ofNullable(fallbackTokenVerifier);
     this.tokenExtractor = tokenExtractor;
+    this.tokenVerifier = tokenVerifier;
   }
 
   @Override
@@ -86,7 +83,12 @@ public abstract class OidcTokenAuthenticationMechanism implements Authentication
     }
     JsonWebSignature token = null;
     try {
-      token = tokenVerifier.verify(rawIdToken);
+      String service = null;
+      if (RegistryEnvironment.isOnJetty()) {
+        String hostname = request.getServerName();
+        service = Splitter.on('.').split(hostname).iterator().next();
+      }
+      token = tokenVerifier.verify(service, rawIdToken);
     } catch (Exception e) {
       logger.atInfo().withCause(e).log(
           "Failed OIDC verification attempt:\n%s",
@@ -96,20 +98,7 @@ public abstract class OidcTokenAuthenticationMechanism implements Authentication
     }
 
     if (token == null) {
-      if (fallbackTokenVerifier.isPresent()) {
-        try {
-          token = fallbackTokenVerifier.get().verify(rawIdToken);
-        } catch (Exception e) {
-          logger.atInfo().withCause(e).log(
-              "Failed OIDC fallback verification attempt:\n%s",
-              RegistryEnvironment.get().equals(RegistryEnvironment.PRODUCTION)
-                  ? "Raw token redacted in prod"
-                  : rawIdToken);
-          return AuthResult.NOT_AUTHENTICATED;
-        }
-      } else {
-        return AuthResult.NOT_AUTHENTICATED;
-      }
+      return AuthResult.NOT_AUTHENTICATED;
     }
 
     String email = (String) token.getPayload().get("email");
@@ -117,7 +106,8 @@ public abstract class OidcTokenAuthenticationMechanism implements Authentication
       logger.atWarning().log("No email address from the OIDC token:\n%s", token.getPayload());
       return AuthResult.NOT_AUTHENTICATED;
     }
-    Optional<User> maybeUser = UserDao.loadUser(email);
+    Optional<User> maybeUser =
+        tm().transact(() -> tm().loadByKeyIfPresent(VKey.create(User.class, email)));
     if (maybeUser.isPresent()) {
       return AuthResult.createUser(maybeUser.get());
     }
@@ -153,6 +143,12 @@ public abstract class OidcTokenAuthenticationMechanism implements Authentication
     String extract(HttpServletRequest request);
   }
 
+  @FunctionalInterface
+  protected interface TokenVerifier {
+    @Nullable
+    JsonWebSignature verify(@Nullable String service, String rawToken) throws VerificationException;
+  }
+
   /**
    * A mechanism to authenticate HTTP requests that have gone through the GCP Identity-Aware Proxy.
    *
@@ -169,9 +165,9 @@ public abstract class OidcTokenAuthenticationMechanism implements Authentication
     @Inject
     protected IapOidcAuthenticationMechanism(
         @Config("allowedServiceAccountEmails") ImmutableSet<String> serviceAccountEmails,
-        @IapOidc TokenVerifier tokenVerifier,
-        @IapOidc TokenExtractor tokenExtractor) {
-      super(serviceAccountEmails, tokenVerifier, null, tokenExtractor);
+        @IapOidc TokenExtractor tokenExtractor,
+        @IapOidc TokenVerifier tokenVerifier) {
+      super(serviceAccountEmails, tokenExtractor, tokenVerifier);
     }
   }
 
@@ -190,10 +186,9 @@ public abstract class OidcTokenAuthenticationMechanism implements Authentication
     @Inject
     protected RegularOidcAuthenticationMechanism(
         @Config("allowedServiceAccountEmails") ImmutableSet<String> serviceAccountEmails,
-        @RegularOidc TokenVerifier tokenVerifier,
-        @RegularOidcFallback TokenVerifier fallbackTokenVerifier,
-        @RegularOidc TokenExtractor tokenExtractor) {
-      super(serviceAccountEmails, tokenVerifier, fallbackTokenVerifier, tokenExtractor);
+        @RegularOidc TokenExtractor tokenExtractor,
+        @RegularOidc TokenVerifier tokenVerifier) {
+      super(serviceAccountEmails, tokenExtractor, tokenVerifier);
     }
   }
 }

core/src/main/java/google/registry/tools/CreateOrUpdateUserCommand.java

@@ -22,7 +22,6 @@ import com.google.common.collect.ImmutableMap;
 import google.registry.model.console.GlobalRole;
 import google.registry.model.console.RegistrarRole;
 import google.registry.model.console.User;
-import google.registry.model.console.UserDao;
 import google.registry.model.console.UserRoles;
 import google.registry.tools.params.KeyValueMapParameter.StringToRegistrarRoleMap;
 import java.util.Optional;
@@ -95,8 +94,6 @@ public abstract class CreateOrUpdateUserCommand extends ConfirmingCommand {
         builder.setRegistryLockEmailAddress(registryLockEmailAddress);
       }
     }
-
-    User newUser = builder.build();
-    UserDao.saveUser(newUser);
+    tm().put(builder.build());
   }
 }

core/src/main/java/google/registry/tools/CreateUserCommand.java

@@ -16,24 +16,24 @@ package google.registry.tools;
 
 import static com.google.common.base.Preconditions.checkArgument;
 import static google.registry.model.console.User.grantIapPermission;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 
 import com.beust.jcommander.Parameters;
-import google.registry.batch.CloudTasksUtils;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.model.console.User;
-import google.registry.model.console.UserDao;
+import google.registry.persistence.VKey;
 import java.util.Optional;
 import javax.annotation.Nullable;
 import javax.inject.Inject;
 
 /** Command to create a new User. */
 @Parameters(separators = " =", commandDescription = "Update a user account")
-public class CreateUserCommand extends CreateOrUpdateUserCommand {
+public class CreateUserCommand extends CreateOrUpdateUserCommand implements CommandWithConnection {
+
+  private ServiceConnection connection;
 
   @Inject IamClient iamClient;
 
-  @Inject CloudTasksUtils cloudTasksUtils;
-
   @Inject
   @Config("gSuiteConsoleUserGroupEmailAddress")
   Optional<String> maybeGroupEmailAddress;
@@ -41,14 +41,20 @@ public class CreateUserCommand extends CreateOrUpdateUserCommand {
   @Nullable
   @Override
   User getExistingUser(String email) {
-    checkArgument(UserDao.loadUser(email).isEmpty(), "A user with email %s already exists", email);
+    checkArgument(
+        !tm().exists(VKey.create(User.class, email)), "A user with email %s already exists", email);
     return null;
   }
 
   @Override
   protected String execute() throws Exception {
     String ret = super.execute();
-    grantIapPermission(email, maybeGroupEmailAddress, cloudTasksUtils, iamClient);
+    grantIapPermission(email, maybeGroupEmailAddress, null, connection, iamClient);
     return ret;
   }
+
+  @Override
+  public void setConnection(ServiceConnection connection) {
+    this.connection = connection;
+  }
 }

core/src/main/java/google/registry/tools/DeleteUserCommand.java

@@ -14,28 +14,27 @@
 
 package google.registry.tools;
 
+import static com.google.api.client.util.Preconditions.checkArgument;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
-import static google.registry.util.PreconditionsUtils.checkArgumentPresent;
 
 import com.beust.jcommander.Parameter;
 import com.beust.jcommander.Parameters;
-import google.registry.batch.CloudTasksUtils;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.model.console.User;
-import google.registry.model.console.UserDao;
+import google.registry.persistence.VKey;
 import java.util.Optional;
 import javax.annotation.Nullable;
 import javax.inject.Inject;
 
 /** Deletes a {@link User}. */
 @Parameters(separators = " =", commandDescription = "Delete a user account")
-public class DeleteUserCommand extends ConfirmingCommand {
+public class DeleteUserCommand extends ConfirmingCommand implements CommandWithConnection {
+
+  private ServiceConnection connection;
 
   @Inject IamClient iamClient;
 
-  @Inject CloudTasksUtils cloudTasksUtils;
-
   @Inject
   @Config("gSuiteConsoleUserGroupEmailAddress")
   Optional<String> maybeGroupEmailAddress;
@@ -47,7 +46,9 @@ public class DeleteUserCommand extends ConfirmingCommand {
   @Override
   protected String prompt() {
     checkArgumentNotNull(email, "Email must be provided");
-    checkArgumentPresent(UserDao.loadUser(email), "Email does not correspond to a valid user");
+    checkArgument(
+        tm().transact(() -> tm().exists(VKey.create(User.class, email))),
+        "Email does not correspond to a valid user");
     return String.format("Delete user with email %s?", email);
   }
 
@@ -55,11 +56,16 @@ public class DeleteUserCommand extends ConfirmingCommand {
   protected String execute() throws Exception {
     tm().transact(
             () -> {
-              Optional<User> optionalUser = UserDao.loadUser(email);
-              checkArgumentPresent(optionalUser, "Email no longer corresponds to a valid user");
-              tm().delete(optionalUser.get());
+              VKey<User> key = VKey.create(User.class, email);
+              checkArgument(tm().exists(key), "Email no longer corresponds to a valid user");
+              tm().delete(key);
             });
-    User.revokeIapPermission(email, maybeGroupEmailAddress, cloudTasksUtils, iamClient);
+    User.revokeIapPermission(email, maybeGroupEmailAddress, null, connection, iamClient);
     return String.format("Deleted user with email %s", email);
   }
+
+  @Override
+  public void setConnection(ServiceConnection connection) {
+    this.connection = connection;
+  }
 }

core/src/main/java/google/registry/tools/DomainLockUtils.java

@@ -343,7 +343,7 @@ public final class DomainLockUtils {
         .orElseThrow(
             () ->
                 new IllegalArgumentException(
-                    String.format("Invalid verification code %s", verificationCode)));
+                    String.format("Invalid verification code \"%s\"", verificationCode)));
   }
 
   private void applyLockStatuses(RegistryLock lock, DateTime lockTime, boolean isAdmin) {

core/src/main/java/google/registry/tools/GenerateAllocationTokensCommand.java

@@ -293,7 +293,7 @@ class GenerateAllocationTokensCommand implements Command {
       // tokens should only be scheduled to end with a brief time period before the status
       // transition occurs so that no new domains are registered using that token between when the
       // status is scheduled and when the transition occurs.
-      // TODO(@sarahbot): Create a cleaner way to handle ending bulk pricing packages once we
+      // TODO(b/261763205): Create a cleaner way to handle ending bulk pricing packages once we
       // actually have customers using them
       boolean hasEnding =
           tokenStatusTransitions.containsValue(TokenStatus.ENDED)

core/src/main/java/google/registry/tools/GetUserCommand.java

@@ -14,10 +14,12 @@
 
 package google.registry.tools;
 
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+
 import com.beust.jcommander.Parameter;
 import com.beust.jcommander.Parameters;
 import google.registry.model.console.User;
-import google.registry.model.console.UserDao;
+import google.registry.persistence.VKey;
 import java.util.List;
 
 /** Command to display one or more users. */
@@ -29,11 +31,14 @@ public class GetUserCommand implements Command {
 
   @Override
   public void run() throws Exception {
-    for (String emailAddress : mainParameters) {
-      System.out.println(
-          UserDao.loadUser(emailAddress)
-              .map(User::toString)
-              .orElse(String.format("No user with email address %s", emailAddress)));
-    }
+    tm().transact(
+            () -> {
+              for (String emailAddress : mainParameters) {
+                System.out.println(
+                    tm().loadByKeyIfPresent(VKey.create(User.class, emailAddress))
+                        .map(User::toString)
+                        .orElse(String.format("No user with email address %s", emailAddress)));
+              }
+            });
   }
 }

core/src/main/java/google/registry/tools/RegistrarPocCommand.java

@@ -41,7 +41,6 @@ import java.util.ArrayList;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.Objects;
 import java.util.Optional;
 import java.util.Set;
 import javax.annotation.Nullable;
@@ -87,12 +86,6 @@ final class RegistrarPocCommand extends MutatingCommand {
               + " and will be used as the console login email, if --login_email is not specified.")
   String email;
 
-  @Nullable
-  @Parameter(
-      names = "--login_email",
-      description = "Console login email address. If not specified, --email will be used.")
-  String loginEmail;
-
   @Nullable
   @Parameter(
       names = "--registry_lock_email",
@@ -115,13 +108,6 @@ final class RegistrarPocCommand extends MutatingCommand {
       validateWith = OptionalPhoneNumberParameter.class)
   private Optional<String> fax;
 
-  @Nullable
-  @Parameter(
-      names = "--allow_console_access",
-      description = "Enable or disable access to the registrar console for this contact.",
-      arity = 1)
-  Boolean allowConsoleAccess;
-
   @Nullable
   @Parameter(
       names = "--visible_in_whois_as_admin",
@@ -173,7 +159,7 @@ final class RegistrarPocCommand extends MutatingCommand {
   protected void init() throws Exception {
     checkArgument(mainParameters.size() == 1,
         "Must specify exactly one client identifier: %s", ImmutableList.copyOf(mainParameters));
-    String clientId = mainParameters.get(0);
+    String clientId = mainParameters.getFirst();
     Registrar registrar =
         checkArgumentPresent(
             Registrar.loadByRegistrarId(clientId), "Registrar %s not found", clientId);
@@ -261,9 +247,6 @@ final class RegistrarPocCommand extends MutatingCommand {
     }
     builder.setTypes(nullToEmpty(contactTypes));
 
-    if (Objects.equals(allowConsoleAccess, Boolean.TRUE)) {
-      builder.setLoginEmailAddress(loginEmail == null ? email : loginEmail);
-    }
     if (visibleInWhoisAsAdmin != null) {
       builder.setVisibleInWhoisAsAdmin(visibleInWhoisAsAdmin);
     }
@@ -308,13 +291,6 @@ final class RegistrarPocCommand extends MutatingCommand {
     if (visibleInDomainWhoisAsAbuse != null) {
       builder.setVisibleInDomainWhoisAsAbuse(visibleInDomainWhoisAsAbuse);
     }
-    if (allowConsoleAccess != null) {
-      if (allowConsoleAccess.equals(Boolean.TRUE)) {
-        builder.setLoginEmailAddress(loginEmail == null ? email : loginEmail);
-      } else {
-        builder.setLoginEmailAddress(null);
-      }
-    }
     if (allowedToSetRegistryLockPassword != null) {
       builder.setAllowedToSetRegistryLockPassword(allowedToSetRegistryLockPassword);
     }

core/src/main/java/google/registry/tools/UpdateUserCommand.java

@@ -14,20 +14,20 @@
 
 package google.registry.tools;
 
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.PreconditionsUtils.checkArgumentPresent;
 
 import com.beust.jcommander.Parameters;
 import google.registry.model.console.User;
-import google.registry.model.console.UserDao;
-import javax.annotation.Nullable;
+import google.registry.persistence.VKey;
 
 /** Updates a user, assuming that the user in question already exists. */
 @Parameters(separators = " =", commandDescription = "Update a user account")
 public class UpdateUserCommand extends CreateOrUpdateUserCommand {
 
-  @Nullable
   @Override
   User getExistingUser(String email) {
-    return checkArgumentPresent(UserDao.loadUser(email), "User %s not found", email);
+    return checkArgumentPresent(
+        tm().loadByKeyIfPresent(VKey.create(User.class, email)), "User %s not found", email);
   }
 }

core/src/main/java/google/registry/ui/server/RegistrarFormFields.java

@@ -193,9 +193,6 @@ public final class RegistrarFormFields {
   public static final FormField<String, String> CONTACT_FAX_NUMBER_FIELD =
       FormFields.PHONE_NUMBER.asBuilderNamed("faxNumber").build();
 
-  public static final FormField<String, String> CONTACT_LOGIN_EMAIL_ADDRESS_FIELD =
-      FormFields.NAME.asBuilderNamed("loginEmailAddress").build();
-
   public static final FormField<Object, Boolean> CONTACT_ALLOWED_TO_SET_REGISTRY_LOCK_PASSWORD =
       FormField.named("allowedToSetRegistryLockPassword", Object.class)
           .transform(Boolean.class, b -> Boolean.valueOf(Objects.toString(b)))
@@ -384,8 +381,6 @@ public final class RegistrarFormFields {
     builder.setPhoneNumber(CONTACT_PHONE_NUMBER_FIELD.extractUntyped(args).orElse(null));
     builder.setFaxNumber(CONTACT_FAX_NUMBER_FIELD.extractUntyped(args).orElse(null));
     builder.setTypes(CONTACT_TYPES.extractUntyped(args).orElse(ImmutableSet.of()));
-    builder.setLoginEmailAddress(
-        CONTACT_LOGIN_EMAIL_ADDRESS_FIELD.extractUntyped(args).orElse(null));
     // The parser is inconsistent with whether it retrieves boolean values as strings or booleans.
     // As a result, use a potentially-redundant converter that can deal with both.
     builder.setAllowedToSetRegistryLockPassword(

core/src/main/java/google/registry/ui/server/console/ConsoleApiAction.java

@@ -16,6 +16,9 @@ package google.registry.ui.server.console;
 
 import static com.google.common.collect.ImmutableList.toImmutableList;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
+import static google.registry.model.common.FeatureFlag.FeatureName.NEW_CONSOLE;
+import static google.registry.model.common.FeatureFlag.isActiveNow;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.GET;
 import static jakarta.servlet.http.HttpServletResponse.SC_BAD_REQUEST;
 import static jakarta.servlet.http.HttpServletResponse.SC_FORBIDDEN;
@@ -29,17 +32,18 @@ import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Sets;
 import com.google.common.flogger.FluentLogger;
 import google.registry.batch.CloudTasksUtils;
+import google.registry.config.RegistryConfig;
 import google.registry.export.sheet.SyncRegistrarsSheetAction;
 import google.registry.model.console.ConsolePermission;
 import google.registry.model.console.GlobalRole;
 import google.registry.model.console.User;
+import google.registry.model.console.UserRoles;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarPoc;
 import google.registry.model.registrar.RegistrarPocBase;
 import google.registry.request.Action.Service;
 import google.registry.request.HttpException;
 import google.registry.security.XsrfTokenManager;
-import google.registry.ui.server.registrar.ConsoleApiParams;
 import google.registry.ui.server.registrar.ConsoleUiAction;
 import google.registry.util.DiffUtils;
 import google.registry.util.RegistryEnvironment;
@@ -62,6 +66,10 @@ public abstract class ConsoleApiAction implements Runnable {
 
   @Inject CloudTasksUtils cloudTasksUtils;
 
+  @Inject
+  @RegistryConfig.Config("registryAdminClientId")
+  String registryAdminClientId;
+
   public ConsoleApiAction(ConsoleApiParams consoleApiParams) {
     this.consoleApiParams = consoleApiParams;
   }
@@ -77,8 +85,15 @@ public abstract class ConsoleApiAction implements Runnable {
 
     // This allows us to enable console to a selected cohort of users with release
     // We can ignore it in tests
-    if (RegistryEnvironment.get() != RegistryEnvironment.UNITTEST
-        && GlobalRole.NONE.equals(user.getUserRoles().getGlobalRole())) {
+    UserRoles userRoles = user.getUserRoles();
+    boolean hasGlobalOrTestingRole =
+        !GlobalRole.NONE.equals(userRoles.getGlobalRole())
+            || userRoles.hasPermission(
+                registryAdminClientId, ConsolePermission.VIEW_REGISTRAR_DETAILS);
+
+    if (!hasGlobalOrTestingRole
+        && RegistryEnvironment.get() != RegistryEnvironment.UNITTEST
+        && tm().transact(() -> !isActiveNow(NEW_CONSOLE))) {
       try {
         consoleApiParams.response().sendRedirect(ConsoleUiAction.PATH);
         return;
@@ -161,7 +176,7 @@ public abstract class ConsoleApiAction implements Runnable {
 
     Map<String, Object> registrarDiffMap = registrar.toDiffableFieldMap();
     Stream.of("passwordHash", "salt") // fields to remove from final diff
-        .forEach(fieldToBeRemoved -> registrarDiffMap.remove(fieldToBeRemoved));
+        .forEach(registrarDiffMap::remove);
 
     // Use LinkedHashMap here to preserve ordering; null values mean we can't use ImmutableMap.
     LinkedHashMap<String, Object> result = new LinkedHashMap<>(registrarDiffMap);

core/src/main/java/google/registry/ui/server/console/ConsoleApiParams.java

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package google.registry.ui.server.registrar;
+package google.registry.ui.server.console;
 
 import google.registry.request.Response;
 import google.registry.request.auth.AuthResult;

core/src/main/java/google/registry/ui/server/console/ConsoleDomainGetAction.java

@@ -24,15 +24,16 @@ import google.registry.model.console.ConsolePermission;
 import google.registry.model.console.User;
 import google.registry.model.domain.Domain;
 import google.registry.request.Action;
+import google.registry.request.Action.GkeService;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
-import google.registry.ui.server.registrar.ConsoleApiParams;
 import java.util.Optional;
 import javax.inject.Inject;
 
 /** Returns a JSON representation of a domain to the registrar console. */
 @Action(
     service = Action.Service.DEFAULT,
+    gkeService = GkeService.CONSOLE,
     path = ConsoleDomainGetAction.PATH,
     auth = Auth.AUTH_PUBLIC_LOGGED_IN)
 public class ConsoleDomainGetAction extends ConsoleApiAction {

core/src/main/java/google/registry/ui/server/console/ConsoleDomainListAction.java

@@ -27,9 +27,9 @@ import google.registry.model.CreateAutoTimestamp;
 import google.registry.model.console.User;
 import google.registry.model.domain.Domain;
 import google.registry.request.Action;
+import google.registry.request.Action.GkeService;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
-import google.registry.ui.server.registrar.ConsoleApiParams;
 import java.util.List;
 import java.util.Optional;
 import javax.inject.Inject;
@@ -39,6 +39,7 @@ import org.joda.time.DateTime;
 /** Returns a (paginated) list of domains for a particular registrar. */
 @Action(
     service = Action.Service.DEFAULT,
+    gkeService = GkeService.CONSOLE,
     path = ConsoleDomainListAction.PATH,
     method = Action.Method.GET,
     auth = Auth.AUTH_PUBLIC_LOGGED_IN)
@@ -115,6 +116,7 @@ public class ConsoleDomainListAction extends ConsoleApiAction {
             .setFirstResult(numResultsToSkip)
             .setMaxResults(resultsPerPage)
             .getResultList();
+
     consoleApiParams
         .response()
         .setPayload(gson.toJson(new DomainListResult(domains, checkpoint, actualTotalResults)));

core/src/main/java/google/registry/ui/server/console/ConsoleDumDownloadAction.java

@@ -26,9 +26,9 @@ import google.registry.config.RegistryConfig.Config;
 import google.registry.model.console.ConsolePermission;
 import google.registry.model.console.User;
 import google.registry.request.Action;
+import google.registry.request.Action.GkeService;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
-import google.registry.ui.server.registrar.ConsoleApiParams;
 import google.registry.util.Clock;
 import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
@@ -40,6 +40,7 @@ import org.joda.time.DateTime;
 
 @Action(
     service = Action.Service.DEFAULT,
+    gkeService = GkeService.CONSOLE,
     path = ConsoleDumDownloadAction.PATH,
     method = {GET},
     auth = Auth.AUTH_PUBLIC_LOGGED_IN)

core/src/main/java/google/registry/ui/server/console/ConsoleEppPasswordAction.java

@@ -30,17 +30,18 @@ import google.registry.flows.PasswordOnlyTransportCredentials;
 import google.registry.model.console.User;
 import google.registry.model.registrar.Registrar;
 import google.registry.request.Action;
+import google.registry.request.Action.GkeService;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor.RegistrarAccessDeniedException;
-import google.registry.ui.server.registrar.ConsoleApiParams;
 import google.registry.util.DiffUtils;
 import java.util.Optional;
 import javax.inject.Inject;
 
 @Action(
     service = Action.Service.DEFAULT,
+    gkeService = GkeService.CONSOLE,
     path = ConsoleEppPasswordAction.PATH,
     method = {POST},
     auth = Auth.AUTH_PUBLIC_LOGGED_IN)