Add schema deployment tests (#265 )

* Add schema deployment tests Updated flyway schema script files so that they reflect what is currently deployed in alpha: ClaimsList and PremiumList related elements. Put post-schema-push pg_dump output in nomulus.golden.sql as the authoritative schema. Also added test to verify that the schema pushed by flyway will result in exactly the golden schema. Upgraded testcontainers to 1.12.1. Added a custom Truth subject for better diffing of multi-line text blocks. Removed claims_list.sql and premium_list.sql, as we do not have use for them. * Add schema deployment tests Updated flyway schema script files so that they reflect what is currently deployed in alpha: ClaimsList and PremiumList related elements. Put post-schema-push pg_dump output in nomulus.golden.sql as the authoritative schema. Also added test to verify that the schema pushed by flyway will result in exactly the golden schema. Upgraded testcontainers to 1.12.1. Added a custom Truth subject for better diffing of multi-line text blocks. Removed claims_list.sql and premium_list.sql, as we do not have use for them. * Add schema deployment tests Updated flyway schema script files so that they reflect what is currently deployed in alpha: ClaimsList and PremiumList related elements. Put post-schema-push pg_dump output in nomulus.golden.sql as the authoritative schema. Also added test to verify that the schema pushed by flyway will result in exactly the golden schema. Upgraded testcontainers to 1.12.1. Added a custom Truth subject for better diffing of multi-line text blocks. Removed claims_list.sql and premium_list.sql, as we do not have use for them.
Regenerate schema using tools command (#269 )
2026-06-09 16:33:02 +00:00 · 2019-09-12 15:16:12 -04:00 · 2019-09-12 14:26:22 -04:00 · 2019-09-12 08:09:32 -07:00 · 2019-09-11 12:20:08 -04:00 · 2019-09-10 18:17:36 -04:00
1475 changed files with 16972 additions and 3407 deletions
@@ -4,3 +4,6 @@ python/
 .*/
 repos/**
 **/.idea/
+*.jar
+!third_party/**/*.jar
+!/gradle/wrapper/**/*.jar
@@ -100,3 +100,9 @@ nomulus.iws
 node_modules/**
 !node_modules/soyutils_usegoog.js
 /repos/
+
+# Compiled JS/CSS code
+core/**/registrar_bin*.js
+core/**/registrar_dbg*.js
+core/**/registrar_bin*.css
+core/**/registrar_dbg*.css
@@ -0,0 +1,4 @@
+extraction:
+  java:
+    prepare:
+      packages: "npm"
@@ -1,78 +0,0 @@
-# Copyright 2018 The Nomulus Authors. All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Collecting report files from a travis build to GCS requires setting the
-# "CREDZ" and "REPORT_GCS_BUCKET" environment variables in your travis
-# repository.
-#
-# The report destination can be any GCS path (e.g. "gcs://bucket-name/path").
-# You'll want to select "Display value in build log", otherwise travis will
-# hide the bucket name in the URL that is displayed.
-#
-# The CREDZ variable should be the contents of a json credentials file for
-# a service account with write access to the bucket, escaped for bash shell
-# usage (usually just wrapping it in single quotes should suffice).
-
-language: java
-jdk:
-  # Our builds fail against Oracle Java for reasons yet unknown.
-  - openjdk8
-
-# Caching options suggested by a random article.
-before_cache:
-  - rm -f $HOME/.gradle/caches/modules-2/modules-2.lock
-  - rm -f $HOME/.gradle/caches/*/plugin-resolution/
-
-cache:
-  directories:
-    - $HOME/.gradle/caches/
-    - $HOME/.gradle/wrapper/
-    - $HOME/google-cloud-sdk/
-
-# WebDriver tests need Chrome and ChromeDriver provisioned by the docker image
-services:
-  - docker
-
-env:
-  global:
-    # Disable fancy status information (looks bad on travis and exceeds logfile
-    # quota)
-    - TERM=dumb
-    # Do not prompt for user input when using any SDK methods.
-    - CLOUDSDK_CORE_DISABLE_PROMPTS=1
-
-install:
-  - |
-    if [ ! -d $HOME/google-cloud-sdk/bin ]
-    then
-      # The install script errors if this directory already exists,
-      # but Travis already creates it when we mark it as cached.
-      rm -rf $HOME/google-cloud-sdk
-      # The install script is overly verbose, which sometimes causes
-      # problems on Travis, so ignore stdout.
-      curl https://sdk.cloud.google.com | bash
-    fi
-  # This line is critical. We setup the SDK to take precedence in our
-  # environment over the old SDK that is already on the machine.
-  - source $HOME/google-cloud-sdk/path.bash.inc
-  - gcloud components install app-engine-java
-  - gcloud version
-
-# Specialize gradle build to use an up-to-date gradle and the /gradle
-# directory.
-# The "travis_wait 45" lets our build spend up to 45 minutes without writing
-# output, instead of the default 10.
-# See notes on the CREDZ and REPORT_GCS_BUCKET environment variable in the
-# comments at the top of the file.
-script: echo "$CREDZ" >credz.json && chmod 755 ./gradlew && travis_wait 45 ./gradlew build --continue -P uploaderDestination="$REPORT_GCS_DESTINATION" -P uploaderCredentialsFile=credz.json -P uploaderMultithreadedUpload=yes -P mavenUrl=https://storage.googleapis.com/domain-registry-maven-repository/maven -P pluginsUrl=https://storage.googleapis.com/domain-registry-maven-repository/plugins
@@ -1,4 +1,3 @@
-
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
@@ -1,8 +1,8 @@
 # Nomulus

-| Internal Build | FOSS Build | License | Code Search |
-|----------------|------------|---------|-------------|
-|[![Build Status for Google Registry internal build](https://storage.googleapis.com/domain-registry-kokoro/build.svg)](https://storage.googleapis.com/domain-registry-kokoro/index.html)|[![Build Status for the open source build](https://travis-ci.org/google/nomulus.svg?branch=master)](https://travis-ci.org/google/nomulus)|[![License for this repo](https://img.shields.io/github/license/google/nomulus.svg)](https://github.com/jianglai/nomulus/blob/master/LICENSE)|[![Link to Source Graph](https://github.com/sourcegraph/sourcegraph/blob/master/ui/assets/img/sourcegraph-logo.svg)](https://sourcegraph.com/github.com/google/nomulus)|
+| Internal Build | FOSS Build | LGTM | License | Code Search |
+|----------------|------------|------|---------|-------------|
+|[![Build Status for Google Registry internal build](https://storage.googleapis.com/domain-registry-kokoro/internal/build.svg)](https://storage.googleapis.com/domain-registry-kokoro/internal/index.html)|[![Build Status for the open source build](https://storage.googleapis.com/domain-registry-kokoro/foss/build.svg)](https://storage.googleapis.com/domain-registry-kokoro/foss/index.html)|[![Total alerts](https://img.shields.io/lgtm/alerts/g/google/nomulus.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/google/nomulus/alerts/)|[![License for this repo](https://img.shields.io/github/license/google/nomulus.svg)](https://github.com/google/nomulus/blob/master/LICENSE)|[![Link to Source Graph](https://github.com/sourcegraph/sourcegraph/blob/master/ui/assets/img/sourcegraph-logo.svg)](https://sourcegraph.com/github.com/google/nomulus)|

 ![Nomulus logo](./nomulus-logo.png)

@@ -1,22 +1,23 @@
-def environments = ['production', 'sandbox', 'alpha', 'crash']
-
-def projects = ['production': 'domain-registry',
-                'sandbox'   : 'domain-registry-sandbox',
-                'alpha'     : 'domain-registry-alpha',
-                'crash'     : 'domain-registry-crash']
-
-
-def environment = rootProject.findProperty("environment")
-if (environment == null) {
-    environment = 'production'
-}
-def gcpProject = projects[environment]
-if (gcpProject == null) {
-    throw new GradleException("-Penvironment must be one of ${environments}.")
-}
+// Copyright 2019 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.

+apply from: "${rootDir.path}/projects.gradle"
 apply plugin: 'war'

+def environment = rootProject.environment
+def gcpProject = rootProject.gcpProject
+
 // Set this directory before applying the appengine plugin so that the
 // plugin will recognize this as an app-engine standard app (and also
 // obtains the appengine-web.xml from the correct location)
@@ -61,7 +62,13 @@ if (project.path == ":services:default") {

 appengine {
    deploy {
-        project = gcpProject
+        // appengineDeployAll task requires the version to be set. So,
+        // this config lets gcloud select a version name when deploying
+        // to alpha or sandbox from our workstation.
+        if (!rootProject.prodOrSandboxEnv) {
+            version = 'GCLOUD_CONFIG'
+        }
+        projectId = gcpProject
    }
 }

@@ -69,6 +76,6 @@ dependencies {
    compile project(':core')
 }

-rootProject.deploy.dependsOn appengineDeploy
+rootProject.deploy.dependsOn appengineDeployAll
 rootProject.stage.dependsOn appengineStage
-appengineDeploy.dependsOn rootProject.verifyDeployment
+appengineDeployAll.dependsOn rootProject.verifyDeployment
@@ -1,5 +1,22 @@
+// Copyright 2019 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import org.gradle.api.tasks.testing.logging.TestExceptionFormat
+import org.gradle.api.tasks.testing.logging.TestLogEvent
+
 buildscript {
-  if (project.disableDependencyLocking.toBoolean() == false) {
+  if (rootProject.enableDependencyLocking.toBoolean()) {
    // Lock buildscript dependencies.
    configurations.classpath {
      resolutionStrategy.activateDependencyLocking()
@@ -7,7 +24,7 @@ buildscript {
  }

  dependencies {
-    classpath 'com.google.cloud.tools:appengine-gradle-plugin:1.3.3'
+    classpath 'com.google.cloud.tools:appengine-gradle-plugin:2.0.1'
    classpath "net.ltgt.gradle:gradle-errorprone-plugin:0.6.1"
    classpath 'org.sonatype.aether:aether-api:1.13.1'
    classpath 'org.sonatype.aether:aether-impl:1.13.1'
@@ -23,13 +40,19 @@ plugins {
  id 'net.ltgt.apt' version '0.19' apply false
  id 'net.ltgt.errorprone' version '0.6.1'
  id 'checkstyle'
-  id 'com.github.johnrengelman.shadow' version '5.0.0'
+  id 'com.github.johnrengelman.shadow' version '5.1.0'

  // NodeJs plugin
  id "com.moowork.node" version "1.2.0"

  id 'idea'
  id 'com.diffplug.gradle.spotless' version '3.18.0'
+
+  id 'jacoco'
+}
+
+wrapper {
+  distributionType = Wrapper.DistributionType.ALL
 }

 apply plugin: google.registry.gradle.plugin.ReportUploaderPlugin
@@ -57,12 +80,22 @@ reportUploader {

 apply from: 'dependencies.gradle'

-// Provide defaults for all of the project properties.
+apply from: 'dependency_lic.gradle'

-// showAllOutput: boolean.  If true, dump all test output during the build.
-if (!project.hasProperty('showAllOutput')) {
-  ext.showAllOutput = 'false'
+apply from: 'utils.gradle'
+
+// Custom task to run checkLicense in buildSrc, which is not triggered
+// by root project tasks. A shell task is used because buildSrc tasks
+// cannot be referenced in the same way as tasks from a regular included
+// build.
+task checkBuildSrcLicense(type:Exec) {
+  workingDir "${rootDir}/buildSrc"
+  commandLine '../gradlew', 'checkLicense'
 }
+tasks.checkLicense.dependsOn(tasks.checkBuildSrcLicense)
+tasks.build.dependsOn(tasks.checkLicense)
+
+// Provide defaults for all of the project properties.

 // Only do linting if the build is successful.
 gradleLint.autoLintAfterFailure = false
@@ -78,10 +111,10 @@ task deploy {

 task verifyDeployment {
  group = 'deployment'
-  description = 'Ensure that one can only deploy to alpha.'
+  description = 'Ensure that one cannot deploy to production or sandbox.'
  doFirst {
-    if (rootProject.findProperty("environment") != 'alpha') {
-      throw new GradleException("Can only deploy to alpha.");
+    if (rootProject.prodOrSandboxEnv) {
+      throw new GradleException("Cannot deploy to production or sandbox.");
    }
  }
 }
@@ -126,8 +159,8 @@ subprojects {
        attributes 'Main-Class': mainClass
      }
      zip64 = true
-      classifier = null
-      version = null
+      classifier = ''
+      archiveVersion = ''
      configurations = [project.configurations.runtimeClasspath]
      from project.sourceSets.main.output
      // Excludes signature files that accompany some dependency jars, like
@@ -138,16 +171,17 @@ subprojects {
    }
  }

-  if (rootProject.disableDependencyLocking.toBoolean() == false) {
+  if (rootProject.enableDependencyLocking.toBoolean()) {
    buildscript {
      // Lock buildscript dependencies.
      configurations.classpath {
        resolutionStrategy.activateDependencyLocking()
      }
    }
-    // Lock application dependencies.
-    dependencyLocking {
-      lockAllConfigurations()
+    // Lock application dependencies except for the gradle-license-report
+    // plugin. See dependency_lic.gradle for more information.
+    configurations.findAll { it.name != 'dependencyLicenseReport' }.each {
+      it.resolutionStrategy.activateDependencyLocking()
    }
  }

@@ -204,14 +238,9 @@ subprojects {
    }
  }

-  if (project.name == 'util') return
-  if (project.name == 'proxy') return
-  if (project.name == 'core') return
-
-  test {
-    testLogging.showStandardStreams = Boolean.parseBoolean(showAllOutput)
-  }
+  if (['util', 'proxy', 'core', 'prober', 'db'].contains(project.name)) return

+  // TODO(weiminyu): investigate if the block below is still needed
  ext.relativePath = "google/registry/${project.name}"

  sourceSets.each {
@@ -223,3 +252,130 @@ subprojects {
    }
  }
 }
+
+// If "-P verboseTestOutput=true" is passed in, configure all subprojects to dump all of their
+// output and final test status (pass/fail, errors) for each test class.
+//
+// Note that we can't do this in the main subprojects section above because that's evaluated before
+// the subproject build files and the test tasks haven't been defined yet.  We have to do it from
+// the projectsEvaluted hook, which gets called after the subprojects are configured.
+if (verboseTestOutput.toBoolean()) {
+  gradle.projectsEvaluated({
+    subprojects {
+      tasks.withType(Test) {
+        testLogging {
+          events TestLogEvent.FAILED, TestLogEvent.PASSED, TestLogEvent.SKIPPED,
+              TestLogEvent.STANDARD_OUT, TestLogEvent.STANDARD_ERROR
+          exceptionFormat TestExceptionFormat.FULL
+          showExceptions true
+          showCauses true
+          showStackTraces true
+
+          afterSuite { desc, result ->
+            println "Results: ${result.resultType}, " +
+                "${result.successfulTestCount}/${result.testCount} tests " +
+                "passed, ${result.failedTestCount} failures.";
+          }
+        }
+      }
+    }
+  })
+}
+
+task checkDependenciesDotGradle {
+  def buildSrcDepsFile = File.createTempFile('buildSrc', 'deps')
+  buildSrcDepsFile.deleteOnExit()
+  dependsOn createGetBuildSrcDirectDepsTask(buildSrcDepsFile)
+
+  doLast {
+    Set<String> depsInUse = []
+    allprojects {
+      configurations.all {
+        it.dependencies.findAll { it.group != null }.each {
+          // Note: .toString() is required since GString should
+          // not be mixed with Java Strings.
+          depsInUse.add("${it.group}:${it.name}".toString())
+        }
+      }
+    }
+    if (buildSrcDepsFile.exists()) {
+      depsInUse.addAll(buildSrcDepsFile.readLines())
+    }
+    def unusedDeps =
+        rootProject.dependencyMap.keySet()
+            .findAll { !depsInUse.contains(it) }
+            .toSorted()
+
+    if (unusedDeps.isEmpty()) {
+      return
+    }
+    logger.error(
+        "Unused dependencies in dependencies.gradle:\n${unusedDeps.toListString()}")
+    throw new IllegalStateException(
+        "The dependencies.gradle file should only contain direct dependencies.")
+  }
+}
+tasks.build.dependsOn(tasks.checkDependenciesDotGradle)
+
+def createGetBuildSrcDirectDepsTask(outputFileName) {
+  return tasks
+      .create(
+          "getBuildSrcDeps_${java.util.UUID.randomUUID()}".toString(),
+          Exec) {
+    workingDir "${rootDir}/buildSrc"
+    commandLine '../gradlew', 'exportDependencies',
+                "-PdependencyExportFile=${outputFileName}"
+  }
+}
+
+rootProject.ext {
+  invokeJavaDiffFormatScript = { action ->
+    def scriptDir = rootDir.path.endsWith('buildSrc')
+            ? "${rootDir}/../java-format"
+            : "${rootDir}/java-format"
+    def workingDir = rootDir.path.endsWith('buildSrc')
+            ? "${rootDir}/.."
+            : rootDir
+    def formatDiffScript = "${scriptDir}/google-java-format-git-diff.sh"
+
+    return ext.execInBash(
+        "${formatDiffScript} ${action}", "${workingDir}")
+  }
+}
+
+// Checks if modified lines in Java source files need reformatting.
+// Note that this task checks modified Java files in the entire repository.
+task javaIncrementalFormatCheck {
+  doLast {
+    def checkResult = invokeJavaDiffFormatScript("check")
+    if (checkResult == 'true') {
+      throw new IllegalStateException(
+          "Some Java files need to be reformatted. You may use the "
+              + "'javaIncrementalFormatDryRun' task to review\n "
+              + "the changes, or the 'javaIncrementalFormatApply' task "
+              + "to reformat.")
+    } else if (checkResult != 'false') {
+      throw new RuntimeException(
+          "Failed to invoke format check script:\n" + checkResult)
+    }
+    println("Incremental Java format check ok.")
+  }
+}
+
+// Shows how modified lines in Java source files will change after formatting.
+// Note that this task checks modified Java files in the entire repository.
+task javaIncrementalFormatDryRun {
+  doLast {
+    println("${invokeJavaDiffFormatScript("show")}")
+  }
+}
+
+// Checks if modified lines in Java source files need reformatting.
+// Note that this task processes modified Java files in the entire repository.
+task javaIncrementalFormatApply {
+  doLast {
+    invokeJavaDiffFormatScript("format")
+  }
+}
+
+tasks.build.dependsOn(tasks.javaIncrementalFormatCheck)
@@ -1,5 +1,19 @@
+// Copyright 2019 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 buildscript {
-  if (rootProject.disableDependencyLocking.toBoolean() == false) {
+  if (project.enableDependencyLocking.toBoolean()) {
    // Lock buildscript dependencies.
    configurations.classpath {
      resolutionStrategy.activateDependencyLocking()
@@ -18,7 +32,7 @@ plugins {
  id 'com.diffplug.gradle.spotless' version '3.18.0'
 }

-if (rootProject.disableDependencyLocking.toBoolean() == false) {
+if (rootProject.enableDependencyLocking.toBoolean()) {
  // Lock application dependencies.
  dependencyLocking {
    lockAllConfigurations()
@@ -38,6 +52,7 @@ repositories {
 }

 apply from: '../dependencies.gradle'
+apply from: '../dependency_lic.gradle'
 apply from: '../java_common.gradle'

 sourceSets {
@@ -74,3 +89,21 @@ gradle.projectsEvaluated {
    options.compilerArgs << "-Xlint:unchecked"
  }
 }
+
+task exportDependencies {
+  def outputFileProperty = 'dependencyExportFile'
+  def output = project.hasProperty(outputFileProperty)
+      ? new PrintStream(
+          new File(project.getProperty(outputFileProperty)))
+      : System.out
+
+  doLast {
+    project.configurations.all {
+      it.dependencies.findAll {
+        it.group != null
+      }.each {
+        output.println("${it.group}:${it.name}")
+      }
+    }
+  }
+}
@@ -1 +1 @@
-disableDependencyLocking=false
+enableDependencyLocking=false
@@ -25,6 +25,53 @@ by Joshua Bloch in his book Effective Java -->
    <property name="message" value='TODO is preferred to FIXME.  e.g. "TODO(johndoe): Refactor when v2 is released."' />
  </module>

+  <!-- Checks that String.toUpper/LowerCase() is never used without locale. -->
+  <module name="RegexpSingleline">
+    <property name="format" value="\.to(Upper|Lower)Case\(\)"/>
+    <property name="message" value="String.toUpper/LowerCase() can have unexpected results depending on locale. Either set the locale explicitly - e.g., toUpperCase(Locale.ENGLISH) - or use Ascii.toUpper/LowerCase(...) instead." />
+  </module>
+
+  <!-- Checks that DateTime.now(...) is always passed a DateTimeZone parameter. -->
+  <module name="RegexpSingleline">
+    <property name="format" value="DateTime\.now\(\)"/>
+    <property name="message" value="DateTime.now() must be called with a DateTimeZone parameter, e.g. DateTime.now(UTC)" />
+  </module>
+
+  <!-- Checks that Javadoc does not include a malformed @see tag. -->
+  <module name="RegexpSingleline">
+    <property name="format" value='@see\s\"http(|s)://'/>
+    <property name="message" value='Your Javadocs appear to use invalid &lt;a&gt; tag syntax in @see tags. Please use the correct syntax: @see &lt;a href="http(s)://your_url"&gt;url_description&lt;/a&gt;'/>
+  </module>
+
+  <!-- Checks that our Ofy wrapper is used instead of the "real" ofy(). -->
+  <module name="RegexpSingleline">
+    <property name="format" value="com\.googlecode\.objectify\.ObjectifyService\.ofy"/>
+    <property name="message" value="Use google.registry.model.ofy.ObjectifyService.ofy(). Do not use com.googlecode.objectify.v4.ObjectifyService.ofy()."/>
+  </module>
+
+  <!-- Checks that java.util.Optional is used instead of Guava's Optional. -->
+  <module name="RegexpSingleline">
+    <property name="format" value="com\.google\.common\.base\.Optional"/>
+    <property name="message" value="Use java.util.Optional instead of Guava's Optional."/>
+  </module>
+
+  <!-- Checks that our backport JUnit exception assertion methods are used instead of the ones slated for release in JUnit 4.13. -->
+  <module name="RegexpSingleline">
+    <property name="format" value="org\.junit\.Assert\.(assert|expect)Throws"/>
+    <property name="message" value="Use the exception assertion methods in google.registry.testing.JUnitBackports instead of those in JUnit."/>
+  </module>
+
+  <!-- Checks that the deprecated ExpectedException is not used. -->
+  <module name="RegexpSingleline">
+    <property name="format" value="org\.junit\.rules\.ExpectedException"/>
+    <property name="message" value="Use assertThrows and expectThrows from JUnitBackports instead of the deprecated methods on ExpectedException."/>
+  </module>
+
+  <!-- Checks that the deprecated MockitoJUnitRunner is not used. -->
+  <module name="RegexpSingleline">
+    <property name="format" value="MockitoJUnitRunner"/>
+    <property name="message" value="MockitoJUnitRunner is deprecated. Use @RunWith(JUnit4.class) and MockitoRule instead."/>
+  </module>

  <!-- All Java AST specific tests live under TreeWalker module. -->
  <module name="TreeWalker">
@@ -9,4 +9,6 @@
  <suppress files="[/\\].*[/\\]generated.*[/\\]" checks="."/>
  <!-- Ignore Javadoc checks in test files -->
  <suppress files="[/\\].*[/\\]src/test/java/.*[/\\]" checks="JavadocType"/>
+  <!-- ofy() regex check doesn't apply to these files -->
+  <suppress files="AugmentedDeleter.java|AugmentedSaver.java|Ofy.java" checks="RegexpSingleline"/>
 </suppressions>
@@ -0,0 +1,217 @@
+{
+  "allowedLicenses": [
+    {
+      "moduleLicense": "Apache Software License, Version 1.1"
+    },
+    {
+      "moduleLicense": "Apache 2"
+    },
+    {
+      "moduleLicense": "Apache 2.0"
+    },
+    {
+      "moduleLicense": "Apache-2.0"
+    },
+    {
+      "moduleLicense": "Apache License"
+    },
+    {
+      "moduleLicense": "Apache License 2.0"
+    },
+    {
+      "moduleLicense": "Apache License v2.0"
+    },
+    {
+      "moduleLicense": "Apache License, Version 2.0"
+    },
+    {
+      "moduleLicense": "Apache Software License - Version 2.0"
+    },
+    {
+      "moduleLicense": "The Apache License, Version 2.0"
+    },
+    {
+      "moduleLicense": "The Apache Software License, Version 2.0"
+    },
+    {
+      "moduleLicense": "The Apache Software License, version 2.0"
+    },
+    {
+      "moduleLicense": "Bouncy Castle Licence"
+    },
+    {
+      "moduleLicense": "BSD"
+    },
+    {
+      "moduleLicense": "BSD-2-Clause"
+    },
+    {
+      "moduleLicense": "BSD 2-Clause License"
+    },
+    {
+      "moduleLicense": "BSD 2-Clause license"
+    },
+    {
+      "moduleLicense": "BSD 3-clause"
+    },
+    {
+      "moduleLicense": "BSD 3-Clause"
+    },
+    {
+      "moduleLicense": "BSD 3-Clause License"
+    },
+    {
+      "moduleLicense": "BSD 3-clause New License"
+    },
+    {
+      "moduleLicense": "The 3-Clause BSD License"
+    },
+    {
+      "moduleLicense": "BSD License"
+    },
+    {
+      "moduleLicense": "BSD New License"
+    },
+    {
+      "moduleLicense": "BSD New license"
+    },
+    {
+      "moduleLicense": "BSD style"
+    },
+    {
+      "moduleLicense": "BSD-2-Clause"
+    },
+    {
+      "moduleLicense": "New BSD License"
+    },
+    {
+      "moduleLicense": "Revised BSD"
+    },
+    {
+      "moduleLicense": "The BSD License"
+    },
+    {
+      "moduleLicense": "The PostgreSQL License"
+    },
+    {
+      "moduleLicense": "CC0 1.0 Universal License"
+    },
+    {
+      "moduleLicense": "CDDL 1.1"
+    },
+    {
+      "moduleLicense": "CDDL + GPLv2 with classpath exception"
+    },
+    {
+      "moduleLicense": "COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0"
+    },
+    {
+      "moduleLicense": "https://glassfish.java.net/public/CDDL+GPL_1_1.html, https://glassfish.java.net/public/CDDL+GPL_1_1.html"
+    },
+    {
+      "moduleLicense": "CDDL+GPL License"
+    },
+    {
+      "moduleLicense": "\\n                Dual license consisting of the CDDL v1.1 and GPL v2\\n            "
+    },
+    {
+      "moduleLicense": "Eclipse Distribution License (New BSD License)"
+    },
+    {
+      "moduleLicense": "Eclipse Distribution License v. 1.0"
+    },
+    {
+      "moduleLicense": "Eclipse Public License - Version 1.0"
+    },
+    {
+      "moduleLicense": "Eclipse Public License - v 1.0"
+    },
+    {
+      "moduleLicense": "Eclipse Public License 1.0"
+    },
+    {
+      "moduleLicense": "Eclipse Public License v1.0"
+    },
+    {
+      "moduleLicense": "Eclipse Public License - v 2.0"
+    },
+    {
+      "moduleLicense": "https://www.eclipse.org/legal/epl-2.0/, http://www.gnu.org/copyleft/gpl.html, http://www.gnu.org/licenses/lgpl.html"
+    },
+    {
+      "moduleLicense": "Google App Engine Terms of Service"
+    },
+    {
+      "moduleLicense": "GNU General Public License Version 2"
+    },
+    {
+      "moduleLicense": "GNU General Public License, version 2, with the Classpath Exception"
+    },
+    {
+      "moduleLicense": "GNU GENERAL PUBLIC LICENSE, Version 2 + Classpath Exception"
+    },
+    {
+      "moduleLicense": "GNU Library General Public License v2.1 or later"
+    },
+    {
+      "moduleLicense": "GPL2 w/ CPE"
+    },
+    {
+      "moduleLicense": "GNU Lesser Public License"
+    },
+    {
+      "moduleLicense": "GNU Lesser General Public License Version 2.1"
+    },
+    {
+      "moduleLicense": "GNU Library General Public License v2.1 or later"
+    },
+    {
+      "moduleLicense": "The Go license"
+    },
+    {
+      "moduleLicense": "GWT Terms"
+    },
+    {
+      "moduleLicense": "ICU License"
+    },
+    {
+      "moduleLicense": "The JSON License"
+    },
+    {
+      "moduleLicense": "LGPL-2.1+"
+    },
+    {
+      "moduleLicense": "LGPL, version 2.1"
+    },
+    {
+      "moduleLicense": "MIT"
+    },
+    {
+      "moduleLicense": "MIT License"
+    },
+    {
+      "moduleLicense": "MIT license"
+    },
+    {
+      "moduleLicense": "The MIT License"
+    },
+    {
+      "moduleLicense": "The MIT license"
+    },
+    {
+      "moduleLicense": "The PostgreSQL License"
+    },
+    {
+      "moduleLicense": "Mozilla Public License Version 2.0"
+    },
+    {
+      "moduleLicense": "Public Domain"
+    },
+    {
+      "moduleLicense": "PUBLIC DOMAIN"
+    },
+    {
+      "moduleLicense": "The W3C Software License"
+    }
+  ]
+}
@@ -0,0 +1,32 @@
+{
+  "bundles" : [
+    {
+      "bundleName" : "Apache 2.0",
+      "licenseName" : "Apache 2.0",
+      "licenseUrl" : "http://www.apache.org/licenses/LICENSE-2.0"
+    },
+    {
+      "bundleName" : "MIT License",
+      "licenseName" : "MIT License",
+      "licenseUrl" : "http://www.opensource.org/licenses/mit-license.php"
+    }
+  ],
+  "transformationRules" : [
+    {
+      "bundleName" : "Apache 2.0",
+      "licenseUrlPattern" : "http://www.apache.org/licenses/LICENSE-2.0"
+    },
+    {
+      "bundleName" : "Apache 2.0",
+      "licenseUrlPattern" : "http://www.apache.org/licenses/LICENSE-2.0.txt"
+    },
+    {
+      "bundleName" : "MIT License",
+      "licenseUrlPattern" : "http://www.opensource.org/licenses/mit-license.php"
+    },
+    {
+      "bundleName" : "MIT License",
+      "licenseUrlPattern" : "http://www.opensource.org/licenses/MIT"
+    }
+  ]
+}
@@ -76,12 +76,19 @@ PRESUBMITS = {
    # License check
    PresubmitCheck(
        r".*Copyright 20\d{2} The Nomulus Authors\. All Rights Reserved\.",
-        ("java", "js", "soy", "sql", "py", "sh"), {
+        ("java", "js", "soy", "sql", "py", "sh", "gradle"), {
            ".git", "/build/", "/generated/", "node_modules/",
-            "JUnitBackports.java"
+            "JUnitBackports.java", "registrar_bin.", "registrar_dbg.",
+            "google-java-format-diff.py",
+            "nomulus.golden.sql"
        }, REQUIRED):
        "File did not include the license header.",

+    # Files must end in a newline
+    PresubmitCheck(r".*\n$", ("java", "js", "soy", "sql", "py", "sh", "gradle"),
+                   {"node_modules/"}, REQUIRED):
+        "Source files must end in a newline.",
+
    # System.(out|err).println should only appear in tools/
    PresubmitCheck(
        r".*\bSystem\.(out|err)\.print", "java", {
@@ -143,7 +150,7 @@ PRESUBMITS = {
    PresubmitCheck(
        r".*(innerHTML|outerHTML)\s*(=|[+]=)([^=]|$)",
        "js",
-        {"/node_modules/"},
+        {"/node_modules/", "registrar_bin."},
    ):
        "Do not assign directly to the dom. Use goog.dom.setTextContent to set"
        " to plain text, goog.dom.removeChildren to clear, or "
@@ -151,14 +158,13 @@ PRESUBMITS = {
    PresubmitCheck(
        r".*console\.(log|info|warn|error)",
        "js",
-        {"/node_modules/", "google/registry/ui/js/util.js"},
+        {"/node_modules/", "google/registry/ui/js/util.js", "registrar_bin."},
    ):
        "JavaScript files should not include console logging."
 }


 def get_files():
-  result = []
  for root, dirnames, filenames in os.walk("."):
    for filename in filenames:
      yield os.path.join(root, filename)
@@ -0,0 +1,3 @@
+FROM gcr.io/distroless/java:debug
+ADD build/libs/nomulus.jar /nomulus.jar
+ENTRYPOINT ["/usr/bin/java", "-jar", "/nomulus.jar"]
@@ -1,3 +1,17 @@
+// Copyright 2019 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 plugins {
  id 'java-library'
 }
@@ -11,6 +25,7 @@ def screenshotsForGoldensDir = "${project.buildDir}/screenshots_for_goldens"
 def newGoldensDir = "${project.buildDir}/new_golden_images"
 def goldensDir =
  "${javaTestDir}/google/registry/webdriver/goldens/chrome-linux"
+def jsDir = "${project.projectDir}/src/main/javascript"

 // Tests that conflict with (mostly unidentified) members of the main test
 // suite. It is unclear if they are offenders (i.e., those that pollute global
@@ -28,6 +43,22 @@ def outcastTestPatterns = [
    "google/registry/tools/server/CreatePremiumListActionTest.*",
 ]

+// Tests that fail when running Gradle in a docker container, e. g. when
+// building the release artifacts in Google Cloud Build.
+def dockerIncompatibleTestPatterns = [
+    // The webdriver tests start headless Chrome in a Docker container,
+    // resulting in Docker-in-Docker complications.  Likewise,
+    // GenerateSqlSchemaCommandTest launches postgresql in a docker container.
+    "google/registry/webdriver/*",
+    "google/registry/tools/GenerateSqlSchemaCommandTest.*",
+    // PathParameterTest includes tests which validate that file permissions are
+    // respected. However when running in Docker the user is root by default, so
+    // every file is read/write-able. There is no way to exclude specific test
+    // methods, so we exclude the whole test class.
+    "google/registry/tools/params/PathParameterTest.*",
+    "google/registry/persistence/EntityManagerFactoryProviderTest.*",
+]
+
 // Tests that conflict with members of both the main test suite and the
 // outcast suite. They seem to be affected by global states outside of
 // Nomulus classes, e.g., threads and objects retained by frameworks.
@@ -38,21 +69,8 @@ def fragileTestPatterns = [
    // Test Datastore inexplicably aborts transaction.
    "google/registry/model/tmch/ClaimsListShardTest.*",
    // Creates large object (64MBytes), occasionally throws OOM error.
-    "google/registry/model/server/KmsSecretRevisionTest.*"
-]
-
-// Tests that fail when running Gradle in a docker container, e. g. when
-// building the release artifacts in Google Cloud Build.
-def dockerIncompatibleTestPatterns = [
-    // The webdriver tests start headless Chrome in a Docker container,
-    // resulting in Docker-in-Docker complications.
-    "google/registry/webdriver/*",
-    // PathParameterTest includes tests which validate that file permissions are
-    // respected. However when running in Docker the user is root by default, so
-    // every file is read/write-able. There is no way to exclude specific test
-    // methods, so we exclude the whole test class.
-    "google/registry/tools/params/PathParameterTest.*"
-]
+    "google/registry/model/server/KmsSecretRevisionTest.*",
+] + dockerIncompatibleTestPatterns

 sourceSets {
  main {
@@ -82,14 +100,14 @@ sourceSets {
  }
 }

+processTestResources {
+  exclude '**/webdriver/*'
+}
+
 configurations {
  css
  jaxb
  soy
-  // Label for all dependencies inherited from Bazel build but not used in
-  // either compile or testRuntime. However, they may be needed at runtime.
-  // TODO(weiminyu): identify runtime dependencies and remove the rest.
-  maybeRuntime
  closureCompiler

  // Exclude non-canonical servlet-api jars. Our AppEngine deployment uses
@@ -125,53 +143,38 @@ dependencies {
      "${rootDir}/third_party/objectify/v4_1/objectify-4.1.3.jar")
  testImplementation project(':third_party')

+  testRuntime files(sourceSets.test.resources.srcDirs)
+
  compile deps['com.beust:jcommander']
  compile deps['com.google.api-client:google-api-client']
-  maybeRuntime deps['com.google.api-client:google-api-client-appengine']
-  maybeRuntime deps['com.google.api-client:google-api-client-jackson2']
  compile deps['com.google.monitoring-client:metrics']
  compile deps['com.google.monitoring-client:stackdriver']
  compile deps['com.google.api-client:google-api-client-java6']
-  maybeRuntime deps['com.google.api-client:google-api-client-servlet']
  compile deps['com.google.apis:google-api-services-admin-directory']
  compile deps['com.google.apis:google-api-services-appengine']
  compile deps['com.google.apis:google-api-services-bigquery']
-  maybeRuntime deps['com.google.apis:google-api-services-clouddebugger']
  compile deps['com.google.apis:google-api-services-cloudkms']
-  maybeRuntime deps['com.google.apis:google-api-services-cloudresourcemanager']
  compile deps['com.google.apis:google-api-services-dataflow']
  compile deps['com.google.apis:google-api-services-dns']
  compile deps['com.google.apis:google-api-services-drive']
  compile deps['com.google.apis:google-api-services-groupssettings']
  compile deps['com.google.apis:google-api-services-monitoring']
  compile deps['com.google.apis:google-api-services-sheets']
-  maybeRuntime deps['com.google.apis:google-api-services-storage']
  testCompileOnly deps['com.google.appengine:appengine-api-1.0-sdk']
-  maybeRuntime deps['com.google.appengine:appengine-api-labs']
-  maybeRuntime deps['com.google.appengine:appengine-api-stubs']
  testCompile deps['com.google.appengine:appengine-api-stubs']
  compile deps['com.google.appengine.tools:appengine-gcs-client']
  compile deps['com.google.appengine.tools:appengine-mapreduce']
  compile deps['com.google.appengine.tools:appengine-pipeline']
  compile deps['com.google.appengine:appengine-remote-api']
-  maybeRuntime deps['com.google.appengine:appengine-tools-sdk']
  compile deps['com.google.auth:google-auth-library-credentials']
  compile deps['com.google.auth:google-auth-library-oauth2-http']
-  maybeRuntime deps['com.google.auto:auto-common']
-  maybeRuntime deps['com.google.auto.factory:auto-factory']
  compile deps['com.google.code.gson:gson']
  compile deps['com.google.auto.value:auto-value-annotations']
-  maybeRuntime deps['com.google.cloud.bigdataoss:gcsio']
-  maybeRuntime deps['com.google.cloud.bigdataoss:util']
  compile deps['com.google.code.findbugs:jsr305']
  compile deps['com.google.dagger:dagger']
-  maybeRuntime deps['com.google.dagger:dagger-producers']
  compile deps['com.google.errorprone:error_prone_annotations']
-  maybeRuntime deps['com.google.errorprone:javac-shaded']
  compile deps['com.google.flogger:flogger']
  runtime deps['com.google.flogger:flogger-system-backend']
-  maybeRuntime deps['com.google.gdata:core']
-  maybeRuntime deps['com.google.googlejavaformat:google-java-format']
  compile deps['com.google.guava:guava']
  gradleLint.ignore('unused-dependency') {
    compile deps['com.google.gwt:gwt-user']
@@ -180,89 +183,50 @@ dependencies {
  compile deps['com.google.http-client:google-http-client-appengine']
  compile deps['com.google.http-client:google-http-client-jackson2']
  compile deps['com.google.oauth-client:google-oauth-client']
-  maybeRuntime deps['com.google.oauth-client:google-oauth-client-appengine']
  compile deps['com.google.oauth-client:google-oauth-client-java6']
  compile deps['com.google.oauth-client:google-oauth-client-jetty']
-  maybeRuntime deps['com.google.oauth-client:google-oauth-client-servlet']
-  maybeRuntime deps['com.google.protobuf:protobuf-java']
  compile deps['com.google.re2j:re2j']
  compile deps['com.google.template:soy']
-  maybeRuntime deps['com.googlecode.charts4j:charts4j']
  compile deps['com.googlecode.json-simple:json-simple']
  compile deps['com.jcraft:jsch']
-  maybeRuntime deps['com.jcraft:jzlib']
-  maybeRuntime deps['com.squareup:javapoet']
-  maybeRuntime deps['com.squareup:javawriter']
-  maybeRuntime deps['com.sun.activation:javax.activation']
-  maybeRuntime deps['com.thoughtworks.paranamer:paranamer']
  testCompile deps['com.thoughtworks.qdox:qdox']
-  maybeRuntime deps['commons-codec:commons-codec']
-  maybeRuntime deps['commons-logging:commons-logging']
  compile deps['dnsjava:dnsjava']
-  maybeRuntime deps['io.netty:netty-buffer']
-  maybeRuntime deps['io.netty:netty-codec']
-  maybeRuntime deps['io.netty:netty-codec-http']
-  maybeRuntime deps['io.netty:netty-common']
-  maybeRuntime deps['io.netty:netty-handler']
-  maybeRuntime deps['io.netty:netty-resolver']
-  maybeRuntime deps['io.netty:netty-tcnative']
-  maybeRuntime deps['io.netty:netty-tcnative-boringssl-static']
-  maybeRuntime deps['io.netty:netty-transport']
-  maybeRuntime deps['it.unimi.dsi:fastutil']
-  maybeRuntime deps['javax.annotation:jsr250-api']
  runtime deps['org.glassfish.jaxb:jaxb-runtime']
  testCompile deps['javax.annotation:jsr250-api']
  compile deps['javax.inject:javax.inject']
  compile deps['javax.mail:mail']
  compile deps['javax.servlet:servlet-api']
  compile deps['javax.xml.bind:jaxb-api']
-  maybeRuntime deps['javax.xml.soap:javax.xml.soap-api']
  compile deps['jline:jline']
  compile deps['joda-time:joda-time']
  compile deps['org.apache.avro:avro']
-  maybeRuntime deps['org.apache.beam:beam-runners-direct-java']
  testCompile deps['org.apache.beam:beam-runners-direct-java']
  compile deps['org.apache.beam:beam-runners-google-cloud-dataflow-java']
-  maybeRuntime deps['org.apache.beam:beam-sdks-common-runner-api']
  compile deps['org.apache.beam:beam-sdks-java-core']
  compile deps['org.apache.beam:beam-sdks-java-extensions-google-cloud-platform-core']
  compile deps['org.apache.beam:beam-sdks-java-io-google-cloud-platform']
-  maybeRuntime deps['org.apache.commons:commons-compress']
  testCompile deps['org.apache.commons:commons-text']
-  maybeRuntime deps['org.apache.ftpserver:ftplet-api']
  testCompile deps['org.apache.ftpserver:ftplet-api']
-  maybeRuntime deps['org.apache.ftpserver:ftpserver-core']
  testCompile deps['org.apache.ftpserver:ftpserver-core']
  compile deps['org.apache.httpcomponents:httpclient']
  compile deps['org.apache.httpcomponents:httpcore']
-  maybeRuntime deps['org.apache.mina:mina-core']
-  maybeRuntime deps['org.apache.sshd:sshd-core']
  testCompile deps['org.apache.sshd:sshd-core']
-  maybeRuntime deps['org.apache.sshd:sshd-scp']
  testCompile deps['org.apache.sshd:sshd-scp']
-  maybeRuntime deps['org.apache.sshd:sshd-sftp']
  testCompile deps['org.apache.sshd:sshd-sftp']
-  maybeRuntime deps['org.apache.tomcat:tomcat-annotations-api']
  testCompile deps['org.apache.tomcat:tomcat-annotations-api']
  compile deps['org.bouncycastle:bcpg-jdk15on']
  testCompile deps['org.bouncycastle:bcpkix-jdk15on']
  compile deps['org.bouncycastle:bcprov-jdk15on']
-  maybeRuntime deps['org.codehaus.jackson:jackson-core-asl']
-  maybeRuntime deps['org.codehaus.jackson:jackson-mapper-asl']
  compile deps['org.joda:joda-money']
  compile deps['org.json:json']
-  maybeRuntime deps['org.khronos:opengl-api']
-  maybeRuntime deps['org.mortbay.jetty:jetty']
  testCompile deps['org.mortbay.jetty:jetty']
-  maybeRuntime deps['org.mortbay.jetty:jetty-util']
+  runtimeOnly deps['org.postgresql:postgresql']
  testCompile deps['org.seleniumhq.selenium:selenium-api']
  testCompile deps['org.seleniumhq.selenium:selenium-chrome-driver']
  testCompile deps['org.seleniumhq.selenium:selenium-java']
  testCompile deps['org.seleniumhq.selenium:selenium-remote-driver']
-  maybeRuntime deps['org.slf4j:slf4j-api']
+  compile deps['org.testcontainers:postgresql']
  testCompile deps['org.testcontainers:selenium']
-  maybeRuntime deps['org.tukaani:xz']
-  maybeRuntime deps['org.xerial.snappy:snappy-java']
  compile deps['xerces:xmlParserAPIs']
  compile deps['xpp3:xpp3']

@@ -288,8 +252,10 @@ dependencies {
  testCompile deps['org.hamcrest:hamcrest-all']
  testCompile deps['org.hamcrest:hamcrest-core']
  testCompile deps['org.hamcrest:hamcrest-library']
+  compile deps['org.hibernate:hibernate-hikaricp']
  testCompile deps['junit:junit']
  testCompile deps['org.mockito:mockito-core']
+  runtime deps['org.postgresql:postgresql']

  // Indirect dependency found by undeclared-dependency check. Such
  // dependencies should go after all other compile and testCompile
@@ -466,7 +432,7 @@ task soyToJS {
 }

 task stylesheetsToJavascript {
-  def cssSourceDir = "${javaDir}/google/registry/ui/css"
+  def cssSourceDir = "${jsDir}/google/registry/ui/css"
  def outputDir = "${resourcesDir}/google/registry/ui/css"
  inputs.dir cssSourceDir
  outputs.dir outputDir
@@ -519,8 +485,8 @@ task compileProdJS(type: JavaExec) {
  def outputDir = "${resourcesDir}/google/registry/ui"
  def nodeModulesDir = "${rootDir}/node_modules"
  def cssSourceDir = "${resourcesDir}/google/registry/ui/css"
-  def jsSourceDir = "${javaDir}/google/registry/ui/js"
-  def externsDir = "${javaDir}/google/registry/ui/externs"
+  def jsSourceDir = "${jsDir}/google/registry/ui/js"
+  def externsDir = "${jsDir}/google/registry/ui/externs"
  def soySourceDir = "${generatedDir}/google/registry/ui/soy"

  [nodeModulesDir, cssSourceDir, jsSourceDir, externsDir, soySourceDir].each {
@@ -595,11 +561,12 @@ task fragileTest(type: Test) {
  exclude "**/*TestCase.*", "**/*TestSuite.*"
  include fragileTestPatterns

+  if (rootProject.findProperty("skipDockerIncompatibleTests") == "true") {
+    exclude dockerIncompatibleTestPatterns
+  }
+
  // Run every test class in a freshly started process.
  forkEvery 1
-
-  // Uncomment to see test outputs in stdout.
-  //testLogging.showStandardStreams = true
 }

 task outcastTest(type: Test) {
@@ -625,6 +592,13 @@ task findGoldenImages(type: JavaExec) {
  args arguments
 }

+// To run the nomulus tool:
+// gradle registryTool --args="foo --bar"
+task registryTool(type: JavaExec) {
+  classpath = sourceSets.main.runtimeClasspath
+  main = 'google.registry.tools.RegistryTool'
+}
+
 task generateGoldenImages(type: Test) {
  // Common exclude pattern. See README in parent directory for explanation.
  exclude "**/*TestCase.*", "**/*TestSuite.*"
@@ -686,10 +660,25 @@ test {
 }.dependsOn(fragileTest, outcastTest)

 createUberJar('nomulus', 'nomulus', 'google.registry.tools.RegistryTool')
-createUberJar('gtechTool', 'gtech_tool', 'google.registry.tools.GtechTool')
 project.nomulus.dependsOn project(':third_party').jar
-project.gtechTool.dependsOn project(':third_party').jar

-project.build.dependsOn nomulus
-project.build.dependsOn gtechTool
+task buildToolImage(dependsOn: nomulus, type: Exec) {
+  commandLine 'docker', 'build', '-t', 'nomulus-tool', '.'
+}
+
+task copyJsFilesForTestServer(dependsOn: assemble, type: Copy) {
+  // Unfortunately the test server relies on having some compiled JS/CSS
+  // in place, so copy it over here
+  from "${resourcesDir}/google/registry/ui/"
+  include '**/*.js'
+  include '**/*.css'
+  into "${project.projectDir}/src/main/resources/google/registry/ui/"
+}
+
+task runTestServer(dependsOn: copyJsFilesForTestServer, type: JavaExec) {
+  main = 'google.registry.server.RegistryTestServerMain'
+  classpath = sourceSets.test.runtimeClasspath
+}
+
+project.build.dependsOn buildToolImage
 project.build.dependsOn ':stage'
@@ -19,6 +19,7 @@ import static com.google.appengine.api.taskqueue.TaskOptions.Builder.withUrl;
 import static google.registry.backup.ExportCommitLogDiffAction.LOWER_CHECKPOINT_TIME_PARAM;
 import static google.registry.backup.ExportCommitLogDiffAction.UPPER_CHECKPOINT_TIME_PARAM;
 import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.DateTimeUtils.isBeforeOrAt;

 import com.google.common.flogger.FluentLogger;
@@ -63,7 +64,7 @@ public final class CommitLogCheckpointAction implements Runnable {
    final CommitLogCheckpoint checkpoint = strategy.computeCheckpoint();
    logger.atInfo().log(
        "Generated candidate checkpoint for time: %s", checkpoint.getCheckpointTime());
-    ofy()
+    tm()
        .transact(
            () -> {
              DateTime lastWrittenTime = CommitLogCheckpointRoot.loadRoot().getLastWrittenTime();
@@ -18,6 +18,7 @@ import static com.google.common.base.Preconditions.checkNotNull;
 import static com.google.common.base.Preconditions.checkState;
 import static google.registry.mapreduce.MapreduceRunner.PARAM_DRY_RUN;
 import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;
 import static java.lang.Boolean.FALSE;
 import static java.lang.Boolean.TRUE;

@@ -276,7 +277,7 @@ public final class DeleteOldCommitLogsAction implements Runnable {
        return;
      }

-      DeletionResult deletionResult = ofy().transactNew(() -> {
+      DeletionResult deletionResult = tm().transactNew(() -> {
        CommitLogManifest manifest = ofy().load().key(manifestKey).now();
        // It is possible that the same manifestKey was run twice, if a shard had to be restarted
        // or some weird failure. If this happens, we want to exit immediately.
@@ -39,6 +39,7 @@ import static google.registry.model.reporting.HistoryEntry.Type.CONTACT_DELETE;
 import static google.registry.model.reporting.HistoryEntry.Type.CONTACT_DELETE_FAILURE;
 import static google.registry.model.reporting.HistoryEntry.Type.HOST_DELETE;
 import static google.registry.model.reporting.HistoryEntry.Type.HOST_DELETE_FAILURE;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;
 import static google.registry.model.transfer.TransferStatus.SERVER_CANCELLED;
 import static java.math.RoundingMode.CEILING;
 import static java.util.concurrent.TimeUnit.DAYS;
@@ -308,7 +309,7 @@ public class DeleteContactsAndHostsAction implements Runnable {
      final boolean hasNoActiveReferences = !Iterators.contains(values, true);
      logger.atInfo().log("Processing async deletion request for %s", deletionRequest.key());
      DeletionResult result =
-          ofy()
+          tm()
              .transactNew(
                  () -> {
                    DeletionResult deletionResult =
@@ -329,7 +330,7 @@ public class DeleteContactsAndHostsAction implements Runnable {

    private DeletionResult attemptToDeleteResource(
        DeletionRequest deletionRequest, boolean hasNoActiveReferences) {
-      DateTime now = ofy().getTransactionTime();
+      DateTime now = tm().getTransactionTime();
      EppResource resource =
          ofy().load().key(deletionRequest.key()).now().cloneProjectedAtTime(now);
      // Double-check transactionally that the resource is still active and in PENDING_DELETE.
@@ -19,6 +19,7 @@ import static google.registry.config.RegistryEnvironment.PRODUCTION;
 import static google.registry.mapreduce.MapreduceRunner.PARAM_DRY_RUN;
 import static google.registry.mapreduce.inputs.EppResourceInputs.createEntityInput;
 import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.POST;

 import com.google.appengine.tools.mapreduce.Mapper;
@@ -124,7 +125,7 @@ public class DeleteLoadTestDataAction implements Runnable {
          Key.create(EppResourceIndex.create(Key.create(resource)));
      final Key<? extends ForeignKeyIndex<?>> fki = ForeignKeyIndex.createKey(resource);
      int numEntitiesDeleted =
-          ofy()
+          tm()
              .transact(
                  () -> {
                    // This ancestor query selects all descendant entities.
@@ -23,6 +23,7 @@ import static google.registry.model.ResourceTransferUtils.updateForeignKeyIndexD
 import static google.registry.model.ofy.ObjectifyService.ofy;
 import static google.registry.model.registry.Registries.getTldsOfType;
 import static google.registry.model.reporting.HistoryEntry.Type.DOMAIN_DELETE;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.POST;
 import static google.registry.request.RequestParameters.PARAM_TLDS;
 import static org.joda.time.DateTimeZone.UTC;
@@ -219,7 +220,7 @@ public class DeleteProberDataAction implements Runnable {
      final Key<? extends ForeignKeyIndex<?>> fki = ForeignKeyIndex.createKey(domain);

      int entitiesDeleted =
-          ofy()
+          tm()
              .transact(
                  () -> {
                    // This ancestor query selects all descendant HistoryEntries, BillingEvents,
@@ -245,16 +246,16 @@ public class DeleteProberDataAction implements Runnable {
    }

    private void softDeleteDomain(final DomainBase domain) {
-      ofy().transactNew(() -> {
+      tm().transactNew(() -> {
          DomainBase deletedDomain = domain
              .asBuilder()
-              .setDeletionTime(ofy().getTransactionTime())
+              .setDeletionTime(tm().getTransactionTime())
              .setStatusValues(null)
              .build();
          HistoryEntry historyEntry = new HistoryEntry.Builder()
              .setParent(domain)
              .setType(DOMAIN_DELETE)
-              .setModificationTime(ofy().getTransactionTime())
+              .setModificationTime(tm().getTransactionTime())
              .setBySuperuser(true)
              .setReason("Deletion of prober data")
              .setClientId(registryAdminClientId)
@@ -23,6 +23,7 @@ import static google.registry.model.common.Cursor.CursorType.RECURRING_BILLING;
 import static google.registry.model.domain.Period.Unit.YEARS;
 import static google.registry.model.ofy.ObjectifyService.ofy;
 import static google.registry.model.reporting.HistoryEntry.Type.DOMAIN_AUTORENEW;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;
 import static google.registry.pricing.PricingEngineProxy.getDomainRenewCost;
 import static google.registry.util.CollectionUtils.union;
 import static google.registry.util.DateTimeUtils.START_OF_TIME;
@@ -150,7 +151,7 @@ public class ExpandRecurringBillingEventsAction implements Runnable {
      }
      int numBillingEventsSaved = 0;
      try {
-        numBillingEventsSaved = ofy().transactNew(() -> {
+        numBillingEventsSaved = tm().transactNew(() -> {
          ImmutableSet.Builder<OneTime> syntheticOneTimesBuilder =
              new ImmutableSet.Builder<>();
          final Registry tld = Registry.get(getTldFromDomainName(recurring.getTargetId()));
@@ -183,20 +184,24 @@ public class ExpandRecurringBillingEventsAction implements Runnable {
            HistoryEntry historyEntry = new HistoryEntry.Builder()
                .setBySuperuser(false)
                .setClientId(recurring.getClientId())
-                .setModificationTime(ofy().getTransactionTime())
+                .setModificationTime(tm().getTransactionTime())
                .setParent(domainKey)
                .setPeriod(Period.create(1, YEARS))
                .setReason("Domain autorenewal by ExpandRecurringBillingEventsAction")
                .setRequestedByRegistrar(false)
                .setType(DOMAIN_AUTORENEW)
+                // Don't write a domain transaction record if the recurrence was ended prior to the
+                // billing time (i.e. a domain was deleted during the autorenew grace period).
                .setDomainTransactionRecords(
-                    ImmutableSet.of(
-                        DomainTransactionRecord.create(
-                            tld.getTldStr(),
-                            // We report this when the autorenew grace period ends
-                            billingTime,
-                            TransactionReportField.netRenewsFieldFromYears(1),
-                            1)))
+                    recurring.getRecurrenceEndTime().isBefore(billingTime)
+                        ? ImmutableSet.of()
+                        : ImmutableSet.of(
+                            DomainTransactionRecord.create(
+                                tld.getTldStr(),
+                                // We report this when the autorenew grace period ends
+                                billingTime,
+                                TransactionReportField.netRenewsFieldFromYears(1),
+                                1)))
                .build();
            historyEntriesBuilder.add(historyEntry);

@@ -308,7 +313,7 @@ public class ExpandRecurringBillingEventsAction implements Runnable {
      logger.atInfo().log(
          "Recurring event expansion %s complete for billing event range [%s, %s).",
          isDryRun ? "(dry run) " : "", cursorTime, executionTime);
-      ofy()
+      tm()
          .transact(
              () -> {
                Cursor cursor = ofy().load().key(Cursor.createGlobalKey(RECURRING_BILLING)).now();
@@ -15,6 +15,7 @@
 package google.registry.batch;

 import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;

 import com.google.appengine.tools.mapreduce.Mapper;
 import com.google.common.collect.ImmutableList;
@@ -69,7 +70,7 @@ public class ResaveAllEppResourcesAction implements Runnable {

    @Override
    public final void map(final Key<EppResource> resourceKey) {
-      ofy()
+      tm()
          .transact(
              () -> {
                EppResource projectedResource =
@@ -77,7 +78,7 @@ public class ResaveAllEppResourcesAction implements Runnable {
                        .load()
                        .key(resourceKey)
                        .now()
-                        .cloneProjectedAtTime(ofy().getTransactionTime());
+                        .cloneProjectedAtTime(tm().getTransactionTime());
                ofy().save().entity(projectedResource).now();
              });
      getContext().incrementCounter(String.format("%s entities re-saved", resourceKey.getKind()));
@@ -18,6 +18,7 @@ import static google.registry.batch.AsyncTaskEnqueuer.PARAM_REQUESTED_TIME;
 import static google.registry.batch.AsyncTaskEnqueuer.PARAM_RESAVE_TIMES;
 import static google.registry.batch.AsyncTaskEnqueuer.PARAM_RESOURCE_KEY;
 import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;

 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.ImmutableSortedSet;
@@ -73,11 +74,11 @@ public class ResaveEntityAction implements Runnable {
  public void run() {
    logger.atInfo().log(
        "Re-saving entity %s which was enqueued at %s.", resourceKey, requestedTime);
-    ofy().transact(() -> {
+    tm().transact(() -> {
      ImmutableObject entity = ofy().load().key(resourceKey).now();
      ofy().save().entity(
          (entity instanceof EppResource)
-              ? ((EppResource) entity).cloneProjectedAtTime(ofy().getTransactionTime()) : entity
+              ? ((EppResource) entity).cloneProjectedAtTime(tm().getTransactionTime()) : entity
      );
      if (!resaveTimes.isEmpty()) {
        asyncTaskEnqueuer.enqueueAsyncResave(entity, requestedTime, resaveTimes);
@@ -17,10 +17,11 @@ package google.registry.beam.invoicing;
 import com.google.auth.oauth2.GoogleCredentials;
 import google.registry.beam.invoicing.BillingEvent.InvoiceGroupingKey;
 import google.registry.beam.invoicing.BillingEvent.InvoiceGroupingKey.InvoiceGroupingKeyCoder;
+import google.registry.config.CredentialModule.LocalCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.reporting.billing.BillingModule;
 import google.registry.reporting.billing.GenerateInvoicesAction;
-import google.registry.tools.AuthModule.LocalOAuth2Credentials;
+import google.registry.util.GoogleCredentialsBundle;
 import java.io.Serializable;
 import javax.inject.Inject;
 import org.apache.beam.runners.dataflow.DataflowRunner;
@@ -57,35 +58,31 @@ import org.apache.beam.sdk.values.TypeDescriptors;
 */
 public class InvoicingPipeline implements Serializable {

-  @Inject
-  @Config("projectId")
-  String projectId;
+  private final String projectId;
+  private final String beamBucketUrl;
+  private final String invoiceTemplateUrl;
+  private final String beamStagingUrl;
+  private final String billingBucketUrl;
+  private final String invoiceFilePrefix;
+  private final GoogleCredentials googleCredentials;

  @Inject
-  @Config("apacheBeamBucketUrl")
-  String beamBucketUrl;
-
-  @Inject
-  @Config("invoiceTemplateUrl")
-  String invoiceTemplateUrl;
-
-  @Inject
-  @Config("beamStagingUrl")
-  String beamStagingUrl;
-
-  @Inject
-  @Config("billingBucketUrl")
-  String billingBucketUrl;
-
-  @Inject
-  @Config("invoiceFilePrefix")
-  String invoiceFilePrefix;
-
-  @Inject @LocalOAuth2Credentials
-  GoogleCredentials credentials;
-
-  @Inject
-  InvoicingPipeline() {}
+  public InvoicingPipeline(
+      @Config("projectId") String projectId,
+      @Config("apacheBeamBucketUrl") String beamBucketUrl,
+      @Config("invoiceTemplateUrl") String invoiceTemplateUrl,
+      @Config("beamStagingUrl") String beamStagingUrl,
+      @Config("billingBucketUrl") String billingBucketUrl,
+      @Config("invoiceFilePrefix") String invoiceFilePrefix,
+      @LocalCredential GoogleCredentialsBundle googleCredentialsBundle) {
+    this.projectId = projectId;
+    this.beamBucketUrl = beamBucketUrl;
+    this.invoiceTemplateUrl = invoiceTemplateUrl;
+    this.beamStagingUrl = beamStagingUrl;
+    this.billingBucketUrl = billingBucketUrl;
+    this.invoiceFilePrefix = invoiceFilePrefix;
+    this.googleCredentials = googleCredentialsBundle.getGoogleCredentials();
+  }

  /** Custom options for running the invoicing pipeline. */
  interface InvoicingPipelineOptions extends DataflowPipelineOptions {
@@ -105,12 +102,15 @@ public class InvoicingPipeline implements Serializable {
  public void deploy() {
    // We can't store options as a member variable due to serialization concerns.
    InvoicingPipelineOptions options = PipelineOptionsFactory.as(InvoicingPipelineOptions.class);
-    options.setGcpCredential(credentials);
    options.setProject(projectId);
    options.setRunner(DataflowRunner.class);
    // This causes p.run() to stage the pipeline as a template on GCS, as opposed to running it.
    options.setTemplateLocation(invoiceTemplateUrl);
    options.setStagingLocation(beamStagingUrl);
+    // This credential is used when Dataflow deploys the template to GCS in target GCP project.
+    // So, make sure the credential has write permission to GCS in that project.
+    options.setGcpCredential(googleCredentials);
+
    Pipeline p = Pipeline.create(options);

    PCollection<BillingEvent> billingEvents =
@@ -17,9 +17,12 @@ package google.registry.beam.spec11;
 import static com.google.common.base.Preconditions.checkArgument;
 import static google.registry.beam.BeamUtils.getQueryFromFile;

+import com.google.auth.oauth2.GoogleCredentials;
 import com.google.auto.value.AutoValue;
 import google.registry.beam.spec11.SafeBrowsingTransforms.EvaluateSafeBrowsingFn;
+import google.registry.config.CredentialModule.LocalCredential;
 import google.registry.config.RegistryConfig.Config;
+import google.registry.util.GoogleCredentialsBundle;
 import google.registry.util.Retrier;
 import google.registry.util.SqlTemplate;
 import java.io.Serializable;
@@ -77,26 +80,29 @@ public class Spec11Pipeline implements Serializable {
  /** The JSON object field we put the threat match array for Spec11 reports. */
  public static final String THREAT_MATCHES_FIELD = "threatMatches";

-  @Inject
-  @Config("projectId")
-  String projectId;
+  private final String projectId;
+  private final String beamStagingUrl;
+  private final String spec11TemplateUrl;
+  private final String reportingBucketUrl;
+  private final GoogleCredentials googleCredentials;
+  private final Retrier retrier;

  @Inject
-  @Config("beamStagingUrl")
-  String beamStagingUrl;
-
-  @Inject
-  @Config("spec11TemplateUrl")
-  String spec11TemplateUrl;
-
-  @Inject
-  @Config("reportingBucketUrl")
-  String reportingBucketUrl;
-
-  @Inject Retrier retrier;
-
-  @Inject
-  Spec11Pipeline() {}
+  public Spec11Pipeline(
+      @Config("projectId") String projectId,
+      @Config("beamStagingUrl") String beamStagingUrl,
+      @Config("spec11TemplateUrl") String spec11TemplateUrl,
+      @Config("reportingBucketUrl") String reportingBucketUrl,
+      @LocalCredential GoogleCredentialsBundle googleCredentialsBundle,
+      Retrier retrier
+  ) {
+    this.projectId = projectId;
+    this.beamStagingUrl = beamStagingUrl;
+    this.spec11TemplateUrl = spec11TemplateUrl;
+    this.reportingBucketUrl = reportingBucketUrl;
+    this.googleCredentials = googleCredentialsBundle.getGoogleCredentials();
+    this.retrier = retrier;
+  }

  /** Custom options for running the spec11 pipeline. */
  interface Spec11PipelineOptions extends DataflowPipelineOptions {
@@ -134,6 +140,9 @@ public class Spec11Pipeline implements Serializable {
    // This causes p.run() to stage the pipeline as a template on GCS, as opposed to running it.
    options.setTemplateLocation(spec11TemplateUrl);
    options.setStagingLocation(beamStagingUrl);
+    // This credential is used when Dataflow deploys the template to GCS in target GCP project.
+    // So, make sure the credential has write permission to GCS in that project.
+    options.setGcpCredential(googleCredentials);

    Pipeline p = Pipeline.create(options);
    PCollection<Subdomain> domains =
@@ -14,7 +14,6 @@

 package google.registry.bigquery;

-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.services.bigquery.Bigquery;
 import com.google.api.services.bigquery.model.TableFieldSchema;
 import com.google.common.collect.ImmutableList;
@@ -23,24 +22,29 @@ import dagger.Provides;
 import dagger.multibindings.Multibinds;
 import google.registry.config.CredentialModule.DefaultCredential;
 import google.registry.config.RegistryConfig.Config;
+import google.registry.util.GoogleCredentialsBundle;
 import java.util.Map;

 /** Dagger module for Google {@link Bigquery} connection objects. */
@Module
 public abstract class BigqueryModule {

-  /** Provides a map of BigQuery table names to field names. */
-  @Multibinds
-  abstract Map<String, ImmutableList<TableFieldSchema>> bigquerySchemas();
+  // No subclasses.
+  private BigqueryModule() {}

  @Provides
  static Bigquery provideBigquery(
-      @DefaultCredential GoogleCredential credential, @Config("projectId") String projectId) {
-    return new Bigquery.Builder(credential.getTransport(), credential.getJsonFactory(), credential)
+      @DefaultCredential GoogleCredentialsBundle credentialsBundle,
+      @Config("projectId") String projectId) {
+    return new Bigquery.Builder(
+            credentialsBundle.getHttpTransport(),
+            credentialsBundle.getJsonFactory(),
+            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(projectId)
        .build();
  }

-  // No subclasses.
-  private BigqueryModule() {}
+  /** Provides a map of BigQuery table names to field names. */
+  @Multibinds
+  abstract Map<String, ImmutableList<TableFieldSchema>> bigquerySchemas();
 }
@@ -1,60 +0,0 @@
-# Copyright 2017 The Nomulus Authors. All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-"""Common routines for Nomulus build rules."""
-
-ZIPPER = "@bazel_tools//tools/zip:zipper"
-
-def long_path(ctx, file_):
-    """Constructs canonical runfile path relative to TEST_SRCDIR.
-
-    Args:
-      ctx: A Skylark rule context.
-      file_: A File object that should appear in the runfiles for the test.
-
-    Returns:
-      A string path relative to TEST_SRCDIR suitable for use in tests and
-      testing infrastructure.
-    """
-    if file_.short_path.startswith("../"):
-        return file_.short_path[3:]
-    if file_.owner and file_.owner.workspace_root:
-        return file_.owner.workspace_root + "/" + file_.short_path
-    return ctx.workspace_name + "/" + file_.short_path
-
-def collect_runfiles(targets):
-    """Aggregates runfiles from targets.
-
-    Args:
-      targets: A list of Bazel targets.
-
-    Returns:
-      A list of Bazel files.
-    """
-    data = depset()
-    for target in targets:
-        if hasattr(target, "runfiles"):
-            data += target.runfiles.files
-            continue
-        if hasattr(target, "data_runfiles"):
-            data += target.data_runfiles.files
-        if hasattr(target, "default_runfiles"):
-            data += target.default_runfiles.files
-    return data
-
-def _get_runfiles(target, attribute):
-    runfiles = getattr(target, attribute, None)
-    if runfiles:
-        return runfiles.files
-    return []
@@ -1,53 +0,0 @@
-# Copyright 2017 The Nomulus Authors. All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-"""Build macro for creating App Engine EAR archives for Nomulus."""
-
-load("//java/google/registry/builddefs:defs.bzl", "ZIPPER")
-
-def registry_ear_file(name, out, configs, wars, **kwargs):
-    """Creates an EAR archive by combining WAR archives."""
-    cmd = [
-        "set -e",
-        "repo=$$(pwd)",
-        "zipper=$$repo/$(location %s)" % ZIPPER,
-        "tmp=$$(mktemp -d $${TMPDIR:-/tmp}/registry_ear_file.XXXXXXXXXX)",
-        "cd $${tmp}",
-    ]
-    for target, dest in configs.items():
-        cmd += [
-            "mkdir -p $${tmp}/$$(dirname %s)" % dest,
-            "ln -s $${repo}/$(location %s) $${tmp}/%s" % (target, dest),
-        ]
-    for target, dest in wars.items():
-        cmd += [
-            "mkdir " + dest,
-            "cd " + dest,
-            "$${zipper} x $${repo}/$(location %s)" % target,
-            "cd ..",
-        ]
-    cmd += [
-        "$${zipper} cC $${repo}/$@ $$(find . | sed 1d | cut -c 3- | LC_ALL=C sort)",
-        "cd $${repo}",
-        "rm -rf $${tmp}",
-    ]
-    native.genrule(
-        name = name,
-        srcs = configs.keys() + wars.keys(),
-        outs = [out],
-        cmd = "\n".join(cmd),
-        tools = [ZIPPER],
-        message = "Generating EAR archive",
-        **kwargs
-    )
@@ -1,256 +0,0 @@
-# Copyright 2017 The Nomulus Authors. All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-"""Zip file creator that allows arbitrary path renaming.
-
-This rule takes two main inputs: a bunch of filesets and a dictionary of
-hard-coded source to dest mappings. It then applies those mappings to the input
-file paths, to create a zip file with the same name as the rule.
-
-The following preconditions must be met:
-
- Sources and destinations can't begin or end with slash.
- Every file must be matched by a mapping.
- Every mapping must match something.
-
-The source can either be an exact match or a prefix.
-
- If a match is exact, the destination replaces the entire path. If the
-  destination path is empty, then the path remains the same.
-
- If the match is a prefix, then the destination replaces the source prefix in
-  the path. If the destination is empty, then the source prefix is removed.
-
- If source is an empty string, it matches everything. In this case,
-  destination becomes the path prefix.
-
-Prefixes are matched with component granularity, not characters. Mappings with
-more components take precedence. Mappings with equal components are sorted
-asciibetically.
-
-Mappings apply to the "long path" of a file, i.e. relative to TEST_SRCDIR,
-e.g. workspace_name/pkg/file. Long paths do not take into consideration
-bazel-foo/ output directories.
-
-The deps attribute allows zip_file() rules to depend on other zip_file() rules.
-In such cases, the contents of directly dependent zip files are unzipped and
-then re-zipped. Mappings specified by the current rule do not apply to the
-files extracted from dependent zips. However those files can be overridden.
-
-The simplest example of this rule, which simply zips up short paths, is as
-follows:
-
-  # //my/package/BUILD
-  zip_file(
-      name = "doodle",
-      srcs = ["hello.txt"],
-      mappings = {"": ""},
-  )
-
-The rule above would create a zip file name //my/package/doodle.zip which would
-contain a single file named "my/package/hello.txt".
-
-If we wanted to strip the package path, we could do the following:
-
-  # //my/package/BUILD
-  zip_file(
-      name = "doodle",
-      srcs = ["hello.txt"],
-      mappings = {"my/package": ""},
-  )
-
-In this case, doodle.zip would contain a single file: "hello.txt".
-
-If we wanted to rename hello.txt, we could do the following:
-
-  # //my/package/BUILD
-  zip_file(
-      name = "doodle",
-      srcs = ["hello.txt"],
-      mappings = {"my/package/hello.txt": "my/package/world.txt"},
-  )
-
-A zip file can be assembled across many rules. For example:
-
-  # //webapp/html/BUILD
-  zip_file(
-      name = "assets",
-      srcs = glob(["*.html"]),
-      mappings = {"webapp/html": ""},
-  )
-
-  # //webapp/js/BUILD
-  zip_file(
-      name = "assets",
-      srcs = glob(["*.js"]),
-      mappings = {"webapp/js": "assets/js"},
-  )
-
-  # //webapp/BUILD
-  zip_file(
-      name = "war",
-      deps = [
-          "//webapp/html:assets",
-          "//webapp/js:assets",
-      ],
-      mappings = {"webapp/html": ""},
-  )
-
-You can exclude files with the "exclude" attribute:
-
-  # //webapp/BUILD
-  zip_file(
-      name = "war_without_tears",
-      deps = ["war"],
-      exclude = ["assets/js/tears.js"],
-  )
-
-Note that "exclude" excludes based on the mapped path relative to the root of
-the zipfile. If the file doesn't exist, you'll get an error.
-
-"""
-
-load(
-    "//java/google/registry/builddefs:defs.bzl",
-    "ZIPPER",
-    "collect_runfiles",
-    "long_path",
-)
-
-def _zip_file(ctx):
-    """Implementation of zip_file() rule."""
-    for s, d in ctx.attr.mappings.items():
-        if (s.startswith("/") or s.endswith("/") or
-            d.startswith("/") or d.endswith("/")):
-            fail("mappings should not begin or end with slash")
-    srcs = depset()
-    srcs += ctx.files.srcs
-    srcs += ctx.files.data
-    srcs += collect_runfiles(ctx.attr.data)
-    mapped = _map_sources(ctx, srcs, ctx.attr.mappings)
-    cmd = [
-        "#!/bin/sh",
-        "set -e",
-        'repo="$(pwd)"',
-        'zipper="${repo}/%s"' % ctx.file._zipper.path,
-        'archive="${repo}/%s"' % ctx.outputs.out.path,
-        'tmp="$(mktemp -d "${TMPDIR:-/tmp}/zip_file.XXXXXXXXXX")"',
-        'cd "${tmp}"',
-    ]
-    cmd += [
-        '"${zipper}" x "${repo}/%s"' % dep.zip_file.path
-        for dep in ctx.attr.deps
-    ]
-    cmd += ["rm %s" % filename for filename in ctx.attr.exclude]
-    cmd += [
-        'mkdir -p "${tmp}/%s"' % zip_path
-        for zip_path in depset(
-            [
-                zip_path[:zip_path.rindex("/")]
-                for _, zip_path in mapped
-                if "/" in zip_path
-            ],
-        ).to_list()
-    ]
-    cmd += [
-        'ln -sf "${repo}/%s" "${tmp}/%s"' % (path, zip_path)
-        for path, zip_path in mapped
-    ]
-    cmd += [
-        ("find . | sed 1d | cut -c 3- | LC_ALL=C sort" +
-         ' | xargs "${zipper}" cC "${archive}"'),
-        'cd "${repo}"',
-        'rm -rf "${tmp}"',
-    ]
-    if hasattr(ctx, "bin_dir"):
-        script = ctx.new_file(ctx.bin_dir, "%s.sh" % ctx.label.name)
-    else:
-        # TODO(kchodorow): remove this once Bazel 4.0+ is required.
-        script = ctx.new_file(ctx.configuration.bin_dir, "%s.sh" % ctx.label.name)
-    ctx.actions.write(output = script, content = "\n".join(cmd), is_executable = True)
-    inputs = [ctx.file._zipper]
-    inputs += [dep.zip_file for dep in ctx.attr.deps]
-    inputs += srcs.to_list()
-    ctx.actions.run(
-        inputs = inputs,
-        outputs = [ctx.outputs.out],
-        executable = script,
-        mnemonic = "zip",
-        progress_message = "Creating zip with %d inputs %s" % (
-            len(inputs),
-            ctx.label,
-        ),
-    )
-    return struct(files = depset([ctx.outputs.out]), zip_file = ctx.outputs.out)
-
-def _map_sources(ctx, srcs, mappings):
-    """Calculates paths in zip file for srcs."""
-
-    # order mappings with more path components first
-    mappings = sorted([
-        (-len(source.split("/")), source, dest)
-        for source, dest in mappings.items()
-    ])
-
-    # get rid of the integer part of tuple used for sorting
-    mappings = [(source, dest) for _, source, dest in mappings]
-    mappings_indexes = range(len(mappings))
-    used = {i: False for i in mappings_indexes}
-    mapped = []
-    for file_ in srcs:
-        run_path = long_path(ctx, file_)
-        zip_path = None
-        for i in mappings_indexes:
-            source = mappings[i][0]
-            dest = mappings[i][1]
-            if not source:
-                if dest:
-                    zip_path = dest + "/" + run_path
-                else:
-                    zip_path = run_path
-            elif source == run_path:
-                if dest:
-                    zip_path = dest
-                else:
-                    zip_path = run_path
-            elif run_path.startswith(source + "/"):
-                if dest:
-                    zip_path = dest + run_path[len(source):]
-                else:
-                    zip_path = run_path[len(source) + 1:]
-            else:
-                continue
-            used[i] = True
-            break
-        if not zip_path:
-            fail("no mapping matched: " + run_path)
-        mapped += [(file_.path, zip_path)]
-    for i in mappings_indexes:
-        if not used[i]:
-            fail('superfluous mapping: "%s" -> "%s"' % mappings[i])
-    return mapped
-
-zip_file = rule(
-    implementation = _zip_file,
-    output_to_genfiles = True,
-    attrs = {
-        "out": attr.output(mandatory = True),
-        "srcs": attr.label_list(allow_files = True),
-        "data": attr.label_list(allow_files = True),
-        "deps": attr.label_list(providers = ["zip_file"]),
-        "exclude": attr.string_list(),
-        "mappings": attr.string_dict(),
-        "_zipper": attr.label(default = Label(ZIPPER), allow_single_file = True),
-    },
-)
@@ -17,31 +17,28 @@ package google.registry.config;
 import static java.nio.charset.StandardCharsets.UTF_8;

 import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
-import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
-import com.google.api.client.googleapis.util.Utils;
+import com.google.auth.oauth2.GoogleCredentials;
 import com.google.common.collect.ImmutableList;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.keyring.api.KeyModule.Key;
+import google.registry.util.GoogleCredentialsBundle;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
+import java.io.UncheckedIOException;
 import java.lang.annotation.Documented;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
-import java.security.GeneralSecurityException;
 import javax.inject.Qualifier;
 import javax.inject.Singleton;

-/**
- * Dagger module that provides all {@link GoogleCredential GoogleCredentials} used in the
- * application.
- */
+/** Dagger module that provides all {@link GoogleCredentials} used in the application. */
@Module
 public abstract class CredentialModule {

  /**
-   * Provides the default {@link GoogleCredential} from the Google Cloud runtime.
+   * Provides the default {@link GoogleCredentialsBundle} from the Google Cloud runtime.
   *
   * <p>The credential returned depends on the runtime environment:
   *
@@ -58,7 +55,30 @@ public abstract class CredentialModule {
  @DefaultCredential
  @Provides
  @Singleton
-  public static GoogleCredential provideDefaultCredential(
+  public static GoogleCredentialsBundle provideDefaultCredential(
+      @Config("defaultCredentialOauthScopes") ImmutableList<String> requiredScopes) {
+    GoogleCredentials credential;
+    try {
+      credential = GoogleCredentials.getApplicationDefault();
+    } catch (IOException e) {
+      throw new RuntimeException(e);
+    }
+    if (credential.createScopedRequired()) {
+      credential = credential.createScoped(requiredScopes);
+    }
+    return GoogleCredentialsBundle.create(credential);
+  }
+
+  /**
+   * Provides the default {@link GoogleCredential} from the Google Cloud runtime for G Suite
+   * Drive API.
+   * TODO(b/138195359): Deprecate this credential once we figure out how to use
+   * {@link GoogleCredentials} for G Suite Drive API.
+   */
+  @GSuiteDriveCredential
+  @Provides
+  @Singleton
+  public static GoogleCredential provideGSuiteDriveCredential(
      @Config("defaultCredentialOauthScopes") ImmutableList<String> requiredScopes) {
    GoogleCredential credential;
    try {
@@ -66,35 +86,6 @@ public abstract class CredentialModule {
    } catch (IOException e) {
      throw new RuntimeException(e);
    }
-    if (credential.createScopedRequired()) {
-      return credential.createScoped(requiredScopes);
-    }
-    return credential;
-  }
-
-  /**
-   * Provides a {@link GoogleCredential} from the service account's JSON key file.
-   *
-   * <p>On App Engine, a thread created using Java's built-in API needs this credential when it
-   * calls App Engine API. The Google Sheets API also needs this credential.
-   */
-  @JsonCredential
-  @Provides
-  @Singleton
-  public static GoogleCredential provideJsonCredential(
-      @Config("defaultCredentialOauthScopes") ImmutableList<String> requiredScopes,
-      @Key("jsonCredential") String jsonCredential) {
-    GoogleCredential credential;
-    try {
-      credential =
-          GoogleCredential.fromStream(
-              new ByteArrayInputStream(jsonCredential.getBytes(UTF_8)),
-              // We cannot use UrlFetchTransport as that uses App Engine API.
-              GoogleNetHttpTransport.newTrustedTransport(),
-              Utils.getDefaultJsonFactory());
-    } catch (IOException | GeneralSecurityException e) {
-      throw new RuntimeException(e);
-    }
    if (credential.createScopedRequired()) {
      credential = credential.createScoped(requiredScopes);
    }
@@ -102,7 +93,32 @@ public abstract class CredentialModule {
  }

  /**
-   * Provides a {@link GoogleCredential} with delegated admin access for a G Suite domain.
+   * Provides a {@link GoogleCredentialsBundle} from the service account's JSON key file.
+   *
+   * <p>On App Engine, a thread created using Java's built-in API needs this credential when it
+   * calls App Engine API. The Google Sheets API also needs this credential.
+   */
+  @JsonCredential
+  @Provides
+  @Singleton
+  public static GoogleCredentialsBundle provideJsonCredential(
+      @Config("defaultCredentialOauthScopes") ImmutableList<String> requiredScopes,
+      @Key("jsonCredential") String jsonCredential) {
+    GoogleCredentials credential;
+    try {
+      credential =
+          GoogleCredentials.fromStream(new ByteArrayInputStream(jsonCredential.getBytes(UTF_8)));
+    } catch (IOException e) {
+      throw new UncheckedIOException(e);
+    }
+    if (credential.createScopedRequired()) {
+      credential = credential.createScoped(requiredScopes);
+    }
+    return GoogleCredentialsBundle.create(credential);
+  }
+
+  /**
+   * Provides a {@link GoogleCredentialsBundle} with delegated admin access for a G Suite domain.
   *
   * <p>The G Suite domain must grant delegated admin access to the registry service account with
   * all scopes in {@code requiredScopes}, including ones not related to G Suite.
@@ -110,18 +126,14 @@ public abstract class CredentialModule {
  @DelegatedCredential
  @Provides
  @Singleton
-  public static GoogleCredential provideDelegatedCredential(
+  public static GoogleCredentialsBundle provideDelegatedCredential(
      @Config("delegatedCredentialOauthScopes") ImmutableList<String> requiredScopes,
-      @JsonCredential GoogleCredential googleCredential,
+      @JsonCredential GoogleCredentialsBundle credentialsBundle,
      @Config("gSuiteAdminAccountEmailAddress") String gSuiteAdminAccountEmailAddress) {
-    return new GoogleCredential.Builder()
-        .setTransport(Utils.getDefaultTransport())
-        .setJsonFactory(Utils.getDefaultJsonFactory())
-        .setServiceAccountId(googleCredential.getServiceAccountId())
-        .setServiceAccountPrivateKey(googleCredential.getServiceAccountPrivateKey())
-        .setServiceAccountScopes(requiredScopes)
-        .setServiceAccountUser(gSuiteAdminAccountEmailAddress)
-        .build();
+    return GoogleCredentialsBundle.create(credentialsBundle
+        .getGoogleCredentials()
+        .createDelegated(gSuiteAdminAccountEmailAddress)
+        .createScoped(requiredScopes));
  }

  /** Dagger qualifier for the Application Default Credential. */
@@ -130,6 +142,13 @@ public abstract class CredentialModule {
  @Retention(RetentionPolicy.RUNTIME)
  public @interface DefaultCredential {}

+
+  /** Dagger qualifier for the credential for G Suite Drive API. */
+  @Qualifier
+  @Documented
+  @Retention(RetentionPolicy.RUNTIME)
+  public @interface GSuiteDriveCredential {}
+
  /**
   * Dagger qualifier for a credential from a service account's JSON key, to be used in non-request
   * threads.
@@ -112,7 +112,7 @@ public final class RegistryConfig {
    }

    /**
-     * The product name of this specific registry.  Used throughout the registrar console.
+     * The product name of this specific registry. Used throughout the registrar console.
     *
     * @see google.registry.ui.server.registrar.ConsoleUiAction
     */
@@ -123,11 +123,11 @@ public final class RegistryConfig {
    }

    /**
-     * Returns the roid suffix to be used for the roids of all contacts and hosts.  E.g. a value of
+     * Returns the roid suffix to be used for the roids of all contacts and hosts. E.g. a value of
     * "ROID" would end up creating roids that look like "ABC123-ROID".
     *
     * @see <a href="http://www.iana.org/assignments/epp-repository-ids/epp-repository-ids.xhtml">
-     *      Extensible Provisioning Protocol (EPP) Repository Identifiers</a>
+     *     Extensible Provisioning Protocol (EPP) Repository Identifiers</a>
     */
    @Provides
    @Config("contactAndHostRoidSuffix")
@@ -136,7 +136,7 @@ public final class RegistryConfig {
    }

    /**
-     * The e-mail address for questions about integrating with the registry.  Used in the
+     * The e-mail address for questions about integrating with the registry. Used in the
     * "contact-us" section of the registrar console.
     *
     * @see google.registry.ui.server.registrar.ConsoleUiAction
@@ -148,7 +148,7 @@ public final class RegistryConfig {
    }

    /**
-     * The e-mail address for general support.  Used in the "contact-us" section of the registrar
+     * The e-mail address for general support. Used in the "contact-us" section of the registrar
     * console.
     *
     * @see google.registry.ui.server.registrar.ConsoleUiAction
@@ -160,7 +160,7 @@ public final class RegistryConfig {
    }

    /**
-     * The "From" e-mail address for announcements.  Used in the "contact-us" section of the
+     * The "From" e-mail address for announcements. Used in the "contact-us" section of the
     * registrar console.
     *
     * @see google.registry.ui.server.registrar.ConsoleUiAction
@@ -172,7 +172,7 @@ public final class RegistryConfig {
    }

    /**
-     * The contact phone number.  Used in the "contact-us" section of the registrar console.
+     * The contact phone number. Used in the "contact-us" section of the registrar console.
     *
     * @see google.registry.ui.server.registrar.ConsoleUiAction
     */
@@ -392,6 +392,24 @@ public final class RegistryConfig {
      return config.datastore.eppResourceIndexBucketsNum;
    }

+    @Provides
+    @Config("cloudSqlJdbcUrl")
+    public static String providesCloudSqlJdbcUrl(RegistryConfigSettings config) {
+      return config.cloudSql.jdbcUrl;
+    }
+
+    @Provides
+    @Config("cloudSqlUsername")
+    public static String providesCloudSqlUsername(RegistryConfigSettings config) {
+      return config.cloudSql.username;
+    }
+
+    @Provides
+    @Config("cloudSqlInstanceConnectionName")
+    public static String providesCloudSqlInstanceConnectionName(RegistryConfigSettings config) {
+      return config.cloudSql.instanceConnectionName;
+    }
+
    @Provides
    @Config("cloudDnsRootUrl")
    public static Optional<String> getCloudDnsRootUrl(RegistryConfigSettings config) {
@@ -894,9 +912,9 @@ public final class RegistryConfig {
     * @see google.registry.reporting.spec11.Spec11EmailUtils
     */
    @Provides
-    @Config("spec11ReplyToEmailAddress")
-    public static InternetAddress provideSpec11ReplyToEmailAddress(RegistryConfigSettings config) {
-      return parseEmailAddress(config.misc.spec11ReplyToEmailAddress);
+    @Config("spec11OutgoingEmailAddress")
+    public static InternetAddress provideSpec11OutgoingEmailAddress(RegistryConfigSettings config) {
+      return parseEmailAddress(config.misc.spec11OutgoingEmailAddress);
    }

    /**
@@ -1040,8 +1058,8 @@ public final class RegistryConfig {
    }

    /**
-     * The global automatic transfer length for contacts.  After this amount of time has
-     * elapsed, the transfer is automatically approved.
+     * The global automatic transfer length for contacts. After this amount of time has elapsed, the
+     * transfer is automatically approved.
     *
     * @see google.registry.flows.contact.ContactTransferRequestFlow
     */
@@ -1196,7 +1214,7 @@ public final class RegistryConfig {
    /**
     * Provides the OAuth scopes that authentication logic should detect on access tokens.
     *
-     * <p>This list should be a superset of the required OAuth scope set provided below.  Note that
+     * <p>This list should be a superset of the required OAuth scope set provided below. Note that
     * ideally, this setting would not be required and all scopes on an access token would be
     * detected automatically, but that is not the case due to the way {@code OAuthService} works.
     *
@@ -1297,9 +1315,7 @@ public final class RegistryConfig {
    }
  }

-  /**
-   * Returns the App Engine project ID, which is based off the environment name.
-   */
+  /** Returns the App Engine project ID, which is based off the environment name. */
  public static String getProjectId() {
    return CONFIG_SETTINGS.get().appEngine.projectId;
  }
@@ -1451,20 +1467,46 @@ public final class RegistryConfig {
    return CONFIG_SETTINGS.get().registryPolicy.defaultRegistrarWhoisServer;
  }

-  /**
-   * Returns the number of {@code EppResourceIndex} buckets to be used.
-   */
+  /** Returns the number of {@code EppResourceIndex} buckets to be used. */
  public static int getEppResourceIndexBucketCount() {
    return CONFIG_SETTINGS.get().datastore.eppResourceIndexBucketsNum;
  }

-  /**
-   * Returns the base retry duration that gets doubled after each failure within {@code Ofy}.
-   */
+  /** Returns the base retry duration that gets doubled after each failure within {@code Ofy}. */
  public static Duration getBaseOfyRetryDuration() {
    return Duration.millis(CONFIG_SETTINGS.get().datastore.baseOfyRetryMillis);
  }

+  /** Returns the default database transaction isolation. */
+  public static String getHibernateConnectionIsolation() {
+    return CONFIG_SETTINGS.get().hibernate.connectionIsolation;
+  }
+
+  /** Returns true if hibernate.show_sql is enabled. */
+  public static String getHibernateLogSqlQueries() {
+    return CONFIG_SETTINGS.get().hibernate.logSqlQueries;
+  }
+
+  /** Returns the connection timeout for HikariCP. */
+  public static String getHibernateHikariConnectionTimeout() {
+    return CONFIG_SETTINGS.get().hibernate.hikariConnectionTimeout;
+  }
+
+  /** Returns the minimum idle connections for HikariCP. */
+  public static String getHibernateHikariMinimumIdle() {
+    return CONFIG_SETTINGS.get().hibernate.hikariMinimumIdle;
+  }
+
+  /** Returns the maximum pool size for HikariCP. */
+  public static String getHibernateHikariMaximumPoolSize() {
+    return CONFIG_SETTINGS.get().hibernate.hikariMaximumPoolSize;
+  }
+
+  /** Returns the idle timeout for HikariCP. */
+  public static String getHibernateHikariIdleTimeout() {
+    return CONFIG_SETTINGS.get().hibernate.hikariIdleTimeout;
+  }
+
  /** Returns the roid suffix to be used for the roids of all contacts and hosts. */
  public static String getContactAndHostRoidSuffix() {
    return CONFIG_SETTINGS.get().registryPolicy.contactAndHostRoidSuffix;
@@ -25,6 +25,8 @@ public class RegistryConfigSettings {
  public CredentialOAuth credentialOAuth;
  public RegistryPolicy registryPolicy;
  public Datastore datastore;
+  public Hibernate hibernate;
+  public CloudSql cloudSql;
  public CloudDns cloudDns;
  public Caching caching;
  public IcannReporting icannReporting;
@@ -105,6 +107,23 @@ public class RegistryConfigSettings {
    public int baseOfyRetryMillis;
  }

+  /** Configuration for Hibernate. */
+  public static class Hibernate {
+    public String connectionIsolation;
+    public String logSqlQueries;
+    public String hikariConnectionTimeout;
+    public String hikariMinimumIdle;
+    public String hikariMaximumPoolSize;
+    public String hikariIdleTimeout;
+  }
+
+  /** Configuration for Cloud SQL. */
+  public static class CloudSql {
+    public String jdbcUrl;
+    public String username;
+    public String instanceConnectionName;
+  }
+
  /** Configuration for Apache Beam (Cloud Dataflow). */
  public static class Beam {
    public String defaultJobZone;
@@ -173,7 +192,7 @@ public class RegistryConfigSettings {
  public static class Misc {
    public String sheetExportId;
    public String alertRecipientEmailAddress;
-    public String spec11ReplyToEmailAddress;
+    public String spec11OutgoingEmailAddress;
    public int asyncDeleteDelaySeconds;
    public int transientFailureRetries;
  }
@@ -191,6 +191,34 @@ datastore:
  # doubles after each failure).
  baseOfyRetryMillis: 100

+hibernate:
+  # Make 'SERIALIZABLE' the default isolation level to ensure correctness.
+  #
+  # Entities that are never involved in multi-table transactions may use optimistic
+  # locks and a less strict isolation level. We may lower individual transaction's
+  # isolation level using a framework-dependent method.
+  #
+  # Alternatively, if a use case calls for, we may also use a lower isolation level
+  # but lock tables explicitly, either using framework-dependent API, or execute
+  # "select table for update" statements directly.
+  connectionIsolation: TRANSACTION_SERIALIZABLE
+  # Whether to log all SQL queries to App Engine logs. Overridable at runtime.
+  logSqlQueries: false
+
+  # Connection pool configurations.
+  hikariConnectionTimeout: 20000
+  hikariMinimumIdle: 0
+  hikariMaximumPoolSize: 20
+  hikariIdleTimeout: 300000
+
+cloudSql:
+  # jdbc url for the Cloud SQL database.
+  jdbcUrl: jdbc:postgresql://localhost
+  # Username for the database user.
+  username: username
+  # This name is used by Cloud SQL when connecting to the database.
+  instanceConnectionName: project-id:region:instance-id
+
 cloudDns:
  # Set both properties to null in Production.
  # The root url for the Cloud DNS API.  Set this to a non-null value to
@@ -357,9 +385,9 @@ misc:
  # Address we send alert summary emails to.
  alertRecipientEmailAddress: email@example.com

-  # Address to which the Spec 11 emails to registrars should be replied. This needs
-  # to be a deliverable email address in case the registrars want to contact us.
-  spec11ReplyToEmailAddress: reply-to@example.com
+  # Address from which Spec 11 emails to registrars are sent. This needs
+  # to be a deliverable email address to handle replies from registrars as well.
+  spec11OutgoingEmailAddress: abuse@example.com

  # How long to delay processing of asynchronous deletions. This should always
  # be longer than eppResourceCachingSeconds, to prevent deleted contacts or
@@ -14,7 +14,6 @@

 package google.registry.dns.writer.clouddns;

-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.services.dns.Dns;
 import com.google.common.util.concurrent.RateLimiter;
 import dagger.Binds;
@@ -26,6 +25,7 @@ import dagger.multibindings.StringKey;
 import google.registry.config.CredentialModule.DefaultCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.dns.writer.DnsWriter;
+import google.registry.util.GoogleCredentialsBundle;
 import java.util.Optional;
 import javax.inject.Named;

@@ -35,12 +35,15 @@ public abstract class CloudDnsWriterModule {

  @Provides
  static Dns provideDns(
-      @DefaultCredential GoogleCredential credential,
+      @DefaultCredential GoogleCredentialsBundle credentialsBundle,
      @Config("projectId") String projectId,
      @Config("cloudDnsRootUrl") Optional<String> rootUrl,
      @Config("cloudDnsServicePath") Optional<String> servicePath) {
    Dns.Builder builder =
-        new Dns.Builder(credential.getTransport(), credential.getJsonFactory(), credential)
+        new Dns.Builder(
+                credentialsBundle.getHttpTransport(),
+                credentialsBundle.getJsonFactory(),
+                credentialsBundle.getHttpRequestInitializer())
            .setApplicationName(projectId);

    rootUrl.ifPresent(builder::setRootUrl);
@@ -13,11 +13,6 @@
    <load-on-startup>1</load-on-startup>
  </servlet>

-  <servlet-mapping>
-    <servlet-name>backend-servlet</servlet-name>
-    <url-pattern>/_dr/task/metrics</url-pattern>
-  </servlet-mapping>
-
  <!-- RDE -->

  <!--
@@ -112,8 +112,6 @@
    <target>backend</target>
  </cron>

-  <!--
-    TODO(b/134576418) enable this cron job once we're sure the Action works
  <cron>
    <url><![CDATA[/_dr/task/updateRegistrarRdapBaseUrls]]></url>
    <description>
@@ -122,7 +120,6 @@
    <schedule>every day 02:34</schedule>
    <target>backend</target>
  </cron>
-  -->

  <cron>
    <url><![CDATA[/_dr/task/deleteOldCommitLogs]]></url>
@@ -20,7 +20,7 @@ import dagger.Component;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.CredentialModule;
-import google.registry.config.CredentialModule.DefaultCredential;
+import google.registry.config.CredentialModule.GSuiteDriveCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.config.RegistryConfig.ConfigModule;
 import google.registry.storage.drive.DriveConnection;
@@ -32,8 +32,13 @@ public final class DriveModule {

  @Provides
  static Drive provideDrive(
-      @DefaultCredential GoogleCredential credential, @Config("projectId") String projectId) {
-    return new Drive.Builder(credential.getTransport(), credential.getJsonFactory(), credential)
+      @GSuiteDriveCredential GoogleCredential googleCredential,
+      @Config("projectId") String projectId) {
+
+    return new Drive.Builder(
+            googleCredential.getTransport(),
+            googleCredential.getJsonFactory(),
+            googleCredential)
        .setApplicationName(projectId)
        .build();
  }
@@ -17,6 +17,7 @@ package google.registry.export;
 import static com.google.common.collect.ImmutableList.toImmutableList;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.POST;
 import static google.registry.util.CollectionUtils.nullToEmpty;
 import static google.registry.util.RegistrarUtils.normalizeClientId;
@@ -163,7 +164,7 @@ public final class SyncGroupMembersAction implements Runnable {
        registrarsToSave.add(result.getKey().asBuilder().setContactsRequireSyncing(false).build());
      }
    }
-    ofy().transactNew(() -> ofy().save().entities(registrarsToSave.build()));
+    tm().transactNew(() -> ofy().save().entities(registrarsToSave.build()));
    return errors;
  }

@@ -14,11 +14,11 @@

 package google.registry.export.datastore;

-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.CredentialModule;
 import google.registry.config.RegistryConfig;
+import google.registry.util.GoogleCredentialsBundle;
 import javax.inject.Singleton;

 /** Dagger module that configures provision of {@link DatastoreAdmin}. */
@@ -28,10 +28,12 @@ public abstract class DatastoreAdminModule {
  @Singleton
  @Provides
  static DatastoreAdmin provideDatastoreAdmin(
-      @CredentialModule.DefaultCredential GoogleCredential credential,
+      @CredentialModule.DefaultCredential GoogleCredentialsBundle credentialsBundle,
      @RegistryConfig.Config("projectId") String projectId) {
    return new DatastoreAdmin.Builder(
-            credential.getTransport(), credential.getJsonFactory(), credential)
+            credentialsBundle.getHttpTransport(),
+            credentialsBundle.getJsonFactory(),
+            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(projectId)
        .setProjectId(projectId)
        .build();
@@ -14,12 +14,12 @@

 package google.registry.export.sheet;

-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.services.sheets.v4.Sheets;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.CredentialModule.JsonCredential;
 import google.registry.config.RegistryConfig.Config;
+import google.registry.util.GoogleCredentialsBundle;

 /** Dagger module for {@link Sheets}. */
@Module
@@ -27,8 +27,12 @@ public final class SheetsServiceModule {

  @Provides
  static Sheets provideSheets(
-      @JsonCredential GoogleCredential credential, @Config("projectId") String projectId) {
-    return new Sheets.Builder(credential.getTransport(), credential.getJsonFactory(), credential)
+      @JsonCredential GoogleCredentialsBundle credentialsBundle,
+      @Config("projectId") String projectId) {
+    return new Sheets.Builder(
+            credentialsBundle.getHttpTransport(),
+            credentialsBundle.getJsonFactory(),
+            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(projectId)
        .build();
  }
@@ -25,6 +25,7 @@ import static google.registry.model.registrar.RegistrarContact.Type.LEGAL;
 import static google.registry.model.registrar.RegistrarContact.Type.MARKETING;
 import static google.registry.model.registrar.RegistrarContact.Type.TECH;
 import static google.registry.model.registrar.RegistrarContact.Type.WHOIS;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.DateTimeUtils.START_OF_TIME;

 import com.google.common.base.Joiner;
@@ -152,7 +153,7 @@ class SyncRegistrarsSheet {
                  return builder.build();
                })
            .collect(toImmutableList()));
-    ofy()
+    tm()
        .transact(
            () -> ofy().save().entity(Cursor.createGlobal(SYNC_REGISTRAR_SHEET, executionTime)));
  }
@@ -209,6 +209,7 @@ public abstract class EppException extends Exception {
  /** Specified command is not implemented. */
  @EppResultCode(Code.UNIMPLEMENTED_COMMAND)
  public static class UnimplementedCommandException extends EppException {
+
    public UnimplementedCommandException(InnerCommand command) {
      super(String.format(
          "No flow found for %s with extension %s",
@@ -217,6 +218,10 @@ public abstract class EppException extends Exception {
              ? ((ResourceCommandWrapper) command).getResourceCommand().getClass().getSimpleName()
              : null));
    }
+
+    public UnimplementedCommandException(String message) {
+      super(message);
+    }
  }

  /** Abstract exception class. Do not throw this directly or catch in tests. */
@@ -39,6 +39,13 @@ public class EppMetrics {
          LabelDescriptor.create("tld", "The TLD acted on by the command (if applicable)."),
          LabelDescriptor.create("status", "The return status of the command."));

+  private static final ImmutableSet<LabelDescriptor> LABEL_DESCRIPTORS =
+      ImmutableSet.of(
+          LabelDescriptor.create("command", "The name of the command."),
+          LabelDescriptor.create("traffic_type",
+              "The traffic type of the command; one of CANARY, PROBER, or REAL."),
+          LabelDescriptor.create("status", "The return status of the command."));
+
  private static final IncrementableMetric eppRequestsByRegistrar =
      MetricRegistryImpl.getDefault()
          .newIncrementableMetric(
@@ -55,23 +62,18 @@ public class EppMetrics {
              "count",
              LABEL_DESCRIPTORS_BY_TLD);

-  private static final EventMetric processingTimeByRegistrar =
+  private static final EventMetric requestTime =
      MetricRegistryImpl.getDefault()
          .newEventMetric(
-              "/epp/processing_time",
-              "EPP Processing Time By Registrar",
+              "/epp/request_time",
+              "EPP Request Time",
              "milliseconds",
-              LABEL_DESCRIPTORS_BY_REGISTRAR,
+              LABEL_DESCRIPTORS,
              DEFAULT_FITTER);

-  private static final EventMetric processingTimeByTld =
-      MetricRegistryImpl.getDefault()
-          .newEventMetric(
-              "/epp/processing_time_by_tld",
-              "EPP Processing Time By TLD",
-              "milliseconds",
-              LABEL_DESCRIPTORS_BY_TLD,
-              DEFAULT_FITTER);
+  private enum TrafficType {
+    CANARY, PROBER, REAL
+  }

  @Inject
  public EppMetrics() {}
@@ -97,15 +99,18 @@ public class EppMetrics {
        metric.getStatus().isPresent() ? String.valueOf(metric.getStatus().get().code) : "";
    long processingTime =
        metric.getEndTimestamp().getMillis() - metric.getStartTimestamp().getMillis();
-    processingTimeByRegistrar.record(
-        processingTime,
-        metric.getCommandName().orElse(""),
-        metric.getClientId().orElse(""),
-        eppStatusCode);
-    processingTimeByTld.record(
-        processingTime,
-        metric.getCommandName().orElse(""),
-        metric.getTld().orElse(""),
-        eppStatusCode);
+    String commandName = metric.getCommandName().orElse("");
+    String tld = metric.getTld().orElse("");
+    requestTime.record(processingTime, commandName, getTrafficType(tld).toString(), eppStatusCode);
+  }
+
+  private static TrafficType getTrafficType(String tld) {
+    if (tld.endsWith("canary.test")) {
+      return TrafficType.CANARY;
+    } else if (tld.endsWith(".test")) {
+      return TrafficType.PROBER;
+    } else {
+      return TrafficType.REAL;
+    }
  }
 }
@@ -14,7 +14,7 @@

 package google.registry.flows;

-import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;
 import static google.registry.xml.XmlTransformer.prettyPrint;

 import com.google.common.base.Strings;
@@ -80,7 +80,7 @@ public class FlowRunner {
      return eppOutput;
    }
    try {
-      return ofy()
+      return tm()
          .transact(
              () -> {
                try {
@@ -23,7 +23,7 @@ import google.registry.model.registrar.Registrar;
 public class PasswordOnlyTransportCredentials implements TransportCredentials {
  @Override
  public void validate(Registrar r, String password) throws AuthenticationErrorException {
-    if (!r.testPassword(password)) {
+    if (!r.verifyPassword(password)) {
      throw new BadRegistrarPasswordException();
    }
  }
@@ -19,6 +19,7 @@ import static google.registry.model.EppResourceUtils.loadByForeignKey;
 import static google.registry.model.EppResourceUtils.queryForLinkedDomains;
 import static google.registry.model.index.ForeignKeyIndex.loadAndGetKey;
 import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;

 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Sets;
@@ -77,7 +78,7 @@ public final class ResourceFlowUtils {
      final Function<DomainBase, ImmutableSet<?>> getPotentialReferences) throws EppException {
    // Enter a transactionless context briefly.
    EppException failfastException =
-        ofy()
+        tm()
            .doTransactionless(
                () -> {
                  final ForeignKeyIndex<R> fki =
@@ -145,7 +145,7 @@ public class TlsCredentials implements TransportCredentials {

  private void validatePassword(Registrar registrar, String password)
      throws BadRegistrarPasswordException {
-    if (!registrar.testPassword(password)) {
+    if (!registrar.verifyPassword(password)) {
      throw new BadRegistrarPasswordException();
    }
  }
@@ -20,6 +20,7 @@ import static google.registry.flows.contact.ContactFlowUtils.validateAsciiPostal
 import static google.registry.flows.contact.ContactFlowUtils.validateContactAgainstPolicy;
 import static google.registry.model.EppResourceUtils.createRepoId;
 import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;

 import com.googlecode.objectify.Key;
 import google.registry.config.RegistryConfig.Config;
@@ -71,7 +72,7 @@ public final class ContactCreateFlow implements TransactionalFlow {
    extensionManager.validate();
    validateClientIsLoggedIn(clientId);
    Create command = (Create) resourceCommand;
-    DateTime now = ofy().getTransactionTime();
+    DateTime now = tm().getTransactionTime();
    verifyResourceDoesNotExist(ContactResource.class, targetId, now, clientId);
    ContactResource newContact =
        new ContactResource.Builder()
@@ -22,6 +22,7 @@ import static google.registry.flows.ResourceFlowUtils.verifyOptionalAuthInfo;
 import static google.registry.flows.ResourceFlowUtils.verifyResourceOwnership;
 import static google.registry.model.eppoutput.Result.Code.SUCCESS_WITH_ACTION_PENDING;
 import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;

 import com.google.common.collect.ImmutableSet;
 import com.googlecode.objectify.Key;
@@ -84,7 +85,7 @@ public final class ContactDeleteFlow implements TransactionalFlow {
    extensionManager.register(MetadataExtension.class);
    extensionManager.validate();
    validateClientIsLoggedIn(clientId);
-    DateTime now = ofy().getTransactionTime();
+    DateTime now = tm().getTransactionTime();
    failfastForAsyncDelete(targetId, now, ContactResource.class, DomainBase::getReferencedContacts);
    ContactResource existingContact = loadAndVerifyExistence(ContactResource.class, targetId, now);
    verifyNoDisallowedStatuses(existingContact, DISALLOWED_STATUSES);
@@ -93,7 +94,7 @@ public final class ContactDeleteFlow implements TransactionalFlow {
      verifyResourceOwnership(clientId, existingContact);
    }
    asyncTaskEnqueuer.enqueueAsyncDelete(
-        existingContact, ofy().getTransactionTime(), clientId, trid, isSuperuser);
+        existingContact, tm().getTransactionTime(), clientId, trid, isSuperuser);
    ContactResource newContact =
        existingContact.asBuilder().addStatusValue(StatusValue.PENDING_DELETE).build();
    historyBuilder
@@ -23,6 +23,7 @@ import static google.registry.flows.contact.ContactFlowUtils.createGainingTransf
 import static google.registry.flows.contact.ContactFlowUtils.createTransferResponse;
 import static google.registry.model.ResourceTransferUtils.approvePendingTransfer;
 import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;

 import com.googlecode.objectify.Key;
 import google.registry.flows.EppException;
@@ -78,7 +79,7 @@ public final class ContactTransferApproveFlow implements TransactionalFlow {
    extensionManager.register(MetadataExtension.class);
    extensionManager.validate();
    validateClientIsLoggedIn(clientId);
-    DateTime now = ofy().getTransactionTime();
+    DateTime now = tm().getTransactionTime();
    ContactResource existingContact = loadAndVerifyExistence(ContactResource.class, targetId, now);
    verifyOptionalAuthInfo(authInfo, existingContact);
    verifyHasPendingTransfer(existingContact);
@@ -23,6 +23,7 @@ import static google.registry.flows.contact.ContactFlowUtils.createLosingTransfe
 import static google.registry.flows.contact.ContactFlowUtils.createTransferResponse;
 import static google.registry.model.ResourceTransferUtils.denyPendingTransfer;
 import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;

 import com.googlecode.objectify.Key;
 import google.registry.flows.EppException;
@@ -74,7 +75,7 @@ public final class ContactTransferCancelFlow implements TransactionalFlow {
    extensionManager.register(MetadataExtension.class);
    extensionManager.validate();
    validateClientIsLoggedIn(clientId);
-    DateTime now = ofy().getTransactionTime();
+    DateTime now = tm().getTransactionTime();
    ContactResource existingContact = loadAndVerifyExistence(ContactResource.class, targetId, now);
    verifyOptionalAuthInfo(authInfo, existingContact);
    verifyHasPendingTransfer(existingContact);
@@ -23,6 +23,7 @@ import static google.registry.flows.contact.ContactFlowUtils.createGainingTransf
 import static google.registry.flows.contact.ContactFlowUtils.createTransferResponse;
 import static google.registry.model.ResourceTransferUtils.denyPendingTransfer;
 import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;

 import com.googlecode.objectify.Key;
 import google.registry.flows.EppException;
@@ -72,7 +73,7 @@ public final class ContactTransferRejectFlow implements TransactionalFlow {
    extensionManager.register(MetadataExtension.class);
    extensionManager.validate();
    validateClientIsLoggedIn(clientId);
-    DateTime now = ofy().getTransactionTime();
+    DateTime now = tm().getTransactionTime();
    ContactResource existingContact = loadAndVerifyExistence(ContactResource.class, targetId, now);
    verifyOptionalAuthInfo(authInfo, existingContact);
    verifyHasPendingTransfer(existingContact);
@@ -24,6 +24,7 @@ import static google.registry.flows.contact.ContactFlowUtils.createLosingTransfe
 import static google.registry.flows.contact.ContactFlowUtils.createTransferResponse;
 import static google.registry.model.eppoutput.Result.Code.SUCCESS_WITH_ACTION_PENDING;
 import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;

 import com.google.common.collect.ImmutableSet;
 import com.googlecode.objectify.Key;
@@ -91,7 +92,7 @@ public final class ContactTransferRequestFlow implements TransactionalFlow {
    extensionManager.register(MetadataExtension.class);
    extensionManager.validate();
    validateClientIsLoggedIn(gainingClientId);
-    DateTime now = ofy().getTransactionTime();
+    DateTime now = tm().getTransactionTime();
    ContactResource existingContact = loadAndVerifyExistence(ContactResource.class, targetId, now);
    verifyAuthInfoPresentForResourceTransfer(authInfo);
    verifyAuthInfo(authInfo.get(), existingContact);
@@ -25,6 +25,7 @@ import static google.registry.flows.ResourceFlowUtils.verifyResourceOwnership;
 import static google.registry.flows.contact.ContactFlowUtils.validateAsciiPostalInfo;
 import static google.registry.flows.contact.ContactFlowUtils.validateContactAgainstPolicy;
 import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;

 import com.google.common.collect.ImmutableSet;
 import com.googlecode.objectify.Key;
@@ -92,7 +93,7 @@ public final class ContactUpdateFlow implements TransactionalFlow {
    extensionManager.validate();
    validateClientIsLoggedIn(clientId);
    Update command = (Update) resourceCommand;
-    DateTime now = ofy().getTransactionTime();
+    DateTime now = tm().getTransactionTime();
    ContactResource existingContact = loadAndVerifyExistence(ContactResource.class, targetId, now);
    verifyOptionalAuthInfo(authInfo, existingContact);
    ImmutableSet<StatusValue> statusToRemove = command.getInnerRemove().getStatusValues();
@@ -42,11 +42,11 @@ import static google.registry.flows.domain.DomainFlowUtils.verifyRegistrarIsActi
 import static google.registry.flows.domain.DomainFlowUtils.verifyUnitIsYears;
 import static google.registry.model.EppResourceUtils.createDomainRepoId;
 import static google.registry.model.eppcommon.StatusValue.SERVER_HOLD;
-import static google.registry.model.ofy.ObjectifyService.ofy;
 import static google.registry.model.registry.Registry.TldState.GENERAL_AVAILABILITY;
 import static google.registry.model.registry.Registry.TldState.QUIET_PERIOD;
 import static google.registry.model.registry.Registry.TldState.START_DATE_SUNRISE;
 import static google.registry.model.registry.label.ReservationType.NAME_COLLISION;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.DateTimeUtils.END_OF_TIME;
 import static google.registry.util.DateTimeUtils.leapSafeAddYears;

@@ -221,7 +221,7 @@ public class DomainCreateFlow implements TransactionalFlow {
    extensionManager.validate();
    validateClientIsLoggedIn(clientId);
    verifyRegistrarIsActive(clientId);
-    DateTime now = ofy().getTransactionTime();
+    DateTime now = tm().getTransactionTime();
    DomainCommand.Create command = cloneAndLinkReferences((Create) resourceCommand, now);
    Period period = command.getPeriod();
    verifyUnitIsYears(period);
@@ -34,6 +34,7 @@ import static google.registry.model.eppoutput.Result.Code.SUCCESS_WITH_ACTION_PE
 import static google.registry.model.ofy.ObjectifyService.ofy;
 import static google.registry.model.reporting.DomainTransactionRecord.TransactionReportField.ADD_FIELDS;
 import static google.registry.model.reporting.DomainTransactionRecord.TransactionReportField.RENEW_FIELDS;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;
 import static google.registry.pricing.PricingEngineProxy.getDomainRenewCost;
 import static google.registry.util.CollectionUtils.nullToEmpty;
 import static google.registry.util.CollectionUtils.union;
@@ -140,7 +141,7 @@ public final class DomainDeleteFlow implements TransactionalFlow {
    flowCustomLogic.beforeValidation();
    extensionManager.validate();
    validateClientIsLoggedIn(clientId);
-    DateTime now = ofy().getTransactionTime();
+    DateTime now = tm().getTransactionTime();
    // Loads the target resource if it exists
    DomainBase existingDomain = loadAndVerifyExistence(DomainBase.class, targetId, now);
    Registry registry = Registry.get(existingDomain.getTld());
@@ -28,7 +28,7 @@ import static google.registry.flows.domain.DomainFlowUtils.validateFeeChallenge;
 import static google.registry.flows.domain.DomainFlowUtils.validateRegistrationPeriod;
 import static google.registry.flows.domain.DomainFlowUtils.verifyRegistrarIsActive;
 import static google.registry.flows.domain.DomainFlowUtils.verifyUnitIsYears;
-import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.DateTimeUtils.leapSafeAddYears;

 import com.google.common.collect.ImmutableList;
@@ -137,7 +137,7 @@ public final class DomainRenewFlow implements TransactionalFlow {
    extensionManager.validate();
    validateClientIsLoggedIn(clientId);
    verifyRegistrarIsActive(clientId);
-    DateTime now = ofy().getTransactionTime();
+    DateTime now = tm().getTransactionTime();
    Renew command = (Renew) resourceCommand;
    // Loads the target resource if it exists
    DomainBase existingDomain = loadAndVerifyExistence(DomainBase.class, targetId, now);
@@ -27,6 +27,7 @@ import static google.registry.flows.domain.DomainFlowUtils.verifyPremiumNameIsNo
 import static google.registry.flows.domain.DomainFlowUtils.verifyRegistrarIsActive;
 import static google.registry.model.ResourceTransferUtils.updateForeignKeyIndexDeletionTime;
 import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.DateTimeUtils.END_OF_TIME;

 import com.google.common.collect.ImmutableList;
@@ -133,7 +134,7 @@ public final class DomainRestoreRequestFlow implements TransactionalFlow  {
    validateClientIsLoggedIn(clientId);
    verifyRegistrarIsActive(clientId);
    Update command = (Update) resourceCommand;
-    DateTime now = ofy().getTransactionTime();
+    DateTime now = tm().getTransactionTime();
    DomainBase existingDomain = loadAndVerifyExistence(DomainBase.class, targetId, now);
    FeesAndCredits feesAndCredits =
        pricingLogic.getRestorePrice(Registry.get(existingDomain.getTld()), targetId, now);
@@ -29,6 +29,7 @@ import static google.registry.model.ResourceTransferUtils.approvePendingTransfer
 import static google.registry.model.domain.DomainBase.extendRegistrationWithCap;
 import static google.registry.model.ofy.ObjectifyService.ofy;
 import static google.registry.model.reporting.DomainTransactionRecord.TransactionReportField.TRANSFER_SUCCESSFUL;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;
 import static google.registry.pricing.PricingEngineProxy.getDomainRenewCost;
 import static google.registry.util.CollectionUtils.union;
 import static google.registry.util.DateTimeUtils.END_OF_TIME;
@@ -102,7 +103,7 @@ public final class DomainTransferApproveFlow implements TransactionalFlow {
    extensionManager.register(MetadataExtension.class);
    extensionManager.validate();
    validateClientIsLoggedIn(clientId);
-    DateTime now = ofy().getTransactionTime();
+    DateTime now = tm().getTransactionTime();
    DomainBase existingDomain = loadAndVerifyExistence(DomainBase.class, targetId, now);
    verifyOptionalAuthInfo(authInfo, existingDomain);
    verifyHasPendingTransfer(existingDomain);
@@ -27,6 +27,7 @@ import static google.registry.flows.domain.DomainTransferUtils.createTransferRes
 import static google.registry.model.ResourceTransferUtils.denyPendingTransfer;
 import static google.registry.model.ofy.ObjectifyService.ofy;
 import static google.registry.model.reporting.DomainTransactionRecord.TransactionReportField.TRANSFER_SUCCESSFUL;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.DateTimeUtils.END_OF_TIME;

 import com.google.common.collect.ImmutableSet;
@@ -87,7 +88,7 @@ public final class DomainTransferCancelFlow implements TransactionalFlow {
    extensionManager.register(MetadataExtension.class);
    extensionManager.validate();
    validateClientIsLoggedIn(clientId);
-    DateTime now = ofy().getTransactionTime();
+    DateTime now = tm().getTransactionTime();
    DomainBase existingDomain = loadAndVerifyExistence(DomainBase.class, targetId, now);
    verifyOptionalAuthInfo(authInfo, existingDomain);
    verifyHasPendingTransfer(existingDomain);
@@ -28,6 +28,7 @@ import static google.registry.model.ResourceTransferUtils.denyPendingTransfer;
 import static google.registry.model.ofy.ObjectifyService.ofy;
 import static google.registry.model.reporting.DomainTransactionRecord.TransactionReportField.TRANSFER_NACKED;
 import static google.registry.model.reporting.DomainTransactionRecord.TransactionReportField.TRANSFER_SUCCESSFUL;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.CollectionUtils.union;
 import static google.registry.util.DateTimeUtils.END_OF_TIME;

@@ -89,7 +90,7 @@ public final class DomainTransferRejectFlow implements TransactionalFlow {
    extensionManager.register(MetadataExtension.class);
    extensionManager.validate();
    validateClientIsLoggedIn(clientId);
-    DateTime now = ofy().getTransactionTime();
+    DateTime now = tm().getTransactionTime();
    DomainBase existingDomain = loadAndVerifyExistence(DomainBase.class, targetId, now);
    Registry registry = Registry.get(existingDomain.getTld());
    HistoryEntry historyEntry = buildHistoryEntry(existingDomain, registry, now);
@@ -32,6 +32,7 @@ import static google.registry.flows.domain.DomainTransferUtils.createTransferSer
 import static google.registry.model.domain.DomainBase.extendRegistrationWithCap;
 import static google.registry.model.eppoutput.Result.Code.SUCCESS_WITH_ACTION_PENDING;
 import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;

 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
@@ -143,7 +144,7 @@ public final class DomainTransferRequestFlow implements TransactionalFlow {
    extensionManager.validate();
    validateClientIsLoggedIn(gainingClientId);
    verifyRegistrarIsActive(gainingClientId);
-    DateTime now = ofy().getTransactionTime();
+    DateTime now = tm().getTransactionTime();
    DomainBase existingDomain = loadAndVerifyExistence(DomainBase.class, targetId, now);
    Optional<DomainTransferRequestSuperuserExtension> superuserExtension =
        eppInput.getSingleExtension(DomainTransferRequestSuperuserExtension.class);
@@ -38,7 +38,7 @@ import static google.registry.flows.domain.DomainFlowUtils.validateRegistrantAll
 import static google.registry.flows.domain.DomainFlowUtils.validateRequiredContactsPresent;
 import static google.registry.flows.domain.DomainFlowUtils.verifyClientUpdateNotProhibited;
 import static google.registry.flows.domain.DomainFlowUtils.verifyNotInPendingDelete;
-import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;

 import com.google.common.collect.ImmutableSet;
 import com.google.common.net.InternetDomainName;
@@ -154,7 +154,7 @@ public final class DomainUpdateFlow implements TransactionalFlow {
    flowCustomLogic.beforeValidation();
    extensionManager.validate();
    validateClientIsLoggedIn(clientId);
-    DateTime now = ofy().getTransactionTime();
+    DateTime now = tm().getTransactionTime();
    Update command = cloneAndLinkReferences((Update) resourceCommand, now);
    DomainBase existingDomain = loadAndVerifyExistence(DomainBase.class, targetId, now);
    verifyUpdateAllowed(command, existingDomain, now);
@@ -22,6 +22,7 @@ import static google.registry.flows.host.HostFlowUtils.verifySuperordinateDomain
 import static google.registry.flows.host.HostFlowUtils.verifySuperordinateDomainOwnership;
 import static google.registry.model.EppResourceUtils.createRepoId;
 import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.CollectionUtils.isNullOrEmpty;
 import static google.registry.util.CollectionUtils.union;

@@ -103,7 +104,7 @@ public final class HostCreateFlow implements TransactionalFlow {
    extensionManager.validate();
    validateClientIsLoggedIn(clientId);
    Create command = (Create) resourceCommand;
-    DateTime now = ofy().getTransactionTime();
+    DateTime now = tm().getTransactionTime();
    verifyResourceDoesNotExist(HostResource.class, targetId, now, clientId);
    // The superordinate domain of the host object if creating an in-bailiwick host, or null if
    // creating an external host. This is looked up before we actually create the Host object so
@@ -22,6 +22,7 @@ import static google.registry.flows.ResourceFlowUtils.verifyResourceOwnership;
 import static google.registry.flows.host.HostFlowUtils.validateHostName;
 import static google.registry.model.eppoutput.Result.Code.SUCCESS_WITH_ACTION_PENDING;
 import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;

 import com.google.common.collect.ImmutableSet;
 import com.googlecode.objectify.Key;
@@ -85,7 +86,7 @@ public final class HostDeleteFlow implements TransactionalFlow {
    extensionManager.register(MetadataExtension.class);
    extensionManager.validate();
    validateClientIsLoggedIn(clientId);
-    DateTime now = ofy().getTransactionTime();
+    DateTime now = tm().getTransactionTime();
    validateHostName(targetId);
    failfastForAsyncDelete(targetId, now, HostResource.class, DomainBase::getNameservers);
    HostResource existingHost = loadAndVerifyExistence(HostResource.class, targetId, now);
@@ -101,7 +102,7 @@ public final class HostDeleteFlow implements TransactionalFlow {
      verifyResourceOwnership(clientId, owningResource);
    }
    asyncTaskEnqueuer.enqueueAsyncDelete(
-        existingHost, ofy().getTransactionTime(), clientId, trid, isSuperuser);
+        existingHost, tm().getTransactionTime(), clientId, trid, isSuperuser);
    HostResource newHost =
        existingHost.asBuilder().addStatusValue(StatusValue.PENDING_DELETE).build();
    historyBuilder
@@ -28,6 +28,7 @@ import static google.registry.flows.host.HostFlowUtils.verifySuperordinateDomain
 import static google.registry.flows.host.HostFlowUtils.verifySuperordinateDomainOwnership;
 import static google.registry.model.index.ForeignKeyIndex.loadAndGetKey;
 import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.CollectionUtils.isNullOrEmpty;

 import com.google.common.collect.ImmutableSet;
@@ -129,7 +130,7 @@ public final class HostUpdateFlow implements TransactionalFlow {
    Update command = (Update) resourceCommand;
    Change change = command.getInnerChange();
    String suppliedNewHostName = change.getFullyQualifiedHostName();
-    DateTime now = ofy().getTransactionTime();
+    DateTime now = tm().getTransactionTime();
    validateHostName(targetId);
    HostResource existingHost = loadAndVerifyExistence(HostResource.class, targetId, now);
    boolean isHostRename = suppliedNewHostName != null;
@@ -271,7 +272,7 @@ public final class HostUpdateFlow implements TransactionalFlow {
      }
      // We must also enqueue updates for all domains that use this host as their nameserver so
      // that their NS records can be updated to point at the new name.
-      asyncTaskEnqueuer.enqueueAsyncDnsRefresh(existingHost, ofy().getTransactionTime());
+      asyncTaskEnqueuer.enqueueAsyncDnsRefresh(existingHost, tm().getTransactionTime());
    }
  }

@@ -82,6 +82,9 @@ public class FlowPicker {
  /** Marker class for unimplemented flows. */
  private abstract static class UnimplementedFlow implements Flow {}

+  /** Marker class for unimplemented restore flows. */
+  private abstract static class UnimplementedRestoreFlow implements Flow {}
+
  /** A function type that takes an {@link EppInput} and returns a {@link Flow} class. */
  private abstract static class FlowProvider {
    /** Get the flow associated with this {@link EppInput} or return null to signal no match. */
@@ -160,7 +163,7 @@ public class FlowPicker {
      // Restore command with an op of "report" is not currently supported.
      return (rgpUpdateExtension.get().getRestoreCommand().getRestoreOp() == RestoreOp.REQUEST)
          ? DomainRestoreRequestFlow.class
-          : UnimplementedFlow.class;
+          : UnimplementedRestoreFlow.class;
    }};

  /**
@@ -265,8 +268,11 @@ public class FlowPicker {
      Class<? extends Flow> flowClass = flowProvider.get(eppInput);
      if (flowClass == UnimplementedFlow.class) {
        break;  // We found it, but it's marked as not implemented.
-      }
-      if (flowClass != null) {
+      } else if (flowClass == UnimplementedRestoreFlow.class) {
+        throw new UnimplementedCommandException(
+            "Domain restores are approved and enacted instantly, "
+                + "therefore domain restore reports are not supported");
+      } else if (flowClass != null) {
        return flowClass;  // We found it!
      }
    }
@@ -21,6 +21,7 @@ import static google.registry.model.eppoutput.Result.Code.SUCCESS_WITH_NO_MESSAG
 import static google.registry.model.ofy.ObjectifyService.ofy;
 import static google.registry.model.poll.PollMessageExternalKeyConverter.makePollMessageExternalId;
 import static google.registry.model.poll.PollMessageExternalKeyConverter.parsePollMessageExternalId;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.DateTimeUtils.isBeforeOrAt;

 import com.googlecode.objectify.Key;
@@ -78,7 +79,7 @@ public class PollAckFlow implements TransactionalFlow {
      throw new InvalidMessageIdException(messageId);
    }

-    final DateTime now = ofy().getTransactionTime();
+    final DateTime now = tm().getTransactionTime();

    // Load the message to be acked. If a message is queued to be delivered in the future, we treat
    // it as if it doesn't exist yet. Same for if the message ID year isn't the same as the actual
@@ -124,7 +125,7 @@ public class PollAckFlow implements TransactionalFlow {
    // acked, then we return a special status code indicating that. Note that the query will
    // include the message being acked.

-    int messageCount = ofy().doTransactionless(() -> getPollMessagesQuery(clientId, now).count());
+    int messageCount = tm().doTransactionless(() -> getPollMessagesQuery(clientId, now).count());
    if (!includeAckedMessageInCount) {
      messageCount--;
    }
@@ -14,12 +14,12 @@

 package google.registry.groups;

-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.services.admin.directory.Directory;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.CredentialModule.DelegatedCredential;
 import google.registry.config.RegistryConfig.Config;
+import google.registry.util.GoogleCredentialsBundle;

 /** Dagger module for the Google {@link Directory} service. */
@Module
@@ -27,8 +27,12 @@ public final class DirectoryModule {

  @Provides
  static Directory provideDirectory(
-      @DelegatedCredential GoogleCredential credential, @Config("projectId") String projectId) {
-    return new Directory.Builder(credential.getTransport(), credential.getJsonFactory(), credential)
+      @DelegatedCredential GoogleCredentialsBundle credentialsBundle,
+      @Config("projectId") String projectId) {
+    return new Directory.Builder(
+            credentialsBundle.getHttpTransport(),
+            credentialsBundle.getJsonFactory(),
+            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(projectId)
        .build();
  }
@@ -14,12 +14,12 @@

 package google.registry.groups;

-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.services.groupssettings.Groupssettings;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.CredentialModule.DelegatedCredential;
 import google.registry.config.RegistryConfig.Config;
+import google.registry.util.GoogleCredentialsBundle;

 /** Dagger module for the Google {@link Groupssettings} service. */
@Module
@@ -27,9 +27,12 @@ public final class GroupssettingsModule {

  @Provides
  static Groupssettings provideDirectory(
-      @DelegatedCredential GoogleCredential credential, @Config("projectId") String projectId) {
+      @DelegatedCredential GoogleCredentialsBundle credentialsBundle,
+      @Config("projectId") String projectId) {
    return new Groupssettings.Builder(
-            credential.getTransport(), credential.getJsonFactory(), credential)
+            credentialsBundle.getHttpTransport(),
+            credentialsBundle.getJsonFactory(),
+            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(projectId)
        .build();
  }
@@ -122,7 +122,8 @@ public abstract class DummyKeyringModule {
        "not a real login",
        "not a real password",
        "not a real login",
-        "not a real credential");
+        "not a real credential",
+        "not a real password");
  }

  private DummyKeyringModule() {}
@@ -39,6 +39,7 @@ public final class InMemoryKeyring implements Keyring {
  private final String marksdbLordnPassword;
  private final String marksdbSmdrlLoginAndPassword;
  private final String jsonCredential;
+  private final String cloudSqlPassword;

  public InMemoryKeyring(
      PGPKeyPair rdeStagingKey,
@@ -53,7 +54,8 @@ public final class InMemoryKeyring implements Keyring {
      String marksdbDnlLoginAndPassword,
      String marksdbLordnPassword,
      String marksdbSmdrlLoginAndPassword,
-      String jsonCredential) {
+      String jsonCredential,
+      String cloudSqlPassword) {
    checkArgument(PgpHelper.isSigningKey(rdeSigningKey.getPublicKey()),
        "RDE signing key must support signing: %s", rdeSigningKey.getKeyID());
    checkArgument(rdeStagingKey.getPublicKey().isEncryptionKey(),
@@ -79,6 +81,7 @@ public final class InMemoryKeyring implements Keyring {
    this.marksdbSmdrlLoginAndPassword =
        checkNotNull(marksdbSmdrlLoginAndPassword, "marksdbSmdrlLoginAndPassword");
    this.jsonCredential = checkNotNull(jsonCredential, "jsonCredential");
+    this.cloudSqlPassword = checkNotNull(cloudSqlPassword, "cloudSqlPassword");
  }

  @Override
@@ -151,6 +154,11 @@ public final class InMemoryKeyring implements Keyring {
    return jsonCredential;
  }

+  @Override
+  public String getCloudSqlPassword() {
+    return cloudSqlPassword;
+  }
+
  /** Does nothing. */
  @Override
  public void close() {}
@@ -36,6 +36,12 @@ public final class KeyModule {
    String value();
  }

+  @Provides
+  @Key("cloudSqlPassword")
+  static String providesCloudSqlPassword(Keyring keyring) {
+    return keyring.getCloudSqlPassword();
+  }
+
  @Provides
  @Key("brdaReceiverKey")
  static PGPPublicKey provideBrdaReceiverKey(Keyring keyring) {
@@ -28,6 +28,9 @@ import org.bouncycastle.openpgp.PGPPublicKey;
@ThreadSafe
 public interface Keyring extends AutoCloseable {

+  /** Returns the password which is used to connect to the Cloud SQL database. */
+  String getCloudSqlPassword();
+
  /**
   * Returns the key which should be used to sign RDE deposits being uploaded to a third-party.
   *
@@ -67,6 +67,7 @@ public class KmsKeyring implements Keyring {

  /** Key labels for string secrets. */
  enum StringKeyLabel {
+    CLOUD_SQL_PASSWORD_STRING,
    SAFE_BROWSING_API_KEY,
    ICANN_REPORTING_PASSWORD_STRING,
    JSON_CREDENTIAL_STRING,
@@ -88,6 +89,11 @@ public class KmsKeyring implements Keyring {
    this.kmsConnection = kmsConnection;
  }

+  @Override
+  public String getCloudSqlPassword() {
+    return getString(StringKeyLabel.CLOUD_SQL_PASSWORD_STRING);
+  }
+
  @Override
  public PGPKeyPair getRdeSigningKey() {
    return getKeyPair(PrivateKeyLabel.RDE_SIGNING_PRIVATE);
@@ -14,7 +14,6 @@

 package google.registry.keyring.kms;

-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.services.cloudkms.v1.CloudKMS;
 import dagger.Binds;
 import dagger.Module;
@@ -24,6 +23,7 @@ import dagger.multibindings.StringKey;
 import google.registry.config.CredentialModule.DefaultCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.keyring.api.Keyring;
+import google.registry.util.GoogleCredentialsBundle;

 /** Dagger module for Cloud KMS. */
@Module
@@ -31,20 +31,23 @@ public abstract class KmsModule {

  public static final String NAME = "KMS";

-  @Binds
-  @IntoMap
-  @StringKey(NAME)
-  abstract Keyring provideKeyring(KmsKeyring keyring);
-
  @Provides
  static CloudKMS provideKms(
-      @DefaultCredential GoogleCredential credential,
+      @DefaultCredential GoogleCredentialsBundle credentialsBundle,
      @Config("cloudKmsProjectId") String projectId) {
-    return new CloudKMS.Builder(credential.getTransport(), credential.getJsonFactory(), credential)
+    return new CloudKMS.Builder(
+            credentialsBundle.getHttpTransport(),
+            credentialsBundle.getJsonFactory(),
+            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(projectId)
        .build();
  }

+  @Binds
+  @IntoMap
+  @StringKey(NAME)
+  abstract Keyring provideKeyring(KmsKeyring keyring);
+
  @Binds
  abstract KmsConnection provideKmsConnection(KmsConnectionImpl kmsConnectionImpl);
 }
@@ -24,6 +24,7 @@ import static google.registry.keyring.kms.KmsKeyring.PublicKeyLabel.BRDA_SIGNING
 import static google.registry.keyring.kms.KmsKeyring.PublicKeyLabel.RDE_RECEIVER_PUBLIC;
 import static google.registry.keyring.kms.KmsKeyring.PublicKeyLabel.RDE_SIGNING_PUBLIC;
 import static google.registry.keyring.kms.KmsKeyring.PublicKeyLabel.RDE_STAGING_PUBLIC;
+import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.CLOUD_SQL_PASSWORD_STRING;
 import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.ICANN_REPORTING_PASSWORD_STRING;
 import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.JSON_CREDENTIAL_STRING;
 import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.MARKSDB_DNL_LOGIN_STRING;
@@ -33,6 +34,7 @@ import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.RDE_SSH_CLIE
 import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.RDE_SSH_CLIENT_PUBLIC_STRING;
 import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.SAFE_BROWSING_API_KEY;
 import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;

 import com.google.common.collect.ImmutableMap;
@@ -68,6 +70,10 @@ public final class KmsUpdater {
    this.secretValues = new LinkedHashMap<>();
  }

+  public KmsUpdater setCloudSqlPassword(String password) {
+    return setString(password, CLOUD_SQL_PASSWORD_STRING);
+  }
+
  public KmsUpdater setRdeSigningKey(PGPKeyPair keyPair) throws IOException, PGPException {
    return setKeyPair(keyPair, RDE_SIGNING_PRIVATE, RDE_SIGNING_PUBLIC);
  }
@@ -182,7 +188,7 @@ public final class KmsUpdater {
   */
  private static void persistEncryptedValues(
      final ImmutableMap<String, EncryptResponse> encryptedValues) {
-    ofy()
+    tm()
        .transact(
            () -> {
              for (Map.Entry<String, EncryptResponse> entry : encryptedValues.entrySet()) {
@@ -22,6 +22,7 @@ import static com.google.common.collect.Sets.union;
 import static google.registry.config.RegistryConfig.getEppResourceCachingDuration;
 import static google.registry.config.RegistryConfig.getEppResourceMaxCachedEntries;
 import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.CollectionUtils.nullToEmpty;
 import static google.registry.util.CollectionUtils.nullToEmptyImmutableCopy;
 import static google.registry.util.DateTimeUtils.END_OF_TIME;
@@ -49,10 +50,13 @@ import java.util.Map.Entry;
 import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.ExecutionException;
+import javax.persistence.MappedSuperclass;
+import javax.persistence.Transient;
 import org.joda.time.DateTime;
 import org.joda.time.Duration;

 /** An EPP entity object (i.e. a domain, contact, or host). */
+@MappedSuperclass
 public abstract class EppResource extends BackupGroupRoot implements Buildable {

  /**
@@ -61,8 +65,7 @@ public abstract class EppResource extends BackupGroupRoot implements Buildable {
   * <p>This is in the (\w|_){1,80}-\w{1,8} format specified by RFC 5730 for roidType.
   * @see <a href="https://tools.ietf.org/html/rfc5730">RFC 5730</a>
   */
-  @Id
-  String repoId;
+  @Id @javax.persistence.Id String repoId;

  /** The ID of the registrar that is currently sponsoring this resource. */
  @Index
@@ -84,8 +87,7 @@ public abstract class EppResource extends BackupGroupRoot implements Buildable {
  // Map the method to XML, not the field, because if we map the field (with an adaptor class) it
  // will never be omitted from the xml even if the timestamp inside creationTime is null and we
  // return null from the adaptor. (Instead it gets written as an empty tag.)
-  @Index
-  CreateAutoTimestamp creationTime = CreateAutoTimestamp.create(null);
+  @Index @Transient CreateAutoTimestamp creationTime = CreateAutoTimestamp.create(null);

  /**
   * The time when this resource was or will be deleted.
@@ -114,7 +116,7 @@ public abstract class EppResource extends BackupGroupRoot implements Buildable {
  DateTime lastEppUpdateTime;

  /** Status values associated with this resource. */
-  Set<StatusValue> status;
+  @Transient Set<StatusValue> status;

  /**
   * Sorted map of {@link DateTime} keys (modified time) to {@link CommitLogManifest} entries.
@@ -325,13 +327,13 @@ public abstract class EppResource extends BackupGroupRoot implements Buildable {

        @Override
        public EppResource load(Key<? extends EppResource> key) {
-          return ofy().doTransactionless(() -> ofy().load().key(key).now());
+          return tm().doTransactionless(() -> ofy().load().key(key).now());
        }

        @Override
        public Map<Key<? extends EppResource>, EppResource> loadAll(
            Iterable<? extends Key<? extends EppResource>> keys) {
-          return ofy().doTransactionless(() -> loadMultiple(keys));
+          return tm().doTransactionless(() -> loadMultiple(keys));
        }
      };

@@ -21,6 +21,7 @@ import static com.google.common.collect.ImmutableList.toImmutableList;
 import static google.registry.model.ofy.ObjectifyService.ofy;
 import static google.registry.model.registry.Registry.TldState.GENERAL_AVAILABILITY;
 import static google.registry.model.registry.Registry.TldState.START_DATE_SUNRISE;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.DateTimeUtils.START_OF_TIME;

 import com.google.common.collect.ImmutableList;
@@ -236,7 +237,7 @@ public final class OteAccountBuilder {
   */
  public ImmutableMap<String, String> buildAndPersist() {
    // save all the entitiesl in a single transaction
-    ofy().transact(this::saveAllEntities);
+    tm().transact(this::saveAllEntities);
    return clientIdToTld;
  }

@@ -249,7 +250,7 @@ public final class OteAccountBuilder {

  /** Saves all the OT&amp;E entities we created. */
  private void saveAllEntities() {
-    ofy().assertInTransaction();
+    tm().assertInTransaction();

    ImmutableList<Registry> registries = ImmutableList.of(sunriseTld, gaTld, eapTld);
    ImmutableList<RegistrarContact> contacts = contactsBuilder.build();
@@ -17,6 +17,7 @@ package google.registry.model.common;
 import static com.google.common.base.Preconditions.checkState;
 import static google.registry.model.ofy.ObjectifyService.allocateId;
 import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;

 import com.google.appengine.api.users.User;
 import com.google.common.base.Splitter;
@@ -55,13 +56,13 @@ public class GaeUserIdConverter extends ImmutableObject {
    try {
      // Perform these operations in a transactionless context to avoid enlisting in some outer
      // transaction (if any).
-      ofy().doTransactionless(() -> ofy().saveWithoutBackup().entity(gaeUserIdConverter).now());
+      tm().doTransactionless(() -> ofy().saveWithoutBackup().entity(gaeUserIdConverter).now());

      // The read must be done in its own transaction to avoid reading from the session cache.
-      return ofy()
+      return tm()
          .transactNew(() -> ofy().load().entity(gaeUserIdConverter).safe().user.getUserId());
    } finally {
-      ofy().doTransactionless(() -> ofy().deleteWithoutBackup().entity(gaeUserIdConverter).now());
+      tm().doTransactionless(() -> ofy().deleteWithoutBackup().entity(gaeUserIdConverter).now());
    }
  }
 }
@@ -21,24 +21,26 @@ import com.googlecode.objectify.annotation.Embed;
 import com.googlecode.objectify.annotation.Index;
 import google.registry.model.ImmutableObject;
 import google.registry.model.contact.ContactResource;
+import javax.persistence.Id;
 import javax.xml.bind.annotation.XmlEnumValue;

 /**
 * Persisted type for storing a domain's contact associations.
 *
 * <p>A contact association on a domain consists of the contact key and the contact "type", which is
- * the designated role of this contact with respect to this domain.  When converting to and from
- * EPP XML, we use {@link ForeignKeyedDesignatedContact} to replace the contact's Datastore key
- * with its foreign key, since that is what EPP exposes.
+ * the designated role of this contact with respect to this domain. When converting to and from EPP
+ * XML, we use {@link ForeignKeyedDesignatedContact} to replace the contact's Datastore key with its
+ * foreign key, since that is what EPP exposes.
 *
 * <p>Note one could in principle store contact foreign keys here in addition to keys, unlike the
- * situation with hosts where client-side renames would make that data stale.  However, we sometimes
+ * situation with hosts where client-side renames would make that data stale. However, we sometimes
 * rename contacts internally ourselves, and it's easier to use the same model for both cases.
 *
- * @see <a href="http://tools.ietf.org/html/rfc5731#section-2.2">
- *     RFC 5731 - EPP Domain Name Mapping - Contact and Client Identifiers</a>
+ * @see <a href="http://tools.ietf.org/html/rfc5731#section-2.2">RFC 5731 - EPP Domain Name Mapping
+ *     - Contact and Client Identifiers</a>
 */
@Embed
+@javax.persistence.Entity
 public class DesignatedContact extends ImmutableObject {

  /**
@@ -65,8 +67,7 @@ public class DesignatedContact extends ImmutableObject {

  Type type;

-  @Index
-  Key<ContactResource> contact;
+  @Index @Id Key<ContactResource> contact;

  public Type getType() {
    return type;
@@ -19,6 +19,7 @@ import google.registry.model.eppcommon.AuthInfo;

 /** A version of authInfo specifically for domains. */
@Embed
+@javax.persistence.Embeddable
 public class DomainAuthInfo extends AuthInfo {
  public static DomainAuthInfo create(PasswordAuth pw) {
    DomainAuthInfo instance = new DomainAuthInfo();
@@ -28,6 +28,7 @@ import static google.registry.util.CollectionUtils.forceEmptyToNull;
 import static google.registry.util.CollectionUtils.nullToEmpty;
 import static google.registry.util.CollectionUtils.nullToEmptyImmutableCopy;
 import static google.registry.util.CollectionUtils.union;
+import static google.registry.util.DateTimeUtils.END_OF_TIME;
 import static google.registry.util.DateTimeUtils.earliestOf;
 import static google.registry.util.DateTimeUtils.isBeforeOrAt;
 import static google.registry.util.DateTimeUtils.leapSafeAddYears;
@@ -68,6 +69,11 @@ import java.util.Optional;
 import java.util.Set;
 import java.util.function.Predicate;
 import javax.annotation.Nullable;
+import javax.persistence.AttributeOverride;
+import javax.persistence.AttributeOverrides;
+import javax.persistence.Column;
+import javax.persistence.ElementCollection;
+import javax.persistence.Embedded;
 import org.joda.time.DateTime;
 import org.joda.time.Interval;

@@ -82,6 +88,8 @@ import org.joda.time.Interval;
 */
@ReportedOn
@Entity
+@javax.persistence.Entity
+@javax.persistence.Table(name = "Domain")
@ExternalMessagingName("domain")
 public class DomainBase extends EppResource
    implements ForeignKeyedEppResource, ResourceWithTransferData {
@@ -104,7 +112,7 @@ public class DomainBase extends EppResource
   * from (creationTime, deletionTime) there can only be one domain in Datastore with this name.
   * However, there can be many domains with the same name and non-overlapping lifetimes.
   *
-   * @invariant fullyQualifiedDomainName == fullyQualifiedDomainName.toLowerCase()
+   * @invariant fullyQualifiedDomainName == fullyQualifiedDomainName.toLowerCase(Locale.ENGLISH)
   */
  @Index
  String fullyQualifiedDomainName;
@@ -114,17 +122,21 @@ public class DomainBase extends EppResource
  String tld;

  /** References to hosts that are the nameservers for the domain. */
-  @Index
-  Set<Key<HostResource>> nsHosts;
+  @Index @ElementCollection Set<Key<HostResource>> nsHosts;

  /**
   * The union of the contacts visible via {@link #getContacts} and {@link #getRegistrant}.
   *
   * <p>These are stored in one field so that we can query across all contacts at once.
   */
-  Set<DesignatedContact> allContacts;
+  @ElementCollection Set<DesignatedContact> allContacts;

  /** Authorization info (aka transfer secret) of the domain. */
+  @Embedded
+  @AttributeOverrides({
+    @AttributeOverride(name = "pw.value", column = @Column(name = "auth_info_value")),
+    @AttributeOverride(name = "pw.repoId", column = @Column(name = "auth_info_repo_id")),
+  })
  DomainAuthInfo authInfo;

  /**
@@ -133,13 +145,26 @@ public class DomainBase extends EppResource
   * <p>This is {@literal @}XmlTransient because it needs to be returned under the "extension" tag
   * of an info response rather than inside the "infData" tag.
   */
-  Set<DelegationSignerData> dsData;
+  @ElementCollection Set<DelegationSignerData> dsData;

  /**
   * The claims notice supplied when this application or domain was created, if there was one. It's
   * {@literal @}XmlTransient because it's not returned in an info response.
   */
  @IgnoreSave(IfNull.class)
+  @Embedded
+  @AttributeOverrides({
+    @AttributeOverride(name = "noticeId.tcnId", column = @Column(name = "launch_notice_tcn_id")),
+    @AttributeOverride(
+        name = "noticeId.validatorId",
+        column = @Column(name = "launch_notice_validator_id")),
+    @AttributeOverride(
+        name = "expirationTime",
+        column = @Column(name = "launch_notice_expiration_time")),
+    @AttributeOverride(
+        name = "acceptedTime",
+        column = @Column(name = "launch_notice_accepted_time")),
+  })
  LaunchNotice launchNotice;

  /**
@@ -151,7 +176,7 @@ public class DomainBase extends EppResource
  String idnTableName;

  /** Fully qualified host names of this domain's active subordinate hosts. */
-  Set<String> subordinateHosts;
+  @ElementCollection Set<String> subordinateHosts;

  /** When this domain's registration will expire. */
  DateTime registrationExpirationTime;
@@ -186,7 +211,7 @@ public class DomainBase extends EppResource
  Key<PollMessage.Autorenew> autorenewPollMessage;

  /** The unexpired grace periods for this domain (some of which may not be active yet). */
-  Set<GracePeriod> gracePeriods;
+  @ElementCollection Set<GracePeriod> gracePeriods;

  /**
   * The id of the signed mark that was used to create this domain in sunrise.
@@ -197,6 +222,30 @@ public class DomainBase extends EppResource
  String smdId;

  /** Data about any pending or past transfers on this domain. */
+  @Embedded
+  @AttributeOverrides({
+    @AttributeOverride(
+        name = "transferRequestTrid",
+        column = @Column(name = "transfer_data_request_trid")),
+    @AttributeOverride(
+        name = "transferPeriod",
+        column = @Column(name = "transfer_data_transfer_period")),
+    @AttributeOverride(
+        name = "transferredRegistrationExpirationTime",
+        column = @Column(name = "transfer_data_registration_expiration_time")),
+    @AttributeOverride(
+        name = "serverApproveEntities",
+        column = @Column(name = "transfer_data_server_approve_entities")),
+    @AttributeOverride(
+        name = "serverApproveBillingEvent",
+        column = @Column(name = "transfer_data_server_approve_billing_event")),
+    @AttributeOverride(
+        name = "serverApproveAutorenewEvent",
+        column = @Column(name = "transfer_data_server_approve_autorenrew_event")),
+    @AttributeOverride(
+        name = "serverApproveAutorenewPollMessage",
+        column = @Column(name = "transfer_data_server_approve_autorenrew_poll_message")),
+  })
  TransferData transferData;

  /**
@@ -376,10 +425,10 @@ public class DomainBase extends EppResource

    Optional<DateTime> newLastEppUpdateTime = Optional.empty();

-    // There is no transfer. Do any necessary autorenews.
+    // There is no transfer. Do any necessary autorenews for active domains.

    Builder builder = asBuilder();
-    if (isBeforeOrAt(registrationExpirationTime, now)) {
+    if (isBeforeOrAt(registrationExpirationTime, now) && END_OF_TIME.equals(getDeletionTime())) {
      // Autorenew by the number of years between the old expiration time and now.
      DateTime lastAutorenewTime = leapSafeAddYears(
          registrationExpirationTime,
@@ -19,21 +19,31 @@ import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;

 import com.googlecode.objectify.Key;
 import com.googlecode.objectify.annotation.Embed;
+import com.googlecode.objectify.annotation.Ignore;
 import google.registry.model.ImmutableObject;
 import google.registry.model.billing.BillingEvent;
 import google.registry.model.domain.rgp.GracePeriodStatus;
 import javax.annotation.Nullable;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
 import org.joda.time.DateTime;

 /**
 * A domain grace period with an expiration time.
 *
- * <p>When a grace period expires, it is lazily removed from the {@link DomainBase} the next
- * time the resource is loaded from Datastore.
+ * <p>When a grace period expires, it is lazily removed from the {@link DomainBase} the next time
+ * the resource is loaded from Datastore.
 */
@Embed
+@javax.persistence.Entity
 public class GracePeriod extends ImmutableObject {

+  @javax.persistence.Id
+  @GeneratedValue(strategy = GenerationType.IDENTITY)
+  @Ignore
+  /** Unique id required for hibernate representation. */
+  long id;
+
  /** The type of grace period. */
  GracePeriodStatus type;

@@ -22,6 +22,7 @@ import javax.xml.bind.annotation.XmlValue;

 /** The "periodType" from {@link "http://tools.ietf.org/html/rfc5731"}. */
@Embed
+@javax.persistence.Embeddable
 public class Period extends ImmutableObject {

  @XmlAttribute
@@ -15,9 +15,9 @@
 package google.registry.model.domain.fee;

 import com.google.common.base.Ascii;
-import com.google.common.base.CharMatcher;
 import google.registry.model.ImmutableObject;
 import google.registry.model.domain.fee.FeeQueryCommandExtensionItem.CommandName;
+import java.util.Locale;
 import javax.xml.bind.annotation.XmlAttribute;
 import javax.xml.bind.annotation.XmlValue;

@@ -47,7 +47,7 @@ public class FeeExtensionCommandDescriptor extends ImmutableObject {

  public CommandName getCommand() {
    // Require the xml string to be lowercase.
-    if (command != null && CharMatcher.javaLowerCase().matchesAllOf(command)) {
+    if (command != null && command.toLowerCase(Locale.ENGLISH).equals(command)) {
      try {
        return CommandName.valueOf(Ascii.toUpperCase(command));
      } catch (IllegalArgumentException e) {
@@ -15,9 +15,9 @@
 package google.registry.model.domain.fee12;

 import com.google.common.base.Ascii;
-import com.google.common.base.CharMatcher;
 import google.registry.model.domain.Period;
 import google.registry.model.domain.fee.FeeCheckCommandExtensionItem;
+import java.util.Locale;
 import java.util.Optional;
 import javax.xml.bind.annotation.XmlAttribute;
 import javax.xml.bind.annotation.XmlElement;
@@ -83,7 +83,7 @@ public class FeeCheckCommandExtensionItemV12 extends FeeCheckCommandExtensionIte
  @Override
  public CommandName getCommandName() {
    // Require the xml string to be lowercase.
-    if (commandName != null && CharMatcher.javaLowerCase().matchesAllOf(commandName)) {
+    if (commandName != null && commandName.toLowerCase(Locale.ENGLISH).equals(commandName)) {
      try {
        return CommandName.valueOf(Ascii.toUpperCase(commandName));
      } catch (IllegalArgumentException e) {
@@ -28,6 +28,7 @@ import com.googlecode.objectify.annotation.IgnoreSave;
 import com.googlecode.objectify.condition.IfNull;
 import google.registry.model.ImmutableObject;
 import java.util.Optional;
+import javax.persistence.Embedded;
 import javax.xml.bind.annotation.XmlAttribute;
 import javax.xml.bind.annotation.XmlElement;
 import javax.xml.bind.annotation.XmlType;
@@ -37,6 +38,7 @@ import org.joda.time.DateTime;
 /** The claims notice id from the claims phase. */
@Embed
@XmlType(propOrder = {"noticeId", "expirationTime", "acceptedTime"})
+@javax.persistence.Embeddable
 public class LaunchNotice extends ImmutableObject {

  /** An empty instance to use in place of null. */
@@ -44,6 +46,7 @@ public class LaunchNotice extends ImmutableObject {

  /** An id with a validator-id attribute. */
  @Embed
+  @javax.persistence.Embeddable
  public static class NoticeIdType extends ImmutableObject {

    /**
@@ -69,6 +72,7 @@ public class LaunchNotice extends ImmutableObject {
  }

  @XmlElement(name = "noticeID")
+  @Embedded
  NoticeIdType noticeId;

  @XmlElement(name = "notAfter")
@@ -30,12 +30,13 @@ import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter;
 */
@Embed
@XmlType(name = "dsData")
+@javax.persistence.Entity
 public class DelegationSignerData extends ImmutableObject {

  private DelegationSignerData() {}

  /** The identifier for this particular key in the domain. */
-  int keyTag;
+  @javax.persistence.Id int keyTag;

  /**
   * The algorithm used by this key.
@@ -16,6 +16,9 @@ package google.registry.model.eppcommon;

 import com.googlecode.objectify.annotation.Embed;
 import google.registry.model.ImmutableObject;
+import javax.persistence.Embeddable;
+import javax.persistence.Embedded;
+import javax.persistence.MappedSuperclass;
 import javax.xml.bind.annotation.XmlAttribute;
 import javax.xml.bind.annotation.XmlTransient;
 import javax.xml.bind.annotation.XmlType;
@@ -30,9 +33,11 @@ import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter;
 * <p>RFCs 5731 and 5732 define this almost identically up to the namespace.
 */
@XmlTransient
+@Embeddable
+@MappedSuperclass
 public abstract class AuthInfo extends ImmutableObject {

-  protected PasswordAuth pw;
+  @Embedded protected PasswordAuth pw;

  public PasswordAuth getPw() {
    return pw;
@@ -41,6 +46,7 @@ public abstract class AuthInfo extends ImmutableObject {
  /** The "pwAuthInfoType" complex type. */
  @Embed
  @XmlType(namespace = "urn:ietf:params:xml:ns:eppcom-1.0")
+  @Embeddable
  public static class PasswordAuth extends ImmutableObject {
    @XmlValue
    @XmlJavaTypeAdapter(NormalizedStringAdapter.class)
@@ -31,6 +31,7 @@ import javax.xml.bind.annotation.XmlType;
 */
@Embed
@XmlType(propOrder = {"clientTransactionId", "serverTransactionId"})
+@javax.persistence.Embeddable
 public class Trid extends ImmutableObject {

  /** The server transaction id. */
@@ -19,6 +19,7 @@ import static com.google.common.collect.Maps.filterValues;
 import static google.registry.config.RegistryConfig.getEppResourceCachingDuration;
 import static google.registry.config.RegistryConfig.getEppResourceMaxCachedEntries;
 import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.TypeUtils.instantiate;
 import static java.util.concurrent.TimeUnit.MILLISECONDS;

@@ -188,7 +189,7 @@ public abstract class ForeignKeyIndex<E extends EppResource> extends BackupGroup

        @Override
        public Optional<ForeignKeyIndex<?>> load(Key<ForeignKeyIndex<?>> key) {
-          return Optional.ofNullable(ofy().doTransactionless(() -> ofy().load().key(key).now()));
+          return Optional.ofNullable(tm().doTransactionless(() -> ofy().load().key(key).now()));
        }

        @Override
@@ -196,7 +197,7 @@ public abstract class ForeignKeyIndex<E extends EppResource> extends BackupGroup
            Iterable<? extends Key<ForeignKeyIndex<?>>> keys) {
          ImmutableSet<Key<ForeignKeyIndex<?>>> typedKeys = ImmutableSet.copyOf(keys);
          Map<Key<ForeignKeyIndex<?>>, ForeignKeyIndex<?>> existingFkis =
-              ofy().doTransactionless(() -> ofy().load().keys(typedKeys));
+              tm().doTransactionless(() -> ofy().load().keys(typedKeys));
          // ofy() omits keys that don't have values in Datastore, so re-add them in
          // here with Optional.empty() values.
          return Maps.asMap(
@@ -250,7 +251,7 @@ public abstract class ForeignKeyIndex<E extends EppResource> extends BackupGroup
  public static <E extends EppResource> Map<String, ForeignKeyIndex<E>> loadCached(
      Class<E> clazz, Iterable<String> foreignKeys, final DateTime now) {
    if (!RegistryConfig.isEppResourceCachingEnabled()) {
-      return ofy().doTransactionless(() -> load(clazz, foreignKeys, now));
+      return tm().doTransactionless(() -> load(clazz, foreignKeys, now));
    }
    ImmutableList<Key<ForeignKeyIndex<?>>> fkiKeys =
        Streams.stream(foreignKeys)
@@ -28,10 +28,9 @@ import static google.registry.util.DateTimeUtils.isBeforeOrAt;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import com.googlecode.objectify.Key;
-import com.googlecode.objectify.VoidWork;
-import com.googlecode.objectify.Work;
 import google.registry.model.BackupGroupRoot;
 import google.registry.model.ImmutableObject;
+import google.registry.model.transaction.TransactionManager.Work;
 import google.registry.util.Clock;
 import java.util.HashSet;
 import java.util.Map;
@@ -40,7 +39,7 @@ import java.util.Set;
 import org.joda.time.DateTime;

 /** Wrapper for {@link Work} that associates a time with each attempt. */
-class CommitLoggedWork<R> extends VoidWork {
+class CommitLoggedWork<R> implements Runnable {

  private final Work<R> work;
  private final Clock clock;
@@ -74,8 +73,8 @@ class CommitLoggedWork<R> extends VoidWork {
   */
  protected ImmutableSet<ImmutableObject> mutations = ImmutableSet.of();

-  /** Lifecycle marker to track whether {@link #vrun} has been called. */
-  private boolean vrunCalled;
+  /** Lifecycle marker to track whether {@link #run} has been called. */
+  private boolean runCalled;

  CommitLoggedWork(Work<R> work, Clock clock) {
    this.work = work;
@@ -87,26 +86,26 @@ class CommitLoggedWork<R> extends VoidWork {
  }

  boolean hasRun() {
-    return vrunCalled;
+    return runCalled;
  }

  R getResult() {
-    checkState(vrunCalled, "Cannot call getResult() before vrun()");
+    checkState(runCalled, "Cannot call getResult() before run()");
    return result;
  }

  CommitLogManifest getManifest() {
-    checkState(vrunCalled, "Cannot call getManifest() before vrun()");
+    checkState(runCalled, "Cannot call getManifest() before run()");
    return manifest;
  }

  ImmutableSet<ImmutableObject> getMutations() {
-    checkState(vrunCalled, "Cannot call getMutations() before vrun()");
+    checkState(runCalled, "Cannot call getMutations() before run()");
    return mutations;
  }

  @Override
-  public void vrun() {
+  public void run() {
    // The previous time will generally be null, except when using transactNew.
    TransactionInfo previous = Ofy.TRANSACTION_INFO.get();
    // Set the time to be used for "now" within the transaction.
@@ -117,7 +116,7 @@ class CommitLoggedWork<R> extends VoidWork {
    } finally {
      Ofy.TRANSACTION_INFO.set(previous);
    }
-    vrunCalled = true;
+    runCalled = true;
  }

  /** Records all mutations enrolled by this transaction to a {@link CommitLogManifest} entry. */
@@ -0,0 +1,86 @@
+// Copyright 2019 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.model.ofy;
+
+
+import static google.registry.model.ofy.ObjectifyService.ofy;
+
+import google.registry.model.transaction.TransactionManager;
+import org.joda.time.DateTime;
+
+/** Datastore implementation of {@link TransactionManager}. */
+public class DatastoreTransactionManager implements TransactionManager {
+
+  private Ofy injectedOfy;
+
+  /** Constructs an instance. */
+  public DatastoreTransactionManager(Ofy injectedOfy) {
+    this.injectedOfy = injectedOfy;
+  }
+
+  private Ofy getOfy() {
+    return injectedOfy == null ? ofy() : injectedOfy;
+  }
+
+  @Override
+  public boolean inTransaction() {
+    return getOfy().inTransaction();
+  }
+
+  @Override
+  public void assertInTransaction() {
+    getOfy().assertInTransaction();
+  }
+
+  @Override
+  public <T> T transact(Work<T> work) {
+    return getOfy().transact(work);
+  }
+
+  @Override
+  public void transact(Runnable work) {
+    getOfy().transact(work);
+  }
+
+  @Override
+  public <T> T transactNew(Work<T> work) {
+    return getOfy().transactNew(work);
+  }
+
+  @Override
+  public void transactNew(Runnable work) {
+    getOfy().transactNew(work);
+  }
+
+  @Override
+  public <R> R transactNewReadOnly(Work<R> work) {
+    return getOfy().transactNewReadOnly(work);
+  }
+
+  @Override
+  public void transactNewReadOnly(Runnable work) {
+    getOfy().transactNewReadOnly(work);
+  }
+
+  @Override
+  public <R> R doTransactionless(Work<R> work) {
+    return getOfy().doTransactionless(work);
+  }
+
+  @Override
+  public DateTime getTransactionTime() {
+    return getOfy().getTransactionTime();
+  }
+}
@@ -32,13 +32,13 @@ import com.google.common.flogger.FluentLogger;
 import com.googlecode.objectify.Key;
 import com.googlecode.objectify.Objectify;
 import com.googlecode.objectify.ObjectifyFactory;
-import com.googlecode.objectify.Work;
 import com.googlecode.objectify.cmd.Deleter;
 import com.googlecode.objectify.cmd.Loader;
 import com.googlecode.objectify.cmd.Saver;
 import google.registry.model.annotations.NotBackedUp;
 import google.registry.model.annotations.VirtualEntity;
 import google.registry.model.ofy.ReadOnlyWork.KillTransactionException;
+import google.registry.model.transaction.TransactionManager.Work;
 import google.registry.util.Clock;
 import google.registry.util.NonFinalForTesting;
 import google.registry.util.Sleeper;
@@ -111,11 +111,11 @@ public class Ofy {
    ofy().clear();
  }

-  public boolean inTransaction() {
+  boolean inTransaction() {
    return ofy().getTransaction() != null;
  }

-  public void assertInTransaction() {
+  void assertInTransaction() {
    checkState(inTransaction(), "Must be called in a transaction");
  }

@@ -194,7 +194,7 @@ public class Ofy {
  }

  /** Execute a transaction. */
-  public <R> R transact(Work<R> work) {
+  <R> R transact(Work<R> work) {
    // If we are already in a transaction, don't wrap in a CommitLoggedWork.
    return inTransaction() ? work.run() : transactNew(work);
  }
@@ -205,7 +205,7 @@ public class Ofy {
   * <p>This overload is used for transactions that don't return a value, formerly implemented using
   * VoidWork.
   */
-  public void transact(Runnable work) {
+  void transact(Runnable work) {
    transact(
        () -> {
          work.run();
@@ -214,7 +214,7 @@ public class Ofy {
  }

  /** Pause the current transaction (if any) and complete this one before returning to it. */
-  public <R> R transactNew(Work<R> work) {
+  <R> R transactNew(Work<R> work) {
    // Wrap the Work in a CommitLoggedWork so that we can give transactions a frozen view of time
    // and maintain commit logs for them.
    return transactCommitLoggedWork(new CommitLoggedWork<>(work, getClock()));
@@ -226,7 +226,7 @@ public class Ofy {
   * <p>This overload is used for transactions that don't return a value, formerly implemented using
   * VoidWork.
   */
-  public void transactNew(Runnable work) {
+  void transactNew(Runnable work) {
    transactNew(
        () -> {
          work.run();
@@ -246,7 +246,10 @@ public class Ofy {
        true;
        attempt++, sleepMillis *= 2) {
      try {
-        ofy().transactNew(work);
+        ofy().transactNew(() -> {
+          work.run();
+          return null;
+        });
        return work.getResult();
      } catch (TransientFailureException
          | TimestampInversionException
@@ -295,10 +298,13 @@ public class Ofy {
  }

  /** A read-only transaction is useful to get strongly consistent reads at a shared timestamp. */
-  public <R> R transactNewReadOnly(Work<R> work) {
+  <R> R transactNewReadOnly(Work<R> work) {
    ReadOnlyWork<R> readOnlyWork = new ReadOnlyWork<>(work, getClock());
    try {
-      ofy().transactNew(readOnlyWork);
+      ofy().transactNew(() -> {
+        readOnlyWork.run();
+        return null;
+      });
    } catch (TransientFailureException | DatastoreTimeoutException | DatastoreFailureException e) {
      // These are always retryable for a read-only operation.
      return transactNewReadOnly(work);
@@ -309,7 +315,7 @@ public class Ofy {
    throw new AssertionError();  // How on earth did we get here?
  }

-  public void transactNewReadOnly(Runnable work) {
+  void transactNewReadOnly(Runnable work) {
    transactNewReadOnly(
        () -> {
          work.run();
@@ -318,7 +324,7 @@ public class Ofy {
  }

  /** Execute some work in a transactionless context. */
-  public <R> R doTransactionless(Work<R> work) {
+  <R> R doTransactionless(Work<R> work) {
    try {
      com.googlecode.objectify.ObjectifyService.push(
          com.googlecode.objectify.ObjectifyService.ofy().transactionless());
@@ -347,7 +353,7 @@ public class Ofy {
  }

  /** Get the time associated with the start of this particular transaction attempt. */
-  public DateTime getTransactionTime() {
+  DateTime getTransactionTime() {
    assertInTransaction();
    return TRANSACTION_INFO.get().transactionTime;
  }
@@ -14,7 +14,7 @@

 package google.registry.model.ofy;

-import com.googlecode.objectify.Work;
+import google.registry.model.transaction.TransactionManager.Work;
 import google.registry.util.Clock;

 /** Wrapper for {@link Work} that disallows mutations and fails the transaction at the end. */
@@ -30,8 +30,8 @@ class ReadOnlyWork<R> extends CommitLoggedWork<R> {
  }

  @Override
-  public void vrun() {
-    super.vrun();
+  public void run() {
+    super.run();
    throw new KillTransactionException();
  }

@@ -19,6 +19,7 @@ import static com.google.common.base.Verify.verify;
 import static com.google.common.base.Verify.verifyNotNull;
 import static google.registry.model.ofy.ObjectifyService.ofy;
 import static google.registry.model.rde.RdeNamingUtils.makePartialName;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;

 import com.google.common.base.VerifyException;
 import com.googlecode.objectify.annotation.Entity;
@@ -70,7 +71,7 @@ public final class RdeRevision extends ImmutableObject {
  public static void saveRevision(String tld, DateTime date, RdeMode mode, int revision) {
    checkArgument(revision >= 0, "Negative revision: %s", revision);
    String triplet = makePartialName(tld, date, mode);
-    ofy().assertInTransaction();
+    tm().assertInTransaction();
    RdeRevision object = ofy().load().type(RdeRevision.class).id(triplet).now();
    if (revision == 0) {
      verify(object == null, "RdeRevision object already created: %s", object);
@@ -31,12 +31,14 @@ import static google.registry.model.CacheUtils.memoizeWithShortExpiration;
 import static google.registry.model.common.EntityGroupRoot.getCrossTldKey;
 import static google.registry.model.ofy.ObjectifyService.ofy;
 import static google.registry.model.registry.Registries.assertTldsExist;
+import static google.registry.model.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.CollectionUtils.nullToEmptyImmutableCopy;
 import static google.registry.util.CollectionUtils.nullToEmptyImmutableSortedCopy;
+import static google.registry.util.PasswordUtils.SALT_SUPPLIER;
+import static google.registry.util.PasswordUtils.hashPassword;
 import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
 import static google.registry.util.X509Utils.getCertificateHash;
 import static google.registry.util.X509Utils.loadCertificate;
-import static java.nio.charset.StandardCharsets.UTF_8;
 import static java.util.Comparator.comparing;
 import static java.util.function.Predicate.isEqual;

@@ -72,10 +74,6 @@ import google.registry.model.common.EntityGroupRoot;
 import google.registry.model.registrar.Registrar.BillingAccountEntry.CurrencyMapper;
 import google.registry.model.registry.Registry;
 import google.registry.util.CidrAddressBlock;
-import google.registry.util.NonFinalForTesting;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
 import java.security.cert.CertificateParsingException;
 import java.util.Comparator;
 import java.util.List;
@@ -206,7 +204,7 @@ public class Registrar extends ImmutableObject implements Buildable, Jsonifiable
  private static final Supplier<ImmutableMap<String, Registrar>> CACHE_BY_CLIENT_ID =
      memoizeWithShortExpiration(
          () ->
-              ofy()
+              tm()
                  .doTransactionless(
                      () -> Maps.uniqueIndex(loadAll(), Registrar::getClientId)));

@@ -408,14 +406,8 @@ public class Registrar extends ImmutableObject implements Buildable, Jsonifiable
   */
  boolean contactsRequireSyncing = true;

-  @NonFinalForTesting
-  private static Supplier<byte[]> saltSupplier =
-      () -> {
-        // There are 32 bytes in a sha-256 hash, and the salt should generally be the same size.
-        byte[] salt = new byte[32];
-        new SecureRandom().nextBytes(salt);
-        return salt;
-      };
+  /** Whether or not registry lock is allowed for this registrar. */
+  boolean registryLockAllowed = false;

  public String getClientId() {
    return clientIdentifier;
@@ -544,6 +536,10 @@ public class Registrar extends ImmutableObject implements Buildable, Jsonifiable
    return contactsRequireSyncing;
  }

+  public boolean isRegistryLockAllowed() {
+    return registryLockAllowed;
+  }
+
  public String getUrl() {
    return url;
  }
@@ -623,19 +619,10 @@ public class Registrar extends ImmutableObject implements Buildable, Jsonifiable
        .putListOfStrings("allowedTlds", getAllowedTlds())
        .putListOfStrings("ipAddressWhitelist", ipAddressWhitelist)
        .putListOfJsonObjects("contacts", getContacts())
+        .put("registryLockAllowed", registryLockAllowed)
        .build();
  }

-  private String hashPassword(String password) {
-    try {
-      return base64()
-          .encode(MessageDigest.getInstance("SHA-256").digest((password + salt).getBytes(UTF_8)));
-    } catch (NoSuchAlgorithmException e) {
-      // All implementations of MessageDigest are required to support SHA-256.
-      throw new RuntimeException(e);
-    }
-  }
-
  private static String checkValidPhoneNumber(String phoneNumber) {
    checkArgument(
        E164_PATTERN.matcher(phoneNumber).matches(),
@@ -644,8 +631,8 @@ public class Registrar extends ImmutableObject implements Buildable, Jsonifiable
    return phoneNumber;
  }

-  public boolean testPassword(String password) {
-    return hashPassword(password).equals(passwordHash);
+  public boolean verifyPassword(String password) {
+    return hashPassword(password, salt).equals(passwordHash);
  }

  public String getPhonePasscode() {
@@ -868,7 +855,9 @@ public class Registrar extends ImmutableObject implements Buildable, Jsonifiable
      return this;
    }

-    public Builder setDriveFolderId(String driveFolderId) {
+    public Builder setDriveFolderId(@Nullable String driveFolderId) {
+      checkArgument(driveFolderId == null || !driveFolderId.contains("/"),
+          "Drive folder ID must not be a full URL");
      getInstance().driveFolderId = driveFolderId;
      return this;
    }
@@ -878,8 +867,8 @@ public class Registrar extends ImmutableObject implements Buildable, Jsonifiable
      checkArgument(
          Range.closed(6, 16).contains(nullToEmpty(password).length()),
          "Password must be 6-16 characters long.");
-      getInstance().salt = base64().encode(saltSupplier.get());
-      getInstance().passwordHash = getInstance().hashPassword(password);
+      getInstance().salt = base64().encode(SALT_SUPPLIER.get());
+      getInstance().passwordHash = hashPassword(password, getInstance().salt);
      return this;
    }

@@ -892,6 +881,11 @@ public class Registrar extends ImmutableObject implements Buildable, Jsonifiable
      return this;
    }

+    public Builder setRegistryLockAllowed(boolean registryLockAllowed) {
+      getInstance().registryLockAllowed = registryLockAllowed;
+      return this;
+    }
+
    /** Build the registrar, nullifying empty fields. */
    @Override
    public Registrar build() {
--- a/Show More
+++ b/Show More