Add more BSA configs (#2230 )

* Add more BSA configs Added urls for reporting order and domains to BSA. Also added operational configs.
Add a dedicated IP header to accommodate Java 17 on GAE (#2224 )
2026-06-09 16:33:02 +00:00 · 2023-11-28 16:40:36 -05:00 · 2023-11-28 13:20:01 -05:00 · 2023-11-27 20:18:34 -05:00 · 2023-11-27 19:55:47 -05:00 · 2023-11-27 14:58:48 -05:00
305 changed files with 12054 additions and 7470 deletions
@@ -60,9 +60,8 @@ dependencyLocking {
 }

 node {
-  download = true
-  version = "16.14.0"
-  npmVersion = "6.14.11"
+  download = false
+  version = "16.19.0"
 }

 wrapper {
@@ -348,6 +347,7 @@ subprojects {

  def services = [':services:default',
                  ':services:backend',
+                  ':services:bsa',
                  ':services:tools',
                  ':services:pubapi']

@@ -28,6 +28,7 @@ import ContactComponent from './settings/contact/contact.component';
 import WhoisComponent from './settings/whois/whois.component';
 import SecurityComponent from './settings/security/security.component';
 import UsersComponent from './settings/users/users.component';
+import { DomainListComponent } from './domains/domainList.component';

 const routes: Routes = [
  { path: '', redirectTo: '/home', pathMatch: 'full' },
@@ -35,6 +36,11 @@ const routes: Routes = [
  { path: 'empty-registrar', component: EmptyRegistrar },
  { path: 'home', component: HomeComponent, canActivate: [RegistrarGuard] },
  { path: 'tlds', component: TldsComponent, canActivate: [RegistrarGuard] },
+  {
+    path: DomainListComponent.PATH,
+    component: DomainListComponent,
+    canActivate: [RegistrarGuard],
+  },
  {
    path: SettingsComponent.PATH,
    component: SettingsComponent,
@@ -37,7 +37,7 @@
      background-color: transparent;
    }
    .active {
-      background: #eae1e1;
+      background-color: var(--secondary);
    }
  }
  &__content-wrapper {
@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-import { Component, ViewChild } from '@angular/core';
+import { AfterViewInit, Component, ViewChild } from '@angular/core';
 import { RegistrarService } from './registrar/registrar.service';
 import { UserDataService } from './shared/services/userData.service';
 import { GlobalLoaderService } from './shared/services/globalLoader.service';
@@ -24,7 +24,7 @@ import { MatSidenav } from '@angular/material/sidenav';
  templateUrl: './app.component.html',
  styleUrls: ['./app.component.scss'],
 })
-export class AppComponent {
+export class AppComponent implements AfterViewInit {
  renderRouter: boolean = true;

  @ViewChild('sidenav')
@@ -48,6 +48,12 @@ import { DomainsWidgetComponent } from './home/widgets/domains-widget.component'
 import { SettingsWidgetComponent } from './home/widgets/settings-widget.component';
 import { UserDataService } from './shared/services/userData.service';
 import WhoisComponent from './settings/whois/whois.component';
+import { SnackBarModule } from './snackbar.module';
+import {
+  RegistrarDetailsComponent,
+  RegistrarDetailsWrapperComponent,
+} from './registrar/registrarDetails.component';
+import { DomainListComponent } from './domains/domainList.component';

@NgModule({
  declarations: [
@@ -55,6 +61,7 @@ import WhoisComponent from './settings/whois/whois.component';
    BillingWidgetComponent,
    ContactDetailsDialogComponent,
    ContactWidgetComponent,
+    DomainListComponent,
    DomainsWidgetComponent,
    EmptyRegistrar,
    EppWidgetComponent,
@@ -62,6 +69,8 @@ import WhoisComponent from './settings/whois/whois.component';
    HomeComponent,
    PromotionsWidgetComponent,
    RegistrarComponent,
+    RegistrarDetailsComponent,
+    RegistrarDetailsWrapperComponent,
    RegistrarSelectorComponent,
    ResourcesWidgetComponent,
    SecurityComponent,
@@ -79,6 +88,7 @@ import WhoisComponent from './settings/whois/whois.component';
    FormsModule,
    HttpClientModule,
    MaterialModule,
+    SnackBarModule,
  ],
  providers: [
    BackendService,
@@ -0,0 +1,54 @@
+<div class="console-domains">
+  <mat-form-field>
+    <mat-label>Filter</mat-label>
+    <input matInput (keyup)="applyFilter($event)" #input />
+  </mat-form-field>
+
+  <div *ngIf="isLoading; else domains_content" class="console-domains__loading">
+    <mat-progress-bar mode="indeterminate"></mat-progress-bar>
+  </div>
+  <ng-template #domains_content>
+    <table mat-table [dataSource]="dataSource" class="mat-elevation-z8">
+      <ng-container matColumnDef="domainName">
+        <th mat-header-cell *matHeaderCellDef>Domain Name</th>
+        <td mat-cell *matCellDef="let element">{{ element.domainName }}</td>
+      </ng-container>
+
+      <ng-container matColumnDef="creationTime">
+        <th mat-header-cell *matHeaderCellDef>Creation Time</th>
+        <td mat-cell *matCellDef="let element">
+          {{ element.creationTime.creationTime }}
+        </td>
+      </ng-container>
+
+      <ng-container matColumnDef="registrationExpirationTime">
+        <th mat-header-cell *matHeaderCellDef>Expiration Time</th>
+        <td mat-cell *matCellDef="let element">
+          {{ element.registrationExpirationTime }}
+        </td>
+      </ng-container>
+
+      <ng-container matColumnDef="statuses">
+        <th mat-header-cell *matHeaderCellDef>Statuses</th>
+        <td mat-cell *matCellDef="let element">{{ element.statuses }}</td>
+      </ng-container>
+
+      <tr mat-header-row *matHeaderRowDef="displayedColumns"></tr>
+      <tr mat-row *matRowDef="let row; columns: displayedColumns"></tr>
+
+      <!-- Row shown when there is no matching data. -->
+      <tr class="mat-row" *matNoDataRow>
+        <td class="mat-cell" colspan="4">No domains found</td>
+      </tr>
+    </table>
+    <mat-paginator
+      [length]="totalResults"
+      [pageIndex]="pageNumber"
+      [pageSize]="resultsPerPage"
+      [pageSizeOptions]="[10, 25, 50, 100, 500]"
+      (page)="onPageChange($event)"
+      aria-label="Select page of domain results"
+      showFirstLastButtons
+    ></mat-paginator>
+  </ng-template>
+</div>
@@ -0,0 +1,36 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { ComponentFixture, TestBed } from '@angular/core/testing';
+
+import { DomainListComponent } from './domainList.component';
+
+describe('DomainListComponent', () => {
+  let component: DomainListComponent;
+  let fixture: ComponentFixture<DomainListComponent>;
+
+  beforeEach(async () => {
+    await TestBed.configureTestingModule({
+      declarations: [DomainListComponent],
+    }).compileComponents();
+
+    fixture = TestBed.createComponent(DomainListComponent);
+    component = fixture.componentInstance;
+    fixture.detectChanges();
+  });
+
+  it('should create', () => {
+    expect(component).toBeTruthy();
+  });
+});
@@ -0,0 +1,80 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Component, ViewChild } from '@angular/core';
+import { MatTableDataSource } from '@angular/material/table';
+import { BackendService } from '../shared/services/backend.service';
+import { MatPaginator, PageEvent } from '@angular/material/paginator';
+import { RegistrarService } from '../registrar/registrar.service';
+import { Domain, DomainListService } from './domainList.service';
+
+@Component({
+  selector: 'app-domain-list',
+  templateUrl: './domainList.component.html',
+  styleUrls: ['./domainList.component.scss'],
+  providers: [DomainListService],
+})
+export class DomainListComponent {
+  public static PATH = 'domain-list';
+
+  displayedColumns: string[] = [
+    'domainName',
+    'creationTime',
+    'registrationExpirationTime',
+    'statuses',
+  ];
+
+  dataSource: MatTableDataSource<Domain> = new MatTableDataSource();
+  isLoading = true;
+
+  pageNumber?: number;
+  resultsPerPage = 50;
+  totalResults?: number;
+
+  @ViewChild(MatPaginator, { static: true }) paginator!: MatPaginator;
+
+  constructor(
+    private backendService: BackendService,
+    private domainListService: DomainListService,
+    private registrarService: RegistrarService
+  ) {}
+
+  ngOnInit() {
+    this.dataSource.paginator = this.paginator;
+    this.reloadData();
+  }
+
+  reloadData() {
+    this.isLoading = true;
+    this.domainListService
+      .retrieveDomains(this.pageNumber, this.resultsPerPage, this.totalResults)
+      .subscribe((domainListResult) => {
+        this.dataSource.data = domainListResult.domains;
+        this.totalResults = domainListResult.totalResults;
+        this.isLoading = false;
+      });
+  }
+
+  /** TODO: the backend will need to accept a filter string. */
+  applyFilter(event: KeyboardEvent) {
+    // const filterValue = (event.target as HTMLInputElement).value;
+    this.reloadData();
+  }
+
+  onPageChange(event: PageEvent) {
+    this.pageNumber = event.pageIndex;
+    this.resultsPerPage = event.pageSize;
+    this.reloadData();
+  }
+}
@@ -0,0 +1,66 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Injectable } from '@angular/core';
+import { BackendService } from '../shared/services/backend.service';
+import { RegistrarService } from '../registrar/registrar.service';
+import { tap } from 'rxjs';
+
+export interface CreateAutoTimestamp {
+  creationTime: string;
+}
+
+export interface Domain {
+  creationTime: CreateAutoTimestamp;
+  currentSponsorRegistrarId: string;
+  domainName: string;
+  registrationExpirationTime: string;
+  statuses: string[];
+}
+
+export interface DomainListResult {
+  checkpointTime: string;
+  domains: Domain[];
+  totalResults: number;
+}
+
+@Injectable()
+export class DomainListService {
+  checkpointTime?: string;
+
+  constructor(
+    private backendService: BackendService,
+    private registrarService: RegistrarService
+  ) {}
+
+  retrieveDomains(
+    pageNumber?: number,
+    resultsPerPage?: number,
+    totalResults?: number
+  ) {
+    return this.backendService
+      .getDomains(
+        this.registrarService.activeRegistrarId,
+        this.checkpointTime,
+        pageNumber,
+        resultsPerPage,
+        totalResults
+      )
+      .pipe(
+        tap((domainListResult: DomainListResult) => {
+          this.checkpointTime = domainListResult.checkpointTime;
+        })
+      );
+  }
+}
@@ -1,24 +1,30 @@
-<p>
+<p class="console-app__header">
  <mat-toolbar color="primary">
    <button mat-icon-button aria-label="Open menu" (click)="toggleNavPane()">
      <mat-icon>menu</mat-icon>
    </button>
-    <span>
-      <a
-        [routerLink]="'/home'"
-        routerLinkActive="active"
-        class="console-app__logo"
-      >
-        Google Registry
-      </a>
-    </span>
+    <a
+      [routerLink]="'/home'"
+      routerLinkActive="active"
+      class="console-app__logo"
+    >
+      Google Registry
+    </a>
    <span class="spacer"></span>
    <app-registrar-selector />
    <button mat-icon-button aria-label="Open FAQ">
      <mat-icon>question_mark</mat-icon>
    </button>
-    <button mat-icon-button aria-label="Open user info">
+    <button
+      mat-icon-button
+      [matMenuTriggerFor]="menu"
+      #menuTrigger
+      aria-label="Open user info"
+    >
      <mat-icon>person</mat-icon>
    </button>
+    <mat-menu #menu="matMenu">
+      <button mat-menu-item (click)="logOut()">Log out</button>
+    </mat-menu>
  </mat-toolbar>
 </p>
@@ -17,6 +17,21 @@
    color: inherit;
    text-decoration: none;
  }
+  &__header {
+    @media (max-width: 599px) {
+      .mat-toolbar {
+        padding: 0;
+      }
+      .console-app__logo {
+        font-size: 16px;
+      }
+      button {
+        padding-left: 0;
+        padding-right: 0;
+        width: 30px;
+      }
+    }
+  }
 }
 .spacer {
  flex: 1;
@@ -28,4 +28,8 @@ export class HeaderComponent {
    this.isNavOpen = !this.isNavOpen;
    this.toggleNavOpen.emit(this.isNavOpen);
  }
+
+  logOut() {
+    window.open('/console?gcp-iap-mode=CLEAR_LOGIN_COOKIE', '_self');
+  }
 }
@@ -29,4 +29,9 @@
      }
    }
  }
+  @media (max-width: 510px) {
+    .console-app__widget-wrapper__wide {
+      grid-column: initial;
+    }
+  }
 }
@@ -5,21 +5,23 @@
        <mat-icon class="console-app__widget-icon">call</mat-icon>
        <h1 class="console-app__widget-title">Contact Support</h1>
        <h4 class="secondary-text text-center">
-          View Google Registry support email and phone information
+          Let us know if you have any questions
        </h4>
      </div>
      <div class="console-app__widget_right">
-        <button mat-button color="primary" class="console-app__widget-link">
-          Give us a Call
-        </button>
+        <div class="console-app__widget-section-header">Give us a Call</div>
        <p class="secondary-text">
-          Call Google Registry support at <b>+1 (404) 978 8419</b>
+          Call {{ userDataService.userData?.productName }} support at
+          <a href="tel:{{ userDataService.userData?.supportPhoneNumber }}">{{
+            userDataService.userData?.supportPhoneNumber
+          }}</a>
        </p>
-        <button mat-button color="primary" class="console-app__widget-link">
-          Send us an Email
-        </button>
+        <div class="console-app__widget-section-header">Send us an Email</div>
        <p class="secondary-text">
-          Email Google Registry at <b>support@google.com</b>
+          Email {{ userDataService.userData?.productName }} at
+          <a href="mailto:{{ userDataService.userData?.supportEmail }}">{{
+            userDataService.userData?.supportEmail
+          }}</a>
        </p>
      </div>
    </div>
@@ -13,11 +13,12 @@
 // limitations under the License.

 import { Component } from '@angular/core';
+import { UserDataService } from 'src/app/shared/services/userData.service';

@Component({
  selector: '[app-contact-widget]',
  templateUrl: './contact-widget.component.html',
 })
 export class ContactWidgetComponent {
-  constructor() {}
+  constructor(public userDataService: UserDataService) {}
 }
@@ -13,7 +13,12 @@
          Create a Domain
        </button>
        <p class="secondary-text">Register a new domain name</p>
-        <button mat-button color="primary" class="console-app__widget-link">
+        <button
+          mat-button
+          color="primary"
+          class="console-app__widget-link"
+          (click)="openDomainsPage()"
+        >
          View DUMs
        </button>
        <p class="secondary-text">
@@ -13,11 +13,17 @@
 // limitations under the License.

 import { Component } from '@angular/core';
+import { Router } from '@angular/router';
+import { DomainListComponent } from 'src/app/domains/domainList.component';

@Component({
  selector: '[app-domains-widget]',
  templateUrl: './domains-widget.component.html',
 })
 export class DomainsWidgetComponent {
-  constructor() {}
+  constructor(private router: Router) {}
+
+  openDomainsPage() {
+    this.router.navigate([DomainListComponent.PATH]);
+  }
 }
@@ -4,6 +4,7 @@
      <a
        class="console-app__widget_left"
        href="{{ userDataService.userData?.technicalDocsUrl }}"
+        target="_blank"
      >
        <mat-icon class="console-app__widget-icon">menu_book</mat-icon>
        <h1 class="console-app__widget-title">Resources</h1>
@@ -45,6 +45,7 @@ import { DialogModule } from '@angular/cdk/dialog';
 import { MatSidenavModule } from '@angular/material/sidenav';
 import { MatSnackBarModule } from '@angular/material/snack-bar';
 import { MatPaginatorModule } from '@angular/material/paginator';
+import { MatChipsModule } from '@angular/material/chips';

@NgModule({
  exports: [
@@ -81,6 +82,7 @@ import { MatPaginatorModule } from '@angular/material/paginator';
    DialogModule,
    MatSnackBarModule,
    MatPaginatorModule,
+    MatChipsModule,
  ],
 })
 export class MaterialModule {}
@@ -8,6 +8,7 @@
    left: 50%;
    top: 50%;
    transform: translate(-50%, -50%);
+    white-space: nowrap;

    &-icon {
      transform: scale(3);
@@ -1,10 +1,21 @@
 <div class="console-app__registrar">
-  <div>
+  <button
+    mat-button
+    [routerLink]="'/settings/registrars'"
+    routerLinkActive="active"
+    *ngIf="isMobile; else desktop"
+  >
+    {{ registrarService.activeRegistrarId || "Select registrar" }}
+    <mat-icon>open_in_new</mat-icon>
+  </button>
+  <ng-template #desktop>
    <mat-form-field class="mat-form-field-density-5" appearance="fill">
      <mat-label>Registrar</mat-label>
      <mat-select
        [ngModel]="registrarService.activeRegistrarId"
-        (selectionChange)="registrarService.updateRegistrar($event.value)"
+        (selectionChange)="
+          registrarService.updateSelectedRegistrar($event.value)
+        "
      >
        <mat-option
          *ngFor="let registrar of registrarService.registrars"
@@ -14,5 +25,5 @@
        </mat-option>
      </mat-select>
    </mat-form-field>
-  </div>
+  </ng-template>
 </div>
@@ -12,14 +12,35 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-import { Component } from '@angular/core';
+import { Component, OnInit } from '@angular/core';
 import { RegistrarService } from './registrar.service';
+import { BreakpointObserver } from '@angular/cdk/layout';
+import { distinctUntilChanged } from 'rxjs';
+
+const MOBILE_LAYOUT_BREAKPOINT = '(max-width: 599px)';

@Component({
  selector: 'app-registrar-selector',
  templateUrl: './registrar-selector.component.html',
  styleUrls: ['./registrar-selector.component.scss'],
 })
-export class RegistrarSelectorComponent {
-  constructor(protected registrarService: RegistrarService) {}
+export class RegistrarSelectorComponent implements OnInit {
+  protected isMobile: boolean = false;
+
+  readonly breakpoint$ = this.breakpointObserver
+    .observe([MOBILE_LAYOUT_BREAKPOINT])
+    .pipe(distinctUntilChanged());
+
+  constructor(
+    protected registrarService: RegistrarService,
+    protected breakpointObserver: BreakpointObserver
+  ) {}
+
+  ngOnInit(): void {
+    this.breakpoint$.subscribe(() => this.breakpointChanged());
+  }
+
+  private breakpointChanged() {
+    this.isMobile = this.breakpointObserver.isMatched(MOBILE_LAYOUT_BREAKPOINT);
+  }
 }
@@ -13,7 +13,11 @@
 // limitations under the License.

 import { Injectable } from '@angular/core';
-import { Router } from '@angular/router';
+import {
+  ActivatedRouteSnapshot,
+  Router,
+  RouterStateSnapshot,
+} from '@angular/router';

 import { RegistrarService } from './registrar.service';

@@ -26,13 +30,16 @@ export class RegistrarGuard {
    private registrarService: RegistrarService
  ) {}

-  canActivate(): Promise<boolean> | boolean {
+  canActivate(
+    _: ActivatedRouteSnapshot,
+    state: RouterStateSnapshot
+  ): Promise<boolean> | boolean {
    if (this.registrarService.activeRegistrarId) {
      return true;
    }
-    // Get the full URL including any nested children (skip the initial '#/')
-    // NB: an empty nextUrl takes the user to the home page
-    const nextUrl = location.hash.split('#/')[1] || '';
-    return this.router.navigate([`/empty-registrar`, { nextUrl }]);
+    return this.router.navigate([
+      `/empty-registrar`,
+      { nextUrl: state.url || '' },
+    ]);
  }
 }
@@ -73,7 +73,7 @@ export class RegistrarService implements GlobalLoader {
    )[0];
  }

-  public updateRegistrar(registrarId: string) {
+  public updateSelectedRegistrar(registrarId: string) {
    this.activeRegistrarId = registrarId;
    this.activeRegistrarIdChange.next(registrarId);
  }
@@ -89,8 +89,6 @@ export class RegistrarService implements GlobalLoader {
  }

  loadingTimeout() {
-    this._snackBar.open('Timeout loading registrars', undefined, {
-      duration: 1500,
-    });
+    this._snackBar.open('Timeout loading registrars');
  }
 }
@@ -0,0 +1,40 @@
+<div class="registrarDetails">
+  <h3 mat-dialog-title>Edit Registrar: {{ registrarInEdit.registrarId }}</h3>
+  <div mat-dialog-content>
+    <form (ngSubmit)="saveAndClose($event)">
+      <mat-form-field class="registrarDetails__input">
+        <mat-label>Registry Lock:</mat-label>
+        <mat-select
+          [(ngModel)]="registrarInEdit.registryLockAllowed"
+          name="registryLockAllowed"
+        >
+          <mat-option [value]="true">True</mat-option>
+          <mat-option [value]="false">False</mat-option>
+        </mat-select>
+      </mat-form-field>
+      <mat-form-field class="registrarDetails__input">
+        <mat-label>Onboarded TLDs: </mat-label>
+        <mat-chip-grid #chipGrid aria-label="Enter TLD">
+          <mat-chip-row
+            *ngFor="let tld of registrarInEdit.allowedTlds"
+            (removed)="removeTLD(tld)"
+          >
+            {{ tld }}
+            <button matChipRemove aria-label="'remove ' + tld">
+              <mat-icon>cancel</mat-icon>
+            </button>
+          </mat-chip-row>
+        </mat-chip-grid>
+        <input
+          placeholder="New tld..."
+          [matChipInputFor]="chipGrid"
+          (matChipInputTokenEnd)="addTLD($event)"
+        />
+      </mat-form-field>
+      <mat-dialog-actions>
+        <button mat-button (click)="onCancel($event)">Cancel</button>
+        <button type="submit" mat-button color="primary">Save</button>
+      </mat-dialog-actions>
+    </form>
+  </div>
+</div>
@@ -0,0 +1,8 @@
+.registrarDetails {
+  min-width: 30vw;
+
+  &__input {
+    display: block;
+    margin-top: 0.5rem;
+  }
+}
@@ -0,0 +1,105 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Component, Injector } from '@angular/core';
+import { Registrar, RegistrarService } from './registrar.service';
+import { BreakpointObserver } from '@angular/cdk/layout';
+import {
+  MAT_BOTTOM_SHEET_DATA,
+  MatBottomSheet,
+  MatBottomSheetRef,
+} from '@angular/material/bottom-sheet';
+import {
+  MAT_DIALOG_DATA,
+  MatDialog,
+  MatDialogRef,
+} from '@angular/material/dialog';
+import { MatChipInputEvent } from '@angular/material/chips';
+
+const MOBILE_LAYOUT_BREAKPOINT = '(max-width: 599px)';
+
+@Component({
+  selector: 'app-registrar-details',
+  templateUrl: './registrarDetails.component.html',
+  styleUrls: ['./registrarDetails.component.scss'],
+})
+export class RegistrarDetailsComponent {
+  registrarInEdit!: Registrar;
+  private elementRef:
+    | MatBottomSheetRef<RegistrarDetailsComponent>
+    | MatDialogRef<RegistrarDetailsComponent>;
+
+  constructor(
+    protected registrarService: RegistrarService,
+    private injector: Injector
+  ) {
+    // We only inject one, either Dialog or Bottom Sheet data
+    // so one of the injectors is expected to fail
+    try {
+      var params = this.injector.get(MAT_DIALOG_DATA);
+      this.elementRef = this.injector.get(MatDialogRef);
+    } catch (e) {
+      var params = this.injector.get(MAT_BOTTOM_SHEET_DATA);
+      this.elementRef = this.injector.get(MatBottomSheetRef);
+    }
+    this.registrarInEdit = JSON.parse(JSON.stringify(params.registrar));
+  }
+
+  onCancel(e: MouseEvent) {
+    if (this.elementRef instanceof MatBottomSheetRef) {
+      this.elementRef.dismiss();
+    } else if (this.elementRef instanceof MatDialogRef) {
+      this.elementRef.close();
+    }
+  }
+
+  saveAndClose(e: MouseEvent) {
+    // TODO: Implement save call to API
+    this.onCancel(e);
+  }
+
+  addTLD(e: MatChipInputEvent) {
+    this.removeTLD(e.value); // Prevent dups
+    this.registrarInEdit.allowedTlds = this.registrarInEdit.allowedTlds?.concat(
+      [e.value.toLowerCase()]
+    );
+  }
+
+  removeTLD(tld: string) {
+    this.registrarInEdit.allowedTlds = this.registrarInEdit.allowedTlds?.filter(
+      (v) => v != tld
+    );
+  }
+}
+
+@Component({
+  selector: 'app-registrar-details-wrapper',
+  template: '',
+})
+export class RegistrarDetailsWrapperComponent {
+  constructor(
+    private dialog: MatDialog,
+    private bottomSheet: MatBottomSheet,
+    protected breakpointObserver: BreakpointObserver
+  ) {}
+
+  open(registrar: Registrar) {
+    const config = { data: { registrar } };
+    if (this.breakpointObserver.isMatched(MOBILE_LAYOUT_BREAKPOINT)) {
+      this.bottomSheet.open(RegistrarDetailsComponent, config);
+    } else {
+      this.dialog.open(RegistrarDetailsComponent, config);
+    }
+  }
+}
@@ -1,25 +1,54 @@
 <div class="console-app__registrars">
-  <table
-    mat-table
-    [dataSource]="registrarService.registrars"
+  <mat-form-field class="console-app__registrars-filter">
+    <mat-label>Search</mat-label>
+    <input
+      matInput
+      (keyup)="applyFilter($event)"
+      placeholder="..."
+      type="search"
+    />
+    <mat-icon matPrefix>search</mat-icon>
+  </mat-form-field>
+  <mat-table
+    [dataSource]="dataSource"
    class="mat-elevation-z8"
+    class="console-app__registrars-table"
+    matSort
  >
+    <ng-container matColumnDef="edit">
+      <mat-header-cell *matHeaderCellDef></mat-header-cell>
+      <mat-cell *matCellDef="let row">
+        <button
+          mat-icon-button
+          color="primary"
+          aria-label="Edit registrar"
+          (click)="openDetails($event, row)"
+        >
+          <mat-icon>edit</mat-icon>
+        </button>
+      </mat-cell>
+    </ng-container>
+
    <ng-container
      *ngFor="let column of columns"
      [matColumnDef]="column.columnDef"
    >
-      <th mat-header-cell *matHeaderCellDef>
-        {{ column.header }}
-      </th>
-      <td mat-cell *matCellDef="let row" [innerHTML]="column.cell(row)"></td>
+      <mat-header-cell *matHeaderCellDef> {{ column.header }} </mat-header-cell>
+      <mat-cell *matCellDef="let row" [innerHTML]="column.cell(row)"></mat-cell>
    </ng-container>
+    <mat-header-row *matHeaderRowDef="displayedColumns"></mat-header-row>
+    <mat-row
+      *matRowDef="let row; columns: displayedColumns"
+      (click)="registrarService.updateSelectedRegistrar(row.registrarId)"
+    ></mat-row>
+  </mat-table>

-    <tr mat-header-row *matHeaderRowDef="displayedColumns"></tr>
-    <tr mat-row *matRowDef="let row; columns: displayedColumns"></tr>
-  </table>
  <mat-paginator
    class="mat-elevation-z8"
    [pageSizeOptions]="[5, 10, 20]"
    showFirstLastButtons
  ></mat-paginator>
+  <app-registrar-details-wrapper
+    #registrarDetailsView
+  ></app-registrar-details-wrapper>
 </div>
@@ -1,5 +1,36 @@
 .console-app {
+  $min-width: 756px;
+
  &__registrars {
    margin-top: 1.5rem;
+    width: 100%;
+    overflow: auto;
+  }
+
+  &__registrars-filter {
+    min-width: $min-width !important;
+    width: 100%;
+  }
+
+  &__registrars-table {
+    min-width: $min-width !important;
+  }
+
+  .mat-mdc-paginator {
+    min-width: $min-width !important;
+  }
+
+  .mat-column {
+    &-edit {
+      max-width: 55px;
+      padding-left: 5px;
+    }
+    &-driveId {
+      min-width: 200px;
+      word-break: break-all;
+    }
+    &-registryLockAllowed {
+      max-width: 80px;
+    }
  }
 }
@@ -12,16 +12,22 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-import { Component } from '@angular/core';
+import { Component, ViewChild, ViewEncapsulation } from '@angular/core';
 import { Registrar, RegistrarService } from './registrar.service';
+import { MatPaginator } from '@angular/material/paginator';
+import { MatSort } from '@angular/material/sort';
+import { MatTableDataSource } from '@angular/material/table';
+import { RegistrarDetailsWrapperComponent } from './registrarDetails.component';

@Component({
  selector: 'app-registrar',
  templateUrl: './registrarsTable.component.html',
  styleUrls: ['./registrarsTable.component.scss'],
+  encapsulation: ViewEncapsulation.None,
 })
 export class RegistrarComponent {
  public static PATH = 'registrars';
+  dataSource: MatTableDataSource<Registrar>;
  columns = [
    {
      columnDef: 'registrarId',
@@ -71,6 +77,31 @@ export class RegistrarComponent {
      cell: (record: Registrar) => `${record.driveFolderId || ''}`,
    },
  ];
-  displayedColumns = this.columns.map((c) => c.columnDef);
-  constructor(protected registrarService: RegistrarService) {}
+  displayedColumns = ['edit'].concat(this.columns.map((c) => c.columnDef));
+
+  @ViewChild(MatPaginator) paginator!: MatPaginator;
+  @ViewChild(MatSort) sort!: MatSort;
+  @ViewChild('registrarDetailsView')
+  detailsComponentWrapper!: RegistrarDetailsWrapperComponent;
+
+  constructor(protected registrarService: RegistrarService) {
+    this.dataSource = new MatTableDataSource<Registrar>(
+      registrarService.registrars
+    );
+  }
+
+  ngAfterViewInit() {
+    this.dataSource.paginator = this.paginator;
+    this.dataSource.sort = this.sort;
+  }
+
+  openDetails(event: MouseEvent, registrar: Registrar) {
+    event.stopPropagation();
+    this.detailsComponentWrapper.open(registrar);
+  }
+
+  applyFilter(event: Event) {
+    const filterValue = (event.target as HTMLInputElement).value;
+    this.dataSource.filter = filterValue.trim().toLowerCase();
+  }
 }
@@ -1,7 +1,7 @@
 <h3 mat-dialog-title>Contact details</h3>
 <div mat-dialog-content>
  <form (ngSubmit)="saveAndClose($event)">
-    <div>
+    <p>
      <mat-form-field class="contact-details__input">
        <mat-label>Name: </mat-label>
        <input
@@ -11,9 +11,9 @@
          [ngModelOptions]="{ standalone: true }"
        />
      </mat-form-field>
-    </div>
+    </p>

-    <div>
+    <p>
      <mat-form-field class="contact-details__input">
        <mat-label>Primary account email: </mat-label>
        <input
@@ -25,9 +25,9 @@
          [ngModelOptions]="{ standalone: true }"
        />
      </mat-form-field>
-    </div>
+    </p>

-    <div>
+    <p>
      <mat-form-field class="contact-details__input">
        <mat-label>Phone: </mat-label>
        <input
@@ -36,9 +36,9 @@
          [ngModelOptions]="{ standalone: true }"
        />
      </mat-form-field>
-    </div>
+    </p>

-    <div>
+    <p>
      <mat-form-field class="contact-details__input">
        <mat-label>Fax: </mat-label>
        <input
@@ -47,7 +47,7 @@
          [ngModelOptions]="{ standalone: true }"
        />
      </mat-form-field>
-    </div>
+    </p>

    <div class="contact-details__group">
      <label>Contact type:</label>
@@ -129,9 +129,7 @@ export class ContactDetailsDialogComponent {
    operationObservable.subscribe({
      complete: this.onCloseCallback.bind(this),
      error: (err: HttpErrorResponse) => {
-        this._snackBar.open(err.error, undefined, {
-          duration: 1500,
-        });
+        this._snackBar.open(err.error);
      },
    });
  }
@@ -175,9 +173,7 @@ export default class ContactComponent {
    if (confirm(`Please confirm contact ${contact.name} delete`)) {
      this.contactService.deleteContact(contact).subscribe({
        error: (err: HttpErrorResponse) => {
-          this._snackBar.open(err.error, undefined, {
-            duration: 1500,
-          });
+          this._snackBar.open(err.error);
        },
      });
    }
@@ -64,9 +64,7 @@ export default class SecurityComponent {
        this.resetDataSource();
      },
      error: (err: HttpErrorResponse) => {
-        this._snackBar.open(err.error, undefined, {
-          duration: 1500,
-        });
+        this._snackBar.open(err.error);
      },
    });
    this.cancel();
@@ -15,9 +15,9 @@
 .console-settings {
  .mdc-tab {
    &.active-link {
-      border-bottom: 2px solid #673ab7;
+      border-bottom: 2px solid var(--primary);
      .mdc-tab__text-label {
-        color: #673ab7;
+        color: var(--primary);
      }
    }
  }
@@ -24,14 +24,14 @@
    display: flex;
    flex-wrap: wrap;
    margin-bottom: 5px;
-    min-width: 450px;
+    min-width: 400px;
    width: 50%;
    max-width: 50%;
  }
  &__section-description {
    display: inline-block;
    margin-block-start: 1em;
-    min-width: 150px;
+    width: 160px;
  }
  &__section-form {
    display: inline-block;
@@ -61,9 +61,8 @@ export default class WhoisComponent {
        this.resetDataSource();
      },
      error: (err: HttpErrorResponse) => {
-        this._snackBar.open(err.error, undefined, {
-          duration: 1500,
-        });
+        this._snackBar.open(err.error);
+        this.loading = false;
      },
    });
    this.cancel();
@@ -21,6 +21,7 @@ import { Contact } from '../../settings/contact/contact.service';
 import { Registrar } from '../../registrar/registrar.service';
 import { UserData } from './userData.service';
 import { WhoisRegistrarFields } from 'src/app/settings/whois/whois.service';
+import { DomainListResult } from 'src/app/domains/domainList.service';

@Injectable()
 export class BackendService {
@@ -63,6 +64,31 @@ export class BackendService {
    );
  }

+  getDomains(
+    registrarId: string,
+    checkpointTime?: string,
+    pageNumber?: number,
+    resultsPerPage?: number,
+    totalResults?: number
+  ): Observable<DomainListResult> {
+    var url = `/console-api/domain-list?registrarId=${registrarId}`;
+    if (checkpointTime) {
+      url += `&checkpointTime=${checkpointTime}`;
+    }
+    if (pageNumber) {
+      url += `&pageNumber=${pageNumber}`;
+    }
+    if (resultsPerPage) {
+      url += `&resultsPerPage=${resultsPerPage}`;
+    }
+    if (totalResults) {
+      url += `&totalResults=${totalResults}`;
+    }
+    return this.http
+      .get<DomainListResult>(url)
+      .pipe(catchError((err) => this.errorCatcher<DomainListResult>(err)));
+  }
+
  getRegistrars(): Observable<Registrar[]> {
    return this.http
      .get<Registrar[]>('/console-api/registrars')
@@ -95,7 +121,7 @@ export class BackendService {

  getUserData(): Observable<UserData> {
    return this.http
-      .get<UserData>(`/console-api/userdata`)
+      .get<UserData>('/console-api/userdata')
      .pipe(catchError((err) => this.errorCatcher<UserData>(err)));
  }

@@ -19,8 +19,11 @@ import { MatSnackBar } from '@angular/material/snack-bar';
 import { GlobalLoader, GlobalLoaderService } from './globalLoader.service';

 export interface UserData {
-  isAdmin: boolean;
  globalRole: string;
+  isAdmin: boolean;
+  productName: string;
+  supportEmail: string;
+  supportPhoneNumber: string;
  technicalDocsUrl: string;
 }

@@ -49,8 +52,6 @@ export class UserDataService implements GlobalLoader {
  }

  loadingTimeout() {
-    this._snackBar.open('Timeout loading user data', undefined, {
-      duration: 1500,
-    });
+    this._snackBar.open('Timeout loading user data');
  }
 }
@@ -0,0 +1,24 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { NgModule } from '@angular/core';
+import { MAT_SNACK_BAR_DEFAULT_OPTIONS } from '@angular/material/snack-bar';
+
+/** Provides a default set of options for the snack bar. */
+@NgModule({
+  providers: [
+    { provide: MAT_SNACK_BAR_DEFAULT_OPTIONS, useValue: { duration: 5000 } },
+  ],
+})
+export class SnackBarModule {}
@@ -44,13 +44,19 @@ body {
    &-link {
      padding: 0 !important;
      text-align: left;
-      height: 20px !important;
      min-width: auto !important;
+      height: min-content !important;
+    }
+    &-section-header {
+      font-weight: 500;
+      color: var(--primary) !important;
    }
    &-title {
      color: var(--primary) !important;
+      text-align: center;
    }
    &-icon {
+      color: var(--text);
      font-size: 5rem;
      line-height: 5rem;
      height: 5rem !important;
@@ -17,20 +17,9 @@ $theme-accent: mat.define-palette(mat.$pink-palette, A200, A100, A400);
 // The warn palette is optional (defaults to red).
 $theme-warn: mat.define-palette(mat.$red-palette);

-// Create the theme object. A theme consists of configurations for individual
-// theming systems such as "color" or "typography".
-$theme: mat.define-light-theme(
-  (
-    color: (
-      primary: $theme-primary,
-      accent: $theme-accent,
-      warn: $theme-warn,
-    ),
-    density: 0,
-  )
-);
-
-/** Application specific section **/
+/** 
+** Application specific section - Global styles and mixins
+**/

@mixin form-field-density($density) {
  $field-typography: mat.define-typography-config(
@@ -46,19 +35,6 @@ $theme: mat.define-light-theme(
  @include form-field-density(-5);
 }

-$foreground: map.merge($theme, mat.$light-theme-foreground-palette);
-
-// Access and define a class with secondary color exposed
-.secondary-text {
-  color: map.get($foreground, "secondary-text");
-}
-
-:root {
-  --primary: #{mat.get-color-from-palette($theme-primary, 500)};
-  --secondary: #{map.get($foreground, "secondary-text")};
-}
-
-@include mat.all-component-themes($theme);
@import "@angular/material/theming";

 // Define application specific typography settings, font-family, etc
@@ -67,3 +43,61 @@ $typography-configuration: mat-typography-config(
 );

@include angular-material-typography($typography-configuration);
+
+/** 
+** Light theme
+**/
+$light-theme: mat.define-light-theme(
+  (
+    color: (
+      primary: $theme-primary,
+      accent: $theme-accent,
+      warn: $theme-warn,
+    ),
+    density: 0,
+  )
+);
+
+// Access and define a class with secondary color exposed
+.secondary-text {
+  color: map.get(mat.$light-theme-foreground-palette, "secondary-text");
+}
+
+:root {
+  --text: #{map.get(mat.$light-theme-foreground-palette, "base")};
+  --primary: #{mat.get-color-from-palette($theme-primary, 500)};
+  --secondary: #{map.get(mat.$light-theme-foreground-palette, "secondary-text")};
+}
+
+@include mat.all-component-themes($light-theme);
+
+/** 
+** Dark theme
+**/
+$dark-theme: mat.define-dark-theme(
+  (
+    color: (
+      primary: mat.define-palette(mat.$pink-palette),
+      accent: mat.define-palette(mat.$blue-grey-palette),
+    ),
+    density: 0,
+  )
+);
+
+@mixin _apply-dark-mode-colors() {
+  @include mat.all-component-colors($dark-theme);
+
+  .secondary-text {
+    color: map.get(mat.$dark-theme-foreground-palette, "secondary-text");
+  }
+
+  :root {
+    --text: #{map.get(mat.$dark-theme-foreground-palette, "base")};
+    --primary: #{mat.get-color-from-palette(mat.$pink-palette, 500)};
+    --secondary: #{map.get(mat.$dark-theme-background-palette, "secondary-text")};
+  }
+}
+
+@media (prefers-color-scheme: dark) {
+  @include _apply-dark-mode-colors();
+}
@@ -43,6 +43,12 @@ public class BatchModule {
  public static final String PARAM_DRY_RUN = "dryRun";
  public static final String PARAM_FAST = "fast";

+  @Provides
+  @Parameter("url")
+  static String provideUrl(HttpServletRequest req) {
+    return extractRequiredParameter(req, "url");
+  }
+
  @Provides
  @Parameter("jobName")
  static Optional<String> provideJobName(HttpServletRequest req) {
@@ -14,26 +14,20 @@

 package google.registry.batch;

-import static com.google.common.collect.ImmutableList.toImmutableList;
+import static google.registry.request.Action.Method.GET;
 import static google.registry.request.Action.Method.POST;
-import static google.registry.util.RegistrarUtils.normalizeRegistrarId;
+import static java.nio.charset.StandardCharsets.UTF_8;

-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.Streams;
 import com.google.common.flogger.FluentLogger;
-import google.registry.config.RegistryConfig.Config;
-import google.registry.groups.GmailClient;
-import google.registry.groups.GroupsConnection;
-import google.registry.model.registrar.Registrar;
-import google.registry.model.registrar.RegistrarPoc;
 import google.registry.request.Action;
+import google.registry.request.Parameter;
+import google.registry.request.Response;
+import google.registry.request.UrlConnectionService;
+import google.registry.request.UrlConnectionUtils;
 import google.registry.request.auth.Auth;
-import google.registry.util.EmailMessage;
-import java.io.IOException;
-import java.util.Set;
+import java.net.URL;
 import javax.inject.Inject;
-import javax.mail.internet.AddressException;
-import javax.mail.internet.InternetAddress;
+import javax.net.ssl.HttpsURLConnection;

 /**
 * Action that executes a canned script specified by the caller.
@@ -50,88 +44,45 @@ import javax.mail.internet.InternetAddress;
@Action(
    service = Action.Service.BACKEND,
    path = "/_dr/task/executeCannedScript",
-    method = POST,
+    method = {POST, GET},
    automaticallyPrintOk = true,
    auth = Auth.AUTH_API_ADMIN)
 public class CannedScriptExecutionAction implements Runnable {
  private static final FluentLogger logger = FluentLogger.forEnclosingClass();

-  private final GroupsConnection groupsConnection;
-  private final GmailClient gmailClient;
-
-  private final InternetAddress senderAddress;
-
-  private final InternetAddress recipientAddress;
-
-  private final String gSuiteDomainName;
+  @Inject UrlConnectionService urlConnectionService;
+  @Inject Response response;

  @Inject
-  CannedScriptExecutionAction(
-      GroupsConnection groupsConnection,
-      GmailClient gmailClient,
-      @Config("projectId") String projectId,
-      @Config("gSuiteDomainName") String gSuiteDomainName,
-      @Config("newAlertRecipientEmailAddress") InternetAddress recipientAddress) {
-    this.groupsConnection = groupsConnection;
-    this.gmailClient = gmailClient;
-    this.gSuiteDomainName = gSuiteDomainName;
-    try {
-      this.senderAddress = new InternetAddress(String.format("%s@%s", projectId, gSuiteDomainName));
-    } catch (AddressException e) {
-      throw new RuntimeException(e);
-    }
-    this.recipientAddress = recipientAddress;
-    logger.atInfo().log("Sender:%s; Recipient: %s.", this.senderAddress, this.recipientAddress);
-  }
+  @Parameter("url")
+  String url;
+
+  @Inject
+  CannedScriptExecutionAction() {}

  @Override
  public void run() {
+    Integer responseCode = null;
+    String responseContent = null;
    try {
-      // Invoke canned scripts here.
-      checkGroupApi();
-      EmailMessage message = createEmail();
-      this.gmailClient.sendEmail(message);
-      logger.atInfo().log("Finished running scripts.");
-    } catch (Throwable t) {
-      logger.atWarning().withCause(t).log("Error executing scripts.");
-      throw new RuntimeException("Execution failed.");
-    }
-  }
-
-  // Checks if Directory and GroupSettings still work after GWorkspace changes.
-  void checkGroupApi() {
-    ImmutableList<Registrar> registrars =
-        Streams.stream(Registrar.loadAllCached())
-            .filter(registrar -> registrar.isLive() && registrar.getType() == Registrar.Type.REAL)
-            .collect(toImmutableList());
-    logger.atInfo().log("Found %s registrars.", registrars.size());
-    for (Registrar registrar : registrars) {
-      for (final RegistrarPoc.Type type : RegistrarPoc.Type.values()) {
-        String groupKey =
-            String.format(
-                "%s-%s-contacts@%s",
-                normalizeRegistrarId(registrar.getRegistrarId()),
-                type.getDisplayName(),
-                gSuiteDomainName);
-        try {
-          Set<String> currentMembers = groupsConnection.getMembersOfGroup(groupKey);
-          logger.atInfo().log("%s has %s members.", groupKey, currentMembers.size());
-          // One success is enough for validation.
-          return;
-        } catch (IOException e) {
-          logger.atWarning().withCause(e).log("Failed to check %s", groupKey);
-        }
+      logger.atInfo().log("Connecting to: %s", url);
+      HttpsURLConnection connection =
+          (HttpsURLConnection) urlConnectionService.createConnection(new URL(url));
+      responseCode = connection.getResponseCode();
+      logger.atInfo().log("Code: %d", responseCode);
+      logger.atInfo().log("Headers: %s", connection.getHeaderFields());
+      responseContent = new String(UrlConnectionUtils.getResponseBytes(connection), UTF_8);
+      logger.atInfo().log("Response: %s", responseContent);
+    } catch (Exception e) {
+      logger.atWarning().withCause(e).log("Connection to %s failed", url);
+      throw new RuntimeException(e);
+    } finally {
+      if (responseCode != null) {
+        response.setStatus(responseCode);
+      }
+      if (responseContent != null) {
+        response.setPayload(responseContent);
      }
    }
-    logger.atInfo().log("Finished checking GroupApis.");
-  }
-
-  EmailMessage createEmail() {
-    return EmailMessage.newBuilder()
-        .setFrom(senderAddress)
-        .setSubject("Test: Please ignore<eom>.")
-        .setRecipients(ImmutableList.of(recipientAddress))
-        .setBody("Sent from Nomulus through Google Workspace.")
-        .build();
  }
 }
@@ -1,161 +0,0 @@
-// Copyright 2021 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.batch;
-
-import static com.google.common.net.MediaType.PLAIN_TEXT_UTF_8;
-import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;
-import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
-import static javax.servlet.http.HttpServletResponse.SC_OK;
-
-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.flogger.FluentLogger;
-import google.registry.config.RegistryEnvironment;
-import google.registry.persistence.PersistenceModule.SchemaManagerConnection;
-import google.registry.request.Action;
-import google.registry.request.Response;
-import google.registry.request.auth.Auth;
-import google.registry.util.Retrier;
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.util.function.Supplier;
-import javax.inject.Inject;
-
-/**
- * Wipes out all Cloud SQL data in a Nomulus GCP environment.
- *
- * <p>This class is created for the QA environment, where migration testing with production data
- * will happen. A regularly scheduled wipeout is a prerequisite to using production data there.
- */
-@Action(
-    service = Action.Service.BACKEND,
-    path = "/_dr/task/wipeOutCloudSql",
-    auth = Auth.AUTH_API_ADMIN)
-public class WipeOutCloudSqlAction implements Runnable {
-  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
-
-  private static final ImmutableSet<RegistryEnvironment> FORBIDDEN_ENVIRONMENTS =
-      ImmutableSet.of(RegistryEnvironment.PRODUCTION, RegistryEnvironment.SANDBOX);
-
-  private final Supplier<Connection> connectionSupplier;
-  private final Response response;
-  private final Retrier retrier;
-
-  @Inject
-  WipeOutCloudSqlAction(
-      @SchemaManagerConnection Supplier<Connection> connectionSupplier,
-      Response response,
-      Retrier retrier) {
-    this.connectionSupplier = connectionSupplier;
-    this.response = response;
-    this.retrier = retrier;
-  }
-
-  @Override
-  public void run() {
-    response.setContentType(PLAIN_TEXT_UTF_8);
-
-    if (FORBIDDEN_ENVIRONMENTS.contains(RegistryEnvironment.get())) {
-      response.setStatus(SC_FORBIDDEN);
-      response.setPayload("Wipeout is not allowed in " + RegistryEnvironment.get());
-      return;
-    }
-
-    try {
-      retrier.callWithRetry(
-          () -> {
-            try (Connection conn = connectionSupplier.get()) {
-              dropAllTables(conn, listTables(conn));
-              dropAllSequences(conn, listSequences(conn));
-            }
-            return null;
-          },
-          e -> !(e instanceof SQLException));
-      response.setStatus(SC_OK);
-      response.setPayload("Wiped out Cloud SQL in " + RegistryEnvironment.get());
-    } catch (RuntimeException e) {
-      logger.atSevere().withCause(e).log("Failed to wipe out Cloud SQL data.");
-      response.setStatus(SC_INTERNAL_SERVER_ERROR);
-      response.setPayload("Failed to wipe out Cloud SQL in " + RegistryEnvironment.get());
-    }
-  }
-
-  /** Returns a list of all tables in the public schema of a Postgresql database. */
-  static ImmutableList<String> listTables(Connection connection) throws SQLException {
-    try (ResultSet resultSet =
-        connection.getMetaData().getTables(null, null, null, new String[] {"TABLE"})) {
-      ImmutableList.Builder<String> tables = new ImmutableList.Builder<>();
-      while (resultSet.next()) {
-        String schema = resultSet.getString("TABLE_SCHEM");
-        if (schema == null || !schema.equalsIgnoreCase("public")) {
-          continue;
-        }
-        String tableName = resultSet.getString("TABLE_NAME");
-        tables.add("public.\"" + tableName + "\"");
-      }
-      return tables.build();
-    }
-  }
-
-  static void dropAllTables(Connection conn, ImmutableList<String> tables) throws SQLException {
-    if (tables.isEmpty()) {
-      return;
-    }
-
-    try (Statement statement = conn.createStatement()) {
-      for (String table : tables) {
-        statement.addBatch(String.format("DROP TABLE IF EXISTS %s CASCADE;", table));
-      }
-      for (int code : statement.executeBatch()) {
-        if (code == Statement.EXECUTE_FAILED) {
-          throw new RuntimeException("Failed to drop some tables. Please check.");
-        }
-      }
-    }
-  }
-
-  /** Returns a list of all sequences in a Postgresql database. */
-  static ImmutableList<String> listSequences(Connection conn) throws SQLException {
-    try (Statement statement = conn.createStatement();
-        ResultSet resultSet =
-            statement.executeQuery("SELECT c.relname FROM pg_class c WHERE c.relkind = 'S';")) {
-      ImmutableList.Builder<String> sequences = new ImmutableList.Builder<>();
-      while (resultSet.next()) {
-        sequences.add('\"' + resultSet.getString(1) + '\"');
-      }
-      return sequences.build();
-    }
-  }
-
-  static void dropAllSequences(Connection conn, ImmutableList<String> sequences)
-      throws SQLException {
-    if (sequences.isEmpty()) {
-      return;
-    }
-
-    try (Statement statement = conn.createStatement()) {
-      for (String sequence : sequences) {
-        statement.addBatch(String.format("DROP SEQUENCE IF EXISTS %s CASCADE;", sequence));
-      }
-      for (int code : statement.executeBatch()) {
-        if (code == Statement.EXECUTE_FAILED) {
-          throw new RuntimeException("Failed to drop some sequences. Please check.");
-        }
-      }
-    }
-  }
-}
@@ -209,7 +209,7 @@ public final class RegistryJpaIO {

      @ProcessElement
      public void processElement(OutputReceiver<T> outputReceiver) {
-        tm().transactNoRetry(
+        tm().transact(
                () -> {
                  query.stream().map(resultMapper::apply).forEach(outputReceiver::output);
                });
@@ -0,0 +1,21 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa;
+
+/** Identifiers of the BSA lists with blocking labels. */
+public enum BlockList {
+  BLOCK,
+  BLOCK_PLUS;
+}
@@ -0,0 +1,46 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa;
+
+/** The processing stages of a download. */
+public enum DownloadStage {
+  /** Downloads BSA block list files. */
+  DOWNLOAD,
+  /** Generates block list diffs with the previous download. */
+  MAKE_DIFF,
+  /** Applies the label diffs to the database tables. */
+  APPLY_DIFF,
+  /**
+   * Makes a REST API call to BSA endpoint, declaring that processing starts for new orders in the
+   * diffs.
+   */
+  START_UPLOADING,
+  /** Makes a REST API call to BSA endpoint, sending the domains that cannot be blocked. */
+  UPLOAD_DOMAINS_IN_USE,
+  /** Makes a REST API call to BSA endpoint, declaring the completion of order processing. */
+  FINISH_UPLOADING,
+  /** The terminal stage after processing succeeds. */
+  DONE,
+  /**
+   * The terminal stage indicating that the downloads are discarded because their checksums are the
+   * same as that of the previous download.
+   */
+  NOP,
+  /**
+   * The terminal stage indicating that the downloads are not processed because their BSA-generated
+   * checksums do not match those calculated by us.
+   */
+  CHECKSUMS_NOT_MATCH;
+}
@@ -0,0 +1,108 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa;
+
+import static com.google.common.collect.ImmutableSet.toImmutableSet;
+import static com.google.common.collect.Maps.transformValues;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableMultimap;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Sets;
+import com.google.common.collect.Sets.SetView;
+import google.registry.model.tld.Tld;
+import google.registry.model.tld.Tld.TldType;
+import google.registry.model.tld.Tlds;
+import google.registry.tldconfig.idn.IdnLabelValidator;
+import google.registry.tldconfig.idn.IdnTableEnum;
+import google.registry.util.Clock;
+import javax.inject.Inject;
+import org.joda.time.DateTime;
+
+/**
+ * Checks labels' validity wrt Idns in TLDs enrolled with BSA.
+ *
+ * <p>Each instance takes a snapshot of the TLDs at instantiation time, and should be limited to the
+ * Request scope.
+ */
+public class IdnChecker {
+  private static final IdnLabelValidator IDN_LABEL_VALIDATOR = new IdnLabelValidator();
+
+  private final ImmutableMap<IdnTableEnum, ImmutableSet<Tld>> idnToTlds;
+  private final ImmutableSet<Tld> allTlds;
+
+  @Inject
+  IdnChecker(Clock clock) {
+    this.idnToTlds = getIdnToTldMap(clock.nowUtc());
+    allTlds = idnToTlds.values().stream().flatMap(ImmutableSet::stream).collect(toImmutableSet());
+  }
+
+  // TODO(11/30/2023): Remove below when new Tld schema is deployed and the `getBsaEnrollStartTime`
+  // method is no longer hardcoded.
+  @VisibleForTesting
+  IdnChecker(ImmutableMap<IdnTableEnum, ImmutableSet<Tld>> idnToTlds) {
+    this.idnToTlds = idnToTlds;
+    allTlds = idnToTlds.values().stream().flatMap(ImmutableSet::stream).collect(toImmutableSet());
+  }
+
+  /** Returns all IDNs in which the {@code label} is valid. */
+  ImmutableSet<IdnTableEnum> getAllValidIdns(String label) {
+    return idnToTlds.keySet().stream()
+        .filter(idnTable -> idnTable.getTable().isValidLabel(label))
+        .collect(toImmutableSet());
+  }
+
+  /**
+   * Returns the TLDs that support at least one IDN in the {@code idnTables}.
+   *
+   * @param idnTables String names of {@link IdnTableEnum} values
+   */
+  public ImmutableSet<Tld> getSupportingTlds(ImmutableSet<String> idnTables) {
+    return idnTables.stream()
+        .map(IdnTableEnum::valueOf)
+        .filter(idnToTlds::containsKey)
+        .map(idnToTlds::get)
+        .flatMap(ImmutableSet::stream)
+        .collect(toImmutableSet());
+  }
+
+  /**
+   * Returns the TLDs that do not support any IDN in the {@code idnTables}.
+   *
+   * @param idnTables String names of {@link IdnTableEnum} values
+   */
+  public SetView<Tld> getForbiddingTlds(ImmutableSet<String> idnTables) {
+    return Sets.difference(allTlds, getSupportingTlds(idnTables));
+  }
+
+  private static boolean isEnrolledWithBsa(Tld tld, DateTime now) {
+    DateTime enrollTime = tld.getBsaEnrollStartTime();
+    return enrollTime != null && enrollTime.isBefore(now);
+  }
+
+  private static ImmutableMap<IdnTableEnum, ImmutableSet<Tld>> getIdnToTldMap(DateTime now) {
+    ImmutableMultimap.Builder<IdnTableEnum, Tld> idnToTldMap = new ImmutableMultimap.Builder();
+    Tlds.getTldEntitiesOfType(TldType.REAL).stream()
+        .filter(tld -> isEnrolledWithBsa(tld, now))
+        .forEach(
+            tld -> {
+              for (IdnTableEnum idn : IDN_LABEL_VALIDATOR.getIdnTablesForTld(tld)) {
+                idnToTldMap.put(idn, tld);
+              }
+            });
+    return ImmutableMap.copyOf(transformValues(idnToTldMap.build().asMap(), ImmutableSet::copyOf));
+  }
+}
@@ -0,0 +1,45 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa;
+
+import static javax.servlet.http.HttpServletResponse.SC_OK;
+
+import google.registry.request.Action;
+import google.registry.request.Action.Service;
+import google.registry.request.Response;
+import google.registry.request.auth.Auth;
+import javax.inject.Inject;
+
+@Action(
+    service = Service.BSA,
+    path = PlaceholderAction.PATH,
+    method = Action.Method.GET,
+    auth = Auth.AUTH_API_ADMIN)
+public class PlaceholderAction implements Runnable {
+  private final Response response;
+
+  static final String PATH = "/_dr/task/bsaDownload";
+
+  @Inject
+  public PlaceholderAction(Response response) {
+    this.response = response;
+  }
+
+  @Override
+  public void run() {
+    response.setStatus(SC_OK);
+    response.setPayload("Hello World");
+  }
+}
@@ -0,0 +1,102 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.persistence;
+
+import com.google.common.base.Objects;
+import google.registry.bsa.persistence.BsaDomainInUse.BsaDomainInUseId;
+import google.registry.model.CreateAutoTimestamp;
+import google.registry.persistence.VKey;
+import java.io.Serializable;
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
+import javax.persistence.Id;
+import javax.persistence.IdClass;
+
+/** A domain matching a BSA label but is in use (registered or reserved), so cannot be blocked. */
+@Entity
+@IdClass(BsaDomainInUseId.class)
+public class BsaDomainInUse {
+  @Id String label;
+  @Id String tld;
+
+  @Column(nullable = false)
+  @Enumerated(EnumType.STRING)
+  Reason reason;
+
+  /**
+   * Creation time of this record, which is the most recent time when the domain was detected to be
+   * in use wrt BSA. It may be during the processing of a download, or during some other job that
+   * refreshes the state.
+   *
+   * <p>This field is for information only.
+   */
+  @SuppressWarnings("unused")
+  @Column(nullable = false)
+  CreateAutoTimestamp createTime = CreateAutoTimestamp.create(null);
+
+  // For Hibernate
+  BsaDomainInUse() {}
+
+  public BsaDomainInUse(String label, String tld, Reason reason) {
+    this.label = label;
+    this.tld = tld;
+    this.reason = reason;
+  }
+
+  @Override
+  public boolean equals(Object o) {
+    if (this == o) {
+      return true;
+    }
+    if (!(o instanceof BsaDomainInUse)) {
+      return false;
+    }
+    BsaDomainInUse that = (BsaDomainInUse) o;
+    return Objects.equal(label, that.label)
+        && Objects.equal(tld, that.tld)
+        && reason == that.reason
+        && Objects.equal(createTime, that.createTime);
+  }
+
+  @Override
+  public int hashCode() {
+    return Objects.hashCode(label, tld, reason, createTime);
+  }
+
+  enum Reason {
+    REGISTERED,
+    RESERVED;
+  }
+
+  static class BsaDomainInUseId implements Serializable {
+
+    private String label;
+    private String tld;
+
+    // For Hibernate
+    BsaDomainInUseId() {}
+
+    BsaDomainInUseId(String label, String tld) {
+      this.label = label;
+      this.tld = tld;
+    }
+  }
+
+  static VKey<BsaDomainInUse> vKey(String label, String tld) {
+    return VKey.create(BsaDomainInUse.class, new BsaDomainInUseId(label, tld));
+  }
+}
@@ -0,0 +1,131 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.persistence;
+
+import static com.google.common.collect.ImmutableMap.toImmutableMap;
+import static google.registry.bsa.DownloadStage.DOWNLOAD;
+
+import com.google.common.base.Joiner;
+import com.google.common.base.Objects;
+import com.google.common.base.Splitter;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSortedMap;
+import google.registry.bsa.BlockList;
+import google.registry.bsa.DownloadStage;
+import google.registry.model.CreateAutoTimestamp;
+import google.registry.model.UpdateAutoTimestamp;
+import google.registry.persistence.VKey;
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Index;
+import javax.persistence.Table;
+import org.joda.time.DateTime;
+
+/** Records of ongoing and completed download jobs. */
+@Entity
+@Table(indexes = {@Index(columnList = "creationTime")})
+public class BsaDownload {
+
+  private static final Joiner CSV_JOINER = Joiner.on(',');
+  private static final Splitter CSV_SPLITTER = Splitter.on(',');
+
+  @Id
+  @GeneratedValue(strategy = GenerationType.IDENTITY)
+  Long jobId;
+
+  @Column(nullable = false)
+  CreateAutoTimestamp creationTime = CreateAutoTimestamp.create(null);
+
+  @Column(nullable = false)
+  UpdateAutoTimestamp updateTime = UpdateAutoTimestamp.create(null);
+
+  @Column(nullable = false)
+  String blockListChecksums = "";
+
+  @Column(nullable = false)
+  @Enumerated(EnumType.STRING)
+  DownloadStage stage = DOWNLOAD;
+
+  BsaDownload() {}
+
+  long getJobId() {
+    return jobId;
+  }
+
+  DateTime getCreationTime() {
+    return creationTime.getTimestamp();
+  }
+
+  /**
+   * Returns the starting time of this job as a string, which can be used as folder name on GCS when
+   * storing download data.
+   */
+  public String getJobName() {
+    return getCreationTime().toString();
+  }
+
+  public DownloadStage getStage() {
+    return this.stage;
+  }
+
+  BsaDownload setStage(DownloadStage stage) {
+    this.stage = stage;
+    return this;
+  }
+
+  BsaDownload setChecksums(ImmutableMap<BlockList, String> checksums) {
+    blockListChecksums =
+        CSV_JOINER.withKeyValueSeparator("=").join(ImmutableSortedMap.copyOf(checksums));
+    return this;
+  }
+
+  ImmutableMap<BlockList, String> getChecksums() {
+    if (blockListChecksums.isEmpty()) {
+      return ImmutableMap.of();
+    }
+    return CSV_SPLITTER.withKeyValueSeparator('=').split(blockListChecksums).entrySet().stream()
+        .collect(
+            toImmutableMap(entry -> BlockList.valueOf(entry.getKey()), entry -> entry.getValue()));
+  }
+
+  @Override
+  public boolean equals(Object o) {
+    if (this == o) {
+      return true;
+    }
+    if (!(o instanceof BsaDownload)) {
+      return false;
+    }
+    BsaDownload that = (BsaDownload) o;
+    return Objects.equal(creationTime, that.creationTime)
+        && Objects.equal(updateTime, that.updateTime)
+        && Objects.equal(blockListChecksums, that.blockListChecksums)
+        && stage == that.stage;
+  }
+
+  @Override
+  public int hashCode() {
+    return Objects.hashCode(creationTime, updateTime, blockListChecksums, stage);
+  }
+
+  static VKey<BsaDownload> vKey(long jobId) {
+    return VKey.create(BsaDownload.class, Long.valueOf(jobId));
+  }
+}
@@ -0,0 +1,79 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.persistence;
+
+import com.google.common.base.Objects;
+import google.registry.persistence.VKey;
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.Id;
+import org.joda.time.DateTime;
+
+/**
+ * Specifies a second-level TLD name that should be blocked from registration in all TLDs except by
+ * the label's owner.
+ *
+ * <p>The label is valid (wrt IDN) in at least one TLD.
+ */
+@Entity
+public final class BsaLabel {
+
+  @Id String label;
+
+  /**
+   * Creation time of this label. This field is for human use, and should give the name of the GCS
+   * folder that contains the downloaded BSA data.
+   *
+   * <p>See {@link BsaDownload#getCreationTime} and {@link BsaDownload#getJobName} for more
+   * information.
+   */
+  @SuppressWarnings("unused")
+  @Column(nullable = false)
+  DateTime creationTime;
+
+  // For Hibernate.
+  BsaLabel() {}
+
+  BsaLabel(String label, DateTime creationTime) {
+    this.label = label;
+    this.creationTime = creationTime;
+  }
+
+  /** Returns the label to be blocked. */
+  public String getLabel() {
+    return label;
+  }
+
+  @Override
+  public boolean equals(Object o) {
+    if (this == o) {
+      return true;
+    }
+    if (!(o instanceof BsaLabel)) {
+      return false;
+    }
+    BsaLabel label1 = (BsaLabel) o;
+    return Objects.equal(label, label1.label) && Objects.equal(creationTime, label1.creationTime);
+  }
+
+  @Override
+  public int hashCode() {
+    return Objects.hashCode(label, creationTime);
+  }
+
+  static VKey<BsaLabel> vKey(String label) {
+    return VKey.create(BsaLabel.class, label);
+  }
+}
@@ -0,0 +1,73 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.persistence;
+
+import com.google.auto.value.AutoValue;
+import com.google.common.collect.ImmutableMap;
+import google.registry.bsa.BlockList;
+import google.registry.bsa.DownloadStage;
+import java.util.Optional;
+
+/** Information needed when handling a download from BSA. */
+@AutoValue
+public abstract class DownloadSchedule {
+
+  abstract long jobId();
+
+  public abstract String jobName();
+
+  public abstract DownloadStage stage();
+
+  /** The most recent job that ended in the {@code DONE} stage. */
+  public abstract Optional<CompletedJob> latestCompleted();
+
+  /**
+   * Returns true if download should be processed even if the checksums show that it has not changed
+   * from the previous one.
+   */
+  abstract boolean alwaysDownload();
+
+  static DownloadSchedule of(BsaDownload currentJob) {
+    return new AutoValue_DownloadSchedule(
+        currentJob.getJobId(),
+        currentJob.getJobName(),
+        currentJob.getStage(),
+        Optional.empty(),
+        /* alwaysDownload= */ true);
+  }
+
+  static DownloadSchedule of(
+      BsaDownload currentJob, CompletedJob latestCompleted, boolean alwaysDownload) {
+    return new AutoValue_DownloadSchedule(
+        currentJob.getJobId(),
+        currentJob.getJobName(),
+        currentJob.getStage(),
+        Optional.of(latestCompleted),
+        /* alwaysDownload= */ alwaysDownload);
+  }
+
+  /** Information about a completed BSA download job. */
+  @AutoValue
+  public abstract static class CompletedJob {
+    public abstract String jobName();
+
+    public abstract ImmutableMap<BlockList, String> checksums();
+
+    static CompletedJob of(BsaDownload completedJob) {
+      return new AutoValue_DownloadSchedule_CompletedJob(
+          completedJob.getJobName(), completedJob.getChecksums());
+    }
+  }
+}
@@ -0,0 +1,131 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.persistence;
+
+import static com.google.common.base.Verify.verify;
+import static google.registry.bsa.DownloadStage.CHECKSUMS_NOT_MATCH;
+import static google.registry.bsa.DownloadStage.DONE;
+import static google.registry.bsa.DownloadStage.NOP;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+import static org.joda.time.Duration.standardSeconds;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.collect.ImmutableList;
+import google.registry.bsa.persistence.DownloadSchedule.CompletedJob;
+import google.registry.util.Clock;
+import java.util.Optional;
+import javax.inject.Inject;
+import org.joda.time.Duration;
+
+/**
+ * Assigns work for each cron invocation of the BSA Download job.
+ *
+ * <p>The download job is invoked at a divisible fraction of the desired data freshness to
+ * accommodate potential retries. E.g., for 30-minute data freshness with up to two retries on
+ * error, the cron schedule for the job should be set to 10 minutes.
+ *
+ * <p>The processing of each BSA download progresses through multiple stages as described in {@code
+ * DownloadStage} until it reaches one of the terminal stages. Each stage is check-pointed on
+ * completion, therefore if an invocation fails mid-process, the next invocation will skip the
+ * completed stages. No new downloads will start as long as the most recent one is still being
+ * processed.
+ *
+ * <p>When a new download is scheduled, the block list checksums from the most recent completed job
+ * is included. If the new checksums match the previous ones, the download may be skipped and the
+ * job should terminate in the {@code NOP} stage. However, if the checksums have stayed unchanged
+ * for longer than the user-provided {@code maxNopInterval}, the download will be processed.
+ *
+ * <p>The BSA downloads contains server-provided checksums. If they do not match the checksums
+ * generated on Nomulus' side, the download is skipped and the job should terminate in the {@code
+ * CHECKSUMS_NOT_MATCH} stage.
+ */
+public final class DownloadScheduler {
+
+  /** Allows a new download to proceed if the cron job fires a little early due to NTP drift. */
+  private static final Duration CRON_JITTER = standardSeconds(5);
+
+  private final Duration downloadInterval;
+  private final Duration maxNopInterval;
+  private final Clock clock;
+
+  @Inject
+  DownloadScheduler(Duration downloadInterval, Duration maxNopInterval, Clock clock) {
+    this.downloadInterval = downloadInterval;
+    this.maxNopInterval = maxNopInterval;
+    this.clock = clock;
+  }
+
+  /**
+   * Returns a {@link DownloadSchedule} instance that describes the work to be performed by an
+   * invocation of the download action, if applicable; or {@link Optional#empty} when there is
+   * nothing to do.
+   */
+  public Optional<DownloadSchedule> schedule() {
+    return tm().transact(
+            () -> {
+              ImmutableList<BsaDownload> recentJobs = loadRecentProcessedJobs();
+              if (recentJobs.isEmpty()) {
+                // No jobs initiated ever.
+                return Optional.of(scheduleNewJob(Optional.empty()));
+              }
+              BsaDownload mostRecent = recentJobs.get(0);
+              if (mostRecent.getStage().equals(DONE)) {
+                return isTimeAgain(mostRecent, downloadInterval)
+                    ? Optional.of(scheduleNewJob(Optional.of(mostRecent)))
+                    : Optional.empty();
+              } else if (recentJobs.size() == 1) {
+                // First job ever, still in progress
+                return Optional.of(DownloadSchedule.of(recentJobs.get(0)));
+              } else {
+                // Job in progress, with completed previous jobs.
+                BsaDownload prev = recentJobs.get(1);
+                verify(prev.getStage().equals(DONE), "Unexpectedly found two ongoing jobs.");
+                return Optional.of(
+                    DownloadSchedule.of(
+                        mostRecent,
+                        CompletedJob.of(prev),
+                        isTimeAgain(mostRecent, maxNopInterval)));
+              }
+            });
+  }
+
+  private boolean isTimeAgain(BsaDownload mostRecent, Duration interval) {
+    return mostRecent.getCreationTime().plus(interval).minus(CRON_JITTER).isBefore(clock.nowUtc());
+  }
+
+  /**
+   * Adds a new {@link BsaDownload} to the database and returns a {@link DownloadSchedule} for it.
+   */
+  private DownloadSchedule scheduleNewJob(Optional<BsaDownload> prevJob) {
+    BsaDownload job = new BsaDownload();
+    tm().insert(job);
+    return prevJob
+        .map(
+            prev ->
+                DownloadSchedule.of(job, CompletedJob.of(prev), isTimeAgain(prev, maxNopInterval)))
+        .orElseGet(() -> DownloadSchedule.of(job));
+  }
+
+  @VisibleForTesting
+  ImmutableList<BsaDownload> loadRecentProcessedJobs() {
+    return ImmutableList.copyOf(
+        tm().getEntityManager()
+            .createQuery(
+                "FROM BsaDownload WHERE stage NOT IN :nop_stages ORDER BY creationTime DESC")
+            .setParameter("nop_stages", ImmutableList.of(CHECKSUMS_NOT_MATCH, NOP))
+            .setMaxResults(2)
+            .getResultList());
+  }
+}
@@ -28,6 +28,7 @@ import com.google.common.base.Ascii;
 import com.google.common.base.Splitter;
 import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.ImmutableSortedMap;
 import dagger.Module;
@@ -879,6 +880,17 @@ public final class RegistryConfig {
      return Optional.ofNullable(config.misc.sheetExportId);
    }

+    /**
+     * Returns the desired delay between outgoing emails when sending in bulk.
+     *
+     * <p>Gmail apparently has unpublished limits on peak throughput over short period.
+     */
+    @Provides
+    @Config("emailThrottleDuration")
+    public static Duration provideEmailThrottleSeconds(RegistryConfigSettings config) {
+      return Duration.standardSeconds(config.misc.emailThrottleSeconds);
+    }
+
    /**
     * Returns the email address we send various alert e-mails to.
     *
@@ -1163,44 +1175,6 @@ public final class RegistryConfig {
      return CONFIG_SETTINGS.get();
    }

-    /**
-     * Provides the OAuth scopes that authentication logic should detect on access tokens.
-     *
-     * <p>This list should be a superset of the required OAuth scope set provided below. Note that
-     * ideally, this setting would not be required and all scopes on an access token would be
-     * detected automatically, but that is not the case due to the way {@code OAuthService} works.
-     *
-     * <p>This is an independent setting from the required OAuth scopes (below) to support use cases
-     * where certain actions require some additional scope (e.g. access to a user's Google Drive)
-     * but that scope shouldn't be required for authentication alone; in that case the Drive scope
-     * would be specified only for this setting, allowing that action to check for its presence.
-     */
-    @Provides
-    @Config("availableOauthScopes")
-    public static ImmutableSet<String> provideAvailableOauthScopes(RegistryConfigSettings config) {
-      return ImmutableSet.copyOf(config.auth.availableOauthScopes);
-    }
-
-    /**
-     * Provides the OAuth scopes that are required for authenticating successfully.
-     *
-     * <p>This set contains the scopes which must be present to authenticate a user. It should be a
-     * subset of the scopes we request from the OAuth interface, provided above.
-     *
-     * <p>If we feel the need, we could define additional fixed scopes, similar to the Java remote
-     * API, which requires at least one of:
-     *
-     * <ul>
-     *   <li>{@code https://www.googleapis.com/auth/appengine.apis}
-     *   <li>{@code https://www.googleapis.com/auth/cloud-platform}
-     * </ul>
-     */
-    @Provides
-    @Config("requiredOauthScopes")
-    public static ImmutableSet<String> provideRequiredOauthScopes(RegistryConfigSettings config) {
-      return ImmutableSet.copyOf(config.auth.requiredOauthScopes);
-    }
-
    /**
     * Provides service account email addresses allowed to authenticate with the app at {@link
     * google.registry.request.auth.AuthSettings.AuthLevel#APP} level.
@@ -1212,19 +1186,18 @@ public final class RegistryConfig {
      return ImmutableSet.copyOf(config.auth.allowedServiceAccountEmails);
    }

-    /** Provides the allowed OAuth client IDs (could be multibinding). */
-    @Provides
-    @Config("allowedOauthClientIds")
-    public static ImmutableSet<String> provideAllowedOauthClientIds(RegistryConfigSettings config) {
-      return ImmutableSet.copyOf(config.auth.allowedOauthClientIds);
-    }
-
    @Provides
    @Config("oauthClientId")
    public static String provideOauthClientId(RegistryConfigSettings config) {
      return config.auth.oauthClientId;
    }

+    @Provides
+    @Config("fallbackOauthClientId")
+    public static String provideFallbackOauthClientId(RegistryConfigSettings config) {
+      return config.auth.fallbackOauthClientId;
+    }
+
    /**
     * Provides the OAuth scopes required for accessing Google APIs using the default credential.
     */
@@ -1424,6 +1397,86 @@ public final class RegistryConfig {
      return config.bulkPricingPackageMonitoring.bulkPricingPackageDomainLimitUpgradeEmailBody;
    }

+    @Provides
+    @Config("bsaGcsBucket")
+    public static String provideBsaGcsBucket(@Config("projectId") String projectId) {
+      return projectId + "-bsa";
+    }
+
+    @Provides
+    @Config("bsaChecksumAlgorithm")
+    public static String provideBsaChecksumAlgorithm(RegistryConfigSettings config) {
+      return config.bsa.bsaChecksumAlgorithm;
+    }
+
+    @Provides
+    @Config("bsaLockLeaseExpiry")
+    public static Duration provideBsaLockLeaseExpiry(RegistryConfigSettings config) {
+      return Duration.standardMinutes(config.bsa.bsaLockLeaseExpiryMinutes);
+    }
+
+    /** Returns the desired interval between successive BSA downloads. */
+    @Provides
+    @Config("bsaDownloadInterval")
+    public static Duration provideBsaDownloadInterval(RegistryConfigSettings config) {
+      return Duration.standardMinutes(config.bsa.bsaDownloadIntervalMinutes);
+    }
+
+    /**
+     * Returns the maximum period when a BSA download can be skipped due to the checksum-based
+     * equality check with the previous download.
+     */
+    @Provides
+    @Config("bsaMaxNopInterval")
+    public static Duration provideBsaMaxNopInterval(RegistryConfigSettings config) {
+      return Duration.standardHours(config.bsa.bsaMaxNopIntervalHours);
+    }
+
+    @Provides
+    @Config("bsaLabelTxnBatchSize")
+    public static int provideBsaLabelTxnBatchSize(RegistryConfigSettings config) {
+      return config.bsa.bsaLabelTxnBatchSize;
+    }
+
+    @Provides
+    @Config("bsaAuthUrl")
+    public static String provideBsaAuthUrl(RegistryConfigSettings config) {
+      return config.bsa.authUrl;
+    }
+
+    @Provides
+    @Config("bsaAuthTokenExpiry")
+    public static Duration provideBsaAuthTokenExpiry(RegistryConfigSettings config) {
+      return Duration.standardSeconds(config.bsa.authTokenExpirySeconds);
+    }
+
+    @Provides
+    @Config("bsaDataUrls")
+    public static ImmutableMap<String, String> provideBsaDataUrls(RegistryConfigSettings config) {
+      return ImmutableMap.copyOf(config.bsa.dataUrls);
+    }
+
+    /** Provides the BSA Http endpoint for reporting order processing status. */
+    @Provides
+    @Config("bsaOrderStatusUrl")
+    public static String provideBsaOrderStatusUrls(RegistryConfigSettings config) {
+      return config.bsa.orderStatusUrl;
+    }
+
+    /** Provides the BSA Http endpoint for reporting new unblockable domains. */
+    @Provides
+    @Config("bsaAddUnblockableDomainsUrl")
+    public static String provideBsaAddUnblockableDomainsUrls(RegistryConfigSettings config) {
+      return String.format("%s?%s", config.bsa.unblockableDomainsUrl, "action=add");
+    }
+
+    /** Provides the BSA Http endpoint for reporting domains that have become blockable. */
+    @Provides
+    @Config("bsaRemoveUnblockableDomainsUrl")
+    public static String provideBsaRemoveUnblockableDomainsUrls(RegistryConfigSettings config) {
+      return String.format("%s?%s", config.bsa.unblockableDomainsUrl, "action=remove");
+    }
+
    private static String formatComments(String text) {
      return Splitter.on('\n').omitEmptyStrings().trimResults().splitToList(text).stream()
          .map(s -> "# " + s)
@@ -1467,6 +1520,15 @@ public final class RegistryConfig {
    return makeUrl(CONFIG_SETTINGS.get().gcpProject.backendServiceUrl);
  }

+  /**
+   * Returns the address of the Nomulus app bsa HTTP server.
+   *
+   * <p>This is used by the {@code nomulus} tool to connect to the App Engine remote API.
+   */
+  public static URL getBsaServer() {
+    return makeUrl(CONFIG_SETTINGS.get().gcpProject.bsaServiceUrl);
+  }
+
  /**
   * Returns the address of the Nomulus app tools HTTP server.
   *
@@ -1563,9 +1625,9 @@ public final class RegistryConfig {
    return CONFIG_SETTINGS.get().hibernate.connectionIsolation;
  }

-  /** Returns true if per-transaction isolation level is enabled. */
-  public static boolean getHibernatePerTransactionIsolationEnabled() {
-    return CONFIG_SETTINGS.get().hibernate.perTransactionIsolation;
+  /** Returns true if nested calls to {@code tm().transact()} are allowed. */
+  public static boolean getHibernateAllowNestedTransactions() {
+    return CONFIG_SETTINGS.get().hibernate.allowNestedTransactions;
  }

  /** Returns true if hibernate.show_sql is enabled. */
@@ -43,6 +43,7 @@ public class RegistryConfigSettings {
  public ContactHistory contactHistory;
  public DnsUpdate dnsUpdate;
  public BulkPricingPackageMonitoring bulkPricingPackageMonitoring;
+  public Bsa bsa;

  /** Configuration options that apply to the entire GCP project. */
  public static class GcpProject {
@@ -52,17 +53,16 @@ public class RegistryConfigSettings {
    public boolean isLocal;
    public String defaultServiceUrl;
    public String backendServiceUrl;
+    public String bsaServiceUrl;
    public String toolsServiceUrl;
    public String pubapiServiceUrl;
  }

  /** Configuration options for authenticating users. */
  public static class Auth {
-    public List<String> availableOauthScopes;
-    public List<String> requiredOauthScopes;
-    public List<String> allowedOauthClientIds;
    public List<String> allowedServiceAccountEmails;
    public String oauthClientId;
+    public String fallbackOauthClientId;
  }

  /** Configuration options for accessing Google APIs. */
@@ -115,7 +115,7 @@ public class RegistryConfigSettings {

  /** Configuration for Hibernate. */
  public static class Hibernate {
-    public boolean perTransactionIsolation;
+    public boolean allowNestedTransactions;
    public String connectionIsolation;
    public String logSqlQueries;
    public String hikariConnectionTimeout;
@@ -208,6 +208,7 @@ public class RegistryConfigSettings {
  public static class Misc {
    public String sheetExportId;
    public boolean isEmailSendingEnabled;
+    public int emailThrottleSeconds;
    public String alertRecipientEmailAddress;
    // TODO(b/279671974): remove below field after migration
    public String newAlertRecipientEmailAddress;
@@ -263,4 +264,18 @@ public class RegistryConfigSettings {
    public String bulkPricingPackageDomainLimitUpgradeEmailSubject;
    public String bulkPricingPackageDomainLimitUpgradeEmailBody;
  }
+
+  /** Configurations for integration with Brand Safety Alliance (BSA) API. */
+  public static class Bsa {
+    public String bsaChecksumAlgorithm;
+    public int bsaLockLeaseExpiryMinutes;
+    public int bsaDownloadIntervalMinutes;
+    public int bsaMaxNopIntervalHours;
+    public int bsaLabelTxnBatchSize;
+    public String authUrl;
+    public int authTokenExpirySeconds;
+    public Map<String, String> dataUrls;
+    public String orderStatusUrl;
+    public String unblockableDomainsUrl;
+  }
 }
@@ -20,9 +20,11 @@ gcpProject:
  # URLs of the services for the project.
  defaultServiceUrl: https://default.example.com
  backendServiceUrl: https://backend.example.com
+  bsaServiceUrl: https://bsa.example.com
  toolsServiceUrl: https://tools.example.com
  pubapiServiceUrl: https://pubapi.example.com

+
 gSuite:
  # Publicly accessible domain name of the running G Suite instance.
  domainName: domain-registry.example
@@ -189,11 +191,13 @@ registryPolicy:
  sunriseDomainCreateDiscount: 0.15

 hibernate:
-  # Make it possible to specify the isolation level for each transaction. If set
-  # to true, nested transactions will throw an exception. If set to false, a
-  # transaction with the isolation override specified will still execute at the
-  # default level (specified below).
-  perTransactionIsolation: false
+  # If set to false, calls to tm().transact() cannot be nested. If set to true,
+  # nested calls to tm().transact() are allowed, as long as they do not specify
+  # a transaction isolation level override. These nested transactions should
+  # either be refactored to non-nested transactions, or changed to
+  # tm().reTransact(), which explicitly allows nested transactions, but does not
+  # allow setting an isolation level override.
+  allowNestedTransactions: true

  # Make 'SERIALIZABLE' the default isolation level to ensure correctness.
  #
@@ -304,24 +308,6 @@ caching:
 # Note: Only allowedServiceAccountEmails and oauthClientId should be configured.
 # Other fields are related to OAuth-based authentication and will be removed.
 auth:
-  # Deprecated: Use OIDC-based auth instead. This field is for OAuth-based auth.
-  # OAuth scopes to detect on access tokens. Superset of requiredOauthScopes.
-  availableOauthScopes:
-  - https://www.googleapis.com/auth/userinfo.email
-
-  # Deprecated: Use OIDC-based auth instead. This field is for OAuth-based auth.
-  # OAuth scopes required for authenticating. Subset of availableOauthScopes.
-  requiredOauthScopes:
-  - https://www.googleapis.com/auth/userinfo.email
-
-  # Deprecated: Use OIDC-based auth instead. This field is for OAuth-based auth.
-  # OAuth client IDs that are allowed to authenticate and communicate with
-  # backend services, e.g. nomulus tool, EPP proxy, etc. The value in
-  # registryTool.clientId field should be included in this list. Client IDs are
-  # typically of the format
-  # numbers-alphanumerics.apps.googleusercontent.com
-  allowedOauthClientIds: []
-
  # Service accounts (e.g. default service account, account used by Cloud
  # Scheduler) allowed to send authenticated requests.
  allowedServiceAccountEmails:
@@ -337,6 +323,10 @@ auth:
  # the same as this one.
  oauthClientId: iap-oauth-clientid

+  # Same as above, but serve as a fallback, so we can switch the client ID of
+  # the proxy without downtime.
+  fallbackOauthClientId: fallback-oauth-clientid
+
 credentialOAuth:
  # OAuth scopes required for accessing Google APIs using the default
  # credential.
@@ -443,6 +433,9 @@ misc:
  # Whether emails may be sent. For Prod and Sandbox this should be true.
  isEmailSendingEnabled: false

+  # Delay between bulk messages to avoid triggering Gmail fraud checks
+  emailThrottleSeconds: 30
+
  # Address we send alert summary emails to.
  alertRecipientEmailAddress: email@example.com

@@ -613,3 +606,18 @@ bulkPricingPackageMonitoring:
    Registrar: %3$s
    Active Domain Limit: %4$s
    Current Active Domains: %5$s
+
+# Configurations for integration with Brand Safety Alliance (BSA) API
+bsa:
+  # Http endpoint for acquiring Auth tokens.
+  authUrl: "https://"
+  # Auth token expiry.
+  authTokenExpirySeconds: 1800
+  # Http endpoints for downloading data
+  dataUrls:
+    "BLOCK": "https://"
+    "BLOCK_PLUS": "https://"
+  # Http endpoint for reporting order processing status
+  orderStatusUrl: "https://"
+  # Http endpoint for reporting changes in the set of unblockable domains.
+  unblockableDomainsUrl: "https://"
@@ -1,76 +0,0 @@
-# This is a sample production config (to be deployed in the WEB-INF directory).
-# This is the same as what Google Registry runs in production, except with
-# placeholders for Google-specific settings.
-
-gcpProject:
-  projectId: placeholder
-  # Set to true if running against local servers (localhost)
-  isLocal: false
-  # The "<service>-dot-" prefix is used on the project ID in this URL in order
-  # to get around an issue with double-wildcard SSL certs.
-  defaultServiceUrl: https://domain-registry-placeholder.appspot.com
-  backendServiceUrl: https://backend-dot-domain-registry-placeholder.appspot.com
-  toolsServiceUrl: https://tools-dot-domain-registry-placeholder.appspot.com
-  pubapiServiceUrl: https://pubapi-dot-domain-registry-placeholder.appspot.com
-
-gSuite:
-  domainName: placeholder
-  outgoingEmailDisplayName: placeholder
-  outgoingEmailAddress: placeholder
-  adminAccountEmailAddress: placeholder
-  supportGroupEmailAddress: placeholder
-
-registryPolicy:
-  contactAndHostRoidSuffix: placeholder
-  productName: placeholder
-  greetingServerId: placeholder
-  registrarChangesNotificationEmailAddresses:
-    - placeholder
-    - placeholder
-  defaultRegistrarWhoisServer: placeholder
-  tmchCaMode: PRODUCTION
-  tmchCrlUrl: http://crl.icann.org/tmch.crl
-  tmchMarksDbUrl: https://ry.marksdb.org
-  checkApiServletClientId: placeholder
-  registryAdminClientId: placeholder
-  whoisDisclaimer: |
-    multi-line
-    placeholder
-
-icannReporting:
-  icannTransactionsReportingUploadUrl: https://ry-api.icann.org/report/registrar-transactions
-  icannActivityReportingUploadUrl: https://ry-api.icann.org/report/registry-functions-activity
-
-oAuth:
-  allowedOauthClientIds:
-    - placeholder.apps.googleusercontent.com
-    - placeholder-for-proxy
-
-rde:
-  reportUrlPrefix: https://ry-api.icann.org/report/registry-escrow-report
-  uploadUrl: sftp://placeholder@sftpipm2.ironmountain.com/Outbox
-  sshIdentityEmailAddress: placeholder
-
-registrarConsole:
-  logoFilename: placeholder
-  supportPhoneNumber: placeholder
-  supportEmailAddress: placeholder
-  announcementsEmailAddress: placeholder
-  integrationEmailAddress: placeholder
-  technicalDocsUrl: https://drive.google.com/drive/folders/placeholder
-
-misc:
-  sheetExportId: placeholder
-
-cloudDns:
-  rootUrl: null
-  servicePath: null
-
-keyring:
-  activeKeyring: KMS
-  kms:
-    projectId: placeholder
-
-registryTool:
-  clientId: placeholder.apps.googleusercontent.com
-  clientSecret: placeholder
@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">

-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
  <service>backend</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
  <sessions-enabled>true</sessions-enabled>
  <instance-class>B4</instance-class>
  <basic-scaling>
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
+
+  <runtime>java17</runtime>
+  <service>bsa</service>
+  <app-engine-apis>true</app-engine-apis>
+  <sessions-enabled>true</sessions-enabled>
+  <instance-class>B4</instance-class>
+  <basic-scaling>
+    <max-instances>100</max-instances>
+    <idle-timeout>10m</idle-timeout>
+  </basic-scaling>
+
+  <system-properties>
+    <property name="java.util.logging.config.file"
+              value="WEB-INF/logging.properties"/>
+    <property name="google.registry.environment"
+              value="alpha"/>
+  </system-properties>
+
+
+  <!-- Enable external traffic to go through VPC, required for static ip -->
+  <vpc-access-connector>
+    <name>projects/domain-registry-alpha/locations/us-central1/connectors/appengine-connector</name>
+    <egress-setting>all-traffic</egress-setting>
+  </vpc-access-connector>
+
+  <static-files>
+    <include path="/*.html" expiration="1m"/>
+  </static-files>
+</appengine-web-app>
@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">

-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
  <service>default</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
  <sessions-enabled>true</sessions-enabled>
  <instance-class>B4</instance-class>
  <basic-scaling>
@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">

-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
  <service>pubapi</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
  <sessions-enabled>true</sessions-enabled>
  <instance-class>B4</instance-class>
  <basic-scaling>
@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">

-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
  <service>tools</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
  <sessions-enabled>true</sessions-enabled>
  <instance-class>B4</instance-class>
  <basic-scaling>
@@ -31,6 +31,12 @@ encoding="UTF-8"?>
      <context-root>backend</context-root>
    </web>
  </module>
+  <module>
+    <web>
+      <web-uri>bsa</web-uri>
+      <context-root>bsa</context-root>
+    </web>
+  </module>
  <module>
    <web>
      <web-uri>tools</web-uri>
@@ -0,0 +1,17 @@
+# A default java.util.logging configuration.
+# (All App Engine logging is through java.util.logging by default).
+#
+# To use this configuration, copy it into your application's WEB-INF
+# folder and add the following to your appengine-web.xml:
+#
+# <system-properties>
+#   <property name="java.util.logging.config.file" value="WEB-INF/logging.properties"/>
+# </system-properties>
+#
+
+# Set the default logging level for all loggers to INFO.
+.level = INFO
+
+# Turn off logging in Hibernate classes for misleading ERROR-level logs
+org.hibernate.engine.jdbc.batch.internal.BatchingBatch.level=OFF
+org.hibernate.engine.jdbc.spi.SqlExceptionHelper.level=OFF
@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
+                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
+  <!-- Servlets -->
+
+  <!-- Servlet for injected backends actions -->
+  <servlet>
+    <display-name>BsaServlet</display-name>
+    <servlet-name>bsa-servlet</servlet-name>
+    <servlet-class>google.registry.module.bsa.BsaServlet</servlet-class>
+    <load-on-startup>1</load-on-startup>
+  </servlet>
+
+  <!-- Test action -->
+  <servlet-mapping>
+    <servlet-name>bsa-servlet</servlet-name>
+    <url-pattern>/_dr/task/bsaDownload</url-pattern>
+  </servlet-mapping>
+
+  <!-- Security config -->
+  <security-constraint>
+    <web-resource-collection>
+      <web-resource-name>Internal</web-resource-name>
+      <description>
+        Admin-only internal section. Requests for paths covered by the URL patterns below will be
+        checked for a logged-in user account that's allowed to access the AppEngine admin console
+        (NOTE: this includes Editor/Viewer permissions in addition to Owner and the new IAM
+        App Engine Admin role. See https://cloud.google.com/appengine/docs/java/access-control
+        specifically the "Access handlers that have a login:admin restriction" line.)
+
+        TODO(b/28219927): lift some of these restrictions so that we can allow OAuth authentication
+        for endpoints that need to be accessed by open-source automated processes.
+      </description>
+
+      <!-- Internal AppEngine endpoints.  The '_ah' is short for app hosting.  -->
+      <url-pattern>/_ah/*</url-pattern>
+
+      <!-- Registrar console (should not be available on non-default module). -->
+      <url-pattern>/registrar*</url-pattern>
+
+      <!-- Verbatim JavaScript sources (only visible to admins for debugging). -->
+      <url-pattern>/assets/sources/*</url-pattern>
+
+    </web-resource-collection>
+    <auth-constraint>
+      <role-name>admin</role-name>
+    </auth-constraint>
+
+    <!-- Repeated here since catch-all rule below is not inherited. -->
+    <user-data-constraint>
+      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+    </user-data-constraint>
+  </security-constraint>
+
+  <!-- Require TLS on all requests. -->
+  <security-constraint>
+    <web-resource-collection>
+      <web-resource-name>Secure</web-resource-name>
+      <description>
+        Require encryption for all paths. http URLs will be redirected to https.
+      </description>
+      <url-pattern>/*</url-pattern>
+    </web-resource-collection>
+    <user-data-constraint>
+      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+    </user-data-constraint>
+  </security-constraint>
+</web-app>
@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">

-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
  <service>backend</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
  <sessions-enabled>true</sessions-enabled>
  <instance-class>B4</instance-class>
  <basic-scaling>
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
+
+  <runtime>java17</runtime>
+  <service>bsa</service>
+  <app-engine-apis>true</app-engine-apis>
+  <sessions-enabled>true</sessions-enabled>
+  <instance-class>B4</instance-class>
+  <basic-scaling>
+    <max-instances>10</max-instances>
+    <idle-timeout>10m</idle-timeout>
+  </basic-scaling>
+
+  <system-properties>
+    <property name="java.util.logging.config.file"
+              value="WEB-INF/logging.properties"/>
+    <property name="google.registry.environment"
+              value="crash"/>
+  </system-properties>
+
+  <!-- Enable external traffic to go through VPC, required for static ip -->
+  <vpc-access-connector>
+    <name>projects/domain-registry-crash/locations/us-central1/connectors/appengine-connector</name>
+    <egress-setting>all-traffic</egress-setting>
+  </vpc-access-connector>
+
+  <static-files>
+    <include path="/*.html" expiration="1m"/>
+  </static-files>
+</appengine-web-app>
@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">

-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
  <service>default</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
  <sessions-enabled>true</sessions-enabled>
  <instance-class>B4_1G</instance-class>
  <basic-scaling>
@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">

-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
  <service>pubapi</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
  <sessions-enabled>true</sessions-enabled>
  <instance-class>B4</instance-class>
  <basic-scaling>
@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">

-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
  <service>tools</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
  <sessions-enabled>true</sessions-enabled>
  <instance-class>B4</instance-class>
  <basic-scaling>
@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">

-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
  <service>backend</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
  <sessions-enabled>true</sessions-enabled>
  <instance-class>B4</instance-class>
  <basic-scaling>
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
+
+  <runtime>java17</runtime>
+  <service>bsa</service>
+  <app-engine-apis>true</app-engine-apis>
+  <sessions-enabled>true</sessions-enabled>
+  <instance-class>B4</instance-class>
+  <basic-scaling>
+    <max-instances>10</max-instances>
+    <idle-timeout>10m</idle-timeout>
+  </basic-scaling>
+
+  <system-properties>
+    <property name="java.util.logging.config.file"
+              value="WEB-INF/logging.properties"/>
+    <property name="google.registry.environment"
+              value="local"/>
+    <property name="appengine.generated.dir"
+              value="/tmp/domain-registry-appengine-generated/local/"/>
+  </system-properties>
+
+  <static-files>
+    <include path="/*.html">
+      <http-header name="Cache-Control" value="max-age=0,must-revalidate" />
+    </include>
+  </static-files>
+</appengine-web-app>
@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">

-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
  <service>default</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
  <sessions-enabled>true</sessions-enabled>
  <instance-class>B4_1G</instance-class>
  <basic-scaling>
@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">

-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
  <service>pubapi</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
  <sessions-enabled>true</sessions-enabled>
  <instance-class>B4</instance-class>
  <basic-scaling>
@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">

-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
  <service>tools</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
  <sessions-enabled>true</sessions-enabled>
  <instance-class>B4</instance-class>
  <basic-scaling>
@@ -3,6 +3,7 @@

  <runtime>java8</runtime>
  <service>backend</service>
+  <!--app-engine-apis>true</app-engine-apis-->
  <threadsafe>true</threadsafe>
  <sessions-enabled>true</sessions-enabled>
  <instance-class>B4_1G</instance-class>
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
+
+  <runtime>java8</runtime>
+  <service>bsa</service>
+  <!--app-engine-apis>true</app-engine-apis-->
+  <threadsafe>true</threadsafe>
+  <sessions-enabled>true</sessions-enabled>
+  <instance-class>B4_1G</instance-class>
+  <basic-scaling>
+    <max-instances>100</max-instances>
+    <idle-timeout>10m</idle-timeout>
+  </basic-scaling>
+
+  <system-properties>
+    <property name="java.util.logging.config.file"
+              value="WEB-INF/logging.properties"/>
+    <property name="google.registry.environment"
+              value="production"/>
+  </system-properties>
+
+  <static-files>
+    <include path="/*.html" expiration="1d"/>
+  </static-files>
+
+  <!-- Prevent uncaught servlet errors from leaking a stack trace. -->
+  <static-error-handlers>
+    <handler file="error.html"/>
+  </static-error-handlers>
+</appengine-web-app>
@@ -3,6 +3,7 @@

  <runtime>java8</runtime>
  <service>default</service>
+  <!--app-engine-apis>true</app-engine-apis-->
  <threadsafe>true</threadsafe>
  <sessions-enabled>true</sessions-enabled>
  <instance-class>B4_1G</instance-class>
@@ -3,6 +3,7 @@

  <runtime>java8</runtime>
  <service>pubapi</service>
+  <!--app-engine-apis>true</app-engine-apis-->
  <threadsafe>true</threadsafe>
  <sessions-enabled>true</sessions-enabled>
  <instance-class>B4_1G</instance-class>
@@ -3,6 +3,7 @@

  <runtime>java8</runtime>
  <service>tools</service>
+  <!--app-engine-apis>true</app-engine-apis-->
  <threadsafe>true</threadsafe>
  <sessions-enabled>true</sessions-enabled>
  <instance-class>B4_1G</instance-class>
@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">

-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
  <service>backend</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
  <sessions-enabled>true</sessions-enabled>
  <instance-class>B4</instance-class>
  <basic-scaling>
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
+
+  <runtime>java17</runtime>
+  <service>bsa</service>
+  <app-engine-apis>true</app-engine-apis>
+  <sessions-enabled>true</sessions-enabled>
+  <instance-class>B4</instance-class>
+  <basic-scaling>
+    <max-instances>10</max-instances>
+    <idle-timeout>10m</idle-timeout>
+  </basic-scaling>
+
+  <system-properties>
+    <property name="java.util.logging.config.file"
+              value="WEB-INF/logging.properties"/>
+    <property name="google.registry.environment"
+              value="qa"/>
+  </system-properties>
+
+  <static-files>
+    <include path="/*.html" expiration="1h"/>
+  </static-files>
+
+    <!-- Enable external traffic to go through VPC, required for static ip -->
+  <vpc-access-connector>
+    <name>projects/domain-registry-qa/locations/us-central1/connectors/appengine-connector</name>
+    <egress-setting>all-traffic</egress-setting>
+  </vpc-access-connector>
+
+  <!-- Prevent uncaught servlet errors from leaking a stack trace. -->
+  <static-error-handlers>
+    <handler file="error.html"/>
+  </static-error-handlers>
+</appengine-web-app>
@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">

-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
  <service>default</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
  <sessions-enabled>true</sessions-enabled>
  <instance-class>F4_1G</instance-class>
  <automatic-scaling>
@@ -59,13 +59,4 @@
    </description>
    <schedule>7 3 * * *</schedule>
  </task>
-
-  <task>
-    <url><![CDATA[/_dr/task/wipeOutCloudSql]]></url>
-    <name>wipeOutCloudSql</name>
-    <description>
-      This job runs an action that deletes all data in Cloud SQL.
-    </description>
-    <schedule>7 3 * * 6</schedule>
-  </task>
 </entries>
@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">

-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
  <service>pubapi</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
  <sessions-enabled>true</sessions-enabled>
  <instance-class>B4</instance-class>
  <basic-scaling>
@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">

-  <runtime>java8</runtime>
+  <runtime>java17</runtime>
  <service>tools</service>
-  <threadsafe>true</threadsafe>
+  <app-engine-apis>true</app-engine-apis>
  <sessions-enabled>true</sessions-enabled>
  <instance-class>B4</instance-class>
  <basic-scaling>
@@ -3,6 +3,7 @@

  <runtime>java8</runtime>
  <service>backend</service>
+  <!--app-engine-apis>true</app-engine-apis-->
  <threadsafe>true</threadsafe>
  <sessions-enabled>true</sessions-enabled>
  <instance-class>B4</instance-class>
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
+
+  <runtime>java8</runtime>
+  <service>bsa</service>
+  <!--app-engine-apis>true</app-engine-apis-->
+  <threadsafe>true</threadsafe>
+  <sessions-enabled>true</sessions-enabled>
+  <instance-class>B4</instance-class>
+  <basic-scaling>
+    <max-instances>100</max-instances>
+    <idle-timeout>10m</idle-timeout>
+  </basic-scaling>
+
+  <system-properties>
+    <property name="java.util.logging.config.file"
+              value="WEB-INF/logging.properties"/>
+    <property name="google.registry.environment"
+              value="sandbox"/>
+  </system-properties>
+
+  <static-files>
+    <include path="/*.html" expiration="1d"/>
+  </static-files>
+
+  <!-- Enable external traffic to go through VPC, required for static ip -->
+  <vpc-access-connector>
+    <name>projects/domain-registry-sandbox/locations/us-central1/connectors/appengine-connector</name>
+    <egress-setting>all-traffic</egress-setting>
+  </vpc-access-connector>
+
+  <!-- Prevent uncaught servlet errors from leaking a stack trace. -->
+  <static-error-handlers>
+    <handler file="error.html"/>
+  </static-error-handlers>
+</appengine-web-app>
@@ -3,6 +3,7 @@

  <runtime>java8</runtime>
  <service>default</service>
+  <!--app-engine-apis>true</app-engine-apis-->
  <threadsafe>true</threadsafe>
  <sessions-enabled>true</sessions-enabled>
  <instance-class>B4_1G</instance-class>
@@ -3,6 +3,7 @@

  <runtime>java8</runtime>
  <service>pubapi</service>
+  <!--app-engine-apis>true</app-engine-apis-->
  <threadsafe>true</threadsafe>
  <sessions-enabled>true</sessions-enabled>
  <instance-class>B4_1G</instance-class>
@@ -3,6 +3,7 @@

  <runtime>java8</runtime>
  <service>tools</service>
+  <!--app-engine-apis>true</app-engine-apis-->
  <threadsafe>true</threadsafe>
  <sessions-enabled>true</sessions-enabled>
  <instance-class>B4</instance-class>
@@ -75,14 +75,6 @@ public class EppRequestHandler {
          && eppOutput.getResponse().getResult().getCode() == SUCCESS_AND_CLOSE) {
        response.setHeader(ProxyHttpHeaders.EPP_SESSION, "close");
      }
-      // If a login request returns a success, a logged-in header is added to the response to inform
-      // the proxy that it is no longer necessary to send the full client certificate to the backend
-      // for this connection.
-      if (eppOutput.isResponse()
-          && eppOutput.getResponse().isLoginResponse()
-          && eppOutput.isSuccess()) {
-        response.setHeader(ProxyHttpHeaders.LOGGED_IN, "true");
-      }
    } catch (Exception e) {
      logger.atWarning().withCause(e).log("handleEppCommand general exception.");
      response.setStatus(SC_BAD_REQUEST);
@@ -29,7 +29,7 @@ import javax.servlet.http.HttpSession;
    service = Action.Service.DEFAULT,
    path = "/_dr/epp",
    method = Method.POST,
-    auth = Auth.AUTH_API_PUBLIC)
+    auth = Auth.AUTH_API_ADMIN)
 public class EppTlsAction implements Runnable {

  @Inject @Payload byte[] inputXmlBytes;
@@ -26,6 +26,7 @@ import com.google.common.net.InetAddresses;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.RegistryConfig.Config;
+import google.registry.config.RegistryEnvironment;
 import google.registry.flows.EppException.AuthenticationErrorException;
 import google.registry.flows.certs.CertificateChecker;
 import google.registry.flows.certs.CertificateChecker.InsecureCertificateException;
@@ -66,11 +67,11 @@ public class TlsCredentials implements TransportCredentials {
  public TlsCredentials(
      @Config("requireSslCertificates") boolean requireSslCertificates,
      @Header(ProxyHttpHeaders.CERTIFICATE_HASH) Optional<String> clientCertificateHash,
-      @Header(ProxyHttpHeaders.IP_ADDRESS) Optional<String> clientAddress,
+      Optional<InetAddress> clientInetAddr,
      CertificateChecker certificateChecker) {
    this.requireSslCertificates = requireSslCertificates;
    this.clientCertificateHash = clientCertificateHash;
-    this.clientInetAddr = clientAddress.map(TlsCredentials::parseInetAddress);
+    this.clientInetAddr = clientInetAddr;
    this.certificateChecker = certificateChecker;
  }

@@ -104,18 +105,25 @@ public class TlsCredentials implements TransportCredentials {
    }
    // In the rare unexpected case that the client inet address wasn't passed along at all, then
    // by default deny access.
-    if (clientInetAddr.isPresent()) {
-      for (CidrAddressBlock cidrAddressBlock : ipAddressAllowList) {
-        if (cidrAddressBlock.contains(clientInetAddr.get())) {
-          // IP address is in allow list; return early.
-          return;
-        }
+    if (!clientInetAddr.isPresent()) {
+      logger.atWarning().log(
+          "Authentication error: Missing IP address for registrar %s.", registrar.getRegistrarId());
+      throw new BadRegistrarIpAddressException(clientInetAddr);
+    }
+    for (CidrAddressBlock cidrAddressBlock : ipAddressAllowList) {
+      if (cidrAddressBlock.contains(clientInetAddr.get())) {
+        // IP address is in allow list; return early.
+        return;
      }
    }
-    logger.atInfo().log(
+    logger.atWarning().log(
        "Authentication error: IP address %s is not allow-listed for registrar %s; allow list is:"
            + " %s",
-        clientInetAddr, registrar.getRegistrarId(), ipAddressAllowList);
+        clientInetAddr,
+        registrar.getRegistrarId(),
+        RegistryEnvironment.get() == RegistryEnvironment.PRODUCTION
+            ? "redacted in production"
+            : ipAddressAllowList);
    throw new BadRegistrarIpAddressException(clientInetAddr);
  }

@@ -232,7 +240,7 @@ public class TlsCredentials implements TransportCredentials {
              ? String.format(
                  "Registrar IP address %s is not in stored allow list",
                  clientInetAddr.get().getHostAddress())
-              : "Registrar IP address is not in stored allow list");
+              : "Registrar IP address is missing");
    }
  }

@@ -249,9 +257,14 @@ public class TlsCredentials implements TransportCredentials {
    }

    @Provides
-    @Header(ProxyHttpHeaders.IP_ADDRESS)
-    static Optional<String> provideIpAddress(HttpServletRequest req) {
-      return extractOptionalHeader(req, ProxyHttpHeaders.IP_ADDRESS);
+    static Optional<InetAddress> provideIpAddress(HttpServletRequest req) {
+      Optional<String> clientAddress = extractOptionalHeader(req, ProxyHttpHeaders.IP_ADDRESS);
+      Optional<String> fallbackClientAddress =
+          extractOptionalHeader(req, ProxyHttpHeaders.IP_ADDRESS);
+      Optional<InetAddress> clientInetAddr = clientAddress.map(TlsCredentials::parseInetAddress);
+      return clientInetAddr.isPresent()
+          ? clientInetAddr
+          : fallbackClientAddress.map(TlsCredentials::parseInetAddress);
    }
  }
 }
@@ -66,7 +66,6 @@ import google.registry.model.domain.DomainCommand.Check;
 import google.registry.model.domain.fee.FeeCheckCommandExtension;
 import google.registry.model.domain.fee.FeeCheckCommandExtensionItem;
 import google.registry.model.domain.fee.FeeCheckResponseExtensionItem;
-import google.registry.model.domain.fee.FeeQueryCommandExtensionItem.CommandName;
 import google.registry.model.domain.fee06.FeeCheckCommandExtensionV06;
 import google.registry.model.domain.launch.LaunchCheckExtension;
 import google.registry.model.domain.token.AllocationToken;
@@ -272,7 +271,7 @@ public final class DomainCheckFlow implements TransactionalFlow {
    ImmutableList.Builder<FeeCheckResponseExtensionItem> responseItems =
        new ImmutableList.Builder<>();
    ImmutableMap<String, Domain> domainObjs =
-        loadDomainsForRestoreChecks(feeCheck, domainNames, existingDomains);
+        loadDomainsForChecks(feeCheck, domainNames, existingDomains);
    ImmutableMap<String, BillingRecurrence> recurrences = loadRecurrencesForDomains(domainObjs);

    for (FeeCheckCommandExtensionItem feeCheckItem : feeCheck.getItems()) {
@@ -335,17 +334,20 @@ public final class DomainCheckFlow implements TransactionalFlow {
  }

  /**
-   * Loads and returns all existing domains that are having restore fees checked.
+   * Loads and returns all existing domains that are having restore/renew/transfer fees checked.
   *
-   * <p>This is necessary so that we can check their expiration dates to determine if a one-year
-   * renewal is part of the cost of a restore.
+   * <p>These need to be loaded for renews and transfers because there could be a relevant {@link
+   * google.registry.model.billing.BillingBase.RenewalPriceBehavior} on the {@link
+   * BillingRecurrence} affecting the price. They also need to be loaded for restores so that we can
+   * check their expiration dates to determine if a one-year renewal is part of the cost of a
+   * restore.
   *
   * <p>This may be resource-intensive for large checks of many restore fees, but those are
   * comparatively rare, and we are at least using an in-memory cache. Also, this will get a lot
   * nicer in Cloud SQL when we can SELECT just the fields we want rather than having to load the
   * entire entity.
   */
-  private ImmutableMap<String, Domain> loadDomainsForRestoreChecks(
+  private ImmutableMap<String, Domain> loadDomainsForChecks(
      FeeCheckCommandExtension<?, ?> feeCheck,
      ImmutableMap<String, InternetDomainName> domainNames,
      ImmutableMap<String, VKey<Domain>> existingDomains) {
@@ -354,18 +356,18 @@ public final class DomainCheckFlow implements TransactionalFlow {
      // The V06 fee extension supports specifying the command fees to check on a per-domain basis.
      restoreCheckDomains =
          feeCheck.getItems().stream()
-              .filter(fc -> fc.getCommandName() == CommandName.RESTORE)
+              .filter(fc -> fc.getCommandName().shouldLoadDomainForCheck())
              .map(FeeCheckCommandExtensionItem::getDomainName)
              .distinct()
              .collect(toImmutableList());
    } else if (feeCheck.getItems().stream()
-        .anyMatch(fc -> fc.getCommandName() == CommandName.RESTORE)) {
+        .anyMatch(fc -> fc.getCommandName().shouldLoadDomainForCheck())) {
      // The more recent fee extension versions support specifying the command fees to check only on
      // the overall domain check, not per-domain.
      restoreCheckDomains = ImmutableList.copyOf(domainNames.keySet());
    } else {
-      // Fall-through case for more recent fee extension versions when the restore fee isn't being
-      // checked.
+      // Fall-through case for more recent fee extension versions when the restore/renew/transfer
+      // fees aren't being checked.
      restoreCheckDomains = ImmutableList.of();
    }

@@ -28,11 +28,17 @@ import google.registry.flows.EppException.CommandUseErrorException;
 import google.registry.flows.EppException.ParameterValuePolicyErrorException;
 import google.registry.flows.EppException.UnimplementedExtensionException;
 import google.registry.flows.EppException.UnimplementedObjectServiceException;
+import google.registry.flows.EppException.UnimplementedProtocolVersionException;
 import google.registry.flows.ExtensionManager;
 import google.registry.flows.FlowModule.RegistrarId;
+import google.registry.flows.FlowUtils.GenericXmlSyntaxErrorException;
 import google.registry.flows.MutatingFlow;
 import google.registry.flows.SessionMetadata;
+import google.registry.flows.TlsCredentials.BadRegistrarCertificateException;
+import google.registry.flows.TlsCredentials.BadRegistrarIpAddressException;
+import google.registry.flows.TlsCredentials.MissingRegistrarCertificateException;
 import google.registry.flows.TransportCredentials;
+import google.registry.flows.TransportCredentials.BadRegistrarPasswordException;
 import google.registry.model.eppcommon.ProtocolDefinition;
 import google.registry.model.eppcommon.ProtocolDefinition.ServiceExtension;
 import google.registry.model.eppinput.EppInput;
@@ -41,6 +47,7 @@ import google.registry.model.eppinput.EppInput.Options;
 import google.registry.model.eppinput.EppInput.Services;
 import google.registry.model.eppoutput.EppResponse;
 import google.registry.model.registrar.Registrar;
+import google.registry.util.PasswordUtils.HashAlgorithm;
 import java.util.Optional;
 import java.util.Set;
 import javax.inject.Inject;
@@ -48,14 +55,14 @@ import javax.inject.Inject;
 /**
 * An EPP flow for login.
 *
- * @error {@link google.registry.flows.EppException.UnimplementedExtensionException}
- * @error {@link google.registry.flows.EppException.UnimplementedObjectServiceException}
- * @error {@link google.registry.flows.EppException.UnimplementedProtocolVersionException}
- * @error {@link google.registry.flows.FlowUtils.GenericXmlSyntaxErrorException}
- * @error {@link google.registry.flows.TlsCredentials.BadRegistrarCertificateException}
- * @error {@link google.registry.flows.TlsCredentials.BadRegistrarIpAddressException}
- * @error {@link google.registry.flows.TlsCredentials.MissingRegistrarCertificateException}
- * @error {@link google.registry.flows.TransportCredentials.BadRegistrarPasswordException}
+ * @error {@link UnimplementedExtensionException}
+ * @error {@link UnimplementedObjectServiceException}
+ * @error {@link UnimplementedProtocolVersionException}
+ * @error {@link GenericXmlSyntaxErrorException}
+ * @error {@link BadRegistrarCertificateException}
+ * @error {@link BadRegistrarIpAddressException}
+ * @error {@link MissingRegistrarCertificateException}
+ * @error {@link BadRegistrarPasswordException}
 * @error {@link LoginFlow.AlreadyLoggedInException}
 * @error {@link BadRegistrarIdException}
 * @error {@link LoginFlow.TooManyFailedLoginsException}
@@ -134,13 +141,24 @@ public class LoginFlow implements MutatingFlow {
    if (!registrar.get().isLive()) {
      throw new RegistrarAccountNotActiveException();
    }
-    if (login.getNewPassword().isPresent()) {
+
+    if (login.getNewPassword().isPresent()
+        || registrar.get().getCurrentHashAlgorithm(login.getPassword()).orElse(null)
+            != HashAlgorithm.SCRYPT) {
+      String newPassword =
+          login
+              .getNewPassword()
+              .orElseGet(
+                  () -> {
+                    logger.atInfo().log("Rehashing existing registrar password with Scrypt");
+                    return login.getPassword();
+                  });
      // Load fresh from database (bypassing the cache) to ensure we don't save stale data.
      Optional<Registrar> freshRegistrar = Registrar.loadByRegistrarId(login.getClientId());
      if (!freshRegistrar.isPresent()) {
        throw new BadRegistrarIdException(login.getClientId());
      }
-      tm().put(freshRegistrar.get().asBuilder().setPassword(login.getNewPassword().get()).build());
+      tm().put(freshRegistrar.get().asBuilder().setPassword(newPassword).build());
    }

    // We are in!
@@ -152,35 +170,35 @@ public class LoginFlow implements MutatingFlow {

  /** Registrar with this ID could not be found. */
  static class BadRegistrarIdException extends AuthenticationErrorException {
-    public BadRegistrarIdException(String registrarId) {
+    BadRegistrarIdException(String registrarId) {
      super("Registrar with this ID could not be found: " + registrarId);
    }
  }

  /** Registrar login failed too many times. */
  static class TooManyFailedLoginsException extends AuthenticationErrorClosingConnectionException {
-    public TooManyFailedLoginsException() {
+    TooManyFailedLoginsException() {
      super("Registrar login failed too many times");
    }
  }

  /** Registrar account is not active. */
  static class RegistrarAccountNotActiveException extends AuthorizationErrorException {
-    public RegistrarAccountNotActiveException() {
+    RegistrarAccountNotActiveException() {
      super("Registrar account is not active");
    }
  }

  /** Registrar is already logged in. */
  static class AlreadyLoggedInException extends CommandUseErrorException {
-    public AlreadyLoggedInException() {
+    AlreadyLoggedInException() {
      super("Registrar is already logged in");
    }
  }

  /** Specified language is not supported. */
  static class UnsupportedLanguageException extends ParameterValuePolicyErrorException {
-    public UnsupportedLanguageException() {
+    UnsupportedLanguageException() {
      super("Specified language is not supported");
    }
  }
@@ -138,6 +138,7 @@ public final class GmailClient {
        BodyPart attachmentPart = new MimeBodyPart();
        attachmentPart.setContent(attachment.content(), attachment.contentType().toString());
        attachmentPart.setFileName(attachment.filename());
+        attachmentPart.setDisposition(MimeBodyPart.ATTACHMENT);
        multipart.addBodyPart(attachmentPart);
      }
      msg.addRecipients(RecipientType.BCC, toArray(emailMessage.bccs(), Address.class));
--- a/Show More
+++ b/Show More