Use downloaded Gradle distribution on Cloud Build (#2918)

This way we get around the http url and no longer needs public access on
the GCS bucket.

core/src/main/java/google/registry/flows/domain/DomainClaimsCheckFlow.java

@@ -108,7 +108,8 @@ public final class DomainClaimsCheckFlow implements TransactionalFlow {
           verifyClaimsPeriodNotEnded(tld, now);
         }
       }
-      Optional<String> claimKey = ClaimsListDao.get().getClaimKey(parsedDomain.parts().get(0));
+      Optional<String> claimKey =
+          ClaimsListDao.get(tldStr).getClaimKey(parsedDomain.parts().get(0));
       launchChecksBuilder.add(
           LaunchCheck.create(
               LaunchCheckName.create(claimKey.isPresent(), domainName), claimKey.orElse(null)));

core/src/main/java/google/registry/flows/domain/DomainCreateFlow.java

@@ -280,7 +280,7 @@ public final class DomainCreateFlow implements MutatingFlow {
       checkAllowedAccessToTld(registrarId, tld.getTldStr());
       checkHasBillingAccount(registrarId, tld.getTldStr());
       boolean isValidReservedCreate = isValidReservedCreate(domainName, allocationToken);
-      ClaimsList claimsList = ClaimsListDao.get();
+      ClaimsList claimsList = ClaimsListDao.get(tld.getTldStr());
       verifyIsGaOrSpecialCase(
           tld,
           claimsList,
@@ -312,7 +312,8 @@ public final class DomainCreateFlow implements MutatingFlow {
       // at this point so that we can verify it before the "after validation" extension point.
       signedMarkId =
           tmchUtils
-              .verifySignedMarks(launchCreate.get().getSignedMarks(), domainLabel, now)
+              .verifySignedMarks(
+                  tld.getTldStr(), launchCreate.get().getSignedMarks(), domainLabel, now)
               .getId();
     }
     verifyNotBlockedByBsa(domainName, tld, now, allocationToken);

core/src/main/java/google/registry/flows/domain/DomainFlowTmchUtils.java

@@ -55,7 +55,7 @@ public final class DomainFlowTmchUtils {
   }
 
   public SignedMark verifySignedMarks(
-      ImmutableList<AbstractSignedMark> signedMarks, String domainLabel, DateTime now)
+      String tld, ImmutableList<AbstractSignedMark> signedMarks, String domainLabel, DateTime now)
       throws EppException {
     if (signedMarks.size() > 1) {
       throw new TooManySignedMarksException();
@@ -64,7 +64,7 @@ public final class DomainFlowTmchUtils {
       throw new SignedMarksMustBeEncodedException();
     }
     SignedMark signedMark =
-        verifyEncodedSignedMark((EncodedSignedMark) signedMarks.get(0), now);
+        verifyEncodedSignedMark(tld, (EncodedSignedMark) signedMarks.get(0), now);
     return verifySignedMarkValidForDomainLabel(signedMark, domainLabel);
   }
 
@@ -76,8 +76,9 @@ public final class DomainFlowTmchUtils {
     return signedMark;
   }
 
-  public SignedMark verifyEncodedSignedMark(EncodedSignedMark encodedSignedMark, DateTime now)
-      throws EppException {
+  // TODO(b/412715713): remove the tld parameter when RST completes.
+  public SignedMark verifyEncodedSignedMark(
+      String tld, EncodedSignedMark encodedSignedMark, DateTime now) throws EppException {
     if (!encodedSignedMark.getEncoding().equals("base64")) {
       throw new Base64RequiredForEncodedSignedMarksException();
     }
@@ -95,7 +96,7 @@ public final class DomainFlowTmchUtils {
       throw new SignedMarkParsingErrorException();
     }
 
-    if (SignedMarkRevocationList.get().isSmdRevoked(signedMark.getId(), now)) {
+    if (SignedMarkRevocationList.get(tld).isSmdRevoked(signedMark.getId(), now)) {
       throw new SignedMarkRevokedErrorException();
     }
 

core/src/main/java/google/registry/flows/domain/DomainFlowUtils.java

@@ -218,7 +218,7 @@ public class DomainFlowUtils {
     return domainName;
   }
 
-  private static void validateFirstLabel(String firstLabel) throws EppException {
+  public static void validateFirstLabel(String firstLabel) throws EppException {
     if (firstLabel.length() > MAX_LABEL_SIZE) {
       throw new DomainLabelTooLongException();
     }

core/src/main/java/google/registry/flows/host/HostCheckFlow.java

@@ -65,6 +65,7 @@ public final class HostCheckFlow implements TransactionalFlow {
         ForeignKeyUtils.loadKeys(Host.class, hostnames, clock.nowUtc()).keySet();
     ImmutableList.Builder<HostCheck> checks = new ImmutableList.Builder<>();
     for (String hostname : hostnames) {
+      HostFlowUtils.validateHostName(hostname);
       boolean unused = !existingIds.contains(hostname);
       checks.add(HostCheck.create(unused, hostname, unused ? null : "In use"));
     }

core/src/main/java/google/registry/flows/host/HostFlowUtils.java

@@ -14,12 +14,14 @@
 
 package google.registry.flows.host;
 
+import static google.registry.flows.domain.DomainFlowUtils.validateFirstLabel;
 import static google.registry.model.EppResourceUtils.isActive;
 import static google.registry.model.tld.Tlds.findTldForName;
 import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
 import static java.util.stream.Collectors.joining;
 
 import com.google.common.base.Ascii;
+import com.google.common.base.CharMatcher;
 import com.google.common.net.InternetDomainName;
 import google.registry.flows.EppException;
 import google.registry.flows.EppException.AuthorizationErrorException;
@@ -38,6 +40,10 @@ import org.joda.time.DateTime;
 /** Static utility functions for host flows. */
 public class HostFlowUtils {
 
+  /** Validator for ASCII lowercase letters, digits, and "-_", allowing "." as a separator */
+  private static final CharMatcher HOST_NAME_ALLOWED_CHARS =
+      CharMatcher.inRange('a', 'z').or(CharMatcher.inRange('0', '9').or(CharMatcher.anyOf("-._")));
+
   /** Checks that a host name is valid. */
   public static InternetDomainName validateHostName(String name) throws EppException {
     checkArgumentNotNull(name, "Must specify host name to validate");
@@ -53,6 +59,9 @@ public class HostFlowUtils {
       if (!name.equals(hostNamePunyCoded)) {
         throw new HostNameNotPunyCodedException(hostNamePunyCoded);
       }
+      if (!HOST_NAME_ALLOWED_CHARS.matchesAllOf(name)) {
+        throw new BadHostNameCharacterException();
+      }
       InternetDomainName hostName = InternetDomainName.from(name);
       if (!name.equals(hostName.toString())) {
         throw new HostNameNotNormalizedException(hostName.toString());
@@ -71,6 +80,7 @@ public class HostFlowUtils {
       if (hostName.parts().size() < effectiveTld.parts().size() + 2) {
         throw new HostNameTooShallowException();
       }
+      validateFirstLabel(hostName.parts().getFirst());
       return hostName;
     } catch (IllegalArgumentException e) {
       throw new InvalidHostNameException();
@@ -180,4 +190,11 @@ public class HostFlowUtils {
           String.format("Host names must be in normalized format; expected %s", expectedHostName));
     }
   }
+
+  /** Host names can only contain a-z, 0-9, '.', '_', and '-'. */
+  static class BadHostNameCharacterException extends ParameterValueSyntaxErrorException {
+    public BadHostNameCharacterException() {
+      super("Host names can only contain a-z, 0-9, '.', '_', and '-'");
+    }
+  }
 }

core/src/main/java/google/registry/model/smd/SignedMarkRevocationList.java

@@ -21,6 +21,7 @@ import static google.registry.util.DateTimeUtils.isBeforeOrAt;
 import com.google.common.base.Supplier;
 import com.google.common.collect.ImmutableMap;
 import google.registry.model.ImmutableObject;
+import google.registry.tmch.RstTmchUtils;
 import jakarta.persistence.CollectionTable;
 import jakarta.persistence.Column;
 import jakarta.persistence.ElementCollection;
@@ -71,6 +72,11 @@ public class SignedMarkRevocationList extends ImmutableObject {
     return CACHE.get();
   }
 
+  // TODO(b/412715713): remove the tld parameter when RST completes.
+  public static SignedMarkRevocationList get(String tld) {
+    return RstTmchUtils.getSmdrList(tld).orElseGet(SignedMarkRevocationList::get);
+  }
+
   /** Create a new {@link SignedMarkRevocationList} without saving it. */
   public static SignedMarkRevocationList create(
       DateTime creationTime, ImmutableMap<String, DateTime> revokes) {

core/src/main/java/google/registry/model/tmch/ClaimsListDao.java

@@ -22,6 +22,7 @@ import com.github.benmanes.caffeine.cache.LoadingCache;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.ImmutableMap;
 import google.registry.model.CacheUtils;
+import google.registry.tmch.RstTmchUtils;
 import java.time.Duration;
 import java.util.Optional;
 
@@ -72,6 +73,11 @@ public class ClaimsListDao {
     return CACHE.get(ClaimsListDao.class);
   }
 
+  // TODO(b/412715713): remove the tld parameter when RST completes.
+  public static ClaimsList get(String tld) {
+    return RstTmchUtils.getClaimsList(tld).orElseGet(ClaimsListDao::get);
+  }
+
   /**
    * Returns the most recent revision of the {@link ClaimsList} in SQL or an empty list if it
    * doesn't exist.

core/src/main/java/google/registry/tmch/RstTmchUtils.java

@@ -0,0 +1,120 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.tmch;
+
+import static com.google.common.base.Suppliers.memoize;
+import static com.google.common.io.Resources.getResource;
+import static com.google.common.io.Resources.readLines;
+import static google.registry.tmch.RstTmchUtils.RstEnvironment.OTE;
+import static google.registry.tmch.RstTmchUtils.RstEnvironment.PROD;
+import static google.registry.util.RegistryEnvironment.SANDBOX;
+import static java.nio.charset.StandardCharsets.UTF_8;
+
+import com.google.common.base.Supplier;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.flogger.FluentLogger;
+import google.registry.model.smd.SignedMarkRevocationList;
+import google.registry.model.tmch.ClaimsList;
+import google.registry.util.RegistryEnvironment;
+import java.io.IOException;
+import java.net.URL;
+import java.util.Locale;
+import java.util.Optional;
+
+/**
+ * Utilities supporting TMCH-related RST testing in the Sandbox environment.
+ *
+ * <p>For logistic reasons we must conduct RST testing in the Sandbox environments. RST tests
+ * require the use of special labels hosted on their website. To isolate these labels from regular
+ * customers conducting onboarding tests, we manually download the test files as resources, and
+ * serve them up only to RST TLDs.
+ */
+public class RstTmchUtils {
+  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
+
+  /**
+   * The RST environments.
+   *
+   * <p>We conduct both OTE and PROD RST tests in Sandbox.
+   */
+  enum RstEnvironment {
+    OTE,
+    PROD
+  }
+
+  private static final ImmutableMap<RstEnvironment, Supplier<Optional<ClaimsList>>> CLAIMS_CACHE =
+      ImmutableMap.of(
+          OTE, memoize(() -> getClaimsList(OTE)), PROD, memoize(() -> getClaimsList(PROD)));
+
+  private static final ImmutableMap<RstEnvironment, Supplier<Optional<SignedMarkRevocationList>>>
+      SMDRL_CACHE =
+          ImmutableMap.of(
+              OTE, memoize(() -> getSmdrList(OTE)), PROD, memoize(() -> getSmdrList(PROD)));
+
+  /** Returns appropriate test labels if {@code tld} is for RST testing; otherwise returns empty. */
+  public static Optional<ClaimsList> getClaimsList(String tld) {
+    return getRstEnvironment(tld).map(CLAIMS_CACHE::get).flatMap(Supplier::get);
+  }
+
+  /** Returns appropriate test labels if {@code tld} is for RST testing; otherwise returns empty. */
+  public static Optional<SignedMarkRevocationList> getSmdrList(String tld) {
+    return getRstEnvironment(tld).map(SMDRL_CACHE::get).flatMap(Supplier::get);
+  }
+
+  static Optional<RstEnvironment> getRstEnvironment(String tld) {
+    if (!RegistryEnvironment.get().equals(SANDBOX)) {
+      return Optional.empty();
+    }
+    if (tld.startsWith("cc-rst-test-")) {
+      return Optional.of(OTE);
+    }
+    if (tld.startsWith("zz--")) {
+      return Optional.of(PROD);
+    }
+    return Optional.empty();
+  }
+
+  private static Optional<ClaimsList> getClaimsList(RstEnvironment rstEnvironment) {
+    if (!RegistryEnvironment.get().equals(SANDBOX)) {
+      return Optional.empty();
+    }
+    String resourceName = rstEnvironment.name().toLowerCase(Locale.ROOT) + ".rst.dnl.csv";
+    URL resource = getResource(RstTmchUtils.class, resourceName);
+    try {
+      return Optional.of(ClaimsListParser.parse(readLines(resource, UTF_8)));
+    } catch (IOException e) {
+      // Do not throw.
+      logger.atSevere().withCause(e).log(
+          "Could not load Claims list %s for %s in Sandbox.", resourceName, rstEnvironment);
+      return Optional.empty();
+    }
+  }
+
+  private static Optional<SignedMarkRevocationList> getSmdrList(RstEnvironment rstEnvironment) {
+    if (!RegistryEnvironment.get().equals(SANDBOX)) {
+      return Optional.empty();
+    }
+    String resourceName = rstEnvironment.name().toLowerCase(Locale.ROOT) + ".rst.smdrl.csv";
+    URL resource = getResource(RstTmchUtils.class, resourceName);
+    try {
+      return Optional.of(SmdrlCsvParser.parse(readLines(resource, UTF_8)));
+    } catch (IOException e) {
+      // Do not throw.
+      logger.atSevere().withCause(e).log(
+          "Could not load SMDR list %s for %s in Sandbox.", resourceName, rstEnvironment);
+      return Optional.empty();
+    }
+  }
+}

core/src/main/resources/google/registry/tmch/ote.rst.dnl.csv

@@ -0,0 +1,10 @@
+1,2024-09-13T02:21:12.0Z
+DNL,lookup-key,insertion-datetime
+test---validate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z
+test--validate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z
+test-and-validate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z
+test-andvalidate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z
+test-validate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z
+testand-validate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z
+testandvalidate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z
+testvalidate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z

core/src/main/resources/google/registry/tmch/ote.rst.smdrl.csv

@@ -0,0 +1,7 @@
+1,2022-11-22T01:49:36.9Z
+smd-id,insertion-datetime
+0000001761385117375880-65535,2013-07-15T00:00:00.0Z
+0000001751501056761969-65535,2017-07-26T10:12:41.9Z
+000000541526299609231-65535,2018-05-14T17:52:23.7Z
+000000541602140609520-65535,2020-10-08T07:07:25.0Z
+000000541669081776937-65535,2022-11-22T01:49:36.9Z

core/src/main/resources/google/registry/tmch/prod.rst.dnl.csv

@@ -0,0 +1,10 @@
+1,2024-09-13T02:21:12.0Z
+DNL,lookup-key,insertion-datetime
+test---validate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z
+test--validate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z
+test-and-validate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z
+test-andvalidate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z
+test-validate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z
+testand-validate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z
+testandvalidate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z
+testvalidate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z

core/src/main/resources/google/registry/tmch/prod.rst.smdrl.csv

@@ -0,0 +1,7 @@
+1,2022-11-22T01:49:36.9Z
+smd-id,insertion-datetime
+0000001761385117375880-65535,2013-07-15T00:00:00.0Z
+0000001751501056761969-65535,2017-07-26T10:12:41.9Z
+000000541526299609231-65535,2018-05-14T17:52:23.7Z
+000000541602140609520-65535,2020-10-08T07:07:25.0Z
+000000541669081776937-65535,2022-11-22T01:49:36.9Z

core/src/test/java/google/registry/flows/host/HostCheckFlowTest.java

@@ -20,7 +20,9 @@ import static google.registry.testing.DatabaseHelper.persistDeletedHost;
 import static google.registry.testing.EppExceptionSubject.assertAboutEppExceptions;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
+import com.google.common.collect.ImmutableMap;
 import google.registry.flows.EppException;
+import google.registry.flows.EppException.ParameterValueSyntaxErrorException;
 import google.registry.flows.FlowUtils.NotLoggedInException;
 import google.registry.flows.ResourceCheckFlowTestCase;
 import google.registry.flows.exceptions.TooManyResourceChecksException;
@@ -95,4 +97,36 @@ class HostCheckFlowTest extends ResourceCheckFlowTestCase<HostCheckFlow, Host> {
     runFlow();
     assertIcannReportingActivityFieldLogged("srs-host-check");
   }
+
+  @Test
+  void testFailure_dotHost() throws Exception {
+    setEppInput("host_check_generic.xml", ImmutableMap.of("HOSTNAME", ".host"));
+    assertAboutEppExceptions()
+        .that(assertThrows(ParameterValueSyntaxErrorException.class, this::runFlow))
+        .marshalsToXml();
+  }
+
+  @Test
+  void testFailure_dashHost() {
+    setEppInput("host_check_generic.xml", ImmutableMap.of("HOSTNAME", "-host"));
+    assertAboutEppExceptions()
+        .that(assertThrows(ParameterValueSyntaxErrorException.class, this::runFlow))
+        .marshalsToXml();
+  }
+
+  @Test
+  void testFailure_underscoreHost() {
+    setEppInput("host_check_generic.xml", ImmutableMap.of("HOSTNAME", "_host"));
+    assertAboutEppExceptions()
+        .that(assertThrows(ParameterValueSyntaxErrorException.class, this::runFlow))
+        .marshalsToXml();
+  }
+
+  @Test
+  void testFailure_hostDash() {
+    setEppInput("host_check_generic.xml", ImmutableMap.of("HOSTNAME", "host-"));
+    assertAboutEppExceptions()
+        .that(assertThrows(ParameterValueSyntaxErrorException.class, this::runFlow))
+        .marshalsToXml();
+  }
 }

core/src/test/java/google/registry/flows/host/HostCreateFlowTest.java

@@ -39,12 +39,12 @@ import google.registry.flows.exceptions.ResourceAlreadyExistsForThisClientExcept
 import google.registry.flows.exceptions.ResourceCreateContentionException;
 import google.registry.flows.host.HostCreateFlow.SubordinateHostMustHaveIpException;
 import google.registry.flows.host.HostCreateFlow.UnexpectedExternalHostIpException;
+import google.registry.flows.host.HostFlowUtils.BadHostNameCharacterException;
 import google.registry.flows.host.HostFlowUtils.HostNameNotLowerCaseException;
 import google.registry.flows.host.HostFlowUtils.HostNameNotNormalizedException;
 import google.registry.flows.host.HostFlowUtils.HostNameNotPunyCodedException;
 import google.registry.flows.host.HostFlowUtils.HostNameTooLongException;
 import google.registry.flows.host.HostFlowUtils.HostNameTooShallowException;
-import google.registry.flows.host.HostFlowUtils.InvalidHostNameException;
 import google.registry.flows.host.HostFlowUtils.SuperordinateDomainDoesNotExistException;
 import google.registry.flows.host.HostFlowUtils.SuperordinateDomainInPendingDeleteException;
 import google.registry.model.ForeignKeyUtils;
@@ -286,7 +286,7 @@ class HostCreateFlowTest extends ResourceFlowTestCase<HostCreateFlow, Host> {
 
   @Test
   void testFailure_badCharacter() {
-    doFailingHostNameTest("foo bar", InvalidHostNameException.class);
+    doFailingHostNameTest("foo bar", BadHostNameCharacterException.class);
   }
 
   @Test

core/src/test/java/google/registry/flows/host/HostUpdateFlowTest.java

@@ -54,13 +54,13 @@ import google.registry.flows.ResourceFlowUtils.ResourceNotOwnedException;
 import google.registry.flows.ResourceFlowUtils.StatusNotClientSettableException;
 import google.registry.flows.exceptions.ResourceHasClientUpdateProhibitedException;
 import google.registry.flows.exceptions.ResourceStatusProhibitsOperationException;
+import google.registry.flows.host.HostFlowUtils.BadHostNameCharacterException;
 import google.registry.flows.host.HostFlowUtils.HostDomainNotOwnedException;
 import google.registry.flows.host.HostFlowUtils.HostNameNotLowerCaseException;
 import google.registry.flows.host.HostFlowUtils.HostNameNotNormalizedException;
 import google.registry.flows.host.HostFlowUtils.HostNameNotPunyCodedException;
 import google.registry.flows.host.HostFlowUtils.HostNameTooLongException;
 import google.registry.flows.host.HostFlowUtils.HostNameTooShallowException;
-import google.registry.flows.host.HostFlowUtils.InvalidHostNameException;
 import google.registry.flows.host.HostFlowUtils.SuperordinateDomainDoesNotExistException;
 import google.registry.flows.host.HostFlowUtils.SuperordinateDomainInPendingDeleteException;
 import google.registry.flows.host.HostUpdateFlow.CannotAddIpToExternalHostException;
@@ -1259,7 +1259,7 @@ class HostUpdateFlowTest extends ResourceFlowTestCase<HostUpdateFlow, Host> {
 
   @Test
   void testFailure_renameToBadCharacter() throws Exception {
-    doFailingHostNameTest("foo bar", InvalidHostNameException.class);
+    doFailingHostNameTest("foo bar", BadHostNameCharacterException.class);
   }
 
   @Test

core/src/test/java/google/registry/rdap/RdapNameserverActionTest.java

@@ -74,7 +74,9 @@ class RdapNameserverActionTest extends RdapActionBaseTestCase<RdapNameserverActi
         .that(generateActualJson("invalid/host/name"))
         .isEqualTo(
             generateExpectedJsonError(
-                "invalid/host/name is not a valid nameserver: Invalid host name", 400));
+                "invalid/host/name is not a valid nameserver: Host names can only contain a-z, 0-9,"
+                    + " '.', '_', and '-'",
+                400));
     assertThat(response.getStatus()).isEqualTo(400);
   }
 

core/src/test/java/google/registry/tmch/RstTmchUtilsIntTest.java

@@ -0,0 +1,161 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.tmch;
+
+import static com.google.common.truth.Truth.assertThat;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+import static google.registry.util.RegistryEnvironment.PRODUCTION;
+import static google.registry.util.RegistryEnvironment.SANDBOX;
+import static org.joda.time.DateTime.now;
+import static org.joda.time.DateTimeZone.UTC;
+
+import com.google.common.base.Splitter;
+import google.registry.model.smd.SignedMarkRevocationList;
+import google.registry.model.smd.SignedMarkRevocationListDao;
+import google.registry.model.tmch.ClaimsListDao;
+import google.registry.persistence.transaction.JpaTestExtensions;
+import google.registry.testing.FakeClock;
+import google.registry.util.RegistryEnvironment;
+import java.util.stream.Stream;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.extension.RegisterExtension;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
+
+public class RstTmchUtilsIntTest {
+  private final FakeClock clock = new FakeClock();
+
+  @RegisterExtension
+  final JpaTestExtensions.JpaIntegrationTestExtension jpa =
+      new JpaTestExtensions.Builder().withClock(clock).buildIntegrationTestExtension();
+
+  private static final String TMCH_CLAIM_LABEL = "tmch";
+  // RST label found in *.rst.dnl.csv resources. Currently both files are identical
+  private static final String RST_CLAIM_LABEL = "test--validate";
+
+  private static final String TMCH_SMD_ID = "tmch";
+  // RST label found in *.rst.smdrl.csv resources. Currently both files are identical
+  private static final String RST_SMD_ID = "0000001761385117375880-65535";
+
+  private static final String TMCH_DNL =
+      """
+      1,2024-09-13T02:21:12.0Z
+      DNL,lookup-key,insertion-datetime
+      LABEL,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z
+      """
+          .replace("LABEL", TMCH_CLAIM_LABEL);
+
+  private static final String TMCH_SMDRL =
+      """
+      1,2022-11-22T01:49:36.9Z
+      smd-id,insertion-datetime
+      ID,2013-07-15T00:00:00.0Z
+      """
+          .replace("ID", TMCH_SMD_ID);
+
+  @BeforeEach
+  void setup() throws Exception {
+    Splitter lineSplitter = Splitter.on("\n").omitEmptyStrings().trimResults();
+    tm().transact(
+            () -> ClaimsListDao.save(ClaimsListParser.parse(lineSplitter.splitToList(TMCH_DNL))));
+    tm().transact(
+            () ->
+                SignedMarkRevocationListDao.save(
+                    SmdrlCsvParser.parse(lineSplitter.splitToList(TMCH_SMDRL))));
+  }
+
+  @ParameterizedTest
+  @MethodSource("provideTestCases")
+  @SuppressWarnings("unused") // testCaseName
+  void getClaimsList_production(String testCaseName, String tld) {
+    var currEnv = RegistryEnvironment.get();
+    try {
+      PRODUCTION.setup();
+      var claimsList = ClaimsListDao.get(tld);
+      assertThat(claimsList.getClaimKey(TMCH_CLAIM_LABEL)).isPresent();
+      assertThat(claimsList.getClaimKey(RST_CLAIM_LABEL)).isEmpty();
+    } finally {
+      currEnv.setup();
+    }
+  }
+
+  @ParameterizedTest
+  @MethodSource("provideTestCases")
+  @SuppressWarnings("unused") // testCaseName
+  void getSmdrList_production(String testCaseName, String tld) {
+    var currEnv = RegistryEnvironment.get();
+    try {
+      PRODUCTION.setup();
+      var smdrl = SignedMarkRevocationList.get(tld);
+      assertThat(smdrl.isSmdRevoked(TMCH_SMD_ID, now(UTC))).isTrue();
+      assertThat(smdrl.isSmdRevoked(RST_SMD_ID, now(UTC))).isFalse();
+      assertThat(smdrl.size()).isEqualTo(1);
+    } finally {
+      currEnv.setup();
+    }
+  }
+
+  @ParameterizedTest
+  @MethodSource("provideTestCases")
+  @SuppressWarnings("unused") // testCaseName
+  void getClaimsList_sandbox(String testCaseName, String tld) {
+    var currEnv = RegistryEnvironment.get();
+    try {
+      SANDBOX.setup();
+      var claimsList = ClaimsListDao.get(tld);
+      if (tld.equals("app")) {
+        assertThat(claimsList.getClaimKey(TMCH_CLAIM_LABEL)).isPresent();
+        assertThat(claimsList.getClaimKey(RST_CLAIM_LABEL)).isEmpty();
+      } else {
+        assertThat(claimsList.getClaimKey(TMCH_CLAIM_LABEL)).isEmpty();
+        // Currently ote and prod have the same data.
+        assertThat(claimsList.getClaimKey(RST_CLAIM_LABEL)).isPresent();
+      }
+    } finally {
+      currEnv.setup();
+    }
+  }
+
+  @ParameterizedTest
+  @MethodSource("provideTestCases")
+  @SuppressWarnings("unused") // testCaseName
+  void getSmdrList_sandbox(String testCaseName, String tld) {
+    var currEnv = RegistryEnvironment.get();
+    try {
+      SANDBOX.setup();
+      var smdrList = SignedMarkRevocationList.get(tld);
+      if (tld.equals("app")) {
+        assertThat(smdrList.size()).isEqualTo(1);
+        assertThat(smdrList.isSmdRevoked(TMCH_SMD_ID, now(UTC))).isTrue();
+        assertThat(smdrList.isSmdRevoked(RST_SMD_ID, now(UTC))).isFalse();
+      } else {
+        // Currently ote and prod have the same data.
+        assertThat(smdrList.size()).isEqualTo(5);
+        assertThat(smdrList.isSmdRevoked(TMCH_SMD_ID, now())).isFalse();
+        assertThat(smdrList.isSmdRevoked(RST_SMD_ID, now())).isTrue();
+      }
+    } finally {
+      currEnv.setup();
+    }
+  }
+
+  private static Stream<Arguments> provideTestCases() {
+    return Stream.of(
+        Arguments.of("NotRST", "app"),
+        Arguments.of("OTE", "cc-rst-test-tld-1"),
+        Arguments.of("PROD", "zz--idn-123"));
+  }
+}

core/src/test/java/google/registry/tmch/RstTmchUtilsTest.java

@@ -0,0 +1,117 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.tmch;
+
+import static com.google.common.truth.Truth.assertThat;
+import static google.registry.tmch.RstTmchUtils.getClaimsList;
+import static google.registry.tmch.RstTmchUtils.getSmdrList;
+import static google.registry.util.RegistryEnvironment.PRODUCTION;
+import static google.registry.util.RegistryEnvironment.SANDBOX;
+
+import google.registry.util.RegistryEnvironment;
+import java.util.stream.Stream;
+import org.joda.time.DateTime;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
+
+public class RstTmchUtilsTest {
+
+  @ParameterizedTest
+  @MethodSource("provideTestCases")
+  @SuppressWarnings("unused") // testCaseName
+  void getClaimsList_production(String testCaseName, String tld) {
+    var currEnv = RegistryEnvironment.get();
+    try {
+      PRODUCTION.setup();
+      assertThat(getClaimsList(tld)).isEmpty();
+    } finally {
+      currEnv.setup();
+    }
+  }
+
+  @ParameterizedTest
+  @MethodSource("provideTestCases")
+  @SuppressWarnings("unused") // testCaseName
+  void getSmdrList_production(String testCaseName, String tld) {
+    var currEnv = RegistryEnvironment.get();
+    try {
+      PRODUCTION.setup();
+      assertThat(getSmdrList(tld)).isEmpty();
+    } finally {
+      currEnv.setup();
+    }
+  }
+
+  @ParameterizedTest
+  @MethodSource("provideTestCases")
+  @SuppressWarnings("unused") // testCaseName
+  void getClaimsList_sandbox(String testCaseName, String tld) {
+    var currEnv = RegistryEnvironment.get();
+    try {
+      SANDBOX.setup();
+      var claimsListOptional = getClaimsList(tld);
+      if (tld.equals("app")) {
+        assertThat(claimsListOptional).isEmpty();
+      } else {
+        // Currently ote and prod have the same data.
+        var claimsList = claimsListOptional.get();
+        assertThat(claimsList.getClaimKey("test-and-validate")).isPresent();
+        var labelsToKeys = claimsList.getLabelsToKeys();
+        assertThat(labelsToKeys).hasSize(8);
+        assertThat(labelsToKeys)
+            .containsEntry(
+                "test---validate", "2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001");
+      }
+    } finally {
+      currEnv.setup();
+    }
+  }
+
+  @ParameterizedTest
+  @MethodSource("provideTestCases")
+  @SuppressWarnings("unused") // testCaseName
+  void getSmdrList_sandbox(String testCaseName, String tld) {
+    var currEnv = RegistryEnvironment.get();
+    try {
+      SANDBOX.setup();
+      var smdrListOptional = getSmdrList(tld);
+      if (tld.equals("app")) {
+        assertThat(smdrListOptional).isEmpty();
+      } else {
+        // Currently ote and prod have the same data.
+        var smdrList = smdrListOptional.get();
+        assertThat(smdrList.size()).isEqualTo(5);
+        assertThat(
+                smdrList.isSmdRevoked(
+                    "000000541526299609231-65535", DateTime.parse("2018-05-14T17:52:23.6Z")))
+            .isFalse();
+        assertThat(
+                smdrList.isSmdRevoked(
+                    "000000541526299609231-65535", DateTime.parse("2018-05-14T17:52:23.7Z")))
+            .isTrue();
+      }
+    } finally {
+      currEnv.setup();
+    }
+  }
+
+  private static Stream<Arguments> provideTestCases() {
+    return Stream.of(
+        Arguments.of("NotRST", "app"),
+        Arguments.of("OTE", "cc-rst-test-tld-1"),
+        Arguments.of("PROD", "zz--idn-123"));
+  }
+}

core/src/test/java/google/registry/tmch/TmchTestDataExpirationTest.java

@@ -57,7 +57,7 @@ class TmchTestDataExpirationTest {
     String tmchData = loadFile(TmchTestDataExpirationTest.class, filePath);
     EncodedSignedMark smd = TmchData.readEncodedSignedMark(tmchData);
     try {
-      tmchUtils.verifyEncodedSignedMark(smd, DateTime.now(UTC));
+      tmchUtils.verifyEncodedSignedMark("", smd, DateTime.now(UTC));
     } catch (EppException e) {
       throw new AssertionError("Error verifying signed mark " + filePath, e);
     }

core/src/test/resources/google/registry/flows/host/host_check_50.xml

@@ -3,56 +3,56 @@
     <check>
       <host:check
        xmlns:host="urn:ietf:params:xml:ns:host-1.0">
-        <host:name>www1.tld</host:name>
-        <host:name>www2.tld</host:name>
-        <host:name>www3.tld</host:name>
-        <host:name>www4.tld</host:name>
-        <host:name>www5.tld</host:name>
-        <host:name>www6.tld</host:name>
-        <host:name>www7.tld</host:name>
-        <host:name>www8.tld</host:name>
-        <host:name>www9.tld</host:name>
-        <host:name>www10.tld</host:name>
-        <host:name>www11.tld</host:name>
-        <host:name>www12.tld</host:name>
-        <host:name>www13.tld</host:name>
-        <host:name>www14.tld</host:name>
-        <host:name>www15.tld</host:name>
-        <host:name>www16.tld</host:name>
-        <host:name>www17.tld</host:name>
-        <host:name>www18.tld</host:name>
-        <host:name>www19.tld</host:name>
-        <host:name>www20.tld</host:name>
-        <host:name>www21.tld</host:name>
-        <host:name>www22.tld</host:name>
-        <host:name>www23.tld</host:name>
-        <host:name>www24.tld</host:name>
-        <host:name>www25.tld</host:name>
-        <host:name>www26.tld</host:name>
-        <host:name>www27.tld</host:name>
-        <host:name>www28.tld</host:name>
-        <host:name>www29.tld</host:name>
-        <host:name>www30.tld</host:name>
-        <host:name>www31.tld</host:name>
-        <host:name>www32.tld</host:name>
-        <host:name>www33.tld</host:name>
-        <host:name>www34.tld</host:name>
-        <host:name>www35.tld</host:name>
-        <host:name>www36.tld</host:name>
-        <host:name>www37.tld</host:name>
-        <host:name>www38.tld</host:name>
-        <host:name>www39.tld</host:name>
-        <host:name>www40.tld</host:name>
-        <host:name>www41.tld</host:name>
-        <host:name>www42.tld</host:name>
-        <host:name>www43.tld</host:name>
-        <host:name>www44.tld</host:name>
-        <host:name>www45.tld</host:name>
-        <host:name>www46.tld</host:name>
-        <host:name>www47.tld</host:name>
-        <host:name>www48.tld</host:name>
-        <host:name>www49.tld</host:name>
-        <host:name>www50.tld</host:name>
+        <host:name>ns1.www1.tld</host:name>
+        <host:name>ns1.www2.tld</host:name>
+        <host:name>ns1.www3.tld</host:name>
+        <host:name>ns1.www4.tld</host:name>
+        <host:name>ns1.www5.tld</host:name>
+        <host:name>ns1.www6.tld</host:name>
+        <host:name>ns1.www7.tld</host:name>
+        <host:name>ns1.www8.tld</host:name>
+        <host:name>ns1.www9.tld</host:name>
+        <host:name>ns1.www10.tld</host:name>
+        <host:name>ns1.www11.tld</host:name>
+        <host:name>ns1.www12.tld</host:name>
+        <host:name>ns1.www13.tld</host:name>
+        <host:name>ns1.www14.tld</host:name>
+        <host:name>ns1.www15.tld</host:name>
+        <host:name>ns1.www16.tld</host:name>
+        <host:name>ns1.www17.tld</host:name>
+        <host:name>ns1.www18.tld</host:name>
+        <host:name>ns1.www19.tld</host:name>
+        <host:name>ns1.www20.tld</host:name>
+        <host:name>ns1.www21.tld</host:name>
+        <host:name>ns1.www22.tld</host:name>
+        <host:name>ns1.www23.tld</host:name>
+        <host:name>ns1.www24.tld</host:name>
+        <host:name>ns1.www25.tld</host:name>
+        <host:name>ns1.www26.tld</host:name>
+        <host:name>ns1.www27.tld</host:name>
+        <host:name>ns1.www28.tld</host:name>
+        <host:name>ns1.www29.tld</host:name>
+        <host:name>ns1.www30.tld</host:name>
+        <host:name>ns1.www31.tld</host:name>
+        <host:name>ns1.www32.tld</host:name>
+        <host:name>ns1.www33.tld</host:name>
+        <host:name>ns1.www34.tld</host:name>
+        <host:name>ns1.www35.tld</host:name>
+        <host:name>ns1.www36.tld</host:name>
+        <host:name>ns1.www37.tld</host:name>
+        <host:name>ns1.www38.tld</host:name>
+        <host:name>ns1.www39.tld</host:name>
+        <host:name>ns1.www40.tld</host:name>
+        <host:name>ns1.www41.tld</host:name>
+        <host:name>ns1.www42.tld</host:name>
+        <host:name>ns1.www43.tld</host:name>
+        <host:name>ns1.www44.tld</host:name>
+        <host:name>ns1.www45.tld</host:name>
+        <host:name>ns1.www46.tld</host:name>
+        <host:name>ns1.www47.tld</host:name>
+        <host:name>ns1.www48.tld</host:name>
+        <host:name>ns1.www49.tld</host:name>
+        <host:name>ns1.www50.tld</host:name>
       </host:check>
     </check>
     <clTRID>ABC-12345</clTRID>

core/src/test/resources/google/registry/flows/host/host_check_generic.xml

@@ -0,0 +1,11 @@
+<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
+    <command>
+        <check>
+            <host:check
+                    xmlns:host="urn:ietf:params:xml:ns:host-1.0">
+                <host:name>%HOSTNAME%</host:name>
+            </host:check>
+        </check>
+        <clTRID>ABC-12345</clTRID>
+    </command>
+</epp>

release/cloudbuild-dev-resource.yaml

@@ -9,6 +9,9 @@
 # To trigger a build automatically, follow the instructions below and add a trigger:
 # https://cloud.google.com/cloud-build/docs/running-builds/automate-builds
 steps:
+# Download saved Gradle distribution from GCS and install it.
+- name: 'gcr.io/${PROJECT_ID}/builder:live'
+  entrypoint: ./release/install_gradle.sh
 # Compile javadoc
 - name: 'gcr.io/${PROJECT_ID}/builder:live'
   entrypoint: /bin/bash

release/cloudbuild-kythe.yaml

@@ -41,6 +41,7 @@ steps:
     export KYTHE_OUTPUT_DIRECTORY="$${PWD}/kythe_output"
     mkdir -p $${KYTHE_OUTPUT_DIRECTORY}
     mkdir -p $${KYTHE_OUTPUT_DIRECTORY}/merged
+    ./release/install_gradle.sh
     ./gradlew clean testClasses \
       -Dno_werror=true -PenableCrossReferencing=true
 # Merge kzip files

release/cloudbuild-nomulus.yaml

@@ -7,6 +7,9 @@ steps:
 # Create a directory to store the artifacts
 - name: 'gcr.io/${PROJECT_ID}/builder:latest'
   args: ['mkdir', 'nomulus']
+# Download saved Gradle distribution from GCS and install it.
+- name: 'gcr.io/${PROJECT_ID}/builder:latest'
+  entrypoint: ./release/install_gradle.sh
 # Run tests
 - name: 'gcr.io/${PROJECT_ID}/builder:latest'
   # Set home for Gradle caches. Must be consistent with last step below

release/cloudbuild-proxy.yaml

@@ -7,6 +7,9 @@
 # To trigger a build automatically, follow the instructions below and add a trigger:
 # https://cloud.google.com/cloud-build/docs/running-builds/automate-builds
 steps:
+# Download saved Gradle distribution from GCS and install it.
+- name: 'gcr.io/${PROJECT_ID}/builder:latest'
+  entrypoint: ./release/install_gradle.sh
 # Build the proxy docker image.
 - name: 'gcr.io/${PROJECT_ID}/builder:latest'
   args:

release/cloudbuild-release.yaml

@@ -265,7 +265,6 @@ steps:
       fi
     else
       gcloud storage cp $gradle_bin gs://${gcs_loc}/
-      gcloud storage objects update --predefined-acl=publicRead gs://${gcs_loc}/${gradle_bin}
     fi
     rm ${gradle_bin}
     sed -i s%services.gradle.org/distributions%storage.googleapis.com/${gcs_loc}% \

release/install_gradle.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+# Copyright 2019 The Nomulus Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# This script should be invoked from the Gradle root. It downloads the
+# gradle distribution saved on GCS, and sets Gradle's distribution URL
+# to the local copy. This is necessary since when accessing a GCS bucket
+# using http, the bucket must have public access, which is forbidden by
+# our policy.
+
+set -e
+
+gradle_url=$(grep distributionUrl gradle/wrapper/gradle-wrapper.properties \
+  | awk -F = '{print $2}' | sed 's/\\//g')
+gradle_bin=$(basename $gradle_url)
+gcs_loc="domain-registry-maven-repository/gradle"
+
+gcloud storage cp "gs://${gcs_loc}/${gradle_bin}" .
+local_url="file\\\://${PWD}/${gradle_bin}"
+sed -i "s#distributionUrl=.*#distributionUrl=${local_url}#" \
+  gradle/wrapper/gradle-wrapper.properties