Bypass SCRYPT hashing in tests (#2262 )

SCRYPT is much computationally heavier than SHA265 (by design), which resulted in test run time doubling due to most tests initializing canned data that uses hashing. Since out tests are not verifying the correctness of a specific hashing algorithm anyway, this PR makes it so that simple concatenation is used in tests. Also moved RegistryEnvironment to the util subproject so it can be called by PasswordUtils, which makes sense as it is a utility class.
Add type conversion to TimedTransitionProperty<Money> deserializer to handle JPY currency (#2258 )
2026-02-11 07:11:40 +00:00 · 2023-12-21 16:17:37 -05:00 · 2023-12-21 12:59:54 -05:00 · 2023-12-20 15:37:29 -05:00 · 2023-12-20 15:20:04 -05:00 · 2023-12-18 11:03:33 -05:00
78 changed files with 946 additions and 287 deletions
--- a/console-webapp/src/app/app.module.ts
+++ b/console-webapp/src/app/app.module.ts
@@ -49,15 +49,14 @@ import { SettingsWidgetComponent } from './home/widgets/settingsWidget.component
 import { UserDataService } from './shared/services/userData.service';
 import WhoisComponent from './settings/whois/whois.component';
 import { SnackBarModule } from './snackbar.module';
-import {
-  RegistrarDetailsComponent,
-  RegistrarDetailsWrapperComponent,
-} from './registrar/registrarDetails.component';
+import { RegistrarDetailsComponent } from './registrar/registrarDetails.component';
 import { DomainListComponent } from './domains/domainList.component';
+import { DialogBottomSheetWrapper } from './shared/components/dialogBottomSheet.component';

@NgModule({
  declarations: [
    AppComponent,
+    DialogBottomSheetWrapper,
    BillingWidgetComponent,
    ContactDetailsDialogComponent,
    ContactWidgetComponent,
@@ -70,7 +69,6 @@ import { DomainListComponent } from './domains/domainList.component';
    PromotionsWidgetComponent,
    RegistrarComponent,
    RegistrarDetailsComponent,
-    RegistrarDetailsWrapperComponent,
    RegistrarSelectorComponent,
    ResourcesWidgetComponent,
    SecurityComponent,
--- a/console-webapp/src/app/domains/domainList.component.html
+++ b/console-webapp/src/app/domains/domainList.component.html
@@ -1,7 +1,13 @@
 <div class="console-domains">
  <mat-form-field>
    <mat-label>Filter</mat-label>
-    <input matInput (keyup)="applyFilter($event)" #input />
+    <input
+      type="search"
+      matInput
+      [(ngModel)]="searchTerm"
+      (ngModelChange)="sendInput()"
+      #input
+    />
  </mat-form-field>

  <div *ngIf="isLoading; else domains_content" class="console-domains__loading">
--- a/console-webapp/src/app/domains/domainList.component.ts
+++ b/console-webapp/src/app/domains/domainList.component.ts
@@ -18,6 +18,7 @@ import { BackendService } from '../shared/services/backend.service';
 import { MatPaginator, PageEvent } from '@angular/material/paginator';
 import { RegistrarService } from '../registrar/registrar.service';
 import { Domain, DomainListService } from './domainList.service';
+import { Subject, debounceTime } from 'rxjs';

@Component({
  selector: 'app-domain-list',
@@ -27,6 +28,7 @@ import { Domain, DomainListService } from './domainList.service';
 })
 export class DomainListComponent {
  public static PATH = 'domain-list';
+  private readonly DEBOUNCE_MS = 500;

  displayedColumns: string[] = [
    'domainName',
@@ -38,6 +40,9 @@ export class DomainListComponent {
  dataSource: MatTableDataSource<Domain> = new MatTableDataSource();
  isLoading = true;

+  searchTermSubject = new Subject<string>();
+  searchTerm?: string;
+
  pageNumber?: number;
  resultsPerPage = 50;
  totalResults?: number;
@@ -52,13 +57,28 @@ export class DomainListComponent {

  ngOnInit() {
    this.dataSource.paginator = this.paginator;
+    // Don't spam the server unnecessarily while the user is typing
+    this.searchTermSubject
+      .pipe(debounceTime(this.DEBOUNCE_MS))
+      .subscribe((searchTermValue) => {
+        this.reloadData();
+      });
    this.reloadData();
  }

+  ngOnDestroy() {
+    this.searchTermSubject.complete();
+  }
+
  reloadData() {
    this.isLoading = true;
    this.domainListService
-      .retrieveDomains(this.pageNumber, this.resultsPerPage, this.totalResults)
+      .retrieveDomains(
+        this.pageNumber,
+        this.resultsPerPage,
+        this.totalResults,
+        this.searchTerm
+      )
      .subscribe((domainListResult) => {
        this.dataSource.data = domainListResult.domains;
        this.totalResults = domainListResult.totalResults;
@@ -66,10 +86,8 @@ export class DomainListComponent {
      });
  }

-  /** TODO: the backend will need to accept a filter string. */
-  applyFilter(event: KeyboardEvent) {
-    // const filterValue = (event.target as HTMLInputElement).value;
-    this.reloadData();
+  sendInput() {
+    this.searchTermSubject.next(this.searchTerm!);
  }

  onPageChange(event: PageEvent) {
--- a/console-webapp/src/app/domains/domainList.service.ts
+++ b/console-webapp/src/app/domains/domainList.service.ts
@@ -47,7 +47,8 @@ export class DomainListService {
  retrieveDomains(
    pageNumber?: number,
    resultsPerPage?: number,
-    totalResults?: number
+    totalResults?: number,
+    searchTerm?: string
  ) {
    return this.backendService
      .getDomains(
@@ -55,7 +56,8 @@ export class DomainListService {
        this.checkpointTime,
        pageNumber,
        resultsPerPage,
-        totalResults
+        totalResults,
+        searchTerm
      )
      .pipe(
        tap((domainListResult: DomainListResult) => {
--- a/console-webapp/src/app/registrar/registrarDetails.component.html
+++ b/console-webapp/src/app/registrar/registrarDetails.component.html
@@ -1,7 +1,7 @@
-<div class="registrarDetails">
+<div class="registrarDetails" *ngIf="registrarInEdit">
  <h3 mat-dialog-title>Edit Registrar: {{ registrarInEdit.registrarId }}</h3>
  <div mat-dialog-content>
-    <form (ngSubmit)="saveAndClose($event)">
+    <form (ngSubmit)="saveAndClose()">
      <mat-form-field class="registrarDetails__input">
        <mat-label>Registry Lock:</mat-label>
        <mat-select
@@ -32,7 +32,7 @@
        />
      </mat-form-field>
      <mat-dialog-actions>
-        <button mat-button (click)="onCancel($event)">Cancel</button>
+        <button mat-button (click)="this.params?.close()">Cancel</button>
        <button type="submit" mat-button color="primary">Save</button>
      </mat-dialog-actions>
    </form>
--- a/console-webapp/src/app/registrar/registrarDetails.component.ts
+++ b/console-webapp/src/app/registrar/registrarDetails.component.ts
@@ -12,61 +12,38 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-import { Component, Injector } from '@angular/core';
+import { Component } from '@angular/core';
 import { Registrar, RegistrarService } from './registrar.service';
-import { BreakpointObserver } from '@angular/cdk/layout';
-import {
-  MAT_BOTTOM_SHEET_DATA,
-  MatBottomSheet,
-  MatBottomSheetRef,
-} from '@angular/material/bottom-sheet';
-import {
-  MAT_DIALOG_DATA,
-  MatDialog,
-  MatDialogRef,
-} from '@angular/material/dialog';
 import { MatChipInputEvent } from '@angular/material/chips';
+import { DialogBottomSheetContent } from '../shared/components/dialogBottomSheet.component';

-const MOBILE_LAYOUT_BREAKPOINT = '(max-width: 599px)';
+type RegistrarDetailsParams = {
+  close: Function;
+  data: {
+    registrar: Registrar;
+  };
+};

@Component({
  selector: 'app-registrar-details',
  templateUrl: './registrarDetails.component.html',
  styleUrls: ['./registrarDetails.component.scss'],
 })
-export class RegistrarDetailsComponent {
+export class RegistrarDetailsComponent implements DialogBottomSheetContent {
  registrarInEdit!: Registrar;
-  private elementRef:
-    | MatBottomSheetRef<RegistrarDetailsComponent>
-    | MatDialogRef<RegistrarDetailsComponent>;
+  params?: RegistrarDetailsParams;

-  constructor(
-    protected registrarService: RegistrarService,
-    private injector: Injector
-  ) {
-    // We only inject one, either Dialog or Bottom Sheet data
-    // so one of the injectors is expected to fail
-    try {
-      var params = this.injector.get(MAT_DIALOG_DATA);
-      this.elementRef = this.injector.get(MatDialogRef);
-    } catch (e) {
-      var params = this.injector.get(MAT_BOTTOM_SHEET_DATA);
-      this.elementRef = this.injector.get(MatBottomSheetRef);
-    }
-    this.registrarInEdit = JSON.parse(JSON.stringify(params.registrar));
+  constructor(protected registrarService: RegistrarService) {}
+
+  init(params: RegistrarDetailsParams) {
+    this.params = params;
+    this.registrarInEdit = JSON.parse(
+      JSON.stringify(this.params.data.registrar)
+    );
  }

-  onCancel(e: MouseEvent) {
-    if (this.elementRef instanceof MatBottomSheetRef) {
-      this.elementRef.dismiss();
-    } else if (this.elementRef instanceof MatDialogRef) {
-      this.elementRef.close();
-    }
-  }
-
-  saveAndClose(e: MouseEvent) {
-    // TODO: Implement save call to API
-    this.onCancel(e);
+  saveAndClose() {
+    this.params?.close();
  }

  addTLD(e: MatChipInputEvent) {
@@ -82,24 +59,3 @@ export class RegistrarDetailsComponent {
    );
  }
 }
-
-@Component({
-  selector: 'app-registrar-details-wrapper',
-  template: '',
-})
-export class RegistrarDetailsWrapperComponent {
-  constructor(
-    private dialog: MatDialog,
-    private bottomSheet: MatBottomSheet,
-    protected breakpointObserver: BreakpointObserver
-  ) {}
-
-  open(registrar: Registrar) {
-    const config = { data: { registrar } };
-    if (this.breakpointObserver.isMatched(MOBILE_LAYOUT_BREAKPOINT)) {
-      this.bottomSheet.open(RegistrarDetailsComponent, config);
-    } else {
-      this.dialog.open(RegistrarDetailsComponent, config);
-    }
-  }
-}
--- a/console-webapp/src/app/registrar/registrarsTable.component.html
+++ b/console-webapp/src/app/registrar/registrarsTable.component.html
@@ -48,7 +48,7 @@
    [pageSizeOptions]="[5, 10, 20]"
    showFirstLastButtons
  ></mat-paginator>
-  <app-registrar-details-wrapper
+  <app-dialog-bottom-sheet-wrapper
    #registrarDetailsView
-  ></app-registrar-details-wrapper>
+  ></app-dialog-bottom-sheet-wrapper>
 </div>
--- a/console-webapp/src/app/registrar/registrarsTable.component.ts
+++ b/console-webapp/src/app/registrar/registrarsTable.component.ts
@@ -17,7 +17,8 @@ import { Registrar, RegistrarService } from './registrar.service';
 import { MatPaginator } from '@angular/material/paginator';
 import { MatSort } from '@angular/material/sort';
 import { MatTableDataSource } from '@angular/material/table';
-import { RegistrarDetailsWrapperComponent } from './registrarDetails.component';
+import { RegistrarDetailsComponent } from './registrarDetails.component';
+import { DialogBottomSheetWrapper } from '../shared/components/dialogBottomSheet.component';

@Component({
  selector: 'app-registrar',
@@ -82,7 +83,7 @@ export class RegistrarComponent {
  @ViewChild(MatPaginator) paginator!: MatPaginator;
  @ViewChild(MatSort) sort!: MatSort;
  @ViewChild('registrarDetailsView')
-  detailsComponentWrapper!: RegistrarDetailsWrapperComponent;
+  detailsComponentWrapper!: DialogBottomSheetWrapper;

  constructor(protected registrarService: RegistrarService) {
    this.dataSource = new MatTableDataSource<Registrar>(
@@ -97,7 +98,10 @@ export class RegistrarComponent {

  openDetails(event: MouseEvent, registrar: Registrar) {
    event.stopPropagation();
-    this.detailsComponentWrapper.open(registrar);
+    this.detailsComponentWrapper.open<RegistrarDetailsComponent>(
+      RegistrarDetailsComponent,
+      { registrar }
+    );
  }

  applyFilter(event: Event) {
--- a/console-webapp/src/app/settings/contact/contact.component.html
+++ b/console-webapp/src/app/settings/contact/contact.component.html
@@ -41,4 +41,7 @@
      <mat-icon>add</mat-icon>Create a Contact
    </button>
  </div>
+  <app-dialog-bottom-sheet-wrapper
+    #contactDetailsWrapper
+  ></app-dialog-bottom-sheet-wrapper>
 </div>
--- a/console-webapp/src/app/settings/contact/contact.component.ts
+++ b/console-webapp/src/app/settings/contact/contact.component.ts
@@ -12,21 +12,14 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-import { Component, Inject } from '@angular/core';
-import {
-  MatDialog,
-  MAT_DIALOG_DATA,
-  MatDialogRef,
-} from '@angular/material/dialog';
-import {
-  MatBottomSheet,
-  MAT_BOTTOM_SHEET_DATA,
-  MatBottomSheetRef,
-} from '@angular/material/bottom-sheet';
+import { Component, ViewChild } from '@angular/core';
 import { Contact, ContactService } from './contact.service';
-import { BreakpointObserver } from '@angular/cdk/layout';
 import { HttpErrorResponse } from '@angular/common/http';
 import { MatSnackBar } from '@angular/material/snack-bar';
+import {
+  DialogBottomSheetContent,
+  DialogBottomSheetWrapper,
+} from 'src/app/shared/components/dialogBottomSheet.component';

 enum Operations {
  DELETE,
@@ -40,7 +33,13 @@ interface GroupedContacts {
  contacts: Array<Contact>;
 }

-let isMobile: boolean;
+type ContactDetailsParams = {
+  close: Function;
+  data: {
+    contact: Contact;
+    operation: Operations;
+  };
+};

 const contactTypes: Array<GroupedContacts> = [
  { value: 'ADMIN', label: 'Primary contact', contacts: [] },
@@ -52,72 +51,46 @@ const contactTypes: Array<GroupedContacts> = [
  { value: 'WHOIS', label: 'WHOIS-Inquiry contact', contacts: [] },
 ];

-class ContactDetailsEventsResponder {
-  private ref?: MatDialogRef<any> | MatBottomSheetRef;
-  constructor() {
-    this.onClose = this.onClose.bind(this);
-  }
-
-  setRef(ref: MatDialogRef<any> | MatBottomSheetRef) {
-    this.ref = ref;
-  }
-
-  onClose() {
-    if (this.ref == undefined) {
-      throw "Reference to ContactDetailsDialogComponent hasn't been set. ";
-    }
-    if (this.ref instanceof MatBottomSheetRef) {
-      this.ref.dismiss();
-    } else if (this.ref instanceof MatDialogRef) {
-      this.ref.close();
-    }
-  }
-}
-
@Component({
  selector: 'app-contact-details-dialog',
  templateUrl: 'contactDetails.component.html',
  styleUrls: ['./contact.component.scss'],
 })
-export class ContactDetailsDialogComponent {
-  contact: Contact;
+export class ContactDetailsDialogComponent implements DialogBottomSheetContent {
+  contact?: Contact;
  contactTypes = contactTypes;
-  operation: Operations;
-  contactIndex: number;
-  onCloseCallback: Function;
+  contactIndex?: number;
+
+  params?: ContactDetailsParams;

  constructor(
    public contactService: ContactService,
-    private _snackBar: MatSnackBar,
-    @Inject(isMobile ? MAT_BOTTOM_SHEET_DATA : MAT_DIALOG_DATA)
-    public data: {
-      onClose: Function;
-      contact: Contact;
-      operation: Operations;
-    }
-  ) {
-    this.onCloseCallback = data.onClose;
-    this.contactIndex = contactService.contacts.findIndex(
-      (c) => c === data.contact
+    private _snackBar: MatSnackBar
+  ) {}
+
+  init(params: ContactDetailsParams) {
+    this.params = params;
+    this.contactIndex = this.contactService.contacts.findIndex(
+      (c) => c === params.data.contact
    );
-    this.contact = JSON.parse(JSON.stringify(data.contact));
-    this.operation = data.operation;
+    this.contact = JSON.parse(JSON.stringify(params.data.contact));
  }

-  onClose(e: MouseEvent) {
-    e.preventDefault();
-    this.onCloseCallback.call(this);
+  close() {
+    this.params?.close();
  }

  saveAndClose(e: SubmitEvent) {
    e.preventDefault();
+    if (!this.contact || this.contactIndex === undefined) return;
    if (!(e.target as HTMLFormElement).checkValidity()) {
      return;
    }
+    const operation = this.params?.data.operation;
    let operationObservable;
-    if (this.operation === Operations.ADD) {
+    if (operation === Operations.ADD) {
      operationObservable = this.contactService.addContact(this.contact);
-    } else if (this.operation === Operations.UPDATE) {
+    } else if (operation === Operations.UPDATE) {
      operationObservable = this.contactService.updateContact(
        this.contactIndex,
        this.contact
@@ -127,7 +100,7 @@ export class ContactDetailsDialogComponent {
    }

    operationObservable.subscribe({
-      complete: this.onCloseCallback.bind(this),
+      complete: () => this.close(),
      error: (err: HttpErrorResponse) => {
        this._snackBar.open(err.error);
      },
@@ -143,11 +116,11 @@ export class ContactDetailsDialogComponent {
 export default class ContactComponent {
  public static PATH = 'contact';

+  @ViewChild('contactDetailsWrapper')
+  detailsComponentWrapper!: DialogBottomSheetWrapper;
+
  loading: boolean = false;
  constructor(
-    private dialog: MatDialog,
-    private bottomSheet: MatBottomSheet,
-    private breakpointObserver: BreakpointObserver,
    public contactService: ContactService,
    private _snackBar: MatSnackBar
  ) {
@@ -195,20 +168,9 @@ export default class ContactComponent {
    operation: Operations = Operations.UPDATE
  ) {
    e.preventDefault();
-    // TODO: handle orientation change
-    isMobile = this.breakpointObserver.isMatched('(max-width: 599px)');
-    const responder = new ContactDetailsEventsResponder();
-    const config = { data: { onClose: responder.onClose, contact, operation } };
-
-    if (isMobile) {
-      const bottomSheetRef = this.bottomSheet.open(
-        ContactDetailsDialogComponent,
-        config
-      );
-      responder.setRef(bottomSheetRef);
-    } else {
-      const dialogRef = this.dialog.open(ContactDetailsDialogComponent, config);
-      responder.setRef(dialogRef);
-    }
+    this.detailsComponentWrapper.open<ContactDetailsDialogComponent>(
+      ContactDetailsDialogComponent,
+      { contact, operation }
+    );
  }
 }
--- a/console-webapp/src/app/settings/contact/contact.service.ts
+++ b/console-webapp/src/app/settings/contact/contact.service.ts
@@ -45,7 +45,7 @@ export class ContactService {
    return this.backend
      .getContacts(this.registrarService.activeRegistrarId)
      .pipe(
-        tap((contacts) => {
+        tap((contacts = []) => {
          this.contacts = contacts;
        })
      );
--- a/console-webapp/src/app/settings/contact/contactDetails.component.html
+++ b/console-webapp/src/app/settings/contact/contactDetails.component.html
@@ -1,5 +1,5 @@
 <h3 mat-dialog-title>Contact details</h3>
-<div mat-dialog-content>
+<div mat-dialog-content *ngIf="contact">
  <form (ngSubmit)="saveAndClose($event)">
    <p>
      <mat-form-field class="contact-details__input">
@@ -97,7 +97,7 @@
      >
    </section>
    <mat-dialog-actions>
-      <button mat-button (click)="onClose($event)">Cancel</button>
+      <button mat-button (click)="close()">Cancel</button>
      <button type="submit" mat-button>Save</button>
    </mat-dialog-actions>
  </form>
--- a/console-webapp/src/app/shared/components/dialogBottomSheet.component.ts
+++ b/console-webapp/src/app/shared/components/dialogBottomSheet.component.ts
@@ -0,0 +1,69 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { BreakpointObserver } from '@angular/cdk/layout';
+import { ComponentType } from '@angular/cdk/portal';
+import { Component } from '@angular/core';
+import {
+  MatBottomSheet,
+  MatBottomSheetRef,
+} from '@angular/material/bottom-sheet';
+import { MatDialog, MatDialogRef } from '@angular/material/dialog';
+
+const MOBILE_LAYOUT_BREAKPOINT = '(max-width: 599px)';
+
+export interface DialogBottomSheetContent {
+  init(data: Object): void;
+}
+
+/**
+ * Wraps up a child component in an Angular Material Dalog for desktop or a Bottom Sheet
+ * component for mobile depending on a screen resolution, with Breaking Point being 599px.
+ * Child component is required to implement @see DialogBottomSheetContent interface
+ */
+@Component({
+  selector: 'app-dialog-bottom-sheet-wrapper',
+  template: '',
+})
+export class DialogBottomSheetWrapper {
+  private elementRef?: MatBottomSheetRef | MatDialogRef<any>;
+
+  constructor(
+    private dialog: MatDialog,
+    private bottomSheet: MatBottomSheet,
+    protected breakpointObserver: BreakpointObserver
+  ) {}
+
+  open<T extends DialogBottomSheetContent>(
+    component: ComponentType<T>,
+    data: any
+  ) {
+    const config = { data, close: () => this.close() };
+    if (this.breakpointObserver.isMatched(MOBILE_LAYOUT_BREAKPOINT)) {
+      this.elementRef = this.bottomSheet.open(component);
+      this.elementRef.instance.init(config);
+    } else {
+      this.elementRef = this.dialog.open(component);
+      this.elementRef.componentInstance.init(config);
+    }
+  }
+
+  close() {
+    if (this.elementRef instanceof MatBottomSheetRef) {
+      this.elementRef.dismiss();
+    } else if (this.elementRef instanceof MatDialogRef) {
+      this.elementRef.close();
+    }
+  }
+}
--- a/console-webapp/src/app/shared/services/backend.service.ts
+++ b/console-webapp/src/app/shared/services/backend.service.ts
@@ -69,7 +69,8 @@ export class BackendService {
    checkpointTime?: string,
    pageNumber?: number,
    resultsPerPage?: number,
-    totalResults?: number
+    totalResults?: number,
+    searchTerm?: string
  ): Observable<DomainListResult> {
    var url = `/console-api/domain-list?registrarId=${registrarId}`;
    if (checkpointTime) {
@@ -84,6 +85,9 @@ export class BackendService {
    if (totalResults) {
      url += `&totalResults=${totalResults}`;
    }
+    if (searchTerm) {
+      url += `&searchTerm=${searchTerm}`;
+    }
    return this.http
      .get<DomainListResult>(url)
      .pipe(catchError((err) => this.errorCatcher<DomainListResult>(err)));
--- a/core/src/main/java/google/registry/batch/DeleteLoadTestDataAction.java
+++ b/core/src/main/java/google/registry/batch/DeleteLoadTestDataAction.java
@@ -17,15 +17,14 @@ package google.registry.batch;
 import static com.google.common.base.Preconditions.checkState;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static google.registry.batch.BatchModule.PARAM_DRY_RUN;
-import static google.registry.config.RegistryEnvironment.PRODUCTION;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.POST;
 import static google.registry.util.DateTimeUtils.END_OF_TIME;
+import static google.registry.util.RegistryEnvironment.PRODUCTION;

 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.flogger.FluentLogger;
-import google.registry.config.RegistryEnvironment;
 import google.registry.flows.poll.PollFlowUtils;
 import google.registry.model.EppResource;
 import google.registry.model.EppResourceUtils;
@@ -40,6 +39,7 @@ import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import javax.inject.Inject;

 /**
--- a/core/src/main/java/google/registry/batch/DeleteProberDataAction.java
+++ b/core/src/main/java/google/registry/batch/DeleteProberDataAction.java
@@ -18,13 +18,13 @@ import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.base.Preconditions.checkState;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static google.registry.batch.BatchModule.PARAM_DRY_RUN;
-import static google.registry.config.RegistryEnvironment.PRODUCTION;
 import static google.registry.dns.DnsUtils.requestDomainDnsRefresh;
 import static google.registry.model.reporting.HistoryEntry.Type.DOMAIN_DELETE;
 import static google.registry.model.tld.Tlds.getTldsOfType;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.POST;
 import static google.registry.request.RequestParameters.PARAM_TLDS;
+import static google.registry.util.RegistryEnvironment.PRODUCTION;

 import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableList;
@@ -32,7 +32,6 @@ import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Sets;
 import com.google.common.flogger.FluentLogger;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.CreateAutoTimestamp;
 import google.registry.model.EppResourceUtils;
 import google.registry.model.domain.Domain;
@@ -41,6 +40,7 @@ import google.registry.model.tld.Tld.TldType;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
+import google.registry.util.RegistryEnvironment;
 import java.util.concurrent.atomic.AtomicInteger;
 import javax.inject.Inject;
 import org.hibernate.CacheMode;
--- a/core/src/main/java/google/registry/batch/ExpandBillingRecurrencesAction.java
+++ b/core/src/main/java/google/registry/batch/ExpandBillingRecurrencesAction.java
@@ -31,7 +31,6 @@ import com.google.common.collect.ImmutableMap;
 import com.google.common.flogger.FluentLogger;
 import google.registry.beam.billing.ExpandBillingRecurrencesPipeline;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.billing.BillingEvent;
 import google.registry.model.billing.BillingRecurrence;
 import google.registry.model.common.Cursor;
@@ -40,6 +39,7 @@ import google.registry.request.Parameter;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import java.io.IOException;
 import java.util.Optional;
 import javax.inject.Inject;
--- a/core/src/main/java/google/registry/batch/ResaveAllEppResourcesPipelineAction.java
+++ b/core/src/main/java/google/registry/batch/ResaveAllEppResourcesPipelineAction.java
@@ -27,12 +27,12 @@ import com.google.common.collect.ImmutableMap;
 import com.google.common.flogger.FluentLogger;
 import com.google.common.net.MediaType;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import javax.inject.Inject;

 /**
--- a/core/src/main/java/google/registry/batch/WipeOutContactHistoryPiiAction.java
+++ b/core/src/main/java/google/registry/batch/WipeOutContactHistoryPiiAction.java
@@ -28,7 +28,6 @@ import com.google.common.flogger.FluentLogger;
 import com.google.common.net.MediaType;
 import google.registry.beam.wipeout.WipeOutContactHistoryPiiPipeline;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.contact.ContactHistory;
 import google.registry.request.Action;
 import google.registry.request.Action.Service;
@@ -36,6 +35,7 @@ import google.registry.request.Parameter;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import java.io.IOException;
 import java.util.Optional;
 import javax.inject.Inject;
--- a/core/src/main/java/google/registry/beam/common/RegistryPipelineOptions.java
+++ b/core/src/main/java/google/registry/beam/common/RegistryPipelineOptions.java
@@ -14,9 +14,9 @@

 package google.registry.beam.common;

-import google.registry.config.RegistryEnvironment;
 import google.registry.persistence.PersistenceModule.JpaTransactionManagerType;
 import google.registry.persistence.PersistenceModule.TransactionIsolationLevel;
+import google.registry.util.RegistryEnvironment;
 import java.util.Objects;
 import javax.annotation.Nullable;
 import org.apache.beam.sdk.extensions.gcp.options.GcpOptions;
--- a/core/src/main/java/google/registry/beam/common/RegistryPipelineWorkerInitializer.java
+++ b/core/src/main/java/google/registry/beam/common/RegistryPipelineWorkerInitializer.java
@@ -19,10 +19,10 @@ import static google.registry.beam.common.RegistryPipelineOptions.toRegistryPipe
 import com.google.auto.service.AutoService;
 import com.google.common.flogger.FluentLogger;
 import dagger.Lazy;
-import google.registry.config.RegistryEnvironment;
-import google.registry.config.SystemPropertySetter;
 import google.registry.persistence.transaction.JpaTransactionManager;
 import google.registry.persistence.transaction.TransactionManagerFactory;
+import google.registry.util.RegistryEnvironment;
+import google.registry.util.SystemPropertySetter;
 import org.apache.beam.sdk.harness.JvmInitializer;
 import org.apache.beam.sdk.options.PipelineOptions;

--- a/core/src/main/java/google/registry/bsa/persistence/BsaDomainRefresh.java
+++ b/core/src/main/java/google/registry/bsa/persistence/BsaDomainRefresh.java
@@ -0,0 +1,117 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.persistence;
+
+import static google.registry.bsa.persistence.BsaDomainRefresh.Stage.MAKE_DIFF;
+
+import com.google.common.base.Objects;
+import google.registry.model.CreateAutoTimestamp;
+import google.registry.model.UpdateAutoTimestamp;
+import google.registry.persistence.VKey;
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import org.joda.time.DateTime;
+
+/**
+ * Records of completed and ongoing refresh actions, which recomputes the set of unblockable domains
+ * and reports changes to BSA.
+ *
+ * <p>The refresh action only handles registered and reserved domain names. Invalid names only
+ * change status when the IDN tables change, and will be handled by a separate tool when it happens.
+ */
+@Entity
+public class BsaDomainRefresh {
+
+  @Id
+  @GeneratedValue(strategy = GenerationType.IDENTITY)
+  Long jobId;
+
+  @Column(nullable = false)
+  CreateAutoTimestamp creationTime = CreateAutoTimestamp.create(null);
+
+  @Column(nullable = false)
+  UpdateAutoTimestamp updateTime = UpdateAutoTimestamp.create(null);
+
+  @Column(nullable = false)
+  @Enumerated(EnumType.STRING)
+  Stage stage = MAKE_DIFF;
+
+  BsaDomainRefresh() {}
+
+  long getJobId() {
+    return jobId;
+  }
+
+  DateTime getCreationTime() {
+    return creationTime.getTimestamp();
+  }
+
+  /**
+   * Returns the starting time of this job as a string, which can be used as folder name on GCS when
+   * storing download data.
+   */
+  public String getJobName() {
+    return "refresh-" + getCreationTime().toString();
+  }
+
+  public Stage getStage() {
+    return this.stage;
+  }
+
+  BsaDomainRefresh setStage(Stage stage) {
+    this.stage = stage;
+    return this;
+  }
+
+  VKey<BsaDomainRefresh> vKey() {
+    return vKey(this);
+  }
+
+  @Override
+  public boolean equals(Object o) {
+    if (this == o) {
+      return true;
+    }
+    if (!(o instanceof BsaDomainRefresh)) {
+      return false;
+    }
+    BsaDomainRefresh that = (BsaDomainRefresh) o;
+    return Objects.equal(jobId, that.jobId)
+        && Objects.equal(creationTime, that.creationTime)
+        && Objects.equal(updateTime, that.updateTime)
+        && stage == that.stage;
+  }
+
+  @Override
+  public int hashCode() {
+    return Objects.hashCode(jobId, creationTime, updateTime, stage);
+  }
+
+  static VKey vKey(BsaDomainRefresh bsaDomainRefresh) {
+    return VKey.create(BsaDomainRefresh.class, bsaDomainRefresh.jobId);
+  }
+
+  enum Stage {
+    MAKE_DIFF,
+    APPLY_DIFF,
+    REPORT_REMOVALS,
+    REPORT_ADDITIONS;
+  }
+}
--- a/core/src/main/java/google/registry/bsa/persistence/BsaLabel.java
+++ b/core/src/main/java/google/registry/bsa/persistence/BsaLabel.java
@@ -28,7 +28,7 @@ import org.joda.time.DateTime;
 * <p>The label is valid (wrt IDN) in at least one TLD.
 */
@Entity
-public final class BsaLabel {
+final class BsaLabel {

  @Id String label;

@@ -52,7 +52,7 @@ public final class BsaLabel {
  }

  /** Returns the label to be blocked. */
-  public String getLabel() {
+  String getLabel() {
    return label;
  }

--- a/core/src/main/java/google/registry/bsa/persistence/BsaLabelUtils.java
+++ b/core/src/main/java/google/registry/bsa/persistence/BsaLabelUtils.java
@@ -0,0 +1,87 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.persistence;
+
+import static google.registry.config.RegistryConfig.getEppResourceCachingDuration;
+import static google.registry.config.RegistryConfig.getEppResourceMaxCachedEntries;
+import static google.registry.model.CacheUtils.newCacheBuilder;
+import static google.registry.persistence.transaction.TransactionManagerFactory.replicaTm;
+
+import com.github.benmanes.caffeine.cache.CacheLoader;
+import com.github.benmanes.caffeine.cache.LoadingCache;
+import com.google.common.annotations.VisibleForTesting;
+import google.registry.persistence.VKey;
+import java.time.Duration;
+import java.util.Map;
+import java.util.Optional;
+
+/** Helpers for {@link BsaLabel}. */
+public final class BsaLabelUtils {
+
+  private BsaLabelUtils() {}
+
+  static final CacheLoader<VKey<BsaLabel>, Optional<BsaLabel>> CACHE_LOADER =
+      new CacheLoader<VKey<BsaLabel>, Optional<BsaLabel>>() {
+
+        @Override
+        public Optional<BsaLabel> load(VKey<BsaLabel> key) {
+          return replicaTm().reTransact(() -> replicaTm().loadByKeyIfPresent(key));
+        }
+
+        @Override
+        public Map<VKey<BsaLabel>, Optional<BsaLabel>> loadAll(
+            Iterable<? extends VKey<BsaLabel>> keys) {
+          // TODO(b/309173359): need this for DomainCheckFlow
+          throw new UnsupportedOperationException(
+              "LoadAll not supported by the BsaLabel cache loader.");
+        }
+      };
+
+  /**
+   * A limited size, limited expiry cache of BSA labels.
+   *
+   * <p>BSA labels are used by the domain creation flow to verify that the requested domain name is
+   * not blocked by the BSA program. Label caching is mainly a defense against two scenarios, the
+   * initial rush and drop-catching, when clients run back-to-back domain creation requests around
+   * the time when a domain becomes available.
+   *
+   * <p>Because of caching and the use of the replica database, new BSA labels installed in the
+   * database will not take effect immediately. A blocked domain may be created due to race
+   * condition. A `refresh` job will detect such domains and report them to BSA as unblockable
+   * domains.
+   *
+   * <p>Since the cached BSA labels have the same usage pattern as the cached EppResources, the
+   * cache configuration for the latter are reused here.
+   */
+  private static LoadingCache<VKey<BsaLabel>, Optional<BsaLabel>> cacheBsaLabels =
+      createBsaLabelsCache(getEppResourceCachingDuration());
+
+  private static LoadingCache<VKey<BsaLabel>, Optional<BsaLabel>> createBsaLabelsCache(
+      Duration expiry) {
+    return newCacheBuilder(expiry)
+        .maximumSize(getEppResourceMaxCachedEntries())
+        .build(CACHE_LOADER);
+  }
+
+  @VisibleForTesting
+  void clearCache() {
+    cacheBsaLabels.invalidateAll();
+  }
+
+  /** Checks if the {@code domainLabel} (the leading `part` of a domain name) is blocked by BSA. */
+  public static boolean isLabelBlocked(String domainLabel) {
+    return cacheBsaLabels.get(BsaLabel.vKey(domainLabel)).isPresent();
+  }
+}
--- a/core/src/main/java/google/registry/config/RegistryConfig.java
+++ b/core/src/main/java/google/registry/config/RegistryConfig.java
@@ -36,6 +36,7 @@ import dagger.Provides;
 import google.registry.dns.ReadDnsRefreshRequestsAction;
 import google.registry.model.common.DnsRefreshRequest;
 import google.registry.persistence.transaction.JpaTransactionManager;
+import google.registry.util.RegistryEnvironment;
 import google.registry.util.YamlUtils;
 import java.lang.annotation.Documented;
 import java.lang.annotation.Retention;
--- a/core/src/main/java/google/registry/dns/DnsMetrics.java
+++ b/core/src/main/java/google/registry/dns/DnsMetrics.java
@@ -14,7 +14,7 @@

 package google.registry.dns;

-import static google.registry.config.RegistryEnvironment.PRODUCTION;
+import static google.registry.util.RegistryEnvironment.PRODUCTION;

 import com.google.common.collect.ImmutableSet;
 import com.google.monitoring.metrics.DistributionFitter;
@@ -24,7 +24,7 @@ import com.google.monitoring.metrics.FibonacciFitter;
 import com.google.monitoring.metrics.IncrementableMetric;
 import com.google.monitoring.metrics.LabelDescriptor;
 import com.google.monitoring.metrics.MetricRegistryImpl;
-import google.registry.config.RegistryEnvironment;
+import google.registry.util.RegistryEnvironment;
 import javax.inject.Inject;
 import org.joda.time.Duration;

--- a/core/src/main/java/google/registry/flows/TlsCredentials.java
+++ b/core/src/main/java/google/registry/flows/TlsCredentials.java
@@ -26,7 +26,6 @@ import com.google.common.net.InetAddresses;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.flows.EppException.AuthenticationErrorException;
 import google.registry.flows.certs.CertificateChecker;
 import google.registry.flows.certs.CertificateChecker.InsecureCertificateException;
@@ -34,6 +33,7 @@ import google.registry.model.registrar.Registrar;
 import google.registry.request.Header;
 import google.registry.util.CidrAddressBlock;
 import google.registry.util.ProxyHttpHeaders;
+import google.registry.util.RegistryEnvironment;
 import java.net.InetAddress;
 import java.security.MessageDigest;
 import java.util.Optional;
--- a/core/src/main/java/google/registry/flows/domain/DomainCreateFlow.java
+++ b/core/src/main/java/google/registry/flows/domain/DomainCreateFlow.java
@@ -40,6 +40,7 @@ import static google.registry.flows.domain.DomainFlowUtils.verifyClaimsNoticeIfA
 import static google.registry.flows.domain.DomainFlowUtils.verifyClaimsPeriodNotEnded;
 import static google.registry.flows.domain.DomainFlowUtils.verifyLaunchPhaseMatchesRegistryPhase;
 import static google.registry.flows.domain.DomainFlowUtils.verifyNoCodeMarks;
+import static google.registry.flows.domain.DomainFlowUtils.verifyNotBlockedByBsa;
 import static google.registry.flows.domain.DomainFlowUtils.verifyNotReserved;
 import static google.registry.flows.domain.DomainFlowUtils.verifyPremiumNameIsNotBlocked;
 import static google.registry.flows.domain.DomainFlowUtils.verifyRegistrarIsActive;
@@ -168,6 +169,7 @@ import org.joda.time.Duration;
 * @error {@link DomainFlowUtils.CurrencyUnitMismatchException}
 * @error {@link DomainFlowUtils.CurrencyValueScaleException}
 * @error {@link DomainFlowUtils.DashesInThirdAndFourthException}
+ * @error {@link DomainFlowUtils.DomainLabelBlockedByBsaException}
 * @error {@link DomainFlowUtils.DomainLabelTooLongException}
 * @error {@link DomainFlowUtils.DomainReservedException}
 * @error {@link DomainFlowUtils.DuplicateContactForRoleException}
@@ -328,6 +330,7 @@ public final class DomainCreateFlow implements MutatingFlow {
              .verifySignedMarks(launchCreate.get().getSignedMarks(), domainLabel, now)
              .getId();
    }
+    verifyNotBlockedByBsa(domainLabel, tld, now);
    flowCustomLogic.afterValidation(
        DomainCreateFlowCustomLogic.AfterValidationParameters.newBuilder()
            .setDomainName(domainName)
--- a/core/src/main/java/google/registry/flows/domain/DomainFlowUtils.java
+++ b/core/src/main/java/google/registry/flows/domain/DomainFlowUtils.java
@@ -25,11 +25,13 @@ import static com.google.common.collect.Iterables.any;
 import static com.google.common.collect.Sets.difference;
 import static com.google.common.collect.Sets.intersection;
 import static com.google.common.collect.Sets.union;
+import static google.registry.bsa.persistence.BsaLabelUtils.isLabelBlocked;
 import static google.registry.model.domain.Domain.MAX_REGISTRATION_YEARS;
 import static google.registry.model.tld.Tld.TldState.GENERAL_AVAILABILITY;
 import static google.registry.model.tld.Tld.TldState.PREDELEGATION;
 import static google.registry.model.tld.Tld.TldState.QUIET_PERIOD;
 import static google.registry.model.tld.Tld.TldState.START_DATE_SUNRISE;
+import static google.registry.model.tld.Tld.isEnrolledWithBsa;
 import static google.registry.model.tld.Tlds.findTldForName;
 import static google.registry.model.tld.Tlds.getTlds;
 import static google.registry.model.tld.label.ReservationType.ALLOWED_IN_SUNRISE;
@@ -259,6 +261,19 @@ public class DomainFlowUtils {
    return idnTableName.get();
  }

+  /**
+   * Verifies that the {@code domainLabel} is not blocked by any BSA block label for the given
+   * {@code tld} at the specified time.
+   *
+   * @throws DomainLabelBlockedByBsaException
+   */
+  public static void verifyNotBlockedByBsa(String domainLabel, Tld tld, DateTime now)
+      throws DomainLabelBlockedByBsaException {
+    if (isEnrolledWithBsa(tld, now) && isLabelBlocked(domainLabel)) {
+      throw new DomainLabelBlockedByBsaException();
+    }
+  }
+
  /** Returns whether a given domain create request is for a valid anchor tenant. */
  public static boolean isAnchorTenant(
      InternetDomainName domainName,
@@ -1742,4 +1757,12 @@ public class DomainFlowUtils {
      super("Registrar must be active in order to perform this operation");
    }
  }
+
+  /** Domain label is blocked by the Brand Safety Alliance. */
+  static class DomainLabelBlockedByBsaException extends ParameterValuePolicyErrorException {
+    public DomainLabelBlockedByBsaException() {
+      // TODO(b/309174065): finalize the exception message.
+      super("Domain label is blocked by the Brand Safety Alliance");
+    }
+  }
 }
--- a/core/src/main/java/google/registry/loadtest/LoadTestAction.java
+++ b/core/src/main/java/google/registry/loadtest/LoadTestAction.java
@@ -29,12 +29,12 @@ import com.google.common.collect.Iterators;
 import com.google.common.flogger.FluentLogger;
 import com.google.protobuf.Timestamp;
 import google.registry.batch.CloudTasksUtils;
-import google.registry.config.RegistryEnvironment;
 import google.registry.request.Action;
 import google.registry.request.Action.Service;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
 import google.registry.security.XsrfTokenManager;
+import google.registry.util.RegistryEnvironment;
 import java.time.Instant;
 import java.util.Arrays;
 import java.util.Iterator;
--- a/core/src/main/java/google/registry/model/EntityYamlUtils.java
+++ b/core/src/main/java/google/registry/model/EntityYamlUtils.java
@@ -349,7 +349,7 @@ public class EntityYamlUtils {
    @Override
    public TimedTransitionProperty<Money> deserialize(JsonParser jp, DeserializationContext context)
        throws IOException {
-      SortedMap<String, LinkedHashMap> valueMap = jp.readValueAs(SortedMap.class);
+      SortedMap<String, LinkedHashMap<String, Object>> valueMap = jp.readValueAs(SortedMap.class);
      return TimedTransitionProperty.fromValueMap(
          valueMap.keySet().stream()
              .collect(
@@ -359,7 +359,7 @@ public class EntityYamlUtils {
                      key ->
                          Money.of(
                              CurrencyUnit.of(valueMap.get(key).get("currency").toString()),
-                              (double) valueMap.get(key).get("amount")))));
+                              new BigDecimal(String.valueOf(valueMap.get(key).get("amount")))))));
    }
  }

--- a/core/src/main/java/google/registry/model/OteAccountBuilder.java
+++ b/core/src/main/java/google/registry/model/OteAccountBuilder.java
@@ -28,7 +28,6 @@ import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.ImmutableSortedMap;
 import com.google.common.collect.Sets;
 import com.google.common.collect.Streams;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.pricing.StaticPremiumListPricingEngine;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarAddress;
@@ -40,6 +39,7 @@ import google.registry.model.tld.label.PremiumList;
 import google.registry.model.tld.label.PremiumListDao;
 import google.registry.persistence.VKey;
 import google.registry.util.CidrAddressBlock;
+import google.registry.util.RegistryEnvironment;
 import java.util.Collection;
 import java.util.Optional;
 import java.util.function.Function;
--- a/core/src/main/java/google/registry/model/registrar/Registrar.java
+++ b/core/src/main/java/google/registry/model/registrar/Registrar.java
@@ -22,6 +22,7 @@ import static com.google.common.base.Strings.nullToEmpty;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static com.google.common.collect.ImmutableSortedSet.toImmutableSortedSet;
 import static com.google.common.collect.Sets.immutableEnumSet;
+import static com.google.common.collect.Streams.stream;
 import static com.google.common.io.BaseEncoding.base64;
 import static google.registry.config.RegistryConfig.getDefaultRegistrarWhoisServer;
 import static google.registry.model.CacheUtils.memoizeWithShortExpiration;
@@ -794,6 +795,24 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
      }
    }

+    // Making sure there's no registrar with the same ianaId already in the system
+    private static boolean isNotADuplicateIanaId(
+        Iterable<Registrar> registrars, Registrar newInstance) {
+      // Return early if newly build registrar is not type REAL or ianaId is
+      // reserved by ICANN - https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml
+      if (!Type.REAL.equals(newInstance.type)
+          || ImmutableSet.of(1L, 8L).contains(newInstance.ianaIdentifier)) {
+        return true;
+      }
+
+      return stream(registrars)
+          .filter(registrar -> Type.REAL.equals(registrar.getType()))
+          .filter(registrar -> !Objects.equals(newInstance.registrarId, registrar.getRegistrarId()))
+          .noneMatch(
+              registrar ->
+                  Objects.equals(newInstance.ianaIdentifier, registrar.getIanaIdentifier()));
+    }
+
    public Builder setContactsRequireSyncing(boolean contactsRequireSyncing) {
      getInstance().contactsRequireSyncing = contactsRequireSyncing;
      return this;
@@ -912,6 +931,15 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
              "Supplied IANA ID is not valid for %s registrar type: %s",
              getInstance().type, getInstance().ianaIdentifier));

+      // We do not allow creating Real registrars with IANA ID that's already in the system
+      // b/315007360 - for more details
+      checkArgument(
+          isNotADuplicateIanaId(loadAllCached(), getInstance()),
+          String.format(
+              "Rejected attempt to create a registrar with ianaId that's already in the system -"
+                  + " %s",
+              getInstance().ianaIdentifier));
+
      // In order to grant access to real TLDs, the registrar must have a corresponding billing
      // account ID for that TLD's billing currency.
      ImmutableSet<String> nonBillableTlds =
--- a/core/src/main/java/google/registry/persistence/transaction/JpaTransactionManagerImpl.java
+++ b/core/src/main/java/google/registry/persistence/transaction/JpaTransactionManagerImpl.java
@@ -33,12 +33,12 @@ import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Streams;
 import com.google.common.flogger.FluentLogger;
 import com.google.common.flogger.StackSize;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.ImmutableObject;
 import google.registry.persistence.JpaRetries;
 import google.registry.persistence.PersistenceModule.TransactionIsolationLevel;
 import google.registry.persistence.VKey;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import google.registry.util.Retrier;
 import google.registry.util.SystemSleeper;
 import java.io.Serializable;
--- a/core/src/main/java/google/registry/persistence/transaction/TransactionManagerFactory.java
+++ b/core/src/main/java/google/registry/persistence/transaction/TransactionManagerFactory.java
@@ -20,10 +20,10 @@ import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
 import com.google.appengine.api.utils.SystemProperty;
 import com.google.appengine.api.utils.SystemProperty.Environment.Value;
 import com.google.common.base.Suppliers;
-import google.registry.config.RegistryEnvironment;
 import google.registry.persistence.DaggerPersistenceComponent;
 import google.registry.tools.RegistryToolEnvironment;
 import google.registry.util.NonFinalForTesting;
+import google.registry.util.RegistryEnvironment;
 import java.util.function.Supplier;

 /** Factory class to create {@link TransactionManager} instance. */
--- a/core/src/main/java/google/registry/rde/RdeStagingAction.java
+++ b/core/src/main/java/google/registry/rde/RdeStagingAction.java
@@ -40,7 +40,6 @@ import com.google.common.flogger.FluentLogger;
 import com.google.common.io.BaseEncoding;
 import google.registry.beam.rde.RdePipeline;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.gcs.GcsUtils;
 import google.registry.keyring.api.KeyModule.Key;
 import google.registry.model.common.Cursor;
@@ -57,6 +56,7 @@ import google.registry.request.RequestParameters;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import google.registry.xml.ValidationMode;
 import java.io.IOException;
 import java.util.Optional;
--- a/core/src/main/java/google/registry/reporting/billing/GenerateInvoicesAction.java
+++ b/core/src/main/java/google/registry/reporting/billing/GenerateInvoicesAction.java
@@ -29,7 +29,6 @@ import com.google.common.flogger.FluentLogger;
 import com.google.common.net.MediaType;
 import google.registry.batch.CloudTasksUtils;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.persistence.PersistenceModule;
 import google.registry.reporting.ReportingModule;
 import google.registry.request.Action;
@@ -38,6 +37,7 @@ import google.registry.request.Parameter;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import java.io.IOException;
 import javax.inject.Inject;
 import org.joda.time.Duration;
--- a/core/src/main/java/google/registry/reporting/icann/IcannHttpReporter.java
+++ b/core/src/main/java/google/registry/reporting/icann/IcannHttpReporter.java
@@ -14,7 +14,6 @@

 package google.registry.reporting.icann;

-import static com.google.api.client.http.HttpStatusCodes.STATUS_CODE_BAD_REQUEST;
 import static com.google.api.client.http.HttpStatusCodes.STATUS_CODE_OK;
 import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.net.MediaType.CSV_UTF_8;
@@ -38,6 +37,7 @@ import java.io.IOException;
 import java.net.HttpURLConnection;
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.nio.charset.StandardCharsets;
 import java.security.GeneralSecurityException;
 import java.util.List;
 import javax.inject.Inject;
@@ -90,30 +90,31 @@ public class IcannHttpReporter {
    UrlConnectionUtils.setPayload(connection, reportBytes, CSV_UTF_8.toString());
    connection.setInstanceFollowRedirects(false);

-    int responseCode;
-    byte[] content;
+    int responseCode = 0;
+    byte[] content = null;
    try {
      responseCode = connection.getResponseCode();
-      // Only responses with a 200 or 400 status have a body. For everything else, we can return
-      // false early.
-      if (responseCode != STATUS_CODE_OK && responseCode != STATUS_CODE_BAD_REQUEST) {
-        logger.atWarning().log("Connection to ICANN server failed", connection);
+      content = UrlConnectionUtils.getResponseBytes(connection);
+      if (responseCode != STATUS_CODE_OK) {
+        XjcIirdeaResult result = parseResult(content);
+        logger.atWarning().log(
+            "PUT rejected, status code %s:\n%s\n%s",
+            result.getCode().getValue(), result.getMsg(), result.getDescription());
        return false;
      }
-      content = UrlConnectionUtils.getResponseBytes(connection);
+    } catch (IOException e) {
+      logger.atWarning().withCause(e).log(
+          "Connection to ICANN server failed with responseCode %s and connection %s",
+          responseCode == 0 ? "not available" : responseCode, connection);
+      return false;
+    } catch (XmlException e) {
+      logger.atWarning().withCause(e).log(
+          "Failed to parse ICANN response with responseCode %s and content %s",
+          responseCode, new String(content, StandardCharsets.UTF_8));
+      return false;
    } finally {
      connection.disconnect();
    }
-    // We know that an HTTP 200 response can only contain a result code of
-    // 1000 (i. e. success), there is no need to parse it.
-    // See: https://tools.ietf.org/html/draft-lozano-icann-registry-interfaces-13#page-16
-    if (responseCode != STATUS_CODE_OK) {
-      XjcIirdeaResult result = parseResult(content);
-      logger.atWarning().log(
-          "PUT rejected, status code %s:\n%s\n%s",
-          result.getCode().getValue(), result.getMsg(), result.getDescription());
-      return false;
-    }
    return true;
  }

@@ -164,4 +165,5 @@ public class IcannHttpReporter {
                reportType));
    }
  }
+
 }
--- a/core/src/main/java/google/registry/reporting/spec11/GenerateSpec11ReportAction.java
+++ b/core/src/main/java/google/registry/reporting/spec11/GenerateSpec11ReportAction.java
@@ -29,7 +29,6 @@ import com.google.common.flogger.FluentLogger;
 import com.google.common.net.MediaType;
 import google.registry.batch.CloudTasksUtils;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.keyring.api.KeyModule.Key;
 import google.registry.reporting.ReportingModule;
 import google.registry.request.Action;
@@ -38,6 +37,7 @@ import google.registry.request.Parameter;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import java.io.IOException;
 import javax.inject.Inject;
 import org.joda.time.Duration;
--- a/core/src/main/java/google/registry/request/auth/OidcTokenAuthenticationMechanism.java
+++ b/core/src/main/java/google/registry/request/auth/OidcTokenAuthenticationMechanism.java
@@ -20,13 +20,13 @@ import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.flogger.FluentLogger;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.console.User;
 import google.registry.model.console.UserDao;
 import google.registry.request.auth.AuthModule.IapOidc;
 import google.registry.request.auth.AuthModule.RegularOidc;
 import google.registry.request.auth.AuthModule.RegularOidcFallback;
 import google.registry.request.auth.AuthSettings.AuthLevel;
+import google.registry.util.RegistryEnvironment;
 import java.util.Optional;
 import javax.annotation.Nullable;
 import javax.inject.Inject;
--- a/core/src/main/java/google/registry/tmch/NordnUploadAction.java
+++ b/core/src/main/java/google/registry/tmch/NordnUploadAction.java
@@ -53,6 +53,7 @@ import java.net.URL;
 import java.security.GeneralSecurityException;
 import java.security.SecureRandom;
 import java.util.List;
+import java.util.Optional;
 import java.util.Random;
 import javax.inject.Inject;
 import org.joda.time.Duration;
@@ -126,55 +127,62 @@ public final class NordnUploadAction implements Runnable {
        phase.equals(PARAM_LORDN_PHASE_SUNRISE) || phase.equals(PARAM_LORDN_PHASE_CLAIMS),
        "Invalid phase specified to NordnUploadAction: %s.",
        phase);
-    tm().transact(
-            () -> {
-              // Note here that we load all domains pending Nordn in one batch, which should not
-              // be a problem for the rate of domain registration that we see. If we anticipate
-              // a peak in claims during TLD launch (sunrise is NOT first-come-first-serve, so
-              // there should be no expectation of a peak during it), we can consider temporarily
-              // increasing the frequency of Nordn upload to reduce the size of each batch.
-              //
-              // We did not further divide the domains into smaller batches because the
-              // read-upload-write operation per small batch needs to be inside a single
-              // transaction to prevent race conditions, and running several uploads in rapid
-              // sucession will likely overwhelm the MarksDB upload server, which recommands a
-              // maximum upload frequency of every 3 hours.
-              //
-              // See:
-              // https://datatracker.ietf.org/doc/html/draft-ietf-regext-tmch-func-spec-01#section-5.2.3.3
-              List<Domain> domains =
-                  tm().createQueryComposer(Domain.class)
-                      .where("lordnPhase", EQ, LordnPhase.valueOf(Ascii.toUpperCase(phase)))
-                      .where("tld", EQ, tld)
-                      .orderBy("creationTime")
-                      .list();
-              if (domains.isEmpty()) {
-                return;
-              }
-              StringBuilder csv = new StringBuilder();
-              ImmutableList.Builder<Domain> newDomains = new ImmutableList.Builder<>();
+    Optional<URL> uploadUrl =
+        tm().transact(
+                () -> {
+                  // Note here that we load all domains pending Nordn in one batch, which should not
+                  // be a problem for the rate of domain registration that we see. If we anticipate
+                  // a peak in claims during TLD launch (sunrise is NOT first-come-first-serve, so
+                  // there should be no expectation of a peak during it), we can consider
+                  // temporarily increasing the frequency of Nordn upload to reduce the size of each
+                  // batch.
+                  //
+                  // We did not further divide the domains into smaller batches because the
+                  // read-upload-write operation per small batch needs to be inside a single
+                  // transaction to prevent race conditions, and running several uploads in rapid
+                  // succession will likely overwhelm the MarksDB upload server, which recommends a
+                  // maximum upload frequency of every 3 hours.
+                  //
+                  // See:
+                  // https://datatracker.ietf.org/doc/html/draft-ietf-regext-tmch-func-spec-01#section-5.2.3.3
+                  List<Domain> domains =
+                      tm().createQueryComposer(Domain.class)
+                          .where("lordnPhase", EQ, LordnPhase.valueOf(Ascii.toUpperCase(phase)))
+                          .where("tld", EQ, tld)
+                          .orderBy("creationTime")
+                          .list();
+                  if (domains.isEmpty()) {
+                    return Optional.empty();
+                  }
+                  StringBuilder csv = new StringBuilder();
+                  ImmutableList.Builder<Domain> newDomains = new ImmutableList.Builder<>();

-              domains.forEach(
-                  domain -> {
-                    if (phase.equals(PARAM_LORDN_PHASE_SUNRISE)) {
-                      csv.append(getCsvLineForSunriseDomain(domain)).append('\n');
-                    } else {
-                      csv.append(getCsvLineForClaimsDomain(domain)).append('\n');
-                    }
-                    Domain newDomain = domain.asBuilder().setLordnPhase(LordnPhase.NONE).build();
-                    newDomains.add(newDomain);
-                  });
-              String columns =
-                  phase.equals(PARAM_LORDN_PHASE_SUNRISE) ? COLUMNS_SUNRISE : COLUMNS_CLAIMS;
-              String header =
-                  String.format("1,%s,%d\n%s\n", clock.nowUtc(), domains.size(), columns);
-              try {
-                uploadCsvToLordn(String.format("/LORDN/%s/%s", tld, phase), header + csv);
-              } catch (IOException | GeneralSecurityException e) {
-                throw new RuntimeException(e);
-              }
-              tm().updateAll(newDomains.build());
-            });
+                  domains.forEach(
+                      domain -> {
+                        if (phase.equals(PARAM_LORDN_PHASE_SUNRISE)) {
+                          csv.append(getCsvLineForSunriseDomain(domain)).append('\n');
+                        } else {
+                          csv.append(getCsvLineForClaimsDomain(domain)).append('\n');
+                        }
+                        Domain newDomain =
+                            domain.asBuilder().setLordnPhase(LordnPhase.NONE).build();
+                        newDomains.add(newDomain);
+                      });
+                  String columns =
+                      phase.equals(PARAM_LORDN_PHASE_SUNRISE) ? COLUMNS_SUNRISE : COLUMNS_CLAIMS;
+                  String header =
+                      String.format("1,%s,%d\n%s\n", clock.nowUtc(), domains.size(), columns);
+                  try {
+                    URL url =
+                        uploadCsvToLordn(String.format("/LORDN/%s/%s", tld, phase), header + csv);
+                    tm().updateAll(newDomains.build());
+                    return Optional.of(url);
+                  } catch (IOException | GeneralSecurityException e) {
+                    throw new RuntimeException(e);
+                  }
+                });
+    uploadUrl.ifPresent(
+        url -> cloudTasksUtils.enqueue(NordnVerifyAction.QUEUE, makeVerifyTask(url)));
  }

  /**
@@ -186,7 +194,7 @@ public final class NordnUploadAction implements Runnable {
   * @see <a href="http://tools.ietf.org/html/draft-lozano-tmch-func-spec-08#section-6.3">TMCH
   *     functional specifications - LORDN File</a>
   */
-  private void uploadCsvToLordn(String urlPath, String csvData)
+  private URL uploadCsvToLordn(String urlPath, String csvData)
      throws IOException, GeneralSecurityException {
    String url = tmchMarksdbUrl + urlPath;
    logger.atInfo().log(
@@ -222,7 +230,7 @@ public final class NordnUploadAction implements Runnable {
                actionLogId),
            connection);
      }
-      cloudTasksUtils.enqueue(NordnVerifyAction.QUEUE, makeVerifyTask(new URL(location)));
+      return new URL(location);
    } catch (IOException e) {
      throw new IOException(String.format("Error connecting to MarksDB at URL %s", url), e);
    } finally {
--- a/core/src/main/java/google/registry/tools/CreateRegistrarCommand.java
+++ b/core/src/main/java/google/registry/tools/CreateRegistrarCommand.java
@@ -30,8 +30,8 @@ import com.beust.jcommander.Parameter;
 import com.beust.jcommander.Parameters;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Streams;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.registrar.Registrar;
+import google.registry.util.RegistryEnvironment;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
--- a/core/src/main/java/google/registry/tools/RegistryToolEnvironment.java
+++ b/core/src/main/java/google/registry/tools/RegistryToolEnvironment.java
@@ -21,8 +21,8 @@ import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Ascii;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
-import google.registry.config.RegistryEnvironment;
-import google.registry.config.SystemPropertySetter;
+import google.registry.util.RegistryEnvironment;
+import google.registry.util.SystemPropertySetter;

 /** Enum of production environments, used for the {@code --environment} flag. */
 public enum RegistryToolEnvironment {
--- a/core/src/main/java/google/registry/tools/SetupOteCommand.java
+++ b/core/src/main/java/google/registry/tools/SetupOteCommand.java
@@ -22,10 +22,10 @@ import com.beust.jcommander.Parameter;
 import com.beust.jcommander.Parameters;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.io.MoreFiles;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.OteAccountBuilder;
 import google.registry.tools.params.PathParameter;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import google.registry.util.StringGenerator;
 import java.nio.file.Path;
 import java.util.ArrayList;
--- a/core/src/main/java/google/registry/tools/UpdateRegistrarCommand.java
+++ b/core/src/main/java/google/registry/tools/UpdateRegistrarCommand.java
@@ -18,8 +18,8 @@ import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
 import static google.registry.util.PreconditionsUtils.checkArgumentPresent;

 import com.beust.jcommander.Parameters;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.registrar.Registrar;
+import google.registry.util.RegistryEnvironment;
 import javax.annotation.Nullable;

 /** Command to update a Registrar. */
--- a/core/src/main/java/google/registry/tools/UpdateTldCommand.java
+++ b/core/src/main/java/google/registry/tools/UpdateTldCommand.java
@@ -25,10 +25,10 @@ import com.beust.jcommander.Parameter;
 import com.beust.jcommander.Parameters;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Maps;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.tld.Tld;
 import google.registry.model.tld.Tld.TldState;
 import google.registry.tools.params.StringListParameter;
+import google.registry.util.RegistryEnvironment;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
--- a/core/src/main/java/google/registry/tools/VerifyOteCommand.java
+++ b/core/src/main/java/google/registry/tools/VerifyOteCommand.java
@@ -25,9 +25,9 @@ import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Streams;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.registrar.Registrar;
 import google.registry.tools.server.VerifyOteAction;
+import google.registry.util.RegistryEnvironment;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Collection;
--- a/core/src/main/java/google/registry/ui/server/registrar/ConsoleOteSetupAction.java
+++ b/core/src/main/java/google/registry/ui/server/registrar/ConsoleOteSetupAction.java
@@ -15,8 +15,8 @@
 package google.registry.ui.server.registrar;

 import static com.google.common.base.Preconditions.checkState;
-import static google.registry.config.RegistryEnvironment.PRODUCTION;
 import static google.registry.ui.server.SoyTemplateUtils.CSS_RENAMING_MAP_SUPPLIER;
+import static google.registry.util.RegistryEnvironment.PRODUCTION;
 import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;

 import com.google.common.base.Ascii;
@@ -24,7 +24,6 @@ import com.google.common.base.Supplier;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.flogger.FluentLogger;
 import com.google.template.soy.tofu.SoyTofu;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.OteAccountBuilder;
 import google.registry.request.Action;
 import google.registry.request.Action.Method;
@@ -34,6 +33,7 @@ import google.registry.request.auth.AuthenticatedRegistrarAccessor;
 import google.registry.ui.server.SendEmailUtils;
 import google.registry.ui.server.SoyTemplateUtils;
 import google.registry.ui.soy.registrar.OteSetupConsoleSoyInfo;
+import google.registry.util.RegistryEnvironment;
 import google.registry.util.StringGenerator;
 import java.util.HashMap;
 import java.util.Optional;
--- a/core/src/main/java/google/registry/ui/server/registrar/ConsoleRegistrarCreatorAction.java
+++ b/core/src/main/java/google/registry/ui/server/registrar/ConsoleRegistrarCreatorAction.java
@@ -26,7 +26,6 @@ import com.google.common.base.Splitter;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.flogger.FluentLogger;
 import com.google.template.soy.tofu.SoyTofu;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.Registrar.State;
 import google.registry.model.registrar.RegistrarAddress;
@@ -44,6 +43,7 @@ import google.registry.ui.soy.registrar.ConsoleSoyInfo;
 import google.registry.ui.soy.registrar.ConsoleUtilsSoyInfo;
 import google.registry.ui.soy.registrar.FormsSoyInfo;
 import google.registry.ui.soy.registrar.RegistrarCreateConsoleSoyInfo;
+import google.registry.util.RegistryEnvironment;
 import google.registry.util.StringGenerator;
 import java.util.HashMap;
 import java.util.Optional;
--- a/core/src/main/java/google/registry/ui/server/registrar/ConsoleUiAction.java
+++ b/core/src/main/java/google/registry/ui/server/registrar/ConsoleUiAction.java
@@ -27,7 +27,6 @@ import com.google.common.flogger.FluentLogger;
 import com.google.template.soy.data.SoyMapData;
 import com.google.template.soy.tofu.SoyTofu;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
@@ -36,6 +35,7 @@ import google.registry.request.auth.AuthenticatedRegistrarAccessor.RegistrarAcce
 import google.registry.request.auth.AuthenticatedRegistrarAccessor.Role;
 import google.registry.ui.server.SoyTemplateUtils;
 import google.registry.ui.soy.registrar.ConsoleSoyInfo;
+import google.registry.util.RegistryEnvironment;
 import java.util.HashMap;
 import java.util.Optional;
 import javax.inject.Inject;
--- a/core/src/main/java/google/registry/ui/server/registrar/RegistrarSettingsAction.java
+++ b/core/src/main/java/google/registry/ui/server/registrar/RegistrarSettingsAction.java
@@ -18,11 +18,11 @@ import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.collect.ImmutableList.toImmutableList;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static com.google.common.collect.Sets.difference;
-import static google.registry.config.RegistryEnvironment.PRODUCTION;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.security.JsonResponseHelper.Status.ERROR;
 import static google.registry.security.JsonResponseHelper.Status.SUCCESS;
 import static google.registry.util.PreconditionsUtils.checkArgumentPresent;
+import static google.registry.util.RegistryEnvironment.PRODUCTION;

 import com.google.auto.value.AutoValue;
 import com.google.common.base.Ascii;
@@ -37,7 +37,6 @@ import com.google.common.collect.Sets;
 import com.google.common.collect.Streams;
 import com.google.common.flogger.FluentLogger;
 import google.registry.batch.CloudTasksUtils;
-import google.registry.config.RegistryEnvironment;
 import google.registry.export.sheet.SyncRegistrarsSheetAction;
 import google.registry.flows.certs.CertificateChecker;
 import google.registry.flows.certs.CertificateChecker.InsecureCertificateException;
@@ -61,6 +60,7 @@ import google.registry.ui.server.RegistrarFormFields;
 import google.registry.ui.server.SendEmailUtils;
 import google.registry.util.CollectionUtils;
 import google.registry.util.DiffUtils;
+import google.registry.util.RegistryEnvironment;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.Map;
--- a/core/src/main/resources/META-INF/persistence.xml
+++ b/core/src/main/resources/META-INF/persistence.xml
@@ -38,6 +38,7 @@

    <mapping-file>META-INF/orm.xml</mapping-file>

+    <class>google.registry.bsa.persistence.BsaDomainRefresh</class>
    <class>google.registry.bsa.persistence.BsaDownload</class>
    <class>google.registry.bsa.persistence.BsaLabel</class>
    <class>google.registry.bsa.persistence.BsaDomainInUse</class>
--- a/core/src/test/java/google/registry/batch/DeleteProberDataActionTest.java
+++ b/core/src/test/java/google/registry/batch/DeleteProberDataActionTest.java
@@ -33,7 +33,6 @@ import static org.joda.time.DateTimeZone.UTC;
 import static org.junit.jupiter.api.Assertions.assertThrows;

 import com.google.common.collect.ImmutableSet;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.ImmutableObject;
 import google.registry.model.billing.BillingBase.Reason;
 import google.registry.model.billing.BillingEvent;
@@ -47,6 +46,7 @@ import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationTestExtension;
 import google.registry.testing.DatabaseHelper;
 import google.registry.testing.SystemPropertyExtension;
+import google.registry.util.RegistryEnvironment;
 import java.util.Optional;
 import java.util.Set;
 import org.joda.money.Money;
--- a/core/src/test/java/google/registry/batch/ResaveAllEppResourcesPipelineActionTest.java
+++ b/core/src/test/java/google/registry/batch/ResaveAllEppResourcesPipelineActionTest.java
@@ -25,8 +25,8 @@ import com.google.api.services.dataflow.model.LaunchFlexTemplateParameter;
 import com.google.api.services.dataflow.model.LaunchFlexTemplateRequest;
 import com.google.common.collect.ImmutableMap;
 import google.registry.beam.BeamActionTestBase;
-import google.registry.config.RegistryEnvironment;
 import google.registry.testing.FakeClock;
+import google.registry.util.RegistryEnvironment;
 import org.junit.jupiter.api.Test;

 /** Unit tests for {@link ResaveAllEppResourcesPipelineAction}. */
--- a/core/src/test/java/google/registry/beam/common/RegistryPipelineOptionsTest.java
+++ b/core/src/test/java/google/registry/beam/common/RegistryPipelineOptionsTest.java
@@ -18,10 +18,10 @@ import static com.google.common.truth.Truth.assertThat;
 import static google.registry.beam.common.RegistryPipelineOptions.validateRegistryPipelineOptions;
 import static org.junit.jupiter.api.Assertions.assertThrows;

-import google.registry.config.RegistryEnvironment;
 import google.registry.persistence.PersistenceModule.JpaTransactionManagerType;
 import google.registry.persistence.PersistenceModule.TransactionIsolationLevel;
 import google.registry.testing.SystemPropertyExtension;
+import google.registry.util.RegistryEnvironment;
 import org.apache.beam.sdk.options.PipelineOptionsFactory;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
--- a/core/src/test/java/google/registry/bsa/persistence/BsaDomainRefreshTest.java
+++ b/core/src/test/java/google/registry/bsa/persistence/BsaDomainRefreshTest.java
@@ -0,0 +1,54 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.persistence;
+
+import static com.google.common.truth.Truth.assertThat;
+import static google.registry.bsa.persistence.BsaDomainRefresh.Stage.MAKE_DIFF;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+import static org.joda.time.DateTimeZone.UTC;
+
+import google.registry.persistence.transaction.JpaTestExtensions;
+import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationWithCoverageExtension;
+import google.registry.testing.FakeClock;
+import org.joda.time.DateTime;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+/** Unit test for {@link BsaDomainRefresh}. */
+public class BsaDomainRefreshTest {
+
+  protected FakeClock fakeClock = new FakeClock(DateTime.now(UTC));
+
+  @RegisterExtension
+  final JpaIntegrationWithCoverageExtension jpa =
+      new JpaTestExtensions.Builder().withClock(fakeClock).buildIntegrationWithCoverageExtension();
+
+  @Test
+  void saveJob() {
+    BsaDomainRefresh persisted =
+        tm().transact(() -> tm().getEntityManager().merge(new BsaDomainRefresh()));
+    assertThat(persisted.jobId).isNotNull();
+    assertThat(persisted.creationTime.getTimestamp()).isEqualTo(fakeClock.nowUtc());
+    assertThat(persisted.stage).isEqualTo(MAKE_DIFF);
+  }
+
+  @Test
+  void loadJobByKey() {
+    BsaDomainRefresh persisted =
+        tm().transact(() -> tm().getEntityManager().merge(new BsaDomainRefresh()));
+    assertThat(tm().transact(() -> tm().loadByKey(BsaDomainRefresh.vKey(persisted))))
+        .isEqualTo(persisted);
+  }
+}
--- a/core/src/test/java/google/registry/bsa/persistence/BsaLabelTest.java
+++ b/core/src/test/java/google/registry/bsa/persistence/BsaLabelTest.java
@@ -41,4 +41,15 @@ public class BsaLabelTest {
    assertThat(persisted.getLabel()).isEqualTo("label");
    assertThat(persisted.creationTime).isEqualTo(fakeClock.nowUtc());
  }
+
+  @Test
+  void isLabelBlocked_no() {
+    assertThat(tm().transact(() -> BsaLabelUtils.isLabelBlocked("abc"))).isFalse();
+  }
+
+  @Test
+  void isLabelBlocked_yes() {
+    tm().transact(() -> tm().put(new BsaLabel("abc", fakeClock.nowUtc())));
+    assertThat(tm().transact(() -> BsaLabelUtils.isLabelBlocked("abc"))).isTrue();
+  }
 }
--- a/core/src/test/java/google/registry/bsa/persistence/BsaLabelTestingUtils.java
+++ b/core/src/test/java/google/registry/bsa/persistence/BsaLabelTestingUtils.java
@@ -0,0 +1,29 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.persistence;
+
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+
+import org.joda.time.DateTime;
+
+/** Testing utils for users of {@link BsaLabel}. */
+public final class BsaLabelTestingUtils {
+
+  private BsaLabelTestingUtils() {}
+
+  public static void persistBsaLabel(String domainLabel, DateTime creationTime) {
+    tm().transact(() -> tm().put(new BsaLabel(domainLabel, creationTime)));
+  }
+}
--- a/core/src/test/java/google/registry/bsa/persistence/BsaLabelUtilsTest.java
+++ b/core/src/test/java/google/registry/bsa/persistence/BsaLabelUtilsTest.java
@@ -0,0 +1,102 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.persistence;
+
+import static com.google.common.truth.Truth.assertThat;
+import static google.registry.bsa.persistence.BsaLabelTestingUtils.persistBsaLabel;
+import static google.registry.bsa.persistence.BsaLabelUtils.isLabelBlocked;
+import static google.registry.persistence.transaction.TransactionManagerFactory.replicaTm;
+import static google.registry.persistence.transaction.TransactionManagerFactory.setJpaTm;
+import static google.registry.persistence.transaction.TransactionManagerFactory.setReplicaJpaTm;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+import static org.joda.time.DateTimeZone.UTC;
+import static org.joda.time.Duration.millis;
+import static org.joda.time.Duration.standardMinutes;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import google.registry.persistence.transaction.JpaTestExtensions;
+import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationWithCoverageExtension;
+import google.registry.persistence.transaction.JpaTransactionManager;
+import google.registry.testing.FakeClock;
+import org.joda.time.DateTime;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+/** Unit tests for {@link BsaLabelUtils}. */
+public class BsaLabelUtilsTest {
+
+  protected FakeClock fakeClock = new FakeClock(DateTime.now(UTC));
+
+  @RegisterExtension
+  final JpaIntegrationWithCoverageExtension jpa =
+      new JpaTestExtensions.Builder().withClock(fakeClock).buildIntegrationWithCoverageExtension();
+
+  @Test
+  void isLabelBlocked_yes() {
+    persistBsaLabel("abc", fakeClock.nowUtc());
+    assertThat(isLabelBlocked("abc")).isTrue();
+  }
+
+  @Test
+  void isLabelBlocked_no() {
+    assertThat(isLabelBlocked("abc")).isFalse();
+  }
+
+  @Test
+  void isLabelBlocked_isCacheUsed_withReplica() throws Throwable {
+    JpaTransactionManager primaryTmSave = tm();
+    JpaTransactionManager replicaTmSave = replicaTm();
+
+    JpaTransactionManager primaryTm = mock(JpaTransactionManager.class);
+    JpaTransactionManager replicaTm = mock(JpaTransactionManager.class);
+    setJpaTm(() -> primaryTm);
+    setReplicaJpaTm(() -> replicaTm);
+    when(replicaTm.loadByKey(any())).thenReturn(new BsaLabel("abc", fakeClock.nowUtc()));
+    try {
+      assertThat(isLabelBlocked("abc")).isTrue();
+      assertThat(isLabelBlocked("abc")).isTrue();
+      verify(replicaTm, times(1)).loadByKey(any());
+      verify(primaryTm, never()).loadByKey(any());
+    } catch (Throwable e) {
+      setJpaTm(() -> primaryTmSave);
+      setReplicaJpaTm(() -> replicaTmSave);
+    }
+  }
+
+  @Test
+  void isLabelBlocked_isCacheUsed_withOneMinuteExpiry() throws Throwable {
+    JpaTransactionManager replicaTmSave = replicaTm();
+    JpaTransactionManager replicaTm = mock(JpaTransactionManager.class);
+    setReplicaJpaTm(() -> replicaTm);
+    when(replicaTm.loadByKey(any())).thenReturn(new BsaLabel("abc", fakeClock.nowUtc()));
+    try {
+      assertThat(isLabelBlocked("abc")).isTrue();
+      /**
+       * If test fails, check and fix cache expiry in the config file. Do not increase the duration
+       * on the line below without proper discussion.
+       */
+      fakeClock.advanceBy(standardMinutes(1).plus(millis(1)));
+      assertThat(isLabelBlocked("abc")).isTrue();
+      verify(replicaTm, times(2)).loadByKey(any());
+    } catch (Throwable e) {
+      setReplicaJpaTm(() -> replicaTmSave);
+    }
+  }
+}
--- a/core/src/test/java/google/registry/flows/domain/DomainCreateFlowTest.java
+++ b/core/src/test/java/google/registry/flows/domain/DomainCreateFlowTest.java
@@ -18,6 +18,7 @@ import static com.google.common.collect.ImmutableList.toImmutableList;
 import static com.google.common.io.BaseEncoding.base16;
 import static com.google.common.truth.Truth.assertThat;
 import static com.google.common.truth.Truth8.assertThat;
+import static google.registry.bsa.persistence.BsaLabelTestingUtils.persistBsaLabel;
 import static google.registry.flows.FlowTestCase.UserPrivileges.SUPERUSER;
 import static google.registry.model.billing.BillingBase.Flag.ANCHOR_TENANT;
 import static google.registry.model.billing.BillingBase.Flag.RESERVED;
@@ -30,6 +31,7 @@ import static google.registry.model.domain.token.AllocationToken.TokenType.BULK_
 import static google.registry.model.domain.token.AllocationToken.TokenType.DEFAULT_PROMO;
 import static google.registry.model.domain.token.AllocationToken.TokenType.SINGLE_USE;
 import static google.registry.model.domain.token.AllocationToken.TokenType.UNLIMITED_USE;
+import static google.registry.model.eppcommon.EppXmlTransformer.marshal;
 import static google.registry.model.eppcommon.StatusValue.PENDING_DELETE;
 import static google.registry.model.eppcommon.StatusValue.SERVER_HOLD;
 import static google.registry.model.tld.Tld.TldState.GENERAL_AVAILABILITY;
@@ -96,6 +98,7 @@ import google.registry.flows.domain.DomainFlowUtils.ClaimsPeriodEndedException;
 import google.registry.flows.domain.DomainFlowUtils.CurrencyUnitMismatchException;
 import google.registry.flows.domain.DomainFlowUtils.CurrencyValueScaleException;
 import google.registry.flows.domain.DomainFlowUtils.DashesInThirdAndFourthException;
+import google.registry.flows.domain.DomainFlowUtils.DomainLabelBlockedByBsaException;
 import google.registry.flows.domain.DomainFlowUtils.DomainLabelTooLongException;
 import google.registry.flows.domain.DomainFlowUtils.DomainNameExistsAsTldException;
 import google.registry.flows.domain.DomainFlowUtils.DomainReservedException;
@@ -165,6 +168,9 @@ import google.registry.model.domain.secdns.DomainDsData;
 import google.registry.model.domain.token.AllocationToken;
 import google.registry.model.domain.token.AllocationToken.RegistrationBehavior;
 import google.registry.model.domain.token.AllocationToken.TokenStatus;
+import google.registry.model.eppcommon.Trid;
+import google.registry.model.eppoutput.EppOutput;
+import google.registry.model.eppoutput.EppResponse;
 import google.registry.model.poll.PendingActionNotificationResponse.DomainPendingActionNotificationResponse;
 import google.registry.model.poll.PollMessage;
 import google.registry.model.registrar.Registrar;
@@ -183,7 +189,9 @@ import google.registry.tmch.LordnTaskUtils.LordnPhase;
 import google.registry.tmch.SmdrlCsvParser;
 import google.registry.tmch.TmchData;
 import google.registry.tmch.TmchTestData;
+import google.registry.xml.ValidationMode;
 import java.math.BigDecimal;
+import java.nio.charset.StandardCharsets;
 import java.util.Map;
 import java.util.Optional;
 import javax.annotation.Nullable;
@@ -2562,6 +2570,53 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
    assertAboutEppExceptions().that(thrown).marshalsToXml();
  }

+  @Test
+  void testSuccess_bsaLabelMatch_notEnrolled() throws Exception {
+    persistResource(Tld.get("tld").asBuilder().setBsaEnrollStartTime(Optional.empty()).build());
+    persistBsaLabel("example", clock.nowUtc());
+    persistContactsAndHosts();
+    doSuccessfulTest();
+  }
+
+  @Test
+  void testSuccess_bsaLabelMatch_notEnrolledYet() throws Exception {
+    persistResource(
+        Tld.get("tld")
+            .asBuilder()
+            .setBsaEnrollStartTime(Optional.of(clock.nowUtc().plusSeconds(1)))
+            .build());
+    persistBsaLabel("example", clock.nowUtc());
+    persistContactsAndHosts();
+    doSuccessfulTest();
+  }
+
+  @Test
+  void testFailure_blockedByBsa() throws Exception {
+    persistResource(
+        Tld.get("tld")
+            .asBuilder()
+            .setBsaEnrollStartTime(Optional.of(clock.nowUtc().minusSeconds(1)))
+            .build());
+    persistBsaLabel("example", clock.nowUtc());
+    persistContactsAndHosts();
+    EppException thrown = assertThrows(DomainLabelBlockedByBsaException.class, this::runFlow);
+    assertAboutEppExceptions()
+        .that(thrown)
+        .marshalsToXml()
+        .and()
+        .hasMessage("Domain label is blocked by the Brand Safety Alliance");
+    byte[] responseXmlBytes =
+        marshal(
+            EppOutput.create(
+                new EppResponse.Builder()
+                    .setTrid(Trid.create(null, "server-trid"))
+                    .setResult(thrown.getResult())
+                    .build()),
+            ValidationMode.STRICT);
+    assertThat(new String(responseXmlBytes, StandardCharsets.UTF_8))
+        .isEqualTo(loadFile("domain_create_blocked_by_bsa.xml"));
+  }
+
  @Test
  void testFailure_uppercase() {
    doFailingDomainNameTest("Example.tld", BadDomainNameCharacterException.class);
--- a/core/src/test/java/google/registry/model/registrar/RegistrarTest.java
+++ b/core/src/test/java/google/registry/model/registrar/RegistrarTest.java
@@ -201,6 +201,23 @@ class RegistrarTest extends EntityTestCase {
        () -> new Registrar.Builder().setRegistrarId("abcdefghijklmnopq"));
  }

+  @Test
+  void testFailure_duplicateIanaId() {
+    persistResource(
+        registrar.asBuilder().setRegistrarId("registrar1").setIanaIdentifier(10L).build());
+
+    IllegalArgumentException thrown =
+        assertThrows(
+            IllegalArgumentException.class,
+            () ->
+                registrar.asBuilder().setRegistrarId("registrar2").setIanaIdentifier(10L).build());
+
+    assertThat(thrown)
+        .hasMessageThat()
+        .contains(
+            "Rejected attempt to create a registrar with ianaId that's already in the system");
+  }
+
  @Test
  void testSetCertificateHash_alsoSetsHash() {
    registrar = registrar.asBuilder().setClientCertificate(null, fakeClock.nowUtc()).build();
--- a/core/src/test/java/google/registry/persistence/transaction/JpaTransactionManagerExtension.java
+++ b/core/src/test/java/google/registry/persistence/transaction/JpaTransactionManagerExtension.java
@@ -105,6 +105,7 @@ public abstract class JpaTransactionManagerExtension
  // reused between test methods if the requested schema remains the same.
  private static EntityManagerFactory emf;
  // Hash of the ORM entity names in the current schema in the test db.
+
  private static int emfEntityHash;

  private JpaTransactionManager cachedTm;
--- a/core/src/test/java/google/registry/schema/integration/SqlIntegrationTestSuite.java
+++ b/core/src/test/java/google/registry/schema/integration/SqlIntegrationTestSuite.java
@@ -17,6 +17,7 @@ package google.registry.schema.integration;
 import static com.google.common.truth.Truth.assert_;

 import google.registry.bsa.persistence.BsaDomainInUseTest;
+import google.registry.bsa.persistence.BsaDomainRefreshTest;
 import google.registry.bsa.persistence.BsaDownloadTest;
 import google.registry.bsa.persistence.BsaLabelTest;
 import google.registry.model.billing.BillingBaseTest;
@@ -86,6 +87,7 @@ import org.junit.runner.RunWith;
  AllocationTokenTest.class,
  BillingBaseTest.class,
  BsaDomainInUseTest.class,
+  BsaDomainRefreshTest.class,
  BsaDownloadTest.class,
  BsaLabelTest.class,
  BulkPricingPackageTest.class,
--- a/core/src/test/java/google/registry/testing/DatabaseHelper.java
+++ b/core/src/test/java/google/registry/testing/DatabaseHelper.java
@@ -778,7 +778,7 @@ public final class DatabaseHelper {

  /** Persists and returns a {@link Registrar} with the specified registrarId. */
  public static Registrar persistNewRegistrar(String registrarId) {
-    return persistNewRegistrar(registrarId, registrarId + " name", Registrar.Type.REAL, 100L);
+    return persistNewRegistrar(registrarId, registrarId + " name", Registrar.Type.REAL, 8L);
  }

  /** Persists and returns a list of {@link Registrar}s with the specified registrarIds. */
--- a/core/src/test/java/google/registry/testing/SystemPropertyExtension.java
+++ b/core/src/test/java/google/registry/testing/SystemPropertyExtension.java
@@ -17,7 +17,7 @@ package google.registry.testing;
 import static com.google.common.base.Preconditions.checkNotNull;
 import static com.google.common.base.Preconditions.checkState;

-import google.registry.config.SystemPropertySetter;
+import google.registry.util.SystemPropertySetter;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
--- a/core/src/test/java/google/registry/tools/ConfigureTldCommandTest.java
+++ b/core/src/test/java/google/registry/tools/ConfigureTldCommandTest.java
@@ -29,6 +29,7 @@ import static java.nio.charset.StandardCharsets.UTF_8;
 import static java.util.logging.Level.INFO;
 import static org.joda.money.CurrencyUnit.JPY;
 import static org.joda.money.CurrencyUnit.USD;
+import static org.joda.time.DateTimeZone.UTC;
 import static org.junit.jupiter.api.Assertions.assertThrows;

 import com.fasterxml.jackson.core.JsonProcessingException;
@@ -46,11 +47,11 @@ import google.registry.model.tld.Tld.TldNotFoundException;
 import google.registry.model.tld.label.PremiumList;
 import google.registry.model.tld.label.PremiumListDao;
 import java.io.File;
+import java.math.BigDecimal;
 import java.util.Optional;
 import java.util.logging.Logger;
 import org.joda.money.Money;
 import org.joda.time.DateTime;
-import org.joda.time.DateTimeZone;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
@@ -91,6 +92,18 @@ public class ConfigureTldCommandTest extends CommandTestCase<ConfigureTldCommand
    assertThat(tld.getBreakglassMode()).isFalse();
  }

+  @Test
+  void testSuccess_createNewTldJPY() throws Exception {
+    File tldFile = tmpDir.resolve("jpy.yaml").toFile();
+    Files.asCharSink(tldFile, UTF_8).write(loadFile(getClass(), "jpy.yaml"));
+    runCommandForced("--input=" + tldFile);
+    Tld tld = Tld.get("jpy");
+    assertThat(tld).isNotNull();
+    assertThat(tld.getCreateBillingCost()).isEqualTo(Money.of(JPY, new BigDecimal("250")));
+    assertThat(tld.getEapFeeFor(DateTime.now(UTC)).getCost()).isEqualTo(new BigDecimal(0));
+    testTldConfiguredSuccessfully(tld, "jpy.yaml");
+  }
+
  @Test
  void testSuccess_updateTld() throws Exception {
    Tld tld = createTld("tld");
@@ -108,7 +121,7 @@ public class ConfigureTldCommandTest extends CommandTestCase<ConfigureTldCommand
  @Test
  void testSuccess_updateTld_existingBsaTimeCarriedOver() throws Exception {
    Tld tld = createTld("tld");
-    DateTime bsaStartTime = DateTime.now(DateTimeZone.UTC);
+    DateTime bsaStartTime = DateTime.now(UTC);
    persistResource(tld.asBuilder().setBsaEnrollStartTime(Optional.of(bsaStartTime)).build());
    File tldFile = tmpDir.resolve("tld.yaml").toFile();
    Files.asCharSink(tldFile, UTF_8).write(loadFile(getClass(), "tld.yaml"));
--- a/core/src/test/java/google/registry/ui/server/registrar/ConsoleOteSetupActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/registrar/ConsoleOteSetupActionTest.java
@@ -30,7 +30,6 @@ import com.google.appengine.api.users.UserServiceFactory;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSetMultimap;
-import google.registry.config.RegistryEnvironment;
 import google.registry.groups.GmailClient;
 import google.registry.model.tld.Tld;
 import google.registry.persistence.transaction.JpaTestExtensions;
@@ -47,6 +46,7 @@ import google.registry.testing.SystemPropertyExtension;
 import google.registry.testing.UserServiceExtension;
 import google.registry.ui.server.SendEmailUtils;
 import google.registry.util.EmailMessage;
+import google.registry.util.RegistryEnvironment;
 import java.util.Optional;
 import javax.mail.internet.InternetAddress;
 import javax.servlet.http.HttpServletRequest;
--- a/core/src/test/java/google/registry/ui/server/registrar/ConsoleRegistrarCreatorActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/registrar/ConsoleRegistrarCreatorActionTest.java
@@ -28,7 +28,6 @@ import com.google.appengine.api.users.UserServiceFactory;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSetMultimap;
-import google.registry.config.RegistryEnvironment;
 import google.registry.groups.GmailClient;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarAddress;
@@ -47,6 +46,7 @@ import google.registry.testing.SystemPropertyExtension;
 import google.registry.testing.UserServiceExtension;
 import google.registry.ui.server.SendEmailUtils;
 import google.registry.util.EmailMessage;
+import google.registry.util.RegistryEnvironment;
 import java.util.Optional;
 import javax.mail.internet.InternetAddress;
 import javax.servlet.http.HttpServletRequest;
--- a/core/src/test/java/google/registry/ui/server/registrar/RegistrarSettingsActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/registrar/RegistrarSettingsActionTest.java
@@ -30,7 +30,6 @@ import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.ImmutableSetMultimap;
 import com.google.common.collect.Maps;
 import com.google.common.collect.Sets;
-import google.registry.config.RegistryEnvironment;
 import google.registry.export.sheet.SyncRegistrarsSheetAction;
 import google.registry.model.registrar.Registrar;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor;
@@ -40,6 +39,7 @@ import google.registry.testing.CloudTasksHelper.TaskMatcher;
 import google.registry.testing.SystemPropertyExtension;
 import google.registry.util.CidrAddressBlock;
 import google.registry.util.EmailMessage;
+import google.registry.util.RegistryEnvironment;
 import java.util.Map;
 import java.util.function.BiFunction;
 import java.util.function.Function;
--- a/core/src/test/resources/google/registry/flows/domain/domain_create_blocked_by_bsa.xml
+++ b/core/src/test/resources/google/registry/flows/domain/domain_create_blocked_by_bsa.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<epp xmlns:domain="urn:ietf:params:xml:ns:domain-1.0" xmlns:contact="urn:ietf:params:xml:ns:contact-1.0" xmlns:fee="urn:ietf:params:xml:ns:fee-0.6" xmlns="urn:ietf:params:xml:ns:epp-1.0" xmlns:rgp="urn:ietf:params:xml:ns:rgp-1.0" xmlns:bulkToken="urn:google:params:xml:ns:bulkToken-1.0" xmlns:fee11="urn:ietf:params:xml:ns:fee-0.11" xmlns:fee12="urn:ietf:params:xml:ns:fee-0.12" xmlns:launch="urn:ietf:params:xml:ns:launch-1.0" xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1" xmlns:host="urn:ietf:params:xml:ns:host-1.0">
+    <response>
+        <result code="2306">
+            <msg>Domain label is blocked by the Brand Safety Alliance</msg>
+        </result>
+        <trID>
+            <svTRID>server-trid</svTRID>
+        </trID>
+    </response>
+</epp>
--- a/core/src/test/resources/google/registry/tools/jpy.yaml
+++ b/core/src/test/resources/google/registry/tools/jpy.yaml
@@ -0,0 +1,55 @@
+addGracePeriodLength: "PT432000S"
+allowedFullyQualifiedHostNames: []
+allowedRegistrantContactIds: []
+anchorTenantAddGracePeriodLength: "PT2592000S"
+autoRenewGracePeriodLength: "PT3888000S"
+automaticTransferLength: "PT432000S"
+claimsPeriodEnd: "294247-01-10T04:00:54.775Z"
+createBillingCost:
+  currency: "JPY"
+  amount: 250
+creationTime: "2022-09-01T00:00:00.000Z"
+currency: "JPY"
+defaultPromoTokens: []
+dnsAPlusAaaaTtl: "PT900S"
+dnsDsTtl: null
+dnsNsTtl: null
+dnsPaused: false
+dnsWriters:
+- "VoidDnsWriter"
+driveFolderId: "driveFolder"
+eapFeeSchedule:
+  "1970-01-01T00:00:00.000Z":
+    currency: "JPY"
+    amount: 0
+escrowEnabled: false
+idnTables: []
+invoicingEnabled: false
+lordnUsername: null
+numDnsPublishLocks: 1
+pendingDeleteLength: "PT432000S"
+premiumListName: null
+pricingEngineClassName: "google.registry.model.pricing.StaticPremiumListPricingEngine"
+redemptionGracePeriodLength: "PT2592000S"
+registryLockOrUnlockBillingCost:
+  currency: "JPY"
+  amount: 0
+renewBillingCostTransitions:
+  "1970-01-01T00:00:00.000Z":
+    currency: "JPY"
+    amount: 100
+renewGracePeriodLength: "PT432000S"
+reservedListNames: []
+restoreBillingCost:
+  currency: "JPY"
+  amount: 70
+roidSuffix: "JPY"
+serverStatusChangeBillingCost:
+  currency: "JPY"
+  amount: 100
+tldStateTransitions:
+  "1970-01-01T00:00:00.000Z": "GENERAL_AVAILABILITY"
+tldStr: "jpy"
+tldType: "REAL"
+tldUnicode: "jpy"
+transferGracePeriodLength: "PT432000S"
--- a/db/src/main/resources/sql/schema/db-schema.sql.generated
+++ b/db/src/main/resources/sql/schema/db-schema.sql.generated
@@ -93,6 +93,14 @@
        primary key (label, tld)
    );

+    create table "BsaDomainRefresh" (
+       job_id  bigserial not null,
+        creation_time timestamptz not null,
+        stage text not null,
+        update_timestamp timestamptz,
+        primary key (job_id)
+    );
+
    create table "BsaDownload" (
       job_id  bigserial not null,
        block_list_checksums text not null,
--- a/docs/flows.md
+++ b/docs/flows.md
@@ -384,6 +384,7 @@ An EPP flow that creates a new domain resource.
    *   The requested fees cannot be provided in the requested currency.
    *   Non-IDN domain names cannot contain hyphens in the third or fourth
        position.
+    *   Domain label is blocked by the Brand Safety Alliance.
    *   Domain labels cannot be longer than 63 characters.
    *   More than one contact for a given role is not allowed.
    *   No part of a domain name can be empty.
--- a/proxy/kubernetes/proxy-service.yaml
+++ b/proxy/kubernetes/proxy-service.yaml
@@ -46,5 +46,5 @@ spec:
    apiVersion: apps/v1
    kind: Deployment
    name: proxy-deployment
-  maxReplicas: 10
-  minReplicas: 1
+  maxReplicas: 50
+  minReplicas: 10
--- a/util/src/main/java/google/registry/util/PasswordUtils.java
+++ b/util/src/main/java/google/registry/util/PasswordUtils.java
@@ -22,6 +22,7 @@ import static java.nio.charset.StandardCharsets.US_ASCII;
 import com.google.common.base.Supplier;
 import com.google.common.base.Suppliers;
 import com.google.common.flogger.FluentLogger;
+import com.google.common.primitives.Bytes;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
@@ -68,15 +69,22 @@ public final class PasswordUtils {
            .digest((new String(password, US_ASCII) + base64().encode(salt)).getBytes(US_ASCII));
      }
    },
+
    /**
     * Memory-hard hashing algorithm, preferred over SHA-256.
     *
+     * <p>Note that in tests, we simply concatenate the password and salt which is much faster and
+     * reduces the overall test run time by a half. Our tests are not verifying that SCRYPT is
+     * implemented correctly anyway.
+     *
     * @see <a href="https://en.wikipedia.org/wiki/Scrypt">Scrypt</a>
     */
    SCRYPT {
      @Override
      byte[] hash(byte[] password, byte[] salt) {
-        return SCrypt.generate(password, salt, 32768, 8, 1, 256);
+        return RegistryEnvironment.get() == RegistryEnvironment.UNITTEST
+            ? Bytes.concat(password, salt)
+            : SCrypt.generate(password, salt, 32768, 8, 1, 256);
      }
    };

--- a/core/src/main/java/google/registry/config/RegistryEnvironment.java
+++ b/core/src/main/java/google/registry/config/RegistryEnvironment.java
@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-package google.registry.config;
+package google.registry.util;

 import com.google.common.base.Ascii;

--- a/core/src/main/java/google/registry/config/SystemPropertySetter.java
+++ b/core/src/main/java/google/registry/config/SystemPropertySetter.java
@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-package google.registry.config;
+package google.registry.util;

 import javax.annotation.Nullable;

--- a/core/src/test/java/google/registry/config/RegistryEnvironmentTest.java
+++ b/core/src/test/java/google/registry/config/RegistryEnvironmentTest.java
@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-package google.registry.config;
+package google.registry.util;

 import org.junit.jupiter.api.Test;
Author	SHA1	Message	Date
Lai Jiang	42b508427b	Bypass SCRYPT hashing in tests (#2262 ) SCRYPT is much computationally heavier than SHA265 (by design), which resulted in test run time doubling due to most tests initializing canned data that uses hashing. Since out tests are not verifying the correctness of a specific hashing algorithm anyway, this PR makes it so that simple concatenation is used in tests. Also moved RegistryEnvironment to the util subproject so it can be called by PasswordUtils, which makes sense as it is a utility class.	2023-12-21 16:17:37 -05:00
sarahcaseybot	20b5b43501	Add type conversion to TimedTransitionProperty<Money> deserializer to handle JPY currency (#2258 ) * Add BigInt conversion to TimedTransitionProperty<Money> deserializer to handle JPY currency * Remove unnecessary lines in test * Add eap schedule check * Don't use raw LinkedHashMap type * add timezone	2023-12-21 12:59:54 -05:00
Lai Jiang	08285f5de7	Greatly increase the upper limit of proxy instances in production (#2259 ) From our investigation, the Monday night WHOIS storm does not cause any strain to the backend system. The backend latency metrics are all well within the limits. The latency measured from the proxy matches observed latency by the prober, and we see that the "used" CPU is 1.5x of "requested" CPU during the time when the latency is above the threshold. Making this change hopefully removes the proxy as the bottleneck and ameliorate the pages.	2023-12-20 15:37:29 -05:00
Pavlo Tkach	fb4c5b457d	Prevent reusing ianaId for real registrars (#2257 )	2023-12-20 15:20:04 -05:00
Pavlo Tkach	781c212275	Add IcannHttpReporter failed response logging (#2252 )	2023-12-18 11:03:33 -05:00
Weimin Yu	c73f7a6bd3	Add the BsaDomainRefresh entity (#2250 ) Add the BsaDomainRefresh class which tracks the refresh actions. The refresh actions checks for changes in the set of registered and reserved domains, which are called unblockables to BSA.	2023-12-13 16:08:37 -05:00
Lai Jiang	8d793b2349	Do not double-enqueue NordnVerifyAction (#2253 ) Currently, a verify action is enqueued every time the upload method succeeds. Because the upload job is wrapped in a transaction, the same task will be enqueued again if the transaction retries. We cannot move the upload method outside the transaction because the read-upload-write logic needs to be atomic, and the upload part itself is idempotent (therefore retri-able). We can, however, move the enqueuing part outside the transaction as we only need to enqueue the verify task once the transaction succeeds. This should fix the issue where multiple verify jobs try to hit the same marksdb endpoints, resulting in 429 (Too Many Requests) errors.	2023-12-12 16:00:35 -05:00
Weimin Yu	55d5f8c6f8	Forbid domain creation with label blocked by BSA (#2236 ) * Forbid domain creation with label blocked by BSA Add a BSA label check in the DomainCreation flow.	2023-12-11 22:14:12 -05:00
Pavlo Tkach	9006312253	Create reusable dialog / bottom sheet component (#2237 )	2023-12-08 17:52:57 -05:00
gbrodman	e5e2370923	Debouncedly use a search term in console domain list (#2242 )	2023-12-08 15:37:30 -05:00