Bypass SCRYPT hashing in tests (#2262 )

SCRYPT is much computationally heavier than SHA265 (by design), which resulted in test run time doubling due to most tests initializing canned data that uses hashing. Since out tests are not verifying the correctness of a specific hashing algorithm anyway, this PR makes it so that simple concatenation is used in tests. Also moved RegistryEnvironment to the util subproject so it can be called by PasswordUtils, which makes sense as it is a utility class.
Add type conversion to TimedTransitionProperty<Money> deserializer to handle JPY currency (#2258 )
2026-02-11 23:31:37 +00:00 · 2023-12-21 16:17:37 -05:00 · 2023-12-21 12:59:54 -05:00 · 2023-12-20 15:37:29 -05:00 · 2023-12-20 15:20:04 -05:00 · 2023-12-18 11:03:33 -05:00
54 changed files with 435 additions and 120 deletions
--- a/core/src/main/java/google/registry/batch/DeleteLoadTestDataAction.java
+++ b/core/src/main/java/google/registry/batch/DeleteLoadTestDataAction.java
@@ -17,15 +17,14 @@ package google.registry.batch;
 import static com.google.common.base.Preconditions.checkState;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static google.registry.batch.BatchModule.PARAM_DRY_RUN;
-import static google.registry.config.RegistryEnvironment.PRODUCTION;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.POST;
 import static google.registry.util.DateTimeUtils.END_OF_TIME;
+import static google.registry.util.RegistryEnvironment.PRODUCTION;

 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.flogger.FluentLogger;
-import google.registry.config.RegistryEnvironment;
 import google.registry.flows.poll.PollFlowUtils;
 import google.registry.model.EppResource;
 import google.registry.model.EppResourceUtils;
@@ -40,6 +39,7 @@ import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import javax.inject.Inject;

 /**
--- a/core/src/main/java/google/registry/batch/DeleteProberDataAction.java
+++ b/core/src/main/java/google/registry/batch/DeleteProberDataAction.java
@@ -18,13 +18,13 @@ import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.base.Preconditions.checkState;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static google.registry.batch.BatchModule.PARAM_DRY_RUN;
-import static google.registry.config.RegistryEnvironment.PRODUCTION;
 import static google.registry.dns.DnsUtils.requestDomainDnsRefresh;
 import static google.registry.model.reporting.HistoryEntry.Type.DOMAIN_DELETE;
 import static google.registry.model.tld.Tlds.getTldsOfType;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.POST;
 import static google.registry.request.RequestParameters.PARAM_TLDS;
+import static google.registry.util.RegistryEnvironment.PRODUCTION;

 import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableList;
@@ -32,7 +32,6 @@ import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Sets;
 import com.google.common.flogger.FluentLogger;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.CreateAutoTimestamp;
 import google.registry.model.EppResourceUtils;
 import google.registry.model.domain.Domain;
@@ -41,6 +40,7 @@ import google.registry.model.tld.Tld.TldType;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
+import google.registry.util.RegistryEnvironment;
 import java.util.concurrent.atomic.AtomicInteger;
 import javax.inject.Inject;
 import org.hibernate.CacheMode;
--- a/core/src/main/java/google/registry/batch/ExpandBillingRecurrencesAction.java
+++ b/core/src/main/java/google/registry/batch/ExpandBillingRecurrencesAction.java
@@ -31,7 +31,6 @@ import com.google.common.collect.ImmutableMap;
 import com.google.common.flogger.FluentLogger;
 import google.registry.beam.billing.ExpandBillingRecurrencesPipeline;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.billing.BillingEvent;
 import google.registry.model.billing.BillingRecurrence;
 import google.registry.model.common.Cursor;
@@ -40,6 +39,7 @@ import google.registry.request.Parameter;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import java.io.IOException;
 import java.util.Optional;
 import javax.inject.Inject;
--- a/core/src/main/java/google/registry/batch/ResaveAllEppResourcesPipelineAction.java
+++ b/core/src/main/java/google/registry/batch/ResaveAllEppResourcesPipelineAction.java
@@ -27,12 +27,12 @@ import com.google.common.collect.ImmutableMap;
 import com.google.common.flogger.FluentLogger;
 import com.google.common.net.MediaType;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import javax.inject.Inject;

 /**
--- a/core/src/main/java/google/registry/batch/WipeOutContactHistoryPiiAction.java
+++ b/core/src/main/java/google/registry/batch/WipeOutContactHistoryPiiAction.java
@@ -28,7 +28,6 @@ import com.google.common.flogger.FluentLogger;
 import com.google.common.net.MediaType;
 import google.registry.beam.wipeout.WipeOutContactHistoryPiiPipeline;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.contact.ContactHistory;
 import google.registry.request.Action;
 import google.registry.request.Action.Service;
@@ -36,6 +35,7 @@ import google.registry.request.Parameter;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import java.io.IOException;
 import java.util.Optional;
 import javax.inject.Inject;
--- a/core/src/main/java/google/registry/beam/common/RegistryPipelineOptions.java
+++ b/core/src/main/java/google/registry/beam/common/RegistryPipelineOptions.java
@@ -14,9 +14,9 @@

 package google.registry.beam.common;

-import google.registry.config.RegistryEnvironment;
 import google.registry.persistence.PersistenceModule.JpaTransactionManagerType;
 import google.registry.persistence.PersistenceModule.TransactionIsolationLevel;
+import google.registry.util.RegistryEnvironment;
 import java.util.Objects;
 import javax.annotation.Nullable;
 import org.apache.beam.sdk.extensions.gcp.options.GcpOptions;
--- a/core/src/main/java/google/registry/beam/common/RegistryPipelineWorkerInitializer.java
+++ b/core/src/main/java/google/registry/beam/common/RegistryPipelineWorkerInitializer.java
@@ -19,10 +19,10 @@ import static google.registry.beam.common.RegistryPipelineOptions.toRegistryPipe
 import com.google.auto.service.AutoService;
 import com.google.common.flogger.FluentLogger;
 import dagger.Lazy;
-import google.registry.config.RegistryEnvironment;
-import google.registry.config.SystemPropertySetter;
 import google.registry.persistence.transaction.JpaTransactionManager;
 import google.registry.persistence.transaction.TransactionManagerFactory;
+import google.registry.util.RegistryEnvironment;
+import google.registry.util.SystemPropertySetter;
 import org.apache.beam.sdk.harness.JvmInitializer;
 import org.apache.beam.sdk.options.PipelineOptions;

--- a/core/src/main/java/google/registry/bsa/persistence/BsaDomainRefresh.java
+++ b/core/src/main/java/google/registry/bsa/persistence/BsaDomainRefresh.java
@@ -0,0 +1,117 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.persistence;
+
+import static google.registry.bsa.persistence.BsaDomainRefresh.Stage.MAKE_DIFF;
+
+import com.google.common.base.Objects;
+import google.registry.model.CreateAutoTimestamp;
+import google.registry.model.UpdateAutoTimestamp;
+import google.registry.persistence.VKey;
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import org.joda.time.DateTime;
+
+/**
+ * Records of completed and ongoing refresh actions, which recomputes the set of unblockable domains
+ * and reports changes to BSA.
+ *
+ * <p>The refresh action only handles registered and reserved domain names. Invalid names only
+ * change status when the IDN tables change, and will be handled by a separate tool when it happens.
+ */
+@Entity
+public class BsaDomainRefresh {
+
+  @Id
+  @GeneratedValue(strategy = GenerationType.IDENTITY)
+  Long jobId;
+
+  @Column(nullable = false)
+  CreateAutoTimestamp creationTime = CreateAutoTimestamp.create(null);
+
+  @Column(nullable = false)
+  UpdateAutoTimestamp updateTime = UpdateAutoTimestamp.create(null);
+
+  @Column(nullable = false)
+  @Enumerated(EnumType.STRING)
+  Stage stage = MAKE_DIFF;
+
+  BsaDomainRefresh() {}
+
+  long getJobId() {
+    return jobId;
+  }
+
+  DateTime getCreationTime() {
+    return creationTime.getTimestamp();
+  }
+
+  /**
+   * Returns the starting time of this job as a string, which can be used as folder name on GCS when
+   * storing download data.
+   */
+  public String getJobName() {
+    return "refresh-" + getCreationTime().toString();
+  }
+
+  public Stage getStage() {
+    return this.stage;
+  }
+
+  BsaDomainRefresh setStage(Stage stage) {
+    this.stage = stage;
+    return this;
+  }
+
+  VKey<BsaDomainRefresh> vKey() {
+    return vKey(this);
+  }
+
+  @Override
+  public boolean equals(Object o) {
+    if (this == o) {
+      return true;
+    }
+    if (!(o instanceof BsaDomainRefresh)) {
+      return false;
+    }
+    BsaDomainRefresh that = (BsaDomainRefresh) o;
+    return Objects.equal(jobId, that.jobId)
+        && Objects.equal(creationTime, that.creationTime)
+        && Objects.equal(updateTime, that.updateTime)
+        && stage == that.stage;
+  }
+
+  @Override
+  public int hashCode() {
+    return Objects.hashCode(jobId, creationTime, updateTime, stage);
+  }
+
+  static VKey vKey(BsaDomainRefresh bsaDomainRefresh) {
+    return VKey.create(BsaDomainRefresh.class, bsaDomainRefresh.jobId);
+  }
+
+  enum Stage {
+    MAKE_DIFF,
+    APPLY_DIFF,
+    REPORT_REMOVALS,
+    REPORT_ADDITIONS;
+  }
+}
--- a/core/src/main/java/google/registry/config/RegistryConfig.java
+++ b/core/src/main/java/google/registry/config/RegistryConfig.java
@@ -36,6 +36,7 @@ import dagger.Provides;
 import google.registry.dns.ReadDnsRefreshRequestsAction;
 import google.registry.model.common.DnsRefreshRequest;
 import google.registry.persistence.transaction.JpaTransactionManager;
+import google.registry.util.RegistryEnvironment;
 import google.registry.util.YamlUtils;
 import java.lang.annotation.Documented;
 import java.lang.annotation.Retention;
--- a/core/src/main/java/google/registry/dns/DnsMetrics.java
+++ b/core/src/main/java/google/registry/dns/DnsMetrics.java
@@ -14,7 +14,7 @@

 package google.registry.dns;

-import static google.registry.config.RegistryEnvironment.PRODUCTION;
+import static google.registry.util.RegistryEnvironment.PRODUCTION;

 import com.google.common.collect.ImmutableSet;
 import com.google.monitoring.metrics.DistributionFitter;
@@ -24,7 +24,7 @@ import com.google.monitoring.metrics.FibonacciFitter;
 import com.google.monitoring.metrics.IncrementableMetric;
 import com.google.monitoring.metrics.LabelDescriptor;
 import com.google.monitoring.metrics.MetricRegistryImpl;
-import google.registry.config.RegistryEnvironment;
+import google.registry.util.RegistryEnvironment;
 import javax.inject.Inject;
 import org.joda.time.Duration;

--- a/core/src/main/java/google/registry/flows/TlsCredentials.java
+++ b/core/src/main/java/google/registry/flows/TlsCredentials.java
@@ -26,7 +26,6 @@ import com.google.common.net.InetAddresses;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.flows.EppException.AuthenticationErrorException;
 import google.registry.flows.certs.CertificateChecker;
 import google.registry.flows.certs.CertificateChecker.InsecureCertificateException;
@@ -34,6 +33,7 @@ import google.registry.model.registrar.Registrar;
 import google.registry.request.Header;
 import google.registry.util.CidrAddressBlock;
 import google.registry.util.ProxyHttpHeaders;
+import google.registry.util.RegistryEnvironment;
 import java.net.InetAddress;
 import java.security.MessageDigest;
 import java.util.Optional;
--- a/core/src/main/java/google/registry/loadtest/LoadTestAction.java
+++ b/core/src/main/java/google/registry/loadtest/LoadTestAction.java
@@ -29,12 +29,12 @@ import com.google.common.collect.Iterators;
 import com.google.common.flogger.FluentLogger;
 import com.google.protobuf.Timestamp;
 import google.registry.batch.CloudTasksUtils;
-import google.registry.config.RegistryEnvironment;
 import google.registry.request.Action;
 import google.registry.request.Action.Service;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
 import google.registry.security.XsrfTokenManager;
+import google.registry.util.RegistryEnvironment;
 import java.time.Instant;
 import java.util.Arrays;
 import java.util.Iterator;
--- a/core/src/main/java/google/registry/model/EntityYamlUtils.java
+++ b/core/src/main/java/google/registry/model/EntityYamlUtils.java
@@ -349,7 +349,7 @@ public class EntityYamlUtils {
    @Override
    public TimedTransitionProperty<Money> deserialize(JsonParser jp, DeserializationContext context)
        throws IOException {
-      SortedMap<String, LinkedHashMap> valueMap = jp.readValueAs(SortedMap.class);
+      SortedMap<String, LinkedHashMap<String, Object>> valueMap = jp.readValueAs(SortedMap.class);
      return TimedTransitionProperty.fromValueMap(
          valueMap.keySet().stream()
              .collect(
@@ -359,7 +359,7 @@ public class EntityYamlUtils {
                      key ->
                          Money.of(
                              CurrencyUnit.of(valueMap.get(key).get("currency").toString()),
-                              (double) valueMap.get(key).get("amount")))));
+                              new BigDecimal(String.valueOf(valueMap.get(key).get("amount")))))));
    }
  }

--- a/core/src/main/java/google/registry/model/OteAccountBuilder.java
+++ b/core/src/main/java/google/registry/model/OteAccountBuilder.java
@@ -28,7 +28,6 @@ import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.ImmutableSortedMap;
 import com.google.common.collect.Sets;
 import com.google.common.collect.Streams;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.pricing.StaticPremiumListPricingEngine;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarAddress;
@@ -40,6 +39,7 @@ import google.registry.model.tld.label.PremiumList;
 import google.registry.model.tld.label.PremiumListDao;
 import google.registry.persistence.VKey;
 import google.registry.util.CidrAddressBlock;
+import google.registry.util.RegistryEnvironment;
 import java.util.Collection;
 import java.util.Optional;
 import java.util.function.Function;
--- a/core/src/main/java/google/registry/model/registrar/Registrar.java
+++ b/core/src/main/java/google/registry/model/registrar/Registrar.java
@@ -22,6 +22,7 @@ import static com.google.common.base.Strings.nullToEmpty;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static com.google.common.collect.ImmutableSortedSet.toImmutableSortedSet;
 import static com.google.common.collect.Sets.immutableEnumSet;
+import static com.google.common.collect.Streams.stream;
 import static com.google.common.io.BaseEncoding.base64;
 import static google.registry.config.RegistryConfig.getDefaultRegistrarWhoisServer;
 import static google.registry.model.CacheUtils.memoizeWithShortExpiration;
@@ -794,6 +795,24 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
      }
    }

+    // Making sure there's no registrar with the same ianaId already in the system
+    private static boolean isNotADuplicateIanaId(
+        Iterable<Registrar> registrars, Registrar newInstance) {
+      // Return early if newly build registrar is not type REAL or ianaId is
+      // reserved by ICANN - https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml
+      if (!Type.REAL.equals(newInstance.type)
+          || ImmutableSet.of(1L, 8L).contains(newInstance.ianaIdentifier)) {
+        return true;
+      }
+
+      return stream(registrars)
+          .filter(registrar -> Type.REAL.equals(registrar.getType()))
+          .filter(registrar -> !Objects.equals(newInstance.registrarId, registrar.getRegistrarId()))
+          .noneMatch(
+              registrar ->
+                  Objects.equals(newInstance.ianaIdentifier, registrar.getIanaIdentifier()));
+    }
+
    public Builder setContactsRequireSyncing(boolean contactsRequireSyncing) {
      getInstance().contactsRequireSyncing = contactsRequireSyncing;
      return this;
@@ -912,6 +931,15 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
              "Supplied IANA ID is not valid for %s registrar type: %s",
              getInstance().type, getInstance().ianaIdentifier));

+      // We do not allow creating Real registrars with IANA ID that's already in the system
+      // b/315007360 - for more details
+      checkArgument(
+          isNotADuplicateIanaId(loadAllCached(), getInstance()),
+          String.format(
+              "Rejected attempt to create a registrar with ianaId that's already in the system -"
+                  + " %s",
+              getInstance().ianaIdentifier));
+
      // In order to grant access to real TLDs, the registrar must have a corresponding billing
      // account ID for that TLD's billing currency.
      ImmutableSet<String> nonBillableTlds =
--- a/core/src/main/java/google/registry/persistence/transaction/JpaTransactionManagerImpl.java
+++ b/core/src/main/java/google/registry/persistence/transaction/JpaTransactionManagerImpl.java
@@ -33,12 +33,12 @@ import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Streams;
 import com.google.common.flogger.FluentLogger;
 import com.google.common.flogger.StackSize;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.ImmutableObject;
 import google.registry.persistence.JpaRetries;
 import google.registry.persistence.PersistenceModule.TransactionIsolationLevel;
 import google.registry.persistence.VKey;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import google.registry.util.Retrier;
 import google.registry.util.SystemSleeper;
 import java.io.Serializable;
--- a/core/src/main/java/google/registry/persistence/transaction/TransactionManagerFactory.java
+++ b/core/src/main/java/google/registry/persistence/transaction/TransactionManagerFactory.java
@@ -20,10 +20,10 @@ import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
 import com.google.appengine.api.utils.SystemProperty;
 import com.google.appengine.api.utils.SystemProperty.Environment.Value;
 import com.google.common.base.Suppliers;
-import google.registry.config.RegistryEnvironment;
 import google.registry.persistence.DaggerPersistenceComponent;
 import google.registry.tools.RegistryToolEnvironment;
 import google.registry.util.NonFinalForTesting;
+import google.registry.util.RegistryEnvironment;
 import java.util.function.Supplier;

 /** Factory class to create {@link TransactionManager} instance. */
--- a/core/src/main/java/google/registry/rde/RdeStagingAction.java
+++ b/core/src/main/java/google/registry/rde/RdeStagingAction.java
@@ -40,7 +40,6 @@ import com.google.common.flogger.FluentLogger;
 import com.google.common.io.BaseEncoding;
 import google.registry.beam.rde.RdePipeline;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.gcs.GcsUtils;
 import google.registry.keyring.api.KeyModule.Key;
 import google.registry.model.common.Cursor;
@@ -57,6 +56,7 @@ import google.registry.request.RequestParameters;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import google.registry.xml.ValidationMode;
 import java.io.IOException;
 import java.util.Optional;
--- a/core/src/main/java/google/registry/reporting/billing/GenerateInvoicesAction.java
+++ b/core/src/main/java/google/registry/reporting/billing/GenerateInvoicesAction.java
@@ -29,7 +29,6 @@ import com.google.common.flogger.FluentLogger;
 import com.google.common.net.MediaType;
 import google.registry.batch.CloudTasksUtils;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.persistence.PersistenceModule;
 import google.registry.reporting.ReportingModule;
 import google.registry.request.Action;
@@ -38,6 +37,7 @@ import google.registry.request.Parameter;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import java.io.IOException;
 import javax.inject.Inject;
 import org.joda.time.Duration;
--- a/core/src/main/java/google/registry/reporting/icann/IcannHttpReporter.java
+++ b/core/src/main/java/google/registry/reporting/icann/IcannHttpReporter.java
@@ -14,7 +14,6 @@

 package google.registry.reporting.icann;

-import static com.google.api.client.http.HttpStatusCodes.STATUS_CODE_BAD_REQUEST;
 import static com.google.api.client.http.HttpStatusCodes.STATUS_CODE_OK;
 import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.net.MediaType.CSV_UTF_8;
@@ -38,6 +37,7 @@ import java.io.IOException;
 import java.net.HttpURLConnection;
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.nio.charset.StandardCharsets;
 import java.security.GeneralSecurityException;
 import java.util.List;
 import javax.inject.Inject;
@@ -90,30 +90,31 @@ public class IcannHttpReporter {
    UrlConnectionUtils.setPayload(connection, reportBytes, CSV_UTF_8.toString());
    connection.setInstanceFollowRedirects(false);

-    int responseCode;
-    byte[] content;
+    int responseCode = 0;
+    byte[] content = null;
    try {
      responseCode = connection.getResponseCode();
-      // Only responses with a 200 or 400 status have a body. For everything else, we can return
-      // false early.
-      if (responseCode != STATUS_CODE_OK && responseCode != STATUS_CODE_BAD_REQUEST) {
-        logger.atWarning().log("Connection to ICANN server failed", connection);
+      content = UrlConnectionUtils.getResponseBytes(connection);
+      if (responseCode != STATUS_CODE_OK) {
+        XjcIirdeaResult result = parseResult(content);
+        logger.atWarning().log(
+            "PUT rejected, status code %s:\n%s\n%s",
+            result.getCode().getValue(), result.getMsg(), result.getDescription());
        return false;
      }
-      content = UrlConnectionUtils.getResponseBytes(connection);
+    } catch (IOException e) {
+      logger.atWarning().withCause(e).log(
+          "Connection to ICANN server failed with responseCode %s and connection %s",
+          responseCode == 0 ? "not available" : responseCode, connection);
+      return false;
+    } catch (XmlException e) {
+      logger.atWarning().withCause(e).log(
+          "Failed to parse ICANN response with responseCode %s and content %s",
+          responseCode, new String(content, StandardCharsets.UTF_8));
+      return false;
    } finally {
      connection.disconnect();
    }
-    // We know that an HTTP 200 response can only contain a result code of
-    // 1000 (i. e. success), there is no need to parse it.
-    // See: https://tools.ietf.org/html/draft-lozano-icann-registry-interfaces-13#page-16
-    if (responseCode != STATUS_CODE_OK) {
-      XjcIirdeaResult result = parseResult(content);
-      logger.atWarning().log(
-          "PUT rejected, status code %s:\n%s\n%s",
-          result.getCode().getValue(), result.getMsg(), result.getDescription());
-      return false;
-    }
    return true;
  }

@@ -164,4 +165,5 @@ public class IcannHttpReporter {
                reportType));
    }
  }
+
 }
--- a/core/src/main/java/google/registry/reporting/spec11/GenerateSpec11ReportAction.java
+++ b/core/src/main/java/google/registry/reporting/spec11/GenerateSpec11ReportAction.java
@@ -29,7 +29,6 @@ import com.google.common.flogger.FluentLogger;
 import com.google.common.net.MediaType;
 import google.registry.batch.CloudTasksUtils;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.keyring.api.KeyModule.Key;
 import google.registry.reporting.ReportingModule;
 import google.registry.request.Action;
@@ -38,6 +37,7 @@ import google.registry.request.Parameter;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import java.io.IOException;
 import javax.inject.Inject;
 import org.joda.time.Duration;
--- a/core/src/main/java/google/registry/request/auth/OidcTokenAuthenticationMechanism.java
+++ b/core/src/main/java/google/registry/request/auth/OidcTokenAuthenticationMechanism.java
@@ -20,13 +20,13 @@ import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.flogger.FluentLogger;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.console.User;
 import google.registry.model.console.UserDao;
 import google.registry.request.auth.AuthModule.IapOidc;
 import google.registry.request.auth.AuthModule.RegularOidc;
 import google.registry.request.auth.AuthModule.RegularOidcFallback;
 import google.registry.request.auth.AuthSettings.AuthLevel;
+import google.registry.util.RegistryEnvironment;
 import java.util.Optional;
 import javax.annotation.Nullable;
 import javax.inject.Inject;
--- a/core/src/main/java/google/registry/tmch/NordnUploadAction.java
+++ b/core/src/main/java/google/registry/tmch/NordnUploadAction.java
@@ -53,6 +53,7 @@ import java.net.URL;
 import java.security.GeneralSecurityException;
 import java.security.SecureRandom;
 import java.util.List;
+import java.util.Optional;
 import java.util.Random;
 import javax.inject.Inject;
 import org.joda.time.Duration;
@@ -126,55 +127,62 @@ public final class NordnUploadAction implements Runnable {
        phase.equals(PARAM_LORDN_PHASE_SUNRISE) || phase.equals(PARAM_LORDN_PHASE_CLAIMS),
        "Invalid phase specified to NordnUploadAction: %s.",
        phase);
-    tm().transact(
-            () -> {
-              // Note here that we load all domains pending Nordn in one batch, which should not
-              // be a problem for the rate of domain registration that we see. If we anticipate
-              // a peak in claims during TLD launch (sunrise is NOT first-come-first-serve, so
-              // there should be no expectation of a peak during it), we can consider temporarily
-              // increasing the frequency of Nordn upload to reduce the size of each batch.
-              //
-              // We did not further divide the domains into smaller batches because the
-              // read-upload-write operation per small batch needs to be inside a single
-              // transaction to prevent race conditions, and running several uploads in rapid
-              // sucession will likely overwhelm the MarksDB upload server, which recommands a
-              // maximum upload frequency of every 3 hours.
-              //
-              // See:
-              // https://datatracker.ietf.org/doc/html/draft-ietf-regext-tmch-func-spec-01#section-5.2.3.3
-              List<Domain> domains =
-                  tm().createQueryComposer(Domain.class)
-                      .where("lordnPhase", EQ, LordnPhase.valueOf(Ascii.toUpperCase(phase)))
-                      .where("tld", EQ, tld)
-                      .orderBy("creationTime")
-                      .list();
-              if (domains.isEmpty()) {
-                return;
-              }
-              StringBuilder csv = new StringBuilder();
-              ImmutableList.Builder<Domain> newDomains = new ImmutableList.Builder<>();
+    Optional<URL> uploadUrl =
+        tm().transact(
+                () -> {
+                  // Note here that we load all domains pending Nordn in one batch, which should not
+                  // be a problem for the rate of domain registration that we see. If we anticipate
+                  // a peak in claims during TLD launch (sunrise is NOT first-come-first-serve, so
+                  // there should be no expectation of a peak during it), we can consider
+                  // temporarily increasing the frequency of Nordn upload to reduce the size of each
+                  // batch.
+                  //
+                  // We did not further divide the domains into smaller batches because the
+                  // read-upload-write operation per small batch needs to be inside a single
+                  // transaction to prevent race conditions, and running several uploads in rapid
+                  // succession will likely overwhelm the MarksDB upload server, which recommends a
+                  // maximum upload frequency of every 3 hours.
+                  //
+                  // See:
+                  // https://datatracker.ietf.org/doc/html/draft-ietf-regext-tmch-func-spec-01#section-5.2.3.3
+                  List<Domain> domains =
+                      tm().createQueryComposer(Domain.class)
+                          .where("lordnPhase", EQ, LordnPhase.valueOf(Ascii.toUpperCase(phase)))
+                          .where("tld", EQ, tld)
+                          .orderBy("creationTime")
+                          .list();
+                  if (domains.isEmpty()) {
+                    return Optional.empty();
+                  }
+                  StringBuilder csv = new StringBuilder();
+                  ImmutableList.Builder<Domain> newDomains = new ImmutableList.Builder<>();

-              domains.forEach(
-                  domain -> {
-                    if (phase.equals(PARAM_LORDN_PHASE_SUNRISE)) {
-                      csv.append(getCsvLineForSunriseDomain(domain)).append('\n');
-                    } else {
-                      csv.append(getCsvLineForClaimsDomain(domain)).append('\n');
-                    }
-                    Domain newDomain = domain.asBuilder().setLordnPhase(LordnPhase.NONE).build();
-                    newDomains.add(newDomain);
-                  });
-              String columns =
-                  phase.equals(PARAM_LORDN_PHASE_SUNRISE) ? COLUMNS_SUNRISE : COLUMNS_CLAIMS;
-              String header =
-                  String.format("1,%s,%d\n%s\n", clock.nowUtc(), domains.size(), columns);
-              try {
-                uploadCsvToLordn(String.format("/LORDN/%s/%s", tld, phase), header + csv);
-              } catch (IOException | GeneralSecurityException e) {
-                throw new RuntimeException(e);
-              }
-              tm().updateAll(newDomains.build());
-            });
+                  domains.forEach(
+                      domain -> {
+                        if (phase.equals(PARAM_LORDN_PHASE_SUNRISE)) {
+                          csv.append(getCsvLineForSunriseDomain(domain)).append('\n');
+                        } else {
+                          csv.append(getCsvLineForClaimsDomain(domain)).append('\n');
+                        }
+                        Domain newDomain =
+                            domain.asBuilder().setLordnPhase(LordnPhase.NONE).build();
+                        newDomains.add(newDomain);
+                      });
+                  String columns =
+                      phase.equals(PARAM_LORDN_PHASE_SUNRISE) ? COLUMNS_SUNRISE : COLUMNS_CLAIMS;
+                  String header =
+                      String.format("1,%s,%d\n%s\n", clock.nowUtc(), domains.size(), columns);
+                  try {
+                    URL url =
+                        uploadCsvToLordn(String.format("/LORDN/%s/%s", tld, phase), header + csv);
+                    tm().updateAll(newDomains.build());
+                    return Optional.of(url);
+                  } catch (IOException | GeneralSecurityException e) {
+                    throw new RuntimeException(e);
+                  }
+                });
+    uploadUrl.ifPresent(
+        url -> cloudTasksUtils.enqueue(NordnVerifyAction.QUEUE, makeVerifyTask(url)));
  }

  /**
@@ -186,7 +194,7 @@ public final class NordnUploadAction implements Runnable {
   * @see <a href="http://tools.ietf.org/html/draft-lozano-tmch-func-spec-08#section-6.3">TMCH
   *     functional specifications - LORDN File</a>
   */
-  private void uploadCsvToLordn(String urlPath, String csvData)
+  private URL uploadCsvToLordn(String urlPath, String csvData)
      throws IOException, GeneralSecurityException {
    String url = tmchMarksdbUrl + urlPath;
    logger.atInfo().log(
@@ -222,7 +230,7 @@ public final class NordnUploadAction implements Runnable {
                actionLogId),
            connection);
      }
-      cloudTasksUtils.enqueue(NordnVerifyAction.QUEUE, makeVerifyTask(new URL(location)));
+      return new URL(location);
    } catch (IOException e) {
      throw new IOException(String.format("Error connecting to MarksDB at URL %s", url), e);
    } finally {
--- a/core/src/main/java/google/registry/tools/CreateRegistrarCommand.java
+++ b/core/src/main/java/google/registry/tools/CreateRegistrarCommand.java
@@ -30,8 +30,8 @@ import com.beust.jcommander.Parameter;
 import com.beust.jcommander.Parameters;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Streams;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.registrar.Registrar;
+import google.registry.util.RegistryEnvironment;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
--- a/core/src/main/java/google/registry/tools/RegistryToolEnvironment.java
+++ b/core/src/main/java/google/registry/tools/RegistryToolEnvironment.java
@@ -21,8 +21,8 @@ import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Ascii;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
-import google.registry.config.RegistryEnvironment;
-import google.registry.config.SystemPropertySetter;
+import google.registry.util.RegistryEnvironment;
+import google.registry.util.SystemPropertySetter;

 /** Enum of production environments, used for the {@code --environment} flag. */
 public enum RegistryToolEnvironment {
--- a/core/src/main/java/google/registry/tools/SetupOteCommand.java
+++ b/core/src/main/java/google/registry/tools/SetupOteCommand.java
@@ -22,10 +22,10 @@ import com.beust.jcommander.Parameter;
 import com.beust.jcommander.Parameters;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.io.MoreFiles;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.OteAccountBuilder;
 import google.registry.tools.params.PathParameter;
 import google.registry.util.Clock;
+import google.registry.util.RegistryEnvironment;
 import google.registry.util.StringGenerator;
 import java.nio.file.Path;
 import java.util.ArrayList;
--- a/core/src/main/java/google/registry/tools/UpdateRegistrarCommand.java
+++ b/core/src/main/java/google/registry/tools/UpdateRegistrarCommand.java
@@ -18,8 +18,8 @@ import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
 import static google.registry.util.PreconditionsUtils.checkArgumentPresent;

 import com.beust.jcommander.Parameters;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.registrar.Registrar;
+import google.registry.util.RegistryEnvironment;
 import javax.annotation.Nullable;

 /** Command to update a Registrar. */
--- a/core/src/main/java/google/registry/tools/UpdateTldCommand.java
+++ b/core/src/main/java/google/registry/tools/UpdateTldCommand.java
@@ -25,10 +25,10 @@ import com.beust.jcommander.Parameter;
 import com.beust.jcommander.Parameters;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Maps;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.tld.Tld;
 import google.registry.model.tld.Tld.TldState;
 import google.registry.tools.params.StringListParameter;
+import google.registry.util.RegistryEnvironment;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
--- a/core/src/main/java/google/registry/tools/VerifyOteCommand.java
+++ b/core/src/main/java/google/registry/tools/VerifyOteCommand.java
@@ -25,9 +25,9 @@ import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Streams;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.registrar.Registrar;
 import google.registry.tools.server.VerifyOteAction;
+import google.registry.util.RegistryEnvironment;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Collection;
--- a/core/src/main/java/google/registry/ui/server/registrar/ConsoleOteSetupAction.java
+++ b/core/src/main/java/google/registry/ui/server/registrar/ConsoleOteSetupAction.java
@@ -15,8 +15,8 @@
 package google.registry.ui.server.registrar;

 import static com.google.common.base.Preconditions.checkState;
-import static google.registry.config.RegistryEnvironment.PRODUCTION;
 import static google.registry.ui.server.SoyTemplateUtils.CSS_RENAMING_MAP_SUPPLIER;
+import static google.registry.util.RegistryEnvironment.PRODUCTION;
 import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;

 import com.google.common.base.Ascii;
@@ -24,7 +24,6 @@ import com.google.common.base.Supplier;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.flogger.FluentLogger;
 import com.google.template.soy.tofu.SoyTofu;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.OteAccountBuilder;
 import google.registry.request.Action;
 import google.registry.request.Action.Method;
@@ -34,6 +33,7 @@ import google.registry.request.auth.AuthenticatedRegistrarAccessor;
 import google.registry.ui.server.SendEmailUtils;
 import google.registry.ui.server.SoyTemplateUtils;
 import google.registry.ui.soy.registrar.OteSetupConsoleSoyInfo;
+import google.registry.util.RegistryEnvironment;
 import google.registry.util.StringGenerator;
 import java.util.HashMap;
 import java.util.Optional;
--- a/core/src/main/java/google/registry/ui/server/registrar/ConsoleRegistrarCreatorAction.java
+++ b/core/src/main/java/google/registry/ui/server/registrar/ConsoleRegistrarCreatorAction.java
@@ -26,7 +26,6 @@ import com.google.common.base.Splitter;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.flogger.FluentLogger;
 import com.google.template.soy.tofu.SoyTofu;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.Registrar.State;
 import google.registry.model.registrar.RegistrarAddress;
@@ -44,6 +43,7 @@ import google.registry.ui.soy.registrar.ConsoleSoyInfo;
 import google.registry.ui.soy.registrar.ConsoleUtilsSoyInfo;
 import google.registry.ui.soy.registrar.FormsSoyInfo;
 import google.registry.ui.soy.registrar.RegistrarCreateConsoleSoyInfo;
+import google.registry.util.RegistryEnvironment;
 import google.registry.util.StringGenerator;
 import java.util.HashMap;
 import java.util.Optional;
--- a/core/src/main/java/google/registry/ui/server/registrar/ConsoleUiAction.java
+++ b/core/src/main/java/google/registry/ui/server/registrar/ConsoleUiAction.java
@@ -27,7 +27,6 @@ import com.google.common.flogger.FluentLogger;
 import com.google.template.soy.data.SoyMapData;
 import com.google.template.soy.tofu.SoyTofu;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
@@ -36,6 +35,7 @@ import google.registry.request.auth.AuthenticatedRegistrarAccessor.RegistrarAcce
 import google.registry.request.auth.AuthenticatedRegistrarAccessor.Role;
 import google.registry.ui.server.SoyTemplateUtils;
 import google.registry.ui.soy.registrar.ConsoleSoyInfo;
+import google.registry.util.RegistryEnvironment;
 import java.util.HashMap;
 import java.util.Optional;
 import javax.inject.Inject;
--- a/core/src/main/java/google/registry/ui/server/registrar/RegistrarSettingsAction.java
+++ b/core/src/main/java/google/registry/ui/server/registrar/RegistrarSettingsAction.java
@@ -18,11 +18,11 @@ import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.collect.ImmutableList.toImmutableList;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static com.google.common.collect.Sets.difference;
-import static google.registry.config.RegistryEnvironment.PRODUCTION;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.security.JsonResponseHelper.Status.ERROR;
 import static google.registry.security.JsonResponseHelper.Status.SUCCESS;
 import static google.registry.util.PreconditionsUtils.checkArgumentPresent;
+import static google.registry.util.RegistryEnvironment.PRODUCTION;

 import com.google.auto.value.AutoValue;
 import com.google.common.base.Ascii;
@@ -37,7 +37,6 @@ import com.google.common.collect.Sets;
 import com.google.common.collect.Streams;
 import com.google.common.flogger.FluentLogger;
 import google.registry.batch.CloudTasksUtils;
-import google.registry.config.RegistryEnvironment;
 import google.registry.export.sheet.SyncRegistrarsSheetAction;
 import google.registry.flows.certs.CertificateChecker;
 import google.registry.flows.certs.CertificateChecker.InsecureCertificateException;
@@ -61,6 +60,7 @@ import google.registry.ui.server.RegistrarFormFields;
 import google.registry.ui.server.SendEmailUtils;
 import google.registry.util.CollectionUtils;
 import google.registry.util.DiffUtils;
+import google.registry.util.RegistryEnvironment;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.Map;
--- a/core/src/main/resources/META-INF/persistence.xml
+++ b/core/src/main/resources/META-INF/persistence.xml
@@ -38,6 +38,7 @@

    <mapping-file>META-INF/orm.xml</mapping-file>

+    <class>google.registry.bsa.persistence.BsaDomainRefresh</class>
    <class>google.registry.bsa.persistence.BsaDownload</class>
    <class>google.registry.bsa.persistence.BsaLabel</class>
    <class>google.registry.bsa.persistence.BsaDomainInUse</class>
--- a/core/src/test/java/google/registry/batch/DeleteProberDataActionTest.java
+++ b/core/src/test/java/google/registry/batch/DeleteProberDataActionTest.java
@@ -33,7 +33,6 @@ import static org.joda.time.DateTimeZone.UTC;
 import static org.junit.jupiter.api.Assertions.assertThrows;

 import com.google.common.collect.ImmutableSet;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.ImmutableObject;
 import google.registry.model.billing.BillingBase.Reason;
 import google.registry.model.billing.BillingEvent;
@@ -47,6 +46,7 @@ import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationTestExtension;
 import google.registry.testing.DatabaseHelper;
 import google.registry.testing.SystemPropertyExtension;
+import google.registry.util.RegistryEnvironment;
 import java.util.Optional;
 import java.util.Set;
 import org.joda.money.Money;
--- a/core/src/test/java/google/registry/batch/ResaveAllEppResourcesPipelineActionTest.java
+++ b/core/src/test/java/google/registry/batch/ResaveAllEppResourcesPipelineActionTest.java
@@ -25,8 +25,8 @@ import com.google.api.services.dataflow.model.LaunchFlexTemplateParameter;
 import com.google.api.services.dataflow.model.LaunchFlexTemplateRequest;
 import com.google.common.collect.ImmutableMap;
 import google.registry.beam.BeamActionTestBase;
-import google.registry.config.RegistryEnvironment;
 import google.registry.testing.FakeClock;
+import google.registry.util.RegistryEnvironment;
 import org.junit.jupiter.api.Test;

 /** Unit tests for {@link ResaveAllEppResourcesPipelineAction}. */
--- a/core/src/test/java/google/registry/beam/common/RegistryPipelineOptionsTest.java
+++ b/core/src/test/java/google/registry/beam/common/RegistryPipelineOptionsTest.java
@@ -18,10 +18,10 @@ import static com.google.common.truth.Truth.assertThat;
 import static google.registry.beam.common.RegistryPipelineOptions.validateRegistryPipelineOptions;
 import static org.junit.jupiter.api.Assertions.assertThrows;

-import google.registry.config.RegistryEnvironment;
 import google.registry.persistence.PersistenceModule.JpaTransactionManagerType;
 import google.registry.persistence.PersistenceModule.TransactionIsolationLevel;
 import google.registry.testing.SystemPropertyExtension;
+import google.registry.util.RegistryEnvironment;
 import org.apache.beam.sdk.options.PipelineOptionsFactory;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
--- a/core/src/test/java/google/registry/bsa/persistence/BsaDomainRefreshTest.java
+++ b/core/src/test/java/google/registry/bsa/persistence/BsaDomainRefreshTest.java
@@ -0,0 +1,54 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.persistence;
+
+import static com.google.common.truth.Truth.assertThat;
+import static google.registry.bsa.persistence.BsaDomainRefresh.Stage.MAKE_DIFF;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+import static org.joda.time.DateTimeZone.UTC;
+
+import google.registry.persistence.transaction.JpaTestExtensions;
+import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationWithCoverageExtension;
+import google.registry.testing.FakeClock;
+import org.joda.time.DateTime;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+/** Unit test for {@link BsaDomainRefresh}. */
+public class BsaDomainRefreshTest {
+
+  protected FakeClock fakeClock = new FakeClock(DateTime.now(UTC));
+
+  @RegisterExtension
+  final JpaIntegrationWithCoverageExtension jpa =
+      new JpaTestExtensions.Builder().withClock(fakeClock).buildIntegrationWithCoverageExtension();
+
+  @Test
+  void saveJob() {
+    BsaDomainRefresh persisted =
+        tm().transact(() -> tm().getEntityManager().merge(new BsaDomainRefresh()));
+    assertThat(persisted.jobId).isNotNull();
+    assertThat(persisted.creationTime.getTimestamp()).isEqualTo(fakeClock.nowUtc());
+    assertThat(persisted.stage).isEqualTo(MAKE_DIFF);
+  }
+
+  @Test
+  void loadJobByKey() {
+    BsaDomainRefresh persisted =
+        tm().transact(() -> tm().getEntityManager().merge(new BsaDomainRefresh()));
+    assertThat(tm().transact(() -> tm().loadByKey(BsaDomainRefresh.vKey(persisted))))
+        .isEqualTo(persisted);
+  }
+}
--- a/core/src/test/java/google/registry/model/registrar/RegistrarTest.java
+++ b/core/src/test/java/google/registry/model/registrar/RegistrarTest.java
@@ -201,6 +201,23 @@ class RegistrarTest extends EntityTestCase {
        () -> new Registrar.Builder().setRegistrarId("abcdefghijklmnopq"));
  }

+  @Test
+  void testFailure_duplicateIanaId() {
+    persistResource(
+        registrar.asBuilder().setRegistrarId("registrar1").setIanaIdentifier(10L).build());
+
+    IllegalArgumentException thrown =
+        assertThrows(
+            IllegalArgumentException.class,
+            () ->
+                registrar.asBuilder().setRegistrarId("registrar2").setIanaIdentifier(10L).build());
+
+    assertThat(thrown)
+        .hasMessageThat()
+        .contains(
+            "Rejected attempt to create a registrar with ianaId that's already in the system");
+  }
+
  @Test
  void testSetCertificateHash_alsoSetsHash() {
    registrar = registrar.asBuilder().setClientCertificate(null, fakeClock.nowUtc()).build();
--- a/core/src/test/java/google/registry/persistence/transaction/JpaTransactionManagerExtension.java
+++ b/core/src/test/java/google/registry/persistence/transaction/JpaTransactionManagerExtension.java
@@ -105,6 +105,7 @@ public abstract class JpaTransactionManagerExtension
  // reused between test methods if the requested schema remains the same.
  private static EntityManagerFactory emf;
  // Hash of the ORM entity names in the current schema in the test db.
+
  private static int emfEntityHash;

  private JpaTransactionManager cachedTm;
--- a/core/src/test/java/google/registry/schema/integration/SqlIntegrationTestSuite.java
+++ b/core/src/test/java/google/registry/schema/integration/SqlIntegrationTestSuite.java
@@ -17,6 +17,7 @@ package google.registry.schema.integration;
 import static com.google.common.truth.Truth.assert_;

 import google.registry.bsa.persistence.BsaDomainInUseTest;
+import google.registry.bsa.persistence.BsaDomainRefreshTest;
 import google.registry.bsa.persistence.BsaDownloadTest;
 import google.registry.bsa.persistence.BsaLabelTest;
 import google.registry.model.billing.BillingBaseTest;
@@ -86,6 +87,7 @@ import org.junit.runner.RunWith;
  AllocationTokenTest.class,
  BillingBaseTest.class,
  BsaDomainInUseTest.class,
+  BsaDomainRefreshTest.class,
  BsaDownloadTest.class,
  BsaLabelTest.class,
  BulkPricingPackageTest.class,
--- a/core/src/test/java/google/registry/testing/DatabaseHelper.java
+++ b/core/src/test/java/google/registry/testing/DatabaseHelper.java
@@ -778,7 +778,7 @@ public final class DatabaseHelper {

  /** Persists and returns a {@link Registrar} with the specified registrarId. */
  public static Registrar persistNewRegistrar(String registrarId) {
-    return persistNewRegistrar(registrarId, registrarId + " name", Registrar.Type.REAL, 100L);
+    return persistNewRegistrar(registrarId, registrarId + " name", Registrar.Type.REAL, 8L);
  }

  /** Persists and returns a list of {@link Registrar}s with the specified registrarIds. */
--- a/core/src/test/java/google/registry/testing/SystemPropertyExtension.java
+++ b/core/src/test/java/google/registry/testing/SystemPropertyExtension.java
@@ -17,7 +17,7 @@ package google.registry.testing;
 import static com.google.common.base.Preconditions.checkNotNull;
 import static com.google.common.base.Preconditions.checkState;

-import google.registry.config.SystemPropertySetter;
+import google.registry.util.SystemPropertySetter;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
--- a/core/src/test/java/google/registry/tools/ConfigureTldCommandTest.java
+++ b/core/src/test/java/google/registry/tools/ConfigureTldCommandTest.java
@@ -29,6 +29,7 @@ import static java.nio.charset.StandardCharsets.UTF_8;
 import static java.util.logging.Level.INFO;
 import static org.joda.money.CurrencyUnit.JPY;
 import static org.joda.money.CurrencyUnit.USD;
+import static org.joda.time.DateTimeZone.UTC;
 import static org.junit.jupiter.api.Assertions.assertThrows;

 import com.fasterxml.jackson.core.JsonProcessingException;
@@ -46,11 +47,11 @@ import google.registry.model.tld.Tld.TldNotFoundException;
 import google.registry.model.tld.label.PremiumList;
 import google.registry.model.tld.label.PremiumListDao;
 import java.io.File;
+import java.math.BigDecimal;
 import java.util.Optional;
 import java.util.logging.Logger;
 import org.joda.money.Money;
 import org.joda.time.DateTime;
-import org.joda.time.DateTimeZone;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
@@ -91,6 +92,18 @@ public class ConfigureTldCommandTest extends CommandTestCase<ConfigureTldCommand
    assertThat(tld.getBreakglassMode()).isFalse();
  }

+  @Test
+  void testSuccess_createNewTldJPY() throws Exception {
+    File tldFile = tmpDir.resolve("jpy.yaml").toFile();
+    Files.asCharSink(tldFile, UTF_8).write(loadFile(getClass(), "jpy.yaml"));
+    runCommandForced("--input=" + tldFile);
+    Tld tld = Tld.get("jpy");
+    assertThat(tld).isNotNull();
+    assertThat(tld.getCreateBillingCost()).isEqualTo(Money.of(JPY, new BigDecimal("250")));
+    assertThat(tld.getEapFeeFor(DateTime.now(UTC)).getCost()).isEqualTo(new BigDecimal(0));
+    testTldConfiguredSuccessfully(tld, "jpy.yaml");
+  }
+
  @Test
  void testSuccess_updateTld() throws Exception {
    Tld tld = createTld("tld");
@@ -108,7 +121,7 @@ public class ConfigureTldCommandTest extends CommandTestCase<ConfigureTldCommand
  @Test
  void testSuccess_updateTld_existingBsaTimeCarriedOver() throws Exception {
    Tld tld = createTld("tld");
-    DateTime bsaStartTime = DateTime.now(DateTimeZone.UTC);
+    DateTime bsaStartTime = DateTime.now(UTC);
    persistResource(tld.asBuilder().setBsaEnrollStartTime(Optional.of(bsaStartTime)).build());
    File tldFile = tmpDir.resolve("tld.yaml").toFile();
    Files.asCharSink(tldFile, UTF_8).write(loadFile(getClass(), "tld.yaml"));
--- a/core/src/test/java/google/registry/ui/server/registrar/ConsoleOteSetupActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/registrar/ConsoleOteSetupActionTest.java
@@ -30,7 +30,6 @@ import com.google.appengine.api.users.UserServiceFactory;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSetMultimap;
-import google.registry.config.RegistryEnvironment;
 import google.registry.groups.GmailClient;
 import google.registry.model.tld.Tld;
 import google.registry.persistence.transaction.JpaTestExtensions;
@@ -47,6 +46,7 @@ import google.registry.testing.SystemPropertyExtension;
 import google.registry.testing.UserServiceExtension;
 import google.registry.ui.server.SendEmailUtils;
 import google.registry.util.EmailMessage;
+import google.registry.util.RegistryEnvironment;
 import java.util.Optional;
 import javax.mail.internet.InternetAddress;
 import javax.servlet.http.HttpServletRequest;
--- a/core/src/test/java/google/registry/ui/server/registrar/ConsoleRegistrarCreatorActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/registrar/ConsoleRegistrarCreatorActionTest.java
@@ -28,7 +28,6 @@ import com.google.appengine.api.users.UserServiceFactory;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSetMultimap;
-import google.registry.config.RegistryEnvironment;
 import google.registry.groups.GmailClient;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarAddress;
@@ -47,6 +46,7 @@ import google.registry.testing.SystemPropertyExtension;
 import google.registry.testing.UserServiceExtension;
 import google.registry.ui.server.SendEmailUtils;
 import google.registry.util.EmailMessage;
+import google.registry.util.RegistryEnvironment;
 import java.util.Optional;
 import javax.mail.internet.InternetAddress;
 import javax.servlet.http.HttpServletRequest;
--- a/core/src/test/java/google/registry/ui/server/registrar/RegistrarSettingsActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/registrar/RegistrarSettingsActionTest.java
@@ -30,7 +30,6 @@ import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.ImmutableSetMultimap;
 import com.google.common.collect.Maps;
 import com.google.common.collect.Sets;
-import google.registry.config.RegistryEnvironment;
 import google.registry.export.sheet.SyncRegistrarsSheetAction;
 import google.registry.model.registrar.Registrar;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor;
@@ -40,6 +39,7 @@ import google.registry.testing.CloudTasksHelper.TaskMatcher;
 import google.registry.testing.SystemPropertyExtension;
 import google.registry.util.CidrAddressBlock;
 import google.registry.util.EmailMessage;
+import google.registry.util.RegistryEnvironment;
 import java.util.Map;
 import java.util.function.BiFunction;
 import java.util.function.Function;
--- a/core/src/test/resources/google/registry/tools/jpy.yaml
+++ b/core/src/test/resources/google/registry/tools/jpy.yaml
@@ -0,0 +1,55 @@
+addGracePeriodLength: "PT432000S"
+allowedFullyQualifiedHostNames: []
+allowedRegistrantContactIds: []
+anchorTenantAddGracePeriodLength: "PT2592000S"
+autoRenewGracePeriodLength: "PT3888000S"
+automaticTransferLength: "PT432000S"
+claimsPeriodEnd: "294247-01-10T04:00:54.775Z"
+createBillingCost:
+  currency: "JPY"
+  amount: 250
+creationTime: "2022-09-01T00:00:00.000Z"
+currency: "JPY"
+defaultPromoTokens: []
+dnsAPlusAaaaTtl: "PT900S"
+dnsDsTtl: null
+dnsNsTtl: null
+dnsPaused: false
+dnsWriters:
+- "VoidDnsWriter"
+driveFolderId: "driveFolder"
+eapFeeSchedule:
+  "1970-01-01T00:00:00.000Z":
+    currency: "JPY"
+    amount: 0
+escrowEnabled: false
+idnTables: []
+invoicingEnabled: false
+lordnUsername: null
+numDnsPublishLocks: 1
+pendingDeleteLength: "PT432000S"
+premiumListName: null
+pricingEngineClassName: "google.registry.model.pricing.StaticPremiumListPricingEngine"
+redemptionGracePeriodLength: "PT2592000S"
+registryLockOrUnlockBillingCost:
+  currency: "JPY"
+  amount: 0
+renewBillingCostTransitions:
+  "1970-01-01T00:00:00.000Z":
+    currency: "JPY"
+    amount: 100
+renewGracePeriodLength: "PT432000S"
+reservedListNames: []
+restoreBillingCost:
+  currency: "JPY"
+  amount: 70
+roidSuffix: "JPY"
+serverStatusChangeBillingCost:
+  currency: "JPY"
+  amount: 100
+tldStateTransitions:
+  "1970-01-01T00:00:00.000Z": "GENERAL_AVAILABILITY"
+tldStr: "jpy"
+tldType: "REAL"
+tldUnicode: "jpy"
+transferGracePeriodLength: "PT432000S"
--- a/db/src/main/resources/sql/schema/db-schema.sql.generated
+++ b/db/src/main/resources/sql/schema/db-schema.sql.generated
@@ -93,6 +93,14 @@
        primary key (label, tld)
    );

+    create table "BsaDomainRefresh" (
+       job_id  bigserial not null,
+        creation_time timestamptz not null,
+        stage text not null,
+        update_timestamp timestamptz,
+        primary key (job_id)
+    );
+
    create table "BsaDownload" (
       job_id  bigserial not null,
        block_list_checksums text not null,
--- a/proxy/kubernetes/proxy-service.yaml
+++ b/proxy/kubernetes/proxy-service.yaml
@@ -46,5 +46,5 @@ spec:
    apiVersion: apps/v1
    kind: Deployment
    name: proxy-deployment
-  maxReplicas: 10
-  minReplicas: 1
+  maxReplicas: 50
+  minReplicas: 10
--- a/util/src/main/java/google/registry/util/PasswordUtils.java
+++ b/util/src/main/java/google/registry/util/PasswordUtils.java
@@ -22,6 +22,7 @@ import static java.nio.charset.StandardCharsets.US_ASCII;
 import com.google.common.base.Supplier;
 import com.google.common.base.Suppliers;
 import com.google.common.flogger.FluentLogger;
+import com.google.common.primitives.Bytes;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
@@ -68,15 +69,22 @@ public final class PasswordUtils {
            .digest((new String(password, US_ASCII) + base64().encode(salt)).getBytes(US_ASCII));
      }
    },
+
    /**
     * Memory-hard hashing algorithm, preferred over SHA-256.
     *
+     * <p>Note that in tests, we simply concatenate the password and salt which is much faster and
+     * reduces the overall test run time by a half. Our tests are not verifying that SCRYPT is
+     * implemented correctly anyway.
+     *
     * @see <a href="https://en.wikipedia.org/wiki/Scrypt">Scrypt</a>
     */
    SCRYPT {
      @Override
      byte[] hash(byte[] password, byte[] salt) {
-        return SCrypt.generate(password, salt, 32768, 8, 1, 256);
+        return RegistryEnvironment.get() == RegistryEnvironment.UNITTEST
+            ? Bytes.concat(password, salt)
+            : SCrypt.generate(password, salt, 32768, 8, 1, 256);
      }
    };

--- a/core/src/main/java/google/registry/config/RegistryEnvironment.java
+++ b/core/src/main/java/google/registry/config/RegistryEnvironment.java
@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-package google.registry.config;
+package google.registry.util;

 import com.google.common.base.Ascii;

--- a/core/src/main/java/google/registry/config/SystemPropertySetter.java
+++ b/core/src/main/java/google/registry/config/SystemPropertySetter.java
@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-package google.registry.config;
+package google.registry.util;

 import javax.annotation.Nullable;

--- a/core/src/test/java/google/registry/config/RegistryEnvironmentTest.java
+++ b/core/src/test/java/google/registry/config/RegistryEnvironmentTest.java
@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-package google.registry.config;
+package google.registry.util;

 import org.junit.jupiter.api.Test;
Author	SHA1	Message	Date
Lai Jiang	42b508427b	Bypass SCRYPT hashing in tests (#2262 ) SCRYPT is much computationally heavier than SHA265 (by design), which resulted in test run time doubling due to most tests initializing canned data that uses hashing. Since out tests are not verifying the correctness of a specific hashing algorithm anyway, this PR makes it so that simple concatenation is used in tests. Also moved RegistryEnvironment to the util subproject so it can be called by PasswordUtils, which makes sense as it is a utility class.	2023-12-21 16:17:37 -05:00
sarahcaseybot	20b5b43501	Add type conversion to TimedTransitionProperty<Money> deserializer to handle JPY currency (#2258 ) * Add BigInt conversion to TimedTransitionProperty<Money> deserializer to handle JPY currency * Remove unnecessary lines in test * Add eap schedule check * Don't use raw LinkedHashMap type * add timezone	2023-12-21 12:59:54 -05:00
Lai Jiang	08285f5de7	Greatly increase the upper limit of proxy instances in production (#2259 ) From our investigation, the Monday night WHOIS storm does not cause any strain to the backend system. The backend latency metrics are all well within the limits. The latency measured from the proxy matches observed latency by the prober, and we see that the "used" CPU is 1.5x of "requested" CPU during the time when the latency is above the threshold. Making this change hopefully removes the proxy as the bottleneck and ameliorate the pages.	2023-12-20 15:37:29 -05:00
Pavlo Tkach	fb4c5b457d	Prevent reusing ianaId for real registrars (#2257 )	2023-12-20 15:20:04 -05:00
Pavlo Tkach	781c212275	Add IcannHttpReporter failed response logging (#2252 )	2023-12-18 11:03:33 -05:00
Weimin Yu	c73f7a6bd3	Add the BsaDomainRefresh entity (#2250 ) Add the BsaDomainRefresh class which tracks the refresh actions. The refresh actions checks for changes in the set of registered and reserved domains, which are called unblockables to BSA.	2023-12-13 16:08:37 -05:00
Lai Jiang	8d793b2349	Do not double-enqueue NordnVerifyAction (#2253 ) Currently, a verify action is enqueued every time the upload method succeeds. Because the upload job is wrapped in a transaction, the same task will be enqueued again if the transaction retries. We cannot move the upload method outside the transaction because the read-upload-write logic needs to be atomic, and the upload part itself is idempotent (therefore retri-able). We can, however, move the enqueuing part outside the transaction as we only need to enqueue the verify task once the transaction succeeds. This should fix the issue where multiple verify jobs try to hit the same marksdb endpoints, resulting in 429 (Too Many Requests) errors.	2023-12-12 16:00:35 -05:00