Rename whitelist -> allow list (#635)
* Rename whitelist -> allow list * Merge branch 'master' into allowlist-denylist
|
@ -246,28 +246,32 @@ public class DeleteProberDataAction implements Runnable {
|
|||
}
|
||||
|
||||
private void softDeleteDomain(final DomainBase domain) {
|
||||
tm().transactNew(() -> {
|
||||
DomainBase deletedDomain = domain
|
||||
.asBuilder()
|
||||
.setDeletionTime(tm().getTransactionTime())
|
||||
.setStatusValues(null)
|
||||
.build();
|
||||
HistoryEntry historyEntry = new HistoryEntry.Builder()
|
||||
.setParent(domain)
|
||||
.setType(DOMAIN_DELETE)
|
||||
.setModificationTime(tm().getTransactionTime())
|
||||
.setBySuperuser(true)
|
||||
.setReason("Deletion of prober data")
|
||||
.setClientId(registryAdminClientId)
|
||||
.build();
|
||||
// Note that we don't bother handling grace periods, billing events, pending transfers,
|
||||
// poll messages, or auto-renews because these will all be hard-deleted the next time the
|
||||
// mapreduce runs anyway.
|
||||
ofy().save().entities(deletedDomain, historyEntry);
|
||||
updateForeignKeyIndexDeletionTime(deletedDomain);
|
||||
dnsQueue.addDomainRefreshTask(deletedDomain.getDomainName());
|
||||
}
|
||||
);
|
||||
tm().transactNew(
|
||||
() -> {
|
||||
DomainBase deletedDomain =
|
||||
domain
|
||||
.asBuilder()
|
||||
.setDeletionTime(tm().getTransactionTime())
|
||||
.setStatusValues(null)
|
||||
.build();
|
||||
HistoryEntry historyEntry =
|
||||
new HistoryEntry.Builder()
|
||||
.setParent(domain)
|
||||
.setType(DOMAIN_DELETE)
|
||||
.setModificationTime(tm().getTransactionTime())
|
||||
.setBySuperuser(true)
|
||||
.setReason("Deletion of prober data")
|
||||
.setClientId(registryAdminClientId)
|
||||
.build();
|
||||
// Note that we don't bother handling grace periods, billing events, pending
|
||||
// transfers,
|
||||
// poll messages, or auto-renews because these will all be hard-deleted the next
|
||||
// time the
|
||||
// mapreduce runs anyway.
|
||||
ofy().save().entities(deletedDomain, historyEntry);
|
||||
updateForeignKeyIndexDeletionTime(deletedDomain);
|
||||
dnsQueue.addDomainRefreshTask(deletedDomain.getDomainName());
|
||||
});
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -215,8 +215,7 @@ public class DnsUpdateWriter extends BaseDnsWriter {
|
|||
|
||||
private void addInBailiwickNameServerSet(DomainBase domain, Update update) {
|
||||
for (String hostName :
|
||||
intersection(
|
||||
domain.loadNameserverHostNames(), domain.getSubordinateHosts())) {
|
||||
intersection(domain.loadNameserverHostNames(), domain.getSubordinateHosts())) {
|
||||
Optional<HostResource> host = loadByForeignKey(HostResource.class, hostName, clock.nowUtc());
|
||||
checkState(host.isPresent(), "Host %s cannot be loaded", hostName);
|
||||
update.add(makeAddressSet(host.get()));
|
||||
|
|
|
@ -284,7 +284,7 @@
|
|||
<description>
|
||||
Checks if the monthly ICANN reports have been successfully uploaded. If they have not, attempts to upload them again.
|
||||
Most of the time, this job should not do anything since the uploads are triggered when the reports are staged.
|
||||
However, in the event that an upload failed for any reason (e.g. ICANN server is down, IP whitelist issues),
|
||||
However, in the event that an upload failed for any reason (e.g. ICANN server is down, IP allow list issues),
|
||||
this cron job will continue to retry uploads daily until they succeed.
|
||||
</description>
|
||||
<schedule>every day 15:00</schedule>
|
||||
|
|
|
@ -84,8 +84,7 @@ class SyncRegistrarsSheet {
|
|||
public int compare(Registrar left, Registrar right) {
|
||||
return left.getClientId().compareTo(right.getClientId());
|
||||
}
|
||||
}.immutableSortedCopy(Registrar.loadAllCached())
|
||||
.stream()
|
||||
}.immutableSortedCopy(Registrar.loadAllCached()).stream()
|
||||
.filter(
|
||||
registrar ->
|
||||
registrar.getType() == Registrar.Type.REAL
|
||||
|
@ -149,7 +148,7 @@ class SyncRegistrarsSheet {
|
|||
builder.put("allowedTlds", convert(registrar.getAllowedTlds()));
|
||||
builder.put("whoisServer", convert(registrar.getWhoisServer()));
|
||||
builder.put("blockPremiumNames", convert(registrar.getBlockPremiumNames()));
|
||||
builder.put("ipAddressWhitelist", convert(registrar.getIpAddressWhitelist()));
|
||||
builder.put("ipAddressAllowList", convert(registrar.getIpAddressAllowList()));
|
||||
builder.put("url", convert(registrar.getUrl()));
|
||||
builder.put("referralUrl", convert(registrar.getUrl()));
|
||||
builder.put("icannReferralEmail", convert(registrar.getIcannReferralEmail()));
|
||||
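Review bot: The map key in the second hunk changes from `"ipAddressWhitelist"` to `"ipAddressAllowList"`, and nothing visible on this page updates the spreadsheet side. If the sync matches these keys against the sheet's header row (not shown here), the IP allow list column would stop being populated until the header is renamed as well. A comment above the `builder.put` calls would make that coupling explicit, e.g. `// Keys are matched against the sheet's column headers; rename both together.`, once confirmed against the sheet-writing code. Separately, the unchanged line `builder.put("referralUrl", convert(registrar.getUrl()));` fills `referralUrl` from `getUrl()`, the same source as the `url` column above it; if that is deliberate it deserves a one-line comment, otherwise it looks like a copy-paste slip. The enclosing method starts and ends outside the hunk.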
|
|
|
@ -37,7 +37,7 @@ import javax.inject.Inject;
|
|||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
/**
|
||||
* Container and validation for TLS certificate and ip-whitelisting.
|
||||
* Container and validation for TLS certificate and IP-allow-listing.
|
||||
*
|
||||
* <p>Credentials are based on the following headers:
|
||||
*
|
||||
|
@ -48,7 +48,7 @@ import javax.servlet.http.HttpServletRequest;
|
|||
* band.
|
||||
* <dt>X-Forwarded-For
|
||||
* <dd>This field should contain the host and port of the connecting client. It is validated
|
||||
* during an EPP login command against an IP whitelist that is transmitted out of band.
|
||||
* during an EPP login command against an IP allow list that is transmitted out of band.
|
||||
* </dl>
|
||||
*/
|
||||
public class TlsCredentials implements TransportCredentials {
|
||||
|
@ -85,27 +85,28 @@ public class TlsCredentials implements TransportCredentials {
|
|||
}
|
||||
|
||||
/**
|
||||
* Verifies {@link #clientInetAddr} is in CIDR whitelist associated with {@code registrar}.
|
||||
* Verifies {@link #clientInetAddr} is in CIDR allow list associated with {@code registrar}.
|
||||
*
|
||||
* @throws BadRegistrarIpAddressException If IP address is not in the whitelist provided
|
||||
* @throws BadRegistrarIpAddressException If IP address is not in the allow list provided
|
||||
*/
|
||||
private void validateIp(Registrar registrar) throws AuthenticationErrorException {
|
||||
ImmutableList<CidrAddressBlock> ipWhitelist = registrar.getIpAddressWhitelist();
|
||||
if (ipWhitelist.isEmpty()) {
|
||||
ImmutableList<CidrAddressBlock> ipAddressAllowList = registrar.getIpAddressAllowList();
|
||||
if (ipAddressAllowList.isEmpty()) {
|
||||
logger.atInfo().log(
|
||||
"Skipping IP whitelist check because %s doesn't have an IP whitelist",
|
||||
"Skipping IP allow list check because %s doesn't have an IP allow list",
|
||||
registrar.getClientId());
|
||||
return;
|
||||
}
|
||||
for (CidrAddressBlock cidrAddressBlock : ipWhitelist) {
|
||||
for (CidrAddressBlock cidrAddressBlock : ipAddressAllowList) {
|
||||
if (cidrAddressBlock.contains(clientInetAddr)) {
|
||||
// IP address is in whitelist; return early.
|
||||
// IP address is in allow list; return early.
|
||||
return;
|
||||
}
|
||||
}
|
||||
logger.atInfo().log(
|
||||
"Authentication error: IP address %s is not whitelisted for registrar %s; whitelist is: %s",
|
||||
clientInetAddr, registrar.getClientId(), ipWhitelist);
|
||||
"Authentication error: IP address %s is not allow-listed for registrar %s; allow list is:"
|
||||
+ " %s",
|
||||
clientInetAddr, registrar.getClientId(), ipAddressAllowList);
|
||||
throw new BadRegistrarIpAddressException();
|
||||
}
|
||||
|
||||
|
@ -180,10 +181,10 @@ public class TlsCredentials implements TransportCredentials {
|
|||
}
|
||||
}
|
||||
|
||||
/** Registrar IP address is not in stored whitelist. */
|
||||
/** Registrar IP address is not in stored allow list. */
|
||||
public static class BadRegistrarIpAddressException extends AuthenticationErrorException {
|
||||
public BadRegistrarIpAddressException() {
|
||||
super("Registrar IP address is not in stored whitelist");
|
||||
super("Registrar IP address is not in stored allow list");
|
||||
}
|
||||
}
|
||||
|
||||
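Review bot: The Javadoc on `validateIp` says it verifies that `clientInetAddr` is in the registrar's CIDR allow list, but the method returns without checking anything when `getIpAddressAllowList()` is empty. A registrar with no list configured is therefore accepted from any address, and that fail-open case is visible only in the info log message. I would state it in the doc comment, e.g. `* <p>If the registrar has no allow list configured, the check is skipped and any client address is accepted.` The rejection branch also logs the registrar's full allow list at info level next to the rejected address; if those logs are readable more widely than registrar configuration, logging only `clientInetAddr` and `registrar.getClientId()` would be enough.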
|
|
|
@ -181,7 +181,7 @@ import org.joda.time.Duration;
|
|||
* @error {@link DomainFlowUtils.MissingRegistrantException}
|
||||
* @error {@link DomainFlowUtils.MissingTechnicalContactException}
|
||||
* @error {@link DomainFlowUtils.NameserversNotAllowedForTldException}
|
||||
* @error {@link DomainFlowUtils.NameserversNotSpecifiedForTldWithNameserverWhitelistException}
|
||||
* @error {@link DomainFlowUtils.NameserversNotSpecifiedForTldWithNameserverAllowListException}
|
||||
* @error {@link DomainFlowUtils.PremiumNameBlockedException}
|
||||
* @error {@link DomainFlowUtils.RegistrantNotAllowedException}
|
||||
* @error {@link DomainFlowUtils.RegistrarMustBeActiveForThisOperationException}
|
||||
|
|
|
@ -338,11 +338,11 @@ public class DomainFlowUtils {
|
|||
|
||||
static void validateNameserversCountForTld(String tld, InternetDomainName domainName, int count)
|
||||
throws EppException {
|
||||
// For TLDs with a nameserver whitelist, all domains must have at least 1 nameserver.
|
||||
ImmutableSet<String> tldNameserversWhitelist =
|
||||
// For TLDs with a nameserver allow list, all domains must have at least 1 nameserver.
|
||||
ImmutableSet<String> tldNameserversAllowList =
|
||||
Registry.get(tld).getAllowedFullyQualifiedHostNames();
|
||||
if (!tldNameserversWhitelist.isEmpty() && count == 0) {
|
||||
throw new NameserversNotSpecifiedForTldWithNameserverWhitelistException(
|
||||
if (!tldNameserversAllowList.isEmpty() && count == 0) {
|
||||
throw new NameserversNotSpecifiedForTldWithNameserverAllowListException(
|
||||
domainName.toString());
|
||||
}
|
||||
if (count > MAX_NAMESERVERS_PER_DOMAIN) {
|
||||
|
@ -398,21 +398,21 @@ public class DomainFlowUtils {
|
|||
|
||||
static void validateRegistrantAllowedOnTld(String tld, String registrantContactId)
|
||||
throws RegistrantNotAllowedException {
|
||||
ImmutableSet<String> whitelist = Registry.get(tld).getAllowedRegistrantContactIds();
|
||||
// Empty whitelist or null registrantContactId are ignored.
|
||||
ImmutableSet<String> allowedRegistrants = Registry.get(tld).getAllowedRegistrantContactIds();
|
||||
// Empty allow list or null registrantContactId are ignored.
|
||||
if (registrantContactId != null
|
||||
&& !whitelist.isEmpty()
|
||||
&& !whitelist.contains(registrantContactId)) {
|
||||
&& !allowedRegistrants.isEmpty()
|
||||
&& !allowedRegistrants.contains(registrantContactId)) {
|
||||
throw new RegistrantNotAllowedException(registrantContactId);
|
||||
}
|
||||
}
|
||||
|
||||
static void validateNameserversAllowedOnTld(String tld, Set<String> fullyQualifiedHostNames)
|
||||
throws EppException {
|
||||
ImmutableSet<String> whitelist = Registry.get(tld).getAllowedFullyQualifiedHostNames();
|
||||
ImmutableSet<String> allowedHostNames = Registry.get(tld).getAllowedFullyQualifiedHostNames();
|
||||
Set<String> hostnames = nullToEmpty(fullyQualifiedHostNames);
|
||||
if (!whitelist.isEmpty()) { // Empty whitelist is ignored.
|
||||
Set<String> disallowedNameservers = difference(hostnames, whitelist);
|
||||
if (!allowedHostNames.isEmpty()) { // Empty allow list is ignored.
|
||||
Set<String> disallowedNameservers = difference(hostnames, allowedHostNames);
|
||||
if (!disallowedNameservers.isEmpty()) {
|
||||
throw new NameserversNotAllowedForTldException(disallowedNameservers);
|
||||
}
|
||||
|
@ -1383,32 +1383,32 @@ public class DomainFlowUtils {
|
|||
}
|
||||
}
|
||||
|
||||
/** Registrant is not whitelisted for this TLD. */
|
||||
/** Registrant is not allow-listed for this TLD. */
|
||||
public static class RegistrantNotAllowedException extends StatusProhibitsOperationException {
|
||||
public RegistrantNotAllowedException(String contactId) {
|
||||
super(String.format("Registrant with id %s is not whitelisted for this TLD", contactId));
|
||||
super(String.format("Registrant with id %s is not allow-listed for this TLD", contactId));
|
||||
}
|
||||
}
|
||||
|
||||
/** Nameservers are not whitelisted for this TLD. */
|
||||
/** Nameservers are not allow-listed for this TLD. */
|
||||
public static class NameserversNotAllowedForTldException
|
||||
extends StatusProhibitsOperationException {
|
||||
public NameserversNotAllowedForTldException(Set<String> fullyQualifiedHostNames) {
|
||||
super(
|
||||
String.format(
|
||||
"Nameservers '%s' are not whitelisted for this TLD",
|
||||
"Nameservers '%s' are not allow-listed for this TLD",
|
||||
Joiner.on(',').join(fullyQualifiedHostNames)));
|
||||
}
|
||||
}
|
||||
|
||||
/** Nameservers not specified for domain on TLD with nameserver whitelist. */
|
||||
public static class NameserversNotSpecifiedForTldWithNameserverWhitelistException
|
||||
/** Nameservers not specified for domain on TLD with nameserver allow list. */
|
||||
public static class NameserversNotSpecifiedForTldWithNameserverAllowListException
|
||||
extends StatusProhibitsOperationException {
|
||||
public NameserversNotSpecifiedForTldWithNameserverWhitelistException(String domain) {
|
||||
public NameserversNotSpecifiedForTldWithNameserverAllowListException(String domain) {
|
||||
super(
|
||||
String.format(
|
||||
"At least one nameserver must be specified for domain %s"
|
||||
+ " on a TLD with nameserver whitelist",
|
||||
+ " on a TLD with nameserver allow list",
|
||||
domain));
|
||||
}
|
||||
}
|
||||
|
|
|
@ -118,12 +118,9 @@ public final class DomainInfoFlow implements Flow {
|
|||
infoBuilder
|
||||
.setStatusValues(domain.getStatusValues())
|
||||
.setContacts(loadForeignKeyedDesignatedContacts(domain.getContacts()))
|
||||
.setNameservers(hostsRequest.requestDelegated()
|
||||
? domain.loadNameserverHostNames()
|
||||
: null)
|
||||
.setSubordinateHosts(hostsRequest.requestSubordinate()
|
||||
? domain.getSubordinateHosts()
|
||||
: null)
|
||||
.setNameservers(hostsRequest.requestDelegated() ? domain.loadNameserverHostNames() : null)
|
||||
.setSubordinateHosts(
|
||||
hostsRequest.requestSubordinate() ? domain.getSubordinateHosts() : null)
|
||||
.setCreationClientId(domain.getCreationClientId())
|
||||
.setCreationTime(domain.getCreationTime())
|
||||
.setLastEppUpdateClientId(domain.getLastEppUpdateClientId())
|
||||
|
|
|
@ -57,6 +57,7 @@ import google.registry.flows.custom.DomainUpdateFlowCustomLogic.AfterValidationP
|
|||
import google.registry.flows.custom.DomainUpdateFlowCustomLogic.BeforeSaveParameters;
|
||||
import google.registry.flows.custom.EntityChanges;
|
||||
import google.registry.flows.domain.DomainFlowUtils.MissingRegistrantException;
|
||||
import google.registry.flows.domain.DomainFlowUtils.NameserversNotSpecifiedForTldWithNameserverAllowListException;
|
||||
import google.registry.model.ImmutableObject;
|
||||
import google.registry.model.billing.BillingEvent;
|
||||
import google.registry.model.billing.BillingEvent.Reason;
|
||||
|
@ -109,7 +110,7 @@ import org.joda.time.DateTime;
|
|||
* @error {@link DomainFlowUtils.MissingTechnicalContactException}
|
||||
* @error {@link DomainFlowUtils.MissingRegistrantException}
|
||||
* @error {@link DomainFlowUtils.NameserversNotAllowedForTldException}
|
||||
* @error {@link DomainFlowUtils.NameserversNotSpecifiedForTldWithNameserverWhitelistException}
|
||||
* @error {@link NameserversNotSpecifiedForTldWithNameserverAllowListException}
|
||||
* @error {@link DomainFlowUtils.NotAuthorizedForTldException}
|
||||
* @error {@link DomainFlowUtils.RegistrantNotAllowedException}
|
||||
* @error {@link DomainFlowUtils.SecDnsAllUsageException}
|
||||
|
|
|
@ -90,16 +90,17 @@ public final class HostInfoFlow implements Flow {
|
|||
.setLastTransferTime(host.getLastTransferTime());
|
||||
}
|
||||
return responseBuilder
|
||||
.setResData(hostInfoDataBuilder
|
||||
.setFullyQualifiedHostName(host.getHostName())
|
||||
.setRepoId(host.getRepoId())
|
||||
.setStatusValues(statusValues.build())
|
||||
.setInetAddresses(host.getInetAddresses())
|
||||
.setCreationClientId(host.getCreationClientId())
|
||||
.setCreationTime(host.getCreationTime())
|
||||
.setLastEppUpdateClientId(host.getLastEppUpdateClientId())
|
||||
.setLastEppUpdateTime(host.getLastEppUpdateTime())
|
||||
.build())
|
||||
.setResData(
|
||||
hostInfoDataBuilder
|
||||
.setFullyQualifiedHostName(host.getHostName())
|
||||
.setRepoId(host.getRepoId())
|
||||
.setStatusValues(statusValues.build())
|
||||
.setInetAddresses(host.getInetAddresses())
|
||||
.setCreationClientId(host.getCreationClientId())
|
||||
.setCreationTime(host.getCreationTime())
|
||||
.setLastEppUpdateClientId(host.getLastEppUpdateClientId())
|
||||
.setLastEppUpdateTime(host.getLastEppUpdateTime())
|
||||
.build())
|
||||
.build();
|
||||
}
|
||||
}
|
||||
|
|
|
@ -175,19 +175,21 @@ public final class HostUpdateFlow implements TransactionalFlow {
|
|||
newSuperordinateDomain.isPresent()
|
||||
? newSuperordinateDomain.get().getCurrentSponsorClientId()
|
||||
: owningResource.getPersistedCurrentSponsorClientId();
|
||||
HostResource newHost = existingHost.asBuilder()
|
||||
.setHostName(newHostName)
|
||||
.addStatusValues(add.getStatusValues())
|
||||
.removeStatusValues(remove.getStatusValues())
|
||||
.addInetAddresses(add.getInetAddresses())
|
||||
.removeInetAddresses(remove.getInetAddresses())
|
||||
.setLastEppUpdateTime(now)
|
||||
.setLastEppUpdateClientId(clientId)
|
||||
.setSuperordinateDomain(newSuperordinateDomainKey)
|
||||
.setLastSuperordinateChange(lastSuperordinateChange)
|
||||
.setLastTransferTime(lastTransferTime)
|
||||
.setPersistedCurrentSponsorClientId(newPersistedClientId)
|
||||
.build();
|
||||
HostResource newHost =
|
||||
existingHost
|
||||
.asBuilder()
|
||||
.setHostName(newHostName)
|
||||
.addStatusValues(add.getStatusValues())
|
||||
.removeStatusValues(remove.getStatusValues())
|
||||
.addInetAddresses(add.getInetAddresses())
|
||||
.removeInetAddresses(remove.getInetAddresses())
|
||||
.setLastEppUpdateTime(now)
|
||||
.setLastEppUpdateClientId(clientId)
|
||||
.setSuperordinateDomain(newSuperordinateDomainKey)
|
||||
.setLastSuperordinateChange(lastSuperordinateChange)
|
||||
.setLastTransferTime(lastTransferTime)
|
||||
.setPersistedCurrentSponsorClientId(newPersistedClientId)
|
||||
.build();
|
||||
verifyHasIpsIffIsExternal(command, existingHost, newHost);
|
||||
ImmutableSet.Builder<ImmutableObject> entitiesToSave = new ImmutableSet.Builder<>();
|
||||
entitiesToSave.add(newHost);
|
||||
|
|
|
@ -57,17 +57,17 @@ import org.joda.time.Duration;
|
|||
* <p>This includes the TLDs (Registries), Registrars, and the RegistrarContacts that can access the
|
||||
* web console.
|
||||
*
|
||||
* This class is basically a "builder" for the parameters needed to generate the OT&E entities.
|
||||
* Nothing is created until you call {@link #buildAndPersist}.
|
||||
* <p>This class is basically a "builder" for the parameters needed to generate the OT&E
|
||||
* entities. Nothing is created until you call {@link #buildAndPersist}.
|
||||
*
|
||||
* Usage example:
|
||||
* <p>Usage example:
|
||||
*
|
||||
* <pre> {@code
|
||||
* <pre>{@code
|
||||
* OteAccountBuilder.forClientId("example")
|
||||
* .addContact("contact@email.com") // OPTIONAL
|
||||
* .setPassword("password") // OPTIONAL
|
||||
* .setCertificateHash(certificateHash) // OPTIONAL
|
||||
* .setIpWhitelist(ImmutableList.of("1.1.1.1", "2.2.2.0/24")) // OPTIONAL
|
||||
* .setIpAllowList(ImmutableList.of("1.1.1.1", "2.2.2.0/24")) // OPTIONAL
|
||||
* .buildAndPersist();
|
||||
* }</pre>
|
||||
*/
|
||||
|
@ -221,11 +221,11 @@ public final class OteAccountBuilder {
|
|||
return transformRegistrars(builder -> builder.setClientCertificate(asciiCert, now));
|
||||
}
|
||||
|
||||
/** Sets the IP whitelist to all the OT&E Registrars. */
|
||||
public OteAccountBuilder setIpWhitelist(Collection<String> ipWhitelist) {
|
||||
ImmutableList<CidrAddressBlock> ipAddressWhitelist =
|
||||
ipWhitelist.stream().map(CidrAddressBlock::create).collect(toImmutableList());
|
||||
return transformRegistrars(builder -> builder.setIpAddressWhitelist(ipAddressWhitelist));
|
||||
/** Sets the IP allow list to all the OT&E Registrars. */
|
||||
public OteAccountBuilder setIpAllowList(Collection<String> ipAllowList) {
|
||||
ImmutableList<CidrAddressBlock> ipAddressAllowList =
|
||||
ipAllowList.stream().map(CidrAddressBlock::create).collect(toImmutableList());
|
||||
return transformRegistrars(builder -> builder.setIpAddressAllowList(ipAddressAllowList));
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
@ -139,7 +139,8 @@ public class DomainBase extends EppResource
|
|||
*/
|
||||
// TODO(b/158858642): Rename this to domainName when we are off Datastore
|
||||
@Column(name = "domainName")
|
||||
@Index String fullyQualifiedDomainName;
|
||||
@Index
|
||||
String fullyQualifiedDomainName;
|
||||
|
||||
/** The top level domain this is under, dernormalized from {@link #fullyQualifiedDomainName}. */
|
||||
@Index
|
||||
|
@ -680,8 +681,7 @@ public class DomainBase extends EppResource
|
|||
removeStatusValue(StatusValue.INACTIVE);
|
||||
}
|
||||
|
||||
checkArgumentNotNull(
|
||||
emptyToNull(instance.fullyQualifiedDomainName), "Missing domainName");
|
||||
checkArgumentNotNull(emptyToNull(instance.fullyQualifiedDomainName), "Missing domainName");
|
||||
if (instance.getRegistrant() == null
|
||||
&& instance.allContacts.stream().anyMatch(IS_REGISTRANT)) {
|
||||
throw new IllegalArgumentException("registrant is null but is in allContacts");
|
||||
|
|
|
@ -128,7 +128,7 @@ public enum StatusValue implements EppEnum {
|
|||
|
||||
/** Enum to help clearly list which resource types a status value is allowed to be present on. */
|
||||
private enum AllowedOn {
|
||||
ALL(ContactResource.class, DomainBase.class, HostBase.class, HostResource.class),
|
||||
ALL(ContactResource.class, DomainBase.class, HostBase.class, HostResource.class),
|
||||
NONE,
|
||||
DOMAINS(DomainBase.class);
|
||||
|
||||
|
|
|
@ -296,7 +296,9 @@ public class Registrar extends ImmutableObject
|
|||
/** Base64 encoded SHA256 hash of {@link #failoverClientCertificate}. */
|
||||
String failoverClientCertificateHash;
|
||||
|
||||
/** A whitelist of netmasks (in CIDR notation) which the client is allowed to connect from. */
|
||||
/** An allow list of netmasks (in CIDR notation) which the client is allowed to connect from. */
|
||||
// TODO: Rename to ipAddressAllowList once Cloud SQL migration is complete.
|
||||
@Column(name = "ip_address_allow_list")
|
||||
List<CidrAddressBlock> ipAddressWhitelist;
|
||||
|
||||
/** A hashed password for EPP access. The hash is a base64 encoded SHA256 string. */
|
||||
|
@ -553,7 +555,7 @@ public class Registrar extends ImmutableObject
|
|||
return failoverClientCertificateHash;
|
||||
}
|
||||
|
||||
public ImmutableList<CidrAddressBlock> getIpAddressWhitelist() {
|
||||
public ImmutableList<CidrAddressBlock> getIpAddressAllowList() {
|
||||
return nullToEmptyImmutableCopy(ipAddressWhitelist);
|
||||
}
|
||||
|
||||
|
@ -674,7 +676,7 @@ public class Registrar extends ImmutableObject
|
|||
.put("phoneNumber", phoneNumber)
|
||||
.put("phonePasscode", phonePasscode)
|
||||
.putListOfStrings("allowedTlds", getAllowedTlds())
|
||||
.putListOfStrings("ipAddressWhitelist", ipAddressWhitelist)
|
||||
.putListOfStrings("ipAddressAllowList", getIpAddressAllowList())
|
||||
.putListOfJsonObjects("contacts", getContacts())
|
||||
.put("registryLockAllowed", registryLockAllowed)
|
||||
.build();
|
||||
|
@ -853,8 +855,8 @@ public class Registrar extends ImmutableObject
|
|||
return this;
|
||||
}
|
||||
|
||||
public Builder setIpAddressWhitelist(Iterable<CidrAddressBlock> ipAddressWhitelist) {
|
||||
getInstance().ipAddressWhitelist = ImmutableList.copyOf(ipAddressWhitelist);
|
||||
public Builder setIpAddressAllowList(Iterable<CidrAddressBlock> ipAddressAllowList) {
|
||||
getInstance().ipAddressWhitelist = ImmutableList.copyOf(ipAddressAllowList);
|
||||
return this;
|
||||
}
|
||||
|
||||
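Review bot: In `toJsonMap` the key changes from `"ipAddressWhitelist"` to `"ipAddressAllowList"`, and the value changes from the raw field to `getIpAddressAllowList()`, which goes through `nullToEmptyImmutableCopy`. Consumers of this map therefore see a renamed key and, presumably, an empty list where an unset field was previously passed through as null. None of those consumers are visible in these hunks, so anything that reads or posts the old key (console front end, settings update handlers, golden test files) should be checked in the same change; a client still sending the old key could have its update to an access-control field silently ignored. A comment on the new line would record the coupling, e.g. `// Key renamed from "ipAddressWhitelist"; keep in sync with the registrar settings consumers.` The field keeps the name `ipAddressWhitelist` under `@Column(name = "ip_address_allow_list")`, which the added TODO covers.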
|
|
|
@ -431,10 +431,10 @@ public class Registry extends ImmutableObject implements Buildable {
|
|||
/** The end of the claims period (at or after this time, claims no longer applies). */
|
||||
DateTime claimsPeriodEnd = END_OF_TIME;
|
||||
|
||||
/** A whitelist of clients allowed to be used on domains on this TLD (ignored if empty). */
|
||||
/** An allow list of clients allowed to be used on domains on this TLD (ignored if empty). */
|
||||
Set<String> allowedRegistrantContactIds;
|
||||
|
||||
/** A whitelist of hosts allowed to be used on domains on this TLD (ignored if empty). */
|
||||
/** An allow list of hosts allowed to be used on domains on this TLD (ignored if empty). */
|
||||
Set<String> allowedFullyQualifiedHostNames;
|
||||
|
||||
public String getTldStr() {
|
||||
|
|
|
@ -424,8 +424,7 @@ public class RdapDomainSearchAction extends RdapSearchActionBase {
|
|||
// and fetch all domains, to make sure that we can return the first domains in alphabetical
|
||||
// order.
|
||||
ImmutableSortedSet.Builder<DomainBase> domainSetBuilder =
|
||||
ImmutableSortedSet.orderedBy(
|
||||
Comparator.comparing(DomainBase::getDomainName));
|
||||
ImmutableSortedSet.orderedBy(Comparator.comparing(DomainBase::getDomainName));
|
||||
int numHostKeysSearched = 0;
|
||||
for (List<VKey<HostResource>> chunk : Iterables.partition(hostKeys, 30)) {
|
||||
numHostKeysSearched += chunk.size();
|
||||
|
@ -444,8 +443,7 @@ public class RdapDomainSearchAction extends RdapSearchActionBase {
|
|||
Stream<DomainBase> stream = Streams.stream(query).filter(domain -> isAuthorized(domain));
|
||||
if (cursorString.isPresent()) {
|
||||
stream =
|
||||
stream.filter(
|
||||
domain -> (domain.getDomainName().compareTo(cursorString.get()) > 0));
|
||||
stream.filter(domain -> (domain.getDomainName().compareTo(cursorString.get()) > 0));
|
||||
}
|
||||
stream.forEach(domainSetBuilder::add);
|
||||
}
|
||||
|
|
|
@ -313,9 +313,7 @@ public class RdapJsonFormatter {
|
|||
// RDAP Technical Implementation Guide 3.2: must have link to the registrar's RDAP URL for this
|
||||
// domain, with rel=related.
|
||||
for (String registrarRdapBase : registrar.getRdapBaseUrls()) {
|
||||
String href =
|
||||
makeServerRelativeUrl(
|
||||
registrarRdapBase, "domain", domainBase.getDomainName());
|
||||
String href = makeServerRelativeUrl(registrarRdapBase, "domain", domainBase.getDomainName());
|
||||
builder
|
||||
.linksBuilder()
|
||||
.add(
|
||||
|
@ -409,9 +407,7 @@ public class RdapJsonFormatter {
|
|||
*/
|
||||
RdapNameserver createRdapNameserver(HostResource hostResource, OutputDataType outputDataType) {
|
||||
RdapNameserver.Builder builder = RdapNameserver.builder();
|
||||
builder
|
||||
.linksBuilder()
|
||||
.add(makeSelfLink("nameserver", hostResource.getHostName()));
|
||||
builder.linksBuilder().add(makeSelfLink("nameserver", hostResource.getHostName()));
|
||||
if (outputDataType != OutputDataType.FULL) {
|
||||
builder.remarksBuilder().add(RdapIcannStandardInformation.SUMMARY_DATA_REMARK);
|
||||
}
|
||||
|
|
|
@ -269,10 +269,7 @@ public class RdapNameserverSearchAction extends RdapSearchActionBase {
|
|||
Optional<String> newCursor = Optional.empty();
|
||||
for (HostResource host : Iterables.limit(hosts, rdapResultSetMaxSize)) {
|
||||
newCursor =
|
||||
Optional.of(
|
||||
(cursorType == CursorType.NAME)
|
||||
? host.getHostName()
|
||||
: host.getRepoId());
|
||||
Optional.of((cursorType == CursorType.NAME) ? host.getHostName() : host.getRepoId());
|
||||
builder
|
||||
.nameserverSearchResultsBuilder()
|
||||
.add(rdapJsonFormatter.createRdapNameserver(host, outputDataType));
|
||||
|
|
|
@ -60,7 +60,7 @@ import javax.inject.Inject;
|
|||
* <p>It is a "login/query/logout" system where you login using the ICANN Reporting credentials, get
|
||||
* a cookie you then send to get the list and finally logout.
|
||||
*
|
||||
* <p>For clarity, this is how one would contact this endpoint "manually", from a whitelisted IP
|
||||
* <p>For clarity, this is how one would contact this endpoint "manually", from an allow-listed IP
|
||||
* server:
|
||||
*
|
||||
* <p>$ curl [base]/login -I --user [tld]_ry:[password]
|
||||
|
|
|
@ -266,15 +266,15 @@ public final class IcannReportingUploadAction implements Runnable {
|
|||
private static final String ICANN_UPLOAD_PERMANENT_ERROR_MESSAGE =
|
||||
"A report for that month already exists, the cut-off date already passed";
|
||||
|
||||
/** Don't retry when the IP address isn't whitelisted, as retries go through the same IP. */
|
||||
private static final Pattern ICANN_UPLOAD_WHITELIST_ERROR =
|
||||
/** Don't retry when the IP address isn't allow-listed, as retries go through the same IP. */
|
||||
private static final Pattern ICANN_UPLOAD_ALLOW_LIST_ERROR =
|
||||
Pattern.compile("Your IP address .+ is not allowed to connect");
|
||||
|
||||
/** Predicate to retry uploads on IOException, so long as they aren't non-retryable errors. */
|
||||
private static boolean isUploadFailureRetryable(Throwable e) {
|
||||
return (e instanceof IOException)
|
||||
&& !e.getMessage().contains(ICANN_UPLOAD_PERMANENT_ERROR_MESSAGE)
|
||||
&& !ICANN_UPLOAD_WHITELIST_ERROR.matcher(e.getMessage()).matches();
|
||||
&& !ICANN_UPLOAD_ALLOW_LIST_ERROR.matcher(e.getMessage()).matches();
|
||||
}
|
||||
|
||||
private void emailUploadResults(ImmutableMap<String, Boolean> reportSummary) {
|
||||
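Review bot: `isUploadFailureRetryable` dereferences `e.getMessage()` twice without a null check, and an `IOException` constructed without a message returns null there, so the retry predicate itself would throw instead of answering. The two non-retryable checks are also inconsistent: the permanent-error check is a substring test, while the renamed `ICANN_UPLOAD_ALLOW_LIST_ERROR` check uses `matches()`, which requires the entire message to be `Your IP address .+ is not allowed to connect`. Whether the message ever carries surrounding text is not visible here, but if it does, the pattern will not match and the upload keeps being retried from the same rejected IP. I would read the message once with `String message = e.getMessage() == null ? "" : e.getMessage();` and test `ICANN_UPLOAD_ALLOW_LIST_ERROR.matcher(message).find()`.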
|
|
|
@ -59,13 +59,11 @@ public enum Auth {
|
|||
/**
|
||||
* Allows anyone access, as long as they use OAuth to authenticate.
|
||||
*
|
||||
* Also allows access from App Engine task-queue. Note that OAuth client ID still needs to be
|
||||
* whitelisted in the config file for OAuth-based authentication to succeed.
|
||||
* <p>Also allows access from App Engine task-queue. Note that OAuth client ID still needs to be
|
||||
* allow-listed in the config file for OAuth-based authentication to succeed.
|
||||
*/
|
||||
AUTH_PUBLIC_OR_INTERNAL(
|
||||
ImmutableList.of(AuthMethod.INTERNAL, AuthMethod.API),
|
||||
AuthLevel.APP,
|
||||
UserPolicy.PUBLIC),
|
||||
ImmutableList.of(AuthMethod.INTERNAL, AuthMethod.API), AuthLevel.APP, UserPolicy.PUBLIC),
|
||||
|
||||
/**
|
||||
* Allows only admins or App Engine task-queue access.
|
||||
|
|
|
@ -153,9 +153,9 @@ abstract class CreateOrUpdateRegistrarCommand extends MutatingCommand {
|
|||
Path failoverClientCertificateFilename;
|
||||
|
||||
@Parameter(
|
||||
names = "--ip_whitelist",
|
||||
description = "Comma-delimited list of IP ranges. An empty string clears the whitelist.")
|
||||
List<String> ipWhitelist = new ArrayList<>();
|
||||
names = "--ip_allow_list",
|
||||
description = "Comma-delimited list of IP ranges. An empty string clears the allow list.")
|
||||
List<String> ipAllowList = new ArrayList<>();
|
||||
|
||||
@Nullable
|
||||
@Parameter(
|
||||
|
@ -343,16 +343,16 @@ abstract class CreateOrUpdateRegistrarCommand extends MutatingCommand {
|
|||
}
|
||||
builder.setAllowedTlds(allowedTldsBuilder.build());
|
||||
}
|
||||
if (!ipWhitelist.isEmpty()) {
|
||||
ImmutableList.Builder<CidrAddressBlock> ipWhitelistBuilder = new ImmutableList.Builder<>();
|
||||
if (!(ipWhitelist.size() == 1 && ipWhitelist.get(0).contains("null"))) {
|
||||
for (String ipRange : ipWhitelist) {
|
||||
if (!ipAllowList.isEmpty()) {
|
||||
ImmutableList.Builder<CidrAddressBlock> ipAllowListBuilder = new ImmutableList.Builder<>();
|
||||
if (!(ipAllowList.size() == 1 && ipAllowList.get(0).contains("null"))) {
|
||||
for (String ipRange : ipAllowList) {
|
||||
if (!ipRange.isEmpty()) {
|
||||
ipWhitelistBuilder.add(CidrAddressBlock.create(ipRange));
|
||||
ipAllowListBuilder.add(CidrAddressBlock.create(ipRange));
|
||||
}
|
||||
}
|
||||
}
|
||||
builder.setIpAddressWhitelist(ipWhitelistBuilder.build());
|
||||
builder.setIpAddressAllowList(ipAllowListBuilder.build());
|
||||
}
|
||||
if (clientCertificateFilename != null) {
|
||||
String asciiCert = new String(Files.readAllBytes(clientCertificateFilename), US_ASCII);
|
||||
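Review bot: The `--ip_allow_list` description documents only the empty string as the way to clear the list, but the second hunk also treats a single entry that `contains("null")` as "clear". Because that is a substring test, any lone value with `null` in it empties the list rather than being rejected by `CidrAddressBlock.create`. Going by `validateIp` in TlsCredentials on this page, an empty list means the IP check is skipped for that registrar, so clearing loosens access control and the help text should say so: `description = "Comma-delimited list of IP ranges. An empty string or \"null\" clears the allow list, which disables the IP check for this registrar."` I would also tighten the sentinel to `ipAllowList.get(0).equals("null")`. The enclosing method starts and ends outside the hunk.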
|
|
|
@ -127,9 +127,8 @@ final class GenerateDnsReportCommand implements CommandWithRemoteApi {
|
|||
.map(InetAddress::getHostAddress)
|
||||
.sorted()
|
||||
.collect(toImmutableList());
|
||||
ImmutableMap<String, ?> map = ImmutableMap.of(
|
||||
"host", nameserver.getHostName(),
|
||||
"ips", ipAddresses);
|
||||
ImmutableMap<String, ?> map =
|
||||
ImmutableMap.of("host", nameserver.getHostName(), "ips", ipAddresses);
|
||||
writeJson(map);
|
||||
}
|
||||
|
||||
|
|
|
@ -46,10 +46,10 @@ final class SetupOteCommand extends ConfirmingCommand implements CommandWithRemo
|
|||
private String registrar;
|
||||
|
||||
@Parameter(
|
||||
names = {"-w", "--ip_whitelist"},
|
||||
names = {"-a", "--ip_allow_list"},
|
||||
description = "Comma-separated list of IP addreses or CIDR ranges.",
|
||||
required = true)
|
||||
private List<String> ipWhitelist = new ArrayList<>();
|
||||
private List<String> ipAllowList = new ArrayList<>();
|
||||
|
||||
@Parameter(
|
||||
names = {"--email"},
|
||||
|
@ -98,7 +98,7 @@ final class SetupOteCommand extends ConfirmingCommand implements CommandWithRemo
|
|||
OteAccountBuilder.forClientId(registrar)
|
||||
.addContact(email)
|
||||
.setPassword(password)
|
||||
.setIpWhitelist(ipWhitelist)
|
||||
.setIpAllowList(ipAllowList)
|
||||
.setReplaceExisting(overwrite);
|
||||
|
||||
if (certFile != null) {
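Review bot: The `@Parameter` on `ipAllowList` drops both old spellings (`-w` and `--ip_whitelist`) at once, so any existing runbook or script that sets up OT&E accounts stops parsing after this change. Because the option is `required = true`, the failure is loud rather than silent, but keeping the old names as aliases for a transition period would be gentler: `names = {"-a", "--ip_allow_list", "-w", "--ip_whitelist"},`. While touching this annotation, the description string still reads "addreses"; it should be "addresses".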
|
||||
|
|
|
@ -183,8 +183,7 @@ final class UpdateDomainCommand extends CreateOrUpdateDomainCommand {
|
|||
+ "to make updates, and if so, use the domain_unlock command to enable updates.",
|
||||
domain);
|
||||
if (!nameservers.isEmpty()) {
|
||||
ImmutableSortedSet<String> existingNameservers =
|
||||
domainBase.loadNameserverHostNames();
|
||||
ImmutableSortedSet<String> existingNameservers = domainBase.loadNameserverHostNames();
|
||||
populateAddRemoveLists(
|
||||
ImmutableSet.copyOf(nameservers),
|
||||
existingNameservers,
|
||||
|
|
|
@ -83,9 +83,7 @@ public class BackfillRegistryLocksCommand extends ConfirmingCommand
|
|||
lockedDomains =
|
||||
jpaTm().transact(() -> getLockedDomainsWithoutLocks(jpaTm().getTransactionTime()));
|
||||
ImmutableList<String> lockedDomainNames =
|
||||
lockedDomains.stream()
|
||||
.map(DomainBase::getDomainName)
|
||||
.collect(toImmutableList());
|
||||
lockedDomains.stream().map(DomainBase::getDomainName).collect(toImmutableList());
|
||||
return String.format(
|
||||
"Locked domains for which there does not exist a RegistryLock object: %s",
|
||||
lockedDomainNames);
|
||||
|
@ -112,8 +110,7 @@ public class BackfillRegistryLocksCommand extends ConfirmingCommand
|
|||
.build());
|
||||
} catch (Throwable t) {
|
||||
logger.atSevere().withCause(t).log(
|
||||
"Error when creating lock object for domain %s.",
|
||||
domainBase.getDomainName());
|
||||
"Error when creating lock object for domain %s.", domainBase.getDomainName());
|
||||
failedDomainsBuilder.add(domainBase);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -73,10 +73,12 @@ public class RemoveIpAddressCommand extends MutatingEppToolCommand {
|
|||
// Build and execute the EPP command.
|
||||
setSoyTemplate(
|
||||
RemoveIpAddressSoyInfo.getInstance(), RemoveIpAddressSoyInfo.REMOVE_IP_ADDRESS);
|
||||
addSoyRecord(registrarId, new SoyMapData(
|
||||
"name", host.getHostName(),
|
||||
"ipAddresses", ipAddresses,
|
||||
"requestedByRegistrar", registrarId));
|
||||
addSoyRecord(
|
||||
registrarId,
|
||||
new SoyMapData(
|
||||
"name", host.getHostName(),
|
||||
"ipAddresses", ipAddresses,
|
||||
"requestedByRegistrar", registrarId));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -284,12 +284,13 @@ public class GenerateZoneFilesAction implements Runnable, JsonActionRunner.JsonA
|
|||
StringBuilder result = new StringBuilder();
|
||||
String domainLabel = stripTld(domain.getDomainName(), domain.getTld());
|
||||
for (HostResource nameserver : tm().load(domain.getNameservers())) {
|
||||
result.append(String.format(
|
||||
NS_FORMAT,
|
||||
domainLabel,
|
||||
dnsDefaultNsTtl.getStandardSeconds(),
|
||||
// Load the nameservers at the export time in case they've been renamed or deleted.
|
||||
loadAtPointInTime(nameserver, exportTime).now().getHostName()));
|
||||
result.append(
|
||||
String.format(
|
||||
NS_FORMAT,
|
||||
domainLabel,
|
||||
dnsDefaultNsTtl.getStandardSeconds(),
|
||||
// Load the nameservers at the export time in case they've been renamed or deleted.
|
||||
loadAtPointInTime(nameserver, exportTime).now().getHostName()));
|
||||
}
|
||||
for (DelegationSignerData dsData : domain.getDsData()) {
|
||||
result.append(
|
||||
|
@ -319,12 +320,13 @@ public class GenerateZoneFilesAction implements Runnable, JsonActionRunner.JsonA
|
|||
for (InetAddress addr : host.getInetAddresses()) {
|
||||
// must be either IPv4 or IPv6
|
||||
String rrSetClass = (addr instanceof Inet4Address) ? "A" : "AAAA";
|
||||
result.append(String.format(
|
||||
A_FORMAT,
|
||||
stripTld(host.getHostName(), tld),
|
||||
dnsDefaultATtl.getStandardSeconds(),
|
||||
rrSetClass,
|
||||
addr.getHostAddress()));
|
||||
result.append(
|
||||
String.format(
|
||||
A_FORMAT,
|
||||
stripTld(host.getHostName(), tld),
|
||||
dnsDefaultATtl.getStandardSeconds(),
|
||||
rrSetClass,
|
||||
addr.getHostAddress()));
|
||||
}
|
||||
return result.toString();
|
||||
}
|
||||
|
|
|
@ -158,8 +158,8 @@ public final class RegistrarFormFields {
|
|||
FormFields.MIN_TOKEN.asBuilderNamed("url")
|
||||
.build();
|
||||
|
||||
public static final FormField<List<String>, List<CidrAddressBlock>> IP_ADDRESS_WHITELIST_FIELD =
|
||||
FormField.named("ipAddressWhitelist")
|
||||
public static final FormField<List<String>, List<CidrAddressBlock>> IP_ADDRESS_ALLOW_LIST_FIELD =
|
||||
FormField.named("ipAddressAllowList")
|
||||
.emptyToNull()
|
||||
.transform(CidrAddressBlock.class, RegistrarFormFields::parseCidr)
|
||||
.asList()
|
||||
|
|
|
@ -302,8 +302,8 @@ public class RegistrarSettingsAction implements Runnable, JsonActionRunner.JsonA
|
|||
RegistrarFormFields.L10N_ADDRESS_FIELD.extractUntyped(args).orElse(null));
|
||||
|
||||
// Security
|
||||
builder.setIpAddressWhitelist(
|
||||
RegistrarFormFields.IP_ADDRESS_WHITELIST_FIELD
|
||||
builder.setIpAddressAllowList(
|
||||
RegistrarFormFields.IP_ADDRESS_ALLOW_LIST_FIELD
|
||||
.extractUntyped(args)
|
||||
.orElse(ImmutableList.of()));
|
||||
RegistrarFormFields.CLIENT_CERTIFICATE_FIELD
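Review bot: A request that still carries the old key `ipAddressWhitelist` now falls through `.orElse(ImmutableList.of())` and stores an empty allow list, because `IP_ADDRESS_ALLOW_LIST_FIELD` is looked up only under the new name `ipAddressAllowList` (renamed in RegistrarFormFields in this same commit). If an empty list means "no IP restriction" at login, which these lines do not show, a stale console bundle or API client could silently remove a registrar's IP restriction during rollout. Assuming `args` is the request map, I would reject the old key explicitly before building, e.g. `checkArgument(!args.containsKey("ipAddressWhitelist"), "ipAddressWhitelist was renamed to ipAddressAllowList");`, and add a test for that case. The enclosing method starts and ends outside this hunk.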
|
||||
|
|
|
@ -88,9 +88,7 @@ final class DomainWhoisResponse extends WhoisResponseImpl {
|
|||
.findFirst();
|
||||
return WhoisResponseResults.create(
|
||||
new DomainEmitter()
|
||||
.emitField(
|
||||
"Domain Name",
|
||||
maybeFormatHostname(domain.getDomainName(), preferUnicode))
|
||||
.emitField("Domain Name", maybeFormatHostname(domain.getDomainName(), preferUnicode))
|
||||
.emitField("Registry Domain ID", domain.getRepoId())
|
||||
.emitField("Registrar WHOIS Server", registrar.getWhoisServer())
|
||||
.emitField("Registrar URL", registrar.getUrl())
|
||||
|
|
|
@ -51,8 +51,7 @@ final class NameserverLookupByIpCommand implements WhoisCommand {
|
|||
Streams.stream(queryNotDeleted(HostResource.class, now, "inetAddresses", ipAddress))
|
||||
.filter(
|
||||
host ->
|
||||
Registries.findTldForName(
|
||||
InternetDomainName.from(host.getHostName()))
|
||||
Registries.findTldForName(InternetDomainName.from(host.getHostName()))
|
||||
.isPresent())
|
||||
.collect(toImmutableList());
|
||||
if (hosts.isEmpty()) {
|
||||
|
|
|
@ -56,8 +56,7 @@ final class NameserverWhoisResponse extends WhoisResponseImpl {
|
|||
Optional<Registrar> registrar = Registrar.loadByClientIdCached(clientId);
|
||||
checkState(registrar.isPresent(), "Could not load registrar %s", clientId);
|
||||
emitter
|
||||
.emitField(
|
||||
"Server Name", maybeFormatHostname(host.getHostName(), preferUnicode))
|
||||
.emitField("Server Name", maybeFormatHostname(host.getHostName(), preferUnicode))
|
||||
.emitSet("IP Address", host.getInetAddresses(), InetAddresses::toAddrString)
|
||||
.emitField("Registrar", registrar.get().getRegistrarName())
|
||||
.emitField("Registrar WHOIS Server", registrar.get().getWhoisServer())
|
||||
|
|
|
@ -140,7 +140,7 @@ registry.json.Response.prototype.results;
|
|||
* driveFolderId: string?,
|
||||
* ianaIdentifier: (number?|undefined),
|
||||
* icannReferralEmail: string,
|
||||
* ipAddressWhitelist: !Array<string>,
|
||||
* ipAddressAllowList: !Array<string>,
|
||||
* emailAddress: (string?|undefined),
|
||||
* lastUpdateTime: string,
|
||||
* url: (string?|undefined),
|
||||
|
|
|
@ -64,8 +64,8 @@ registry.registrar.SecuritySettings.prototype.setupEditor =
|
|||
goog.events.EventType.CLICK,
|
||||
goog.bind(this.onIpRemove_, this, remBtn));
|
||||
}, this);
|
||||
this.typeCounts['reg-ips'] = objArgs.ipAddressWhitelist ?
|
||||
objArgs.ipAddressWhitelist.length : 0;
|
||||
this.typeCounts['reg-ips'] = objArgs.ipAddressAllowList ?
|
||||
objArgs.ipAddressAllowList.length : 0;
|
||||
|
||||
goog.events.listen(goog.dom.getRequiredElement('btn-add-ip'),
|
||||
goog.events.EventType.CLICK,
|
||||
|
@ -82,7 +82,7 @@ registry.registrar.SecuritySettings.prototype.setupEditor =
|
|||
registry.registrar.SecuritySettings.prototype.onIpAdd_ = function() {
|
||||
var ipInputElt = goog.dom.getRequiredElement('newIp');
|
||||
var ipElt = goog.soy.renderAsFragment(registry.soy.registrar.security.ip, {
|
||||
name: 'ipAddressWhitelist[' + this.typeCounts['reg-ips'] + ']',
|
||||
name: 'ipAddressAllowList[' + this.typeCounts['reg-ips'] + ']',
|
||||
ip: ipInputElt.value
|
||||
});
|
||||
goog.dom.appendChild(goog.dom.getRequiredElement('ips'), ipElt);
|
||||
|
|
|
@ -849,7 +849,7 @@ soy.$$escapeHtml = function(value) {
|
|||
*
|
||||
* @param {?} value The string-like value to be escaped. May not be a string,
|
||||
* but the value will be coerced to a string.
|
||||
* @param {Array<string>=} opt_safeTags Additional tag names to whitelist.
|
||||
* @param {Array<string>=} opt_safeTags Additional tag names to allow-list.
|
||||
* @return {!goog.soy.data.SanitizedHtml} A sanitized and normalized version of
|
||||
* value.
|
||||
*/
|
||||
|
@ -858,15 +858,15 @@ soy.$$cleanHtml = function(value, opt_safeTags) {
|
|||
goog.asserts.assert(value.constructor === goog.soy.data.SanitizedHtml);
|
||||
return /** @type {!goog.soy.data.SanitizedHtml} */ (value);
|
||||
}
|
||||
var tagWhitelist;
|
||||
var tagAllowList;
|
||||
if (opt_safeTags) {
|
||||
tagWhitelist = goog.object.createSet(opt_safeTags);
|
||||
goog.object.extend(tagWhitelist, soy.esc.$$SAFE_TAG_WHITELIST_);
|
||||
tagAllowList = goog.object.createSet(opt_safeTags);
|
||||
goog.object.extend(tagAllowList, soy.esc.$$SAFE_TAG_ALLOW_LIST_);
|
||||
} else {
|
||||
tagWhitelist = soy.esc.$$SAFE_TAG_WHITELIST_;
|
||||
tagAllowList = soy.esc.$$SAFE_TAG_ALLOW_LIST_;
|
||||
}
|
||||
return soydata.VERY_UNSAFE.ordainSanitizedHtml(
|
||||
soy.$$stripHtmlTags(value, tagWhitelist), soydata.getContentDir(value));
|
||||
soy.$$stripHtmlTags(value, tagAllowList), soydata.getContentDir(value));
|
||||
};
|
||||
|
||||
|
||||
|
@ -925,19 +925,19 @@ soy.$$HTML5_VOID_ELEMENTS_ = new RegExp(
|
|||
|
||||
/**
|
||||
* Removes HTML tags from a string of known safe HTML.
|
||||
* If opt_tagWhitelist is not specified or is empty, then
|
||||
* If opt_tagAllowList is not specified or is empty, then
|
||||
* the result can be used as an attribute value.
|
||||
*
|
||||
* @param {*} value The HTML to be escaped. May not be a string, but the
|
||||
* value will be coerced to a string.
|
||||
* @param {Object<string, boolean>=} opt_tagWhitelist Has an own property whose
|
||||
* @param {Object<string, boolean>=} opt_tagAllowList Has an own property whose
|
||||
* name is a lower-case tag name and whose value is `1` for
|
||||
* each element that is allowed in the output.
|
||||
* @return {string} A representation of value without disallowed tags,
|
||||
* HTML comments, or other non-text content.
|
||||
*/
|
||||
soy.$$stripHtmlTags = function(value, opt_tagWhitelist) {
|
||||
if (!opt_tagWhitelist) {
|
||||
soy.$$stripHtmlTags = function(value, opt_tagAllowList) {
|
||||
if (!opt_tagAllowList) {
|
||||
// If we have no white-list, then use a fast track which elides all tags.
|
||||
return String(value)
|
||||
.replace(soy.esc.$$HTML_TAG_REGEX_, '')
|
||||
|
@ -952,7 +952,7 @@ soy.$$stripHtmlTags = function(value, opt_tagWhitelist) {
|
|||
// have been removed.
|
||||
var html = String(value).replace(/\[/g, '[');
|
||||
|
||||
// Consider all uses of '<' and replace whitelisted tags with markers like
|
||||
// Consider all uses of '<' and replace allow-listed tags with markers like
|
||||
// [1] which are indices into a list of approved tag names.
|
||||
// Replace all other uses of < and > with entities.
|
||||
var tags = [];
|
||||
|
@ -960,8 +960,8 @@ soy.$$stripHtmlTags = function(value, opt_tagWhitelist) {
|
|||
html = html.replace(soy.esc.$$HTML_TAG_REGEX_, function(tok, tagName) {
|
||||
if (tagName) {
|
||||
tagName = tagName.toLowerCase();
|
||||
if (opt_tagWhitelist.hasOwnProperty(tagName) &&
|
||||
opt_tagWhitelist[tagName]) {
|
||||
if (opt_tagAllowList.hasOwnProperty(tagName) &&
|
||||
opt_tagAllowList[tagName]) {
|
||||
var isClose = tok.charAt(1) == '/';
|
||||
var index = tags.length;
|
||||
var start = '</';
|
||||
|
@ -2433,7 +2433,7 @@ soy.esc.$$LT_REGEX_ = /</g;
|
|||
*
|
||||
* @private {!Object<string, boolean>}
|
||||
*/
|
||||
soy.esc.$$SAFE_TAG_WHITELIST_ = {
|
||||
soy.esc.$$SAFE_TAG_ALLOW_LIST_ = {
|
||||
'b': true,
|
||||
'br': true,
|
||||
'em': true,
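Review bot: The rename in `soy.$$stripHtmlTags` misses one comment: `// If we have no white-list, then use a fast track which elides all tags.` still uses the old term although the parameter it describes is now `opt_tagAllowList`. Suggested wording: `// If we have no allow list, then use a fast track which elides all tags.` If this file is a vendored copy of a templating runtime, which the page does not confirm, the local rename of `soy.esc.$$SAFE_TAG_ALLOW_LIST_` will have to be reapplied on every upstream sync, and a missed reapply in this sanitizer path would be easy to overlook.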
|
||||
|
|
|
@ -89,7 +89,7 @@
|
|||
</td>
|
||||
</table>
|
||||
Gave <label>{$contactEmail}</label> web-console access to these registrars.
|
||||
<h1>Don't forget to set the <label>Certificate</label> and <label>IP-whitelist</label> for these Registrars!</h1>
|
||||
<h1>Don't forget to set the <label>Certificate</label> and <label>IP allow list</label> for these Registrars!</h1>
|
||||
Links to the security page for your convenience:<br>
|
||||
{for $clientId in mapKeys($clientIdToTld)}
|
||||
<a href="/registrar?clientId={$clientId}#security-settings" target="_blank">{$clientId}</a><br>
|
||||
|
|
|
@ -132,7 +132,7 @@
|
|||
<a href="/registrar?clientId={$clientId}#whois-settings" target="_blank">WHOIS page</a>
|
||||
<li>allowed TLDs on the {sp}
|
||||
<a href="/registrar?clientId={$clientId}#admin-settings" target="_blank">admin page</a>
|
||||
<li>certificate, IP whitelist on the {sp}
|
||||
<li>certificate, IP allow list on the {sp}
|
||||
<a href="/registrar?clientId={$clientId}#security-settings" target="_blank">security page</a>
|
||||
</ol>
|
||||
</span>
|
||||
|
|
|
@ -17,7 +17,7 @@
|
|||
|
||||
/** Registrar security settings page for view and edit. */
|
||||
{template .settings}
|
||||
{@param ipAddressWhitelist: list<string>}
|
||||
{@param ipAddressAllowList: list<string>}
|
||||
{@param? phonePasscode: string}
|
||||
{@param? clientCertificate: string}
|
||||
{@param? clientCertificateHash: string}
|
||||
|
@ -36,7 +36,7 @@
|
|||
|
||||
<tr class="{css('kd-settings-pane-section')}">
|
||||
<td>
|
||||
<label class="{css('setting-label')}">IP whitelist</label>
|
||||
<label class="{css('setting-label')}">IP allow list</label>
|
||||
<span class="{css('description')}">Restrict access to EPP
|
||||
production servers to the following IP/IPv6 addresses, or
|
||||
ranges like 1.1.1.0/24</span>
|
||||
|
@ -44,9 +44,9 @@
|
|||
<td class="{css('setting')}">
|
||||
<div class="{css('info')} {css('summary')}">
|
||||
<div id="ips">
|
||||
{for $ip in $ipAddressWhitelist}
|
||||
{for $ip in $ipAddressAllowList}
|
||||
{call .ip}
|
||||
{param name: 'ipAddressWhitelist[' + index($ip) + ']' /}
|
||||
{param name: 'ipAddressAllowList[' + index($ip) + ']' /}
|
||||
{param ip: $ip /}
|
||||
{/call}
|
||||
{/for}
|
||||
|
|
|
@ -90,16 +90,17 @@ public class ExpandRecurringBillingEventsActionTest
|
|||
domain = persistResource(newDomainBase("example.tld").asBuilder()
|
||||
.setCreationTimeForTest(DateTime.parse("1999-01-05T00:00:00Z")).build());
|
||||
historyEntry = persistResource(new HistoryEntry.Builder().setParent(domain).build());
|
||||
recurring = new BillingEvent.Recurring.Builder()
|
||||
.setParent(historyEntry)
|
||||
.setClientId(domain.getCreationClientId())
|
||||
.setEventTime(DateTime.parse("2000-01-05T00:00:00Z"))
|
||||
.setFlags(ImmutableSet.of(Flag.AUTO_RENEW))
|
||||
.setId(2L)
|
||||
.setReason(Reason.RENEW)
|
||||
.setRecurrenceEndTime(END_OF_TIME)
|
||||
.setTargetId(domain.getDomainName())
|
||||
.build();
|
||||
recurring =
|
||||
new BillingEvent.Recurring.Builder()
|
||||
.setParent(historyEntry)
|
||||
.setClientId(domain.getCreationClientId())
|
||||
.setEventTime(DateTime.parse("2000-01-05T00:00:00Z"))
|
||||
.setFlags(ImmutableSet.of(Flag.AUTO_RENEW))
|
||||
.setId(2L)
|
||||
.setReason(Reason.RENEW)
|
||||
.setRecurrenceEndTime(END_OF_TIME)
|
||||
.setTargetId(domain.getDomainName())
|
||||
.build();
|
||||
}
|
||||
|
||||
private void saveCursor(final DateTime cursorTime) {
|
||||
|
@ -179,26 +180,29 @@ public class ExpandRecurringBillingEventsActionTest
|
|||
DateTime deletionTime = DateTime.parse("2000-08-01T00:00:00Z");
|
||||
DomainBase deletedDomain = persistDeletedDomain("deleted.tld", deletionTime);
|
||||
historyEntry = persistResource(new HistoryEntry.Builder().setParent(deletedDomain).build());
|
||||
recurring = persistResource(new BillingEvent.Recurring.Builder()
|
||||
.setParent(historyEntry)
|
||||
.setClientId(deletedDomain.getCreationClientId())
|
||||
.setEventTime(DateTime.parse("2000-01-05T00:00:00Z"))
|
||||
.setFlags(ImmutableSet.of(Flag.AUTO_RENEW))
|
||||
.setId(2L)
|
||||
.setReason(Reason.RENEW)
|
||||
.setRecurrenceEndTime(deletionTime)
|
||||
.setTargetId(deletedDomain.getDomainName())
|
||||
.build());
|
||||
recurring =
|
||||
persistResource(
|
||||
new BillingEvent.Recurring.Builder()
|
||||
.setParent(historyEntry)
|
||||
.setClientId(deletedDomain.getCreationClientId())
|
||||
.setEventTime(DateTime.parse("2000-01-05T00:00:00Z"))
|
||||
.setFlags(ImmutableSet.of(Flag.AUTO_RENEW))
|
||||
.setId(2L)
|
||||
.setReason(Reason.RENEW)
|
||||
.setRecurrenceEndTime(deletionTime)
|
||||
.setTargetId(deletedDomain.getDomainName())
|
||||
.build());
|
||||
action.cursorTimeParam = Optional.of(START_OF_TIME);
|
||||
runMapreduce();
|
||||
HistoryEntry persistedEntry = getOnlyHistoryEntryOfType(deletedDomain, DOMAIN_AUTORENEW);
|
||||
assertHistoryEntryMatches(
|
||||
deletedDomain, persistedEntry, "TheRegistrar", DateTime.parse("2000-02-19T00:00:00Z"),
|
||||
true);
|
||||
BillingEvent.OneTime expected = defaultOneTimeBuilder()
|
||||
.setParent(persistedEntry)
|
||||
.setTargetId(deletedDomain.getDomainName())
|
||||
.build();
|
||||
BillingEvent.OneTime expected =
|
||||
defaultOneTimeBuilder()
|
||||
.setParent(persistedEntry)
|
||||
.setTargetId(deletedDomain.getDomainName())
|
||||
.build();
|
||||
assertBillingEventsForResource(deletedDomain, expected, recurring);
|
||||
assertCursorAt(beginningOfTest);
|
||||
}
|
||||
|
|
|
@ -282,7 +282,7 @@ public class SyncRegistrarsSheetTest {
|
|||
assertThat(row.get("lastUpdateTime")).isEqualTo(beforeExecution.toString());
|
||||
assertThat(row).containsEntry("allowedTlds", "example");
|
||||
assertThat(row).containsEntry("blockPremiumNames", "false");
|
||||
assertThat(row).containsEntry("ipAddressWhitelist", "");
|
||||
assertThat(row).containsEntry("ipAddressAllowList", "");
|
||||
assertThat(row).containsEntry("url", "http://www.example.org/aaa_registrar");
|
||||
assertThat(row).containsEntry("icannReferralEmail", "");
|
||||
assertThat(row).containsEntry("whoisServer", getDefaultRegistrarWhoisServer());
|
||||
|
@ -317,7 +317,7 @@ public class SyncRegistrarsSheetTest {
|
|||
assertThat(row).containsEntry("allowedTlds", "");
|
||||
assertThat(row).containsEntry("whoisServer", "whois.example.com");
|
||||
assertThat(row).containsEntry("blockPremiumNames", "false");
|
||||
assertThat(row).containsEntry("ipAddressWhitelist", "");
|
||||
assertThat(row).containsEntry("ipAddressAllowList", "");
|
||||
assertThat(row).containsEntry("url", "http://www.example.org/another_registrar");
|
||||
assertThat(row).containsEntry("referralUrl", "http://www.example.org/another_registrar");
|
||||
assertThat(row).containsEntry("icannReferralEmail", "jim@example.net");
|
||||
|
@ -361,7 +361,7 @@ public class SyncRegistrarsSheetTest {
|
|||
assertThat(row).containsEntry("allowedTlds", "");
|
||||
assertThat(row).containsEntry("whoisServer", getDefaultRegistrarWhoisServer());
|
||||
assertThat(row).containsEntry("blockPremiumNames", "false");
|
||||
assertThat(row).containsEntry("ipAddressWhitelist", "");
|
||||
assertThat(row).containsEntry("ipAddressAllowList", "");
|
||||
assertThat(row).containsEntry("url", "");
|
||||
assertThat(row).containsEntry("referralUrl", "");
|
||||
assertThat(row).containsEntry("icannReferralEmail", "");
|
||||
|
|
|
@ -117,7 +117,7 @@ import google.registry.flows.domain.DomainFlowUtils.MissingContactTypeException;
|
|||
import google.registry.flows.domain.DomainFlowUtils.MissingRegistrantException;
|
||||
import google.registry.flows.domain.DomainFlowUtils.MissingTechnicalContactException;
|
||||
import google.registry.flows.domain.DomainFlowUtils.NameserversNotAllowedForTldException;
|
||||
import google.registry.flows.domain.DomainFlowUtils.NameserversNotSpecifiedForTldWithNameserverWhitelistException;
|
||||
import google.registry.flows.domain.DomainFlowUtils.NameserversNotSpecifiedForTldWithNameserverAllowListException;
|
||||
import google.registry.flows.domain.DomainFlowUtils.NotAuthorizedForTldException;
|
||||
import google.registry.flows.domain.DomainFlowUtils.PremiumNameBlockedException;
|
||||
import google.registry.flows.domain.DomainFlowUtils.RegistrantNotAllowedException;
|
||||
|
@ -1445,10 +1445,7 @@ public class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow,
|
|||
.setResponseData(
|
||||
ImmutableList.of(
|
||||
DomainPendingActionNotificationResponse.create(
|
||||
domain.getDomainName(),
|
||||
true,
|
||||
historyEntry.getTrid(),
|
||||
clock.nowUtc())))
|
||||
domain.getDomainName(), true, historyEntry.getTrid(), clock.nowUtc())))
|
||||
.setId(1L)
|
||||
.build());
|
||||
}
|
||||
|
@ -2019,7 +2016,7 @@ public class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow,
|
|||
}
|
||||
|
||||
@Test
|
||||
public void testFailure_registrantNotWhitelisted() {
|
||||
public void testFailure_registrantNotAllowListed() {
|
||||
persistActiveContact("someone");
|
||||
persistContactsAndHosts();
|
||||
persistResource(
|
||||
|
@ -2033,7 +2030,7 @@ public class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow,
|
|||
}
|
||||
|
||||
@Test
|
||||
public void testFailure_nameserverNotWhitelisted() {
|
||||
public void testFailure_nameserverNotAllowListed() {
|
||||
persistContactsAndHosts();
|
||||
persistResource(
|
||||
Registry.get("tld")
|
||||
|
@ -2046,7 +2043,7 @@ public class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow,
|
|||
}
|
||||
|
||||
@Test
|
||||
public void testFailure_emptyNameserverFailsWhitelist() {
|
||||
public void testFailure_emptyNameserverFailsAllowList() {
|
||||
setEppInput("domain_create_no_hosts_or_dsdata.xml", ImmutableMap.of("DOMAIN", "example.tld"));
|
||||
persistResource(
|
||||
Registry.get("tld")
|
||||
|
@ -2056,12 +2053,12 @@ public class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow,
|
|||
persistContactsAndHosts();
|
||||
EppException thrown =
|
||||
assertThrows(
|
||||
NameserversNotSpecifiedForTldWithNameserverWhitelistException.class, this::runFlow);
|
||||
NameserversNotSpecifiedForTldWithNameserverAllowListException.class, this::runFlow);
|
||||
assertAboutEppExceptions().that(thrown).marshalsToXml();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_nameserverAndRegistrantWhitelisted() throws Exception {
|
||||
public void testSuccess_nameserverAndRegistrantAllowListed() throws Exception {
|
||||
persistResource(
|
||||
Registry.get("tld")
|
||||
.asBuilder()
|
||||
|
|
|
@ -781,8 +781,7 @@ public class DomainDeleteFlowTest extends ResourceFlowTestCase<DomainDeleteFlow,
|
|||
.asBuilder()
|
||||
.setSuperordinateDomain(reloadResourceByForeignKey().createVKey())
|
||||
.build());
|
||||
persistResource(
|
||||
domain.asBuilder().addSubordinateHost(subordinateHost.getHostName()).build());
|
||||
persistResource(domain.asBuilder().addSubordinateHost(subordinateHost.getHostName()).build());
|
||||
EppException thrown = assertThrows(DomainToDeleteHasHostsException.class, this::runFlow);
|
||||
assertAboutEppExceptions().that(thrown).marshalsToXml();
|
||||
}
|
||||
|
|
|
@ -137,9 +137,7 @@ public class DomainInfoFlowTest extends ResourceFlowTestCase<DomainInfoFlow, Dom
|
|||
persistResource(
|
||||
domain
|
||||
.asBuilder()
|
||||
.setSubordinateHosts(
|
||||
ImmutableSet.of(
|
||||
host1.getHostName(), host3.getHostName()))
|
||||
.setSubordinateHosts(ImmutableSet.of(host1.getHostName(), host3.getHostName()))
|
||||
.build());
|
||||
}
|
||||
|
||||
|
|
|
@ -120,10 +120,7 @@ public class DomainTransferFlowTestCase<F extends Flow, R extends EppResource>
|
|||
.build());
|
||||
domain =
|
||||
persistResource(
|
||||
domain
|
||||
.asBuilder()
|
||||
.addSubordinateHost(subordinateHost.getHostName())
|
||||
.build());
|
||||
domain.asBuilder().addSubordinateHost(subordinateHost.getHostName()).build());
|
||||
historyEntryDomainCreate = getOnlyHistoryEntryOfType(domain, DOMAIN_CREATE);
|
||||
}
|
||||
|
||||
|
|
|
@ -67,7 +67,7 @@ import google.registry.flows.domain.DomainFlowUtils.MissingContactTypeException;
|
|||
import google.registry.flows.domain.DomainFlowUtils.MissingRegistrantException;
|
||||
import google.registry.flows.domain.DomainFlowUtils.MissingTechnicalContactException;
|
||||
import google.registry.flows.domain.DomainFlowUtils.NameserversNotAllowedForTldException;
|
||||
import google.registry.flows.domain.DomainFlowUtils.NameserversNotSpecifiedForTldWithNameserverWhitelistException;
|
||||
import google.registry.flows.domain.DomainFlowUtils.NameserversNotSpecifiedForTldWithNameserverAllowListException;
|
||||
import google.registry.flows.domain.DomainFlowUtils.NotAuthorizedForTldException;
|
||||
import google.registry.flows.domain.DomainFlowUtils.RegistrantNotAllowedException;
|
||||
import google.registry.flows.domain.DomainFlowUtils.SecDnsAllUsageException;
|
||||
|
@ -1156,7 +1156,7 @@ public class DomainUpdateFlowTest extends ResourceFlowTestCase<DomainUpdateFlow,
|
|||
}
|
||||
|
||||
@Test
|
||||
public void testFailure_newRegistrantNotWhitelisted() throws Exception {
|
||||
public void testFailure_newRegistrantNotAllowListed() throws Exception {
|
||||
persistReferencedEntities();
|
||||
persistDomain();
|
||||
persistResource(
|
||||
|
@ -1186,11 +1186,11 @@ public class DomainUpdateFlowTest extends ResourceFlowTestCase<DomainUpdateFlow,
|
|||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_newNameserverWhitelisted() throws Exception {
|
||||
public void testSuccess_newNameserverAllowListed() throws Exception {
|
||||
setEppInput("domain_update_add_nameserver.xml");
|
||||
persistReferencedEntities();
|
||||
persistDomain();
|
||||
// No registrant is given but both nameserver and registrant whitelist exist.
|
||||
// No registrant is given but both nameserver and registrant allow list exist.
|
||||
persistResource(
|
||||
Registry.get("tld")
|
||||
.asBuilder()
|
||||
|
@ -1212,11 +1212,11 @@ public class DomainUpdateFlowTest extends ResourceFlowTestCase<DomainUpdateFlow,
|
|||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_changeRegistrantWhitelisted() throws Exception {
|
||||
public void testSuccess_changeRegistrantAllowListed() throws Exception {
|
||||
setEppInput("domain_update_registrant.xml");
|
||||
persistReferencedEntities();
|
||||
persistDomain();
|
||||
// Only changes registrant, with both nameserver and registrant whitelist on the TLD.
|
||||
// Only changes registrant, with both nameserver and registrant allow list on the TLD.
|
||||
persistResource(
|
||||
Registry.get("tld")
|
||||
.asBuilder()
|
||||
|
@ -1256,7 +1256,7 @@ public class DomainUpdateFlowTest extends ResourceFlowTestCase<DomainUpdateFlow,
|
|||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_nameserverAndRegistrantWhitelisted() throws Exception {
|
||||
public void testSuccess_nameserverAndRegistrantAllowListed() throws Exception {
|
||||
persistReferencedEntities();
|
||||
persistDomain();
|
||||
persistResource(
|
||||
|
@ -1269,7 +1269,7 @@ public class DomainUpdateFlowTest extends ResourceFlowTestCase<DomainUpdateFlow,
|
|||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_tldWithNameserverWhitelist_removeNameserver() throws Exception {
|
||||
public void testSuccess_tldWithNameserverAllowList_removeNameserver() throws Exception {
|
||||
setEppInput("domain_update_remove_nameserver.xml");
|
||||
persistReferencedEntities();
|
||||
persistDomain();
|
||||
|
@ -1301,7 +1301,7 @@ public class DomainUpdateFlowTest extends ResourceFlowTestCase<DomainUpdateFlow,
|
|||
}
|
||||
|
||||
@Test
|
||||
public void testFailure_tldWithNameserverWhitelist_removeLastNameserver() throws Exception {
|
||||
public void testFailure_tldWithNameserverAllowList_removeLastNameserver() throws Exception {
|
||||
persistReferencedEntities();
|
||||
persistDomain();
|
||||
setEppInput("domain_update_remove_nameserver.xml");
|
||||
|
@ -1312,7 +1312,7 @@ public class DomainUpdateFlowTest extends ResourceFlowTestCase<DomainUpdateFlow,
|
|||
.build());
|
||||
EppException thrown =
|
||||
assertThrows(
|
||||
NameserversNotSpecifiedForTldWithNameserverWhitelistException.class, this::runFlow);
|
||||
NameserversNotSpecifiedForTldWithNameserverAllowListException.class, this::runFlow);
|
||||
assertAboutEppExceptions().that(thrown).marshalsToXml();
|
||||
}
|
||||
|
||||
|
|
|
@ -42,8 +42,8 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
|
|||
protected Registrar.Builder getRegistrarBuilder() {
|
||||
return super.getRegistrarBuilder()
|
||||
.setClientCertificateHash(GOOD_CERT)
|
||||
.setIpAddressWhitelist(ImmutableList.of(
|
||||
CidrAddressBlock.create(InetAddresses.forString(GOOD_IP.get()), 32)));
|
||||
.setIpAddressAllowList(
|
||||
ImmutableList.of(CidrAddressBlock.create(InetAddresses.forString(GOOD_IP.get()), 32)));
|
||||
}
|
||||
|
||||
@Test
|
||||
|
@ -57,8 +57,8 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
|
|||
public void testSuccess_withGoodCredentialsIpv6() throws Exception {
|
||||
persistResource(
|
||||
getRegistrarBuilder()
|
||||
.setIpAddressWhitelist(ImmutableList.of(
|
||||
CidrAddressBlock.create("2001:db8:0:0:0:0:1:1/32")))
|
||||
.setIpAddressAllowList(
|
||||
ImmutableList.of(CidrAddressBlock.create("2001:db8:0:0:0:0:1:1/32")))
|
||||
.build());
|
||||
credentials = new TlsCredentials(true, GOOD_CERT, GOOD_IPV6);
|
||||
doSuccessfulTest("login_valid.xml");
|
||||
|
@ -68,8 +68,8 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
|
|||
public void testSuccess_withIpv6AddressInSubnet() throws Exception {
|
||||
persistResource(
|
||||
getRegistrarBuilder()
|
||||
.setIpAddressWhitelist(ImmutableList.of(
|
||||
CidrAddressBlock.create("2001:db8:0:0:0:0:1:1/32")))
|
||||
.setIpAddressAllowList(
|
||||
ImmutableList.of(CidrAddressBlock.create("2001:db8:0:0:0:0:1:1/32")))
|
||||
.build());
|
||||
credentials = new TlsCredentials(true, GOOD_CERT, GOOD_IPV6);
|
||||
doSuccessfulTest("login_valid.xml");
|
||||
|
@ -79,8 +79,7 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
|
|||
public void testSuccess_withIpv4AddressInSubnet() throws Exception {
|
||||
persistResource(
|
||||
getRegistrarBuilder()
|
||||
.setIpAddressWhitelist(ImmutableList.of(
|
||||
CidrAddressBlock.create("192.168.1.255/24")))
|
||||
.setIpAddressAllowList(ImmutableList.of(CidrAddressBlock.create("192.168.1.255/24")))
|
||||
.build());
|
||||
credentials = new TlsCredentials(true, GOOD_CERT, GOOD_IP);
|
||||
doSuccessfulTest("login_valid.xml");
|
||||
|
@ -104,9 +103,10 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
|
|||
public void testFailure_missingClientIpAddress() {
|
||||
persistResource(
|
||||
getRegistrarBuilder()
|
||||
.setIpAddressWhitelist(ImmutableList.of(
|
||||
CidrAddressBlock.create(InetAddresses.forString("192.168.1.1"), 32),
|
||||
CidrAddressBlock.create(InetAddresses.forString("2001:db8::1"), 128)))
|
||||
.setIpAddressAllowList(
|
||||
ImmutableList.of(
|
||||
CidrAddressBlock.create(InetAddresses.forString("192.168.1.1"), 32),
|
||||
CidrAddressBlock.create(InetAddresses.forString("2001:db8::1"), 128)))
|
||||
.build());
|
||||
credentials = new TlsCredentials(true, GOOD_CERT, Optional.empty());
|
||||
doFailingTest("login_valid.xml", BadRegistrarIpAddressException.class);
|
||||
|
@ -116,9 +116,10 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
|
|||
public void testFailure_incorrectClientIpv4Address() {
|
||||
persistResource(
|
||||
getRegistrarBuilder()
|
||||
.setIpAddressWhitelist(ImmutableList.of(
|
||||
CidrAddressBlock.create(InetAddresses.forString("192.168.1.1"), 32),
|
||||
CidrAddressBlock.create(InetAddresses.forString("2001:db8::1"), 128)))
|
||||
.setIpAddressAllowList(
|
||||
ImmutableList.of(
|
||||
CidrAddressBlock.create(InetAddresses.forString("192.168.1.1"), 32),
|
||||
CidrAddressBlock.create(InetAddresses.forString("2001:db8::1"), 128)))
|
||||
.build());
|
||||
credentials = new TlsCredentials(true, GOOD_CERT, BAD_IP);
|
||||
doFailingTest("login_valid.xml", BadRegistrarIpAddressException.class);
|
||||
|
@ -128,9 +129,10 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
|
|||
public void testFailure_incorrectClientIpv6Address() {
|
||||
persistResource(
|
||||
getRegistrarBuilder()
|
||||
.setIpAddressWhitelist(ImmutableList.of(
|
||||
CidrAddressBlock.create(InetAddresses.forString("192.168.1.1"), 32),
|
||||
CidrAddressBlock.create(InetAddresses.forString("2001:db8::1"), 128)))
|
||||
.setIpAddressAllowList(
|
||||
ImmutableList.of(
|
||||
CidrAddressBlock.create(InetAddresses.forString("192.168.1.1"), 32),
|
||||
CidrAddressBlock.create(InetAddresses.forString("2001:db8::1"), 128)))
|
||||
.build());
|
||||
credentials = new TlsCredentials(true, GOOD_CERT, BAD_IPV6);
|
||||
doFailingTest("login_valid.xml", BadRegistrarIpAddressException.class);
|
||||
|
|
|
@ -181,12 +181,12 @@ public final class OteAccountBuilderTest {
|
|||
}
|
||||
|
||||
@Test
|
||||
public void testCreateOteEntities_setIpWhitelist() {
|
||||
public void testCreateOteEntities_setIpAllowList() {
|
||||
OteAccountBuilder.forClientId("myclientid")
|
||||
.setIpWhitelist(ImmutableList.of("1.1.1.0/24"))
|
||||
.setIpAllowList(ImmutableList.of("1.1.1.0/24"))
|
||||
.buildAndPersist();
|
||||
|
||||
assertThat(Registrar.loadByClientId("myclientid-3").get().getIpAddressWhitelist())
|
||||
assertThat(Registrar.loadByClientId("myclientid-3").get().getIpAddressAllowList())
|
||||
.containsExactly(CidrAddressBlock.create("1.1.1.0/24"));
|
||||
}
|
||||
|
||||
|
|
|
@ -610,8 +610,7 @@ public class DomainBaseTest extends EntityTestCase {
|
|||
public void testFailure_uppercaseDomainName() {
|
||||
IllegalArgumentException thrown =
|
||||
assertThrows(
|
||||
IllegalArgumentException.class,
|
||||
() -> domain.asBuilder().setDomainName("AAA.BBB"));
|
||||
IllegalArgumentException.class, () -> domain.asBuilder().setDomainName("AAA.BBB"));
|
||||
assertThat(thrown)
|
||||
.hasMessageThat()
|
||||
.contains("Domain name must be in puny-coded, lower-case form");
|
||||
|
@ -621,8 +620,7 @@ public class DomainBaseTest extends EntityTestCase {
|
|||
public void testFailure_utf8DomainName() {
|
||||
IllegalArgumentException thrown =
|
||||
assertThrows(
|
||||
IllegalArgumentException.class,
|
||||
() -> domain.asBuilder().setDomainName("みんな.みんな"));
|
||||
IllegalArgumentException.class, () -> domain.asBuilder().setDomainName("みんな.みんな"));
|
||||
assertThat(thrown)
|
||||
.hasMessageThat()
|
||||
.contains("Domain name must be in puny-coded, lower-case form");
|
||||
|
|
|
@ -81,7 +81,6 @@ public class HostHistoryTest extends EntityTestCase {
|
|||
assertThat(one.getReason()).isEqualTo(two.getReason());
|
||||
assertThat(one.getTrid()).isEqualTo(two.getTrid());
|
||||
assertThat(one.getType()).isEqualTo(two.getType());
|
||||
assertThat(one.getHostBase().getHostName())
|
||||
.isEqualTo(two.getHostBase().getHostName());
|
||||
assertThat(one.getHostBase().getHostName()).isEqualTo(two.getHostBase().getHostName());
|
||||
}
|
||||
}
|
||||
|
|
|
@ -171,8 +171,7 @@ public class HostResourceTest extends EntityTestCase {
|
|||
public void testFailure_uppercaseHostName() {
|
||||
IllegalArgumentException thrown =
|
||||
assertThrows(
|
||||
IllegalArgumentException.class,
|
||||
() -> host.asBuilder().setHostName("AAA.BBB.CCC"));
|
||||
IllegalArgumentException.class, () -> host.asBuilder().setHostName("AAA.BBB.CCC"));
|
||||
assertThat(thrown)
|
||||
.hasMessageThat()
|
||||
.contains("Host name must be in puny-coded, lower-case form");
|
||||
|
@ -182,8 +181,7 @@ public class HostResourceTest extends EntityTestCase {
|
|||
public void testFailure_utf8HostName() {
|
||||
IllegalArgumentException thrown =
|
||||
assertThrows(
|
||||
IllegalArgumentException.class,
|
||||
() -> host.asBuilder().setHostName("みんな.みんな.みんな"));
|
||||
IllegalArgumentException.class, () -> host.asBuilder().setHostName("みんな.みんな.みんな"));
|
||||
assertThat(thrown)
|
||||
.hasMessageThat()
|
||||
.contains("Host name must be in puny-coded, lower-case form");
|
||||
|
|
|
@ -67,7 +67,7 @@ public class RegistrarTest extends EntityTestCase {
|
|||
.setWhoisServer("whois.example.com")
|
||||
.setBlockPremiumNames(true)
|
||||
.setClientCertificate(SAMPLE_CERT, fakeClock.nowUtc())
|
||||
.setIpAddressWhitelist(
|
||||
.setIpAddressAllowList(
|
||||
ImmutableList.of(
|
||||
CidrAddressBlock.create("192.168.1.1/31"),
|
||||
CidrAddressBlock.create("10.0.0.1/8")))
|
||||
|
|
|
@ -28,10 +28,8 @@ import org.junit.jupiter.api.extension.RegisterExtension;
|
|||
|
||||
public class VKeyTranslatorFactoryTest {
|
||||
|
||||
@RegisterExtension public final AppEngineRule appEngine =
|
||||
AppEngineRule.builder()
|
||||
.withDatastore()
|
||||
.build();
|
||||
@RegisterExtension
|
||||
public final AppEngineRule appEngine = AppEngineRule.builder().withDatastore().build();
|
||||
|
||||
public VKeyTranslatorFactoryTest() {}
|
||||
|
||||
|
|
|
@ -321,8 +321,7 @@ public final class UpdateRegistrarRdapBaseUrlsActionTest extends ShardableTestCa
|
|||
MockLowLevelHttpResponse loginResponse = new MockLowLevelHttpResponse();
|
||||
loginResponse.addHeader(
|
||||
"Set-Cookie",
|
||||
"JSESSIONID=bogusid; "
|
||||
+ "Expires=Tue, 11-Jun-2019 16:34:21 GMT; Path=/; Secure; HttpOnly");
|
||||
"JSESSIONID=bogusid; " + "Expires=Tue, 11-Jun-2019 16:34:21 GMT; Path=/; Secure; HttpOnly");
|
||||
loginResponse.addHeader(
|
||||
"Set-Cookie",
|
||||
"id=myAuthenticationId; "
|
||||
|
|
|
@ -256,7 +256,7 @@ public class IcannReportingUploadActionTest {
|
|||
}
|
||||
|
||||
@Test
|
||||
public void testFailure_quicklySkipsOverIpWhitelistException() throws Exception {
|
||||
public void testFailure_quicklySkipsOverIpAllowListException() throws Exception {
|
||||
runTest_nonRetryableException(
|
||||
new IOException("Your IP address 25.147.130.158 is not allowed to connect"));
|
||||
}
|
||||
|
|
|
@ -156,9 +156,10 @@ public class DatastoreHelper {
|
|||
.setCreationTimeForTest(START_OF_TIME)
|
||||
.setAuthInfo(DomainAuthInfo.create(PasswordAuth.create("2fooBAR")))
|
||||
.setRegistrant(contactKey)
|
||||
.setContacts(ImmutableSet.of(
|
||||
DesignatedContact.create(Type.ADMIN, contactKey),
|
||||
DesignatedContact.create(Type.TECH, contactKey)))
|
||||
.setContacts(
|
||||
ImmutableSet.of(
|
||||
DesignatedContact.create(Type.ADMIN, contactKey),
|
||||
DesignatedContact.create(Type.TECH, contactKey)))
|
||||
.setRegistrationExpirationTime(END_OF_TIME)
|
||||
.build();
|
||||
}
|
||||
|
@ -564,25 +565,27 @@ public class DatastoreHelper {
|
|||
historyEntryDomainTransfer,
|
||||
requestTime,
|
||||
expirationTime));
|
||||
BillingEvent.Recurring gainingClientAutorenewEvent = persistResource(
|
||||
new BillingEvent.Recurring.Builder()
|
||||
.setFlags(ImmutableSet.of(Flag.AUTO_RENEW))
|
||||
.setReason(Reason.RENEW)
|
||||
.setTargetId(domain.getDomainName())
|
||||
.setClientId("NewRegistrar")
|
||||
.setEventTime(extendedRegistrationExpirationTime)
|
||||
.setRecurrenceEndTime(END_OF_TIME)
|
||||
.setParent(historyEntryDomainTransfer)
|
||||
.build());
|
||||
PollMessage.Autorenew gainingClientAutorenewPollMessage = persistResource(
|
||||
new PollMessage.Autorenew.Builder()
|
||||
.setTargetId(domain.getDomainName())
|
||||
.setClientId("NewRegistrar")
|
||||
.setEventTime(extendedRegistrationExpirationTime)
|
||||
.setAutorenewEndTime(END_OF_TIME)
|
||||
.setMsg("Domain was auto-renewed.")
|
||||
.setParent(historyEntryDomainTransfer)
|
||||
.build());
|
||||
BillingEvent.Recurring gainingClientAutorenewEvent =
|
||||
persistResource(
|
||||
new BillingEvent.Recurring.Builder()
|
||||
.setFlags(ImmutableSet.of(Flag.AUTO_RENEW))
|
||||
.setReason(Reason.RENEW)
|
||||
.setTargetId(domain.getDomainName())
|
||||
.setClientId("NewRegistrar")
|
||||
.setEventTime(extendedRegistrationExpirationTime)
|
||||
.setRecurrenceEndTime(END_OF_TIME)
|
||||
.setParent(historyEntryDomainTransfer)
|
||||
.build());
|
||||
PollMessage.Autorenew gainingClientAutorenewPollMessage =
|
||||
persistResource(
|
||||
new PollMessage.Autorenew.Builder()
|
||||
.setTargetId(domain.getDomainName())
|
||||
.setClientId("NewRegistrar")
|
||||
.setEventTime(extendedRegistrationExpirationTime)
|
||||
.setAutorenewEndTime(END_OF_TIME)
|
||||
.setMsg("Domain was auto-renewed.")
|
||||
.setParent(historyEntryDomainTransfer)
|
||||
.build());
|
||||
// Modify the existing autorenew event to reflect the pending transfer.
|
||||
persistResource(
|
||||
ofy().load().key(domain.getAutorenewBillingEvent()).now().asBuilder()
|
||||
|
|
|
@ -42,9 +42,7 @@ public final class DomainBaseSubject
|
|||
|
||||
public And<DomainBaseSubject> hasFullyQualifiedDomainName(String fullyQualifiedDomainName) {
|
||||
return hasValue(
|
||||
fullyQualifiedDomainName,
|
||||
actual.getDomainName(),
|
||||
"has fullyQualifiedDomainName");
|
||||
fullyQualifiedDomainName, actual.getDomainName(), "has fullyQualifiedDomainName");
|
||||
}
|
||||
|
||||
public And<DomainBaseSubject> hasExactlyDsData(DelegationSignerData... dsData) {
|
||||
|
|
|
@ -83,7 +83,7 @@ public class CreateRegistrarCommandTest extends CommandTestCase<CreateRegistrarC
|
|||
assertThat(registrar.getIanaIdentifier()).isEqualTo(8);
|
||||
assertThat(registrar.getState()).isEqualTo(Registrar.State.ACTIVE);
|
||||
assertThat(registrar.getAllowedTlds()).isEmpty();
|
||||
assertThat(registrar.getIpAddressWhitelist()).isEmpty();
|
||||
assertThat(registrar.getIpAddressAllowList()).isEmpty();
|
||||
assertThat(registrar.getClientCertificateHash()).isNull();
|
||||
assertThat(registrar.getPhonePasscode()).isEqualTo("01234");
|
||||
assertThat(registrar.getCreationTime()).isIn(Range.closed(before, after));
|
||||
|
@ -307,13 +307,13 @@ public class CreateRegistrarCommandTest extends CommandTestCase<CreateRegistrarC
|
|||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_ipWhitelistFlag() throws Exception {
|
||||
public void testSuccess_ipAllowListFlag() throws Exception {
|
||||
runCommandForced(
|
||||
"--name=blobio",
|
||||
"--password=some_password",
|
||||
"--registrar_type=REAL",
|
||||
"--iana_id=8",
|
||||
"--ip_whitelist=192.168.1.1,192.168.0.2/16",
|
||||
"--ip_allow_list=192.168.1.1,192.168.0.2/16",
|
||||
"--passcode=01234",
|
||||
"--icann_referral_email=foo@bar.test",
|
||||
"--street=\"123 Fake St\"",
|
||||
|
@ -325,19 +325,19 @@ public class CreateRegistrarCommandTest extends CommandTestCase<CreateRegistrarC
|
|||
|
||||
Optional<Registrar> registrar = Registrar.loadByClientId("clientz");
|
||||
assertThat(registrar).isPresent();
|
||||
assertThat(registrar.get().getIpAddressWhitelist())
|
||||
.containsExactlyElementsIn(registrar.get().getIpAddressWhitelist())
|
||||
assertThat(registrar.get().getIpAddressAllowList())
|
||||
.containsExactlyElementsIn(registrar.get().getIpAddressAllowList())
|
||||
.inOrder();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_ipWhitelistFlagNull() throws Exception {
|
||||
public void testSuccess_ipAllowListFlagNull() throws Exception {
|
||||
runCommandForced(
|
||||
"--name=blobio",
|
||||
"--password=some_password",
|
||||
"--registrar_type=REAL",
|
||||
"--iana_id=8",
|
||||
"--ip_whitelist=null",
|
||||
"--ip_allow_list=null",
|
||||
"--passcode=01234",
|
||||
"--icann_referral_email=foo@bar.test",
|
||||
"--street=\"123 Fake St\"",
|
||||
|
@ -349,7 +349,7 @@ public class CreateRegistrarCommandTest extends CommandTestCase<CreateRegistrarC
|
|||
|
||||
Optional<Registrar> registrar = Registrar.loadByClientId("clientz");
|
||||
assertThat(registrar).isPresent();
|
||||
assertThat(registrar.get().getIpAddressWhitelist()).isEmpty();
|
||||
assertThat(registrar.get().getIpAddressAllowList()).isEmpty();
|
||||
}
|
||||
|
||||
@Test
|
||||
|
@ -1008,7 +1008,7 @@ public class CreateRegistrarCommandTest extends CommandTestCase<CreateRegistrarC
|
|||
}
|
||||
|
||||
@Test
|
||||
public void testFailure_invalidIpWhitelistFlag() {
|
||||
public void testFailure_invalidIpAllowListFlag() {
|
||||
assertThrows(
|
||||
IllegalArgumentException.class,
|
||||
() ->
|
||||
|
@ -1017,7 +1017,7 @@ public class CreateRegistrarCommandTest extends CommandTestCase<CreateRegistrarC
|
|||
"--password=some_password",
|
||||
"--registrar_type=REAL",
|
||||
"--iana_id=8",
|
||||
"--ip_whitelist=foobarbaz",
|
||||
"--ip_allow_list=foobarbaz",
|
||||
"--passcode=01234",
|
||||
"--icann_referral_email=foo@bar.test",
|
||||
"--street=\"123 Fake St\"",
|
||||
|
@ -1029,7 +1029,7 @@ public class CreateRegistrarCommandTest extends CommandTestCase<CreateRegistrarC
|
|||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_ipWhitelistFlagWithNull() {
|
||||
public void testSuccess_ipAllowListFlagWithNull() {
|
||||
assertThrows(
|
||||
IllegalArgumentException.class,
|
||||
() ->
|
||||
|
@ -1038,7 +1038,7 @@ public class CreateRegistrarCommandTest extends CommandTestCase<CreateRegistrarC
|
|||
"--password=some_password",
|
||||
"--registrar_type=REAL",
|
||||
"--iana_id=8",
|
||||
"--ip_whitelist=192.168.1.1,192.168.0.2/16,null",
|
||||
"--ip_allow_list=192.168.1.1,192.168.0.2/16,null",
|
||||
"--passcode=01234",
|
||||
"--icann_referral_email=foo@bar.test",
|
||||
"--street=\"123 Fake St\"",
|
||||
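Review bot: The assertion at the end of `testSuccess_ipAllowListFlag` compares the registrar's allow list with itself, `assertThat(registrar.get().getIpAddressAllowList()).containsExactlyElementsIn(registrar.get().getIpAddressAllowList()).inOrder()`, so it passes whatever `--ip_allow_list=192.168.1.1,192.168.0.2/16` was parsed into, including an empty list. The rename carries this over unchanged from the old getter. LoginFlowViaTlsTest shows this list deciding whether a login is rejected with BadRegistrarIpAddressException, so the parsed value is worth pinning: `.containsExactly(CidrAddressBlock.create("192.168.1.1"), CidrAddressBlock.create("192.168.0.2/16")).inOrder()`, which is what UpdateRegistrarCommandTest already asserts for the same flag value. The test body starts in the previous hunk, so only its tail is visible where the assertion sits.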
|
|
|
@ -88,10 +88,7 @@ public class LockDomainCommandTest extends CommandTestCase<LockDomainCommand> {
|
|||
runCommandForced(
|
||||
ImmutableList.<String>builder()
|
||||
.add("--client=NewRegistrar")
|
||||
.addAll(
|
||||
domains.stream()
|
||||
.map(DomainBase::getDomainName)
|
||||
.collect(Collectors.toList()))
|
||||
.addAll(domains.stream().map(DomainBase::getDomainName).collect(Collectors.toList()))
|
||||
.build());
|
||||
for (DomainBase domain : domains) {
|
||||
assertThat(reloadResource(domain).getStatusValues())
|
||||
|
|
|
@ -98,7 +98,7 @@ public class SetupOteCommandTest extends CommandTestCase<SetupOteCommand> {
|
|||
String registrarName,
|
||||
String allowedTld,
|
||||
String password,
|
||||
ImmutableList<CidrAddressBlock> ipWhitelist,
|
||||
ImmutableList<CidrAddressBlock> ipAllowList,
|
||||
boolean hashOnly) {
|
||||
Registrar registrar = loadRegistrar(registrarName);
|
||||
assertThat(registrar).isNotNull();
|
||||
|
@ -106,7 +106,7 @@ public class SetupOteCommandTest extends CommandTestCase<SetupOteCommand> {
|
|||
assertThat(registrar.getRegistrarName()).isEqualTo(registrarName);
|
||||
assertThat(registrar.getState()).isEqualTo(ACTIVE);
|
||||
assertThat(registrar.verifyPassword(password)).isTrue();
|
||||
assertThat(registrar.getIpAddressWhitelist()).isEqualTo(ipWhitelist);
|
||||
assertThat(registrar.getIpAddressAllowList()).isEqualTo(ipAllowList);
|
||||
assertThat(registrar.getClientCertificateHash()).isEqualTo(SAMPLE_CERT_HASH);
|
||||
// If certificate hash is provided, there's no certificate file stored with the registrar.
|
||||
if (!hashOnly) {
|
||||
|
@ -118,8 +118,8 @@ public class SetupOteCommandTest extends CommandTestCase<SetupOteCommand> {
|
|||
String registrarName,
|
||||
String allowedTld,
|
||||
String password,
|
||||
ImmutableList<CidrAddressBlock> ipWhitelist) {
|
||||
verifyRegistrarCreation(registrarName, allowedTld, password, ipWhitelist, false);
|
||||
ImmutableList<CidrAddressBlock> ipAllowList) {
|
||||
verifyRegistrarCreation(registrarName, allowedTld, password, ipAllowList, false);
|
||||
}
|
||||
|
||||
private void verifyRegistrarContactCreation(String registrarName, String email) {
|
||||
|
@ -135,7 +135,7 @@ public class SetupOteCommandTest extends CommandTestCase<SetupOteCommand> {
|
|||
@Test
|
||||
public void testSuccess() throws Exception {
|
||||
runCommandForced(
|
||||
"--ip_whitelist=1.1.1.1",
|
||||
"--ip_allow_list=1.1.1.1",
|
||||
"--registrar=blobio",
|
||||
"--email=contact@email.com",
|
||||
"--certfile=" + getCertFilename());
|
||||
|
@ -161,7 +161,7 @@ public class SetupOteCommandTest extends CommandTestCase<SetupOteCommand> {
|
|||
@Test
|
||||
public void testSuccess_shortRegistrarName() throws Exception {
|
||||
runCommandForced(
|
||||
"--ip_whitelist=1.1.1.1",
|
||||
"--ip_allow_list=1.1.1.1",
|
||||
"--registrar=abc",
|
||||
"--email=abc@email.com",
|
||||
"--certfile=" + getCertFilename());
|
||||
|
@ -187,7 +187,7 @@ public class SetupOteCommandTest extends CommandTestCase<SetupOteCommand> {
|
|||
@Test
|
||||
public void testSuccess_certificateHash() throws Exception {
|
||||
runCommandForced(
|
||||
"--ip_whitelist=1.1.1.1",
|
||||
"--ip_allow_list=1.1.1.1",
|
||||
"--registrar=blobio",
|
||||
"--email=contact@email.com",
|
||||
"--certhash=" + SAMPLE_CERT_HASH);
|
||||
|
@ -205,7 +205,7 @@ public class SetupOteCommandTest extends CommandTestCase<SetupOteCommand> {
|
|||
@Test
|
||||
public void testSuccess_multipleIps() throws Exception {
|
||||
runCommandForced(
|
||||
"--ip_whitelist=1.1.1.1,2.2.2.2",
|
||||
"--ip_allow_list=1.1.1.1,2.2.2.2",
|
||||
"--registrar=blobio",
|
||||
"--email=contact@email.com",
|
||||
"--certfile=" + getCertFilename());
|
||||
|
@ -230,7 +230,7 @@ public class SetupOteCommandTest extends CommandTestCase<SetupOteCommand> {
|
|||
}
|
||||
|
||||
@Test
|
||||
public void testFailure_missingIpWhitelist() {
|
||||
public void testFailure_missingIpAllowList() {
|
||||
ParameterException thrown =
|
||||
assertThrows(
|
||||
ParameterException.class,
|
||||
|
@ -239,7 +239,7 @@ public class SetupOteCommandTest extends CommandTestCase<SetupOteCommand> {
|
|||
"--registrar=blobio",
|
||||
"--email=contact@email.com",
|
||||
"--certfile=" + getCertFilename()));
|
||||
assertThat(thrown).hasMessageThat().contains("option is required: -w, --ip_whitelist");
|
||||
assertThat(thrown).hasMessageThat().contains("option is required: -a, --ip_allow_list");
|
||||
}
|
||||
|
||||
@Test
|
||||
|
@ -249,7 +249,7 @@ public class SetupOteCommandTest extends CommandTestCase<SetupOteCommand> {
|
|||
ParameterException.class,
|
||||
() ->
|
||||
runCommandForced(
|
||||
"--ip_whitelist=1.1.1.1",
|
||||
"--ip_allow_list=1.1.1.1",
|
||||
"--email=contact@email.com",
|
||||
"--certfile=" + getCertFilename()));
|
||||
assertThat(thrown).hasMessageThat().contains("option is required: -r, --registrar");
|
||||
|
@ -262,9 +262,7 @@ public class SetupOteCommandTest extends CommandTestCase<SetupOteCommand> {
|
|||
IllegalArgumentException.class,
|
||||
() ->
|
||||
runCommandForced(
|
||||
"--ip_whitelist=1.1.1.1",
|
||||
"--email=contact@email.com",
|
||||
"--registrar=blobio"));
|
||||
"--ip_allow_list=1.1.1.1", "--email=contact@email.com", "--registrar=blobio"));
|
||||
assertThat(thrown)
|
||||
.hasMessageThat()
|
||||
.contains(
|
||||
|
@ -278,7 +276,7 @@ public class SetupOteCommandTest extends CommandTestCase<SetupOteCommand> {
|
|||
IllegalArgumentException.class,
|
||||
() ->
|
||||
runCommandForced(
|
||||
"--ip_whitelist=1.1.1.1",
|
||||
"--ip_allow_list=1.1.1.1",
|
||||
"--email=contact@email.com",
|
||||
"--registrar=blobio",
|
||||
"--certfile=" + getCertFilename(),
|
||||
|
@ -296,7 +294,7 @@ public class SetupOteCommandTest extends CommandTestCase<SetupOteCommand> {
|
|||
ParameterException.class,
|
||||
() ->
|
||||
runCommandForced(
|
||||
"--ip_whitelist=1.1.1.1",
|
||||
"--ip_allow_list=1.1.1.1",
|
||||
"--certfile=" + getCertFilename(),
|
||||
"--registrar=blobio"));
|
||||
assertThat(thrown).hasMessageThat().contains("option is required: --email");
|
||||
|
@ -309,7 +307,7 @@ public class SetupOteCommandTest extends CommandTestCase<SetupOteCommand> {
|
|||
CertificateParsingException.class,
|
||||
() ->
|
||||
runCommandForced(
|
||||
"--ip_whitelist=1.1.1.1",
|
||||
"--ip_allow_list=1.1.1.1",
|
||||
"--registrar=blobio",
|
||||
"--email=contact@email.com",
|
||||
"--certfile=/dev/null"));
|
||||
|
@ -323,7 +321,7 @@ public class SetupOteCommandTest extends CommandTestCase<SetupOteCommand> {
|
|||
IllegalArgumentException.class,
|
||||
() ->
|
||||
runCommandForced(
|
||||
"--ip_whitelist=1.1.1.1",
|
||||
"--ip_allow_list=1.1.1.1",
|
||||
"--registrar=3blo-bio",
|
||||
"--email=contact@email.com",
|
||||
"--certfile=" + getCertFilename()));
|
||||
|
@ -337,7 +335,7 @@ public class SetupOteCommandTest extends CommandTestCase<SetupOteCommand> {
|
|||
IllegalArgumentException.class,
|
||||
() ->
|
||||
runCommandForced(
|
||||
"--ip_whitelist=1.1.1.1",
|
||||
"--ip_allow_list=1.1.1.1",
|
||||
"--registrar=bl",
|
||||
"--email=contact@email.com",
|
||||
"--certfile=" + getCertFilename()));
|
||||
|
@ -351,7 +349,7 @@ public class SetupOteCommandTest extends CommandTestCase<SetupOteCommand> {
|
|||
IllegalArgumentException.class,
|
||||
() ->
|
||||
runCommandForced(
|
||||
"--ip_whitelist=1.1.1.1",
|
||||
"--ip_allow_list=1.1.1.1",
|
||||
"--registrar=blobiotoooolong",
|
||||
"--email=contact@email.com",
|
||||
"--certfile=" + getCertFilename()));
|
||||
|
@ -365,7 +363,7 @@ public class SetupOteCommandTest extends CommandTestCase<SetupOteCommand> {
|
|||
IllegalArgumentException.class,
|
||||
() ->
|
||||
runCommandForced(
|
||||
"--ip_whitelist=1.1.1.1",
|
||||
"--ip_allow_list=1.1.1.1",
|
||||
"--registrar=blo#bio",
|
||||
"--email=contact@email.com",
|
||||
"--certfile=" + getCertFilename()));
|
||||
|
@ -380,7 +378,7 @@ public class SetupOteCommandTest extends CommandTestCase<SetupOteCommand> {
|
|||
IllegalStateException.class,
|
||||
() ->
|
||||
runCommandForced(
|
||||
"--ip_whitelist=1.1.1.1",
|
||||
"--ip_allow_list=1.1.1.1",
|
||||
"--registrar=blobio",
|
||||
"--email=contact@email.com",
|
||||
"--certfile=" + getCertFilename()));
|
||||
|
@ -393,7 +391,7 @@ public class SetupOteCommandTest extends CommandTestCase<SetupOteCommand> {
|
|||
|
||||
runCommandForced(
|
||||
"--overwrite",
|
||||
"--ip_whitelist=1.1.1.1",
|
||||
"--ip_allow_list=1.1.1.1",
|
||||
"--registrar=blobio",
|
||||
"--email=contact@email.com",
|
||||
"--certfile=" + getCertFilename());
|
||||
|
@ -414,7 +412,7 @@ public class SetupOteCommandTest extends CommandTestCase<SetupOteCommand> {
|
|||
IllegalStateException.class,
|
||||
() ->
|
||||
runCommandForced(
|
||||
"--ip_whitelist=1.1.1.1",
|
||||
"--ip_allow_list=1.1.1.1",
|
||||
"--registrar=blobio",
|
||||
"--email=contact@email.com",
|
||||
"--certfile=" + getCertFilename()));
|
||||
|
@ -431,7 +429,7 @@ public class SetupOteCommandTest extends CommandTestCase<SetupOteCommand> {
|
|||
|
||||
runCommandForced(
|
||||
"--overwrite",
|
||||
"--ip_whitelist=1.1.1.1",
|
||||
"--ip_allow_list=1.1.1.1",
|
||||
"--registrar=blobio",
|
||||
"--email=contact@email.com",
|
||||
"--certfile=" + getCertFilename());
|
||||
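Review bot: `testFailure_missingIpAllowList` now expects `option is required: -a, --ip_allow_list`, so both the long flag and the short option (`-w` to `-a`) were renamed, and nothing in these tests shows whether the old spellings are still accepted. If they are not, operator scripts that still pass `--ip_whitelist` or `-w` will fail with a ParameterException after the upgrade; CreateRegistrarCommandTest and UpdateRegistrarCommandTest show the same flag rename. I would make the intended behaviour explicit with one more test here that runs the command with `--ip_whitelist=1.1.1.1` and asserts either rejection or acceptance as an alias, whichever the command declaration is meant to do. The command class itself is not part of this section, so this is inferred from the expected messages only.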
|
|
|
@ -99,10 +99,7 @@ public class UnlockDomainCommandTest extends CommandTestCase<UnlockDomainCommand
|
|||
runCommandForced(
|
||||
ImmutableList.<String>builder()
|
||||
.add("--client=NewRegistrar")
|
||||
.addAll(
|
||||
domains.stream()
|
||||
.map(DomainBase::getDomainName)
|
||||
.collect(Collectors.toList()))
|
||||
.addAll(domains.stream().map(DomainBase::getDomainName).collect(Collectors.toList()))
|
||||
.build());
|
||||
for (DomainBase domain : domains) {
|
||||
assertThat(reloadResource(domain).getStatusValues()).containsNoneIn(REGISTRY_LOCK_STATUSES);
|
||||
|
|
|
@ -191,43 +191,43 @@ public class UpdateRegistrarCommandTest extends CommandTestCase<UpdateRegistrarC
|
|||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_ipWhitelist() throws Exception {
|
||||
assertThat(loadRegistrar("NewRegistrar").getIpAddressWhitelist()).isEmpty();
|
||||
runCommand("--ip_whitelist=192.168.1.1,192.168.0.2/16", "--force", "NewRegistrar");
|
||||
assertThat(loadRegistrar("NewRegistrar").getIpAddressWhitelist())
|
||||
public void testSuccess_ipAllowList() throws Exception {
|
||||
assertThat(loadRegistrar("NewRegistrar").getIpAddressAllowList()).isEmpty();
|
||||
runCommand("--ip_allow_list=192.168.1.1,192.168.0.2/16", "--force", "NewRegistrar");
|
||||
assertThat(loadRegistrar("NewRegistrar").getIpAddressAllowList())
|
||||
.containsExactly(
|
||||
CidrAddressBlock.create("192.168.1.1"), CidrAddressBlock.create("192.168.0.2/16"))
|
||||
.inOrder();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_clearIpWhitelist_useNull() throws Exception {
|
||||
public void testSuccess_clearIpAllowList_useNull() throws Exception {
|
||||
persistResource(
|
||||
loadRegistrar("NewRegistrar")
|
||||
.asBuilder()
|
||||
.setIpAddressWhitelist(
|
||||
.setIpAddressAllowList(
|
||||
ImmutableList.of(
|
||||
CidrAddressBlock.create("192.168.1.1"),
|
||||
CidrAddressBlock.create("192.168.0.2/16")))
|
||||
.build());
|
||||
assertThat(loadRegistrar("NewRegistrar").getIpAddressWhitelist()).isNotEmpty();
|
||||
runCommand("--ip_whitelist=null", "--force", "NewRegistrar");
|
||||
assertThat(loadRegistrar("NewRegistrar").getIpAddressWhitelist()).isEmpty();
|
||||
assertThat(loadRegistrar("NewRegistrar").getIpAddressAllowList()).isNotEmpty();
|
||||
runCommand("--ip_allow_list=null", "--force", "NewRegistrar");
|
||||
assertThat(loadRegistrar("NewRegistrar").getIpAddressAllowList()).isEmpty();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_clearIpWhitelist_useEmpty() throws Exception {
|
||||
public void testSuccess_clearIpAllowList_useEmpty() throws Exception {
|
||||
persistResource(
|
||||
loadRegistrar("NewRegistrar")
|
||||
.asBuilder()
|
||||
.setIpAddressWhitelist(
|
||||
.setIpAddressAllowList(
|
||||
ImmutableList.of(
|
||||
CidrAddressBlock.create("192.168.1.1"),
|
||||
CidrAddressBlock.create("192.168.0.2/16")))
|
||||
.build());
|
||||
assertThat(loadRegistrar("NewRegistrar").getIpAddressWhitelist()).isNotEmpty();
|
||||
runCommand("--ip_whitelist=", "--force", "NewRegistrar");
|
||||
assertThat(loadRegistrar("NewRegistrar").getIpAddressWhitelist()).isEmpty();
|
||||
assertThat(loadRegistrar("NewRegistrar").getIpAddressAllowList()).isNotEmpty();
|
||||
runCommand("--ip_allow_list=", "--force", "NewRegistrar");
|
||||
assertThat(loadRegistrar("NewRegistrar").getIpAddressAllowList()).isEmpty();
|
||||
}
|
||||
|
||||
@Test
|
||||
|
@ -653,10 +653,10 @@ public class UpdateRegistrarCommandTest extends CommandTestCase<UpdateRegistrarC
|
|||
}
|
||||
|
||||
@Test
|
||||
public void testFailure_invalidIpWhitelist() {
|
||||
public void testFailure_invalidIpAllowList() {
|
||||
assertThrows(
|
||||
IllegalArgumentException.class,
|
||||
() -> runCommand("--ip_whitelist=foobarbaz", "--force", "NewRegistrar"));
|
||||
() -> runCommand("--ip_allow_list=foobarbaz", "--force", "NewRegistrar"));
|
||||
}
|
||||
|
||||
@Test
|
||||
|
|
|
@ -50,7 +50,7 @@ public class ValidateLoginCredentialsCommandTest
|
|||
.asBuilder()
|
||||
.setPassword(PASSWORD)
|
||||
.setClientCertificateHash(CERT_HASH)
|
||||
.setIpAddressWhitelist(ImmutableList.of(new CidrAddressBlock(CLIENT_IP)))
|
||||
.setIpAddressAllowList(ImmutableList.of(new CidrAddressBlock(CLIENT_IP)))
|
||||
.setState(ACTIVE)
|
||||
.setAllowedTlds(ImmutableSet.of("tld"))
|
||||
.build());
|
||||
|
|
|
@ -360,12 +360,12 @@ public class RegistrarSettingsActionTest extends RegistrarSettingsActionTestCase
|
|||
}
|
||||
|
||||
@Test
|
||||
public void testUpdate_ipAddressWhitelist() {
|
||||
public void testUpdate_ipAddressAllowList() {
|
||||
doTestUpdate(
|
||||
Role.OWNER,
|
||||
Registrar::getIpAddressWhitelist,
|
||||
Registrar::getIpAddressAllowList,
|
||||
ImmutableList.of(CidrAddressBlock.create("1.1.1.0/24")),
|
||||
Registrar.Builder::setIpAddressWhitelist);
|
||||
Registrar.Builder::setIpAddressAllowList);
|
||||
}
|
||||
|
||||
@Test
|
||||
|
|
|
@ -85,15 +85,19 @@ public class DomainWhoisResponseTest {
|
|||
|
||||
createTld("tld");
|
||||
|
||||
hostResource1 = persistResource(new HostResource.Builder()
|
||||
.setHostName("ns01.exampleregistrar.tld")
|
||||
.setRepoId("1-ROID")
|
||||
.build());
|
||||
hostResource1 =
|
||||
persistResource(
|
||||
new HostResource.Builder()
|
||||
.setHostName("ns01.exampleregistrar.tld")
|
||||
.setRepoId("1-ROID")
|
||||
.build());
|
||||
|
||||
hostResource2 = persistResource(new HostResource.Builder()
|
||||
.setHostName("ns02.exampleregistrar.tld")
|
||||
.setRepoId("2-ROID")
|
||||
.build());
|
||||
hostResource2 =
|
||||
persistResource(
|
||||
new HostResource.Builder()
|
||||
.setHostName("ns02.exampleregistrar.tld")
|
||||
.setRepoId("2-ROID")
|
||||
.build());
|
||||
|
||||
registrant = persistResource(new ContactResource.Builder()
|
||||
.setContactId("5372808-ERL")
|
||||
|
|
|
@ -54,23 +54,27 @@ public class NameserverWhoisResponseTest {
|
|||
persistResource(loadRegistrar("example").asBuilder().setUrl("http://my.fake.url").build());
|
||||
createTld("tld");
|
||||
|
||||
hostResource1 = new HostResource.Builder()
|
||||
.setHostName("ns1.example.tld")
|
||||
.setPersistedCurrentSponsorClientId("example")
|
||||
.setInetAddresses(ImmutableSet.of(
|
||||
InetAddresses.forString("192.0.2.123"),
|
||||
InetAddresses.forString("2001:0DB8::1")))
|
||||
.setRepoId("1-EXAMPLE")
|
||||
.build();
|
||||
hostResource1 =
|
||||
new HostResource.Builder()
|
||||
.setHostName("ns1.example.tld")
|
||||
.setPersistedCurrentSponsorClientId("example")
|
||||
.setInetAddresses(
|
||||
ImmutableSet.of(
|
||||
InetAddresses.forString("192.0.2.123"),
|
||||
InetAddresses.forString("2001:0DB8::1")))
|
||||
.setRepoId("1-EXAMPLE")
|
||||
.build();
|
||||
|
||||
hostResource2 = new HostResource.Builder()
|
||||
.setHostName("ns2.example.tld")
|
||||
.setPersistedCurrentSponsorClientId("example")
|
||||
.setInetAddresses(ImmutableSet.of(
|
||||
InetAddresses.forString("192.0.2.123"),
|
||||
InetAddresses.forString("2001:0DB8::1")))
|
||||
.setRepoId("2-EXAMPLE")
|
||||
.build();
|
||||
hostResource2 =
|
||||
new HostResource.Builder()
|
||||
.setHostName("ns2.example.tld")
|
||||
.setPersistedCurrentSponsorClientId("example")
|
||||
.setInetAddresses(
|
||||
ImmutableSet.of(
|
||||
InetAddresses.forString("192.0.2.123"),
|
||||
InetAddresses.forString("2001:0DB8::1")))
|
||||
.setRepoId("2-EXAMPLE")
|
||||
.build();
|
||||
}
|
||||
|
||||
@Test
|
||||
|
|
|
@ -28,7 +28,7 @@ describe('security settings test', function() {
|
|||
const stubs = new goog.testing.PropertyReplacer();
|
||||
|
||||
const expectedRegistrar = {
|
||||
ipAddressWhitelist: [],
|
||||
ipAddressAllowList: [],
|
||||
phonePasscode: '12345',
|
||||
clientCertificate: null,
|
||||
clientCertificateHash: null,
|
||||
|
@ -105,7 +105,7 @@ describe('security settings test', function() {
|
|||
clientCertificate: exampleCert,
|
||||
clientCertificateHash: null,
|
||||
failoverClientCertificate: 'bourgeois blues',
|
||||
ipAddressWhitelist: ['1.1.1.1', '2.2.2.2'],
|
||||
ipAddressAllowList: ['1.1.1.1', '2.2.2.2'],
|
||||
phonePasscode: expectedRegistrar.phonePasscode,
|
||||
readonly: false }},
|
||||
{status: 'SUCCESS',
|
||||
|
@ -118,7 +118,7 @@ describe('security settings test', function() {
|
|||
expectedRegistrar.clientCertificate = exampleCert;
|
||||
expectedRegistrar.clientCertificateHash = exampleCertHash;
|
||||
expectedRegistrar.failoverClientCertificate = 'bourgeois blues';
|
||||
expectedRegistrar.ipAddressWhitelist = ['1.1.1.1/32', '2.2.2.2/32'];
|
||||
expectedRegistrar.ipAddressAllowList = ['1.1.1.1/32', '2.2.2.2/32'];
|
||||
registry.testing.assertReqMockRsp(
|
||||
test.testXsrfToken,
|
||||
'/registrar-settings',
|
||||
|
|
|
@ -43,7 +43,7 @@
|
|||
"creationTime": "2014-04-15T21:57:54.765Z",
|
||||
"clientCertificate": null,
|
||||
"emailAddress": "thase@the.registrar",
|
||||
"ipAddressWhitelist": [
|
||||
"ipAddressAllowList": [
|
||||
"1.1.1.1\/32",
|
||||
"2.2.2.2\/32",
|
||||
"4.4.4.4\/32"
|
||||
|
|
|
@ -42,7 +42,7 @@
|
|||
"creationTime": "2014-04-15T21:57:54.765Z",
|
||||
"clientCertificate": null,
|
||||
"emailAddress": "thase@the.registrar",
|
||||
"ipAddressWhitelist": [
|
||||
"ipAddressAllowList": [
|
||||
"1.1.1.1\/32",
|
||||
"2.2.2.2\/32",
|
||||
"4.4.4.4\/32"
|
||||
|
|
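--- a/db/src/main/resources/sql/flyway/V35__rename_allow_list.sql
+++ b/db/src/main/resources/sql/flyway/V35__rename_allow_list.sql
@@ -0,0 +1,15 @@
+-- Copyright 2020 The Nomulus Authors. All Rights Reserved.
+--
+-- Licensed under the Apache License, Version 2.0 (the "License");
+-- you may not use this file except in compliance with the License.
+-- You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+ALTER TABLE "Registrar" RENAME COLUMN "ip_address_whitelist" TO "ip_address_allow_list";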
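Review bot: The in-place `RENAME COLUMN` at the end of this migration is not backward compatible: a server build that still maps the field to `ip_address_whitelist` would fail on Registrar reads and writes from the moment the migration runs until the new build is deployed, and the new build would fail the same way if it ships first. Because this column holds the registrar IP allow list used for access control, the file should state the intended rollout order, for example `-- Apply only together with the server build that maps ip_address_allow_list; older builds cannot read the renamed column.` If the SQL schema already serves traffic, adding the new column, copying the data and dropping the old column across two releases would avoid that window; whether this is needed cannot be told from this page.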
|
|
@ -332,7 +332,7 @@ create sequence history_id_sequence start 1 increment 1;
|
|||
i18n_address_street_line2 text,
|
||||
i18n_address_street_line3 text,
|
||||
i18n_address_zip text,
|
||||
ip_address_whitelist text[],
|
||||
ip_address_allow_list text[],
|
||||
last_certificate_update_time timestamptz,
|
||||
last_update_time timestamptz,
|
||||
localized_address_city text,
|
||||
|
|
|
@ -526,7 +526,7 @@ CREATE TABLE public."Registrar" (
|
|||
i18n_address_street_line2 text,
|
||||
i18n_address_street_line3 text,
|
||||
i18n_address_zip text,
|
||||
ip_address_whitelist text[],
|
||||
ip_address_allow_list text[],
|
||||
last_certificate_update_time timestamp with time zone,
|
||||
last_update_time timestamp with time zone,
|
||||
localized_address_city text,
|
||||
|
|
|
@ -119,7 +119,7 @@ make sense. A master enumeration lists all the valid triplets. They are:
|
|||
|
||||
* `AUTH_PUBLIC_OR_INTERNAL`: Allows anyone access, as long as they use OAuth to
|
||||
authenticate. Also allows access from App Engine task-queue. Note that OAuth
|
||||
client ID still needs to be whitelisted in the config file for OAuth-based
|
||||
client ID still needs to be allow-listed in the config file for OAuth-based
|
||||
authentication to succeed. This is mainly used by the proxy.
|
||||
|
||||
### Action setting golden files
|
||||
|
|
|
@ -137,7 +137,7 @@ used extensively throughout the codebase:
|
|||
a loop.
|
||||
* With the `of` method: used when constructing the collection with a
|
||||
handful of elements. Most commonly used when creating collections
|
||||
representing constants, like lookup tables or whitelists.
|
||||
representing constants, like lookup tables or allow lists.
|
||||
* With the `copyOf` method: used when constructing the method from a
|
||||
reference to another collection. Used to defensively copy a mutable
|
||||
collection (like a return value from an external library) to an
|
||||
|
|
|
@ -350,11 +350,11 @@ An EPP flow that creates a new domain resource.
|
|||
* Requested domain is reserved.
|
||||
* Linked resource in pending delete prohibits operation.
|
||||
* Requested domain requires a claims notice.
|
||||
* Nameservers are not whitelisted for this TLD.
|
||||
* Nameservers not specified for domain on TLD with nameserver whitelist.
|
||||
* Nameservers are not allow-listed for this TLD.
|
||||
* Nameservers not specified for domain on TLD with nameserver allow list.
|
||||
* The requested domain name is on the premium price list, and this
|
||||
registrar has blocked premium registrations.
|
||||
* Registrant is not whitelisted for this TLD.
|
||||
* Registrant is not allow-listed for this TLD.
|
||||
* Requested domain does not require a claims notice.
|
||||
* 2305
|
||||
* The allocation token is not valid for this domain.
|
||||
|
@ -760,9 +760,9 @@ statuses are updated at once.
|
|||
clear that status.
|
||||
* Resource status prohibits this operation.
|
||||
* Linked resource in pending delete prohibits operation.
|
||||
* Nameservers are not whitelisted for this TLD.
|
||||
* Nameservers not specified for domain on TLD with nameserver whitelist.
|
||||
* Registrant is not whitelisted for this TLD.
|
||||
* Nameservers are not allow-listed for this TLD.
|
||||
* Nameservers not specified for domain on TLD with nameserver allow list.
|
||||
* Registrant is not allow-listed for this TLD.
|
||||
* 2306
|
||||
* Cannot add and remove the same value.
|
||||
* More than one contact for a given role is not allowed.
|
||||
|
@ -950,7 +950,7 @@ An EPP flow for login.
|
|||
* Specified extension is not implemented.
|
||||
* 2200
|
||||
* Registrar certificate does not match stored certificate.
|
||||
* Registrar IP address is not in stored whitelist.
|
||||
* Registrar IP address is not in stored allow list.
|
||||
* Registrar certificate not present.
|
||||
* Registrar password is incorrect.
|
||||
* Registrar with this client ID could not be found.
|
||||
|
|
|
@ -71,9 +71,9 @@ label.
|
|||
## Domain create restriction on closed TLDs
|
||||
|
||||
Nomulus offers the ability to "lock-down" a TLD so that domain registration is
|
||||
forbidden except for whitelisted domain names. This is achieved by setting the
|
||||
forbidden except for allow-listed domain names. This is achieved by setting the
|
||||
"domain create restricted" option on the TLD using the `nomulus` tool. Domains
|
||||
are whitelisted for registration by adding them to reserved lists with entries
|
||||
are allow-listed for registration by adding them to reserved lists with entries
|
||||
of type `NAMESERVER_RESTRICTED`. Each domain will thus also need to have
|
||||
explicitly allowed nameservers configured in its reserved list entry, per the
|
||||
previous section.
|
||||
|
@ -90,7 +90,7 @@ Note that you do **not** have to set a TLD-wide allowed nameservers list with
|
|||
this option, because it operates independently from the per-domain nameservers
|
||||
restriction that `NAMESERVER_RESTRICTED` reservation imposes.
|
||||
|
||||
In addition to disabling registration of non-whitelisted domains, setting a TLD
|
||||
In addition to disabling registration of non-allow-listed domains, setting a TLD
|
||||
as domain create restricted also applies the `SERVER_UPDATE_PROHIBITED` and
|
||||
`SERVER_TRANSFER_PROHIBITED` statuses to domains upon creation. Any domains on a
|
||||
domain create restricted TLD are therefore virtually immutable, and must be
|
||||
|
|
|
@ -28,7 +28,7 @@ certifications required across gTLDs?**
|
|||
implementation. Here is how we answer it: ]*
|
||||
|
||||
The registry does not provide a secure certificate. Registrars must provide
|
||||
their own certificate during onboarding, which will be whitelisted for the
|
||||
their own certificate during onboarding, which will be allow-listed for the
|
||||
connection. A single certificate can be used for multiple TLDs.
|
||||
|
||||
**1.4 Locks and statuses: do lock and status rules follow RFC specifications?**
|
||||
|
@ -277,7 +277,7 @@ We have a shared registry system for EPP, with a shared namespace across all
|
|||
supported TLDs. Contacts and hosts are shared across all TLDs; for instance, the
|
||||
same contact can be used for all of a registrar's domains in the system.
|
||||
|
||||
**7.11 If using a DRS, are login credentials, IP whitelisting, etc. configured
|
||||
**7.11 If using a DRS, are login credentials, IP allow listing, etc. configured
|
||||
separately or will these be the same for all TLDs in your system?**
|
||||
|
||||
These will be the same for all TLDs, because we are a shared registry system.
|
||||
|
@ -477,20 +477,20 @@ commands.
|
|||
## Security
|
||||
|
||||
*[ The answers in this section depend on your EPP proxy implementation. These
|
||||
are the answers that we give, because our EPP proxy has IP whitelists, and
|
||||
are the answers that we give, because our EPP proxy has IP allow lists, and
|
||||
requires SSL certificates and SNI. We recommend that other proxy implementations
|
||||
do likewise. ]*
|
||||
|
||||
**9.1 How do I specify the IP addresses that can access your EPP system?**
|
||||
|
||||
You will be asked to submit your whitelisted IPs (in CIDR notation) during the
|
||||
You will be asked to submit your allow-listed IPs (in CIDR notation) during the
|
||||
onboarding process. After completion of the onboarding process, you can use the
|
||||
support console to manage the IP whitelist for your production account.
|
||||
support console to manage the IP allow list for your production account.
|
||||
|
||||
**9.2 What SSL certificates will you accept for EPP connections?**
|
||||
|
||||
We will accept any SSL certificate. You will be asked to submit your certificate
|
||||
for whitelisting during the onboarding process. After completion of the
|
||||
for allow-listing during the onboarding process. After completion of the
|
||||
onboarding process, you can use the support console to manage the certificate
|
||||
for your production account.
|
||||
|
||||
|
|
|
@ -33,7 +33,7 @@ import javax.inject.Inject;
|
|||
* <p>When an EPP client connects to the registry (through the proxy), the registry performs two
|
||||
* validations to ensure that only known registrars are allowed. First it checks the sha265 hash of
|
||||
* the client SSL certificate and match it to the hash stored in datastore for the registrar. It
|
||||
* then checks if the connection is from an whitelisted IP address that belongs to that registrar.
|
||||
* then checks if the connection is from an allow-listed IP address that belongs to that registrar.
|
||||
*
|
||||
* <p>The proxy receives client connects via the GCP load balancer, which results in the loss of
|
||||
* original client IP from the channel. Luckily, the load balancer supports the PROXY protocol v1,
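Review bot: The context line just above the renamed sentence still reads "sha265 hash", which names no real algorithm. This Javadoc describes the certificate check that authenticates registrars, so the sentence should read `First it checks the SHA-256 hash of the client SSL certificate and matches it to the hash stored in Datastore for the registrar.` The comment begins and ends outside the hunk, so only these lines can be judged here.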
|
||||
|
|
|
@ -78,9 +78,9 @@ public class Retrier implements Serializable {
|
|||
* Retries a unit of work in the face of transient errors and returns the result.
|
||||
*
|
||||
* <p>Retrying is done a fixed number of times, with exponential backoff, if the exception that is
|
||||
* thrown is on a whitelist of retryable errors. If the error is not on the whitelist, or if the
|
||||
* thread is interrupted, or if the allowable number of attempts has been exhausted, the original
|
||||
* exception is propagated through to the caller. Checked exceptions are wrapped in a
|
||||
* thrown is on an allow list of retryable errors. If the error is not on the allow list, or if
|
||||
* the thread is interrupted, or if the allowable number of attempts has been exhausted, the
|
||||
* original exception is propagated through to the caller. Checked exceptions are wrapped in a
|
||||
* RuntimeException, while unchecked exceptions are propagated as-is.
|
||||
*
|
||||
* <p>Uses a default FailureReporter that logs before each retry.
|
||||
|
@ -112,9 +112,9 @@ public class Retrier implements Serializable {
|
|||
* Retries a unit of work in the face of transient errors and returns the result.
|
||||
*
|
||||
* <p>Retrying is done a fixed number of times, with exponential backoff, if the exception that is
|
||||
* thrown is on a whitelist of retryable errors. If the error is not on the whitelist, or if the
|
||||
* thread is interrupted, or if the allowable number of attempts has been exhausted, the original
|
||||
* exception is propagated through to the caller. Checked exceptions are wrapped in a
|
||||
* thrown is on an allow list of retryable errors. If the error is not on the allow list, or if
|
||||
* the thread is interrupted, or if the allowable number of attempts has been exhausted, the
|
||||
* original exception is propagated through to the caller. Checked exceptions are wrapped in a
|
||||
* RuntimeException, while unchecked exceptions are propagated as-is.
|
||||
*
|
||||
* @return the value returned by the {@link Callable}.
|
||||
|
|
|
@ -48,12 +48,12 @@ public final class SqlTemplate {
|
|||
/**
|
||||
* Adds a key/value that should be substituted an individual variable in the template.
|
||||
*
|
||||
* <p>Your template variables should appear as follows: {@code WHERE foo = '%BAR%'} and you
|
||||
* would call {@code .put("BAR", "some value"} to safely substitute it with a value. Only
|
||||
* whitelisted characters (as defined by {@link #LEGAL_SUBSTITUTIONS}) are allowed in values.
|
||||
* <p>Your template variables should appear as follows: {@code WHERE foo = '%BAR%'} and you would
|
||||
* call {@code .put("BAR", "some value"} to safely substitute it with a value. Only allow-listed
|
||||
* characters (as defined by {@link #LEGAL_SUBSTITUTIONS}) are allowed in values.
|
||||
*
|
||||
* @param key uppercase string that can have digits and underscores
|
||||
* @param value substitution value, comprised of whitelisted characters
|
||||
* @param value substitution value, composed of allow-listed characters
|
||||
* @throws IllegalArgumentException if key or value has bad chars or duplicate keys were added
|
||||
*/
|
||||
public SqlTemplate put(String key, String value) {
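Review bot: The rewrapped Javadoc for `put` still carries an unbalanced inline tag, `{@code .put("BAR", "some value"}`, which should be `{@code .put("BAR", "some value")}`. The phrase "safely substitute" also rests entirely on `LEGAL_SUBSTITUTIONS`, which is not visible in this hunk. Since the example splices the value into a quoted SQL literal rather than binding it as a parameter, the comment should name the permitted characters and say that quotes and backslashes are excluded, if that is in fact the case. The body of `put` lies outside the hunk.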
|
||||
|
|
|
@ -52,7 +52,7 @@ public final class X509Utils {
|
|||
* SHA-256 digest of the certificate.
|
||||
*
|
||||
* <p>Note that this must match the method used by the GFE to generate the client certificate hash
|
||||
* so that the two will match when we check against the whitelist.
|
||||
* so that the two will match when we check against the allow list.
|
||||
*/
|
||||
public static String getCertificateHash(X509Certificate cert) {
|
||||
try {
|
||||
|
|