Enforce abuse WHOIS contact for REAL registrars when adding TLDs

We do not enforce this for non-REAL registrars or in any environment other than UNITTEST or PRODUCTION. This is similar but separate to [] since we can add allowed TLDs in either location. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=239510275
2025-05-17 01:47:14 +02:00 · 2019-03-20 17:30:46 -07:00 · 2019-03-20 17:30:46 -07:00 · 4544aa1efe
commit 4544aa1efe
parent 2a18e705a2
6 changed files with 210 additions and 12 deletions
--- a/java/google/registry/tools/CreateOrUpdateRegistrarCommand.java
+++ b/java/google/registry/tools/CreateOrUpdateRegistrarCommand.java
@ -258,6 +258,8 @@ abstract class CreateOrUpdateRegistrarCommand extends MutatingCommand {
  @Nullable
  abstract Registrar getOldRegistrar(String clientId);

+  abstract void checkModifyAllowedTlds(@Nullable Registrar oldRegistrar);
+
  protected void initRegistrarCommand() {}

  @Override
@ -300,9 +302,12 @@ abstract class CreateOrUpdateRegistrarCommand extends MutatingCommand {
      if (driveFolderId != null) {
        builder.setDriveFolderId(driveFolderId.orElse(null));
      }
+      if (!allowedTlds.isEmpty() || !addAllowedTlds.isEmpty()) {
+        checkModifyAllowedTlds(oldRegistrar);
+      }
      if (!allowedTlds.isEmpty()) {
-        checkArgument(addAllowedTlds.isEmpty(),
-            "Can't specify both --allowedTlds and --addAllowedTlds");
+        checkArgument(
+            addAllowedTlds.isEmpty(), "Can't specify both --allowedTlds and --addAllowedTlds");
        ImmutableSet.Builder<String> allowedTldsBuilder = new ImmutableSet.Builder<>();
        for (String allowedTld : allowedTlds) {
          allowedTldsBuilder.add(canonicalizeDomainName(allowedTld));
--- a/java/google/registry/tools/CreateRegistrarCommand.java
+++ b/java/google/registry/tools/CreateRegistrarCommand.java
@ -30,6 +30,7 @@ import com.beust.jcommander.Parameter;
 import com.beust.jcommander.Parameters;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Streams;
+import google.registry.config.RegistryEnvironment;
 import google.registry.model.registrar.Registrar;
 import java.util.ArrayList;
 import java.util.List;
@ -86,14 +87,28 @@ final class CreateRegistrarCommand extends CreateOrUpdateRegistrarCommand
            .filter(registrar -> normalizeClientId(registrar.getClientId()).equals(clientId))
            .collect(toCollection(ArrayList::new));
    if (!collisions.isEmpty()) {
-      throw new IllegalArgumentException(String.format(
-          "The registrar client identifier %s normalizes identically to existing registrar %s",
-          clientId,
-          collisions.get(0).getClientId()));
+      throw new IllegalArgumentException(
+          String.format(
+              "The registrar client identifier %s normalizes identically to existing registrar %s",
+              clientId, collisions.get(0).getClientId()));
    }
    return null;
  }

+  @Override
+  void checkModifyAllowedTlds(@Nullable Registrar oldRegistrar) {
+    // When creating a registrar, only allow allowed-TLD modification if we're in a non-PRODUCTION
+    // environment and/or the registrar is not REAL
+    checkArgument(
+        !RegistryEnvironment.PRODUCTION.equals(RegistryEnvironment.get())
+            || !Registrar.Type.REAL.equals(registrarType),
+        "Cannot add allowed TLDs when creating a REAL registrar in a production environment."
+            + " Please create the registrar without allowed TLDs, then use `nomulus"
+            + " registrar_contact` to create a registrar contact for it that is visible as the"
+            + " abuse contact in WHOIS. Then use `nomulus update_registrar` to add the allowed"
+            + " TLDs.");
+  }
+
  @Override
  protected String postExecute() {
    if (!createGoogleGroups) {
--- a/java/google/registry/tools/UpdateRegistrarCommand.java
+++ b/java/google/registry/tools/UpdateRegistrarCommand.java
@ -14,10 +14,13 @@

 package google.registry.tools;

+import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
 import static google.registry.util.PreconditionsUtils.checkArgumentPresent;

 import com.beust.jcommander.Parameters;
+import google.registry.config.RegistryEnvironment;
 import google.registry.model.registrar.Registrar;
+import javax.annotation.Nullable;

 /** Command to update a Registrar. */
@Parameters(separators = " =", commandDescription = "Update registrar account(s)")
@ -28,4 +31,22 @@ final class UpdateRegistrarCommand extends CreateOrUpdateRegistrarCommand {
    return checkArgumentPresent(
        Registrar.loadByClientId(clientId), "Registrar %s not found", clientId);
  }
+
+  @Override
+  void checkModifyAllowedTlds(@Nullable Registrar oldRegistrar) {
+    // Only allow modifying allowed TLDs if we're in a non-PRODUCTION environment, if the registrar
+    // is not REAL, or the registrar has a WHOIS abuse contact set.
+    checkArgumentNotNull(oldRegistrar, "Old registrar was not present during modification");
+
+    boolean isRealRegistrar =
+        Registrar.Type.REAL.equals(registrarType)
+            || (Registrar.Type.REAL.equals(oldRegistrar.getType()) && registrarType == null);
+    if (RegistryEnvironment.PRODUCTION.equals(RegistryEnvironment.get()) && isRealRegistrar) {
+      checkArgumentPresent(
+          oldRegistrar.getWhoisAbuseContact(),
+          "Cannot modify allowed TLDs if there is no WHOIS abuse contact set. Please use the"
+              + " \"nomulus registrar_contact\" command on this registrar to set a WHOIS abuse"
+              + " contact.");
+    }
+  }
 }