Disallow empty nameservers for domains in TLDs with whitelist

If a TLD has a whitelist on nameservers, domains in such TLD must have at least one nameserver. Therefore creating domains with empty nameserver is forbidden, as well as deleting the last nameserver on a domain. We enforce this policy by checking the number of nameservers for the new resource to makesure it is not zero if a whitelist exists. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=127318320
2025-05-30 09:20:29 +02:00 · 2016-07-13 08:13:42 -07:00 · 2016-07-13 08:13:42 -07:00 · 4ccc016e5c
commit 4ccc016e5c
parent aa2f283f7c
11 changed files with 129 additions and 19 deletions
--- a/java/google/registry/flows/domain/BaseDomainCreateFlow.java
+++ b/java/google/registry/flows/domain/BaseDomainCreateFlow.java
@ -21,7 +21,7 @@ import static google.registry.flows.domain.DomainFlowUtils.validateDomainName;
 import static google.registry.flows.domain.DomainFlowUtils.validateDomainNameWithIdnTables;
 import static google.registry.flows.domain.DomainFlowUtils.validateDsData;
 import static google.registry.flows.domain.DomainFlowUtils.validateNameserversAllowedOnTld;
-import static google.registry.flows.domain.DomainFlowUtils.validateNameserversCount;
+import static google.registry.flows.domain.DomainFlowUtils.validateNameserversCountForTld;
 import static google.registry.flows.domain.DomainFlowUtils.validateNoDuplicateContacts;
 import static google.registry.flows.domain.DomainFlowUtils.validateRegistrantAllowedOnTld;
 import static google.registry.flows.domain.DomainFlowUtils.validateRequiredContactsPresent;
@ -215,7 +215,7 @@ public abstract class BaseDomainCreateFlow<R extends DomainBase, B extends Build
    validateRequiredContactsPresent(command.getRegistrant(), command.getContacts());
    Set<String> fullyQualifiedHostNames =
        nullToEmpty(command.getNameserverFullyQualifiedHostNames());
-    validateNameserversCount(fullyQualifiedHostNames.size());
+    validateNameserversCountForTld(tld, fullyQualifiedHostNames.size());
    validateNameserversAllowedOnTld(tld, fullyQualifiedHostNames);
    validateLaunchCreateExtension();
    // If a signed mark was provided, then it must match the desired domain label.
--- a/java/google/registry/flows/domain/BaseDomainUpdateFlow.java
+++ b/java/google/registry/flows/domain/BaseDomainUpdateFlow.java
@ -21,13 +21,14 @@ import static google.registry.flows.domain.DomainFlowUtils.cloneAndLinkReference
 import static google.registry.flows.domain.DomainFlowUtils.validateContactsHaveTypes;
 import static google.registry.flows.domain.DomainFlowUtils.validateDsData;
 import static google.registry.flows.domain.DomainFlowUtils.validateNameserversAllowedOnTld;
-import static google.registry.flows.domain.DomainFlowUtils.validateNameserversCount;
+import static google.registry.flows.domain.DomainFlowUtils.validateNameserversCountForTld;
 import static google.registry.flows.domain.DomainFlowUtils.validateNoDuplicateContacts;
 import static google.registry.flows.domain.DomainFlowUtils.validateRegistrantAllowedOnTld;
 import static google.registry.flows.domain.DomainFlowUtils.validateRequiredContactsPresent;
 import static google.registry.flows.domain.DomainFlowUtils.verifyNotInPendingDelete;

 import com.google.common.collect.ImmutableSet;
+
 import google.registry.flows.EppException;
 import google.registry.flows.EppException.ParameterValuePolicyErrorException;
 import google.registry.flows.EppException.RequiredParameterMissingException;
@ -40,6 +41,7 @@ import google.registry.model.domain.secdns.DelegationSignerData;
 import google.registry.model.domain.secdns.SecDnsUpdateExtension;
 import google.registry.model.domain.secdns.SecDnsUpdateExtension.Add;
 import google.registry.model.domain.secdns.SecDnsUpdateExtension.Remove;
+
 import java.util.Set;

 /**
@ -126,7 +128,7 @@ public abstract class BaseDomainUpdateFlow<R extends DomainBase, B extends Build
    validateNoDuplicateContacts(newResource.getContacts());
    validateRequiredContactsPresent(newResource.getRegistrant(), newResource.getContacts());
    validateDsData(newResource.getDsData());
-    validateNameserversCount(newResource.getNameservers().size());
+    validateNameserversCountForTld(newResource.getTld(), newResource.getNameservers().size());
  }

  /** The secDNS:all element must have value 'true' if present. */
--- a/java/google/registry/flows/domain/DomainApplicationCreateFlow.java
+++ b/java/google/registry/flows/domain/DomainApplicationCreateFlow.java
@ -90,6 +90,7 @@ import javax.inject.Inject;
 * @error {@link DomainFlowUtils.LinkedResourcesDoNotExistException}
 * @error {@link DomainFlowUtils.MissingContactTypeException}
 * @error {@link DomainFlowUtils.NameserversNotAllowedException}
+ * @error {@link DomainFlowUtils.NameserversNotSpecifiedException}
 * @error {@link DomainFlowUtils.NoMarksFoundMatchingDomainException}
 * @error {@link DomainFlowUtils.PremiumNameBlockedException}
 * @error {@link DomainFlowUtils.RegistrantNotAllowedException}
--- a/java/google/registry/flows/domain/DomainCreateFlow.java
+++ b/java/google/registry/flows/domain/DomainCreateFlow.java
@ -80,6 +80,7 @@ import javax.inject.Inject;
 * @error {@link DomainFlowUtils.MissingRegistrantException}
 * @error {@link DomainFlowUtils.MissingTechnicalContactException}
 * @error {@link DomainFlowUtils.NameserversNotAllowedException}
+ * @error {@link DomainFlowUtils.NameserversNotSpecifiedException}
 * @error {@link DomainFlowUtils.PremiumNameBlockedException}
 * @error {@link DomainFlowUtils.RegistrantNotAllowedException}
 * @error {@link DomainFlowUtils.TldDoesNotExistException}
--- a/java/google/registry/flows/domain/DomainFlowUtils.java
+++ b/java/google/registry/flows/domain/DomainFlowUtils.java
@ -274,11 +274,18 @@ public class DomainFlowUtils {
    }
  }

-  static void validateNameserversCount(int count) throws EppException {
+  static void validateNameserversCountForTld(String tld, int count) throws EppException {
+    ImmutableSet<String> whitelist = Registry.get(tld).getAllowedFullyQualifiedHostNames();
+    // For TLDs with a nameserver whitelist, all domains must have at least 1 nameserver.
+    if (!whitelist.isEmpty() && count == 0) {
+      throw new NameserversNotSpecifiedException();
+    }
+
    if (count > MAX_NAMESERVERS_PER_DOMAIN) {
      throw new TooManyNameserversException(String.format(
          "Only %d nameservers are allowed per domain", MAX_NAMESERVERS_PER_DOMAIN));
    }
+
  }

  static void validateNoDuplicateContacts(Set<DesignatedContact> contacts)
@ -313,7 +320,7 @@ public class DomainFlowUtils {
  static void validateRegistrantAllowedOnTld(String tld, String registrantContactId)
      throws RegistrantNotAllowedException {
    ImmutableSet<String> whitelist = Registry.get(tld).getAllowedRegistrantContactIds();
-    // Empty whitelists or null registrantContactId are ignored.
+    // Empty whitelist or null registrantContactId are ignored.
    if (registrantContactId != null && !whitelist.isEmpty() 
        && !whitelist.contains(registrantContactId)) {
      throw new RegistrantNotAllowedException(registrantContactId);
@ -323,12 +330,12 @@ public class DomainFlowUtils {
  static void validateNameserversAllowedOnTld(String tld, Set<String> fullyQualifiedHostNames)
      throws EppException {
    ImmutableSet<String> whitelist = Registry.get(tld).getAllowedFullyQualifiedHostNames();
-    if (whitelist.isEmpty()) {  // Empty whitelists are ignored.
-      return;
-    }
-    Set<String> disallowedNameservers = difference(nullToEmpty(fullyQualifiedHostNames), whitelist);
-    if (!disallowedNameservers.isEmpty()) {
-      throw new NameserversNotAllowedException(disallowedNameservers);
+    Set<String> hostnames = nullToEmpty(fullyQualifiedHostNames);
+    if (!whitelist.isEmpty()) { // Empty whitelist is ignored.
+      Set<String> disallowedNameservers = difference(hostnames, whitelist);
+      if (!disallowedNameservers.isEmpty()) {
+        throw new NameserversNotAllowedException(disallowedNameservers);
+      }
    }
  }

@ -998,4 +1005,12 @@ public class DomainFlowUtils {
          Joiner.on(',').join(fullyQualifiedHostNames)));
    }
  }
+
+  /** Nameservers not specified for this TLD with whitelist. */
+  public static class NameserversNotSpecifiedException extends StatusProhibitsOperationException {
+    public NameserversNotSpecifiedException() {
+      super("At least one nameserver must be specified for this TLD");
+    }
+  }
+
 }
--- a/java/google/registry/flows/domain/DomainUpdateFlow.java
+++ b/java/google/registry/flows/domain/DomainUpdateFlow.java
@ -59,6 +59,7 @@ import org.joda.time.DateTime;
 * @error {@link DomainFlowUtils.MissingContactTypeException}
 * @error {@link DomainFlowUtils.MissingTechnicalContactException}
 * @error {@link DomainFlowUtils.NameserversNotAllowedException}
+ * @error {@link DomainFlowUtils.NameserversNotSpecifiedException}
 * @error {@link DomainFlowUtils.RegistrantNotAllowedException}
 * @error {@link DomainFlowUtils.TooManyDsRecordsException}
 * @error {@link DomainFlowUtils.TooManyNameserversException}