Add a registry lock password to contacts (#226)

* Add a registry lock password to contacts

* enabled -> allowed

* Simple CR responses, still need to add tests

* Add a very simple hashing test file

* Allow setting of RL password rather than directly setting it

* Round out pw tests

* Include 'allowedToSet...' in registrar contact JSON

* Responses to CR

* fix the hardcoded tests

* Use null or empty rather than just null

core/src/test/java/google/registry/model/OteAccountBuilderTest.java

@@ -153,7 +153,7 @@ public final class OteAccountBuilderTest {
   public void testCreateOteEntities_setPassword() {
     OteAccountBuilder.forClientId("myclientid").setPassword("myPassword").buildAndPersist();
 
-    assertThat(Registrar.loadByClientId("myclientid-3").get().testPassword("myPassword")).isTrue();
+    assertThat(Registrar.loadByClientId("myclientid-3").get().verifyPassword("myPassword")).isTrue();
   }
 
   @Test
@@ -268,7 +268,7 @@ public final class OteAccountBuilderTest {
         .addContact("email@example.com")
         .buildAndPersist();
 
-    assertThat(Registrar.loadByClientId("myclientid-3").get().testPassword("oldPassword")).isTrue();
+    assertThat(Registrar.loadByClientId("myclientid-3").get().verifyPassword("oldPassword")).isTrue();
 
     OteAccountBuilder.forClientId("myclientid")
         .setPassword("newPassword")
@@ -276,9 +276,9 @@ public final class OteAccountBuilderTest {
         .setReplaceExisting(true)
         .buildAndPersist();
 
-    assertThat(Registrar.loadByClientId("myclientid-3").get().testPassword("oldPassword"))
+    assertThat(Registrar.loadByClientId("myclientid-3").get().verifyPassword("oldPassword"))
         .isFalse();
-    assertThat(Registrar.loadByClientId("myclientid-3").get().testPassword("newPassword")).isTrue();
+    assertThat(Registrar.loadByClientId("myclientid-3").get().verifyPassword("newPassword")).isTrue();
   }
 
   @Test

core/src/test/java/google/registry/tools/CreateRegistrarCommandTest.java

@@ -77,7 +77,7 @@ public class CreateRegistrarCommandTest extends CommandTestCase<CreateRegistrarC
     Optional<Registrar> registrarOptional = Registrar.loadByClientId("clientz");
     assertThat(registrarOptional).isPresent();
     Registrar registrar = registrarOptional.get();
-    assertThat(registrar.testPassword("some_password")).isTrue();
+    assertThat(registrar.verifyPassword("some_password")).isTrue();
     assertThat(registrar.getType()).isEqualTo(Registrar.Type.REAL);
     assertThat(registrar.getIanaIdentifier()).isEqualTo(8);
     assertThat(registrar.getState()).isEqualTo(Registrar.State.ACTIVE);
@@ -118,7 +118,7 @@ public class CreateRegistrarCommandTest extends CommandTestCase<CreateRegistrarC
 
     Optional<Registrar> registrar = Registrar.loadByClientId("clientz");
     assertThat(registrar).isPresent();
-    assertThat(registrar.get().testPassword("some_password")).isTrue();
+    assertThat(registrar.get().verifyPassword("some_password")).isTrue();
   }
 
   @Test

core/src/test/java/google/registry/tools/RegistrarContactCommandTest.java

@@ -368,6 +368,67 @@ public class RegistrarContactCommandTest extends CommandTestCase<RegistrarContac
     assertThat(loadRegistrar("NewRegistrar").getContactsRequireSyncing()).isTrue();
   }
 
+  @Test
+  public void testCreate_setAllowedToSetRegistryLockPassword() throws Exception {
+    runCommandForced(
+        "--mode=CREATE",
+        "--name=Jim Doe",
+        "--email=jim.doe@example.com",
+        "--allowed_to_set_registry_lock_password=true",
+        "NewRegistrar");
+    RegistrarContact registrarContact = loadRegistrar("NewRegistrar").getContacts().asList().get(1);
+    assertThat(registrarContact.isAllowedToSetRegistryLockPassword()).isTrue();
+    registrarContact.asBuilder().setRegistryLockPassword("foo");
+  }
+
+  @Test
+  public void testUpdate_setAllowedToSetRegistryLockPassword() throws Exception {
+    Registrar registrar = loadRegistrar("NewRegistrar");
+    RegistrarContact registrarContact =
+        persistSimpleResource(
+            new RegistrarContact.Builder()
+                .setParent(registrar)
+                .setName("Jim Doe")
+                .setEmailAddress("jim.doe@example.com")
+                .build());
+    assertThat(registrarContact.isAllowedToSetRegistryLockPassword()).isFalse();
+    assertThrows(
+        IllegalArgumentException.class,
+        () -> registrarContact.asBuilder().setRegistryLockPassword("foo"));
+    runCommandForced(
+        "--mode=UPDATE",
+        "--email=jim.doe@example.com",
+        "--allowed_to_set_registry_lock_password=true",
+        "NewRegistrar");
+    RegistrarContact newContact = reloadResource(registrarContact);
+    assertThat(newContact.isAllowedToSetRegistryLockPassword()).isTrue();
+    // should be allowed to set the password now
+    newContact.asBuilder().setRegistryLockPassword("foo");
+  }
+
+  @Test
+  public void testUpdate_setAllowedToSetRegistryLockPassword_removesOldPassword() throws Exception {
+    Registrar registrar = loadRegistrar("NewRegistrar");
+    RegistrarContact registrarContact =
+        persistSimpleResource(
+            new RegistrarContact.Builder()
+                .setParent(registrar)
+                .setName("Jim Doe")
+                .setEmailAddress("jim.doe@example.com")
+                .setAllowedToSetRegistryLockPassword(true)
+                .setRegistryLockPassword("hi")
+                .build());
+    assertThat(registrarContact.verifyRegistryLockPassword("hi")).isTrue();
+    assertThat(registrarContact.verifyRegistryLockPassword("hello")).isFalse();
+    runCommandForced(
+        "--mode=UPDATE",
+        "--email=jim.doe@example.com",
+        "--allowed_to_set_registry_lock_password=true",
+        "NewRegistrar");
+    registrarContact = reloadResource(registrarContact);
+    assertThat(registrarContact.verifyRegistryLockPassword("hi")).isFalse();
+  }
+
   @Test
   public void testCreate_failure_badEmail() {
     IllegalArgumentException thrown =

core/src/test/java/google/registry/tools/SetupOteCommandTest.java

@@ -105,7 +105,7 @@ public class SetupOteCommandTest extends CommandTestCase<SetupOteCommand> {
     assertThat(registrar.getAllowedTlds()).containsExactlyElementsIn(ImmutableSet.of(allowedTld));
     assertThat(registrar.getRegistrarName()).isEqualTo(registrarName);
     assertThat(registrar.getState()).isEqualTo(ACTIVE);
-    assertThat(registrar.testPassword(password)).isTrue();
+    assertThat(registrar.verifyPassword(password)).isTrue();
     assertThat(registrar.getIpAddressWhitelist()).isEqualTo(ipWhitelist);
     assertThat(registrar.getClientCertificateHash()).isEqualTo(SAMPLE_CERT_HASH);
     // If certificate hash is provided, there's no certificate file stored with the registrar.

core/src/test/java/google/registry/tools/UpdateRegistrarCommandTest.java

@@ -44,9 +44,9 @@ public class UpdateRegistrarCommandTest extends CommandTestCase<UpdateRegistrarC
 
   @Test
   public void testSuccess_password() throws Exception {
-    assertThat(loadRegistrar("NewRegistrar").testPassword("some_password")).isFalse();
+    assertThat(loadRegistrar("NewRegistrar").verifyPassword("some_password")).isFalse();
     runCommand("--password=some_password", "--force", "NewRegistrar");
-    assertThat(loadRegistrar("NewRegistrar").testPassword("some_password")).isTrue();
+    assertThat(loadRegistrar("NewRegistrar").verifyPassword("some_password")).isTrue();
   }
 
   @Test
@@ -814,10 +814,10 @@ public class UpdateRegistrarCommandTest extends CommandTestCase<UpdateRegistrarC
     Registrar registrar =
         persistResource(
             loadRegistrar("NewRegistrar").asBuilder().setPoNumber(Optional.of("1664")).build());
-    assertThat(registrar.testPassword("some_password")).isFalse();
+    assertThat(registrar.verifyPassword("some_password")).isFalse();
     runCommand("--password=some_password", "--force", "NewRegistrar");
     Registrar reloadedRegistrar = loadRegistrar("NewRegistrar");
-    assertThat(reloadedRegistrar.testPassword("some_password")).isTrue();
+    assertThat(reloadedRegistrar.verifyPassword("some_password")).isTrue();
     assertThat(reloadedRegistrar.getPoNumber()).hasValue("1664");
   }
 

core/src/test/java/google/registry/ui/server/registrar/ConsoleOteSetupActionTest.java

@@ -180,7 +180,7 @@ public final class ConsoleOteSetupActionTest {
 
     // We just check some samples to make sure OteAccountBuilder was called successfully. We aren't
     // checking that all the entities are there or that they have the correct values.
-    assertThat(loadByClientId("myclientid-4").get().testPassword("SomePassword"))
+    assertThat(loadByClientId("myclientid-4").get().verifyPassword("SomePassword"))
         .isTrue();
     assertThat(response.getPayload())
         .contains("<h1>OT&E successfully created for registrar myclientid!</h1>");

core/src/test/java/google/registry/ui/server/registrar/ConsoleRegistrarCreatorActionTest.java

@@ -206,7 +206,7 @@ public final class ConsoleRegistrarCreatorActionTest {
     assertThat(registrar.getIanaIdentifier()).isEqualTo(12321L);
     assertThat(registrar.getIcannReferralEmail()).isEqualTo("icann@example.com");
     assertThat(registrar.getEmailAddress()).isEqualTo("icann@example.com");
-    assertThat(registrar.testPassword("abcdefghijklmnop")).isTrue();
+    assertThat(registrar.verifyPassword("abcdefghijklmnop")).isTrue();
     assertThat(registrar.getPhonePasscode()).isEqualTo("31415");
     assertThat(registrar.getState()).isEqualTo(Registrar.State.PENDING);
     assertThat(registrar.getType()).isEqualTo(Registrar.Type.REAL);
@@ -411,7 +411,7 @@ public final class ConsoleRegistrarCreatorActionTest {
 
     Registrar registrar = loadByClientId("myclientid").orElse(null);
     assertThat(registrar).isNotNull();
-    assertThat(registrar.testPassword("SomePassword")).isTrue();
+    assertThat(registrar.verifyPassword("SomePassword")).isTrue();
     assertThat(registrar.getPhonePasscode()).isEqualTo("10203");
   }
 

core/src/test/resources/google/registry/model/schema.txt

@@ -469,6 +469,7 @@ class google.registry.model.registrar.RegistrarAddress {
 class google.registry.model.registrar.RegistrarContact {
   @Id java.lang.String emailAddress;
   @Parent com.googlecode.objectify.Key<google.registry.model.registrar.Registrar> parent;
+  boolean allowedToSetRegistryLockPassword;
   boolean visibleInDomainWhoisAsAbuse;
   boolean visibleInWhoisAsAdmin;
   boolean visibleInWhoisAsTech;
@@ -476,6 +477,8 @@ class google.registry.model.registrar.RegistrarContact {
   java.lang.String gaeUserId;
   java.lang.String name;
   java.lang.String phoneNumber;
+  java.lang.String registryLockPasswordHash;
+  java.lang.String registryLockPasswordSalt;
   java.util.Set<google.registry.model.registrar.RegistrarContact$Type> types;
 }
 enum google.registry.model.registrar.RegistrarContact$Type {

core/src/test/resources/google/registry/ui/server/registrar/update_registrar_email.txt

@@ -11,9 +11,9 @@ emailAddress: the.registrar@example.com -> thase@the.registrar
 url: http://my.fake.url -> http://my.new.url
 contacts:
     ADDED:
-        {parent=Key<?>(EntityGroupRoot("cross-tld")/Registrar("TheRegistrar")), name=Extra Terrestrial, emailAddress=etphonehome@example.com, phoneNumber=+1.2345678901, faxNumber=null, types=[ADMIN, BILLING, TECH, WHOIS], gaeUserId=null, visibleInWhoisAsAdmin=true, visibleInWhoisAsTech=false, visibleInDomainWhoisAsAbuse=false}
+        {parent=Key<?>(EntityGroupRoot("cross-tld")/Registrar("TheRegistrar")), name=Extra Terrestrial, emailAddress=etphonehome@example.com, phoneNumber=+1.2345678901, faxNumber=null, types=[ADMIN, BILLING, TECH, WHOIS], gaeUserId=null, visibleInWhoisAsAdmin=true, visibleInWhoisAsTech=false, visibleInDomainWhoisAsAbuse=false, allowedToSetRegistryLockPassword=false, registryLockPasswordHash=null, registryLockPasswordSalt=null}
     REMOVED:
-        {parent=Key<?>(EntityGroupRoot("cross-tld")/Registrar("TheRegistrar")), name=John Doe, emailAddress=johndoe@theregistrar.com, phoneNumber=+1.1234567890, faxNumber=null, types=[ADMIN], gaeUserId=31337, visibleInWhoisAsAdmin=false, visibleInWhoisAsTech=false, visibleInDomainWhoisAsAbuse=false},
-        {parent=Key<?>(EntityGroupRoot("cross-tld")/Registrar("TheRegistrar")), name=Jian-Yang, emailAddress=jyang@bachman.accelerator, phoneNumber=+1.1234567890, faxNumber=null, types=[TECH], gaeUserId=null, visibleInWhoisAsAdmin=false, visibleInWhoisAsTech=false, visibleInDomainWhoisAsAbuse=false}
+        {parent=Key<?>(EntityGroupRoot("cross-tld")/Registrar("TheRegistrar")), name=John Doe, emailAddress=johndoe@theregistrar.com, phoneNumber=+1.1234567890, faxNumber=null, types=[ADMIN], gaeUserId=31337, visibleInWhoisAsAdmin=false, visibleInWhoisAsTech=false, visibleInDomainWhoisAsAbuse=false, allowedToSetRegistryLockPassword=false, registryLockPasswordHash=null, registryLockPasswordSalt=null},
+        {parent=Key<?>(EntityGroupRoot("cross-tld")/Registrar("TheRegistrar")), name=Jian-Yang, emailAddress=jyang@bachman.accelerator, phoneNumber=+1.1234567890, faxNumber=null, types=[TECH], gaeUserId=null, visibleInWhoisAsAdmin=false, visibleInWhoisAsTech=false, visibleInDomainWhoisAsAbuse=false, allowedToSetRegistryLockPassword=false, registryLockPasswordHash=null, registryLockPasswordSalt=null}
     FINAL CONTENTS:
-        {parent=Key<?>(EntityGroupRoot("cross-tld")/Registrar("TheRegistrar")), name=Extra Terrestrial, emailAddress=etphonehome@example.com, phoneNumber=+1.2345678901, faxNumber=null, types=[ADMIN, BILLING, TECH, WHOIS], gaeUserId=null, visibleInWhoisAsAdmin=true, visibleInWhoisAsTech=false, visibleInDomainWhoisAsAbuse=false}
+        {parent=Key<?>(EntityGroupRoot("cross-tld")/Registrar("TheRegistrar")), name=Extra Terrestrial, emailAddress=etphonehome@example.com, phoneNumber=+1.2345678901, faxNumber=null, types=[ADMIN, BILLING, TECH, WHOIS], gaeUserId=null, visibleInWhoisAsAdmin=true, visibleInWhoisAsTech=false, visibleInDomainWhoisAsAbuse=false, allowedToSetRegistryLockPassword=false, registryLockPasswordHash=null, registryLockPasswordSalt=null}