Use enum instead of boolean for TMCH CA mode

Also more narrowly scopes a catch block in TmchCertificateAuthority.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=144744847

javatests/google/registry/flows/EppCommitLogsTest.java

@@ -25,6 +25,7 @@ import static org.joda.time.DateTimeZone.UTC;
 import static org.joda.time.Duration.standardDays;
 
 import com.googlecode.objectify.Key;
+import google.registry.config.RegistryConfig.ConfigModule.TmchCaMode;
 import google.registry.flows.EppTestComponent.FakesAndMocksModule;
 import google.registry.model.domain.DomainResource;
 import google.registry.model.ofy.Ofy;
@@ -71,7 +72,7 @@ public class EppCommitLogsTest extends ShardableTestCase {
     SessionMetadata sessionMetadata = new HttpSessionMetadata(new FakeHttpSession());
     sessionMetadata.setClientId("TheRegistrar");
     DaggerEppTestComponent.builder()
-        .fakesAndMocksModule(new FakesAndMocksModule(clock, true))
+        .fakesAndMocksModule(new FakesAndMocksModule(clock, TmchCaMode.PILOT))
         .build()
         .startRequest()
         .flowComponentBuilder()

javatests/google/registry/flows/EppTestCase.java

@@ -23,6 +23,7 @@ import static javax.servlet.http.HttpServletResponse.SC_OK;
 import static org.joda.time.DateTimeZone.UTC;
 
 import com.google.common.net.MediaType;
+import google.registry.config.RegistryConfig.ConfigModule.TmchCaMode;
 import google.registry.flows.EppTestComponent.FakesAndMocksModule;
 import google.registry.model.ofy.Ofy;
 import google.registry.testing.FakeClock;
@@ -114,7 +115,7 @@ public class EppTestCase extends ShardableTestCase {
     FakeResponse response = new FakeResponse();
     handler.response = response;
     handler.eppController = DaggerEppTestComponent.builder()
-        .fakesAndMocksModule(new FakesAndMocksModule(clock, true))
+        .fakesAndMocksModule(new FakesAndMocksModule(clock, TmchCaMode.PILOT))
         .build()
         .startRequest()
         .eppController();

javatests/google/registry/flows/EppTestComponent.java

@@ -22,6 +22,7 @@ import dagger.Module;
 import dagger.Provides;
 import dagger.Subcomponent;
 import google.registry.config.RegistryConfig.ConfigModule;
+import google.registry.config.RegistryConfig.ConfigModule.TmchCaMode;
 import google.registry.dns.DnsQueue;
 import google.registry.flows.custom.CustomLogicFactory;
 import google.registry.flows.custom.TestCustomLogicFactory;
@@ -61,14 +62,13 @@ interface EppTestComponent {
     final Sleeper sleeper;
 
     FakesAndMocksModule() {
-      this(new FakeClock(), true);
+      this(new FakeClock(), TmchCaMode.PILOT);
     }
 
-    FakesAndMocksModule(FakeClock clock, boolean tmchCaTestingMode) {
+    FakesAndMocksModule(FakeClock clock, TmchCaMode tmchCaMode) {
       this.clock = clock;
       this.domainFlowTmchUtils =
-          new DomainFlowTmchUtils(
-              new TmchXmlSignature(new TmchCertificateAuthority(tmchCaTestingMode)));
+          new DomainFlowTmchUtils(new TmchXmlSignature(new TmchCertificateAuthority(tmchCaMode)));
       this.sleeper = new FakeSleeper(clock);
       this.dnsQueue = DnsQueue.create();
       this.metricBuilder = EppMetric.builderForRequest("request-id-1", clock);

javatests/google/registry/flows/FlowTestCase.java

@@ -33,6 +33,7 @@ import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Iterables;
 import com.google.common.collect.Maps;
+import google.registry.config.RegistryConfig.ConfigModule.TmchCaMode;
 import google.registry.flows.EppTestComponent.FakesAndMocksModule;
 import google.registry.flows.picker.FlowPicker;
 import google.registry.model.billing.BillingEvent;
@@ -277,7 +278,7 @@ public abstract class FlowTestCase<F extends Flow> extends ShardableTestCase {
         .isEqualTo(new TypeInstantiator<F>(getClass()){}.getExactType());
     // Run the flow.
     return DaggerEppTestComponent.builder()
-        .fakesAndMocksModule(new FakesAndMocksModule(clock, tmchCaTestingMode))
+        .fakesAndMocksModule(new FakesAndMocksModule(clock, tmchCaMode))
         .build()
         .startRequest()
         .flowComponentBuilder()
@@ -339,10 +340,10 @@ public abstract class FlowTestCase<F extends Flow> extends ShardableTestCase {
     return output;
   }
 
-  private boolean tmchCaTestingMode = true;
+  private TmchCaMode tmchCaMode = TmchCaMode.PILOT;
 
   protected void useTmchProdCert() {
-    tmchCaTestingMode = false;
+    tmchCaMode = TmchCaMode.PRODUCTION;
   }
 
   public EppOutput dryRunFlowAssertResponse(String xml, String... ignoredPaths) throws Exception {

javatests/google/registry/tmch/BUILD

@@ -17,6 +17,7 @@ java_library(
         "testdata/*/*/*",
     ]),
     deps = [
+        "//java/google/registry/config",
         "//java/google/registry/model",
         "//java/google/registry/request",
         "//java/google/registry/tmch",

javatests/google/registry/tmch/TmchCertificateAuthorityTest.java

@@ -14,6 +14,8 @@
 
 package google.registry.tmch;
 
+import static google.registry.config.RegistryConfig.ConfigModule.TmchCaMode.PILOT;
+import static google.registry.config.RegistryConfig.ConfigModule.TmchCaMode.PRODUCTION;
 import static google.registry.tmch.TmchTestData.loadString;
 import static google.registry.util.ResourceUtils.readResourceUtf8;
 import static google.registry.util.X509Utils.loadCertificate;
@@ -61,7 +63,7 @@ public class TmchCertificateAuthorityTest {
 
   @Test
   public void testFailure_prodRootExpired() throws Exception {
-    TmchCertificateAuthority tmchCertificateAuthority = new TmchCertificateAuthority(false);
+    TmchCertificateAuthority tmchCertificateAuthority = new TmchCertificateAuthority(PRODUCTION);
     clock.setTo(DateTime.parse("2024-01-01T00:00:00Z"));
     thrown.expectRootCause(
         CertificateExpiredException.class, "NotAfter: Sun Jul 23 23:59:59 UTC 2023");
@@ -70,7 +72,7 @@ public class TmchCertificateAuthorityTest {
 
   @Test
   public void testFailure_prodRootNotYetValid() throws Exception {
-    TmchCertificateAuthority tmchCertificateAuthority = new TmchCertificateAuthority(false);
+    TmchCertificateAuthority tmchCertificateAuthority = new TmchCertificateAuthority(PRODUCTION);
     clock.setTo(DateTime.parse("2000-01-01T00:00:00Z"));
     thrown.expectRootCause(CertificateNotYetValidException.class,
         "NotBefore: Wed Jul 24 00:00:00 UTC 2013");
@@ -80,7 +82,7 @@ public class TmchCertificateAuthorityTest {
   @Test
   public void testFailure_crlDoesntMatchCerts() throws Exception {
     // Use the prod cl, which won't match our test certificate.
-    TmchCertificateAuthority tmchCertificateAuthority = new TmchCertificateAuthority(true);
+    TmchCertificateAuthority tmchCertificateAuthority = new TmchCertificateAuthority(PILOT);
     TmchCrl.set(
         readResourceUtf8(TmchCertificateAuthority.class, "icann-tmch.crl"), "http://cert.crl");
     thrown.expectRootCause(SignatureException.class, "Signature does not match");
@@ -89,20 +91,20 @@ public class TmchCertificateAuthorityTest {
 
   @Test
   public void testSuccess_verify() throws Exception {
-    TmchCertificateAuthority tmchCertificateAuthority = new TmchCertificateAuthority(true);
+    TmchCertificateAuthority tmchCertificateAuthority = new TmchCertificateAuthority(PILOT);
     tmchCertificateAuthority.verify(loadCertificate(GOOD_TEST_CERTIFICATE));
   }
 
   @Test
   public void testFailure_verifySignatureDoesntMatch() throws Exception {
-    TmchCertificateAuthority tmchCertificateAuthority = new TmchCertificateAuthority(false);
+    TmchCertificateAuthority tmchCertificateAuthority = new TmchCertificateAuthority(PRODUCTION);
     thrown.expectRootCause(SignatureException.class, "Signature does not match");
     tmchCertificateAuthority.verify(loadCertificate(GOOD_TEST_CERTIFICATE));
   }
 
   @Test
   public void testFailure_verifyRevoked() throws Exception {
-    TmchCertificateAuthority tmchCertificateAuthority = new TmchCertificateAuthority(true);
+    TmchCertificateAuthority tmchCertificateAuthority = new TmchCertificateAuthority(PILOT);
     thrown.expect(CertificateRevokedException.class, "revoked, reason: KEY_COMPROMISE");
     tmchCertificateAuthority.verify(loadCertificate(REVOKED_TEST_CERTIFICATE));
   }

javatests/google/registry/tmch/TmchCrlActionTest.java

@@ -19,6 +19,7 @@ import static google.registry.util.ResourceUtils.readResourceBytes;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
+import google.registry.config.RegistryConfig.ConfigModule.TmchCaMode;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.security.SignatureException;
@@ -30,10 +31,10 @@ import org.junit.Test;
 /** Unit tests for {@link TmchCrlAction}. */
 public class TmchCrlActionTest extends TmchActionTestCase {
 
-  private TmchCrlAction newTmchCrlAction(boolean tmchCaTestingMode) throws MalformedURLException {
+  private TmchCrlAction newTmchCrlAction(TmchCaMode tmchCaMode) throws MalformedURLException {
     TmchCrlAction action = new TmchCrlAction();
     action.marksdb = marksdb;
-    action.tmchCertificateAuthority = new TmchCertificateAuthority(tmchCaTestingMode);
+    action.tmchCertificateAuthority = new TmchCertificateAuthority(tmchCaMode);
     action.tmchCrlUrl = new URL("http://sloth.lol/tmch.crl");
     return action;
   }
@@ -43,7 +44,7 @@ public class TmchCrlActionTest extends TmchActionTestCase {
     clock.setTo(DateTime.parse("2013-07-24TZ"));
     when(httpResponse.getContent()).thenReturn(
         readResourceBytes(TmchCertificateAuthority.class, "icann-tmch.crl").read());
-    newTmchCrlAction(false).run();
+    newTmchCrlAction(TmchCaMode.PRODUCTION).run();
     verify(httpResponse).getContent();
     verify(fetchService).fetch(httpRequest.capture());
     assertThat(httpRequest.getValue().getURL().toString()).isEqualTo("http://sloth.lol/tmch.crl");
@@ -53,8 +54,12 @@ public class TmchCrlActionTest extends TmchActionTestCase {
   public void testFailure_crlTooOld() throws Exception {
     clock.setTo(DateTime.parse("2020-01-01TZ"));
     when(httpResponse.getContent()).thenReturn(
-        readResourceBytes(TmchCertificateAuthority.class, "icann-tmch-test.crl").read());
-    TmchCrlAction action = newTmchCrlAction(false);
+        readResourceBytes(TmchCertificateAuthority.class, "icann-tmch-pilot.crl").read());
+    // We use the pilot CRL here only because we know that it was generated more recently than the
+    // production CRL, and thus attempting to replace it with the production CRL will fail. It
+    // doesn't matter that the wrong CRT would be used to verify it because that check happens after
+    // the age check.
+    TmchCrlAction action = newTmchCrlAction(TmchCaMode.PRODUCTION);
     thrown.expectRootCause(CRLException.class, "New CRL is more out of date than our current CRL.");
     action.run();
   }
@@ -65,15 +70,15 @@ public class TmchCrlActionTest extends TmchActionTestCase {
     when(httpResponse.getContent()).thenReturn(
         readResourceBytes(TmchCertificateAuthority.class, "icann-tmch.crl").read());
     thrown.expectRootCause(SignatureException.class, "Signature does not match.");
-    newTmchCrlAction(true).run();
+    newTmchCrlAction(TmchCaMode.PILOT).run();
   }
 
   @Test
   public void testFailure_crlNotYetValid() throws Exception {
     clock.setTo(DateTime.parse("1984-01-01TZ"));
     when(httpResponse.getContent()).thenReturn(
-        readResourceBytes(TmchCertificateAuthority.class, "icann-tmch-test.crl").read());
+        readResourceBytes(TmchCertificateAuthority.class, "icann-tmch-pilot.crl").read());
     thrown.expectRootCause(CertificateNotYetValidException.class);
-    newTmchCrlAction(true).run();
+    newTmchCrlAction(TmchCaMode.PILOT).run();
   }
 }

javatests/google/registry/tmch/TmchXmlSignatureTest.java

@@ -16,6 +16,7 @@ package google.registry.tmch;
 
 import static google.registry.tmch.TmchTestData.loadSmd;
 
+import google.registry.config.RegistryConfig.ConfigModule.TmchCaMode;
 import google.registry.testing.AppEngineRule;
 import google.registry.testing.ExceptionRule;
 import google.registry.testing.FakeClock;
@@ -58,11 +59,11 @@ public class TmchXmlSignatureTest {
   @Before
   public void before() throws Exception {
     inject.setStaticField(TmchCertificateAuthority.class, "clock", clock);
-    tmchXmlSignature = new TmchXmlSignature(new TmchCertificateAuthority(true));
+    tmchXmlSignature = new TmchXmlSignature(new TmchCertificateAuthority(TmchCaMode.PILOT));
   }
 
   public void wrongCertificateAuthority() throws Exception {
-    tmchXmlSignature = new TmchXmlSignature(new TmchCertificateAuthority(false));
+    tmchXmlSignature = new TmchXmlSignature(new TmchCertificateAuthority(TmchCaMode.PRODUCTION));
     smdData = loadSmd("active/Court-Agent-Arabic-Active.smd");
     thrown.expectRootCause(SignatureException.class, "Signature does not match");
     tmchXmlSignature.verify(smdData);

javatests/google/registry/tools/UpdateSmdCommandTest.java

@@ -15,6 +15,7 @@
 package google.registry.tools;
 
 import static com.google.common.io.BaseEncoding.base64;
+import static google.registry.config.RegistryConfig.ConfigModule.TmchCaMode.PILOT;
 import static google.registry.model.ofy.ObjectifyService.ofy;
 import static google.registry.testing.DatastoreHelper.createTld;
 import static google.registry.testing.DatastoreHelper.newDomainApplication;
@@ -69,7 +70,7 @@ public class UpdateSmdCommandTest extends CommandTestCase<UpdateSmdCommand> {
         .setEncodedSignedMarks(ImmutableList.of(EncodedSignedMark.create("base64", "garbage")))
         .build());
     command.tmchUtils =
-        new DomainFlowTmchUtils(new TmchXmlSignature(new TmchCertificateAuthority(true)));
+        new DomainFlowTmchUtils(new TmchXmlSignature(new TmchCertificateAuthority(PILOT)));
   }
 
   private DomainApplication reloadDomainApplication() {