Add a registry lock password to contacts (#226)

* Add a registry lock password to contacts * enabled -> allowed * Simple CR responses, still need to add tests * Add a very simple hashing test file * Allow setting of RL password rather than directly setting it * Round out pw tests * Include 'allowedToSet...' in registrar contact JSON * Responses to CR * fix the hardcoded tests * Use null or empty rather than just null
2025-04-30 12:07:51 +02:00 · 2019-08-23 22:34:43 -04:00 · 2019-08-23 22:34:43 -04:00 · a5f27c693f
commit a5f27c693f
parent 584f887099
16 changed files with 274 additions and 57 deletions
--- a/core/src/main/java/google/registry/flows/PasswordOnlyTransportCredentials.java
+++ b/core/src/main/java/google/registry/flows/PasswordOnlyTransportCredentials.java
@ -23,7 +23,7 @@ import google.registry.model.registrar.Registrar;
 public class PasswordOnlyTransportCredentials implements TransportCredentials {
  @Override
  public void validate(Registrar r, String password) throws AuthenticationErrorException {
-    if (!r.testPassword(password)) {
+    if (!r.verifyPassword(password)) {
      throw new BadRegistrarPasswordException();
    }
  }
--- a/core/src/main/java/google/registry/flows/TlsCredentials.java
+++ b/core/src/main/java/google/registry/flows/TlsCredentials.java
@ -145,7 +145,7 @@ public class TlsCredentials implements TransportCredentials {
  private void validatePassword(Registrar registrar, String password)
      throws BadRegistrarPasswordException {
-    if (!registrar.testPassword(password)) {
+    if (!registrar.verifyPassword(password)) {
      throw new BadRegistrarPasswordException();
    }
  }
--- a/core/src/main/java/google/registry/model/registrar/Registrar.java
+++ b/core/src/main/java/google/registry/model/registrar/Registrar.java
@ -34,10 +34,11 @@ import static google.registry.model.registry.Registries.assertTldsExist;
 import static google.registry.model.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.CollectionUtils.nullToEmptyImmutableCopy;
 import static google.registry.util.CollectionUtils.nullToEmptyImmutableSortedCopy;
 import static google.registry.util.PasswordUtils.SALT_SUPPLIER;
 import static google.registry.util.PasswordUtils.hashPassword;
 import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
 import static google.registry.util.X509Utils.getCertificateHash;
 import static google.registry.util.X509Utils.loadCertificate;
 import static java.nio.charset.StandardCharsets.UTF_8;
 import static java.util.Comparator.comparing;
 import static java.util.function.Predicate.isEqual;
@ -73,10 +74,6 @@ import google.registry.model.common.EntityGroupRoot;
 import google.registry.model.registrar.Registrar.BillingAccountEntry.CurrencyMapper;
 import google.registry.model.registry.Registry;
 import google.registry.util.CidrAddressBlock;
 import google.registry.util.NonFinalForTesting;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.security.cert.CertificateParsingException;
 import java.util.Comparator;
 import java.util.List;
@ -412,15 +409,6 @@ public class Registrar extends ImmutableObject implements Buildable, Jsonifiable
  /** Whether or not registry lock is allowed for this registrar. */
  boolean registryLockAllowed = false;
  @NonFinalForTesting
  private static Supplier<byte[]> saltSupplier =
      () -> {
        // There are 32 bytes in a sha-256 hash, and the salt should generally be the same size.
        byte[] salt = new byte[32];
        new SecureRandom().nextBytes(salt);
        return salt;
      };
  public String getClientId() {
    return clientIdentifier;
  }
@ -634,16 +622,6 @@ public class Registrar extends ImmutableObject implements Buildable, Jsonifiable
        .build();
  }
  private String hashPassword(String password) {
    try {
      return base64()
          .encode(MessageDigest.getInstance("SHA-256").digest((password + salt).getBytes(UTF_8)));
    } catch (NoSuchAlgorithmException e) {
      // All implementations of MessageDigest are required to support SHA-256.
      throw new RuntimeException(e);
    }
  }
  private static String checkValidPhoneNumber(String phoneNumber) {
    checkArgument(
        E164_PATTERN.matcher(phoneNumber).matches(),
@ -652,8 +630,8 @@ public class Registrar extends ImmutableObject implements Buildable, Jsonifiable
    return phoneNumber;
  }
-  public boolean testPassword(String password) {
+  public boolean verifyPassword(String password) {
-    return hashPassword(password).equals(passwordHash);
+    return hashPassword(password, salt).equals(passwordHash);
  }
  public String getPhonePasscode() {
@ -888,8 +866,8 @@ public class Registrar extends ImmutableObject implements Buildable, Jsonifiable
      checkArgument(
          Range.closed(6, 16).contains(nullToEmpty(password).length()),
          "Password must be 6-16 characters long.");
-      getInstance().salt = base64().encode(saltSupplier.get());
+      getInstance().salt = base64().encode(SALT_SUPPLIER.get());
-      getInstance().passwordHash = getInstance().hashPassword(password);
+      getInstance().passwordHash = hashPassword(password, getInstance().salt);
      return this;
    }
--- a/core/src/main/java/google/registry/model/registrar/RegistrarContact.java
+++ b/core/src/main/java/google/registry/model/registrar/RegistrarContact.java
@ -14,13 +14,18 @@
 package google.registry.model.registrar;
 import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.base.Preconditions.checkNotNull;
 import static com.google.common.base.Strings.isNullOrEmpty;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static com.google.common.collect.Sets.difference;
 import static com.google.common.io.BaseEncoding.base64;
 import static google.registry.model.ofy.ObjectifyService.ofy;
 import static google.registry.model.registrar.Registrar.checkValidEmail;
 import static google.registry.model.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.CollectionUtils.nullToEmptyImmutableSortedCopy;
 import static google.registry.util.PasswordUtils.SALT_SUPPLIER;
 import static google.registry.util.PasswordUtils.hashPassword;
 import static java.util.stream.Collectors.joining;
 import com.google.common.base.Enums;
@ -135,6 +140,21 @@ public class RegistrarContact extends ImmutableObject implements Jsonifiable {
   */
  boolean visibleInDomainWhoisAsAbuse = false;
  /**
   * Whether or not the contact is allowed to set their registry lock password through the registrar
   * console. This will be set to false on contact creation and when the user sets a password.
   */
  boolean allowedToSetRegistryLockPassword = false;
  /**
   * A hashed password that exists iff this contact is registry-lock-enabled. The hash is a base64
   * encoded SHA256 string.
   */
  String registryLockPasswordHash;
  /** Randomly generated hash salt. */
  String registryLockPasswordSalt;
  public static ImmutableSet<Type> typesFromCSV(String csv) {
    return typesFromStrings(Arrays.asList(csv.split(",")));
  }
@ -213,11 +233,30 @@ public class RegistrarContact extends ImmutableObject implements Jsonifiable {
    return new Builder(clone(this));
  }
  public boolean isAllowedToSetRegistryLockPassword() {
    return allowedToSetRegistryLockPassword;
  }
  public boolean isRegistryLockAllowed() {
    return !isNullOrEmpty(registryLockPasswordHash) && !isNullOrEmpty(registryLockPasswordSalt);
  }
  public boolean verifyRegistryLockPassword(String registryLockPassword) {
    if (isNullOrEmpty(registryLockPassword)
        || isNullOrEmpty(registryLockPasswordSalt)
        || isNullOrEmpty(registryLockPasswordHash)) {
      return false;
    }
    return hashPassword(registryLockPassword, registryLockPasswordSalt)
        .equals(registryLockPasswordHash);
  }
  /**
   * Returns a string representation that's human friendly.
   *
-   * <p>The output will look something like this:<pre>   {@code
+   * <p>The output will look something like this:
   *
   * <pre>{@code
   * Some Person
   * person@example.com
   * Tel: +1.2125650666
@ -225,7 +264,8 @@ public class RegistrarContact extends ImmutableObject implements Jsonifiable {
   * Visible in WHOIS as Admin contact: Yes
   * Visible in WHOIS as Technical contact: No
   * GAE-UserID: 1234567890
-   *   Registrar-Console access: Yes}</pre>
+   * Registrar-Console access: Yes
   * }</pre>
   */
  public String toStringMultilinePlainText() {
    StringBuilder result = new StringBuilder(256);
@ -273,6 +313,7 @@ public class RegistrarContact extends ImmutableObject implements Jsonifiable {
        .put("visibleInWhoisAsAdmin", visibleInWhoisAsAdmin)
        .put("visibleInWhoisAsTech", visibleInWhoisAsTech)
        .put("visibleInDomainWhoisAsAbuse", visibleInDomainWhoisAsAbuse)
        .put("allowedToSetRegistryLockPassword", allowedToSetRegistryLockPassword)
        .put("gaeUserId", gaeUserId)
        .build();
  }
@ -346,5 +387,27 @@ public class RegistrarContact extends ImmutableObject implements Jsonifiable {
      getInstance().gaeUserId = gaeUserId;
      return this;
    }
    public Builder setAllowedToSetRegistryLockPassword(boolean allowedToSetRegistryLockPassword) {
      if (allowedToSetRegistryLockPassword) {
        getInstance().registryLockPasswordSalt = null;
        getInstance().registryLockPasswordHash = null;
      }
      getInstance().allowedToSetRegistryLockPassword = allowedToSetRegistryLockPassword;
      return this;
    }
    public Builder setRegistryLockPassword(String registryLockPassword) {
      checkArgument(
          getInstance().allowedToSetRegistryLockPassword,
          "Not allowed to set registry lock password for this contact");
      checkArgument(
          !isNullOrEmpty(registryLockPassword), "Registry lock password was null or empty");
      getInstance().registryLockPasswordSalt = base64().encode(SALT_SUPPLIER.get());
      getInstance().registryLockPasswordHash =
          hashPassword(registryLockPassword, getInstance().registryLockPasswordSalt);
      getInstance().allowedToSetRegistryLockPassword = false;
      return this;
    }
  }
 }
--- a/core/src/main/java/google/registry/tools/RegistrarContactCommand.java
+++ b/core/src/main/java/google/registry/tools/RegistrarContactCommand.java
@ -131,6 +131,15 @@ final class RegistrarContactCommand extends MutatingCommand {
      arity = 1)
  private Boolean visibleInDomainWhoisAsAbuse;
  @Nullable
  @Parameter(
      names = "--allowed_to_set_registry_lock_password",
      description =
          "Allow this contact to set their registry lock password in the console,"
              + " enabling registry lock",
      arity = 1)
  private Boolean allowedToSetRegistryLockPassword;
  @Parameter(
      names = {"-o", "--output"},
      description = "Output file when --mode=LIST",
@ -260,6 +269,9 @@ final class RegistrarContactCommand extends MutatingCommand {
    if (visibleInDomainWhoisAsAbuse != null) {
      builder.setVisibleInDomainWhoisAsAbuse(visibleInDomainWhoisAsAbuse);
    }
    if (allowedToSetRegistryLockPassword != null) {
      builder.setAllowedToSetRegistryLockPassword(allowedToSetRegistryLockPassword);
    }
    return builder.build();
  }
@ -301,6 +313,9 @@ final class RegistrarContactCommand extends MutatingCommand {
        builder.setGaeUserId(null);
      }
    }
    if (allowedToSetRegistryLockPassword != null) {
      builder.setAllowedToSetRegistryLockPassword(allowedToSetRegistryLockPassword);
    }
    return builder.build();
  }
--- a/core/src/test/java/google/registry/model/OteAccountBuilderTest.java
+++ b/core/src/test/java/google/registry/model/OteAccountBuilderTest.java
@ -153,7 +153,7 @@ public final class OteAccountBuilderTest {
  public void testCreateOteEntities_setPassword() {
    OteAccountBuilder.forClientId("myclientid").setPassword("myPassword").buildAndPersist();
-    assertThat(Registrar.loadByClientId("myclientid-3").get().testPassword("myPassword")).isTrue();
+    assertThat(Registrar.loadByClientId("myclientid-3").get().verifyPassword("myPassword")).isTrue();
  }
  @Test
@ -268,7 +268,7 @@ public final class OteAccountBuilderTest {
        .addContact("email@example.com")
        .buildAndPersist();
-    assertThat(Registrar.loadByClientId("myclientid-3").get().testPassword("oldPassword")).isTrue();
+    assertThat(Registrar.loadByClientId("myclientid-3").get().verifyPassword("oldPassword")).isTrue();
    OteAccountBuilder.forClientId("myclientid")
        .setPassword("newPassword")
@ -276,9 +276,9 @@ public final class OteAccountBuilderTest {
        .setReplaceExisting(true)
        .buildAndPersist();
-    assertThat(Registrar.loadByClientId("myclientid-3").get().testPassword("oldPassword"))
+    assertThat(Registrar.loadByClientId("myclientid-3").get().verifyPassword("oldPassword"))
        .isFalse();
-    assertThat(Registrar.loadByClientId("myclientid-3").get().testPassword("newPassword")).isTrue();
+    assertThat(Registrar.loadByClientId("myclientid-3").get().verifyPassword("newPassword")).isTrue();
  }
  @Test
--- a/core/src/test/java/google/registry/tools/CreateRegistrarCommandTest.java
+++ b/core/src/test/java/google/registry/tools/CreateRegistrarCommandTest.java
@ -77,7 +77,7 @@ public class CreateRegistrarCommandTest extends CommandTestCase<CreateRegistrarC
    Optional<Registrar> registrarOptional = Registrar.loadByClientId("clientz");
    assertThat(registrarOptional).isPresent();
    Registrar registrar = registrarOptional.get();
-    assertThat(registrar.testPassword("some_password")).isTrue();
+    assertThat(registrar.verifyPassword("some_password")).isTrue();
    assertThat(registrar.getType()).isEqualTo(Registrar.Type.REAL);
    assertThat(registrar.getIanaIdentifier()).isEqualTo(8);
    assertThat(registrar.getState()).isEqualTo(Registrar.State.ACTIVE);
@ -118,7 +118,7 @@ public class CreateRegistrarCommandTest extends CommandTestCase<CreateRegistrarC
    Optional<Registrar> registrar = Registrar.loadByClientId("clientz");
    assertThat(registrar).isPresent();
-    assertThat(registrar.get().testPassword("some_password")).isTrue();
+    assertThat(registrar.get().verifyPassword("some_password")).isTrue();
  }
  @Test
--- a/core/src/test/java/google/registry/tools/RegistrarContactCommandTest.java
+++ b/core/src/test/java/google/registry/tools/RegistrarContactCommandTest.java
@ -368,6 +368,67 @@ public class RegistrarContactCommandTest extends CommandTestCase<RegistrarContac
    assertThat(loadRegistrar("NewRegistrar").getContactsRequireSyncing()).isTrue();
  }
  @Test
  public void testCreate_setAllowedToSetRegistryLockPassword() throws Exception {
    runCommandForced(
        "--mode=CREATE",
        "--name=Jim Doe",
        "--email=jim.doe@example.com",
        "--allowed_to_set_registry_lock_password=true",
        "NewRegistrar");
    RegistrarContact registrarContact = loadRegistrar("NewRegistrar").getContacts().asList().get(1);
    assertThat(registrarContact.isAllowedToSetRegistryLockPassword()).isTrue();
    registrarContact.asBuilder().setRegistryLockPassword("foo");
  }
  @Test
  public void testUpdate_setAllowedToSetRegistryLockPassword() throws Exception {
    Registrar registrar = loadRegistrar("NewRegistrar");
    RegistrarContact registrarContact =
        persistSimpleResource(
            new RegistrarContact.Builder()
                .setParent(registrar)
                .setName("Jim Doe")
                .setEmailAddress("jim.doe@example.com")
                .build());
    assertThat(registrarContact.isAllowedToSetRegistryLockPassword()).isFalse();
    assertThrows(
        IllegalArgumentException.class,
        () -> registrarContact.asBuilder().setRegistryLockPassword("foo"));
    runCommandForced(
        "--mode=UPDATE",
        "--email=jim.doe@example.com",
        "--allowed_to_set_registry_lock_password=true",
        "NewRegistrar");
    RegistrarContact newContact = reloadResource(registrarContact);
    assertThat(newContact.isAllowedToSetRegistryLockPassword()).isTrue();
    // should be allowed to set the password now
    newContact.asBuilder().setRegistryLockPassword("foo");
  }
  @Test
  public void testUpdate_setAllowedToSetRegistryLockPassword_removesOldPassword() throws Exception {
    Registrar registrar = loadRegistrar("NewRegistrar");
    RegistrarContact registrarContact =
        persistSimpleResource(
            new RegistrarContact.Builder()
                .setParent(registrar)
                .setName("Jim Doe")
                .setEmailAddress("jim.doe@example.com")
                .setAllowedToSetRegistryLockPassword(true)
                .setRegistryLockPassword("hi")
                .build());
    assertThat(registrarContact.verifyRegistryLockPassword("hi")).isTrue();
    assertThat(registrarContact.verifyRegistryLockPassword("hello")).isFalse();
    runCommandForced(
        "--mode=UPDATE",
        "--email=jim.doe@example.com",
        "--allowed_to_set_registry_lock_password=true",
        "NewRegistrar");
    registrarContact = reloadResource(registrarContact);
    assertThat(registrarContact.verifyRegistryLockPassword("hi")).isFalse();
  }
  @Test
  public void testCreate_failure_badEmail() {
    IllegalArgumentException thrown =
--- a/core/src/test/java/google/registry/tools/SetupOteCommandTest.java
+++ b/core/src/test/java/google/registry/tools/SetupOteCommandTest.java
@ -105,7 +105,7 @@ public class SetupOteCommandTest extends CommandTestCase<SetupOteCommand> {
    assertThat(registrar.getAllowedTlds()).containsExactlyElementsIn(ImmutableSet.of(allowedTld));
    assertThat(registrar.getRegistrarName()).isEqualTo(registrarName);
    assertThat(registrar.getState()).isEqualTo(ACTIVE);
-    assertThat(registrar.testPassword(password)).isTrue();
+    assertThat(registrar.verifyPassword(password)).isTrue();
    assertThat(registrar.getIpAddressWhitelist()).isEqualTo(ipWhitelist);
    assertThat(registrar.getClientCertificateHash()).isEqualTo(SAMPLE_CERT_HASH);
    // If certificate hash is provided, there's no certificate file stored with the registrar.
--- a/core/src/test/java/google/registry/tools/UpdateRegistrarCommandTest.java
+++ b/core/src/test/java/google/registry/tools/UpdateRegistrarCommandTest.java
@ -44,9 +44,9 @@ public class UpdateRegistrarCommandTest extends CommandTestCase<UpdateRegistrarC
  @Test
  public void testSuccess_password() throws Exception {
-    assertThat(loadRegistrar("NewRegistrar").testPassword("some_password")).isFalse();
+    assertThat(loadRegistrar("NewRegistrar").verifyPassword("some_password")).isFalse();
    runCommand("--password=some_password", "--force", "NewRegistrar");
-    assertThat(loadRegistrar("NewRegistrar").testPassword("some_password")).isTrue();
+    assertThat(loadRegistrar("NewRegistrar").verifyPassword("some_password")).isTrue();
  }
  @Test
@ -814,10 +814,10 @@ public class UpdateRegistrarCommandTest extends CommandTestCase<UpdateRegistrarC
    Registrar registrar =
        persistResource(
            loadRegistrar("NewRegistrar").asBuilder().setPoNumber(Optional.of("1664")).build());
-    assertThat(registrar.testPassword("some_password")).isFalse();
+    assertThat(registrar.verifyPassword("some_password")).isFalse();
    runCommand("--password=some_password", "--force", "NewRegistrar");
    Registrar reloadedRegistrar = loadRegistrar("NewRegistrar");
-    assertThat(reloadedRegistrar.testPassword("some_password")).isTrue();
+    assertThat(reloadedRegistrar.verifyPassword("some_password")).isTrue();
    assertThat(reloadedRegistrar.getPoNumber()).hasValue("1664");
  }
--- a/core/src/test/java/google/registry/ui/server/registrar/ConsoleOteSetupActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/registrar/ConsoleOteSetupActionTest.java
@ -180,7 +180,7 @@ public final class ConsoleOteSetupActionTest {
    // We just check some samples to make sure OteAccountBuilder was called successfully. We aren't
    // checking that all the entities are there or that they have the correct values.
-    assertThat(loadByClientId("myclientid-4").get().testPassword("SomePassword"))
+    assertThat(loadByClientId("myclientid-4").get().verifyPassword("SomePassword"))
        .isTrue();
    assertThat(response.getPayload())
        .contains("<h1>OT&E successfully created for registrar myclientid!</h1>");
--- a/core/src/test/java/google/registry/ui/server/registrar/ConsoleRegistrarCreatorActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/registrar/ConsoleRegistrarCreatorActionTest.java
@ -206,7 +206,7 @@ public final class ConsoleRegistrarCreatorActionTest {
    assertThat(registrar.getIanaIdentifier()).isEqualTo(12321L);
    assertThat(registrar.getIcannReferralEmail()).isEqualTo("icann@example.com");
    assertThat(registrar.getEmailAddress()).isEqualTo("icann@example.com");
-    assertThat(registrar.testPassword("abcdefghijklmnop")).isTrue();
+    assertThat(registrar.verifyPassword("abcdefghijklmnop")).isTrue();
    assertThat(registrar.getPhonePasscode()).isEqualTo("31415");
    assertThat(registrar.getState()).isEqualTo(Registrar.State.PENDING);
    assertThat(registrar.getType()).isEqualTo(Registrar.Type.REAL);
@ -411,7 +411,7 @@ public final class ConsoleRegistrarCreatorActionTest {
    Registrar registrar = loadByClientId("myclientid").orElse(null);
    assertThat(registrar).isNotNull();
-    assertThat(registrar.testPassword("SomePassword")).isTrue();
+    assertThat(registrar.verifyPassword("SomePassword")).isTrue();
    assertThat(registrar.getPhonePasscode()).isEqualTo("10203");
  }
--- a/core/src/test/resources/google/registry/model/schema.txt
+++ b/core/src/test/resources/google/registry/model/schema.txt
@ -469,6 +469,7 @@ class google.registry.model.registrar.RegistrarAddress {
 class google.registry.model.registrar.RegistrarContact {
  @Id java.lang.String emailAddress;
  @Parent com.googlecode.objectify.Key<google.registry.model.registrar.Registrar> parent;
  boolean allowedToSetRegistryLockPassword;
  boolean visibleInDomainWhoisAsAbuse;
  boolean visibleInWhoisAsAdmin;
  boolean visibleInWhoisAsTech;
@ -476,6 +477,8 @@ class google.registry.model.registrar.RegistrarContact {
  java.lang.String gaeUserId;
  java.lang.String name;
  java.lang.String phoneNumber;
  java.lang.String registryLockPasswordHash;
  java.lang.String registryLockPasswordSalt;
  java.util.Set<google.registry.model.registrar.RegistrarContact$Type> types;
 }
 enum google.registry.model.registrar.RegistrarContact$Type {
--- a/core/src/test/resources/google/registry/ui/server/registrar/update_registrar_email.txt
+++ b/core/src/test/resources/google/registry/ui/server/registrar/update_registrar_email.txt
@ -11,9 +11,9 @@ emailAddress: the.registrar@example.com -> thase@the.registrar
 url: http://my.fake.url -> http://my.new.url
 contacts:
    ADDED:
-        {parent=Key<?>(EntityGroupRoot("cross-tld")/Registrar("TheRegistrar")), name=Extra Terrestrial, emailAddress=etphonehome@example.com, phoneNumber=+1.2345678901, faxNumber=null, types=[ADMIN, BILLING, TECH, WHOIS], gaeUserId=null, visibleInWhoisAsAdmin=true, visibleInWhoisAsTech=false, visibleInDomainWhoisAsAbuse=false}
+        {parent=Key<?>(EntityGroupRoot("cross-tld")/Registrar("TheRegistrar")), name=Extra Terrestrial, emailAddress=etphonehome@example.com, phoneNumber=+1.2345678901, faxNumber=null, types=[ADMIN, BILLING, TECH, WHOIS], gaeUserId=null, visibleInWhoisAsAdmin=true, visibleInWhoisAsTech=false, visibleInDomainWhoisAsAbuse=false, allowedToSetRegistryLockPassword=false, registryLockPasswordHash=null, registryLockPasswordSalt=null}
    REMOVED:
-        {parent=Key<?>(EntityGroupRoot("cross-tld")/Registrar("TheRegistrar")), name=John Doe, emailAddress=johndoe@theregistrar.com, phoneNumber=+1.1234567890, faxNumber=null, types=[ADMIN], gaeUserId=31337, visibleInWhoisAsAdmin=false, visibleInWhoisAsTech=false, visibleInDomainWhoisAsAbuse=false},
+        {parent=Key<?>(EntityGroupRoot("cross-tld")/Registrar("TheRegistrar")), name=John Doe, emailAddress=johndoe@theregistrar.com, phoneNumber=+1.1234567890, faxNumber=null, types=[ADMIN], gaeUserId=31337, visibleInWhoisAsAdmin=false, visibleInWhoisAsTech=false, visibleInDomainWhoisAsAbuse=false, allowedToSetRegistryLockPassword=false, registryLockPasswordHash=null, registryLockPasswordSalt=null},
-        {parent=Key<?>(EntityGroupRoot("cross-tld")/Registrar("TheRegistrar")), name=Jian-Yang, emailAddress=jyang@bachman.accelerator, phoneNumber=+1.1234567890, faxNumber=null, types=[TECH], gaeUserId=null, visibleInWhoisAsAdmin=false, visibleInWhoisAsTech=false, visibleInDomainWhoisAsAbuse=false}
+        {parent=Key<?>(EntityGroupRoot("cross-tld")/Registrar("TheRegistrar")), name=Jian-Yang, emailAddress=jyang@bachman.accelerator, phoneNumber=+1.1234567890, faxNumber=null, types=[TECH], gaeUserId=null, visibleInWhoisAsAdmin=false, visibleInWhoisAsTech=false, visibleInDomainWhoisAsAbuse=false, allowedToSetRegistryLockPassword=false, registryLockPasswordHash=null, registryLockPasswordSalt=null}
    FINAL CONTENTS:
-        {parent=Key<?>(EntityGroupRoot("cross-tld")/Registrar("TheRegistrar")), name=Extra Terrestrial, emailAddress=etphonehome@example.com, phoneNumber=+1.2345678901, faxNumber=null, types=[ADMIN, BILLING, TECH, WHOIS], gaeUserId=null, visibleInWhoisAsAdmin=true, visibleInWhoisAsTech=false, visibleInDomainWhoisAsAbuse=false}
+        {parent=Key<?>(EntityGroupRoot("cross-tld")/Registrar("TheRegistrar")), name=Extra Terrestrial, emailAddress=etphonehome@example.com, phoneNumber=+1.2345678901, faxNumber=null, types=[ADMIN, BILLING, TECH, WHOIS], gaeUserId=null, visibleInWhoisAsAdmin=true, visibleInWhoisAsTech=false, visibleInDomainWhoisAsAbuse=false, allowedToSetRegistryLockPassword=false, registryLockPasswordHash=null, registryLockPasswordSalt=null}
--- a/util/src/main/java/google/registry/util/PasswordUtils.java
+++ b/util/src/main/java/google/registry/util/PasswordUtils.java
@ -0,0 +1,47 @@
 // Copyright 2019 The Nomulus Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package google.registry.util;
 import static com.google.common.io.BaseEncoding.base64;
 import static java.nio.charset.StandardCharsets.US_ASCII;
 import com.google.common.base.Supplier;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 /** Common utility class to handle password hashing and salting */
 public final class PasswordUtils {
  public static final Supplier<byte[]> SALT_SUPPLIER =
      () -> {
        // There are 32 bytes in a SHA-256 hash, and the salt should generally be the same size.
        byte[] salt = new byte[32];
        new SecureRandom().nextBytes(salt);
        return salt;
      };
  public static String hashPassword(String password, String salt) {
    try {
      return base64()
          .encode(
              MessageDigest.getInstance("SHA-256").digest((password + salt).getBytes(US_ASCII)));
    } catch (NoSuchAlgorithmException e) {
      // All implementations of MessageDigest are required to support SHA-256.
      throw new RuntimeException(
          "All MessageDigest implementations are required to support SHA-256 but this didn't", e);
    }
  }
 }
--- a/util/src/test/java/google/registry/util/PasswordUtilsTest.java
+++ b/util/src/test/java/google/registry/util/PasswordUtilsTest.java
@ -0,0 +1,50 @@
 // Copyright 2019 The Nomulus Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package google.registry.util;
 import static com.google.common.io.BaseEncoding.base64;
 import static com.google.common.truth.Truth.assertThat;
 import static google.registry.util.PasswordUtils.SALT_SUPPLIER;
 import static google.registry.util.PasswordUtils.hashPassword;
 import java.util.Arrays;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.JUnit4;
 /** Unit tests for {@link google.registry.util.PasswordUtils}. */
@RunWith(JUnit4.class)
 public final class PasswordUtilsTest {
  @Test
  public void testDifferentSalts() {
    byte[] first = SALT_SUPPLIER.get();
    byte[] second = SALT_SUPPLIER.get();
    assertThat(first.length).isEqualTo(32);
    assertThat(second.length).isEqualTo(32);
    assertThat(Arrays.equals(first, second)).isFalse();
  }
  @Test
  public void testHash() {
    String salt = base64().encode(SALT_SUPPLIER.get());
    String password = "mySuperSecurePassword";
    String hashedPassword = hashPassword(password, salt);
    assertThat(hashedPassword).isEqualTo(hashPassword(password, salt));
    assertThat(hashedPassword).isNotEqualTo(hashPassword(password + "a", salt));
    String secondSalt = base64().encode(SALT_SUPPLIER.get());
    assertThat(hashedPassword).isNotEqualTo(hashPassword(password, secondSalt));
  }
 }