From ac500652acbe24323e4f2de6900b59f430b9edb7 Mon Sep 17 00:00:00 2001
From: mcilwain <mcilwain@google.com>
Date: Wed, 23 May 2018 06:45:35 -0700
Subject: [PATCH] Add "pubapi" App Engine service for check API, WHOIS, and
 RDAP

The migration plan is as follows:
1. This CL, which adds the new "pubapi" service that serves the check API, WHOIS, and RDAP.
2a. Update our public facing sites to switch over to use the new service.
2b. (either order) Rewrite the check API to remove dependencies on flows.
3. ... eventually, once the frontend service is no longer being hit by this traffic, remove its handling of these public endpoints.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=197716346
---
 java/google/registry/BUILD                    |  77 +++++++++++
 .../alpha/pubapi/WEB-INF/appengine-web.xml    |  29 ++++
 .../env/common/META-INF/application.xml       |   6 +
 .../env/common/pubapi/WEB-INF/dos.xml         |  16 +++
 .../common/pubapi/WEB-INF/logging.properties  |  13 ++
 .../env/common/pubapi/WEB-INF/web.xml         | 129 ++++++++++++++++++
 .../crash/pubapi/WEB-INF/appengine-web.xml    |  29 ++++
 .../local/pubapi/WEB-INF/appengine-web.xml    |  39 ++++++
 .../pubapi/WEB-INF/appengine-web.xml          |  33 +++++
 .../sandbox/pubapi/WEB-INF/appengine-web.xml  |  33 +++++
 java/google/registry/module/pubapi/BUILD      |  43 ++++++
 .../module/pubapi/PubApiComponent.java        |  71 ++++++++++
 .../module/pubapi/PubApiMetricsModule.java    |  25 ++++
 .../module/pubapi/PubApiRequestComponent.java |  78 +++++++++++
 .../module/pubapi/PubApiRequestHandler.java   |  31 +++++
 .../registry/module/pubapi/PubApiServlet.java |  68 +++++++++
 .../registry/module/pubapi/package-info.java  |  16 +++
 java/google/registry/tools/BUILD              |   1 +
 javatests/google/registry/module/pubapi/BUILD |  35 +++++
 .../pubapi/PubApiRequestComponentTest.java    |  33 +++++
 .../module/pubapi/PubApiServletTest.java      |  47 +++++++
 .../module/pubapi/testdata/pubapi_routing.txt |  13 ++
 22 files changed, 865 insertions(+)
 create mode 100644 java/google/registry/env/alpha/pubapi/WEB-INF/appengine-web.xml
 create mode 100644 java/google/registry/env/common/pubapi/WEB-INF/dos.xml
 create mode 100644 java/google/registry/env/common/pubapi/WEB-INF/logging.properties
 create mode 100644 java/google/registry/env/common/pubapi/WEB-INF/web.xml
 create mode 100644 java/google/registry/env/crash/pubapi/WEB-INF/appengine-web.xml
 create mode 100644 java/google/registry/env/local/pubapi/WEB-INF/appengine-web.xml
 create mode 100644 java/google/registry/env/production/pubapi/WEB-INF/appengine-web.xml
 create mode 100644 java/google/registry/env/sandbox/pubapi/WEB-INF/appengine-web.xml
 create mode 100644 java/google/registry/module/pubapi/BUILD
 create mode 100644 java/google/registry/module/pubapi/PubApiComponent.java
 create mode 100644 java/google/registry/module/pubapi/PubApiMetricsModule.java
 create mode 100644 java/google/registry/module/pubapi/PubApiRequestComponent.java
 create mode 100644 java/google/registry/module/pubapi/PubApiRequestHandler.java
 create mode 100644 java/google/registry/module/pubapi/PubApiServlet.java
 create mode 100644 java/google/registry/module/pubapi/package-info.java
 create mode 100644 javatests/google/registry/module/pubapi/BUILD
 create mode 100644 javatests/google/registry/module/pubapi/PubApiRequestComponentTest.java
 create mode 100644 javatests/google/registry/module/pubapi/PubApiServletTest.java
 create mode 100644 javatests/google/registry/module/pubapi/testdata/pubapi_routing.txt

diff --git a/java/google/registry/BUILD b/java/google/registry/BUILD
index 697c04745..a76e2bee2 100644
--- a/java/google/registry/BUILD
+++ b/java/google/registry/BUILD
@@ -40,6 +40,7 @@ registry_ear_file(
     },
     wars = {
         "registry_default.war": "default",
+        "registry_pubapi.war": "pubapi",
         "registry_backend.war": "backend",
         "registry_tools.war": "tools",
     },
@@ -57,6 +58,7 @@ registry_ear_file(
     },
     wars = {
         "registry_default_nocron.war": "default",
+        "registry_pubapi.war": "pubapi",
         "registry_backend.war": "backend",
         "registry_tools.war": "tools",
     },
@@ -93,6 +95,27 @@ zip_file(
     deps = [":registry_default_war"],
 )
 
+zip_file(
+    name = "registry_pubapi_war",
+    srcs = [
+        "env/common/pubapi/WEB-INF/dos.xml",
+        "env/common/pubapi/WEB-INF/logging.properties",
+        "env/common/pubapi/WEB-INF/web.xml",
+        "env/production/pubapi/WEB-INF/appengine-web.xml",
+        "//java/google/registry/module/pubapi:pubapi_jar_deploy.jar",
+    ],
+    out = "registry_pubapi.war",
+    mappings = {
+        "domain_registry/java/google/registry/env/common/pubapi": "",
+        "domain_registry/java/google/registry/env/production/pubapi": "",
+        "domain_registry/java/google/registry/module/pubapi": "WEB-INF/lib",
+    },
+    deps = [
+        ":common_war",
+        "//java/google/registry/ui:war_debug",
+    ],
+)
+
 zip_file(
     name = "registry_backend_war",
     srcs = [
@@ -148,6 +171,7 @@ registry_ear_file(
     },
     wars = {
         "registry_default_sandbox.war": "default",
+        "registry_pubapi_sandbox.war": "pubapi",
         "registry_backend_sandbox.war": "backend",
         "registry_tools_sandbox.war": "tools",
     },
@@ -166,6 +190,18 @@ zip_file(
     deps = [":registry_default_war"],
 )
 
+zip_file(
+    name = "registry_pubapi_sandbox_war",
+    srcs = [
+        "env/sandbox/pubapi/WEB-INF/appengine-web.xml",
+    ],
+    out = "registry_pubapi_sandbox.war",
+    mappings = {
+        "domain_registry/java/google/registry/env/sandbox/pubapi": "",
+    },
+    deps = [":registry_pubapi_war"],
+)
+
 zip_file(
     name = "registry_backend_sandbox_war",
     srcs = [
@@ -204,6 +240,7 @@ registry_ear_file(
     },
     wars = {
         "registry_default_alpha.war": "default",
+        "registry_pubapi_alpha.war": "pubapi",
         "registry_backend_alpha.war": "backend",
         "registry_tools_alpha.war": "tools",
     },
@@ -224,6 +261,7 @@ registry_ear_file(
     },
     wars = {
         "registry_default_alpha_nocron.war": "default",
+        "registry_pubapi_alpha.war": "pubapi",
         "registry_backend_alpha.war": "backend",
         "registry_tools_alpha.war": "tools",
     },
@@ -249,6 +287,18 @@ zip_file(
     deps = [":registry_default_alpha_war"],
 )
 
+zip_file(
+    name = "registry_pubapi_alpha_war",
+    srcs = [
+        "env/alpha/pubapi/WEB-INF/appengine-web.xml",
+    ],
+    out = "registry_pubapi_alpha.war",
+    mappings = {
+        "domain_registry/java/google/registry/env/alpha/pubapi": "",
+    },
+    deps = [":registry_pubapi_war"],
+)
+
 zip_file(
     name = "registry_backend_alpha_war",
     srcs = [
@@ -287,6 +337,7 @@ registry_ear_file(
     },
     wars = {
         "registry_default_crash.war": "default",
+        "registry_pubapi_crash.war": "pubapi",
         "registry_backend_crash.war": "backend",
         "registry_tools_crash.war": "tools",
     },
@@ -307,6 +358,7 @@ registry_ear_file(
     },
     wars = {
         "registry_default_crash_nocron.war": "default",
+        "registry_pubapi_crash.war": "pubapi",
         "registry_backend_crash.war": "backend",
         "registry_tools_crash.war": "tools",
     },
@@ -332,6 +384,18 @@ zip_file(
     deps = [":registry_default_crash_war"],
 )
 
+zip_file(
+    name = "registry_pubapi_crash_war",
+    srcs = [
+        "env/crash/pubapi/WEB-INF/appengine-web.xml",
+    ],
+    out = "registry_pubapi_crash.war",
+    mappings = {
+        "domain_registry/java/google/registry/env/crash/pubapi": "",
+    },
+    deps = [":registry_pubapi_war"],
+)
+
 zip_file(
     name = "registry_backend_crash_war",
     srcs = [
@@ -370,6 +434,7 @@ registry_ear_file(
     },
     wars = {
         "registry_default_local.war": "default",
+        "registry_pubapi_local.war": "pubapi",
         "registry_backend_local.war": "backend",
         "registry_tools_local.war": "tools",
     },
@@ -387,6 +452,18 @@ zip_file(
     deps = [":registry_default_war"],
 )
 
+zip_file(
+    name = "registry_pubapi_local_war",
+    srcs = [
+        "env/local/pubapi/WEB-INF/appengine-web.xml",
+    ],
+    out = "registry_pubapi_local.war",
+    mappings = {
+        "domain_registry/java/google/registry/env/local/pubapi": "",
+    },
+    deps = [":registry_pubapi_war"],
+)
+
 zip_file(
     name = "registry_backend_local_war",
     srcs = [
diff --git a/java/google/registry/env/alpha/pubapi/WEB-INF/appengine-web.xml b/java/google/registry/env/alpha/pubapi/WEB-INF/appengine-web.xml
new file mode 100644
index 000000000..ca8587338
--- /dev/null
+++ b/java/google/registry/env/alpha/pubapi/WEB-INF/appengine-web.xml
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
+
+  <application>domain-registry</application>
+  <version>1</version>
+  <runtime>java8</runtime>
+  <module>pubapi</module>
+  <threadsafe>true</threadsafe>
+  <sessions-enabled>true</sessions-enabled>
+  <instance-class>B4</instance-class>
+  <basic-scaling>
+    <max-instances>8</max-instances>
+    <idle-timeout>10m</idle-timeout>
+  </basic-scaling>
+
+  <system-properties>
+    <property name="java.util.logging.config.file"
+              value="WEB-INF/logging.properties"/>
+    <property name="google.registry.environment"
+              value="alpha"/>
+  </system-properties>
+
+  <static-files>
+    <include path="/*.html" expiration="1m"/>
+    <include path="/assets/js/**" expiration="1m"/>
+    <include path="/assets/css/**" expiration="1m"/>
+    <include path="/assets/images/**" expiration="1m"/>
+  </static-files>
+</appengine-web-app>
diff --git a/java/google/registry/env/common/META-INF/application.xml b/java/google/registry/env/common/META-INF/application.xml
index 485557063..80d8baf00 100644
--- a/java/google/registry/env/common/META-INF/application.xml
+++ b/java/google/registry/env/common/META-INF/application.xml
@@ -19,6 +19,12 @@ encoding="UTF-8"?>
       <context-root>default</context-root>
     </web>
   </module>
+  <module>
+    <web>
+      <web-uri>pubapi</web-uri>
+      <context-root>pubapi</context-root>
+    </web>
+  </module>
   <module>
     <web>
       <web-uri>backend</web-uri>
diff --git a/java/google/registry/env/common/pubapi/WEB-INF/dos.xml b/java/google/registry/env/common/pubapi/WEB-INF/dos.xml
new file mode 100644
index 000000000..14af3ba15
--- /dev/null
+++ b/java/google/registry/env/common/pubapi/WEB-INF/dos.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<blacklistentries>
+
+  <!-- Example IPv4 CIDR Subnet
+  <blacklist>
+    <subnet>1.2.3.4/24</subnet>
+    <description>An IPv4 subnet</description>
+  </blacklist> -->
+
+  <!-- Example IPv6 CIDR Subnet
+  <blacklist>
+    <subnet>abcd::123:4567/48</subnet>
+    <description>An IPv6 subnet</description>
+  </blacklist> -->
+
+</blacklistentries>
diff --git a/java/google/registry/env/common/pubapi/WEB-INF/logging.properties b/java/google/registry/env/common/pubapi/WEB-INF/logging.properties
new file mode 100644
index 000000000..064aa4905
--- /dev/null
+++ b/java/google/registry/env/common/pubapi/WEB-INF/logging.properties
@@ -0,0 +1,13 @@
+# A default java.util.logging configuration.
+# (All App Engine logging is through java.util.logging by default).
+#
+# To use this configuration, copy it into your application's WEB-INF
+# folder and add the following to your appengine-web.xml:
+#
+# <system-properties>
+#   <property name="java.util.logging.config.file" value="WEB-INF/logging.properties"/>
+# </system-properties>
+#
+
+# Set the default logging level for all loggers to INFO.
+.level = INFO
diff --git a/java/google/registry/env/common/pubapi/WEB-INF/web.xml b/java/google/registry/env/common/pubapi/WEB-INF/web.xml
new file mode 100644
index 000000000..ca266e06e
--- /dev/null
+++ b/java/google/registry/env/common/pubapi/WEB-INF/web.xml
@@ -0,0 +1,129 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
+                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
+  <!-- Servlets -->
+
+  <!-- Servlet for injected frontend actions -->
+  <servlet>
+    <display-name>PubApiServlet</display-name>
+    <servlet-name>pubapi-servlet</servlet-name>
+    <servlet-class>google.registry.module.pubapi.PubApiServlet</servlet-class>
+    <load-on-startup>1</load-on-startup>
+  </servlet>
+
+  <!-- HTTP WHOIS. -->
+  <servlet-mapping>
+    <servlet-name>pubapi-servlet</servlet-name>
+    <url-pattern>/whois/*</url-pattern>
+  </servlet-mapping>
+
+  <!-- Protocol WHOIS. -->
+  <servlet-mapping>
+    <servlet-name>pubapi-servlet</servlet-name>
+    <url-pattern>/_dr/whois</url-pattern>
+  </servlet-mapping>
+
+  <!-- RDAP (new WHOIS). -->
+  <servlet-mapping>
+    <servlet-name>pubapi-servlet</servlet-name>
+    <url-pattern>/rdap/*</url-pattern>
+  </servlet-mapping>
+
+  <!-- Public API to do availability checks -->
+  <servlet-mapping>
+    <servlet-name>pubapi-servlet</servlet-name>
+    <url-pattern>/check</url-pattern>
+  </servlet-mapping>
+
+  <!-- Security config -->
+  <security-constraint>
+    <web-resource-collection>
+      <web-resource-name>Internal</web-resource-name>
+      <description>
+        Admin-only internal section.  Requests for paths covered by the URL patterns below will be
+        checked for a logged-in user account that's allowed to access the AppEngine admin console
+        (NOTE: this includes Editor/Viewer permissions in addition to Owner and the new IAM
+        App Engine Admin role.  See https://cloud.google.com/appengine/docs/java/access-control
+        specifically the "Access handlers that have a login:admin restriction" line.)
+
+        TODO(b/28219927): lift some of these restrictions so that we can allow OAuth authentication
+        for endpoints that need to be accessed by open-source automated processes.
+      </description>
+
+      <!-- Internal AppEngine endpoints.  The '_ah' is short for app hosting.  -->
+      <url-pattern>/_ah/*</url-pattern>
+
+      <!-- Verbatim JavaScript sources (only visible to admins for debugging). -->
+      <url-pattern>/assets/sources/*</url-pattern>
+
+      <!-- TODO(b/26776367): Move these files to /assets/sources. -->
+      <url-pattern>/assets/js/registrar_bin.js.map</url-pattern>
+      <url-pattern>/assets/js/registrar_dbg.js</url-pattern>
+      <url-pattern>/assets/js/brain_bin.js.map</url-pattern>
+      <url-pattern>/assets/css/registrar_dbg.css</url-pattern>
+
+    </web-resource-collection>
+    <auth-constraint>
+      <role-name>admin</role-name>
+    </auth-constraint>
+
+    <!-- Repeated here since catch-all rule below is not inherited. -->
+    <user-data-constraint>
+      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+    </user-data-constraint>
+  </security-constraint>
+
+  <security-constraint>
+    <web-resource-collection>
+      <web-resource-name>Registrar console</web-resource-name>
+      <description>
+        Registrar console requires user login.  This is in addition to the
+        code-level "requireLogin" configuration on individual @Actions.
+      </description>
+      <url-pattern>/registrar*</url-pattern>
+    </web-resource-collection>
+    <auth-constraint>
+      <role-name>*</role-name>
+    </auth-constraint>
+    <!-- Repeated here since catch-all rule below is not inherited. -->
+    <user-data-constraint>
+      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+    </user-data-constraint>
+  </security-constraint>
+
+  <!-- Require TLS on all requests. -->
+  <security-constraint>
+    <web-resource-collection>
+      <web-resource-name>Secure</web-resource-name>
+      <description>
+        Require encryption for all paths. http URLs will be redirected to https.
+      </description>
+      <url-pattern>/*</url-pattern>
+    </web-resource-collection>
+    <user-data-constraint>
+      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+    </user-data-constraint>
+  </security-constraint>
+
+  <!-- See: https://code.google.com/p/objectify-appengine/wiki/Setup -->
+  <filter>
+    <filter-name>ObjectifyFilter</filter-name>
+    <filter-class>com.googlecode.objectify.ObjectifyFilter</filter-class>
+  </filter>
+  <filter-mapping>
+    <filter-name>ObjectifyFilter</filter-name>
+    <url-pattern>/*</url-pattern>
+  </filter-mapping>
+
+  <!-- Register types with Objectify. -->
+  <filter>
+    <filter-name>OfyFilter</filter-name>
+    <filter-class>google.registry.model.ofy.OfyFilter</filter-class>
+  </filter>
+  <filter-mapping>
+    <filter-name>OfyFilter</filter-name>
+    <url-pattern>/*</url-pattern>
+  </filter-mapping>
+</web-app>
diff --git a/java/google/registry/env/crash/pubapi/WEB-INF/appengine-web.xml b/java/google/registry/env/crash/pubapi/WEB-INF/appengine-web.xml
new file mode 100644
index 000000000..47a7f6edf
--- /dev/null
+++ b/java/google/registry/env/crash/pubapi/WEB-INF/appengine-web.xml
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
+
+  <application>domain-registry</application>
+  <version>1</version>
+  <runtime>java8</runtime>
+  <module>pubapi</module>
+  <threadsafe>true</threadsafe>
+  <sessions-enabled>true</sessions-enabled>
+  <instance-class>B4</instance-class>
+  <basic-scaling>
+    <max-instances>8</max-instances>
+    <idle-timeout>10m</idle-timeout>
+  </basic-scaling>
+
+  <system-properties>
+    <property name="java.util.logging.config.file"
+              value="WEB-INF/logging.properties"/>
+    <property name="google.registry.environment"
+              value="crash"/>
+  </system-properties>
+
+  <static-files>
+    <include path="/*.html" expiration="1m"/>
+    <include path="/assets/js/**" expiration="1m"/>
+    <include path="/assets/css/**" expiration="1m"/>
+    <include path="/assets/images/**" expiration="1m"/>
+  </static-files>
+</appengine-web-app>
diff --git a/java/google/registry/env/local/pubapi/WEB-INF/appengine-web.xml b/java/google/registry/env/local/pubapi/WEB-INF/appengine-web.xml
new file mode 100644
index 000000000..a26210a8a
--- /dev/null
+++ b/java/google/registry/env/local/pubapi/WEB-INF/appengine-web.xml
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
+
+  <application>domain-registry</application>
+  <version>1</version>
+  <runtime>java8</runtime>
+  <module>pubapi</module>
+  <threadsafe>true</threadsafe>
+  <sessions-enabled>true</sessions-enabled>
+  <instance-class>B4</instance-class>
+  <basic-scaling>
+    <max-instances>8</max-instances>
+    <idle-timeout>10m</idle-timeout>
+  </basic-scaling>
+
+  <system-properties>
+    <property name="java.util.logging.config.file"
+              value="WEB-INF/logging.properties"/>
+    <property name="google.registry.environment"
+              value="local"/>
+    <property name="appengine.generated.dir"
+              value="/tmp/domain-registry-appengine-generated/local/"/>
+  </system-properties>
+
+  <static-files>
+    <include path="/*.html">
+      <http-header name="Cache-Control" value="max-age=0,must-revalidate" />
+    </include>
+    <include path="/assets/js/**">
+      <http-header name="Cache-Control" value="max-age=0,must-revalidate" />
+    </include>
+    <include path="/assets/css/**">
+      <http-header name="Cache-Control" value="max-age=0,must-revalidate" />
+    </include>
+    <include path="/assets/images/**">
+      <http-header name="Cache-Control" value="max-age=0,must-revalidate" />
+    </include>
+  </static-files>
+</appengine-web-app>
diff --git a/java/google/registry/env/production/pubapi/WEB-INF/appengine-web.xml b/java/google/registry/env/production/pubapi/WEB-INF/appengine-web.xml
new file mode 100644
index 000000000..5a6ea5c8e
--- /dev/null
+++ b/java/google/registry/env/production/pubapi/WEB-INF/appengine-web.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
+
+  <application>domain-registry</application>
+  <version>1</version>
+  <runtime>java8</runtime>
+  <module>pubapi</module>
+  <threadsafe>true</threadsafe>
+  <sessions-enabled>true</sessions-enabled>
+  <instance-class>B4_1G</instance-class>
+  <manual-scaling>
+    <instances>20</instances>
+  </manual-scaling>
+
+  <system-properties>
+    <property name="java.util.logging.config.file"
+              value="WEB-INF/logging.properties"/>
+    <property name="google.registry.environment"
+              value="production"/>
+  </system-properties>
+
+  <static-files>
+    <include path="/*.html" expiration="1d"/>
+    <include path="/assets/js/**" expiration="1d"/>
+    <include path="/assets/css/**" expiration="1d"/>
+    <include path="/assets/images/**" expiration="1d"/>
+  </static-files>
+
+  <!-- Prevent uncaught servlet errors from leaking a stack trace. -->
+  <static-error-handlers>
+    <handler file="error.html"/>
+  </static-error-handlers>
+</appengine-web-app>
diff --git a/java/google/registry/env/sandbox/pubapi/WEB-INF/appengine-web.xml b/java/google/registry/env/sandbox/pubapi/WEB-INF/appengine-web.xml
new file mode 100644
index 000000000..cde9e57a8
--- /dev/null
+++ b/java/google/registry/env/sandbox/pubapi/WEB-INF/appengine-web.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
+
+  <application>domain-registry</application>
+  <version>1</version>
+  <runtime>java8</runtime>
+  <module>pubapi</module>
+  <threadsafe>true</threadsafe>
+  <sessions-enabled>true</sessions-enabled>
+  <instance-class>B4_1G</instance-class>
+  <manual-scaling>
+    <instances>20</instances>
+  </manual-scaling>
+
+  <system-properties>
+    <property name="java.util.logging.config.file"
+              value="WEB-INF/logging.properties"/>
+    <property name="google.registry.environment"
+              value="sandbox"/>
+  </system-properties>
+
+  <static-files>
+    <include path="/*.html" expiration="1d"/>
+    <include path="/assets/js/**" expiration="1d"/>
+    <include path="/assets/css/**" expiration="1d"/>
+    <include path="/assets/images/**" expiration="1d"/>
+  </static-files>
+
+  <!-- Prevent uncaught servlet errors from leaking a stack trace. -->
+  <static-error-handlers>
+    <handler file="error.html"/>
+  </static-error-handlers>
+</appengine-web-app>
diff --git a/java/google/registry/module/pubapi/BUILD b/java/google/registry/module/pubapi/BUILD
new file mode 100644
index 000000000..9e52e21e5
--- /dev/null
+++ b/java/google/registry/module/pubapi/BUILD
@@ -0,0 +1,43 @@
+package(
+    default_visibility = ["//java/google/registry:registry_project"],
+)
+
+licenses(["notice"])  # Apache 2.0
+
+java_library(
+    name = "pubapi",
+    srcs = glob(["*.java"]),
+    deps = [
+        "//java/google/registry/config",
+        "//java/google/registry/dns",
+        "//java/google/registry/flows",
+        "//java/google/registry/keyring/api",
+        "//java/google/registry/keyring/kms",
+        "//java/google/registry/monitoring/whitebox",
+        "//java/google/registry/rdap",
+        "//java/google/registry/request",
+        "//java/google/registry/request:modules",
+        "//java/google/registry/request/auth",
+        "//java/google/registry/util",
+        "//java/google/registry/whois",
+        "@com_google_appengine_api_1_0_sdk",
+        "@com_google_code_findbugs_jsr305",
+        "@com_google_dagger",
+        "@com_google_guava",
+        "@com_google_monitoring_client_metrics",
+        "@javax_servlet_api",
+        "@org_bouncycastle_bcpkix_jdk15on",
+    ],
+)
+
+# This rule is used so bazel can generate "frontend_jar_deploy.jar" (which
+# contains transitive dependencies) for deployment to App Engine. It MUST
+# explicitly depend upon upon anything loaded at runtime, e.g. old servlets
+# referenced by the module's web.xml file, that isn't statically linked above.
+java_binary(
+    name = "pubapi_jar",
+    create_executable = 0,
+    runtime_deps = [
+        ":pubapi",
+    ],
+)
diff --git a/java/google/registry/module/pubapi/PubApiComponent.java b/java/google/registry/module/pubapi/PubApiComponent.java
new file mode 100644
index 000000000..d1edf4172
--- /dev/null
+++ b/java/google/registry/module/pubapi/PubApiComponent.java
@@ -0,0 +1,71 @@
+// Copyright 2018 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.module.pubapi;
+
+import com.google.monitoring.metrics.MetricReporter;
+import dagger.Component;
+import dagger.Lazy;
+import google.registry.config.RegistryConfig.ConfigModule;
+import google.registry.flows.ServerTridProviderModule;
+import google.registry.flows.custom.CustomLogicFactoryModule;
+import google.registry.keyring.api.KeyModule;
+import google.registry.keyring.kms.KmsModule;
+import google.registry.module.pubapi.PubApiRequestComponent.PubApiRequestComponentModule;
+import google.registry.monitoring.whitebox.StackdriverModule;
+import google.registry.request.Modules.AppIdentityCredentialModule;
+import google.registry.request.Modules.GoogleCredentialModule;
+import google.registry.request.Modules.Jackson2Module;
+import google.registry.request.Modules.ModulesServiceModule;
+import google.registry.request.Modules.NetHttpTransportModule;
+import google.registry.request.Modules.UrlFetchTransportModule;
+import google.registry.request.Modules.UseAppIdentityCredentialForGoogleApisModule;
+import google.registry.request.Modules.UserServiceModule;
+import google.registry.request.auth.AuthModule;
+import google.registry.util.SystemClock.SystemClockModule;
+import google.registry.util.SystemSleeper.SystemSleeperModule;
+import javax.inject.Singleton;
+
+/** Dagger component with instance lifetime for "pubapi" App Engine module. */
+@Singleton
+@Component(
+  modules = {
+    // TODO(b/79692981): Remove flow-related includes once check API is rewritten to not wrap flow.
+    AppIdentityCredentialModule.class,
+    AuthModule.class,
+    ConfigModule.class,
+    CustomLogicFactoryModule.class,
+    google.registry.keyring.api.DummyKeyringModule.class,
+    PubApiMetricsModule.class,
+    PubApiRequestComponentModule.class,
+    GoogleCredentialModule.class,
+    Jackson2Module.class,
+    KeyModule.class,
+    KmsModule.class,
+    ModulesServiceModule.class,
+    NetHttpTransportModule.class,
+    ServerTridProviderModule.class,
+    StackdriverModule.class,
+    SystemClockModule.class,
+    SystemSleeperModule.class,
+    UrlFetchTransportModule.class,
+    UseAppIdentityCredentialForGoogleApisModule.class,
+    UserServiceModule.class,
+  }
+)
+interface PubApiComponent {
+  PubApiRequestHandler requestHandler();
+
+  Lazy<MetricReporter> metricReporter();
+}
diff --git a/java/google/registry/module/pubapi/PubApiMetricsModule.java b/java/google/registry/module/pubapi/PubApiMetricsModule.java
new file mode 100644
index 000000000..d2e5b9cc2
--- /dev/null
+++ b/java/google/registry/module/pubapi/PubApiMetricsModule.java
@@ -0,0 +1,25 @@
+// Copyright 2018 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.module.pubapi;
+
+import dagger.Module;
+import javax.inject.Singleton;
+
+/**
+ * Dagger module for injecting metrics. All metrics should have {@link Singleton} scope to avoid
+ * being recreated per-request, as the metrics generally track cumulative values.
+ */
+@Module
+public class PubApiMetricsModule {}
diff --git a/java/google/registry/module/pubapi/PubApiRequestComponent.java b/java/google/registry/module/pubapi/PubApiRequestComponent.java
new file mode 100644
index 000000000..2e3612517
--- /dev/null
+++ b/java/google/registry/module/pubapi/PubApiRequestComponent.java
@@ -0,0 +1,78 @@
+// Copyright 2018 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.module.pubapi;
+
+import dagger.Module;
+import dagger.Subcomponent;
+import google.registry.dns.DnsModule;
+import google.registry.flows.CheckApiAction;
+import google.registry.flows.CheckApiAction.CheckApiModule;
+import google.registry.flows.FlowComponent;
+import google.registry.flows.TlsCredentials.EppTlsModule;
+import google.registry.monitoring.whitebox.WhiteboxModule;
+import google.registry.rdap.RdapAutnumAction;
+import google.registry.rdap.RdapDomainAction;
+import google.registry.rdap.RdapDomainSearchAction;
+import google.registry.rdap.RdapEntityAction;
+import google.registry.rdap.RdapEntitySearchAction;
+import google.registry.rdap.RdapHelpAction;
+import google.registry.rdap.RdapIpAction;
+import google.registry.rdap.RdapModule;
+import google.registry.rdap.RdapNameserverAction;
+import google.registry.rdap.RdapNameserverSearchAction;
+import google.registry.request.RequestComponentBuilder;
+import google.registry.request.RequestModule;
+import google.registry.request.RequestScope;
+import google.registry.whois.WhoisAction;
+import google.registry.whois.WhoisHttpAction;
+import google.registry.whois.WhoisModule;
+
+/** Dagger component with per-request lifetime for "pubapi" App Engine module. */
+@RequestScope
+@Subcomponent(
+    modules = {
+        CheckApiModule.class,
+        DnsModule.class,
+        EppTlsModule.class,
+        RdapModule.class,
+        RequestModule.class,
+        WhiteboxModule.class,
+        WhoisModule.class,
+    })
+interface PubApiRequestComponent {
+  CheckApiAction checkApiAction();
+  // TODO(b/79692981): Remove flow-related includes once check API is rewritten to not wrap flow.
+  FlowComponent.Builder flowComponentBuilder();
+  RdapAutnumAction rdapAutnumAction();
+  RdapDomainAction rdapDomainAction();
+  RdapDomainSearchAction rdapDomainSearchAction();
+  RdapEntityAction rdapEntityAction();
+  RdapEntitySearchAction rdapEntitySearchAction();
+  RdapHelpAction rdapHelpAction();
+  RdapIpAction rdapDefaultAction();
+  RdapNameserverAction rdapNameserverAction();
+  RdapNameserverSearchAction rdapNameserverSearchAction();
+  WhoisHttpAction whoisHttpAction();
+  WhoisAction whoisAction();
+
+  @Subcomponent.Builder
+  abstract class Builder implements RequestComponentBuilder<PubApiRequestComponent> {
+    @Override public abstract Builder requestModule(RequestModule requestModule);
+    @Override public abstract PubApiRequestComponent build();
+  }
+
+  @Module(subcomponents = PubApiRequestComponent.class)
+  class PubApiRequestComponentModule {}
+}
diff --git a/java/google/registry/module/pubapi/PubApiRequestHandler.java b/java/google/registry/module/pubapi/PubApiRequestHandler.java
new file mode 100644
index 000000000..71a263c89
--- /dev/null
+++ b/java/google/registry/module/pubapi/PubApiRequestHandler.java
@@ -0,0 +1,31 @@
+// Copyright 2018 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.module.pubapi;
+
+import google.registry.request.RequestHandler;
+import google.registry.request.auth.RequestAuthenticator;
+import javax.inject.Inject;
+import javax.inject.Provider;
+
+/** Request handler for the frontend module. */
+public class PubApiRequestHandler extends RequestHandler<PubApiRequestComponent> {
+
+  @Inject
+  PubApiRequestHandler(
+      Provider<PubApiRequestComponent.Builder> componentBuilderProvider,
+      RequestAuthenticator requestAuthenticator) {
+    super(componentBuilderProvider, requestAuthenticator);
+  }
+}
diff --git a/java/google/registry/module/pubapi/PubApiServlet.java b/java/google/registry/module/pubapi/PubApiServlet.java
new file mode 100644
index 000000000..aab42779b
--- /dev/null
+++ b/java/google/registry/module/pubapi/PubApiServlet.java
@@ -0,0 +1,68 @@
+// Copyright 2018 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.module.pubapi;
+
+import com.google.appengine.api.LifecycleManager;
+import com.google.monitoring.metrics.MetricReporter;
+import dagger.Lazy;
+import google.registry.util.FormattingLogger;
+import java.io.IOException;
+import java.security.Security;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+
+/** Servlet that should handle all requests to our "default" App Engine module. */
+public final class PubApiServlet extends HttpServlet {
+
+  private static final PubApiComponent component = DaggerPubApiComponent.create();
+  private static final PubApiRequestHandler requestHandler = component.requestHandler();
+  private static final Lazy<MetricReporter> metricReporter = component.metricReporter();
+  private static final FormattingLogger logger = FormattingLogger.getLoggerForCallerClass();
+
+  @Override
+  public void init() {
+    Security.addProvider(new BouncyCastleProvider());
+
+    // If metric reporter failed to instantiate for any reason (bad keyring, bad json credential,
+    // etc), we log the error but keep the main thread running. Also the shutdown hook will only be
+    // registered if metric reporter starts up correctly.
+    try {
+      metricReporter.get().startAsync().awaitRunning(10, TimeUnit.SECONDS);
+      logger.info("Started up MetricReporter");
+      LifecycleManager.getInstance()
+          .setShutdownHook(
+              () -> {
+                try {
+                  metricReporter.get().stopAsync().awaitTerminated(10, TimeUnit.SECONDS);
+                  logger.info("Shut down MetricReporter");
+                } catch (TimeoutException e) {
+                  logger.severe(e, "Failed to stop MetricReporter.");
+                }
+              });
+    } catch (Exception e) {
+      logger.severe(e, "Failed to initialize MetricReporter.");
+    }
+  }
+
+  @Override
+  public void service(HttpServletRequest req, HttpServletResponse rsp) throws IOException {
+    logger.info("Received frontend request");
+    requestHandler.handleRequest(req, rsp);
+  }
+}
diff --git a/java/google/registry/module/pubapi/package-info.java b/java/google/registry/module/pubapi/package-info.java
new file mode 100644
index 000000000..55adfa585
--- /dev/null
+++ b/java/google/registry/module/pubapi/package-info.java
@@ -0,0 +1,16 @@
+// Copyright 2018 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+@javax.annotation.ParametersAreNonnullByDefault
+package google.registry.module.pubapi;
diff --git a/java/google/registry/tools/BUILD b/java/google/registry/tools/BUILD
index e042c8026..67c521c45 100644
--- a/java/google/registry/tools/BUILD
+++ b/java/google/registry/tools/BUILD
@@ -51,6 +51,7 @@ java_library(
         "//java/google/registry/model",
         "//java/google/registry/module/backend",
         "//java/google/registry/module/frontend",
+        "//java/google/registry/module/pubapi",
         "//java/google/registry/module/tools",
         "//java/google/registry/pricing",
         "//java/google/registry/rde",
diff --git a/javatests/google/registry/module/pubapi/BUILD b/javatests/google/registry/module/pubapi/BUILD
new file mode 100644
index 000000000..6af438dd1
--- /dev/null
+++ b/javatests/google/registry/module/pubapi/BUILD
@@ -0,0 +1,35 @@
+package(
+    default_testonly = 1,
+    default_visibility = ["//java/google/registry:registry_project"],
+)
+
+licenses(["notice"])  # Apache 2.0
+
+java_library(
+    name = "pubapi",
+    srcs = glob(["*.java"]),
+    resources = glob(["testdata/*"]),
+    runtime_deps = [
+        # TODO(b/19332643): Remove this dependency when Modules is lazy.
+        "@com_google_appengine_api_1_0_sdk//:testonly",
+    ],
+    deps = [
+        "//java/google/registry/module/pubapi",
+        "//java/google/registry/request",
+        "//javatests/google/registry/testing",
+        "@com_google_guava",
+        "@com_google_truth",
+        "@com_google_truth_extensions_truth_java8_extension",
+        "@javax_servlet_api",
+        "@junit",
+        "@org_mockito_all",
+    ],
+)
+
+load("//java/com/google/testing/builddefs:GenTestRules.bzl", "GenTestRules")
+
+GenTestRules(
+    name = "GeneratedTestRules",
+    test_files = glob(["*Test.java"]),
+    deps = [":pubapi"],
+)
diff --git a/javatests/google/registry/module/pubapi/PubApiRequestComponentTest.java b/javatests/google/registry/module/pubapi/PubApiRequestComponentTest.java
new file mode 100644
index 000000000..f85549a72
--- /dev/null
+++ b/javatests/google/registry/module/pubapi/PubApiRequestComponentTest.java
@@ -0,0 +1,33 @@
+// Copyright 2018 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.module.pubapi;
+
+
+import google.registry.testing.GoldenFileTestHelper;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.JUnit4;
+
+/** Unit tests for {@link PubApiRequestComponent}. */
+@RunWith(JUnit4.class)
+public class PubApiRequestComponentTest {
+
+  @Test
+  public void testRoutingMap() throws Exception {
+    GoldenFileTestHelper.assertThatRoutesFromComponent(PubApiRequestComponent.class)
+        .describedAs("pubapi routing map")
+        .isEqualToGolden(PubApiRequestComponentTest.class, "pubapi_routing.txt");
+  }
+}
diff --git a/javatests/google/registry/module/pubapi/PubApiServletTest.java b/javatests/google/registry/module/pubapi/PubApiServletTest.java
new file mode 100644
index 000000000..58439782e
--- /dev/null
+++ b/javatests/google/registry/module/pubapi/PubApiServletTest.java
@@ -0,0 +1,47 @@
+// Copyright 2018 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.module.pubapi;
+
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import google.registry.testing.AppEngineRule;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.JUnit4;
+
+/** Unit tests for {@link PubApiServlet}. */
+@RunWith(JUnit4.class)
+public class PubApiServletTest {
+
+  @Rule
+  public final AppEngineRule appEngine =
+      AppEngineRule.builder().withDatastore().withLocalModules().build();
+
+  private final HttpServletRequest req = mock(HttpServletRequest.class);
+  private final HttpServletResponse rsp = mock(HttpServletResponse.class);
+
+  @Test
+  public void testService_unknownPath_returnNotFound() throws Exception {
+    when(req.getMethod()).thenReturn("GET");
+    when(req.getRequestURI()).thenReturn("/lol");
+    new PubApiServlet().service(req, rsp);
+    verify(rsp).sendError(404);
+  }
+}
diff --git a/javatests/google/registry/module/pubapi/testdata/pubapi_routing.txt b/javatests/google/registry/module/pubapi/testdata/pubapi_routing.txt
new file mode 100644
index 000000000..089d67c16
--- /dev/null
+++ b/javatests/google/registry/module/pubapi/testdata/pubapi_routing.txt
@@ -0,0 +1,13 @@
+PATH                 CLASS                      METHODS  OK AUTH_METHODS        MIN  USER_POLICY
+/_dr/whois           WhoisAction                POST     n  INTERNAL,API        APP  PUBLIC
+/check               CheckApiAction             GET      n  INTERNAL            NONE PUBLIC
+/rdap/autnum/(*)     RdapAutnumAction           GET,HEAD n  INTERNAL            NONE PUBLIC
+/rdap/domain/(*)     RdapDomainAction           GET,HEAD n  INTERNAL,API,LEGACY NONE PUBLIC
+/rdap/domains        RdapDomainSearchAction     GET,HEAD n  INTERNAL,API,LEGACY NONE PUBLIC
+/rdap/entities       RdapEntitySearchAction     GET,HEAD n  INTERNAL,API,LEGACY NONE PUBLIC
+/rdap/entity/(*)     RdapEntityAction           GET,HEAD n  INTERNAL,API,LEGACY NONE PUBLIC
+/rdap/help(*)        RdapHelpAction             GET,HEAD n  INTERNAL            NONE PUBLIC
+/rdap/ip/(*)         RdapIpAction               GET,HEAD n  INTERNAL            NONE PUBLIC
+/rdap/nameserver/(*) RdapNameserverAction       GET,HEAD n  INTERNAL            NONE PUBLIC
+/rdap/nameservers    RdapNameserverSearchAction GET,HEAD n  INTERNAL            NONE PUBLIC
+/whois/(*)           WhoisHttpAction            GET      n  INTERNAL            NONE PUBLIC