From bae5038b0a1ae8f2f78fcf4a06b312f71b21e058 Mon Sep 17 00:00:00 2001
From: jianglai <jianglai@google.com>
Date: Fri, 7 Apr 2017 13:03:14 -0700
Subject: [PATCH] Re-apply server prohibited status codes in domain update for
 locked-down TLDs

For TLDs with domain create restriction. SERVER_TRANSFER_PROHIBITED and SERVER_UPDATE_PROHIBITED status codes
are automatically applied to newly created domains to make them immutable. When there is a legitimate for an update on a domain, the registry must first run nomulus update_server_locks to remove status before the registrar can request an update via EPP.

To eliminate the risk of the registry forgetting to reapply the codes after a update, we automatically re-apply these codes after a success update.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=152533379
---
 .../flows/domain/DomainUpdateFlow.java        | 40 +++++++++++--------
 .../flows/domain/DomainUpdateFlowTest.java    | 34 +++++++++++++++-
 2 files changed, 57 insertions(+), 17 deletions(-)

diff --git a/java/google/registry/flows/domain/DomainUpdateFlow.java b/java/google/registry/flows/domain/DomainUpdateFlow.java
index 6a05a2ac0..1a27b5235 100644
--- a/java/google/registry/flows/domain/DomainUpdateFlow.java
+++ b/java/google/registry/flows/domain/DomainUpdateFlow.java
@@ -267,22 +267,30 @@ public final class DomainUpdateFlow implements TransactionalFlow {
     checkSameValuesNotAddedAndRemoved(add.getStatusValues(), remove.getStatusValues());
     Change change = command.getInnerChange();
     SecDnsUpdateExtension secDnsUpdate = eppInput.getSingleExtension(SecDnsUpdateExtension.class);
-    return domain.asBuilder()
-        // Handle the secDNS extension.
-        .setDsData(secDnsUpdate != null
-            ? updateDsData(domain.getDsData(), secDnsUpdate)
-            : domain.getDsData())
-        .setLastEppUpdateTime(now)
-        .setLastEppUpdateClientId(clientId)
-        .addStatusValues(add.getStatusValues())
-        .removeStatusValues(remove.getStatusValues())
-        .addNameservers(add.getNameservers())
-        .removeNameservers(remove.getNameservers())
-        .addContacts(add.getContacts())
-        .removeContacts(remove.getContacts())
-        .setRegistrant(firstNonNull(change.getRegistrant(), domain.getRegistrant()))
-        .setAuthInfo(firstNonNull(change.getAuthInfo(), domain.getAuthInfo()))
-        .build();
+    DomainResource.Builder domainBuilder =
+        domain
+            .asBuilder()
+            // Handle the secDNS extension.
+            .setDsData(
+                secDnsUpdate != null
+                    ? updateDsData(domain.getDsData(), secDnsUpdate)
+                    : domain.getDsData())
+            .setLastEppUpdateTime(now)
+            .setLastEppUpdateClientId(clientId)
+            .addStatusValues(add.getStatusValues())
+            .removeStatusValues(remove.getStatusValues())
+            .addNameservers(add.getNameservers())
+            .removeNameservers(remove.getNameservers())
+            .addContacts(add.getContacts())
+            .removeContacts(remove.getContacts())
+            .setRegistrant(firstNonNull(change.getRegistrant(), domain.getRegistrant()))
+            .setAuthInfo(firstNonNull(change.getAuthInfo(), domain.getAuthInfo()));
+    if (Registry.get(domain.getTld()).getDomainCreateRestricted()) {
+      domainBuilder
+          .addStatusValue(StatusValue.SERVER_TRANSFER_PROHIBITED)
+          .addStatusValue(StatusValue.SERVER_UPDATE_PROHIBITED);
+    }
+    return domainBuilder.build();
   }
 
   private DomainResource convertSunrushAddToAdd(
diff --git a/javatests/google/registry/flows/domain/DomainUpdateFlowTest.java b/javatests/google/registry/flows/domain/DomainUpdateFlowTest.java
index e776f73bb..bed5d735a 100644
--- a/javatests/google/registry/flows/domain/DomainUpdateFlowTest.java
+++ b/javatests/google/registry/flows/domain/DomainUpdateFlowTest.java
@@ -1260,7 +1260,7 @@ public class DomainUpdateFlowTest extends ResourceFlowTestCase<DomainUpdateFlow,
   }
 
   @Test
-  public void testSuccess_domainCreateRestricted_addedNameserverAllowed() throws Exception {
+  public void testSuccess_domainCreateRestricted_addedNameserverNotAllowed() throws Exception {
     persistReferencedEntities();
     persistDomain();
     persistResource(
@@ -1374,6 +1374,38 @@ public class DomainUpdateFlowTest extends ResourceFlowTestCase<DomainUpdateFlow,
     doSuccessfulTest();
   }
 
+  @Test
+  public void testSuccess_domainCreateRestricted_reApplyServerProhibitedStatusCodes()
+      throws Exception {
+    persistReferencedEntities();
+    persistDomain();
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setDomainCreateRestricted(true)
+            .setReservedLists(
+                persistReservedList(
+                    "reserved", "example,NAMESERVER_RESTRICTED,ns1.example.foo:ns2.example.foo"))
+            .build());
+    doSuccessfulTest();
+    assertAboutDomains()
+        .that(reloadResourceByForeignKey())
+        .hasStatusValue(StatusValue.SERVER_UPDATE_PROHIBITED)
+        .and()
+        .hasStatusValue(StatusValue.SERVER_TRANSFER_PROHIBITED);
+  }
+
+  @Test
+  public void testSuccess_domainCreateNotRestricted_doNotApplyServerProhibitedStatusCodes()
+      throws Exception {
+    persistReferencedEntities();
+    persistDomain();
+    doSuccessfulTest();
+    assertAboutDomains()
+        .that(reloadResourceByForeignKey())
+        .hasExactlyStatusValues(StatusValue.CLIENT_HOLD);
+  }
+
   @Test
   public void testFailure_freePremium_wrongFee() throws Exception {
     setEppInput("domain_update_fee.xml", ImmutableMap.of("FEE_VERSION", "0.11"));