Re-apply server prohibited status codes in domain update for locked-down TLDs

For TLDs with domain create restriction. SERVER_TRANSFER_PROHIBITED and SERVER_UPDATE_PROHIBITED status codes
are automatically applied to newly created domains to make them immutable. When there is a legitimate for an update on a domain, the registry must first run nomulus update_server_locks to remove status before the registrar can request an update via EPP.

To eliminate the risk of the registry forgetting to reapply the codes after a update, we automatically re-apply these codes after a success update.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=152533379

java/google/registry/flows/domain/DomainUpdateFlow.java

@@ -267,9 +267,12 @@ public final class DomainUpdateFlow implements TransactionalFlow {
     checkSameValuesNotAddedAndRemoved(add.getStatusValues(), remove.getStatusValues());
     Change change = command.getInnerChange();
     SecDnsUpdateExtension secDnsUpdate = eppInput.getSingleExtension(SecDnsUpdateExtension.class);
-    return domain.asBuilder()
+    DomainResource.Builder domainBuilder =
+        domain
+            .asBuilder()
             // Handle the secDNS extension.
-        .setDsData(secDnsUpdate != null
+            .setDsData(
+                secDnsUpdate != null
                     ? updateDsData(domain.getDsData(), secDnsUpdate)
                     : domain.getDsData())
             .setLastEppUpdateTime(now)
@@ -281,8 +284,13 @@ public final class DomainUpdateFlow implements TransactionalFlow {
             .addContacts(add.getContacts())
             .removeContacts(remove.getContacts())
             .setRegistrant(firstNonNull(change.getRegistrant(), domain.getRegistrant()))
-        .setAuthInfo(firstNonNull(change.getAuthInfo(), domain.getAuthInfo()))
-        .build();
+            .setAuthInfo(firstNonNull(change.getAuthInfo(), domain.getAuthInfo()));
+    if (Registry.get(domain.getTld()).getDomainCreateRestricted()) {
+      domainBuilder
+          .addStatusValue(StatusValue.SERVER_TRANSFER_PROHIBITED)
+          .addStatusValue(StatusValue.SERVER_UPDATE_PROHIBITED);
+    }
+    return domainBuilder.build();
   }
 
   private DomainResource convertSunrushAddToAdd(

javatests/google/registry/flows/domain/DomainUpdateFlowTest.java

@@ -1260,7 +1260,7 @@ public class DomainUpdateFlowTest extends ResourceFlowTestCase<DomainUpdateFlow,
   }
 
   @Test
-  public void testSuccess_domainCreateRestricted_addedNameserverAllowed() throws Exception {
+  public void testSuccess_domainCreateRestricted_addedNameserverNotAllowed() throws Exception {
     persistReferencedEntities();
     persistDomain();
     persistResource(
@@ -1374,6 +1374,38 @@ public class DomainUpdateFlowTest extends ResourceFlowTestCase<DomainUpdateFlow,
     doSuccessfulTest();
   }
 
+  @Test
+  public void testSuccess_domainCreateRestricted_reApplyServerProhibitedStatusCodes()
+      throws Exception {
+    persistReferencedEntities();
+    persistDomain();
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setDomainCreateRestricted(true)
+            .setReservedLists(
+                persistReservedList(
+                    "reserved", "example,NAMESERVER_RESTRICTED,ns1.example.foo:ns2.example.foo"))
+            .build());
+    doSuccessfulTest();
+    assertAboutDomains()
+        .that(reloadResourceByForeignKey())
+        .hasStatusValue(StatusValue.SERVER_UPDATE_PROHIBITED)
+        .and()
+        .hasStatusValue(StatusValue.SERVER_TRANSFER_PROHIBITED);
+  }
+
+  @Test
+  public void testSuccess_domainCreateNotRestricted_doNotApplyServerProhibitedStatusCodes()
+      throws Exception {
+    persistReferencedEntities();
+    persistDomain();
+    doSuccessfulTest();
+    assertAboutDomains()
+        .that(reloadResourceByForeignKey())
+        .hasExactlyStatusValues(StatusValue.CLIENT_HOLD);
+  }
+
   @Test
   public void testFailure_freePremium_wrongFee() throws Exception {
     setEppInput("domain_update_fee.xml", ImmutableMap.of("FEE_VERSION", "0.11"));