Add Spec11 registrar emailing mechanism

This adds the terminal step of the Spec11 pipeline- processing the output of the Beam pipeline to send an e-mail to each registrar informing them of identified 'bad urls.' This also factors out methods common between invoicing (which uses similar beam pipeline tools) and spec11 to the common superpackage ReportingModule + ReportingUtils classes. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=210932496
2025-05-16 09:27:16 +02:00 · 2018-08-30 10:16:20 -07:00 · 2018-08-30 10:16:20 -07:00 · c5e6eae555
commit c5e6eae555
parent e4bb1c281c
26 changed files with 816 additions and 93 deletions
--- a/java/google/registry/beam/spec11/Spec11Pipeline.java
+++ b/java/google/registry/beam/spec11/Spec11Pipeline.java
@ -55,6 +55,21 @@ import org.json.JSONObject;
 */
 public class Spec11Pipeline implements Serializable {

+  /**
+   * Returns the subdirectory spec11 reports reside in for a given yearMonth in yyyy-MM format.
+   *
+   * @see google.registry.beam.spec11.Spec11Pipeline
+   * @see google.registry.reporting.spec11.Spec11EmailUtils
+   */
+  public static String getSpec11Subdirectory(String yearMonth) {
+    return String.format("icann/spec11/%s/SPEC11_MONTHLY_REPORT", yearMonth);
+  }
+
+  /** The JSON object field we put the registrar's e-mail address for Spec11 reports. */
+  public static final String REGISTRAR_EMAIL_FIELD = "registrarEmailAddress";
+  /** The JSON object field we put the threat match array for Spec11 reports. */
+  public static final String THREAT_MATCHES_FIELD = "threatMatches";
+
  @Inject
  @Config("projectId")
  String projectId;
@ -68,8 +83,8 @@ public class Spec11Pipeline implements Serializable {
  String spec11TemplateUrl;

  @Inject
-  @Config("spec11BucketUrl")
-  String spec11BucketUrl;
+  @Config("reportingBucketUrl")
+  String reportingBucketUrl;

  @Inject
  Retrier retrier;
@ -165,12 +180,12 @@ public class Spec11Pipeline implements Serializable {
                    (KV<String, Iterable<ThreatMatch>> kv) -> {
                      JSONObject output = new JSONObject();
                      try {
-                        output.put("registrarEmailAddress", kv.getKey());
+                        output.put(REGISTRAR_EMAIL_FIELD, kv.getKey());
                        JSONArray threatMatches = new JSONArray();
                        for (ThreatMatch match : kv.getValue()) {
                          threatMatches.put(match.toJSON());
                        }
-                        output.put("threatMatches", threatMatches);
+                        output.put(THREAT_MATCHES_FIELD, threatMatches);
                        return output.toString();
                      } catch (JSONException e) {
                        throw new RuntimeException(
@ -187,8 +202,10 @@ public class Spec11Pipeline implements Serializable {
                        yearMonthProvider,
                        yearMonth ->
                            String.format(
-                                "%s/%s/%s-monthly-report", spec11BucketUrl, yearMonth, yearMonth)))
+                                "%s/%s",
+                                reportingBucketUrl, getSpec11Subdirectory(yearMonth))))
                .withoutSharding()
                .withHeader("Map from registrar email to detected subdomain threats:"));
  }
+
 }
--- a/java/google/registry/beam/spec11/ThreatMatch.java
+++ b/java/google/registry/beam/spec11/ThreatMatch.java
@ -26,9 +26,10 @@ public abstract class ThreatMatch implements Serializable {
  private static final String THREAT_TYPE_FIELD = "threatType";
  private static final String PLATFORM_TYPE_FIELD = "platformType";
  private static final String METADATA_FIELD = "threatEntryMetadata";
+  private static final String DOMAIN_NAME_FIELD = "fullyQualifiedDomainName";

  /** Returns what kind of threat it is (malware, phishing etc.) */
-  abstract String threatType();
+  public abstract String threatType();
  /** Returns what platforms it affects (Windows, Linux etc.) */
  abstract String platformType();
  /**
@ -40,7 +41,7 @@ public abstract class ThreatMatch implements Serializable {
   */
  abstract String metadata();
  /** Returns the fully qualified domain name [SLD].[TLD] of the matched threat. */
-  abstract String fullyQualifiedDomainName();
+  public abstract String fullyQualifiedDomainName();

  /**
   * Constructs a {@link ThreatMatch} by parsing a {@code SafeBrowsing API} response {@link
@ -59,14 +60,21 @@ public abstract class ThreatMatch implements Serializable {
        fullyQualifiedDomainName);
  }

-  /** Returns a {@link String} containing the simplest details about this threat. */
-  String getSimpleDetails() {
-    return String.format("%s;%s", this.fullyQualifiedDomainName(), this.threatType());
-  }
  /** Returns a {@link JSONObject} representing a subset of this object's data. */
  JSONObject toJSON() throws JSONException {
    return new JSONObject()
-        .put("fullyQualifiedDomainName", fullyQualifiedDomainName())
-        .put("threatType", threatType());
+        .put(THREAT_TYPE_FIELD, threatType())
+        .put(PLATFORM_TYPE_FIELD, platformType())
+        .put(METADATA_FIELD, metadata())
+        .put(DOMAIN_NAME_FIELD, fullyQualifiedDomainName());
+  }
+
+  /** Parses a {@link JSONObject} and returns an equivalent {@link ThreatMatch}. */
+  public static ThreatMatch fromJSON(JSONObject threatMatch) throws JSONException {
+    return new AutoValue_ThreatMatch(
+        threatMatch.getString(THREAT_TYPE_FIELD),
+        threatMatch.getString(PLATFORM_TYPE_FIELD),
+        threatMatch.getString(METADATA_FIELD),
+        threatMatch.getString(DOMAIN_NAME_FIELD));
  }
 }
--- a/java/google/registry/config/RegistryConfig.java
+++ b/java/google/registry/config/RegistryConfig.java
@ -564,10 +564,24 @@ public final class RegistryConfig {
     */
    @Provides
    @Config("reportingBucket")
-    public static String provideIcannReportingBucket(@Config("projectId") String projectId) {
+    public static String provideReportingBucket(@Config("projectId") String projectId) {
      return projectId + "-reporting";
    }

+    /**
+     * Returns the Google Cloud Storage bucket URL for Spec11 and ICANN transaction and activity
+     * reports to be uploaded.
+     *
+     * @see google.registry.reporting.icann.IcannReportingUploadAction
+     * @see google.registry.reporting.spec11.PublishSpec11ReportAction
+     */
+    @Provides
+    @Config("reportingBucketUrl")
+    public static String provideReportingBucketUrl(
+        @Config("reportingBucket") String reportingBucket) {
+      return "gs://" + reportingBucket;
+    }
+
    /**
     * Returns the URL we send HTTP PUT requests for ICANN monthly transactions reports.
     *
@ -613,17 +627,6 @@ public final class RegistryConfig {
      return "gs://" + billingBucket;
    }

-    /**
-     * Returns the URL of the GCS subdirectory we store Spec11 reports in.
-     *
-     * @see google.registry.beam.spec11.Spec11Pipeline
-     */
-    @Provides
-    @Config("spec11BucketUrl")
-    public static String provideSpec11BucketUrl(@Config("reportingBucket") String reportingBucket) {
-      return "gs://" + reportingBucket + "/icann/spec11";
-    }
-
    /**
     * Returns whether or not we should publish invoices to partners automatically by default.
     *
--- a/java/google/registry/env/common/backend/WEB-INF/web.xml
+++ b/java/google/registry/env/common/backend/WEB-INF/web.xml
@ -115,6 +115,15 @@
    <url-pattern>/_dr/task/generateSpec11</url-pattern>
  </servlet-mapping>

+  <!--
+    Publishes the Spec11 report for the month, emailing registrars about their
+    registrations which were flagged by the SafeBrowsing API.
+  -->
+  <servlet-mapping>
+    <servlet-name>backend-servlet</servlet-name>
+    <url-pattern>/_dr/task/publishSpec11</url-pattern>
+  </servlet-mapping>
+
  <!-- Trademark Clearinghouse -->

  <!-- Downloads TMCH DNL data from MarksDB. -->
--- a/java/google/registry/env/common/default/WEB-INF/queue.xml
+++ b/java/google/registry/env/common/default/WEB-INF/queue.xml
@ -126,9 +126,9 @@
    </retry-parameters>
  </queue>

-  <!-- Queue for tasks to generate or upload monthly invoices. -->
+  <!-- Queue for tasks that wait for a Beam pipeline to complete (i.e. Spec11 and invoicing). -->
  <queue>
-    <name>billing</name>
+    <name>beam-reporting</name>
    <rate>1/m</rate>
    <max-concurrent-requests>1</max-concurrent-requests>
    <retry-parameters>
--- a/java/google/registry/module/backend/BackendRequestComponent.java
+++ b/java/google/registry/module/backend/BackendRequestComponent.java
@ -76,6 +76,8 @@ import google.registry.reporting.icann.IcannReportingModule;
 import google.registry.reporting.icann.IcannReportingStagingAction;
 import google.registry.reporting.icann.IcannReportingUploadAction;
 import google.registry.reporting.spec11.GenerateSpec11ReportAction;
+import google.registry.reporting.spec11.PublishSpec11ReportAction;
+import google.registry.reporting.spec11.Spec11Module;
 import google.registry.request.RequestComponentBuilder;
 import google.registry.request.RequestModule;
 import google.registry.request.RequestScope;
@ -108,6 +110,7 @@ import google.registry.tmch.TmchSmdrlAction;
        ReportingModule.class,
        RequestModule.class,
        SheetModule.class,
+        Spec11Module.class,
        TmchModule.class,
        VoidDnsWriterModule.class,
        WhiteboxModule.class,
@ -138,6 +141,7 @@ interface BackendRequestComponent {
  NordnUploadAction nordnUploadAction();
  NordnVerifyAction nordnVerifyAction();
  PublishDnsUpdatesAction publishDnsUpdatesAction();
+  PublishSpec11ReportAction publishSpec11ReportAction();
  ReadDnsQueueAction readDnsQueueAction();
  RdeContactImportAction rdeContactImportAction();
  RdeDomainImportAction rdeDomainImportAction();
--- a/java/google/registry/reporting/BUILD
+++ b/java/google/registry/reporting/BUILD
@ -8,9 +8,15 @@ java_library(
    name = "reporting",
    srcs = glob(["*.java"]),
    deps = [
+        "//java/google/registry/config",
        "//java/google/registry/request",
        "//java/google/registry/util",
+        "@com_google_api_client_appengine",
+        "@com_google_apis_google_api_services_dataflow",
+        "@com_google_appengine_api_1_0_sdk",
        "@com_google_dagger",
+        "@com_google_guava",
+        "@com_google_http_client",
        "@javax_servlet_api",
        "@joda_time",
    ],
--- a/java/google/registry/reporting/ReportingModule.java
+++ b/java/google/registry/reporting/ReportingModule.java
@ -15,29 +15,49 @@
 package google.registry.reporting;

 import static google.registry.request.RequestParameters.extractOptionalParameter;
+import static google.registry.request.RequestParameters.extractRequiredParameter;

+import com.google.api.client.googleapis.extensions.appengine.auth.oauth2.AppIdentityCredential;
+import com.google.api.client.http.HttpTransport;
+import com.google.api.client.json.JsonFactory;
+import com.google.api.services.dataflow.Dataflow;
+import com.google.common.collect.ImmutableSet;
 import dagger.Module;
 import dagger.Provides;
+import google.registry.config.RegistryConfig.Config;
 import google.registry.request.HttpException.BadRequestException;
 import google.registry.request.Parameter;
 import google.registry.util.Clock;
 import java.util.Optional;
+import java.util.Set;
+import java.util.function.Function;
 import javax.servlet.http.HttpServletRequest;
 import org.joda.time.YearMonth;
 import org.joda.time.format.DateTimeFormat;
 import org.joda.time.format.DateTimeFormatter;

-/**
- * Dagger module for injecting common settings for all Backend tasks.
- */
+/** Dagger module for injecting common settings for all reporting tasks. */
@Module
 public class ReportingModule {

+  private static final String CLOUD_PLATFORM_SCOPE =
+      "https://www.googleapis.com/auth/cloud-platform";
+
+  public static final String BEAM_QUEUE = "beam-reporting";
  /**
   * The request parameter name used by reporting actions that takes a year/month parameter, which
   * defaults to the last month.
   */
  public static final String PARAM_YEAR_MONTH = "yearMonth";
+  /** The request parameter specifying the jobId for a running Dataflow pipeline. */
+  public static final String PARAM_JOB_ID = "jobId";
+
+  /** Provides the Cloud Dataflow jobId for a pipeline. */
+  @Provides
+  @Parameter(PARAM_JOB_ID)
+  static String provideJobId(HttpServletRequest req) {
+    return extractRequiredParameter(req, PARAM_JOB_ID);
+  }

  /** Extracts an optional YearMonth in yyyy-MM format from the request. */
  @Provides
@ -64,4 +84,21 @@ public class ReportingModule {
      @Parameter(PARAM_YEAR_MONTH) Optional<YearMonth> yearMonthOptional, Clock clock) {
    return yearMonthOptional.orElseGet(() -> new YearMonth(clock.nowUtc().minusMonths(1)));
  }
+
+  /** Constructs a {@link Dataflow} API client with default settings. */
+  @Provides
+  static Dataflow provideDataflow(
+      @Config("projectId") String projectId,
+      HttpTransport transport,
+      JsonFactory jsonFactory,
+      Function<Set<String>, AppIdentityCredential> appIdentityCredentialFunc) {
+
+    return new Dataflow.Builder(
+        transport,
+        jsonFactory,
+        appIdentityCredentialFunc.apply(ImmutableSet.of(CLOUD_PLATFORM_SCOPE)))
+        .setApplicationName(String.format("%s billing", projectId))
+        .build();
+  }
+
 }
--- a/java/google/registry/reporting/ReportingUtils.java
+++ b/java/google/registry/reporting/ReportingUtils.java
@ -0,0 +1,39 @@
+// Copyright 2018 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.reporting;
+
+import com.google.appengine.api.taskqueue.QueueFactory;
+import com.google.appengine.api.taskqueue.TaskOptions;
+import org.joda.time.Duration;
+import org.joda.time.YearMonth;
+
+/** Static methods common to various reporting tasks. */
+public class ReportingUtils {
+
+  private static final int ENQUEUE_DELAY_MINUTES = 10;
+
+  /** Enqueues a task that takes a Beam jobId and the {@link YearMonth} as parameters. */
+  public static void enqueueBeamReportingTask(String path, String jobId, YearMonth yearMonth) {
+    TaskOptions publishTask =
+        TaskOptions.Builder.withUrl(path)
+            .method(TaskOptions.Method.POST)
+            // Dataflow jobs tend to take about 10 minutes to complete.
+            .countdownMillis(Duration.standardMinutes(ENQUEUE_DELAY_MINUTES).getMillis())
+            .param(ReportingModule.PARAM_JOB_ID, jobId)
+            // Need to pass this through to ensure transitive yearMonth dependencies are satisfied.
+            .param(ReportingModule.PARAM_YEAR_MONTH, yearMonth.toString());
+    QueueFactory.getQueue(ReportingModule.BEAM_QUEUE).add(publishTask);
+  }
+}
--- a/java/google/registry/reporting/billing/BillingModule.java
+++ b/java/google/registry/reporting/billing/BillingModule.java
@ -15,22 +15,14 @@
 package google.registry.reporting.billing;

 import static google.registry.request.RequestParameters.extractOptionalBooleanParameter;
-import static google.registry.request.RequestParameters.extractRequiredParameter;
 import static java.lang.annotation.RetentionPolicy.RUNTIME;

-import com.google.api.client.googleapis.extensions.appengine.auth.oauth2.AppIdentityCredential;
-import com.google.api.client.http.HttpTransport;
-import com.google.api.client.json.JsonFactory;
-import com.google.api.services.dataflow.Dataflow;
-import com.google.common.collect.ImmutableSet;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.request.Parameter;
 import java.lang.annotation.Documented;
 import java.lang.annotation.Retention;
-import java.util.Set;
-import java.util.function.Function;
 import javax.inject.Qualifier;
 import javax.servlet.http.HttpServletRequest;
 import org.joda.time.YearMonth;
@ -43,20 +35,9 @@ public final class BillingModule {
  public static final String OVERALL_INVOICE_PREFIX = "CRR-INV";
  public static final String INVOICES_DIRECTORY = "invoices";

-  static final String PARAM_JOB_ID = "jobId";
  static final String PARAM_SHOULD_PUBLISH = "shouldPublish";
-  static final String BILLING_QUEUE = "billing";
  static final String CRON_QUEUE = "retryable-cron-tasks";

-  private static final String CLOUD_PLATFORM_SCOPE =
-      "https://www.googleapis.com/auth/cloud-platform";
-
-  /** Provides the invoicing Dataflow jobId enqueued by {@link GenerateInvoicesAction}. */
-  @Provides
-  @Parameter(PARAM_JOB_ID)
-  static String provideJobId(HttpServletRequest req) {
-    return extractRequiredParameter(req, PARAM_JOB_ID);
-  }

  @Provides
  @Parameter(PARAM_SHOULD_PUBLISH)
@ -73,23 +54,7 @@ public final class BillingModule {
    return String.format("%s/%s/", INVOICES_DIRECTORY, yearMonth.toString());
  }

-  /** Constructs a {@link Dataflow} API client with default settings. */
-  @Provides
-  static Dataflow provideDataflow(
-      @Config("projectId") String projectId,
-      HttpTransport transport,
-      JsonFactory jsonFactory,
-      Function<Set<String>, AppIdentityCredential> appIdentityCredentialFunc) {
-
-    return new Dataflow.Builder(
-            transport,
-            jsonFactory,
-            appIdentityCredentialFunc.apply(ImmutableSet.of(CLOUD_PLATFORM_SCOPE)))
-        .setApplicationName(String.format("%s billing", projectId))
-        .build();
-  }
-
-  /** Dagger qualifier for the subdirectory we stage to/upload from. */
+  /** Dagger qualifier for the subdirectory we stage to/upload from for invoices. */
  @Qualifier
  @Documented
  @Retention(RUNTIME)
--- a/java/google/registry/reporting/billing/GenerateInvoicesAction.java
+++ b/java/google/registry/reporting/billing/GenerateInvoicesAction.java
@ -14,7 +14,7 @@

 package google.registry.reporting.billing;

-import static google.registry.reporting.ReportingModule.PARAM_YEAR_MONTH;
+import static google.registry.reporting.ReportingUtils.enqueueBeamReportingTask;
 import static google.registry.reporting.billing.BillingModule.PARAM_SHOULD_PUBLISH;
 import static google.registry.request.Action.Method.POST;
 import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
@ -24,8 +24,6 @@ import com.google.api.services.dataflow.Dataflow;
 import com.google.api.services.dataflow.model.LaunchTemplateParameters;
 import com.google.api.services.dataflow.model.LaunchTemplateResponse;
 import com.google.api.services.dataflow.model.RuntimeEnvironment;
-import com.google.appengine.api.taskqueue.QueueFactory;
-import com.google.appengine.api.taskqueue.TaskOptions;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.flogger.FluentLogger;
 import com.google.common.net.MediaType;
@ -36,7 +34,6 @@ import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import java.io.IOException;
 import javax.inject.Inject;
-import org.joda.time.Duration;
 import org.joda.time.YearMonth;

 /**
@ -108,7 +105,7 @@ public class GenerateInvoicesAction implements Runnable {
      logger.atInfo().log("Got response: %s", launchResponse.getJob().toPrettyString());
      String jobId = launchResponse.getJob().getId();
      if (shouldPublish) {
-        enqueuePublishTask(jobId);
+        enqueueBeamReportingTask(PublishInvoicesAction.PATH, jobId, yearMonth);
      }
    } catch (IOException e) {
      logger.atWarning().withCause(e).log("Template Launch failed");
@ -122,16 +119,4 @@ public class GenerateInvoicesAction implements Runnable {
    response.setContentType(MediaType.PLAIN_TEXT_UTF_8);
    response.setPayload("Launched dataflow template.");
  }
-
-  private void enqueuePublishTask(String jobId) {
-    TaskOptions publishTask =
-        TaskOptions.Builder.withUrl(PublishInvoicesAction.PATH)
-            .method(TaskOptions.Method.POST)
-            // Dataflow jobs tend to take about 10 minutes to complete.
-            .countdownMillis(Duration.standardMinutes(10).getMillis())
-            .param(BillingModule.PARAM_JOB_ID, jobId)
-            // Need to pass this through to ensure transitive yearMonth dependencies are satisfied.
-            .param(PARAM_YEAR_MONTH, yearMonth.toString());
-    QueueFactory.getQueue(BillingModule.BILLING_QUEUE).add(publishTask);
-  }
 }
--- a/java/google/registry/reporting/billing/PublishInvoicesAction.java
+++ b/java/google/registry/reporting/billing/PublishInvoicesAction.java
@ -28,6 +28,7 @@ import com.google.appengine.api.taskqueue.TaskOptions;
 import com.google.common.flogger.FluentLogger;
 import com.google.common.net.MediaType;
 import google.registry.config.RegistryConfig.Config;
+import google.registry.reporting.ReportingModule;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.Response;
@ -62,7 +63,7 @@ public class PublishInvoicesAction implements Runnable {
  @Inject
  PublishInvoicesAction(
      @Config("projectId") String projectId,
-      @Parameter(BillingModule.PARAM_JOB_ID) String jobId,
+      @Parameter(ReportingModule.PARAM_JOB_ID) String jobId,
      BillingEmailUtils emailUtils,
      Dataflow dataflow,
      Response response,
--- a/java/google/registry/reporting/spec11/BUILD
+++ b/java/google/registry/reporting/spec11/BUILD
@ -8,10 +8,14 @@ java_library(
    name = "spec11",
    srcs = glob(["*.java"]),
    deps = [
+        "//java/google/registry/beam/spec11",
        "//java/google/registry/config",
+        "//java/google/registry/gcs",
        "//java/google/registry/keyring/api",
+        "//java/google/registry/reporting",
        "//java/google/registry/request",
        "//java/google/registry/request/auth",
+        "//java/google/registry/util",
        "@com_google_api_client_appengine",
        "@com_google_apis_google_api_services_dataflow",
        "@com_google_appengine_api_1_0_sdk",
@ -28,5 +32,6 @@ java_library(
        "@org_apache_beam_runners_google_cloud_dataflow_java",
        "@org_apache_beam_sdks_java_core",
        "@org_apache_beam_sdks_java_io_google_cloud_platform",
+        "@org_json",
    ],
 )
--- a/java/google/registry/reporting/spec11/GenerateSpec11ReportAction.java
+++ b/java/google/registry/reporting/spec11/GenerateSpec11ReportAction.java
@ -14,6 +14,7 @@

 package google.registry.reporting.spec11;

+import static google.registry.reporting.ReportingUtils.enqueueBeamReportingTask;
 import static google.registry.request.Action.Method.POST;
 import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
 import static javax.servlet.http.HttpServletResponse.SC_OK;
@ -32,6 +33,7 @@ import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import java.io.IOException;
 import javax.inject.Inject;
+import org.joda.time.YearMonth;

 /**
 * Invokes the {@code Spec11Pipeline} Beam template via the REST api.
@ -51,6 +53,7 @@ public class GenerateSpec11ReportAction implements Runnable {
  private final String spec11TemplateUrl;
  private final String jobZone;
  private final String apiKey;
+  private final YearMonth yearMonth;
  private final Response response;
  private final Dataflow dataflow;

@ -61,6 +64,7 @@ public class GenerateSpec11ReportAction implements Runnable {
      @Config("spec11TemplateUrl") String spec11TemplateUrl,
      @Config("defaultJobZone") String jobZone,
      @Key("safeBrowsingAPIKey") String apiKey,
+      YearMonth yearMonth,
      Response response,
      Dataflow dataflow) {
    this.projectId = projectId;
@ -68,6 +72,7 @@ public class GenerateSpec11ReportAction implements Runnable {
    this.spec11TemplateUrl = spec11TemplateUrl;
    this.jobZone = jobZone;
    this.apiKey = apiKey;
+    this.yearMonth = yearMonth;
    this.response = response;
    this.dataflow = dataflow;
  }
@ -77,12 +82,14 @@ public class GenerateSpec11ReportAction implements Runnable {
    try {
      LaunchTemplateParameters params =
          new LaunchTemplateParameters()
-              .setJobName("spec11_action")
+              .setJobName(String.format("spec11_%s", yearMonth.toString()))
              .setEnvironment(
                  new RuntimeEnvironment()
                      .setZone(jobZone)
                      .setTempLocation(beamBucketUrl + "/temporary"))
-              .setParameters(ImmutableMap.of("safeBrowsingApiKey", apiKey));
+              .setParameters(
+                  ImmutableMap.of(
+                      "safeBrowsingApiKey", apiKey, "yearMonth", yearMonth.toString("yyyy-MM")));
      LaunchTemplateResponse launchResponse =
          dataflow
              .projects()
@ -90,7 +97,8 @@ public class GenerateSpec11ReportAction implements Runnable {
              .launch(projectId, params)
              .setGcsPath(spec11TemplateUrl)
              .execute();
-      // TODO(b/111545355): Send an e-mail alert interpreting the results.
+      enqueueBeamReportingTask(
+          PublishSpec11ReportAction.PATH, launchResponse.getJob().getId(), yearMonth);
      logger.atInfo().log("Got response: %s", launchResponse.getJob().toPrettyString());
    } catch (IOException e) {
      logger.atWarning().withCause(e).log("Template Launch failed");
--- a/java/google/registry/reporting/spec11/PublishSpec11ReportAction.java
+++ b/java/google/registry/reporting/spec11/PublishSpec11ReportAction.java
@ -0,0 +1,110 @@
+// Copyright 2018 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.reporting.spec11;
+
+import static google.registry.request.Action.Method.POST;
+import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
+import static javax.servlet.http.HttpServletResponse.SC_NOT_MODIFIED;
+import static javax.servlet.http.HttpServletResponse.SC_NO_CONTENT;
+import static javax.servlet.http.HttpServletResponse.SC_OK;
+
+import com.google.api.services.dataflow.Dataflow;
+import com.google.api.services.dataflow.model.Job;
+import com.google.common.flogger.FluentLogger;
+import com.google.common.net.MediaType;
+import google.registry.config.RegistryConfig.Config;
+import google.registry.reporting.ReportingModule;
+import google.registry.request.Action;
+import google.registry.request.Parameter;
+import google.registry.request.Response;
+import google.registry.request.auth.Auth;
+import java.io.IOException;
+import javax.inject.Inject;
+import org.joda.time.YearMonth;
+
+/**
+ * Retries until a {@code Dataflow} job with a given {@code jobId} completes, continuing the Spec11
+ * pipeline accordingly.
+ *
+ * <p>This calls {@link Spec11EmailUtils#emailSpec11Reports()} on success or {@link
+ * Spec11EmailUtils#sendFailureAlertEmail(String)} on failure.
+ */
+@Action(path = PublishSpec11ReportAction.PATH, method = POST, auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+public class PublishSpec11ReportAction implements Runnable {
+
+  static final String PATH = "/_dr/task/publishSpec11";
+
+  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
+  private static final String JOB_DONE = "JOB_STATE_DONE";
+  private static final String JOB_FAILED = "JOB_STATE_FAILED";
+
+  private final String projectId;
+  private final String jobId;
+  private final Spec11EmailUtils emailUtils;
+  private final Dataflow dataflow;
+  private final Response response;
+  private final YearMonth yearMonth;
+
+  @Inject
+  PublishSpec11ReportAction(
+      @Config("projectId") String projectId,
+      @Parameter(ReportingModule.PARAM_JOB_ID) String jobId,
+      Spec11EmailUtils emailUtils,
+      Dataflow dataflow,
+      Response response,
+      YearMonth yearMonth) {
+    this.projectId = projectId;
+    this.jobId = jobId;
+    this.emailUtils = emailUtils;
+    this.dataflow = dataflow;
+    this.response = response;
+    this.yearMonth = yearMonth;
+  }
+
+  @Override
+  public void run() {
+    try {
+      logger.atInfo().log("Starting publish job.");
+      Job job = dataflow.projects().jobs().get(projectId, jobId).execute();
+      String state = job.getCurrentState();
+      switch (state) {
+        case JOB_DONE:
+          logger.atInfo().log("Dataflow job %s finished successfully, publishing results.", jobId);
+          response.setStatus(SC_OK);
+          emailUtils.emailSpec11Reports();
+          break;
+        case JOB_FAILED:
+          logger.atSevere().log("Dataflow job %s finished unsuccessfully.", jobId);
+          response.setStatus(SC_NO_CONTENT);
+          emailUtils.sendFailureAlertEmail(
+              String.format(
+                  "Spec11 %s job %s ended in status failure.", yearMonth.toString(), jobId));
+          break;
+        default:
+          logger.atInfo().log("Job in non-terminal state %s, retrying:", state);
+          response.setStatus(SC_NOT_MODIFIED);
+          break;
+      }
+    } catch (IOException e) {
+      logger.atSevere().withCause(e).log("Failed to publish Spec11 reports.");
+      emailUtils.sendFailureAlertEmail(
+          String.format(
+              "Spec11 %s publish action failed due to %s", yearMonth.toString(), e.getMessage()));
+      response.setStatus(SC_INTERNAL_SERVER_ERROR);
+      response.setContentType(MediaType.PLAIN_TEXT_UTF_8);
+      response.setPayload(String.format("Template launch failed: %s", e.getMessage()));
+    }
+  }
+}
--- a/java/google/registry/reporting/spec11/Spec11EmailUtils.java
+++ b/java/google/registry/reporting/spec11/Spec11EmailUtils.java
@ -0,0 +1,153 @@
+// Copyright 2018 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.reporting.spec11;
+
+import static com.google.common.base.Throwables.getRootCause;
+import static java.nio.charset.StandardCharsets.UTF_8;
+
+import com.google.appengine.tools.cloudstorage.GcsFilename;
+import com.google.common.collect.ImmutableList;
+import com.google.common.io.CharStreams;
+import google.registry.beam.spec11.Spec11Pipeline;
+import google.registry.beam.spec11.ThreatMatch;
+import google.registry.config.RegistryConfig.Config;
+import google.registry.gcs.GcsUtils;
+import google.registry.reporting.spec11.Spec11Module.Spec11ReportDirectory;
+import google.registry.util.Retrier;
+import google.registry.util.SendEmailService;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import javax.inject.Inject;
+import javax.mail.Message;
+import javax.mail.Message.RecipientType;
+import javax.mail.MessagingException;
+import javax.mail.internet.InternetAddress;
+import org.joda.time.YearMonth;
+import org.json.JSONArray;
+import org.json.JSONException;
+import org.json.JSONObject;
+
+/** Provides e-mail functionality for Spec11 tasks, such as sending Spec11 reports to registrars. */
+public class Spec11EmailUtils {
+
+  private final SendEmailService emailService;
+  private final YearMonth yearMonth;
+  private final String alertSenderAddress;
+  private final String alertRecipientAddress;
+  private final String reportingBucket;
+  private final String spec11ReportDirectory;
+  private final GcsUtils gcsUtils;
+  private final Retrier retrier;
+
+  @Inject
+  Spec11EmailUtils(
+      SendEmailService emailService,
+      YearMonth yearMonth,
+      @Config("alertSenderEmailAddress") String alertSenderAddress,
+      @Config("alertRecipientEmailAddress") String alertRecipientAddress,
+      @Config("reportingBucket") String reportingBucket,
+      @Spec11ReportDirectory String spec11ReportDirectory,
+      GcsUtils gcsUtils,
+      Retrier retrier) {
+    this.emailService = emailService;
+    this.yearMonth = yearMonth;
+    this.alertSenderAddress = alertSenderAddress;
+    this.alertRecipientAddress = alertRecipientAddress;
+    this.reportingBucket = reportingBucket;
+    this.spec11ReportDirectory = spec11ReportDirectory;
+    this.gcsUtils = gcsUtils;
+    this.retrier = retrier;
+  }
+
+  /**
+   * Processes a Spec11 report on GCS for a given month and e-mails registrars based on the
+   * contents.
+   */
+  void emailSpec11Reports() {
+    try {
+      retrier.callWithRetry(
+          () -> {
+            // Grab the file as an inputstream
+            GcsFilename spec11ReportFilename =
+                new GcsFilename(reportingBucket, spec11ReportDirectory);
+            try (InputStream in = gcsUtils.openInputStream(spec11ReportFilename)) {
+              ImmutableList<String> reportLines =
+                  ImmutableList.copyOf(
+                      CharStreams.toString(new InputStreamReader(in, UTF_8)).split("\n"));
+              // Iterate from 1 to size() to skip the header at line 0.
+              for (int i = 1; i < reportLines.size(); i++) {
+                emailRegistrar(reportLines.get(i));
+              }
+            }
+          },
+          IOException.class,
+          MessagingException.class);
+    } catch (Throwable e) {
+      // Send an alert with the root cause, unwrapping the retrier's RuntimeException
+      sendFailureAlertEmail(
+          String.format(
+              "Emailing spec11 reports failed due to %s",
+              getRootCause(e).getMessage()));
+      throw new RuntimeException("Emailing spec11 report failed", e);
+    }
+  }
+
+  private void emailRegistrar(String line) throws MessagingException, JSONException {
+    // Parse the Spec11 report JSON
+    JSONObject reportJSON = new JSONObject(line);
+    String registrarEmail = reportJSON.getString(Spec11Pipeline.REGISTRAR_EMAIL_FIELD);
+    JSONArray threatMatches = reportJSON.getJSONArray(Spec11Pipeline.THREAT_MATCHES_FIELD);
+    // TODO(b/112354588): Reword this e-mail according to business team's opinions.
+    StringBuilder body =
+        new StringBuilder("Hello registrar partner,\n")
+            .append("The SafeBrowsing API has detected problems with the following domains:\n");
+    for (int i = 0; i < threatMatches.length(); i++) {
+      ThreatMatch threatMatch = ThreatMatch.fromJSON(threatMatches.getJSONObject(i));
+      body.append(
+          String.format(
+              "%s - %s\n", threatMatch.fullyQualifiedDomainName(), threatMatch.threatType()));
+    }
+    body.append("At the moment, no action is required. This is purely informatory.")
+        .append("Regards,\nGoogle Registry\n");
+    Message msg = emailService.createMessage();
+    msg.setSubject(
+        String.format("Spec11 Monthly Threat Detector [%s]", yearMonth.toString()));
+    msg.setText(body.toString());
+    msg.setFrom(new InternetAddress(alertSenderAddress));
+    msg.setRecipient(RecipientType.TO, new InternetAddress(registrarEmail));
+    emailService.sendMessage(msg);
+
+  }
+
+  /** Sends an e-mail to the provided alert e-mail address indicating a spec11 failure. */
+  void sendFailureAlertEmail(String body) {
+    try {
+      retrier.callWithRetry(
+          () -> {
+            Message msg = emailService.createMessage();
+            msg.setFrom(new InternetAddress(alertSenderAddress));
+            msg.addRecipient(RecipientType.TO, new InternetAddress(alertRecipientAddress));
+            msg.setSubject(String.format("Spec11 Pipeline Alert: %s", yearMonth.toString()));
+            msg.setText(body);
+            emailService.sendMessage(msg);
+            return null;
+          },
+          MessagingException.class);
+    } catch (Throwable e) {
+      throw new RuntimeException("The spec11 alert e-mail system failed.", e);
+    }
+  }
+}
--- a/java/google/registry/reporting/spec11/Spec11Module.java
+++ b/java/google/registry/reporting/spec11/Spec11Module.java
@ -0,0 +1,42 @@
+// Copyright 2018 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.reporting.spec11;
+
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+
+import dagger.Module;
+import dagger.Provides;
+import google.registry.beam.spec11.Spec11Pipeline;
+import java.lang.annotation.Documented;
+import java.lang.annotation.Retention;
+import javax.inject.Qualifier;
+import org.joda.time.YearMonth;
+
+/** Module for dependencies required by Spec11 reporting. */
+@Module
+public class Spec11Module {
+
+  @Provides
+  @Spec11ReportDirectory
+  static String provideDirectoryPrefix(YearMonth yearMonth) {
+    return Spec11Pipeline.getSpec11Subdirectory(yearMonth.toString("yyyy-MM"));
+  }
+
+  /** Dagger qualifier for the subdirectory we stage to/upload from for Spec11 reports. */
+  @Qualifier
+  @Documented
+  @Retention(RUNTIME)
+  @interface Spec11ReportDirectory {}
+}