Decouple superuser from SessionMetadata

Superuser should only be settable via the tool (see []
which is merged in here but not diffbased, and which removes
the implicit superuser for CharlestonRoad). It is a property
of the request, not of the session (there are no sessions in the tool).
-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=125204707

java/google/registry/flows/EppConsoleAction.java

@@ -44,6 +44,7 @@ public class EppConsoleAction implements Runnable {
         new HttpSessionMetadata(session),
         new GaeUserCredentials(getUserService().getCurrentUser()),
         false,  // This endpoint is never a dry run.
+        false,  // This endpoint is never a superuser.
         inputXmlBytes);
   }
 }

java/google/registry/flows/EppController.java

@@ -55,6 +55,7 @@ public final class EppController {
       SessionMetadata sessionMetadata,
       TransportCredentials credentials,
       boolean isDryRun,
+      boolean isSuperuser,
       byte[] inputXmlBytes) {
     Trid trid = null;
     try {
@@ -63,7 +64,7 @@ public final class EppController {
       ImmutableList<String> targetIds = eppInput.getTargetIds();
       metrics.setCommandName(eppInput.getCommandName());
       metrics.setClientId(sessionMetadata.getClientId());
-      metrics.setPrivilegeLevel(sessionMetadata.isSuperuser() ? "SUPERUSER" : "NORMAL");
+      metrics.setPrivilegeLevel(isSuperuser ? "SUPERUSER" : "NORMAL");
       if (!targetIds.isEmpty()) {
         metrics.setEppTarget(Joiner.on(",").join(targetIds));
       }
@@ -74,6 +75,7 @@ public final class EppController {
           sessionMetadata,
           credentials,
           isDryRun,
+          isSuperuser,
           inputXmlBytes,
           metrics,
           clock);

java/google/registry/flows/EppRequestHandler.java

@@ -43,11 +43,12 @@ public class EppRequestHandler {
       SessionMetadata sessionMetadata,
       TransportCredentials credentials,
       boolean isDryRun,
+      boolean isSuperuser,
       byte[] inputXmlBytes) {
     try {
       response.setPayload(new String(
           eppController.handleEppCommand(
-              sessionMetadata, credentials, isDryRun, inputXmlBytes), UTF_8));
+              sessionMetadata, credentials, isDryRun, isSuperuser, inputXmlBytes), UTF_8));
       response.setContentType(APPLICATION_EPP_XML);
       // Note that we always return 200 (OK) even if the EppController returns an error response.
       // This is because returning an non-OK HTTP status code will cause the proxy server to

java/google/registry/flows/EppTlsAction.java

@@ -50,6 +50,7 @@ public class EppTlsAction implements Runnable {
         new HttpSessionMetadata(session),
         tlsCredentials,
         false,  // This endpoint is never a dry run.
+        false,  // This endpoint is never a superuser.
         inputXmlBytes);
   }
 }

java/google/registry/flows/EppToolAction.java

@@ -39,8 +39,8 @@ import javax.servlet.http.HttpServletRequest;
 public class EppToolAction implements Runnable {
 
   @Inject @Parameter("clientIdentifier") String clientIdentifier;
-  @Inject @Parameter("superuser") boolean superuser;
+  @Inject @Parameter("superuser") boolean isSuperuser;
-  @Inject @Parameter("dryRun") boolean dryRun;
+  @Inject @Parameter("dryRun") boolean isDryRun;
   @Inject @Parameter("xml") String xml;
   @Inject EppRequestHandler eppRequestHandler;
   @Inject EppToolAction() {}
@@ -50,11 +50,11 @@ public class EppToolAction implements Runnable {
     eppRequestHandler.executeEpp(
         new StatelessRequestSessionMetadata(
             clientIdentifier,
-            superuser,
             ProtocolDefinition.getVisibleServiceExtensionUris(),
             SessionSource.TOOL),
         new PasswordOnlyTransportCredentials(),
-        dryRun,
+        isDryRun,
+        isSuperuser,
         xml.getBytes(UTF_8));
   }
 

java/google/registry/flows/Flow.java

@@ -48,7 +48,7 @@ public abstract class Flow {
   protected byte[] inputXmlBytes;
 
   /** Whether this flow is being run in a superuser mode that can skip some checks. */
-  protected boolean superuser;
+  protected boolean isSuperuser;
 
   /** The collection of allowed extensions for the flow. */
   private Set<Class<? extends CommandExtension>> validExtensions = new HashSet<>();
@@ -103,6 +103,7 @@ public abstract class Flow {
       Trid trid,
       SessionMetadata sessionMetadata,
       TransportCredentials credentials,
+      boolean isSuperuser,
       DateTime now,
       byte[] inputXmlBytes) throws EppException {
     this.eppInput = eppInput;
@@ -110,7 +111,7 @@ public abstract class Flow {
     this.sessionMetadata = sessionMetadata;
     this.credentials = credentials;
     this.now = now;
-    this.superuser = sessionMetadata.isSuperuser();
+    this.isSuperuser = isSuperuser;
     this.inputXmlBytes = inputXmlBytes;
     initFlow();
     validExtensions = ImmutableSet.copyOf(validExtensions);

java/google/registry/flows/FlowRunner.java

@@ -36,7 +36,7 @@ import org.joda.time.DateTime;
 /** Run a flow, either transactionally or not, with logging and retrying as needed. */
 public class FlowRunner {
 
-  private static final String COMMAND_LOG_FORMAT = "EPP Command" + Strings.repeat("\n\t%s", 6);
+  private static final String COMMAND_LOG_FORMAT = "EPP Command" + Strings.repeat("\n\t%s", 7);
 
   private static final FormattingLogger logger = FormattingLogger.getLoggerForCallerClass();
 
@@ -45,6 +45,7 @@ public class FlowRunner {
   private final Trid trid;
   private final SessionMetadata sessionMetadata;
   private final boolean isDryRun;
+  private final boolean isSuperuser;
   private final TransportCredentials credentials;
   private final byte[] inputXmlBytes;
   private final EppMetrics metrics;
@@ -57,6 +58,7 @@ public class FlowRunner {
       SessionMetadata sessionMetadata,
       TransportCredentials credentials,
       boolean isDryRun,
+      boolean isSuperuser,
       byte[] inputXmlBytes,
       final EppMetrics metrics,
       Clock clock) {
@@ -67,6 +69,7 @@ public class FlowRunner {
     this.sessionMetadata = sessionMetadata;
     this.credentials = credentials;
     this.isDryRun = isDryRun;
+    this.isSuperuser = isSuperuser;
     this.inputXmlBytes = inputXmlBytes;
     this.metrics = metrics;
     this.clock = clock;
@@ -81,7 +84,8 @@ public class FlowRunner {
         sessionMetadata,
         prettyPrint(inputXmlBytes).replaceAll("\n", "\n\t"),
         credentials,
-        isDryRun ? "DRY_RUN" : "LIVE");
+        isDryRun ? "DRY_RUN" : "LIVE",
+        isSuperuser ? "SUPERUSER" : "NORMAL");
     if (!isTransactional()) {
       if (metrics != null) {
         metrics.incrementAttempts();
@@ -93,7 +97,7 @@ public class FlowRunner {
     // before it could log.
     logger.info("EPP_Mutation " + new JsonLogStatement(trid)
         .add("client", clientId)
-        .add("privileges", sessionMetadata.isSuperuser() ? "SUPERUSER" : "NORMAL")
+        .add("privileges", isSuperuser ? "SUPERUSER" : "NORMAL")
         .add("xmlBytes", base64().encode(inputXmlBytes)));
     try {
       EppOutput flowResult = ofy().transact(new Work<EppOutput>() {
@@ -134,6 +138,7 @@ public class FlowRunner {
           trid,
           sessionMetadata,
           credentials,
+          isSuperuser,
           now,
           inputXmlBytes);
   }

java/google/registry/flows/LoggedInFlow.java

@@ -95,7 +95,7 @@ public abstract class LoggedInFlow extends Flow {
             getClientId(), getClass().getSimpleName(), undeclaredUris);
       }
     }
-    if (sessionMetadata.isSuperuser()) {
+    if (isSuperuser) {
       allowedTlds = getTlds();
     } else {
       Registrar registrar = verifyNotNull(

java/google/registry/flows/OwnedResourceMutateFlow.java

@@ -31,7 +31,7 @@ public abstract class OwnedResourceMutateFlow
   /** Fail if the object doesn't exist or was deleted. */
   @Override
   protected final void verifyMutationAllowed() throws EppException {
-    if (!superuser) {
+    if (!isSuperuser) {
       verifyResourceOwnership(getClientId(), existingResource);
     }
     verifyMutationOnOwnedResourceAllowed();

java/google/registry/flows/ResourceCreateOrMutateFlow.java

@@ -78,7 +78,7 @@ public abstract class ResourceCreateOrMutateFlow
         .setTrid(trid)
         .setModificationTime(now)
         .setXmlBytes(storeXmlInHistoryEntry() ? inputXmlBytes : null)
-        .setBySuperuser(superuser)
+        .setBySuperuser(isSuperuser)
         .setReason(getHistoryEntryReason())
         .setRequestedByRegistrar(getHistoryEntryRequestedByRegistrar())
         .setParent(getResourceKey())

java/google/registry/flows/ResourceFlow.java

@@ -67,7 +67,7 @@ public abstract class ResourceFlow<R extends EppResource, C extends ResourceComm
    * a domain) is allowed in the registry phase for the specified TLD that the resource is in.
    */
   protected void checkRegistryStateForTld(String tld) throws BadCommandForRegistryPhaseException {
-    if (!superuser && getDisallowedTldStates().contains(Registry.get(tld).getTldState(now))) {
+    if (!isSuperuser && getDisallowedTldStates().contains(Registry.get(tld).getTldState(now))) {
       throw new BadCommandForRegistryPhaseException();
     }
   }

java/google/registry/flows/ResourceUpdateFlow.java

@@ -61,7 +61,7 @@ public abstract class ResourceUpdateFlow
     for (StatusValue statusValue : Sets.union(
         command.getInnerAdd().getStatusValues(),
         command.getInnerRemove().getStatusValues())) {
-      if (!superuser && !statusValue.isClientSettable()) {  // The superuser can set any status.
+      if (!isSuperuser && !statusValue.isClientSettable()) {  // The superuser can set any status.
         throw new StatusNotClientSettableException(statusValue.getXmlName());
       }
     }
@@ -85,7 +85,7 @@ public abstract class ResourceUpdateFlow
   protected final void verifyNewStateIsAllowed() throws EppException {
     // If the resource is marked with clientUpdateProhibited, and this update did not clear that
     // status, then the update must be disallowed (unless a superuser is requesting the change).
-    if (!superuser
+    if (!isSuperuser
         && existingResource.getStatusValues().contains(StatusValue.CLIENT_UPDATE_PROHIBITED)
         && newResource.getStatusValues().contains(StatusValue.CLIENT_UPDATE_PROHIBITED)) {
       throw new ResourceHasClientUpdateProhibitedException();

java/google/registry/flows/SessionMetadata.java

@@ -49,9 +49,6 @@ public abstract class SessionMetadata {
   /** The key used for looking up the current client id on the session object. */
   protected static final String CLIENT_ID_KEY = "CLIENT_ID";
 
-  /** The key used for looking up the superuser bit on the session object. */
-  protected static final String SUPERUSER_KEY = "SUPERUSER";
-
   /** The key used for looking up the service extensions on the session object. */
   protected static final String SERVICE_EXTENSIONS_KEY = "SERVICE_EXTENSIONS";
 
@@ -93,10 +90,6 @@ public abstract class SessionMetadata {
     return getProperty(String.class, CLIENT_ID_KEY);
   }
 
-  public boolean isSuperuser() {
-    return Boolean.TRUE.equals(getProperty(Boolean.class, SUPERUSER_KEY));
-  }
-
   @SuppressWarnings("unchecked")
   public Set<String> getServiceExtensionUris() {
     return getProperty(Set.class, SERVICE_EXTENSIONS_KEY);
@@ -116,10 +109,6 @@ public abstract class SessionMetadata {
     setPropertyChecked(CLIENT_ID_KEY, clientId);
   }
 
-  public void setSuperuser(boolean superuser) {
-    setPropertyChecked(SUPERUSER_KEY, superuser);
-  }
-
   public void setServiceExtensionUris(Set<String> serviceExtensionUris) {
     setPropertyChecked(SERVICE_EXTENSIONS_KEY, checkNotNull(serviceExtensionUris));
   }
@@ -142,7 +131,6 @@ public abstract class SessionMetadata {
     return toStringHelper(getClass())
         .add("system hash code", System.identityHashCode(this))
         .add("clientId", getClientId())
-        .add("isSuperuser", isSuperuser())
         .add("failedLoginAttempts", getFailedLoginAttempts())
         .add("sessionSource", getSessionSource())
         .add("serviceExtensionUris", Joiner.on('.').join(nullToEmpty(getServiceExtensionUris())))

java/google/registry/flows/StatelessRequestSessionMetadata.java

@@ -20,17 +20,14 @@ import java.util.Set;
 public class StatelessRequestSessionMetadata extends SessionMetadata {
 
   private final String clientId;
-  private final boolean isSuperuser;
   private final Set<String> serviceExtensionUris;
   private final SessionSource sessionSource;
 
   public StatelessRequestSessionMetadata(
       String clientId,
-      boolean isSuperuser,
       Set<String> serviceExtensionUris,
       SessionSource source) {
     this.clientId = clientId;
-    this.isSuperuser = isSuperuser;
     this.serviceExtensionUris = serviceExtensionUris;
     this.sessionSource = source;
   }
@@ -40,11 +37,6 @@ public class StatelessRequestSessionMetadata extends SessionMetadata {
     return clientId;
   }
 
-  @Override
-  public boolean isSuperuser() {
-    return isSuperuser;
-  }
-
   @Override
   public Set<String> getServiceExtensionUris() {
     return serviceExtensionUris;

java/google/registry/flows/contact/ContactDeleteFlow.java

@@ -77,7 +77,7 @@ public class ContactDeleteFlow extends ResourceAsyncDeleteFlow<ContactResource,
             DeleteEppResourceAction.PARAM_REQUESTING_CLIENT_ID,
             getClientId(),
             DeleteEppResourceAction.PARAM_IS_SUPERUSER,
-            Boolean.toString(superuser)),
+            Boolean.toString(isSuperuser)),
         RegistryEnvironment.get().config().getAsyncDeleteFlowMapreduceDelay());
   }
 

java/google/registry/flows/domain/BaseDomainCreateFlow.java

@@ -187,7 +187,7 @@ public abstract class BaseDomainCreateFlow<R extends DomainBase, B extends Build
         domainLabel, tld, command.getAuthInfo().getPw().getValue());
     // Superusers can create reserved domains, force creations on domains that require a claims
     // notice without specifying a claims key, and override blocks on registering premium domains.
-    if (!superuser) {
+    if (!isSuperuser) {
       boolean isSunriseApplication =
           launchCreate != null && !launchCreate.getSignedMarks().isEmpty();
       if (!isAnchorTenantViaReservation) {
@@ -254,7 +254,7 @@ public abstract class BaseDomainCreateFlow<R extends DomainBase, B extends Build
     if (launchCreate == null) {
       return;
     }
-    if (!superuser) {  // Superusers can ignore the phase.
+    if (!isSuperuser) {  // Superusers can ignore the phase.
       verifyLaunchPhase(getTld(), launchCreate, now);
     }
     if (launchCreate.hasCodeMarks()) {
@@ -269,7 +269,7 @@ public abstract class BaseDomainCreateFlow<R extends DomainBase, B extends Build
       throw new InvalidTrademarkValidatorException();
     }
     // Superuser can force domain creations regardless of the current date.
-    if (!superuser) {
+    if (!isSuperuser) {
       if (notice.getExpirationTime().isBefore(now)) {
         throw new ExpiredClaimException();
       }

java/google/registry/flows/domain/DomainAllocateFlow.java

@@ -73,7 +73,7 @@ public class DomainAllocateFlow extends DomainCreateOrAllocateFlow {
 
   @Override
   protected final void verifyDomainCreateIsAllowed() throws EppException {
-    if (!superuser) {
+    if (!isSuperuser) {
       throw new OnlySuperuserCanAllocateException();
     }
     if (allocateCreate == null) {

java/google/registry/flows/domain/DomainApplicationCreateFlow.java

@@ -140,7 +140,7 @@ public class DomainApplicationCreateFlow extends BaseDomainCreateFlow<DomainAppl
   @Override
   protected void verifyDomainCreateIsAllowed() throws EppException {
     validateFeeChallenge(targetId, getTld(), now, feeCreate, createCost);
-    if (tldState == TldState.LANDRUSH && !superuser) {
+    if (tldState == TldState.LANDRUSH && !isSuperuser) {
       // Prohibit creating a landrush application in LANDRUSH (but not in SUNRUSH) if there is
       // exactly one sunrise application for the same name.
       List<DomainApplication> applications = FluentIterable

java/google/registry/flows/domain/DomainApplicationDeleteFlow.java

@@ -66,7 +66,7 @@ public class DomainApplicationDeleteFlow
     // Don't allow deleting a sunrise application during landrush.
     if (existingResource.getPhase().equals(LaunchPhase.SUNRISE)
         && Registry.get(existingResource.getTld()).getTldState(now).equals(TldState.LANDRUSH)
-        && !superuser) {
+        && !isSuperuser) {
       throw new SunriseApplicationCannotBeDeletedInLandrushException();
     }
   }

java/google/registry/flows/domain/DomainCreateFlow.java

@@ -109,7 +109,7 @@ public class DomainCreateFlow extends DomainCreateOrAllocateFlow {
   protected final void verifyDomainCreateIsAllowed() throws EppException {
     String tld = getTld();
     validateFeeChallenge(targetId, tld, now, feeCreate, createCost);
-    if (!superuser) {
+    if (!isSuperuser) {
       // Prohibit creating a domain if there is an open application for the same name.
       for (DomainApplication application : loadActiveApplicationsByDomainName(targetId, now)) {
         if (!application.getApplicationStatus().isFinalStatus()) {

java/google/registry/flows/domain/DomainRestoreRequestFlow.java

@@ -97,7 +97,7 @@ public class DomainRestoreRequestFlow extends OwnedResourceMutateFlow<DomainReso
 
     String tld = existingResource.getTld();
     checkAllowedAccessToTld(getAllowedTlds(), tld);
-    if (!superuser) {
+    if (!isSuperuser) {
       verifyNotReserved(InternetDomainName.from(targetId), false);
       verifyPremiumNameIsNotBlocked(targetId, now, getClientId());
     }

java/google/registry/flows/domain/DomainTransferRequestFlow.java

@@ -152,7 +152,7 @@ public class DomainTransferRequestFlow
   @Override
   protected final void verifyTransferRequestIsAllowed() throws EppException {
     verifyUnitIsYears(command.getPeriod());
-    if (!superuser) {
+    if (!isSuperuser) {
       verifyPremiumNameIsNotBlocked(targetId, now, getClientId());
     }
     validateFeeChallenge(

java/google/registry/flows/host/HostDeleteFlow.java

@@ -77,7 +77,7 @@ public class HostDeleteFlow extends ResourceAsyncDeleteFlow<HostResource, Builde
             DeleteEppResourceAction.PARAM_REQUESTING_CLIENT_ID,
             getClientId(),
             DeleteEppResourceAction.PARAM_IS_SUPERUSER,
-            Boolean.toString(superuser)),
+            Boolean.toString(isSuperuser)),
         RegistryEnvironment.get().config().getAsyncDeleteFlowMapreduceDelay());
   }
 

java/google/registry/flows/session/LoginFlow.java

@@ -39,7 +39,6 @@ import google.registry.model.eppoutput.Result.Code;
 import google.registry.model.registrar.Registrar;
 import google.registry.util.FormattingLogger;
 
-import java.util.Objects;
 import java.util.Set;
 
 /**
@@ -66,9 +65,6 @@ public class LoginFlow extends Flow {
 
   private static final FormattingLogger logger = FormattingLogger.getLoggerForCallerClass();
 
-  /** This is the IANA ID used for the internal account of the registry. */
-  private static final long INTERNAL_IANA_REGISTRAR_ID = 9999L;
-
   /** Maximum number of failed login attempts allowed per connection. */
   private static final int MAX_FAILED_LOGIN_ATTEMPTS_PER_CONNECTION = 3;
 
@@ -134,8 +130,6 @@ public class LoginFlow extends Flow {
     // We are in!
     sessionMetadata.resetFailedLoginAttempts();
     sessionMetadata.setClientId(login.getClientId());
-    sessionMetadata.setSuperuser(
-        Objects.equals(INTERNAL_IANA_REGISTRAR_ID, registrar.getIanaIdentifier()));
     sessionMetadata.setServiceExtensionUris(serviceExtensionUrisBuilder.build());
     return createOutput(Code.Success);
   }

java/google/registry/tools/ValidateLoginCredentialsCommand.java

@@ -110,6 +110,7 @@ final class ValidateLoginCredentialsCommand implements RemoteApiCommand, GtechCo
                 Optional.of(clientIpAddress),
                 "placeholder"),  // behave as if we have SNI on, since we're validating a cert
             false,
+            false,
             inputXmlBytes,
             null,
             new SystemClock()).run()), UTF_8));

java/google/registry/ui/server/api/CheckApiAction.java

@@ -80,7 +80,6 @@ public class CheckApiAction implements Runnable {
   private final StatelessRequestSessionMetadata sessionMetadata =
       new StatelessRequestSessionMetadata(
           RegistryEnvironment.get().config().getCheckApiServletRegistrarClientId(),
-          false,
           ImmutableSet.of(FEE_0_6.getUri()),
           SessionSource.HTTP);
 
@@ -121,6 +120,7 @@ public class CheckApiAction implements Runnable {
           sessionMetadata,
           new PasswordOnlyTransportCredentials(),
           false,
+          false,
           inputXmlBytes,
           null,
           clock)

javatests/google/registry/flows/EppConsoleActionTest.java

@@ -17,7 +17,7 @@ package google.registry.flows;
 
 import static com.google.common.truth.Truth.assertThat;
 import static java.nio.charset.StandardCharsets.UTF_8;
-import static org.mockito.Mockito.eq;
+import static org.mockito.Matchers.eq;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 
@@ -43,33 +43,25 @@ public class EppConsoleActionTest extends ShardableTestCase {
       .withUserService(UserInfo.create("person@example.com", "12345"))
       .build();
 
-  private void doTest(boolean superuser) {
+  @Test
+  public void testPassesArgumentsThrough() {
     EppConsoleAction action = new EppConsoleAction();
     action.inputXmlBytes = INPUT_XML_BYTES;
     action.session = new BasicHttpSession();
     action.session.setAttribute("CLIENT_ID", "ClientIdentifier");
-    action.session.setAttribute("SUPERUSER", superuser);
     action.eppRequestHandler = mock(EppRequestHandler.class);
     action.run();
     ArgumentCaptor<TransportCredentials> credentialsCaptor =
         ArgumentCaptor.forClass(TransportCredentials.class);
     ArgumentCaptor<SessionMetadata> metadataCaptor = ArgumentCaptor.forClass(SessionMetadata.class);
     verify(action.eppRequestHandler).executeEpp(
-        metadataCaptor.capture(), credentialsCaptor.capture(), eq(false), eq(INPUT_XML_BYTES));
+        metadataCaptor.capture(),
+        credentialsCaptor.capture(),
+        eq(false),
+        eq(false),
+        eq(INPUT_XML_BYTES));
     assertThat(((GaeUserCredentials) credentialsCaptor.getValue()).gaeUser.getEmail())
         .isEqualTo("person@example.com");
-    SessionMetadata sessionMetadata = metadataCaptor.getValue();
+    assertThat(metadataCaptor.getValue().getClientId()).isEqualTo("ClientIdentifier");
-    assertThat(sessionMetadata.getClientId()).isEqualTo("ClientIdentifier");
-    assertThat(sessionMetadata.isSuperuser()).isEqualTo(superuser);
-  }
-
-  @Test
-  public void testSuperuser() throws Exception {
-    doTest(true);
-  }
-
-  @Test
-  public void testNotSuperuser() throws Exception {
-    doTest(false);
   }
 }

javatests/google/registry/flows/EppLifecycleDomainApplicationTest.java

@@ -104,12 +104,12 @@ public class EppLifecycleDomainApplicationTest extends EppTestCase {
         "domain_allocate_testvalidate.xml",
         "domain_allocate_response_testvalidate_only_superuser.xml",
         START_OF_GA.plusDays(1));
-    setSuperuser(true);
+    setIsSuperuser(true);
     assertCommandAndResponse(
         "domain_allocate_testvalidate.xml",
         "domain_allocate_response_testvalidate.xml",
         START_OF_GA.plusDays(1).plusMinutes(1));
-    setSuperuser(false);
+    setIsSuperuser(false);
     assertCommandAndResponse(
         "domain_info_testvalidate.xml",
         "domain_info_response_testvalidate_ok.xml",

javatests/google/registry/flows/EppTestCase.java

@@ -70,7 +70,7 @@ public class EppTestCase extends ShardableTestCase {
     this.credentials = credentials;
   }
 
-  protected void setSuperuser(boolean isSuperuser) {
+  protected void setIsSuperuser(boolean isSuperuser) {
     this.isSuperuser = isSuperuser;
   }
 
@@ -96,7 +96,6 @@ public class EppTestCase extends ShardableTestCase {
     if (sessionMetadata == null) {
       sessionMetadata = new TestSessionMetadata();
     }
-    sessionMetadata.setSuperuser(isSuperuser);
     String actualOutput = executeXmlCommand(input);
     if (!sessionMetadata.isValid()) {
       sessionMetadata = null;
@@ -118,7 +117,7 @@ public class EppTestCase extends ShardableTestCase {
     handler.eppController = new EppController();
     handler.eppController.clock = clock;
     handler.eppController.metrics = mock(EppMetrics.class);
-    handler.executeEpp(sessionMetadata, credentials, false, inputXml.getBytes(UTF_8));
+    handler.executeEpp(sessionMetadata, credentials, false, isSuperuser, inputXml.getBytes(UTF_8));
     assertThat(response.getStatus()).isEqualTo(SC_OK);
     assertThat(response.getContentType()).isEqualTo(APPLICATION_EPP_XML_UTF8);
     String result = response.getPayload();

javatests/google/registry/flows/EppTlsActionTest.java

@@ -37,31 +37,23 @@ public class EppTlsActionTest extends ShardableTestCase {
 
   private static final byte[] INPUT_XML_BYTES = "<xml>".getBytes(UTF_8);
 
-  private void doTest(boolean superuser) {
+  @Test
+  public void testPassesArgumentsThrough() {
     EppTlsAction action = new EppTlsAction();
     action.inputXmlBytes = INPUT_XML_BYTES;
     action.tlsCredentials = mock(TlsCredentials.class);
     when(action.tlsCredentials.hasSni()).thenReturn(true);
     action.session = new BasicHttpSession();
     action.session.setAttribute("CLIENT_ID", "ClientIdentifier");
-    action.session.setAttribute("SUPERUSER", superuser);
     action.eppRequestHandler = mock(EppRequestHandler.class);
     action.run();
     ArgumentCaptor<SessionMetadata> captor = ArgumentCaptor.forClass(SessionMetadata.class);
-    verify(action.eppRequestHandler)
+    verify(action.eppRequestHandler).executeEpp(
-        .executeEpp(captor.capture(), same(action.tlsCredentials), eq(false), eq(INPUT_XML_BYTES));
+        captor.capture(),
-    SessionMetadata sessionMetadata = captor.getValue();
+        same(action.tlsCredentials),
-    assertThat(sessionMetadata.getClientId()).isEqualTo("ClientIdentifier");
+        eq(false),
-    assertThat(sessionMetadata.isSuperuser()).isEqualTo(superuser);
+        eq(false),
-  }
+        eq(INPUT_XML_BYTES));
-
+    assertThat(captor.getValue().getClientId()).isEqualTo("ClientIdentifier");
-  @Test
-  public void testSuperuser() throws Exception {
-    doTest(true);
-  }
-
-  @Test
-  public void testNotSuperuser() throws Exception {
-    doTest(false);
   }
 }

javatests/google/registry/flows/EppToolActionTest.java

@@ -16,8 +16,8 @@ package google.registry.flows;
 
 import static com.google.common.truth.Truth.assertThat;
 import static java.nio.charset.StandardCharsets.UTF_8;
-import static org.mockito.Matchers.eq;
+import static org.mockito.Mockito.eq;
-import static org.mockito.Matchers.isA;
+import static org.mockito.Mockito.isA;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 
@@ -30,11 +30,11 @@ import org.mockito.ArgumentCaptor;
 @RunWith(JUnit4.class)
 public class EppToolActionTest {
 
-  private void doTest(boolean dryRun, boolean superuser) {
+  private void doTest(boolean isDryRun, boolean isSuperuser) {
     EppToolAction action = new EppToolAction();
     action.clientIdentifier = "ClientIdentifier";
-    action.dryRun = dryRun;
+    action.isDryRun = isDryRun;
-    action.superuser = superuser;
+    action.isSuperuser = isSuperuser;
     action.eppRequestHandler = mock(EppRequestHandler.class);
     action.xml = "<xml>";
     action.run();
@@ -42,11 +42,10 @@ public class EppToolActionTest {
     verify(action.eppRequestHandler).executeEpp(
         captor.capture(),
         isA(PasswordOnlyTransportCredentials.class),
-        eq(dryRun),
+        eq(isDryRun),
+        eq(isSuperuser),
         eq(action.xml.getBytes(UTF_8)));
-    SessionMetadata sessionMetadata = captor.getValue();
+    assertThat(captor.getValue().getClientId()).isEqualTo("ClientIdentifier");
-    assertThat(sessionMetadata.getClientId()).isEqualTo("ClientIdentifier");
-    assertThat(sessionMetadata.isSuperuser()).isEqualTo(superuser);
   }
 
   @Test

javatests/google/registry/flows/FlowTestCase.java

@@ -89,7 +89,7 @@ public abstract class FlowTestCase<F extends Flow> {
 
   protected EppLoader eppLoader;
   protected Class<? extends Flow> flowClass;
-  protected TestSessionMetadata sessionMetadata;
+  protected SessionMetadata sessionMetadata;
   protected FakeClock clock = new FakeClock(DateTime.now(UTC));
   protected TransportCredentials credentials = new PasswordOnlyTransportCredentials();
 
@@ -121,7 +121,8 @@ public abstract class FlowTestCase<F extends Flow> {
   }
 
   /** Load a flow from an epp object. */
-  private FlowRunner getFlowRunner(CommitMode commitMode) throws Exception {
+  private FlowRunner getFlowRunner(CommitMode commitMode, UserPrivileges userPrivileges)
+      throws Exception {
     EppInput eppInput = eppLoader.getEpp();
     flowClass = firstNonNull(flowClass, FlowPicker.getFlowClass(eppInput));
     Class<?> expectedFlowClass = new TypeInstantiator<F>(getClass()){}.getExactType();
@@ -133,6 +134,7 @@ public abstract class FlowTestCase<F extends Flow> {
         sessionMetadata,
         credentials,
         commitMode.equals(CommitMode.DRY_RUN),
+        userPrivileges.equals(UserPrivileges.SUPERUSER),
         "<xml></xml>".getBytes(),
         null,
         clock);
@@ -153,7 +155,8 @@ public abstract class FlowTestCase<F extends Flow> {
   }
 
   public void assertTransactionalFlow(boolean isTransactional) throws Exception {
-    assertThat(getFlowRunner(CommitMode.LIVE).isTransactional()).isEqualTo(isTransactional);
+    assertThat(getFlowRunner(CommitMode.LIVE, UserPrivileges.NORMAL).isTransactional())
+        .isEqualTo(isTransactional);
   }
 
   public void assertNoHistory() throws Exception {
@@ -271,8 +274,7 @@ public abstract class FlowTestCase<F extends Flow> {
 
   /** Run a flow, and attempt to marshal the result to EPP or throw if it doesn't validate. */
   public EppOutput runFlow(CommitMode commitMode, UserPrivileges userPrivileges) throws Exception {
-    sessionMetadata.setSuperuser(userPrivileges.equals(UserPrivileges.SUPERUSER));
+    EppOutput output = getFlowRunner(commitMode, userPrivileges).run();
-    EppOutput output = getFlowRunner(commitMode).run();
     marshal(output, ValidationMode.STRICT);
     return output;
   }
@@ -284,8 +286,7 @@ public abstract class FlowTestCase<F extends Flow> {
   public void runFlowAssertResponse(
       CommitMode commitMode, UserPrivileges userPrivileges, String xml, String... ignoredPaths)
       throws Exception {
-    sessionMetadata.setSuperuser(userPrivileges.equals(UserPrivileges.SUPERUSER));
+    EppOutput eppOutput = getFlowRunner(commitMode, userPrivileges).run();
-    EppOutput eppOutput = getFlowRunner(commitMode).run();
     if (eppOutput.isResponse()) {
       assertThat(eppOutput.isSuccess()).isTrue();
     }

javatests/google/registry/flows/contact/ContactDeleteFlowTest.java

@@ -142,7 +142,6 @@ public class ContactDeleteFlowTest
 
   @Test
   public void testSuccess_superuserUnauthorizedClient() throws Exception {
-    sessionMetadata.setSuperuser(true);
     sessionMetadata.setClientId("NewRegistrar");
     persistActiveContact(getUniqueIdFromCommand());
     clock.advanceOneMilli();

javatests/google/registry/flows/contact/ContactUpdateFlowTest.java

@@ -195,7 +195,6 @@ public class ContactUpdateFlowTest
 
   @Test
   public void testSuccess_superuserUnauthorizedClient() throws Exception {
-    sessionMetadata.setSuperuser(true);
     sessionMetadata.setClientId("NewRegistrar");
     persistActiveContact(getUniqueIdFromCommand());
     clock.advanceOneMilli();

javatests/google/registry/flows/domain/DomainApplicationDeleteFlowTest.java

@@ -164,7 +164,6 @@ public class DomainApplicationDeleteFlowTest
 
   @Test
   public void testSuccess_superuserUnauthorizedClient() throws Exception {
-    sessionMetadata.setSuperuser(true);
     sessionMetadata.setClientId("NewRegistrar");
     persistResource(
         newDomainApplication("example.tld").asBuilder().setRepoId("1-TLD").build());

javatests/google/registry/flows/domain/DomainApplicationUpdateFlowTest.java

@@ -565,7 +565,6 @@ public class DomainApplicationUpdateFlowTest
 
   @Test
   public void testSuccess_superuserUnauthorizedClient() throws Exception {
-    sessionMetadata.setSuperuser(true);
     sessionMetadata.setClientId("NewRegistrar");
     persistReferencedEntities();
     persistApplication();

javatests/google/registry/flows/domain/DomainDeleteFlowTest.java

@@ -546,7 +546,6 @@ public class DomainDeleteFlowTest extends ResourceFlowTestCase<DomainDeleteFlow,
 
   @Test
   public void testSuccess_superuserUnauthorizedClient() throws Exception {
-    sessionMetadata.setSuperuser(true);
     sessionMetadata.setClientId("NewRegistrar");
     setupSuccessfulTest();
     clock.advanceOneMilli();

javatests/google/registry/flows/domain/DomainRenewFlowTest.java

@@ -425,7 +425,6 @@ public class DomainRenewFlowTest extends ResourceFlowTestCase<DomainRenewFlow, D
 
   @Test
   public void testSuccess_superuserUnauthorizedClient() throws Exception {
-    sessionMetadata.setSuperuser(true);
     sessionMetadata.setClientId("NewRegistrar");
     persistDomain();
     runFlowAssertResponse(

javatests/google/registry/flows/domain/DomainRestoreRequestFlowTest.java

@@ -369,7 +369,6 @@ public class DomainRestoreRequestFlowTest extends
   @Test
   public void testSuccess_superuserUnauthorizedClient() throws Exception {
     thrown.expect(ResourceNotOwnedException.class);
-    sessionMetadata.setSuperuser(true);
     sessionMetadata.setClientId("NewRegistrar");
     persistPendingDeleteDomain();
     runFlowAssertResponse(readFile("domain_update_response.xml"));

javatests/google/registry/flows/domain/DomainUpdateFlowTest.java

@@ -969,7 +969,6 @@ public class DomainUpdateFlowTest extends ResourceFlowTestCase<DomainUpdateFlow,
 
   @Test
   public void testSuccess_superuserUnauthorizedClient() throws Exception {
-    sessionMetadata.setSuperuser(true);
     sessionMetadata.setClientId("NewRegistrar");
     persistReferencedEntities();
     persistDomain();

javatests/google/registry/flows/host/HostDeleteFlowTest.java

@@ -145,7 +145,6 @@ public class HostDeleteFlowTest extends ResourceFlowTestCase<HostDeleteFlow, Hos
 
   @Test
   public void testSuccess_superuserUnauthorizedClient() throws Exception {
-    sessionMetadata.setSuperuser(true);
     sessionMetadata.setClientId("NewRegistrar");
     persistActiveHost(getUniqueIdFromCommand());
     clock.advanceOneMilli();

javatests/google/registry/flows/host/HostUpdateFlowTest.java

@@ -833,7 +833,6 @@ public class HostUpdateFlowTest extends ResourceFlowTestCase<HostUpdateFlow, Hos
 
   @Test
   public void testSuccess_superuserUnauthorizedClient() throws Exception {
-    sessionMetadata.setSuperuser(true);
     sessionMetadata.setClientId("NewRegistrar");
     persistActiveHost(oldHostName());
 

javatests/google/registry/flows/session/LoginFlowTestCase.java

@@ -14,7 +14,6 @@
 
 package google.registry.flows.session;
 
-import static com.google.common.truth.Truth.assertThat;
 import static google.registry.testing.DatastoreHelper.deleteResource;
 import static google.registry.testing.DatastoreHelper.persistResource;
 
@@ -76,21 +75,6 @@ public abstract class LoginFlowTestCase extends FlowTestCase<LoginFlow> {
   @Test
   public void testSuccess() throws Exception {
     doSuccessfulTest("login_valid.xml");
-    assertThat(sessionMetadata.isSuperuser()).isFalse();
-  }
-
-  @Test
-  public void testSuccess_superuser() throws Exception {
-    persistResource(getRegistrarBuilder().setIanaIdentifier(9999L).build());
-    doSuccessfulTest("login_valid.xml");
-    assertThat(sessionMetadata.isSuperuser()).isTrue();
-  }
-
-  @Test
-  public void testSuccess_notSuperuser() throws Exception {
-    persistResource(getRegistrarBuilder().setIanaIdentifier(15L).build());
-    doSuccessfulTest("login_valid.xml");
-    assertThat(sessionMetadata.isSuperuser()).isFalse();
   }
 
   @Test

javatests/google/registry/model/EppResourceUtilsTest.java

@@ -87,6 +87,7 @@ public class EppResourceUtilsTest {
         sessionMetadata,
         new PasswordOnlyTransportCredentials(),
         false,
+        false,
         "<xml></xml>".getBytes(),
         null,
         clock)