Merge remote-tracking branch 'origin/add-registrant-api-token-log' into add-role-filter-to-registrant-api

2025-07-24 19:48:28 +02:00 · 2021-02-23 13:48:05 +02:00 · 2021-02-23 13:48:05 +02:00 · f60bf4013c
commit f60bf4013c
parent 951d95a3e8 d864265760
60 changed files with 1153 additions and 178 deletions
--- a/app/controllers/api/v1/base_controller.rb
+++ b/app/controllers/api/v1/base_controller.rb
@ -11,7 +11,7 @@ module Api
      end

      def authenticate_shared_key
-        api_key = "Basic #{ENV['api_shared_key']}"
+        api_key = "Basic #{ENV['rwhois_internal_api_shared_key']}"
        head(:unauthorized) unless api_key == request.authorization
      end

--- a/app/controllers/api/v1/bounces_controller.rb
+++ b/app/controllers/api/v1/bounces_controller.rb
@ -1,7 +1,7 @@
 module Api
  module V1
    class BouncesController < BaseController
-      before_action :authenticate_shared_key
+      before_action :validate_shared_key_integrity

      # POST api/v1/bounces/
      def create
@ -20,6 +20,13 @@ module Api

        params.require(:data)
      end
+
+      private
+
+      def validate_shared_key_integrity
+        api_key = "Basic #{ENV['rwhois_bounces_api_shared_key']}"
+        head(:unauthorized) unless api_key == request.authorization
+      end
    end
  end
 end
--- a/app/controllers/api/v1/contact_requests_controller.rb
+++ b/app/controllers/api/v1/contact_requests_controller.rb
@ -0,0 +1,37 @@
+module Api
+  module V1
+    class ContactRequestsController < BaseController
+      before_action :authenticate_shared_key
+
+      # POST api/v1/contact_requests/
+      def create
+        return head(:bad_request) if contact_request_params[:email].blank?
+
+        contact_request = ContactRequest.save_record(contact_request_params)
+        render json: contact_request, status: :created
+      rescue StandardError
+        head(:bad_request)
+      end
+
+      def update
+        return head(:bad_request) if params[:id].blank?
+
+        process_id(params[:id])
+      end
+
+      def process_id(id)
+        record = ContactRequest.find_by(id: id)
+        return :not_found unless record
+
+        record.update_status(contact_request_params)
+        render json: record, status: :ok
+      rescue StandardError
+        head :bad_request
+      end
+
+      def contact_request_params
+        params.require(:contact_request).permit(:email, :whois_record_id, :name, :status, :ip)
+      end
+    end
+  end
+end
--- a/app/controllers/api/v1/registrant/auth_controller.rb
+++ b/app/controllers/api/v1/registrant/auth_controller.rb
@ -19,6 +19,8 @@ module Api
          token = create_token(user)

          if token
+            ToStdout.msg("Bearer for #{eid_params[:first_name]} #{eid_params[:last_name]} " \
+                         "(#{eid_params[:ident]}) - '#{token[:access_token]}'")
            render json: token
          else
            render json: { errors: [{ base: ['Cannot create generate session token'] }] }
--- a/app/controllers/epp/contacts_controller.rb
+++ b/app/controllers/epp/contacts_controller.rb
@ -14,7 +14,7 @@ module Epp
      authorize! :check, Epp::Contact

      ids = params[:parsed_frame].css('id').map(&:text)
-      @results = Epp::Contact.check_availability(ids)
+      @results = Epp::Contact.check_availability(ids, reg: current_user.registrar.code)
      render_epp_response '/epp/contacts/check'
    end

@ -93,7 +93,11 @@ module Epp

    def find_contact
      code = params[:parsed_frame].css('id').text.strip.upcase
-      @contact = Epp::Contact.find_by!(code: code)
+      reg_code = current_user.registrar.code.upcase
+      arr = [code, "#{reg_code}:#{code}", "CID:#{code}", "CID:#{reg_code}:#{code}"]
+
+      contact = arr.find { |c| Epp::Contact.find_by(code: c).present? }
+      @contact = Epp::Contact.find_by!(code: contact || code)
    end

    #
--- a/app/controllers/registrar/admin_contacts_controller.rb
+++ b/app/controllers/registrar/admin_contacts_controller.rb
@ -0,0 +1,18 @@
+class Registrar
+  class AdminContactsController < BulkChangeController
+    BASE_URL = URI.parse("#{ENV['repp_url']}domains/admin_contacts").freeze
+    ACTIVE_TAB = :admin_contact
+
+    def update
+      authorize! :manage, :repp
+      uri = BASE_URL
+      request = form_request(uri)
+      response = do_request(request, uri)
+      start_notice = t('.replaced')
+
+      process_response(response: response,
+                       start_notice: start_notice,
+                       active_tab: ACTIVE_TAB)
+    end
+  end
+end
--- a/app/controllers/registrar/bulk_change_controller.rb
+++ b/app/controllers/registrar/bulk_change_controller.rb
@ -26,6 +26,84 @@ class Registrar

    private

+    def form_request(uri)
+      request = Net::HTTP::Patch.new(uri)
+      request.set_form_data(current_contact_id: params[:current_contact_id],
+                            new_contact_id: params[:new_contact_id])
+      request.basic_auth(current_registrar_user.username,
+                         current_registrar_user.plain_text_password)
+      request
+    end
+
+    def process_response(response:, start_notice: '', active_tab:)
+      parsed_response = JSON.parse(response.body, symbolize_names: true)
+
+      if response.code == '200'
+        notices = success_notices(parsed_response, start_notice)
+
+        flash[:notice] = notices.join(', ')
+        redirect_to registrar_domains_url
+      else
+        @error = response.code == '404' ? 'Contact(s) not found' : parsed_response[:message]
+        render file: 'registrar/bulk_change/new', locals: { active_tab: active_tab }
+      end
+    end
+
+    def success_notices(parsed_response, start_notice)
+      notices = [start_notice]
+
+      notices << "#{t('.affected_domains')}: " \
+                   "#{parsed_response[:data][:affected_domains].join(', ')}"
+
+      if parsed_response[:data][:skipped_domains]
+        notices << "#{t('.skipped_domains')}: " \
+                     "#{parsed_response[:data][:skipped_domains].join(', ')}"
+      end
+      notices
+    end
+
+    def do_request(request, uri)
+      response = if Rails.env.test?
+                   do_test_request(request, uri)
+                 elsif Rails.env.development?
+                   do_dev_request(request, uri)
+                 else
+                   do_live_request(request, uri)
+                 end
+      response
+    end
+
+    def do_live_request(request, uri)
+      client_cert = File.read(ENV['cert_path'])
+      client_key = File.read(ENV['key_path'])
+      Net::HTTP.start(uri.hostname, uri.port,
+                      use_ssl: (uri.scheme == 'https'),
+                      cert: OpenSSL::X509::Certificate.new(client_cert),
+                      key: OpenSSL::PKey::RSA.new(client_key)) do |http|
+        http.request(request)
+      end
+    end
+
+    def do_dev_request(request, uri)
+      client_cert = File.read(ENV['cert_path'])
+      client_key = File.read(ENV['key_path'])
+      Net::HTTP.start(uri.hostname, uri.port,
+                      use_ssl: (uri.scheme == 'https'),
+                      verify_mode: OpenSSL::SSL::VERIFY_NONE,
+                      cert: OpenSSL::X509::Certificate.new(client_cert),
+                      key: OpenSSL::PKey::RSA.new(client_key)) do |http|
+        http.request(request)
+      end
+    end
+
+    def do_test_request(request, uri)
+      Net::HTTP.start(uri.hostname, uri.port,
+                      use_ssl: (uri.scheme == 'https'),
+                      verify_mode: OpenSSL::SSL::VERIFY_NONE) do |http|
+        http.request(request)
+      end
+    end
+
    def ready_to_renew?
      domain_ids_for_bulk_renew.present? && params[:renew].present?
    end
--- a/app/controllers/registrar/domain_transfers_controller.rb
+++ b/app/controllers/registrar/domain_transfers_controller.rb
@ -25,32 +25,7 @@ class Registrar
                           current_registrar_user.plain_text_password)


-        if Rails.env.test?
-          response = Net::HTTP.start(uri.hostname, uri.port,
-                                     use_ssl: (uri.scheme == 'https'),
-                                     verify_mode: OpenSSL::SSL::VERIFY_NONE) do |http|
-            http.request(request)
-          end
-        elsif Rails.env.development?
-          client_cert = File.read(ENV['cert_path'])
-          client_key = File.read(ENV['key_path'])
-          response = Net::HTTP.start(uri.hostname, uri.port,
-                                     use_ssl: (uri.scheme == 'https'),
-                                     verify_mode: OpenSSL::SSL::VERIFY_NONE,
-                                     cert: OpenSSL::X509::Certificate.new(client_cert),
-                                     key: OpenSSL::PKey::RSA.new(client_key)) do |http|
-            http.request(request)
-          end
-        else
-          client_cert = File.read(ENV['cert_path'])
-          client_key = File.read(ENV['key_path'])
-          response = Net::HTTP.start(uri.hostname, uri.port,
-                                     use_ssl: (uri.scheme == 'https'),
-                                     cert: OpenSSL::X509::Certificate.new(client_cert),
-                                     key: OpenSSL::PKey::RSA.new(client_key)) do |http|
-            http.request(request)
-          end
-        end
+        response = do_request(request, uri)

        parsed_response = JSON.parse(response.body, symbolize_names: true)

--- a/app/controllers/registrar/nameservers_controller.rb
+++ b/app/controllers/registrar/nameservers_controller.rb
@ -18,32 +18,7 @@ class Registrar
      request.basic_auth(current_registrar_user.username,
                         current_registrar_user.plain_text_password)

-      if Rails.env.test?
-        response = Net::HTTP.start(uri.hostname, uri.port,
-                                   use_ssl: (uri.scheme == 'https'),
-                                   verify_mode: OpenSSL::SSL::VERIFY_NONE) do |http|
-          http.request(request)
-        end
-      elsif Rails.env.development?
-        client_cert = File.read(ENV['cert_path'])
-        client_key = File.read(ENV['key_path'])
-        response = Net::HTTP.start(uri.hostname, uri.port,
-                                   use_ssl: (uri.scheme == 'https'),
-                                   verify_mode: OpenSSL::SSL::VERIFY_NONE,
-                                   cert: OpenSSL::X509::Certificate.new(client_cert),
-                                   key: OpenSSL::PKey::RSA.new(client_key)) do |http|
-          http.request(request)
-        end
-      else
-        client_cert = File.read(ENV['cert_path'])
-        client_key = File.read(ENV['key_path'])
-        response = Net::HTTP.start(uri.hostname, uri.port,
-                                   use_ssl: (uri.scheme == 'https'),
-                                   cert: OpenSSL::X509::Certificate.new(client_cert),
-                                   key: OpenSSL::PKey::RSA.new(client_key)) do |http|
-          http.request(request)
-        end
-      end
+      response = do_request(request, uri)

      parsed_response = JSON.parse(response.body, symbolize_names: true)

--- a/app/controllers/registrar/tech_contacts_controller.rb
+++ b/app/controllers/registrar/tech_contacts_controller.rb
@ -1,62 +1,19 @@
 class Registrar
  class TechContactsController < BulkChangeController
+    BASE_URL = URI.parse("#{ENV['repp_url']}domains/contacts").freeze
+    ACTIVE_TAB = :technical_contact
+
    def update
      authorize! :manage, :repp

-      uri = URI.parse("#{ENV['repp_url']}domains/contacts")
+      uri = BASE_URL
+      request = form_request(uri)
+      response = do_request(request, uri)
+      start_notice = t('.replaced')

-      request = Net::HTTP::Patch.new(uri)
-      request.set_form_data(current_contact_id: params[:current_contact_id],
-                            new_contact_id: params[:new_contact_id])
-      request.basic_auth(current_registrar_user.username,
-                         current_registrar_user.plain_text_password)
-
-      if Rails.env.test?
-        response = Net::HTTP.start(uri.hostname, uri.port,
-                                   use_ssl: (uri.scheme == 'https'),
-                                   verify_mode: OpenSSL::SSL::VERIFY_NONE) do |http|
-          http.request(request)
-        end
-      elsif Rails.env.development?
-        client_cert = File.read(ENV['cert_path'])
-        client_key = File.read(ENV['key_path'])
-        response = Net::HTTP.start(uri.hostname, uri.port,
-                                   use_ssl: (uri.scheme == 'https'),
-                                   verify_mode: OpenSSL::SSL::VERIFY_NONE,
-                                   cert: OpenSSL::X509::Certificate.new(client_cert),
-                                   key: OpenSSL::PKey::RSA.new(client_key)) do |http|
-          http.request(request)
-        end
-      else
-        client_cert = File.read(ENV['cert_path'])
-        client_key = File.read(ENV['key_path'])
-        response = Net::HTTP.start(uri.hostname, uri.port,
-                                   use_ssl: (uri.scheme == 'https'),
-                                   cert: OpenSSL::X509::Certificate.new(client_cert),
-                                   key: OpenSSL::PKey::RSA.new(client_key)) do |http|
-          http.request(request)
-        end
-      end
-
-      parsed_response = JSON.parse(response.body, symbolize_names: true)
-
-      if response.code == '200'
-        notices = [t('.replaced')]
-
-        notices << "#{t('.affected_domains')}: " \
-                   "#{parsed_response[:data][:affected_domains].join(', ')}"
-
-        if parsed_response[:data][:skipped_domains]
-          notices << "#{t('.skipped_domains')}: " \
-                     "#{parsed_response[:data][:skipped_domains].join(', ')}"
-        end
-
-        flash[:notice] = notices.join(', ')
-        redirect_to registrar_domains_url
-      else
-        @error = response.code == '404' ? 'Contact(s) not found' : parsed_response[:message]
-        render file: 'registrar/bulk_change/new', locals: { active_tab: :technical_contact }
-      end
+      process_response(response: response,
+                       start_notice: start_notice,
+                       active_tab: ACTIVE_TAB)
    end
  end
 end
--- a/app/controllers/repp/v1/domains/admin_contacts_controller.rb
+++ b/app/controllers/repp/v1/domains/admin_contacts_controller.rb
@ -0,0 +1,21 @@
+module Repp
+  module V1
+    module Domains
+      class AdminContactsController < BaseContactsController
+        def update
+          super
+
+          unless @new_contact.identical_to?(@current_contact)
+            @epp_errors << { code: 2304, msg: 'Admin contacts must be identical' }
+          end
+
+          return handle_errors if @epp_errors.any?
+
+          affected, skipped = AdminDomainContact.replace(@current_contact, @new_contact)
+          @response = { affected_domains: affected, skipped_domains: skipped }
+          render_success(data: @response)
+        end
+      end
+    end
+  end
+end
--- a/app/controllers/repp/v1/domains/base_contacts_controller.rb
+++ b/app/controllers/repp/v1/domains/base_contacts_controller.rb
@ -0,0 +1,31 @@
+module Repp
+  module V1
+    module Domains
+      class BaseContactsController < BaseController
+        before_action :set_current_contact, only: [:update]
+        before_action :set_new_contact, only: [:update]
+
+        def set_current_contact
+          @current_contact = current_user.registrar.contacts
+                                         .find_by!(code: contact_params[:current_contact_id])
+        end
+
+        def set_new_contact
+          @new_contact = current_user.registrar.contacts.find_by!(code: params[:new_contact_id])
+        end
+
+        def update
+          @epp_errors ||= []
+          @epp_errors << { code: 2304, msg: 'New contact must be valid' } if @new_contact.invalid?
+        end
+
+        private
+
+        def contact_params
+          params.require(%i[current_contact_id new_contact_id])
+          params.permit(:current_contact_id, :new_contact_id)
+        end
+      end
+    end
+  end
+end
--- a/app/controllers/repp/v1/domains/contacts_controller.rb
+++ b/app/controllers/repp/v1/domains/contacts_controller.rb
@ -1,23 +1,9 @@
 module Repp
  module V1
    module Domains
-      class ContactsController < BaseController
-        before_action :set_current_contact, only: [:update]
-        before_action :set_new_contact, only: [:update]
-
-        def set_current_contact
-          @current_contact = current_user.registrar.contacts.find_by!(
-            code: contact_params[:current_contact_id]
-          )
-        end
-
-        def set_new_contact
-          @new_contact = current_user.registrar.contacts.find_by!(code: params[:new_contact_id])
-        end
-
+      class ContactsController < BaseContactsController
        def update
-          @epp_errors ||= []
-          @epp_errors << { code: 2304, msg: 'New contact must be valid' } if @new_contact.invalid?
+          super

          if @new_contact == @current_contact
            @epp_errors << { code: 2304, msg: 'New contact must be different from current' }
@ -29,13 +15,6 @@ module Repp
          @response = { affected_domains: affected, skipped_domains: skipped }
          render_success(data: @response)
        end
-
-        private
-
-        def contact_params
-          params.require(%i[current_contact_id new_contact_id])
-          params.permit(:current_contact_id, :new_contact_id)
-        end
      end
    end
  end
--- a/app/models/actions/contact_delete.rb
+++ b/app/models/actions/contact_delete.rb
@ -19,6 +19,11 @@ module Actions
        return
      end

+      if contact.delete_prohibited?
+        contact.errors.add(:statuses, :delete_prohibited)
+        return
+      end
+
      commit
    end

--- a/app/models/admin_domain_contact.rb
+++ b/app/models/admin_domain_contact.rb
@ -1,2 +1,26 @@
 class AdminDomainContact < DomainContact
+  # rubocop:disable Metrics/AbcSize
+  # rubocop:disable Metrics/MethodLength
+  def self.replace(current_contact, new_contact)
+    affected_domains = []
+    skipped_domains = []
+    admin_contacts = where(contact: current_contact)
+
+    admin_contacts.each do |admin_contact|
+      if admin_contact.domain.bulk_update_prohibited?
+        skipped_domains << admin_contact.domain.name
+        next
+      end
+      begin
+        admin_contact.contact = new_contact
+        admin_contact.save!
+        affected_domains << admin_contact.domain.name
+      rescue ActiveRecord::RecordNotUnique
+        skipped_domains << admin_contact.domain.name
+      end
+    end
+    [affected_domains.sort, skipped_domains.sort]
+  end
+  # rubocop:enable Metrics/AbcSize
+  # rubocop:enable Metrics/MethodLength
 end
--- a/app/models/bounced_mail_address.rb
+++ b/app/models/bounced_mail_address.rb
@ -1,5 +1,6 @@
 class BouncedMailAddress < ApplicationRecord
  validates :email, :message_id, :bounce_type, :bounce_subtype, :action, :status, presence: true
+  after_destroy :destroy_aws_suppression

  def bounce_reason
    "#{action} (#{status} #{diagnostic})"
@ -25,4 +26,20 @@ class BouncedMailAddress < ApplicationRecord
      diagnostic: bounced_record['diagnosticCode'],
    }
  end
+
+  def destroy_aws_suppression
+    return unless BouncedMailAddress.ses_configured?
+
+    res = Aws::SESV2::Client.new.delete_suppressed_destination(email_address: email)
+    res.successful?
+  rescue Aws::SESV2::Errors::ServiceError => e
+    logger.warn("Suppression not removed. #{e}")
+  end
+
+  def self.ses_configured?
+    ses ||= Aws::SESV2::Client.new
+    ses.config.credentials.access_key_id.present?
+  rescue Aws::Errors::MissingRegionError
+    false
+  end
 end
--- a/app/models/concerns/contact/identical.rb
+++ b/app/models/concerns/contact/identical.rb
@ -11,6 +11,13 @@ module Concerns::Contact::Identical
    ident_country_code
    org_name
  ]
+
+  IDENTICAL_ATTRIBUTES = %w[
+    ident
+    ident_type
+    ident_country_code
+  ].freeze
+
  private_constant :IDENTIFIABLE_ATTRIBUTES

  def identical(registrar)
@ -20,6 +27,12 @@ module Concerns::Contact::Identical
      .where.not(id: id).take
  end

+  def identical_to?(contact)
+    IDENTICAL_ATTRIBUTES.all? do |attribute|
+      attributes[attribute] == contact.attributes[attribute]
+    end
+  end
+
  private

  def identifiable_hash
--- a/app/models/concerns/domain/deletable.rb
+++ b/app/models/concerns/domain/deletable.rb
@ -1,6 +1,12 @@
 module Concerns::Domain::Deletable
  extend ActiveSupport::Concern

+  DELETE_STATUSES = [
+    DomainStatus::PENDING_DELETE_CONFIRMATION,
+    DomainStatus::PENDING_DELETE,
+    DomainStatus::FORCE_DELETE,
+  ].freeze
+
  private

  def delete_later
--- a/app/models/concerns/domain/force_delete.rb
+++ b/app/models/concerns/domain/force_delete.rb
@ -11,6 +11,11 @@ module Concerns::Domain::ForceDelete # rubocop:disable Metrics/ModuleLength
          lambda {
            where("(force_delete_data->>'contact_notification_sent_date') is null")
          }
+
+    HOLD_STATUSES = [
+      DomainStatus::SERVER_HOLD,
+      DomainStatus::CLIENT_HOLD,
+    ].freeze
  end

  class_methods do
@ -19,6 +24,10 @@ module Concerns::Domain::ForceDelete # rubocop:disable Metrics/ModuleLength
    end
  end

+  def hold_status?
+    HOLD_STATUSES.any? { |status| statuses.include? status }
+  end
+
  def notification_template(explicit: nil)
    reason = explicit&.downcase
    return reason if %w[invalid_email invalid_phone].include?(reason)
--- a/app/models/concerns/domain/registry_lockable.rb
+++ b/app/models/concerns/domain/registry_lockable.rb
@ -12,6 +12,7 @@ module Concerns
          statuses << DomainStatus::SERVER_DELETE_PROHIBITED
          statuses << DomainStatus::SERVER_TRANSFER_PROHIBITED
          self.locked_by_registrant_at = Time.zone.now
+          alert_registrar_lock_changes!(lock: true)

          save!
        end
@ -42,10 +43,21 @@ module Concerns
          statuses.delete(DomainStatus::SERVER_DELETE_PROHIBITED)
          statuses.delete(DomainStatus::SERVER_TRANSFER_PROHIBITED)
          self.locked_by_registrant_at = nil
+          alert_registrar_lock_changes!(lock: false)

          save!
        end
      end
+
+      def alert_registrar_lock_changes!(lock: true)
+        translation = lock ? 'locked' : 'unlocked'
+        registrar.notifications.create!(
+          text: I18n.t("notifications.texts.registrar_#{translation}",
+                       domain_name: name),
+          attached_obj_id: name,
+          attached_obj_type: self.class.name
+        )
+      end
    end
  end
 end
--- a/app/models/contact_request.rb
+++ b/app/models/contact_request.rb
@ -0,0 +1,40 @@
+class ContactRequest < ApplicationRecord
+  establish_connection :"whois_#{Rails.env}"
+  self.table_name = 'contact_requests'
+
+  STATUS_NEW       = 'new'.freeze
+  STATUS_CONFIRMED = 'confirmed'.freeze
+  STATUS_SENT      = 'sent'.freeze
+  STATUSES         = [STATUS_NEW, STATUS_CONFIRMED, STATUS_SENT].freeze
+
+  validates :whois_record_id, presence: true
+  validates :email, presence: true
+  validates :name, presence: true
+  validates :status, inclusion: { in: STATUSES }
+
+  attr_readonly :secret,
+                :valid_to
+
+  def self.save_record(params)
+    contact_request = new(params)
+    contact_request.secret = create_random_secret
+    contact_request.valid_to = set_valid_to_24_hours_from_now
+    contact_request.status = STATUS_NEW
+    contact_request.save!
+    contact_request
+  end
+
+  def update_status(params)
+    self.status = params['status']
+    self.ip_address = params['ip']
+    save!
+  end
+
+  def self.create_random_secret
+    SecureRandom.hex(64)
+  end
+
+  def self.set_valid_to_24_hours_from_now
+    (Time.zone.now + 24.hours)
+  end
+end
--- a/app/models/domain.rb
+++ b/app/models/domain.rb
@ -107,13 +107,13 @@ class Domain < ApplicationRecord

  validate :status_is_consistant
  def status_is_consistant
-      has_error = (statuses.include?(DomainStatus::SERVER_HOLD) && statuses.include?(DomainStatus::SERVER_MANUAL_INZONE))
-      unless has_error
-        if (statuses & [DomainStatus::PENDING_DELETE_CONFIRMATION, DomainStatus::PENDING_DELETE, DomainStatus::FORCE_DELETE]).any?
-          has_error = statuses.include? DomainStatus::SERVER_DELETE_PROHIBITED
-        end
+    has_error = (hold_status? && statuses.include?(DomainStatus::SERVER_MANUAL_INZONE))
+    unless has_error
+      if (statuses & DELETE_STATUSES).any?
+        has_error = statuses.include? DomainStatus::SERVER_DELETE_PROHIBITED
      end
-      errors.add(:domains, I18n.t(:object_status_prohibits_operation)) if has_error
+    end
+    errors.add(:domains, I18n.t(:object_status_prohibits_operation)) if has_error
  end

  attr_accessor :is_admin
--- a/app/models/epp/contact.rb
+++ b/app/models/epp/contact.rb
@ -42,17 +42,12 @@ class Epp::Contact < Contact
      )
    end

-    def check_availability(codes)
+    def check_availability(codes, reg:)
      codes = [codes] if codes.is_a?(String)
-
      res = []
-      codes.each do |x|
-        contact = find_by_epp_code(x)
-        if contact
-          res << { code: contact.code, avail: 0, reason: 'in use' }
-        else
-          res << { code: x, avail: 1 }
-        end
+      codes.map { |c| c.include?(':') ? c : "#{reg}:#{c}" }.map { |c| c.strip.upcase }.each do |x|
+        c = find_by_epp_code(x)
+        res << (c ? { code: c.code, avail: 0, reason: 'in use' } : { code: x, avail: 1 })
      end

      res
@ -87,8 +82,11 @@ class Epp::Contact < Contact
      '2302' => [ # Object exists
        [:code, :epp_id_taken]
      ],
+      '2304' => [ # Status prohibits operation
+        [:statuses, :delete_prohibited],
+      ],
      '2305' => [ # Association exists
-        [:domains, :exist]
+        [:domains, :exist],
      ]
    }
  end
--- a/app/models/epp/domain.rb
+++ b/app/models/epp/domain.rb
@ -495,7 +495,7 @@ class Epp::Domain < Domain
    registrant_verification_needed = false
    # registrant block may not be present, so we need this to rule out false positives
    if frame.css('registrant').text.present?
-      registrant_verification_needed = (registrant.code != frame.css('registrant').text)
+      registrant_verification_needed = verification_needed?(code: frame.css('registrant').text)
    end

    if registrant_verification_needed && disputed?
@ -612,7 +612,6 @@ class Epp::Domain < Domain

    statuses.delete(DomainStatus::SERVER_HOLD)
    statuses.delete(DomainStatus::EXPIRED)
-    statuses.delete(DomainStatus::SERVER_UPDATE_PROHIBITED)
    cancel_pending_delete

    save
@ -798,4 +797,13 @@ class Epp::Domain < Domain
      result
    end
  end
+
+  private
+
+  def verification_needed?(code:)
+    new_registrant = Registrant.find_by(code: code)
+    return false if new_registrant.try(:identical_to?, registrant)
+
+    registrant.code != code
+  end
 end
--- a/app/models/notification.rb
+++ b/app/models/notification.rb
@ -25,6 +25,10 @@ class Notification < ApplicationRecord
    ''
  end

+  def registry_lock?
+    text.include?('has been locked') || text.include?('has been unlocked')
+  end
+
  private

  def set_defaults
--- a/app/models/white_ip.rb
+++ b/app/models/white_ip.rb
@ -4,8 +4,13 @@ class WhiteIp < ApplicationRecord

  validate :valid_ipv4?
  validate :valid_ipv6?
-
  validate :validate_ipv4_and_ipv6
+  before_save :normalize_blank_values
+
+  def normalize_blank_values
+    %i[ipv4 ipv6].each { |c| self[c].present? || self[c] = nil }
+  end
+
  def validate_ipv4_and_ipv6
    return if ipv4.present? || ipv6.present?
    errors.add(:base, I18n.t(:ipv4_or_ipv6_must_be_present))
@ -50,10 +55,10 @@ class WhiteIp < ApplicationRecord
    def ids_including(ip)
      ipv4 = ipv6 = []
      if check_ip4(ip).present?
-        ipv4 = select { |white_ip| IPAddr.new(white_ip.ipv4, Socket::AF_INET) === check_ip4(ip) }
+        ipv4 = select { |white_ip| check_ip4(white_ip.ipv4) === check_ip4(ip) }
      end
      if check_ip6(ip).present?
-        ipv6 = select { |white_ip| IPAddr.new(white_ip.ipv6, Socket::AF_INET6) === check_ip6(ip) }
+        ipv6 = select { |white_ip| check_ip6(white_ip.ipv6) === check_ip6(ip) }
      end
      (ipv4 + ipv6).pluck(:id).flatten.uniq
    end
--- a/app/models/whois_record.rb
+++ b/app/models/whois_record.rb
@ -97,7 +97,9 @@ class WhoisRecord < ApplicationRecord
  end

  def destroy_whois_record
-    Whois::Record.without_auctions.where(name: name).delete_all
+    return if Auction.find_by(domain: name).present?
+
+    Whois::Record.where(name: name).delete_all
  end

  private
--- a/app/views/epp/poll/poll_req.xml.builder
+++ b/app/views/epp/poll/poll_req.xml.builder
@ -15,12 +15,22 @@ xml.epp_head do
      end if @object
    end

-    if @notification.action&.contact
-      render(partial: 'epp/poll/action',
-             locals: {
-               builder: xml,
-               action: @notification.action
-             })
+    if @notification.action&.contact || @notification.registry_lock?
+      if @notification.registry_lock?
+        state = @notification.text.include?('unlocked') ? 'unlock' : 'lock'
+        xml.extension do
+          xml.tag!('changePoll:changeData',
+                   'xmlns:changePoll': 'https://epp.tld.ee/schema/changePoll-1.0.xsd') do
+            xml.tag!('changePoll:operation', state)
+          end
+        end
+      else
+        render(partial: 'epp/poll/action',
+               locals: {
+                 builder: xml,
+                 action: @notification.action,
+               })
+      end
    end

    render('epp/shared/trID', builder: xml)
--- a/app/views/registrar/bulk_change/_admin_contact_form.html.erb
+++ b/app/views/registrar/bulk_change/_admin_contact_form.html.erb
@ -0,0 +1,65 @@
+<%= form_tag registrar_admin_contacts_path, method: :patch, class: 'form-horizontal' do %>
+    <% if @error %>
+        <div class="alert alert-danger">
+            <%= @error %>
+        </div>
+    <% end %>
+
+    <div class="form-group">
+        <div class="row">
+            <div class="col-md-6 control-label">
+              <p><%= t '.comment' %></p>
+            </div>
+        </div>
+        <div class="col-md-2 control-label">
+            <%= label_tag :current_contact_id, t('.current_contact_id') %>
+        </div>
+
+        <div class="col-md-4 current_admin_contact">
+            <%= text_field_tag :current_contact_id, params[:current_contact_id],
+                               list: :contacts,
+                               required: true,
+                               autofocus: true,
+                               class: 'form-control' %>
+        </div>
+    </div>
+
+    <div class="form-group">
+        <div class="col-md-2 control-label">
+            <%= label_tag :new_contact_id, t('.new_contact_id') %>
+        </div>
+
+        <div class="col-md-4 new_admin_contact">
+            <%= text_field_tag :new_contact_id, params[:new_contact_id],
+                               list: :contacts,
+                               required: true,
+                               class: 'form-control' %>
+        </div>
+    </div>
+
+    <div class="form-group">
+        <div class="col-md-4 col-md-offset-2 text-right">
+            <button class="btn btn-warning">
+                <%= t '.submit_btn' %>
+            </button>
+        </div>
+    </div>
+
+    <div class="form-group">
+        <div class="col-md-6">
+            <a class="btn btn-default btn-xs" role="button" data-toggle="collapse"
+               href="#bulk_change_tech_contact_help"><%= t '.help_btn' %></a>
+            <div class="collapse" id="bulk_change_tech_contact_help">
+                <div class="well">
+                    <%= t '.help' %>
+                </div>
+            </div>
+        </div>
+    </div>
+<% end %>
+
+<datalist id="contacts">
+    <% available_contacts.each do |data| %>
+        <option value="<%= data.second %>"><%= data.first %></option>
+    <% end %>
+</datalist>
--- a/app/views/registrar/bulk_change/_tech_contact_form.html.erb
+++ b/app/views/registrar/bulk_change/_tech_contact_form.html.erb
@ -10,7 +10,7 @@
            <%= label_tag :current_contact_id, t('.current_contact_id') %>
        </div>

-        <div class="col-md-4">
+        <div class="col-md-4 current_tech_contact">
            <%= text_field_tag :current_contact_id, params[:current_contact_id],
                               list: :contacts,
                               required: true,
@ -24,7 +24,7 @@
            <%= label_tag :new_contact_id, t('.new_contact_id') %>
        </div>

-        <div class="col-md-4">
+        <div class="col-md-4 new_tech_contact">
            <%= text_field_tag :new_contact_id, params[:new_contact_id],
                               list: :contacts,
                               required: true,
--- a/app/views/registrar/bulk_change/new.html.erb
+++ b/app/views/registrar/bulk_change/new.html.erb
@ -12,6 +12,10 @@
                <a href="#technical_contact" data-toggle="tab"><%= t '.technical_contact' %></a>
            </li>

+            <li class="<%= 'active' if active_tab == :admin_contact %>">
+                <a href="#admin_contact" data-toggle="tab"><%= t '.admin_contact' %></a>
+            </li>
+
            <li class="<%= 'active' if active_tab == :nameserver %>">
                <a href="#nameserver" data-toggle="tab"><%= t '.nameserver' %></a>
            </li>
@ -31,6 +35,11 @@
                <%= render 'tech_contact_form', available_contacts: available_contacts %>
            </div>

+            <div class="tab-pane<%= ' active' if active_tab == :admin_contact %>"
+                 id="admin_contact">
+                <%= render 'admin_contact_form', available_contacts: available_contacts %>
+            </div>
+
            <div class="tab-pane<%= ' active' if active_tab == :nameserver %>" id="nameserver">
                <%= render 'nameserver_form' %>
            </div>