Add RST support in Sandbox

Added RST test label files as resources.

Added a RstTmchUtils class that loads appropriate labels according to
TLD pattern.

Temporarily changed label fetching in production to include the TLD
string, so that the new class may know which set of labels to use.

Author: weiminyu

core/src/main/java/google/registry/flows/domain/DomainClaimsCheckFlow.java

@@ -108,7 +108,8 @@ public EppResponse run() throws EppException {
           verifyClaimsPeriodNotEnded(tld, now);
         }
       }
-      Optional<String> claimKey = ClaimsListDao.get().getClaimKey(parsedDomain.parts().get(0));
+      Optional<String> claimKey =
+          ClaimsListDao.get(tldStr).getClaimKey(parsedDomain.parts().get(0));
       launchChecksBuilder.add(
           LaunchCheck.create(
               LaunchCheckName.create(claimKey.isPresent(), domainName), claimKey.orElse(null)));

core/src/main/java/google/registry/flows/domain/DomainCreateFlow.java

@@ -280,7 +280,7 @@ public EppResponse run() throws EppException {
       checkAllowedAccessToTld(registrarId, tld.getTldStr());
       checkHasBillingAccount(registrarId, tld.getTldStr());
       boolean isValidReservedCreate = isValidReservedCreate(domainName, allocationToken);
-      ClaimsList claimsList = ClaimsListDao.get();
+      ClaimsList claimsList = ClaimsListDao.get(tld.getTldStr());
       verifyIsGaOrSpecialCase(
           tld,
           claimsList,
@@ -312,7 +312,8 @@ public EppResponse run() throws EppException {
       // at this point so that we can verify it before the "after validation" extension point.
       signedMarkId =
           tmchUtils
-              .verifySignedMarks(launchCreate.get().getSignedMarks(), domainLabel, now)
+              .verifySignedMarks(
+                  tld.getTldStr(), launchCreate.get().getSignedMarks(), domainLabel, now)
               .getId();
     }
     verifyNotBlockedByBsa(domainName, tld, now, allocationToken);

core/src/main/java/google/registry/flows/domain/DomainFlowTmchUtils.java

@@ -55,7 +55,7 @@ public DomainFlowTmchUtils(TmchXmlSignature tmchXmlSignature) {
   }
 
   public SignedMark verifySignedMarks(
-      ImmutableList<AbstractSignedMark> signedMarks, String domainLabel, DateTime now)
+      String tld, ImmutableList<AbstractSignedMark> signedMarks, String domainLabel, DateTime now)
       throws EppException {
     if (signedMarks.size() > 1) {
       throw new TooManySignedMarksException();
@@ -64,7 +64,7 @@ public SignedMark verifySignedMarks(
       throw new SignedMarksMustBeEncodedException();
     }
     SignedMark signedMark =
-        verifyEncodedSignedMark((EncodedSignedMark) signedMarks.get(0), now);
+        verifyEncodedSignedMark(tld, (EncodedSignedMark) signedMarks.get(0), now);
     return verifySignedMarkValidForDomainLabel(signedMark, domainLabel);
   }
 
@@ -76,8 +76,9 @@ public SignedMark verifySignedMarkValidForDomainLabel(SignedMark signedMark, Str
     return signedMark;
   }
 
-  public SignedMark verifyEncodedSignedMark(EncodedSignedMark encodedSignedMark, DateTime now)
-      throws EppException {
+  // TODO(b/412715713): remove the tld parameter when RST completes.
+  public SignedMark verifyEncodedSignedMark(
+      String tld, EncodedSignedMark encodedSignedMark, DateTime now) throws EppException {
     if (!encodedSignedMark.getEncoding().equals("base64")) {
       throw new Base64RequiredForEncodedSignedMarksException();
     }
@@ -95,7 +96,7 @@ public SignedMark verifyEncodedSignedMark(EncodedSignedMark encodedSignedMark, D
       throw new SignedMarkParsingErrorException();
     }
 
-    if (SignedMarkRevocationList.get().isSmdRevoked(signedMark.getId(), now)) {
+    if (SignedMarkRevocationList.get(tld).isSmdRevoked(signedMark.getId(), now)) {
       throw new SignedMarkRevokedErrorException();
     }
 

core/src/main/java/google/registry/model/smd/SignedMarkRevocationList.java

@@ -21,6 +21,7 @@
 import com.google.common.base.Supplier;
 import com.google.common.collect.ImmutableMap;
 import google.registry.model.ImmutableObject;
+import google.registry.tmch.RstTmchUtils;
 import jakarta.persistence.CollectionTable;
 import jakarta.persistence.Column;
 import jakarta.persistence.ElementCollection;
@@ -71,6 +72,11 @@ public static SignedMarkRevocationList get() {
     return CACHE.get();
   }
 
+  // TODO(b/412715713): remove the tld parameter when RST completes.
+  public static SignedMarkRevocationList get(String tld) {
+    return RstTmchUtils.getSmdrList(tld).orElseGet(SignedMarkRevocationList::get);
+  }
+
   /** Create a new {@link SignedMarkRevocationList} without saving it. */
   public static SignedMarkRevocationList create(
       DateTime creationTime, ImmutableMap<String, DateTime> revokes) {

core/src/main/java/google/registry/model/tmch/ClaimsListDao.java

@@ -22,6 +22,7 @@
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.ImmutableMap;
 import google.registry.model.CacheUtils;
+import google.registry.tmch.RstTmchUtils;
 import java.time.Duration;
 import java.util.Optional;
 
@@ -72,6 +73,11 @@ public static ClaimsList get() {
     return CACHE.get(ClaimsListDao.class);
   }
 
+  // TODO(b/412715713): remove the tld parameter when RST completes.
+  public static ClaimsList get(String tld) {
+    return RstTmchUtils.getClaimsList(tld).orElseGet(ClaimsListDao::get);
+  }
+
   /**
    * Returns the most recent revision of the {@link ClaimsList} in SQL or an empty list if it
    * doesn't exist.

core/src/main/java/google/registry/tmch/RstTmchUtils.java

@@ -0,0 +1,119 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.tmch;
+
+import static com.google.common.base.Suppliers.memoize;
+import static com.google.common.io.Resources.getResource;
+import static com.google.common.io.Resources.readLines;
+import static google.registry.tmch.RstTmchUtils.RstType.OTE;
+import static google.registry.tmch.RstTmchUtils.RstType.PROD;
+import static google.registry.util.RegistryEnvironment.SANDBOX;
+import static java.nio.charset.StandardCharsets.UTF_8;
+
+import com.google.common.base.Supplier;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.flogger.FluentLogger;
+import google.registry.model.smd.SignedMarkRevocationList;
+import google.registry.model.tmch.ClaimsList;
+import google.registry.util.RegistryEnvironment;
+import java.io.IOException;
+import java.net.URL;
+import java.util.Locale;
+import java.util.Optional;
+
+/**
+ * Utilities supporting TMCH-related RST testing in the Sandbox environment.
+ *
+ * <p>For logistic reasons we must conduct RST testing in the Sandbox environments. RST tests
+ * require the use of special labels hosted on their website. To isolate these labels from regular
+ * customers conducting onboarding tests, we manually download the test files as resources, and
+ * serve them up only to RST TLDs.
+ */
+public class RstTmchUtils {
+  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
+
+  enum RstType {
+    OTE,
+    PROD
+  }
+
+  private static final ImmutableMap<RstType, Supplier<Optional<ClaimsList>>> CLAIMS_CACHE =
+      ImmutableMap.of(
+          OTE, memoize(() -> getClaimList(OTE)), PROD, memoize(() -> getClaimList(PROD)));
+
+  private static final ImmutableMap<RstType, Supplier<Optional<SignedMarkRevocationList>>>
+      SMDRL_CACHE =
+          ImmutableMap.of(
+              OTE, memoize(() -> getSmdrList(OTE)), PROD, memoize(() -> getSmdrList(PROD)));
+
+  /**
+   * Returns appropriate test labels if {@code tld} is for RST testing; otherwise returns {@code
+   * defaultList}.
+   */
+  public static Optional<ClaimsList> getClaimsList(String tld) {
+    return getRstType(tld).map(CLAIMS_CACHE::get).flatMap(Supplier::get);
+  }
+
+  /**
+   * Returns appropriate test labels if {@code tld} is for RST testing; otherwise returns {@code
+   * defaultList}.
+   */
+  public static Optional<SignedMarkRevocationList> getSmdrList(String tld) {
+    return getRstType(tld).map(SMDRL_CACHE::get).flatMap(Supplier::get);
+  }
+
+  static Optional<RstType> getRstType(String tld) {
+    if (!RegistryEnvironment.get().equals(SANDBOX)) {
+      return Optional.empty();
+    }
+    if (tld.startsWith("cc-rst-test-")) {
+      return Optional.of(OTE);
+    }
+    if (tld.startsWith("zz--")) {
+      return Optional.of(PROD);
+    }
+    return Optional.empty();
+  }
+
+  private static Optional<ClaimsList> getClaimList(RstType rstType) {
+    if (!RegistryEnvironment.get().equals(SANDBOX)) {
+      return Optional.empty();
+    }
+    String resourceName = rstType.name().toLowerCase(Locale.ROOT) + ".rst.dnl.csv";
+    URL resource = getResource(RstTmchUtils.class, resourceName);
+    try {
+      return Optional.of(ClaimsListParser.parse(readLines(resource, UTF_8)));
+    } catch (IOException fnfe) {
+      // Do not throw.
+      logger.atSevere().log("Could not load Claims list for %s in Sandbox.", rstType);
+      return Optional.empty();
+    }
+  }
+
+  private static Optional<SignedMarkRevocationList> getSmdrList(RstType rstType) {
+    if (!RegistryEnvironment.get().equals(SANDBOX)) {
+      return Optional.empty();
+    }
+    String resourceName = rstType.name().toLowerCase(Locale.ROOT) + ".rst.smdrl.csv";
+    URL resource = getResource(RstTmchUtils.class, resourceName);
+    try {
+      return Optional.of(SmdrlCsvParser.parse(readLines(resource, UTF_8)));
+    } catch (IOException fnfe) {
+      // Do not throw.
+      logger.atSevere().log("Could not load Claims list for %s in Sandbox.", rstType);
+      return Optional.empty();
+    }
+  }
+}

core/src/main/resources/google/registry/tmch/ote.rst.dnl.csv

@@ -0,0 +1,10 @@
+1,2024-09-13T02:21:12.0Z
+DNL,lookup-key,insertion-datetime
+test---validate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z
+test--validate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z
+test-and-validate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z
+test-andvalidate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z
+test-validate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z
+testand-validate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z
+testandvalidate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z
+testvalidate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z

core/src/main/resources/google/registry/tmch/ote.rst.smdrl.csv

@@ -0,0 +1,7 @@
+1,2022-11-22T01:49:36.9Z
+smd-id,insertion-datetime
+0000001761385117375880-65535,2013-07-15T00:00:00.0Z
+0000001751501056761969-65535,2017-07-26T10:12:41.9Z
+000000541526299609231-65535,2018-05-14T17:52:23.7Z
+000000541602140609520-65535,2020-10-08T07:07:25.0Z
+000000541669081776937-65535,2022-11-22T01:49:36.9Z

core/src/main/resources/google/registry/tmch/prod.rst.dnl.csv

@@ -0,0 +1,10 @@
+1,2024-09-13T02:21:12.0Z
+DNL,lookup-key,insertion-datetime
+test---validate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z
+test--validate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z
+test-and-validate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z
+test-andvalidate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z
+test-validate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z
+testand-validate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z
+testandvalidate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z
+testvalidate,2024091300/6/a/b/arJyPPf2CK7f21bVGne0qMgW0000000001,2024-09-13T02:21:12.0Z

core/src/main/resources/google/registry/tmch/prod.rst.smdrl.csv

@@ -0,0 +1,7 @@
+1,2022-11-22T01:49:36.9Z
+smd-id,insertion-datetime
+0000001761385117375880-65535,2013-07-15T00:00:00.0Z
+0000001751501056761969-65535,2017-07-26T10:12:41.9Z
+000000541526299609231-65535,2018-05-14T17:52:23.7Z
+000000541602140609520-65535,2020-10-08T07:07:25.0Z
+000000541669081776937-65535,2022-11-22T01:49:36.9Z