#!/usr/bin/env lucicfg
# Copyright 2019 The Flutter Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
"""
LUCI project configuration for the production instance of LUCI.

After modifying this file execute it ('./main.star') to regenerate the configs.

This file uses a Python-like syntax known as Starlark:
https://docs.bazel.build/versions/master/skylark/language.html

The documentation for lucicfg can be found here:
https://chromium.googlesource.com/infra/luci/luci-go/+/refs/heads/master/lucicfg/doc/README.md
"""

load("//lib/common.star", "common")
load("//lib/repos.star", "repos")
load("//cocoon_config.star", "cocoon_config")
load("//devicelab_staging_config.star", "devicelab_staging_config")
load("//flutter_config.star", "flutter_config")
load("//recipes_config.star", "recipes_config")
load("//engine_config.star", "engine_config")
load("//infra_config.star", "infra_config")
load("//iostools_config.star", "iostools_config")
load("//packages_config.star", "packages_config")

# Avoid jumping back and forth with configs being updated by lower version
# lucicfg.
# check_version() stops generation when the running lucicfg is older than
# LUCICFG_VERSION, so everyone regenerates with at least this version.
LUCICFG_VERSION = "1.32.1"
lucicfg.check_version(LUCICFG_VERSION)

# Use LUCI Scheduler BBv2 names and add Scheduler realms configs.
lucicfg.enable_experiment("crbug.com/1182002")

# Output goes to generated/flutter and every file under it is tracked as
# generated, so manual edits there do not survive a regeneration: ACL and
# binding changes have to be made, and reviewed, in the Starlark sources.
# Warnings fail the run instead of being silently accepted.
lucicfg.config(
    config_dir = "generated/flutter",
    tracked_files = ["**/*"],
    fail_on_warnings = True,
    lint_checks = ["default"],
)

# Project declaration: the LUCI service hosts used by the "flutter" project
# plus the project-level ACLs and @root realm bindings. Project-level acls are
# inherited by every bucket declared in this file.
luci.project(
    name = "flutter",
    config_dir = "luci",
    buildbucket = "cr-buildbucket.appspot.com",
    logdog = "luci-logdog.appspot.com",
    milo = "luci-milo.appspot.com",
    scheduler = "luci-scheduler.appspot.com",
    swarming = "chromium-swarm.appspot.com",
    notify = "luci-notify.appspot.com",
    tricium = "tricium-prod.appspot.com",
    acls = [
        # Public read access: the "all" group includes anonymous callers, so
        # builds, logs, project configs and scheduler jobs are world-readable.
        # Anything written to build logs or build properties is public.
        acl.entry(
            roles = [
                acl.BUILDBUCKET_READER,
                acl.LOGDOG_READER,
                acl.PROJECT_CONFIGS_READER,
                acl.SCHEDULER_READER,
            ],
            groups = "all",
        ),
        # NOTE(review): because this entry sits at project level, both the
        # prod and the staging scheduler groups can trigger builds and
        # scheduler jobs in every bucket, including "prod". The narrower
        # per-bucket TRIGGERER entries further down do not restrict this.
        # Confirm that staging schedulers are meant to reach prod.
        acl.entry(
            roles = [
                acl.BUILDBUCKET_TRIGGERER,
                acl.SCHEDULER_TRIGGERER,
            ],
            groups = [
                "project-flutter-prod-schedulers",
                "project-flutter-staging-schedulers",
            ],
        ),
        # Owner-level control of buckets and scheduler jobs for admins only.
        acl.entry(
            roles = [
                acl.BUILDBUCKET_OWNER,
                acl.SCHEDULER_OWNER,
            ],
            groups = "project-flutter-admins",
        ),
        # Log writers come from a group that is not flutter-specific by name;
        # its membership is managed outside this file.
        acl.entry(
            acl.LOGDOG_WRITER,
            groups = "luci-logdog-chromium-writers",
        ),
        # Who may start CQ dry runs and full (committing) CQ runs.
        acl.entry(
            roles = [acl.CQ_COMMITTER, acl.CQ_DRY_RUNNER],
            groups = ["project-flutter-try-schedulers"],
        ),
    ],
    bindings = [
        # Task service accounts of all three environments may validate project
        # configs (presumably from within builds; confirm against the recipes).
        luci.binding(
            roles = "role/configs.validator",
            groups = [
                "project-flutter-try-task-accounts",
                "project-flutter-prod-task-accounts",
                "project-flutter-staging-task-accounts",
            ],
        ),
        # Administrative role over the project's Swarming pools.
        luci.binding(
            roles = "role/swarming.poolOwner",
            groups = "project-flutter-admins",
        ),
        # Pool contents are viewable by everyone, anonymous callers included.
        luci.binding(
            roles = "role/swarming.poolViewer",
            groups = "all",  # public
        ),
    ],
)

# Allow admins to use LED and "Debug" button on every builder and bot.
# Both bindings are on @root, so they are inherited by every realm of the
# project: members of project-flutter-admins can submit tasks to any pool
# realm and associate them with any builder realm, prod included. Membership
# of that group is therefore the effective control for ad-hoc prod execution.
luci.binding(
    realm = "@root",
    roles = "role/swarming.poolUser",
    groups = "project-flutter-admins",
)
luci.binding(
    realm = "@root",
    roles = "role/swarming.taskTriggerer",
    groups = "project-flutter-admins",
)

# These 4 pool security realms are effectively no-ops,
# as they inherit ACLs from the @root realm (defined via acls/bindings above).
# However, they are left here to ensure humans can search & find them,
# since they are referenced from LUCI's side of configs in `pools.cfg` file.
# NOTE(review): pools/prod, pools/try and pools/staging also receive extra
# bindings from the task_triggerers() calls below; as far as this file shows,
# only pools/tests relies purely on what it inherits from @root.
luci.realm(name = "pools/prod")
luci.realm(name = "pools/try")
luci.realm(name = "pools/staging")
luci.realm(name = "pools/tests")

def task_triggerers(*, pool_realm, builder_realms, users = None, groups = None, projects = "flutter"):
    """Grants the bindings needed to launch Swarming tasks and sub-builds.

    The given principals receive role/swarming.poolUser in the pool realm, and
    role/swarming.taskTriggerer plus role/buildbucket.creator in the builder
    realms. `projects` is applied to the pool binding only; the builder-realm
    bindings cover `users` and `groups` alone.

    Args:
      pool_realm: realm of the Swarming pool that tasks are submitted to.
      builder_realms: realm (or list of realms) that tasks and sub-builds are
        associated with.
      users: user or service account emails to grant the roles to, or None.
      groups: group names to grant the roles to, or None.
      projects: LUCI project identities additionally allowed to submit tasks
        to the pool. Defaults to "flutter", so every call grants pool access
        to the flutter project identity unless overridden.
    """

    # Pool side: who may submit tasks to the pool at all. This is the only
    # binding that includes project identities.
    luci.binding(
        realm = pool_realm,
        roles = "role/swarming.poolUser",
        users = users,
        groups = groups,
        projects = projects,
    )

    # Builder side: taskTriggerer allows associating tasks with the builder
    # realms, buildbucket.creator allows creating subbuilds there.
    builder_roles = [
        "role/swarming.taskTriggerer",
        "role/buildbucket.creator",
    ]
    for builder_role in builder_roles:
        luci.binding(
            realm = builder_realms,
            roles = builder_role,
            users = users,
            groups = groups,
        )

# Permissions for prod builds to trigger subbuilds.
# Only the prod builder service account is listed: no human group gets access
# to the prod pool through this call (admins have it via the @root bindings
# above). `projects` is left at its default, "flutter".
task_triggerers(
    pool_realm = "pools/prod",
    builder_realms = ["prod"],
    users = ["flutter-prod-builder@chops-service-accounts.iam.gserviceaccount.com"],
)

# Permissions to run LED jobs with try builds.
# Besides the try builder service account, members of the two groups may
# submit tasks to the try pool and create builds in the "try" realm.
task_triggerers(
    pool_realm = "pools/try",
    builder_realms = ["try"],
    users = ["flutter-try-builder@chops-service-accounts.iam.gserviceaccount.com"],
    groups = [
        "project-flutter-led-users",
        "project-flutter-try-schedulers",
    ],
)

# Permissions to run LED jobs with staging builds.
# NOTE(review): this is the only call that admits another project: the "dart"
# project identity gets poolUser on pools/staging. task_triggerers() passes
# `projects` to the pool binding only, so "dart" gets no role in the "staging"
# builder realm from this call. No service account is listed here, unlike the
# prod and try calls; confirm that is intended.
task_triggerers(
    pool_realm = "pools/staging",
    builder_realms = ["staging"],
    groups = [
        "project-flutter-led-users",
        "project-flutter-staging-schedulers",
    ],
    projects = [
        "flutter",
        "dart",
    ],
)

# Cloud Storage bucket configured for LogDog. Logs are readable by "all" via
# the project-level LOGDOG_READER entry, so treat their content as public.
luci.logdog(gs_bucket = "chromium-luci-logdog")

# Milo UI branding; both assets are fetched from Cloud Storage URLs.
luci.milo(
    logo =
        "https://storage.googleapis.com/chrome-infra-public/logo/flutter-logo.svg",
    favicon = "https://storage.googleapis.com/flutter_infra/favicon.ico",
)

# Production bucket.
# NOTE(review): these entries add to, and do not replace, the ACLs inherited
# from luci.project above, which already give BUILDBUCKET_TRIGGERER and
# SCHEDULER_TRIGGERER to both the prod and the staging scheduler groups. As
# written, staging schedulers can therefore trigger prod builds; if that is
# not intended, the project-level entry is the place to narrow.
luci.bucket(
    name = "prod",
    acls = [
        acl.entry(
            acl.BUILDBUCKET_TRIGGERER,
            groups = "project-flutter-prod-schedulers",
        ),
        acl.entry(
            acl.SCHEDULER_TRIGGERER,
            groups = "project-flutter-prod-schedulers",
        ),
    ],
)

# Presubmit (try) bucket. The try scheduler group is not part of the
# project-level TRIGGERER entry, so this is where it gets trigger rights.
# The prod and staging scheduler groups can also trigger here through the
# ACLs inherited from luci.project.
luci.bucket(
    name = "try",
    acls = [
        acl.entry(
            acl.BUILDBUCKET_TRIGGERER,
            groups =
                "project-flutter-try-schedulers",
        ),
    ],
)

# These shadow buckets are used to trigger a real Buildbucket build using led
# go/luci-how-to-led#new-trigger-a-real-buildbucket-build-using-led

# No need to add constraints as try builds do not persist anything.
# NOTE(review): the line above looks stale, since constraints are declared
# below. They limit builds in this dynamic bucket to the listed pool and
# service account, which is what keeps led builds created here from running
# under another identity. Keep them unless the intent is confirmed otherwise.
luci.bucket(
    name = "try.shadow",
    shadows = "try",
    constraints = luci.bucket_constraints(
        pools = ["luci.flutter.try"],
        service_accounts = ["flutter-try-builder@chops-service-accounts.iam.gserviceaccount.com"],
    ),
    bindings = [
        # for led permissions.
        luci.binding(
            roles = "role/buildbucket.creator",
            groups = "project-flutter-try-schedulers",
        ),
    ],
    # Dynamic bucket: it declares no builders of its own in this file.
    dynamic = True,
)

# Shadow bucket for led builds that target "staging". As with try.shadow, the
# constraints pin builds created here to the staging pool and the staging
# builder service account.
luci.bucket(
    name = "staging.shadow",
    shadows = "staging",
    constraints = luci.bucket_constraints(
        pools = ["luci.flutter.staging"],
        service_accounts = ["flutter-staging-builder@chops-service-accounts.iam.gserviceaccount.com"],
    ),
    bindings = [
        # for led permissions.
        luci.binding(
            roles = "role/buildbucket.creator",
            groups = "project-flutter-staging-schedulers",
        ),
    ],
    # Dynamic bucket: it declares no builders of its own in this file.
    dynamic = True,
)

# Staging bucket. The staging scheduler group already has
# BUILDBUCKET_TRIGGERER through the project-level ACLs in luci.project, so
# this entry restates that grant at bucket level; the prod scheduler group
# inherits the same right here.
luci.bucket(
    name = "staging",
    acls = [
        acl.entry(
            acl.BUILDBUCKET_TRIGGERER,
            groups = "project-flutter-staging-schedulers",
        ),
    ],
)

# CQ group configurations. Only FLUTTER_RECIPES is using
# LUCI CQ but we still need the CQ configurations for all
# the try configurations for led recipe tests.
# cq_group() comes from //lib/common.star; what it declares for
# repos.FLUTTER_INFRA is not visible in this file.
common.cq_group(repos.FLUTTER_INFRA)

# Default input properties for luci.builder(...) declarations: the backend
# endpoints recipes talk to (goma, isolate, swarming) and a few build flags.
# NOTE(review): "upload_packages" and "clobber" default to False here, so a
# builder presumably has to opt in explicitly to publish packages; confirm in
# the per-repo configs which builders override these values.
luci.builder.defaults.properties.set({
    "$kitchen": {
        "emulate_gce": True,
    },
    "$flutter/goma": {
        "server": "rbe-prod1.endpoints.fuchsia-infra-goma-prod.cloud.goog",
    },
    "$recipe_engine/isolated": {
        "server": "https://isolateserver.appspot.com",
    },
    "$recipe_engine/swarming": {
        "server": "https://chromium-swarm.appspot.com",
    },
    "mastername": "client.flutter",
    "goma_jobs": "200",
    "upload_packages": False,
    "clobber": False,
})

############################ End Global Defaults ############################
# Each setup() below is defined in the *_config.star module loaded at the top
# of this file. Builders, their service accounts and any further bindings are
# declared there, so a permission review has to cover those modules as well.
cocoon_config.setup()

devicelab_staging_config.setup()

# While it doesn't make alphabetical sense, temporarily it does
flutter_config.setup()

engine_config.setup()

infra_config.setup()

iostools_config.setup()

packages_config.setup()

recipes_config.setup()

######################### Console Definitions #################################
