Move SCM policies to the koji hub

Moving all SCM policies previously defined in each builder to
centralized hub configuration. From now on, any SCM policy change just
needs updating the hub config and reloading it. Builders need nor change
nor reload.

Related: https://pagure.io/fedora-infrastructure/issue/9728

Signed-off-by: Tomas Kopecek <tkopecek@redhat.com>

roles/koji_builder/templates/kojid.conf

@@ -76,53 +76,9 @@ server={{koji_server_url}}
 pkgurl=http://kojipkgs.stg.fedoraproject.org/packages
 {% endif %}
 
-{% if env == 'staging' %}
+# everything related to allowed scms is now defined at hub
-; A whitespace-separated list of hostname:repository pairs that kojid is authorized to checkout from (no quotes)
+allowed_scms_use_config = false
-allowed_scms=
+allowed_scms_use_policy = true
-    !src.stg.fedoraproject.org:/pagure/fork/*
-    !src.stg.fedoraproject.org:/pagure/forks/*
-    !pkgs.stg.fedoraproject.org:/pagure/fork/*
-    !pkgs.stg.fedoraproject.org:/pagure/forks/*
-    !src.stg.fedoraproject.org:/fork/*
-    !src.stg.fedoraproject.org:/forks/*
-    !src.stg.fedoraproject.org:/cgit/*
-    src.stg.fedoraproject.org:/container/*:false
-    src.stg.fedoraproject.org:/flatpaks/*:false
-    src.stg.fedoraproject.org:/git/rpms/*:false:fedpkg,sources
-    !src.stg.fedoraproject.org:/git/*
-    !pkgs.stg.fedoraproject.org:/fork/*
-    !pkgs.stg.fedoraproject.org:/forks/*
-    !pkgs.stg.fedoraproject.org:/cgit/*
-    !pkgs.stg.fedoraproject.org:/git/*
-    pkgs.stg.fedoraproject.org:/container/*:false
-    pkgs.stg.fedoraproject.org:/flatpaks/*:false
-    pkgs.stg.fedoraproject.org:/rpms/*:false:fedpkg,sources
-    pkgs.stg.fedoraproject.org:/*:false:fedpkg,sources
-    src.stg.fedoraproject.org:/*:false:fedpkg,sources
-    pkgs.fedoraproject.org:/rpms/*:false:fedpkg,sources
-    pkgs.fedoraproject.org:/*:false:fedpkg,sources
-    pagure.io:/fedora-kickstarts.git:false
-    src.fedoraproject.org:/*:false:fedpkg,sources
-{% else %}
-; A whitespace-separated list of hostname:repository pairs that kojid is authorized to checkout from (no quotes)
-allowed_scms=
-    !src.fedoraproject.org:/pagure/fork/*
-    !src.fedoraproject.org:/pagure/forks/*
-    !pkgs.fedoraproject.org:/pagure/fork/*
-    !pkgs.fedoraproject.org:/pagure/forks/*
-    !src.fedoraproject.org:/fork/*
-    !src.fedoraproject.org:/forks/*
-    !src.fedoraproject.org:/cgit/*
-    !src.fedoraproject.org:/git/*
-    !pkgs.fedoraproject.org:/fork/*
-    !pkgs.fedoraproject.org:/forks/*
-    !pkgs.fedoraproject.org:/cgit/*
-    !pkgs.fedoraproject.org:/git/*
-    pkgs.fedoraproject.org:/*:false:fedpkg,sources
-    pagure.io:/fedora-kickstarts.git:false
-    src.fedoraproject.org:/*:false:fedpkg,sources
-    pagure.io:/fork/*/fedora-kickstarts.git:false
-{% endif %}
 
 ; allow tasks to continue to completion if a sibling fails
 ; the parent task will fail but all child tasks will complete

roles/koji_hub/templates/hub.conf.j2

@@ -203,16 +203,45 @@ sidetag =
     all :: deny
 
 {% if env == "staging" %}
-# Policy for building scratch builds
 build_from_scm =
-    # allow scratch build for anything from anywhere
+    match scm_host src.stg.fedoraproject.org :: {
-    bool scratch :: allow
+        bool scratch :: fedpkg sources
-    # allow to build from forks
+        match scm_repository /rpms/* :: fedpkg sources
-    match scm_type GIT GIT+SSH && match scm_host src.fedoraproject.org/forks/* :: allow
+        match scm_repository /modules/* :: fedpkg sources
-{% endif %}
+        match scm_repository /containers/* :: fedpkg sources
-
+        match scm_repository /flatpaks/* :: fedpkg sources
-scm =
+    }
-      # allow scratch builds from any commits
+    match scm_host pkgs.stg.fedoraproject.org :: {
-      bool scratch :: allow
+        bool scratch :: fedpkg sources
-      match_all branches * !! deny Commit must be present on some branch
+        match scm_repository /rpms/* :: fedpkg sources
-      all :: allow
+        match scm_repository /modules/* :: fedpkg sources
+        match scm_repository /containers/* :: fedpkg sources
+        match scm_repository /flatpaks/* :: fedpkg sources
+    }
+    match scm_host pkgs.fedoraproject.org && match scm_repository /* :: allow fedpkg sources
+    match scm_host pagure.io && match scm_repository /fedora-kickstarts.git :: allow
+    match scm_host src.fedoraproject.org :: allow fedpkg sources
+    all :: deny
+{% else %}
+build_from_scm =
+    match scm_host src.fedoraproject.org :: {
+        bool scratch :: fedpkg sources
+        match scm_repository /rpms/* :: fedpkg sources
+        match scm_repository /modules/* :: fedpkg sources
+        match scm_repository /containers/* :: fedpkg sources
+        match scm_repository /flatpaks/* :: fedpkg sources
+    }
+    match scm_host pkgs.fedoraproject.org :: {
+        bool scratch :: fedpkg sources
+        match scm_repository /rpms/* :: fedpkg sources
+        match scm_repository /modules/* :: fedpkg sources
+        match scm_repository /containers/* :: fedpkg sources
+        match scm_repository /flatpaks/* :: fedpkg sources
+    }
+    match scm_host pagure.io :: {
+        bool scratch :: allow
+        match scm_repository /fedora-kickstarts.git :: allow
+        match scm_repository /fork/*/fedora-kickstarts.git :: allow
+    }
+    all :: deny
+{%endif}