Add docs for Cloud Build status notification (#2157)

Add documentation that describes the current Cloud Build status notification
to Google Chat, as well as how to update the configuration and the
notifier service.

console-webapp/angular.json

@@ -41,8 +41,8 @@
               "budgets": [
                 {
                   "type": "initial",
-                  "maximumWarning": "500kb",
-                  "maximumError": "1mb"
+                  "maximumWarning": "2mb",
+                  "maximumError": "5mb"
                 },
                 {
                   "type": "anyComponentStyle",

console-webapp/src/app/app.component.ts

@@ -12,10 +12,12 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import { Component } from '@angular/core';
+import { Component, ViewChild } from '@angular/core';
 import { RegistrarService } from './registrar/registrar.service';
 import { UserDataService } from './shared/services/userData.service';
 import { GlobalLoaderService } from './shared/services/globalLoader.service';
+import { NavigationEnd, Router } from '@angular/router';
+import { MatSidenav } from '@angular/material/sidenav';
 
 @Component({
   selector: 'app-root',
@@ -24,10 +26,15 @@ import { GlobalLoaderService } from './shared/services/globalLoader.service';
 })
 export class AppComponent {
   renderRouter: boolean = true;
+
+  @ViewChild('sidenav')
+  sidenav!: MatSidenav;
+
   constructor(
     protected registrarService: RegistrarService,
     protected userDataService: UserDataService,
-    protected globalLoader: GlobalLoaderService
+    protected globalLoader: GlobalLoaderService,
+    protected router: Router
   ) {
     registrarService.activeRegistrarIdChange.subscribe(() => {
       this.renderRouter = false;
@@ -36,4 +43,12 @@ export class AppComponent {
       }, 400);
     });
   }
+
+  ngAfterViewInit() {
+    this.router.events.subscribe((event) => {
+      if (event instanceof NavigationEnd) {
+        this.sidenav.close();
+      }
+    });
+  }
 }

console-webapp/src/app/app.module.ts

@@ -47,6 +47,7 @@ import { BillingWidgetComponent } from './home/widgets/billing-widget.component'
 import { DomainsWidgetComponent } from './home/widgets/domains-widget.component';
 import { SettingsWidgetComponent } from './home/widgets/settings-widget.component';
 import { UserDataService } from './shared/services/userData.service';
+import WhoisComponent from './settings/whois/whois.component';
 
 @NgModule({
   declarations: [
@@ -69,6 +70,7 @@ import { UserDataService } from './shared/services/userData.service';
     SettingsWidgetComponent,
     TldsComponent,
     TldsWidgetComponent,
+    WhoisComponent,
   ],
   imports: [
     AppRoutingModule,

console-webapp/src/app/registrar/registrar.service.ts

@@ -13,15 +13,16 @@
 // limitations under the License.
 
 import { Injectable } from '@angular/core';
-import { BackendService } from '../shared/services/backend.service';
 import { Observable, Subject, tap } from 'rxjs';
+
+import { BackendService } from '../shared/services/backend.service';
 import {
   GlobalLoader,
   GlobalLoaderService,
 } from '../shared/services/globalLoader.service';
 import { MatSnackBar } from '@angular/material/snack-bar';
 
-interface Address {
+export interface Address {
   street?: string[];
   city?: string;
   countryCode?: string;
@@ -31,16 +32,20 @@ interface Address {
 
 export interface Registrar {
   allowedTlds?: string[];
-  ipAddressAllowList?: string[];
-  emailAddress?: string;
   billingAccountMap?: object;
   driveFolderId?: string;
+  emailAddress?: string;
+  faxNumber?: string;
   ianaIdentifier?: number;
   icannReferralEmail?: string;
+  ipAddressAllowList?: string[];
   localizedAddress?: Address;
+  phoneNumber?: string;
   registrarId: string;
   registrarName: string;
   registryLockAllowed?: boolean;
+  url?: string;
+  whoisServer?: string;
 }
 
 @Injectable({

console-webapp/src/app/settings/whois/whois.component.html

@@ -1 +1,250 @@
-<p>whois works!</p>
+<div class="settings-whois">
+  <h2>WHOIS settings</h2>
+  <h3>
+    General registrar information for your WHOIS record. This information is
+    always visible in WHOIS.
+  </h3>
+  <div *ngIf="loading" class="settings-whois__loading">
+    <mat-progress-bar mode="indeterminate"></mat-progress-bar>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-description">
+      <h3>Name:</h3>
+    </div>
+    <div class="settings-whois__section-form">
+      <mat-form-field>
+        <input
+          matInput
+          type="text"
+          [(ngModel)]="registrar.registrarName"
+          disabled
+        />
+      </mat-form-field>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-description">
+      <h3>IANA Identifier:</h3>
+    </div>
+    <div class="settings-whois__section-form">
+      <mat-form-field>
+        <input
+          matInput
+          type="text"
+          [(ngModel)]="registrar.ianaIdentifier"
+          disabled
+        />
+      </mat-form-field>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-description">
+      <h3>ICANN Referral Email:</h3>
+    </div>
+    <div class="settings-whois__section-form">
+      <mat-form-field>
+        <input
+          matInput
+          type="email"
+          [(ngModel)]="registrar.icannReferralEmail"
+          disabled
+        />
+      </mat-form-field>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-description">
+      <h3>WHOIS server:</h3>
+    </div>
+    <div class="settings-whois__section-form">
+      <mat-form-field>
+        <input
+          matInput
+          type="text"
+          [(ngModel)]="registrar.whoisServer"
+          [disabled]="!inEdit"
+        />
+      </mat-form-field>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-description">
+      <h3>Referral URL:</h3>
+    </div>
+    <div class="settings-whois__section-form">
+      <mat-form-field>
+        <input
+          matInput
+          type="text"
+          [(ngModel)]="registrar.url"
+          [disabled]="!inEdit"
+        />
+      </mat-form-field>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-description">
+      <h3>Email:</h3>
+    </div>
+    <div class="settings-whois__section-form">
+      <mat-form-field>
+        <input
+          matInput
+          type="email"
+          [(ngModel)]="registrar.emailAddress"
+          [disabled]="!inEdit"
+        />
+      </mat-form-field>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-description">
+      <h3>Phone::</h3>
+    </div>
+    <div class="settings-whois__section-form">
+      <mat-form-field>
+        <input
+          matInput
+          type="text"
+          [(ngModel)]="registrar.phoneNumber"
+          [disabled]="!inEdit"
+        />
+      </mat-form-field>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-description">
+      <h3>Fax:</h3>
+    </div>
+    <div class="settings-whois__section-form">
+      <mat-form-field>
+        <input
+          matInput
+          type="text"
+          [(ngModel)]="registrar.faxNumber"
+          [disabled]="!inEdit"
+        />
+      </mat-form-field>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-address">
+      <div class="settings-whois__section-description">
+        <h3>Address Line 1:</h3>
+      </div>
+      <div class="settings-whois__section-form">
+        <mat-form-field>
+          <input
+            *ngIf="registrar.localizedAddress?.street"
+            matInput
+            type="text"
+            [(ngModel)]="(registrar.localizedAddress?.street)![0]"
+            [disabled]="!inEdit"
+          />
+        </mat-form-field>
+      </div>
+    </div>
+    <div class="settings-whois__section-address">
+      <div class="settings-whois__section-description">
+        <h3>City:</h3>
+      </div>
+      <div class="settings-whois__section-form">
+        <mat-form-field>
+          <input
+            *ngIf="registrar.localizedAddress"
+            matInput
+            type="text"
+            [(ngModel)]="registrar.localizedAddress.city"
+            [disabled]="!inEdit"
+          />
+        </mat-form-field>
+      </div>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-address">
+      <div class="settings-whois__section-description">
+        <h3>Address Line 2:</h3>
+      </div>
+      <div class="settings-whois__section-form">
+        <mat-form-field>
+          <input
+            *ngIf="registrar.localizedAddress?.street"
+            matInput
+            type="text"
+            [(ngModel)]="(registrar.localizedAddress?.street)![1]"
+            [disabled]="!inEdit"
+          />
+        </mat-form-field>
+      </div>
+    </div>
+    <div class="settings-whois__section-address">
+      <div class="settings-whois__section-description">
+        <h3>State/Region:</h3>
+      </div>
+      <div class="settings-whois__section-form">
+        <mat-form-field>
+          <input
+            *ngIf="registrar.localizedAddress"
+            matInput
+            type="text"
+            [(ngModel)]="registrar.localizedAddress.state"
+            [disabled]="!inEdit"
+          />
+        </mat-form-field>
+      </div>
+    </div>
+  </div>
+  <div class="settings-whois__section">
+    <div class="settings-whois__section-address">
+      <div class="settings-whois__section-description">
+        <h3>Address Line 3:</h3>
+      </div>
+      <div class="settings-whois__section-form">
+        <mat-form-field>
+          <input
+            *ngIf="registrar.localizedAddress?.street"
+            matInput
+            type="text"
+            [(ngModel)]="(registrar.localizedAddress?.street)![2]"
+            [disabled]="!inEdit"
+          />
+        </mat-form-field>
+      </div>
+    </div>
+    <div class="settings-whois__section-address">
+      <div class="settings-whois__section-description">
+        <h3>Country Code:</h3>
+      </div>
+      <div class="settings-whois__section-form">
+        <mat-form-field>
+          <input
+            *ngIf="registrar.localizedAddress"
+            matInput
+            type="text"
+            [(ngModel)]="registrar.localizedAddress.countryCode"
+            [disabled]="!inEdit"
+          />
+        </mat-form-field>
+      </div>
+    </div>
+  </div>
+  <div class="settings-whois__actions">
+    <ng-template [ngIf]="inEdit" [ngIfElse]="inView">
+      <button
+        class="actions-save"
+        mat-raised-button
+        color="primary"
+        (click)="save()"
+      >
+        Save
+      </button>
+      <button class="actions-cancel" mat-stroked-button (click)="cancel()">
+        Cancel
+      </button>
+    </ng-template>
+    <ng-template #inView>
+      <button #elseBlock mat-raised-button (click)="enableEdit()">Edit</button>
+    </ng-template>
+  </div>
+</div>

console-webapp/src/app/settings/whois/whois.component.scss

@@ -11,3 +11,49 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+
+.settings-whois {
+  margin-top: 1.5rem;
+  &__section {
+    display: flex;
+    flex-wrap: wrap;
+    margin-bottom: 10px;
+    min-width: 400px;
+  }
+  &__section-address {
+    display: flex;
+    flex-wrap: wrap;
+    margin-bottom: 5px;
+    min-width: 450px;
+    width: 50%;
+    max-width: 50%;
+  }
+  &__section-description {
+    display: inline-block;
+    margin-block-start: 1em;
+    min-width: 150px;
+  }
+  &__section-form {
+    display: inline-block;
+    width: 70%;
+    mat-form-field {
+      width: 90%;
+      min-width: 300px;
+    }
+    input:disabled {
+      border: 0;
+    }
+  }
+  &__loading {
+    margin: 2rem 0;
+  }
+  &__actions {
+    margin-top: 50px;
+    display: flex;
+    justify-content: flex-end;
+    margin-right: 50px;
+    button {
+      margin-left: 20px;
+    }
+  }
+}

console-webapp/src/app/settings/whois/whois.component.ts

@@ -12,13 +12,66 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+import { HttpErrorResponse } from '@angular/common/http';
 import { Component } from '@angular/core';
+import { MatSnackBar } from '@angular/material/snack-bar';
+import {
+  Registrar,
+  RegistrarService,
+} from 'src/app/registrar/registrar.service';
+
+import { WhoisService } from './whois.service';
 
 @Component({
   selector: 'app-whois',
   templateUrl: './whois.component.html',
   styleUrls: ['./whois.component.scss'],
+  providers: [WhoisService],
 })
 export default class WhoisComponent {
   public static PATH = 'whois';
+  loading = false;
+  inEdit = false;
+  registrar: Registrar;
+
+  constructor(
+    public whoisService: WhoisService,
+    public registrarService: RegistrarService,
+    private _snackBar: MatSnackBar
+  ) {
+    this.registrar = JSON.parse(
+      JSON.stringify(this.registrarService.registrar)
+    );
+  }
+
+  enableEdit() {
+    this.inEdit = true;
+  }
+
+  cancel() {
+    this.inEdit = false;
+    this.resetDataSource();
+  }
+
+  save() {
+    this.loading = true;
+    this.whoisService.saveChanges(this.registrar).subscribe({
+      complete: () => {
+        this.loading = false;
+        this.resetDataSource();
+      },
+      error: (err: HttpErrorResponse) => {
+        this._snackBar.open(err.error, undefined, {
+          duration: 1500,
+        });
+      },
+    });
+    this.cancel();
+  }
+
+  resetDataSource() {
+    this.registrar = JSON.parse(
+      JSON.stringify(this.registrarService.registrar)
+    );
+  }
 }

console-webapp/src/app/settings/whois/whois.service.ts

@@ -0,0 +1,45 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Injectable } from '@angular/core';
+import { switchMap } from 'rxjs';
+import { Address, RegistrarService } from 'src/app/registrar/registrar.service';
+import { BackendService } from 'src/app/shared/services/backend.service';
+
+export interface WhoisRegistrarFields {
+  ianaIdentifier?: number;
+  icannReferralEmail?: string;
+  localizedAddress?: Address;
+  registrarId?: string;
+  url?: string;
+  whoisServer?: string;
+}
+
+@Injectable()
+export class WhoisService {
+  whoisRegistrarFields: WhoisRegistrarFields = {};
+
+  constructor(
+    private backend: BackendService,
+    private registrarService: RegistrarService
+  ) {}
+
+  saveChanges(newWhoisRegistrarFields: WhoisRegistrarFields) {
+    return this.backend.postWhoisRegistrarFields(newWhoisRegistrarFields).pipe(
+      switchMap(() => {
+        return this.registrarService.loadRegistrars();
+      })
+    );
+  }
+}

console-webapp/src/app/shared/services/backend.service.ts

@@ -20,6 +20,7 @@ import { SecuritySettingsBackendModel } from 'src/app/settings/security/security
 import { Contact } from '../../settings/contact/contact.service';
 import { Registrar } from '../../registrar/registrar.service';
 import { UserData } from './userData.service';
+import { WhoisRegistrarFields } from 'src/app/settings/whois/whois.service';
 
 @Injectable()
 export class BackendService {
@@ -97,4 +98,13 @@ export class BackendService {
       .get<UserData>(`/console-api/userdata`)
       .pipe(catchError((err) => this.errorCatcher<UserData>(err)));
   }
+
+  postWhoisRegistrarFields(
+    whoisRegistrarFields: WhoisRegistrarFields
+  ): Observable<WhoisRegistrarFields> {
+    return this.http.post<WhoisRegistrarFields>(
+      '/console-api/settings/whois-fields',
+      whoisRegistrarFields
+    );
+  }
 }

core/src/main/java/google/registry/model/tld/Tld.java

@@ -130,7 +130,7 @@ public class Tld extends ImmutableObject implements Buildable, UnsafeSerializabl
   public static final Money DEFAULT_REGISTRY_LOCK_OR_UNLOCK_BILLING_COST = Money.of(USD, 0);
 
   public boolean equalYaml(Tld tldToCompare) {
-    if (this == tldToCompare) {
+    if (this.equals(tldToCompare)) {
       return true;
     }
     ObjectMapper mapper = createObjectMapper();

core/src/main/java/google/registry/tools/ConfigureTldCommand.java

@@ -63,6 +63,14 @@ public class ConfigureTldCommand extends MutatingCommand {
       required = true)
   Path inputFile;
 
+  @Parameter(
+      names = {"-b", "--breakglass"},
+      description =
+          "Sets the breakglass field on the TLD to true, preventing Cloud Build from overwriting"
+              + " these new changes until the TLD configuration file stored internally matches the"
+              + " configuration in the database.")
+  boolean breakglass;
+
   @Inject ObjectMapper mapper;
 
   @Inject
@@ -70,13 +78,13 @@ public class ConfigureTldCommand extends MutatingCommand {
   Set<String> validDnsWriterNames;
 
   /** Indicates if the passed in file contains new changes to the TLD */
-  boolean newDiff = false;
+  boolean newDiff = true;
 
-  // TODO(sarahbot@): Add a breakglass setting to this tool to indicate when a TLD has been modified
-  // outside of source control
-
-  // TODO(sarahbot@): Add a check for diffs between passed in file and current TLD and exit if there
-  // is no diff. Treat nulls and empty sets as the same value.
+  /**
+   * Indicates if the existing TLD is currently in breakglass mode and should not be modified unless
+   * the breakglass flag is used
+   */
+  boolean oldTldInBreakglass = false;
 
   @Override
   protected void init() throws Exception {
@@ -86,20 +94,47 @@ public class ConfigureTldCommand extends MutatingCommand {
     checkForMissingFields(tldData);
     Tld oldTld = getTlds().contains(name) ? Tld.get(name) : null;
     Tld newTld = mapper.readValue(inputFile.toFile(), Tld.class);
-    if (oldTld != null && oldTld.equalYaml(newTld)) {
+    if (oldTld != null) {
+      oldTldInBreakglass = oldTld.getBreakglassMode();
+      newDiff = !oldTld.equalYaml(newTld);
+    }
+
+    if (!newDiff && !oldTldInBreakglass) {
+      // Don't construct a new object if there is no new diff
       return;
     }
-    newDiff = true;
+
+    if (oldTldInBreakglass && !breakglass) {
+      checkArgument(
+          !newDiff,
+          "Changes can not be applied since TLD is in breakglass mode but the breakglass flag was"
+              + " not used");
+      // if there are no new diffs, then the YAML file has caught up to the database and the
+      // breakglass mode should be removed
+      logger.atInfo().log("Breakglass mode removed from TLD: %s", name);
+    }
+
     checkPremiumList(newTld);
     checkDnsWriters(newTld);
     checkCurrency(newTld);
+    // Set the new TLD to breakglass mode if breakglass flag was used
+    if (breakglass) {
+      newTld = newTld.asBuilder().setBreakglassMode(true).build();
+    }
     stageEntityChange(oldTld, newTld);
   }
 
   @Override
   protected boolean dontRunCommand() {
     if (!newDiff) {
+      if (oldTldInBreakglass && !breakglass) {
+        // Run command to remove breakglass mode
+        return false;
+      }
       logger.atInfo().log("TLD YAML file contains no new changes");
+      checkArgument(
+          !breakglass || oldTldInBreakglass,
+          "Breakglass mode can only be set when making new changes to a TLD configuration");
       return true;
     }
     return false;
@@ -141,7 +176,9 @@ public class ConfigureTldCommand extends MutatingCommand {
 
   private void checkPremiumList(Tld newTld) {
     Optional<String> premiumListName = newTld.getPremiumListName();
-    if (!premiumListName.isPresent()) return;
+    if (!premiumListName.isPresent()) {
+      return;
+    }
     Optional<PremiumList> premiumList = PremiumListDao.getLatestRevision(premiumListName.get());
     checkArgument(
         premiumList.isPresent(),

core/src/test/java/google/registry/tools/ConfigureTldCommandTest.java

@@ -64,6 +64,7 @@ public class ConfigureTldCommandTest extends CommandTestCase<ConfigureTldCommand
     command.mapper = objectMapper;
     premiumList = persistPremiumList("test", USD, "silver,USD 50", "gold,USD 80");
     command.validDnsWriterNames = ImmutableSet.of("VoidDnsWriter", "FooDnsWriter");
+    logger.addHandler(logHandler);
   }
 
   private void testTldConfiguredSuccessfully(Tld tld, String filename)
@@ -82,6 +83,7 @@ public class ConfigureTldCommandTest extends CommandTestCase<ConfigureTldCommand
     assertThat(tld.getDriveFolderId()).isEqualTo("driveFolder");
     assertThat(tld.getCreateBillingCost()).isEqualTo(Money.of(USD, 25));
     testTldConfiguredSuccessfully(tld, "tld.yaml");
+    assertThat(tld.getBreakglassMode()).isFalse();
   }
 
   @Test
@@ -94,19 +96,17 @@ public class ConfigureTldCommandTest extends CommandTestCase<ConfigureTldCommand
     Tld updatedTld = Tld.get("tld");
     assertThat(updatedTld.getCreateBillingCost()).isEqualTo(Money.of(USD, 25));
     testTldConfiguredSuccessfully(updatedTld, "tld.yaml");
+    assertThat(updatedTld.getBreakglassMode()).isFalse();
   }
 
   @Test
   void testSuccess_noDiff() throws Exception {
-    logger.addHandler(logHandler);
     Tld tld = createTld("idns");
-    tld =
-        persistResource(
-            tld.asBuilder()
-                .setIdnTables(ImmutableSet.of(JA, UNCONFUSABLE_LATIN, EXTENDED_LATIN))
-                .setAllowedFullyQualifiedHostNames(
-                    ImmutableSet.of("zeta", "alpha", "gamma", "beta"))
-                .build());
+    persistResource(
+        tld.asBuilder()
+            .setIdnTables(ImmutableSet.of(JA, UNCONFUSABLE_LATIN, EXTENDED_LATIN))
+            .setAllowedFullyQualifiedHostNames(ImmutableSet.of("zeta", "alpha", "gamma", "beta"))
+            .build());
     File tldFile = tmpDir.resolve("idns.yaml").toFile();
     Files.asCharSink(tldFile, UTF_8).write(loadFile(getClass(), "idns.yaml"));
     runCommandForced("--input=" + tldFile);
@@ -473,4 +473,101 @@ public class ConfigureTldCommandTest extends CommandTestCase<ConfigureTldCommand
         assertThrows(IllegalArgumentException.class, () -> runCommandForced("--input=" + tldFile));
     assertThat(thrown.getMessage()).isEqualTo("The premium list must use the TLD's currency");
   }
+
+  @Test
+  void testFailure_breakglassFlag_NoChanges() throws Exception {
+    Tld tld = createTld("idns");
+    persistResource(
+        tld.asBuilder()
+            .setIdnTables(ImmutableSet.of(JA, UNCONFUSABLE_LATIN, EXTENDED_LATIN))
+            .setAllowedFullyQualifiedHostNames(ImmutableSet.of("zeta", "alpha", "gamma", "beta"))
+            .build());
+    File tldFile = tmpDir.resolve("idns.yaml").toFile();
+    Files.asCharSink(tldFile, UTF_8).write(loadFile(getClass(), "idns.yaml"));
+    IllegalArgumentException thrown =
+        assertThrows(
+            IllegalArgumentException.class, () -> runCommandForced("--input=" + tldFile, "-b"));
+    assertThat(thrown.getMessage())
+        .isEqualTo(
+            "Breakglass mode can only be set when making new changes to a TLD configuration");
+  }
+
+  @Test
+  void testSuccess_breakglassFlag_startsBreakglassMode() throws Exception {
+    Tld tld = createTld("tld");
+    assertThat(tld.getCreateBillingCost()).isEqualTo(Money.of(USD, 13));
+    File tldFile = tmpDir.resolve("tld.yaml").toFile();
+    Files.asCharSink(tldFile, UTF_8).write(loadFile(getClass(), "tld.yaml"));
+    runCommandForced("--input=" + tldFile, "--breakglass");
+    Tld updatedTld = Tld.get("tld");
+    assertThat(updatedTld.getCreateBillingCost()).isEqualTo(Money.of(USD, 25));
+    testTldConfiguredSuccessfully(updatedTld, "tld.yaml");
+    assertThat(updatedTld.getBreakglassMode()).isTrue();
+  }
+
+  @Test
+  void testSuccess_breakglassFlag_continuesBreakglassMode() throws Exception {
+    Tld tld = createTld("tld");
+    assertThat(tld.getCreateBillingCost()).isEqualTo(Money.of(USD, 13));
+    persistResource(tld.asBuilder().setBreakglassMode(true).build());
+    File tldFile = tmpDir.resolve("tld.yaml").toFile();
+    Files.asCharSink(tldFile, UTF_8).write(loadFile(getClass(), "tld.yaml"));
+    runCommandForced("--input=" + tldFile, "--breakglass");
+    Tld updatedTld = Tld.get("tld");
+    assertThat(updatedTld.getCreateBillingCost()).isEqualTo(Money.of(USD, 25));
+    testTldConfiguredSuccessfully(updatedTld, "tld.yaml");
+    assertThat(updatedTld.getBreakglassMode()).isTrue();
+  }
+
+  @Test
+  void testSuccess_NoDiffNoBreakglassFlag_endsBreakglassMode() throws Exception {
+    Tld tld = createTld("idns");
+    persistResource(
+        tld.asBuilder()
+            .setIdnTables(ImmutableSet.of(JA, UNCONFUSABLE_LATIN, EXTENDED_LATIN))
+            .setAllowedFullyQualifiedHostNames(ImmutableSet.of("zeta", "alpha", "gamma", "beta"))
+            .setBreakglassMode(true)
+            .build());
+    File tldFile = tmpDir.resolve("idns.yaml").toFile();
+    Files.asCharSink(tldFile, UTF_8).write(loadFile(getClass(), "idns.yaml"));
+    runCommandForced("--input=" + tldFile);
+    Tld updatedTld = Tld.get("idns");
+    assertThat(updatedTld.getBreakglassMode()).isFalse();
+    assertAboutLogs()
+        .that(logHandler)
+        .hasLogAtLevelWithMessage(INFO, "Breakglass mode removed from TLD: idns");
+  }
+
+  @Test
+  void testSuccess_noDiffBreakglassFlag_continuesBreakglassMode() throws Exception {
+    Tld tld = createTld("idns");
+    persistResource(
+        tld.asBuilder()
+            .setIdnTables(ImmutableSet.of(JA, UNCONFUSABLE_LATIN, EXTENDED_LATIN))
+            .setAllowedFullyQualifiedHostNames(ImmutableSet.of("zeta", "alpha", "gamma", "beta"))
+            .setBreakglassMode(true)
+            .build());
+    File tldFile = tmpDir.resolve("idns.yaml").toFile();
+    Files.asCharSink(tldFile, UTF_8).write(loadFile(getClass(), "idns.yaml"));
+    runCommandForced("--input=" + tldFile, "-b");
+    Tld updatedTld = Tld.get("idns");
+    assertThat(updatedTld.getBreakglassMode()).isTrue();
+    assertAboutLogs()
+        .that(logHandler)
+        .hasLogAtLevelWithMessage(INFO, "TLD YAML file contains no new changes");
+  }
+
+  @Test
+  void testFailure_noBreakglassFlag_inBreakglassMode() throws Exception {
+    Tld tld = createTld("tld");
+    persistResource(tld.asBuilder().setBreakglassMode(true).build());
+    File tldFile = tmpDir.resolve("tld.yaml").toFile();
+    Files.asCharSink(tldFile, UTF_8).write(loadFile(getClass(), "tld.yaml"));
+    IllegalArgumentException thrown =
+        assertThrows(IllegalArgumentException.class, () -> runCommandForced("--input=" + tldFile));
+    assertThat(thrown.getMessage())
+        .isEqualTo(
+            "Changes can not be applied since TLD is in breakglass mode but the breakglass flag"
+                + " was not used");
+  }
 }

release/notifications/README.md

@@ -0,0 +1,42 @@
+## About
+
+We have deployed a Cloud Build notifier on Cloud Run that sends build failure
+notifications to a Google Chat space. This folder contains the configuration and
+helper scripts.
+
+## Details
+
+The instructions for notifier setup can be found on the
+[GCP documentation site](https://cloud.google.com/build/docs/configuring-notifications/configure-googlechat).
+For the **initial** setup, Cloud Build provides a
+[script](https://cloud.google.com/build/docs/configuring-notifications/automate)
+that automates a lot of the work.
+
+With the automated procedure, the notifier is deployed as a Cloud Run service
+named `googlechat-notifier` in a single region of user's choice. The notifier
+subscribes to the `cloud-builds` Pub/sub topic for build statuses, applies our
+custom filter, and sends matching notifications to our Google Chat space.
+
+Our custom configuration for the notifier is in the `googlechat.yaml` file. It
+defines:
+
+*   The build status filter, currently matching for all triggered builds that
+    have failed or timed out. The filter semantics are explained
+    [here](https://cloud.google.com/build/docs/configuring-notifications/configure-googlechat#using_cel_to_filter_build_events).
+*   The secret name of the Chat Webhook token stored in the Secret Manager. This
+    token allows the notifier to send notifications to our Chat space. The
+    webhook token can be managed in the Google Chat client.
+
+The `googlechat.yaml` configuration file should be uploaded to the GCS bucket
+`{PROJECT_ID}-notifiers-config`. The `upload_config.sh` script can be used for
+uploading. The new configuration will take effect eventually after all currently
+running notifier instances shutdown due to inactivity, which is bound to happen
+with our workload (Note: this depends on the scale-to-zero policy, which is the
+default).
+
+To make sure the new configurations take effect immediately, the
+`update_notifier.sh`. It deploys a new revision of the notifier and shuts down
+old instances.
+
+Note that if the notifier is moved to another region, the full setup must be
+repeated.

release/notifications/googlechat.yaml

@@ -0,0 +1,14 @@
+  apiVersion: cloud-build-notifiers/v1
+  kind: GoogleChatNotifier
+  metadata:
+    name: nomulus-cloudbuild-googlechat-notifier
+  spec:
+    notification:
+      filter: has(build.build_trigger_id) && build.status in [Build.Status.FAILURE, Build.Status.TIMEOUT]
+      delivery:
+        webhookUrl:
+          secretRef: webhook-url
+    secrets:
+    - name: webhook-url
+      value: projects/_project_id_/secrets/Chat-Webhook-CloudBuildNotifications/versions/latest
+

release/notifications/update_notifier.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+# Copyright 2019 The Nomulus Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# This script redeploys the Cloud Build notifier with the latest container
+# image. It can be used to force immediate configuration change after invoking
+# `upload_config.sh`.
+
+set -e
+
+if [ $# -ne 1 ];
+then
+  echo "Usage: $0 <project_id>"
+  exit 1
+fi
+
+project_id="$1"
+
+region=$(gcloud run services list \
+         --filter="SERVICE:googlechat-notifier" \
+         --format="csv[no-heading](REGION)" \
+         --project="${project_id}")
+
+SERVICE_NAME=googlechat-notifier
+IMAGE_PATH=us-east1-docker.pkg.dev/gcb-release/cloud-build-notifiers/googlechat:latest
+DESTINATION_CONFIG_PATH="gs://${project_id}-notifiers-config/googlechat.yaml"
+
+gcloud run deploy "${SERVICE_NAME}" --image="${IMAGE_PATH}" \
+    --no-allow-unauthenticated  \
+    --update-env-vars="CONFIG_PATH=${DESTINATION_CONFIG_PATH},PROJECT_ID=${project_id}" \
+    --region="${region}" \
+    --project="${project_id}" \
+    || fail "failed to deploy notifier service -- check service logs for configuration error"

release/notifications/upload_config.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+# Copyright 2019 The Nomulus Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# This script uploads the `googlechat.yaml` configuration to the GCS bucket used
+# by the Cloud Build notifier. The new config takes effect only AFTER all
+# currently running notifier instances are shut down due to inactivity. To force
+# immediate change, use `update_notifier.sh` in this directory to redeploy the
+# service.
+
+set -e
+
+if [ $# -ne 1 ];
+then
+  echo "Usage: $0 <project_id>"
+  exit 1
+fi
+
+project_id="$1"
+
+SCRIPT_DIR="$(realpath $(dirname $0))"
+
+cat "${SCRIPT_DIR}"/googlechat.yaml  \
+    | sed  "s/_project_id_/${project_id}/g" \
+    | gcloud storage cp - "gs://${project_id}-notifiers-config/googlechat.yaml"