From a01680aa751ac551bca1fb5e35e1cab93697dc7f Mon Sep 17 00:00:00 2001
From: Erez Freiberger
Date: Tue, 13 Jun 2017 16:05:05 +0300
Subject: [PATCH] subclassing ContainerImage to Openshift::ContainerImage Adds type and ems_ref columns to ContainerImage and enables STI. allow annotating only OpenshiftContainerImages and remove annotation function from container_image
---
 app/models/container_image.rb | 14 --------------
 app/models/ems_refresh/save_inventory_container.rb | 1 +
 app/models/miq_action.rb | 7 +------
 spec/models/miq_action_spec.rb | 11 +++++++++++
 4 files changed, 13 insertions(+), 20 deletions(-)
diff --git a/app/models/container_image.rb b/app/models/container_image.rb
index 4a8189a4cb2..06f22a478a7 100644
--- a/app/models/container_image.rb
+++ b/app/models/container_image.rb
@@ -83,20 +83,6 @@ def has_compliance_policies?
 !plist.blank?
 end
- def annotate_deny_execution(causing_policy)
- # TODO: support sti and replace check with inplementing only for OpenShift providers
- unless ext_management_system.kind_of?(ManageIQ::Providers::Openshift::ContainerManagerMixin)
- _log.error("#{__method__} only applicable for OpenShift Providers")
- return
- end
- ext_management_system.annotate(
- "image",
- digest,
- "security.manageiq.org/failed-policy" => causing_policy,
- "images.openshift.io/deny-execution" => "true"
- )
- end
-
 def openscap_failed_rules_summary
 openscap_rule_results.where(:result => "fail").group(:severity).count.symbolize_keys
 end
diff --git a/app/models/ems_refresh/save_inventory_container.rb b/app/models/ems_refresh/save_inventory_container.rb
index 5fd54b43526..977cb6799f2 100644
--- a/app/models/ems_refresh/save_inventory_container.rb
+++ b/app/models/ems_refresh/save_inventory_container.rb
@@ -308,6 +308,7 @@ def save_container_images_inventory(ems, hashes, target = nil) hashes.each do |h| h[:container_image_registry_id] = h[:container_image_registry][:id] unless h[:container_image_registry].nil? + h[:type] ||= 'ContainerImage' end save_inventory_multi(ems.container_images, hashes, deletes, [:image_ref, :container_image_registry_id], diff --git a/app/models/miq_action.rb b/app/models/miq_action.rb index d5f53aab036..0b6792dcb2b 100644 --- a/app/models/miq_action.rb +++ b/app/models/miq_action.rb @@ -737,12 +737,7 @@ def action_container_image_annotate_deny_execution(action, rec, inputs) return end - unless rec.try(:ext_management_system).kind_of?(ManageIQ::Providers::Openshift::ContainerManagerMixin) - MiqPolicy.logger.error("#{error_prefix} only applicable for OpenShift Providers") - return - end - - unless rec.digest.present? + unless rec.respond_to?(:annotate_deny_execution) MiqPolicy.logger.error("#{error_prefix} ContainerImage is not linked with an OpenShift image") return end diff --git a/spec/models/miq_action_spec.rb b/spec/models/miq_action_spec.rb index 36131282889..474631ebd3f 100644 --- a/spec/models/miq_action_spec.rb +++ b/spec/models/miq_action_spec.rb @@ -218,6 +218,17 @@ end end + context "#action_container_image_annotate_deny_execution" do + let(:container_image) { FactoryGirl.create(:container_image) } + let(:event) { FactoryGirl.create(:miq_event_definition, :name => "whatever") } + let(:action) { FactoryGirl.create(:miq_action, :name => "container_image_annotate_deny_execution") } + + it "will not annotate if the method is unavailable" do + expect(MiqQueue).to receive(:put).exactly(0).times + action.action_container_image_annotate_deny_execution(action, container_image, :event => event) + end + end + context '.create_default_actions' do context 'seeding default actions from a file with 3 csv rows and some comments' do before do
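Review bot: In `save_container_images_inventory`, `h[:type] ||= 'ContainerImage'` stores every image whose parser hash lacks `:type` as the base class, and the `respond_to?(:annotate_deny_execution)` guard added in `miq_action.rb` then skips the deny-execution annotation for such rows with only a log line. The parser side is not in this patch, so it is worth confirming that the OpenShift parser sets `:type` on every image hash, including for images already in the database that are updated on refresh. A comment above the line would record the contract, for example `# Hashes without :type are stored as the STI base class, which has no annotate_deny_execution`. The method body continues outside the hunk.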
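Review bot: In `action_container_image_annotate_deny_execution` (app/models/miq_action.rb) the `rec.digest.present?` guard is dropped together with the provider check, so a record that responds to `annotate_deny_execution` but has no digest now passes the guards shown here; unless the subclass method, which is not in this patch, checks the digest itself, the annotation would be requested with a nil digest. Keeping both conditions, `unless rec.respond_to?(:annotate_deny_execution) && rec.digest.present?`, preserves the old behaviour. The retained message "ContainerImage is not linked with an OpenShift image" was written for the digest case and now also fires for images of non-OpenShift providers, where the removed "only applicable for OpenShift Providers" text was the accurate one. The method starts and ends outside the hunk.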
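Review bot: The new example in spec/models/miq_action_spec.rb asserts only that `MiqQueue.put` is never called, which would also hold if the action returned at the earlier guard in the method rather than at the `respond_to?` check, so it does not pin the branch it is named after. Adding `expect(MiqPolicy.logger).to receive(:error).with(/not linked with an OpenShift image/)` would tie it to that branch, and `expect(MiqQueue).not_to receive(:put)` reads more directly than `exactly(0).times`. There is no example for the positive path, an OpenShift image with a digest being queued for annotation, which is the behaviour the policy action exists to enforce.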