From 803fbfdde3667478e4e3511c5b5681fb5f931d65 Mon Sep 17 00:00:00 2001
From: Erez Freiberger
Date: Sun, 7 May 2017 13:37:38 +0300
Subject: [PATCH 1/2] annotating container images with successful compliance

---
 app/models/miq_action.rb        | 14 ++++++++++++--
 db/fixtures/miq_actions.csv     |  1 +
 db/fixtures/miq_policy_sets.yml | 15 +++++++++++++++
 3 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/app/models/miq_action.rb b/app/models/miq_action.rb
index 9633e4384d5..88f35617d96 100644
--- a/app/models/miq_action.rb
+++ b/app/models/miq_action.rb
@@ -724,7 +724,17 @@ def action_container_image_analyze(action, rec, inputs)
     rec.scan
   end
 
+  def action_container_image_annotate_allow_execution(action, rec, inputs)
+    MiqPolicy.logger.info("MIQ(#{__method__}): Now executing [#{action.description}]")
+    openshift_container_image_annotate_method(action, rec, inputs, "annotate_allow_execution")
+  end
+
   def action_container_image_annotate_deny_execution(action, rec, inputs)
+    MiqPolicy.logger.info("MIQ(#{__method__}): Now executing [#{action.description}]")
+    openshift_container_image_annotate_method(action, rec, inputs, "annotate_deny_execution")
+  end
+
+  def openshift_container_image_annotate_method(action, rec, inputs, method_name)
     error_prefix = "MIQ(#{__method__}): Unable to perform action [#{action.description}], "
     unless rec.kind_of?(ContainerImage)
       MiqPolicy.logger.error("#{error_prefix} object [#{rec.inspect}] is not a Container Image")
@@ -739,7 +749,7 @@ def action_container_image_annotate_deny_execution(action, rec, inputs)
     if inputs[:synchronous]
       MiqPolicy.logger.info("MIQ(#{__method__}): Now executing [#{action.description}] for event "\
                             "[#{inputs[:event].description}]")
-      rec.annotate_deny_execution(inputs[:policy].name)
+      rec.send(method_name.to_sym, inputs[:policy].name)
     else
       MiqPolicy.logger.info("MIQ(#{__method__}): Queueing [#{action.description}] for event "\
                             "[#{inputs[:event].description}]")
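Review bot: For the allow path this `rec.send(method_name.to_sym, …)` dispatch is guarded by a check on a different method, `rec.respond_to?(:annotate_deny_execution)` (visible as the line the second patch later removes), so an image class that implements only the deny method would raise NoMethodError here instead of logging the `error_prefix` message. Tie the guard to the dispatched name, `unless rec.respond_to?(method_name)`, and use `rec.public_send(method_name, inputs[:policy].name)` so the indirection cannot reach a private method; the same unchecked `method_name` string is also queued as `:method_name` in the following hunk. The second patch of this series replaces the indirection with a direct call, so this matters only for the intermediate commit. The enclosing helper starts and ends outside this hunk.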
@@ -747,7 +757,7 @@ def action_container_image_annotate_deny_execution(action, rec, inputs)
         :service => "ems_operations",
         :affinity => rec.ext_management_system,
         :class_name => rec.class.name,
-        :method_name => "annotate_deny_execution",
+        :method_name => method_name,
         :args => inputs[:policy].name,
         :instance_id => rec.id,
         :priority => MiqQueue::HIGH_PRIORITY,
diff --git a/db/fixtures/miq_actions.csv b/db/fixtures/miq_actions.csv
index 40e11d4536b..8b806c9a6f0 100644
--- a/db/fixtures/miq_actions.csv
+++ b/db/fixtures/miq_actions.csv
@@ -11,6 +11,7 @@ script,Execute an external script
 prevent,Prevent current event from proceeding
 container_image_analyze,Initiate SmartState Analysis for Container Image
 container_image_annotate_deny_execution,Prevent container image from running on OpenShift
+container_image_annotate_allow_execution,Mark container image as safe for running on OpenShift
 vm_start,Start Virtual Machine
 vm_stop,Stop Virtual Machine
 vm_suspend,Suspend Virtual Machine
diff --git a/db/fixtures/miq_policy_sets.yml b/db/fixtures/miq_policy_sets.yml
index a0cf06e3349..d2c5b4e910c 100644
--- a/db/fixtures/miq_policy_sets.yml
+++ b/db/fixtures/miq_policy_sets.yml
@@ -54,6 +54,21 @@
         description: Prevent container image from running on OpenShift
         action_type: default
         options: {}
+    - qualifier: success
+      success_sequence: 1
+      success_synchronous: true
+      MiqEventDefinition:
+        name: containerimage_compliance_check
+        description: Container Image Compliance Check
+        event_type: Default
+        definition:
+        default:
+        enabled:
+      MiqAction:
+        name: container_image_annotate_allow_execution
+        description: Mark container image as safe for running on OpenShift
+        action_type: default
+        options: {}
     Condition:
     - name: if container image has high severity openscap rule results
       description: Has high severity OpenSCAP rule results
From 73342165fecb0b22c80f7c32893c4d9bec99ab58 Mon Sep 17 00:00:00 2001
From: Erez Freiberger
Date: Wed, 9 Aug 2017 19:41:57 +0300
Subject: [PATCH 2/2] move to one annotating function for policy results

---
 app/models/miq_action.rb        | 19 +++++--------------
 db/fixtures/miq_actions.csv     |  1 +
 db/fixtures/miq_policy_sets.yml |  8 ++++----
 spec/models/miq_action_spec.rb  |  4 ++--
 4 files changed, 12 insertions(+), 20 deletions(-)

diff --git a/app/models/miq_action.rb b/app/models/miq_action.rb
index 88f35617d96..b3cf8b98136 100644
--- a/app/models/miq_action.rb
+++ b/app/models/miq_action.rb
@@ -724,24 +724,15 @@ def action_container_image_analyze(action, rec, inputs)
     rec.scan
   end
 
-  def action_container_image_annotate_allow_execution(action, rec, inputs)
+  def action_container_image_annotate_scan_results(action, rec, inputs)
     MiqPolicy.logger.info("MIQ(#{__method__}): Now executing [#{action.description}]")
-    openshift_container_image_annotate_method(action, rec, inputs, "annotate_allow_execution")
-  end
-
-  def action_container_image_annotate_deny_execution(action, rec, inputs)
-    MiqPolicy.logger.info("MIQ(#{__method__}): Now executing [#{action.description}]")
-    openshift_container_image_annotate_method(action, rec, inputs, "annotate_deny_execution")
-  end
-
-  def openshift_container_image_annotate_method(action, rec, inputs, method_name)
     error_prefix = "MIQ(#{__method__}): Unable to perform action [#{action.description}], "
     unless rec.kind_of?(ContainerImage)
       MiqPolicy.logger.error("#{error_prefix} object [#{rec.inspect}] is not a Container Image")
       return
     end
-    unless rec.respond_to?(:annotate_deny_execution)
+    unless rec.respond_to?(:annotate_scan_policy_results)
       MiqPolicy.logger.error("#{error_prefix} ContainerImage is not linked with an OpenShift image")
       return
     end
 
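Review bot: The `container_image_annotate_allow_execution` and `container_image_annotate_deny_execution` rows remain in `miq_actions.csv` (this patch's csv hunk only adds a row) while the `action_*` methods behind them are deleted here. If seeded actions are dispatched to an `action_<name>` method by name, as the spec's direct call suggests, any existing policy content still bound to those two actions would fail with a missing method after this lands; either remove the rows and migrate existing policy content to `container_image_annotate_scan_results`, or keep thin `action_*` wrappers that delegate to the new method. A comment on the retained guard, `# annotate_scan_policy_results exists only on container images backed by an OpenShift image`, would also explain the "not linked" error to the next reader. The method body continues past this hunk.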
@@ -749,7 +740,7 @@ def openshift_container_image_annotate_method(action, rec, inputs, method_name)
     if inputs[:synchronous]
       MiqPolicy.logger.info("MIQ(#{__method__}): Now executing [#{action.description}] for event "\
                             "[#{inputs[:event].description}]")
-      rec.send(method_name.to_sym, inputs[:policy].name)
+      rec.annotate_scan_policy_results(inputs[:policy].name, inputs[:result])
     else
       MiqPolicy.logger.info("MIQ(#{__method__}): Queueing [#{action.description}] for event "\
                             "[#{inputs[:event].description}]")
@@ -757,8 +748,8 @@ def openshift_container_image_annotate_method(action, rec, inputs, method_name)
         :service => "ems_operations",
         :affinity => rec.ext_management_system,
         :class_name => rec.class.name,
-        :method_name => method_name,
-        :args => inputs[:policy].name,
+        :method_name => :annotate_scan_policy_results,
+        :args => [inputs[:policy].name, inputs[:result]],
         :instance_id => rec.id,
         :priority => MiqQueue::HIGH_PRIORITY,
       )
diff --git a/db/fixtures/miq_actions.csv b/db/fixtures/miq_actions.csv
index 8b806c9a6f0..f0a9a32dcc5 100644
--- a/db/fixtures/miq_actions.csv
+++ b/db/fixtures/miq_actions.csv
@@ -12,6 +12,7 @@ prevent,Prevent current event from proceeding
 container_image_analyze,Initiate SmartState Analysis for Container Image
 container_image_annotate_deny_execution,Prevent container image from running on OpenShift
 container_image_annotate_allow_execution,Mark container image as safe for running on OpenShift
+container_image_annotate_scan_results,Annotate image with scan results and execution prevention status
 vm_start,Start Virtual Machine
 vm_stop,Stop Virtual Machine
 vm_suspend,Suspend Virtual Machine
diff --git a/db/fixtures/miq_policy_sets.yml b/db/fixtures/miq_policy_sets.yml
index d2c5b4e910c..f1fb7c609a4 100644
--- a/db/fixtures/miq_policy_sets.yml
+++ b/db/fixtures/miq_policy_sets.yml
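Review bot: `inputs[:result]` is a new input that the synchronous call on the `+` line and the queued `:args` in the next hunk both pass straight through, and neither branch checks it was supplied; the spec in this patch invokes the action with only `:event`, and on an image that does respond to `annotate_scan_policy_results` such a call would hand nil through as the result when `:result` is absent and raise on `.name` when `:policy` is absent. The method already returns after logging `error_prefix` when `rec` is the wrong type or lacks the method, so add a guard of the same shape before `if inputs[:synchronous]`: `if inputs[:policy].nil? || inputs[:result].nil?`, log `"#{error_prefix} policy or result missing from inputs"`, then `return`. Both hunks lie inside `action_container_image_annotate_scan_results`, whose start is outside them.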
@@ -50,8 +50,8 @@
         default:
         enabled:
       MiqAction:
-        name: container_image_annotate_deny_execution
-        description: Prevent container image from running on OpenShift
+        name: container_image_annotate_scan_results
+        description: Annotate image with scan results and execution prevention status
         action_type: default
         options: {}
     - qualifier: success
@@ -65,8 +65,8 @@
         default:
         enabled:
       MiqAction:
-        name: container_image_annotate_allow_execution
-        description: Mark container image as safe for running on OpenShift
+        name: container_image_annotate_scan_results
+        description: Annotate image with scan results and execution prevention status
         action_type: default
         options: {}
     Condition:
diff --git a/spec/models/miq_action_spec.rb b/spec/models/miq_action_spec.rb
index 474631ebd3f..90cca62a1cb 100644
--- a/spec/models/miq_action_spec.rb
+++ b/spec/models/miq_action_spec.rb
@@ -218,14 +218,14 @@
     end
   end
 
-  context "#action_container_image_annotate_deny_execution" do
+  context "#action_container_image_annotate_scan_results" do
     let(:container_image) { FactoryGirl.create(:container_image) }
     let(:event) { FactoryGirl.create(:miq_event_definition, :name => "whatever") }
     let(:action) { FactoryGirl.create(:miq_action, :name => "container_image_annotate_deny_execution") }
 
     it "will not annotate if the method is unavailable" do
       expect(MiqQueue).to receive(:put).exactly(0).times
-      action.action_container_image_annotate_deny_execution(action, container_image, :event => event)
+      action.action_container_image_annotate_scan_results(action, container_image, :event => event)
     end
   end
 
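Review bot: The `let(:action)` fixture still builds the action as `container_image_annotate_deny_execution`, a name whose `action_*` method this patch deletes, and the single example only exercises the early return for an image that does not respond to `annotate_scan_policy_results`, so the new `inputs[:result]` argument and the two-element `:args` array queued in the asynchronous branch are not covered. Rename the fixture, `let(:action) { FactoryGirl.create(:miq_action, :name => "container_image_annotate_scan_results") }`, and add examples with an image that does respond to the method: one calling the action with `:synchronous => true`, a policy and a result (constructed values) and expecting the method to receive `[policy.name, result]`, and one without `:synchronous` expecting `MiqQueue.put` with `:method_name => :annotate_scan_policy_results` and the same `:args`. The `context` block closes within the hunk; the surrounding `describe` does not.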