Bug 1434833

Summary: Policies --> Conditions for events are being saved Inverted
Product: Red Hat CloudForms Management Engine Reporter: Pavel Zagalsky <pzagalsk>
Component: ControlAssignee: Greg McCullough <gmccullo>
Status: CLOSED NOTABUG QA Contact: Dave Johnson <dajohnso>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 5.8.0CC: cben, jhardy, lufu, mtayer, obarenbo
Target Milestone: GA   
Target Release: cfme-future   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-03-22 18:04:06 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1371225    
Attachments:
Description Flags
policies1
none
policies2
none
RailConsoleLog
none
evm.log none

Description Pavel Zagalsky 2017-03-22 12:55:22 UTC 
Description of problem:

False conditions are saved as true conditions for Events policies


How reproducible:
Always

Steps to Reproduce:
1. Create a Container Image Compliance Policy
2. Add to that policy a compliance event
3. Add to that event a condition with the following expression: Container Image : Name REGULAR EXPRESSION DOES NOT MATCH "foo"
4. Assign it to created policy
5. Assign the policy to a container image
6. Run a compliance scan to the assigned image

Actual results:
After a few minutes the container image page shows that the image is compliant

Expected results:
The scan should show that the scan is not compliant because the name did not match "foo"

Additional info:
The bug happens because the conditions weren't properly saved. 
Check the qualifier field:

Policy generated in UI:

#<MiqPolicyContent:0x0055e684c01dc0> {
                         :id => 1000000000316,
              :miq_policy_id => 1000000000003,
              :miq_action_id => 1000000000033,
    :miq_event_definition_id => 1000000000131,
                 :created_on => Wed, 22 Mar 2017 09:54:28 UTC +00:00,
                 :updated_on => Wed, 22 Mar 2017 09:54:28 UTC +00:00,
                  :qualifier => "success",
           :success_sequence => 1,
           :failure_sequence => nil,
        :success_synchronous => nil,
        :failure_synchronous => nil
}

Out of the box policy:

#<MiqPolicyContent:0x0055e684c228b8> {
                         :id => 1000000000313,
              :miq_policy_id => 1000000000001,
              :miq_action_id => 1000000000032,
    :miq_event_definition_id => 1000000000133,
                 :created_on => Wed, 22 Mar 2017 09:54:28 UTC +00:00,
                 :updated_on => Wed, 22 Mar 2017 09:54:28 UTC +00:00,
                  :qualifier => "failure",
           :success_sequence => nil,
           :failure_sequence => 1,
        :success_synchronous => nil,
        :failure_synchronous => nil
}
Comment 2 Pavel Zagalsky 2017-03-22 12:57:47 UTC 
Created attachment 1265396 [details]
policies1
Comment 3 Pavel Zagalsky 2017-03-22 12:58:14 UTC 
Created attachment 1265397 [details]
policies2
Comment 4 Beni Paskin-Cherniavsky 2017-03-22 13:01:19 UTC 
Please include policy.log (demonstrating false => "if true" actions run, true => "if false" actions run).
Also please include rails console output for:

> p = MiqPolicy.find_by(description: 'PavelTest')
> pp p.miq_policy_contents
Comment 5 Pavel Zagalsky 2017-03-22 13:19:23 UTC 
Policy log:


[----] I, [2017-03-22T09:14:29.926531 #2998:1728c28]  INFO -- : MIQ(policy-enforce_policy): Event: [containerimage_compliance_check], To: [jboss-decisionserver-6/decisionserver62-openshift]
[----] I, [2017-03-22T09:14:29.948362 #2998:1728c28]  INFO -- : MIQ(policy-enforce_policy): Resolving policy [PavelTest]...
[----] I, [2017-03-22T09:14:29.954436 #2998:1728c28]  INFO -- : MIQ(condition-eval): Name: PavelCondition2, Expression evaluation result: [false]
[----] I, [2017-03-22T09:14:29.962309 #2998:1728c28]  INFO -- : MIQ(action-invoke) Invoking action [Mark as Non-Compliant] for failed policy [PavelTest], event: [Container Image Compliance Check], entity name: [jboss-decisionserver-6/decisionserver62-openshift], entity type: [Container Image], sequence: [1], synchronous? [true]
[----] I, [2017-03-22T09:14:29.962458 #2998:1728c28]  INFO -- : MIQ(action_compliance_failed): Now executing [Mark as Non-Compliant] of ContainerImage [jboss-decisionserver-6/decisionserver62-openshift]
[----] I, [2017-03-22T09:14:29.962639 #2998:1728c28]  INFO -- : MIQ(action-invoke) Invoking action [Prevent container image from running on OpenShift] for failed policy [PavelTest], event: [Container Image Compliance Check], entity name: [jboss-decisionserver-6/decisionserver62-openshift], entity type: [Container Image], sequence: [2], synchronous? [true]
[----] I, [2017-03-22T09:14:29.962859 #2998:1728c28]  INFO -- : MIQ(action_container_image_annotate_deny_execution): Now executing  [Prevent container image from running on OpenShift] for event [Container Image Compliance Check]
Comment 6 Pavel Zagalsky 2017-03-22 13:24:47 UTC 
Created attachment 1265402 [details]
RailConsoleLog
Comment 7 Pavel Zagalsky 2017-03-22 13:31:12 UTC 
Created attachment 1265403 [details]
evm.log
Comment 8 Mooli Tayer 2017-03-22 17:20:08 UTC 
I just create a compliance policy and got the expected result.

The action "mark as non complient" is written under:
Order of Actions if ANY Conditions are False

Your condition is:
Name REGULAR EXPRESSION DOES NOT MATCH "foo"
that is true - the name does not match "foo"
and so the object is complient.

The log in 1434833#c5 also looks good:
Expression evaluation result: [false]
Now executing [Mark as Non-Compliant]

Please close as NOTABUG.
Comment 10 Beni Paskin-Cherniavsky 2017-03-22 22:58:00 UTC 
Sorry if I'm being dense.

> Your condition is:
> Name REGULAR EXPRESSION DOES NOT MATCH "foo"
> that is true - the name does not match "foo"
> and so the object is complient.

> The log in 1434833#c5 also looks good:
> Expression evaluation result: [false]
> Now executing [Mark as Non-Compliant]

So condition was supposed to be true, but evaluation result = false, and it executed the "if False" action?
And a should-be-compliant object was marked non-compliant?

(Lucy's test does look better)
Comment 11 Lucy Fu 2017-03-23 13:17:12 UTC 
Beni,
 
> So condition was supposed to be true, but evaluation result = false, and it
> executed the "if False" action?
Compliance policy can have actions for true/false condition separately.
You may have some action for true condition and other action for false condition.

> And a should-be-compliant object was marked non-compliant?
This seems not the case.
Comment 12 Mooli Tayer 2017-03-23 14:39:41 UTC 
Beni maybe the cause for misunderstanding is that the log in 1434833#c5 
isn't a result if the evaluation described in the bug description. I was referring to the two separately.

BTW while testing I also saw that the OOTB policies we discussed (not related to this bug though) are also presented correctly in the UI that knows how to handle
qualifier => "failure" conditions differently