Description of problem:
False conditions are saved as true conditions for Events policies

How reproducible:
Always

Steps to Reproduce:
1. Create a Container Image Compliance Policy
2. Add to that policy a compliance event
3. Add to that event a condition with the following expression:
   Container Image : Name REGULAR EXPRESSION DOES NOT MATCH "foo"
4. Assign it to created policy
5. Assign the policy to a container image
6. Run a compliance scan to the assigned image

Actual results:
After a few minutes the container image page shows that the image is compliant

Expected results:
The scan should show that the scan is not compliant because the name did not match "foo"

Additional info:
The bug happens because the conditions weren't properly saved. Check the qualifier field:

Policy generated in UI:
#<MiqPolicyContent:0x0055e684c01dc0> {
    :id => 1000000000316,
    :miq_policy_id => 1000000000003,
    :miq_action_id => 1000000000033,
    :miq_event_definition_id => 1000000000131,
    :created_on => Wed, 22 Mar 2017 09:54:28 UTC +00:00,
    :updated_on => Wed, 22 Mar 2017 09:54:28 UTC +00:00,
    :qualifier => "success",
    :success_sequence => 1,
    :failure_sequence => nil,
    :success_synchronous => nil,
    :failure_synchronous => nil
}

Out of the box policy:
#<MiqPolicyContent:0x0055e684c228b8> {
    :id => 1000000000313,
    :miq_policy_id => 1000000000001,
    :miq_action_id => 1000000000032,
    :miq_event_definition_id => 1000000000133,
    :created_on => Wed, 22 Mar 2017 09:54:28 UTC +00:00,
    :updated_on => Wed, 22 Mar 2017 09:54:28 UTC +00:00,
    :qualifier => "failure",
    :success_sequence => nil,
    :failure_sequence => 1,
    :success_synchronous => nil,
    :failure_synchronous => nil
}
Created attachment 1265396: policies1
Created attachment 1265397: policies2
Please include policy.log (demonstrating false => "if true" actions run, true => "if false" actions run).
Also please include rails console output for:
> p = MiqPolicy.find_by(description: 'PavelTest')
> pp p.miq_policy_contents
Policy log:
[----] I, [2017-03-22T09:14:29.926531 #2998:1728c28] INFO -- : MIQ(policy-enforce_policy): Event: [containerimage_compliance_check], To: [jboss-decisionserver-6/decisionserver62-openshift]
[----] I, [2017-03-22T09:14:29.948362 #2998:1728c28] INFO -- : MIQ(policy-enforce_policy): Resolving policy [PavelTest]...
[----] I, [2017-03-22T09:14:29.954436 #2998:1728c28] INFO -- : MIQ(condition-eval): Name: PavelCondition2, Expression evaluation result: [false]
[----] I, [2017-03-22T09:14:29.962309 #2998:1728c28] INFO -- : MIQ(action-invoke) Invoking action [Mark as Non-Compliant] for failed policy [PavelTest], event: [Container Image Compliance Check], entity name: [jboss-decisionserver-6/decisionserver62-openshift], entity type: [Container Image], sequence: [1], synchronous? [true]
[----] I, [2017-03-22T09:14:29.962458 #2998:1728c28] INFO -- : MIQ(action_compliance_failed): Now executing [Mark as Non-Compliant] of ContainerImage [jboss-decisionserver-6/decisionserver62-openshift]
[----] I, [2017-03-22T09:14:29.962639 #2998:1728c28] INFO -- : MIQ(action-invoke) Invoking action [Prevent container image from running on OpenShift] for failed policy [PavelTest], event: [Container Image Compliance Check], entity name: [jboss-decisionserver-6/decisionserver62-openshift], entity type: [Container Image], sequence: [2], synchronous? [true]
[----] I, [2017-03-22T09:14:29.962859 #2998:1728c28] INFO -- : MIQ(action_container_image_annotate_deny_execution): Now executing [Prevent container image from running on OpenShift] for event [Container Image Compliance Check]
Created attachment 1265402: RailConsoleLog
Created attachment 1265403: evm.log
I just created a compliance policy and got the expected result.
The action "mark as non compliant" is written under:
  Order of Actions if ANY Conditions are False
Your condition is:
  Name REGULAR EXPRESSION DOES NOT MATCH "foo"
that is true - the name does not match "foo"
and so the object is compliant.
The log in 1434833#c5 also looks good:
  Expression evaluation result: [false]
  Now executing [Mark as Non-Compliant]
Please close as NOTABUG.
Sorry if I'm being dense.
> Your condition is:
> Name REGULAR EXPRESSION DOES NOT MATCH "foo"
> that is true - the name does not match "foo"
> and so the object is compliant.
> The log in 1434833#c5 also looks good:
> Expression evaluation result: [false]
> Now executing [Mark as Non-Compliant]
So condition was supposed to be true, but evaluation result = false, and it executed the "if False" action? And a should-be-compliant object was marked non-compliant?
(Lucy's test does look better)
Beni,
> So condition was supposed to be true, but evaluation result = false, and it
> executed the "if False" action?
Compliance policy can have actions for true/false condition separately. You may have some action for true condition and other action for false condition.
> And a should-be-compliant object was marked non-compliant?
This seems not the case.
Beni, maybe the cause for misunderstanding is that the log in 1434833#c5 isn't a result of the evaluation described in the bug description. I was referring to the two separately.
BTW while testing I also saw that the OOTB policies we discussed (not related to this bug though) are also presented correctly in the UI that knows how to handle qualifier => "failure" conditions differently.
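
The following is an added example, not part of the thread and not ManageIQ code: a simplified Ruby model of the point under discussion, where a negated regex condition is evaluated first and the result then selects the action list by qualifier ("success" or "failure"). The struct, method names, the sample action list and the "openshift" pattern are constructed for illustration; the image name comes from the policy log above.

```ruby
# Simplified model of the behaviour discussed in this thread.
# All names here are hypothetical; this is not the ManageIQ implementation.
PolicyContent = Struct.new(:action, :qualifier, :sequence)

# "Name REGULAR EXPRESSION DOES NOT MATCH <pattern>":
# the condition is TRUE when the name does NOT match the pattern.
def name_does_not_match?(name, pattern)
  !name.match?(Regexp.new(pattern))
end

# Select the actions whose qualifier corresponds to the evaluation result,
# ordered by sequence number (as the "sequence: [1]", "[2]" log fields suggest).
def actions_to_run(contents, condition_result)
  wanted = condition_result ? "success" : "failure"
  contents.select { |c| c.qualifier == wanted }
          .sort_by(&:sequence)
          .map(&:action)
end

# Evaluate the condition, then dispatch on its result.
def run_check(name, pattern, contents)
  result = name_does_not_match?(name, pattern)
  { result: result, actions: actions_to_run(contents, result) }
end

# Image name taken from the policy log in this thread.
IMAGE = "jboss-decisionserver-6/decisionserver62-openshift"

# Constructed policy: both actions sit under
# "Order of Actions if ANY Conditions are False" (qualifier "failure").
CONTENTS = [
  PolicyContent.new("Prevent container image from running on OpenShift", "failure", 2),
  PolicyContent.new("Mark as Non-Compliant", "failure", 1)
].freeze

if __FILE__ == $PROGRAM_NAME
  # Name does not contain "foo": condition is true, so no "failure" action runs.
  p run_check(IMAGE, "foo", CONTENTS)
  # Constructed pattern that does match the name: condition is false,
  # so both "failure" actions run in sequence order.
  p run_check(IMAGE, "openshift", CONTENTS)
end
```

With the condition from the bug description, the negated match is true for this image name, so an action filed under the "failure" qualifier never fires; to flag images whose name does not match "foo", the action would have to be listed under the true branch or the condition inverted.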