
NextStepManager.GetNextStep counts all previous actions taken against a resource even if they don't apply to a certain Policy #444

Open
jacob-kinzer opened this issue Jun 3, 2020 · 3 comments
Assignees
Labels
bug Something isn't working

Comments

@jacob-kinzer

Rule Engine

  • OS Type: Linux
  • Java version: 1.8

Summary

During the fixing of an existing resource that violates a policy, the rule engine checks the number of actions already taken against the resource to determine whether the property:

pacman.auto.fix.max.email.notifications

has been reached. Once the max email notifications have been reached, the fix method is invoked and applied.

If you have a resource that is a routine offender, the following steps could occur:

  • Resource in violation created
  • Resource found by policy in violation
  • After max emails sent, Resource is fixed (in this case say deleted)
  • Resource with same identifier recreated
  • Resource found by policy in violation
  • Fix will pull the last actions based on compliance/v1/get-last-action/?resourceId=$resourceId,
    which will pull the actions taken on the first instance of the resource created.
  • Autofix will invoke the fix method without sending notifications

Reproduce steps

  • Create a resource that violates a policy where the fix is something like destroying the resource.
  • Once the resource has been destroyed by the policy, recreate it with the same violation and resourceId
  • Resource will be destroyed without any notification emails sent about the second instance of the resource

Expected Results

  • Violated resource is sent notification emails up to the max notification property
  • executeFix executed
  • Resource recreated
  • Violated resource is sent notification emails up to the max notification property
  • executeFix executed

Actual Results

  • Violated resource is sent notification emails up to the max notification property
  • executeFix executed
  • Resource recreated
  • executeFix executed

This can also occur if you have two different policies acting on the same resource type and a certain resourceId is in violation of both policies. Example where the max notification is set to 2:

  • Resource in violation of two different policies
  • Policy 1 runs, create issue, sends 1 notification
  • Policy 2 runs, creates issue, sends 1 notification
  • Policy 1 runs again, pulls get-last-actions, sees 2 emails sent for resourceId, executes executeFix early

Whereas you would expect each policy to send individual notifications of up to 2 each.

It looks like this is mostly caused by the pac_rule_engine_autofix_actions table not having any reference to which annotation/issue/autofixplan the actions relate to. Because the table is just resourceId, lastActionTime, action, there is no way to identify which policies did which actions, and therefore all past actions are counted against the resource during getNextStep.

I could see an additional column being added to pac_rule_engine_autofix_actions to correlate a certain action to a certain annotation/issue/autofixplan, so that when AutoFixManager calls NextStepManager.GetNextStep, the lastActions list would only be filled with actions that applied to the current issue/annotation/autofixplan execution.

Although that is only a rough thought and maybe you guys know of/have a better way for this to be solved.

Let me know if I can explain anything in more detail.
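The two scenarios in the report, as an added Python model (not code from the PacBot project, and not the reporter's code): it keeps an in-memory stand-in for the pac_rule_engine_autofix_actions rows (resourceId, lastActionTime, action) and runs the same getNextStep decision twice, once counting every action recorded for the resourceId (the behaviour described above) and once with a hypothetical extra column that ties each action to the issue it was taken for (the proposed fix). The names AutofixActionLog, run_policy, the scenario functions, the resource id "sg-abc123" and the issue ids are all invented here; it also assumes that a recreated resource is tracked under a new issue id, which the report does not state.

```python
"""Model of how counting past autofix actions decides the next step.

Hypothetical example, not PacBot code. The real table only has
(resourceId, lastActionTime, action); the issue_id column below is the
correlation column the issue proposes, not something the project has.
"""
from dataclasses import dataclass
from typing import List, Optional

EMAIL = "EMAIL"   # send a notification email
FIX = "FIX"       # invoke executeFix


@dataclass
class ActionRow:
    resource_id: str
    last_action_time: int
    action: str
    issue_id: Optional[str]  # hypothetical column; None in the current schema


class AutofixActionLog:
    """Stand-in for pac_rule_engine_autofix_actions."""

    def __init__(self) -> None:
        self.rows: List[ActionRow] = []
        self.clock = 0

    def record(self, resource_id: str, action: str, issue_id: Optional[str]) -> None:
        self.clock += 1
        self.rows.append(ActionRow(resource_id, self.clock, action, issue_id))

    def last_actions(self, resource_id: str, issue_id: Optional[str]) -> List[ActionRow]:
        """issue_id=None mirrors the reported behaviour: every action ever
        recorded for the resourceId is returned, whichever issue it belonged to."""
        return [r for r in self.rows
                if r.resource_id == resource_id
                and (issue_id is None or r.issue_id == issue_id)]


def get_next_step(last_actions: List[ActionRow], max_email_notifications: int) -> str:
    """Email until the max has been sent, then fix."""
    emails_sent = sum(1 for r in last_actions if r.action == EMAIL)
    return FIX if emails_sent >= max_email_notifications else EMAIL


def run_policy(log: AutofixActionLog, resource_id: str, issue_id: str,
               max_emails: int, correlate: bool) -> str:
    """One policy run against one violating resource. With correlate=False the
    lookup ignores issue_id (the bug); with correlate=True only this issue's
    actions are counted (the proposed fix)."""
    scope = issue_id if correlate else None
    step = get_next_step(log.last_actions(resource_id, scope), max_emails)
    log.record(resource_id, step, issue_id)  # the row is always written with its issue
    return step


def scenario_recreated_resource(correlate: bool, max_emails: int = 2) -> List[str]:
    """Resource fixed (deleted), then recreated with the same resourceId.
    Assumption: the recreated resource is tracked under a new issue id."""
    log, rid, steps = AutofixActionLog(), "sg-abc123", []
    for issue in ("issue-1", "issue-2"):
        if issue == "issue-2":
            steps.append("recreated")
        while True:
            step = run_policy(log, rid, issue, max_emails, correlate)
            steps.append(step)
            if step == FIX:
                break
    return steps


def scenario_two_policies(correlate: bool, max_emails: int = 2) -> List[str]:
    """Two policies each open their own issue on the same resourceId."""
    log, rid = AutofixActionLog(), "sg-abc123"
    return [
        run_policy(log, rid, "policy1-issue", max_emails, correlate),
        run_policy(log, rid, "policy2-issue", max_emails, correlate),
        run_policy(log, rid, "policy1-issue", max_emails, correlate),  # early FIX when uncorrelated
    ]


if __name__ == "__main__":
    for name, fn in (("recreated resource", scenario_recreated_resource),
                     ("two policies", scenario_two_policies)):
        print(f"{name:20s} counting by resourceId only: {fn(False)}")
        print(f"{name:20s} counting per issue:          {fn(True)}")
```

Run as a script, the first scenario shows the second instance of the resource going straight to FIX with no email when actions are counted by resourceId alone, and EMAIL, EMAIL, FIX once they are scoped to the issue; the second shows policy 1 fixing on its second run after only one email of its own, because policy 2's email was counted against it.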

@kaykumar kaykumar self-assigned this Jun 4, 2020
@kaykumar kaykumar added the bug Something isn't working label Jun 4, 2020
@kaykumar
Collaborator

kaykumar commented Jun 4, 2020

@jacob-kinzer acknowledged, this is a bug, and we will fix it in the next release.

@jacob-kinzer
Author

@kaykumar Sounds good. Is there any tentative date for the next release? I understand it's hard to pin down actual releases, so I obviously wouldn't expect it to be accurate. But if you have an idea, like it's planned for the end of Q3, that might help us decide on how we want to proceed.

Thanks for the response!

@jacob-kinzer
Author

@kaykumar Any thoughts on when the next release might be that might include this fix?

Thanks!

@varadh10 varadh10 self-assigned this Jan 20, 2024

No branches or pull requests

3 participants