Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Take selectors into use in executor #4004

Merged
merged 7 commits into from
Jul 26, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 16 additions & 3 deletions cmd/dev/app/rule_type/rttst.go
Original file line number Diff line number Diff line change
Expand Up @@ -203,14 +203,27 @@ func testCmdRun(cmd *cobra.Command, _ []string) error {
func getProfileSelectors(entType minderv1.Entity, profile *minderv1.Profile) (selectors.Selection, error) {
selectorEnv := selectors.NewEnv()

profSel, err := selectorEnv.NewSelectionFromProfile(entType, profile.Selection)
profSel, err := selectorEnv.NewSelectionFromProfile(entType, modelSelectionFromProfileSelector(profile.Selection))
if err != nil {
return nil, fmt.Errorf("error creating selectors: %w", err)
}

return profSel, nil
}

func modelSelectionFromProfileSelector(sel []*minderv1.Profile_Selector) []models.ProfileSelector {
modSel := make([]models.ProfileSelector, 0, len(sel))
for _, s := range sel {
ms := models.ProfileSelector{
Entity: minderv1.EntityFromString(s.Entity),
Selector: s.Selector,
}
modSel = append(modSel, ms)
}

return modSel
}

func getEiwFromFile(ruletype *minderv1.RuleType, epath string) (*entities.EntityInfoWrapper, error) {
entType := minderv1.EntityFromString(ruletype.Def.InEntity)
ent, err := readEntityFromFile(epath, entType)
Expand Down Expand Up @@ -301,7 +314,7 @@ func selectAndEval(
return fmt.Errorf("error converting entity to selector entity")
}

selected, err := profileSelectors.Select(selEnt)
selected, matchedSelector, err := profileSelectors.Select(selEnt)
if err != nil {
return fmt.Errorf("error selecting entity: %w", err)
}
Expand All @@ -310,7 +323,7 @@ func selectAndEval(
if selected {
evalErr = eng.Eval(ctx, inf, evalStatus)
} else {
evalErr = errors.NewErrEvaluationSkipped("entity not selected by selectors")
evalErr = errors.NewErrEvaluationSkipped("entity not selected by selector %s", matchedSelector)
}

return evalErr
Expand Down
4 changes: 2 additions & 2 deletions database/mock/store.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

13 changes: 12 additions & 1 deletion database/query/profiles.sql
Original file line number Diff line number Diff line change
Expand Up @@ -126,6 +126,17 @@ GROUP BY r.entity_type;
SELECT COUNT(*) AS num_named_profiles FROM profiles WHERE lower(name) = lower(sqlc.arg(name));

-- name: BulkGetProfilesByID :many
SELECT *
WITH helper AS(
SELECT pr.id as profid,
ARRAY_AGG(ROW(ps.id, ps.profile_id, ps.entity, ps.selector, ps.comment)::profile_selector) AS selectors
FROM profiles pr
JOIN profile_selectors ps
ON pr.id = ps.profile_id
WHERE pr.id = ANY(sqlc.arg(profile_ids)::UUID[])
GROUP BY pr.id
)
SELECT sqlc.embed(profiles),
helper.selectors::profile_selector[] AS profiles_with_selectors
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this is too hairy, we can instead just loop over the profiles and do a get for each profile

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

on the other hand, having everything in a single call is probably safer in the long run

FROM profiles
LEFT JOIN helper ON profiles.id = helper.profid
WHERE id = ANY(sqlc.arg(profile_ids)::UUID[]);
49 changes: 33 additions & 16 deletions internal/db/profiles.sql.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

38 changes: 38 additions & 0 deletions internal/db/profiles_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -225,6 +225,14 @@ func findRowWithLabels(t *testing.T, rows []ListProfilesByProjectIDAndLabelRow,
return slices.IndexFunc(rows, matchIdWithListLabelRow(t, id))
}

func findBulkRow(t *testing.T, rows []BulkGetProfilesByIDRow, id uuid.UUID) int {
t.Helper()

return slices.IndexFunc(rows, func(r BulkGetProfilesByIDRow) bool {
return r.Profile.ID == id
})
}

func TestProfileListWithSelectors(t *testing.T) {
t.Parallel()

Expand Down Expand Up @@ -301,6 +309,36 @@ func TestProfileListWithSelectors(t *testing.T) {
require.Len(t, multiResult[0].ProfilesWithSelectors, 3)
require.Subset(t, multiResult[0].ProfilesWithSelectors, []ProfileSelector{mulitSel1, mulitSel2, mulitSel3})
})

t.Run("Bulk get profiles by ID with selectors", func(t *testing.T) {
t.Parallel()

profileIDs := []uuid.UUID{
noSelectors.ID, oneSelectorProfile.ID, multiSelectorProfile.ID, genericSelectorProfile.ID,
}

rows, err := testQueries.BulkGetProfilesByID(context.Background(), profileIDs)
require.NoError(t, err)
require.Len(t, rows, len(profileIDs))

noSelIdx := findBulkRow(t, rows, noSelectors.ID)
require.True(t, noSelIdx >= 0, "noSelectors not found in rows")
require.Empty(t, rows[noSelIdx].ProfilesWithSelectors)

oneSelIdx := findBulkRow(t, rows, oneSelectorProfile.ID)
require.True(t, oneSelIdx >= 0, "oneSelector not found in rows")
require.Len(t, rows[oneSelIdx].ProfilesWithSelectors, 1)
require.Contains(t, rows[oneSelIdx].ProfilesWithSelectors, oneSel)

multiSelIdx := findBulkRow(t, rows, multiSelectorProfile.ID)
require.True(t, multiSelIdx >= 0, "multiSelectorProfile not found in rows")
require.Len(t, rows[multiSelIdx].ProfilesWithSelectors, 3)
require.Subset(t, rows[multiSelIdx].ProfilesWithSelectors, []ProfileSelector{mulitSel1, mulitSel2, mulitSel3})

genSelIdx := findBulkRow(t, rows, genericSelectorProfile.ID)
require.Len(t, rows[genSelIdx].ProfilesWithSelectors, 1)
require.Contains(t, rows[genSelIdx].ProfilesWithSelectors, genericSel)
})
}

func TestProfileLabels(t *testing.T) {
Expand Down
2 changes: 1 addition & 1 deletion internal/db/querier.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

53 changes: 50 additions & 3 deletions internal/engine/executor.go
Original file line number Diff line number Diff line change
Expand Up @@ -32,11 +32,13 @@ import (
"github.com/stacklok/minder/internal/engine/ingestcache"
engif "github.com/stacklok/minder/internal/engine/interfaces"
"github.com/stacklok/minder/internal/engine/rtengine"
"github.com/stacklok/minder/internal/engine/selectors"
"github.com/stacklok/minder/internal/history"
minderlogger "github.com/stacklok/minder/internal/logger"
"github.com/stacklok/minder/internal/profiles"
"github.com/stacklok/minder/internal/profiles/models"
"github.com/stacklok/minder/internal/providers/manager"
provsel "github.com/stacklok/minder/internal/providers/selectors"
pb "github.com/stacklok/minder/pkg/api/protobuf/go/minder/v1"
provinfv1 "github.com/stacklok/minder/pkg/providers/v1"
)
Expand All @@ -55,6 +57,7 @@ type executor struct {
historyService history.EvaluationHistoryService
featureFlags openfeature.IClient
profileStore profiles.ProfileStore
selBuilder selectors.SelectionBuilder
}

// NewExecutor creates a new executor
Expand All @@ -65,6 +68,7 @@ func NewExecutor(
historyService history.EvaluationHistoryService,
featureFlags openfeature.IClient,
profileStore profiles.ProfileStore,
selBuilder selectors.SelectionBuilder,
) Executor {
return &executor{
querier: querier,
Expand All @@ -73,6 +77,7 @@ func NewExecutor(
historyService: historyService,
featureFlags: featureFlags,
profileStore: profileStore,
selBuilder: selBuilder,
}
}

Expand Down Expand Up @@ -131,10 +136,15 @@ func (e *executor) EvalEntityEvent(ctx context.Context, inf *entities.EntityInfo
return fmt.Errorf("error while retrieving profiles and rule instances: %w", err)
}

// For each profile, evaluate each rule and store the outcome in the database
// For each profile, get the profileEvalStatus first. Then, if the profileEvalStatus is nil
// evaluate each rule and store the outcome in the database. If profileEvalStatus is non-nil,
// just store it for all rules without evaluation.
for _, profile := range profileAggregates {

profileEvalStatus := e.profileEvalStatus(ctx, provider, inf, profile)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@JAORMX I called the variable actually profileEvalStatus, but "profile-override status" in the comment. I'll fix the naming since it's confusing.


for _, rule := range profile.Rules {
if err := e.evaluateRule(ctx, inf, provider, &profile, &rule, ruleEngineCache); err != nil {
if err := e.evaluateRule(ctx, inf, provider, &profile, &rule, ruleEngineCache, profileEvalStatus); err != nil {
return fmt.Errorf("error evaluating entity event: %w", err)
}
}
Expand All @@ -150,6 +160,7 @@ func (e *executor) evaluateRule(
profile *models.ProfileAggregate,
rule *models.RuleInstance,
ruleEngineCache rtengine.Cache,
profileEvalStatus error,
) error {
// Create eval status params
evalParams, err := e.createEvalStatusParams(ctx, inf, profile, rule)
Expand All @@ -176,7 +187,12 @@ func (e *executor) evaluateRule(
defer e.updateLockLease(ctx, *inf.ExecutionID, evalParams)

// Evaluate the rule
evalErr := ruleEngine.Eval(ctx, inf, evalParams)
var evalErr error
if profileEvalStatus != nil {
evalErr = profileEvalStatus
} else {
evalErr = ruleEngine.Eval(ctx, inf, evalParams)
}
evalParams.SetEvalErr(evalErr)

// Perform actionEngine, if any
Expand All @@ -190,6 +206,37 @@ func (e *executor) evaluateRule(
return e.createOrUpdateEvalStatus(ctx, evalParams)
}

func (e *executor) profileEvalStatus(
ctx context.Context,
provider provinfv1.Provider,
eiw *entities.EntityInfoWrapper,
aggregate models.ProfileAggregate,
) error {
// so far this function only handles selectors. In the future we can extend it to handle other
// profile-global evaluations

selection, err := e.selBuilder.NewSelectionFromProfile(eiw.Type, aggregate.Selectors)
if err != nil {
return fmt.Errorf("error creating selection from profile: %w", err)
}

selEnt := provsel.EntityToSelectorEntity(ctx, provider, eiw.Type, eiw.Entity)
if selEnt == nil {
return fmt.Errorf("error converting entity to selector entity")
}

selected, matchedSelector, err := selection.Select(selEnt)
if err != nil {
return fmt.Errorf("error selecting entity: %w", err)
}

if !selected {
return evalerrors.NewErrEvaluationSkipped("entity not applicable due to profile selector %s", matchedSelector)
}

return nil
}

func (e *executor) updateLockLease(
ctx context.Context,
executionID uuid.UUID,
Expand Down
32 changes: 24 additions & 8 deletions internal/engine/executor_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@ import (
"github.com/stacklok/minder/internal/engine/actions/alert"
"github.com/stacklok/minder/internal/engine/actions/remediate"
"github.com/stacklok/minder/internal/engine/entities"
mock_selectors "github.com/stacklok/minder/internal/engine/selectors/mock"
"github.com/stacklok/minder/internal/flags"
mockhistory "github.com/stacklok/minder/internal/history/mock"
"github.com/stacklok/minder/internal/logger"
Expand Down Expand Up @@ -187,15 +188,17 @@ func TestExecutor_handleEntityEvent(t *testing.T) {
// list one profile
mockStore.EXPECT().
BulkGetProfilesByID(gomock.Any(), []uuid.UUID{profileID}).
Return([]db.Profile{
Return([]db.BulkGetProfilesByIDRow{
{
ID: profileID,
Name: "test-profile",
ProjectID: projectID,
CreatedAt: time.Now(),
UpdatedAt: time.Now(),
Alert: db.NullActionType{Valid: true, ActionType: db.ActionTypeOff},
Remediate: db.NullActionType{Valid: true, ActionType: db.ActionTypeOff},
Profile: db.Profile{
ID: profileID,
Name: "test-profile",
ProjectID: projectID,
CreatedAt: time.Now(),
UpdatedAt: time.Now(),
Alert: db.NullActionType{Valid: true, ActionType: db.ActionTypeOff},
Remediate: db.NullActionType{Valid: true, ActionType: db.ActionTypeOff},
},
},
}, nil)

Expand Down Expand Up @@ -355,13 +358,26 @@ default allow = true`,
return fn(mockStore)
})

mockSelection := mock_selectors.NewMockSelection(ctrl)
mockSelection.EXPECT().
Select(gomock.Any(), gomock.Any()).
Return(true, "", nil).
AnyTimes()

mockSelectionBuilder := mock_selectors.NewMockSelectionBuilder(ctrl)
mockSelectionBuilder.EXPECT().
NewSelectionFromProfile(gomock.Any(), gomock.Any()).
Return(mockSelection, nil).
AnyTimes()

executor := engine.NewExecutor(
mockStore,
providerManager,
execMetrics,
historyService,
&flags.FakeClient{},
profiles.NewProfileStore(mockStore),
mockSelectionBuilder,
)

eiw := entities.NewEntityInfoWrapper().
Expand Down
Loading