From 6180370ebc1af298b83051277608dbd34fdabf0c Mon Sep 17 00:00:00 2001
From: Christian Zunker
Date: Wed, 28 Aug 2024 10:57:17 +0200
Subject: [PATCH] Include reporting jobs in graph execution checksum for resolved policy

Signed-off-by: Christian Zunker
---
 policy/reportingjob.go | 9 +++++++++
 policy/resolver.go | 27 ++++++++++++++++++---------
 2 files changed, 27 insertions(+), 9 deletions(-)

diff --git a/policy/reportingjob.go b/policy/reportingjob.go
index f7ebd675..4d08f486 100644
--- a/policy/reportingjob.go
+++ b/policy/reportingjob.go
@@ -37,5 +37,14 @@ func (r *ReportingJob) RefreshChecksum() {
 checksum = checksum.Add(notify[i])
 }
 }
+
+ {
+ mrns := make([]string, len(r.Mrns))
+ copy(mrns, r.Mrns)
+ sort.Strings(mrns)
+ for i := range mrns {
+ checksum = checksum.Add(mrns[i])
+ }
+ }
 r.Checksum = checksum.String()
 }
diff --git a/policy/resolver.go b/policy/resolver.go
index 4d9bea79..c4f064c0 100644
--- a/policy/resolver.go
+++ b/policy/resolver.go
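Review bot: Nothing is folded into the checksum between the end of the `notify` loop and the new `mrns` loop in `RefreshChecksum`, so the digest sees one flat run of strings and cannot tell which list an entry belongs to. For example, `notify=[a]`, `mrns=[b]` and `notify=[a, b]`, `mrns=[]` would feed the same sequence of `Add` calls and leave `r.Checksum` unchanged. A fixed tag before the loop, e.g. `checksum = checksum.Add("mrns")`, would separate the two sections. The function starts outside the hunk, so earlier framing may already exist; worth confirming. A short comment such as `// sort a copy so the checksum is order-independent and r.Mrns is not mutated` would also explain the `copy` and `sort.Strings` pair.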
@@ -650,21 +650,30 @@ func (s *LocalServices) tryResolve(ctx context.Context, bundleMrn string, assetF Str("bundle", bundleMrn). Msg("resolver> phase 5: resolve controls [ok]") - // phase 6: refresh all checksums - s.refreshChecksums(executionJob, collectorJob) - // the final phases are done in the DataLake for _, rj := range collectorJob.ReportingJobs { rj.RefreshChecksum() } + // phase 6: refresh all checksums + // This uses the ReportingJobs checksums, so calculate them first. + s.refreshChecksums(executionJob, collectorJob) + + // resolvedPolicyExecutionChecksum is the GraphExceutionChecksum of the policy and the framework + // it does not change if any of the jobs changes, only if the policy or the framework changes + rpChecksumInclJobs := checksums.New + rpChecksumInclJobs.Add(resolvedPolicyExecutionChecksum) + rpChecksumInclJobs.Add(executionJob.Checksum) + rpChecksumInclJobs.Add(collectorJob.Checksum) + resolvedPolicy := ResolvedPolicy{ - GraphExecutionChecksum: resolvedPolicyExecutionChecksum, - Filters: matchingFilters, - FiltersChecksum: assetFiltersChecksum, - ExecutionJob: executionJob, - CollectorJob: collectorJob, - ReportingJobUuid: reportingJob.Uuid, + GraphExecutionChecksum: rpChecksumInclJobs.String(), + // GraphExecutionChecksum: resolvedPolicyExecutionChecksum, + Filters: matchingFilters, + FiltersChecksum: assetFiltersChecksum, + ExecutionJob: executionJob, + CollectorJob: collectorJob, + ReportingJobUuid: reportingJob.Uuid, } err = s.DataLake.SetResolvedPolicy(ctx, bundleMrn, &resolvedPolicy, V2Code, false)
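Review bot: The three `rpChecksumInclJobs.Add(...)` calls in `tryResolve` discard their results. In policy/reportingjob.go what appears to be the same checksums type is used as `checksum = checksum.Add(mrns[i])`, which suggests `Add` returns the updated value instead of mutating the receiver. If so, `rpChecksumInclJobs.String()` is the same constant for every bundle, `GraphExecutionChecksum` stops changing when the policy, framework or jobs change, and a stale resolved policy could be treated as current. Chain or reassign the result, e.g. `rpChecksumInclJobs := checksums.New.Add(resolvedPolicyExecutionChecksum).Add(executionJob.Checksum).Add(collectorJob.Checksum)`. The comment above it still describes the old value ("does not change if any of the jobs changes") and misspells `GraphExecutionChecksum`, and the commented-out `// GraphExecutionChecksum: resolvedPolicyExecutionChecksum,` field should be dropped; `tryResolve` starts and ends outside the hunk.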