Normation · Normation-Quality-Assistant · Jun 18, 2024 · May 29, 2024
diff --git a/...s/rudder/rudder-core/src/main/resources/hooks.d/policy-generation-pre-start/hook-template b/...s/rudder/rudder-core/src/main/resources/hooks.d/policy-generation-pre-start/hook-template
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Use 'HOOK_WARN_TIMEOUT' or 'HOOK_KILL_TIMEOUT' *ABOVE THAT COMMENT* to specify a time after which a warning is emitted
+# or the hook is interrupted.
+# For example, 'HOOK_WARN_TIMEOUT' = 1 second (without quote, without text on the line after duration) will emit a warning if
+# the hook takes more than one second to run.
+
+# Parameters are passed by environment variable:
+#
+# - RUDDER_GENERATION_DATETIME: generation datetime: ISO-8601 YYYY-MM-ddTHH:mm:ss.sssZ date/time that identify that policy generation.
+
+# Errors code on hooks are interpreted as follow:
+# - 0     : success, no log (apart if debug one)          , continue to next hook
+# - 1-31  : error  , error   log in /var/log/rudder/webapp/, stop processing and stop policy generation
+# - 32-63 : warning, warning log in /var/log/rudder/webapp/, continue to next hook
+# - 64-255: reserved for future use case. Behavior may change without notice.
+
+exit 0
diff --git a/.../rudder-core/src/main/resources/hooks.d/policy-generation-pre-start/readme.adoc b/.../rudder-core/src/main/resources/hooks.d/policy-generation-pre-start/readme.adoc
@@ -0,0 +1,16 @@
+= policy-generation-pre-start
+
+== When/What ?
+
+This directory contains hooks executed before policy generation.
+
+Typically, these hooks are used to check the integrity of techniques.
+
+An error during the execution in one of them will stop policy generation, preventing deployment of new policies until the hook succeeds.
+
+== Parameters
+
+Hooks parameters are passed by environment variable:
+
+- RUDDER_GENERATION_DATETIME: generation datetime: ISO-8601
+YYYY-MM-ddTHH:mm:ss.sssZ date/time that identify that policy generation.
diff --git a/...rudder-core/src/main/scala/com/normation/rudder/services/policies/DeploymentService.scala b/...rudder-core/src/main/scala/com/normation/rudder/services/policies/DeploymentService.scala
@@ -75,6 +75,7 @@ import com.normation.rudder.facts.nodes.CoreNodeFact
 import com.normation.rudder.facts.nodes.NodeFactRepository
 import com.normation.rudder.facts.nodes.QueryContext
 import com.normation.rudder.hooks.HookEnvPairs
+import com.normation.rudder.hooks.HookReturnCode
 import com.normation.rudder.hooks.Hooks
 import com.normation.rudder.hooks.HooksLogger
 import com.normation.rudder.hooks.RunHooks
@@ -108,7 +109,6 @@ import org.joda.time.Period
 import org.joda.time.format.ISODateTimeFormat
 import org.joda.time.format.PeriodFormatterBuilder
 import scala.collection.MapView
-import scala.collection.immutable.Map
 import scala.concurrent.duration.FiniteDuration
 import zio.{System as _, *}
 import zio.syntax.*
@@ -211,22 +211,29 @@ trait PromiseGenerationService {
     )
 
     val result = for {
-      // trigger a dynamic group update
-      _                 <- if (computeDynGroupsEnabled) {
-                             triggerNodeGroupUpdate()
-                           } else {
-                             PolicyGenerationLogger.warn(
-                               s"Computing dynamic groups disable by REST API settings 'rudder_generation_compute_dyngroups'"
-                             )
-                             Full(())
-                           }
-      timeComputeGroups  = (System.currentTimeMillis - initialTime)
-      _                  = PolicyGenerationLogger.timing.debug(s"Computing dynamic groups finished in ${timeComputeGroups} ms")
-      preGenHooksTime    = System.currentTimeMillis
+
       _                 <- runPreHooks(generationTime, systemEnv)
-      timeRunPreGenHooks = (System.currentTimeMillis - preGenHooksTime)
+      timeRunPreGenHooks = (System.currentTimeMillis - initialTime)
       _                  = PolicyGenerationLogger.timing.debug(s"Pre-policy-generation scripts hooks ran in ${timeRunPreGenHooks} ms")
 
+      // trigger a dynamic group update
+      dynamicGroupUpdateTime = System.currentTimeMillis
+      _                     <- if (computeDynGroupsEnabled) {
+                                 triggerNodeGroupUpdate()
+                               } else {
+                                 PolicyGenerationLogger.warn(
+                                   s"Computing dynamic groups disable by REST API settings 'rudder_generation_compute_dyngroups'"
+                                 )
+                                 Full(())
+                               }
+      timeComputeGroups      = (System.currentTimeMillis - dynamicGroupUpdateTime)
+      _                      = PolicyGenerationLogger.timing.debug(s"Computing dynamic groups finished in ${timeComputeGroups} ms")
+
+      startedGenHooksTime    = System.currentTimeMillis
+      _                     <- runStartedHooks(generationTime, systemEnv)
+      timeRunStartedGenHooks = (System.currentTimeMillis - startedGenHooksTime)
+      _                      = PolicyGenerationLogger.timing.debug(s"Pre-policy-generation scripts hooks ran in ${timeRunStartedGenHooks} ms")
+
       codePreGenHooksTime = System.currentTimeMillis
       _                  <- beforeDeploymentSync(generationTime)
       timeCodePreGenHooks = (System.currentTimeMillis - codePreGenHooksTime)
@@ -772,6 +779,9 @@ trait PromiseGenerationService {
   /**
    * Run pre generation hooks
    */
+
+  def runStartedHooks(generationTime: DateTime, systemEnv: HookEnvPairs): Box[Unit]
+
   def runPreHooks(generationTime: DateTime, systemEnv: HookEnvPairs): Box[Unit]
 
   /**
@@ -1922,7 +1932,25 @@ trait PromiseGeneration_Hooks extends PromiseGenerationService with PromiseGener
   /*
    * Pre generation hooks
    */
-  override def runPreHooks(generationTime: DateTime, systemEnv: HookEnvPairs): Box[Unit] = {
+  override def runPreHooks(generationTime: DateTime, systemEnv: HookEnvPairs):     Box[Unit] = {
+    (for {
+      preHooks <- RunHooks.getHooksPure(HOOKS_D + "/policy-generation-pre-start", HOOKS_IGNORE_SUFFIXES)
+      res      <-
+        RunHooks.syncRun(preHooks, HookEnvPairs.build(("RUDDER_GENERATION_DATETIME", generationTime.toString)), systemEnv) match {
+          case _: HookReturnCode.Success => ().succeed
+          case x: HookReturnCode.Error   =>
+            Inconsistency(
+              s"Policy generation pre hook failed, Interrupting policy generation now.\nError is: ${x.msg}\n stdout: ${x.stdout}\n stderr: '${x.stderr}'"
+            ).fail
+        }
+    } yield {
+      res
+    }).toBox
+  }
+  /*
+   * Pre generation hooks
+   */
+  override def runStartedHooks(generationTime: DateTime, systemEnv: HookEnvPairs): Box[Unit] = {
     (for {
       // fetch all
       preHooks <- RunHooks.getHooksPure(HOOKS_D + "/policy-generation-started", HOOKS_IGNORE_SUFFIXES)

diff --git a/...p/sources/rudder/rudder-rest/src/test/scala/com/normation/rudder/rest/RestTestSetUp.scala b/...p/sources/rudder/rudder-rest/src/test/scala/com/normation/rudder/rest/RestTestSetUp.scala
@@ -388,6 +388,7 @@ class RestTestSetUp {
     ): List[NodeExpectedReports] = ???
     override def saveExpectedReports(expectedReports: List[NodeExpectedReports]): Box[Seq[NodeExpectedReports]] = ???
     override def runPreHooks(generationTime:        DateTime, systemEnv: HookEnvPairs): Box[Unit] = ???
+    override def runStartedHooks(generationTime:    DateTime, systemEnv: HookEnvPairs): Box[Unit] = ???
     override def runPostHooks(
         generationTime:    DateTime,
         endTime:           DateTime,