Allow filtering out images by published repository name

Extend the image metadata available to allowlist/blocklist functionality, adding the published repository name on top of the existing NVR information. The published repo name includes the registry namespace, which lets us fine-tune rebuild criteria for a group of images (products, releases, other subdivisions) without needing to maintain full lists of images in Freshmaker configuration. JIRA: CWFHEALTH-3013
redhat-exd-rebuilds · May 14, 2024 · 3c64a51 · 3c64a51
1 parent e43d56b
commit 3c64a51
Show file tree

Hide file tree

Showing 4 changed files with 88 additions and 0 deletions.
diff --git a/freshmaker/handlers/koji/rebuild_images_on_rpm_advisory_change.py b/freshmaker/handlers/koji/rebuild_images_on_rpm_advisory_change.py
@@ -389,6 +389,7 @@ def _filter_out_not_allowed_builds(self, image):
             image_name=parsed_nvr["name"],
             image_version=parsed_nvr["version"],
             image_release=parsed_nvr["release"],
+            image_published_repo=image.get("published_repo"),
         ):
             self.log_info("Skipping rebuild of image %s, not allowed by configuration", image.nvr)
             return True

diff --git a/freshmaker/image.py b/freshmaker/image.py
@@ -763,6 +763,11 @@ def find_images_with_included_rpms(
                 for auto_rebuild_tag in published_repo["auto_rebuild_tags"]:
                     if auto_rebuild_tag in tag_names:
                         image["release_categories"] = published_repo["release_categories"]
+                        # There can potentially be multiple published
+                        # repositories but we only store the first one we
+                        # encounter. This adds uncertainty, but it's good
+                        # enough for our current use case.
+                        image["published_repo"] = repository["repository"]
                         image_nvr_to_image[nvr] = image
                         break
                 else:

diff --git a/tests/handlers/koji/test_rebuild_images_on_rpm_advisory_change.py b/tests/handlers/koji/test_rebuild_images_on_rpm_advisory_change.py
@@ -955,6 +955,85 @@ def test_filter_out_not_allowed_builds_image_version(
         ret = handler._filter_out_not_allowed_builds(image)
         self.assertEqual(ret, True)
 
+    @patch(
+        "freshmaker.config.Config.handler_build_allowlist",
+        new_callable=PropertyMock,
+        return_value={
+            "RebuildImagesOnRPMAdvisoryChange": {
+                "image": {"advisory_security_impact": ["moderate", "important"]}
+            }
+        },
+    )
+    @patch(
+        "freshmaker.config.Config.handler_build_blocklist",
+        new_callable=PropertyMock,
+        return_value={
+            "RebuildImagesOnRPMAdvisoryChange": {
+                "image": all_(
+                    {
+                        "image_published_repo": ["^foo-.*", "^bar/.*"],
+                        "advisory_security_impact": ["low", "moderate"],
+                        "advisory_is_major_incident": False,
+                    }
+                )
+            }
+        },
+    )
+    def test_filter_out_not_allowed_builds_combined_repo_impact(
+        self, handler_build_blocklist, handler_build_allowlist
+    ):
+        """
+        Tests that allow_build filters on combined published_repo,
+        security_impact and major_incident criteria.
+        """
+        image_block_a = ContainerImage(
+            {
+                "published_repo": "foo-bar1/image-a",
+                "brew": {"build": "image-a-1.0-2"},
+            }
+        )
+        image_block_b = ContainerImage(
+            {
+                "published_repo": "bar/image-b",
+                "brew": {"build": "image-b-1.0-2"},
+            }
+        )
+        image_allow_c = ContainerImage(
+            {
+                "published_repo": "notfoo-bar/image-c",
+                "brew": {"build": "image-c-0.2-9"},
+            }
+        )
+
+        for severity in ["moderate", "important"]:
+            for is_major_incident in [False, True]:
+                handler = RebuildImagesOnRPMAdvisoryChange()
+                handler.event = ErrataRPMAdvisoryShippedEvent(
+                    "123",
+                    ErrataAdvisory(
+                        123,
+                        "RHSA-2017",
+                        "SHIPPED_LIVE",
+                        [],
+                        security_impact=severity,
+                        is_major_incident=is_major_incident,
+                        product_short_name="product",
+                    ),
+                )
+
+                # Not in blocklist, always rebuilt
+                ret = handler._filter_out_not_allowed_builds(image_allow_c)
+                self.assertEqual(ret, False)
+
+                for image in image_block_a, image_block_b:
+                    ret = handler._filter_out_not_allowed_builds(image)
+                    if is_major_incident:
+                        # Never blocked for Major Incidents
+                        self.assertEqual(ret, False)
+                    else:
+                        # Blocked for Moderates
+                        self.assertEqual(ret, severity == "moderate")
+
 
 class TestBatches(helpers.ModelsTestCase):
     """Test handling of batches"""

diff --git a/tests/test_image.py b/tests/test_image.py
@@ -1178,6 +1178,9 @@ def test_find_images_with_included_rpm(self, exists, mocked_client):
         )
         self.assertEqual(len(ret), 2)
         self.assertEqual(["parent-1-2", "parent-1-3"], sorted([x.nvr for x in ret]))
+        self.assertEqual(
+            ["product/repo1", "product2/repo2"], sorted([x.get("published_repo") for x in ret])
+        )
 
     @patch("freshmaker.pyxis_gql.Client")
     @patch("os.path.exists")