[resotocore][fix] Filter accounts when marking resources as compliant (
aquamatthias committed Nov 15, 2023
1 parent b8d575c commit 25d2be1
Showing 2 changed files with 19 additions and 6 deletions.
23 changes: 18 additions & 5 deletions resotocore/resotocore/db/graphdb.py
Expand Up @@ -114,7 +114,11 @@ def update_nodes_metadata(

@abstractmethod
async def update_security_section(
self, report_run_id: str, iterator: AsyncIterator[Tuple[NodeId, Json]], model: Model
self,
report_run_id: str,
iterator: AsyncIterator[Tuple[NodeId, Json]],
model: Model,
accounts: Optional[List[str]] = None,
) -> Tuple[int, int]:
pass

Expand Down Expand Up @@ -447,7 +451,11 @@ async def delete_children(element: Json) -> None:
await self.db.delete_vertex(self.name, {"_id": f'{self.vertex_name}/{node["id"]}'})

async def update_security_section(
self, report_run_id: str, iterator: AsyncIterator[Tuple[NodeId, Json]], model: Model
self,
report_run_id: str,
iterator: AsyncIterator[Tuple[NodeId, Json]],
model: Model,
accounts: Optional[List[str]] = None,
) -> Tuple[int, int]: # inserted, updated
temp_collection = await self.get_tmp_collection(report_run_id)
now = utc_str()
Expand Down Expand Up @@ -508,13 +516,14 @@ async def update_chunk(chunk: Dict[NodeId, Json]) -> None:

async def move_security_temp_to_proper() -> None:
temp_name = temp_collection.name
account_filter = ("and e.refs.account_id in [" + ",".join(accounts) + "]") if accounts else ""
aql_updates = [
# Select all new or updated vulnerable nodes. Insert into history and update vertex.
f'for e in {temp_name} filter e.action=="node_vulnerable" insert e.data in {self.node_history} update {{_key: e.node_id, security: e.data.security}} in {self.vertex_name} OPTIONS {{mergeObjects: false}}', # noqa
# Update security.run_id for all items with the same security issues
f'for e in {temp_name} filter e.action=="mark" update {{_key: e.node_id, security: {{run_id: e.run_id}}}} in {self.vertex_name} OPTIONS {{mergeObjects: true}}', # noqa
# Select all remaining nodes with a different run_id -> they are compliant again
f'for e in {self.vertex_name} filter e.security.run_id!=null and e.security.run_id!="{report_run_id}" insert MERGE(UNSET(e, "_key", "_id", "_rev", "flat", "hash"), {{id: e._key, change: "node_compliant", changed_at: "{now}", security: MERGE(e.security, {{closed_at: "{now}"}})}}) in {self.node_history} OPTIONS {{mergeObjects: true}} update {{_key: e._key, security: {{reopen_counter: e.security.reopen_counter, closed_at: "{now}"}}}} in {self.vertex_name} OPTIONS {{mergeObjects: false}}', # noqa: E501
f'for e in {self.vertex_name} filter e.security.run_id!=null and e.security.run_id!="{report_run_id}" {account_filter} insert MERGE(UNSET(e, "_key", "_id", "_rev", "flat", "hash"), {{id: e._key, change: "node_compliant", changed_at: "{now}", security: MERGE(e.security, {{closed_at: "{now}"}})}}) in {self.node_history} OPTIONS {{mergeObjects: true}} update {{_key: e._key, security: {{reopen_counter: e.security.reopen_counter, closed_at: "{now}"}}}} in {self.vertex_name} OPTIONS {{mergeObjects: false}}', # noqa: E501
]
updates = ";\n".join(map(lambda aql: f"db._createStatement({{ query: `{aql}` }}).execute()", aql_updates))
await self.db.execute_transaction(
Expand Down Expand Up @@ -1477,9 +1486,13 @@ async def update_nodes_metadata(
yield a

async def update_security_section(
self, report_run_id: str, iterator: AsyncIterator[Tuple[NodeId, Json]], model: Model
self,
report_run_id: str,
iterator: AsyncIterator[Tuple[NodeId, Json]],
model: Model,
accounts: Optional[List[str]] = None,
) -> Tuple[int, int]:
return await self.real.update_security_section(report_run_id, iterator, model)
return await self.real.update_security_section(report_run_id, iterator, model, accounts)

async def merge_graph(
self,
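Review bot: In `move_security_temp_to_proper`, the new `account_filter` splices the raw `accounts` strings into the AQL text with `",".join(accounts)`, unquoted and unescaped, and that text is then wrapped in a JavaScript template literal for `db._createStatement`. An all-digit id would likely be parsed as a number and no longer match a string `e.refs.account_id`, so the filtered nodes would never be marked compliant, and any other value can alter the query or the surrounding script. Where `accounts` originates is not visible here, but the `perform_benchmarks` call in inspector_service.py now forwards it without any check. Prefer passing the list as a bind variable (`... and e.refs.account_id in @accounts`, with `bindVars` on the statement) if the transaction wrapper allows it; as a minimum emit a quoted array, `account_filter = f"and e.refs.account_id in {json.dumps(accounts)}" if accounts else ""` (assuming `json` is importable in this module), and reject ids containing a backtick or `${`. The function body and the `execute_transaction` call continue outside the hunk.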
2 changes: 1 addition & 1 deletion resotocore/resotocore/report/inspector_service.py
Expand Up @@ -208,7 +208,7 @@ async def perform_benchmarks(
# In case no run_id is provided, we invent a report run id here.
run_id = report_run_id or uuid_str()
await self.db_access.get_graph_db(graph).update_security_section(
run_id, self.__benchmarks_to_security_iterator(result), model
run_id, self.__benchmarks_to_security_iterator(result), model, accounts
)
return result
