Forbid scripts to be attached to the terminal states

[didier-wenzek]

Proposed changes

Simply forbid scripts to be attached to the terminal states in order to avoid unexpected behavior such as:

• infinite loop if a script fails on the failed state (see Workflow script of failed state not tolerant to failures #2484)
• race condition where the action is executed or not depending on the requester clear the state before it is observed by the agent.

This is more a workaround rather than the definitive solution.

Types of changes

• Bugfix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Improvement (general improvements like code refactoring that doesn't explicitly fix a bug or add any new functionality)
• Documentation Update (if none of the other choices apply)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

Paste Link to the issue

#2484

Checklist

• I have read the CONTRIBUTING doc
• I have signed the CLA (in all commits with git commit -s)
• I ran cargo fmt as mentioned in CODING_GUIDELINES
• I used cargo clippy as mentioned in CODING_GUIDELINES
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)

Further comments

[codecov]

Codecov Report

Attention: 15 lines in your changes are missing coverage. Please review.

Comparison is base (141c1d0) 76.0% compared to head (f95df67) 76.1%.

Additional details and impacted files

Files	Coverage Δ
crates/core/tedge_api/src/workflow/error.rs	0.0% <ø> (ø)
crates/core/tedge_api/src/workflow/toml_config.rs	79.2% <100.0%> (+8.8%)	⬆️
crates/core/tedge_api/src/workflow/mod.rs	68.6% <65.1%> (+7.5%)	⬆️

... and 2 files with indirect coverage changes

[github-actions]

Robot Results

✅ Passed	❌ Failed	⏭️ Skipped	Total	Pass %	⏱️ Duration
376	0	3	376	100	57m40.903s

[albinsuresh]

Happy to approve after a clarification on the decision to make clear the default action on terminal states, when not explicitly provided.

[albinsuresh]

That comment seemed to suggest that the only the clear action is allowed in the terminal state, if the user has explicitly defined this state. But, the following impl seems to be adding clear as the default, even if the user has not explicitly provided one. There seems to be a mismatch.

[albinsuresh]

That default behaviour of auto-clearing a command on successful, when not explicitly provide, seems a bit dangerous, considering the fact that most of the ops in a deployment would be triggered by the C8y mapper and it would want to explicitly clear those operations as well, to avoid the risk of losing that terminal state transition, just in-case it was down while operation was completed by the agent. I'd rather prefer "clear on success/failure" to be more explicitly given by the user, to be on the safer side.

[didier-wenzek]

OperationAction::Clear might be a misnomer. The agent clear nothing but wait for the requester to clear the command topic.

[albinsuresh]

Aah okay. My bad. I thought that Clear action was giving the ability to automatically clear the operation, as that's what I was trying to do in #2484.

And yes, the naming could be more explicit to avoid such confusion. But, since it's not part of the external workflow TOML API like action=clear, it's okay.

[albinsuresh]

I just noticed that action=cleanup maps to the same OperationAction::Clear. That's also a bit misleading IMO, giving the notion that we perform some cleanup. But we can improve these things later.

[albinsuresh]

We could add even more validations here like the restarting action must have an on_exec handler, or the background_script action must have the on_exec handler but the other handlers like on_success, on_stdout etc are not expected.

But, for the limited scope of this ticket, this seems sufficient.

[albinsuresh]

LGTM

[albinsuresh]

Aah okay. My bad. I thought that Clear action was giving the ability to automatically clear the operation, as that's what I was trying to do in #2484.

And yes, the naming could be more explicit to avoid such confusion. But, since it's not part of the external workflow TOML API like action=clear, it's okay.