Skip to content

Commit

Permalink
Address comments and disable dependencies e2e tests
Browse files Browse the repository at this point in the history
  • Loading branch information
@mgunnala
mgunnala committed Dec 16, 2024
1 parent 5198cf8 commit 4a0a4ef
Show file tree
Hide file tree
Showing 7 changed files with 62 additions and 54 deletions.
37 changes: 18 additions & 19 deletions azurelinuxagent/ga/exthandlers.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -503,9 +503,8 @@ def handle_ext_handlers(self, goal_state_id):
depends_on_err_msg = None
extensions_enabled = conf.get_extensions_enabled()

# Instantiate policy engine, and use same engine to handle all extension handlers.
# If an error is thrown during policy engine initialization, we block all extensions and report the error via handler/extension status for
# each extension.
# Instantiate policy engine, and use same engine to handle all extension handlers. If an error is thrown during
# policy engine initialization, we block all extensions and report the error via handler status for each extension.
policy_error = None
try:
policy_engine = ExtensionPolicyEngine()
Expand Down Expand Up @@ -537,11 +536,10 @@ def handle_ext_handlers(self, goal_state_id):

# If an error was thrown during policy engine initialization, skip further processing of the extension.
# CRP is still waiting for status, so we report error status here.
# of the extension.
policy_op, policy_err_code = _POLICY_ERROR_MAP.get(ext_handler.state)
operation, error_code = _POLICY_ERROR_MAP.get(ext_handler.state)
if policy_error is not None:
msg = "Extension will not be processed: {0}".format(ustr(policy_error))
self.__report_policy_error(ext_handler_i=handler_i, error_code=policy_err_code,
self.__report_policy_error(ext_handler_i=handler_i, error_code=error_code,
report_op=handler_i.operation, message=msg,
extension=extension)
continue
Expand All @@ -567,20 +565,18 @@ def handle_ext_handlers(self, goal_state_id):

continue

# Invoke policy engine to determine if extension is allowed. If disallowed, report an error on behalf of
# the extension and do not process the extension. Dependent extensions will also be blocked.
# Invoke policy engine to determine if extension is allowed.
# - if allowed: process the extension and get if it was successfully executed or not
# - if disallowed: do not process the handler and report an error on behalf of the extension, dependent
# extensions will also be blocked.
extension_allowed = policy_engine.should_allow_extension(ext_handler.name)
if not extension_allowed:
msg = (
"Extension will not be processed: failed to {0} extension '{1}' because it is not specified "
"in the allowlist. To {0}, add the extension to the allowed list in the policy file ('{2}')."
).format(policy_op, ext_handler.name, conf.get_policy_file_path())
self.__report_policy_error(handler_i, policy_err_code, report_op=handler_i.operation,
"in the allowlist. To {0}, add the extension to the list of allowed extensions in the policy file ('{2}')."
).format(operation, ext_handler.name, conf.get_policy_file_path())
self.__report_policy_error(handler_i, error_code, report_op=handler_i.operation,
message=msg, extension=extension)

# Process extensions and get if it was successfully executed or not
# If extension was blocked by policy, treat the extension as failed and do not process the handler.
if not extension_allowed:
extension_success = False
else:
extension_success = self.handle_ext_handler(handler_i, extension, goal_state_id)
Expand Down Expand Up @@ -749,7 +745,7 @@ def __handle_and_report_ext_handler_errors(ext_handler_i, error, report_op, mess
message=message)

@staticmethod
def __report_policy_error(ext_handler_i, error_code, report_op, message, extension=None):
def __report_policy_error(ext_handler_i, error_code, report_op, message, extension):
# TODO: Consider merging this function with __handle_and_report_ext_handler_errors() above, after investigating
# the impact of this change.
#
Expand All @@ -760,13 +756,16 @@ def __report_policy_error(ext_handler_i, error_code, report_op, message, extensi
# it will require additional testing/investigation. As a temporary workaround, this separate function was created
# to write a status file for single-config extensions.

# Set handler status for all extensions (with and without settings)
# Set handler status for all extensions (with and without settings). We report the same error at both the
# handler and extension status level.
ext_handler_i.set_handler_status(message=message, code=error_code)

# Create status file for extensions with settings (single and multi config).
# If status file already exists, overwrite it. If an extension was previously reporting status and is now
# blocked by a policy error, we should report the policy error.
if extension is not None:
# TODO: if extension is reporting a heartbeat, it overwrites status. Consider overwriting heartbeat, if
# it exists.
ext_handler_i.create_status_file(extension, status=ExtensionStatusValue.error, code=error_code,
operation=report_op, message=message, overwrite=True)

Expand Down Expand Up @@ -1071,8 +1070,8 @@ def report_ext_handler_status(self, vm_status, ext_handler, goal_state_changed):
# For MultiConfig, we need to report status per extension even for Handler level failures.
# If we have HandlerStatus for a MultiConfig handler and GS is requesting for it, we would report status per
# extension even if HandlerState == NotInstalled (Sample scenario: ExtensionsGoalStateError, DecideVersionError, etc)
# We also need to report extension status for an uninstalled handler if extensions are disabled, or if the extension
# failed due to policy, because CRP waits for extension runtime status before failing the extension operation.
# We also need to report extension status for an uninstalled handler if extensions are disabled, because CRP
# waits for extension runtime status before failing the extension operation.
if handler_state != ExtHandlerState.NotInstalled or ext_handler.supports_multi_config or not conf.get_extensions_enabled():

# Since we require reading the Manifest for reading the heartbeat, this would fail if HandlerManifest not found.
Expand Down
4 changes: 2 additions & 2 deletions azurelinuxagent/ga/policy/policy_engine.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ class _PolicyEngine(object):
"""
def __init__(self):
# Set defaults for policy
self._policy_enforcement_enabled = self.get_policy_enforcement_enabled()
self._policy_enforcement_enabled = self.__get_policy_enforcement_enabled()
if not self.policy_enforcement_enabled:
return

Expand All @@ -69,7 +69,7 @@ def _log_policy_event(msg, is_success=True, op=WALAEventOperation.Policy, send_e
add_event(op=op, message=msg, is_success=is_success, log_event=False)

@staticmethod
def get_policy_enforcement_enabled():
def __get_policy_enforcement_enabled():
"""
Policy will be enabled if (1) policy file exists at the expected location and (2) the conf flag "Debug.EnableExtensionPolicy" is true.
"""
Expand Down
20 changes: 8 additions & 12 deletions tests/ga/test_extension.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3536,14 +3536,13 @@ def _create_policy_file(self, policy):
policy_file.write(policy)
policy_file.flush()

def _test_policy_case(self, policy, op, expected_status_code, expected_handler_status, expected_ext_count=0,
def _test_policy_case(self, policy, op, expected_status_code, expected_handler_status, expected_ext_count,
expected_status_msg=None):

# Set up a mock protocol instance. In the case of uninstall, we need to update the goal state to test uninstall.
# update_goal_state() only updates the goal state if incarnation has changed, so we increment the incarnation
# number.
# Set up a mock protocol instance.
with mock_wire_protocol(wire_protocol_data.DATA_FILE) as protocol:
if op == ExtensionRequestedState.Uninstall:
# Generate a new mock goal state to uninstall the extension - increment the incarnation
protocol.mock_wire_data.set_incarnation(2)
protocol.mock_wire_data.set_extensions_config_state(ExtensionRequestedState.Uninstall)
protocol.client.update_goal_state()
Expand Down Expand Up @@ -3573,7 +3572,7 @@ def test_should_fail_enable_if_extension_disallowed(self):
}
expected_msg = "failed to run extension 'OSTCExtensions.ExampleHandlerLinux' because it is not specified in the allowlist."
self._test_policy_case(policy=policy, op=ExtensionRequestedState.Enabled, expected_status_code=ExtensionErrorCodes.PluginEnableProcessingFailed,
expected_handler_status='NotReady', expected_status_msg=expected_msg)
expected_handler_status='NotReady', expected_ext_count=0, expected_status_msg=expected_msg)

def test_should_fail_enable_for_invalid_policy(self):
policy = \
Expand All @@ -3585,7 +3584,7 @@ def test_should_fail_enable_for_invalid_policy(self):
}
expected_msg = "attribute 'extensionPolicies.allowListedExtensionsOnly'; must be 'boolean'"
self._test_policy_case(policy=policy, op=ExtensionRequestedState.Enabled, expected_status_code=ExtensionErrorCodes.PluginEnableProcessingFailed,
expected_handler_status='NotReady', expected_status_msg=expected_msg)
expected_handler_status='NotReady', expected_ext_count=0, expected_status_msg=expected_msg)

def test_should_fail_extension_if_error_thrown_during_policy_engine_init(self):
policy = \
Expand All @@ -3597,7 +3596,7 @@ def test_should_fail_extension_if_error_thrown_during_policy_engine_init(self):
expected_msg = "Extension will not be processed: mock exception"
self._test_policy_case(policy=policy, op=ExtensionRequestedState.Enabled,
expected_status_code=ExtensionErrorCodes.PluginEnableProcessingFailed,
expected_handler_status='NotReady', expected_status_msg=expected_msg)
expected_handler_status='NotReady', expected_ext_count=0, expected_status_msg=expected_msg)

def test_should_fail_uninstall_if_extension_disallowed(self):
policy = \
Expand All @@ -3611,7 +3610,7 @@ def test_should_fail_uninstall_if_extension_disallowed(self):
}
expected_msg = "failed to uninstall extension 'OSTCExtensions.ExampleHandlerLinux' because it is not specified in the allowlist."
self._test_policy_case(policy=policy, op=ExtensionRequestedState.Uninstall, expected_status_code=ExtensionErrorCodes.PluginDisableProcessingFailed,
expected_handler_status='NotReady', expected_status_msg=expected_msg)
expected_handler_status='NotReady', expected_ext_count=0, expected_status_msg=expected_msg)

def test_should_fail_enable_if_dependent_extension_disallowed(self):
self._create_policy_file({
Expand Down Expand Up @@ -3696,10 +3695,7 @@ def test_uninstall_should_succeed_if_extension_allowed(self):
]
for policy in policy_cases:
with mock_wire_protocol(wire_protocol_data.DATA_FILE) as protocol:
# Set up a mock protocol instance, which instantiates a goal state with incarnation number 1.
# We then change the goal state to test uninstall, and need to update the goal state with this change.
# update_goal_state() only updates the goal state if the incarnation has changed, so we increment the
# incarnation number to 2.
# Generate a new mock goal state to uninstall the extension - increment the incarnation
protocol.mock_wire_data.set_incarnation(2)
protocol.mock_wire_data.set_extensions_config_state(ExtensionRequestedState.Uninstall)
protocol.client.update_goal_state()
Expand Down
3 changes: 2 additions & 1 deletion tests_e2e/orchestrator/runbook.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,8 @@ variable:
- ext_cgroups
- extensions_disabled
- ext_policy
- ext_policy_with_dependencies
# TODO: re-enable ext_policy_with_dependencies after investigating status reporting failures
# - ext_policy_with_dependencies
- ext_sequencing
- ext_telemetry_pipeline
- fips
Expand Down
Loading

0 comments on commit 4a0a4ef

Please sign in to comment.