db: Add service_snapshots JSONB column for compliance policy tracking

Add service_snapshots JSONB column to blueprint_versions table.

This enables us to store compliance policy snapshots and tracking blueprint TOML generated
from policies and detecting when compliance customizations become obsolete.

The stored snapshots allow us to:
Compare policy changes between blueprint versions
Identify customizations that were added by previous policies but are no longer required
Inform users about potentially superfluous customizations

Changes:
Add service_snapshots JSONB column to blueprint_versions table
Add ServiceSnapshots and ComplianceSnapshot structs
Add InsertBlueprintWithServiceSnapshots() and UpdateBlueprintWithServiceSnapshots() functions

Author: mgold1234

cmd/image-builder-db-test/main_test.go

@@ -43,7 +43,7 @@ func testInsertCompose(ctx context.Context, t *testing.T) {
 
 	tutils.MigrateTern(ctx, t)
 
-	err = d.InsertBlueprint(ctx, blueprintId, versionId, ORGID1, ANR1, "blueprint", "blueprint desc", []byte("{}"), []byte("{}"))
+	err = d.InsertBlueprint(ctx, blueprintId, versionId, ORGID1, ANR1, "blueprint", "blueprint desc", []byte("{}"), []byte("{}"), nil)
 	require.NoError(t, err)
 
 	// test
@@ -318,7 +318,7 @@ func testBlueprints(ctx context.Context, t *testing.T) {
 
 	id := uuid.New()
 	versionId := uuid.New()
-	err = d.InsertBlueprint(ctx, id, versionId, ORGID1, ANR1, name1, description1, bodyJson1, []byte("{}"))
+	err = d.InsertBlueprint(ctx, id, versionId, ORGID1, ANR1, name1, description1, bodyJson1, []byte("{}"), nil)
 	require.NoError(t, err)
 
 	entry, err := d.GetBlueprint(ctx, id, ORGID1, nil)
@@ -352,7 +352,7 @@ func testBlueprints(ctx context.Context, t *testing.T) {
 	require.NoError(t, err)
 
 	newVersionId := uuid.New()
-	err = d.UpdateBlueprint(ctx, newVersionId, id, ORGID1, name2, description2, bodyJson2)
+	err = d.UpdateBlueprint(ctx, newVersionId, id, ORGID1, name2, description2, bodyJson2, nil)
 	require.NoError(t, err)
 	entryUpdated, err := d.GetBlueprint(ctx, id, ORGID1, nil)
 	require.NoError(t, err)
@@ -390,7 +390,7 @@ func testBlueprints(ctx context.Context, t *testing.T) {
 	bodyJson3, err := json.Marshal(body3)
 	require.NoError(t, err)
 	newBlueprintId := uuid.New()
-	err = d.UpdateBlueprint(ctx, newBlueprintId, id, ORGID2, name3, description3, bodyJson3)
+	err = d.UpdateBlueprint(ctx, newBlueprintId, id, ORGID2, name3, description3, bodyJson3, nil)
 	require.Error(t, err)
 	entryAfterInvalidUpdate, err := d.GetBlueprint(ctx, id, ORGID1, nil)
 	require.NoError(t, err)
@@ -407,19 +407,19 @@ func testBlueprints(ctx context.Context, t *testing.T) {
 	newestBlueprintName := "new name"
 
 	// Fail to insert blueprint with the same name
-	err = d.InsertBlueprint(ctx, newestBlueprintId, newestBlueprintVersionId, ORGID1, ANR1, newestBlueprintName, "desc", bodyJson1, []byte("{}"))
+	err = d.InsertBlueprint(ctx, newestBlueprintId, newestBlueprintVersionId, ORGID1, ANR1, newestBlueprintName, "desc", bodyJson1, []byte("{}"), nil)
 	require.Error(t, err)
 
 	newestBlueprintName = "New name 2"
-	err = d.InsertBlueprint(ctx, newestBlueprintId, newestBlueprintVersionId, ORGID1, ANR1, newestBlueprintName, "desc", bodyJson1, []byte("{}"))
+	err = d.InsertBlueprint(ctx, newestBlueprintId, newestBlueprintVersionId, ORGID1, ANR1, newestBlueprintName, "desc", bodyJson1, []byte("{}"), nil)
 	require.NoError(t, err)
 	entries, bpCount, err := d.GetBlueprints(ctx, ORGID1, 100, 0)
 	require.NoError(t, err)
 	require.Equal(t, 2, bpCount)
 	require.Equal(t, entries[0].Name, newestBlueprintName)
 	require.Equal(t, entries[1].Version, 2)
 
-	err = d.InsertBlueprint(ctx, uuid.New(), uuid.New(), ORGID1, ANR1, "unique name", "unique desc", bodyJson1, []byte("{}"))
+	err = d.InsertBlueprint(ctx, uuid.New(), uuid.New(), ORGID1, ANR1, "unique name", "unique desc", bodyJson1, []byte("{}"), nil)
 	entries, count, err := d.FindBlueprints(ctx, ORGID1, "", 100, 0)
 	require.NoError(t, err)
 	require.Equal(t, 3, count)
@@ -460,7 +460,39 @@ func testGetBlueprintComposes(ctx context.Context, t *testing.T) {
 
 	id := uuid.New()
 	versionId := uuid.New()
-	err = d.InsertBlueprint(ctx, id, versionId, ORGID1, ANR1, "name", "desc", []byte("{}"), []byte("{}"))
+	body1 := v1.BlueprintBody{
+		Distribution: "rhel-8",
+		ImageRequests: []v1.ImageRequest{
+			{
+				Architecture: "x86_64",
+				ImageType:    "guest-image",
+			},
+		},
+		Customizations: v1.Customizations{
+			Packages: common.ToPtr([]string{"vim", "git"}),
+		},
+	}
+	bodyJson1, err := json.Marshal(body1)
+	require.NoError(t, err)
+
+	policyCustomizations1 := &v1.Customizations{
+		Packages: &[]string{"vim", "git", "curl", "admin"},
+		Hostname: common.ToPtr("rhel8-server"),
+	}
+
+	policyCustomizations1JSON, err := json.Marshal(policyCustomizations1)
+	require.NoError(t, err)
+
+	serviceSnapshots1 := db.ServiceSnapshots{
+		Compliance: &db.ComplianceSnapshot{
+			PolicyId:             uuid.New(),
+			PolicyCustomizations: policyCustomizations1JSON,
+		},
+	}
+	serviceSnapshotsJson1, err := json.Marshal(serviceSnapshots1)
+	require.NoError(t, err)
+
+	err = d.InsertBlueprint(ctx, id, versionId, ORGID1, ANR1, "name", "desc", bodyJson1, []byte("{}"), serviceSnapshotsJson1)
 	require.NoError(t, err)
 
 	// get latest version
@@ -469,41 +501,140 @@ func testGetBlueprintComposes(ctx context.Context, t *testing.T) {
 	require.Equal(t, 1, version)
 
 	version2Id := uuid.New()
-	err = d.UpdateBlueprint(ctx, version2Id, id, ORGID1, "name", "desc2", []byte("{}"))
+
+	body2 := v1.BlueprintBody{
+		Distribution: "rhel-9",
+		ImageRequests: []v1.ImageRequest{
+			{
+				Architecture: "x86_64",
+				ImageType:    "ami",
+			},
+		},
+		Customizations: v1.Customizations{
+			Packages: common.ToPtr([]string{"httpd", "vim", "git", "curl"}),
+		},
+	}
+	bodyJson2, err := json.Marshal(body2)
 	require.NoError(t, err)
 
-	clientId := "ui"
-	err = d.InsertCompose(ctx, uuid.New(), ANR1, EMAIL1, ORGID1, common.ToPtr("image1"), []byte("{}"), &clientId, &versionId)
+	policyCustomizations2 := &v1.Customizations{
+		Packages: &[]string{"httpd", "vim", "git", "curl", "nginx", "firewalld", "webadmin"},
+		Hostname: common.ToPtr("rhel9-webserver"),
+		Services: &v1.Services{
+			Enabled: &[]string{"httpd", "nginx", "firewalld"},
+		},
+		Timezone: &v1.Timezone{
+			Timezone: common.ToPtr("UTC"),
+		},
+	}
+
+	policyCustomizations2JSON, err := json.Marshal(policyCustomizations2)
 	require.NoError(t, err)
-	err = d.InsertCompose(ctx, uuid.New(), ANR1, EMAIL1, ORGID1, common.ToPtr("image2"), []byte("{}"), &clientId, &versionId)
+
+	serviceSnapshots2 := db.ServiceSnapshots{
+		Compliance: &db.ComplianceSnapshot{
+			PolicyId:             uuid.New(),
+			PolicyCustomizations: policyCustomizations2JSON,
+		},
+	}
+	serviceSnapshotsJson2, err := json.Marshal(serviceSnapshots2)
 	require.NoError(t, err)
-	err = d.InsertCompose(ctx, uuid.New(), ANR1, EMAIL1, ORGID1, common.ToPtr("image3"), []byte("{}"), &clientId, nil)
+
+	err = d.UpdateBlueprint(ctx, version2Id, id, ORGID1, "name", "desc2", bodyJson2, serviceSnapshotsJson2)
 	require.NoError(t, err)
-	err = d.InsertCompose(ctx, uuid.New(), ANR1, EMAIL1, ORGID1, common.ToPtr("image4"), []byte("{}"), &clientId, &version2Id)
+
+	clientId := "ui"
+	composeRequest1 := []byte(`{
+		"distribution": "rhel-8",
+		"image_requests": [{
+			"architecture": "x86_64",
+			"image_type": "guest-image",
+			"upload_request": {
+				"type": "aws.s3",
+				"options": {
+					"region": "us-east-1"
+				}
+			}
+		}],
+		"customizations": {
+			"packages": ["vim", "git"],
+			"users": [{"name": "testuser", "key": "ssh-rsa AAAAB3..."}]
+		}
+	}`)
+
+	composeRequest2 := []byte(`{
+		"distribution": "rhel-9",
+		"image_requests": [{
+			"architecture": "aarch64",
+			"image_type": "edge-installer",
+			"upload_request": {
+				"type": "azure.storage",
+				"options": {
+					"resource_group": "test-rg"
+				}
+			}
+		}],
+		"customizations": {
+			"services": {"enabled": ["httpd", "nginx"]}
+		}
+	}`)
+
+	composeRequest3 := []byte(`{
+		"distribution": "fedora-38",
+		"image_requests": [{
+			"architecture": "x86_64",
+			"image_type": "qcow2"
+		}],
+		"customizations": {
+			"hostname": "test-host"
+		}
+	}`)
+
+	composeRequest4 := []byte(`{
+		"distribution": "rhel-8",
+		"image_requests": [{
+			"architecture": "x86_64",
+			"image_type": "ami",
+			"upload_request": {
+				"type": "aws.ec2",
+				"options": {
+					"region": "us-west-2",
+					"instance_type": "t3.micro"
+				}
+			}
+		}]
+	}`)
+
+	compose1Id := uuid.New()
+	err = d.InsertCompose(ctx, compose1Id, ANR1, EMAIL1, ORGID1, common.ToPtr("rhel8-guest-image"), composeRequest1, &clientId, &versionId)
 	require.NoError(t, err)
 
-	count, err := d.CountBlueprintComposesSince(ctx, ORGID1, id, nil, (time.Hour * 24 * 14), nil)
+	compose2Id := uuid.New()
+	err = d.InsertCompose(ctx, compose2Id, ANR1, EMAIL1, ORGID1, common.ToPtr("rhel9-edge-installer"), composeRequest2, &clientId, &versionId)
 	require.NoError(t, err)
-	require.Equal(t, 3, count)
-	entries, err := d.GetBlueprintComposes(ctx, ORGID1, id, nil, (time.Hour * 24 * 14), 10, 0, nil)
+
+	compose3Id := uuid.New()
+	err = d.InsertCompose(ctx, compose3Id, ANR1, EMAIL1, ORGID1, common.ToPtr("fedora38-qcow2"), composeRequest3, &clientId, nil)
 	require.NoError(t, err)
-	require.Len(t, entries, 3)
-	// retrieves fresh first
-	require.Equal(t, "image4", *entries[0].ImageName)
-	require.Equal(t, "image2", *entries[1].ImageName)
-	require.Equal(t, "image1", *entries[2].ImageName)
 
-	composes, count, err := d.GetComposes(ctx, ORGID1, fortnight, 100, 0, []string{})
+	compose4Id := uuid.New()
+	err = d.InsertCompose(ctx, compose4Id, ANR1, EMAIL1, ORGID1, common.ToPtr("rhel8-ami"), composeRequest4, &clientId, &version2Id)
 	require.NoError(t, err)
-	require.Equal(t, id, *composes[0].BlueprintId)
-	require.Equal(t, 2, *composes[0].BlueprintVersion)
 
-	count, err = d.CountBlueprintComposesSince(ctx, ORGID1, id, nil, (time.Hour * 24 * 14), nil)
+	count, err := d.CountBlueprintComposesSince(ctx, ORGID1, id, nil, (time.Hour * 24 * 14), nil)
 	require.NoError(t, err)
 	require.Equal(t, 3, count)
-	entries, err = d.GetBlueprintComposes(ctx, ORGID1, id, nil, (time.Hour * 24 * 14), 10, 0, nil)
+	entries, err := d.GetBlueprintComposes(ctx, ORGID1, id, nil, (time.Hour * 24 * 14), 10, 0, nil)
 	require.NoError(t, err)
 	require.Len(t, entries, 3)
+	require.Equal(t, "rhel8-ami", *entries[0].ImageName)
+	require.Equal(t, "rhel9-edge-installer", *entries[1].ImageName)
+	require.Equal(t, "rhel8-guest-image", *entries[2].ImageName)
+
+	var requestData map[string]any
+	err = json.Unmarshal(entries[0].Request, &requestData)
+	require.NoError(t, err)
+	require.Equal(t, "rhel-8", requestData["distribution"])
 
 	// get composes for specific version
 	count, err = d.CountBlueprintComposesSince(ctx, ORGID1, id, common.ToPtr(2), (time.Hour * 24 * 14), nil)
@@ -512,13 +643,45 @@ func testGetBlueprintComposes(ctx context.Context, t *testing.T) {
 	entries, err = d.GetBlueprintComposes(ctx, ORGID1, id, common.ToPtr(2), (time.Hour * 24 * 14), 10, 0, nil)
 	require.NoError(t, err)
 	require.Len(t, entries, 1)
-	require.Equal(t, "image4", *entries[0].ImageName)
+	require.Equal(t, "rhel8-ami", *entries[0].ImageName)
 	require.Equal(t, 2, entries[0].BlueprintVersion)
 
 	// get latest version
 	version, err = d.GetLatestBlueprintVersionNumber(ctx, ORGID1, id)
 	require.NoError(t, err)
 	require.Equal(t, 2, version)
+
+	blueprintEntry, err := d.GetBlueprint(ctx, id, ORGID1, common.ToPtr(2))
+	require.NoError(t, err)
+	retrievedBlueprint, err := v1.BlueprintFromEntry(blueprintEntry)
+	require.NoError(t, err)
+	require.Equal(t, v1.Distributions("rhel-9"), retrievedBlueprint.Distribution)
+
+	var retrievedServiceSnapshots db.ServiceSnapshots
+	err = json.Unmarshal(blueprintEntry.ServiceSnapshots, &retrievedServiceSnapshots)
+	require.NoError(t, err)
+	require.NotNil(t, retrievedServiceSnapshots.Compliance)
+
+	var customizations map[string]any
+	err = json.Unmarshal(retrievedServiceSnapshots.Compliance.PolicyCustomizations, &customizations)
+	require.NoError(t, err)
+	require.Contains(t, customizations["hostname"], "rhel9-webserver")
+	require.Contains(t, customizations["packages"], "httpd")
+	require.Contains(t, customizations["packages"], "webadmin")
+
+	blueprintEntry1, err := d.GetBlueprint(ctx, id, ORGID1, common.ToPtr(1))
+	require.NoError(t, err)
+
+	var retrievedServiceSnapshots1 db.ServiceSnapshots
+	err = json.Unmarshal(blueprintEntry1.ServiceSnapshots, &retrievedServiceSnapshots1)
+	require.NoError(t, err)
+	require.NotNil(t, retrievedServiceSnapshots1.Compliance)
+	var customizations1 map[string]any
+	err = json.Unmarshal(retrievedServiceSnapshots1.Compliance.PolicyCustomizations, &customizations1)
+	require.NoError(t, err)
+	require.Contains(t, customizations1["hostname"], "rhel8-server")
+	require.Contains(t, customizations1["packages"], "admin")
+	require.Contains(t, customizations1["packages"], "vim")
 }
 
 func TestAll(t *testing.T) {

internal/db/db.go

@@ -45,13 +45,14 @@ type CloneEntry struct {
 }
 
 type BlueprintEntry struct {
-	Id          uuid.UUID
-	VersionId   uuid.UUID
-	Version     int
-	Body        json.RawMessage
-	Name        string
-	Description string
-	Metadata    json.RawMessage
+	Id               uuid.UUID
+	VersionId        uuid.UUID
+	Version          int
+	Body             json.RawMessage
+	Name             string
+	Description      string
+	Metadata         json.RawMessage
+	ServiceSnapshots json.RawMessage
 }
 
 type BlueprintWithNoBody struct {
@@ -62,6 +63,15 @@ type BlueprintWithNoBody struct {
 	LastModifiedAt time.Time
 }
 
+type ServiceSnapshots struct {
+	Compliance *ComplianceSnapshot `json:"compliance,omitempty"`
+}
+
+type ComplianceSnapshot struct {
+	PolicyId             uuid.UUID       `json:"policy_id"`
+	PolicyCustomizations json.RawMessage `json:"policy_customizations"`
+}
+
 type DB interface {
 	InsertCompose(ctx context.Context, jobId uuid.UUID, accountNumber, email, orgId string, imageName *string, request json.RawMessage, clientId *string, blueprintVersionId *uuid.UUID) error
 	GetComposes(ctx context.Context, orgId string, since time.Duration, limit, offset int, ignoreImageTypes []string) ([]ComposeWithBlueprintVersion, int, error)
@@ -77,9 +87,9 @@ type DB interface {
 	GetClonesForCompose(ctx context.Context, composeId uuid.UUID, orgId string, limit, offset int) ([]CloneEntry, int, error)
 	GetClone(ctx context.Context, id uuid.UUID, orgId string) (*CloneEntry, error)
 
-	InsertBlueprint(ctx context.Context, id uuid.UUID, versionId uuid.UUID, orgID, accountNumber, name, description string, body json.RawMessage, metadata json.RawMessage) error
+	InsertBlueprint(ctx context.Context, id uuid.UUID, versionId uuid.UUID, orgID, accountNumber, name, description string, body json.RawMessage, metadata json.RawMessage, serviceSnapshots json.RawMessage) error
 	GetBlueprint(ctx context.Context, id uuid.UUID, orgID string, version *int) (*BlueprintEntry, error)
-	UpdateBlueprint(ctx context.Context, id uuid.UUID, blueprintId uuid.UUID, orgId string, name string, description string, body json.RawMessage) error
+	UpdateBlueprint(ctx context.Context, id uuid.UUID, blueprintId uuid.UUID, orgId string, name string, description string, body json.RawMessage, serviceSnapshots json.RawMessage) error
 	GetBlueprints(ctx context.Context, orgID string, limit, offset int) ([]BlueprintWithNoBody, int, error)
 	FindBlueprints(ctx context.Context, orgID, search string, limit, offset int) ([]BlueprintWithNoBody, int, error)
 	FindBlueprintByName(ctx context.Context, orgID, nameQuery string) (*BlueprintWithNoBody, error)