Add setting custom messages on configuration policies

Relates:
https://issues.redhat.com/browse/ACM-13134

Co-authored-by: Jason Zhang <[email protected]>

Signed-off-by: mprahl <[email protected]>

Author: mprahl

docs/policygenerator-reference.yaml

@@ -35,6 +35,12 @@ policyDefaults:
   # If set to false, only the policy framework specific policy labels and annotations will be copied to the replicated
   # policy.
   copyPolicyMetadata: true
+  # Optional. customMessage configures the compliance messages emitted by the configuration policy to use one
+  # of the specified Go templates based on the current compliance. See the ConfigurationPolicy API documentation for
+  # more details.
+  customMessage:
+    compliant: ""
+    noncompliant: ""
   # Optional. A list of objects that should be in specific compliance states before this policy is applied. Cannot be
   # specified when policyDefaults.orderPolicies is set to true.
   dependencies:
@@ -253,6 +259,11 @@ policies:
         # Optional. (See policyDefaults.namespaceSelector for description.)
         # Cannot be specified when policyDefaults.consolidateManifests is set to true.
         namespaceSelector: {}
+        # Optional. (See policyDefaults.customMessage for description.)
+        # Cannot be specified when policyDefaults.consolidateManifests is set to true.
+        customMessage:
+          compliant: ""
+          noncompliant: ""
         # Optional. (See policyDefaults.evaluationInterval for description.)
         # Cannot be specified when policyDefaults.consolidateManifests is set to true.
         evaluationInterval: {}
@@ -312,6 +323,10 @@ policies:
     configurationPolicyAnnotations: {}
     # Optional. (See policyDefaults.copyPolicyMetadata for description.)
     copyPolicyMetadata: true
+    # Optional. (See policyDefaults.customMessage for description.)
+    customMessage:
+      compliant: ""
+      noncompliant: ""
     # Optional. (See policyDefaults.metadataComplianceType for description.)
     metadataComplianceType: ""
     # Optional. (See policyDefaults.controls for description.)

internal/plugin.go

@@ -324,15 +324,13 @@ func getPolicySet(config map[string]interface{}, policySetIndex int) map[string]
 	return getArrayObject(config, "policySets", policySetIndex)
 }
 
-// getEvaluationInterval will return the evaluation interval of specified policy in the Policy Generator configuration
-// YAML.
-func isEvaluationIntervalSet(config map[string]interface{}, policyIndex int, complianceType string) bool {
+func isComplianceConfigSet(config map[string]interface{}, policyIndex int, field, complianceType string) bool {
 	policy := getPolicy(config, policyIndex)
 	if policy == nil {
 		return false
 	}
 
-	evaluationInterval, ok := policy["evaluationInterval"].(map[string]interface{})
+	evaluationInterval, ok := policy[field].(map[string]interface{})
 	if !ok {
 		return false
 	}
@@ -342,10 +340,20 @@ func isEvaluationIntervalSet(config map[string]interface{}, policyIndex int, com
 	return set
 }
 
-// isEvaluationIntervalSetManifest will return whether the evaluation interval of the specified manifest
-// of the specified policy is set in the Policy Generator configuration YAML.
-func isEvaluationIntervalSetManifest(
-	config map[string]interface{}, policyIndex int, manifestIndex int, complianceType string,
+// isEvaluationIntervalSet will return if the evaluation interval is set for the specified policy in the Policy
+// Generator configuration YAML.
+func isEvaluationIntervalSet(config map[string]interface{}, policyIndex int, complianceType string) bool {
+	return isComplianceConfigSet(config, policyIndex, "evaluationInterval", complianceType)
+}
+
+// isCustomMessageSet will return if the custom message is set for the specified policy in the Policy
+// Generator configuration YAML.
+func isCustomMessageSet(config map[string]interface{}, policyIndex int, complianceType string) bool {
+	return isComplianceConfigSet(config, policyIndex, "customMessage", complianceType)
+}
+
+func isComplianceConfigSetManifest(
+	config map[string]interface{}, policyIndex int, manifestIndex int, field, complianceType string,
 ) bool {
 	policy := getPolicy(config, policyIndex)
 	if policy == nil {
@@ -366,16 +374,32 @@ func isEvaluationIntervalSetManifest(
 		return false
 	}
 
-	evaluationInterval, ok := manifest["evaluationInterval"].(map[string]interface{})
+	fieldValue, ok := manifest[field].(map[string]interface{})
 	if !ok {
 		return false
 	}
 
-	_, set := evaluationInterval[complianceType].(string)
+	_, set := fieldValue[complianceType].(string)
 
 	return set
 }
 
+// isEvaluationIntervalSetManifest will return whether the evaluation interval of the specified manifest
+// of the specified policy is set in the Policy Generator configuration YAML.
+func isEvaluationIntervalSetManifest(
+	config map[string]interface{}, policyIndex int, manifestIndex int, complianceType string,
+) bool {
+	return isComplianceConfigSetManifest(config, policyIndex, manifestIndex, "evaluationInterval", complianceType)
+}
+
+// isCustomMessageSetManifest will return whether the compliance message of the specified manifest
+// of the specified policy is set in the Policy Generator configuration YAML.
+func isCustomMessageSetManifest(
+	config map[string]interface{}, policyIndex int, manifestIndex int, complianceType string,
+) bool {
+	return isComplianceConfigSetManifest(config, policyIndex, manifestIndex, "customMessage", complianceType)
+}
+
 func isPolicyFieldSet(config map[string]interface{}, policyIndex int, field string) bool {
 	policy := getPolicy(config, policyIndex)
 	if policy == nil {
@@ -598,6 +622,21 @@ func (p *Plugin) applyDefaults(unmarshaledConfig map[string]interface{}) {
 			}
 		}
 
+		// Only use the policyDefault customMessage value when it's not explicitly set on the policy.
+		if policy.CustomMessage.Compliant == "" {
+			set := isCustomMessageSet(unmarshaledConfig, i, "compliant")
+			if !set {
+				policy.CustomMessage.Compliant = p.PolicyDefaults.CustomMessage.Compliant
+			}
+		}
+
+		if policy.CustomMessage.NonCompliant == "" {
+			set := isCustomMessageSet(unmarshaledConfig, i, "noncompliant")
+			if !set {
+				policy.CustomMessage.NonCompliant = p.PolicyDefaults.CustomMessage.NonCompliant
+			}
+		}
+
 		if policy.PruneObjectBehavior == "" {
 			policy.PruneObjectBehavior = p.PolicyDefaults.PruneObjectBehavior
 		}
@@ -727,6 +766,20 @@ func (p *Plugin) applyDefaults(unmarshaledConfig map[string]interface{}) {
 				}
 			}
 
+			if manifest.CustomMessage.Compliant == "" {
+				set := isCustomMessageSetManifest(unmarshaledConfig, i, j, "compliant")
+				if !set {
+					manifest.CustomMessage.Compliant = policy.CustomMessage.Compliant
+				}
+			}
+
+			if manifest.CustomMessage.NonCompliant == "" {
+				set := isCustomMessageSetManifest(unmarshaledConfig, i, j, "noncompliant")
+				if !set {
+					manifest.CustomMessage.NonCompliant = policy.CustomMessage.NonCompliant
+				}
+			}
+
 			selector := manifest.NamespaceSelector
 			if selector.Exclude == nil && selector.Include == nil &&
 				selector.MatchLabels == nil && selector.MatchExpressions == nil {
@@ -1067,6 +1120,10 @@ func (p *Plugin) assertValidConfig() error {
 					return fmt.Errorf(errorMsgFmt, "evaluationInterval")
 				}
 
+				if !reflect.DeepEqual(manifest.CustomMessage, policy.CustomMessage) {
+					return fmt.Errorf(errorMsgFmt, "customMessage")
+				}
+
 				if !reflect.DeepEqual(manifest.NamespaceSelector, policy.NamespaceSelector) {
 					return fmt.Errorf(errorMsgFmt, "namespaceSelector")
 				}

internal/plugin_test.go

@@ -4650,6 +4650,213 @@ func TestCreatePolicyWithCopyPolicyMetadata(t *testing.T) {
 	}
 }
 
+func TestCreatePolicyWithCustomMessage(t *testing.T) {
+	t.Parallel()
+	tmpDir := t.TempDir()
+	createConfigMap(t, tmpDir, "configmap.yaml")
+	createConfigMap(t, tmpDir, "configmap2.yaml")
+
+	p := Plugin{}
+	var err error
+
+	p.baseDirectory, err = filepath.EvalSymlinks(tmpDir)
+	if err != nil {
+		t.Fatal(err.Error())
+	}
+
+	p.PolicyDefaults.Namespace = "my-policies"
+	p.PolicyDefaults.CustomMessage = types.CustomMessage{
+		Compliant:    "{{ default }}",
+		NonCompliant: "{{ default }}",
+	}
+
+	policyConf := types.PolicyConfig{
+		Name: "policy-app-config",
+		PolicyOptions: types.PolicyOptions{
+			ConsolidateManifests: false,
+		},
+		Manifests: []types.Manifest{
+			{
+				Path: path.Join(tmpDir, "configmap.yaml"),
+			},
+			{
+				Path: path.Join(tmpDir, "configmap2.yaml"),
+			},
+		},
+	}
+	p.Policies = append(p.Policies, policyConf)
+
+	// Ensure values are correctly propagated/overridden
+	p.applyDefaults(map[string]interface{}{})
+	assertEqual(t, policyConf.Manifests[0].ConfigurationPolicyOptions.CustomMessage.Compliant, "{{ default }}")
+	assertEqual(t, policyConf.Manifests[0].ConfigurationPolicyOptions.CustomMessage.NonCompliant, "{{ default }}")
+	assertEqual(t, policyConf.Manifests[1].ConfigurationPolicyOptions.CustomMessage.Compliant, "{{ default }}")
+	assertEqual(t, policyConf.Manifests[1].ConfigurationPolicyOptions.CustomMessage.NonCompliant, "{{ default }}")
+
+	// With consolidateManifest = false
+	policyConf.ConfigurationPolicyOptions = types.ConfigurationPolicyOptions{
+		CustomMessage: types.CustomMessage{
+			Compliant:    "{{ root }}",
+			NonCompliant: "{{ root }}",
+		},
+	}
+	policyConf.Manifests[0].ConfigurationPolicyOptions = types.ConfigurationPolicyOptions{
+		CustomMessage: types.CustomMessage{
+			Compliant:    "{{ manifest1 }}",
+			NonCompliant: "{{ manifest1 }}",
+		},
+	}
+	policyConf.Manifests[1].ConfigurationPolicyOptions = types.ConfigurationPolicyOptions{
+		CustomMessage: types.CustomMessage{
+			Compliant:    "{{ manifest2 }}",
+			NonCompliant: "{{ manifest2 }}",
+		},
+	}
+
+	p.applyDefaults(map[string]interface{}{})
+
+	err = p.createPolicy(&policyConf)
+	if err != nil {
+		t.Fatal(err.Error())
+	}
+
+	output := p.outputBuffer.String()
+	expected := `
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+    annotations:
+        policy.open-cluster-management.io/categories: ""
+        policy.open-cluster-management.io/controls: ""
+        policy.open-cluster-management.io/description: ""
+        policy.open-cluster-management.io/standards: ""
+    name: policy-app-config
+    namespace: my-policies
+spec:
+    copyPolicyMetadata: false
+    disabled: false
+    policy-templates:
+        - objectDefinition:
+            apiVersion: policy.open-cluster-management.io/v1
+            kind: ConfigurationPolicy
+            metadata:
+                name: policy-app-config
+            spec:
+                customMessage:
+                    compliant: '{{ manifest1 }}'
+                    noncompliant: '{{ manifest1 }}'
+                object-templates:
+                    - complianceType: musthave
+                      objectDefinition:
+                        apiVersion: v1
+                        data:
+                            game.properties: enemies=potato
+                        kind: ConfigMap
+                        metadata:
+                            name: my-configmap
+                remediationAction: inform
+                severity: low
+        - objectDefinition:
+            apiVersion: policy.open-cluster-management.io/v1
+            kind: ConfigurationPolicy
+            metadata:
+                name: policy-app-config2
+            spec:
+                customMessage:
+                    compliant: '{{ manifest2 }}'
+                    noncompliant: '{{ manifest2 }}'
+                object-templates:
+                    - complianceType: musthave
+                      objectDefinition:
+                        apiVersion: v1
+                        data:
+                            game.properties: enemies=potato
+                        kind: ConfigMap
+                        metadata:
+                            name: my-configmap
+                remediationAction: inform
+                severity: low
+    remediationAction: inform
+`
+
+	expected = strings.TrimPrefix(expected, "\n")
+	assertEqual(t, output, expected)
+	p.outputBuffer.Reset()
+
+	// With consolidateManifest = true
+	policyConf.PolicyOptions.ConsolidateManifests = true
+	err = p.assertValidConfig()
+	expectedErr := "the policy policy-app-config has the customMessage " +
+		"value set on manifest[0] but consolidateManifests is true"
+	assertEqual(t, err.Error(), expectedErr)
+
+	// Note: customMessage field at the manifest level must be set to
+	// the same value as in the policy level when consolidateManifest = true
+	// to successfully generate a policy. If customMessage field is unset
+	// at the manifest level, applyDefaults() can be used to populate this field
+	// if it's set at the policyDefaults or policy level.
+	policyConf.Manifests[0].ConfigurationPolicyOptions.CustomMessage.Compliant = "{{ root }}"
+	policyConf.Manifests[0].ConfigurationPolicyOptions.CustomMessage.NonCompliant = "{{ root }}"
+	policyConf.Manifests[1].ConfigurationPolicyOptions.CustomMessage.Compliant = "{{ root }}"
+	policyConf.Manifests[1].ConfigurationPolicyOptions.CustomMessage.NonCompliant = "{{ root }}"
+
+	err = p.createPolicy(&policyConf)
+	if err != nil {
+		t.Fatal(err.Error())
+	}
+
+	output = p.outputBuffer.String()
+	expected = `
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+    annotations:
+        policy.open-cluster-management.io/categories: ""
+        policy.open-cluster-management.io/controls: ""
+        policy.open-cluster-management.io/description: ""
+        policy.open-cluster-management.io/standards: ""
+    name: policy-app-config
+    namespace: my-policies
+spec:
+    copyPolicyMetadata: false
+    disabled: false
+    policy-templates:
+        - objectDefinition:
+            apiVersion: policy.open-cluster-management.io/v1
+            kind: ConfigurationPolicy
+            metadata:
+                name: policy-app-config
+            spec:
+                customMessage:
+                    compliant: '{{ root }}'
+                    noncompliant: '{{ root }}'
+                object-templates:
+                    - complianceType: musthave
+                      objectDefinition:
+                        apiVersion: v1
+                        data:
+                            game.properties: enemies=potato
+                        kind: ConfigMap
+                        metadata:
+                            name: my-configmap
+                    - complianceType: musthave
+                      objectDefinition:
+                        apiVersion: v1
+                        data:
+                            game.properties: enemies=potato
+                        kind: ConfigMap
+                        metadata:
+                            name: my-configmap
+                remediationAction: ""
+                severity: ""
+`
+
+	expected = strings.TrimPrefix(expected, "\n")
+	assertEqual(t, output, expected)
+}
+
 // Test Patching a CR object, "MyCr", containing a list of profile objects.
 // Patching profile interface name and (not profile) recommend
 // - metadata: