Added changes for support of popultaing existing_cves and fixed_cves in OS Resource and Instance Resource for immutable OS (#119)

Co-authored-by: joanna kossakowska <joanna.kossakowska@intel.com>

Author: SushilLakra

maintenance/pkg/invclient/invclient.go

@@ -213,6 +213,7 @@ func UpdateInstance(
 	updateStatus inv_status.ResourceStatus,
 	updateStatusDetail string,
 	newOSResID string,
+	newExistingCves string,
 ) error {
 	zlog.Debug().Msgf("UpdateInstanceStatus: tenantID=%s, InstanceID=%s, NewUpdateStatus=%v, LastUpdateDetail=%s",
 		tenantID, instanceID, updateStatus, updateStatusDetail)
@@ -245,6 +246,11 @@ func UpdateInstance(
 		fields = append(fields, computev1.InstanceResourceEdgeCurrentOs)
 	}
 
+	if newExistingCves != "" {
+		instRes.ExistingCves = newExistingCves
+		fields = append(fields, computev1.InstanceResourceFieldExistingCves)
+	}
+
 	fieldMask, err := fieldmaskpb.New(instRes, fields...)
 	if err != nil {
 		// This should never happen
@@ -366,6 +372,39 @@ func GetLatestImmutableOSByProfile(
 	return latestOS, nil
 }
 
+func GetOSResourceByID(
+	ctx context.Context,
+	c inv_client.TenantAwareInventoryClient,
+	tenantID, osResourceID string,
+) (*os_v1.OperatingSystemResource, error) {
+	zlog.Debug().Msgf("GetOSResourceByID: tenantID=%s, osResourceID=%s", tenantID, osResourceID)
+
+	childCtx, cancel := context.WithTimeout(ctx, *inventoryTimeout)
+	defer cancel()
+
+	resp, err := c.Get(childCtx, tenantID, osResourceID)
+	if err != nil {
+		zlog.InfraErr(err).Msgf("Failed to get OS resource: tenantID=%s, osResourceID=%s", tenantID, osResourceID)
+		return nil, err
+	}
+
+	if err = validator.ValidateMessage(resp); err != nil {
+		zlog.InfraSec().InfraErr(err).Msg("")
+		return nil, errors.Wrap(err)
+	}
+
+	osResource, err := util.UnwrapResource[*os_v1.OperatingSystemResource](resp.GetResource())
+	if err != nil {
+		zlog.InfraSec().InfraErr(err).Msgf("Failed to unwrap OS resource: %s", resp.GetResource())
+		return nil, err
+	}
+
+	zlog.Debug().Msgf("Successfully retrieved OS resource: %s (Profile: %s, Version: %s)",
+		osResource.GetResourceId(), osResource.GetProfileName(), osResource.GetImageId())
+
+	return osResource, nil
+}
+
 func CreateOSUpdateRun(
 	ctx context.Context, c inv_client.TenantAwareInventoryClient, tenantID string, osUpRun *computev1.OSUpdateRunResource,
 ) error {

maintenance/pkg/invclient/invclient_test.go

@@ -26,6 +26,10 @@ import (
 	inv_utils "github.com/open-edge-platform/infra-managers/maintenance/pkg/utils"
 )
 
+const (
+	semverVersion100 = "1.0.0"
+)
+
 func TestMain(m *testing.M) {
 	wd, err := os.Getwd()
 	if err != nil {
@@ -292,7 +296,7 @@ func TestInvClient_UpdateInstance(t *testing.T) {
 	// Error - non-existent Instance
 	t.Run("ErrorNoInst", func(t *testing.T) {
 		err := invclient.UpdateInstance(ctx, client, mm_testing.Tenant1, "inst-12345678",
-			mm_status.UpdateStatusUpToDate, "", newOSRes.GetResourceId())
+			mm_status.UpdateStatusUpToDate, "", newOSRes.GetResourceId(), "")
 		require.Error(t, err)
 		sts, _ := status.FromError(err)
 		assert.Equal(t, codes.NotFound, sts.Code())
@@ -303,7 +307,7 @@ func TestInvClient_UpdateInstance(t *testing.T) {
 	t.Run("UpdateInstStatusNotCurrentOS", func(t *testing.T) {
 		timeBeforeUpdate := time.Now().Unix()
 		err := invclient.UpdateInstance(ctx, client, mm_testing.Tenant1, inst.ResourceId,
-			mm_status.UpdateStatusInProgress, "", "")
+			mm_status.UpdateStatusInProgress, "", "", "")
 
 		require.NoError(t, err)
 		updatedInst, err := client.Get(ctx, mm_testing.Tenant1, inst.ResourceId)
@@ -323,7 +327,7 @@ func TestInvClient_UpdateInstance(t *testing.T) {
 		require.NoError(t, err)
 		assert.NotEqual(t, newOSRes.GetSha256(), beforeUpdateInst.GetResource().GetInstance().GetCurrentOs().GetSha256())
 		err = invclient.UpdateInstance(ctx, client, mm_testing.Tenant1, inst.ResourceId,
-			mm_status.UpdateStatusDone, "some update status detail", newOSRes.GetResourceId())
+			mm_status.UpdateStatusDone, "some update status detail", newOSRes.GetResourceId(), "")
 		require.NoError(t, err)
 		updatedInst, err := client.Get(ctx, mm_testing.Tenant1, inst.ResourceId)
 		require.NoError(t, err)
@@ -338,11 +342,11 @@ func TestInvClient_UpdateInstance(t *testing.T) {
 	t.Run("UpdateUpdateStatusToRunning", func(t *testing.T) {
 		// initial setup of instance status to running and update status to unknown
 		err := invclient.UpdateInstance(ctx, client, mm_testing.Tenant1, inst.ResourceId,
-			mm_status.UpdateStatusUnknown, "some update status detail", newOSRes.GetResourceId())
+			mm_status.UpdateStatusUnknown, "some update status detail", newOSRes.GetResourceId(), "")
 		require.NoError(t, err)
 		// setup only the update status as instance status is already set to running
 		err = invclient.UpdateInstance(ctx, client, mm_testing.Tenant1, inst.ResourceId,
-			mm_status.UpdateStatusDone, "some update status detail", newOSRes.GetResourceId())
+			mm_status.UpdateStatusDone, "some update status detail", newOSRes.GetResourceId(), "")
 		require.NoError(t, err)
 		updatedInst, err := client.Get(ctx, mm_testing.Tenant1, inst.ResourceId)
 		require.NoError(t, err)
@@ -427,13 +431,12 @@ func TestInvClient_GetLatestImmutableOSByProfile(t *testing.T) {
 	dao := inv_testing.NewInvResourceDAOOrFail(t)
 	ctx := t.Context()
 	client := inv_testing.TestClients[inv_testing.RMClient].GetTenantAwareInventoryClient()
-	semver100 := "1.0.0"
 
 	osRes1 := dao.CreateOsWithOpts(t, mm_testing.Tenant1, true, func(os *os_v1.OperatingSystemResource) {
 		os.Sha256 = inv_testing.GenerateRandomSha256()
 		os.Name = "OS Resource 1"
 		os.ProfileName = "profile name 1"
-		os.ProfileVersion = semver100
+		os.ProfileVersion = semverVersion100
 		os.SecurityFeature = os_v1.SecurityFeature_SECURITY_FEATURE_NONE
 		os.OsType = os_v1.OsType_OS_TYPE_IMMUTABLE
 	})
@@ -442,7 +445,7 @@ func TestInvClient_GetLatestImmutableOSByProfile(t *testing.T) {
 		os.Sha256 = inv_testing.GenerateRandomSha256()
 		os.Name = "OS Resource 2"
 		os.ProfileName = "profile name 2"
-		os.ProfileVersion = semver100
+		os.ProfileVersion = semverVersion100
 		os.SecurityFeature = os_v1.SecurityFeature_SECURITY_FEATURE_NONE
 		os.OsType = os_v1.OsType_OS_TYPE_IMMUTABLE
 	})
@@ -460,7 +463,7 @@ func TestInvClient_GetLatestImmutableOSByProfile(t *testing.T) {
 		os.Sha256 = inv_testing.GenerateRandomSha256()
 		os.Name = "OS Resource 3"
 		os.ProfileName = "profile name 3"
-		os.ProfileVersion = semver100
+		os.ProfileVersion = semverVersion100
 		os.SecurityFeature = os_v1.SecurityFeature_SECURITY_FEATURE_NONE
 		os.OsType = os_v1.OsType_OS_TYPE_IMMUTABLE
 	})
@@ -543,3 +546,139 @@ func TestInvClient_GetLatestImmutableOSByProfile(t *testing.T) {
 		})
 	}
 }
+
+// createOSResourceValidator creates a validation function for OS resource comparison.
+func createOSResourceValidator(expected *os_v1.OperatingSystemResource) func(*testing.T, *os_v1.OperatingSystemResource) {
+	return func(t *testing.T, osRes *os_v1.OperatingSystemResource) {
+		t.Helper()
+		assert.Equal(t, expected.GetResourceId(), osRes.GetResourceId())
+		assert.Equal(t, expected.GetName(), osRes.GetName())
+		assert.Equal(t, expected.GetProfileName(), osRes.GetProfileName())
+		assert.Equal(t, expected.GetImageId(), osRes.GetImageId())
+		assert.Equal(t, expected.GetProfileVersion(), osRes.GetProfileVersion())
+		assert.Equal(t, expected.GetSha256(), osRes.GetSha256())
+		assert.Equal(t, expected.GetSecurityFeature(), osRes.GetSecurityFeature())
+		assert.Equal(t, expected.GetOsType(), osRes.GetOsType())
+	}
+}
+
+func TestInvClient_GetOSResourceByID(t *testing.T) {
+	dao := inv_testing.NewInvResourceDAOOrFail(t)
+	ctx := context.TODO()
+	client := inv_testing.TestClients[inv_testing.RMClient].GetTenantAwareInventoryClient()
+
+	// Create test OS resources
+	osRes1 := dao.CreateOsWithOpts(t, mm_testing.Tenant1, true, func(os *os_v1.OperatingSystemResource) {
+		os.Sha256 = inv_testing.GenerateRandomSha256()
+		os.Name = "Test OS Resource 1"
+		os.ProfileName = "test-profile-1"
+		os.ImageId = "test-image-1.0.0"
+		os.ProfileVersion = "1.0.0"
+		os.SecurityFeature = os_v1.SecurityFeature_SECURITY_FEATURE_SECURE_BOOT_AND_FULL_DISK_ENCRYPTION
+		os.OsType = os_v1.OsType_OS_TYPE_IMMUTABLE
+	})
+
+	osRes2 := dao.CreateOsWithOpts(t, mm_testing.Tenant1, true, func(os *os_v1.OperatingSystemResource) {
+		os.Sha256 = inv_testing.GenerateRandomSha256()
+		os.Name = "Test OS Resource 2"
+		os.ProfileName = "test-profile-2"
+		os.ImageId = "test-image-2.0.0"
+		os.ProfileVersion = "2.0.0"
+		os.SecurityFeature = os_v1.SecurityFeature_SECURITY_FEATURE_NONE
+		os.OsType = os_v1.OsType_OS_TYPE_MUTABLE
+	})
+
+	tests := []struct {
+		name         string
+		osResourceID string
+		expectError  bool
+		expectedCode codes.Code
+		validateFunc func(*testing.T, *os_v1.OperatingSystemResource)
+	}{
+		{
+			name:         "SuccessGetImmutableOS",
+			osResourceID: osRes1.GetResourceId(),
+			expectError:  false,
+			validateFunc: createOSResourceValidator(osRes1),
+		},
+		{
+			name:         "SuccessGetMutableOS",
+			osResourceID: osRes2.GetResourceId(),
+			expectError:  false,
+			validateFunc: createOSResourceValidator(osRes2),
+		},
+		{
+			name:         "ErrorNonExistentOSResource",
+			osResourceID: "os-nonexistent-12345678",
+			expectError:  true,
+			expectedCode: codes.NotFound,
+		},
+		{
+			name:         "ErrorEmptyOSResourceID",
+			osResourceID: "",
+			expectError:  true,
+			expectedCode: codes.InvalidArgument,
+		},
+		{
+			name:         "ErrorInvalidOSResourceID",
+			osResourceID: "invalid-resource-id",
+			expectError:  true,
+			expectedCode: codes.InvalidArgument,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			osRes, err := invclient.GetOSResourceByID(ctx, client, mm_testing.Tenant1, tt.osResourceID)
+
+			if tt.expectError {
+				require.Error(t, err)
+				assert.Equal(t, tt.expectedCode, status.Code(err))
+				assert.Nil(t, osRes)
+			} else {
+				require.NoError(t, err)
+				require.NotNil(t, osRes)
+				if tt.validateFunc != nil {
+					tt.validateFunc(t, osRes)
+				}
+			}
+		})
+	}
+}
+
+func TestInvClient_GetOSResourceByID_ErrorCases(t *testing.T) {
+	dao := inv_testing.NewInvResourceDAOOrFail(t)
+	ctx := context.TODO()
+	client := inv_testing.TestClients[inv_testing.RMClient].GetTenantAwareInventoryClient()
+
+	// Create a test OS resource for some tests
+	osRes1 := dao.CreateOsWithOpts(t, mm_testing.Tenant1, true, func(os *os_v1.OperatingSystemResource) {
+		os.Sha256 = inv_testing.GenerateRandomSha256()
+		os.Name = "Test OS Resource 1"
+		os.ProfileName = "test-profile-1"
+		os.ImageId = "test-image-1.0.0"
+		os.ProfileVersion = "1.0.0"
+		os.SecurityFeature = os_v1.SecurityFeature_SECURITY_FEATURE_SECURE_BOOT_AND_FULL_DISK_ENCRYPTION
+		os.OsType = os_v1.OsType_OS_TYPE_IMMUTABLE
+	})
+
+	// Test with different tenant
+	t.Run("ErrorWrongTenant", func(t *testing.T) {
+		_, err := invclient.GetOSResourceByID(ctx, client, "wrong-tenant-id", osRes1.GetResourceId())
+		require.Error(t, err)
+		sts, _ := status.FromError(err)
+		assert.Equal(t, codes.NotFound, sts.Code())
+	})
+
+	// Test context timeout
+	t.Run("ContextTimeout", func(t *testing.T) {
+		timeoutCtx, cancel := context.WithTimeout(context.Background(), 1*time.Nanosecond)
+		defer cancel()
+		time.Sleep(1 * time.Millisecond) // Ensure context is expired
+
+		_, err := invclient.GetOSResourceByID(timeoutCtx, client, mm_testing.Tenant1, osRes1.GetResourceId())
+		require.Error(t, err)
+		sts, _ := status.FromError(err)
+		assert.Equal(t, codes.DeadlineExceeded, sts.Code())
+	})
+}

maintenance/pkg/maintmgr/southbound_handler.go

@@ -12,8 +12,10 @@ import (
 
 	computev1 "github.com/open-edge-platform/infra-core/inventory/v2/pkg/api/compute/v1"
 	os_v1 "github.com/open-edge-platform/infra-core/inventory/v2/pkg/api/os/v1"
+	statusv1 "github.com/open-edge-platform/infra-core/inventory/v2/pkg/api/status/v1"
 	inv_client "github.com/open-edge-platform/infra-core/inventory/v2/pkg/client"
 	"github.com/open-edge-platform/infra-core/inventory/v2/pkg/errors"
+	inv_status "github.com/open-edge-platform/infra-core/inventory/v2/pkg/status"
 	pb "github.com/open-edge-platform/infra-managers/maintenance/pkg/api/maintmgr/v1"
 	"github.com/open-edge-platform/infra-managers/maintenance/pkg/invclient"
 	maintgmr_util "github.com/open-edge-platform/infra-managers/maintenance/pkg/utils"
@@ -43,8 +45,17 @@ func updateInstanceInInv(
 			return
 		}
 
+		zlog.Debug().Msgf("New OS Resource ID: %s", newOSResID)
+
+		newExistingCVEs, err := GetNewExistingCVEs(ctx, client, tenantID, newOSResID, instRes, newInstUpStatus)
+		if err != nil {
+			// Return and continue in case of errors
+			zlog.InfraSec().Warn().Err(err).Msgf("Failed to get new existing CVEs")
+			return
+		}
+
 		err = invclient.UpdateInstance(ctx, client, tenantID, instRes.GetResourceId(),
-			*newInstUpStatus, newUpdateStatusDetail, newOSResID)
+			*newInstUpStatus, newUpdateStatusDetail, newOSResID, newExistingCVEs)
 		if err != nil {
 			// Return and continue in case of errors
 			zlog.InfraSec().Warn().Err(err).Msgf("Failed to update Instance Status")
@@ -234,3 +245,35 @@ func updateOSUpdateRun(
 			newUpdateStatus, maintgmr_util.GetUpdateStatusFromInstance(instRes))
 	}
 }
+
+// GetNewExistingCVEs retrieves the new existing CVEs based on the new OS Resource ID.
+// or from the current OS resource if no new OS Resource ID is provided.
+func GetNewExistingCVEs(
+	ctx context.Context,
+	client inv_client.TenantAwareInventoryClient,
+	tenantID string,
+	newOSResID string,
+	instRes *computev1.InstanceResource,
+	newInstUpStatus *inv_status.ResourceStatus,
+) (string, error) {
+	var newExistingCVEs string
+
+	if newOSResID == "" {
+		// If newOSResID is os zero length, it means there is no new OS Resource update and
+		// also if Instance Status is getting updated from UnSpecified to Idle then only
+		// copy existing CVEs from existing OS resource
+		if instRes.GetUpdateStatusIndicator() == statusv1.StatusIndication_STATUS_INDICATION_UNSPECIFIED &&
+			newInstUpStatus.StatusIndicator == statusv1.StatusIndication_STATUS_INDICATION_IDLE {
+			newExistingCVEs = instRes.GetOs().GetExistingCves()
+		}
+	} else {
+		// Fetch the new existing CVEs after fetching the new OS Resource based on the newOSResID
+		newOSResource, osErr := invclient.GetOSResourceByID(ctx, client, tenantID, newOSResID)
+		if osErr != nil {
+			return "", osErr
+		}
+		newExistingCVEs = newOSResource.GetExistingCves()
+	}
+
+	return newExistingCVEs, nil
+}