Improve whitelist reporting by content audit [RHELDST-13955] (#168)

This commit adds a blacklist check to depsolve's filter_whitelist so
whitelists exclude content that is also blacklisted, which was happening
in content audit task. Additionally, module whitelists are now included
in content audit's checks--previously overlooked.

tests/test_content_audit_task.py

@@ -71,7 +71,7 @@ def _setup_population_sources(pulp):
         provides=[],
     )
     unit_3 = ModulemdUnit(
-        name="some_module1",
+        name="fake_name",
         stream="fake_stream",
         version=10,
         context="b7fad3bf",
@@ -82,7 +82,7 @@ def _setup_population_sources(pulp):
         ],
     )
     unit_4 = ModulemdUnit(
-        name="some_module2",
+        name="some_module1",
         stream="fake_stream",
         version=10,
         context="b7fad3bf",
@@ -92,27 +92,49 @@ def _setup_population_sources(pulp):
             "test-1:1.24-3.module+el8.1.0+2934+dec45db7.src",
         ],
     )
-    unit_5 = ModulemdDefaultsUnit(
+    unit_5 = ModulemdUnit(
+        name="some_module2",
+        stream="fake_stream",
+        version=10,
+        context="b7fad3bf",
+        arch="x86_64",
+        artifacts=[
+            "test-2:1.24-3.module+el8.1.0+2934+dec45db7.noarch",
+            "test-2:1.24-3.module+el8.1.0+2934+dec45db7.src",
+        ],
+    )
+    unit_6 = ModulemdDefaultsUnit(
         name="some_module_defaults1",
         stream="fake_stream",
         repo_id="ubi_repo",
         profiles={"1.1": ["default"], "1.0": []},
     )
-    unit_6 = ModulemdDefaultsUnit(
+    unit_7 = ModulemdDefaultsUnit(
         name="some_module_defaults2",
         stream="fake_stream",
         repo_id="ubi_repo",
         profiles={"1.0": ["default"]},
     )
-    unit_7 = RpmUnit(name="httpd.src", version="1", release="2", arch="x86_64")
-    unit_8 = RpmUnit(name="pkg-debuginfo.foo", version="1", release="2", arch="x86_64")
-    unit_9 = RpmUnit(name="package-name-abc", version="1", release="2", arch="x86_64")
+    unit_8 = RpmUnit(name="httpd.src", version="1", release="2", arch="x86_64")
+    unit_9 = RpmUnit(name="pkg-debuginfo.foo", version="1", release="2", arch="x86_64")
+    unit_10 = RpmUnit(name="package-name-abc", version="1", release="2", arch="x86_64")
 
     pulp.insert_units(rhel_repo_1, [unit_1, unit_3, unit_5, unit_7, unit_9])
-    pulp.insert_units(rhel_repo_2, [unit_2, unit_4, unit_6, unit_8])
+    pulp.insert_units(rhel_repo_2, [unit_2, unit_4, unit_6, unit_8, unit_10])
     pulp.insert_units(
         ubi_repo,
-        [unit_1, unit_2, unit_3, unit_4, unit_5, unit_6, unit_7, unit_8, unit_9],
+        [
+            unit_1,
+            unit_2,
+            unit_3,
+            unit_4,
+            unit_5,
+            unit_6,
+            unit_7,
+            unit_8,
+            unit_9,
+            unit_10,
+        ],
     )
 
 
@@ -194,7 +216,20 @@ def test_content_audit_outdated(pulp, caplog):
         repo_id="outdated_ubi_repo",
         profiles={"1.0": ["default"]},
     )
-    pulp.insert_units(ubi_repo, [unit_1, unit_2, unit_3, unit_4, unit_5, unit_6])
+    unit_7 = ModulemdUnit(
+        name="fake_name",
+        stream="fake_stream",
+        version=10,
+        context="b7fad3bf",
+        arch="x86_64",
+        artifacts=[
+            "test-0:1.24-3.module+el8.1.0+2934+dec45db7.noarch",
+            "test-0:1.24-3.module+el8.1.0+2934+dec45db7.src",
+        ],
+    )
+    pulp.insert_units(
+        ubi_repo, [unit_1, unit_2, unit_3, unit_4, unit_5, unit_6, unit_7]
+    )
 
     with mock.patch("ubi_manifest.worker.tasks.depsolver.utils.Client") as client:
         with mock.patch("ubiconfig.get_loader", return_value=MockLoader()):
@@ -208,8 +243,8 @@ def test_content_audit_outdated(pulp, caplog):
             "[outdated_ubi_repo] UBI modulemd 'some_module1:fake_stream' version is outdated (current: 7, latest: 10)",
             "[outdated_ubi_repo] UBI modulemd_defaults 'some_module_defaults1:fake_stream' version is outdated",
             "[outdated_ubi_repo] UBI rpm 'gcc' version is outdated (current: ('0', '8.2.1', '200'), latest: ('0', '9.0.1', '200'))",
-            # we didn't add a 'pkg-debuginfo' or 'package-name-' unit (latter is blacklisted)
-            "[outdated_ubi_repo] whitelisted content not found in population source repositories;\n\tpackage-name-\n\tpkg-debuginfo",
+            # we didn't add RPM 'pkg-debuginfo'
+            "[outdated_ubi_repo] whitelisted content missing from UBI and/or population sources;\n\tpkg-debuginfo",
         ]
         for real_msg, expected_msg in zip(sorted(caplog.messages), expected_logs):
             assert expected_msg in real_msg

ubi_manifest/worker/tasks/content_audit.py

@@ -57,7 +57,8 @@ def content_audit_task() -> None:
                 search_units(out_repo, [Criteria.true()], ModulemdDefaultsUnit)
             )
 
-            seen_units: set[UbiUnit] = set()
+            seen_rpms: set[UbiUnit] = set()
+            seen_modules: set[str] = set()
             output_whitelist: set[str] = set()
             output_blacklist: list[PackageToExclude] = []
 
@@ -103,25 +104,30 @@ def content_audit_task() -> None:
                         out_repo.content_set,
                         out_repo.ubi_config_version,
                     )
-                    whitelist, debuginfo_whitelist = filter_whitelist(config)
-                    output_whitelist |= whitelist | debuginfo_whitelist
                     output_blacklist.extend(parse_blacklist_config(config))
+                    whitelist, debuginfo_whitelist = filter_whitelist(
+                        config, output_blacklist
+                    )
+                    output_whitelist |= whitelist | debuginfo_whitelist
+                    output_whitelist |= {
+                        f"{md.name}:{md.stream}" for md in config.modules.whitelist
+                    }
 
             # check that all content is up-to-date
             out_rpms_result = out_rpms.result()
             for in_rpm in _latest_input_rpms(in_rpms_fts):
                 for out_rpm in out_rpms_result.copy():
                     if (out_rpm.name, out_rpm.arch) == (in_rpm.name, in_rpm.arch):
                         _compare_versions(out_repo.id, out_rpm, in_rpm)
-                        seen_units.add(in_rpm)
+                        seen_rpms.add(in_rpm)
                         out_rpms_result.discard(out_rpm)
                         break
             out_mds_result = out_mds.result()
             for in_md in _latest_input_mds(in_mds_fts):
                 for out_md in out_mds_result.copy():
                     if (out_md.name, out_md.stream) == (in_md.name, in_md.stream):
                         _compare_versions(out_repo.id, out_md, in_md)
-                        seen_units.add(in_md)
+                        seen_modules.add(f"{in_md.name}:{in_md.stream}")
                         out_mds_result.discard(out_md)
                         break
             out_mdds_result = out_mdds.result()
@@ -132,25 +138,28 @@ def content_audit_task() -> None:
                         out_mdds_result.discard(out_mdd)
                         break
 
-            # check seen units against blacklist
+            # check seen RPMs against blacklist
             if blacklisted := {
-                u.name for u in seen_units if is_blacklisted(u, output_blacklist)
+                u.name for u in seen_rpms if is_blacklisted(u, output_blacklist)
             }:
                 _LOG.warning(
                     "[%s] blacklisted content found in input repositories;\n\t%s",
                     out_repo.id,
                     "\n\t".join(sorted(blacklisted)),
                 )
 
-            # check seen units off of whitelist
+            # check seen RPMs and Modules off of whitelist
+            to_check = {u.name for u in seen_rpms} | seen_modules
             for pattern in output_whitelist.copy():
-                if [u.name for u in seen_units if pattern in u.name]:
+                if matches := {name for name in to_check if pattern in name}:
                     output_whitelist.remove(pattern)
+                    # Let's not recheck those we've already found
+                    to_check -= matches
 
             # report any missing whitelisted packages for the output repo
             if output_whitelist:
                 _LOG.warning(
-                    "[%s] whitelisted content not found in population source repositories;\n\t%s",
+                    "[%s] whitelisted content missing from UBI and/or population sources;\n\t%s",
                     out_repo.id,
                     "\n\t".join(sorted(output_whitelist)),
                 )

ubi_manifest/worker/tasks/depsolve.py

@@ -19,12 +19,14 @@
 from ubi_manifest.worker.tasks.depsolver.models import (
     DepsolverItem,
     ModularDepsolverItem,
+    PackageToExclude,
     UbiUnit,
 )
 from ubi_manifest.worker.tasks.depsolver.modulemd_depsolver import ModularDepsolver
 from ubi_manifest.worker.tasks.depsolver.rpm_depsolver import Depsolver
 from ubi_manifest.worker.tasks.depsolver.ubi_config import UbiConfigLoader
 from ubi_manifest.worker.tasks.depsolver.utils import (
+    is_blacklisted,
     make_pulp_client,
     parse_blacklist_config,
     remap_keys,
@@ -96,8 +98,8 @@ def depsolve_task(ubi_repo_ids: Iterable[str], content_config_url: str) -> None:
                     repo.content_set,
                     repo.ubi_config_version,
                 )
-                whitelist, debuginfo_whitelist = filter_whitelist(config)
                 blacklist = parse_blacklist_config(config)
+                whitelist, debuginfo_whitelist = filter_whitelist(config, blacklist)
                 depsolver_flags[(repo.id, input_cs)] = config.flags.as_dict()
 
                 dep_map[(repo.id, input_cs)] = DepsolverItem(
@@ -245,13 +247,17 @@ def _save(data: dict[str, list[UbiUnit]]) -> None:
         )
 
 
-def filter_whitelist(ubi_config: UbiConfig) -> tuple[set[str], set[str]]:
+def filter_whitelist(
+    ubi_config: UbiConfig, blacklist: list[PackageToExclude]
+) -> tuple[set[str], set[str]]:
     whitelist = set()
     debuginfo_whitelist = set()
 
     for pkg in ubi_config.packages.whitelist:
         if pkg.arch == "src":
             continue
+        if is_blacklisted(pkg, blacklist):
+            continue
         if pkg.name.endswith("debuginfo") or pkg.name.endswith("debugsource"):
             debuginfo_whitelist.add(pkg.name)
         else: