osbuild · mgold1234 · Sep 7, 2025 · Sep 28, 2025
@@ -769,6 +769,27 @@ paths:
           description: successful update
         404:
           description: blueprint was not found
+  /experimental/blueprints/{id}/ignore-warnings:
+    parameters:
+      - in: path
+        name: id
+        schema:
+          type: string
+          format: uuid
+        example: '123e4567-e89b-12d3-a456-426655440000'
+        required: true
+        description: UUID of a blueprint
+    post:
+      summary: Ignore blueprint compliance warnings
+      operationId: ignoreBlueprintWarnings
+      description: |
+        Ignore compliance warnings by saving the current blueprint state as the new baseline.
+        This will prevent the same warnings from appearing in future linting checks.
+      responses:
+        201:
+          description: warnings successfully ignored
+        404:
+          description: blueprint was not found
 
 components:
   schemas:
@@ -1151,14 +1172,19 @@ components:
     BlueprintLint:
       required:
         - errors
+        - warnings
       description: |
-        Linting errors in the current blueprint, these might need to be resolved before the
-        blueprint can be used to build images again.
+        Linting errors and warnings in the current blueprint. Errors might need to be resolved before the
+        blueprint can be used to build images again. Warnings provide information about policy changes.
       properties:
         errors:
           type: array
           items:
             $ref: '#/components/schemas/BlueprintLintItem'
+        warnings:
+          type: array
+          items:
+            $ref: '#/components/schemas/BlueprintLintItem'
     BlueprintLintItem:
       type: object
       required:

@@ -162,7 +162,7 @@ func (h *Handlers) buildServiceSnapshots(ctx echo.Context, customizations *Custo
 	}
 
 	var cust Customizations
-	_, err = h.lintOpenscap(ctx, &cust, true, distribution, compl.PolicyId.String())
+	_, _, err = h.lintOpenscap(ctx, &cust, true, distribution, compl.PolicyId.String(), nil)
 	if err != nil {
 		slog.ErrorContext(ctx.Request().Context(), "error getting policy customizations via lintOpenscap",
 			"error", err.Error(), "distribution", distribution, "policy_id", compl.PolicyId.String())
@@ -385,7 +385,7 @@ func (h *Handlers) GetBlueprint(ctx echo.Context, id openapi_types.UUID, params
 		return err
 	}
 
-	lintErrors, err := h.lintBlueprint(ctx, &blueprint, false)
+	lintErrors, lintWarnings, err := h.lintBlueprint(ctx, blueprintEntry, false)
 	if err != nil {
 		return err
 	}
@@ -398,33 +398,71 @@ func (h *Handlers) GetBlueprint(ctx echo.Context, id openapi_types.UUID, params
 		Distribution:   blueprint.Distribution,
 		Customizations: blueprint.Customizations,
 		Lint: BlueprintLint{
-			Errors: lintErrors,
+			Errors:   lintErrors,
+			Warnings: lintWarnings,
 		},
 	}
 
 	return ctx.JSON(http.StatusOK, blueprintResponse)
 }
 
-func (h *Handlers) lintBlueprint(ctx echo.Context, blueprint *BlueprintBody, fixup bool) ([]BlueprintLintItem, error) {
+func (h *Handlers) lintBlueprint(ctx echo.Context, bpe *db.BlueprintEntry, fixup bool) ([]BlueprintLintItem, []BlueprintLintItem, error) {
 	lintErrors := []BlueprintLintItem{}
-	if blueprint.Customizations.Openscap != nil {
-		var compl OpenSCAPCompliance
-		var err error
-		if compl, err = blueprint.Customizations.Openscap.AsOpenSCAPCompliance(); err == nil && compl.PolicyId != uuid.Nil {
-			errs, err := h.lintOpenscap(ctx, &blueprint.Customizations, fixup, blueprint.Distribution, compl.PolicyId.String())
-			if err == compliance.ErrorTailoringNotFound {
-				lintErrors = append(lintErrors, BlueprintLintItem{
-					Name:        "Compliance",
-					Description: "Compliance policy does not have a definition for the latest minor version",
-				})
-			} else if err != nil {
-				return nil, err
-			} else {
-				lintErrors = append(lintErrors, errs...)
-			}
-		}
+	lintWarnings := []BlueprintLintItem{}
+
+	bpBody, err := BlueprintFromEntry(bpe)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	if bpBody.Customizations.Openscap == nil {
+		return lintErrors, lintWarnings, nil
+	}
+
+	compl, err := bpBody.Customizations.Openscap.AsOpenSCAPCompliance()
+	if err != nil || compl.PolicyId == uuid.Nil {
+		return lintErrors, lintWarnings, nil
+	}
+
+	snapshotCustomizations := h.extractSnapshotCustomizations(bpe)
+
+	errs, warns, err := h.lintOpenscap(ctx, &bpBody.Customizations, fixup, bpBody.Distribution, compl.PolicyId.String(), snapshotCustomizations)
+	if err == compliance.ErrorTailoringNotFound {
+		lintErrors = append(lintErrors, BlueprintLintItem{
+			Name:        "Compliance",
+			Description: "Compliance policy does not have a definition for the latest minor version",
+		})
+	} else if err != nil {
+		return nil, nil, err
+	} else {
+		lintErrors = append(lintErrors, errs...)
+		lintWarnings = append(lintWarnings, warns...)
 	}
-	return lintErrors, nil
+
+	return lintErrors, lintWarnings, nil
+}
+
+// Helper function to extract saved policy from service snapshots
+func (h *Handlers) extractSnapshotCustomizations(bpe *db.BlueprintEntry) *Customizations {
+	if len(bpe.ServiceSnapshots) == 0 {
+		return nil
+	}
+
+	var snapshots db.ServiceSnapshots
+	if err := json.Unmarshal(bpe.ServiceSnapshots, &snapshots); err != nil {
+		return nil
+	}
+
+	if snapshots.Compliance == nil || len(snapshots.Compliance.PolicyCustomizations) == 0 {
+		return nil
+	}
+
+	var savedCust Customizations
+	if err := json.Unmarshal(snapshots.Compliance.PolicyCustomizations, &savedCust); err != nil {
+		return nil
+	}
+
+	return &savedCust
 }
 
 func (h *Handlers) ExportBlueprint(ctx echo.Context, id openapi_types.UUID) error {
@@ -841,9 +879,15 @@ func (h *Handlers) FixupBlueprint(ctx echo.Context, id openapi_types.UUID) error
 		return err
 	}
 
-	_, err = h.lintBlueprint(ctx, &blueprint, true)
-	if err != nil {
-		return err
+	if blueprint.Customizations.Openscap != nil {
+		compl, err := blueprint.Customizations.Openscap.AsOpenSCAPCompliance()
+		if err == nil && compl.PolicyId != uuid.Nil {
+			snapshotCustomizations := h.extractSnapshotCustomizations(blueprintEntry)
+			_, _, err = h.lintOpenscap(ctx, &blueprint.Customizations, true, blueprint.Distribution, compl.PolicyId.String(), snapshotCustomizations)
+			if err != nil && err != compliance.ErrorTailoringNotFound {
+				return err
+			}
+		}
 	}
 
 	var md BlueprintMetadata
@@ -902,3 +946,118 @@ func (h *Handlers) FixupBlueprint(ctx echo.Context, id openapi_types.UUID) error
 
 	return ctx.NoContent(http.StatusCreated)
 }
+
+func (h *Handlers) IgnoreBlueprintWarnings(ctx echo.Context, id openapi_types.UUID) error {
+	userID, err := h.server.getIdentity(ctx)
+	if err != nil {
+		return err
+	}
+
+	blueprintEntry, err := h.server.db.GetBlueprint(ctx.Request().Context(), id, userID.OrgID(), nil)
+	if err != nil {
+		if errors.Is(err, db.ErrBlueprintNotFound) {
+			return echo.NewHTTPError(http.StatusNotFound, err)
+		}
+		return err
+	}
+
+	blueprint, err := BlueprintFromEntry(
+		blueprintEntry,
+		WithRedactedPasswords(),
+	)
+	if err != nil {
+		return err
+	}
+
+	// Only proceed if this blueprint has compliance configured
+	if blueprint.Customizations.Openscap == nil {
+		slog.InfoContext(ctx.Request().Context(), "ignoring warnings skipped - no compliance configured",
+			"blueprint_id", blueprintEntry.Id)
+		return ctx.NoContent(http.StatusCreated)
+	}
+
+	compl, err := blueprint.Customizations.Openscap.AsOpenSCAPCompliance()
+	if err != nil || compl.PolicyId == uuid.Nil {
+		slog.InfoContext(ctx.Request().Context(), "ignoring warnings skipped - invalid compliance config",
+			"blueprint_id", blueprintEntry.Id,
+			"error", err)
+		return ctx.NoContent(http.StatusCreated)
+	}
+
+	// Get current policy customizations to save as the baseline for future comparisons
+	d, err := h.server.getDistro(ctx, blueprint.Distribution)
+	if err != nil {
+		return err
+	}
+	major, minor, err := d.RHELMajorMinor()
+	if err != nil {
+		return err
+	}
+
+	// Get the current policy requirements (for validation only)
+	_, err = h.server.complianceClient.PolicyCustomizations(ctx.Request().Context(), major, minor, compl.PolicyId.String())
+	if err != nil {
+		return err
+	}
+
+	// Convert current policy customizations to JSON for storage
+	var policyCustomizations Customizations
+	_, _, err = h.lintOpenscap(ctx, &policyCustomizations, true, blueprint.Distribution, compl.PolicyId.String(), nil)
+	if err != nil {
+		return err
+	}
+
+	policyCustomizationsJSON, err := json.Marshal(policyCustomizations)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to marshal policy customizations")
+	}
+
+	// Create service snapshots with current policy requirements
+	serviceSnapshots := &db.ServiceSnapshots{
+		Compliance: &db.ComplianceSnapshot{
+			PolicyId:             compl.PolicyId,
+			PolicyCustomizations: json.RawMessage(policyCustomizationsJSON),
+		},
+	}
+
+	serviceSnapshotsJSON, err := json.Marshal(serviceSnapshots)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to marshal service snapshots")
+	}
+
+	var md BlueprintMetadata
+	if len(blueprintEntry.Metadata) > 0 {
+		err = json.Unmarshal(blueprintEntry.Metadata, &md)
+		if err != nil {
+			return err
+		}
+	}
+
+	blueprintRequest := CreateBlueprintRequest{
+		Name:           blueprintEntry.Name,
+		Description:    &blueprintEntry.Description,
+		Metadata:       &md,
+		Distribution:   blueprint.Distribution,
+		ImageRequests:  blueprint.ImageRequests,
+		Customizations: blueprint.Customizations,
+	}
+
+	body, err := json.Marshal(blueprintRequest)
+	if err != nil {
+		return err
+	}
+	desc := common.FromPtr(blueprintRequest.Description)
+
+	versionId := uuid.New()
+	err = h.server.db.UpdateBlueprint(ctx.Request().Context(), versionId, blueprintEntry.Id, userID.OrgID(), blueprintRequest.Name, desc, body, serviceSnapshotsJSON)
+	if err != nil {
+		slog.ErrorContext(ctx.Request().Context(), "error updating blueprint in db during ignore warnings",
+			"error", err)
+		if errors.Is(err, db.ErrBlueprintNotFound) {
+			return echo.NewHTTPError(http.StatusNotFound, err)
+		}
+		return err
+	}
+
+	return ctx.NoContent(http.StatusCreated)
+}