Skip to content

Commit

Permalink
feat: remove resource prefix from assertion trees (#28)
Browse files Browse the repository at this point in the history
Signed-off-by: Charles-Edouard Brétéché <[email protected]>
  • Loading branch information
eddycharly authored Oct 4, 2023
1 parent 800ff8b commit aeaff9d
Show file tree
Hide file tree
Showing 11 changed files with 53 additions and 68 deletions.
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -197,7 +197,7 @@ build: fmt vet codegen-all ## Build
########

.PHONY: tests
tests: ## Run tests
tests: build ## Run tests
@echo Running tests... >&2
@go test ./...

Expand Down
6 changes: 3 additions & 3 deletions pkg/json-engine/engine.go
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ func New() engine.Engine[JsonEngineRequest, JsonEngineResponse] {
type request struct {
policy *v1alpha1.Policy
rule v1alpha1.Rule
value map[string]interface{}
value interface{}
bindings binding.Bindings
}
looper := func(r JsonEngineRequest) []request {
Expand All @@ -46,7 +46,7 @@ func New() engine.Engine[JsonEngineRequest, JsonEngineResponse] {
requests = append(requests, request{
policy: policy,
rule: rule,
value: map[string]interface{}{"resource": resource},
value: resource,
bindings: bindings,
})
}
Expand All @@ -59,7 +59,7 @@ func New() engine.Engine[JsonEngineRequest, JsonEngineResponse] {
response := JsonEngineResponse{
Policy: r.policy,
Rule: r.rule,
Resource: r.value["resource"],
Resource: r.value,
}
errs, err := assert.Match(nil, r.rule.Validation.Assert, r.value, r.bindings)
if err != nil {
Expand Down
2 changes: 1 addition & 1 deletion testdata/foo-bar/out.txt
Original file line number Diff line number Diff line change
Expand Up @@ -2,5 +2,5 @@ Loading policies ...
Loading payload ...
Pre processing ...
Running ( evaluating 1 resource against 1 policy ) ...
- test / foo-bar-4 / ERROR: all[0].foo: Internal error: failed to find the map index `foo`
- test / foo-bar-4 / PASSED
Done
2 changes: 1 addition & 1 deletion testdata/jim/out.txt
Original file line number Diff line number Diff line change
Expand Up @@ -2,5 +2,5 @@ Loading policies ...
Loading payload ...
Pre processing ...
Running ( evaluating 1 resource against 1 policy ) ...
- required-s3-tags / require-team-tag / FAILED: any[0].resource.tags.(wildcard('?*', Team)): Invalid value: true: Expected value: false
- required-s3-tags / require-team-tag / FAILED: all[0].tags.(wildcard('?*', Team)): Invalid value: true: Expected value: false
Done
13 changes: 5 additions & 8 deletions testdata/jim/policy.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,15 +7,12 @@ spec:
- name: require-team-tag
match:
any:
- resource:
type: aws_s3_bucket
- type: aws_s3_bucket
exclude:
any:
- resource:
(wildcard('bypass-*', name)): true
- (wildcard('bypass-*', name)): true
validate:
assert:
any:
- resource:
tags:
(wildcard('?*', Team)): false
all:
- tags:
(wildcard('?*', Team)): false
10 changes: 4 additions & 6 deletions testdata/payload-yaml/policy.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,16 +7,14 @@ spec:
- name: require-team-tag
match:
any:
- resource:
type: aws_s3_bucket
- type: aws_s3_bucket
context:
- name: tags
variable:
Team: Kyverno
validate:
message: Bucket `{{ resource.name }}` ({{ resource.address }}) does not have the required tags {{ to_string($tags) }}
message: Bucket `{{ name }}` ({{ address }}) does not have the required tags {{ to_string($tags) }}
assert:
all:
- resource:
values:
tags: ($tags)
- values:
tags: ($tags)
16 changes: 7 additions & 9 deletions testdata/pod-all-latest/policy.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -12,15 +12,13 @@ spec:
variable: (concat(':', $tag))
match:
any:
- resource:
apiVersion: v1
kind: Pod
- apiVersion: v1
kind: Pod
validate:
assert:
all:
- resource:
~(spec.containers[*].image):
# an image tag is required
(contains(@, ':')): true
# using a mutable image tag e.g. 'latest' is not allowed
(ends_with(@, $tag)): true
- ~(spec.containers[*].image):
# an image tag is required
(contains(@, ':')): true
# using a mutable image tag e.g. 'latest' is not allowed
(ends_with(@, $tag)): true
2 changes: 1 addition & 1 deletion testdata/pod-no-latest/out.txt
Original file line number Diff line number Diff line change
Expand Up @@ -2,5 +2,5 @@ Loading policies ...
Loading payload ...
Pre processing ...
Running ( evaluating 1 resource against 1 policy ) ...
- test / pod-no-latest / FAILED: [all[0].resource.spec.~foo.containers@foos[0].(at($foos, $foo).image)@foo.(ends_with($foo, $tag)): Invalid value: true: Expected value: false, all[0].resource.spec.~foo.containers@foos[1].(at($foos, $foo).image)@foo.(ends_with($foo, $tag)): Invalid value: true: Expected value: false, all[0].resource.spec.~foo.containers@foos[2].(at($foos, $foo).image)@foo.(ends_with($foo, $tag)): Invalid value: true: Expected value: false, all[1].resource.spec.~.containers@foo[0].image.(ends_with(@, ':latest')): Invalid value: true: Expected value: false, all[1].resource.spec.~.containers@foo[1].image.(ends_with(@, ':latest')): Invalid value: true: Expected value: false, all[1].resource.spec.~.containers@foo[2].image.(ends_with(@, ':latest')): Invalid value: true: Expected value: false, all[2].resource.~index.(spec.containers[*].image)@images[0].(ends_with(@, ':latest')): Invalid value: true: Expected value: false, all[2].resource.~index.(spec.containers[*].image)@images[1].(ends_with(@, ':latest')): Invalid value: true: Expected value: false, all[2].resource.~index.(spec.containers[*].image)@images[2].(ends_with(@, ':latest')): Invalid value: true: Expected value: false]
- test / pod-no-latest / FAILED: [all[0].spec.~foo.containers@foos[0].(at($foos, $foo).image)@foo.(ends_with($foo, $tag)): Invalid value: true: Expected value: false, all[0].spec.~foo.containers@foos[1].(at($foos, $foo).image)@foo.(ends_with($foo, $tag)): Invalid value: true: Expected value: false, all[0].spec.~foo.containers@foos[2].(at($foos, $foo).image)@foo.(ends_with($foo, $tag)): Invalid value: true: Expected value: false, all[1].spec.~.containers@foo[0].image.(ends_with(@, ':latest')): Invalid value: true: Expected value: false, all[1].spec.~.containers@foo[1].image.(ends_with(@, ':latest')): Invalid value: true: Expected value: false, all[1].spec.~.containers@foo[2].image.(ends_with(@, ':latest')): Invalid value: true: Expected value: false, all[2].~index.(spec.containers[*].image)@images[0].(ends_with(@, ':latest')): Invalid value: true: Expected value: false, all[2].~index.(spec.containers[*].image)@images[1].(ends_with(@, ':latest')): Invalid value: true: Expected value: false, all[2].~index.(spec.containers[*].image)@images[2].(ends_with(@, ':latest')): Invalid value: true: Expected value: false]
Done
46 changes: 21 additions & 25 deletions testdata/pod-no-latest/policy.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,31 +10,27 @@ spec:
variable: :latest
match:
any:
- resource:
apiVersion: v1
kind: Pod
- apiVersion: v1
kind: Pod
validate:
assert:
all:
- resource:
spec:
~foo.containers@foos:
(at($foos, $foo).image)@foo:
# an image tag is required
(contains($foo, ':')): true
# using a mutable image tag e.g. 'latest' is not allowed
(ends_with($foo, $tag)): false
- resource:
spec:
~.containers@foo:
image:
# an image tag is required
(contains(@, ':')): true
# using a mutable image tag e.g. 'latest' is not allowed
(ends_with(@, ':latest')): false
- resource:
~index.(spec.containers[*].image)@images:
# an image tag is required
(contains(@, ':')): true
# using a mutable image tag e.g. 'latest' is not allowed
(ends_with(@, ':latest')): false
- spec:
~foo.containers@foos:
(at($foos, $foo).image)@foo:
# an image tag is required
(contains($foo, ':')): true
# using a mutable image tag e.g. 'latest' is not allowed
(ends_with($foo, $tag)): false
- spec:
~.containers@foo:
image:
# an image tag is required
(contains(@, ':')): true
# using a mutable image tag e.g. 'latest' is not allowed
(ends_with(@, ':latest')): false
- ~index.(spec.containers[*].image)@images:
# an image tag is required
(contains(@, ':')): true
# using a mutable image tag e.g. 'latest' is not allowed
(ends_with(@, ':latest')): false
12 changes: 5 additions & 7 deletions testdata/scripted/policy.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -8,10 +8,8 @@ spec:
validate:
assert:
all:
- resource:
foo:
(bar > `3`): true
(!baz): false
- resource:
foo:
(bar + bat): 10
- foo:
(bar > `3`): true
(!baz): false
- foo:
(bar + bat): 10
10 changes: 4 additions & 6 deletions testdata/tf-plan/policy.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,16 +7,14 @@ spec:
- name: require-team-tag
match:
any:
- resource:
type: aws_s3_bucket
- type: aws_s3_bucket
context:
- name: tags
variable:
Team: Kyverno
validate:
message: Bucket `{{ resource.name }}` ({{ resource.address }}) does not have the required tags {{ to_string($tags) }}
message: Bucket `{{ name }}` ({{ address }}) does not have the required tags {{ to_string($tags) }}
assert:
all:
- resource:
values:
tags: ($tags)
- values:
tags: ($tags)

0 comments on commit aeaff9d

Please sign in to comment.