kyverno/pkg/engine/validation.go

package engine

import (
	"encoding/json"
	"strconv"

	kubepolicy "github.com/nirmata/kyverno/pkg/apis/policy/v1alpha1"
	"github.com/nirmata/kyverno/pkg/result"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// Validate handles validating admission request
// Checks the target resourse for rules defined in the policy
func Validate(policy kubepolicy.Policy, rawResource []byte, gvk metav1.GroupVersionKind) result.Result {
	var resource interface{}
	json.Unmarshal(rawResource, &resource)

	policyResult := result.NewPolicyApplicationResult(policy.Name)

	for _, rule := range policy.Spec.Rules {
		if rule.Validation == nil {
			continue
		}

		ruleApplicationResult := result.NewRuleApplicationResult(rule.Name)

		ok := ResourceMeetsDescription(rawResource, rule.ResourceDescription, gvk)
		if !ok {
			ruleApplicationResult.AddMessagef("Rule %s is not applicable to resource\n", rule.Name)
			policyResult = result.Append(policyResult, &ruleApplicationResult)
			continue
		}

		validationResult := validateResourceWithPattern(resource, rule.Validation.Pattern)
		if result.Success != validationResult.Reason {
			ruleApplicationResult.MergeWith(&validationResult)
			ruleApplicationResult.AddMessagef(*rule.Validation.Message)
		} else {
			ruleApplicationResult.AddMessagef("Success")
		}

		policyResult = result.Append(policyResult, &ruleApplicationResult)
	}

	return policyResult
}

func validateResourceWithPattern(resource, pattern interface{}) result.RuleApplicationResult {
	return validateResourceElement(resource, pattern, "/")
}

func validateResourceElement(value, pattern interface{}, path string) result.RuleApplicationResult {
	res := result.NewRuleApplicationResult("")
	// TODO: Move similar message templates to message package

	switch typedPattern := pattern.(type) {
	case map[string]interface{}:
		typedValue, ok := value.(map[string]interface{})
		if !ok {
			res.FailWithMessagef("Pattern and resource have different structures. Path: %s. Expected %T, found %T", path, pattern, value)
			return res
		}

		return validateMap(typedValue, typedPattern, path)
	case []interface{}:
		typedValue, ok := value.([]interface{})
		if !ok {
			res.FailWithMessagef("Pattern and resource have different structures. Path: %s. Expected %T, found %T", path, pattern, value)
			return res
		}

		return validateArray(typedValue, typedPattern, path)
	case string, float64, int, int64, bool, nil:
		if !ValidateValueWithPattern(value, pattern) {
			res.FailWithMessagef("Failed to validate value %v with pattern %v. Path: %s", value, pattern, path)
		}

		return res
	default:
		res.FailWithMessagef("Pattern contains unknown type %T. Path: %s", pattern, path)
		return res
	}
}

func validateMap(valueMap, patternMap map[string]interface{}, path string) result.RuleApplicationResult {
	res := result.NewRuleApplicationResult("")

	for key, pattern := range patternMap {
		if wrappedWithParentheses(key) {
			key = key[1 : len(key)-1]
		}

		if pattern == "*" && valueMap[key] != nil {
			continue
		} else if pattern == "*" && valueMap[key] == nil {
			res.FailWithMessagef("Field %s is not present", key)
		} else {
			elementResult := validateResourceElement(valueMap[key], pattern, path+key+"/")
			if result.Failed == elementResult.Reason {
				res.Reason = elementResult.Reason
				res.Messages = append(res.Messages, elementResult.Messages...)
			}
		}

	}

	return res
}

func validateArray(resourceArray, patternArray []interface{}, path string) result.RuleApplicationResult {
	res := result.NewRuleApplicationResult("")

	if 0 == len(patternArray) {
		return res
	}

	switch pattern := patternArray[0].(type) {
	case map[string]interface{}:
		anchors := GetAnchorsFromMap(pattern)
		for i, value := range resourceArray {
			currentPath := path + strconv.Itoa(i) + "/"
			resource, ok := value.(map[string]interface{})
			if !ok {
				res.FailWithMessagef("Pattern and resource have different structures. Path: %s. Expected %T, found %T", currentPath, pattern, value)
				return res
			}

			if skipArrayObject(resource, anchors) {
				continue
			}

			mapValidationResult := validateMap(resource, pattern, currentPath)
			if result.Failed == mapValidationResult.Reason {
				res.Reason = mapValidationResult.Reason
				res.Messages = append(res.Messages, mapValidationResult.Messages...)
			}
		}
	case string, float64, int, int64, bool, nil:
		for _, value := range resourceArray {
			if !ValidateValueWithPattern(value, pattern) {
				res.FailWithMessagef("Failed to validate value %v with pattern %v. Path: %s", value, pattern, path)
			}
		}
	default:
		res.FailWithMessagef("Array element pattern of unknown type %T. Path: %s", pattern, path)
	}

	return res
}
Resolve PR 27 2019-05-13 18:17:28 -07:00			`package engine`

Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`import (`
			`"encoding/json"`
127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`"strconv"`
Fixed errors in type validation 2019-05-16 19:31:02 +03:00
rename pkg to kyverno 2019-05-21 11:00:09 -07:00			`kubepolicy "github.com/nirmata/kyverno/pkg/apis/policy/v1alpha1"`
127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`"github.com/nirmata/kyverno/pkg/result"`
Fixed issue with absent kind in resource raw data in PolicyEngine 2019-05-14 19:40:17 +03:00			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`)`

Reworking validation logic due to the anchor feature 2019-05-15 19:25:49 +03:00			`// Validate handles validating admission request`
			`// Checks the target resourse for rules defined in the policy`
127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`func Validate(policy kubepolicy.Policy, rawResource []byte, gvk metav1.GroupVersionKind) result.Result {`
Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`var resource interface{}`
			`json.Unmarshal(rawResource, &resource)`

127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`policyResult := result.NewPolicyApplicationResult(policy.Name)`

Fixed issue with validation error messages 2019-05-20 14:48:38 +03:00			`for _, rule := range policy.Spec.Rules {`
			`if rule.Validation == nil {`
Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`continue`
			`}`

127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`ruleApplicationResult := result.NewRuleApplicationResult(rule.Name)`

Fixed issue with validation error messages 2019-05-20 14:48:38 +03:00			`ok := ResourceMeetsDescription(rawResource, rule.ResourceDescription, gvk)`
Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`if !ok {`
127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`ruleApplicationResult.AddMessagef("Rule %s is not applicable to resource\n", rule.Name)`
			`policyResult = result.Append(policyResult, &ruleApplicationResult)`
Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`continue`
			`}`

127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`validationResult := validateResourceWithPattern(resource, rule.Validation.Pattern)`
			`if result.Success != validationResult.Reason {`
			`ruleApplicationResult.MergeWith(&validationResult)`
			`ruleApplicationResult.AddMessagef(*rule.Validation.Message)`
			`} else {`
			`ruleApplicationResult.AddMessagef("Success")`
Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`}`
127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00
			`policyResult = result.Append(policyResult, &ruleApplicationResult)`
Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`}`

127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`return policyResult`
Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`}`

127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`func validateResourceWithPattern(resource, pattern interface{}) result.RuleApplicationResult {`
			`return validateResourceElement(resource, pattern, "/")`
			`}`

			`func validateResourceElement(value, pattern interface{}, path string) result.RuleApplicationResult {`
			`res := result.NewRuleApplicationResult("")`
			`// TODO: Move similar message templates to message package`

			`switch typedPattern := pattern.(type) {`
			`case map[string]interface{}:`
			`typedValue, ok := value.(map[string]interface{})`
			`if !ok {`
Fixed output of validation messages. Added test whcih validates ImagePullPolicy. 2019-06-05 15:02:58 +03:00			`res.FailWithMessagef("Pattern and resource have different structures. Path: %s. Expected %T, found %T", path, pattern, value)`
127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`return res`
			`}`
I have applied notes from review 2019-05-17 14:51:54 +03:00
127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`return validateMap(typedValue, typedPattern, path)`
			`case []interface{}:`
			`typedValue, ok := value.([]interface{})`
			`if !ok {`
Fixed output of validation messages. Added test whcih validates ImagePullPolicy. 2019-06-05 15:02:58 +03:00			`res.FailWithMessagef("Pattern and resource have different structures. Path: %s. Expected %T, found %T", path, pattern, value)`
127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`return res`
			`}`

			`return validateArray(typedValue, typedPattern, path)`
Added nil support 2019-06-05 17:35:34 +03:00			`case string, float64, int, int64, bool, nil:`
127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`if !ValidateValueWithPattern(value, pattern) {`
			`res.FailWithMessagef("Failed to validate value %v with pattern %v. Path: %s", value, pattern, path)`
			`}`

			`return res`
			`default:`
			`res.FailWithMessagef("Pattern contains unknown type %T. Path: %s", pattern, path)`
			`return res`
Reworking validation logic due to the anchor feature 2019-05-15 19:25:49 +03:00			`}`
127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`}`
Reworking validation logic due to the anchor feature 2019-05-15 19:25:49 +03:00
127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`func validateMap(valueMap, patternMap map[string]interface{}, path string) result.RuleApplicationResult {`
			`res := result.NewRuleApplicationResult("")`

			`for key, pattern := range patternMap {`
Fixed issue with checking parentheses 2019-05-16 21:36:30 +03:00			`if wrappedWithParentheses(key) {`
			`key = key[1 : len(key)-1]`
			`}`

127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`if pattern == "*" && valueMap[key] != nil {`
Fixed bug #117 Added validation tests 2019-06-04 17:33:21 +03:00			`continue`
127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`} else if pattern == "*" && valueMap[key] == nil {`
			`res.FailWithMessagef("Field %s is not present", key)`
Fixed bug #117 Added validation tests 2019-06-04 17:33:21 +03:00			`} else {`
127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`elementResult := validateResourceElement(valueMap[key], pattern, path+key+"/")`
			`if result.Failed == elementResult.Reason {`
			`res.Reason = elementResult.Reason`
			`res.Messages = append(res.Messages, elementResult.Messages...)`
Fixed bug #117 Added validation tests 2019-06-04 17:33:21 +03:00			`}`
Reworking validation logic due to the anchor feature 2019-05-15 19:25:49 +03:00			`}`
127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00
Reworking validation logic due to the anchor feature 2019-05-15 19:25:49 +03:00			`}`

127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`return res`
Reworking validation logic due to the anchor feature 2019-05-15 19:25:49 +03:00			`}`

127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`func validateArray(resourceArray, patternArray []interface{}, path string) result.RuleApplicationResult {`
			`res := result.NewRuleApplicationResult("")`
I have applied notes from review 2019-05-17 14:51:54 +03:00
127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`if 0 == len(patternArray) {`
			`return res`
Reworking validation logic due to the anchor feature 2019-05-15 19:25:49 +03:00			`}`

Finished implementing validation patterns 2019-05-16 17:37:05 +03:00			`switch pattern := patternArray[0].(type) {`
Reworking validation logic due to the anchor feature 2019-05-15 19:25:49 +03:00			`case map[string]interface{}:`
Implemented base for Mutation Overlay 2019-05-21 18:27:56 +03:00			`anchors := GetAnchorsFromMap(pattern)`
127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`for i, value := range resourceArray {`
			`currentPath := path + strconv.Itoa(i) + "/"`
Finished implementing validation patterns 2019-05-16 17:37:05 +03:00			`resource, ok := value.(map[string]interface{})`
			`if !ok {`
Fixed output of validation messages. Added test whcih validates ImagePullPolicy. 2019-06-05 15:02:58 +03:00			`res.FailWithMessagef("Pattern and resource have different structures. Path: %s. Expected %T, found %T", currentPath, pattern, value)`
127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`return res`
Finished implementing validation patterns 2019-05-16 17:37:05 +03:00			`}`

127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`if skipArrayObject(resource, anchors) {`
Finished implementing validation patterns 2019-05-16 17:37:05 +03:00			`continue`
			`}`

127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`mapValidationResult := validateMap(resource, pattern, currentPath)`
			`if result.Failed == mapValidationResult.Reason {`
			`res.Reason = mapValidationResult.Reason`
			`res.Messages = append(res.Messages, mapValidationResult.Messages...)`
Fixed issue with checking parentheses 2019-05-16 21:36:30 +03:00			`}`
Finished implementing validation patterns 2019-05-16 17:37:05 +03:00			`}`
Added nil support 2019-06-05 17:35:34 +03:00			`case string, float64, int, int64, bool, nil:`
Finished implementing validation patterns 2019-05-16 17:37:05 +03:00			`for _, value := range resourceArray {`
127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`if !ValidateValueWithPattern(value, pattern) {`
			`res.FailWithMessagef("Failed to validate value %v with pattern %v. Path: %s", value, pattern, path)`
Finished implementing validation patterns 2019-05-16 17:37:05 +03:00			`}`
			`}`
Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`default:`
127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`res.FailWithMessagef("Array element pattern of unknown type %T. Path: %s", pattern, path)`
Fixed errors in type validation 2019-05-16 19:31:02 +03:00			`}`

127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`return res`
Reworking validation logic due to the anchor feature 2019-05-15 19:25:49 +03:00			`}`