kyverno/pkg/validation/policy/generate.go

package policy

import (
	"crypto/md5" //nolint:gosec
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"

	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
	"k8s.io/apimachinery/pkg/util/sets"
)

func immutableGenerateFields(new, old kyvernov1.PolicyInterface) error {
	if new == nil || old == nil {
		return nil
	}

	if !new.GetSpec().HasGenerate() {
		return nil
	}

	oldRuleHashes, err := buildHashes(old.GetSpec().Rules)
	if err != nil {
		return err
	}
	newRuleHashes, err := buildHashes(new.GetSpec().Rules)
	if err != nil {
		return err
	}

	switch len(old.GetSpec().Rules) <= len(new.GetSpec().Rules) {
	case true:
		if newRuleHashes.IsSuperset(oldRuleHashes) {
			return nil
		} else {
			return errors.New("change of immutable fields for a generate rule is disallowed")
		}
	case false:
		if oldRuleHashes.IsSuperset(newRuleHashes) {
			return nil
		} else {
			return errors.New("rule deletion - change of immutable fields for a generate rule is disallowed")
		}
	}
	return nil
}

func resetMutableFields(rule kyvernov1.Rule) *kyvernov1.Rule {
	new := new(kyvernov1.Rule)
	rule.DeepCopyInto(new)
	new.Generation.Synchronize = true
	new.Generation.SetData(nil)
	return new
}

func buildHashes(rules []kyvernov1.Rule) (sets.Set[string], error) {
	ruleHashes := sets.New[string]()
	for _, rule := range rules {
		r := resetMutableFields(rule)
		data, err := json.Marshal(r)
		if err != nil {
			return ruleHashes, fmt.Errorf("failed to create hash from the generate rule %v", err)
		}
		hash := md5.Sum(data) //nolint:gosec
		ruleHashes.Insert(hex.EncodeToString(hash[:]))
	}
	return ruleHashes, nil
}
fix: generate policy validation to prevent endless loop (#7026) * refactor policy validation Signed-off-by: ShutingZhao <shuting@nirmata.com> * add loop check for generate Signed-off-by: ShutingZhao <shuting@nirmata.com> * add kuttl tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * linter fixes Signed-off-by: ShutingZhao <shuting@nirmata.com> * linter fixes Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> 2023-04-28 21:54:17 +08:00			`package policy`

			`import (`
			`"crypto/md5" //nolint:gosec`
			`"encoding/hex"`
			`"encoding/json"`
			`"errors"`
			`"fmt"`

			`kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"`
			`"k8s.io/apimachinery/pkg/util/sets"`
			`)`

			`func immutableGenerateFields(new, old kyvernov1.PolicyInterface) error {`
			`if new == nil \|\| old == nil {`
			`return nil`
			`}`

			`if !new.GetSpec().HasGenerate() {`
			`return nil`
			`}`

			`oldRuleHashes, err := buildHashes(old.GetSpec().Rules)`
			`if err != nil {`
			`return err`
			`}`
			`newRuleHashes, err := buildHashes(new.GetSpec().Rules)`
			`if err != nil {`
			`return err`
			`}`

			`switch len(old.GetSpec().Rules) <= len(new.GetSpec().Rules) {`
			`case true:`
			`if newRuleHashes.IsSuperset(oldRuleHashes) {`
			`return nil`
			`} else {`
			`return errors.New("change of immutable fields for a generate rule is disallowed")`
			`}`
			`case false:`
			`if oldRuleHashes.IsSuperset(newRuleHashes) {`
			`return nil`
			`} else {`
			`return errors.New("rule deletion - change of immutable fields for a generate rule is disallowed")`
			`}`
			`}`
			`return nil`
			`}`

			`func resetMutableFields(rule kyvernov1.Rule) *kyvernov1.Rule {`
			`new := new(kyvernov1.Rule)`
			`rule.DeepCopyInto(new)`
			`new.Generation.Synchronize = true`
			`new.Generation.SetData(nil)`
			`return new`
			`}`

			`func buildHashes(rules []kyvernov1.Rule) (sets.Set[string], error) {`
			`ruleHashes := sets.New[string]()`
			`for _, rule := range rules {`
			`r := resetMutableFields(rule)`
			`data, err := json.Marshal(r)`
			`if err != nil {`
			`return ruleHashes, fmt.Errorf("failed to create hash from the generate rule %v", err)`
			`}`
			`hash := md5.Sum(data) //nolint:gosec`
			`ruleHashes.Insert(hex.EncodeToString(hash[:]))`
			`}`
			`return ruleHashes, nil`
			`}`