kyverno/pkg/openapi/validation.go

package openapi

import (
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"sync"

	"github.com/nirmata/kyverno/pkg/engine/utils"

	"github.com/nirmata/kyverno/data"

	"github.com/golang/glog"

	"github.com/nirmata/kyverno/pkg/engine"
	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"

	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"

	openapi_v2 "github.com/googleapis/gnostic/OpenAPIv2"
	"github.com/googleapis/gnostic/compiler"
	"k8s.io/kube-openapi/pkg/util/proto"
	"k8s.io/kube-openapi/pkg/util/proto/validation"

	"gopkg.in/yaml.v2"
)

var openApiGlobalState struct {
	mutex                sync.RWMutex
	document             *openapi_v2.Document
	definitions          map[string]*openapi_v2.Schema
	kindToDefinitionName map[string]string
	crdList              []string
	models               proto.Models
}

func init() {
	defaultDoc, err := getSchemaDocument()
	if err != nil {
		panic(err)
	}

	err = useOpenApiDocument(defaultDoc)
	if err != nil {
		panic(err)
	}
}

func ValidatePolicyFields(policyRaw []byte) error {
	openApiGlobalState.mutex.RLock()
	defer openApiGlobalState.mutex.RUnlock()

	var policy v1.ClusterPolicy
	err := json.Unmarshal(policyRaw, &policy)
	if err != nil {
		return err
	}

	policyUnst, err := utils.ConvertToUnstructured(policyRaw)
	if err != nil {
		return err
	}

	err = ValidateResource(*policyUnst.DeepCopy(), "ClusterPolicy")
	if err != nil {
		return err
	}

	return validatePolicyMutation(policy)
}

func ValidateResource(patchedResource unstructured.Unstructured, kind string) error {
	openApiGlobalState.mutex.RLock()
	defer openApiGlobalState.mutex.RUnlock()
	var err error

	kind = openApiGlobalState.kindToDefinitionName[kind]
	schema := openApiGlobalState.models.LookupModel(kind)
	if schema == nil {
		// Check if kind is a CRD
		schema, err = getSchemaFromDefinitions(kind)
		if err != nil || schema == nil {
			return fmt.Errorf("pre-validation: couldn't find model %s", kind)
		}
		delete(patchedResource.Object, "kind")
	}

	if errs := validation.ValidateModel(patchedResource.UnstructuredContent(), schema, kind); len(errs) > 0 {
		var errorMessages []string
		for i := range errs {
			errorMessages = append(errorMessages, errs[i].Error())
		}

		return fmt.Errorf(strings.Join(errorMessages, "\n\n"))
	}

	return nil
}

func GetDefinitionNameFromKind(kind string) string {
	openApiGlobalState.mutex.RLock()
	defer openApiGlobalState.mutex.RUnlock()
	return openApiGlobalState.kindToDefinitionName[kind]
}

func validatePolicyMutation(policy v1.ClusterPolicy) error {
	var kindToRules = make(map[string][]v1.Rule)
	for _, rule := range policy.Spec.Rules {
		if rule.HasMutate() {
			for _, kind := range rule.MatchResources.Kinds {
				kindToRules[kind] = append(kindToRules[kind], rule)
			}
		}
	}

	for kind, rules := range kindToRules {
		newPolicy := *policy.DeepCopy()
		newPolicy.Spec.Rules = rules
		resource, _ := generateEmptyResource(openApiGlobalState.definitions[openApiGlobalState.kindToDefinitionName[kind]]).(map[string]interface{})
		if resource == nil {
			glog.V(4).Infof("Cannot Validate policy: openApi definition now found for %v", kind)
			return nil
		}
		newResource := unstructured.Unstructured{Object: resource}
		newResource.SetKind(kind)

		patchedResource, err := engine.ForceMutate(nil, *newPolicy.DeepCopy(), newResource)
		if err != nil {
			return err
		}
		err = ValidateResource(*patchedResource.DeepCopy(), kind)
		if err != nil {
			return err
		}
	}

	return nil
}

func useOpenApiDocument(customDoc *openapi_v2.Document) error {
	openApiGlobalState.mutex.Lock()
	defer openApiGlobalState.mutex.Unlock()

	openApiGlobalState.document = customDoc

	openApiGlobalState.definitions = make(map[string]*openapi_v2.Schema)
	openApiGlobalState.kindToDefinitionName = make(map[string]string)
	for _, definition := range openApiGlobalState.document.GetDefinitions().AdditionalProperties {
		openApiGlobalState.definitions[definition.GetName()] = definition.GetValue()
		path := strings.Split(definition.GetName(), ".")
		openApiGlobalState.kindToDefinitionName[path[len(path)-1]] = definition.GetName()
	}

	var err error
	openApiGlobalState.models, err = proto.NewOpenAPIData(openApiGlobalState.document)
	if err != nil {
		return err
	}

	return nil
}

func getSchemaDocument() (*openapi_v2.Document, error) {
	var spec yaml.MapSlice
	err := yaml.Unmarshal([]byte(data.SwaggerDoc), &spec)
	if err != nil {
		return nil, err
	}

	return openapi_v2.NewDocument(spec, compiler.NewContext("$root", nil))
}

// For crd, we do not store definition in document
func getSchemaFromDefinitions(kind string) (proto.Schema, error) {
	if kind == "" {
		return nil, errors.New("invalid kind")
	}

	path := proto.NewPath(kind)
	definition := openApiGlobalState.definitions[kind]
	if definition == nil {
		return nil, errors.New("could not find definition")
	}

	// This was added so crd's can access
	// normal definitions from existing schema such as
	// `metadata` - this maybe a breaking change.
	// Removing this may cause policy validate to stop working
	existingDefinitions, _ := openApiGlobalState.models.(*proto.Definitions)

	return (existingDefinitions).ParseSchema(definition, &path)
}

func generateEmptyResource(kindSchema *openapi_v2.Schema) interface{} {

	types := kindSchema.GetType().GetValue()

	if kindSchema.GetXRef() != "" {
		return generateEmptyResource(openApiGlobalState.definitions[strings.TrimPrefix(kindSchema.GetXRef(), "#/definitions/")])
	}

	if len(types) != 1 {
		if len(kindSchema.GetProperties().GetAdditionalProperties()) > 0 {
			types = []string{"object"}
		} else {
			return nil
		}
	}

	switch types[0] {
	case "object":
		var props = make(map[string]interface{})
		properties := kindSchema.GetProperties().GetAdditionalProperties()
		if len(properties) == 0 {
			return props
		}

		var wg sync.WaitGroup
		var mutex sync.Mutex
		wg.Add(len(properties))
		for _, property := range properties {
			go func(property *openapi_v2.NamedSchema) {
				prop := generateEmptyResource(property.GetValue())
				mutex.Lock()
				props[property.GetName()] = prop
				mutex.Unlock()
				wg.Done()
			}(property)
		}
		wg.Wait()
		return props
	case "array":
		var array []interface{}
		for _, schema := range kindSchema.GetItems().GetSchema() {
			array = append(array, generateEmptyResource(schema))
		}
		return array
	case "string":
		if kindSchema.GetDefault() != nil {
			return string(kindSchema.GetDefault().Value.Value)
		}
		if kindSchema.GetExample() != nil {
			return string(kindSchema.GetExample().GetValue().Value)
		}
		return ""
	case "integer":
		if kindSchema.GetDefault() != nil {
			val, _ := strconv.Atoi(string(kindSchema.GetDefault().Value.Value))
			return int64(val)
		}
		if kindSchema.GetExample() != nil {
			val, _ := strconv.Atoi(string(kindSchema.GetExample().GetValue().Value))
			return int64(val)
		}
		return int64(0)
	case "number":
		if kindSchema.GetDefault() != nil {
			val, _ := strconv.Atoi(string(kindSchema.GetDefault().Value.Value))
			return int64(val)
		}
		if kindSchema.GetExample() != nil {
			val, _ := strconv.Atoi(string(kindSchema.GetExample().GetValue().Value))
			return int64(val)
		}
		return int64(0)
	case "boolean":
		if kindSchema.GetDefault() != nil {
			return string(kindSchema.GetDefault().Value.Value) == "true"
		}
		if kindSchema.GetExample() != nil {
			return string(kindSchema.GetExample().GetValue().Value) == "true"
		}
		return false
	}

	return nil
}
522 save commit 2020-03-04 18:56:59 +05:30			`package openapi`

			`import (`
754 save commit 2020-03-19 20:45:30 +05:30			`"encoding/json"`
			`"errors"`
522 save commit 2020-03-04 18:56:59 +05:30			`"fmt"`
			`"strconv"`
			`"strings"`
			`"sync"`

754 save commit 2020-03-19 20:45:30 +05:30			`"github.com/nirmata/kyverno/pkg/engine/utils"`

522 save commit 2020-03-04 18:56:59 +05:30			`"github.com/nirmata/kyverno/data"`

			`"github.com/golang/glog"`

			`"github.com/nirmata/kyverno/pkg/engine"`
			`"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"`

			`v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"`

			`openapi_v2 "github.com/googleapis/gnostic/OpenAPIv2"`
			`"github.com/googleapis/gnostic/compiler"`
			`"k8s.io/kube-openapi/pkg/util/proto"`
			`"k8s.io/kube-openapi/pkg/util/proto/validation"`

			`"gopkg.in/yaml.v2"`
			`)`

			`var openApiGlobalState struct {`
			`mutex sync.RWMutex`
			`document *openapi_v2.Document`
			`definitions map[string]*openapi_v2.Schema`
			`kindToDefinitionName map[string]string`
522 adding force mutate function 2020-03-06 01:09:38 +05:30			`crdList []string`
522 save commit 2020-03-04 18:56:59 +05:30			`models proto.Models`
			`}`

			`func init() {`
522 adding force mutate function 2020-03-06 01:09:38 +05:30			`defaultDoc, err := getSchemaDocument()`
			`if err != nil {`
			`panic(err)`
			`}`
522 save commit 2020-03-04 18:56:59 +05:30
522 adding force mutate function 2020-03-06 01:09:38 +05:30			`err = useOpenApiDocument(defaultDoc)`
			`if err != nil {`
			`panic(err)`
522 save commit 2020-03-04 18:56:59 +05:30			`}`
			`}`

754 works as intended - more changes required related to locks .etc 2020-03-24 23:12:45 +05:30			`func ValidatePolicyFields(policyRaw []byte) error {`
522 save commit 2020-03-04 18:56:59 +05:30			`openApiGlobalState.mutex.RLock()`
			`defer openApiGlobalState.mutex.RUnlock()`

754 works as intended - more changes required related to locks .etc 2020-03-24 23:12:45 +05:30			`var policy v1.ClusterPolicy`
			`err := json.Unmarshal(policyRaw, &policy)`
754 save commit 2020-03-19 20:45:30 +05:30			`if err != nil {`
			`return err`
			`}`

			`policyUnst, err := utils.ConvertToUnstructured(policyRaw)`
			`if err != nil {`
			`return err`
			`}`

			`err = ValidateResource(*policyUnst.DeepCopy(), "ClusterPolicy")`
			`if err != nil {`
			`return err`
			`}`

			`return validatePolicyMutation(policy)`
			`}`

754 crds can be immidiatly validate on startup - changed locks so as to not timeout requests 2020-03-25 02:00:30 +05:30			`func ValidateResource(patchedResource unstructured.Unstructured, kind string) error {`
			`openApiGlobalState.mutex.RLock()`
			`defer openApiGlobalState.mutex.RUnlock()`
			`var err error`

			`kind = openApiGlobalState.kindToDefinitionName[kind]`
			`schema := openApiGlobalState.models.LookupModel(kind)`
			`if schema == nil {`
754 removing redundant code 2020-03-25 02:15:56 +05:30			`// Check if kind is a CRD`
754 crds can be immidiatly validate on startup - changed locks so as to not timeout requests 2020-03-25 02:00:30 +05:30			`schema, err = getSchemaFromDefinitions(kind)`
			`if err != nil \|\| schema == nil {`
			`return fmt.Errorf("pre-validation: couldn't find model %s", kind)`
			`}`
			`delete(patchedResource.Object, "kind")`
			`}`

			`if errs := validation.ValidateModel(patchedResource.UnstructuredContent(), schema, kind); len(errs) > 0 {`
			`var errorMessages []string`
			`for i := range errs {`
			`errorMessages = append(errorMessages, errs[i].Error())`
			`}`

			`return fmt.Errorf(strings.Join(errorMessages, "\n\n"))`
			`}`

			`return nil`
			`}`

			`func GetDefinitionNameFromKind(kind string) string {`
			`openApiGlobalState.mutex.RLock()`
			`defer openApiGlobalState.mutex.RUnlock()`
			`return openApiGlobalState.kindToDefinitionName[kind]`
			`}`

754 save commit 2020-03-19 20:45:30 +05:30			`func validatePolicyMutation(policy v1.ClusterPolicy) error {`
522 save commit 2020-03-04 18:56:59 +05:30			`var kindToRules = make(map[string][]v1.Rule)`
			`for _, rule := range policy.Spec.Rules {`
			`if rule.HasMutate() {`
			`for _, kind := range rule.MatchResources.Kinds {`
			`kindToRules[kind] = append(kindToRules[kind], rule)`
			`}`
			`}`
			`}`

			`for kind, rules := range kindToRules {`
522 adding force mutate function 2020-03-06 01:09:38 +05:30			`newPolicy := *policy.DeepCopy()`
522 save commit 2020-03-04 18:56:59 +05:30			`newPolicy.Spec.Rules = rules`
			`resource, _ := generateEmptyResource(openApiGlobalState.definitions[openApiGlobalState.kindToDefinitionName[kind]]).(map[string]interface{})`
522 supporting crd validation 2020-03-05 22:50:32 +05:30			`if resource == nil {`
			`glog.V(4).Infof("Cannot Validate policy: openApi definition now found for %v", kind)`
			`return nil`
			`}`
522 save commit 2020-03-04 18:56:59 +05:30			`newResource := unstructured.Unstructured{Object: resource}`
			`newResource.SetKind(kind)`
522 added service account name in context 2020-03-04 19:38:33 +05:30
522 dealing with substitute variables 2020-03-06 01:52:03 +05:30			`patchedResource, err := engine.ForceMutate(nil, *newPolicy.DeepCopy(), newResource)`
522 adding force mutate function 2020-03-06 01:09:38 +05:30			`if err != nil {`
			`return err`
522 save commit 2020-03-04 18:56:59 +05:30			`}`
522 adding force mutate function 2020-03-06 01:09:38 +05:30			`err = ValidateResource(*patchedResource.DeepCopy(), kind)`
522 save commit 2020-03-04 18:56:59 +05:30			`if err != nil {`
			`return err`
			`}`
			`}`

			`return nil`
			`}`

522 supporting crd validation 2020-03-05 22:50:32 +05:30			`func useOpenApiDocument(customDoc *openapi_v2.Document) error {`
522 save commit 2020-03-04 18:56:59 +05:30			`openApiGlobalState.mutex.Lock()`
			`defer openApiGlobalState.mutex.Unlock()`

			`openApiGlobalState.document = customDoc`

			`openApiGlobalState.definitions = make(map[string]*openapi_v2.Schema)`
			`openApiGlobalState.kindToDefinitionName = make(map[string]string)`
			`for _, definition := range openApiGlobalState.document.GetDefinitions().AdditionalProperties {`
			`openApiGlobalState.definitions[definition.GetName()] = definition.GetValue()`
			`path := strings.Split(definition.GetName(), ".")`
			`openApiGlobalState.kindToDefinitionName[path[len(path)-1]] = definition.GetName()`
			`}`

			`var err error`
			`openApiGlobalState.models, err = proto.NewOpenAPIData(openApiGlobalState.document)`
			`if err != nil {`
			`return err`
			`}`

			`return nil`
			`}`

			`func getSchemaDocument() (*openapi_v2.Document, error) {`
			`var spec yaml.MapSlice`
			`err := yaml.Unmarshal([]byte(data.SwaggerDoc), &spec)`
			`if err != nil {`
			`return nil, err`
			`}`

			`return openapi_v2.NewDocument(spec, compiler.NewContext("$root", nil))`
			`}`

522 adding force mutate function 2020-03-06 01:09:38 +05:30			`// For crd, we do not store definition in document`
			`func getSchemaFromDefinitions(kind string) (proto.Schema, error) {`
754 save commit 2020-03-19 20:45:30 +05:30			`if kind == "" {`
			`return nil, errors.New("invalid kind")`
			`}`

522 adding force mutate function 2020-03-06 01:09:38 +05:30			`path := proto.NewPath(kind)`
754 save commit 2020-03-19 20:45:30 +05:30			`definition := openApiGlobalState.definitions[kind]`
			`if definition == nil {`
			`return nil, errors.New("could not find definition")`
			`}`

754 fixed apiVersion and metadata issue 2020-03-24 19:08:46 +05:30			`// This was added so crd's can access`
			`// normal definitions from existing schema such as`
			// `metadata` - this maybe a breaking change.
			`// Removing this may cause policy validate to stop working`
			`existingDefinitions, _ := openApiGlobalState.models.(*proto.Definitions)`

			`return (existingDefinitions).ParseSchema(definition, &path)`
522 adding force mutate function 2020-03-06 01:09:38 +05:30			`}`

522 save commit 2020-03-04 18:56:59 +05:30			`func generateEmptyResource(kindSchema *openapi_v2.Schema) interface{} {`

			`types := kindSchema.GetType().GetValue()`

			`if kindSchema.GetXRef() != "" {`
			`return generateEmptyResource(openApiGlobalState.definitions[strings.TrimPrefix(kindSchema.GetXRef(), "#/definitions/")])`
			`}`

			`if len(types) != 1 {`
522 supporting crd validation 2020-03-05 22:50:32 +05:30			`if len(kindSchema.GetProperties().GetAdditionalProperties()) > 0 {`
			`types = []string{"object"}`
			`} else {`
			`return nil`
			`}`
522 save commit 2020-03-04 18:56:59 +05:30			`}`

			`switch types[0] {`
			`case "object":`
			`var props = make(map[string]interface{})`
			`properties := kindSchema.GetProperties().GetAdditionalProperties()`
			`if len(properties) == 0 {`
			`return props`
			`}`

			`var wg sync.WaitGroup`
			`var mutex sync.Mutex`
			`wg.Add(len(properties))`
			`for _, property := range properties {`
			`go func(property *openapi_v2.NamedSchema) {`
			`prop := generateEmptyResource(property.GetValue())`
			`mutex.Lock()`
			`props[property.GetName()] = prop`
			`mutex.Unlock()`
			`wg.Done()`
			`}(property)`
			`}`
			`wg.Wait()`
			`return props`
			`case "array":`
			`var array []interface{}`
			`for _, schema := range kindSchema.GetItems().GetSchema() {`
			`array = append(array, generateEmptyResource(schema))`
			`}`
			`return array`
			`case "string":`
			`if kindSchema.GetDefault() != nil {`
			`return string(kindSchema.GetDefault().Value.Value)`
			`}`
			`if kindSchema.GetExample() != nil {`
			`return string(kindSchema.GetExample().GetValue().Value)`
			`}`
			`return ""`
			`case "integer":`
			`if kindSchema.GetDefault() != nil {`
			`val, _ := strconv.Atoi(string(kindSchema.GetDefault().Value.Value))`
522 fixed tests and added validation of mutated resources 2020-03-04 19:27:08 +05:30			`return int64(val)`
522 save commit 2020-03-04 18:56:59 +05:30			`}`
			`if kindSchema.GetExample() != nil {`
			`val, _ := strconv.Atoi(string(kindSchema.GetExample().GetValue().Value))`
522 fixed tests and added validation of mutated resources 2020-03-04 19:27:08 +05:30			`return int64(val)`
522 save commit 2020-03-04 18:56:59 +05:30			`}`
522 fixed tests and added validation of mutated resources 2020-03-04 19:27:08 +05:30			`return int64(0)`
522 save commit 2020-03-04 18:56:59 +05:30			`case "number":`
			`if kindSchema.GetDefault() != nil {`
			`val, _ := strconv.Atoi(string(kindSchema.GetDefault().Value.Value))`
522 fixed tests and added validation of mutated resources 2020-03-04 19:27:08 +05:30			`return int64(val)`
522 save commit 2020-03-04 18:56:59 +05:30			`}`
			`if kindSchema.GetExample() != nil {`
			`val, _ := strconv.Atoi(string(kindSchema.GetExample().GetValue().Value))`
522 fixed tests and added validation of mutated resources 2020-03-04 19:27:08 +05:30			`return int64(val)`
522 save commit 2020-03-04 18:56:59 +05:30			`}`
522 fixed tests and added validation of mutated resources 2020-03-04 19:27:08 +05:30			`return int64(0)`
522 save commit 2020-03-04 18:56:59 +05:30			`case "boolean":`
			`if kindSchema.GetDefault() != nil {`
			`return string(kindSchema.GetDefault().Value.Value) == "true"`
			`}`
			`if kindSchema.GetExample() != nil {`
			`return string(kindSchema.GetExample().GetValue().Value) == "true"`
			`}`
			`return false`
			`}`

			`return nil`
			`}`