2019-12-30 17:08:50 -08:00
package engine
import (
"encoding/json"
2021-03-23 10:34:03 -07:00
"reflect"
"testing"
2019-12-30 17:08:50 -08:00
2020-10-07 11:12:31 -07:00
kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
"github.com/kyverno/kyverno/pkg/engine/context"
"github.com/kyverno/kyverno/pkg/engine/utils"
2021-04-29 22:39:44 +05:30
"github.com/kyverno/kyverno/pkg/kyverno/store"
2019-12-30 17:08:50 -08:00
"gotest.tools/assert"
)
func Test_VariableSubstitutionOverlay ( t * testing . T ) {
rawPolicy := [ ] byte ( `
{
"apiVersion" : "kyverno.io/v1" ,
"kind" : "ClusterPolicy" ,
"metadata" : {
"name" : "add-label"
} ,
"spec" : {
"rules" : [
{
"name" : "add-name-label" ,
"match" : {
"resources" : {
"kinds" : [
"Pod"
]
}
} ,
"mutate" : {
"overlay" : {
"metadata" : {
"labels" : {
"appname" : "{{request.object.metadata.name}}"
}
}
}
}
}
]
}
}
` )
rawResource := [ ] byte ( `
{
"apiVersion" : "v1" ,
"kind" : "Pod" ,
"metadata" : {
"name" : "check-root-user"
} ,
"spec" : {
"containers" : [
{
"name" : "check-root-user" ,
"image" : "nginxinc/nginx-unprivileged" ,
"securityContext" : {
"runAsNonRoot" : true
}
}
]
}
}
` )
2020-09-23 04:49:09 +05:30
expectedPatch := [ ] byte ( ` { "op":"add","path":"/metadata/labels","value": { "appname":"check-root-user"}} ` )
2019-12-30 17:08:50 -08:00
var policy kyverno . ClusterPolicy
2020-03-24 00:35:05 +05:30
err := json . Unmarshal ( rawPolicy , & policy )
if err != nil {
t . Error ( err )
}
2020-01-07 17:06:17 -08:00
resourceUnstructured , err := utils . ConvertToUnstructured ( rawResource )
2019-12-30 17:08:50 -08:00
assert . NilError ( t , err )
ctx := context . NewContext ( )
2020-03-24 00:35:05 +05:30
err = ctx . AddResource ( rawResource )
if err != nil {
t . Error ( err )
}
2019-12-30 17:08:50 -08:00
value , err := ctx . Query ( "request.object.metadata.name" )
2020-08-07 17:09:24 -07:00
2019-12-30 17:08:50 -08:00
t . Log ( value )
if err != nil {
t . Error ( err )
}
2020-12-23 15:10:07 -08:00
policyContext := & PolicyContext {
2019-12-30 17:08:50 -08:00
Policy : policy ,
2020-12-23 15:10:07 -08:00
JSONContext : ctx ,
2019-12-30 17:08:50 -08:00
NewResource : * resourceUnstructured }
er := Mutate ( policyContext )
t . Log ( string ( expectedPatch ) )
t . Log ( string ( er . PolicyResponse . Rules [ 0 ] . Patches [ 0 ] ) )
if ! reflect . DeepEqual ( expectedPatch , er . PolicyResponse . Rules [ 0 ] . Patches [ 0 ] ) {
t . Error ( "patches dont match" )
}
}
2020-01-09 12:24:37 -08:00
func Test_variableSubstitutionPathNotExist ( t * testing . T ) {
resourceRaw := [ ] byte ( ` {
"apiVersion" : "v1" ,
"kind" : "Pod" ,
"metadata" : {
"name" : "check-root-user"
} ,
"spec" : {
"containers" : [
{
"name" : "check-root-user" ,
"image" : "nginxinc/nginx-unprivileged" ,
"securityContext" : {
"runAsNonRoot" : true
}
}
]
}
} ` )
policyraw := [ ] byte ( ` {
"apiVersion" : "kyverno.io/v1" ,
"kind" : "ClusterPolicy" ,
"metadata" : {
2020-01-24 12:05:53 -08:00
"name" : "substitute-variable"
2020-01-09 12:24:37 -08:00
} ,
"spec" : {
"rules" : [
{
"name" : "test-path-not-exist" ,
"match" : {
"resources" : {
"kinds" : [
"Pod"
]
}
} ,
"mutate" : {
"overlay" : {
"spec" : {
"name" : "{{request.object.metadata.name1}}"
}
}
}
}
]
}
} ` )
var policy kyverno . ClusterPolicy
2020-03-24 00:35:05 +05:30
err := json . Unmarshal ( policyraw , & policy )
assert . NilError ( t , err )
2020-01-09 12:24:37 -08:00
resourceUnstructured , err := utils . ConvertToUnstructured ( resourceRaw )
assert . NilError ( t , err )
ctx := context . NewContext ( )
2020-03-24 00:35:05 +05:30
err = ctx . AddResource ( resourceRaw )
assert . NilError ( t , err )
2020-01-09 12:24:37 -08:00
2020-12-23 15:10:07 -08:00
policyContext := & PolicyContext {
2020-01-09 12:24:37 -08:00
Policy : policy ,
2020-12-23 15:10:07 -08:00
JSONContext : ctx ,
2020-01-09 12:24:37 -08:00
NewResource : * resourceUnstructured }
er := Mutate ( policyContext )
2021-04-15 17:33:34 -07:00
expectedErrorStr := "variable substitution failed for rule test-path-not-exist: NotFoundVariableErr, variable request.object.metadata.name1 not resolved at path /mutate/overlay/spec/name"
2020-02-14 11:59:28 -08:00
t . Log ( er . PolicyResponse . Rules [ 0 ] . Message )
assert . Equal ( t , er . PolicyResponse . Rules [ 0 ] . Message , expectedErrorStr )
2020-01-10 17:15:44 -08:00
}
2021-04-29 22:39:44 +05:30
func Test_variableSubstitutionCLI ( t * testing . T ) {
resourceRaw := [ ] byte ( ` {
"apiVersion" : "v1" ,
"kind" : "Pod" ,
"metadata" : {
"name" : "nginx-config-test"
} ,
"spec" : {
"containers" : [
{
"image" : "nginx:latest" ,
"name" : "test-nginx"
}
]
}
} ` )
policyraw := [ ] byte ( ` {
"apiVersion" : "kyverno.io/v1" ,
"kind" : "ClusterPolicy" ,
"metadata" : {
"name" : "cm-variable-example"
} ,
"spec" : {
"rules" : [
{
"name" : "example-configmap-lookup" ,
"context" : [
{
"name" : "dictionary" ,
"configMap" : {
"name" : "mycmap" ,
"namespace" : "default"
}
}
] ,
"match" : {
"resources" : {
"kinds" : [
"Pod"
]
}
} ,
"mutate" : {
"patchStrategicMerge" : {
"metadata" : {
"labels" : {
"my-environment-name" : "{{dictionary.data.env}}"
}
}
}
}
}
]
}
} ` )
configMapVariableContext := store . Context {
Policies : [ ] store . Policy {
{
Name : "cm-variable-example" ,
Rules : [ ] store . Rule {
{
Name : "example-configmap-lookup" ,
Values : map [ string ] string {
"dictionary.data.env" : "dev1" ,
} ,
} ,
} ,
} ,
} ,
}
expectedPatch := [ ] byte ( ` { "op":"add","path":"/metadata/labels","value": { "my-environment-name":"dev1"}} ` )
store . SetContext ( configMapVariableContext )
store . SetMock ( true )
var policy kyverno . ClusterPolicy
err := json . Unmarshal ( policyraw , & policy )
assert . NilError ( t , err )
resourceUnstructured , err := utils . ConvertToUnstructured ( resourceRaw )
assert . NilError ( t , err )
ctx := context . NewContext ( )
err = ctx . AddResource ( resourceRaw )
assert . NilError ( t , err )
policyContext := & PolicyContext {
Policy : policy ,
JSONContext : ctx ,
NewResource : * resourceUnstructured ,
}
er := Mutate ( policyContext )
t . Log ( string ( expectedPatch ) )
t . Log ( string ( er . PolicyResponse . Rules [ 0 ] . Patches [ 0 ] ) )
if ! reflect . DeepEqual ( expectedPatch , er . PolicyResponse . Rules [ 0 ] . Patches [ 0 ] ) {
t . Error ( "patches dont match" )
}
}
