kyverno/pkg/engine/mutation_test.go

package engine

import (
	"encoding/json"
	"reflect"
	"testing"

	kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
	"github.com/kyverno/kyverno/pkg/engine/context"
	"github.com/kyverno/kyverno/pkg/engine/utils"
	"gotest.tools/assert"
)

func Test_VariableSubstitutionOverlay(t *testing.T) {
	rawPolicy := []byte(`
	{
		"apiVersion": "kyverno.io/v1",
		"kind": "ClusterPolicy",
		"metadata": {
			"name": "add-label"
		},
		"spec": {
			"rules": [
				{
					"name": "add-name-label",
					"match": {
						"resources": {
							"kinds": [
								"Pod"
							]
						}
					},
					"mutate": {
						"overlay": {
							"metadata": {
								"labels": {
									"appname": "{{request.object.metadata.name}}"
								}
							}
						}
					}
				}
			]
		}
	}
	`)
	rawResource := []byte(`
	{
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {
			"name": "check-root-user"
		},
		"spec": {
			"containers": [
				{
					"name": "check-root-user",
					"image": "nginxinc/nginx-unprivileged",
					"securityContext": {
						"runAsNonRoot": true
					}
				}
			]
		}
	}
	`)
	expectedPatch := []byte(`{"op":"add","path":"/metadata/labels","value":{"appname":"check-root-user"}}`)

	var policy kyverno.ClusterPolicy
	err := json.Unmarshal(rawPolicy, &policy)
	if err != nil {
		t.Error(err)
	}
	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
	assert.NilError(t, err)
	ctx := context.NewContext()
	err = ctx.AddResource(rawResource)
	if err != nil {
		t.Error(err)
	}
	value, err := ctx.Query("request.object.metadata.name")

	t.Log(value)
	if err != nil {
		t.Error(err)
	}
	policyContext := &PolicyContext{
		Policy:      policy,
		JSONContext: ctx,
		NewResource: *resourceUnstructured}
	er := Mutate(policyContext)
	t.Log(string(expectedPatch))
	t.Log(string(er.PolicyResponse.Rules[0].Patches[0]))
	if !reflect.DeepEqual(expectedPatch, er.PolicyResponse.Rules[0].Patches[0]) {
		t.Error("patches dont match")
	}
}

func Test_variableSubstitutionPathNotExist(t *testing.T) {
	resourceRaw := []byte(`{
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {
			"name": "check-root-user"
		},
		"spec": {
			"containers": [
				{
					"name": "check-root-user",
					"image": "nginxinc/nginx-unprivileged",
					"securityContext": {
						"runAsNonRoot": true
					}
				}
			]
		}
	}`)

	policyraw := []byte(`{
		"apiVersion": "kyverno.io/v1",
		"kind": "ClusterPolicy",
		"metadata": {
		  "name": "substitute-variable"
		},
		"spec": {
		  "rules": [
			{
			  "name": "test-path-not-exist",
			  "match": {
				"resources": {
				  "kinds": [
					"Pod"
				  ]
				}
			  },
			  "mutate": {
				"overlay": {
				  "spec": {
					"name": "{{request.object.metadata.name1}}"
				  }
				}
			  }
			}
		  ]
		}
	  }`)

	var policy kyverno.ClusterPolicy
	err := json.Unmarshal(policyraw, &policy)
	assert.NilError(t, err)
	resourceUnstructured, err := utils.ConvertToUnstructured(resourceRaw)
	assert.NilError(t, err)

	ctx := context.NewContext()
	err = ctx.AddResource(resourceRaw)
	assert.NilError(t, err)

	policyContext := &PolicyContext{
		Policy:      policy,
		JSONContext: ctx,
		NewResource: *resourceUnstructured}
	er := Mutate(policyContext)
	expectedErrorStr := "variable substitution failed for rule test-path-not-exist: NotFoundVariableErr, variable request.object.metadata.name1 not resolved at path /mutate/overlay/spec/name"
	t.Log(er.PolicyResponse.Rules[0].Message)
	assert.Equal(t, er.PolicyResponse.Rules[0].Message, expectedErrorStr)
}
Support variable substitution (#549) * initial commit * variable substitution * update tests * update test * refactor engine packages for validate & generate * update vendor * update toml * support variable substitution in overlay mutation * missing update * fix indentation in logs * store context values as single JSON document using merge patches. * remove duplicate functions * fix message string * Handle processing of policies in background (#569) * remove condition check while generating mutation patch as conditions are verified in the first iteration * initial commit * background policy validation * correct message * skip non-background policy process for add/update * fix order to correct policy registration * update comment Co-authored-by: shuting <shutting06@gmail.com> * refactor Co-authored-by: shuting <shutting06@gmail.com> 2019-12-31 01:08:50 +00:00			`package engine`

			`import (`
			`"encoding/json"`
Add Images info to variables context (#1725) * - remove supportMutateValidate; - refactor new context in the webhook Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add ImageInfo to variables context Signed-off-by: Shuting Zhao <shutting06@gmail.com> * revert unexpected changes Signed-off-by: Shuting Zhao <shutting06@gmail.com> 2021-03-23 17:34:03 +00:00			`"reflect"`
			`"testing"`
Support variable substitution (#549) * initial commit * variable substitution * update tests * update test * refactor engine packages for validate & generate * update vendor * update toml * support variable substitution in overlay mutation * missing update * fix indentation in logs * store context values as single JSON document using merge patches. * remove duplicate functions * fix message string * Handle processing of policies in background (#569) * remove condition check while generating mutation patch as conditions are verified in the first iteration * initial commit * background policy validation * correct message * skip non-background policy process for add/update * fix order to correct policy registration * update comment Co-authored-by: shuting <shutting06@gmail.com> * refactor Co-authored-by: shuting <shutting06@gmail.com> 2019-12-31 01:08:50 +00:00
update nirmata/kyverno to kyverno/kyverno 2020-10-07 18:12:31 +00:00			`kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"`
			`"github.com/kyverno/kyverno/pkg/engine/context"`
			`"github.com/kyverno/kyverno/pkg/engine/utils"`
Support variable substitution (#549) * initial commit * variable substitution * update tests * update test * refactor engine packages for validate & generate * update vendor * update toml * support variable substitution in overlay mutation * missing update * fix indentation in logs * store context values as single JSON document using merge patches. * remove duplicate functions * fix message string * Handle processing of policies in background (#569) * remove condition check while generating mutation patch as conditions are verified in the first iteration * initial commit * background policy validation * correct message * skip non-background policy process for add/update * fix order to correct policy registration * update comment Co-authored-by: shuting <shutting06@gmail.com> * refactor Co-authored-by: shuting <shutting06@gmail.com> 2019-12-31 01:08:50 +00:00			`"gotest.tools/assert"`
			`)`

			`func Test_VariableSubstitutionOverlay(t *testing.T) {`
			rawPolicy := []byte(`
			`{`
			`"apiVersion": "kyverno.io/v1",`
			`"kind": "ClusterPolicy",`
			`"metadata": {`
			`"name": "add-label"`
			`},`
			`"spec": {`
			`"rules": [`
			`{`
			`"name": "add-name-label",`
			`"match": {`
			`"resources": {`
			`"kinds": [`
			`"Pod"`
			`]`
			`}`
			`},`
			`"mutate": {`
			`"overlay": {`
			`"metadata": {`
			`"labels": {`
			`"appname": "{{request.object.metadata.name}}"`
			`}`
			`}`
			`}`
			`}`
			`}`
			`]`
			`}`
			`}`
			`)
			rawResource := []byte(`
			`{`
			`"apiVersion": "v1",`
			`"kind": "Pod",`
			`"metadata": {`
			`"name": "check-root-user"`
			`},`
			`"spec": {`
			`"containers": [`
			`{`
			`"name": "check-root-user",`
			`"image": "nginxinc/nginx-unprivileged",`
			`"securityContext": {`
			`"runAsNonRoot": true`
			`}`
			`}`
			`]`
			`}`
			`}`
			`)
added conversion of overlay to patch strategic merge (#1138) * added conversion of overlay to patch strategic merge and modified unittest for the same * updated best practice policy 2020-09-22 23:19:09 +00:00			expectedPatch := []byte(`{"op":"add","path":"/metadata/labels","value":{"appname":"check-root-user"}}`)
Support variable substitution (#549) * initial commit * variable substitution * update tests * update test * refactor engine packages for validate & generate * update vendor * update toml * support variable substitution in overlay mutation * missing update * fix indentation in logs * store context values as single JSON document using merge patches. * remove duplicate functions * fix message string * Handle processing of policies in background (#569) * remove condition check while generating mutation patch as conditions are verified in the first iteration * initial commit * background policy validation * correct message * skip non-background policy process for add/update * fix order to correct policy registration * update comment Co-authored-by: shuting <shutting06@gmail.com> * refactor Co-authored-by: shuting <shutting06@gmail.com> 2019-12-31 01:08:50 +00:00
			`var policy kyverno.ClusterPolicy`
golanfci-lint changes Signed-off-by: Yuvraj <yuvraj.yad001@gmail.com> 2020-03-23 19:05:05 +00:00			`err := json.Unmarshal(rawPolicy, &policy)`
			`if err != nil {`
			`t.Error(err)`
			`}`
move mutation to subpackage pkg/engine/mutate 2020-01-08 01:06:17 +00:00			`resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)`
Support variable substitution (#549) * initial commit * variable substitution * update tests * update test * refactor engine packages for validate & generate * update vendor * update toml * support variable substitution in overlay mutation * missing update * fix indentation in logs * store context values as single JSON document using merge patches. * remove duplicate functions * fix message string * Handle processing of policies in background (#569) * remove condition check while generating mutation patch as conditions are verified in the first iteration * initial commit * background policy validation * correct message * skip non-background policy process for add/update * fix order to correct policy registration * update comment Co-authored-by: shuting <shutting06@gmail.com> * refactor Co-authored-by: shuting <shutting06@gmail.com> 2019-12-31 01:08:50 +00:00			`assert.NilError(t, err)`
			`ctx := context.NewContext()`
golanfci-lint changes Signed-off-by: Yuvraj <yuvraj.yad001@gmail.com> 2020-03-23 19:05:05 +00:00			`err = ctx.AddResource(rawResource)`
			`if err != nil {`
			`t.Error(err)`
			`}`
Support variable substitution (#549) * initial commit * variable substitution * update tests * update test * refactor engine packages for validate & generate * update vendor * update toml * support variable substitution in overlay mutation * missing update * fix indentation in logs * store context values as single JSON document using merge patches. * remove duplicate functions * fix message string * Handle processing of policies in background (#569) * remove condition check while generating mutation patch as conditions are verified in the first iteration * initial commit * background policy validation * correct message * skip non-background policy process for add/update * fix order to correct policy registration * update comment Co-authored-by: shuting <shutting06@gmail.com> * refactor Co-authored-by: shuting <shutting06@gmail.com> 2019-12-31 01:08:50 +00:00			`value, err := ctx.Query("request.object.metadata.name")`
configrable rules added (#1017) * configrable rules added * fix exclude group logic from code * flag added in yaml * exclude username added * exclude username added * config interface implimented * configure exclude username * get role ref * test case fixed * panic fix * move from interface to slice * exclude added in mutate * trim strings * configmap changes added * kustomize changes for configmap * k8s resources added 2020-08-08 00:09:24 +00:00
Support variable substitution (#549) * initial commit * variable substitution * update tests * update test * refactor engine packages for validate & generate * update vendor * update toml * support variable substitution in overlay mutation * missing update * fix indentation in logs * store context values as single JSON document using merge patches. * remove duplicate functions * fix message string * Handle processing of policies in background (#569) * remove condition check while generating mutation patch as conditions are verified in the first iteration * initial commit * background policy validation * correct message * skip non-background policy process for add/update * fix order to correct policy registration * update comment Co-authored-by: shuting <shutting06@gmail.com> * refactor Co-authored-by: shuting <shutting06@gmail.com> 2019-12-31 01:08:50 +00:00			`t.Log(value)`
			`if err != nil {`
			`t.Error(err)`
			`}`
update validation logic 2020-12-23 23:10:07 +00:00			`policyContext := &PolicyContext{`
Support variable substitution (#549) * initial commit * variable substitution * update tests * update test * refactor engine packages for validate & generate * update vendor * update toml * support variable substitution in overlay mutation * missing update * fix indentation in logs * store context values as single JSON document using merge patches. * remove duplicate functions * fix message string * Handle processing of policies in background (#569) * remove condition check while generating mutation patch as conditions are verified in the first iteration * initial commit * background policy validation * correct message * skip non-background policy process for add/update * fix order to correct policy registration * update comment Co-authored-by: shuting <shutting06@gmail.com> * refactor Co-authored-by: shuting <shutting06@gmail.com> 2019-12-31 01:08:50 +00:00			`Policy: policy,`
update validation logic 2020-12-23 23:10:07 +00:00			`JSONContext: ctx,`
Support variable substitution (#549) * initial commit * variable substitution * update tests * update test * refactor engine packages for validate & generate * update vendor * update toml * support variable substitution in overlay mutation * missing update * fix indentation in logs * store context values as single JSON document using merge patches. * remove duplicate functions * fix message string * Handle processing of policies in background (#569) * remove condition check while generating mutation patch as conditions are verified in the first iteration * initial commit * background policy validation * correct message * skip non-background policy process for add/update * fix order to correct policy registration * update comment Co-authored-by: shuting <shutting06@gmail.com> * refactor Co-authored-by: shuting <shutting06@gmail.com> 2019-12-31 01:08:50 +00:00			`NewResource: *resourceUnstructured}`
			`er := Mutate(policyContext)`
			`t.Log(string(expectedPatch))`
			`t.Log(string(er.PolicyResponse.Rules[0].Patches[0]))`
			`if !reflect.DeepEqual(expectedPatch, er.PolicyResponse.Rules[0].Patches[0]) {`
			`t.Error("patches dont match")`
			`}`
			`}`
generate violation in mutation when substitute path not present 2020-01-09 20:24:37 +00:00
			`func Test_variableSubstitutionPathNotExist(t *testing.T) {`
			resourceRaw := []byte(`{
			`"apiVersion": "v1",`
			`"kind": "Pod",`
			`"metadata": {`
			`"name": "check-root-user"`
			`},`
			`"spec": {`
			`"containers": [`
			`{`
			`"name": "check-root-user",`
			`"image": "nginxinc/nginx-unprivileged",`
			`"securityContext": {`
			`"runAsNonRoot": true`
			`}`
			`}`
			`]`
			`}`
			}`)

			policyraw := []byte(`{
			`"apiVersion": "kyverno.io/v1",`
			`"kind": "ClusterPolicy",`
			`"metadata": {`
linter suggestions (#655) * cleanup phase 1 * linter fixes phase 2 2020-01-24 20:05:53 +00:00			`"name": "substitute-variable"`
generate violation in mutation when substitute path not present 2020-01-09 20:24:37 +00:00			`},`
			`"spec": {`
			`"rules": [`
			`{`
			`"name": "test-path-not-exist",`
			`"match": {`
			`"resources": {`
			`"kinds": [`
			`"Pod"`
			`]`
			`}`
			`},`
			`"mutate": {`
			`"overlay": {`
			`"spec": {`
			`"name": "{{request.object.metadata.name1}}"`
			`}`
			`}`
			`}`
			`}`
			`]`
			`}`
			}`)

			`var policy kyverno.ClusterPolicy`
golanfci-lint changes Signed-off-by: Yuvraj <yuvraj.yad001@gmail.com> 2020-03-23 19:05:05 +00:00			`err := json.Unmarshal(policyraw, &policy)`
			`assert.NilError(t, err)`
generate violation in mutation when substitute path not present 2020-01-09 20:24:37 +00:00			`resourceUnstructured, err := utils.ConvertToUnstructured(resourceRaw)`
			`assert.NilError(t, err)`

			`ctx := context.NewContext()`
golanfci-lint changes Signed-off-by: Yuvraj <yuvraj.yad001@gmail.com> 2020-03-23 19:05:05 +00:00			`err = ctx.AddResource(resourceRaw)`
			`assert.NilError(t, err)`
generate violation in mutation when substitute path not present 2020-01-09 20:24:37 +00:00
update validation logic 2020-12-23 23:10:07 +00:00			`policyContext := &PolicyContext{`
generate violation in mutation when substitute path not present 2020-01-09 20:24:37 +00:00			`Policy: policy,`
update validation logic 2020-12-23 23:10:07 +00:00			`JSONContext: ctx,`
generate violation in mutation when substitute path not present 2020-01-09 20:24:37 +00:00			`NewResource: *resourceUnstructured}`
			`er := Mutate(policyContext)`
skip rule application if referred path not exist (#1806) Signed-off-by: Shuting Zhao <shutting06@gmail.com> 2021-04-16 00:33:34 +00:00			`expectedErrorStr := "variable substitution failed for rule test-path-not-exist: NotFoundVariableErr, variable request.object.metadata.name1 not resolved at path /mutate/overlay/spec/name"`
refactor variable substitution 2020-02-14 19:59:28 +00:00			`t.Log(er.PolicyResponse.Rules[0].Message)`
			`assert.Equal(t, er.PolicyResponse.Rules[0].Message, expectedErrorStr)`
add more unit tests 2020-01-11 01:15:44 +00:00			`}`