kyverno/pkg/engine/utils.go

package engine

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"

	"github.com/minio/minio/pkg/wildcard"
	kubepolicy "github.com/nirmata/kyverno/pkg/apis/policy/v1alpha1"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/labels"
)

// ResourceMeetsDescription checks requests kind, name and labels to fit the policy rule
func ResourceMeetsDescription(resourceRaw []byte, description kubepolicy.ResourceDescription, gvk metav1.GroupVersionKind) bool {
	if !findKind(description.Kinds, gvk.Kind) {
		return false
	}

	if resourceRaw != nil {
		meta := parseMetadataFromObject(resourceRaw)
		name := ParseNameFromObject(resourceRaw)

		if description.Name != nil {

			if !wildcard.Match(*description.Name, name) {
				return false
			}
		}

		if description.Selector != nil {
			selector, err := metav1.LabelSelectorAsSelector(description.Selector)

			if err != nil {
				return false
			}

			labelMap := parseLabelsFromMetadata(meta)

			if !selector.Matches(labelMap) {
				return false
			}

		}
	}
	return true
}

func parseMetadataFromObject(bytes []byte) map[string]interface{} {
	var objectJSON map[string]interface{}
	json.Unmarshal(bytes, &objectJSON)

	return objectJSON["metadata"].(map[string]interface{})
}

func parseKindFromObject(bytes []byte) string {
	var objectJSON map[string]interface{}
	json.Unmarshal(bytes, &objectJSON)

	return objectJSON["kind"].(string)
}

func parseLabelsFromMetadata(meta map[string]interface{}) labels.Set {
	if interfaceMap, ok := meta["labels"].(map[string]interface{}); ok {
		labelMap := make(labels.Set, len(interfaceMap))

		for key, value := range interfaceMap {
			labelMap[key] = value.(string)
		}
		return labelMap
	}
	return nil
}

//ParseNameFromObject extracts resource name from JSON obj
func ParseNameFromObject(bytes []byte) string {
	var objectJSON map[string]interface{}
	json.Unmarshal(bytes, &objectJSON)

	meta := objectJSON["metadata"].(map[string]interface{})

	if name, ok := meta["name"].(string); ok {
		return name
	}
	return ""
}

// ParseNamespaceFromObject extracts the namespace from the JSON obj
func ParseNamespaceFromObject(bytes []byte) string {
	var objectJSON map[string]interface{}
	json.Unmarshal(bytes, &objectJSON)

	meta := objectJSON["metadata"].(map[string]interface{})

	if namespace, ok := meta["namespace"].(string); ok {
		return namespace
	}
	return ""
}

// ParseRegexPolicyResourceName returns true if policyResourceName is a regexp
func ParseRegexPolicyResourceName(policyResourceName string) (string, bool) {
	regex := strings.Split(policyResourceName, "regex:")
	if len(regex) == 1 {
		return regex[0], false
	}
	return strings.Trim(regex[1], " "), true
}

func getAnchorsFromMap(anchorsMap map[string]interface{}) map[string]interface{} {
	result := make(map[string]interface{})

	for key, value := range anchorsMap {
		if isConditionAnchor(key) || isExistanceAnchor(key) {
			result[key] = value
		}
	}

	return result
}

func getAnchorFromMap(anchorsMap map[string]interface{}) (string, interface{}) {
	for key, value := range anchorsMap {
		if isConditionAnchor(key) || isExistanceAnchor(key) {
			return key, value
		}
	}

	return "", nil
}

func findKind(kinds []string, kindGVK string) bool {
	for _, kind := range kinds {
		if kind == kindGVK {
			return true
		}
	}
	return false
}

func isConditionAnchor(str string) bool {
	if len(str) < 2 {
		return false
	}

	return (str[0] == '(' && str[len(str)-1] == ')')
}

func isExistanceAnchor(str string) bool {
	left := "^("
	right := ")"

	if len(str) < len(left)+len(right) {
		return false
	}

	return (str[:len(left)] == left && str[len(str)-len(right):] == right)
}

// Checks if array object matches anchors. If not - skip - return true
func skipArrayObject(object, anchors map[string]interface{}) bool {
	for key, pattern := range anchors {
		key = key[1 : len(key)-1]

		value, ok := object[key]
		if !ok {
			return true
		}

		if !ValidateValueWithPattern(value, pattern) {
			return true
		}
	}

	return false
}

// removeAnchor remove special characters around anchored key
func removeAnchor(key string) string {
	if isConditionAnchor(key) {
		return key[1 : len(key)-1]
	}

	if isExistanceAnchor(key) {
		return key[2 : len(key)-1]
	}

	// TODO: Add logic for other anchors here

	return key
}

// convertToFloat converts string and any other value to float64
func convertToFloat(value interface{}) (float64, error) {
	switch typed := value.(type) {
	case string:
		var err error
		floatValue, err := strconv.ParseFloat(typed, 64)
		if err != nil {
			return 0, err
		}

		return floatValue, nil
	case float64:
		return typed, nil
	case int64:
		return float64(typed), nil
	case int:
		return float64(typed), nil
	default:
		return 0, fmt.Errorf("Could not convert %T to float64", value)
	}
}
Moved common utils for mutation, validation and generation to pkg/engine/utils 2019-05-15 14:25:32 +03:00			`package engine`
NK-23: Implemented generating of secrets and configmaps after namespace is created. Functions for parsing metadata moved to utils. Changed login of mutation webhook according to last changes. 2019-03-06 13:01:17 +02:00
			`import (`
			`"encoding/json"`
Refactored pattern.go 2019-06-10 17:32:26 +03:00			`"fmt"`
			`"strconv"`
parse regex from policyResourceName 2019-04-30 18:54:08 -07:00			`"strings"`
NK-23: Implemented generating of secrets and configmaps after namespace is created. Functions for parsing metadata moved to utils. Changed login of mutation webhook according to last changes. 2019-03-06 13:01:17 +02:00
Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`"github.com/minio/minio/pkg/wildcard"`
rename pkg to kyverno 2019-05-21 11:00:09 -07:00			`kubepolicy "github.com/nirmata/kyverno/pkg/apis/policy/v1alpha1"`
Moved common utils for mutation, validation and generation to pkg/engine/utils 2019-05-15 14:25:32 +03:00
Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
NK-23: Implemented generating of secrets and configmaps after namespace is created. Functions for parsing metadata moved to utils. Changed login of mutation webhook according to last changes. 2019-03-06 13:01:17 +02:00			`"k8s.io/apimachinery/pkg/labels"`
			`)`

Fixed issue with validation error messages 2019-05-20 14:48:38 +03:00			`// ResourceMeetsDescription checks requests kind, name and labels to fit the policy rule`
			`func ResourceMeetsDescription(resourceRaw []byte, description kubepolicy.ResourceDescription, gvk metav1.GroupVersionKind) bool {`
support list of kind in resource, update the CRD openapischema & adapt the test and examples for the change 2019-05-21 15:43:43 -07:00			`if !findKind(description.Kinds, gvk.Kind) {`
Fixed issue with validation error messages 2019-05-20 14:48:38 +03:00			`return false`
Moved common utils for mutation, validation and generation to pkg/engine/utils 2019-05-15 14:25:32 +03:00			`}`

			`if resourceRaw != nil {`
refactor code 2019-06-05 17:43:59 -07:00			`meta := parseMetadataFromObject(resourceRaw)`
Moved common utils for mutation, validation and generation to pkg/engine/utils 2019-05-15 14:25:32 +03:00			`name := ParseNameFromObject(resourceRaw)`

			`if description.Name != nil {`

			`if !wildcard.Match(*description.Name, name) {`
Fixed issue with validation error messages 2019-05-20 14:48:38 +03:00			`return false`
Moved common utils for mutation, validation and generation to pkg/engine/utils 2019-05-15 14:25:32 +03:00			`}`
			`}`

			`if description.Selector != nil {`
			`selector, err := metav1.LabelSelectorAsSelector(description.Selector)`

			`if err != nil {`
Fixed issue with validation error messages 2019-05-20 14:48:38 +03:00			`return false`
Moved common utils for mutation, validation and generation to pkg/engine/utils 2019-05-15 14:25:32 +03:00			`}`

refactor code 2019-06-05 17:43:59 -07:00			`labelMap := parseLabelsFromMetadata(meta)`
Moved common utils for mutation, validation and generation to pkg/engine/utils 2019-05-15 14:25:32 +03:00
			`if !selector.Matches(labelMap) {`
Fixed issue with validation error messages 2019-05-20 14:48:38 +03:00			`return false`
Moved common utils for mutation, validation and generation to pkg/engine/utils 2019-05-15 14:25:32 +03:00			`}`

			`}`
			`}`
Fixed issue with validation error messages 2019-05-20 14:48:38 +03:00			`return true`
Moved common utils for mutation, validation and generation to pkg/engine/utils 2019-05-15 14:25:32 +03:00			`}`

refactor code 2019-06-05 17:43:59 -07:00			`func parseMetadataFromObject(bytes []byte) map[string]interface{} {`
NK-23: Implemented generating of secrets and configmaps after namespace is created. Functions for parsing metadata moved to utils. Changed login of mutation webhook according to last changes. 2019-03-06 13:01:17 +02:00			`var objectJSON map[string]interface{}`
			`json.Unmarshal(bytes, &objectJSON)`

			`return objectJSON["metadata"].(map[string]interface{})`
			`}`

refactor code 2019-06-05 17:43:59 -07:00			`func parseKindFromObject(bytes []byte) string {`
add violations when patches are not applied 2019-05-01 14:48:50 -07:00			`var objectJSON map[string]interface{}`
			`json.Unmarshal(bytes, &objectJSON)`

			`return objectJSON["kind"].(string)`
			`}`

refactor code 2019-06-05 17:43:59 -07:00			`func parseLabelsFromMetadata(meta map[string]interface{}) labels.Set {`
NK-23: Implemented generating of secrets and configmaps after namespace is created. Functions for parsing metadata moved to utils. Changed login of mutation webhook according to last changes. 2019-03-06 13:01:17 +02:00			`if interfaceMap, ok := meta["labels"].(map[string]interface{}); ok {`
			`labelMap := make(labels.Set, len(interfaceMap))`

			`for key, value := range interfaceMap {`
			`labelMap[key] = value.(string)`
			`}`
			`return labelMap`
			`}`
			`return nil`
			`}`

refactor code 2019-06-05 17:43:59 -07:00			`//ParseNameFromObject extracts resource name from JSON obj`
move webhooks/patches.go webhooks/utils.go to pkg/policymanager/ 2019-05-07 16:50:39 -07:00			`func ParseNameFromObject(bytes []byte) string {`
change util function for retrieving kind, name and namespace from resource RAW 2019-05-02 11:15:23 -07:00			`var objectJSON map[string]interface{}`
			`json.Unmarshal(bytes, &objectJSON)`

			`meta := objectJSON["metadata"].(map[string]interface{})`

NK-23: Implemented generating of secrets and configmaps after namespace is created. Functions for parsing metadata moved to utils. Changed login of mutation webhook according to last changes. 2019-03-06 13:01:17 +02:00			`if name, ok := meta["name"].(string); ok {`
			`return name`
			`}`
			`return ""`
			`}`
NK-31: Implemnted loggin about success to policy. Also fixed showing of error on initialization. 2019-03-21 18:09:58 +02:00
refactor code 2019-06-05 17:43:59 -07:00			`// ParseNamespaceFromObject extracts the namespace from the JSON obj`
move webhooks/patches.go webhooks/utils.go to pkg/policymanager/ 2019-05-07 16:50:39 -07:00			`func ParseNamespaceFromObject(bytes []byte) string {`
change util function for retrieving kind, name and namespace from resource RAW 2019-05-02 11:15:23 -07:00			`var objectJSON map[string]interface{}`
			`json.Unmarshal(bytes, &objectJSON)`

			`meta := objectJSON["metadata"].(map[string]interface{})`

NK-31: Implemnted loggin about success to policy. Also fixed showing of error on initialization. 2019-03-21 18:09:58 +02:00			`if namespace, ok := meta["namespace"].(string); ok {`
			`return namespace`
			`}`
			`return ""`
			`}`
implement wildcard support 2019-04-30 17:26:50 -07:00
Refactored pattern.go 2019-06-10 17:32:26 +03:00			`// ParseRegexPolicyResourceName returns true if policyResourceName is a regexp`
move webhooks/patches.go webhooks/utils.go to pkg/policymanager/ 2019-05-07 16:50:39 -07:00			`func ParseRegexPolicyResourceName(policyResourceName string) (string, bool) {`
parse regex from policyResourceName 2019-04-30 18:54:08 -07:00			`regex := strings.Split(policyResourceName, "regex:")`
			`if len(regex) == 1 {`
			`return regex[0], false`
			`}`
			`return strings.Trim(regex[1], " "), true`
implement wildcard support 2019-04-30 17:26:50 -07:00			`}`
Implemented base for Mutation Overlay 2019-05-21 18:27:56 +03:00
refactor code 2019-06-05 17:43:59 -07:00			`func getAnchorsFromMap(anchorsMap map[string]interface{}) map[string]interface{} {`
Implemented base for Mutation Overlay 2019-05-21 18:27:56 +03:00			`result := make(map[string]interface{})`

			`for key, value := range anchorsMap {`
Implemented at least one exists logic 2019-06-13 17:20:00 +03:00			`if isConditionAnchor(key) \|\| isExistanceAnchor(key) {`
Implemented base for Mutation Overlay 2019-05-21 18:27:56 +03:00			`result[key] = value`
			`}`
			`}`

			`return result`
			`}`
resolve merge conflicts with branch release-0.1 2019-05-22 16:17:26 -07:00
Implemented at least one exists logic 2019-06-13 17:20:00 +03:00			`func getAnchorFromMap(anchorsMap map[string]interface{}) (string, interface{}) {`
			`for key, value := range anchorsMap {`
			`if isConditionAnchor(key) \|\| isExistanceAnchor(key) {`
			`return key, value`
			`}`
			`}`

			`return "", nil`
			`}`

support list of kind in resource, update the CRD openapischema & adapt the test and examples for the change 2019-05-21 15:43:43 -07:00			`func findKind(kinds []string, kindGVK string) bool {`
			`for _, kind := range kinds {`
			`if kind == kindGVK {`
			`return true`
			`}`
			`}`
			`return false`
			`}`
127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00
Implemented at least one exists logic 2019-06-13 17:20:00 +03:00			`func isConditionAnchor(str string) bool {`
127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`if len(str) < 2 {`
			`return false`
			`}`

			`return (str[0] == '(' && str[len(str)-1] == ')')`
			`}`

Implemented at least one exists logic 2019-06-13 17:20:00 +03:00			`func isExistanceAnchor(str string) bool {`
			`left := "^("`
			`right := ")"`

			`if len(str) < len(left)+len(right) {`
			`return false`
			`}`

			`return (str[:len(left)] == left && str[len(str)-len(right):] == right)`
			`}`

127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00			`// Checks if array object matches anchors. If not - skip - return true`
			`func skipArrayObject(object, anchors map[string]interface{}) bool {`
			`for key, pattern := range anchors {`
			`key = key[1 : len(key)-1]`

			`value, ok := object[key]`
			`if !ok {`
			`return true`
			`}`

			`if !ValidateValueWithPattern(value, pattern) {`
			`return true`
			`}`
			`}`

			`return false`
			`}`
Added comments and refactored array processing validation logic 2019-06-10 17:06:31 +03:00
Refactored pattern.go 2019-06-10 17:32:26 +03:00			`// removeAnchor remove special characters around anchored key`
Added comments and refactored array processing validation logic 2019-06-10 17:06:31 +03:00			`func removeAnchor(key string) string {`
Implemented at least one exists logic 2019-06-13 17:20:00 +03:00			`if isConditionAnchor(key) {`
Added comments and refactored array processing validation logic 2019-06-10 17:06:31 +03:00			`return key[1 : len(key)-1]`
			`}`

Implemented at least one exists logic 2019-06-13 17:20:00 +03:00			`if isExistanceAnchor(key) {`
			`return key[2 : len(key)-1]`
			`}`

Added comments and refactored array processing validation logic 2019-06-10 17:06:31 +03:00			`// TODO: Add logic for other anchors here`

			`return key`
			`}`
Refactored pattern.go 2019-06-10 17:32:26 +03:00
			`// convertToFloat converts string and any other value to float64`
			`func convertToFloat(value interface{}) (float64, error) {`
			`switch typed := value.(type) {`
			`case string:`
			`var err error`
			`floatValue, err := strconv.ParseFloat(typed, 64)`
			`if err != nil {`
			`return 0, err`
			`}`

			`return floatValue, nil`
			`case float64:`
			`return typed, nil`
			`case int64:`
			`return float64(typed), nil`
			`case int:`
			`return float64(typed), nil`
			`default:`
			`return 0, fmt.Errorf("Could not convert %T to float64", value)`
			`}`
			`}`