From 0a65a66cc009b789adfe6981e6cacd168aad24b5 Mon Sep 17 00:00:00 2001
From: shravan
Date: Mon, 27 Apr 2020 15:05:10 +0530
Subject: [PATCH] 823 tested prototype
---
 pkg/policy/validate.go | 32 ++++++++++++++++++++++++++++----
 pkg/policy/validate_test.go | 5 +++++
 2 files changed, 33 insertions(+), 4 deletions(-)
diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index 04741669ea..c85eb18825 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -94,10 +94,6 @@ func Validate(policyRaw []byte, client *dclient.Client, mock bool, openAPIContro
 // of match and exclude block is not an empty set
 func doesMatchAndExcludeConflict(rule kyverno.Rule) bool {
- if reflect.DeepEqual(rule.MatchResources, kyverno.MatchResources{}) {
- return true
- }
-
 if reflect.DeepEqual(rule.ExcludeResources, kyverno.ExcludeResources{}) {
 return false
 }
@@ -137,6 +133,10 @@ func doesMatchAndExcludeConflict(rule kyverno.Rule) bool {
 }
 if len(excludeRoles) > 0 {
+ if len(rule.MatchResources.UserInfo.Roles) == 0 {
+ return false
+ }
+
 for _, role := range rule.MatchResources.UserInfo.Roles {
 if !excludeRoles[role] {
 return false
@@ -145,6 +145,10 @@ func doesMatchAndExcludeConflict(rule kyverno.Rule) bool {
 }
 if len(excludeClusterRoles) > 0 {
+ if len(rule.MatchResources.UserInfo.ClusterRoles) == 0 {
+ return false
+ }
+
 for _, clusterRole := range rule.MatchResources.UserInfo.ClusterRoles {
 if !excludeClusterRoles[clusterRole] {
 return false
@@ -153,6 +157,10 @@ func doesMatchAndExcludeConflict(rule kyverno.Rule) bool {
 }
 if len(excludeSubjects) > 0 {
+ if len(rule.MatchResources.UserInfo.Subjects) == 0 {
+ return false
+ }
+
 for _, subject := range rule.MatchResources.UserInfo.Subjects {
 subjectRaw, _ := json.Marshal(subject)
 if !excludeSubjects[string(subjectRaw)] { 
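Review bot: The doc comment line at the top of the hunk (`// of match and exclude block is not an empty set`) reads as an intersection test, but the body returns false as soon as any match entry falls outside exclude, so what the function reports is whether the match block is wholly covered by the exclude block; with the `MatchResources{}` early return gone, that is the only reading the code supports. Suggest rewording the comment to `// ... reports whether every resource selected by the match block is also selected by the exclude block, i.e. the rule can never apply` (the first line of that comment and the rest of the function are outside the hunk). Removing the early return also changes the result for a rule with both blocks empty: it now reaches the `ExcludeResources{}` check and returns false where it used to return true, which is worth stating in the commit message if intended.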
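Review bot: The added `len(...) == 0` guard ahead of the `range` loop repeats the same shape here and in the ClusterRoles, Subjects, Namespaces, Kinds, MatchExpressions and MatchLabels hunks; each exists because an empty match list lets the loop succeed vacuously. For the four plain string lists (Roles, ClusterRoles, Namespaces, Kinds) the guard and loop can live in one helper so the rule is stated once, assuming the exclude maps are `map[string]bool` as `!excludeRoles[role]` suggests; the Subjects and MatchExpressions loops key on the json.Marshal form and would need the marshalled keys passed in instead. The function's final return is outside these hunks.
```go
// matchCoveredBy reports whether every entry of match is present in exclude.
// An empty match list constrains nothing, so it is never covered by a
// non-empty exclude set.
func matchCoveredBy(match []string, exclude map[string]bool) bool {
	if len(match) == 0 {
		return false
	}
	for _, v := range match {
		if !exclude[v] {
			return false
		}
	}
	return true
}

// … in doesMatchAndExcludeConflict, replacing the guard and loop for each plain list …
if len(excludeRoles) > 0 && !matchCoveredBy(rule.MatchResources.UserInfo.Roles, excludeRoles) {
	return false
}
```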
@@ -168,6 +176,10 @@ func doesMatchAndExcludeConflict(rule kyverno.Rule) bool {
 }
 if len(excludeNamespaces) > 0 {
+ if len(rule.MatchResources.ResourceDescription.Namespaces) == 0 {
+ return false
+ }
+
 for _, namespace := range rule.MatchResources.ResourceDescription.Namespaces {
 if !excludeNamespaces[namespace] {
 return false
@@ -176,6 +188,10 @@ func doesMatchAndExcludeConflict(rule kyverno.Rule) bool {
 }
 if len(excludeKinds) > 0 {
+ if len(rule.MatchResources.ResourceDescription.Kinds) == 0 {
+ return false
+ }
+
 for _, kind := range rule.MatchResources.ResourceDescription.Kinds {
 if !excludeKinds[kind] {
 return false
@@ -185,6 +201,10 @@ func doesMatchAndExcludeConflict(rule kyverno.Rule) bool {
 if rule.MatchResources.ResourceDescription.Selector != nil && rule.ExcludeResources.ResourceDescription.Selector != nil {
 if len(excludeMatchExpressions) > 0 {
+ if len(rule.MatchResources.ResourceDescription.Selector.MatchExpressions) == 0 {
+ return false
+ }
+
 for _, matchExpression := range rule.MatchResources.ResourceDescription.Selector.MatchExpressions {
 matchExpressionRaw, _ := json.Marshal(matchExpression)
 if !excludeMatchExpressions[string(matchExpressionRaw)] {
@@ -194,6 +214,10 @@ func doesMatchAndExcludeConflict(rule kyverno.Rule) bool {
 }
 if len(rule.ExcludeResources.ResourceDescription.Selector.MatchLabels) > 0 {
+ if len(rule.MatchResources.ResourceDescription.Selector.MatchLabels) == 0 {
+ return false
+ }
+
 for label, value := range rule.MatchResources.ResourceDescription.Selector.MatchLabels {
 if rule.ExcludeResources.ResourceDescription.Selector.MatchLabels[label] != value {
 return false
diff --git a/pkg/policy/validate_test.go b/pkg/policy/validate_test.go
index 0ca0778dd6..6b5717ea7f 100644
--- a/pkg/policy/validate_test.go
+++ b/pkg/policy/validate_test.go 
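Review bot: The new MatchExpressions guard in the `@@ -185` hunk only runs when both selectors are non-nil, so a rule whose match block has no selector while the exclude block has one skips the whole selector comparison; if the function then falls through to its final return (outside the hunk), it would report a conflict for a match that is broader than its exclude, which is the same vacuous case the other guards in this commit close. Suggest a guard ahead of the `&&` check: `if rule.MatchResources.ResourceDescription.Selector == nil && rule.ExcludeResources.ResourceDescription.Selector != nil { return false }`. The enclosing function starts and ends outside this hunk.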
@@ -1022,6 +1022,11 @@ func Test_doesMatchExcludeConflict(t *testing.T) {
 rule: []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"somxething","namespaces":["something","something1"]}},"exclude":{"resources":{"kinds":["Pod","Namespace","Job"],"name":"some*","namespaces":["something","something1","something2"]}}}`),
 expectedOutput: false,
 },
+ {
+ description: "empty case",
+ rule: []byte(`{"name":"check-allow-deletes","match":{"resources":{"selector":{"matchLabels":{"allow-deletes":"false"}}}},"exclude":{"clusterRoles":["random"]},"validate":{"message":"Deleting {{request.object.kind}}/{{request.object.metadata.name}} is not allowed","deny":{"conditions":[{"key":"{{request.operation}}","operator":"Equal","value":"DELETE"}]}}}`),
+ expectedOutput: false,
+ },
 }
 for i, testcase := range testcases {
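Review bot: The description `"empty case"` does not say what is empty; the rule carries a match selector with labels and an exclude block with only clusterRoles, so it exercises the new ClusterRoles guard (exclude constrains a field the match block leaves open). Suggest `description: "exclude clusterRoles not constrained by match",`. The removed `MatchResources{}` early return has no case pinning the new behaviour: a rule with an entirely empty match block and an exclude block that sets one of the guarded fields now returns false through that field's guard, and a rule with both blocks empty now returns false from the `ExcludeResources{}` check, so one case for each would document the change. The testcases slice and the loop body continue outside the hunk.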