744 fixing tests and making sure policy with variables that are not request.object are not allowed in background mode

pkg/engine/context/evaluate.go

@@ -3,6 +3,7 @@ package context
 import (
 	"encoding/json"
 	"fmt"
+	"strings"
 
 	jmespath "github.com/jmespath/go-jmespath"
 )
@@ -11,7 +12,7 @@ import (
 func (ctx *Context) Query(query string) (interface{}, error) {
 	var emptyResult interface{}
 	// check for white-listed variables
-	if ctx.isWhiteListed(query) {
+	if !ctx.isWhiteListed(query) {
 		return emptyResult, fmt.Errorf("variable %s cannot be used", query)
 	}
 
@@ -41,7 +42,7 @@ func (ctx *Context) Query(query string) (interface{}, error) {
 
 func (ctx *Context) isWhiteListed(variable string) bool {
 	for _, wVar := range ctx.whiteListVars {
-		if wVar == variable {
+		if strings.HasPrefix(variable, wVar) {
 			return true
 		}
 	}

pkg/engine/mutation_test.go

@@ -159,7 +159,7 @@ func Test_variableSubstitutionPathNotExist(t *testing.T) {
 		Context:     ctx,
 		NewResource: *resourceUnstructured}
 	er := Mutate(policyContext)
-	expectedErrorStr := "[failed to resolve request.object.metadata.name1 at path /spec/name]"
+	expectedErrorStr := "[failed to resolve [request.object.metadata.name1] at path /spec/name]"
 	t.Log(er.PolicyResponse.Rules[0].Message)
 	assert.Equal(t, er.PolicyResponse.Rules[0].Message, expectedErrorStr)
 }

pkg/engine/variables/vars.go

@@ -69,7 +69,7 @@ func subArray(log logr.Logger, ctx context.EvalInterface, patternList []interfac
 // subValR resolves the variables if defined
 func subValR(ctx context.EvalInterface, valuePattern string, path string, errs *[]error) interface{} {
 	originalPattern := valuePattern
-	var failedVars []interface{}
+	var failedVars []string
 
 	defer func() {
 		if len(failedVars) > 0 {

pkg/policy/background.go

@@ -9,8 +9,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
-//ContainsUserInfo returns error is userInfo is defined
-func ContainsUserInfo(policy kyverno.ClusterPolicy) error {
+//ContainsVariablesOtherThanObject returns error if variable that does not start from request.object is defined
+func ContainsVariablesOtherThanObject(policy kyverno.ClusterPolicy) error {
 	var err error
 	// iterate of the policy rules to identify if userInfo is used
 	for idx, rule := range policy.Spec.Rules {
@@ -33,7 +33,7 @@ func ContainsUserInfo(policy kyverno.ClusterPolicy) error {
 		// - serviceAccountName
 		// - serviceAccountNamespace
 
-		filterVars := []string{"request.userInfo*", "serviceAccountName", "serviceAccountNamespace"}
+		filterVars := []string{"request.object"}
 		ctx := context.NewContext(filterVars...)
 		for condIdx, condition := range rule.Conditions {
 			if condition.Key, err = variables.SubstituteVars(log.Log, ctx, condition.Key); err != nil {

pkg/policy/controller.go

@@ -157,7 +157,7 @@ func (pc *PolicyController) addPolicy(obj interface{}) {
 	// TODO: code might seem vague, awaiting resolution of issue https://github.com/nirmata/kyverno/issues/598
 	if p.Spec.Background == nil {
 		// if userInfo is not defined in policy we process the policy
-		if err := ContainsUserInfo(*p); err != nil {
+		if err := ContainsVariablesOtherThanObject(*p); err != nil {
 			return
 		}
 	} else {
@@ -166,7 +166,7 @@ func (pc *PolicyController) addPolicy(obj interface{}) {
 		}
 		// If userInfo is used then skip the policy
 		// ideally this should be handled by background flag only
-		if err := ContainsUserInfo(*p); err != nil {
+		if err := ContainsVariablesOtherThanObject(*p); err != nil {
 			// contains userInfo used in policy
 			return
 		}
@@ -192,7 +192,7 @@ func (pc *PolicyController) updatePolicy(old, cur interface{}) {
 	// TODO: code might seem vague, awaiting resolution of issue https://github.com/nirmata/kyverno/issues/598
 	if curP.Spec.Background == nil {
 		// if userInfo is not defined in policy we process the policy
-		if err := ContainsUserInfo(*curP); err != nil {
+		if err := ContainsVariablesOtherThanObject(*curP); err != nil {
 			return
 		}
 	} else {
@@ -201,7 +201,7 @@ func (pc *PolicyController) updatePolicy(old, cur interface{}) {
 		}
 		// If userInfo is used then skip the policy
 		// ideally this should be handled by background flag only
-		if err := ContainsUserInfo(*curP); err != nil {
+		if err := ContainsVariablesOtherThanObject(*curP); err != nil {
 			// contains userInfo used in policy
 			return
 		}

pkg/policy/validate.go

@@ -35,7 +35,7 @@ func Validate(policyRaw []byte, client *dclient.Client, mock bool, openAPIContro
 		return nil
 	}
 	if *p.Spec.Background {
-		if err := ContainsUserInfo(p); err != nil {
+		if err := ContainsVariablesOtherThanObject(p); err != nil {
 			// policy.spec.background -> "true"
 			// - cannot use variables with request.userInfo
 			// - cannot define userInfo(roles, cluserRoles, subjects) for filtering (match & exclude)

pkg/policy/validate_test.go

@@ -608,7 +608,7 @@ func Test_BackGroundUserInfo_match_roles(t *testing.T) {
 	err = json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
 
-	err = ContainsUserInfo(*policy)
+	err = ContainsVariablesOtherThanObject(*policy)
 	assert.Equal(t, err.Error(), "userInfo variable used at path: spec/rules[0]/match/roles")
 }
 
@@ -640,7 +640,7 @@ func Test_BackGroundUserInfo_match_clusterRoles(t *testing.T) {
 	err = json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
 
-	err = ContainsUserInfo(*policy)
+	err = ContainsVariablesOtherThanObject(*policy)
 
 	assert.Equal(t, err.Error(), "userInfo variable used at path: spec/rules[0]/match/clusterRoles")
 }
@@ -676,7 +676,7 @@ func Test_BackGroundUserInfo_match_subjects(t *testing.T) {
 	err = json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
 
-	err = ContainsUserInfo(*policy)
+	err = ContainsVariablesOtherThanObject(*policy)
 
 	assert.Equal(t, err.Error(), "userInfo variable used at path: spec/rules[0]/match/subjects")
 }
@@ -708,7 +708,7 @@ func Test_BackGroundUserInfo_mutate_overlay1(t *testing.T) {
 	err = json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
 
-	err = ContainsUserInfo(*policy)
+	err = ContainsVariablesOtherThanObject(*policy)
 
 	if err.Error() != "userInfo variable used at spec/rules[0]/mutate/overlay" {
 		t.Log(err)
@@ -743,7 +743,7 @@ func Test_BackGroundUserInfo_mutate_overlay2(t *testing.T) {
 	err = json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
 
-	err = ContainsUserInfo(*policy)
+	err = ContainsVariablesOtherThanObject(*policy)
 
 	if err.Error() != "userInfo variable used at spec/rules[0]/mutate/overlay" {
 		t.Log(err)
@@ -778,7 +778,7 @@ func Test_BackGroundUserInfo_validate_pattern(t *testing.T) {
 	err = json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
 
-	err = ContainsUserInfo(*policy)
+	err = ContainsVariablesOtherThanObject(*policy)
 
 	if err.Error() != "userInfo variable used at spec/rules[0]/validate/pattern" {
 		t.Log(err)
@@ -817,7 +817,7 @@ func Test_BackGroundUserInfo_validate_anyPattern(t *testing.T) {
 	err = json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
 
-	err = ContainsUserInfo(*policy)
+	err = ContainsVariablesOtherThanObject(*policy)
 
 	if err.Error() != "userInfo variable used at spec/rules[0]/validate/anyPattern[1]" {
 		t.Log(err)
@@ -856,7 +856,7 @@ func Test_BackGroundUserInfo_validate_anyPattern_multiple_var(t *testing.T) {
 	err = json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
 
-	err = ContainsUserInfo(*policy)
+	err = ContainsVariablesOtherThanObject(*policy)
 
 	if err.Error() != "userInfo variable used at spec/rules[0]/validate/anyPattern[1]" {
 		t.Log(err)
@@ -895,7 +895,7 @@ func Test_BackGroundUserInfo_validate_anyPattern_serviceAccount(t *testing.T) {
 	err = json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
 
-	err = ContainsUserInfo(*policy)
+	err = ContainsVariablesOtherThanObject(*policy)
 
 	if err.Error() != "userInfo variable used at spec/rules[0]/validate/anyPattern[1]" {
 		t.Log(err)