handle Deny rules where conditions eval to true (#7204)

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>

pkg/engine/variables/evaluate.go

@@ -1,12 +1,11 @@
 package variables
 
 import (
-	"strings"
-
 	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	"github.com/kyverno/kyverno/pkg/engine/context"
 	"github.com/kyverno/kyverno/pkg/engine/variables/operator"
+	stringutils "github.com/kyverno/kyverno/pkg/utils/strings"
 )
 
 // Evaluate evaluates the condition
@@ -32,20 +31,24 @@ func EvaluateConditions(log logr.Logger, ctx context.EvalInterface, conditions i
 }
 
 func EvaluateAnyAllConditions(log logr.Logger, ctx context.EvalInterface, conditions []kyvernov1.AnyAllConditions) (bool, string) {
+	var conditionTrueMessages []string
 	for _, c := range conditions {
 		if val, msg := evaluateAnyAllConditions(log, ctx, c); !val {
 			return false, msg
+		} else {
+			conditionTrueMessages = append(conditionTrueMessages, msg)
 		}
 	}
 
-	return true, ""
+	return true, stringutils.JoinNonEmpty(conditionTrueMessages, ";")
 }
 
 // evaluateAnyAllConditions evaluates multiple conditions as a logical AND (all) or OR (any) operation depending on the conditions
 func evaluateAnyAllConditions(log logr.Logger, ctx context.EvalInterface, conditions kyvernov1.AnyAllConditions) (bool, string) {
 	anyConditions, allConditions := conditions.AnyConditions, conditions.AllConditions
 	anyConditionsResult, allConditionsResult := true, true
-	var messages []string
+	var conditionFalseMessages []string
+	var conditionTrueMessages []string
 
 	// update the anyConditionsResult if they are present
 	if anyConditions != nil {
@@ -53,11 +56,10 @@ func evaluateAnyAllConditions(log logr.Logger, ctx context.EvalInterface, condit
 		for _, condition := range anyConditions {
 			if val, msg := Evaluate(log, ctx, condition); val {
 				anyConditionsResult = true
+				conditionTrueMessages = append(conditionTrueMessages, msg)
 				break
 			} else {
-				if msg != "" {
-					messages = append(messages, msg)
-				}
+				conditionFalseMessages = append(conditionFalseMessages, msg)
 			}
 		}
 
@@ -70,24 +72,32 @@ func evaluateAnyAllConditions(log logr.Logger, ctx context.EvalInterface, condit
 	for _, condition := range allConditions {
 		if val, msg := Evaluate(log, ctx, condition); !val {
 			allConditionsResult = false
-			messages = append(messages, msg)
+			conditionFalseMessages = append(conditionFalseMessages, msg)
 			log.V(3).Info("a condition failed in 'all' block", "condition", condition, "message", msg)
 			break
+		} else {
+			conditionTrueMessages = append(conditionTrueMessages, msg)
 		}
 	}
 
 	finalResult := anyConditionsResult && allConditionsResult
-	message := strings.Join(messages, "; ")
-	return finalResult, message
+	if finalResult {
+		return finalResult, stringutils.JoinNonEmpty(conditionTrueMessages, "; ")
+	}
+
+	return finalResult, stringutils.JoinNonEmpty(conditionFalseMessages, "; ")
 }
 
 // evaluateOldConditions evaluates multiple conditions when those conditions are provided in the old manner i.e. without 'any' or 'all'
 func evaluateOldConditions(log logr.Logger, ctx context.EvalInterface, conditions []kyvernov1.Condition) (bool, string) {
+	var conditionTrueMessages []string
 	for _, condition := range conditions {
 		if val, msg := Evaluate(log, ctx, condition); !val {
 			return false, msg
+		} else {
+			conditionTrueMessages = append(conditionTrueMessages, msg)
 		}
 	}
 
-	return true, ""
+	return true, stringutils.JoinNonEmpty(conditionTrueMessages, ";")
 }

pkg/engine/variables/evaluate_test.go

@@ -512,7 +512,7 @@ func Test_Condition_Messages(t *testing.T) {
 
 	val, msg = EvaluateAnyAllConditions(logr.Discard(), ctx, conditions)
 	assert.Equal(t, true, val)
-	assert.Equal(t, msg, "")
+	assert.Equal(t, "invalid name", msg)
 
 	conditions[0].AllConditions = append(conditions[0].AllConditions, conditions[0].AnyConditions[0])
 	conditions[0].AllConditions = append(conditions[0].AllConditions, conditions[0].AnyConditions[1])