From 423afb57d8e45164a197e55a7f325f9485acfe4a Mon Sep 17 00:00:00 2001
From: shuting
Date: Wed, 31 Aug 2022 13:09:53 +0800
Subject: [PATCH] skip validate rules if conditional anchor key doesn't exist in the resource (#4451)

Signed-off-by: ShutingZhao
Signed-off-by: ShutingZhao
---
 pkg/engine/anchor/anchor.go | 4 +++-
 pkg/engine/validate/validate_test.go | 36 ++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/pkg/engine/anchor/anchor.go b/pkg/engine/anchor/anchor.go
index e15af4d218..fe53715004 100644
--- a/pkg/engine/anchor/anchor.go
+++ b/pkg/engine/anchor/anchor.go
@@ -156,8 +156,10 @@ func (ch ConditionAnchorHandler) Handle(handler resourceElementHandler, resource
 return returnPath, ac.AnchorError.Error()
 }
 return "", nil
+ } else {
+ msg := "conditional anchor key doesn't exist in the resource"
+ return currentPath, NewConditionalAnchorError(msg).Error()
 }
- return "", nil
 }
 
 // NewGlobalAnchorHandler returns an instance of condition acnhor handler
diff --git a/pkg/engine/validate/validate_test.go b/pkg/engine/validate/validate_test.go
index 7d633529b8..b39d5faef1 100644
--- a/pkg/engine/validate/validate_test.go
+++ b/pkg/engine/validate/validate_test.go
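Review bot: The added `} else {` in ConditionAnchorHandler.Handle follows an `if` whose every visible path ends in a `return`, so the `else` only adds an indentation level; the idiomatic form closes the `if` and continues at function level, i.e. `}` / `msg := "conditional anchor key doesn't exist in the resource"` / `return currentPath, NewConditionalAnchorError(msg).Error()`, which also makes it obvious that the removed `return "", nil` is what the new return replaces. A one-line why-comment on the new return would help the next reader, since the change turns a previously silent path into an error: `// Anchor key absent: the condition does not apply, so report it as a conditional-anchor error (the caller appears to map this to a rule skip — see test-37 in validate_test.go).` The wrapping in NewConditionalAnchorError and its effect on the final rule status are not visible here, so the skip mapping is inferred from the test expectations only. The body of Handle begins before this hunk, so the `if` condition that the new branch negates is outside the view.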
@@ -1581,6 +1581,42 @@ func TestConditionalAnchorWithMultiplePatterns(t *testing.T) {
 resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx"}], "imagePullSecrets": [{"name": "my-registry-secret"}]}}`),
 status: response.RuleStatusPass,
 },
+ {
+ name: "test-37",
+ pattern: []byte(`{"metadata": {"labels": {"allow-docker": "true"}},"(spec)": {"(volumes)": [{"(hostPath)": {"path": "/var/run/docker.sock"}}]}}`),
+ resource: []byte(`{"metadata": {"labels": {"run": "nginx"},"name": "nginx"},"spec": {"containers": [{"image": "nginx","name": "nginx"}]}}`),
+ status: response.RuleStatusSkip,
+ },
+ {
+ name: "test-38",
+ pattern: []byte(`{"metadata": {"labels": {"allow-docker": "true"}},"(spec)": {"(volumes)": [{"(hostPath)": {"path": "/var/run/docker.sock"}}]}}`),
+ resource: []byte(`{"metadata": {"labels": {"run": "nginx"},"name": "nginx"},"spec": {"containers": [{"image": "nginx","name": "nginx"}],"volumes": [{"hostPath": {"path": "/var/run/docker.sock"}}]}}`),
+ status: response.RuleStatusFail,
+ },
+ {
+ name: "test-39",
+ pattern: []byte(`{"metadata": {"labels": {"allow-docker": "true"}},"(spec)": {"(volumes)": [{"(hostPath)": {"path": "/var/run/docker.sock"}}]}}`),
+ resource: []byte(`{"metadata": {"labels": {"run": "nginx"},"name": "nginx"},"spec": {"containers": [{"image": "nginx","name": "nginx"}],"volumes": [{"hostPath": {"path": "/randome/value"}}]}}`),
+ status: response.RuleStatusSkip,
+ },
+ {
+ name: "test-40",
+ pattern: []byte(`{"metadata": {"labels": {"allow-docker": "true"}},"(spec)": {"(volumes)": [{"(hostPath)": {"path": "/var/run/docker.sock"}}]}}`),
+ resource: []byte(`{"metadata": {"labels": {"run": "nginx","allow-docker": "true"},"name": "nginx"},"spec": {"containers": [{"image": "nginx","name": "nginx"}],"volumes": [{"hostPath": {"path": "/var/run/docker.sock"}}]}}`),
+ status: response.RuleStatusPass,
+ },
+ {
+ name: "test-41",
+ pattern: []byte(`{"metadata": {"labels": {"allow-docker": "true"}},"(spec)": {"(volumes)": [{"(hostPath)": {"path": "/var/run/docker.sock"}}]}}`),
+ resource: []byte(`{"metadata": {"labels": {"run": "nginx","allow-docker": "false"},"name": "nginx"},"spec": {"containers": [{"image": "nginx","name": "nginx"}],"volumes": [{"hostPath": {"path": "/var/run/docker.sock"}}]}}`),
+ status: response.RuleStatusFail,
+ },
+ {
+ name: "test-42",
+ pattern: []byte(`{"metadata": {"labels": {"allow-docker": "true"}},"(spec)": {"(volumes)": [{"(hostPath)": {"path": "/var/run/docker.sock"}}]}}`),
+ resource: []byte(`{"metadata": {"labels": {"run": "nginx"},"name": "nginx"},"spec": {"containers": [{"image": "nginx","name": "nginx"}],"volumes": [{"hostPath": {"path": "/var/run/docker.sock"}}]}}`),
+ status: response.RuleStatusFail,
+ },
 }
 
 for _, testCase := range testCases {
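Review bot: test-42 is byte-for-byte the same case as test-38 — identical pattern, identical resource and the same expected `response.RuleStatusFail` — so it adds no coverage; either drop it or give it a resource that exercises a distinct path, such as `spec.volumes` present with `hostPath` absent, which none of test-37 through test-41 covers. The numeric names make the table hard to read for a policy engine test where the interesting distinction is which anchor key is missing; a descriptive `name` such as `"conditional-anchor-key-missing-skips"` for test-37 would document the behaviour the commit introduces. `"/randome/value"` in test-39 looks like a typo for `/random/value`, though as opaque test data it does not affect the outcome. The enclosing TestConditionalAnchorWithMultiplePatterns starts before this hunk, so the table's field definitions and the assertion loop body are outside the view.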