add more unit tests

pkg/engine/mutate/overlay.go

@@ -33,7 +33,7 @@ func ProcessOverlay(ctx context.EvalInterface, rule kyverno.Rule, resource unstr
 		glog.V(4).Infof("finished applying overlay rule %q (%v)", resp.Name, resp.RuleStats.ProcessingTime)
 	}()
 
-	// if referenced is not present, we skip processing the rule and report violation
+	// if referenced path not present, we skip processing the rule and report violation
 	if invalidPaths := variables.ValidateVariables(ctx, rule.Mutation.Overlay); len(invalidPaths) != 0 {
 		resp.Success = true
 		resp.PathNotPresent = true

pkg/engine/mutation.go

@@ -57,11 +57,10 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 			continue
 		}
 
-		// TODO(shuting): add unit test for validateGeneralRuleInfoVariables
 		if paths := validateGeneralRuleInfoVariables(ctx, rule); len(paths) != 0 {
 			glog.Infof("referenced path not present in rule %s, resource %s/%s/%s, path: %s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), paths)
 			resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules,
-				newPathNotPresentRuleResponse(rule.Name, utils.Mutation.String(), fmt.Sprintf("path not present: %s", paths)))
+				newPathNotPresentRuleResponse(rule.Name, utils.Mutation.String(), fmt.Sprintf("path not present in rule info: %s", paths)))
 			continue
 		}
 

pkg/engine/mutation_test.go

@@ -3,6 +3,7 @@ package engine
 import (
 	"encoding/json"
 	"reflect"
+	"strings"
 	"testing"
 
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
@@ -153,3 +154,50 @@ func Test_variableSubstitutionPathNotExist(t *testing.T) {
 	er := Mutate(policyContext)
 	assert.Assert(t, er.PolicyResponse.Rules[0].PathNotPresent, true)
 }
+
+func Test_variableSubstitutionPathNotExist_InRuleInfo(t *testing.T) {
+	resourceRaw := []byte(`{
+		"apiVersion": "v1",
+		"kind": "Deployment",
+		"metadata": {
+		  "name": "check-root-user"
+		}
+	  }`)
+
+	policyraw := []byte(`{
+		"apiVersion": "kyverno.io/v1",
+		"kind": "ClusterPolicy",
+		"metadata": {
+		  "name": "test-validate-variables"
+		},
+		"spec": {
+		  "rules": [
+			{
+			  "name": "test-match",
+			  "match": {
+				"resources": {
+				  "kinds": [
+					"{{request.kind}}"
+				  ]
+				}
+			  }
+			}
+		  ]
+		}
+	  }`)
+
+	var policy kyverno.ClusterPolicy
+	assert.NilError(t, json.Unmarshal(policyraw, &policy))
+	resourceUnstructured, err := utils.ConvertToUnstructured(resourceRaw)
+	assert.NilError(t, err)
+
+	ctx := context.NewContext()
+	ctx.AddResource(resourceRaw)
+
+	policyContext := PolicyContext{
+		Policy:      policy,
+		Context:     ctx,
+		NewResource: *resourceUnstructured}
+	er := Mutate(policyContext)
+	assert.Assert(t, strings.Contains(er.PolicyResponse.Rules[0].Message, "path not present in rule info"))
+}

pkg/engine/utils.go

@@ -237,19 +237,25 @@ type resourceInfo struct {
 // - ExcludeResources
 // - Conditions
 func validateGeneralRuleInfoVariables(ctx context.EvalInterface, rule kyverno.Rule) string {
-	var invalidPaths []string
-	if path := variables.ValidateVariables(ctx, rule.MatchResources); len(path) != 0 {
-		invalidPaths = append(invalidPaths, path)
+	var tempRule kyverno.Rule
+	var tempRulePattern interface{}
+
+	tempRule.MatchResources = rule.MatchResources
+	tempRule.ExcludeResources = rule.ExcludeResources
+	tempRule.Conditions = rule.Conditions
+
+	raw, err := json.Marshal(tempRule)
+	if err != nil {
+		glog.Infof("failed to serilize rule info while validating variable substitution: %v", err)
+		return ""
 	}
 
-	if path := variables.ValidateVariables(ctx, rule.ExcludeResources); len(path) != 0 {
-		invalidPaths = append(invalidPaths, path)
+	if err := json.Unmarshal(raw, &tempRulePattern); err != nil {
+		glog.Infof("failed to serilize rule info while validating variable substitution: %v", err)
+		return ""
 	}
 
-	if path := variables.ValidateVariables(ctx, rule.Conditions); len(path) != 0 {
-		invalidPaths = append(invalidPaths, path)
-	}
-	return strings.Join(invalidPaths, ";")
+	return variables.ValidateVariables(ctx, tempRulePattern)
 }
 
 func newPathNotPresentRuleResponse(rname, rtype, msg string) response.RuleResponse {

pkg/engine/utils_test.go

@@ -1,11 +1,15 @@
 package engine
 
 import (
+	"encoding/json"
+	"fmt"
 	"testing"
 
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+	context "github.com/nirmata/kyverno/pkg/engine/context"
 	"github.com/nirmata/kyverno/pkg/engine/utils"
 	"gotest.tools/assert"
+	authenticationv1 "k8s.io/api/authentication/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -393,43 +397,105 @@ func TestResourceDescriptionExclude_Label_Expression_Match(t *testing.T) {
 	assert.Assert(t, !MatchesResourceDescription(*resource, rule))
 }
 
-// func Test_validateGeneralRuleInfoVariables(t *testing.T) {
-// 	policyRaw := []byte(`{
-// 		"apiVersion": "kyverno.io/v1",
-// 		"kind": "ClusterPolicy",
-// 		"metadata": {
-// 		  "name": "test-validate-variables"
-// 		},
-// 		"spec": {
-// 		  "rules": [
-// 			{
-// 			  "name": "test-match",
-// 			  "match": {
-// 				"Subjects": [
-// 				  {
-// 					"kind": "User",
-// 					"name": "{{request.userInfo.username1}}}"
-// 				  }
-// 				]
-// 			  }
-// 			}
-// 		  ]
-// 		}
-// 	  }`)
+func Test_validateGeneralRuleInfoVariables(t *testing.T) {
+	rawResource := []byte(`
+	{
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+		   "name": "image-with-hostpath",
+		   "labels": {
+			  "app.type": "prod",
+			  "namespace": "my-namespace"
+		   }
+		},
+		"spec": {
+		   "containers": [
+			  {
+				 "name": "image-with-hostpath",
+				 "image": "docker.io/nautiker/curl",
+				 "volumeMounts": [
+					{
+					   "name": "var-lib-etcd",
+					   "mountPath": "/var/lib"
+					}
+				 ]
+			  }
+		   ],
+		   "volumes": [
+			  {
+				 "name": "var-lib-etcd",
+				 "emptyDir": {}
+			  }
+		   ]
+		}
+	 }
+			`)
 
-// 	userReqInfo := kyverno.RequestInfo{
-// 		AdmissionUserInfo: authenticationv1.UserInfo{
-// 			Username: "user1",
-// 		},
-// 	}
+	policyRaw := []byte(`{
+		"apiVersion": "kyverno.io/v1",
+		"kind": "ClusterPolicy",
+		"metadata": {
+		  "name": "test-validate-variables"
+		},
+		"spec": {
+		  "rules": [
+			{
+			  "name": "test-match",
+			  "match": {
+				"Subjects": [
+				  {
+					"kind": "User",
+					"name": "{{request.userInfo.username1}}}"
+				  }
+				],
+				"resources": {
+				  "kind": "{{request.object.kind}}"
+				}
+			  }
+			},
+			{
+			  "name": "test-exclude",
+			  "match": {
+				"resources": {
+				  "namespaces": [
+					"{{request.object.namespace}}"
+				  ]
+				}
+			  }
+			},
+			{
+			  "name": "test-condition",
+			  "preconditions": [
+				{
+				  "key": "{{serviceAccountName}}",
+				  "operator": "NotEqual",
+				  "value": "testuser"
+				}
+			  ]
+			}
+		  ]
+		}
+	  }`)
 
-// 	var policy interface{}
-// 	assert.NilError(t, json.Unmarshal(policyRaw, &policy))
+	userReqInfo := kyverno.RequestInfo{
+		AdmissionUserInfo: authenticationv1.UserInfo{
+			Username: "user1",
+		},
+	}
 
-// 	ctx := context.NewContext()
-// 	// ctx.AddResource(resourceRaw)
-// 	ctx.AddUserInfo(userReqInfo)
+	var policy kyverno.ClusterPolicy
+	assert.NilError(t, json.Unmarshal(policyRaw, &policy))
 
-// 	invalidPaths := validateGeneralRuleInfoVariables(ctx, policy.Spec.Rules[0])
-// 	assert.Assert(t, len(invalidPaths) == 1, fmt.Sprintf("got path len = %d", len(invalidPaths)))
-// }
+	ctx := context.NewContext()
+	ctx.AddResource(rawResource)
+	ctx.AddUserInfo(userReqInfo)
+	ctx.AddSA("system:serviceaccount:test:testuser")
+
+	expectPaths := []string{"request.userInfo.username1", "request.object.namespace", ""}
+
+	for i, rule := range policy.Spec.Rules {
+		invalidPaths := validateGeneralRuleInfoVariables(ctx, rule)
+		assert.Assert(t, invalidPaths == expectPaths[i], fmt.Sprintf("result not match, got invalidPaths %s", invalidPaths))
+	}
+}