refactor: simplify variables regex (#5075)

* feat: add simple conformance tests

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* gh action

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* separate workflow

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix the bug

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix cli test

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* improvements

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* improvements

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fixes

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix: variables regex

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix tests

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>

Makefile

@@ -560,6 +560,20 @@ code-cov-report: test-clean ## Generate code coverage report
 	@go tool cover -func=coverage.out -o $(CODE_COVERAGE_FILE_TXT)
 	@go tool cover -html=coverage.out -o $(CODE_COVERAGE_FILE_HTML)
 
+#####################
+# CONFORMANCE TESTS #
+#####################
+
+.PHONY: test-conformance
+test-conformance: ## Run conformance tests
+	@echo Running conformance tests... >&2
+	@go run ./test/conformance
+
+.PHONY: kind-test-conformance
+kind-test-conformance: kind-deploy-kyverno ## Run conformance tests on a local cluster
+	@echo Running conformance tests... >&2
+	@go run ./test/conformance --create-cluster=false
+
 #############
 # CLI TESTS #
 #############

pkg/engine/variables/vars.go

@@ -17,7 +17,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/engine/operator"
 )
 
-var RegexVariables = regexp.MustCompile(`^\{\{(\{[^{}]*\}|[^{}])*\}\}|[^\\]\{\{(\{[^{}]*\}|[^{}])*\}\}`)
+var RegexVariables = regexp.MustCompile(`(?:^|[^\\])(\{\{(?:\{[^{}]*\}|[^{}])*\}\})`)
 
 var RegexEscpVariables = regexp.MustCompile(`\\\{\{(\{[^{}]*\}|[^{}])*\}\}`)
 

pkg/policy/background.go

@@ -31,8 +31,8 @@ func containsUserVariables(policy kyvernov1.PolicyInterface, vars [][]string) er
 	}
 	for _, s := range vars {
 		for _, banned := range forbidden {
-			if banned.Match([]byte(s[0])) {
-				return fmt.Errorf("variable %s is not allowed", s[0])
+			if banned.Match([]byte(s[1])) {
+				return fmt.Errorf("variable %s is not allowed", s[1])
 			}
 		}
 	}

pkg/policy/background_test.go

@@ -132,5 +132,5 @@ func Test_Validation_invalid_backgroundPolicy(t *testing.T) {
 	err := json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
 	err = ValidateVariables(&policy, true)
-	assert.ErrorContains(t, err, "variable \"{{serviceAccountName}} is not allowed")
+	assert.ErrorContains(t, err, "variable {{serviceAccountName}} is not allowed")
 }

pkg/policy/on_update_policy_test.go

@@ -105,5 +105,5 @@ func Test_invalid_onUpdatePolicyPolicy(t *testing.T) {
 	err := json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
 	err = ValidateOnPolicyUpdate(&policy, true)
-	assert.ErrorContains(t, err, "only select variables are allowed in on policy update. Set spec.mutateExistingOnPolicyUpdate=false to disable update policy mode for this policy rule: variable \"{{request.userInfo.username}} is not allowed ")
+	assert.ErrorContains(t, err, "only select variables are allowed in on policy update. Set spec.mutateExistingOnPolicyUpdate=false to disable update policy mode for this policy rule: variable {{request.userInfo.username}} is not allowed ")
 }

test/conformance/tests.yaml

@@ -10,7 +10,7 @@ should-fail:
         stderr: >-
           Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-1.yaml":
           admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.
-          Set spec.background=false to disable background mode for this policy rule: variable "{{request.roles}} is not allowed 
+          Set spec.background=false to disable background mode for this policy rule: variable {{request.roles}} is not allowed 
   - description: Policy with backgound enabled and referencing user infos should be rejected
     kubectl:
       args:
@@ -36,7 +36,7 @@ should-fail:
         stderr: >-
           Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-3.yaml":
           admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.
-          Set spec.background=false to disable background mode for this policy rule: variable "{{request.userInfo}} is not allowed 
+          Set spec.background=false to disable background mode for this policy rule: variable {{request.userInfo}} is not allowed 
   - description: Policy with backgound enabled and referencing user infos should be rejected
     kubectl:
       args:
@@ -48,7 +48,7 @@ should-fail:
         stderr: >-
           Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-4.yaml":
           admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.
-          Set spec.background=false to disable background mode for this policy rule: variable "{{serviceAccountName}} is not allowed 
+          Set spec.background=false to disable background mode for this policy rule: variable {{serviceAccountName}} is not allowed 
   - description: Best practice policies should create fine
     kubectl:
       args: