add unit test for negationanchor on mutation

2025-03-31 03:45:17 +00:00 · 2019-10-18 18:17:11 -07:00 · 2019-10-18 18:17:11 -07:00 · 68c87a09ec
commit 68c87a09ec
parent 2e1b731e35
2 changed files with 27 additions and 9 deletions
--- a/pkg/engine/policy/validate.go
+++ b/pkg/engine/policy/validate.go
@ -154,7 +154,7 @@ func validateMutation(m kyverno.Mutation) []error {
 	}

 	if m.Overlay != nil {
-		_, err := validateAnchors([]anchor{conditionalAnchor, plusAnchor, negationAnchor}, m.Overlay, "/")
+		_, err := validateAnchors([]anchor{conditionalAnchor, plusAnchor}, m.Overlay, "/")
 		if err != nil {
 			errs = append(errs, err)
 		}
@ -189,14 +189,14 @@ func validateValidation(v kyverno.Validation) []error {
 	}

 	if v.Pattern != nil {
-		if _, err := validateAnchors([]anchor{conditionalAnchor, existingAnchor, equalityAnchor}, v.Pattern, "/"); err != nil {
+		if _, err := validateAnchors([]anchor{conditionalAnchor, existingAnchor, equalityAnchor, negationAnchor}, v.Pattern, "/"); err != nil {
 			errs = append(errs, err)
 		}
 	}

 	if len(v.AnyPattern) != 0 {
 		for _, p := range v.AnyPattern {
-			if _, err := validateAnchors([]anchor{conditionalAnchor, existingAnchor, equalityAnchor}, p, "/"); err != nil {
+			if _, err := validateAnchors([]anchor{conditionalAnchor, existingAnchor, equalityAnchor, negationAnchor}, p, "/"); err != nil {
 				errs = append(errs, err)
 			}
 		}
--- a/pkg/engine/policy/validate_test.go
+++ b/pkg/engine/policy/validate_test.go
@ -807,13 +807,14 @@ func Test_Validate_Mutate_Mismatched(t *testing.T) {
 		}
 	 }`)

-	var mutate kyverno.Mutation
-	err := json.Unmarshal(rawMutate, &mutate)
+	var mutateExistence kyverno.Mutation
+	err := json.Unmarshal(rawMutate, &mutateExistence)
 	assert.NilError(t, err)

-	errs := validateMutation(mutate)
+	errs := validateMutation(mutateExistence)
 	assert.Assert(t, len(errs) != 0)

+	var mutateEqual kyverno.Mutation
 	rawMutate = []byte(`
 	{
 		"overlay": {
@ -824,10 +825,27 @@ func Test_Validate_Mutate_Mismatched(t *testing.T) {
 		}
 	 }`)

-	err = json.Unmarshal(rawMutate, &mutate)
+	err = json.Unmarshal(rawMutate, &mutateEqual)
 	assert.NilError(t, err)

-	errs = validateMutation(mutate)
+	errs = validateMutation(mutateEqual)
+	assert.Assert(t, len(errs) != 0)
+
+	var mutateNegation kyverno.Mutation
+	rawMutate = []byte(`
+	{
+		"overlay": {
+		   "spec": {
+			  "X(serviceAccountName)": "*",
+			  "automountServiceAccountToken": false
+		   }
+		}
+	 }`)
+
+	err = json.Unmarshal(rawMutate, &mutateNegation)
+	assert.NilError(t, err)
+
+	errs = validateMutation(mutateNegation)
 	assert.Assert(t, len(errs) != 0)
 }

@ -1227,7 +1245,7 @@ func Test_Validate_ErrorFormat(t *testing.T) {
 duplicate rule name: 'validate-user-privilege'
 - invalid rule 'image-pull-policy':
 error in exclude block, the requirements are not specified in selector
-invalid anchor found at /spec/template/spec/containers/0/=(image), expect: () || +() || X()
+invalid anchor found at /spec/template/spec/containers/0/=(image), expect: () || +()
 - invalid rule 'validate-user-privilege':
 error in match block, field Kind is not specified
 - invalid rule 'validate-user-privilege':