fix: variable substitution error handling in policy validation (#10936)

* fix variable substitution error handling in policy validation and add tests

Signed-off-by: Ambati Sahithi <162500856+asr2003@users.noreply.github.com>

* cleanup

Signed-off-by: Ambati Sahithi <162500856+asr2003@users.noreply.github.com>

* fix variable substitution error handling in policy validation and add tests

Signed-off-by: Ambati Sahithi <162500856+asr2003@users.noreply.github.com>

* cleanup

Signed-off-by: Ambati Sahithi <162500856+asr2003@users.noreply.github.com>

* add review comment

Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: asr2003 <162500856+asr2003@users.noreply.github.com>

* Update pkg/validation/policy/validate.go

The rule and policy will be appended to the top level message, so no need to repeat here.

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fmt

Signed-off-by: Ambati Sahithi <162500856+asr2003@users.noreply.github.com>

* Update pkg/validation/policy/validate.go

update for unit tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

---------

Signed-off-by: Ambati Sahithi <162500856+asr2003@users.noreply.github.com>
Signed-off-by: asr2003 <162500856+asr2003@users.noreply.github.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>

pkg/validation/policy/validate.go

@@ -560,7 +560,7 @@ func hasInvalidVariables(policy kyvernov1.PolicyInterface, background bool) erro
 
 		ctx := buildContext(ruleCopy, background, mutateTarget)
 		if _, err := variables.SubstituteAllInRule(logging.GlobalLogger(), ctx, *ruleCopy); !variables.CheckNotFoundErr(err) {
-			return fmt.Errorf("variable substitution failed for rule %s: %s", ruleCopy.Name, err.Error())
+			return fmt.Errorf("variable substitution failed for %s/%s: %s", policy.GetName(), ruleCopy.Name, err.Error())
 		}
 	}
 

pkg/validation/policy/validate_test.go

@@ -1,20 +1,61 @@
 package policy
 
-// import (
-// 	"encoding/json"
-// 	"errors"
-// 	"fmt"
-// 	"testing"
+import (
+	// 	"encoding/json"
+	// 	"errors"
+	// 	"fmt"
+	"testing"
 
-// 	"github.com/go-logr/logr"
-// 	kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
-// 	"github.com/kyverno/kyverno/pkg/openapi"
-// 	"gotest.tools/assert"
-// 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
-// 	apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-// 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-// 	"k8s.io/apimachinery/pkg/util/validation/field"
-// )
+	// 	"github.com/go-logr/logr"
+	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+	// 	"github.com/kyverno/kyverno/pkg/openapi"
+	"github.com/stretchr/testify/assert"
+	// 	"gotest.tools/assert"
+	// 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
+	// 	apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	// 	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+func Test_PolicyValidationWithInvalidVariable(t *testing.T) {
+	policy := &kyvernov1.ClusterPolicy{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "ClusterPolicy",
+			APIVersion: "kyverno.io/v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "policy-with-invalid-variable",
+		},
+		Spec: kyvernov1.Spec{
+			Rules: []kyvernov1.Rule{
+				{
+					Name: "test-rule-invalid-variable",
+					MatchResources: kyvernov1.MatchResources{
+						Any: []kyvernov1.ResourceFilter{
+							{
+								ResourceDescription: kyvernov1.ResourceDescription{
+									Kinds: []string{"Pod"},
+								},
+							},
+						},
+					},
+					Validation: kyvernov1.Validation{
+						Message: "{{ bar }} world!",
+						Deny:    &kyvernov1.Deny{},
+					},
+				},
+			},
+		},
+	}
+
+	err := ValidateVariables(policy, false)
+
+	assert.NotNil(t, err)
+
+	assert.Contains(t, err.Error(), "variable substitution failed")
+	assert.Contains(t, err.Error(), "test-rule-invalid-variable")
+	assert.Contains(t, err.Error(), "variable bar must match regex")
+}
 
 // func Test_Validate_ResourceDescription_Empty(t *testing.T) {
 // 	var err error