Only report on intended errors when checking JSONPatch path for variables (#2710)

* Only report on intended errors Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de> * Change error text to be more fitting Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de> * Replace vars for checks Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de> * Remove more checks for testing Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de> * Disable schema validation Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de> * Remove unneeded fmt prints Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>
2025-03-31 03:45:17 +00:00 · 2021-11-30 18:14:58 +01:00 · 2021-11-30 18:14:58 +01:00 · 962f4de8d8
commit 962f4de8d8
parent ef20ae4d47
4 changed files with 100 additions and 14 deletions
--- a/pkg/openapi/validation.go
+++ b/pkg/openapi/validation.go
@ -102,11 +102,6 @@ func NewOpenAPIController() (*Controller, error) {
 	return controller, nil
 }

-// ValidatePolicyFields ...
-func (o *Controller) ValidatePolicyFields(policy v1.ClusterPolicy) error {
-	return o.ValidatePolicyMutation(policy)
-}
-
 // ValidateResource ...
 func (o *Controller) ValidateResource(patchedResource unstructured.Unstructured, apiVersion, kind string) error {
 	var err error
@ -168,7 +163,7 @@ func (o *Controller) ValidatePolicyMutation(policy v1.ClusterPolicy) error {
 			return err
 		}

-		if (policy.Spec.SchemaValidation == nil || *policy.Spec.SchemaValidation) && (kind != "*") {
+		if kind != "*" {
 			err = o.ValidateResource(*patchedResource.DeepCopy(), "", kind)
 			if err != nil {
 				return err
--- a/pkg/policy/allowed_vars_test.go
+++ b/pkg/policy/allowed_vars_test.go
@ -200,6 +200,49 @@ func TestNotAllowedVars_JSONPatchPath(t *testing.T) {
 	assert.Error(t, err, "rule \"pCM1\" should not have variables in patchesJSON6902 path section")
 }

+func TestNotAllowedVars_JSONPatchPath_ContextPositive(t *testing.T) {
+	var policyWithVarInExclude = []byte(`{
+    "apiVersion": "kyverno.io/v1",
+    "kind": "ClusterPolicy",
+    "metadata": {
+      "name": "policy-patch-cm"
+    },
+    "spec": {
+      "rules": [
+      {
+        "name": "pCM1",
+        "context": [
+          {
+            "name": "source",
+            "configMap":{
+              "name":"source-yaml-to-json",
+              "namespace":"default"
+            }
+          }
+        ],
+        "match": {
+        "resources": {
+          "name": "config-game",
+          "kinds": [
+          "ConfigMap"
+          ]
+        }
+        },
+        "mutate": {
+        "patchesJson6902": "- op: replace\n  path: /spec/strategy\n  value: {{ source.data.strategy }}"
+        }
+      }
+      ]
+    }
+    }`)
+
+	policy, err := ut.GetPolicy(policyWithVarInExclude)
+	assert.NilError(t, err)
+
+	err = hasInvalidVariables(policy[0], false)
+	assert.NilError(t, err)
+}
+
 func TestNotAllowedVars_JSONPatchPath_PositiveCase(t *testing.T) {
 	var policyWithVarInExclude = []byte(`{
    "apiVersion": "kyverno.io/v1",
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@ -35,8 +35,13 @@ var allowedVariablesBackground = regexp.MustCompile(`request\.|element\.|@|image
 // wildCardAllowedVariables represents regex for the allowed fields in wildcards
 var wildCardAllowedVariables = regexp.MustCompile(`\{\{\s*(request\.|serviceAccountName|serviceAccountNamespace)[^{}]*\}\}`)

+var errOperationForbidden = errors.New("variables are forbidden in the path of a JSONPatch")
+
 // validateJSONPatchPathForForwardSlash checks for forward slash
 func validateJSONPatchPathForForwardSlash(patch string) error {
+	// Replace all variables in PatchesJSON6902, all variable checks should have happened already.
+	// This prevents further checks from failing unexpectedly.
+	patch = variables.ReplaceAllVars(patch, func(s string) string { return "kyvernojsonpatchvariable" })

 	re, err := regexp.Compile("^/")
 	if err != nil {
@ -325,11 +330,7 @@ func Validate(policy *kyverno.ClusterPolicy, client *dclient.Client, mock bool,
 		}
 	}

-	if !mock {
-		if err := openAPIController.ValidatePolicyFields(*policy); err != nil {
-			return err
-		}
-	} else {
+	if policy.Spec.SchemaValidation == nil || *policy.Spec.SchemaValidation {
 		if err := openAPIController.ValidatePolicyMutation(*policy); err != nil {
 			return err
 		}
@ -387,7 +388,7 @@ func ruleForbiddenSectionsHaveVariables(rule *kyverno.Rule) error {
 	var err error

 	err = jsonPatchPathHasVariables(rule.Mutation.PatchesJSON6902)
-	if err != nil {
+	if err != nil && errors.Is(errOperationForbidden, err) {
 		return fmt.Errorf("rule \"%s\" should not have variables in patchesJSON6902 path section", rule.Name)
 	}

@ -430,7 +431,7 @@ func jsonPatchPathHasVariables(patch string) error {

 		vars := variables.RegexVariables.FindAllString(path, -1)
 		if len(vars) > 0 {
-			return fmt.Errorf("operation \"%s\" has forbidden variables", operation.Kind())
+			return errOperationForbidden
 		}
 	}

--- a/pkg/policy/validate_test.go
+++ b/pkg/policy/validate_test.go
@ -1508,6 +1508,53 @@ func Test_Namespced_Policy(t *testing.T) {

 	openAPIController, _ := openapi.NewOpenAPIController()
 	err = Validate(policy, nil, true, openAPIController)
-	fmt.Println(err)
 	assert.Assert(t, err != nil)
 }
+
+func Test_patchesJson6902_Policy(t *testing.T) {
+	rawPolicy := []byte(`
+	{
+   "apiVersion": "kyverno.io/v1",
+   "kind": "ClusterPolicy",
+   "metadata": {
+      "name": "set-max-surge-yaml-to-json"
+   },
+   "spec": {
+      "background": false,
+			"schemaValidation": false,
+      "rules": [
+         {
+            "name": "set-max-surge",
+            "context": [
+               {
+                  "name": "source",
+                  "configMap": {
+                     "name": "source-yaml-to-json",
+                     "namespace": "default"
+                  }
+               }
+            ],
+            "match": {
+               "resources": {
+                  "kinds": [
+                     "Deployment"
+                  ]
+               }
+            },
+            "mutate": {
+               "patchesJson6902": "- op: replace\n  path: /spec/strategy\n  value: {{ source.data.strategy }}"
+            }
+         }
+      ]
+   }
+}
+	`)
+
+	var policy *kyverno.ClusterPolicy
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
+
+	openAPIController, _ := openapi.NewOpenAPIController()
+	err = Validate(policy, nil, false, openAPIController)
+	assert.NilError(t, err)
+}