From 962f4de8d8bd3a8ce101847088bd2ee5f9b6dab9 Mon Sep 17 00:00:00 2001
From: Bricktop <marcel.mueller1@rwth-aachen.de>
Date: Tue, 30 Nov 2021 18:14:58 +0100
Subject: [PATCH] Only report on intended errors when checking JSONPatch path
 for variables (#2710)

* Only report on intended errors

Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>

* Change error text to be more fitting

Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>

* Replace vars for checks

Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>

* Remove more checks for testing

Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>

* Disable schema validation

Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>

* Remove unneeded fmt prints

Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>
---
 pkg/openapi/validation.go       |  7 +----
 pkg/policy/allowed_vars_test.go | 43 +++++++++++++++++++++++++++++
 pkg/policy/validate.go          | 15 +++++-----
 pkg/policy/validate_test.go     | 49 ++++++++++++++++++++++++++++++++-
 4 files changed, 100 insertions(+), 14 deletions(-)

diff --git a/pkg/openapi/validation.go b/pkg/openapi/validation.go
index 7f518b2305..98b320a8c5 100644
--- a/pkg/openapi/validation.go
+++ b/pkg/openapi/validation.go
@@ -102,11 +102,6 @@ func NewOpenAPIController() (*Controller, error) {
 	return controller, nil
 }
 
-// ValidatePolicyFields ...
-func (o *Controller) ValidatePolicyFields(policy v1.ClusterPolicy) error {
-	return o.ValidatePolicyMutation(policy)
-}
-
 // ValidateResource ...
 func (o *Controller) ValidateResource(patchedResource unstructured.Unstructured, apiVersion, kind string) error {
 	var err error
@@ -168,7 +163,7 @@ func (o *Controller) ValidatePolicyMutation(policy v1.ClusterPolicy) error {
 			return err
 		}
 
-		if (policy.Spec.SchemaValidation == nil || *policy.Spec.SchemaValidation) && (kind != "*") {
+		if kind != "*" {
 			err = o.ValidateResource(*patchedResource.DeepCopy(), "", kind)
 			if err != nil {
 				return err
diff --git a/pkg/policy/allowed_vars_test.go b/pkg/policy/allowed_vars_test.go
index b3853230e1..0e84e12e88 100644
--- a/pkg/policy/allowed_vars_test.go
+++ b/pkg/policy/allowed_vars_test.go
@@ -200,6 +200,49 @@ func TestNotAllowedVars_JSONPatchPath(t *testing.T) {
 	assert.Error(t, err, "rule \"pCM1\" should not have variables in patchesJSON6902 path section")
 }
 
+func TestNotAllowedVars_JSONPatchPath_ContextPositive(t *testing.T) {
+	var policyWithVarInExclude = []byte(`{
+    "apiVersion": "kyverno.io/v1",
+    "kind": "ClusterPolicy",
+    "metadata": {
+      "name": "policy-patch-cm"
+    },
+    "spec": {
+      "rules": [
+      {
+        "name": "pCM1",
+        "context": [
+          {
+            "name": "source",
+            "configMap":{
+              "name":"source-yaml-to-json",
+              "namespace":"default"
+            }
+          }
+        ],
+        "match": {
+        "resources": {
+          "name": "config-game",
+          "kinds": [
+          "ConfigMap"
+          ]
+        }
+        },
+        "mutate": {
+        "patchesJson6902": "- op: replace\n  path: /spec/strategy\n  value: {{ source.data.strategy }}"
+        }
+      }
+      ]
+    }
+    }`)
+
+	policy, err := ut.GetPolicy(policyWithVarInExclude)
+	assert.NilError(t, err)
+
+	err = hasInvalidVariables(policy[0], false)
+	assert.NilError(t, err)
+}
+
 func TestNotAllowedVars_JSONPatchPath_PositiveCase(t *testing.T) {
 	var policyWithVarInExclude = []byte(`{
     "apiVersion": "kyverno.io/v1",
diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index 7ffc184752..ba93cd4824 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -35,8 +35,13 @@ var allowedVariablesBackground = regexp.MustCompile(`request\.|element\.|@|image
 // wildCardAllowedVariables represents regex for the allowed fields in wildcards
 var wildCardAllowedVariables = regexp.MustCompile(`\{\{\s*(request\.|serviceAccountName|serviceAccountNamespace)[^{}]*\}\}`)
 
+var errOperationForbidden = errors.New("variables are forbidden in the path of a JSONPatch")
+
 // validateJSONPatchPathForForwardSlash checks for forward slash
 func validateJSONPatchPathForForwardSlash(patch string) error {
+	// Replace all variables in PatchesJSON6902, all variable checks should have happened already.
+	// This prevents further checks from failing unexpectedly.
+	patch = variables.ReplaceAllVars(patch, func(s string) string { return "kyvernojsonpatchvariable" })
 
 	re, err := regexp.Compile("^/")
 	if err != nil {
@@ -325,11 +330,7 @@ func Validate(policy *kyverno.ClusterPolicy, client *dclient.Client, mock bool,
 		}
 	}
 
-	if !mock {
-		if err := openAPIController.ValidatePolicyFields(*policy); err != nil {
-			return err
-		}
-	} else {
+	if policy.Spec.SchemaValidation == nil || *policy.Spec.SchemaValidation {
 		if err := openAPIController.ValidatePolicyMutation(*policy); err != nil {
 			return err
 		}
@@ -387,7 +388,7 @@ func ruleForbiddenSectionsHaveVariables(rule *kyverno.Rule) error {
 	var err error
 
 	err = jsonPatchPathHasVariables(rule.Mutation.PatchesJSON6902)
-	if err != nil {
+	if err != nil && errors.Is(errOperationForbidden, err) {
 		return fmt.Errorf("rule \"%s\" should not have variables in patchesJSON6902 path section", rule.Name)
 	}
 
@@ -430,7 +431,7 @@ func jsonPatchPathHasVariables(patch string) error {
 
 		vars := variables.RegexVariables.FindAllString(path, -1)
 		if len(vars) > 0 {
-			return fmt.Errorf("operation \"%s\" has forbidden variables", operation.Kind())
+			return errOperationForbidden
 		}
 	}
 
diff --git a/pkg/policy/validate_test.go b/pkg/policy/validate_test.go
index cfbcb69461..12def395e8 100644
--- a/pkg/policy/validate_test.go
+++ b/pkg/policy/validate_test.go
@@ -1508,6 +1508,53 @@ func Test_Namespced_Policy(t *testing.T) {
 
 	openAPIController, _ := openapi.NewOpenAPIController()
 	err = Validate(policy, nil, true, openAPIController)
-	fmt.Println(err)
 	assert.Assert(t, err != nil)
 }
+
+func Test_patchesJson6902_Policy(t *testing.T) {
+	rawPolicy := []byte(`
+	{
+   "apiVersion": "kyverno.io/v1",
+   "kind": "ClusterPolicy",
+   "metadata": {
+      "name": "set-max-surge-yaml-to-json"
+   },
+   "spec": {
+      "background": false,
+			"schemaValidation": false,
+      "rules": [
+         {
+            "name": "set-max-surge",
+            "context": [
+               {
+                  "name": "source",
+                  "configMap": {
+                     "name": "source-yaml-to-json",
+                     "namespace": "default"
+                  }
+               }
+            ],
+            "match": {
+               "resources": {
+                  "kinds": [
+                     "Deployment"
+                  ]
+               }
+            },
+            "mutate": {
+               "patchesJson6902": "- op: replace\n  path: /spec/strategy\n  value: {{ source.data.strategy }}"
+            }
+         }
+      ]
+   }
+}
+	`)
+
+	var policy *kyverno.ClusterPolicy
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
+
+	openAPIController, _ := openapi.NewOpenAPIController()
+	err = Validate(policy, nil, false, openAPIController)
+	assert.NilError(t, err)
+}