644 working version need to add more tests

2024-12-14 11:57:48 +00:00 · 2020-02-09 19:11:25 +05:30 · 2020-02-09 19:11:25 +05:30 · a969a38c81
commit a969a38c81
parent 122d1bd5fa
2 changed files with 46 additions and 27 deletions
--- a/pkg/engine/utils.go
+++ b/pkg/engine/utils.go
@ -111,34 +111,32 @@ func doesResourceMatchConditionBlock(conditionBlock kyverno.ResourceDescription,
 		wg.Done()
 	}()

-	if !reflect.DeepEqual(admissionInfo, kyverno.RequestInfo{}) {
-		go func() {
-			if len(userInfo.Roles) > 0 {
-				if !doesSliceContainsAnyOfTheseValues(userInfo.Roles, admissionInfo.Roles...) {
-					errs <- fmt.Errorf("user info does not match roles for the given conditionBlock")
-				}
+	go func() {
+		if len(userInfo.Roles) > 0 {
+			if !doesSliceContainsAnyOfTheseValues(userInfo.Roles, admissionInfo.Roles...) {
+				errs <- fmt.Errorf("user info does not match roles for the given conditionBlock")
 			}
-			wg.Done()
-		}()
+		}
+		wg.Done()
+	}()

-		go func() {
-			if len(userInfo.ClusterRoles) > 0 {
-				if !doesSliceContainsAnyOfTheseValues(userInfo.ClusterRoles, admissionInfo.ClusterRoles...) {
-					errs <- fmt.Errorf("user info does not match clustersRoles for the given conditionBlock")
-				}
+	go func() {
+		if len(userInfo.ClusterRoles) > 0 {
+			if !doesSliceContainsAnyOfTheseValues(userInfo.ClusterRoles, admissionInfo.ClusterRoles...) {
+				errs <- fmt.Errorf("user info does not match clustersRoles for the given conditionBlock")
 			}
-			wg.Done()
-		}()
+		}
+		wg.Done()
+	}()

-		go func() {
-			if len(userInfo.Subjects) > 0 {
-				if !matchSubjects(userInfo.Subjects, admissionInfo.AdmissionUserInfo) {
-					errs <- fmt.Errorf("user info does not match subject for the given conditionBlock")
-				}
+	go func() {
+		if len(userInfo.Subjects) > 0 {
+			if !matchSubjects(userInfo.Subjects, admissionInfo.AdmissionUserInfo) {
+				errs <- fmt.Errorf("user info does not match subject for the given conditionBlock")
 			}
-			wg.Done()
-		}()
-	}
+		}
+		wg.Done()
+	}()

 	wg.Wait()
 	close(errs)
@ -198,6 +196,10 @@ func MatchesResourceDescription(resource unstructured.Unstructured, rule kyverno
 	var wg sync.WaitGroup
 	wg.Add(2)

+	if reflect.DeepEqual(admissionInfo, kyverno.RequestInfo{}) {
+		rule.MatchResources.UserInfo = kyverno.UserInfo{}
+	}
+
 	// checking if resource matches the rule
 	go func() {
 		if !reflect.DeepEqual(rule.MatchResources.ResourceDescription, kyverno.ResourceDescription{}) {
--- a/pkg/engine/utils_test.go
+++ b/pkg/engine/utils_test.go
@ -30,20 +30,37 @@ func TestMatchesResourceDescription(t *testing.T) {
 			Policy:            []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"hello-world-policy"},"spec":{"background":false,"rules":[{"name":"hello-world-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"name":"hello-world"},"clusterroles":["system:node"]},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}]}}`),
 			areErrorsExpected: false,
 		},
+		{
+			Description: "",
+			AdmissionInfo: kyverno.RequestInfo{
+				ClusterRoles: []string{"system:node"},
+			},
+			Resource:          []byte(`{"apiVersion":"v1","kind":"Pod","metadata":{"name":"hello-world","labels":{"name":"hello-world"}},"spec":{"containers":[{"name":"hello-world","image":"hello-world","ports":[{"containerPort":81}],"resources":{"limits":{"memory":"30Mi","cpu":"0.2"},"requests":{"memory":"20Mi","cpu":"0.1"}}}]}}`),
+			Policy:            []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"hello-world-policy"},"spec":{"background":false,"rules":[{"name":"hello-world-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"name":"hello-world"},"clusterroles":["system:node"]},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}]}}`),
+			areErrorsExpected: true,
+		},
+		{
+			Description:       "",
+			Resource:          []byte(`{"apiVersion":"v1","kind":"Pod","metadata":{"name":"hello-world","labels":{"name":"hello-world"}},"spec":{"containers":[{"name":"hello-world","image":"hello-world","ports":[{"containerPort":81}],"resources":{"limits":{"memory":"30Mi","cpu":"0.2"},"requests":{"memory":"20Mi","cpu":"0.1"}}}]}}`),
+			Policy:            []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"hello-world-policy"},"spec":{"background":false,"rules":[{"name":"hello-world-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"name":"hello-world"},"clusterroles":["system:node"]},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}]}}`),
+			areErrorsExpected: false,
+		},
 	}

-	for _, tc := range tcs {
+	for i, tc := range tcs {
 		var policy kyverno.Policy
 		json.Unmarshal(tc.Policy, &policy)
 		resource, _ := utils.ConvertToUnstructured(tc.Resource)

 		for _, rule := range policy.Spec.Rules {
 			err := MatchesResourceDescription(*resource, rule, tc.AdmissionInfo)
-			if err != nil && !tc.areErrorsExpected {
-				t.Errorf("Unexpected error: %v", err)
+			if err != nil {
+				if !tc.areErrorsExpected {
+					t.Errorf("Testcase %d Unexpected error: %v", i+1, err)
+				}
 			} else {
 				if tc.areErrorsExpected {
-					t.Errorf("Expected Error but recievd no error")
+					t.Errorf("Testcase %d Expected Error but recieved no error", i+1)
 				}
 			}
 		}