From d99c000b178b3814c102ec2d171da3397efaffa9 Mon Sep 17 00:00:00 2001 From: shuting Date: Thu, 18 May 2023 00:20:34 +0800 Subject: [PATCH] fix: mutate existing auth check (#7219) * fix auth check when using variables in ns Signed-off-by: ShutingZhao * add kuttl tests Signed-off-by: ShutingZhao --------- 
Signed-off-by: ShutingZhao --- pkg/policy/mutate/validate.go | 2 +- .../01-fail-no-permission.yaml | 0 .../cpol-namespace-variable/README.md | 12 +++++++++ .../cpol-namespace-variable/policy.yaml | 25 +++++++++++++++++++ .../01-fail-no-permission.yaml | 5 ++++ .../02-update-clusterrole.yaml | 0 .../03-pass.yaml | 0 .../04-reset-clusterrole.yaml | 0 .../{ => cpol-standard-auth-check}/README.md | 0 .../policy-assert.yaml | 0 .../policy.yaml | 0 11 files changed, 43 insertions(+), 1 deletion(-) rename test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/{ => cpol-namespace-variable}/01-fail-no-permission.yaml (100%) create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-namespace-variable/README.md create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-namespace-variable/policy.yaml create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/01-fail-no-permission.yaml rename test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/{ => cpol-standard-auth-check}/02-update-clusterrole.yaml (100%) rename test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/{ => cpol-standard-auth-check}/03-pass.yaml (100%) rename test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/{ => cpol-standard-auth-check}/04-reset-clusterrole.yaml (100%) rename test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/{ => cpol-standard-auth-check}/README.md (100%) rename test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/{ => cpol-standard-auth-check}/policy-assert.yaml (100%) rename test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/{ => cpol-standard-auth-check}/policy.yaml (100%) 
diff --git a/pkg/policy/mutate/validate.go b/pkg/policy/mutate/validate.go
index 30d4c7620a..06fe8f45df 100644
--- a/pkg/policy/mutate/validate.go
+++ b/pkg/policy/mutate/validate.go
@@ -93,7 +93,7 @@ func (m *Mutate) hasPatchesJSON6902() bool {
 func (m *Mutate) validateAuth(ctx context.Context, targets []kyvernov1.TargetResourceSpec) error {
 var errs []error
 for _, target := range targets {
- if !regex.IsVariable(target.Namespace) {
+ if !regex.IsVariable(target.Kind) {
 _, _, k, sub := kubeutils.ParseKindSelector(target.Kind)
 srcKey := k
 if sub != "" {
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/01-fail-no-permission.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-namespace-variable/01-fail-no-permission.yaml
similarity index 100%
rename from test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/01-fail-no-permission.yaml
rename to test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-namespace-variable/01-fail-no-permission.yaml
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-namespace-variable/README.md b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-namespace-variable/README.md
new file mode 100644
index 0000000000..eded9c4daa
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-namespace-variable/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test ensures that a mutate existing policy is denied when the target has the namespace defined as variable.
+
+## Expected Behavior
+
+The test fails if the policy creation is allowed, otherwise passes.
+
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/7213
\ No newline at end of file
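Review bot: The new guard on the `+` line skips the permission check whenever `target.Kind` is a variable, and nothing in the hunk records why; since the old guard on `target.Namespace` is exactly what let a variable-namespace target bypass the check (the bug this commit fixes), the intent is worth pinning with a comment such as `// only a literal kind can be resolved to a permission check at policy admission; a variable namespace must not skip it (see #7213)`. How a variable `target.Namespace` is then handed to the permission check is not visible here — if it reaches the check as the raw `{{ ... }}` string, confirm which scope the check is actually evaluated against. Whether a variable kind falls through to an error or is silently accepted also depends on code past the hunk, since validateAuth's body continues beyond it.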
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-namespace-variable/policy.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-namespace-variable/policy.yaml
new file mode 100644
index 0000000000..026ffffcae
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-namespace-variable/policy.yaml
@@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-namespace-variable
+spec:
+ mutateExistingOnPolicyUpdate: false
+ rules:
+ - name: apply-flag
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ selector:
+ matchLabels:
+ policy.lan/flag: 'true'
+ mutate:
+ targets:
+ - kind: PersistentVolumeClaim
+ apiVersion: v1
+ namespace: "{{ request.object.metadata.name }}"
+ patchStrategicMerge:
+ metadata:
+ labels:
+ policy.lan/apply-flag: 'true'
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/01-fail-no-permission.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/01-fail-no-permission.yaml
new file mode 100644
index 0000000000..cc374cb853
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/01-fail-no-permission.yaml
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: policy.yaml
+ shouldFail: true
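Review bot: The new cpol-namespace-variable test covers only the denial path: policy.yaml is applied by the moved 01-fail-no-permission.yaml with `shouldFail: true`, while the 02-update-clusterrole, 03-pass and 04-reset-clusterrole steps stay in cpol-standard-auth-check. Nothing shows that a target with `namespace: "{{ request.object.metadata.name }}"` is admitted once the ClusterRole grants the PersistentVolumeClaim permission, so a regression that rejects every variable-namespace target would still pass this suite. Adding the equivalent of steps 02–04 (and a policy-assert.yaml) under the new directory would pin both directions of the fix.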
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/02-update-clusterrole.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/02-update-clusterrole.yaml
similarity index 100%
rename from test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/02-update-clusterrole.yaml
rename to test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/02-update-clusterrole.yaml
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/03-pass.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/03-pass.yaml
similarity index 100%
rename from test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/03-pass.yaml
rename to test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/03-pass.yaml
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/04-reset-clusterrole.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/04-reset-clusterrole.yaml
similarity index 100%
rename from test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/04-reset-clusterrole.yaml
rename to test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/04-reset-clusterrole.yaml
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/README.md b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/README.md
similarity index 100%
rename from test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/README.md
rename to test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/README.md
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/policy-assert.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/policy-assert.yaml
similarity index 100%
rename from test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/policy-assert.yaml
rename to test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/policy-assert.yaml
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/policy.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/policy.yaml
similarity index 100%
rename from test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/policy.yaml
rename to test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/policy.yaml