From db4f7fb5e64c751ea135b49312981ab42d1a4e66 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
Date: Mon, 27 Jan 2025 17:16:27 +0100
Subject: [PATCH] feat: register cel context lib (#12007)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* feat: register cel context lib
Signed-off-by: Charles-Edouard Brétéché
* unit test
Signed-off-by: Charles-Edouard Brétéché
---------
Signed-off-by: Charles-Edouard Brétéché
---
 pkg/cel/policy/compiler.go | 1 +
 pkg/cel/policy/compiler_test.go | 74 +++++++++++++++++++++++++++++++++
 2 files changed, 75 insertions(+)
 create mode 100644 pkg/cel/policy/compiler_test.go
diff --git a/pkg/cel/policy/compiler.go b/pkg/cel/policy/compiler.go
index 6719e01f2a..1bb5f36eb6 100644
--- a/pkg/cel/policy/compiler.go
+++ b/pkg/cel/policy/compiler.go
@@ -54,6 +54,7 @@ func (c *compiler) Compile(policy *kyvernov2alpha1.ValidatingPolicy) (CompiledPo
 panic(err)
 }
 options = append(options, declOptions...)
+ options = append(options, context.Lib())
 // TODO: params, authorizer, authorizer.requestResource ?
 env, err := base.Extend(options...)
 if err != nil {
diff --git a/pkg/cel/policy/compiler_test.go b/pkg/cel/policy/compiler_test.go
new file mode 100644
index 0000000000..69ffdc2ce6
--- /dev/null
+++ b/pkg/cel/policy/compiler_test.go
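Review bot: The added `options = append(options, context.Lib())` exposes the context functions to every policy expression that Compile handles, but nothing at the registration site says under whose credentials a lookup such as `context.GetConfigMap('foo', 'bar')` (the call the new test compiles) is resolved. If the lookup runs with the engine's own service account, which is an inference because the lib's implementation is not part of this patch, then anyone able to create a ValidatingPolicy can have ConfigMaps read from any namespace the engine can reach. I would record the trust boundary next to the call, for example `// context lib: lookups run with the engine's credentials; policy authors are trusted with that read scope`, and note any namespace restriction that is enforced elsewhere. Compile starts and ends outside the hunk, so the way the provider is wired at evaluation time cannot be checked from here.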
@@ -0,0 +1,74 @@
+package policy
+
+import (
+ "testing"
+
+ kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+ "github.com/stretchr/testify/assert"
+ admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func Test_compiler_Compile(t *testing.T) {
+ tests := []struct {
+ name string
+ policy *kyvernov2alpha1.ValidatingPolicy
+ wantErr bool
+ }{{
+ name: "simple",
+ policy: &kyvernov2alpha1.ValidatingPolicy{
+ TypeMeta: metav1.TypeMeta{
+ APIVersion: kyvernov2alpha1.GroupVersion.String(),
+ Kind: "ValidatingPolicy",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "foo",
+ },
+ Spec: kyvernov2alpha1.ValidatingPolicySpec{
+ ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
+ Variables: []admissionregistrationv1.Variable{{
+ Name: "environment",
+ Expression: "has(object.metadata.labels) && 'env' in object.metadata.labels && object.metadata.labels['env'] == 'prod'",
+ }},
+ Validations: []admissionregistrationv1.Validation{{
+ Expression: "variables.environment == true",
+ }},
+ },
+ },
+ },
+ }, {
+ name: "with configmap",
+ policy: &kyvernov2alpha1.ValidatingPolicy{
+ TypeMeta: metav1.TypeMeta{
+ APIVersion: kyvernov2alpha1.GroupVersion.String(),
+ Kind: "ValidatingPolicy",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "foo",
+ },
+ Spec: kyvernov2alpha1.ValidatingPolicySpec{
+ ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
+ Variables: []admissionregistrationv1.Variable{{
+ Name: "cm",
+ Expression: "context.GetConfigMap('foo', 'bar')",
+ }},
+ Validations: []admissionregistrationv1.Validation{{
+ Expression: "variables.cm != null",
+ }},
+ },
+ },
+ },
+ }}
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ c := NewCompiler()
+ compiled, errs := c.Compile(tt.policy)
+ if tt.wantErr {
+ assert.Error(t, errs.ToAggregate())
+ } else {
+ assert.NoError(t, errs.ToAggregate())
+ assert.NotNil(t, compiled)
+ }
+ })
+ }
+}
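Review bot: No case in the table sets `wantErr`, so the `assert.Error` branch never runs and the test only proves that well-formed expressions compile. For a library that gives policy expressions access to cluster data, the rejecting path matters as much: add a case with `wantErr: true,` whose variable is something the environment should refuse, for example `Expression: "context.GetConfigMap('foo')",` (wrong arity, which presumably fails type-checking; confirm against the lib's declarations). The "with configmap" case also stops at compilation, so the lookup behind `variables.cm != null` is never evaluated, and a one-line comment on the test saying so would keep readers from assuming the ConfigMap read is covered.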