feat: register cel context lib (#12007)

* feat: register cel context lib Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * unit test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-06 16:06:56 +00:00 · 2025-01-27 17:16:27 +01:00 · 2025-01-27 17:16:27 +01:00 · db4f7fb5e6
commit db4f7fb5e6
parent b8c6931aa5
2 changed files with 75 additions and 0 deletions
--- a/pkg/cel/policy/compiler.go
+++ b/pkg/cel/policy/compiler.go
@ -54,6 +54,7 @@ func (c *compiler) Compile(policy *kyvernov2alpha1.ValidatingPolicy) (CompiledPo
 		panic(err)
 	}
 	options = append(options, declOptions...)
+	options = append(options, context.Lib())
 	// TODO: params, authorizer, authorizer.requestResource ?
 	env, err := base.Extend(options...)
 	if err != nil {
--- a/pkg/cel/policy/compiler_test.go
+++ b/pkg/cel/policy/compiler_test.go
@ -0,0 +1,74 @@
+package policy
+
+import (
+	"testing"
+
+	kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+	"github.com/stretchr/testify/assert"
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func Test_compiler_Compile(t *testing.T) {
+	tests := []struct {
+		name    string
+		policy  *kyvernov2alpha1.ValidatingPolicy
+		wantErr bool
+	}{{
+		name: "simple",
+		policy: &kyvernov2alpha1.ValidatingPolicy{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: kyvernov2alpha1.GroupVersion.String(),
+				Kind:       "ValidatingPolicy",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "foo",
+			},
+			Spec: kyvernov2alpha1.ValidatingPolicySpec{
+				ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
+					Variables: []admissionregistrationv1.Variable{{
+						Name:       "environment",
+						Expression: "has(object.metadata.labels) && 'env' in object.metadata.labels && object.metadata.labels['env'] == 'prod'",
+					}},
+					Validations: []admissionregistrationv1.Validation{{
+						Expression: "variables.environment == true",
+					}},
+				},
+			},
+		},
+	}, {
+		name: "with configmap",
+		policy: &kyvernov2alpha1.ValidatingPolicy{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: kyvernov2alpha1.GroupVersion.String(),
+				Kind:       "ValidatingPolicy",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "foo",
+			},
+			Spec: kyvernov2alpha1.ValidatingPolicySpec{
+				ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
+					Variables: []admissionregistrationv1.Variable{{
+						Name:       "cm",
+						Expression: "context.GetConfigMap('foo', 'bar')",
+					}},
+					Validations: []admissionregistrationv1.Validation{{
+						Expression: "variables.cm != null",
+					}},
+				},
+			},
+		},
+	}}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := NewCompiler()
+			compiled, errs := c.Compile(tt.policy)
+			if tt.wantErr {
+				assert.Error(t, errs.ToAggregate())
+			} else {
+				assert.NoError(t, errs.ToAggregate())
+				assert.NotNil(t, compiled)
+			}
+		})
+	}
+}