From efdb7881ef1e8304f6db983ab738589cf51a43d0 Mon Sep 17 00:00:00 2001
From: shuting <shutting06@gmail.com>
Date: Tue, 14 Sep 2021 19:46:04 -0700
Subject: [PATCH] - fix any/all during policy mutation; - add unit tests
 (#2388)

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
---
 pkg/policymutation/policymutation.go      | 94 +++++++++++++++++++----
 pkg/policymutation/policymutation_test.go | 81 +++++++++++++++++++
 2 files changed, 160 insertions(+), 15 deletions(-)

diff --git a/pkg/policymutation/policymutation.go b/pkg/policymutation/policymutation.go
index d0735d5081..94253d5844 100644
--- a/pkg/policymutation/policymutation.go
+++ b/pkg/policymutation/policymutation.go
@@ -88,28 +88,92 @@ func GenerateJSONPatchesForDefaults(policy *kyverno.ClusterPolicy, log logr.Logg
 func checkForGVKFormatPatch(policy *kyverno.ClusterPolicy, log logr.Logger) (patches [][]byte, errs []error) {
 	patches = make([][]byte, 0)
 	for i, rule := range policy.Spec.Rules {
-		kindList := []string{}
-		for _, k := range rule.MatchResources.Kinds {
-			kindList = append(kindList, common.GetFormatedKind(k))
+		patchByte, err := convertGVKForKinds(fmt.Sprintf("/spec/rules/%s/match/resources/kinds", strconv.Itoa(i)), rule.MatchResources.Kinds, log)
+		if err == nil && patchByte != nil {
+			patches = append(patches, patchByte)
+		} else if err != nil {
+			errs = append(errs, fmt.Errorf("failed to GVK for rule '%s/%s/%d/match': %v", policy.Name, rule.Name, i, err))
 		}
-		jsonPatch := struct {
-			Path  string   `json:"path"`
-			Op    string   `json:"op"`
-			Value []string `json:"value"`
-		}{
-			fmt.Sprintf("/spec/rules/%s/match/resources/kinds", strconv.Itoa(i)),
-			"replace",
-			kindList,
+
+		for j, matchAll := range rule.MatchResources.All {
+			patchByte, err := convertGVKForKinds(fmt.Sprintf("/spec/rules/%s/match/all/%s/resources/kinds", strconv.Itoa(i), strconv.Itoa(j)), matchAll.ResourceDescription.Kinds, log)
+			if err == nil && patchByte != nil {
+				patches = append(patches, patchByte)
+			} else if err != nil {
+				errs = append(errs, fmt.Errorf("failed to convert GVK for rule '%s/%s/%d/match/all/%d': %v", policy.Name, rule.Name, i, j, err))
+			}
 		}
-		patchByte, err := json.Marshal(jsonPatch)
-		if err != nil {
-			errs = append(errs, fmt.Errorf("failed to convert policy '%s': %v", policy.Name, err))
+
+		for k, matchAny := range rule.MatchResources.Any {
+			patchByte, err := convertGVKForKinds(fmt.Sprintf("/spec/rules/%s/match/any/%s/resources/kinds", strconv.Itoa(i), strconv.Itoa(k)), matchAny.ResourceDescription.Kinds, log)
+			if err == nil && patchByte != nil {
+				patches = append(patches, patchByte)
+			} else if err != nil {
+				errs = append(errs, fmt.Errorf("failed to convert GVK for rule '%s/%s/%d/match/any/%d': %v", policy.Name, rule.Name, i, k, err))
+			}
+		}
+
+		patchByte, err = convertGVKForKinds(fmt.Sprintf("/spec/rules/%s/exclude/resources/kinds", strconv.Itoa(i)), rule.ExcludeResources.Kinds, log)
+		if err == nil && patchByte != nil {
+			patches = append(patches, patchByte)
+		} else if err != nil {
+			errs = append(errs, fmt.Errorf("failed to convert GVK for rule '%s/%s/%d/exclude': %v", policy.Name, rule.Name, i, err))
+		}
+
+		for j, excludeAll := range rule.ExcludeResources.All {
+			patchByte, err := convertGVKForKinds(fmt.Sprintf("/spec/rules/%s/exclude/all/%s/resources/kinds", strconv.Itoa(i), strconv.Itoa(j)), excludeAll.ResourceDescription.Kinds, log)
+			if err == nil && patchByte != nil {
+				patches = append(patches, patchByte)
+			} else if err != nil {
+				errs = append(errs, fmt.Errorf("failed to convert GVK for rule '%s/%s/%d/exclude/all/%d': %v", policy.Name, rule.Name, i, j, err))
+			}
+		}
+
+		for k, excludeAny := range rule.ExcludeResources.Any {
+			patchByte, err := convertGVKForKinds(fmt.Sprintf("/spec/rules/%s/exclude/any/%s/resources/kinds", strconv.Itoa(i), strconv.Itoa(k)), excludeAny.ResourceDescription.Kinds, log)
+			if err == nil && patchByte != nil {
+				patches = append(patches, patchByte)
+			} else if err != nil {
+				errs = append(errs, fmt.Errorf("failed to convert GVK for rule '%s/%s/%d/exclude/any/%d': %v", policy.Name, rule.Name, i, k, err))
+			}
 		}
-		patches = append(patches, patchByte)
 	}
+
 	return patches, errs
 }
 
+func convertGVKForKinds(path string, kinds []string, log logr.Logger) ([]byte, error) {
+	kindList := []string{}
+	for _, k := range kinds {
+		gvk := common.GetFormatedKind(k)
+		if gvk == k {
+			continue
+		}
+		kindList = append(kindList, gvk)
+	}
+
+	if len(kindList) == 0 {
+		return nil, nil
+	}
+
+	p, err := buildReplaceJsonPatch(path, kindList)
+	log.V(4).WithName("convertGVKForKinds").Info("generated patch", "patch", string(p))
+	return p, err
+}
+
+func buildReplaceJsonPatch(path string, kindList []string) ([]byte, error) {
+	jsonPatch := struct {
+		Path  string   `json:"path"`
+		Op    string   `json:"op"`
+		Value []string `json:"value"`
+	}{
+		path,
+		"replace",
+		kindList,
+	}
+	return json.Marshal(jsonPatch)
+}
+
 func convertPatchToJSON6902(policy *kyverno.ClusterPolicy, log logr.Logger) (patches [][]byte, errs []error) {
 	patches = make([][]byte, 0)
 
diff --git a/pkg/policymutation/policymutation_test.go b/pkg/policymutation/policymutation_test.go
index 8c414ecb47..60a8ce19eb 100644
--- a/pkg/policymutation/policymutation_test.go
+++ b/pkg/policymutation/policymutation_test.go
@@ -307,3 +307,84 @@ func Test_UpdateVariablePath(t *testing.T) {
 
 	assert.DeepEqual(t, rulePatches, expectedPatches)
 }
+
+func Test_checkForGVKFormatPatch(t *testing.T) {
+	testCases := []struct {
+		name            string
+		policy          []byte
+		expectedPatches []byte
+	}{
+		{
+			name:            "match-kinds-empty",
+			policy:          []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"match-kinds-empty"},"spec":{"rules":[{"name":"test","match":{"resources":{"kinds":["ConfigMap","batch.volcano.sh/v1alpha1/Job"]}},"validate":{"message":"Metadatalabel'name'isrequired.","pattern":{"metadata":{"labels":{"name":"?*"}}}}}]}}`),
+			expectedPatches: nil,
+		},
+		{
+			name:            "match-kinds",
+			policy:          []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"match-kinds"},"spec":{"rules":[{"name":"test","match":{"resources":{"kinds":["configmap","batch.volcano.sh/v1alpha1/job"]}},"validate":{"message":"Metadatalabel'name'isrequired.","pattern":{"metadata":{"labels":{"name":"?*"}}}}}]}}`),
+			expectedPatches: []byte(`{"path":"/spec/rules/0/match/resources/kinds","op":"replace","value":["Configmap","batch.volcano.sh/v1alpha1/Job"]}`),
+		},
+		{
+			name:            "exclude-kinds-empty",
+			policy:          []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"exclude-kinds-empty"},"spec":{"rules":[{"name":"test","exclude":{"resources":{"kinds":["ConfigMap","batch.volcano.sh/v1alpha1/Job"]}},"validate":{"message":"Metadatalabel'name'isrequired.","pattern":{"metadata":{"labels":{"name":"?*"}}}}}]}}`),
+			expectedPatches: nil,
+		},
+		{
+			name:            "exclude-kinds",
+			policy:          []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"exclude-kinds"},"spec":{"rules":[{"name":"test","exclude":{"resources":{"kinds":["configmap","batch.volcano.sh/v1alpha1/job"]}},"validate":{"message":"Metadatalabel'name'isrequired.","pattern":{"metadata":{"labels":{"name":"?*"}}}}}]}}`),
+			expectedPatches: []byte(`{"path":"/spec/rules/0/exclude/resources/kinds","op":"replace","value":["Configmap","batch.volcano.sh/v1alpha1/Job"]}`),
+		},
+		{
+			name:            "match-any-kinds-empty",
+			policy:          []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"match-any-kinds-empty"},"spec":{"rules":[{"name":"test","match":{"any":[{"resources":{"kinds":["Deployment","Pod","DaemonSet"]}}]},"validate":{"pattern":{"metadata":{"labels":{"name":"?*"}}}}}]}}`),
+			expectedPatches: nil,
+		},
+		{
+			name:            "match-any-kinds",
+			policy:          []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"match-any-kinds"},"spec":{"rules":[{"name":"test","match":{"any":[{"resources":{"kinds":["deployment","pod","DaemonSet"]}}]},"validate":{"pattern":{"metadata":{"labels":{"name":"?*"}}}}}]}}`),
+			expectedPatches: []byte(`{"path":"/spec/rules/0/match/any/0/resources/kinds","op":"replace","value":["Deployment","Pod"]}`),
+		},
+		{
+			name:            "match-all-kinds-empty",
+			policy:          []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"match-all-kinds-empty"},"spec":{"rules":[{"name":"test","match":{"all":[{"resources":{"kinds":["Deployment","Pod","DaemonSet"]}}]},"validate":{"pattern":{"metadata":{"labels":{"name":"?*"}}}}}]}}`),
+			expectedPatches: nil,
+		},
+		{
+			name:            "match-all-kinds",
+			policy:          []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"match-all-kinds"},"spec":{"rules":[{"name":"test","match":{"all":[{"resources":{"kinds":["deployment","pod","DaemonSet"]}}]},"validate":{"pattern":{"metadata":{"labels":{"name":"?*"}}}}}]}}`),
+			expectedPatches: []byte(`{"path":"/spec/rules/0/match/all/0/resources/kinds","op":"replace","value":["Deployment","Pod"]}`),
+		},
+		{
+			name:            "exclude-any-kinds-empty",
+			policy:          []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"exclude-any-kinds-empty"},"spec":{"rules":[{"name":"test","exclude":{"any":[{"resources":{"kinds":["Deployment","Pod","DaemonSet"]}},{"resources":{"kinds":["ConfigMap"]}}]},"validate":{"pattern":{"metadata":{"labels":{"name":"?*"}}}}}]}}`),
+			expectedPatches: nil,
+		},
+		{
+			name:            "exclude-any-kinds",
+			policy:          []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"exclude-any-kinds-empty"},"spec":{"rules":[{"name":"test","exclude":{"any":[{"resources":{"kinds":["Deployment","Pod","DaemonSet"]}},{"resources":{"kinds":["configMap"]}}]},"validate":{"pattern":{"metadata":{"labels":{"name":"?*"}}}}}]}}`),
+			expectedPatches: []byte(`{"path":"/spec/rules/0/exclude/any/1/resources/kinds","op":"replace","value":["ConfigMap"]}`),
+		},
+		{
+			name:            "exclude-all-kinds-empty",
+			policy:          []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"exclude-all-kinds-empty"},"spec":{"rules":[{"name":"test","exclude":{"all":[{"resources":{"kinds":["Deployment","Pod","DaemonSet"]}},{"resources":{"kinds":["ConfigMap"]}}]},"validate":{"pattern":{"metadata":{"labels":{"name":"?*"}}}}}]}}`),
+			expectedPatches: nil,
+		},
+		{
+			name:            "exclude-all-kinds",
+			policy:          []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"exclude-all-kinds"},"spec":{"rules":[{"name":"test","exclude":{"all":[{"resources":{"kinds":["Deployment","pod","DaemonSet"]}},{"resources":{"kinds":["ConfigMap"]}}]},"validate":{"pattern":{"metadata":{"labels":{"name":"?*"}}}}}]}}`),
+			expectedPatches: []byte(`{"path":"/spec/rules/0/exclude/all/0/resources/kinds","op":"replace","value":["Pod"]}`),
+		},
+	}
+
+	for _, test := range testCases {
+		var policy kyverno.ClusterPolicy
+		err := json.Unmarshal(test.policy, &policy)
+		assert.NilError(t, err, fmt.Sprintf("failed to convert policy test %s: %v", test.name, err))
+
+		patches, errs := checkForGVKFormatPatch(&policy, log.Log)
+		assert.Assert(t, len(errs) == 0)
+		for _, p := range patches {
+			assert.Equal(t, string(p), string(test.expectedPatches), fmt.Sprintf("test %s failed", test.name))
+		}
+	}
+}