Fixed error handling for negation anchors (#2986)

* Fixed error handling for negation anchors Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2024-12-14 11:57:48 +00:00 · 2022-01-19 15:39:07 +05:30 · 2022-01-19 15:39:07 +05:30 · f0359f8272
commit f0359f8272
parent b5341b685d
3 changed files with 37 additions and 1 deletions
--- a/pkg/engine/anchor/anchor.go
+++ b/pkg/engine/anchor/anchor.go
@ -56,7 +56,9 @@ func (nh NegationHandler) Handle(handler resourceElementHandler, resourceMap map
 	// if anchor is present in the resource then fail
 	if _, ok := resourceMap[anchorKey]; ok {
 		// no need to process elements in value as key cannot be present in resource
-		return currentPath, fmt.Errorf("%s/%s is not allowed", currentPath, anchorKey)
+		ac.AnchorError = NewNegationAnchorError(fmt.Sprintf("%s is not allowed", currentPath))
+		return currentPath, ac.AnchorError.Error()
+
 	}
 	// key is not defined in the resource
 	return "", nil
--- a/pkg/engine/anchor/anchorKey.go
+++ b/pkg/engine/anchor/anchorKey.go
@ -6,6 +6,11 @@ import (
 	"strings"
 )

+// IsNegationAnchorError checks if error message has negation anchor error string
+func IsNegationAnchorError(msg string) bool {
+	return strings.Contains(msg, NegationAnchorErrMsg)
+}
+
 // IsConditionalAnchorError checks if error message has conditional anchor error string
 func IsConditionalAnchorError(msg string) bool {
 	return strings.Contains(msg, ConditionalAnchorErrMsg)
@ -16,6 +21,19 @@ func IsGlobalAnchorError(msg string) bool {
 	return strings.Contains(msg, GlobalAnchorErrMsg)
 }

+// NewNegationAnchorError returns a new instance of NegationAnchorError
+func NewNegationAnchorError(msg string) ValidateAnchorError {
+	return ValidateAnchorError{
+		Err:     NegationAnchorErr,
+		Message: fmt.Sprintf("%s: %s", NegationAnchorErrMsg, msg),
+	}
+}
+
+// IsNegationAnchorError checks if the error is a negation anchor error
+func (e ValidateAnchorError) IsNegationAnchorError() bool {
+	return e.Err == NegationAnchorErr
+}
+
 // NewConditionalAnchorError returns a new instance of ConditionalAnchorError
 func NewConditionalAnchorError(msg string) ValidateAnchorError {
 	return ValidateAnchorError{
@ -61,6 +79,9 @@ const (

 	// GlobalAnchorErr refers to global condition violation
 	GlobalAnchorErr
+
+	// NegationAnchorErr refers to negation violation
+	NegationAnchorErr
 )

 // ValidateAnchorError represents the error type of validation anchors
@ -69,6 +90,9 @@ type ValidateAnchorError struct {
 	Message string
 }

+// NegationAnchorErrMsg - the error message for negation anchor error
+var NegationAnchorErrMsg = "negation anchor matched in resource"
+
 // ConditionalAnchorErrMsg - the error message for conditional anchor error
 var ConditionalAnchorErrMsg = "conditional anchor mismatch"

--- a/pkg/engine/validate/validate.go
+++ b/pkg/engine/validate/validate.go
@ -37,6 +37,11 @@ func MatchPattern(logger logr.Logger, resource, pattern interface{}) error {
 			return &PatternError{err, "", true}
 		}

+		if fail(err) {
+			logger.V(2).Info("failed to apply rule on resource", "msg", ac.AnchorError.Error())
+			return &PatternError{err, elemPath, false}
+		}
+
 		// check if an anchor defined in the policy rule is missing in the resource
 		if ac.IsAnchorError() {
 			logger.V(3).Info("missing anchor in resource")
@ -54,6 +59,11 @@ func skip(err error) bool {
 	return anchor.IsConditionalAnchorError(err.Error()) || anchor.IsGlobalAnchorError(err.Error())
 }

+func fail(err error) bool {
+	// if negation anchors report errors, the rule will fail
+	return anchor.IsNegationAnchorError(err.Error())
+}
+
 // validateResourceElement detects the element type (map, array, nil, string, int, bool, float)
 // and calls corresponding handler
 // Pattern tree and resource tree can have different structure. In this case validation fails