Merge pull request #870 from fabriziosestito/feat/validate-policygrou…

…p-expression feat: validate PolicyGroup expressions
kubewarden · Sep 10, 2024 · c299746 · c299746
2 parents ecfb764 + 8895033
commit c299746
Show file tree

Hide file tree

Showing 9 changed files with 691 additions and 328 deletions.
diff --git a/api/policies/v1/admissionpolicy_webhook.go b/api/policies/v1/admissionpolicy_webhook.go
@@ -19,7 +19,6 @@ import (
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/util/validation/field"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
@@ -51,6 +50,7 @@ var _ webhook.Defaulter = &AdmissionPolicy{}
 // Default implements webhook.Defaulter so a webhook will be registered for the type.
 func (r *AdmissionPolicy) Default() {
 	admissionpolicylog.Info("default", "name", r.Name)
+
 	if r.Spec.PolicyServer == "" {
 		r.Spec.PolicyServer = constants.DefaultPolicyServer
 	}
@@ -66,17 +66,12 @@ var _ webhook.Validator = &AdmissionPolicy{}
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type.
 func (r *AdmissionPolicy) ValidateCreate() (admission.Warnings, error) {
 	admissionpolicylog.Info("validate create", "name", r.Name)
-	errList := field.ErrorList{}
 
-	if errs := validateRulesField(r); len(errs) != 0 {
-		errList = append(errList, errs...)
-	}
-	if errs := validateMatchConditionsField(r); len(errs) != 0 {
-		errList = append(errList, errs...)
-	}
-	if len(errList) != 0 {
-		return nil, prepareInvalidAPIError(r, errList)
+	allErrors := validatePolicyCreate(r)
+	if len(allErrors) != 0 {
+		return nil, prepareInvalidAPIError(r, allErrors)
 	}
+
 	return nil, nil
 }
 
@@ -89,11 +84,18 @@ func (r *AdmissionPolicy) ValidateUpdate(old runtime.Object) (admission.Warnings
 		return admission.Warnings{}, apierrors.NewInternalError(
 			fmt.Errorf("object is not of type AdmissionPolicy: %#v", old))
 	}
-	return nil, validatePolicyUpdate(oldPolicy, r)
+
+	allErrors := validatePolicyUpdate(oldPolicy, r)
+	if len(allErrors) != 0 {
+		return nil, prepareInvalidAPIError(r, allErrors)
+	}
+
+	return nil, nil
 }
 
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type.
 func (r *AdmissionPolicy) ValidateDelete() (admission.Warnings, error) {
 	admissionpolicylog.Info("validate delete", "name", r.Name)
+
 	return nil, nil
 }
diff --git a/api/policies/v1/admissionpolicygroup_webhook.go b/api/policies/v1/admissionpolicygroup_webhook.go
@@ -19,7 +19,6 @@ import (
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/util/validation/field"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
@@ -51,6 +50,7 @@ var _ webhook.Defaulter = &AdmissionPolicyGroup{}
 // Default implements webhook.Defaulter so a webhook will be registered for the type.
 func (r *AdmissionPolicyGroup) Default() {
 	admissionpolicygrouplog.Info("default", "name", r.Name)
+
 	if r.Spec.PolicyServer == "" {
 		r.Spec.PolicyServer = constants.DefaultPolicyServer
 	}
@@ -66,20 +66,13 @@ var _ webhook.Validator = &AdmissionPolicyGroup{}
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type.
 func (r *AdmissionPolicyGroup) ValidateCreate() (admission.Warnings, error) {
 	admissionpolicygrouplog.Info("validate create", "name", r.Name)
-	errList := field.ErrorList{}
 
-	if errs := validateRulesField(r); len(errs) != 0 {
-		errList = append(errList, errs...)
-	}
-	if errs := validateMatchConditionsField(r); len(errs) != 0 {
-		errList = append(errList, errs...)
-	}
-	if err := validatePolicyGroupMembers(r); err != nil {
-		errList = append(errList, err)
-	}
-	if len(errList) != 0 {
-		return nil, prepareInvalidAPIError(r, errList)
+	allErrors := validatePolicyGroupCreate(r)
+
+	if len(allErrors) != 0 {
+		return nil, prepareInvalidAPIError(r, allErrors)
 	}
+
 	return nil, nil
 }
 
@@ -92,7 +85,12 @@ func (r *AdmissionPolicyGroup) ValidateUpdate(old runtime.Object) (admission.War
 		return admission.Warnings{}, apierrors.NewInternalError(
 			fmt.Errorf("object is not of type AdmissionPolicyGroup: %#v", old))
 	}
-	return nil, validatePolicyUpdate(oldPolicy, r)
+
+	if allErrors := validatePolicyGroupUpdate(oldPolicy, r); len(allErrors) != 0 {
+		return nil, prepareInvalidAPIError(r, allErrors)
+	}
+
+	return nil, nil
 }
 
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type.

diff --git a/api/policies/v1/clusteradmissionpolicy_webhook.go b/api/policies/v1/clusteradmissionpolicy_webhook.go
@@ -18,7 +18,6 @@ import (
 	"fmt"
 
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/util/validation/field"
 
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
@@ -43,6 +42,7 @@ func (r *ClusterAdmissionPolicy) SetupWebhookWithManager(mgr ctrl.Manager) error
 	if err != nil {
 		return fmt.Errorf("failed enrolling webhook with manager: %w", err)
 	}
+
 	return nil
 }
 
@@ -53,6 +53,7 @@ var _ webhook.Defaulter = &ClusterAdmissionPolicy{}
 // Default implements webhook.Defaulter so a webhook will be registered for the type.
 func (r *ClusterAdmissionPolicy) Default() {
 	clusteradmissionpolicylog.Info("default", "name", r.Name)
+
 	if r.Spec.PolicyServer == "" {
 		r.Spec.PolicyServer = constants.DefaultPolicyServer
 	}
@@ -68,17 +69,12 @@ var _ webhook.Validator = &ClusterAdmissionPolicy{}
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type.
 func (r *ClusterAdmissionPolicy) ValidateCreate() (admission.Warnings, error) {
 	clusteradmissionpolicylog.Info("validate create", "name", r.Name)
-	errList := field.ErrorList{}
 
-	if errs := validateRulesField(r); len(errs) != 0 {
-		errList = append(errList, errs...)
-	}
-	if errs := validateMatchConditionsField(r); len(errs) != 0 {
-		errList = append(errList, errs...)
-	}
-	if len(errList) != 0 {
-		return nil, prepareInvalidAPIError(r, errList)
+	allErrors := validatePolicyCreate(r)
+	if len(allErrors) != 0 {
+		return nil, prepareInvalidAPIError(r, allErrors)
 	}
+
 	return nil, nil
 }
 
@@ -92,11 +88,17 @@ func (r *ClusterAdmissionPolicy) ValidateUpdate(old runtime.Object) (admission.W
 			fmt.Errorf("object is not of type ClusterAdmissionPolicy: %#v", old))
 	}
 
-	return nil, validatePolicyUpdate(oldPolicy, r)
+	allErrors := validatePolicyUpdate(oldPolicy, r)
+	if len(allErrors) != 0 {
+		return nil, prepareInvalidAPIError(r, allErrors)
+	}
+
+	return nil, nil
 }
 
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type.
 func (r *ClusterAdmissionPolicy) ValidateDelete() (admission.Warnings, error) {
 	clusteradmissionpolicylog.Info("validate delete", "name", r.Name)
+
 	return nil, nil
 }
diff --git a/api/policies/v1/clusteradmissionpolicygroup_webhook.go b/api/policies/v1/clusteradmissionpolicygroup_webhook.go
@@ -18,7 +18,6 @@ import (
 	"fmt"
 
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/util/validation/field"
 
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
@@ -68,21 +67,12 @@ var _ webhook.Validator = &ClusterAdmissionPolicyGroup{}
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type.
 func (r *ClusterAdmissionPolicyGroup) ValidateCreate() (admission.Warnings, error) {
 	clusteradmissionpolicygrouplog.Info("validate create", "name", r.Name)
-	errList := field.ErrorList{}
 
-	if errs := validateRulesField(r); len(errs) != 0 {
-		errList = append(errList, errs...)
-	}
-	if errs := validateMatchConditionsField(r); len(errs) != 0 {
-		errList = append(errList, errs...)
-	}
-	if err := validatePolicyGroupMembers(r); err != nil {
-		errList = append(errList, err)
+	allErrors := validatePolicyGroupCreate(r)
+	if len(allErrors) != 0 {
+		return nil, prepareInvalidAPIError(r, allErrors)
 	}
 
-	if len(errList) != 0 {
-		return nil, prepareInvalidAPIError(r, errList)
-	}
 	return nil, nil
 }
 
@@ -96,7 +86,11 @@ func (r *ClusterAdmissionPolicyGroup) ValidateUpdate(old runtime.Object) (admiss
 			fmt.Errorf("object is not of type ClusterAdmissionPolicyGroup: %#v", old))
 	}
 
-	return nil, validatePolicyUpdate(oldPolicy, r)
+	if allErrors := validatePolicyGroupUpdate(oldPolicy, r); len(allErrors) != 0 {
+		return nil, prepareInvalidAPIError(r, allErrors)
+	}
+
+	return nil, nil
 }
 
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type.

diff --git a/api/policies/v1/policy_utils_test.go b/api/policies/v1/policy_utils_test.go
@@ -54,7 +54,7 @@ func admissionPolicyGroupFactory() *AdmissionPolicyGroup {
 				Message:      "This is a test policy",
 				Policies: []PolicyGroupMember{
 					{
-						Name:                  "testing-policy",
+						Name:                  "mypolicy",
 						Module:                "ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
 						Settings:              runtime.RawExtension{},
 						ContextAwareResources: []ContextAwareResource{},
@@ -101,7 +101,7 @@ func clusterAdmissionPolicyGroupFactory() *ClusterAdmissionPolicyGroup {
 				Message:         "This is a test policy",
 				Policies: []PolicyGroupMember{
 					{
-						Name:                  "testing-policy",
+						Name:                  "mypolicy",
 						Module:                "ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
 						Settings:              runtime.RawExtension{},
 						ContextAwareResources: []ContextAwareResource{},