Merge pull request #567 from fabriziosestito/feat/raw-validations

feat: raw policy validation
kubewarden · Oct 26, 2023 · 8092637 · 8092637
2 parents dae81ef + 4e92d03
commit 8092637
Show file tree

Hide file tree

Showing 20 changed files with 707 additions and 384 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -28,7 +28,7 @@ opentelemetry = { version = "0.20", default-features = false, features = [
   "rt-tokio",
 ] }
 procfs = "0.15"
-policy-evaluator = { git = "https://github.com/kubewarden/policy-evaluator", tag = "v0.11.5" }
+policy-evaluator = { git = "https://github.com/kubewarden/policy-evaluator", tag = "v0.12.0" }
 rayon = "1.8"
 serde_json = "1.0"
 serde = { version = "1.0", features = ["derive"] }

diff --git a/e2e-tests/07-raw-policies.yml b/e2e-tests/07-raw-policies.yml
@@ -0,0 +1,115 @@
+name: Raw policies execution
+
+testcases:
+  - name: fixtures
+    steps:
+      - type: readfile
+        path: ./test_data/raw_validation.json
+        assertions:
+          - result.err ShouldBeEmpty
+        vars:
+          raw_validation:
+            from: result.content
+      - type: readfile
+        path: ./test_data/raw_mutation.json
+        assertions:
+          - result.err ShouldBeEmpty
+        vars:
+          raw_mutation:
+            from: result.content
+
+  - name: Raw waPC validation policy works as expected
+    steps:
+      - name: Accept
+        type: http
+        method: POST
+        url: http://localhost:3000/validate_raw/raw-validation
+        headers:
+          Content-Type: application/json
+        body: "{{ .fixtures.raw_validation }}"
+        assertions:
+          - result.statuscode ShouldEqual 200
+          - result.bodyjson.response.allowed ShouldEqual true
+          - result.bodyjson.response.status.code ShouldNotEqual 500
+          - result.bodyjson.response ShouldNotContainKey patch
+          - result.bodyjson.response ShouldNotContainKey patchType
+
+  - name: Raw waPC mutation policy accepts without mutating
+    steps:
+      - name: Accept
+        type: http
+        method: POST
+        url: http://localhost:3000/validate_raw/raw-mutation
+        headers:
+          Content-Type: application/json
+        body: "{{ .fixtures.raw_validation }}"
+        assertions:
+          - result.statuscode ShouldEqual 200
+          - result.bodyjson.response.allowed ShouldEqual true
+          - result.bodyjson.response.status.code ShouldNotEqual 500
+          - result.bodyjson.response ShouldNotContainKey patch
+          - result.bodyjson.response ShouldNotContainKey patchType
+
+  - name: Raw waPC mutation policy mutates the request
+    steps:
+      - name: Accept
+        type: http
+        method: POST
+        url: http://localhost:3000/validate_raw/raw-mutation
+        headers:
+          Content-Type: application/json
+        body: "{{ .fixtures.raw_mutation }}"
+        assertions:
+          - result.statuscode ShouldEqual 200
+          - result.bodyjson.response.allowed ShouldEqual true
+          - result.bodyjson.response.status.code ShouldNotEqual 500
+          - result.bodyjson.response ShouldContainKey patch
+          - result.bodyjson.response ShouldContainKey patchType
+
+  - name: Raw OPA validation policy works as expected
+    steps:
+      - name: Accept
+        type: http
+        method: POST
+        url: http://localhost:3000/validate_raw/raw-validation-opa
+        headers:
+          Content-Type: application/json
+        body: "{{ .fixtures.raw_validation }}"
+        assertions:
+          - result.statuscode ShouldEqual 200
+          - result.bodyjson.response.allowed ShouldEqual true
+          - result.bodyjson.response.status.code ShouldNotEqual 500
+          - result.bodyjson.response ShouldNotContainKey patch
+          - result.bodyjson.response ShouldNotContainKey patchType
+
+  - name: Raw WASI validation policy works as expected
+    steps:
+      - name: Accept
+        type: http
+        method: POST
+        url: http://localhost:3000/validate_raw/raw-validation-wasi
+        headers:
+          Content-Type: application/json
+        body: "{{ .fixtures.raw_validation }}"
+        assertions:
+          - result.statuscode ShouldEqual 200
+          - result.bodyjson.response.allowed ShouldEqual true
+          - result.bodyjson.response.status.code ShouldNotEqual 500
+          - result.bodyjson.response ShouldNotContainKey patch
+          - result.bodyjson.response ShouldNotContainKey patchType
+
+  - name: Raw WASI mutation policy mutates the request
+    steps:
+      - name: Accept
+        type: http
+        method: POST
+        url: http://localhost:3000/validate_raw/raw-mutation-wasi
+        headers:
+          Content-Type: application/json
+        body: "{{ .fixtures.raw_mutation }}"
+        assertions:
+          - result.statuscode ShouldEqual 200
+          - result.bodyjson.response.allowed ShouldEqual true
+          - result.bodyjson.response.status.code ShouldNotEqual 500
+          - result.bodyjson.response ShouldContainKey patch
+          - result.bodyjson.response ShouldContainKey patchType
diff --git a/e2e-tests/test_data/policies.yaml b/e2e-tests/test_data/policies.yaml
@@ -29,3 +29,46 @@ flux:
   settings:
     requiredAnnotations:
       "fluxcd.io/cat": "felix"
+
+raw-validation:
+  url: ghcr.io/kubewarden/tests/raw-validation-policy:v0.1.0
+  settings:
+    validUsers:
+      - "tonio"
+      - "wanda"
+    validActions:
+      - "eats"
+      - "likes"
+    validResources:
+      - "banana"
+      - "hay"
+
+raw-mutation:
+  url: ghcr.io/kubewarden/tests/raw-mutation-policy:v0.1.0
+  allowedToMutate: true
+  settings: {}
+
+raw-validation-opa:
+  url: ghcr.io/kubewarden/tests/raw-validation-opa-policy:v0.1.0
+  settings: {}
+
+raw-validation-wasi:
+  url: ghcr.io/kubewarden/tests/raw-validation-wasi-policy:v0.1.0
+  settings:
+    validUsers:
+      - "tonio"
+      - "wanda"
+    validActions:
+      - "eats"
+      - "likes"
+    validResources:
+      - "banana"
+      - "hay"
+
+raw-mutation-wasi:
+  url: ghcr.io/kubewarden/tests/raw-mutation-wasi-policy:v0.1.0
+  allowedToMutate: true
+  settings:
+    forbiddenResources:
+      - "banana"
+      - "carrot"
diff --git a/e2e-tests/test_data/raw_mutation.json b/e2e-tests/test_data/raw_mutation.json
@@ -0,0 +1,3 @@
+{
+  "request": { "user": "tonio", "action": "eats", "resource": "banana" }
+}
diff --git a/e2e-tests/test_data/raw_validation.json b/e2e-tests/test_data/raw_validation.json
@@ -0,0 +1,3 @@
+{
+  "request": { "user": "tonio", "action": "eats", "resource": "hay" }
+}
diff --git a/src/admission_review.rs b/src/admission_review.rs
@@ -1,19 +1,6 @@
+use policy_evaluator::admission_request::AdmissionRequest;
 use policy_evaluator::admission_response::AdmissionResponse;
 
-#[derive(Clone, Debug, Default, serde::Serialize, serde::Deserialize)]
-pub(crate) struct GroupVersionKind {
-    pub group: String,
-    pub version: String,
-    pub kind: String,
-}
-
-#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
-pub(crate) struct GroupVersionResource {
-    pub group: String,
-    pub version: String,
-    pub resource: String,
-}
-
 #[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
 #[serde(rename_all = "camelCase")]
 pub(crate) struct AdmissionReview {
@@ -49,37 +36,6 @@ impl Default for AdmissionReview {
         }
     }
 }
-
-#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
-#[serde(rename_all = "camelCase")]
-pub(crate) struct AdmissionRequest {
-    pub uid: String,
-    pub kind: GroupVersionKind,
-    pub resource: GroupVersionResource,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub sub_resource: Option<String>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub request_kind: Option<GroupVersionKind>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub request_resource: Option<GroupVersionResource>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub request_sub_resource: Option<String>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub name: Option<String>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub namespace: Option<String>,
-    pub operation: String,
-    pub user_info: k8s_openapi::api::authentication::v1::UserInfo,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub object: Option<k8s_openapi::apimachinery::pkg::runtime::RawExtension>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub old_object: Option<k8s_openapi::apimachinery::pkg::runtime::RawExtension>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub dry_run: Option<bool>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub options: Option<k8s_openapi::apimachinery::pkg::runtime::RawExtension>,
-}
-
 #[cfg(test)]
 pub(crate) mod tests {
     use super::*;