pepr 0.35.0 → 0.37.0

package/src/lib/filter.test.ts

@@ -6,12 +6,11 @@ import { kind, modelToGroupVersionKind } from "kubernetes-fluent-client";
 import * as fc from "fast-check";
 import { CreatePod, DeletePod } from "../fixtures/loader";
 import { shouldSkipRequest } from "./filter";
-import { Event, Binding } from "./types";
-import { AdmissionRequest } from "./k8s";
+import { AdmissionRequest, Binding, Event } from "./types";
 
-const callback = () => undefined;
+export const callback = () => undefined;
 
-const podKind = modelToGroupVersionKind(kind.Pod.name);
+export const podKind = modelToGroupVersionKind(kind.Pod.name);
 
 describe("Fuzzing shouldSkipRequest", () => {
   test("should handle random inputs without crashing", () => {
@@ -29,6 +28,7 @@ describe("Fuzzing shouldSkipRequest", () => {
             namespaces: fc.array(fc.string()),
             labels: fc.dictionary(fc.string(), fc.string()),
             annotations: fc.dictionary(fc.string(), fc.string()),
+            deletionTimestamp: fc.boolean(),
           }),
         }),
         fc.record({
@@ -41,6 +41,11 @@ describe("Fuzzing shouldSkipRequest", () => {
             version: fc.string(),
             kind: fc.string(),
           }),
+          object: fc.record({
+            metadata: fc.record({
+              deletionTimestamp: fc.option(fc.date()),
+            }),
+          }),
         }),
         fc.array(fc.string()),
         (binding, req, capabilityNamespaces) => {
@@ -69,6 +74,7 @@ describe("Property-Based Testing shouldSkipRequest", () => {
             namespaces: fc.array(fc.string()),
             labels: fc.dictionary(fc.string(), fc.string()),
             annotations: fc.dictionary(fc.string(), fc.string()),
+            deletionTimestamp: fc.boolean(),
           }),
         }),
         fc.record({
@@ -81,6 +87,11 @@ describe("Property-Based Testing shouldSkipRequest", () => {
             version: fc.string(),
             kind: fc.string(),
           }),
+          object: fc.record({
+            metadata: fc.record({
+              deletionTimestamp: fc.option(fc.date()),
+            }),
+          }),
         }),
         fc.array(fc.string()),
         (binding, req, capabilityNamespaces) => {
@@ -93,24 +104,182 @@ describe("Property-Based Testing shouldSkipRequest", () => {
   });
 });
 
-test("should reject when name does not match", () => {
+test("create: should reject when regex name does not match", () => {
   const binding = {
     model: kind.Pod,
     event: Event.Any,
     kind: podKind,
     filters: {
-      name: "bleh",
+      name: "",
       namespaces: [],
+      regexNamespaces: [],
+      regexName: new RegExp(/^default$/).source,
       labels: {},
       annotations: {},
+      deletionTimestamp: false,
     },
     callback,
   };
   const pod = CreatePod();
+  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+});
+test("create: should not reject when regex name does match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: [],
+      regexNamespaces: [],
+      regexName: new RegExp(/^cool/).source,
+      labels: {},
+      annotations: {},
+      deletionTimestamp: false,
+    },
+    callback,
+  };
+  const pod = CreatePod();
+  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+});
+test("delete: should reject when regex name does not match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: [],
+      regexNamespaces: [],
+      regexName: new RegExp(/^default$/).source,
+      labels: {},
+      annotations: {},
+      deletionTimestamp: false,
+    },
+    callback,
+  };
+  const pod = DeletePod();
+  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+});
+test("delete: should not reject when regex name does match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: [],
+      regexNamespaces: [],
+      regexName: new RegExp(/^cool/).source,
+      labels: {},
+      annotations: {},
+      deletionTimestamp: false,
+    },
+    callback,
+  };
+  const pod = DeletePod();
+  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+});
 
+test("create: should not reject when regex namespace does match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: [],
+      regexNamespaces: [new RegExp(/^helm/).source],
+      regexName: "",
+      labels: {},
+      annotations: {},
+      deletionTimestamp: false,
+    },
+    callback,
+  };
+  const pod = CreatePod();
+  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+});
+
+test("create: should reject when regex namespace does not match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: [],
+      regexNamespaces: [new RegExp(/^argo/).source],
+      regexName: "",
+      labels: {},
+      annotations: {},
+      deletionTimestamp: false,
+    },
+    callback,
+  };
+  const pod = CreatePod();
+  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+});
+
+test("delete: should reject when regex namespace does not match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "bleh",
+      namespaces: [],
+      regexNamespaces: [new RegExp(/^argo/).source],
+      regexName: "",
+      labels: {},
+      annotations: {},
+      deletionTimestamp: false,
+    },
+    callback,
+  };
+  const pod = DeletePod();
   expect(shouldSkipRequest(binding, pod, [])).toBe(true);
 });
 
+test("delete: should not reject when regex namespace does match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: [],
+      regexNamespaces: [new RegExp(/^helm/).source],
+      regexName: "",
+      labels: {},
+      annotations: {},
+      deletionTimestamp: false,
+    },
+    callback,
+  };
+  const pod = DeletePod();
+  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+});
+
+test("delete: should reject when name does not match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "bleh",
+      namespaces: [],
+      regexNamespaces: [],
+      regexName: new RegExp(/^not-cool/).source,
+      labels: {},
+      annotations: {},
+      deletionTimestamp: false,
+    },
+    callback,
+  };
+  const pod = DeletePod();
+  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+});
 test("should reject when kind does not match", () => {
   const binding = {
     model: kind.Pod,
@@ -119,8 +288,11 @@ test("should reject when kind does not match", () => {
     filters: {
       name: "",
       namespaces: [],
+      regexNamespaces: [],
+      regexName: "",
       labels: {},
       annotations: {},
+      deletionTimestamp: false,
     },
     callback,
   };
@@ -139,6 +311,9 @@ test("should reject when group does not match", () => {
       namespaces: [],
       labels: {},
       annotations: {},
+      deletionTimestamp: false,
+      regexNamespaces: [],
+      regexName: "",
     },
     callback,
   };
@@ -161,6 +336,9 @@ test("should reject when version does not match", () => {
       namespaces: [],
       labels: {},
       annotations: {},
+      deletionTimestamp: false,
+      regexNamespaces: [],
+      regexName: "",
     },
     callback,
   };
@@ -179,6 +357,9 @@ test("should allow when group, version, and kind match", () => {
       namespaces: [],
       labels: {},
       annotations: {},
+      deletionTimestamp: false,
+      regexNamespaces: [],
+      regexName: "",
     },
     callback,
   };
@@ -201,6 +382,9 @@ test("should allow when kind match and others are empty", () => {
       namespaces: [],
       labels: {},
       annotations: {},
+      deletionTimestamp: false,
+      regexNamespaces: [],
+      regexName: "",
     },
     callback,
   };
@@ -209,7 +393,7 @@ test("should allow when kind match and others are empty", () => {
   expect(shouldSkipRequest(binding, pod, [])).toBe(false);
 });
 
-test("should reject when teh capability namespace does not match", () => {
+test("should reject when the capability namespace does not match", () => {
   const binding = {
     model: kind.Pod,
     event: Event.Any,
@@ -219,6 +403,9 @@ test("should reject when teh capability namespace does not match", () => {
       namespaces: [],
       labels: {},
       annotations: {},
+      deletionTimestamp: false,
+      regexNamespaces: [],
+      regexName: "",
     },
     callback,
   };
@@ -237,6 +424,9 @@ test("should reject when namespace does not match", () => {
       namespaces: ["bleh"],
       labels: {},
       annotations: {},
+      deletionTimestamp: false,
+      regexNamespaces: [],
+      regexName: "",
     },
     callback,
   };
@@ -252,9 +442,12 @@ test("should allow when namespace is match", () => {
     kind: podKind,
     filters: {
       name: "",
-      namespaces: ["default", "unicorn", "things"],
+      namespaces: ["helm-releasename", "unicorn", "things"],
       labels: {},
       annotations: {},
+      deletionTimestamp: false,
+      regexNamespaces: [],
+      regexName: "",
     },
     callback,
   };
@@ -275,6 +468,9 @@ test("should reject when label does not match", () => {
         foo: "bar",
       },
       annotations: {},
+      deletionTimestamp: false,
+      regexNamespaces: [],
+      regexName: "",
     },
     callback,
   };
@@ -290,8 +486,10 @@ test("should allow when label is match", () => {
     kind: podKind,
     filters: {
       name: "",
-
+      deletionTimestamp: false,
       namespaces: [],
+      regexNamespaces: [],
+      regexName: "",
       labels: {
         foo: "bar",
         test: "test1",
@@ -324,6 +522,9 @@ test("should reject when annotation does not match", () => {
       annotations: {
         foo: "bar",
       },
+      deletionTimestamp: false,
+      regexNamespaces: [],
+      regexName: "",
     },
     callback,
   };
@@ -345,6 +546,9 @@ test("should allow when annotation is match", () => {
         foo: "bar",
         test: "test1",
       },
+      deletionTimestamp: false,
+      regexNamespaces: [],
+      regexName: "",
     },
     callback,
   };
@@ -368,6 +572,9 @@ test("should use `oldObject` when the operation is `DELETE`", () => {
     filters: {
       name: "",
       namespaces: [],
+      regexNamespaces: [],
+      regexName: "",
+      deletionTimestamp: false,
       labels: {
         "app.kubernetes.io/name": "cool-name-podinfo",
       },
@@ -382,3 +589,66 @@ test("should use `oldObject` when the operation is `DELETE`", () => {
 
   expect(shouldSkipRequest(binding, pod, [])).toBe(false);
 });
+
+test("should skip processing when deletionTimestamp is not present on pod", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {},
+      regexNamespaces: [],
+      regexName: "",
+      annotations: {
+        foo: "bar",
+        test: "test1",
+      },
+      deletionTimestamp: true,
+    },
+    callback,
+  };
+
+  const pod = CreatePod();
+  pod.object.metadata = pod.object.metadata || {};
+  pod.object.metadata.annotations = {
+    foo: "bar",
+    test: "test1",
+    test2: "test2",
+  };
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+});
+
+test("should processing when deletionTimestamp is not present on pod", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {},
+      regexNamespaces: [],
+      regexName: "",
+      annotations: {
+        foo: "bar",
+        test: "test1",
+      },
+      deletionTimestamp: true,
+    },
+    callback,
+  };
+
+  const pod = CreatePod();
+  pod.object.metadata = pod.object.metadata || {};
+  pod.object.metadata!.deletionTimestamp = new Date("2021-09-01T00:00:00Z");
+  pod.object.metadata.annotations = {
+    foo: "bar",
+    test: "test1",
+    test2: "test2",
+  };
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+});

package/src/lib/filter.ts

@@ -1,9 +1,24 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-import { AdmissionRequest, Operation } from "./k8s";
-import logger from "./logger";
-import { Binding, Event } from "./types";
+import { AdmissionRequest, Binding, Operation } from "./types";
+import {
+  carriesIgnoredNamespace,
+  misboundDeleteWithDeletionTimestamp,
+  mismatchedDeletionTimestamp,
+  mismatchedAnnotations,
+  mismatchedLabels,
+  mismatchedName,
+  mismatchedNameRegex,
+  mismatchedNamespace,
+  mismatchedNamespaceRegex,
+  mismatchedEvent,
+  mismatchedGroup,
+  mismatchedVersion,
+  mismatchedKind,
+  unbindableNamespaces,
+  uncarryableNamespace,
+} from "./adjudicators";
 
 /**
  * shouldSkipRequest determines if a request should be skipped based on the binding filters.
@@ -12,99 +27,32 @@ import { Binding, Event } from "./types";
  * @param req the incoming request
  * @returns
  */
-export function shouldSkipRequest(binding: Binding, req: AdmissionRequest, capabilityNamespaces: string[]) {
-  const { group, kind, version } = binding.kind || {};
-  const { namespaces, labels, annotations, name } = binding.filters || {};
-  const operation = req.operation.toUpperCase();
-  const uid = req.uid;
-  // Use the old object if the request is a DELETE operation
-  const srcObject = operation === Operation.DELETE ? req.oldObject : req.object;
-  const { metadata } = srcObject || {};
-  const combinedNamespaces = [...namespaces, ...capabilityNamespaces];
-
-  // Test for matching operation
-  if (!binding.event.includes(operation) && !binding.event.includes(Event.Any)) {
-    return true;
-  }
-
-  // Test name first, since it's the most specific
-  if (name && name !== req.name) {
-    return true;
-  }
-
-  // Test for matching kinds
-  if (kind !== req.kind.kind) {
-    return true;
-  }
-
-  // Test for matching groups
-  if (group && group !== req.kind.group) {
-    return true;
-  }
-
-  // Test for matching versions
-  if (version && version !== req.kind.version) {
-    return true;
-  }
-
-  // Test for matching namespaces
-  if (
-    (combinedNamespaces.length && !combinedNamespaces.includes(req.namespace || "")) ||
-    (!namespaces.includes(req.namespace || "") && capabilityNamespaces.length !== 0 && namespaces.length !== 0)
-  ) {
-    let type = "";
-    let label = "";
-
-    if (binding.isMutate) {
-      type = "Mutate";
-      label = binding.mutateCallback!.name;
-    } else if (binding.isValidate) {
-      type = "Validate";
-      label = binding.validateCallback!.name;
-    } else if (binding.isWatch) {
-      type = "Watch";
-      label = binding.watchCallback!.name;
-    }
-
-    logger.debug({ uid }, `${type} binding (${label}) does not match request namespace "${req.namespace}"`);
-
-    return true;
-  }
-
-  // Test for matching labels
-  for (const [key, value] of Object.entries(labels)) {
-    const testKey = metadata?.labels?.[key];
-
-    // First check if the label exists
-    if (!testKey) {
-      logger.debug({ uid }, `Label ${key} does not exist`);
-      return true;
-    }
-
-    // Then check if the value matches, if specified
-    if (value && testKey !== value) {
-      logger.debug({ uid }, `${testKey} does not match ${value}`);
-      return true;
-    }
-  }
-
-  // Test for matching annotations
-  for (const [key, value] of Object.entries(annotations)) {
-    const testKey = metadata?.annotations?.[key];
-
-    // First check if the annotation exists
-    if (!testKey) {
-      logger.debug({ uid }, `Annotation ${key} does not exist`);
-      return true;
-    }
-
-    // Then check if the value matches, if specified
-    if (value && testKey !== value) {
-      logger.debug({ uid }, `${testKey} does not match ${value}`);
-      return true;
-    }
-  }
-
-  // No failed filters, so we should not skip this request
-  return false;
+export function shouldSkipRequest(
+  binding: Binding,
+  req: AdmissionRequest,
+  capabilityNamespaces: string[],
+  ignoredNamespaces?: string[],
+): boolean {
+  const obj = req.operation === Operation.DELETE ? req.oldObject : req.object;
+
+  // prettier-ignore
+  return (
+    misboundDeleteWithDeletionTimestamp(binding) ? true :
+    mismatchedDeletionTimestamp(binding, obj) ? true :
+    mismatchedEvent(binding, req) ? true :
+    mismatchedName(binding, obj) ? true :
+    mismatchedGroup(binding, req) ? true :
+    mismatchedVersion(binding, req) ? true :
+    mismatchedKind(binding, req) ? true :
+    unbindableNamespaces(capabilityNamespaces, binding) ? true :
+    uncarryableNamespace(capabilityNamespaces, obj) ? true :
+    mismatchedNamespace(binding, obj) ? true :
+    mismatchedLabels(binding, obj) ? true :
+    mismatchedAnnotations(binding, obj) ? true :
+    mismatchedNamespaceRegex(binding, obj) ? true :
+    mismatchedNameRegex(binding, obj) ? true :
+    carriesIgnoredNamespace(ignoredNamespaces, obj) ? true :
+
+    false
+  );
 }