pepr 0.36.0 → 0.37.0

package/src/lib/helpers.test.ts

@@ -1,37 +1,38 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-import { Binding, CapabilityExport } from "./types";
+import { Binding, CapabilityExport, Event } from "./types";
 import {
-  createRBACMap,
   addVerbIfNotExists,
-  checkOverlap,
+  bindingAndCapabilityNSConflict,
+  createDirectoryIfNotExists,
+  createRBACMap,
+  checkDeploymentStatus,
   filterNoMatchReason,
+  dedent,
+  generateWatchNamespaceError,
+  hasAnyOverlap,
+  hasEveryOverlap,
+  ignoredNamespaceConflict,
+  matchesRegex,
+  namespaceDeploymentsReady,
+  namespaceComplianceValidator,
+  parseTimeout,
+  replaceString,
+  secretOverLimit,
   validateHash,
-  ValidationError,
   validateCapabilityNames,
+  ValidationError,
 } from "./helpers";
 import { sanitizeResourceName } from "../sdk/sdk";
 import * as fc from "fast-check";
 import { expect, describe, test, jest, beforeEach, afterEach } from "@jest/globals";
-import { parseTimeout, secretOverLimit, replaceString } from "./helpers";
 import { promises as fs } from "fs";
-
-import {
-  createDirectoryIfNotExists,
-  hasAnyOverlap,
-  hasEveryOverlap,
-  ignoredNamespaceConflict,
-  bindingAndCapabilityNSConflict,
-  generateWatchNamespaceError,
-  namespaceComplianceValidator,
-  dedent,
-} from "./helpers";
 import { SpiedFunction } from "jest-mock";
-
-import { K8s, GenericClass, KubernetesObject } from "kubernetes-fluent-client";
+import { K8s, GenericClass, KubernetesObject, kind } from "kubernetes-fluent-client";
 import { K8sInit } from "kubernetes-fluent-client/dist/fluent/types";
-import { checkDeploymentStatus, namespaceDeploymentsReady } from "./helpers";
+
+export const callback = () => undefined;
 
 jest.mock("kubernetes-fluent-client", () => {
   return {
@@ -336,6 +337,7 @@ describe("validateCapabilityNames", () => {
     expect(validateCapabilityNames(undefined)).toBe(undefined);
   });
 });
+
 describe("createRBACMap", () => {
   test("should return the correct RBACMap for given capabilities", () => {
     const result = createRBACMap(mockCapabilities);
@@ -606,8 +608,75 @@ describe("namespaceComplianceValidator", () => {
   afterEach(() => {
     errorSpy.mockRestore();
   });
-
-  test("should not throw an error for invalid namespaces", () => {
+  test("should throw error for invalid regex namespaces", () => {
+    const nsViolationCapability: CapabilityExport = {
+      ...nonNsViolation[0],
+      bindings: nonNsViolation[0].bindings.map(binding => ({
+        ...binding,
+        filters: {
+          ...binding.filters,
+          namespaces: [],
+          regexNamespaces: [new RegExp(/^system/).source],
+        },
+      })),
+    };
+    expect(() => {
+      namespaceComplianceValidator(nsViolationCapability);
+    }).toThrowError(
+      `Ignoring Watch Callback: Object namespace does not match any capability namespace with regex ${nsViolationCapability.bindings[0].filters.regexNamespaces[0]}.`,
+    );
+  });
+  test("should not throw an error for valid regex namespaces", () => {
+    const nonnsViolationCapability: CapabilityExport = {
+      ...nonNsViolation[0],
+      bindings: nonNsViolation[0].bindings.map(binding => ({
+        ...binding,
+        filters: {
+          ...binding.filters,
+          namespaces: [],
+          regexNamespaces: [new RegExp(/^mia/).source],
+        },
+      })),
+    };
+    expect(() => {
+      namespaceComplianceValidator(nonnsViolationCapability);
+    }).not.toThrow();
+  });
+  test("should throw error for invalid regex ignored namespaces", () => {
+    const nsViolationCapability: CapabilityExport = {
+      ...nonNsViolation[0],
+      bindings: nonNsViolation[0].bindings.map(binding => ({
+        ...binding,
+        filters: {
+          ...binding.filters,
+          namespaces: [],
+          regexNamespaces: [new RegExp(/^mia/).source],
+        },
+      })),
+    };
+    expect(() => {
+      namespaceComplianceValidator(nsViolationCapability, ["miami"]);
+    }).toThrowError(
+      `Ignoring Watch Callback: Regex namespace: ${nsViolationCapability.bindings[0].filters.regexNamespaces[0]}, is an ignored namespace: miami.`,
+    );
+  });
+  test("should not throw an error for valid regex ignored namespaces", () => {
+    const nonnsViolationCapability: CapabilityExport = {
+      ...nonNsViolation[0],
+      bindings: nonNsViolation[0].bindings.map(binding => ({
+        ...binding,
+        filters: {
+          ...binding.filters,
+          namespaces: [],
+          regexNamespaces: [new RegExp(/^mia/).source],
+        },
+      })),
+    };
+    expect(() => {
+      namespaceComplianceValidator(nonnsViolationCapability, ["Seattle"]);
+    }).not.toThrow();
+  });
+  test("should not throw an error for valid namespaces", () => {
     expect(() => {
       namespaceComplianceValidator(nonNsViolation[0]);
     }).not.toThrow();
@@ -998,49 +1067,109 @@ describe("replaceString", () => {
   });
 });
 
-describe("checkOverlap", () => {
-  test("should return false since all binding annotations/labels do not exist on the object", () => {
-    expect(checkOverlap({ key1: "", key2: "" }, { key1: "something" })).toBe(false);
-  });
-  test("should return false since all binding annotations/labels values do not match on the object values", () => {
-    expect(checkOverlap({ key1: "key1", key2: "key2" }, { key1: "value1", key2: "key2" })).toBe(false);
-  });
-  test("should return true since all binding annotations/labels keys and values match the object keys and values", () => {
-    expect(checkOverlap({ key1: "key1", key2: "key2" }, { key1: "key1", key2: "key2" })).toBe(true);
-  });
-
-  test("should return true since all binding annotations/labels keys exist on the object", () => {
-    expect(checkOverlap({ key1: "", key2: "" }, { key1: "key1", key2: "key2" })).toBe(true);
-  });
-
-  test("(Mixed) should return true since key and key value match on object", () => {
-    expect(checkOverlap({ key1: "one", key2: "" }, { key1: "one", key2: "something" })).toBe(true);
-  });
-  test("(Mixed) should return false since key1 value is different on object", () => {
-    expect(checkOverlap({ key1: "one", key2: "" }, { key1: "different", key2: "" })).toBe(false);
-  });
-  test("should return true if binding has no labels or annotations", () => {
-    expect(checkOverlap({}, { key1: "value1" })).toBe(true);
-  });
-
-  test("should return false if there is no overlap", () => {
-    expect(checkOverlap({ key1: "value1" }, { key2: "value2" })).toBe(false);
+describe("filterNoMatchReason", () => {
+  test("returns regex namespace filter error for Pods whos namespace does not match the regex", () => {
+    const binding = {
+      kind: { kind: "Pod" },
+      filters: { regexNamespaces: ["(.*)-system"], namespaces: [] },
+    };
+    const obj = { metadata: { namespace: "pepr-demo" } };
+    const objArray = [
+      { ...obj },
+      { ...obj, metadata: { namespace: "pepr-uds" } },
+      { ...obj, metadata: { namespace: "pepr-core" } },
+      { ...obj, metadata: { namespace: "uds-ns" } },
+      { ...obj, metadata: { namespace: "uds" } },
+    ];
+    const capabilityNamespaces: string[] = [];
+    objArray.map(object => {
+      const result = filterNoMatchReason(
+        binding as unknown as Partial<Binding>,
+        object as unknown as Partial<KubernetesObject>,
+        capabilityNamespaces,
+      );
+      expect(result).toEqual(
+        `Ignoring Watch Callback: Binding defines namespace regexes '["(.*)-system"]' but Object carries '${object?.metadata?.namespace}'.`,
+      );
+    });
   });
 
-  test("should return true since object has key1 and value1", () => {
-    expect(checkOverlap({ key1: "value1" }, { key1: "value1", key2: "value2" })).toBe(true);
+  test("returns no regex namespace filter error for Pods whos namespace does match the regex", () => {
+    const binding = {
+      kind: { kind: "Pod" },
+      filters: { regexNamespaces: [/(.*)-system/], namespaces: [] },
+    };
+    const obj = { metadata: { namespace: "pepr-demo" } };
+    const objArray = [
+      { ...obj, metadata: { namespace: "pepr-system" } },
+      { ...obj, metadata: { namespace: "pepr-uds-system" } },
+      { ...obj, metadata: { namespace: "uds-system" } },
+      { ...obj, metadata: { namespace: "some-thing-that-is-a-system" } },
+      { ...obj, metadata: { namespace: "your-system" } },
+    ];
+    const capabilityNamespaces: string[] = [];
+    objArray.map(object => {
+      const result = filterNoMatchReason(
+        binding as unknown as Partial<Binding>,
+        object as unknown as Partial<KubernetesObject>,
+        capabilityNamespaces,
+      );
+      expect(result).toEqual(``);
+    });
   });
 
-  test("should return false since object value does not match binding value", () => {
-    expect(checkOverlap({ key1: "value1" }, { key1: "value2" })).toBe(false);
+  // Names Fail
+  test("returns regex name filter error for Pods whos name does not match the regex", () => {
+    const binding = {
+      kind: { kind: "Pod" },
+      filters: { regexName: "^system", namespaces: [] },
+    };
+    const obj = { metadata: { name: "pepr-demo" } };
+    const objArray = [
+      { ...obj },
+      { ...obj, metadata: { name: "pepr-uds" } },
+      { ...obj, metadata: { name: "pepr-core" } },
+      { ...obj, metadata: { name: "uds-ns" } },
+      { ...obj, metadata: { name: "uds" } },
+    ];
+    const capabilityNamespaces: string[] = [];
+    objArray.map(object => {
+      const result = filterNoMatchReason(
+        binding as unknown as Partial<Binding>,
+        object as unknown as Partial<KubernetesObject>,
+        capabilityNamespaces,
+      );
+      expect(result).toEqual(
+        `Ignoring Watch Callback: Binding defines name regex '^system' but Object carries '${object?.metadata?.name}'.`,
+      );
+    });
   });
 
-  test("should return true if the object has no labels and neither does the binding", () => {
-    expect(checkOverlap({}, {})).toBe(true);
+  // Names Pass
+  test("returns no regex name filter error for Pods whos name does match the regex", () => {
+    const binding = {
+      kind: { kind: "Pod" },
+      filters: { regexName: /^system/, namespaces: [] },
+    };
+    const obj = { metadata: { name: "pepr-demo" } };
+    const objArray = [
+      { ...obj, metadata: { name: "systemd" } },
+      { ...obj, metadata: { name: "systemic" } },
+      { ...obj, metadata: { name: "system-of-kube-apiserver" } },
+      { ...obj, metadata: { name: "system" } },
+      { ...obj, metadata: { name: "system-uds" } },
+    ];
+    const capabilityNamespaces: string[] = [];
+    objArray.map(object => {
+      const result = filterNoMatchReason(
+        binding as unknown as Partial<Binding>,
+        object as unknown as Partial<KubernetesObject>,
+        capabilityNamespaces,
+      );
+      expect(result).toEqual(``);
+    });
   });
-});
 
-describe("filterMatcher", () => {
   test("returns namespace filter error for namespace objects with namespace filters", () => {
     const binding = {
       kind: { kind: "Namespace" },
@@ -1053,7 +1182,40 @@ describe("filterMatcher", () => {
       obj as unknown as Partial<KubernetesObject>,
       capabilityNamespaces,
     );
-    expect(result).toEqual("Ignoring Watch Callback: Cannot use a namespace filter in a namespace object.");
+    expect(result).toEqual("Ignoring Watch Callback: Cannot use namespace filter on a namespace object.");
+  });
+
+  test("return an Ignoring Watch Callback string if the binding name and object name are different", () => {
+    const binding = {
+      filters: { name: "pepr" },
+    };
+    const obj = {
+      metadata: {
+        name: "not-pepr",
+      },
+    };
+    const capabilityNamespaces: string[] = [];
+    const result = filterNoMatchReason(
+      binding as unknown as Partial<Binding>,
+      obj as unknown as Partial<KubernetesObject>,
+      capabilityNamespaces,
+    );
+    expect(result).toEqual(`Ignoring Watch Callback: Binding defines name 'pepr' but Object carries 'not-pepr'.`);
+  });
+  test("returns no Ignoring Watch Callback string if the binding name and object name are the same", () => {
+    const binding = {
+      filters: { name: "pepr" },
+    };
+    const obj = {
+      metadata: { name: "pepr" },
+    };
+    const capabilityNamespaces: string[] = [];
+    const result = filterNoMatchReason(
+      binding as unknown as Partial<Binding>,
+      obj as unknown as Partial<KubernetesObject>,
+      capabilityNamespaces,
+    );
+    expect(result).toEqual("");
   });
 
   test("return deletionTimestamp error when there is no deletionTimestamp in the object", () => {
@@ -1069,7 +1231,7 @@ describe("filterMatcher", () => {
       obj as unknown as Partial<KubernetesObject>,
       capabilityNamespaces,
     );
-    expect(result).toEqual("Ignoring Watch Callback: Object does not have a deletion timestamp.");
+    expect(result).toEqual("Ignoring Watch Callback: Binding defines deletionTimestamp but Object does not carry it.");
   });
 
   test("return no deletionTimestamp error when there is a deletionTimestamp in the object", () => {
@@ -1087,7 +1249,7 @@ describe("filterMatcher", () => {
       obj as unknown as Partial<KubernetesObject>,
       capabilityNamespaces,
     );
-    expect(result).not.toEqual("Ignoring Watch Callback: Object does not have a deletion timestamp.");
+    expect(result).not.toEqual("Ignoring Watch Callback: Binding defines deletionTimestamp Object does not carry it.");
   });
 
   test("returns label overlap error when there is no overlap between binding and object labels", () => {
@@ -1104,7 +1266,7 @@ describe("filterMatcher", () => {
       capabilityNamespaces,
     );
     expect(result).toEqual(
-      'Ignoring Watch Callback: No overlap between binding and object labels. Binding labels {"key":"value"}, Object Labels {"anotherKey":"anotherValue"}.',
+      `Ignoring Watch Callback: Binding defines labels '{"key":"value"}' but Object carries '{"anotherKey":"anotherValue"}'.`,
     );
   });
 
@@ -1122,29 +1284,48 @@ describe("filterMatcher", () => {
       capabilityNamespaces,
     );
     expect(result).toEqual(
-      'Ignoring Watch Callback: No overlap between binding and object annotations. Binding annotations {"key":"value"}, Object annotations {"anotherKey":"anotherValue"}.',
+      `Ignoring Watch Callback: Binding defines annotations '{"key":"value"}' but Object carries '{"anotherKey":"anotherValue"}'.`,
     );
   });
 
   test("returns capability namespace error when object is not in capability namespaces", () => {
-    const binding = {};
+    const binding = {
+      model: kind.Pod,
+      event: Event.Any,
+      kind: {
+        group: "",
+        version: "v1",
+        kind: "Pod",
+      },
+      filters: {
+        name: "bleh",
+        namespaces: [],
+        regexNamespaces: [],
+        regexName: "",
+        labels: {},
+        annotations: {},
+        deletionTimestamp: false,
+      },
+      callback,
+    };
+
     const obj = {
-      metadata: { namespace: "ns2" },
+      metadata: { namespace: "ns2", name: "bleh" },
     };
     const capabilityNamespaces = ["ns1"];
     const result = filterNoMatchReason(
-      binding as unknown as Partial<Binding>,
+      binding as Binding,
       obj as unknown as Partial<KubernetesObject>,
       capabilityNamespaces,
     );
     expect(result).toEqual(
-      "Ignoring Watch Callback: Object is not in the capability namespace. Capability namespaces: ns1, Object namespace: ns2.",
+      `Ignoring Watch Callback: Object carries namespace 'ns2' but namespaces allowed by Capability are '["ns1"]'.`,
     );
   });
 
   test("returns binding namespace error when filter namespace is not part of capability namespaces", () => {
     const binding = {
-      filters: { namespaces: ["ns3"] },
+      filters: { namespaces: ["ns3"], regexNamespaces: [] },
     };
     const obj = {};
     const capabilityNamespaces = ["ns1", "ns2"];
@@ -1154,13 +1335,13 @@ describe("filterMatcher", () => {
       capabilityNamespaces,
     );
     expect(result).toEqual(
-      "Ignoring Watch Callback: Binding namespace is not part of capability namespaces. Capability namespaces: ns1, ns2, Binding namespaces: ns3.",
+      `Ignoring Watch Callback: Binding defines namespaces ["ns3"] but namespaces allowed by Capability are '["ns1","ns2"]'.`,
     );
   });
 
   test("returns binding and object namespace error when they do not overlap", () => {
     const binding = {
-      filters: { namespaces: ["ns1"] },
+      filters: { namespaces: ["ns1"], regexNamespaces: [] },
     };
     const obj = {
       metadata: { namespace: "ns2" },
@@ -1171,8 +1352,26 @@ describe("filterMatcher", () => {
       obj as unknown as Partial<KubernetesObject>,
       capabilityNamespaces,
     );
+    expect(result).toEqual(`Ignoring Watch Callback: Binding defines namespaces '["ns1"]' but Object carries 'ns2'.`);
+  });
+
+  test("return watch violation message when object is in an ignored namespace", () => {
+    const binding = {
+      filters: { namespaces: ["ns3"] },
+    };
+    const obj = {
+      metadata: { namespace: "ns3" },
+    };
+    const capabilityNamespaces = ["ns3"];
+    const ignoredNamespaces = ["ns3"];
+    const result = filterNoMatchReason(
+      binding as unknown as Partial<Binding>,
+      obj as unknown as Partial<KubernetesObject>,
+      capabilityNamespaces,
+      ignoredNamespaces,
+    );
     expect(result).toEqual(
-      "Ignoring Watch Callback: Binding namespace and object namespace are not the same. Binding namespaces: ns1, Object namespace: ns2.",
+      `Ignoring Watch Callback: Object carries namespace 'ns3' but ignored namespaces include '["ns3"]'.`,
     );
   });
 
@@ -1224,3 +1423,64 @@ describe("validateHash", () => {
     expect(() => validateHash(validHash)).not.toThrow();
   });
 });
+
+describe("matchesRegex", () => {
+  test("should return true for a valid pattern that matches the string", () => {
+    const pattern = /abc/;
+    const testString = "abc123";
+    const result = matchesRegex(new RegExp(pattern).source, testString);
+    expect(result).toBe(true);
+  });
+
+  test("should return false for a valid pattern that does not match the string", () => {
+    const pattern = /xyz/;
+    const testString = "abc123";
+    const result = matchesRegex(new RegExp(pattern).source, testString);
+    expect(result).toBe(false);
+  });
+
+  test("should return false for an invalid regex pattern", () => {
+    const invalidPattern = new RegExp(/^p/); // Invalid regex with unclosed bracket
+    const testString = "test";
+    const result = matchesRegex(invalidPattern.source, testString);
+    expect(result).toBe(false);
+  });
+
+  test("should return false when pattern is null or undefined", () => {
+    const testString = "abc123";
+    // Check for undefined
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    expect(matchesRegex(undefined as any, testString)).toBe(false);
+    // Check for null
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    expect(matchesRegex(null as any, testString)).toBe(false);
+  });
+
+  test("should return true for an empty string matching an empty regex", () => {
+    const pattern = new RegExp("");
+    const testString = "";
+    const result = matchesRegex(new RegExp(pattern).source, testString);
+    expect(result).toBe(true);
+  });
+
+  test("should return false for an empty string and a non-empty regex", () => {
+    const pattern = new RegExp("abc");
+    const testString = "";
+    const result = matchesRegex(new RegExp(pattern).source, testString);
+    expect(result).toBe(false);
+  });
+
+  test("should return true for a complex valid regex that matches", () => {
+    const pattern = /^[a-zA-Z0-9]+@[a-zA-Z0-9]+\.[A-Za-z]+$/;
+    const testString = "test@example.com";
+    const result = matchesRegex(new RegExp(pattern).source, testString);
+    expect(result).toBe(true);
+  });
+
+  test("should return false for a complex valid regex that does not match", () => {
+    const pattern = /^[a-zA-Z0-9]+@[a-zA-Z0-9]+\.[A-Za-z]+$/;
+    const testString = "invalid-email.com";
+    const result = matchesRegex(new RegExp(pattern).source, testString);
+    expect(result).toBe(false);
+  });
+});