pepr 0.36.0 → 0.37.1

package/src/lib/filter.test.ts

@@ -6,12 +6,11 @@ import { kind, modelToGroupVersionKind } from "kubernetes-fluent-client";
 import * as fc from "fast-check";
 import { CreatePod, DeletePod } from "../fixtures/loader";
 import { shouldSkipRequest } from "./filter";
-import { Event, Binding } from "./types";
-import { AdmissionRequest } from "./k8s";
+import { AdmissionRequest, Binding, Event } from "./types";
 
-const callback = () => undefined;
+export const callback = () => undefined;
 
-const podKind = modelToGroupVersionKind(kind.Pod.name);
+export const podKind = modelToGroupVersionKind(kind.Pod.name);
 
 describe("Fuzzing shouldSkipRequest", () => {
   test("should handle random inputs without crashing", () => {
@@ -105,14 +104,35 @@ describe("Property-Based Testing shouldSkipRequest", () => {
   });
 });
 
-test("should reject when name does not match", () => {
+test("create: should reject when regex name does not match", () => {
   const binding = {
     model: kind.Pod,
     event: Event.Any,
     kind: podKind,
     filters: {
-      name: "bleh",
+      name: "",
+      namespaces: [],
+      regexNamespaces: [],
+      regexName: new RegExp(/^default$/).source,
+      labels: {},
+      annotations: {},
+      deletionTimestamp: false,
+    },
+    callback,
+  };
+  const pod = CreatePod();
+  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+});
+test("create: should not reject when regex name does match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
       namespaces: [],
+      regexNamespaces: [],
+      regexName: new RegExp(/^cool/).source,
       labels: {},
       annotations: {},
       deletionTimestamp: false,
@@ -120,10 +140,146 @@ test("should reject when name does not match", () => {
     callback,
   };
   const pod = CreatePod();
+  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+});
+test("delete: should reject when regex name does not match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: [],
+      regexNamespaces: [],
+      regexName: new RegExp(/^default$/).source,
+      labels: {},
+      annotations: {},
+      deletionTimestamp: false,
+    },
+    callback,
+  };
+  const pod = DeletePod();
+  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+});
+test("delete: should not reject when regex name does match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: [],
+      regexNamespaces: [],
+      regexName: new RegExp(/^cool/).source,
+      labels: {},
+      annotations: {},
+      deletionTimestamp: false,
+    },
+    callback,
+  };
+  const pod = DeletePod();
+  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+});
 
+test("create: should not reject when regex namespace does match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: [],
+      regexNamespaces: [new RegExp(/^helm/).source],
+      regexName: "",
+      labels: {},
+      annotations: {},
+      deletionTimestamp: false,
+    },
+    callback,
+  };
+  const pod = CreatePod();
+  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+});
+
+test("create: should reject when regex namespace does not match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: [],
+      regexNamespaces: [new RegExp(/^argo/).source],
+      regexName: "",
+      labels: {},
+      annotations: {},
+      deletionTimestamp: false,
+    },
+    callback,
+  };
+  const pod = CreatePod();
+  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+});
+
+test("delete: should reject when regex namespace does not match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "bleh",
+      namespaces: [],
+      regexNamespaces: [new RegExp(/^argo/).source],
+      regexName: "",
+      labels: {},
+      annotations: {},
+      deletionTimestamp: false,
+    },
+    callback,
+  };
+  const pod = DeletePod();
   expect(shouldSkipRequest(binding, pod, [])).toBe(true);
 });
 
+test("delete: should not reject when regex namespace does match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: [],
+      regexNamespaces: [new RegExp(/^helm/).source],
+      regexName: "",
+      labels: {},
+      annotations: {},
+      deletionTimestamp: false,
+    },
+    callback,
+  };
+  const pod = DeletePod();
+  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+});
+
+test("delete: should reject when name does not match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "bleh",
+      namespaces: [],
+      regexNamespaces: [],
+      regexName: new RegExp(/^not-cool/).source,
+      labels: {},
+      annotations: {},
+      deletionTimestamp: false,
+    },
+    callback,
+  };
+  const pod = DeletePod();
+  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+});
 test("should reject when kind does not match", () => {
   const binding = {
     model: kind.Pod,
@@ -132,6 +288,8 @@ test("should reject when kind does not match", () => {
     filters: {
       name: "",
       namespaces: [],
+      regexNamespaces: [],
+      regexName: "",
       labels: {},
       annotations: {},
       deletionTimestamp: false,
@@ -154,6 +312,8 @@ test("should reject when group does not match", () => {
       labels: {},
       annotations: {},
       deletionTimestamp: false,
+      regexNamespaces: [],
+      regexName: "",
     },
     callback,
   };
@@ -177,6 +337,8 @@ test("should reject when version does not match", () => {
       labels: {},
       annotations: {},
       deletionTimestamp: false,
+      regexNamespaces: [],
+      regexName: "",
     },
     callback,
   };
@@ -196,6 +358,8 @@ test("should allow when group, version, and kind match", () => {
       labels: {},
       annotations: {},
       deletionTimestamp: false,
+      regexNamespaces: [],
+      regexName: "",
     },
     callback,
   };
@@ -219,6 +383,8 @@ test("should allow when kind match and others are empty", () => {
       labels: {},
       annotations: {},
       deletionTimestamp: false,
+      regexNamespaces: [],
+      regexName: "",
     },
     callback,
   };
@@ -227,7 +393,7 @@ test("should allow when kind match and others are empty", () => {
   expect(shouldSkipRequest(binding, pod, [])).toBe(false);
 });
 
-test("should reject when teh capability namespace does not match", () => {
+test("should reject when the capability namespace does not match", () => {
   const binding = {
     model: kind.Pod,
     event: Event.Any,
@@ -238,6 +404,8 @@ test("should reject when teh capability namespace does not match", () => {
       labels: {},
       annotations: {},
       deletionTimestamp: false,
+      regexNamespaces: [],
+      regexName: "",
     },
     callback,
   };
@@ -257,6 +425,8 @@ test("should reject when namespace does not match", () => {
       labels: {},
       annotations: {},
       deletionTimestamp: false,
+      regexNamespaces: [],
+      regexName: "",
     },
     callback,
   };
@@ -272,10 +442,12 @@ test("should allow when namespace is match", () => {
     kind: podKind,
     filters: {
       name: "",
-      namespaces: ["default", "unicorn", "things"],
+      namespaces: ["helm-releasename", "unicorn", "things"],
       labels: {},
       annotations: {},
       deletionTimestamp: false,
+      regexNamespaces: [],
+      regexName: "",
     },
     callback,
   };
@@ -297,6 +469,8 @@ test("should reject when label does not match", () => {
       },
       annotations: {},
       deletionTimestamp: false,
+      regexNamespaces: [],
+      regexName: "",
     },
     callback,
   };
@@ -314,6 +488,8 @@ test("should allow when label is match", () => {
       name: "",
       deletionTimestamp: false,
       namespaces: [],
+      regexNamespaces: [],
+      regexName: "",
       labels: {
         foo: "bar",
         test: "test1",
@@ -347,6 +523,8 @@ test("should reject when annotation does not match", () => {
         foo: "bar",
       },
       deletionTimestamp: false,
+      regexNamespaces: [],
+      regexName: "",
     },
     callback,
   };
@@ -369,6 +547,8 @@ test("should allow when annotation is match", () => {
         test: "test1",
       },
       deletionTimestamp: false,
+      regexNamespaces: [],
+      regexName: "",
     },
     callback,
   };
@@ -392,6 +572,8 @@ test("should use `oldObject` when the operation is `DELETE`", () => {
     filters: {
       name: "",
       namespaces: [],
+      regexNamespaces: [],
+      regexName: "",
       deletionTimestamp: false,
       labels: {
         "app.kubernetes.io/name": "cool-name-podinfo",
@@ -417,6 +599,8 @@ test("should skip processing when deletionTimestamp is not present on pod", () =
       name: "",
       namespaces: [],
       labels: {},
+      regexNamespaces: [],
+      regexName: "",
       annotations: {
         foo: "bar",
         test: "test1",
@@ -446,6 +630,8 @@ test("should processing when deletionTimestamp is not present on pod", () => {
       name: "",
       namespaces: [],
       labels: {},
+      regexNamespaces: [],
+      regexName: "",
       annotations: {
         foo: "bar",
         test: "test1",

package/src/lib/filter.ts

@@ -1,9 +1,24 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-import { AdmissionRequest, Operation } from "./k8s";
-import logger from "./logger";
-import { Binding, Event } from "./types";
+import { AdmissionRequest, Binding, Operation } from "./types";
+import {
+  carriesIgnoredNamespace,
+  misboundDeleteWithDeletionTimestamp,
+  mismatchedDeletionTimestamp,
+  mismatchedAnnotations,
+  mismatchedLabels,
+  mismatchedName,
+  mismatchedNameRegex,
+  mismatchedNamespace,
+  mismatchedNamespaceRegex,
+  mismatchedEvent,
+  mismatchedGroup,
+  mismatchedVersion,
+  mismatchedKind,
+  unbindableNamespaces,
+  uncarryableNamespace,
+} from "./adjudicators";
 
 /**
  * shouldSkipRequest determines if a request should be skipped based on the binding filters.
@@ -12,108 +27,32 @@ import { Binding, Event } from "./types";
  * @param req the incoming request
  * @returns
  */
-export function shouldSkipRequest(binding: Binding, req: AdmissionRequest, capabilityNamespaces: string[]) {
-  const { group, kind, version } = binding.kind || {};
-  const { namespaces, labels, annotations, name } = binding.filters || {};
-  const operation = req.operation.toUpperCase();
-  const uid = req.uid;
-  // Use the old object if the request is a DELETE operation
-  const srcObject = operation === Operation.DELETE ? req.oldObject : req.object;
-  const { metadata } = srcObject || {};
-  const combinedNamespaces = [...namespaces, ...capabilityNamespaces];
-
-  // Delete bindings do not work through admission with DeletionTimestamp
-  if (binding.event.includes(Event.Delete) && binding.filters?.deletionTimestamp) {
-    return true;
-  }
-
-  // Test for deletionTimestamp
-  if (binding.filters?.deletionTimestamp && !req.object.metadata?.deletionTimestamp) {
-    return true;
-  }
-  // Test for matching operation
-  if (!binding.event.includes(operation) && !binding.event.includes(Event.Any)) {
-    return true;
-  }
-
-  // Test name first, since it's the most specific
-  if (name && name !== req.name) {
-    return true;
-  }
-
-  // Test for matching kinds
-  if (kind !== req.kind.kind) {
-    return true;
-  }
-
-  // Test for matching groups
-  if (group && group !== req.kind.group) {
-    return true;
-  }
-
-  // Test for matching versions
-  if (version && version !== req.kind.version) {
-    return true;
-  }
-
-  // Test for matching namespaces
-  if (
-    (combinedNamespaces.length && !combinedNamespaces.includes(req.namespace || "")) ||
-    (!namespaces.includes(req.namespace || "") && capabilityNamespaces.length !== 0 && namespaces.length !== 0)
-  ) {
-    let type = "";
-    let label = "";
-
-    if (binding.isMutate) {
-      type = "Mutate";
-      label = binding.mutateCallback!.name;
-    } else if (binding.isValidate) {
-      type = "Validate";
-      label = binding.validateCallback!.name;
-    } else if (binding.isWatch) {
-      type = "Watch";
-      label = binding.watchCallback!.name;
-    }
-
-    logger.debug({ uid }, `${type} binding (${label}) does not match request namespace "${req.namespace}"`);
-
-    return true;
-  }
-
-  // Test for matching labels
-  for (const [key, value] of Object.entries(labels)) {
-    const testKey = metadata?.labels?.[key];
-
-    // First check if the label exists
-    if (!testKey) {
-      logger.debug({ uid }, `Label ${key} does not exist`);
-      return true;
-    }
-
-    // Then check if the value matches, if specified
-    if (value && testKey !== value) {
-      logger.debug({ uid }, `${testKey} does not match ${value}`);
-      return true;
-    }
-  }
-
-  // Test for matching annotations
-  for (const [key, value] of Object.entries(annotations)) {
-    const testKey = metadata?.annotations?.[key];
-
-    // First check if the annotation exists
-    if (!testKey) {
-      logger.debug({ uid }, `Annotation ${key} does not exist`);
-      return true;
-    }
-
-    // Then check if the value matches, if specified
-    if (value && testKey !== value) {
-      logger.debug({ uid }, `${testKey} does not match ${value}`);
-      return true;
-    }
-  }
-
-  // No failed filters, so we should not skip this request
-  return false;
+export function shouldSkipRequest(
+  binding: Binding,
+  req: AdmissionRequest,
+  capabilityNamespaces: string[],
+  ignoredNamespaces?: string[],
+): boolean {
+  const obj = req.operation === Operation.DELETE ? req.oldObject : req.object;
+
+  // prettier-ignore
+  return (
+    misboundDeleteWithDeletionTimestamp(binding) ? true :
+    mismatchedDeletionTimestamp(binding, obj) ? true :
+    mismatchedEvent(binding, req) ? true :
+    mismatchedName(binding, obj) ? true :
+    mismatchedGroup(binding, req) ? true :
+    mismatchedVersion(binding, req) ? true :
+    mismatchedKind(binding, req) ? true :
+    unbindableNamespaces(capabilityNamespaces, binding) ? true :
+    uncarryableNamespace(capabilityNamespaces, obj) ? true :
+    mismatchedNamespace(binding, obj) ? true :
+    mismatchedLabels(binding, obj) ? true :
+    mismatchedAnnotations(binding, obj) ? true :
+    mismatchedNamespaceRegex(binding, obj) ? true :
+    mismatchedNameRegex(binding, obj) ? true :
+    carriesIgnoredNamespace(ignoredNamespaces, obj) ? true :
+
+    false
+  );
 }