pepr 0.46.0 → 0.46.1-nightly.0

package/package.json

@@ -15,7 +15,7 @@
     "!src/**/*.test.ts",
     "!dist/**/*.test.d.ts*"
   ],
-  "version": "0.46.0",
+  "version": "0.46.1-nightly.0",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {
@@ -52,7 +52,7 @@
     "follow-redirects": "1.15.9",
     "http-status-codes": "^2.3.0",
     "json-pointer": "^0.6.2",
-    "kubernetes-fluent-client": "3.4.0",
+    "kubernetes-fluent-client": "3.4.2",
     "pino": "9.6.0",
     "pino-pretty": "13.0.0",
     "prom-client": "15.1.3",
@@ -76,12 +76,11 @@
     "jest": "29.7.0",
     "js-yaml": "^4.1.0",
     "shellcheck": "^3.0.0",
-    "ts-jest": "29.2.5",
+    "ts-jest": "29.2.6",
     "undici": "^7.0.1"
   },
   "overrides": {
-    "glob": "^9.0.0",
-    "jsonpath-plus": "^10.3.0"
+    "glob": "^9.0.0"
   },
   "peerDependencies": {
     "@types/prompts": "2.4.9",
@@ -96,4 +95,4 @@
     "typescript": "5.7.3",
     "uuid": "11.0.5"
   }
-}
+}

package/src/cli/init/index.ts

@@ -9,10 +9,11 @@ import { RootCmd } from "../root";
 import {
   codeSettings,
   eslint,
-  genPeprTS,
+  peprTSTemplate,
   genPkgJSON,
   gitignore,
   helloPepr,
+  peprPackageJSON,
   prettier,
   readme,
   samplesYaml,
@@ -50,29 +51,15 @@ export default function (program: RootCmd): void {
     .action(async opts => {
       const dirName = sanitizeName(response.name);
       const packageJSON = genPkgJSON(response, pkgOverride);
-      const peprTS = genPeprTS();
 
-      const confirmed = await confirm(dirName, packageJSON, peprTS.path, opts.confirm);
+      const confirmed = await confirm(dirName, packageJSON, peprTSTemplate.path, opts.confirm);
 
       if (confirmed) {
         console.log("Creating new Pepr module...");
 
         try {
-          await createDir(dirName);
-          await createDir(resolve(dirName, ".vscode"));
-          await createDir(resolve(dirName, "capabilities"));
-
-          await write(resolve(dirName, gitignore.path), gitignore.data);
-          await write(resolve(dirName, eslint.path), eslint.data);
-          await write(resolve(dirName, prettier.path), prettier.data);
-          await write(resolve(dirName, packageJSON.path), packageJSON.data);
-          await write(resolve(dirName, readme.path), readme.data);
-          await write(resolve(dirName, tsConfig.path), tsConfig.data);
-          await write(resolve(dirName, peprTS.path), peprTS.data);
-          await write(resolve(dirName, ".vscode", snippet.path), snippet.data);
-          await write(resolve(dirName, ".vscode", codeSettings.path), codeSettings.data);
-          await write(resolve(dirName, "capabilities", samplesYaml.path), samplesYaml.data);
-          await write(resolve(dirName, "capabilities", helloPepr.path), helloPepr.data);
+          await setupProjectStructure(dirName);
+          await createProjectFiles(dirName, packageJSON);
 
           if (!opts.skipPostInit) {
             doPostInitActions(dirName);
@@ -90,6 +77,39 @@ export default function (program: RootCmd): void {
     });
 }
 
+async function setupProjectStructure(dirName: string): Promise<void> {
+  await createDir(dirName);
+  await createDir(resolve(dirName, ".vscode"));
+  await createDir(resolve(dirName, "capabilities"));
+}
+
+async function createProjectFiles(dirName: string, packageJSON: peprPackageJSON): Promise<void> {
+  const files = [
+    { path: gitignore.path, data: gitignore.data },
+    { path: eslint.path, data: eslint.data },
+    { path: prettier.path, data: prettier.data },
+    { path: packageJSON.path, data: packageJSON.data },
+    { path: readme.path, data: readme.data },
+    { path: tsConfig.path, data: tsConfig.data },
+    { path: peprTSTemplate.path, data: peprTSTemplate.data },
+  ];
+
+  const nestedFiles = [
+    { dir: ".vscode", path: snippet.path, data: snippet.data },
+    { dir: ".vscode", path: codeSettings.path, data: codeSettings.data },
+    { dir: "capabilities", path: samplesYaml.path, data: samplesYaml.data },
+    { dir: "capabilities", path: helloPepr.path, data: helloPepr.data },
+  ];
+
+  for (const file of files) {
+    await write(resolve(dirName, file.path), file.data);
+  }
+
+  for (const file of nestedFiles) {
+    await write(resolve(dirName, file.dir, file.path), file.data);
+  }
+}
+
 const doPostInitActions = (dirName: string): void => {
   // run npm install from the new directory
   process.chdir(dirName);

package/src/cli/init/templates.ts

@@ -20,7 +20,7 @@ import { sanitizeName } from "./utils";
 
 export const { dependencies, devDependencies, peerDependencies, scripts, version } = packageJSON;
 
-type peprPackageJSON = {
+export type peprPackageJSON = {
   data: {
     name: string;
     version: string;
@@ -101,12 +101,10 @@ export function genPkgJSON(opts: InitOptions, pgkVerOverride?: string): peprPack
   };
 }
 
-export function genPeprTS(): { path: string; data: string } {
-  return {
-    path: "pepr.ts",
-    data: peprTS,
-  };
-}
+export const peprTSTemplate = {
+  path: "pepr.ts",
+  data: peprTS,
+};
 
 export const readme = {
   path: "README.md",

package/src/lib/assets/defaultTestObjects.ts

@@ -0,0 +1,533 @@
+import { GenericClass } from "kubernetes-fluent-client";
+import { Event } from "../enums";
+import { CapabilityExport } from "../types";
+import { describe, beforeEach, jest, it, expect } from "@jest/globals";
+import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
+import fs from "fs";
+import { clusterRole } from "./rbac";
+import * as helpers from "../helpers";
+
+export const mockCapabilities: CapabilityExport[] = [
+  {
+    rbac: [
+      {
+        apiGroups: ["pepr.dev"],
+        resources: ["peprstores"],
+        verbs: ["create", "get", "patch", "watch"],
+      },
+    ],
+    bindings: [
+      {
+        kind: { group: "pepr.dev", version: "v1", kind: "peprstore", plural: "peprstores" },
+        isWatch: false,
+        event: Event.CREATE,
+        model: {} as GenericClass,
+        filters: {
+          name: "",
+          regexName: "",
+          namespaces: [],
+          regexNamespaces: [],
+          labels: {},
+          annotations: {},
+          deletionTimestamp: false,
+        },
+      },
+    ],
+    hasSchedule: false,
+    name: "",
+    description: "",
+  },
+  {
+    rbac: [
+      {
+        apiGroups: ["apiextensions.k8s.io"],
+        resources: ["customresourcedefinitions"],
+        verbs: ["patch", "create"],
+      },
+    ],
+    bindings: [
+      {
+        kind: {
+          group: "apiextensions.k8s.io",
+          version: "v1",
+          kind: "customresourcedefinition",
+          plural: "customresourcedefinitions",
+        },
+        isWatch: false,
+        isFinalize: false,
+        event: Event.CREATE,
+        model: {} as GenericClass,
+        filters: {
+          name: "",
+          regexName: "",
+          namespaces: [],
+          regexNamespaces: [],
+          labels: {},
+          annotations: {},
+          deletionTimestamp: false,
+        },
+      },
+    ],
+    hasSchedule: false,
+    name: "",
+    description: "",
+  },
+  {
+    rbac: [
+      {
+        apiGroups: [""],
+        resources: ["namespaces"],
+        verbs: ["watch"],
+      },
+    ],
+    bindings: [
+      {
+        kind: { group: "", version: "v1", kind: "namespace", plural: "namespaces" },
+        isWatch: true,
+        isFinalize: false,
+        event: Event.CREATE,
+        model: {} as GenericClass,
+        filters: {
+          name: "",
+          regexName: "",
+          namespaces: [],
+          regexNamespaces: [],
+          labels: {},
+          annotations: {},
+          deletionTimestamp: false,
+        },
+      },
+    ],
+    hasSchedule: false,
+    name: "",
+    description: "",
+  },
+  {
+    rbac: [
+      {
+        apiGroups: [""],
+        resources: ["configmaps"],
+        verbs: ["watch"],
+      },
+    ],
+    bindings: [
+      {
+        kind: { group: "", version: "v1", kind: "configmap", plural: "configmaps" },
+        isWatch: true,
+        isFinalize: false,
+        event: Event.CREATE,
+        model: {} as GenericClass,
+        filters: {
+          name: "",
+          regexName: "",
+          namespaces: [],
+          regexNamespaces: [],
+          labels: {},
+          annotations: {},
+          deletionTimestamp: false,
+        },
+      },
+    ],
+    hasSchedule: false,
+    name: "",
+    description: "",
+  },
+];
+describe("RBAC generation", () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+    const mockPackageJsonRBAC = {};
+
+    jest.spyOn(fs, "readFileSync").mockImplementation((path: unknown) => {
+      if (typeof path === "string" && path.includes("package.json")) {
+        return JSON.stringify({ rbac: mockPackageJsonRBAC });
+      }
+      return "{}";
+    });
+  });
+
+  it("should generate correct ClusterRole rules in scoped mode", () => {
+    const result = clusterRole("test-role", mockCapabilities, "scoped", []);
+
+    expect(result.rules).toEqual([
+      {
+        apiGroups: ["pepr.dev"],
+        resources: ["peprstores"],
+        verbs: ["create", "get", "patch", "watch"],
+      },
+      {
+        apiGroups: ["apiextensions.k8s.io"],
+        resources: ["customresourcedefinitions"],
+        verbs: ["patch", "create"],
+      },
+      {
+        apiGroups: [""],
+        resources: ["namespaces"],
+        verbs: ["watch"],
+      },
+      {
+        apiGroups: [""],
+        resources: ["configmaps"],
+        verbs: ["watch"],
+      },
+    ]);
+  });
+
+  it("should generate a ClusterRole with wildcard rules when not in scoped mode", () => {
+    const expectedWildcardRules = [
+      {
+        apiGroups: ["*"],
+        resources: ["*"],
+        verbs: ["create", "delete", "get", "list", "patch", "update", "watch"],
+      },
+    ];
+
+    const result = clusterRole("test-role", mockCapabilities, "admin", []);
+
+    expect(result.rules).toEqual(expectedWildcardRules);
+  });
+
+  it("should return an empty rules array when capabilities are empty in scoped mode", () => {
+    const result = clusterRole("test-role", [], "scoped", []);
+
+    expect(result.rules).toEqual([]);
+  });
+
+  it("should include finalize verbs if isFinalize is true in scoped mode", () => {
+    const capabilitiesWithFinalize: CapabilityExport[] = [
+      {
+        rbac: [
+          {
+            apiGroups: ["pepr.dev"],
+            resources: ["peprstores"],
+            verbs: ["patch"],
+          },
+        ],
+        bindings: [
+          {
+            kind: { group: "pepr.dev", version: "v1", kind: "peprstore", plural: "peprstores" },
+            isWatch: false,
+            isFinalize: true,
+            event: Event.CREATE,
+            model: {} as GenericClass,
+            filters: {
+              name: "",
+              regexName: "",
+              namespaces: [],
+              regexNamespaces: [],
+              labels: {},
+              annotations: {},
+              deletionTimestamp: false,
+            },
+          },
+        ],
+        hasSchedule: false,
+        name: "",
+        description: "",
+      },
+    ];
+
+    const result = clusterRole(
+      "test-role",
+      capabilitiesWithFinalize,
+      "scoped",
+      capabilitiesWithFinalize.flatMap(c => c.rbac).filter((rule): rule is PolicyRule => rule !== undefined),
+    );
+
+    expect(result.rules).toEqual([
+      {
+        apiGroups: ["pepr.dev"],
+        resources: ["peprstores"],
+        verbs: ["patch"],
+      },
+      {
+        apiGroups: ["apiextensions.k8s.io"],
+        resources: ["customresourcedefinitions"],
+        verbs: ["patch", "create"],
+      },
+    ]);
+  });
+
+  it("should deduplicate verbs and resources in rules", () => {
+    const capabilitiesWithDuplicates: CapabilityExport[] = [
+      {
+        rbac: [
+          {
+            apiGroups: ["pepr.dev"],
+            resources: ["peprstores"],
+            verbs: ["create", "get"],
+          },
+        ],
+        bindings: [
+          {
+            kind: { group: "pepr.dev", version: "v1", kind: "peprlog", plural: "peprlogs" },
+            isWatch: false,
+            event: Event.CREATE,
+            model: {} as GenericClass,
+            filters: {
+              name: "",
+              regexName: "",
+              namespaces: [],
+              regexNamespaces: [],
+              labels: {},
+              annotations: {},
+              deletionTimestamp: false,
+            },
+          },
+        ],
+        hasSchedule: false,
+        name: "",
+        description: "",
+      },
+      {
+        rbac: [
+          {
+            apiGroups: ["pepr.dev"],
+            resources: ["peprstores"],
+            verbs: ["get", "patch"],
+          },
+        ],
+        bindings: [
+          {
+            kind: { group: "pepr.dev", version: "v1", kind: "peprlog", plural: "peprlogs" },
+            isWatch: false,
+            event: Event.CREATE,
+            model: {} as GenericClass,
+            filters: {
+              name: "",
+              regexName: "",
+              namespaces: [],
+              regexNamespaces: [],
+              labels: {},
+              annotations: {},
+              deletionTimestamp: false,
+            },
+          },
+        ],
+        hasSchedule: false,
+        name: "",
+        description: "",
+      },
+    ];
+
+    const result = clusterRole(
+      "test-role",
+      capabilitiesWithDuplicates,
+      "scoped",
+      capabilitiesWithDuplicates.flatMap(c => c.rbac).filter((rule): rule is PolicyRule => rule !== undefined),
+    );
+
+    // Filter out only the rules for 'pepr.dev' and 'peprstores'
+    const filteredRules = result.rules?.filter(
+      rule => rule.apiGroups?.includes("pepr.dev") && rule.resources?.includes("peprstores"),
+    );
+
+    expect(filteredRules).toEqual([
+      {
+        apiGroups: ["pepr.dev"],
+        resources: ["peprstores"],
+        verbs: ["create", "get", "patch", "watch"],
+      },
+    ]);
+  });
+});
+describe("clusterRole", () => {
+  // Mocking the readRBACFromPackageJson function to return null
+  jest.mock("./rbac", () => ({
+    ...(jest.requireActual("./rbac") as object),
+    readRBACFromPackageJson: jest.fn(() => null),
+  }));
+
+  // Mocking createRBACMap to isolate the behavior of clusterRole function
+  jest.mock("../helpers", () => ({
+    ...(jest.requireActual("../helpers") as object),
+    createRBACMap: jest.fn(),
+  }));
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+    jest.restoreAllMocks();
+  });
+
+  it("should handle keys with less than 3 segments and set group to an empty string", () => {
+    jest.spyOn(helpers, "createRBACMap").mockReturnValue({
+      nodes: {
+        plural: "nodes",
+        verbs: ["get"],
+      },
+    });
+
+    const capabilitiesWithShortKey: CapabilityExport[] = [
+      {
+        rbac: [
+          {
+            apiGroups: [""],
+            resources: ["nodes"],
+            verbs: ["get"],
+          },
+        ],
+        bindings: [
+          {
+            kind: { group: "", version: "v1", kind: "node", plural: "nodes" },
+            isWatch: false,
+            event: Event.CREATE,
+            model: {} as GenericClass,
+            filters: {
+              name: "",
+              regexName: "",
+              namespaces: [],
+              regexNamespaces: [],
+              labels: {},
+              annotations: {},
+              deletionTimestamp: false,
+            },
+          },
+        ],
+        hasSchedule: false,
+        name: "",
+        description: "",
+      },
+    ];
+
+    const result = clusterRole(
+      "test-role",
+      capabilitiesWithShortKey,
+      "scoped",
+      capabilitiesWithShortKey.flatMap(c => c.rbac).filter((rule): rule is PolicyRule => rule !== undefined),
+    );
+
+    expect(result.rules).toEqual([
+      {
+        apiGroups: [""],
+        resources: ["nodes"],
+        verbs: ["get"],
+      },
+    ]);
+  });
+
+  it("should handle keys with 3 or more segments and set group correctly", () => {
+    jest.spyOn(helpers, "createRBACMap").mockReturnValue({
+      "apps/v1/deployments": {
+        plural: "deployments",
+        verbs: ["create"],
+      },
+    });
+
+    const capabilitiesWithLongKey: CapabilityExport[] = [
+      {
+        rbac: [
+          {
+            apiGroups: ["apps"],
+            resources: ["deployments"],
+            verbs: ["create"],
+          },
+        ],
+        bindings: [
+          {
+            kind: { group: "apps", version: "v1", kind: "deployment", plural: "deployments" },
+            isWatch: false,
+            event: Event.CREATE,
+            model: {} as GenericClass,
+            filters: {
+              name: "",
+              regexName: "",
+              namespaces: [],
+              regexNamespaces: [],
+              labels: {},
+              annotations: {},
+              deletionTimestamp: false,
+            },
+          },
+        ],
+        hasSchedule: false,
+        name: "",
+        description: "",
+      },
+    ];
+
+    const result = clusterRole(
+      "test-role",
+      capabilitiesWithLongKey,
+      "scoped",
+      capabilitiesWithLongKey.flatMap(c => c.rbac).filter((rule): rule is PolicyRule => rule !== undefined),
+    );
+
+    expect(result.rules).toEqual([
+      {
+        apiGroups: ["apps"],
+        resources: ["deployments"],
+        verbs: ["create"],
+      },
+    ]);
+  });
+
+  it("should handle non-array custom RBAC by defaulting to an empty array", () => {
+    // Mock readRBACFromPackageJson to return a non-array value
+    jest.spyOn(fs, "readFileSync").mockImplementation(() => {
+      return JSON.stringify({
+        pepr: {
+          rbac: "not-an-array", // Simulate invalid RBAC structure
+        },
+      });
+    });
+
+    const result = clusterRole(
+      "test-role",
+      mockCapabilities,
+      "scoped",
+      mockCapabilities.flatMap(c => c.rbac).filter((rule): rule is PolicyRule => rule !== undefined),
+    );
+
+    // The result should only contain rules from the capabilities, not from the invalid custom RBAC
+    expect(result.rules).toEqual([
+      {
+        apiGroups: ["pepr.dev"],
+        resources: ["peprstores"],
+        verbs: ["create", "get", "patch", "watch"],
+      },
+      {
+        apiGroups: ["apiextensions.k8s.io"],
+        resources: ["customresourcedefinitions"],
+        verbs: ["patch", "create"],
+      },
+      {
+        apiGroups: [""],
+        resources: ["namespaces"],
+        verbs: ["watch"],
+      },
+      {
+        apiGroups: [""],
+        resources: ["configmaps"],
+        verbs: ["watch"],
+      },
+    ]);
+  });
+
+  it("should default to an empty verbs array if rule.verbs is undefined", () => {
+    // Simulate a custom RBAC rule with empty verbs
+    const customRbacWithNoVerbs: PolicyRule[] = [
+      {
+        apiGroups: ["pepr.dev"],
+        resources: ["customresources"],
+        verbs: [], // Set verbs to an empty array to satisfy the V1PolicyRule type
+      },
+    ];
+
+    jest.spyOn(fs, "readFileSync").mockImplementation(() => {
+      return JSON.stringify({
+        pepr: {
+          rbac: customRbacWithNoVerbs,
+        },
+      });
+    });
+
+    const result = clusterRole("test-role", mockCapabilities, "scoped", customRbacWithNoVerbs);
+
+    // Check that the verbs array is empty for the custom RBAC rule
+    expect(result.rules).toContainEqual({
+      apiGroups: ["pepr.dev"],
+      resources: ["customresources"],
+      verbs: [],
+    });
+  });
+});

package/src/lib/filter/adjudicators/admissionRequest.ts

@@ -0,0 +1,25 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { Operation } from "../../enums";
+import { AdmissionRequest } from "../../types";
+import { defaultTo, pipe } from "ramda";
+import { KubernetesObject } from "kubernetes-fluent-client";
+
+export const declaredOperation = pipe(
+  (request: AdmissionRequest<KubernetesObject>): Operation => request?.operation,
+  defaultTo(""),
+);
+export const declaredGroup = pipe(
+  (request: AdmissionRequest<KubernetesObject>): string => request?.kind?.group,
+  defaultTo(""),
+);
+export const declaredVersion = pipe(
+  (request: AdmissionRequest<KubernetesObject>): string | undefined => request?.kind?.version,
+  defaultTo(""),
+);
+export const declaredKind = pipe(
+  (request: AdmissionRequest<KubernetesObject>): string => request?.kind?.kind,
+  defaultTo(""),
+);
+export const declaredUid = pipe((request: AdmissionRequest<KubernetesObject>): string => request?.uid, defaultTo(""));