pepr 0.46.0 → 0.46.1-nightly.1

package/package.json

@@ -15,7 +15,7 @@
     "!src/**/*.test.ts",
     "!dist/**/*.test.d.ts*"
   ],
-  "version": "0.46.0",
+  "version": "0.46.1-nightly.1",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {
@@ -52,7 +52,7 @@
     "follow-redirects": "1.15.9",
     "http-status-codes": "^2.3.0",
     "json-pointer": "^0.6.2",
-    "kubernetes-fluent-client": "3.4.0",
+    "kubernetes-fluent-client": "3.4.2",
     "pino": "9.6.0",
     "pino-pretty": "13.0.0",
     "prom-client": "15.1.3",
@@ -76,12 +76,11 @@
     "jest": "29.7.0",
     "js-yaml": "^4.1.0",
     "shellcheck": "^3.0.0",
-    "ts-jest": "29.2.5",
+    "ts-jest": "29.2.6",
     "undici": "^7.0.1"
   },
   "overrides": {
-    "glob": "^9.0.0",
-    "jsonpath-plus": "^10.3.0"
+    "glob": "^9.0.0"
   },
   "peerDependencies": {
     "@types/prompts": "2.4.9",
@@ -96,4 +95,4 @@
     "typescript": "5.7.3",
     "uuid": "11.0.5"
   }
-}
+}

package/src/cli/init/index.ts

@@ -9,10 +9,11 @@ import { RootCmd } from "../root";
 import {
   codeSettings,
   eslint,
-  genPeprTS,
+  peprTSTemplate,
   genPkgJSON,
   gitignore,
   helloPepr,
+  peprPackageJSON,
   prettier,
   readme,
   samplesYaml,
@@ -50,29 +51,15 @@ export default function (program: RootCmd): void {
     .action(async opts => {
       const dirName = sanitizeName(response.name);
       const packageJSON = genPkgJSON(response, pkgOverride);
-      const peprTS = genPeprTS();
 
-      const confirmed = await confirm(dirName, packageJSON, peprTS.path, opts.confirm);
+      const confirmed = await confirm(dirName, packageJSON, peprTSTemplate.path, opts.confirm);
 
       if (confirmed) {
         console.log("Creating new Pepr module...");
 
         try {
-          await createDir(dirName);
-          await createDir(resolve(dirName, ".vscode"));
-          await createDir(resolve(dirName, "capabilities"));
-
-          await write(resolve(dirName, gitignore.path), gitignore.data);
-          await write(resolve(dirName, eslint.path), eslint.data);
-          await write(resolve(dirName, prettier.path), prettier.data);
-          await write(resolve(dirName, packageJSON.path), packageJSON.data);
-          await write(resolve(dirName, readme.path), readme.data);
-          await write(resolve(dirName, tsConfig.path), tsConfig.data);
-          await write(resolve(dirName, peprTS.path), peprTS.data);
-          await write(resolve(dirName, ".vscode", snippet.path), snippet.data);
-          await write(resolve(dirName, ".vscode", codeSettings.path), codeSettings.data);
-          await write(resolve(dirName, "capabilities", samplesYaml.path), samplesYaml.data);
-          await write(resolve(dirName, "capabilities", helloPepr.path), helloPepr.data);
+          await setupProjectStructure(dirName);
+          await createProjectFiles(dirName, packageJSON);
 
           if (!opts.skipPostInit) {
             doPostInitActions(dirName);
@@ -90,6 +77,39 @@ export default function (program: RootCmd): void {
     });
 }
 
+async function setupProjectStructure(dirName: string): Promise<void> {
+  await createDir(dirName);
+  await createDir(resolve(dirName, ".vscode"));
+  await createDir(resolve(dirName, "capabilities"));
+}
+
+async function createProjectFiles(dirName: string, packageJSON: peprPackageJSON): Promise<void> {
+  const files = [
+    { path: gitignore.path, data: gitignore.data },
+    { path: eslint.path, data: eslint.data },
+    { path: prettier.path, data: prettier.data },
+    { path: packageJSON.path, data: packageJSON.data },
+    { path: readme.path, data: readme.data },
+    { path: tsConfig.path, data: tsConfig.data },
+    { path: peprTSTemplate.path, data: peprTSTemplate.data },
+  ];
+
+  const nestedFiles = [
+    { dir: ".vscode", path: snippet.path, data: snippet.data },
+    { dir: ".vscode", path: codeSettings.path, data: codeSettings.data },
+    { dir: "capabilities", path: samplesYaml.path, data: samplesYaml.data },
+    { dir: "capabilities", path: helloPepr.path, data: helloPepr.data },
+  ];
+
+  for (const file of files) {
+    await write(resolve(dirName, file.path), file.data);
+  }
+
+  for (const file of nestedFiles) {
+    await write(resolve(dirName, file.dir, file.path), file.data);
+  }
+}
+
 const doPostInitActions = (dirName: string): void => {
   // run npm install from the new directory
   process.chdir(dirName);

package/src/cli/init/templates.ts

@@ -20,7 +20,7 @@ import { sanitizeName } from "./utils";
 
 export const { dependencies, devDependencies, peerDependencies, scripts, version } = packageJSON;
 
-type peprPackageJSON = {
+export type peprPackageJSON = {
   data: {
     name: string;
     version: string;
@@ -101,12 +101,10 @@ export function genPkgJSON(opts: InitOptions, pgkVerOverride?: string): peprPack
   };
 }
 
-export function genPeprTS(): { path: string; data: string } {
-  return {
-    path: "pepr.ts",
-    data: peprTS,
-  };
-}
+export const peprTSTemplate = {
+  path: "pepr.ts",
+  data: peprTS,
+};
 
 export const readme = {
   path: "README.md",

package/src/lib/assets/defaultTestObjects.ts

@@ -0,0 +1,137 @@
+import { GenericClass } from "kubernetes-fluent-client";
+import { Event } from "../enums";
+import { Binding, CapabilityExport } from "../types";
+import { defaultFilters } from "../filter/adjudicators/defaultTestObjects";
+import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
+
+export const createMockRbacRule = (
+  apiGroups: string[] = ["pepr.dev"],
+  resources: string[] = ["peprstores"],
+  verbs: string[] = ["create", "get", "patch", "watch"],
+): PolicyRule => ({
+  apiGroups,
+  resources,
+  verbs,
+});
+
+export const createMockBinding = (
+  kindDetails: { group?: string; version?: string; kind?: string; plural?: string } = {},
+  options: { isWatch?: boolean; event?: Event; isFinalize?: boolean } = {},
+): Binding => {
+  const { group = "pepr.dev", version = "v1", kind = "peprstore", plural = "peprstores" } = kindDetails;
+
+  const { isWatch = false, event = Event.CREATE, isFinalize } = options;
+
+  return {
+    kind: { group, version, kind, plural },
+    isWatch,
+    ...(isFinalize !== undefined && { isFinalize }),
+    event,
+    model: {} as GenericClass,
+    filters: { ...defaultFilters, regexName: "" },
+  };
+};
+
+export const createMockCapability = (
+  rbacRules = [createMockRbacRule()],
+  bindings = [createMockBinding()],
+): CapabilityExport => ({
+  name: "",
+  hasSchedule: false,
+  description: "",
+  rbac: rbacRules,
+  bindings,
+});
+
+export const mockCapabilities: CapabilityExport[] = [
+  createMockCapability(),
+  createMockCapability(
+    [createMockRbacRule(["apiextensions.k8s.io"], ["customresourcedefinitions"], ["patch", "create"])],
+    [
+      createMockBinding(
+        {
+          group: "apiextensions.k8s.io",
+          version: "v1",
+          kind: "customresourcedefinition",
+          plural: "customresourcedefinitions",
+        },
+        { isWatch: false, event: Event.CREATE, isFinalize: false },
+      ),
+    ],
+  ),
+  createMockCapability(
+    [createMockRbacRule([""], ["namespaces"], ["watch"])],
+    [
+      createMockBinding(
+        { group: "", version: "v1", kind: "namespace", plural: "namespaces" },
+        { isWatch: true, event: Event.CREATE, isFinalize: false },
+      ),
+    ],
+  ),
+  createMockCapability(
+    [createMockRbacRule([""], ["configmaps"], ["watch"])],
+    [
+      createMockBinding(
+        { group: "", version: "v1", kind: "configmap", plural: "configmaps" },
+        { isWatch: true, event: Event.CREATE, isFinalize: false },
+      ),
+    ],
+  ),
+];
+
+export const capabilityWithFinalize: CapabilityExport[] = [
+  createMockCapability(
+    [createMockRbacRule(["pepr.dev"], ["peprstores"], ["patch"])],
+    [
+      createMockBinding(
+        { group: "pepr.dev", version: "v1", kind: "peprstore", plural: "peprstores" },
+        { isWatch: false, event: Event.CREATE, isFinalize: true },
+      ),
+    ],
+  ),
+];
+
+export const capabilityWithDuplicates: CapabilityExport[] = [
+  createMockCapability(
+    [createMockRbacRule(["pepr.dev"], ["peprstores"], ["create", "get"])],
+    [
+      createMockBinding(
+        { group: "pepr.dev", version: "v1", kind: "peprlog", plural: "peprlogs" },
+        { isWatch: false, event: Event.CREATE },
+      ),
+    ],
+  ),
+  createMockCapability(
+    [createMockRbacRule(["pepr.dev"], ["peprstores"], ["get", "patch"])],
+    [
+      createMockBinding(
+        { group: "pepr.dev", version: "v1", kind: "peprlog", plural: "peprlogs" },
+        { isWatch: false, event: Event.CREATE },
+      ),
+    ],
+  ),
+];
+
+export const capabilityWithShortKey: CapabilityExport[] = [
+  createMockCapability(
+    [createMockRbacRule([""], ["nodes"], ["get"])],
+    [
+      createMockBinding(
+        { group: "", version: "v1", kind: "node", plural: "nodes" },
+        { isWatch: false, event: Event.CREATE },
+      ),
+    ],
+  ),
+];
+
+export const capabilityWithLongKey: CapabilityExport[] = [
+  createMockCapability(
+    [createMockRbacRule(["apps"], ["deployments"], ["create"])],
+    [
+      createMockBinding(
+        { group: "apps", version: "v1", kind: "deployment", plural: "deployments" },
+        { isWatch: false, event: Event.CREATE },
+      ),
+    ],
+  ),
+];

package/src/lib/filter/adjudicators/admissionRequest.ts

@@ -0,0 +1,25 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { Operation } from "../../enums";
+import { AdmissionRequest } from "../../types";
+import { defaultTo, pipe } from "ramda";
+import { KubernetesObject } from "kubernetes-fluent-client";
+
+export const declaredOperation = pipe(
+  (request: AdmissionRequest<KubernetesObject>): Operation => request?.operation,
+  defaultTo(""),
+);
+export const declaredGroup = pipe(
+  (request: AdmissionRequest<KubernetesObject>): string => request?.kind?.group,
+  defaultTo(""),
+);
+export const declaredVersion = pipe(
+  (request: AdmissionRequest<KubernetesObject>): string | undefined => request?.kind?.version,
+  defaultTo(""),
+);
+export const declaredKind = pipe(
+  (request: AdmissionRequest<KubernetesObject>): string => request?.kind?.kind,
+  defaultTo(""),
+);
+export const declaredUid = pipe((request: AdmissionRequest<KubernetesObject>): string => request?.uid, defaultTo(""));

package/src/lib/filter/adjudicators/binding.ts

@@ -0,0 +1,85 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { Event } from "../../enums";
+import { Binding, FinalizeAction, WatchLogAction, MutateAction, ValidateAction } from "../../types";
+import { complement, defaultTo, equals, not, pipe } from "ramda";
+import { GenericClass } from "kubernetes-fluent-client";
+
+export const definesDeletionTimestamp = pipe(
+  (binding: Binding): boolean => binding?.filters?.deletionTimestamp ?? false,
+  defaultTo(false),
+);
+export const ignoresDeletionTimestamp = complement(definesDeletionTimestamp);
+
+export const definedName = pipe((binding: Binding): string => {
+  return binding.filters.name;
+}, defaultTo(""));
+export const definesName = pipe(definedName, equals(""), not);
+export const ignoresName = complement(definesName);
+
+export const definedNameRegex = pipe(
+  (binding: Partial<Binding>): string | undefined => binding.filters?.regexName,
+  defaultTo(""),
+);
+export const definesNameRegex = pipe(definedNameRegex, equals(""), not);
+
+export const definedNamespaces = pipe(binding => binding?.filters?.namespaces, defaultTo([]));
+export const definesNamespaces = pipe(definedNamespaces, equals([]), not);
+
+export const definedNamespaceRegexes = pipe(binding => binding?.filters?.regexNamespaces, defaultTo([]));
+export const definesNamespaceRegexes = pipe(definedNamespaceRegexes, equals([]), not);
+
+export const definedAnnotations = pipe((binding: Partial<Binding>) => binding?.filters?.annotations, defaultTo({}));
+export const definesAnnotations = pipe(definedAnnotations, equals({}), not);
+
+export const definedLabels = pipe((binding: Partial<Binding>) => binding?.filters?.labels, defaultTo({}));
+export const definesLabels = pipe(definedLabels, equals({}), not);
+
+export const definedEvent = (binding: Binding): Event => {
+  return binding.event;
+};
+
+export const definesDelete = pipe(definedEvent, equals(Event.DELETE));
+
+export const definedGroup = pipe((binding): string => binding?.kind?.group, defaultTo(""));
+export const definesGroup = pipe(definedGroup, equals(""), not);
+
+export const definedVersion = pipe(
+  (binding: Partial<Binding>): string | undefined => binding?.kind?.version,
+  defaultTo(""),
+);
+export const definesVersion = pipe(definedVersion, equals(""), not);
+
+export const definedKind = pipe((binding): string => binding?.kind?.kind, defaultTo(""));
+export const definesKind = pipe(definedKind, equals(""), not);
+
+export const definedCategory = (binding: Partial<Binding>): string => {
+  // Ordering matters, finalize is a "watch"
+  const categories: { [key: string]: boolean | undefined } = {
+    Finalize: binding.isFinalize,
+    Watch: binding.isWatch,
+    Mutate: binding.isMutate,
+    Validate: binding.isValidate,
+  };
+
+  return Object.keys(categories).find(key => categories[key]) || "";
+};
+export type DefinedCallbackReturnType =
+  | FinalizeAction<GenericClass, InstanceType<GenericClass>>
+  | WatchLogAction<GenericClass, InstanceType<GenericClass>>
+  | MutateAction<GenericClass, InstanceType<GenericClass>>
+  | ValidateAction<GenericClass, InstanceType<GenericClass>>
+  | null
+  | undefined;
+
+export const definedCallback = (binding: Partial<Binding>): DefinedCallbackReturnType => {
+  // Ordering matters, finalize is a "watch"
+  // prettier-ignore
+  return binding.isFinalize ? binding.finalizeCallback :
+    binding.isWatch ? binding.watchCallback :
+    binding.isMutate ? binding.mutateCallback :
+    binding.isValidate ? binding.validateCallback :
+    null;
+};
+export const definedCallbackName = pipe(definedCallback, defaultTo({ name: "" }), callback => callback.name);

package/src/lib/filter/adjudicators/kubernetesObject.ts

@@ -0,0 +1,90 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { __, allPass, complement, defaultTo, equals, length, gt, not, nthArg, pipe } from "ramda";
+import { KubernetesObject } from "kubernetes-fluent-client";
+
+export const carriesDeletionTimestamp = pipe(
+  kubernetesObject => !!kubernetesObject.metadata?.deletionTimestamp,
+  defaultTo(false),
+);
+export const missingDeletionTimestamp = complement(carriesDeletionTimestamp);
+
+export const carriedKind = pipe(
+  (kubernetesObject: KubernetesObject): string | undefined => kubernetesObject?.kind,
+  defaultTo("not set"),
+);
+export const carriedVersion = pipe(
+  (kubernetesObject: KubernetesObject): string | undefined => kubernetesObject?.metadata?.resourceVersion,
+  defaultTo("not set"),
+);
+export const carriedName = pipe(
+  (kubernetesObject: KubernetesObject): string | undefined => kubernetesObject?.metadata?.name,
+  defaultTo(""),
+);
+export const carriesName = pipe(carriedName, equals(""), not);
+export const missingName = complement(carriesName);
+
+export const carriedNamespace = pipe(
+  (kubernetesObject: KubernetesObject): string | undefined => kubernetesObject?.metadata?.namespace,
+  defaultTo(""),
+);
+
+export const carriesNamespace = pipe(carriedNamespace, equals(""), not);
+
+export const carriedAnnotations = pipe(
+  (kubernetesObject: KubernetesObject): { [key: string]: string } | undefined =>
+    kubernetesObject?.metadata?.annotations,
+  defaultTo({}),
+);
+export const carriesAnnotations = pipe(carriedAnnotations, equals({}), not);
+
+export const carriedLabels = pipe(
+  (kubernetesObject: KubernetesObject): { [key: string]: string } | undefined => kubernetesObject?.metadata?.labels,
+  defaultTo({}),
+);
+export const carriesLabels = pipe(carriedLabels, equals({}), not);
+
+/*
+ * If the object does not have a namespace, and it is not a namespace,
+ * then we must return false because it cannot be uncarryable
+ */
+export const uncarryableNamespace = allPass([
+  pipe(nthArg(0), length, gt(__, 0)),
+  pipe((namespaceSelector, kubernetesObject) => {
+    if (kubernetesObject?.kind === "Namespace") {
+      return namespaceSelector.includes(kubernetesObject?.metadata?.name);
+    }
+    if (carriesNamespace(kubernetesObject)) {
+      return namespaceSelector.includes(carriedNamespace(kubernetesObject));
+    }
+    return true;
+  }, not),
+]);
+
+export const missingCarriableNamespace = allPass([
+  pipe(nthArg(0), length, gt(__, 0)),
+  pipe((namespaceSelector: string[], kubernetesObject: KubernetesObject): boolean =>
+    kubernetesObject.kind === "Namespace"
+      ? !namespaceSelector.includes(kubernetesObject.metadata!.name!)
+      : !carriesNamespace(kubernetesObject),
+  ),
+]);
+
+/*
+ * If the object does not have a namespace, and it is not a namespace,
+ * then we must return false because it cannot be ignored
+ */
+export const carriesIgnoredNamespace = allPass([
+  pipe(nthArg(0), length, gt(__, 0)),
+  pipe((namespaceSelector, kubernetesObject) => {
+    if (kubernetesObject?.kind === "Namespace") {
+      return namespaceSelector.includes(kubernetesObject?.metadata?.name);
+    }
+    if (carriesNamespace(kubernetesObject)) {
+      return namespaceSelector.includes(carriedNamespace(kubernetesObject));
+    }
+
+    return false;
+  }),
+]);

package/src/lib/filter/adjudicators/mismatch.ts

@@ -0,0 +1,129 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { AdmissionRequest, Binding } from "../../types";
+import { allPass, any, anyPass, equals, not, nthArg, pipe } from "ramda";
+import {
+  definedAnnotations,
+  definedEvent,
+  definedGroup,
+  definedKind,
+  definedLabels,
+  definedName,
+  definedNameRegex,
+  definedNamespaceRegexes,
+  definedNamespaces,
+  definedVersion,
+  definesAnnotations,
+  definesDeletionTimestamp,
+  definesGroup,
+  definesKind,
+  definesLabels,
+  definesName,
+  definesNameRegex,
+  definesNamespaceRegexes,
+  definesNamespaces,
+  definesVersion,
+} from "./binding";
+import {
+  carriedAnnotations,
+  carriedLabels,
+  carriedName,
+  carriedNamespace,
+  missingDeletionTimestamp,
+} from "./kubernetesObject";
+import { declaredOperation, declaredGroup, declaredVersion, declaredKind } from "./admissionRequest";
+import { Event, Operation } from "../../enums";
+
+export const mismatchedDeletionTimestamp = allPass([
+  pipe(nthArg(0), definesDeletionTimestamp),
+  pipe(nthArg(1), missingDeletionTimestamp),
+]);
+
+export const mismatchedName = allPass([
+  pipe(nthArg(0), definesName),
+  pipe((binding, kubernetesObject) => definedName(binding) !== carriedName(kubernetesObject)),
+]);
+
+export const mismatchedNameRegex = allPass([
+  pipe(nthArg(0), definesNameRegex),
+  pipe((binding, kubernetesObject) => new RegExp(definedNameRegex(binding)).test(carriedName(kubernetesObject)), not),
+]);
+
+export const mismatchedNamespace = allPass([
+  pipe(nthArg(0), definesNamespaces),
+  pipe((binding, kubernetesObject) => definedNamespaces(binding).includes(carriedNamespace(kubernetesObject)), not),
+]);
+
+export const mismatchedNamespaceRegex = allPass([
+  pipe(nthArg(0), definesNamespaceRegexes),
+  pipe((binding, kubernetesObject) =>
+    pipe(
+      any((regEx: string) => new RegExp(regEx).test(carriedNamespace(kubernetesObject))),
+      not,
+    )(definedNamespaceRegexes(binding)),
+  ),
+]);
+
+export const metasMismatch = pipe(
+  (defined, carried) => {
+    const result = { defined, carried, unalike: {} };
+
+    result.unalike = Object.entries(result.defined)
+      .map(([key, value]) => {
+        const keyMissing = !Object.hasOwn(result.carried, key);
+        const noValue = !value;
+        const valMissing = !result.carried[key];
+        const valDiffers = result.carried[key] !== result.defined[key];
+
+        // prettier-ignore
+        return (
+          keyMissing ? { [key]: value } :
+          noValue ? {} :
+          valMissing ? { [key]: value } :
+          valDiffers ? { [key]: value } :
+          {}
+        )
+      })
+      .reduce((acc, cur) => ({ ...acc, ...cur }), {});
+
+    return result.unalike;
+  },
+  unalike => Object.keys(unalike).length > 0,
+);
+
+export const mismatchedAnnotations = allPass([
+  pipe(nthArg(0), definesAnnotations),
+  pipe((binding, kubernetesObject) => metasMismatch(definedAnnotations(binding), carriedAnnotations(kubernetesObject))),
+]);
+
+export const mismatchedLabels = allPass([
+  pipe(nthArg(0), definesLabels),
+  pipe((binding, kubernetesObject) => metasMismatch(definedLabels(binding), carriedLabels(kubernetesObject))),
+]);
+
+export const mismatchedEvent = pipe(
+  (binding: Binding, request: AdmissionRequest): boolean =>
+    operationMatchesEvent(declaredOperation(request), definedEvent(binding)),
+  not,
+);
+
+export const mismatchedGroup = allPass([
+  pipe(nthArg(0), definesGroup),
+  pipe((binding, request) => definedGroup(binding) !== declaredGroup(request)),
+]);
+
+export const mismatchedVersion = allPass([
+  pipe(nthArg(0), definesVersion),
+  pipe((binding, request) => definedVersion(binding) !== declaredVersion(request)),
+]);
+
+export const mismatchedKind = allPass([
+  pipe(nthArg(0), definesKind),
+  pipe((binding, request) => definedKind(binding) !== declaredKind(request)),
+]);
+export const operationMatchesEvent = anyPass([
+  pipe(nthArg(1), equals(Event.ANY)),
+  pipe((operation: Operation, event: Event): boolean => operation.valueOf() === event.valueOf()),
+  pipe((operation: Operation, event: Event): boolean => (operation ? event.includes(operation) : false)),
+]);