Relax rule context validation to follow JMESPath grammar (#3129)

Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
kyverno · Jan 31, 2022 · 460014c · 460014c
1 parent 68a5231
commit 460014c
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 2 deletions.
diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
@@ -1111,9 +1111,12 @@ func validateRuleContext(rule kyverno.Rule) error {
 	}
 
 	ruleBytes, _ := json.Marshal(rule)
-	ruleString := strings.ReplaceAll(string(ruleBytes), " ", "")
 	for _, contextName := range contextNames {
-		if !strings.Contains(ruleString, fmt.Sprintf("{{"+contextName)) && !strings.Contains(ruleString, fmt.Sprintf("{{\\\""+contextName)) {
+		contextRegex, err := regexp.Compile(fmt.Sprintf(`{{.*\b%s\b.*}}`, contextName))
+		if err != nil {
+			return fmt.Errorf("unable to validate context variable `%s`, %w", contextName, err)
+		}
+		if !contextRegex.Match(ruleBytes) {
 			return fmt.Errorf("context variable `%s` is not used in the policy", contextName)
 		}
 	}

diff --git a/test/cli/test/variables/cm-multiple-example.yaml b/test/cli/test/variables/cm-multiple-example.yaml
@@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: cm-multiple-example
+spec:
+  rules:
+  - name: example-configmap-lookup
+    context:
+    - name: dictionary
+      configMap:
+        name: some-config-map
+        namespace: some-namespace
+    - name: anotherdictionary
+      configMap:
+        name: another-config-map
+        namespace: some-namespace
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      pattern:
+        metadata:
+          labels:
+            my-environment-name: "{{dictionary.data.env || anotherdictionary.data.env }}"
diff --git a/test/cli/test/variables/kyverno-test.yaml b/test/cli/test/variables/kyverno-test.yaml
@@ -1,6 +1,7 @@
 name: test-variables
 policies:
   - cm-variable-example.yaml
+  - cm-multiple-example.yaml
   - cm-array-example.yaml
   - cm-blk-scalar-example.yaml
   - cm-globalval-example.yaml
@@ -9,6 +10,16 @@ resources:
   - resources.yaml
 variables: variables.yaml
 results:
+  - policy: cm-multiple-example
+    rule: example-configmap-lookup
+    resource: test-env-test
+    kind: Pod
+    result: pass
+  - policy: cm-multiple-example
+    rule: example-configmap-lookup
+    resource: test-env-dev
+    kind: Pod
+    result: fail
   - policy: cm-variable-example
     rule: example-configmap-lookup
     resource: test-env-test

diff --git a/test/cli/test/variables/variables.yaml b/test/cli/test/variables/variables.yaml
@@ -1,4 +1,10 @@
 policies:
+  - name: cm-multiple-example
+    rules:
+      - name: example-configmap-lookup
+        values:
+          dictionary.data.env: ''
+          anotherdictionary.data.env: test
   - name: cm-variable-example
     rules:
       - name: example-configmap-lookup