fixes

Signed-off-by: Anlan Du <adu47249@gmail.com>
open-policy-agent · Jan 16, 2024 · 0fe90b9 · 0fe90b9
1 parent 60697ca
commit 0fe90b9
Show file tree

Hide file tree

Showing 6 changed files with 128 additions and 174 deletions.
diff --git a/cmd/gator/sync/sync.go b/cmd/gator/sync/sync.go
@@ -14,7 +14,7 @@ var commands = []*cobra.Command{
 var Cmd = &cobra.Command{
 	Use:   "sync",
 	Short: "Manage SyncSets and Config",
-	Run: func(cmd *cobra.Command, args []string) {
+	Run: func(_ *cobra.Command, _ []string) {
 		fmt.Println("Usage: gator sync test")
 	},
 }

diff --git a/cmd/gator/sync/test/test.go b/cmd/gator/sync/test/test.go
@@ -36,7 +36,7 @@ func init() {
 		"and configs are supported by the cluster under test. If this assumption isn't true, the given config may cause errors or templates may not be enforced correctly even after passing this test.")
 }
 
-func run(cmd *cobra.Command, args []string) {
+func run(_ *cobra.Command, _ []string) {
 	unstrucs, err := reader.ReadSources(flagFilenames, flagImages, "")
 	if err != nil {
 		cmdutils.ErrFatalf("reading: %v", err)

diff --git a/pkg/fakes/gvkmanifest.go b/pkg/fakes/gvkmanifest.go
@@ -0,0 +1,34 @@
+package fakes
+
+import (
+	gvkmanifestv1alpha1 "github.com/open-policy-agent/gatekeeper/v3/apis/gvkmanifest/v1alpha1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GVKManifestFor returns a GVKManifest resource with the given name for the requested set of resources.
+func GVKManifestFor(name string, gvks []schema.GroupVersionKind) *gvkmanifestv1alpha1.GVKManifest {
+	groups := map[string]gvkmanifestv1alpha1.Versions{}
+	for _, gvk := range gvks {
+		if groups[gvk.Group] == nil {
+			groups[gvk.Group] = gvkmanifestv1alpha1.Versions{}
+		}
+		if groups[gvk.Group][gvk.Version] == nil {
+			groups[gvk.Group][gvk.Version] = gvkmanifestv1alpha1.Kinds{}
+		}
+		groups[gvk.Group][gvk.Version] = append(groups[gvk.Group][gvk.Version], gvk.Kind)
+	}
+
+	return &gvkmanifestv1alpha1.GVKManifest{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: gvkmanifestv1alpha1.GroupVersion.String(),
+			Kind:       "GVKManifest",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+		},
+		Spec: gvkmanifestv1alpha1.GVKManifestSpec{
+			Groups: groups,
+		},
+	}
+}
diff --git a/pkg/gator/fixtures/fixtures.go b/pkg/gator/fixtures/fixtures.go
@@ -336,6 +336,46 @@ metadata:
           }
         ]
       ]"
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sUniqueServiceSelector
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8suniqueserviceselector
+        make_apiversion(kind) = apiVersion {
+          g := kind.group
+          v := kind.version
+          g != ""
+          apiVersion = sprintf("%v/%v", [g, v])
+        }
+        make_apiversion(kind) = apiVersion {
+          kind.group == ""
+          apiVersion = kind.version
+        }
+        identical(obj, review) {
+          obj.metadata.namespace == review.namespace
+          obj.metadata.name == review.name
+          obj.kind == review.kind.kind
+          obj.apiVersion == make_apiversion(review.kind)
+        }
+        flatten_selector(obj) = flattened {
+          selectors := [s | s = concat(":", [key, val]); val = obj.spec.selector[key]]
+          flattened := concat(",", sort(selectors))
+        }
+        violation[{"msg": msg}] {
+          input.review.kind.kind == "Service"
+          input.review.kind.version == "v1"
+          input.review.kind.group == ""
+          input_selector := flatten_selector(input.review.object)
+          other := data.inventory.namespace[namespace][_]["Service"][name]
+          not identical(other, input.review)
+          other_selector := flatten_selector(other)
+          input_selector == other_selector
+          msg := sprintf("same selector as service <%v> in namespace <%v>", [name, namespace])
+        }
 `
 
 	TemplateReferentialMultEquivSets = `
@@ -615,41 +655,5 @@ spec:
     kinds:
       - apiGroups: ["*"]
         kinds: ["*"]
-`
-	BadSyncSet = `
-apiVersion: syncset.gatekeeper.sh/v1alpha1
-kind: SyncSet
-metadata:
-  name: syncset
-spec:
-  unknownField: "unknown"
-`
-	BadConfig = `
-apiVersion: config.gatekeeper.sh/v1alpha1
-kind: Config
-metadata:
-  name: config
-spec:
-  unknownField: "unknown"
-`
-	GVKManifestServices = `
-apiVersion: gvkmanifest.gatekeeper.sh/v1alpha1
-kind: GVKManifest
-metadata:
-  name: gvkmanifest
-spec:
-  groups:
-    "":
-      "v1": ["Service"]
-`
-	GVKManifestDeployments = `
-apiVersion: gvkmanifest.gatekeeper.sh/v1alpha1
-kind: GVKManifest
-metadata:
-  name: gvkmanifest
-spec:
-  groups:
-    apps:
-      "v1": ["Deployment"]
 `
 )
diff --git a/pkg/gator/sync/test/test.go b/pkg/gator/sync/test/test.go
@@ -6,7 +6,6 @@ import (
 	cfapis "github.com/open-policy-agent/frameworks/constraint/pkg/apis"
 	"github.com/open-policy-agent/frameworks/constraint/pkg/core/templates"
 	gkapis "github.com/open-policy-agent/gatekeeper/v3/apis"
-
 	gvkmanifestv1alpha1 "github.com/open-policy-agent/gatekeeper/v3/apis/gvkmanifest/v1alpha1"
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/cachemanager/parser"
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/gator/reader"
@@ -40,7 +39,8 @@ func Test(unstrucs []*unstructured.Unstructured, omitGVKManifest bool) (map[stri
 	var err error
 
 	for _, obj := range unstrucs {
-		if reader.IsSyncSet(obj) {
+		switch {
+		case reader.IsSyncSet(obj):
 			syncSet, err := reader.ToSyncSet(scheme, obj)
 			if err != nil {
 				return nil, nil, fmt.Errorf("converting unstructured %q to syncset: %w", obj.GetName(), err)
@@ -53,7 +53,7 @@ func Test(unstrucs []*unstructured.Unstructured, omitGVKManifest bool) (map[stri
 				}
 				syncedGVKs[gvk] = struct{}{}
 			}
-		} else if reader.IsConfig(obj) {
+		case reader.IsConfig(obj):
 			if hasConfig {
 				return nil, nil, fmt.Errorf("multiple configs found; Config is a singleton resource")
 			}
@@ -70,7 +70,7 @@ func Test(unstrucs []*unstructured.Unstructured, omitGVKManifest bool) (map[stri
 				}
 				syncedGVKs[gvk] = struct{}{}
 			}
-		} else if reader.IsTemplate(obj) {
+		case reader.IsTemplate(obj):
 			templ, err := reader.ToTemplate(scheme, obj)
 			if err != nil {
 				templateErrs[obj.GetName()] = err
@@ -82,7 +82,7 @@ func Test(unstrucs []*unstructured.Unstructured, omitGVKManifest bool) (map[stri
 				continue
 			}
 			templates[templ] = syncRequirements
-		} else if reader.IsGVKManifest(obj) {
+		case reader.IsGVKManifest(obj):
 			if gvkManifest == nil {
 				gvkManifest, err = reader.ToGVKManifest(scheme, obj)
 				if err != nil {
@@ -91,7 +91,7 @@ func Test(unstrucs []*unstructured.Unstructured, omitGVKManifest bool) (map[stri
 			} else {
 				return nil, nil, fmt.Errorf("multiple GVK manifests found; please provide one manifest enumerating the GVKs supported by the cluster")
 			}
-		} else {
+		default:
 			fmt.Printf("skipping unstructured %q because it is not a syncset, config, gvk manifest, or template\n", obj.GetName())
 		}
 	}