Ignore empty namespaces when comparing policies (#2226)

Author: jsoriano

internal/testrunner/runners/policy/policy.go

@@ -97,6 +97,7 @@ type policyEntryFilter struct {
 	name            string
 	elementsEntries []policyEntryFilter
 	memberReplace   *policyEntryReplace
+	onlyIfEmpty     bool
 }
 
 type policyEntryReplace struct {
@@ -148,6 +149,9 @@ var policyEntryFilters = []policyEntryFilter{
 		regexp:  regexp.MustCompile(`^[a-z0-9]{4,}(-[a-z0-9]{4,})+$`),
 		replace: "uuid-for-permissions-on-related-indices",
 	}},
+
+	// Namespaces may not be present in older versions of the stack.
+	{name: "namespaces", onlyIfEmpty: true},
 }
 
 // cleanPolicy prepares a policy YAML as returned by the download API to be compared with other
@@ -170,15 +174,16 @@ func cleanPolicy(policy []byte, entriesToClean []policyEntryFilter) ([]byte, err
 
 func cleanPolicyMap(policyMap common.MapStr, entries []policyEntryFilter) (common.MapStr, error) {
 	for _, entry := range entries {
+		v, err := policyMap.GetValue(entry.name)
+		if errors.Is(err, common.ErrKeyNotFound) {
+			continue
+		}
+		if err != nil {
+			return nil, err
+		}
+
 		switch {
 		case len(entry.elementsEntries) > 0:
-			v, err := policyMap.GetValue(entry.name)
-			if errors.Is(err, common.ErrKeyNotFound) {
-				continue
-			}
-			if err != nil {
-				return nil, err
-			}
 			list, err := common.ToMapStrSlice(v)
 			if err != nil {
 				return nil, err
@@ -197,10 +202,6 @@ func cleanPolicyMap(policyMap common.MapStr, entries []policyEntryFilter) (commo
 				return nil, err
 			}
 		case entry.memberReplace != nil:
-			v, err := policyMap.GetValue(entry.name)
-			if errors.Is(err, common.ErrKeyNotFound) {
-				continue
-			}
 			m, ok := v.(common.MapStr)
 			if !ok {
 				return nil, fmt.Errorf("expected map, found %T", v)
@@ -212,6 +213,9 @@ func cleanPolicyMap(policyMap common.MapStr, entries []policyEntryFilter) (commo
 				}
 			}
 		default:
+			if entry.onlyIfEmpty && !isEmpty(v) {
+				continue
+			}
 			err := policyMap.Delete(entry.name)
 			if errors.Is(err, common.ErrKeyNotFound) {
 				continue
@@ -224,3 +228,16 @@ func cleanPolicyMap(policyMap common.MapStr, entries []policyEntryFilter) (commo
 
 	return policyMap, nil
 }
+
+func isEmpty(v any) bool {
+	switch v := v.(type) {
+	case nil:
+		return true
+	case []any:
+		return len(v) == 0
+	case map[string]any:
+		return len(v) == 0
+	}
+
+	return false
+}

internal/testrunner/runners/policy/policy_test.go

@@ -58,6 +58,25 @@ id: "2e19c1c4-185b-11ef-a7fc-43855f39047f"
 `,
 			fail: true,
 		},
+		{
+			title: "clean namespaces if empty",
+			expected: `
+`,
+			found: `
+namespaces: []
+`,
+			equal: true,
+		},
+		{
+			title: "clean namespaces only if empty",
+			expected: `
+namespaces: []
+`,
+			found: `
+namespaces: [foo]
+`,
+			equal: false,
+		},
 		{
 			title: "clean expected",
 			expected: `
@@ -138,6 +157,7 @@ inputs:
           password: ${SECRET_0}
       type: sql/metrics
       use_output: default
+namespaces: []
 output_permissions:
     default:
         _elastic_agent_checks: