kernelci: api: helper: fix rules enforcement for missing params

By default, if a rule refers to a param that can be found neither in
the to-be-created node nor in any of its ancestors we assume the rule
is verified (as in, we don't block creating the node). This behaviour
felt safe enough until we encountered a rare corner case:
`coverage-report` nodes were created with a `kunit-x86_64` parent,
although such nodes should only be created on jobs run for a kernel
built with the `coverage` fragment.

This could happen because `kunit-x86_64` is created from a `checkout`
node, not a `kbuild` one, and therefore neither this job nor its parent
contain a `fragments` attribute.

The above showed we needed to be a bit stricter when checking rules. To
this end, the following behaviour is enforced for missing attributes:
- if the rule only contains a deny-list, the rule is verified and the
  node can be created (a non-existing attribute cannot have a forbidden
  value, precisely because it doesn't have a value)
- if an allow-list is present, then the attribute's value MUST be part
  of this list; as a consequence, we now require the attribute to exist,
  and deny the node creation if it doesn't

Fixes kernelci/kernelci-pipeline#1290

Signed-off-by: Arnaud Ferraris <[email protected]>

Author: a-wai

kernelci/api/helper.py

@@ -162,12 +162,25 @@ def _is_allowed(self, rules, key, node):
         # Find the node (or ancestor node) attribute corresponding to the
         # rule we're applying
         base = self._find_container(key, node)
-        if not base:
-            return True
 
         deny = [f.lstrip('!') for f in rules[key] if f.startswith('!')]
         allow = [f for f in rules[key] if not f.startswith('!')]
 
+        # If the parameter (key) associated to a given rule cannot be found
+        # in the current hierarchy, there are two cases:
+        # * the rule only excludes certain values (no allowed value, only
+        #   denied ones): as the parameter doesn't exist, it can't use a
+        #   denied value, so we can proceed with creating the node
+        # * the rule does have an allow-list: here we can assume that the
+        #   parameter is REQUIRED to have one of the allowed values, and
+        #   therefore MUST exist; if it doesn't, then we shouldn't create
+        #   the node on the basis that its rules aren; t fulfilled
+        if not base:
+            if len(allow) > 0:
+                print(f"rules[{key}]: attribute '{key}' not found in node hierarchy")
+                return False
+            return True
+
         # Rules are appied depending on how the data is initially stored:
         # * if it's a list (e.g. config fragments), then it must contain
         #   at least one element from the allow-list; additionally, none