Gracefully report error in tag_format template

detjensrobert · detjensrobert · commit 2a42a6875d75 · 2025-04-28T22:35:55.000-07:00
`render!()` panics when a strict-mode error occurs. Add a small helper fn
to render template strings without the macro and gracefully return errors.

Signed-off-by: Robert Detjens &lt;github@detjens.dev&gt;
diff --git a/src/access_handlers/docker.rs b/src/access_handlers/docker.rs
@@ -6,11 +6,11 @@ use bollard::{
 };
 use futures::{StreamExt, TryStreamExt};
 use itertools::Itertools;
-use minijinja::render;
+use minijinja;
 use tokio;
 use tracing::{debug, error, info, trace, warn};
 
-use crate::clients::docker;
+use crate::clients::{docker, render_strict};
 use crate::configparser::{get_config, get_profile_config};
 
 /// container registry / daemon access checks
@@ -27,13 +27,16 @@ pub async fn check(profile_name: &str) -> Result<()> {
 
     // build test image string
     // registry.example.com/somerepo/testimage:pleaseignore
-    let test_image = render!(
+    let test_image = render_strict(
         &registry_config.tag_format,
+        minijinja::context! {
         domain => registry_config.domain,
         challenge => "accesscheck",
         container => "testimage",
         profile => profile_name
-    );
+        },
+    )
+    .context("could not render tag format template")?;
     debug!("will push test image to {}", test_image);
 
     // push alpine image with build credentials
diff --git a/src/clients.rs b/src/clients.rs
@@ -345,3 +345,19 @@ pub async fn wait_for_status(client: &kube::Client, object: &DynamicObject) -> R
 
     Ok(())
 }
+
+//
+// Minijinja strict rendering with error
+//
+
+/// Similar to minijinja.render!(), but return Error if any undefined values.
+pub fn render_strict(template: &str, context: minijinja::Value) -> Result<String> {
+    let mut strict_env = minijinja::Environment::new();
+    // error on any undefined template variables
+    strict_env.set_undefined_behavior(minijinja::UndefinedBehavior::Strict);
+
+    let r = strict_env
+        .render_str(template, context)
+        .context(format!("could not render template {:?}", template))?;
+    Ok(r)
+}
diff --git a/src/configparser/challenge.rs b/src/configparser/challenge.rs
@@ -4,7 +4,6 @@ use figment::Figment;
 use fully_pub::fully_pub;
 use glob::glob;
 use itertools::Itertools;
-use minijinja::render;
 use serde::{Deserialize, Serialize};
 use serde_nested_with::serde_nested;
 use std::collections::HashMap as Map;
@@ -13,6 +12,7 @@ use std::str::FromStr;
 use tracing::{debug, error, info, trace, warn};
 use void::Void;
 
+use crate::clients::render_strict;
 use crate::configparser::config::Resource;
 use crate::configparser::field_coersion::string_or_struct;
 use crate::configparser::get_config;
@@ -154,13 +154,16 @@ impl ChallengeConfig {
         match &pod.image_source {
             ImageSource::Image(t) => Ok(t.to_string()),
             // render image tag template from config
-            ImageSource::Build(b) => Ok(render!(
+            ImageSource::Build(b) => render_strict(
                 &get_config()?.registry.tag_format,
-                domain => config.registry.domain,
-                challenge => self.slugify(),
-                container => pod.name,
-                profile => profile_name
-            )),
+                minijinja::context! {
+                    domain => config.registry.domain,
+                    challenge => self.slugify(),
+                    container => pod.name,
+                    profile => profile_name
+                },
+            )
+            .context("error rendering challenge image tag template"),
         }
     }
 
