Expand context kinds

With the `.Object` variable, Kubernetes objects
could have a variety of kinds. Expand the context
check to allow these kinds, avoiding pointers,
channels, and functions.

ref: https://issues.redhat.com/browse/ACM-20863
Signed-off-by: Dale Haiducek <19750917+dhaiducek@users.noreply.github.com>

Author: dhaiducek

pkg/templates/templates.go

@@ -50,8 +50,7 @@ var (
 	ErrProtectNotEnabled     = errors.New("the protect template function is not enabled in this mode")
 	ErrNewLinesNotAllowed    = errors.New("new lines are not allowed in the string passed to the toLiteral function")
 	ErrInvalidContextType    = errors.New(
-		"the input context must be a struct with fields (recursively) of type string, map[string]string, " +
-			"map[string]interface{}, or struct",
+		"the input context must be a struct that recurses to kinds bool, int, float, or string",
 	)
 	ErrMissingNamespace = errors.New(
 		"the lookup of a single namespaced resource must have a namespace specified",
@@ -385,10 +384,10 @@ func getValidContext(value interface{}) (interface{}, error) {
 
 	// Require the context to be a struct
 	if reflect.TypeOf(value).Kind() != reflect.Struct {
-		return nil, fmt.Errorf("%w, got %s", ErrInvalidContextType, reflect.TypeOf(value))
+		return nil, fmt.Errorf("%w, but found a parent of kind %s", ErrInvalidContextType, reflect.TypeOf(value))
 	}
 
-	// Require the context to have fields of strings or maps/structs with string/map values/fields.
+	// Require the context to recurse to primitive keys and values through structs, maps, or arrays
 	err := getValidContextHelper(value)
 	if err != nil {
 		return nil, err
@@ -397,49 +396,85 @@ func getValidContext(value interface{}) (interface{}, error) {
 	return value, nil
 }
 
-func getValidContextHelper(value interface{}) error {
+// isPrimitive detects primitive types from the reflect package
+func isPrimitive(kind reflect.Kind) bool {
+	switch kind {
+	case
+		reflect.Bool,
+		reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64,
+		reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64,
+		reflect.Float32, reflect.Float64,
+		reflect.String:
+		return true
+
+	default:
+		return false
+	}
+}
+
+func getValidContextHelper(value any) error {
 	f := reflect.TypeOf(value)
 
-	switch f.Kind() {
-	case reflect.String:
+	// Allow primitive types (excludes complex numbers)
+	if isPrimitive(f.Kind()) {
 		return nil
+	}
+
+	// Handle complex types
+	switch f.Kind() {
+	// Allow arrays and recurse into each item
+	case reflect.Slice, reflect.Array:
+		// Iterate over embedded maps and interfaces
+		if f.Elem().Kind() == reflect.Interface || f.Elem().Kind() == reflect.Map {
+			for i := range reflect.ValueOf(value).Len() {
+				err := getValidContextHelper(reflect.ValueOf(value).Index(i).Interface())
+				if err != nil {
+					return err
+				}
+			}
+		} else if !isPrimitive(f.Elem().Kind()) {
+			// Verify map values are primitive
+			return fmt.Errorf("%w, found an array with values of kind %s", ErrInvalidContextType, reflect.TypeOf(value))
+		}
+
+	// Allow structs and recurse into fields
 	case reflect.Struct:
 		for i := range f.NumField() {
-			err := getValidContextHelper(reflect.ValueOf(value).Field(i).Interface())
-			if err != nil {
-				return err
+			// Only handle exported struct fields (causes a panic calling Interface())
+			if f.Field(i).IsExported() {
+				err := getValidContextHelper(reflect.ValueOf(value).Field(i).Interface())
+				if err != nil {
+					return err
+				}
 			}
 		}
 
-		return nil
+	// Allow maps and recurse into keys
 	case reflect.Map:
-		// Only allow string keys in maps
-		if f.Key().Kind() != reflect.String {
-			return ErrInvalidContextType
+		// Only allow primitive keys in maps
+		if !isPrimitive(f.Key().Kind()) {
+			return fmt.Errorf("%w, found a map with keys of kind %s", ErrInvalidContextType, f.Key().Kind())
 		}
 
-		// Check if it's a map of maps/strings. This is to allow things such as the Kubernetes metadata field which has
-		// string (e.g. name) and map[string]string (e.g. labels) values.
+		// Iterate over embedded maps and interfaces
 		if f.Elem().Kind() == reflect.Interface || f.Elem().Kind() == reflect.Map {
 			for _, key := range reflect.ValueOf(value).MapKeys() {
 				err := getValidContextHelper(reflect.ValueOf(value).MapIndex(key).Interface())
 				if err != nil {
 					return err
 				}
 			}
-
-			return nil
-		}
-
-		// Check if it's map[string]string
-		if f.Elem().Kind() != reflect.String {
-			return ErrInvalidContextType
+		} else if !isPrimitive(f.Elem().Kind()) {
+			// Verify map values are primitive
+			return fmt.Errorf("%w, found a map with values of kind %s", ErrInvalidContextType, reflect.TypeOf(value))
 		}
 
-		return nil
+	// Disallow all else like pointers and channels
 	default:
-		return ErrInvalidContextType
+		return fmt.Errorf("%w, found value of kind %s", ErrInvalidContextType, reflect.TypeOf(value))
 	}
+
+	return nil
 }
 
 // validateEncryptionConfig validates an EncryptionConfig struct to ensure that if encryption

pkg/templates/templates_test.go

@@ -737,6 +737,8 @@ func TestResolveTemplateDefaultConfig(t *testing.T) {
 func TestResolveTemplateErrors(t *testing.T) {
 	t.Parallel()
 
+	str := "world"
+
 	testcases := map[string]resolveTestCase{
 		"toLiteral_with_newlines": {
 			inputTmpl:   `param: '{{ "something\n  with\n  new\n lines\n" | toLiteral }}'`,
@@ -754,29 +756,24 @@ func TestResolveTemplateErrors(t *testing.T) {
 			ctx:         123,
 			expectedErr: ErrInvalidContextType,
 		},
-		"invalid_context_nested_int": {
-			inputTmpl:   `test: '{{ printf "hello %s" "world" }}'`,
-			ctx:         struct{ ClusterID int }{12},
-			expectedErr: ErrInvalidContextType,
-		},
-		"invalid_context_map_with_int": {
+		"invalid_context_not_struct": {
 			inputTmpl:   `test: '{{ printf "hello %s" "world" }}'`,
-			ctx:         struct{ Foo map[string]int }{Foo: map[string]int{"bar": 12}},
+			ctx:         map[string]string{"hello": "world"},
 			expectedErr: ErrInvalidContextType,
 		},
-		"invalid_context_map_of_int": {
+		"invalid_context_pointer": {
 			inputTmpl:   `test: '{{ printf "hello %s" "world" }}'`,
-			ctx:         struct{ Foo map[int]string }{Foo: map[int]string{47: "something"}},
+			ctx:         struct{ Hello *string }{Hello: &str},
 			expectedErr: ErrInvalidContextType,
 		},
-		"invalid_context_nested_struct": {
+		"invalid_context_array_of_pointers": {
 			inputTmpl:   `test: '{{ printf "hello %s" "world" }}'`,
-			ctx:         struct{ Metadata struct{ NestedInt int } }{struct{ NestedInt int }{NestedInt: 3}},
+			ctx:         struct{ Hello []*string }{Hello: []*string{&str}},
 			expectedErr: ErrInvalidContextType,
 		},
-		"invalid_context_not_struct": {
+		"invalid_context_array_of_maps_to_pointers": {
 			inputTmpl:   `test: '{{ printf "hello %s" "world" }}'`,
-			ctx:         map[string]string{"hello": "world"},
+			ctx:         struct{ Hello []map[bool]*string }{Hello: []map[bool]*string{{false: &str}}},
 			expectedErr: ErrInvalidContextType,
 		},
 		"disabled_fromSecret": {
@@ -911,11 +908,36 @@ func TestResolveTemplateWithContext(t *testing.T) {
 			expectedResult: "test: SSBhbSBhIHJlYWxseSBsb25nIHRlbXBsYXRlIGZvciBjbHVzdGVyIGNsdXN0ZXIxIHRoYXQgbmVlZH" +
 				"MgdG8gYmUgb3ZlciA4MCBjaGFyYWN0ZXJzIHRvIHRlc3Qgc29tZXRoaW5n",
 		},
+		"nested_int": {
+			inputTmpl:      `test: '{{ printf "hello %d" .ClusterID }}'`,
+			ctx:            struct{ ClusterID int }{12},
+			expectedResult: "test: hello 12",
+		},
+		"nested_array": {
+			inputTmpl:      `value: '{{ index .Foo 0 }}'`,
+			ctx:            struct{ Foo []string }{Foo: []string{"hello"}},
+			expectedResult: "value: hello",
+		},
+		"nested_map_with_int": {
+			inputTmpl:      `test: '{{ printf "hello %d" .Foo.bar }}'`,
+			ctx:            struct{ Foo map[string]int }{Foo: map[string]int{"bar": 12}},
+			expectedResult: "test: hello 12",
+		},
+		"nested_map_of_int": {
+			inputTmpl:      `test: '{{ printf "hello %s" (index .Foo 47) }}'`,
+			ctx:            struct{ Foo map[int]string }{Foo: map[int]string{47: "something"}},
+			expectedResult: "test: hello something",
+		},
 		"nested_map": {
 			inputTmpl:      `value: '{{ .Foo.greeting }}'`,
 			ctx:            struct{ Foo map[string]string }{Foo: map[string]string{"greeting": "hello"}},
 			expectedResult: "value: hello",
 		},
+		"nested_struct_with_int": {
+			inputTmpl:      `test: '{{ printf "hello %d" .Metadata.NestedInt }}'`,
+			ctx:            struct{ Metadata struct{ NestedInt int } }{struct{ NestedInt int }{NestedInt: 3}},
+			expectedResult: "test: hello 3",
+		},
 		"nested_struct": {
 			inputTmpl: `value: '{{ .Metadata.Labels.hello }} {{ .Metadata.Namespace }}'`,
 			ctx: struct{ Metadata partialMetadata }{