Skip to content

Commit d081fd5

Browse files
sbueringersbueringer
committed
Validate stored messageExpressions with the correct CEL environment
Signed-off-by: Stefan Büringer [email protected]
1 parent 8b72795 commit d081fd5

File tree

2 files changed

+41
-17
lines changed

2 files changed

+41
-17
lines changed

staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/validation.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -179,7 +179,7 @@ func findPreexistingExpressionsInSchema(schema *apiextensions.JSONSchemaProps, e
179179
for _, v := range s.XValidations {
180180
expressions.rules.Insert(v.Rule)
181181
if len(v.MessageExpression) > 0 {
182-
expressions.messageExpressions.Insert(v.Rule)
182+
expressions.messageExpressions.Insert(v.MessageExpression)
183183
}
184184
}
185185
return false

staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/validation_test.go

Lines changed: 40 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -7282,7 +7282,7 @@ func TestValidateCustomResourceDefinitionUpdate(t *testing.T) {
72827282
}
72837283

72847284
func TestValidateCustomResourceDefinitionValidationRuleCompatibility(t *testing.T) {
7285-
allValidationsErrors := []validationMatch{
7285+
allRuleValidationsErrors := []validationMatch{
72867286
invalid("spec", "validation", "openAPIV3Schema", "properties[x]", "x-kubernetes-validations[0]", "rule"),
72877287
invalid("spec", "validation", "openAPIV3Schema", "properties[obj]", "x-kubernetes-validations[0]", "rule"),
72887288
invalid("spec", "validation", "openAPIV3Schema", "properties[obj]", "properties[a]", "x-kubernetes-validations[0]", "rule"),
@@ -7291,23 +7291,46 @@ func TestValidateCustomResourceDefinitionValidationRuleCompatibility(t *testing.
72917291
invalid("spec", "validation", "openAPIV3Schema", "properties[map]", "x-kubernetes-validations[0]", "rule"),
72927292
invalid("spec", "validation", "openAPIV3Schema", "properties[map]", "additionalProperties", "x-kubernetes-validations[0]", "rule"),
72937293
}
7294+
allMessageExpressionValidationsErrors := []validationMatch{
7295+
invalid("spec", "validation", "openAPIV3Schema", "properties[x]", "x-kubernetes-validations[0]", "messageExpression"),
7296+
invalid("spec", "validation", "openAPIV3Schema", "properties[obj]", "x-kubernetes-validations[0]", "messageExpression"),
7297+
invalid("spec", "validation", "openAPIV3Schema", "properties[obj]", "properties[a]", "x-kubernetes-validations[0]", "messageExpression"),
7298+
invalid("spec", "validation", "openAPIV3Schema", "properties[array]", "x-kubernetes-validations[0]", "messageExpression"),
7299+
invalid("spec", "validation", "openAPIV3Schema", "properties[array]", "items", "x-kubernetes-validations[0]", "messageExpression"),
7300+
invalid("spec", "validation", "openAPIV3Schema", "properties[map]", "x-kubernetes-validations[0]", "messageExpression"),
7301+
invalid("spec", "validation", "openAPIV3Schema", "properties[map]", "additionalProperties", "x-kubernetes-validations[0]", "messageExpression"),
7302+
}
72947303

72957304
tests := []struct {
7296-
name string
7297-
storedRule string
7298-
updatedRule string
7299-
errors []validationMatch
7305+
name string
7306+
storedRule string
7307+
updatedRule string
7308+
storedMessageExpression string
7309+
updatedMessageExpression string
7310+
errors []validationMatch
73007311
}{
73017312
{
7302-
name: "functions declared for storage mode allowed if expression is unchanged from what is stored",
7303-
storedRule: "test() == true",
7304-
updatedRule: "test() == true",
7313+
name: "functions declared for storage mode allowed if expressions are unchanged from what is stored",
7314+
storedRule: "test() == true",
7315+
updatedRule: "test() == true",
7316+
storedMessageExpression: "'test: %s'.format([test()])",
7317+
updatedMessageExpression: "'test: %s'.format([test()])",
7318+
},
7319+
{
7320+
name: "functions declared for storage mode not allowed if rule expression is changed",
7321+
storedRule: "test() == false",
7322+
updatedRule: "test() == true", // rule was changed
7323+
storedMessageExpression: "'test: %s'.format([test()])",
7324+
updatedMessageExpression: "'test: %s'.format([test()])",
7325+
errors: allRuleValidationsErrors,
73057326
},
73067327
{
7307-
name: "functions declared for storage mode not allowed if expression is changed",
7308-
storedRule: "test() == false",
7309-
updatedRule: "test() == true",
7310-
errors: allValidationsErrors,
7328+
name: "functions declared for storage mode not allowed if message expression is changed",
7329+
storedRule: "test() == true",
7330+
updatedRule: "test() == true",
7331+
storedMessageExpression: "'test: %s'.format([test()])",
7332+
updatedMessageExpression: "'test - updated: %s'.format([test()])", // messageExpression was changed
7333+
errors: allMessageExpressionValidationsErrors,
73117334
},
73127335
}
73137336

@@ -7322,10 +7345,11 @@ func TestValidateCustomResourceDefinitionValidationRuleCompatibility(t *testing.
73227345
}
73237346

73247347
for _, tc := range tests {
7325-
fn := func(rule string) *apiextensions.CustomResourceDefinition {
7348+
fn := func(rule, messageExpression string) *apiextensions.CustomResourceDefinition {
73267349
validationRules := []apiextensions.ValidationRule{
73277350
{
7328-
Rule: rule,
7351+
Rule: rule,
7352+
MessageExpression: messageExpression,
73297353
},
73307354
}
73317355
return &apiextensions.CustomResourceDefinition{
@@ -7382,8 +7406,8 @@ func TestValidateCustomResourceDefinitionValidationRuleCompatibility(t *testing.
73827406
Status: apiextensions.CustomResourceDefinitionStatus{StoredVersions: []string{"version"}},
73837407
}
73847408
}
7385-
old := fn(tc.storedRule)
7386-
resource := fn(tc.updatedRule)
7409+
old := fn(tc.storedRule, tc.storedMessageExpression)
7410+
resource := fn(tc.updatedRule, tc.updatedMessageExpression)
73877411

73887412
t.Run(tc.name, func(t *testing.T) {
73897413
ctx := context.TODO()

0 commit comments

Comments
 (0)