Merge branch 'main' into pre-push-size-check

defenseunicorns · Dec 13, 2024 · 5cdb69e · 5cdb69e
2 parents 1169929 + 34f4e50
commit 5cdb69e
Show file tree

Hide file tree

Showing 10 changed files with 151 additions and 172 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -44,17 +44,17 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@babb554ede22fd5605947329c4d04d8e7a0b8155 # v3.27.7
+        uses: github/codeql-action/init@8a93837afdf1873301a68d777844b43e98cd4313 # v3.27.8
         with:
           languages: ${{ matrix.language }}
 
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@babb554ede22fd5605947329c4d04d8e7a0b8155 # v3.27.7
+        uses: github/codeql-action/autobuild@8a93837afdf1873301a68d777844b43e98cd4313 # v3.27.8
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@babb554ede22fd5605947329c4d04d8e7a0b8155 # v3.27.7
+        uses: github/codeql-action/analyze@8a93837afdf1873301a68d777844b43e98cd4313 # v3.27.8
         with:
           category: "/language:${{matrix.language}}"
 
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -60,6 +60,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@babb554ede22fd5605947329c4d04d8e7a0b8155 # v2.2.4
+        uses: github/codeql-action/upload-sarif@8a93837afdf1873301a68d777844b43e98cd4313 # v2.2.4
         with:
           sarif_file: results.sarif
diff --git a/src/lib/filter/filterNoMatchReason.ts b/src/lib/filter/filterNoMatchReason.ts
@@ -0,0 +1,108 @@
+import { KubernetesObject } from "kubernetes-fluent-client";
+import {
+  mismatchedDeletionTimestamp,
+  mismatchedName,
+  definedName,
+  carriedName,
+  misboundNamespace,
+  mismatchedLabels,
+  definedLabels,
+  carriedLabels,
+  mismatchedAnnotations,
+  definedAnnotations,
+  carriedAnnotations,
+  uncarryableNamespace,
+  carriedNamespace,
+  unbindableNamespaces,
+  definedNamespaces,
+  mismatchedNamespace,
+  mismatchedNamespaceRegex,
+  definedNamespaceRegexes,
+  mismatchedNameRegex,
+  definedNameRegex,
+  carriesIgnoredNamespace,
+  missingCarriableNamespace,
+} from "./adjudicators/adjudicators";
+import { Binding } from "../types";
+
+/**
+ * Decide to run callback after the event comes back from API Server
+ **/
+
+export function filterNoMatchReason(
+  binding: Binding,
+  kubernetesObject: Partial<KubernetesObject>,
+  capabilityNamespaces: string[],
+  ignoredNamespaces?: string[],
+): string {
+  const prefix = "Ignoring Watch Callback:";
+
+  // prettier-ignore
+  return (
+    mismatchedDeletionTimestamp(binding, kubernetesObject) ?
+      `${prefix} Binding defines deletionTimestamp but Object does not carry it.` :
+
+      mismatchedName(binding, kubernetesObject) ?
+        `${prefix} Binding defines name '${definedName(binding)}' but Object carries '${carriedName(kubernetesObject)}'.` :
+
+        misboundNamespace(binding) ?
+          `${prefix} Cannot use namespace filter on a namespace object.` :
+
+          mismatchedLabels(binding, kubernetesObject) ?
+            (
+              `${prefix} Binding defines labels '${JSON.stringify(definedLabels(binding))}' ` +
+              `but Object carries '${JSON.stringify(carriedLabels(kubernetesObject))}'.`
+            ) :
+
+            mismatchedAnnotations(binding, kubernetesObject) ?
+              (
+                `${prefix} Binding defines annotations '${JSON.stringify(definedAnnotations(binding))}' ` +
+                `but Object carries '${JSON.stringify(carriedAnnotations(kubernetesObject))}'.`
+              ) :
+
+              uncarryableNamespace(capabilityNamespaces, kubernetesObject) ?
+                (
+                  `${prefix} Object carries namespace '${carriedNamespace(kubernetesObject)}' ` +
+                  `but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.`
+                ) :
+
+                unbindableNamespaces(capabilityNamespaces, binding) ?
+                  (
+                    `${prefix} Binding defines namespaces ${JSON.stringify(definedNamespaces(binding))} ` +
+                    `but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.`
+                  ) :
+
+                  mismatchedNamespace(binding, kubernetesObject) ?
+                    (
+                      `${prefix} Binding defines namespaces '${JSON.stringify(definedNamespaces(binding))}' ` +
+                      `but Object carries '${carriedNamespace(kubernetesObject)}'.`
+                    ) :
+
+                    mismatchedNamespaceRegex(binding, kubernetesObject) ?
+                      (
+                        `${prefix} Binding defines namespace regexes ` +
+                        `'${JSON.stringify(definedNamespaceRegexes(binding))}' ` +
+                        `but Object carries '${carriedNamespace(kubernetesObject)}'.`
+                      ) :
+
+                      mismatchedNameRegex(binding, kubernetesObject) ?
+                        (
+                          `${prefix} Binding defines name regex '${definedNameRegex(binding)}' ` +
+                          `but Object carries '${carriedName(kubernetesObject)}'.`
+                        ) :
+
+                        carriesIgnoredNamespace(ignoredNamespaces, kubernetesObject) ?
+                          (
+                            `${prefix} Object carries namespace '${carriedNamespace(kubernetesObject)}' ` +
+                            `but ignored namespaces include '${JSON.stringify(ignoredNamespaces)}'.`
+                          ) :
+
+                          missingCarriableNamespace(capabilityNamespaces, kubernetesObject) ?
+                            (
+                              `${prefix} Object does not carry a namespace ` +
+                              `but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.`
+                            ) :
+
+                            ""
+  );
+}
diff --git a/src/lib/helpers.test.ts b/src/lib/helpers.test.ts
@@ -4,10 +4,8 @@
 import { Binding, CapabilityExport } from "./types";
 import { Event } from "./enums";
 import {
-  addVerbIfNotExists,
   bindingAndCapabilityNSConflict,
   createRBACMap,
-  filterNoMatchReason,
   dedent,
   generateWatchNamespaceError,
   hasAnyOverlap,
@@ -22,6 +20,7 @@ import {
   validateCapabilityNames,
   ValidationError,
 } from "./helpers";
+import { filterNoMatchReason } from "./filter/filterNoMatchReason";
 import { sanitizeResourceName } from "../sdk/sdk";
 import * as fc from "fast-check";
 import { expect, describe, jest, beforeEach, afterEach, it } from "@jest/globals";
@@ -358,20 +357,6 @@ describe("createRBACMap", () => {
   });
 });
 
-describe("addVerbIfNotExists", () => {
-  it("should add a verb if it does not exist in the array", () => {
-    const verbs = ["get", "list"];
-    addVerbIfNotExists(verbs, "watch");
-    expect(verbs).toEqual(["get", "list", "watch"]);
-  });
-
-  it("should not add a verb if it already exists in the array", () => {
-    const verbs = ["get", "list", "watch"];
-    addVerbIfNotExists(verbs, "get");
-    expect(verbs).toEqual(["get", "list", "watch"]); // The array remains unchanged
-  });
-});
-
 describe("hasAnyOverlap", () => {
   it("returns true for overlapping arrays", () => {
     expect(hasAnyOverlap([1, 2, 3], [3, 4, 5])).toBe(true);
@@ -683,26 +668,25 @@ describe("namespaceComplianceValidator", () => {
 });
 
 describe("parseTimeout", () => {
-  const PREV = "a";
   it("should return a number when a valid string number between 1 and 30 is provided", () => {
-    expect(parseTimeout("5", PREV)).toBe(5);
-    expect(parseTimeout("1", PREV)).toBe(1);
-    expect(parseTimeout("30", PREV)).toBe(30);
+    expect(parseTimeout("5")).toBe(5);
+    expect(parseTimeout("1")).toBe(1);
+    expect(parseTimeout("30")).toBe(30);
   });
 
   it("should throw an InvalidArgumentError for non-numeric strings", () => {
-    expect(() => parseTimeout("abc", PREV)).toThrow(Error);
-    expect(() => parseTimeout("", PREV)).toThrow(Error);
+    expect(() => parseTimeout("abc")).toThrow(Error);
+    expect(() => parseTimeout("")).toThrow(Error);
   });
 
   it("should throw an InvalidArgumentError for numbers outside the 1-30 range", () => {
-    expect(() => parseTimeout("0", PREV)).toThrow(Error);
-    expect(() => parseTimeout("31", PREV)).toThrow(Error);
+    expect(() => parseTimeout("0")).toThrow(Error);
+    expect(() => parseTimeout("31")).toThrow(Error);
   });
 
   it("should throw an InvalidArgumentError for numeric strings that represent floating point numbers", () => {
-    expect(() => parseTimeout("5.5", PREV)).toThrow(Error);
-    expect(() => parseTimeout("20.1", PREV)).toThrow(Error);
+    expect(() => parseTimeout("5.5")).toThrow(Error);
+    expect(() => parseTimeout("20.1")).toThrow(Error);
   });
 });