diff --git a/third_party/k8s.io/apiserver/pkg/cel/errors.go b/third_party/k8s.io/apiserver/pkg/cel/errors.go
index 907ca6e..d7b052f 100644
--- a/third_party/k8s.io/apiserver/pkg/cel/errors.go
+++ b/third_party/k8s.io/apiserver/pkg/cel/errors.go
@@ -16,11 +16,46 @@ limitations under the License.
 package cel
+import (
+ "fmt"
+
+ "github.com/google/cel-go/cel"
+)
+
+// ErrInternal the basic error that occurs when the expression fails to evaluate
+// due to internal reasons. Any Error that has the Type of
+// ErrorInternal is considered equal to ErrInternal
+var ErrInternal = fmt.Errorf("internal")
+
+// ErrInvalid is the basic error that occurs when the expression fails to
+// evaluate but not due to internal reasons. Any Error that has the Type of
+// ErrorInvalid is considered equal to ErrInvalid.
+var ErrInvalid = fmt.Errorf("invalid")
+
+// ErrRequired is the basic error that occurs when the expression is required
+// but absent.
+// Any Error that has the Type of ErrorRequired is considered equal
+// to ErrRequired.
+var ErrRequired = fmt.Errorf("required")
+
+// ErrCompilation is the basic error that occurs when the expression fails to
+// compile. Any CompilationError wraps ErrCompilation.
+// ErrCompilation wraps ErrInvalid
+var ErrCompilation = fmt.Errorf("%w: compilation error", ErrInvalid)
+
+// ErrOutOfBudget is the basic error that occurs when the expression fails due to
+// exceeding budget.
+var ErrOutOfBudget = fmt.Errorf("out of budget")
+
 // Error is an implementation of the 'error' interface, which represents a
 // XValidation error.
 type Error struct {
 Type ErrorType
 Detail string
+
+ // Cause is an optional wrapped errors that can be useful to
+ // programmatically retrieve detailed errors.
+ Cause error
 }
 
 var _ error = &Error{}
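Review bot: The four fixed-string sentinels in this hunk — `ErrInternal`, `ErrInvalid`, `ErrRequired` and `ErrOutOfBudget` — are built with `fmt.Errorf` although they contain no format verbs; the idiomatic form is `var ErrInternal = errors.New("internal")` (and likewise for the other three), with `"errors"` added to the new import block, while `ErrCompilation` keeps `fmt.Errorf` because it wraps with `%w`. The doc comment on ErrInternal is also missing its verb: `// ErrInternal is the basic error that occurs when the expression fails to evaluate`. Note that `ErrOutOfBudget` is the only sentinel with no corresponding `ErrorType`, so an `*Error` can never match it through the `Is` method added in the next hunk; if that is intentional it deserves a sentence in its doc comment.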
@@ -30,7 +65,24 @@ func (v *Error) Error() string {
 return v.Detail
 }
-// ErrorType is a machine readable value providing more detail about why
+func (v *Error) Is(err error) bool {
+ switch v.Type {
+ case ErrorTypeRequired:
+ return err == ErrRequired
+ case ErrorTypeInvalid:
+ return err == ErrInvalid
+ case ErrorTypeInternal:
+ return err == ErrInternal
+ }
+ return false
+}
+
+// Unwrap returns the wrapped Cause.
+func (v *Error) Unwrap() error {
+ return v.Cause
+}
+
+// ErrorType is a machine-readable value providing more detail about why
 // a XValidation is invalid.
 type ErrorType string
@@ -45,3 +97,28 @@ const (
 // to user input. See InternalError().
 ErrorTypeInternal ErrorType = "InternalError"
 )
+
+// CompilationError indicates an error during expression compilation.
+// It wraps ErrCompilation.
+type CompilationError struct {
+ err *Error
+ Issues *cel.Issues
+}
+
+// NewCompilationError wraps a cel.Issues to indicate a compilation failure.
+func NewCompilationError(issues *cel.Issues) *CompilationError {
+ return &CompilationError{
+ Issues: issues,
+ err: &Error{
+ Type: ErrorTypeInvalid,
+ Detail: fmt.Sprintf("compilation error: %s", issues),
+ }}
+}
+
+func (e *CompilationError) Error() string {
+ return e.err.Error()
+}
+
+func (e *CompilationError) Unwrap() []error {
+ return []error{e.err, ErrCompilation}
+}
diff --git a/third_party/k8s.io/apiserver/pkg/cel/escaping.go b/third_party/k8s.io/apiserver/pkg/cel/escaping.go
new file mode 100644
index 0000000..705c353
--- /dev/null
+++ b/third_party/k8s.io/apiserver/pkg/cel/escaping.go
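Review bot: `Is` is an exported method with no doc comment, unlike the neighbouring `Unwrap`, and its matching rule is not obvious from the name: it compares the receiver's `Type` (not `Cause`) against the three sentinels and answers false for anything else, leaving `errors.Is` to continue through `Unwrap`. Document that contract, e.g. `// Is reports whether err is the sentinel (ErrRequired, ErrInvalid or ErrInternal) that corresponds to v.Type; other targets are matched by errors.Is through Unwrap and Cause.` The parameter is conventionally called `target` in an `Is` method, which would also avoid the impression that `err` is the error being inspected.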
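Review bot: `CompilationError.Unwrap` returns `[]error`, the multi-error form that `errors.Is`/`errors.As` only traverse since Go 1.20; on an older toolchain `errors.Is(err, ErrCompilation)` silently returns false because there is no single-error `Unwrap() error`, so the module's `go` directive should require at least 1.20 and the method should say so: `// Unwrap returns the wrapped *Error and ErrCompilation (multi-error unwrapping, requires Go 1.20+).` `NewCompilationError` also stores `issues` without a nil check, so if a caller can pass a nil `*cel.Issues` the `Detail` string is whatever `%s` renders for it — presumably worth guarding or documenting. The exported `Error` and `Unwrap` methods both lack doc comments.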
@@ -0,0 +1,170 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cel
+
+import (
+ "regexp"
+
+ "k8s.io/apimachinery/pkg/util/sets"
+)
+
+// celReservedSymbols is a list of RESERVED symbols defined in the CEL lexer.
+// No identifiers are allowed to collide with these symbols.
+// https://github.com/google/cel-spec/blob/master/doc/langdef.md#syntax
+var celReservedSymbols = sets.NewString(
+ "true", "false", "null", "in",
+ "as", "break", "const", "continue", "else",
+ "for", "function", "if", "import", "let",
+ "loop", "package", "namespace", "return", // !! 'namespace' is used heavily in Kubernetes
+ "var", "void", "while",
+)
+
+// expandMatcher matches the escape sequence, characters that are escaped, and characters that are unsupported
+var expandMatcher = regexp.MustCompile(`(__|[-./]|[^a-zA-Z0-9-./_])`)
+
+// newCharacterFilter returns a boolean array to indicate the allowed characters
+func newCharacterFilter(characters string) []bool {
+ maxChar := 0
+ for _, c := range characters {
+ if maxChar < int(c) {
+ maxChar = int(c)
+ }
+ }
+ filter := make([]bool, maxChar+1)
+
+ for _, c := range characters {
+ filter[int(c)] = true
+ }
+
+ return filter
+}
+
+type escapeCheck struct {
+ canSkipRegex bool
+ invalidCharFound bool
+}
+
+// skipRegexCheck checks if escape would be skipped.
+// if invalidCharFound is true, it must have invalid character; if invalidCharFound is false, not sure if it has invalid character or not
+func skipRegexCheck(ident string) escapeCheck {
+ escapeCheck := escapeCheck{canSkipRegex: true, invalidCharFound: false}
+ // skip escape if possible
+ previous_underscore := false
+ for _, c := range ident {
+ if c == '/' || c == '-' || c == '.' {
+ escapeCheck.canSkipRegex = false
+ return escapeCheck
+ }
+ intc := int(c)
+ if intc < 0 || intc >= len(validCharacterFilter) || !validCharacterFilter[intc] {
+ escapeCheck.invalidCharFound = true
+ return escapeCheck
+ }
+ if c == '_' && previous_underscore {
+ escapeCheck.canSkipRegex = false
+ return escapeCheck
+ }
+
+ previous_underscore = c == '_'
+ }
+ return escapeCheck
+}
+
+// validCharacterFilter indicates the allowed characters.
+var validCharacterFilter = newCharacterFilter("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_")
+
+// Escape escapes ident and returns a CEL identifier (of the form '[a-zA-Z_][a-zA-Z0-9_]*'), or returns
+// false if the ident does not match the supported input format of `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`.
+// Escaping Rules:
+// - '__' escapes to '__underscores__'
+// - '.' escapes to '__dot__'
+// - '-' escapes to '__dash__'
+// - '/' escapes to '__slash__'
+// - Identifiers that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are: "true", "false",
+// "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if", "import", "let", loop", "package",
+// "namespace", "return".
+func Escape(ident string) (string, bool) {
+ if len(ident) == 0 || ('0' <= ident[0] && ident[0] <= '9') {
+ return "", false
+ }
+ if celReservedSymbols.Has(ident) {
+ return "__" + ident + "__", true
+ }
+
+ escapeCheck := skipRegexCheck(ident)
+ if escapeCheck.invalidCharFound {
+ return "", false
+ }
+ if escapeCheck.canSkipRegex {
+ return ident, true
+ }
+
+ ok := true
+ ident = expandMatcher.ReplaceAllStringFunc(ident, func(s string) string {
+ switch s {
+ case "__":
+ return "__underscores__"
+ case ".":
+ return "__dot__"
+ case "-":
+ return "__dash__"
+ case "/":
+ return "__slash__"
+ default: // matched a unsupported supported
+ ok = false
+ return ""
+ }
+ })
+ if !ok {
+ return "", false
+ }
+ return ident, true
+}
+
+var unexpandMatcher = regexp.MustCompile(`(_{2}[^_]+_{2})`)
+
+// Unescape unescapes an CEL identifier containing the escape sequences described in Escape, or return false if the
+// string contains invalid escape sequences. The escaped input is expected to be a valid CEL identifier, but is
+// not checked.
+func Unescape(escaped string) (string, bool) {
+ ok := true
+ escaped = unexpandMatcher.ReplaceAllStringFunc(escaped, func(s string) string {
+ contents := s[2 : len(s)-2]
+ switch contents {
+ case "underscores":
+ return "__"
+ case "dot":
+ return "."
+ case "dash":
+ return "-"
+ case "slash":
+ return "/"
+ }
+ if celReservedSymbols.Has(contents) {
+ if len(s) != len(escaped) {
+ ok = false
+ }
+ return contents
+ }
+ ok = false
+ return ""
+ })
+ if !ok {
+ return "", false
+ }
+ return escaped, true
+}
diff --git a/third_party/k8s.io/apiserver/pkg/cel/limits.go b/third_party/k8s.io/apiserver/pkg/cel/limits.go
index 65c6ad5..66ab4e4 100644
--- a/third_party/k8s.io/apiserver/pkg/cel/limits.go
+++ b/third_party/k8s.io/apiserver/pkg/cel/limits.go
@@ -47,4 +47,6 @@ const (
 MinBoolSize = 4
 // MinNumberSize is the length of literal 0
 MinNumberSize = 1
+
+ MaxNameFormatRegexSize = 128
 )
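Review bot: The `Escape` doc comment states the accepted input format as `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`, but read as a regex `.-/` is a character range (0x2E–0x2F) and `-` itself is not in the class, whereas the code does accept a dash (`expandMatcher`'s `[-./]` alternative and the `'-'` case in `skipRegexCheck`); moving the dash to the end, `[a-zA-Z_./-][a-zA-Z0-9_./-]*`, makes the stated contract match the implementation. The same comment has a stray quote in the keyword list, `loop"` for `"loop"`. In `skipRegexCheck` the local `previous_underscore` is snake_case, which Go linters flag — `previousUnderscore` — and the `intc < 0` branch is dead because a rune produced by `range` over a string is never negative.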
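Review bot: `MaxNameFormatRegexSize` is the only constant in this block without a doc comment (`// MinNumberSize is the length of literal 0` sits directly above it), and nothing in the hunk says what the 128 bounds — the source length of a name-format regular expression, its compiled size, or the name being matched — which matters because such limits are what keeps user-supplied patterns from becoming a denial-of-service vector. Once the unit is confirmed against the caller, add e.g. `// MaxNameFormatRegexSize is the maximum length, in bytes, of a name-format regular expression accepted for validation.` on the line above the constant.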
diff --git a/third_party/k8s.io/apiserver/pkg/cel/quantity.go b/third_party/k8s.io/apiserver/pkg/cel/quantity.go
index 1057e33..ce82396 100644
--- a/third_party/k8s.io/apiserver/pkg/cel/quantity.go
+++ b/third_party/k8s.io/apiserver/pkg/cel/quantity.go
@@ -50,7 +50,7 @@ func (d Quantity) ConvertToNative(typeDesc reflect.Type) (interface{}, error) {
 func (d Quantity) ConvertToType(typeVal ref.Type) ref.Val {
 switch typeVal {
- case typeValue:
+ case quantityTypeValue:
 return d
 case types.TypeType:
 return quantityTypeValue
diff --git a/third_party/k8s.io/apiserver/pkg/cel/types.go b/third_party/k8s.io/apiserver/pkg/cel/types.go
index bd14e16..83c90c8 100644
--- a/third_party/k8s.io/apiserver/pkg/cel/types.go
+++ b/third_party/k8s.io/apiserver/pkg/cel/types.go
@@ -27,7 +27,7 @@ import (
 "github.com/google/cel-go/common/types/traits"
 exprpb "google.golang.org/genproto/googleapis/api/expr/v1alpha1"
- "google.golang.org/protobuf/proto"
+ "k8s.io/apimachinery/pkg/api/resource"
 )
 const (
@@ -348,9 +348,14 @@ func NewDeclTypeProvider(rootTypes ...*DeclType) *DeclTypeProvider {
 // DeclTypeProvider extends the CEL ref.TypeProvider interface and provides an Open API Schema-based
 // type-system.
 type DeclTypeProvider struct {
- registeredTypes map[string]*DeclType
- typeProvider ref.TypeProvider
- typeAdapter ref.TypeAdapter
+ registeredTypes map[string]*DeclType
+ typeProvider types.Provider
+ typeAdapter types.Adapter
+ recognizeKeywordAsFieldName bool
+}
+
+func (rt *DeclTypeProvider) SetRecognizeKeywordAsFieldName(recognize bool) {
+ rt.recognizeKeywordAsFieldName = recognize
 }
 func (rt *DeclTypeProvider) EnumValue(enumName string) ref.Val {
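Review bot: `SetRecognizeKeywordAsFieldName` is a new exported method with no doc comment, and its semantics are easy to get wrong: the flag is copied into the value returned by `WithTypeProvider` (next hunks), so calling the setter on the original provider afterwards does not affect providers already derived from it, and the flag's actual effect only appears in `FindStructFieldType`, where a reserved keyword such as `namespace` is looked up under its escaped form `__namespace__`. Document both points: `// SetRecognizeKeywordAsFieldName controls whether a field named after a CEL reserved keyword may be resolved via its escaped "__keyword__" form. Call it before WithTypeProvider; derived providers copy the flag at creation time.` The struct comment above still says the type "extends the CEL ref.TypeProvider interface" although the fields are now `types.Provider`/`types.Adapter`.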
@@ -365,7 +370,7 @@ func (rt *DeclTypeProvider) FindIdent(identName string) (ref.Val, bool) {
 // as well as a custom ref.TypeProvider.
 //
 // If the DeclTypeProvider value is nil, an empty []cel.EnvOption set is returned.
-func (rt *DeclTypeProvider) EnvOptions(tp ref.TypeProvider) ([]cel.EnvOption, error) {
+func (rt *DeclTypeProvider) EnvOptions(tp types.Provider) ([]cel.EnvOption, error) {
 if rt == nil {
 return []cel.EnvOption{}, nil
 }
@@ -381,54 +386,52 @@ func (rt *DeclTypeProvider) EnvOptions(tp ref.TypeProvider) ([]cel.EnvOption, er
 // WithTypeProvider returns a new DeclTypeProvider that sets the given TypeProvider
 // If the original DeclTypeProvider is nil, the returned DeclTypeProvider is still nil.
-func (rt *DeclTypeProvider) WithTypeProvider(tp ref.TypeProvider) (*DeclTypeProvider, error) {
+func (rt *DeclTypeProvider) WithTypeProvider(tp types.Provider) (*DeclTypeProvider, error) {
 if rt == nil {
 return nil, nil
 }
- var ta ref.TypeAdapter = types.DefaultTypeAdapter
- tpa, ok := tp.(ref.TypeAdapter)
+ var ta types.Adapter = types.DefaultTypeAdapter
+ tpa, ok := tp.(types.Adapter)
 if ok {
 ta = tpa
 }
 rtWithTypes := &DeclTypeProvider{
- typeProvider: tp,
- typeAdapter: ta,
- registeredTypes: rt.registeredTypes,
+ typeProvider: tp,
+ typeAdapter: ta,
+ registeredTypes: rt.registeredTypes,
+ recognizeKeywordAsFieldName: rt.recognizeKeywordAsFieldName,
 }
 for name, declType := range rt.registeredTypes {
- tpType, found := tp.FindType(name)
- expT, err := declType.ExprType()
- if err != nil {
- return nil, fmt.Errorf("fail to get cel type: %s", err)
- }
- if found && !proto.Equal(tpType, expT) {
+ tpType, found := tp.FindStructType(name)
+ // cast celType to types.type
+
+ expT := declType.CelType()
+ if found && !expT.IsExactType(tpType) {
 return nil, fmt.Errorf(
 "type %s definition differs between CEL environment and type provider", name)
 }
+
 }
 return rtWithTypes, nil
 }
-// FindType attempts to resolve the typeName provided from the rule's rule-schema, or if not
+// FindStructType attempts to resolve the typeName provided from the rule's rule-schema, or if not
 // from the embedded ref.TypeProvider.
 //
-// FindType overrides the default type-finding behavior of the embedded TypeProvider.
+// FindStructType overrides the default type-finding behavior of the embedded TypeProvider.
 //
 // Note, when the type name is based on the Open API Schema, the name will reflect the object path
 // where the type definition appears.
-func (rt *DeclTypeProvider) FindType(typeName string) (*exprpb.Type, bool) {
+func (rt *DeclTypeProvider) FindStructType(typeName string) (*types.Type, bool) {
 if rt == nil {
 return nil, false
 }
 declType, found := rt.findDeclType(typeName)
 if found {
- expT, err := declType.ExprType()
- if err != nil {
- return expT, false
- }
+ expT := declType.CelType()
 return expT, found
 }
- return rt.typeProvider.FindType(typeName)
+ return rt.typeProvider.FindStructType(typeName)
 }
 
 // FindDeclType returns the CPT type description which can be mapped to a CEL type.
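Review bot: The comment `// cast celType to types.type` added inside the `WithTypeProvider` loop describes nothing — the line after it is a plain `expT := declType.CelType()` with no cast — and it comes with an empty line in the loop body plus a second added blank line just before the loop's closing brace; drop the comment and both blanks. The comparison in the same loop moved from `proto.Equal` on `*exprpb.Type` to `expT.IsExactType(tpType)`, which is a different notion of type equality, so a one-line comment saying why exact-type identity is the right check here would help the next reader. The `FindStructType` doc comment still says "from the embedded ref.TypeProvider" although the field is now a `types.Provider`.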
@@ -439,37 +442,41 @@ func (rt *DeclTypeProvider) FindDeclType(typeName string) (*DeclType, bool) {
 return rt.findDeclType(typeName)
 }
-// FindFieldType returns a field type given a type name and field name, if found.
+// FindStructFieldNames returns the field names associated with the type, if the type
+// is found.
+func (rt *DeclTypeProvider) FindStructFieldNames(typeName string) ([]string, bool) {
+ return []string{}, false
+}
+
+// FindStructFieldType returns a field type given a type name and field name, if found.
 //
 // Note, the type name for an Open API Schema type is likely to be its qualified object path.
 // If, in the future an object instance rather than a type name were provided, the field
 // resolution might more accurately reflect the expected type model. However, in this case
 // concessions were made to align with the existing CEL interfaces.
-func (rt *DeclTypeProvider) FindFieldType(typeName, fieldName string) (*ref.FieldType, bool) {
+func (rt *DeclTypeProvider) FindStructFieldType(typeName, fieldName string) (*types.FieldType, bool) {
 st, found := rt.findDeclType(typeName)
 if !found {
- return rt.typeProvider.FindFieldType(typeName, fieldName)
+ return rt.typeProvider.FindStructFieldType(typeName, fieldName)
 }
 f, found := st.Fields[fieldName]
+ if rt.recognizeKeywordAsFieldName && !found && celReservedSymbols.Has(fieldName) {
+ f, found = st.Fields["__"+fieldName+"__"]
+ }
+
 if found {
 ft := f.Type
- expT, err := ft.ExprType()
- if err != nil {
- return nil, false
- }
- return &ref.FieldType{
+ expT := ft.CelType()
+ return &types.FieldType{
 Type: expT,
 }, true
 }
 // This could be a dynamic map.
 if st.IsMap() {
 et := st.ElemType
- expT, err := et.ExprType()
- if err != nil {
- return nil, false
- }
- return &ref.FieldType{
+ expT := et.CelType()
+ return &types.FieldType{
 Type: expT,
 }, true
 }
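Review bot: `FindStructFieldNames` unconditionally returns `[]string{}, false`, yet its doc comment promises "the field names associated with the type, if the type is found", and unlike its sibling `FindStructFieldType` it neither consults `rt.findDeclType` nor falls back to `rt.typeProvider`, so any cel-go feature that enumerates struct fields through `types.Provider` will treat every schema-derived type as unknown. Either document it as an intentional stub — `// FindStructFieldNames is not implemented for schema-derived types and always reports the type as not found.` — or implement it as below, delegating to the embedded provider for non-schema types the way the other lookups do (assuming the embedded `types.Provider` exposes `FindStructFieldNames`, as cel-go's interface does). `st.Fields` is a map, so sort the names (needs `sort`) if callers require a stable order.
```go
func (rt *DeclTypeProvider) FindStructFieldNames(typeName string) ([]string, bool) {
	st, found := rt.findDeclType(typeName)
	if !found {
		return rt.typeProvider.FindStructFieldNames(typeName)
	}
	names := make([]string, 0, len(st.Fields))
	for name := range st.Fields {
		names = append(names, name)
	}
	return names, true
}
```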
@@ -576,6 +583,10 @@ var ( // labeled as Timestamp will necessarily have the same MinSerializedSize. TimestampType = NewSimpleTypeWithMinSize("timestamp", cel.TimestampType, types.Timestamp{Time: time.Time{}}, JSONDateSize) + // QuantityDeclType wraps a [QuantityType] and makes it usable with functions that expect + // a [DeclType]. + QuantityDeclType = NewSimpleTypeWithMinSize("quantity", QuantityType, Quantity{Quantity: resource.NewQuantity(0, resource.DecimalSI)}, 8) + // UintType is equivalent to the CEL 'uint' type. UintType = NewSimpleTypeWithMinSize("uint", cel.UintType, types.Uint(0), 1)