Merge pull request #655 from viccuad/deterministic-inventory

fix: Make Rego inventories ordered and deterministic
kubewarden · Nov 23, 2023 · cafb94c · cafb94c
2 parents 8a91a5f + 4269e27
commit cafb94c
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 37 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -22,7 +22,7 @@ lazy_static = "1.4.0"
 pulldown-cmark-mdcat = { version = "2.1.0", default-features = false, features = [
   "regex-fancy",
 ] }
-policy-evaluator = { git = "https://github.com/kubewarden/policy-evaluator", tag = "v0.12.1" }
+policy-evaluator = { git = "https://github.com/kubewarden/policy-evaluator", tag = "v0.12.2" }
 prettytable-rs = "^0.10"
 pulldown-cmark = { version = "0.9.3", default-features = false }
 regex = "1"

diff --git a/src/run.rs b/src/run.rs
@@ -9,8 +9,8 @@ use policy_evaluator::{
     policy_fetcher::{sources::Sources, verify::FulcioAndRekorData, PullDestination},
     policy_metadata::{ContextAwareResource, Metadata, PolicyType},
 };
+use std::collections::BTreeSet;
 use std::{
-    collections::HashSet,
     net::{Ipv4Addr, Ipv6Addr},
     path::Path,
 };
@@ -299,15 +299,15 @@ fn has_raw_policy_type(metadata: Option<&Metadata>) -> bool {
 fn compute_context_aware_resources(
     metadata: Option<&Metadata>,
     cfg: &PullAndRunSettings,
-) -> HashSet<ContextAwareResource> {
+) -> BTreeSet<ContextAwareResource> {
     match metadata {
         None => {
             info!("Policy is not annotated, access to Kubernetes resources is not allowed");
-            HashSet::new()
+            BTreeSet::new()
         }
         Some(metadata) => {
             if metadata.context_aware_resources.is_empty() {
-                return HashSet::new();
+                return BTreeSet::new();
             }
 
             if cfg.allow_context_aware_resources {
@@ -317,7 +317,7 @@ fn compute_context_aware_resources(
                 warn!("Policy requires access to Kubernetes resources at evaluation time. During this execution the access to Kubernetes resources is denied. This can cause the policy to not behave properly");
                 warn!("Carefully review which types of Kubernetes resources the policy needs via the `inspect` command, then run the policy using the `--allow-context-aware` flag.");
 
-                HashSet::new()
+                BTreeSet::new()
             }
         }
     }
@@ -585,7 +585,8 @@ mod tests {
 
     #[test]
     fn prevent_access_to_kubernetes_resources_when_allow_context_aware_resources_is_disabled() {
-        let mut context_aware_resources = HashSet::new();
+        let mut context_aware_resources = BTreeSet::new();
+
         context_aware_resources.insert(ContextAwareResource {
             api_version: "v1".to_string(),
             kind: "Pod".to_string(),
@@ -607,7 +608,7 @@ mod tests {
 
     #[test]
     fn allow_access_to_kubernetes_resources_when_allow_context_aware_resources_is_enabled() {
-        let mut context_aware_resources = HashSet::new();
+        let mut context_aware_resources = BTreeSet::new();
         context_aware_resources.insert(ContextAwareResource {
             api_version: "v1".to_string(),
             kind: "Pod".to_string(),

diff --git a/src/scaffold.rs b/src/scaffold.rs
@@ -2,7 +2,7 @@ use anyhow::{anyhow, Result};
 use k8s_openapi::apimachinery::pkg::apis::meta::v1::ObjectMeta;
 use policy_evaluator::validator::Validate;
 use serde::{Deserialize, Serialize};
-use std::collections::{BTreeMap, HashMap, HashSet};
+use std::collections::{BTreeMap, BTreeSet, HashMap};
 use std::convert::TryFrom;
 use std::fs::{self, File};
 use std::path::PathBuf;
@@ -58,14 +58,14 @@ struct ClusterAdmissionPolicySpec {
     #[serde(skip_serializing_if = "is_true")]
     background_audit: bool,
     #[serde(skip_serializing_if = "is_empty")]
-    context_aware_resources: HashSet<ContextAwareResource>,
+    context_aware_resources: BTreeSet<ContextAwareResource>,
 }
 
 fn is_true(b: &bool) -> bool {
     *b
 }
 
-fn is_empty(h: &HashSet<ContextAwareResource>) -> bool {
+fn is_empty(h: &BTreeSet<ContextAwareResource>) -> bool {
     h.is_empty()
 }
 
@@ -196,7 +196,7 @@ fn generate_yaml_resource(
                     warn!("Carefully review which types of Kubernetes resources the policy needs via the `inspect` command an populate the `contextAwareResources` accordingly.");
                     warn!("Otherwise, invoke the `scaffold` command using the `--allow-context-aware` flag.");
 
-                    scaffold_data.metadata.context_aware_resources = HashSet::new();
+                    scaffold_data.metadata.context_aware_resources = BTreeSet::new();
                 }
             }
 
@@ -331,7 +331,6 @@ pub(crate) fn artifacthub(
 #[cfg(test)]
 mod tests {
     use super::*;
-    use std::collections::HashSet;
 
     fn mock_metadata_with_no_annotations() -> Metadata {
         Metadata {
@@ -340,7 +339,7 @@ mod tests {
             annotations: None,
             mutating: false,
             background_audit: true,
-            context_aware_resources: HashSet::new(),
+            context_aware_resources: BTreeSet::new(),
             execution_mode: Default::default(),
             policy_type: Default::default(),
             minimum_kubewarden_version: None,
@@ -357,7 +356,7 @@ mod tests {
             )])),
             mutating: false,
             background_audit: true,
-            context_aware_resources: HashSet::new(),
+            context_aware_resources: BTreeSet::new(),
             execution_mode: Default::default(),
             policy_type: Default::default(),
             minimum_kubewarden_version: None,
@@ -384,7 +383,7 @@ mod tests {
             ])),
             mutating: false,
             background_audit: true,
-            context_aware_resources: HashSet::new(),
+            context_aware_resources: BTreeSet::new(),
             execution_mode: Default::default(),
             policy_type: Default::default(),
             minimum_kubewarden_version: None,
@@ -529,7 +528,7 @@ mod tests {
 
     #[test]
     fn scaffold_cluster_admission_policy_with_context_aware_enabled() {
-        let mut context_aware_resources: HashSet<ContextAwareResource> = HashSet::new();
+        let mut context_aware_resources: BTreeSet<ContextAwareResource> = BTreeSet::new();
         context_aware_resources.insert(ContextAwareResource {
             api_version: "v1".to_string(),
             kind: "Pod".to_string(),
@@ -559,7 +558,7 @@ mod tests {
 
     #[test]
     fn scaffold_cluster_admission_policy_with_context_aware_disabled() {
-        let mut context_aware_resources: HashSet<ContextAwareResource> = HashSet::new();
+        let mut context_aware_resources: BTreeSet<ContextAwareResource> = BTreeSet::new();
         context_aware_resources.insert(ContextAwareResource {
             api_version: "v1".to_string(),
             kind: "Pod".to_string(),