chore: add match conditions errors chainsaw test

Signed-off-by: Charles-Edouard Brétéché <[email protected]>

pkg/policy/compiler.go

@@ -12,6 +12,7 @@ import (
 	engine "github.com/kyverno/kyverno-envoy-plugin/pkg/authz/cel"
 	envoy "github.com/kyverno/kyverno-envoy-plugin/pkg/authz/cel/libs/envoy"
 	"github.com/kyverno/kyverno-envoy-plugin/pkg/authz/cel/utils"
+	"go.uber.org/multierr"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/apiserver/pkg/cel/lazy"
@@ -49,25 +50,28 @@ func (p compiledPolicy) For(r *authv3.CheckRequest) (AllowFunc, DenyFunc) {
 		data := map[string]any{
 			ObjectKey: r,
 		}
+		var errs []error
 		for _, matchCondition := range p.matchConditions {
 			// evaluate the condition
 			out, _, err := matchCondition.Eval(data)
 			// check error
 			if err != nil {
-				return false, err
+				errs = append(errs, err)
+				continue
 			}
 			// try to convert to a bool
 			result, err := utils.ConvertToNative[bool](out)
 			// check error
 			if err != nil {
-				return false, err
+				errs = append(errs, err)
+				continue
 			}
 			// if condition is false, skip
 			if !result {
 				return false, nil
 			}
 		}
-		return true, nil
+		return true, multierr.Combine(errs...)
 	})
 	variables := sync.OnceValue(func() map[string]any {
 		vars := lazy.NewMapValue(engine.VariablesType)

tests/e2e/authz-server/match-conditions/failure-policy-fail/error-with-false/chainsaw-test.yaml

@@ -0,0 +1,30 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: error-with-false
+spec:
+  namespace: app
+  steps: 
+  - try:
+    - create:
+        file: ./istio-policy.yaml
+    - create:
+        file: ./policy.yaml
+    - create:
+        file: ./shell.yaml
+    - wait:
+        apiVersion: v1
+        kind: Pod
+        timeout: 1m
+        for:
+          condition:
+            name: Ready
+            value: 'true'
+    - script:
+        content: >
+          kubectl exec -n $NAMESPACE deploy/curl -- curl -s -w "\nhttp_code=%{http_code}" httpbin:8000/get
+        check:
+          (wildcard('*http_code=200', $stdout)): true
+    finally:
+    - sleep:
+        duration: 10s

tests/e2e/authz-server/match-conditions/failure-policy-fail/error-with-false/istio-policy.yaml

@@ -0,0 +1,14 @@
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: policy
+  namespace: istio-system
+spec:
+  selector:
+    matchLabels:
+      ext-authz: enabled
+  action: CUSTOM
+  provider:
+    name: kyverno-authz-server
+  rules:
+  - {}

tests/e2e/authz-server/match-conditions/failure-policy-fail/error-with-false/policy.yaml

@@ -0,0 +1,18 @@
+# yaml-language-server: $schema=../../../../../../.schemas/json/authorizationpolicy-envoy-v1alpha1.json
+apiVersion: envoy.kyverno.io/v1alpha1
+kind: AuthorizationPolicy
+metadata:
+  name: policy
+spec:
+  failurePolicy: Fail
+  matchConditions:
+  - name: error
+    expression: '(2 / 0) == 1'
+  - name: 'false'
+    expression: 'false'
+  deny:
+  - response: >
+      envoy
+        .Denied(403)
+        .WithBody("Unauthorized Request")
+        .Response()

tests/e2e/authz-server/match-conditions/failure-policy-fail/error-with-false/shell.yaml

@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: curl
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: curl
+  labels:
+    app: curl
+    service: curl
+spec:
+  ports:
+  - port: 80
+    name: http
+  selector:
+    app: curl
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: curl
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: curl
+  template:
+    metadata:
+      labels:
+        app: curl
+    spec:
+      terminationGracePeriodSeconds: 0
+      serviceAccountName: curl
+      containers:
+      - name: curl
+        image: curlimages/curl
+        command: ["/bin/sleep", "infinity"]
+        imagePullPolicy: IfNotPresent
+        volumeMounts:
+        - mountPath: /etc/curl/tls
+          name: secret-volume
+      volumes:
+      - name: secret-volume
+        secret:
+          secretName: curl-secret
+          optional: true

tests/e2e/authz-server/match-conditions/failure-policy-fail/error-with-true/chainsaw-test.yaml

@@ -0,0 +1,30 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: error-with-true
+spec:
+  namespace: app
+  steps: 
+  - try:
+    - create:
+        file: ./istio-policy.yaml
+    - create:
+        file: ./policy.yaml
+    - create:
+        file: ./shell.yaml
+    - wait:
+        apiVersion: v1
+        kind: Pod
+        timeout: 1m
+        for:
+          condition:
+            name: Ready
+            value: 'true'
+    - script:
+        content: >
+          kubectl exec -n $NAMESPACE deploy/curl -- curl -s -w "\nhttp_code=%{http_code}" httpbin:8000/get
+        check:
+          (wildcard('*http_code=403', $stdout)): true
+    finally:
+    - sleep:
+        duration: 10s

tests/e2e/authz-server/match-conditions/failure-policy-fail/error-with-true/istio-policy.yaml

@@ -0,0 +1,14 @@
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: policy
+  namespace: istio-system
+spec:
+  selector:
+    matchLabels:
+      ext-authz: enabled
+  action: CUSTOM
+  provider:
+    name: kyverno-authz-server
+  rules:
+  - {}

tests/e2e/authz-server/match-conditions/failure-policy-fail/error-with-true/policy.yaml

@@ -0,0 +1,18 @@
+# yaml-language-server: $schema=../../../../../../.schemas/json/authorizationpolicy-envoy-v1alpha1.json
+apiVersion: envoy.kyverno.io/v1alpha1
+kind: AuthorizationPolicy
+metadata:
+  name: policy
+spec:
+  failurePolicy: Fail
+  matchConditions:
+  - name: error
+    expression: '(2 / 0) == 1'
+  - name: 'true'
+    expression: 'true'
+  deny:
+  - response: >
+      envoy
+        .Denied(403)
+        .WithBody("Unauthorized Request")
+        .Response()

tests/e2e/authz-server/match-conditions/failure-policy-fail/error-with-true/shell.yaml

@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: curl
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: curl
+  labels:
+    app: curl
+    service: curl
+spec:
+  ports:
+  - port: 80
+    name: http
+  selector:
+    app: curl
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: curl
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: curl
+  template:
+    metadata:
+      labels:
+        app: curl
+    spec:
+      terminationGracePeriodSeconds: 0
+      serviceAccountName: curl
+      containers:
+      - name: curl
+        image: curlimages/curl
+        command: ["/bin/sleep", "infinity"]
+        imagePullPolicy: IfNotPresent
+        volumeMounts:
+        - mountPath: /etc/curl/tls
+          name: secret-volume
+      volumes:
+      - name: secret-volume
+        secret:
+          secretName: curl-secret
+          optional: true

tests/e2e/authz-server/match-conditions/failure-policy-ignore/error-with-false/chainsaw-test.yaml

@@ -0,0 +1,30 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: error-with-false
+spec:
+  namespace: app
+  steps: 
+  - try:
+    - create:
+        file: ./istio-policy.yaml
+    - create:
+        file: ./policy.yaml
+    - create:
+        file: ./shell.yaml
+    - wait:
+        apiVersion: v1
+        kind: Pod
+        timeout: 1m
+        for:
+          condition:
+            name: Ready
+            value: 'true'
+    - script:
+        content: >
+          kubectl exec -n $NAMESPACE deploy/curl -- curl -s -w "\nhttp_code=%{http_code}" httpbin:8000/get
+        check:
+          (wildcard('*http_code=200', $stdout)): true
+    finally:
+    - sleep:
+        duration: 10s

tests/e2e/authz-server/match-conditions/failure-policy-ignore/error-with-false/istio-policy.yaml

@@ -0,0 +1,14 @@
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: policy
+  namespace: istio-system
+spec:
+  selector:
+    matchLabels:
+      ext-authz: enabled
+  action: CUSTOM
+  provider:
+    name: kyverno-authz-server
+  rules:
+  - {}

tests/e2e/authz-server/match-conditions/failure-policy-ignore/error-with-false/policy.yaml

@@ -0,0 +1,18 @@
+# yaml-language-server: $schema=../../../../../../.schemas/json/authorizationpolicy-envoy-v1alpha1.json
+apiVersion: envoy.kyverno.io/v1alpha1
+kind: AuthorizationPolicy
+metadata:
+  name: policy
+spec:
+  failurePolicy: Ignore
+  matchConditions:
+  - name: error
+    expression: '(2 / 0) == 1'
+  - name: 'false'
+    expression: 'false'
+  deny:
+  - response: >
+      envoy
+        .Denied(403)
+        .WithBody("Unauthorized Request")
+        .Response()

tests/e2e/authz-server/match-conditions/failure-policy-ignore/error-with-false/shell.yaml

@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: curl
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: curl
+  labels:
+    app: curl
+    service: curl
+spec:
+  ports:
+  - port: 80
+    name: http
+  selector:
+    app: curl
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: curl
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: curl
+  template:
+    metadata:
+      labels:
+        app: curl
+    spec:
+      terminationGracePeriodSeconds: 0
+      serviceAccountName: curl
+      containers:
+      - name: curl
+        image: curlimages/curl
+        command: ["/bin/sleep", "infinity"]
+        imagePullPolicy: IfNotPresent
+        volumeMounts:
+        - mountPath: /etc/curl/tls
+          name: secret-volume
+      volumes:
+      - name: secret-volume
+        secret:
+          secretName: curl-secret
+          optional: true