chore: add unit tests

pkg/apis/v1alpha1/variable.go

@@ -1,9 +1,22 @@
 package v1alpha1
 
+import (
+	"github.com/jinzhu/copier"
+)
+
 // Variable defines an arbitrary JMESPath context variable that can be defined inline.
+// +k8s:deepcopy-gen=false
 type Variable struct {
 	// Value is any arbitrary object.
 	// +kubebuilder:pruning:PreserveUnknownFields
 	// +kubebuilder:validation:Schemaless
-	Value Any `json:"value,omitempty"`
+	Value interface{} `json:"value,omitempty"`
+}
+
+func (in *Variable) DeepCopy() *Variable {
+	out := &Variable{}
+	if err := copier.Copy(out, in); err != nil {
+		panic("deep copy failed")
+	}
+	return out
 }

pkg/commands/root_test.go

@@ -1,96 +1,93 @@
 package commands
 
-// func Test_TfPlan(t *testing.T) {
-// 	cmd := NewRootCommand()
-// 	assert.NotNil(t, cmd)
-// 	cmd.SetArgs([]string{
-// 		"--payload",
-// 		"../../testdata/tf-plan/tf.plan.json",
-// 		"--pre-process",
-// 		"planned_values.root_module.resources",
-// 		"--policy",
-// 		"../../testdata/tf-plan/policy.yaml",
-// 	})
-// 	err := cmd.Execute()
-// 	assert.NoError(t, err)
-// }
+import (
+	"bytes"
+	"io"
+	"os"
+	"testing"
 
-// func Test_PayloadYaml(t *testing.T) {
-// 	cmd := NewRootCommand()
-// 	assert.NotNil(t, cmd)
-// 	cmd.SetArgs([]string{
-// 		"--payload",
-// 		"../../testdata/payload-yaml/payload.yaml",
-// 		"--pre-process",
-// 		"planned_values.root_module.resources",
-// 		"--policy",
-// 		"../../testdata/payload-yaml/policy.yaml",
-// 	})
-// 	err := cmd.Execute()
-// 	assert.NoError(t, err)
-// }
+	"github.com/stretchr/testify/assert"
+)
 
-// func Test_FooBar(t *testing.T) {
-// 	cmd := NewRootCommand()
-// 	assert.NotNil(t, cmd)
-// 	cmd.SetArgs([]string{
-// 		"--payload",
-// 		"../../testdata/foo-bar/payload.yaml",
-// 		"--policy",
-// 		"../../testdata/foo-bar/policy.yaml",
-// 	})
-// 	err := cmd.Execute()
-// 	assert.NoError(t, err)
-// }
-
-// func Test_Scripted(t *testing.T) {
-// 	cmd := NewRootCommand()
-// 	assert.NotNil(t, cmd)
-// 	cmd.SetArgs([]string{
-// 		"--payload",
-// 		"../../testdata/scripted/payload.yaml",
-// 		"--policy",
-// 		"../../testdata/scripted/policy.yaml",
-// 	})
-// 	err := cmd.Execute()
-// 	assert.NoError(t, err)
-// }
-
-// func Test_PodNoLatest(t *testing.T) {
-// 	cmd := NewRootCommand()
-// 	assert.NotNil(t, cmd)
-// 	cmd.SetArgs([]string{
-// 		"--payload",
-// 		"../../testdata/pod-no-latest/payload.yaml",
-// 		"--policy",
-// 		"../../testdata/pod-no-latest/policy.yaml",
-// 	})
-// 	err := cmd.Execute()
-// 	assert.NoError(t, err)
-// }
-
-// func Test_PodAllLatest(t *testing.T) {
-// 	cmd := NewRootCommand()
-// 	assert.NotNil(t, cmd)
-// 	cmd.SetArgs([]string{
-// 		"--payload",
-// 		"../../testdata/pod-all-latest/payload.yaml",
-// 		"--policy",
-// 		"../../testdata/pod-all-latest/policy.yaml",
-// 	})
-// 	err := cmd.Execute()
-// 	assert.NoError(t, err)
-// }
-
-// func Test_Jim(t *testing.T) {
-// 	cmd := NewRootCommand()
-// 	assert.NotNil(t, cmd)
-// 	cmd.SetArgs([]string{
-// 		"--payload",
-// 		"../../testdata/jim/payload.json",
-// 		"--policy",
-// 		"../../testdata/jim/policy.yaml",
-// 	})
-// 	err := cmd.Execute()
-// 	assert.NoError(t, err)
-// }
+func Test_Execute(t *testing.T) {
+	tests := []struct {
+		name          string
+		payload       string
+		preprocessors []string
+		policies      []string
+		wantErr       bool
+		out           string
+	}{{
+		name:     "foo-bar",
+		payload:  "../../testdata/foo-bar/payload.yaml",
+		policies: []string{"../../testdata/foo-bar/policy.yaml"},
+		out:      "../../testdata/foo-bar/out.txt",
+		wantErr:  false,
+	}, {
+		name:     "jim",
+		payload:  "../../testdata/jim/payload.json",
+		policies: []string{"../../testdata/jim/policy.yaml"},
+		out:      "../../testdata/jim/out.txt",
+		wantErr:  false,
+	}, {
+		name:     "pod-no-latest",
+		payload:  "../../testdata/pod-no-latest/payload.yaml",
+		policies: []string{"../../testdata/pod-no-latest/policy.yaml"},
+		out:      "../../testdata/pod-no-latest/out.txt",
+		wantErr:  false,
+	}, {
+		name:     "pod-all-latest",
+		payload:  "../../testdata/pod-all-latest/payload.yaml",
+		policies: []string{"../../testdata/pod-all-latest/policy.yaml"},
+		out:      "../../testdata/pod-all-latest/out.txt",
+		wantErr:  false,
+	}, {
+		name:     "scripted",
+		payload:  "../../testdata/scripted/payload.yaml",
+		policies: []string{"../../testdata/scripted/policy.yaml"},
+		out:      "../../testdata/scripted/out.txt",
+		wantErr:  false,
+	}, {
+		name:          "payload-yaml",
+		payload:       "../../testdata/payload-yaml/payload.yaml",
+		preprocessors: []string{"planned_values.root_module.resources"},
+		policies:      []string{"../../testdata/payload-yaml/policy.yaml"},
+		out:           "../../testdata/payload-yaml/out.txt",
+		wantErr:       false,
+	}, {
+		name:          "tf-plan",
+		payload:       "../../testdata/tf-plan/tf.plan.json",
+		preprocessors: []string{"planned_values.root_module.resources"},
+		policies:      []string{"../../testdata/tf-plan/policy.yaml"},
+		out:           "../../testdata/tf-plan/out.txt",
+		wantErr:       false,
+	}}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := NewRootCommand()
+			assert.NotNil(t, cmd)
+			var args []string
+			args = append(args, "--payload", tt.payload)
+			for _, preprocessor := range tt.preprocessors {
+				args = append(args, "--pre-process", preprocessor)
+			}
+			for _, policy := range tt.policies {
+				args = append(args, "--policy", policy)
+			}
+			args = append(args, "--payload", tt.payload)
+			cmd.SetArgs(args)
+			b := bytes.NewBufferString("")
+			cmd.SetOut(b)
+			if err := cmd.Execute(); (err != nil) != tt.wantErr {
+				t.Errorf("command.Run() error = %v, wantErr %v", err, tt.wantErr)
+			}
+			actual, err := io.ReadAll(b)
+			assert.NoError(t, err)
+			if tt.out != "" {
+				expected, err := os.ReadFile(tt.out)
+				assert.NoError(t, err)
+				assert.Equal(t, string(expected), string(actual))
+			}
+		})
+	}
+}

pkg/engine/assert/expression.go

@@ -55,9 +55,9 @@ func parseExpression(value interface{}) *expression {
 		statement = strings.TrimPrefix(statement, expressionPrefix)
 		statement = strings.TrimSuffix(statement, expressionSuffix)
 		engine = "jp"
-	} else if binding == "" {
+	} /* else if binding == "" {
 		binding = strings.TrimSpace(statement)
-	}
+	}*/
 	return &expression{
 		foreach:   foreach,
 		statement: strings.TrimSpace(statement),

pkg/utils/file/ext_test.go

@@ -1,6 +1,8 @@
 package file
 
-import "testing"
+import (
+	"testing"
+)
 
 func TestIsYaml(t *testing.T) {
 	tests := []struct {

testdata/foo-bar/out.txt

@@ -0,0 +1,6 @@
+Loading policies ...
+Loading payload ...
+Pre processing ...
+Running ( evaluating 1 resource against 1 policy ) ...
+- test / foo-bar-4 /  ERROR: all[0].foo: Internal error: failed to find the map index `foo`
+Done

testdata/foo-bar/policy.yaml

@@ -6,6 +6,7 @@ spec:
   rules:
     - name: foo-bar-4
       validate:
-        pattern:
-          foo:
-            bar: 4
+        assert:
+          all:
+          - foo:
+              bar: 4

testdata/jim/out.txt

@@ -0,0 +1,6 @@
+Loading policies ...
+Loading payload ...
+Pre processing ...
+Running ( evaluating 1 resource against 1 policy ) ...
+- required-s3-tags / require-team-tag /  FAILED: any[0].resource.tags.(wildcard('?*', Team)): Invalid value: true: Expected value: false
+Done

testdata/payload-yaml/out.txt

@@ -0,0 +1,6 @@
+Loading policies ...
+Loading payload ...
+Pre processing ...
+Running ( evaluating 1 resource against 1 policy ) ...
+- required-s3-tags / require-team-tag / aws_s3_bucket.example FAILED: Bucket `example` (aws_s3_bucket.example) does not have the required tags {"Team":"Kyverno"}
+Done

testdata/payload-yaml/payload.yaml

@@ -15,11 +15,9 @@ planned_values:
         tags:
           Environment: Dev
           Name: My bucket
-          Team: Kyverno
         tags_all:
           Environment: Dev
           Name: My bucket
-          Team: Kyverno
         timeouts:
       sensitive_values:
         cors_rule: []

testdata/payload-yaml/policy.yaml

@@ -16,6 +16,8 @@ spec:
             Team: Kyverno
       validate:
         message: Bucket `{{ resource.name }}` ({{ resource.address }}) does not have the required tags {{ to_string($tags) }}
-        pattern:
-          values:
-            tags: '{{ $tags }}'
+        assert:
+          all:
+          - resource:
+              values:
+                tags: ($tags)

testdata/pod-all-latest/out.txt

@@ -0,0 +1,6 @@
+Loading policies ...
+Loading payload ...
+Pre processing ...
+Running ( evaluating 1 resource against 1 policy ) ...
+- test / pod-no-latest /  PASSED
+Done

testdata/pod-all-latest/policy.yaml

@@ -18,9 +18,11 @@ spec:
             apiVersion: v1
             kind: Pod
       validate:
-        pattern:
-          ~(spec.containers[*].image):
-            # an image tag is required
-            (contains(@, ':')): true
-            # using a mutable image tag e.g. 'latest' is not allowed
-            (ends_with(@, $tag)): true
+        assert:
+          all:
+          - resource:
+              ~(spec.containers[*].image):
+                # an image tag is required
+                (contains(@, ':')): true
+                # using a mutable image tag e.g. 'latest' is not allowed
+                (ends_with(@, $tag)): true

testdata/pod-no-latest/out.txt

@@ -0,0 +1,6 @@
+Loading policies ...
+Loading payload ...
+Pre processing ...
+Running ( evaluating 1 resource against 1 policy ) ...
+- test / pod-no-latest /  FAILED: [all[0].resource.spec.~foo.containers@foos[0].(at($foos, $foo).image)@foo.(ends_with($foo, $tag)): Invalid value: true: Expected value: false, all[0].resource.spec.~foo.containers@foos[1].(at($foos, $foo).image)@foo.(ends_with($foo, $tag)): Invalid value: true: Expected value: false, all[0].resource.spec.~foo.containers@foos[2].(at($foos, $foo).image)@foo.(ends_with($foo, $tag)): Invalid value: true: Expected value: false, all[1].resource.spec.~.containers@foo[0].image.(ends_with(@, ':latest')): Invalid value: true: Expected value: false, all[1].resource.spec.~.containers@foo[1].image.(ends_with(@, ':latest')): Invalid value: true: Expected value: false, all[1].resource.spec.~.containers@foo[2].image.(ends_with(@, ':latest')): Invalid value: true: Expected value: false, all[2].resource.~index.(spec.containers[*].image)@images[0].(ends_with(@, ':latest')): Invalid value: true: Expected value: false, all[2].resource.~index.(spec.containers[*].image)@images[1].(ends_with(@, ':latest')): Invalid value: true: Expected value: false, all[2].resource.~index.(spec.containers[*].image)@images[2].(ends_with(@, ':latest')): Invalid value: true: Expected value: false]
+Done

testdata/pod-no-latest/policy.yaml

@@ -15,22 +15,27 @@ spec:
             apiVersion: v1
             kind: Pod
       validate:
-        pattern:
-          spec:
-            ~foo.containers@foos:
-              (at($foos, $foo).image)@foo:
-                # an image tag is required
-                (contains($foo, ':')): true
-                # using a mutable image tag e.g. 'latest' is not allowed
-                (ends_with($foo, $tag)): false
-            ~.containers@foo:
-              image:
+        assert:
+          all:
+          - resource:
+              spec:
+                ~foo.containers@foos:
+                  (at($foos, $foo).image)@foo:
+                    # an image tag is required
+                    (contains($foo, ':')): true
+                    # using a mutable image tag e.g. 'latest' is not allowed
+                    (ends_with($foo, $tag)): false
+          - resource:
+              spec:
+                ~.containers@foo:
+                  image:
+                    # an image tag is required
+                    (contains(@, ':')): true
+                    # using a mutable image tag e.g. 'latest' is not allowed
+                    (ends_with(@, ':latest')): false
+          - resource:
+              ~index.(spec.containers[*].image)@images:
                 # an image tag is required
                 (contains(@, ':')): true
                 # using a mutable image tag e.g. 'latest' is not allowed
                 (ends_with(@, ':latest')): false
-          ~index.(spec.containers[*].image)@images:
-            # an image tag is required
-            (contains(@, ':')): true
-            # using a mutable image tag e.g. 'latest' is not allowed
-            (ends_with(@, ':latest')): false