Disallow empty AuthPolicies (#1034)

guicassolato · web-flow · commit 877a74293993 · 2024-11-27T12:28:12.000+01:00
Signed-off-by: Guilherme Cassolato &lt;guicassolato@gmail.com&gt;
diff --git a/api/v1/authpolicy_types.go b/api/v1/authpolicy_types.go
@@ -292,6 +292,9 @@ func (p *AuthPolicy) Kind() string {
 // +kubebuilder:validation:XValidation:rule="!(has(self.defaults) && (has(self.patterns) || has(self.when) || has(self.rules)))",message="Implicit and explicit defaults are mutually exclusive"
 // +kubebuilder:validation:XValidation:rule="!(has(self.overrides) && (has(self.patterns) || has(self.when) || has(self.rules)))",message="Implicit defaults and explicit overrides are mutually exclusive"
 // +kubebuilder:validation:XValidation:rule="!(has(self.overrides) && has(self.defaults))",message="Explicit overrides and explicit defaults are mutually exclusive"
+// +kubebuilder:validation:XValidation:rule="!(has(self.overrides) || has(self.defaults)) ? has(self.rules) && ((has(self.rules.authentication) && size(self.rules.authentication) > 0) || (has(self.rules.metadata) && size(self.rules.metadata) > 0) || (has(self.rules.authorization) && size(self.rules.authorization) > 0) || (has(self.rules.response) && (has(self.rules.response.unauthenticated) || has(self.rules.response.unauthorized) || (has(self.rules.response.success) && (size(self.rules.response.success.headers) > 0 ||  size(self.rules.response.success.filters) > 0)))) || (has(self.rules.callbacks) && size(self.rules.callbacks) > 0)) : true",message="At least one spec.rules must be defined"
+// +kubebuilder:validation:XValidation:rule="has(self.defaults) ? has(self.defaults.rules) && ((has(self.defaults.rules.authentication) && size(self.defaults.rules.authentication) > 0) || (has(self.defaults.rules.metadata) && size(self.defaults.rules.metadata) > 0) || (has(self.defaults.rules.authorization) && size(self.defaults.rules.authorization) > 0) || (has(self.defaults.rules.response) && (has(self.defaults.rules.response.unauthenticated) || has(self.defaults.rules.response.unauthorized) || (has(self.defaults.rules.response.success) && (size(self.defaults.rules.response.success.headers) > 0 ||  size(self.defaults.rules.response.success.filters) > 0)))) || (has(self.defaults.rules.callbacks) && size(self.defaults.rules.callbacks) > 0)) : true",message="At least one spec.defaults.rules must be defined"
+// +kubebuilder:validation:XValidation:rule="has(self.overrides) ? has(self.overrides.rules) && ((has(self.overrides.rules.authentication) && size(self.overrides.rules.authentication) > 0) || (has(self.overrides.rules.metadata) && size(self.overrides.rules.metadata) > 0) || (has(self.overrides.rules.authorization) && size(self.overrides.rules.authorization) > 0) || (has(self.overrides.rules.response) && (has(self.overrides.rules.response.unauthenticated) || has(self.overrides.rules.response.unauthorized) || (has(self.overrides.rules.response.success) && (size(self.overrides.rules.response.success.headers) > 0 ||  size(self.overrides.rules.response.success.filters) > 0)))) || (has(self.overrides.rules.callbacks) && size(self.overrides.rules.callbacks) > 0)) : true",message="At least one spec.overrides.rules must be defined"
 type AuthPolicySpec struct {
 	// Reference to the object to which this policy applies.
 	// +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'",message="Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io'"
diff --git a/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml b/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml
@@ -109,7 +109,7 @@ metadata:
     capabilities: Basic Install
     categories: Integration & Delivery
     containerImage: quay.io/kuadrant/kuadrant-operator:latest
-    createdAt: "2024-11-25T09:30:08Z"
+    createdAt: "2024-11-26T15:09:44Z"
     description: A Kubernetes Operator to manage the lifecycle of the Kuadrant system
     operators.operatorframework.io/builder: operator-sdk-v1.32.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
diff --git a/bundle/manifests/kuadrant.io_authpolicies.yaml b/bundle/manifests/kuadrant.io_authpolicies.yaml
@@ -6888,6 +6888,36 @@ spec:
                 || has(self.rules)))'
             - message: Explicit overrides and explicit defaults are mutually exclusive
               rule: '!(has(self.overrides) && has(self.defaults))'
+            - message: At least one spec.rules must be defined
+              rule: '!(has(self.overrides) || has(self.defaults)) ? has(self.rules)
+                && ((has(self.rules.authentication) && size(self.rules.authentication)
+                > 0) || (has(self.rules.metadata) && size(self.rules.metadata) > 0)
+                || (has(self.rules.authorization) && size(self.rules.authorization)
+                > 0) || (has(self.rules.response) && (has(self.rules.response.unauthenticated)
+                || has(self.rules.response.unauthorized) || (has(self.rules.response.success)
+                && (size(self.rules.response.success.headers) > 0 ||  size(self.rules.response.success.filters)
+                > 0)))) || (has(self.rules.callbacks) && size(self.rules.callbacks)
+                > 0)) : true'
+            - message: At least one spec.defaults.rules must be defined
+              rule: 'has(self.defaults) ? has(self.defaults.rules) && ((has(self.defaults.rules.authentication)
+                && size(self.defaults.rules.authentication) > 0) || (has(self.defaults.rules.metadata)
+                && size(self.defaults.rules.metadata) > 0) || (has(self.defaults.rules.authorization)
+                && size(self.defaults.rules.authorization) > 0) || (has(self.defaults.rules.response)
+                && (has(self.defaults.rules.response.unauthenticated) || has(self.defaults.rules.response.unauthorized)
+                || (has(self.defaults.rules.response.success) && (size(self.defaults.rules.response.success.headers)
+                > 0 ||  size(self.defaults.rules.response.success.filters) > 0))))
+                || (has(self.defaults.rules.callbacks) && size(self.defaults.rules.callbacks)
+                > 0)) : true'
+            - message: At least one spec.overrides.rules must be defined
+              rule: 'has(self.overrides) ? has(self.overrides.rules) && ((has(self.overrides.rules.authentication)
+                && size(self.overrides.rules.authentication) > 0) || (has(self.overrides.rules.metadata)
+                && size(self.overrides.rules.metadata) > 0) || (has(self.overrides.rules.authorization)
+                && size(self.overrides.rules.authorization) > 0) || (has(self.overrides.rules.response)
+                && (has(self.overrides.rules.response.unauthenticated) || has(self.overrides.rules.response.unauthorized)
+                || (has(self.overrides.rules.response.success) && (size(self.overrides.rules.response.success.headers)
+                > 0 ||  size(self.overrides.rules.response.success.filters) > 0))))
+                || (has(self.overrides.rules.callbacks) && size(self.overrides.rules.callbacks)
+                > 0)) : true'
           status:
             properties:
               conditions:
diff --git a/charts/kuadrant-operator/templates/manifests.yaml b/charts/kuadrant-operator/templates/manifests.yaml
@@ -6888,6 +6888,36 @@ spec:
                 || has(self.rules)))'
             - message: Explicit overrides and explicit defaults are mutually exclusive
               rule: '!(has(self.overrides) && has(self.defaults))'
+            - message: At least one spec.rules must be defined
+              rule: '!(has(self.overrides) || has(self.defaults)) ? has(self.rules)
+                && ((has(self.rules.authentication) && size(self.rules.authentication)
+                > 0) || (has(self.rules.metadata) && size(self.rules.metadata) > 0)
+                || (has(self.rules.authorization) && size(self.rules.authorization)
+                > 0) || (has(self.rules.response) && (has(self.rules.response.unauthenticated)
+                || has(self.rules.response.unauthorized) || (has(self.rules.response.success)
+                && (size(self.rules.response.success.headers) > 0 ||  size(self.rules.response.success.filters)
+                > 0)))) || (has(self.rules.callbacks) && size(self.rules.callbacks)
+                > 0)) : true'
+            - message: At least one spec.defaults.rules must be defined
+              rule: 'has(self.defaults) ? has(self.defaults.rules) && ((has(self.defaults.rules.authentication)
+                && size(self.defaults.rules.authentication) > 0) || (has(self.defaults.rules.metadata)
+                && size(self.defaults.rules.metadata) > 0) || (has(self.defaults.rules.authorization)
+                && size(self.defaults.rules.authorization) > 0) || (has(self.defaults.rules.response)
+                && (has(self.defaults.rules.response.unauthenticated) || has(self.defaults.rules.response.unauthorized)
+                || (has(self.defaults.rules.response.success) && (size(self.defaults.rules.response.success.headers)
+                > 0 ||  size(self.defaults.rules.response.success.filters) > 0))))
+                || (has(self.defaults.rules.callbacks) && size(self.defaults.rules.callbacks)
+                > 0)) : true'
+            - message: At least one spec.overrides.rules must be defined
+              rule: 'has(self.overrides) ? has(self.overrides.rules) && ((has(self.overrides.rules.authentication)
+                && size(self.overrides.rules.authentication) > 0) || (has(self.overrides.rules.metadata)
+                && size(self.overrides.rules.metadata) > 0) || (has(self.overrides.rules.authorization)
+                && size(self.overrides.rules.authorization) > 0) || (has(self.overrides.rules.response)
+                && (has(self.overrides.rules.response.unauthenticated) || has(self.overrides.rules.response.unauthorized)
+                || (has(self.overrides.rules.response.success) && (size(self.overrides.rules.response.success.headers)
+                > 0 ||  size(self.overrides.rules.response.success.filters) > 0))))
+                || (has(self.overrides.rules.callbacks) && size(self.overrides.rules.callbacks)
+                > 0)) : true'
           status:
             properties:
               conditions:
diff --git a/config/crd/bases/kuadrant.io_authpolicies.yaml b/config/crd/bases/kuadrant.io_authpolicies.yaml
@@ -6887,6 +6887,36 @@ spec:
                 || has(self.rules)))'
             - message: Explicit overrides and explicit defaults are mutually exclusive
               rule: '!(has(self.overrides) && has(self.defaults))'
+            - message: At least one spec.rules must be defined
+              rule: '!(has(self.overrides) || has(self.defaults)) ? has(self.rules)
+                && ((has(self.rules.authentication) && size(self.rules.authentication)
+                > 0) || (has(self.rules.metadata) && size(self.rules.metadata) > 0)
+                || (has(self.rules.authorization) && size(self.rules.authorization)
+                > 0) || (has(self.rules.response) && (has(self.rules.response.unauthenticated)
+                || has(self.rules.response.unauthorized) || (has(self.rules.response.success)
+                && (size(self.rules.response.success.headers) > 0 ||  size(self.rules.response.success.filters)
+                > 0)))) || (has(self.rules.callbacks) && size(self.rules.callbacks)
+                > 0)) : true'
+            - message: At least one spec.defaults.rules must be defined
+              rule: 'has(self.defaults) ? has(self.defaults.rules) && ((has(self.defaults.rules.authentication)
+                && size(self.defaults.rules.authentication) > 0) || (has(self.defaults.rules.metadata)
+                && size(self.defaults.rules.metadata) > 0) || (has(self.defaults.rules.authorization)
+                && size(self.defaults.rules.authorization) > 0) || (has(self.defaults.rules.response)
+                && (has(self.defaults.rules.response.unauthenticated) || has(self.defaults.rules.response.unauthorized)
+                || (has(self.defaults.rules.response.success) && (size(self.defaults.rules.response.success.headers)
+                > 0 ||  size(self.defaults.rules.response.success.filters) > 0))))
+                || (has(self.defaults.rules.callbacks) && size(self.defaults.rules.callbacks)
+                > 0)) : true'
+            - message: At least one spec.overrides.rules must be defined
+              rule: 'has(self.overrides) ? has(self.overrides.rules) && ((has(self.overrides.rules.authentication)
+                && size(self.overrides.rules.authentication) > 0) || (has(self.overrides.rules.metadata)
+                && size(self.overrides.rules.metadata) > 0) || (has(self.overrides.rules.authorization)
+                && size(self.overrides.rules.authorization) > 0) || (has(self.overrides.rules.response)
+                && (has(self.overrides.rules.response.unauthenticated) || has(self.overrides.rules.response.unauthorized)
+                || (has(self.overrides.rules.response.success) && (size(self.overrides.rules.response.success.headers)
+                > 0 ||  size(self.overrides.rules.response.success.filters) > 0))))
+                || (has(self.overrides.rules.callbacks) && size(self.overrides.rules.callbacks)
+                > 0)) : true'
           status:
             properties:
               conditions:
diff --git a/tests/common/authpolicy/authpolicy_controller_test.go b/tests/common/authpolicy/authpolicy_controller_test.go
