github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-04 09:49:50 +00:00
Code Issues Projects Releases Wiki Activity

Fix elapsed time tracking for validating admission policies

Browse Source 
Signed-off-by: Kevin Conner <kev.conner@gmail.com>
This commit is contained in:
Kevin Conner 2024-10-29 11:26:46 -07:00
parent 16f9fdc705
commit 9538747d4d
2 changed files with 136 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/validator.go
View File

@ -122,6 +122,7 @@ func (v *validator) Validate(ctx context.Context, matchedResource schema.GroupVe
messageResults, _, err := v.messageFilter.ForInput(ctx, versionedAttr, admissionRequest, expressionOptionalVars, ns, remainingBudget) messageResults, _, err := v.messageFilter.ForInput(ctx, versionedAttr, admissionRequest, expressionOptionalVars, ns, remainingBudget)
for i, evalResult := range evalResults { for i, evalResult := range evalResults {
var decision = &decisions[i] var decision = &decisions[i]
decision.Elapsed = evalResult.Elapsed
// TODO: move this to generics // TODO: move this to generics
validation, ok := evalResult.ExpressionAccessor.(*ValidationCondition) validation, ok := evalResult.ExpressionAccessor.(*ValidationCondition)
if !ok { if !ok {
@ -211,6 +212,7 @@ func (v *validator) Validate(ctx context.Context, matchedResource schema.GroupVe
continue continue
} }
var auditAnnotationResult = &auditAnnotationResults[i] var auditAnnotationResult = &auditAnnotationResults[i]
auditAnnotationResult.Elapsed = evalResult.Elapsed
// TODO: move this to generics // TODO: move this to generics
validation, ok := evalResult.ExpressionAccessor.(*AuditAnnotationCondition) validation, ok := evalResult.ExpressionAccessor.(*AuditAnnotationCondition)
if !ok { if !ok {

103
staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/validator_test.go
View File

@ -22,6 +22,7 @@ import (
"fmt" "fmt"
"strings" "strings"
"testing" "testing"
"time"
celtypes "github.com/google/cel-go/common/types" celtypes "github.com/google/cel-go/common/types"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
@ -105,11 +106,13 @@ func TestValidate(t *testing.T) {
{ {
EvalResult: celtypes.True, EvalResult: celtypes.True,
ExpressionAccessor: &ValidationCondition{}, ExpressionAccessor: &ValidationCondition{},
Elapsed: time.Millisecond,
}, },
}, },
policyDecision: []PolicyDecision{ policyDecision: []PolicyDecision{
{ {
Action: ActionAdmit, Action: ActionAdmit,
Elapsed: time.Millisecond,
}, },
}, },
}, },
@ -119,18 +122,22 @@ func TestValidate(t *testing.T) {
{ {
EvalResult: celtypes.True, EvalResult: celtypes.True,
ExpressionAccessor: &ValidationCondition{}, ExpressionAccessor: &ValidationCondition{},
Elapsed: time.Millisecond,
}, },
{ {
EvalResult: celtypes.True, EvalResult: celtypes.True,
ExpressionAccessor: &ValidationCondition{}, ExpressionAccessor: &ValidationCondition{},
Elapsed: time.Millisecond,
}, },
}, },
policyDecision: []PolicyDecision{ policyDecision: []PolicyDecision{
{ {
Action: ActionAdmit, Action: ActionAdmit,
Elapsed: time.Millisecond,
}, },
{ {
Action: ActionAdmit, Action: ActionAdmit,
Elapsed: time.Millisecond,
}, },
}, },
}, },
@ -140,11 +147,13 @@ func TestValidate(t *testing.T) {
{ {
Error: errors.New(""), Error: errors.New(""),
ExpressionAccessor: &ValidationCondition{}, ExpressionAccessor: &ValidationCondition{},
Elapsed: time.Millisecond,
}, },
}, },
policyDecision: []PolicyDecision{ policyDecision: []PolicyDecision{
{ {
Action: ActionAdmit, Action: ActionAdmit,
Elapsed: time.Millisecond,
}, },
}, },
failPolicy: &ignore, failPolicy: &ignore,
@ -155,11 +164,13 @@ func TestValidate(t *testing.T) {
{ {
Error: errors.New(""), Error: errors.New(""),
ExpressionAccessor: &ValidationCondition{}, ExpressionAccessor: &ValidationCondition{},
Elapsed: time.Millisecond,
}, },
}, },
policyDecision: []PolicyDecision{ policyDecision: []PolicyDecision{
{ {
Action: ActionDeny, Action: ActionDeny,
Elapsed: time.Millisecond,
}, },
}, },
}, },
@ -169,11 +180,13 @@ func TestValidate(t *testing.T) {
{ {
Error: errors.New(""), Error: errors.New(""),
ExpressionAccessor: &ValidationCondition{}, ExpressionAccessor: &ValidationCondition{},
Elapsed: time.Millisecond,
}, },
}, },
policyDecision: []PolicyDecision{ policyDecision: []PolicyDecision{
{ {
Action: ActionDeny, Action: ActionDeny,
Elapsed: time.Millisecond,
}, },
}, },
failPolicy: &fail, failPolicy: &fail,
@ -184,18 +197,22 @@ func TestValidate(t *testing.T) {
{ {
EvalResult: celtypes.True, EvalResult: celtypes.True,
ExpressionAccessor: &ValidationCondition{}, ExpressionAccessor: &ValidationCondition{},
Elapsed: time.Millisecond,
}, },
{ {
Error: errors.New(""), Error: errors.New(""),
ExpressionAccessor: &ValidationCondition{}, ExpressionAccessor: &ValidationCondition{},
Elapsed: time.Millisecond,
}, },
}, },
policyDecision: []PolicyDecision{ policyDecision: []PolicyDecision{
{ {
Action: ActionAdmit, Action: ActionAdmit,
Elapsed: time.Millisecond,
}, },
{ {
Action: ActionAdmit, Action: ActionAdmit,
Elapsed: time.Millisecond,
}, },
}, },
failPolicy: &ignore, failPolicy: &ignore,
@ -206,18 +223,22 @@ func TestValidate(t *testing.T) {
{ {
EvalResult: celtypes.True, EvalResult: celtypes.True,
ExpressionAccessor: &ValidationCondition{}, ExpressionAccessor: &ValidationCondition{},
Elapsed: time.Millisecond,
}, },
{ {
Error: errors.New(""), Error: errors.New(""),
ExpressionAccessor: &ValidationCondition{}, ExpressionAccessor: &ValidationCondition{},
Elapsed: time.Millisecond,
}, },
}, },
policyDecision: []PolicyDecision{ policyDecision: []PolicyDecision{
{ {
Action: ActionAdmit, Action: ActionAdmit,
Elapsed: time.Millisecond,
}, },
{ {
Action: ActionDeny, Action: ActionDeny,
Elapsed: time.Millisecond,
}, },
}, },
}, },
@ -227,18 +248,22 @@ func TestValidate(t *testing.T) {
{ {
EvalResult: celtypes.True, EvalResult: celtypes.True,
ExpressionAccessor: &ValidationCondition{}, ExpressionAccessor: &ValidationCondition{},
Elapsed: time.Millisecond,
}, },
{ {
Error: errors.New(""), Error: errors.New(""),
ExpressionAccessor: &ValidationCondition{}, ExpressionAccessor: &ValidationCondition{},
Elapsed: time.Millisecond,
}, },
}, },
policyDecision: []PolicyDecision{ policyDecision: []PolicyDecision{
{ {
Action: ActionAdmit, Action: ActionAdmit,
Elapsed: time.Millisecond,
}, },
{ {
Action: ActionDeny, Action: ActionDeny,
Elapsed: time.Millisecond,
}, },
}, },
failPolicy: &fail, failPolicy: &fail,
@ -249,18 +274,22 @@ func TestValidate(t *testing.T) {
{ {
Error: errors.New(""), Error: errors.New(""),
ExpressionAccessor: &ValidationCondition{}, ExpressionAccessor: &ValidationCondition{},
Elapsed: time.Millisecond,
}, },
{ {
Error: errors.New(""), Error: errors.New(""),
ExpressionAccessor: &ValidationCondition{}, ExpressionAccessor: &ValidationCondition{},
Elapsed: time.Millisecond,
}, },
}, },
policyDecision: []PolicyDecision{ policyDecision: []PolicyDecision{
{ {
Action: ActionAdmit, Action: ActionAdmit,
Elapsed: time.Millisecond,
}, },
{ {
Action: ActionAdmit, Action: ActionAdmit,
Elapsed: time.Millisecond,
}, },
}, },
failPolicy: &ignore, failPolicy: &ignore,
@ -271,18 +300,22 @@ func TestValidate(t *testing.T) {
{ {
Error: errors.New(""), Error: errors.New(""),
ExpressionAccessor: &ValidationCondition{}, ExpressionAccessor: &ValidationCondition{},
Elapsed: time.Millisecond,
}, },
{ {
Error: errors.New(""), Error: errors.New(""),
ExpressionAccessor: &ValidationCondition{}, ExpressionAccessor: &ValidationCondition{},
Elapsed: time.Millisecond,
}, },
}, },
policyDecision: []PolicyDecision{ policyDecision: []PolicyDecision{
{ {
Action: ActionDeny, Action: ActionDeny,
Elapsed: time.Millisecond,
}, },
{ {
Action: ActionDeny, Action: ActionDeny,
Elapsed: time.Millisecond,
}, },
}, },
}, },
@ -292,18 +325,22 @@ func TestValidate(t *testing.T) {
{ {
Error: errors.New(""), Error: errors.New(""),
ExpressionAccessor: &ValidationCondition{}, ExpressionAccessor: &ValidationCondition{},
Elapsed: time.Millisecond,
}, },
{ {
Error: errors.New(""), Error: errors.New(""),
ExpressionAccessor: &ValidationCondition{}, ExpressionAccessor: &ValidationCondition{},
Elapsed: time.Millisecond,
}, },
}, },
policyDecision: []PolicyDecision{ policyDecision: []PolicyDecision{
{ {
Action: ActionDeny, Action: ActionDeny,
Elapsed: time.Millisecond,
}, },
{ {
Action: ActionDeny, Action: ActionDeny,
Elapsed: time.Millisecond,
}, },
}, },
failPolicy: &fail, failPolicy: &fail,
@ -316,6 +353,7 @@ func TestValidate(t *testing.T) {
ExpressionAccessor: &ValidationCondition{ ExpressionAccessor: &ValidationCondition{
Expression: "this.expression == unit.test", Expression: "this.expression == unit.test",
}, },
Elapsed: time.Millisecond,
}, },
}, },
policyDecision: []PolicyDecision{ policyDecision: []PolicyDecision{
@ -323,6 +361,7 @@ func TestValidate(t *testing.T) {
Action: ActionDeny, Action: ActionDeny,
Reason: metav1.StatusReasonInvalid, Reason: metav1.StatusReasonInvalid,
Message: "failed expression: this.expression == unit.test", Message: "failed expression: this.expression == unit.test",
Elapsed: time.Millisecond,
}, },
}, },
failPolicy: &fail, failPolicy: &fail,
@ -336,6 +375,7 @@ func TestValidate(t *testing.T) {
Reason: &forbiddenReason, Reason: &forbiddenReason,
Expression: "this.expression == unit.test", Expression: "this.expression == unit.test",
}, },
Elapsed: time.Millisecond,
}, },
}, },
policyDecision: []PolicyDecision{ policyDecision: []PolicyDecision{
@ -343,6 +383,7 @@ func TestValidate(t *testing.T) {
Action: ActionDeny, Action: ActionDeny,
Reason: metav1.StatusReasonForbidden, Reason: metav1.StatusReasonForbidden,
Message: "failed expression: this.expression == unit.test", Message: "failed expression: this.expression == unit.test",
Elapsed: time.Millisecond,
}, },
}, },
failPolicy: &fail, failPolicy: &fail,
@ -356,6 +397,7 @@ func TestValidate(t *testing.T) {
Reason: &forbiddenReason, Reason: &forbiddenReason,
Expression: "this.expression == unit.test", Expression: "this.expression == unit.test",
}, },
Elapsed: time.Millisecond,
}, },
{ {
EvalResult: celtypes.False, EvalResult: celtypes.False,
@ -363,6 +405,7 @@ func TestValidate(t *testing.T) {
Reason: &unauthorizedReason, Reason: &unauthorizedReason,
Expression: "this.expression.2 == unit.test.2", Expression: "this.expression.2 == unit.test.2",
}, },
Elapsed: time.Millisecond,
}, },
}, },
policyDecision: []PolicyDecision{ policyDecision: []PolicyDecision{
@ -370,11 +413,13 @@ func TestValidate(t *testing.T) {
Action: ActionDeny, Action: ActionDeny,
Reason: metav1.StatusReasonForbidden, Reason: metav1.StatusReasonForbidden,
Message: "failed expression: this.expression == unit.test", Message: "failed expression: this.expression == unit.test",
Elapsed: time.Millisecond,
}, },
{ {
Action: ActionDeny, Action: ActionDeny,
Reason: metav1.StatusReasonUnauthorized, Reason: metav1.StatusReasonUnauthorized,
Message: "failed expression: this.expression.2 == unit.test.2", Message: "failed expression: this.expression.2 == unit.test.2",
Elapsed: time.Millisecond,
}, },
}, },
failPolicy: &fail, failPolicy: &fail,
@ -389,6 +434,7 @@ func TestValidate(t *testing.T) {
Expression: "this.expression == unit.test", Expression: "this.expression == unit.test",
Message: "test", Message: "test",
}, },
Elapsed: time.Millisecond,
}, },
}, },
policyDecision: []PolicyDecision{ policyDecision: []PolicyDecision{
@ -396,6 +442,7 @@ func TestValidate(t *testing.T) {
Action: ActionDeny, Action: ActionDeny,
Reason: metav1.StatusReasonForbidden, Reason: metav1.StatusReasonForbidden,
Message: "test", Message: "test",
Elapsed: time.Millisecond,
}, },
}, },
failPolicy: &fail, failPolicy: &fail,
@ -410,6 +457,7 @@ func TestValidate(t *testing.T) {
Expression: "this.expression == unit.test", Expression: "this.expression == unit.test",
Message: "test1", Message: "test1",
}, },
Elapsed: time.Millisecond,
}, },
{ {
EvalResult: celtypes.False, EvalResult: celtypes.False,
@ -418,6 +466,7 @@ func TestValidate(t *testing.T) {
Expression: "this.expression == unit.test", Expression: "this.expression == unit.test",
Message: "test2", Message: "test2",
}, },
Elapsed: time.Millisecond,
}, },
}, },
policyDecision: []PolicyDecision{ policyDecision: []PolicyDecision{
@ -425,11 +474,13 @@ func TestValidate(t *testing.T) {
Action: ActionDeny, Action: ActionDeny,
Reason: metav1.StatusReasonForbidden, Reason: metav1.StatusReasonForbidden,
Message: "test1", Message: "test1",
Elapsed: time.Millisecond,
}, },
{ {
Action: ActionDeny, Action: ActionDeny,
Reason: metav1.StatusReasonForbidden, Reason: metav1.StatusReasonForbidden,
Message: "test2", Message: "test2",
Elapsed: time.Millisecond,
}, },
}, },
failPolicy: &fail, failPolicy: &fail,
@ -444,6 +495,7 @@ func TestValidate(t *testing.T) {
Expression: "this.expression == unit.test", Expression: "this.expression == unit.test",
Message: "test1", Message: "test1",
}, },
Elapsed: time.Millisecond,
}, },
}, },
policyDecision: []PolicyDecision{ policyDecision: []PolicyDecision{
@ -465,6 +517,7 @@ func TestValidate(t *testing.T) {
Expression: "this.expression == unit.test", Expression: "this.expression == unit.test",
Message: "test1", Message: "test1",
}, },
Elapsed: time.Millisecond,
}, },
{ {
EvalResult: celtypes.False, EvalResult: celtypes.False,
@ -473,6 +526,7 @@ func TestValidate(t *testing.T) {
Expression: "this.expression == unit.test", Expression: "this.expression == unit.test",
Message: "test2", Message: "test2",
}, },
Elapsed: time.Millisecond,
}, },
}, },
policyDecision: []PolicyDecision{ policyDecision: []PolicyDecision{
@ -492,6 +546,7 @@ func TestValidate(t *testing.T) {
ExpressionAccessor: &AuditAnnotationCondition{ ExpressionAccessor: &AuditAnnotationCondition{
ValueExpression: "'string value'", ValueExpression: "'string value'",
}, },
Elapsed: 2 * time.Millisecond,
}, },
}, },
failPolicy: &fail, failPolicy: &fail,
@ -499,6 +554,7 @@ func TestValidate(t *testing.T) {
{ {
Action: AuditAnnotationActionPublish, Action: AuditAnnotationActionPublish,
Value: "string value", Value: "string value",
Elapsed: 2 * time.Millisecond,
}, },
}, },
}, },
@ -512,6 +568,7 @@ func TestValidate(t *testing.T) {
Expression: "this.expression == unit.test", Expression: "this.expression == unit.test",
Message: "test1", Message: "test1",
}, },
Elapsed: time.Millisecond,
}, },
}, },
auditEvaluations: []cel.EvaluationResult{ auditEvaluations: []cel.EvaluationResult{
@ -520,17 +577,20 @@ func TestValidate(t *testing.T) {
ExpressionAccessor: &AuditAnnotationCondition{ ExpressionAccessor: &AuditAnnotationCondition{
ValueExpression: "'string value'", ValueExpression: "'string value'",
}, },
Elapsed: 2 * time.Millisecond,
}, },
}, },
policyDecision: []PolicyDecision{ policyDecision: []PolicyDecision{
{ {
Action: ActionAdmit, Action: ActionAdmit,
Elapsed: time.Millisecond,
}, },
}, },
auditAnnotations: []PolicyAuditAnnotation{ auditAnnotations: []PolicyAuditAnnotation{
{ {
Action: AuditAnnotationActionPublish, Action: AuditAnnotationActionPublish,
Value: "string value", Value: "string value",
Elapsed: 2 * time.Millisecond,
}, },
}, },
failPolicy: &fail, failPolicy: &fail,
@ -543,21 +603,25 @@ func TestValidate(t *testing.T) {
ExpressionAccessor: &AuditAnnotationCondition{ ExpressionAccessor: &AuditAnnotationCondition{
ValueExpression: "null", ValueExpression: "null",
}, },
Elapsed: 2 * time.Millisecond,
}, },
{ {
EvalResult: celtypes.String("string value"), EvalResult: celtypes.String("string value"),
ExpressionAccessor: &AuditAnnotationCondition{ ExpressionAccessor: &AuditAnnotationCondition{
ValueExpression: "'string value'", ValueExpression: "'string value'",
}, },
Elapsed: 2 * time.Millisecond,
}, },
}, },
auditAnnotations: []PolicyAuditAnnotation{ auditAnnotations: []PolicyAuditAnnotation{
{ {
Action: AuditAnnotationActionExclude, Action: AuditAnnotationActionExclude,
Elapsed: 2 * time.Millisecond,
}, },
{ {
Action: AuditAnnotationActionPublish, Action: AuditAnnotationActionPublish,
Value: "string value", Value: "string value",
Elapsed: 2 * time.Millisecond,
}, },
}, },
failPolicy: &fail, failPolicy: &fail,
@ -570,12 +634,14 @@ func TestValidate(t *testing.T) {
ExpressionAccessor: &AuditAnnotationCondition{ ExpressionAccessor: &AuditAnnotationCondition{
ValueExpression: "'this is not valid CEL", ValueExpression: "'this is not valid CEL",
}, },
Elapsed: 2 * time.Millisecond,
}, },
}, },
auditAnnotations: []PolicyAuditAnnotation{ auditAnnotations: []PolicyAuditAnnotation{
{ {
Action: AuditAnnotationActionError, Action: AuditAnnotationActionError,
Error: "valueExpression ''this is not valid CEL' resulted in error: <nil>", Error: "valueExpression ''this is not valid CEL' resulted in error: <nil>",
Elapsed: 2 * time.Millisecond,
}, },
}, },
failPolicy: &fail, failPolicy: &fail,
@ -588,12 +654,14 @@ func TestValidate(t *testing.T) {
ExpressionAccessor: &AuditAnnotationCondition{ ExpressionAccessor: &AuditAnnotationCondition{
ValueExpression: "'this is not valid CEL", ValueExpression: "'this is not valid CEL",
}, },
Elapsed: 2 * time.Millisecond,
}, },
}, },
auditAnnotations: []PolicyAuditAnnotation{ auditAnnotations: []PolicyAuditAnnotation{
{ {
Action: AuditAnnotationActionExclude, // TODO: is this right? Action: AuditAnnotationActionExclude, // TODO: is this right?
Error: "valueExpression ''this is not valid CEL' resulted in error: <nil>", Error: "valueExpression ''this is not valid CEL' resulted in error: <nil>",
Elapsed: 2 * time.Millisecond,
}, },
}, },
failPolicy: &ignore, failPolicy: &ignore,
@ -607,11 +675,13 @@ func TestValidate(t *testing.T) {
Reason: &forbiddenReason, Reason: &forbiddenReason,
Expression: "this.expression == unit.test", Expression: "this.expression == unit.test",
}, },
Elapsed: time.Millisecond,
}, },
}, },
messageEvaluations: []cel.EvaluationResult{ messageEvaluations: []cel.EvaluationResult{
{ {
EvalResult: celtypes.String("evaluated message"), EvalResult: celtypes.String("evaluated message"),
Elapsed: time.Millisecond,
}, },
}, },
policyDecision: []PolicyDecision{ policyDecision: []PolicyDecision{
@ -619,6 +689,7 @@ func TestValidate(t *testing.T) {
Action: ActionDeny, Action: ActionDeny,
Message: "evaluated message", Message: "evaluated message",
Reason: forbiddenReason, Reason: forbiddenReason,
Elapsed: time.Millisecond,
}, },
}, },
}, },
@ -632,6 +703,7 @@ func TestValidate(t *testing.T) {
Expression: "this.expression == unit.test", Expression: "this.expression == unit.test",
Message: "I am not overwritten", Message: "I am not overwritten",
}, },
Elapsed: time.Millisecond,
}, },
{ {
EvalResult: celtypes.False, EvalResult: celtypes.False,
@ -640,12 +712,14 @@ func TestValidate(t *testing.T) {
Expression: "this.expression == unit.test", Expression: "this.expression == unit.test",
Message: "I am overwritten", Message: "I am overwritten",
}, },
Elapsed: time.Millisecond,
}, },
}, },
messageEvaluations: []cel.EvaluationResult{ messageEvaluations: []cel.EvaluationResult{
{}, {},
{ {
EvalResult: celtypes.String("evaluated message"), EvalResult: celtypes.String("evaluated message"),
Elapsed: time.Millisecond,
}, },
}, },
policyDecision: []PolicyDecision{ policyDecision: []PolicyDecision{
@ -653,11 +727,13 @@ func TestValidate(t *testing.T) {
Action: ActionDeny, Action: ActionDeny,
Message: "I am not overwritten", Message: "I am not overwritten",
Reason: forbiddenReason, Reason: forbiddenReason,
Elapsed: time.Millisecond,
}, },
{ {
Action: ActionDeny, Action: ActionDeny,
Message: "evaluated message", Message: "evaluated message",
Reason: forbiddenReason, Reason: forbiddenReason,
Elapsed: time.Millisecond,
}, },
}, },
}, },
@ -671,11 +747,13 @@ func TestValidate(t *testing.T) {
Expression: "this.expression == unit.test", Expression: "this.expression == unit.test",
Message: "I am overwritten", Message: "I am overwritten",
}, },
Elapsed: time.Millisecond,
}, },
}, },
messageEvaluations: []cel.EvaluationResult{ messageEvaluations: []cel.EvaluationResult{
{ {
EvalResult: celtypes.String("evaluated message"), EvalResult: celtypes.String("evaluated message"),
Elapsed: time.Millisecond,
}, },
}, },
policyDecision: []PolicyDecision{ policyDecision: []PolicyDecision{
@ -683,6 +761,7 @@ func TestValidate(t *testing.T) {
Action: ActionDeny, Action: ActionDeny,
Message: "evaluated message", Message: "evaluated message",
Reason: forbiddenReason, Reason: forbiddenReason,
Elapsed: time.Millisecond,
}, },
}, },
}, },
@ -696,11 +775,13 @@ func TestValidate(t *testing.T) {
Expression: "this.expression == unit.test", Expression: "this.expression == unit.test",
Message: "test1", Message: "test1",
}, },
Elapsed: time.Millisecond,
}, },
}, },
messageEvaluations: []cel.EvaluationResult{ messageEvaluations: []cel.EvaluationResult{
{ {
Error: &apiservercel.Error{Type: apiservercel.ErrorTypeInvalid}, Error: &apiservercel.Error{Type: apiservercel.ErrorTypeInvalid},
Elapsed: time.Millisecond,
}, },
}, },
policyDecision: []PolicyDecision{ policyDecision: []PolicyDecision{
@ -708,6 +789,7 @@ func TestValidate(t *testing.T) {
Action: ActionDeny, Action: ActionDeny,
Message: "test1", // original message used Message: "test1", // original message used
Reason: forbiddenReason, Reason: forbiddenReason,
Elapsed: time.Millisecond,
}, },
}, },
}, },
@ -721,11 +803,13 @@ func TestValidate(t *testing.T) {
Expression: "this.expression == unit.test", Expression: "this.expression == unit.test",
Message: "test1", Message: "test1",
}, },
Elapsed: time.Millisecond,
}, },
}, },
messageEvaluations: []cel.EvaluationResult{ messageEvaluations: []cel.EvaluationResult{
{ {
EvalResult: celtypes.String(" "), EvalResult: celtypes.String(" "),
Elapsed: time.Millisecond,
}, },
}, },
policyDecision: []PolicyDecision{ policyDecision: []PolicyDecision{
@ -733,6 +817,7 @@ func TestValidate(t *testing.T) {
Action: ActionDeny, Action: ActionDeny,
Message: "test1", Message: "test1",
Reason: forbiddenReason, Reason: forbiddenReason,
Elapsed: time.Millisecond,
}, },
}, },
}, },
@ -746,11 +831,13 @@ func TestValidate(t *testing.T) {
Expression: "this.expression == unit.test", Expression: "this.expression == unit.test",
Message: "test1", Message: "test1",
}, },
Elapsed: time.Millisecond,
}, },
}, },
messageEvaluations: []cel.EvaluationResult{ messageEvaluations: []cel.EvaluationResult{
{ {
EvalResult: celtypes.String("hello\nthere"), EvalResult: celtypes.String("hello\nthere"),
Elapsed: time.Millisecond,
}, },
}, },
policyDecision: []PolicyDecision{ policyDecision: []PolicyDecision{
@ -758,6 +845,7 @@ func TestValidate(t *testing.T) {
Action: ActionDeny, Action: ActionDeny,
Message: "test1", Message: "test1",
Reason: forbiddenReason, Reason: forbiddenReason,
Elapsed: time.Millisecond,
}, },
}, },
}, },
@ -771,6 +859,7 @@ func TestValidate(t *testing.T) {
Expression: "this.expression == unit.test", Expression: "this.expression == unit.test",
Message: "test1", Message: "test1",
}, },
Elapsed: time.Millisecond,
}, },
}, },
messageEvaluations: []cel.EvaluationResult{ messageEvaluations: []cel.EvaluationResult{
@ -783,6 +872,7 @@ func TestValidate(t *testing.T) {
Action: ActionDeny, Action: ActionDeny,
Message: "test1", Message: "test1",
Reason: forbiddenReason, Reason: forbiddenReason,
Elapsed: time.Millisecond,
}, },
}, },
}, },
@ -796,11 +886,13 @@ func TestValidate(t *testing.T) {
Expression: "this.expression == unit.test", Expression: "this.expression == unit.test",
Message: "test1", Message: "test1",
}, },
Elapsed: time.Millisecond,
}, },
}, },
messageEvaluations: []cel.EvaluationResult{ messageEvaluations: []cel.EvaluationResult{
{ {
EvalResult: celtypes.NullValue, EvalResult: celtypes.NullValue,
Elapsed: time.Millisecond,
}, },
}, },
policyDecision: []PolicyDecision{ policyDecision: []PolicyDecision{
@ -808,6 +900,7 @@ func TestValidate(t *testing.T) {
Action: ActionDeny, Action: ActionDeny,
Message: "test1", Message: "test1",
Reason: forbiddenReason, Reason: forbiddenReason,
Elapsed: time.Millisecond,
}, },
}, },
}, },
@ -821,6 +914,7 @@ func TestValidate(t *testing.T) {
Expression: "this.expression == unit.test", Expression: "this.expression == unit.test",
Message: "test1", Message: "test1",
}, },
Elapsed: time.Millisecond,
}, },
}, },
messageEvaluations: []cel.EvaluationResult{ messageEvaluations: []cel.EvaluationResult{
@ -832,6 +926,7 @@ func TestValidate(t *testing.T) {
{ {
Action: ActionDeny, Action: ActionDeny,
Message: "running out of cost budget", Message: "running out of cost budget",
Elapsed: time.Millisecond,
}, },
}, },
costBudget: 1, // shared between expression and messageExpression, needs 1 + 1 = 2 in total costBudget: 1, // shared between expression and messageExpression, needs 1 + 1 = 2 in total
@ -843,6 +938,7 @@ func TestValidate(t *testing.T) {
{ {
Error: errors.New("expected"), Error: errors.New("expected"),
ExpressionAccessor: &ValidationCondition{}, ExpressionAccessor: &ValidationCondition{},
Elapsed: time.Millisecond,
}, },
}, },
policyDecision: []PolicyDecision{}, policyDecision: []PolicyDecision{},
@ -855,6 +951,7 @@ func TestValidate(t *testing.T) {
{ {
Error: errors.New("expected"), Error: errors.New("expected"),
ExpressionAccessor: &ValidationCondition{}, ExpressionAccessor: &ValidationCondition{},
Elapsed: time.Millisecond,
}, },
}, },
policyDecision: []PolicyDecision{ policyDecision: []PolicyDecision{
@ -908,6 +1005,9 @@ func TestValidate(t *testing.T) {
if policyDecision.Reason != validateResult.Decisions[i].Reason { if policyDecision.Reason != validateResult.Decisions[i].Reason {
t.Errorf("Expected policy decision reason '%v' but got '%v'", policyDecision.Reason, validateResult.Decisions[i].Reason) t.Errorf("Expected policy decision reason '%v' but got '%v'", policyDecision.Reason, validateResult.Decisions[i].Reason)
} }
if policyDecision.Elapsed != validateResult.Decisions[i].Elapsed {
t.Errorf("Expected policy decision elapsed time '%v', but got '%v'", policyDecision.Elapsed, validateResult.Decisions[i].Elapsed)
}
} }
require.Equal(t, len(tc.auditEvaluations), len(validateResult.AuditAnnotations)) require.Equal(t, len(tc.auditEvaluations), len(validateResult.AuditAnnotations))
@ -922,6 +1022,9 @@ func TestValidate(t *testing.T) {
if auditAnnotation.Value != actual.Value { if auditAnnotation.Value != actual.Value {
t.Errorf("Expected policy audit annotation value '%v' but got '%v'", auditAnnotation.Value, actual.Value) t.Errorf("Expected policy audit annotation value '%v' but got '%v'", auditAnnotation.Value, actual.Value)
} }
if auditAnnotation.Elapsed != actual.Elapsed {
t.Errorf("Expected policy audit annotation elapsed time '%v', but got '%v'", auditAnnotation.Elapsed, actual.Elapsed)
}
} }
}) })
} }