feat: add env-value-from as opt-in check for #705

Author: Nexusrex18

pkg/templates/envvarvaluefrom/internal/params/params_test.go

@@ -4,13 +4,16 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"golang.stackrox.io/kube-linter/pkg/check"
+	"golang.stackrox.io/kube-linter/pkg/diagnostic"
+	"golang.stackrox.io/kube-linter/pkg/lintcontext"
 )
 
 func TestValidateParams(t *testing.T) {
 	t.Run("InvalidRegex", func(t *testing.T) {
 		p := Params{IgnoredSecrets: []string{"[invalid("}}
 		err := p.Validate()
-		// If Validate doesn't check regex, this will pass; otherwise, expect error
+		// Current behavior: No validation, so no error
 		if err == nil {
 			t.Log("Warning: Validate does not check regex validity; consider adding regex validation")
 		} else {
@@ -25,3 +28,45 @@ func TestValidateParams(t *testing.T) {
 		assert.NoError(t, err)
 	})
 }
+
+func TestParseAndValidate(t *testing.T) {
+	t.Run("InvalidDecode", func(t *testing.T) {
+		// Simulate invalid map structure
+		m := map[string]interface{}{"IgnoredSecrets": map[string]interface{}{"invalid": true}}
+		_, err := ParseAndValidate(m)
+		assert.Error(t, err) // Expect DecodeMapStructure to fail
+	})
+
+	t.Run("ValidParse", func(t *testing.T) {
+		m := map[string]interface{}{"IgnoredSecrets": []interface{}{"^valid$"}}
+		p, err := ParseAndValidate(m)
+		assert.NoError(t, err)
+		assert.Equal(t, []string{"^valid$"}, p.(Params).IgnoredSecrets)
+	})
+}
+
+func TestWrapInstantiateFunc(t *testing.T) {
+	t.Run("ValidWrap", func(t *testing.T) {
+		f := func(p Params) (check.Func, error) {
+			// check.Func is a function type, so we can return a function directly
+			return func(lintCtx lintcontext.LintContext, object lintcontext.Object) []diagnostic.Diagnostic {
+				return nil // Return empty slice instead of nil for consistency
+			}, nil
+		}
+		wrapped := WrapInstantiateFunc(f)
+		_, err := wrapped(Params{})
+		assert.NoError(t, err)
+	})
+
+	t.Run("InvalidType", func(t *testing.T) {
+		f := func(p Params) (check.Func, error) {
+			return func(lintCtx lintcontext.LintContext, object lintcontext.Object) []diagnostic.Diagnostic {
+				return nil // Return empty slice instead of nil for consistency
+			}, nil
+		}
+		wrapped := WrapInstantiateFunc(f)
+		assert.Panics(t, func() {
+			_, _ = wrapped("not-a-Params") // Expect panic due to type assertion failure
+		})
+	})
+}

pkg/templates/envvarvaluefrom/template_test.go

@@ -68,17 +68,17 @@ func makeConfigMapSource(descriptor sourceReference) *coreV1.EnvVarSource {
 	}
 }
 
-func (s *EnVarValueFromTestSuite) addContainerWithEnvFromSecret(envRef envReference) { // Fix: Remove name parameter
+func (s *EnVarValueFromTestSuite) addContainerWithEnvFromSecret(envRef envReference) {
 	var valueFrom *coreV1.EnvVarSource
 	switch envRef.Kind {
 	case "secret":
 		valueFrom = makeSecretSource(envRef.Source)
 	case "configmap":
 		valueFrom = makeConfigMapSource(envRef.Source)
 	default:
-		s.Require().FailNow(fmt.Sprintf("Unknown source kind %s", envRef.Kind)) // Fix: Use s.Require().FailNow
+		s.Require().FailNow(fmt.Sprintf("Unknown source kind %s", envRef.Kind))
 	}
-	s.ctx.AddContainerToDeployment(s.T(), targetDeploymentName, coreV1.Container{ // Fix: Hardcode targetDeploymentName
+	s.ctx.AddContainerToDeployment(s.T(), targetDeploymentName, coreV1.Container{
 		Name: "container",
 		Env: []coreV1.EnvVar{
 			{
@@ -342,3 +342,86 @@ func (s *EnVarValueFromTestSuite) TestKeysEmptyMap() {
 	keys := Keys(emptyMap)
 	s.Empty(keys)
 }
+
+func (s *EnVarValueFromTestSuite) TestExtractRegexListInvalidConfigMaps() {
+	p := params.Params{IgnoredConfigMaps: []string{"[invalid("}}
+	_, err := extractRegexList(p.IgnoredConfigMaps)
+	s.Error(err)
+	s.Contains(err.Error(), "invalid regex [invalid(")
+}
+
+func (s *EnVarValueFromTestSuite) TestUnknownKeyInSecretWithStringData() {
+	s.ctx.AddMockDeployment(s.T(), targetDeploymentName)
+	secret := &coreV1.Secret{
+		ObjectMeta: metav1.ObjectMeta{Name: "test-secret"},
+		StringData: map[string]string{"key1": "value"},
+	}
+	s.ctx.AddObject("test-secret", secret)
+	s.addContainerWithEnvFromSecret(envReference{
+		Name: "my-secret",
+		Kind: "secret",
+		Source: sourceReference{
+			Name:     "test-secret",
+			Key:      "unknown-key",
+			Optional: pointers.Bool(false),
+		},
+	})
+	s.Validate(s.ctx, []templates.TestCase{
+		{
+			Param: params.Params{},
+			Diagnostics: map[string][]diagnostic.Diagnostic{
+				targetDeploymentName: {{
+					Message: "The container \"container\" is referring to an unknown key \"unknown-key\" in secret \"test-secret\"",
+				}},
+			},
+		},
+	})
+}
+
+func (s *EnVarValueFromTestSuite) TestMultipleIgnoredSecrets() {
+	s.ctx.AddMockDeployment(s.T(), targetDeploymentName)
+	secret1 := &coreV1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "secret1"}, Data: map[string][]byte{"key": []byte("value")}}
+	secret2 := &coreV1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "secret2"}, Data: map[string][]byte{"key": []byte("value")}}
+	s.ctx.AddObject("secret1", secret1)
+	s.ctx.AddObject("secret2", secret2)
+	s.addContainerWithEnvFromSecret(envReference{
+		Name: "my-secret",
+		Kind: "secret",
+		Source: sourceReference{
+			Name:     "secret1",
+			Key:      "key",
+			Optional: pointers.Bool(false),
+		},
+	})
+	s.Validate(s.ctx, []templates.TestCase{
+		{
+			Param: params.Params{IgnoredSecrets: []string{"^secret2$"}},
+			Diagnostics: map[string][]diagnostic.Diagnostic{
+				targetDeploymentName: {},
+			},
+		},
+	})
+}
+
+func (s *EnVarValueFromTestSuite) TestEmptyObjectList() {
+	s.ctx.AddMockDeployment(s.T(), targetDeploymentName)
+	s.addContainerWithEnvFromSecret(envReference{
+		Name: "my-secret",
+		Kind: "secret",
+		Source: sourceReference{
+			Name:     "test-secret",
+			Key:      "key",
+			Optional: pointers.Bool(false),
+		},
+	})
+	s.Validate(s.ctx, []templates.TestCase{
+		{
+			Param: params.Params{},
+			Diagnostics: map[string][]diagnostic.Diagnostic{
+				targetDeploymentName: {{
+					Message: "The container \"container\" is referring to an unknown secret \"test-secret\"",
+				}},
+			},
+		},
+	})
+}