11use policy_evaluator:: {
2- admission_response:: { AdmissionResponse , AdmissionResponseStatus } ,
2+ admission_response:: { self , AdmissionResponse , AdmissionResponseStatus } ,
33 callback_requests:: CallbackRequest ,
44 evaluation_context:: EvaluationContext ,
55 kubewarden_policy_sdk:: settings:: SettingsValidationResponse ,
@@ -659,28 +659,67 @@ impl EvaluationEnvironment {
659659 // to define inside of the expression
660660 let allowed = rhai_engine. eval_expression :: < bool > ( expression. as_str ( ) ) ?;
661661
662+ // The API Server puts some limitations on the warnings:
663+ // - they cannot exceed 256 characters
664+ // - the size of all the warnings cannot exceed 4096 characters
665+ // - they are returned as HTTP headers, hence not all characters are allowed
666+ //
667+ // Because of these reasons, we use the warning struct only to
668+ // tell the user whether a member policy was evaluated or not. When it was
669+ // evaluated we just tell the outcome (allow/reject).
670+ let mut warnings = vec ! [ ] ;
671+
672+ // The details of each policy evaluation are returned as part of the
673+ // AdmissionResponse.status.details.causes
674+ let mut status_causes = vec ! [ ] ;
675+
676+ let evaluation_results = policies_evaluation_results. lock ( ) . unwrap ( ) ;
677+
678+ for policy_id in & policy_ids {
679+ if let Some ( result) = evaluation_results. get ( policy_id) {
680+ let outcome = if result. allowed {
681+ "allowed"
682+ } else {
683+ "rejected"
684+ } ;
685+ warnings. push ( format ! ( "{policy_id}: {outcome}" , ) ) ;
686+
687+ if !result. allowed {
688+ let cause = admission_response:: StatusCause {
689+ field : Some ( format ! ( "spec.policies.{}" , policy_id) ) ,
690+ message : result. message . clone ( ) ,
691+ ..Default :: default ( )
692+ } ;
693+ status_causes. push ( cause) ;
694+ }
695+ } else {
696+ warnings. push ( format ! ( "{}: not evaluated" , policy_id) ) ;
697+ }
698+ }
699+ debug ! (
700+ ?policy_id,
701+ ?allowed,
702+ ?warnings,
703+ ?status_causes,
704+ "policy group evaluation result"
705+ ) ;
706+
662707 let status = if allowed {
708+ // The status field is discarded by the Kubernetes API server when the
709+ // request is allowed.
663710 None
664711 } else {
665712 Some ( AdmissionResponseStatus {
666713 message : Some ( message) ,
667714 code : None ,
715+ details : Some ( admission_response:: StatusDetails {
716+ causes : status_causes,
717+ ..Default :: default ( )
718+ } ) ,
719+ ..Default :: default ( )
668720 } )
669721 } ;
670722
671- // Provide some feedback to the end user about the single policy evaluation results
672- let evaluation_results = policies_evaluation_results. lock ( ) . unwrap ( ) ;
673- let warnings: Vec < String > = policy_ids
674- . iter ( )
675- . map ( |policy_id| {
676- let result = evaluation_results
677- . get ( policy_id)
678- . map ( |result| result. to_string ( ) )
679- . unwrap_or_else ( || "[NOT EVALUATED]" . to_string ( ) ) ;
680- format ! ( "{}: {}" , policy_id, result)
681- } )
682- . collect ( ) ;
683-
684723 Ok ( AdmissionResponse {
685724 uid : req. uid ( ) . to_string ( ) ,
686725 allowed,
@@ -1022,24 +1061,38 @@ mod tests {
10221061 "group_policy_with_unhappy_or_bracket_happy_and_unhappy_bracket" ,
10231062 false ,
10241063 vec![
1025- "unhappy_policy_2: [DENIED] - failing as expected " ,
1026- "unhappy_policy_1: [DENIED] - failing as expected " ,
1027- "happy_policy_1: [ALLOWED] " ,
1064+ "unhappy_policy_2: rejected " ,
1065+ "unhappy_policy_1: rejected " ,
1066+ "happy_policy_1: allowed " ,
10281067 ] ,
1068+ vec![
1069+ admission_response:: StatusCause {
1070+ field: Some ( "spec.policies.unhappy_policy_1" . to_string( ) ) ,
1071+ message: Some ( "failing as expected" . to_string( ) ) ,
1072+ ..Default :: default ( )
1073+ } ,
1074+ admission_response:: StatusCause {
1075+ field: Some ( "spec.policies.unhappy_policy_2" . to_string( ) ) ,
1076+ message: Some ( "failing as expected" . to_string( ) ) ,
1077+ ..Default :: default ( )
1078+ } ,
1079+ ]
10291080 ) ]
10301081 #[ case:: not_all_policies_are_evaluated(
10311082 "group_policy_with_unhappy_or_happy_or_unhappy" ,
10321083 true ,
10331084 vec![
1034- "unhappy_policy_1: [DENIED] - failing as expected " ,
1035- "unhappy_policy_2: [NOT EVALUATED] " ,
1036- "happy_policy_1: [ALLOWED] " ,
1085+ "unhappy_policy_1: rejected " ,
1086+ "unhappy_policy_2: not evaluated " ,
1087+ "happy_policy_1: allowed " ,
10371088 ] ,
1089+ Vec :: new( ) , // no expected causes, since the request is accepted
10381090 ) ]
10391091 fn group_policy_warning_assignments (
10401092 #[ case] policy_id : & str ,
10411093 #[ case] admission_accepted : bool ,
10421094 #[ case] expected_warnings : Vec < & str > ,
1095+ #[ case] expected_status_causes : Vec < admission_response:: StatusCause > ,
10431096 ) {
10441097 let policy_id = PolicyID :: Policy ( policy_id. to_string ( ) ) ;
10451098 let evaluation_environment = Arc :: new ( build_evaluation_environment ( ) ) ;
@@ -1063,10 +1116,28 @@ mod tests {
10631116 for expected in expected_warnings {
10641117 assert ! (
10651118 warnings. iter( ) . any( |w| w. contains( expected) ) ,
1066- "could not find {}" ,
1119+ "could not find warning {}" ,
10671120 expected
10681121 ) ;
10691122 }
1123+
1124+ if admission_accepted {
1125+ assert ! ( response. status. is_none( ) ) ;
1126+ } else {
1127+ let causes = response
1128+ . status
1129+ . expect ( "should have status" )
1130+ . details
1131+ . expect ( "should have details" )
1132+ . causes ;
1133+ for expected in expected_status_causes {
1134+ assert ! (
1135+ causes. iter( ) . any( |c| * c == expected) ,
1136+ "could not find cause {:?}" ,
1137+ expected
1138+ ) ;
1139+ }
1140+ }
10701141 }
10711142
10721143 /// Given to identical wasm modules, only one instance of PolicyEvaluator is going to be
0 commit comments