feat: hold compiled assertion in api

Signed-off-by: Charles-Edouard Brétéché <[email protected]>

Makefile

@@ -205,7 +205,7 @@ codegen-deepcopy: $(PACKAGE_SHIM) $(DEEPCOPY_GEN) ## Generate deep copy function
 codegen-crds: $(CONTROLLER_GEN) ## Generate CRDs
 	@echo Generate crds... >&2
 	@rm -rf $(CRDS_PATH)
-	@$(CONTROLLER_GEN) paths=./pkg/apis/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)
+	@$(CONTROLLER_GEN) paths=./pkg/apis/... crd:crdVersions=v1,ignoreUnexportedFields=true output:dir=$(CRDS_PATH)
 	@echo Copy generated CRDs to embed in the CLI... >&2
 	@rm -rf pkg/data/crds && mkdir -p pkg/data/crds
 	@cp $(CRDS_PATH)/* pkg/data/crds

pkg/apis/policy/v1alpha1/any.go

@@ -1,65 +1,27 @@
 package v1alpha1
 
 import (
-	"fmt"
-
 	"k8s.io/apimachinery/pkg/util/json"
 )
 
-func deepCopy(in any) any {
-	if in == nil {
-		return nil
-	}
-	switch in := in.(type) {
-	case string:
-		return in
-	case int:
-		return in
-	case int32:
-		return in
-	case int64:
-		return in
-	case float32:
-		return in
-	case float64:
-		return in
-	case bool:
-		return in
-	case []any:
-		var out []any
-		for _, in := range in {
-			out = append(out, deepCopy(in))
-		}
-		return out
-	case map[string]any:
-		out := map[string]any{}
-		for k, in := range in {
-			out[k] = deepCopy(in)
-		}
-		return out
-	}
-	panic(fmt.Sprintf("deep copy failed - unrecognized type %T", in))
-}
-
 // Any can be any type.
 // +k8s:deepcopy-gen=false
 // +kubebuilder:validation:XPreserveUnknownFields
 // +kubebuilder:validation:Type:=""
 type Any struct {
-	// +optional
-	value any `json:"-"`
+	_value any
 }
 
 func NewAny(value any) Any {
 	return Any{value}
 }
 
 func (t *Any) Value() any {
-	return t.value
+	return t._value
 }
 
 func (in *Any) DeepCopyInto(out *Any) {
-	out.value = deepCopy(in.value)
+	out._value = deepCopy(in._value)
 }
 
 func (in *Any) DeepCopy() *Any {
@@ -72,7 +34,7 @@ func (in *Any) DeepCopy() *Any {
 }
 
 func (a *Any) MarshalJSON() ([]byte, error) {
-	return json.Marshal(a.value)
+	return json.Marshal(a._value)
 }
 
 func (a *Any) UnmarshalJSON(data []byte) error {
@@ -81,6 +43,6 @@ func (a *Any) UnmarshalJSON(data []byte) error {
 	if err != nil {
 		return err
 	}
-	a.value = v
+	a._value = v
 	return nil
 }

pkg/apis/policy/v1alpha1/assertion.go

@@ -1,44 +1,5 @@
 package v1alpha1
 
-import (
-	"k8s.io/apimachinery/pkg/util/json"
-)
-
-// +k8s:deepcopy-gen=false
-// +kubebuilder:validation:XPreserveUnknownFields
-// +kubebuilder:validation:Type:=""
-// AssertionTree represents an assertion tree.
-type AssertionTree struct {
-	// +optional
-	tree any `json:"-"`
-}
-
-func NewAssertionTree(value any) AssertionTree {
-	return AssertionTree{value}
-}
-
-func (t *AssertionTree) Raw() any {
-	return t.tree
-}
-
-func (a *AssertionTree) MarshalJSON() ([]byte, error) {
-	return json.Marshal(a.tree)
-}
-
-func (a *AssertionTree) UnmarshalJSON(data []byte) error {
-	var v any
-	err := json.Unmarshal(data, &v)
-	if err != nil {
-		return err
-	}
-	a.tree = v
-	return nil
-}
-
-func (in *AssertionTree) DeepCopyInto(out *AssertionTree) {
-	out.tree = deepCopy(in.tree)
-}
-
 // Assertion contains an assertion tree associated with a message.
 type Assertion struct {
 	// Message is the message associated message.

pkg/apis/policy/v1alpha1/assertion_tree.go

@@ -0,0 +1,56 @@
+package v1alpha1
+
+import (
+	"context"
+	"sync"
+
+	"github.com/kyverno/kyverno-json/pkg/engine/assert"
+	"k8s.io/apimachinery/pkg/util/json"
+)
+
+// +k8s:deepcopy-gen=false
+// +kubebuilder:validation:XPreserveUnknownFields
+// +kubebuilder:validation:Type:=""
+// AssertionTree represents an assertion tree.
+type AssertionTree struct {
+	_tree      any
+	_assertion func() (assert.Assertion, error)
+}
+
+func NewAssertionTree(value any) AssertionTree {
+	return AssertionTree{
+		_tree: value,
+		_assertion: sync.OnceValues(func() (assert.Assertion, error) {
+			return assert.Parse(context.Background(), value)
+		}),
+	}
+}
+
+func (t *AssertionTree) Assertion() (assert.Assertion, error) {
+	if t._tree == nil {
+		return nil, nil
+	}
+	return t._assertion()
+}
+
+func (a *AssertionTree) MarshalJSON() ([]byte, error) {
+	return json.Marshal(a._tree)
+}
+
+func (a *AssertionTree) UnmarshalJSON(data []byte) error {
+	var v any
+	err := json.Unmarshal(data, &v)
+	if err != nil {
+		return err
+	}
+	a._tree = v
+	a._assertion = sync.OnceValues(func() (assert.Assertion, error) {
+		return assert.Parse(context.Background(), v)
+	})
+	return nil
+}
+
+func (in *AssertionTree) DeepCopyInto(out *AssertionTree) {
+	out._tree = deepCopy(in._tree)
+	out._assertion = in._assertion
+}

pkg/apis/policy/v1alpha1/deep_copy.go

@@ -0,0 +1,40 @@
+package v1alpha1
+
+import (
+	"fmt"
+)
+
+func deepCopy(in any) any {
+	if in == nil {
+		return nil
+	}
+	switch in := in.(type) {
+	case string:
+		return in
+	case int:
+		return in
+	case int32:
+		return in
+	case int64:
+		return in
+	case float32:
+		return in
+	case float64:
+		return in
+	case bool:
+		return in
+	case []any:
+		var out []any
+		for _, in := range in {
+			out = append(out, deepCopy(in))
+		}
+		return out
+	case map[string]any:
+		out := map[string]any{}
+		for k, in := range in {
+			out[k] = deepCopy(in)
+		}
+		return out
+	}
+	panic(fmt.Sprintf("deep copy failed - unrecognized type %T", in))
+}

pkg/engine/assert/assert_test.go

@@ -48,7 +48,7 @@ func TestAssert(t *testing.T) {
 	}}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			parsed, err := Parse(context.TODO(), nil, tt.assertion)
+			parsed, err := Parse(context.TODO(), tt.assertion)
 			tassert.NoError(t, err)
 			got, err := Assert(context.TODO(), nil, parsed, tt.value, tt.bindings)
 			if tt.wantErr {

pkg/engine/assert/parse.go

@@ -2,6 +2,7 @@ package assert
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"reflect"
 
@@ -13,14 +14,14 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 )
 
-func Parse(ctx context.Context, path *field.Path, assertion any) (Assertion, error) {
+func Parse(ctx context.Context, assertion any) (Assertion, error) {
 	switch reflectutils.GetKind(assertion) {
 	case reflect.Slice:
-		return parseSlice(ctx, path, assertion)
+		return parseSlice(ctx, assertion)
 	case reflect.Map:
-		return parseMap(ctx, path, assertion)
+		return parseMap(ctx, assertion)
 	default:
-		return parseScalar(ctx, path, assertion)
+		return parseScalar(ctx, assertion)
 	}
 }
 
@@ -34,11 +35,11 @@ func (n node) assert(ctx context.Context, path *field.Path, value any, bindings
 // parseSlice is the assertion represented by a slice.
 // it first compares the length of the analysed resource with the length of the descendants.
 // if lengths match all descendants are evaluated with their corresponding items.
-func parseSlice(ctx context.Context, path *field.Path, assertion any) (node, error) {
+func parseSlice(ctx context.Context, assertion any) (node, error) {
 	var assertions []Assertion
 	valueOf := reflect.ValueOf(assertion)
 	for i := 0; i < valueOf.Len(); i++ {
-		sub, err := Parse(ctx, path.Index(i), valueOf.Index(i).Interface())
+		sub, err := Parse(ctx, valueOf.Index(i).Interface())
 		if err != nil {
 			return nil, err
 		}
@@ -70,7 +71,7 @@ func parseSlice(ctx context.Context, path *field.Path, assertion any) (node, err
 
 // parseMap is the assertion represented by a map.
 // it is responsible for projecting the analysed resource and passing the result to the descendant
-func parseMap(ctx context.Context, path *field.Path, assertion any) (node, error) {
+func parseMap(ctx context.Context, assertion any) (node, error) {
 	assertions := map[any]struct {
 		*expression
 		Assertion
@@ -79,7 +80,7 @@ func parseMap(ctx context.Context, path *field.Path, assertion any) (node, error
 	for iter.Next() {
 		key := iter.Key().Interface()
 		value := iter.Value().Interface()
-		assertion, err := Parse(ctx, path.Child(fmt.Sprint(key)), value)
+		assertion, err := Parse(ctx, value)
 		if err != nil {
 			return nil, err
 		}
@@ -158,21 +159,21 @@ func parseMap(ctx context.Context, path *field.Path, assertion any) (node, error
 // parseScalar is the assertion represented by a leaf.
 // it receives a value and compares it with an expected value.
 // the expected value can be the result of an expression.
-func parseScalar(ctx context.Context, path *field.Path, assertion any) (node, error) {
+func parseScalar(ctx context.Context, assertion any) (node, error) {
 	expression := parseExpression(ctx, assertion)
 	// we only project if the expression uses the engine syntax
 	// this is to avoid the case where the value is a map and the RHS is a string
 	var project func(ctx context.Context, value any, bindings binding.Bindings, opts ...template.Option) (any, error)
 	if expression != nil && expression.engine != "" {
 		if expression.foreachName != "" {
-			return nil, field.Invalid(path, assertion, "foreach is not supported on the RHS")
+			return nil, errors.New("foreach is not supported on the RHS")
 		}
 		if expression.binding != "" {
-			return nil, field.Invalid(path, assertion, "binding is not supported on the RHS")
+			return nil, errors.New("binding is not supported on the RHS")
 		}
 		ast, err := expression.ast()
 		if err != nil {
-			return nil, field.InternalError(path, err)
+			return nil, err
 		}
 		project = func(ctx context.Context, value any, bindings jpbinding.Bindings, opts ...template.Option) (any, error) {
 			return template.ExecuteAST(ctx, ast, value, bindings, opts...)

pkg/matching/match.go

@@ -48,11 +48,12 @@ func MatchAssert(ctx context.Context, path *field.Path, match *v1alpha1.Assert,
 			var fails []Result
 			path := path.Child("any")
 			for i, assertion := range match.Any {
-				parsed, err := assert.Parse(ctx, path.Index(i).Child("check"), assertion.Check.Raw())
+				path := path.Index(i).Child("check")
+				parsed, err := assertion.Check.Assertion()
 				if err != nil {
 					return fails, err
 				}
-				checkFails, err := assert.Assert(ctx, path.Index(i).Child("check"), parsed, actual, bindings, opts...)
+				checkFails, err := assert.Assert(ctx, path, parsed, actual, bindings, opts...)
 				if err != nil {
 					return fails, err
 				}
@@ -76,11 +77,12 @@ func MatchAssert(ctx context.Context, path *field.Path, match *v1alpha1.Assert,
 			var fails []Result
 			path := path.Child("all")
 			for i, assertion := range match.All {
-				parsed, err := assert.Parse(ctx, path.Index(i).Child("check"), assertion.Check.Raw())
+				path := path.Index(i).Child("check")
+				parsed, err := assertion.Check.Assertion()
 				if err != nil {
 					return fails, err
 				}
-				checkFails, err := assert.Assert(ctx, path.Index(i).Child("check"), parsed, actual, bindings, opts...)
+				checkFails, err := assert.Assert(ctx, path, parsed, actual, bindings, opts...)
 				if err != nil {
 					return fails, err
 				}
@@ -126,11 +128,12 @@ func Match(ctx context.Context, path *field.Path, match *v1alpha1.Match, actual
 func MatchAny(ctx context.Context, path *field.Path, assertions []v1alpha1.AssertionTree, actual any, bindings binding.Bindings, opts ...template.Option) (field.ErrorList, error) {
 	var errs field.ErrorList
 	for i, assertion := range assertions {
-		parsed, err := assert.Parse(ctx, path.Index(i), assertion.Raw())
+		path := path.Index(i)
+		assertion, err := assertion.Assertion()
 		if err != nil {
 			return errs, err
 		}
-		_errs, err := assert.Assert(ctx, path.Index(i), parsed, actual, bindings, opts...)
+		_errs, err := assert.Assert(ctx, path, assertion, actual, bindings, opts...)
 		if err != nil {
 			return errs, err
 		}
@@ -145,11 +148,12 @@ func MatchAny(ctx context.Context, path *field.Path, assertions []v1alpha1.Asser
 func MatchAll(ctx context.Context, path *field.Path, assertions []v1alpha1.AssertionTree, actual any, bindings binding.Bindings, opts ...template.Option) (field.ErrorList, error) {
 	var errs field.ErrorList
 	for i, assertion := range assertions {
-		parsed, err := assert.Parse(ctx, path.Index(i), assertion.Raw())
+		path := path.Index(i)
+		assertion, err := assertion.Assertion()
 		if err != nil {
 			return errs, err
 		}
-		_errs, err := assert.Assert(ctx, path.Index(i), parsed, actual, bindings, opts...)
+		_errs, err := assert.Assert(ctx, path, assertion, actual, bindings, opts...)
 		if err != nil {
 			return errs, err
 		}