kubewarden · jvanz · Aug 1, 2023 · Aug 1, 2023 · Aug 1, 2023 · Aug 1, 2023
@@ -1,17 +1,16 @@
 on:
   push:
     branches:
-    - main
+      - main
     tags:
-    - 'v*'
+      - "v*"
 
 name: Release policy
 
 jobs:
-
   test:
     name: run tests and linters
-    uses: kubewarden/github-actions/.github/workflows/[email protected].4
+    uses: kubewarden/github-actions/.github/workflows/[email protected].6
 
   release:
     needs: test
@@ -23,6 +22,6 @@ jobs:
       # Required by cosign keyless signing
       id-token: write
 
-    uses: kubewarden/github-actions/.github/workflows/[email protected].4
+    uses: kubewarden/github-actions/.github/workflows/[email protected].6
     with:
       oci-target: ghcr.io/${{ github.repository_owner }}/policies/safe-annotations
@@ -3,4 +3,4 @@ name: Continuous integration
 jobs:
   test:
     name: run tests and linters
-    uses: kubewarden/github-actions/.github/workflows/[email protected].4
+    uses: kubewarden/github-actions/.github/workflows/[email protected].6
@@ -3,19 +3,12 @@ SOURCE_FILES := $(shell find . -type f -name '*.go')
 # starting with v.
 VERSION ?= $(shell git describe | cut -c2-)
 
-types_easyjson.go: types.go
-	docker run \
-		--rm \
-		-v ${PWD}:/src \
-		-w /src \
-		golang:1.17-alpine ./hack/generate-easyjson.sh
-
-policy.wasm: $(SOURCE_FILES) go.mod go.sum types_easyjson.go
+policy.wasm: $(SOURCE_FILES) go.mod go.sum
 	docker run \
 		--rm \
 		-e GOFLAGS="-buildvcs=false" \
 		-v ${PWD}:/src \
-		-w /src tinygo/tinygo:0.27.0 \
+		-w /src tinygo/tinygo:0.28.1 \
 		tinygo build -o policy.wasm -target=wasi -no-debug .
 
 artifacthub-pkg.yml: metadata.yml go.mod
@@ -31,7 +24,7 @@ annotated-policy.wasm: policy.wasm metadata.yml artifacthub-pkg.yml
 	kwctl annotate -m metadata.yml -u README.md -o annotated-policy.wasm policy.wasm
 
 .PHONY: test
-test: types_easyjson.go
+test:
 	go test -v
 
 .PHONY: e2e-tests

@@ -4,27 +4,27 @@
 #
 # This config can be saved to its default location with:
 #   kwctl scaffold artifacthub > artifacthub-pkg.yml 
-version: 0.2.8
+version: 0.2.9
 name: safe-annotations
 displayName: Safe Annotations
-createdAt: 2023-07-07T18:51:34.299402705Z
+createdAt: 2023-08-01T08:12:22.889095273Z
 description: A policy that validates Kubernetes' resource annotations
 license: Apache-2.0
 homeURL: https://github.com/kubewarden/safe-annotations-policy
 containersImages:
 - name: policy
-  image: ghcr.io/kubewarden/policies/safe-annotations:v0.2.8
+  image: ghcr.io/kubewarden/policies/safe-annotations:v0.2.9
 keywords:
 - annotations
 links:
 - name: policy
-  url: https://github.com/kubewarden/safe-annotations-policy/releases/download/v0.2.8/policy.wasm
+  url: https://github.com/kubewarden/safe-annotations-policy/releases/download/v0.2.9/policy.wasm
 - name: source
   url: https://github.com/kubewarden/safe-annotations-policy
 install: |
   The policy can be obtained using [`kwctl`](https://github.com/kubewarden/kwctl):
   ```console
-  kwctl pull ghcr.io/kubewarden/policies/safe-annotations:v0.2.8
+  kwctl pull ghcr.io/kubewarden/policies/safe-annotations:v0.2.9
   ```
 maintainers:
 - name: Kubewarden developers

@@ -5,17 +5,15 @@ go 1.20
 require (
 	github.com/deckarep/golang-set/v2 v2.3.0
 	github.com/kubewarden/gjson v1.7.2
-	github.com/kubewarden/policy-sdk-go v0.4.1
-	github.com/mailru/easyjson v0.7.7
+	github.com/kubewarden/policy-sdk-go v0.5.0
 	github.com/wapc/wapc-guest-tinygo v0.3.3
 )
 
 require (
 	github.com/go-openapi/strfmt v0.21.3 // indirect
-	github.com/josharian/intern v1.0.0 // indirect
-	github.com/kubewarden/k8s-objects v1.24.0-kw7 // indirect
+	github.com/kubewarden/k8s-objects v1.27.0-kw2 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.0 // indirect
 )
 
-replace github.com/go-openapi/strfmt => github.com/kubewarden/strfmt v0.1.2
+replace github.com/go-openapi/strfmt => github.com/kubewarden/strfmt v0.1.3
@@ -1,23 +1,16 @@
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/deckarep/golang-set/v2 v2.3.0 h1:qs18EKUfHm2X9fA50Mr/M5hccg2tNnVqsiBImnyDs0g=
 github.com/deckarep/golang-set/v2 v2.3.0/go.mod h1:VAky9rY/yGXJOLEDv3OMci+7wtDpOF4IN+y82NBOac4=
-github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
-github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/kubewarden/gjson v1.7.2 h1:+cLRfPqyvjwrkgE68cGdNfUy1Z6L45DjvuFH9/ofwQ0=
 github.com/kubewarden/gjson v1.7.2/go.mod h1:jSlxpubGqBG5HHe4v8kwcc8z1JF2reJ7AJAUojw66AY=
-github.com/kubewarden/k8s-objects v1.24.0-kw4 h1:/XAEdK8uHUz+asM/PgUs1T4vgCN7d+tiDDb5azMOimo=
-github.com/kubewarden/k8s-objects v1.24.0-kw4/go.mod h1:0d8vhSnO2G4bwo58G9ncQYhsgBggGzgh+V0Wqc3CLe8=
-github.com/kubewarden/k8s-objects v1.24.0-kw7 h1:uXGSLyyp/qnipq7yNxFy5zebFRy8utoO+wn1fW6QkkU=
-github.com/kubewarden/k8s-objects v1.24.0-kw7/go.mod h1:IuIHLG1JtxjC1JnY7SyEEA9MukCh/FACcwpzaBjgdLQ=
-github.com/kubewarden/policy-sdk-go v0.3.0 h1:5WqhrC3eJP+gRti14d4vCyXCITeM95X4hob6QA96eX8=
-github.com/kubewarden/policy-sdk-go v0.3.0/go.mod h1:zJLxhZkoFVKOlHJ3mlbG8qTCvVbkZprZ7odVwVsunUo=
-github.com/kubewarden/policy-sdk-go v0.4.0 h1:qxYHarQ3fHD90QErZEjXRzErEOXLQVtTYKmtyv0rtMQ=
-github.com/kubewarden/policy-sdk-go v0.4.0/go.mod h1:pY1FrcuGdhnzzN31wNieAimI4+7rYWbtkP+tYGna0Ug=
-github.com/kubewarden/policy-sdk-go v0.4.1 h1:MTGxJaWWH6dZBwCdZ+FYVUclxveGzW3p4kuUJiZw+7M=
-github.com/kubewarden/policy-sdk-go v0.4.1/go.mod h1:pY1FrcuGdhnzzN31wNieAimI4+7rYWbtkP+tYGna0Ug=
-github.com/kubewarden/strfmt v0.1.2 h1:S0YUVkPeyUMikz8QssbMzfd1MC5K8ZqxLI2zfF8euMs=
-github.com/kubewarden/strfmt v0.1.2/go.mod h1:sqLlis8qlm4A4pnZsRyRjNxyH86fiM+7Ee7bO+uJk94=
-github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
-github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/kubewarden/k8s-objects v1.27.0-kw2 h1:6ZA72SFtDSbCupwxlIyJimUzN0nSweMCUx5jUEnoxkw=
+github.com/kubewarden/k8s-objects v1.27.0-kw2/go.mod h1:wVx4Rg1HKml8yewPwAHUWp1wYSAtBlKV/tsmteDuK1g=
+github.com/kubewarden/policy-sdk-go v0.5.0 h1:JnSRf5pHjFzTNNp6jJbSP5a4cwzFzkUBjLujqJd+Z+w=
+github.com/kubewarden/policy-sdk-go v0.5.0/go.mod h1:1IZXauwI5iCuOZj7tU58nE/SZFb/HsCmj3ZpDVStVQs=
+github.com/kubewarden/strfmt v0.1.3 h1:bb+2rbotioROjCkziSt+hqnHXzOlumN94NxDKdV2kPI=
+github.com/kubewarden/strfmt v0.1.3/go.mod h1:DXoaaIYwqW1LyyRoMeyxfHUU+VUSTNFdj38juCXfRzs=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/tidwall/match v1.0.3/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
 github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
 github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
@@ -26,3 +19,4 @@ github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs=
 github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
 github.com/wapc/wapc-guest-tinygo v0.3.3 h1:jLebiwjVSHLGnS+BRabQ6+XOV7oihVWAc05Hf1SbeR0=
 github.com/wapc/wapc-guest-tinygo v0.3.3/go.mod h1:mzM3CnsdSYktfPkaBdZ8v88ZlfUDEy5Jh5XBOV3fYcw=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
@@ -1,20 +1,56 @@
 package main
 
 import (
-	mapset "github.com/deckarep/golang-set/v2"
-	kubewarden "github.com/kubewarden/policy-sdk-go"
-	kubewarden_protocol "github.com/kubewarden/policy-sdk-go/protocol"
-	easyjson "github.com/mailru/easyjson"
-
+	"encoding/json"
 	"fmt"
 	"regexp"
 	"strings"
+
+	mapset "github.com/deckarep/golang-set/v2"
+	kubewarden "github.com/kubewarden/policy-sdk-go"
+	kubewarden_protocol "github.com/kubewarden/policy-sdk-go/protocol"
 )
 
+// A wrapper around the standard regexp.Regexp struct
+// that implements marshalling and unmarshalling
+type RegularExpression struct {
+	*regexp.Regexp
+}
+
+// Convenience method to build a regular expression
+func CompileRegularExpression(expr string) (*RegularExpression, error) {
+	nativeRegExp, err := regexp.Compile(expr)
+	if err != nil {
+		return nil, err
+	}
+	return &RegularExpression{nativeRegExp}, nil
+}
+
+// UnmarshalText satisfies the encoding.TextMarshaler interface,
+// also used by json.Unmarshal.
+func (r *RegularExpression) UnmarshalText(text []byte) error {
+	nativeRegExp, err := regexp.Compile(string(text))
+	if err != nil {
+		return err
+	}
+	r.Regexp = nativeRegExp
+	return nil
+}
+
+// MarshalText satisfies the encoding.TextMarshaler interface,
+// also used by json.Marshal.
+func (r *RegularExpression) MarshalText() ([]byte, error) {
+	if r.Regexp != nil {
+		return []byte(r.Regexp.String()), nil
+	}
+
+	return nil, nil
+}
+
 type Settings struct {
-	DeniedAnnotations      mapset.Set[string]        `json:"denied_annotations"`
-	MandatoryAnnotations   mapset.Set[string]        `json:"mandatory_annotations"`
-	ConstrainedAnnotations map[string]*regexp.Regexp `json:"constrained_annotations"`
+	DeniedAnnotations      mapset.Set[string]            `json:"denied_annotations"`
+	MandatoryAnnotations   mapset.Set[string]            `json:"mandatory_annotations"`
+	ConstrainedAnnotations map[string]*RegularExpression `json:"constrained_annotations"`
 }
 
 // Builds a new Settings instance starting from a validation
@@ -28,41 +64,15 @@ type Settings struct {
 //	      "constrained_annotations": { ... }
 //	   }
 //	}
-func NewSettingsFromValidationReq(validationReq kubewarden_protocol.ValidationRequest) (Settings, error) {
-	return newSettings(validationReq.Settings)
-}
+func NewSettingsFromValidationReq(validationRequest kubewarden_protocol.ValidationRequest) (Settings, error) {
+	settings := Settings{}
 
-func newSettings(settingsJson []byte) (Settings, error) {
-	basicSettings := BasicSettings{}
-	err := easyjson.Unmarshal(settingsJson, &basicSettings)
+	err := json.Unmarshal(validationRequest.Settings, &settings)
 	if err != nil {
 		return Settings{}, err
 	}
 
-	deniedAnnotations := mapset.NewThreadUnsafeSet[string]()
-	for _, label := range basicSettings.DeniedAnnotations {
-		deniedAnnotations.Add(label)
-	}
-
-	mandatoryAnnotations := mapset.NewThreadUnsafeSet[string]()
-	for _, label := range basicSettings.MandatoryAnnotations {
-		mandatoryAnnotations.Add(label)
-	}
-
-	constrainedAnnotations := make(map[string]*regexp.Regexp)
-	for name, expr := range basicSettings.ConstrainedAnnotations {
-		reg, err := regexp.Compile(expr)
-		if err != nil {
-			return Settings{}, fmt.Errorf("Cannot compile regexp %s: %v", expr, err)
-		}
-		constrainedAnnotations[name] = reg
-	}
-
-	return Settings{
-		DeniedAnnotations:      deniedAnnotations,
-		MandatoryAnnotations:   mandatoryAnnotations,
-		ConstrainedAnnotations: constrainedAnnotations,
-	}, nil
+	return settings, nil
 }
 
 func (s *Settings) Valid() (bool, error) {
@@ -104,10 +114,34 @@ func (s *Settings) Valid() (bool, error) {
 	return true, nil
 }
 
+func (s *Settings) UnmarshalJSON(data []byte) error {
+	// This is needed becaus golang-set v2.3.0 has a bug that prevents
+	// the correct unmarshalling of ThreadUnsafeSet types.
+	rawSettings := struct {
+		DeniedAnnotations      []string                      `json:"denied_annotations"`
+		MandatoryAnnotations   []string                      `json:"mandatory_annotations"`
+		ConstrainedAnnotations map[string]*RegularExpression `json:"constrained_annotations"`
+	}{}
+
+	err := json.Unmarshal(data, &rawSettings)
+	if err != nil {
+		return err
+	}
+
+	s.DeniedAnnotations = mapset.NewThreadUnsafeSet[string](rawSettings.DeniedAnnotations...)
+	s.MandatoryAnnotations = mapset.NewThreadUnsafeSet[string](rawSettings.MandatoryAnnotations...)
+	s.ConstrainedAnnotations = rawSettings.ConstrainedAnnotations
+
+	return nil
+}
+
 func validateSettings(payload []byte) ([]byte, error) {
-	settings, err := newSettings(payload)
+	settings := Settings{}
+
+	err := json.Unmarshal(payload, &settings)
 	if err != nil {
-		// this happens when one of the user-defined regular expressions are invalid
+		// this happens when one the payload cannot be unmarshaled
+		// or one of the user-defined regular expressions is invalid
 		return kubewarden.RejectSettings(
 			kubewarden.Message(fmt.Sprintf("Provided settings are not valid: %v", err)))
 	}
@@ -116,6 +150,7 @@ func validateSettings(payload []byte) ([]byte, error) {
 	if valid {
 		return kubewarden.AcceptSettings()
 	}
+
 	return kubewarden.RejectSettings(
 		kubewarden.Message(fmt.Sprintf("Provided settings are not valid: %v", err)))
 }