From 44cb08f53ee1ca8fec837d13b5439cf97eee536d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 26 Nov 2025 14:26:47 +0000 Subject: [PATCH] vendor: bump the k8s-dependencies group with 5 updates Bumps the k8s-dependencies group with 5 updates: | Package | From | To | | --- | --- | --- | | [k8s.io/api](https://github.com/kubernetes/api) | `0.34.1` | `0.34.2` | | [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) | `0.34.1` | `0.34.2` | | [k8s.io/client-go](https://github.com/kubernetes/client-go) | `0.34.1` | `0.34.2` | | [k8s.io/mount-utils](https://github.com/kubernetes/mount-utils) | `0.33.3` | `0.34.2` | | [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) | `0.21.0` | `0.22.4` | Updates `k8s.io/api` from 0.34.1 to 0.34.2 - [Commits](https://github.com/kubernetes/api/compare/v0.34.1...v0.34.2) Updates `k8s.io/apimachinery` from 0.34.1 to 0.34.2 - [Commits](https://github.com/kubernetes/apimachinery/compare/v0.34.1...v0.34.2) Updates `k8s.io/client-go` from 0.34.1 to 0.34.2 - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](https://github.com/kubernetes/client-go/compare/v0.34.1...v0.34.2) Updates `k8s.io/mount-utils` from 0.33.3 to 0.34.2 - [Commits](https://github.com/kubernetes/mount-utils/compare/v0.33.3...v0.34.2) Updates `sigs.k8s.io/controller-runtime` from 0.21.0 to 0.22.4 - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md) - [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.21.0...v0.22.4) --- updated-dependencies: - dependency-name: k8s.io/api dependency-version: 0.34.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-dependencies - dependency-name: k8s.io/apimachinery dependency-version: 0.34.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-dependencies - dependency-name: k8s.io/client-go dependency-version: 0.34.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-dependencies - dependency-name: k8s.io/mount-utils dependency-version: 0.34.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: k8s-dependencies - dependency-name: sigs.k8s.io/controller-runtime dependency-version: 0.22.4 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: k8s-dependencies ... Signed-off-by: dependabot[bot] --- go.mod | 20 +- go.sum | 40 +- .../github.com/fsnotify/fsnotify/.cirrus.yml | 7 +- .../fsnotify/fsnotify/.editorconfig | 12 - .../fsnotify/fsnotify/.gitattributes | 1 - .../github.com/fsnotify/fsnotify/.gitignore | 3 + .../github.com/fsnotify/fsnotify/CHANGELOG.md | 67 +- .../fsnotify/fsnotify/CONTRIBUTING.md | 121 ++- vendor/github.com/fsnotify/fsnotify/README.md | 2 - .../fsnotify/fsnotify/backend_fen.go | 401 +++----- .../fsnotify/fsnotify/backend_inotify.go | 735 +++++++-------- .../fsnotify/fsnotify/backend_kqueue.go | 783 +++++++--------- .../fsnotify/fsnotify/backend_other.go | 203 +--- .../fsnotify/fsnotify/backend_windows.go | 321 ++----- .../github.com/fsnotify/fsnotify/fsnotify.go | 370 +++++++- .../fsnotify/fsnotify/internal/darwin.go | 39 + .../fsnotify/internal/debug_darwin.go | 57 ++ .../fsnotify/internal/debug_dragonfly.go | 33 + .../fsnotify/internal/debug_freebsd.go | 42 + .../fsnotify/internal/debug_kqueue.go | 32 + .../fsnotify/fsnotify/internal/debug_linux.go | 56 ++ .../fsnotify/internal/debug_netbsd.go | 25 + .../fsnotify/internal/debug_openbsd.go | 28 + .../fsnotify/internal/debug_solaris.go | 45 + .../fsnotify/internal/debug_windows.go | 40 + .../fsnotify/fsnotify/internal/freebsd.go | 31 + .../fsnotify/fsnotify/internal/internal.go | 2 + .../fsnotify/fsnotify/internal/unix.go | 31 + .../fsnotify/fsnotify/internal/unix2.go | 7 + .../fsnotify/fsnotify/internal/windows.go | 41 + vendor/github.com/fsnotify/fsnotify/mkdoc.zsh | 259 ----- vendor/github.com/fsnotify/fsnotify/shared.go | 64 ++ .../fsnotify/fsnotify/staticcheck.conf | 3 + .../fsnotify/fsnotify/system_bsd.go | 1 - .../fsnotify/fsnotify/system_darwin.go | 1 - .../github.com/google/cel-go/cel/BUILD.bazel | 13 +- vendor/github.com/google/cel-go/cel/decls.go | 70 +- vendor/github.com/google/cel-go/cel/env.go | 233 ++++- .../github.com/google/cel-go/cel/folding.go | 60 +- vendor/github.com/google/cel-go/cel/io.go | 57 +- .../github.com/google/cel-go/cel/library.go | 409 ++++---- vendor/github.com/google/cel-go/cel/macro.go | 30 +- .../github.com/google/cel-go/cel/options.go | 227 ++++- .../github.com/google/cel-go/cel/program.go | 274 +++--- vendor/github.com/google/cel-go/cel/prompt.go | 155 +++ .../cel-go/cel/templates/authoring.tmpl | 56 ++ .../github.com/google/cel-go/cel/validator.go | 70 +- .../google/cel-go/checker/checker.go | 11 + .../github.com/google/cel-go/checker/cost.go | 7 +- .../google/cel-go/checker/decls/decls.go | 37 +- .../google/cel-go/checker/errors.go | 4 + .../google/cel-go/common/BUILD.bazel | 2 + .../google/cel-go/common/ast/ast.go | 78 ++ .../google/cel-go/common/ast/navigable.go | 7 +- .../cel-go/common/containers/container.go | 14 +- .../google/cel-go/common/decls/BUILD.bazel | 2 + .../google/cel-go/common/decls/decls.go | 287 +++++- vendor/github.com/google/cel-go/common/doc.go | 154 +++ .../google/cel-go/common/env/BUILD.bazel | 50 + .../google/cel-go/common/env/env.go | 887 ++++++++++++++++++ .../google/cel-go/common/stdlib/BUILD.bazel | 1 + .../google/cel-go/common/stdlib/standard.go | 702 +++++++++++--- .../google/cel-go/common/types/BUILD.bazel | 1 + .../google/cel-go/common/types/bool.go | 9 + .../google/cel-go/common/types/bytes.go | 15 + .../google/cel-go/common/types/double.go | 22 + .../google/cel-go/common/types/duration.go | 5 + .../google/cel-go/common/types/format.go | 42 + .../google/cel-go/common/types/int.go | 5 + .../google/cel-go/common/types/list.go | 16 + .../google/cel-go/common/types/map.go | 36 + .../google/cel-go/common/types/null.go | 5 + .../google/cel-go/common/types/object.go | 29 + .../google/cel-go/common/types/optional.go | 11 + .../google/cel-go/common/types/string.go | 4 + .../google/cel-go/common/types/timestamp.go | 4 + .../google/cel-go/common/types/types.go | 11 +- .../google/cel-go/common/types/uint.go | 6 + .../github.com/google/cel-go/ext/BUILD.bazel | 17 +- vendor/github.com/google/cel-go/ext/README.md | 30 +- .../github.com/google/cel-go/ext/bindings.go | 10 +- .../cel-go/ext/extension_option_factory.go | 75 ++ .../google/cel-go/ext/formatting.go | 25 +- .../google/cel-go/ext/formatting_v2.go | 788 ++++++++++++++++ vendor/github.com/google/cel-go/ext/lists.go | 268 +++++- vendor/github.com/google/cel-go/ext/math.go | 47 + vendor/github.com/google/cel-go/ext/native.go | 2 +- vendor/github.com/google/cel-go/ext/regex.go | 332 +++++++ vendor/github.com/google/cel-go/ext/sets.go | 14 +- .../github.com/google/cel-go/ext/strings.go | 63 +- .../google/cel-go/interpreter/activation.go | 14 +- .../cel-go/interpreter/attribute_patterns.go | 2 +- .../cel-go/interpreter/interpretable.go | 86 +- .../google/cel-go/interpreter/interpreter.go | 188 +++- .../google/cel-go/interpreter/planner.go | 48 +- .../google/cel-go/interpreter/runtimecost.go | 225 +++-- .../github.com/google/cel-go/parser/macro.go | 181 +++- .../grpc/otelgrpc/stats_handler.go | 51 +- .../grpc/otelgrpc/version.go | 2 +- .../pkg/apis/apiextensions/v1/conversion.go | 2 +- .../pkg/apis/apiextensions/v1/defaults.go | 4 +- .../apis/apiextensions/v1beta1/conversion.go | 2 +- .../apis/apiextensions/v1beta1/defaults.go | 6 +- .../v1/customresourcedefinition.go | 17 + .../v1beta1/customresourcedefinition.go | 17 + .../apiserver/pkg/apis/apiserver/types.go | 19 + .../pkg/apis/apiserver/v1/defaults.go | 7 + .../pkg/apis/apiserver/v1/register.go | 2 + .../apiserver/pkg/apis/apiserver/v1/types.go | 389 ++++++++ .../apiserver/v1/zz_generated.conversion.go | 502 +++++++++- .../apiserver/v1/zz_generated.deepcopy.go | 273 ++++++ .../pkg/apis/apiserver/v1alpha1/defaults.go | 7 + .../pkg/apis/apiserver/v1alpha1/types.go | 35 + .../v1alpha1/zz_generated.conversion.go | 58 +- .../v1alpha1/zz_generated.deepcopy.go | 10 + .../pkg/apis/apiserver/v1beta1/defaults.go | 7 + .../pkg/apis/apiserver/v1beta1/types.go | 35 + .../v1beta1/zz_generated.conversion.go | 58 +- .../v1beta1/zz_generated.deepcopy.go | 10 + .../apis/apiserver/validation/validation.go | 64 +- vendor/k8s.io/apiserver/pkg/audit/context.go | 266 +++++- vendor/k8s.io/apiserver/pkg/audit/request.go | 207 ++-- .../pkg/authentication/cel/interface.go | 9 +- .../pkg/authentication/cel/mapper.go | 33 +- .../token/cache/cached_token_authenticator.go | 6 +- .../apiserver/pkg/cel/environment/base.go | 7 + .../k8s.io/apiserver/pkg/cel/library/cost.go | 28 +- .../pkg/endpoints/request/methods.go | 37 + .../pkg/endpoints/request/requestinfo.go | 10 +- .../apiserver/pkg/features/kube_features.go | 247 +++-- .../pkg/server/egressselector/config.go | 8 +- .../apiserver/pkg/util/webhook/validation.go | 4 +- .../leaderelection/resourcelock/leaselock.go | 3 + vendor/k8s.io/client-go/util/cert/cert.go | 4 +- .../component-base/zpages/features/doc.go | 22 + .../zpages/features/kube_features.go | 52 + vendor/k8s.io/mount-utils/README.md | 5 + vendor/k8s.io/mount-utils/mount.go | 6 +- .../k8s.io/mount-utils/mount_helper_unix.go | 2 +- vendor/k8s.io/utils/pointer/OWNERS | 10 - vendor/k8s.io/utils/pointer/README.md | 3 - vendor/k8s.io/utils/pointer/pointer.go | 249 ----- vendor/modules.txt | 29 +- .../controller-runtime/.golangci.yml | 10 + .../controller-runtime/OWNERS_ALIASES | 4 +- .../sigs.k8s.io/controller-runtime/README.md | 6 +- .../controller-runtime/VERSIONING.md | 10 + .../controller-runtime/pkg/builder/webhook.go | 1 + .../controller-runtime/pkg/cache/cache.go | 93 +- .../pkg/cache/internal/cache_reader.go | 9 +- .../pkg/cache/internal/informers.go | 2 +- .../pkg/certwatcher/certwatcher.go | 25 +- .../pkg/client/apiutil/apimachinery.go | 20 +- .../pkg/client/applyconfigurations.go | 75 ++ .../controller-runtime/pkg/client/client.go | 13 +- .../pkg/client/client_rest_resources.go | 105 ++- .../controller-runtime/pkg/client/dryrun.go | 4 + .../pkg/client/fake/client.go | 475 ++++++++-- .../pkg/client/fake/typeconverter.go | 60 ++ .../pkg/client/fieldowner.go | 4 + .../pkg/client/fieldvalidation.go | 4 + .../pkg/client/interceptor/intercept.go | 9 + .../pkg/client/interfaces.go | 3 + .../pkg/client/namespaced_client.go | 56 +- .../controller-runtime/pkg/client/options.go | 127 ++- .../controller-runtime/pkg/client/patch.go | 5 + .../pkg/client/typed_client.go | 57 +- .../pkg/client/unstructured_client.go | 57 +- .../pkg/config/controller.go | 23 +- .../pkg/controller/controller.go | 37 +- .../controller/priorityqueue/priorityqueue.go | 139 ++- .../pkg/envtest/binaries.go | 75 +- .../controller-runtime/pkg/envtest/server.go | 63 +- .../pkg/handler/enqueue_mapped.go | 3 +- .../pkg/handler/eventhandler.go | 70 +- .../pkg/internal/controller/controller.go | 275 ++++-- .../testing/controlplane/apiserver.go | 7 +- .../pkg/internal/testing/controlplane/etcd.go | 4 + .../pkg/leaderelection/leader_election.go | 32 +- .../pkg/manager/internal.go | 17 + .../controller-runtime/pkg/manager/manager.go | 21 +- .../pkg/manager/runnable_group.go | 60 +- .../controller-runtime/pkg/manager/server.go | 2 +- .../pkg/predicate/predicate.go | 25 +- .../pkg/webhook/conversion/conversion.go | 21 +- .../pkg/webhook/conversion/metrics/metrics.go | 39 + 186 files changed, 11684 insertions(+), 3743 deletions(-) delete mode 100644 vendor/github.com/fsnotify/fsnotify/.editorconfig delete mode 100644 vendor/github.com/fsnotify/fsnotify/.gitattributes create mode 100644 vendor/github.com/fsnotify/fsnotify/internal/darwin.go create mode 100644 vendor/github.com/fsnotify/fsnotify/internal/debug_darwin.go create mode 100644 vendor/github.com/fsnotify/fsnotify/internal/debug_dragonfly.go create mode 100644 vendor/github.com/fsnotify/fsnotify/internal/debug_freebsd.go create mode 100644 vendor/github.com/fsnotify/fsnotify/internal/debug_kqueue.go create mode 100644 vendor/github.com/fsnotify/fsnotify/internal/debug_linux.go create mode 100644 vendor/github.com/fsnotify/fsnotify/internal/debug_netbsd.go create mode 100644 vendor/github.com/fsnotify/fsnotify/internal/debug_openbsd.go create mode 100644 vendor/github.com/fsnotify/fsnotify/internal/debug_solaris.go create mode 100644 vendor/github.com/fsnotify/fsnotify/internal/debug_windows.go create mode 100644 vendor/github.com/fsnotify/fsnotify/internal/freebsd.go create mode 100644 vendor/github.com/fsnotify/fsnotify/internal/internal.go create mode 100644 vendor/github.com/fsnotify/fsnotify/internal/unix.go create mode 100644 vendor/github.com/fsnotify/fsnotify/internal/unix2.go create mode 100644 vendor/github.com/fsnotify/fsnotify/internal/windows.go delete mode 100644 vendor/github.com/fsnotify/fsnotify/mkdoc.zsh create mode 100644 vendor/github.com/fsnotify/fsnotify/shared.go create mode 100644 vendor/github.com/fsnotify/fsnotify/staticcheck.conf create mode 100644 vendor/github.com/google/cel-go/cel/prompt.go create mode 100644 vendor/github.com/google/cel-go/cel/templates/authoring.tmpl create mode 100644 vendor/github.com/google/cel-go/common/env/BUILD.bazel create mode 100644 vendor/github.com/google/cel-go/common/env/env.go create mode 100644 vendor/github.com/google/cel-go/common/types/format.go create mode 100644 vendor/github.com/google/cel-go/ext/extension_option_factory.go create mode 100644 vendor/github.com/google/cel-go/ext/formatting_v2.go create mode 100644 vendor/github.com/google/cel-go/ext/regex.go create mode 100644 vendor/k8s.io/apiserver/pkg/endpoints/request/methods.go create mode 100644 vendor/k8s.io/component-base/zpages/features/doc.go create mode 100644 vendor/k8s.io/component-base/zpages/features/kube_features.go delete mode 100644 vendor/k8s.io/utils/pointer/OWNERS delete mode 100644 vendor/k8s.io/utils/pointer/README.md delete mode 100644 vendor/k8s.io/utils/pointer/pointer.go create mode 100644 vendor/sigs.k8s.io/controller-runtime/pkg/client/applyconfigurations.go create mode 100644 vendor/sigs.k8s.io/controller-runtime/pkg/client/fake/typeconverter.go create mode 100644 vendor/sigs.k8s.io/controller-runtime/pkg/webhook/conversion/metrics/metrics.go diff --git a/go.mod b/go.mod index d9649b2c7..3d240c59e 100644 --- a/go.mod +++ b/go.mod @@ -14,13 +14,13 @@ require ( go.uber.org/zap v1.27.0 google.golang.org/grpc v1.77.0 google.golang.org/protobuf v1.36.10 - k8s.io/api v0.34.1 - k8s.io/apimachinery v0.34.1 - k8s.io/client-go v0.34.1 + k8s.io/api v0.34.2 + k8s.io/apimachinery v0.34.2 + k8s.io/client-go v0.34.2 k8s.io/klog/v2 v2.130.1 - k8s.io/mount-utils v0.33.3 + k8s.io/mount-utils v0.34.2 k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 - sigs.k8s.io/controller-runtime v0.21.0 + sigs.k8s.io/controller-runtime v0.22.4 ) require ( @@ -36,7 +36,7 @@ require ( github.com/evanphx/json-patch v5.6.0+incompatible // indirect github.com/evanphx/json-patch/v5 v5.9.11 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect - github.com/fsnotify/fsnotify v1.7.0 // indirect + github.com/fsnotify/fsnotify v1.9.0 // indirect github.com/fxamacker/cbor/v2 v2.9.0 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/go-logr/zapr v1.3.0 // indirect @@ -46,7 +46,7 @@ require ( github.com/go-task/slim-sprig/v3 v3.0.0 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/google/btree v1.1.3 // indirect - github.com/google/cel-go v0.23.2 // indirect + github.com/google/cel-go v0.26.0 // indirect github.com/google/gnostic-models v0.7.0 // indirect github.com/google/go-cmp v0.7.0 // indirect github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6 // indirect @@ -71,7 +71,7 @@ require ( github.com/stoewer/go-strcase v1.3.0 // indirect github.com/x448/float16 v0.8.4 // indirect go.opentelemetry.io/auto/sdk v1.2.1 // indirect - go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.58.0 // indirect + go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect go.opentelemetry.io/otel v1.38.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 // indirect @@ -100,8 +100,8 @@ require ( gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/apiextensions-apiserver v0.33.1 // indirect - k8s.io/apiserver v0.33.1 // indirect + k8s.io/apiextensions-apiserver v0.34.1 // indirect + k8s.io/apiserver v0.34.1 // indirect k8s.io/component-base v0.34.1 // indirect k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect diff --git a/go.sum b/go.sum index 928ed548c..0b602921e 100644 --- a/go.sum +++ b/go.sum @@ -29,8 +29,8 @@ github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjT github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= -github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= -github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k= +github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0= github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM= github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ= github.com/gkampitakis/ciinfo v0.3.2 h1:JcuOPk8ZU7nZQjdUhctuhQofk7BGHuIy0c9Ez8BNhXs= @@ -62,8 +62,8 @@ github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg= github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= -github.com/google/cel-go v0.23.2 h1:UdEe3CvQh3Nv+E/j9r1Y//WO0K0cSyD7/y0bzyLIMI4= -github.com/google/cel-go v0.23.2/go.mod h1:52Pb6QsDbC5kvgxvZhiL9QX1oZEkcUF/ZqaPx1J5Wwo= +github.com/google/cel-go v0.26.0 h1:DPGjXackMpJWH680oGY4lZhYjIameYmR+/6RBdDGmaI= +github.com/google/cel-go v0.26.0/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM= github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo= github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ= github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= @@ -168,8 +168,8 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64= go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.58.0 h1:PS8wXpbyaDJQ2VDHHncMe9Vct0Zn1fEjpsjrLxGJoSc= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.58.0/go.mod h1:HDBUsEjOuRC0EzKZ1bSaRGZWUBAzo+MhAcUUORSr4D0= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 h1:x7wzEgXfnzJcHDwStJT+mxOz4etr2EcexjqhBvmoakw= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0/go.mod h1:rg+RlpR5dKwaS95IyyZqj5Wd4E13lk/msnTS0Xl9lJM= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 h1:yd02MEjBdJkG3uabWP9apV+OuWRIXGDuJEUJbOHmCFU= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q= go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8= @@ -267,30 +267,30 @@ gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.34.1 h1:jC+153630BMdlFukegoEL8E/yT7aLyQkIVuwhmwDgJM= -k8s.io/api v0.34.1/go.mod h1:SB80FxFtXn5/gwzCoN6QCtPD7Vbu5w2n1S0J5gFfTYk= -k8s.io/apiextensions-apiserver v0.33.1 h1:N7ccbSlRN6I2QBcXevB73PixX2dQNIW0ZRuguEE91zI= -k8s.io/apiextensions-apiserver v0.33.1/go.mod h1:uNQ52z1A1Gu75QSa+pFK5bcXc4hq7lpOXbweZgi4dqA= -k8s.io/apimachinery v0.34.1 h1:dTlxFls/eikpJxmAC7MVE8oOeP1zryV7iRyIjB0gky4= -k8s.io/apimachinery v0.34.1/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw= -k8s.io/apiserver v0.33.1 h1:yLgLUPDVC6tHbNcw5uE9mo1T6ELhJj7B0geifra3Qdo= -k8s.io/apiserver v0.33.1/go.mod h1:VMbE4ArWYLO01omz+k8hFjAdYfc3GVAYPrhP2tTKccs= -k8s.io/client-go v0.34.1 h1:ZUPJKgXsnKwVwmKKdPfw4tB58+7/Ik3CrjOEhsiZ7mY= -k8s.io/client-go v0.34.1/go.mod h1:kA8v0FP+tk6sZA0yKLRG67LWjqufAoSHA2xVGKw9Of8= +k8s.io/api v0.34.2 h1:fsSUNZhV+bnL6Aqrp6O7lMTy6o5x2C4XLjnh//8SLYY= +k8s.io/api v0.34.2/go.mod h1:MMBPaWlED2a8w4RSeanD76f7opUoypY8TFYkSM+3XHw= +k8s.io/apiextensions-apiserver v0.34.1 h1:NNPBva8FNAPt1iSVwIE0FsdrVriRXMsaWFMqJbII2CI= +k8s.io/apiextensions-apiserver v0.34.1/go.mod h1:hP9Rld3zF5Ay2Of3BeEpLAToP+l4s5UlxiHfqRaRcMc= +k8s.io/apimachinery v0.34.2 h1:zQ12Uk3eMHPxrsbUJgNF8bTauTVR2WgqJsTmwTE/NW4= +k8s.io/apimachinery v0.34.2/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw= +k8s.io/apiserver v0.34.1 h1:U3JBGdgANK3dfFcyknWde1G6X1F4bg7PXuvlqt8lITA= +k8s.io/apiserver v0.34.1/go.mod h1:eOOc9nrVqlBI1AFCvVzsob0OxtPZUCPiUJL45JOTBG0= +k8s.io/client-go v0.34.2 h1:Co6XiknN+uUZqiddlfAjT68184/37PS4QAzYvQvDR8M= +k8s.io/client-go v0.34.2/go.mod h1:2VYDl1XXJsdcAxw7BenFslRQX28Dxz91U9MWKjX97fE= k8s.io/component-base v0.34.1 h1:v7xFgG+ONhytZNFpIz5/kecwD+sUhVE6HU7qQUiRM4A= k8s.io/component-base v0.34.1/go.mod h1:mknCpLlTSKHzAQJJnnHVKqjxR7gBeHRv0rPXA7gdtQ0= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA= k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts= -k8s.io/mount-utils v0.33.3 h1:Q1jsnqdS4LdtJSYSXgiQv/XNrRHQncLk3gMYjKNSZrE= -k8s.io/mount-utils v0.33.3/go.mod h1:1JR4rKymg8B8bCPo618hpSAdrpO6XLh0Acqok/xVwPE= +k8s.io/mount-utils v0.34.2 h1:DiesOtAiYccJWKGRlJZhRkjCHvpQ3YmSlQp+zkkvf9Y= +k8s.io/mount-utils v0.34.2/go.mod h1:MIjjYlqJ0ziYQg0MO09kc9S96GIcMkhF/ay9MncF0GA= k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y= k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 h1:jpcvIRr3GLoUoEKRkHKSmGjxb6lWwrBlJsXc+eUYQHM= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= -sigs.k8s.io/controller-runtime v0.21.0 h1:CYfjpEuicjUecRk+KAeyYh+ouUBn4llGyDYytIGcJS8= -sigs.k8s.io/controller-runtime v0.21.0/go.mod h1:OSg14+F65eWqIu4DceX7k/+QRAbTTvxeQSNSOQpukWM= +sigs.k8s.io/controller-runtime v0.22.4 h1:GEjV7KV3TY8e+tJ2LCTxUTanW4z/FmNB7l327UfMq9A= +sigs.k8s.io/controller-runtime v0.22.4/go.mod h1:+QX1XUpTXN4mLoblf4tqr5CQcyHPAki2HLXqQMY6vh8= sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE= sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= diff --git a/vendor/github.com/fsnotify/fsnotify/.cirrus.yml b/vendor/github.com/fsnotify/fsnotify/.cirrus.yml index ffc7b992b..7f257e99a 100644 --- a/vendor/github.com/fsnotify/fsnotify/.cirrus.yml +++ b/vendor/github.com/fsnotify/fsnotify/.cirrus.yml @@ -1,7 +1,7 @@ freebsd_task: name: 'FreeBSD' freebsd_instance: - image_family: freebsd-13-2 + image_family: freebsd-14-2 install_script: - pkg update -f - pkg install -y go @@ -9,5 +9,6 @@ freebsd_task: # run tests as user "cirrus" instead of root - pw useradd cirrus -m - chown -R cirrus:cirrus . - - FSNOTIFY_BUFFER=4096 sudo --preserve-env=FSNOTIFY_BUFFER -u cirrus go test -parallel 1 -race ./... - - sudo --preserve-env=FSNOTIFY_BUFFER -u cirrus go test -parallel 1 -race ./... + - FSNOTIFY_BUFFER=4096 sudo --preserve-env=FSNOTIFY_BUFFER -u cirrus go test -parallel 1 -race ./... + - sudo --preserve-env=FSNOTIFY_BUFFER -u cirrus go test -parallel 1 -race ./... + - FSNOTIFY_DEBUG=1 sudo --preserve-env=FSNOTIFY_BUFFER -u cirrus go test -parallel 1 -race -v ./... diff --git a/vendor/github.com/fsnotify/fsnotify/.editorconfig b/vendor/github.com/fsnotify/fsnotify/.editorconfig deleted file mode 100644 index fad895851..000000000 --- a/vendor/github.com/fsnotify/fsnotify/.editorconfig +++ /dev/null @@ -1,12 +0,0 @@ -root = true - -[*.go] -indent_style = tab -indent_size = 4 -insert_final_newline = true - -[*.{yml,yaml}] -indent_style = space -indent_size = 2 -insert_final_newline = true -trim_trailing_whitespace = true diff --git a/vendor/github.com/fsnotify/fsnotify/.gitattributes b/vendor/github.com/fsnotify/fsnotify/.gitattributes deleted file mode 100644 index 32f1001be..000000000 --- a/vendor/github.com/fsnotify/fsnotify/.gitattributes +++ /dev/null @@ -1 +0,0 @@ -go.sum linguist-generated diff --git a/vendor/github.com/fsnotify/fsnotify/.gitignore b/vendor/github.com/fsnotify/fsnotify/.gitignore index 391cc076b..daea9dd6d 100644 --- a/vendor/github.com/fsnotify/fsnotify/.gitignore +++ b/vendor/github.com/fsnotify/fsnotify/.gitignore @@ -5,3 +5,6 @@ # Output of go build ./cmd/fsnotify /fsnotify /fsnotify.exe + +/test/kqueue +/test/a.out diff --git a/vendor/github.com/fsnotify/fsnotify/CHANGELOG.md b/vendor/github.com/fsnotify/fsnotify/CHANGELOG.md index e0e575754..6468d2cf4 100644 --- a/vendor/github.com/fsnotify/fsnotify/CHANGELOG.md +++ b/vendor/github.com/fsnotify/fsnotify/CHANGELOG.md @@ -1,8 +1,69 @@ # Changelog -Unreleased ----------- -Nothing yet. +1.9.0 2024-04-04 +---------------- + +### Changes and fixes + +- all: make BufferedWatcher buffered again ([#657]) + +- inotify: fix race when adding/removing watches while a watched path is being + deleted ([#678], [#686]) + +- inotify: don't send empty event if a watched path is unmounted ([#655]) + +- inotify: don't register duplicate watches when watching both a symlink and its + target; previously that would get "half-added" and removing the second would + panic ([#679]) + +- kqueue: fix watching relative symlinks ([#681]) + +- kqueue: correctly mark pre-existing entries when watching a link to a dir on + kqueue ([#682]) + +- illumos: don't send error if changed file is deleted while processing the + event ([#678]) + + +[#657]: https://github.com/fsnotify/fsnotify/pull/657 +[#678]: https://github.com/fsnotify/fsnotify/pull/678 +[#686]: https://github.com/fsnotify/fsnotify/pull/686 +[#655]: https://github.com/fsnotify/fsnotify/pull/655 +[#681]: https://github.com/fsnotify/fsnotify/pull/681 +[#679]: https://github.com/fsnotify/fsnotify/pull/679 +[#682]: https://github.com/fsnotify/fsnotify/pull/682 + +1.8.0 2024-10-31 +---------------- + +### Additions + +- all: add `FSNOTIFY_DEBUG` to print debug logs to stderr ([#619]) + +### Changes and fixes + +- windows: fix behaviour of `WatchList()` to be consistent with other platforms ([#610]) + +- kqueue: ignore events with Ident=0 ([#590]) + +- kqueue: set O_CLOEXEC to prevent passing file descriptors to children ([#617]) + +- kqueue: emit events as "/path/dir/file" instead of "path/link/file" when watching a symlink ([#625]) + +- inotify: don't send event for IN_DELETE_SELF when also watching the parent ([#620]) + +- inotify: fix panic when calling Remove() in a goroutine ([#650]) + +- fen: allow watching subdirectories of watched directories ([#621]) + +[#590]: https://github.com/fsnotify/fsnotify/pull/590 +[#610]: https://github.com/fsnotify/fsnotify/pull/610 +[#617]: https://github.com/fsnotify/fsnotify/pull/617 +[#619]: https://github.com/fsnotify/fsnotify/pull/619 +[#620]: https://github.com/fsnotify/fsnotify/pull/620 +[#621]: https://github.com/fsnotify/fsnotify/pull/621 +[#625]: https://github.com/fsnotify/fsnotify/pull/625 +[#650]: https://github.com/fsnotify/fsnotify/pull/650 1.7.0 - 2023-10-22 ------------------ diff --git a/vendor/github.com/fsnotify/fsnotify/CONTRIBUTING.md b/vendor/github.com/fsnotify/fsnotify/CONTRIBUTING.md index ea379759d..4cc40fa59 100644 --- a/vendor/github.com/fsnotify/fsnotify/CONTRIBUTING.md +++ b/vendor/github.com/fsnotify/fsnotify/CONTRIBUTING.md @@ -1,7 +1,7 @@ Thank you for your interest in contributing to fsnotify! We try to review and merge PRs in a reasonable timeframe, but please be aware that: -- To avoid "wasted" work, please discus changes on the issue tracker first. You +- To avoid "wasted" work, please discuss changes on the issue tracker first. You can just send PRs, but they may end up being rejected for one reason or the other. @@ -20,6 +20,125 @@ platforms. Testing different platforms locally can be done with something like Use the `-short` flag to make the "stress test" run faster. +Writing new tests +----------------- +Scripts in the testdata directory allow creating test cases in a "shell-like" +syntax. The basic format is: + + script + + Output: + desired output + +For example: + + # Create a new empty file with some data. + watch / + echo data >/file + + Output: + create /file + write /file + +Just create a new file to add a new test; select which tests to run with +`-run TestScript/[path]`. + +script +------ +The script is a "shell-like" script: + + cmd arg arg + +Comments are supported with `#`: + + # Comment + cmd arg arg # Comment + +All operations are done in a temp directory; a path like "/foo" is rewritten to +"/tmp/TestFoo/foo". + +Arguments can be quoted with `"` or `'`; there are no escapes and they're +functionally identical right now, but this may change in the future, so best to +assume shell-like rules. + + touch "/file with spaces" + +End-of-line escapes with `\` are not supported. + +### Supported commands + + watch path [ops] # Watch the path, reporting events for it. Nothing is + # watched by default. Optionally a list of ops can be + # given, as with AddWith(path, WithOps(...)). + unwatch path # Stop watching the path. + watchlist n # Assert watchlist length. + + stop # Stop running the script; for debugging. + debug [yes/no] # Enable/disable FSNOTIFY_DEBUG (tests are run in + parallel by default, so -parallel=1 is probably a good + idea). + print [any strings] # Print text to stdout; for debugging. + + touch path + mkdir [-p] dir + ln -s target link # Only ln -s supported. + mkfifo path + mknod dev path + mv src dst + rm [-r] path + chmod mode path # Octal only + sleep time-in-ms + + cat path # Read path (does nothing with the data; just reads it). + echo str >>path # Append "str" to "path". + echo str >path # Truncate "path" and write "str". + + require reason # Skip the test if "reason" is true; "skip" and + skip reason # "require" behave identical; it supports both for + # readability. Possible reasons are: + # + # always Always skip this test. + # symlink Symlinks are supported (requires admin + # permissions on Windows). + # mkfifo Platform doesn't support FIFO named sockets. + # mknod Platform doesn't support device nodes. + + +output +------ +After `Output:` the desired output is given; this is indented by convention, but +that's not required. + +The format of that is: + + # Comment + event path # Comment + + system: + event path + system2: + event path + +Every event is one line, and any whitespace between the event and path are +ignored. The path can optionally be surrounded in ". Anything after a "#" is +ignored. + +Platform-specific tests can be added after GOOS; for example: + + watch / + touch /file + + Output: + # Tested if nothing else matches + create /file + + # Windows-specific test. + windows: + write /file + +You can specify multiple platforms with a comma (e.g. "windows, linux:"). +"kqueue" is a shortcut for all kqueue systems (BSD, macOS). + [goon]: https://github.com/arp242/goon [Vagrant]: https://www.vagrantup.com/ diff --git a/vendor/github.com/fsnotify/fsnotify/README.md b/vendor/github.com/fsnotify/fsnotify/README.md index e480733d1..1f4eb583d 100644 --- a/vendor/github.com/fsnotify/fsnotify/README.md +++ b/vendor/github.com/fsnotify/fsnotify/README.md @@ -15,7 +15,6 @@ Platform support: | ReadDirectoryChangesW | Windows | Supported | | FEN | illumos | Supported | | fanotify | Linux 5.9+ | [Not yet](https://github.com/fsnotify/fsnotify/issues/114) | -| AHAFS | AIX | [aix branch]; experimental due to lack of maintainer and test environment | | FSEvents | macOS | [Needs support in x/sys/unix][fsevents] | | USN Journals | Windows | [Needs support in x/sys/windows][usn] | | Polling | *All* | [Not yet](https://github.com/fsnotify/fsnotify/issues/9) | @@ -25,7 +24,6 @@ untested. [fsevents]: https://github.com/fsnotify/fsnotify/issues/11#issuecomment-1279133120 [usn]: https://github.com/fsnotify/fsnotify/issues/53#issuecomment-1279829847 -[aix branch]: https://github.com/fsnotify/fsnotify/issues/353#issuecomment-1284590129 Usage ----- diff --git a/vendor/github.com/fsnotify/fsnotify/backend_fen.go b/vendor/github.com/fsnotify/fsnotify/backend_fen.go index 28497f1dd..57fc69284 100644 --- a/vendor/github.com/fsnotify/fsnotify/backend_fen.go +++ b/vendor/github.com/fsnotify/fsnotify/backend_fen.go @@ -1,162 +1,44 @@ //go:build solaris -// +build solaris -// Note: the documentation on the Watcher type and methods is generated from -// mkdoc.zsh +// FEN backend for illumos (supported) and Solaris (untested, but should work). +// +// See port_create(3c) etc. for docs. https://www.illumos.org/man/3C/port_create package fsnotify import ( "errors" "fmt" + "io/fs" "os" "path/filepath" "sync" + "time" + "github.com/fsnotify/fsnotify/internal" "golang.org/x/sys/unix" ) -// Watcher watches a set of paths, delivering events on a channel. -// -// A watcher should not be copied (e.g. pass it by pointer, rather than by -// value). -// -// # Linux notes -// -// When a file is removed a Remove event won't be emitted until all file -// descriptors are closed, and deletes will always emit a Chmod. For example: -// -// fp := os.Open("file") -// os.Remove("file") // Triggers Chmod -// fp.Close() // Triggers Remove -// -// This is the event that inotify sends, so not much can be changed about this. -// -// The fs.inotify.max_user_watches sysctl variable specifies the upper limit -// for the number of watches per user, and fs.inotify.max_user_instances -// specifies the maximum number of inotify instances per user. Every Watcher you -// create is an "instance", and every path you add is a "watch". -// -// These are also exposed in /proc as /proc/sys/fs/inotify/max_user_watches and -// /proc/sys/fs/inotify/max_user_instances -// -// To increase them you can use sysctl or write the value to the /proc file: -// -// # Default values on Linux 5.18 -// sysctl fs.inotify.max_user_watches=124983 -// sysctl fs.inotify.max_user_instances=128 -// -// To make the changes persist on reboot edit /etc/sysctl.conf or -// /usr/lib/sysctl.d/50-default.conf (details differ per Linux distro; check -// your distro's documentation): -// -// fs.inotify.max_user_watches=124983 -// fs.inotify.max_user_instances=128 -// -// Reaching the limit will result in a "no space left on device" or "too many open -// files" error. -// -// # kqueue notes (macOS, BSD) -// -// kqueue requires opening a file descriptor for every file that's being watched; -// so if you're watching a directory with five files then that's six file -// descriptors. You will run in to your system's "max open files" limit faster on -// these platforms. -// -// The sysctl variables kern.maxfiles and kern.maxfilesperproc can be used to -// control the maximum number of open files, as well as /etc/login.conf on BSD -// systems. -// -// # Windows notes -// -// Paths can be added as "C:\path\to\dir", but forward slashes -// ("C:/path/to/dir") will also work. -// -// When a watched directory is removed it will always send an event for the -// directory itself, but may not send events for all files in that directory. -// Sometimes it will send events for all times, sometimes it will send no -// events, and often only for some files. -// -// The default ReadDirectoryChangesW() buffer size is 64K, which is the largest -// value that is guaranteed to work with SMB filesystems. If you have many -// events in quick succession this may not be enough, and you will have to use -// [WithBufferSize] to increase the value. -type Watcher struct { - // Events sends the filesystem change events. - // - // fsnotify can send the following events; a "path" here can refer to a - // file, directory, symbolic link, or special file like a FIFO. - // - // fsnotify.Create A new path was created; this may be followed by one - // or more Write events if data also gets written to a - // file. - // - // fsnotify.Remove A path was removed. - // - // fsnotify.Rename A path was renamed. A rename is always sent with the - // old path as Event.Name, and a Create event will be - // sent with the new name. Renames are only sent for - // paths that are currently watched; e.g. moving an - // unmonitored file into a monitored directory will - // show up as just a Create. Similarly, renaming a file - // to outside a monitored directory will show up as - // only a Rename. - // - // fsnotify.Write A file or named pipe was written to. A Truncate will - // also trigger a Write. A single "write action" - // initiated by the user may show up as one or multiple - // writes, depending on when the system syncs things to - // disk. For example when compiling a large Go program - // you may get hundreds of Write events, and you may - // want to wait until you've stopped receiving them - // (see the dedup example in cmd/fsnotify). - // - // Some systems may send Write event for directories - // when the directory content changes. - // - // fsnotify.Chmod Attributes were changed. On Linux this is also sent - // when a file is removed (or more accurately, when a - // link to an inode is removed). On kqueue it's sent - // when a file is truncated. On Windows it's never - // sent. +type fen struct { + *shared Events chan Event - - // Errors sends any errors. - // - // ErrEventOverflow is used to indicate there are too many events: - // - // - inotify: There are too many queued events (fs.inotify.max_queued_events sysctl) - // - windows: The buffer size is too small; WithBufferSize() can be used to increase it. - // - kqueue, fen: Not used. Errors chan error mu sync.Mutex port *unix.EventPort - done chan struct{} // Channel for sending a "quit message" to the reader goroutine - dirs map[string]struct{} // Explicitly watched directories - watches map[string]struct{} // Explicitly watched non-directories + dirs map[string]Op // Explicitly watched directories + watches map[string]Op // Explicitly watched non-directories } -// NewWatcher creates a new Watcher. -func NewWatcher() (*Watcher, error) { - return NewBufferedWatcher(0) -} +var defaultBufferSize = 0 -// NewBufferedWatcher creates a new Watcher with a buffered Watcher.Events -// channel. -// -// The main use case for this is situations with a very large number of events -// where the kernel buffer size can't be increased (e.g. due to lack of -// permissions). An unbuffered Watcher will perform better for almost all use -// cases, and whenever possible you will be better off increasing the kernel -// buffers instead of adding a large userspace buffer. -func NewBufferedWatcher(sz uint) (*Watcher, error) { - w := &Watcher{ - Events: make(chan Event, sz), - Errors: make(chan error), - dirs: make(map[string]struct{}), - watches: make(map[string]struct{}), - done: make(chan struct{}), +func newBackend(ev chan Event, errs chan error) (backend, error) { + w := &fen{ + shared: newShared(ev, errs), + Events: ev, + Errors: errs, + dirs: make(map[string]Op), + watches: make(map[string]Op), } var err error @@ -169,104 +51,28 @@ func NewBufferedWatcher(sz uint) (*Watcher, error) { return w, nil } -// sendEvent attempts to send an event to the user, returning true if the event -// was put in the channel successfully and false if the watcher has been closed. -func (w *Watcher) sendEvent(name string, op Op) (sent bool) { - select { - case w.Events <- Event{Name: name, Op: op}: - return true - case <-w.done: - return false - } -} - -// sendError attempts to send an error to the user, returning true if the error -// was put in the channel successfully and false if the watcher has been closed. -func (w *Watcher) sendError(err error) (sent bool) { - select { - case w.Errors <- err: - return true - case <-w.done: - return false - } -} - -func (w *Watcher) isClosed() bool { - select { - case <-w.done: - return true - default: - return false - } -} - -// Close removes all watches and closes the Events channel. -func (w *Watcher) Close() error { - // Take the lock used by associateFile to prevent lingering events from - // being processed after the close - w.mu.Lock() - defer w.mu.Unlock() - if w.isClosed() { +func (w *fen) Close() error { + if w.shared.close() { return nil } - close(w.done) return w.port.Close() } -// Add starts monitoring the path for changes. -// -// A path can only be watched once; watching it more than once is a no-op and will -// not return an error. Paths that do not yet exist on the filesystem cannot be -// watched. -// -// A watch will be automatically removed if the watched path is deleted or -// renamed. The exception is the Windows backend, which doesn't remove the -// watcher on renames. -// -// Notifications on network filesystems (NFS, SMB, FUSE, etc.) or special -// filesystems (/proc, /sys, etc.) generally don't work. -// -// Returns [ErrClosed] if [Watcher.Close] was called. -// -// See [Watcher.AddWith] for a version that allows adding options. -// -// # Watching directories -// -// All files in a directory are monitored, including new files that are created -// after the watcher is started. Subdirectories are not watched (i.e. it's -// non-recursive). -// -// # Watching files -// -// Watching individual files (rather than directories) is generally not -// recommended as many programs (especially editors) update files atomically: it -// will write to a temporary file which is then moved to to destination, -// overwriting the original (or some variant thereof). The watcher on the -// original file is now lost, as that no longer exists. -// -// The upshot of this is that a power failure or crash won't leave a -// half-written file. -// -// Watch the parent directory and use Event.Name to filter out files you're not -// interested in. There is an example of this in cmd/fsnotify/file.go. -func (w *Watcher) Add(name string) error { return w.AddWith(name) } +func (w *fen) Add(name string) error { return w.AddWith(name) } -// AddWith is like [Watcher.Add], but allows adding options. When using Add() -// the defaults described below are used. -// -// Possible options are: -// -// - [WithBufferSize] sets the buffer size for the Windows backend; no-op on -// other platforms. The default is 64K (65536 bytes). -func (w *Watcher) AddWith(name string, opts ...addOpt) error { +func (w *fen) AddWith(name string, opts ...addOpt) error { if w.isClosed() { return ErrClosed } - if w.port.PathIsWatched(name) { - return nil + if debug { + fmt.Fprintf(os.Stderr, "FSNOTIFY_DEBUG: %s AddWith(%q)\n", + time.Now().Format("15:04:05.000000000"), name) } - _ = getOptions(opts...) + with := getOptions(opts...) + if !w.xSupports(with.op) { + return fmt.Errorf("%w: %s", xErrUnsupported, with.op) + } // Currently we resolve symlinks that were explicitly requested to be // watched. Otherwise we would use LStat here. @@ -283,7 +89,7 @@ func (w *Watcher) AddWith(name string, opts ...addOpt) error { } w.mu.Lock() - w.dirs[name] = struct{}{} + w.dirs[name] = with.op w.mu.Unlock() return nil } @@ -294,26 +100,22 @@ func (w *Watcher) AddWith(name string, opts ...addOpt) error { } w.mu.Lock() - w.watches[name] = struct{}{} + w.watches[name] = with.op w.mu.Unlock() return nil } -// Remove stops monitoring the path for changes. -// -// Directories are always removed non-recursively. For example, if you added -// /tmp/dir and /tmp/dir/subdir then you will need to remove both. -// -// Removing a path that has not yet been added returns [ErrNonExistentWatch]. -// -// Returns nil if [Watcher.Close] was called. -func (w *Watcher) Remove(name string) error { +func (w *fen) Remove(name string) error { if w.isClosed() { return nil } if !w.port.PathIsWatched(name) { return fmt.Errorf("%w: %s", ErrNonExistentWatch, name) } + if debug { + fmt.Fprintf(os.Stderr, "FSNOTIFY_DEBUG: %s Remove(%q)\n", + time.Now().Format("15:04:05.000000000"), name) + } // The user has expressed an intent. Immediately remove this name from // whichever watch list it might be in. If it's not in there the delete @@ -346,7 +148,7 @@ func (w *Watcher) Remove(name string) error { } // readEvents contains the main loop that runs in a goroutine watching for events. -func (w *Watcher) readEvents() { +func (w *fen) readEvents() { // If this function returns, the watcher has been closed and we can close // these channels defer func() { @@ -367,7 +169,7 @@ func (w *Watcher) readEvents() { return } // There was an error not caused by calling w.Close() - if !w.sendError(err) { + if !w.sendError(fmt.Errorf("port.Get: %w", err)) { return } } @@ -382,17 +184,19 @@ func (w *Watcher) readEvents() { continue } + if debug { + internal.Debug(pevent.Path, pevent.Events) + } + err = w.handleEvent(&pevent) - if err != nil { - if !w.sendError(err) { - return - } + if !w.sendError(err) { + return } } } } -func (w *Watcher) handleDirectory(path string, stat os.FileInfo, follow bool, handler func(string, os.FileInfo, bool) error) error { +func (w *fen) handleDirectory(path string, stat os.FileInfo, follow bool, handler func(string, os.FileInfo, bool) error) error { files, err := os.ReadDir(path) if err != nil { return err @@ -418,7 +222,7 @@ func (w *Watcher) handleDirectory(path string, stat os.FileInfo, follow bool, ha // bitmap matches more than one event type (e.g. the file was both modified and // had the attributes changed between when the association was created and the // when event was returned) -func (w *Watcher) handleEvent(event *unix.PortEvent) error { +func (w *fen) handleEvent(event *unix.PortEvent) error { var ( events = event.Events path = event.Path @@ -433,13 +237,13 @@ func (w *Watcher) handleEvent(event *unix.PortEvent) error { isWatched := watchedDir || watchedPath if events&unix.FILE_DELETE != 0 { - if !w.sendEvent(path, Remove) { + if !w.sendEvent(Event{Name: path, Op: Remove}) { return nil } reRegister = false } if events&unix.FILE_RENAME_FROM != 0 { - if !w.sendEvent(path, Rename) { + if !w.sendEvent(Event{Name: path, Op: Rename}) { return nil } // Don't keep watching the new file name @@ -453,7 +257,7 @@ func (w *Watcher) handleEvent(event *unix.PortEvent) error { // inotify reports a Remove event in this case, so we simulate this // here. - if !w.sendEvent(path, Remove) { + if !w.sendEvent(Event{Name: path, Op: Remove}) { return nil } // Don't keep watching the file that was removed @@ -487,7 +291,7 @@ func (w *Watcher) handleEvent(event *unix.PortEvent) error { // get here, the sudirectory is already gone. Clearly we were watching // this path but now it is gone. Let's tell the user that it was // removed. - if !w.sendEvent(path, Remove) { + if !w.sendEvent(Event{Name: path, Op: Remove}) { return nil } // Suppress extra write events on removed directories; they are not @@ -502,7 +306,7 @@ func (w *Watcher) handleEvent(event *unix.PortEvent) error { if err != nil { // The symlink still exists, but the target is gone. Report the // Remove similar to above. - if !w.sendEvent(path, Remove) { + if !w.sendEvent(Event{Name: path, Op: Remove}) { return nil } // Don't return the error @@ -510,18 +314,12 @@ func (w *Watcher) handleEvent(event *unix.PortEvent) error { } if events&unix.FILE_MODIFIED != 0 { - if fmode.IsDir() { - if watchedDir { - if err := w.updateDirectory(path); err != nil { - return err - } - } else { - if !w.sendEvent(path, Write) { - return nil - } + if fmode.IsDir() && watchedDir { + if err := w.updateDirectory(path); err != nil { + return err } } else { - if !w.sendEvent(path, Write) { + if !w.sendEvent(Event{Name: path, Op: Write}) { return nil } } @@ -529,7 +327,7 @@ func (w *Watcher) handleEvent(event *unix.PortEvent) error { if events&unix.FILE_ATTRIB != 0 && stat != nil { // Only send Chmod if perms changed if stat.Mode().Perm() != fmode.Perm() { - if !w.sendEvent(path, Chmod) { + if !w.sendEvent(Event{Name: path, Op: Chmod}) { return nil } } @@ -538,17 +336,27 @@ func (w *Watcher) handleEvent(event *unix.PortEvent) error { if stat != nil { // If we get here, it means we've hit an event above that requires us to // continue watching the file or directory - return w.associateFile(path, stat, isWatched) + err := w.associateFile(path, stat, isWatched) + if errors.Is(err, fs.ErrNotExist) { + // Path may have been removed since the stat. + err = nil + } + return err } return nil } -func (w *Watcher) updateDirectory(path string) error { - // The directory was modified, so we must find unwatched entities and watch - // them. If something was removed from the directory, nothing will happen, - // as everything else should still be watched. +// The directory was modified, so we must find unwatched entities and watch +// them. If something was removed from the directory, nothing will happen, as +// everything else should still be watched. +func (w *fen) updateDirectory(path string) error { files, err := os.ReadDir(path) if err != nil { + // Directory no longer exists: probably just deleted since we got the + // event. + if errors.Is(err, fs.ErrNotExist) { + return nil + } return err } @@ -563,19 +371,22 @@ func (w *Watcher) updateDirectory(path string) error { return err } err = w.associateFile(path, finfo, false) - if err != nil { - if !w.sendError(err) { - return nil - } + if errors.Is(err, fs.ErrNotExist) { + // File may have disappeared between getting the dir listing and + // adding the port: that's okay to ignore. + continue } - if !w.sendEvent(path, Create) { + if !w.sendError(err) { + return nil + } + if !w.sendEvent(Event{Name: path, Op: Create}) { return nil } } return nil } -func (w *Watcher) associateFile(path string, stat os.FileInfo, follow bool) error { +func (w *fen) associateFile(path string, stat os.FileInfo, follow bool) error { if w.isClosed() { return ErrClosed } @@ -593,34 +404,42 @@ func (w *Watcher) associateFile(path string, stat os.FileInfo, follow bool) erro // cleared up that discrepancy. The most likely cause is that the event // has fired but we haven't processed it yet. err := w.port.DissociatePath(path) - if err != nil && err != unix.ENOENT { - return err + if err != nil && !errors.Is(err, unix.ENOENT) { + return fmt.Errorf("port.DissociatePath(%q): %w", path, err) } } - // FILE_NOFOLLOW means we watch symlinks themselves rather than their - // targets. - events := unix.FILE_MODIFIED | unix.FILE_ATTRIB | unix.FILE_NOFOLLOW - if follow { - // We *DO* follow symlinks for explicitly watched entries. - events = unix.FILE_MODIFIED | unix.FILE_ATTRIB + + var events int + if !follow { + // Watch symlinks themselves rather than their targets unless this entry + // is explicitly watched. + events |= unix.FILE_NOFOLLOW + } + if true { // TODO: implement withOps() + events |= unix.FILE_MODIFIED + } + if true { + events |= unix.FILE_ATTRIB } - return w.port.AssociatePath(path, stat, - events, - stat.Mode()) + err := w.port.AssociatePath(path, stat, events, stat.Mode()) + if err != nil { + return fmt.Errorf("port.AssociatePath(%q): %w", path, err) + } + return nil } -func (w *Watcher) dissociateFile(path string, stat os.FileInfo, unused bool) error { +func (w *fen) dissociateFile(path string, stat os.FileInfo, unused bool) error { if !w.port.PathIsWatched(path) { return nil } - return w.port.DissociatePath(path) + err := w.port.DissociatePath(path) + if err != nil { + return fmt.Errorf("port.DissociatePath(%q): %w", path, err) + } + return nil } -// WatchList returns all paths explicitly added with [Watcher.Add] (and are not -// yet removed). -// -// Returns nil if [Watcher.Close] was called. -func (w *Watcher) WatchList() []string { +func (w *fen) WatchList() []string { if w.isClosed() { return nil } @@ -638,3 +457,11 @@ func (w *Watcher) WatchList() []string { return entries } + +func (w *fen) xSupports(op Op) bool { + if op.Has(xUnportableOpen) || op.Has(xUnportableRead) || + op.Has(xUnportableCloseWrite) || op.Has(xUnportableCloseRead) { + return false + } + return true +} diff --git a/vendor/github.com/fsnotify/fsnotify/backend_inotify.go b/vendor/github.com/fsnotify/fsnotify/backend_inotify.go index 921c1c1e4..a36cb89d7 100644 --- a/vendor/github.com/fsnotify/fsnotify/backend_inotify.go +++ b/vendor/github.com/fsnotify/fsnotify/backend_inotify.go @@ -1,8 +1,4 @@ //go:build linux && !appengine -// +build linux,!appengine - -// Note: the documentation on the Watcher type and methods is generated from -// mkdoc.zsh package fsnotify @@ -10,127 +6,21 @@ import ( "errors" "fmt" "io" + "io/fs" "os" "path/filepath" "strings" "sync" + "time" "unsafe" + "github.com/fsnotify/fsnotify/internal" "golang.org/x/sys/unix" ) -// Watcher watches a set of paths, delivering events on a channel. -// -// A watcher should not be copied (e.g. pass it by pointer, rather than by -// value). -// -// # Linux notes -// -// When a file is removed a Remove event won't be emitted until all file -// descriptors are closed, and deletes will always emit a Chmod. For example: -// -// fp := os.Open("file") -// os.Remove("file") // Triggers Chmod -// fp.Close() // Triggers Remove -// -// This is the event that inotify sends, so not much can be changed about this. -// -// The fs.inotify.max_user_watches sysctl variable specifies the upper limit -// for the number of watches per user, and fs.inotify.max_user_instances -// specifies the maximum number of inotify instances per user. Every Watcher you -// create is an "instance", and every path you add is a "watch". -// -// These are also exposed in /proc as /proc/sys/fs/inotify/max_user_watches and -// /proc/sys/fs/inotify/max_user_instances -// -// To increase them you can use sysctl or write the value to the /proc file: -// -// # Default values on Linux 5.18 -// sysctl fs.inotify.max_user_watches=124983 -// sysctl fs.inotify.max_user_instances=128 -// -// To make the changes persist on reboot edit /etc/sysctl.conf or -// /usr/lib/sysctl.d/50-default.conf (details differ per Linux distro; check -// your distro's documentation): -// -// fs.inotify.max_user_watches=124983 -// fs.inotify.max_user_instances=128 -// -// Reaching the limit will result in a "no space left on device" or "too many open -// files" error. -// -// # kqueue notes (macOS, BSD) -// -// kqueue requires opening a file descriptor for every file that's being watched; -// so if you're watching a directory with five files then that's six file -// descriptors. You will run in to your system's "max open files" limit faster on -// these platforms. -// -// The sysctl variables kern.maxfiles and kern.maxfilesperproc can be used to -// control the maximum number of open files, as well as /etc/login.conf on BSD -// systems. -// -// # Windows notes -// -// Paths can be added as "C:\path\to\dir", but forward slashes -// ("C:/path/to/dir") will also work. -// -// When a watched directory is removed it will always send an event for the -// directory itself, but may not send events for all files in that directory. -// Sometimes it will send events for all times, sometimes it will send no -// events, and often only for some files. -// -// The default ReadDirectoryChangesW() buffer size is 64K, which is the largest -// value that is guaranteed to work with SMB filesystems. If you have many -// events in quick succession this may not be enough, and you will have to use -// [WithBufferSize] to increase the value. -type Watcher struct { - // Events sends the filesystem change events. - // - // fsnotify can send the following events; a "path" here can refer to a - // file, directory, symbolic link, or special file like a FIFO. - // - // fsnotify.Create A new path was created; this may be followed by one - // or more Write events if data also gets written to a - // file. - // - // fsnotify.Remove A path was removed. - // - // fsnotify.Rename A path was renamed. A rename is always sent with the - // old path as Event.Name, and a Create event will be - // sent with the new name. Renames are only sent for - // paths that are currently watched; e.g. moving an - // unmonitored file into a monitored directory will - // show up as just a Create. Similarly, renaming a file - // to outside a monitored directory will show up as - // only a Rename. - // - // fsnotify.Write A file or named pipe was written to. A Truncate will - // also trigger a Write. A single "write action" - // initiated by the user may show up as one or multiple - // writes, depending on when the system syncs things to - // disk. For example when compiling a large Go program - // you may get hundreds of Write events, and you may - // want to wait until you've stopped receiving them - // (see the dedup example in cmd/fsnotify). - // - // Some systems may send Write event for directories - // when the directory content changes. - // - // fsnotify.Chmod Attributes were changed. On Linux this is also sent - // when a file is removed (or more accurately, when a - // link to an inode is removed). On kqueue it's sent - // when a file is truncated. On Windows it's never - // sent. +type inotify struct { + *shared Events chan Event - - // Errors sends any errors. - // - // ErrEventOverflow is used to indicate there are too many events: - // - // - inotify: There are too many queued events (fs.inotify.max_queued_events sysctl) - // - windows: The buffer size is too small; WithBufferSize() can be used to increase it. - // - kqueue, fen: Not used. Errors chan error // Store fd here as os.File.Read() will no longer return on close after @@ -138,21 +28,41 @@ type Watcher struct { fd int inotifyFile *os.File watches *watches - done chan struct{} // Channel for sending a "quit message" to the reader goroutine - closeMu sync.Mutex doneResp chan struct{} // Channel to respond to Close + + // Store rename cookies in an array, with the index wrapping to 0. Almost + // all of the time what we get is a MOVED_FROM to set the cookie and the + // next event inotify sends will be MOVED_TO to read it. However, this is + // not guaranteed – as described in inotify(7) – and we may get other events + // between the two MOVED_* events (including other MOVED_* ones). + // + // A second issue is that moving a file outside the watched directory will + // trigger a MOVED_FROM to set the cookie, but we never see the MOVED_TO to + // read and delete it. So just storing it in a map would slowly leak memory. + // + // Doing it like this gives us a simple fast LRU-cache that won't allocate. + // Ten items should be more than enough for our purpose, and a loop over + // such a short array is faster than a map access anyway (not that it hugely + // matters since we're talking about hundreds of ns at the most, but still). + cookies [10]koekje + cookieIndex uint8 + cookiesMu sync.Mutex } type ( watches struct { - mu sync.RWMutex wd map[uint32]*watch // wd → watch path map[string]uint32 // pathname → wd } watch struct { - wd uint32 // Watch descriptor (as returned by the inotify_add_watch() syscall) - flags uint32 // inotify flags of this watch (see inotify(7) for the list of valid flags) - path string // Watch path. + wd uint32 // Watch descriptor (as returned by the inotify_add_watch() syscall) + flags uint32 // inotify flags of this watch (see inotify(7) for the list of valid flags) + path string // Watch path. + recurse bool // Recursion with ./...? + } + koekje struct { + cookie uint32 + path string } ) @@ -163,57 +73,43 @@ func newWatches() *watches { } } -func (w *watches) len() int { - w.mu.RLock() - defer w.mu.RUnlock() - return len(w.wd) -} - -func (w *watches) add(ww *watch) { - w.mu.Lock() - defer w.mu.Unlock() - w.wd[ww.wd] = ww - w.path[ww.path] = ww.wd -} - -func (w *watches) remove(wd uint32) { - w.mu.Lock() - defer w.mu.Unlock() - delete(w.path, w.wd[wd].path) - delete(w.wd, wd) -} - -func (w *watches) removePath(path string) (uint32, bool) { - w.mu.Lock() - defer w.mu.Unlock() +func (w *watches) byPath(path string) *watch { return w.wd[w.path[path]] } +func (w *watches) byWd(wd uint32) *watch { return w.wd[wd] } +func (w *watches) len() int { return len(w.wd) } +func (w *watches) add(ww *watch) { w.wd[ww.wd] = ww; w.path[ww.path] = ww.wd } +func (w *watches) remove(watch *watch) { delete(w.path, watch.path); delete(w.wd, watch.wd) } +func (w *watches) removePath(path string) ([]uint32, error) { + path, recurse := recursivePath(path) wd, ok := w.path[path] if !ok { - return 0, false + return nil, fmt.Errorf("%w: %s", ErrNonExistentWatch, path) + } + + watch := w.wd[wd] + if recurse && !watch.recurse { + return nil, fmt.Errorf("can't use /... with non-recursive watch %q", path) } delete(w.path, path) delete(w.wd, wd) + if !watch.recurse { + return []uint32{wd}, nil + } - return wd, true -} - -func (w *watches) byPath(path string) *watch { - w.mu.RLock() - defer w.mu.RUnlock() - return w.wd[w.path[path]] -} - -func (w *watches) byWd(wd uint32) *watch { - w.mu.RLock() - defer w.mu.RUnlock() - return w.wd[wd] + wds := make([]uint32, 0, 8) + wds = append(wds, wd) + for p, rwd := range w.path { + if strings.HasPrefix(p, path) { + delete(w.path, p) + delete(w.wd, rwd) + wds = append(wds, rwd) + } + } + return wds, nil } func (w *watches) updatePath(path string, f func(*watch) (*watch, error)) error { - w.mu.Lock() - defer w.mu.Unlock() - var existing *watch wd, ok := w.path[path] if ok { @@ -236,20 +132,9 @@ func (w *watches) updatePath(path string, f func(*watch) (*watch, error)) error return nil } -// NewWatcher creates a new Watcher. -func NewWatcher() (*Watcher, error) { - return NewBufferedWatcher(0) -} +var defaultBufferSize = 0 -// NewBufferedWatcher creates a new Watcher with a buffered Watcher.Events -// channel. -// -// The main use case for this is situations with a very large number of events -// where the kernel buffer size can't be increased (e.g. due to lack of -// permissions). An unbuffered Watcher will perform better for almost all use -// cases, and whenever possible you will be better off increasing the kernel -// buffers instead of adding a large userspace buffer. -func NewBufferedWatcher(sz uint) (*Watcher, error) { +func newBackend(ev chan Event, errs chan error) (backend, error) { // Need to set nonblocking mode for SetDeadline to work, otherwise blocking // I/O operations won't terminate on close. fd, errno := unix.InotifyInit1(unix.IN_CLOEXEC | unix.IN_NONBLOCK) @@ -257,13 +142,13 @@ func NewBufferedWatcher(sz uint) (*Watcher, error) { return nil, errno } - w := &Watcher{ + w := &inotify{ + shared: newShared(ev, errs), + Events: ev, + Errors: errs, fd: fd, inotifyFile: os.NewFile(uintptr(fd), ""), watches: newWatches(), - Events: make(chan Event, sz), - Errors: make(chan error), - done: make(chan struct{}), doneResp: make(chan struct{}), } @@ -271,44 +156,10 @@ func NewBufferedWatcher(sz uint) (*Watcher, error) { return w, nil } -// Returns true if the event was sent, or false if watcher is closed. -func (w *Watcher) sendEvent(e Event) bool { - select { - case w.Events <- e: - return true - case <-w.done: - return false - } -} - -// Returns true if the error was sent, or false if watcher is closed. -func (w *Watcher) sendError(err error) bool { - select { - case w.Errors <- err: - return true - case <-w.done: - return false - } -} - -func (w *Watcher) isClosed() bool { - select { - case <-w.done: - return true - default: - return false - } -} - -// Close removes all watches and closes the Events channel. -func (w *Watcher) Close() error { - w.closeMu.Lock() - if w.isClosed() { - w.closeMu.Unlock() +func (w *inotify) Close() error { + if w.shared.close() { return nil } - close(w.done) - w.closeMu.Unlock() // Causes any blocking reads to return with an error, provided the file // still supports deadline operations. @@ -317,84 +168,114 @@ func (w *Watcher) Close() error { return err } - // Wait for goroutine to close - <-w.doneResp - + <-w.doneResp // Wait for readEvents() to finish. return nil } -// Add starts monitoring the path for changes. -// -// A path can only be watched once; watching it more than once is a no-op and will -// not return an error. Paths that do not yet exist on the filesystem cannot be -// watched. -// -// A watch will be automatically removed if the watched path is deleted or -// renamed. The exception is the Windows backend, which doesn't remove the -// watcher on renames. -// -// Notifications on network filesystems (NFS, SMB, FUSE, etc.) or special -// filesystems (/proc, /sys, etc.) generally don't work. -// -// Returns [ErrClosed] if [Watcher.Close] was called. -// -// See [Watcher.AddWith] for a version that allows adding options. -// -// # Watching directories -// -// All files in a directory are monitored, including new files that are created -// after the watcher is started. Subdirectories are not watched (i.e. it's -// non-recursive). -// -// # Watching files -// -// Watching individual files (rather than directories) is generally not -// recommended as many programs (especially editors) update files atomically: it -// will write to a temporary file which is then moved to to destination, -// overwriting the original (or some variant thereof). The watcher on the -// original file is now lost, as that no longer exists. -// -// The upshot of this is that a power failure or crash won't leave a -// half-written file. -// -// Watch the parent directory and use Event.Name to filter out files you're not -// interested in. There is an example of this in cmd/fsnotify/file.go. -func (w *Watcher) Add(name string) error { return w.AddWith(name) } - -// AddWith is like [Watcher.Add], but allows adding options. When using Add() -// the defaults described below are used. -// -// Possible options are: -// -// - [WithBufferSize] sets the buffer size for the Windows backend; no-op on -// other platforms. The default is 64K (65536 bytes). -func (w *Watcher) AddWith(name string, opts ...addOpt) error { +func (w *inotify) Add(name string) error { return w.AddWith(name) } + +func (w *inotify) AddWith(path string, opts ...addOpt) error { if w.isClosed() { return ErrClosed } + if debug { + fmt.Fprintf(os.Stderr, "FSNOTIFY_DEBUG: %s AddWith(%q)\n", + time.Now().Format("15:04:05.000000000"), path) + } + + with := getOptions(opts...) + if !w.xSupports(with.op) { + return fmt.Errorf("%w: %s", xErrUnsupported, with.op) + } + + add := func(path string, with withOpts, recurse bool) error { + var flags uint32 + if with.noFollow { + flags |= unix.IN_DONT_FOLLOW + } + if with.op.Has(Create) { + flags |= unix.IN_CREATE + } + if with.op.Has(Write) { + flags |= unix.IN_MODIFY + } + if with.op.Has(Remove) { + flags |= unix.IN_DELETE | unix.IN_DELETE_SELF + } + if with.op.Has(Rename) { + flags |= unix.IN_MOVED_TO | unix.IN_MOVED_FROM | unix.IN_MOVE_SELF + } + if with.op.Has(Chmod) { + flags |= unix.IN_ATTRIB + } + if with.op.Has(xUnportableOpen) { + flags |= unix.IN_OPEN + } + if with.op.Has(xUnportableRead) { + flags |= unix.IN_ACCESS + } + if with.op.Has(xUnportableCloseWrite) { + flags |= unix.IN_CLOSE_WRITE + } + if with.op.Has(xUnportableCloseRead) { + flags |= unix.IN_CLOSE_NOWRITE + } + return w.register(path, flags, recurse) + } + + w.mu.Lock() + defer w.mu.Unlock() + path, recurse := recursivePath(path) + if recurse { + return filepath.WalkDir(path, func(root string, d fs.DirEntry, err error) error { + if err != nil { + return err + } + if !d.IsDir() { + if root == path { + return fmt.Errorf("fsnotify: not a directory: %q", path) + } + return nil + } + + // Send a Create event when adding new directory from a recursive + // watch; this is for "mkdir -p one/two/three". Usually all those + // directories will be created before we can set up watchers on the + // subdirectories, so only "one" would be sent as a Create event and + // not "one/two" and "one/two/three" (inotifywait -r has the same + // problem). + if with.sendCreate && root != path { + w.sendEvent(Event{Name: root, Op: Create}) + } - name = filepath.Clean(name) - _ = getOptions(opts...) + return add(root, with, true) + }) + } - var flags uint32 = unix.IN_MOVED_TO | unix.IN_MOVED_FROM | - unix.IN_CREATE | unix.IN_ATTRIB | unix.IN_MODIFY | - unix.IN_MOVE_SELF | unix.IN_DELETE | unix.IN_DELETE_SELF + return add(path, with, false) +} - return w.watches.updatePath(name, func(existing *watch) (*watch, error) { +func (w *inotify) register(path string, flags uint32, recurse bool) error { + return w.watches.updatePath(path, func(existing *watch) (*watch, error) { if existing != nil { flags |= existing.flags | unix.IN_MASK_ADD } - wd, err := unix.InotifyAddWatch(w.fd, name, flags) + wd, err := unix.InotifyAddWatch(w.fd, path, flags) if wd == -1 { return nil, err } + if e, ok := w.watches.wd[uint32(wd)]; ok { + return e, nil + } + if existing == nil { return &watch{ - wd: uint32(wd), - path: name, - flags: flags, + wd: uint32(wd), + path: path, + flags: flags, + recurse: recurse, }, nil } @@ -404,87 +285,80 @@ func (w *Watcher) AddWith(name string, opts ...addOpt) error { }) } -// Remove stops monitoring the path for changes. -// -// Directories are always removed non-recursively. For example, if you added -// /tmp/dir and /tmp/dir/subdir then you will need to remove both. -// -// Removing a path that has not yet been added returns [ErrNonExistentWatch]. -// -// Returns nil if [Watcher.Close] was called. -func (w *Watcher) Remove(name string) error { +func (w *inotify) Remove(name string) error { if w.isClosed() { return nil } + if debug { + fmt.Fprintf(os.Stderr, "FSNOTIFY_DEBUG: %s Remove(%q)\n", + time.Now().Format("15:04:05.000000000"), name) + } + + w.mu.Lock() + defer w.mu.Unlock() return w.remove(filepath.Clean(name)) } -func (w *Watcher) remove(name string) error { - wd, ok := w.watches.removePath(name) - if !ok { - return fmt.Errorf("%w: %s", ErrNonExistentWatch, name) - } - - success, errno := unix.InotifyRmWatch(w.fd, wd) - if success == -1 { - // TODO: Perhaps it's not helpful to return an error here in every case; - // The only two possible errors are: - // - // - EBADF, which happens when w.fd is not a valid file descriptor - // of any kind. - // - EINVAL, which is when fd is not an inotify descriptor or wd - // is not a valid watch descriptor. Watch descriptors are - // invalidated when they are removed explicitly or implicitly; - // explicitly by inotify_rm_watch, implicitly when the file they - // are watching is deleted. - return errno +func (w *inotify) remove(name string) error { + wds, err := w.watches.removePath(name) + if err != nil { + return err + } + + for _, wd := range wds { + _, err := unix.InotifyRmWatch(w.fd, wd) + if err != nil { + // TODO: Perhaps it's not helpful to return an error here in every + // case; the only two possible errors are: + // + // EBADF, which happens when w.fd is not a valid file descriptor of + // any kind. + // + // EINVAL, which is when fd is not an inotify descriptor or wd is + // not a valid watch descriptor. Watch descriptors are invalidated + // when they are removed explicitly or implicitly; explicitly by + // inotify_rm_watch, implicitly when the file they are watching is + // deleted. + return err + } } return nil } -// WatchList returns all paths explicitly added with [Watcher.Add] (and are not -// yet removed). -// -// Returns nil if [Watcher.Close] was called. -func (w *Watcher) WatchList() []string { +func (w *inotify) WatchList() []string { if w.isClosed() { return nil } + w.mu.Lock() + defer w.mu.Unlock() entries := make([]string, 0, w.watches.len()) - w.watches.mu.RLock() for pathname := range w.watches.path { entries = append(entries, pathname) } - w.watches.mu.RUnlock() - return entries } // readEvents reads from the inotify file descriptor, converts the // received events into Event objects and sends them via the Events channel -func (w *Watcher) readEvents() { +func (w *inotify) readEvents() { defer func() { close(w.doneResp) close(w.Errors) close(w.Events) }() - var ( - buf [unix.SizeofInotifyEvent * 4096]byte // Buffer for a maximum of 4096 raw events - errno error // Syscall errno - ) + var buf [unix.SizeofInotifyEvent * 4096]byte // Buffer for a maximum of 4096 raw events for { - // See if we have been closed. if w.isClosed() { return } n, err := w.inotifyFile.Read(buf[:]) - switch { - case errors.Unwrap(err) == os.ErrClosed: - return - case err != nil: + if err != nil { + if errors.Is(err, os.ErrClosed) { + return + } if !w.sendError(err) { return } @@ -492,13 +366,9 @@ func (w *Watcher) readEvents() { } if n < unix.SizeofInotifyEvent { - var err error + err := errors.New("notify: short read in readEvents()") // Read was too short. if n == 0 { err = io.EOF // If EOF is received. This should really never happen. - } else if n < 0 { - err = errno // If an error occurred while reading. - } else { - err = errors.New("notify: short read in readEvents()") // Read was too short. } if !w.sendError(err) { return @@ -506,74 +376,146 @@ func (w *Watcher) readEvents() { continue } + // We don't know how many events we just read into the buffer While the + // offset points to at least one whole event. var offset uint32 - // We don't know how many events we just read into the buffer - // While the offset points to at least one whole event... for offset <= uint32(n-unix.SizeofInotifyEvent) { - var ( - // Point "raw" to the event in the buffer - raw = (*unix.InotifyEvent)(unsafe.Pointer(&buf[offset])) - mask = uint32(raw.Mask) - nameLen = uint32(raw.Len) - ) - - if mask&unix.IN_Q_OVERFLOW != 0 { + // Point to the event in the buffer. + inEvent := (*unix.InotifyEvent)(unsafe.Pointer(&buf[offset])) + + if inEvent.Mask&unix.IN_Q_OVERFLOW != 0 { if !w.sendError(ErrEventOverflow) { return } } - // If the event happened to the watched directory or the watched file, the kernel - // doesn't append the filename to the event, but we would like to always fill the - // the "Name" field with a valid filename. We retrieve the path of the watch from - // the "paths" map. - watch := w.watches.byWd(uint32(raw.Wd)) - - // inotify will automatically remove the watch on deletes; just need - // to clean our state here. - if watch != nil && mask&unix.IN_DELETE_SELF == unix.IN_DELETE_SELF { - w.watches.remove(watch.wd) + ev, ok := w.handleEvent(inEvent, &buf, offset) + if !ok { + return } - // We can't really update the state when a watched path is moved; - // only IN_MOVE_SELF is sent and not IN_MOVED_{FROM,TO}. So remove - // the watch. - if watch != nil && mask&unix.IN_MOVE_SELF == unix.IN_MOVE_SELF { - err := w.remove(watch.path) - if err != nil && !errors.Is(err, ErrNonExistentWatch) { - if !w.sendError(err) { - return - } - } + if !w.sendEvent(ev) { + return } - var name string - if watch != nil { - name = watch.path - } - if nameLen > 0 { - // Point "bytes" at the first byte of the filename - bytes := (*[unix.PathMax]byte)(unsafe.Pointer(&buf[offset+unix.SizeofInotifyEvent]))[:nameLen:nameLen] - // The filename is padded with NULL bytes. TrimRight() gets rid of those. - name += "/" + strings.TrimRight(string(bytes[0:nameLen]), "\000") + // Move to the next event in the buffer + offset += unix.SizeofInotifyEvent + inEvent.Len + } + } +} + +func (w *inotify) handleEvent(inEvent *unix.InotifyEvent, buf *[65536]byte, offset uint32) (Event, bool) { + w.mu.Lock() + defer w.mu.Unlock() + + /// If the event happened to the watched directory or the watched file, the + /// kernel doesn't append the filename to the event, but we would like to + /// always fill the the "Name" field with a valid filename. We retrieve the + /// path of the watch from the "paths" map. + /// + /// Can be nil if Remove() was called in another goroutine for this path + /// inbetween reading the events from the kernel and reading the internal + /// state. Not much we can do about it, so just skip. See #616. + watch := w.watches.byWd(uint32(inEvent.Wd)) + if watch == nil { + return Event{}, true + } + + var ( + name = watch.path + nameLen = uint32(inEvent.Len) + ) + if nameLen > 0 { + /// Point "bytes" at the first byte of the filename + bb := *buf + bytes := (*[unix.PathMax]byte)(unsafe.Pointer(&bb[offset+unix.SizeofInotifyEvent]))[:nameLen:nameLen] + /// The filename is padded with NULL bytes. TrimRight() gets rid of those. + name += "/" + strings.TrimRight(string(bytes[0:nameLen]), "\x00") + } + + if debug { + internal.Debug(name, inEvent.Mask, inEvent.Cookie) + } + + if inEvent.Mask&unix.IN_IGNORED != 0 || inEvent.Mask&unix.IN_UNMOUNT != 0 { + w.watches.remove(watch) + return Event{}, true + } + + // inotify will automatically remove the watch on deletes; just need + // to clean our state here. + if inEvent.Mask&unix.IN_DELETE_SELF == unix.IN_DELETE_SELF { + w.watches.remove(watch) + } + + // We can't really update the state when a watched path is moved; only + // IN_MOVE_SELF is sent and not IN_MOVED_{FROM,TO}. So remove the watch. + if inEvent.Mask&unix.IN_MOVE_SELF == unix.IN_MOVE_SELF { + if watch.recurse { // Do nothing + return Event{}, true + } + + err := w.remove(watch.path) + if err != nil && !errors.Is(err, ErrNonExistentWatch) { + if !w.sendError(err) { + return Event{}, false } + } + } + + /// Skip if we're watching both this path and the parent; the parent will + /// already send a delete so no need to do it twice. + if inEvent.Mask&unix.IN_DELETE_SELF != 0 { + _, ok := w.watches.path[filepath.Dir(watch.path)] + if ok { + return Event{}, true + } + } - event := w.newEvent(name, mask) + ev := w.newEvent(name, inEvent.Mask, inEvent.Cookie) + // Need to update watch path for recurse. + if watch.recurse { + isDir := inEvent.Mask&unix.IN_ISDIR == unix.IN_ISDIR + /// New directory created: set up watch on it. + if isDir && ev.Has(Create) { + err := w.register(ev.Name, watch.flags, true) + if !w.sendError(err) { + return Event{}, false + } - // Send the events that are not ignored on the events channel - if mask&unix.IN_IGNORED == 0 { - if !w.sendEvent(event) { - return + // This was a directory rename, so we need to update all the + // children. + // + // TODO: this is of course pretty slow; we should use a better data + // structure for storing all of this, e.g. store children in the + // watch. I have some code for this in my kqueue refactor we can use + // in the future. For now I'm okay with this as it's not publicly + // available. Correctness first, performance second. + if ev.renamedFrom != "" { + for k, ww := range w.watches.wd { + if k == watch.wd || ww.path == ev.Name { + continue + } + if strings.HasPrefix(ww.path, ev.renamedFrom) { + ww.path = strings.Replace(ww.path, ev.renamedFrom, ev.Name, 1) + w.watches.wd[k] = ww + } } } - - // Move to the next event in the buffer - offset += unix.SizeofInotifyEvent + nameLen } } + + return ev, true +} + +func (w *inotify) isRecursive(path string) bool { + ww := w.watches.byPath(path) + if ww == nil { // path could be a file, so also check the Dir. + ww = w.watches.byPath(filepath.Dir(path)) + } + return ww != nil && ww.recurse } -// newEvent returns an platform-independent Event based on an inotify mask. -func (w *Watcher) newEvent(name string, mask uint32) Event { +func (w *inotify) newEvent(name string, mask, cookie uint32) Event { e := Event{Name: name} if mask&unix.IN_CREATE == unix.IN_CREATE || mask&unix.IN_MOVED_TO == unix.IN_MOVED_TO { e.Op |= Create @@ -584,11 +526,58 @@ func (w *Watcher) newEvent(name string, mask uint32) Event { if mask&unix.IN_MODIFY == unix.IN_MODIFY { e.Op |= Write } + if mask&unix.IN_OPEN == unix.IN_OPEN { + e.Op |= xUnportableOpen + } + if mask&unix.IN_ACCESS == unix.IN_ACCESS { + e.Op |= xUnportableRead + } + if mask&unix.IN_CLOSE_WRITE == unix.IN_CLOSE_WRITE { + e.Op |= xUnportableCloseWrite + } + if mask&unix.IN_CLOSE_NOWRITE == unix.IN_CLOSE_NOWRITE { + e.Op |= xUnportableCloseRead + } if mask&unix.IN_MOVE_SELF == unix.IN_MOVE_SELF || mask&unix.IN_MOVED_FROM == unix.IN_MOVED_FROM { e.Op |= Rename } if mask&unix.IN_ATTRIB == unix.IN_ATTRIB { e.Op |= Chmod } + + if cookie != 0 { + if mask&unix.IN_MOVED_FROM == unix.IN_MOVED_FROM { + w.cookiesMu.Lock() + w.cookies[w.cookieIndex] = koekje{cookie: cookie, path: e.Name} + w.cookieIndex++ + if w.cookieIndex > 9 { + w.cookieIndex = 0 + } + w.cookiesMu.Unlock() + } else if mask&unix.IN_MOVED_TO == unix.IN_MOVED_TO { + w.cookiesMu.Lock() + var prev string + for _, c := range w.cookies { + if c.cookie == cookie { + prev = c.path + break + } + } + w.cookiesMu.Unlock() + e.renamedFrom = prev + } + } return e } + +func (w *inotify) xSupports(op Op) bool { + return true // Supports everything. +} + +func (w *inotify) state() { + w.mu.Lock() + defer w.mu.Unlock() + for wd, ww := range w.watches.wd { + fmt.Fprintf(os.Stderr, "%4d: recurse=%t %q\n", wd, ww.recurse, ww.path) + } +} diff --git a/vendor/github.com/fsnotify/fsnotify/backend_kqueue.go b/vendor/github.com/fsnotify/fsnotify/backend_kqueue.go index 063a0915a..340aeec06 100644 --- a/vendor/github.com/fsnotify/fsnotify/backend_kqueue.go +++ b/vendor/github.com/fsnotify/fsnotify/backend_kqueue.go @@ -1,8 +1,4 @@ //go:build freebsd || openbsd || netbsd || dragonfly || darwin -// +build freebsd openbsd netbsd dragonfly darwin - -// Note: the documentation on the Watcher type and methods is generated from -// mkdoc.zsh package fsnotify @@ -11,174 +7,196 @@ import ( "fmt" "os" "path/filepath" + "runtime" "sync" + "time" + "github.com/fsnotify/fsnotify/internal" "golang.org/x/sys/unix" ) -// Watcher watches a set of paths, delivering events on a channel. -// -// A watcher should not be copied (e.g. pass it by pointer, rather than by -// value). -// -// # Linux notes -// -// When a file is removed a Remove event won't be emitted until all file -// descriptors are closed, and deletes will always emit a Chmod. For example: -// -// fp := os.Open("file") -// os.Remove("file") // Triggers Chmod -// fp.Close() // Triggers Remove -// -// This is the event that inotify sends, so not much can be changed about this. -// -// The fs.inotify.max_user_watches sysctl variable specifies the upper limit -// for the number of watches per user, and fs.inotify.max_user_instances -// specifies the maximum number of inotify instances per user. Every Watcher you -// create is an "instance", and every path you add is a "watch". -// -// These are also exposed in /proc as /proc/sys/fs/inotify/max_user_watches and -// /proc/sys/fs/inotify/max_user_instances -// -// To increase them you can use sysctl or write the value to the /proc file: -// -// # Default values on Linux 5.18 -// sysctl fs.inotify.max_user_watches=124983 -// sysctl fs.inotify.max_user_instances=128 -// -// To make the changes persist on reboot edit /etc/sysctl.conf or -// /usr/lib/sysctl.d/50-default.conf (details differ per Linux distro; check -// your distro's documentation): -// -// fs.inotify.max_user_watches=124983 -// fs.inotify.max_user_instances=128 -// -// Reaching the limit will result in a "no space left on device" or "too many open -// files" error. -// -// # kqueue notes (macOS, BSD) -// -// kqueue requires opening a file descriptor for every file that's being watched; -// so if you're watching a directory with five files then that's six file -// descriptors. You will run in to your system's "max open files" limit faster on -// these platforms. -// -// The sysctl variables kern.maxfiles and kern.maxfilesperproc can be used to -// control the maximum number of open files, as well as /etc/login.conf on BSD -// systems. -// -// # Windows notes -// -// Paths can be added as "C:\path\to\dir", but forward slashes -// ("C:/path/to/dir") will also work. -// -// When a watched directory is removed it will always send an event for the -// directory itself, but may not send events for all files in that directory. -// Sometimes it will send events for all times, sometimes it will send no -// events, and often only for some files. -// -// The default ReadDirectoryChangesW() buffer size is 64K, which is the largest -// value that is guaranteed to work with SMB filesystems. If you have many -// events in quick succession this may not be enough, and you will have to use -// [WithBufferSize] to increase the value. -type Watcher struct { - // Events sends the filesystem change events. - // - // fsnotify can send the following events; a "path" here can refer to a - // file, directory, symbolic link, or special file like a FIFO. - // - // fsnotify.Create A new path was created; this may be followed by one - // or more Write events if data also gets written to a - // file. - // - // fsnotify.Remove A path was removed. - // - // fsnotify.Rename A path was renamed. A rename is always sent with the - // old path as Event.Name, and a Create event will be - // sent with the new name. Renames are only sent for - // paths that are currently watched; e.g. moving an - // unmonitored file into a monitored directory will - // show up as just a Create. Similarly, renaming a file - // to outside a monitored directory will show up as - // only a Rename. - // - // fsnotify.Write A file or named pipe was written to. A Truncate will - // also trigger a Write. A single "write action" - // initiated by the user may show up as one or multiple - // writes, depending on when the system syncs things to - // disk. For example when compiling a large Go program - // you may get hundreds of Write events, and you may - // want to wait until you've stopped receiving them - // (see the dedup example in cmd/fsnotify). - // - // Some systems may send Write event for directories - // when the directory content changes. - // - // fsnotify.Chmod Attributes were changed. On Linux this is also sent - // when a file is removed (or more accurately, when a - // link to an inode is removed). On kqueue it's sent - // when a file is truncated. On Windows it's never - // sent. +type kqueue struct { + *shared Events chan Event - - // Errors sends any errors. - // - // ErrEventOverflow is used to indicate there are too many events: - // - // - inotify: There are too many queued events (fs.inotify.max_queued_events sysctl) - // - windows: The buffer size is too small; WithBufferSize() can be used to increase it. - // - kqueue, fen: Not used. Errors chan error - done chan struct{} - kq int // File descriptor (as returned by the kqueue() syscall). - closepipe [2]int // Pipe used for closing. - mu sync.Mutex // Protects access to watcher data - watches map[string]int // Watched file descriptors (key: path). - watchesByDir map[string]map[int]struct{} // Watched file descriptors indexed by the parent directory (key: dirname(path)). - userWatches map[string]struct{} // Watches added with Watcher.Add() - dirFlags map[string]uint32 // Watched directories to fflags used in kqueue. - paths map[int]pathInfo // File descriptors to path names for processing kqueue events. - fileExists map[string]struct{} // Keep track of if we know this file exists (to stop duplicate create events). - isClosed bool // Set to true when Close() is first called + kq int // File descriptor (as returned by the kqueue() syscall). + closepipe [2]int // Pipe used for closing kq. + watches *watches } -type pathInfo struct { - name string - isDir bool +type ( + watches struct { + mu sync.RWMutex + wd map[int]watch // wd → watch + path map[string]int // pathname → wd + byDir map[string]map[int]struct{} // dirname(path) → wd + seen map[string]struct{} // Keep track of if we know this file exists. + byUser map[string]struct{} // Watches added with Watcher.Add() + } + watch struct { + wd int + name string + linkName string // In case of links; name is the target, and this is the link. + isDir bool + dirFlags uint32 + } +) + +func newWatches() *watches { + return &watches{ + wd: make(map[int]watch), + path: make(map[string]int), + byDir: make(map[string]map[int]struct{}), + seen: make(map[string]struct{}), + byUser: make(map[string]struct{}), + } } -// NewWatcher creates a new Watcher. -func NewWatcher() (*Watcher, error) { - return NewBufferedWatcher(0) +func (w *watches) listPaths(userOnly bool) []string { + w.mu.RLock() + defer w.mu.RUnlock() + + if userOnly { + l := make([]string, 0, len(w.byUser)) + for p := range w.byUser { + l = append(l, p) + } + return l + } + + l := make([]string, 0, len(w.path)) + for p := range w.path { + l = append(l, p) + } + return l } -// NewBufferedWatcher creates a new Watcher with a buffered Watcher.Events -// channel. -// -// The main use case for this is situations with a very large number of events -// where the kernel buffer size can't be increased (e.g. due to lack of -// permissions). An unbuffered Watcher will perform better for almost all use -// cases, and whenever possible you will be better off increasing the kernel -// buffers instead of adding a large userspace buffer. -func NewBufferedWatcher(sz uint) (*Watcher, error) { +func (w *watches) watchesInDir(path string) []string { + w.mu.RLock() + defer w.mu.RUnlock() + + l := make([]string, 0, 4) + for fd := range w.byDir[path] { + info := w.wd[fd] + if _, ok := w.byUser[info.name]; !ok { + l = append(l, info.name) + } + } + return l +} + +// Mark path as added by the user. +func (w *watches) addUserWatch(path string) { + w.mu.Lock() + defer w.mu.Unlock() + w.byUser[path] = struct{}{} +} + +func (w *watches) addLink(path string, fd int) { + w.mu.Lock() + defer w.mu.Unlock() + + w.path[path] = fd + w.seen[path] = struct{}{} +} + +func (w *watches) add(path, linkPath string, fd int, isDir bool) { + w.mu.Lock() + defer w.mu.Unlock() + + w.path[path] = fd + w.wd[fd] = watch{wd: fd, name: path, linkName: linkPath, isDir: isDir} + + parent := filepath.Dir(path) + byDir, ok := w.byDir[parent] + if !ok { + byDir = make(map[int]struct{}, 1) + w.byDir[parent] = byDir + } + byDir[fd] = struct{}{} +} + +func (w *watches) byWd(fd int) (watch, bool) { + w.mu.RLock() + defer w.mu.RUnlock() + info, ok := w.wd[fd] + return info, ok +} + +func (w *watches) byPath(path string) (watch, bool) { + w.mu.RLock() + defer w.mu.RUnlock() + info, ok := w.wd[w.path[path]] + return info, ok +} + +func (w *watches) updateDirFlags(path string, flags uint32) bool { + w.mu.Lock() + defer w.mu.Unlock() + + fd, ok := w.path[path] + if !ok { // Already deleted: don't re-set it here. + return false + } + info := w.wd[fd] + info.dirFlags = flags + w.wd[fd] = info + return true +} + +func (w *watches) remove(fd int, path string) bool { + w.mu.Lock() + defer w.mu.Unlock() + + isDir := w.wd[fd].isDir + delete(w.path, path) + delete(w.byUser, path) + + parent := filepath.Dir(path) + delete(w.byDir[parent], fd) + + if len(w.byDir[parent]) == 0 { + delete(w.byDir, parent) + } + + delete(w.wd, fd) + delete(w.seen, path) + return isDir +} + +func (w *watches) markSeen(path string, exists bool) { + w.mu.Lock() + defer w.mu.Unlock() + if exists { + w.seen[path] = struct{}{} + } else { + delete(w.seen, path) + } +} + +func (w *watches) seenBefore(path string) bool { + w.mu.RLock() + defer w.mu.RUnlock() + _, ok := w.seen[path] + return ok +} + +var defaultBufferSize = 0 + +func newBackend(ev chan Event, errs chan error) (backend, error) { kq, closepipe, err := newKqueue() if err != nil { return nil, err } - w := &Watcher{ - kq: kq, - closepipe: closepipe, - watches: make(map[string]int), - watchesByDir: make(map[string]map[int]struct{}), - dirFlags: make(map[string]uint32), - paths: make(map[int]pathInfo), - fileExists: make(map[string]struct{}), - userWatches: make(map[string]struct{}), - Events: make(chan Event, sz), - Errors: make(chan error), - done: make(chan struct{}), + w := &kqueue{ + shared: newShared(ev, errs), + Events: ev, + Errors: errs, + kq: kq, + closepipe: closepipe, + watches: newWatches(), } go w.readEvents() @@ -193,7 +211,7 @@ func NewBufferedWatcher(sz uint) (*Watcher, error) { // all. func newKqueue() (kq int, closepipe [2]int, err error) { kq, err = unix.Kqueue() - if kq == -1 { + if err != nil { return kq, closepipe, err } @@ -203,6 +221,8 @@ func newKqueue() (kq int, closepipe [2]int, err error) { unix.Close(kq) return kq, closepipe, err } + unix.CloseOnExec(closepipe[0]) + unix.CloseOnExec(closepipe[1]) // Register changes to listen on the closepipe. changes := make([]unix.Kevent_t, 1) @@ -220,167 +240,72 @@ func newKqueue() (kq int, closepipe [2]int, err error) { return kq, closepipe, nil } -// Returns true if the event was sent, or false if watcher is closed. -func (w *Watcher) sendEvent(e Event) bool { - select { - case w.Events <- e: - return true - case <-w.done: - return false - } -} - -// Returns true if the error was sent, or false if watcher is closed. -func (w *Watcher) sendError(err error) bool { - select { - case w.Errors <- err: - return true - case <-w.done: - return false - } -} - -// Close removes all watches and closes the Events channel. -func (w *Watcher) Close() error { - w.mu.Lock() - if w.isClosed { - w.mu.Unlock() +func (w *kqueue) Close() error { + if w.shared.close() { return nil } - w.isClosed = true - // copy paths to remove while locked - pathsToRemove := make([]string, 0, len(w.watches)) - for name := range w.watches { - pathsToRemove = append(pathsToRemove, name) - } - w.mu.Unlock() // Unlock before calling Remove, which also locks + pathsToRemove := w.watches.listPaths(false) for _, name := range pathsToRemove { w.Remove(name) } - // Send "quit" message to the reader goroutine. - unix.Close(w.closepipe[1]) - close(w.done) - + unix.Close(w.closepipe[1]) // Send "quit" message to readEvents return nil } -// Add starts monitoring the path for changes. -// -// A path can only be watched once; watching it more than once is a no-op and will -// not return an error. Paths that do not yet exist on the filesystem cannot be -// watched. -// -// A watch will be automatically removed if the watched path is deleted or -// renamed. The exception is the Windows backend, which doesn't remove the -// watcher on renames. -// -// Notifications on network filesystems (NFS, SMB, FUSE, etc.) or special -// filesystems (/proc, /sys, etc.) generally don't work. -// -// Returns [ErrClosed] if [Watcher.Close] was called. -// -// See [Watcher.AddWith] for a version that allows adding options. -// -// # Watching directories -// -// All files in a directory are monitored, including new files that are created -// after the watcher is started. Subdirectories are not watched (i.e. it's -// non-recursive). -// -// # Watching files -// -// Watching individual files (rather than directories) is generally not -// recommended as many programs (especially editors) update files atomically: it -// will write to a temporary file which is then moved to to destination, -// overwriting the original (or some variant thereof). The watcher on the -// original file is now lost, as that no longer exists. -// -// The upshot of this is that a power failure or crash won't leave a -// half-written file. -// -// Watch the parent directory and use Event.Name to filter out files you're not -// interested in. There is an example of this in cmd/fsnotify/file.go. -func (w *Watcher) Add(name string) error { return w.AddWith(name) } +func (w *kqueue) Add(name string) error { return w.AddWith(name) } -// AddWith is like [Watcher.Add], but allows adding options. When using Add() -// the defaults described below are used. -// -// Possible options are: -// -// - [WithBufferSize] sets the buffer size for the Windows backend; no-op on -// other platforms. The default is 64K (65536 bytes). -func (w *Watcher) AddWith(name string, opts ...addOpt) error { - _ = getOptions(opts...) +func (w *kqueue) AddWith(name string, opts ...addOpt) error { + if debug { + fmt.Fprintf(os.Stderr, "FSNOTIFY_DEBUG: %s AddWith(%q)\n", + time.Now().Format("15:04:05.000000000"), name) + } - w.mu.Lock() - w.userWatches[name] = struct{}{} - w.mu.Unlock() - _, err := w.addWatch(name, noteAllEvents) - return err + with := getOptions(opts...) + if !w.xSupports(with.op) { + return fmt.Errorf("%w: %s", xErrUnsupported, with.op) + } + + _, err := w.addWatch(name, noteAllEvents, false) + if err != nil { + return err + } + w.watches.addUserWatch(name) + return nil } -// Remove stops monitoring the path for changes. -// -// Directories are always removed non-recursively. For example, if you added -// /tmp/dir and /tmp/dir/subdir then you will need to remove both. -// -// Removing a path that has not yet been added returns [ErrNonExistentWatch]. -// -// Returns nil if [Watcher.Close] was called. -func (w *Watcher) Remove(name string) error { +func (w *kqueue) Remove(name string) error { + if debug { + fmt.Fprintf(os.Stderr, "FSNOTIFY_DEBUG: %s Remove(%q)\n", + time.Now().Format("15:04:05.000000000"), name) + } return w.remove(name, true) } -func (w *Watcher) remove(name string, unwatchFiles bool) error { - name = filepath.Clean(name) - w.mu.Lock() - if w.isClosed { - w.mu.Unlock() +func (w *kqueue) remove(name string, unwatchFiles bool) error { + if w.isClosed() { return nil } - watchfd, ok := w.watches[name] - w.mu.Unlock() + + name = filepath.Clean(name) + info, ok := w.watches.byPath(name) if !ok { return fmt.Errorf("%w: %s", ErrNonExistentWatch, name) } - err := w.register([]int{watchfd}, unix.EV_DELETE, 0) + err := w.register([]int{info.wd}, unix.EV_DELETE, 0) if err != nil { return err } - unix.Close(watchfd) - - w.mu.Lock() - isDir := w.paths[watchfd].isDir - delete(w.watches, name) - delete(w.userWatches, name) - - parentName := filepath.Dir(name) - delete(w.watchesByDir[parentName], watchfd) - - if len(w.watchesByDir[parentName]) == 0 { - delete(w.watchesByDir, parentName) - } + unix.Close(info.wd) - delete(w.paths, watchfd) - delete(w.dirFlags, name) - delete(w.fileExists, name) - w.mu.Unlock() + isDir := w.watches.remove(info.wd, name) // Find all watched paths that are in this directory that are not external. if unwatchFiles && isDir { - var pathsToRemove []string - w.mu.Lock() - for fd := range w.watchesByDir[name] { - path := w.paths[fd] - if _, ok := w.userWatches[path.name]; !ok { - pathsToRemove = append(pathsToRemove, path.name) - } - } - w.mu.Unlock() + pathsToRemove := w.watches.watchesInDir(name) for _, name := range pathsToRemove { // Since these are internal, not much sense in propagating error to // the user, as that will just confuse them with an error about a @@ -391,23 +316,11 @@ func (w *Watcher) remove(name string, unwatchFiles bool) error { return nil } -// WatchList returns all paths explicitly added with [Watcher.Add] (and are not -// yet removed). -// -// Returns nil if [Watcher.Close] was called. -func (w *Watcher) WatchList() []string { - w.mu.Lock() - defer w.mu.Unlock() - if w.isClosed { +func (w *kqueue) WatchList() []string { + if w.isClosed() { return nil } - - entries := make([]string, 0, len(w.userWatches)) - for pathname := range w.userWatches { - entries = append(entries, pathname) - } - - return entries + return w.watches.listPaths(true) } // Watch all events (except NOTE_EXTEND, NOTE_LINK, NOTE_REVOKE) @@ -417,114 +330,93 @@ const noteAllEvents = unix.NOTE_DELETE | unix.NOTE_WRITE | unix.NOTE_ATTRIB | un // described in kevent(2). // // Returns the real path to the file which was added, with symlinks resolved. -func (w *Watcher) addWatch(name string, flags uint32) (string, error) { - var isDir bool - name = filepath.Clean(name) - - w.mu.Lock() - if w.isClosed { - w.mu.Unlock() +func (w *kqueue) addWatch(name string, flags uint32, listDir bool) (string, error) { + if w.isClosed() { return "", ErrClosed } - watchfd, alreadyWatching := w.watches[name] - // We already have a watch, but we can still override flags. - if alreadyWatching { - isDir = w.paths[watchfd].isDir - } - w.mu.Unlock() + name = filepath.Clean(name) + + info, alreadyWatching := w.watches.byPath(name) if !alreadyWatching { fi, err := os.Lstat(name) if err != nil { return "", err } - // Don't watch sockets or named pipes + // Don't watch sockets or named pipes. if (fi.Mode()&os.ModeSocket == os.ModeSocket) || (fi.Mode()&os.ModeNamedPipe == os.ModeNamedPipe) { return "", nil } - // Follow Symlinks. - if fi.Mode()&os.ModeSymlink == os.ModeSymlink { + // Follow symlinks, but only for paths added with Add(), and not paths + // we're adding from internalWatch from a listdir. + if !listDir && fi.Mode()&os.ModeSymlink == os.ModeSymlink { link, err := os.Readlink(name) if err != nil { - // Return nil because Linux can add unresolvable symlinks to the - // watch list without problems, so maintain consistency with - // that. There will be no file events for broken symlinks. - // TODO: more specific check; returns os.PathError; ENOENT? - return "", nil + return "", err + } + if !filepath.IsAbs(link) { + link = filepath.Join(filepath.Dir(name), link) } - w.mu.Lock() - _, alreadyWatching = w.watches[link] - w.mu.Unlock() - + _, alreadyWatching = w.watches.byPath(link) if alreadyWatching { // Add to watches so we don't get spurious Create events later // on when we diff the directories. - w.watches[name] = 0 - w.fileExists[name] = struct{}{} + w.watches.addLink(name, 0) return link, nil } + info.linkName = name name = link fi, err = os.Lstat(name) if err != nil { - return "", nil + return "", err } } // Retry on EINTR; open() can return EINTR in practice on macOS. // See #354, and Go issues 11180 and 39237. for { - watchfd, err = unix.Open(name, openMode, 0) + info.wd, err = unix.Open(name, openMode, 0) if err == nil { break } if errors.Is(err, unix.EINTR) { continue } - return "", err } - isDir = fi.IsDir() + info.isDir = fi.IsDir() } - err := w.register([]int{watchfd}, unix.EV_ADD|unix.EV_CLEAR|unix.EV_ENABLE, flags) + err := w.register([]int{info.wd}, unix.EV_ADD|unix.EV_CLEAR|unix.EV_ENABLE, flags) if err != nil { - unix.Close(watchfd) + unix.Close(info.wd) return "", err } if !alreadyWatching { - w.mu.Lock() - parentName := filepath.Dir(name) - w.watches[name] = watchfd - - watchesByDir, ok := w.watchesByDir[parentName] - if !ok { - watchesByDir = make(map[int]struct{}, 1) - w.watchesByDir[parentName] = watchesByDir - } - watchesByDir[watchfd] = struct{}{} - w.paths[watchfd] = pathInfo{name: name, isDir: isDir} - w.mu.Unlock() + w.watches.add(name, info.linkName, info.wd, info.isDir) } - if isDir { - // Watch the directory if it has not been watched before, or if it was - // watched before, but perhaps only a NOTE_DELETE (watchDirectoryFiles) - w.mu.Lock() - + // Watch the directory if it has not been watched before, or if it was + // watched before, but perhaps only a NOTE_DELETE (watchDirectoryFiles) + if info.isDir { watchDir := (flags&unix.NOTE_WRITE) == unix.NOTE_WRITE && - (!alreadyWatching || (w.dirFlags[name]&unix.NOTE_WRITE) != unix.NOTE_WRITE) - // Store flags so this watch can be updated later - w.dirFlags[name] = flags - w.mu.Unlock() + (!alreadyWatching || (info.dirFlags&unix.NOTE_WRITE) != unix.NOTE_WRITE) + if !w.watches.updateDirFlags(name, flags) { + return "", nil + } if watchDir { - if err := w.watchDirectoryFiles(name); err != nil { + d := name + if info.linkName != "" { + d = info.linkName + } + if err := w.watchDirectoryFiles(d); err != nil { return "", err } } @@ -534,7 +426,7 @@ func (w *Watcher) addWatch(name string, flags uint32) (string, error) { // readEvents reads from kqueue and converts the received kevents into // Event values that it sends down the Events channel. -func (w *Watcher) readEvents() { +func (w *kqueue) readEvents() { defer func() { close(w.Events) close(w.Errors) @@ -543,50 +435,65 @@ func (w *Watcher) readEvents() { }() eventBuffer := make([]unix.Kevent_t, 10) - for closed := false; !closed; { + for { kevents, err := w.read(eventBuffer) // EINTR is okay, the syscall was interrupted before timeout expired. if err != nil && err != unix.EINTR { if !w.sendError(fmt.Errorf("fsnotify.readEvents: %w", err)) { - closed = true + return } - continue } - // Flush the events we received to the Events channel for _, kevent := range kevents { var ( - watchfd = int(kevent.Ident) - mask = uint32(kevent.Fflags) + wd = int(kevent.Ident) + mask = uint32(kevent.Fflags) ) // Shut down the loop when the pipe is closed, but only after all // other events have been processed. - if watchfd == w.closepipe[0] { - closed = true - continue + if wd == w.closepipe[0] { + return + } + + path, ok := w.watches.byWd(wd) + if debug { + internal.Debug(path.name, &kevent) } - w.mu.Lock() - path := w.paths[watchfd] - w.mu.Unlock() + // On macOS it seems that sometimes an event with Ident=0 is + // delivered, and no other flags/information beyond that, even + // though we never saw such a file descriptor. For example in + // TestWatchSymlink/277 (usually at the end, but sometimes sooner): + // + // fmt.Printf("READ: %2d %#v\n", kevent.Ident, kevent) + // unix.Kevent_t{Ident:0x2a, Filter:-4, Flags:0x25, Fflags:0x2, Data:0, Udata:(*uint8)(nil)} + // unix.Kevent_t{Ident:0x0, Filter:-4, Flags:0x25, Fflags:0x2, Data:0, Udata:(*uint8)(nil)} + // + // The first is a normal event, the second with Ident 0. No error + // flag, no data, no ... nothing. + // + // I read a bit through bsd/kern_event.c from the xnu source, but I + // don't really see an obvious location where this is triggered – + // this doesn't seem intentional, but idk... + // + // Technically fd 0 is a valid descriptor, so only skip it if + // there's no path, and if we're on macOS. + if !ok && kevent.Ident == 0 && runtime.GOOS == "darwin" { + continue + } - event := w.newEvent(path.name, mask) + event := w.newEvent(path.name, path.linkName, mask) if event.Has(Rename) || event.Has(Remove) { w.remove(event.Name, false) - w.mu.Lock() - delete(w.fileExists, event.Name) - w.mu.Unlock() + w.watches.markSeen(event.Name, false) } if path.isDir && event.Has(Write) && !event.Has(Remove) { - w.sendDirectoryChangeEvents(event.Name) - } else { - if !w.sendEvent(event) { - closed = true - continue - } + w.dirChange(event.Name) + } else if !w.sendEvent(event) { + return } if event.Has(Remove) { @@ -594,25 +501,34 @@ func (w *Watcher) readEvents() { // mv f1 f2 will delete f2, then create f2. if path.isDir { fileDir := filepath.Clean(event.Name) - w.mu.Lock() - _, found := w.watches[fileDir] - w.mu.Unlock() + _, found := w.watches.byPath(fileDir) if found { - err := w.sendDirectoryChangeEvents(fileDir) - if err != nil { - if !w.sendError(err) { - closed = true - } + // TODO: this branch is never triggered in any test. + // Added in d6220df (2012). + // isDir check added in 8611c35 (2016): https://github.com/fsnotify/fsnotify/pull/111 + // + // I don't really get how this can be triggered either. + // And it wasn't triggered in the patch that added it, + // either. + // + // Original also had a comment: + // make sure the directory exists before we watch for + // changes. When we do a recursive watch and perform + // rm -rf, the parent directory might have gone + // missing, ignore the missing directory and let the + // upcoming delete event remove the watch from the + // parent directory. + err := w.dirChange(fileDir) + if !w.sendError(err) { + return } } } else { - filePath := filepath.Clean(event.Name) - if fi, err := os.Lstat(filePath); err == nil { - err := w.sendFileCreatedEventIfNew(filePath, fi) - if err != nil { - if !w.sendError(err) { - closed = true - } + path := filepath.Clean(event.Name) + if fi, err := os.Lstat(path); err == nil { + err := w.sendCreateIfNew(path, fi) + if !w.sendError(err) { + return } } } @@ -622,8 +538,14 @@ func (w *Watcher) readEvents() { } // newEvent returns an platform-independent Event based on kqueue Fflags. -func (w *Watcher) newEvent(name string, mask uint32) Event { +func (w *kqueue) newEvent(name, linkName string, mask uint32) Event { e := Event{Name: name} + if linkName != "" { + // If the user watched "/path/link" then emit events as "/path/link" + // rather than "/path/target". + e.Name = linkName + } + if mask&unix.NOTE_DELETE == unix.NOTE_DELETE { e.Op |= Remove } @@ -645,8 +567,7 @@ func (w *Watcher) newEvent(name string, mask uint32) Event { } // watchDirectoryFiles to mimic inotify when adding a watch on a directory -func (w *Watcher) watchDirectoryFiles(dirPath string) error { - // Get all files +func (w *kqueue) watchDirectoryFiles(dirPath string) error { files, err := os.ReadDir(dirPath) if err != nil { return err @@ -674,9 +595,7 @@ func (w *Watcher) watchDirectoryFiles(dirPath string) error { } } - w.mu.Lock() - w.fileExists[cleanPath] = struct{}{} - w.mu.Unlock() + w.watches.markSeen(cleanPath, true) } return nil @@ -686,7 +605,7 @@ func (w *Watcher) watchDirectoryFiles(dirPath string) error { // // This functionality is to have the BSD watcher match the inotify, which sends // a create event for files created in a watched directory. -func (w *Watcher) sendDirectoryChangeEvents(dir string) error { +func (w *kqueue) dirChange(dir string) error { files, err := os.ReadDir(dir) if err != nil { // Directory no longer exists: we can ignore this safely. kqueue will @@ -694,69 +613,62 @@ func (w *Watcher) sendDirectoryChangeEvents(dir string) error { if errors.Is(err, os.ErrNotExist) { return nil } - return fmt.Errorf("fsnotify.sendDirectoryChangeEvents: %w", err) + return fmt.Errorf("fsnotify.dirChange %q: %w", dir, err) } for _, f := range files { fi, err := f.Info() if err != nil { - return fmt.Errorf("fsnotify.sendDirectoryChangeEvents: %w", err) + if errors.Is(err, os.ErrNotExist) { + return nil + } + return fmt.Errorf("fsnotify.dirChange: %w", err) } - err = w.sendFileCreatedEventIfNew(filepath.Join(dir, fi.Name()), fi) + err = w.sendCreateIfNew(filepath.Join(dir, fi.Name()), fi) if err != nil { // Don't need to send an error if this file isn't readable. - if errors.Is(err, unix.EACCES) || errors.Is(err, unix.EPERM) { + if errors.Is(err, unix.EACCES) || errors.Is(err, unix.EPERM) || errors.Is(err, os.ErrNotExist) { return nil } - return fmt.Errorf("fsnotify.sendDirectoryChangeEvents: %w", err) + return fmt.Errorf("fsnotify.dirChange: %w", err) } } return nil } -// sendFileCreatedEvent sends a create event if the file isn't already being tracked. -func (w *Watcher) sendFileCreatedEventIfNew(filePath string, fi os.FileInfo) (err error) { - w.mu.Lock() - _, doesExist := w.fileExists[filePath] - w.mu.Unlock() - if !doesExist { - if !w.sendEvent(Event{Name: filePath, Op: Create}) { - return +// Send a create event if the file isn't already being tracked, and start +// watching this file. +func (w *kqueue) sendCreateIfNew(path string, fi os.FileInfo) error { + if !w.watches.seenBefore(path) { + if !w.sendEvent(Event{Name: path, Op: Create}) { + return nil } } - // like watchDirectoryFiles (but without doing another ReadDir) - filePath, err = w.internalWatch(filePath, fi) + // Like watchDirectoryFiles, but without doing another ReadDir. + path, err := w.internalWatch(path, fi) if err != nil { return err } - - w.mu.Lock() - w.fileExists[filePath] = struct{}{} - w.mu.Unlock() - + w.watches.markSeen(path, true) return nil } -func (w *Watcher) internalWatch(name string, fi os.FileInfo) (string, error) { +func (w *kqueue) internalWatch(name string, fi os.FileInfo) (string, error) { if fi.IsDir() { // mimic Linux providing delete events for subdirectories, but preserve // the flags used if currently watching subdirectory - w.mu.Lock() - flags := w.dirFlags[name] - w.mu.Unlock() - - flags |= unix.NOTE_DELETE | unix.NOTE_RENAME - return w.addWatch(name, flags) + info, _ := w.watches.byPath(name) + return w.addWatch(name, info.dirFlags|unix.NOTE_DELETE|unix.NOTE_RENAME, true) } - // watch file to mimic Linux inotify - return w.addWatch(name, noteAllEvents) + // Watch file to mimic Linux inotify. + return w.addWatch(name, noteAllEvents, true) } // Register events with the queue. -func (w *Watcher) register(fds []int, flags int, fflags uint32) error { +func (w *kqueue) register(fds []int, flags int, fflags uint32) error { changes := make([]unix.Kevent_t, len(fds)) for i, fd := range fds { // SetKevent converts int to the platform-specific types. @@ -773,10 +685,21 @@ func (w *Watcher) register(fds []int, flags int, fflags uint32) error { } // read retrieves pending events, or waits until an event occurs. -func (w *Watcher) read(events []unix.Kevent_t) ([]unix.Kevent_t, error) { +func (w *kqueue) read(events []unix.Kevent_t) ([]unix.Kevent_t, error) { n, err := unix.Kevent(w.kq, nil, events, nil) if err != nil { return nil, err } return events[0:n], nil } + +func (w *kqueue) xSupports(op Op) bool { + //if runtime.GOOS == "freebsd" { + // return true // Supports everything. + //} + if op.Has(xUnportableOpen) || op.Has(xUnportableRead) || + op.Has(xUnportableCloseWrite) || op.Has(xUnportableCloseRead) { + return false + } + return true +} diff --git a/vendor/github.com/fsnotify/fsnotify/backend_other.go b/vendor/github.com/fsnotify/fsnotify/backend_other.go index d34a23c01..b8c0ad722 100644 --- a/vendor/github.com/fsnotify/fsnotify/backend_other.go +++ b/vendor/github.com/fsnotify/fsnotify/backend_other.go @@ -1,205 +1,22 @@ //go:build appengine || (!darwin && !dragonfly && !freebsd && !openbsd && !linux && !netbsd && !solaris && !windows) -// +build appengine !darwin,!dragonfly,!freebsd,!openbsd,!linux,!netbsd,!solaris,!windows - -// Note: the documentation on the Watcher type and methods is generated from -// mkdoc.zsh package fsnotify import "errors" -// Watcher watches a set of paths, delivering events on a channel. -// -// A watcher should not be copied (e.g. pass it by pointer, rather than by -// value). -// -// # Linux notes -// -// When a file is removed a Remove event won't be emitted until all file -// descriptors are closed, and deletes will always emit a Chmod. For example: -// -// fp := os.Open("file") -// os.Remove("file") // Triggers Chmod -// fp.Close() // Triggers Remove -// -// This is the event that inotify sends, so not much can be changed about this. -// -// The fs.inotify.max_user_watches sysctl variable specifies the upper limit -// for the number of watches per user, and fs.inotify.max_user_instances -// specifies the maximum number of inotify instances per user. Every Watcher you -// create is an "instance", and every path you add is a "watch". -// -// These are also exposed in /proc as /proc/sys/fs/inotify/max_user_watches and -// /proc/sys/fs/inotify/max_user_instances -// -// To increase them you can use sysctl or write the value to the /proc file: -// -// # Default values on Linux 5.18 -// sysctl fs.inotify.max_user_watches=124983 -// sysctl fs.inotify.max_user_instances=128 -// -// To make the changes persist on reboot edit /etc/sysctl.conf or -// /usr/lib/sysctl.d/50-default.conf (details differ per Linux distro; check -// your distro's documentation): -// -// fs.inotify.max_user_watches=124983 -// fs.inotify.max_user_instances=128 -// -// Reaching the limit will result in a "no space left on device" or "too many open -// files" error. -// -// # kqueue notes (macOS, BSD) -// -// kqueue requires opening a file descriptor for every file that's being watched; -// so if you're watching a directory with five files then that's six file -// descriptors. You will run in to your system's "max open files" limit faster on -// these platforms. -// -// The sysctl variables kern.maxfiles and kern.maxfilesperproc can be used to -// control the maximum number of open files, as well as /etc/login.conf on BSD -// systems. -// -// # Windows notes -// -// Paths can be added as "C:\path\to\dir", but forward slashes -// ("C:/path/to/dir") will also work. -// -// When a watched directory is removed it will always send an event for the -// directory itself, but may not send events for all files in that directory. -// Sometimes it will send events for all times, sometimes it will send no -// events, and often only for some files. -// -// The default ReadDirectoryChangesW() buffer size is 64K, which is the largest -// value that is guaranteed to work with SMB filesystems. If you have many -// events in quick succession this may not be enough, and you will have to use -// [WithBufferSize] to increase the value. -type Watcher struct { - // Events sends the filesystem change events. - // - // fsnotify can send the following events; a "path" here can refer to a - // file, directory, symbolic link, or special file like a FIFO. - // - // fsnotify.Create A new path was created; this may be followed by one - // or more Write events if data also gets written to a - // file. - // - // fsnotify.Remove A path was removed. - // - // fsnotify.Rename A path was renamed. A rename is always sent with the - // old path as Event.Name, and a Create event will be - // sent with the new name. Renames are only sent for - // paths that are currently watched; e.g. moving an - // unmonitored file into a monitored directory will - // show up as just a Create. Similarly, renaming a file - // to outside a monitored directory will show up as - // only a Rename. - // - // fsnotify.Write A file or named pipe was written to. A Truncate will - // also trigger a Write. A single "write action" - // initiated by the user may show up as one or multiple - // writes, depending on when the system syncs things to - // disk. For example when compiling a large Go program - // you may get hundreds of Write events, and you may - // want to wait until you've stopped receiving them - // (see the dedup example in cmd/fsnotify). - // - // Some systems may send Write event for directories - // when the directory content changes. - // - // fsnotify.Chmod Attributes were changed. On Linux this is also sent - // when a file is removed (or more accurately, when a - // link to an inode is removed). On kqueue it's sent - // when a file is truncated. On Windows it's never - // sent. +type other struct { Events chan Event - - // Errors sends any errors. - // - // ErrEventOverflow is used to indicate there are too many events: - // - // - inotify: There are too many queued events (fs.inotify.max_queued_events sysctl) - // - windows: The buffer size is too small; WithBufferSize() can be used to increase it. - // - kqueue, fen: Not used. Errors chan error } -// NewWatcher creates a new Watcher. -func NewWatcher() (*Watcher, error) { +var defaultBufferSize = 0 + +func newBackend(ev chan Event, errs chan error) (backend, error) { return nil, errors.New("fsnotify not supported on the current platform") } - -// NewBufferedWatcher creates a new Watcher with a buffered Watcher.Events -// channel. -// -// The main use case for this is situations with a very large number of events -// where the kernel buffer size can't be increased (e.g. due to lack of -// permissions). An unbuffered Watcher will perform better for almost all use -// cases, and whenever possible you will be better off increasing the kernel -// buffers instead of adding a large userspace buffer. -func NewBufferedWatcher(sz uint) (*Watcher, error) { return NewWatcher() } - -// Close removes all watches and closes the Events channel. -func (w *Watcher) Close() error { return nil } - -// WatchList returns all paths explicitly added with [Watcher.Add] (and are not -// yet removed). -// -// Returns nil if [Watcher.Close] was called. -func (w *Watcher) WatchList() []string { return nil } - -// Add starts monitoring the path for changes. -// -// A path can only be watched once; watching it more than once is a no-op and will -// not return an error. Paths that do not yet exist on the filesystem cannot be -// watched. -// -// A watch will be automatically removed if the watched path is deleted or -// renamed. The exception is the Windows backend, which doesn't remove the -// watcher on renames. -// -// Notifications on network filesystems (NFS, SMB, FUSE, etc.) or special -// filesystems (/proc, /sys, etc.) generally don't work. -// -// Returns [ErrClosed] if [Watcher.Close] was called. -// -// See [Watcher.AddWith] for a version that allows adding options. -// -// # Watching directories -// -// All files in a directory are monitored, including new files that are created -// after the watcher is started. Subdirectories are not watched (i.e. it's -// non-recursive). -// -// # Watching files -// -// Watching individual files (rather than directories) is generally not -// recommended as many programs (especially editors) update files atomically: it -// will write to a temporary file which is then moved to to destination, -// overwriting the original (or some variant thereof). The watcher on the -// original file is now lost, as that no longer exists. -// -// The upshot of this is that a power failure or crash won't leave a -// half-written file. -// -// Watch the parent directory and use Event.Name to filter out files you're not -// interested in. There is an example of this in cmd/fsnotify/file.go. -func (w *Watcher) Add(name string) error { return nil } - -// AddWith is like [Watcher.Add], but allows adding options. When using Add() -// the defaults described below are used. -// -// Possible options are: -// -// - [WithBufferSize] sets the buffer size for the Windows backend; no-op on -// other platforms. The default is 64K (65536 bytes). -func (w *Watcher) AddWith(name string, opts ...addOpt) error { return nil } - -// Remove stops monitoring the path for changes. -// -// Directories are always removed non-recursively. For example, if you added -// /tmp/dir and /tmp/dir/subdir then you will need to remove both. -// -// Removing a path that has not yet been added returns [ErrNonExistentWatch]. -// -// Returns nil if [Watcher.Close] was called. -func (w *Watcher) Remove(name string) error { return nil } +func (w *other) Close() error { return nil } +func (w *other) WatchList() []string { return nil } +func (w *other) Add(name string) error { return nil } +func (w *other) AddWith(name string, opts ...addOpt) error { return nil } +func (w *other) Remove(name string) error { return nil } +func (w *other) xSupports(op Op) bool { return false } diff --git a/vendor/github.com/fsnotify/fsnotify/backend_windows.go b/vendor/github.com/fsnotify/fsnotify/backend_windows.go index 9bc91e5d6..3433642d6 100644 --- a/vendor/github.com/fsnotify/fsnotify/backend_windows.go +++ b/vendor/github.com/fsnotify/fsnotify/backend_windows.go @@ -1,12 +1,8 @@ //go:build windows -// +build windows // Windows backend based on ReadDirectoryChangesW() // // https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-readdirectorychangesw -// -// Note: the documentation on the Watcher type and methods is generated from -// mkdoc.zsh package fsnotify @@ -19,196 +15,80 @@ import ( "runtime" "strings" "sync" + "time" "unsafe" + "github.com/fsnotify/fsnotify/internal" "golang.org/x/sys/windows" ) -// Watcher watches a set of paths, delivering events on a channel. -// -// A watcher should not be copied (e.g. pass it by pointer, rather than by -// value). -// -// # Linux notes -// -// When a file is removed a Remove event won't be emitted until all file -// descriptors are closed, and deletes will always emit a Chmod. For example: -// -// fp := os.Open("file") -// os.Remove("file") // Triggers Chmod -// fp.Close() // Triggers Remove -// -// This is the event that inotify sends, so not much can be changed about this. -// -// The fs.inotify.max_user_watches sysctl variable specifies the upper limit -// for the number of watches per user, and fs.inotify.max_user_instances -// specifies the maximum number of inotify instances per user. Every Watcher you -// create is an "instance", and every path you add is a "watch". -// -// These are also exposed in /proc as /proc/sys/fs/inotify/max_user_watches and -// /proc/sys/fs/inotify/max_user_instances -// -// To increase them you can use sysctl or write the value to the /proc file: -// -// # Default values on Linux 5.18 -// sysctl fs.inotify.max_user_watches=124983 -// sysctl fs.inotify.max_user_instances=128 -// -// To make the changes persist on reboot edit /etc/sysctl.conf or -// /usr/lib/sysctl.d/50-default.conf (details differ per Linux distro; check -// your distro's documentation): -// -// fs.inotify.max_user_watches=124983 -// fs.inotify.max_user_instances=128 -// -// Reaching the limit will result in a "no space left on device" or "too many open -// files" error. -// -// # kqueue notes (macOS, BSD) -// -// kqueue requires opening a file descriptor for every file that's being watched; -// so if you're watching a directory with five files then that's six file -// descriptors. You will run in to your system's "max open files" limit faster on -// these platforms. -// -// The sysctl variables kern.maxfiles and kern.maxfilesperproc can be used to -// control the maximum number of open files, as well as /etc/login.conf on BSD -// systems. -// -// # Windows notes -// -// Paths can be added as "C:\path\to\dir", but forward slashes -// ("C:/path/to/dir") will also work. -// -// When a watched directory is removed it will always send an event for the -// directory itself, but may not send events for all files in that directory. -// Sometimes it will send events for all times, sometimes it will send no -// events, and often only for some files. -// -// The default ReadDirectoryChangesW() buffer size is 64K, which is the largest -// value that is guaranteed to work with SMB filesystems. If you have many -// events in quick succession this may not be enough, and you will have to use -// [WithBufferSize] to increase the value. -type Watcher struct { - // Events sends the filesystem change events. - // - // fsnotify can send the following events; a "path" here can refer to a - // file, directory, symbolic link, or special file like a FIFO. - // - // fsnotify.Create A new path was created; this may be followed by one - // or more Write events if data also gets written to a - // file. - // - // fsnotify.Remove A path was removed. - // - // fsnotify.Rename A path was renamed. A rename is always sent with the - // old path as Event.Name, and a Create event will be - // sent with the new name. Renames are only sent for - // paths that are currently watched; e.g. moving an - // unmonitored file into a monitored directory will - // show up as just a Create. Similarly, renaming a file - // to outside a monitored directory will show up as - // only a Rename. - // - // fsnotify.Write A file or named pipe was written to. A Truncate will - // also trigger a Write. A single "write action" - // initiated by the user may show up as one or multiple - // writes, depending on when the system syncs things to - // disk. For example when compiling a large Go program - // you may get hundreds of Write events, and you may - // want to wait until you've stopped receiving them - // (see the dedup example in cmd/fsnotify). - // - // Some systems may send Write event for directories - // when the directory content changes. - // - // fsnotify.Chmod Attributes were changed. On Linux this is also sent - // when a file is removed (or more accurately, when a - // link to an inode is removed). On kqueue it's sent - // when a file is truncated. On Windows it's never - // sent. +type readDirChangesW struct { Events chan Event - - // Errors sends any errors. - // - // ErrEventOverflow is used to indicate there are too many events: - // - // - inotify: There are too many queued events (fs.inotify.max_queued_events sysctl) - // - windows: The buffer size is too small; WithBufferSize() can be used to increase it. - // - kqueue, fen: Not used. Errors chan error port windows.Handle // Handle to completion port input chan *input // Inputs to the reader are sent on this channel - quit chan chan<- error + done chan chan<- error mu sync.Mutex // Protects access to watches, closed watches watchMap // Map of watches (key: i-number) closed bool // Set to true when Close() is first called } -// NewWatcher creates a new Watcher. -func NewWatcher() (*Watcher, error) { - return NewBufferedWatcher(50) -} +var defaultBufferSize = 50 -// NewBufferedWatcher creates a new Watcher with a buffered Watcher.Events -// channel. -// -// The main use case for this is situations with a very large number of events -// where the kernel buffer size can't be increased (e.g. due to lack of -// permissions). An unbuffered Watcher will perform better for almost all use -// cases, and whenever possible you will be better off increasing the kernel -// buffers instead of adding a large userspace buffer. -func NewBufferedWatcher(sz uint) (*Watcher, error) { +func newBackend(ev chan Event, errs chan error) (backend, error) { port, err := windows.CreateIoCompletionPort(windows.InvalidHandle, 0, 0, 0) if err != nil { return nil, os.NewSyscallError("CreateIoCompletionPort", err) } - w := &Watcher{ + w := &readDirChangesW{ + Events: ev, + Errors: errs, port: port, watches: make(watchMap), input: make(chan *input, 1), - Events: make(chan Event, sz), - Errors: make(chan error), - quit: make(chan chan<- error, 1), + done: make(chan chan<- error, 1), } go w.readEvents() return w, nil } -func (w *Watcher) isClosed() bool { +func (w *readDirChangesW) isClosed() bool { w.mu.Lock() defer w.mu.Unlock() return w.closed } -func (w *Watcher) sendEvent(name string, mask uint64) bool { +func (w *readDirChangesW) sendEvent(name, renamedFrom string, mask uint64) bool { if mask == 0 { return false } event := w.newEvent(name, uint32(mask)) + event.renamedFrom = renamedFrom select { - case ch := <-w.quit: - w.quit <- ch + case ch := <-w.done: + w.done <- ch case w.Events <- event: } return true } // Returns true if the error was sent, or false if watcher is closed. -func (w *Watcher) sendError(err error) bool { +func (w *readDirChangesW) sendError(err error) bool { + if err == nil { + return true + } select { + case <-w.done: + return false case w.Errors <- err: return true - case <-w.quit: } - return false } -// Close removes all watches and closes the Events channel. -func (w *Watcher) Close() error { +func (w *readDirChangesW) Close() error { if w.isClosed() { return nil } @@ -217,66 +97,30 @@ func (w *Watcher) Close() error { w.closed = true w.mu.Unlock() - // Send "quit" message to the reader goroutine + // Send "done" message to the reader goroutine ch := make(chan error) - w.quit <- ch + w.done <- ch if err := w.wakeupReader(); err != nil { return err } return <-ch } -// Add starts monitoring the path for changes. -// -// A path can only be watched once; watching it more than once is a no-op and will -// not return an error. Paths that do not yet exist on the filesystem cannot be -// watched. -// -// A watch will be automatically removed if the watched path is deleted or -// renamed. The exception is the Windows backend, which doesn't remove the -// watcher on renames. -// -// Notifications on network filesystems (NFS, SMB, FUSE, etc.) or special -// filesystems (/proc, /sys, etc.) generally don't work. -// -// Returns [ErrClosed] if [Watcher.Close] was called. -// -// See [Watcher.AddWith] for a version that allows adding options. -// -// # Watching directories -// -// All files in a directory are monitored, including new files that are created -// after the watcher is started. Subdirectories are not watched (i.e. it's -// non-recursive). -// -// # Watching files -// -// Watching individual files (rather than directories) is generally not -// recommended as many programs (especially editors) update files atomically: it -// will write to a temporary file which is then moved to to destination, -// overwriting the original (or some variant thereof). The watcher on the -// original file is now lost, as that no longer exists. -// -// The upshot of this is that a power failure or crash won't leave a -// half-written file. -// -// Watch the parent directory and use Event.Name to filter out files you're not -// interested in. There is an example of this in cmd/fsnotify/file.go. -func (w *Watcher) Add(name string) error { return w.AddWith(name) } +func (w *readDirChangesW) Add(name string) error { return w.AddWith(name) } -// AddWith is like [Watcher.Add], but allows adding options. When using Add() -// the defaults described below are used. -// -// Possible options are: -// -// - [WithBufferSize] sets the buffer size for the Windows backend; no-op on -// other platforms. The default is 64K (65536 bytes). -func (w *Watcher) AddWith(name string, opts ...addOpt) error { +func (w *readDirChangesW) AddWith(name string, opts ...addOpt) error { if w.isClosed() { return ErrClosed } + if debug { + fmt.Fprintf(os.Stderr, "FSNOTIFY_DEBUG: %s AddWith(%q)\n", + time.Now().Format("15:04:05.000000000"), filepath.ToSlash(name)) + } with := getOptions(opts...) + if !w.xSupports(with.op) { + return fmt.Errorf("%w: %s", xErrUnsupported, with.op) + } if with.bufsize < 4096 { return fmt.Errorf("fsnotify.WithBufferSize: buffer size cannot be smaller than 4096 bytes") } @@ -295,18 +139,14 @@ func (w *Watcher) AddWith(name string, opts ...addOpt) error { return <-in.reply } -// Remove stops monitoring the path for changes. -// -// Directories are always removed non-recursively. For example, if you added -// /tmp/dir and /tmp/dir/subdir then you will need to remove both. -// -// Removing a path that has not yet been added returns [ErrNonExistentWatch]. -// -// Returns nil if [Watcher.Close] was called. -func (w *Watcher) Remove(name string) error { +func (w *readDirChangesW) Remove(name string) error { if w.isClosed() { return nil } + if debug { + fmt.Fprintf(os.Stderr, "FSNOTIFY_DEBUG: %s Remove(%q)\n", + time.Now().Format("15:04:05.000000000"), filepath.ToSlash(name)) + } in := &input{ op: opRemoveWatch, @@ -320,11 +160,7 @@ func (w *Watcher) Remove(name string) error { return <-in.reply } -// WatchList returns all paths explicitly added with [Watcher.Add] (and are not -// yet removed). -// -// Returns nil if [Watcher.Close] was called. -func (w *Watcher) WatchList() []string { +func (w *readDirChangesW) WatchList() []string { if w.isClosed() { return nil } @@ -335,7 +171,13 @@ func (w *Watcher) WatchList() []string { entries := make([]string, 0, len(w.watches)) for _, entry := range w.watches { for _, watchEntry := range entry { - entries = append(entries, watchEntry.path) + for name := range watchEntry.names { + entries = append(entries, filepath.Join(watchEntry.path, name)) + } + // the directory itself is being watched + if watchEntry.mask != 0 { + entries = append(entries, watchEntry.path) + } } } @@ -361,7 +203,7 @@ const ( sysFSIGNORED = 0x8000 ) -func (w *Watcher) newEvent(name string, mask uint32) Event { +func (w *readDirChangesW) newEvent(name string, mask uint32) Event { e := Event{Name: name} if mask&sysFSCREATE == sysFSCREATE || mask&sysFSMOVEDTO == sysFSMOVEDTO { e.Op |= Create @@ -417,7 +259,7 @@ type ( watchMap map[uint32]indexMap ) -func (w *Watcher) wakeupReader() error { +func (w *readDirChangesW) wakeupReader() error { err := windows.PostQueuedCompletionStatus(w.port, 0, 0, nil) if err != nil { return os.NewSyscallError("PostQueuedCompletionStatus", err) @@ -425,7 +267,7 @@ func (w *Watcher) wakeupReader() error { return nil } -func (w *Watcher) getDir(pathname string) (dir string, err error) { +func (w *readDirChangesW) getDir(pathname string) (dir string, err error) { attr, err := windows.GetFileAttributes(windows.StringToUTF16Ptr(pathname)) if err != nil { return "", os.NewSyscallError("GetFileAttributes", err) @@ -439,7 +281,7 @@ func (w *Watcher) getDir(pathname string) (dir string, err error) { return } -func (w *Watcher) getIno(path string) (ino *inode, err error) { +func (w *readDirChangesW) getIno(path string) (ino *inode, err error) { h, err := windows.CreateFile(windows.StringToUTF16Ptr(path), windows.FILE_LIST_DIRECTORY, windows.FILE_SHARE_READ|windows.FILE_SHARE_WRITE|windows.FILE_SHARE_DELETE, @@ -482,9 +324,8 @@ func (m watchMap) set(ino *inode, watch *watch) { } // Must run within the I/O thread. -func (w *Watcher) addWatch(pathname string, flags uint64, bufsize int) error { - //pathname, recurse := recursivePath(pathname) - recurse := false +func (w *readDirChangesW) addWatch(pathname string, flags uint64, bufsize int) error { + pathname, recurse := recursivePath(pathname) dir, err := w.getDir(pathname) if err != nil { @@ -538,7 +379,7 @@ func (w *Watcher) addWatch(pathname string, flags uint64, bufsize int) error { } // Must run within the I/O thread. -func (w *Watcher) remWatch(pathname string) error { +func (w *readDirChangesW) remWatch(pathname string) error { pathname, recurse := recursivePath(pathname) dir, err := w.getDir(pathname) @@ -566,11 +407,11 @@ func (w *Watcher) remWatch(pathname string) error { return fmt.Errorf("%w: %s", ErrNonExistentWatch, pathname) } if pathname == dir { - w.sendEvent(watch.path, watch.mask&sysFSIGNORED) + w.sendEvent(watch.path, "", watch.mask&sysFSIGNORED) watch.mask = 0 } else { name := filepath.Base(pathname) - w.sendEvent(filepath.Join(watch.path, name), watch.names[name]&sysFSIGNORED) + w.sendEvent(filepath.Join(watch.path, name), "", watch.names[name]&sysFSIGNORED) delete(watch.names, name) } @@ -578,23 +419,23 @@ func (w *Watcher) remWatch(pathname string) error { } // Must run within the I/O thread. -func (w *Watcher) deleteWatch(watch *watch) { +func (w *readDirChangesW) deleteWatch(watch *watch) { for name, mask := range watch.names { if mask&provisional == 0 { - w.sendEvent(filepath.Join(watch.path, name), mask&sysFSIGNORED) + w.sendEvent(filepath.Join(watch.path, name), "", mask&sysFSIGNORED) } delete(watch.names, name) } if watch.mask != 0 { if watch.mask&provisional == 0 { - w.sendEvent(watch.path, watch.mask&sysFSIGNORED) + w.sendEvent(watch.path, "", watch.mask&sysFSIGNORED) } watch.mask = 0 } } // Must run within the I/O thread. -func (w *Watcher) startRead(watch *watch) error { +func (w *readDirChangesW) startRead(watch *watch) error { err := windows.CancelIo(watch.ino.handle) if err != nil { w.sendError(os.NewSyscallError("CancelIo", err)) @@ -624,7 +465,7 @@ func (w *Watcher) startRead(watch *watch) error { err := os.NewSyscallError("ReadDirectoryChanges", rdErr) if rdErr == windows.ERROR_ACCESS_DENIED && watch.mask&provisional == 0 { // Watched directory was probably removed - w.sendEvent(watch.path, watch.mask&sysFSDELETESELF) + w.sendEvent(watch.path, "", watch.mask&sysFSDELETESELF) err = nil } w.deleteWatch(watch) @@ -637,7 +478,7 @@ func (w *Watcher) startRead(watch *watch) error { // readEvents reads from the I/O completion port, converts the // received events into Event objects and sends them via the Events channel. // Entry point to the I/O thread. -func (w *Watcher) readEvents() { +func (w *readDirChangesW) readEvents() { var ( n uint32 key uintptr @@ -652,7 +493,7 @@ func (w *Watcher) readEvents() { watch := (*watch)(unsafe.Pointer(ov)) if watch == nil { select { - case ch := <-w.quit: + case ch := <-w.done: w.mu.Lock() var indexes []indexMap for _, index := range w.watches { @@ -700,7 +541,7 @@ func (w *Watcher) readEvents() { } case windows.ERROR_ACCESS_DENIED: // Watched directory was probably removed - w.sendEvent(watch.path, watch.mask&sysFSDELETESELF) + w.sendEvent(watch.path, "", watch.mask&sysFSDELETESELF) w.deleteWatch(watch) w.startRead(watch) continue @@ -733,6 +574,10 @@ func (w *Watcher) readEvents() { name := windows.UTF16ToString(buf) fullname := filepath.Join(watch.path, name) + if debug { + internal.Debug(fullname, raw.Action) + } + var mask uint64 switch raw.Action { case windows.FILE_ACTION_REMOVED: @@ -761,21 +606,22 @@ func (w *Watcher) readEvents() { } } - sendNameEvent := func() { - w.sendEvent(fullname, watch.names[name]&mask) - } if raw.Action != windows.FILE_ACTION_RENAMED_NEW_NAME { - sendNameEvent() + w.sendEvent(fullname, "", watch.names[name]&mask) } if raw.Action == windows.FILE_ACTION_REMOVED { - w.sendEvent(fullname, watch.names[name]&sysFSIGNORED) + w.sendEvent(fullname, "", watch.names[name]&sysFSIGNORED) delete(watch.names, name) } - w.sendEvent(fullname, watch.mask&w.toFSnotifyFlags(raw.Action)) + if watch.rename != "" && raw.Action == windows.FILE_ACTION_RENAMED_NEW_NAME { + w.sendEvent(fullname, filepath.Join(watch.path, watch.rename), watch.mask&w.toFSnotifyFlags(raw.Action)) + } else { + w.sendEvent(fullname, "", watch.mask&w.toFSnotifyFlags(raw.Action)) + } + if raw.Action == windows.FILE_ACTION_RENAMED_NEW_NAME { - fullname = filepath.Join(watch.path, watch.rename) - sendNameEvent() + w.sendEvent(filepath.Join(watch.path, watch.rename), "", watch.names[name]&mask) } // Move to the next event in the buffer @@ -787,8 +633,7 @@ func (w *Watcher) readEvents() { // Error! if offset >= n { //lint:ignore ST1005 Windows should be capitalized - w.sendError(errors.New( - "Windows system assumed buffer larger than it is, events have likely been missed")) + w.sendError(errors.New("Windows system assumed buffer larger than it is, events have likely been missed")) break } } @@ -799,7 +644,7 @@ func (w *Watcher) readEvents() { } } -func (w *Watcher) toWindowsFlags(mask uint64) uint32 { +func (w *readDirChangesW) toWindowsFlags(mask uint64) uint32 { var m uint32 if mask&sysFSMODIFY != 0 { m |= windows.FILE_NOTIFY_CHANGE_LAST_WRITE @@ -810,7 +655,7 @@ func (w *Watcher) toWindowsFlags(mask uint64) uint32 { return m } -func (w *Watcher) toFSnotifyFlags(action uint32) uint64 { +func (w *readDirChangesW) toFSnotifyFlags(action uint32) uint64 { switch action { case windows.FILE_ACTION_ADDED: return sysFSCREATE @@ -825,3 +670,11 @@ func (w *Watcher) toFSnotifyFlags(action uint32) uint64 { } return 0 } + +func (w *readDirChangesW) xSupports(op Op) bool { + if op.Has(xUnportableOpen) || op.Has(xUnportableRead) || + op.Has(xUnportableCloseWrite) || op.Has(xUnportableCloseRead) { + return false + } + return true +} diff --git a/vendor/github.com/fsnotify/fsnotify/fsnotify.go b/vendor/github.com/fsnotify/fsnotify/fsnotify.go index 24c99cc49..f64be4bf9 100644 --- a/vendor/github.com/fsnotify/fsnotify/fsnotify.go +++ b/vendor/github.com/fsnotify/fsnotify/fsnotify.go @@ -3,19 +3,146 @@ // // Currently supported systems: // -// Linux 2.6.32+ via inotify -// BSD, macOS via kqueue -// Windows via ReadDirectoryChangesW -// illumos via FEN +// - Linux via inotify +// - BSD, macOS via kqueue +// - Windows via ReadDirectoryChangesW +// - illumos via FEN +// +// # FSNOTIFY_DEBUG +// +// Set the FSNOTIFY_DEBUG environment variable to "1" to print debug messages to +// stderr. This can be useful to track down some problems, especially in cases +// where fsnotify is used as an indirect dependency. +// +// Every event will be printed as soon as there's something useful to print, +// with as little processing from fsnotify. +// +// Example output: +// +// FSNOTIFY_DEBUG: 11:34:23.633087586 256:IN_CREATE → "/tmp/file-1" +// FSNOTIFY_DEBUG: 11:34:23.633202319 4:IN_ATTRIB → "/tmp/file-1" +// FSNOTIFY_DEBUG: 11:34:28.989728764 512:IN_DELETE → "/tmp/file-1" package fsnotify import ( "errors" "fmt" + "os" "path/filepath" "strings" ) +// Watcher watches a set of paths, delivering events on a channel. +// +// A watcher should not be copied (e.g. pass it by pointer, rather than by +// value). +// +// # Linux notes +// +// When a file is removed a Remove event won't be emitted until all file +// descriptors are closed, and deletes will always emit a Chmod. For example: +// +// fp := os.Open("file") +// os.Remove("file") // Triggers Chmod +// fp.Close() // Triggers Remove +// +// This is the event that inotify sends, so not much can be changed about this. +// +// The fs.inotify.max_user_watches sysctl variable specifies the upper limit +// for the number of watches per user, and fs.inotify.max_user_instances +// specifies the maximum number of inotify instances per user. Every Watcher you +// create is an "instance", and every path you add is a "watch". +// +// These are also exposed in /proc as /proc/sys/fs/inotify/max_user_watches and +// /proc/sys/fs/inotify/max_user_instances +// +// To increase them you can use sysctl or write the value to the /proc file: +// +// # Default values on Linux 5.18 +// sysctl fs.inotify.max_user_watches=124983 +// sysctl fs.inotify.max_user_instances=128 +// +// To make the changes persist on reboot edit /etc/sysctl.conf or +// /usr/lib/sysctl.d/50-default.conf (details differ per Linux distro; check +// your distro's documentation): +// +// fs.inotify.max_user_watches=124983 +// fs.inotify.max_user_instances=128 +// +// Reaching the limit will result in a "no space left on device" or "too many open +// files" error. +// +// # kqueue notes (macOS, BSD) +// +// kqueue requires opening a file descriptor for every file that's being watched; +// so if you're watching a directory with five files then that's six file +// descriptors. You will run in to your system's "max open files" limit faster on +// these platforms. +// +// The sysctl variables kern.maxfiles and kern.maxfilesperproc can be used to +// control the maximum number of open files, as well as /etc/login.conf on BSD +// systems. +// +// # Windows notes +// +// Paths can be added as "C:\\path\\to\\dir", but forward slashes +// ("C:/path/to/dir") will also work. +// +// When a watched directory is removed it will always send an event for the +// directory itself, but may not send events for all files in that directory. +// Sometimes it will send events for all files, sometimes it will send no +// events, and often only for some files. +// +// The default ReadDirectoryChangesW() buffer size is 64K, which is the largest +// value that is guaranteed to work with SMB filesystems. If you have many +// events in quick succession this may not be enough, and you will have to use +// [WithBufferSize] to increase the value. +type Watcher struct { + b backend + + // Events sends the filesystem change events. + // + // fsnotify can send the following events; a "path" here can refer to a + // file, directory, symbolic link, or special file like a FIFO. + // + // fsnotify.Create A new path was created; this may be followed by one + // or more Write events if data also gets written to a + // file. + // + // fsnotify.Remove A path was removed. + // + // fsnotify.Rename A path was renamed. A rename is always sent with the + // old path as Event.Name, and a Create event will be + // sent with the new name. Renames are only sent for + // paths that are currently watched; e.g. moving an + // unmonitored file into a monitored directory will + // show up as just a Create. Similarly, renaming a file + // to outside a monitored directory will show up as + // only a Rename. + // + // fsnotify.Write A file or named pipe was written to. A Truncate will + // also trigger a Write. A single "write action" + // initiated by the user may show up as one or multiple + // writes, depending on when the system syncs things to + // disk. For example when compiling a large Go program + // you may get hundreds of Write events, and you may + // want to wait until you've stopped receiving them + // (see the dedup example in cmd/fsnotify). + // + // Some systems may send Write event for directories + // when the directory content changes. + // + // fsnotify.Chmod Attributes were changed. On Linux this is also sent + // when a file is removed (or more accurately, when a + // link to an inode is removed). On kqueue it's sent + // when a file is truncated. On Windows it's never + // sent. + Events chan Event + + // Errors sends any errors. + Errors chan error +} + // Event represents a file system notification. type Event struct { // Path to the file or directory. @@ -30,6 +157,16 @@ type Event struct { // This is a bitmask and some systems may send multiple operations at once. // Use the Event.Has() method instead of comparing with ==. Op Op + + // Create events will have this set to the old path if it's a rename. This + // only works when both the source and destination are watched. It's not + // reliable when watching individual files, only directories. + // + // For example "mv /tmp/file /tmp/rename" will emit: + // + // Event{Op: Rename, Name: "/tmp/file"} + // Event{Op: Create, Name: "/tmp/rename", RenamedFrom: "/tmp/file"} + renamedFrom string } // Op describes a set of file operations. @@ -50,7 +187,7 @@ const ( // example "remove to trash" is often a rename). Remove - // The path was renamed to something else; any watched on it will be + // The path was renamed to something else; any watches on it will be // removed. Rename @@ -60,15 +197,157 @@ const ( // get triggered very frequently by some software. For example, Spotlight // indexing on macOS, anti-virus software, backup software, etc. Chmod + + // File descriptor was opened. + // + // Only works on Linux and FreeBSD. + xUnportableOpen + + // File was read from. + // + // Only works on Linux and FreeBSD. + xUnportableRead + + // File opened for writing was closed. + // + // Only works on Linux and FreeBSD. + // + // The advantage of using this over Write is that it's more reliable than + // waiting for Write events to stop. It's also faster (if you're not + // listening to Write events): copying a file of a few GB can easily + // generate tens of thousands of Write events in a short span of time. + xUnportableCloseWrite + + // File opened for reading was closed. + // + // Only works on Linux and FreeBSD. + xUnportableCloseRead ) -// Common errors that can be reported. var ( + // ErrNonExistentWatch is used when Remove() is called on a path that's not + // added. ErrNonExistentWatch = errors.New("fsnotify: can't remove non-existent watch") - ErrEventOverflow = errors.New("fsnotify: queue or buffer overflow") - ErrClosed = errors.New("fsnotify: watcher already closed") + + // ErrClosed is used when trying to operate on a closed Watcher. + ErrClosed = errors.New("fsnotify: watcher already closed") + + // ErrEventOverflow is reported from the Errors channel when there are too + // many events: + // + // - inotify: inotify returns IN_Q_OVERFLOW – because there are too + // many queued events (the fs.inotify.max_queued_events + // sysctl can be used to increase this). + // - windows: The buffer size is too small; WithBufferSize() can be used to increase it. + // - kqueue, fen: Not used. + ErrEventOverflow = errors.New("fsnotify: queue or buffer overflow") + + // ErrUnsupported is returned by AddWith() when WithOps() specified an + // Unportable event that's not supported on this platform. + //lint:ignore ST1012 not relevant + xErrUnsupported = errors.New("fsnotify: not supported with this backend") ) +// NewWatcher creates a new Watcher. +func NewWatcher() (*Watcher, error) { + ev, errs := make(chan Event, defaultBufferSize), make(chan error) + b, err := newBackend(ev, errs) + if err != nil { + return nil, err + } + return &Watcher{b: b, Events: ev, Errors: errs}, nil +} + +// NewBufferedWatcher creates a new Watcher with a buffered Watcher.Events +// channel. +// +// The main use case for this is situations with a very large number of events +// where the kernel buffer size can't be increased (e.g. due to lack of +// permissions). An unbuffered Watcher will perform better for almost all use +// cases, and whenever possible you will be better off increasing the kernel +// buffers instead of adding a large userspace buffer. +func NewBufferedWatcher(sz uint) (*Watcher, error) { + ev, errs := make(chan Event, sz), make(chan error) + b, err := newBackend(ev, errs) + if err != nil { + return nil, err + } + return &Watcher{b: b, Events: ev, Errors: errs}, nil +} + +// Add starts monitoring the path for changes. +// +// A path can only be watched once; watching it more than once is a no-op and will +// not return an error. Paths that do not yet exist on the filesystem cannot be +// watched. +// +// A watch will be automatically removed if the watched path is deleted or +// renamed. The exception is the Windows backend, which doesn't remove the +// watcher on renames. +// +// Notifications on network filesystems (NFS, SMB, FUSE, etc.) or special +// filesystems (/proc, /sys, etc.) generally don't work. +// +// Returns [ErrClosed] if [Watcher.Close] was called. +// +// See [Watcher.AddWith] for a version that allows adding options. +// +// # Watching directories +// +// All files in a directory are monitored, including new files that are created +// after the watcher is started. Subdirectories are not watched (i.e. it's +// non-recursive). +// +// # Watching files +// +// Watching individual files (rather than directories) is generally not +// recommended as many programs (especially editors) update files atomically: it +// will write to a temporary file which is then moved to destination, +// overwriting the original (or some variant thereof). The watcher on the +// original file is now lost, as that no longer exists. +// +// The upshot of this is that a power failure or crash won't leave a +// half-written file. +// +// Watch the parent directory and use Event.Name to filter out files you're not +// interested in. There is an example of this in cmd/fsnotify/file.go. +func (w *Watcher) Add(path string) error { return w.b.Add(path) } + +// AddWith is like [Watcher.Add], but allows adding options. When using Add() +// the defaults described below are used. +// +// Possible options are: +// +// - [WithBufferSize] sets the buffer size for the Windows backend; no-op on +// other platforms. The default is 64K (65536 bytes). +func (w *Watcher) AddWith(path string, opts ...addOpt) error { return w.b.AddWith(path, opts...) } + +// Remove stops monitoring the path for changes. +// +// Directories are always removed non-recursively. For example, if you added +// /tmp/dir and /tmp/dir/subdir then you will need to remove both. +// +// Removing a path that has not yet been added returns [ErrNonExistentWatch]. +// +// Returns nil if [Watcher.Close] was called. +func (w *Watcher) Remove(path string) error { return w.b.Remove(path) } + +// Close removes all watches and closes the Events channel. +func (w *Watcher) Close() error { return w.b.Close() } + +// WatchList returns all paths explicitly added with [Watcher.Add] (and are not +// yet removed). +// +// The order is undefined, and may differ per call. Returns nil if +// [Watcher.Close] was called. +func (w *Watcher) WatchList() []string { return w.b.WatchList() } + +// Supports reports if all the listed operations are supported by this platform. +// +// Create, Write, Remove, Rename, and Chmod are always supported. It can only +// return false for an Op starting with Unportable. +func (w *Watcher) xSupports(op Op) bool { return w.b.xSupports(op) } + func (o Op) String() string { var b strings.Builder if o.Has(Create) { @@ -80,6 +359,18 @@ func (o Op) String() string { if o.Has(Write) { b.WriteString("|WRITE") } + if o.Has(xUnportableOpen) { + b.WriteString("|OPEN") + } + if o.Has(xUnportableRead) { + b.WriteString("|READ") + } + if o.Has(xUnportableCloseWrite) { + b.WriteString("|CLOSE_WRITE") + } + if o.Has(xUnportableCloseRead) { + b.WriteString("|CLOSE_READ") + } if o.Has(Rename) { b.WriteString("|RENAME") } @@ -100,24 +391,48 @@ func (e Event) Has(op Op) bool { return e.Op.Has(op) } // String returns a string representation of the event with their path. func (e Event) String() string { + if e.renamedFrom != "" { + return fmt.Sprintf("%-13s %q ← %q", e.Op.String(), e.Name, e.renamedFrom) + } return fmt.Sprintf("%-13s %q", e.Op.String(), e.Name) } type ( + backend interface { + Add(string) error + AddWith(string, ...addOpt) error + Remove(string) error + WatchList() []string + Close() error + xSupports(Op) bool + } addOpt func(opt *withOpts) withOpts struct { - bufsize int + bufsize int + op Op + noFollow bool + sendCreate bool } ) +var debug = func() bool { + // Check for exactly "1" (rather than mere existence) so we can add + // options/flags in the future. I don't know if we ever want that, but it's + // nice to leave the option open. + return os.Getenv("FSNOTIFY_DEBUG") == "1" +}() + var defaultOpts = withOpts{ bufsize: 65536, // 64K + op: Create | Write | Remove | Rename | Chmod, } func getOptions(opts ...addOpt) withOpts { with := defaultOpts for _, o := range opts { - o(&with) + if o != nil { + o(&with) + } } return with } @@ -136,9 +451,44 @@ func WithBufferSize(bytes int) addOpt { return func(opt *withOpts) { opt.bufsize = bytes } } +// WithOps sets which operations to listen for. The default is [Create], +// [Write], [Remove], [Rename], and [Chmod]. +// +// Excluding operations you're not interested in can save quite a bit of CPU +// time; in some use cases there may be hundreds of thousands of useless Write +// or Chmod operations per second. +// +// This can also be used to add unportable operations not supported by all +// platforms; unportable operations all start with "Unportable": +// [UnportableOpen], [UnportableRead], [UnportableCloseWrite], and +// [UnportableCloseRead]. +// +// AddWith returns an error when using an unportable operation that's not +// supported. Use [Watcher.Support] to check for support. +func withOps(op Op) addOpt { + return func(opt *withOpts) { opt.op = op } +} + +// WithNoFollow disables following symlinks, so the symlinks themselves are +// watched. +func withNoFollow() addOpt { + return func(opt *withOpts) { opt.noFollow = true } +} + +// "Internal" option for recursive watches on inotify. +func withCreate() addOpt { + return func(opt *withOpts) { opt.sendCreate = true } +} + +var enableRecurse = false + // Check if this path is recursive (ends with "/..." or "\..."), and return the // path with the /... stripped. func recursivePath(path string) (string, bool) { + path = filepath.Clean(path) + if !enableRecurse { // Only enabled in tests for now. + return path, false + } if filepath.Base(path) == "..." { return filepath.Dir(path), true } diff --git a/vendor/github.com/fsnotify/fsnotify/internal/darwin.go b/vendor/github.com/fsnotify/fsnotify/internal/darwin.go new file mode 100644 index 000000000..0b01bc182 --- /dev/null +++ b/vendor/github.com/fsnotify/fsnotify/internal/darwin.go @@ -0,0 +1,39 @@ +//go:build darwin + +package internal + +import ( + "syscall" + + "golang.org/x/sys/unix" +) + +var ( + ErrSyscallEACCES = syscall.EACCES + ErrUnixEACCES = unix.EACCES +) + +var maxfiles uint64 + +func SetRlimit() { + // Go 1.19 will do this automatically: https://go-review.googlesource.com/c/go/+/393354/ + var l syscall.Rlimit + err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, &l) + if err == nil && l.Cur != l.Max { + l.Cur = l.Max + syscall.Setrlimit(syscall.RLIMIT_NOFILE, &l) + } + maxfiles = l.Cur + + if n, err := syscall.SysctlUint32("kern.maxfiles"); err == nil && uint64(n) < maxfiles { + maxfiles = uint64(n) + } + + if n, err := syscall.SysctlUint32("kern.maxfilesperproc"); err == nil && uint64(n) < maxfiles { + maxfiles = uint64(n) + } +} + +func Maxfiles() uint64 { return maxfiles } +func Mkfifo(path string, mode uint32) error { return unix.Mkfifo(path, mode) } +func Mknod(path string, mode uint32, dev int) error { return unix.Mknod(path, mode, dev) } diff --git a/vendor/github.com/fsnotify/fsnotify/internal/debug_darwin.go b/vendor/github.com/fsnotify/fsnotify/internal/debug_darwin.go new file mode 100644 index 000000000..928319fb0 --- /dev/null +++ b/vendor/github.com/fsnotify/fsnotify/internal/debug_darwin.go @@ -0,0 +1,57 @@ +package internal + +import "golang.org/x/sys/unix" + +var names = []struct { + n string + m uint32 +}{ + {"NOTE_ABSOLUTE", unix.NOTE_ABSOLUTE}, + {"NOTE_ATTRIB", unix.NOTE_ATTRIB}, + {"NOTE_BACKGROUND", unix.NOTE_BACKGROUND}, + {"NOTE_CHILD", unix.NOTE_CHILD}, + {"NOTE_CRITICAL", unix.NOTE_CRITICAL}, + {"NOTE_DELETE", unix.NOTE_DELETE}, + {"NOTE_EXEC", unix.NOTE_EXEC}, + {"NOTE_EXIT", unix.NOTE_EXIT}, + {"NOTE_EXITSTATUS", unix.NOTE_EXITSTATUS}, + {"NOTE_EXIT_CSERROR", unix.NOTE_EXIT_CSERROR}, + {"NOTE_EXIT_DECRYPTFAIL", unix.NOTE_EXIT_DECRYPTFAIL}, + {"NOTE_EXIT_DETAIL", unix.NOTE_EXIT_DETAIL}, + {"NOTE_EXIT_DETAIL_MASK", unix.NOTE_EXIT_DETAIL_MASK}, + {"NOTE_EXIT_MEMORY", unix.NOTE_EXIT_MEMORY}, + {"NOTE_EXIT_REPARENTED", unix.NOTE_EXIT_REPARENTED}, + {"NOTE_EXTEND", unix.NOTE_EXTEND}, + {"NOTE_FFAND", unix.NOTE_FFAND}, + {"NOTE_FFCOPY", unix.NOTE_FFCOPY}, + {"NOTE_FFCTRLMASK", unix.NOTE_FFCTRLMASK}, + {"NOTE_FFLAGSMASK", unix.NOTE_FFLAGSMASK}, + {"NOTE_FFNOP", unix.NOTE_FFNOP}, + {"NOTE_FFOR", unix.NOTE_FFOR}, + {"NOTE_FORK", unix.NOTE_FORK}, + {"NOTE_FUNLOCK", unix.NOTE_FUNLOCK}, + {"NOTE_LEEWAY", unix.NOTE_LEEWAY}, + {"NOTE_LINK", unix.NOTE_LINK}, + {"NOTE_LOWAT", unix.NOTE_LOWAT}, + {"NOTE_MACHTIME", unix.NOTE_MACHTIME}, + {"NOTE_MACH_CONTINUOUS_TIME", unix.NOTE_MACH_CONTINUOUS_TIME}, + {"NOTE_NONE", unix.NOTE_NONE}, + {"NOTE_NSECONDS", unix.NOTE_NSECONDS}, + {"NOTE_OOB", unix.NOTE_OOB}, + //{"NOTE_PCTRLMASK", unix.NOTE_PCTRLMASK}, -0x100000 (?!) + {"NOTE_PDATAMASK", unix.NOTE_PDATAMASK}, + {"NOTE_REAP", unix.NOTE_REAP}, + {"NOTE_RENAME", unix.NOTE_RENAME}, + {"NOTE_REVOKE", unix.NOTE_REVOKE}, + {"NOTE_SECONDS", unix.NOTE_SECONDS}, + {"NOTE_SIGNAL", unix.NOTE_SIGNAL}, + {"NOTE_TRACK", unix.NOTE_TRACK}, + {"NOTE_TRACKERR", unix.NOTE_TRACKERR}, + {"NOTE_TRIGGER", unix.NOTE_TRIGGER}, + {"NOTE_USECONDS", unix.NOTE_USECONDS}, + {"NOTE_VM_ERROR", unix.NOTE_VM_ERROR}, + {"NOTE_VM_PRESSURE", unix.NOTE_VM_PRESSURE}, + {"NOTE_VM_PRESSURE_SUDDEN_TERMINATE", unix.NOTE_VM_PRESSURE_SUDDEN_TERMINATE}, + {"NOTE_VM_PRESSURE_TERMINATE", unix.NOTE_VM_PRESSURE_TERMINATE}, + {"NOTE_WRITE", unix.NOTE_WRITE}, +} diff --git a/vendor/github.com/fsnotify/fsnotify/internal/debug_dragonfly.go b/vendor/github.com/fsnotify/fsnotify/internal/debug_dragonfly.go new file mode 100644 index 000000000..3186b0c34 --- /dev/null +++ b/vendor/github.com/fsnotify/fsnotify/internal/debug_dragonfly.go @@ -0,0 +1,33 @@ +package internal + +import "golang.org/x/sys/unix" + +var names = []struct { + n string + m uint32 +}{ + {"NOTE_ATTRIB", unix.NOTE_ATTRIB}, + {"NOTE_CHILD", unix.NOTE_CHILD}, + {"NOTE_DELETE", unix.NOTE_DELETE}, + {"NOTE_EXEC", unix.NOTE_EXEC}, + {"NOTE_EXIT", unix.NOTE_EXIT}, + {"NOTE_EXTEND", unix.NOTE_EXTEND}, + {"NOTE_FFAND", unix.NOTE_FFAND}, + {"NOTE_FFCOPY", unix.NOTE_FFCOPY}, + {"NOTE_FFCTRLMASK", unix.NOTE_FFCTRLMASK}, + {"NOTE_FFLAGSMASK", unix.NOTE_FFLAGSMASK}, + {"NOTE_FFNOP", unix.NOTE_FFNOP}, + {"NOTE_FFOR", unix.NOTE_FFOR}, + {"NOTE_FORK", unix.NOTE_FORK}, + {"NOTE_LINK", unix.NOTE_LINK}, + {"NOTE_LOWAT", unix.NOTE_LOWAT}, + {"NOTE_OOB", unix.NOTE_OOB}, + {"NOTE_PCTRLMASK", unix.NOTE_PCTRLMASK}, + {"NOTE_PDATAMASK", unix.NOTE_PDATAMASK}, + {"NOTE_RENAME", unix.NOTE_RENAME}, + {"NOTE_REVOKE", unix.NOTE_REVOKE}, + {"NOTE_TRACK", unix.NOTE_TRACK}, + {"NOTE_TRACKERR", unix.NOTE_TRACKERR}, + {"NOTE_TRIGGER", unix.NOTE_TRIGGER}, + {"NOTE_WRITE", unix.NOTE_WRITE}, +} diff --git a/vendor/github.com/fsnotify/fsnotify/internal/debug_freebsd.go b/vendor/github.com/fsnotify/fsnotify/internal/debug_freebsd.go new file mode 100644 index 000000000..f69fdb930 --- /dev/null +++ b/vendor/github.com/fsnotify/fsnotify/internal/debug_freebsd.go @@ -0,0 +1,42 @@ +package internal + +import "golang.org/x/sys/unix" + +var names = []struct { + n string + m uint32 +}{ + {"NOTE_ABSTIME", unix.NOTE_ABSTIME}, + {"NOTE_ATTRIB", unix.NOTE_ATTRIB}, + {"NOTE_CHILD", unix.NOTE_CHILD}, + {"NOTE_CLOSE", unix.NOTE_CLOSE}, + {"NOTE_CLOSE_WRITE", unix.NOTE_CLOSE_WRITE}, + {"NOTE_DELETE", unix.NOTE_DELETE}, + {"NOTE_EXEC", unix.NOTE_EXEC}, + {"NOTE_EXIT", unix.NOTE_EXIT}, + {"NOTE_EXTEND", unix.NOTE_EXTEND}, + {"NOTE_FFAND", unix.NOTE_FFAND}, + {"NOTE_FFCOPY", unix.NOTE_FFCOPY}, + {"NOTE_FFCTRLMASK", unix.NOTE_FFCTRLMASK}, + {"NOTE_FFLAGSMASK", unix.NOTE_FFLAGSMASK}, + {"NOTE_FFNOP", unix.NOTE_FFNOP}, + {"NOTE_FFOR", unix.NOTE_FFOR}, + {"NOTE_FILE_POLL", unix.NOTE_FILE_POLL}, + {"NOTE_FORK", unix.NOTE_FORK}, + {"NOTE_LINK", unix.NOTE_LINK}, + {"NOTE_LOWAT", unix.NOTE_LOWAT}, + {"NOTE_MSECONDS", unix.NOTE_MSECONDS}, + {"NOTE_NSECONDS", unix.NOTE_NSECONDS}, + {"NOTE_OPEN", unix.NOTE_OPEN}, + {"NOTE_PCTRLMASK", unix.NOTE_PCTRLMASK}, + {"NOTE_PDATAMASK", unix.NOTE_PDATAMASK}, + {"NOTE_READ", unix.NOTE_READ}, + {"NOTE_RENAME", unix.NOTE_RENAME}, + {"NOTE_REVOKE", unix.NOTE_REVOKE}, + {"NOTE_SECONDS", unix.NOTE_SECONDS}, + {"NOTE_TRACK", unix.NOTE_TRACK}, + {"NOTE_TRACKERR", unix.NOTE_TRACKERR}, + {"NOTE_TRIGGER", unix.NOTE_TRIGGER}, + {"NOTE_USECONDS", unix.NOTE_USECONDS}, + {"NOTE_WRITE", unix.NOTE_WRITE}, +} diff --git a/vendor/github.com/fsnotify/fsnotify/internal/debug_kqueue.go b/vendor/github.com/fsnotify/fsnotify/internal/debug_kqueue.go new file mode 100644 index 000000000..607e683bd --- /dev/null +++ b/vendor/github.com/fsnotify/fsnotify/internal/debug_kqueue.go @@ -0,0 +1,32 @@ +//go:build freebsd || openbsd || netbsd || dragonfly || darwin + +package internal + +import ( + "fmt" + "os" + "strings" + "time" + + "golang.org/x/sys/unix" +) + +func Debug(name string, kevent *unix.Kevent_t) { + mask := uint32(kevent.Fflags) + + var ( + l []string + unknown = mask + ) + for _, n := range names { + if mask&n.m == n.m { + l = append(l, n.n) + unknown ^= n.m + } + } + if unknown > 0 { + l = append(l, fmt.Sprintf("0x%x", unknown)) + } + fmt.Fprintf(os.Stderr, "FSNOTIFY_DEBUG: %s %10d:%-60s → %q\n", + time.Now().Format("15:04:05.000000000"), mask, strings.Join(l, " | "), name) +} diff --git a/vendor/github.com/fsnotify/fsnotify/internal/debug_linux.go b/vendor/github.com/fsnotify/fsnotify/internal/debug_linux.go new file mode 100644 index 000000000..35c734be4 --- /dev/null +++ b/vendor/github.com/fsnotify/fsnotify/internal/debug_linux.go @@ -0,0 +1,56 @@ +package internal + +import ( + "fmt" + "os" + "strings" + "time" + + "golang.org/x/sys/unix" +) + +func Debug(name string, mask, cookie uint32) { + names := []struct { + n string + m uint32 + }{ + {"IN_ACCESS", unix.IN_ACCESS}, + {"IN_ATTRIB", unix.IN_ATTRIB}, + {"IN_CLOSE", unix.IN_CLOSE}, + {"IN_CLOSE_NOWRITE", unix.IN_CLOSE_NOWRITE}, + {"IN_CLOSE_WRITE", unix.IN_CLOSE_WRITE}, + {"IN_CREATE", unix.IN_CREATE}, + {"IN_DELETE", unix.IN_DELETE}, + {"IN_DELETE_SELF", unix.IN_DELETE_SELF}, + {"IN_IGNORED", unix.IN_IGNORED}, + {"IN_ISDIR", unix.IN_ISDIR}, + {"IN_MODIFY", unix.IN_MODIFY}, + {"IN_MOVE", unix.IN_MOVE}, + {"IN_MOVED_FROM", unix.IN_MOVED_FROM}, + {"IN_MOVED_TO", unix.IN_MOVED_TO}, + {"IN_MOVE_SELF", unix.IN_MOVE_SELF}, + {"IN_OPEN", unix.IN_OPEN}, + {"IN_Q_OVERFLOW", unix.IN_Q_OVERFLOW}, + {"IN_UNMOUNT", unix.IN_UNMOUNT}, + } + + var ( + l []string + unknown = mask + ) + for _, n := range names { + if mask&n.m == n.m { + l = append(l, n.n) + unknown ^= n.m + } + } + if unknown > 0 { + l = append(l, fmt.Sprintf("0x%x", unknown)) + } + var c string + if cookie > 0 { + c = fmt.Sprintf("(cookie: %d) ", cookie) + } + fmt.Fprintf(os.Stderr, "FSNOTIFY_DEBUG: %s %-30s → %s%q\n", + time.Now().Format("15:04:05.000000000"), strings.Join(l, "|"), c, name) +} diff --git a/vendor/github.com/fsnotify/fsnotify/internal/debug_netbsd.go b/vendor/github.com/fsnotify/fsnotify/internal/debug_netbsd.go new file mode 100644 index 000000000..e5b3b6f69 --- /dev/null +++ b/vendor/github.com/fsnotify/fsnotify/internal/debug_netbsd.go @@ -0,0 +1,25 @@ +package internal + +import "golang.org/x/sys/unix" + +var names = []struct { + n string + m uint32 +}{ + {"NOTE_ATTRIB", unix.NOTE_ATTRIB}, + {"NOTE_CHILD", unix.NOTE_CHILD}, + {"NOTE_DELETE", unix.NOTE_DELETE}, + {"NOTE_EXEC", unix.NOTE_EXEC}, + {"NOTE_EXIT", unix.NOTE_EXIT}, + {"NOTE_EXTEND", unix.NOTE_EXTEND}, + {"NOTE_FORK", unix.NOTE_FORK}, + {"NOTE_LINK", unix.NOTE_LINK}, + {"NOTE_LOWAT", unix.NOTE_LOWAT}, + {"NOTE_PCTRLMASK", unix.NOTE_PCTRLMASK}, + {"NOTE_PDATAMASK", unix.NOTE_PDATAMASK}, + {"NOTE_RENAME", unix.NOTE_RENAME}, + {"NOTE_REVOKE", unix.NOTE_REVOKE}, + {"NOTE_TRACK", unix.NOTE_TRACK}, + {"NOTE_TRACKERR", unix.NOTE_TRACKERR}, + {"NOTE_WRITE", unix.NOTE_WRITE}, +} diff --git a/vendor/github.com/fsnotify/fsnotify/internal/debug_openbsd.go b/vendor/github.com/fsnotify/fsnotify/internal/debug_openbsd.go new file mode 100644 index 000000000..1dd455bc5 --- /dev/null +++ b/vendor/github.com/fsnotify/fsnotify/internal/debug_openbsd.go @@ -0,0 +1,28 @@ +package internal + +import "golang.org/x/sys/unix" + +var names = []struct { + n string + m uint32 +}{ + {"NOTE_ATTRIB", unix.NOTE_ATTRIB}, + // {"NOTE_CHANGE", unix.NOTE_CHANGE}, // Not on 386? + {"NOTE_CHILD", unix.NOTE_CHILD}, + {"NOTE_DELETE", unix.NOTE_DELETE}, + {"NOTE_EOF", unix.NOTE_EOF}, + {"NOTE_EXEC", unix.NOTE_EXEC}, + {"NOTE_EXIT", unix.NOTE_EXIT}, + {"NOTE_EXTEND", unix.NOTE_EXTEND}, + {"NOTE_FORK", unix.NOTE_FORK}, + {"NOTE_LINK", unix.NOTE_LINK}, + {"NOTE_LOWAT", unix.NOTE_LOWAT}, + {"NOTE_PCTRLMASK", unix.NOTE_PCTRLMASK}, + {"NOTE_PDATAMASK", unix.NOTE_PDATAMASK}, + {"NOTE_RENAME", unix.NOTE_RENAME}, + {"NOTE_REVOKE", unix.NOTE_REVOKE}, + {"NOTE_TRACK", unix.NOTE_TRACK}, + {"NOTE_TRACKERR", unix.NOTE_TRACKERR}, + {"NOTE_TRUNCATE", unix.NOTE_TRUNCATE}, + {"NOTE_WRITE", unix.NOTE_WRITE}, +} diff --git a/vendor/github.com/fsnotify/fsnotify/internal/debug_solaris.go b/vendor/github.com/fsnotify/fsnotify/internal/debug_solaris.go new file mode 100644 index 000000000..f1b2e73bd --- /dev/null +++ b/vendor/github.com/fsnotify/fsnotify/internal/debug_solaris.go @@ -0,0 +1,45 @@ +package internal + +import ( + "fmt" + "os" + "strings" + "time" + + "golang.org/x/sys/unix" +) + +func Debug(name string, mask int32) { + names := []struct { + n string + m int32 + }{ + {"FILE_ACCESS", unix.FILE_ACCESS}, + {"FILE_MODIFIED", unix.FILE_MODIFIED}, + {"FILE_ATTRIB", unix.FILE_ATTRIB}, + {"FILE_TRUNC", unix.FILE_TRUNC}, + {"FILE_NOFOLLOW", unix.FILE_NOFOLLOW}, + {"FILE_DELETE", unix.FILE_DELETE}, + {"FILE_RENAME_TO", unix.FILE_RENAME_TO}, + {"FILE_RENAME_FROM", unix.FILE_RENAME_FROM}, + {"UNMOUNTED", unix.UNMOUNTED}, + {"MOUNTEDOVER", unix.MOUNTEDOVER}, + {"FILE_EXCEPTION", unix.FILE_EXCEPTION}, + } + + var ( + l []string + unknown = mask + ) + for _, n := range names { + if mask&n.m == n.m { + l = append(l, n.n) + unknown ^= n.m + } + } + if unknown > 0 { + l = append(l, fmt.Sprintf("0x%x", unknown)) + } + fmt.Fprintf(os.Stderr, "FSNOTIFY_DEBUG: %s %10d:%-30s → %q\n", + time.Now().Format("15:04:05.000000000"), mask, strings.Join(l, " | "), name) +} diff --git a/vendor/github.com/fsnotify/fsnotify/internal/debug_windows.go b/vendor/github.com/fsnotify/fsnotify/internal/debug_windows.go new file mode 100644 index 000000000..52bf4ce53 --- /dev/null +++ b/vendor/github.com/fsnotify/fsnotify/internal/debug_windows.go @@ -0,0 +1,40 @@ +package internal + +import ( + "fmt" + "os" + "path/filepath" + "strings" + "time" + + "golang.org/x/sys/windows" +) + +func Debug(name string, mask uint32) { + names := []struct { + n string + m uint32 + }{ + {"FILE_ACTION_ADDED", windows.FILE_ACTION_ADDED}, + {"FILE_ACTION_REMOVED", windows.FILE_ACTION_REMOVED}, + {"FILE_ACTION_MODIFIED", windows.FILE_ACTION_MODIFIED}, + {"FILE_ACTION_RENAMED_OLD_NAME", windows.FILE_ACTION_RENAMED_OLD_NAME}, + {"FILE_ACTION_RENAMED_NEW_NAME", windows.FILE_ACTION_RENAMED_NEW_NAME}, + } + + var ( + l []string + unknown = mask + ) + for _, n := range names { + if mask&n.m == n.m { + l = append(l, n.n) + unknown ^= n.m + } + } + if unknown > 0 { + l = append(l, fmt.Sprintf("0x%x", unknown)) + } + fmt.Fprintf(os.Stderr, "FSNOTIFY_DEBUG: %s %-65s → %q\n", + time.Now().Format("15:04:05.000000000"), strings.Join(l, " | "), filepath.ToSlash(name)) +} diff --git a/vendor/github.com/fsnotify/fsnotify/internal/freebsd.go b/vendor/github.com/fsnotify/fsnotify/internal/freebsd.go new file mode 100644 index 000000000..5ac8b5079 --- /dev/null +++ b/vendor/github.com/fsnotify/fsnotify/internal/freebsd.go @@ -0,0 +1,31 @@ +//go:build freebsd + +package internal + +import ( + "syscall" + + "golang.org/x/sys/unix" +) + +var ( + ErrSyscallEACCES = syscall.EACCES + ErrUnixEACCES = unix.EACCES +) + +var maxfiles uint64 + +func SetRlimit() { + // Go 1.19 will do this automatically: https://go-review.googlesource.com/c/go/+/393354/ + var l syscall.Rlimit + err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, &l) + if err == nil && l.Cur != l.Max { + l.Cur = l.Max + syscall.Setrlimit(syscall.RLIMIT_NOFILE, &l) + } + maxfiles = uint64(l.Cur) +} + +func Maxfiles() uint64 { return maxfiles } +func Mkfifo(path string, mode uint32) error { return unix.Mkfifo(path, mode) } +func Mknod(path string, mode uint32, dev int) error { return unix.Mknod(path, mode, uint64(dev)) } diff --git a/vendor/github.com/fsnotify/fsnotify/internal/internal.go b/vendor/github.com/fsnotify/fsnotify/internal/internal.go new file mode 100644 index 000000000..7daa45e19 --- /dev/null +++ b/vendor/github.com/fsnotify/fsnotify/internal/internal.go @@ -0,0 +1,2 @@ +// Package internal contains some helpers. +package internal diff --git a/vendor/github.com/fsnotify/fsnotify/internal/unix.go b/vendor/github.com/fsnotify/fsnotify/internal/unix.go new file mode 100644 index 000000000..b251fb803 --- /dev/null +++ b/vendor/github.com/fsnotify/fsnotify/internal/unix.go @@ -0,0 +1,31 @@ +//go:build !windows && !darwin && !freebsd && !plan9 + +package internal + +import ( + "syscall" + + "golang.org/x/sys/unix" +) + +var ( + ErrSyscallEACCES = syscall.EACCES + ErrUnixEACCES = unix.EACCES +) + +var maxfiles uint64 + +func SetRlimit() { + // Go 1.19 will do this automatically: https://go-review.googlesource.com/c/go/+/393354/ + var l syscall.Rlimit + err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, &l) + if err == nil && l.Cur != l.Max { + l.Cur = l.Max + syscall.Setrlimit(syscall.RLIMIT_NOFILE, &l) + } + maxfiles = uint64(l.Cur) +} + +func Maxfiles() uint64 { return maxfiles } +func Mkfifo(path string, mode uint32) error { return unix.Mkfifo(path, mode) } +func Mknod(path string, mode uint32, dev int) error { return unix.Mknod(path, mode, dev) } diff --git a/vendor/github.com/fsnotify/fsnotify/internal/unix2.go b/vendor/github.com/fsnotify/fsnotify/internal/unix2.go new file mode 100644 index 000000000..37dfeddc2 --- /dev/null +++ b/vendor/github.com/fsnotify/fsnotify/internal/unix2.go @@ -0,0 +1,7 @@ +//go:build !windows + +package internal + +func HasPrivilegesForSymlink() bool { + return true +} diff --git a/vendor/github.com/fsnotify/fsnotify/internal/windows.go b/vendor/github.com/fsnotify/fsnotify/internal/windows.go new file mode 100644 index 000000000..896bc2e5a --- /dev/null +++ b/vendor/github.com/fsnotify/fsnotify/internal/windows.go @@ -0,0 +1,41 @@ +//go:build windows + +package internal + +import ( + "errors" + + "golang.org/x/sys/windows" +) + +// Just a dummy. +var ( + ErrSyscallEACCES = errors.New("dummy") + ErrUnixEACCES = errors.New("dummy") +) + +func SetRlimit() {} +func Maxfiles() uint64 { return 1<<64 - 1 } +func Mkfifo(path string, mode uint32) error { return errors.New("no FIFOs on Windows") } +func Mknod(path string, mode uint32, dev int) error { return errors.New("no device nodes on Windows") } + +func HasPrivilegesForSymlink() bool { + var sid *windows.SID + err := windows.AllocateAndInitializeSid( + &windows.SECURITY_NT_AUTHORITY, + 2, + windows.SECURITY_BUILTIN_DOMAIN_RID, + windows.DOMAIN_ALIAS_RID_ADMINS, + 0, 0, 0, 0, 0, 0, + &sid) + if err != nil { + return false + } + defer windows.FreeSid(sid) + token := windows.Token(0) + member, err := token.IsMember(sid) + if err != nil { + return false + } + return member || token.IsElevated() +} diff --git a/vendor/github.com/fsnotify/fsnotify/mkdoc.zsh b/vendor/github.com/fsnotify/fsnotify/mkdoc.zsh deleted file mode 100644 index 99012ae65..000000000 --- a/vendor/github.com/fsnotify/fsnotify/mkdoc.zsh +++ /dev/null @@ -1,259 +0,0 @@ -#!/usr/bin/env zsh -[ "${ZSH_VERSION:-}" = "" ] && echo >&2 "Only works with zsh" && exit 1 -setopt err_exit no_unset pipefail extended_glob - -# Simple script to update the godoc comments on all watchers so you don't need -# to update the same comment 5 times. - -watcher=$(</tmp/x - print -r -- $cmt >>/tmp/x - tail -n+$(( end + 1 )) $file >>/tmp/x - mv /tmp/x $file - done -} - -set-cmt '^type Watcher struct ' $watcher -set-cmt '^func NewWatcher(' $new -set-cmt '^func NewBufferedWatcher(' $newbuffered -set-cmt '^func (w \*Watcher) Add(' $add -set-cmt '^func (w \*Watcher) AddWith(' $addwith -set-cmt '^func (w \*Watcher) Remove(' $remove -set-cmt '^func (w \*Watcher) Close(' $close -set-cmt '^func (w \*Watcher) WatchList(' $watchlist -set-cmt '^[[:space:]]*Events *chan Event$' $events -set-cmt '^[[:space:]]*Errors *chan error$' $errors diff --git a/vendor/github.com/fsnotify/fsnotify/shared.go b/vendor/github.com/fsnotify/fsnotify/shared.go new file mode 100644 index 000000000..3ee9b58f1 --- /dev/null +++ b/vendor/github.com/fsnotify/fsnotify/shared.go @@ -0,0 +1,64 @@ +package fsnotify + +import "sync" + +type shared struct { + Events chan Event + Errors chan error + done chan struct{} + mu sync.Mutex +} + +func newShared(ev chan Event, errs chan error) *shared { + return &shared{ + Events: ev, + Errors: errs, + done: make(chan struct{}), + } +} + +// Returns true if the event was sent, or false if watcher is closed. +func (w *shared) sendEvent(e Event) bool { + if e.Op == 0 { + return true + } + select { + case <-w.done: + return false + case w.Events <- e: + return true + } +} + +// Returns true if the error was sent, or false if watcher is closed. +func (w *shared) sendError(err error) bool { + if err == nil { + return true + } + select { + case <-w.done: + return false + case w.Errors <- err: + return true + } +} + +func (w *shared) isClosed() bool { + select { + case <-w.done: + return true + default: + return false + } +} + +// Mark as closed; returns true if it was already closed. +func (w *shared) close() bool { + w.mu.Lock() + defer w.mu.Unlock() + if w.isClosed() { + return true + } + close(w.done) + return false +} diff --git a/vendor/github.com/fsnotify/fsnotify/staticcheck.conf b/vendor/github.com/fsnotify/fsnotify/staticcheck.conf new file mode 100644 index 000000000..8fa7351f0 --- /dev/null +++ b/vendor/github.com/fsnotify/fsnotify/staticcheck.conf @@ -0,0 +1,3 @@ +checks = ['all', + '-U1000', # Don't complain about unused functions. +] diff --git a/vendor/github.com/fsnotify/fsnotify/system_bsd.go b/vendor/github.com/fsnotify/fsnotify/system_bsd.go index 4322b0b88..f65e8fe3e 100644 --- a/vendor/github.com/fsnotify/fsnotify/system_bsd.go +++ b/vendor/github.com/fsnotify/fsnotify/system_bsd.go @@ -1,5 +1,4 @@ //go:build freebsd || openbsd || netbsd || dragonfly -// +build freebsd openbsd netbsd dragonfly package fsnotify diff --git a/vendor/github.com/fsnotify/fsnotify/system_darwin.go b/vendor/github.com/fsnotify/fsnotify/system_darwin.go index 5da5ffa78..a29fc7aab 100644 --- a/vendor/github.com/fsnotify/fsnotify/system_darwin.go +++ b/vendor/github.com/fsnotify/fsnotify/system_darwin.go @@ -1,5 +1,4 @@ //go:build darwin -// +build darwin package fsnotify diff --git a/vendor/github.com/google/cel-go/cel/BUILD.bazel b/vendor/github.com/google/cel-go/cel/BUILD.bazel index 81549fb4c..c12e4904d 100644 --- a/vendor/github.com/google/cel-go/cel/BUILD.bazel +++ b/vendor/github.com/google/cel-go/cel/BUILD.bazel @@ -11,15 +11,17 @@ go_library( "decls.go", "env.go", "folding.go", - "io.go", "inlining.go", + "io.go", "library.go", "macro.go", "optimizer.go", "options.go", "program.go", + "prompt.go", "validator.go", ], + embedsrcs = ["//cel/templates"], importpath = "github.com/google/cel-go/cel", visibility = ["//visibility:public"], deps = [ @@ -29,6 +31,7 @@ go_library( "//common/ast:go_default_library", "//common/containers:go_default_library", "//common/decls:go_default_library", + "//common/env:go_default_library", "//common/functions:go_default_library", "//common/operators:go_default_library", "//common/overloads:go_default_library", @@ -61,9 +64,10 @@ go_test( "decls_test.go", "env_test.go", "folding_test.go", - "io_test.go", "inlining_test.go", + "io_test.go", "optimizer_test.go", + "prompt_test.go", "validator_test.go", ], data = [ @@ -72,6 +76,9 @@ go_test( embed = [ ":go_default_library", ], + embedsrcs = [ + "//cel/testdata:prompts", + ], deps = [ "//common/operators:go_default_library", "//common/overloads:go_default_library", @@ -83,8 +90,8 @@ go_test( "//test/proto2pb:go_default_library", "//test/proto3pb:go_default_library", "@org_golang_google_genproto_googleapis_api//expr/v1alpha1:go_default_library", - "@org_golang_google_protobuf//proto:go_default_library", "@org_golang_google_protobuf//encoding/prototext:go_default_library", + "@org_golang_google_protobuf//proto:go_default_library", "@org_golang_google_protobuf//types/known/structpb:go_default_library", "@org_golang_google_protobuf//types/known/wrapperspb:go_default_library", ], diff --git a/vendor/github.com/google/cel-go/cel/decls.go b/vendor/github.com/google/cel-go/cel/decls.go index 418806021..4d4873bd6 100644 --- a/vendor/github.com/google/cel-go/cel/decls.go +++ b/vendor/github.com/google/cel-go/cel/decls.go @@ -142,8 +142,23 @@ func Constant(name string, t *Type, v ref.Val) EnvOption { // Variable creates an instance of a variable declaration with a variable name and type. func Variable(name string, t *Type) EnvOption { + return VariableWithDoc(name, t, "") +} + +// VariableWithDoc creates an instance of a variable declaration with a variable name, type, and doc string. +func VariableWithDoc(name string, t *Type, doc string) EnvOption { + return func(e *Env) (*Env, error) { + e.variables = append(e.variables, decls.NewVariableWithDoc(name, t, doc)) + return e, nil + } +} + +// VariableDecls configures a set of fully defined cel.VariableDecl instances in the environment. +func VariableDecls(vars ...*decls.VariableDecl) EnvOption { return func(e *Env) (*Env, error) { - e.variables = append(e.variables, decls.NewVariable(name, t)) + for _, v := range vars { + e.variables = append(e.variables, v) + } return e, nil } } @@ -183,13 +198,38 @@ func Function(name string, opts ...FunctionOpt) EnvOption { if err != nil { return nil, err } - if existing, found := e.functions[fn.Name()]; found { - fn, err = existing.Merge(fn) - if err != nil { - return nil, err + return FunctionDecls(fn)(e) + } +} + +// OverloadSelector selects an overload associated with a given function when it returns true. +// +// Used in combination with the FunctionDecl.Subset method. +type OverloadSelector = decls.OverloadSelector + +// IncludeOverloads defines an OverloadSelector which allow-lists a set of overloads by their ids. +func IncludeOverloads(overloadIDs ...string) OverloadSelector { + return decls.IncludeOverloads(overloadIDs...) +} + +// ExcludeOverloads defines an OverloadSelector which deny-lists a set of overloads by their ids. +func ExcludeOverloads(overloadIDs ...string) OverloadSelector { + return decls.ExcludeOverloads(overloadIDs...) +} + +// FunctionDecls provides one or more fully formed function declarations to be added to the environment. +func FunctionDecls(funcs ...*decls.FunctionDecl) EnvOption { + return func(e *Env) (*Env, error) { + var err error + for _, fn := range funcs { + if existing, found := e.functions[fn.Name()]; found { + fn, err = existing.Merge(fn) + if err != nil { + return nil, err + } } + e.functions[fn.Name()] = fn } - e.functions[fn.Name()] = fn return e, nil } } @@ -197,6 +237,13 @@ func Function(name string, opts ...FunctionOpt) EnvOption { // FunctionOpt defines a functional option for configuring a function declaration. type FunctionOpt = decls.FunctionOpt +// FunctionDocs provides a general usage documentation for the function. +// +// Use OverloadExamples to provide example usage instructions for specific overloads. +func FunctionDocs(docs ...string) FunctionOpt { + return decls.FunctionDocs(docs...) +} + // SingletonUnaryBinding creates a singleton function definition to be used for all function overloads. // // Note, this approach works well if operand is expected to have a specific trait which it implements, @@ -270,6 +317,11 @@ func MemberOverload(overloadID string, args []*Type, resultType *Type, opts ...O // OverloadOpt is a functional option for configuring a function overload. type OverloadOpt = decls.OverloadOpt +// OverloadExamples configures an example of how to invoke the overload. +func OverloadExamples(docs ...string) OverloadOpt { + return decls.OverloadExamples(docs...) +} + // UnaryBinding provides the implementation of a unary overload. The provided function is protected by a runtime // type-guard which ensures runtime type agreement between the overload signature and runtime argument types. func UnaryBinding(binding functions.UnaryOp) OverloadOpt { @@ -288,6 +340,12 @@ func FunctionBinding(binding functions.FunctionOp) OverloadOpt { return decls.FunctionBinding(binding) } +// LateFunctionBinding indicates that the function has a binding which is not known at compile time. +// This is useful for functions which have side-effects or are not deterministically computable. +func LateFunctionBinding() OverloadOpt { + return decls.LateFunctionBinding() +} + // OverloadIsNonStrict enables the function to be called with error and unknown argument values. // // Note: do not use this option unless absoluately necessary as it should be an uncommon feature. diff --git a/vendor/github.com/google/cel-go/cel/env.go b/vendor/github.com/google/cel-go/cel/env.go index 3bfe42899..bb3014464 100644 --- a/vendor/github.com/google/cel-go/cel/env.go +++ b/vendor/github.com/google/cel-go/cel/env.go @@ -16,6 +16,8 @@ package cel import ( "errors" + "fmt" + "math" "sync" "github.com/google/cel-go/checker" @@ -24,12 +26,15 @@ import ( celast "github.com/google/cel-go/common/ast" "github.com/google/cel-go/common/containers" "github.com/google/cel-go/common/decls" + "github.com/google/cel-go/common/env" + "github.com/google/cel-go/common/stdlib" "github.com/google/cel-go/common/types" "github.com/google/cel-go/common/types/ref" "github.com/google/cel-go/interpreter" "github.com/google/cel-go/parser" exprpb "google.golang.org/genproto/googleapis/api/expr/v1alpha1" + "google.golang.org/protobuf/reflect/protoreflect" ) // Source interface representing a user-provided expression. @@ -127,12 +132,13 @@ type Env struct { Container *containers.Container variables []*decls.VariableDecl functions map[string]*decls.FunctionDecl - macros []parser.Macro + macros []Macro + contextProto protoreflect.MessageDescriptor adapter types.Adapter provider types.Provider features map[int]bool appliedFeatures map[int]bool - libraries map[string]bool + libraries map[string]SingletonLibrary validators []ASTValidator costOptions []checker.CostOption @@ -151,6 +157,134 @@ type Env struct { progOpts []ProgramOption } +// ToConfig produces a YAML-serializable env.Config object from the given environment. +// +// The serialized configuration value is intended to represent a baseline set of config +// options which could be used as input to an EnvOption to configure the majority of the +// environment from a file. +// +// Note: validators, features, flags, and safe-guard settings are not yet supported by +// the serialize method. Since optimizers are a separate construct from the environment +// and the standard expression components (parse, check, evalute), they are also not +// supported by the serialize method. +func (e *Env) ToConfig(name string) (*env.Config, error) { + conf := env.NewConfig(name) + // Container settings + if e.Container != containers.DefaultContainer { + conf.SetContainer(e.Container.Name()) + } + for _, typeName := range e.Container.AliasSet() { + conf.AddImports(env.NewImport(typeName)) + } + + libOverloads := map[string][]string{} + for libName, lib := range e.libraries { + // Track the options which have been configured by a library and + // then diff the library version against the configured function + // to detect incremental overloads or rewrites. + libEnv, _ := NewCustomEnv() + libEnv, _ = Lib(lib)(libEnv) + for fnName, fnDecl := range libEnv.Functions() { + if len(fnDecl.OverloadDecls()) == 0 { + continue + } + overloads, exist := libOverloads[fnName] + if !exist { + overloads = make([]string, 0, len(fnDecl.OverloadDecls())) + } + for _, o := range fnDecl.OverloadDecls() { + overloads = append(overloads, o.ID()) + } + libOverloads[fnName] = overloads + } + subsetLib, canSubset := lib.(LibrarySubsetter) + alias := "" + if aliasLib, canAlias := lib.(LibraryAliaser); canAlias { + alias = aliasLib.LibraryAlias() + libName = alias + } + if libName == "stdlib" && canSubset { + conf.SetStdLib(subsetLib.LibrarySubset()) + continue + } + version := uint32(math.MaxUint32) + if versionLib, isVersioned := lib.(LibraryVersioner); isVersioned { + version = versionLib.LibraryVersion() + } + conf.AddExtensions(env.NewExtension(libName, version)) + } + + // If this is a custom environment without the standard env, mark the stdlib as disabled. + if conf.StdLib == nil && !e.HasLibrary("cel.lib.std") { + conf.SetStdLib(env.NewLibrarySubset().SetDisabled(true)) + } + + // Serialize the variables + vars := make([]*decls.VariableDecl, 0, len(e.Variables())) + stdTypeVars := map[string]*decls.VariableDecl{} + for _, v := range stdlib.Types() { + stdTypeVars[v.Name()] = v + } + for _, v := range e.Variables() { + if _, isStdType := stdTypeVars[v.Name()]; isStdType { + continue + } + vars = append(vars, v) + } + if e.contextProto != nil { + conf.SetContextVariable(env.NewContextVariable(string(e.contextProto.FullName()))) + skipVariables := map[string]bool{} + fields := e.contextProto.Fields() + for i := 0; i < fields.Len(); i++ { + field := fields.Get(i) + variable, err := fieldToVariable(field) + if err != nil { + return nil, fmt.Errorf("could not serialize context field variable %q, reason: %w", field.FullName(), err) + } + skipVariables[variable.Name()] = true + } + for _, v := range vars { + if _, found := skipVariables[v.Name()]; !found { + conf.AddVariableDecls(v) + } + } + } else { + conf.AddVariableDecls(vars...) + } + + // Serialize functions which are distinct from the ones configured by libraries. + for fnName, fnDecl := range e.Functions() { + if excludedOverloads, found := libOverloads[fnName]; found { + if newDecl := fnDecl.Subset(decls.ExcludeOverloads(excludedOverloads...)); newDecl != nil { + conf.AddFunctionDecls(newDecl) + } + } else { + conf.AddFunctionDecls(fnDecl) + } + } + + // Serialize validators + for _, val := range e.Validators() { + // Only add configurable validators to the env.Config as all others are + // expected to be implicitly enabled via extension libraries. + if confVal, ok := val.(ConfigurableASTValidator); ok { + conf.AddValidators(confVal.ToConfig()) + } + } + + // Serialize features + for featID, enabled := range e.features { + featName, found := featureNameByID(featID) + if !found { + // If the feature isn't named, it isn't intended to be publicly exposed + continue + } + conf.AddFeatures(env.NewFeature(featName, enabled)) + } + + return conf, nil +} + // NewEnv creates a program environment configured with the standard library of CEL functions and // macros. The Env value returned can parse and check any CEL program which builds upon the core // features documented in the CEL specification. @@ -194,7 +328,7 @@ func NewCustomEnv(opts ...EnvOption) (*Env, error) { provider: registry, features: map[int]bool{}, appliedFeatures: map[int]bool{}, - libraries: map[string]bool{}, + libraries: map[string]SingletonLibrary{}, validators: []ASTValidator{}, progOpts: []ProgramOption{}, costOptions: []checker.CostOption{}, @@ -362,7 +496,7 @@ func (e *Env) Extend(opts ...EnvOption) (*Env, error) { for k, v := range e.functions { funcsCopy[k] = v } - libsCopy := make(map[string]bool, len(e.libraries)) + libsCopy := make(map[string]SingletonLibrary, len(e.libraries)) for k, v := range e.libraries { libsCopy[k] = v } @@ -376,6 +510,7 @@ func (e *Env) Extend(opts ...EnvOption) (*Env, error) { variables: varsCopy, functions: funcsCopy, macros: macsCopy, + contextProto: e.contextProto, progOpts: progOptsCopy, adapter: adapter, features: featuresCopy, @@ -399,8 +534,8 @@ func (e *Env) HasFeature(flag int) bool { // HasLibrary returns whether a specific SingletonLibrary has been configured in the environment. func (e *Env) HasLibrary(libName string) bool { - configured, exists := e.libraries[libName] - return exists && configured + _, exists := e.libraries[libName] + return exists } // Libraries returns a list of SingletonLibrary that have been configured in the environment. @@ -418,9 +553,27 @@ func (e *Env) HasFunction(functionName string) bool { return ok } -// Functions returns map of Functions, keyed by function name, that have been configured in the environment. +// Functions returns a shallow copy of the Functions, keyed by function name, that have been configured in the environment. func (e *Env) Functions() map[string]*decls.FunctionDecl { - return e.functions + shallowCopy := make(map[string]*decls.FunctionDecl, len(e.functions)) + for nm, fn := range e.functions { + shallowCopy[nm] = fn + } + return shallowCopy +} + +// Variables returns a shallow copy of the variables associated with the environment. +func (e *Env) Variables() []*decls.VariableDecl { + shallowCopy := make([]*decls.VariableDecl, len(e.variables)) + copy(shallowCopy, e.variables) + return shallowCopy +} + +// Macros returns a shallow copy of macros associated with the environment. +func (e *Env) Macros() []Macro { + shallowCopy := make([]Macro, len(e.macros)) + copy(shallowCopy, e.macros) + return shallowCopy } // HasValidator returns whether a specific ASTValidator has been configured in the environment. @@ -433,6 +586,11 @@ func (e *Env) HasValidator(name string) bool { return false } +// Validators returns the set of ASTValidators configured on the environment. +func (e *Env) Validators() []ASTValidator { + return e.validators[:] +} + // Parse parses the input expression value `txt` to a Ast and/or a set of Issues. // // This form of Parse creates a Source value for the input `txt` and forwards to the @@ -502,31 +660,30 @@ func (e *Env) TypeProvider() ref.TypeProvider { return &interopLegacyTypeProvider{Provider: e.provider} } -// UnknownVars returns an interpreter.PartialActivation which marks all variables declared in the -// Env as unknown AttributePattern values. +// UnknownVars returns a PartialActivation which marks all variables declared in the Env as +// unknown AttributePattern values. // -// Note, the UnknownVars will behave the same as an interpreter.EmptyActivation unless the -// PartialAttributes option is provided as a ProgramOption. -func (e *Env) UnknownVars() interpreter.PartialActivation { +// Note, the UnknownVars will behave the same as an cel.NoVars() unless the PartialAttributes +// option is provided as a ProgramOption. +func (e *Env) UnknownVars() PartialActivation { act := interpreter.EmptyActivation() part, _ := PartialVars(act, e.computeUnknownVars(act)...) return part } -// PartialVars returns an interpreter.PartialActivation where all variables not in the input variable +// PartialVars returns a PartialActivation where all variables not in the input variable // set, but which have been configured in the environment, are marked as unknown. // -// The `vars` value may either be an interpreter.Activation or any valid input to the -// interpreter.NewActivation call. +// The `vars` value may either be an Activation or any valid input to the cel.NewActivation call. // // Note, this is equivalent to calling cel.PartialVars and manually configuring the set of unknown // variables. For more advanced use cases of partial state where portions of an object graph, rather // than top-level variables, are missing the PartialVars() method may be a more suitable choice. // -// Note, the PartialVars will behave the same as an interpreter.EmptyActivation unless the -// PartialAttributes option is provided as a ProgramOption. -func (e *Env) PartialVars(vars any) (interpreter.PartialActivation, error) { - act, err := interpreter.NewActivation(vars) +// Note, the PartialVars will behave the same as cel.NoVars() unless the PartialAttributes +// option is provided as a ProgramOption. +func (e *Env) PartialVars(vars any) (PartialActivation, error) { + act, err := NewActivation(vars) if err != nil { return nil, err } @@ -598,10 +755,15 @@ func (e *Env) configure(opts []EnvOption) (*Env, error) { } } - // If the default UTC timezone fix has been enabled, make sure the library is configured - e, err = e.maybeApplyFeature(featureDefaultUTCTimeZone, Lib(timeUTCLibrary{})) - if err != nil { - return nil, err + // If the default UTC timezone has been disabled, configure the legacy overloads + if utcTime, isSet := e.features[featureDefaultUTCTimeZone]; isSet && !utcTime { + if !e.appliedFeatures[featureDefaultUTCTimeZone] { + e.appliedFeatures[featureDefaultUTCTimeZone] = true + e, err = Lib(timeLegacyLibrary{})(e) + if err != nil { + return nil, err + } + } } // Configure the parser. @@ -685,30 +847,9 @@ func (e *Env) getCheckerOrError() (*checker.Env, error) { return e.chk, e.chkErr } -// maybeApplyFeature determines whether the feature-guarded option is enabled, and if so applies -// the feature if it has not already been enabled. -func (e *Env) maybeApplyFeature(feature int, option EnvOption) (*Env, error) { - if !e.HasFeature(feature) { - return e, nil - } - _, applied := e.appliedFeatures[feature] - if applied { - return e, nil - } - e, err := option(e) - if err != nil { - return nil, err - } - // record that the feature has been applied since it will generate declarations - // and functions which will be propagated on Extend() calls and which should only - // be registered once. - e.appliedFeatures[feature] = true - return e, nil -} - // computeUnknownVars determines a set of missing variables based on the input activation and the // environment's configured declaration set. -func (e *Env) computeUnknownVars(vars interpreter.Activation) []*interpreter.AttributePattern { +func (e *Env) computeUnknownVars(vars Activation) []*interpreter.AttributePattern { var unknownPatterns []*interpreter.AttributePattern for _, v := range e.variables { varName := v.Name() diff --git a/vendor/github.com/google/cel-go/cel/folding.go b/vendor/github.com/google/cel-go/cel/folding.go index d7060896d..40d843ece 100644 --- a/vendor/github.com/google/cel-go/cel/folding.go +++ b/vendor/github.com/google/cel-go/cel/folding.go @@ -38,6 +38,23 @@ func MaxConstantFoldIterations(limit int) ConstantFoldingOption { } } +// Adds an Activation which provides known values for the folding evaluator +// +// Any values the activation provides will be used by the constant folder and turned into +// literals in the AST. +// +// Defaults to the NoVars() Activation +func FoldKnownValues(knownValues Activation) ConstantFoldingOption { + return func(opt *constantFoldingOptimizer) (*constantFoldingOptimizer, error) { + if knownValues != nil { + opt.knownValues = knownValues + } else { + opt.knownValues = NoVars() + } + return opt, nil + } +} + // NewConstantFoldingOptimizer creates an optimizer which inlines constant scalar an aggregate // literal values within function calls and select statements with their evaluated result. func NewConstantFoldingOptimizer(opts ...ConstantFoldingOption) (ASTOptimizer, error) { @@ -56,6 +73,7 @@ func NewConstantFoldingOptimizer(opts ...ConstantFoldingOption) (ASTOptimizer, e type constantFoldingOptimizer struct { maxFoldIterations int + knownValues Activation } // Optimize queries the expression graph for scalar and aggregate literal expressions within call and @@ -68,7 +86,8 @@ func (opt *constantFoldingOptimizer) Optimize(ctx *OptimizerContext, a *ast.AST) // Walk the list of foldable expression and continue to fold until there are no more folds left. // All of the fold candidates returned by the constantExprMatcher should succeed unless there's // a logic bug with the selection of expressions. - foldableExprs := ast.MatchDescendants(root, constantExprMatcher) + constantExprMatcherCapture := func(e ast.NavigableExpr) bool { return opt.constantExprMatcher(ctx, a, e) } + foldableExprs := ast.MatchDescendants(root, constantExprMatcherCapture) foldCount := 0 for len(foldableExprs) != 0 && foldCount < opt.maxFoldIterations { for _, fold := range foldableExprs { @@ -77,21 +96,27 @@ func (opt *constantFoldingOptimizer) Optimize(ctx *OptimizerContext, a *ast.AST) if fold.Kind() == ast.CallKind && maybePruneBranches(ctx, fold) { continue } + // Late-bound function calls cannot be folded. + if fold.Kind() == ast.CallKind && isLateBoundFunctionCall(ctx, a, fold) { + continue + } // Otherwise, assume all context is needed to evaluate the expression. - err := tryFold(ctx, a, fold) - if err != nil { + err := opt.tryFold(ctx, a, fold) + // Ignore errors for identifiers, since there is no guarantee that the environment + // has a value for them. + if err != nil && fold.Kind() != ast.IdentKind { ctx.ReportErrorAtID(fold.ID(), "constant-folding evaluation failed: %v", err.Error()) return a } } foldCount++ - foldableExprs = ast.MatchDescendants(root, constantExprMatcher) + foldableExprs = ast.MatchDescendants(root, constantExprMatcherCapture) } // Once all of the constants have been folded, try to run through the remaining comprehensions // one last time. In this case, there's no guarantee they'll run, so we only update the // target comprehension node with the literal value if the evaluation succeeds. for _, compre := range ast.MatchDescendants(root, ast.KindMatcher(ast.ComprehensionKind)) { - tryFold(ctx, a, compre) + opt.tryFold(ctx, a, compre) } // If the output is a list, map, or struct which contains optional entries, then prune it @@ -121,7 +146,7 @@ func (opt *constantFoldingOptimizer) Optimize(ctx *OptimizerContext, a *ast.AST) // // If the evaluation succeeds, the input expr value will be modified to become a literal, otherwise // the method will return an error. -func tryFold(ctx *OptimizerContext, a *ast.AST, expr ast.Expr) error { +func (opt *constantFoldingOptimizer) tryFold(ctx *OptimizerContext, a *ast.AST, expr ast.Expr) error { // Assume all context is needed to evaluate the expression. subAST := &Ast{ impl: ast.NewCheckedAST(ast.NewAST(expr, a.SourceInfo()), a.TypeMap(), a.ReferenceMap()), @@ -130,7 +155,11 @@ func tryFold(ctx *OptimizerContext, a *ast.AST, expr ast.Expr) error { if err != nil { return err } - out, _, err := prg.Eval(NoVars()) + activation := opt.knownValues + if activation == nil { + activation = NoVars() + } + out, _, err := prg.Eval(activation) if err != nil { return err } @@ -139,6 +168,15 @@ func tryFold(ctx *OptimizerContext, a *ast.AST, expr ast.Expr) error { return nil } +func isLateBoundFunctionCall(ctx *OptimizerContext, a *ast.AST, expr ast.Expr) bool { + call := expr.AsCall() + function := ctx.Functions()[call.FunctionName()] + if function == nil { + return false + } + return function.HasLateBinding() +} + // maybePruneBranches inspects the non-strict call expression to determine whether // a branch can be removed. Evaluation will naturally prune logical and / or calls, // but conditional will not be pruned cleanly, so this is one small area where the @@ -455,13 +493,15 @@ func adaptLiteral(ctx *OptimizerContext, val ref.Val) (ast.Expr, error) { // Only comprehensions which are not nested are included as possible constant folds, and only // if all variables referenced in the comprehension stack exist are only iteration or // accumulation variables. -func constantExprMatcher(e ast.NavigableExpr) bool { +func (opt *constantFoldingOptimizer) constantExprMatcher(ctx *OptimizerContext, a *ast.AST, e ast.NavigableExpr) bool { switch e.Kind() { case ast.CallKind: return constantCallMatcher(e) case ast.SelectKind: sel := e.AsSelect() // guaranteed to be a navigable value return constantMatcher(sel.Operand().(ast.NavigableExpr)) + case ast.IdentKind: + return opt.knownValues != nil && a.ReferenceMap()[e.ID()] != nil case ast.ComprehensionKind: if isNestedComprehension(e) { return false @@ -477,6 +517,10 @@ func constantExprMatcher(e ast.NavigableExpr) bool { if e.Kind() == ast.IdentKind && !vars[e.AsIdent()] { constantExprs = false } + // Late-bound function calls cannot be folded. + if e.Kind() == ast.CallKind && isLateBoundFunctionCall(ctx, a, e) { + constantExprs = false + } }) ast.PreOrderVisit(e, visitor) return constantExprs diff --git a/vendor/github.com/google/cel-go/cel/io.go b/vendor/github.com/google/cel-go/cel/io.go index a327c9672..2e611228d 100644 --- a/vendor/github.com/google/cel-go/cel/io.go +++ b/vendor/github.com/google/cel-go/cel/io.go @@ -99,7 +99,13 @@ func AstToParsedExpr(a *Ast) (*exprpb.ParsedExpr, error) { // Note, the conversion may not be an exact replica of the original expression, but will produce // a string that is semantically equivalent and whose textual representation is stable. func AstToString(a *Ast) (string, error) { - return parser.Unparse(a.NativeRep().Expr(), a.NativeRep().SourceInfo()) + return ExprToString(a.NativeRep().Expr(), a.NativeRep().SourceInfo()) +} + +// ExprToString converts an AST Expr node back to a string using macro call tracking metadata from +// source info if any macros are encountered within the expression. +func ExprToString(e ast.Expr, info *ast.SourceInfo) (string, error) { + return parser.Unparse(e, info) } // RefValueToValue converts between ref.Val and google.api.expr.v1alpha1.Value. @@ -120,6 +126,55 @@ func ValueAsAlphaProto(res ref.Val) (*exprpb.Value, error) { return alpha, err } +// RefValToExprValue converts between ref.Val and google.api.expr.v1alpha1.ExprValue. +// The result ExprValue is the serialized proto form. +func RefValToExprValue(res ref.Val) (*exprpb.ExprValue, error) { + return ExprValueAsAlphaProto(res) +} + +// ExprValueAsAlphaProto converts between ref.Val and google.api.expr.v1alpha1.ExprValue. +// The result ExprValue is the serialized proto form. +func ExprValueAsAlphaProto(res ref.Val) (*exprpb.ExprValue, error) { + canonical, err := ExprValueAsProto(res) + if err != nil { + return nil, err + } + alpha := &exprpb.ExprValue{} + err = convertProto(canonical, alpha) + return alpha, err +} + +// ExprValueAsProto converts between ref.Val and cel.expr.ExprValue. +// The result ExprValue is the serialized proto form. +func ExprValueAsProto(res ref.Val) (*celpb.ExprValue, error) { + switch res := res.(type) { + case *types.Unknown: + return &celpb.ExprValue{ + Kind: &celpb.ExprValue_Unknown{ + Unknown: &celpb.UnknownSet{ + Exprs: res.IDs(), + }, + }}, nil + case *types.Err: + return &celpb.ExprValue{ + Kind: &celpb.ExprValue_Error{ + Error: &celpb.ErrorSet{ + // Keeping the error code as UNKNOWN since there's no error codes associated with + // Cel-Go runtime errors. + Errors: []*celpb.Status{{Code: 2, Message: res.Error()}}, + }, + }, + }, nil + default: + val, err := ValueAsProto(res) + if err != nil { + return nil, err + } + return &celpb.ExprValue{ + Kind: &celpb.ExprValue_Value{Value: val}}, nil + } +} + // ValueAsProto converts between ref.Val and cel.expr.Value. // The result Value is the serialized proto form. The ref.Val must not be error or unknown. func ValueAsProto(res ref.Val) (*celpb.Value, error) { diff --git a/vendor/github.com/google/cel-go/cel/library.go b/vendor/github.com/google/cel-go/cel/library.go index c0aef5019..59a10e81d 100644 --- a/vendor/github.com/google/cel-go/cel/library.go +++ b/vendor/github.com/google/cel-go/cel/library.go @@ -17,11 +17,11 @@ package cel import ( "fmt" "math" - "strconv" - "strings" - "time" + "github.com/google/cel-go/common" "github.com/google/cel-go/common/ast" + "github.com/google/cel-go/common/decls" + "github.com/google/cel-go/common/env" "github.com/google/cel-go/common/operators" "github.com/google/cel-go/common/overloads" "github.com/google/cel-go/common/stdlib" @@ -71,6 +71,23 @@ type SingletonLibrary interface { LibraryName() string } +// LibraryAliaser generates a simple named alias for the library, for use during environment serialization. +type LibraryAliaser interface { + LibraryAlias() string +} + +// LibrarySubsetter provides the subset description associated with the library, nil if not subset. +type LibrarySubsetter interface { + LibrarySubset() *env.LibrarySubset +} + +// LibraryVersioner provides a version number for the library. +// +// If not implemented, the library version will be flagged as 'latest' during environment serialization. +type LibraryVersioner interface { + LibraryVersion() uint32 +} + // Lib creates an EnvOption out of a Library, allowing libraries to be provided as functional args, // and to be linked to each other. func Lib(l Library) EnvOption { @@ -80,7 +97,7 @@ func Lib(l Library) EnvOption { if e.HasLibrary(singleton.LibraryName()) { return e, nil } - e.libraries[singleton.LibraryName()] = true + e.libraries[singleton.LibraryName()] = singleton } var err error for _, opt := range l.CompileOptions() { @@ -94,26 +111,79 @@ func Lib(l Library) EnvOption { } } +// StdLibOption specifies a functional option for configuring the standard CEL library. +type StdLibOption func(*stdLibrary) *stdLibrary + +// StdLibSubset configures the standard library to use a subset of its functions and macros. +// +// Since the StdLib is a singleton library, only the first instance of the StdLib() environment options +// will be configured on the environment which means only the StdLibSubset() initially configured with +// the library will be used. +func StdLibSubset(subset *env.LibrarySubset) StdLibOption { + return func(lib *stdLibrary) *stdLibrary { + lib.subset = subset + return lib + } +} + // StdLib returns an EnvOption for the standard library of CEL functions and macros. -func StdLib() EnvOption { - return Lib(stdLibrary{}) +func StdLib(opts ...StdLibOption) EnvOption { + lib := &stdLibrary{} + for _, o := range opts { + lib = o(lib) + } + return Lib(lib) } // stdLibrary implements the Library interface and provides functional options for the core CEL // features documented in the specification. -type stdLibrary struct{} +type stdLibrary struct { + subset *env.LibrarySubset +} // LibraryName implements the SingletonLibrary interface method. -func (stdLibrary) LibraryName() string { +func (*stdLibrary) LibraryName() string { return "cel.lib.std" } +// LibraryAlias returns the simple name of the library. +func (*stdLibrary) LibraryAlias() string { + return "stdlib" +} + +// LibrarySubset returns the env.LibrarySubset definition associated with the CEL Library. +func (lib *stdLibrary) LibrarySubset() *env.LibrarySubset { + return lib.subset +} + // CompileOptions returns options for the standard CEL function declarations and macros. -func (stdLibrary) CompileOptions() []EnvOption { +func (lib *stdLibrary) CompileOptions() []EnvOption { + funcs := stdlib.Functions() + macros := StandardMacros + if lib.subset != nil { + subMacros := []Macro{} + for _, m := range macros { + if lib.subset.SubsetMacro(m.Function()) { + subMacros = append(subMacros, m) + } + } + macros = subMacros + subFuncs := []*decls.FunctionDecl{} + for _, fn := range funcs { + if f, include := lib.subset.SubsetFunction(fn); include { + subFuncs = append(subFuncs, f) + } + } + funcs = subFuncs + } return []EnvOption{ func(e *Env) (*Env, error) { var err error - for _, fn := range stdlib.Functions() { + if err = lib.subset.Validate(); err != nil { + return nil, err + } + e.variables = append(e.variables, stdlib.Types()...) + for _, fn := range funcs { existing, found := e.functions[fn.Name()] if found { fn, err = existing.Merge(fn) @@ -125,16 +195,12 @@ func (stdLibrary) CompileOptions() []EnvOption { } return e, nil }, - func(e *Env) (*Env, error) { - e.variables = append(e.variables, stdlib.Types()...) - return e, nil - }, - Macros(StandardMacros...), + Macros(macros...), } } // ProgramOptions returns function implementations for the standard CEL functions. -func (stdLibrary) ProgramOptions() []ProgramOption { +func (*stdLibrary) ProgramOptions() []ProgramOption { return []ProgramOption{} } @@ -263,7 +329,7 @@ func (stdLibrary) ProgramOptions() []ProgramOption { // be expressed with `optMap`. // // msg.?elements.optFlatMap(e, e[?0]) // return the first element if present. - +// // # First // // Introduced in version: 2 @@ -272,7 +338,7 @@ func (stdLibrary) ProgramOptions() []ProgramOption { // optional.None. // // [1, 2, 3].first().value() == 1 - +// // # Last // // Introduced in version: 2 @@ -283,7 +349,7 @@ func (stdLibrary) ProgramOptions() []ProgramOption { // [1, 2, 3].last().value() == 3 // // This is syntactic sugar for msg.elements[msg.elements.size()-1]. - +// // # Unwrap / UnwrapOpt // // Introduced in version: 2 @@ -293,7 +359,6 @@ func (stdLibrary) ProgramOptions() []ProgramOption { // // optional.unwrap([optional.of(42), optional.none()]) == [42] // [optional.of(42), optional.none()].unwrapOpt() == [42] - func OptionalTypes(opts ...OptionalTypesOption) EnvOption { lib := &optionalLib{version: math.MaxUint32} for _, opt := range opts { @@ -326,10 +391,20 @@ func OptionalTypesVersion(version uint32) OptionalTypesOption { } // LibraryName implements the SingletonLibrary interface method. -func (lib *optionalLib) LibraryName() string { +func (*optionalLib) LibraryName() string { return "cel.lib.optional" } +// LibraryAlias returns the simple name of the library. +func (*optionalLib) LibraryAlias() string { + return "optional" +} + +// LibraryVersion returns the version of the library. +func (lib *optionalLib) LibraryVersion() uint32 { + return lib.version +} + // CompileOptions implements the Library interface method. func (lib *optionalLib) CompileOptions() []EnvOption { paramTypeK := TypeParamType("K") @@ -347,16 +422,29 @@ func (lib *optionalLib) CompileOptions() []EnvOption { Types(types.OptionalType), // Configure the optMap and optFlatMap macros. - Macros(ReceiverMacro(optMapMacro, 2, optMap)), + Macros(ReceiverMacro(optMapMacro, 2, optMap, + MacroDocs(`perform computation on the value if present and return the result as an optional`), + MacroExamples( + common.MultilineDescription( + `// sub with the prefix 'dev.cel' or optional.none()`, + `request.auth.tokens.?sub.optMap(id, 'dev.cel.' + id)`), + `optional.none().optMap(i, i * 2) // optional.none()`))), // Global and member functions for working with optional values. Function(optionalOfFunc, + FunctionDocs(`create a new optional_type(T) with a value where any value is considered valid`), Overload("optional_of", []*Type{paramTypeV}, optionalTypeV, + OverloadExamples(`optional.of(1) // optional(1)`), UnaryBinding(func(value ref.Val) ref.Val { return types.OptionalOf(value) }))), Function(optionalOfNonZeroValueFunc, + FunctionDocs(`create a new optional_type(T) with a value, if the value is not a zero or empty value`), Overload("optional_ofNonZeroValue", []*Type{paramTypeV}, optionalTypeV, + OverloadExamples( + `optional.ofNonZeroValue(null) // optional.none()`, + `optional.ofNonZeroValue("") // optional.none()`, + `optional.ofNonZeroValue("hello") // optional.of('hello')`), UnaryBinding(func(value ref.Val) ref.Val { v, isZeroer := value.(traits.Zeroer) if !isZeroer || !v.IsZeroValue() { @@ -365,18 +453,26 @@ func (lib *optionalLib) CompileOptions() []EnvOption { return types.OptionalNone }))), Function(optionalNoneFunc, + FunctionDocs(`singleton value representing an optional without a value`), Overload("optional_none", []*Type{}, optionalTypeV, + OverloadExamples(`optional.none()`), FunctionBinding(func(values ...ref.Val) ref.Val { return types.OptionalNone }))), Function(valueFunc, + FunctionDocs(`obtain the value contained by the optional, error if optional.none()`), MemberOverload("optional_value", []*Type{optionalTypeV}, paramTypeV, + OverloadExamples( + `optional.of(1).value() // 1`, + `optional.none().value() // error`), UnaryBinding(func(value ref.Val) ref.Val { opt := value.(*types.Optional) return opt.GetValue() }))), Function(hasValueFunc, + FunctionDocs(`determine whether the optional contains a value`), MemberOverload("optional_hasValue", []*Type{optionalTypeV}, BoolType, + OverloadExamples(`optional.of({1: 2}).hasValue() // true`), UnaryBinding(func(value ref.Val) ref.Val { opt := value.(*types.Optional) return types.Bool(opt.HasValue()) @@ -385,21 +481,43 @@ func (lib *optionalLib) CompileOptions() []EnvOption { // Implementation of 'or' and 'orValue' are special-cased to support short-circuiting in the // evaluation chain. Function("or", - MemberOverload("optional_or_optional", []*Type{optionalTypeV, optionalTypeV}, optionalTypeV)), + FunctionDocs(`chain optional expressions together, picking the first valued optional expression`), + MemberOverload("optional_or_optional", []*Type{optionalTypeV, optionalTypeV}, optionalTypeV, + OverloadExamples( + `optional.none().or(optional.of(1)) // optional.of(1)`, + common.MultilineDescription( + `// either a value from the first list, a value from the second, or optional.none()`, + `[1, 2, 3][?x].or([3, 4, 5][?y])`)))), Function("orValue", - MemberOverload("optional_orValue_value", []*Type{optionalTypeV, paramTypeV}, paramTypeV)), + FunctionDocs(`chain optional expressions together picking the first valued optional or the default value`), + MemberOverload("optional_orValue_value", []*Type{optionalTypeV, paramTypeV}, paramTypeV, + OverloadExamples( + common.MultilineDescription( + `// pick the value for the given key if the key exists, otherwise return 'you'`, + `{'hello': 'world', 'goodbye': 'cruel world'}[?greeting].orValue('you')`)))), // OptSelect is handled specially by the type-checker, so the receiver's field type is used to determine the // optput type. Function(operators.OptSelect, - Overload("select_optional_field", []*Type{DynType, StringType}, optionalTypeV)), + FunctionDocs(`if the field is present create an optional of the field value, otherwise return optional.none()`), + Overload("select_optional_field", []*Type{DynType, StringType}, optionalTypeV, + OverloadExamples( + `msg.?field // optional.of(field) if non-empty, otherwise optional.none()`, + `msg.?field.?nested_field // optional.of(nested_field) if both field and nested_field are non-empty.`))), // OptIndex is handled mostly like any other indexing operation on a list or map, so the type-checker can use // these signatures to determine type-agreement without any special handling. Function(operators.OptIndex, - Overload("list_optindex_optional_int", []*Type{listTypeV, IntType}, optionalTypeV), + FunctionDocs(`if the index is present create an optional of the field value, otherwise return optional.none()`), + Overload("list_optindex_optional_int", []*Type{listTypeV, IntType}, optionalTypeV, + OverloadExamples(`[1, 2, 3][?x] // element value if x is in the list size, else optional.none()`)), Overload("optional_list_optindex_optional_int", []*Type{OptionalType(listTypeV), IntType}, optionalTypeV), - Overload("map_optindex_optional_value", []*Type{mapTypeKV, paramTypeK}, optionalTypeV), + Overload("map_optindex_optional_value", []*Type{mapTypeKV, paramTypeK}, optionalTypeV, + OverloadExamples( + `map_value[?key] // value at the key if present, else optional.none()`, + common.MultilineDescription( + `// map key-value if index is a valid map key, else optional.none()`, + `{0: 2, 2: 4, 6: 8}[?index]`))), Overload("optional_map_optindex_optional_value", []*Type{OptionalType(mapTypeKV), paramTypeK}, optionalTypeV)), // Index overloads to accommodate using an optional value as the operand. @@ -408,45 +526,62 @@ func (lib *optionalLib) CompileOptions() []EnvOption { Overload("optional_map_index_value", []*Type{OptionalType(mapTypeKV), paramTypeK}, optionalTypeV)), } if lib.version >= 1 { - opts = append(opts, Macros(ReceiverMacro(optFlatMapMacro, 2, optFlatMap))) + opts = append(opts, Macros(ReceiverMacro(optFlatMapMacro, 2, optFlatMap, + MacroDocs(`perform computation on the value if present and produce an optional value within the computation`), + MacroExamples( + common.MultilineDescription( + `// m = {'key': {}}`, + `m.?key.optFlatMap(k, k.?subkey) // optional.none()`), + common.MultilineDescription( + `// m = {'key': {'subkey': 'value'}}`, + `m.?key.optFlatMap(k, k.?subkey) // optional.of('value')`), + )))) } if lib.version >= 2 { opts = append(opts, Function("last", + FunctionDocs(`return the last value in a list if present, otherwise optional.none()`), MemberOverload("list_last", []*Type{listTypeV}, optionalTypeV, + OverloadExamples( + `[].last() // optional.none()`, + `[1, 2, 3].last() ? optional.of(3)`), UnaryBinding(func(v ref.Val) ref.Val { list := v.(traits.Lister) - sz := list.Size().Value().(int64) - - if sz == 0 { + sz := list.Size().(types.Int) + if sz == types.IntZero { return types.OptionalNone } - return types.OptionalOf(list.Get(types.Int(sz - 1))) }), ), )) opts = append(opts, Function("first", + FunctionDocs(`return the first value in a list if present, otherwise optional.none()`), MemberOverload("list_first", []*Type{listTypeV}, optionalTypeV, + OverloadExamples( + `[].first() // optional.none()`, + `[1, 2, 3].first() ? optional.of(1)`), UnaryBinding(func(v ref.Val) ref.Val { list := v.(traits.Lister) - sz := list.Size().Value().(int64) - - if sz == 0 { + sz := list.Size().(types.Int) + if sz == types.IntZero { return types.OptionalNone } - return types.OptionalOf(list.Get(types.Int(0))) }), ), )) opts = append(opts, Function(optionalUnwrapFunc, + FunctionDocs(`convert a list of optional values to a list containing only value which are not optional.none()`), Overload("optional_unwrap", []*Type{listOptionalTypeV}, listTypeV, + OverloadExamples(`optional.unwrap([optional.of(1), optional.none()]) // [1]`), UnaryBinding(optUnwrap)))) opts = append(opts, Function(unwrapOptFunc, + FunctionDocs(`convert a list of optional values to a list containing only value which are not optional.none()`), MemberOverload("optional_unwrapOpt", []*Type{listOptionalTypeV}, listTypeV, + OverloadExamples(`[optional.of(1), optional.none()].unwrapOpt() // [1]`), UnaryBinding(optUnwrap)))) } @@ -460,6 +595,11 @@ func (lib *optionalLib) ProgramOptions() []ProgramOption { } } +// Version returns the current version of the library. +func (lib *optionalLib) Version() uint32 { + return lib.version +} + func optMap(meh MacroExprFactory, target ast.Expr, args []ast.Expr) (ast.Expr, *Error) { varIdent := args[0] varName := "" @@ -633,250 +773,99 @@ func (opt *evalOptionalOrValue) Eval(ctx interpreter.Activation) ref.Val { return opt.rhs.Eval(ctx) } -type timeUTCLibrary struct{} +type timeLegacyLibrary struct{} -func (timeUTCLibrary) CompileOptions() []EnvOption { +func (timeLegacyLibrary) CompileOptions() []EnvOption { return timeOverloadDeclarations } -func (timeUTCLibrary) ProgramOptions() []ProgramOption { +func (timeLegacyLibrary) ProgramOptions() []ProgramOption { return []ProgramOption{} } // Declarations and functions which enable using UTC on time.Time inputs when the timezone is unspecified // in the CEL expression. var ( - utcTZ = types.String("UTC") - timeOverloadDeclarations = []EnvOption{ - Function(overloads.TimeGetHours, - MemberOverload(overloads.DurationToHours, []*Type{DurationType}, IntType, - UnaryBinding(types.DurationGetHours))), - Function(overloads.TimeGetMinutes, - MemberOverload(overloads.DurationToMinutes, []*Type{DurationType}, IntType, - UnaryBinding(types.DurationGetMinutes))), - Function(overloads.TimeGetSeconds, - MemberOverload(overloads.DurationToSeconds, []*Type{DurationType}, IntType, - UnaryBinding(types.DurationGetSeconds))), - Function(overloads.TimeGetMilliseconds, - MemberOverload(overloads.DurationToMilliseconds, []*Type{DurationType}, IntType, - UnaryBinding(types.DurationGetMilliseconds))), Function(overloads.TimeGetFullYear, MemberOverload(overloads.TimestampToYear, []*Type{TimestampType}, IntType, UnaryBinding(func(ts ref.Val) ref.Val { - return timestampGetFullYear(ts, utcTZ) + t := ts.(types.Timestamp) + return t.Receive(overloads.TimeGetFullYear, overloads.TimestampToYear, []ref.Val{}) }), ), - MemberOverload(overloads.TimestampToYearWithTz, []*Type{TimestampType, StringType}, IntType, - BinaryBinding(timestampGetFullYear), - ), ), Function(overloads.TimeGetMonth, MemberOverload(overloads.TimestampToMonth, []*Type{TimestampType}, IntType, UnaryBinding(func(ts ref.Val) ref.Val { - return timestampGetMonth(ts, utcTZ) + t := ts.(types.Timestamp) + return t.Receive(overloads.TimeGetMonth, overloads.TimestampToMonth, []ref.Val{}) }), ), - MemberOverload(overloads.TimestampToMonthWithTz, []*Type{TimestampType, StringType}, IntType, - BinaryBinding(timestampGetMonth), - ), ), Function(overloads.TimeGetDayOfYear, MemberOverload(overloads.TimestampToDayOfYear, []*Type{TimestampType}, IntType, UnaryBinding(func(ts ref.Val) ref.Val { - return timestampGetDayOfYear(ts, utcTZ) - }), - ), - MemberOverload(overloads.TimestampToDayOfYearWithTz, []*Type{TimestampType, StringType}, IntType, - BinaryBinding(func(ts, tz ref.Val) ref.Val { - return timestampGetDayOfYear(ts, tz) + t := ts.(types.Timestamp) + return t.Receive(overloads.TimeGetDayOfYear, overloads.TimestampToDayOfYear, []ref.Val{}) }), ), ), Function(overloads.TimeGetDayOfMonth, MemberOverload(overloads.TimestampToDayOfMonthZeroBased, []*Type{TimestampType}, IntType, UnaryBinding(func(ts ref.Val) ref.Val { - return timestampGetDayOfMonthZeroBased(ts, utcTZ) + t := ts.(types.Timestamp) + return t.Receive(overloads.TimeGetDayOfMonth, overloads.TimestampToDayOfMonthZeroBased, []ref.Val{}) }), ), - MemberOverload(overloads.TimestampToDayOfMonthZeroBasedWithTz, []*Type{TimestampType, StringType}, IntType, - BinaryBinding(timestampGetDayOfMonthZeroBased), - ), ), Function(overloads.TimeGetDate, MemberOverload(overloads.TimestampToDayOfMonthOneBased, []*Type{TimestampType}, IntType, UnaryBinding(func(ts ref.Val) ref.Val { - return timestampGetDayOfMonthOneBased(ts, utcTZ) + t := ts.(types.Timestamp) + return t.Receive(overloads.TimeGetDate, overloads.TimestampToDayOfMonthOneBased, []ref.Val{}) }), ), - MemberOverload(overloads.TimestampToDayOfMonthOneBasedWithTz, []*Type{TimestampType, StringType}, IntType, - BinaryBinding(timestampGetDayOfMonthOneBased), - ), ), Function(overloads.TimeGetDayOfWeek, MemberOverload(overloads.TimestampToDayOfWeek, []*Type{TimestampType}, IntType, UnaryBinding(func(ts ref.Val) ref.Val { - return timestampGetDayOfWeek(ts, utcTZ) + t := ts.(types.Timestamp) + return t.Receive(overloads.TimeGetDayOfWeek, overloads.TimestampToDayOfWeek, []ref.Val{}) }), ), - MemberOverload(overloads.TimestampToDayOfWeekWithTz, []*Type{TimestampType, StringType}, IntType, - BinaryBinding(timestampGetDayOfWeek), - ), ), Function(overloads.TimeGetHours, MemberOverload(overloads.TimestampToHours, []*Type{TimestampType}, IntType, UnaryBinding(func(ts ref.Val) ref.Val { - return timestampGetHours(ts, utcTZ) + t := ts.(types.Timestamp) + return t.Receive(overloads.TimeGetHours, overloads.TimestampToHours, []ref.Val{}) }), ), - MemberOverload(overloads.TimestampToHoursWithTz, []*Type{TimestampType, StringType}, IntType, - BinaryBinding(timestampGetHours), - ), ), Function(overloads.TimeGetMinutes, MemberOverload(overloads.TimestampToMinutes, []*Type{TimestampType}, IntType, UnaryBinding(func(ts ref.Val) ref.Val { - return timestampGetMinutes(ts, utcTZ) + t := ts.(types.Timestamp) + return t.Receive(overloads.TimeGetMinutes, overloads.TimestampToMinutes, []ref.Val{}) }), ), - MemberOverload(overloads.TimestampToMinutesWithTz, []*Type{TimestampType, StringType}, IntType, - BinaryBinding(timestampGetMinutes), - ), ), Function(overloads.TimeGetSeconds, MemberOverload(overloads.TimestampToSeconds, []*Type{TimestampType}, IntType, UnaryBinding(func(ts ref.Val) ref.Val { - return timestampGetSeconds(ts, utcTZ) + t := ts.(types.Timestamp) + return t.Receive(overloads.TimeGetSeconds, overloads.TimestampToSeconds, []ref.Val{}) }), ), - MemberOverload(overloads.TimestampToSecondsWithTz, []*Type{TimestampType, StringType}, IntType, - BinaryBinding(timestampGetSeconds), - ), ), Function(overloads.TimeGetMilliseconds, MemberOverload(overloads.TimestampToMilliseconds, []*Type{TimestampType}, IntType, UnaryBinding(func(ts ref.Val) ref.Val { - return timestampGetMilliseconds(ts, utcTZ) + t := ts.(types.Timestamp) + return t.Receive(overloads.TimeGetMilliseconds, overloads.TimestampToMilliseconds, []ref.Val{}) }), ), - MemberOverload(overloads.TimestampToMillisecondsWithTz, []*Type{TimestampType, StringType}, IntType, - BinaryBinding(timestampGetMilliseconds), - ), ), } ) - -func timestampGetFullYear(ts, tz ref.Val) ref.Val { - t, err := inTimeZone(ts, tz) - if err != nil { - return types.NewErrFromString(err.Error()) - } - return types.Int(t.Year()) -} - -func timestampGetMonth(ts, tz ref.Val) ref.Val { - t, err := inTimeZone(ts, tz) - if err != nil { - return types.NewErrFromString(err.Error()) - } - // CEL spec indicates that the month should be 0-based, but the Time value - // for Month() is 1-based. - return types.Int(t.Month() - 1) -} - -func timestampGetDayOfYear(ts, tz ref.Val) ref.Val { - t, err := inTimeZone(ts, tz) - if err != nil { - return types.NewErrFromString(err.Error()) - } - return types.Int(t.YearDay() - 1) -} - -func timestampGetDayOfMonthZeroBased(ts, tz ref.Val) ref.Val { - t, err := inTimeZone(ts, tz) - if err != nil { - return types.NewErrFromString(err.Error()) - } - return types.Int(t.Day() - 1) -} - -func timestampGetDayOfMonthOneBased(ts, tz ref.Val) ref.Val { - t, err := inTimeZone(ts, tz) - if err != nil { - return types.NewErrFromString(err.Error()) - } - return types.Int(t.Day()) -} - -func timestampGetDayOfWeek(ts, tz ref.Val) ref.Val { - t, err := inTimeZone(ts, tz) - if err != nil { - return types.NewErrFromString(err.Error()) - } - return types.Int(t.Weekday()) -} - -func timestampGetHours(ts, tz ref.Val) ref.Val { - t, err := inTimeZone(ts, tz) - if err != nil { - return types.NewErrFromString(err.Error()) - } - return types.Int(t.Hour()) -} - -func timestampGetMinutes(ts, tz ref.Val) ref.Val { - t, err := inTimeZone(ts, tz) - if err != nil { - return types.NewErrFromString(err.Error()) - } - return types.Int(t.Minute()) -} - -func timestampGetSeconds(ts, tz ref.Val) ref.Val { - t, err := inTimeZone(ts, tz) - if err != nil { - return types.NewErrFromString(err.Error()) - } - return types.Int(t.Second()) -} - -func timestampGetMilliseconds(ts, tz ref.Val) ref.Val { - t, err := inTimeZone(ts, tz) - if err != nil { - return types.NewErrFromString(err.Error()) - } - return types.Int(t.Nanosecond() / 1000000) -} - -func inTimeZone(ts, tz ref.Val) (time.Time, error) { - t := ts.(types.Timestamp) - val := string(tz.(types.String)) - ind := strings.Index(val, ":") - if ind == -1 { - loc, err := time.LoadLocation(val) - if err != nil { - return time.Time{}, err - } - return t.In(loc), nil - } - - // If the input is not the name of a timezone (for example, 'US/Central'), it should be a numerical offset from UTC - // in the format ^(+|-)(0[0-9]|1[0-4]):[0-5][0-9]$. The numerical input is parsed in terms of hours and minutes. - hr, err := strconv.Atoi(string(val[0:ind])) - if err != nil { - return time.Time{}, err - } - min, err := strconv.Atoi(string(val[ind+1:])) - if err != nil { - return time.Time{}, err - } - var offset int - if string(val[0]) == "-" { - offset = hr*60 - min - } else { - offset = hr*60 + min - } - secondsEastOfUTC := int((time.Duration(offset) * time.Minute).Seconds()) - timezone := time.FixedZone("", secondsEastOfUTC) - return t.In(timezone), nil -} diff --git a/vendor/github.com/google/cel-go/cel/macro.go b/vendor/github.com/google/cel-go/cel/macro.go index 4db1fd57a..3d3c5be1b 100644 --- a/vendor/github.com/google/cel-go/cel/macro.go +++ b/vendor/github.com/google/cel-go/cel/macro.go @@ -142,24 +142,38 @@ type MacroExprHelper interface { NewError(exprID int64, message string) *Error } +// MacroOpt defines a functional option for configuring macro behavior. +type MacroOpt = parser.MacroOpt + +// MacroDocs configures a list of strings into a multiline description for the macro. +func MacroDocs(docs ...string) MacroOpt { + return parser.MacroDocs(docs...) +} + +// MacroExamples configures a list of examples, either as a string or common.MultilineString, +// into an example set to be provided with the macro Documentation() call. +func MacroExamples(examples ...string) MacroOpt { + return parser.MacroExamples(examples...) +} + // GlobalMacro creates a Macro for a global function with the specified arg count. -func GlobalMacro(function string, argCount int, factory MacroFactory) Macro { - return parser.NewGlobalMacro(function, argCount, factory) +func GlobalMacro(function string, argCount int, factory MacroFactory, opts ...MacroOpt) Macro { + return parser.NewGlobalMacro(function, argCount, factory, opts...) } // ReceiverMacro creates a Macro for a receiver function matching the specified arg count. -func ReceiverMacro(function string, argCount int, factory MacroFactory) Macro { - return parser.NewReceiverMacro(function, argCount, factory) +func ReceiverMacro(function string, argCount int, factory MacroFactory, opts ...MacroOpt) Macro { + return parser.NewReceiverMacro(function, argCount, factory, opts...) } // GlobalVarArgMacro creates a Macro for a global function with a variable arg count. -func GlobalVarArgMacro(function string, factory MacroFactory) Macro { - return parser.NewGlobalVarArgMacro(function, factory) +func GlobalVarArgMacro(function string, factory MacroFactory, opts ...MacroOpt) Macro { + return parser.NewGlobalVarArgMacro(function, factory, opts...) } // ReceiverVarArgMacro creates a Macro for a receiver function matching a variable arg count. -func ReceiverVarArgMacro(function string, factory MacroFactory) Macro { - return parser.NewReceiverVarArgMacro(function, factory) +func ReceiverVarArgMacro(function string, factory MacroFactory, opts ...MacroOpt) Macro { + return parser.NewReceiverVarArgMacro(function, factory, opts...) } // NewGlobalMacro creates a Macro for a global function with the specified arg count. diff --git a/vendor/github.com/google/cel-go/cel/options.go b/vendor/github.com/google/cel-go/cel/options.go index 85f777e95..fee67323c 100644 --- a/vendor/github.com/google/cel-go/cel/options.go +++ b/vendor/github.com/google/cel-go/cel/options.go @@ -15,6 +15,7 @@ package cel import ( + "errors" "fmt" "google.golang.org/protobuf/proto" @@ -25,6 +26,8 @@ import ( "github.com/google/cel-go/checker" "github.com/google/cel-go/common/containers" + "github.com/google/cel-go/common/decls" + "github.com/google/cel-go/common/env" "github.com/google/cel-go/common/functions" "github.com/google/cel-go/common/types" "github.com/google/cel-go/common/types/pb" @@ -70,6 +73,26 @@ const ( featureIdentEscapeSyntax ) +var featureIDsToNames = map[int]string{ + featureEnableMacroCallTracking: "cel.feature.macro_call_tracking", + featureCrossTypeNumericComparisons: "cel.feature.cross_type_numeric_comparisons", + featureIdentEscapeSyntax: "cel.feature.backtick_escape_syntax", +} + +func featureNameByID(id int) (string, bool) { + name, found := featureIDsToNames[id] + return name, found +} + +func featureIDByName(name string) (int, bool) { + for id, n := range featureIDsToNames { + if n == name { + return id, true + } + } + return 0, false +} + // EnvOption is a functional interface for configuring the environment. type EnvOption func(e *Env) (*Env, error) @@ -112,6 +135,8 @@ func CustomTypeProvider(provider any) EnvOption { // Note: Declarations will by default be appended to the pre-existing declaration set configured // for the environment. The NewEnv call builds on top of the standard CEL declarations. For a // purely custom set of declarations use NewCustomEnv. +// +// Deprecated: use FunctionDecls and VariableDecls or FromConfig instead. func Declarations(decls ...*exprpb.Decl) EnvOption { declOpts := []EnvOption{} var err error @@ -379,7 +404,7 @@ type ProgramOption func(p *prog) (*prog, error) // InterpretableDecorators can be used to inspect, alter, or replace the Program plan. func CustomDecorator(dec interpreter.InterpretableDecorator) ProgramOption { return func(p *prog) (*prog, error) { - p.decorators = append(p.decorators, dec) + p.plannerOptions = append(p.plannerOptions, interpreter.CustomDecorator(dec)) return p, nil } } @@ -401,10 +426,10 @@ func Functions(funcs ...*functions.Overload) ProgramOption { // variables with the same name provided to the Eval() call. If Globals is used in a Library with // a Lib EnvOption, vars may shadow variables provided by previously added libraries. // -// The vars value may either be an `interpreter.Activation` instance or a `map[string]any`. +// The vars value may either be an `cel.Activation` instance or a `map[string]any`. func Globals(vars any) ProgramOption { return func(p *prog) (*prog, error) { - defaultVars, err := interpreter.NewActivation(vars) + defaultVars, err := NewActivation(vars) if err != nil { return nil, err } @@ -426,6 +451,174 @@ func OptimizeRegex(regexOptimizations ...*interpreter.RegexOptimization) Program } } +// ConfigOptionFactory declares a signature which accepts a configuration element, e.g. env.Extension +// and optionally produces an EnvOption in response. +// +// If there are multiple ConfigOptionFactory values which could apply to the same configuration node +// the first one that returns an EnvOption and a `true` response will be used, and the config node +// will not be passed along to any other option factory. +// +// Only the *env.Extension type is provided at this time, but validators, optimizers, and other tuning +// parameters may be supported in the future. +type ConfigOptionFactory func(any) (EnvOption, bool) + +// FromConfig produces and applies a set of EnvOption values derived from an env.Config object. +// +// For configuration elements which refer to features outside of the `cel` package, an optional set of +// ConfigOptionFactory values may be passed in to support the conversion from static configuration to +// configured cel.Env value. +// +// Note: disabling the standard library will clear the EnvOptions values previously set for the +// environment with the exception of propagating types and adapters over to the new environment. +// +// Note: to support custom types referenced in the configuration file, you must ensure that one of +// the following options appears before the FromConfig option: Types, TypeDescs, or CustomTypeProvider +// as the type provider configured at the time when the config is processed is the one used to derive +// type references from the configuration. +func FromConfig(config *env.Config, optFactories ...ConfigOptionFactory) EnvOption { + return func(e *Env) (*Env, error) { + if err := config.Validate(); err != nil { + return nil, err + } + opts, err := configToEnvOptions(config, e.CELTypeProvider(), optFactories) + if err != nil { + return nil, err + } + for _, o := range opts { + e, err = o(e) + if err != nil { + return nil, err + } + } + return e, nil + } +} + +// configToEnvOptions generates a set of EnvOption values (or error) based on a config, a type provider, +// and an optional set of environment options. +func configToEnvOptions(config *env.Config, provider types.Provider, optFactories []ConfigOptionFactory) ([]EnvOption, error) { + envOpts := []EnvOption{} + // Configure the standard lib subset. + if config.StdLib != nil { + envOpts = append(envOpts, func(e *Env) (*Env, error) { + if e.HasLibrary("cel.lib.std") { + return nil, errors.New("invalid subset of stdlib: create a custom env") + } + return e, nil + }) + if !config.StdLib.Disabled { + envOpts = append(envOpts, StdLib(StdLibSubset(config.StdLib))) + } + } else { + envOpts = append(envOpts, StdLib()) + } + + // Configure the container + if config.Container != "" { + envOpts = append(envOpts, Container(config.Container)) + } + + // Configure abbreviations + for _, imp := range config.Imports { + envOpts = append(envOpts, Abbrevs(imp.Name)) + } + + // Configure the context variable declaration + if config.ContextVariable != nil { + typeName := config.ContextVariable.TypeName + if _, found := provider.FindStructType(typeName); !found { + return nil, fmt.Errorf("invalid context proto type: %q", typeName) + } + // Attempt to instantiate the proto in order to reflect to its descriptor + msg := provider.NewValue(typeName, map[string]ref.Val{}) + pbMsg, ok := msg.Value().(proto.Message) + if !ok { + return nil, fmt.Errorf("unsupported context type: %T", msg.Value()) + } + envOpts = append(envOpts, DeclareContextProto(pbMsg.ProtoReflect().Descriptor())) + } + + // Configure variables + if len(config.Variables) != 0 { + vars := make([]*decls.VariableDecl, 0, len(config.Variables)) + for _, v := range config.Variables { + vDef, err := v.AsCELVariable(provider) + if err != nil { + return nil, err + } + vars = append(vars, vDef) + } + envOpts = append(envOpts, VariableDecls(vars...)) + } + + // Configure functions + if len(config.Functions) != 0 { + funcs := make([]*decls.FunctionDecl, 0, len(config.Functions)) + for _, f := range config.Functions { + fnDef, err := f.AsCELFunction(provider) + if err != nil { + return nil, err + } + funcs = append(funcs, fnDef) + } + envOpts = append(envOpts, FunctionDecls(funcs...)) + } + + // Configure features + for _, feat := range config.Features { + // Note, if a feature is not found, it is skipped as it is possible the feature + // is not intended to be supported publicly. In the future, a refinement of + // to this strategy to report unrecognized features and validators should probably + // be covered as a standard ConfigOptionFactory + if id, found := featureIDByName(feat.Name); found { + envOpts = append(envOpts, features(id, feat.Enabled)) + } + } + + // Configure validators + for _, val := range config.Validators { + if fac, found := astValidatorFactories[val.Name]; found { + envOpts = append(envOpts, func(e *Env) (*Env, error) { + validator, err := fac(val) + if err != nil { + return nil, fmt.Errorf("%w", err) + } + return ASTValidators(validator)(e) + }) + } else if opt, handled := handleExtendedConfigOption(val, optFactories); handled { + envOpts = append(envOpts, opt) + } + // we don't error when the validator isn't found as it may be part + // of an extension library and enabled implicitly. + } + + // Configure extensions + for _, ext := range config.Extensions { + // version number has been validated by the call to `Validate` + ver, _ := ext.VersionNumber() + if ext.Name == "optional" { + envOpts = append(envOpts, OptionalTypes(OptionalTypesVersion(ver))) + } else { + opt, handled := handleExtendedConfigOption(ext, optFactories) + if !handled { + return nil, fmt.Errorf("unrecognized extension: %s", ext.Name) + } + envOpts = append(envOpts, opt) + } + } + + return envOpts, nil +} + +func handleExtendedConfigOption(conf any, optFactories []ConfigOptionFactory) (EnvOption, bool) { + for _, optFac := range optFactories { + if opt, useOption := optFac(conf); useOption { + return opt, true + } + } + return nil, false +} + // EvalOption indicates an evaluation option that may affect the evaluation behavior or information // in the output result. type EvalOption int @@ -534,7 +727,7 @@ func fieldToCELType(field protoreflect.FieldDescriptor) (*Type, error) { return nil, fmt.Errorf("field %s type %s not implemented", field.FullName(), field.Kind().String()) } -func fieldToVariable(field protoreflect.FieldDescriptor) (EnvOption, error) { +func fieldToVariable(field protoreflect.FieldDescriptor) (*decls.VariableDecl, error) { name := string(field.Name()) if field.IsMap() { mapKey := field.MapKey() @@ -547,20 +740,20 @@ func fieldToVariable(field protoreflect.FieldDescriptor) (EnvOption, error) { if err != nil { return nil, err } - return Variable(name, MapType(keyType, valueType)), nil + return decls.NewVariable(name, MapType(keyType, valueType)), nil } if field.IsList() { elemType, err := fieldToCELType(field) if err != nil { return nil, err } - return Variable(name, ListType(elemType)), nil + return decls.NewVariable(name, ListType(elemType)), nil } celType, err := fieldToCELType(field) if err != nil { return nil, err } - return Variable(name, celType), nil + return decls.NewVariable(name, celType), nil } // DeclareContextProto returns an option to extend CEL environment with declarations from the given context proto. @@ -568,17 +761,25 @@ func fieldToVariable(field protoreflect.FieldDescriptor) (EnvOption, error) { // https://github.com/google/cel-spec/blob/master/doc/langdef.md#evaluation-environment func DeclareContextProto(descriptor protoreflect.MessageDescriptor) EnvOption { return func(e *Env) (*Env, error) { + if e.contextProto != nil { + return nil, fmt.Errorf("context proto already declared as %q, got %q", + e.contextProto.FullName(), descriptor.FullName()) + } + e.contextProto = descriptor fields := descriptor.Fields() + vars := make([]*decls.VariableDecl, 0, fields.Len()) for i := 0; i < fields.Len(); i++ { field := fields.Get(i) variable, err := fieldToVariable(field) if err != nil { return nil, err } - e, err = variable(e) - if err != nil { - return nil, err - } + vars = append(vars, variable) + } + var err error + e, err = VariableDecls(vars...)(e) + if err != nil { + return nil, err } return Types(dynamicpb.NewMessage(descriptor))(e) } @@ -588,7 +789,7 @@ func DeclareContextProto(descriptor protoreflect.MessageDescriptor) EnvOption { // // Consider using with `DeclareContextProto` to simplify variable type declarations and publishing when using // protocol buffers. -func ContextProtoVars(ctx proto.Message) (interpreter.Activation, error) { +func ContextProtoVars(ctx proto.Message) (Activation, error) { if ctx == nil || !ctx.ProtoReflect().IsValid() { return interpreter.EmptyActivation(), nil } @@ -612,7 +813,7 @@ func ContextProtoVars(ctx proto.Message) (interpreter.Activation, error) { } vars[field.TextName()] = fieldVal } - return interpreter.NewActivation(vars) + return NewActivation(vars) } // EnableMacroCallTracking ensures that call expressions which are replaced by macros diff --git a/vendor/github.com/google/cel-go/cel/program.go b/vendor/github.com/google/cel-go/cel/program.go index 49bd53783..24f41a4a7 100644 --- a/vendor/github.com/google/cel-go/cel/program.go +++ b/vendor/github.com/google/cel-go/cel/program.go @@ -29,7 +29,7 @@ import ( type Program interface { // Eval returns the result of an evaluation of the Ast and environment against the input vars. // - // The vars value may either be an `interpreter.Activation` or a `map[string]any`. + // The vars value may either be an `Activation` or a `map[string]any`. // // If the `OptTrackState`, `OptTrackCost` or `OptExhaustiveEval` flags are used, the `details` response will // be non-nil. Given this caveat on `details`, the return state from evaluation will be: @@ -47,14 +47,39 @@ type Program interface { // to support cancellation and timeouts. This method must be used in conjunction with the // InterruptCheckFrequency() option for cancellation interrupts to be impact evaluation. // - // The vars value may either be an `interpreter.Activation` or `map[string]any`. + // The vars value may either be an `Activation` or `map[string]any`. // // The output contract for `ContextEval` is otherwise identical to the `Eval` method. ContextEval(context.Context, any) (ref.Val, *EvalDetails, error) } +// Activation used to resolve identifiers by name and references by id. +// +// An Activation is the primary mechanism by which a caller supplies input into a CEL program. +type Activation = interpreter.Activation + +// NewActivation returns an activation based on a map-based binding where the map keys are +// expected to be qualified names used with ResolveName calls. +// +// The input `bindings` may either be of type `Activation` or `map[string]any`. +// +// Lazy bindings may be supplied within the map-based input in either of the following forms: +// - func() any +// - func() ref.Val +// +// The output of the lazy binding will overwrite the variable reference in the internal map. +// +// Values which are not represented as ref.Val types on input may be adapted to a ref.Val using +// the types.Adapter configured in the environment. +func NewActivation(bindings any) (Activation, error) { + return interpreter.NewActivation(bindings) +} + +// PartialActivation extends the Activation interface with a set of unknown AttributePatterns. +type PartialActivation = interpreter.PartialActivation + // NoVars returns an empty Activation. -func NoVars() interpreter.Activation { +func NoVars() Activation { return interpreter.EmptyActivation() } @@ -64,10 +89,9 @@ func NoVars() interpreter.Activation { // This method relies on manually configured sets of missing attribute patterns. For a method which // infers the missing variables from the input and the configured environment, use Env.PartialVars(). // -// The `vars` value may either be an interpreter.Activation or any valid input to the -// interpreter.NewActivation call. +// The `vars` value may either be an Activation or any valid input to the NewActivation call. func PartialVars(vars any, - unknowns ...*interpreter.AttributePattern) (interpreter.PartialActivation, error) { + unknowns ...*AttributePatternType) (PartialActivation, error) { return interpreter.NewPartialActivation(vars, unknowns...) } @@ -84,12 +108,15 @@ func PartialVars(vars any, // fully qualified variable name may be `ns.app.a`, `ns.a`, or `a` per the CEL namespace resolution // rules. Pick the fully qualified variable name that makes sense within the container as the // AttributePattern `varName` argument. +func AttributePattern(varName string) *AttributePatternType { + return interpreter.NewAttributePattern(varName) +} + +// AttributePatternType represents a top-level variable with an optional set of qualifier patterns. // // See the interpreter.AttributePattern and interpreter.AttributeQualifierPattern for more info // about how to create and manipulate AttributePattern values. -func AttributePattern(varName string) *interpreter.AttributePattern { - return interpreter.NewAttributePattern(varName) -} +type AttributePatternType = interpreter.AttributePattern // EvalDetails holds additional information observed during the Eval() call. type EvalDetails struct { @@ -120,37 +147,24 @@ func (ed *EvalDetails) ActualCost() *uint64 { type prog struct { *Env evalOpts EvalOption - defaultVars interpreter.Activation + defaultVars Activation dispatcher interpreter.Dispatcher interpreter interpreter.Interpreter interruptCheckFrequency uint // Intermediate state used to configure the InterpretableDecorator set provided // to the initInterpretable call. - decorators []interpreter.InterpretableDecorator + plannerOptions []interpreter.PlannerOption regexOptimizations []*interpreter.RegexOptimization // Interpretable configured from an Ast and aggregate decorator set based on program options. interpretable interpreter.Interpretable + observable *interpreter.ObservableInterpretable callCostEstimator interpreter.ActualCostEstimator costOptions []interpreter.CostTrackerOption costLimit *uint64 } -func (p *prog) clone() *prog { - costOptsCopy := make([]interpreter.CostTrackerOption, len(p.costOptions)) - copy(costOptsCopy, p.costOptions) - - return &prog{ - Env: p.Env, - evalOpts: p.evalOpts, - defaultVars: p.defaultVars, - dispatcher: p.dispatcher, - interpreter: p.interpreter, - interruptCheckFrequency: p.interruptCheckFrequency, - } -} - // newProgram creates a program instance with an environment, an ast, and an optional list of // ProgramOption values. // @@ -162,10 +176,10 @@ func newProgram(e *Env, a *ast.AST, opts []ProgramOption) (Program, error) { // Ensure the default attribute factory is set after the adapter and provider are // configured. p := &prog{ - Env: e, - decorators: []interpreter.InterpretableDecorator{}, - dispatcher: disp, - costOptions: []interpreter.CostTrackerOption{}, + Env: e, + plannerOptions: []interpreter.PlannerOption{}, + dispatcher: disp, + costOptions: []interpreter.CostTrackerOption{}, } // Configure the program via the ProgramOption values. @@ -203,74 +217,71 @@ func newProgram(e *Env, a *ast.AST, opts []ProgramOption) (Program, error) { p.interpreter = interp // Translate the EvalOption flags into InterpretableDecorator instances. - decorators := make([]interpreter.InterpretableDecorator, len(p.decorators)) - copy(decorators, p.decorators) + plannerOptions := make([]interpreter.PlannerOption, len(p.plannerOptions)) + copy(plannerOptions, p.plannerOptions) // Enable interrupt checking if there's a non-zero check frequency if p.interruptCheckFrequency > 0 { - decorators = append(decorators, interpreter.InterruptableEval()) + plannerOptions = append(plannerOptions, interpreter.InterruptableEval()) } // Enable constant folding first. if p.evalOpts&OptOptimize == OptOptimize { - decorators = append(decorators, interpreter.Optimize()) + plannerOptions = append(plannerOptions, interpreter.Optimize()) p.regexOptimizations = append(p.regexOptimizations, interpreter.MatchesRegexOptimization) } // Enable regex compilation of constants immediately after folding constants. if len(p.regexOptimizations) > 0 { - decorators = append(decorators, interpreter.CompileRegexConstants(p.regexOptimizations...)) + plannerOptions = append(plannerOptions, interpreter.CompileRegexConstants(p.regexOptimizations...)) } // Enable exhaustive eval, state tracking and cost tracking last since they require a factory. if p.evalOpts&(OptExhaustiveEval|OptTrackState|OptTrackCost) != 0 { - factory := func(state interpreter.EvalState, costTracker *interpreter.CostTracker) (Program, error) { - costTracker.Estimator = p.callCostEstimator - costTracker.Limit = p.costLimit - for _, costOpt := range p.costOptions { - err := costOpt(costTracker) - if err != nil { - return nil, err - } - } - // Limit capacity to guarantee a reallocation when calling 'append(decs, ...)' below. This - // prevents the underlying memory from being shared between factory function calls causing - // undesired mutations. - decs := decorators[:len(decorators):len(decorators)] - var observers []interpreter.EvalObserver - - if p.evalOpts&(OptExhaustiveEval|OptTrackState) != 0 { - // EvalStateObserver is required for OptExhaustiveEval. - observers = append(observers, interpreter.EvalStateObserver(state)) - } - if p.evalOpts&OptTrackCost == OptTrackCost { - observers = append(observers, interpreter.CostObserver(costTracker)) - } - - // Enable exhaustive eval over a basic observer since it offers a superset of features. - if p.evalOpts&OptExhaustiveEval == OptExhaustiveEval { - decs = append(decs, interpreter.ExhaustiveEval(), interpreter.Observe(observers...)) - } else if len(observers) > 0 { - decs = append(decs, interpreter.Observe(observers...)) - } - - return p.clone().initInterpretable(a, decs) + costOptCount := len(p.costOptions) + if p.costLimit != nil { + costOptCount++ + } + costOpts := make([]interpreter.CostTrackerOption, 0, costOptCount) + costOpts = append(costOpts, p.costOptions...) + if p.costLimit != nil { + costOpts = append(costOpts, interpreter.CostTrackerLimit(*p.costLimit)) + } + trackerFactory := func() (*interpreter.CostTracker, error) { + return interpreter.NewCostTracker(p.callCostEstimator, costOpts...) + } + var observers []interpreter.PlannerOption + if p.evalOpts&(OptExhaustiveEval|OptTrackState) != 0 { + // EvalStateObserver is required for OptExhaustiveEval. + observers = append(observers, interpreter.EvalStateObserver()) + } + if p.evalOpts&OptTrackCost == OptTrackCost { + observers = append(observers, interpreter.CostObserver(interpreter.CostTrackerFactory(trackerFactory))) + } + // Enable exhaustive eval over a basic observer since it offers a superset of features. + if p.evalOpts&OptExhaustiveEval == OptExhaustiveEval { + plannerOptions = append(plannerOptions, + append([]interpreter.PlannerOption{interpreter.ExhaustiveEval()}, observers...)...) + } else if len(observers) > 0 { + plannerOptions = append(plannerOptions, observers...) } - return newProgGen(factory) } - return p.initInterpretable(a, decorators) + return p.initInterpretable(a, plannerOptions) } -func (p *prog) initInterpretable(a *ast.AST, decs []interpreter.InterpretableDecorator) (*prog, error) { +func (p *prog) initInterpretable(a *ast.AST, plannerOptions []interpreter.PlannerOption) (*prog, error) { // When the AST has been exprAST it contains metadata that can be used to speed up program execution. - interpretable, err := p.interpreter.NewInterpretable(a, decs...) + interpretable, err := p.interpreter.NewInterpretable(a, plannerOptions...) if err != nil { return nil, err } p.interpretable = interpretable + if oi, ok := interpretable.(*interpreter.ObservableInterpretable); ok { + p.observable = oi + } return p, nil } // Eval implements the Program interface method. -func (p *prog) Eval(input any) (v ref.Val, det *EvalDetails, err error) { +func (p *prog) Eval(input any) (out ref.Val, det *EvalDetails, err error) { // Configure error recovery for unexpected panics during evaluation. Note, the use of named // return values makes it possible to modify the error response during the recovery // function. @@ -285,9 +296,9 @@ func (p *prog) Eval(input any) (v ref.Val, det *EvalDetails, err error) { } }() // Build a hierarchical activation if there are default vars set. - var vars interpreter.Activation + var vars Activation switch v := input.(type) { - case interpreter.Activation: + case Activation: vars = v case map[string]any: vars = activationPool.Setup(v) @@ -298,12 +309,24 @@ func (p *prog) Eval(input any) (v ref.Val, det *EvalDetails, err error) { if p.defaultVars != nil { vars = interpreter.NewHierarchicalActivation(p.defaultVars, vars) } - v = p.interpretable.Eval(vars) + if p.observable != nil { + det = &EvalDetails{} + out = p.observable.ObserveEval(vars, func(observed any) { + switch o := observed.(type) { + case interpreter.EvalState: + det.state = o + case *interpreter.CostTracker: + det.costTracker = o + } + }) + } else { + out = p.interpretable.Eval(vars) + } // The output of an internal Eval may have a value (`v`) that is a types.Err. This step // translates the CEL value to a Go error response. This interface does not quite match the // RPC signature which allows for multiple errors to be returned, but should be sufficient. - if types.IsError(v) { - err = v.(*types.Err) + if types.IsError(out) { + err = out.(*types.Err) } return } @@ -315,9 +338,9 @@ func (p *prog) ContextEval(ctx context.Context, input any) (ref.Val, *EvalDetail } // Configure the input, making sure to wrap Activation inputs in the special ctxActivation which // exposes the #interrupted variable and manages rate-limited checks of the ctx.Done() state. - var vars interpreter.Activation + var vars Activation switch v := input.(type) { - case interpreter.Activation: + case Activation: vars = ctxActivationPool.Setup(v, ctx.Done(), p.interruptCheckFrequency) defer ctxActivationPool.Put(vars) case map[string]any: @@ -331,90 +354,8 @@ func (p *prog) ContextEval(ctx context.Context, input any) (ref.Val, *EvalDetail return p.Eval(vars) } -// progFactory is a helper alias for marking a program creation factory function. -type progFactory func(interpreter.EvalState, *interpreter.CostTracker) (Program, error) - -// progGen holds a reference to a progFactory instance and implements the Program interface. -type progGen struct { - factory progFactory -} - -// newProgGen tests the factory object by calling it once and returns a factory-based Program if -// the test is successful. -func newProgGen(factory progFactory) (Program, error) { - // Test the factory to make sure that configuration errors are spotted at config - tracker, err := interpreter.NewCostTracker(nil) - if err != nil { - return nil, err - } - _, err = factory(interpreter.NewEvalState(), tracker) - if err != nil { - return nil, err - } - return &progGen{factory: factory}, nil -} - -// Eval implements the Program interface method. -func (gen *progGen) Eval(input any) (ref.Val, *EvalDetails, error) { - // The factory based Eval() differs from the standard evaluation model in that it generates a - // new EvalState instance for each call to ensure that unique evaluations yield unique stateful - // results. - state := interpreter.NewEvalState() - costTracker, err := interpreter.NewCostTracker(nil) - if err != nil { - return nil, nil, err - } - det := &EvalDetails{state: state, costTracker: costTracker} - - // Generate a new instance of the interpretable using the factory configured during the call to - // newProgram(). It is incredibly unlikely that the factory call will generate an error given - // the factory test performed within the Program() call. - p, err := gen.factory(state, costTracker) - if err != nil { - return nil, det, err - } - - // Evaluate the input, returning the result and the 'state' within EvalDetails. - v, _, err := p.Eval(input) - if err != nil { - return v, det, err - } - return v, det, nil -} - -// ContextEval implements the Program interface method. -func (gen *progGen) ContextEval(ctx context.Context, input any) (ref.Val, *EvalDetails, error) { - if ctx == nil { - return nil, nil, fmt.Errorf("context can not be nil") - } - // The factory based Eval() differs from the standard evaluation model in that it generates a - // new EvalState instance for each call to ensure that unique evaluations yield unique stateful - // results. - state := interpreter.NewEvalState() - costTracker, err := interpreter.NewCostTracker(nil) - if err != nil { - return nil, nil, err - } - det := &EvalDetails{state: state, costTracker: costTracker} - - // Generate a new instance of the interpretable using the factory configured during the call to - // newProgram(). It is incredibly unlikely that the factory call will generate an error given - // the factory test performed within the Program() call. - p, err := gen.factory(state, costTracker) - if err != nil { - return nil, det, err - } - - // Evaluate the input, returning the result and the 'state' within EvalDetails. - v, _, err := p.ContextEval(ctx, input) - if err != nil { - return v, det, err - } - return v, det, nil -} - type ctxEvalActivation struct { - parent interpreter.Activation + parent Activation interrupt <-chan struct{} interruptCheckCount uint interruptCheckFrequency uint @@ -438,10 +379,15 @@ func (a *ctxEvalActivation) ResolveName(name string) (any, bool) { return a.parent.ResolveName(name) } -func (a *ctxEvalActivation) Parent() interpreter.Activation { +func (a *ctxEvalActivation) Parent() Activation { return a.parent } +func (a *ctxEvalActivation) AsPartialActivation() (interpreter.PartialActivation, bool) { + pa, ok := a.parent.(interpreter.PartialActivation) + return pa, ok +} + func newCtxEvalActivationPool() *ctxEvalActivationPool { return &ctxEvalActivationPool{ Pool: sync.Pool{ @@ -457,7 +403,7 @@ type ctxEvalActivationPool struct { } // Setup initializes a pooled Activation with the ability check for context.Context cancellation -func (p *ctxEvalActivationPool) Setup(vars interpreter.Activation, done <-chan struct{}, interruptCheckRate uint) *ctxEvalActivation { +func (p *ctxEvalActivationPool) Setup(vars Activation, done <-chan struct{}, interruptCheckRate uint) *ctxEvalActivation { a := p.Pool.Get().(*ctxEvalActivation) a.parent = vars a.interrupt = done @@ -506,8 +452,8 @@ func (a *evalActivation) ResolveName(name string) (any, bool) { } } -// Parent implements the interpreter.Activation interface -func (a *evalActivation) Parent() interpreter.Activation { +// Parent implements the Activation interface +func (a *evalActivation) Parent() Activation { return nil } diff --git a/vendor/github.com/google/cel-go/cel/prompt.go b/vendor/github.com/google/cel-go/cel/prompt.go new file mode 100644 index 000000000..929a26f91 --- /dev/null +++ b/vendor/github.com/google/cel-go/cel/prompt.go @@ -0,0 +1,155 @@ +// Copyright 2025 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// https://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package cel + +import ( + _ "embed" + "sort" + "strings" + "text/template" + + "github.com/google/cel-go/common" + "github.com/google/cel-go/common/operators" + "github.com/google/cel-go/common/overloads" +) + +//go:embed templates/authoring.tmpl +var authoringPrompt string + +// AuthoringPrompt creates a prompt template from a CEL environment for the purpose of AI-assisted authoring. +func AuthoringPrompt(env *Env) (*Prompt, error) { + funcMap := template.FuncMap{ + "split": func(str string) []string { return strings.Split(str, "\n") }, + } + tmpl := template.New("cel").Funcs(funcMap) + tmpl, err := tmpl.Parse(authoringPrompt) + if err != nil { + return nil, err + } + return &Prompt{ + Persona: defaultPersona, + FormatRules: defaultFormatRules, + GeneralUsage: defaultGeneralUsage, + tmpl: tmpl, + env: env, + }, nil +} + +// Prompt represents the core components of an LLM prompt based on a CEL environment. +// +// All fields of the prompt may be overwritten / modified with support for rendering the +// prompt to a human-readable string. +type Prompt struct { + // Persona indicates something about the kind of user making the request + Persona string + + // FormatRules indicate how the LLM should generate its output + FormatRules string + + // GeneralUsage specifies additional context on how CEL should be used. + GeneralUsage string + + // tmpl is the text template base-configuration for rendering text. + tmpl *template.Template + + // env reference used to collect variables, functions, and macros available to the prompt. + env *Env +} + +type promptInst struct { + *Prompt + + Variables []*common.Doc + Macros []*common.Doc + Functions []*common.Doc + UserPrompt string +} + +// Render renders the user prompt with the associated context from the prompt template +// for use with LLM generators. +func (p *Prompt) Render(userPrompt string) string { + var buffer strings.Builder + vars := make([]*common.Doc, len(p.env.Variables())) + for i, v := range p.env.Variables() { + vars[i] = v.Documentation() + } + sort.SliceStable(vars, func(i, j int) bool { + return vars[i].Name < vars[j].Name + }) + macs := make([]*common.Doc, len(p.env.Macros())) + for i, m := range p.env.Macros() { + macs[i] = m.(common.Documentor).Documentation() + } + funcs := make([]*common.Doc, 0, len(p.env.Functions())) + for _, f := range p.env.Functions() { + if _, hidden := hiddenFunctions[f.Name()]; hidden { + continue + } + funcs = append(funcs, f.Documentation()) + } + sort.SliceStable(funcs, func(i, j int) bool { + return funcs[i].Name < funcs[j].Name + }) + inst := &promptInst{ + Prompt: p, + Variables: vars, + Macros: macs, + Functions: funcs, + UserPrompt: userPrompt} + p.tmpl.Execute(&buffer, inst) + return buffer.String() +} + +const ( + defaultPersona = `You are a software engineer with expertise in networking and application security +authoring boolean Common Expression Language (CEL) expressions to ensure firewall, +networking, authentication, and data access is only permitted when all conditions +are satisfied.` + + defaultFormatRules = `Output your response as a CEL expression. + +Write the expression with the comment on the first line and the expression on the +subsequent lines. Format the expression using 80-character line limits commonly +found in C++ or Java code.` + + defaultGeneralUsage = `CEL supports Protocol Buffer and JSON types, as well as simple types and aggregate types. + +Simple types include bool, bytes, double, int, string, and uint: + +* double literals must always include a decimal point: 1.0, 3.5, -2.2 +* uint literals must be positive values suffixed with a 'u': 42u +* byte literals are strings prefixed with a 'b': b'1235' +* string literals can use either single quotes or double quotes: 'hello', "world" +* string literals can also be treated as raw strings that do not require any + escaping within the string by using the 'R' prefix: R"""quote: "hi" """ + +Aggregate types include list and map: + +* list literals consist of zero or more values between brackets: "['a', 'b', 'c']" +* map literal consist of colon-separated key-value pairs within braces: "{'key1': 1, 'key2': 2}" +* Only int, uint, string, and bool types are valid map keys. +* Maps containing HTTP headers must always use lower-cased string keys. + +Comments start with two-forward slashes followed by text and a newline.` +) + +var ( + hiddenFunctions = map[string]bool{ + overloads.DeprecatedIn: true, + operators.OldIn: true, + operators.OldNotStrictlyFalse: true, + operators.NotStrictlyFalse: true, + } +) diff --git a/vendor/github.com/google/cel-go/cel/templates/authoring.tmpl b/vendor/github.com/google/cel-go/cel/templates/authoring.tmpl new file mode 100644 index 000000000..d6b3da5c6 --- /dev/null +++ b/vendor/github.com/google/cel-go/cel/templates/authoring.tmpl @@ -0,0 +1,56 @@ +{{define "variable"}}{{.Name}} is a {{.Type}} +{{- end -}} + +{{define "macro" -}} +{{.Name}} macro{{if .Description}} - {{range split .Description}}{{.}} {{end}} +{{end}} +{{range .Children}}{{range split .Description}} {{.}} +{{end}} +{{- end -}} +{{- end -}} + +{{define "overload" -}} +{{if .Children}}{{range .Children}}{{range split .Description}} {{.}} +{{end}} +{{- end -}} +{{else}} {{.Signature}} +{{end}} +{{- end -}} + +{{define "function" -}} +{{.Name}}{{if .Description}} - {{range split .Description}}{{.}} {{end}} +{{end}} +{{range .Children}}{{template "overload" .}}{{end}} +{{- end -}} + +{{.Persona}} + +{{.FormatRules}} + +{{if or .Variables .Macros .Functions -}} +Only use the following variables, macros, and functions in expressions. +{{if .Variables}} +Variables: + +{{range .Variables}}* {{template "variable" .}} +{{end -}} + +{{end -}} +{{if .Macros}} +Macros: + +{{range .Macros}}* {{template "macro" .}} +{{end -}} + +{{end -}} +{{if .Functions}} +Functions: + +{{range .Functions}}* {{template "function" .}} +{{end -}} + +{{end -}} +{{- end -}} +{{.GeneralUsage}} + +{{.UserPrompt}} diff --git a/vendor/github.com/google/cel-go/cel/validator.go b/vendor/github.com/google/cel-go/cel/validator.go index b50c67452..5f06b2dd5 100644 --- a/vendor/github.com/google/cel-go/cel/validator.go +++ b/vendor/github.com/google/cel-go/cel/validator.go @@ -20,11 +20,16 @@ import ( "regexp" "github.com/google/cel-go/common/ast" + "github.com/google/cel-go/common/env" "github.com/google/cel-go/common/overloads" ) const ( - homogeneousValidatorName = "cel.lib.std.validate.types.homogeneous" + durationValidatorName = "cel.validator.duration" + regexValidatorName = "cel.validator.matches" + timestampValidatorName = "cel.validator.timestamp" + homogeneousValidatorName = "cel.validator.homogeneous_literals" + nestingLimitValidatorName = "cel.validator.comprehension_nesting_limit" // HomogeneousAggregateLiteralExemptFunctions is the ValidatorConfig key used to configure // the set of function names which are exempt from homogeneous type checks. The expected type @@ -36,6 +41,35 @@ const ( HomogeneousAggregateLiteralExemptFunctions = homogeneousValidatorName + ".exempt" ) +var ( + astValidatorFactories = map[string]ASTValidatorFactory{ + nestingLimitValidatorName: func(val *env.Validator) (ASTValidator, error) { + if limit, found := val.ConfigValue("limit"); found { + if val, isInt := limit.(int); isInt { + return ValidateComprehensionNestingLimit(val), nil + } + return nil, fmt.Errorf("invalid validator: %s unsupported limit type: %v", nestingLimitValidatorName, limit) + } + return nil, fmt.Errorf("invalid validator: %s missing limit", nestingLimitValidatorName) + }, + durationValidatorName: func(*env.Validator) (ASTValidator, error) { + return ValidateDurationLiterals(), nil + }, + regexValidatorName: func(*env.Validator) (ASTValidator, error) { + return ValidateRegexLiterals(), nil + }, + timestampValidatorName: func(*env.Validator) (ASTValidator, error) { + return ValidateTimestampLiterals(), nil + }, + homogeneousValidatorName: func(*env.Validator) (ASTValidator, error) { + return ValidateHomogeneousAggregateLiterals(), nil + }, + } +) + +// ASTValidatorFactory creates an ASTValidator as configured by the input map +type ASTValidatorFactory func(*env.Validator) (ASTValidator, error) + // ASTValidators configures a set of ASTValidator instances into the target environment. // // Validators are applied in the order in which the are specified and are treated as singletons. @@ -70,6 +104,18 @@ type ASTValidator interface { Validate(*Env, ValidatorConfig, *ast.AST, *Issues) } +// ConfigurableASTValidator supports conversion of an object to an `env.Validator` instance used for +// YAML serialization. +type ConfigurableASTValidator interface { + // ToConfig converts the internal configuration of an ASTValidator into an env.Validator instance + // which minimally must include the validator name, but may also include a map[string]any config + // object to be serialized to YAML. The string keys represent the configuration parameter name, + // and the any value must mirror the internally supported type associated with the config key. + // + // Note: only primitive CEL types are supported by CEL validators at this time. + ToConfig() *env.Validator +} + // ValidatorConfig provides an accessor method for querying validator configuration state. type ValidatorConfig interface { GetOrDefault(name string, value any) any @@ -196,7 +242,12 @@ type formatValidator struct { // Name returns the unique name of this function format validator. func (v formatValidator) Name() string { - return fmt.Sprintf("cel.lib.std.validate.functions.%s", v.funcName) + return fmt.Sprintf("cel.validator.%s", v.funcName) +} + +// ToConfig converts the ASTValidator to an env.Validator specifying the validator name. +func (v formatValidator) ToConfig() *env.Validator { + return env.NewValidator(v.Name()) } // Validate searches the AST for uses of a given function name with a constant argument and performs a check @@ -242,6 +293,11 @@ func (homogeneousAggregateLiteralValidator) Name() string { return homogeneousValidatorName } +// ToConfig converts the ASTValidator to an env.Validator specifying the validator name. +func (v homogeneousAggregateLiteralValidator) ToConfig() *env.Validator { + return env.NewValidator(v.Name()) +} + // Validate validates that all lists and map literals have homogeneous types, i.e. don't contain dyn types. // // This validator makes an exception for list and map literals which occur at any level of nesting within @@ -336,10 +392,18 @@ type nestingLimitValidator struct { limit int } +// Name returns the name of the nesting limit validator. func (v nestingLimitValidator) Name() string { - return "cel.lib.std.validate.comprehension_nesting_limit" + return nestingLimitValidatorName +} + +// ToConfig converts the ASTValidator to an env.Validator specifying the validator name and the nesting limit +// as an integer value: {"limit": int} +func (v nestingLimitValidator) ToConfig() *env.Validator { + return env.NewValidator(v.Name()).SetConfig(map[string]any{"limit": v.limit}) } +// Validate implements the ASTValidator interface method. func (v nestingLimitValidator) Validate(e *Env, _ ValidatorConfig, a *ast.AST, iss *Issues) { root := ast.NavigateAST(a) comprehensions := ast.MatchDescendants(root, ast.KindMatcher(ast.ComprehensionKind)) diff --git a/vendor/github.com/google/cel-go/checker/checker.go b/vendor/github.com/google/cel-go/checker/checker.go index 6824af7a5..0057c16cc 100644 --- a/vendor/github.com/google/cel-go/checker/checker.go +++ b/vendor/github.com/google/cel-go/checker/checker.go @@ -145,6 +145,17 @@ func (c *checker) checkSelect(e ast.Expr) { func (c *checker) checkOptSelect(e ast.Expr) { // Collect metadata related to the opt select call packaged by the parser. call := e.AsCall() + if len(call.Args()) != 2 || call.IsMemberFunction() { + t := "" + if call.IsMemberFunction() { + t = " member call with" + } + c.errors.notAnOptionalFieldSelectionCall(e.ID(), c.location(e), + fmt.Sprintf( + "incorrect signature.%s argument count: %d", t, len(call.Args()))) + return + } + operand := call.Args()[0] field := call.Args()[1] fieldName, isString := maybeUnwrapString(field) diff --git a/vendor/github.com/google/cel-go/checker/cost.go b/vendor/github.com/google/cel-go/checker/cost.go index 59be751c9..5bc6318ed 100644 --- a/vendor/github.com/google/cel-go/checker/cost.go +++ b/vendor/github.com/google/cel-go/checker/cost.go @@ -545,16 +545,17 @@ func (c *coster) costCall(e ast.Expr) CostEstimate { if len(overloadIDs) == 0 { return CostEstimate{} } - var targetType AstNode + var targetType *AstNode if call.IsMemberFunction() { sum = sum.Add(c.cost(call.Target())) - targetType = c.newAstNode(call.Target()) + var t AstNode = c.newAstNode(call.Target()) + targetType = &t } // Pick a cost estimate range that covers all the overload cost estimation ranges fnCost := CostEstimate{Min: uint64(math.MaxUint64), Max: 0} var resultSize *SizeEstimate for _, overload := range overloadIDs { - overloadCost := c.functionCost(e, call.FunctionName(), overload, &targetType, argTypes, argCosts) + overloadCost := c.functionCost(e, call.FunctionName(), overload, targetType, argTypes, argCosts) fnCost = fnCost.Union(overloadCost.CostEstimate) if overloadCost.ResultSize != nil { if resultSize == nil { diff --git a/vendor/github.com/google/cel-go/checker/decls/decls.go b/vendor/github.com/google/cel-go/checker/decls/decls.go index c0e5de469..e013d2c2b 100644 --- a/vendor/github.com/google/cel-go/checker/decls/decls.go +++ b/vendor/github.com/google/cel-go/checker/decls/decls.go @@ -91,6 +91,17 @@ func NewFunction(name string, Overloads: overloads}}} } +// NewFunctionWithDoc creates a named function declaration with a description and one or more overloads. +func NewFunctionWithDoc(name, doc string, + overloads ...*exprpb.Decl_FunctionDecl_Overload) *exprpb.Decl { + return &exprpb.Decl{ + Name: name, + DeclKind: &exprpb.Decl_Function{ + Function: &exprpb.Decl_FunctionDecl{ + // Doc: desc, + Overloads: overloads}}} +} + // NewIdent creates a named identifier declaration with an optional literal // value. // @@ -98,28 +109,37 @@ func NewFunction(name string, // // Deprecated: Use NewVar or NewConst instead. func NewIdent(name string, t *exprpb.Type, v *exprpb.Constant) *exprpb.Decl { + return newIdent(name, t, v, "") +} + +func newIdent(name string, t *exprpb.Type, v *exprpb.Constant, desc string) *exprpb.Decl { return &exprpb.Decl{ Name: name, DeclKind: &exprpb.Decl_Ident{ Ident: &exprpb.Decl_IdentDecl{ Type: t, - Value: v}}} + Value: v, + Doc: desc}}} } // NewConst creates a constant identifier with a CEL constant literal value. func NewConst(name string, t *exprpb.Type, v *exprpb.Constant) *exprpb.Decl { - return NewIdent(name, t, v) + return newIdent(name, t, v, "") } // NewVar creates a variable identifier. func NewVar(name string, t *exprpb.Type) *exprpb.Decl { - return NewIdent(name, t, nil) + return newIdent(name, t, nil, "") +} + +// NewVarWithDoc creates a variable identifier with a type and a description string. +func NewVarWithDoc(name string, t *exprpb.Type, desc string) *exprpb.Decl { + return newIdent(name, t, nil, desc) } // NewInstanceOverload creates a instance function overload contract. // First element of argTypes is instance. -func NewInstanceOverload(id string, argTypes []*exprpb.Type, - resultType *exprpb.Type) *exprpb.Decl_FunctionDecl_Overload { +func NewInstanceOverload(id string, argTypes []*exprpb.Type, resultType *exprpb.Type) *exprpb.Decl_FunctionDecl_Overload { return &exprpb.Decl_FunctionDecl_Overload{ OverloadId: id, ResultType: resultType, @@ -154,8 +174,7 @@ func NewObjectType(typeName string) *exprpb.Type { // NewOverload creates a function overload declaration which contains a unique // overload id as well as the expected argument and result types. Overloads // must be aggregated within a Function declaration. -func NewOverload(id string, argTypes []*exprpb.Type, - resultType *exprpb.Type) *exprpb.Decl_FunctionDecl_Overload { +func NewOverload(id string, argTypes []*exprpb.Type, resultType *exprpb.Type) *exprpb.Decl_FunctionDecl_Overload { return &exprpb.Decl_FunctionDecl_Overload{ OverloadId: id, ResultType: resultType, @@ -231,7 +250,5 @@ func NewWrapperType(wrapped *exprpb.Type) *exprpb.Type { // TODO: return an error panic("Wrapped type must be a primitive") } - return &exprpb.Type{ - TypeKind: &exprpb.Type_Wrapper{ - Wrapper: primitive}} + return &exprpb.Type{TypeKind: &exprpb.Type_Wrapper{Wrapper: primitive}} } diff --git a/vendor/github.com/google/cel-go/checker/errors.go b/vendor/github.com/google/cel-go/checker/errors.go index 8b3bf0b8b..3535440ba 100644 --- a/vendor/github.com/google/cel-go/checker/errors.go +++ b/vendor/github.com/google/cel-go/checker/errors.go @@ -45,6 +45,10 @@ func (e *typeErrors) notAComprehensionRange(id int64, l common.Location, t *type FormatCELType(t)) } +func (e *typeErrors) notAnOptionalFieldSelectionCall(id int64, l common.Location, err string) { + e.errs.ReportErrorAtID(id, l, "unsupported optional field selection: %s", err) +} + func (e *typeErrors) notAnOptionalFieldSelection(id int64, l common.Location, field ast.Expr) { e.errs.ReportErrorAtID(id, l, "unsupported optional field selection: %v", field) } diff --git a/vendor/github.com/google/cel-go/common/BUILD.bazel b/vendor/github.com/google/cel-go/common/BUILD.bazel index eef7f281b..1b1b7914d 100644 --- a/vendor/github.com/google/cel-go/common/BUILD.bazel +++ b/vendor/github.com/google/cel-go/common/BUILD.bazel @@ -9,6 +9,7 @@ go_library( name = "go_default_library", srcs = [ "cost.go", + "doc.go", "error.go", "errors.go", "location.go", @@ -25,6 +26,7 @@ go_test( name = "go_default_test", size = "small", srcs = [ + "doc_test.go", "errors_test.go", "source_test.go", ], diff --git a/vendor/github.com/google/cel-go/common/ast/ast.go b/vendor/github.com/google/cel-go/common/ast/ast.go index b807669d4..62c09cfc6 100644 --- a/vendor/github.com/google/cel-go/common/ast/ast.go +++ b/vendor/github.com/google/cel-go/common/ast/ast.go @@ -160,6 +160,13 @@ func MaxID(a *AST) int64 { return visitor.maxID + 1 } +// Heights computes the heights of all AST expressions and returns a map from expression id to height. +func Heights(a *AST) map[int64]int { + visitor := make(heightVisitor) + PostOrderVisit(a.Expr(), visitor) + return visitor +} + // NewSourceInfo creates a simple SourceInfo object from an input common.Source value. func NewSourceInfo(src common.Source) *SourceInfo { var lineOffsets []int32 @@ -455,3 +462,74 @@ func (v *maxIDVisitor) VisitEntryExpr(e EntryExpr) { v.maxID = e.ID() } } + +type heightVisitor map[int64]int + +// VisitExpr computes the height of a given node as the max height of its children plus one. +// +// Identifiers and literals are treated as having a height of zero. +func (hv heightVisitor) VisitExpr(e Expr) { + // default includes IdentKind, LiteralKind + hv[e.ID()] = 0 + switch e.Kind() { + case SelectKind: + hv[e.ID()] = 1 + hv[e.AsSelect().Operand().ID()] + case CallKind: + c := e.AsCall() + height := hv.maxHeight(c.Args()...) + if c.IsMemberFunction() { + tHeight := hv[c.Target().ID()] + if tHeight > height { + height = tHeight + } + } + hv[e.ID()] = 1 + height + case ListKind: + l := e.AsList() + hv[e.ID()] = 1 + hv.maxHeight(l.Elements()...) + case MapKind: + m := e.AsMap() + hv[e.ID()] = 1 + hv.maxEntryHeight(m.Entries()...) + case StructKind: + s := e.AsStruct() + hv[e.ID()] = 1 + hv.maxEntryHeight(s.Fields()...) + case ComprehensionKind: + comp := e.AsComprehension() + hv[e.ID()] = 1 + hv.maxHeight(comp.IterRange(), comp.AccuInit(), comp.LoopCondition(), comp.LoopStep(), comp.Result()) + } +} + +// VisitEntryExpr computes the max height of a map or struct entry and associates the height with the entry id. +func (hv heightVisitor) VisitEntryExpr(e EntryExpr) { + hv[e.ID()] = 0 + switch e.Kind() { + case MapEntryKind: + me := e.AsMapEntry() + hv[e.ID()] = hv.maxHeight(me.Value(), me.Key()) + case StructFieldKind: + sf := e.AsStructField() + hv[e.ID()] = hv[sf.Value().ID()] + } +} + +func (hv heightVisitor) maxHeight(exprs ...Expr) int { + max := 0 + for _, e := range exprs { + h := hv[e.ID()] + if h > max { + max = h + } + } + return max +} + +func (hv heightVisitor) maxEntryHeight(entries ...EntryExpr) int { + max := 0 + for _, e := range entries { + h := hv[e.ID()] + if h > max { + max = h + } + } + return max +} diff --git a/vendor/github.com/google/cel-go/common/ast/navigable.go b/vendor/github.com/google/cel-go/common/ast/navigable.go index d7a90fb7c..13e5777b5 100644 --- a/vendor/github.com/google/cel-go/common/ast/navigable.go +++ b/vendor/github.com/google/cel-go/common/ast/navigable.go @@ -237,8 +237,13 @@ func visit(expr Expr, visitor Visitor, order visitOrder, depth, maxDepth int) { case StructKind: s := expr.AsStruct() for _, f := range s.Fields() { - visitor.VisitEntryExpr(f) + if order == preOrder { + visitor.VisitEntryExpr(f) + } visit(f.AsStructField().Value(), visitor, order, depth+1, maxDepth) + if order == postOrder { + visitor.VisitEntryExpr(f) + } } } if order == postOrder { diff --git a/vendor/github.com/google/cel-go/common/containers/container.go b/vendor/github.com/google/cel-go/common/containers/container.go index 3097a3f78..fc146b6fc 100644 --- a/vendor/github.com/google/cel-go/common/containers/container.go +++ b/vendor/github.com/google/cel-go/common/containers/container.go @@ -63,9 +63,9 @@ func (c *Container) Extend(opts ...ContainerOption) (*Container, error) { } // Copy the name and aliases of the existing container. ext := &Container{name: c.Name()} - if len(c.aliasSet()) > 0 { - aliasSet := make(map[string]string, len(c.aliasSet())) - for k, v := range c.aliasSet() { + if len(c.AliasSet()) > 0 { + aliasSet := make(map[string]string, len(c.AliasSet())) + for k, v := range c.AliasSet() { aliasSet[k] = v } ext.aliases = aliasSet @@ -133,8 +133,8 @@ func (c *Container) ResolveCandidateNames(name string) []string { return append(candidates, name) } -// aliasSet returns the alias to fully-qualified name mapping stored in the container. -func (c *Container) aliasSet() map[string]string { +// AliasSet returns the alias to fully-qualified name mapping stored in the container. +func (c *Container) AliasSet() map[string]string { if c == nil || c.aliases == nil { return noAliases } @@ -160,7 +160,7 @@ func (c *Container) findAlias(name string) (string, bool) { simple = name[0:dot] qualifier = name[dot:] } - alias, found := c.aliasSet()[simple] + alias, found := c.AliasSet()[simple] if !found { return "", false } @@ -264,7 +264,7 @@ func aliasAs(kind, qualifiedName, alias string) ContainerOption { return nil, fmt.Errorf("%s must refer to a valid qualified name: %s", kind, qualifiedName) } - aliasRef, found := c.aliasSet()[alias] + aliasRef, found := c.AliasSet()[alias] if found { return nil, fmt.Errorf( "%s collides with existing reference: name=%s, %s=%s, existing=%s", diff --git a/vendor/github.com/google/cel-go/common/decls/BUILD.bazel b/vendor/github.com/google/cel-go/common/decls/BUILD.bazel index 17791dce6..bd3f9ae70 100644 --- a/vendor/github.com/google/cel-go/common/decls/BUILD.bazel +++ b/vendor/github.com/google/cel-go/common/decls/BUILD.bazel @@ -13,7 +13,9 @@ go_library( importpath = "github.com/google/cel-go/common/decls", deps = [ "//checker/decls:go_default_library", + "//common:go_default_library", "//common/functions:go_default_library", + "//common/operators:go_default_library", "//common/types:go_default_library", "//common/types/ref:go_default_library", "//common/types/traits:go_default_library", diff --git a/vendor/github.com/google/cel-go/common/decls/decls.go b/vendor/github.com/google/cel-go/common/decls/decls.go index bfeb52c51..a4a51c3f2 100644 --- a/vendor/github.com/google/cel-go/common/decls/decls.go +++ b/vendor/github.com/google/cel-go/common/decls/decls.go @@ -20,7 +20,9 @@ import ( "strings" chkdecls "github.com/google/cel-go/checker/decls" + "github.com/google/cel-go/common" "github.com/google/cel-go/common/functions" + "github.com/google/cel-go/common/operators" "github.com/google/cel-go/common/types" "github.com/google/cel-go/common/types/ref" @@ -54,6 +56,7 @@ func NewFunction(name string, opts ...FunctionOpt) (*FunctionDecl, error) { // overload instances. type FunctionDecl struct { name string + doc string // overloads associated with the function name. overloads map[string]*OverloadDecl @@ -84,6 +87,26 @@ const ( declarationEnabled ) +// Documentation generates documentation about the Function and its overloads as a common.Doc object. +func (f *FunctionDecl) Documentation() *common.Doc { + if f == nil { + return nil + } + children := make([]*common.Doc, len(f.OverloadDecls())) + for i, o := range f.OverloadDecls() { + var examples []*common.Doc + for _, ex := range o.Examples() { + examples = append(examples, common.NewExampleDoc(ex)) + } + od := common.NewOverloadDoc(o.ID(), formatSignature(f.Name(), o), examples...) + children[i] = od + } + return common.NewFunctionDoc( + f.Name(), + f.Description(), + children...) +} + // Name returns the function name in human-readable terms, e.g. 'contains' of 'math.least' func (f *FunctionDecl) Name() string { if f == nil { @@ -92,9 +115,22 @@ func (f *FunctionDecl) Name() string { return f.name } +// Description provides an overview of the function's purpose. +// +// Usage examples should be included on specific overloads. +func (f *FunctionDecl) Description() string { + if f == nil { + return "" + } + return f.doc +} + // IsDeclarationDisabled indicates that the function implementation should be added to the dispatcher, but the // declaration should not be exposed for use in expressions. func (f *FunctionDecl) IsDeclarationDisabled() bool { + if f == nil { + return true + } return f.state == declarationDisabled } @@ -107,8 +143,8 @@ func (f *FunctionDecl) Merge(other *FunctionDecl) (*FunctionDecl, error) { if f == other { return f, nil } - if f.Name() != other.Name() { - return nil, fmt.Errorf("cannot merge unrelated functions. %s and %s", f.Name(), other.Name()) + if f == nil || other == nil || f.Name() != other.Name() { + return nil, fmt.Errorf("cannot merge unrelated functions. %q and %q", f.Name(), other.Name()) } merged := &FunctionDecl{ name: f.Name(), @@ -120,12 +156,17 @@ func (f *FunctionDecl) Merge(other *FunctionDecl) (*FunctionDecl, error) { disableTypeGuards: f.disableTypeGuards && other.disableTypeGuards, // default to the current functions declaration state. state: f.state, + doc: f.doc, } // If the other state indicates that the declaration should be explicitly enabled or // disabled, then update the merged state with the most recent value. if other.state != declarationStateUnset { merged.state = other.state } + // Allow for non-empty overrides of documentation + if len(other.doc) != 0 && f.doc != other.doc { + merged.doc = other.doc + } // baseline copy of the overloads and their ordinals copy(merged.overloadOrdinals, f.overloadOrdinals) for oID, o := range f.overloads { @@ -148,6 +189,70 @@ func (f *FunctionDecl) Merge(other *FunctionDecl) (*FunctionDecl, error) { return merged, nil } +// FunctionSubsetter subsets a function declaration or returns nil and false if the function +// subset was empty. +type FunctionSubsetter func(fn *FunctionDecl) (*FunctionDecl, bool) + +// OverloadSelector selects an overload associated with a given function when it returns true. +// +// Used in combination with the Subset method. +type OverloadSelector func(overload *OverloadDecl) bool + +// IncludeOverloads defines an OverloadSelector which allow-lists a set of overloads by their ids. +func IncludeOverloads(overloadIDs ...string) OverloadSelector { + return func(overload *OverloadDecl) bool { + for _, oID := range overloadIDs { + if overload.id == oID { + return true + } + } + return false + } +} + +// ExcludeOverloads defines an OverloadSelector which deny-lists a set of overloads by their ids. +func ExcludeOverloads(overloadIDs ...string) OverloadSelector { + return func(overload *OverloadDecl) bool { + for _, oID := range overloadIDs { + if overload.id == oID { + return false + } + } + return true + } +} + +// Subset returns a new function declaration which contains only the overloads with the specified IDs. +// If the subset function contains no overloads, then nil is returned to indicate the function is not +// functional. +func (f *FunctionDecl) Subset(selector OverloadSelector) *FunctionDecl { + if f == nil { + return nil + } + overloads := make(map[string]*OverloadDecl) + overloadOrdinals := make([]string, 0, len(f.overloadOrdinals)) + for _, oID := range f.overloadOrdinals { + overload := f.overloads[oID] + if selector(overload) { + overloads[oID] = overload + overloadOrdinals = append(overloadOrdinals, oID) + } + } + if len(overloads) == 0 { + return nil + } + subset := &FunctionDecl{ + name: f.Name(), + doc: f.doc, + overloads: overloads, + singleton: f.singleton, + disableTypeGuards: f.disableTypeGuards, + state: f.state, + overloadOrdinals: overloadOrdinals, + } + return subset +} + // AddOverload ensures that the new overload does not collide with an existing overload signature; // however, if the function signatures are identical, the implementation may be rewritten as its // difficult to compare functions by object identity. @@ -155,6 +260,9 @@ func (f *FunctionDecl) AddOverload(overload *OverloadDecl) error { if f == nil { return fmt.Errorf("nil function cannot add overload: %s", overload.ID()) } + if overload == nil { + return fmt.Errorf("cannot add nil overload to funciton: %s", f.Name()) + } for oID, o := range f.overloads { if oID != overload.ID() && o.SignatureOverlaps(overload) { return fmt.Errorf("overload signature collision in function %s: %s collides with %s", f.Name(), oID, overload.ID()) @@ -165,10 +273,17 @@ func (f *FunctionDecl) AddOverload(overload *OverloadDecl) error { if overload.hasBinding() { f.overloads[oID] = overload } + // Allow redefinition of the doc string. + if len(overload.doc) != 0 && o.doc != overload.doc { + o.doc = overload.doc + } return nil } return fmt.Errorf("overload redefinition in function. %s: %s has multiple definitions", f.Name(), oID) } + if overload.HasLateBinding() != o.HasLateBinding() { + return fmt.Errorf("overload with late binding cannot be added to function %s: cannot mix late and non-late bindings", f.Name()) + } } f.overloadOrdinals = append(f.overloadOrdinals, overload.ID()) f.overloads[overload.ID()] = overload @@ -177,8 +292,9 @@ func (f *FunctionDecl) AddOverload(overload *OverloadDecl) error { // OverloadDecls returns the overload declarations in the order in which they were declared. func (f *FunctionDecl) OverloadDecls() []*OverloadDecl { + var emptySet []*OverloadDecl if f == nil { - return []*OverloadDecl{} + return emptySet } overloads := make([]*OverloadDecl, 0, len(f.overloads)) for _, oID := range f.overloadOrdinals { @@ -187,15 +303,31 @@ func (f *FunctionDecl) OverloadDecls() []*OverloadDecl { return overloads } +// HasLateBinding returns true if the function has late bindings. A function cannot mix late bindings with other bindings. +func (f *FunctionDecl) HasLateBinding() bool { + if f == nil { + return false + } + for _, oID := range f.overloadOrdinals { + if f.overloads[oID].HasLateBinding() { + return true + } + } + return false +} + // Bindings produces a set of function bindings, if any are defined. func (f *FunctionDecl) Bindings() ([]*functions.Overload, error) { + var emptySet []*functions.Overload if f == nil { - return []*functions.Overload{}, nil + return emptySet, nil } overloads := []*functions.Overload{} nonStrict := false + hasLateBinding := false for _, oID := range f.overloadOrdinals { o := f.overloads[oID] + hasLateBinding = hasLateBinding || o.HasLateBinding() if o.hasBinding() { overload := &functions.Overload{ Operator: o.ID(), @@ -213,6 +345,9 @@ func (f *FunctionDecl) Bindings() ([]*functions.Overload, error) { if len(overloads) != 0 { return nil, fmt.Errorf("singleton function incompatible with specialized overloads: %s", f.Name()) } + if hasLateBinding { + return nil, fmt.Errorf("singleton function incompatible with late bindings: %s", f.Name()) + } overloads = []*functions.Overload{ { Operator: f.Name(), @@ -298,6 +433,14 @@ func MaybeNoSuchOverload(funcName string, args ...ref.Val) ref.Val { // FunctionOpt defines a functional option for mutating a function declaration. type FunctionOpt func(*FunctionDecl) (*FunctionDecl, error) +// FunctionDocs configures documentation from a list of strings separated by newlines. +func FunctionDocs(docs ...string) FunctionOpt { + return func(fn *FunctionDecl) (*FunctionDecl, error) { + fn.doc = common.MultilineDescription(docs...) + return fn, nil + } +} + // DisableTypeGuards disables automatically generated function invocation guards on direct overload calls. // Type guards remain on during dynamic dispatch for parsed-only expressions. func DisableTypeGuards(value bool) FunctionOpt { @@ -450,9 +593,13 @@ func newOverloadInternal(overloadID string, // implementation. type OverloadDecl struct { id string + doc string argTypes []*types.Type resultType *types.Type isMemberFunction bool + // hasLateBinding indicates that the function has a binding which is not known at compile time. + // This is useful for functions which have side-effects or are not deterministically computable. + hasLateBinding bool // nonStrict indicates that the function will accept error and unknown arguments as inputs. nonStrict bool // operandTrait indicates whether the member argument should have a specific type-trait. @@ -469,6 +616,15 @@ type OverloadDecl struct { functionOp functions.FunctionOp } +// Examples returns a list of string examples for the overload. +func (o *OverloadDecl) Examples() []string { + var emptySet []string + if o == nil || len(o.doc) == 0 { + return emptySet + } + return common.ParseDescriptions(o.doc) +} + // ID mirrors the overload signature and provides a unique id which may be referenced within the type-checker // and interpreter to optimize performance. // @@ -508,6 +664,14 @@ func (o *OverloadDecl) IsNonStrict() bool { return o.nonStrict } +// HasLateBinding returns whether the overload has a binding which is not known at compile time. +func (o *OverloadDecl) HasLateBinding() bool { + if o == nil { + return false + } + return o.hasLateBinding +} + // OperandTrait returns the trait mask of the first operand to the overload call, e.g. // `traits.Indexer` func (o *OverloadDecl) OperandTrait() int { @@ -666,6 +830,14 @@ func matchOperandTrait(trait int, arg ref.Val) bool { // OverloadOpt is a functional option for configuring a function overload. type OverloadOpt func(*OverloadDecl) (*OverloadDecl, error) +// OverloadExamples configures example expressions for the overload. +func OverloadExamples(examples ...string) OverloadOpt { + return func(o *OverloadDecl) (*OverloadDecl, error) { + o.doc = common.MultilineDescription(examples...) + return o, nil + } +} + // UnaryBinding provides the implementation of a unary overload. The provided function is protected by a runtime // type-guard which ensures runtime type agreement between the overload signature and runtime argument types. func UnaryBinding(binding functions.UnaryOp) OverloadOpt { @@ -676,6 +848,9 @@ func UnaryBinding(binding functions.UnaryOp) OverloadOpt { if len(o.ArgTypes()) != 1 { return nil, fmt.Errorf("unary function bound to non-unary overload: %s", o.ID()) } + if o.hasLateBinding { + return nil, fmt.Errorf("overload already has a late binding: %s", o.ID()) + } o.unaryOp = binding return o, nil } @@ -691,6 +866,9 @@ func BinaryBinding(binding functions.BinaryOp) OverloadOpt { if len(o.ArgTypes()) != 2 { return nil, fmt.Errorf("binary function bound to non-binary overload: %s", o.ID()) } + if o.hasLateBinding { + return nil, fmt.Errorf("overload already has a late binding: %s", o.ID()) + } o.binaryOp = binding return o, nil } @@ -703,11 +881,26 @@ func FunctionBinding(binding functions.FunctionOp) OverloadOpt { if o.hasBinding() { return nil, fmt.Errorf("overload already has a binding: %s", o.ID()) } + if o.hasLateBinding { + return nil, fmt.Errorf("overload already has a late binding: %s", o.ID()) + } o.functionOp = binding return o, nil } } +// LateFunctionBinding indicates that the function has a binding which is not known at compile time. +// This is useful for functions which have side-effects or are not deterministically computable. +func LateFunctionBinding() OverloadOpt { + return func(o *OverloadDecl) (*OverloadDecl, error) { + if o.hasBinding() { + return nil, fmt.Errorf("overload already has a binding: %s", o.ID()) + } + o.hasLateBinding = true + return o, nil + } +} + // OverloadIsNonStrict enables the function to be called with error and unknown argument values. // // Note: do not use this option unless absoluately necessary as it should be an uncommon feature. @@ -737,13 +930,27 @@ func NewVariable(name string, t *types.Type) *VariableDecl { return &VariableDecl{name: name, varType: t} } +// NewVariableWithDoc creates a new variable declaration with usage documentation. +func NewVariableWithDoc(name string, t *types.Type, doc string) *VariableDecl { + return &VariableDecl{name: name, varType: t, doc: doc} +} + // VariableDecl defines a variable declaration which may optionally have a constant value. type VariableDecl struct { name string + doc string varType *types.Type value ref.Val } +// Documentation returns name, type, and description for the variable. +func (v *VariableDecl) Documentation() *common.Doc { + if v == nil { + return nil + } + return common.NewVariableDoc(v.Name(), describeCELType(v.Type()), v.Description()) +} + // Name returns the fully-qualified variable name func (v *VariableDecl) Name() string { if v == nil { @@ -752,6 +959,16 @@ func (v *VariableDecl) Name() string { return v.name } +// Description returns the usage documentation for the variable, if set. +// +// Good usage instructions provide information about the valid formats, ranges, sizes for the variable type. +func (v *VariableDecl) Description() string { + if v == nil { + return "" + } + return v.doc +} + // Type returns the types.Type value associated with the variable. func (v *VariableDecl) Type() *types.Type { if v == nil { @@ -793,7 +1010,7 @@ func variableDeclToExprDecl(v *VariableDecl) (*exprpb.Decl, error) { if err != nil { return nil, err } - return chkdecls.NewVar(v.Name(), varType), nil + return chkdecls.NewVarWithDoc(v.Name(), varType, v.doc), nil } // FunctionDeclToExprDecl converts a go-native function declaration into a protobuf-typed function declaration. @@ -838,8 +1055,10 @@ func functionDeclToExprDecl(f *FunctionDecl) (*exprpb.Decl, error) { overloads[i] = chkdecls.NewParameterizedOverload(oID, argTypes, resultType, params) } } + doc := common.MultilineDescription(o.Examples()...) + overloads[i].Doc = doc } - return chkdecls.NewFunction(f.Name(), overloads...), nil + return chkdecls.NewFunctionWithDoc(f.Name(), f.Description(), overloads...), nil } func collectParamNames(paramNames map[string]struct{}, arg *types.Type) { @@ -851,6 +1070,60 @@ func collectParamNames(paramNames map[string]struct{}, arg *types.Type) { } } +func formatSignature(fnName string, o *OverloadDecl) string { + if opName, isOperator := operators.FindReverse(fnName); isOperator { + if opName == "" { + opName = fnName + } + return formatOperator(opName, o) + } + return formatCall(fnName, o) +} + +func formatOperator(opName string, o *OverloadDecl) string { + args := o.ArgTypes() + argTypes := make([]string, len(o.ArgTypes())) + for j, a := range args { + argTypes[j] = describeCELType(a) + } + ret := describeCELType(o.ResultType()) + switch len(args) { + case 1: + return fmt.Sprintf("%s%s -> %s", opName, argTypes[0], ret) + case 2: + if opName == operators.Index { + return fmt.Sprintf("%s[%s] -> %s", argTypes[0], argTypes[1], ret) + } + return fmt.Sprintf("%s %s %s -> %s", argTypes[0], opName, argTypes[1], ret) + default: + if opName == operators.Conditional { + return fmt.Sprint("bool ? : -> ") + } + return formatCall(opName, o) + } +} + +func formatCall(funcName string, o *OverloadDecl) string { + args := make([]string, len(o.ArgTypes())) + ret := describeCELType(o.ResultType()) + for j, a := range o.ArgTypes() { + args[j] = describeCELType(a) + } + if o.IsMemberFunction() { + target := args[0] + args = args[1:] + return fmt.Sprintf("%s.%s(%s) -> %s", target, funcName, strings.Join(args, ", "), ret) + } + return fmt.Sprintf("%s(%s) -> %s", funcName, strings.Join(args, ", "), ret) +} + +func describeCELType(t *types.Type) string { + if t.Kind() == types.TypeKind { + return "type" + } + return t.String() +} + var ( - emptyArgs = []*types.Type{} + emptyArgs []*types.Type ) diff --git a/vendor/github.com/google/cel-go/common/doc.go b/vendor/github.com/google/cel-go/common/doc.go index 5362fdfe4..06eae3642 100644 --- a/vendor/github.com/google/cel-go/common/doc.go +++ b/vendor/github.com/google/cel-go/common/doc.go @@ -15,3 +15,157 @@ // Package common defines types and utilities common to expression parsing, // checking, and interpretation package common + +import ( + "strings" + "unicode" +) + +// DocKind indicates the type of documentation element. +type DocKind int + +const ( + // DocEnv represents environment variable documentation. + DocEnv DocKind = iota + 1 + // DocFunction represents function documentation. + DocFunction + // DocOverload represents function overload documentation. + DocOverload + // DocVariable represents variable documentation. + DocVariable + // DocMacro represents macro documentation. + DocMacro + // DocExample represents example documentation. + DocExample +) + +// Doc holds the documentation details for a specific program element like +// a variable, function, macro, or example. +type Doc struct { + // Kind specifies the type of documentation element (e.g., Function, Variable). + Kind DocKind + + // Name is the identifier of the documented element (e.g., function name, variable name). + Name string + + // Type is the data type associated with the element, primarily used for variables. + Type string + + // Signature represents the function or overload signature. + Signature string + + // Description holds the textual description of the element, potentially spanning multiple lines. + Description string + + // Children holds nested documentation elements, such as overloads for a function + // or examples for a function/macro. + Children []*Doc +} + +// MultilineDescription combines multiple lines into a newline separated string. +func MultilineDescription(lines ...string) string { + return strings.Join(lines, "\n") +} + +// ParseDescription takes a single string containing newline characters and splits +// it into a multiline description. All empty lines will be skipped. +// +// Returns an empty string if the input string is empty. +func ParseDescription(doc string) string { + var lines []string + if len(doc) != 0 { + // Split the input string by newline characters. + for _, line := range strings.Split(doc, "\n") { + l := strings.TrimRightFunc(line, unicode.IsSpace) + if len(l) == 0 { + continue + } + lines = append(lines, l) + } + } + // Return an empty slice if the input is empty. + return MultilineDescription(lines...) +} + +// ParseDescriptions splits a documentation string into multiple multi-line description +// sections, using blank lines as delimiters. +func ParseDescriptions(doc string) []string { + var examples []string + if len(doc) != 0 { + lines := strings.Split(doc, "\n") + lineStart := 0 + for i, l := range lines { + // Trim trailing whitespace to identify effectively blank lines. + l = strings.TrimRightFunc(l, unicode.IsSpace) + // If a line is blank, it marks the end of the current section. + if len(l) == 0 { + // Start the next section after the blank line. + ex := lines[lineStart:i] + if len(ex) != 0 { + examples = append(examples, MultilineDescription(ex...)) + } + lineStart = i + 1 + } + } + // Append the last section if it wasn't terminated by a blank line. + if lineStart < len(lines) { + examples = append(examples, MultilineDescription(lines[lineStart:]...)) + } + } + return examples +} + +// NewVariableDoc creates a new Doc struct specifically for documenting a variable. +func NewVariableDoc(name, celType, description string) *Doc { + return &Doc{ + Kind: DocVariable, + Name: name, + Type: celType, + Description: ParseDescription(description), + } +} + +// NewFunctionDoc creates a new Doc struct for documenting a function. +func NewFunctionDoc(name, description string, overloads ...*Doc) *Doc { + return &Doc{ + Kind: DocFunction, + Name: name, + Description: ParseDescription(description), + Children: overloads, + } +} + +// NewOverloadDoc creates a new Doc struct for a function example. +func NewOverloadDoc(id, signature string, examples ...*Doc) *Doc { + return &Doc{ + Kind: DocOverload, + Name: id, + Signature: signature, + Children: examples, + } +} + +// NewMacroDoc creates a new Doc struct for documenting a macro. +func NewMacroDoc(name, description string, examples ...*Doc) *Doc { + return &Doc{ + Kind: DocMacro, + Name: name, + Description: ParseDescription(description), + Children: examples, + } +} + +// NewExampleDoc creates a new Doc struct specifically for holding an example. +func NewExampleDoc(ex string) *Doc { + return &Doc{ + Kind: DocExample, + Description: ex, + } +} + +// Documentor is an interface for types that can provide their own documentation. +type Documentor interface { + // Documentation returns the documentation coded by the DocKind to assist + // with text formatting. + Documentation() *Doc +} diff --git a/vendor/github.com/google/cel-go/common/env/BUILD.bazel b/vendor/github.com/google/cel-go/common/env/BUILD.bazel new file mode 100644 index 000000000..aebe1e544 --- /dev/null +++ b/vendor/github.com/google/cel-go/common/env/BUILD.bazel @@ -0,0 +1,50 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test") + +package( + default_visibility = ["//visibility:public"], + licenses = ["notice"], # Apache 2.0 +) + +go_library( + name = "go_default_library", + srcs = [ + "env.go", + ], + importpath = "github.com/google/cel-go/common/env", + deps = [ + "//common:go_default_library", + "//common/decls:go_default_library", + "//common/types:go_default_library", + ], +) + +go_test( + name = "go_default_test", + size = "small", + srcs = [ + "env_test.go", + ], + data = glob(["testdata/**"]), + embed = [":go_default_library"], + deps = [ + "//common/decls:go_default_library", + "//common/operators:go_default_library", + "//common/overloads:go_default_library", + "//common/types:go_default_library", + "@in_gopkg_yaml_v3//:go_default_library", + ], +) diff --git a/vendor/github.com/google/cel-go/common/env/env.go b/vendor/github.com/google/cel-go/common/env/env.go new file mode 100644 index 000000000..d848860c2 --- /dev/null +++ b/vendor/github.com/google/cel-go/common/env/env.go @@ -0,0 +1,887 @@ +// Copyright 2025 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Package env provides a representation of a CEL environment. +package env + +import ( + "errors" + "fmt" + "math" + "strconv" + "strings" + + "github.com/google/cel-go/common/decls" + "github.com/google/cel-go/common/types" +) + +// NewConfig creates an instance of a YAML serializable CEL environment configuration. +func NewConfig(name string) *Config { + return &Config{ + Name: name, + } +} + +// Config represents a serializable form of the CEL environment configuration. +// +// Note: custom validations, feature flags, and performance tuning parameters are not (yet) +// considered part of the core CEL environment configuration and should be managed separately +// until a common convention for such settings is developed. +type Config struct { + Name string `yaml:"name,omitempty"` + Description string `yaml:"description,omitempty"` + Container string `yaml:"container,omitempty"` + Imports []*Import `yaml:"imports,omitempty"` + StdLib *LibrarySubset `yaml:"stdlib,omitempty"` + Extensions []*Extension `yaml:"extensions,omitempty"` + ContextVariable *ContextVariable `yaml:"context_variable,omitempty"` + Variables []*Variable `yaml:"variables,omitempty"` + Functions []*Function `yaml:"functions,omitempty"` + Validators []*Validator `yaml:"validators,omitempty"` + Features []*Feature `yaml:"features,omitempty"` +} + +// Validate validates the whole configuration is well-formed. +func (c *Config) Validate() error { + if c == nil { + return nil + } + var errs []error + for _, imp := range c.Imports { + if err := imp.Validate(); err != nil { + errs = append(errs, err) + } + } + if err := c.StdLib.Validate(); err != nil { + errs = append(errs, err) + } + for _, ext := range c.Extensions { + if err := ext.Validate(); err != nil { + errs = append(errs, err) + } + } + if err := c.ContextVariable.Validate(); err != nil { + errs = append(errs, err) + } + if c.ContextVariable != nil && len(c.Variables) != 0 { + errs = append(errs, errors.New("invalid config: either context variable or variables may be set, but not both")) + } + for _, v := range c.Variables { + if err := v.Validate(); err != nil { + errs = append(errs, err) + } + } + for _, fn := range c.Functions { + if err := fn.Validate(); err != nil { + errs = append(errs, err) + } + } + for _, feat := range c.Features { + if err := feat.Validate(); err != nil { + errs = append(errs, err) + } + } + for _, val := range c.Validators { + if err := val.Validate(); err != nil { + errs = append(errs, err) + } + } + return errors.Join(errs...) +} + +// SetContainer configures the container name for this configuration. +func (c *Config) SetContainer(container string) *Config { + c.Container = container + return c +} + +// AddVariableDecls adds one or more variables to the config, converting them to serializable values first. +// +// VariableDecl inputs are expected to be well-formed. +func (c *Config) AddVariableDecls(vars ...*decls.VariableDecl) *Config { + convVars := make([]*Variable, len(vars)) + for i, v := range vars { + if v == nil { + continue + } + cv := NewVariable(v.Name(), SerializeTypeDesc(v.Type())) + cv.Description = v.Description() + convVars[i] = cv + } + return c.AddVariables(convVars...) +} + +// AddVariables adds one or more vairables to the config. +func (c *Config) AddVariables(vars ...*Variable) *Config { + c.Variables = append(c.Variables, vars...) + return c +} + +// SetContextVariable configures the ContextVariable for this configuration. +func (c *Config) SetContextVariable(ctx *ContextVariable) *Config { + c.ContextVariable = ctx + return c +} + +// AddFunctionDecls adds one or more functions to the config, converting them to serializable values first. +// +// FunctionDecl inputs are expected to be well-formed. +func (c *Config) AddFunctionDecls(funcs ...*decls.FunctionDecl) *Config { + convFuncs := make([]*Function, len(funcs)) + for i, fn := range funcs { + if fn == nil { + continue + } + overloads := make([]*Overload, 0, len(fn.OverloadDecls())) + for _, o := range fn.OverloadDecls() { + overloadID := o.ID() + args := make([]*TypeDesc, 0, len(o.ArgTypes())) + for _, a := range o.ArgTypes() { + args = append(args, SerializeTypeDesc(a)) + } + ret := SerializeTypeDesc(o.ResultType()) + var overload *Overload + if o.IsMemberFunction() { + overload = NewMemberOverload(overloadID, args[0], args[1:], ret) + } else { + overload = NewOverload(overloadID, args, ret) + } + exampleCount := len(o.Examples()) + if exampleCount > 0 { + overload.Examples = o.Examples() + } + overloads = append(overloads, overload) + } + cf := NewFunction(fn.Name(), overloads...) + cf.Description = fn.Description() + convFuncs[i] = cf + } + return c.AddFunctions(convFuncs...) +} + +// AddFunctions adds one or more functions to the config. +func (c *Config) AddFunctions(funcs ...*Function) *Config { + c.Functions = append(c.Functions, funcs...) + return c +} + +// SetStdLib configures the LibrarySubset for the standard library. +func (c *Config) SetStdLib(subset *LibrarySubset) *Config { + c.StdLib = subset + return c +} + +// AddImports appends a set of imports to the config. +func (c *Config) AddImports(imps ...*Import) *Config { + c.Imports = append(c.Imports, imps...) + return c +} + +// AddExtensions appends a set of extensions to the config. +func (c *Config) AddExtensions(exts ...*Extension) *Config { + c.Extensions = append(c.Extensions, exts...) + return c +} + +// AddValidators appends one or more validators to the config. +func (c *Config) AddValidators(vals ...*Validator) *Config { + c.Validators = append(c.Validators, vals...) + return c +} + +// AddFeatures appends one or more features to the config. +func (c *Config) AddFeatures(feats ...*Feature) *Config { + c.Features = append(c.Features, feats...) + return c +} + +// NewImport returns a serializable import value from the qualified type name. +func NewImport(name string) *Import { + return &Import{Name: name} +} + +// Import represents a type name that will be appreviated by its simple name using +// the cel.Abbrevs() option. +type Import struct { + Name string `yaml:"name"` +} + +// Validate validates the import configuration is well-formed. +func (imp *Import) Validate() error { + if imp == nil { + return errors.New("invalid import: nil") + } + if imp.Name == "" { + return errors.New("invalid import: missing type name") + } + return nil +} + +// NewVariable returns a serializable variable from a name and type definition +func NewVariable(name string, t *TypeDesc) *Variable { + return NewVariableWithDoc(name, t, "") +} + +// NewVariableWithDoc returns a serializable variable from a name, type definition, and doc string. +func NewVariableWithDoc(name string, t *TypeDesc, doc string) *Variable { + return &Variable{Name: name, TypeDesc: t, Description: doc} +} + +// Variable represents a typed variable declaration which will be published via the +// cel.VariableDecls() option. +type Variable struct { + Name string `yaml:"name"` + Description string `yaml:"description,omitempty"` + + // Type represents the type declaration for the variable. + // + // Deprecated: use the embedded *TypeDesc fields directly. + Type *TypeDesc `yaml:"type,omitempty"` + + // TypeDesc is an embedded set of fields allowing for the specification of the Variable type. + *TypeDesc `yaml:",inline"` +} + +// Validate validates the variable configuration is well-formed. +func (v *Variable) Validate() error { + if v == nil { + return errors.New("invalid variable: nil") + } + if v.Name == "" { + return errors.New("invalid variable: missing variable name") + } + if err := v.GetType().Validate(); err != nil { + return fmt.Errorf("invalid variable %q: %w", v.Name, err) + } + return nil +} + +// GetType returns the variable type description. +// +// Note, if both the embedded TypeDesc and the field Type are non-nil, the embedded TypeDesc will +// take precedence. +func (v *Variable) GetType() *TypeDesc { + if v == nil { + return nil + } + if v.TypeDesc != nil { + return v.TypeDesc + } + if v.Type != nil { + return v.Type + } + return nil +} + +// AsCELVariable converts the serializable form of the Variable into a CEL environment declaration. +func (v *Variable) AsCELVariable(tp types.Provider) (*decls.VariableDecl, error) { + if err := v.Validate(); err != nil { + return nil, err + } + t, err := v.GetType().AsCELType(tp) + if err != nil { + return nil, fmt.Errorf("invalid variable %q: %w", v.Name, err) + } + return decls.NewVariableWithDoc(v.Name, t, v.Description), nil +} + +// NewContextVariable returns a serializable context variable with a specific type name. +func NewContextVariable(typeName string) *ContextVariable { + return &ContextVariable{TypeName: typeName} +} + +// ContextVariable represents a structured message whose fields are to be treated as the top-level +// variable identifiers within CEL expressions. +type ContextVariable struct { + // TypeName represents the fully qualified typename of the context variable. + // Currently, only protobuf types are supported. + TypeName string `yaml:"type_name"` +} + +// Validate validates the context-variable configuration is well-formed. +func (ctx *ContextVariable) Validate() error { + if ctx == nil { + return nil + } + if ctx.TypeName == "" { + return errors.New("invalid context variable: missing type name") + } + return nil +} + +// NewFunction creates a serializable function and overload set. +func NewFunction(name string, overloads ...*Overload) *Function { + return &Function{Name: name, Overloads: overloads} +} + +// NewFunctionWithDoc creates a serializable function and overload set. +func NewFunctionWithDoc(name, doc string, overloads ...*Overload) *Function { + return &Function{Name: name, Description: doc, Overloads: overloads} +} + +// Function represents the serializable format of a function and its overloads. +type Function struct { + Name string `yaml:"name"` + Description string `yaml:"description,omitempty"` + Overloads []*Overload `yaml:"overloads,omitempty"` +} + +// Validate validates the function configuration is well-formed. +func (fn *Function) Validate() error { + if fn == nil { + return errors.New("invalid function: nil") + } + if fn.Name == "" { + return errors.New("invalid function: missing function name") + } + if len(fn.Overloads) == 0 { + return fmt.Errorf("invalid function %q: missing overloads", fn.Name) + } + var errs []error + for _, o := range fn.Overloads { + if err := o.Validate(); err != nil { + errs = append(errs, fmt.Errorf("invalid function %q: %w", fn.Name, err)) + } + } + return errors.Join(errs...) +} + +// AsCELFunction converts the serializable form of the Function into CEL environment declaration. +func (fn *Function) AsCELFunction(tp types.Provider) (*decls.FunctionDecl, error) { + if err := fn.Validate(); err != nil { + return nil, err + } + opts := make([]decls.FunctionOpt, 0, len(fn.Overloads)+1) + for _, o := range fn.Overloads { + opt, err := o.AsFunctionOption(tp) + opts = append(opts, opt) + if err != nil { + return nil, fmt.Errorf("invalid function %q: %w", fn.Name, err) + } + } + if len(fn.Description) != 0 { + opts = append(opts, decls.FunctionDocs(fn.Description)) + } + return decls.NewFunction(fn.Name, opts...) +} + +// NewOverload returns a new serializable representation of a global overload. +func NewOverload(id string, args []*TypeDesc, ret *TypeDesc, examples ...string) *Overload { + return &Overload{ID: id, Args: args, Return: ret, Examples: examples} +} + +// NewMemberOverload returns a new serializable representation of a member (receiver) overload. +func NewMemberOverload(id string, target *TypeDesc, args []*TypeDesc, ret *TypeDesc, examples ...string) *Overload { + return &Overload{ID: id, Target: target, Args: args, Return: ret, Examples: examples} +} + +// Overload represents the serializable format of a function overload. +type Overload struct { + ID string `yaml:"id"` + Examples []string `yaml:"examples,omitempty"` + Target *TypeDesc `yaml:"target,omitempty"` + Args []*TypeDesc `yaml:"args,omitempty"` + Return *TypeDesc `yaml:"return,omitempty"` +} + +// Validate validates the overload configuration is well-formed. +func (od *Overload) Validate() error { + if od == nil { + return errors.New("invalid overload: nil") + } + if od.ID == "" { + return errors.New("invalid overload: missing overload id") + } + var errs []error + if od.Target != nil { + if err := od.Target.Validate(); err != nil { + errs = append(errs, fmt.Errorf("invalid overload %q target: %w", od.ID, err)) + } + } + for i, arg := range od.Args { + if err := arg.Validate(); err != nil { + errs = append(errs, fmt.Errorf("invalid overload %q arg[%d]: %w", od.ID, i, err)) + } + } + if err := od.Return.Validate(); err != nil { + errs = append(errs, fmt.Errorf("invalid overload %q return: %w", od.ID, err)) + } + return errors.Join(errs...) +} + +// AsFunctionOption converts the serializable form of the Overload into a function declaration option. +func (od *Overload) AsFunctionOption(tp types.Provider) (decls.FunctionOpt, error) { + if err := od.Validate(); err != nil { + return nil, err + } + args := make([]*types.Type, len(od.Args)) + var err error + var errs []error + for i, a := range od.Args { + args[i], err = a.AsCELType(tp) + if err != nil { + errs = append(errs, err) + } + } + result, err := od.Return.AsCELType(tp) + if err != nil { + errs = append(errs, err) + } + if od.Target != nil { + t, err := od.Target.AsCELType(tp) + if err != nil { + return nil, errors.Join(append(errs, err)...) + } + args = append([]*types.Type{t}, args...) + return decls.MemberOverload(od.ID, args, result), nil + } + if len(errs) != 0 { + return nil, errors.Join(errs...) + } + return decls.Overload(od.ID, args, result, decls.OverloadExamples(od.Examples...)), nil +} + +// NewExtension creates a serializable Extension from a name and version string. +func NewExtension(name string, version uint32) *Extension { + versionString := "latest" + if version < math.MaxUint32 { + versionString = strconv.FormatUint(uint64(version), 10) + } + return &Extension{ + Name: name, + Version: versionString, + } +} + +// Extension represents a named and optionally versioned extension library configured in the environment. +type Extension struct { + // Name is either the LibraryName() or some short-hand simple identifier which is understood by the config-handler. + Name string `yaml:"name"` + + // Version may either be an unsigned long value or the string 'latest'. If empty, the value is treated as '0'. + Version string `yaml:"version,omitempty"` +} + +// Validate validates the extension configuration is well-formed. +func (e *Extension) Validate() error { + _, err := e.VersionNumber() + return err +} + +// VersionNumber returns the parsed version string, or an error if the version cannot be parsed. +func (e *Extension) VersionNumber() (uint32, error) { + if e == nil { + return 0, fmt.Errorf("invalid extension: nil") + } + if e.Name == "" { + return 0, fmt.Errorf("invalid extension: missing name") + } + if e.Version == "latest" { + return math.MaxUint32, nil + } + if e.Version == "" { + return 0, nil + } + ver, err := strconv.ParseUint(e.Version, 10, 32) + if err != nil { + return 0, fmt.Errorf("invalid extension %q version: %w", e.Name, err) + } + return uint32(ver), nil +} + +// NewLibrarySubset returns an empty library subsetting config which permits all library features. +func NewLibrarySubset() *LibrarySubset { + return &LibrarySubset{} +} + +// LibrarySubset indicates a subset of the macros and function supported by a subsettable library. +type LibrarySubset struct { + // Disabled indicates whether the library has been disabled, typically only used for + // default-enabled libraries like stdlib. + Disabled bool `yaml:"disabled,omitempty"` + + // DisableMacros disables macros for the given library. + DisableMacros bool `yaml:"disable_macros,omitempty"` + + // IncludeMacros specifies a set of macro function names to include in the subset. + IncludeMacros []string `yaml:"include_macros,omitempty"` + + // ExcludeMacros specifies a set of macro function names to exclude from the subset. + // Note: if IncludeMacros is non-empty, then ExcludeFunctions is ignored. + ExcludeMacros []string `yaml:"exclude_macros,omitempty"` + + // IncludeFunctions specifies a set of functions to include in the subset. + // + // Note: the overloads specified in the subset need only specify their ID. + // Note: if IncludeFunctions is non-empty, then ExcludeFunctions is ignored. + IncludeFunctions []*Function `yaml:"include_functions,omitempty"` + + // ExcludeFunctions specifies the set of functions to exclude from the subset. + // + // Note: the overloads specified in the subset need only specify their ID. + ExcludeFunctions []*Function `yaml:"exclude_functions,omitempty"` +} + +// Validate validates the library configuration is well-formed. +// +// For example, setting both the IncludeMacros and ExcludeMacros together could be confusing +// and create a broken expectation, likewise for IncludeFunctions and ExcludeFunctions. +func (lib *LibrarySubset) Validate() error { + if lib == nil { + return nil + } + var errs []error + if len(lib.IncludeMacros) != 0 && len(lib.ExcludeMacros) != 0 { + errs = append(errs, errors.New("invalid subset: cannot both include and exclude macros")) + } + if len(lib.IncludeFunctions) != 0 && len(lib.ExcludeFunctions) != 0 { + errs = append(errs, errors.New("invalid subset: cannot both include and exclude functions")) + } + return errors.Join(errs...) +} + +// SubsetFunction produces a function declaration which matches the supported subset, or nil +// if the function is not supported by the LibrarySubset. +// +// For IncludeFunctions, if the function does not specify a set of overloads to include, the +// whole function definition is included. If overloads are set, then a new function which +// includes only the specified overloads is produced. +// +// For ExcludeFunctions, if the function does not specify a set of overloads to exclude, the +// whole function definition is excluded. If overloads are set, then a new function which +// includes only the permitted overloads is produced. +func (lib *LibrarySubset) SubsetFunction(fn *decls.FunctionDecl) (*decls.FunctionDecl, bool) { + // When lib is null, it should indicate that all values are included in the subset. + if lib == nil { + return fn, true + } + if lib.Disabled { + return nil, false + } + if len(lib.IncludeFunctions) != 0 { + for _, include := range lib.IncludeFunctions { + if include.Name != fn.Name() { + continue + } + if len(include.Overloads) == 0 { + return fn, true + } + overloadIDs := make([]string, len(include.Overloads)) + for i, o := range include.Overloads { + overloadIDs[i] = o.ID + } + return fn.Subset(decls.IncludeOverloads(overloadIDs...)), true + } + return nil, false + } + if len(lib.ExcludeFunctions) != 0 { + for _, exclude := range lib.ExcludeFunctions { + if exclude.Name != fn.Name() { + continue + } + if len(exclude.Overloads) == 0 { + return nil, false + } + overloadIDs := make([]string, len(exclude.Overloads)) + for i, o := range exclude.Overloads { + overloadIDs[i] = o.ID + } + return fn.Subset(decls.ExcludeOverloads(overloadIDs...)), true + } + return fn, true + } + return fn, true +} + +// SubsetMacro indicates whether the macro function should be included in the library subset. +func (lib *LibrarySubset) SubsetMacro(macroFunction string) bool { + // When lib is null, it should indicate that all values are included in the subset. + if lib == nil { + return true + } + if lib.Disabled || lib.DisableMacros { + return false + } + if len(lib.IncludeMacros) != 0 { + for _, name := range lib.IncludeMacros { + if name == macroFunction { + return true + } + } + return false + } + if len(lib.ExcludeMacros) != 0 { + for _, name := range lib.ExcludeMacros { + if name == macroFunction { + return false + } + } + return true + } + return true +} + +// SetDisabled disables or enables the library. +func (lib *LibrarySubset) SetDisabled(value bool) *LibrarySubset { + lib.Disabled = value + return lib +} + +// SetDisableMacros disables the macros for the library. +func (lib *LibrarySubset) SetDisableMacros(value bool) *LibrarySubset { + lib.DisableMacros = value + return lib +} + +// AddIncludedMacros allow-lists one or more macros by function name. +// +// Note, this option will override any excluded macros. +func (lib *LibrarySubset) AddIncludedMacros(macros ...string) *LibrarySubset { + lib.IncludeMacros = append(lib.IncludeMacros, macros...) + return lib +} + +// AddExcludedMacros deny-lists one or more macros by function name. +func (lib *LibrarySubset) AddExcludedMacros(macros ...string) *LibrarySubset { + lib.ExcludeMacros = append(lib.ExcludeMacros, macros...) + return lib +} + +// AddIncludedFunctions allow-lists one or more functions from the subset. +// +// Note, this option will override any excluded functions. +func (lib *LibrarySubset) AddIncludedFunctions(funcs ...*Function) *LibrarySubset { + lib.IncludeFunctions = append(lib.IncludeFunctions, funcs...) + return lib +} + +// AddExcludedFunctions deny-lists one or more functions from the subset. +func (lib *LibrarySubset) AddExcludedFunctions(funcs ...*Function) *LibrarySubset { + lib.ExcludeFunctions = append(lib.ExcludeFunctions, funcs...) + return lib +} + +// NewValidator returns a named Validator instance. +func NewValidator(name string) *Validator { + return &Validator{Name: name} +} + +// Validator represents a named validator with an optional map-based configuration object. +// +// Note: the map-keys must directly correspond to the internal representation of the original +// validator, and should only use primitive scalar types as values at this time. +type Validator struct { + Name string `yaml:"name"` + Config map[string]any `yaml:"config,omitempty"` +} + +// Validate validates the configuration of the validator object. +func (v *Validator) Validate() error { + if v == nil { + return errors.New("invalid validator: nil") + } + if v.Name == "" { + return errors.New("invalid validator: missing name") + } + return nil +} + +// SetConfig sets the set of map key-value pairs associated with this validator's configuration. +func (v *Validator) SetConfig(config map[string]any) *Validator { + v.Config = config + return v +} + +// ConfigValue retrieves the value associated with the config key name, if one exists. +func (v *Validator) ConfigValue(name string) (any, bool) { + if v == nil { + return nil, false + } + value, found := v.Config[name] + return value, found +} + +// NewFeature creates a new feature flag with a boolean enablement flag. +func NewFeature(name string, enabled bool) *Feature { + return &Feature{Name: name, Enabled: enabled} +} + +// Feature represents a named boolean feature flag supported by CEL. +type Feature struct { + Name string `yaml:"name"` + Enabled bool `yaml:"enabled"` +} + +// Validate validates whether the feature is well-configured. +func (feat *Feature) Validate() error { + if feat == nil { + return errors.New("invalid feature: nil") + } + if feat.Name == "" { + return errors.New("invalid feature: missing name") + } + return nil +} + +// NewTypeDesc describes a simple or complex type with parameters. +func NewTypeDesc(typeName string, params ...*TypeDesc) *TypeDesc { + return &TypeDesc{TypeName: typeName, Params: params} +} + +// NewTypeParam describe a type-param type. +func NewTypeParam(paramName string) *TypeDesc { + return &TypeDesc{TypeName: paramName, IsTypeParam: true} +} + +// TypeDesc represents the serializable format of a CEL *types.Type value. +type TypeDesc struct { + TypeName string `yaml:"type_name"` + Params []*TypeDesc `yaml:"params,omitempty"` + IsTypeParam bool `yaml:"is_type_param,omitempty"` +} + +// String implements the strings.Stringer interface method. +func (td *TypeDesc) String() string { + ps := make([]string, len(td.Params)) + for i, p := range td.Params { + ps[i] = p.String() + } + typeName := td.TypeName + if len(ps) != 0 { + typeName = fmt.Sprintf("%s(%s)", typeName, strings.Join(ps, ",")) + } + return typeName +} + +// Validate validates the type configuration is well-formed. +func (td *TypeDesc) Validate() error { + if td == nil { + return errors.New("invalid type: nil") + } + if td.TypeName == "" { + return errors.New("invalid type: missing type name") + } + if td.IsTypeParam && len(td.Params) != 0 { + return errors.New("invalid type: param type cannot have parameters") + } + switch td.TypeName { + case "list": + if len(td.Params) != 1 { + return fmt.Errorf("invalid type: list expects 1 parameter, got %d", len(td.Params)) + } + return td.Params[0].Validate() + case "map": + if len(td.Params) != 2 { + return fmt.Errorf("invalid type: map expects 2 parameters, got %d", len(td.Params)) + } + if err := td.Params[0].Validate(); err != nil { + return err + } + if err := td.Params[1].Validate(); err != nil { + return err + } + case "optional_type": + if len(td.Params) != 1 { + return fmt.Errorf("invalid type: optional_type expects 1 parameter, got %d", len(td.Params)) + } + return td.Params[0].Validate() + default: + } + return nil +} + +// AsCELType converts the serializable object to a *types.Type value. +func (td *TypeDesc) AsCELType(tp types.Provider) (*types.Type, error) { + err := td.Validate() + if err != nil { + return nil, err + } + switch td.TypeName { + case "dyn": + return types.DynType, nil + case "map": + kt, err := td.Params[0].AsCELType(tp) + if err != nil { + return nil, err + } + vt, err := td.Params[1].AsCELType(tp) + if err != nil { + return nil, err + } + return types.NewMapType(kt, vt), nil + case "list": + et, err := td.Params[0].AsCELType(tp) + if err != nil { + return nil, err + } + return types.NewListType(et), nil + case "optional_type": + et, err := td.Params[0].AsCELType(tp) + if err != nil { + return nil, err + } + return types.NewOptionalType(et), nil + default: + if td.IsTypeParam { + return types.NewTypeParamType(td.TypeName), nil + } + if msgType, found := tp.FindStructType(td.TypeName); found { + // First parameter is the type name. + return msgType.Parameters()[0], nil + } + t, found := tp.FindIdent(td.TypeName) + if !found { + return nil, fmt.Errorf("undefined type name: %q", td.TypeName) + } + _, ok := t.(*types.Type) + if ok && len(td.Params) == 0 { + return t.(*types.Type), nil + } + params := make([]*types.Type, len(td.Params)) + for i, p := range td.Params { + params[i], err = p.AsCELType(tp) + if err != nil { + return nil, err + } + } + return types.NewOpaqueType(td.TypeName, params...), nil + } +} + +// SerializeTypeDesc converts a CEL native *types.Type to a serializable TypeDesc. +func SerializeTypeDesc(t *types.Type) *TypeDesc { + typeName := t.TypeName() + if t.Kind() == types.TypeParamKind { + return NewTypeParam(typeName) + } + if t != types.NullType && t.IsAssignableType(types.NullType) { + if wrapperTypeName, found := wrapperTypes[t.Kind()]; found { + return NewTypeDesc(wrapperTypeName) + } + } + var params []*TypeDesc + for _, p := range t.Parameters() { + params = append(params, SerializeTypeDesc(p)) + } + return NewTypeDesc(typeName, params...) +} + +var wrapperTypes = map[types.Kind]string{ + types.BoolKind: "google.protobuf.BoolValue", + types.BytesKind: "google.protobuf.BytesValue", + types.DoubleKind: "google.protobuf.DoubleValue", + types.IntKind: "google.protobuf.Int64Value", + types.StringKind: "google.protobuf.StringValue", + types.UintKind: "google.protobuf.UInt64Value", +} diff --git a/vendor/github.com/google/cel-go/common/stdlib/BUILD.bazel b/vendor/github.com/google/cel-go/common/stdlib/BUILD.bazel index b55f45215..124dbea81 100644 --- a/vendor/github.com/google/cel-go/common/stdlib/BUILD.bazel +++ b/vendor/github.com/google/cel-go/common/stdlib/BUILD.bazel @@ -12,6 +12,7 @@ go_library( ], importpath = "github.com/google/cel-go/common/stdlib", deps = [ + "//common:go_default_library", "//common/decls:go_default_library", "//common/functions:go_default_library", "//common/operators:go_default_library", diff --git a/vendor/github.com/google/cel-go/common/stdlib/standard.go b/vendor/github.com/google/cel-go/common/stdlib/standard.go index 1550c1786..4040a4f5c 100644 --- a/vendor/github.com/google/cel-go/common/stdlib/standard.go +++ b/vendor/github.com/google/cel-go/common/stdlib/standard.go @@ -16,6 +16,11 @@ package stdlib import ( + "strconv" + "strings" + "time" + + "github.com/google/cel-go/common" "github.com/google/cel-go/common/decls" "github.com/google/cel-go/common/functions" "github.com/google/cel-go/common/operators" @@ -28,6 +33,7 @@ import ( var ( stdFunctions []*decls.FunctionDecl stdTypes []*decls.VariableDecl + utcTZ = types.String("UTC") ) func init() { @@ -55,19 +61,49 @@ func init() { // Logical operators. Special-cased within the interpreter. // Note, the singleton binding prevents extensions from overriding the operator behavior. function(operators.Conditional, + decls.FunctionDocs( + `The ternary operator tests a boolean predicate and returns the left-hand side `+ + `(truthy) expression if true, or the right-hand side (falsy) expression if false`), decls.Overload(overloads.Conditional, argTypes(types.BoolType, paramA, paramA), paramA, - decls.OverloadIsNonStrict()), + decls.OverloadIsNonStrict(), + decls.OverloadExamples( + `'hello'.contains('lo') ? 'hi' : 'bye' // 'hi'`, + `32 % 3 == 0 ? 'divisible' : 'not divisible' // 'not divisible'`)), decls.SingletonFunctionBinding(noFunctionOverrides)), + function(operators.LogicalAnd, + decls.FunctionDocs( + `logically AND two boolean values. Errors and unknown values`, + `are valid inputs and will not halt evaluation.`), decls.Overload(overloads.LogicalAnd, argTypes(types.BoolType, types.BoolType), types.BoolType, - decls.OverloadIsNonStrict()), + decls.OverloadIsNonStrict(), + decls.OverloadExamples( + `true && true // true`, + `true && false // false`, + `error && true // error`, + `error && false // false`)), decls.SingletonBinaryBinding(noBinaryOverrides)), + function(operators.LogicalOr, + decls.FunctionDocs( + `logically OR two boolean values. Errors and unknown values`, + `are valid inputs and will not halt evaluation.`), decls.Overload(overloads.LogicalOr, argTypes(types.BoolType, types.BoolType), types.BoolType, - decls.OverloadIsNonStrict()), + decls.OverloadIsNonStrict(), + decls.OverloadExamples( + `true || false // true`, + `false || false // false`, + `error || true // true`, + `error || error // true`)), decls.SingletonBinaryBinding(noBinaryOverrides)), + function(operators.LogicalNot, - decls.Overload(overloads.LogicalNot, argTypes(types.BoolType), types.BoolType), + decls.FunctionDocs(`logically negate a boolean value.`), + decls.Overload(overloads.LogicalNot, argTypes(types.BoolType), types.BoolType, + decls.OverloadExamples( + `!true // false`, + `!false // true`, + `!error // error`)), decls.SingletonUnaryBinding(func(val ref.Val) ref.Val { b, ok := val.(types.Bool) if !ok { @@ -90,66 +126,104 @@ func init() { // Equality / inequality. Special-cased in the interpreter function(operators.Equals, - decls.Overload(overloads.Equals, argTypes(paramA, paramA), types.BoolType), + decls.FunctionDocs(`compare two values of the same type for equality`), + decls.Overload(overloads.Equals, argTypes(paramA, paramA), types.BoolType, + decls.OverloadExamples( + `1 == 1 // true`, + `'hello' == 'world' // false`, + `bytes('hello') == b'hello' // true`, + `duration('1h') == duration('60m') // true`, + `dyn(3.0) == 3 // true`)), decls.SingletonBinaryBinding(noBinaryOverrides)), function(operators.NotEquals, - decls.Overload(overloads.NotEquals, argTypes(paramA, paramA), types.BoolType), + decls.FunctionDocs(`compare two values of the same type for inequality`), + decls.Overload(overloads.NotEquals, argTypes(paramA, paramA), types.BoolType, + decls.OverloadExamples( + `1 != 2 // true`, + `"a" != "a" // false`, + `3.0 != 3.1 // true`)), decls.SingletonBinaryBinding(noBinaryOverrides)), // Mathematical operators function(operators.Add, + decls.FunctionDocs( + `adds two numeric values or concatenates two strings, bytes,`, + `or lists.`), decls.Overload(overloads.AddBytes, - argTypes(types.BytesType, types.BytesType), types.BytesType), + argTypes(types.BytesType, types.BytesType), types.BytesType, + decls.OverloadExamples(`b'hi' + bytes('ya') // b'hiya'`)), decls.Overload(overloads.AddDouble, - argTypes(types.DoubleType, types.DoubleType), types.DoubleType), + argTypes(types.DoubleType, types.DoubleType), types.DoubleType, + decls.OverloadExamples(`3.14 + 1.59 // 4.73`)), decls.Overload(overloads.AddDurationDuration, - argTypes(types.DurationType, types.DurationType), types.DurationType), + argTypes(types.DurationType, types.DurationType), types.DurationType, + decls.OverloadExamples(`duration('1m') + duration('1s') // duration('1m1s')`)), decls.Overload(overloads.AddDurationTimestamp, - argTypes(types.DurationType, types.TimestampType), types.TimestampType), + argTypes(types.DurationType, types.TimestampType), types.TimestampType, + decls.OverloadExamples(`duration('24h') + timestamp('2023-01-01T00:00:00Z') // timestamp('2023-01-02T00:00:00Z')`)), decls.Overload(overloads.AddTimestampDuration, - argTypes(types.TimestampType, types.DurationType), types.TimestampType), + argTypes(types.TimestampType, types.DurationType), types.TimestampType, + decls.OverloadExamples(`timestamp('2023-01-01T00:00:00Z') + duration('24h1m2s') // timestamp('2023-01-02T00:01:02Z')`)), decls.Overload(overloads.AddInt64, - argTypes(types.IntType, types.IntType), types.IntType), + argTypes(types.IntType, types.IntType), types.IntType, + decls.OverloadExamples(`1 + 2 // 3`)), decls.Overload(overloads.AddList, - argTypes(listOfA, listOfA), listOfA), + argTypes(listOfA, listOfA), listOfA, + decls.OverloadExamples(`[1] + [2, 3] // [1, 2, 3]`)), decls.Overload(overloads.AddString, - argTypes(types.StringType, types.StringType), types.StringType), + argTypes(types.StringType, types.StringType), types.StringType, + decls.OverloadExamples(`"Hello, " + "world!" // "Hello, world!"`)), decls.Overload(overloads.AddUint64, - argTypes(types.UintType, types.UintType), types.UintType), + argTypes(types.UintType, types.UintType), types.UintType, + decls.OverloadExamples(`22u + 33u // 55u`)), decls.SingletonBinaryBinding(func(lhs, rhs ref.Val) ref.Val { return lhs.(traits.Adder).Add(rhs) }, traits.AdderType)), function(operators.Divide, + decls.FunctionDocs(`divide two numbers`), decls.Overload(overloads.DivideDouble, - argTypes(types.DoubleType, types.DoubleType), types.DoubleType), + argTypes(types.DoubleType, types.DoubleType), types.DoubleType, + decls.OverloadExamples(`7.0 / 2.0 // 3.5`)), decls.Overload(overloads.DivideInt64, - argTypes(types.IntType, types.IntType), types.IntType), + argTypes(types.IntType, types.IntType), types.IntType, + decls.OverloadExamples(`10 / 2 // 5`)), decls.Overload(overloads.DivideUint64, - argTypes(types.UintType, types.UintType), types.UintType), + argTypes(types.UintType, types.UintType), types.UintType, + decls.OverloadExamples(`42u / 2u // 21u`)), decls.SingletonBinaryBinding(func(lhs, rhs ref.Val) ref.Val { return lhs.(traits.Divider).Divide(rhs) }, traits.DividerType)), function(operators.Modulo, + decls.FunctionDocs(`compute the modulus of one integer into another`), decls.Overload(overloads.ModuloInt64, - argTypes(types.IntType, types.IntType), types.IntType), + argTypes(types.IntType, types.IntType), types.IntType, + decls.OverloadExamples(`3 % 2 // 1`)), decls.Overload(overloads.ModuloUint64, - argTypes(types.UintType, types.UintType), types.UintType), + argTypes(types.UintType, types.UintType), types.UintType, + decls.OverloadExamples(`6u % 3u // 0u`)), decls.SingletonBinaryBinding(func(lhs, rhs ref.Val) ref.Val { return lhs.(traits.Modder).Modulo(rhs) }, traits.ModderType)), function(operators.Multiply, + decls.FunctionDocs(`multiply two numbers`), decls.Overload(overloads.MultiplyDouble, - argTypes(types.DoubleType, types.DoubleType), types.DoubleType), + argTypes(types.DoubleType, types.DoubleType), types.DoubleType, + decls.OverloadExamples(`3.5 * 40.0 // 140.0`)), decls.Overload(overloads.MultiplyInt64, - argTypes(types.IntType, types.IntType), types.IntType), + argTypes(types.IntType, types.IntType), types.IntType, + decls.OverloadExamples(`-2 * 6 // -12`)), decls.Overload(overloads.MultiplyUint64, - argTypes(types.UintType, types.UintType), types.UintType), + argTypes(types.UintType, types.UintType), types.UintType, + decls.OverloadExamples(`13u * 3u // 39u`)), decls.SingletonBinaryBinding(func(lhs, rhs ref.Val) ref.Val { return lhs.(traits.Multiplier).Multiply(rhs) }, traits.MultiplierType)), function(operators.Negate, - decls.Overload(overloads.NegateDouble, argTypes(types.DoubleType), types.DoubleType), - decls.Overload(overloads.NegateInt64, argTypes(types.IntType), types.IntType), + decls.FunctionDocs(`negate a numeric value`), + decls.Overload(overloads.NegateDouble, argTypes(types.DoubleType), types.DoubleType, + decls.OverloadExamples(`-(3.14) // -3.14`)), + decls.Overload(overloads.NegateInt64, argTypes(types.IntType), types.IntType, + decls.OverloadExamples(`-(5) // -5`)), decls.SingletonUnaryBinding(func(val ref.Val) ref.Val { if types.IsBool(val) { return types.MaybeNoSuchOverloadErr(val) @@ -157,18 +231,32 @@ func init() { return val.(traits.Negater).Negate() }, traits.NegatorType)), function(operators.Subtract, + decls.FunctionDocs(`subtract two numbers, or two time-related values`), decls.Overload(overloads.SubtractDouble, - argTypes(types.DoubleType, types.DoubleType), types.DoubleType), + argTypes(types.DoubleType, types.DoubleType), types.DoubleType, + decls.OverloadExamples(`10.5 - 2.0 // 8.5`)), decls.Overload(overloads.SubtractDurationDuration, - argTypes(types.DurationType, types.DurationType), types.DurationType), + argTypes(types.DurationType, types.DurationType), types.DurationType, + decls.OverloadExamples(`duration('1m') - duration('1s') // duration('59s')`)), decls.Overload(overloads.SubtractInt64, - argTypes(types.IntType, types.IntType), types.IntType), + argTypes(types.IntType, types.IntType), types.IntType, + decls.OverloadExamples(`5 - 3 // 2`)), decls.Overload(overloads.SubtractTimestampDuration, - argTypes(types.TimestampType, types.DurationType), types.TimestampType), + argTypes(types.TimestampType, types.DurationType), types.TimestampType, + decls.OverloadExamples(common.MultilineDescription( + `timestamp('2023-01-10T12:00:00Z')`, + ` - duration('12h') // timestamp('2023-01-10T00:00:00Z')`))), decls.Overload(overloads.SubtractTimestampTimestamp, - argTypes(types.TimestampType, types.TimestampType), types.DurationType), + argTypes(types.TimestampType, types.TimestampType), types.DurationType, + decls.OverloadExamples(common.MultilineDescription( + `timestamp('2023-01-10T12:00:00Z')`, + ` - timestamp('2023-01-10T00:00:00Z') // duration('12h')`))), decls.Overload(overloads.SubtractUint64, - argTypes(types.UintType, types.UintType), types.UintType), + argTypes(types.UintType, types.UintType), types.UintType, + decls.OverloadExamples(common.MultilineDescription( + `// the subtraction result must be positive, otherwise an overflow`, + `// error is generated.`, + `42u - 3u // 39u`))), decls.SingletonBinaryBinding(func(lhs, rhs ref.Val) ref.Val { return lhs.(traits.Subtractor).Subtract(rhs) }, traits.SubtractorType)), @@ -176,34 +264,51 @@ func init() { // Relations operators function(operators.Less, + decls.FunctionDocs( + `compare two values and return true if the first value is`, + `less than the second`), decls.Overload(overloads.LessBool, - argTypes(types.BoolType, types.BoolType), types.BoolType), + argTypes(types.BoolType, types.BoolType), types.BoolType, + decls.OverloadExamples(`false < true // true`)), decls.Overload(overloads.LessInt64, - argTypes(types.IntType, types.IntType), types.BoolType), + argTypes(types.IntType, types.IntType), types.BoolType, + decls.OverloadExamples(`-2 < 3 // true`, `1 < 0 // false`)), decls.Overload(overloads.LessInt64Double, - argTypes(types.IntType, types.DoubleType), types.BoolType), + argTypes(types.IntType, types.DoubleType), types.BoolType, + decls.OverloadExamples(`1 < 1.1 // true`)), decls.Overload(overloads.LessInt64Uint64, - argTypes(types.IntType, types.UintType), types.BoolType), + argTypes(types.IntType, types.UintType), types.BoolType, + decls.OverloadExamples(`1 < 2u // true`)), decls.Overload(overloads.LessUint64, - argTypes(types.UintType, types.UintType), types.BoolType), + argTypes(types.UintType, types.UintType), types.BoolType, + decls.OverloadExamples(`1u < 2u // true`)), decls.Overload(overloads.LessUint64Double, - argTypes(types.UintType, types.DoubleType), types.BoolType), + argTypes(types.UintType, types.DoubleType), types.BoolType, + decls.OverloadExamples(`1u < 0.9 // false`)), decls.Overload(overloads.LessUint64Int64, - argTypes(types.UintType, types.IntType), types.BoolType), + argTypes(types.UintType, types.IntType), types.BoolType, + decls.OverloadExamples(`1u < 23 // true`, `1u < -1 // false`)), decls.Overload(overloads.LessDouble, - argTypes(types.DoubleType, types.DoubleType), types.BoolType), + argTypes(types.DoubleType, types.DoubleType), types.BoolType, + decls.OverloadExamples(`2.0 < 2.4 // true`)), decls.Overload(overloads.LessDoubleInt64, - argTypes(types.DoubleType, types.IntType), types.BoolType), + argTypes(types.DoubleType, types.IntType), types.BoolType, + decls.OverloadExamples(`2.1 < 3 // true`)), decls.Overload(overloads.LessDoubleUint64, - argTypes(types.DoubleType, types.UintType), types.BoolType), + argTypes(types.DoubleType, types.UintType), types.BoolType, + decls.OverloadExamples(`2.3 < 2u // false`, `-1.0 < 1u // true`)), decls.Overload(overloads.LessString, - argTypes(types.StringType, types.StringType), types.BoolType), + argTypes(types.StringType, types.StringType), types.BoolType, + decls.OverloadExamples(`'a' < 'b' // true`, `'cat' < 'cab' // false`)), decls.Overload(overloads.LessBytes, - argTypes(types.BytesType, types.BytesType), types.BoolType), + argTypes(types.BytesType, types.BytesType), types.BoolType, + decls.OverloadExamples(`b'hello' < b'world' // true`)), decls.Overload(overloads.LessTimestamp, - argTypes(types.TimestampType, types.TimestampType), types.BoolType), + argTypes(types.TimestampType, types.TimestampType), types.BoolType, + decls.OverloadExamples(`timestamp('2001-01-01T02:03:04Z') < timestamp('2002-02-02T02:03:04Z') // true`)), decls.Overload(overloads.LessDuration, - argTypes(types.DurationType, types.DurationType), types.BoolType), + argTypes(types.DurationType, types.DurationType), types.BoolType, + decls.OverloadExamples(`duration('1ms') < duration('1s') // true`)), decls.SingletonBinaryBinding(func(lhs, rhs ref.Val) ref.Val { cmp := lhs.(traits.Comparer).Compare(rhs) if cmp == types.IntNegOne { @@ -216,34 +321,51 @@ func init() { }, traits.ComparerType)), function(operators.LessEquals, + decls.FunctionDocs( + `compare two values and return true if the first value is`, + `less than or equal to the second`), decls.Overload(overloads.LessEqualsBool, - argTypes(types.BoolType, types.BoolType), types.BoolType), + argTypes(types.BoolType, types.BoolType), types.BoolType, + decls.OverloadExamples(`false <= true // true`)), decls.Overload(overloads.LessEqualsInt64, - argTypes(types.IntType, types.IntType), types.BoolType), + argTypes(types.IntType, types.IntType), types.BoolType, + decls.OverloadExamples(`-2 <= 3 // true`)), decls.Overload(overloads.LessEqualsInt64Double, - argTypes(types.IntType, types.DoubleType), types.BoolType), + argTypes(types.IntType, types.DoubleType), types.BoolType, + decls.OverloadExamples(`1 <= 1.1 // true`)), decls.Overload(overloads.LessEqualsInt64Uint64, - argTypes(types.IntType, types.UintType), types.BoolType), + argTypes(types.IntType, types.UintType), types.BoolType, + decls.OverloadExamples(`1 <= 2u // true`, `-1 <= 0u // true`)), decls.Overload(overloads.LessEqualsUint64, - argTypes(types.UintType, types.UintType), types.BoolType), + argTypes(types.UintType, types.UintType), types.BoolType, + decls.OverloadExamples(`1u <= 2u // true`)), decls.Overload(overloads.LessEqualsUint64Double, - argTypes(types.UintType, types.DoubleType), types.BoolType), + argTypes(types.UintType, types.DoubleType), types.BoolType, + decls.OverloadExamples(`1u <= 1.0 // true`, `1u <= 1.1 // true`)), decls.Overload(overloads.LessEqualsUint64Int64, - argTypes(types.UintType, types.IntType), types.BoolType), + argTypes(types.UintType, types.IntType), types.BoolType, + decls.OverloadExamples(`1u <= 23 // true`)), decls.Overload(overloads.LessEqualsDouble, - argTypes(types.DoubleType, types.DoubleType), types.BoolType), + argTypes(types.DoubleType, types.DoubleType), types.BoolType, + decls.OverloadExamples(`2.0 <= 2.4 // true`)), decls.Overload(overloads.LessEqualsDoubleInt64, - argTypes(types.DoubleType, types.IntType), types.BoolType), + argTypes(types.DoubleType, types.IntType), types.BoolType, + decls.OverloadExamples(`2.1 <= 3 // true`)), decls.Overload(overloads.LessEqualsDoubleUint64, - argTypes(types.DoubleType, types.UintType), types.BoolType), + argTypes(types.DoubleType, types.UintType), types.BoolType, + decls.OverloadExamples(`2.0 <= 2u // true`, `-1.0 <= 1u // true`)), decls.Overload(overloads.LessEqualsString, - argTypes(types.StringType, types.StringType), types.BoolType), + argTypes(types.StringType, types.StringType), types.BoolType, + decls.OverloadExamples(`'a' <= 'b' // true`, `'a' <= 'a' // true`, `'cat' <= 'cab' // false`)), decls.Overload(overloads.LessEqualsBytes, - argTypes(types.BytesType, types.BytesType), types.BoolType), + argTypes(types.BytesType, types.BytesType), types.BoolType, + decls.OverloadExamples(`b'hello' <= b'world' // true`)), decls.Overload(overloads.LessEqualsTimestamp, - argTypes(types.TimestampType, types.TimestampType), types.BoolType), + argTypes(types.TimestampType, types.TimestampType), types.BoolType, + decls.OverloadExamples(`timestamp('2001-01-01T02:03:04Z') <= timestamp('2002-02-02T02:03:04Z') // true`)), decls.Overload(overloads.LessEqualsDuration, - argTypes(types.DurationType, types.DurationType), types.BoolType), + argTypes(types.DurationType, types.DurationType), types.BoolType, + decls.OverloadExamples(`duration('1ms') <= duration('1s') // true`)), decls.SingletonBinaryBinding(func(lhs, rhs ref.Val) ref.Val { cmp := lhs.(traits.Comparer).Compare(rhs) if cmp == types.IntNegOne || cmp == types.IntZero { @@ -256,34 +378,51 @@ func init() { }, traits.ComparerType)), function(operators.Greater, + decls.FunctionDocs( + `compare two values and return true if the first value is`, + `greater than the second`), decls.Overload(overloads.GreaterBool, - argTypes(types.BoolType, types.BoolType), types.BoolType), + argTypes(types.BoolType, types.BoolType), types.BoolType, + decls.OverloadExamples(`true > false // true`)), decls.Overload(overloads.GreaterInt64, - argTypes(types.IntType, types.IntType), types.BoolType), + argTypes(types.IntType, types.IntType), types.BoolType, + decls.OverloadExamples(`3 > -2 // true`)), decls.Overload(overloads.GreaterInt64Double, - argTypes(types.IntType, types.DoubleType), types.BoolType), + argTypes(types.IntType, types.DoubleType), types.BoolType, + decls.OverloadExamples(`2 > 1.1 // true`)), decls.Overload(overloads.GreaterInt64Uint64, - argTypes(types.IntType, types.UintType), types.BoolType), + argTypes(types.IntType, types.UintType), types.BoolType, + decls.OverloadExamples(`3 > 2u // true`)), decls.Overload(overloads.GreaterUint64, - argTypes(types.UintType, types.UintType), types.BoolType), + argTypes(types.UintType, types.UintType), types.BoolType, + decls.OverloadExamples(`2u > 1u // true`)), decls.Overload(overloads.GreaterUint64Double, - argTypes(types.UintType, types.DoubleType), types.BoolType), + argTypes(types.UintType, types.DoubleType), types.BoolType, + decls.OverloadExamples(`2u > 1.9 // true`)), decls.Overload(overloads.GreaterUint64Int64, - argTypes(types.UintType, types.IntType), types.BoolType), + argTypes(types.UintType, types.IntType), types.BoolType, + decls.OverloadExamples(`23u > 1 // true`, `0u > -1 // true`)), decls.Overload(overloads.GreaterDouble, - argTypes(types.DoubleType, types.DoubleType), types.BoolType), + argTypes(types.DoubleType, types.DoubleType), types.BoolType, + decls.OverloadExamples(`2.4 > 2.0 // true`)), decls.Overload(overloads.GreaterDoubleInt64, - argTypes(types.DoubleType, types.IntType), types.BoolType), + argTypes(types.DoubleType, types.IntType), types.BoolType, + decls.OverloadExamples(`3.1 > 3 // true`, `3.0 > 3 // false`)), decls.Overload(overloads.GreaterDoubleUint64, - argTypes(types.DoubleType, types.UintType), types.BoolType), + argTypes(types.DoubleType, types.UintType), types.BoolType, + decls.OverloadExamples(`2.3 > 2u // true`)), decls.Overload(overloads.GreaterString, - argTypes(types.StringType, types.StringType), types.BoolType), + argTypes(types.StringType, types.StringType), types.BoolType, + decls.OverloadExamples(`'b' > 'a' // true`)), decls.Overload(overloads.GreaterBytes, - argTypes(types.BytesType, types.BytesType), types.BoolType), + argTypes(types.BytesType, types.BytesType), types.BoolType, + decls.OverloadExamples(`b'world' > b'hello' // true`)), decls.Overload(overloads.GreaterTimestamp, - argTypes(types.TimestampType, types.TimestampType), types.BoolType), + argTypes(types.TimestampType, types.TimestampType), types.BoolType, + decls.OverloadExamples(`timestamp('2002-02-02T02:03:04Z') > timestamp('2001-01-01T02:03:04Z') // true`)), decls.Overload(overloads.GreaterDuration, - argTypes(types.DurationType, types.DurationType), types.BoolType), + argTypes(types.DurationType, types.DurationType), types.BoolType, + decls.OverloadExamples(`duration('1ms') > duration('1us') // true`)), decls.SingletonBinaryBinding(func(lhs, rhs ref.Val) ref.Val { cmp := lhs.(traits.Comparer).Compare(rhs) if cmp == types.IntOne { @@ -296,34 +435,51 @@ func init() { }, traits.ComparerType)), function(operators.GreaterEquals, + decls.FunctionDocs( + `compare two values and return true if the first value is`, + `greater than or equal to the second`), decls.Overload(overloads.GreaterEqualsBool, - argTypes(types.BoolType, types.BoolType), types.BoolType), + argTypes(types.BoolType, types.BoolType), types.BoolType, + decls.OverloadExamples(`true >= false // true`)), decls.Overload(overloads.GreaterEqualsInt64, - argTypes(types.IntType, types.IntType), types.BoolType), + argTypes(types.IntType, types.IntType), types.BoolType, + decls.OverloadExamples(`3 >= -2 // true`)), decls.Overload(overloads.GreaterEqualsInt64Double, - argTypes(types.IntType, types.DoubleType), types.BoolType), + argTypes(types.IntType, types.DoubleType), types.BoolType, + decls.OverloadExamples(`2 >= 1.1 // true`, `1 >= 1.0 // true`)), decls.Overload(overloads.GreaterEqualsInt64Uint64, - argTypes(types.IntType, types.UintType), types.BoolType), + argTypes(types.IntType, types.UintType), types.BoolType, + decls.OverloadExamples(`3 >= 2u // true`)), decls.Overload(overloads.GreaterEqualsUint64, - argTypes(types.UintType, types.UintType), types.BoolType), + argTypes(types.UintType, types.UintType), types.BoolType, + decls.OverloadExamples(`2u >= 1u // true`)), decls.Overload(overloads.GreaterEqualsUint64Double, - argTypes(types.UintType, types.DoubleType), types.BoolType), + argTypes(types.UintType, types.DoubleType), types.BoolType, + decls.OverloadExamples(`2u >= 1.9 // true`)), decls.Overload(overloads.GreaterEqualsUint64Int64, - argTypes(types.UintType, types.IntType), types.BoolType), + argTypes(types.UintType, types.IntType), types.BoolType, + decls.OverloadExamples(`23u >= 1 // true`, `1u >= 1 // true`)), decls.Overload(overloads.GreaterEqualsDouble, - argTypes(types.DoubleType, types.DoubleType), types.BoolType), + argTypes(types.DoubleType, types.DoubleType), types.BoolType, + decls.OverloadExamples(`2.4 >= 2.0 // true`)), decls.Overload(overloads.GreaterEqualsDoubleInt64, - argTypes(types.DoubleType, types.IntType), types.BoolType), + argTypes(types.DoubleType, types.IntType), types.BoolType, + decls.OverloadExamples(`3.1 >= 3 // true`)), decls.Overload(overloads.GreaterEqualsDoubleUint64, - argTypes(types.DoubleType, types.UintType), types.BoolType), + argTypes(types.DoubleType, types.UintType), types.BoolType, + decls.OverloadExamples(`2.3 >= 2u // true`)), decls.Overload(overloads.GreaterEqualsString, - argTypes(types.StringType, types.StringType), types.BoolType), + argTypes(types.StringType, types.StringType), types.BoolType, + decls.OverloadExamples(`'b' >= 'a' // true`)), decls.Overload(overloads.GreaterEqualsBytes, - argTypes(types.BytesType, types.BytesType), types.BoolType), + argTypes(types.BytesType, types.BytesType), types.BoolType, + decls.OverloadExamples(`b'world' >= b'hello' // true`)), decls.Overload(overloads.GreaterEqualsTimestamp, - argTypes(types.TimestampType, types.TimestampType), types.BoolType), + argTypes(types.TimestampType, types.TimestampType), types.BoolType, + decls.OverloadExamples(`timestamp('2001-01-01T02:03:04Z') >= timestamp('2001-01-01T02:03:04Z') // true`)), decls.Overload(overloads.GreaterEqualsDuration, - argTypes(types.DurationType, types.DurationType), types.BoolType), + argTypes(types.DurationType, types.DurationType), types.BoolType, + decls.OverloadExamples(`duration('60s') >= duration('1m') // true`)), decls.SingletonBinaryBinding(func(lhs, rhs ref.Val) ref.Val { cmp := lhs.(traits.Comparer).Compare(rhs) if cmp == types.IntOne || cmp == types.IntZero { @@ -337,16 +493,28 @@ func init() { // Indexing function(operators.Index, - decls.Overload(overloads.IndexList, argTypes(listOfA, types.IntType), paramA), - decls.Overload(overloads.IndexMap, argTypes(mapOfAB, paramA), paramB), + decls.FunctionDocs(`select a value from a list by index, or value from a map by key`), + decls.Overload(overloads.IndexList, argTypes(listOfA, types.IntType), paramA, + decls.OverloadExamples(`[1, 2, 3][1] // 2`)), + decls.Overload(overloads.IndexMap, argTypes(mapOfAB, paramA), paramB, + decls.OverloadExamples( + `{'key': 'value'}['key'] // 'value'`, + `{'key': 'value'}['missing'] // error`)), decls.SingletonBinaryBinding(func(lhs, rhs ref.Val) ref.Val { return lhs.(traits.Indexer).Get(rhs) }, traits.IndexerType)), // Collections operators function(operators.In, - decls.Overload(overloads.InList, argTypes(paramA, listOfA), types.BoolType), - decls.Overload(overloads.InMap, argTypes(paramA, mapOfAB), types.BoolType), + decls.FunctionDocs(`test whether a value exists in a list, or a key exists in a map`), + decls.Overload(overloads.InList, argTypes(paramA, listOfA), types.BoolType, + decls.OverloadExamples( + `2 in [1, 2, 3] // true`, + `"a" in ["b", "c"] // false`)), + decls.Overload(overloads.InMap, argTypes(paramA, mapOfAB), types.BoolType, + decls.OverloadExamples( + `'key1' in {'key1': 'value1', 'key2': 'value2'} // true`, + `3 in {1: "one", 2: "two"} // false`)), decls.SingletonBinaryBinding(inAggregate)), function(operators.OldIn, decls.DisableDeclaration(true), // safe deprecation @@ -359,209 +527,364 @@ func init() { decls.Overload(overloads.InMap, argTypes(paramA, mapOfAB), types.BoolType), decls.SingletonBinaryBinding(inAggregate)), function(overloads.Size, - decls.Overload(overloads.SizeBytes, argTypes(types.BytesType), types.IntType), - decls.MemberOverload(overloads.SizeBytesInst, argTypes(types.BytesType), types.IntType), - decls.Overload(overloads.SizeList, argTypes(listOfA), types.IntType), - decls.MemberOverload(overloads.SizeListInst, argTypes(listOfA), types.IntType), - decls.Overload(overloads.SizeMap, argTypes(mapOfAB), types.IntType), - decls.MemberOverload(overloads.SizeMapInst, argTypes(mapOfAB), types.IntType), - decls.Overload(overloads.SizeString, argTypes(types.StringType), types.IntType), - decls.MemberOverload(overloads.SizeStringInst, argTypes(types.StringType), types.IntType), + decls.FunctionDocs( + `compute the size of a list or map, the number of characters in a string,`, + `or the number of bytes in a sequence`), + decls.Overload(overloads.SizeBytes, argTypes(types.BytesType), types.IntType, + decls.OverloadExamples(`size(b'123') // 3`)), + decls.MemberOverload(overloads.SizeBytesInst, argTypes(types.BytesType), types.IntType, + decls.OverloadExamples(`b'123'.size() // 3`)), + decls.Overload(overloads.SizeList, argTypes(listOfA), types.IntType, + decls.OverloadExamples(`size([1, 2, 3]) // 3`)), + decls.MemberOverload(overloads.SizeListInst, argTypes(listOfA), types.IntType, + decls.OverloadExamples(`[1, 2, 3].size() // 3`)), + decls.Overload(overloads.SizeMap, argTypes(mapOfAB), types.IntType, + decls.OverloadExamples(`size({'a': 1, 'b': 2}) // 2`)), + decls.MemberOverload(overloads.SizeMapInst, argTypes(mapOfAB), types.IntType, + decls.OverloadExamples(`{'a': 1, 'b': 2}.size() // 2`)), + decls.Overload(overloads.SizeString, argTypes(types.StringType), types.IntType, + decls.OverloadExamples(`size('hello') // 5`)), + decls.MemberOverload(overloads.SizeStringInst, argTypes(types.StringType), types.IntType, + decls.OverloadExamples(`'hello'.size() // 5`)), decls.SingletonUnaryBinding(func(val ref.Val) ref.Val { return val.(traits.Sizer).Size() }, traits.SizerType)), // Type conversions function(overloads.TypeConvertType, - decls.Overload(overloads.TypeConvertType, argTypes(paramA), types.NewTypeTypeWithParam(paramA)), + decls.FunctionDocs(`convert a value to its type identifier`), + decls.Overload(overloads.TypeConvertType, argTypes(paramA), types.NewTypeTypeWithParam(paramA), + decls.OverloadExamples( + `type(1) // int`, + `type('hello') // string`, + `type(int) // type`, + `type(type) // type`)), decls.SingletonUnaryBinding(convertToType(types.TypeType))), // Bool conversions function(overloads.TypeConvertBool, + decls.FunctionDocs(`convert a value to a boolean`), decls.Overload(overloads.BoolToBool, argTypes(types.BoolType), types.BoolType, + + decls.OverloadExamples(`bool(true) // true`), decls.UnaryBinding(identity)), decls.Overload(overloads.StringToBool, argTypes(types.StringType), types.BoolType, + + decls.OverloadExamples(`bool('true') // true`, `bool('false') // false`), decls.UnaryBinding(convertToType(types.BoolType)))), // Bytes conversions function(overloads.TypeConvertBytes, + decls.FunctionDocs(`convert a value to bytes`), decls.Overload(overloads.BytesToBytes, argTypes(types.BytesType), types.BytesType, + decls.OverloadExamples(`bytes(b'abc') // b'abc'`), decls.UnaryBinding(identity)), decls.Overload(overloads.StringToBytes, argTypes(types.StringType), types.BytesType, + decls.OverloadExamples(`bytes('hello') // b'hello'`), decls.UnaryBinding(convertToType(types.BytesType)))), // Double conversions function(overloads.TypeConvertDouble, + decls.FunctionDocs(`convert a value to a double`), decls.Overload(overloads.DoubleToDouble, argTypes(types.DoubleType), types.DoubleType, + decls.OverloadExamples(`double(1.23) // 1.23`), decls.UnaryBinding(identity)), decls.Overload(overloads.IntToDouble, argTypes(types.IntType), types.DoubleType, + decls.OverloadExamples(`double(123) // 123.0`), decls.UnaryBinding(convertToType(types.DoubleType))), decls.Overload(overloads.StringToDouble, argTypes(types.StringType), types.DoubleType, + decls.OverloadExamples(`double('1.23') // 1.23`), decls.UnaryBinding(convertToType(types.DoubleType))), decls.Overload(overloads.UintToDouble, argTypes(types.UintType), types.DoubleType, + decls.OverloadExamples(`double(123u) // 123.0`), decls.UnaryBinding(convertToType(types.DoubleType)))), // Duration conversions function(overloads.TypeConvertDuration, + decls.FunctionDocs(`convert a value to a google.protobuf.Duration`), decls.Overload(overloads.DurationToDuration, argTypes(types.DurationType), types.DurationType, + decls.OverloadExamples(`duration(duration('1s')) // duration('1s')`), decls.UnaryBinding(identity)), decls.Overload(overloads.IntToDuration, argTypes(types.IntType), types.DurationType, decls.UnaryBinding(convertToType(types.DurationType))), decls.Overload(overloads.StringToDuration, argTypes(types.StringType), types.DurationType, + decls.OverloadExamples(`duration('1h2m3s') // duration('3723s')`), decls.UnaryBinding(convertToType(types.DurationType)))), // Dyn conversions function(overloads.TypeConvertDyn, - decls.Overload(overloads.ToDyn, argTypes(paramA), types.DynType), + decls.FunctionDocs(`indicate that the type is dynamic for type-checking purposes`), + decls.Overload(overloads.ToDyn, argTypes(paramA), types.DynType, + decls.OverloadExamples(`dyn(1) // 1`)), decls.SingletonUnaryBinding(identity)), // Int conversions function(overloads.TypeConvertInt, + decls.FunctionDocs(`convert a value to an int`), decls.Overload(overloads.IntToInt, argTypes(types.IntType), types.IntType, + decls.OverloadExamples(`int(123) // 123`), decls.UnaryBinding(identity)), decls.Overload(overloads.DoubleToInt, argTypes(types.DoubleType), types.IntType, + decls.OverloadExamples(`int(123.45) // 123`), decls.UnaryBinding(convertToType(types.IntType))), decls.Overload(overloads.DurationToInt, argTypes(types.DurationType), types.IntType, - decls.UnaryBinding(convertToType(types.IntType))), + decls.OverloadExamples(`int(duration('1s')) // 1000000000`), + decls.UnaryBinding(convertToType(types.IntType))), // Duration to nanoseconds decls.Overload(overloads.StringToInt, argTypes(types.StringType), types.IntType, + decls.OverloadExamples(`int('123') // 123`, `int('-456') // -456`), decls.UnaryBinding(convertToType(types.IntType))), decls.Overload(overloads.TimestampToInt, argTypes(types.TimestampType), types.IntType, - decls.UnaryBinding(convertToType(types.IntType))), + decls.OverloadExamples(`int(timestamp('1970-01-01T00:00:01Z')) // 1`), + decls.UnaryBinding(convertToType(types.IntType))), // Timestamp to epoch seconds decls.Overload(overloads.UintToInt, argTypes(types.UintType), types.IntType, - decls.UnaryBinding(convertToType(types.IntType))), - ), + decls.OverloadExamples(`int(123u) // 123`), + decls.UnaryBinding(convertToType(types.IntType)))), // String conversions function(overloads.TypeConvertString, + decls.FunctionDocs(`convert a value to a string`), decls.Overload(overloads.StringToString, argTypes(types.StringType), types.StringType, + decls.OverloadExamples(`string('hello') // 'hello'`), decls.UnaryBinding(identity)), decls.Overload(overloads.BoolToString, argTypes(types.BoolType), types.StringType, + decls.OverloadExamples(`string(true) // 'true'`), decls.UnaryBinding(convertToType(types.StringType))), decls.Overload(overloads.BytesToString, argTypes(types.BytesType), types.StringType, + decls.OverloadExamples(`string(b'hello') // 'hello'`), decls.UnaryBinding(convertToType(types.StringType))), decls.Overload(overloads.DoubleToString, argTypes(types.DoubleType), types.StringType, - decls.UnaryBinding(convertToType(types.StringType))), + decls.UnaryBinding(convertToType(types.StringType)), + decls.OverloadExamples(`string(-1.23e4) // '-12300'`)), decls.Overload(overloads.DurationToString, argTypes(types.DurationType), types.StringType, + decls.OverloadExamples(`string(duration('1h30m')) // '5400s'`), decls.UnaryBinding(convertToType(types.StringType))), decls.Overload(overloads.IntToString, argTypes(types.IntType), types.StringType, + decls.OverloadExamples(`string(-123) // '-123'`), decls.UnaryBinding(convertToType(types.StringType))), decls.Overload(overloads.TimestampToString, argTypes(types.TimestampType), types.StringType, + decls.OverloadExamples(`string(timestamp('1970-01-01T00:00:00Z')) // '1970-01-01T00:00:00Z'`), decls.UnaryBinding(convertToType(types.StringType))), decls.Overload(overloads.UintToString, argTypes(types.UintType), types.StringType, + decls.OverloadExamples(`string(123u) // '123'`), decls.UnaryBinding(convertToType(types.StringType)))), // Timestamp conversions function(overloads.TypeConvertTimestamp, + decls.FunctionDocs(`convert a value to a google.protobuf.Timestamp`), decls.Overload(overloads.TimestampToTimestamp, argTypes(types.TimestampType), types.TimestampType, + decls.OverloadExamples(`timestamp(timestamp('2023-01-01T00:00:00Z')) // timestamp('2023-01-01T00:00:00Z')`), decls.UnaryBinding(identity)), decls.Overload(overloads.IntToTimestamp, argTypes(types.IntType), types.TimestampType, + decls.OverloadExamples(`timestamp(1) // timestamp('1970-01-01T00:00:01Z')`), // Epoch seconds to Timestamp decls.UnaryBinding(convertToType(types.TimestampType))), decls.Overload(overloads.StringToTimestamp, argTypes(types.StringType), types.TimestampType, + decls.OverloadExamples(`timestamp('2025-01-01T12:34:56Z') // timestamp('2025-01-01T12:34:56Z')`), decls.UnaryBinding(convertToType(types.TimestampType)))), // Uint conversions function(overloads.TypeConvertUint, + decls.FunctionDocs(`convert a value to a uint`), decls.Overload(overloads.UintToUint, argTypes(types.UintType), types.UintType, + decls.OverloadExamples(`uint(123u) // 123u`), decls.UnaryBinding(identity)), decls.Overload(overloads.DoubleToUint, argTypes(types.DoubleType), types.UintType, + decls.OverloadExamples(`uint(123.45) // 123u`), decls.UnaryBinding(convertToType(types.UintType))), decls.Overload(overloads.IntToUint, argTypes(types.IntType), types.UintType, + decls.OverloadExamples(`uint(123) // 123u`), decls.UnaryBinding(convertToType(types.UintType))), decls.Overload(overloads.StringToUint, argTypes(types.StringType), types.UintType, + decls.OverloadExamples(`uint('123') // 123u`), decls.UnaryBinding(convertToType(types.UintType)))), // String functions function(overloads.Contains, + decls.FunctionDocs(`test whether a string contains a substring`), decls.MemberOverload(overloads.ContainsString, argTypes(types.StringType, types.StringType), types.BoolType, + decls.OverloadExamples( + `'hello world'.contains('o w') // true`, + `'hello world'.contains('goodbye') // false`), decls.BinaryBinding(types.StringContains)), decls.DisableTypeGuards(true)), function(overloads.EndsWith, + decls.FunctionDocs(`test whether a string ends with a substring suffix`), decls.MemberOverload(overloads.EndsWithString, argTypes(types.StringType, types.StringType), types.BoolType, + decls.OverloadExamples( + `'hello world'.endsWith('world') // true`, + `'hello world'.endsWith('hello') // false`), decls.BinaryBinding(types.StringEndsWith)), decls.DisableTypeGuards(true)), function(overloads.StartsWith, + decls.FunctionDocs(`test whether a string starts with a substring prefix`), decls.MemberOverload(overloads.StartsWithString, argTypes(types.StringType, types.StringType), types.BoolType, + decls.OverloadExamples( + `'hello world'.startsWith('hello') // true`, + `'hello world'.startsWith('world') // false`), decls.BinaryBinding(types.StringStartsWith)), decls.DisableTypeGuards(true)), function(overloads.Matches, - decls.Overload(overloads.Matches, argTypes(types.StringType, types.StringType), types.BoolType), + decls.FunctionDocs(`test whether a string matches an RE2 regular expression`), + decls.Overload(overloads.Matches, argTypes(types.StringType, types.StringType), types.BoolType, + decls.OverloadExamples( + `matches('123-456', '^[0-9]+(-[0-9]+)?$') // true`, + `matches('hello', '^h.*o$') // true`)), decls.MemberOverload(overloads.MatchesString, - argTypes(types.StringType, types.StringType), types.BoolType), + argTypes(types.StringType, types.StringType), types.BoolType, + decls.OverloadExamples( + `'123-456'.matches('^[0-9]+(-[0-9]+)?$') // true`, + `'hello'.matches('^h.*o$') // true`)), decls.SingletonBinaryBinding(func(str, pat ref.Val) ref.Val { return str.(traits.Matcher).Match(pat) }, traits.MatcherType)), // Timestamp / duration functions function(overloads.TimeGetFullYear, + decls.FunctionDocs(`get the 0-based full year from a timestamp, UTC unless an IANA timezone is specified.`), decls.MemberOverload(overloads.TimestampToYear, - argTypes(types.TimestampType), types.IntType), + argTypes(types.TimestampType), types.IntType, + decls.OverloadExamples(`timestamp('2023-07-14T10:30:45.123Z').getFullYear() // 2023`), + decls.UnaryBinding(func(ts ref.Val) ref.Val { + return timestampGetFullYear(ts, utcTZ) + })), decls.MemberOverload(overloads.TimestampToYearWithTz, - argTypes(types.TimestampType, types.StringType), types.IntType)), + argTypes(types.TimestampType, types.StringType), types.IntType, + decls.OverloadExamples(`timestamp('2023-01-01T05:30:00Z').getFullYear('-08:00') // 2022`), + decls.BinaryBinding(timestampGetFullYear))), function(overloads.TimeGetMonth, + decls.FunctionDocs(`get the 0-based month from a timestamp, UTC unless an IANA timezone is specified.`), decls.MemberOverload(overloads.TimestampToMonth, - argTypes(types.TimestampType), types.IntType), + argTypes(types.TimestampType), types.IntType, + decls.OverloadExamples(`timestamp('2023-07-14T10:30:45.123Z').getMonth() // 6`), // July is month 6 + decls.UnaryBinding(func(ts ref.Val) ref.Val { + return timestampGetMonth(ts, utcTZ) + })), decls.MemberOverload(overloads.TimestampToMonthWithTz, - argTypes(types.TimestampType, types.StringType), types.IntType)), + argTypes(types.TimestampType, types.StringType), types.IntType, + decls.OverloadExamples(`timestamp('2023-01-01T05:30:00Z').getMonth('America/Los_Angeles') // 11`), // December is month 11 + decls.BinaryBinding(timestampGetMonth))), function(overloads.TimeGetDayOfYear, + decls.FunctionDocs(`get the 0-based day of the year from a timestamp, UTC unless an IANA timezone is specified.`), decls.MemberOverload(overloads.TimestampToDayOfYear, - argTypes(types.TimestampType), types.IntType), + argTypes(types.TimestampType), types.IntType, + decls.OverloadExamples(`timestamp('2023-01-02T00:00:00Z').getDayOfYear() // 1`), + decls.UnaryBinding(func(ts ref.Val) ref.Val { + return timestampGetDayOfYear(ts, utcTZ) + })), decls.MemberOverload(overloads.TimestampToDayOfYearWithTz, - argTypes(types.TimestampType, types.StringType), types.IntType)), + argTypes(types.TimestampType, types.StringType), types.IntType, + decls.OverloadExamples(`timestamp('2023-01-01T05:00:00Z').getDayOfYear('America/Los_Angeles') // 364`), + decls.BinaryBinding(timestampGetDayOfYear))), function(overloads.TimeGetDayOfMonth, + decls.FunctionDocs(`get the 0-based day of the month from a timestamp, UTC unless an IANA timezone is specified.`), decls.MemberOverload(overloads.TimestampToDayOfMonthZeroBased, - argTypes(types.TimestampType), types.IntType), + argTypes(types.TimestampType), types.IntType, + decls.OverloadExamples(`timestamp('2023-07-14T10:30:45.123Z').getDayOfMonth() // 13`), + decls.UnaryBinding(func(ts ref.Val) ref.Val { + return timestampGetDayOfMonthZeroBased(ts, utcTZ) + })), decls.MemberOverload(overloads.TimestampToDayOfMonthZeroBasedWithTz, - argTypes(types.TimestampType, types.StringType), types.IntType)), + argTypes(types.TimestampType, types.StringType), types.IntType, + decls.OverloadExamples(`timestamp('2023-07-01T05:00:00Z').getDayOfMonth('America/Los_Angeles') // 29`), + decls.BinaryBinding(timestampGetDayOfMonthZeroBased))), function(overloads.TimeGetDate, + decls.FunctionDocs(`get the 1-based day of the month from a timestamp, UTC unless an IANA timezone is specified.`), decls.MemberOverload(overloads.TimestampToDayOfMonthOneBased, - argTypes(types.TimestampType), types.IntType), + argTypes(types.TimestampType), types.IntType, + decls.OverloadExamples(`timestamp('2023-07-14T10:30:45.123Z').getDate() // 14`), + decls.UnaryBinding(func(ts ref.Val) ref.Val { + return timestampGetDayOfMonthOneBased(ts, utcTZ) + })), decls.MemberOverload(overloads.TimestampToDayOfMonthOneBasedWithTz, - argTypes(types.TimestampType, types.StringType), types.IntType)), + argTypes(types.TimestampType, types.StringType), types.IntType, + decls.OverloadExamples(`timestamp('2023-07-01T05:00:00Z').getDate('America/Los_Angeles') // 30`), + decls.BinaryBinding(timestampGetDayOfMonthOneBased))), function(overloads.TimeGetDayOfWeek, + decls.FunctionDocs(`get the 0-based day of the week from a timestamp, UTC unless an IANA timezone is specified.`), decls.MemberOverload(overloads.TimestampToDayOfWeek, - argTypes(types.TimestampType), types.IntType), + argTypes(types.TimestampType), types.IntType, + decls.OverloadExamples(`timestamp('2023-07-14T10:30:45.123Z').getDayOfWeek() // 5`), // Friday is day 5 + decls.UnaryBinding(func(ts ref.Val) ref.Val { + return timestampGetDayOfWeek(ts, utcTZ) + })), decls.MemberOverload(overloads.TimestampToDayOfWeekWithTz, - argTypes(types.TimestampType, types.StringType), types.IntType)), + argTypes(types.TimestampType, types.StringType), types.IntType, + decls.OverloadExamples(`timestamp('2023-07-16T05:00:00Z').getDayOfWeek('America/Los_Angeles') // 6`), // Saturday is day 6 + decls.BinaryBinding(timestampGetDayOfWeek))), function(overloads.TimeGetHours, + decls.FunctionDocs(`get the hours portion from a timestamp, or convert a duration to hours`), decls.MemberOverload(overloads.TimestampToHours, - argTypes(types.TimestampType), types.IntType), + argTypes(types.TimestampType), types.IntType, + decls.OverloadExamples(`timestamp('2023-07-14T10:30:45.123Z').getHours() // 10`), + decls.UnaryBinding(func(ts ref.Val) ref.Val { + return timestampGetHours(ts, utcTZ) + })), decls.MemberOverload(overloads.TimestampToHoursWithTz, - argTypes(types.TimestampType, types.StringType), types.IntType), + argTypes(types.TimestampType, types.StringType), types.IntType, + decls.OverloadExamples(`timestamp('2023-07-14T10:30:45.123Z').getHours('America/Los_Angeles') // 2`), + decls.BinaryBinding(timestampGetHours)), decls.MemberOverload(overloads.DurationToHours, - argTypes(types.DurationType), types.IntType)), + argTypes(types.DurationType), types.IntType, + decls.OverloadExamples(`duration('3723s').getHours() // 1`), + decls.UnaryBinding(types.DurationGetHours))), function(overloads.TimeGetMinutes, + decls.FunctionDocs(`get the minutes portion from a timestamp, or convert a duration to minutes`), decls.MemberOverload(overloads.TimestampToMinutes, - argTypes(types.TimestampType), types.IntType), + argTypes(types.TimestampType), types.IntType, + decls.OverloadExamples(`timestamp('2023-07-14T10:30:45.123Z').getMinutes() // 30`), + decls.UnaryBinding(func(ts ref.Val) ref.Val { + return timestampGetMinutes(ts, utcTZ) + })), decls.MemberOverload(overloads.TimestampToMinutesWithTz, - argTypes(types.TimestampType, types.StringType), types.IntType), + argTypes(types.TimestampType, types.StringType), types.IntType, + decls.OverloadExamples(`timestamp('2023-07-14T10:30:45.123Z').getMinutes('America/Los_Angeles') // 30`), + decls.BinaryBinding(timestampGetMinutes)), decls.MemberOverload(overloads.DurationToMinutes, - argTypes(types.DurationType), types.IntType)), + argTypes(types.DurationType), types.IntType, + decls.OverloadExamples(`duration('3723s').getMinutes() // 62`), + decls.UnaryBinding(types.DurationGetMinutes))), function(overloads.TimeGetSeconds, + decls.FunctionDocs(`get the seconds portion from a timestamp, or convert a duration to seconds`), decls.MemberOverload(overloads.TimestampToSeconds, - argTypes(types.TimestampType), types.IntType), + argTypes(types.TimestampType), types.IntType, + decls.OverloadExamples(`timestamp('2023-07-14T10:30:45.123Z').getSeconds() // 45`), + decls.UnaryBinding(func(ts ref.Val) ref.Val { + return timestampGetSeconds(ts, utcTZ) + })), decls.MemberOverload(overloads.TimestampToSecondsWithTz, - argTypes(types.TimestampType, types.StringType), types.IntType), + argTypes(types.TimestampType, types.StringType), types.IntType, + decls.OverloadExamples(`timestamp('2023-07-14T10:30:45.123Z').getSeconds('America/Los_Angeles') // 45`), + decls.BinaryBinding(timestampGetSeconds)), decls.MemberOverload(overloads.DurationToSeconds, - argTypes(types.DurationType), types.IntType)), + argTypes(types.DurationType), types.IntType, + decls.OverloadExamples(`duration('3723.456s').getSeconds() // 3723`), + decls.UnaryBinding(types.DurationGetSeconds))), function(overloads.TimeGetMilliseconds, + decls.FunctionDocs(`get the milliseconds portion from a timestamp`), decls.MemberOverload(overloads.TimestampToMilliseconds, - argTypes(types.TimestampType), types.IntType), + argTypes(types.TimestampType), types.IntType, + decls.OverloadExamples(`timestamp('2023-07-14T10:30:45.123Z').getMilliseconds() // 123`), + decls.UnaryBinding(func(ts ref.Val) ref.Val { + return timestampGetMilliseconds(ts, utcTZ) + })), decls.MemberOverload(overloads.TimestampToMillisecondsWithTz, - argTypes(types.TimestampType, types.StringType), types.IntType), + argTypes(types.TimestampType, types.StringType), types.IntType, + decls.OverloadExamples(`timestamp('2023-07-14T10:30:45.123Z').getMilliseconds('America/Los_Angeles') // 123`), + decls.BinaryBinding(timestampGetMilliseconds)), decls.MemberOverload(overloads.DurationToMilliseconds, - argTypes(types.DurationType), types.IntType)), + argTypes(types.DurationType), types.IntType, + decls.UnaryBinding(types.DurationGetMilliseconds))), } } @@ -618,3 +941,118 @@ func convertToType(t ref.Type) functions.UnaryOp { return val.ConvertToType(t) } } + +func timestampGetFullYear(ts, tz ref.Val) ref.Val { + t, err := inTimeZone(ts, tz) + if err != nil { + return types.NewErrFromString(err.Error()) + } + return types.Int(t.Year()) +} + +func timestampGetMonth(ts, tz ref.Val) ref.Val { + t, err := inTimeZone(ts, tz) + if err != nil { + return types.NewErrFromString(err.Error()) + } + // CEL spec indicates that the month should be 0-based, but the Time value + // for Month() is 1-based. + return types.Int(t.Month() - 1) +} + +func timestampGetDayOfYear(ts, tz ref.Val) ref.Val { + t, err := inTimeZone(ts, tz) + if err != nil { + return types.NewErrFromString(err.Error()) + } + return types.Int(t.YearDay() - 1) +} + +func timestampGetDayOfMonthZeroBased(ts, tz ref.Val) ref.Val { + t, err := inTimeZone(ts, tz) + if err != nil { + return types.NewErrFromString(err.Error()) + } + return types.Int(t.Day() - 1) +} + +func timestampGetDayOfMonthOneBased(ts, tz ref.Val) ref.Val { + t, err := inTimeZone(ts, tz) + if err != nil { + return types.NewErrFromString(err.Error()) + } + return types.Int(t.Day()) +} + +func timestampGetDayOfWeek(ts, tz ref.Val) ref.Val { + t, err := inTimeZone(ts, tz) + if err != nil { + return types.NewErrFromString(err.Error()) + } + return types.Int(t.Weekday()) +} + +func timestampGetHours(ts, tz ref.Val) ref.Val { + t, err := inTimeZone(ts, tz) + if err != nil { + return types.NewErrFromString(err.Error()) + } + return types.Int(t.Hour()) +} + +func timestampGetMinutes(ts, tz ref.Val) ref.Val { + t, err := inTimeZone(ts, tz) + if err != nil { + return types.NewErrFromString(err.Error()) + } + return types.Int(t.Minute()) +} + +func timestampGetSeconds(ts, tz ref.Val) ref.Val { + t, err := inTimeZone(ts, tz) + if err != nil { + return types.NewErrFromString(err.Error()) + } + return types.Int(t.Second()) +} + +func timestampGetMilliseconds(ts, tz ref.Val) ref.Val { + t, err := inTimeZone(ts, tz) + if err != nil { + return types.NewErrFromString(err.Error()) + } + return types.Int(t.Nanosecond() / 1000000) +} + +func inTimeZone(ts, tz ref.Val) (time.Time, error) { + t := ts.(types.Timestamp) + val := string(tz.(types.String)) + ind := strings.Index(val, ":") + if ind == -1 { + loc, err := time.LoadLocation(val) + if err != nil { + return time.Time{}, err + } + return t.In(loc), nil + } + + // If the input is not the name of a timezone (for example, 'US/Central'), it should be a numerical offset from UTC + // in the format ^(+|-)(0[0-9]|1[0-4]):[0-5][0-9]$. The numerical input is parsed in terms of hours and minutes. + hr, err := strconv.Atoi(string(val[0:ind])) + if err != nil { + return time.Time{}, err + } + min, err := strconv.Atoi(string(val[ind+1:])) + if err != nil { + return time.Time{}, err + } + var offset int + if string(val[0]) == "-" { + offset = hr*60 - min + } else { + offset = hr*60 + min + } + secondsEastOfUTC := int((time.Duration(offset) * time.Minute).Seconds()) + timezone := time.FixedZone("", secondsEastOfUTC) + return t.In(timezone), nil +} diff --git a/vendor/github.com/google/cel-go/common/types/BUILD.bazel b/vendor/github.com/google/cel-go/common/types/BUILD.bazel index 8f010fae4..7082bc755 100644 --- a/vendor/github.com/google/cel-go/common/types/BUILD.bazel +++ b/vendor/github.com/google/cel-go/common/types/BUILD.bazel @@ -18,6 +18,7 @@ go_library( "int.go", "iterator.go", "json_value.go", + "format.go", "list.go", "map.go", "null.go", diff --git a/vendor/github.com/google/cel-go/common/types/bool.go b/vendor/github.com/google/cel-go/common/types/bool.go index 565734f3f..1f9e10739 100644 --- a/vendor/github.com/google/cel-go/common/types/bool.go +++ b/vendor/github.com/google/cel-go/common/types/bool.go @@ -18,6 +18,7 @@ import ( "fmt" "reflect" "strconv" + "strings" "github.com/google/cel-go/common/types/ref" @@ -128,6 +129,14 @@ func (b Bool) Value() any { return bool(b) } +func (b Bool) format(sb *strings.Builder) { + if b { + sb.WriteString("true") + } else { + sb.WriteString("false") + } +} + // IsBool returns whether the input ref.Val or ref.Type is equal to BoolType. func IsBool(elem ref.Val) bool { switch v := elem.(type) { diff --git a/vendor/github.com/google/cel-go/common/types/bytes.go b/vendor/github.com/google/cel-go/common/types/bytes.go index 7e813e291..b59e1fc20 100644 --- a/vendor/github.com/google/cel-go/common/types/bytes.go +++ b/vendor/github.com/google/cel-go/common/types/bytes.go @@ -19,6 +19,7 @@ import ( "encoding/base64" "fmt" "reflect" + "strings" "unicode/utf8" "github.com/google/cel-go/common/types/ref" @@ -138,3 +139,17 @@ func (b Bytes) Type() ref.Type { func (b Bytes) Value() any { return []byte(b) } + +func (b Bytes) format(sb *strings.Builder) { + fmt.Fprintf(sb, "b\"%s\"", bytesToOctets([]byte(b))) +} + +// bytesToOctets converts byte sequences to a string using a three digit octal encoded value +// per byte. +func bytesToOctets(byteVal []byte) string { + var b strings.Builder + for _, c := range byteVal { + fmt.Fprintf(&b, "\\%03o", c) + } + return b.String() +} diff --git a/vendor/github.com/google/cel-go/common/types/double.go b/vendor/github.com/google/cel-go/common/types/double.go index 027e78978..1e7de9d6e 100644 --- a/vendor/github.com/google/cel-go/common/types/double.go +++ b/vendor/github.com/google/cel-go/common/types/double.go @@ -18,6 +18,8 @@ import ( "fmt" "math" "reflect" + "strconv" + "strings" "github.com/google/cel-go/common/types/ref" @@ -209,3 +211,23 @@ func (d Double) Type() ref.Type { func (d Double) Value() any { return float64(d) } + +func (d Double) format(sb *strings.Builder) { + if math.IsNaN(float64(d)) { + sb.WriteString(`double("NaN")`) + return + } + if math.IsInf(float64(d), -1) { + sb.WriteString(`double("-Infinity")`) + return + } + if math.IsInf(float64(d), 1) { + sb.WriteString(`double("Infinity")`) + return + } + s := strconv.FormatFloat(float64(d), 'f', -1, 64) + sb.WriteString(s) + if !strings.ContainsRune(s, '.') { + sb.WriteString(".0") + } +} diff --git a/vendor/github.com/google/cel-go/common/types/duration.go b/vendor/github.com/google/cel-go/common/types/duration.go index 596e56d6b..be58d567e 100644 --- a/vendor/github.com/google/cel-go/common/types/duration.go +++ b/vendor/github.com/google/cel-go/common/types/duration.go @@ -18,6 +18,7 @@ import ( "fmt" "reflect" "strconv" + "strings" "time" "github.com/google/cel-go/common/overloads" @@ -185,6 +186,10 @@ func (d Duration) Value() any { return d.Duration } +func (d Duration) format(sb *strings.Builder) { + fmt.Fprintf(sb, `duration("%ss")`, strconv.FormatFloat(d.Seconds(), 'f', -1, 64)) +} + // DurationGetHours returns the duration in hours. func DurationGetHours(val ref.Val) ref.Val { dur, ok := val.(Duration) diff --git a/vendor/github.com/google/cel-go/common/types/format.go b/vendor/github.com/google/cel-go/common/types/format.go new file mode 100644 index 000000000..174a2bd04 --- /dev/null +++ b/vendor/github.com/google/cel-go/common/types/format.go @@ -0,0 +1,42 @@ +package types + +import ( + "fmt" + "strings" + + "github.com/google/cel-go/common/types/ref" + "github.com/google/cel-go/common/types/traits" +) + +type formattable interface { + format(*strings.Builder) +} + +// Format formats the value as a string. The result is only intended for human consumption and ignores errors. +// Do not depend on the output being stable. It may change at any time. +func Format(val ref.Val) string { + var sb strings.Builder + formatTo(&sb, val) + return sb.String() +} + +func formatTo(sb *strings.Builder, val ref.Val) { + if fmtable, ok := val.(formattable); ok { + fmtable.format(sb) + return + } + // All of the builtins implement formattable. Try to deal with traits. + if l, ok := val.(traits.Lister); ok { + formatList(l, sb) + return + } + if m, ok := val.(traits.Mapper); ok { + formatMap(m, sb) + return + } + // This could be an error, unknown, opaque or object. + // Unfortunately we have no consistent way of inspecting + // opaque and object. So we just fallback to fmt.Stringer + // and hope it is relavent. + fmt.Fprintf(sb, "%s", val) +} diff --git a/vendor/github.com/google/cel-go/common/types/int.go b/vendor/github.com/google/cel-go/common/types/int.go index 0ae9507c3..0ac1997b7 100644 --- a/vendor/github.com/google/cel-go/common/types/int.go +++ b/vendor/github.com/google/cel-go/common/types/int.go @@ -19,6 +19,7 @@ import ( "math" "reflect" "strconv" + "strings" "time" "github.com/google/cel-go/common/types/ref" @@ -290,6 +291,10 @@ func (i Int) Value() any { return int64(i) } +func (i Int) format(sb *strings.Builder) { + sb.WriteString(strconv.FormatInt(int64(i), 10)) +} + // isJSONSafe indicates whether the int is safely representable as a floating point value in JSON. func (i Int) isJSONSafe() bool { return i >= minIntJSON && i <= maxIntJSON diff --git a/vendor/github.com/google/cel-go/common/types/list.go b/vendor/github.com/google/cel-go/common/types/list.go index 7e68a5daf..8c023f891 100644 --- a/vendor/github.com/google/cel-go/common/types/list.go +++ b/vendor/github.com/google/cel-go/common/types/list.go @@ -299,6 +299,22 @@ func (l *baseList) String() string { return sb.String() } +func formatList(l traits.Lister, sb *strings.Builder) { + sb.WriteString("[") + n, _ := l.Size().(Int) + for i := 0; i < int(n); i++ { + formatTo(sb, l.Get(Int(i))) + if i != int(n)-1 { + sb.WriteString(", ") + } + } + sb.WriteString("]") +} + +func (l *baseList) format(sb *strings.Builder) { + formatList(l, sb) +} + // mutableList aggregates values into its internal storage. For use with internal CEL variables only. type mutableList struct { *baseList diff --git a/vendor/github.com/google/cel-go/common/types/map.go b/vendor/github.com/google/cel-go/common/types/map.go index cb6cce78b..b33096197 100644 --- a/vendor/github.com/google/cel-go/common/types/map.go +++ b/vendor/github.com/google/cel-go/common/types/map.go @@ -17,6 +17,7 @@ package types import ( "fmt" "reflect" + "sort" "strings" "github.com/stoewer/go-strcase" @@ -318,6 +319,41 @@ func (m *baseMap) String() string { return sb.String() } +type baseMapEntry struct { + key string + val string +} + +func formatMap(m traits.Mapper, sb *strings.Builder) { + it := m.Iterator() + var ents []baseMapEntry + if s, ok := m.Size().(Int); ok { + ents = make([]baseMapEntry, 0, int(s)) + } + for it.HasNext() == True { + k := it.Next() + v, _ := m.Find(k) + ents = append(ents, baseMapEntry{Format(k), Format(v)}) + } + sort.SliceStable(ents, func(i, j int) bool { + return ents[i].key < ents[j].key + }) + sb.WriteString("{") + for i, ent := range ents { + if i > 0 { + sb.WriteString(", ") + } + sb.WriteString(ent.key) + sb.WriteString(": ") + sb.WriteString(ent.val) + } + sb.WriteString("}") +} + +func (m *baseMap) format(sb *strings.Builder) { + formatMap(m, sb) +} + // Type implements the ref.Val interface method. func (m *baseMap) Type() ref.Type { return MapType diff --git a/vendor/github.com/google/cel-go/common/types/null.go b/vendor/github.com/google/cel-go/common/types/null.go index 36514ff20..2c0297fe6 100644 --- a/vendor/github.com/google/cel-go/common/types/null.go +++ b/vendor/github.com/google/cel-go/common/types/null.go @@ -17,6 +17,7 @@ package types import ( "fmt" "reflect" + "strings" "google.golang.org/protobuf/proto" @@ -117,3 +118,7 @@ func (n Null) Type() ref.Type { func (n Null) Value() any { return structpb.NullValue_NULL_VALUE } + +func (n Null) format(sb *strings.Builder) { + sb.WriteString("null") +} diff --git a/vendor/github.com/google/cel-go/common/types/object.go b/vendor/github.com/google/cel-go/common/types/object.go index 5377bff8d..776f6954a 100644 --- a/vendor/github.com/google/cel-go/common/types/object.go +++ b/vendor/github.com/google/cel-go/common/types/object.go @@ -17,9 +17,12 @@ package types import ( "fmt" "reflect" + "sort" + "strings" "google.golang.org/protobuf/encoding/protojson" "google.golang.org/protobuf/proto" + "google.golang.org/protobuf/reflect/protoreflect" "github.com/google/cel-go/common/types/pb" "github.com/google/cel-go/common/types/ref" @@ -163,3 +166,29 @@ func (o *protoObj) Type() ref.Type { func (o *protoObj) Value() any { return o.value } + +type protoObjField struct { + fd protoreflect.FieldDescriptor + v protoreflect.Value +} + +func (o *protoObj) format(sb *strings.Builder) { + var fields []protoreflect.FieldDescriptor + o.value.ProtoReflect().Range(func(fd protoreflect.FieldDescriptor, v protoreflect.Value) bool { + fields = append(fields, fd) + return true + }) + sort.SliceStable(fields, func(i, j int) bool { + return fields[i].Number() < fields[j].Number() + }) + sb.WriteString(o.Type().TypeName()) + sb.WriteString("{") + for i, field := range fields { + if i > 0 { + sb.WriteString(", ") + } + sb.WriteString(fmt.Sprintf("%s: ", field.Name())) + formatTo(sb, o.Get(String(field.Name()))) + } + sb.WriteString("}") +} diff --git a/vendor/github.com/google/cel-go/common/types/optional.go b/vendor/github.com/google/cel-go/common/types/optional.go index 97845a740..b8685ebf5 100644 --- a/vendor/github.com/google/cel-go/common/types/optional.go +++ b/vendor/github.com/google/cel-go/common/types/optional.go @@ -18,6 +18,7 @@ import ( "errors" "fmt" "reflect" + "strings" "github.com/google/cel-go/common/types/ref" ) @@ -94,6 +95,16 @@ func (o *Optional) String() string { return "optional.none()" } +func (o *Optional) format(sb *strings.Builder) { + if o.HasValue() { + sb.WriteString(`optional.of(`) + formatTo(sb, o.GetValue()) + sb.WriteString(`)`) + } else { + sb.WriteString("optional.none()") + } +} + // Type implements the ref.Val interface method. func (o *Optional) Type() ref.Type { return OptionalType diff --git a/vendor/github.com/google/cel-go/common/types/string.go b/vendor/github.com/google/cel-go/common/types/string.go index 3a93743f2..8aad4701c 100644 --- a/vendor/github.com/google/cel-go/common/types/string.go +++ b/vendor/github.com/google/cel-go/common/types/string.go @@ -186,6 +186,10 @@ func (s String) Value() any { return string(s) } +func (s String) format(sb *strings.Builder) { + sb.WriteString(strconv.Quote(string(s))) +} + // StringContains returns whether the string contains a substring. func StringContains(s, sub ref.Val) ref.Val { str, ok := s.(String) diff --git a/vendor/github.com/google/cel-go/common/types/timestamp.go b/vendor/github.com/google/cel-go/common/types/timestamp.go index 33acdea8e..f7be58591 100644 --- a/vendor/github.com/google/cel-go/common/types/timestamp.go +++ b/vendor/github.com/google/cel-go/common/types/timestamp.go @@ -179,6 +179,10 @@ func (t Timestamp) Value() any { return t.Time } +func (t Timestamp) format(sb *strings.Builder) { + fmt.Fprintf(sb, `timestamp("%s")`, t.Time.UTC().Format(time.RFC3339Nano)) +} + var ( timestampValueType = reflect.TypeOf(&tpb.Timestamp{}) diff --git a/vendor/github.com/google/cel-go/common/types/types.go b/vendor/github.com/google/cel-go/common/types/types.go index f419beabd..78c77a9b5 100644 --- a/vendor/github.com/google/cel-go/common/types/types.go +++ b/vendor/github.com/google/cel-go/common/types/types.go @@ -164,9 +164,9 @@ var ( traits.SubtractorType, } // ListType represents the runtime list type. - ListType = NewListType(nil) + ListType = NewListType(DynType) // MapType represents the runtime map type. - MapType = NewMapType(nil, nil) + MapType = NewMapType(DynType, DynType) // NullType represents the type of a null value. NullType = &Type{ kind: NullTypeKind, @@ -376,6 +376,10 @@ func (t *Type) TypeName() string { return t.runtimeTypeName } +func (t *Type) format(sb *strings.Builder) { + sb.WriteString(t.TypeName()) +} + // WithTraits creates a copy of the current Type and sets the trait mask to the traits parameter. // // This method should be used with Opaque types where the type acts like a container, e.g. vector. @@ -395,6 +399,9 @@ func (t *Type) WithTraits(traits int) *Type { // String returns a human-readable definition of the type name. func (t *Type) String() string { + if t.Kind() == TypeParamKind { + return fmt.Sprintf("<%s>", t.DeclaredTypeName()) + } if len(t.Parameters()) == 0 { return t.DeclaredTypeName() } diff --git a/vendor/github.com/google/cel-go/common/types/uint.go b/vendor/github.com/google/cel-go/common/types/uint.go index 6d74f30d8..a93405a13 100644 --- a/vendor/github.com/google/cel-go/common/types/uint.go +++ b/vendor/github.com/google/cel-go/common/types/uint.go @@ -19,6 +19,7 @@ import ( "math" "reflect" "strconv" + "strings" "github.com/google/cel-go/common/types/ref" @@ -250,6 +251,11 @@ func (i Uint) Value() any { return uint64(i) } +func (i Uint) format(sb *strings.Builder) { + sb.WriteString(strconv.FormatUint(uint64(i), 10)) + sb.WriteString("u") +} + // isJSONSafe indicates whether the uint is safely representable as a floating point value in JSON. func (i Uint) isJSONSafe() bool { return i <= maxIntJSON diff --git a/vendor/github.com/google/cel-go/ext/BUILD.bazel b/vendor/github.com/google/cel-go/ext/BUILD.bazel index b764fa1f5..ef4f4ec3d 100644 --- a/vendor/github.com/google/cel-go/ext/BUILD.bazel +++ b/vendor/github.com/google/cel-go/ext/BUILD.bazel @@ -10,12 +10,15 @@ go_library( "bindings.go", "comprehensions.go", "encoders.go", + "extension_option_factory.go", "formatting.go", + "formatting_v2.go", "guards.go", "lists.go", "math.go", "native.go", "protos.go", + "regex.go", "sets.go", "strings.go", ], @@ -24,10 +27,12 @@ go_library( deps = [ "//cel:go_default_library", "//checker:go_default_library", + "//common:go_default_library", "//common/ast:go_default_library", "//common/decls:go_default_library", - "//common/overloads:go_default_library", + "//common/env:go_default_library", "//common/operators:go_default_library", + "//common/overloads:go_default_library", "//common/types:go_default_library", "//common/types/pb:go_default_library", "//common/types/ref:go_default_library", @@ -48,11 +53,15 @@ go_test( srcs = [ "bindings_test.go", "comprehensions_test.go", - "encoders_test.go", + "encoders_test.go", + "extension_option_factory_test.go", + "formatting_test.go", + "formatting_v2_test.go", "lists_test.go", "math_test.go", "native_test.go", "protos_test.go", + "regex_test.go", "sets_test.go", "strings_test.go", ], @@ -62,14 +71,16 @@ go_test( deps = [ "//cel:go_default_library", "//checker:go_default_library", + "//common:go_default_library", + "//common/env:go_default_library", "//common/types:go_default_library", "//common/types/ref:go_default_library", "//common/types/traits:go_default_library", "//test:go_default_library", "//test/proto2pb:go_default_library", "//test/proto3pb:go_default_library", + "@org_golang_google_protobuf//encoding/protojson:go_default_library", "@org_golang_google_protobuf//proto:go_default_library", "@org_golang_google_protobuf//types/known/wrapperspb:go_default_library", - "@org_golang_google_protobuf//encoding/protojson:go_default_library", ], ) diff --git a/vendor/github.com/google/cel-go/ext/README.md b/vendor/github.com/google/cel-go/ext/README.md index 4620204fc..41ae6a314 100644 --- a/vendor/github.com/google/cel-go/ext/README.md +++ b/vendor/github.com/google/cel-go/ext/README.md @@ -356,6 +356,23 @@ Examples: math.isFinite(0.0/0.0) // returns false math.isFinite(1.2) // returns true +### Math.Sqrt + +Introduced at version: 2 + +Returns the square root of the given input as double +Throws error for negative or non-numeric inputs + + math.sqrt() -> + math.sqrt() -> + math.sqrt() -> + +Examples: + + math.sqrt(81) // returns 9.0 + math.sqrt(985.25) // returns 31.388692231439016 + math.sqrt(-15) // returns NaN + ## Protos Protos configure extended macros and functions for proto manipulation. @@ -395,7 +412,7 @@ zero-based. ### Distinct -**Introduced in version 2** +**Introduced in version 2 (cost support in version 3)** Returns the distinct elements of a list. @@ -409,7 +426,7 @@ Examples: ### Flatten -**Introduced in version 1** +**Introduced in version 1 (cost support in version 3)** Flattens a list recursively. If an optional depth is provided, the list is flattened to a the specificied level. @@ -428,7 +445,7 @@ Examples: ### Range -**Introduced in version 2** +**Introduced in version 2 (cost support in version 3)** Returns a list of integers from 0 to n-1. @@ -441,7 +458,7 @@ Examples: ### Reverse -**Introduced in version 2** +**Introduced in version 2 (cost support in version 3)** Returns the elements of a list in reverse order. @@ -454,6 +471,7 @@ Examples: ### Slice +**Introduced in version 0 (cost support in version 3)** Returns a new sub-list using the indexes provided. @@ -466,7 +484,7 @@ Examples: ### Sort -**Introduced in version 2** +**Introduced in version 2 (cost support in version 3)** Sorts a list with comparable elements. If the element type is not comparable or the element types are not the same, the function will produce an error. @@ -483,7 +501,7 @@ Examples: ### SortBy -**Introduced in version 2** +**Introduced in version 2 (cost support in version 3)** Sorts a list by a key value, i.e., the order is determined by the result of an expression applied to each element of the list. diff --git a/vendor/github.com/google/cel-go/ext/bindings.go b/vendor/github.com/google/cel-go/ext/bindings.go index 50cf4fb3d..63942b85c 100644 --- a/vendor/github.com/google/cel-go/ext/bindings.go +++ b/vendor/github.com/google/cel-go/ext/bindings.go @@ -149,7 +149,7 @@ type blockValidationExemption struct{} // Name returns the name of the validator. func (blockValidationExemption) Name() string { - return "cel.lib.ext.validate.functions.cel.block" + return "cel.validator.cel_block" } // Configure implements the ASTValidatorConfigurer interface and augments the list of functions to skip @@ -224,7 +224,7 @@ func (b *dynamicBlock) ID() int64 { } // Eval implements the Interpretable interface method. -func (b *dynamicBlock) Eval(activation interpreter.Activation) ref.Val { +func (b *dynamicBlock) Eval(activation cel.Activation) ref.Val { sa := b.slotActivationPool.Get().(*dynamicSlotActivation) sa.Activation = activation defer b.clearSlots(sa) @@ -242,7 +242,7 @@ type slotVal struct { } type dynamicSlotActivation struct { - interpreter.Activation + cel.Activation slotExprs []interpreter.Interpretable slotCount int slotVals []*slotVal @@ -295,13 +295,13 @@ func (b *constantBlock) ID() int64 { // Eval implements the interpreter.Interpretable interface method, and will proxy @index prefixed variable // lookups into a set of constant slots determined from the plan step. -func (b *constantBlock) Eval(activation interpreter.Activation) ref.Val { +func (b *constantBlock) Eval(activation cel.Activation) ref.Val { vars := constantSlotActivation{Activation: activation, slots: b.slots, slotCount: b.slotCount} return b.expr.Eval(vars) } type constantSlotActivation struct { - interpreter.Activation + cel.Activation slots traits.Lister slotCount int } diff --git a/vendor/github.com/google/cel-go/ext/extension_option_factory.go b/vendor/github.com/google/cel-go/ext/extension_option_factory.go new file mode 100644 index 000000000..cebf0d760 --- /dev/null +++ b/vendor/github.com/google/cel-go/ext/extension_option_factory.go @@ -0,0 +1,75 @@ +// Copyright 2025 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// https://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package ext + +import ( + "fmt" + + "github.com/google/cel-go/cel" + "github.com/google/cel-go/common/env" +) + +// ExtensionOptionFactory converts an ExtensionConfig value to a CEL environment option. +func ExtensionOptionFactory(configElement any) (cel.EnvOption, bool) { + ext, isExtension := configElement.(*env.Extension) + if !isExtension { + return nil, false + } + fac, found := extFactories[ext.Name] + if !found { + return nil, false + } + // If the version is 'latest', set the version value to the max uint. + ver, err := ext.VersionNumber() + if err != nil { + return func(*cel.Env) (*cel.Env, error) { + return nil, fmt.Errorf("invalid extension version: %s - %s", ext.Name, ext.Version) + }, true + } + return fac(ver), true +} + +// extensionFactory accepts a version and produces a CEL environment associated with the versioned extension. +type extensionFactory func(uint32) cel.EnvOption + +var extFactories = map[string]extensionFactory{ + "bindings": func(version uint32) cel.EnvOption { + return Bindings(BindingsVersion(version)) + }, + "encoders": func(version uint32) cel.EnvOption { + return Encoders(EncodersVersion(version)) + }, + "lists": func(version uint32) cel.EnvOption { + return Lists(ListsVersion(version)) + }, + "math": func(version uint32) cel.EnvOption { + return Math(MathVersion(version)) + }, + "protos": func(version uint32) cel.EnvOption { + return Protos(ProtosVersion(version)) + }, + "sets": func(version uint32) cel.EnvOption { + return Sets(SetsVersion(version)) + }, + "strings": func(version uint32) cel.EnvOption { + return Strings(StringsVersion(version)) + }, + "two-var-comprehensions": func(version uint32) cel.EnvOption { + return TwoVarComprehensions(TwoVarComprehensionsVersion(version)) + }, + "regex": func(version uint32) cel.EnvOption { + return Regex(RegexVersion(version)) + }, +} diff --git a/vendor/github.com/google/cel-go/ext/formatting.go b/vendor/github.com/google/cel-go/ext/formatting.go index 932d562ec..111184b73 100644 --- a/vendor/github.com/google/cel-go/ext/formatting.go +++ b/vendor/github.com/google/cel-go/ext/formatting.go @@ -268,14 +268,17 @@ func makeMatcher(locale string) (language.Matcher, error) { type stringFormatter struct{} +// String implements formatStringInterpolator.String. func (c *stringFormatter) String(arg ref.Val, locale string) (string, error) { return FormatString(arg, locale) } +// Decimal implements formatStringInterpolator.Decimal. func (c *stringFormatter) Decimal(arg ref.Val, locale string) (string, error) { return formatDecimal(arg, locale) } +// Fixed implements formatStringInterpolator.Fixed. func (c *stringFormatter) Fixed(precision *int) func(ref.Val, string) (string, error) { if precision == nil { precision = new(int) @@ -307,6 +310,7 @@ func (c *stringFormatter) Fixed(precision *int) func(ref.Val, string) (string, e } } +// Scientific implements formatStringInterpolator.Scientific. func (c *stringFormatter) Scientific(precision *int) func(ref.Val, string) (string, error) { if precision == nil { precision = new(int) @@ -337,6 +341,7 @@ func (c *stringFormatter) Scientific(precision *int) func(ref.Val, string) (stri } } +// Binary implements formatStringInterpolator.Binary. func (c *stringFormatter) Binary(arg ref.Val, locale string) (string, error) { switch arg.Type() { case types.IntType: @@ -358,6 +363,7 @@ func (c *stringFormatter) Binary(arg ref.Val, locale string) (string, error) { } } +// Hex implements formatStringInterpolator.Hex. func (c *stringFormatter) Hex(useUpper bool) func(ref.Val, string) (string, error) { return func(arg ref.Val, locale string) (string, error) { fmtStr := "%x" @@ -388,6 +394,7 @@ func (c *stringFormatter) Hex(useUpper bool) func(ref.Val, string) (string, erro } } +// Octal implements formatStringInterpolator.Octal. func (c *stringFormatter) Octal(arg ref.Val, locale string) (string, error) { switch arg.Type() { case types.IntType: @@ -407,7 +414,7 @@ type stringFormatValidator struct{} // Name returns the name of the validator. func (stringFormatValidator) Name() string { - return "cel.lib.ext.validate.functions.string.format" + return "cel.validator.string_format" } // Configure implements the ASTValidatorConfigurer interface and augments the list of functions to skip @@ -504,6 +511,7 @@ type stringFormatChecker struct { ast *ast.AST } +// String implements formatStringInterpolator.String. func (c *stringFormatChecker) String(arg ref.Val, locale string) (string, error) { formatArg := c.args[c.currArgIndex] valid, badID := c.verifyString(formatArg) @@ -513,6 +521,7 @@ func (c *stringFormatChecker) String(arg ref.Val, locale string) (string, error) return "", nil } +// Decimal implements formatStringInterpolator.Decimal. func (c *stringFormatChecker) Decimal(arg ref.Val, locale string) (string, error) { id := c.args[c.currArgIndex].ID() valid := c.verifyTypeOneOf(id, types.IntType, types.UintType) @@ -522,6 +531,7 @@ func (c *stringFormatChecker) Decimal(arg ref.Val, locale string) (string, error return "", nil } +// Fixed implements formatStringInterpolator.Fixed. func (c *stringFormatChecker) Fixed(precision *int) func(ref.Val, string) (string, error) { return func(arg ref.Val, locale string) (string, error) { id := c.args[c.currArgIndex].ID() @@ -534,6 +544,7 @@ func (c *stringFormatChecker) Fixed(precision *int) func(ref.Val, string) (strin } } +// Scientific implements formatStringInterpolator.Scientific. func (c *stringFormatChecker) Scientific(precision *int) func(ref.Val, string) (string, error) { return func(arg ref.Val, locale string) (string, error) { id := c.args[c.currArgIndex].ID() @@ -545,6 +556,7 @@ func (c *stringFormatChecker) Scientific(precision *int) func(ref.Val, string) ( } } +// Binary implements formatStringInterpolator.Binary. func (c *stringFormatChecker) Binary(arg ref.Val, locale string) (string, error) { id := c.args[c.currArgIndex].ID() valid := c.verifyTypeOneOf(id, types.IntType, types.UintType, types.BoolType) @@ -554,6 +566,7 @@ func (c *stringFormatChecker) Binary(arg ref.Val, locale string) (string, error) return "", nil } +// Hex implements formatStringInterpolator.Hex. func (c *stringFormatChecker) Hex(useUpper bool) func(ref.Val, string) (string, error) { return func(arg ref.Val, locale string) (string, error) { id := c.args[c.currArgIndex].ID() @@ -565,6 +578,7 @@ func (c *stringFormatChecker) Hex(useUpper bool) func(ref.Val, string) (string, } } +// Octal implements formatStringInterpolator.Octal. func (c *stringFormatChecker) Octal(arg ref.Val, locale string) (string, error) { id := c.args[c.currArgIndex].ID() valid := c.verifyTypeOneOf(id, types.IntType, types.UintType) @@ -574,6 +588,7 @@ func (c *stringFormatChecker) Octal(arg ref.Val, locale string) (string, error) return "", nil } +// Arg implements formatListArgs.Arg. func (c *stringFormatChecker) Arg(index int64) (ref.Val, error) { c.argsRequested++ c.currArgIndex = index @@ -582,6 +597,7 @@ func (c *stringFormatChecker) Arg(index int64) (ref.Val, error) { return types.Int(0), nil } +// Size implements formatListArgs.Size. func (c *stringFormatChecker) Size() int64 { return int64(len(c.args)) } @@ -686,10 +702,12 @@ func newFormatError(id int64, msg string, args ...any) error { } } +// Error implements error. func (e formatError) Error() string { return e.msg } +// Is implements errors.Is. func (e formatError) Is(target error) bool { return e.msg == target.Error() } @@ -699,6 +717,7 @@ type stringArgList struct { args traits.Lister } +// Arg implements formatListArgs.Arg. func (c *stringArgList) Arg(index int64) (ref.Val, error) { if index >= c.args.Size().Value().(int64) { return nil, fmt.Errorf("index %d out of range", index) @@ -706,6 +725,7 @@ func (c *stringArgList) Arg(index int64) (ref.Val, error) { return c.args.Get(types.Int(index)), nil } +// Size implements formatListArgs.Size. func (c *stringArgList) Size() int64 { return c.args.Size().Value().(int64) } @@ -887,14 +907,17 @@ func newParseFormatError(msg string, wrapped error) error { return parseFormatError{msg: msg, wrapped: wrapped} } +// Error implements error. func (e parseFormatError) Error() string { return fmt.Sprintf("%s: %s", e.msg, e.wrapped.Error()) } +// Is implements errors.Is. func (e parseFormatError) Is(target error) bool { return e.Error() == target.Error() } +// Is implements errors.Unwrap. func (e parseFormatError) Unwrap() error { return e.wrapped } diff --git a/vendor/github.com/google/cel-go/ext/formatting_v2.go b/vendor/github.com/google/cel-go/ext/formatting_v2.go new file mode 100644 index 000000000..ca8efbc4e --- /dev/null +++ b/vendor/github.com/google/cel-go/ext/formatting_v2.go @@ -0,0 +1,788 @@ +// Copyright 2023 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package ext + +import ( + "errors" + "fmt" + "math" + "sort" + "strconv" + "strings" + "time" + "unicode" + + "github.com/google/cel-go/cel" + "github.com/google/cel-go/common/ast" + "github.com/google/cel-go/common/types" + "github.com/google/cel-go/common/types/ref" + "github.com/google/cel-go/common/types/traits" +) + +type clauseImplV2 func(ref.Val) (string, error) + +type appendingFormatterV2 struct { + buf []byte +} + +type formattedMapEntryV2 struct { + key string + val string +} + +func (af *appendingFormatterV2) format(arg ref.Val) error { + switch arg.Type() { + case types.BoolType: + argBool, ok := arg.Value().(bool) + if !ok { + return fmt.Errorf("type conversion error from '%s' to '%s'", arg.Type(), types.BoolType) + } + af.buf = strconv.AppendBool(af.buf, argBool) + return nil + case types.IntType: + argInt, ok := arg.Value().(int64) + if !ok { + return fmt.Errorf("type conversion error from '%s' to '%s'", arg.Type(), types.IntType) + } + af.buf = strconv.AppendInt(af.buf, argInt, 10) + return nil + case types.UintType: + argUint, ok := arg.Value().(uint64) + if !ok { + return fmt.Errorf("type conversion error from '%s' to '%s'", arg.Type(), types.UintType) + } + af.buf = strconv.AppendUint(af.buf, argUint, 10) + return nil + case types.DoubleType: + argDbl, ok := arg.Value().(float64) + if !ok { + return fmt.Errorf("type conversion error from '%s' to '%s'", arg.Type(), types.DoubleType) + } + if math.IsNaN(argDbl) { + af.buf = append(af.buf, "NaN"...) + return nil + } + if math.IsInf(argDbl, -1) { + af.buf = append(af.buf, "-Infinity"...) + return nil + } + if math.IsInf(argDbl, 1) { + af.buf = append(af.buf, "Infinity"...) + return nil + } + af.buf = strconv.AppendFloat(af.buf, argDbl, 'f', -1, 64) + return nil + case types.BytesType: + argBytes, ok := arg.Value().([]byte) + if !ok { + return fmt.Errorf("type conversion error from '%s' to '%s'", arg.Type(), types.BytesType) + } + af.buf = append(af.buf, argBytes...) + return nil + case types.StringType: + argStr, ok := arg.Value().(string) + if !ok { + return fmt.Errorf("type conversion error from '%s' to '%s'", arg.Type(), types.StringType) + } + af.buf = append(af.buf, argStr...) + return nil + case types.DurationType: + argDur, ok := arg.Value().(time.Duration) + if !ok { + return fmt.Errorf("type conversion error from '%s' to '%s'", arg.Type(), types.DurationType) + } + af.buf = strconv.AppendFloat(af.buf, argDur.Seconds(), 'f', -1, 64) + af.buf = append(af.buf, "s"...) + return nil + case types.TimestampType: + argTime, ok := arg.Value().(time.Time) + if !ok { + return fmt.Errorf("type conversion error from '%s' to '%s'", arg.Type(), types.TimestampType) + } + af.buf = argTime.UTC().AppendFormat(af.buf, time.RFC3339Nano) + return nil + case types.NullType: + af.buf = append(af.buf, "null"...) + return nil + case types.TypeType: + argType, ok := arg.Value().(string) + if !ok { + return fmt.Errorf("type conversion error from '%s' to '%s'", arg.Type(), types.TypeType) + } + af.buf = append(af.buf, argType...) + return nil + case types.ListType: + argList, ok := arg.(traits.Lister) + if !ok { + return fmt.Errorf("type conversion error from '%s' to '%s'", arg.Type(), types.ListType) + } + argIter := argList.Iterator() + af.buf = append(af.buf, "["...) + if argIter.HasNext() == types.True { + if err := af.format(argIter.Next()); err != nil { + return err + } + for argIter.HasNext() == types.True { + af.buf = append(af.buf, ", "...) + if err := af.format(argIter.Next()); err != nil { + return err + } + } + } + af.buf = append(af.buf, "]"...) + return nil + case types.MapType: + argMap, ok := arg.(traits.Mapper) + if !ok { + return fmt.Errorf("type conversion error from '%s' to '%s'", arg.Type(), types.MapType) + } + argIter := argMap.Iterator() + ents := []formattedMapEntryV2{} + for argIter.HasNext() == types.True { + key := argIter.Next() + val, ok := argMap.Find(key) + if !ok { + return fmt.Errorf("key missing from map: '%s'", key) + } + keyStr, err := formatStringV2(key) + if err != nil { + return err + } + valStr, err := formatStringV2(val) + if err != nil { + return err + } + ents = append(ents, formattedMapEntryV2{keyStr, valStr}) + } + sort.SliceStable(ents, func(x, y int) bool { + return ents[x].key < ents[y].key + }) + af.buf = append(af.buf, "{"...) + for i, e := range ents { + if i > 0 { + af.buf = append(af.buf, ", "...) + } + af.buf = append(af.buf, e.key...) + af.buf = append(af.buf, ": "...) + af.buf = append(af.buf, e.val...) + } + af.buf = append(af.buf, "}"...) + return nil + default: + return stringFormatErrorV2(runtimeID, arg.Type().TypeName()) + } +} + +func formatStringV2(arg ref.Val) (string, error) { + var fmter appendingFormatterV2 + if err := fmter.format(arg); err != nil { + return "", err + } + return string(fmter.buf), nil +} + +type stringFormatterV2 struct{} + +// String implements formatStringInterpolatorV2.String. +func (c *stringFormatterV2) String(arg ref.Val) (string, error) { + return formatStringV2(arg) +} + +// Decimal implements formatStringInterpolatorV2.Decimal. +func (c *stringFormatterV2) Decimal(arg ref.Val) (string, error) { + switch arg.Type() { + case types.IntType: + argInt, ok := arg.Value().(int64) + if !ok { + return "", fmt.Errorf("type conversion error from '%s' to '%s'", arg.Type(), types.IntType) + } + return strconv.FormatInt(argInt, 10), nil + case types.UintType: + argUint, ok := arg.Value().(uint64) + if !ok { + return "", fmt.Errorf("type conversion error from '%s' to '%s'", arg.Type(), types.UintType) + } + return strconv.FormatUint(argUint, 10), nil + case types.DoubleType: + argDbl, ok := arg.Value().(float64) + if !ok { + return "", fmt.Errorf("type conversion error from '%s' to '%s'", arg.Type(), types.DoubleType) + } + if math.IsNaN(argDbl) { + return "NaN", nil + } + if math.IsInf(argDbl, -1) { + return "-Infinity", nil + } + if math.IsInf(argDbl, 1) { + return "Infinity", nil + } + return strconv.FormatFloat(argDbl, 'f', -1, 64), nil + default: + return "", decimalFormatErrorV2(runtimeID, arg.Type().TypeName()) + } +} + +// Fixed implements formatStringInterpolatorV2.Fixed. +func (c *stringFormatterV2) Fixed(precision int) func(ref.Val) (string, error) { + return func(arg ref.Val) (string, error) { + fmtStr := fmt.Sprintf("%%.%df", precision) + switch arg.Type() { + case types.IntType: + argInt, ok := arg.Value().(int64) + if !ok { + return "", fmt.Errorf("type conversion error from '%s' to '%s'", arg.Type(), types.IntType) + } + return fmt.Sprintf(fmtStr, argInt), nil + case types.UintType: + argUint, ok := arg.Value().(uint64) + if !ok { + return "", fmt.Errorf("type conversion error from '%s' to '%s'", arg.Type(), types.UintType) + } + return fmt.Sprintf(fmtStr, argUint), nil + case types.DoubleType: + argDbl, ok := arg.Value().(float64) + if !ok { + return "", fmt.Errorf("type conversion error from '%s' to '%s'", arg.Type(), types.DoubleType) + } + if math.IsNaN(argDbl) { + return "NaN", nil + } + if math.IsInf(argDbl, -1) { + return "-Infinity", nil + } + if math.IsInf(argDbl, 1) { + return "Infinity", nil + } + return fmt.Sprintf(fmtStr, argDbl), nil + default: + return "", fixedPointFormatErrorV2(runtimeID, arg.Type().TypeName()) + } + } +} + +// Scientific implements formatStringInterpolatorV2.Scientific. +func (c *stringFormatterV2) Scientific(precision int) func(ref.Val) (string, error) { + return func(arg ref.Val) (string, error) { + fmtStr := fmt.Sprintf("%%1.%de", precision) + switch arg.Type() { + case types.IntType: + argInt, ok := arg.Value().(int64) + if !ok { + return "", fmt.Errorf("type conversion error from '%s' to '%s'", arg.Type(), types.IntType) + } + return fmt.Sprintf(fmtStr, argInt), nil + case types.UintType: + argUint, ok := arg.Value().(uint64) + if !ok { + return "", fmt.Errorf("type conversion error from '%s' to '%s'", arg.Type(), types.UintType) + } + return fmt.Sprintf(fmtStr, argUint), nil + case types.DoubleType: + argDbl, ok := arg.Value().(float64) + if !ok { + return "", fmt.Errorf("type conversion error from '%s' to '%s'", arg.Type(), types.DoubleType) + } + if math.IsNaN(argDbl) { + return "NaN", nil + } + if math.IsInf(argDbl, -1) { + return "-Infinity", nil + } + if math.IsInf(argDbl, 1) { + return "Infinity", nil + } + return fmt.Sprintf(fmtStr, argDbl), nil + default: + return "", scientificFormatErrorV2(runtimeID, arg.Type().TypeName()) + } + } +} + +// Binary implements formatStringInterpolatorV2.Binary. +func (c *stringFormatterV2) Binary(arg ref.Val) (string, error) { + switch arg.Type() { + case types.BoolType: + argBool, ok := arg.Value().(bool) + if !ok { + return "", fmt.Errorf("type conversion error from '%s' to '%s'", arg.Type(), types.BoolType) + } + if argBool { + return "1", nil + } + return "0", nil + case types.IntType: + argInt, ok := arg.Value().(int64) + if !ok { + return "", fmt.Errorf("type conversion error from '%s' to '%s'", arg.Type(), types.IntType) + } + return strconv.FormatInt(argInt, 2), nil + case types.UintType: + argUint, ok := arg.Value().(uint64) + if !ok { + return "", fmt.Errorf("type conversion error from '%s' to '%s'", arg.Type(), types.UintType) + } + return strconv.FormatUint(argUint, 2), nil + default: + return "", binaryFormatErrorV2(runtimeID, arg.Type().TypeName()) + } +} + +// Hex implements formatStringInterpolatorV2.Hex. +func (c *stringFormatterV2) Hex(useUpper bool) func(ref.Val) (string, error) { + return func(arg ref.Val) (string, error) { + var fmtStr string + if useUpper { + fmtStr = "%X" + } else { + fmtStr = "%x" + } + switch arg.Type() { + case types.IntType: + argInt, ok := arg.Value().(int64) + if !ok { + return "", fmt.Errorf("type conversion error from '%s' to '%s'", arg.Type(), types.IntType) + } + return fmt.Sprintf(fmtStr, argInt), nil + case types.UintType: + argUint, ok := arg.Value().(uint64) + if !ok { + return "", fmt.Errorf("type conversion error from '%s' to '%s'", arg.Type(), types.UintType) + } + return fmt.Sprintf(fmtStr, argUint), nil + case types.StringType: + argStr, ok := arg.Value().(string) + if !ok { + return "", fmt.Errorf("type conversion error from '%s' to '%s'", arg.Type(), types.StringType) + } + return fmt.Sprintf(fmtStr, argStr), nil + case types.BytesType: + argBytes, ok := arg.Value().([]byte) + if !ok { + return "", fmt.Errorf("type conversion error from '%s' to '%s'", arg.Type(), types.BytesType) + } + return fmt.Sprintf(fmtStr, argBytes), nil + default: + return "", hexFormatErrorV2(runtimeID, arg.Type().TypeName()) + } + } +} + +// Octal implements formatStringInterpolatorV2.Octal. +func (c *stringFormatterV2) Octal(arg ref.Val) (string, error) { + switch arg.Type() { + case types.IntType: + argInt, ok := arg.Value().(int64) + if !ok { + return "", fmt.Errorf("type conversion error from '%s' to '%s'", arg.Type(), types.IntType) + } + return strconv.FormatInt(argInt, 8), nil + case types.UintType: + argUint, ok := arg.Value().(uint64) + if !ok { + return "", fmt.Errorf("type conversion error from '%s' to '%s'", arg.Type(), types.UintType) + } + return strconv.FormatUint(argUint, 8), nil + default: + return "", octalFormatErrorV2(runtimeID, arg.Type().TypeName()) + } +} + +// stringFormatValidatorV2 implements the cel.ASTValidator interface allowing for static validation +// of string.format calls. +type stringFormatValidatorV2 struct{} + +// Name returns the name of the validator. +func (stringFormatValidatorV2) Name() string { + return "cel.validator.string_format" +} + +// Configure implements the ASTValidatorConfigurer interface and augments the list of functions to skip +// during homogeneous aggregate literal type-checks. +func (stringFormatValidatorV2) Configure(config cel.MutableValidatorConfig) error { + functions := config.GetOrDefault(cel.HomogeneousAggregateLiteralExemptFunctions, []string{}).([]string) + functions = append(functions, "format") + return config.Set(cel.HomogeneousAggregateLiteralExemptFunctions, functions) +} + +// Validate parses all literal format strings and type checks the format clause against the argument +// at the corresponding ordinal within the list literal argument to the function, if one is specified. +func (stringFormatValidatorV2) Validate(env *cel.Env, _ cel.ValidatorConfig, a *ast.AST, iss *cel.Issues) { + root := ast.NavigateAST(a) + formatCallExprs := ast.MatchDescendants(root, matchConstantFormatStringWithListLiteralArgs(a)) + for _, e := range formatCallExprs { + call := e.AsCall() + formatStr := call.Target().AsLiteral().Value().(string) + args := call.Args()[0].AsList().Elements() + formatCheck := &stringFormatCheckerV2{ + args: args, + ast: a, + } + // use a placeholder locale, since locale doesn't affect syntax + _, err := parseFormatStringV2(formatStr, formatCheck, formatCheck) + if err != nil { + iss.ReportErrorAtID(getErrorExprID(e.ID(), err), "%v", err) + continue + } + seenArgs := formatCheck.argsRequested + if len(args) > seenArgs { + iss.ReportErrorAtID(e.ID(), + "too many arguments supplied to string.format (expected %d, got %d)", seenArgs, len(args)) + } + } +} + +// stringFormatCheckerV2 implements the formatStringInterpolater interface +type stringFormatCheckerV2 struct { + args []ast.Expr + argsRequested int + currArgIndex int64 + ast *ast.AST +} + +// String implements formatStringInterpolatorV2.String. +func (c *stringFormatCheckerV2) String(arg ref.Val) (string, error) { + formatArg := c.args[c.currArgIndex] + valid, badID := c.verifyString(formatArg) + if !valid { + return "", stringFormatErrorV2(badID, c.typeOf(badID).TypeName()) + } + return "", nil +} + +// Decimal implements formatStringInterpolatorV2.Decimal. +func (c *stringFormatCheckerV2) Decimal(arg ref.Val) (string, error) { + id := c.args[c.currArgIndex].ID() + valid := c.verifyTypeOneOf(id, types.IntType, types.UintType, types.DoubleType) + if !valid { + return "", decimalFormatErrorV2(id, c.typeOf(id).TypeName()) + } + return "", nil +} + +// Fixed implements formatStringInterpolatorV2.Fixed. +func (c *stringFormatCheckerV2) Fixed(precision int) func(ref.Val) (string, error) { + return func(arg ref.Val) (string, error) { + id := c.args[c.currArgIndex].ID() + valid := c.verifyTypeOneOf(id, types.IntType, types.UintType, types.DoubleType) + if !valid { + return "", fixedPointFormatErrorV2(id, c.typeOf(id).TypeName()) + } + return "", nil + } +} + +// Scientific implements formatStringInterpolatorV2.Scientific. +func (c *stringFormatCheckerV2) Scientific(precision int) func(ref.Val) (string, error) { + return func(arg ref.Val) (string, error) { + id := c.args[c.currArgIndex].ID() + valid := c.verifyTypeOneOf(id, types.IntType, types.UintType, types.DoubleType) + if !valid { + return "", scientificFormatErrorV2(id, c.typeOf(id).TypeName()) + } + return "", nil + } +} + +// Binary implements formatStringInterpolatorV2.Binary. +func (c *stringFormatCheckerV2) Binary(arg ref.Val) (string, error) { + id := c.args[c.currArgIndex].ID() + valid := c.verifyTypeOneOf(id, types.BoolType, types.IntType, types.UintType) + if !valid { + return "", binaryFormatErrorV2(id, c.typeOf(id).TypeName()) + } + return "", nil +} + +// Hex implements formatStringInterpolatorV2.Hex. +func (c *stringFormatCheckerV2) Hex(useUpper bool) func(ref.Val) (string, error) { + return func(arg ref.Val) (string, error) { + id := c.args[c.currArgIndex].ID() + valid := c.verifyTypeOneOf(id, types.IntType, types.UintType, types.StringType, types.BytesType) + if !valid { + return "", hexFormatErrorV2(id, c.typeOf(id).TypeName()) + } + return "", nil + } +} + +// Octal implements formatStringInterpolatorV2.Octal. +func (c *stringFormatCheckerV2) Octal(arg ref.Val) (string, error) { + id := c.args[c.currArgIndex].ID() + valid := c.verifyTypeOneOf(id, types.IntType, types.UintType) + if !valid { + return "", octalFormatErrorV2(id, c.typeOf(id).TypeName()) + } + return "", nil +} + +// Arg implements formatListArgs.Arg. +func (c *stringFormatCheckerV2) Arg(index int64) (ref.Val, error) { + c.argsRequested++ + c.currArgIndex = index + // return a dummy value - this is immediately passed to back to us + // through one of the FormatCallback functions, so anything will do + return types.Int(0), nil +} + +// Size implements formatListArgs.Size. +func (c *stringFormatCheckerV2) Size() int64 { + return int64(len(c.args)) +} + +func (c *stringFormatCheckerV2) typeOf(id int64) *cel.Type { + return c.ast.GetType(id) +} + +func (c *stringFormatCheckerV2) verifyTypeOneOf(id int64, validTypes ...*cel.Type) bool { + t := c.typeOf(id) + if t == cel.DynType { + return true + } + for _, vt := range validTypes { + // Only check runtime type compatibility without delving deeper into parameterized types + if t.Kind() == vt.Kind() { + return true + } + } + return false +} + +func (c *stringFormatCheckerV2) verifyString(sub ast.Expr) (bool, int64) { + paramA := cel.TypeParamType("A") + paramB := cel.TypeParamType("B") + subVerified := c.verifyTypeOneOf(sub.ID(), + cel.ListType(paramA), cel.MapType(paramA, paramB), + cel.IntType, cel.UintType, cel.DoubleType, cel.BoolType, cel.StringType, + cel.TimestampType, cel.BytesType, cel.DurationType, cel.TypeType, cel.NullType) + if !subVerified { + return false, sub.ID() + } + switch sub.Kind() { + case ast.ListKind: + for _, e := range sub.AsList().Elements() { + // recursively verify if we're dealing with a list/map + verified, id := c.verifyString(e) + if !verified { + return false, id + } + } + return true, sub.ID() + case ast.MapKind: + for _, e := range sub.AsMap().Entries() { + // recursively verify if we're dealing with a list/map + entry := e.AsMapEntry() + verified, id := c.verifyString(entry.Key()) + if !verified { + return false, id + } + verified, id = c.verifyString(entry.Value()) + if !verified { + return false, id + } + } + return true, sub.ID() + default: + return true, sub.ID() + } +} + +// helper routines for reporting common errors during string formatting static validation and +// runtime execution. + +func binaryFormatErrorV2(id int64, badType string) error { + return newFormatError(id, "only ints, uints, and bools can be formatted as binary, was given %s", badType) +} + +func decimalFormatErrorV2(id int64, badType string) error { + return newFormatError(id, "decimal clause can only be used on ints, uints, and doubles, was given %s", badType) +} + +func fixedPointFormatErrorV2(id int64, badType string) error { + return newFormatError(id, "fixed-point clause can only be used on ints, uints, and doubles, was given %s", badType) +} + +func hexFormatErrorV2(id int64, badType string) error { + return newFormatError(id, "only ints, uints, bytes, and strings can be formatted as hex, was given %s", badType) +} + +func octalFormatErrorV2(id int64, badType string) error { + return newFormatError(id, "octal clause can only be used on ints and uints, was given %s", badType) +} + +func scientificFormatErrorV2(id int64, badType string) error { + return newFormatError(id, "scientific clause can only be used on ints, uints, and doubles, was given %s", badType) +} + +func stringFormatErrorV2(id int64, badType string) error { + return newFormatError(id, "string clause can only be used on strings, bools, bytes, ints, doubles, maps, lists, types, durations, and timestamps, was given %s", badType) +} + +// formatStringInterpolatorV2 is an interface that allows user-defined behavior +// for formatting clause implementations, as well as argument retrieval. +// Each function is expected to support the appropriate types as laid out in +// the string.format documentation, and to return an error if given an inappropriate type. +type formatStringInterpolatorV2 interface { + // String takes a ref.Val and a string representing the current locale identifier + // and returns the Val formatted as a string, or an error if one occurred. + String(ref.Val) (string, error) + + // Decimal takes a ref.Val and a string representing the current locale identifier + // and returns the Val formatted as a decimal integer, or an error if one occurred. + Decimal(ref.Val) (string, error) + + // Fixed takes an int pointer representing precision (or nil if none was given) and + // returns a function operating in a similar manner to String and Decimal, taking a + // ref.Val and locale and returning the appropriate string. A closure is returned + // so precision can be set without needing an additional function call/configuration. + Fixed(int) func(ref.Val) (string, error) + + // Scientific functions identically to Fixed, except the string returned from the closure + // is expected to be in scientific notation. + Scientific(int) func(ref.Val) (string, error) + + // Binary takes a ref.Val and a string representing the current locale identifier + // and returns the Val formatted as a binary integer, or an error if one occurred. + Binary(ref.Val) (string, error) + + // Hex takes a boolean that, if true, indicates the hex string output by the returned + // closure should use uppercase letters for A-F. + Hex(bool) func(ref.Val) (string, error) + + // Octal takes a ref.Val and a string representing the current locale identifier and + // returns the Val formatted in octal, or an error if one occurred. + Octal(ref.Val) (string, error) +} + +// parseFormatString formats a string according to the string.format syntax, taking the clause implementations +// from the provided FormatCallback and the args from the given FormatList. +func parseFormatStringV2(formatStr string, callback formatStringInterpolatorV2, list formatListArgs) (string, error) { + i := 0 + argIndex := 0 + var builtStr strings.Builder + for i < len(formatStr) { + if formatStr[i] == '%' { + if i+1 < len(formatStr) && formatStr[i+1] == '%' { + err := builtStr.WriteByte('%') + if err != nil { + return "", fmt.Errorf("error writing format string: %w", err) + } + i += 2 + continue + } else { + argAny, err := list.Arg(int64(argIndex)) + if err != nil { + return "", err + } + if i+1 >= len(formatStr) { + return "", errors.New("unexpected end of string") + } + if int64(argIndex) >= list.Size() { + return "", fmt.Errorf("index %d out of range", argIndex) + } + numRead, val, refErr := parseAndFormatClauseV2(formatStr[i:], argAny, callback, list) + if refErr != nil { + return "", refErr + } + _, err = builtStr.WriteString(val) + if err != nil { + return "", fmt.Errorf("error writing format string: %w", err) + } + i += numRead + argIndex++ + } + } else { + err := builtStr.WriteByte(formatStr[i]) + if err != nil { + return "", fmt.Errorf("error writing format string: %w", err) + } + i++ + } + } + return builtStr.String(), nil +} + +// parseAndFormatClause parses the format clause at the start of the given string with val, and returns +// how many characters were consumed and the substituted string form of val, or an error if one occurred. +func parseAndFormatClauseV2(formatStr string, val ref.Val, callback formatStringInterpolatorV2, list formatListArgs) (int, string, error) { + i := 1 + read, formatter, err := parseFormattingClauseV2(formatStr[i:], callback) + i += read + if err != nil { + return -1, "", newParseFormatError("could not parse formatting clause", err) + } + + valStr, err := formatter(val) + if err != nil { + return -1, "", newParseFormatError("error during formatting", err) + } + return i, valStr, nil +} + +func parseFormattingClauseV2(formatStr string, callback formatStringInterpolatorV2) (int, clauseImplV2, error) { + i := 0 + read, precision, err := parsePrecisionV2(formatStr[i:]) + i += read + if err != nil { + return -1, nil, fmt.Errorf("error while parsing precision: %w", err) + } + r := rune(formatStr[i]) + i++ + switch r { + case 's': + return i, callback.String, nil + case 'd': + return i, callback.Decimal, nil + case 'f': + return i, callback.Fixed(precision), nil + case 'e': + return i, callback.Scientific(precision), nil + case 'b': + return i, callback.Binary, nil + case 'x', 'X': + return i, callback.Hex(unicode.IsUpper(r)), nil + case 'o': + return i, callback.Octal, nil + default: + return -1, nil, fmt.Errorf("unrecognized formatting clause \"%c\"", r) + } +} + +func parsePrecisionV2(formatStr string) (int, int, error) { + i := 0 + if formatStr[i] != '.' { + return i, defaultPrecision, nil + } + i++ + var buffer strings.Builder + for { + if i >= len(formatStr) { + return -1, -1, errors.New("could not find end of precision specifier") + } + if !isASCIIDigit(rune(formatStr[i])) { + break + } + buffer.WriteByte(formatStr[i]) + i++ + } + precision, err := strconv.Atoi(buffer.String()) + if err != nil { + return -1, -1, fmt.Errorf("error while converting precision to integer: %w", err) + } + if precision < 0 { + return -1, -1, fmt.Errorf("negative precision: %d", precision) + } + return i, precision, nil +} diff --git a/vendor/github.com/google/cel-go/ext/lists.go b/vendor/github.com/google/cel-go/ext/lists.go index 675ea8672..b27ddf22f 100644 --- a/vendor/github.com/google/cel-go/ext/lists.go +++ b/vendor/github.com/google/cel-go/ext/lists.go @@ -20,11 +20,14 @@ import ( "sort" "github.com/google/cel-go/cel" + "github.com/google/cel-go/checker" + "github.com/google/cel-go/common" "github.com/google/cel-go/common/ast" "github.com/google/cel-go/common/decls" "github.com/google/cel-go/common/types" "github.com/google/cel-go/common/types/ref" "github.com/google/cel-go/common/types/traits" + "github.com/google/cel-go/interpreter" "github.com/google/cel-go/parser" ) @@ -44,7 +47,7 @@ var comparableTypes = []*cel.Type{ // // # Distinct // -// Introduced in version: 2 +// Introduced in version: 2 (cost support in version 3) // // Returns the distinct elements of a list. // @@ -58,7 +61,7 @@ var comparableTypes = []*cel.Type{ // // # Range // -// Introduced in version: 2 +// Introduced in version: 2 (cost support in version 3) // // Returns a list of integers from 0 to n-1. // @@ -70,7 +73,7 @@ var comparableTypes = []*cel.Type{ // // # Reverse // -// Introduced in version: 2 +// Introduced in version: 2 (cost support in version 3) // // Returns the elements of a list in reverse order. // @@ -82,6 +85,8 @@ var comparableTypes = []*cel.Type{ // // # Slice // +// Introduced in version: 0 (cost support in version 3) +// // Returns a new sub-list using the indexes provided. // // .slice(, ) -> @@ -93,12 +98,14 @@ var comparableTypes = []*cel.Type{ // // # Flatten // +// Introduced in version: 1 (cost support in version 3) +// // Flattens a list recursively. -// If an optional depth is provided, the list is flattened to a the specificied level. +// If an optional depth is provided, the list is flattened to a the specified level. // A negative depth value will result in an error. // -// .flatten() -> -// .flatten(, ) -> +// .flatten() -> +// .flatten() -> // // Examples: // @@ -110,7 +117,7 @@ var comparableTypes = []*cel.Type{ // // # Sort // -// Introduced in version: 2 +// Introduced in version: 2 (cost support in version 3) // // Sorts a list with comparable elements. If the element type is not comparable // or the element types are not the same, the function will produce an error. @@ -127,6 +134,8 @@ var comparableTypes = []*cel.Type{ // // # SortBy // +// Introduced in version: 2 (cost support in version 3) +// // Sorts a list by a key value, i.e., the order is determined by the result of // an expression applied to each element of the list. // The output of the key expression must be a comparable type, otherwise the @@ -134,7 +143,7 @@ var comparableTypes = []*cel.Type{ // // .sortBy(, ) -> // keyExpr returns a value in {int, uint, double, bool, duration, timestamp, string, bytes} - +// // Examples: // // [ @@ -143,7 +152,6 @@ var comparableTypes = []*cel.Type{ // Player { name: "baz", score: 1000 }, // ].sortBy(e, e.score).map(e, e.name) // == ["bar", "foo", "baz"] - func Lists(options ...ListsOption) cel.EnvOption { l := &listsLib{version: math.MaxUint32} for _, o := range options { @@ -304,9 +312,8 @@ func (lib listsLib) CompileOptions() []cel.EnvOption { opts = append(opts, cel.Function("lists.range", cel.Overload("lists_range", []*cel.Type{cel.IntType}, cel.ListType(cel.IntType), - cel.FunctionBinding(func(args ...ref.Val) ref.Val { - n := args[0].(types.Int) - result, err := genRange(n) + cel.UnaryBinding(func(n ref.Val) ref.Val { + result, err := genRange(n.(types.Int)) if err != nil { return types.WrapErr(err) } @@ -317,9 +324,8 @@ func (lib listsLib) CompileOptions() []cel.EnvOption { opts = append(opts, cel.Function("reverse", cel.MemberOverload("list_reverse", []*cel.Type{listType}, listType, - cel.FunctionBinding(func(args ...ref.Val) ref.Val { - list := args[0].(traits.Lister) - result, err := reverseList(list) + cel.UnaryBinding(func(list ref.Val) ref.Val { + result, err := reverseList(list.(traits.Lister)) if err != nil { return types.WrapErr(err) } @@ -340,13 +346,61 @@ func (lib listsLib) CompileOptions() []cel.EnvOption { ), )) } + if lib.version >= 3 { + estimators := []checker.CostOption{ + checker.OverloadCostEstimate("list_slice", estimateListSlice), + checker.OverloadCostEstimate("list_flatten", estimateListFlatten), + checker.OverloadCostEstimate("list_flatten_int", estimateListFlatten), + checker.OverloadCostEstimate("lists_range", estimateListsRange), + checker.OverloadCostEstimate("list_reverse", estimateListReverse), + checker.OverloadCostEstimate("list_distinct", estimateListDistinct), + } + for _, t := range comparableTypes { + estimators = append(estimators, + checker.OverloadCostEstimate( + fmt.Sprintf("list_%s_sort", t.TypeName()), + estimateListSort(t), + ), + checker.OverloadCostEstimate( + fmt.Sprintf("list_%s_sortByAssociatedKeys", t.TypeName()), + estimateListSortBy(t), + ), + ) + } + opts = append(opts, cel.CostEstimatorOptions(estimators...)) + } return opts } // ProgramOptions implements the Library interface method. -func (listsLib) ProgramOptions() []cel.ProgramOption { - return []cel.ProgramOption{} +func (lib *listsLib) ProgramOptions() []cel.ProgramOption { + var opts []cel.ProgramOption + if lib.version >= 3 { + // TODO: Add cost trackers for list operations + trackers := []interpreter.CostTrackerOption{ + interpreter.OverloadCostTracker("list_slice", trackListOutputSize), + interpreter.OverloadCostTracker("list_flatten", trackListFlatten), + interpreter.OverloadCostTracker("list_flatten_int", trackListFlatten), + interpreter.OverloadCostTracker("lists_range", trackListOutputSize), + interpreter.OverloadCostTracker("list_reverse", trackListOutputSize), + interpreter.OverloadCostTracker("list_distinct", trackListDistinct), + } + for _, t := range comparableTypes { + trackers = append(trackers, + interpreter.OverloadCostTracker( + fmt.Sprintf("list_%s_sort", t.TypeName()), + trackListSort, + ), + interpreter.OverloadCostTracker( + fmt.Sprintf("list_%s_sortByAssociatedKeys", t.TypeName()), + trackListSortBy, + ), + ) + } + opts = append(opts, cel.CostTrackerOptions(trackers...)) + } + return opts } func genRange(n types.Int) (ref.Val, error) { @@ -451,20 +505,24 @@ func sortListByAssociatedKeys(list, keys traits.Lister) (ref.Val, error) { sortedIndices := make([]ref.Val, 0, listLength) for i := types.IntZero; i < listLength; i++ { - if keys.Get(i).Type() != elem.Type() { - return nil, fmt.Errorf("list elements must have the same type") - } sortedIndices = append(sortedIndices, i) } + var err error sort.Slice(sortedIndices, func(i, j int) bool { iKey := keys.Get(sortedIndices[i]) jKey := keys.Get(sortedIndices[j]) + if iKey.Type() != elem.Type() || jKey.Type() != elem.Type() { + err = fmt.Errorf("list elements must have the same type") + return false + } return iKey.(traits.Comparer).Compare(jKey) == types.IntNegOne }) + if err != nil { + return nil, err + } sorted := make([]ref.Val, 0, listLength) - for _, sortedIdx := range sortedIndices { sorted = append(sorted, list.Get(sortedIdx)) } @@ -551,3 +609,171 @@ func templatedOverloads(types []*cel.Type, template func(t *cel.Type) cel.Functi } return overloads } + +// estimateListSlice computes an O(n) slice operation with a cost factor of 1. +func estimateListSlice(estimator checker.CostEstimator, target *checker.AstNode, args []checker.AstNode) *checker.CallEstimate { + if target == nil || len(args) != 2 { + return nil + } + sz := estimateSize(estimator, *target) + start := nodeAsIntValue(args[0], 0) + end := nodeAsIntValue(args[1], sz.Max) + return estimateAllocatingListCall(1, checker.FixedSizeEstimate(end-start)) +} + +// estimateListsRange computes an O(n) range operation with a cost factor of 1. +func estimateListsRange(estimator checker.CostEstimator, target *checker.AstNode, args []checker.AstNode) *checker.CallEstimate { + if target != nil || len(args) != 1 { + return nil + } + return estimateAllocatingListCall(1, checker.FixedSizeEstimate(nodeAsIntValue(args[0], math.MaxUint))) +} + +// estimateListReverse computes an O(n) reverse operation with a cost factor of 1. +func estimateListReverse(estimator checker.CostEstimator, target *checker.AstNode, args []checker.AstNode) *checker.CallEstimate { + if target == nil || len(args) != 0 { + return nil + } + return estimateAllocatingListCall(1, estimateSize(estimator, *target)) +} + +// estimateListFlatten computes an O(n) flatten operation with a cost factor proportional to the flatten depth. +func estimateListFlatten(estimator checker.CostEstimator, target *checker.AstNode, args []checker.AstNode) *checker.CallEstimate { + if target == nil || len(args) > 1 { + return nil + } + depth := uint64(1) + if len(args) == 1 { + depth = nodeAsIntValue(args[0], math.MaxUint) + } + return estimateAllocatingListCall(float64(depth), estimateSize(estimator, *target)) +} + +// Compute an O(n^2) with a cost factor of 2, equivalent to sets.contains with a result list +// which can vary in size from 1 element to the original list size. +func estimateListDistinct(estimator checker.CostEstimator, target *checker.AstNode, args []checker.AstNode) *checker.CallEstimate { + if target == nil || len(args) != 0 { + return nil + } + sz := estimateSize(estimator, *target) + costFactor := 2.0 + return estimateAllocatingListCall(costFactor, sz.Multiply(sz)) +} + +// estimateListSort computes an O(n^2) sort operation with a cost factor of 2 for the equality +// operations against the elements in the list against themselves which occur during the sort computation. +func estimateListSort(t *types.Type) checker.FunctionEstimator { + return func(estimator checker.CostEstimator, target *checker.AstNode, args []checker.AstNode) *checker.CallEstimate { + if target == nil || len(args) != 0 { + return nil + } + return estimateListSortCost(estimator, *target, t) + } +} + +// estimateListSortBy computes an O(n^2) sort operation with a cost factor of 2 for the equality +// operations against the sort index list which occur during the sort computation. +func estimateListSortBy(u *types.Type) checker.FunctionEstimator { + return func(estimator checker.CostEstimator, target *checker.AstNode, args []checker.AstNode) *checker.CallEstimate { + if target == nil || len(args) != 1 { + return nil + } + // Estimate the size of the list used as the sort index + return estimateListSortCost(estimator, args[0], u) + } +} + +// estimateListSortCost estimates an O(n^2) sort operation with a cost factor of 2 for the equality +// operations which occur during the sort computation. +func estimateListSortCost(estimator checker.CostEstimator, node checker.AstNode, elemType *types.Type) *checker.CallEstimate { + sz := estimateSize(estimator, node) + costFactor := 2.0 + switch elemType { + case types.StringType, types.BytesType: + costFactor += common.StringTraversalCostFactor + } + return estimateAllocatingListCall(costFactor, sz.Multiply(sz)) +} + +// estimateAllocatingListCall computes cost as a function of the size of the result list with a +// baseline cost for the call dispatch and the associated list allocation. +func estimateAllocatingListCall(costFactor float64, listSize checker.SizeEstimate) *checker.CallEstimate { + return estimateListCall(costFactor, listSize, true) +} + +// estimateListCall computes cost as a function of the size of the target list and whether the +// call allocates memory. +func estimateListCall(costFactor float64, listSize checker.SizeEstimate, allocates bool) *checker.CallEstimate { + cost := listSize.MultiplyByCostFactor(costFactor).Add(callCostEstimate) + if allocates { + cost = cost.Add(checker.FixedCostEstimate(common.ListCreateBaseCost)) + } + return &checker.CallEstimate{CostEstimate: cost, ResultSize: &listSize} +} + +// trackListOutputSize computes cost as a function of the size of the result list. +func trackListOutputSize(_ []ref.Val, result ref.Val) *uint64 { + return trackAllocatingListCall(1, actualSize(result)) +} + +// trackListFlatten computes cost as a function of the size of the result list and the depth of +// the flatten operation. +func trackListFlatten(args []ref.Val, _ ref.Val) *uint64 { + depth := 1.0 + if len(args) == 2 { + depth = float64(args[1].(types.Int)) + } + inputSize := actualSize(args[0]) + return trackAllocatingListCall(depth, inputSize) +} + +// trackListDistinct computes costs as a worst-case O(n^2) operation over the input list. +func trackListDistinct(args []ref.Val, _ ref.Val) *uint64 { + return trackListSelfCompare(args[0].(traits.Lister)) +} + +// trackListSort computes costs as a worst-case O(n^2) operation over the input list. +func trackListSort(args []ref.Val, result ref.Val) *uint64 { + return trackListSelfCompare(args[0].(traits.Lister)) +} + +// trackListSortBy computes costs as a worst-case O(n^2) operation over the sort index list. +func trackListSortBy(args []ref.Val, result ref.Val) *uint64 { + return trackListSelfCompare(args[1].(traits.Lister)) +} + +// trackListSelfCompare computes costs as a worst-case O(n^2) operation over the input list. +func trackListSelfCompare(l traits.Lister) *uint64 { + sz := actualSize(l) + costFactor := 2.0 + if sz == 0 { + return trackAllocatingListCall(costFactor, 0) + } + elem := l.Get(types.IntZero) + if elem.Type() == types.StringType || elem.Type() == types.BytesType { + costFactor += common.StringTraversalCostFactor + } + return trackAllocatingListCall(costFactor, sz*sz) +} + +// trackAllocatingListCall computes costs as a function of the size of the result list with a baseline cost +// for the call dispatch and the associated list allocation. +func trackAllocatingListCall(costFactor float64, size uint64) *uint64 { + cost := uint64(float64(size)*costFactor) + callCost + common.ListCreateBaseCost + return &cost +} + +func nodeAsIntValue(node checker.AstNode, defaultVal uint64) uint64 { + if node.Expr().Kind() != ast.LiteralKind { + return defaultVal + } + lit := node.Expr().AsLiteral() + if lit.Type() != types.IntType { + return defaultVal + } + val := lit.(types.Int) + if val < types.IntZero { + return 0 + } + return uint64(lit.(types.Int)) +} diff --git a/vendor/github.com/google/cel-go/ext/math.go b/vendor/github.com/google/cel-go/ext/math.go index 250246db1..6df8e3773 100644 --- a/vendor/github.com/google/cel-go/ext/math.go +++ b/vendor/github.com/google/cel-go/ext/math.go @@ -325,6 +325,23 @@ import ( // // math.isFinite(0.0/0.0) // returns false // math.isFinite(1.2) // returns true +// +// # Math.Sqrt +// +// Introduced at version: 2 +// +// Returns the square root of the given input as double +// Throws error for negative or non-numeric inputs +// +// math.sqrt() -> +// math.sqrt() -> +// math.sqrt() -> +// +// Examples: +// +// math.sqrt(81) // returns 9.0 +// math.sqrt(985.25) // returns 31.388692231439016 +// math.sqrt(-15) // returns NaN func Math(options ...MathOption) cel.EnvOption { m := &mathLib{version: math.MaxUint32} for _, o := range options { @@ -357,6 +374,9 @@ const ( absFunc = "math.abs" signFunc = "math.sign" + // SquareRoot function + sqrtFunc = "math.sqrt" + // Bitwise functions bitAndFunc = "math.bitAnd" bitOrFunc = "math.bitOr" @@ -548,6 +568,18 @@ func (lib *mathLib) CompileOptions() []cel.EnvOption { ), ) } + if lib.version >= 2 { + opts = append(opts, + cel.Function(sqrtFunc, + cel.Overload("math_sqrt_double", []*cel.Type{cel.DoubleType}, cel.DoubleType, + cel.UnaryBinding(sqrt)), + cel.Overload("math_sqrt_int", []*cel.Type{cel.IntType}, cel.DoubleType, + cel.UnaryBinding(sqrt)), + cel.Overload("math_sqrt_uint", []*cel.Type{cel.UintType}, cel.DoubleType, + cel.UnaryBinding(sqrt)), + ), + ) + } return opts } @@ -691,6 +723,21 @@ func sign(val ref.Val) ref.Val { } } + +func sqrt(val ref.Val) ref.Val { + switch v := val.(type) { + case types.Double: + return types.Double(math.Sqrt(float64(v))) + case types.Int: + return types.Double(math.Sqrt(float64(v))) + case types.Uint: + return types.Double(math.Sqrt(float64(v))) + default: + return types.NewErr("no such overload: sqrt") + } +} + + func bitAndPairInt(first, second ref.Val) ref.Val { l := first.(types.Int) r := second.(types.Int) diff --git a/vendor/github.com/google/cel-go/ext/native.go b/vendor/github.com/google/cel-go/ext/native.go index 1c33def49..661984cbb 100644 --- a/vendor/github.com/google/cel-go/ext/native.go +++ b/vendor/github.com/google/cel-go/ext/native.go @@ -81,7 +81,7 @@ var ( // the time that it is invoked. // // There is also the possibility to rename the fields of native structs by setting the `cel` tag -// for fields you want to override. In order to enable this feature, pass in the `EnableStructTag` +// for fields you want to override. In order to enable this feature, pass in the `ParseStructTags(true)` // option. Here is an example to see it in action: // // ```go diff --git a/vendor/github.com/google/cel-go/ext/regex.go b/vendor/github.com/google/cel-go/ext/regex.go new file mode 100644 index 000000000..1a66f65d0 --- /dev/null +++ b/vendor/github.com/google/cel-go/ext/regex.go @@ -0,0 +1,332 @@ +// Copyright 2025 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package ext + +import ( + "errors" + "fmt" + "math" + "regexp" + "strconv" + "strings" + + "github.com/google/cel-go/cel" + "github.com/google/cel-go/common/types" + "github.com/google/cel-go/common/types/ref" +) + +const ( + regexReplace = "regex.replace" + regexExtract = "regex.extract" + regexExtractAll = "regex.extractAll" +) + +// Regex returns a cel.EnvOption to configure extended functions for regular +// expression operations. +// +// Note: all functions use the 'regex' namespace. If you are +// currently using a variable named 'regex', the functions will likely work as +// intended, however there is some chance for collision. +// +// This library depends on the CEL optional type. Please ensure that the +// cel.OptionalTypes() is enabled when using regex extensions. +// +// # Replace +// +// The `regex.replace` function replaces all non-overlapping substring of a regex +// pattern in the target string with a replacement string. Optionally, you can +// limit the number of replacements by providing a count argument. When the count +// is a negative number, the function acts as replace all. Only numeric (\N) +// capture group references are supported in the replacement string, with +// validation for correctness. Backslashed-escaped digits (\1 to \9) within the +// replacement argument can be used to insert text matching the corresponding +// parenthesized group in the regexp pattern. An error will be thrown for invalid +// regex or replace string. +// +// regex.replace(target: string, pattern: string, replacement: string) -> string +// regex.replace(target: string, pattern: string, replacement: string, count: int) -> string +// +// Examples: +// +// regex.replace('hello world hello', 'hello', 'hi') == 'hi world hi' +// regex.replace('banana', 'a', 'x', 0) == 'banana' +// regex.replace('banana', 'a', 'x', 1) == 'bxnana' +// regex.replace('banana', 'a', 'x', 2) == 'bxnxna' +// regex.replace('banana', 'a', 'x', -12) == 'bxnxnx' +// regex.replace('foo bar', '(fo)o (ba)r', r'\2 \1') == 'ba fo' +// regex.replace('test', '(.)', r'\2') \\ Runtime Error invalid replace string +// regex.replace('foo bar', '(', '$2 $1') \\ Runtime Error invalid regex string +// regex.replace('id=123', r'id=(?P\d+)', r'value: \values') \\ Runtime Error invalid replace string +// +// # Extract +// +// The `regex.extract` function returns the first match of a regex pattern in a +// string. If no match is found, it returns an optional none value. An error will +// be thrown for invalid regex or for multiple capture groups. +// +// regex.extract(target: string, pattern: string) -> optional +// +// Examples: +// +// regex.extract('hello world', 'hello(.*)') == optional.of(' world') +// regex.extract('item-A, item-B', 'item-(\\w+)') == optional.of('A') +// regex.extract('HELLO', 'hello') == optional.empty() +// regex.extract('testuser@testdomain', '(.*)@([^.]*)') // Runtime Error multiple capture group +// +// # Extract All +// +// The `regex.extractAll` function returns a list of all matches of a regex +// pattern in a target string. If no matches are found, it returns an empty list. An error will +// be thrown for invalid regex or for multiple capture groups. +// +// regex.extractAll(target: string, pattern: string) -> list +// +// Examples: +// +// regex.extractAll('id:123, id:456', 'id:\\d+') == ['id:123', 'id:456'] +// regex.extractAll('id:123, id:456', 'assa') == [] +// regex.extractAll('testuser@testdomain', '(.*)@([^.]*)') // Runtime Error multiple capture group +func Regex(options ...RegexOptions) cel.EnvOption { + s := ®exLib{ + version: math.MaxUint32, + } + for _, o := range options { + s = o(s) + } + return cel.Lib(s) +} + +// RegexOptions declares a functional operator for configuring regex extension. +type RegexOptions func(*regexLib) *regexLib + +// RegexVersion configures the version of the Regex library definitions to use. See [Regex] for supported values. +func RegexVersion(version uint32) RegexOptions { + return func(lib *regexLib) *regexLib { + lib.version = version + return lib + } +} + +type regexLib struct { + version uint32 +} + +// LibraryName implements that SingletonLibrary interface method. +func (r *regexLib) LibraryName() string { + return "cel.lib.ext.regex" +} + +// CompileOptions implements the cel.Library interface method. +func (r *regexLib) CompileOptions() []cel.EnvOption { + optionalTypesEnabled := func(env *cel.Env) (*cel.Env, error) { + if !env.HasLibrary("cel.lib.optional") { + return nil, errors.New("regex library requires the optional library") + } + return env, nil + } + opts := []cel.EnvOption{ + cel.Function(regexExtract, + cel.Overload("regex_extract_string_string", []*cel.Type{cel.StringType, cel.StringType}, cel.OptionalType(cel.StringType), + cel.BinaryBinding(extract))), + + cel.Function(regexExtractAll, + cel.Overload("regex_extractAll_string_string", []*cel.Type{cel.StringType, cel.StringType}, cel.ListType(cel.StringType), + cel.BinaryBinding(extractAll))), + + cel.Function(regexReplace, + cel.Overload("regex_replace_string_string_string", []*cel.Type{cel.StringType, cel.StringType, cel.StringType}, cel.StringType, + cel.FunctionBinding(regReplace)), + cel.Overload("regex_replace_string_string_string_int", []*cel.Type{cel.StringType, cel.StringType, cel.StringType, cel.IntType}, cel.StringType, + cel.FunctionBinding((regReplaceN))), + ), + cel.EnvOption(optionalTypesEnabled), + } + return opts +} + +// ProgramOptions implements the cel.Library interface method +func (r *regexLib) ProgramOptions() []cel.ProgramOption { + return []cel.ProgramOption{} +} + +func compileRegex(regexStr string) (*regexp.Regexp, error) { + re, err := regexp.Compile(regexStr) + if err != nil { + return nil, fmt.Errorf("given regex is invalid: %w", err) + } + return re, nil +} + +func regReplace(args ...ref.Val) ref.Val { + target := args[0].(types.String) + regexStr := args[1].(types.String) + replaceStr := args[2].(types.String) + + return regReplaceN(target, regexStr, replaceStr, types.Int(-1)) +} + +func regReplaceN(args ...ref.Val) ref.Val { + target := string(args[0].(types.String)) + regexStr := string(args[1].(types.String)) + replaceStr := string(args[2].(types.String)) + replaceCount := int64(args[3].(types.Int)) + + if replaceCount == 0 { + return types.String(target) + } + + if replaceCount > math.MaxInt32 { + return types.NewErr("integer overflow") + } + + // If replaceCount is negative, just do a replaceAll. + if replaceCount < 0 { + replaceCount = -1 + } + + re, err := regexp.Compile(regexStr) + if err != nil { + return types.WrapErr(err) + } + + var resultBuilder strings.Builder + var lastIndex int + counter := int64(0) + + matches := re.FindAllStringSubmatchIndex(target, -1) + + for _, match := range matches { + if replaceCount != -1 && counter >= replaceCount { + break + } + + processedReplacement, err := replaceStrValidator(target, re, match, replaceStr) + if err != nil { + return types.WrapErr(err) + } + + resultBuilder.WriteString(target[lastIndex:match[0]]) + resultBuilder.WriteString(processedReplacement) + lastIndex = match[1] + counter++ + } + + resultBuilder.WriteString(target[lastIndex:]) + return types.String(resultBuilder.String()) +} + +func replaceStrValidator(target string, re *regexp.Regexp, match []int, replacement string) (string, error) { + groupCount := re.NumSubexp() + var sb strings.Builder + runes := []rune(replacement) + + for i := 0; i < len(runes); i++ { + c := runes[i] + + if c != '\\' { + sb.WriteRune(c) + continue + } + + if i+1 >= len(runes) { + return "", fmt.Errorf("invalid replacement string: '%s' \\ not allowed at end", replacement) + } + + i++ + nextChar := runes[i] + + if nextChar == '\\' { + sb.WriteRune('\\') + continue + } + + groupNum, err := strconv.Atoi(string(nextChar)) + if err != nil { + return "", fmt.Errorf("invalid replacement string: '%s' \\ must be followed by a digit or \\", replacement) + } + + if groupNum > groupCount { + return "", fmt.Errorf("replacement string references group %d but regex has only %d group(s)", groupNum, groupCount) + } + + if match[2*groupNum] != -1 { + sb.WriteString(target[match[2*groupNum]:match[2*groupNum+1]]) + } + } + return sb.String(), nil +} + +func extract(target, regexStr ref.Val) ref.Val { + t := string(target.(types.String)) + r := string(regexStr.(types.String)) + re, err := compileRegex(r) + if err != nil { + return types.WrapErr(err) + } + + if len(re.SubexpNames())-1 > 1 { + return types.WrapErr(fmt.Errorf("regular expression has more than one capturing group: %q", r)) + } + + matches := re.FindStringSubmatch(t) + if len(matches) == 0 { + return types.OptionalNone + } + + // If there is a capturing group, return the first match; otherwise, return the whole match. + if len(matches) > 1 { + capturedGroup := matches[1] + // If optional group is empty, return OptionalNone. + if capturedGroup == "" { + return types.OptionalNone + } + return types.OptionalOf(types.String(capturedGroup)) + } + return types.OptionalOf(types.String(matches[0])) +} + +func extractAll(target, regexStr ref.Val) ref.Val { + t := string(target.(types.String)) + r := string(regexStr.(types.String)) + re, err := compileRegex(r) + if err != nil { + return types.WrapErr(err) + } + + groupCount := len(re.SubexpNames()) - 1 + if groupCount > 1 { + return types.WrapErr(fmt.Errorf("regular expression has more than one capturing group: %q", r)) + } + + matches := re.FindAllStringSubmatch(t, -1) + result := make([]string, 0, len(matches)) + if len(matches) == 0 { + return types.NewStringList(types.DefaultTypeAdapter, result) + } + + if groupCount != 1 { + for _, match := range matches { + result = append(result, match[0]) + } + return types.NewStringList(types.DefaultTypeAdapter, result) + } + + for _, match := range matches { + if match[1] != "" { + result = append(result, match[1]) + } + } + return types.NewStringList(types.DefaultTypeAdapter, result) +} diff --git a/vendor/github.com/google/cel-go/ext/sets.go b/vendor/github.com/google/cel-go/ext/sets.go index 9a9ef6eef..ecac4bf9d 100644 --- a/vendor/github.com/google/cel-go/ext/sets.go +++ b/vendor/github.com/google/cel-go/ext/sets.go @@ -236,13 +236,13 @@ func setsEquivalent(listA, listB ref.Val) ref.Val { func estimateSetsCost(costFactor float64) checker.FunctionEstimator { return func(estimator checker.CostEstimator, target *checker.AstNode, args []checker.AstNode) *checker.CallEstimate { - if len(args) == 2 { - arg0Size := estimateSize(estimator, args[0]) - arg1Size := estimateSize(estimator, args[1]) - costEstimate := arg0Size.Multiply(arg1Size).MultiplyByCostFactor(costFactor).Add(callCostEstimate) - return &checker.CallEstimate{CostEstimate: costEstimate} + if len(args) != 2 { + return nil } - return nil + arg0Size := estimateSize(estimator, args[0]) + arg1Size := estimateSize(estimator, args[1]) + costEstimate := arg0Size.Multiply(arg1Size).MultiplyByCostFactor(costFactor).Add(callCostEstimate) + return &checker.CallEstimate{CostEstimate: costEstimate} } } @@ -273,6 +273,6 @@ func actualSize(value ref.Val) uint64 { } var ( - callCostEstimate = checker.CostEstimate{Min: 1, Max: 1} + callCostEstimate = checker.FixedCostEstimate(1) callCost = uint64(1) ) diff --git a/vendor/github.com/google/cel-go/ext/strings.go b/vendor/github.com/google/cel-go/ext/strings.go index 2e590a4c5..de65421f6 100644 --- a/vendor/github.com/google/cel-go/ext/strings.go +++ b/vendor/github.com/google/cel-go/ext/strings.go @@ -286,10 +286,15 @@ const ( // // 'gums'.reverse() // returns 'smug' // 'John Smith'.reverse() // returns 'htimS nhoJ' +// +// Introduced at version: 4 +// +// Formatting updated to adhere to https://github.com/google/cel-spec/blob/master/doc/extensions/strings.md. +// +// .format() -> func Strings(options ...StringsOption) cel.EnvOption { s := &stringLib{ - version: math.MaxUint32, - validateFormat: true, + version: math.MaxUint32, } for _, o := range options { s = o(s) @@ -298,9 +303,8 @@ func Strings(options ...StringsOption) cel.EnvOption { } type stringLib struct { - locale string - version uint32 - validateFormat bool + locale string + version uint32 } // LibraryName implements the SingletonLibrary interface method. @@ -314,6 +318,8 @@ type StringsOption func(*stringLib) *stringLib // StringsLocale configures the library with the given locale. The locale tag will // be checked for validity at the time that EnvOptions are configured. If this option // is not passed, string.format will behave as if en_US was passed as the locale. +// +// If StringsVersion is greater than or equal to 4, this option is ignored. func StringsLocale(locale string) StringsOption { return func(sl *stringLib) *stringLib { sl.locale = locale @@ -340,10 +346,9 @@ func StringsVersion(version uint32) StringsOption { // StringsValidateFormatCalls validates type-checked ASTs to ensure that string.format() calls have // valid formatting clauses and valid argument types for each clause. // -// Enabled by default. +// Deprecated func StringsValidateFormatCalls(value bool) StringsOption { return func(s *stringLib) *stringLib { - s.validateFormat = value return s } } @@ -351,7 +356,7 @@ func StringsValidateFormatCalls(value bool) StringsOption { // CompileOptions implements the Library interface method. func (lib *stringLib) CompileOptions() []cel.EnvOption { formatLocale := "en_US" - if lib.locale != "" { + if lib.version < 4 && lib.locale != "" { // ensure locale is properly-formed if set _, err := language.Parse(lib.locale) if err != nil { @@ -466,21 +471,29 @@ func (lib *stringLib) CompileOptions() []cel.EnvOption { }))), } if lib.version >= 1 { - opts = append(opts, cel.Function("format", - cel.MemberOverload("string_format", []*cel.Type{cel.StringType, cel.ListType(cel.DynType)}, cel.StringType, - cel.FunctionBinding(func(args ...ref.Val) ref.Val { - s := string(args[0].(types.String)) - formatArgs := args[1].(traits.Lister) - return stringOrError(parseFormatString(s, &stringFormatter{}, &stringArgList{formatArgs}, formatLocale)) - }))), + if lib.version >= 4 { + opts = append(opts, cel.Function("format", + cel.MemberOverload("string_format", []*cel.Type{cel.StringType, cel.ListType(cel.DynType)}, cel.StringType, + cel.FunctionBinding(func(args ...ref.Val) ref.Val { + s := string(args[0].(types.String)) + formatArgs := args[1].(traits.Lister) + return stringOrError(parseFormatStringV2(s, &stringFormatterV2{}, &stringArgList{formatArgs})) + })))) + } else { + opts = append(opts, cel.Function("format", + cel.MemberOverload("string_format", []*cel.Type{cel.StringType, cel.ListType(cel.DynType)}, cel.StringType, + cel.FunctionBinding(func(args ...ref.Val) ref.Val { + s := string(args[0].(types.String)) + formatArgs := args[1].(traits.Lister) + return stringOrError(parseFormatString(s, &stringFormatter{}, &stringArgList{formatArgs}, formatLocale)) + })))) + } + opts = append(opts, cel.Function("strings.quote", cel.Overload("strings_quote", []*cel.Type{cel.StringType}, cel.StringType, cel.UnaryBinding(func(str ref.Val) ref.Val { s := str.(types.String) return stringOrError(quote(string(s))) - }))), - - cel.ASTValidators(stringFormatValidator{})) - + })))) } if lib.version >= 2 { opts = append(opts, @@ -529,8 +542,12 @@ func (lib *stringLib) CompileOptions() []cel.EnvOption { }))), ) } - if lib.validateFormat { - opts = append(opts, cel.ASTValidators(stringFormatValidator{})) + if lib.version >= 1 { + if lib.version >= 4 { + opts = append(opts, cel.ASTValidators(stringFormatValidatorV2{})) + } else { + opts = append(opts, cel.ASTValidators(stringFormatValidator{})) + } } return opts } @@ -590,6 +607,10 @@ func lastIndexOf(str, substr string) (int64, error) { if substr == "" { return int64(len(runes)), nil } + + if len(str) < len(substr) { + return -1, nil + } return lastIndexOfOffset(str, substr, int64(len(runes)-1)) } diff --git a/vendor/github.com/google/cel-go/interpreter/activation.go b/vendor/github.com/google/cel-go/interpreter/activation.go index c20d19de1..dd40619ee 100644 --- a/vendor/github.com/google/cel-go/interpreter/activation.go +++ b/vendor/github.com/google/cel-go/interpreter/activation.go @@ -158,7 +158,8 @@ type PartialActivation interface { // partialActivationConverter indicates whether an Activation implementation supports conversion to a PartialActivation type partialActivationConverter interface { - asPartialActivation() (PartialActivation, bool) + // AsPartialActivation converts the current activation to a PartialActivation + AsPartialActivation() (PartialActivation, bool) } // partActivation is the default implementations of the PartialActivation interface. @@ -172,19 +173,20 @@ func (a *partActivation) UnknownAttributePatterns() []*AttributePattern { return a.unknowns } -// asPartialActivation returns the partActivation as a PartialActivation interface. -func (a *partActivation) asPartialActivation() (PartialActivation, bool) { +// AsPartialActivation returns the partActivation as a PartialActivation interface. +func (a *partActivation) AsPartialActivation() (PartialActivation, bool) { return a, true } -func asPartialActivation(vars Activation) (PartialActivation, bool) { +// AsPartialActivation walks the activation hierarchy and returns the first PartialActivation, if found. +func AsPartialActivation(vars Activation) (PartialActivation, bool) { // Only internal activation instances may implement this interface if pv, ok := vars.(partialActivationConverter); ok { - return pv.asPartialActivation() + return pv.AsPartialActivation() } // Since Activations may be hierarchical, test whether a parent converts to a PartialActivation if vars.Parent() != nil { - return asPartialActivation(vars.Parent()) + return AsPartialActivation(vars.Parent()) } return nil, false } diff --git a/vendor/github.com/google/cel-go/interpreter/attribute_patterns.go b/vendor/github.com/google/cel-go/interpreter/attribute_patterns.go index 7e5c2db0f..7d0759e37 100644 --- a/vendor/github.com/google/cel-go/interpreter/attribute_patterns.go +++ b/vendor/github.com/google/cel-go/interpreter/attribute_patterns.go @@ -358,7 +358,7 @@ func (m *attributeMatcher) AddQualifier(qual Qualifier) (Attribute, error) { func (m *attributeMatcher) Resolve(vars Activation) (any, error) { id := m.NamespacedAttribute.ID() // Bug in how partial activation is resolved, should search parents as well. - partial, isPartial := asPartialActivation(vars) + partial, isPartial := AsPartialActivation(vars) if isPartial { unk, err := m.fac.matchesUnknownPatterns( partial, diff --git a/vendor/github.com/google/cel-go/interpreter/interpretable.go b/vendor/github.com/google/cel-go/interpreter/interpretable.go index 591b7688b..96b5a8ffc 100644 --- a/vendor/github.com/google/cel-go/interpreter/interpretable.go +++ b/vendor/github.com/google/cel-go/interpreter/interpretable.go @@ -109,6 +109,47 @@ type InterpretableConstructor interface { Type() ref.Type } +// ObservableInterpretable is an Interpretable which supports stateful observation, such as tracing +// or cost-tracking. +type ObservableInterpretable struct { + Interpretable + observers []StatefulObserver +} + +// ID implements the Interpretable method to get the expression id associated with the step. +func (oi *ObservableInterpretable) ID() int64 { + return oi.Interpretable.ID() +} + +// Eval proxies to the ObserveEval method while invoking a no-op callback to report the observations. +func (oi *ObservableInterpretable) Eval(vars Activation) ref.Val { + return oi.ObserveEval(vars, func(any) {}) +} + +// ObserveEval evaluates an interpretable and performs per-evaluation state-tracking. +// +// This method is concurrency safe and the expectation is that the observer function will use +// a switch statement to determine the type of the state which has been reported back from the call. +func (oi *ObservableInterpretable) ObserveEval(vars Activation, observer func(any)) ref.Val { + var err error + // Initialize the state needed for the observers to function. + for _, obs := range oi.observers { + vars, err = obs.InitState(vars) + if err != nil { + return types.WrapErr(err) + } + // Provide an initial reference to the state to ensure state is available + // even in cases of interrupting errors generated during evaluation. + observer(obs.GetState(vars)) + } + result := oi.Interpretable.Eval(vars) + // Get the state which needs to be reported back as having been observed. + for _, obs := range oi.observers { + observer(obs.GetState(vars)) + } + return result +} + // Core Interpretable implementations used during the program planning phase. type evalTestOnly struct { @@ -156,9 +197,6 @@ func (q *testOnlyQualifier) Qualify(vars Activation, obj any) (any, error) { if unk, isUnk := out.(types.Unknown); isUnk { return unk, nil } - if opt, isOpt := out.(types.Optional); isOpt { - return opt.HasValue(), nil - } return present, nil } @@ -822,9 +860,9 @@ type evalWatch struct { } // Eval implements the Interpretable interface method. -func (e *evalWatch) Eval(ctx Activation) ref.Val { - val := e.Interpretable.Eval(ctx) - e.observer(e.ID(), e.Interpretable, val) +func (e *evalWatch) Eval(vars Activation) ref.Val { + val := e.Interpretable.Eval(vars) + e.observer(vars, e.ID(), e.Interpretable, val) return val } @@ -883,7 +921,7 @@ func (e *evalWatchAttr) AddQualifier(q Qualifier) (Attribute, error) { // Eval implements the Interpretable interface method. func (e *evalWatchAttr) Eval(vars Activation) ref.Val { val := e.InterpretableAttribute.Eval(vars) - e.observer(e.ID(), e.InterpretableAttribute, val) + e.observer(vars, e.ID(), e.InterpretableAttribute, val) return val } @@ -904,7 +942,7 @@ func (e *evalWatchConstQual) Qualify(vars Activation, obj any) (any, error) { } else { val = e.adapter.NativeToValue(out) } - e.observer(e.ID(), e.ConstantQualifier, val) + e.observer(vars, e.ID(), e.ConstantQualifier, val) return out, err } @@ -920,7 +958,7 @@ func (e *evalWatchConstQual) QualifyIfPresent(vars Activation, obj any, presence val = types.Bool(present) } if present || presenceOnly { - e.observer(e.ID(), e.ConstantQualifier, val) + e.observer(vars, e.ID(), e.ConstantQualifier, val) } return out, present, err } @@ -947,7 +985,7 @@ func (e *evalWatchAttrQual) Qualify(vars Activation, obj any) (any, error) { } else { val = e.adapter.NativeToValue(out) } - e.observer(e.ID(), e.Attribute, val) + e.observer(vars, e.ID(), e.Attribute, val) return out, err } @@ -963,7 +1001,7 @@ func (e *evalWatchAttrQual) QualifyIfPresent(vars Activation, obj any, presenceO val = types.Bool(present) } if present || presenceOnly { - e.observer(e.ID(), e.Attribute, val) + e.observer(vars, e.ID(), e.Attribute, val) } return out, present, err } @@ -984,7 +1022,7 @@ func (e *evalWatchQual) Qualify(vars Activation, obj any) (any, error) { } else { val = e.adapter.NativeToValue(out) } - e.observer(e.ID(), e.Qualifier, val) + e.observer(vars, e.ID(), e.Qualifier, val) return out, err } @@ -1000,7 +1038,7 @@ func (e *evalWatchQual) QualifyIfPresent(vars Activation, obj any, presenceOnly val = types.Bool(present) } if present || presenceOnly { - e.observer(e.ID(), e.Qualifier, val) + e.observer(vars, e.ID(), e.Qualifier, val) } return out, present, err } @@ -1014,7 +1052,7 @@ type evalWatchConst struct { // Eval implements the Interpretable interface method. func (e *evalWatchConst) Eval(vars Activation) ref.Val { val := e.Value() - e.observer(e.ID(), e.InterpretableConst, val) + e.observer(vars, e.ID(), e.InterpretableConst, val) return val } @@ -1187,13 +1225,13 @@ func (a *evalAttr) Eval(ctx Activation) ref.Val { } // Qualify proxies to the Attribute's Qualify method. -func (a *evalAttr) Qualify(ctx Activation, obj any) (any, error) { - return a.attr.Qualify(ctx, obj) +func (a *evalAttr) Qualify(vars Activation, obj any) (any, error) { + return a.attr.Qualify(vars, obj) } // QualifyIfPresent proxies to the Attribute's QualifyIfPresent method. -func (a *evalAttr) QualifyIfPresent(ctx Activation, obj any, presenceOnly bool) (any, bool, error) { - return a.attr.QualifyIfPresent(ctx, obj, presenceOnly) +func (a *evalAttr) QualifyIfPresent(vars Activation, obj any, presenceOnly bool) (any, bool, error) { + return a.attr.QualifyIfPresent(vars, obj, presenceOnly) } func (a *evalAttr) IsOptional() bool { @@ -1226,9 +1264,9 @@ func (c *evalWatchConstructor) ID() int64 { } // Eval implements the Interpretable Eval function. -func (c *evalWatchConstructor) Eval(ctx Activation) ref.Val { - val := c.constructor.Eval(ctx) - c.observer(c.ID(), c.constructor, val) +func (c *evalWatchConstructor) Eval(vars Activation) ref.Val { + val := c.constructor.Eval(vars) + c.observer(vars, c.ID(), c.constructor, val) return val } @@ -1370,16 +1408,16 @@ func (f *folder) Parent() Activation { // if they were provided to the input activation, or an empty set if the proxied activation is not partial. func (f *folder) UnknownAttributePatterns() []*AttributePattern { if pv, ok := f.activation.(partialActivationConverter); ok { - if partial, isPartial := pv.asPartialActivation(); isPartial { + if partial, isPartial := pv.AsPartialActivation(); isPartial { return partial.UnknownAttributePatterns() } } return []*AttributePattern{} } -func (f *folder) asPartialActivation() (PartialActivation, bool) { +func (f *folder) AsPartialActivation() (PartialActivation, bool) { if pv, ok := f.activation.(partialActivationConverter); ok { - if _, isPartial := pv.asPartialActivation(); isPartial { + if _, isPartial := pv.AsPartialActivation(); isPartial { return f, true } } diff --git a/vendor/github.com/google/cel-go/interpreter/interpreter.go b/vendor/github.com/google/cel-go/interpreter/interpreter.go index 0aca74d88..be57e7439 100644 --- a/vendor/github.com/google/cel-go/interpreter/interpreter.go +++ b/vendor/github.com/google/cel-go/interpreter/interpreter.go @@ -18,36 +18,41 @@ package interpreter import ( + "errors" + "github.com/google/cel-go/common/ast" "github.com/google/cel-go/common/containers" "github.com/google/cel-go/common/types" "github.com/google/cel-go/common/types/ref" ) +// PlannerOption configures the program plan options during interpretable setup. +type PlannerOption func(*planner) (*planner, error) + // Interpreter generates a new Interpretable from a checked or unchecked expression. type Interpreter interface { // NewInterpretable creates an Interpretable from a checked expression and an - // optional list of InterpretableDecorator values. - NewInterpretable(exprAST *ast.AST, decorators ...InterpretableDecorator) (Interpretable, error) + // optional list of PlannerOption values. + NewInterpretable(exprAST *ast.AST, opts ...PlannerOption) (Interpretable, error) } // EvalObserver is a functional interface that accepts an expression id and an observed value. // The id identifies the expression that was evaluated, the programStep is the Interpretable or Qualifier that // was evaluated and value is the result of the evaluation. -type EvalObserver func(id int64, programStep any, value ref.Val) +type EvalObserver func(vars Activation, id int64, programStep any, value ref.Val) -// Observe constructs a decorator that calls all the provided observers in order after evaluating each Interpretable -// or Qualifier during program evaluation. -func Observe(observers ...EvalObserver) InterpretableDecorator { - if len(observers) == 1 { - return decObserveEval(observers[0]) - } - observeFn := func(id int64, programStep any, val ref.Val) { - for _, observer := range observers { - observer(id, programStep, val) - } - } - return decObserveEval(observeFn) +// StatefulObserver observes evaluation while tracking or utilizing stateful behavior. +type StatefulObserver interface { + // InitState configures stateful metadata on the activation. + InitState(Activation) (Activation, error) + + // GetState retrieves the stateful metadata from the activation. + GetState(Activation) any + + // Observe passes the activation and relevant evaluation metadata to the observer. + // The observe method is expected to do the equivalent of GetState(vars) in order + // to find the metadata that needs to be updated upon invocation. + Observe(vars Activation, id int64, programStep any, value ref.Val) } // EvalCancelledError represents a cancelled program evaluation operation. @@ -73,24 +78,110 @@ const ( CostLimitExceeded ) -// TODO: Replace all usages of TrackState with EvalStateObserver +// evalStateOption configures the evalStateFactory behavior. +type evalStateOption func(*evalStateFactory) *evalStateFactory + +// EvalStateFactory configures the EvalState generator to be used by the EvalStateObserver. +func EvalStateFactory(factory func() EvalState) evalStateOption { + return func(fac *evalStateFactory) *evalStateFactory { + fac.factory = factory + return fac + } +} + +// EvalStateObserver provides an observer which records the value associated with the given expression id. +// EvalState must be provided to the observer. +func EvalStateObserver(opts ...evalStateOption) PlannerOption { + et := &evalStateFactory{factory: NewEvalState} + for _, o := range opts { + et = o(et) + } + return func(p *planner) (*planner, error) { + if et.factory == nil { + return nil, errors.New("eval state factory not configured") + } + p.observers = append(p.observers, et) + p.decorators = append(p.decorators, decObserveEval(et.Observe)) + return p, nil + } +} + +// evalStateConverter identifies an object which is convertible to an EvalState instance. +type evalStateConverter interface { + asEvalState() EvalState +} + +// evalStateActivation hides state in the Activation in a manner not accessible to expressions. +type evalStateActivation struct { + vars Activation + state EvalState +} + +// ResolveName proxies variable lookups to the backing activation. +func (esa evalStateActivation) ResolveName(name string) (any, bool) { + return esa.vars.ResolveName(name) +} + +// Parent proxies parent lookups to the backing activation. +func (esa evalStateActivation) Parent() Activation { + return esa.vars +} + +// AsPartialActivation supports conversion to a partial activation in order to detect unknown attributes. +func (esa evalStateActivation) AsPartialActivation() (PartialActivation, bool) { + return AsPartialActivation(esa.vars) +} -// TrackState decorates each expression node with an observer which records the value -// associated with the given expression id. EvalState must be provided to the decorator. -// This decorator is not thread-safe, and the EvalState must be reset between Eval() -// calls. -// DEPRECATED: Please use EvalStateObserver instead. It composes gracefully with additional observers. -func TrackState(state EvalState) InterpretableDecorator { - return Observe(EvalStateObserver(state)) +// asEvalState implements the evalStateConverter method. +func (esa evalStateActivation) asEvalState() EvalState { + return esa.state } -// EvalStateObserver provides an observer which records the value -// associated with the given expression id. EvalState must be provided to the observer. -// This decorator is not thread-safe, and the EvalState must be reset between Eval() -// calls. -func EvalStateObserver(state EvalState) EvalObserver { - return func(id int64, programStep any, val ref.Val) { - state.SetValue(id, val) +// asEvalState walks the Activation hierarchy and returns the first EvalState found, if present. +func asEvalState(vars Activation) (EvalState, bool) { + if conv, ok := vars.(evalStateConverter); ok { + return conv.asEvalState(), true + } + if vars.Parent() != nil { + return asEvalState(vars.Parent()) + } + return nil, false +} + +// evalStateFactory holds a reference to a factory function that produces an EvalState instance. +type evalStateFactory struct { + factory func() EvalState +} + +// InitState produces an EvalState instance and bundles it into the Activation in a way which is +// not visible to expression evaluation. +func (et *evalStateFactory) InitState(vars Activation) (Activation, error) { + state := et.factory() + return evalStateActivation{vars: vars, state: state}, nil +} + +// GetState extracts the EvalState from the Activation. +func (et *evalStateFactory) GetState(vars Activation) any { + if state, found := asEvalState(vars); found { + return state + } + return nil +} + +// Observe records the evaluation state for a given expression node and program step. +func (et *evalStateFactory) Observe(vars Activation, id int64, programStep any, val ref.Val) { + state, found := asEvalState(vars) + if !found { + return + } + state.SetValue(id, val) +} + +// CustomDecorator configures a custom interpretable decorator for the program. +func CustomDecorator(dec InterpretableDecorator) PlannerOption { + return func(p *planner) (*planner, error) { + p.decorators = append(p.decorators, dec) + return p, nil } } @@ -99,11 +190,8 @@ func EvalStateObserver(state EvalState) EvalObserver { // insight into the evaluation state of the entire expression. EvalState must be // provided to the decorator. This decorator is not thread-safe, and the EvalState // must be reset between Eval() calls. -func ExhaustiveEval() InterpretableDecorator { - ex := decDisableShortcircuits() - return func(i Interpretable) (Interpretable, error) { - return ex(i) - } +func ExhaustiveEval() PlannerOption { + return CustomDecorator(decDisableShortcircuits()) } // InterruptableEval annotates comprehension loops with information that indicates they @@ -111,14 +199,14 @@ func ExhaustiveEval() InterpretableDecorator { // // The custom activation is currently managed higher up in the stack within the 'cel' package // and should not require any custom support on behalf of callers. -func InterruptableEval() InterpretableDecorator { - return decInterruptFolds() +func InterruptableEval() PlannerOption { + return CustomDecorator(decInterruptFolds()) } // Optimize will pre-compute operations such as list and map construction and optimize // call arguments to set membership tests. The set of optimizations will increase over time. -func Optimize() InterpretableDecorator { - return decOptimize() +func Optimize() PlannerOption { + return CustomDecorator(decOptimize()) } // RegexOptimization provides a way to replace an InterpretableCall for a regex function when the @@ -142,8 +230,8 @@ type RegexOptimization struct { // CompileRegexConstants compiles regex pattern string constants at program creation time and reports any regex pattern // compile errors. -func CompileRegexConstants(regexOptimizations ...*RegexOptimization) InterpretableDecorator { - return decRegexOptimizer(regexOptimizations...) +func CompileRegexConstants(regexOptimizations ...*RegexOptimization) PlannerOption { + return CustomDecorator(decRegexOptimizer(regexOptimizations...)) } type exprInterpreter struct { @@ -172,14 +260,14 @@ func NewInterpreter(dispatcher Dispatcher, // NewIntepretable implements the Interpreter interface method. func (i *exprInterpreter) NewInterpretable( checked *ast.AST, - decorators ...InterpretableDecorator) (Interpretable, error) { - p := newPlanner( - i.dispatcher, - i.provider, - i.adapter, - i.attrFactory, - i.container, - checked, - decorators...) + opts ...PlannerOption) (Interpretable, error) { + p := newPlanner(i.dispatcher, i.provider, i.adapter, i.attrFactory, i.container, checked) + var err error + for _, o := range opts { + p, err = o(p) + if err != nil { + return nil, err + } + } return p.Plan(checked.Expr()) } diff --git a/vendor/github.com/google/cel-go/interpreter/planner.go b/vendor/github.com/google/cel-go/interpreter/planner.go index f0fd4eaf9..f0e0d4305 100644 --- a/vendor/github.com/google/cel-go/interpreter/planner.go +++ b/vendor/github.com/google/cel-go/interpreter/planner.go @@ -25,12 +25,6 @@ import ( "github.com/google/cel-go/common/types" ) -// interpretablePlanner creates an Interpretable evaluation plan from a proto Expr value. -type interpretablePlanner interface { - // Plan generates an Interpretable value (or error) from the input proto Expr. - Plan(expr ast.Expr) (Interpretable, error) -} - // newPlanner creates an interpretablePlanner which references a Dispatcher, TypeProvider, // TypeAdapter, Container, and CheckedExpr value. These pieces of data are used to resolve // functions, types, and namespaced identifiers at plan time rather than at runtime since @@ -40,8 +34,7 @@ func newPlanner(disp Dispatcher, adapter types.Adapter, attrFactory AttributeFactory, cont *containers.Container, - exprAST *ast.AST, - decorators ...InterpretableDecorator) interpretablePlanner { + exprAST *ast.AST) *planner { return &planner{ disp: disp, provider: provider, @@ -50,7 +43,8 @@ func newPlanner(disp Dispatcher, container: cont, refMap: exprAST.ReferenceMap(), typeMap: exprAST.TypeMap(), - decorators: decorators, + decorators: make([]InterpretableDecorator, 0), + observers: make([]StatefulObserver, 0), } } @@ -64,6 +58,7 @@ type planner struct { refMap map[int64]*ast.ReferenceInfo typeMap map[int64]*types.Type decorators []InterpretableDecorator + observers []StatefulObserver } // Plan implements the interpretablePlanner interface. This implementation of the Plan method also @@ -72,6 +67,17 @@ type planner struct { // such as state-tracking, expression re-write, and possibly efficient thread-safe memoization of // repeated expressions. func (p *planner) Plan(expr ast.Expr) (Interpretable, error) { + i, err := p.plan(expr) + if err != nil { + return nil, err + } + if len(p.observers) == 0 { + return i, nil + } + return &ObservableInterpretable{Interpretable: i, observers: p.observers}, nil +} + +func (p *planner) plan(expr ast.Expr) (Interpretable, error) { switch expr.Kind() { case ast.CallKind: return p.decorate(p.planCall(expr)) @@ -161,7 +167,7 @@ func (p *planner) planSelect(expr ast.Expr) (Interpretable, error) { sel := expr.AsSelect() // Plan the operand evaluation. - op, err := p.Plan(sel.Operand()) + op, err := p.plan(sel.Operand()) if err != nil { return nil, err } @@ -220,14 +226,14 @@ func (p *planner) planCall(expr ast.Expr) (Interpretable, error) { args := make([]Interpretable, argCount) if target != nil { - arg, err := p.Plan(target) + arg, err := p.plan(target) if err != nil { return nil, err } args[0] = arg } for i, argExpr := range call.Args() { - arg, err := p.Plan(argExpr) + arg, err := p.plan(argExpr) if err != nil { return nil, err } @@ -496,7 +502,7 @@ func (p *planner) planCreateList(expr ast.Expr) (Interpretable, error) { } elems := make([]Interpretable, len(elements)) for i, elem := range elements { - elemVal, err := p.Plan(elem) + elemVal, err := p.plan(elem) if err != nil { return nil, err } @@ -521,13 +527,13 @@ func (p *planner) planCreateMap(expr ast.Expr) (Interpretable, error) { hasOptionals := false for i, e := range entries { entry := e.AsMapEntry() - keyVal, err := p.Plan(entry.Key()) + keyVal, err := p.plan(entry.Key()) if err != nil { return nil, err } keys[i] = keyVal - valVal, err := p.Plan(entry.Value()) + valVal, err := p.plan(entry.Value()) if err != nil { return nil, err } @@ -560,7 +566,7 @@ func (p *planner) planCreateStruct(expr ast.Expr) (Interpretable, error) { for i, f := range objFields { field := f.AsStructField() fields[i] = field.Name() - val, err := p.Plan(field.Value()) + val, err := p.plan(field.Value()) if err != nil { return nil, err } @@ -582,23 +588,23 @@ func (p *planner) planCreateStruct(expr ast.Expr) (Interpretable, error) { // planComprehension generates an Interpretable fold operation. func (p *planner) planComprehension(expr ast.Expr) (Interpretable, error) { fold := expr.AsComprehension() - accu, err := p.Plan(fold.AccuInit()) + accu, err := p.plan(fold.AccuInit()) if err != nil { return nil, err } - iterRange, err := p.Plan(fold.IterRange()) + iterRange, err := p.plan(fold.IterRange()) if err != nil { return nil, err } - cond, err := p.Plan(fold.LoopCondition()) + cond, err := p.plan(fold.LoopCondition()) if err != nil { return nil, err } - step, err := p.Plan(fold.LoopStep()) + step, err := p.plan(fold.LoopStep()) if err != nil { return nil, err } - result, err := p.Plan(fold.Result()) + result, err := p.plan(fold.Result()) if err != nil { return nil, err } diff --git a/vendor/github.com/google/cel-go/interpreter/runtimecost.go b/vendor/github.com/google/cel-go/interpreter/runtimecost.go index 8f47c53d2..6c44cd798 100644 --- a/vendor/github.com/google/cel-go/interpreter/runtimecost.go +++ b/vendor/github.com/google/cel-go/interpreter/runtimecost.go @@ -15,6 +15,7 @@ package interpreter import ( + "errors" "math" "github.com/google/cel-go/common" @@ -34,78 +35,172 @@ type ActualCostEstimator interface { CallCost(function, overloadID string, args []ref.Val, result ref.Val) *uint64 } +// costTrackPlanOption modifies the cost tracking factory associatied with the CostObserver +type costTrackPlanOption func(*costTrackerFactory) *costTrackerFactory + +// CostTrackerFactory configures the factory method to generate a new cost-tracker per-evaluation. +func CostTrackerFactory(factory func() (*CostTracker, error)) costTrackPlanOption { + return func(fac *costTrackerFactory) *costTrackerFactory { + fac.factory = factory + return fac + } +} + // CostObserver provides an observer that tracks runtime cost. -func CostObserver(tracker *CostTracker) EvalObserver { - observer := func(id int64, programStep any, val ref.Val) { - switch t := programStep.(type) { - case ConstantQualifier: - // TODO: Push identifiers on to the stack before observing constant qualifiers that apply to them - // and enable the below pop. Once enabled this can case can be collapsed into the Qualifier case. - tracker.cost++ - case InterpretableConst: - // zero cost - case InterpretableAttribute: - switch a := t.Attr().(type) { - case *conditionalAttribute: - // Ternary has no direct cost. All cost is from the conditional and the true/false branch expressions. - tracker.stack.drop(a.falsy.ID(), a.truthy.ID(), a.expr.ID()) - default: - tracker.stack.drop(t.Attr().ID()) - tracker.cost += common.SelectAndIdentCost - } - if !tracker.presenceTestHasCost { - if _, isTestOnly := programStep.(*evalTestOnly); isTestOnly { - tracker.cost -= common.SelectAndIdentCost - } - } - case *evalExhaustiveConditional: - // Ternary has no direct cost. All cost is from the conditional and the true/false branch expressions. - tracker.stack.drop(t.attr.falsy.ID(), t.attr.truthy.ID(), t.attr.expr.ID()) +func CostObserver(opts ...costTrackPlanOption) PlannerOption { + ct := &costTrackerFactory{} + for _, o := range opts { + ct = o(ct) + } + return func(p *planner) (*planner, error) { + if ct.factory == nil { + return nil, errors.New("cost tracker factory not configured") + } + p.observers = append(p.observers, ct) + p.decorators = append(p.decorators, decObserveEval(ct.Observe)) + return p, nil + } +} - // While the field names are identical, the boolean operation eval structs do not share an interface and so - // must be handled individually. - case *evalOr: - for _, term := range t.terms { - tracker.stack.drop(term.ID()) - } - case *evalAnd: - for _, term := range t.terms { - tracker.stack.drop(term.ID()) - } - case *evalExhaustiveOr: - for _, term := range t.terms { - tracker.stack.drop(term.ID()) - } - case *evalExhaustiveAnd: - for _, term := range t.terms { - tracker.stack.drop(term.ID()) - } - case *evalFold: - tracker.stack.drop(t.iterRange.ID()) - case Qualifier: - tracker.cost++ - case InterpretableCall: - if argVals, ok := tracker.stack.dropArgs(t.Args()); ok { - tracker.cost += tracker.costCall(t, argVals, val) - } - case InterpretableConstructor: - tracker.stack.dropArgs(t.InitVals()) - switch t.Type() { - case types.ListType: - tracker.cost += common.ListCreateBaseCost - case types.MapType: - tracker.cost += common.MapCreateBaseCost - default: - tracker.cost += common.StructCreateBaseCost +// costTrackerConverter identifies an object which is convertible to a CostTracker instance. +type costTrackerConverter interface { + asCostTracker() *CostTracker +} + +// costTrackActivation hides state in the Activation in a manner not accessible to expressions. +type costTrackActivation struct { + vars Activation + costTracker *CostTracker +} + +// ResolveName proxies variable lookups to the backing activation. +func (cta costTrackActivation) ResolveName(name string) (any, bool) { + return cta.vars.ResolveName(name) +} + +// Parent proxies parent lookups to the backing activation. +func (cta costTrackActivation) Parent() Activation { + return cta.vars +} + +// AsPartialActivation supports conversion to a partial activation in order to detect unknown attributes. +func (cta costTrackActivation) AsPartialActivation() (PartialActivation, bool) { + return AsPartialActivation(cta.vars) +} + +// asCostTracker implements the costTrackerConverter method. +func (cta costTrackActivation) asCostTracker() *CostTracker { + return cta.costTracker +} + +// asCostTracker walks the Activation hierarchy and returns the first cost tracker found, if present. +func asCostTracker(vars Activation) (*CostTracker, bool) { + if conv, ok := vars.(costTrackerConverter); ok { + return conv.asCostTracker(), true + } + if vars.Parent() != nil { + return asCostTracker(vars.Parent()) + } + return nil, false +} + +// costTrackerFactory holds a factory for producing new CostTracker instances on each Eval call. +type costTrackerFactory struct { + factory func() (*CostTracker, error) +} + +// InitState produces a CostTracker and bundles it into an Activation in a way which is not visible +// to expression evaluation. +func (ct *costTrackerFactory) InitState(vars Activation) (Activation, error) { + tracker, err := ct.factory() + if err != nil { + return nil, err + } + return costTrackActivation{vars: vars, costTracker: tracker}, nil +} + +// GetState extracts the CostTracker from the Activation. +func (ct *costTrackerFactory) GetState(vars Activation) any { + if tracker, found := asCostTracker(vars); found { + return tracker + } + return nil +} + +// Observe computes the incremental cost of each step and records it into the CostTracker associated +// with the evaluation. +func (ct *costTrackerFactory) Observe(vars Activation, id int64, programStep any, val ref.Val) { + tracker, found := asCostTracker(vars) + if !found { + return + } + switch t := programStep.(type) { + case ConstantQualifier: + // TODO: Push identifiers on to the stack before observing constant qualifiers that apply to them + // and enable the below pop. Once enabled this can case can be collapsed into the Qualifier case. + tracker.cost++ + case InterpretableConst: + // zero cost + case InterpretableAttribute: + switch a := t.Attr().(type) { + case *conditionalAttribute: + // Ternary has no direct cost. All cost is from the conditional and the true/false branch expressions. + tracker.stack.drop(a.falsy.ID(), a.truthy.ID(), a.expr.ID()) + default: + tracker.stack.drop(t.Attr().ID()) + tracker.cost += common.SelectAndIdentCost + } + if !tracker.presenceTestHasCost { + if _, isTestOnly := programStep.(*evalTestOnly); isTestOnly { + tracker.cost -= common.SelectAndIdentCost } } - tracker.stack.push(val, id) + case *evalExhaustiveConditional: + // Ternary has no direct cost. All cost is from the conditional and the true/false branch expressions. + tracker.stack.drop(t.attr.falsy.ID(), t.attr.truthy.ID(), t.attr.expr.ID()) - if tracker.Limit != nil && tracker.cost > *tracker.Limit { - panic(EvalCancelledError{Cause: CostLimitExceeded, Message: "operation cancelled: actual cost limit exceeded"}) + // While the field names are identical, the boolean operation eval structs do not share an interface and so + // must be handled individually. + case *evalOr: + for _, term := range t.terms { + tracker.stack.drop(term.ID()) + } + case *evalAnd: + for _, term := range t.terms { + tracker.stack.drop(term.ID()) } + case *evalExhaustiveOr: + for _, term := range t.terms { + tracker.stack.drop(term.ID()) + } + case *evalExhaustiveAnd: + for _, term := range t.terms { + tracker.stack.drop(term.ID()) + } + case *evalFold: + tracker.stack.drop(t.iterRange.ID()) + case Qualifier: + tracker.cost++ + case InterpretableCall: + if argVals, ok := tracker.stack.dropArgs(t.Args()); ok { + tracker.cost += tracker.costCall(t, argVals, val) + } + case InterpretableConstructor: + tracker.stack.dropArgs(t.InitVals()) + switch t.Type() { + case types.ListType: + tracker.cost += common.ListCreateBaseCost + case types.MapType: + tracker.cost += common.MapCreateBaseCost + default: + tracker.cost += common.StructCreateBaseCost + } + } + tracker.stack.push(val, id) + + if tracker.Limit != nil && tracker.cost > *tracker.Limit { + panic(EvalCancelledError{Cause: CostLimitExceeded, Message: "operation cancelled: actual cost limit exceeded"}) } - return observer } // CostTrackerOption configures the behavior of CostTracker objects. diff --git a/vendor/github.com/google/cel-go/parser/macro.go b/vendor/github.com/google/cel-go/parser/macro.go index 6b3b648d3..1ef43c4b5 100644 --- a/vendor/github.com/google/cel-go/parser/macro.go +++ b/vendor/github.com/google/cel-go/parser/macro.go @@ -24,38 +24,74 @@ import ( "github.com/google/cel-go/common/types/ref" ) +// MacroOpt defines a functional option for configuring macro behavior. +type MacroOpt func(*macro) *macro + +// MacroDocs configures a list of strings into a multiline description for the macro. +func MacroDocs(docs ...string) MacroOpt { + return func(m *macro) *macro { + m.doc = common.MultilineDescription(docs...) + return m + } +} + +// MacroExamples configures a list of examples, either as a string or common.MultilineString, +// into an example set to be provided with the macro Documentation() call. +func MacroExamples(examples ...string) MacroOpt { + return func(m *macro) *macro { + m.examples = examples + return m + } +} + // NewGlobalMacro creates a Macro for a global function with the specified arg count. -func NewGlobalMacro(function string, argCount int, expander MacroExpander) Macro { - return ¯o{ +func NewGlobalMacro(function string, argCount int, expander MacroExpander, opts ...MacroOpt) Macro { + m := ¯o{ function: function, argCount: argCount, expander: expander} + for _, opt := range opts { + m = opt(m) + } + return m } // NewReceiverMacro creates a Macro for a receiver function matching the specified arg count. -func NewReceiverMacro(function string, argCount int, expander MacroExpander) Macro { - return ¯o{ +func NewReceiverMacro(function string, argCount int, expander MacroExpander, opts ...MacroOpt) Macro { + m := ¯o{ function: function, argCount: argCount, expander: expander, receiverStyle: true} + for _, opt := range opts { + m = opt(m) + } + return m } // NewGlobalVarArgMacro creates a Macro for a global function with a variable arg count. -func NewGlobalVarArgMacro(function string, expander MacroExpander) Macro { - return ¯o{ +func NewGlobalVarArgMacro(function string, expander MacroExpander, opts ...MacroOpt) Macro { + m := ¯o{ function: function, expander: expander, varArgStyle: true} + for _, opt := range opts { + m = opt(m) + } + return m } // NewReceiverVarArgMacro creates a Macro for a receiver function matching a variable arg count. -func NewReceiverVarArgMacro(function string, expander MacroExpander) Macro { - return ¯o{ +func NewReceiverVarArgMacro(function string, expander MacroExpander, opts ...MacroOpt) Macro { + m := ¯o{ function: function, expander: expander, receiverStyle: true, varArgStyle: true} + for _, opt := range opts { + m = opt(m) + } + return m } // Macro interface for describing the function signature to match and the MacroExpander to apply. @@ -95,6 +131,8 @@ type macro struct { varArgStyle bool argCount int expander MacroExpander + doc string + examples []string } // Function returns the macro's function name (i.e. the function whose syntax it mimics). @@ -125,6 +163,15 @@ func (m *macro) MacroKey() string { return makeMacroKey(m.function, m.argCount, m.receiverStyle) } +// Documentation generates documentation and examples for the macro. +func (m *macro) Documentation() *common.Doc { + examples := make([]*common.Doc, len(m.examples)) + for i, ex := range m.examples { + examples[i] = common.NewExampleDoc(ex) + } + return common.NewMacroDoc(m.Function(), m.doc, examples...) +} + func makeMacroKey(name string, args int, receiverStyle bool) string { return fmt.Sprintf("%s:%d:%v", name, args, receiverStyle) } @@ -250,37 +297,139 @@ type ExprHelper interface { var ( // HasMacro expands "has(m.f)" which tests the presence of a field, avoiding the need to // specify the field as a string. - HasMacro = NewGlobalMacro(operators.Has, 1, MakeHas) + HasMacro = NewGlobalMacro(operators.Has, 1, MakeHas, + MacroDocs( + `check a protocol buffer message for the presence of a field, or check a map`, + `for the presence of a string key.`, + `Only map accesses using the select notation are supported.`), + MacroExamples( + common.MultilineDescription( + `// true if the 'address' field exists in the 'user' message`, + `has(user.address)`), + common.MultilineDescription( + `// test whether the 'key_name' is set on the map which defines it`, + `has({'key_name': 'value'}.key_name) // true`), + common.MultilineDescription( + `// test whether the 'id' field is set to a non-default value on the Expr{} message literal`, + `has(Expr{}.id) // false`), + )) // AllMacro expands "range.all(var, predicate)" into a comprehension which ensures that all // elements in the range satisfy the predicate. - AllMacro = NewReceiverMacro(operators.All, 2, MakeAll) + AllMacro = NewReceiverMacro(operators.All, 2, MakeAll, + MacroDocs(`tests whether all elements in the input list or all keys in a map`, + `satisfy the given predicate. The all macro behaves in a manner consistent with`, + `the Logical AND operator including in how it absorbs errors and short-circuits.`), + MacroExamples( + `[1, 2, 3].all(x, x > 0) // true`, + `[1, 2, 0].all(x, x > 0) // false`, + `['apple', 'banana', 'cherry'].all(fruit, fruit.size() > 3) // true`, + `[3.14, 2.71, 1.61].all(num, num < 3.0) // false`, + `{'a': 1, 'b': 2, 'c': 3}.all(key, key != 'b') // false`, + common.MultilineDescription( + `// an empty list or map as the range will result in a trivially true result`, + `[].all(x, x > 0) // true`), + )) // ExistsMacro expands "range.exists(var, predicate)" into a comprehension which ensures that // some element in the range satisfies the predicate. - ExistsMacro = NewReceiverMacro(operators.Exists, 2, MakeExists) + ExistsMacro = NewReceiverMacro(operators.Exists, 2, MakeExists, + MacroDocs(`tests whether any value in the list or any key in the map`, + `satisfies the predicate expression. The exists macro behaves in a manner`, + `consistent with the Logical OR operator including in how it absorbs errors and`, + `short-circuits.`), + MacroExamples( + `[1, 2, 3].exists(i, i % 2 != 0) // true`, + `[0, -1, 5].exists(num, num < 0) // true`, + `{'x': 'foo', 'y': 'bar'}.exists(key, key.startsWith('z')) // false`, + common.MultilineDescription( + `// an empty list or map as the range will result in a trivially false result`, + `[].exists(i, i > 0) // false`), + common.MultilineDescription( + `// test whether a key name equalling 'iss' exists in the map and the`, + `// value contains the substring 'cel.dev'`, + `// tokens = {'sub': 'me', 'iss': 'https://issuer.cel.dev'}`, + `tokens.exists(k, k == 'iss' && tokens[k].contains('cel.dev'))`), + )) // ExistsOneMacro expands "range.exists_one(var, predicate)", which is true if for exactly one // element in range the predicate holds. // Deprecated: Use ExistsOneMacroNew - ExistsOneMacro = NewReceiverMacro(operators.ExistsOne, 2, MakeExistsOne) + ExistsOneMacro = NewReceiverMacro(operators.ExistsOne, 2, MakeExistsOne, + MacroDocs(`tests whether exactly one list element or map key satisfies`, + `the predicate expression. This macro does not short-circuit in order to remain`, + `consistent with logical operators being the only operators which can absorb`, + `errors within CEL.`), + MacroExamples( + `[1, 2, 2].exists_one(i, i < 2) // true`, + `{'a': 'hello', 'aa': 'hellohello'}.exists_one(k, k.startsWith('a')) // false`, + `[1, 2, 3, 4].exists_one(num, num % 2 == 0) // false`, + common.MultilineDescription( + `// ensure exactly one key in the map ends in @acme.co`, + `{'wiley@acme.co': 'coyote', 'aa@milne.co': 'bear'}.exists_one(k, k.endsWith('@acme.co')) // true`), + )) // ExistsOneMacroNew expands "range.existsOne(var, predicate)", which is true if for exactly one // element in range the predicate holds. - ExistsOneMacroNew = NewReceiverMacro("existsOne", 2, MakeExistsOne) + ExistsOneMacroNew = NewReceiverMacro("existsOne", 2, MakeExistsOne, + MacroDocs( + `tests whether exactly one list element or map key satisfies the predicate`, + `expression. This macro does not short-circuit in order to remain consistent`, + `with logical operators being the only operators which can absorb errors`, + `within CEL.`), + MacroExamples( + `[1, 2, 2].existsOne(i, i < 2) // true`, + `{'a': 'hello', 'aa': 'hellohello'}.existsOne(k, k.startsWith('a')) // false`, + `[1, 2, 3, 4].existsOne(num, num % 2 == 0) // false`, + common.MultilineDescription( + `// ensure exactly one key in the map ends in @acme.co`, + `{'wiley@acme.co': 'coyote', 'aa@milne.co': 'bear'}.existsOne(k, k.endsWith('@acme.co')) // true`), + )) // MapMacro expands "range.map(var, function)" into a comprehension which applies the function // to each element in the range to produce a new list. - MapMacro = NewReceiverMacro(operators.Map, 2, MakeMap) + MapMacro = NewReceiverMacro(operators.Map, 2, MakeMap, + MacroDocs("the three-argument form of map transforms all elements in the input range."), + MacroExamples( + `[1, 2, 3].map(x, x * 2) // [2, 4, 6]`, + `[5, 10, 15].map(x, x / 5) // [1, 2, 3]`, + `['apple', 'banana'].map(fruit, fruit.upperAscii()) // ['APPLE', 'BANANA']`, + common.MultilineDescription( + `// Combine all map key-value pairs into a list`, + `{'hi': 'you', 'howzit': 'bruv'}.map(k,`, + ` k + ":" + {'hi': 'you', 'howzit': 'bruv'}[k]) // ['hi:you', 'howzit:bruv']`), + )) // MapFilterMacro expands "range.map(var, predicate, function)" into a comprehension which // first filters the elements in the range by the predicate, then applies the transform function // to produce a new list. - MapFilterMacro = NewReceiverMacro(operators.Map, 3, MakeMap) + MapFilterMacro = NewReceiverMacro(operators.Map, 3, MakeMap, + MacroDocs(`the four-argument form of the map transforms only elements which satisfy`, + `the predicate which is equivalent to chaining the filter and three-argument`, + `map macros together.`), + MacroExamples( + common.MultilineDescription( + `// multiply only numbers divisible two, by 2`, + `[1, 2, 3, 4].map(num, num % 2 == 0, num * 2) // [4, 8]`), + )) // FilterMacro expands "range.filter(var, predicate)" into a comprehension which filters // elements in the range, producing a new list from the elements that satisfy the predicate. - FilterMacro = NewReceiverMacro(operators.Filter, 2, MakeFilter) + FilterMacro = NewReceiverMacro(operators.Filter, 2, MakeFilter, + MacroDocs(`returns a list containing only the elements from the input list`, + `that satisfy the given predicate`), + MacroExamples( + `[1, 2, 3].filter(x, x > 1) // [2, 3]`, + `['cat', 'dog', 'bird', 'fish'].filter(pet, pet.size() == 3) // ['cat', 'dog']`, + `[{'a': 10, 'b': 5, 'c': 20}].map(m, m.filter(key, m[key] > 10)) // [['c']]`, + common.MultilineDescription( + `// filter a list to select only emails with the @cel.dev suffix`, + `['alice@buf.io', 'tristan@cel.dev'].filter(v, v.endsWith('@cel.dev')) // ['tristan@cel.dev']`), + common.MultilineDescription( + `// filter a map into a list, selecting only the values for keys that start with 'http-auth'`, + `{'http-auth-agent': 'secret', 'user-agent': 'mozilla'}.filter(k,`, + ` k.startsWith('http-auth')) // ['secret']`), + )) // AllMacros includes the list of all spec-supported macros. AllMacros = []Macro{ diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/stats_handler.go b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/stats_handler.go index c01cb897c..216127d6f 100644 --- a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/stats_handler.go +++ b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/stats_handler.go @@ -59,20 +59,26 @@ func (h *serverHandler) TagRPC(ctx context.Context, info *stats.RPCTagInfo) cont name, attrs := internal.ParseFullMethod(info.FullMethodName) attrs = append(attrs, RPCSystemGRPC) - ctx, _ = h.tracer.Start( - trace.ContextWithRemoteSpanContext(ctx, trace.SpanContextFromContext(ctx)), - name, - trace.WithSpanKind(trace.SpanKindServer), - trace.WithAttributes(append(attrs, h.config.SpanAttributes...)...), - ) + + record := true + if h.config.Filter != nil { + record = h.config.Filter(info) + } + + if record { + ctx, _ = h.tracer.Start( + trace.ContextWithRemoteSpanContext(ctx, trace.SpanContextFromContext(ctx)), + name, + trace.WithSpanKind(trace.SpanKindServer), + trace.WithAttributes(append(attrs, h.config.SpanAttributes...)...), + ) + } gctx := gRPCContext{ metricAttrs: append(attrs, h.config.MetricAttributes...), - record: true, - } - if h.config.Filter != nil { - gctx.record = h.config.Filter(info) + record: record, } + return context.WithValue(ctx, gRPCContextKey{}, &gctx) } @@ -99,19 +105,24 @@ func NewClientHandler(opts ...Option) stats.Handler { func (h *clientHandler) TagRPC(ctx context.Context, info *stats.RPCTagInfo) context.Context { name, attrs := internal.ParseFullMethod(info.FullMethodName) attrs = append(attrs, RPCSystemGRPC) - ctx, _ = h.tracer.Start( - ctx, - name, - trace.WithSpanKind(trace.SpanKindClient), - trace.WithAttributes(append(attrs, h.config.SpanAttributes...)...), - ) + + record := true + if h.config.Filter != nil { + record = h.config.Filter(info) + } + + if record { + ctx, _ = h.tracer.Start( + ctx, + name, + trace.WithSpanKind(trace.SpanKindClient), + trace.WithAttributes(append(attrs, h.config.SpanAttributes...)...), + ) + } gctx := gRPCContext{ metricAttrs: append(attrs, h.config.MetricAttributes...), - record: true, - } - if h.config.Filter != nil { - gctx.record = h.config.Filter(info) + record: record, } return inject(context.WithValue(ctx, gRPCContextKey{}, &gctx), h.config.Propagators) diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/version.go b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/version.go index 25a3a8629..442e8a838 100644 --- a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/version.go +++ b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/version.go @@ -5,7 +5,7 @@ package otelgrpc // import "go.opentelemetry.io/contrib/instrumentation/google.g // Version is the current release version of the gRPC instrumentation. func Version() string { - return "0.58.0" + return "0.60.0" // This string is updated by the pre_release.sh script during release } diff --git a/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/conversion.go b/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/conversion.go index 2ca72bb16..98ee94b19 100644 --- a/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/conversion.go +++ b/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/conversion.go @@ -65,7 +65,7 @@ func Convert_v1_JSON_To_apiextensions_JSON(in *JSON, out *apiextensions.JSON, s } *out = i } else { - out = nil + *out = nil } return nil } diff --git a/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/defaults.go b/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/defaults.go index 5cebec927..629501470 100644 --- a/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/defaults.go +++ b/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/defaults.go @@ -20,7 +20,7 @@ import ( "strings" "k8s.io/apimachinery/pkg/runtime" - utilpointer "k8s.io/utils/pointer" + "k8s.io/utils/ptr" ) func addDefaultingFuncs(scheme *runtime.Scheme) error { @@ -56,6 +56,6 @@ func SetDefaults_CustomResourceDefinitionSpec(obj *CustomResourceDefinitionSpec) // SetDefaults_ServiceReference sets defaults for Webhook's ServiceReference func SetDefaults_ServiceReference(obj *ServiceReference) { if obj.Port == nil { - obj.Port = utilpointer.Int32Ptr(443) + obj.Port = ptr.To[int32](443) } } diff --git a/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/conversion.go b/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/conversion.go index eed3fde63..91c55dba4 100644 --- a/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/conversion.go +++ b/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/conversion.go @@ -64,7 +64,7 @@ func Convert_v1beta1_JSON_To_apiextensions_JSON(in *JSON, out *apiextensions.JSO } *out = i } else { - out = nil + *out = nil } return nil } diff --git a/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/defaults.go b/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/defaults.go index 1a9c2238e..02898ae50 100644 --- a/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/defaults.go +++ b/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/defaults.go @@ -20,7 +20,7 @@ import ( "strings" "k8s.io/apimachinery/pkg/runtime" - utilpointer "k8s.io/utils/pointer" + "k8s.io/utils/ptr" ) func addDefaultingFuncs(scheme *runtime.Scheme) error { @@ -70,13 +70,13 @@ func SetDefaults_CustomResourceDefinitionSpec(obj *CustomResourceDefinitionSpec) obj.Conversion.ConversionReviewVersions = []string{SchemeGroupVersion.Version} } if obj.PreserveUnknownFields == nil { - obj.PreserveUnknownFields = utilpointer.BoolPtr(true) + obj.PreserveUnknownFields = ptr.To(true) } } // SetDefaults_ServiceReference sets defaults for Webhook's ServiceReference func SetDefaults_ServiceReference(obj *ServiceReference) { if obj.Port == nil { - obj.Port = utilpointer.Int32Ptr(443) + obj.Port = ptr.To[int32](443) } } diff --git a/vendor/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcedefinition.go b/vendor/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcedefinition.go index 110620d65..742af4ad8 100644 --- a/vendor/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcedefinition.go +++ b/vendor/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcedefinition.go @@ -42,6 +42,7 @@ func CustomResourceDefinition(name string) *CustomResourceDefinitionApplyConfigu b.WithAPIVersion("apiextensions.k8s.io/v1") return b } +func (b CustomResourceDefinitionApplyConfiguration) IsApplyConfiguration() {} // WithKind sets the Kind field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. @@ -217,8 +218,24 @@ func (b *CustomResourceDefinitionApplyConfiguration) WithStatus(value *CustomRes return b } +// GetKind retrieves the value of the Kind field in the declarative configuration. +func (b *CustomResourceDefinitionApplyConfiguration) GetKind() *string { + return b.TypeMetaApplyConfiguration.Kind +} + +// GetAPIVersion retrieves the value of the APIVersion field in the declarative configuration. +func (b *CustomResourceDefinitionApplyConfiguration) GetAPIVersion() *string { + return b.TypeMetaApplyConfiguration.APIVersion +} + // GetName retrieves the value of the Name field in the declarative configuration. func (b *CustomResourceDefinitionApplyConfiguration) GetName() *string { b.ensureObjectMetaApplyConfigurationExists() return b.ObjectMetaApplyConfiguration.Name } + +// GetNamespace retrieves the value of the Namespace field in the declarative configuration. +func (b *CustomResourceDefinitionApplyConfiguration) GetNamespace() *string { + b.ensureObjectMetaApplyConfigurationExists() + return b.ObjectMetaApplyConfiguration.Namespace +} diff --git a/vendor/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcedefinition.go b/vendor/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcedefinition.go index d56cff21f..8df22620d 100644 --- a/vendor/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcedefinition.go +++ b/vendor/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcedefinition.go @@ -42,6 +42,7 @@ func CustomResourceDefinition(name string) *CustomResourceDefinitionApplyConfigu b.WithAPIVersion("apiextensions.k8s.io/v1beta1") return b } +func (b CustomResourceDefinitionApplyConfiguration) IsApplyConfiguration() {} // WithKind sets the Kind field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. @@ -217,8 +218,24 @@ func (b *CustomResourceDefinitionApplyConfiguration) WithStatus(value *CustomRes return b } +// GetKind retrieves the value of the Kind field in the declarative configuration. +func (b *CustomResourceDefinitionApplyConfiguration) GetKind() *string { + return b.TypeMetaApplyConfiguration.Kind +} + +// GetAPIVersion retrieves the value of the APIVersion field in the declarative configuration. +func (b *CustomResourceDefinitionApplyConfiguration) GetAPIVersion() *string { + return b.TypeMetaApplyConfiguration.APIVersion +} + // GetName retrieves the value of the Name field in the declarative configuration. func (b *CustomResourceDefinitionApplyConfiguration) GetName() *string { b.ensureObjectMetaApplyConfigurationExists() return b.ObjectMetaApplyConfiguration.Name } + +// GetNamespace retrieves the value of the Namespace field in the declarative configuration. +func (b *CustomResourceDefinitionApplyConfiguration) GetNamespace() *string { + b.ensureObjectMetaApplyConfigurationExists() + return b.ObjectMetaApplyConfiguration.Namespace +} diff --git a/vendor/k8s.io/apiserver/pkg/apis/apiserver/types.go b/vendor/k8s.io/apiserver/pkg/apis/apiserver/types.go index a610ebc1a..596b1f140 100644 --- a/vendor/k8s.io/apiserver/pkg/apis/apiserver/types.go +++ b/vendor/k8s.io/apiserver/pkg/apis/apiserver/types.go @@ -234,6 +234,7 @@ type Issuer struct { CertificateAuthority string Audiences []string AudienceMatchPolicy AudienceMatchPolicyType + EgressSelectorType EgressSelectorType } // AudienceMatchPolicyType is a set of valid values for Issuer.AudienceMatchPolicy @@ -244,6 +245,14 @@ const ( AudienceMatchPolicyMatchAny AudienceMatchPolicyType = "MatchAny" ) +type EgressSelectorType string + +const ( + EgressSelectorControlPlane EgressSelectorType = "controlplane" + + EgressSelectorCluster EgressSelectorType = "cluster" +) + // ClaimValidationRule provides the configuration for a single claim validation rule. type ClaimValidationRule struct { Claim string @@ -334,11 +343,21 @@ type WebhookConfiguration struct { // Same as setting `--authorization-webhook-cache-authorized-ttl` flag // Default: 5m0s AuthorizedTTL metav1.Duration + // CacheAuthorizedRequests specifies whether authorized requests should be cached. + // If set to true, the TTL for cached decisions can be configured via the + // AuthorizedTTL field. + // Default: true + CacheAuthorizedRequests bool // The duration to cache 'unauthorized' responses from the webhook // authorizer. // Same as setting `--authorization-webhook-cache-unauthorized-ttl` flag // Default: 30s UnauthorizedTTL metav1.Duration + // CacheUnauthorizedRequests specifies whether unauthorized requests should be cached. + // If set to true, the TTL for cached decisions can be configured via the + // UnauthorizedTTL field. + // Default: true + CacheUnauthorizedRequests bool // Timeout for the webhook request // Maximum allowed value is 30s. // Required, no default value. diff --git a/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1/defaults.go b/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1/defaults.go index 46fb841a5..6ba5a7ca1 100644 --- a/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1/defaults.go +++ b/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1/defaults.go @@ -21,6 +21,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" + "k8s.io/utils/ptr" ) var ( @@ -53,7 +54,13 @@ func SetDefaults_WebhookConfiguration(obj *WebhookConfiguration) { if obj.AuthorizedTTL.Duration == 0 { obj.AuthorizedTTL.Duration = 5 * time.Minute } + if obj.CacheAuthorizedRequests == nil { + obj.CacheAuthorizedRequests = ptr.To(true) + } if obj.UnauthorizedTTL.Duration == 0 { obj.UnauthorizedTTL.Duration = 30 * time.Second } + if obj.CacheUnauthorizedRequests == nil { + obj.CacheUnauthorizedRequests = ptr.To(true) + } } diff --git a/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1/register.go b/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1/register.go index 7b1b51b62..ec48038dd 100644 --- a/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1/register.go +++ b/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1/register.go @@ -47,8 +47,10 @@ func init() { func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &AdmissionConfiguration{}, + &AuthenticationConfiguration{}, &AuthorizationConfiguration{}, &EncryptionConfiguration{}, + &TracingConfiguration{}, ) // also register into the v1 group as EncryptionConfig (due to a docs bug) scheme.AddKnownTypeWithName(schema.GroupVersionKind{Group: "", Version: "v1", Kind: "EncryptionConfig"}, &EncryptionConfiguration{}) diff --git a/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1/types.go b/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1/types.go index 18328c558..ecfe48262 100644 --- a/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1/types.go +++ b/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1/types.go @@ -19,6 +19,7 @@ package v1 import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" + tracingapi "k8s.io/component-base/tracing/api/v1" ) // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object @@ -51,6 +52,372 @@ type AdmissionPluginConfiguration struct { // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// AuthenticationConfiguration provides versioned configuration for authentication. +type AuthenticationConfiguration struct { + metav1.TypeMeta + + // jwt is a list of authenticator to authenticate Kubernetes users using + // JWT compliant tokens. The authenticator will attempt to parse a raw ID token, + // verify it's been signed by the configured issuer. The public key to verify the + // signature is discovered from the issuer's public endpoint using OIDC discovery. + // For an incoming token, each JWT authenticator will be attempted in + // the order in which it is specified in this list. Note however that + // other authenticators may run before or after the JWT authenticators. + // The specific position of JWT authenticators in relation to other + // authenticators is neither defined nor stable across releases. Since + // each JWT authenticator must have a unique issuer URL, at most one + // JWT authenticator will attempt to cryptographically validate the token. + // + // The minimum valid JWT payload must contain the following claims: + // { + // "iss": "https://issuer.example.com", + // "aud": ["audience"], + // "exp": 1234567890, + // "": "username" + // } + JWT []JWTAuthenticator `json:"jwt"` + + // If present --anonymous-auth must not be set + Anonymous *AnonymousAuthConfig `json:"anonymous,omitempty"` +} + +// AnonymousAuthConfig provides the configuration for the anonymous authenticator. +type AnonymousAuthConfig struct { + Enabled bool `json:"enabled"` + + // If set, anonymous auth is only allowed if the request meets one of the + // conditions. + Conditions []AnonymousAuthCondition `json:"conditions,omitempty"` +} + +// AnonymousAuthCondition describes the condition under which anonymous auth +// should be enabled. +type AnonymousAuthCondition struct { + // Path for which anonymous auth is enabled. + Path string `json:"path"` +} + +// JWTAuthenticator provides the configuration for a single JWT authenticator. +type JWTAuthenticator struct { + // issuer contains the basic OIDC provider connection options. + // +required + Issuer Issuer `json:"issuer"` + + // claimValidationRules are rules that are applied to validate token claims to authenticate users. + // +optional + ClaimValidationRules []ClaimValidationRule `json:"claimValidationRules,omitempty"` + + // claimMappings points claims of a token to be treated as user attributes. + // +required + ClaimMappings ClaimMappings `json:"claimMappings"` + + // userValidationRules are rules that are applied to final user before completing authentication. + // These allow invariants to be applied to incoming identities such as preventing the + // use of the system: prefix that is commonly used by Kubernetes components. + // The validation rules are logically ANDed together and must all return true for the validation to pass. + // +optional + UserValidationRules []UserValidationRule `json:"userValidationRules,omitempty"` +} + +// Issuer provides the configuration for an external provider's specific settings. +type Issuer struct { + // url points to the issuer URL in a format https://url or https://url/path. + // This must match the "iss" claim in the presented JWT, and the issuer returned from discovery. + // Same value as the --oidc-issuer-url flag. + // Discovery information is fetched from "{url}/.well-known/openid-configuration" unless overridden by discoveryURL. + // Required to be unique across all JWT authenticators. + // Note that egress selection configuration is not used for this network connection. + // +required + URL string `json:"url"` + + // discoveryURL, if specified, overrides the URL used to fetch discovery + // information instead of using "{url}/.well-known/openid-configuration". + // The exact value specified is used, so "/.well-known/openid-configuration" + // must be included in discoveryURL if needed. + // + // The "issuer" field in the fetched discovery information must match the "issuer.url" field + // in the AuthenticationConfiguration and will be used to validate the "iss" claim in the presented JWT. + // This is for scenarios where the well-known and jwks endpoints are hosted at a different + // location than the issuer (such as locally in the cluster). + // + // Example: + // A discovery url that is exposed using kubernetes service 'oidc' in namespace 'oidc-namespace' + // and discovery information is available at '/.well-known/openid-configuration'. + // discoveryURL: "https://oidc.oidc-namespace/.well-known/openid-configuration" + // certificateAuthority is used to verify the TLS connection and the hostname on the leaf certificate + // must be set to 'oidc.oidc-namespace'. + // + // curl https://oidc.oidc-namespace/.well-known/openid-configuration (.discoveryURL field) + // { + // issuer: "https://oidc.example.com" (.url field) + // } + // + // discoveryURL must be different from url. + // Required to be unique across all JWT authenticators. + // Note that egress selection configuration is not used for this network connection. + // +optional + DiscoveryURL *string `json:"discoveryURL,omitempty"` + + // certificateAuthority contains PEM-encoded certificate authority certificates + // used to validate the connection when fetching discovery information. + // If unset, the system verifier is used. + // Same value as the content of the file referenced by the --oidc-ca-file flag. + // +optional + CertificateAuthority string `json:"certificateAuthority,omitempty"` + + // audiences is the set of acceptable audiences the JWT must be issued to. + // At least one of the entries must match the "aud" claim in presented JWTs. + // Same value as the --oidc-client-id flag (though this field supports an array). + // Required to be non-empty. + // +required + Audiences []string `json:"audiences"` + + // audienceMatchPolicy defines how the "audiences" field is used to match the "aud" claim in the presented JWT. + // Allowed values are: + // 1. "MatchAny" when multiple audiences are specified and + // 2. empty (or unset) or "MatchAny" when a single audience is specified. + // + // - MatchAny: the "aud" claim in the presented JWT must match at least one of the entries in the "audiences" field. + // For example, if "audiences" is ["foo", "bar"], the "aud" claim in the presented JWT must contain either "foo" or "bar" (and may contain both). + // + // - "": The match policy can be empty (or unset) when a single audience is specified in the "audiences" field. The "aud" claim in the presented JWT must contain the single audience (and may contain others). + // + // For more nuanced audience validation, use claimValidationRules. + // example: claimValidationRule[].expression: 'sets.equivalent(claims.aud, ["bar", "foo", "baz"])' to require an exact match. + // +optional + AudienceMatchPolicy AudienceMatchPolicyType `json:"audienceMatchPolicy,omitempty"` + + // egressSelectorType is an indicator of which egress selection should be used for sending all traffic related + // to this issuer (discovery, JWKS, distributed claims, etc). If unspecified, no custom dialer is used. + // When specified, the valid choices are "controlplane" and "cluster". These correspond to the associated + // values in the --egress-selector-config-file. + // + // - controlplane: for traffic intended to go to the control plane. + // + // - cluster: for traffic intended to go to the system being managed by Kubernetes. + // + // +optional + EgressSelectorType EgressSelectorType `json:"egressSelectorType,omitempty"` +} + +// AudienceMatchPolicyType is a set of valid values for issuer.audienceMatchPolicy +type AudienceMatchPolicyType string + +// Valid types for AudienceMatchPolicyType +const ( + // MatchAny means the "aud" claim in the presented JWT must match at least one of the entries in the "audiences" field. + AudienceMatchPolicyMatchAny AudienceMatchPolicyType = "MatchAny" +) + +// EgressSelectorType is an indicator of which egress selection should be used for sending traffic. +type EgressSelectorType string + +const ( + // EgressSelectorControlPlane is the EgressSelectorType for traffic intended to go to the control plane. + EgressSelectorControlPlane EgressSelectorType = "controlplane" + + // EgressSelectorCluster is the EgressSelectorType for traffic intended to go to the system being managed by Kubernetes. + EgressSelectorCluster EgressSelectorType = "cluster" +) + +// ClaimValidationRule provides the configuration for a single claim validation rule. +type ClaimValidationRule struct { + // claim is the name of a required claim. + // Same as --oidc-required-claim flag. + // Only string claim keys are supported. + // Mutually exclusive with expression and message. + // +optional + Claim string `json:"claim,omitempty"` + // requiredValue is the value of a required claim. + // Same as --oidc-required-claim flag. + // Only string claim values are supported. + // If claim is set and requiredValue is not set, the claim must be present with a value set to the empty string. + // Mutually exclusive with expression and message. + // +optional + RequiredValue string `json:"requiredValue,omitempty"` + + // expression represents the expression which will be evaluated by CEL. + // Must produce a boolean. + // + // CEL expressions have access to the contents of the token claims, organized into CEL variable: + // - 'claims' is a map of claim names to claim values. + // For example, a variable named 'sub' can be accessed as 'claims.sub'. + // Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'. + // Must return true for the validation to pass. + // + // Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + // + // Mutually exclusive with claim and requiredValue. + // +optional + Expression string `json:"expression,omitempty"` + // message customizes the returned error message when expression returns false. + // message is a literal string. + // Mutually exclusive with claim and requiredValue. + // +optional + Message string `json:"message,omitempty"` +} + +// ClaimMappings provides the configuration for claim mapping +type ClaimMappings struct { + // username represents an option for the username attribute. + // The claim's value must be a singular string. + // Same as the --oidc-username-claim and --oidc-username-prefix flags. + // If username.expression is set, the expression must produce a string value. + // If username.expression uses 'claims.email', then 'claims.email_verified' must be used in + // username.expression or extra[*].valueExpression or claimValidationRules[*].expression. + // An example claim validation rule expression that matches the validation automatically + // applied when username.claim is set to 'email' is 'claims.?email_verified.orValue(true) == true'. By explicitly comparing + // the value to true, we let type-checking see the result will be a boolean, and to make sure a non-boolean email_verified + // claim will be caught at runtime. + // + // In the flag based approach, the --oidc-username-claim and --oidc-username-prefix are optional. If --oidc-username-claim is not set, + // the default value is "sub". For the authentication config, there is no defaulting for claim or prefix. The claim and prefix must be set explicitly. + // For claim, if --oidc-username-claim was not set with legacy flag approach, configure username.claim="sub" in the authentication config. + // For prefix: + // (1) --oidc-username-prefix="-", no prefix was added to the username. For the same behavior using authentication config, + // set username.prefix="" + // (2) --oidc-username-prefix="" and --oidc-username-claim != "email", prefix was "#". For the same + // behavior using authentication config, set username.prefix="#" + // (3) --oidc-username-prefix="". For the same behavior using authentication config, set username.prefix="" + // +required + Username PrefixedClaimOrExpression `json:"username"` + // groups represents an option for the groups attribute. + // The claim's value must be a string or string array claim. + // If groups.claim is set, the prefix must be specified (and can be the empty string). + // If groups.expression is set, the expression must produce a string or string array value. + // "", [], and null values are treated as the group mapping not being present. + // +optional + Groups PrefixedClaimOrExpression `json:"groups,omitempty"` + + // uid represents an option for the uid attribute. + // Claim must be a singular string claim. + // If uid.expression is set, the expression must produce a string value. + // +optional + UID ClaimOrExpression `json:"uid"` + + // extra represents an option for the extra attribute. + // expression must produce a string or string array value. + // If the value is empty, the extra mapping will not be present. + // + // hard-coded extra key/value + // - key: "foo" + // valueExpression: "'bar'" + // This will result in an extra attribute - foo: ["bar"] + // + // hard-coded key, value copying claim value + // - key: "foo" + // valueExpression: "claims.some_claim" + // This will result in an extra attribute - foo: [value of some_claim] + // + // hard-coded key, value derived from claim value + // - key: "admin" + // valueExpression: '(has(claims.is_admin) && claims.is_admin) ? "true":""' + // This will result in: + // - if is_admin claim is present and true, extra attribute - admin: ["true"] + // - if is_admin claim is present and false or is_admin claim is not present, no extra attribute will be added + // + // +optional + Extra []ExtraMapping `json:"extra,omitempty"` +} + +// PrefixedClaimOrExpression provides the configuration for a single prefixed claim or expression. +type PrefixedClaimOrExpression struct { + // claim is the JWT claim to use. + // Mutually exclusive with expression. + // +optional + Claim string `json:"claim,omitempty"` + // prefix is prepended to claim's value to prevent clashes with existing names. + // prefix needs to be set if claim is set and can be the empty string. + // Mutually exclusive with expression. + // +optional + Prefix *string `json:"prefix,omitempty"` + + // expression represents the expression which will be evaluated by CEL. + // + // CEL expressions have access to the contents of the token claims, organized into CEL variable: + // - 'claims' is a map of claim names to claim values. + // For example, a variable named 'sub' can be accessed as 'claims.sub'. + // Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'. + // + // Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + // + // Mutually exclusive with claim and prefix. + // +optional + Expression string `json:"expression,omitempty"` +} + +// ClaimOrExpression provides the configuration for a single claim or expression. +type ClaimOrExpression struct { + // claim is the JWT claim to use. + // Either claim or expression must be set. + // Mutually exclusive with expression. + // +optional + Claim string `json:"claim,omitempty"` + + // expression represents the expression which will be evaluated by CEL. + // + // CEL expressions have access to the contents of the token claims, organized into CEL variable: + // - 'claims' is a map of claim names to claim values. + // For example, a variable named 'sub' can be accessed as 'claims.sub'. + // Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'. + // + // Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + // + // Mutually exclusive with claim. + // +optional + Expression string `json:"expression,omitempty"` +} + +// ExtraMapping provides the configuration for a single extra mapping. +type ExtraMapping struct { + // key is a string to use as the extra attribute key. + // key must be a domain-prefix path (e.g. example.org/foo). All characters before the first "/" must be a valid + // subdomain as defined by RFC 1123. All characters trailing the first "/" must + // be valid HTTP Path characters as defined by RFC 3986. + // key must be lowercase. + // Required to be unique. + // +required + Key string `json:"key"` + + // valueExpression is a CEL expression to extract extra attribute value. + // valueExpression must produce a string or string array value. + // "", [], and null values are treated as the extra mapping not being present. + // Empty string values contained within a string array are filtered out. + // + // CEL expressions have access to the contents of the token claims, organized into CEL variable: + // - 'claims' is a map of claim names to claim values. + // For example, a variable named 'sub' can be accessed as 'claims.sub'. + // Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'. + // + // Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + // + // +required + ValueExpression string `json:"valueExpression"` +} + +// UserValidationRule provides the configuration for a single user info validation rule. +type UserValidationRule struct { + // expression represents the expression which will be evaluated by CEL. + // Must return true for the validation to pass. + // + // CEL expressions have access to the contents of UserInfo, organized into CEL variable: + // - 'user' - authentication.k8s.io/v1, Kind=UserInfo object + // Refer to https://github.com/kubernetes/api/blob/release-1.28/authentication/v1/types.go#L105-L122 for the definition. + // API documentation: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#userinfo-v1-authentication-k8s-io + // + // Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + // + // +required + Expression string `json:"expression"` + + // message customizes the returned error message when rule returns false. + // message is a literal string. + // +optional + Message string `json:"message,omitempty"` +} + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + type AuthorizationConfiguration struct { metav1.TypeMeta @@ -97,11 +464,23 @@ type WebhookConfiguration struct { // Same as setting `--authorization-webhook-cache-authorized-ttl` flag // Default: 5m0s AuthorizedTTL metav1.Duration `json:"authorizedTTL"` + // CacheAuthorizedRequests specifies whether authorized requests should be cached. + // If set to true, the TTL for cached decisions can be configured via the + // AuthorizedTTL field. + // Default: true + // +optional + CacheAuthorizedRequests *bool `json:"cacheAuthorizedRequests,omitempty"` // The duration to cache 'unauthorized' responses from the webhook // authorizer. // Same as setting `--authorization-webhook-cache-unauthorized-ttl` flag // Default: 30s UnauthorizedTTL metav1.Duration `json:"unauthorizedTTL"` + // CacheUnauthorizedRequests specifies whether unauthorized requests should be cached. + // If set to true, the TTL for cached decisions can be configured via the + // UnauthorizedTTL field. + // Default: true + // +optional + CacheUnauthorizedRequests *bool `json:"cacheUnauthorizedRequests,omitempty"` // Timeout for the webhook request // Maximum allowed value is 30s. // Required, no default value. @@ -174,3 +553,13 @@ type WebhookMatchCondition struct { // Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ Expression string `json:"expression"` } + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// TracingConfiguration provides versioned configuration for tracing clients. +type TracingConfiguration struct { + metav1.TypeMeta `json:",inline"` + + // Embed the component config tracing configuration struct + tracingapi.TracingConfiguration `json:",inline"` +} diff --git a/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1/zz_generated.conversion.go b/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1/zz_generated.conversion.go index 63083025a..325739c7c 100644 --- a/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1/zz_generated.conversion.go +++ b/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1/zz_generated.conversion.go @@ -67,6 +67,36 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*AnonymousAuthCondition)(nil), (*apiserver.AnonymousAuthCondition)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1_AnonymousAuthCondition_To_apiserver_AnonymousAuthCondition(a.(*AnonymousAuthCondition), b.(*apiserver.AnonymousAuthCondition), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*apiserver.AnonymousAuthCondition)(nil), (*AnonymousAuthCondition)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_apiserver_AnonymousAuthCondition_To_v1_AnonymousAuthCondition(a.(*apiserver.AnonymousAuthCondition), b.(*AnonymousAuthCondition), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*AnonymousAuthConfig)(nil), (*apiserver.AnonymousAuthConfig)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1_AnonymousAuthConfig_To_apiserver_AnonymousAuthConfig(a.(*AnonymousAuthConfig), b.(*apiserver.AnonymousAuthConfig), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*apiserver.AnonymousAuthConfig)(nil), (*AnonymousAuthConfig)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_apiserver_AnonymousAuthConfig_To_v1_AnonymousAuthConfig(a.(*apiserver.AnonymousAuthConfig), b.(*AnonymousAuthConfig), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*AuthenticationConfiguration)(nil), (*apiserver.AuthenticationConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1_AuthenticationConfiguration_To_apiserver_AuthenticationConfiguration(a.(*AuthenticationConfiguration), b.(*apiserver.AuthenticationConfiguration), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*apiserver.AuthenticationConfiguration)(nil), (*AuthenticationConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_apiserver_AuthenticationConfiguration_To_v1_AuthenticationConfiguration(a.(*apiserver.AuthenticationConfiguration), b.(*AuthenticationConfiguration), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*AuthorizationConfiguration)(nil), (*apiserver.AuthorizationConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1_AuthorizationConfiguration_To_apiserver_AuthorizationConfiguration(a.(*AuthorizationConfiguration), b.(*apiserver.AuthorizationConfiguration), scope) }); err != nil { @@ -87,6 +117,36 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*ClaimMappings)(nil), (*apiserver.ClaimMappings)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1_ClaimMappings_To_apiserver_ClaimMappings(a.(*ClaimMappings), b.(*apiserver.ClaimMappings), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*apiserver.ClaimMappings)(nil), (*ClaimMappings)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_apiserver_ClaimMappings_To_v1_ClaimMappings(a.(*apiserver.ClaimMappings), b.(*ClaimMappings), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*ClaimOrExpression)(nil), (*apiserver.ClaimOrExpression)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1_ClaimOrExpression_To_apiserver_ClaimOrExpression(a.(*ClaimOrExpression), b.(*apiserver.ClaimOrExpression), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*apiserver.ClaimOrExpression)(nil), (*ClaimOrExpression)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_apiserver_ClaimOrExpression_To_v1_ClaimOrExpression(a.(*apiserver.ClaimOrExpression), b.(*ClaimOrExpression), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*ClaimValidationRule)(nil), (*apiserver.ClaimValidationRule)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1_ClaimValidationRule_To_apiserver_ClaimValidationRule(a.(*ClaimValidationRule), b.(*apiserver.ClaimValidationRule), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*apiserver.ClaimValidationRule)(nil), (*ClaimValidationRule)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_apiserver_ClaimValidationRule_To_v1_ClaimValidationRule(a.(*apiserver.ClaimValidationRule), b.(*ClaimValidationRule), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*EncryptionConfiguration)(nil), (*apiserver.EncryptionConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1_EncryptionConfiguration_To_apiserver_EncryptionConfiguration(a.(*EncryptionConfiguration), b.(*apiserver.EncryptionConfiguration), scope) }); err != nil { @@ -97,6 +157,16 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*ExtraMapping)(nil), (*apiserver.ExtraMapping)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1_ExtraMapping_To_apiserver_ExtraMapping(a.(*ExtraMapping), b.(*apiserver.ExtraMapping), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*apiserver.ExtraMapping)(nil), (*ExtraMapping)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_apiserver_ExtraMapping_To_v1_ExtraMapping(a.(*apiserver.ExtraMapping), b.(*ExtraMapping), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*IdentityConfiguration)(nil), (*apiserver.IdentityConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1_IdentityConfiguration_To_apiserver_IdentityConfiguration(a.(*IdentityConfiguration), b.(*apiserver.IdentityConfiguration), scope) }); err != nil { @@ -107,6 +177,26 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*Issuer)(nil), (*apiserver.Issuer)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1_Issuer_To_apiserver_Issuer(a.(*Issuer), b.(*apiserver.Issuer), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*apiserver.Issuer)(nil), (*Issuer)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_apiserver_Issuer_To_v1_Issuer(a.(*apiserver.Issuer), b.(*Issuer), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*JWTAuthenticator)(nil), (*apiserver.JWTAuthenticator)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1_JWTAuthenticator_To_apiserver_JWTAuthenticator(a.(*JWTAuthenticator), b.(*apiserver.JWTAuthenticator), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*apiserver.JWTAuthenticator)(nil), (*JWTAuthenticator)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_apiserver_JWTAuthenticator_To_v1_JWTAuthenticator(a.(*apiserver.JWTAuthenticator), b.(*JWTAuthenticator), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*KMSConfiguration)(nil), (*apiserver.KMSConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1_KMSConfiguration_To_apiserver_KMSConfiguration(a.(*KMSConfiguration), b.(*apiserver.KMSConfiguration), scope) }); err != nil { @@ -127,6 +217,16 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*PrefixedClaimOrExpression)(nil), (*apiserver.PrefixedClaimOrExpression)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1_PrefixedClaimOrExpression_To_apiserver_PrefixedClaimOrExpression(a.(*PrefixedClaimOrExpression), b.(*apiserver.PrefixedClaimOrExpression), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*apiserver.PrefixedClaimOrExpression)(nil), (*PrefixedClaimOrExpression)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_apiserver_PrefixedClaimOrExpression_To_v1_PrefixedClaimOrExpression(a.(*apiserver.PrefixedClaimOrExpression), b.(*PrefixedClaimOrExpression), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*ProviderConfiguration)(nil), (*apiserver.ProviderConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1_ProviderConfiguration_To_apiserver_ProviderConfiguration(a.(*ProviderConfiguration), b.(*apiserver.ProviderConfiguration), scope) }); err != nil { @@ -157,6 +257,26 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*TracingConfiguration)(nil), (*apiserver.TracingConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1_TracingConfiguration_To_apiserver_TracingConfiguration(a.(*TracingConfiguration), b.(*apiserver.TracingConfiguration), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*apiserver.TracingConfiguration)(nil), (*TracingConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_apiserver_TracingConfiguration_To_v1_TracingConfiguration(a.(*apiserver.TracingConfiguration), b.(*TracingConfiguration), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*UserValidationRule)(nil), (*apiserver.UserValidationRule)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1_UserValidationRule_To_apiserver_UserValidationRule(a.(*UserValidationRule), b.(*apiserver.UserValidationRule), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*apiserver.UserValidationRule)(nil), (*UserValidationRule)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_apiserver_UserValidationRule_To_v1_UserValidationRule(a.(*apiserver.UserValidationRule), b.(*UserValidationRule), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*WebhookConfiguration)(nil), (*apiserver.WebhookConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1_WebhookConfiguration_To_apiserver_WebhookConfiguration(a.(*WebhookConfiguration), b.(*apiserver.WebhookConfiguration), scope) }); err != nil { @@ -254,8 +374,102 @@ func Convert_apiserver_AdmissionPluginConfiguration_To_v1_AdmissionPluginConfigu return autoConvert_apiserver_AdmissionPluginConfiguration_To_v1_AdmissionPluginConfiguration(in, out, s) } +func autoConvert_v1_AnonymousAuthCondition_To_apiserver_AnonymousAuthCondition(in *AnonymousAuthCondition, out *apiserver.AnonymousAuthCondition, s conversion.Scope) error { + out.Path = in.Path + return nil +} + +// Convert_v1_AnonymousAuthCondition_To_apiserver_AnonymousAuthCondition is an autogenerated conversion function. +func Convert_v1_AnonymousAuthCondition_To_apiserver_AnonymousAuthCondition(in *AnonymousAuthCondition, out *apiserver.AnonymousAuthCondition, s conversion.Scope) error { + return autoConvert_v1_AnonymousAuthCondition_To_apiserver_AnonymousAuthCondition(in, out, s) +} + +func autoConvert_apiserver_AnonymousAuthCondition_To_v1_AnonymousAuthCondition(in *apiserver.AnonymousAuthCondition, out *AnonymousAuthCondition, s conversion.Scope) error { + out.Path = in.Path + return nil +} + +// Convert_apiserver_AnonymousAuthCondition_To_v1_AnonymousAuthCondition is an autogenerated conversion function. +func Convert_apiserver_AnonymousAuthCondition_To_v1_AnonymousAuthCondition(in *apiserver.AnonymousAuthCondition, out *AnonymousAuthCondition, s conversion.Scope) error { + return autoConvert_apiserver_AnonymousAuthCondition_To_v1_AnonymousAuthCondition(in, out, s) +} + +func autoConvert_v1_AnonymousAuthConfig_To_apiserver_AnonymousAuthConfig(in *AnonymousAuthConfig, out *apiserver.AnonymousAuthConfig, s conversion.Scope) error { + out.Enabled = in.Enabled + out.Conditions = *(*[]apiserver.AnonymousAuthCondition)(unsafe.Pointer(&in.Conditions)) + return nil +} + +// Convert_v1_AnonymousAuthConfig_To_apiserver_AnonymousAuthConfig is an autogenerated conversion function. +func Convert_v1_AnonymousAuthConfig_To_apiserver_AnonymousAuthConfig(in *AnonymousAuthConfig, out *apiserver.AnonymousAuthConfig, s conversion.Scope) error { + return autoConvert_v1_AnonymousAuthConfig_To_apiserver_AnonymousAuthConfig(in, out, s) +} + +func autoConvert_apiserver_AnonymousAuthConfig_To_v1_AnonymousAuthConfig(in *apiserver.AnonymousAuthConfig, out *AnonymousAuthConfig, s conversion.Scope) error { + out.Enabled = in.Enabled + out.Conditions = *(*[]AnonymousAuthCondition)(unsafe.Pointer(&in.Conditions)) + return nil +} + +// Convert_apiserver_AnonymousAuthConfig_To_v1_AnonymousAuthConfig is an autogenerated conversion function. +func Convert_apiserver_AnonymousAuthConfig_To_v1_AnonymousAuthConfig(in *apiserver.AnonymousAuthConfig, out *AnonymousAuthConfig, s conversion.Scope) error { + return autoConvert_apiserver_AnonymousAuthConfig_To_v1_AnonymousAuthConfig(in, out, s) +} + +func autoConvert_v1_AuthenticationConfiguration_To_apiserver_AuthenticationConfiguration(in *AuthenticationConfiguration, out *apiserver.AuthenticationConfiguration, s conversion.Scope) error { + if in.JWT != nil { + in, out := &in.JWT, &out.JWT + *out = make([]apiserver.JWTAuthenticator, len(*in)) + for i := range *in { + if err := Convert_v1_JWTAuthenticator_To_apiserver_JWTAuthenticator(&(*in)[i], &(*out)[i], s); err != nil { + return err + } + } + } else { + out.JWT = nil + } + out.Anonymous = (*apiserver.AnonymousAuthConfig)(unsafe.Pointer(in.Anonymous)) + return nil +} + +// Convert_v1_AuthenticationConfiguration_To_apiserver_AuthenticationConfiguration is an autogenerated conversion function. +func Convert_v1_AuthenticationConfiguration_To_apiserver_AuthenticationConfiguration(in *AuthenticationConfiguration, out *apiserver.AuthenticationConfiguration, s conversion.Scope) error { + return autoConvert_v1_AuthenticationConfiguration_To_apiserver_AuthenticationConfiguration(in, out, s) +} + +func autoConvert_apiserver_AuthenticationConfiguration_To_v1_AuthenticationConfiguration(in *apiserver.AuthenticationConfiguration, out *AuthenticationConfiguration, s conversion.Scope) error { + if in.JWT != nil { + in, out := &in.JWT, &out.JWT + *out = make([]JWTAuthenticator, len(*in)) + for i := range *in { + if err := Convert_apiserver_JWTAuthenticator_To_v1_JWTAuthenticator(&(*in)[i], &(*out)[i], s); err != nil { + return err + } + } + } else { + out.JWT = nil + } + out.Anonymous = (*AnonymousAuthConfig)(unsafe.Pointer(in.Anonymous)) + return nil +} + +// Convert_apiserver_AuthenticationConfiguration_To_v1_AuthenticationConfiguration is an autogenerated conversion function. +func Convert_apiserver_AuthenticationConfiguration_To_v1_AuthenticationConfiguration(in *apiserver.AuthenticationConfiguration, out *AuthenticationConfiguration, s conversion.Scope) error { + return autoConvert_apiserver_AuthenticationConfiguration_To_v1_AuthenticationConfiguration(in, out, s) +} + func autoConvert_v1_AuthorizationConfiguration_To_apiserver_AuthorizationConfiguration(in *AuthorizationConfiguration, out *apiserver.AuthorizationConfiguration, s conversion.Scope) error { - out.Authorizers = *(*[]apiserver.AuthorizerConfiguration)(unsafe.Pointer(&in.Authorizers)) + if in.Authorizers != nil { + in, out := &in.Authorizers, &out.Authorizers + *out = make([]apiserver.AuthorizerConfiguration, len(*in)) + for i := range *in { + if err := Convert_v1_AuthorizerConfiguration_To_apiserver_AuthorizerConfiguration(&(*in)[i], &(*out)[i], s); err != nil { + return err + } + } + } else { + out.Authorizers = nil + } return nil } @@ -265,7 +479,17 @@ func Convert_v1_AuthorizationConfiguration_To_apiserver_AuthorizationConfigurati } func autoConvert_apiserver_AuthorizationConfiguration_To_v1_AuthorizationConfiguration(in *apiserver.AuthorizationConfiguration, out *AuthorizationConfiguration, s conversion.Scope) error { - out.Authorizers = *(*[]AuthorizerConfiguration)(unsafe.Pointer(&in.Authorizers)) + if in.Authorizers != nil { + in, out := &in.Authorizers, &out.Authorizers + *out = make([]AuthorizerConfiguration, len(*in)) + for i := range *in { + if err := Convert_apiserver_AuthorizerConfiguration_To_v1_AuthorizerConfiguration(&(*in)[i], &(*out)[i], s); err != nil { + return err + } + } + } else { + out.Authorizers = nil + } return nil } @@ -277,7 +501,15 @@ func Convert_apiserver_AuthorizationConfiguration_To_v1_AuthorizationConfigurati func autoConvert_v1_AuthorizerConfiguration_To_apiserver_AuthorizerConfiguration(in *AuthorizerConfiguration, out *apiserver.AuthorizerConfiguration, s conversion.Scope) error { out.Type = apiserver.AuthorizerType(in.Type) out.Name = in.Name - out.Webhook = (*apiserver.WebhookConfiguration)(unsafe.Pointer(in.Webhook)) + if in.Webhook != nil { + in, out := &in.Webhook, &out.Webhook + *out = new(apiserver.WebhookConfiguration) + if err := Convert_v1_WebhookConfiguration_To_apiserver_WebhookConfiguration(*in, *out, s); err != nil { + return err + } + } else { + out.Webhook = nil + } return nil } @@ -289,7 +521,15 @@ func Convert_v1_AuthorizerConfiguration_To_apiserver_AuthorizerConfiguration(in func autoConvert_apiserver_AuthorizerConfiguration_To_v1_AuthorizerConfiguration(in *apiserver.AuthorizerConfiguration, out *AuthorizerConfiguration, s conversion.Scope) error { out.Type = string(in.Type) out.Name = in.Name - out.Webhook = (*WebhookConfiguration)(unsafe.Pointer(in.Webhook)) + if in.Webhook != nil { + in, out := &in.Webhook, &out.Webhook + *out = new(WebhookConfiguration) + if err := Convert_apiserver_WebhookConfiguration_To_v1_WebhookConfiguration(*in, *out, s); err != nil { + return err + } + } else { + out.Webhook = nil + } return nil } @@ -298,6 +538,92 @@ func Convert_apiserver_AuthorizerConfiguration_To_v1_AuthorizerConfiguration(in return autoConvert_apiserver_AuthorizerConfiguration_To_v1_AuthorizerConfiguration(in, out, s) } +func autoConvert_v1_ClaimMappings_To_apiserver_ClaimMappings(in *ClaimMappings, out *apiserver.ClaimMappings, s conversion.Scope) error { + if err := Convert_v1_PrefixedClaimOrExpression_To_apiserver_PrefixedClaimOrExpression(&in.Username, &out.Username, s); err != nil { + return err + } + if err := Convert_v1_PrefixedClaimOrExpression_To_apiserver_PrefixedClaimOrExpression(&in.Groups, &out.Groups, s); err != nil { + return err + } + if err := Convert_v1_ClaimOrExpression_To_apiserver_ClaimOrExpression(&in.UID, &out.UID, s); err != nil { + return err + } + out.Extra = *(*[]apiserver.ExtraMapping)(unsafe.Pointer(&in.Extra)) + return nil +} + +// Convert_v1_ClaimMappings_To_apiserver_ClaimMappings is an autogenerated conversion function. +func Convert_v1_ClaimMappings_To_apiserver_ClaimMappings(in *ClaimMappings, out *apiserver.ClaimMappings, s conversion.Scope) error { + return autoConvert_v1_ClaimMappings_To_apiserver_ClaimMappings(in, out, s) +} + +func autoConvert_apiserver_ClaimMappings_To_v1_ClaimMappings(in *apiserver.ClaimMappings, out *ClaimMappings, s conversion.Scope) error { + if err := Convert_apiserver_PrefixedClaimOrExpression_To_v1_PrefixedClaimOrExpression(&in.Username, &out.Username, s); err != nil { + return err + } + if err := Convert_apiserver_PrefixedClaimOrExpression_To_v1_PrefixedClaimOrExpression(&in.Groups, &out.Groups, s); err != nil { + return err + } + if err := Convert_apiserver_ClaimOrExpression_To_v1_ClaimOrExpression(&in.UID, &out.UID, s); err != nil { + return err + } + out.Extra = *(*[]ExtraMapping)(unsafe.Pointer(&in.Extra)) + return nil +} + +// Convert_apiserver_ClaimMappings_To_v1_ClaimMappings is an autogenerated conversion function. +func Convert_apiserver_ClaimMappings_To_v1_ClaimMappings(in *apiserver.ClaimMappings, out *ClaimMappings, s conversion.Scope) error { + return autoConvert_apiserver_ClaimMappings_To_v1_ClaimMappings(in, out, s) +} + +func autoConvert_v1_ClaimOrExpression_To_apiserver_ClaimOrExpression(in *ClaimOrExpression, out *apiserver.ClaimOrExpression, s conversion.Scope) error { + out.Claim = in.Claim + out.Expression = in.Expression + return nil +} + +// Convert_v1_ClaimOrExpression_To_apiserver_ClaimOrExpression is an autogenerated conversion function. +func Convert_v1_ClaimOrExpression_To_apiserver_ClaimOrExpression(in *ClaimOrExpression, out *apiserver.ClaimOrExpression, s conversion.Scope) error { + return autoConvert_v1_ClaimOrExpression_To_apiserver_ClaimOrExpression(in, out, s) +} + +func autoConvert_apiserver_ClaimOrExpression_To_v1_ClaimOrExpression(in *apiserver.ClaimOrExpression, out *ClaimOrExpression, s conversion.Scope) error { + out.Claim = in.Claim + out.Expression = in.Expression + return nil +} + +// Convert_apiserver_ClaimOrExpression_To_v1_ClaimOrExpression is an autogenerated conversion function. +func Convert_apiserver_ClaimOrExpression_To_v1_ClaimOrExpression(in *apiserver.ClaimOrExpression, out *ClaimOrExpression, s conversion.Scope) error { + return autoConvert_apiserver_ClaimOrExpression_To_v1_ClaimOrExpression(in, out, s) +} + +func autoConvert_v1_ClaimValidationRule_To_apiserver_ClaimValidationRule(in *ClaimValidationRule, out *apiserver.ClaimValidationRule, s conversion.Scope) error { + out.Claim = in.Claim + out.RequiredValue = in.RequiredValue + out.Expression = in.Expression + out.Message = in.Message + return nil +} + +// Convert_v1_ClaimValidationRule_To_apiserver_ClaimValidationRule is an autogenerated conversion function. +func Convert_v1_ClaimValidationRule_To_apiserver_ClaimValidationRule(in *ClaimValidationRule, out *apiserver.ClaimValidationRule, s conversion.Scope) error { + return autoConvert_v1_ClaimValidationRule_To_apiserver_ClaimValidationRule(in, out, s) +} + +func autoConvert_apiserver_ClaimValidationRule_To_v1_ClaimValidationRule(in *apiserver.ClaimValidationRule, out *ClaimValidationRule, s conversion.Scope) error { + out.Claim = in.Claim + out.RequiredValue = in.RequiredValue + out.Expression = in.Expression + out.Message = in.Message + return nil +} + +// Convert_apiserver_ClaimValidationRule_To_v1_ClaimValidationRule is an autogenerated conversion function. +func Convert_apiserver_ClaimValidationRule_To_v1_ClaimValidationRule(in *apiserver.ClaimValidationRule, out *ClaimValidationRule, s conversion.Scope) error { + return autoConvert_apiserver_ClaimValidationRule_To_v1_ClaimValidationRule(in, out, s) +} + func autoConvert_v1_EncryptionConfiguration_To_apiserver_EncryptionConfiguration(in *EncryptionConfiguration, out *apiserver.EncryptionConfiguration, s conversion.Scope) error { out.Resources = *(*[]apiserver.ResourceConfiguration)(unsafe.Pointer(&in.Resources)) return nil @@ -318,6 +644,28 @@ func Convert_apiserver_EncryptionConfiguration_To_v1_EncryptionConfiguration(in return autoConvert_apiserver_EncryptionConfiguration_To_v1_EncryptionConfiguration(in, out, s) } +func autoConvert_v1_ExtraMapping_To_apiserver_ExtraMapping(in *ExtraMapping, out *apiserver.ExtraMapping, s conversion.Scope) error { + out.Key = in.Key + out.ValueExpression = in.ValueExpression + return nil +} + +// Convert_v1_ExtraMapping_To_apiserver_ExtraMapping is an autogenerated conversion function. +func Convert_v1_ExtraMapping_To_apiserver_ExtraMapping(in *ExtraMapping, out *apiserver.ExtraMapping, s conversion.Scope) error { + return autoConvert_v1_ExtraMapping_To_apiserver_ExtraMapping(in, out, s) +} + +func autoConvert_apiserver_ExtraMapping_To_v1_ExtraMapping(in *apiserver.ExtraMapping, out *ExtraMapping, s conversion.Scope) error { + out.Key = in.Key + out.ValueExpression = in.ValueExpression + return nil +} + +// Convert_apiserver_ExtraMapping_To_v1_ExtraMapping is an autogenerated conversion function. +func Convert_apiserver_ExtraMapping_To_v1_ExtraMapping(in *apiserver.ExtraMapping, out *ExtraMapping, s conversion.Scope) error { + return autoConvert_apiserver_ExtraMapping_To_v1_ExtraMapping(in, out, s) +} + func autoConvert_v1_IdentityConfiguration_To_apiserver_IdentityConfiguration(in *IdentityConfiguration, out *apiserver.IdentityConfiguration, s conversion.Scope) error { return nil } @@ -336,6 +684,74 @@ func Convert_apiserver_IdentityConfiguration_To_v1_IdentityConfiguration(in *api return autoConvert_apiserver_IdentityConfiguration_To_v1_IdentityConfiguration(in, out, s) } +func autoConvert_v1_Issuer_To_apiserver_Issuer(in *Issuer, out *apiserver.Issuer, s conversion.Scope) error { + out.URL = in.URL + if err := metav1.Convert_Pointer_string_To_string(&in.DiscoveryURL, &out.DiscoveryURL, s); err != nil { + return err + } + out.CertificateAuthority = in.CertificateAuthority + out.Audiences = *(*[]string)(unsafe.Pointer(&in.Audiences)) + out.AudienceMatchPolicy = apiserver.AudienceMatchPolicyType(in.AudienceMatchPolicy) + out.EgressSelectorType = apiserver.EgressSelectorType(in.EgressSelectorType) + return nil +} + +// Convert_v1_Issuer_To_apiserver_Issuer is an autogenerated conversion function. +func Convert_v1_Issuer_To_apiserver_Issuer(in *Issuer, out *apiserver.Issuer, s conversion.Scope) error { + return autoConvert_v1_Issuer_To_apiserver_Issuer(in, out, s) +} + +func autoConvert_apiserver_Issuer_To_v1_Issuer(in *apiserver.Issuer, out *Issuer, s conversion.Scope) error { + out.URL = in.URL + if err := metav1.Convert_string_To_Pointer_string(&in.DiscoveryURL, &out.DiscoveryURL, s); err != nil { + return err + } + out.CertificateAuthority = in.CertificateAuthority + out.Audiences = *(*[]string)(unsafe.Pointer(&in.Audiences)) + out.AudienceMatchPolicy = AudienceMatchPolicyType(in.AudienceMatchPolicy) + out.EgressSelectorType = EgressSelectorType(in.EgressSelectorType) + return nil +} + +// Convert_apiserver_Issuer_To_v1_Issuer is an autogenerated conversion function. +func Convert_apiserver_Issuer_To_v1_Issuer(in *apiserver.Issuer, out *Issuer, s conversion.Scope) error { + return autoConvert_apiserver_Issuer_To_v1_Issuer(in, out, s) +} + +func autoConvert_v1_JWTAuthenticator_To_apiserver_JWTAuthenticator(in *JWTAuthenticator, out *apiserver.JWTAuthenticator, s conversion.Scope) error { + if err := Convert_v1_Issuer_To_apiserver_Issuer(&in.Issuer, &out.Issuer, s); err != nil { + return err + } + out.ClaimValidationRules = *(*[]apiserver.ClaimValidationRule)(unsafe.Pointer(&in.ClaimValidationRules)) + if err := Convert_v1_ClaimMappings_To_apiserver_ClaimMappings(&in.ClaimMappings, &out.ClaimMappings, s); err != nil { + return err + } + out.UserValidationRules = *(*[]apiserver.UserValidationRule)(unsafe.Pointer(&in.UserValidationRules)) + return nil +} + +// Convert_v1_JWTAuthenticator_To_apiserver_JWTAuthenticator is an autogenerated conversion function. +func Convert_v1_JWTAuthenticator_To_apiserver_JWTAuthenticator(in *JWTAuthenticator, out *apiserver.JWTAuthenticator, s conversion.Scope) error { + return autoConvert_v1_JWTAuthenticator_To_apiserver_JWTAuthenticator(in, out, s) +} + +func autoConvert_apiserver_JWTAuthenticator_To_v1_JWTAuthenticator(in *apiserver.JWTAuthenticator, out *JWTAuthenticator, s conversion.Scope) error { + if err := Convert_apiserver_Issuer_To_v1_Issuer(&in.Issuer, &out.Issuer, s); err != nil { + return err + } + out.ClaimValidationRules = *(*[]ClaimValidationRule)(unsafe.Pointer(&in.ClaimValidationRules)) + if err := Convert_apiserver_ClaimMappings_To_v1_ClaimMappings(&in.ClaimMappings, &out.ClaimMappings, s); err != nil { + return err + } + out.UserValidationRules = *(*[]UserValidationRule)(unsafe.Pointer(&in.UserValidationRules)) + return nil +} + +// Convert_apiserver_JWTAuthenticator_To_v1_JWTAuthenticator is an autogenerated conversion function. +func Convert_apiserver_JWTAuthenticator_To_v1_JWTAuthenticator(in *apiserver.JWTAuthenticator, out *JWTAuthenticator, s conversion.Scope) error { + return autoConvert_apiserver_JWTAuthenticator_To_v1_JWTAuthenticator(in, out, s) +} + func autoConvert_v1_KMSConfiguration_To_apiserver_KMSConfiguration(in *KMSConfiguration, out *apiserver.KMSConfiguration, s conversion.Scope) error { out.APIVersion = in.APIVersion out.Name = in.Name @@ -386,6 +802,30 @@ func Convert_apiserver_Key_To_v1_Key(in *apiserver.Key, out *Key, s conversion.S return autoConvert_apiserver_Key_To_v1_Key(in, out, s) } +func autoConvert_v1_PrefixedClaimOrExpression_To_apiserver_PrefixedClaimOrExpression(in *PrefixedClaimOrExpression, out *apiserver.PrefixedClaimOrExpression, s conversion.Scope) error { + out.Claim = in.Claim + out.Prefix = (*string)(unsafe.Pointer(in.Prefix)) + out.Expression = in.Expression + return nil +} + +// Convert_v1_PrefixedClaimOrExpression_To_apiserver_PrefixedClaimOrExpression is an autogenerated conversion function. +func Convert_v1_PrefixedClaimOrExpression_To_apiserver_PrefixedClaimOrExpression(in *PrefixedClaimOrExpression, out *apiserver.PrefixedClaimOrExpression, s conversion.Scope) error { + return autoConvert_v1_PrefixedClaimOrExpression_To_apiserver_PrefixedClaimOrExpression(in, out, s) +} + +func autoConvert_apiserver_PrefixedClaimOrExpression_To_v1_PrefixedClaimOrExpression(in *apiserver.PrefixedClaimOrExpression, out *PrefixedClaimOrExpression, s conversion.Scope) error { + out.Claim = in.Claim + out.Prefix = (*string)(unsafe.Pointer(in.Prefix)) + out.Expression = in.Expression + return nil +} + +// Convert_apiserver_PrefixedClaimOrExpression_To_v1_PrefixedClaimOrExpression is an autogenerated conversion function. +func Convert_apiserver_PrefixedClaimOrExpression_To_v1_PrefixedClaimOrExpression(in *apiserver.PrefixedClaimOrExpression, out *PrefixedClaimOrExpression, s conversion.Scope) error { + return autoConvert_apiserver_PrefixedClaimOrExpression_To_v1_PrefixedClaimOrExpression(in, out, s) +} + func autoConvert_v1_ProviderConfiguration_To_apiserver_ProviderConfiguration(in *ProviderConfiguration, out *apiserver.ProviderConfiguration, s conversion.Scope) error { out.AESGCM = (*apiserver.AESConfiguration)(unsafe.Pointer(in.AESGCM)) out.AESCBC = (*apiserver.AESConfiguration)(unsafe.Pointer(in.AESCBC)) @@ -456,9 +896,57 @@ func Convert_apiserver_SecretboxConfiguration_To_v1_SecretboxConfiguration(in *a return autoConvert_apiserver_SecretboxConfiguration_To_v1_SecretboxConfiguration(in, out, s) } +func autoConvert_v1_TracingConfiguration_To_apiserver_TracingConfiguration(in *TracingConfiguration, out *apiserver.TracingConfiguration, s conversion.Scope) error { + out.TracingConfiguration = in.TracingConfiguration + return nil +} + +// Convert_v1_TracingConfiguration_To_apiserver_TracingConfiguration is an autogenerated conversion function. +func Convert_v1_TracingConfiguration_To_apiserver_TracingConfiguration(in *TracingConfiguration, out *apiserver.TracingConfiguration, s conversion.Scope) error { + return autoConvert_v1_TracingConfiguration_To_apiserver_TracingConfiguration(in, out, s) +} + +func autoConvert_apiserver_TracingConfiguration_To_v1_TracingConfiguration(in *apiserver.TracingConfiguration, out *TracingConfiguration, s conversion.Scope) error { + out.TracingConfiguration = in.TracingConfiguration + return nil +} + +// Convert_apiserver_TracingConfiguration_To_v1_TracingConfiguration is an autogenerated conversion function. +func Convert_apiserver_TracingConfiguration_To_v1_TracingConfiguration(in *apiserver.TracingConfiguration, out *TracingConfiguration, s conversion.Scope) error { + return autoConvert_apiserver_TracingConfiguration_To_v1_TracingConfiguration(in, out, s) +} + +func autoConvert_v1_UserValidationRule_To_apiserver_UserValidationRule(in *UserValidationRule, out *apiserver.UserValidationRule, s conversion.Scope) error { + out.Expression = in.Expression + out.Message = in.Message + return nil +} + +// Convert_v1_UserValidationRule_To_apiserver_UserValidationRule is an autogenerated conversion function. +func Convert_v1_UserValidationRule_To_apiserver_UserValidationRule(in *UserValidationRule, out *apiserver.UserValidationRule, s conversion.Scope) error { + return autoConvert_v1_UserValidationRule_To_apiserver_UserValidationRule(in, out, s) +} + +func autoConvert_apiserver_UserValidationRule_To_v1_UserValidationRule(in *apiserver.UserValidationRule, out *UserValidationRule, s conversion.Scope) error { + out.Expression = in.Expression + out.Message = in.Message + return nil +} + +// Convert_apiserver_UserValidationRule_To_v1_UserValidationRule is an autogenerated conversion function. +func Convert_apiserver_UserValidationRule_To_v1_UserValidationRule(in *apiserver.UserValidationRule, out *UserValidationRule, s conversion.Scope) error { + return autoConvert_apiserver_UserValidationRule_To_v1_UserValidationRule(in, out, s) +} + func autoConvert_v1_WebhookConfiguration_To_apiserver_WebhookConfiguration(in *WebhookConfiguration, out *apiserver.WebhookConfiguration, s conversion.Scope) error { out.AuthorizedTTL = in.AuthorizedTTL + if err := metav1.Convert_Pointer_bool_To_bool(&in.CacheAuthorizedRequests, &out.CacheAuthorizedRequests, s); err != nil { + return err + } out.UnauthorizedTTL = in.UnauthorizedTTL + if err := metav1.Convert_Pointer_bool_To_bool(&in.CacheUnauthorizedRequests, &out.CacheUnauthorizedRequests, s); err != nil { + return err + } out.Timeout = in.Timeout out.SubjectAccessReviewVersion = in.SubjectAccessReviewVersion out.MatchConditionSubjectAccessReviewVersion = in.MatchConditionSubjectAccessReviewVersion @@ -477,7 +965,13 @@ func Convert_v1_WebhookConfiguration_To_apiserver_WebhookConfiguration(in *Webho func autoConvert_apiserver_WebhookConfiguration_To_v1_WebhookConfiguration(in *apiserver.WebhookConfiguration, out *WebhookConfiguration, s conversion.Scope) error { out.AuthorizedTTL = in.AuthorizedTTL + if err := metav1.Convert_bool_To_Pointer_bool(&in.CacheAuthorizedRequests, &out.CacheAuthorizedRequests, s); err != nil { + return err + } out.UnauthorizedTTL = in.UnauthorizedTTL + if err := metav1.Convert_bool_To_Pointer_bool(&in.CacheUnauthorizedRequests, &out.CacheUnauthorizedRequests, s); err != nil { + return err + } out.Timeout = in.Timeout out.SubjectAccessReviewVersion = in.SubjectAccessReviewVersion out.MatchConditionSubjectAccessReviewVersion = in.MatchConditionSubjectAccessReviewVersion diff --git a/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1/zz_generated.deepcopy.go b/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1/zz_generated.deepcopy.go index 6afdbd3a2..acb1b46ed 100644 --- a/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1/zz_generated.deepcopy.go +++ b/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1/zz_generated.deepcopy.go @@ -100,6 +100,80 @@ func (in *AdmissionPluginConfiguration) DeepCopy() *AdmissionPluginConfiguration return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AnonymousAuthCondition) DeepCopyInto(out *AnonymousAuthCondition) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AnonymousAuthCondition. +func (in *AnonymousAuthCondition) DeepCopy() *AnonymousAuthCondition { + if in == nil { + return nil + } + out := new(AnonymousAuthCondition) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AnonymousAuthConfig) DeepCopyInto(out *AnonymousAuthConfig) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]AnonymousAuthCondition, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AnonymousAuthConfig. +func (in *AnonymousAuthConfig) DeepCopy() *AnonymousAuthConfig { + if in == nil { + return nil + } + out := new(AnonymousAuthConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthenticationConfiguration) DeepCopyInto(out *AuthenticationConfiguration) { + *out = *in + out.TypeMeta = in.TypeMeta + if in.JWT != nil { + in, out := &in.JWT, &out.JWT + *out = make([]JWTAuthenticator, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Anonymous != nil { + in, out := &in.Anonymous, &out.Anonymous + *out = new(AnonymousAuthConfig) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthenticationConfiguration. +func (in *AuthenticationConfiguration) DeepCopy() *AuthenticationConfiguration { + if in == nil { + return nil + } + out := new(AuthenticationConfiguration) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *AuthenticationConfiguration) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthorizationConfiguration) DeepCopyInto(out *AuthorizationConfiguration) { *out = *in @@ -153,6 +227,62 @@ func (in *AuthorizerConfiguration) DeepCopy() *AuthorizerConfiguration { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClaimMappings) DeepCopyInto(out *ClaimMappings) { + *out = *in + in.Username.DeepCopyInto(&out.Username) + in.Groups.DeepCopyInto(&out.Groups) + out.UID = in.UID + if in.Extra != nil { + in, out := &in.Extra, &out.Extra + *out = make([]ExtraMapping, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClaimMappings. +func (in *ClaimMappings) DeepCopy() *ClaimMappings { + if in == nil { + return nil + } + out := new(ClaimMappings) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClaimOrExpression) DeepCopyInto(out *ClaimOrExpression) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClaimOrExpression. +func (in *ClaimOrExpression) DeepCopy() *ClaimOrExpression { + if in == nil { + return nil + } + out := new(ClaimOrExpression) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClaimValidationRule) DeepCopyInto(out *ClaimValidationRule) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClaimValidationRule. +func (in *ClaimValidationRule) DeepCopy() *ClaimValidationRule { + if in == nil { + return nil + } + out := new(ClaimValidationRule) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *EncryptionConfiguration) DeepCopyInto(out *EncryptionConfiguration) { *out = *in @@ -185,6 +315,22 @@ func (in *EncryptionConfiguration) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExtraMapping) DeepCopyInto(out *ExtraMapping) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtraMapping. +func (in *ExtraMapping) DeepCopy() *ExtraMapping { + if in == nil { + return nil + } + out := new(ExtraMapping) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *IdentityConfiguration) DeepCopyInto(out *IdentityConfiguration) { *out = *in @@ -201,6 +347,60 @@ func (in *IdentityConfiguration) DeepCopy() *IdentityConfiguration { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Issuer) DeepCopyInto(out *Issuer) { + *out = *in + if in.DiscoveryURL != nil { + in, out := &in.DiscoveryURL, &out.DiscoveryURL + *out = new(string) + **out = **in + } + if in.Audiences != nil { + in, out := &in.Audiences, &out.Audiences + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Issuer. +func (in *Issuer) DeepCopy() *Issuer { + if in == nil { + return nil + } + out := new(Issuer) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator) { + *out = *in + in.Issuer.DeepCopyInto(&out.Issuer) + if in.ClaimValidationRules != nil { + in, out := &in.ClaimValidationRules, &out.ClaimValidationRules + *out = make([]ClaimValidationRule, len(*in)) + copy(*out, *in) + } + in.ClaimMappings.DeepCopyInto(&out.ClaimMappings) + if in.UserValidationRules != nil { + in, out := &in.UserValidationRules, &out.UserValidationRules + *out = make([]UserValidationRule, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTAuthenticator. +func (in *JWTAuthenticator) DeepCopy() *JWTAuthenticator { + if in == nil { + return nil + } + out := new(JWTAuthenticator) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *KMSConfiguration) DeepCopyInto(out *KMSConfiguration) { *out = *in @@ -243,6 +443,27 @@ func (in *Key) DeepCopy() *Key { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PrefixedClaimOrExpression) DeepCopyInto(out *PrefixedClaimOrExpression) { + *out = *in + if in.Prefix != nil { + in, out := &in.Prefix, &out.Prefix + *out = new(string) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrefixedClaimOrExpression. +func (in *PrefixedClaimOrExpression) DeepCopy() *PrefixedClaimOrExpression { + if in == nil { + return nil + } + out := new(PrefixedClaimOrExpression) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ProviderConfiguration) DeepCopyInto(out *ProviderConfiguration) { *out = *in @@ -333,11 +554,63 @@ func (in *SecretboxConfiguration) DeepCopy() *SecretboxConfiguration { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TracingConfiguration) DeepCopyInto(out *TracingConfiguration) { + *out = *in + out.TypeMeta = in.TypeMeta + in.TracingConfiguration.DeepCopyInto(&out.TracingConfiguration) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TracingConfiguration. +func (in *TracingConfiguration) DeepCopy() *TracingConfiguration { + if in == nil { + return nil + } + out := new(TracingConfiguration) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *TracingConfiguration) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *UserValidationRule) DeepCopyInto(out *UserValidationRule) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserValidationRule. +func (in *UserValidationRule) DeepCopy() *UserValidationRule { + if in == nil { + return nil + } + out := new(UserValidationRule) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *WebhookConfiguration) DeepCopyInto(out *WebhookConfiguration) { *out = *in out.AuthorizedTTL = in.AuthorizedTTL + if in.CacheAuthorizedRequests != nil { + in, out := &in.CacheAuthorizedRequests, &out.CacheAuthorizedRequests + *out = new(bool) + **out = **in + } out.UnauthorizedTTL = in.UnauthorizedTTL + if in.CacheUnauthorizedRequests != nil { + in, out := &in.CacheUnauthorizedRequests, &out.CacheUnauthorizedRequests + *out = new(bool) + **out = **in + } out.Timeout = in.Timeout in.ConnectionInfo.DeepCopyInto(&out.ConnectionInfo) if in.MatchConditions != nil { diff --git a/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/defaults.go b/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/defaults.go index a9af01fe7..825173b16 100644 --- a/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/defaults.go +++ b/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/defaults.go @@ -20,6 +20,7 @@ import ( "time" "k8s.io/apimachinery/pkg/runtime" + "k8s.io/utils/ptr" ) func addDefaultingFuncs(scheme *runtime.Scheme) error { @@ -30,7 +31,13 @@ func SetDefaults_WebhookConfiguration(obj *WebhookConfiguration) { if obj.AuthorizedTTL.Duration == 0 { obj.AuthorizedTTL.Duration = 5 * time.Minute } + if obj.CacheAuthorizedRequests == nil { + obj.CacheAuthorizedRequests = ptr.To(true) + } if obj.UnauthorizedTTL.Duration == 0 { obj.UnauthorizedTTL.Duration = 30 * time.Second } + if obj.CacheUnauthorizedRequests == nil { + obj.CacheUnauthorizedRequests = ptr.To(true) + } } diff --git a/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go b/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go index 0a50799c2..6e0f86da8 100644 --- a/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go +++ b/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go @@ -295,6 +295,18 @@ type Issuer struct { // example: claimValidationRule[].expression: 'sets.equivalent(claims.aud, ["bar", "foo", "baz"])' to require an exact match. // +optional AudienceMatchPolicy AudienceMatchPolicyType `json:"audienceMatchPolicy,omitempty"` + + // egressSelectorType is an indicator of which egress selection should be used for sending all traffic related + // to this issuer (discovery, JWKS, distributed claims, etc). If unspecified, no custom dialer is used. + // When specified, the valid choices are "controlplane" and "cluster". These correspond to the associated + // values in the --egress-selector-config-file. + // + // - controlplane: for traffic intended to go to the control plane. + // + // - cluster: for traffic intended to go to the system being managed by Kubernetes. + // + // +optional + EgressSelectorType EgressSelectorType `json:"egressSelectorType,omitempty"` } // AudienceMatchPolicyType is a set of valid values for issuer.audienceMatchPolicy @@ -306,6 +318,17 @@ const ( AudienceMatchPolicyMatchAny AudienceMatchPolicyType = "MatchAny" ) +// EgressSelectorType is an indicator of which egress selection should be used for sending traffic. +type EgressSelectorType string + +const ( + // EgressSelectorControlPlane is the EgressSelectorType for traffic intended to go to the control plane. + EgressSelectorControlPlane EgressSelectorType = "controlplane" + + // EgressSelectorCluster is the EgressSelectorType for traffic intended to go to the system being managed by Kubernetes. + EgressSelectorCluster EgressSelectorType = "cluster" +) + // ClaimValidationRule provides the configuration for a single claim validation rule. type ClaimValidationRule struct { // claim is the name of a required claim. @@ -550,11 +573,23 @@ type WebhookConfiguration struct { // Same as setting `--authorization-webhook-cache-authorized-ttl` flag // Default: 5m0s AuthorizedTTL metav1.Duration `json:"authorizedTTL"` + // CacheAuthorizedRequests specifies whether authorized requests should be cached. + // If set to true, the TTL for cached decisions can be configured via the + // AuthorizedTTL field. + // Default: true + // +optional + CacheAuthorizedRequests *bool `json:"cacheAuthorizedRequests,omitempty"` // The duration to cache 'unauthorized' responses from the webhook // authorizer. // Same as setting `--authorization-webhook-cache-unauthorized-ttl` flag // Default: 30s UnauthorizedTTL metav1.Duration `json:"unauthorizedTTL"` + // CacheUnauthorizedRequests specifies whether unauthorized requests should be cached. + // If set to true, the TTL for cached decisions can be configured via the + // UnauthorizedTTL field. + // Default: true + // +optional + CacheUnauthorizedRequests *bool `json:"cacheUnauthorizedRequests,omitempty"` // Timeout for the webhook request // Maximum allowed value is 30s. // Required, no default value. diff --git a/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/zz_generated.conversion.go b/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/zz_generated.conversion.go index 3a6c66c3a..9d7a8ce62 100644 --- a/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/zz_generated.conversion.go +++ b/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/zz_generated.conversion.go @@ -429,7 +429,17 @@ func Convert_apiserver_AuthenticationConfiguration_To_v1alpha1_AuthenticationCon } func autoConvert_v1alpha1_AuthorizationConfiguration_To_apiserver_AuthorizationConfiguration(in *AuthorizationConfiguration, out *apiserver.AuthorizationConfiguration, s conversion.Scope) error { - out.Authorizers = *(*[]apiserver.AuthorizerConfiguration)(unsafe.Pointer(&in.Authorizers)) + if in.Authorizers != nil { + in, out := &in.Authorizers, &out.Authorizers + *out = make([]apiserver.AuthorizerConfiguration, len(*in)) + for i := range *in { + if err := Convert_v1alpha1_AuthorizerConfiguration_To_apiserver_AuthorizerConfiguration(&(*in)[i], &(*out)[i], s); err != nil { + return err + } + } + } else { + out.Authorizers = nil + } return nil } @@ -439,7 +449,17 @@ func Convert_v1alpha1_AuthorizationConfiguration_To_apiserver_AuthorizationConfi } func autoConvert_apiserver_AuthorizationConfiguration_To_v1alpha1_AuthorizationConfiguration(in *apiserver.AuthorizationConfiguration, out *AuthorizationConfiguration, s conversion.Scope) error { - out.Authorizers = *(*[]AuthorizerConfiguration)(unsafe.Pointer(&in.Authorizers)) + if in.Authorizers != nil { + in, out := &in.Authorizers, &out.Authorizers + *out = make([]AuthorizerConfiguration, len(*in)) + for i := range *in { + if err := Convert_apiserver_AuthorizerConfiguration_To_v1alpha1_AuthorizerConfiguration(&(*in)[i], &(*out)[i], s); err != nil { + return err + } + } + } else { + out.Authorizers = nil + } return nil } @@ -451,7 +471,15 @@ func Convert_apiserver_AuthorizationConfiguration_To_v1alpha1_AuthorizationConfi func autoConvert_v1alpha1_AuthorizerConfiguration_To_apiserver_AuthorizerConfiguration(in *AuthorizerConfiguration, out *apiserver.AuthorizerConfiguration, s conversion.Scope) error { out.Type = apiserver.AuthorizerType(in.Type) out.Name = in.Name - out.Webhook = (*apiserver.WebhookConfiguration)(unsafe.Pointer(in.Webhook)) + if in.Webhook != nil { + in, out := &in.Webhook, &out.Webhook + *out = new(apiserver.WebhookConfiguration) + if err := Convert_v1alpha1_WebhookConfiguration_To_apiserver_WebhookConfiguration(*in, *out, s); err != nil { + return err + } + } else { + out.Webhook = nil + } return nil } @@ -463,7 +491,15 @@ func Convert_v1alpha1_AuthorizerConfiguration_To_apiserver_AuthorizerConfigurati func autoConvert_apiserver_AuthorizerConfiguration_To_v1alpha1_AuthorizerConfiguration(in *apiserver.AuthorizerConfiguration, out *AuthorizerConfiguration, s conversion.Scope) error { out.Type = string(in.Type) out.Name = in.Name - out.Webhook = (*WebhookConfiguration)(unsafe.Pointer(in.Webhook)) + if in.Webhook != nil { + in, out := &in.Webhook, &out.Webhook + *out = new(WebhookConfiguration) + if err := Convert_apiserver_WebhookConfiguration_To_v1alpha1_WebhookConfiguration(*in, *out, s); err != nil { + return err + } + } else { + out.Webhook = nil + } return nil } @@ -671,6 +707,7 @@ func autoConvert_v1alpha1_Issuer_To_apiserver_Issuer(in *Issuer, out *apiserver. out.CertificateAuthority = in.CertificateAuthority out.Audiences = *(*[]string)(unsafe.Pointer(&in.Audiences)) out.AudienceMatchPolicy = apiserver.AudienceMatchPolicyType(in.AudienceMatchPolicy) + out.EgressSelectorType = apiserver.EgressSelectorType(in.EgressSelectorType) return nil } @@ -687,6 +724,7 @@ func autoConvert_apiserver_Issuer_To_v1alpha1_Issuer(in *apiserver.Issuer, out * out.CertificateAuthority = in.CertificateAuthority out.Audiences = *(*[]string)(unsafe.Pointer(&in.Audiences)) out.AudienceMatchPolicy = AudienceMatchPolicyType(in.AudienceMatchPolicy) + out.EgressSelectorType = EgressSelectorType(in.EgressSelectorType) return nil } @@ -885,7 +923,13 @@ func Convert_apiserver_UserValidationRule_To_v1alpha1_UserValidationRule(in *api func autoConvert_v1alpha1_WebhookConfiguration_To_apiserver_WebhookConfiguration(in *WebhookConfiguration, out *apiserver.WebhookConfiguration, s conversion.Scope) error { out.AuthorizedTTL = in.AuthorizedTTL + if err := v1.Convert_Pointer_bool_To_bool(&in.CacheAuthorizedRequests, &out.CacheAuthorizedRequests, s); err != nil { + return err + } out.UnauthorizedTTL = in.UnauthorizedTTL + if err := v1.Convert_Pointer_bool_To_bool(&in.CacheUnauthorizedRequests, &out.CacheUnauthorizedRequests, s); err != nil { + return err + } out.Timeout = in.Timeout out.SubjectAccessReviewVersion = in.SubjectAccessReviewVersion out.MatchConditionSubjectAccessReviewVersion = in.MatchConditionSubjectAccessReviewVersion @@ -904,7 +948,13 @@ func Convert_v1alpha1_WebhookConfiguration_To_apiserver_WebhookConfiguration(in func autoConvert_apiserver_WebhookConfiguration_To_v1alpha1_WebhookConfiguration(in *apiserver.WebhookConfiguration, out *WebhookConfiguration, s conversion.Scope) error { out.AuthorizedTTL = in.AuthorizedTTL + if err := v1.Convert_bool_To_Pointer_bool(&in.CacheAuthorizedRequests, &out.CacheAuthorizedRequests, s); err != nil { + return err + } out.UnauthorizedTTL = in.UnauthorizedTTL + if err := v1.Convert_bool_To_Pointer_bool(&in.CacheUnauthorizedRequests, &out.CacheUnauthorizedRequests, s); err != nil { + return err + } out.Timeout = in.Timeout out.SubjectAccessReviewVersion = in.SubjectAccessReviewVersion out.MatchConditionSubjectAccessReviewVersion = in.MatchConditionSubjectAccessReviewVersion diff --git a/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/zz_generated.deepcopy.go b/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/zz_generated.deepcopy.go index 81b652254..cacbca48f 100644 --- a/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/zz_generated.deepcopy.go +++ b/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/zz_generated.deepcopy.go @@ -547,7 +547,17 @@ func (in *UserValidationRule) DeepCopy() *UserValidationRule { func (in *WebhookConfiguration) DeepCopyInto(out *WebhookConfiguration) { *out = *in out.AuthorizedTTL = in.AuthorizedTTL + if in.CacheAuthorizedRequests != nil { + in, out := &in.CacheAuthorizedRequests, &out.CacheAuthorizedRequests + *out = new(bool) + **out = **in + } out.UnauthorizedTTL = in.UnauthorizedTTL + if in.CacheUnauthorizedRequests != nil { + in, out := &in.CacheUnauthorizedRequests, &out.CacheUnauthorizedRequests + *out = new(bool) + **out = **in + } out.Timeout = in.Timeout in.ConnectionInfo.DeepCopyInto(&out.ConnectionInfo) if in.MatchConditions != nil { diff --git a/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/defaults.go b/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/defaults.go index eebcb6c00..7102cc7e3 100644 --- a/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/defaults.go +++ b/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/defaults.go @@ -20,6 +20,7 @@ import ( "time" "k8s.io/apimachinery/pkg/runtime" + "k8s.io/utils/ptr" ) func addDefaultingFuncs(scheme *runtime.Scheme) error { @@ -30,7 +31,13 @@ func SetDefaults_WebhookConfiguration(obj *WebhookConfiguration) { if obj.AuthorizedTTL.Duration == 0 { obj.AuthorizedTTL.Duration = 5 * time.Minute } + if obj.CacheAuthorizedRequests == nil { + obj.CacheAuthorizedRequests = ptr.To(true) + } if obj.UnauthorizedTTL.Duration == 0 { obj.UnauthorizedTTL.Duration = 30 * time.Second } + if obj.CacheUnauthorizedRequests == nil { + obj.CacheUnauthorizedRequests = ptr.To(true) + } } diff --git a/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/types.go b/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/types.go index 72fe602b9..16260efb6 100644 --- a/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/types.go +++ b/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/types.go @@ -266,6 +266,18 @@ type Issuer struct { // example: claimValidationRule[].expression: 'sets.equivalent(claims.aud, ["bar", "foo", "baz"])' to require an exact match. // +optional AudienceMatchPolicy AudienceMatchPolicyType `json:"audienceMatchPolicy,omitempty"` + + // egressSelectorType is an indicator of which egress selection should be used for sending all traffic related + // to this issuer (discovery, JWKS, distributed claims, etc). If unspecified, no custom dialer is used. + // When specified, the valid choices are "controlplane" and "cluster". These correspond to the associated + // values in the --egress-selector-config-file. + // + // - controlplane: for traffic intended to go to the control plane. + // + // - cluster: for traffic intended to go to the system being managed by Kubernetes. + // + // +optional + EgressSelectorType EgressSelectorType `json:"egressSelectorType,omitempty"` } // AudienceMatchPolicyType is a set of valid values for issuer.audienceMatchPolicy @@ -277,6 +289,17 @@ const ( AudienceMatchPolicyMatchAny AudienceMatchPolicyType = "MatchAny" ) +// EgressSelectorType is an indicator of which egress selection should be used for sending traffic. +type EgressSelectorType string + +const ( + // EgressSelectorControlPlane is the EgressSelectorType for traffic intended to go to the control plane. + EgressSelectorControlPlane EgressSelectorType = "controlplane" + + // EgressSelectorCluster is the EgressSelectorType for traffic intended to go to the system being managed by Kubernetes. + EgressSelectorCluster EgressSelectorType = "cluster" +) + // ClaimValidationRule provides the configuration for a single claim validation rule. type ClaimValidationRule struct { // claim is the name of a required claim. @@ -521,11 +544,23 @@ type WebhookConfiguration struct { // Same as setting `--authorization-webhook-cache-authorized-ttl` flag // Default: 5m0s AuthorizedTTL metav1.Duration `json:"authorizedTTL"` + // CacheAuthorizedRequests specifies whether authorized requests should be cached. + // If set to true, the TTL for cached decisions can be configured via the + // AuthorizedTTL field. + // Default: true + // +optional + CacheAuthorizedRequests *bool `json:"cacheAuthorizedRequests,omitempty"` // The duration to cache 'unauthorized' responses from the webhook // authorizer. // Same as setting `--authorization-webhook-cache-unauthorized-ttl` flag // Default: 30s UnauthorizedTTL metav1.Duration `json:"unauthorizedTTL"` + // CacheUnauthorizedRequests specifies whether unauthorized requests should be cached. + // If set to true, the TTL for cached decisions can be configured via the + // UnauthorizedTTL field. + // Default: true + // +optional + CacheUnauthorizedRequests *bool `json:"cacheUnauthorizedRequests,omitempty"` // Timeout for the webhook request // Maximum allowed value is 30s. // Required, no default value. diff --git a/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/zz_generated.conversion.go b/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/zz_generated.conversion.go index 30ef049d4..4f25bd60c 100644 --- a/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/zz_generated.conversion.go +++ b/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/zz_generated.conversion.go @@ -365,7 +365,17 @@ func Convert_apiserver_AuthenticationConfiguration_To_v1beta1_AuthenticationConf } func autoConvert_v1beta1_AuthorizationConfiguration_To_apiserver_AuthorizationConfiguration(in *AuthorizationConfiguration, out *apiserver.AuthorizationConfiguration, s conversion.Scope) error { - out.Authorizers = *(*[]apiserver.AuthorizerConfiguration)(unsafe.Pointer(&in.Authorizers)) + if in.Authorizers != nil { + in, out := &in.Authorizers, &out.Authorizers + *out = make([]apiserver.AuthorizerConfiguration, len(*in)) + for i := range *in { + if err := Convert_v1beta1_AuthorizerConfiguration_To_apiserver_AuthorizerConfiguration(&(*in)[i], &(*out)[i], s); err != nil { + return err + } + } + } else { + out.Authorizers = nil + } return nil } @@ -375,7 +385,17 @@ func Convert_v1beta1_AuthorizationConfiguration_To_apiserver_AuthorizationConfig } func autoConvert_apiserver_AuthorizationConfiguration_To_v1beta1_AuthorizationConfiguration(in *apiserver.AuthorizationConfiguration, out *AuthorizationConfiguration, s conversion.Scope) error { - out.Authorizers = *(*[]AuthorizerConfiguration)(unsafe.Pointer(&in.Authorizers)) + if in.Authorizers != nil { + in, out := &in.Authorizers, &out.Authorizers + *out = make([]AuthorizerConfiguration, len(*in)) + for i := range *in { + if err := Convert_apiserver_AuthorizerConfiguration_To_v1beta1_AuthorizerConfiguration(&(*in)[i], &(*out)[i], s); err != nil { + return err + } + } + } else { + out.Authorizers = nil + } return nil } @@ -387,7 +407,15 @@ func Convert_apiserver_AuthorizationConfiguration_To_v1beta1_AuthorizationConfig func autoConvert_v1beta1_AuthorizerConfiguration_To_apiserver_AuthorizerConfiguration(in *AuthorizerConfiguration, out *apiserver.AuthorizerConfiguration, s conversion.Scope) error { out.Type = apiserver.AuthorizerType(in.Type) out.Name = in.Name - out.Webhook = (*apiserver.WebhookConfiguration)(unsafe.Pointer(in.Webhook)) + if in.Webhook != nil { + in, out := &in.Webhook, &out.Webhook + *out = new(apiserver.WebhookConfiguration) + if err := Convert_v1beta1_WebhookConfiguration_To_apiserver_WebhookConfiguration(*in, *out, s); err != nil { + return err + } + } else { + out.Webhook = nil + } return nil } @@ -399,7 +427,15 @@ func Convert_v1beta1_AuthorizerConfiguration_To_apiserver_AuthorizerConfiguratio func autoConvert_apiserver_AuthorizerConfiguration_To_v1beta1_AuthorizerConfiguration(in *apiserver.AuthorizerConfiguration, out *AuthorizerConfiguration, s conversion.Scope) error { out.Type = string(in.Type) out.Name = in.Name - out.Webhook = (*WebhookConfiguration)(unsafe.Pointer(in.Webhook)) + if in.Webhook != nil { + in, out := &in.Webhook, &out.Webhook + *out = new(WebhookConfiguration) + if err := Convert_apiserver_WebhookConfiguration_To_v1beta1_WebhookConfiguration(*in, *out, s); err != nil { + return err + } + } else { + out.Webhook = nil + } return nil } @@ -607,6 +643,7 @@ func autoConvert_v1beta1_Issuer_To_apiserver_Issuer(in *Issuer, out *apiserver.I out.CertificateAuthority = in.CertificateAuthority out.Audiences = *(*[]string)(unsafe.Pointer(&in.Audiences)) out.AudienceMatchPolicy = apiserver.AudienceMatchPolicyType(in.AudienceMatchPolicy) + out.EgressSelectorType = apiserver.EgressSelectorType(in.EgressSelectorType) return nil } @@ -623,6 +660,7 @@ func autoConvert_apiserver_Issuer_To_v1beta1_Issuer(in *apiserver.Issuer, out *I out.CertificateAuthority = in.CertificateAuthority out.Audiences = *(*[]string)(unsafe.Pointer(&in.Audiences)) out.AudienceMatchPolicy = AudienceMatchPolicyType(in.AudienceMatchPolicy) + out.EgressSelectorType = EgressSelectorType(in.EgressSelectorType) return nil } @@ -821,7 +859,13 @@ func Convert_apiserver_UserValidationRule_To_v1beta1_UserValidationRule(in *apis func autoConvert_v1beta1_WebhookConfiguration_To_apiserver_WebhookConfiguration(in *WebhookConfiguration, out *apiserver.WebhookConfiguration, s conversion.Scope) error { out.AuthorizedTTL = in.AuthorizedTTL + if err := v1.Convert_Pointer_bool_To_bool(&in.CacheAuthorizedRequests, &out.CacheAuthorizedRequests, s); err != nil { + return err + } out.UnauthorizedTTL = in.UnauthorizedTTL + if err := v1.Convert_Pointer_bool_To_bool(&in.CacheUnauthorizedRequests, &out.CacheUnauthorizedRequests, s); err != nil { + return err + } out.Timeout = in.Timeout out.SubjectAccessReviewVersion = in.SubjectAccessReviewVersion out.MatchConditionSubjectAccessReviewVersion = in.MatchConditionSubjectAccessReviewVersion @@ -840,7 +884,13 @@ func Convert_v1beta1_WebhookConfiguration_To_apiserver_WebhookConfiguration(in * func autoConvert_apiserver_WebhookConfiguration_To_v1beta1_WebhookConfiguration(in *apiserver.WebhookConfiguration, out *WebhookConfiguration, s conversion.Scope) error { out.AuthorizedTTL = in.AuthorizedTTL + if err := v1.Convert_bool_To_Pointer_bool(&in.CacheAuthorizedRequests, &out.CacheAuthorizedRequests, s); err != nil { + return err + } out.UnauthorizedTTL = in.UnauthorizedTTL + if err := v1.Convert_bool_To_Pointer_bool(&in.CacheUnauthorizedRequests, &out.CacheUnauthorizedRequests, s); err != nil { + return err + } out.Timeout = in.Timeout out.SubjectAccessReviewVersion = in.SubjectAccessReviewVersion out.MatchConditionSubjectAccessReviewVersion = in.MatchConditionSubjectAccessReviewVersion diff --git a/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/zz_generated.deepcopy.go b/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/zz_generated.deepcopy.go index 0d78e51a9..45b6510ca 100644 --- a/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/zz_generated.deepcopy.go +++ b/vendor/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/zz_generated.deepcopy.go @@ -494,7 +494,17 @@ func (in *UserValidationRule) DeepCopy() *UserValidationRule { func (in *WebhookConfiguration) DeepCopyInto(out *WebhookConfiguration) { *out = *in out.AuthorizedTTL = in.AuthorizedTTL + if in.CacheAuthorizedRequests != nil { + in, out := &in.CacheAuthorizedRequests, &out.CacheAuthorizedRequests + *out = new(bool) + **out = **in + } out.UnauthorizedTTL = in.UnauthorizedTTL + if in.CacheUnauthorizedRequests != nil { + in, out := &in.CacheUnauthorizedRequests, &out.CacheUnauthorizedRequests + *out = new(bool) + **out = **in + } out.Timeout = in.Timeout in.ConnectionInfo.DeepCopyInto(&out.ConnectionInfo) if in.MatchConditions != nil { diff --git a/vendor/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go b/vendor/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go index ac5f0f34f..c81faca78 100644 --- a/vendor/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go +++ b/vendor/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go @@ -61,7 +61,7 @@ func ValidateAuthenticationConfiguration(compiler authenticationcel.Compiler, c seenDiscoveryURLs := sets.New[string]() for i, a := range c.JWT { fldPath := root.Index(i) - _, errs := validateJWTAuthenticator(compiler, a, fldPath, sets.New(disallowedIssuers...), utilfeature.DefaultFeatureGate.Enabled(features.StructuredAuthenticationConfiguration)) + _, errs := validateJWTAuthenticator(compiler, a, fldPath, sets.New(disallowedIssuers...), utilfeature.DefaultFeatureGate.Enabled(features.StructuredAuthenticationConfiguration), utilfeature.DefaultFeatureGate.Enabled(features.StructuredAuthenticationConfigurationEgressSelector)) allErrs = append(allErrs, errs...) if seenIssuers.Has(a.Issuer.URL) { @@ -93,15 +93,15 @@ func ValidateAuthenticationConfiguration(compiler authenticationcel.Compiler, c // CEL expressions for claim mappings and validation rules. // This is exported for use in oidc package. func CompileAndValidateJWTAuthenticator(compiler authenticationcel.Compiler, authenticator api.JWTAuthenticator, disallowedIssuers []string) (authenticationcel.CELMapper, field.ErrorList) { - return validateJWTAuthenticator(compiler, authenticator, nil, sets.New(disallowedIssuers...), utilfeature.DefaultFeatureGate.Enabled(features.StructuredAuthenticationConfiguration)) + return validateJWTAuthenticator(compiler, authenticator, nil, sets.New(disallowedIssuers...), utilfeature.DefaultFeatureGate.Enabled(features.StructuredAuthenticationConfiguration), utilfeature.DefaultFeatureGate.Enabled(features.StructuredAuthenticationConfigurationEgressSelector)) } -func validateJWTAuthenticator(compiler authenticationcel.Compiler, authenticator api.JWTAuthenticator, fldPath *field.Path, disallowedIssuers sets.Set[string], structuredAuthnFeatureEnabled bool) (authenticationcel.CELMapper, field.ErrorList) { +func validateJWTAuthenticator(compiler authenticationcel.Compiler, authenticator api.JWTAuthenticator, fldPath *field.Path, disallowedIssuers sets.Set[string], structuredAuthnFeatureEnabled, structuredAuthnEgressSelectorFeatureEnabled bool) (authenticationcel.CELMapper, field.ErrorList) { var allErrs field.ErrorList state := &validationState{} - allErrs = append(allErrs, validateIssuer(authenticator.Issuer, disallowedIssuers, fldPath.Child("issuer"), structuredAuthnFeatureEnabled)...) + allErrs = append(allErrs, validateIssuer(authenticator.Issuer, disallowedIssuers, fldPath.Child("issuer"), structuredAuthnFeatureEnabled, structuredAuthnEgressSelectorFeatureEnabled)...) allErrs = append(allErrs, validateClaimValidationRules(compiler, state, authenticator.ClaimValidationRules, fldPath.Child("claimValidationRules"), structuredAuthnFeatureEnabled)...) allErrs = append(allErrs, validateClaimMappings(compiler, state, authenticator.ClaimMappings, fldPath.Child("claimMappings"), structuredAuthnFeatureEnabled)...) allErrs = append(allErrs, validateUserValidationRules(compiler, state, authenticator.UserValidationRules, fldPath.Child("userValidationRules"), structuredAuthnFeatureEnabled)...) @@ -115,20 +115,21 @@ type validationState struct { usesEmailVerifiedClaim bool } -func validateIssuer(issuer api.Issuer, disallowedIssuers sets.Set[string], fldPath *field.Path, structuredAuthnFeatureEnabled bool) field.ErrorList { +func validateIssuer(issuer api.Issuer, disallowedIssuers sets.Set[string], fldPath *field.Path, structuredAuthnFeatureEnabled, structuredAuthnEgressSelectorFeatureEnabled bool) field.ErrorList { var allErrs field.ErrorList allErrs = append(allErrs, validateIssuerURL(issuer.URL, disallowedIssuers, fldPath.Child("url"))...) allErrs = append(allErrs, validateIssuerDiscoveryURL(issuer.URL, issuer.DiscoveryURL, fldPath.Child("discoveryURL"), structuredAuthnFeatureEnabled)...) allErrs = append(allErrs, validateAudiences(issuer.Audiences, issuer.AudienceMatchPolicy, fldPath.Child("audiences"), fldPath.Child("audienceMatchPolicy"), structuredAuthnFeatureEnabled)...) allErrs = append(allErrs, validateCertificateAuthority(issuer.CertificateAuthority, fldPath.Child("certificateAuthority"))...) + allErrs = append(allErrs, validateEgressSelector(issuer.EgressSelectorType, fldPath.Child("egressSelectorType"), structuredAuthnFeatureEnabled, structuredAuthnEgressSelectorFeatureEnabled)...) return allErrs } func validateIssuerURL(issuerURL string, disallowedIssuers sets.Set[string], fldPath *field.Path) field.ErrorList { if len(issuerURL) == 0 { - return field.ErrorList{field.Required(fldPath, "URL is required")} + return field.ErrorList{field.Required(fldPath, "")} } return validateURL(issuerURL, disallowedIssuers, fldPath) @@ -198,7 +199,7 @@ func validateAudiences(audiences []string, audienceMatchPolicy api.AudienceMatch for i, audience := range audiences { fldPath := fldPath.Index(i) if len(audience) == 0 { - allErrs = append(allErrs, field.Required(fldPath, "audience can't be empty")) + allErrs = append(allErrs, field.Required(fldPath, "")) } if seenAudiences.Has(audience) { allErrs = append(allErrs, field.Duplicate(fldPath, audience)) @@ -230,6 +231,31 @@ func validateCertificateAuthority(certificateAuthority string, fldPath *field.Pa return allErrs } +func validateEgressSelector(selectorType api.EgressSelectorType, fldPath *field.Path, structuredAuthnFeatureEnabled, structuredAuthnEgressSelectorFeatureEnabled bool) field.ErrorList { + var allErrs field.ErrorList + + if len(selectorType) == 0 { + return allErrs + } + + if !structuredAuthnFeatureEnabled { + allErrs = append(allErrs, field.Invalid(fldPath, selectorType, "egress selector is not supported when StructuredAuthenticationConfiguration feature gate is disabled")) + } + + if !structuredAuthnEgressSelectorFeatureEnabled { + allErrs = append(allErrs, field.Invalid(fldPath, selectorType, "egress selector is not supported when StructuredAuthenticationConfigurationEgressSelector feature gate is disabled")) + } + + switch selectorType { + case api.EgressSelectorControlPlane, api.EgressSelectorCluster: + // valid + default: + allErrs = append(allErrs, field.Invalid(fldPath, selectorType, "egress selector must be either controlplane or cluster")) + } + + return allErrs +} + func validateClaimValidationRules(compiler authenticationcel.Compiler, state *validationState, rules []api.ClaimValidationRule, fldPath *field.Path, structuredAuthnFeatureEnabled bool) field.ErrorList { var allErrs field.ErrorList @@ -241,7 +267,7 @@ func validateClaimValidationRules(compiler authenticationcel.Compiler, state *va fldPath := fldPath.Index(i) if len(rule.Expression) > 0 && !structuredAuthnFeatureEnabled { - allErrs = append(allErrs, field.Invalid(fldPath.Child("expression"), rule.Expression, "expression is not supported when StructuredAuthenticationConfiguration feature gate is disabled")) + allErrs = append(allErrs, field.Invalid(fldPath.Child("expression"), rule.Expression, "not supported when StructuredAuthenticationConfiguration feature gate is disabled")) } switch { @@ -251,7 +277,7 @@ func validateClaimValidationRules(compiler authenticationcel.Compiler, state *va allErrs = append(allErrs, field.Required(fldPath, "claim or expression is required")) case len(rule.Claim) > 0: if len(rule.Message) > 0 { - allErrs = append(allErrs, field.Invalid(fldPath.Child("message"), rule.Message, "message can't be set when claim is set")) + allErrs = append(allErrs, field.Invalid(fldPath.Child("message"), rule.Message, "may not be specified when claim is set")) } if seenClaims.Has(rule.Claim) { allErrs = append(allErrs, field.Duplicate(fldPath.Child("claim"), rule.Claim)) @@ -259,7 +285,7 @@ func validateClaimValidationRules(compiler authenticationcel.Compiler, state *va seenClaims.Insert(rule.Claim) case len(rule.Expression) > 0: if len(rule.RequiredValue) > 0 { - allErrs = append(allErrs, field.Invalid(fldPath.Child("requiredValue"), rule.RequiredValue, "requiredValue can't be set when expression is set")) + allErrs = append(allErrs, field.Invalid(fldPath.Child("requiredValue"), rule.RequiredValue, "may not be specified when expression is set")) } if seenExpressions.Has(rule.Expression) { allErrs = append(allErrs, field.Duplicate(fldPath.Child("expression"), rule.Expression)) @@ -295,16 +321,16 @@ func validateClaimMappings(compiler authenticationcel.Compiler, state *validatio if !structuredAuthnFeatureEnabled { if len(m.Username.Expression) > 0 { - allErrs = append(allErrs, field.Invalid(fldPath.Child("username").Child("expression"), m.Username.Expression, "expression is not supported when StructuredAuthenticationConfiguration feature gate is disabled")) + allErrs = append(allErrs, field.Invalid(fldPath.Child("username").Child("expression"), m.Username.Expression, "not supported when StructuredAuthenticationConfiguration feature gate is disabled")) } if len(m.Groups.Expression) > 0 { - allErrs = append(allErrs, field.Invalid(fldPath.Child("groups").Child("expression"), m.Groups.Expression, "expression is not supported when StructuredAuthenticationConfiguration feature gate is disabled")) + allErrs = append(allErrs, field.Invalid(fldPath.Child("groups").Child("expression"), m.Groups.Expression, "not supported when StructuredAuthenticationConfiguration feature gate is disabled")) } if len(m.UID.Claim) > 0 || len(m.UID.Expression) > 0 { - allErrs = append(allErrs, field.Invalid(fldPath.Child("uid"), "", "uid claim mapping is not supported when StructuredAuthenticationConfiguration feature gate is disabled")) + allErrs = append(allErrs, field.Invalid(fldPath.Child("uid"), "", "claim mapping is not supported when StructuredAuthenticationConfiguration feature gate is disabled")) } if len(m.Extra) > 0 { - allErrs = append(allErrs, field.Invalid(fldPath.Child("extra"), "", "extra claim mapping is not supported when StructuredAuthenticationConfiguration feature gate is disabled")) + allErrs = append(allErrs, field.Invalid(fldPath.Child("extra"), "", "claim mapping is not supported when StructuredAuthenticationConfiguration feature gate is disabled")) } } @@ -350,7 +376,7 @@ func validateClaimMappings(compiler authenticationcel.Compiler, state *validatio // IsDomainPrefixedPath checks for non-empty key and that the key is prefixed with a domain name. allErrs = append(allErrs, utilvalidation.IsDomainPrefixedPath(fldPath.Child("key"), mapping.Key)...) if mapping.Key != strings.ToLower(mapping.Key) { - allErrs = append(allErrs, field.Invalid(fldPath.Child("key"), mapping.Key, "key must be lowercase")) + allErrs = append(allErrs, field.Invalid(fldPath.Child("key"), mapping.Key, "must be lowercase")) } if isKubernetesDomainPrefix(mapping.Key) { @@ -364,7 +390,7 @@ func validateClaimMappings(compiler authenticationcel.Compiler, state *validatio seenExtraKeys.Insert(mapping.Key) if len(mapping.ValueExpression) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("valueExpression"), "valueExpression is required")) + allErrs = append(allErrs, field.Required(fldPath.Child("valueExpression"), "")) continue } @@ -532,7 +558,7 @@ func validatePrefixClaimOrExpression(compiler authenticationcel.Compiler, mappin var err *field.Error if mapping.Prefix != nil { - allErrs = append(allErrs, field.Invalid(fldPath.Child("prefix"), *mapping.Prefix, "prefix can't be set when expression is set")) + allErrs = append(allErrs, field.Invalid(fldPath.Child("prefix"), *mapping.Prefix, "may not be specified when expression is set")) } compilationResult, err = compileClaimsCELExpression(compiler, &authenticationcel.ClaimMappingExpression{ Expression: mapping.Expression, @@ -564,7 +590,7 @@ func validateUserValidationRules(compiler authenticationcel.Compiler, state *val fldPath := fldPath.Index(i) if len(rule.Expression) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("expression"), "expression is required")) + allErrs = append(allErrs, field.Required(fldPath.Child("expression"), "")) continue } @@ -753,7 +779,7 @@ func compileMatchConditions(compiler authorizationcel.Compiler, matchConditions var allErrs field.ErrorList // should fail when match conditions are used without feature enabled if len(matchConditions) > 0 && !structuredAuthzFeatureEnabled { - allErrs = append(allErrs, field.Invalid(fldPath.Child("matchConditions"), "", "matchConditions are not supported when StructuredAuthorizationConfiguration feature gate is disabled")) + allErrs = append(allErrs, field.Invalid(fldPath.Child("matchConditions"), "", "not supported when StructuredAuthorizationConfiguration feature gate is disabled")) } if len(matchConditions) > 64 { allErrs = append(allErrs, field.TooMany(fldPath.Child("matchConditions"), len(matchConditions), 64)) diff --git a/vendor/k8s.io/apiserver/pkg/audit/context.go b/vendor/k8s.io/apiserver/pkg/audit/context.go index 964858737..5b93d594b 100644 --- a/vendor/k8s.io/apiserver/pkg/audit/context.go +++ b/vendor/k8s.io/apiserver/pkg/audit/context.go @@ -18,10 +18,18 @@ package audit import ( "context" + "errors" + "maps" "sync" + "sync/atomic" + "time" + authnv1 "k8s.io/api/authentication/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" auditinternal "k8s.io/apiserver/pkg/apis/audit" + "k8s.io/apiserver/pkg/authentication/user" genericapirequest "k8s.io/apiserver/pkg/endpoints/request" "k8s.io/klog/v2" ) @@ -35,22 +43,223 @@ const auditKey key = iota // AuditContext holds the information for constructing the audit events for the current request. type AuditContext struct { - // RequestAuditConfig is the audit configuration that applies to the request - RequestAuditConfig RequestAuditConfig - - // Event is the audit Event object that is being captured to be written in + // initialized indicates whether requestAuditConfig and sink have been populated and are safe to read unguarded. + // This should only be set via Init(). + initialized atomic.Bool + // requestAuditConfig is the audit configuration that applies to the request. + // This should only be written via Init(RequestAuditConfig, Sink), and only read when initialized.Load() is true. + requestAuditConfig RequestAuditConfig + // sink is the sink to use when processing event stages. + // This should only be written via Init(RequestAuditConfig, Sink), and only read when initialized.Load() is true. + sink Sink + + // lock guards event + lock sync.Mutex + + // event is the audit Event object that is being captured to be written in // the API audit log. - Event auditinternal.Event + event auditinternal.Event - // annotationMutex guards event.Annotations - annotationMutex sync.Mutex + // unguarded copy of auditID from the event + auditID atomic.Value } // Enabled checks whether auditing is enabled for this audit context. func (ac *AuditContext) Enabled() bool { - // Note: An unset Level should be considered Enabled, so that request data (e.g. annotations) - // can still be captured before the audit policy is evaluated. - return ac != nil && ac.RequestAuditConfig.Level != auditinternal.LevelNone + if ac == nil { + // protect against nil pointers + return false + } + if !ac.initialized.Load() { + // Note: An unset Level should be considered Enabled, so that request data (e.g. annotations) + // can still be captured before the audit policy is evaluated. + return true + } + return ac.requestAuditConfig.Level != auditinternal.LevelNone +} + +func (ac *AuditContext) Init(requestAuditConfig RequestAuditConfig, sink Sink) error { + ac.lock.Lock() + defer ac.lock.Unlock() + if ac.initialized.Load() { + return errors.New("audit context was already initialized") + } + ac.requestAuditConfig = requestAuditConfig + ac.sink = sink + ac.event.Level = requestAuditConfig.Level + ac.initialized.Store(true) + return nil +} + +func (ac *AuditContext) AuditID() types.UID { + // return the unguarded copy of the auditID + id, _ := ac.auditID.Load().(types.UID) + return id +} + +func (ac *AuditContext) visitEvent(f func(event *auditinternal.Event)) { + ac.lock.Lock() + defer ac.lock.Unlock() + f(&ac.event) +} + +// ProcessEventStage returns true on success, false if there was an error processing the stage. +func (ac *AuditContext) ProcessEventStage(ctx context.Context, stage auditinternal.Stage) bool { + if ac == nil || !ac.initialized.Load() { + return true + } + if ac.sink == nil { + return true + } + for _, omitStage := range ac.requestAuditConfig.OmitStages { + if stage == omitStage { + return true + } + } + + processed := false + ac.visitEvent(func(event *auditinternal.Event) { + event.Stage = stage + if stage == auditinternal.StageRequestReceived { + event.StageTimestamp = event.RequestReceivedTimestamp + } else { + event.StageTimestamp = metav1.NewMicroTime(time.Now()) + } + + ObserveEvent(ctx) + processed = ac.sink.ProcessEvents(event) + }) + return processed +} + +func (ac *AuditContext) LogImpersonatedUser(user user.Info) { + ac.visitEvent(func(ev *auditinternal.Event) { + if ev == nil || ev.Level.Less(auditinternal.LevelMetadata) { + return + } + ev.ImpersonatedUser = &authnv1.UserInfo{ + Username: user.GetName(), + } + ev.ImpersonatedUser.Groups = user.GetGroups() + ev.ImpersonatedUser.UID = user.GetUID() + ev.ImpersonatedUser.Extra = map[string]authnv1.ExtraValue{} + for k, v := range user.GetExtra() { + ev.ImpersonatedUser.Extra[k] = authnv1.ExtraValue(v) + } + }) +} + +func (ac *AuditContext) LogResponseObject(status *metav1.Status, obj *runtime.Unknown) { + ac.visitEvent(func(ae *auditinternal.Event) { + if status != nil { + // selectively copy the bounded fields. + ae.ResponseStatus = &metav1.Status{ + Status: status.Status, + Message: status.Message, + Reason: status.Reason, + Details: status.Details, + Code: status.Code, + } + } + if ae.Level.Less(auditinternal.LevelRequestResponse) { + return + } + ae.ResponseObject = obj + }) +} + +// LogRequestPatch fills in the given patch as the request object into an audit event. +func (ac *AuditContext) LogRequestPatch(patch []byte) { + ac.visitEvent(func(ae *auditinternal.Event) { + ae.RequestObject = &runtime.Unknown{ + Raw: patch, + ContentType: runtime.ContentTypeJSON, + } + }) +} + +func (ac *AuditContext) GetEventAnnotation(key string) (string, bool) { + var val string + var ok bool + ac.visitEvent(func(event *auditinternal.Event) { + val, ok = event.Annotations[key] + }) + return val, ok +} + +func (ac *AuditContext) GetEventLevel() auditinternal.Level { + var level auditinternal.Level + ac.visitEvent(func(event *auditinternal.Event) { + level = event.Level + }) + return level +} + +func (ac *AuditContext) SetEventStage(stage auditinternal.Stage) { + ac.visitEvent(func(event *auditinternal.Event) { + event.Stage = stage + }) +} + +func (ac *AuditContext) GetEventStage() auditinternal.Stage { + var stage auditinternal.Stage + ac.visitEvent(func(event *auditinternal.Event) { + stage = event.Stage + }) + return stage +} + +func (ac *AuditContext) SetEventStageTimestamp(timestamp metav1.MicroTime) { + ac.visitEvent(func(event *auditinternal.Event) { + event.StageTimestamp = timestamp + }) +} + +func (ac *AuditContext) GetEventResponseStatus() *metav1.Status { + var status *metav1.Status + ac.visitEvent(func(event *auditinternal.Event) { + status = event.ResponseStatus + }) + return status +} + +func (ac *AuditContext) GetEventRequestReceivedTimestamp() metav1.MicroTime { + var timestamp metav1.MicroTime + ac.visitEvent(func(event *auditinternal.Event) { + timestamp = event.RequestReceivedTimestamp + }) + return timestamp +} + +func (ac *AuditContext) GetEventStageTimestamp() metav1.MicroTime { + var timestamp metav1.MicroTime + ac.visitEvent(func(event *auditinternal.Event) { + timestamp = event.StageTimestamp + }) + return timestamp +} + +func (ac *AuditContext) SetEventResponseStatus(status *metav1.Status) { + ac.visitEvent(func(event *auditinternal.Event) { + event.ResponseStatus = status + }) +} + +func (ac *AuditContext) SetEventResponseStatusCode(statusCode int32) { + ac.visitEvent(func(event *auditinternal.Event) { + if event.ResponseStatus == nil { + event.ResponseStatus = &metav1.Status{} + } + event.ResponseStatus.Code = statusCode + }) +} + +func (ac *AuditContext) GetEventAnnotations() map[string]string { + var annotations map[string]string + ac.visitEvent(func(event *auditinternal.Event) { + annotations = maps.Clone(event.Annotations) + }) + return annotations } // AddAuditAnnotation sets the audit annotation for the given key, value pair. @@ -66,8 +275,8 @@ func AddAuditAnnotation(ctx context.Context, key, value string) { return } - ac.annotationMutex.Lock() - defer ac.annotationMutex.Unlock() + ac.lock.Lock() + defer ac.lock.Unlock() addAuditAnnotationLocked(ac, key, value) } @@ -81,8 +290,8 @@ func AddAuditAnnotations(ctx context.Context, keysAndValues ...string) { return } - ac.annotationMutex.Lock() - defer ac.annotationMutex.Unlock() + ac.lock.Lock() + defer ac.lock.Unlock() if len(keysAndValues)%2 != 0 { klog.Errorf("Dropping mismatched audit annotation %q", keysAndValues[len(keysAndValues)-1]) @@ -100,8 +309,8 @@ func AddAuditAnnotationsMap(ctx context.Context, annotations map[string]string) return } - ac.annotationMutex.Lock() - defer ac.annotationMutex.Unlock() + ac.lock.Lock() + defer ac.lock.Unlock() for k, v := range annotations { addAuditAnnotationLocked(ac, k, v) @@ -110,8 +319,7 @@ func AddAuditAnnotationsMap(ctx context.Context, annotations map[string]string) // addAuditAnnotationLocked records the audit annotation on the event. func addAuditAnnotationLocked(ac *AuditContext, key, value string) { - ae := &ac.Event - + ae := &ac.event if ae.Annotations == nil { ae.Annotations = make(map[string]string) } @@ -128,15 +336,11 @@ func WithAuditContext(parent context.Context) context.Context { return parent // Avoid double registering. } - return genericapirequest.WithValue(parent, auditKey, &AuditContext{}) -} - -// AuditEventFrom returns the audit event struct on the ctx -func AuditEventFrom(ctx context.Context) *auditinternal.Event { - if ac := AuditContextFrom(ctx); ac.Enabled() { - return &ac.Event - } - return nil + return genericapirequest.WithValue(parent, auditKey, &AuditContext{ + event: auditinternal.Event{ + Stage: auditinternal.StageResponseStarted, + }, + }) } // AuditContextFrom returns the pair of the audit configuration object @@ -154,7 +358,10 @@ func WithAuditID(ctx context.Context, auditID types.UID) { return } if ac := AuditContextFrom(ctx); ac != nil { - ac.Event.AuditID = auditID + ac.visitEvent(func(event *auditinternal.Event) { + ac.auditID.Store(auditID) + event.AuditID = auditID + }) } } @@ -162,7 +369,8 @@ func WithAuditID(ctx context.Context, auditID types.UID) { // auditing is enabled. func AuditIDFrom(ctx context.Context) (types.UID, bool) { if ac := AuditContextFrom(ctx); ac != nil { - return ac.Event.AuditID, true + id, _ := ac.auditID.Load().(types.UID) + return id, true } return "", false } diff --git a/vendor/k8s.io/apiserver/pkg/audit/request.go b/vendor/k8s.io/apiserver/pkg/audit/request.go index 9185278f0..d5f9c730f 100644 --- a/vendor/k8s.io/apiserver/pkg/audit/request.go +++ b/vendor/k8s.io/apiserver/pkg/audit/request.go @@ -40,110 +40,73 @@ const ( userAgentTruncateSuffix = "...TRUNCATED" ) -func LogRequestMetadata(ctx context.Context, req *http.Request, requestReceivedTimestamp time.Time, level auditinternal.Level, attribs authorizer.Attributes) { +func LogRequestMetadata(ctx context.Context, req *http.Request, requestReceivedTimestamp time.Time, attribs authorizer.Attributes) { ac := AuditContextFrom(ctx) if !ac.Enabled() { return } - ev := &ac.Event - - ev.RequestReceivedTimestamp = metav1.NewMicroTime(requestReceivedTimestamp) - ev.Verb = attribs.GetVerb() - ev.RequestURI = req.URL.RequestURI() - ev.UserAgent = maybeTruncateUserAgent(req) - ev.Level = level - - ips := utilnet.SourceIPs(req) - ev.SourceIPs = make([]string, len(ips)) - for i := range ips { - ev.SourceIPs[i] = ips[i].String() - } - if user := attribs.GetUser(); user != nil { - ev.User.Username = user.GetName() - ev.User.Extra = map[string]authnv1.ExtraValue{} - for k, v := range user.GetExtra() { - ev.User.Extra[k] = authnv1.ExtraValue(v) + ac.visitEvent(func(ev *auditinternal.Event) { + ev.RequestReceivedTimestamp = metav1.NewMicroTime(requestReceivedTimestamp) + ev.Verb = attribs.GetVerb() + ev.RequestURI = req.URL.RequestURI() + ev.UserAgent = maybeTruncateUserAgent(req) + + ips := utilnet.SourceIPs(req) + ev.SourceIPs = make([]string, len(ips)) + for i := range ips { + ev.SourceIPs[i] = ips[i].String() } - ev.User.Groups = user.GetGroups() - ev.User.UID = user.GetUID() - } - if attribs.IsResourceRequest() { - ev.ObjectRef = &auditinternal.ObjectReference{ - Namespace: attribs.GetNamespace(), - Name: attribs.GetName(), - Resource: attribs.GetResource(), - Subresource: attribs.GetSubresource(), - APIGroup: attribs.GetAPIGroup(), - APIVersion: attribs.GetAPIVersion(), + if user := attribs.GetUser(); user != nil { + ev.User.Username = user.GetName() + ev.User.Extra = map[string]authnv1.ExtraValue{} + for k, v := range user.GetExtra() { + ev.User.Extra[k] = authnv1.ExtraValue(v) + } + ev.User.Groups = user.GetGroups() + ev.User.UID = user.GetUID() } - } + + if attribs.IsResourceRequest() { + ev.ObjectRef = &auditinternal.ObjectReference{ + Namespace: attribs.GetNamespace(), + Name: attribs.GetName(), + Resource: attribs.GetResource(), + Subresource: attribs.GetSubresource(), + APIGroup: attribs.GetAPIGroup(), + APIVersion: attribs.GetAPIVersion(), + } + } + }) } // LogImpersonatedUser fills in the impersonated user attributes into an audit event. -func LogImpersonatedUser(ae *auditinternal.Event, user user.Info) { - if ae == nil || ae.Level.Less(auditinternal.LevelMetadata) { +func LogImpersonatedUser(ctx context.Context, user user.Info) { + ac := AuditContextFrom(ctx) + if !ac.Enabled() { return } - ae.ImpersonatedUser = &authnv1.UserInfo{ - Username: user.GetName(), - } - ae.ImpersonatedUser.Groups = user.GetGroups() - ae.ImpersonatedUser.UID = user.GetUID() - ae.ImpersonatedUser.Extra = map[string]authnv1.ExtraValue{} - for k, v := range user.GetExtra() { - ae.ImpersonatedUser.Extra[k] = authnv1.ExtraValue(v) - } + ac.LogImpersonatedUser(user) } // LogRequestObject fills in the request object into an audit event. The passed runtime.Object // will be converted to the given gv. func LogRequestObject(ctx context.Context, obj runtime.Object, objGV schema.GroupVersion, gvr schema.GroupVersionResource, subresource string, s runtime.NegotiatedSerializer) { - ae := AuditEventFrom(ctx) - if ae == nil || ae.Level.Less(auditinternal.LevelMetadata) { + ac := AuditContextFrom(ctx) + if !ac.Enabled() { return } - - // complete ObjectRef - if ae.ObjectRef == nil { - ae.ObjectRef = &auditinternal.ObjectReference{} - } - - // meta.Accessor is more general than ObjectMetaAccessor, but if it fails, we can just skip setting these bits - if meta, err := meta.Accessor(obj); err == nil { - if len(ae.ObjectRef.Namespace) == 0 { - ae.ObjectRef.Namespace = meta.GetNamespace() - } - if len(ae.ObjectRef.Name) == 0 { - ae.ObjectRef.Name = meta.GetName() - } - if len(ae.ObjectRef.UID) == 0 { - ae.ObjectRef.UID = meta.GetUID() - } - if len(ae.ObjectRef.ResourceVersion) == 0 { - ae.ObjectRef.ResourceVersion = meta.GetResourceVersion() - } - } - if len(ae.ObjectRef.APIVersion) == 0 { - ae.ObjectRef.APIGroup = gvr.Group - ae.ObjectRef.APIVersion = gvr.Version - } - if len(ae.ObjectRef.Resource) == 0 { - ae.ObjectRef.Resource = gvr.Resource - } - if len(ae.ObjectRef.Subresource) == 0 { - ae.ObjectRef.Subresource = subresource - } - - if ae.Level.Less(auditinternal.LevelRequest) { + if ac.GetEventLevel().Less(auditinternal.LevelMetadata) { return } - if shouldOmitManagedFields(ctx) { + // meta.Accessor is more general than ObjectMetaAccessor, but if it fails, we can just skip setting these bits + objMeta, _ := meta.Accessor(obj) + if shouldOmitManagedFields(ac) { copy, ok, err := copyWithoutManagedFields(obj) if err != nil { - klog.ErrorS(err, "Error while dropping managed fields from the request", "auditID", ae.AuditID) + klog.ErrorS(err, "Error while dropping managed fields from the request", "auditID", ac.AuditID()) } if ok { obj = copy @@ -151,54 +114,75 @@ func LogRequestObject(ctx context.Context, obj runtime.Object, objGV schema.Grou } // TODO(audit): hook into the serializer to avoid double conversion - var err error - ae.RequestObject, err = encodeObject(obj, objGV, s) + requestObject, err := encodeObject(obj, objGV, s) if err != nil { // TODO(audit): add error slice to audit event struct - klog.ErrorS(err, "Encoding failed of request object", "auditID", ae.AuditID, "gvr", gvr.String(), "obj", obj) + klog.ErrorS(err, "Encoding failed of request object", "auditID", ac.AuditID(), "gvr", gvr.String(), "obj", obj) return } + + ac.visitEvent(func(ae *auditinternal.Event) { + if ae.ObjectRef == nil { + ae.ObjectRef = &auditinternal.ObjectReference{} + } + + if objMeta != nil { + if len(ae.ObjectRef.Namespace) == 0 { + ae.ObjectRef.Namespace = objMeta.GetNamespace() + } + if len(ae.ObjectRef.Name) == 0 { + ae.ObjectRef.Name = objMeta.GetName() + } + if len(ae.ObjectRef.UID) == 0 { + ae.ObjectRef.UID = objMeta.GetUID() + } + if len(ae.ObjectRef.ResourceVersion) == 0 { + ae.ObjectRef.ResourceVersion = objMeta.GetResourceVersion() + } + } + if len(ae.ObjectRef.APIVersion) == 0 { + ae.ObjectRef.APIGroup = gvr.Group + ae.ObjectRef.APIVersion = gvr.Version + } + if len(ae.ObjectRef.Resource) == 0 { + ae.ObjectRef.Resource = gvr.Resource + } + if len(ae.ObjectRef.Subresource) == 0 { + ae.ObjectRef.Subresource = subresource + } + + if ae.Level.Less(auditinternal.LevelRequest) { + return + } + ae.RequestObject = requestObject + }) } // LogRequestPatch fills in the given patch as the request object into an audit event. func LogRequestPatch(ctx context.Context, patch []byte) { - ae := AuditEventFrom(ctx) - if ae == nil || ae.Level.Less(auditinternal.LevelRequest) { + ac := AuditContextFrom(ctx) + if ac.GetEventLevel().Less(auditinternal.LevelRequest) { return } - - ae.RequestObject = &runtime.Unknown{ - Raw: patch, - ContentType: runtime.ContentTypeJSON, - } + ac.LogRequestPatch(patch) } // LogResponseObject fills in the response object into an audit event. The passed runtime.Object // will be converted to the given gv. func LogResponseObject(ctx context.Context, obj runtime.Object, gv schema.GroupVersion, s runtime.NegotiatedSerializer) { - ae := AuditEventFrom(ctx) - if ae == nil || ae.Level.Less(auditinternal.LevelMetadata) { + ac := AuditContextFrom(WithAuditContext(ctx)) + status, _ := obj.(*metav1.Status) + if ac.GetEventLevel().Less(auditinternal.LevelMetadata) { return - } - if status, ok := obj.(*metav1.Status); ok { - // selectively copy the bounded fields. - ae.ResponseStatus = &metav1.Status{ - Status: status.Status, - Message: status.Message, - Reason: status.Reason, - Details: status.Details, - Code: status.Code, - } - } - - if ae.Level.Less(auditinternal.LevelRequestResponse) { + } else if ac.GetEventLevel().Less(auditinternal.LevelRequestResponse) { + ac.LogResponseObject(status, nil) return } - if shouldOmitManagedFields(ctx) { + if shouldOmitManagedFields(ac) { copy, ok, err := copyWithoutManagedFields(obj) if err != nil { - klog.ErrorS(err, "Error while dropping managed fields from the response", "auditID", ae.AuditID) + klog.ErrorS(err, "Error while dropping managed fields from the response", "auditID", ac.AuditID()) } if ok { obj = copy @@ -207,10 +191,11 @@ func LogResponseObject(ctx context.Context, obj runtime.Object, gv schema.GroupV // TODO(audit): hook into the serializer to avoid double conversion var err error - ae.ResponseObject, err = encodeObject(obj, gv, s) + responseObject, err := encodeObject(obj, gv, s) if err != nil { - klog.ErrorS(err, "Encoding failed of response object", "auditID", ae.AuditID, "obj", obj) + klog.ErrorS(err, "Encoding failed of response object", "auditID", ac.AuditID(), "obj", obj) } + ac.LogResponseObject(status, responseObject) } func encodeObject(obj runtime.Object, gv schema.GroupVersion, serializer runtime.NegotiatedSerializer) (*runtime.Unknown, error) { @@ -301,9 +286,9 @@ func removeManagedFields(obj runtime.Object) error { return nil } -func shouldOmitManagedFields(ctx context.Context) bool { - if auditContext := AuditContextFrom(ctx); auditContext != nil { - return auditContext.RequestAuditConfig.OmitManagedFields +func shouldOmitManagedFields(ac *AuditContext) bool { + if ac != nil && ac.initialized.Load() && ac.requestAuditConfig.OmitManagedFields { + return true } // If we can't decide, return false to maintain current behavior which is diff --git a/vendor/k8s.io/apiserver/pkg/authentication/cel/interface.go b/vendor/k8s.io/apiserver/pkg/authentication/cel/interface.go index 0fc208414..be7e634f3 100644 --- a/vendor/k8s.io/apiserver/pkg/authentication/cel/interface.go +++ b/vendor/k8s.io/apiserver/pkg/authentication/cel/interface.go @@ -22,8 +22,7 @@ import ( celgo "github.com/google/cel-go/cel" "github.com/google/cel-go/common/types/ref" - - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "github.com/google/cel-go/common/types/traits" ) // ExpressionAccessor is an interface that provides access to a CEL expression. @@ -55,17 +54,17 @@ type Compiler interface { type ClaimsMapper interface { // EvalClaimMapping evaluates the given claim mapping expression and returns a EvaluationResult. // This is used for username, groups and uid claim mapping that contains a single expression. - EvalClaimMapping(ctx context.Context, claims *unstructured.Unstructured) (EvaluationResult, error) + EvalClaimMapping(ctx context.Context, claims traits.Mapper) (EvaluationResult, error) // EvalClaimMappings evaluates the given expressions and returns a list of EvaluationResult. // This is used for extra claim mapping and claim validation that contains a list of expressions. - EvalClaimMappings(ctx context.Context, claims *unstructured.Unstructured) ([]EvaluationResult, error) + EvalClaimMappings(ctx context.Context, claims traits.Mapper) ([]EvaluationResult, error) } // UserMapper provides a CEL expression mapper configured with the user CEL variable. type UserMapper interface { // EvalUser evaluates the given user expressions and returns a list of EvaluationResult. // This is used for user validation that contains a list of expressions. - EvalUser(ctx context.Context, userInfo *unstructured.Unstructured) ([]EvaluationResult, error) + EvalUser(ctx context.Context, userInfo traits.Mapper) ([]EvaluationResult, error) } var _ ExpressionAccessor = &ClaimMappingExpression{} diff --git a/vendor/k8s.io/apiserver/pkg/authentication/cel/mapper.go b/vendor/k8s.io/apiserver/pkg/authentication/cel/mapper.go index ab308bb7f..3b6041aeb 100644 --- a/vendor/k8s.io/apiserver/pkg/authentication/cel/mapper.go +++ b/vendor/k8s.io/apiserver/pkg/authentication/cel/mapper.go @@ -20,7 +20,8 @@ import ( "context" "fmt" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "github.com/google/cel-go/common/types/traits" + "github.com/google/cel-go/interpreter" ) var _ ClaimsMapper = &mapper{} @@ -57,8 +58,8 @@ func NewUserMapper(compilationResults []CompilationResult) UserMapper { } // EvalClaimMapping evaluates the given claim mapping expression and returns a EvaluationResult. -func (m *mapper) EvalClaimMapping(ctx context.Context, claims *unstructured.Unstructured) (EvaluationResult, error) { - results, err := m.eval(ctx, map[string]interface{}{claimsVarName: claims.Object}) +func (m *mapper) EvalClaimMapping(ctx context.Context, claims traits.Mapper) (EvaluationResult, error) { + results, err := m.eval(ctx, &varNameActivation{name: claimsVarName, value: claims}) if err != nil { return EvaluationResult{}, err } @@ -69,16 +70,16 @@ func (m *mapper) EvalClaimMapping(ctx context.Context, claims *unstructured.Unst } // EvalClaimMappings evaluates the given expressions and returns a list of EvaluationResult. -func (m *mapper) EvalClaimMappings(ctx context.Context, claims *unstructured.Unstructured) ([]EvaluationResult, error) { - return m.eval(ctx, map[string]interface{}{claimsVarName: claims.Object}) +func (m *mapper) EvalClaimMappings(ctx context.Context, claims traits.Mapper) ([]EvaluationResult, error) { + return m.eval(ctx, &varNameActivation{name: claimsVarName, value: claims}) } // EvalUser evaluates the given user expressions and returns a list of EvaluationResult. -func (m *mapper) EvalUser(ctx context.Context, userInfo *unstructured.Unstructured) ([]EvaluationResult, error) { - return m.eval(ctx, map[string]interface{}{userVarName: userInfo.Object}) +func (m *mapper) EvalUser(ctx context.Context, userInfo traits.Mapper) ([]EvaluationResult, error) { + return m.eval(ctx, &varNameActivation{name: userVarName, value: userInfo}) } -func (m *mapper) eval(ctx context.Context, input map[string]interface{}) ([]EvaluationResult, error) { +func (m *mapper) eval(ctx context.Context, input *varNameActivation) ([]EvaluationResult, error) { evaluations := make([]EvaluationResult, len(m.compilationResults)) for i, compilationResult := range m.compilationResults { @@ -95,3 +96,19 @@ func (m *mapper) eval(ctx context.Context, input map[string]interface{}) ([]Eval return evaluations, nil } + +var _ interpreter.Activation = &varNameActivation{} + +type varNameActivation struct { + name string + value traits.Mapper +} + +func (v *varNameActivation) ResolveName(name string) (any, bool) { + if v.name != name { + return nil, false + } + return v.value, true +} + +func (v *varNameActivation) Parent() interpreter.Activation { return nil } diff --git a/vendor/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator.go b/vendor/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator.go index 18167dddc..9d1556e63 100644 --- a/vendor/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator.go +++ b/vendor/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator.go @@ -33,7 +33,6 @@ import ( "golang.org/x/sync/singleflight" apierrors "k8s.io/apimachinery/pkg/api/errors" - auditinternal "k8s.io/apiserver/pkg/apis/audit" "k8s.io/apiserver/pkg/audit" "k8s.io/apiserver/pkg/authentication/authenticator" "k8s.io/apiserver/pkg/warning" @@ -199,12 +198,9 @@ func (a *cachedTokenAuthenticator) doAuthenticateToken(ctx context.Context, toke ctx = audit.WithAuditContext(ctx) ac := audit.AuditContextFrom(ctx) - // since this is shared work between multiple requests, we have no way of knowing if any - // particular request supports audit annotations. thus we always attempt to record them. - ac.Event.Level = auditinternal.LevelMetadata record.resp, record.ok, record.err = a.authenticator.AuthenticateToken(ctx, token) - record.annotations = ac.Event.Annotations + record.annotations = ac.GetEventAnnotations() record.warnings = recorder.extractWarnings() if !a.cacheErrs && record.err != nil { diff --git a/vendor/k8s.io/apiserver/pkg/cel/environment/base.go b/vendor/k8s.io/apiserver/pkg/cel/environment/base.go index a258fdec4..4b0e7265f 100644 --- a/vendor/k8s.io/apiserver/pkg/cel/environment/base.go +++ b/vendor/k8s.io/apiserver/pkg/cel/environment/base.go @@ -183,6 +183,13 @@ var baseOptsWithoutStrictCost = []VersionedOptions{ library.SemverLib(library.SemverVersion(1)), }, }, + // List library + { + IntroducedVersion: version.MajorMinor(1, 34), + EnvOptions: []cel.EnvOption{ + ext.Lists(ext.ListsVersion(3)), + }, + }, } var ( diff --git a/vendor/k8s.io/apiserver/pkg/cel/library/cost.go b/vendor/k8s.io/apiserver/pkg/cel/library/cost.go index 47dbe7aa6..1eb68e16f 100644 --- a/vendor/k8s.io/apiserver/pkg/cel/library/cost.go +++ b/vendor/k8s.io/apiserver/pkg/cel/library/cost.go @@ -421,26 +421,22 @@ func (l *CostEstimator) EstimateCallCost(function, overloadId string, target *ch return &checker.CallEstimate{CostEstimate: strCost.Multiply(regexCost), ResultSize: &checker.SizeEstimate{Min: 0, Max: sz.Max}} } case "cidr", "isIP", "isCIDR": - if target != nil { + if len(args) >= 1 { sz := l.sizeEstimate(args[0]) return &checker.CallEstimate{CostEstimate: sz.MultiplyByCostFactor(common.StringTraversalCostFactor)} } case "ip": - if target != nil && len(args) >= 1 { - if overloadId == "cidr_ip" { - // The IP member of the CIDR object is just accessing a field. - // Nominal cost. - return &checker.CallEstimate{CostEstimate: checker.CostEstimate{Min: 1, Max: 1}} - } - + if overloadId == "cidr_ip" { + // The IP member of the CIDR object is just accessing a field. + // Nominal cost. + return &checker.CallEstimate{CostEstimate: checker.CostEstimate{Min: 1, Max: 1}} + } + if len(args) >= 1 { sz := l.sizeEstimate(args[0]) return &checker.CallEstimate{CostEstimate: sz.MultiplyByCostFactor(common.StringTraversalCostFactor)} - } else if target != nil { - // The IP member of a CIDR is a just accessing a field, nominal cost. - return &checker.CallEstimate{CostEstimate: checker.CostEstimate{Min: 1, Max: 1}} } case "ip.isCanonical": - if target != nil && len(args) >= 1 { + if len(args) >= 1 { sz := l.sizeEstimate(args[0]) // We have to parse the string and then compare the parsed string to the original string. // So we double the cost of parsing the string. @@ -450,7 +446,7 @@ func (l *CostEstimator) EstimateCallCost(function, overloadId string, target *ch // IP and CIDR accessors are nominal cost. return &checker.CallEstimate{CostEstimate: checker.CostEstimate{Min: 1, Max: 1}} case "containsIP": - if target != nil && len(args) >= 1 { + if len(args) >= 1 { // The base cost of the function is the cost of comparing two byte lists. // The byte lists will be either ipv4 or ipv6 so will have a length of 4, or 16 bytes. sz := checker.SizeEstimate{Min: 4, Max: 16} @@ -466,7 +462,7 @@ func (l *CostEstimator) EstimateCallCost(function, overloadId string, target *ch return &checker.CallEstimate{CostEstimate: ipCompCost} } case "containsCIDR": - if target != nil && len(args) >= 1 { + if len(args) >= 1 { // The base cost of the function is the cost of comparing two byte lists. // The byte lists will be either ipv4 or ipv6 so will have a length of 4, or 16 bytes. sz := checker.SizeEstimate{Min: 4, Max: 16} @@ -488,12 +484,12 @@ func (l *CostEstimator) EstimateCallCost(function, overloadId string, target *ch return &checker.CallEstimate{CostEstimate: ipCompCost} } case "quantity", "isQuantity", "semver", "isSemver": - if target != nil { + if len(args) >= 1 { sz := l.sizeEstimate(args[0]) return &checker.CallEstimate{CostEstimate: sz.MultiplyByCostFactor(common.StringTraversalCostFactor)} } case "validate": - if target != nil { + if len(args) >= 1 { sz := l.sizeEstimate(args[0]) return &checker.CallEstimate{CostEstimate: sz.MultiplyByCostFactor(common.StringTraversalCostFactor).MultiplyByCostFactor(cel.MaxNameFormatRegexSize * common.RegexStringLengthCostFactor)} } diff --git a/vendor/k8s.io/apiserver/pkg/endpoints/request/methods.go b/vendor/k8s.io/apiserver/pkg/endpoints/request/methods.go new file mode 100644 index 000000000..0aa0a8045 --- /dev/null +++ b/vendor/k8s.io/apiserver/pkg/endpoints/request/methods.go @@ -0,0 +1,37 @@ +/* +Copyright 2025 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package request + +import "net/http" + +const ( + MethodApply string = "APPLY" + MethodConnect string = http.MethodConnect + MethodCreate string = "CREATE" + MethodDelete string = http.MethodDelete + MethodDeleteCollection string = "DELETECOLLECTION" + MethodGet string = http.MethodGet + MethodHead string = http.MethodHead + MethodList string = "LIST" + MethodPatch string = http.MethodPatch + MethodPost string = http.MethodPost + MethodProxy string = "PROXY" + MethodPut string = http.MethodPut + MethodUpdate string = "UPDATE" + MethodWatch string = "WATCH" + MethodWatchList string = "WATCHLIST" +) diff --git a/vendor/k8s.io/apiserver/pkg/endpoints/request/requestinfo.go b/vendor/k8s.io/apiserver/pkg/endpoints/request/requestinfo.go index 808943d16..d6bf062a1 100644 --- a/vendor/k8s.io/apiserver/pkg/endpoints/request/requestinfo.go +++ b/vendor/k8s.io/apiserver/pkg/endpoints/request/requestinfo.go @@ -175,15 +175,15 @@ func (r *RequestInfoFactory) NewRequestInfo(req *http.Request) (*RequestInfo, er } else { switch req.Method { - case "POST": + case MethodPost: requestInfo.Verb = "create" - case "GET", "HEAD": + case MethodGet, MethodHead: requestInfo.Verb = "get" - case "PUT": + case MethodPut: requestInfo.Verb = "update" - case "PATCH": + case MethodPatch: requestInfo.Verb = "patch" - case "DELETE": + case MethodDelete: requestInfo.Verb = "delete" default: requestInfo.Verb = "" diff --git a/vendor/k8s.io/apiserver/pkg/features/kube_features.go b/vendor/k8s.io/apiserver/pkg/features/kube_features.go index 0ede8f9cb..e04f1d468 100644 --- a/vendor/k8s.io/apiserver/pkg/features/kube_features.go +++ b/vendor/k8s.io/apiserver/pkg/features/kube_features.go @@ -21,18 +21,38 @@ import ( "k8s.io/apimachinery/pkg/util/version" utilfeature "k8s.io/apiserver/pkg/util/feature" "k8s.io/component-base/featuregate" + zpagesfeatures "k8s.io/component-base/zpages/features" ) +// Every feature gate should have an entry here following this template: +// +// // owner: @username +// MyFeature featuregate.Feature = "MyFeature" +// +// Feature gates should be listed in alphabetical, case-sensitive +// (upper before any lower case character) order. This reduces the risk +// of code conflicts because changes are more likely to be scattered +// across the file. const ( - // Every feature gate should add method here following this template: + // owner: @ilackams // - // // owner: @username - // MyFeature featuregate.Feature = "MyFeature" + // Enables compression of REST responses (GET and LIST only) + APIResponseCompression featuregate.Feature = "APIResponseCompression" + + // owner: @roycaihw // - // Feature gates should be listed in alphabetical, case-sensitive - // (upper before any lower case character) order. This reduces the risk - // of code conflicts because changes are more likely to be scattered - // across the file. + // Assigns each kube-apiserver an ID in a cluster. + APIServerIdentity featuregate.Feature = "APIServerIdentity" + + // owner: @dashpole + // + // Add support for distributed tracing in the API Server + APIServerTracing featuregate.Feature = "APIServerTracing" + + // owner: @linxiulei + // + // Enables serving watch requests in separate goroutines. + APIServingWithRoutine featuregate.Feature = "APIServingWithRoutine" // owner: @jefftree // @@ -46,12 +66,6 @@ const ( // Allow user.DefaultInfo.UID to be set from x509 cert during cert auth. AllowParsingUserUIDFromCertAuth featuregate.Feature = "AllowParsingUserUIDFromCertAuth" - // owner: @vinayakankugoyal - // kep: https://kep.k8s.io/4633 - // - // Allows us to enable anonymous auth for only certain apiserver endpoints. - AnonymousAuthConfigurableEndpoints featuregate.Feature = "AnonymousAuthConfigurableEndpoints" - // owner: @stlaz @tkashem @dgrisonnet // kep: https://kep.k8s.io/3926 // @@ -61,25 +75,11 @@ const ( // resources using the Kubernetes API only. AllowUnsafeMalformedObjectDeletion featuregate.Feature = "AllowUnsafeMalformedObjectDeletion" - // owner: @ilackams - // - // Enables compression of REST responses (GET and LIST only) - APIResponseCompression featuregate.Feature = "APIResponseCompression" - - // owner: @roycaihw - // - // Assigns each kube-apiserver an ID in a cluster. - APIServerIdentity featuregate.Feature = "APIServerIdentity" - - // owner: @dashpole - // - // Add support for distributed tracing in the API Server - APIServerTracing featuregate.Feature = "APIServerTracing" - - // owner: @linxiulei + // owner: @vinayakankugoyal + // kep: https://kep.k8s.io/4633 // - // Enables serving watch requests in separate goroutines. - APIServingWithRoutine featuregate.Feature = "APIServingWithRoutine" + // Allows us to enable anonymous auth for only certain apiserver endpoints. + AnonymousAuthConfigurableEndpoints featuregate.Feature = "AnonymousAuthConfigurableEndpoints" // owner: @deads2k // kep: https://kep.k8s.io/4601 @@ -87,6 +87,11 @@ const ( // Allows authorization to use field and label selectors. AuthorizeWithSelectors featuregate.Feature = "AuthorizeWithSelectors" + // owner: @serathius + // + // Replaces watch cache hashmap implementation with a btree based one, bringing performance improvements. + BtreeWatchCache featuregate.Feature = "BtreeWatchCache" + // owner: @benluddy // kep: https://kep.k8s.io/4222 // @@ -94,21 +99,28 @@ const ( // preferred storage encoding for custom resources. CBORServingAndStorage featuregate.Feature = "CBORServingAndStorage" - // owner: @serathius - // - // Replaces watch cache hashmap implementation with a btree based one, bringing performance improvements. - BtreeWatchCache featuregate.Feature = "BtreeWatchCache" - // owner: @serathius // Enables concurrent watch object decoding to avoid starving watch cache when conversion webhook is installed. ConcurrentWatchObjectDecode featuregate.Feature = "ConcurrentWatchObjectDecode" + // owner: @serathius + // kep: http://kep.k8s.io/2340 + // + // Allow the API server to serve consistent lists from cache + ConsistentListFromCache featuregate.Feature = "ConsistentListFromCache" + // owner: @jefftree // kep: https://kep.k8s.io/4355 // // Enables coordinated leader election in the API server CoordinatedLeaderElection featuregate.Feature = "CoordinatedLeaderElection" + // owner: @serathius + // kep: https://kep.k8s.io/4988 + // + // Enabled cache inconsistency detection. + DetectCacheInconsistency featuregate.Feature = "DetectCacheInconsistency" + // owner: @aramase // kep: https://kep.k8s.io/3299 // deprecated: v1.28 @@ -148,29 +160,6 @@ const ( // overload. ResilientWatchCacheInitialization featuregate.Feature = "ResilientWatchCacheInitialization" - // owner: @serathius - // - // Allow watch cache to create a watch on a dedicated RPC. - // This prevents watch cache from being starved by other watches. - SeparateCacheWatchRPC featuregate.Feature = "SeparateCacheWatchRPC" - - // owner: @enj - // - // Enables http2 DOS mitigations for unauthenticated clients. - // - // Some known reasons to disable these mitigations: - // - // An API server that is fronted by an L7 load balancer that is set up - // to mitigate http2 attacks may opt to disable this protection to prevent - // unauthenticated clients from disabling connection reuse between the load - // balancer and the API server (many incoming connections could share the - // same backend connection). - // - // An API server that is on a private network may opt to disable this - // protection to prevent performance regressions for unauthenticated - // clients. - UnauthenticatedHTTP2DOSMitigation featuregate.Feature = "UnauthenticatedHTTP2DOSMitigation" - // owner: @jpbetz // Resource create requests using generateName are retried automatically by the apiserver // if the generated name conflicts with an existing resource name, up to a maximum number of 7 retries. @@ -178,19 +167,14 @@ const ( // owner: @cici37 // - // StrictCostEnforcementForVAP is used to apply strict CEL cost validation for ValidatingAdmissionPolicy. - // It will be set to off by default for certain time of period to prevent the impact on the existing users. - // It is strongly recommended to enable this feature gate as early as possible. - // The strict cost is specific for the extended libraries whose cost defined under k8s/apiserver/pkg/cel/library. - StrictCostEnforcementForVAP featuregate.Feature = "StrictCostEnforcementForVAP" + // Allow watch cache to create a watch on a dedicated RPC. + // This prevents watch cache from being starved by other watches. + SeparateCacheWatchRPC featuregate.Feature = "SeparateCacheWatchRPC" - // owner: @cici37 + // owner: @serathius // - // StrictCostEnforcementForWebhooks is used to apply strict CEL cost validation for matchConditions in Webhooks. - // It will be set to off by default for certain time of period to prevent the impact on the existing users. - // It is strongly recommended to enable this feature gate as early as possible. - // The strict cost is specific for the extended libraries whose cost defined under k8s/apiserver/pkg/cel/library. - StrictCostEnforcementForWebhooks featuregate.Feature = "StrictCostEnforcementForWebhooks" + // Enables APF to use size of objects for estimating request cost. + SizeBasedListCostEstimate featuregate.Feature = "SizeBasedListCostEstimate" // owner: @caesarxuchao @roycaihw // @@ -211,18 +195,67 @@ const ( // Allow API server Protobuf encoder to encode collections item by item, instead of all at once. StreamingCollectionEncodingToProtobuf featuregate.Feature = "StreamingCollectionEncodingToProtobuf" + // owner: @cici37 + // + // StrictCostEnforcementForVAP is used to apply strict CEL cost validation for ValidatingAdmissionPolicy. + // It will be set to off by default for certain time of period to prevent the impact on the existing users. + // It is strongly recommended to enable this feature gate as early as possible. + // The strict cost is specific for the extended libraries whose cost defined under k8s/apiserver/pkg/cel/library. + StrictCostEnforcementForVAP featuregate.Feature = "StrictCostEnforcementForVAP" + + // owner: @cici37 + // + // StrictCostEnforcementForWebhooks is used to apply strict CEL cost validation for matchConditions in Webhooks. + // It will be set to off by default for certain time of period to prevent the impact on the existing users. + // It is strongly recommended to enable this feature gate as early as possible. + // The strict cost is specific for the extended libraries whose cost defined under k8s/apiserver/pkg/cel/library. + StrictCostEnforcementForWebhooks featuregate.Feature = "StrictCostEnforcementForWebhooks" + // owner: @aramase, @enj, @nabokihms // kep: https://kep.k8s.io/3331 // // Enables Structured Authentication Configuration StructuredAuthenticationConfiguration featuregate.Feature = "StructuredAuthenticationConfiguration" + // owner: @aramase, @enj, @nabokihms + // kep: https://kep.k8s.io/3331 + // + // Enables Egress Selector in Structured Authentication Configuration + StructuredAuthenticationConfigurationEgressSelector featuregate.Feature = "StructuredAuthenticationConfigurationEgressSelector" + // owner: @palnabarun // kep: https://kep.k8s.io/3221 // // Enables Structured Authorization Configuration StructuredAuthorizationConfiguration featuregate.Feature = "StructuredAuthorizationConfiguration" + // owner: @aramase + // + // Enables validation of service account UID in TokenRequest API. + // + // This feature gate is used to ensure that the UID provided in the TokenRequest + // matches the UID of the service account for which the token is being requested. + // It helps prevent misuse of the TokenRequest API by ensuring that tokens are only + // issued for the correct service account. + TokenRequestServiceAccountUIDValidation featuregate.Feature = "TokenRequestServiceAccountUIDValidation" + + // owner: @enj + // + // Enables http2 DOS mitigations for unauthenticated clients. + // + // Some known reasons to disable these mitigations: + // + // An API server that is fronted by an L7 load balancer that is set up + // to mitigate http2 attacks may opt to disable this protection to prevent + // unauthenticated clients from disabling connection reuse between the load + // balancer and the API server (many incoming connections could share the + // same backend connection). + // + // An API server that is on a private network may opt to disable this + // protection to prevent performance regressions for unauthenticated + // clients. + UnauthenticatedHTTP2DOSMitigation featuregate.Feature = "UnauthenticatedHTTP2DOSMitigation" + // owner: @wojtek-t // // Enables post-start-hook for storage readiness @@ -237,16 +270,11 @@ const ( // // Allow the API server to stream individual items instead of chunking WatchList featuregate.Feature = "WatchList" - - // owner: @serathius - // kep: http://kep.k8s.io/2340 - // - // Allow the API server to serve consistent lists from cache - ConsistentListFromCache featuregate.Feature = "ConsistentListFromCache" ) func init() { runtime.Must(utilfeature.DefaultMutableFeatureGate.AddVersioned(defaultVersionedKubernetesFeatureGates)) + runtime.Must(zpagesfeatures.AddFeatureGates(utilfeature.DefaultMutableFeatureGate)) } // defaultVersionedKubernetesFeatureGates consists of all known Kubernetes-specific feature keys with VersionedSpecs. @@ -256,24 +284,6 @@ func init() { // Entries are alphabetized and separated from each other with blank lines to avoid sweeping gofmt changes // when adding or removing one entry. var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate.VersionedSpecs{ - AggregatedDiscoveryRemoveBetaType: { - {Version: version.MustParse("1.0"), Default: false, PreRelease: featuregate.GA}, - {Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.Deprecated}, - }, - - AllowParsingUserUIDFromCertAuth: { - {Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.Beta}, - }, - - AllowUnsafeMalformedObjectDeletion: { - {Version: version.MustParse("1.32"), Default: false, PreRelease: featuregate.Alpha}, - }, - - AnonymousAuthConfigurableEndpoints: { - {Version: version.MustParse("1.31"), Default: false, PreRelease: featuregate.Alpha}, - {Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.Beta}, - }, - APIResponseCompression: { {Version: version.MustParse("1.8"), Default: false, PreRelease: featuregate.Alpha}, {Version: version.MustParse("1.16"), Default: true, PreRelease: featuregate.Beta}, @@ -287,20 +297,41 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate APIServerTracing: { {Version: version.MustParse("1.22"), Default: false, PreRelease: featuregate.Alpha}, {Version: version.MustParse("1.27"), Default: true, PreRelease: featuregate.Beta}, + {Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.37 }, APIServingWithRoutine: { {Version: version.MustParse("1.30"), Default: false, PreRelease: featuregate.Alpha}, }, - BtreeWatchCache: { + AggregatedDiscoveryRemoveBetaType: { + {Version: version.MustParse("1.0"), Default: false, PreRelease: featuregate.GA}, + {Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.Deprecated}, + }, + + AllowParsingUserUIDFromCertAuth: { + {Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.Beta}, + }, + + AllowUnsafeMalformedObjectDeletion: { + {Version: version.MustParse("1.32"), Default: false, PreRelease: featuregate.Alpha}, + }, + + AnonymousAuthConfigurableEndpoints: { + {Version: version.MustParse("1.31"), Default: false, PreRelease: featuregate.Alpha}, {Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.Beta}, - {Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, + {Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, }, AuthorizeWithSelectors: { {Version: version.MustParse("1.31"), Default: false, PreRelease: featuregate.Alpha}, {Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.Beta}, + {Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.37 + }, + + BtreeWatchCache: { + {Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.Beta}, + {Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, }, CBORServingAndStorage: { @@ -314,6 +345,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate ConsistentListFromCache: { {Version: version.MustParse("1.28"), Default: false, PreRelease: featuregate.Alpha}, {Version: version.MustParse("1.31"), Default: true, PreRelease: featuregate.Beta}, + {Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, }, CoordinatedLeaderElection: { @@ -321,6 +353,10 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate {Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Beta}, }, + DetectCacheInconsistency: { + {Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta}, + }, + KMSv1: { {Version: version.MustParse("1.0"), Default: true, PreRelease: featuregate.GA}, {Version: version.MustParse("1.28"), Default: true, PreRelease: featuregate.Deprecated}, @@ -329,10 +365,12 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate ListFromCacheSnapshot: { {Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Alpha}, + {Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta}, }, MutatingAdmissionPolicy: { {Version: version.MustParse("1.32"), Default: false, PreRelease: featuregate.Alpha}, + {Version: version.MustParse("1.34"), Default: false, PreRelease: featuregate.Beta}, }, OpenAPIEnums: { @@ -347,6 +385,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate ResilientWatchCacheInitialization: { {Version: version.MustParse("1.31"), Default: true, PreRelease: featuregate.Beta}, + {Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, }, RetryGenerateName: { @@ -360,6 +399,10 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate {Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Deprecated}, }, + SizeBasedListCostEstimate: { + {Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta}, + }, + StorageVersionAPI: { {Version: version.MustParse("1.20"), Default: false, PreRelease: featuregate.Alpha}, }, @@ -371,10 +414,12 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate StreamingCollectionEncodingToJSON: { {Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.Beta}, + {Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, }, StreamingCollectionEncodingToProtobuf: { {Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.Beta}, + {Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, }, StrictCostEnforcementForVAP: { @@ -390,6 +435,11 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate StructuredAuthenticationConfiguration: { {Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha}, {Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta}, + {Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // GA and LockToDefault in 1.34, remove in 1.37 + }, + + StructuredAuthenticationConfigurationEgressSelector: { + {Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta}, }, StructuredAuthorizationConfiguration: { @@ -398,6 +448,10 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate {Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, }, + TokenRequestServiceAccountUIDValidation: { + {Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta}, + }, + UnauthenticatedHTTP2DOSMitigation: { {Version: version.MustParse("1.25"), Default: false, PreRelease: featuregate.Beta}, {Version: version.MustParse("1.29"), Default: true, PreRelease: featuregate.Beta}, @@ -417,5 +471,6 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate {Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.Beta}, // switch this back to false because the json and proto streaming encoders appear to work better. {Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Beta}, + {Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta}, }, } diff --git a/vendor/k8s.io/apiserver/pkg/server/egressselector/config.go b/vendor/k8s.io/apiserver/pkg/server/egressselector/config.go index 0513b2822..6ad7b288e 100644 --- a/vendor/k8s.io/apiserver/pkg/server/egressselector/config.go +++ b/vendor/k8s.io/apiserver/pkg/server/egressselector/config.go @@ -32,7 +32,7 @@ import ( var cfgScheme = runtime.NewScheme() -// validEgressSelectorNames contains the set of valid egress selctor names. +// validEgressSelectorNames contains the set of valid egress selector names. var validEgressSelectorNames = sets.NewString("controlplane", "cluster", "etcd") func init() { @@ -165,7 +165,7 @@ func validateDirectConnection(connection apiserver.Connection, fldPath *field.Pa return field.ErrorList{field.Invalid( fldPath.Child("transport"), "direct", - "Transport config should be absent for direct connect"), + "config must be absent for direct connect"), } } @@ -178,7 +178,7 @@ func validateUDSConnection(udsConfig *apiserver.UDSTransport, fldPath *field.Pat allErrs = append(allErrs, field.Invalid( fldPath.Child("udsName"), "nil", - "UDSName should be present for UDS connections")) + "must be present for UDS connections")) } return allErrs } @@ -191,7 +191,7 @@ func validateTCPConnection(tcpConfig *apiserver.TCPTransport, fldPath *field.Pat allErrs = append(allErrs, field.Invalid( fldPath.Child("tlsConfig"), "nil", - "TLSConfig config should not be present when using HTTP")) + "config must not be present when using HTTP")) } } else if strings.HasPrefix(tcpConfig.URL, "https://") { return validateTLSConfig(tcpConfig.TLSConfig, fldPath) diff --git a/vendor/k8s.io/apiserver/pkg/util/webhook/validation.go b/vendor/k8s.io/apiserver/pkg/util/webhook/validation.go index 9cf258b72..767f98a9c 100644 --- a/vendor/k8s.io/apiserver/pkg/util/webhook/validation.go +++ b/vendor/k8s.io/apiserver/pkg/util/webhook/validation.go @@ -65,11 +65,11 @@ func ValidateWebhookService(fldPath *field.Path, namespace, name string, path *s var allErrors field.ErrorList if len(name) == 0 { - allErrors = append(allErrors, field.Required(fldPath.Child("name"), "service name is required")) + allErrors = append(allErrors, field.Required(fldPath.Child("name"), "")) } if len(namespace) == 0 { - allErrors = append(allErrors, field.Required(fldPath.Child("namespace"), "service namespace is required")) + allErrors = append(allErrors, field.Required(fldPath.Child("namespace"), "")) } if errs := validation.IsValidPortNum(int(port)); errs != nil { diff --git a/vendor/k8s.io/client-go/tools/leaderelection/resourcelock/leaselock.go b/vendor/k8s.io/client-go/tools/leaderelection/resourcelock/leaselock.go index 5d2054155..79a748b74 100644 --- a/vendor/k8s.io/client-go/tools/leaderelection/resourcelock/leaselock.go +++ b/vendor/k8s.io/client-go/tools/leaderelection/resourcelock/leaselock.go @@ -77,6 +77,9 @@ func (ll *LeaseLock) Update(ctx context.Context, ler LeaderElectionRecord) error ll.lease.Spec = LeaderElectionRecordToLeaseSpec(&ler) if ll.Labels != nil { + if ll.lease.Labels == nil { + ll.lease.Labels = map[string]string{} + } // Only overwrite the labels that are specifically set for k, v := range ll.Labels { ll.lease.Labels[k] = v diff --git a/vendor/k8s.io/client-go/util/cert/cert.go b/vendor/k8s.io/client-go/util/cert/cert.go index 122046126..48c78b595 100644 --- a/vendor/k8s.io/client-go/util/cert/cert.go +++ b/vendor/k8s.io/client-go/util/cert/cert.go @@ -75,13 +75,15 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro CommonName: cfg.CommonName, Organization: cfg.Organization, }, - DNSNames: []string{cfg.CommonName}, NotBefore: notBefore, NotAfter: now.Add(duration365d * 10).UTC(), KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true, } + if len(cfg.CommonName) > 0 { + tmpl.DNSNames = []string{cfg.CommonName} + } certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key) if err != nil { diff --git a/vendor/k8s.io/component-base/zpages/features/doc.go b/vendor/k8s.io/component-base/zpages/features/doc.go new file mode 100644 index 000000000..b2fa2809a --- /dev/null +++ b/vendor/k8s.io/component-base/zpages/features/doc.go @@ -0,0 +1,22 @@ +/* +Copyright 2024 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package features contains a separate feature set specifically designed for +// managing zpages related features. These feature gates control the +// availability and behavior of various zpages within Kubernetes components. +// New zpages added to Kubernetes components should utilize this feature set +// to ensure proper management of their availability. +package features diff --git a/vendor/k8s.io/component-base/zpages/features/kube_features.go b/vendor/k8s.io/component-base/zpages/features/kube_features.go new file mode 100644 index 000000000..ed5e41e01 --- /dev/null +++ b/vendor/k8s.io/component-base/zpages/features/kube_features.go @@ -0,0 +1,52 @@ +/* +Copyright 2024 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package features + +import ( + "k8s.io/apimachinery/pkg/util/version" + "k8s.io/component-base/featuregate" +) + +const ( + // owner: @richabanker + // kep: https://kep.k8s.io/4828 + ComponentFlagz featuregate.Feature = "ComponentFlagz" + + // owner: @richabanker + // kep: https://kep.k8s.io/4827 + // alpha: v1.32 + // + // Enables /statusz endpoint for a component making it accessible to + // users with the system:monitoring cluster role. + ComponentStatusz featuregate.Feature = "ComponentStatusz" +) + +func featureGates() map[featuregate.Feature]featuregate.VersionedSpecs { + return map[featuregate.Feature]featuregate.VersionedSpecs{ + ComponentFlagz: { + {Version: version.MustParse("1.32"), Default: false, PreRelease: featuregate.Alpha}, + }, + ComponentStatusz: { + {Version: version.MustParse("1.32"), Default: false, PreRelease: featuregate.Alpha}, + }, + } +} + +// AddFeatureGates adds all feature gates used by this package. +func AddFeatureGates(mutableFeatureGate featuregate.MutableVersionedFeatureGate) error { + return mutableFeatureGate.AddVersioned(featureGates()) +} diff --git a/vendor/k8s.io/mount-utils/README.md b/vendor/k8s.io/mount-utils/README.md index ee7c8e89a..02a46dd89 100644 --- a/vendor/k8s.io/mount-utils/README.md +++ b/vendor/k8s.io/mount-utils/README.md @@ -1,3 +1,8 @@ +> ⚠️ **This is an automatically published [staged repository](https://git.k8s.io/kubernetes/staging#external-repository-staging-area) for Kubernetes**. +> Contributions, including issues and pull requests, should be made to the main Kubernetes repository: [https://github.com/kubernetes/kubernetes](https://github.com/kubernetes/kubernetes). +> This repository is read-only for importing, and not used for direct contributions. +> See [CONTRIBUTING.md](./CONTRIBUTING.md) for more details. + ## Purpose This repository defines an interface to mounting filesystems to be consumed by diff --git a/vendor/k8s.io/mount-utils/mount.go b/vendor/k8s.io/mount-utils/mount.go index 0bd91ee61..1fdae6903 100644 --- a/vendor/k8s.io/mount-utils/mount.go +++ b/vendor/k8s.io/mount-utils/mount.go @@ -100,7 +100,7 @@ type MounterForceUnmounter interface { } // MountPoint represents a single line in /proc/mounts or /etc/fstab. -type MountPoint struct { // nolint: golint +type MountPoint struct { Device string Path string Type string @@ -109,7 +109,7 @@ type MountPoint struct { // nolint: golint Pass int } -type MountErrorType string // nolint: golint +type MountErrorType string const ( FilesystemMismatch MountErrorType = "FilesystemMismatch" @@ -120,7 +120,7 @@ const ( UnknownMountError MountErrorType = "UnknownMountError" ) -type MountError struct { // nolint: golint +type MountError struct { Type MountErrorType Message string } diff --git a/vendor/k8s.io/mount-utils/mount_helper_unix.go b/vendor/k8s.io/mount-utils/mount_helper_unix.go index 1c603dca7..6c74eb9ca 100644 --- a/vendor/k8s.io/mount-utils/mount_helper_unix.go +++ b/vendor/k8s.io/mount-utils/mount_helper_unix.go @@ -71,7 +71,7 @@ func IsCorruptedMnt(err error) bool { } // MountInfo represents a single line in /proc//mountinfo. -type MountInfo struct { // nolint: golint +type MountInfo struct { // Unique ID for the mount (maybe reused after umount). ID int // The ID of the parent mount (or of self for the root of this mount namespace's mount tree). diff --git a/vendor/k8s.io/utils/pointer/OWNERS b/vendor/k8s.io/utils/pointer/OWNERS deleted file mode 100644 index 0d6392752..000000000 --- a/vendor/k8s.io/utils/pointer/OWNERS +++ /dev/null @@ -1,10 +0,0 @@ -# See the OWNERS docs at https://go.k8s.io/owners - -approvers: -- apelisse -- stewart-yu -- thockin -reviewers: -- apelisse -- stewart-yu -- thockin diff --git a/vendor/k8s.io/utils/pointer/README.md b/vendor/k8s.io/utils/pointer/README.md deleted file mode 100644 index 2ca8073dc..000000000 --- a/vendor/k8s.io/utils/pointer/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# Pointer - -This package provides some functions for pointer-based operations. diff --git a/vendor/k8s.io/utils/pointer/pointer.go b/vendor/k8s.io/utils/pointer/pointer.go deleted file mode 100644 index b673a6425..000000000 --- a/vendor/k8s.io/utils/pointer/pointer.go +++ /dev/null @@ -1,249 +0,0 @@ -/* -Copyright 2018 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -// Deprecated: Use functions in k8s.io/utils/ptr instead: ptr.To to obtain -// a pointer, ptr.Deref to dereference a pointer, ptr.Equal to compare -// dereferenced pointers. -package pointer - -import ( - "time" - - "k8s.io/utils/ptr" -) - -// AllPtrFieldsNil tests whether all pointer fields in a struct are nil. This is useful when, -// for example, an API struct is handled by plugins which need to distinguish -// "no plugin accepted this spec" from "this spec is empty". -// -// This function is only valid for structs and pointers to structs. Any other -// type will cause a panic. Passing a typed nil pointer will return true. -// -// Deprecated: Use ptr.AllPtrFieldsNil instead. -var AllPtrFieldsNil = ptr.AllPtrFieldsNil - -// Int returns a pointer to an int. -var Int = ptr.To[int] - -// IntPtr is a function variable referring to Int. -// -// Deprecated: Use ptr.To instead. -var IntPtr = Int // for back-compat - -// IntDeref dereferences the int ptr and returns it if not nil, or else -// returns def. -var IntDeref = ptr.Deref[int] - -// IntPtrDerefOr is a function variable referring to IntDeref. -// -// Deprecated: Use ptr.Deref instead. -var IntPtrDerefOr = IntDeref // for back-compat - -// Int32 returns a pointer to an int32. -var Int32 = ptr.To[int32] - -// Int32Ptr is a function variable referring to Int32. -// -// Deprecated: Use ptr.To instead. -var Int32Ptr = Int32 // for back-compat - -// Int32Deref dereferences the int32 ptr and returns it if not nil, or else -// returns def. -var Int32Deref = ptr.Deref[int32] - -// Int32PtrDerefOr is a function variable referring to Int32Deref. -// -// Deprecated: Use ptr.Deref instead. -var Int32PtrDerefOr = Int32Deref // for back-compat - -// Int32Equal returns true if both arguments are nil or both arguments -// dereference to the same value. -var Int32Equal = ptr.Equal[int32] - -// Uint returns a pointer to an uint -var Uint = ptr.To[uint] - -// UintPtr is a function variable referring to Uint. -// -// Deprecated: Use ptr.To instead. -var UintPtr = Uint // for back-compat - -// UintDeref dereferences the uint ptr and returns it if not nil, or else -// returns def. -var UintDeref = ptr.Deref[uint] - -// UintPtrDerefOr is a function variable referring to UintDeref. -// -// Deprecated: Use ptr.Deref instead. -var UintPtrDerefOr = UintDeref // for back-compat - -// Uint32 returns a pointer to an uint32. -var Uint32 = ptr.To[uint32] - -// Uint32Ptr is a function variable referring to Uint32. -// -// Deprecated: Use ptr.To instead. -var Uint32Ptr = Uint32 // for back-compat - -// Uint32Deref dereferences the uint32 ptr and returns it if not nil, or else -// returns def. -var Uint32Deref = ptr.Deref[uint32] - -// Uint32PtrDerefOr is a function variable referring to Uint32Deref. -// -// Deprecated: Use ptr.Deref instead. -var Uint32PtrDerefOr = Uint32Deref // for back-compat - -// Uint32Equal returns true if both arguments are nil or both arguments -// dereference to the same value. -var Uint32Equal = ptr.Equal[uint32] - -// Int64 returns a pointer to an int64. -var Int64 = ptr.To[int64] - -// Int64Ptr is a function variable referring to Int64. -// -// Deprecated: Use ptr.To instead. -var Int64Ptr = Int64 // for back-compat - -// Int64Deref dereferences the int64 ptr and returns it if not nil, or else -// returns def. -var Int64Deref = ptr.Deref[int64] - -// Int64PtrDerefOr is a function variable referring to Int64Deref. -// -// Deprecated: Use ptr.Deref instead. -var Int64PtrDerefOr = Int64Deref // for back-compat - -// Int64Equal returns true if both arguments are nil or both arguments -// dereference to the same value. -var Int64Equal = ptr.Equal[int64] - -// Uint64 returns a pointer to an uint64. -var Uint64 = ptr.To[uint64] - -// Uint64Ptr is a function variable referring to Uint64. -// -// Deprecated: Use ptr.To instead. -var Uint64Ptr = Uint64 // for back-compat - -// Uint64Deref dereferences the uint64 ptr and returns it if not nil, or else -// returns def. -var Uint64Deref = ptr.Deref[uint64] - -// Uint64PtrDerefOr is a function variable referring to Uint64Deref. -// -// Deprecated: Use ptr.Deref instead. -var Uint64PtrDerefOr = Uint64Deref // for back-compat - -// Uint64Equal returns true if both arguments are nil or both arguments -// dereference to the same value. -var Uint64Equal = ptr.Equal[uint64] - -// Bool returns a pointer to a bool. -var Bool = ptr.To[bool] - -// BoolPtr is a function variable referring to Bool. -// -// Deprecated: Use ptr.To instead. -var BoolPtr = Bool // for back-compat - -// BoolDeref dereferences the bool ptr and returns it if not nil, or else -// returns def. -var BoolDeref = ptr.Deref[bool] - -// BoolPtrDerefOr is a function variable referring to BoolDeref. -// -// Deprecated: Use ptr.Deref instead. -var BoolPtrDerefOr = BoolDeref // for back-compat - -// BoolEqual returns true if both arguments are nil or both arguments -// dereference to the same value. -var BoolEqual = ptr.Equal[bool] - -// String returns a pointer to a string. -var String = ptr.To[string] - -// StringPtr is a function variable referring to String. -// -// Deprecated: Use ptr.To instead. -var StringPtr = String // for back-compat - -// StringDeref dereferences the string ptr and returns it if not nil, or else -// returns def. -var StringDeref = ptr.Deref[string] - -// StringPtrDerefOr is a function variable referring to StringDeref. -// -// Deprecated: Use ptr.Deref instead. -var StringPtrDerefOr = StringDeref // for back-compat - -// StringEqual returns true if both arguments are nil or both arguments -// dereference to the same value. -var StringEqual = ptr.Equal[string] - -// Float32 returns a pointer to a float32. -var Float32 = ptr.To[float32] - -// Float32Ptr is a function variable referring to Float32. -// -// Deprecated: Use ptr.To instead. -var Float32Ptr = Float32 - -// Float32Deref dereferences the float32 ptr and returns it if not nil, or else -// returns def. -var Float32Deref = ptr.Deref[float32] - -// Float32PtrDerefOr is a function variable referring to Float32Deref. -// -// Deprecated: Use ptr.Deref instead. -var Float32PtrDerefOr = Float32Deref // for back-compat - -// Float32Equal returns true if both arguments are nil or both arguments -// dereference to the same value. -var Float32Equal = ptr.Equal[float32] - -// Float64 returns a pointer to a float64. -var Float64 = ptr.To[float64] - -// Float64Ptr is a function variable referring to Float64. -// -// Deprecated: Use ptr.To instead. -var Float64Ptr = Float64 - -// Float64Deref dereferences the float64 ptr and returns it if not nil, or else -// returns def. -var Float64Deref = ptr.Deref[float64] - -// Float64PtrDerefOr is a function variable referring to Float64Deref. -// -// Deprecated: Use ptr.Deref instead. -var Float64PtrDerefOr = Float64Deref // for back-compat - -// Float64Equal returns true if both arguments are nil or both arguments -// dereference to the same value. -var Float64Equal = ptr.Equal[float64] - -// Duration returns a pointer to a time.Duration. -var Duration = ptr.To[time.Duration] - -// DurationDeref dereferences the time.Duration ptr and returns it if not nil, or else -// returns def. -var DurationDeref = ptr.Deref[time.Duration] - -// DurationEqual returns true if both arguments are nil or both arguments -// dereference to the same value. -var DurationEqual = ptr.Equal[time.Duration] diff --git a/vendor/modules.txt b/vendor/modules.txt index 3b3cc7997..ec2060391 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -46,9 +46,10 @@ github.com/evanphx/json-patch/v5/internal/json # github.com/felixge/httpsnoop v1.0.4 ## explicit; go 1.13 github.com/felixge/httpsnoop -# github.com/fsnotify/fsnotify v1.7.0 +# github.com/fsnotify/fsnotify v1.9.0 ## explicit; go 1.17 github.com/fsnotify/fsnotify +github.com/fsnotify/fsnotify/internal # github.com/fxamacker/cbor/v2 v2.9.0 ## explicit; go 1.20 github.com/fxamacker/cbor/v2 @@ -84,8 +85,8 @@ github.com/gogo/protobuf/sortkeys # github.com/google/btree v1.1.3 ## explicit; go 1.18 github.com/google/btree -# github.com/google/cel-go v0.23.2 -## explicit; go 1.21.1 +# github.com/google/cel-go v0.26.0 +## explicit; go 1.22.0 github.com/google/cel-go/cel github.com/google/cel-go/checker github.com/google/cel-go/checker/decls @@ -94,6 +95,7 @@ github.com/google/cel-go/common/ast github.com/google/cel-go/common/containers github.com/google/cel-go/common/debug github.com/google/cel-go/common/decls +github.com/google/cel-go/common/env github.com/google/cel-go/common/functions github.com/google/cel-go/common/operators github.com/google/cel-go/common/overloads @@ -254,8 +256,8 @@ github.com/x448/float16 ## explicit; go 1.24.0 go.opentelemetry.io/auto/sdk go.opentelemetry.io/auto/sdk/internal/telemetry -# go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.58.0 -## explicit; go 1.22.7 +# go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 +## explicit; go 1.22.0 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/internal # go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 @@ -562,7 +564,7 @@ gopkg.in/inf.v0 # gopkg.in/yaml.v3 v3.0.1 ## explicit gopkg.in/yaml.v3 -# k8s.io/api v0.34.1 +# k8s.io/api v0.34.2 ## explicit; go 1.24.0 k8s.io/api/admission/v1 k8s.io/api/admission/v1beta1 @@ -624,7 +626,7 @@ k8s.io/api/storage/v1 k8s.io/api/storage/v1alpha1 k8s.io/api/storage/v1beta1 k8s.io/api/storagemigration/v1alpha1 -# k8s.io/apiextensions-apiserver v0.33.1 +# k8s.io/apiextensions-apiserver v0.34.1 ## explicit; go 1.24.0 k8s.io/apiextensions-apiserver/pkg/apis/apiextensions k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 @@ -635,7 +637,7 @@ k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/scheme k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1 k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1beta1 -# k8s.io/apimachinery v0.34.1 +# k8s.io/apimachinery v0.34.2 ## explicit; go 1.24.0 k8s.io/apimachinery/pkg/api/equality k8s.io/apimachinery/pkg/api/errors @@ -703,7 +705,7 @@ k8s.io/apimachinery/pkg/version k8s.io/apimachinery/pkg/watch k8s.io/apimachinery/third_party/forked/golang/json k8s.io/apimachinery/third_party/forked/golang/reflect -# k8s.io/apiserver v0.33.1 +# k8s.io/apiserver v0.34.1 ## explicit; go 1.24.0 k8s.io/apiserver/pkg/apis/apiserver k8s.io/apiserver/pkg/apis/apiserver/install @@ -748,7 +750,7 @@ k8s.io/apiserver/pkg/warning k8s.io/apiserver/plugin/pkg/authenticator/token/webhook k8s.io/apiserver/plugin/pkg/authorizer/webhook k8s.io/apiserver/plugin/pkg/authorizer/webhook/metrics -# k8s.io/client-go v0.34.1 +# k8s.io/client-go v0.34.2 ## explicit; go 1.24.0 k8s.io/client-go/applyconfigurations k8s.io/client-go/applyconfigurations/admissionregistration/v1 @@ -1101,6 +1103,7 @@ k8s.io/component-base/metrics/prometheusextension k8s.io/component-base/tracing k8s.io/component-base/tracing/api/v1 k8s.io/component-base/version +k8s.io/component-base/zpages/features # k8s.io/klog/v2 v2.130.1 ## explicit; go 1.18 k8s.io/klog/v2 @@ -1125,7 +1128,7 @@ k8s.io/kube-openapi/pkg/validation/errors k8s.io/kube-openapi/pkg/validation/spec k8s.io/kube-openapi/pkg/validation/strfmt k8s.io/kube-openapi/pkg/validation/strfmt/bson -# k8s.io/mount-utils v0.33.3 +# k8s.io/mount-utils v0.34.2 ## explicit; go 1.24.0 k8s.io/mount-utils # k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 @@ -1140,7 +1143,6 @@ k8s.io/utils/keymutex k8s.io/utils/lru k8s.io/utils/net k8s.io/utils/path -k8s.io/utils/pointer k8s.io/utils/ptr k8s.io/utils/trace # sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 @@ -1149,7 +1151,7 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client/metrics sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/common/metrics sigs.k8s.io/apiserver-network-proxy/konnectivity-client/proto/client -# sigs.k8s.io/controller-runtime v0.21.0 +# sigs.k8s.io/controller-runtime v0.22.4 ## explicit; go 1.24.0 sigs.k8s.io/controller-runtime sigs.k8s.io/controller-runtime/pkg/builder @@ -1204,6 +1206,7 @@ sigs.k8s.io/controller-runtime/pkg/webhook sigs.k8s.io/controller-runtime/pkg/webhook/admission sigs.k8s.io/controller-runtime/pkg/webhook/admission/metrics sigs.k8s.io/controller-runtime/pkg/webhook/conversion +sigs.k8s.io/controller-runtime/pkg/webhook/conversion/metrics sigs.k8s.io/controller-runtime/pkg/webhook/internal/metrics # sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 ## explicit; go 1.23 diff --git a/vendor/sigs.k8s.io/controller-runtime/.golangci.yml b/vendor/sigs.k8s.io/controller-runtime/.golangci.yml index 7390d2024..1741432a0 100644 --- a/vendor/sigs.k8s.io/controller-runtime/.golangci.yml +++ b/vendor/sigs.k8s.io/controller-runtime/.golangci.yml @@ -17,6 +17,7 @@ linters: - errchkjson - errorlint - exhaustive + - forbidigo - ginkgolinter - goconst - gocritic @@ -39,6 +40,12 @@ linters: - unused - whitespace settings: + forbidigo: + forbid: + - pattern: context.Background + msg: Use ginkgos SpecContext or go testings t.Context instead + - pattern: context.TODO + msg: Use ginkgos SpecContext or go testings t.Context instead govet: disable: - fieldalignment @@ -94,6 +101,9 @@ linters: - zz_generated.*\.go$ - .*conversion.*\.go$ rules: + - linters: + - forbidigo + path-except: _test\.go - linters: - gosec text: 'G108: Profiling endpoint is automatically exposed on /debug/pprof' diff --git a/vendor/sigs.k8s.io/controller-runtime/OWNERS_ALIASES b/vendor/sigs.k8s.io/controller-runtime/OWNERS_ALIASES index 5f5b2b66d..47bf6eedf 100644 --- a/vendor/sigs.k8s.io/controller-runtime/OWNERS_ALIASES +++ b/vendor/sigs.k8s.io/controller-runtime/OWNERS_ALIASES @@ -4,8 +4,10 @@ aliases: # active folks who can be contacted to perform admin-related # tasks on the repo, or otherwise approve any PRS. controller-runtime-admins: - - vincepri + - alvaroaleman - joelanford + - sbueringer + - vincepri # non-admin folks who have write-access and can approve any PRs in the repo controller-runtime-maintainers: diff --git a/vendor/sigs.k8s.io/controller-runtime/README.md b/vendor/sigs.k8s.io/controller-runtime/README.md index 20f7fd817..54bacad42 100644 --- a/vendor/sigs.k8s.io/controller-runtime/README.md +++ b/vendor/sigs.k8s.io/controller-runtime/README.md @@ -25,9 +25,9 @@ The full documentation can be found at [VERSIONING.md](VERSIONING.md), but TL;DR Users: -- We follow [Semantic Versioning (semver)](https://semver.org) -- Use releases with your dependency management to ensure that you get compatible code -- The main branch contains all the latest code, some of which may break compatibility (so "normal" `go get` is not recommended) +- We stick to a zero major version +- We publish a minor version for each Kubernetes minor release and allow breaking changes between minor versions +- We publish patch versions as needed and we don't allow breaking changes in them Contributors: diff --git a/vendor/sigs.k8s.io/controller-runtime/VERSIONING.md b/vendor/sigs.k8s.io/controller-runtime/VERSIONING.md index 2c0f2f9b2..7ad6b142c 100644 --- a/vendor/sigs.k8s.io/controller-runtime/VERSIONING.md +++ b/vendor/sigs.k8s.io/controller-runtime/VERSIONING.md @@ -7,6 +7,16 @@ For the purposes of the aforementioned guidelines, controller-runtime counts as a "library project", but otherwise follows the guidelines exactly. +We stick to a major version of zero and create a minor version for +each Kubernetes minor version and we allow breaking changes in our +minor versions. We create patch releases as needed and don't allow +breaking changes in them. + +Publishing a non-zero major version is pointless for us, as the k8s.io/* +libraries we heavily depend on do breaking changes but use the same +versioning scheme as described above. Consequently, a project can only +ever depend on one controller-runtime version. + [guidelines]: https://sigs.k8s.io/kubebuilder-release-tools/VERSIONING.md ## Compatibility and Release Support diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/builder/webhook.go b/vendor/sigs.k8s.io/controller-runtime/pkg/builder/webhook.go index 8ec6d58fd..6263f030a 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/builder/webhook.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/builder/webhook.go @@ -98,6 +98,7 @@ func (blder *WebhookBuilder) RecoverPanic(recoverPanic bool) *WebhookBuilder { } // WithCustomPath overrides the webhook's default path by the customPath +// // Deprecated: WithCustomPath should not be used anymore. // Please use WithValidatorCustomPath or WithDefaulterCustomPath instead. func (blder *WebhookBuilder) WithCustomPath(customPath string) *WebhookBuilder { diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/cache/cache.go b/vendor/sigs.k8s.io/controller-runtime/pkg/cache/cache.go index 648d0d75b..a94ec6cc3 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/cache/cache.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/cache/cache.go @@ -172,6 +172,15 @@ type Options struct { // is "done" with an object, and would otherwise not requeue it, i.e., we // recommend the `Reconcile` function return `reconcile.Result{RequeueAfter: t}`, // instead of `reconcile.Result{}`. + // + // SyncPeriod will locally trigger an artificial Update event with the same + // object in both ObjectOld and ObjectNew for everything that is in the + // cache. + // + // Predicates or Handlers that expect ObjectOld and ObjectNew to be different + // (such as GenerationChangedPredicate) will filter out this event, preventing + // it from triggering a reconciliation. + // SyncPeriod does not sync between the local cache and the server. SyncPeriod *time.Duration // ReaderFailOnMissingInformer configures the cache to return a ErrResourceNotCached error when a user @@ -299,6 +308,42 @@ type ByObject struct { // // Defaults to true. EnableWatchBookmarks *bool + + // SyncPeriod determines the minimum frequency at which watched resources are + // reconciled. A lower period will correct entropy more quickly, but reduce + // responsiveness to change if there are many watched resources. Change this + // value only if you know what you are doing. Defaults to 10 hours if unset. + // there will a 10 percent jitter between the SyncPeriod of all controllers + // so that all controllers will not send list requests simultaneously. + // + // This applies to all controllers. + // + // A period sync happens for two reasons: + // 1. To insure against a bug in the controller that causes an object to not + // be requeued, when it otherwise should be requeued. + // 2. To insure against an unknown bug in controller-runtime, or its dependencies, + // that causes an object to not be requeued, when it otherwise should be + // requeued, or to be removed from the queue, when it otherwise should not + // be removed. + // + // If you want + // 1. to insure against missed watch events, or + // 2. to poll services that cannot be watched, + // then we recommend that, instead of changing the default period, the + // controller requeue, with a constant duration `t`, whenever the controller + // is "done" with an object, and would otherwise not requeue it, i.e., we + // recommend the `Reconcile` function return `reconcile.Result{RequeueAfter: t}`, + // instead of `reconcile.Result{}`. + // + // SyncPeriod will locally trigger an artificial Update event with the same + // object in both ObjectOld and ObjectNew for everything that is in the + // cache. + // + // Predicates or Handlers that expect ObjectOld and ObjectNew to be different + // (such as GenerationChangedPredicate) will filter out this event, preventing + // it from triggering a reconciliation. + // SyncPeriod does not sync between the local cache and the server. + SyncPeriod *time.Duration } // Config describes all potential options for a given watch. @@ -334,6 +379,42 @@ type Config struct { // // Defaults to true. EnableWatchBookmarks *bool + + // SyncPeriod determines the minimum frequency at which watched resources are + // reconciled. A lower period will correct entropy more quickly, but reduce + // responsiveness to change if there are many watched resources. Change this + // value only if you know what you are doing. Defaults to 10 hours if unset. + // there will a 10 percent jitter between the SyncPeriod of all controllers + // so that all controllers will not send list requests simultaneously. + // + // This applies to all controllers. + // + // A period sync happens for two reasons: + // 1. To insure against a bug in the controller that causes an object to not + // be requeued, when it otherwise should be requeued. + // 2. To insure against an unknown bug in controller-runtime, or its dependencies, + // that causes an object to not be requeued, when it otherwise should be + // requeued, or to be removed from the queue, when it otherwise should not + // be removed. + // + // If you want + // 1. to insure against missed watch events, or + // 2. to poll services that cannot be watched, + // then we recommend that, instead of changing the default period, the + // controller requeue, with a constant duration `t`, whenever the controller + // is "done" with an object, and would otherwise not requeue it, i.e., we + // recommend the `Reconcile` function return `reconcile.Result{RequeueAfter: t}`, + // instead of `reconcile.Result{}`. + // + // SyncPeriod will locally trigger an artificial Update event with the same + // object in both ObjectOld and ObjectNew for everything that is in the + // cache. + // + // Predicates or Handlers that expect ObjectOld and ObjectNew to be different + // (such as GenerationChangedPredicate) will filter out this event, preventing + // it from triggering a reconciliation. + // SyncPeriod does not sync between the local cache and the server. + SyncPeriod *time.Duration } // NewCacheFunc - Function for creating a new cache from the options and a rest config. @@ -404,6 +485,7 @@ func optionDefaultsToConfig(opts *Options) Config { Transform: opts.DefaultTransform, UnsafeDisableDeepCopy: opts.DefaultUnsafeDisableDeepCopy, EnableWatchBookmarks: opts.DefaultEnableWatchBookmarks, + SyncPeriod: opts.SyncPeriod, } } @@ -414,6 +496,7 @@ func byObjectToConfig(byObject ByObject) Config { Transform: byObject.Transform, UnsafeDisableDeepCopy: byObject.UnsafeDisableDeepCopy, EnableWatchBookmarks: byObject.EnableWatchBookmarks, + SyncPeriod: byObject.SyncPeriod, } } @@ -427,7 +510,7 @@ func newCache(restConfig *rest.Config, opts Options) newCacheFunc { HTTPClient: opts.HTTPClient, Scheme: opts.Scheme, Mapper: opts.Mapper, - ResyncPeriod: *opts.SyncPeriod, + ResyncPeriod: ptr.Deref(config.SyncPeriod, defaultSyncPeriod), Namespace: namespace, Selector: internal.Selector{ Label: config.LabelSelector, @@ -525,6 +608,7 @@ func defaultOpts(config *rest.Config, opts Options) (Options, error) { byObject.Transform = defaultedConfig.Transform byObject.UnsafeDisableDeepCopy = defaultedConfig.UnsafeDisableDeepCopy byObject.EnableWatchBookmarks = defaultedConfig.EnableWatchBookmarks + byObject.SyncPeriod = defaultedConfig.SyncPeriod } opts.ByObject[obj] = byObject @@ -546,10 +630,6 @@ func defaultOpts(config *rest.Config, opts Options) (Options, error) { opts.DefaultNamespaces[namespace] = cfg } - // Default the resync period to 10 hours if unset - if opts.SyncPeriod == nil { - opts.SyncPeriod = &defaultSyncPeriod - } return opts, nil } @@ -569,6 +649,9 @@ func defaultConfig(toDefault, defaultFrom Config) Config { if toDefault.EnableWatchBookmarks == nil { toDefault.EnableWatchBookmarks = defaultFrom.EnableWatchBookmarks } + if toDefault.SyncPeriod == nil { + toDefault.SyncPeriod = defaultFrom.SyncPeriod + } return toDefault } diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/cache/internal/cache_reader.go b/vendor/sigs.k8s.io/controller-runtime/pkg/cache/internal/cache_reader.go index 33ce8a830..eb6b54485 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/cache/internal/cache_reader.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/cache/internal/cache_reader.go @@ -54,7 +54,10 @@ type CacheReader struct { } // Get checks the indexer for the object and writes a copy of it if found. -func (c *CacheReader) Get(_ context.Context, key client.ObjectKey, out client.Object, _ ...client.GetOption) error { +func (c *CacheReader) Get(_ context.Context, key client.ObjectKey, out client.Object, opts ...client.GetOption) error { + getOpts := client.GetOptions{} + getOpts.ApplyOptions(opts) + if c.scopeName == apimeta.RESTScopeNameRoot { key.Namespace = "" } @@ -81,7 +84,7 @@ func (c *CacheReader) Get(_ context.Context, key client.ObjectKey, out client.Ob return fmt.Errorf("cache contained %T, which is not an Object", obj) } - if c.disableDeepCopy { + if c.disableDeepCopy || (getOpts.UnsafeDisableDeepCopy != nil && *getOpts.UnsafeDisableDeepCopy) { // skip deep copy which might be unsafe // you must DeepCopy any object before mutating it outside } else { @@ -97,7 +100,7 @@ func (c *CacheReader) Get(_ context.Context, key client.ObjectKey, out client.Ob return fmt.Errorf("cache had type %s, but %s was asked for", objVal.Type(), outVal.Type()) } reflect.Indirect(outVal).Set(reflect.Indirect(objVal)) - if !c.disableDeepCopy { + if !c.disableDeepCopy && (getOpts.UnsafeDisableDeepCopy == nil || !*getOpts.UnsafeDisableDeepCopy) { out.GetObjectKind().SetGroupVersionKind(c.groupVersionKind) } diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go b/vendor/sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go index 4bf832b2d..f216be0d9 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go @@ -518,7 +518,7 @@ func (ip *Informers) makeListWatcher(gvk schema.GroupVersionKind, obj runtime.Ob // Structured. // default: - client, err := apiutil.RESTClientForGVK(gvk, false, ip.config, ip.codecs, ip.httpClient) + client, err := apiutil.RESTClientForGVK(gvk, false, false, ip.config, ip.codecs, ip.httpClient) if err != nil { return nil, err } diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/certwatcher/certwatcher.go b/vendor/sigs.k8s.io/controller-runtime/pkg/certwatcher/certwatcher.go index c32324098..2362d020b 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/certwatcher/certwatcher.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/certwatcher/certwatcher.go @@ -26,6 +26,7 @@ import ( "time" "github.com/fsnotify/fsnotify" + "github.com/go-logr/logr" kerrors "k8s.io/apimachinery/pkg/util/errors" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/wait" @@ -47,6 +48,7 @@ type CertWatcher struct { currentCert *tls.Certificate watcher *fsnotify.Watcher interval time.Duration + log logr.Logger certPath string keyPath string @@ -65,6 +67,7 @@ func New(certPath, keyPath string) (*CertWatcher, error) { certPath: certPath, keyPath: keyPath, interval: defaultWatchInterval, + log: log.WithValues("cert", certPath, "key", keyPath), } // Initial read of certificate and key. @@ -130,14 +133,14 @@ func (cw *CertWatcher) Start(ctx context.Context) error { ticker := time.NewTicker(cw.interval) defer ticker.Stop() - log.Info("Starting certificate poll+watcher", "interval", cw.interval) + cw.log.Info("Starting certificate poll+watcher", "interval", cw.interval) for { select { case <-ctx.Done(): return cw.watcher.Close() case <-ticker.C: if err := cw.ReadCertificate(); err != nil { - log.Error(err, "failed read certificate") + cw.log.Error(err, "failed read certificate") } } } @@ -160,7 +163,7 @@ func (cw *CertWatcher) Watch() { return } - log.Error(err, "certificate watch error") + cw.log.Error(err, "certificate watch error") } } } @@ -174,7 +177,7 @@ func (cw *CertWatcher) updateCachedCertificate(cert *tls.Certificate, keyPEMBloc if cw.currentCert != nil && bytes.Equal(cw.currentCert.Certificate[0], cert.Certificate[0]) && bytes.Equal(cw.cachedKeyPEMBlock, keyPEMBlock) { - log.V(7).Info("certificate already cached") + cw.log.V(7).Info("certificate already cached") return false } cw.currentCert = cert @@ -208,7 +211,7 @@ func (cw *CertWatcher) ReadCertificate() error { return nil } - log.Info("Updated current TLS certificate") + cw.log.Info("Updated current TLS certificate") // If a callback is registered, invoke it with the new certificate. cw.RLock() @@ -229,14 +232,20 @@ func (cw *CertWatcher) handleEvent(event fsnotify.Event) { case event.Op.Has(fsnotify.Chmod), event.Op.Has(fsnotify.Remove): // If the file was removed or renamed, re-add the watch to the previous name if err := cw.watcher.Add(event.Name); err != nil { - log.Error(err, "error re-watching file") + cw.log.Error(err, "error re-watching file") } default: return } - log.V(1).Info("certificate event", "event", event) + cw.log.V(1).Info("certificate event", "event", event) if err := cw.ReadCertificate(); err != nil { - log.Error(err, "error re-reading certificate") + cw.log.Error(err, "error re-reading certificate") } } + +// NeedLeaderElection indicates that the cert-manager +// does not need leader election. +func (cw *CertWatcher) NeedLeaderElection() bool { + return false +} diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/client/apiutil/apimachinery.go b/vendor/sigs.k8s.io/controller-runtime/pkg/client/apiutil/apimachinery.go index 1d4ce264c..b132cb2d4 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/client/apiutil/apimachinery.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/client/apiutil/apimachinery.go @@ -161,15 +161,27 @@ func GVKForObject(obj runtime.Object, scheme *runtime.Scheme) (schema.GroupVersi // RESTClientForGVK constructs a new rest.Interface capable of accessing the resource associated // with the given GroupVersionKind. The REST client will be configured to use the negotiated serializer from // baseConfig, if set, otherwise a default serializer will be set. -func RESTClientForGVK(gvk schema.GroupVersionKind, isUnstructured bool, baseConfig *rest.Config, codecs serializer.CodecFactory, httpClient *http.Client) (rest.Interface, error) { +func RESTClientForGVK( + gvk schema.GroupVersionKind, + forceDisableProtoBuf bool, + isUnstructured bool, + baseConfig *rest.Config, + codecs serializer.CodecFactory, + httpClient *http.Client, +) (rest.Interface, error) { if httpClient == nil { return nil, fmt.Errorf("httpClient must not be nil, consider using rest.HTTPClientFor(c) to create a client") } - return rest.RESTClientForConfigAndClient(createRestConfig(gvk, isUnstructured, baseConfig, codecs), httpClient) + return rest.RESTClientForConfigAndClient(createRestConfig(gvk, forceDisableProtoBuf, isUnstructured, baseConfig, codecs), httpClient) } // createRestConfig copies the base config and updates needed fields for a new rest config. -func createRestConfig(gvk schema.GroupVersionKind, isUnstructured bool, baseConfig *rest.Config, codecs serializer.CodecFactory) *rest.Config { +func createRestConfig(gvk schema.GroupVersionKind, + forceDisableProtoBuf bool, + isUnstructured bool, + baseConfig *rest.Config, + codecs serializer.CodecFactory, +) *rest.Config { gv := gvk.GroupVersion() cfg := rest.CopyConfig(baseConfig) @@ -183,7 +195,7 @@ func createRestConfig(gvk schema.GroupVersionKind, isUnstructured bool, baseConf cfg.UserAgent = rest.DefaultKubernetesUserAgent() } // TODO(FillZpp): In the long run, we want to check discovery or something to make sure that this is actually true. - if cfg.ContentType == "" && !isUnstructured { + if cfg.ContentType == "" && !forceDisableProtoBuf { protobufSchemeLock.RLock() if protobufScheme.Recognizes(gvk) { cfg.ContentType = runtime.ContentTypeProtobuf diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/client/applyconfigurations.go b/vendor/sigs.k8s.io/controller-runtime/pkg/client/applyconfigurations.go new file mode 100644 index 000000000..97192050f --- /dev/null +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/client/applyconfigurations.go @@ -0,0 +1,75 @@ +/* +Copyright 2025 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package client + +import ( + "fmt" + + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/utils/ptr" +) + +type unstructuredApplyConfiguration struct { + *unstructured.Unstructured +} + +func (u *unstructuredApplyConfiguration) IsApplyConfiguration() {} + +// ApplyConfigurationFromUnstructured creates a runtime.ApplyConfiguration from an *unstructured.Unstructured object. +// +// Do not use Unstructured objects here that were generated from API objects, as its impossible to tell +// if a zero value was explicitly set. +func ApplyConfigurationFromUnstructured(u *unstructured.Unstructured) runtime.ApplyConfiguration { + return &unstructuredApplyConfiguration{Unstructured: u} +} + +type applyconfigurationRuntimeObject struct { + runtime.ApplyConfiguration +} + +func (a *applyconfigurationRuntimeObject) GetObjectKind() schema.ObjectKind { + return a +} + +func (a *applyconfigurationRuntimeObject) GroupVersionKind() schema.GroupVersionKind { + return schema.GroupVersionKind{} +} + +func (a *applyconfigurationRuntimeObject) SetGroupVersionKind(gvk schema.GroupVersionKind) {} + +func (a *applyconfigurationRuntimeObject) DeepCopyObject() runtime.Object { + panic("applyconfigurationRuntimeObject does not support DeepCopyObject") +} + +func runtimeObjectFromApplyConfiguration(ac runtime.ApplyConfiguration) runtime.Object { + return &applyconfigurationRuntimeObject{ApplyConfiguration: ac} +} + +func gvkFromApplyConfiguration(ac applyConfiguration) (schema.GroupVersionKind, error) { + var gvk schema.GroupVersionKind + gv, err := schema.ParseGroupVersion(ptr.Deref(ac.GetAPIVersion(), "")) + if err != nil { + return gvk, fmt.Errorf("failed to parse %q as GroupVersion: %w", ptr.Deref(ac.GetAPIVersion(), ""), err) + } + gvk.Group = gv.Group + gvk.Version = gv.Version + gvk.Kind = ptr.Deref(ac.GetKind(), "") + + return gvk, nil +} diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/client/client.go b/vendor/sigs.k8s.io/controller-runtime/pkg/client/client.go index 50b0ebf33..e9f731453 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/client/client.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/client/client.go @@ -151,8 +151,7 @@ func newClient(config *rest.Config, options Options) (*client, error) { mapper: options.Mapper, codecs: serializer.NewCodecFactory(options.Scheme), - structuredResourceByType: make(map[schema.GroupVersionKind]*resourceMeta), - unstructuredResourceByType: make(map[schema.GroupVersionKind]*resourceMeta), + resourceByType: make(map[cacheKey]*resourceMeta), } rawMetaClient, err := metadata.NewForConfigAndClient(metadata.ConfigFor(config), options.HTTPClient) @@ -329,6 +328,16 @@ func (c *client) Patch(ctx context.Context, obj Object, patch Patch, opts ...Pat } } +func (c *client) Apply(ctx context.Context, obj runtime.ApplyConfiguration, opts ...ApplyOption) error { + switch obj := obj.(type) { + case *unstructuredApplyConfiguration: + defer c.resetGroupVersionKind(obj, obj.GetObjectKind().GroupVersionKind()) + return c.unstructuredClient.Apply(ctx, obj, opts...) + default: + return c.typedClient.Apply(ctx, obj, opts...) + } +} + // Get implements client.Client. func (c *client) Get(ctx context.Context, key ObjectKey, obj Object, opts ...GetOption) error { if isUncached, err := c.shouldBypassCache(obj); err != nil { diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/client/client_rest_resources.go b/vendor/sigs.k8s.io/controller-runtime/pkg/client/client_rest_resources.go index 2d0787952..d75d685cb 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/client/client_rest_resources.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/client/client_rest_resources.go @@ -17,16 +17,17 @@ limitations under the License. package client import ( + "fmt" "net/http" "strings" "sync" "k8s.io/apimachinery/pkg/api/meta" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/runtime/serializer" "k8s.io/client-go/rest" + "k8s.io/utils/ptr" "sigs.k8s.io/controller-runtime/pkg/client/apiutil" ) @@ -47,22 +48,30 @@ type clientRestResources struct { // codecs are used to create a REST client for a gvk codecs serializer.CodecFactory - // structuredResourceByType stores structured type metadata - structuredResourceByType map[schema.GroupVersionKind]*resourceMeta - // unstructuredResourceByType stores unstructured type metadata - unstructuredResourceByType map[schema.GroupVersionKind]*resourceMeta - mu sync.RWMutex + // resourceByType stores type metadata + resourceByType map[cacheKey]*resourceMeta + + mu sync.RWMutex +} + +type cacheKey struct { + gvk schema.GroupVersionKind + forceDisableProtoBuf bool } // newResource maps obj to a Kubernetes Resource and constructs a client for that Resource. // If the object is a list, the resource represents the item's type instead. -func (c *clientRestResources) newResource(gvk schema.GroupVersionKind, isList, isUnstructured bool) (*resourceMeta, error) { +func (c *clientRestResources) newResource(gvk schema.GroupVersionKind, + isList bool, + forceDisableProtoBuf bool, + isUnstructured bool, +) (*resourceMeta, error) { if strings.HasSuffix(gvk.Kind, "List") && isList { // if this was a list, treat it as a request for the item's resource gvk.Kind = gvk.Kind[:len(gvk.Kind)-4] } - client, err := apiutil.RESTClientForGVK(gvk, isUnstructured, c.config, c.codecs, c.httpClient) + client, err := apiutil.RESTClientForGVK(gvk, forceDisableProtoBuf, isUnstructured, c.config, c.codecs, c.httpClient) if err != nil { return nil, err } @@ -73,52 +82,96 @@ func (c *clientRestResources) newResource(gvk schema.GroupVersionKind, isList, i return &resourceMeta{Interface: client, mapping: mapping, gvk: gvk}, nil } +type applyConfiguration interface { + GetName() *string + GetNamespace() *string + GetKind() *string + GetAPIVersion() *string +} + // getResource returns the resource meta information for the given type of object. // If the object is a list, the resource represents the item's type instead. -func (c *clientRestResources) getResource(obj runtime.Object) (*resourceMeta, error) { - gvk, err := apiutil.GVKForObject(obj, c.scheme) - if err != nil { - return nil, err +func (c *clientRestResources) getResource(obj any) (*resourceMeta, error) { + var gvk schema.GroupVersionKind + var err error + var isApplyConfiguration bool + switch o := obj.(type) { + case runtime.Object: + gvk, err = apiutil.GVKForObject(o, c.scheme) + if err != nil { + return nil, err + } + case runtime.ApplyConfiguration: + ac, ok := o.(applyConfiguration) + if !ok { + return nil, fmt.Errorf("%T is a runtime.ApplyConfiguration but not an applyConfiguration", o) + } + gvk, err = gvkFromApplyConfiguration(ac) + if err != nil { + return nil, err + } + isApplyConfiguration = true + default: + return nil, fmt.Errorf("bug: %T is neither a runtime.Object nor a runtime.ApplyConfiguration", o) } _, isUnstructured := obj.(runtime.Unstructured) + forceDisableProtoBuf := isUnstructured || isApplyConfiguration // It's better to do creation work twice than to not let multiple // people make requests at once c.mu.RLock() - resourceByType := c.structuredResourceByType - if isUnstructured { - resourceByType = c.unstructuredResourceByType - } - r, known := resourceByType[gvk] + + cacheKey := cacheKey{gvk: gvk, forceDisableProtoBuf: forceDisableProtoBuf} + + r, known := c.resourceByType[cacheKey] + c.mu.RUnlock() if known { return r, nil } + var isList bool + if runtimeObject, ok := obj.(runtime.Object); ok && meta.IsListType(runtimeObject) { + isList = true + } + // Initialize a new Client c.mu.Lock() defer c.mu.Unlock() - r, err = c.newResource(gvk, meta.IsListType(obj), isUnstructured) + r, err = c.newResource(gvk, isList, forceDisableProtoBuf, isUnstructured) if err != nil { return nil, err } - resourceByType[gvk] = r + c.resourceByType[cacheKey] = r return r, err } // getObjMeta returns objMeta containing both type and object metadata and state. -func (c *clientRestResources) getObjMeta(obj runtime.Object) (*objMeta, error) { +func (c *clientRestResources) getObjMeta(obj any) (*objMeta, error) { r, err := c.getResource(obj) if err != nil { return nil, err } - m, err := meta.Accessor(obj) - if err != nil { - return nil, err + objMeta := &objMeta{resourceMeta: r} + + switch o := obj.(type) { + case runtime.Object: + m, err := meta.Accessor(obj) + if err != nil { + return nil, err + } + objMeta.namespace = m.GetNamespace() + objMeta.name = m.GetName() + case applyConfiguration: + objMeta.namespace = ptr.Deref(o.GetNamespace(), "") + objMeta.name = ptr.Deref(o.GetName(), "") + default: + return nil, fmt.Errorf("object %T is neither a runtime.Object nor a runtime.ApplyConfiguration", obj) } - return &objMeta{resourceMeta: r, Object: m}, err + + return objMeta, nil } // resourceMeta stores state for a Kubernetes type. @@ -146,6 +199,6 @@ type objMeta struct { // resourceMeta contains type information for the object *resourceMeta - // Object contains meta data for the object instance - metav1.Object + namespace string + name string } diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/client/dryrun.go b/vendor/sigs.k8s.io/controller-runtime/pkg/client/dryrun.go index bbcdd3832..a185860d3 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/client/dryrun.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/client/dryrun.go @@ -82,6 +82,10 @@ func (c *dryRunClient) Patch(ctx context.Context, obj Object, patch Patch, opts return c.client.Patch(ctx, obj, patch, append(opts, DryRunAll)...) } +func (c *dryRunClient) Apply(ctx context.Context, obj runtime.ApplyConfiguration, opts ...ApplyOption) error { + return c.client.Apply(ctx, obj, append(opts, DryRunAll)...) +} + // Get implements client.Client. func (c *dryRunClient) Get(ctx context.Context, key ObjectKey, obj Object, opts ...GetOption) error { return c.client.Get(ctx, key, obj, opts...) diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/client/fake/client.go b/vendor/sigs.k8s.io/controller-runtime/pkg/client/fake/client.go index 16e2cba51..f88a44edd 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/client/fake/client.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/client/fake/client.go @@ -41,6 +41,7 @@ import ( https://github.com/kubernetes/kubernetes/pull/120326 (v5.6.0+incompatible missing a critical fix) */ + jsonpatch "gopkg.in/evanphx/json-patch.v4" appsv1 "k8s.io/api/apps/v1" authenticationv1 "k8s.io/api/authentication/v1" @@ -52,17 +53,21 @@ import ( "k8s.io/apimachinery/pkg/api/meta" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/apis/meta/v1/validation" "k8s.io/apimachinery/pkg/fields" "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/apimachinery/pkg/runtime/serializer" "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/json" + "k8s.io/apimachinery/pkg/util/managedfields" utilrand "k8s.io/apimachinery/pkg/util/rand" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/strategicpatch" "k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apimachinery/pkg/watch" + clientgoapplyconfigurations "k8s.io/client-go/applyconfigurations" "k8s.io/client-go/kubernetes/scheme" "k8s.io/client-go/testing" "k8s.io/utils/ptr" @@ -76,8 +81,9 @@ import ( type versionedTracker struct { testing.ObjectTracker - scheme *runtime.Scheme - withStatusSubresource sets.Set[schema.GroupVersionKind] + scheme *runtime.Scheme + withStatusSubresource sets.Set[schema.GroupVersionKind] + usesFieldManagedObjectTracker bool } type fakeClient struct { @@ -98,6 +104,8 @@ type fakeClient struct { indexes map[schema.GroupVersionKind]map[string]client.IndexerFunc // indexesLock must be held when accessing indexes. indexesLock sync.RWMutex + + returnManagedFields bool } var _ client.WithWatch = &fakeClient{} @@ -131,6 +139,9 @@ type ClientBuilder struct { withStatusSubresource []client.Object objectTracker testing.ObjectTracker interceptorFuncs *interceptor.Funcs + typeConverters []managedfields.TypeConverter + returnManagedFields bool + isBuilt bool // indexes maps each GroupVersionKind (GVK) to the indexes registered for that GVK. // The inner map maps from index name to IndexerFunc. @@ -172,6 +183,8 @@ func (f *ClientBuilder) WithRuntimeObjects(initRuntimeObjs ...runtime.Object) *C } // WithObjectTracker can be optionally used to initialize this fake client with testing.ObjectTracker. +// Setting this is incompatible with setting WithTypeConverters, as they are a setting on the +// tracker. func (f *ClientBuilder) WithObjectTracker(ot testing.ObjectTracker) *ClientBuilder { f.objectTracker = ot return f @@ -228,8 +241,36 @@ func (f *ClientBuilder) WithInterceptorFuncs(interceptorFuncs interceptor.Funcs) return f } +// WithTypeConverters sets the type converters for the fake client. The list is ordered and the first +// non-erroring converter is used. A type converter must be provided for all types the client is used +// for, otherwise it will error. +// +// This setting is incompatible with WithObjectTracker, as the type converters are a setting on the tracker. +// +// If unset, this defaults to: +// * clientgoapplyconfigurations.NewTypeConverter(scheme.Scheme), +// * managedfields.NewDeducedTypeConverter(), +// +// Be aware that the behavior of the `NewDeducedTypeConverter` might not match the behavior of the +// Kubernetes APIServer, it is recommended to provide a type converter for your types. TypeConverters +// are generated along with ApplyConfigurations. +func (f *ClientBuilder) WithTypeConverters(typeConverters ...managedfields.TypeConverter) *ClientBuilder { + f.typeConverters = append(f.typeConverters, typeConverters...) + return f +} + +// WithReturnManagedFields configures the fake client to return managedFields +// on objects. +func (f *ClientBuilder) WithReturnManagedFields() *ClientBuilder { + f.returnManagedFields = true + return f +} + // Build builds and returns a new fake client. func (f *ClientBuilder) Build() client.WithWatch { + if f.isBuilt { + panic("Build() must not be called multiple times when creating a ClientBuilder") + } if f.scheme == nil { f.scheme = scheme.Scheme } @@ -237,8 +278,6 @@ func (f *ClientBuilder) Build() client.WithWatch { f.restMapper = meta.NewDefaultRESTMapper([]schema.GroupVersion{}) } - var tracker versionedTracker - withStatusSubResource := sets.New(inTreeResourcesWithStatus()...) for _, o := range f.withStatusSubresource { gvk, err := apiutil.GVKForObject(o, f.scheme) @@ -248,10 +287,36 @@ func (f *ClientBuilder) Build() client.WithWatch { withStatusSubResource.Insert(gvk) } + if f.objectTracker != nil && len(f.typeConverters) > 0 { + panic(errors.New("WithObjectTracker and WithTypeConverters are incompatible")) + } + + var usesFieldManagedObjectTracker bool if f.objectTracker == nil { - tracker = versionedTracker{ObjectTracker: testing.NewObjectTracker(f.scheme, scheme.Codecs.UniversalDecoder()), scheme: f.scheme, withStatusSubresource: withStatusSubResource} - } else { - tracker = versionedTracker{ObjectTracker: f.objectTracker, scheme: f.scheme, withStatusSubresource: withStatusSubResource} + if len(f.typeConverters) == 0 { + // Use corresponding scheme to ensure the converter error + // for types it can't handle. + clientGoScheme := runtime.NewScheme() + if err := scheme.AddToScheme(clientGoScheme); err != nil { + panic(fmt.Sprintf("failed to construct client-go scheme: %v", err)) + } + f.typeConverters = []managedfields.TypeConverter{ + clientgoapplyconfigurations.NewTypeConverter(clientGoScheme), + managedfields.NewDeducedTypeConverter(), + } + } + f.objectTracker = testing.NewFieldManagedObjectTracker( + f.scheme, + serializer.NewCodecFactory(f.scheme).UniversalDecoder(), + multiTypeConverter{upstream: f.typeConverters}, + ) + usesFieldManagedObjectTracker = true + } + tracker := versionedTracker{ + ObjectTracker: f.objectTracker, + scheme: f.scheme, + withStatusSubresource: withStatusSubResource, + usesFieldManagedObjectTracker: usesFieldManagedObjectTracker, } for _, obj := range f.initObject { @@ -276,12 +341,14 @@ func (f *ClientBuilder) Build() client.WithWatch { restMapper: f.restMapper, indexes: f.indexes, withStatusSubresource: withStatusSubResource, + returnManagedFields: f.returnManagedFields, } if f.interceptorFuncs != nil { result = interceptor.NewClient(result, *f.interceptorFuncs) } + f.isBuilt = true return result } @@ -318,6 +385,16 @@ func (t versionedTracker) Add(obj runtime.Object) error { if err != nil { return err } + + // If the fieldManager can not decode fields, it will just silently clear them. This is pretty + // much guaranteed not to be what someone that initializes a fake client with objects that + // have them set wants, so validate them here. + // Ref https://github.com/kubernetes/kubernetes/blob/a956ef4862993b825bcd524a19260192ff1da72d/staging/src/k8s.io/apimachinery/pkg/util/managedfields/internal/fieldmanager.go#L105 + if t.usesFieldManagedObjectTracker { + if err := managedfields.ValidateManagedFields(accessor.GetManagedFields()); err != nil { + return fmt.Errorf("invalid managedFields on %T: %w", obj, err) + } + } if err := t.ObjectTracker.Add(obj); err != nil { return err } @@ -332,8 +409,9 @@ func (t versionedTracker) Create(gvr schema.GroupVersionResource, obj runtime.Ob return fmt.Errorf("failed to get accessor for object: %w", err) } if accessor.GetName() == "" { + gvk, _ := apiutil.GVKForObject(obj, t.scheme) return apierrors.NewInvalid( - obj.GetObjectKind().GroupVersionKind().GroupKind(), + gvk.GroupKind(), accessor.GetName(), field.ErrorList{field.Required(field.NewPath("metadata.name"), "name is required")}) } @@ -372,6 +450,9 @@ func convertFromUnstructuredIfNecessary(s *runtime.Scheme, o runtime.Object) (ru if err != nil { return nil, fmt.Errorf("scheme recognizes %s but failed to produce an object for it: %w", gvk, err) } + if _, isTypedUnstructured := typed.(runtime.Unstructured); isTypedUnstructured { + return o, nil + } unstructuredSerialized, err := json.Marshal(u) if err != nil { @@ -394,7 +475,11 @@ func (t versionedTracker) Update(gvr schema.GroupVersionResource, obj runtime.Ob } func (t versionedTracker) update(gvr schema.GroupVersionResource, obj runtime.Object, ns string, isStatus, deleting bool, opts metav1.UpdateOptions) error { - obj, err := t.updateObject(gvr, obj, ns, isStatus, deleting, opts.DryRun) + gvk, err := apiutil.GVKForObject(obj, t.scheme) + if err != nil { + return err + } + obj, err = t.updateObject(gvr, obj, ns, isStatus, deleting, opts.DryRun) if err != nil { return err } @@ -402,6 +487,10 @@ func (t versionedTracker) update(gvr schema.GroupVersionResource, obj runtime.Ob return nil } + if u, unstructured := obj.(*unstructured.Unstructured); unstructured { + u.SetGroupVersionKind(gvk) + } + return t.ObjectTracker.Update(gvr, obj, ns, opts) } @@ -433,8 +522,9 @@ func (t versionedTracker) updateObject(gvr schema.GroupVersionResource, obj runt } if accessor.GetName() == "" { + gvk, _ := apiutil.GVKForObject(obj, t.scheme) return nil, apierrors.NewInvalid( - obj.GetObjectKind().GroupVersionKind().GroupKind(), + gvk.GroupKind(), accessor.GetName(), field.ErrorList{field.Required(field.NewPath("metadata.name"), "name is required")}) } @@ -521,42 +611,60 @@ func (t versionedTracker) updateObject(gvr schema.GroupVersionResource, obj runt } func (c *fakeClient) Get(ctx context.Context, key client.ObjectKey, obj client.Object, opts ...client.GetOption) error { + if err := c.addToSchemeIfUnknownAndUnstructuredOrPartial(obj); err != nil { + return err + } + c.schemeLock.RLock() defer c.schemeLock.RUnlock() gvr, err := getGVRFromObject(obj, c.scheme) if err != nil { return err } + gvk, err := apiutil.GVKForObject(obj, c.scheme) + if err != nil { + return err + } o, err := c.tracker.Get(gvr, key.Namespace, key.Name) if err != nil { return err } - _, isUnstructured := obj.(runtime.Unstructured) - _, isPartialObject := obj.(*metav1.PartialObjectMetadata) - - if isUnstructured || isPartialObject { - gvk, err := apiutil.GVKForObject(obj, c.scheme) - if err != nil { - return err - } - ta, err := meta.TypeAccessor(o) - if err != nil { - return err - } - ta.SetKind(gvk.Kind) - ta.SetAPIVersion(gvk.GroupVersion().String()) + ta, err := meta.TypeAccessor(o) + if err != nil { + return err } + // If the final object is unstructuctured, the json + // representation must contain GVK or the apimachinery + // json serializer will error out. + ta.SetAPIVersion(gvk.GroupVersion().String()) + ta.SetKind(gvk.Kind) + j, err := json.Marshal(o) if err != nil { return err } zero(obj) - return json.Unmarshal(j, obj) + if err := json.Unmarshal(j, obj); err != nil { + return err + } + + if !c.returnManagedFields { + obj.SetManagedFields(nil) + } + + return ensureTypeMeta(obj, gvk) } func (c *fakeClient) Watch(ctx context.Context, list client.ObjectList, opts ...client.ListOption) (watch.Interface, error) { + if err := c.addToSchemeIfUnknownAndUnstructuredOrPartial(list); err != nil { + return nil, err + } + + c.schemeLock.RLock() + defer c.schemeLock.RUnlock() + gvk, err := apiutil.GVKForObject(list, c.scheme) if err != nil { return nil, err @@ -572,6 +680,10 @@ func (c *fakeClient) Watch(ctx context.Context, list client.ObjectList, opts ... } func (c *fakeClient) List(ctx context.Context, obj client.ObjectList, opts ...client.ListOption) error { + if err := c.addToSchemeIfUnknownAndUnstructuredOrPartial(obj); err != nil { + return err + } + c.schemeLock.RLock() defer c.schemeLock.RUnlock() gvk, err := apiutil.GVKForObject(obj, c.scheme) @@ -579,11 +691,12 @@ func (c *fakeClient) List(ctx context.Context, obj client.ObjectList, opts ...cl return err } - originalKind := gvk.Kind - + originalGVK := gvk gvk.Kind = strings.TrimSuffix(gvk.Kind, "List") + listGVK := gvk + listGVK.Kind += "List" - if _, isUnstructuredList := obj.(runtime.Unstructured); isUnstructuredList && !c.scheme.Recognizes(gvk) { + if _, isUnstructuredList := obj.(runtime.Unstructured); isUnstructuredList && !c.scheme.Recognizes(listGVK) { // We need to register the ListKind with UnstructuredList: // https://github.com/kubernetes/kubernetes/blob/7b2776b89fb1be28d4e9203bdeec079be903c103/staging/src/k8s.io/client-go/dynamic/fake/simple.go#L44-L51 c.schemeLock.RUnlock() @@ -602,39 +715,34 @@ func (c *fakeClient) List(ctx context.Context, obj client.ObjectList, opts ...cl return err } - if _, isUnstructured := obj.(runtime.Unstructured); isUnstructured { - ta, err := meta.TypeAccessor(o) - if err != nil { - return err - } - ta.SetKind(originalKind) - ta.SetAPIVersion(gvk.GroupVersion().String()) - } - j, err := json.Marshal(o) if err != nil { return err } zero(obj) + if err := ensureTypeMeta(obj, originalGVK); err != nil { + return err + } objCopy := obj.DeepCopyObject().(client.ObjectList) if err := json.Unmarshal(j, objCopy); err != nil { return err } - if _, isUnstructured := obj.(runtime.Unstructured); isUnstructured { - ta, err := meta.TypeAccessor(obj) - if err != nil { - return err - } - ta.SetKind(originalKind) - ta.SetAPIVersion(gvk.GroupVersion().String()) - } - objs, err := meta.ExtractList(objCopy) if err != nil { return err } + for _, o := range objs { + if err := ensureTypeMeta(o, gvk); err != nil { + return err + } + + if !c.returnManagedFields { + o.(metav1.Object).SetManagedFields(nil) + } + } + if listOpts.LabelSelector == nil && listOpts.FieldSelector == nil { return meta.SetList(obj, objs) } @@ -741,8 +849,13 @@ func (c *fakeClient) IsObjectNamespaced(obj runtime.Object) (bool, error) { } func (c *fakeClient) Create(ctx context.Context, obj client.Object, opts ...client.CreateOption) error { + if err := c.addToSchemeIfUnknownAndUnstructuredOrPartial(obj); err != nil { + return err + } + c.schemeLock.RLock() defer c.schemeLock.RUnlock() + createOptions := &client.CreateOptions{} createOptions.ApplyOptions(opts) @@ -773,14 +886,35 @@ func (c *fakeClient) Create(ctx context.Context, obj client.Object, opts ...clie accessor.SetDeletionTimestamp(nil) } + gvk, err := apiutil.GVKForObject(obj, c.scheme) + if err != nil { + return err + } + c.trackerWriteLock.Lock() defer c.trackerWriteLock.Unlock() - return c.tracker.Create(gvr, obj, accessor.GetNamespace()) + + if err := c.tracker.Create(gvr, obj, accessor.GetNamespace(), *createOptions.AsCreateOptions()); err != nil { + // The managed fields tracker sets gvk even on errors + _ = ensureTypeMeta(obj, gvk) + return err + } + + if !c.returnManagedFields { + obj.SetManagedFields(nil) + } + + return ensureTypeMeta(obj, gvk) } func (c *fakeClient) Delete(ctx context.Context, obj client.Object, opts ...client.DeleteOption) error { + if err := c.addToSchemeIfUnknownAndUnstructuredOrPartial(obj); err != nil { + return err + } + c.schemeLock.RLock() defer c.schemeLock.RUnlock() + gvr, err := getGVRFromObject(obj, c.scheme) if err != nil { return err @@ -826,8 +960,13 @@ func (c *fakeClient) Delete(ctx context.Context, obj client.Object, opts ...clie } func (c *fakeClient) DeleteAllOf(ctx context.Context, obj client.Object, opts ...client.DeleteAllOfOption) error { + if err := c.addToSchemeIfUnknownAndUnstructuredOrPartial(obj); err != nil { + return err + } + c.schemeLock.RLock() defer c.schemeLock.RUnlock() + gvk, err := apiutil.GVKForObject(obj, c.scheme) if err != nil { return err @@ -877,8 +1016,13 @@ func (c *fakeClient) Update(ctx context.Context, obj client.Object, opts ...clie } func (c *fakeClient) update(obj client.Object, isStatus bool, opts ...client.UpdateOption) error { + if err := c.addToSchemeIfUnknownAndUnstructuredOrPartial(obj); err != nil { + return err + } + c.schemeLock.RLock() defer c.schemeLock.RUnlock() + updateOptions := &client.UpdateOptions{} updateOptions.ApplyOptions(opts) @@ -892,6 +1036,10 @@ func (c *fakeClient) update(obj client.Object, isStatus bool, opts ...client.Upd if err != nil { return err } + gvk, err := apiutil.GVKForObject(obj, c.scheme) + if err != nil { + return err + } accessor, err := meta.Accessor(obj) if err != nil { return err @@ -899,19 +1047,100 @@ func (c *fakeClient) update(obj client.Object, isStatus bool, opts ...client.Upd c.trackerWriteLock.Lock() defer c.trackerWriteLock.Unlock() - return c.tracker.update(gvr, obj, accessor.GetNamespace(), isStatus, false, *updateOptions.AsUpdateOptions()) + + // Retain managed fields + // We can ignore all errors here since update will fail if we encounter an error. + obj.SetManagedFields(nil) + current, _ := c.tracker.Get(gvr, accessor.GetNamespace(), accessor.GetName()) + if currentMetaObj, ok := current.(metav1.Object); ok { + obj.SetManagedFields(currentMetaObj.GetManagedFields()) + } + + if err := c.tracker.update(gvr, obj, accessor.GetNamespace(), isStatus, false, *updateOptions.AsUpdateOptions()); err != nil { + return err + } + + if !c.returnManagedFields { + obj.SetManagedFields(nil) + } + + return ensureTypeMeta(obj, gvk) } func (c *fakeClient) Patch(ctx context.Context, obj client.Object, patch client.Patch, opts ...client.PatchOption) error { return c.patch(obj, patch, opts...) } +func (c *fakeClient) Apply(ctx context.Context, obj runtime.ApplyConfiguration, opts ...client.ApplyOption) error { + applyOpts := &client.ApplyOptions{} + applyOpts.ApplyOptions(opts) + + data, err := json.Marshal(obj) + if err != nil { + return fmt.Errorf("failed to marshal apply configuration: %w", err) + } + + u := &unstructured.Unstructured{} + if err := json.Unmarshal(data, u); err != nil { + return fmt.Errorf("failed to unmarshal apply configuration: %w", err) + } + + applyPatch := &fakeApplyPatch{} + + patchOpts := &client.PatchOptions{} + patchOpts.Raw = applyOpts.AsPatchOptions() + + if err := c.patch(u, applyPatch, patchOpts); err != nil { + return err + } + + acJSON, err := json.Marshal(u) + if err != nil { + return fmt.Errorf("failed to marshal patched object: %w", err) + } + + // We have to zero the object in case it contained a status and there is a + // status subresource. If its the private `unstructuredApplyConfiguration` + // we can not zero all of it, as that will cause the embedded Unstructured + // to be nil which then causes a NPD in the json.Unmarshal below. + switch reflect.TypeOf(obj).String() { + case "*client.unstructuredApplyConfiguration": + zero(reflect.ValueOf(obj).Elem().FieldByName("Unstructured").Interface()) + default: + zero(obj) + } + if err := json.Unmarshal(acJSON, obj); err != nil { + return fmt.Errorf("failed to unmarshal patched object: %w", err) + } + + return nil +} + +type fakeApplyPatch struct{} + +func (p *fakeApplyPatch) Type() types.PatchType { + return types.ApplyPatchType +} + +func (p *fakeApplyPatch) Data(obj client.Object) ([]byte, error) { + return json.Marshal(obj) +} + func (c *fakeClient) patch(obj client.Object, patch client.Patch, opts ...client.PatchOption) error { - c.schemeLock.RLock() - defer c.schemeLock.RUnlock() + if err := c.addToSchemeIfUnknownAndUnstructuredOrPartial(obj); err != nil { + return err + } + patchOptions := &client.PatchOptions{} patchOptions.ApplyOptions(opts) + if errs := validation.ValidatePatchOptions(patchOptions.AsPatchOptions(), patch.Type()); len(errs) > 0 { + return apierrors.NewInvalid(schema.GroupKind{Group: "meta.k8s.io", Kind: "PatchOptions"}, "", errs) + } + + c.schemeLock.RLock() + defer c.schemeLock.RUnlock() + for _, dryRunOpt := range patchOptions.DryRun { if dryRunOpt == metav1.DryRunAll { return nil @@ -922,51 +1151,77 @@ func (c *fakeClient) patch(obj client.Object, patch client.Patch, opts ...client if err != nil { return err } - accessor, err := meta.Accessor(obj) - if err != nil { - return err - } - data, err := patch.Data(obj) + gvk, err := apiutil.GVKForObject(obj, c.scheme) if err != nil { return err } - - gvk, err := apiutil.GVKForObject(obj, c.scheme) + accessor, err := meta.Accessor(obj) if err != nil { return err } + var isApplyCreate bool c.trackerWriteLock.Lock() defer c.trackerWriteLock.Unlock() oldObj, err := c.tracker.Get(gvr, accessor.GetNamespace(), accessor.GetName()) if err != nil { - return err + if !apierrors.IsNotFound(err) || patch.Type() != types.ApplyPatchType { + return err + } + oldObj = &unstructured.Unstructured{} + isApplyCreate = true } oldAccessor, err := meta.Accessor(oldObj) if err != nil { return err } - // Apply patch without updating object. - // To remain in accordance with the behavior of k8s api behavior, - // a patch must not allow for changes to the deletionTimestamp of an object. - // The reaction() function applies the patch to the object and calls Update(), - // whereas dryPatch() replicates this behavior but skips the call to Update(). - // This ensures that the patch may be rejected if a deletionTimestamp is modified, prior - // to updating the object. - action := testing.NewPatchAction(gvr, accessor.GetNamespace(), accessor.GetName(), patch.Type(), data) - o, err := dryPatch(action, c.tracker) - if err != nil { - return err + // SSA deletionTimestamp updates are silently ignored + if patch.Type() == types.ApplyPatchType && !isApplyCreate { + obj.SetDeletionTimestamp(oldAccessor.GetDeletionTimestamp()) } - newObj, err := meta.Accessor(o) + + data, err := patch.Data(obj) if err != nil { return err } - // Validate that deletionTimestamp has not been changed - if !deletionTimestampEqual(newObj, oldAccessor) { - return fmt.Errorf("rejected patch, metadata.deletionTimestamp immutable") + action := testing.NewPatchActionWithOptions( + gvr, + accessor.GetNamespace(), + accessor.GetName(), + patch.Type(), + data, + *patchOptions.AsPatchOptions(), + ) + + // Apply is implemented in the tracker and calling it has side-effects + // such as bumping RV and updating managedFields timestamps, hence we + // can not dry-run it. Luckily, the only validation we use it for + // doesn't apply to SSA - Creating objects with non-nil deletionTimestamp + // through SSA is possible and updating the deletionTimestamp is valid, + // but has no effect. + if patch.Type() != types.ApplyPatchType { + // Apply patch without updating object. + // To remain in accordance with the behavior of k8s api behavior, + // a patch must not allow for changes to the deletionTimestamp of an object. + // The reaction() function applies the patch to the object and calls Update(), + // whereas dryPatch() replicates this behavior but skips the call to Update(). + // This ensures that the patch may be rejected if a deletionTimestamp is modified, prior + // to updating the object. + o, err := dryPatch(action, c.tracker) + if err != nil { + return err + } + newObj, err := meta.Accessor(o) + if err != nil { + return err + } + + // Validate that deletionTimestamp has not been changed + if !deletionTimestampEqual(newObj, oldAccessor) { + return fmt.Errorf("rejected patch, metadata.deletionTimestamp immutable") + } } reaction := testing.ObjectReaction(c.tracker) @@ -978,21 +1233,28 @@ func (c *fakeClient) patch(obj client.Object, patch client.Patch, opts ...client panic("tracker could not handle patch method") } - if _, isUnstructured := obj.(runtime.Unstructured); isUnstructured { - ta, err := meta.TypeAccessor(o) - if err != nil { - return err - } - ta.SetKind(gvk.Kind) - ta.SetAPIVersion(gvk.GroupVersion().String()) + ta, err := meta.TypeAccessor(o) + if err != nil { + return err } + ta.SetAPIVersion(gvk.GroupVersion().String()) + ta.SetKind(gvk.Kind) + j, err := json.Marshal(o) if err != nil { return err } zero(obj) - return json.Unmarshal(j, obj) + if err := json.Unmarshal(j, obj); err != nil { + return err + } + + if !c.returnManagedFields { + obj.SetManagedFields(nil) + } + + return ensureTypeMeta(obj, gvk) } // Applying a patch results in a deletionTimestamp that is truncated to the nearest second. @@ -1020,6 +1282,9 @@ func dryPatch(action testing.PatchActionImpl, tracker testing.ObjectTracker) (ru obj, err := tracker.Get(gvr, ns, action.GetName()) if err != nil { + if apierrors.IsNotFound(err) && action.GetPatchType() == types.ApplyPatchType { + return &unstructured.Unstructured{}, nil + } return nil, err } @@ -1064,10 +1329,10 @@ func dryPatch(action testing.PatchActionImpl, tracker testing.ObjectTracker) (ru if err = json.Unmarshal(mergedByte, obj); err != nil { return nil, err } - case types.ApplyPatchType: - return nil, errors.New("apply patches are not supported in the fake client. Follow https://github.com/kubernetes/kubernetes/issues/115598 for the current status") case types.ApplyCBORPatchType: return nil, errors.New("apply CBOR patches are not supported in the fake client") + case types.ApplyPatchType: + return nil, errors.New("bug in controller-runtime: should not end up in dryPatch for SSA") default: return nil, fmt.Errorf("%s PatchType is not supported", action.GetPatchType()) } @@ -1600,3 +1865,47 @@ func AddIndex(c client.Client, obj runtime.Object, field string, extractValue cl return nil } + +func (c *fakeClient) addToSchemeIfUnknownAndUnstructuredOrPartial(obj runtime.Object) error { + c.schemeLock.Lock() + defer c.schemeLock.Unlock() + + _, isUnstructured := obj.(*unstructured.Unstructured) + _, isUnstructuredList := obj.(*unstructured.UnstructuredList) + _, isPartial := obj.(*metav1.PartialObjectMetadata) + _, isPartialList := obj.(*metav1.PartialObjectMetadataList) + if !isUnstructured && !isUnstructuredList && !isPartial && !isPartialList { + return nil + } + + gvk, err := apiutil.GVKForObject(obj, c.scheme) + if err != nil { + return err + } + + if !c.scheme.Recognizes(gvk) { + c.scheme.AddKnownTypeWithName(gvk, obj) + } + + return nil +} + +func ensureTypeMeta(obj runtime.Object, gvk schema.GroupVersionKind) error { + ta, err := meta.TypeAccessor(obj) + if err != nil { + return err + } + _, isUnstructured := obj.(runtime.Unstructured) + _, isPartialObject := obj.(*metav1.PartialObjectMetadata) + _, isPartialObjectList := obj.(*metav1.PartialObjectMetadataList) + if !isUnstructured && !isPartialObject && !isPartialObjectList { + ta.SetKind("") + ta.SetAPIVersion("") + return nil + } + + ta.SetKind(gvk.Kind) + ta.SetAPIVersion(gvk.GroupVersion().String()) + + return nil +} diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/client/fake/typeconverter.go b/vendor/sigs.k8s.io/controller-runtime/pkg/client/fake/typeconverter.go new file mode 100644 index 000000000..3cb3a0dc7 --- /dev/null +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/client/fake/typeconverter.go @@ -0,0 +1,60 @@ +/* +Copyright 2025 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package fake + +import ( + "fmt" + + "k8s.io/apimachinery/pkg/runtime" + kerrors "k8s.io/apimachinery/pkg/util/errors" + "k8s.io/apimachinery/pkg/util/managedfields" + "sigs.k8s.io/structured-merge-diff/v6/typed" +) + +type multiTypeConverter struct { + upstream []managedfields.TypeConverter +} + +func (m multiTypeConverter) ObjectToTyped(r runtime.Object, o ...typed.ValidationOptions) (*typed.TypedValue, error) { + var errs []error + for _, u := range m.upstream { + res, err := u.ObjectToTyped(r, o...) + if err != nil { + errs = append(errs, err) + continue + } + + return res, nil + } + + return nil, fmt.Errorf("failed to convert Object to TypedValue: %w", kerrors.NewAggregate(errs)) +} + +func (m multiTypeConverter) TypedToObject(v *typed.TypedValue) (runtime.Object, error) { + var errs []error + for _, u := range m.upstream { + res, err := u.TypedToObject(v) + if err != nil { + errs = append(errs, err) + continue + } + + return res, nil + } + + return nil, fmt.Errorf("failed to convert TypedValue to Object: %w", kerrors.NewAggregate(errs)) +} diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/client/fieldowner.go b/vendor/sigs.k8s.io/controller-runtime/pkg/client/fieldowner.go index 07183cd19..93274f950 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/client/fieldowner.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/client/fieldowner.go @@ -54,6 +54,10 @@ func (f *clientWithFieldManager) Patch(ctx context.Context, obj Object, patch Pa return f.c.Patch(ctx, obj, patch, append([]PatchOption{FieldOwner(f.owner)}, opts...)...) } +func (f *clientWithFieldManager) Apply(ctx context.Context, obj runtime.ApplyConfiguration, opts ...ApplyOption) error { + return f.c.Apply(ctx, obj, append([]ApplyOption{FieldOwner(f.owner)}, opts...)...) +} + func (f *clientWithFieldManager) Delete(ctx context.Context, obj Object, opts ...DeleteOption) error { return f.c.Delete(ctx, obj, opts...) } diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/client/fieldvalidation.go b/vendor/sigs.k8s.io/controller-runtime/pkg/client/fieldvalidation.go index 659b3d44c..ce8d0576c 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/client/fieldvalidation.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/client/fieldvalidation.go @@ -53,6 +53,10 @@ func (c *clientWithFieldValidation) Patch(ctx context.Context, obj Object, patch return c.client.Patch(ctx, obj, patch, append([]PatchOption{c.validation}, opts...)...) } +func (c *clientWithFieldValidation) Apply(ctx context.Context, obj runtime.ApplyConfiguration, opts ...ApplyOption) error { + return c.client.Apply(ctx, obj, opts...) +} + func (c *clientWithFieldValidation) Delete(ctx context.Context, obj Object, opts ...DeleteOption) error { return c.client.Delete(ctx, obj, opts...) } diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/client/interceptor/intercept.go b/vendor/sigs.k8s.io/controller-runtime/pkg/client/interceptor/intercept.go index 3d3f3cb01..7ff73bd8d 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/client/interceptor/intercept.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/client/interceptor/intercept.go @@ -19,6 +19,7 @@ type Funcs struct { DeleteAllOf func(ctx context.Context, client client.WithWatch, obj client.Object, opts ...client.DeleteAllOfOption) error Update func(ctx context.Context, client client.WithWatch, obj client.Object, opts ...client.UpdateOption) error Patch func(ctx context.Context, client client.WithWatch, obj client.Object, patch client.Patch, opts ...client.PatchOption) error + Apply func(ctx context.Context, client client.WithWatch, obj runtime.ApplyConfiguration, opts ...client.ApplyOption) error Watch func(ctx context.Context, client client.WithWatch, obj client.ObjectList, opts ...client.ListOption) (watch.Interface, error) SubResource func(client client.WithWatch, subResource string) client.SubResourceClient SubResourceGet func(ctx context.Context, client client.Client, subResourceName string, obj client.Object, subResource client.Object, opts ...client.SubResourceGetOption) error @@ -92,6 +93,14 @@ func (c interceptor) Patch(ctx context.Context, obj client.Object, patch client. return c.client.Patch(ctx, obj, patch, opts...) } +func (c interceptor) Apply(ctx context.Context, obj runtime.ApplyConfiguration, opts ...client.ApplyOption) error { + if c.funcs.Apply != nil { + return c.funcs.Apply(ctx, c.client, obj, opts...) + } + + return c.client.Apply(ctx, obj, opts...) +} + func (c interceptor) DeleteAllOf(ctx context.Context, obj client.Object, opts ...client.DeleteAllOfOption) error { if c.funcs.DeleteAllOf != nil { return c.funcs.DeleteAllOf(ctx, c.client, obj, opts...) diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/client/interfaces.go b/vendor/sigs.k8s.io/controller-runtime/pkg/client/interfaces.go index 3b282fc2c..61559ecbe 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/client/interfaces.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/client/interfaces.go @@ -61,6 +61,9 @@ type Reader interface { // Writer knows how to create, delete, and update Kubernetes objects. type Writer interface { + // Apply applies the given apply configuration to the Kubernetes cluster. + Apply(ctx context.Context, obj runtime.ApplyConfiguration, opts ...ApplyOption) error + // Create saves the object obj in the Kubernetes cluster. obj must be a // struct pointer so that obj can be updated with the content returned by the Server. Create(ctx context.Context, obj Object, opts ...CreateOption) error diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/client/namespaced_client.go b/vendor/sigs.k8s.io/controller-runtime/pkg/client/namespaced_client.go index 222dc7957..d4223eda2 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/client/namespaced_client.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/client/namespaced_client.go @@ -19,10 +19,13 @@ package client import ( "context" "fmt" + "reflect" "k8s.io/apimachinery/pkg/api/meta" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/utils/ptr" + "sigs.k8s.io/controller-runtime/pkg/client/apiutil" ) // NewNamespacedClient wraps an existing client enforcing the namespace value. @@ -147,6 +150,52 @@ func (n *namespacedClient) Patch(ctx context.Context, obj Object, patch Patch, o return n.client.Patch(ctx, obj, patch, opts...) } +func (n *namespacedClient) Apply(ctx context.Context, obj runtime.ApplyConfiguration, opts ...ApplyOption) error { + var gvk schema.GroupVersionKind + switch o := obj.(type) { + case applyConfiguration: + var err error + gvk, err = gvkFromApplyConfiguration(o) + if err != nil { + return err + } + case *unstructuredApplyConfiguration: + gvk = o.GroupVersionKind() + default: + return fmt.Errorf("object %T is not a valid apply configuration", obj) + } + isNamespaceScoped, err := apiutil.IsGVKNamespaced(gvk, n.RESTMapper()) + if err != nil { + return fmt.Errorf("error finding the scope of the object: %w", err) + } + if isNamespaceScoped { + switch o := obj.(type) { + case applyConfiguration: + if o.GetNamespace() != nil && *o.GetNamespace() != "" && *o.GetNamespace() != n.namespace { + return fmt.Errorf("namespace %s provided for the object %s does not match the namespace %s on the client", + *o.GetNamespace(), ptr.Deref(o.GetName(), ""), n.namespace) + } + v := reflect.ValueOf(o) + withNamespace := v.MethodByName("WithNamespace") + if !withNamespace.IsValid() { + return fmt.Errorf("ApplyConfiguration %T does not have a WithNamespace method", o) + } + if tp := withNamespace.Type(); tp.NumIn() != 1 || tp.In(0).Kind() != reflect.String { + return fmt.Errorf("WithNamespace method of ApplyConfiguration %T must take a single string argument", o) + } + withNamespace.Call([]reflect.Value{reflect.ValueOf(n.namespace)}) + case *unstructuredApplyConfiguration: + if o.GetNamespace() != "" && o.GetNamespace() != n.namespace { + return fmt.Errorf("namespace %s provided for the object %s does not match the namespace %s on the client", + o.GetNamespace(), o.GetName(), n.namespace) + } + o.SetNamespace(n.namespace) + } + } + + return n.client.Apply(ctx, obj, opts...) +} + // Get implements client.Client. func (n *namespacedClient) Get(ctx context.Context, key ObjectKey, obj Object, opts ...GetOption) error { isNamespaceScoped, err := n.IsObjectNamespaced(obj) @@ -164,7 +213,12 @@ func (n *namespacedClient) Get(ctx context.Context, key ObjectKey, obj Object, o // List implements client.Client. func (n *namespacedClient) List(ctx context.Context, obj ObjectList, opts ...ListOption) error { - if n.namespace != "" { + isNamespaceScoped, err := n.IsObjectNamespaced(obj) + if err != nil { + return fmt.Errorf("error finding the scope of the object: %w", err) + } + + if isNamespaceScoped && n.namespace != "" { opts = append(opts, InNamespace(n.namespace)) } return n.client.List(ctx, obj, opts...) diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/client/options.go b/vendor/sigs.k8s.io/controller-runtime/pkg/client/options.go index db50ed8fe..33c460738 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/client/options.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/client/options.go @@ -21,6 +21,7 @@ import ( "k8s.io/apimachinery/pkg/fields" "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/selection" + "k8s.io/utils/ptr" ) // {{{ "Functional" Option Interfaces @@ -61,6 +62,12 @@ type PatchOption interface { ApplyToPatch(*PatchOptions) } +// ApplyOption is some configuration that modifies options for an apply request. +type ApplyOption interface { + // ApplyToApply applies this configuration to the given apply options. + ApplyToApply(*ApplyOptions) +} + // DeleteAllOfOption is some configuration that modifies options for a delete request. type DeleteAllOfOption interface { // ApplyToDeleteAllOf applies this configuration to the given deletecollection options. @@ -115,7 +122,12 @@ func (dryRunAll) ApplyToPatch(opts *PatchOptions) { opts.DryRun = []string{metav1.DryRunAll} } -// ApplyToPatch applies this configuration to the given delete options. +// ApplyToApply applies this configuration to the given apply options. +func (dryRunAll) ApplyToApply(opts *ApplyOptions) { + opts.DryRun = []string{metav1.DryRunAll} +} + +// ApplyToDelete applies this configuration to the given delete options. func (dryRunAll) ApplyToDelete(opts *DeleteOptions) { opts.DryRun = []string{metav1.DryRunAll} } @@ -154,6 +166,11 @@ func (f FieldOwner) ApplyToUpdate(opts *UpdateOptions) { opts.FieldManager = string(f) } +// ApplyToApply applies this configuration to the given apply options. +func (f FieldOwner) ApplyToApply(opts *ApplyOptions) { + opts.FieldManager = string(f) +} + // ApplyToSubResourcePatch applies this configuration to the given patch options. func (f FieldOwner) ApplyToSubResourcePatch(opts *SubResourcePatchOptions) { opts.FieldManager = string(f) @@ -431,6 +448,12 @@ type GetOptions struct { // Raw represents raw GetOptions, as passed to the API server. Note // that these may not be respected by all implementations of interface. Raw *metav1.GetOptions + + // UnsafeDisableDeepCopy indicates not to deep copy objects during get object. + // Be very careful with this, when enabled you must DeepCopy any object before mutating it, + // otherwise you will mutate the object in the cache. + // +optional + UnsafeDisableDeepCopy *bool } var _ GetOption = &GetOptions{} @@ -440,6 +463,9 @@ func (o *GetOptions) ApplyToGet(lo *GetOptions) { if o.Raw != nil { lo.Raw = o.Raw } + if o.UnsafeDisableDeepCopy != nil { + lo.UnsafeDisableDeepCopy = o.UnsafeDisableDeepCopy + } } // AsGetOptions returns these options as a flattened metav1.GetOptions. @@ -618,6 +644,9 @@ type MatchingLabelsSelector struct { // ApplyToList applies this configuration to the given list options. func (m MatchingLabelsSelector) ApplyToList(opts *ListOptions) { + if m.Selector == nil { + m.Selector = labels.Nothing() + } opts.LabelSelector = m } @@ -651,6 +680,9 @@ type MatchingFieldsSelector struct { // ApplyToList applies this configuration to the given list options. func (m MatchingFieldsSelector) ApplyToList(opts *ListOptions) { + if m.Selector == nil { + m.Selector = fields.Nothing() + } opts.FieldSelector = m } @@ -692,15 +724,14 @@ func (l Limit) ApplyToList(opts *ListOptions) { // otherwise you will mutate the object in the cache. type UnsafeDisableDeepCopyOption bool +// ApplyToGet applies this configuration to the given an Get options. +func (d UnsafeDisableDeepCopyOption) ApplyToGet(opts *GetOptions) { + opts.UnsafeDisableDeepCopy = ptr.To(bool(d)) +} + // ApplyToList applies this configuration to the given an List options. func (d UnsafeDisableDeepCopyOption) ApplyToList(opts *ListOptions) { - definitelyTrue := true - definitelyFalse := false - if d { - opts.UnsafeDisableDeepCopy = &definitelyTrue - } else { - opts.UnsafeDisableDeepCopy = &definitelyFalse - } + opts.UnsafeDisableDeepCopy = ptr.To(bool(d)) } // UnsafeDisableDeepCopy indicates not to deep copy objects during list objects. @@ -863,10 +894,18 @@ func (o *PatchOptions) AsPatchOptions() *metav1.PatchOptions { o.Raw = &metav1.PatchOptions{} } - o.Raw.DryRun = o.DryRun - o.Raw.Force = o.Force - o.Raw.FieldManager = o.FieldManager - o.Raw.FieldValidation = o.FieldValidation + if o.DryRun != nil { + o.Raw.DryRun = o.DryRun + } + if o.Force != nil { + o.Raw.Force = o.Force + } + if o.FieldManager != "" { + o.Raw.FieldManager = o.FieldManager + } + if o.FieldValidation != "" { + o.Raw.FieldValidation = o.FieldValidation + } return o.Raw } @@ -899,13 +938,15 @@ var ForceOwnership = forceOwnership{} type forceOwnership struct{} func (forceOwnership) ApplyToPatch(opts *PatchOptions) { - definitelyTrue := true - opts.Force = &definitelyTrue + opts.Force = ptr.To(true) } func (forceOwnership) ApplyToSubResourcePatch(opts *SubResourcePatchOptions) { - definitelyTrue := true - opts.Force = &definitelyTrue + opts.Force = ptr.To(true) +} + +func (forceOwnership) ApplyToApply(opts *ApplyOptions) { + opts.Force = ptr.To(true) } // }}} @@ -939,3 +980,57 @@ func (o *DeleteAllOfOptions) ApplyToDeleteAllOf(do *DeleteAllOfOptions) { } // }}} + +// ApplyOptions are the options for an apply request. +type ApplyOptions struct { + // When present, indicates that modifications should not be + // persisted. An invalid or unrecognized dryRun directive will + // result in an error response and no further processing of the + // request. Valid values are: + // - All: all dry run stages will be processed + DryRun []string + + // Force is going to "force" Apply requests. It means user will + // re-acquire conflicting fields owned by other people. + Force *bool + + // fieldManager is a name associated with the actor or entity + // that is making these changes. The value must be less than or + // 128 characters long, and only contain printable characters, + // as defined by https://golang.org/pkg/unicode/#IsPrint. This + // field is required. + // + // +required + FieldManager string +} + +// ApplyOptions applies the given opts onto the ApplyOptions +func (o *ApplyOptions) ApplyOptions(opts []ApplyOption) *ApplyOptions { + for _, opt := range opts { + opt.ApplyToApply(o) + } + return o +} + +// ApplyToApply applies the given opts onto the ApplyOptions +func (o *ApplyOptions) ApplyToApply(opts *ApplyOptions) { + if o.DryRun != nil { + opts.DryRun = o.DryRun + } + if o.Force != nil { + opts.Force = o.Force + } + + if o.FieldManager != "" { + opts.FieldManager = o.FieldManager + } +} + +// AsPatchOptions constructs patch options from the given ApplyOptions +func (o *ApplyOptions) AsPatchOptions() *metav1.PatchOptions { + return &metav1.PatchOptions{ + DryRun: o.DryRun, + Force: o.Force, + FieldManager: o.FieldManager, + } +} diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/client/patch.go b/vendor/sigs.k8s.io/controller-runtime/pkg/client/patch.go index 11d608388..b99d7663b 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/client/patch.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/client/patch.go @@ -27,6 +27,11 @@ import ( var ( // Apply uses server-side apply to patch the given object. + // + // This should now only be used to patch sub resources, e.g. with client.Client.Status().Patch(). + // Use client.Client.Apply() instead of client.Client.Patch(..., client.Apply, ...) + // This will be deprecated once the Apply method has been added for sub resources. + // See the following issue for more details: https://github.com/kubernetes-sigs/controller-runtime/issues/3183 Apply Patch = applyPatch{} // Merge uses the raw object as a merge patch, without modifications. diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/client/typed_client.go b/vendor/sigs.k8s.io/controller-runtime/pkg/client/typed_client.go index 92afd9a9c..3bd762a63 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/client/typed_client.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/client/typed_client.go @@ -18,8 +18,10 @@ package client import ( "context" + "fmt" "k8s.io/apimachinery/pkg/runtime" + "k8s.io/client-go/util/apply" ) var _ Reader = &typedClient{} @@ -41,7 +43,7 @@ func (c *typedClient) Create(ctx context.Context, obj Object, opts ...CreateOpti createOpts.ApplyOptions(opts) return o.Post(). - NamespaceIfScoped(o.GetNamespace(), o.isNamespaced()). + NamespaceIfScoped(o.namespace, o.isNamespaced()). Resource(o.resource()). Body(obj). VersionedParams(createOpts.AsCreateOptions(), c.paramCodec). @@ -60,9 +62,9 @@ func (c *typedClient) Update(ctx context.Context, obj Object, opts ...UpdateOpti updateOpts.ApplyOptions(opts) return o.Put(). - NamespaceIfScoped(o.GetNamespace(), o.isNamespaced()). + NamespaceIfScoped(o.namespace, o.isNamespaced()). Resource(o.resource()). - Name(o.GetName()). + Name(o.name). Body(obj). VersionedParams(updateOpts.AsUpdateOptions(), c.paramCodec). Do(ctx). @@ -80,9 +82,9 @@ func (c *typedClient) Delete(ctx context.Context, obj Object, opts ...DeleteOpti deleteOpts.ApplyOptions(opts) return o.Delete(). - NamespaceIfScoped(o.GetNamespace(), o.isNamespaced()). + NamespaceIfScoped(o.namespace, o.isNamespaced()). Resource(o.resource()). - Name(o.GetName()). + Name(o.name). Body(deleteOpts.AsDeleteOptions()). Do(ctx). Error() @@ -123,15 +125,40 @@ func (c *typedClient) Patch(ctx context.Context, obj Object, patch Patch, opts . patchOpts.ApplyOptions(opts) return o.Patch(patch.Type()). - NamespaceIfScoped(o.GetNamespace(), o.isNamespaced()). + NamespaceIfScoped(o.namespace, o.isNamespaced()). Resource(o.resource()). - Name(o.GetName()). + Name(o.name). VersionedParams(patchOpts.AsPatchOptions(), c.paramCodec). Body(data). Do(ctx). Into(obj) } +func (c *typedClient) Apply(ctx context.Context, obj runtime.ApplyConfiguration, opts ...ApplyOption) error { + o, err := c.resources.getObjMeta(obj) + if err != nil { + return err + } + req, err := apply.NewRequest(o, obj) + if err != nil { + return fmt.Errorf("failed to create apply request: %w", err) + } + applyOpts := &ApplyOptions{} + applyOpts.ApplyOptions(opts) + + return req. + NamespaceIfScoped(o.namespace, o.isNamespaced()). + Resource(o.resource()). + Name(o.name). + VersionedParams(applyOpts.AsPatchOptions(), c.paramCodec). + Do(ctx). + // This is hacky, it is required because `Into` takes a `runtime.Object` and + // that is not implemented by the ApplyConfigurations. The generated clients + // don't have this problem because they deserialize into the api type, not the + // apply configuration: https://github.com/kubernetes/kubernetes/blob/22f5e01a37c0bc6a5f494dec14dd4e3688ee1d55/staging/src/k8s.io/client-go/gentype/type.go#L296-L317 + Into(runtimeObjectFromApplyConfiguration(obj)) +} + // Get implements client.Client. func (c *typedClient) Get(ctx context.Context, key ObjectKey, obj Object, opts ...GetOption) error { r, err := c.resources.getResource(obj) @@ -179,9 +206,9 @@ func (c *typedClient) GetSubResource(ctx context.Context, obj, subResourceObj Ob getOpts.ApplyOptions(opts) return o.Get(). - NamespaceIfScoped(o.GetNamespace(), o.isNamespaced()). + NamespaceIfScoped(o.namespace, o.isNamespaced()). Resource(o.resource()). - Name(o.GetName()). + Name(o.name). SubResource(subResource). VersionedParams(getOpts.AsGetOptions(), c.paramCodec). Do(ctx). @@ -202,9 +229,9 @@ func (c *typedClient) CreateSubResource(ctx context.Context, obj Object, subReso createOpts.ApplyOptions(opts) return o.Post(). - NamespaceIfScoped(o.GetNamespace(), o.isNamespaced()). + NamespaceIfScoped(o.namespace, o.isNamespaced()). Resource(o.resource()). - Name(o.GetName()). + Name(o.name). SubResource(subResource). Body(subResourceObj). VersionedParams(createOpts.AsCreateOptions(), c.paramCodec). @@ -237,9 +264,9 @@ func (c *typedClient) UpdateSubResource(ctx context.Context, obj Object, subReso } return o.Put(). - NamespaceIfScoped(o.GetNamespace(), o.isNamespaced()). + NamespaceIfScoped(o.namespace, o.isNamespaced()). Resource(o.resource()). - Name(o.GetName()). + Name(o.name). SubResource(subResource). Body(body). VersionedParams(updateOpts.AsUpdateOptions(), c.paramCodec). @@ -268,9 +295,9 @@ func (c *typedClient) PatchSubResource(ctx context.Context, obj Object, subResou } return o.Patch(patch.Type()). - NamespaceIfScoped(o.GetNamespace(), o.isNamespaced()). + NamespaceIfScoped(o.namespace, o.isNamespaced()). Resource(o.resource()). - Name(o.GetName()). + Name(o.name). SubResource(subResource). Body(data). VersionedParams(patchOpts.AsPatchOptions(), c.paramCodec). diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/client/unstructured_client.go b/vendor/sigs.k8s.io/controller-runtime/pkg/client/unstructured_client.go index 0d9695178..e636c3bee 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/client/unstructured_client.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/client/unstructured_client.go @@ -22,6 +22,7 @@ import ( "strings" "k8s.io/apimachinery/pkg/runtime" + "k8s.io/client-go/util/apply" ) var _ Reader = &unstructuredClient{} @@ -50,7 +51,7 @@ func (uc *unstructuredClient) Create(ctx context.Context, obj Object, opts ...Cr createOpts.ApplyOptions(opts) result := o.Post(). - NamespaceIfScoped(o.GetNamespace(), o.isNamespaced()). + NamespaceIfScoped(o.namespace, o.isNamespaced()). Resource(o.resource()). Body(obj). VersionedParams(createOpts.AsCreateOptions(), uc.paramCodec). @@ -79,9 +80,9 @@ func (uc *unstructuredClient) Update(ctx context.Context, obj Object, opts ...Up updateOpts.ApplyOptions(opts) result := o.Put(). - NamespaceIfScoped(o.GetNamespace(), o.isNamespaced()). + NamespaceIfScoped(o.namespace, o.isNamespaced()). Resource(o.resource()). - Name(o.GetName()). + Name(o.name). Body(obj). VersionedParams(updateOpts.AsUpdateOptions(), uc.paramCodec). Do(ctx). @@ -106,9 +107,9 @@ func (uc *unstructuredClient) Delete(ctx context.Context, obj Object, opts ...De deleteOpts.ApplyOptions(opts) return o.Delete(). - NamespaceIfScoped(o.GetNamespace(), o.isNamespaced()). + NamespaceIfScoped(o.namespace, o.isNamespaced()). Resource(o.resource()). - Name(o.GetName()). + Name(o.name). Body(deleteOpts.AsDeleteOptions()). Do(ctx). Error() @@ -157,15 +158,41 @@ func (uc *unstructuredClient) Patch(ctx context.Context, obj Object, patch Patch patchOpts.ApplyOptions(opts) return o.Patch(patch.Type()). - NamespaceIfScoped(o.GetNamespace(), o.isNamespaced()). + NamespaceIfScoped(o.namespace, o.isNamespaced()). Resource(o.resource()). - Name(o.GetName()). + Name(o.name). VersionedParams(patchOpts.AsPatchOptions(), uc.paramCodec). Body(data). Do(ctx). Into(obj) } +func (uc *unstructuredClient) Apply(ctx context.Context, obj runtime.ApplyConfiguration, opts ...ApplyOption) error { + unstructuredApplyConfig, ok := obj.(*unstructuredApplyConfiguration) + if !ok { + return fmt.Errorf("bug: unstructured client got an applyconfiguration that was not %T but %T", &unstructuredApplyConfiguration{}, obj) + } + o, err := uc.resources.getObjMeta(unstructuredApplyConfig.Unstructured) + if err != nil { + return err + } + + req, err := apply.NewRequest(o, obj) + if err != nil { + return fmt.Errorf("failed to create apply request: %w", err) + } + applyOpts := &ApplyOptions{} + applyOpts.ApplyOptions(opts) + + return req. + NamespaceIfScoped(o.namespace, o.isNamespaced()). + Resource(o.resource()). + Name(o.name). + VersionedParams(applyOpts.AsPatchOptions(), uc.paramCodec). + Do(ctx). + Into(unstructuredApplyConfig.Unstructured) +} + // Get implements client.Client. func (uc *unstructuredClient) Get(ctx context.Context, key ObjectKey, obj Object, opts ...GetOption) error { u, ok := obj.(runtime.Unstructured) @@ -244,9 +271,9 @@ func (uc *unstructuredClient) GetSubResource(ctx context.Context, obj, subResour getOpts.ApplyOptions(opts) return o.Get(). - NamespaceIfScoped(o.GetNamespace(), o.isNamespaced()). + NamespaceIfScoped(o.namespace, o.isNamespaced()). Resource(o.resource()). - Name(o.GetName()). + Name(o.name). SubResource(subResource). VersionedParams(getOpts.AsGetOptions(), uc.paramCodec). Do(ctx). @@ -275,9 +302,9 @@ func (uc *unstructuredClient) CreateSubResource(ctx context.Context, obj, subRes createOpts.ApplyOptions(opts) return o.Post(). - NamespaceIfScoped(o.GetNamespace(), o.isNamespaced()). + NamespaceIfScoped(o.namespace, o.isNamespaced()). Resource(o.resource()). - Name(o.GetName()). + Name(o.name). SubResource(subResource). Body(subResourceObj). VersionedParams(createOpts.AsCreateOptions(), uc.paramCodec). @@ -310,9 +337,9 @@ func (uc *unstructuredClient) UpdateSubResource(ctx context.Context, obj Object, } return o.Put(). - NamespaceIfScoped(o.GetNamespace(), o.isNamespaced()). + NamespaceIfScoped(o.namespace, o.isNamespaced()). Resource(o.resource()). - Name(o.GetName()). + Name(o.name). SubResource(subResource). Body(body). VersionedParams(updateOpts.AsUpdateOptions(), uc.paramCodec). @@ -347,9 +374,9 @@ func (uc *unstructuredClient) PatchSubResource(ctx context.Context, obj Object, } result := o.Patch(patch.Type()). - NamespaceIfScoped(o.GetNamespace(), o.isNamespaced()). + NamespaceIfScoped(o.namespace, o.isNamespaced()). Resource(o.resource()). - Name(o.GetName()). + Name(o.name). SubResource(subResource). Body(data). VersionedParams(patchOpts.AsPatchOptions(), uc.paramCodec). diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/config/controller.go b/vendor/sigs.k8s.io/controller-runtime/pkg/config/controller.go index a5655593e..3dafaef93 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/config/controller.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/config/controller.go @@ -60,12 +60,33 @@ type Controller struct { // Defaults to true, which means the controller will use leader election. NeedLeaderElection *bool + // EnableWarmup specifies whether the controller should start its sources when the manager is not + // the leader. This is useful for cases where sources take a long time to start, as it allows + // for the controller to warm up its caches even before it is elected as the leader. This + // improves leadership failover time, as the caches will be prepopulated before the controller + // transitions to be leader. + // + // Setting EnableWarmup to true and NeedLeaderElection to true means the controller will start its + // sources without waiting to become leader. + // Setting EnableWarmup to true and NeedLeaderElection to false is a no-op as controllers without + // leader election do not wait on leader election to start their sources. + // Defaults to false. + // + // Note: This feature is currently in beta and subject to change. + // For more details, see: https://github.com/kubernetes-sigs/controller-runtime/issues/3220. + EnableWarmup *bool + // UsePriorityQueue configures the controllers queue to use the controller-runtime provided // priority queue. // - // Note: This flag is disabled by default until a future version. It's currently in beta. + // Note: This flag is disabled by default until a future version. This feature is currently in beta. + // For more details, see: https://github.com/kubernetes-sigs/controller-runtime/issues/2374. UsePriorityQueue *bool // Logger is the logger controllers should use. Logger logr.Logger + + // ReconciliationTimeout is used as the timeout passed to the context of each Reconcile call. + // By default, there is no timeout. + ReconciliationTimeout time.Duration } diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/controller/controller.go b/vendor/sigs.k8s.io/controller-runtime/pkg/controller/controller.go index 9de959b48..afa15aebe 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/controller/controller.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/controller/controller.go @@ -91,8 +91,29 @@ type TypedOptions[request comparable] struct { // UsePriorityQueue configures the controllers queue to use the controller-runtime provided // priority queue. // - // Note: This flag is disabled by default until a future version. It's currently in beta. + // Note: This flag is disabled by default until a future version. This feature is currently in beta. + // For more details, see: https://github.com/kubernetes-sigs/controller-runtime/issues/2374. UsePriorityQueue *bool + + // EnableWarmup specifies whether the controller should start its sources when the manager is not + // the leader. This is useful for cases where sources take a long time to start, as it allows + // for the controller to warm up its caches even before it is elected as the leader. This + // improves leadership failover time, as the caches will be prepopulated before the controller + // transitions to be leader. + // + // Setting EnableWarmup to true and NeedLeaderElection to true means the controller will start its + // sources without waiting to become leader. + // Setting EnableWarmup to true and NeedLeaderElection to false is a no-op as controllers without + // leader election do not wait on leader election to start their sources. + // Defaults to false. + // + // Note: This feature is currently in beta and subject to change. + // For more details, see: https://github.com/kubernetes-sigs/controller-runtime/issues/3220. + EnableWarmup *bool + + // ReconciliationTimeout is used as the timeout passed to the context of each Reconcile call. + // By default, there is no timeout. + ReconciliationTimeout time.Duration } // DefaultFromConfig defaults the config from a config.Controller @@ -124,6 +145,14 @@ func (options *TypedOptions[request]) DefaultFromConfig(config config.Controller if options.NeedLeaderElection == nil { options.NeedLeaderElection = config.NeedLeaderElection } + + if options.EnableWarmup == nil { + options.EnableWarmup = config.EnableWarmup + } + + if options.ReconciliationTimeout == 0 { + options.ReconciliationTimeout = config.ReconciliationTimeout + } } // Controller implements an API. A Controller manages a work queue fed reconcile.Requests @@ -243,7 +272,7 @@ func NewTypedUnmanaged[request comparable](name string, options TypedOptions[req } // Create controller with dependencies set - return &controller.Controller[request]{ + return controller.New[request](controller.Options[request]{ Do: options.Reconciler, RateLimiter: options.RateLimiter, NewQueue: options.NewQueue, @@ -253,7 +282,9 @@ func NewTypedUnmanaged[request comparable](name string, options TypedOptions[req LogConstructor: options.LogConstructor, RecoverPanic: options.RecoverPanic, LeaderElected: options.NeedLeaderElection, - }, nil + EnableWarmup: options.EnableWarmup, + ReconciliationTimeout: options.ReconciliationTimeout, + }), nil } // ReconcileIDFromContext gets the reconcileID from the current context. diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/controller/priorityqueue/priorityqueue.go b/vendor/sigs.k8s.io/controller-runtime/pkg/controller/priorityqueue/priorityqueue.go index c3f77a6f3..71363f0d1 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/controller/priorityqueue/priorityqueue.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/controller/priorityqueue/priorityqueue.go @@ -1,6 +1,7 @@ package priorityqueue import ( + "math" "sync" "sync/atomic" "time" @@ -19,7 +20,10 @@ import ( type AddOpts struct { After time.Duration RateLimited bool - Priority int + // Priority is the priority of the item. Higher values + // indicate higher priority. + // Defaults to zero if unset. + Priority *int } // PriorityQueue is a priority queue for a controller. It @@ -120,8 +124,8 @@ type priorityqueue[T comparable] struct { get chan item[T] // waiters is the number of routines blocked in Get, we use it to determine - // if we can push items. - waiters atomic.Int64 + // if we can push items. Every manipulation has to be protected with the lock. + waiters int64 // Configurable for testing now func() time.Time @@ -129,6 +133,10 @@ type priorityqueue[T comparable] struct { } func (w *priorityqueue[T]) AddWithOpts(o AddOpts, items ...T) { + if w.shutdown.Load() { + return + } + w.lock.Lock() defer w.lock.Unlock() @@ -150,7 +158,7 @@ func (w *priorityqueue[T]) AddWithOpts(o AddOpts, items ...T) { item := &item[T]{ Key: key, AddedCounter: w.addedCounter, - Priority: o.Priority, + Priority: ptr.Deref(o.Priority, 0), ReadyAt: readyAt, } w.items[key] = item @@ -165,12 +173,12 @@ func (w *priorityqueue[T]) AddWithOpts(o AddOpts, items ...T) { // The b-tree de-duplicates based on ordering and any change here // will affect the order - Just delete and re-add. item, _ := w.queue.Delete(w.items[key]) - if o.Priority > item.Priority { + if newPriority := ptr.Deref(o.Priority, 0); newPriority > item.Priority { // Update depth metric only if the item in the queue was already added to the depth metric. if item.ReadyAt == nil || w.becameReady.Has(key) { - w.metrics.updateDepthWithPriorityMetric(item.Priority, o.Priority) + w.metrics.updateDepthWithPriorityMetric(item.Priority, newPriority) } - item.Priority = o.Priority + item.Priority = newPriority } if item.ReadyAt != nil && (readyAt == nil || readyAt.Before(*item.ReadyAt)) { @@ -199,6 +207,7 @@ func (w *priorityqueue[T]) spin() { blockForever := make(chan time.Time) var nextReady <-chan time.Time nextReady = blockForever + var nextItemReadyAt time.Time for { select { @@ -206,10 +215,10 @@ func (w *priorityqueue[T]) spin() { return case <-w.itemOrWaiterAdded: case <-nextReady: + nextReady = blockForever + nextItemReadyAt = time.Time{} } - nextReady = blockForever - func() { w.lock.Lock() defer w.lock.Unlock() @@ -220,39 +229,67 @@ func (w *priorityqueue[T]) spin() { // manipulating the tree from within Ascend might lead to panics, so // track what we want to delete and do it after we are done ascending. var toDelete []*item[T] - w.queue.Ascend(func(item *item[T]) bool { - if item.ReadyAt != nil { - if readyAt := item.ReadyAt.Sub(w.now()); readyAt > 0 { - nextReady = w.tick(readyAt) - return false + + var key T + + // Items in the queue tree are sorted first by priority and second by readiness, so + // items with a lower priority might be ready further down in the queue. + // We iterate through the priorities high to low until we find a ready item + pivot := item[T]{ + Key: key, + AddedCounter: 0, + Priority: math.MaxInt, + ReadyAt: nil, + } + + for { + pivotChange := false + + w.queue.AscendGreaterOrEqual(&pivot, func(item *item[T]) bool { + // Item is locked, we can not hand it out + if w.locked.Has(item.Key) { + return true } - if !w.becameReady.Has(item.Key) { - w.metrics.add(item.Key, item.Priority) - w.becameReady.Insert(item.Key) + + if item.ReadyAt != nil { + if readyAt := item.ReadyAt.Sub(w.now()); readyAt > 0 { + if nextItemReadyAt.After(*item.ReadyAt) || nextItemReadyAt.IsZero() { + nextReady = w.tick(readyAt) + nextItemReadyAt = *item.ReadyAt + } + + // Adjusting the pivot item moves the ascend to the next lower priority + pivot.Priority = item.Priority - 1 + pivotChange = true + return false + } + if !w.becameReady.Has(item.Key) { + w.metrics.add(item.Key, item.Priority) + w.becameReady.Insert(item.Key) + } } - } - if w.waiters.Load() == 0 { - // Have to keep iterating here to ensure we update metrics - // for further items that became ready and set nextReady. - return true - } + if w.waiters == 0 { + // Have to keep iterating here to ensure we update metrics + // for further items that became ready and set nextReady. + return true + } - // Item is locked, we can not hand it out - if w.locked.Has(item.Key) { - return true - } + w.metrics.get(item.Key, item.Priority) + w.locked.Insert(item.Key) + w.waiters-- + delete(w.items, item.Key) + toDelete = append(toDelete, item) + w.becameReady.Delete(item.Key) + w.get <- *item - w.metrics.get(item.Key, item.Priority) - w.locked.Insert(item.Key) - w.waiters.Add(-1) - delete(w.items, item.Key) - toDelete = append(toDelete, item) - w.becameReady.Delete(item.Key) - w.get <- *item + return true + }) - return true - }) + if !pivotChange { + break + } + } for _, item := range toDelete { w.queue.Delete(item) @@ -274,12 +311,29 @@ func (w *priorityqueue[T]) AddRateLimited(item T) { } func (w *priorityqueue[T]) GetWithPriority() (_ T, priority int, shutdown bool) { - w.waiters.Add(1) + if w.shutdown.Load() { + var zero T + return zero, 0, true + } + + w.lock.Lock() + w.waiters++ + w.lock.Unlock() w.notifyItemOrWaiterAdded() - item := <-w.get - return item.Key, item.Priority, w.shutdown.Load() + select { + case <-w.done: + // Return if the queue was shutdown while we were already waiting for an item here. + // For example controller workers are continuously calling GetWithPriority and + // GetWithPriority is blocking the workers if there are no items in the queue. + // If the controller and accordingly the queue is then shut down, without this code + // branch the controller workers remain blocked here and are unable to shut down. + var zero T + return zero, 0, true + case item := <-w.get: + return item.Key, item.Priority, w.shutdown.Load() + } } func (w *priorityqueue[T]) Get() (item T, shutdown bool) { @@ -365,6 +419,9 @@ func (w *priorityqueue[T]) logState() { } func less[T comparable](a, b *item[T]) bool { + if a.Priority != b.Priority { + return a.Priority > b.Priority + } if a.ReadyAt == nil && b.ReadyAt != nil { return true } @@ -374,9 +431,6 @@ func less[T comparable](a, b *item[T]) bool { if a.ReadyAt != nil && b.ReadyAt != nil && !a.ReadyAt.Equal(*b.ReadyAt) { return a.ReadyAt.Before(*b.ReadyAt) } - if a.Priority != b.Priority { - return a.Priority > b.Priority - } return a.AddedCounter < b.AddedCounter } @@ -404,4 +458,5 @@ type bTree[T any] interface { ReplaceOrInsert(item T) (_ T, _ bool) Delete(item T) (T, bool) Ascend(iterator btree.ItemIteratorG[T]) + AscendGreaterOrEqual(pivot T, iterator btree.ItemIteratorG[T]) } diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/envtest/binaries.go b/vendor/sigs.k8s.io/controller-runtime/pkg/envtest/binaries.go index 4c9b1dae3..5110d3265 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/envtest/binaries.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/envtest/binaries.go @@ -32,10 +32,9 @@ import ( "path" "path/filepath" "runtime" - "sort" "strings" - "github.com/blang/semver/v4" + "k8s.io/apimachinery/pkg/util/version" "sigs.k8s.io/yaml" ) @@ -111,6 +110,25 @@ type archive struct { SelfLink string `json:"selfLink"` } +// parseKubernetesVersion returns: +// 1. the SemVer form of s when it refers to a specific Kubernetes release, or +// 2. the major and minor portions of s when it refers to a release series, or +// 3. an error +func parseKubernetesVersion(s string) (exact string, major, minor uint, err error) { + if v, err := version.ParseSemantic(s); err == nil { + return v.String(), 0, 0, nil + } + + // See two parseable components and nothing else. + if v, err := version.ParseGeneric(s); err == nil && len(v.Components()) == 2 { + if v.String() == strings.TrimPrefix(s, "v") { + return "", v.Major(), v.Minor(), nil + } + } + + return "", 0, 0, fmt.Errorf("could not parse %q as version", s) +} + func downloadBinaryAssets(ctx context.Context, binaryAssetsDirectory, binaryAssetsVersion, binaryAssetsIndexURL string) (string, string, string, error) { if binaryAssetsIndexURL == "" { binaryAssetsIndexURL = DefaultBinaryAssetsIndexURL @@ -125,14 +143,23 @@ func downloadBinaryAssets(ctx context.Context, binaryAssetsDirectory, binaryAsse } var binaryAssetsIndex *index - if binaryAssetsVersion == "" { - var err error + switch exact, major, minor, err := parseKubernetesVersion(binaryAssetsVersion); { + case binaryAssetsVersion != "" && err != nil: + return "", "", "", err + + case binaryAssetsVersion != "" && exact != "": + // Look for these specific binaries locally before downloading them from the release index. + // Use the canonical form of the version from here on. + binaryAssetsVersion = "v" + exact + + case binaryAssetsVersion == "" || major != 0 || minor != 0: + // Select a stable version from the release index before continuing. binaryAssetsIndex, err = getIndex(ctx, binaryAssetsIndexURL) if err != nil { return "", "", "", err } - binaryAssetsVersion, err = latestStableVersionFromIndex(binaryAssetsIndex) + binaryAssetsVersion, err = latestStableVersionFromIndex(binaryAssetsIndex, major, minor) if err != nil { return "", "", "", err } @@ -252,34 +279,50 @@ func downloadBinaryAssetsArchive(ctx context.Context, index *index, version stri return readBody(resp, out, archiveName, archive.Hash) } -func latestStableVersionFromIndex(index *index) (string, error) { +// latestStableVersionFromIndex returns the version with highest [precedence] in index that is not a prerelease. +// When either major or minor are not zero, the returned version will have those major and minor versions. +// Note that the version cannot be limited to 0.0.x this way. +// +// It is an error when there is no appropriate version in index. +// +// [precedence]: https://semver.org/spec/v2.0.0.html#spec-item-11 +func latestStableVersionFromIndex(index *index, major, minor uint) (string, error) { if len(index.Releases) == 0 { return "", fmt.Errorf("failed to find latest stable version from index: index is empty") } - parsedVersions := []semver.Version{} + var found *version.Version for releaseVersion := range index.Releases { - v, err := semver.ParseTolerant(releaseVersion) + v, err := version.ParseSemantic(releaseVersion) if err != nil { return "", fmt.Errorf("failed to parse version %q: %w", releaseVersion, err) } // Filter out pre-releases. - if len(v.Pre) > 0 { + if len(v.PreRelease()) > 0 { continue } - parsedVersions = append(parsedVersions, v) + // Filter on release series, if any. + if (major != 0 || minor != 0) && (v.Major() != major || v.Minor() != minor) { + continue + } + + if found == nil || v.GreaterThan(found) { + found = v + } } - if len(parsedVersions) == 0 { - return "", fmt.Errorf("failed to find latest stable version from index: index does not have stable versions") + if found == nil { + search := "any" + if major != 0 || minor != 0 { + search = fmt.Sprint(major, ".", minor) + } + + return "", fmt.Errorf("failed to find latest stable version from index: index does not have %s stable versions", search) } - sort.Slice(parsedVersions, func(i, j int) bool { - return parsedVersions[i].GT(parsedVersions[j]) - }) - return "v" + parsedVersions[0].String(), nil + return "v" + found.String(), nil } func getIndex(ctx context.Context, indexURL string) (*index, error) { diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/envtest/server.go b/vendor/sigs.k8s.io/controller-runtime/pkg/envtest/server.go index 9bb81ed2a..c9f19da97 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/envtest/server.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/envtest/server.go @@ -109,7 +109,11 @@ var ( // Environment creates a Kubernetes test environment that will start / stop the Kubernetes control plane and // install extension APIs. type Environment struct { - // ControlPlane is the ControlPlane including the apiserver and etcd + // ControlPlane is the ControlPlane including the apiserver and etcd. + // Binary paths (APIServer.Path, Etcd.Path, KubectlPath) can be pre-configured in ControlPlane. + // If DownloadBinaryAssets is true, the downloaded paths will always be used. + // If DownloadBinaryAssets is false and paths are not pre-configured (default is empty), they will be + // automatically resolved using BinaryAssetsDirectory. ControlPlane controlplane.ControlPlane // Scheme is used to determine if conversion webhooks should be enabled @@ -211,6 +215,40 @@ func (te *Environment) Stop() error { return te.ControlPlane.Stop() } +// configureBinaryPaths configures the binary paths for the API server, etcd, and kubectl. +// If DownloadBinaryAssets is true, it downloads and uses those paths. +// If DownloadBinaryAssets is false, it only sets paths that are not already configured (empty). +func (te *Environment) configureBinaryPaths() error { + apiServer := te.ControlPlane.GetAPIServer() + + if te.ControlPlane.Etcd == nil { + te.ControlPlane.Etcd = &controlplane.Etcd{} + } + + if te.DownloadBinaryAssets { + apiServerPath, etcdPath, kubectlPath, err := downloadBinaryAssets(context.TODO(), + te.BinaryAssetsDirectory, te.DownloadBinaryAssetsVersion, te.DownloadBinaryAssetsIndexURL) + if err != nil { + return err + } + + apiServer.Path = apiServerPath + te.ControlPlane.Etcd.Path = etcdPath + te.ControlPlane.KubectlPath = kubectlPath + } else { + if apiServer.Path == "" { + apiServer.Path = process.BinPathFinder("kube-apiserver", te.BinaryAssetsDirectory) + } + if te.ControlPlane.Etcd.Path == "" { + te.ControlPlane.Etcd.Path = process.BinPathFinder("etcd", te.BinaryAssetsDirectory) + } + if te.ControlPlane.KubectlPath == "" { + te.ControlPlane.KubectlPath = process.BinPathFinder("kubectl", te.BinaryAssetsDirectory) + } + } + return nil +} + // Start starts a local Kubernetes server and updates te.ApiserverPort with the port it is listening on. func (te *Environment) Start() (*rest.Config, error) { if te.useExistingCluster() { @@ -229,10 +267,6 @@ func (te *Environment) Start() (*rest.Config, error) { } else { apiServer := te.ControlPlane.GetAPIServer() - if te.ControlPlane.Etcd == nil { - te.ControlPlane.Etcd = &controlplane.Etcd{} - } - if os.Getenv(envAttachOutput) == "true" { te.AttachControlPlaneOutput = true } @@ -243,6 +277,9 @@ func (te *Environment) Start() (*rest.Config, error) { if apiServer.Err == nil { apiServer.Err = os.Stderr } + if te.ControlPlane.Etcd == nil { + te.ControlPlane.Etcd = &controlplane.Etcd{} + } if te.ControlPlane.Etcd.Out == nil { te.ControlPlane.Etcd.Out = os.Stdout } @@ -251,20 +288,8 @@ func (te *Environment) Start() (*rest.Config, error) { } } - if te.DownloadBinaryAssets { - apiServerPath, etcdPath, kubectlPath, err := downloadBinaryAssets(context.TODO(), - te.BinaryAssetsDirectory, te.DownloadBinaryAssetsVersion, te.DownloadBinaryAssetsIndexURL) - if err != nil { - return nil, err - } - - apiServer.Path = apiServerPath - te.ControlPlane.Etcd.Path = etcdPath - te.ControlPlane.KubectlPath = kubectlPath - } else { - apiServer.Path = process.BinPathFinder("kube-apiserver", te.BinaryAssetsDirectory) - te.ControlPlane.Etcd.Path = process.BinPathFinder("etcd", te.BinaryAssetsDirectory) - te.ControlPlane.KubectlPath = process.BinPathFinder("kubectl", te.BinaryAssetsDirectory) + if err := te.configureBinaryPaths(); err != nil { + return nil, fmt.Errorf("failed to configure binary paths: %w", err) } if err := te.defaultTimeouts(); err != nil { diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/handler/enqueue_mapped.go b/vendor/sigs.k8s.io/controller-runtime/pkg/handler/enqueue_mapped.go index fe78f21a2..62d672815 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/handler/enqueue_mapped.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/handler/enqueue_mapped.go @@ -20,6 +20,7 @@ import ( "context" "k8s.io/client-go/util/workqueue" + "k8s.io/utils/ptr" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/controller/priorityqueue" "sigs.k8s.io/controller-runtime/pkg/event" @@ -141,7 +142,7 @@ func (e *enqueueRequestsFromMapFunc[object, request]) mapAndEnqueue( if !ok { if lowPriority { q.(priorityqueue.PriorityQueue[request]).AddWithOpts(priorityqueue.AddOpts{ - Priority: LowPriority, + Priority: ptr.To(LowPriority), }, req) } else { q.Add(req) diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/handler/eventhandler.go b/vendor/sigs.k8s.io/controller-runtime/pkg/handler/eventhandler.go index 29e755cbf..88510d29e 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/handler/eventhandler.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/handler/eventhandler.go @@ -19,8 +19,10 @@ package handler import ( "context" "reflect" + "time" "k8s.io/client-go/util/workqueue" + "k8s.io/utils/ptr" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/controller/priorityqueue" "sigs.k8s.io/controller-runtime/pkg/event" @@ -126,20 +128,14 @@ func (h TypedFuncs[object, request]) Create(ctx context.Context, e event.TypedCr h.CreateFunc(ctx, e, q) return } - wq := workqueueWithCustomAddFunc[request]{ - TypedRateLimitingInterface: q, + + wq := workqueueWithDefaultPriority[request]{ // We already know that we have a priority queue, that event.Object implements // client.Object and that its not nil - addFunc: func(item request, q workqueue.TypedRateLimitingInterface[request]) { - var priority int - if e.IsInInitialList { - priority = LowPriority - } - q.(priorityqueue.PriorityQueue[request]).AddWithOpts( - priorityqueue.AddOpts{Priority: priority}, - item, - ) - }, + PriorityQueue: q.(priorityqueue.PriorityQueue[request]), + } + if e.IsInInitialList { + wq.priority = ptr.To(LowPriority) } h.CreateFunc(ctx, e, wq) } @@ -160,20 +156,13 @@ func (h TypedFuncs[object, request]) Update(ctx context.Context, e event.TypedUp return } - wq := workqueueWithCustomAddFunc[request]{ - TypedRateLimitingInterface: q, + wq := workqueueWithDefaultPriority[request]{ // We already know that we have a priority queue, that event.ObjectOld and ObjectNew implement // client.Object and that they are not nil - addFunc: func(item request, q workqueue.TypedRateLimitingInterface[request]) { - var priority int - if any(e.ObjectOld).(client.Object).GetResourceVersion() == any(e.ObjectNew).(client.Object).GetResourceVersion() { - priority = LowPriority - } - q.(priorityqueue.PriorityQueue[request]).AddWithOpts( - priorityqueue.AddOpts{Priority: priority}, - item, - ) - }, + PriorityQueue: q.(priorityqueue.PriorityQueue[request]), + } + if any(e.ObjectOld).(client.Object).GetResourceVersion() == any(e.ObjectNew).(client.Object).GetResourceVersion() { + wq.priority = ptr.To(LowPriority) } h.UpdateFunc(ctx, e, wq) } @@ -201,13 +190,28 @@ func WithLowPriorityWhenUnchanged[object client.Object, request comparable](u Ty } } -type workqueueWithCustomAddFunc[request comparable] struct { - workqueue.TypedRateLimitingInterface[request] - addFunc func(item request, q workqueue.TypedRateLimitingInterface[request]) +type workqueueWithDefaultPriority[request comparable] struct { + priorityqueue.PriorityQueue[request] + priority *int +} + +func (w workqueueWithDefaultPriority[request]) Add(item request) { + w.PriorityQueue.AddWithOpts(priorityqueue.AddOpts{Priority: w.priority}, item) } -func (w workqueueWithCustomAddFunc[request]) Add(item request) { - w.addFunc(item, w.TypedRateLimitingInterface) +func (w workqueueWithDefaultPriority[request]) AddAfter(item request, after time.Duration) { + w.PriorityQueue.AddWithOpts(priorityqueue.AddOpts{Priority: w.priority, After: after}, item) +} + +func (w workqueueWithDefaultPriority[request]) AddRateLimited(item request) { + w.PriorityQueue.AddWithOpts(priorityqueue.AddOpts{Priority: w.priority, RateLimited: true}, item) +} + +func (w workqueueWithDefaultPriority[request]) AddWithOpts(o priorityqueue.AddOpts, items ...request) { + if o.Priority == nil { + o.Priority = w.priority + } + w.PriorityQueue.AddWithOpts(o, items...) } // addToQueueCreate adds the reconcile.Request to the priorityqueue in the handler @@ -219,9 +223,9 @@ func addToQueueCreate[T client.Object, request comparable](q workqueue.TypedRate return } - var priority int + var priority *int if evt.IsInInitialList { - priority = LowPriority + priority = ptr.To(LowPriority) } priorityQueue.AddWithOpts(priorityqueue.AddOpts{Priority: priority}, item) } @@ -235,9 +239,9 @@ func addToQueueUpdate[T client.Object, request comparable](q workqueue.TypedRate return } - var priority int + var priority *int if evt.ObjectOld.GetResourceVersion() == evt.ObjectNew.GetResourceVersion() { - priority = LowPriority + priority = ptr.To(LowPriority) } priorityQueue.AddWithOpts(priorityqueue.AddOpts{Priority: priority}, item) } diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go b/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go index 9fa7ec71e..ea7968186 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go @@ -30,6 +30,7 @@ import ( utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/apimachinery/pkg/util/uuid" "k8s.io/client-go/util/workqueue" + "k8s.io/utils/ptr" "sigs.k8s.io/controller-runtime/pkg/controller/priorityqueue" ctrlmetrics "sigs.k8s.io/controller-runtime/pkg/internal/controller/metrics" @@ -38,6 +39,55 @@ import ( "sigs.k8s.io/controller-runtime/pkg/source" ) +// Options are the arguments for creating a new Controller. +type Options[request comparable] struct { + // Reconciler is a function that can be called at any time with the Name / Namespace of an object and + // ensures that the state of the system matches the state specified in the object. + // Defaults to the DefaultReconcileFunc. + Do reconcile.TypedReconciler[request] + + // RateLimiter is used to limit how frequently requests may be queued into the work queue. + RateLimiter workqueue.TypedRateLimiter[request] + + // NewQueue constructs the queue for this controller once the controller is ready to start. + // This is a func because the standard Kubernetes work queues start themselves immediately, which + // leads to goroutine leaks if something calls controller.New repeatedly. + NewQueue func(controllerName string, rateLimiter workqueue.TypedRateLimiter[request]) workqueue.TypedRateLimitingInterface[request] + + // MaxConcurrentReconciles is the maximum number of concurrent Reconciles which can be run. Defaults to 1. + MaxConcurrentReconciles int + + // CacheSyncTimeout refers to the time limit set on waiting for cache to sync + // Defaults to 2 minutes if not set. + CacheSyncTimeout time.Duration + + // Name is used to uniquely identify a Controller in tracing, logging and monitoring. Name is required. + Name string + + // LogConstructor is used to construct a logger to then log messages to users during reconciliation, + // or for example when a watch is started. + // Note: LogConstructor has to be able to handle nil requests as we are also using it + // outside the context of a reconciliation. + LogConstructor func(request *request) logr.Logger + + // RecoverPanic indicates whether the panic caused by reconcile should be recovered. + // Defaults to true. + RecoverPanic *bool + + // LeaderElected indicates whether the controller is leader elected or always running. + LeaderElected *bool + + // EnableWarmup specifies whether the controller should start its sources + // when the manager is not the leader. + // Defaults to false, which means that the controller will wait for leader election to start + // before starting sources. + EnableWarmup *bool + + // ReconciliationTimeout is used as the timeout passed to the context of each Reconcile call. + // By default, there is no timeout. + ReconciliationTimeout time.Duration +} + // Controller implements controller.Controller. type Controller[request comparable] struct { // Name is used to uniquely identify a Controller in tracing, logging and monitoring. Name is required. @@ -83,6 +133,14 @@ type Controller[request comparable] struct { // startWatches maintains a list of sources, handlers, and predicates to start when the controller is started. startWatches []source.TypedSource[request] + // startedEventSourcesAndQueue is used to track if the event sources have been started. + // It ensures that we append sources to c.startWatches only until we call Start() / Warmup() + // It is true if startEventSourcesAndQueueLocked has been called at least once. + startedEventSourcesAndQueue bool + + // didStartEventSourcesOnce is used to ensure that the event sources are only started once. + didStartEventSourcesOnce sync.Once + // LogConstructor is used to construct a logger to then log messages to users during reconciliation, // or for example when a watch is started. // Note: LogConstructor has to be able to handle nil requests as we are also using it @@ -95,6 +153,38 @@ type Controller[request comparable] struct { // LeaderElected indicates whether the controller is leader elected or always running. LeaderElected *bool + + // EnableWarmup specifies whether the controller should start its sources when the manager is not + // the leader. This is useful for cases where sources take a long time to start, as it allows + // for the controller to warm up its caches even before it is elected as the leader. This + // improves leadership failover time, as the caches will be prepopulated before the controller + // transitions to be leader. + // + // Setting EnableWarmup to true and NeedLeaderElection to true means the controller will start its + // sources without waiting to become leader. + // Setting EnableWarmup to true and NeedLeaderElection to false is a no-op as controllers without + // leader election do not wait on leader election to start their sources. + // Defaults to false. + EnableWarmup *bool + + ReconciliationTimeout time.Duration +} + +// New returns a new Controller configured with the given options. +func New[request comparable](options Options[request]) *Controller[request] { + return &Controller[request]{ + Do: options.Do, + RateLimiter: options.RateLimiter, + NewQueue: options.NewQueue, + MaxConcurrentReconciles: options.MaxConcurrentReconciles, + CacheSyncTimeout: options.CacheSyncTimeout, + Name: options.Name, + LogConstructor: options.LogConstructor, + RecoverPanic: options.RecoverPanic, + LeaderElected: options.LeaderElected, + EnableWarmup: options.EnableWarmup, + ReconciliationTimeout: options.ReconciliationTimeout, + } } // Reconcile implements reconcile.Reconciler. @@ -116,6 +206,13 @@ func (c *Controller[request]) Reconcile(ctx context.Context, req request) (_ rec panic(r) } }() + + if c.ReconciliationTimeout > 0 { + var cancel context.CancelFunc + ctx, cancel = context.WithTimeout(ctx, c.ReconciliationTimeout) + defer cancel() + } + return c.Do.Reconcile(ctx, req) } @@ -124,10 +221,9 @@ func (c *Controller[request]) Watch(src source.TypedSource[request]) error { c.mu.Lock() defer c.mu.Unlock() - // Controller hasn't started yet, store the watches locally and return. - // - // These watches are going to be held on the controller struct until the manager or user calls Start(...). - if !c.Started { + // Sources weren't started yet, store the watches locally and return. + // These sources are going to be held until either Warmup() or Start(...) is called. + if !c.startedEventSourcesAndQueue { c.startWatches = append(c.startWatches, src) return nil } @@ -144,6 +240,21 @@ func (c *Controller[request]) NeedLeaderElection() bool { return *c.LeaderElected } +// Warmup implements the manager.WarmupRunnable interface. +func (c *Controller[request]) Warmup(ctx context.Context) error { + if c.EnableWarmup == nil || !*c.EnableWarmup { + return nil + } + + c.mu.Lock() + defer c.mu.Unlock() + + // Set the ctx so later calls to watch use this internal context + c.ctx = ctx + + return c.startEventSourcesAndQueueLocked(ctx) +} + // Start implements controller.Controller. func (c *Controller[request]) Start(ctx context.Context) error { // use an IIFE to get proper lock handling @@ -158,17 +269,6 @@ func (c *Controller[request]) Start(ctx context.Context) error { // Set the internal context. c.ctx = ctx - queue := c.NewQueue(c.Name, c.RateLimiter) - if priorityQueue, isPriorityQueue := queue.(priorityqueue.PriorityQueue[request]); isPriorityQueue { - c.Queue = priorityQueue - } else { - c.Queue = &priorityQueueWrapper[request]{TypedRateLimitingInterface: queue} - } - go func() { - <-ctx.Done() - c.Queue.ShutDown() - }() - wg := &sync.WaitGroup{} err := func() error { defer c.mu.Unlock() @@ -179,18 +279,12 @@ func (c *Controller[request]) Start(ctx context.Context) error { // NB(directxman12): launch the sources *before* trying to wait for the // caches to sync so that they have a chance to register their intended // caches. - if err := c.startEventSources(ctx); err != nil { + if err := c.startEventSourcesAndQueueLocked(ctx); err != nil { return err } c.LogConstructor(nil).Info("Starting Controller") - // All the watches have been started, we can reset the local slice. - // - // We should never hold watches more than necessary, each watch source can hold a backing cache, - // which won't be garbage collected if we hold a reference to it. - c.startWatches = nil - // Launch workers to process resources c.LogConstructor(nil).Info("Starting workers", "worker count", c.MaxConcurrentReconciles) wg.Add(c.MaxConcurrentReconciles) @@ -218,63 +312,90 @@ func (c *Controller[request]) Start(ctx context.Context) error { return nil } -// startEventSources launches all the sources registered with this controller and waits +// startEventSourcesAndQueueLocked launches all the sources registered with this controller and waits // for them to sync. It returns an error if any of the sources fail to start or sync. -func (c *Controller[request]) startEventSources(ctx context.Context) error { - errGroup := &errgroup.Group{} - for _, watch := range c.startWatches { - log := c.LogConstructor(nil) - _, ok := watch.(interface { - String() string - }) - - if !ok { - log = log.WithValues("source", fmt.Sprintf("%T", watch)) +func (c *Controller[request]) startEventSourcesAndQueueLocked(ctx context.Context) error { + var retErr error + + c.didStartEventSourcesOnce.Do(func() { + queue := c.NewQueue(c.Name, c.RateLimiter) + if priorityQueue, isPriorityQueue := queue.(priorityqueue.PriorityQueue[request]); isPriorityQueue { + c.Queue = priorityQueue } else { - log = log.WithValues("source", fmt.Sprintf("%s", watch)) + c.Queue = &priorityQueueWrapper[request]{TypedRateLimitingInterface: queue} } - didStartSyncingSource := &atomic.Bool{} - errGroup.Go(func() error { - // Use a timeout for starting and syncing the source to avoid silently - // blocking startup indefinitely if it doesn't come up. - sourceStartCtx, cancel := context.WithTimeout(ctx, c.CacheSyncTimeout) - defer cancel() - - sourceStartErrChan := make(chan error, 1) // Buffer chan to not leak goroutine if we time out - go func() { - defer close(sourceStartErrChan) - log.Info("Starting EventSource") - if err := watch.Start(ctx, c.Queue); err != nil { - sourceStartErrChan <- err - return - } - syncingSource, ok := watch.(source.TypedSyncingSource[request]) - if !ok { - return - } - didStartSyncingSource.Store(true) - if err := syncingSource.WaitForSync(sourceStartCtx); err != nil { - err := fmt.Errorf("failed to wait for %s caches to sync %v: %w", c.Name, syncingSource, err) - log.Error(err, "Could not wait for Cache to sync") - sourceStartErrChan <- err + go func() { + <-ctx.Done() + c.Queue.ShutDown() + }() + + errGroup := &errgroup.Group{} + for _, watch := range c.startWatches { + log := c.LogConstructor(nil) + _, ok := watch.(interface { + String() string + }) + if !ok { + log = log.WithValues("source", fmt.Sprintf("%T", watch)) + } else { + log = log.WithValues("source", fmt.Sprintf("%s", watch)) + } + didStartSyncingSource := &atomic.Bool{} + errGroup.Go(func() error { + // Use a timeout for starting and syncing the source to avoid silently + // blocking startup indefinitely if it doesn't come up. + sourceStartCtx, cancel := context.WithTimeout(ctx, c.CacheSyncTimeout) + defer cancel() + + sourceStartErrChan := make(chan error, 1) // Buffer chan to not leak goroutine if we time out + go func() { + defer close(sourceStartErrChan) + log.Info("Starting EventSource") + + if err := watch.Start(ctx, c.Queue); err != nil { + sourceStartErrChan <- err + return + } + syncingSource, ok := watch.(source.TypedSyncingSource[request]) + if !ok { + return + } + didStartSyncingSource.Store(true) + if err := syncingSource.WaitForSync(sourceStartCtx); err != nil { + err := fmt.Errorf("failed to wait for %s caches to sync %v: %w", c.Name, syncingSource, err) + log.Error(err, "Could not wait for Cache to sync") + sourceStartErrChan <- err + } + }() + + select { + case err := <-sourceStartErrChan: + return err + case <-sourceStartCtx.Done(): + if didStartSyncingSource.Load() { // We are racing with WaitForSync, wait for it to let it tell us what happened + return <-sourceStartErrChan + } + if ctx.Err() != nil { // Don't return an error if the root context got cancelled + return nil + } + return fmt.Errorf("timed out waiting for source %s to Start. Please ensure that its Start() method is non-blocking", watch) } - }() + }) + } + retErr = errGroup.Wait() - select { - case err := <-sourceStartErrChan: - return err - case <-sourceStartCtx.Done(): - if didStartSyncingSource.Load() { // We are racing with WaitForSync, wait for it to let it tell us what happened - return <-sourceStartErrChan - } - if ctx.Err() != nil { // Don't return an error if the root context got cancelled - return nil - } - return fmt.Errorf("timed out waiting for source %s to Start. Please ensure that its Start() method is non-blocking", watch) - } - }) - } - return errGroup.Wait() + // All the watches have been started, we can reset the local slice. + // + // We should never hold watches more than necessary, each watch source can hold a backing cache, + // which won't be garbage collected if we hold a reference to it. + c.startWatches = nil + + // Mark event sources as started after resetting the startWatches slice so that watches from + // a new Watch() call are immediately started. + c.startedEventSourcesAndQueue = true + }) + + return retErr } // processNextWorkItem will read a single work item off the workqueue and @@ -343,7 +464,7 @@ func (c *Controller[request]) reconcileHandler(ctx context.Context, req request, if errors.Is(err, reconcile.TerminalError(nil)) { ctrlmetrics.TerminalReconcileErrors.WithLabelValues(c.Name).Inc() } else { - c.Queue.AddWithOpts(priorityqueue.AddOpts{RateLimited: true, Priority: priority}, req) + c.Queue.AddWithOpts(priorityqueue.AddOpts{RateLimited: true, Priority: ptr.To(priority)}, req) } ctrlmetrics.ReconcileErrors.WithLabelValues(c.Name).Inc() ctrlmetrics.ReconcileTotal.WithLabelValues(c.Name, labelError).Inc() @@ -358,11 +479,11 @@ func (c *Controller[request]) reconcileHandler(ctx context.Context, req request, // We need to drive to stable reconcile loops before queuing due // to result.RequestAfter c.Queue.Forget(req) - c.Queue.AddWithOpts(priorityqueue.AddOpts{After: result.RequeueAfter, Priority: priority}, req) + c.Queue.AddWithOpts(priorityqueue.AddOpts{After: result.RequeueAfter, Priority: ptr.To(priority)}, req) ctrlmetrics.ReconcileTotal.WithLabelValues(c.Name, labelRequeueAfter).Inc() case result.Requeue: //nolint: staticcheck // We have to handle it until it is removed log.V(5).Info("Reconcile done, requeueing") - c.Queue.AddWithOpts(priorityqueue.AddOpts{RateLimited: true, Priority: priority}, req) + c.Queue.AddWithOpts(priorityqueue.AddOpts{RateLimited: true, Priority: ptr.To(priority)}, req) ctrlmetrics.ReconcileTotal.WithLabelValues(c.Name, labelRequeue).Inc() default: log.V(5).Info("Reconcile successful") diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/internal/testing/controlplane/apiserver.go b/vendor/sigs.k8s.io/controller-runtime/pkg/internal/testing/controlplane/apiserver.go index bbd2eff64..aadb69e84 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/internal/testing/controlplane/apiserver.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/internal/testing/controlplane/apiserver.go @@ -374,7 +374,12 @@ func (s *APIServer) populateAPIServerCerts() error { return err } - servingCerts, err := ca.NewServingCert() + servingAddresses := []string{"localhost"} + if s.SecureServing.ListenAddr.Address != "" { + servingAddresses = append(servingAddresses, s.SecureServing.ListenAddr.Address) + } + + servingCerts, err := ca.NewServingCert(servingAddresses...) if err != nil { return err } diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/internal/testing/controlplane/etcd.go b/vendor/sigs.k8s.io/controller-runtime/pkg/internal/testing/controlplane/etcd.go index c30d21329..98ffe3ac5 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/internal/testing/controlplane/etcd.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/internal/testing/controlplane/etcd.go @@ -159,6 +159,10 @@ func (e *Etcd) setProcessState() error { // Stop stops this process gracefully, waits for its termination, and cleans up // the DataDir if necessary. func (e *Etcd) Stop() error { + if e.processState == nil { + return nil + } + if e.processState.DirNeedsCleaning { e.DataDir = "" // reset the directory if it was randomly allocated, so that we can safely restart } diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/leaderelection/leader_election.go b/vendor/sigs.k8s.io/controller-runtime/pkg/leaderelection/leader_election.go index 5cc253917..6c013e799 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/leaderelection/leader_election.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/leaderelection/leader_election.go @@ -56,6 +56,10 @@ type Options struct { // Without that, a single slow response from the API server can result // in losing leadership. RenewDeadline time.Duration + + // LeaderLabels are an optional set of labels that will be set on the lease object + // when this replica becomes leader + LeaderLabels map[string]string } // NewResourceLock creates a new resource lock for use in a leader election loop. @@ -63,7 +67,6 @@ func NewResourceLock(config *rest.Config, recorderProvider recorder.Provider, op if !options.LeaderElection { return nil, nil } - // Default resource lock to "leases". The previous default (from v0.7.0 to v0.11.x) was configmapsleases, which was // used to migrate from configmaps to leases. Since the default was "configmapsleases" for over a year, spanning // five minor releases, any actively maintained operators are very likely to have a released version that uses @@ -93,22 +96,21 @@ func NewResourceLock(config *rest.Config, recorderProvider recorder.Provider, op } id = id + "_" + string(uuid.NewUUID()) - // Construct clients for leader election - rest.AddUserAgent(config, "leader-election") + // Construct config for leader election + config = rest.AddUserAgent(config, "leader-election") + // Timeout set for a client used to contact to Kubernetes should be lower than + // RenewDeadline to keep a single hung request from forcing a leader loss. + // Setting it to max(time.Second, RenewDeadline/2) as a reasonable heuristic. if options.RenewDeadline != 0 { - return resourcelock.NewFromKubeconfig(options.LeaderElectionResourceLock, - options.LeaderElectionNamespace, - options.LeaderElectionID, - resourcelock.ResourceLockConfig{ - Identity: id, - EventRecorder: recorderProvider.GetEventRecorderFor(id), - }, - config, - options.RenewDeadline, - ) + timeout := options.RenewDeadline / 2 + if timeout < time.Second { + timeout = time.Second + } + config.Timeout = timeout } + // Construct clients for leader election corev1Client, err := corev1client.NewForConfig(config) if err != nil { return nil, err @@ -118,7 +120,8 @@ func NewResourceLock(config *rest.Config, recorderProvider recorder.Provider, op if err != nil { return nil, err } - return resourcelock.New(options.LeaderElectionResourceLock, + + return resourcelock.NewWithLabels(options.LeaderElectionResourceLock, options.LeaderElectionNamespace, options.LeaderElectionID, corev1Client, @@ -127,6 +130,7 @@ func NewResourceLock(config *rest.Config, recorderProvider recorder.Provider, op Identity: id, EventRecorder: recorderProvider.GetEventRecorderFor(id), }, + options.LeaderLabels, ) } diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/manager/internal.go b/vendor/sigs.k8s.io/controller-runtime/pkg/manager/internal.go index e5204a750..a9f91cbdd 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/manager/internal.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/manager/internal.go @@ -439,6 +439,11 @@ func (cm *controllerManager) Start(ctx context.Context) (err error) { return fmt.Errorf("failed to start other runnables: %w", err) } + // Start WarmupRunnables and wait for warmup to complete. + if err := cm.runnables.Warmup.Start(cm.internalCtx); err != nil { + return fmt.Errorf("failed to start warmup runnables: %w", err) + } + // Start the leader election and all required runnables. { ctx, cancel := context.WithCancel(context.Background()) @@ -534,6 +539,18 @@ func (cm *controllerManager) engageStopProcedure(stopComplete <-chan struct{}) e }() go func() { + go func() { + // Stop the warmup runnables in a separate goroutine to avoid blocking. + // It is important to stop the warmup runnables in parallel with the other runnables + // since we cannot assume ordering of whether or not one of the warmup runnables or one + // of the other runnables is holding a lock. + // Cancelling the wrong runnable (one that is not holding the lock) will cause the + // shutdown sequence to block indefinitely as it will wait for the runnable that is + // holding the lock to finish. + cm.logger.Info("Stopping and waiting for warmup runnables") + cm.runnables.Warmup.StopAndWait(cm.shutdownCtx) + }() + // First stop the non-leader election runnables. cm.logger.Info("Stopping and waiting for non leader election runnables") cm.runnables.Others.StopAndWait(cm.shutdownCtx) diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/manager/manager.go b/vendor/sigs.k8s.io/controller-runtime/pkg/manager/manager.go index c3ae317b0..e0e94245e 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/manager/manager.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/manager/manager.go @@ -201,10 +201,15 @@ type Options struct { // LeaseDuration time first. LeaderElectionReleaseOnCancel bool + // LeaderElectionLabels allows a controller to supplement all leader election api calls with a set of custom labels based on + // the replica attempting to acquire leader status. + LeaderElectionLabels map[string]string + // LeaderElectionResourceLockInterface allows to provide a custom resourcelock.Interface that was created outside // of the controller-runtime. If this value is set the options LeaderElectionID, LeaderElectionNamespace, - // LeaderElectionResourceLock, LeaseDuration, RenewDeadline and RetryPeriod will be ignored. This can be useful if you - // want to use a locking mechanism that is currently not supported, like a MultiLock across two Kubernetes clusters. + // LeaderElectionResourceLock, LeaseDuration, RenewDeadline, RetryPeriod and LeaderElectionLeases will be ignored. + // This can be useful if you want to use a locking mechanism that is currently not supported, like a MultiLock across + // two Kubernetes clusters. LeaderElectionResourceLockInterface resourcelock.Interface // LeaseDuration is the duration that non-leader candidates will @@ -314,6 +319,15 @@ type LeaderElectionRunnable interface { NeedLeaderElection() bool } +// warmupRunnable knows if a Runnable requires warmup. A warmup runnable is a runnable +// that should be run when the manager is started but before it becomes leader. +// Note: Implementing this interface is only useful when LeaderElection can be enabled, as the +// behavior when leaderelection is not enabled is to run LeaderElectionRunnables immediately. +type warmupRunnable interface { + // Warmup will be called when the manager is started but before it becomes leader. + Warmup(context.Context) error +} + // New returns a new Manager for creating Controllers. // Note that if ContentType in the given config is not set, "application/vnd.kubernetes.protobuf" // will be used for all built-in resources of Kubernetes, and "application/json" is for other types @@ -390,6 +404,7 @@ func New(config *rest.Config, options Options) (Manager, error) { LeaderElectionID: options.LeaderElectionID, LeaderElectionNamespace: options.LeaderElectionNamespace, RenewDeadline: *options.RenewDeadline, + LeaderLabels: options.LeaderElectionLabels, }) if err != nil { return nil, err @@ -417,7 +432,7 @@ func New(config *rest.Config, options Options) (Manager, error) { } errChan := make(chan error, 1) - runnables := newRunnables(options.BaseContext, errChan) + runnables := newRunnables(options.BaseContext, errChan).withLogger(options.Logger) return &controllerManager{ stopProcedureEngaged: ptr.To(int64(0)), cluster: cluster, diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/manager/runnable_group.go b/vendor/sigs.k8s.io/controller-runtime/pkg/manager/runnable_group.go index db5cda7c8..53e29fc56 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/manager/runnable_group.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/manager/runnable_group.go @@ -5,6 +5,7 @@ import ( "errors" "sync" + "github.com/go-logr/logr" "sigs.k8s.io/controller-runtime/pkg/webhook" ) @@ -32,6 +33,7 @@ type runnables struct { Webhooks *runnableGroup Caches *runnableGroup LeaderElection *runnableGroup + Warmup *runnableGroup Others *runnableGroup } @@ -42,10 +44,21 @@ func newRunnables(baseContext BaseContextFunc, errChan chan error) *runnables { Webhooks: newRunnableGroup(baseContext, errChan), Caches: newRunnableGroup(baseContext, errChan), LeaderElection: newRunnableGroup(baseContext, errChan), + Warmup: newRunnableGroup(baseContext, errChan), Others: newRunnableGroup(baseContext, errChan), } } +// withLogger returns the runnables with the logger set for all runnable groups. +func (r *runnables) withLogger(logger logr.Logger) *runnables { + r.HTTPServers.withLogger(logger) + r.Webhooks.withLogger(logger) + r.Caches.withLogger(logger) + r.LeaderElection.withLogger(logger) + r.Others.withLogger(logger) + return r +} + // Add adds a runnable to closest group of runnable that they belong to. // // Add should be able to be called before and after Start, but not after StopAndWait. @@ -65,8 +78,20 @@ func (r *runnables) Add(fn Runnable) error { }) case webhook.Server: return r.Webhooks.Add(fn, nil) - case LeaderElectionRunnable: - if !runnable.NeedLeaderElection() { + case warmupRunnable, LeaderElectionRunnable: + if warmupRunnable, ok := fn.(warmupRunnable); ok { + if err := r.Warmup.Add(RunnableFunc(warmupRunnable.Warmup), nil); err != nil { + return err + } + } + + leaderElectionRunnable, ok := fn.(LeaderElectionRunnable) + if !ok { + // If the runnable is not a LeaderElectionRunnable, add it to the leader election group for backwards compatibility + return r.LeaderElection.Add(fn, nil) + } + + if !leaderElectionRunnable.NeedLeaderElection() { return r.Others.Add(fn, nil) } return r.LeaderElection.Add(fn, nil) @@ -105,6 +130,9 @@ type runnableGroup struct { // wg is an internal sync.WaitGroup that allows us to properly stop // and wait for all the runnables to finish before returning. wg *sync.WaitGroup + + // logger is used for logging when errors are dropped during shutdown + logger logr.Logger } func newRunnableGroup(baseContext BaseContextFunc, errChan chan error) *runnableGroup { @@ -113,12 +141,18 @@ func newRunnableGroup(baseContext BaseContextFunc, errChan chan error) *runnable errChan: errChan, ch: make(chan *readyRunnable), wg: new(sync.WaitGroup), + logger: logr.Discard(), // Default to no-op logger } r.ctx, r.cancel = context.WithCancel(baseContext()) return r } +// withLogger sets the logger for this runnable group. +func (r *runnableGroup) withLogger(logger logr.Logger) { + r.logger = logger +} + // Started returns true if the group has started. func (r *runnableGroup) Started() bool { r.start.Lock() @@ -224,7 +258,27 @@ func (r *runnableGroup) reconcile() { // Start the runnable. if err := rn.Start(r.ctx); err != nil { - r.errChan <- err + // Check if we're during the shutdown process. + r.stop.RLock() + isStopped := r.stopped + r.stop.RUnlock() + + if isStopped { + // During shutdown, try to send error first (error drain goroutine might still be running) + // but drop if it would block to prevent goroutine leaks + select { + case r.errChan <- err: + // Error sent successfully (error drain goroutine is still running) + default: + // Error drain goroutine has exited, drop error to prevent goroutine leak + if !errors.Is(err, context.Canceled) { // don't log context.Canceled errors as they are expected during shutdown + r.logger.Info("error dropped during shutdown to prevent goroutine leak", "error", err) + } + } + } else { + // During normal operation, always try to send errors (may block briefly) + r.errChan <- err + } } }(runnable) } diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/manager/server.go b/vendor/sigs.k8s.io/controller-runtime/pkg/manager/server.go index 76f6165b5..1983165da 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/manager/server.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/manager/server.go @@ -70,7 +70,7 @@ func (s *Server) Start(ctx context.Context) error { shutdownCtx := context.Background() if s.ShutdownTimeout != nil { var shutdownCancel context.CancelFunc - shutdownCtx, shutdownCancel = context.WithTimeout(context.Background(), *s.ShutdownTimeout) + shutdownCtx, shutdownCancel = context.WithTimeout(shutdownCtx, *s.ShutdownTimeout) defer shutdownCancel() } diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/predicate/predicate.go b/vendor/sigs.k8s.io/controller-runtime/pkg/predicate/predicate.go index ce33975f3..9f24cb178 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/predicate/predicate.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/predicate/predicate.go @@ -47,13 +47,15 @@ type TypedPredicate[object any] interface { Generic(event.TypedGenericEvent[object]) bool } -var _ Predicate = Funcs{} -var _ Predicate = ResourceVersionChangedPredicate{} -var _ Predicate = GenerationChangedPredicate{} -var _ Predicate = AnnotationChangedPredicate{} -var _ Predicate = or[client.Object]{} -var _ Predicate = and[client.Object]{} -var _ Predicate = not[client.Object]{} +var ( + _ Predicate = Funcs{} + _ Predicate = ResourceVersionChangedPredicate{} + _ Predicate = GenerationChangedPredicate{} + _ Predicate = AnnotationChangedPredicate{} + _ Predicate = or[client.Object]{} + _ Predicate = and[client.Object]{} + _ Predicate = not[client.Object]{} +) // Funcs is a function that implements Predicate. type Funcs = TypedFuncs[client.Object] @@ -259,11 +261,10 @@ func (TypedAnnotationChangedPredicate[object]) Update(e event.TypedUpdateEvent[o // This predicate will skip update events that have no change in the object's label. // It is intended to be used in conjunction with the GenerationChangedPredicate, as in the following example: // -// Controller.Watch( -// -// &source.Kind{Type: v1.MyCustomKind}, -// &handler.EnqueueRequestForObject{}, -// predicate.Or(predicate.GenerationChangedPredicate{}, predicate.LabelChangedPredicate{})) +// Controller.Watch( +// &source.Kind{Type: v1.MyCustomKind}, +// &handler.EnqueueRequestForObject{}, +// predicate.Or(predicate.GenerationChangedPredicate{}, predicate.LabelChangedPredicate{})) // // This will be helpful when object's labels is carrying some extra specification information beyond object's spec, // and the controller will be triggered if any valid spec change (not only in spec, but also in labels) happens. diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/webhook/conversion/conversion.go b/vendor/sigs.k8s.io/controller-runtime/pkg/webhook/conversion/conversion.go index 249a364b3..a26fa348b 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/webhook/conversion/conversion.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/webhook/conversion/conversion.go @@ -22,7 +22,9 @@ See pkg/conversion for interface definitions required to ensure an API Type is c package conversion import ( + "context" "encoding/json" + "errors" "fmt" "net/http" @@ -31,8 +33,10 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" "sigs.k8s.io/controller-runtime/pkg/conversion" logf "sigs.k8s.io/controller-runtime/pkg/log" + conversionmetrics "sigs.k8s.io/controller-runtime/pkg/webhook/conversion/metrics" ) var ( @@ -53,6 +57,8 @@ type webhook struct { var _ http.Handler = &webhook{} func (wh *webhook) ServeHTTP(w http.ResponseWriter, r *http.Request) { + ctx := r.Context() + convertReview := &apix.ConversionReview{} err := json.NewDecoder(r.Body).Decode(convertReview) if err != nil { @@ -69,7 +75,7 @@ func (wh *webhook) ServeHTTP(w http.ResponseWriter, r *http.Request) { // TODO(droot): may be move the conversion logic to a separate module to // decouple it from the http layer ? - resp, err := wh.handleConvertRequest(convertReview.Request) + resp, err := wh.handleConvertRequest(ctx, convertReview.Request) if err != nil { log.Error(err, "failed to convert", "request", convertReview.Request.UID) convertReview.Response = errored(err) @@ -87,7 +93,18 @@ func (wh *webhook) ServeHTTP(w http.ResponseWriter, r *http.Request) { } // handles a version conversion request. -func (wh *webhook) handleConvertRequest(req *apix.ConversionRequest) (*apix.ConversionResponse, error) { +func (wh *webhook) handleConvertRequest(ctx context.Context, req *apix.ConversionRequest) (_ *apix.ConversionResponse, retErr error) { + defer func() { + if r := recover(); r != nil { + conversionmetrics.WebhookPanics.WithLabelValues().Inc() + + for _, fn := range utilruntime.PanicHandlers { + fn(ctx, r) + } + retErr = errors.New("internal error occurred during conversion") + return + } + }() if req == nil { return nil, fmt.Errorf("conversion request is nil") } diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/webhook/conversion/metrics/metrics.go b/vendor/sigs.k8s.io/controller-runtime/pkg/webhook/conversion/metrics/metrics.go new file mode 100644 index 000000000..c825f17f0 --- /dev/null +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/webhook/conversion/metrics/metrics.go @@ -0,0 +1,39 @@ +/* +Copyright 2025 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package metrics + +import ( + "github.com/prometheus/client_golang/prometheus" + "sigs.k8s.io/controller-runtime/pkg/metrics" +) + +var ( + // WebhookPanics is a prometheus counter metrics which holds the total + // number of panics from conversion webhooks. + WebhookPanics = prometheus.NewCounterVec(prometheus.CounterOpts{ + Name: "controller_runtime_conversion_webhook_panics_total", + Help: "Total number of conversion webhook panics", + }, []string{}) +) + +func init() { + metrics.Registry.MustRegister( + WebhookPanics, + ) + // Init metric. + WebhookPanics.WithLabelValues().Add(0) +}