Fix: corrects validating webhook behaviour with cuex compilers (#6799)

Signed-off-by: Brian Kane <briankane1@gmail.com>
2025-07-17 23:18:36 +01:00 · 2025-07-17 23:18:36 +01:00 · c79f03fe92
parent fedcca1c7b
commit c79f03fe92
4 changed files with 119 additions and 2 deletions
--- a/pkg/webhook/core.oam.dev/v1beta1/componentdefinition/validating_handler.go
+++ b/pkg/webhook/core.oam.dev/v1beta1/componentdefinition/validating_handler.go
@ -65,7 +65,7 @@ func (h *ValidatingHandler) Handle(ctx context.Context, req admission.Request) a

 		// validate cueTemplate
 		if obj.Spec.Schematic != nil && obj.Spec.Schematic.CUE != nil {
-			err = webhookutils.ValidateCueTemplate(obj.Spec.Schematic.CUE.Template)
+			err = webhookutils.ValidateCuexTemplate(ctx, obj.Spec.Schematic.CUE.Template)
 			if err != nil {
 				return admission.Denied(err.Error())
 			}
--- a/pkg/webhook/core.oam.dev/v1beta1/traitdefinition/validating_handler.go
+++ b/pkg/webhook/core.oam.dev/v1beta1/traitdefinition/validating_handler.go
@ -91,7 +91,7 @@ func (h *ValidatingHandler) Handle(ctx context.Context, req admission.Request) a

 		// validate cueTemplate
 		if obj.Spec.Schematic != nil && obj.Spec.Schematic.CUE != nil {
-			err = webhookutils.ValidateCueTemplate(obj.Spec.Schematic.CUE.Template)
+			err = webhookutils.ValidateCuexTemplate(ctx, obj.Spec.Schematic.CUE.Template)
 			if err != nil {
 				return admission.Denied(err.Error())
 			}
--- a/pkg/webhook/utils/utils.go
+++ b/pkg/webhook/utils/utils.go
@ -23,6 +23,8 @@ import (
 	"strconv"
 	"strings"

+	"github.com/kubevela/pkg/cue/cuex"
+
 	"cuelang.org/go/cue/cuecontext"
 	cueErrors "cuelang.org/go/cue/errors"
 	"github.com/pkg/errors"
@ -73,6 +75,19 @@ func ValidateCueTemplate(cueTemplate string) error {
 	return checkError(err)
 }

+// ValidateCuexTemplate validate cueTemplate with CueX for types utilising it
+func ValidateCuexTemplate(ctx context.Context, cueTemplate string) error {
+	val, err := cuex.DefaultCompiler.Get().CompileStringWithOptions(ctx, cueTemplate)
+	if err != nil {
+		return err
+	}
+	if e := checkError(val.Err()); e != nil {
+		return e
+	}
+	err = val.Validate()
+	return checkError(err)
+}
+
 func checkError(err error) error {
 	re := regexp.MustCompile(ContextRegex)
 	if err != nil {
--- a/pkg/webhook/utils/utils_test.go
+++ b/pkg/webhook/utils/utils_test.go
@ -17,9 +17,17 @@ limitations under the License.
 package utils

 import (
+	"context"
 	"fmt"
+	"strings"
 	"testing"

+	"github.com/kubevela/pkg/cue/cuex"
+	"github.com/kubevela/pkg/util/singleton"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	dynamicfake "k8s.io/client-go/dynamic/fake"
+
 	"cuelang.org/go/cue/errors"
 	"github.com/crossplane/crossplane-runtime/pkg/test"
 	"github.com/google/go-cmp/cmp"
@ -70,6 +78,100 @@ func TestValidateCueTemplate(t *testing.T) {
 	}
 }

+func TestValidateCuexTemplate(t *testing.T) {
+	cases := map[string]struct {
+		cueTemplate string
+		want        error
+	}{
+		"normalCueTemp": {
+			cueTemplate: "name: 'name'",
+			want:        nil,
+		},
+		"contextNouFoundCueTemp": {
+			cueTemplate: `
+				output: {
+					metadata: {
+						name: context.name
+						label: context.label
+						annotation: "default"
+					}
+				}`,
+			want: nil,
+		},
+		"withCuexPackageImports": {
+			cueTemplate: `
+				import "test/ext"
+				
+				test: ext.#Add & {
+					a: 1
+					b: 2
+				}
+	
+				output: {
+					metadata: {
+						name: context.name + "\(test.result)"
+						label: context.label
+						annotation: "default"
+					}
+				}
+			`,
+			want: nil,
+		},
+		"inValidCueTemp": {
+			cueTemplate: `
+				output: {
+					metadata: {
+						name: context.name
+						label: context.label
+						annotation: "default"
+					},
+					hello: world 
+				}`,
+			want: errors.New("output.hello: reference \"world\" not found"),
+		},
+	}
+
+	packageObj := &unstructured.Unstructured{
+		Object: map[string]interface{}{
+			"apiVersion": "cue.oam.dev/v1alpha1",
+			"kind":       "Package",
+			"metadata": map[string]interface{}{
+				"name":      "test-package",
+				"namespace": "vela-system",
+			},
+			"spec": map[string]interface{}{
+				"path": "test/ext",
+				"templates": map[string]interface{}{
+					"test/ext": strings.TrimSpace(`
+                        package ext
+                        #Add: {
+						  a: number
+						  b: number
+                          result: a + b
+						}
+                    `),
+				},
+			},
+		},
+	}
+
+	dcl := dynamicfake.NewSimpleDynamicClient(runtime.NewScheme(), packageObj)
+	singleton.DynamicClient.Set(dcl)
+	cuex.DefaultCompiler.Reload()
+
+	defer singleton.ReloadClients()
+	defer cuex.DefaultCompiler.Reload()
+
+	for caseName, cs := range cases {
+		t.Run(caseName, func(t *testing.T) {
+			err := ValidateCuexTemplate(context.Background(), cs.cueTemplate)
+			if diff := cmp.Diff(cs.want, err, test.EquateErrors()); diff != "" {
+				t.Errorf("\n%s\nValidateCueTemplate: -want , +got \n%s\n", cs.want, diff)
+			}
+		})
+	}
+}
+
 func TestValidateSemanticVersion(t *testing.T) {
 	cases := map[string]struct {
 		version string