fix: validation mode lower case

The check on the validation mode is done by lower casing the input and comparing it to a constant. Unfortunately the constant wasn\'t entirely lower case. This has been fixed. fixes #1816
sse-secure-systems · Nov 15, 2024 · be004c8 · be004c8
1 parent eab664e
commit be004c8
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 22 deletions.
diff --git a/charts/connaisseur/Chart.yaml b/charts/connaisseur/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: connaisseur
 description: Helm chart for Connaisseur - a Kubernetes admission controller to integrate container image signature verification and trust pinning into a cluster.
 type: application
-version: 2.7.0
-appVersion: 3.7.0
+version: 2.7.1
+appVersion: 3.7.1
 keywords:
   - container image
   - signature

diff --git a/internal/handler/validation/validation.go b/internal/handler/validation/validation.go
@@ -9,7 +9,6 @@ import (
 	"connaisseur/internal/utils"
 	"context"
 	"fmt"
-	"strings"
 
 	"github.com/sirupsen/logrus"
 )
@@ -161,7 +160,7 @@ func ValidateImage(ctx context.Context, in ValidationInput, out chan<- Validatio
 	logrus.Debugf("validator: %s", validatorName)
 
 	// get validation mode
-	switch strings.ToLower(rule.With.ValidationMode) {
+	switch rule.With.ValidationMode {
 	case constants.MutateMode:
 		validationMode = constants.MutateMode
 	case constants.ValidateMode:

diff --git a/internal/handler/validation/validation_test.go b/internal/handler/validation/validation_test.go
@@ -32,8 +32,9 @@ func TestValidateWorkloadObject(t *testing.T) {
 	var testCases = []struct {
 		newWLO kubernetes.WorkloadObject
 		out    map[string]struct {
-			img string
-			err error
+			img            string
+			validationMode string
+			err            error
 		}
 	}{
 		// test case with one image
@@ -43,10 +44,11 @@ func TestValidateWorkloadObject(t *testing.T) {
 				InitContainers: []core.Container{{Image: "nginx"}},
 			},
 			map[string]struct {
-				img string
-				err error
+				img            string
+				validationMode string
+				err            error
 			}{
-				"nginx": {"index.docker.io/library/nginx:latest", nil},
+				"nginx": {"index.docker.io/library/nginx:latest", constants.MutateMode, nil},
 			},
 		},
 		// test case with validationMode set to mutate
@@ -56,11 +58,13 @@ func TestValidateWorkloadObject(t *testing.T) {
 				InitContainers: []core.Container{{Image: "docker.io/securesystemsengineering/sample"}},
 			},
 			map[string]struct {
-				img string
-				err error
+				img            string
+				validationMode string
+				err            error
 			}{
 				"docker.io/securesystemsengineering/sample": {
 					"index.docker.io/securesystemsengineering/sample:latest",
+					constants.MutateMode,
 					nil,
 				},
 			},
@@ -72,11 +76,13 @@ func TestValidateWorkloadObject(t *testing.T) {
 				InitContainers: []core.Container{{Image: "docker.io/securesystemsengineering/sample:v1"}},
 			},
 			map[string]struct {
-				img string
-				err error
+				img            string
+				validationMode string
+				err            error
 			}{
 				"docker.io/securesystemsengineering/sample:v1": {
 					"index.docker.io/securesystemsengineering/sample:v1",
+					constants.ValidateMode,
 					nil,
 				},
 			},
@@ -89,11 +95,12 @@ func TestValidateWorkloadObject(t *testing.T) {
 				EphemeralContainers: []core.EphemeralContainer{{EphemeralContainerCommon: core.EphemeralContainerCommon{Image: "debian"}}},
 			},
 			map[string]struct {
-				img string
-				err error
+				img            string
+				validationMode string
+				err            error
 			}{
-				"nginx":  {"index.docker.io/library/nginx:latest", nil},
-				"debian": {"index.docker.io/library/debian:latest", nil},
+				"nginx":  {"index.docker.io/library/nginx:latest", constants.MutateMode, nil},
+				"debian": {"index.docker.io/library/debian:latest", constants.MutateMode, nil},
 			},
 		},
 	}
@@ -108,16 +115,18 @@ func TestValidateWorkloadObject(t *testing.T) {
 	for idx, tc := range testCases {
 		voChannel := ValidateWorkloadObject(ctx, &tc.newWLO, &kubernetes.WorkloadObject{})
 		validatedImages := map[string]struct {
-			img string
-			err error
+			img  string
+			mode string
+			err  error
 		}{}
 		containers := tc.newWLO.ConsolidatedContainers()
 		for range containers {
 			vo := <-voChannel
 			validatedImages[vo.RawImage] = struct {
-				img string
-				err error
-			}{vo.NewImage, vo.Error}
+				img  string
+				mode string
+				err  error
+			}{vo.NewImage, vo.ValidationMode, vo.Error}
 		}
 		assert.Equalf(t, len(tc.out), len(validatedImages), "test case %i", idx+1)
 		for expectedValidatedImg := range tc.out {
@@ -130,6 +139,13 @@ func TestValidateWorkloadObject(t *testing.T) {
 				"test case %i",
 				idx+1,
 			)
+			assert.Equalf(
+				t,
+				tc.out[expectedValidatedImg].validationMode,
+				actualValidatedImg.mode,
+				"test case %i",
+				idx+1,
+			)
 			assert.Equalf(
 				t,
 				tc.out[expectedValidatedImg].err,