fix: add recursive check of cel rules (#630)

timmilesdw · ldmonster · web-flow · commit c174978ed98a · 2025-07-18T12:54:21.000+03:00
Signed-off-by: Timur Tuktamyshev &lt;timur.tuktamyshev@flant.com&gt;
Signed-off-by: Pavel Okhlopkov &lt;pavel.okhlopkov@flant.com&gt;
Co-authored-by: Pavel Okhlopkov &lt;pavel.okhlopkov@flant.com&gt;
diff --git a/go.mod b/go.mod
@@ -9,7 +9,7 @@ require (
 	github.com/dominikbraun/graph v0.23.0
 	github.com/ettle/strcase v0.2.0
 	github.com/flant/kube-client v1.3.1
-	github.com/flant/shell-operator v1.9.0
+	github.com/flant/shell-operator v1.9.1
 	github.com/go-chi/chi/v5 v5.2.1
 	github.com/go-openapi/loads v0.19.5
 	github.com/go-openapi/spec v0.19.8
diff --git a/go.sum b/go.sum
@@ -144,8 +144,8 @@ github.com/flant/go-openapi-validate v0.19.12-flant.1 h1:GuB9XEfiLHq3M7fafRLq1AW
 github.com/flant/go-openapi-validate v0.19.12-flant.1/go.mod h1:Rzou8hA/CBw8donlS6WNEUQupNvUZ0waH08tGe6kAQ4=
 github.com/flant/kube-client v1.3.1 h1:1SdD799sujXNg2F6Z27le/+qkcKQaKf9Z492YGEhVhc=
 github.com/flant/kube-client v1.3.1/go.mod h1:mql6hsZMgBLAhdj3Emb8TrP5MVdXduFQ2NLjzn6IF0Y=
-github.com/flant/shell-operator v1.9.0 h1:XaNif0v0NK2S0AzSfujYO6d/ifHsw6nmPylGmuBlPaU=
-github.com/flant/shell-operator v1.9.0/go.mod h1:9gZmjxCuyLDz3hFsmRXYTlw7+hpw199CMYzSodWKk50=
+github.com/flant/shell-operator v1.9.1 h1:P4f8kyxSK+TRUS7EYLcY9+IrCvvF0e8MBRPA7hPdCnQ=
+github.com/flant/shell-operator v1.9.1/go.mod h1:9gZmjxCuyLDz3hFsmRXYTlw7+hpw199CMYzSodWKk50=
 github.com/flopp/go-findfont v0.1.0 h1:lPn0BymDUtJo+ZkV01VS3661HL6F4qFlkhcJN55u6mU=
 github.com/flopp/go-findfont v0.1.0/go.mod h1:wKKxRDjD024Rh7VMwoU90i6ikQRCr+JTHB5n4Ejkqvw=
 github.com/fogleman/gg v1.3.0 h1:/7zJX8F6AaYQc57WQCyN9cAIz+4bCJGO9B+dyW29am8=
diff --git a/pkg/values/validation/cel/cel.go b/pkg/values/validation/cel/cel.go
@@ -18,31 +18,43 @@ type rule struct {
 }
 
 // Validate validates config values against x-deckhouse-validation rules in schema
-func Validate(schema *spec.Schema, values map[string]interface{}) error {
-	env, err := cel.NewEnv(cel.Variable("self", cel.MapType(cel.StringType, cel.DynType)))
-	if err != nil {
-		return fmt.Errorf("create CEL env: %w", err)
+func Validate(schema *spec.Schema, values any) ([]error, error) {
+	var validationErrs []error
+	// First we validate only object nested properties
+	if m, ok := values.(map[string]any); ok {
+		for propName, propSchema := range schema.Properties {
+			if propValue, ok := m[propName]; ok {
+				subErrs, err := Validate(&propSchema, propValue)
+				if err != nil {
+					return nil, err
+				}
+				validationErrs = append(validationErrs, subErrs...)
+			}
+		}
 	}
 
 	raw, found := schema.Extensions[ruleKey]
 	if !found {
-		return nil
+		if len(validationErrs) > 0 {
+			return validationErrs, nil
+		}
+		return nil, nil
 	}
 
 	var rules []rule
 	switch v := raw.(type) {
-	case []interface{}:
+	case []any:
 		for _, entry := range v {
-			mapEntry, ok := entry.(map[string]interface{})
+			mapEntry, ok := entry.(map[string]any)
 			if !ok || len(mapEntry) == 0 {
-				return fmt.Errorf("x-deckhouse-validations invalid")
+				return nil, fmt.Errorf("x-deckhouse-validations invalid")
 			}
 
 			if val, ok := mapEntry["expression"]; !ok || len(val.(string)) == 0 {
-				return fmt.Errorf("x-deckhouse-validations invalid: missing expression")
+				return nil, fmt.Errorf("x-deckhouse-validations invalid: missing expression")
 			}
 			if val, ok := mapEntry["message"]; !ok || len(val.(string)) == 0 {
-				return fmt.Errorf("x-deckhouse-validations invalid: missing message")
+				return nil, fmt.Errorf("x-deckhouse-validations invalid: missing message")
 			}
 
 			rules = append(rules, rule{
@@ -51,41 +63,68 @@ func Validate(schema *spec.Schema, values map[string]interface{}) error {
 			})
 		}
 	default:
-		return fmt.Errorf("x-deckhouse-validations invalid")
+		return nil, fmt.Errorf("x-deckhouse-validations invalid")
 	}
 
-	obj, err := structpb.NewStruct(values)
+	celSelfType, celSelfValue, err := buildCELValueAndType(values)
 	if err != nil {
-		return fmt.Errorf("convert values to struct: %w", err)
+		return nil, err
 	}
 
+	env, err := cel.NewEnv(cel.Variable("self", celSelfType))
+	if err != nil {
+		return nil, fmt.Errorf("create CEL env: %w", err)
+	}
 	for _, r := range rules {
 		ast, issues := env.Compile(r.Expression)
 		if issues.Err() != nil {
-			return fmt.Errorf("compile the '%s' rule: %w", r.Expression, issues.Err())
+			return nil, fmt.Errorf("compile the '%s' rule: %w", r.Expression, issues.Err())
 		}
 
 		prg, err := env.Program(ast)
 		if err != nil {
-			return fmt.Errorf("create program for the '%s' rule: %w", r.Expression, err)
+			return nil, fmt.Errorf("create program for the '%s' rule: %w", r.Expression, err)
 		}
 
-		out, _, err := prg.Eval(map[string]interface{}{"self": obj})
+		out, _, err := prg.Eval(map[string]any{"self": celSelfValue})
 		if err != nil {
 			if strings.Contains(err.Error(), "no such key:") {
 				continue
 			}
-			return fmt.Errorf("evaluate the '%s' rule: %w", r.Expression, err)
+			return nil, fmt.Errorf("evaluate the '%s' rule: %w", r.Expression, err)
 		}
 
 		pass, ok := out.Value().(bool)
 		if !ok {
-			return errors.New("rule should return boolean")
+			return nil, errors.New("rule should return boolean")
 		}
 		if !pass {
-			return errors.New(r.Message)
+			validationErrs = append(validationErrs, errors.New(r.Message))
 		}
 	}
 
-	return nil
+	return validationErrs, nil
+}
+
+func buildCELValueAndType(value any) (*cel.Type, any, error) {
+	switch v := value.(type) {
+	case map[string]any:
+		obj, err := structpb.NewStruct(v)
+		if err != nil {
+			return nil, nil, fmt.Errorf("convert values to struct: %w", err)
+		}
+		return cel.MapType(cel.StringType, cel.DynType), obj, nil
+	case []any:
+		list, err := structpb.NewList(v)
+		if err != nil {
+			return nil, nil, fmt.Errorf("convert array to list: %w", err)
+		}
+		return cel.ListType(cel.DynType), list, nil
+	default:
+		val, err := structpb.NewValue(v)
+		if err != nil {
+			return nil, nil, fmt.Errorf("convert dyn to value: %w", err)
+		}
+		return cel.DynType, val, nil
+	}
 }
diff --git a/pkg/values/validation/schemas.go b/pkg/values/validation/schemas.go
@@ -2,6 +2,7 @@ package validation
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"log/slog"
 	"reflect"
@@ -133,9 +134,13 @@ func validateObject(dataObj interface{}, s *spec.Schema, rootName string) error
 
 	// Validate values against x-deckhouse-validation rules.
 	if values, ok := dataObj.(map[string]interface{}); ok {
-		if err := cel.Validate(s, values); err != nil {
+		validationErrs, err := cel.Validate(s, values)
+		if err != nil {
 			return err
 		}
+		if len(validationErrs) > 0 {
+			return errors.Join(validationErrs...)
+		}
 	}
 
 	result := validator.Validate(dataObj)
diff --git a/pkg/values/validation/validator_test.go b/pkg/values/validation/validator_test.go
