From 2263598a656e0789290ff0ce933f1e8e1c1e342f Mon Sep 17 00:00:00 2001
From: Pierangelo Di Pilato <pierdipi@redhat.com>
Date: Mon, 17 Jun 2024 11:45:19 +0200
Subject: [PATCH] Add validation for EventPolicy sub suffix matching

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
---
 .../v1alpha1/eventpolicy_validation.go        | 16 ++++++
 .../v1alpha1/eventpolicy_validation_test.go   | 52 +++++++++++++++++++
 2 files changed, 68 insertions(+)

diff --git a/pkg/apis/eventing/v1alpha1/eventpolicy_validation.go b/pkg/apis/eventing/v1alpha1/eventpolicy_validation.go
index 6c4eafb5caa..0c267b31968 100644
--- a/pkg/apis/eventing/v1alpha1/eventpolicy_validation.go
+++ b/pkg/apis/eventing/v1alpha1/eventpolicy_validation.go
@@ -18,6 +18,7 @@ package v1alpha1
 
 import (
 	"context"
+	"strings"
 
 	"knative.dev/pkg/apis"
 )
@@ -36,6 +37,7 @@ func (ets *EventPolicySpec) Validate(ctx context.Context) *apis.FieldError {
 			err = err.Also(apis.ErrMultipleOneOf("ref", "sub").ViaFieldIndex("from", i))
 		}
 		err = err.Also(f.Ref.Validate().ViaField("ref").ViaFieldIndex("from", i))
+		err = err.Also(validateSub(f.Sub).ViaField("sub").ViaFieldIndex("from", i))
 	}
 
 	for i, t := range ets.To {
@@ -53,6 +55,20 @@ func (ets *EventPolicySpec) Validate(ctx context.Context) *apis.FieldError {
 	return err
 }
 
+func validateSub(sub *string) *apis.FieldError {
+	if sub == nil || len(*sub) <= 1 {
+		return nil
+	}
+
+	lastInvalidIdx := len(*sub) - 2
+	firstInvalidIdx := 0
+	if idx := strings.IndexRune(*sub, '*'); idx >= firstInvalidIdx && idx <= lastInvalidIdx {
+		return apis.ErrInvalidValue(*sub, "", "'*' is only allowed as suffix")
+	}
+
+	return nil
+}
+
 func (r *EventPolicyFromReference) Validate() *apis.FieldError {
 	if r == nil {
 		return nil
diff --git a/pkg/apis/eventing/v1alpha1/eventpolicy_validation_test.go b/pkg/apis/eventing/v1alpha1/eventpolicy_validation_test.go
index c4b388b0291..da103fd069f 100644
--- a/pkg/apis/eventing/v1alpha1/eventpolicy_validation_test.go
+++ b/pkg/apis/eventing/v1alpha1/eventpolicy_validation_test.go
@@ -196,6 +196,58 @@ func TestEventPolicySpecValidation(t *testing.T) {
 				return apis.ErrMissingField("apiVersion").ViaField("ref").ViaFieldIndex("to", 0).ViaField("spec")
 			}(),
 		},
+		{
+			name: "invalid, from.sub '*' set as infix",
+			ep: &EventPolicy{
+				Spec: EventPolicySpec{
+					From: []EventPolicySpecFrom{{
+						Sub: ptr.String("a*c"),
+					}},
+				},
+			},
+			want: func() *apis.FieldError {
+				return apis.ErrInvalidValue("a*c", "sub", "'*' is only allowed as suffix").ViaFieldIndex("from", 0).ViaField("spec")
+			}(),
+		},
+		{
+			name: "invalid, from.sub '*' set as prefix",
+			ep: &EventPolicy{
+				Spec: EventPolicySpec{
+					From: []EventPolicySpecFrom{{
+						Sub: ptr.String("*a"),
+					}},
+				},
+			},
+			want: func() *apis.FieldError {
+				return apis.ErrInvalidValue("*a", "sub", "'*' is only allowed as suffix").ViaFieldIndex("from", 0).ViaField("spec")
+			}(),
+		},
+		{
+			name: "valid, from.sub '*' set as suffix",
+			ep: &EventPolicy{
+				Spec: EventPolicySpec{
+					From: []EventPolicySpecFrom{{
+						Sub: ptr.String("a*"),
+					}},
+				},
+			},
+			want: func() *apis.FieldError {
+				return nil
+			}(),
+		},
+		{
+			name: "valid, from.sub exactly '*'",
+			ep: &EventPolicy{
+				Spec: EventPolicySpec{
+					From: []EventPolicySpecFrom{{
+						Sub: ptr.String("*"),
+					}},
+				},
+			},
+			want: func() *apis.FieldError {
+				return nil
+			}(),
+		},
 	}
 
 	for _, test := range tests {