Throw errors when elementType/objectType is wrong (#1023)

In a service binding annotation on a service, elementType and objectType
could be garbage (i.e. elementType=asdf), and SBO would panic.  We
should instead do the following:

1. Throw an error instead of panicking when either of these two are
   invalid.
2. Fail the binding if those errors are thrown.

Signed-off-by: Andy Sadler <[email protected]>

Author: sadlerap

pkg/binding/annotationmapper.go

@@ -2,9 +2,10 @@ package binding
 
 import (
 	"fmt"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"strings"
 
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
 	"github.com/pkg/errors"
 )
 
@@ -26,12 +27,13 @@ var _ DefinitionBuilder = (*annotationBackedDefinitionBuilder)(nil)
 type modelKey string
 
 const (
-	pathModelKey        modelKey = "path"
-	objectTypeModelKey  modelKey = "objectType"
-	sourceKeyModelKey   modelKey = "sourceKey"
-	sourceValueModelKey modelKey = "sourceValue"
-	elementTypeModelKey modelKey = "elementType"
-	AnnotationPrefix             = "service.binding"
+	pathModelKey                    modelKey = "path"
+	objectTypeModelKey              modelKey = "objectType"
+	sourceKeyModelKey               modelKey = "sourceKey"
+	sourceValueModelKey             modelKey = "sourceValue"
+	elementTypeModelKey             modelKey = "elementType"
+	AnnotationPrefix                         = "service.binding"
+	ProvisionedServiceAnnotationKey          = "servicebinding.io/provisioned-service"
 )
 
 func NewDefinitionBuilder(annotationName string, annotationValue string, configMapReader UnstructuredResourceReader, secretReader UnstructuredResourceReader) *annotationBackedDefinitionBuilder {
@@ -45,26 +47,44 @@ func NewDefinitionBuilder(annotationName string, annotationValue string, configM
 	}
 }
 
-func (m *annotationBackedDefinitionBuilder) outputName() (string, error) {
-	// bail out in the case the annotation name doesn't start with "service.binding"
-	if m.name != AnnotationPrefix && !strings.HasPrefix(m.name, AnnotationPrefix+"/") {
-		return "", fmt.Errorf("can't process annotation with name %q", m.name)
+func (m *annotationBackedDefinitionBuilder) isServiceBindingAnnotation() (bool, error) {
+	if m.name == ProvisionedServiceAnnotationKey {
+		return false, nil
+	}
+
+	if m.name == AnnotationPrefix {
+		return true, nil
+	} else if strings.HasPrefix(m.name, AnnotationPrefix) {
+		if strings.HasPrefix(m.name, AnnotationPrefix+"/") {
+			return true, nil
+		}
+
+		// it starts with AnnotationPrefix, but has extra text at the end not
+		// separated by a /, so treat it as an error
+		return false, fmt.Errorf("can't process annotation with name %q", m.name)
 	}
 
-	if p := strings.SplitN(m.name, "/", 2); len(p) > 1 && len(p[1]) > 0 {
-		return p[1], nil
+	// bail out when the annotation name doesn't start with "service.binding"
+	return false, nil
+}
+
+func (m *annotationBackedDefinitionBuilder) outputName() string {
+
+	if p := strings.SplitN(m.name, "/", 2); len(p) == 2 && len(p[1]) > 0 {
+		return p[1]
 	}
 
-	return "", nil
+	return ""
 }
 
 func (m *annotationBackedDefinitionBuilder) Build() (Definition, error) {
 
-	outputName, err := m.outputName()
-	if err != nil {
+	if valid, err := m.isServiceBindingAnnotation(); !valid || err != nil {
 		return nil, err
 	}
 
+	outputName := m.outputName()
+
 	mod, err := newModel(m.value)
 	if err != nil {
 		return nil, errors.Wrapf(err, "could not create binding model for annotation key %s and value %s", m.name, m.value)
@@ -128,6 +148,5 @@ func (m *annotationBackedDefinitionBuilder) Build() (Definition, error) {
 			sourceValue: mod.sourceValue,
 		}, nil
 	}
-
-	panic(fmt.Sprintf("Annotation %s=%s not implemented!", m.name, m.value))
+	return nil, fmt.Errorf("Annotation %s: %s not implemented!", m.name, m.value)
 }

pkg/binding/annotationmapper_test.go

@@ -41,9 +41,17 @@ func TestAnnotationBackedBuilderInvalidAnnotation(t *testing.T) {
 			},
 		},
 		{
-			description: "other prefix supplied",
+			description: "invalid element type",
 			builder: &annotationBackedDefinitionBuilder{
-				name: "other.prefix",
+				name:  "service.binding/databaseField",
+				value: "path={.status.dbCredential},elementType=asdf",
+			},
+		},
+		{
+			description: "invalid object type",
+			builder: &annotationBackedDefinitionBuilder{
+				name:  "service.binding/username",
+				value: "path={.status.dbCredential},objectType=asdf,valueKey=username",
 			},
 		},
 	}
@@ -77,7 +85,22 @@ func TestAnnotationBackedBuilderValidAnnotations(t *testing.T) {
 				},
 			},
 		},
-
+		{
+			description: "Ignore non-service binding annotations",
+			builder: &annotationBackedDefinitionBuilder{
+				name:  "foo",
+				value: "bar",
+			},
+			expectedValue: nil,
+		},
+		{
+			description: "Ignore provisioned service binding annotations",
+			builder: &annotationBackedDefinitionBuilder{
+				name:  ProvisionedServiceAnnotationKey,
+				value: "true",
+			},
+			expectedValue: nil,
+		},
 		{
 			description: "string definition",
 			builder: &annotationBackedDefinitionBuilder{

pkg/reconcile/pipeline/handler/collect/impl.go

@@ -27,7 +27,8 @@ const (
 	ErrorReadingBindingReason    = "ErrorReadingBinding"
 	ErrorReadingSecret           = "ErrorReadingSecret"
 
-	ValueNotFound = "ValueNotFound"
+	ValueNotFound     = "ValueNotFound"
+	InvalidAnnotation = "InvalidAnnotation"
 )
 
 func PreFlight(ctx pipeline.Context) {
@@ -65,9 +66,14 @@ func BindingDefinitions(ctx pipeline.Context) {
 		for k, v := range anns {
 			definition, err := makeBindingDefinition(k, v, ctx)
 			if err != nil {
-				continue
+				condition := notCollectionReadyCond(InvalidAnnotation, fmt.Errorf("Failed to create binding definition from \"%v: %v\": %v", k, v, err))
+				ctx.SetCondition(condition)
+				ctx.Error(err)
+				ctx.StopProcessing()
+			}
+			if definition != nil {
+				service.AddBindingDef(definition)
 			}
-			service.AddBindingDef(definition)
 		}
 	}
 }
@@ -96,8 +102,6 @@ func BindingItems(ctx pipeline.Context) {
 	}
 }
 
-const ProvisionedServiceAnnotationKey = "servicebinding.io/provisioned-service"
-
 func ProvisionedService(ctx pipeline.Context) {
 	services, _ := ctx.Services()
 
@@ -126,7 +130,7 @@ func ProvisionedService(ctx pipeline.Context) {
 			if crd == nil {
 				continue
 			}
-			v, ok := crd.Resource().GetAnnotations()[ProvisionedServiceAnnotationKey]
+			v, ok := crd.Resource().GetAnnotations()[binding.ProvisionedServiceAnnotationKey]
 			if ok && v == "true" {
 				requestRetry(ctx, ErrorReadingBindingReason, fmt.Errorf("CRD of service %v/%v indicates provisioned service, but no secret name provided under .status.binding.name", res.GetNamespace(), res.GetName()))
 				return
@@ -255,9 +259,7 @@ func collectItems(prefix string, ctx pipeline.Context, service pipeline.Service,
 			if mapVal := v.MapIndex(n).Interface(); mapVal != nil {
 				collectItems(p, ctx, service, n, mapVal)
 			} else {
-				condition := apis.Conditions().NotCollectionReady().
-					Msg(fmt.Sprintf("Value for key %v_%v not found", prefix+k.String(), n.String())).
-					Reason(ValueNotFound).Build()
+				condition := notCollectionReadyCond(ValueNotFound, fmt.Errorf("Value for key %v_%v not found", prefix+k.String(), n.String()))
 				ctx.SetCondition(condition)
 				ctx.Error(ErrorValueNotFound)
 				ctx.StopProcessing()

pkg/reconcile/pipeline/handler/collect/impl_test.go

@@ -156,7 +156,7 @@ var _ = Describe("Collect Binding Definitions", func() {
 
 				serviceContent.SetAnnotations(map[string]string{
 					"foo":                                   "bar",
-					collect.ProvisionedServiceAnnotationKey: "true",
+					binding.ProvisionedServiceAnnotationKey: "true",
 					"service.binding/foo":                   "path={.status.foo},objectType=Secret,sourceValue=username",
 					"service.binding/foo2":                  "path={.status.foo2},objectType=Secret,sourceValue=username",
 				})
@@ -420,6 +420,51 @@ var _ = Describe("Collect Binding Data", func() {
 			)
 		})
 
+		Context("on invalid annotations", func() {
+			var (
+				service        *mocks.MockService
+				serviceContent *unstructured.Unstructured
+			)
+			BeforeEach(func() {
+				service = mocks.NewMockService(mockCtrl)
+				serviceContent = &unstructured.Unstructured{}
+				service.EXPECT().CustomResourceDefinition().Return(nil, nil)
+				service.EXPECT().Resource().Return(serviceContent)
+
+				ctx.EXPECT().Services().Return([]pipeline.Service{service}, nil)
+			})
+
+			It("should error when elementType is invalid", func() {
+				serviceContent.SetAnnotations(map[string]string{
+					"service.binding/foo": "path={.status.foo},elementType=asdf",
+				})
+
+				condition := apis.Conditions().NotCollectionReady().
+					Msg("Failed to create binding definition from \"service.binding/foo: path={.status.foo},elementType=asdf\": Annotation service.binding/foo: path={.status.foo},elementType=asdf not implemented!").
+					Reason(collect.InvalidAnnotation).Build()
+				ctx.EXPECT().SetCondition(condition)
+				ctx.EXPECT().Error(errors.New("Annotation service.binding/foo: path={.status.foo},elementType=asdf not implemented!"))
+				ctx.EXPECT().StopProcessing()
+
+				collect.BindingDefinitions(ctx)
+			})
+
+			It("should error when objectType is invalid", func() {
+				serviceContent.SetAnnotations(map[string]string{
+					"service.binding/foo": "path={.status.foo},objectType=asdf",
+				})
+
+				condition := apis.Conditions().NotCollectionReady().
+					Msg("Failed to create binding definition from \"service.binding/foo: path={.status.foo},objectType=asdf\": Annotation service.binding/foo: path={.status.foo},objectType=asdf not implemented!").
+					Reason(collect.InvalidAnnotation).Build()
+				ctx.EXPECT().SetCondition(condition)
+				ctx.EXPECT().Error(errors.New("Annotation service.binding/foo: path={.status.foo},objectType=asdf not implemented!"))
+				ctx.EXPECT().StopProcessing()
+
+				collect.BindingDefinitions(ctx)
+			})
+		})
+
 		Context("on returning unexpected data", func() {
 			var (
 				service *mocks.MockService
@@ -752,7 +797,7 @@ var _ = Describe("Collect From Provisioned Service", func() {
 			err := errors.New("CRD of service ns1/foo indicates provisioned service, but no secret name provided under .status.binding.name")
 			crd := mocks.NewMockCRD(mockCtrl)
 			u := &unstructured.Unstructured{}
-			u.SetAnnotations(map[string]string{collect.ProvisionedServiceAnnotationKey: "true"})
+			u.SetAnnotations(map[string]string{binding.ProvisionedServiceAnnotationKey: "true"})
 
 			crd.EXPECT().Resource().Return(u)
 

test/acceptance/features/bindAppToServiceAnnotations.feature

@@ -584,3 +584,126 @@ Feature: Bind an application to a service using annotations
         And Service Binding CollectionReady.reason is "ValueNotFound"
         And Service Binding CollectionReady.message is "Value for key webarrows_primary not found"
 
+    Scenario: Application cannot be bound to service containing invalid elementType annotation
+        Given Generic test application is running
+        And CustomResourceDefinition backends.stable.example.com is available
+        And The Custom Resource is present
+            """
+            apiVersion: stable.example.com/v1
+            kind: Backend
+            metadata:
+                name: $scenario_id
+                annotations:
+                    service.binding/credentials: path={.spec.connections.dbCredentials},elementType=asdf
+            spec:
+                connections:
+                  - type: primary
+                    url: primary.example.com
+            status:
+                somestatus: good
+            """
+        When Service Binding is applied
+            """
+            apiVersion: binding.operators.coreos.com/v1alpha1
+            kind: ServiceBinding
+            metadata:
+                name: $scenario_id
+            spec:
+                bindAsFiles: false
+                services:
+                  - group: stable.example.com
+                    version: v1
+                    kind: Backend
+                    name: $scenario_id
+                application:
+                    name: $scenario_id
+                    group: apps
+                    version: v1
+                    resource: deployments
+            """
+        Then Service Binding CollectionReady.status is "False"
+        And Service Binding CollectionReady.reason is "InvalidAnnotation"
+        And Service Binding Ready.message is "Annotation service.binding/credentials: path={.spec.connections.dbCredentials},elementType=asdf not implemented!"
+
+    Scenario: Application cannot be bound to service containing invalid objectType annotation
+        Given Generic test application is running
+        And CustomResourceDefinition backends.stable.example.com is available
+        And The Custom Resource is present
+            """
+            apiVersion: stable.example.com/v1
+            kind: Backend
+            metadata:
+                name: $scenario_id
+                annotations:
+                    service.binding/credentials: path={.spec.connections.dbCredentials},objectType=asdf,sourceKey=username
+            spec:
+                connections:
+                  - type: primary
+                    url: primary.example.com
+            status:
+                somestatus: good
+            """
+        When Service Binding is applied
+            """
+            apiVersion: binding.operators.coreos.com/v1alpha1
+            kind: ServiceBinding
+            metadata:
+                name: $scenario_id
+            spec:
+                bindAsFiles: false
+                services:
+                  - group: stable.example.com
+                    version: v1
+                    kind: Backend
+                    name: $scenario_id
+                application:
+                    name: $scenario_id
+                    group: apps
+                    version: v1
+                    resource: deployments
+            """
+        Then Service Binding CollectionReady.status is "False"
+        And Service Binding CollectionReady.reason is "InvalidAnnotation"
+        And Service Binding Ready.message is "Annotation service.binding/credentials: path={.spec.connections.dbCredentials},objectType=asdf,sourceKey=username not implemented!"
+
+    Scenario: Application cannot be bound to service containing invalid path annotation
+        Given Generic test application is running
+        And CustomResourceDefinition backends.stable.example.com is available
+        And The Custom Resource is present
+            """
+            apiVersion: stable.example.com/v1
+            kind: Backend
+            metadata:
+                name: $scenario_id
+                annotations:
+                    service.binding/credentials: path=asdf
+            spec:
+                connections:
+                  - type: primary
+                    url: primary.example.com
+            status:
+                somestatus: good
+            """
+        When Service Binding is applied
+            """
+            apiVersion: binding.operators.coreos.com/v1alpha1
+            kind: ServiceBinding
+            metadata:
+                name: $scenario_id
+            spec:
+                bindAsFiles: false
+                services:
+                  - group: stable.example.com
+                    version: v1
+                    kind: Backend
+                    name: $scenario_id
+                application:
+                    name: $scenario_id
+                    group: apps
+                    version: v1
+                    resource: deployments
+            """
+        Then Service Binding CollectionReady.status is "False"
+        And Service Binding CollectionReady.reason is "InvalidAnnotation"
+        And Service Binding CollectionReady.message is "Failed to create binding definition from "service.binding/credentials: path=asdf": could not create binding model for annotation key service.binding/credentials and value path=asdf: path has invalid syntax: "asdf""
+        And Service Binding Ready.message is "could not create binding model for annotation key service.binding/credentials and value path=asdf: path has invalid syntax: "asdf""