From 963744dd7f57a6872d9ca61bf984ea88b3afdcdb Mon Sep 17 00:00:00 2001
From: Jaydip Gabani
Date: Thu, 29 Aug 2024 01:00:23 +0000
Subject: [PATCH] fixing CEL error

Signed-off-by: Jaydip Gabani
---
 .../host-filesystem/1.1.0/artifacthub-pkg.yml | 2 +-
 .../pod-security-policy/host-filesystem/1.1.0/template.yaml | 4 ++--
 library/pod-security-policy/host-filesystem/template.yaml | 4 ++--
 src/pod-security-policy/host-filesystem/src.cel | 4 ++--
 website/docs/validation/host-filesystem.md | 4 ++--
 5 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.1.0/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/host-filesystem/1.1.0/artifacthub-pkg.yml
index 734c84b8b..7fe2cbdb6 100644
--- a/artifacthub/library/pod-security-policy/host-filesystem/1.1.0/artifacthub-pkg.yml
+++ b/artifacthub/library/pod-security-policy/host-filesystem/1.1.0/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8spsphostfilesystem
 displayName: Host Filesystem
 createdAt: "2024-06-05T20:31:16Z"
 description: Controls usage of the host filesystem. Corresponds to the `allowedHostPaths` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
-digest: d414daa954ca9553d81c63e57c6fc3674ab3cd70975f6ebaf47782a1a0f05da0
+digest: 3883941aac9b7598a79c9bf6517c77a401b99d165bf584dce604a00eef79f8e7
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/host-filesystem
 keywords:
diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.1.0/template.yaml b/artifacthub/library/pod-security-policy/host-filesystem/1.1.0/template.yaml
index 8281e5d59..6158ec1ca 100644
--- a/artifacthub/library/pod-security-policy/host-filesystem/1.1.0/template.yaml
+++ b/artifacthub/library/pod-security-policy/host-filesystem/1.1.0/template.yaml
@@ -53,7 +53,7 @@ spec: expression: 'variables.containers + variables.initContainers + variables.ephemeralContainers' - name: allowedPaths expression: | - !has(variables.params) ? [] : (!has(variables.params.allowedHostPaths) ? [] : variables.params.allowedHostPaths) + !has(variables.params.allowedHostPaths) ? [] : variables.params.allowedHostPaths - name: volumes expression: | variables.anyObject.spec.volumes.filter(volume, has(volume.hostPath)) @@ -66,7 +66,7 @@ spec: (!has(allowedPath.readOnly) || !(allowedPath.readOnly)) || (has(allowedPath.readOnly) && allowedPath.readOnly && !variables.allContainers.exists(c, c.volumeMounts.exists(m, m.name == volume.name && (!has(m.readOnly) || !m.readOnly))))))) - ).map(volume, "{ hostPath: { path : " + volume.hostPath.path + " }, name: " + volume.name + "}").map(volume, "HostPath volume " + volume + " is not allowed, pod: " + variables.anyObject.metadata.name + ". Allowed path: " + variables.allowedPaths.map(path, "{ pathPrefix: " + path.pathPrefix + ", readOnly: " + path.readOnly + "}").join(", ")) + ).map(volume, "{ hostPath: { path : " + volume.hostPath.path + " }, name: " + volume.name + "}").map(volume, "HostPath volume " + volume + " is not allowed, pod: " + object.metadata.name + ". Allowed path: " + variables.allowedPaths.map(path, path.pathPrefix + ", readOnly: " + (path.readOnly ? "true" : "false") + "}").join(", ")) validations: - expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.badHostPaths) == 0' messageExpression: 'variables.badHostPaths.join("\n")' diff --git a/library/pod-security-policy/host-filesystem/template.yaml b/library/pod-security-policy/host-filesystem/template.yaml index 8281e5d59..6158ec1ca 100644 --- a/library/pod-security-policy/host-filesystem/template.yaml +++ b/library/pod-security-policy/host-filesystem/template.yaml 
@@ -53,7 +53,7 @@ spec: expression: 'variables.containers + variables.initContainers + variables.ephemeralContainers' - name: allowedPaths expression: | - !has(variables.params) ? [] : (!has(variables.params.allowedHostPaths) ? [] : variables.params.allowedHostPaths) + !has(variables.params.allowedHostPaths) ? [] : variables.params.allowedHostPaths - name: volumes expression: | variables.anyObject.spec.volumes.filter(volume, has(volume.hostPath)) @@ -66,7 +66,7 @@ spec: (!has(allowedPath.readOnly) || !(allowedPath.readOnly)) || (has(allowedPath.readOnly) && allowedPath.readOnly && !variables.allContainers.exists(c, c.volumeMounts.exists(m, m.name == volume.name && (!has(m.readOnly) || !m.readOnly))))))) - ).map(volume, "{ hostPath: { path : " + volume.hostPath.path + " }, name: " + volume.name + "}").map(volume, "HostPath volume " + volume + " is not allowed, pod: " + variables.anyObject.metadata.name + ". Allowed path: " + variables.allowedPaths.map(path, "{ pathPrefix: " + path.pathPrefix + ", readOnly: " + path.readOnly + "}").join(", ")) + ).map(volume, "{ hostPath: { path : " + volume.hostPath.path + " }, name: " + volume.name + "}").map(volume, "HostPath volume " + volume + " is not allowed, pod: " + object.metadata.name + ". Allowed path: " + variables.allowedPaths.map(path, path.pathPrefix + ", readOnly: " + (path.readOnly ? "true" : "false") + "}").join(", ")) validations: - expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.badHostPaths) == 0' messageExpression: 'variables.badHostPaths.join("\n")' diff --git a/src/pod-security-policy/host-filesystem/src.cel b/src/pod-security-policy/host-filesystem/src.cel index 02fbc4925..3497a3e28 100644 --- a/src/pod-security-policy/host-filesystem/src.cel +++ b/src/pod-security-policy/host-filesystem/src.cel 
@@ -9,7 +9,7 @@ variables: expression: 'variables.containers + variables.initContainers + variables.ephemeralContainers' - name: allowedPaths expression: | - !has(variables.params) ? [] : (!has(variables.params.allowedHostPaths) ? [] : variables.params.allowedHostPaths) + !has(variables.params.allowedHostPaths) ? [] : variables.params.allowedHostPaths - name: volumes expression: | variables.anyObject.spec.volumes.filter(volume, has(volume.hostPath)) @@ -22,7 +22,7 @@ variables: (!has(allowedPath.readOnly) || !(allowedPath.readOnly)) || (has(allowedPath.readOnly) && allowedPath.readOnly && !variables.allContainers.exists(c, c.volumeMounts.exists(m, m.name == volume.name && (!has(m.readOnly) || !m.readOnly))))))) - ).map(volume, "{ hostPath: { path : " + volume.hostPath.path + " }, name: " + volume.name + "}").map(volume, "HostPath volume " + volume + " is not allowed, pod: " + variables.anyObject.metadata.name + ". Allowed path: " + variables.allowedPaths.map(path, "{ pathPrefix: " + path.pathPrefix + ", readOnly: " + path.readOnly + "}").join(", ")) + ).map(volume, "{ hostPath: { path : " + volume.hostPath.path + " }, name: " + volume.name + "}").map(volume, "HostPath volume " + volume + " is not allowed, pod: " + object.metadata.name + ". Allowed path: " + variables.allowedPaths.map(path, path.pathPrefix + ", readOnly: " + (path.readOnly ? "true" : "false") + "}").join(", ")) validations: - expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.badHostPaths) == 0' messageExpression: 'variables.badHostPaths.join("\n")' \ No newline at end of file diff --git a/website/docs/validation/host-filesystem.md b/website/docs/validation/host-filesystem.md index ccdc26659..07704e0bd 100644 --- a/website/docs/validation/host-filesystem.md +++ b/website/docs/validation/host-filesystem.md 
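Review bot: The rewritten message in the `badHostPaths` expression (second hunk, `@@ -22,7`) reads `path.readOnly` unconditionally in `(path.readOnly ? "true" : "false")`, while the filter two context lines above guards the same field with `has(allowedPath.readOnly)`, so an `allowedHostPaths` entry that omits `readOnly` will make the message expression fail with a no-such-key error instead of describing the rejected hostPath volume. Apply the same guard in the message: `(has(path.readOnly) && path.readOnly ? "true" : "false")`. The new string also drops the opening `"{ pathPrefix: "` but keeps the closing `"}"`, so each allowed path renders as `/foo, readOnly: true}`; restoring it gives `"{ pathPrefix: " + path.pathPrefix + ", readOnly: " + (has(path.readOnly) && path.readOnly ? "true" : "false") + "}"`. The identical expression is repeated in both `template.yaml` copies and in `website/docs/validation/host-filesystem.md`, which appear to be derived from this file, so they need the same correction.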
@@ -65,7 +65,7 @@ spec: expression: 'variables.containers + variables.initContainers + variables.ephemeralContainers' - name: allowedPaths expression: | - !has(variables.params) ? [] : (!has(variables.params.allowedHostPaths) ? [] : variables.params.allowedHostPaths) + !has(variables.params.allowedHostPaths) ? [] : variables.params.allowedHostPaths - name: volumes expression: | variables.anyObject.spec.volumes.filter(volume, has(volume.hostPath)) @@ -78,7 +78,7 @@ spec: (!has(allowedPath.readOnly) || !(allowedPath.readOnly)) || (has(allowedPath.readOnly) && allowedPath.readOnly && !variables.allContainers.exists(c, c.volumeMounts.exists(m, m.name == volume.name && (!has(m.readOnly) || !m.readOnly))))))) - ).map(volume, "{ hostPath: { path : " + volume.hostPath.path + " }, name: " + volume.name + "}").map(volume, "HostPath volume " + volume + " is not allowed, pod: " + variables.anyObject.metadata.name + ". Allowed path: " + variables.allowedPaths.map(path, "{ pathPrefix: " + path.pathPrefix + ", readOnly: " + path.readOnly + "}").join(", ")) + ).map(volume, "{ hostPath: { path : " + volume.hostPath.path + " }, name: " + volume.name + "}").map(volume, "HostPath volume " + volume + " is not allowed, pod: " + object.metadata.name + ". Allowed path: " + variables.allowedPaths.map(path, path.pathPrefix + ", readOnly: " + (path.readOnly ? "true" : "false") + "}").join(", ")) validations: - expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.badHostPaths) == 0' messageExpression: 'variables.badHostPaths.join("\n")'