Clean up validation for task and pipeline refs

pkg/apis/pipeline/v1beta1/pipelineref_types.go

@@ -0,0 +1,35 @@
+/*
+Copyright 2022 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+// PipelineRef can be used to refer to a specific instance of a Pipeline.
+type PipelineRef struct {
+	// Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names
+	Name string `json:"name,omitempty"`
+	// API version of the referent
+	// +optional
+	APIVersion string `json:"apiVersion,omitempty"`
+	// Bundle url reference to a Tekton Bundle.
+	// +optional
+	Bundle string `json:"bundle,omitempty"`
+
+	// ResolverRef allows referencing a Pipeline in a remote location
+	// like a git repo. This field is only supported when the alpha
+	// feature gate is enabled.
+	// +optional
+	ResolverRef `json:",omitempty"`
+}

pkg/apis/pipeline/v1beta1/pipelineref_validation.go

@@ -18,71 +18,58 @@ package v1beta1
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/tektoncd/pipeline/pkg/apis/config"
+	"github.com/tektoncd/pipeline/pkg/apis/version"
 	"knative.dev/pkg/apis"
 )
 
 // Validate ensures that a supplied PipelineRef field is populated
 // correctly. No errors are returned for a nil PipelineRef.
 func (ref *PipelineRef) Validate(ctx context.Context) (errs *apis.FieldError) {
-	cfg := config.FromContextOrDefaults(ctx)
 	if ref == nil {
 		return
 	}
-	if cfg.FeatureFlags.EnableAPIFields == config.AlphaAPIFields {
-		errs = errs.Also(ref.validateAlphaRef(ctx))
-	} else {
-		errs = errs.Also(ref.validateInTreeRef(ctx))
-	}
-	return
-}
-
-// validateInTreeRef returns errors if the given pipelineRef is not
-// valid for Pipelines' built-in resolution machinery.
-func (ref *PipelineRef) validateInTreeRef(ctx context.Context) (errs *apis.FieldError) {
-	cfg := config.FromContextOrDefaults(ctx)
-	if ref.Resolver != "" {
-		errs = errs.Also(apis.ErrDisallowedFields("resolver"))
-	}
-	if ref.Resource != nil {
-		errs = errs.Also(apis.ErrDisallowedFields("resource"))
-	}
-	if ref.Name == "" {
-		errs = errs.Also(apis.ErrMissingField("name"))
-	}
-	if cfg.FeatureFlags.EnableTektonOCIBundles {
-		if ref.Bundle != "" && ref.Name == "" {
-			errs = errs.Also(apis.ErrMissingField("name"))
-		}
-		if ref.Bundle != "" {
-			if _, err := name.ParseReference(ref.Bundle); err != nil {
-				errs = errs.Also(apis.ErrInvalidValue("invalid bundle reference", "bundle", err.Error()))
-			}
-		}
-	} else if ref.Bundle != "" {
-		errs = errs.Also(apis.ErrDisallowedFields("bundle"))
-	}
-	return
-}
 
-// validateAlphaRef ensures that the user has passed either a
-// valid remote resource reference or a valid in-tree resource reference,
-// but not both.
-func (ref *PipelineRef) validateAlphaRef(ctx context.Context) (errs *apis.FieldError) {
 	switch {
-	case ref.Resolver == "" && ref.Resource != nil:
-		errs = errs.Also(apis.ErrMissingField("resolver"))
-	case ref.Resolver == "":
-		errs = errs.Also(ref.validateInTreeRef(ctx))
-	default:
+	case ref.Resolver != "":
+		errs = errs.Also(version.ValidateEnabledAPIFields(ctx, "resolver", config.AlphaAPIFields).ViaField("resolver"))
 		if ref.Name != "" {
 			errs = errs.Also(apis.ErrMultipleOneOf("name", "resolver"))
 		}
 		if ref.Bundle != "" {
 			errs = errs.Also(apis.ErrMultipleOneOf("bundle", "resolver"))
 		}
+	case ref.Resource != nil:
+		errs = errs.Also(version.ValidateEnabledAPIFields(ctx, "resource", config.AlphaAPIFields).ViaField("resource"))
+		if ref.Name != "" {
+			errs = errs.Also(apis.ErrMultipleOneOf("name", "resource"))
+		}
+		if ref.Bundle != "" {
+			errs = errs.Also(apis.ErrMultipleOneOf("bundle", "resource"))
+		}
+		if ref.Resolver == "" {
+			errs = errs.Also(apis.ErrMissingField("resolver"))
+		}
+	case ref.Name == "":
+		errs = errs.Also(apis.ErrMissingField("name"))
+	case ref.Bundle != "":
+		errs = errs.Also(validateBundleFeatureFlag(ctx, "bundle", true).ViaField("bundle"))
+		if _, err := name.ParseReference(ref.Bundle); err != nil {
+			errs = errs.Also(apis.ErrInvalidValue("invalid bundle reference", "bundle", err.Error()))
+		}
 	}
 	return
 }
+
+func validateBundleFeatureFlag(ctx context.Context, featureName string, wantValue bool) *apis.FieldError {
+	flagValue := config.FromContextOrDefaults(ctx).FeatureFlags.EnableTektonOCIBundles
+	if flagValue != wantValue {
+		var errs *apis.FieldError
+		message := fmt.Sprintf(`%s requires "enable-tekton-oci-bundles" feature gate to be %t but it is %t`, featureName, wantValue, flagValue)
+		return errs.Also(apis.ErrGeneric(message))
+	}
+	return nil
+}

pkg/apis/pipeline/v1beta1/pipelineref_validation_test.go

@@ -0,0 +1,200 @@
+/*
+Copyright 2020 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/tektoncd/pipeline/pkg/apis/config"
+	"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
+	"github.com/tektoncd/pipeline/test/diff"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"knative.dev/pkg/apis"
+	logtesting "knative.dev/pkg/logging/testing"
+)
+
+func TestPipelineRef_Invalid(t *testing.T) {
+	tests := []struct {
+		name        string
+		ref         *v1beta1.PipelineRef
+		wantErr     *apis.FieldError
+		withContext func(context.Context) context.Context
+	}{{
+		name: "use of bundle without the feature flag set",
+		ref: &v1beta1.PipelineRef{
+			Name:   "my-pipeline",
+			Bundle: "docker.io/foo",
+		},
+		wantErr: apis.ErrGeneric("bundle requires \"enable-tekton-oci-bundles\" feature gate to be true but it is false"),
+	}, {
+		name: "bundle missing name",
+		ref: &v1beta1.PipelineRef{
+			Bundle: "docker.io/foo",
+		},
+		wantErr:     apis.ErrMissingField("name"),
+		withContext: enableTektonOCIBundles(t),
+	}, {
+		name: "invalid bundle reference",
+		ref: &v1beta1.PipelineRef{
+			Name:   "my-pipeline",
+			Bundle: "not a valid reference",
+		},
+		wantErr:     apis.ErrInvalidValue("invalid bundle reference", "bundle", "could not parse reference: not a valid reference"),
+		withContext: enableTektonOCIBundles(t),
+	}, {
+		name:    "pipelineRef without Pipeline Name",
+		ref:     &v1beta1.PipelineRef{},
+		wantErr: apis.ErrMissingField("name"),
+	}, {
+		name: "pipelineref resolver disallowed without alpha feature gate",
+		ref: &v1beta1.PipelineRef{
+			ResolverRef: v1beta1.ResolverRef{
+				Resolver: "foo",
+			},
+		},
+		wantErr: apis.ErrGeneric("resolver requires \"enable-api-fields\" feature gate to be \"alpha\" but it is \"stable\""),
+	}, {
+		name: "pipelineref resource disallowed without alpha feature gate",
+		ref: &v1beta1.PipelineRef{
+			ResolverRef: v1beta1.ResolverRef{
+				Resource: []v1beta1.ResolverParam{},
+			},
+		},
+		wantErr: apis.ErrMissingField("resolver").Also(apis.ErrGeneric("resource requires \"enable-api-fields\" feature gate to be \"alpha\" but it is \"stable\"")),
+	}, {
+		name: "pipelineref resource disallowed without resolver",
+		ref: &v1beta1.PipelineRef{
+			ResolverRef: v1beta1.ResolverRef{
+				Resource: []v1beta1.ResolverParam{},
+			},
+		},
+		wantErr:     apis.ErrMissingField("resolver"),
+		withContext: enableAlphaAPIFields,
+	}, {
+		name: "pipelineref resolver disallowed in conjunction with pipelineref name",
+		ref: &v1beta1.PipelineRef{
+			Name: "foo",
+			ResolverRef: v1beta1.ResolverRef{
+				Resolver: "bar",
+			},
+		},
+		wantErr:     apis.ErrMultipleOneOf("name", "resolver"),
+		withContext: enableAlphaAPIFields,
+	}, {
+		name: "pipelineref resolver disallowed in conjunction with pipelineref bundle",
+		ref: &v1beta1.PipelineRef{
+			Bundle: "foo",
+			ResolverRef: v1beta1.ResolverRef{
+				Resolver: "baz",
+			},
+		},
+		wantErr:     apis.ErrMultipleOneOf("bundle", "resolver"),
+		withContext: enableAlphaAPIFields,
+	}, {
+		name: "pipelineref resource disallowed in conjunction with pipelineref name",
+		ref: &v1beta1.PipelineRef{
+			Name: "bar",
+			ResolverRef: v1beta1.ResolverRef{
+				Resource: []v1beta1.ResolverParam{{
+					Name:  "foo",
+					Value: "bar",
+				}},
+			},
+		},
+		wantErr:     apis.ErrMultipleOneOf("name", "resource").Also(apis.ErrMissingField("resolver")),
+		withContext: enableAlphaAPIFields,
+	}, {
+		name: "pipelineref resource disallowed in conjunction with pipelineref bundle",
+		ref: &v1beta1.PipelineRef{
+			Bundle: "bar",
+			ResolverRef: v1beta1.ResolverRef{
+				Resource: []v1beta1.ResolverParam{{
+					Name:  "foo",
+					Value: "bar",
+				}},
+			},
+		},
+		wantErr:     apis.ErrMultipleOneOf("bundle", "resource").Also(apis.ErrMissingField("resolver")),
+		withContext: enableAlphaAPIFields,
+	}}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			ctx := context.Background()
+			if tc.withContext != nil {
+				ctx = tc.withContext(ctx)
+			}
+			err := tc.ref.Validate(ctx)
+			if d := cmp.Diff(tc.wantErr.Error(), err.Error()); d != "" {
+				t.Error(diff.PrintWantGot(d))
+			}
+		})
+	}
+}
+
+func TestPipelineRef_Valid(t *testing.T) {
+	tests := []struct {
+		name string
+		ref  *v1beta1.PipelineRef
+		wc   func(context.Context) context.Context
+	}{{
+		name: "no pipelineRef",
+		ref:  nil,
+	}, {
+		name: "alpha feature: valid resolver",
+		ref:  &v1beta1.PipelineRef{ResolverRef: v1beta1.ResolverRef{Resolver: "git"}},
+		wc:   enableAlphaAPIFields,
+	}, {
+		name: "alpha feature: valid resolver with resource parameters",
+		ref: &v1beta1.PipelineRef{ResolverRef: v1beta1.ResolverRef{Resolver: "git", Resource: []v1beta1.ResolverParam{{
+			Name:  "repo",
+			Value: "https://github.com/tektoncd/pipeline.git",
+		}, {
+			Name:  "branch",
+			Value: "baz",
+		}}}},
+		wc: enableAlphaAPIFields,
+	}}
+
+	for _, ts := range tests {
+		t.Run(ts.name, func(t *testing.T) {
+			ctx := context.Background()
+			if ts.wc != nil {
+				ctx = ts.wc(ctx)
+			}
+			if err := ts.ref.Validate(ctx); err != nil {
+				t.Error(err)
+			}
+		})
+	}
+}
+
+func enableTektonOCIBundles(t *testing.T) func(context.Context) context.Context {
+	return func(ctx context.Context) context.Context {
+		s := config.NewStore(logtesting.TestLogger(t))
+		s.OnConfigChanged(&corev1.ConfigMap{
+			ObjectMeta: metav1.ObjectMeta{Name: config.GetFeatureFlagsConfigName()},
+			Data: map[string]string{
+				"enable-tekton-oci-bundles": "true",
+			},
+		})
+		return s.ToContext(ctx)
+	}
+}

pkg/apis/pipeline/v1beta1/pipelinerun_types.go

@@ -265,25 +265,6 @@ const (
 	PipelineRunSpecStatusPending = "PipelineRunPending"
 )
 
-// PipelineRef can be used to refer to a specific instance of a Pipeline.
-// Copied from CrossVersionObjectReference: https://github.com/kubernetes/kubernetes/blob/169df7434155cbbc22f1532cba8e0a9588e29ad8/pkg/apis/autoscaling/types.go#L64
-type PipelineRef struct {
-	// Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names
-	Name string `json:"name,omitempty"`
-	// API version of the referent
-	// +optional
-	APIVersion string `json:"apiVersion,omitempty"`
-	// Bundle url reference to a Tekton Bundle.
-	// +optional
-	Bundle string `json:"bundle,omitempty"`
-
-	// ResolverRef allows referencing a Pipeline in a remote location
-	// like a git repo. This field is only supported when the alpha
-	// feature gate is enabled.
-	// +optional
-	ResolverRef `json:",omitempty"`
-}
-
 // PipelineRunStatus defines the observed state of PipelineRun
 type PipelineRunStatus struct {
 	duckv1beta1.Status `json:",inline"`