argoproj · jannfis · Aug 23, 2024 · Aug 23, 2024
@@ -580,7 +580,7 @@ func (r *ApplicationSetReconciler) applyTemplatePatch(app *argov1alpha1.Applicat
 func ignoreNotAllowedNamespaces(namespaces []string) predicate.Predicate {
 	return predicate.Funcs{
 		CreateFunc: func(e event.CreateEvent) bool {
-			return glob.MatchStringInList(namespaces, e.Object.GetNamespace(), false)
+			return glob.MatchStringInList(namespaces, e.Object.GetNamespace(), glob.GLOB)
 		},
 	}
 }

@@ -2011,7 +2011,7 @@ func (ctrl *ApplicationController) shouldSelfHeal(app *appv1.Application) (bool,
 // isAppNamespaceAllowed returns whether the application is allowed in the
 // namespace it's residing in.
 func (ctrl *ApplicationController) isAppNamespaceAllowed(app *appv1.Application) bool {
-	return app.Namespace == ctrl.namespace || glob.MatchStringInList(ctrl.applicationNamespaces, app.Namespace, false)
+	return app.Namespace == ctrl.namespace || glob.MatchStringInList(ctrl.applicationNamespaces, app.Namespace, glob.GLOB)
 }
 
 func (ctrl *ApplicationController) canProcessApp(obj interface{}) bool {

@@ -42,8 +42,11 @@ In order for an application to be managed and reconciled outside the Argo CD's c
 
 In order to enable this feature, the Argo CD administrator must reconfigure the `argocd-server` and `argocd-application-controller` workloads to add the `--application-namespaces` parameter to the container's startup command.
 
-The `--application-namespaces` parameter takes a comma-separated list of namespaces where `Applications` are to be allowed in. Each entry of the list supports shell-style wildcards such as `*`, so for example the entry `app-team-*` would match `app-team-one` and `app-team-two`. To enable all namespaces on the cluster where Argo CD is running on, you can just specify `*`, i.e. `--application-namespaces=*`.
+The `--application-namespaces` parameter takes a comma-separated list of namespaces where `Applications` are to be allowed in. Each entry of the list supports:
 
+- shell-style wildcards such as `*`, so for example the entry `app-team-*` would match `app-team-one` and `app-team-two`. To enable all namespaces on the cluster where Argo CD is running on, you can just specify `*`, i.e. `--application-namespaces=*`.
+- regex, requires wrapping the string in ```/```, example to allow all namespaces except a particular one: ```/^((?!not-allowed).)*$/```.
+
 The startup parameters for both, the `argocd-server` and the `argocd-application-controller` can also be conveniently set up and kept in sync by specifying the `application.namespaces` settings in the `argocd-cmd-params-cm` ConfigMap _instead_ of changing the manifests for the respective workloads. For example:
 
 ```yaml

@@ -187,6 +187,7 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/desertbit/timer v0.0.0-20180107155436-c41aec40b27f // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
+	github.com/dlclark/regexp2 v1.11.2
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/evanphx/json-patch/v5 v5.8.0 // indirect

@@ -843,6 +843,8 @@ github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/r
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0=
 github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
+github.com/dlclark/regexp2 v1.11.2 h1:/u628IuisSTwri5/UKloiIsH8+qF2Pu7xEQX+yIKg68=
+github.com/dlclark/regexp2 v1.11.2/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/dnaeon/go-vcr v1.1.0 h1:ReYa/UBrRyQdant9B4fNHGoCNKw6qh6P0fsdGmZpR7c=
 github.com/dnaeon/go-vcr v1.1.0/go.mod h1:M7tiix8f0r6mKKJ3Yq/kqU1OYf3MnfmBWVbPx/yU9ko=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=

@@ -122,7 +122,7 @@ func NewController(
 
 // Check if app is not in the namespace where the controller is in, and also app is not in one of the applicationNamespaces
 func checkAppNotInAdditionalNamespaces(app *unstructured.Unstructured, namespace string, applicationNamespaces []string) bool {
-	return namespace != app.GetNamespace() && !glob.MatchStringInList(applicationNamespaces, app.GetNamespace(), false)
+	return namespace != app.GetNamespace() && !glob.MatchStringInList(applicationNamespaces, app.GetNamespace(), glob.GLOB)
 }
 
 func (c *notificationController) alterDestinations(obj v1.Object, destinations services.Destinations, cfg api.Config) services.Destinations {
@@ -151,7 +151,7 @@ func newInformer(resClient dynamic.ResourceInterface, controllerNamespace string
 				}
 				newItems := []unstructured.Unstructured{}
 				for _, res := range appList.Items {
-					if controllerNamespace == res.GetNamespace() || glob.MatchStringInList(applicationNamespaces, res.GetNamespace(), false) {
+					if controllerNamespace == res.GetNamespace() || glob.MatchStringInList(applicationNamespaces, res.GetNamespace(), glob.GLOB) {
 						newItems = append(newItems, res)
 					}
 				}

@@ -562,5 +562,5 @@ func (p AppProject) IsAppNamespacePermitted(app *Application, controllerNs strin
 		return true
 	}
 
-	return glob.MatchStringInList(p.Spec.SourceNamespaces, app.Namespace, false)
+	return glob.MatchStringInList(p.Spec.SourceNamespaces, app.Namespace, glob.GLOB)
 }
@@ -1132,7 +1132,7 @@ func GetAppEventLabels(app *argoappv1.Application, projLister applicationsv1.App
 	// Filter out event labels to include
 	inKeys := settingsManager.GetIncludeEventLabelKeys()
 	for k, v := range labels {
-		found := glob.MatchStringInList(inKeys, k, false)
+		found := glob.MatchStringInList(inKeys, k, glob.GLOB)
 		if found {
 			eventLabels[k] = v
 		}
@@ -1141,7 +1141,7 @@ func GetAppEventLabels(app *argoappv1.Application, projLister applicationsv1.App
 	// Remove excluded event labels
 	exKeys := settingsManager.GetExcludeEventLabelKeys()
 	for k := range eventLabels {
-		found := glob.MatchStringInList(exKeys, k, false)
+		found := glob.MatchStringInList(exKeys, k, glob.GLOB)
 		if found {
 			delete(eventLabels, k)
 		}

@@ -31,26 +31,28 @@ func Test_Match(t *testing.T) {
 
 func Test_MatchList(t *testing.T) {
 	tests := []struct {
-		name   string
-		input  string
-		list   []string
-		exact  bool
-		result bool
+		name         string
+		input        string
+		list         []string
+		patternMatch string
+		result       bool
 	}{
-		{"Exact name in list", "test", []string{"test"}, true, true},
-		{"Exact name not in list", "test", []string{"other"}, true, false},
-		{"Exact name not in list, multiple elements", "test", []string{"some", "other"}, true, false},
-		{"Exact name not in list, list empty", "test", []string{}, true, false},
-		{"Exact name not in list, empty element", "test", []string{""}, true, false},
-		{"Glob name in list, but exact wanted", "test", []string{"*"}, true, false},
-		{"Glob name in list with simple wildcard", "test", []string{"*"}, false, true},
-		{"Glob name in list without wildcard", "test", []string{"test"}, false, true},
-		{"Glob name in list, multiple elements", "test", []string{"other*", "te*"}, false, true},
+		{"Exact name in list", "test", []string{"test"}, EXACT, true},
+		{"Exact name not in list", "test", []string{"other"}, EXACT, false},
+		{"Exact name not in list, multiple elements", "test", []string{"some", "other"}, EXACT, false},
+		{"Exact name not in list, list empty", "test", []string{}, EXACT, false},
+		{"Exact name not in list, empty element", "test", []string{""}, EXACT, false},
+		{"Glob name in list, but exact wanted", "test", []string{"*"}, EXACT, false},
+		{"Glob name in list with simple wildcard", "test", []string{"*"}, GLOB, true},
+		{"Glob name in list without wildcard", "test", []string{"test"}, GLOB, true},
+		{"Glob name in list, multiple elements", "test", []string{"other*", "te*"}, GLOB, true},
+		{"match everything but specified word: fail", "disallowed", []string{"/^((?!disallowed).)*$/"}, REGEXP, false},
+		{"match everything but specified word: pass", "allowed", []string{"/^((?!disallowed).)*$/"}, REGEXP, true},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			res := MatchStringInList(tt.list, tt.input, tt.exact)
+			res := MatchStringInList(tt.list, tt.input, tt.patternMatch)
 			assert.Equal(t, tt.result, res)
 		})
 	}

@@ -1,10 +1,30 @@
 package glob
 
-// MatchStringInList will return true if item is contained in list. If
-// exactMatch is set to false, list may contain globs to be matched.
-func MatchStringInList(list []string, item string, exactMatch bool) bool {
+import (
+	"strings"
+
+	"github.com/argoproj/argo-cd/v2/util/regex"
+)
+
+const (
+	EXACT  = "exact"
+	GLOB   = "glob"
+	REGEXP = "regexp"
+)
+
+// MatchStringInList will return true if item is contained in list.
+// patternMatch; can be set to  exact, glob, regexp.
+// If patternMatch; is set to exact, the item must be an exact match.
+// If patternMatch; is set to glob, the item must match a glob pattern.
+// If patternMatch; is set to regexp, the item must match a regular expression or glob.
+func MatchStringInList(list []string, item string, patternMatch string) bool {
 	for _, ll := range list {
-		if item == ll || (!exactMatch && Match(ll, item)) {
+		// If string is wrapped in "/", assume it is a regular expression.
+		if patternMatch == REGEXP && strings.HasPrefix(ll, "/") && strings.HasSuffix(ll, "/") && regex.Match(ll[1:len(ll)-1], item) {
+			return true
+		} else if (patternMatch == REGEXP || patternMatch == GLOB) && Match(ll, item) {
+			return true
+		} else if patternMatch == EXACT && item == ll {
 			return true
 		}
 	}

@@ -0,0 +1,20 @@
+package regex
+
+import (
+	"github.com/dlclark/regexp2"
+	log "github.com/sirupsen/logrus"
+)
+
+func Match(pattern, text string) bool {
+	compiledRegex, err := regexp2.Compile(pattern, 0)
+	if err != nil {
+		log.Warnf("failed to compile pattern %s due to error %v", pattern, err)
+		return false
+	}
+	regexMatch, err := compiledRegex.MatchString(text)
+	if err != nil {
+		log.Warnf("failed to match pattern %s due to error %v", pattern, err)
+		return false
+	}
+	return regexMatch
+}
@@ -7,7 +7,7 @@ import (
 )
 
 func IsNamespaceEnabled(namespace string, serverNamespace string, enabledNamespaces []string) bool {
-	return namespace == serverNamespace || glob.MatchStringInList(enabledNamespaces, namespace, false)
+	return namespace == serverNamespace || glob.MatchStringInList(enabledNamespaces, namespace, glob.REGEXP)
 }
 
 func NamespaceNotPermittedError(namespace string) error {

@@ -49,6 +49,20 @@ func Test_IsNamespaceEnabled(t *testing.T) {
 			[]string{"allowed"},
 			false,
 		},
+		{
+			"match everything but specified word: fail",
+			"disallowed",
+			"argocd",
+			[]string{"/^((?!disallowed).)*$/"},
+			false,
+		},
+		{
+			"match everything but specified word: pass",
+			"allowed",
+			"argocd",
+			[]string{"/^((?!disallowed).)*$/"},
+			true,
+		},
 	}
 
 	for _, tc := range testCases {

@@ -278,7 +278,7 @@ func (a *ArgoCDWebhookHandler) HandleEvent(payload interface{}) {
 	// nor in the list of enabled namespaces.
 	var filteredApps []v1alpha1.Application
 	for _, app := range apps.Items {
-		if app.Namespace == a.ns || glob.MatchStringInList(a.appNs, app.Namespace, false) {
+		if app.Namespace == a.ns || glob.MatchStringInList(a.appNs, app.Namespace, glob.GLOB) {
 			filteredApps = append(filteredApps, app)
 		}
 	}