Simplify threshold calculation

Author: J12934

main.go

@@ -27,9 +27,8 @@ type scanDeduplicatorValidator struct {
 }
 
 func (v *scanDeduplicatorValidator) Validate(_ context.Context, _ *kwhmodel.AdmissionReview, obj metav1.Object) (*kwhvalidating.ValidatorResult, error) {
-	scan, ok := obj.(*executionv1.Scan)
-
 	v.logger.Infof("Validating Scan.")
+	scan, ok := obj.(*executionv1.Scan)
 
 	if !ok {
 		return nil, fmt.Errorf("not an scan")
@@ -56,7 +55,17 @@ func (v *scanDeduplicatorValidator) Validate(_ context.Context, _ *kwhmodel.Admi
 
 	if lastExecution, ok := recentHashes[hash]; ok {
 		now := time.Now()
-		threshhold := thresholds.GetThreshholdForScan(*scan)
+		threshhold, err := thresholds.GetThreshholdForScan(*scan)
+
+		if err != nil {
+			v.logger.Errorf("Failed to get threshold for scan!", err)
+			return &kwhvalidating.ValidatorResult{
+				Valid:    true,
+				Message:  fmt.Sprintf("Failed to check for duplicated scan. Failed to get threshold: %s", err),
+				Warnings: []string{"Failed to get threshold.", "Deduplication wasn't performed."},
+			}, err
+		}
+
 		if lastExecution.Before(now.Add(-threshhold)) {
 			v.logger.Infof("Scan was executed before (%v ago), but it was longer than %v. Starting it normally.", now.Sub(lastExecution), threshhold)
 			recentHashes[hash] = now

thresholds/thesholds_test.go

@@ -10,29 +10,55 @@ import (
 )
 
 func TestGetThreshholdForScan(t *testing.T) {
-	t.Run("returns zero threshold for scans without matching labels", func(t *testing.T) {
+	t.Run("returns zero threshold for scans without deduplication annotation", func(t *testing.T) {
 		scan := executionv1.Scan{
 			ObjectMeta: metav1.ObjectMeta{
-				Labels: map[string]string{
-					"foo": "bar",
+				Annotations: map[string]string{
+					"irrelevant annotation": "...",
 				},
 			},
 		}
-		threshold := GetThreshholdForScan(scan)
+		threshold, err := GetThreshholdForScan(scan)
+		assert.Nil(t, err)
 		assert.Equal(t, 0*time.Second, threshold)
 	})
 
-	t.Run("returns matchign thresholds for scnas with matching rules threshold for scans without matching labels", func(t *testing.T) {
+	t.Run("returns parsed threshold for scans with matching annotation", func(t *testing.T) {
 		scan := executionv1.Scan{
 			ObjectMeta: metav1.ObjectMeta{
-				Labels: map[string]string{
-					"securecodebox.io/hook":                     "cascading-scans",
-					"cascading.securecodebox.io/cascading-rule": "nmap-portscan",
-					"foo": "bar",
+				Annotations: map[string]string{
+					"scan-deduplicator.securecodebox.io/min-time-interval": "24h",
 				},
 			},
 		}
-		threshold := GetThreshholdForScan(scan)
-		assert.Equal(t, 4*time.Hour, threshold)
+		threshold, err := GetThreshholdForScan(scan)
+		assert.Nil(t, err)
+		assert.Equal(t, 24*time.Hour, threshold)
+	})
+
+	t.Run("returns an error if the threshold is wrongly formatted", func(t *testing.T) {
+		scan := executionv1.Scan{
+			ObjectMeta: metav1.ObjectMeta{
+				Annotations: map[string]string{
+					"scan-deduplicator.securecodebox.io/min-time-interval": "invalid-time-format",
+				},
+			},
+		}
+		threshold, err := GetThreshholdForScan(scan)
+		assert.EqualError(t, err, "error parsing duration: time: invalid duration \"invalid-time-format\"")
+		assert.Equal(t, 0*time.Second, threshold)
+	})
+
+	t.Run("returns an error if the threshold is negative", func(t *testing.T) {
+		scan := executionv1.Scan{
+			ObjectMeta: metav1.ObjectMeta{
+				Annotations: map[string]string{
+					"scan-deduplicator.securecodebox.io/min-time-interval": "-24h",
+				},
+			},
+		}
+		threshold, err := GetThreshholdForScan(scan)
+		assert.EqualError(t, err, "threshold must be a positive duration")
+		assert.Equal(t, 0*time.Second, threshold)
 	})
 }

thresholds/thresholds.go

@@ -1,52 +1,26 @@
 package thresholds
 
 import (
-	"math"
+	"fmt"
 	"time"
 
 	executionv1 "github.com/secureCodeBox/secureCodeBox/operator/apis/execution/v1"
 )
 
-type ThreshholdRule struct {
-	MatchLabels map[string]string
-	Threshold   time.Duration
-}
-
-var rules []ThreshholdRule = []ThreshholdRule{
-	// default fallback, no limitation
-	{
-		MatchLabels: map[string]string{},
-		Threshold:   0 * time.Second,
-	},
-	{
-		MatchLabels: map[string]string{
-			"securecodebox.io/hook":                     "cascading-scans",
-			"cascading.securecodebox.io/cascading-rule": "nmap-portscan",
-		},
-		Threshold: 4 * time.Hour,
-	},
-}
-
-func GetThreshholdForScan(scan executionv1.Scan) time.Duration {
-	highestMatchingThreshold := time.Duration(math.MinInt64)
-	for _, rule := range rules {
-		if isMapSubset(scan.Labels, rule.MatchLabels) {
-			if highestMatchingThreshold < rule.Threshold {
-				highestMatchingThreshold = rule.Threshold
-			}
-		}
+func GetThreshholdForScan(scan executionv1.Scan) (time.Duration, error) {
+	thresholdStr, ok := scan.Annotations["scan-deduplicator.securecodebox.io/min-time-interval"]
+	if !ok {
+		return 0 * time.Second, nil
 	}
-	return highestMatchingThreshold
-}
 
-func isMapSubset[K, V comparable](m, sub map[K]V) bool {
-	if len(sub) > len(m) {
-		return false
+	threshold, err := time.ParseDuration(thresholdStr)
+	if err != nil {
+		return 0, fmt.Errorf("error parsing duration: %w", err)
 	}
-	for k, vsub := range sub {
-		if vm, found := m[k]; !found || vm != vsub {
-			return false
-		}
+
+	if threshold < 0 {
+		return 0, fmt.Errorf("threshold must be a positive duration")
 	}
-	return true
+
+	return threshold, nil
 }