Internal Changes

PiperOrigin-RevId: 910292784

Author: l46kok

bundle/src/main/java/dev/cel/bundle/BUILD.bazel

@@ -104,6 +104,7 @@ java_library(
         ":required_fields_checker",
         "//:auto_value",
         "//bundle:cel",
+        "//checker:proto_type_mask",
         "//checker:standard_decl",
         "//common:compiler_common",
         "//common:container",

bundle/src/main/java/dev/cel/bundle/CelEnvironment.java

@@ -30,6 +30,7 @@
 import dev.cel.checker.CelStandardDeclarations;
 import dev.cel.checker.CelStandardDeclarations.StandardFunction;
 import dev.cel.checker.CelStandardDeclarations.StandardOverload;
+import dev.cel.checker.ProtoTypeMask;
 import dev.cel.common.CelContainer;
 import dev.cel.common.CelFunctionDecl;
 import dev.cel.common.CelOptions;
@@ -134,6 +135,9 @@ public abstract class CelEnvironment {
   /** Limits to set in the environment. */
   public abstract ImmutableSet<Limit> limits();
 
+  /** Context variable to enable in the environment. */
+  public abstract Optional<ContextVariable> contextVariable();
+
   /** Builder for {@link CelEnvironment}. */
   @AutoValue.Builder
   public abstract static class Builder {
@@ -199,6 +203,8 @@ public Builder setLimits(Limit... limits) {
 
     public abstract Builder setLimits(ImmutableSet<Limit> limits);
 
+    public abstract Builder setContextVariable(ContextVariable contextVariable);
+
     abstract CelEnvironment autoBuild();
 
     @CheckReturnValue
@@ -258,6 +264,12 @@ public CelCompiler extend(CelCompiler celCompiler, CelOptions celOptions)
 
       applyStandardLibrarySubset(compilerBuilder);
 
+      contextVariable()
+          .ifPresent(
+              cv ->
+                  compilerBuilder.addProtoTypeMasks(
+                      ProtoTypeMask.ofAllFields(cv.typeName()).withFieldsAsVariableDeclarations()));
+
       return compilerBuilder.build();
     } catch (RuntimeException e) {
       throw new CelEnvironmentException(e.getMessage(), e);
@@ -406,6 +418,17 @@ private static CanonicalCelExtension getExtensionOrThrow(String extensionName) {
     return extension;
   }
 
+  /** Represents a context variable declaration. */
+  @AutoValue
+  public abstract static class ContextVariable {
+    /** Fully qualified type name of the context variable. */
+    public abstract String typeName();
+
+    public static ContextVariable create(String typeName) {
+      return new AutoValue_CelEnvironment_ContextVariable(typeName);
+    }
+  }
+
   /** Represents a policy variable declaration. */
   @AutoValue
   public abstract static class VariableDecl {

bundle/src/main/java/dev/cel/bundle/CelEnvironmentYamlParser.java

@@ -28,6 +28,7 @@
 import com.google.common.collect.ImmutableSet;
 import com.google.errorprone.annotations.CanIgnoreReturnValue;
 import dev.cel.bundle.CelEnvironment.Alias;
+import dev.cel.bundle.CelEnvironment.ContextVariable;
 import dev.cel.bundle.CelEnvironment.ExtensionConfig;
 import dev.cel.bundle.CelEnvironment.FunctionDecl;
 import dev.cel.bundle.CelEnvironment.LibrarySubset;
@@ -320,6 +321,36 @@ private ImmutableSet<String> parseAbbreviations(ParserContext<Node> ctx, Node no
     return builder.build();
   }
 
+  private ContextVariable parseContextVariable(ParserContext<Node> ctx, Node node) {
+    long id = ctx.collectMetadata(node);
+    if (!assertYamlType(ctx, id, node, YamlNodeType.MAP)) {
+      return ContextVariable.create("");
+    }
+
+    MappingNode mapNode = (MappingNode) node;
+    String typeName = "";
+    for (NodeTuple nodeTuple : mapNode.getValue()) {
+      Node keyNode = nodeTuple.getKeyNode();
+      long keyId = ctx.collectMetadata(keyNode);
+      Node valueNode = nodeTuple.getValueNode();
+      String keyName = ((ScalarNode) keyNode).getValue();
+      switch (keyName) {
+        case "type_name":
+          typeName = newString(ctx, valueNode);
+          break;
+        default:
+          ctx.reportError(keyId, String.format("Unsupported context_variable tag: %s", keyName));
+          break;
+      }
+    }
+
+    if (typeName.isEmpty()) {
+      ctx.reportError(id, "Missing required attribute(s): type_name");
+    }
+
+    return ContextVariable.create(typeName);
+  }
+
   private ImmutableSet<VariableDecl> parseVariables(ParserContext<Node> ctx, Node node) {
     long valueId = ctx.collectMetadata(node);
     ImmutableSet.Builder<VariableDecl> variableSetBuilder = ImmutableSet.builder();
@@ -900,6 +931,9 @@ private CelEnvironment.Builder parseConfig(ParserContext<Node> ctx, Node node) {
           case "limits":
             builder.setLimits(parseLimits(ctx, valueNode));
             break;
+          case "context_variable":
+            builder.setContextVariable(parseContextVariable(ctx, valueNode));
+            break;
           default:
             ctx.reportError(id, "Unknown config tag: " + fieldName);
             // continue handling the rest of the nodes

conformance/src/test/java/dev/cel/conformance/policy/BUILD.bazel

@@ -12,6 +12,12 @@ java_library(
     deps = [
         "//:auto_value",
         "//bundle:cel",
+        "//common/formats:value_string",
+        "//common/formats:yaml_helper",
+        "//policy",
+        "//policy:parser",
+        "//policy:parser_factory",
+        "//policy:policy_parser_context",
         "//runtime:function_binding",
         "//testing/testrunner:cel_expression_source",
         "//testing/testrunner:cel_test_context",
@@ -23,5 +29,6 @@ java_library(
         "@maven//:com_google_guava_guava",
         "@maven//:com_google_protobuf_protobuf_java",
         "@maven//:junit_junit",
+        "@maven//:org_yaml_snakeyaml",
     ],
 )

conformance/src/test/java/dev/cel/conformance/policy/K8sTestTagHandler.java

@@ -0,0 +1,123 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package dev.cel.conformance.policy;
+
+import static dev.cel.common.formats.YamlHelper.assertYamlType;
+
+import dev.cel.common.formats.ValueString;
+import dev.cel.common.formats.YamlHelper.YamlNodeType;
+import dev.cel.policy.CelPolicy;
+import dev.cel.policy.CelPolicy.Match;
+import dev.cel.policy.CelPolicyParser.TagVisitor;
+import dev.cel.policy.PolicyParserContext;
+import java.util.IdentityHashMap;
+import java.util.Map;
+import org.yaml.snakeyaml.nodes.Node;
+import org.yaml.snakeyaml.nodes.SequenceNode;
+
+/**
+ * K8sTestTagHandler is a {@link TagVisitor} implementation to support parsing Kubernetes
+ * ValidatingAdmissionPolicy structures in conformance tests.
+ */
+public final class K8sTestTagHandler implements TagVisitor<Node> {
+
+  private final Map<Match.Builder, Boolean> messageExpressionSeen = new IdentityHashMap<>();
+
+  @Override
+  public void visitPolicyTag(
+      PolicyParserContext<Node> ctx,
+      long id,
+      String tagName,
+      Node node,
+      CelPolicy.Builder policyBuilder) {
+    switch (tagName) {
+      case "kind":
+        policyBuilder.putMetadata("kind", ctx.newYamlString(node).value());
+        break;
+      case "metadata":
+        assertYamlType(ctx, id, node, YamlNodeType.MAP);
+        break;
+      case "spec":
+        CelPolicy.Rule spec = ctx.parseRule(ctx, policyBuilder, node);
+        policyBuilder.setRule(spec);
+        break;
+      default:
+        ctx.reportError(id, String.format("Unsupported policy tag: %s", tagName));
+        break;
+    }
+  }
+
+  @Override
+  public void visitRuleTag(
+      PolicyParserContext<Node> ctx,
+      long id,
+      String tagName,
+      Node node,
+      CelPolicy.Builder policyBuilder,
+      CelPolicy.Rule.Builder ruleBuilder) {
+    switch (tagName) {
+      case "failurePolicy":
+        policyBuilder.putMetadata(tagName, ctx.newYamlString(node).value());
+        break;
+      case "matchConstraints":
+        assertYamlType(ctx, id, node, YamlNodeType.MAP);
+        break;
+      case "validations":
+        if (!assertYamlType(ctx, id, node, YamlNodeType.LIST)) {
+          return;
+        }
+        SequenceNode seqNode = (SequenceNode) node;
+        for (Node valNode : seqNode.getValue()) {
+          ruleBuilder.addMatches(ctx.parseMatch(ctx, policyBuilder, valNode));
+        }
+        break;
+      default:
+        ctx.reportError(id, String.format("Unsupported rule tag: %s", tagName));
+        break;
+    }
+  }
+
+  @Override
+  public void visitMatchTag(
+      PolicyParserContext<Node> ctx,
+      long id,
+      String tagName,
+      Node node,
+      CelPolicy.Builder policyBuilder,
+      CelPolicy.Match.Builder matchBuilder) {
+    switch (tagName) {
+      case "expression":
+        // The K8s expression to validate must return false in order to generate a violation
+        // message.
+        ValueString condition = ctx.newSourceString(node);
+        String invertedCondition = "!(" + condition.value() + ")";
+        matchBuilder.setCondition(ValueString.of(condition.id(), invertedCondition));
+
+        // If we haven't handled messageExpression yet, set the default output.
+        if (!messageExpressionSeen.getOrDefault(matchBuilder, false)) {
+          matchBuilder.setResult(
+              Match.Result.ofOutput(ValueString.of(ctx.nextId(), "'invalid admission request'")));
+        }
+        break;
+      case "messageExpression":
+        matchBuilder.setResult(Match.Result.ofOutput(ctx.newSourceString(node)));
+        messageExpressionSeen.put(matchBuilder, true);
+        break;
+      default:
+        ctx.reportError(id, String.format("Unsupported match tag: %s", tagName));
+        break;
+    }
+  }
+}

conformance/src/test/java/dev/cel/conformance/policy/PolicyConformanceTest.java

@@ -18,6 +18,7 @@
 import dev.cel.bundle.Cel;
 import dev.cel.bundle.CelFactory;
 import dev.cel.expr.conformance.proto3.TestAllTypes;
+import dev.cel.policy.CelPolicyParserFactory;
 import dev.cel.runtime.CelFunctionBinding;
 import dev.cel.testing.testrunner.CelExpressionSource;
 import dev.cel.testing.testrunner.CelTestContext;
@@ -77,6 +78,15 @@ public void evaluate() throws Throwable {
                 TestAllTypes.getDescriptor().getFile(),
                 Struct.getDescriptor().getFile());
 
+    // Scopes the custom Kubernetes tag visitor exclusively to k8s tests to prevent non-standard
+    // grammar leakage.
+    if (name.startsWith("k8s/")) {
+      contextBuilder.setCelPolicyParser(
+          CelPolicyParserFactory.newYamlParserBuilder()
+              .addTagVisitor(new K8sTestTagHandler())
+              .build());
+    }
+
     Path yamlConfigPath = Paths.get(dirPath, "config.yaml");
     Path textprotoConfigPath = Paths.get(dirPath, "config.textproto");
 

testing/src/main/java/dev/cel/testing/testrunner/BUILD.bazel

@@ -161,6 +161,7 @@ java_library(
     deps = [
         ":cel_expression_source",
         ":default_result_matcher",
+        ":registry_utils",
         ":result_matcher",
         "//:auto_value",
         "//bundle:cel",

testing/src/main/java/dev/cel/testing/testrunner/CelTestContext.java

@@ -140,21 +140,21 @@ public Optional<CelDescriptors> celDescriptors() {
     return Optional.empty();
   }
 
+  /** Returns a unified set of {@link CelDescriptors} combined from all descriptor sources. */
   @Memoized
-  public Optional<TypeRegistry> typeRegistry() {
+  public Optional<CelDescriptors> mergedDescriptors() {
     if (fileTypes().isEmpty() && !fileDescriptorSetPath().isPresent()) {
       return Optional.empty();
     }
-    TypeRegistry.Builder builder = TypeRegistry.newBuilder();
-    if (!fileTypes().isEmpty()) {
-      builder.add(
-          CelDescriptorUtil.getAllDescriptorsFromFileDescriptor(fileTypes())
-              .messageTypeDescriptors());
-    }
-    if (celDescriptors().isPresent()) {
-      builder.add(celDescriptors().get().messageTypeDescriptors());
-    }
-    return Optional.of(builder.build());
+    ImmutableSet.Builder<FileDescriptor> allFiles =
+        ImmutableSet.<FileDescriptor>builder().addAll(fileTypes());
+    celDescriptors().ifPresent(d -> allFiles.addAll(d.fileDescriptors()));
+    return Optional.of(CelDescriptorUtil.getAllDescriptorsFromFileDescriptor(allFiles.build()));
+  }
+
+  @Memoized
+  public Optional<TypeRegistry> typeRegistry() {
+    return mergedDescriptors().map(RegistryUtils::getTypeRegistry);
   }
 
   public abstract Optional<ExtensionRegistry> extensionRegistry();

testing/src/main/java/dev/cel/testing/testrunner/TestRunnerLibrary.java

@@ -360,18 +360,33 @@ private static Object getEvaluationResultWithMessage(
   }
 
   private static Message unpackAny(Any any, CelTestContext celTestContext) throws IOException {
-    if (!celTestContext.fileDescriptorSetPath().isPresent()) {
-      throw new IllegalArgumentException(
-          "Proto descriptors are required for unpacking Any messages.");
+    TypeRegistry typeRegistry =
+        celTestContext
+            .typeRegistry()
+            .orElseThrow(
+                () ->
+                    new IllegalArgumentException(
+                        "Proto descriptors or type registry are required for unpacking Any"
+                            + " messages."));
+
+    Descriptor descriptor = typeRegistry.getDescriptorForTypeUrl(any.getTypeUrl());
+    if (descriptor == null) {
+      throw new IllegalArgumentException("Descriptor not found for type URL: " + any.getTypeUrl());
     }
-    Descriptor descriptor =
-        RegistryUtils.getTypeRegistry(celTestContext.celDescriptors().get())
-            .getDescriptorForTypeUrl(any.getTypeUrl());
+
+    ExtensionRegistry extensionRegistry =
+        celTestContext
+            .extensionRegistry()
+            .orElseGet(
+                () ->
+                    celTestContext
+                        .mergedDescriptors()
+                        .map(RegistryUtils::getExtensionRegistry)
+                        .orElseGet(ExtensionRegistry::getEmptyRegistry));
+
     return DynamicMessage.getDefaultInstance(descriptor)
         .getParserForType()
-        .parseFrom(
-            any.getValue(),
-            RegistryUtils.getExtensionRegistry(celTestContext.celDescriptors().get()));
+        .parseFrom(any.getValue(), extensionRegistry);
   }
 
   private static Message getEvaluatedContextExpr(

testing/src/test/java/dev/cel/testing/testrunner/TestRunnerLibraryTest.java

@@ -262,7 +262,7 @@ public void runTest_missingProtoDescriptors_failure() throws Exception {
 
     assertThat(thrown)
         .hasMessageThat()
-        .contains("Proto descriptors are required for unpacking Any messages.");
+        .contains("Proto descriptors or type registry are required for unpacking Any messages");
   }
 
   @Test