adding objects as option to the policy-engine

pkg/cli/evaluate.go

@@ -180,7 +180,10 @@ func runEvalCommand() error {
 	}
 
 	cLogger := logger.NewDefaultLoggerWithVerbosity(determineLogVerbosity())
-	pe := eval.NewPolicyEngineWithOptionsList(eval.WithLogger(cLogger))
+	pe, err := eval.NewPolicyEngineWithOptionsList(eval.WithLogger(cLogger))
+	if err != nil { // will not get here
+		return err
+	}
 
 	if dirPath != "" {
 		if err := updatePolicyEngineObjectsFromDirPath(pe, podNames); err != nil {

pkg/netpol/connlist/connlist.go

@@ -200,13 +200,14 @@ func (ca *ConnlistAnalyzer) hasFatalError() error {
 // getPolicyEngine returns a new policy engine considering the exposure analysis option
 func (ca *ConnlistAnalyzer) getPolicyEngine(objectsList []parser.K8sObject) (*eval.PolicyEngine, error) {
 	if !ca.exposureAnalysis {
-		pe := eval.NewPolicyEngineWithOptionsList(eval.WithLogger(ca.logger))
-		err := pe.AddObjectsByKind(objectsList)
-		return pe, err
+		return eval.NewPolicyEngineWithOptionsList(eval.WithLogger(ca.logger), eval.WithObjectsList(objectsList))
 	}
 	// else build new policy engine with exposure analysis option
-	pe := eval.NewPolicyEngineWithOptionsList(eval.WithExposureAnalysis(), eval.WithLogger(ca.logger))
-	err := pe.AddObjectsForExposureAnalysis(objectsList)
+	pe, err := eval.NewPolicyEngineWithOptionsList(eval.WithExposureAnalysis(), eval.WithLogger(ca.logger))
+	if err != nil { // will not get here
+		return nil, err
+	}
+	err = pe.AddObjectsForExposureAnalysis(objectsList)
 	return pe, err
 }
 

pkg/netpol/connlist/internal/ingressanalyzer/ingress_analyzer_test.go

@@ -29,7 +29,7 @@ func getIngressAnalyzerFromDirObjects(t *testing.T, testName, dirName string, pr
 	objects, fpErrs := parser.ResourceInfoListToK8sObjectsList(rList, l, false)
 	require.Len(t, fpErrs, processingErrsNum, "test: %q, expected %d processing errors but got %d",
 		testName, processingErrsNum, len(fpErrs))
-	pe, err := eval.NewPolicyEngineWithObjects(objects)
+	pe, err := eval.NewPolicyEngineWithOptionsList(eval.WithObjectsList(objects))
 	require.Empty(t, err, "test: %q", testName)
 	ia, err := NewIngressAnalyzerWithObjects(objects, pe, l, false)
 	require.Empty(t, err, "test: %q", testName)

pkg/netpol/connlist/internal/ingressanalyzer/service_test.go

@@ -89,7 +89,7 @@ func TestServiceMappingToPods(t *testing.T) {
 			objects, processingErrs := parser.ResourceInfoListToK8sObjectsList(rList, l, false)
 			require.Len(t, processingErrs, 1, "test: %q", tt.name) // no policies
 			require.Len(t, objects, 17, "test: %q", tt.name)       // found 6 services and 11 pods
-			pe, err := eval.NewPolicyEngineWithObjects(objects)
+			pe, err := eval.NewPolicyEngineWithOptionsList(eval.WithObjectsList(objects))
 			require.Empty(t, err, "test: %q", tt.name)
 			ia, err := NewIngressAnalyzerWithObjects(objects, pe, l, false)
 			require.Empty(t, err, "test: %q", tt.name)

pkg/netpol/eval/eval_test.go

@@ -1786,7 +1786,7 @@ func TestPolicyEngineWithWorkloads(t *testing.T) {
 	if len(processingErrs) > 0 {
 		t.Fatalf("TestPolicyEngineWithWorkloads errors: %v", processingErrs)
 	}
-	pe, err := NewPolicyEngineWithObjects(objects)
+	pe, err := NewPolicyEngineWithOptionsList(WithObjectsList(objects))
 	if err != nil {
 		t.Fatalf("TestPolicyEngineWithWorkloads error: %v", err)
 	}
@@ -1829,7 +1829,7 @@ func runParsedResourcesEvalTests(t *testing.T, testList []examples.ParsedResourc
 		test := &testList[i]
 		t.Run(test.Name, func(t *testing.T) {
 			t.Parallel()
-			pe, err := NewPolicyEngineWithObjects(test.GetK8sObjects())
+			pe, err := NewPolicyEngineWithOptionsList(WithObjectsList(test.GetK8sObjects()))
 			require.Nil(t, err, test.TestInfo)
 			for _, evalTest := range test.EvalTests {
 				src := evalTest.Src
@@ -1956,7 +1956,7 @@ func TestDirPathEvalResults(t *testing.T) {
 			require.Empty(t, errs, "test: %q", testName)
 			objectsList, processingErrs := parser.ResourceInfoListToK8sObjectsList(rList, logger.NewDefaultLogger(), false)
 			require.Empty(t, processingErrs, "test: %q", testName)
-			pe, err := NewPolicyEngineWithObjects(objectsList)
+			pe, err := NewPolicyEngineWithOptionsList(WithObjectsList(objectsList))
 			require.Nil(t, err, "test: %q", testName)
 			var src, dst string
 			for podStr, podObj := range pe.podsMap {

pkg/netpol/eval/resources.go

@@ -61,22 +61,31 @@ type (
 
 	// PolicyEngineOption is the type for specifying options for PolicyEngine,
 	// using Golang's Options Pattern (https://golang.cafe/blog/golang-functional-options-pattern.html).
-	PolicyEngineOption func(*PolicyEngine)
+	PolicyEngineOption func(*PolicyEngine) error
 )
 
 // WithLogger is a functional option which sets the logger for a PolicyEngine to use.
 // The provided logger must conform with the package's Logger interface.
 func WithLogger(l logger.Logger) PolicyEngineOption {
-	return func(pe *PolicyEngine) {
+	return func(pe *PolicyEngine) error {
 		pe.logger = l
+		return nil
 	}
 }
 
 // WithExposureAnalysis is a functional option which directs PolicyEngine to perform exposure analysis
 func WithExposureAnalysis() PolicyEngineOption {
-	return func(pe *PolicyEngine) {
+	return func(pe *PolicyEngine) error {
 		pe.exposureAnalysisFlag = true
 		pe.representativePeersMap = make(map[string]*k8s.WorkloadPeer)
+		return nil
+	}
+}
+
+// WithObjectsList is a functional option which directs the policyEngine to insert given k8s objects by kind
+func WithObjectsList(objects []parser.K8sObject) PolicyEngineOption {
+	return func(pe *PolicyEngine) error {
+		return pe.addObjectsByKind(objects)
 	}
 }
 
@@ -94,11 +103,10 @@ func NewPolicyEngine() *PolicyEngine {
 	}
 }
 
-// Deprecated : this func call is replaced by NewPolicyEngineWithOptions + AddObjectsByKind
-// currently is used only for testing
+// Deprecated : this func call is contained in NewPolicyEngineWithOptionsList
 func NewPolicyEngineWithObjects(objects []parser.K8sObject) (*PolicyEngine, error) {
 	pe := NewPolicyEngine()
-	err := pe.AddObjectsByKind(objects)
+	err := pe.addObjectsByKind(objects)
 	return pe, err
 }
 
@@ -113,13 +121,15 @@ func NewPolicyEngineWithOptions(exposureFlag bool) *PolicyEngine {
 	return pe
 }
 
-// NewPolicyEngineWithOptions returns a new policy engine with given options
-func NewPolicyEngineWithOptionsList(opts ...PolicyEngineOption) *PolicyEngine {
-	pe := NewPolicyEngine()
+// NewPolicyEngineWithOptionsList returns a new policy engine with given options
+func NewPolicyEngineWithOptionsList(opts ...PolicyEngineOption) (pe *PolicyEngine, err error) {
+	pe = NewPolicyEngine()
 	for _, o := range opts {
-		o(pe)
+		if err := o(pe); err != nil {
+			return nil, err
+		}
 	}
-	return pe
+	return pe, nil
 }
 
 // AddObjectsForExposureAnalysis adds k8s objects to the policy engine: first adds network-policies and namespaces and then other objects.
@@ -137,13 +147,13 @@ func (pe *PolicyEngine) AddObjectsForExposureAnalysis(objects []parser.K8sObject
 	policiesAndNamespaces, otherObjects := splitPoliciesAndNamespacesAndOtherObjects(objects)
 	// note: in the first call addObjectsByKind with policy objects, will add
 	// the representative peers
-	err := pe.AddObjectsByKind(policiesAndNamespaces)
+	err := pe.addObjectsByKind(policiesAndNamespaces)
 	if err != nil {
 		return err
 	}
 	// note: in the second call addObjectsByKind with workload objects, will possibly remove some
 	// representative peers (for which there is already an identical actual workload with simple selectors)
-	err = pe.AddObjectsByKind(otherObjects)
+	err = pe.addObjectsByKind(otherObjects)
 	return err
 }
 
@@ -164,10 +174,10 @@ func splitPoliciesAndNamespacesAndOtherObjects(objects []parser.K8sObject) (poli
 	return policiesAndNs, others
 }
 
-// AddObjectsByKind adds different k8s objects from parsed resources to the policy engine
+// addObjectsByKind adds different k8s objects from parsed resources to the policy engine
 //
 //gocyclo:ignore
-func (pe *PolicyEngine) AddObjectsByKind(objects []parser.K8sObject) error {
+func (pe *PolicyEngine) addObjectsByKind(objects []parser.K8sObject) error {
 	var err error
 	for i := range objects {
 		obj := objects[i]