nginx
diff --git a/‎internal/controller/nginx/config/policies/snippetspolicy/validator.go‎
Lines changed: 87 additions & 0 deletions b/‎internal/controller/nginx/config/policies/snippetspolicy/validator.go‎
Lines changed: 87 additions & 0 deletions
diff --git a/‎internal/controller/nginx/config/policies/snippetspolicy/validator_test.go‎
Lines changed: 127 additions & 0 deletions b/‎internal/controller/nginx/config/policies/snippetspolicy/validator_test.go‎
Lines changed: 127 additions & 0 deletions
@@ -0,0 +1,87 @@
+/*
+Copyright 2025 The NGINX Gateway Fabric Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package snippetspolicy
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
+
+	ngfAPI "github.com/nginx/nginx-gateway-fabric/v2/apis/v1alpha1"
+	"github.com/nginx/nginx-gateway-fabric/v2/internal/controller/nginx/config/policies"
+	"github.com/nginx/nginx-gateway-fabric/v2/internal/controller/state/conditions"
+	"github.com/nginx/nginx-gateway-fabric/v2/internal/framework/helpers"
+	"github.com/nginx/nginx-gateway-fabric/v2/internal/framework/kinds"
+)
+
+// Validator validates a SnippetsPolicy.
+// Implements policies.Validator interface.
+type Validator struct{}
+
+// NewValidator returns a new instance of Validator.
+func NewValidator() *Validator {
+	return &Validator{}
+}
+
+// Validate validates the spec of a SnippetsPolicy.
+func (v *Validator) Validate(policy policies.Policy) []conditions.Condition {
+	sp := helpers.MustCastObject[*ngfAPI.SnippetsPolicy](policy)
+
+	targetRefPath := field.NewPath("spec").Child("targetRef")
+	supportedKinds := []gatewayv1.Kind{kinds.Gateway}
+	supportedGroups := []gatewayv1.Group{gatewayv1.GroupName}
+
+	// Validate TargetRef
+	if err := policies.ValidateTargetRef(sp.Spec.TargetRef.LocalPolicyTargetReference, targetRefPath, supportedGroups, supportedKinds); err != nil {
+		return []conditions.Condition{conditions.NewPolicyInvalid(err.Error())}
+	}
+
+	// Validate Snippets
+	if err := validateSnippets(sp.Spec.Snippets); err != nil {
+		return []conditions.Condition{conditions.NewPolicyInvalid(err.Error())}
+	}
+
+	return nil
+}
+
+// ValidateGlobalSettings validates a SnippetsPolicy with respect to the NginxProxy global settings.
+func (v *Validator) ValidateGlobalSettings(
+	_ policies.Policy,
+	_ *policies.GlobalSettings,
+) []conditions.Condition {
+	return nil
+}
+
+// Conflicts returns true if the two SnippetsPolicies conflict.
+// SnippetsPolicies are merged by lexicographic order, so they don't inherently conflict
+// in a way that prevents them from being applied together (structurally).
+// Detailed logical conflicts (e.g. conflicting NGINX directives) are caught by nginx -t.
+func (v *Validator) Conflicts(polA, polB policies.Policy) bool {
+	return false
+}
+
+func validateSnippets(snippets []ngfAPI.Snippet) error {
+	seenContexts := make(map[ngfAPI.NginxContext]struct{})
+	for _, snippet := range snippets {
+		if _, exists := seenContexts[snippet.Context]; exists {
+			return fmt.Errorf("duplicate context %q", snippet.Context)
+		}
+		seenContexts[snippet.Context] = struct{}{}
+	}
+	return nil
+}
@@ -0,0 +1,127 @@
+package snippetspolicy_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/gomega"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
+
+	ngfAPI "github.com/nginx/nginx-gateway-fabric/v2/apis/v1alpha1"
+	"github.com/nginx/nginx-gateway-fabric/v2/internal/controller/nginx/config/policies/snippetspolicy"
+	"github.com/nginx/nginx-gateway-fabric/v2/internal/controller/state/conditions"
+	"github.com/nginx/nginx-gateway-fabric/v2/internal/framework/kinds"
+)
+
+type policyModFunc func(policy *ngfAPI.SnippetsPolicy) *ngfAPI.SnippetsPolicy
+
+func createValidPolicy() *ngfAPI.SnippetsPolicy {
+	return &ngfAPI.SnippetsPolicy{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: "default",
+			Name:      "test-policy",
+		},
+		Spec: ngfAPI.SnippetsPolicySpec{
+			TargetRef: ngfAPI.SnippetsPolicyTargetRef{
+				LocalPolicyTargetReference: gatewayv1.LocalPolicyTargetReference{
+					Group: gatewayv1.GroupName,
+					Kind:  kinds.Gateway,
+					Name:  "test-gateway",
+				},
+			},
+			Snippets: []ngfAPI.Snippet{
+				{
+					Context: ngfAPI.NginxContextMain,
+					Value:   "worker_processes 1;",
+				},
+				{
+					Context: ngfAPI.NginxContextHTTP,
+					Value:   "log_format custom '...';",
+				},
+			},
+		},
+		Status: gatewayv1.PolicyStatus{},
+	}
+}
+
+func createModifiedPolicy(mod policyModFunc) *ngfAPI.SnippetsPolicy {
+	return mod(createValidPolicy())
+}
+
+func TestValidator_Validate(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		name          string
+		policy        *ngfAPI.SnippetsPolicy
+		expConditions []conditions.Condition
+	}{
+		{
+			name:          "valid policy",
+			policy:        createValidPolicy(),
+			expConditions: nil,
+		},
+		{
+			name: "invalid target ref - unsupported group",
+			policy: createModifiedPolicy(func(p *ngfAPI.SnippetsPolicy) *ngfAPI.SnippetsPolicy {
+				p.Spec.TargetRef.Group = "unsupported.group"
+				return p
+			}),
+			expConditions: []conditions.Condition{
+				conditions.NewPolicyInvalid("spec.targetRef.group: Unsupported value: \"unsupported.group\": supported values: \"gateway.networking.k8s.io\""),
+			},
+		},
+		{
+			name: "invalid target ref - unsupported kind",
+			policy: createModifiedPolicy(func(p *ngfAPI.SnippetsPolicy) *ngfAPI.SnippetsPolicy {
+				p.Spec.TargetRef.Kind = "UnsupportedKind"
+				return p
+			}),
+			expConditions: []conditions.Condition{
+				conditions.NewPolicyInvalid("spec.targetRef.kind: Unsupported value: \"UnsupportedKind\": supported values: \"Gateway\""),
+			},
+		},
+		{
+			name: "duplicate context",
+			policy: createModifiedPolicy(func(p *ngfAPI.SnippetsPolicy) *ngfAPI.SnippetsPolicy {
+				p.Spec.Snippets = append(p.Spec.Snippets, ngfAPI.Snippet{
+					Context: ngfAPI.NginxContextMain,
+					Value:   "another snippet;",
+				})
+				return p
+			}),
+			expConditions: []conditions.Condition{
+				conditions.NewPolicyInvalid("duplicate context \"main\""),
+			},
+		},
+	}
+
+	v := snippetspolicy.NewValidator()
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+			g := NewWithT(t)
+
+			conds := v.Validate(test.policy)
+			g.Expect(conds).To(Equal(test.expConditions))
+		})
+	}
+}
+
+func TestValidator_ValidateGlobalSettings(t *testing.T) {
+	t.Parallel()
+	g := NewWithT(t)
+
+	v := snippetspolicy.NewValidator()
+
+	g.Expect(v.ValidateGlobalSettings(nil, nil)).To(BeNil())
+}
+
+func TestValidator_Conflicts(t *testing.T) {
+	t.Parallel()
+	g := NewWithT(t)
+
+	v := snippetspolicy.NewValidator()
+
+	g.Expect(v.Conflicts(nil, nil)).To(BeFalse())
+}