policy: Refactor tests to allow different request types in a testcase.

This commit introduces changes to add different request types in a
single testcases.json file. This allows for testing request types,
ex: ExecProcessRequest which depends on state from evaluation of
CreateContainerRequest.

The changes include:
- refactor tests/main.rs to allow different types in testcases.json
- modify existing test cases data
- add test for ExecProcessRequest

Signed-off-by: Sumedh Sharma <[email protected]>

Author: Sumynwa

src/tools/genpolicy/tests/main.rs

@@ -6,26 +6,53 @@
 #[cfg(test)]
 mod tests {
     use base64::prelude::*;
-    use std::any;
     use std::fs::{self, File};
     use std::path;
     use std::str;
 
     use protocols::agent::{
         CreateContainerRequest, CreateSandboxRequest, UpdateInterfaceRequest, UpdateRoutesRequest,
+        ExecProcessRequest,
     };
-    use serde::de::DeserializeOwned;
     use serde::{Deserialize, Serialize};
 
     use kata_agent_policy::policy::{
         AgentPolicy, PolicyCopyFileRequest, PolicyCreateContainerRequest,
     };
 
-    #[derive(Clone, Debug, Deserialize, Serialize)]
-    struct TestCase<T> {
+    // each test case in testcase.json will translate
+    // to one request type
+    #[derive(Deserialize, Serialize)]
+    #[serde(tag = "type")]
+    enum TestRequest {
+        LegacyCreateContainer(CreateContainerRequest),
+        CopyFile(PolicyCopyFileRequest),
+        CreateContainer(PolicyCreateContainerRequest),
+        CreateSandbox(CreateSandboxRequest),
+        ExecProcess(ExecProcessRequest),
+        UpdateInterface(UpdateInterfaceRequest),
+        UpdateRoutes(UpdateRoutesRequest),
+    }
+
+    impl ToString for TestRequest {
+        fn to_string(&self) -> String {
+            match self {
+                TestRequest::LegacyCreateContainer(_) => String::from("CreateContainerRequest"),
+                TestRequest::CopyFile(_) => String::from("CopyFileRequest"),
+                TestRequest::CreateContainer(_) => String::from("CreateContainerRequest"),
+                TestRequest::CreateSandbox(_) => String::from("CreateSandboxRequest"),
+                TestRequest::ExecProcess(_) => String::from("ExecProcessRequest"),
+                TestRequest::UpdateInterface(_) => String::from("UpdateInterfaceRequest"),
+                TestRequest::UpdateRoutes(_) => String::from("UpdateRoutesRequest"),
+            }
+        }
+    }
+
+    #[derive(Deserialize, Serialize)]
+    struct TestCase {
         description: String,
         allowed: bool,
-        request: T,
+        request: TestRequest,
     }
 
     /// Run tests from the given directory.
@@ -34,9 +61,7 @@ mod tests {
     /// The resources must produce a policy when fed into genpolicy, so there
     /// should be exactly one entry with a PodSpec. The test case file must contain
     /// a JSON list of [TestCase] instances appropriate for `T`.
-    async fn runtests<T>(test_case_dir: &str)
-    where
-        T: DeserializeOwned + Serialize,
+    async fn runtests(test_case_dir: &str)
     {
         // Prepare temp dir for running genpolicy.
         let workdir = path::PathBuf::from(env!("CARGO_TARGET_TMPDIR")).join(test_case_dir);
@@ -105,18 +130,16 @@ mod tests {
 
         let case_file =
             File::open(testdata_dir.join("testcases.json")).expect("test case file should open");
-        let test_cases: Vec<TestCase<T>> =
+        let test_cases: Vec<TestCase> =
             serde_json::from_reader(case_file).expect("test case file should parse");
 
         for test_case in test_cases {
             println!("\n== case: {} ==\n", test_case.description);
 
             let v = serde_json::to_value(&test_case.request).unwrap();
 
-            let request_type = map_request(any::type_name::<T>().split("::").last().unwrap());
-
             let results = pol
-                .allow_request(request_type, &serde_json::to_string(&v).unwrap())
+                .allow_request(&test_case.request.to_string(), &serde_json::to_string(&v).unwrap())
                 .await;
 
             let logs = fs::read_to_string(workdir.join("policy.log")).unwrap();
@@ -130,45 +153,43 @@ mod tests {
         }
     }
 
-    fn map_request(request: &str) -> &str {
-        match request {
-            "PolicyCopyFileRequest" => "CopyFileRequest",
-            "PolicyCreateContainerRequest" => "CreateContainerRequest",
-            _ => request,
-        }
-    }
-
     #[tokio::test]
     async fn test_copyfile() {
-        runtests::<PolicyCopyFileRequest>("copyfile").await;
+        runtests("copyfile").await;
     }
 
     #[tokio::test]
     async fn test_create_sandbox() {
-        runtests::<CreateSandboxRequest>("createsandbox").await;
+        runtests("createsandbox").await;
     }
 
     #[tokio::test]
     async fn test_update_routes() {
-        runtests::<UpdateRoutesRequest>("updateroutes").await;
+        runtests("updateroutes").await;
     }
 
     #[tokio::test]
     async fn test_update_interface() {
-        runtests::<UpdateInterfaceRequest>("updateinterface").await;
+        runtests("updateinterface").await;
     }
+
     #[tokio::test]
     async fn test_legacy_basic_create_container() {
-        runtests::<CreateContainerRequest>("createContainer/legacy").await;
+        runtests("createContainer/legacy").await;
     }
 
     #[tokio::test]
     async fn test_basic_create_container() {
-        runtests::<PolicyCreateContainerRequest>("createContainer/basic").await;
+        runtests("createContainer/basic").await;
     }
 
     #[tokio::test]
     async fn test_create_container_generate_name() {
-        runtests::<PolicyCreateContainerRequest>("createcontainer/generate_name").await;
+        runtests("createcontainer/generate_name").await;
+    }
+
+    #[tokio::test]
+    async fn test_exec_process() {
+        runtests("execprocess").await;
     }
 }

src/tools/genpolicy/tests/testdata/copyfile/testcases.json

@@ -3,14 +3,16 @@
     "description": "copy initiated by k8s mount",
     "allowed": true,
     "request": {
+      "type": "CopyFile",
       "path": "/run/kata-containers/shared/containers/81e5f43bc8599c5661e66f959ac28df5bfb30da23c5d583f2dcc6f9e0c5186dc-ce23cfeb91e75aaa-resolv.conf"
     }
   },
   {
     "description": "attempt to copy outside of container root",
     "allowed": false,
     "request": {
+      "type": "CopyFile",
       "path": "/etc/ssl/cert.pem"
     }
   }
-]
+]

src/tools/genpolicy/tests/testdata/createContainer/basic/testcases.json

@@ -3,6 +3,7 @@
     "description": "basic request for pause container",
     "allowed": true,
     "request": {
+      "type": "CreateContainer",
       "base": {
         "OCI": {
           "Annotations": {
@@ -286,4 +287,4 @@
       }
     }
   }
-]
+]

src/tools/genpolicy/tests/testdata/createContainer/legacy/testcases.json

@@ -3,6 +3,7 @@
     "description": "legacy request for pause container",
     "allowed": true,
     "request": {
+      "type": "LegacyCreateContainer",
       "OCI": {
         "Annotations": {
           "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/4bbf2a6b6b510a279cd17b2bfc8b64d39c11ebb55f855ba78a0034c4fe394246",
@@ -281,4 +282,4 @@
       "string_user": null
     }
   }
-]
+]

src/tools/genpolicy/tests/testdata/createcontainer/generate_name/testcases.json

@@ -3,6 +3,7 @@
     "description": "generated name with valid prefix (dummyxyz)",
     "allowed": true,
     "request": {
+      "type": "CreateContainer",
       "base": {
         "OCI": {
           "Annotations": {
@@ -290,6 +291,7 @@
     "description": "generated name with invalid prefix (xyzdummy)",
     "allowed": false,
     "request": {
+      "type": "CreateContainer",
       "base": {
         "OCI": {
           "Annotations": {
@@ -573,4 +575,4 @@
       }
     }
   }
-]
+]

src/tools/genpolicy/tests/testdata/createsandbox/testcases.json

@@ -3,6 +3,7 @@
     "description": "no pidns",
     "allowed": true,
     "request": {
+      "type": "CreateSandbox",
       "sandbox_pidns": false
     }
   }

src/tools/genpolicy/tests/testdata/execprocess/pod.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: busybox
+spec:
+  runtimeClassName: kata-cc
+  containers:
+    - name: first-test-container
+      image: "quay.io/prometheus/busybox:latest"
+      env:
+        - name: CONTAINER_NAME
+          value: first-test-container
+      command:
+        - sleep
+        - "3600"
+      livenessProbe:
+        exec:
+          command:
+            - echo
+            - test