genpolicy: Refactor tests to add different request types in testcases json

Cherry-pick upstream changes in PR kata-containers#11074 to add test data for multiple request
type in a single testcases.json file. This allows for stateful testing,
for ex: enable testing ExecProcessRequest using policy state set after testing
a CreateContainerRequest.

Signed-off-by: Sumedh Sharma <sumsharma@microsoft.com>

Author: Sumynwa

src/tools/genpolicy/tests/main.rs

@@ -6,26 +6,51 @@
 #[cfg(test)]
 mod tests {
     use base64::prelude::*;
-    use std::any;
+    use std::fmt::{self, Display};
     use std::fs::{self, File};
     use std::path;
     use std::str;
 
     use protocols::agent::{
         CreateContainerRequest, CreateSandboxRequest, UpdateInterfaceRequest, UpdateRoutesRequest,
     };
-    use serde::de::DeserializeOwned;
     use serde::{Deserialize, Serialize};
 
     use kata_agent_policy::policy::{
         AgentPolicy, PolicyCopyFileRequest, PolicyCreateContainerRequest,
     };
 
-    #[derive(Clone, Debug, Deserialize, Serialize)]
-    struct TestCase<T> {
+    // each test case in testcase.json will translate
+    // to one request type
+    #[derive(Deserialize, Serialize)]
+    #[serde(tag = "type")]
+    enum TestRequest {
+        LegacyCreateContainer(CreateContainerRequest),
+        CopyFile(PolicyCopyFileRequest),
+        CreateContainer(PolicyCreateContainerRequest),
+        CreateSandbox(CreateSandboxRequest),
+        UpdateInterface(UpdateInterfaceRequest),
+        UpdateRoutes(UpdateRoutesRequest),
+    }
+
+    impl Display for TestRequest {
+        fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+            match self {
+                TestRequest::LegacyCreateContainer(_) => write!(f, "CreateContainerRequest"),
+                TestRequest::CopyFile(_) => write!(f, "CopyFileRequest"),
+                TestRequest::CreateContainer(_) => write!(f, "CreateContainerRequest"),
+                TestRequest::CreateSandbox(_) => write!(f, "CreateSandboxRequest"),
+                TestRequest::UpdateInterface(_) => write!(f, "UpdateInterfaceRequest"),
+                TestRequest::UpdateRoutes(_) => write!(f, "UpdateRoutesRequest"),
+            }
+        }
+    }
+
+    #[derive(Deserialize, Serialize)]
+    struct TestCase {
         description: String,
         allowed: bool,
-        request: T,
+        request: TestRequest,
     }
 
     /// Run tests from the given directory.
@@ -34,10 +59,7 @@ mod tests {
     /// The resources must produce a policy when fed into genpolicy, so there
     /// should be exactly one entry with a PodSpec. The test case file must contain
     /// a JSON list of [TestCase] instances appropriate for `T`.
-    async fn runtests<T>(test_case_dir: &str)
-    where
-        T: DeserializeOwned + Serialize,
-    {
+    async fn runtests(test_case_dir: &str) {
         // Prepare temp dir for running genpolicy.
         let workdir = path::PathBuf::from(env!("CARGO_TARGET_TMPDIR")).join(test_case_dir);
         fs::create_dir_all(&workdir)
@@ -105,18 +127,19 @@ mod tests {
 
         let case_file =
             File::open(testdata_dir.join("testcases.json")).expect("test case file should open");
-        let test_cases: Vec<TestCase<T>> =
+        let test_cases: Vec<TestCase> =
             serde_json::from_reader(case_file).expect("test case file should parse");
 
         for test_case in test_cases {
             println!("\n== case: {} ==\n", test_case.description);
 
             let v = serde_json::to_value(&test_case.request).unwrap();
 
-            let request_type = map_request(any::type_name::<T>().split("::").last().unwrap());
-
             let results = pol
-                .allow_request(request_type, &serde_json::to_string(&v).unwrap())
+                .allow_request(
+                    &test_case.request.to_string(),
+                    &serde_json::to_string(&v).unwrap(),
+                )
                 .await;
 
             let logs = fs::read_to_string(workdir.join("policy.log")).unwrap();
@@ -130,45 +153,38 @@ mod tests {
         }
     }
 
-    fn map_request(request: &str) -> &str {
-        match request {
-            "PolicyCopyFileRequest" => "CopyFileRequest",
-            "PolicyCreateContainerRequest" => "CreateContainerRequest",
-            _ => request,
-        }
-    }
-
     #[tokio::test]
     async fn test_copyfile() {
-        runtests::<PolicyCopyFileRequest>("copyfile").await;
+        runtests("copyfile").await;
     }
 
     #[tokio::test]
     async fn test_create_sandbox() {
-        runtests::<CreateSandboxRequest>("createsandbox").await;
+        runtests("createsandbox").await;
     }
 
     #[tokio::test]
     async fn test_update_routes() {
-        runtests::<UpdateRoutesRequest>("updateroutes").await;
+        runtests("updateroutes").await;
     }
 
     #[tokio::test]
     async fn test_update_interface() {
-        runtests::<UpdateInterfaceRequest>("updateinterface").await;
+        runtests("updateinterface").await;
     }
+
     #[tokio::test]
     async fn test_legacy_basic_create_container() {
-        runtests::<CreateContainerRequest>("createContainer/legacy").await;
+        runtests("createContainer/legacy").await;
     }
 
     #[tokio::test]
     async fn test_basic_create_container() {
-        runtests::<PolicyCreateContainerRequest>("createContainer/basic").await;
+        runtests("createContainer/basic").await;
     }
 
     #[tokio::test]
     async fn test_create_container_generate_name() {
-        runtests::<PolicyCreateContainerRequest>("createcontainer/generate_name").await;
+        runtests("createcontainer/generate_name").await;
     }
 }

src/tools/genpolicy/tests/testdata/copyfile/testcases.json

@@ -3,14 +3,16 @@
     "description": "copy initiated by k8s mount",
     "allowed": true,
     "request": {
+      "type": "CopyFile",
       "path": "/run/kata-containers/shared/containers/81e5f43bc8599c5661e66f959ac28df5bfb30da23c5d583f2dcc6f9e0c5186dc-ce23cfeb91e75aaa-resolv.conf"
     }
   },
   {
     "description": "attempt to copy outside of container root",
     "allowed": false,
     "request": {
+      "type": "CopyFile",
       "path": "/etc/ssl/cert.pem"
     }
   }
-]
+]

src/tools/genpolicy/tests/testdata/createContainer/basic/testcases.json

@@ -3,6 +3,7 @@
     "description": "basic request for pause container",
     "allowed": true,
     "request": {
+      "type": "CreateContainer",
       "base": {
         "OCI": {
           "Annotations": {
@@ -286,4 +287,4 @@
       }
     }
   }
-]
+]

src/tools/genpolicy/tests/testdata/createContainer/legacy/testcases.json

@@ -3,6 +3,7 @@
     "description": "legacy request for pause container",
     "allowed": true,
     "request": {
+      "type": "LegacyCreateContainer",
       "OCI": {
         "Annotations": {
           "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/4bbf2a6b6b510a279cd17b2bfc8b64d39c11ebb55f855ba78a0034c4fe394246",
@@ -281,4 +282,4 @@
       "string_user": null
     }
   }
-]
+]

src/tools/genpolicy/tests/testdata/createcontainer/generate_name/testcases.json

@@ -3,6 +3,7 @@
     "description": "generated name with valid prefix (dummyxyz)",
     "allowed": true,
     "request": {
+      "type": "CreateContainer",
       "base": {
         "OCI": {
           "Annotations": {
@@ -290,6 +291,7 @@
     "description": "generated name with invalid prefix (xyzdummy)",
     "allowed": false,
     "request": {
+      "type": "CreateContainer",
       "base": {
         "OCI": {
           "Annotations": {
@@ -573,4 +575,4 @@
       }
     }
   }
-]
+]

src/tools/genpolicy/tests/testdata/createsandbox/testcases.json

@@ -3,6 +3,7 @@
     "description": "no pidns",
     "allowed": true,
     "request": {
+      "type": "CreateSandbox",
       "sandbox_pidns": false
     }
   }

src/tools/genpolicy/tests/testdata/updateinterface/testcases.json

@@ -3,6 +3,7 @@
     "description": "no flags",
     "allowed": true,
     "request": {
+      "type": "UpdateInterface",
       "interface": {
           "device": "eth0",
           "name": "eth0",
@@ -22,6 +23,7 @@
     "description": "allowed arp flag",
     "allowed": true,
     "request": {
+      "type": "UpdateInterface",
       "interface": {
           "device": "eth0",
           "name": "eth0",
@@ -41,6 +43,7 @@
     "description": "forbidden flag",
     "allowed": false,
     "request": {
+      "type": "UpdateInterface",
       "interface": {
           "device": "eth0",
           "name": "eth0",
@@ -60,6 +63,7 @@
     "description": "forbidden name",
     "allowed": false,
     "request": {
+      "type": "UpdateInterface",
       "interface": {
           "device": "eth0",
           "name": "lo",
@@ -79,6 +83,7 @@
     "description": "forbidden hwAddr",
     "allowed": false,
     "request": {
+      "type": "UpdateInterface",
       "interface": {
           "device": "eth0",
           "name": "eth0",

src/tools/genpolicy/tests/testdata/updateroutes/testcases.json

@@ -3,6 +3,7 @@
     "description": "compliant routes",
     "allowed": true,
     "request": {
+      "type": "UpdateRoutes",
       "routes": {
         "Routes": [
           {
@@ -21,6 +22,7 @@
     "description": "forbidden device",
     "allowed": false,
     "request": {
+      "type": "UpdateRoutes",
       "routes": {
         "Routes": [
           {
@@ -39,6 +41,7 @@
     "description": "one compliant route, one noncompliant",
     "allowed": false,
     "request": {
+      "type": "UpdateRoutes",
       "routes": {
         "Routes": [
           {
@@ -65,6 +68,7 @@
     "description": "noncompliant routes",
     "allowed": false,
     "request": {
+      "type": "UpdateRoutes",
       "routes": {
         "Routes": [
           {
@@ -83,6 +87,7 @@
     "description": "noncompliant routes ipv6 1",
     "allowed": false,
     "request": {
+      "type": "UpdateRoutes",
       "routes": {
         "Routes": [
           {
@@ -101,6 +106,7 @@
     "description": "noncompliant routes ipv6 2",
     "allowed": false,
     "request": {
+      "type": "UpdateRoutes",
       "routes": {
         "Routes": [
           {