tests: k8s: additional policy testing utilities

1. add_requests_to_policy_settings allows one or more ttrpc requests
   from the Host to the Guest. Example:

add_requests_to_policy_settings "${policy_settings_dir}" \
   "ReadStreamRequest" "WriteStreamRequest"

2. add_copy_from_host_to_policy_settings allows executing on the Guest
   the commands initiated behind the scenes by "kubectl cp" from the
   Host to the Guest. Example:

add_copy_from_host_to_policy_settings "${policy_settings_dir}"

3. add_copy_from_guest_to_policy_settings allows executing on the Guest
   the commands initiated behind the scenes by "kubectl cp" from the
   Guest to the Host. Example:

add_copy_from_guest_to_policy_settings "${policy_settings_dir}" \
   "/tmp/file.txt"

Signed-off-by: Dan Mihai <dmihai@microsoft.com>

tests/integration/kubernetes/k8s-attach-handlers.bats

@@ -23,9 +23,12 @@ setup() {
 
 	# Add policy to yaml
 	policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
+	
 	display_message="cat /usr/share/message"
 	exec_command="sh -c ${display_message}"
 	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+	
+	add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
 	auto_generate_policy "${policy_settings_dir}" "${yaml_file}"
 }
 

tests/integration/kubernetes/tests_common.sh

@@ -175,12 +175,44 @@ add_exec_to_policy_settings() {
 		"${settings_dir}/new-genpolicy-settings.json"
 	mv "${settings_dir}/new-genpolicy-settings.json" \
 		"${settings_dir}/genpolicy-settings.json"
-
+}
-	# Change genpolicy settings to allow kubectl to read the output of the command being executed.
+
-	info "${settings_dir}/genpolicy-settings.json: allowing ReadStreamRequest"
+# Change genpolicy settings to allow one or more ttrpc requests from the Host to the Guest.
-	jq '.request_defaults.ReadStreamRequest |= true' \
+add_requests_to_policy_settings() {
-		"${settings_dir}"/genpolicy-settings.json > \
+	declare -r settings_dir="$1"
-		"${settings_dir}"/new-genpolicy-settings.json
+	shift
-	mv "${settings_dir}"/new-genpolicy-settings.json \
+	declare -r requests=("$@")
-		"${settings_dir}"/genpolicy-settings.json
+
+	auto_generate_policy_enabled || return 0
+
+	for request in ${requests[@]}
+	do
+		info "${settings_dir}/genpolicy-settings.json: allowing ${request}"
+		jq ".request_defaults.${request} |= true" \
+			"${settings_dir}"/genpolicy-settings.json > \
+			"${settings_dir}"/new-genpolicy-settings.json
+		mv "${settings_dir}"/new-genpolicy-settings.json \
+			"${settings_dir}"/genpolicy-settings.json
+	done
+}
+
+# Change genpolicy settings to allow executing on the Guest VM the commands
+# used by "kubectl cp" from the Host to the Guest.
+add_copy_from_host_to_policy_settings() {
+	declare -r genpolicy_settings_dir="$1"
+
+	exec_command="test -d /tmp"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+	exec_command="tar -xmf - -C /tmp"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+}
+
+# Change genpolicy settings to allow executing on the Guest VM the commands
+# used by "kubectl cp" from the Guest to the Host.
+add_copy_from_guest_to_policy_settings() {
+	declare -r genpolicy_settings_dir="$1"
+	declare -r copied_file="$2"
+
+	exec_command="tar cf - ${copied_file}"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
 }