agent-ctl: Add SetPolicy support

This patch adds support to call kata agents SetPolicy API. Also adds tests for SetPolicy API using agent-ctl. Fixes #9711 Signed-off-by: Sumedh Alok Sharma <sumsharma@microsoft.com>
2025-09-18 15:28:10 +00:00 · 2024-09-13 15:24:22 +05:30
parent 28d430ec42
commit 18c887f055
5 changed files with 120 additions and 3 deletions
--- a/tests/functional/kata-agent-apis/api-tests/test_set_policy.bats
+++ b/tests/functional/kata-agent-apis/api-tests/test_set_policy.bats
@@ -0,0 +1,44 @@
+#!/usr/bin/env bats
+
+# Copyright (c) 2024 Microsoft Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+load "${BATS_TEST_DIRNAME}/../../../common.bash"
+load "${BATS_TEST_DIRNAME}/../setup_common.sh"
+
+setup_file() {
+    info "setup"
+}
+
+@test "Test SetPolicy API: Set allow all policy" {
+    info "Upload policy document from under src/kata-opa"
+    repo_root_dir="${BATS_TEST_DIRNAME}/../../../../"
+    policy_dir="${repo_root_dir}/src/kata-opa"
+    policy_file="${policy_dir}/allow-all.rego"
+    local cmds=()
+    cmds+=("-c 'SetPolicy json://{\"policy_file\": \"$policy_file\"}'")
+    run_agent_ctl "${cmds[@]}"
+}
+
+@test "Test SetPolicy API: Block CopyFile in policy" {
+    policy_file=$(mktemp)
+    deny_single_api_in_policy ${policy_file} "CopyFileRequest"
+    local cmds=()
+    cmds+=("-c 'SetPolicy json://{\"policy_file\": \"$policy_file\"}'")
+    run_agent_ctl "${cmds[@]}"
+
+    src_file=$(mktemp)
+    local cmds=()
+    cmds+=("-c 'CopyFile json://{\"src\": \"$src_file\", \"dest\":\"/run/kata-containers/foo\"}'")
+    run run_agent_ctl "${cmds[@]}"
+    [ "$status" -ne 0 ]
+
+    rm $src_file
+    rm $policy_file
+}
+
+teardown_file() {
+    info "teardown"
+    sudo rm -r /run/kata-containers/ || echo "Failed to clean /run/kata-containers"
+}
--- a/tests/functional/kata-agent-apis/setup_common.sh
+++ b/tests/functional/kata-agent-apis/setup_common.sh
@@ -205,3 +205,16 @@ try_and_remove_coco_attestation_procs()
 		[ -f "${procs_path}${i}" ] && sudo mv "${procs_path}${i}" /tmp || true
 	done
 }
+
+deny_single_api_in_policy()
+{
+	info "Setting default deny for single API in policy"
+	local pol_file=$1
+	local deny_req=$2
+
+	[ ! -f $local_policy_file ] && install_policy_doc
+
+	info "Not allowing ${deny_req}"
+	sudo cp $local_policy_file $pol_file
+	sed -i "s/\(.*$deny_req.*:= \)\(.*\)/\1false/" $pol_file
+}