From 02cd1e20c055a3ecef39b494afd911cc2e1f853e Mon Sep 17 00:00:00 2001
From: "Sean T. Allen"
Date: Mon, 20 Sep 2021 09:44:33 -0400
Subject: [PATCH] Make policy environment variable rules consts

This was a small change that came up in the initial code review that we put off "for a later date". The valid strategy strings are now shared between the policy tool and gcs so they can't end up with a mismatch.

Signed-off-by: Sean T. Allen
---
 internal/tools/securitypolicy/main.go | 10 +++++-----
 pkg/securitypolicy/securitypolicy.go | 15 +++++++++++----
 pkg/securitypolicy/securitypolicy_test.go | 2 +-
 .../hcsshim/pkg/securitypolicy/securitypolicy.go | 15 +++++++++++----
 4 files changed, 28 insertions(+), 14 deletions(-)

diff --git a/internal/tools/securitypolicy/main.go b/internal/tools/securitypolicy/main.go
index 591b2ac7d0..6b5c87b1a5 100644
--- a/internal/tools/securitypolicy/main.go
+++ b/internal/tools/securitypolicy/main.go
@@ -79,8 +79,8 @@ func main() {
 }
 
 type EnvironmentVariableRule struct {
- Strategy string `toml:"strategy"`
- Rule string `toml:"rule"`
+ Strategy sp.EnvVarRule `toml:"strategy"`
+ Rule string `toml:"rule"`
 }
 
 type Image struct {
@@ -205,7 +205,7 @@ func createPolicyFromConfig(config Config) (sp.SecurityPolicy, error) {
 }
 for _, env := range config.Config.Env {
 rule := sp.SecurityPolicyEnvironmentVariableRule{
- Strategy: "string",
+ Strategy: sp.EnvVarRuleString,
 Rule: env,
 }
 
@@ -215,7 +215,7 @@ func createPolicyFromConfig(config Config) (sp.SecurityPolicy, error) {
 // cri adds TERM=xterm for all workload containers. we add to all containers
 // to prevent any possble erroring
 rule := sp.SecurityPolicyEnvironmentVariableRule{
- Strategy: "string",
+ Strategy: sp.EnvVarRuleString,
 Rule: "TERM=xterm",
 }
 
@@ -233,7 +233,7 @@ func createPolicyFromConfig(config Config) (sp.SecurityPolicy, error) {
 func validateEnvRules(rules []EnvironmentVariableRule) error {
 for _, rule := range rules {
 switch rule.Strategy {
- case "re2":
+ case sp.EnvVarRuleRegex:
 _, err := regexp.Compile(rule.Rule)
 if err != nil {
 return err
diff --git a/pkg/securitypolicy/securitypolicy.go b/pkg/securitypolicy/securitypolicy.go
index 86aae0b84a..5079e890ec 100644
--- a/pkg/securitypolicy/securitypolicy.go
+++ b/pkg/securitypolicy/securitypolicy.go
@@ -7,6 +7,13 @@ import (
 "github.com/pkg/errors"
 )
 
+type EnvVarRule string
+
+const (
+ EnvVarRuleString EnvVarRule = "string"
+ EnvVarRuleRegex EnvVarRule = "re2"
+)
+
 // Internal version of SecurityPolicyContainer
 type securityPolicyContainer struct {
 // The command that we will allow the container to execute
@@ -22,8 +29,8 @@ type securityPolicyContainer struct {
 
 // Internal versino of SecurityPolicyEnvironmentVariableRule
 type securityPolicyEnvironmentVariableRule struct {
- Strategy string `json:"type"`
- Rule string `json:"rule"`
+ Strategy EnvVarRule `json:"type"`
+ Rule string `json:"rule"`
 }
 
 // SecurityPolicyState is a structure that holds user supplied policy to enforce
@@ -83,8 +90,8 @@ type SecurityPolicyContainer struct {
 }
 
 type SecurityPolicyEnvironmentVariableRule struct {
- Strategy string `json:"strategy"`
- Rule string `json:"rule"`
+ Strategy EnvVarRule `json:"strategy"`
+ Rule string `json:"rule"`
 }
 
 // Constructs SecurityPolicyState from base64Policy string. It first decodes
diff --git a/pkg/securitypolicy/securitypolicy_test.go b/pkg/securitypolicy/securitypolicy_test.go
index 8f8d5d309a..604b0b99fc 100644
--- a/pkg/securitypolicy/securitypolicy_test.go
+++ b/pkg/securitypolicy/securitypolicy_test.go
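Review bot: The switch on `rule.Strategy` now matches `sp.EnvVarRuleRegex`, but `Strategy` arrives from the TOML config as an unvalidated string, so any other spelling falls through to whatever follows this hunk; if the switch has no `default` that rejects it, a misspelled strategy in the config would pass validation and be written into the policy with a value the enforcer has no case for. The remainder of `validateEnvRules` is outside the hunk, so I cannot confirm whether such a default exists. If it does not, list `case sp.EnvVarRuleString:` explicitly and close the switch with `default: return fmt.Errorf("unknown environment variable rule strategy %q", rule.Strategy)` (or the errors package this file already uses), so that the only strategies a policy can carry are the two constants the package defines.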
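Review bot: `EnvVarRule`, `EnvVarRuleString` and `EnvVarRuleRegex` are exported without doc comments, and the type is the natural place to state the contract for unknown values, since an `EnvVarRule` decoded from JSON into `securityPolicyEnvironmentVariableRule` or `SecurityPolicyEnvironmentVariableRule` can hold any string. Suggested comments: `// EnvVarRule selects how an environment variable rule is matched against a container's environment.`, `// EnvVarRuleString compares the rule against the NAME=VALUE string verbatim.` and `// EnvVarRuleRegex treats the rule as an RE2 regular expression (Go regexp syntax); its wire value is "re2".` — the exact-match semantics of the string strategy are inferred from the name and should be checked against the matching code, which is not in this patch. It would also be worth documenting, and enforcing in the matcher, that a strategy other than these two never matches, so an unrecognised value in a policy denies rather than allows. The identical hunk appears again in the vendored copy under test/vendor.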
@@ -569,7 +569,7 @@ func Test_EnforceEnvironmentVariablePolicy_Re2Match(t *testing.T) {
 container := generateContainersContainer(r, 1)
 // add a rule to re2 match
 re2MatchRule := securityPolicyEnvironmentVariableRule{
- Strategy: "re2",
+ Strategy: EnvVarRuleRegex,
 Rule: "PREFIX_.+=.+"}
 container.EnvRules = append(container.EnvRules, re2MatchRule)
 p.containers = append(p.containers, container)
diff --git a/test/vendor/github.com/Microsoft/hcsshim/pkg/securitypolicy/securitypolicy.go b/test/vendor/github.com/Microsoft/hcsshim/pkg/securitypolicy/securitypolicy.go
index 86aae0b84a..5079e890ec 100644
--- a/test/vendor/github.com/Microsoft/hcsshim/pkg/securitypolicy/securitypolicy.go
+++ b/test/vendor/github.com/Microsoft/hcsshim/pkg/securitypolicy/securitypolicy.go
@@ -7,6 +7,13 @@ import (
 "github.com/pkg/errors"
 )
 
+type EnvVarRule string
+
+const (
+ EnvVarRuleString EnvVarRule = "string"
+ EnvVarRuleRegex EnvVarRule = "re2"
+)
+
 // Internal version of SecurityPolicyContainer
 type securityPolicyContainer struct {
 // The command that we will allow the container to execute
@@ -22,8 +29,8 @@ type securityPolicyContainer struct {
 
 // Internal versino of SecurityPolicyEnvironmentVariableRule
 type securityPolicyEnvironmentVariableRule struct {
- Strategy string `json:"type"`
- Rule string `json:"rule"`
+ Strategy EnvVarRule `json:"type"`
+ Rule string `json:"rule"`
 }
 
 // SecurityPolicyState is a structure that holds user supplied policy to enforce
@@ -83,8 +90,8 @@ type SecurityPolicyContainer struct {
 }
 
 type SecurityPolicyEnvironmentVariableRule struct {
- Strategy string `json:"strategy"`
- Rule string `json:"rule"`
+ Strategy EnvVarRule `json:"strategy"`
+ Rule string `json:"rule"`
 }
 
 // Constructs SecurityPolicyState from base64Policy string. It first decodes