C-WCOW: Add a test for verified CIM policy enforcement

Signed-off-by: Mahati Chamarthy <mahati.chamarthy@gmail.com>

Author: MahatiC

internal/gcs-sidecar/handlers.go

@@ -741,19 +741,19 @@ func (b *Bridge) modifySettings(req *request) (err error) {
 				layerPath := settings.CombinedLayers.Layers[0].Path
 				if guidStr, ok := volumeGUIDFromLayerPath(layerPath); ok {
 					hashes, haveHashes := b.hostState.blockCIMVolumeHashes[guidStr]
+					// This must always be true for every container as the hashes are recorded during initial CIM mount in ResourceTypeWCOWBlockCims request
 					if haveHashes {
-						// Only do this if it wasn't already enforced by the ResourceTypeWCOWBlockCims request
 						containers := b.hostState.blockCIMVolumeContainers[guidStr]
 						if _, seen := containers[containerID]; !seen {
-							// This is a container with CIMs already mounted (container with similar layers as an existing container). Call EnforceVerifiedCIMsPolicy on this new container
+							// This is a container with CIMs already mounted. Just Call EnforceVerifiedCIMsPolicy on this to record in policy metadata
 							log.G(ctx).Tracef("Verified CIM hashes for reused mount volume %s (container %s)", guidStr, containerID)
 							if err := b.hostState.securityPolicyEnforcer.EnforceVerifiedCIMsPolicy(ctx, containerID, hashes); err != nil {
 								return fmt.Errorf("CIM mount is denied by policy for this container: %w", err)
 							}
 							containers[containerID] = struct{}{}
 						}
 					} else {
-						log.G(ctx).Debugf("No cached CIM hashes found for volume %s", guidStr)
+						return fmt.Errorf("No CIM hashes found for container ID %s", containerID)
 					}
 				}
 			}

pkg/securitypolicy/regopolicy_windows_test.go

@@ -8,6 +8,7 @@ import (
 	_ "embed"
 	"fmt"
 	"math/rand"
+	"strconv"
 	"strings"
 	"testing"
 	"testing/quick"
@@ -315,6 +316,45 @@ func Test_Rego_EnforceCreateContainer_Same_Container_Twice_Windows(t *testing.T)
 	}
 }
 
+func Test_Rego_EnforceVerifiedCIMSPolicy_Multiple_Instances_Same_Container(t *testing.T) {
+	for containersToCreate := 5; containersToCreate <= maxContainersInGeneratedConstraints; containersToCreate++ {
+		constraints := new(generatedWindowsConstraints)
+		constraints.ctx = context.Background()
+		constraints.externalProcesses = generateExternalProcesses(testRand)
+
+		for i := 1; i <= containersToCreate; i++ {
+			arg := "command " + strconv.Itoa(i)
+			c := &securityPolicyWindowsContainer{
+				Command: []string{arg},
+				Layers:  []string{"1", "2"},
+			}
+
+			constraints.containers = append(constraints.containers, c)
+		}
+
+		securityPolicy := constraints.toPolicy()
+		policy, err := newRegoPolicy(securityPolicy.marshalWindowsRego(), []oci.Mount{}, []oci.Mount{}, testOSType)
+
+		if err != nil {
+			t.Fatalf("failed create enforcer")
+		}
+
+		for _, container := range constraints.containers {
+			// Reverse container.Layers to satisfy layerHashes_ok ordering
+			layerHashes := make([]string, len(container.Layers))
+			for i, layer := range container.Layers {
+				layerHashes[len(container.Layers)-1-i] = layer
+			}
+
+			id := testDataGenerator.uniqueContainerID()
+			err = policy.EnforceVerifiedCIMsPolicy(constraints.ctx, id, layerHashes)
+			if err != nil {
+				t.Fatalf("failed with %d containers", containersToCreate)
+			}
+		}
+	}
+}
+
 // -- Capabilities/Mount/Rego version tests are removed -- Add back Rego versions test//
 func Test_Rego_ExecInContainerPolicy_Windows(t *testing.T) {
 	f := func(p *generatedWindowsConstraints) bool {