C-WCOW: Add a test for verified CIM policy enforcement

Signed-off-by: Mahati Chamarthy <mahati.chamarthy@gmail.com>

Author: MahatiC

internal/gcs-sidecar/handlers.go

@@ -698,6 +698,8 @@ func (b *Bridge) modifySettings(req *request) (err error) {
 						} else {
 							log.G(ctx).Debugf("No cached CIM hashes found for volume %s", guidStr)
 						}
+					} else {
+						return fmt.Errorf("no cim hashes found for container ID %s", containerID)
 					}
 				}
 

pkg/securitypolicy/regopolicy_windows_test.go

@@ -8,6 +8,7 @@ import (
 	_ "embed"
 	"fmt"
 	"math/rand"
+	"strconv"
 	"strings"
 	"testing"
 	"testing/quick"
@@ -315,6 +316,45 @@ func Test_Rego_EnforceCreateContainer_Same_Container_Twice_Windows(t *testing.T)
 	}
 }
 
+func Test_Rego_EnforceVerifiedCIMSPolicy_Multiple_Instances_Same_Container(t *testing.T) {
+	for containersToCreate := 5; containersToCreate <= maxContainersInGeneratedConstraints; containersToCreate++ {
+		constraints := new(generatedWindowsConstraints)
+		constraints.ctx = context.Background()
+		constraints.externalProcesses = generateExternalProcesses(testRand)
+
+		for i := 1; i <= containersToCreate; i++ {
+			arg := "command " + strconv.Itoa(i)
+			c := &securityPolicyWindowsContainer{
+				Command: []string{arg},
+				Layers:  []string{"1", "2"},
+			}
+
+			constraints.containers = append(constraints.containers, c)
+		}
+
+		securityPolicy := constraints.toPolicy()
+		policy, err := newRegoPolicy(securityPolicy.marshalWindowsRego(), []oci.Mount{}, []oci.Mount{}, testOSType)
+
+		if err != nil {
+			t.Fatalf("failed create enforcer")
+		}
+
+		for _, container := range constraints.containers {
+			// Reverse container.Layers to satisfy layerHashes_ok ordering
+			layerHashes := make([]string, len(container.Layers))
+			for i, layer := range container.Layers {
+				layerHashes[len(container.Layers)-1-i] = layer
+			}
+
+			id := testDataGenerator.uniqueContainerID()
+			err = policy.EnforceVerifiedCIMsPolicy(constraints.ctx, id, layerHashes)
+			if err != nil {
+				t.Fatalf("failed with %d containers", containersToCreate)
+			}
+		}
+	}
+}
+
 // -- Capabilities/Mount/Rego version tests are removed -- Add back Rego versions test//
 func Test_Rego_ExecInContainerPolicy_Windows(t *testing.T) {
 	f := func(p *generatedWindowsConstraints) bool {