From f4e78103acbe224ac66b4778edcd931407fde63d Mon Sep 17 00:00:00 2001
From: Qi Feng Huo
Date: Mon, 6 May 2024 10:51:23 +0800
Subject: [PATCH] libvirt: enable customized opa file in kbs

Fixes: #1825

Signed-off-by: Qi Feng Huo
---
 src/cloud-api-adaptor/test/e2e/main_test.go | 13 ++++++++++---
 src/cloud-api-adaptor/test/provisioner/provision.go | 7 +++----
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/src/cloud-api-adaptor/test/e2e/main_test.go b/src/cloud-api-adaptor/test/e2e/main_test.go
index 6444f2ad3..edce2ee4e 100644
--- a/src/cloud-api-adaptor/test/e2e/main_test.go
+++ b/src/cloud-api-adaptor/test/e2e/main_test.go
@@ -101,6 +101,10 @@ func TestMain(m *testing.M) {
 		shouldDeployKbs = true
 	}
 
+	// The TEE_CUSTOMIZED_OPA is an option variable which specifies the opa file path
+	// such as: $HOME/trustee/kbs/sample_policies/allow_all.rego.
+	customizedOpaFile := os.Getenv("TEE_CUSTOMIZED_OPA")
+
 	if !shouldProvisionCluster {
 		// Look for a suitable kubeconfig file in the sequence: --kubeconfig flag,
 		// or KUBECONFIG variable, or $HOME/.kube/config.
@@ -154,9 +158,12 @@ func TestMain(m *testing.M) {
 	kbsparams = "cc_kbc::http://" + kbsEndpoint
 	log.Infof("KBS PARAMS: %s", kbsparams)
 
-	if cloudProvider == "libvirt" {
-		log.Info("Enable sample TEE for libvirt provider by change KBS OPA to allow all")
-		if err = keyBrokerService.EnableKbsAllowAllPolicy("http://" + kbsEndpoint); err != nil {
+	if customizedOpaFile != "" {
+		log.Info("Enable customized opa file in KBS service.")
+		if _, err := os.Stat(customizedOpaFile); err != nil {
+			return ctx, err
+		}
+		if err = keyBrokerService.EnableKbsCustomizedPolicy("http://"+kbsEndpoint, customizedOpaFile); err != nil {
 			return ctx, err
 		}
 	}
diff --git a/src/cloud-api-adaptor/test/provisioner/provision.go b/src/cloud-api-adaptor/test/provisioner/provision.go
index e47bf5093..79ad03d76 100644
--- a/src/cloud-api-adaptor/test/provisioner/provision.go
+++ b/src/cloud-api-adaptor/test/provisioner/provision.go
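Review bot: The new comment above `customizedOpaFile` in the first hunk says "option variable" where "optional environment variable" is meant, and it does not say what happens when the variable is unset, which is the case every run not explicitly opting in now hits. Suggested wording: `// TEE_CUSTOMIZED_OPA optionally names an OPA policy file (e.g. $HOME/trustee/kbs/sample_policies/allow_all.rego) to install as the KBS resource policy; when unset, this test leaves the KBS policy untouched.` The enclosing TestMain begins and ends outside the hunk.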
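Review bot: In the second hunk the `os.Stat(customizedOpaFile)` check and the later `kbs-client` invocation resolve a relative path against different directories: `os.Stat` uses the test process's working directory, while `EnableKbsCustomizedPolicy` runs `kbs-client` with `cmd.Dir` set to the trustee `target/release` directory, so a relative `TEE_CUSTOMIZED_OPA` can pass the existence check and then fail, or pick up a different file than the operator intended. Resolving the path once before both uses closes the gap: `if customizedOpaFile, err = filepath.Abs(customizedOpaFile); err != nil { return ctx, err }` placed before the `os.Stat` call (this needs `path/filepath` imported in main_test.go if it is not already). Since the file selected here becomes the KBS resource-release policy, the `os.Stat` error is also worth wrapping with the variable name, e.g. `return ctx, fmt.Errorf("TEE_CUSTOMIZED_OPA %q: %w", customizedOpaFile, err)`, so a misconfigured run explains itself in the log. The enclosing TestMain starts and ends outside the hunk.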
@@ -381,12 +381,11 @@ func (p *KeyBrokerService) GetKbsEndpoint(ctx context.Context, cfg *envconf.Conf
 	return "", fmt.Errorf("Service %s not found", serviceName)
 }
 
-func (p *KeyBrokerService) EnableKbsAllowAllPolicy(kbsEndpoint string) error {
-	log.Info("EnableKbsAllowAllPolicy")
+func (p *KeyBrokerService) EnableKbsCustomizedPolicy(kbsEndpoint string, customizedOpaFile string) error {
+	log.Info("EnableKbsCustomizedPolicy")
 	kbsClientDir := filepath.Join(TRUSTEE_REPO_PATH, "target/release")
 	privateKey := "../../kbs/config/kubernetes/base/kbs.key"
-	policyFile := "../../kbs/sample_policies/allow_all.rego"
-	cmd := exec.Command("./kbs-client", "--url", kbsEndpoint, "config", "--auth-private-key", privateKey, "set-resource-policy", "--policy-file", policyFile)
+	cmd := exec.Command("./kbs-client", "--url", kbsEndpoint, "config", "--auth-private-key", privateKey, "set-resource-policy", "--policy-file", customizedOpaFile)
 	cmd.Dir = kbsClientDir
 	cmd.Env = os.Environ()
 	stdoutStderr, err := cmd.CombinedOutput()
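Review bot: The exported `EnableKbsCustomizedPolicy` has no doc comment, and the one contract a caller must know is not stated anywhere: `customizedOpaFile` is handed to `kbs-client` running with `cmd.Dir = kbsClientDir`, so a relative path is resolved against the trustee `target/release` directory exactly like the hard-coded `privateKey`, not against the caller's working directory. Suggested comment above the signature: `// EnableKbsCustomizedPolicy installs the OPA policy in customizedOpaFile as the resource policy of the KBS at kbsEndpoint using kbs-client. Relative paths are resolved against the kbs-client directory (TRUSTEE_REPO_PATH/target/release), so callers should pass an absolute path.` The log line now names only the operation, yet the file it installs decides which resources the KBS will release; `log.Infof("EnableKbsCustomizedPolicy: policy file %q", customizedOpaFile)` leaves a record of which policy was applied in each run. The method body continues past the end of the hunk.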