tokenizing env variables and args both on agent and genpolicy side

src/agent/Cargo.toml

@@ -96,7 +96,6 @@ regorus = { version = "0.2.6", default-features = false, features = [
     "base64url",
 ], optional = true }
 json-patch = "2.0.0"
-shell-words = "1.1.0"
 
 [dev-dependencies]
 tempfile = "3.1.0"

src/agent/src/policy.rs

@@ -74,8 +74,6 @@ mod tests {
             Err(e) => panic!("Unexpected error: {:?}", e),
         }
 
-        let shell_split = shell_words::split("ls -l /tmp").expect("Failed to split");
-        println!("{:?}", shell_split);
         assert!(false, "fail");
     }
 }
@@ -175,19 +173,34 @@ pub struct AgentPolicy {
     engine: regorus::Engine,
 }
 
+#[derive(Debug)]
+struct PolicyCreateContainerRequest {
+    base: protocols::agent::CreateContainerRequest,
+    tokenized_args: Vec<Vec<String>>,
+    env_map: std::collections::HashMap<String, String>,
+}
+
 fn map_request<'a>(ep: &str, input: &'a str) -> &'a str {
     println!("Mapping request");
     match ep {
         "CreateContainerRequest" => {
             println!("CreateContainerRequest detected");
             let req: protocols::agent::CreateContainerRequest =
                 serde_json::from_str(input).expect("JSON was not well-formatted");
-            for arg in &req.OCI.Process.Args {
-                println!("Arg: {}", arg);
-                let arg_split = shell_words::split(arg).expect("Failed to split");
-                println!("arg_split: {:?}", arg_split);
-            }
+            let tokenized_args = oci::get_tokenized_args(&req.OCI.Process.Args);
+
+            println!("Tokenized args: {:?}", tokenized_args);
+
+            let env_map = oci::get_env_map(&req.OCI.Process.Env);
+            println!("Env: {:?}", env_map);
+
+            let req_v2 = PolicyCreateContainerRequest {
+                base: req,
+                tokenized_args,
+                env_map,
+            };
 
+            // todo: return the new request
             input
         }
 

src/libs/oci/Cargo.toml

@@ -10,3 +10,4 @@ serde = "1.0.131"
 serde_derive = "1.0.131"
 serde_json = "1.0.73"
 libc = "0.2.112"
+shell-words = "1.1.0"

src/libs/oci/src/lib.rs

@@ -81,6 +81,30 @@ impl Spec {
 
 pub type LinuxRlimit = PosixRlimit;
 
+pub fn get_tokenized_args(args: &Vec<String>) -> Vec<Vec<String>> {
+    let mut tokenized_args: Vec<Vec<String>> = Vec::new();
+    for arg in args {
+        let arg_split = shell_words::split(arg).expect("Failed to split");
+        tokenized_args.push(arg_split);
+    }
+    tokenized_args
+}
+
+pub fn get_env_map(env: &Vec<String>) -> std::collections::HashMap<String, String> {
+    let env_map: std::collections::HashMap<String, String> = env
+        .iter()
+        .filter_map(|v| {
+            let mut split = v.splitn(2, "=");
+            if let (Some(key), Some(value)) = (split.next(), split.next()) {
+                Some((key.to_string(), value.to_string()))
+            } else {
+                None
+            }
+        })
+        .collect();
+    env_map
+}
+
 #[derive(Serialize, Deserialize, Debug, Default, Clone, PartialEq)]
 pub struct Process {
     #[serde(default)]

src/tools/genpolicy/src/policy.rs

@@ -271,6 +271,9 @@ pub struct ContainerPolicy {
     /// ExecProcessRequest. By default, all ExecProcessRequest calls are blocked
     /// by the policy.
     exec_commands: Vec<String>,
+
+    tokenized_args: Vec<Vec<String>>,
+    env_map: std::collections::HashMap<String, String>,
 }
 
 /// See Reference / Kubernetes API / Config and Storage Resources / Volume.
@@ -595,6 +598,9 @@ impl AgentPolicy {
         };
         let exec_commands = yaml_container.get_exec_commands();
 
+        let env_map = oci::get_env_map(&process.Env);
+
+        let tokenized_args = oci::get_tokenized_args(&process.Args);
         ContainerPolicy {
             OCI: KataSpec {
                 Version: version_default(),
@@ -608,6 +614,8 @@ impl AgentPolicy {
             storages,
             sandbox_pidns,
             exec_commands,
+            tokenized_args,
+            env_map,
         }
     }