securitypolicyenforcer: Remove the standard JSON enforcer

This commit removes the long deprecated standard JSON enforcer - all
confidential containers now has to either use Rego (the default), or the
open_door enforcer if provided with an empty policy or a policy that is
`{"allow_all": true}` (both case checked against host data).

Note that the host can still choose either rego or open_door, and this is not
measured into host data, but the policy check in createOpenDoorEnforcer ensures
that if the policy is a rego policy, trying to use an open_door enforcer will
error, leaving the enforcer at the default (which for confidential is a
deny-everything ClosedDoorSecurityPolicyEnforcer).

Closes: https://portal.microsofticm.com/imp/v5/incidents/details/31000000387867/summary
Signed-off-by: Tingmao Wang <[email protected]>

Author: micromaomao

pkg/securitypolicy/rego_utils_test.go

@@ -2218,40 +2218,6 @@ func (*generatedConstraints) Generate(r *rand.Rand, _ int) reflect.Value {
 	return reflect.ValueOf(c)
 }
 
-type testConfig struct {
-	container   *securityPolicyContainer
-	layers      []string
-	containerID string
-	policy      *StandardSecurityPolicyEnforcer
-}
-
-func setupContainerWithOverlay(gc *generatedConstraints, valid bool) (tc *testConfig, err error) {
-	sp := NewStandardSecurityPolicyEnforcer(gc.containers, ignoredEncodedPolicyString)
-
-	containerID := testDataGenerator.uniqueContainerID()
-	c := selectContainerFromContainerList(gc.containers, testRand)
-
-	var layerPaths []string
-	if valid {
-		layerPaths, err = testDataGenerator.createValidOverlayForContainer(sp, c)
-		if err != nil {
-			return nil, fmt.Errorf("error creating valid overlay: %w", err)
-		}
-	} else {
-		layerPaths, err = testDataGenerator.createInvalidOverlayForContainer(sp, c)
-		if err != nil {
-			return nil, fmt.Errorf("error creating invalid overlay: %w", err)
-		}
-	}
-
-	return &testConfig{
-		container:   c,
-		layers:      layerPaths,
-		containerID: containerID,
-		policy:      sp,
-	}, nil
-}
-
 func generateConstraints(r *rand.Rand, maxContainers int32) *generatedConstraints {
 	var containers []*securityPolicyContainer
 

pkg/securitypolicy/securitypolicy.go

@@ -26,7 +26,7 @@ var apiCodeTemplate string
 var APICode = strings.Replace(apiCodeTemplate, "@@API_VERSION@@", apiVersion, 1)
 var FrameworkCode = strings.Replace(frameworkCodeTemplate, "@@FRAMEWORK_VERSION@@", frameworkVersion, 1)
 
-var ErrInvalidOpenDoorPolicy = errors.New("allow_all cannot be set to 'true' when Containers are non-empty")
+var ErrInvalidOpenDoorPolicy = errors.New("Invalid policy for open-door enforcer")
 
 type EnvVarRule string