From f81348a16b6dd8705cd75379daf3b7490185e841 Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick <bradfitz@tailscale.com>
Date: Wed, 30 Oct 2024 09:48:12 -0700
Subject: [PATCH] util/syspolicy/source: put EnvPolicyStore env keys in their
 own namespace

... all prefixed with TS_DEBUGSYSPOLICY_*.

Updates #13193
Updates #12687
Updates #13855

Change-Id: Ia8024946f53e2b3afda4456a7bb85bbcf6d12bfc
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
---
 util/syspolicy/source/env_policy_store.go     |  2 +-
 .../syspolicy/source/env_policy_store_test.go | 85 ++++++++++---------
 2 files changed, 46 insertions(+), 41 deletions(-)

diff --git a/util/syspolicy/source/env_policy_store.go b/util/syspolicy/source/env_policy_store.go
index 61065ceff..299132b4e 100644
--- a/util/syspolicy/source/env_policy_store.go
+++ b/util/syspolicy/source/env_policy_store.go
@@ -114,7 +114,7 @@ func keyToEnvVarName(key setting.Key) (string, error) {
 	isDigit := func(c byte) bool { return '0' <= c && c <= '9' }
 
 	words := make([]string, 0, 8)
-	words = append(words, "TS")
+	words = append(words, "TS_DEBUGSYSPOLICY")
 	var currentWord strings.Builder
 	for i := 0; i < len(key); i++ {
 		c := key[i]
diff --git a/util/syspolicy/source/env_policy_store_test.go b/util/syspolicy/source/env_policy_store_test.go
index 364a6104d..9eacf6378 100644
--- a/util/syspolicy/source/env_policy_store_test.go
+++ b/util/syspolicy/source/env_policy_store_test.go
@@ -14,11 +14,11 @@
 	"tailscale.com/util/syspolicy/setting"
 )
 
-func TestKeyToVariableName(t *testing.T) {
+func TestKeyToEnvVarName(t *testing.T) {
 	tests := []struct {
 		name    string
 		key     setting.Key
-		want    string
+		want    string // suffix after "TS_DEBUGSYSPOLICY_"
 		wantErr error
 	}{
 		{
@@ -29,87 +29,87 @@ func TestKeyToVariableName(t *testing.T) {
 		{
 			name: "lowercase",
 			key:  "tailnet",
-			want: "TS_TAILNET",
+			want: "TAILNET",
 		},
 		{
 			name: "CamelCase",
 			key:  "AuthKey",
-			want: "TS_AUTH_KEY",
+			want: "AUTH_KEY",
 		},
 		{
 			name: "LongerCamelCase",
 			key:  "ManagedByOrganizationName",
-			want: "TS_MANAGED_BY_ORGANIZATION_NAME",
+			want: "MANAGED_BY_ORGANIZATION_NAME",
 		},
 		{
 			name: "UPPERCASE",
 			key:  "UPPERCASE",
-			want: "TS_UPPERCASE",
+			want: "UPPERCASE",
 		},
 		{
 			name: "WithAbbrev/Front",
 			key:  "DNSServer",
-			want: "TS_DNS_SERVER",
+			want: "DNS_SERVER",
 		},
 		{
 			name: "WithAbbrev/Middle",
 			key:  "ExitNodeAllowLANAccess",
-			want: "TS_EXIT_NODE_ALLOW_LAN_ACCESS",
+			want: "EXIT_NODE_ALLOW_LAN_ACCESS",
 		},
 		{
 			name: "WithAbbrev/Back",
 			key:  "ExitNodeID",
-			want: "TS_EXIT_NODE_ID",
+			want: "EXIT_NODE_ID",
 		},
 		{
 			name: "WithDigits/Single/Front",
 			key:  "0TestKey",
-			want: "TS_0_TEST_KEY",
+			want: "0_TEST_KEY",
 		},
 		{
 			name: "WithDigits/Multi/Front",
 			key:  "64TestKey",
-			want: "TS_64_TEST_KEY",
+			want: "64_TEST_KEY",
 		},
 		{
 			name: "WithDigits/Single/Middle",
 			key:  "Test0Key",
-			want: "TS_TEST_0_KEY",
+			want: "TEST_0_KEY",
 		},
 		{
 			name: "WithDigits/Multi/Middle",
 			key:  "Test64Key",
-			want: "TS_TEST_64_KEY",
+			want: "TEST_64_KEY",
 		},
 		{
 			name: "WithDigits/Single/Back",
 			key:  "TestKey0",
-			want: "TS_TEST_KEY_0",
+			want: "TEST_KEY_0",
 		},
 		{
 			name: "WithDigits/Multi/Back",
 			key:  "TestKey64",
-			want: "TS_TEST_KEY_64",
+			want: "TEST_KEY_64",
 		},
 		{
 			name: "WithDigits/Multi/Back",
 			key:  "TestKey64",
-			want: "TS_TEST_KEY_64",
+			want: "TEST_KEY_64",
 		},
 		{
 			name: "WithPathSeparators/Single",
 			key:  "Key/Subkey",
-			want: "TS_KEY_SUBKEY",
+			want: "KEY_SUBKEY",
 		},
 		{
 			name: "WithPathSeparators/Multi",
 			key:  "Root/Level1/Level2",
-			want: "TS_ROOT_LEVEL_1_LEVEL_2",
+			want: "ROOT_LEVEL_1_LEVEL_2",
 		},
 		{
 			name: "Mixed",
 			key:  "Network/DNSServer/IPAddress",
-			want: "TS_NETWORK_DNS_SERVER_IP_ADDRESS",
+			want: "NETWORK_DNS_SERVER_IP_ADDRESS",
 		},
 		{
 			name:    "Non-Alphanumeric/NonASCII/1",
@@ -142,8 +142,12 @@ func TestKeyToVariableName(t *testing.T) {
 			got, err := keyToEnvVarName(tt.key)
 			checkError(t, err, tt.wantErr, true)
 
-			if got != tt.want {
-				t.Fatalf("got %q; want %q", got, tt.want)
+			want := tt.want
+			if want != "" {
+				want = "TS_DEBUGSYSPOLICY_" + want
+			}
+			if got != want {
+				t.Fatalf("got %q; want %q", got, want)
 			}
 		})
 	}
@@ -152,6 +156,7 @@ func TestKeyToVariableName(t *testing.T) {
 func TestEnvPolicyStore(t *testing.T) {
 	blankEnv := func(string) (string, bool) { return "", false }
 	makeEnv := func(wantName, value string) func(string) (string, bool) {
+		wantName = "TS_DEBUGSYSPOLICY_" + wantName
 		return func(gotName string) (string, bool) {
 			if gotName != wantName {
 				return "", false
@@ -176,13 +181,13 @@ func TestEnvPolicyStore(t *testing.T) {
 		{
 			name:   "Configured/String/Empty",
 			key:    "AuthKey",
-			lookup: makeEnv("TS_AUTH_KEY", ""),
+			lookup: makeEnv("AUTH_KEY", ""),
 			want:   "",
 		},
 		{
 			name:   "Configured/String/NonEmpty",
 			key:    "AuthKey",
-			lookup: makeEnv("TS_AUTH_KEY", "ABC123"),
+			lookup: makeEnv("AUTH_KEY", "ABC123"),
 			want:   "ABC123",
 		},
 		{
@@ -195,39 +200,39 @@ func TestEnvPolicyStore(t *testing.T) {
 		{
 			name:    "Configured/UInt64/Empty",
 			key:     "IntegerSetting",
-			lookup:  makeEnv("TS_INTEGER_SETTING", ""),
+			lookup:  makeEnv("INTEGER_SETTING", ""),
 			wantErr: setting.ErrNotConfigured,
 			want:    uint64(0),
 		},
 		{
 			name:   "Configured/UInt64/Zero",
 			key:    "IntegerSetting",
-			lookup: makeEnv("TS_INTEGER_SETTING", "0"),
+			lookup: makeEnv("INTEGER_SETTING", "0"),
 			want:   uint64(0),
 		},
 		{
 			name:   "Configured/UInt64/NonZero",
 			key:    "IntegerSetting",
-			lookup: makeEnv("TS_INTEGER_SETTING", "12345"),
+			lookup: makeEnv("INTEGER_SETTING", "12345"),
 			want:   uint64(12345),
 		},
 		{
 			name:   "Configured/UInt64/MaxUInt64",
 			key:    "IntegerSetting",
-			lookup: makeEnv("TS_INTEGER_SETTING", strconv.FormatUint(math.MaxUint64, 10)),
+			lookup: makeEnv("INTEGER_SETTING", strconv.FormatUint(math.MaxUint64, 10)),
 			want:   uint64(math.MaxUint64),
 		},
 		{
 			name:    "Configured/UInt64/Negative",
 			key:     "IntegerSetting",
-			lookup:  makeEnv("TS_INTEGER_SETTING", "-1"),
+			lookup:  makeEnv("INTEGER_SETTING", "-1"),
 			wantErr: setting.ErrTypeMismatch,
 			want:    uint64(0),
 		},
 		{
 			name:   "Configured/UInt64/Hex",
 			key:    "IntegerSetting",
-			lookup: makeEnv("TS_INTEGER_SETTING", "0xDEADBEEF"),
+			lookup: makeEnv("INTEGER_SETTING", "0xDEADBEEF"),
 			want:   uint64(0xDEADBEEF),
 		},
 		{
@@ -240,38 +245,38 @@ func TestEnvPolicyStore(t *testing.T) {
 		{
 			name:    "Configured/Bool/Empty",
 			key:     "LogSCMInteractions",
-			lookup:  makeEnv("TS_LOG_SCM_INTERACTIONS", ""),
+			lookup:  makeEnv("LOG_SCM_INTERACTIONS", ""),
 			wantErr: setting.ErrNotConfigured,
 			want:    false,
 		},
 		{
 			name:   "Configured/Bool/True",
 			key:    "LogSCMInteractions",
-			lookup: makeEnv("TS_LOG_SCM_INTERACTIONS", "true"),
+			lookup: makeEnv("LOG_SCM_INTERACTIONS", "true"),
 			want:   true,
 		},
 		{
 			name:   "Configured/Bool/False",
 			key:    "LogSCMInteractions",
-			lookup: makeEnv("TS_LOG_SCM_INTERACTIONS", "False"),
+			lookup: makeEnv("LOG_SCM_INTERACTIONS", "False"),
 			want:   false,
 		},
 		{
 			name:   "Configured/Bool/1",
 			key:    "LogSCMInteractions",
-			lookup: makeEnv("TS_LOG_SCM_INTERACTIONS", "1"),
+			lookup: makeEnv("LOG_SCM_INTERACTIONS", "1"),
 			want:   true,
 		},
 		{
 			name:   "Configured/Bool/0",
 			key:    "LogSCMInteractions",
-			lookup: makeEnv("TS_LOG_SCM_INTERACTIONS", "0"),
+			lookup: makeEnv("LOG_SCM_INTERACTIONS", "0"),
 			want:   false,
 		},
 		{
 			name:    "Configured/Bool/Invalid",
 			key:     "IntegerSetting",
-			lookup:  makeEnv("TS_INTEGER_SETTING", "NotABool"),
+			lookup:  makeEnv("INTEGER_SETTING", "NotABool"),
 			wantErr: setting.ErrTypeMismatch,
 			want:    false,
 		},
@@ -285,31 +290,31 @@ func TestEnvPolicyStore(t *testing.T) {
 		{
 			name:   "Configured/StringArray/Empty",
 			key:    "AllowedSuggestedExitNodes",
-			lookup: makeEnv("TS_ALLOWED_SUGGESTED_EXIT_NODES", ""),
+			lookup: makeEnv("ALLOWED_SUGGESTED_EXIT_NODES", ""),
 			want:   []string(nil),
 		},
 		{
 			name:   "Configured/StringArray/Spaces",
 			key:    "AllowedSuggestedExitNodes",
-			lookup: makeEnv("TS_ALLOWED_SUGGESTED_EXIT_NODES", " \t  "),
+			lookup: makeEnv("ALLOWED_SUGGESTED_EXIT_NODES", " \t  "),
 			want:   []string{},
 		},
 		{
 			name:   "Configured/StringArray/Single",
 			key:    "AllowedSuggestedExitNodes",
-			lookup: makeEnv("TS_ALLOWED_SUGGESTED_EXIT_NODES", "NodeA"),
+			lookup: makeEnv("ALLOWED_SUGGESTED_EXIT_NODES", "NodeA"),
 			want:   []string{"NodeA"},
 		},
 		{
 			name:   "Configured/StringArray/Multi",
 			key:    "AllowedSuggestedExitNodes",
-			lookup: makeEnv("TS_ALLOWED_SUGGESTED_EXIT_NODES", "NodeA,NodeB,NodeC"),
+			lookup: makeEnv("ALLOWED_SUGGESTED_EXIT_NODES", "NodeA,NodeB,NodeC"),
 			want:   []string{"NodeA", "NodeB", "NodeC"},
 		},
 		{
 			name:   "Configured/StringArray/WithBlank",
 			key:    "AllowedSuggestedExitNodes",
-			lookup: makeEnv("TS_ALLOWED_SUGGESTED_EXIT_NODES", "NodeA,\t,,   ,NodeB"),
+			lookup: makeEnv("ALLOWED_SUGGESTED_EXIT_NODES", "NodeA,\t,,   ,NodeB"),
 			want:   []string{"NodeA", "NodeB"},
 		},
 	}