refactor(guard): extract validateIntegrityField to eliminate triplicated switch blocks (#4944)

lpcox · web-flow · commit 1a7562438497 · 2026-05-01T09:38:45.000-07:00
The integrity-level validation switch (`none|unapproved|approved|merged`) was inlined identically three times in `buildStrictLabelAgentPayload`, meaning any new integrity level required three synchronized edits. ## Changes - **`internal/guard/wasm_validate.go`** *(new)*: single `validateIntegrityField(fieldName string, raw interface{}) error` helper — handles both the `string` type assertion and the validity switch in one place - **`internal/guard/wasm_payload.go`**: replaces the three duplicate blocks for `integrity`, `disapproval-integrity`, and `endorser-min-integrity` with calls to the helper ```go // before — repeated verbatim three times disInt, ok := disIntRaw.(string) if !ok { return nil, fmt.Errorf("invalid disapproval-integrity value: ...") } switch strings.ToLower(strings.TrimSpace(disInt)) { case "none", "unapproved", "approved", "merged": default: return nil, fmt.Errorf("invalid disapproval-integrity value: ...") } // after if err := validateIntegrityField("disapproval-integrity", disIntRaw); err != nil { return nil, err } ``` > [!WARNING] > > <details> > <summary>Firewall rules blocked me from connecting to one or more addresses (expand for details)</summary> > > #### I tried to connect to the following addresses, but was blocked by firewall rules: > > - `example.com` > - Triggering command: `/tmp/go-build3106413706/b513/launcher.test /tmp/go-build3106413706/b513/launcher.test -test.testlogfile=/tmp/go-build3106413706/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s -o .cfg 3753103/b314/ x_amd64/vet -p github.com/githu--version -lang=go1.25 x_amd64/vet .cfg�� 3753103/b364/_pkg_.a ache/go/1.25.9/x64/src/net/http/internal/httpcommon/httpcommon.ggoogle.golang.org/protobuf/types-qE x_amd64/vet --gdwarf-5 --64 -o 42W3fCn/gP4cHa5aRI3EQQAZUMxk` (dns block) > - `invalid-host-that-does-not-exist-12345.com` > - Triggering command: `/tmp/go-build3106413706/b495/config.test /tmp/go-build3106413706/b495/config.test -test.testlogfile=/tmp/go-build3106413706/b495/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp/go-build3106413706/b393/vet.cfg 1.80.0/resolver/dns/dns_resolver.go 64/src/crypto/x509/cert_pool.go x_amd64/vet --gdwarf-5 --64 -o x_amd64/vet -o g_.a -trimpath x_amd64/vet -p gzip -lang=go1.25 x_amd64/vet` (dns block) > - `nonexistent.local` > - Triggering command: `/tmp/go-build3106413706/b513/launcher.test /tmp/go-build3106413706/b513/launcher.test -test.testlogfile=/tmp/go-build3106413706/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s -o .cfg 3753103/b314/ x_amd64/vet -p github.com/githu--version -lang=go1.25 x_amd64/vet .cfg�� 3753103/b364/_pkg_.a ache/go/1.25.9/x64/src/net/http/internal/httpcommon/httpcommon.ggoogle.golang.org/protobuf/types-qE x_amd64/vet --gdwarf-5 --64 -o 42W3fCn/gP4cHa5aRI3EQQAZUMxk` (dns block) > - `slow.example.com` > - Triggering command: `/tmp/go-build3106413706/b513/launcher.test /tmp/go-build3106413706/b513/launcher.test -test.testlogfile=/tmp/go-build3106413706/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s -o .cfg 3753103/b314/ x_amd64/vet -p github.com/githu--version -lang=go1.25 x_amd64/vet .cfg�� 3753103/b364/_pkg_.a ache/go/1.25.9/x64/src/net/http/internal/httpcommon/httpcommon.ggoogle.golang.org/protobuf/types-qE x_amd64/vet --gdwarf-5 --64 -o 42W3fCn/gP4cHa5aRI3EQQAZUMxk` (dns block) > - `this-host-does-not-exist-12345.com` > - Triggering command: `/tmp/go-build3106413706/b522/mcp.test /tmp/go-build3106413706/b522/mcp.test -test.testlogfile=/tmp/go-build3106413706/b522/testlog.txt -test.paniconexit0 -test.timeout=10m0s -I .cfg -I x_amd64/vet --gdwarf-5 --64 -o x_amd64/vet .cfg�� 3753103/b400/_pkg_.a -dynimport x_amd64/vet -dynout g/grpc/internal//usr/bin/runc p/bin/git x_amd64/vet` (dns block) > > If you need me to access, download, or install something from one of these locations, you can either: > > - Configure [Actions setup steps](https://gh.io/copilot/actions-setup-steps) to set up my environment, which run before the firewall is enabled > - Add the appropriate URLs or hosts to the custom allowlist in this repository's [Copilot coding agent settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent) (admins only) > > </details>
diff --git a/internal/guard/wasm_payload.go b/internal/guard/wasm_payload.go
@@ -92,8 +92,10 @@ func buildStrictLabelAgentPayload(policy interface{}) (map[string]interface{}, e
 
 	reposRaw, hasRepos := allowOnly["repos"]
 	integrityRaw, hasIntegrity := allowOnly["min-integrity"]
+	integrityFieldName := "min-integrity"
 	if !hasIntegrity {
 		integrityRaw, hasIntegrity = allowOnly["integrity"]
+		integrityFieldName = "integrity"
 	}
 	if !hasRepos || !hasIntegrity {
 		return nil, fmt.Errorf("invalid guard policy transport shape: missing required fields repos and/or min-integrity in allow-only object")
@@ -114,15 +116,8 @@ func buildStrictLabelAgentPayload(policy interface{}) (map[string]interface{}, e
 		return nil, fmt.Errorf("invalid repos value: expected all, public, or non-empty array of scoped strings")
 	}
 
-	integrity, ok := integrityRaw.(string)
-	if !ok {
-		return nil, fmt.Errorf("invalid integrity value: expected one of none|unapproved|approved|merged")
-	}
-
-	switch strings.ToLower(strings.TrimSpace(integrity)) {
-	case "none", "unapproved", "approved", "merged":
-	default:
-		return nil, fmt.Errorf("invalid integrity value: expected one of none|unapproved|approved|merged")
+	if err := validateIntegrityField(integrityFieldName, integrityRaw); err != nil {
+		return nil, err
 	}
 
 	// Validate blocked-users if present: must be a non-empty array of non-empty strings.
@@ -199,27 +194,15 @@ func buildStrictLabelAgentPayload(policy interface{}) (map[string]interface{}, e
 
 	// Validate disapproval-integrity if present.
 	if disIntRaw, ok := allowOnly["disapproval-integrity"]; ok {
-		disInt, ok := disIntRaw.(string)
-		if !ok {
-			return nil, fmt.Errorf("invalid disapproval-integrity value: expected one of none|unapproved|approved|merged")
-		}
-		switch strings.ToLower(strings.TrimSpace(disInt)) {
-		case "none", "unapproved", "approved", "merged":
-		default:
-			return nil, fmt.Errorf("invalid disapproval-integrity value: expected one of none|unapproved|approved|merged")
+		if err := validateIntegrityField("disapproval-integrity", disIntRaw); err != nil {
+			return nil, err
 		}
 	}
 
 	// Validate endorser-min-integrity if present.
 	if endMinRaw, ok := allowOnly["endorser-min-integrity"]; ok {
-		endMin, ok := endMinRaw.(string)
-		if !ok {
-			return nil, fmt.Errorf("invalid endorser-min-integrity value: expected one of none|unapproved|approved|merged")
-		}
-		switch strings.ToLower(strings.TrimSpace(endMin)) {
-		case "none", "unapproved", "approved", "merged":
-		default:
-			return nil, fmt.Errorf("invalid endorser-min-integrity value: expected one of none|unapproved|approved|merged")
+		if err := validateIntegrityField("endorser-min-integrity", endMinRaw); err != nil {
+			return nil, err
 		}
 	}
 
diff --git a/internal/guard/wasm_test.go b/internal/guard/wasm_test.go
@@ -358,7 +358,7 @@ func TestBuildStrictLabelAgentPayloadExtended(t *testing.T) {
 
 		_, err := buildStrictLabelAgentPayload(policy)
 		require.Error(t, err)
-		assert.Contains(t, err.Error(), "invalid integrity value")
+		assert.Contains(t, err.Error(), "invalid min-integrity value")
 	})
 
 	t.Run("valid allow-only policy succeeds", func(t *testing.T) {
diff --git a/internal/guard/wasm_validate.go b/internal/guard/wasm_validate.go
@@ -0,0 +1,38 @@
+package guard
+
+import (
+	"fmt"
+	"strings"
+)
+
+// allowedIntegrityLevels is the single source of truth for valid integrity-level values.
+var allowedIntegrityLevels = []string{"none", "unapproved", "approved", "merged"}
+
+var allowedIntegrityLevelSet = map[string]struct{}{
+	"none":       {},
+	"unapproved": {},
+	"approved":   {},
+	"merged":     {},
+}
+
+func invalidIntegrityFieldError(fieldName string) error {
+	return fmt.Errorf(
+		"invalid %s value: expected one of %s",
+		fieldName,
+		strings.Join(allowedIntegrityLevels, "|"),
+	)
+}
+
+// validateIntegrityField returns an error if raw is not a valid integrity-level
+// string. fieldName is used in the error message (e.g. "disapproval-integrity").
+func validateIntegrityField(fieldName string, raw interface{}) error {
+	s, ok := raw.(string)
+	if !ok {
+		return invalidIntegrityFieldError(fieldName)
+	}
+	normalized := strings.ToLower(strings.TrimSpace(s))
+	if _, ok := allowedIntegrityLevelSet[normalized]; ok {
+		return nil
+	}
+	return invalidIntegrityFieldError(fieldName)
+}
