feat: validate benchmark type

Author: olegsu

beater/cloudbeat.go

@@ -20,9 +20,10 @@ package beater
 import (
 	"context"
 	"fmt"
-	"github.com/elastic/cloudbeat/resources/providers"
 	"time"
 
+	"github.com/elastic/cloudbeat/resources/providers"
+
 	"github.com/elastic/cloudbeat/config"
 	"github.com/elastic/cloudbeat/dataprovider"
 	"github.com/elastic/cloudbeat/evaluator"

beater/validator.go

@@ -32,7 +32,7 @@ type validator struct{}
 func (v *validator) Validate(cfg *agentconfig.C) error {
 	c, err := config.New(cfg)
 	if err != nil {
-		return fmt.Errorf("could not parse reconfiguration %v, skipping with error: %v", cfg.FlattenedKeys(), err)
+		return fmt.Errorf("could not parse reconfiguration %v, skipping with error: %w", cfg.FlattenedKeys(), err)
 	}
 
 	if c.RuntimeCfg == nil {

config/benchmark.go

@@ -0,0 +1,12 @@
+package config
+
+type Benchmark int
+
+// https://github.com/elastic/integrations/tree/main/packages/cloud_security_posture/data_stream/findings/agent/stream
+const (
+	CIS_K8S = "cis_k8s"
+	CIS_EKS = "cis_eks"
+	CIS_AWS = "cis_aws"
+)
+
+var SupportedCIS = []string{CIS_AWS, CIS_K8S, CIS_EKS}

config/config.go

@@ -22,11 +22,14 @@ package config
 
 import (
 	"context"
-	"github.com/elastic/elastic-agent-libs/logp"
+	"errors"
+	"fmt"
 	"os"
 	"path/filepath"
 	"time"
 
+	"github.com/elastic/elastic-agent-libs/logp"
+
 	"github.com/elastic/beats/v7/libbeat/processors"
 	"github.com/elastic/beats/v7/x-pack/libbeat/common/aws"
 	"github.com/elastic/elastic-agent-libs/config"
@@ -38,11 +41,7 @@ const DefaultNamespace = "default"
 
 const ResultsDatastreamIndexPrefix = "logs-cloud_security_posture.findings"
 
-const (
-	InputTypeVanillaK8s = "cloudbeat/cis_k8s"
-	InputTypeEks        = "cloudbeat/cis_eks"
-	InputTypeAws        = "cloudbeat/cis_aws"
-)
+var ErrBenchmarkNotSupported = errors.New("benchmark is not supported")
 
 type Fetcher struct {
 	Name string `config:"name"` // Name of the fetcher
@@ -57,6 +56,7 @@ type Config struct {
 	Period     time.Duration           `config:"period"`
 	Processors processors.PluginConfig `config:"processors"`
 	BundlePath string                  `config:"bundle_path"`
+	Benchmark  *string                 `config:"config.v1.benchmark"`
 }
 
 type RuntimeConfig struct {
@@ -79,16 +79,23 @@ func New(cfg *config.C) (*Config, error) {
 		return nil, err
 	}
 
-	if c.RuntimeCfg != nil && c.RuntimeCfg.ActivatedRules != nil && len(c.RuntimeCfg.ActivatedRules.CisEks) > 0 {
-		c.Type = InputTypeEks
+	if c.Benchmark != nil {
+		if !isSupportedBenchmark(*c.Benchmark) {
+			return c, ErrBenchmarkNotSupported
+		}
+		c.Type = buildConfigType(*c.Benchmark)
+	} else {
+		if c.RuntimeCfg != nil && c.RuntimeCfg.ActivatedRules != nil && len(c.RuntimeCfg.ActivatedRules.CisEks) > 0 {
+			c.Type = buildConfigType(CIS_EKS)
+		}
 	}
 	return c, nil
 }
 
 func defaultConfig() (*Config, error) {
 	ret := &Config{
 		Period: 4 * time.Hour,
-		Type:   InputTypeVanillaK8s,
+		Type:   buildConfigType(CIS_K8S),
 	}
 
 	bundle, err := getBundlePath()
@@ -120,3 +127,16 @@ func Datastream(namespace string, indexPrefix string) string {
 type AwsConfigProvider interface {
 	InitializeAWSConfig(ctx context.Context, cfg aws.ConfigAWS, log *logp.Logger) (awssdk.Config, error)
 }
+
+func isSupportedBenchmark(benchmark string) bool {
+	for _, s := range SupportedCIS {
+		if benchmark == s {
+			return true
+		}
+	}
+	return false
+}
+
+func buildConfigType(benchmark string) string {
+	return fmt.Sprintf("cloudbeat/%s", benchmark)
+}

config/config_test.go

@@ -170,6 +170,48 @@ not_runtime_cfg:
 	}
 }
 
+func (s *ConfigTestSuite) TestBenchmarkType() {
+	tests := []struct {
+		config    string
+		expected  string
+		wantError bool
+	}{
+		{
+			`
+config:
+  v1:
+    benchmark: cis_eks
+`,
+			"cis_eks",
+			false,
+		},
+		{
+			`
+config:
+  v1:
+    benchmark: cis_gcp
+`,
+			"",
+			true,
+		},
+	}
+
+	for i, test := range tests {
+		s.Run(fmt.Sprint(i), func() {
+			cfg, err := config.NewConfigFrom(test.config)
+			s.NoError(err)
+
+			c, err := New(cfg)
+			if test.wantError {
+				s.Error(err)
+				return
+			}
+			s.NoError(err)
+			s.Equal(test.expected, *c.Benchmark)
+		})
+	}
+}
+
 func (s *ConfigTestSuite) TestRuntimeConfig() {
 	tests := []struct {
 		config   string

launcher/launcher.go

@@ -21,11 +21,14 @@
 package launcher
 
 import (
+	"errors"
 	"fmt"
 	"sync"
 	"time"
 
 	"github.com/elastic/beats/v7/libbeat/beat"
+	"github.com/elastic/beats/v7/libbeat/management"
+	cloudbeat_config "github.com/elastic/cloudbeat/config"
 	"github.com/elastic/elastic-agent-libs/config"
 	"github.com/elastic/elastic-agent-libs/logp"
 	"github.com/elastic/go-ucfg"
@@ -239,6 +242,9 @@ func (l *launcher) reconfigureWait(timeout time.Duration) (*config.C, error) {
 				err := l.validator.Validate(update)
 				if err != nil {
 					l.log.Errorf("Config update validation failed: %v", err)
+					if errors.Is(err, cloudbeat_config.ErrBenchmarkNotSupported) {
+						l.beat.Manager.UpdateStatus(management.Degraded, cloudbeat_config.ErrBenchmarkNotSupported.Error())
+					}
 					continue
 				}
 			}

resources/fetchersManager/factory.go

@@ -94,7 +94,7 @@ func (fa *factories) parseConfigFetcher(log *logp.Logger, fcfg *agentconfig.C, c
 // This function takes the configuration file provided by the integration the `cfg` file
 // and depending on the input type, extract the relevant credentials and add them to the fetcher config
 func addCredentialsToFetcherConfiguration(log *logp.Logger, cfg *config.Config, fcfg *agentconfig.C) {
-	if cfg.Type == config.InputTypeEks || cfg.Type == config.InputTypeAws {
+	if cfg.Type == config.CIS_EKS || cfg.Type == config.CIS_AWS {
 		err := fcfg.Merge(cfg.AWSConfig)
 		if err != nil {
 			log.Errorf("Failed to merge aws configuration to fetcher configuration: %v", err)

resources/fetchersManager/factory_aws_test.go

@@ -169,7 +169,7 @@ func (s *FactoriesTestSuite) TestRegisterFetchersWithAwsCredentials() {
 
 func createEksAgentConfig(s *FactoriesTestSuite, awsConfig aws.ConfigAWS, fetcherName string) *config.Config {
 	conf := &config.Config{
-		Type:       config.InputTypeEks,
+		Type:       config.CIS_EKS,
 		AWSConfig:  awsConfig,
 		RuntimeCfg: nil,
 		Fetchers:   []*agentconfig.C{agentconfig.MustNewConfigFrom(fmt.Sprint("name: ", fetcherName))},

resources/providers/cluster_provider.go

@@ -20,6 +20,7 @@ package providers
 import (
 	"context"
 	"fmt"
+
 	"github.com/elastic/cloudbeat/config"
 	"github.com/elastic/cloudbeat/resources/providers/awslib"
 	"github.com/elastic/elastic-agent-libs/logp"
@@ -40,9 +41,9 @@ type ClusterNameProvider struct {
 
 func (provider ClusterNameProvider) GetClusterName(ctx context.Context, cfg *config.Config, log *logp.Logger) (string, error) {
 	switch cfg.Type {
-	case config.InputTypeVanillaK8s:
+	case config.CIS_K8S:
 		return provider.KubernetesClusterNameProvider.GetClusterName(cfg, provider.KubeClient)
-	case config.InputTypeEks:
+	case config.CIS_EKS:
 		awsConfig, err := provider.AwsConfigProvider.InitializeAWSConfig(ctx, cfg.AWSConfig, log)
 		if err != nil {
 			return "", fmt.Errorf("failed to initialize aws configuration for identifying the cluster name: %v", err)

resources/providers/cluster_provider_test.go

@@ -19,13 +19,14 @@ package providers
 
 import (
 	"context"
+	"testing"
+
 	awssdk "github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/elastic/beats/v7/x-pack/libbeat/common/aws"
 	"github.com/elastic/cloudbeat/config"
 	"github.com/elastic/cloudbeat/resources/providers/awslib"
 	"github.com/stretchr/testify/mock"
 	k8sfake "k8s.io/client-go/kubernetes/fake"
-	"testing"
 
 	"github.com/elastic/elastic-agent-libs/logp"
 	"github.com/stretchr/testify/suite"
@@ -49,15 +50,15 @@ func TestClusterProviderTestSuite(t *testing.T) {
 }
 
 func (s *ClusterProviderTestSuite) TestGetClusterName() {
-	var tests = []struct {
+	tests := []struct {
 		config              config.Config
 		vanillaClusterName  string
 		eksClusterName      string
 		expectedClusterName string
 	}{
 		{
 			config.Config{
-				Type:       config.InputTypeVanillaK8s,
+				Type:       config.CIS_K8S,
 				KubeConfig: "",
 			},
 			"vanilla-cluster",
@@ -66,7 +67,7 @@ func (s *ClusterProviderTestSuite) TestGetClusterName() {
 		},
 		{
 			config.Config{
-				Type:      config.InputTypeEks,
+				Type:      config.CIS_EKS,
 				AWSConfig: aws.ConfigAWS{},
 			},
 			"vanilla-cluster",