[CloudConnectors] Implement AWS OIDC chain (#3675)

The OIDC role chaining should go through the "Elastic Global Role" and
then assume the remote role.
To do that I extended `AWSRoleChainingStep` to support
`NewWebIdentityRoleProvider`.

Author: amirbenun

internal/config/config.go

@@ -254,6 +254,7 @@ const (
 	CloudConnectorsGlobalRoleEnvVar = "CLOUD_CONNECTORS_GLOBAL_ROLE"
 	CloudResourceIDEnvVar           = "CLOUD_RESOURCE_ID"
 	CloudConnectorsJWTPathEnvVar    = "CLOUD_CONNECTORS_ID_TOKEN_FILE"
+	CloudConnectorsAWSTokenEnvVar   = "AWS_WEB_IDENTITY_TOKEN_FILE"
 )
 
 type CloudConnectorsConfig struct {

internal/flavors/assetinventory/strategy_test.go

@@ -39,37 +39,42 @@ func TestStrategyPicks(t *testing.T) {
 	testCases := []struct {
 		name        string
 		cfg         *config.Config
+		env         map[string]string
 		expectedErr string
 	}{
 		{
-			"expected error: asset_inventory_provider not set",
-			&config.Config{},
-			"missing config.v1.asset_inventory_provider",
+			name:        "expected error: asset_inventory_provider not set",
+			cfg:         &config.Config{},
+			env:         nil,
+			expectedErr: "missing config.v1.asset_inventory_provider",
 		},
 		{
-			"expected error: unsupported provider",
-			&config.Config{
+			name: "expected error: unsupported provider",
+			cfg: &config.Config{
 				AssetInventoryProvider: "NOPE",
 			},
-			"unsupported Asset Inventory provider \"NOPE\"",
+			env:         nil,
+			expectedErr: "unsupported Asset Inventory provider \"NOPE\"",
 		},
 		{
-			"expected success: Azure",
-			&config.Config{
+			name: "expected success: Azure",
+			cfg: &config.Config{
 				AssetInventoryProvider: config.ProviderAzure,
 			},
-			"",
+			env:         nil,
+			expectedErr: "",
 		},
 		{
-			"expected error: GCP missing account type",
-			&config.Config{
+			name: "expected error: GCP missing account type",
+			cfg: &config.Config{
 				AssetInventoryProvider: config.ProviderGCP,
 			},
-			"invalid gcp account type",
+			env:         nil,
+			expectedErr: "invalid gcp account type",
 		},
 		{
-			"expected success: GCP",
-			&config.Config{
+			name: "expected success: GCP",
+			cfg: &config.Config{
 				AssetInventoryProvider: config.ProviderGCP,
 				CloudConfig: config.CloudConfig{
 					Gcp: config.GcpConfig{
@@ -82,23 +87,25 @@ func TestStrategyPicks(t *testing.T) {
 					},
 				},
 			},
-			"could not parse key",
+			env:         nil,
+			expectedErr: "could not parse key",
 		},
 		{
-			"expected error: AWS unsupported account type",
-			&config.Config{
+			name: "expected error: AWS unsupported account type",
+			cfg: &config.Config{
 				AssetInventoryProvider: config.ProviderAWS,
 				CloudConfig: config.CloudConfig{
 					Aws: config.AwsConfig{
 						AccountType: "NOPE",
 					},
 				},
 			},
-			"unsupported account_type: \"NOPE\"",
+			env:         nil,
+			expectedErr: "unsupported account_type: \"NOPE\"",
 		},
 		{
-			"expected success: AWS",
-			&config.Config{
+			name: "expected success: AWS",
+			cfg: &config.Config{
 				AssetInventoryProvider: config.ProviderAWS,
 				CloudConfig: config.CloudConfig{
 					Aws: config.AwsConfig{
@@ -110,11 +117,12 @@ func TestStrategyPicks(t *testing.T) {
 					},
 				},
 			},
-			"STS: GetCallerIdentity",
+			env:         nil,
+			expectedErr: "STS: GetCallerIdentity",
 		},
 		{
-			"expected success: AWS with cloud connectors",
-			&config.Config{
+			name: "expected success: AWS with cloud connectors",
+			cfg: &config.Config{
 				AssetInventoryProvider: config.ProviderAWS,
 				CloudConfig: config.CloudConfig{
 					Aws: config.AwsConfig{
@@ -132,12 +140,19 @@ func TestStrategyPicks(t *testing.T) {
 					},
 				},
 			},
-			"STS: GetCallerIdentity",
+			env: map[string]string{
+				"AWS_WEB_IDENTITY_TOKEN_FILE": "/tmp/fake-token-file",
+				"AWS_ROLE_ARN":                "arn:aws:iam::123456789012:role/test-local-role",
+			},
+			expectedErr: "STS: GetCallerIdentity",
 		},
 	}
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+			for k, v := range tc.env {
+				t.Setenv(k, v)
+			}
 			s := strategy{
 				logger: testhelper.NewLogger(t),
 				cfg:    tc.cfg,

internal/flavors/benchmark/aws_test.go

@@ -40,6 +40,7 @@ func TestAWS_Initialize(t *testing.T) {
 
 	tests := []struct {
 		name             string
+		envsVars         map[string]string
 		identityProvider awslib.IdentityProviderGetter
 		cfg              config.Config
 		want             []string
@@ -69,7 +70,12 @@ func TestAWS_Initialize(t *testing.T) {
 			},
 		},
 		{
-			name: "cloud connectors",
+			name: "cloud connectors irsa",
+			envsVars: map[string]string{
+				config.CloudConnectorsAWSTokenEnvVar: "/abc",
+				"AWS_REGION":                         "eu-west-1",
+				"AWS_ROLE_ARN":                       "arn:aws:iam::111111111111:role/localrole",
+			},
 			cfg: config.Config{
 				Benchmark: "cis_aws",
 				CloudConfig: config.CloudConfig{
@@ -113,6 +119,51 @@ func TestAWS_Initialize(t *testing.T) {
 				fetching.S3Type,
 			},
 		},
+		{
+			name:     "cloud connectors id token",
+			envsVars: map[string]string{config.CloudConnectorsJWTPathEnvVar: "/abc"},
+			cfg: config.Config{
+				Benchmark: "cis_aws",
+				CloudConfig: config.CloudConfig{
+					Aws: config.AwsConfig{
+						AccountType:     config.SingleAccount,
+						Cred:            libbeataws.ConfigAWS{},
+						CloudConnectors: true,
+						CloudConnectorsConfig: config.CloudConnectorsConfig{
+							GlobalRoleARN: "abc456",
+							ResourceID:    "abc789",
+						},
+					},
+				},
+			},
+			identityProvider: func() awslib.IdentityProviderGetter {
+				cfgMatcher := mock.MatchedBy(func(cfg aws.Config) bool {
+					c, is := cfg.Credentials.(*aws.CredentialsCache)
+					if !is {
+						return false
+					}
+					return c.IsCredentialsProvider(&stscreds.AssumeRoleProvider{})
+				})
+				identityProvider := &awslib.MockIdentityProviderGetter{}
+				identityProvider.EXPECT().GetIdentity(mock.Anything, cfgMatcher).Return(
+					&cloud.Identity{
+						Account: "test-account",
+					},
+					nil,
+				)
+
+				return identityProvider
+			}(),
+			want: []string{
+				fetching.IAMType,
+				fetching.KmsType,
+				fetching.TrailType,
+				fetching.AwsMonitoringType,
+				fetching.EC2NetworkingType,
+				fetching.RdsType,
+				fetching.S3Type,
+			},
+		},
 		{
 			name: "no credential cache in non cloud connectors setup",
 			cfg: config.Config{
@@ -156,7 +207,10 @@ func TestAWS_Initialize(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
+			// t.Parallel() // cannot be used with t.Setenv
+			for k, v := range tt.envsVars {
+				t.Setenv(k, v)
+			}
 
 			testInitialize(t, &AWS{
 				IdentityProvider: tt.identityProvider,

internal/flavors/benchmark/strategy_test.go

@@ -115,6 +115,7 @@ func testInitialize(t *testing.T, s benchInit, cfg *config.Config, wantErr strin
 		require.ErrorContains(t, err, wantErr)
 		return
 	}
+
 	reg.Update(t.Context())
 	defer reg.Stop()