[CWS Agent] Moving SecAgent subcommands to new dir part 2 (#14915)

* moving flare command to subcommands dir

* consolidating and moving secagent config package

* moving runtime to subcommands dir

* moved check subcommand, updated compliance subcommand which is the entry point to check funcs

* moving compliance cmd to subcommand dir

* exporting CliParams and RunCheck in Check subcommand for Compliance tests

* fixing cluster agent entry point into the check subcommand

cmd/cluster-agent/app/compliance_cmd.go

@@ -11,7 +11,7 @@ package app
 import (
 	"github.com/spf13/cobra"
 
-	"github.com/DataDog/datadog-agent/cmd/security-agent/app/subcommands/check"
+	"github.com/DataDog/datadog-agent/cmd/security-agent/subcommands/check"
 	"github.com/DataDog/datadog-agent/comp/core"
 	"github.com/DataDog/datadog-agent/comp/core/config"
 	"github.com/DataDog/datadog-agent/comp/core/log"
@@ -34,6 +34,7 @@ func init() {
 		LogParams: log.LogForOneShot(string(loggerName), "off", true),
 	}
 
-	complianceCmd.AddCommand(check.Commands(bundleParams)...)
+	// TODO: The SecAgent Check package should be a component
+	complianceCmd.AddCommand(check.CommandsWrapped(bundleParams)...)
 	ClusterAgentCmd.AddCommand(complianceCmd)
 }

cmd/security-agent/app/app.go

@@ -9,7 +9,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"github.com/DataDog/datadog-agent/cmd/security-agent/command"
 	"net/http"
 	"os"
 	"path"
@@ -25,15 +24,17 @@ import (
 	commonagent "github.com/DataDog/datadog-agent/cmd/agent/common"
 	"github.com/DataDog/datadog-agent/cmd/manager"
 	"github.com/DataDog/datadog-agent/cmd/security-agent/api"
-	"github.com/DataDog/datadog-agent/cmd/security-agent/app/subcommands/compliance"
-	subconfig "github.com/DataDog/datadog-agent/cmd/security-agent/app/subcommands/config"
-	"github.com/DataDog/datadog-agent/cmd/security-agent/app/subcommands/flare"
-	"github.com/DataDog/datadog-agent/cmd/security-agent/app/subcommands/runtime"
+	"github.com/DataDog/datadog-agent/cmd/security-agent/command"
 	"github.com/DataDog/datadog-agent/cmd/security-agent/flags"
+	"github.com/DataDog/datadog-agent/cmd/security-agent/subcommands/compliance"
+	subconfig "github.com/DataDog/datadog-agent/cmd/security-agent/subcommands/config"
+	"github.com/DataDog/datadog-agent/cmd/security-agent/subcommands/flare"
+	"github.com/DataDog/datadog-agent/cmd/security-agent/subcommands/runtime"
 	"github.com/DataDog/datadog-agent/cmd/security-agent/subcommands/status"
 	"github.com/DataDog/datadog-agent/cmd/security-agent/subcommands/version"
 	compconfig "github.com/DataDog/datadog-agent/comp/core/config"
 	"github.com/DataDog/datadog-agent/pkg/aggregator"
+	coreconfig "github.com/DataDog/datadog-agent/pkg/config"
 	"github.com/DataDog/datadog-agent/pkg/config/resolver"
 	"github.com/DataDog/datadog-agent/pkg/config/settings"
 	"github.com/DataDog/datadog-agent/pkg/forwarder"
@@ -50,8 +51,6 @@ import (
 	pkgversion "github.com/DataDog/datadog-agent/pkg/version"
 	"github.com/DataDog/datadog-agent/pkg/workloadmeta"
 	ddgostatsd "github.com/DataDog/datadog-go/v5/statsd"
-
-	coreconfig "github.com/DataDog/datadog-agent/pkg/config"
 )
 
 const (

cmd/security-agent/app/subcommands/check/command.go → cmd/security-agent/subcommands/check/command.go

@@ -11,14 +11,14 @@ package check
 import (
 	"context"
 	"errors"
-	"github.com/DataDog/datadog-agent/cmd/security-agent/command"
-	"github.com/DataDog/datadog-agent/cmd/security-agent/flags"
 	"os"
 	"time"
 
 	"github.com/spf13/cobra"
 	"go.uber.org/fx"
 
+	"github.com/DataDog/datadog-agent/cmd/security-agent/command"
+	"github.com/DataDog/datadog-agent/cmd/security-agent/flags"
 	"github.com/DataDog/datadog-agent/comp/core"
 	"github.com/DataDog/datadog-agent/comp/core/config"
 	"github.com/DataDog/datadog-agent/comp/core/log"
@@ -31,7 +31,10 @@ import (
 	"github.com/DataDog/datadog-agent/pkg/util/startstop"
 )
 
-type checkCliParams struct {
+// CliParams needs to be exported because the compliance subcommand is tightly coupled to this subcommand and tests need to be able to access this type.
+type CliParams struct {
+	*command.GlobalParams
+
 	args []string
 
 	framework         string
@@ -44,16 +47,19 @@ type checkCliParams struct {
 	skipRegoEval      bool
 }
 
-func SecAgentCommands(globalParams *command.GlobalParams) []*cobra.Command {
-	bp := core.BundleParams{
+// Commands returns a cobra command to run security agent checks
+func Commands(globalParams *command.GlobalParams) []*cobra.Command {
+	bundleParams := core.BundleParams{
 		ConfigParams: config.NewSecurityAgentParams(globalParams.ConfigFilePaths),
-		LogParams:    log.LogForOneShot(command.LoggerName, "info", true)}
-	return Commands(bp)
+		LogParams:    log.LogForOneShot(command.LoggerName, "info", true),
+	}
+
+	return CommandsWrapped(bundleParams)
 }
 
-// Commands returns a cobra command to run security agent checks
-func Commands(bundleParams core.BundleParams) []*cobra.Command {
-	checkArgs := &checkCliParams{}
+// CommandsWrapped exists to allow for an entry point from the Cluster-Agent. We should remove this and refactor once Check becomes a component that both the Cluster Agent and the Security Agent can use.
+func CommandsWrapped(bundleParams core.BundleParams) []*cobra.Command {
+	checkArgs := &CliParams{}
 
 	cmd := &cobra.Command{
 		Use:   "check",
@@ -65,7 +71,7 @@ func Commands(bundleParams core.BundleParams) []*cobra.Command {
 				bundleParams.LogParams = log.LogForOneShot(bundleParams.LogParams.LoggerName(), "trace", true)
 			}
 
-			return fxutil.OneShot(runCheck,
+			return fxutil.OneShot(RunCheck,
 				fx.Supply(checkArgs),
 				fx.Supply(bundleParams),
 				core.Bundle,
@@ -85,7 +91,7 @@ func Commands(bundleParams core.BundleParams) []*cobra.Command {
 	return []*cobra.Command{cmd}
 }
 
-func runCheck(log log.Component, config config.Component, checkArgs *checkCliParams) error {
+func RunCheck(log log.Component, config config.Component, checkArgs *CliParams) error {
 	if checkArgs.skipRegoEval && checkArgs.dumpReports != "" {
 		return errors.New("skipping the rego evaluation does not allow the generation of reports")
 	}

cmd/security-agent/subcommands/check/command_test.go

@@ -0,0 +1,53 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+//go:build !windows && kubeapiserver
+// +build !windows,kubeapiserver
+
+package check
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/DataDog/datadog-agent/cmd/security-agent/command"
+	"github.com/DataDog/datadog-agent/comp/core"
+	"github.com/DataDog/datadog-agent/pkg/util/fxutil"
+)
+
+func TestCommands(t *testing.T) {
+	tests := []struct {
+		name     string
+		cliInput []string
+		check    func(cliParams *CliParams, params core.BundleParams)
+	}{
+		{
+			name:     "check",
+			cliInput: []string{"check"},
+			check: func(cliParams *CliParams, params core.BundleParams) {
+				require.Equal(t, command.LoggerName, params.LoggerName(), "logger name not matching")
+				require.Equal(t, "info", params.LogLevelFn(nil), "params.LogLevelFn not matching")
+			},
+		},
+		{
+			name:     "verbose",
+			cliInput: []string{"check", "--verbose"},
+			check: func(cliParams *CliParams, params core.BundleParams) {
+				require.Equal(t, command.LoggerName, params.LoggerName(), "logger name not matching")
+				require.Equal(t, "trace", params.LogLevelFn(nil), "params.LogLevelFn not matching")
+			},
+		},
+	}
+
+	for _, test := range tests {
+		fxutil.TestOneShotSubcommand(t,
+			Commands(&command.GlobalParams{}),
+			test.cliInput,
+			RunCheck,
+			test.check,
+		)
+	}
+}

cmd/security-agent/app/subcommands/check/command_unsupported.go → cmd/security-agent/subcommands/check/command_unsupported.go

@@ -12,6 +12,6 @@ import (
 	"github.com/spf13/cobra"
 )
 
-func SecAgentCommands(globalParams *command.GlobalParams) []*cobra.Command {
+func Commands(globalParams *command.GlobalParams) []*cobra.Command {
 	return nil
 }

cmd/security-agent/app/subcommands/compliance/command.go → cmd/security-agent/subcommands/compliance/command.go

@@ -15,7 +15,7 @@ import (
 	"github.com/spf13/cobra"
 	"go.uber.org/fx"
 
-	"github.com/DataDog/datadog-agent/cmd/security-agent/app/subcommands/check"
+	"github.com/DataDog/datadog-agent/cmd/security-agent/subcommands/check"
 	"github.com/DataDog/datadog-agent/comp/core"
 	"github.com/DataDog/datadog-agent/comp/core/config"
 	compconfig "github.com/DataDog/datadog-agent/comp/core/config"
@@ -34,12 +34,12 @@ func Commands(globalParams *command.GlobalParams) []*cobra.Command {
 	}
 
 	complianceCmd.AddCommand(complianceEventCommand(globalParams))
-	complianceCmd.AddCommand(check.SecAgentCommands(globalParams)...)
+	complianceCmd.AddCommand(check.Commands(globalParams)...)
 
 	return []*cobra.Command{complianceCmd}
 }
 
-type eventCliParams struct {
+type cliParams struct {
 	*command.GlobalParams
 
 	sourceName string
@@ -49,7 +49,7 @@ type eventCliParams struct {
 }
 
 func complianceEventCommand(globalParams *command.GlobalParams) *cobra.Command {
-	eventArgs := &eventCliParams{
+	eventArgs := &cliParams{
 		GlobalParams: globalParams,
 	}
 
@@ -61,7 +61,8 @@ func complianceEventCommand(globalParams *command.GlobalParams) *cobra.Command {
 				fx.Supply(eventArgs),
 				fx.Supply(core.BundleParams{
 					ConfigParams: config.NewSecurityAgentParams(globalParams.ConfigFilePaths),
-					LogParams:    log.LogForOneShot(command.LoggerName, "info", true)}),
+					LogParams:    log.LogForOneShot(command.LoggerName, "info", true),
+				}),
 				core.Bundle,
 			)
 		},
@@ -79,7 +80,7 @@ func complianceEventCommand(globalParams *command.GlobalParams) *cobra.Command {
 	return eventCmd
 }
 
-func eventRun(log complog.Component, config compconfig.Component, eventArgs *eventCliParams) error {
+func eventRun(log complog.Component, config compconfig.Component, eventArgs *cliParams) error {
 	stopper := startstop.NewSerialStopper()
 	defer stopper.Stop()
 

cmd/security-agent/subcommands/compliance/command_kubeapiserver_test.go

@@ -0,0 +1,93 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+//go:build !windows && kubeapiserver
+// +build !windows,kubeapiserver
+
+package compliance
+
+import (
+	"github.com/DataDog/datadog-agent/cmd/security-agent/subcommands/check"
+	"github.com/DataDog/datadog-agent/pkg/util/fxutil"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/DataDog/datadog-agent/cmd/security-agent/command"
+	"github.com/DataDog/datadog-agent/comp/core"
+)
+
+// This test suite requires build flags because the check child command requires them.
+// go test ./cmd/security-agent/subcommands/compliance --tags=\!windows,kubeapiserver
+
+// TestCheckSubcommand ultimately uses the check package, so its dependencies are different from the event subcommand
+func TestCheckSubcommand(t *testing.T) {
+	tests := []struct {
+		name     string
+		cliInput []string
+		check    func(cliParams *check.CliParams, params core.BundleParams)
+	}{
+		{
+			name:     "compliance check",
+			cliInput: []string{"compliance", "check"},
+			check: func(cliParams *check.CliParams, params core.BundleParams) {
+				require.Equal(t, command.LoggerName, params.LoggerName(), "logger name not matching")
+				require.Equal(t, "info", params.LogLevelFn(nil), "params.LogLevelFn not matching")
+			},
+		},
+		{
+			name:     "compliance check verbose",
+			cliInput: []string{"compliance", "check", "--verbose"},
+			check: func(cliParams *check.CliParams, params core.BundleParams) {
+				require.Equal(t, command.LoggerName, params.LoggerName(), "logger name not matching")
+				require.Equal(t, "trace", params.LogLevelFn(nil), "params.LogLevelFn not matching")
+			},
+		},
+	}
+
+	for _, test := range tests {
+		fxutil.TestOneShotSubcommand(t,
+			Commands(&command.GlobalParams{}),
+			test.cliInput,
+			check.RunCheck,
+			test.check,
+		)
+	}
+}
+
+func TestCommand_kubeapiserver(t *testing.T) {
+	tests := []struct {
+		name     string
+		cliInput []string
+		check    func(cliParams *cliParams, params core.BundleParams)
+	}{
+		{
+			name:     "compliance event tags",
+			cliInput: []string{"compliance", "event", "--tags", "test:tag"},
+			check: func(cliParams *cliParams, params core.BundleParams) {
+				require.Equal(t, command.LoggerName, params.LoggerName(), "logger name not matching")
+				require.Equal(t, "info", params.LogLevelFn(nil), "params.LogLevelFn not matching")
+				require.Equal(t, []string{"test:tag"}, cliParams.event.Tags, "tags arg input not matching")
+			},
+		},
+	}
+
+	for _, test := range tests {
+		rootCommand := Commands(&command.GlobalParams{})[0]
+
+		var subcommandNames []string
+		for _, subcommand := range rootCommand.Commands() {
+			subcommandNames = append(subcommandNames, subcommand.Use)
+		}
+		require.Equal(t, []string{"check", "event"}, subcommandNames, "subcommand missing")
+
+		fxutil.TestOneShotSubcommand(t,
+			Commands(&command.GlobalParams{}),
+			test.cliInput,
+			eventRun,
+			test.check,
+		)
+	}
+}