feat: Add table_options support for aws_securityhub_findings table (#11955)

VictorCovalski · web-flow · commit c9eff1252fb2 · 2023-07-05T21:27:41.000Z
#### Summary
This PR adds support for `table_options` for the table `aws_securityhub_findings`. This allows users to specify filters before fetching findings from Security Hub.

&lt;!--
diff --git a/plugins/source/aws/client/tableoptions/securityhub.go b/plugins/source/aws/client/tableoptions/securityhub.go
@@ -0,0 +1,59 @@
+package tableoptions
+
+import (
+	"encoding/json"
+	"errors"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/securityhub"
+	"github.com/cloudquery/plugin-sdk/v3/caser"
+)
+
+type SecurityHubAPIs struct {
+	GetFindingsOpts []CustomGetFindingsOpts `json:"get_findings,omitempty"`
+}
+
+type CustomGetFindingsOpts struct {
+	securityhub.GetFindingsInput
+}
+
+// UnmarshalJSON implements the json.Unmarshaler interface for the CustomGetFindingsOpts type.
+// It is the same as default, but allows the use of underscore in the JSON field names.
+func (s *CustomGetFindingsOpts) UnmarshalJSON(data []byte) error {
+	m := map[string]any{}
+	err := json.Unmarshal(data, &m)
+	if err != nil {
+		return err
+	}
+	csr := caser.New()
+	changeCaseForObject(m, csr.ToPascal)
+	b, _ := json.Marshal(m)
+	return json.Unmarshal(b, &s.GetFindingsInput)
+}
+
+func (s *SecurityHubAPIs) validateGetFindingEvent() error {
+	for _, opt := range s.GetFindingsOpts {
+		if aws.ToString(opt.NextToken) != "" {
+			return errors.New("invalid input: cannot set NextToken in GetFindings")
+		}
+
+		// As per https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetFindings.html#API_GetFindings_RequestSyntax
+		if opt.MaxResults < 1 || opt.MaxResults > 100 {
+			return errors.New("invalid range: MaxResults must be within range [1-100]")
+		}
+	}
+	return nil
+}
+
+func (s *SecurityHubAPIs) setDefaults() {
+	for i := 0; i < len(s.GetFindingsOpts); i++ {
+		if s.GetFindingsOpts[i].MaxResults == 0 {
+			s.GetFindingsOpts[i].MaxResults = 100
+		}
+	}
+}
+
+func (s *SecurityHubAPIs) Validate() error {
+	s.setDefaults()
+	return s.validateGetFindingEvent()
+}
diff --git a/plugins/source/aws/client/tableoptions/securityhub_test.go b/plugins/source/aws/client/tableoptions/securityhub_test.go
@@ -0,0 +1,25 @@
+package tableoptions
+
+import (
+	"testing"
+
+	"github.com/cloudquery/plugin-sdk/v3/faker"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestGetFindings(t *testing.T) {
+	u := CustomGetFindingsOpts{}
+	require.NoError(t, faker.FakeObject(&u))
+	api := SecurityHubAPIs{
+		GetFindingsOpts: []CustomGetFindingsOpts{u},
+	}
+	// Ensure that the validation works as expected
+	err := api.Validate()
+	assert.EqualError(t, err, "invalid input: cannot set NextToken in GetFindings")
+
+	// Ensure that as soon as the validation passes that there are no unexpected empty or nil fields
+	api.GetFindingsOpts[0].NextToken = nil
+	err = api.Validate()
+	assert.EqualError(t, err, "invalid range: MaxResults must be within range [1-100]")
+}
diff --git a/plugins/source/aws/client/tableoptions/table_options.go b/plugins/source/aws/client/tableoptions/table_options.go
@@ -12,6 +12,7 @@ type TableOptions struct {
 	AccessAnalyzerFindings *AccessanalyzerFindings `json:"aws_accessanalyzer_analyzer_findings,omitempty"`
 	Inspector2Findings     *Inspector2APIs         `json:"aws_inspector2_findings,omitempty"`
 	CustomCostExplorer     *CostExplorerAPIs       `json:"aws_alpha_costexplorer_cost_custom,omitempty"`
+	SecurityHubFindings    *SecurityHubAPIs        `json:"aws_securityhub_findings,omitempty"`
 }
 
 func (t TableOptions) Validate() error {
diff --git a/plugins/source/aws/client/tableoptions/table_options_test.go b/plugins/source/aws/client/tableoptions/table_options_test.go
@@ -15,6 +15,8 @@ import (
 	costexplorertypes "github.com/aws/aws-sdk-go-v2/service/costexplorer/types"
 	"github.com/aws/aws-sdk-go-v2/service/inspector2"
 	inspector2types "github.com/aws/aws-sdk-go-v2/service/inspector2/types"
+	"github.com/aws/aws-sdk-go-v2/service/securityhub"
+	securityhubtypes "github.com/aws/aws-sdk-go-v2/service/securityhub/types"
 	"github.com/stretchr/testify/require"
 
 	"github.com/cloudquery/plugin-sdk/v3/caser"
@@ -108,6 +110,16 @@ func TestTableOptionsUnmarshal(t *testing.T) {
 		costexplorertypes.TagValues{},
 		costexplorertypes.GroupDefinition{},
 		costexplorer.GetCostAndUsageInput{},
+		securityhub.GetFindingsInput{},
+		securityhubtypes.AwsSecurityFindingFilters{},
+		securityhubtypes.StringFilter{},
+		securityhubtypes.NumberFilter{},
+		securityhubtypes.DateFilter{},
+		securityhubtypes.KeywordFilter{},
+		securityhubtypes.MapFilter{},
+		securityhubtypes.IpFilter{},
+		securityhubtypes.BooleanFilter{},
+		securityhubtypes.SortCriterion{},
 	)); diff != "" {
 		t.Fatalf("mismatch between objects after loading from snake case json: %v", diff)
 	}
diff --git a/plugins/source/aws/resources/services/securityhub/findings.go b/plugins/source/aws/resources/services/securityhub/findings.go
@@ -7,6 +7,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/securityhub"
 	"github.com/aws/aws-sdk-go-v2/service/securityhub/types"
 	"github.com/cloudquery/cloudquery/plugins/source/aws/client"
+	"github.com/cloudquery/cloudquery/plugins/source/aws/client/tableoptions"
 	"github.com/cloudquery/plugin-sdk/v3/schema"
 	"github.com/cloudquery/plugin-sdk/v3/transformers"
 )
@@ -44,19 +45,29 @@ This is useful when multi region and account aggregation is enabled.`,
 
 func fetchFindings(ctx context.Context, meta schema.ClientMeta, parent *schema.Resource, res chan<- any) error {
 	cl := meta.(*client.Client)
-	svc := cl.Services().Securityhub
-	config := securityhub.GetFindingsInput{
-		MaxResults: 100,
+	var allConfigs []tableoptions.CustomGetFindingsOpts
+
+	if cl.Spec.TableOptions.SecurityHubFindings != nil && cl.Spec.TableOptions.SecurityHubFindings.GetFindingsOpts != nil {
+		allConfigs = cl.Spec.TableOptions.SecurityHubFindings.GetFindingsOpts
+	} else {
+		allConfigs = []tableoptions.CustomGetFindingsOpts{{GetFindingsInput: securityhub.GetFindingsInput{MaxResults: 100}}}
 	}
-	p := securityhub.NewGetFindingsPaginator(svc, &config)
-	for p.HasMorePages() {
-		response, err := p.NextPage(ctx, func(o *securityhub.Options) {
-			o.Region = cl.Region
-		})
-		if err != nil {
-			return err
+
+	svc := cl.Services().Securityhub
+
+	var config securityhub.GetFindingsInput
+	for _, w := range allConfigs {
+		config = w.GetFindingsInput
+		p := securityhub.NewGetFindingsPaginator(svc, &config)
+		for p.HasMorePages() {
+			response, err := p.NextPage(ctx, func(o *securityhub.Options) {
+				o.Region = cl.Region
+			})
+			if err != nil {
+				return err
+			}
+			res <- response.Findings
 		}
-		res <- response.Findings
 	}
 	return nil
 }
diff --git a/website/pages/docs/plugins/sources/aws/configuration.md b/website/pages/docs/plugins/sources/aws/configuration.md
@@ -157,6 +157,9 @@ This is the (nested) spec used by the AWS source plugin.
     aws_inspector2_findings:
       list_findings:
         - <[ListFindings](https://docs.aws.amazon.com/inspector/v2/APIReference/API_ListFindings.html)>
+    aws_securityhub_findings:
+      get_findings:
+        - <[GetFindings](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetFindings.html)>
   ```
 
 

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@ type TableOptions struct {`
`12`	`12`	AccessAnalyzerFindings *AccessanalyzerFindings `json:"aws_accessanalyzer_analyzer_findings,omitempty"`
`13`	`13`	Inspector2Findings *Inspector2APIs `json:"aws_inspector2_findings,omitempty"`
`14`	`14`	CustomCostExplorer *CostExplorerAPIs `json:"aws_alpha_costexplorer_cost_custom,omitempty"`
	`15`	+ SecurityHubFindings *SecurityHubAPIs `json:"aws_securityhub_findings,omitempty"`
`15`	`16`	`}`
`16`	`17`
`17`	`18`	`func (t TableOptions) Validate() error {`