[AGTMETRICS-179]Validate all API keys given to the forwarder also come with a config path (#36193)

Author: StephenWakely

comp/aggregator/demultiplexer/demultiplexerimpl/test_agent_demultiplexer.go

@@ -183,7 +183,7 @@ func initTestAgentDemultiplexerWithFlushInterval(log log.Component, hostname hos
 	opts.DontStartForwarders = true
 	opts.EnableNoAggregationPipeline = true
 
-	sharedForwarderOptions := defaultforwarder.NewOptions(pkgconfigsetup.Datadog(), log, nil)
+	sharedForwarderOptions, _ := defaultforwarder.NewOptions(pkgconfigsetup.Datadog(), log, nil)
 	sharedForwarder := defaultforwarder.NewDefaultForwarder(pkgconfigsetup.Datadog(), log, sharedForwarderOptions)
 
 	orchestratorForwarder := option.New[defaultforwarder.Forwarder](defaultforwarder.NoopForwarder{})

comp/aggregator/diagnosesendermanager/diagnosesendermanagerimpl/sendermanager.go

@@ -74,7 +74,11 @@ func (sender *diagnoseSenderManager) LazyGetSenderManager() (sender.SenderManage
 	log := sender.deps.Log
 	config := sender.deps.Config
 	haAgent := sender.deps.HaAgent
-	forwarder := defaultforwarder.NewDefaultForwarder(config, log, defaultforwarder.NewOptions(config, log, nil))
+	options, err := defaultforwarder.NewOptions(config, log, nil)
+	if err != nil {
+		return nil, err
+	}
+	forwarder := defaultforwarder.NewDefaultForwarder(config, log, options)
 	orchestratorForwarder := option.NewPtr[defaultforwarder.Forwarder](defaultforwarder.NoopForwarder{})
 	eventPlatformForwarder := option.NewPtr[eventplatform.Forwarder](eventplatformimpl.NewNoopEventPlatformForwarder(sender.deps.Hostname, sender.deps.LogsCompressor))
 	senderManager = aggregator.InitAndStartAgentDemultiplexer(

comp/forwarder/defaultforwarder/default_forwarder.go

@@ -121,24 +121,31 @@ func ToggleFeature(features, flag Features) Features { return features ^ flag }
 func HasFeature(features, flag Features) bool { return features&flag != 0 }
 
 // NewOptions creates new Options with default values
-func NewOptions(config config.Component, log log.Component, keysPerDomain map[string][]utils.APIKeys) *Options {
+func NewOptions(config config.Component, log log.Component, keysPerDomain map[string][]utils.APIKeys) (*Options, error) {
+
+	resolvers, err := pkgresolver.NewSingleDomainResolvers(keysPerDomain)
+	if err != nil {
+		return nil, err
+	}
 
-	resolvers := pkgresolver.NewSingleDomainResolvers(keysPerDomain)
 	vectorMetricsURL, err := pkgconfigsetup.GetObsPipelineURL(pkgconfigsetup.Metrics, config)
 	if err != nil {
 		log.Error("Misconfiguration of agent observability_pipelines_worker endpoint for metrics: ", err)
 	}
 	if r, ok := resolvers[utils.GetInfraEndpoint(config)]; ok && vectorMetricsURL != "" {
 		log.Debugf("Configuring forwarder to send metrics to observability_pipelines_worker: %s", vectorMetricsURL)
-
-		resolvers[utils.GetInfraEndpoint(config)] = pkgresolver.NewDomainResolverWithMetricToVector(
+		resolver, err := pkgresolver.NewDomainResolverWithMetricToVector(
 			r.GetBaseDomain(),
 			r.GetAPIKeysInfo(),
 			vectorMetricsURL,
 		)
+		if err != nil {
+			return nil, err
+		}
+		resolvers[utils.GetInfraEndpoint(config)] = resolver
 	}
 
-	return NewOptionsWithResolvers(config, log, resolvers)
+	return NewOptionsWithResolvers(config, log, resolvers), nil
 }
 
 // NewOptionsWithResolvers creates new Options with default values

comp/forwarder/defaultforwarder/default_forwarder_test.go

@@ -41,7 +41,8 @@ func TestDefaultForwarderUpdateAPIKey(t *testing.T) {
 			utils.NewAPIKeys("additional_endpoints", "api_key3"),
 		},
 	}
-	forwarderOptions := NewOptions(mockConfig, log, keysPerDomains)
+	forwarderOptions, err := NewOptions(mockConfig, log, keysPerDomains)
+	require.NoError(t, err)
 	forwarder := NewDefaultForwarder(mockConfig, log, forwarderOptions)
 
 	// API keys from the domain resolvers match
@@ -78,7 +79,8 @@ func TestDefaultForwarderUpdateAdditionalEndpointAPIKey(t *testing.T) {
 			utils.NewAPIKeys("additional_endpoints", "api_key3"),
 		},
 	}
-	forwarderOptions := NewOptions(mockConfig, log, keysPerDomains)
+	forwarderOptions, err := NewOptions(mockConfig, log, keysPerDomains)
+	require.NoError(t, err)
 	forwarder := NewDefaultForwarder(mockConfig, log, forwarderOptions)
 
 	// API keys from the domain resolvers match

comp/forwarder/defaultforwarder/forwarder.go

@@ -7,6 +7,7 @@ package defaultforwarder
 
 import (
 	"context"
+	"fmt"
 	"strings"
 
 	"go.uber.org/fx"
@@ -34,29 +35,42 @@ type provides struct {
 	StatusProvider status.InformationProvider
 }
 
-func newForwarder(dep dependencies) provides {
+func newForwarder(dep dependencies) (provides, error) {
 	if dep.Params.useNoopForwarder {
 		return provides{
 			Comp: NoopForwarder{},
-		}
+		}, nil
 	}
 
-	options := createOptions(dep.Params, dep.Config, dep.Log)
+	options, err := createOptions(dep.Params, dep.Config, dep.Log)
+	if err != nil {
+		return provides{}, err
+	}
 
-	return NewForwarder(dep.Config, dep.Log, dep.Lc, true, options)
+	return NewForwarder(dep.Config, dep.Log, dep.Lc, true, options), nil
 }
 
-func createOptions(params Params, config config.Component, log log.Component) *Options {
+func createOptions(params Params, config config.Component, log log.Component) (*Options, error) {
 	var options *Options
 	keysPerDomain, err := utils.GetMultipleEndpoints(config)
 	if err != nil {
 		log.Error("Misconfiguration of agent endpoints: ", err)
+		return nil, fmt.Errorf("Misconfiguration of agent endpoints: %s", err)
 	}
 
 	if !params.withResolver {
-		options = NewOptions(config, log, keysPerDomain)
+		options, err = NewOptions(config, log, keysPerDomain)
+		if err != nil {
+			log.Error("Error creating forwarder options: ", err)
+			return nil, fmt.Errorf("Error creating forwarder options: %s", err)
+		}
 	} else {
-		options = NewOptionsWithResolvers(config, log, resolver.NewSingleDomainResolvers(keysPerDomain))
+		r, err := resolver.NewSingleDomainResolvers(keysPerDomain)
+		if err != nil {
+			log.Error("Error creating resolver: ", err)
+			return nil, fmt.Errorf("Error creating resolver: %s", err)
+		}
+		options = NewOptionsWithResolvers(config, log, r)
 	}
 	// Override the DisableAPIKeyChecking only if WithFeatures was called
 	if disableAPIKeyChecking, ok := params.disableAPIKeyCheckingOverride.Get(); ok {
@@ -72,7 +86,7 @@ func createOptions(params Params, config config.Component, log log.Component) *O
 		}
 		log.Infof("domain '%s' has %d keys: %s", resolver.GetBaseDomain(), len(scrubbedKeys), strings.Join(scrubbedKeys, ", "))
 	}
-	return options
+	return options, nil
 }
 
 // NewForwarder returns a new forwarder component.
@@ -98,7 +112,8 @@ func NewForwarder(config config.Component, log log.Component, lc fx.Lifecycle, i
 }
 
 func newMockForwarder(config config.Component, log log.Component) provides {
+	options, _ := NewOptions(config, log, nil)
 	return provides{
-		Comp: NewDefaultForwarder(config, log, NewOptions(config, log, nil)),
+		Comp: NewDefaultForwarder(config, log, options),
 	}
 }

comp/forwarder/defaultforwarder/forwarder_health_test.go

@@ -16,6 +16,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 
 	"github.com/DataDog/datadog-agent/comp/core/config"
 	logmock "github.com/DataDog/datadog-agent/comp/core/log/mock"
@@ -35,16 +36,18 @@ func TestCheckValidAPIKey(t *testing.T) {
 
 	keysPerDomains := map[string][]utils.APIKeys{
 		ts1.URL: {
-			utils.NewAPIKeys("", "api_key1"),
-			utils.NewAPIKeys("", "api_key2"),
+			utils.NewAPIKeys("path", "api_key1"),
+			utils.NewAPIKeys("path", "api_key2"),
 		},
 		ts2.URL: {
-			utils.NewAPIKeys("", "key3"),
+			utils.NewAPIKeys("path", "key3"),
 		},
 	}
 	log := logmock.New(t)
 	cfg := config.NewMock(t)
-	fh := forwarderHealth{log: log, config: cfg, domainResolvers: resolver.NewSingleDomainResolvers(keysPerDomains)}
+	r, err := resolver.NewSingleDomainResolvers(keysPerDomains)
+	require.NoError(t, err)
+	fh := forwarderHealth{log: log, config: cfg, domainResolvers: r}
 	fh.init()
 	assert.True(t, fh.checkValidAPIKey())
 
@@ -55,18 +58,18 @@ func TestCheckValidAPIKey(t *testing.T) {
 
 func TestComputeDomainsURL(t *testing.T) {
 	keysPerDomains := map[string][]utils.APIKeys{
-		"https://app.datadoghq.com":              {utils.NewAPIKeys("", "api_key1")},
-		"https://custom.datadoghq.com":           {utils.NewAPIKeys("", "api_key2")},
-		"https://custom.agent.datadoghq.com":     {utils.NewAPIKeys("", "api_key3")},
-		"https://app.datadoghq.eu":               {utils.NewAPIKeys("", "api_key4")},
-		"https://app.us2.datadoghq.com":          {utils.NewAPIKeys("", "api_key5")},
-		"https://app.xx9.datadoghq.com":          {utils.NewAPIKeys("", "api_key5")},
-		"https://custom.agent.us2.datadoghq.com": {utils.NewAPIKeys("", "api_key6")},
+		"https://app.datadoghq.com":              {utils.NewAPIKeys("path", "api_key1")},
+		"https://custom.datadoghq.com":           {utils.NewAPIKeys("path", "api_key2")},
+		"https://custom.agent.datadoghq.com":     {utils.NewAPIKeys("path", "api_key3")},
+		"https://app.datadoghq.eu":               {utils.NewAPIKeys("path", "api_key4")},
+		"https://app.us2.datadoghq.com":          {utils.NewAPIKeys("path", "api_key5")},
+		"https://app.xx9.datadoghq.com":          {utils.NewAPIKeys("path", "api_key5")},
+		"https://custom.agent.us2.datadoghq.com": {utils.NewAPIKeys("path", "api_key6")},
 		// debatable whether the next one should be changed to `api.`, preserve pre-existing behavior for now
-		"https://app.datadoghq.internal": {utils.NewAPIKeys("", "api_key7")},
-		"https://app.myproxy.com":        {utils.NewAPIKeys("", "api_key8")},
-		"https://app.ddog-gov.com":       {utils.NewAPIKeys("", "api_key9")},
-		"https://custom.ddog-gov.com":    {utils.NewAPIKeys("", "api_key10")},
+		"https://app.datadoghq.internal": {utils.NewAPIKeys("path", "api_key7")},
+		"https://app.myproxy.com":        {utils.NewAPIKeys("path", "api_key8")},
+		"https://app.ddog-gov.com":       {utils.NewAPIKeys("path", "api_key9")},
+		"https://custom.ddog-gov.com":    {utils.NewAPIKeys("path", "api_key10")},
 	}
 
 	expectedMap := map[string][]string{
@@ -84,7 +87,9 @@ func TestComputeDomainsURL(t *testing.T) {
 		sort.Strings(keys)
 	}
 	log := logmock.New(t)
-	fh := forwarderHealth{log: log, domainResolvers: resolver.NewSingleDomainResolvers(keysPerDomains)}
+	r, err := resolver.NewSingleDomainResolvers(keysPerDomains)
+	require.NoError(t, err)
+	fh := forwarderHealth{log: log, domainResolvers: r}
 	fh.init()
 
 	// lexicographical sort for assert
@@ -166,14 +171,16 @@ func TestUpdateAPIKey(t *testing.T) {
 
 	// starting API Keys, before the update
 	keysPerDomains := map[string][]utils.APIKeys{
-		ts1.URL: {utils.NewAPIKeys("", "api_key1"), utils.NewAPIKeys("", "api_key2")},
-		ts2.URL: {utils.NewAPIKeys("", "api_key3")},
+		ts1.URL: {utils.NewAPIKeys("path", "api_key1"), utils.NewAPIKeys("path", "api_key2")},
+		ts2.URL: {utils.NewAPIKeys("path", "api_key3")},
 	}
 
 	log := logmock.New(t)
 	cfg := config.NewMock(t)
 
-	fh := forwarderHealth{log: log, config: cfg, domainResolvers: resolver.NewSingleDomainResolvers(keysPerDomains)}
+	r, err := resolver.NewSingleDomainResolvers(keysPerDomains)
+	require.NoError(t, err)
+	fh := forwarderHealth{log: log, config: cfg, domainResolvers: r}
 	fh.init()
 	assert.True(t, fh.checkValidAPIKey())