Add definition to restrict deployment modes per input (#915)

In various Kibana issues, we found that agentless integrations needed
specific inputs to be allowed/blocked. This is currently in a blocklist
maintained in Fleet, but as more integrations become available for
agentless, it is unsustainable for Fleet to maintain this list. Therefore
the package spec needs to allow integrations to control what inputs are
allowed on agentless, and Fleet should read from this information.

Author: jen-huang

code/go/internal/validator/semantic/validate_deployment_modes.go

@@ -0,0 +1,112 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package semantic
+
+import (
+	"fmt"
+	"io/fs"
+
+	"gopkg.in/yaml.v3"
+
+	"github.com/elastic/package-spec/v3/code/go/internal/fspath"
+	"github.com/elastic/package-spec/v3/code/go/pkg/specerrors"
+)
+
+// ValidateDeploymentModes ensures that for each deployment mode enabled in a policy template,
+// there is at least one input that supports that deployment mode.
+func ValidateDeploymentModes(fsys fspath.FS) specerrors.ValidationErrors {
+	manifestPath := "manifest.yml"
+	d, err := fs.ReadFile(fsys, manifestPath)
+	if err != nil {
+		return specerrors.ValidationErrors{specerrors.NewStructuredErrorf("file \"%s\" is invalid: failed to read manifest: %w", fsys.Path(manifestPath), err)}
+	}
+
+	var manifest struct {
+		PolicyTemplates []struct {
+			Name            string `yaml:"name"`
+			DeploymentModes struct {
+				Default struct {
+					Enabled *bool `yaml:"enabled"` // Use pointer to detect if field was set, default is true
+				} `yaml:"default"`
+				Agentless struct {
+					Enabled bool `yaml:"enabled"`
+				} `yaml:"agentless"`
+			} `yaml:"deployment_modes"`
+			Inputs []struct {
+				Type            string    `yaml:"type"`
+				DeploymentModes *[]string `yaml:"deployment_modes"` // Use pointer to detect if field was set
+			} `yaml:"inputs"`
+		} `yaml:"policy_templates"`
+	}
+
+	err = yaml.Unmarshal(d, &manifest)
+	if err != nil {
+		return specerrors.ValidationErrors{specerrors.NewStructuredErrorf("file \"%s\" is invalid: failed to parse manifest: %w", fsys.Path(manifestPath), err)}
+	}
+
+	var errs specerrors.ValidationErrors
+	for _, template := range manifest.PolicyTemplates {
+		// Collect enabled deployment modes for this policy template
+		enabledModes := []string{}
+		// Default mode is enabled by default, unless explicitly disabled
+		if template.DeploymentModes.Default.Enabled == nil || *template.DeploymentModes.Default.Enabled {
+			enabledModes = append(enabledModes, "default")
+		}
+		if template.DeploymentModes.Agentless.Enabled {
+			enabledModes = append(enabledModes, "agentless")
+		}
+
+		// Check each enabled deployment mode has at least one supporting input
+		for _, enabledMode := range enabledModes {
+			hasSupport := false
+			for _, input := range template.Inputs {
+				// If deployment_modes field was not specified, input supports all modes
+				if input.DeploymentModes == nil {
+					hasSupport = true
+					break
+				}
+				// Check if this input explicitly supports the deployment mode
+				for _, inputMode := range *input.DeploymentModes {
+					if inputMode == enabledMode {
+						hasSupport = true
+						break
+					}
+				}
+				if hasSupport {
+					break
+				}
+			}
+
+			if !hasSupport {
+				err := fmt.Errorf("file \"%s\" is invalid: policy template \"%s\" enables deployment mode \"%s\" but no input supports this mode", fsys.Path(manifestPath), template.Name, enabledMode)
+				errs = append(errs, specerrors.NewStructuredError(err, specerrors.UnassignedCode))
+			}
+		}
+
+		// Check that input deployment modes are supported by the policy template
+		for _, input := range template.Inputs {
+			// If deployment_modes field was not specified, input supports all modes
+			if input.DeploymentModes == nil {
+				continue
+			}
+			// Check if the input has any deployment modes that are not enabled by the policy template
+			for _, mode := range *input.DeploymentModes {
+				found := false
+				for _, enabledMode := range enabledModes {
+					if mode == enabledMode {
+						found = true
+						break
+					}
+				}
+				if !found {
+					err := fmt.Errorf("file \"%s\" is invalid: input \"%s\" in policy template \"%s\" specifies unsupported deployment mode \"%s\"", fsys.Path(manifestPath), input.Type, template.Name, mode)
+					errs = append(errs, specerrors.NewStructuredError(err, specerrors.UnassignedCode))
+				}
+			}
+		}
+	}
+
+	return errs
+}

code/go/internal/validator/semantic/validate_deployment_modes_test.go

@@ -0,0 +1,215 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package semantic
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/elastic/package-spec/v3/code/go/internal/fspath"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestValidateDeploymentModes(t *testing.T) {
+	cases := []struct {
+		title        string
+		manifestYAML string
+		expectedErrs []string
+	}{
+		{
+			title: "valid - inputs support all enabled deployment modes",
+			manifestYAML: `
+policy_templates:
+  - name: test
+    deployment_modes:
+      default:
+        enabled: true
+      agentless:
+        enabled: true
+        organization: elastic
+        division: observability
+        team: test
+    inputs:
+      - type: httpjson
+        deployment_modes: ['default', 'agentless']
+      - type: filestream
+        deployment_modes: ['default']
+`,
+			expectedErrs: nil,
+		},
+		{
+			title: "valid - input with no deployment_modes supports all",
+			manifestYAML: `
+policy_templates:
+  - name: test
+    deployment_modes:
+      default:
+        enabled: true
+      agentless:
+        enabled: true
+        organization: elastic
+        division: observability
+        team: test
+    inputs:
+      - type: httpjson
+        # No deployment_modes specified - supports all
+`,
+			expectedErrs: nil,
+		},
+		{
+			title: "invalid - default mode enabled but no input supports it",
+			manifestYAML: `
+policy_templates:
+  - name: test
+    deployment_modes:
+      agentless:
+        enabled: true
+        organization: elastic
+        division: observability
+        team: test
+    inputs:
+      - type: httpjson
+        deployment_modes: ['agentless']
+`,
+			expectedErrs: []string{
+				`policy template "test" enables deployment mode "default" but no input supports this mode`,
+			},
+		},
+		{
+			title: "invalid - agentless mode enabled but no input supports it",
+			manifestYAML: `
+policy_templates:
+  - name: test
+    deployment_modes:
+      agentless:
+        enabled: true
+        organization: elastic
+        division: observability
+        team: test
+    inputs:
+      - type: httpjson
+        deployment_modes: ['default']
+`,
+			expectedErrs: []string{
+				`policy template "test" enables deployment mode "agentless" but no input supports this mode`,
+			},
+		},
+		{
+			title: "invalid - both modes enabled but inputs support none",
+			manifestYAML: `
+policy_templates:
+  - name: test
+    deployment_modes:
+      agentless:
+        enabled: true
+        organization: elastic
+        division: observability
+        team: test
+    inputs:
+      - type: httpjson
+        deployment_modes: []
+`,
+			expectedErrs: []string{
+				`policy template "test" enables deployment mode "default" but no input supports this mode`,
+				`policy template "test" enables deployment mode "agentless" but no input supports this mode`,
+			},
+		},
+		{
+			title: "valid - no deployment modes enabled",
+			manifestYAML: `
+policy_templates:
+  - name: test
+    inputs:
+      - type: httpjson
+        deployment_modes: ['default']
+`,
+			expectedErrs: nil,
+		},
+		{
+			title: "valid - multiple policy templates",
+			manifestYAML: `
+policy_templates:
+  - name: test1
+    inputs:
+      - type: httpjson
+        deployment_modes: ['default']
+  - name: test2
+    deployment_modes:
+      default:
+        enabled: false
+      agentless:
+        enabled: true
+        organization: elastic
+        division: observability
+        team: test
+    inputs:
+      - type: filestream
+        deployment_modes: ['agentless']
+`,
+			expectedErrs: nil,
+		},
+		{
+			title: "invalid - input specifies unsupported deployment mode",
+			manifestYAML: `
+policy_templates:
+  - name: test
+    deployment_modes:
+      default:
+        enabled: true
+    inputs:
+      - type: httpjson
+        deployment_modes: ['agentless']  # agentless is disabled by default
+`,
+			expectedErrs: []string{
+				`policy template "test" enables deployment mode "default" but no input supports this mode`,
+				`input "httpjson" in policy template "test" specifies unsupported deployment mode "agentless"`,
+			},
+		},
+		{
+			title: "invalid - input specifies multiple unsupported deployment modes",
+			manifestYAML: `
+policy_templates:
+  - name: test
+    deployment_modes:
+      default:
+        enabled: false
+    inputs:
+      - type: httpjson
+        deployment_modes: ['default', 'agentless']  # both disabled
+`,
+			expectedErrs: []string{
+				`input "httpjson" in policy template "test" specifies unsupported deployment mode "default"`,
+				`input "httpjson" in policy template "test" specifies unsupported deployment mode "agentless"`,
+			},
+		},
+	}
+
+	for _, c := range cases {
+		t.Run(c.title, func(t *testing.T) {
+			// Create a temporary directory and manifest file
+			tempDir, err := os.MkdirTemp("", "test-deployment-modes")
+			require.NoError(t, err)
+			defer os.RemoveAll(tempDir)
+
+			manifestPath := filepath.Join(tempDir, "manifest.yml")
+			err = os.WriteFile(manifestPath, []byte(c.manifestYAML), 0644)
+			require.NoError(t, err)
+
+			fsys := fspath.DirFS(tempDir)
+			errs := ValidateDeploymentModes(fsys)
+
+			if len(c.expectedErrs) == 0 {
+				assert.Empty(t, errs)
+			} else {
+				require.Len(t, errs, len(c.expectedErrs))
+				for i, expectedErr := range c.expectedErrs {
+					assert.Contains(t, errs[i].Error(), expectedErr)
+				}
+			}
+		})
+	}
+}

code/go/internal/validator/spec.go

@@ -214,6 +214,7 @@ func (s Spec) rules(pkgType string, rootSpec spectypes.ItemSpec) validationRules
 		{fn: semantic.ValidateDimensionsPresent, types: []string{"integration"}, since: semver.MustParse("3.0.1")},
 		{fn: semantic.ValidateCapabilitiesRequired, since: semver.MustParse("2.10.0")}, // capabilities definition was added in spec version 2.10.0
 		{fn: semantic.ValidateRequiredVarGroups},
+		{fn: semantic.ValidateDeploymentModes, types: []string{"integration"}},
 	}
 
 	var validationRules validationRules

code/go/pkg/validator/validator_test.go

@@ -272,6 +272,17 @@ func TestValidateFile(t *testing.T) {
 				`required var "password" in optional group is not defined`,
 			},
 		},
+		"bad_input_deployment_modes": {
+			"manifest.yml",
+			[]string{
+				`field policy_templates.0.inputs.0.deployment_modes.0: policy_templates.0.inputs.0.deployment_modes.0 must be one of the following: "default", "agentless"`,
+				`field policy_templates.0.inputs.1.deployment_modes: Array must have at least 1 items`,
+				`field policy_templates.0.inputs.2.deployment_modes: array items[0,1] must be unique`,
+				`input "test/metrics" in policy template "test" specifies unsupported deployment mode "invalid_mode"`,
+				`input "test/system" in policy template "test" specifies unsupported deployment mode "agentless"`,
+				`policy template "unsupported_modes" enables deployment mode "default" but no input supports this mode`,
+			},
+		},
 		"with_links": {},
 		"bad_discovery_fields": {
 			"manifest.yml",

spec/changelog.yml

@@ -27,6 +27,9 @@
     - description: Add support for `knowledge_base` directory under docs to store markdown files for AI assistant context.
       type: enhancement
       link: https://github.com/elastic/package-spec/pull/916
+    - description: Add definition for input-level deployment modes.
+      type: enhancement
+      link: https://github.com/elastic/package-spec/pull/915
 - version: 3.4.0
   changes:
     - description: Add kibana/security_ai_prompt to support security AI prompt assets.

spec/integration/manifest.spec.yml

@@ -522,6 +522,22 @@ spec:
                   description: Can input be defined multiple times
                   type: boolean
                   default: false
+                deployment_modes:
+                  description: >
+                    List of deployment modes that this input is compatible with.
+                    If not specified, the input is compatible with all deployment modes.
+                  type: array
+                  minItems: 1
+                  uniqueItems: true
+                  items:
+                    type: string
+                    enum:
+                      - default
+                      - agentless
+                  examples:
+                    - ["default"]
+                    - ["agentless"]
+                    - ["default", "agentless"]
                 required_vars:
                   $ref: "./data_stream/manifest.spec.yml#/definitions/required_vars"
                 vars:

test/packages/bad_input_deployment_modes/changelog.yml

@@ -0,0 +1,5 @@
+- version: 0.0.1
+  changes:
+    - description: Initial version
+      type: enhancement
+      link: https://github.com/elastic/package-spec/pull/915

test/packages/bad_input_deployment_modes/docs/README.md

@@ -0,0 +1,3 @@
+# Test Package
+
+This is a test package for deployment modes validation.