Add filtering by cluster name

Author: mtodor

internal/toolsets/vulnerability/cluster_resolver.go

@@ -0,0 +1,33 @@
+package vulnerability
+
+import (
+	"context"
+	"fmt"
+
+	v1 "github.com/stackrox/rox/generated/api/v1"
+)
+
+// resolveClusterNameToID resolves a cluster name to its ID.
+// Returns empty string if clusterName is empty (no filtering).
+// Returns error if cluster name is not found or if API call fails.
+func resolveClusterNameToID(ctx context.Context, clusterName string, client v1.ClustersServiceClient) (string, error) {
+	// Empty cluster name means no filtering
+	if clusterName == "" {
+		return "", nil
+	}
+
+	// Fetch all clusters
+	resp, err := client.GetClusters(ctx, &v1.GetClustersRequest{})
+	if err != nil {
+		return "", fmt.Errorf("failed to fetch clusters: %w", err)
+	}
+
+	// Find cluster by exact name match (case-sensitive)
+	for _, cluster := range resp.GetClusters() {
+		if cluster.GetName() == clusterName {
+			return cluster.GetId(), nil
+		}
+	}
+
+	return "", fmt.Errorf("cluster with name %q not found", clusterName)
+}

internal/toolsets/vulnerability/cluster_resolver_test.go

@@ -0,0 +1,110 @@
+package vulnerability
+
+import (
+	"context"
+	"errors"
+	"net"
+	"testing"
+
+	v1 "github.com/stackrox/rox/generated/api/v1"
+	"github.com/stackrox/rox/generated/storage"
+	"github.com/stackrox/stackrox-mcp/internal/toolsets/mock"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+)
+
+func TestResolveClusterNameToID(t *testing.T) {
+	tests := map[string]struct {
+		clusterName     string
+		mockClusters    []*storage.Cluster
+		mockError       error
+		expectedID      string
+		expectError     bool
+		expectedErrText string
+	}{
+		"empty cluster name returns empty ID": {
+			clusterName:  "",
+			mockClusters: []*storage.Cluster{{Id: "cluster-1", Name: "production"}},
+			expectedID:   "",
+			expectError:  false,
+		},
+		"cluster name found returns correct ID": {
+			clusterName: "production",
+			mockClusters: []*storage.Cluster{
+				{Id: "cluster-0", Name: "dev"},
+				{Id: "cluster-1", Name: "production"},
+				{Id: "cluster-2", Name: "staging"},
+			},
+			expectedID:  "cluster-1",
+			expectError: false,
+		},
+		"cluster name not found returns error": {
+			clusterName: "nonexistent",
+			mockClusters: []*storage.Cluster{
+				{Id: "cluster-1", Name: "production"},
+			},
+			expectedID:      "",
+			expectError:     true,
+			expectedErrText: `cluster with name "nonexistent" not found`,
+		},
+		"case sensitive matching": {
+			clusterName: "Production",
+			mockClusters: []*storage.Cluster{
+				{Id: "cluster-1", Name: "production"},
+			},
+			expectedID:      "",
+			expectError:     true,
+			expectedErrText: `cluster with name "Production" not found`,
+		},
+		"API error propagation": {
+			clusterName:     "production",
+			mockError:       errors.New("API connection failed"),
+			expectedID:      "",
+			expectError:     true,
+			expectedErrText: "failed to fetch clusters:",
+		},
+		"exact match required": {
+			clusterName: "prod",
+			mockClusters: []*storage.Cluster{
+				{Id: "cluster-1", Name: "production"},
+			},
+			expectedID:      "",
+			expectError:     true,
+			expectedErrText: `cluster with name "prod" not found`,
+		},
+	}
+
+	for testName, testCase := range tests {
+		t.Run(testName, func(t *testing.T) {
+			mockService := mock.NewClustersServiceMock(testCase.mockClusters, testCase.mockError)
+			grpcServer, listener := mock.SetupClusterServer(mockService)
+			defer grpcServer.Stop()
+
+			// Create a gRPC client connection to the mock server
+			conn, err := grpc.NewClient(
+				"passthrough://buffer",
+				grpc.WithLocalDNSResolution(),
+				grpc.WithContextDialer(func(_ context.Context, _ string) (net.Conn, error) {
+					return listener.Dial()
+				}),
+				grpc.WithTransportCredentials(insecure.NewCredentials()),
+			)
+			require.NoError(t, err)
+			defer conn.Close()
+
+			client := v1.NewClustersServiceClient(conn)
+
+			id, err := resolveClusterNameToID(context.Background(), testCase.clusterName, client)
+
+			if testCase.expectError {
+				require.Error(t, err)
+				assert.Contains(t, err.Error(), testCase.expectedErrText)
+			} else {
+				require.NoError(t, err)
+				assert.Equal(t, testCase.expectedID, id)
+			}
+		})
+	}
+}

internal/toolsets/vulnerability/clusters.go

@@ -18,15 +18,20 @@ import (
 
 // getClustersForCVEInput defines the input parameters for get_clusters_for_cve tool.
 type getClustersForCVEInput struct {
-	CVEName         string `json:"cveName"`
-	FilterClusterID string `json:"filterClusterId,omitempty"`
+	CVEName           string `json:"cveName"`
+	FilterClusterID   string `json:"filterClusterId,omitempty"`
+	FilterClusterName string `json:"filterClusterName,omitempty"`
 }
 
 func (input *getClustersForCVEInput) validate() error {
 	if input.CVEName == "" {
 		return errors.New("CVE name is required")
 	}
 
+	if input.FilterClusterID != "" && input.FilterClusterName != "" {
+		return errors.New("cannot specify both filterClusterId and filterClusterName")
+	}
+
 	return nil
 }
 
@@ -76,9 +81,7 @@ func (t *getClustersForCVETool) GetTool() *mcp.Tool {
 			" Call ALL THREE CVE tools (get_clusters_with_orchestrator_cve, get_deployments_for_cve, get_nodes_for_cve)" +
 			" for comprehensive coverage." +
 			" 2) When user asks specifically about 'orchestrator', 'Kubernetes components'," +
-			" or 'control plane': Use ONLY this tool." +
-			" 3) For single cluster queries (e.g., 'in cluster X'): First call list_clusters to get cluster ID," +
-			" then call ONLY this tool with filterClusterId.",
+			" or 'control plane': Use ONLY this tool.",
 		InputSchema: getClustersForCVEInputSchema(),
 	}
 }
@@ -97,11 +100,13 @@ func getClustersForCVEInputSchema() *jsonschema.Schema {
 
 	schema.Properties["cveName"].Description = "CVE name to filter clusters (e.g., CVE-2021-44228)"
 	schema.Properties["filterClusterId"].Description =
-		"Optional cluster ID (cluster ID only, not cluster name) to verify if CVE is detected in a specific cluster." +
-			" Only use this parameter when the user's query explicitly mentions a specific cluster name." +
-			" When checking if a CVE exists at all, call without this parameter to check all clusters at once." +
-			" To resolve cluster names to IDs, use list_clusters tool first." +
-			" If the cluster doesn't exist, respond that the CVE is not detected in that cluster (since it doesn't exist)."
+		"Optional cluster ID to verify if CVE is detected in a specific cluster." +
+			" Cannot be used together with filterClusterName." +
+			" When checking if a CVE exists at all, call without this parameter to check all clusters at once."
+	schema.Properties["filterClusterName"].Description =
+		"Optional cluster name to verify if CVE is detected in a specific cluster." +
+			" Cannot be used together with filterClusterId." +
+			" When checking if a CVE exists at all, call without this parameter to check all clusters at once."
 
 	return schema
 }
@@ -143,7 +148,21 @@ func (t *getClustersForCVETool) handle(
 
 	clustersClient := v1.NewClustersServiceClient(conn)
 
-	query := buildClusterQuery(input)
+	// Resolve cluster name to ID if provided
+	resolvedClusterID := input.FilterClusterID
+	if input.FilterClusterName != "" {
+		resolvedClusterID, err = resolveClusterNameToID(callCtx, input.FilterClusterName, clustersClient)
+		if err != nil {
+			return nil, nil, err
+		}
+	}
+
+	// Build query using the resolved cluster ID
+	queryInput := getClustersForCVEInput{
+		CVEName:         input.CVEName,
+		FilterClusterID: resolvedClusterID,
+	}
+	query := buildClusterQuery(queryInput)
 
 	resp, err := clustersClient.GetClusters(callCtx, &v1.GetClustersRequest{
 		Query: query,

internal/toolsets/vulnerability/clusters_test.go

@@ -78,6 +78,29 @@ func TestClusterInputValidate(t *testing.T) {
 			expectError: true,
 			errorMsg:    "CVE name is required",
 		},
+		"both cluster ID and name provided": {
+			input: getClustersForCVEInput{
+				CVEName:           "CVE-2021-44228",
+				FilterClusterID:   "cluster-123",
+				FilterClusterName: "production",
+			},
+			expectError: true,
+			errorMsg:    "cannot specify both filterClusterId and filterClusterName",
+		},
+		"only cluster ID provided": {
+			input: getClustersForCVEInput{
+				CVEName:         "CVE-2021-44228",
+				FilterClusterID: "cluster-123",
+			},
+			expectError: false,
+		},
+		"only cluster name provided": {
+			input: getClustersForCVEInput{
+				CVEName:           "CVE-2021-44228",
+				FilterClusterName: "production",
+			},
+			expectError: false,
+		},
 	}
 
 	for testName, testCase := range tests {
@@ -297,3 +320,68 @@ func TestClusterHandle_WithFilters(t *testing.T) {
 		})
 	}
 }
+
+func TestClusterHandle_WithClusterName(t *testing.T) {
+	tests := map[string]struct {
+		clusterName       string
+		availableClusters []*storage.Cluster
+		expectError       bool
+		expectedErrText   string
+		expectedQuery     string
+	}{
+		"cluster name found": {
+			clusterName: "production",
+			availableClusters: []*storage.Cluster{
+				{Id: "cluster-1", Name: "production"},
+				{Id: "cluster-2", Name: "staging"},
+			},
+			expectError:   false,
+			expectedQuery: `CVE:"CVE-2021-44228"+Cluster ID:"cluster-1"`,
+		},
+		"cluster name not found": {
+			clusterName: "nonexistent",
+			availableClusters: []*storage.Cluster{
+				{Id: "cluster-1", Name: "production"},
+			},
+			expectError:     true,
+			expectedErrText: `cluster with name "nonexistent" not found`,
+		},
+		"empty cluster name": {
+			clusterName: "",
+			availableClusters: []*storage.Cluster{
+				{Id: "cluster-1", Name: "production"},
+			},
+			expectError:   false,
+			expectedQuery: `CVE:"CVE-2021-44228"`,
+		},
+	}
+
+	for testName, testCase := range tests {
+		t.Run(testName, func(t *testing.T) {
+			mockService := mock.NewClustersServiceMock(testCase.availableClusters, nil)
+			grpcServer, listener := mock.SetupClusterServer(mockService)
+			defer grpcServer.Stop()
+
+			tool, ok := NewGetClustersForCVETool(createTestClient(t, listener)).(*getClustersForCVETool)
+			require.True(t, ok)
+
+			input := getClustersForCVEInput{
+				CVEName:           "CVE-2021-44228",
+				FilterClusterName: testCase.clusterName,
+			}
+
+			result, output, err := tool.handle(context.Background(), &mcp.CallToolRequest{}, input)
+
+			if testCase.expectError {
+				require.Error(t, err)
+				assert.Contains(t, err.Error(), testCase.expectedErrText)
+				assert.Nil(t, output)
+			} else {
+				require.NoError(t, err)
+				require.NotNil(t, output)
+				assert.Nil(t, result)
+				assert.Contains(t, mockService.GetLastCallQuery(), testCase.expectedQuery)
+			}
+		})
+	}
+}

internal/toolsets/vulnerability/deployments.go

@@ -33,6 +33,7 @@ const (
 type getDeploymentsForCVEInput struct {
 	CVEName               string             `json:"cveName"`
 	FilterClusterID       string             `json:"filterClusterId,omitempty"`
+	FilterClusterName     string             `json:"filterClusterName,omitempty"`
 	FilterNamespace       string             `json:"filterNamespace,omitempty"`
 	FilterPlatform        filterPlatformType `json:"filterPlatform,omitempty"`
 	IncludeDetectedImages bool               `json:"includeDetectedImages,omitempty"`
@@ -44,6 +45,10 @@ func (input *getDeploymentsForCVEInput) validate() error {
 		return errors.New("CVE name is required")
 	}
 
+	if input.FilterClusterID != "" && input.FilterClusterName != "" {
+		return errors.New("cannot specify both filterClusterId and filterClusterName")
+	}
+
 	return nil
 }
 
@@ -100,9 +105,7 @@ func (t *getDeploymentsForCVETool) GetTool() *mcp.Tool {
 			" Call ALL THREE CVE tools (get_clusters_with_orchestrator_cve, get_deployments_for_cve, get_nodes_for_cve)" +
 			" for comprehensive coverage." +
 			" 2) When user asks specifically about 'deployments', 'workloads', 'applications'," +
-			" or 'containers': Use ONLY this tool." +
-			" 3) For single cluster queries (e.g., 'in cluster X'): First call list_clusters to get cluster ID," +
-			" then call ONLY this tool with filterClusterId.",
+			" or 'containers': Use ONLY this tool.",
 		InputSchema: getDeploymentsForCVEInputSchema(),
 	}
 }
@@ -120,7 +123,10 @@ func getDeploymentsForCVEInputSchema() *jsonschema.Schema {
 	schema.Required = []string{"cveName"}
 
 	schema.Properties["cveName"].Description = "CVE name to filter deployments (e.g., CVE-2021-44228)"
-	schema.Properties["filterClusterId"].Description = "Optional cluster ID to filter deployments"
+	schema.Properties["filterClusterId"].Description = "Optional cluster ID to filter deployments." +
+		" Cannot be used together with filterClusterName."
+	schema.Properties["filterClusterName"].Description = "Optional cluster name to filter deployments." +
+		" Cannot be used together with filterClusterId."
 	schema.Properties["filterNamespace"].Description = "Optional namespace to filter deployments"
 
 	schema.Properties["filterPlatform"].Description =
@@ -287,10 +293,29 @@ func (t *getDeploymentsForCVETool) handle(
 	}
 
 	callCtx := auth.WithMCPRequestContext(ctx, req)
+
+	// Resolve cluster name to ID if provided
+	resolvedClusterID := input.FilterClusterID
+	if input.FilterClusterName != "" {
+		clustersClient := v1.NewClustersServiceClient(conn)
+		resolvedClusterID, err = resolveClusterNameToID(callCtx, input.FilterClusterName, clustersClient)
+		if err != nil {
+			return nil, nil, err
+		}
+	}
+
 	deploymentClient := v1.NewDeploymentServiceClient(conn)
 
+	// Build query using the resolved cluster ID
+	queryInput := getDeploymentsForCVEInput{
+		CVEName:         input.CVEName,
+		FilterClusterID: resolvedClusterID,
+		FilterNamespace: input.FilterNamespace,
+		FilterPlatform:  input.FilterPlatform,
+	}
+
 	listReq := &v1.RawQuery{
-		Query: buildQuery(input),
+		Query: buildQuery(queryInput),
 		Pagination: &v1.Pagination{
 			Offset: currCursor.GetOffset(),
 			Limit:  defaultLimit + 1,