WIP

Signed-off-by: Richard Wall <[email protected]>

Author: wallrj-cyberark

pkg/client/client_cyberark.go

@@ -2,6 +2,10 @@ package client
 
 import (
 	"context"
+	"net/http"
+	"time"
+
+	"k8s.io/client-go/transport"
 
 	"github.com/jetstack/preflight/api"
 	"github.com/jetstack/preflight/pkg/internal/cyberark"
@@ -10,6 +14,7 @@ import (
 
 type CyberArkClient struct {
 	configLoader cyberark.ClientConfigLoader
+	httpClient   *http.Client
 }
 
 var _ Client = &CyberArkClient{}
@@ -22,6 +27,10 @@ func NewCyberArk() (*CyberArkClient, error) {
 	}
 	return &CyberArkClient{
 		configLoader: configLoader,
+		httpClient: &http.Client{
+			Timeout:   time.Minute,
+			Transport: transport.DebugWrappers(http.DefaultTransport),
+		},
 	}, nil
 }
 
@@ -33,7 +42,7 @@ func (o *CyberArkClient) PostDataReadingsWithOptions(ctx context.Context, readin
 	if err != nil {
 		return err
 	}
-	datauploadClient, err := cyberark.NewDatauploadClient(ctx, cfg)
+	datauploadClient, err := cyberark.NewDatauploadClient(ctx, o.httpClient, cfg)
 	if err != nil {
 		return err
 	}

pkg/client/client_cyberark_test.go

@@ -1,4 +1,4 @@
-package client
+package client_test
 
 import (
 	"os"
@@ -9,36 +9,56 @@ import (
 	"k8s.io/klog/v2/ktesting"
 
 	"github.com/jetstack/preflight/api"
+	"github.com/jetstack/preflight/pkg/client"
+	"github.com/jetstack/preflight/pkg/testutil"
 
 	_ "k8s.io/klog/v2/ktesting/init"
 )
 
-func TestCyberArkClient_PostDataReadingsWithOptions(t *testing.T) {
-	// TestCyberArkClient_PostDataReadingsWithOptions/RealAPI demonstrates that the
-	// dataupload code works with the real inventory API.
-	//
-	// To enable verbose request logging:
-	//
-	//	go test ./pkg/internal/cyberark/dataupload/... \
-	//	  -v -count 1 -run TestPostDataReadingsWithOptionsWithRealAPI -args -testing.v 6
-	t.Run("RealAPI", func(t *testing.T) {
-		platformDomain := os.Getenv("ARK_PLATFORM_DOMAIN")
+func TestCyberArkClient_PostDataReadingsWithOptions_MockAPI(t *testing.T) {
+	t.Setenv("ARK_SECRET", "")
+	t.Run("success", func(t *testing.T) {
+		logger := ktesting.NewLogger(t, ktesting.DefaultConfig)
+		ctx := klog.NewContext(t.Context(), logger)
+
+		server, serverCert := testutil.FakeCyberArk(t)
+		t.Setenv("ARK_DISCOVERY_ENDPOINT", server.URL)
+		cl, err := client.NewCyberArk()
+		require.NoError(t, err)
+
+		testutil.TrustCA(t, cl, serverCert)
+
+		var readings []*api.DataReading
+		err = cl.PostDataReadingsWithOptions(ctx, readings, client.Options{})
+		require.NoError(t, err)
+	})
+}
+
+// TestCyberArkClient_PostDataReadingsWithOptions_RealAPI demonstrates that the
+// dataupload code works with the real inventory API.
+//
+// To enable verbose request logging:
+//
+//	go test ./pkg/internal/cyberark/dataupload/... \
+//	  -v -count 1 -run TestCyberArkClient_PostDataReadingsWithOptions_RealAPI -args -testing.v 6
+func TestCyberArkClient_PostDataReadingsWithOptions_RealAPI(t *testing.T) {
+	t.Run("success", func(t *testing.T) {
 		subdomain := os.Getenv("ARK_SUBDOMAIN")
 		username := os.Getenv("ARK_USERNAME")
 		secret := os.Getenv("ARK_SECRET")
 
-		if platformDomain == "" || subdomain == "" || username == "" || secret == "" {
-			t.Skip("Skipping because one of the following environment variables is unset or empty: ARK_PLATFORM_DOMAIN, ARK_SUBDOMAIN, ARK_USERNAME, ARK_SECRET")
+		if subdomain == "" || username == "" || secret == "" {
+			t.Skip("Skipping because one of the following environment variables is unset or empty: ARK_SUBDOMAIN, ARK_USERNAME, ARK_SECRET")
 			return
 		}
 
 		logger := ktesting.NewLogger(t, ktesting.DefaultConfig)
 		ctx := klog.NewContext(t.Context(), logger)
 
-		c, err := NewCyberArk()
+		c, err := client.NewCyberArk()
 		require.NoError(t, err)
 		var readings []*api.DataReading
-		err = c.PostDataReadingsWithOptions(ctx, readings, Options{})
+		err = c.PostDataReadingsWithOptions(ctx, readings, client.Options{})
 		require.NoError(t, err)
 	})
 }

pkg/internal/cyberark/client.go

@@ -3,7 +3,7 @@ package cyberark
 import (
 	"context"
 	"errors"
-	"fmt"
+	"net/http"
 	"os"
 
 	"github.com/jetstack/preflight/pkg/internal/cyberark/dataupload"
@@ -12,62 +12,44 @@ import (
 )
 
 type ClientConfig struct {
-	platformDomain string
-	subdomain      string
-	username       string
-	secret         string
+	subdomain string
+	username  string
+	secret    string
 }
 
 type ClientConfigLoader func() (ClientConfig, error)
 
 func LoadClientConfigFromEnvironment() (ClientConfig, error) {
-	platformDomain := os.Getenv("ARK_PLATFORM_DOMAIN")
 	subdomain := os.Getenv("ARK_SUBDOMAIN")
 	username := os.Getenv("ARK_USERNAME")
 	secret := os.Getenv("ARK_SECRET")
 
-	if platformDomain == "" || subdomain == "" || username == "" || secret == "" {
+	if subdomain == "" || username == "" || secret == "" {
 		return ClientConfig{}, errors.New(
-			"missing environment variables: ARK_PLATFORM_DOMAIN, ARK_SUBDOMAIN, ARK_USERNAME, ARK_SECRET")
+			"missing environment variables: ARK_SUBDOMAIN, ARK_USERNAME, ARK_SECRET")
 	}
 
 	return ClientConfig{
-		platformDomain: platformDomain,
-		subdomain:      subdomain,
-		username:       username,
-		secret:         secret,
+		subdomain: subdomain,
+		username:  username,
+		secret:    secret,
 	}, nil
 
 }
 
-func NewDatauploadClient(ctx context.Context, cfg ClientConfig) (*dataupload.CyberArkClient, error) {
-	const (
-		discoveryContextServiceName = "inventory"
-		separator                   = "."
-	)
-
-	serviceURL := fmt.Sprintf("https://%s%s%s.%s", cfg.subdomain, separator, discoveryContextServiceName, cfg.platformDomain)
-
-	var (
-		identityClient *identity.Client
-		err            error
-	)
-	if cfg.platformDomain == "cyberark.cloud" {
-		identityClient, err = identity.New(ctx, cfg.subdomain)
-	} else {
-		discoveryClient := servicediscovery.New(servicediscovery.WithIntegrationEndpoint())
-		identityClient, err = identity.NewWithDiscoveryClient(ctx, discoveryClient, cfg.subdomain)
-	}
+func NewDatauploadClient(ctx context.Context, httpClient *http.Client, cfg ClientConfig) (*dataupload.CyberArkClient, error) {
+	discoveryClient := servicediscovery.New(httpClient)
+	serviceMap, err := discoveryClient.DiscoverIdentityAPIURL(ctx, cfg.subdomain)
 	if err != nil {
 		return nil, err
 	}
 
+	identityClient := identity.New(ctx, httpClient, serviceMap.IdentityEndpoint(), cfg.subdomain)
 	err = identityClient.LoginUsernamePassword(ctx, cfg.username, []byte(cfg.secret))
 	if err != nil {
 		return nil, err
 	}
-
-	cyberArkClient, err := dataupload.NewCyberArkClient(nil, serviceURL, identityClient.AuthenticateRequest)
+	cyberArkClient, err := dataupload.NewCyberArkClient(nil, serviceMap.DiscoveryContextEndpoint(), identityClient.AuthenticateRequest)
 	if err != nil {
 		return nil, err
 	}

pkg/internal/cyberark/identity/identity.go

@@ -12,10 +12,8 @@ import (
 	"time"
 
 	"github.com/cenkalti/backoff/v5"
-	"k8s.io/client-go/transport"
 	"k8s.io/klog/v2"
 
-	"github.com/jetstack/preflight/pkg/internal/cyberark/servicediscovery"
 	"github.com/jetstack/preflight/pkg/logs"
 	"github.com/jetstack/preflight/pkg/version"
 )
@@ -189,40 +187,17 @@ type Client struct {
 // token is a wrapper type for holding auth tokens we want to cache.
 type token string
 
-// New returns an initialized CyberArk Identity client using a default service discovery client.
-// NB: This function performs service discovery when called, in order to ensure that all Identity
-// clients are created with a valid Identity API URL. This function blocks on the network call to
-// the discovery service.
-func New(ctx context.Context, subdomain string) (*Client, error) {
-	return NewWithDiscoveryClient(ctx, servicediscovery.New(), subdomain)
-}
-
-// NewWithDiscoveryClient returns an initialized CyberArk Identity client using the given service discovery client.
-// NB: This function performs service discovery when called, in order to ensure that all Identity
-// clients are created with a valid Identity API URL. This function blocks on the network call to
-// the discovery service.
-func NewWithDiscoveryClient(ctx context.Context, discoveryClient *servicediscovery.Client, subdomain string) (*Client, error) {
-	if discoveryClient == nil {
-		return nil, fmt.Errorf("must provide a non-nil discovery client to the Identity Client")
-	}
-
-	endpoint, err := discoveryClient.DiscoverIdentityAPIURL(ctx, subdomain)
-	if err != nil {
-		return nil, err
-	}
-
+// New returns an initialized CyberArk Identity client
+func New(ctx context.Context, httpClient *http.Client, endpoint string, subdomain string) *Client {
 	return &Client{
-		client: &http.Client{
-			Timeout:   10 * time.Second,
-			Transport: transport.NewDebuggingRoundTripper(http.DefaultTransport, transport.DebugByContext),
-		},
+		client: httpClient,
 
 		endpoint:  endpoint,
 		subdomain: subdomain,
 
 		tokenCached:      "",
 		tokenCachedMutex: sync.Mutex{},
-	}, nil
+	}
 }
 
 // LoginUsernamePassword performs a blocking call to fetch an auth token from CyberArk Identity using the given username and password.