feat: add CyberArk Identity client

This includes a bunch of testing data obtained experimentally from
testing against an integration-environment tenant.

I've confirmed that I'm able to log in using this code.

Currently, this code stores the login token and requires exactly
one username/password challenge to complete successfully.

Signed-off-by: Ashley Davis <[email protected]>

Author: SgtCoDFish

pkg/internal/cyberark/identity/advance_authentication_test.go

@@ -0,0 +1,150 @@
+package identity
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/jetstack/preflight/pkg/internal/cyberark/servicediscovery"
+)
+
+func Test_IdentityAdvanceAuthentication(t *testing.T) {
+	tests := map[string]struct {
+		username    string
+		advanceBody *advanceAuthenticationRequestBody
+
+		expectedError error
+	}{
+		"success": {
+			username: successUser,
+			advanceBody: &advanceAuthenticationRequestBody{
+				Action:          ActionAnswer,
+				Answer:          successPassword,
+				MechanismID:     successMechanismID,
+				SessionID:       successSessionID,
+				TenantID:        "foo",
+				PersistantLogin: true,
+			},
+
+			expectedError: nil,
+		},
+		"incorrect password": {
+			username: successUser,
+			advanceBody: &advanceAuthenticationRequestBody{
+				Action:          ActionAnswer,
+				Answer:          "foo",
+				MechanismID:     successMechanismID,
+				SessionID:       successSessionID,
+				TenantID:        "foo",
+				PersistantLogin: true,
+			},
+
+			expectedError: fmt.Errorf(`got a failure response from request to advance authentication: message="Authentication (login or challenge) has failed. Please try again or contact your system administrator.", error="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee:55555555555555555555555555555555"`),
+		},
+		"bad action": {
+			username: successUser,
+			advanceBody: &advanceAuthenticationRequestBody{
+				Action:          "foo",
+				Answer:          successPassword,
+				MechanismID:     successMechanismID,
+				SessionID:       successSessionID,
+				TenantID:        "foo",
+				PersistantLogin: true,
+			},
+
+			expectedError: fmt.Errorf(`got a failure response from request to advance authentication: message="Authentication (login or challenge) has failed. Please try again or contact your system administrator.", error="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee:55555555555555555555555555555555"`),
+		},
+		"bad mechanism id": {
+			username: successUser,
+			advanceBody: &advanceAuthenticationRequestBody{
+				Action:          ActionAnswer,
+				Answer:          successPassword,
+				MechanismID:     "foo",
+				SessionID:       successSessionID,
+				TenantID:        "foo",
+				PersistantLogin: true,
+			},
+
+			expectedError: fmt.Errorf(`got a failure response from request to advance authentication: message="Authentication (login or challenge) has failed. Please try again or contact your system administrator.", error="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee:55555555555555555555555555555555"`),
+		},
+		"bad session id": {
+			username: successUser,
+			advanceBody: &advanceAuthenticationRequestBody{
+				Action:          ActionAnswer,
+				Answer:          successPassword,
+				MechanismID:     successMechanismID,
+				SessionID:       "foo",
+				TenantID:        "foo",
+				PersistantLogin: true,
+			},
+
+			expectedError: fmt.Errorf(`got a failure response from request to advance authentication: message="Authentication (login or challenge) has failed. Please try again or contact your system administrator.", error="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee:55555555555555555555555555555555"`),
+		},
+		"persistant login not set": {
+			username: successUser,
+			advanceBody: &advanceAuthenticationRequestBody{
+				Action:          ActionAnswer,
+				Answer:          successPassword,
+				MechanismID:     successMechanismID,
+				SessionID:       successSessionID,
+				TenantID:        "foo",
+				PersistantLogin: false,
+			},
+
+			expectedError: fmt.Errorf("got unexpected status code 403 Forbidden from request to advance authentication in CyberArk Identity API"),
+		},
+	}
+
+	for name, testSpec := range tests {
+		t.Run(name, func(t *testing.T) {
+			ctx := context.Background()
+
+			identityServer := MockIdentityServer()
+			defer identityServer.Close()
+
+			mockDiscoveryServer := servicediscovery.MockDiscoveryServerWithCustomAPIURL(identityServer.Server.URL)
+			defer mockDiscoveryServer.Close()
+
+			discoveryClient := servicediscovery.New(servicediscovery.WithCustomEndpoint(mockDiscoveryServer.Server.URL))
+
+			client, err := NewWithDiscoveryClient(ctx, discoveryClient, servicediscovery.MockDiscoverySubdomain)
+			if err != nil {
+				t.Errorf("failed to create identity client: %s", err)
+				return
+			}
+
+			err = client.doAdvanceAuthentication(ctx, testSpec.username, testSpec.advanceBody)
+			if testSpec.expectedError != err {
+				if testSpec.expectedError == nil {
+					t.Errorf("didn't expect an error but got %v", err)
+					return
+				}
+
+				if err == nil {
+					t.Errorf("expected no error but got err=%v", testSpec.expectedError)
+					return
+				}
+
+				if err.Error() != testSpec.expectedError.Error() {
+					t.Errorf("expected err=%v\nbut got err=%v", testSpec.expectedError, err)
+					return
+				}
+			}
+
+			if testSpec.expectedError != nil {
+				return
+			}
+
+			val, ok := client.tokenCache[testSpec.username]
+
+			if !ok {
+				t.Errorf("expected token for %s to be set to %q but wasn't found", testSpec.username, mockSuccessfulStartAuthenticationToken)
+				return
+			}
+
+			if val != mockSuccessfulStartAuthenticationToken {
+				t.Errorf("expected token for %s to be set to %q but was set to %q", testSpec.username, mockSuccessfulStartAuthenticationToken, val)
+			}
+		})
+	}
+}

pkg/internal/cyberark/identity/cmd/testidentity/main.go

@@ -0,0 +1,88 @@
+package main
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"os"
+	"os/signal"
+
+	"k8s.io/klog/v2"
+
+	"github.com/jetstack/preflight/pkg/internal/cyberark/identity"
+	"github.com/jetstack/preflight/pkg/internal/cyberark/servicediscovery"
+)
+
+// This is a trivial CLI application for testing our identity client end-to-end.
+// It's not intended for distribution; it simply allows us to run our client and check
+// the login is successful.
+
+const (
+	subdomainFlag = "subdomain"
+	usernameFlag  = "username"
+	passwordEnv   = "TESTIDENTITY_PASSWORD"
+)
+
+var (
+	subdomain string
+	username  string
+)
+
+func run(ctx context.Context) error {
+	if subdomain == "" {
+		return fmt.Errorf("no %s flag provided", subdomainFlag)
+	}
+
+	if username == "" {
+		return fmt.Errorf("no %s flag provided", usernameFlag)
+	}
+
+	password := os.Getenv(passwordEnv)
+	if password == "" {
+		return fmt.Errorf("no password provided in %s", passwordEnv)
+	}
+	sdClient := servicediscovery.New(servicediscovery.WithIntegrationEndpoint())
+
+	client, err := identity.NewWithDiscoveryClient(ctx, sdClient, subdomain)
+	if err != nil {
+		return err
+	}
+
+	err = client.LoginUsernamePassword(ctx, username, []byte(password))
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func main() {
+	defer klog.Flush()
+
+	flagSet := flag.NewFlagSet("test", flag.ExitOnError)
+	klog.InitFlags(flagSet)
+	_ = flagSet.Parse([]string{"--v", "5"})
+
+	logger := klog.Background()
+
+	ctx := klog.NewContext(context.Background(), logger)
+	ctx, cancel := signal.NotifyContext(ctx, os.Interrupt)
+	defer cancel()
+
+	flag.StringVar(&subdomain, subdomainFlag, "cert-manager", "The subdomain to use for service discovery")
+	flag.StringVar(&username, usernameFlag, "",
+		fmt.Sprintf("Username to log in with. Password should be provided via %s envvar", passwordEnv),
+	)
+
+	flag.Parse()
+
+	errCode := 0
+
+	err := run(ctx)
+	if err != nil {
+		logger.Error(err, "execution failed")
+		errCode = 1
+	}
+
+	klog.FlushAndExit(klog.ExitFlushTimeout, errCode)
+}