add cyberark client and mock server

inteon · inteon · commit 7acd5c9a6e8e · 2025-06-11T18:02:17.000+02:00
Signed-off-by: Tim Ramlot &lt;42113979+inteon@users.noreply.github.com&gt;
diff --git a/pkg/client/client_cyberark.go b/pkg/client/client_cyberark.go
@@ -0,0 +1,142 @@
+package client
+
+import (
+	"bytes"
+	"context"
+	"crypto/x509"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"time"
+
+	"k8s.io/client-go/transport"
+
+	"github.com/jetstack/preflight/api"
+	"github.com/jetstack/preflight/pkg/version"
+)
+
+type CyberArkClient struct {
+	baseURL string
+
+	// Used to make HTTP requests to CyberArk.
+	Client *http.Client
+}
+
+func NewCyberArkClient(trustedCAs *x509.CertPool, baseURL string) (*CyberArkClient, error) {
+	cyberClient := &http.Client{}
+	tr := http.DefaultTransport.(*http.Transport).Clone()
+	if trustedCAs != nil {
+		tr.TLSClientConfig.RootCAs = trustedCAs
+	}
+	cyberClient.Transport = transport.DebugWrappers(tr)
+
+	return &CyberArkClient{
+		baseURL: baseURL,
+		Client:  cyberClient,
+	}, nil
+}
+
+// `opts.ClusterName` and `opts.ClusterDescription` are the only values used
+// from the Options struct. OrgID and ClusterID are not used by CyberArk.
+func (c *CyberArkClient) PostDataReadingsWithOptions(ctx context.Context, readings []*api.DataReading, opts Options) error {
+	if opts.ClusterName == "" {
+		return fmt.Errorf("programmer mistake: the cluster name (aka `cluster_id` in the config file) cannot be left empty")
+	}
+
+	presignedUploadURL, err := c.retrievePresignedUploadURL(ctx, "TODO-token", "TODO-checksum", opts)
+	if err != nil {
+		return err
+	}
+
+	// POST to presigned URL
+	payload := api.DataReadingsPost{
+		AgentMetadata:  nil,
+		DataGatherTime: time.Now().UTC(),
+		DataReadings:   readings,
+	}
+
+	encodedBody := &bytes.Buffer{}
+	if err := json.NewEncoder(encodedBody).Encode(payload); err != nil {
+		return err
+	}
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, presignedUploadURL, encodedBody)
+	if err != nil {
+		return err
+	}
+
+	req.Header.Set("Content-Type", "application/json")
+	version.SetUserAgent(req)
+
+	res, err := c.Client.Do(req)
+	if err != nil {
+		return err
+	}
+	defer res.Body.Close()
+
+	if code := res.StatusCode; code < 200 || code >= 300 {
+		errorContent := ""
+		body, _ := io.ReadAll(res.Body)
+		if body != nil {
+			errorContent = string(body)
+		}
+
+		return fmt.Errorf("received response with status code %d. Body: [%s]", code, errorContent)
+	}
+
+	return nil
+}
+
+// POST to api/data/kubernetes/upload and retrieve presigned URL
+func (c *CyberArkClient) retrievePresignedUploadURL(ctx context.Context, token string, checksum string, opts Options) (string, error) {
+	request := struct {
+		ClusterID          string `json:"cluster_id"`
+		ClusterDescription string `json:"Cluster_description"`
+		Checksum           string `json:"checksum_sha256"`
+	}{
+		ClusterID:          opts.ClusterName,
+		ClusterDescription: opts.ClusterDescription,
+		Checksum:           checksum,
+	}
+
+	encodedBody := &bytes.Buffer{}
+	if err := json.NewEncoder(encodedBody).Encode(request); err != nil {
+		return "", err
+	}
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, fullURL(c.baseURL, "/api/data/kubernetes/upload"), encodedBody)
+	if err != nil {
+		return "", err
+	}
+
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
+	version.SetUserAgent(req)
+
+	res, err := c.Client.Do(req)
+	if err != nil {
+		return "", err
+	}
+	defer res.Body.Close()
+
+	if code := res.StatusCode; code < 200 || code >= 300 {
+		errorContent := ""
+		body, _ := io.ReadAll(res.Body)
+		if body != nil {
+			errorContent = string(body)
+		}
+
+		return "", fmt.Errorf("received response with status code %d. Body: [%s]", code, errorContent)
+	}
+
+	response := struct {
+		URL string `json:"url"`
+	}{}
+
+	if err := json.NewDecoder(res.Body).Decode(&response); err != nil {
+		return "", err
+	}
+
+	return response.URL, nil
+}
diff --git a/pkg/client/client_cyberark_test.go b/pkg/client/client_cyberark_test.go
@@ -0,0 +1,181 @@
+package client_test
+
+import (
+	"context"
+	"crypto/x509"
+	"encoding/json"
+	"encoding/pem"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/jetstack/preflight/api"
+	"github.com/jetstack/preflight/pkg/client"
+)
+
+func TestCyberArkClient_PostDataReadingsWithOptions(t *testing.T) {
+	type testCase struct {
+		name      string
+		handler   http.Handler
+		readings  []*api.DataReading
+		opts      client.Options
+		assertion func(t *testing.T, err error)
+	}
+
+	defaultReadings := []*api.DataReading{
+		{
+			ClusterID:     "test-cluster",
+			DataGatherer:  "test-gatherer",
+			Timestamp:     api.Time{Time: time.Now()},
+			Data:          map[string]interface{}{"test": "data"},
+			SchemaVersion: "v1",
+		},
+	}
+	defaultOpts := client.Options{
+		ClusterName:        "test-cluster",
+		ClusterDescription: "Test cluster description",
+	}
+
+	tests := []testCase{
+		{
+			name: "successful upload",
+			handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				switch r.URL.Path {
+				case "/api/data/kubernetes/upload":
+					assert.Equal(t, "application/json", r.Header.Get("Content-Type"))
+					assert.Equal(t, "Bearer TODO-token", r.Header.Get("Authorization"))
+					body, err := io.ReadAll(r.Body)
+					require.NoError(t, err)
+					var req struct {
+						ClusterID          string `json:"cluster_id"`
+						ClusterDescription string `json:"Cluster_description"`
+						Checksum           string `json:"checksum_sha256"`
+					}
+					err = json.Unmarshal(body, &req)
+					require.NoError(t, err)
+					assert.Equal(t, "test-cluster", req.ClusterID)
+					assert.Equal(t, "Test cluster description", req.ClusterDescription)
+					assert.Equal(t, "TODO-checksum", req.Checksum)
+					presignedURL := "https://" + r.Host + "/presigned-upload"
+					w.Header().Set("Content-Type", "application/json")
+					require.NoError(t, json.NewEncoder(w).Encode(struct {
+						URL string `json:"url"`
+					}{presignedURL}))
+				case "/presigned-upload":
+					assert.Equal(t, "application/json", r.Header.Get("Content-Type"))
+					body, err := io.ReadAll(r.Body)
+					require.NoError(t, err)
+					var payload api.DataReadingsPost
+					err = json.Unmarshal(body, &payload)
+					require.NoError(t, err)
+					assert.Nil(t, payload.AgentMetadata)
+					assert.NotZero(t, payload.DataGatherTime)
+					assert.Len(t, payload.DataReadings, 1)
+					assert.Equal(t, "test-cluster", payload.DataReadings[0].ClusterID)
+					assert.Equal(t, "test-gatherer", payload.DataReadings[0].DataGatherer)
+					w.WriteHeader(http.StatusOK)
+				default:
+					t.Errorf("Unexpected request path: %s", r.URL.Path)
+					w.WriteHeader(http.StatusNotFound)
+				}
+			}),
+			readings: defaultReadings,
+			opts:     defaultOpts,
+			assertion: func(t *testing.T, err error) {
+				assert.NoError(t, err)
+			},
+		},
+		{
+			name:     "error when cluster name is empty",
+			handler:  http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}),
+			readings: defaultReadings,
+			opts:     client.Options{ClusterName: ""},
+			assertion: func(t *testing.T, err error) {
+				assert.Error(t, err)
+				assert.Contains(t, err.Error(), "programmer mistake: the cluster name (aka `cluster_id` in the config file) cannot be left empty")
+			},
+		},
+		{
+			name: "error when presigned URL request fails",
+			handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				if r.URL.Path == "/api/data/kubernetes/upload" {
+					w.WriteHeader(http.StatusInternalServerError)
+					_, _ = w.Write([]byte("Internal server error"))
+					return
+				}
+				w.WriteHeader(http.StatusNotFound)
+			}),
+			readings: defaultReadings,
+			opts:     defaultOpts,
+			assertion: func(t *testing.T, err error) {
+				assert.Error(t, err)
+				assert.Contains(t, err.Error(), "received response with status code 500. Body: [Internal server error]")
+			},
+		},
+		{
+			name: "error when upload to presigned URL fails",
+			handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				if r.URL.Path == "/api/data/kubernetes/upload" {
+					presignedURL := "https://" + r.Host + "/presigned-upload"
+					require.NoError(t, json.NewEncoder(w).Encode(struct {
+						URL string `json:"url"`
+					}{presignedURL}))
+					return
+				}
+				if r.URL.Path == "/presigned-upload" {
+					w.WriteHeader(http.StatusBadRequest)
+					_, _ = w.Write([]byte("Bad request"))
+					return
+				}
+				w.WriteHeader(http.StatusNotFound)
+			}),
+			readings: defaultReadings,
+			opts:     defaultOpts,
+			assertion: func(t *testing.T, err error) {
+				assert.Error(t, err)
+				assert.Contains(t, err.Error(), "received response with status code 400. Body: [Bad request]")
+			},
+		},
+		{
+			name: "error when presigned URL response is invalid JSON",
+			handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				if r.URL.Path == "/api/data/kubernetes/upload" {
+					w.Header().Set("Content-Type", "application/json")
+					_, _ = w.Write([]byte("invalid json"))
+					return
+				}
+				w.WriteHeader(http.StatusNotFound)
+			}),
+			readings: defaultReadings,
+			opts:     defaultOpts,
+			assertion: func(t *testing.T, err error) {
+				assert.Error(t, err)
+				assert.Contains(t, err.Error(), "invalid character")
+			},
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			server := httptest.NewTLSServer(tc.handler)
+			defer server.Close()
+
+			certPool := x509.NewCertPool()
+			require.True(t, certPool.AppendCertsFromPEM(pem.EncodeToMemory(&pem.Block{
+				Type:  "CERTIFICATE",
+				Bytes: server.TLS.Certificates[0].Certificate[0],
+			})))
+
+			cyberArkClient, err := client.NewCyberArkClient(certPool, server.URL)
+			require.NoError(t, err)
+
+			postErr := cyberArkClient.PostDataReadingsWithOptions(context.TODO(), tc.readings, tc.opts)
+			tc.assertion(t, postErr)
+		})
+	}
+}
