@wallrj-cyberark wallrj-cyberark commented Aug 27, 2025

I'm refactoring the CyberArk identity client to be less dependent on the service discovery client.
This detangles those two packages and simplifies things.

The identity client interacts with the CyberArk authentication API.
The discoveryservice client retrieves a list of the services that are enabled for a particular tenant along with the associated API URLs.

The identity client now takes an identityAPI url parameter instead of a discovery client.
So we can test it in isolation.

I'm refactoring the various CyberArk API clients, so that we can more easily pass in a shared and customized HTTP client which will be used by all of them.
Ultimately, I want to instantiate a single http_client.NewDefaultClient (from venafi-connection-lib) and supply it to all the CyberArk API wrappers. That client has a builtin retry mechanism and builtin user-agent header injection.

This also makes it easier to pass in a client that is matched to an httptest.NewTLSServer; one configured with the CA certificates to connect to the server.

Followups

Testing

export ARK_USERNAME=****
export ARK_SECRET=****
export ARK_SUBDOMAIN=tlskp-test
export ARK_PLATFORM_DOMAIN=integration-cyberark.cloud
export ARK_DISCOVERY_API=https://platform-discovery.integration-cyberark.cloud/api/v2
$ go run ./pkg/internal/cyberark/identity/cmd/testidentity/main.go  --username $ARK_USERNAME --subdomain $ARK_SUBDOMAIN
I0827 11:40:15.890540  557774 round_trippers.go:632] "Response" verb="GET" url="https://platform-discovery.integration-cyberark.cloud/api/v2/services/subdomain/tlskp-test" status="200 OK" milliseconds=242
I0827 11:40:16.677861  557774 round_trippers.go:632] "Response" verb="POST" url="https://anb5751.id.integration-cyberark.cloud/Security/StartAuthentication" status="200 OK" milliseconds=785
I0827 11:40:16.679219  557774 identity.go:303] "made successful request to StartAuthentication" source="Identity.doStartAuthentication" summary="NewPackage"
I0827 11:40:17.369865  557774 round_trippers.go:632] "Response" verb="POST" url="https://anb5751.id.integration-cyberark.cloud/Security/AdvanceAuthentication" status="200 OK" milliseconds=690
I0827 11:40:17.371148  557774 identity.go:419] "successfully completed AdvanceAuthentication request to CyberArk Identity; login complete" username="<REDACTED>"
$ go test ./pkg/internal/cyberark/dataupload/... -v -run RealAPI -args -testing.v 6
=== RUN   TestPostDataReadingsWithOptionsWithRealAPI
    round_trippers.go:632: I0827 11:43:17.911596] Response verb="GET" url="https://platform-discovery.integration-cyberark.cloud/api/v2/services/subdomain/tlskp-test" status="200 OK" milliseconds=279
    round_trippers.go:632: I0827 11:43:18.288517] Response verb="POST" url="https://anb5751.id.integration-cyberark.cloud/Security/StartAuthentication" status="200 OK" milliseconds=375
    identity.go:303: I0827 11:43:18.289432] made successful request to StartAuthentication source="Identity.doStartAuthentication" summary="NewPackage"
    round_trippers.go:632: I0827 11:43:18.716915] Response verb="POST" url="https://anb5751.id.integration-cyberark.cloud/Security/AdvanceAuthentication" status="200 OK" milliseconds=426
    identity.go:419: I0827 11:43:18.717787] successfully completed AdvanceAuthentication request to CyberArk Identity; login complete username="<REDACTED>"
    round_trippers.go:632: I0827 11:43:19.349515] Response verb="POST" url="https://tlskp-test.inventory.integration-cyberark.cloud/api/ingestions/kubernetes/snapshot-links" status="200 OK" milliseconds=631
    round_trippers.go:632: I0827 11:43:19.834370] Response verb="PUT" url="<REDACTED>" status="200 OK" milliseconds=484
--- PASS: TestPostDataReadingsWithOptionsWithRealAPI (2.20s)
PASS
ok      github.com/jetstack/preflight/pkg/internal/cyberark/dataupload  2.267s

So that we can more easily pass in an HTTP client which is configured with CA
certificates to connect to an httptest TLS server.

Signed-off-by: Richard Wall <[email protected]>
@wallrj-cyberark wallrj-cyberark merged commit 0b4b1aa into master Aug 27, 2025
2 checks passed
@wallrj-cyberark wallrj-cyberark deleted the VC-43403-identity-client branch August 27, 2025 16:09
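
The injection pattern this pull request describes, as an added example that is not the project's code: an API wrapper that receives its URL and `*http.Client` from the caller can be exercised against `httptest.NewTLSServer`, and the same call fails certificate verification when the client does not trust the test CA. The names `identityClient`, `startAuthentication` and `runAgainstTestServer` and the empty request body are hypothetical.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// identityClient is a hypothetical wrapper: the caller supplies both the
// identity API URL and the HTTP client (no discovery lookup inside).
type identityClient struct {
	apiURL string
	hc     *http.Client
}

// startAuthentication POSTs to the path seen in the PR's logs and returns
// the HTTP status code. The empty JSON body is a placeholder.
func (c identityClient) startAuthentication() (int, error) {
	resp, err := c.hc.Post(c.apiURL+"/Security/StartAuthentication",
		"application/json", strings.NewReader("{}"))
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// runAgainstTestServer calls a constructed httptest TLS server twice: with the
// server's own client (trusts the test CA) and with an empty root pool.
func runAgainstTestServer() (status int, trustedErr, untrustedErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) }))
	defer srv.Close()

	status, trustedErr = identityClient{srv.URL, srv.Client()}.startAuthentication()

	noRoots := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: x509.NewCertPool()}}}
	_, untrustedErr = identityClient{srv.URL, noRoots}.startAuthentication()
	return status, trustedErr, untrustedErr
}

func main() {
	status, trustedErr, untrustedErr := runAgainstTestServer()
	fmt.Println("trusted client:", status, trustedErr)
	fmt.Println("empty root pool:", untrustedErr)
}
```

Because the client is injected, the test never needs `InsecureSkipVerify`: trust is scoped to the test server's certificate through `srv.Client()`.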