Simplify HTPasswd identity provider to support only users array input

Remove complex multi-option input handling for HTPasswd IDP setup in favor
of single users array format for better consistency and maintainability.

Changes:
- Remove username/password parameter support
- Remove htpasswd_file_content parameter support
- Make users array parameter required
- Simplify ProcessUserInput() function signature
- Remove parseHtpasswordFile() function
- Always hash passwords (no pre-hashed support)
- Update tests to cover only users array scenarios
- Update implementation plan documentation

Benefits:
- Clearer API with single input method
- Reduced code complexity and test surface
- Better alignment with ROSA CLI patterns
- Improved maintainability

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

Author: tiwillia

CLAUDE.md

@@ -103,19 +103,17 @@ The HTPasswd identity provider implementation (`setup_htpasswd_identity_provider
 - `UsernameValidator()` - Username format validation (no /, :, % characters)
 - `clusterAdminValidator()` - Reserved username check (prevents "cluster-admin")
 - `ValidateIdpName()` - IDP name validation with regex pattern matching
-- `parseHtpasswordFile()` - HTPasswd file parsing for base64 encoded content
-- `ProcessUserInput()` - Handles multiple input formats (users array, single user, htpasswd file)
+- `ProcessUserInput()` - Simplified to handle only users array format
 
 **Validation Flow:**
 1. IDP name validation using ROSA CLI regex patterns
 2. Username/password validation with ROSA CLI rules
-3. Password hashing with `ocm-common` utilities
+3. Password hashing with `ocm-common` utilities (always hash passwords)
 4. OCM API integration following ROSA CLI error handling patterns
 
-**Input Compatibility:**
-- Users array format: `["user1:password1", "user2:password2"]`
-- Single user format: `username` + `password` parameters (backward compatibility)
-- HTPasswd file format: Base64-encoded htpasswd file content
+**Input Format (Simplified):**
+- Users array format: `["user1:password1", "user2:password2"]` (required parameter)
+- Removed backward compatibility for single user and htpasswd file formats for better consistency
 
 ## Development Notes
 

README.md

@@ -221,19 +221,8 @@ Setup an HTPasswd identity provider for a ROSA HCP cluster with username/passwor
     },
     "users": {
       "type": "array",
-      "description": "List of username:password pairs [\"user1:password1\", \"user2:password2\"]"
-    },
-    "username": {
-      "type": "string",
-      "description": "Single user username (for backward compatibility)"
-    },
-    "password": {
-      "type": "string",
-      "description": "Single user password (for backward compatibility)"
-    },
-    "htpasswd_file_content": {
-      "type": "string",
-      "description": "Base64-encoded htpasswd file content"
+      "description": "List of username:password pairs [\"user1:password1\", \"user2:password2\"]",
+      "required": true
     },
     "overwrite_existing": {
       "type": "boolean",

pkg/htpasswd/validation.go

@@ -1,7 +1,6 @@
 package htpasswd
 
 import (
-	"encoding/base64"
 	"fmt"
 	"regexp"
 	"strings"
@@ -70,73 +69,29 @@ func validateHtUsernameAndPassword(username, password string) error {
 	return nil
 }
 
-// parseHtpasswordFile - copied from rosa/cmd/create/idp/htpasswd.go:281
-func parseHtpasswordFile(usersList *map[string]string, fileContent string) error {
-	lines := strings.Split(fileContent, "\n")
-	for _, line := range lines {
-		line = strings.TrimSpace(line)
-		if line == "" {
-			continue
-		}
-
-		// split "user:password" at colon
-		username, password, found := strings.Cut(line, ":")
-		if !found || username == "" || password == "" {
-			return fmt.Errorf("Malformed line, Expected: validUsername:validPassword, Got: %s", line)
-		}
-
-		(*usersList)[username] = password
-	}
-	return nil
-}
-
-// ProcessUserInput - processes MCP tool parameters using ROSA CLI patterns
-func ProcessUserInput(userInput map[string]interface{}) (map[string]string, bool, error) {
+// ProcessUserInput - processes MCP tool parameters using ROSA CLI patterns (simplified to users array only)
+func ProcessUserInput(userInput map[string]interface{}) (map[string]string, error) {
 	userList := make(map[string]string)
-	isHashedPassword := false
-
-	// Option 1: users array (comma-separated list like ROSA CLI)
-	if users, ok := userInput["users"].([]interface{}); ok && len(users) > 0 {
-		for _, user := range users {
-			userStr, ok := user.(string)
-			if !ok {
-				return nil, false, fmt.Errorf("invalid user format, expected string")
-			}
-			username, password, found := strings.Cut(userStr, ":")
-			if !found {
-				return nil, false, fmt.Errorf("users should be provided in format username:password")
-			}
-			userList[username] = password
-		}
-		return userList, false, nil
-	}
 
-	// Option 2: single username/password (ROSA CLI backward compatibility)
-	if username, hasUsername := userInput["username"].(string); hasUsername {
-		if password, hasPassword := userInput["password"].(string); hasPassword {
-			userList[username] = password
-			return userList, false, nil
-		}
-		return nil, false, fmt.Errorf("password required when username is provided")
+	// Only support users array format
+	users, ok := userInput["users"].([]interface{})
+	if !ok || len(users) == 0 {
+		return nil, fmt.Errorf("'users' parameter is required: provide list of username:password pairs")
 	}
 
-	// Option 3: htpasswd file content
-	if fileContent, ok := userInput["htpasswd_file_content"].(string); ok && fileContent != "" {
-		// Decode base64 content
-		decoded, err := base64.StdEncoding.DecodeString(fileContent)
-		if err != nil {
-			return nil, false, fmt.Errorf("failed to decode htpasswd file content: %w", err)
+	for _, user := range users {
+		userStr, ok := user.(string)
+		if !ok {
+			return nil, fmt.Errorf("invalid user format, expected string")
 		}
-
-		// Use ROSA CLI parsing function
-		if err := parseHtpasswordFile(&userList, string(decoded)); err != nil {
-			return nil, false, fmt.Errorf("failed to parse htpasswd file: %w", err)
+		username, password, found := strings.Cut(userStr, ":")
+		if !found || username == "" || password == "" {
+			return nil, fmt.Errorf("users should be provided in format username:password")
 		}
-		isHashedPassword = true // htpasswd files contain pre-hashed passwords
-		return userList, isHashedPassword, nil
+		userList[username] = password
 	}
-
-	return nil, false, fmt.Errorf("no user input provided: specify 'users', 'username'+'password', or 'htpasswd_file_content'")
+	
+	return userList, nil
 }
 
 // ValidateUserCredentials - validates username and password using ROSA CLI validation

pkg/htpasswd/validation_test.go

@@ -1,7 +1,6 @@
 package htpasswd
 
 import (
-	"encoding/base64"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -120,77 +119,10 @@ func TestValidateUserCredentials(t *testing.T) {
 	}
 }
 
-func TestParseHtpasswordFile(t *testing.T) {
-	testCases := []struct {
-		content     string
-		expected    map[string]string
-		expectError bool
-		description string
-	}{
-		{
-			"user1:password1\nuser2:password2",
-			map[string]string{"user1": "password1", "user2": "password2"},
-			false,
-			"valid htpasswd content",
-		},
-		{
-			"user1:password1\n\nuser2:password2\n",
-			map[string]string{"user1": "password1", "user2": "password2"},
-			false,
-			"htpasswd content with empty lines",
-		},
-		{
-			"user1:$apr1$hRY7OJWH$km1EYH.UIRjp6CzfZQz/g1",
-			map[string]string{"user1": "$apr1$hRY7OJWH$km1EYH.UIRjp6CzfZQz/g1"},
-			false,
-			"htpasswd with hashed password",
-		},
-		{
-			"invalid_line_without_colon",
-			nil,
-			true,
-			"malformed line without colon",
-		},
-		{
-			"user1:\nuser2:password2",
-			nil,
-			true,
-			"empty password",
-		},
-		{
-			":password1",
-			nil,
-			true,
-			"empty username",
-		},
-		{
-			"",
-			map[string]string{},
-			false,
-			"empty content",
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.description, func(t *testing.T) {
-			usersList := make(map[string]string)
-			err := parseHtpasswordFile(&usersList, tc.content)
-			
-			if tc.expectError {
-				assert.Error(t, err, "Expected error for content: %s", tc.content)
-			} else {
-				assert.NoError(t, err, "Expected no error for content: %s", tc.content)
-				assert.Equal(t, tc.expected, usersList, "Expected parsed users to match")
-			}
-		})
-	}
-}
-
 func TestProcessUserInput(t *testing.T) {
 	testCases := []struct {
 		input           map[string]interface{}
 		expectedUsers   map[string]string
-		expectedHashed  bool
 		expectError     bool
 		description     string
 	}{
@@ -200,75 +132,57 @@ func TestProcessUserInput(t *testing.T) {
 			},
 			map[string]string{"user1": "password1", "user2": "password2"},
 			false,
-			false,
 			"users array input",
 		},
 		{
 			map[string]interface{}{
-				"username": "testuser",
-				"password": "testpassword",
-			},
-			map[string]string{"testuser": "testpassword"},
-			false,
-			false,
-			"single username/password input",
-		},
-		{
-			map[string]interface{}{
-				"htpasswd_file_content": base64.StdEncoding.EncodeToString([]byte("user1:$apr1$hash1\nuser2:$apr1$hash2")),
+				"users": []interface{}{"invalid_user_without_colon"},
 			},
-			map[string]string{"user1": "$apr1$hash1", "user2": "$apr1$hash2"},
+			nil,
 			true,
-			false,
-			"htpasswd file content input",
+			"invalid users array format",
 		},
 		{
-			map[string]interface{}{
-				"username": "testuser",
-				// missing password
-			},
+			map[string]interface{}{},
 			nil,
-			false,
 			true,
-			"username without password",
+			"no users parameter provided",
 		},
 		{
 			map[string]interface{}{
-				"users": []interface{}{"invalid_user_without_colon"},
+				"users": []interface{}{},
 			},
 			nil,
-			false,
 			true,
-			"invalid users array format",
+			"empty users array",
 		},
 		{
 			map[string]interface{}{
-				"htpasswd_file_content": "invalid_base64",
+				"users": []interface{}{123},
 			},
 			nil,
-			false,
 			true,
-			"invalid base64 htpasswd content",
+			"invalid user type in array",
 		},
 		{
-			map[string]interface{}{},
+			map[string]interface{}{
+				"users": []interface{}{"user1:password1", "user2:"},
+			},
 			nil,
-			false,
 			true,
-			"no user input provided",
+			"user with empty password",
 		},
 	}
 
 	for _, tc := range testCases {
 		t.Run(tc.description, func(t *testing.T) {
-			users, isHashed, err := ProcessUserInput(tc.input)
+			users, err := ProcessUserInput(tc.input)
 
 			if tc.expectError {
 				assert.Error(t, err, "Expected error for input: %v", tc.input)
 			} else {
 				assert.NoError(t, err, "Expected no error for input: %v", tc.input)
 				assert.Equal(t, tc.expectedUsers, users, "Expected users to match")
-				assert.Equal(t, tc.expectedHashed, isHashed, "Expected hashed flag to match")
 			}
 		})
 	}

pkg/mcp/tools.go

@@ -73,10 +73,7 @@ HTPasswd is a common identity provider for development and testing environments.
 			mcp.WithString("cluster_id", mcp.Description("Target cluster identifier"), mcp.Required()),
 			mcp.WithString("name", mcp.Description("Identity provider name"), mcp.DefaultString("htpasswd")),
 			mcp.WithString("mapping_method", mcp.Description("User mapping method - options: add, claim, generate, lookup"), mcp.DefaultString("claim")),
-			mcp.WithArray("users", mcp.Description("List of username:password pairs [\"user1:password1\", \"user2:password2\"]")),
-			mcp.WithString("username", mcp.Description("Single user username (for backward compatibility)")),
-			mcp.WithString("password", mcp.Description("Single user password (for backward compatibility)")),
-			mcp.WithString("htpasswd_file_content", mcp.Description("Base64-encoded htpasswd file content")),
+			mcp.WithArray("users", mcp.Description("List of username:password pairs [\"user1:password1\", \"user2:password2\"]"), mcp.Required()),
 			mcp.WithBoolean("overwrite_existing", mcp.Description("Whether to overwrite if IDP with same name exists"), mcp.DefaultBool(false)),
 			mcp.WithReadOnlyHintAnnotation(false),
 			mcp.WithDestructiveHintAnnotation(false),

pkg/ocm/htpasswd.go

@@ -69,31 +69,29 @@ func (c *Client) SetupHTPasswdIdentityProvider(
 		}
 	}
 
-	// Step 4: Process user input using ROSA CLI patterns
-	userList, isHashedPassword, err := htpasswd.ProcessUserInput(userInput)
+	// Step 4: Process user input using simplified validation
+	userList, err := htpasswd.ProcessUserInput(userInput)
 	if err != nil {
 		return nil, fmt.Errorf("failed to process user input: %w", err)
 	}
 
-	// Step 5: Build HTPasswd user list using ROSA CLI pattern
+	// Step 5: Build HTPasswd user list (always hash passwords)
 	htpasswdUsers := []*cmv1.HTPasswdUserBuilder{}
 	for username, password := range userList {
 		// Validate each user using ROSA CLI validation
 		if err := htpasswd.ValidateUserCredentials(username, password); err != nil {
 			return nil, fmt.Errorf("invalid user credentials for '%s': %w", username, err)
 		}
 
-		userBuilder := cmv1.NewHTPasswdUser().Username(username)
-		if isHashedPassword {
-			userBuilder.HashedPassword(password)
-		} else {
-			// Use ROSA CLI password hashing
-			hashedPwd, err := idputils.GenerateHTPasswdCompatibleHash(password)
-			if err != nil {
-				return nil, fmt.Errorf("failed to hash password for user '%s': %w", username, err)
-			}
-			userBuilder.HashedPassword(hashedPwd)
+		// Always hash passwords using ROSA CLI method
+		hashedPwd, err := idputils.GenerateHTPasswdCompatibleHash(password)
+		if err != nil {
+			return nil, fmt.Errorf("failed to hash password for user '%s': %w", username, err)
 		}
+		
+		userBuilder := cmv1.NewHTPasswdUser().
+			Username(username).
+			HashedPassword(hashedPwd)
 		htpasswdUsers = append(htpasswdUsers, userBuilder)
 	}