APIGOV-32516 - improve IDP lifecycle and credential handler

- Add GetAPIServerVersionURL() to CentralConfig for version-level API paths
- Refactor to manage idp and idp metadata resources and use tokenEndpoint for lookups
- Changes to manage provisioning/deprovisioning external mode credentials

Author: vivekschauhan

pkg/agent/handler/credential.go

@@ -223,7 +223,7 @@ func (h *credentials) onDeleting(ctx context.Context, cred *management.Credentia
 
 func (h *credentials) deprovisionPostProcess(status prov.RequestStatus, provCreds *provCreds, logger log.FieldLogger, ctx context.Context, cred *management.Credential) {
 	if status.GetStatus() == prov.Success {
-		if provCreds.IsIDPCredential() {
+		if provCreds.IsIDPCredential() && !isExternalCredential(cred) {
 			err := provCreds.idpProvisioner.UnregisterClient()
 			if err != nil {
 				logger.
@@ -339,19 +339,22 @@ func (h *credentials) provisionPostProcess(status prov.RequestStatus, credential
 	var err error
 	data := map[string]interface{}{}
 	idpAgentDetails := make(map[string]string)
+	isExternal := isExternalCredential(cred)
 	if status.GetStatus() == prov.Success {
 		credentialData := h.getProvisionedCredentialData(provCreds, credentialData)
 		if credentialData != nil {
-			sec := app.Spec.Security
-			d := credentialData.GetData()
-			if crd.Spec.Provision == nil {
-				data = d
-			} else if d != nil {
-				data, err = h.encryptSchema(
-					crd.Spec.Provision.Schema,
-					d,
-					sec.EncryptionKey, sec.EncryptionAlgorithm, sec.EncryptionHash,
-				)
+			if !isExternal {
+				sec := app.Spec.Security
+				d := credentialData.GetData()
+				if crd.Spec.Provision == nil {
+					data = d
+				} else if d != nil {
+					data, err = h.encryptSchema(
+						crd.Spec.Provision.Schema,
+						d,
+						sec.EncryptionKey, sec.EncryptionAlgorithm, sec.EncryptionHash,
+					)
+				}
 			}
 			if provCreds.IsIDPCredential() {
 				idpAgentDetails, err = provCreds.idpProvisioner.GetAgentDetails()
@@ -387,6 +390,14 @@ func (h *credentials) provisionPostProcess(status prov.RequestStatus, credential
 
 	h.processCredentialLevelSuccess(provCreds, cred)
 
+	if isExternal {
+		cred.SubResources = map[string]interface{}{
+			defs.XAgentDetails: util.GetAgentDetails(cred),
+			"state":            cred.State,
+		}
+		return
+	}
+
 	cred.SubResources = map[string]interface{}{
 		defs.XAgentDetails: util.GetAgentDetails(cred),
 		"data":             cred.Data,

pkg/agent/idplifecycle.go

@@ -1,7 +1,6 @@
 package agent
 
 import (
-	"fmt"
 	"sync"
 
 	management "github.com/Axway/agent-sdk/pkg/apic/apiserver/models/management/v1alpha1"
@@ -43,7 +42,7 @@ func manageIDPResource(idpLogger log.FieldLogger, idp config.IDPConfig) string {
 		return ""
 	}
 
-	name := manageIDPResourceFromMetadata(idpLogger, idp, provider.GetMetadata())
+	name := manageIDPResourceFromMetadata(idpLogger, idp, "", provider.GetMetadata())
 	if name == "" {
 		idpLogger.Warn("IdentityProvider resource could not be created or found; CRD will be registered without an IdentityProvider reference")
 		return ""
@@ -65,7 +64,7 @@ func manageIDPResourceWithMetadata(idpLogger log.FieldLogger, idp config.IDPConf
 
 	idpLogger = idpLogger.WithField("environmentName", agent.cfg.GetEnvironmentName())
 
-	name := manageIDPResourceFromMetadata(idpLogger, idp, metadata)
+	name := manageIDPResourceFromMetadata(idpLogger, idp, "", metadata)
 	if name != "" {
 		GetAuthProviderRegistry().SetIDPResourceName(idp.GetMetadataURL(), name)
 	}
@@ -76,7 +75,7 @@ func manageIDPResourceWithMetadata(idpLogger log.FieldLogger, idp config.IDPConf
 // pre-resolved metadata. Public entry point for agents like v7 that supply metadata
 // directly without a discovery URL.
 // Returns the Engage IdentityProvider resource name, or empty string on failure.
-func ManageIDPResource(idpLogger log.FieldLogger, metadata *oauth.AuthorizationServerMetadata) string {
+func ManageIDPResource(idpLogger log.FieldLogger, idpName string, metadata *oauth.AuthorizationServerMetadata) string {
 	if metadata == nil {
 		idpLogger.Error("metadata is nil; cannot manage IdentityProvider resource")
 		return ""
@@ -88,25 +87,8 @@ func ManageIDPResource(idpLogger log.FieldLogger, metadata *oauth.AuthorizationS
 		return name
 	}
 
-	// try finding IdentityProviderMetadata in Engage by token endpoint; scope name is the IdP resource name
-	existing, err := agent.apicClient.GetAPIV1ResourceInstances(
-		map[string]string{"query": fmt.Sprintf("spec.tokenEndpoint==\"%s\"", metadata.TokenEndpoint)},
-		management.NewIdentityProviderMetadata("", "").GetKindLink(),
-	)
-	if err == nil && len(existing) > 0 {
-		// IdentityProviderMetadata is scoped under IdentityProvider; scope name is the IdP resource name
-		name := existing[0].Metadata.Scope.Name
-		if name != "" {
-			// store by token endpoint so subsequent calls skip the API lookup
-			setIDPMetadataResourceName(metadata.TokenEndpoint, name)
-			idpLogger.WithField("name", name).Info("found existing IdentityProvider resource in Engage via IdP metadata")
-			return name
-		}
-		idpLogger.Warn("IdentityProviderMetadata found in Engage but scope name is empty; falling through to create")
-	}
-
-	// not found in cache or Engage — create the IdP resource and cache it by token endpoint
-	name := manageIDPResourceFromMetadata(idpLogger, nil, metadata)
+	// not found in cache — create the IdP resource and cache it by token endpoint
+	name := manageIDPResourceFromMetadata(idpLogger, nil, idpName, metadata)
 	if name != "" {
 		setIDPMetadataResourceName(metadata.TokenEndpoint, name)
 	}
@@ -115,20 +97,21 @@ func ManageIDPResource(idpLogger log.FieldLogger, metadata *oauth.AuthorizationS
 
 // manageIDPResourceFromMetadata is the shared internal entry point for both paths.
 // idpCfg is passed to the IDPResourceBuilder when a supplier is registered; may be nil for the v7 path.
-func manageIDPResourceFromMetadata(idpLogger log.FieldLogger, idpCfg config.IDPConfig, metadata *oauth.AuthorizationServerMetadata) string {
+func manageIDPResourceFromMetadata(idpLogger log.FieldLogger, idpCfg config.IDPConfig, idpName string, metadata *oauth.AuthorizationServerMetadata) string {
 	if metadata == nil {
 		idpLogger.Error("metadata is nil; cannot manage IdentityProvider resource")
 		return ""
 	}
 
 	idpLogger = idpLogger.WithField("issuer", metadata.Issuer)
 
-	idpName := metadata.Issuer
+	idpType := oauth.TypeGeneric
 	if idpCfg != nil {
 		idpName = idpCfg.GetIDPName()
+		idpType = idpCfg.GetIDPType()
 	}
 
-	name, err := newLifecycle().CreateEngageResourcesFromMetadata(idpLogger, idpCfg, idpName, metadata, agent.cfg.GetEnvironmentURL(), getEnvCredentialPolicies(idpLogger))
+	name, err := newLifecycle().CreateEngageResourcesFromMetadata(idpLogger, idpCfg, idpType, idpName, metadata, agent.cfg.GetAPIServerVersionURL(), getEnvCredentialPolicies(idpLogger))
 	if err != nil {
 		idpLogger.WithError(err).Warn("unable to create or find IdentityProvider resource in Engage")
 		return ""

pkg/agent/idplifecycle_test.go

@@ -153,7 +153,7 @@ func TestManageIDPResourceExistingFound(t *testing.T) {
 	for name, tc := range tests {
 		tc := tc
 		t.Run(name, func(t *testing.T) {
-			existingRI := idpInstanceRI(tc.existingName)
+			existingRI := idpMetadataInstanceRI(tc.existingName)
 			createCalled := false
 			subResourceCalled := false
 
@@ -677,7 +677,7 @@ func TestManageIDPResourceWithMetadataExistingFound(t *testing.T) {
 			createCount := 0
 			apicClient := &mock.Client{
 				GetAPIV1ResourceInstancesMock: func(_ map[string]string, _ string) ([]*apiv1.ResourceInstance, error) {
-					return []*apiv1.ResourceInstance{idpInstanceRI(tc.existingName)}, nil
+					return []*apiv1.ResourceInstance{idpMetadataInstanceRI(tc.existingName)}, nil
 				},
 				CreateOrUpdateResourceMock: func(ri apiv1.Interface) (*apiv1.ResourceInstance, error) {
 					createCount++
@@ -851,8 +851,8 @@ func TestManageIDPResource(t *testing.T) {
 		wantCachedAfter        bool
 	}{
 		"nil metadata returns empty without any API call": {
-			metadata:     nil,
-			assertResult: func(t *testing.T, result string) { assert.Empty(t, result) },
+			metadata:       nil,
+			assertResult:   func(t *testing.T, result string) { assert.Empty(t, result) },
 			wantQueryCount: 0,
 		},
 		"local cache hit skips Engage query and returns cached name": {
@@ -862,49 +862,27 @@ func TestManageIDPResource(t *testing.T) {
 			wantQueryCount:   0,
 			wantCachedAfter:  true,
 		},
-		"Engage query finds IdentityProviderMetadata with non-empty scope name": {
-			metadata:               testMeta,
-			tokenEndpointInstances: []*apiv1.ResourceInstance{idpMetadataInstanceRI("found-idp")},
-			assertResult:           func(t *testing.T, result string) { assert.Equal(t, "found-idp", result) },
-			wantQueryCount:         1,
-			wantCachedAfter:        true,
-		},
-		"Engage query finds result with empty scope name falls through to create": {
-			metadata:               testMeta,
-			tokenEndpointInstances: []*apiv1.ResourceInstance{idpMetadataInstanceRI("")},
-			metadataURLInstances:   []*apiv1.ResourceInstance{},
-			assertResult:           func(t *testing.T, result string) { assert.NotEmpty(t, result) },
-			wantQueryCount:         2,
-			wantCreateCalled:       true,
-			wantCachedAfter:        true,
-		},
-		"Engage query error falls through to create": {
-			metadata:             testMeta,
-			tokenEndpointErr:     errors.New("query error"),
-			metadataURLInstances: []*apiv1.ResourceInstance{},
-			assertResult:         func(t *testing.T, result string) { assert.NotEmpty(t, result) },
-			wantQueryCount:       2,
-			wantCreateCalled:     true,
-			wantCachedAfter:      true,
+		"creates resource when not in cache": {
+			metadata:         testMeta,
+			assertResult:     func(t *testing.T, result string) { assert.NotEmpty(t, result) },
+			wantQueryCount:   1,
+			wantCreateCalled: true,
+			wantCachedAfter:  true,
 		},
-		"not in cache or Engage creates resource and caches by token endpoint": {
-			metadata:               testMeta,
-			tokenEndpointInstances: []*apiv1.ResourceInstance{},
-			metadataURLInstances:   []*apiv1.ResourceInstance{},
-			assertResult:           func(t *testing.T, result string) { assert.NotEmpty(t, result) },
-			wantQueryCount:         2,
-			wantCreateCalled:       true,
-			wantCachedAfter:        true,
+		"creates and caches resource when not in cache": {
+			metadata:         testMeta,
+			assertResult:     func(t *testing.T, result string) { assert.NotEmpty(t, result) },
+			wantQueryCount:   1,
+			wantCreateCalled: true,
+			wantCachedAfter:  true,
 		},
 		"create failure returns empty name and nothing cached": {
-			metadata:               testMeta,
-			tokenEndpointInstances: []*apiv1.ResourceInstance{},
-			metadataURLInstances:   []*apiv1.ResourceInstance{},
-			createErr:              errors.New("create failed"),
-			assertResult:           func(t *testing.T, result string) { assert.Empty(t, result) },
-			wantQueryCount:         2,
-			wantCreateCalled:       true,
-			wantCachedAfter:        false,
+			metadata:         testMeta,
+			createErr:        errors.New("create failed"),
+			assertResult:     func(t *testing.T, result string) { assert.Empty(t, result) },
+			wantQueryCount:   1,
+			wantCreateCalled: true,
+			wantCachedAfter:  false,
 		},
 	}
 
@@ -949,7 +927,7 @@ func TestManageIDPResource(t *testing.T) {
 				setIDPMetadataResourceName(testMeta.TokenEndpoint, tc.preloadCacheName)
 			}
 
-			result := ManageIDPResource(logger, tc.metadata)
+			result := ManageIDPResource(logger, testIDPName, tc.metadata)
 
 			tc.assertResult(t, result)
 			assert.Equal(t, tc.wantQueryCount, queryCount)

pkg/apic/resourcePagination.go

@@ -84,7 +84,7 @@ func (c *ServiceClient) GetAPIV1ResourceInstancesWithPageSize(queryParams map[st
 
 	log := c.logger.WithField("endpoint", url)
 	log.Trace("retrieving all resources from endpoint")
-	if !strings.HasPrefix(url, c.cfg.GetAPIServerURL()) {
+	if !strings.HasPrefix(url, c.cfg.GetAPIServerURL()) && !strings.HasPrefix(url, c.cfg.GetAPIServerVersionURL()) {
 		url = c.createAPIServerURL(url)
 	}
 

pkg/authz/oauth/idplifecycle.go

@@ -10,6 +10,10 @@ import (
 	"github.com/Axway/agent-sdk/pkg/util/log"
 )
 
+const (
+	defaultIdpClientTimeoutSeconds = 60
+)
+
 // IDPClient is the subset of apic.Client used by the IdP lifecycle manager,
 // defined here to avoid a circular import with pkg/apic.
 type IDPClient interface {
@@ -32,7 +36,7 @@ type IDPEngageLifecycle interface {
 	// resources in Engage using pre-resolved metadata — no Provider or outbound HTTP fetch required.
 	// idpCfg is optional (may be nil for the v7 path); when set it is passed to the IDPResourceBuilder.
 	// Returns the Engage IdentityProvider resource name.
-	CreateEngageResourcesFromMetadata(idpLogger log.FieldLogger, idpCfg corecfg.IDPConfig, idpName string, metadata *AuthorizationServerMetadata, envURL string, envPolicies management.EnvironmentPoliciesCredentials) (string, error)
+	CreateEngageResourcesFromMetadata(idpLogger log.FieldLogger, idpCfg corecfg.IDPConfig, idpType, idpName string, metadata *AuthorizationServerMetadata, baseUrl string, envPolicies management.EnvironmentPoliciesCredentials) (string, error)
 }
 
 // LifecycleOption configures an idpEngageLifecycle.
@@ -57,28 +61,25 @@ func NewIDPEngageLifecycle(client IDPClient, opts ...LifecycleOption) IDPEngageL
 	return l
 }
 
-func (l *idpEngageLifecycle) CreateEngageResourcesFromMetadata(idpLogger log.FieldLogger, idpCfg corecfg.IDPConfig, idpName string, metadata *AuthorizationServerMetadata, envURL string, envPolicies management.EnvironmentPoliciesCredentials) (string, error) {
-	metadataURL := metadata.Issuer
-	if idpCfg != nil {
-		metadataURL = idpCfg.GetMetadataURL()
-	}
+func (l *idpEngageLifecycle) CreateEngageResourcesFromMetadata(idpLogger log.FieldLogger, idpCfg corecfg.IDPConfig, idpType, idpName string, metadata *AuthorizationServerMetadata, baseUrl string, envPolicies management.EnvironmentPoliciesCredentials) (string, error) {
+	tokenEndpoint := metadata.TokenEndpoint
 
 	idpLogger.Debug("querying Engage for existing IdentityProvider resource")
 	existing, err := l.client.GetAPIV1ResourceInstances(
-		map[string]string{"query": fmt.Sprintf("spec.metadataUrl==\"%s\"", metadataURL)},
-		envURL+"/"+management.IdentityProviderResourceName,
+		map[string]string{"query": fmt.Sprintf("spec.tokenEndpoint==\"%s\"", tokenEndpoint)},
+		baseUrl+"/"+management.NewIdentityProviderMetadata("", "").PluralName(),
 	)
 	if err != nil {
 		return "", err
 	}
 
 	if len(existing) > 0 {
-		name := existing[0].Name
+		name := existing[0].GetMetadata().Scope.Name
 		idpLogger.WithField("name", name).Info("reusing existing IdentityProvider resource")
 		return name, nil
 	}
 
-	idpResource, err := l.buildIdentityProviderFromMetadata(idpLogger, idpCfg, idpName, metadataURL)
+	idpResource, err := l.buildIdentityProviderFromMetadata(idpLogger, idpCfg, idpType, idpName)
 	if err != nil {
 		return "", err
 	}
@@ -106,7 +107,7 @@ func (l *idpEngageLifecycle) CreateEngageResourcesFromMetadata(idpLogger log.Fie
 	return createdName, nil
 }
 
-func (l *idpEngageLifecycle) buildIdentityProviderFromMetadata(idpLogger log.FieldLogger, idpCfg corecfg.IDPConfig, idpName, metadataURL string) (*management.IdentityProvider, error) {
+func (l *idpEngageLifecycle) buildIdentityProviderFromMetadata(idpLogger log.FieldLogger, idpCfg corecfg.IDPConfig, idpType, idpName string) (*management.IdentityProvider, error) {
 	if l.builder != nil && idpCfg != nil {
 		idpLogger.Debug("building IdentityProvider resource via supplier")
 		res, err := l.builder.GetIdentityProvider(idpCfg)
@@ -120,7 +121,8 @@ func (l *idpEngageLifecycle) buildIdentityProviderFromMetadata(idpLogger log.Fie
 	name := util.NormalizeNameForCentral(idpName)
 	res := management.NewIdentityProvider(name)
 	res.Spec = management.IdentityProviderSpec{
-		MetadataUrl: metadataURL,
+		ProviderType:  idpType,
+		ClientTimeout: defaultIdpClientTimeoutSeconds,
 	}
 	return res, nil
 }