upload OIDC discovery data to disco backend

inteon · inteon · commit fce42cc53812 · 2026-02-02T14:59:28.000+01:00
Signed-off-by: Tim Ramlot &lt;42113979+inteon@users.noreply.github.com&gt;
diff --git a/api/datareading.go b/api/datareading.go
@@ -64,6 +64,7 @@ func (o *DataReading) UnmarshalJSON(data []byte) error {
 		target any
 		assign func(any)
 	}{
+		{&OIDCDiscoveryData{}, func(v any) { o.Data = v.(*OIDCDiscoveryData) }},
 		{&DiscoveryData{}, func(v any) { o.Data = v.(*DiscoveryData) }},
 		{&DynamicData{}, func(v any) { o.Data = v.(*DynamicData) }},
 	}
diff --git a/internal/cyberark/dataupload/dataupload.go b/internal/cyberark/dataupload/dataupload.go
@@ -57,6 +57,15 @@ type Snapshot struct {
 	ClusterDescription string `json:"cluster_description,omitempty"`
 	// K8SVersion is the version of Kubernetes which the cluster is running.
 	K8SVersion string `json:"k8s_version"`
+	// OIDCConfig contains OIDC configuration data from the API server's
+	// `/.well-known/openid-configuration` endpoint
+	OIDCConfig map[string]any `json:"openid_configuration,omitempty"`
+	// OIDCConfigError contains any error encountered while fetching the OIDC configuration
+	OIDCConfigError string `json:"openid_configuration_error,omitempty"`
+	// JWKS contains JWKS data from the API server's `/openid/v1/jwks` endpoint
+	JWKS map[string]any `json:"jwks,omitempty"`
+	// JWKSError contains any error encountered while fetching the JWKS
+	JWKSError string `json:"jwks_error,omitempty"`
 	// Secrets is a list of Secret resources in the cluster. Not all Secret
 	// types are included and only a subset of the Secret data is included.
 	Secrets []runtime.Object `json:"secrets"`
diff --git a/pkg/client/client_cyberark.go b/pkg/client/client_cyberark.go
@@ -104,6 +104,25 @@ func baseSnapshotFromOptions(opts Options) dataupload.Snapshot {
 	}
 }
 
+// extractOIDCFromReading converts the opaque data from a OIDCDiscoveryData
+// data reading to allow access to the OIDC fields within.
+func extractOIDCFromReading(reading *api.DataReading, target *dataupload.Snapshot) error {
+	if reading == nil {
+		return fmt.Errorf("programmer mistake: the DataReading must not be nil")
+	}
+	data, ok := reading.Data.(*api.OIDCDiscoveryData)
+	if !ok {
+		return fmt.Errorf(
+			"programmer mistake: the DataReading must have data type *api.OIDCDiscoveryData. "+
+				"This DataReading (%s) has data type %T", reading.DataGatherer, reading.Data)
+	}
+	target.OIDCConfig = data.OIDCConfig
+	target.OIDCConfigError = data.OIDCConfigError
+	target.JWKS = data.JWKS
+	target.JWKSError = data.JWKSError
+	return nil
+}
+
 // extractClusterIDAndServerVersionFromReading converts the opaque data from a DiscoveryData
 // data reading to allow access to the Kubernetes version fields within.
 func extractClusterIDAndServerVersionFromReading(reading *api.DataReading, target *dataupload.Snapshot) error {
@@ -161,6 +180,7 @@ func extractResourceListFromReading(reading *api.DataReading, target *[]runtime.
 // and populates the relevant field(s) of the Snapshot based on the DataReading's data.
 // Deleted resources are excluded from the snapshot because they are not needed by CyberArk.
 var defaultExtractorFunctions = map[string]func(*api.DataReading, *dataupload.Snapshot) error{
+	"ark/oidc":      extractOIDCFromReading,
 	"ark/discovery": extractClusterIDAndServerVersionFromReading,
 	"ark/secrets": func(r *api.DataReading, s *dataupload.Snapshot) error {
 		return extractResourceListFromReading(r, &s.Secrets)
diff --git a/pkg/datagatherer/oidc/oidc.go b/pkg/datagatherer/oidc/oidc.go
@@ -74,7 +74,7 @@ func (g *DataGathererOIDC) Fetch() (any, int, error) {
 		return ""
 	}
 
-	return api.OIDCDiscoveryData{
+	return &api.OIDCDiscoveryData{
 		OIDCConfig:      oidcResponse,
 		OIDCConfigError: errToString(oidcErr),
 		JWKS:            jwksResponse,
diff --git a/pkg/datagatherer/oidc/oidc_test.go b/pkg/datagatherer/oidc/oidc_test.go
@@ -57,7 +57,7 @@ func TestFetch_Success(t *testing.T) {
 		t.Fatalf("expected count 1, got %d", count)
 	}
 
-	res, ok := anyRes.(api.OIDCDiscoveryData)
+	res, ok := anyRes.(*api.OIDCDiscoveryData)
 	if !ok {
 		t.Fatalf("unexpected result type: %T", anyRes)
 	}
@@ -101,7 +101,7 @@ func TestFetch_Errors(t *testing.T) {
 		t.Fatalf("Fetch returned error: %v", err)
 	}
 
-	res, ok := anyRes.(api.OIDCDiscoveryData)
+	res, ok := anyRes.(*api.OIDCDiscoveryData)
 	if !ok {
 		t.Fatalf("unexpected result type: %T", anyRes)
 	}

Original file line number	Diff line number	Diff line change
`@@ -64,6 +64,7 @@ func (o *DataReading) UnmarshalJSON(data []byte) error {`
`64`	`64`	`target any`
`65`	`65`	`assign func(any)`
`66`	`66`	`}{`
	`67`	`+ {&OIDCDiscoveryData{}, func(v any) { o.Data = v.(*OIDCDiscoveryData) }},`
`67`	`68`	`{&DiscoveryData{}, func(v any) { o.Data = v.(*DiscoveryData) }},`
`68`	`69`	`{&DynamicData{}, func(v any) { o.Data = v.(*DynamicData) }},`
`69`	`70`	`}`
Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,7 @@ func (g *DataGathererOIDC) Fetch() (any, int, error) {`
`74`	`74`	`return ""`
`75`	`75`	`}`
`76`	`76`
`77`		`- return api.OIDCDiscoveryData{`
	`77`	`+ return &api.OIDCDiscoveryData{`
`78`	`78`	`OIDCConfig: oidcResponse,`
`79`	`79`	`OIDCConfigError: errToString(oidcErr),`
`80`	`80`	`JWKS: jwksResponse,`
Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,7 @@ func TestFetch_Success(t *testing.T) {`
`57`	`57`	`t.Fatalf("expected count 1, got %d", count)`
`58`	`58`	`}`
`59`	`59`
`60`		`- res, ok := anyRes.(api.OIDCDiscoveryData)`
	`60`	`+ res, ok := anyRes.(*api.OIDCDiscoveryData)`
`61`	`61`	`if !ok {`
`62`	`62`	`t.Fatalf("unexpected result type: %T", anyRes)`
`63`	`63`	`}`
`@@ -101,7 +101,7 @@ func TestFetch_Errors(t *testing.T) {`
`101`	`101`	`t.Fatalf("Fetch returned error: %v", err)`
`102`	`102`	`}`
`103`	`103`
`104`		`- res, ok := anyRes.(api.OIDCDiscoveryData)`
	`104`	`+ res, ok := anyRes.(*api.OIDCDiscoveryData)`
`105`	`105`	`if !ok {`
`106`	`106`	`t.Fatalf("unexpected result type: %T", anyRes)`
`107`	`107`	`}`