CRED-2149: Add PAT auth support to Java API client

tausman · tausman · commit 20d4b7c57c01 · 2026-03-04T22:53:35.000Z
diff --git a/.generator/src/generator/templates/ApiClient.j2 b/.generator/src/generator/templates/ApiClient.j2
@@ -223,6 +223,16 @@ public class ApiClient {
     }
     defaultApiClient.configureApiKeys(secrets);
 
+    {%- for name, schema in specs.v2.components.securitySchemes.items() %}
+    {%- if schema.type == "http" and "x-env-name" in schema %}
+    // Configure {{ name }} authorization
+    String {{ name }}Token = System.getenv("{{ schema["x-env-name"] }}");
+    if ({{ name }}Token != null) {
+      defaultApiClient.setBearerToken({{ name }}Token);
+    }
+    {%- endif %}
+    {%- endfor %}
+
     return defaultApiClient;
   }
 
@@ -279,6 +289,15 @@ public class ApiClient {
     } else {
       authentications.put("{{ name }}", new {{ schema.type|upperfirst ~ "Auth" }}("{{ schema["in"] }}", "{{ schema.name }}"));
     }
+    {%- elif schema.type == "http" %}
+    if (authMap != null) {
+      auth = authMap.get("{{ name }}");
+    }
+    if (auth instanceof HttpBearerAuth) {
+      authentications.put("{{ name }}", auth);
+    } else {
+      authentications.put("{{ name }}", new HttpBearerAuth("{{ schema.scheme }}"));
+    }
     {%- endif %}
     {%- endfor %}
     // Prevent the authentications from being modified.
@@ -1573,6 +1592,18 @@ public class ApiClient {
       Map<String, String> cookieParams,
       URI uri)
       throws ApiException {
+    {%- for name, schema in specs.v2.components.securitySchemes.items() %}
+    {%- if schema.type == "http" %}
+    // If a bearer token is configured, use it exclusively (no API key / app key).
+    Authentication {{ name }} = authentications.get("{{ name }}");
+    if ({{ name }} instanceof HttpBearerAuth
+        && ((HttpBearerAuth) {{ name }}).getBearerToken() != null) {
+      {{ name }}.applyToParams(queryParams, headerParams, cookieParams, "", "", uri);
+      return;
+    }
+    {%- endif %}
+    {%- endfor %}
+
     for (String authName : authNames) {
       Authentication auth = authentications.get(authName);
       if (auth == null) {
diff --git a/src/main/java/com/datadog/api/client/ApiClient.java b/src/main/java/com/datadog/api/client/ApiClient.java
@@ -1009,6 +1009,12 @@ public static ApiClient getDefaultApiClient() {
     }
     defaultApiClient.configureApiKeys(secrets);
 
+    // Configure bearerAuth authorization
+    String bearerAuthToken = System.getenv("DD_BEARER_TOKEN");
+    if (bearerAuthToken != null) {
+      defaultApiClient.setBearerToken(bearerAuthToken);
+    }
+
     return defaultApiClient;
   }
 
@@ -1068,6 +1074,14 @@ public ApiClient(Map<String, Authentication> authMap) {
     } else {
       authentications.put("appKeyAuth", new ApiKeyAuth("header", "DD-APPLICATION-KEY"));
     }
+    if (authMap != null) {
+      auth = authMap.get("bearerAuth");
+    }
+    if (auth instanceof HttpBearerAuth) {
+      authentications.put("bearerAuth", auth);
+    } else {
+      authentications.put("bearerAuth", new HttpBearerAuth("bearer"));
+    }
     // Prevent the authentications from being modified.
     authentications = Collections.unmodifiableMap(authentications);
   }
@@ -2443,6 +2457,14 @@ protected void updateParamsForAuth(
       Map<String, String> cookieParams,
       URI uri)
       throws ApiException {
+    // If a bearer token is configured, use it exclusively (no API key / app key).
+    Authentication bearerAuth = authentications.get("bearerAuth");
+    if (bearerAuth instanceof HttpBearerAuth
+        && ((HttpBearerAuth) bearerAuth).getBearerToken() != null) {
+      bearerAuth.applyToParams(queryParams, headerParams, cookieParams, "", "", uri);
+      return;
+    }
+
     for (String authName : authNames) {
       Authentication auth = authentications.get(authName);
       if (auth == null) {
diff --git a/src/test/java/com/datadog/api/client/auth/HttpBearerAuthTest.java b/src/test/java/com/datadog/api/client/auth/HttpBearerAuthTest.java
@@ -0,0 +1,82 @@
+/*
+ * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License.
+ * This product includes software developed at Datadog (https://www.datadoghq.com/).
+ * Copyright 2019-Present Datadog, Inc.
+ */
+
+package com.datadog.api.client.auth;
+
+import static org.junit.Assert.*;
+
+import com.datadog.api.client.ApiClient;
+import com.datadog.api.client.ApiException;
+import com.datadog.api.client.Pair;
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import org.junit.Test;
+
+public class HttpBearerAuthTest {
+
+  @Test
+  public void testSetAndGetBearerToken() {
+    HttpBearerAuth auth = new HttpBearerAuth("bearer");
+    assertNull(auth.getBearerToken());
+
+    auth.setBearerToken("test-token-123");
+    assertEquals("test-token-123", auth.getBearerToken());
+  }
+
+  @Test
+  public void testApplyToParamsAddsBearerHeader() throws ApiException {
+    HttpBearerAuth auth = new HttpBearerAuth("bearer");
+    auth.setBearerToken("my-pat-token");
+
+    List<Pair> queryParams = new ArrayList<>();
+    Map<String, String> headerParams = new HashMap<>();
+    Map<String, String> cookieParams = new HashMap<>();
+
+    auth.applyToParams(
+        queryParams, headerParams, cookieParams, "", "", URI.create("https://example.com"));
+
+    assertEquals("Bearer my-pat-token", headerParams.get("Authorization"));
+    assertTrue(queryParams.isEmpty());
+    assertTrue(cookieParams.isEmpty());
+  }
+
+  @Test
+  public void testApplyToParamsNullTokenIsNoOp() throws ApiException {
+    HttpBearerAuth auth = new HttpBearerAuth("bearer");
+
+    List<Pair> queryParams = new ArrayList<>();
+    Map<String, String> headerParams = new HashMap<>();
+    Map<String, String> cookieParams = new HashMap<>();
+
+    auth.applyToParams(
+        queryParams, headerParams, cookieParams, "", "", URI.create("https://example.com"));
+
+    assertFalse(headerParams.containsKey("Authorization"));
+  }
+
+  @Test
+  public void testApiClientRegistersBearerAuth() {
+    ApiClient client = new ApiClient();
+    // setBearerToken should not throw since bearerAuth is now registered
+    client.setBearerToken("test-pat");
+  }
+
+  @Test
+  public void testApiClientSetBearerTokenApplied() throws ApiException {
+    ApiClient client = new ApiClient();
+    client.setBearerToken("my-pat-token");
+
+    // Verify through the authentication map that the token was set
+    Map<String, Authentication> auths = client.getAuthentications();
+    Authentication auth = auths.get("bearerAuth");
+    assertNotNull("bearerAuth should be registered", auth);
+    assertTrue("bearerAuth should be HttpBearerAuth", auth instanceof HttpBearerAuth);
+    assertEquals("my-pat-token", ((HttpBearerAuth) auth).getBearerToken());
+  }
+}
