CRED-2150: Add PAT auth support - templates and tests

tausman · tausman · commit 67c751bf9a55 · 2026-03-05T16:56:17.000Z
diff --git a/.generator/src/generator/templates/api.j2 b/.generator/src/generator/templates/api.j2
@@ -384,19 +384,14 @@ impl {{ structName }} {
         };
         
         // build auth
-        {%- set authMethods = operation.security if "security" in operation else openapi.security %}
-        {%- if authMethods %}
-        {%- for authMethod in authMethods %}
-        {%- for name in authMethod %}
-        {%- set schema = openapi.components.securitySchemes[name] %}
-        {%- if schema.type == "apiKey" and schema.in != "cookie" %}
-        if let Some(local_key) = local_configuration.auth_keys.get("{{ name }}") {
-            headers.insert("{{schema.name}}", HeaderValue::from_str(local_key.key.as_str()).expect("failed to parse {{schema.name}} header"));
-        };
-        {%- endif %}
-        {%- endfor %}
-        {%- endfor %}
-        {%- endif %}
+        for (key, value) in local_configuration.auth_headers() {
+            headers.insert(
+                reqwest::header::HeaderName::from_bytes(key.as_bytes())
+                    .expect("failed to parse auth header name"),
+                HeaderValue::from_str(value.as_str())
+                    .expect("failed to parse auth header value"),
+            );
+        }
 
         {% if formParameter %}
         // build form parameters
diff --git a/.generator/src/generator/templates/configuration.j2 b/.generator/src/generator/templates/configuration.j2
@@ -44,6 +44,9 @@ pub struct Configuration {
     pub(crate) user_agent: String,
     pub(crate) unstable_operations: HashMap<String, bool>,
     pub(crate) auth_keys: HashMap<String, APIKey>,
+    {%- if "bearerAuth" in openapi.components.securitySchemes %}
+    pub(crate) pat: Option<String>,
+    {%- endif %}
     pub server_index: usize,
     pub server_variables: HashMap<String, String>,
     pub server_operation_index: HashMap<String, usize>,
@@ -106,6 +109,40 @@ impl Configuration {
         self.auth_keys.insert(operation_str.to_string(), api_key);
     }
 
+    {%- if "bearerAuth" in openapi.components.securitySchemes %}
+
+    /// Set a bearer token for authentication.
+    pub fn set_pat(&mut self, pat: String) {
+        self.pat = Some(pat);
+    }
+
+    {%- endif %}
+
+    /// Build authentication headers for an API request.
+    /// All configured auth credentials are sent; the server decides which to use.
+    pub fn auth_headers(&self) -> Vec<(String, String)> {
+        let mut headers = Vec::new();
+        {%- if "bearerAuth" in openapi.components.securitySchemes %}
+        if let Some(ref pat) = self.pat {
+            headers.push(("Authorization".to_string(), format!("Bearer {}", pat)));
+        }
+        {%- endif %}
+        {%- set authMethods = openapi.security %}
+        {%- if authMethods %}
+        {%- for authMethod in authMethods %}
+        {%- for name in authMethod %}
+        {%- set schema = openapi.components.securitySchemes[name] %}
+        {%- if schema.type == "apiKey" and schema.in != "cookie" %}
+        if let Some(key) = self.auth_keys.get("{{ name }}") {
+            headers.push(("{{ schema.name }}".to_string(), key.key.clone()));
+        }
+        {%- endif %}
+        {%- endfor %}
+        {%- endfor %}
+        {%- endif %}
+        headers
+    }
+
     pub fn set_proxy_url(&mut self, proxy_url: Option<String>) {
         self.proxy_url = proxy_url;
     }
@@ -149,10 +186,20 @@ impl Default for Configuration {
         {%- endfor %}
         {%- endif %}
 
+        {%- if "bearerAuth" in openapi.components.securitySchemes %}
+        {%- set bearerEnvName = openapi.components.securitySchemes.bearerAuth["x-env-name"] %}
+
+        // {{ bearerEnvName }} env var enables Bearer token auth (mutually exclusive with API key auth)
+        let pat = env::var("{{ bearerEnvName }}").ok().filter(|p| !p.is_empty());
+        {%- endif %}
+
         Self {
             user_agent: DEFAULT_USER_AGENT.clone(),
             unstable_operations,
             auth_keys,
+            {%- if "bearerAuth" in openapi.components.securitySchemes %}
+            pat,
+            {%- endif %}
             server_index: 0,
             server_variables: HashMap::from([(
                 "site".into(),
diff --git a/tests/configuration_test.rs b/tests/configuration_test.rs
@@ -0,0 +1,148 @@
+// Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2019-Present Datadog, Inc.
+use datadog_api_client::datadog::{APIKey, Configuration};
+use std::env;
+use std::sync::Mutex;
+
+// Mutex to prevent env var tests from interfering with each other
+static ENV_MUTEX: Mutex<()> = Mutex::new(());
+
+#[test]
+fn test_set_pat_stores_pat() {
+    let mut config = Configuration::new();
+    config.set_pat("my-pat-token".to_string());
+
+    let headers = config.auth_headers();
+    assert!(headers
+        .iter()
+        .any(|(k, v)| k == "Authorization" && v == "Bearer my-pat-token"));
+}
+
+#[test]
+fn test_auth_headers_with_pat_returns_bearer() {
+    let mut config = Configuration::new();
+    config.set_pat("my-pat-token".to_string());
+
+    let headers = config.auth_headers();
+    assert!(headers
+        .iter()
+        .any(|(k, v)| k == "Authorization" && v == "Bearer my-pat-token"));
+}
+
+#[test]
+fn test_auth_headers_with_pat_and_api_keys_sends_all() {
+    let mut config = Configuration::new();
+    config.set_auth_key(
+        "apiKeyAuth",
+        APIKey {
+            key: "my-api-key".to_string(),
+            prefix: "".to_string(),
+        },
+    );
+    config.set_auth_key(
+        "appKeyAuth",
+        APIKey {
+            key: "my-app-key".to_string(),
+            prefix: "".to_string(),
+        },
+    );
+    config.set_pat("my-pat-token".to_string());
+
+    let headers = config.auth_headers();
+    assert!(headers
+        .iter()
+        .any(|(k, v)| k == "Authorization" && v == "Bearer my-pat-token"));
+    assert!(headers
+        .iter()
+        .any(|(k, v)| k == "DD-API-KEY" && v == "my-api-key"));
+    assert!(headers
+        .iter()
+        .any(|(k, v)| k == "DD-APPLICATION-KEY" && v == "my-app-key"));
+}
+
+#[test]
+fn test_auth_headers_without_pat_returns_api_keys() {
+    let _lock = ENV_MUTEX.lock().unwrap();
+    let old_pat = env::var("DD_BEARER_TOKEN").ok();
+    env::remove_var("DD_BEARER_TOKEN");
+
+    let mut config = Configuration::new();
+    config.set_auth_key(
+        "apiKeyAuth",
+        APIKey {
+            key: "my-api-key".to_string(),
+            prefix: "".to_string(),
+        },
+    );
+    config.set_auth_key(
+        "appKeyAuth",
+        APIKey {
+            key: "my-app-key".to_string(),
+            prefix: "".to_string(),
+        },
+    );
+
+    let headers = config.auth_headers();
+    assert!(headers
+        .iter()
+        .any(|(k, v)| k == "DD-API-KEY" && v == "my-api-key"));
+    assert!(headers
+        .iter()
+        .any(|(k, v)| k == "DD-APPLICATION-KEY" && v == "my-app-key"));
+    // No Authorization header should be present
+    assert!(!headers.iter().any(|(k, _)| k == "Authorization"));
+
+    match old_pat {
+        Some(v) => env::set_var("DD_BEARER_TOKEN", v),
+        None => env::remove_var("DD_BEARER_TOKEN"),
+    }
+}
+
+#[test]
+fn test_dd_bearer_token_env_var() {
+    let _lock = ENV_MUTEX.lock().unwrap();
+    let old_pat = env::var("DD_BEARER_TOKEN").ok();
+
+    env::set_var("DD_BEARER_TOKEN", "env-pat-token");
+
+    let config = Configuration::default();
+
+    let headers = config.auth_headers();
+    assert!(headers
+        .iter()
+        .any(|(k, v)| k == "Authorization" && v == "Bearer env-pat-token"));
+
+    // Restore env
+    match old_pat {
+        Some(v) => env::set_var("DD_BEARER_TOKEN", v),
+        None => env::remove_var("DD_BEARER_TOKEN"),
+    }
+}
+
+#[test]
+fn test_empty_dd_pat_does_not_set_pat() {
+    let _lock = ENV_MUTEX.lock().unwrap();
+    let old_pat = env::var("DD_BEARER_TOKEN").ok();
+    let old_app_key = env::var("DD_APP_KEY").ok();
+
+    env::set_var("DD_BEARER_TOKEN", "");
+    env::set_var("DD_APP_KEY", "my-app-key");
+
+    let config = Configuration::default();
+
+    let headers = config.auth_headers();
+    assert!(headers
+        .iter()
+        .any(|(k, v)| k == "DD-APPLICATION-KEY" && v == "my-app-key"));
+
+    // Restore env
+    match old_pat {
+        Some(v) => env::set_var("DD_BEARER_TOKEN", v),
+        None => env::remove_var("DD_BEARER_TOKEN"),
+    }
+    match old_app_key {
+        Some(v) => env::set_var("DD_APP_KEY", v),
+        None => env::remove_var("DD_APP_KEY"),
+    }
+}
