CRED-2150: Add PAT auth support to Rust API client

Author: tausman

.generator/src/generator/templates/api.j2

@@ -384,19 +384,14 @@ impl {{ structName }} {
         };
 
         // build auth
-        {%- set authMethods = operation.security if "security" in operation else openapi.security %}
-        {%- if authMethods %}
-        {%- for authMethod in authMethods %}
-        {%- for name in authMethod %}
-        {%- set schema = openapi.components.securitySchemes[name] %}
-        {%- if schema.type == "apiKey" and schema.in != "cookie" %}
-        if let Some(local_key) = local_configuration.auth_keys.get("{{ name }}") {
-            headers.insert("{{schema.name}}", HeaderValue::from_str(local_key.key.as_str()).expect("failed to parse {{schema.name}} header"));
-        };
-        {%- endif %}
-        {%- endfor %}
-        {%- endfor %}
-        {%- endif %}
+        for (key, value) in local_configuration.auth_headers() {
+            headers.insert(
+                reqwest::header::HeaderName::from_bytes(key.as_bytes())
+                    .expect("failed to parse auth header name"),
+                HeaderValue::from_str(value.as_str())
+                    .expect("failed to parse auth header value"),
+            );
+        }
 
         {% if formParameter %}
         // build form parameters

.generator/src/generator/templates/configuration.j2

@@ -44,6 +44,9 @@ pub struct Configuration {
     pub(crate) user_agent: String,
     pub(crate) unstable_operations: HashMap<String, bool>,
     pub(crate) auth_keys: HashMap<String, APIKey>,
+    {%- if "bearerAuth" in openapi.components.securitySchemes %}
+    pub(crate) pat: Option<String>,
+    {%- endif %}
     pub server_index: usize,
     pub server_variables: HashMap<String, String>,
     pub server_operation_index: HashMap<String, usize>,
@@ -106,6 +109,45 @@ impl Configuration {
         self.auth_keys.insert(operation_str.to_string(), api_key);
     }
 
+    {%- if "bearerAuth" in openapi.components.securitySchemes %}
+
+    /// Set a bearer token for authentication.
+    /// When a bearer token is configured, the client sends only an `Authorization: Bearer <token>`
+    /// header and does NOT send DD-API-KEY or DD-APPLICATION-KEY headers.
+    pub fn set_pat(&mut self, pat: String) {
+        self.pat = Some(pat);
+    }
+
+    {%- endif %}
+
+    /// Build authentication headers for an API request.
+    {%- if "bearerAuth" in openapi.components.securitySchemes %}
+    /// If a bearer token is configured, returns a single `Authorization: Bearer` header.
+    /// Otherwise, returns API key headers.
+    {%- endif %}
+    pub fn auth_headers(&self) -> Vec<(String, String)> {
+        {%- if "bearerAuth" in openapi.components.securitySchemes %}
+        if let Some(ref pat) = self.pat {
+            return vec![("Authorization".to_string(), format!("Bearer {}", pat))];
+        }
+        {%- endif %}
+        let mut headers = Vec::new();
+        {%- set authMethods = openapi.security %}
+        {%- if authMethods %}
+        {%- for authMethod in authMethods %}
+        {%- for name in authMethod %}
+        {%- set schema = openapi.components.securitySchemes[name] %}
+        {%- if schema.type == "apiKey" and schema.in != "cookie" %}
+        if let Some(key) = self.auth_keys.get("{{ name }}") {
+            headers.push(("{{ schema.name }}".to_string(), key.key.clone()));
+        }
+        {%- endif %}
+        {%- endfor %}
+        {%- endfor %}
+        {%- endif %}
+        headers
+    }
+
     pub fn set_proxy_url(&mut self, proxy_url: Option<String>) {
         self.proxy_url = proxy_url;
     }
@@ -149,10 +191,20 @@ impl Default for Configuration {
         {%- endfor %}
         {%- endif %}
 
+        {%- if "bearerAuth" in openapi.components.securitySchemes %}
+        {%- set bearerEnvName = openapi.components.securitySchemes.bearerAuth["x-env-name"] %}
+
+        // {{ bearerEnvName }} env var enables Bearer token auth (mutually exclusive with API key auth)
+        let pat = env::var("{{ bearerEnvName }}").ok().filter(|p| !p.is_empty());
+        {%- endif %}
+
         Self {
             user_agent: DEFAULT_USER_AGENT.clone(),
             unstable_operations,
             auth_keys,
+            {%- if "bearerAuth" in openapi.components.securitySchemes %}
+            pat,
+            {%- endif %}
             server_index: 0,
             server_variables: HashMap::from([(
                 "site".into(),

src/datadog/configuration.rs

@@ -46,6 +46,7 @@ pub struct Configuration {
     pub(crate) user_agent: String,
     pub(crate) unstable_operations: HashMap<String, bool>,
     pub(crate) auth_keys: HashMap<String, APIKey>,
+    pub(crate) pat: Option<String>,
     pub server_index: usize,
     pub server_variables: HashMap<String, String>,
     pub server_operation_index: HashMap<String, usize>,
@@ -109,6 +110,30 @@ impl Configuration {
         self.auth_keys.insert(operation_str.to_string(), api_key);
     }
 
+    /// Set a bearer token for authentication.
+    /// When a bearer token is configured, the client sends only an `Authorization: Bearer <token>`
+    /// header and does NOT send DD-API-KEY or DD-APPLICATION-KEY headers.
+    pub fn set_pat(&mut self, pat: String) {
+        self.pat = Some(pat);
+    }
+
+    /// Build authentication headers for an API request.
+    /// If a bearer token is configured, returns a single `Authorization: Bearer` header.
+    /// Otherwise, returns API key headers.
+    pub fn auth_headers(&self) -> Vec<(String, String)> {
+        if let Some(ref pat) = self.pat {
+            return vec![("Authorization".to_string(), format!("Bearer {}", pat))];
+        }
+        let mut headers = Vec::new();
+        if let Some(key) = self.auth_keys.get("apiKeyAuth") {
+            headers.push(("DD-API-KEY".to_string(), key.key.clone()));
+        }
+        if let Some(key) = self.auth_keys.get("appKeyAuth") {
+            headers.push(("DD-APPLICATION-KEY".to_string(), key.key.clone()));
+        }
+        headers
+    }
+
     pub fn set_proxy_url(&mut self, proxy_url: Option<String>) {
         self.proxy_url = proxy_url;
     }
@@ -363,10 +388,14 @@ impl Default for Configuration {
             },
         );
 
+        // DD_BEARER_TOKEN env var enables Bearer token auth (mutually exclusive with API key auth)
+        let pat = env::var("DD_BEARER_TOKEN").ok().filter(|p| !p.is_empty());
+
         Self {
             user_agent: DEFAULT_USER_AGENT.clone(),
             unstable_operations,
             auth_keys,
+            pat,
             server_index: 0,
             server_variables: HashMap::from([(
                 "site".into(),
@@ -1128,3 +1157,138 @@ lazy_static! {
         ])
     };
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use std::sync::Mutex;
+
+    // Mutex to prevent env var tests from interfering with each other
+    static ENV_MUTEX: Mutex<()> = Mutex::new(());
+
+    #[test]
+    fn test_set_pat_stores_pat() {
+        let mut config = Configuration::new();
+        config.set_pat("my-pat-token".to_string());
+        assert_eq!(config.pat.as_deref(), Some("my-pat-token"));
+    }
+
+    #[test]
+    fn test_auth_headers_with_pat_returns_bearer() {
+        let mut config = Configuration::new();
+        config.set_pat("my-pat-token".to_string());
+
+        let headers = config.auth_headers();
+        assert_eq!(headers.len(), 1);
+        assert_eq!(headers[0].0, "Authorization");
+        assert_eq!(headers[0].1, "Bearer my-pat-token");
+    }
+
+    #[test]
+    fn test_auth_headers_with_pat_excludes_api_keys() {
+        let mut config = Configuration::new();
+        config.set_auth_key(
+            "apiKeyAuth",
+            APIKey {
+                key: "my-api-key".to_string(),
+                prefix: "".to_string(),
+            },
+        );
+        config.set_auth_key(
+            "appKeyAuth",
+            APIKey {
+                key: "my-app-key".to_string(),
+                prefix: "".to_string(),
+            },
+        );
+        // PAT overrides all key-based auth
+        config.set_pat("my-pat-token".to_string());
+
+        let headers = config.auth_headers();
+        assert_eq!(headers.len(), 1);
+        assert_eq!(headers[0].0, "Authorization");
+        assert_eq!(headers[0].1, "Bearer my-pat-token");
+    }
+
+    #[test]
+    fn test_auth_headers_without_pat_returns_api_keys() {
+        let _lock = ENV_MUTEX.lock().unwrap();
+        let old_pat = env::var("DD_BEARER_TOKEN").ok();
+        env::remove_var("DD_BEARER_TOKEN");
+
+        let mut config = Configuration::new();
+        config.set_auth_key(
+            "apiKeyAuth",
+            APIKey {
+                key: "my-api-key".to_string(),
+                prefix: "".to_string(),
+            },
+        );
+        config.set_auth_key(
+            "appKeyAuth",
+            APIKey {
+                key: "my-app-key".to_string(),
+                prefix: "".to_string(),
+            },
+        );
+
+        let headers = config.auth_headers();
+        assert!(headers.iter().any(|(k, v)| k == "DD-API-KEY" && v == "my-api-key"));
+        assert!(headers.iter().any(|(k, v)| k == "DD-APPLICATION-KEY" && v == "my-app-key"));
+        // No Authorization header should be present
+        assert!(!headers.iter().any(|(k, _)| k == "Authorization"));
+
+        match old_pat {
+            Some(v) => env::set_var("DD_BEARER_TOKEN", v),
+            None => env::remove_var("DD_BEARER_TOKEN"),
+        }
+    }
+
+    #[test]
+    fn test_dd_pat_env_var() {
+        let _lock = ENV_MUTEX.lock().unwrap();
+        let old_pat = env::var("DD_BEARER_TOKEN").ok();
+
+        env::set_var("DD_BEARER_TOKEN", "env-pat-token");
+
+        let config = Configuration::default();
+        assert_eq!(config.pat.as_deref(), Some("env-pat-token"));
+
+        let headers = config.auth_headers();
+        assert_eq!(headers.len(), 1);
+        assert_eq!(headers[0].0, "Authorization");
+        assert_eq!(headers[0].1, "Bearer env-pat-token");
+
+        // Restore env
+        match old_pat {
+            Some(v) => env::set_var("DD_BEARER_TOKEN", v),
+            None => env::remove_var("DD_BEARER_TOKEN"),
+        }
+    }
+
+    #[test]
+    fn test_empty_dd_pat_does_not_set_pat() {
+        let _lock = ENV_MUTEX.lock().unwrap();
+        let old_pat = env::var("DD_BEARER_TOKEN").ok();
+        let old_app_key = env::var("DD_APP_KEY").ok();
+
+        env::set_var("DD_BEARER_TOKEN", "");
+        env::set_var("DD_APP_KEY", "my-app-key");
+
+        let config = Configuration::default();
+        assert!(config.pat.is_none());
+
+        let headers = config.auth_headers();
+        assert!(headers.iter().any(|(k, v)| k == "DD-APPLICATION-KEY" && v == "my-app-key"));
+
+        // Restore env
+        match old_pat {
+            Some(v) => env::set_var("DD_BEARER_TOKEN", v),
+            None => env::remove_var("DD_BEARER_TOKEN"),
+        }
+        match old_app_key {
+            Some(v) => env::set_var("DD_APP_KEY", v),
+            None => env::remove_var("DD_APP_KEY"),
+        }
+    }
+}

src/datadogV1/api/api_authentication.rs

@@ -143,13 +143,14 @@ impl AuthenticationAPI {
         };
 
         // build auth
-        if let Some(local_key) = local_configuration.auth_keys.get("apiKeyAuth") {
+        for (key, value) in local_configuration.auth_headers() {
             headers.insert(
-                "DD-API-KEY",
-                HeaderValue::from_str(local_key.key.as_str())
-                    .expect("failed to parse DD-API-KEY header"),
+                reqwest::header::HeaderName::from_bytes(key.as_bytes())
+                    .expect("failed to parse auth header name"),
+                HeaderValue::from_str(value.as_str())
+                    .expect("failed to parse auth header value"),
             );
-        };
+        }
 
         local_req_builder = local_req_builder.headers(headers);
         let local_req = local_req_builder.build()?;