Authorization header support (#45)

tnsimon · simontien47 · web-flow · commit eda5e4948cf3 · 2023-08-10T22:12:03.000-04:00
* feat: suppert auth headers

* docs: update readme optional config

* fix: update setup

---------

Co-authored-by: Simon Tien &lt;simontien47@gmail.com&gt;
diff --git a/README.md b/README.md
@@ -57,6 +57,16 @@ spec:
               ### OPTIONAL
               ###
 
+              # API Key scheme https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml
+              # default: no scheme ""
+              apiKeyScheme: ""
+
+              # Header name for API key
+              #
+              # This defaults to X-API-Key when unset but supports customizations
+              # e.g. Authorization 
+              apiKeyHeaderName: ""
+
               # Server ID for the PowerDNS API.
               # When unset, defaults to "localhost".
               #
diff --git a/main.go b/main.go
@@ -28,6 +28,11 @@ import (
 	"github.com/joeig/go-powerdns/v3"
 )
 
+const (
+	defaultAuthHeader = "X-API-Key"
+	defaultScheme     = ""
+)
+
 var GroupName = os.Getenv("GROUP_NAME")
 
 func main() {
@@ -81,6 +86,17 @@ type powerDNSProviderConfig struct {
 	// secret which contains the PowerDNS API Key.
 	APIKeySecretRef *cmmeta.SecretKeySelector `json:"apiKeySecretRef"`
 
+	// Scheme supports HTTP AuthSchemes
+	// https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml
+	//
+	// +optional default ""
+	APIKeyScheme string `json:"apiKeyScheme"`
+
+	// APIKeyHeaderName is the header name where apiKey will be set
+	//
+	// +optional default "X-API-Key"
+	APIKeyHeaderName string `json:"apiKeyHeaderName"`
+
 	// ServerID is the server ID in the PowerDNS API.
 	// When unset, defaults to "localhost".
 	ServerID string `json:"serverID"`
@@ -245,7 +261,10 @@ func (c *powerDNSProviderSolver) Initialize(kubeClientConfig *rest.Config, stopC
 // loadConfig is a small helper function that decodes JSON configuration into
 // the typed config struct.
 func loadConfig(cfgJSON *apiextensionsv1.JSON) (*powerDNSProviderConfig, error) {
-	cfg := &powerDNSProviderConfig{}
+	cfg := &powerDNSProviderConfig{
+		APIKeyScheme:     defaultScheme,
+		APIKeyHeaderName: defaultAuthHeader,
+	}
 	// handle the 'base case' where no configuration has been provided
 	if cfgJSON == nil {
 		return cfg, nil
@@ -325,7 +344,9 @@ func (c *powerDNSProviderSolver) init(config *apiextensionsv1.JSON, namespace st
 
 	// Add request headers
 	headers := map[string]string{
-		"X-API-Key":    apiKey,
+		cfg.APIKeyHeaderName: strings.TrimLeft(
+			strings.Trim(cfg.APIKeyScheme, " ")+" "+apiKey,
+			" "),
 		"Content-Type": "application/json",
 	}
 	maps.Copy(headers, cfg.Headers)
diff --git a/main_test.go b/main_test.go
@@ -32,10 +32,18 @@ func TestNoProxyNoTLS(t *testing.T) {
 	test(t, "_out/testdata/no-tls")
 }
 
+func TestNoProxyNoTLSAuthHdr(t *testing.T) {
+	test(t, "_out/testdata/no-tls-auth-hdr")
+}
+
 func TestNoProxyTLS(t *testing.T) {
 	test(t, "_out/testdata/tls")
 }
 
+func TestNoProxyTLSAuthHdr(t *testing.T) {
+	test(t, "_out/testdata/tls-auth-hdr")
+}
+
 func TestProxyNoTLS(t *testing.T) {
 	test(t, "_out/testdata/no-tls-with-proxy")
 }
diff --git a/scripts/setup-tests.sh b/scripts/setup-tests.sh
@@ -21,14 +21,14 @@ EOF
 
 openssl req -x509 -config _out/openssl.conf -newkey rsa:4096 -keyout _out/key.pem -out _out/cert.pem -sha256 -days 30 -nodes -subj '/CN=localhost'
 
-for suite in tls tls-with-proxy; do
+for suite in tls tls-with-proxy tls-auth-hdr; do
   mkdir -p _out/testdata/${suite}
   cp testdata/pdns/test/${suite}/apikey.yml _out/testdata/${suite}/apikey.yml
   sed "s#__CERT__#$(base64 -w0 _out/cert.pem)#g" testdata/pdns/test/${suite}/config.json > _out/testdata/${suite}/config.json
 done
 
 # No TLS
-for suite in no-tls no-tls-with-proxy; do
+for suite in no-tls no-tls-with-proxy no-tls-auth-hdr; do
   mkdir -p _out/testdata/${suite}
   cp testdata/pdns/test/${suite}/{config.json,apikey.yml} _out/testdata/${suite}
 done
diff --git a/testdata/pdns/test/no-tls-auth-hdr/apikey.yml b/testdata/pdns/test/no-tls-auth-hdr/apikey.yml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: pdns-api-key
+type: Opaque
+data:
+  key: dGVzdDEyMw==
diff --git a/testdata/pdns/test/no-tls-auth-hdr/config.json b/testdata/pdns/test/no-tls-auth-hdr/config.json
@@ -0,0 +1,10 @@
+{
+    "host": "http://127.0.0.1:8080",
+    "apiKeySecretRef": {
+        "name": "pdns-api-key",
+        "key": "key"
+    },
+    "apiKeyScheme": "",
+    "apiKeyHeaderName": "X-API-Key",
+    "ttl": 10
+}
diff --git a/testdata/pdns/test/tls-auth-hdr/apikey.yml b/testdata/pdns/test/tls-auth-hdr/apikey.yml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: pdns-api-key
+type: Opaque
+data:
+  key: dGVzdDEyMw==
diff --git a/testdata/pdns/test/tls-auth-hdr/config.json b/testdata/pdns/test/tls-auth-hdr/config.json
@@ -0,0 +1,11 @@
+{
+    "host": "https://127.0.0.1:8443",
+    "apiKeySecretRef": {
+        "name": "pdns-api-key",
+        "key": "key"
+    },
+    "apiKeyScheme": "",
+    "apiKeyHeaderName": "X-API-Key",
+    "ttl": 10,
+    "caBundle": "__CERT__"
+}

Original file line number	Diff line number	Diff line change
`@@ -32,10 +32,18 @@ func TestNoProxyNoTLS(t *testing.T) {`
`32`	`32`	`test(t, "_out/testdata/no-tls")`
`33`	`33`	`}`
`34`	`34`
	`35`	`+func TestNoProxyNoTLSAuthHdr(t *testing.T) {`
	`36`	`+ test(t, "_out/testdata/no-tls-auth-hdr")`
	`37`	`+}`
	`38`	`+`
`35`	`39`	`func TestNoProxyTLS(t *testing.T) {`
`36`	`40`	`test(t, "_out/testdata/tls")`
`37`	`41`	`}`
`38`	`42`
	`43`	`+func TestNoProxyTLSAuthHdr(t *testing.T) {`
	`44`	`+ test(t, "_out/testdata/tls-auth-hdr")`
	`45`	`+}`
	`46`	`+`
`39`	`47`	`func TestProxyNoTLS(t *testing.T) {`
`40`	`48`	`test(t, "_out/testdata/no-tls-with-proxy")`
`41`	`49`	`}`