API key based authentication support (#232)

* added support for API auth for V3

* fix: update module path to match repository owner

* Revert "fix: update module path to match repository owner"

This reverts commit cc06347.

* fix: update authentication handling to use API key directly

* refactor: remove unused AuthType and constants for cleaner code

* fix: add missing newline

* plumb API key into each of v4 client instances

* refactor: replace constant usage for API key header with local definition

* chore: update changelog to include API key authentication support

* fix tests

* added tests for client creation for API key case

* refactor: extract authentication header logic into SetAuthHeader function

* make functions not exported

* fix: reorder import statements for clarity

* refactor: consolidate authentication header logic into a single function

Author: amanalinutanix

CHANGELOG.md

@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Added witness configuration to recovery plan spec.
 - Added support for creating, deleting, and listing idempotence identifiers.
+- Added support for authenticating using API key based authentication.  
 
 ### Changed
 - Updated the v3 Cluster spec and status structs to match latest swagger spec

internal/client.go

@@ -21,16 +21,17 @@ import (
 	"github.com/hashicorp/go-cleanhttp"
 	"go.uber.org/zap"
 
-	"github.com/nutanix-cloud-native/prism-go-client"
+	prismgoclient "github.com/nutanix-cloud-native/prism-go-client"
 )
 
 type Scheme string
 
 const (
-	defaultBaseURL  = "%s://%s/"
-	mediaType       = "application/json"
-	formEncodedType = "application/x-www-form-urlencoded"
-	octetStreamType = "application/octet-stream"
+	defaultBaseURL      = "%s://%s/"
+	mediaType           = "application/json"
+	formEncodedType     = "application/x-www-form-urlencoded"
+	octetStreamType     = "application/octet-stream"
+	ntnxAPIKeyHeaderKey = "X-ntnx-api-key"
 
 	SchemeHTTP  Scheme = "http"
 	SchemeHTTPS Scheme = "https"
@@ -229,6 +230,14 @@ func NewClient(opts ...ClientOption) (*Client, error) {
 	return c, nil
 }
 
+func decorateRequestWithAuthHeaders(req *http.Request, c *prismgoclient.Credentials) {
+	if c.APIKey != "" {
+		decorateRequestWithAPIKeyHeaders(req, c.APIKey)
+	} else {
+		decorateRequestWithBasicAuthHeaders(req, c.Username, c.Password)
+	}
+}
+
 // NewRequest creates a request
 func (c *Client) NewRequest(method, urlStr string, body interface{}) (*http.Request, error) {
 	req, err := c.NewUnAuthRequest(method, urlStr, body)
@@ -239,20 +248,25 @@ func (c *Client) NewRequest(method, urlStr string, body interface{}) (*http.Requ
 	if c.cookies != nil {
 		decorateRequestWithCookies(req, c.cookies)
 	} else {
-		decorateRequestWithBasicAuthHeaders(req, c.credentials.Username, c.credentials.Password)
+		decorateRequestWithAuthHeaders(req, c.credentials)
 	}
 
 	return req, nil
 }
 
+// decorateRequestWithAPIKeyHeaders adds the API key to the request header
+func decorateRequestWithAPIKeyHeaders(req *http.Request, apiKey string) {
+	req.Header.Add(ntnxAPIKeyHeaderKey, apiKey)
+}
+
 func (c *Client) refreshCookies(ctx context.Context) error {
 	req, err := c.NewUnAuthRequest(http.MethodGet, "/users/me", nil)
 	if err != nil {
 		return err
 	}
 
 	req = req.WithContext(ctx)
-	decorateRequestWithBasicAuthHeaders(req, c.credentials.Username, c.credentials.Password)
+	decorateRequestWithAuthHeaders(req, c.credentials)
 	resp, err := c.httpClient.Do(req)
 	if err != nil {
 		return err

structs.go

@@ -1,8 +1,10 @@
 package prismgoclient
 
-// Credentials needed username and password
+// Credentials can include either username and password for basic authentication
+// or an API key for API key-based authentication
 type Credentials struct {
 	URL                string
+	APIKey             string
 	Username           string
 	Password           string
 	Endpoint           string

v3/v3.go

@@ -7,7 +7,7 @@ import (
 	"net/http"
 
 	"github.com/go-logr/logr"
-	"github.com/nutanix-cloud-native/prism-go-client"
+	prismgoclient "github.com/nutanix-cloud-native/prism-go-client"
 	"github.com/nutanix-cloud-native/prism-go-client/internal"
 )
 
@@ -84,8 +84,14 @@ func WithUserAgent(userAgent string) ClientOption {
 
 // NewV3Client return a internal to operate V3 resources
 func NewV3Client(credentials prismgoclient.Credentials, opts ...ClientOption) (*Client, error) {
-	if credentials.Username == "" || credentials.Password == "" || credentials.Endpoint == "" {
-		return nil, fmt.Errorf("username, password and endpoint are required")
+	if credentials.APIKey != "" {
+		if credentials.Endpoint == "" {
+			return nil, fmt.Errorf("endpoint is required for api key auth")
+		}
+	} else {
+		if credentials.Username == "" || credentials.Password == "" || credentials.Endpoint == "" {
+			return nil, fmt.Errorf("username, password and endpoint are required for basic auth")
+		}
 	}
 
 	v3Client := &Client{

v3/v3_test.go

@@ -8,11 +8,11 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/nutanix-cloud-native/prism-go-client"
+	prismgoclient "github.com/nutanix-cloud-native/prism-go-client"
 	"github.com/nutanix-cloud-native/prism-go-client/internal/testhelpers"
 )
 
-func TestNewV3Client(t *testing.T) {
+func TestNewV3ClientBasicAuth(t *testing.T) {
 	// verifies positive client creation
 	cred := prismgoclient.Credentials{
 		URL:                "foo.com",
@@ -40,7 +40,38 @@ func TestNewV3Client(t *testing.T) {
 
 	v3Client, err = NewV3Client(cred)
 	assert.Nil(t, v3Client)
-	assert.EqualError(t, err, "username, password and endpoint are required")
+	assert.EqualError(t, err, "username, password and endpoint are required for basic auth")
+}
+
+func TestNewV3ClientAPIKey(t *testing.T) {
+	// verifies positive client creation
+	cred := prismgoclient.Credentials{
+		URL:                "foo.com",
+		Port:               "",
+		Endpoint:           "0.0.0.0",
+		Insecure:           true,
+		FoundationEndpoint: "10.0.0.0",
+		FoundationPort:     "8000",
+		RequiredFields:     nil,
+		APIKey:             "my-api-key",
+	}
+	v3Client, err := NewV3Client(cred)
+	assert.NoError(t, err)
+	assert.NotNil(t, v3Client)
+
+	// verify missing client scenario
+	cred = prismgoclient.Credentials{
+		URL:      "foo.com",
+		Insecure: true,
+		RequiredFields: map[string][]string{
+			"prism_central": {"username", "password", "endpoint"},
+		},
+		APIKey: "my-api-key",
+	}
+
+	v3Client, err = NewV3Client(cred)
+	assert.Nil(t, v3Client)
+	assert.EqualError(t, err, "endpoint is required for api key auth")
 }
 
 func TestNewV3ClientWithPEMEncodedCertBundle(t *testing.T) {

v4/v4.go

@@ -23,8 +23,25 @@ import (
 const (
 	defaultEndpointPort = "9440"
 	authorizationHeader = "Authorization"
+	ntnxAPIKeyHeaderKey = "X-ntnx-api-key"
 )
 
+// apiClient is an interface that defines methods for adding default headers to the API client.
+type apiClient interface {
+	AddDefaultHeader(key, value string)
+}
+
+// setAuthHeader sets the authentication header for the API client based on the provided credentials.
+func setAuthHeader(apiClient apiClient, credentials prismgoclient.Credentials) {
+	if credentials.APIKey != "" {
+		apiClient.AddDefaultHeader(ntnxAPIKeyHeaderKey, credentials.APIKey)
+	} else {
+		apiClient.AddDefaultHeader(
+			authorizationHeader,
+			fmt.Sprintf("Basic %s", base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", credentials.Username, credentials.Password)))))
+	}
+}
+
 // Client manages the V4 API
 type Client struct {
 	CategoriesApiInstance   *prismApi.CategoriesApi
@@ -48,8 +65,14 @@ type ClientOption func(*Client) error
 
 // NewV4Client return an internal to operate V4 resources
 func NewV4Client(credentials prismgoclient.Credentials, opts ...ClientOption) (*Client, error) {
-	if credentials.Username == "" || credentials.Password == "" || credentials.Endpoint == "" {
-		return nil, fmt.Errorf("username, password and endpoint are required")
+	if credentials.APIKey != "" {
+		if credentials.Endpoint == "" {
+			return nil, fmt.Errorf("endpoint is required for api key auth")
+		}
+	} else {
+		if credentials.Username == "" || credentials.Password == "" || credentials.Endpoint == "" {
+			return nil, fmt.Errorf("username, password and endpoint are required for basic auth")
+		}
 	}
 
 	v4Client := &Client{}
@@ -90,8 +113,7 @@ func initVmApiInstance(v4Client *Client, credentials prismgoclient.Credentials)
 	apiClientInstance.VerifySSL = !credentials.Insecure
 	apiClientInstance.Host = ep.host
 	apiClientInstance.Port = ep.port
-	apiClientInstance.AddDefaultHeader(
-		authorizationHeader, fmt.Sprintf("Basic %s", base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", credentials.Username, credentials.Password)))))
+	setAuthHeader(apiClientInstance, credentials)
 	v4Client.VmApiInstance = vmApi.NewVmApi(apiClientInstance)
 	v4Client.ImagesApiInstance = vmApi.NewImagesApi(apiClientInstance)
 	return nil
@@ -106,8 +128,7 @@ func initClusterApiInstance(v4Client *Client, credentials prismgoclient.Credenti
 	apiClientInstance.VerifySSL = !credentials.Insecure
 	apiClientInstance.Host = ep.host
 	apiClientInstance.Port = ep.port
-	apiClientInstance.AddDefaultHeader(
-		authorizationHeader, fmt.Sprintf("Basic %s", base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", credentials.Username, credentials.Password)))))
+	setAuthHeader(apiClientInstance, credentials)
 	v4Client.ClustersApiInstance = clusterApi.NewClustersApi(apiClientInstance)
 	return nil
 }
@@ -121,8 +142,7 @@ func initPrismApiInstance(v4Client *Client, credentials prismgoclient.Credential
 	apiClientInstance.VerifySSL = !credentials.Insecure
 	apiClientInstance.Host = ep.host
 	apiClientInstance.Port = ep.port
-	apiClientInstance.AddDefaultHeader(
-		authorizationHeader, fmt.Sprintf("Basic %s", base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", credentials.Username, credentials.Password)))))
+	setAuthHeader(apiClientInstance, credentials)
 	v4Client.TasksApiInstance = prismApi.NewTasksApi(apiClientInstance)
 	v4Client.CategoriesApiInstance = prismApi.NewCategoriesApi(apiClientInstance)
 	return nil
@@ -137,8 +157,7 @@ func initSubnetApiInstance(v4Client *Client, credentials prismgoclient.Credentia
 	apiClientInstance.SetVerifySSL(!credentials.Insecure)
 	apiClientInstance.Host = ep.host
 	apiClientInstance.Port = ep.port
-	apiClientInstance.AddDefaultHeader(
-		authorizationHeader, fmt.Sprintf("Basic %s", base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", credentials.Username, credentials.Password)))))
+	setAuthHeader(apiClientInstance, credentials)
 	v4Client.SubnetsApiInstance = networkingApi.NewSubnetsApi(apiClientInstance)
 	v4Client.SubnetIPReservationApi = networkingApi.NewSubnetIPReservationApi(apiClientInstance)
 	return nil
@@ -153,8 +172,7 @@ func initStorageApiInstance(v4Client *Client, credentials prismgoclient.Credenti
 	apiClientInstance.SetVerifySSL(!credentials.Insecure)
 	apiClientInstance.Host = ep.host
 	apiClientInstance.Port = ep.port
-	apiClientInstance.AddDefaultHeader(
-		authorizationHeader, fmt.Sprintf("Basic %s", base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", credentials.Username, credentials.Password)))))
+	setAuthHeader(apiClientInstance, credentials)
 	v4Client.StorageContainerAPI = clusterApi.NewStorageContainersApi(apiClientInstance)
 	return nil
 }
@@ -168,8 +186,7 @@ func initVolumesApiInstance(v4Client *Client, credentials prismgoclient.Credenti
 	apiClientInstance.SetVerifySSL(!credentials.Insecure)
 	apiClientInstance.Host = ep.host
 	apiClientInstance.Port = ep.port
-	apiClientInstance.AddDefaultHeader(
-		authorizationHeader, fmt.Sprintf("Basic %s", base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", credentials.Username, credentials.Password)))))
+	setAuthHeader(apiClientInstance, credentials)
 	v4Client.VolumeGroupsApiInstance = volumesApi.NewVolumeGroupsApi(apiClientInstance)
 	return nil
 }

v4/v4_test.go

@@ -7,7 +7,7 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func TestNewV4Client(t *testing.T) {
+func TestNewV4ClientBasicAuth(t *testing.T) {
 	// verifies positive client creation
 	cred := prismgoclient.Credentials{
 		URL:                "foo.com",
@@ -44,5 +44,45 @@ func TestNewV4Client(t *testing.T) {
 
 	v4Client, err = NewV4Client(cred)
 	assert.Nil(t, v4Client)
-	assert.EqualError(t, err, "username, password and endpoint are required")
+	assert.EqualError(t, err, "username, password and endpoint are required for basic auth")
+}
+
+func TestNewV4Client(t *testing.T) {
+	// verifies positive client creation
+	cred := prismgoclient.Credentials{
+		URL:                "foo.com",
+		APIKey:             "my-api-key",
+		Port:               "",
+		Endpoint:           "0.0.0.0",
+		Insecure:           true,
+		FoundationEndpoint: "10.0.0.0",
+		FoundationPort:     "8000",
+		RequiredFields:     nil,
+	}
+	v4Client, err := NewV4Client(cred)
+	assert.NoError(t, err)
+	assert.NotNil(t, v4Client)
+	assert.NotNil(t, v4Client.VmApiInstance)
+	assert.NotNil(t, v4Client.ImagesApiInstance)
+	assert.NotNil(t, v4Client.SubnetsApiInstance)
+	assert.NotNil(t, v4Client.SubnetIPReservationApi)
+	assert.NotNil(t, v4Client.ClustersApiInstance)
+	assert.NotNil(t, v4Client.TasksApiInstance)
+	assert.NotNil(t, v4Client.StorageContainerAPI)
+	assert.NotNil(t, v4Client.CategoriesApiInstance)
+	assert.NotNil(t, v4Client.VolumeGroupsApiInstance)
+
+	// verify missing client scenario
+	cred = prismgoclient.Credentials{
+		URL:      "foo.com",
+		Insecure: true,
+		RequiredFields: map[string][]string{
+			"prism_central": {"username", "password", "endpoint"},
+		},
+		APIKey: "my-api-key",
+	}
+
+	v4Client, err = NewV4Client(cred)
+	assert.Nil(t, v4Client)
+	assert.EqualError(t, err, "endpoint is required for api key auth")
 }