wip

Author: ja-openai

docs/_docs/refs/configurations.md

@@ -225,6 +225,21 @@ Providers and properties:
   - `l10n.resttemplate.stateless.msal.client-secret=<client-credential-client-secret-id>`
   - `l10n.resttemplate.stateless.msal.scopes=<Application ID URI>/.default`
 
+### CLI Header Auth (e.g., Cloudflare Access)
+
+Configure the CLI to attach static headers (such as Cloudflare Access credentials) to each request
+instead of performing the legacy form login or MSAL flows.
+
+```
+l10n.resttemplate.authentication-mode=HEADER
+l10n.resttemplate.header.headers.CF-Access-Client-Id=<client-id>
+l10n.resttemplate.header.headers.CF-Access-Client-Secret=<client-secret>
+```
+
+Add additional headers as needed by appending more `headers.<Name>=<value>` properties. Values can
+also be provided through environment variables using Spring Boot's relaxed binding, for example
+`L10N_RESTTEMPLATE_HEADER_HEADERS_CF-ACCESS-CLIENT-SECRET`.
+
 ## Box Platform Integration
 
 ### Custom Configurations

restclient/src/main/java/com/box/l10n/mojito/rest/resttemplate/AuthenticatedRestTemplate.java

@@ -72,28 +72,41 @@ protected void init() {
     makeRestTemplateWithCustomObjectMapper(restTemplate);
     setErrorHandlerWithLogging(restTemplate);
 
-    boolean stateless =
-        resttemplateConfig
-            .getAuthenticationMode()
-            .equals(ResttemplateConfig.AuthenticationMode.STATELESS);
-
-    if (stateless) {
-      logger.info("Using stateless Bearer token interceptor");
-      if (bearerTokenInterceptor == null) {
-        throw new IllegalStateException(
-            "Stateless auth selected but BearerTokenInterceptor is not available. Ensure MSAL config is set.");
+    ResttemplateConfig.AuthenticationMode mode = resttemplateConfig.getAuthenticationMode();
+
+    switch (mode) {
+      case STATELESS -> {
+        logger.info("Using stateless Bearer token interceptor");
+        if (bearerTokenInterceptor == null) {
+          throw new IllegalStateException(
+              "Stateless auth selected but BearerTokenInterceptor is not available. Ensure MSAL config is set.");
+        }
+        List<ClientHttpRequestInterceptor> interceptors =
+            Collections.<ClientHttpRequestInterceptor>singletonList(bearerTokenInterceptor);
+        restTemplate.setRequestFactory(
+            new InterceptingClientHttpRequestFactory(restTemplate.getRequestFactory(), interceptors));
+      }
+      case HEADER -> {
+        logger.info("Using header-based authentication");
+        Map<String, String> headers = resttemplateConfig.getHeader().getHeaders();
+        if (headers == null || headers.isEmpty()) {
+          throw new IllegalStateException(
+              "Header authentication selected but no headers have been configured (l10n.resttemplate.header.headers)");
+        }
+        List<ClientHttpRequestInterceptor> interceptors =
+            Collections.<ClientHttpRequestInterceptor>singletonList(
+                new HeaderAuthenticationInterceptor(headers));
+        restTemplate.setRequestFactory(
+            new InterceptingClientHttpRequestFactory(restTemplate.getRequestFactory(), interceptors));
+      }
+      case STATEFUL -> {
+        logger.info("Using stateful CSRF interceptor");
+        List<ClientHttpRequestInterceptor> interceptors =
+            Collections.<ClientHttpRequestInterceptor>singletonList(
+                formLoginAuthenticationCsrfTokenInterceptor);
+        restTemplate.setRequestFactory(
+            new InterceptingClientHttpRequestFactory(restTemplate.getRequestFactory(), interceptors));
       }
-      List<ClientHttpRequestInterceptor> interceptors =
-          Collections.<ClientHttpRequestInterceptor>singletonList(bearerTokenInterceptor);
-      restTemplate.setRequestFactory(
-          new InterceptingClientHttpRequestFactory(restTemplate.getRequestFactory(), interceptors));
-    } else {
-      logger.info("Using stateful CSRF interceptor");
-      List<ClientHttpRequestInterceptor> interceptors =
-          Collections.<ClientHttpRequestInterceptor>singletonList(
-              formLoginAuthenticationCsrfTokenInterceptor);
-      restTemplate.setRequestFactory(
-          new InterceptingClientHttpRequestFactory(restTemplate.getRequestFactory(), interceptors));
     }
   }
 

restclient/src/main/java/com/box/l10n/mojito/rest/resttemplate/HeaderAuthenticationInterceptor.java

@@ -0,0 +1,28 @@
+package com.box.l10n.mojito.rest.resttemplate;
+
+import java.io.IOException;
+import java.util.Map;
+import org.springframework.http.HttpRequest;
+import org.springframework.http.client.ClientHttpRequestExecution;
+import org.springframework.http.client.ClientHttpRequestInterceptor;
+import org.springframework.http.client.ClientHttpResponse;
+
+class HeaderAuthenticationInterceptor implements ClientHttpRequestInterceptor {
+
+  private final Map<String, String> headers;
+
+  HeaderAuthenticationInterceptor(Map<String, String> headers) {
+    this.headers = headers;
+  }
+
+  @Override
+  public ClientHttpResponse intercept(
+      HttpRequest request, byte[] body, ClientHttpRequestExecution execution) throws IOException {
+    headers.forEach((name, value) -> {
+      if (name != null && value != null) {
+        request.getHeaders().set(name, value);
+      }
+    });
+    return execution.execute(request, body);
+  }
+}

restclient/src/main/java/com/box/l10n/mojito/rest/resttemplate/ResttemplateConfig.java

@@ -1,5 +1,7 @@
 package com.box.l10n.mojito.rest.resttemplate;
 
+import java.util.HashMap;
+import java.util.Map;
 import java.util.Set;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.stereotype.Component;
@@ -22,6 +24,8 @@ public class ResttemplateConfig {
 
   StatelessAuthentication stateless = new StatelessAuthentication();
 
+  HeaderAuthentication header = new HeaderAuthentication();
+
   AuthenticationMode authenticationMode = AuthenticationMode.STATEFUL;
 
   public static class Authentication {
@@ -63,7 +67,21 @@ public enum CredentialProvider {
 
   public enum AuthenticationMode {
     STATEFUL,
-    STATELESS
+    STATELESS,
+    HEADER
+  }
+
+  public static class HeaderAuthentication {
+
+    Map<String, String> headers = new HashMap<>();
+
+    public Map<String, String> getHeaders() {
+      return headers;
+    }
+
+    public void setHeaders(Map<String, String> headers) {
+      this.headers = headers;
+    }
   }
 
   public static class StatelessAuthentication {
@@ -184,6 +202,14 @@ public void setStateless(StatelessAuthentication stateless) {
     this.stateless = stateless;
   }
 
+  public HeaderAuthentication getHeader() {
+    return header;
+  }
+
+  public void setHeader(HeaderAuthentication header) {
+    this.header = header;
+  }
+
   public AuthenticationMode getAuthenticationMode() {
     return authenticationMode;
   }

restclient/src/test/java/com/box/l10n/mojito/rest/resttemplate/AuthenticatedRestTemplateTest.java

@@ -56,6 +56,8 @@ public void before() {
 
     // resets the mock server that was set inside the rest template
     authenticatedRestTemplate.restTemplate = new CookieStoreRestTemplate();
+    resttemplateConfig.setAuthenticationMode(ResttemplateConfig.AuthenticationMode.STATEFUL);
+    resttemplateConfig.getHeader().getHeaders().clear();
     authenticatedRestTemplate.init();
 
     // if port was 0, then the server will randomize it on start up, and now we
@@ -226,6 +228,41 @@ public void testAuthRestTemplateFor401() {
             .withHeader("X-CSRF-TOKEN", WireMock.matching("madeup-csrf-value")));
   }
 
+  @Test
+  public void testHeaderAuthenticationAddsConfiguredHeaders() {
+    Map<String, String> originalHeaders =
+        new HashMap<>(resttemplateConfig.getHeader().getHeaders());
+    ResttemplateConfig.AuthenticationMode originalMode =
+        resttemplateConfig.getAuthenticationMode();
+
+    try {
+      resttemplateConfig.setAuthenticationMode(ResttemplateConfig.AuthenticationMode.HEADER);
+      resttemplateConfig.getHeader().getHeaders().clear();
+      resttemplateConfig.getHeader().getHeaders().put("CF-Access-Client-Id", "client-id");
+      resttemplateConfig.getHeader().getHeaders().put("CF-Access-Client-Secret", "client-secret");
+
+      authenticatedRestTemplate.restTemplate = new CookieStoreRestTemplate();
+      authenticatedRestTemplate.init();
+
+      WireMock.stubFor(
+          WireMock.get(WireMock.urlEqualTo("/header-protected"))
+              .willReturn(WireMock.aResponse().withStatus(HttpStatus.OK.value())));
+
+      authenticatedRestTemplate.getForObject("header-protected", String.class);
+
+      WireMock.verify(
+          WireMock.getRequestedFor(WireMock.urlEqualTo("/header-protected"))
+              .withHeader("CF-Access-Client-Id", WireMock.equalTo("client-id"))
+              .withHeader("CF-Access-Client-Secret", WireMock.equalTo("client-secret")));
+    } finally {
+      resttemplateConfig.setAuthenticationMode(originalMode);
+      resttemplateConfig.getHeader().getHeaders().clear();
+      resttemplateConfig.getHeader().getHeaders().putAll(originalHeaders);
+      authenticatedRestTemplate.restTemplate = new CookieStoreRestTemplate();
+      authenticatedRestTemplate.init();
+    }
+  }
+
   protected void initialAuthenticationMock() {
     String expectedResponse = "expected content";