NetApp · cgrinds · Jul 12, 2024
@@ -360,6 +360,13 @@ func (c *Client) fetchTokenWithAuthRetry() error {
 		if err != nil {
 			return err
 		}
+		// If the credential script returns an authToken, use it without re-fetching
+		if pollerAuth.AuthToken != "" {
+			c.token = pollerAuth.AuthToken
+			c.request.Header.Set("Authorization", "Bearer "+c.token)
+			c.Logger.Debug().Msg("Using authToken from credential script")
+			return nil
+		}
 		authB := authBody{
 			Username: pollerAuth.Username,
 			Password: pollerAuth.Password,

@@ -123,8 +123,9 @@ func (c *Credentials) fetchCerts(p *conf.Poller) (string, error) {
 }
 
 type ScriptResponse struct {
-	Username string `yaml:"username"`
-	Data     string `yaml:"password"`
+	Username  string `yaml:"username"`
+	Data      string `yaml:"password"`
+	AuthToken string `yaml:"authToken"`
 }
 
 func (c *Credentials) execScript(cmdPath string, kind string, timeout string, e func(ctx context.Context, path string) *exec.Cmd) (ScriptResponse, error) {
@@ -195,7 +196,7 @@ func (c *Credentials) execScript(cmdPath string, kind string, timeout string, e
 			Msg("Failed to parse YAML output. Treating as plain text.")
 	}
 
-	if err == nil && response.Data != "" {
+	if err == nil && (response.Data != "" || response.AuthToken != "") {
 		// If parsing is successful and data is not empty, return the response.
 		// Username is optional, so it's okay if it's not present.
 		return response, nil
@@ -229,6 +230,7 @@ func (c *Credentials) setNextUpdate() {
 type PollerAuth struct {
 	Username             string
 	Password             string
+	AuthToken            string
 	IsCert               bool
 	HasCredentialScript  bool
 	HasCertificateScript bool
@@ -332,6 +334,7 @@ func getPollerAuth(c *Credentials, poller *conf.Poller) (PollerAuth, error) {
 		return PollerAuth{
 			Username:            response.Username,
 			Password:            response.Data,
+			AuthToken:           response.AuthToken,
 			HasCredentialScript: true,
 			Schedule:            poller.CredentialsScript.Schedule,
 			insecureTLS:         insecureTLS,

@@ -538,6 +538,22 @@ Pollers:
     username: username
     credentials_script:
       path: testdata/get_credentials_yaml_heredoc
+`,
+		},
+
+		{
+			name:       "credentials_script returns authToken",
+			pollerName: "test",
+			want: PollerAuth{
+				AuthToken:           "abcd",
+				HasCredentialScript: true,
+			},
+			yaml: `
+Pollers:
+  test:
+    addr: a.b.c
+    credentials_script:
+      path: testdata/get_credentials_authToken
 `,
 		},
 	}
@@ -577,6 +593,9 @@ Pollers:
 			if tt.want.Password != got.Password {
 				t.Errorf("got password=[%s], want password=[%s]", got.Password, tt.want.Password)
 			}
+			if tt.want.AuthToken != got.AuthToken {
+				t.Errorf("got authToken=[%s], want authToken=[%s]", got.AuthToken, tt.want.AuthToken)
+			}
 			if tt.want.IsCert != got.IsCert {
 				t.Errorf("got IsCert=[%t], want IsCert=[%t]", got.IsCert, tt.want.IsCert)
 			}

@@ -0,0 +1,3 @@
+#!/bin/bash
+# Used by pkg/auth/auth_test.go
+echo 'authToken: abcd'