issue #11 -Implement authentication refactor: Add CfAuth interface, ApiTokenAuth and EmailKeyAuth implementations, and CfAuthBuilder for flexible authentication in CfDnsClient. Update tests and adjust related classes for compatibility.

This commit is contained in:
2026-01-23 15:36:17 +01:00
parent 773573bd39
commit b593ca7311
11 changed files with 195 additions and 76 deletions
@@ -1,5 +1,6 @@
package codes.thischwa.cf;
import codes.thischwa.cf.auth.CfAuth;
import codes.thischwa.cf.model.AbstractResponse;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
@@ -19,6 +20,7 @@ import org.apache.hc.core5.http.HttpHeaders;
import org.apache.hc.core5.http.io.entity.EntityUtils;
import org.apache.hc.core5.http.io.entity.StringEntity;
import org.apache.hc.core5.http.message.BasicClassicHttpRequest;
import org.jetbrains.annotations.NotNull;
/**
* Abstract base class for creating HTTP clients to interact with the Cloudflare API. Provides
@@ -27,23 +29,20 @@ import org.apache.hc.core5.http.message.BasicClassicHttpRequest;
*/
@Slf4j
abstract class CfBasicHttpClient {
private final String baseUrl;
private final String authEmail;
private final String authKey;
private final String baseUrl;
private final CfAuth auth;
private final ObjectMapper objectMapper;
CfBasicHttpClient(String baseUrl, String authEmail, String authKey)
throws IllegalArgumentException {
if (authEmail == null || authEmail.isBlank()) {
throw new IllegalArgumentException("Authentication email must not be null or blank!");
}
if (authKey == null || authKey.isBlank()) {
throw new IllegalArgumentException("Authentication key must not be null or blank!");
}
/**
* Creates a new Cloudflare HTTP client with the specified base URL and authentication.
*
* @param baseUrl the base URL for the Cloudflare API
* @param auth the authentication mechanism to use
*/
CfBasicHttpClient(@NotNull String baseUrl, @NotNull CfAuth auth) {
this.baseUrl = baseUrl;
this.authEmail = authEmail;
this.authKey = authKey;
this.auth = auth;
this.objectMapper = JsonConf.initObjectMapper();
}
@@ -53,8 +52,9 @@ abstract class CfBasicHttpClient {
request.addHeader(HttpHeaders.ACCEPT_ENCODING, "gzip");
request.addHeader(HttpHeaders.ACCEPT, ContentType.APPLICATION_JSON.getMimeType());
request.addHeader(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_JSON.getMimeType());
request.addHeader("X-Auth-Email", authEmail);
request.addHeader("X-Auth-Key", authKey);
if (request instanceof ClassicHttpRequest classicRequest) {
auth.applyAuth(classicRequest);
}
}).build();
}
@@ -1,5 +1,6 @@
package codes.thischwa.cf;
import codes.thischwa.cf.auth.CfAuth;
import codes.thischwa.cf.fluent.ZoneOperations;
import codes.thischwa.cf.fluent.ZoneOperationsImpl;
import codes.thischwa.cf.model.AbstractResponse;
@@ -26,57 +27,71 @@ import org.jetbrains.annotations.Nullable;
* records and zones within the Cloudflare system, including creating, updating, retrieving, and
* deleting DNS records.
*
* <p>Example:
* <p>Example with API token authentication (recommended):
* <pre><code>
* // Create a new CfDnsClient instance
* CfDnsClient cfDnsClient = new CfDnsClient(
* "email@example.com",
* "yourApiKey"
* );
* // Create a new CfDnsClient instance with API token
* CfDnsClient cfDnsClient = new CfDnsClient(CfAuthBuilder.build("your-api-token"));
*
* // Retrieve a zone
* ZoneEntity zone = cfDnsClient.zoneGet("example.com");
* System.out.println("Zone ID: " + zone.getId());
*
* // Retrieve records of a subdomain
* List&lt;{@link RecordEntity}&gt; records = cfDnsClient.recordGet(zone, "sld");
* List&lt;RecordEntity&gt; records = cfDnsClient.recordList(zone, "sld");
* records.forEach(record ->
* System.out.println("Record Type: " + record.getType() + ", Value: " + record.getContent())
* );
*
* // Create a record for the subdomain "api"
* RecordEntity created = cfDnsClient.recordCreateSld(zone, "api", 60, RecordType.A, "192.168.1.10");
* System.out.println("Created Record ID: " + created.getId());
* </code></pre>
*
* <p>Example with email/key authentication (legacy):
* <pre><code>
* CfDnsClient cfDnsClient = new CfDnsClient(
* CfAuthBuilder.build("email@example.com", "your-api-key")
* );
* </code></pre>
*
* <p>Example with exception throwing enabled:
* <pre><code>
* // Throws exception when results are empty
* CfDnsClient cfDnsClient = new CfDnsClient(true, CfAuthBuilder.build("your-api-token"));
* </code></pre>
*
* <p>Example with custom base URL:
* <pre><code>
* CfAuth auth = CfAuthBuilder.build("your-api-token");
* auth.setBaseUrl("https://custom-api.example.com");
* CfDnsClient cfDnsClient = new CfDnsClient(auth);
* </code></pre>
*/
@Slf4j
public class CfDnsClient extends CfBasicHttpClient {
private static final String DEFAULT_BASEURL = "https://api.cloudflare.com/client/v4";
public static final String DEFAULT_BASEURL = "https://api.cloudflare.com/client/v4";
private final ResponseValidator responseValidator;
private final boolean emptyResultThrowsException;
/**
* Constructs a new instance of {@code CfDnsClient}.
* Constructs a new instance of {@code CfDnsClient} with default configuration.
*
* @param authEmail The email address associated with the Cloudflare account, used for
* authentication.
* @param authKey The API key of the Cloudflare account, used as part of the authentication
* process.
* @param auth The authentication mechanism to use (ApiTokenAuth or EmailKeyAuth)
*/
public CfDnsClient(String authEmail, String authKey) {
this(DEFAULT_BASEURL, authEmail, authKey);
public CfDnsClient(CfAuth auth) {
this(false, DEFAULT_BASEURL, auth);
}
/**
* Constructs a new instance of {@code CfDnsClient}.
*
* @param baseUrl The base URL of the Cloudflare API to be used for requests.
* @param authEmail The email address associated with the Cloudflare account, used for
* authentication.
* @param authKey The API key of the Cloudflare account, used as part of the authentication
* process.
* @param baseUrl The base URL of the Cloudflare API to be used for requests.
* @param auth The authentication mechanism to use (ApiTokenAuth or EmailKeyAuth)
*/
public CfDnsClient(String baseUrl, String authEmail, String authKey) {
this(false, baseUrl, authEmail, authKey);
public CfDnsClient(String baseUrl, CfAuth auth) {
this(false, baseUrl, auth);
}
/**
@@ -85,13 +100,10 @@ public class CfDnsClient extends CfBasicHttpClient {
* @param emptyResultThrowsException A boolean value indicating whether an exception should be
* thrown when the result is empty. Applies to both single and
* multiple result requests. Default is false.
* @param authEmail The email address associated with the Cloudflare account,
* used for authentication.
* @param authKey The API key of the Cloudflare account, used as part of the
* authentication process.
* @param auth The authentication mechanism to use (ApiTokenAuth or EmailKeyAuth)
*/
public CfDnsClient(boolean emptyResultThrowsException, String authEmail, String authKey) {
this(emptyResultThrowsException, DEFAULT_BASEURL, authEmail, authKey);
public CfDnsClient(boolean emptyResultThrowsException, CfAuth auth) {
this(emptyResultThrowsException, DEFAULT_BASEURL, auth);
}
/**
@@ -101,14 +113,10 @@ public class CfDnsClient extends CfBasicHttpClient {
* thrown when the result is empty. Applies to both single and
* multiple result requests. Default is false.
* @param baseUrl The base URL for the Cloudflare API endpoint.
* @param authEmail The email associated with the Cloudflare account for
* authentication.
* @param authKey The API key for authenticating the client with Cloudflare
* services.
* @param auth The authentication mechanism to use (ApiTokenAuth or EmailKeyAuth)
*/
public CfDnsClient(boolean emptyResultThrowsException, String baseUrl, String authEmail,
String authKey) {
super(baseUrl, authEmail, authKey);
public CfDnsClient(boolean emptyResultThrowsException, String baseUrl, CfAuth auth) {
super(baseUrl, auth);
this.responseValidator = new ResponseValidator(emptyResultThrowsException);
this.emptyResultThrowsException = emptyResultThrowsException;
}
@@ -0,0 +1,31 @@
package codes.thischwa.cf.auth;
import org.apache.hc.core5.http.ClassicHttpRequest;
import org.jetbrains.annotations.NotNull;
/**
* Authentication mechanism using Cloudflare API token.
* This is the recommended authentication method for the Cloudflare API.
*/
public class ApiTokenAuth implements CfAuth {
private final String apiToken;
/**
* Creates a new API token authentication object.
*
* @param apiToken the Cloudflare API token
* @throws IllegalArgumentException if the API token is null or blank
*/
public ApiTokenAuth(@NotNull String apiToken) {
if (apiToken.isBlank()) {
throw new IllegalArgumentException("API token must not be null or blank!");
}
this.apiToken = apiToken;
}
@Override
public void applyAuth(ClassicHttpRequest request) {
request.addHeader("Authorization", "Bearer " + apiToken);
}
}
@@ -0,0 +1,19 @@
package codes.thischwa.cf.auth;
import org.apache.hc.core5.http.ClassicHttpRequest;
/**
* Interface for Cloudflare authentication mechanisms.
* Implementations of this interface provide different methods of authentication
* with the Cloudflare API (e.g., API token, email/key combination).
*/
public interface CfAuth {
/**
* Applies authentication headers to the given HTTP request.
*
* @param request the HTTP request to authenticate
*/
void applyAuth(ClassicHttpRequest request);
}
@@ -0,0 +1,12 @@
package codes.thischwa.cf.auth;
public class CfAuthBuilder {
public static ApiTokenAuth build(String apiToken) {
return new ApiTokenAuth(apiToken);
}
public static EmailKeyAuth build(String authEmail, String authKey) {
return new EmailKeyAuth(authEmail, authKey);
}
}
@@ -0,0 +1,38 @@
package codes.thischwa.cf.auth;
import org.apache.hc.core5.http.ClassicHttpRequest;
import org.jetbrains.annotations.NotNull;
/**
* Authentication mechanism using Cloudflare account email and API key.
* This is the legacy authentication method for the Cloudflare API.
*/
public class EmailKeyAuth implements CfAuth {
private final String authEmail;
private final String authKey;
/**
* Creates a new email/key authentication object.
*
* @param authEmail the email address associated with the Cloudflare account
* @param authKey the API key of the Cloudflare account
* @throws IllegalArgumentException if email or key is null or blank
*/
public EmailKeyAuth(@NotNull String authEmail, @NotNull String authKey) {
if (authEmail.isBlank()) {
throw new IllegalArgumentException("Authentication email must not be null or blank!");
}
if (authKey.isBlank()) {
throw new IllegalArgumentException("Authentication key must not be null or blank!");
}
this.authEmail = authEmail;
this.authKey = authKey;
}
@Override
public void applyAuth(ClassicHttpRequest request) {
request.addHeader("X-Auth-Email", authEmail);
request.addHeader("X-Auth-Key", authKey);
}
}
@@ -0,0 +1,5 @@
/**
* The authentication package of CloudflareDNS-java.
*/
package codes.thischwa.cf.auth;
@@ -64,10 +64,10 @@ public class RecordEntity extends AbstractEntity {
*/
public static RecordEntity build(String name, RecordType type, Integer ttl, String content) {
RecordEntity rec = new RecordEntity();
rec.setName(name);
rec.setType(type.getType());
rec.setTtl(ttl);
rec.setContent(content);
rec.name = name;
rec.type = type.getType();
rec.ttl = ttl;
rec.content = content;
return rec;
}
@@ -81,7 +81,7 @@ public class RecordEntity extends AbstractEntity {
public static RecordEntity build(String id, String content) {
RecordEntity rec = new RecordEntity();
rec.setId(id);
rec.setContent(content);
rec.content = content;
return rec;
}
@@ -104,8 +104,12 @@ public class RecordEntity extends AbstractEntity {
throw new IllegalArgumentException("Invalid record type: " + type + ". Must be one of: "
+ java.util.Arrays.toString(RecordType.values()), e);
}
RecordEntity rec = build(name, recordType, ttl, content);
RecordEntity rec = new RecordEntity();
rec.setId(id);
rec.name = name;
rec.type = recordType.getType();
rec.ttl = ttl;
rec.content = content;
return rec;
}
@@ -199,6 +199,6 @@ public enum RecordType {
@Override
public String toString() {
return getType();
return type;
}
}
@@ -4,6 +4,7 @@ import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assumptions.assumeTrue;
import codes.thischwa.cf.auth.CfAuthBuilder;
import codes.thischwa.cf.model.RecordType;
import codes.thischwa.cf.model.ZoneEntity;
import java.util.List;
@@ -22,24 +23,22 @@ public class CfClientPenTest {
private static final String ZONE_STR = "mein-d-ns.de"; // existing baseline zone
private static final String API_EMAIL = System.getenv("API_EMAIL");
private static final String API_KEY = System.getenv("API_KEY");
private static final String API_TOKEN = System.getenv("API_TOKEN");
@BeforeAll
static void checkEnv() {
assumeTrue(API_EMAIL != null && !API_EMAIL.isBlank(), "API_EMAIL not set; skipping pen tests");
assumeTrue(API_KEY != null && !API_KEY.isBlank(), "API_KEY not set; skipping pen tests");
assumeTrue(API_TOKEN != null && !API_TOKEN.isBlank(), "API_TOKEN not set; skipping pen tests");
}
private CfDnsClient newClient() {
return new CfDnsClient(true, API_EMAIL, API_KEY);
return new CfDnsClient(true, CfAuthBuilder.build(API_TOKEN));
}
@Test
@DisplayName("Invalid credentials should not authenticate and must throw CloudflareApiException")
void testInvalidCredentialsShouldFail() {
// Use syntactically valid but wrong credentials
CfDnsClient badClient = new CfDnsClient("invalid@example.com", UUID.randomUUID().toString());
CfDnsClient badClient = new CfDnsClient(CfAuthBuilder.build("invalid@example.com", UUID.randomUUID().toString()));
assertThrows(CloudflareApiException.class, badClient::zoneList);
}
@@ -8,6 +8,9 @@ import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.junit.jupiter.api.Assertions.fail;
import static org.junit.jupiter.api.Assumptions.assumeTrue;
import codes.thischwa.cf.auth.ApiTokenAuth;
import codes.thischwa.cf.auth.CfAuthBuilder;
import codes.thischwa.cf.auth.EmailKeyAuth;
import codes.thischwa.cf.model.BatchEntry;
import codes.thischwa.cf.model.RecordEntity;
import codes.thischwa.cf.model.RecordType;
@@ -28,15 +31,13 @@ public class CfClientTest {
private static final String SLD_STR = "devsld";
private static final int TTL = 60;
private static final String API_EMAIL = System.getenv("API_EMAIL");
private static final String API_KEY = System.getenv("API_KEY");
private static final String API_TOKEN = System.getenv("API_TOKEN");
private final CfDnsClient client = new CfDnsClient(true, API_EMAIL, API_KEY);
private final CfDnsClient client = new CfDnsClient(true, CfAuthBuilder.build(API_TOKEN));
@BeforeAll
static void checkEnv() {
assumeTrue(API_EMAIL != null && !API_EMAIL.isBlank(), "API_EMAIL not set; skipping pen tests");
assumeTrue(API_KEY != null && !API_KEY.isBlank(), "API_KEY not set; skipping pen tests");
assumeTrue(API_TOKEN != null && !API_TOKEN.isBlank(), "API_TOKEN not set; skipping client tests");
}
@Test
@@ -106,13 +107,13 @@ public class CfClientTest {
void testDns() throws Exception {
// starting point: already existing zone 'mein-d-ns.de'
ZoneEntity z = client.zoneGet(ZONE_STR);
assertEquals("0a83dd6e7f8c46039f2517bbded8115e", z.getId());
assertEquals("cf9d8b12f61423f280e0a3ea2a96d921", z.getId());
assertEquals("mein-d-ns.de", z.getName());
assertEquals("active", z.getStatus());
assertEquals(2, z.getNameServers().size());
assertTrue(z.getNameServers().contains("sergi.ns.cloudflare.com"));
assertEquals(4, z.getOriginalNameServers().size());
assertTrue(z.getOriginalNameServers().contains("a.ns14.net"));
assertTrue(z.getNameServers().contains("rafe.ns.cloudflare.com"));
assertTrue(z.getOriginalNameServers().size() >= 2);
assertTrue(z.getOriginalNameServers().contains("blair.ns.cloudflare.com"));
assertNotNull(z.getActivatedOn());
assertNotNull(z.getModifiedOn());
assertNotNull(z.getCreatedOn());
@@ -226,10 +227,12 @@ public class CfClientTest {
@Test
void testException() {
assertThrows(IllegalArgumentException.class, () -> new CfDnsClient(null, "key"));
assertThrows(IllegalArgumentException.class, () -> new CfDnsClient("email", null));
assertThrows(IllegalArgumentException.class, () -> new CfDnsClient("email", ""));
assertThrows(IllegalArgumentException.class, () -> new CfDnsClient("", "key"));
// Test EmailKeyAuth validation
assertThrows(IllegalArgumentException.class, () -> new EmailKeyAuth("email", ""));
assertThrows(IllegalArgumentException.class, () -> new EmailKeyAuth("", "key"));
// Test ApiTokenAuth validation;
assertThrows(IllegalArgumentException.class, () -> new ApiTokenAuth(""));
}
@Test