feat: added skip-hash option for basic-auth creation (#576)

* feat: added skip-hash option for basic-auth creation

* tests: added unit tests for new methods

* style: removed unnecessary declarations

* chore: added changelog for basic-auth skip-hash change

* style: introduced credentialOptions to make the credential interface cleaner

* style: reusing CreateWithOptions and UpdateWithOptions methods

Author: Prashansa-K

CHANGELOG.md

@@ -1,5 +1,6 @@
 # Table of Contents
 
+- [v0.68.0](#v0680)
 - [v0.67.0](#v0670)
 - [v0.66.1](#v0661)
 - [v0.66.0](#v0660)
@@ -84,6 +85,15 @@
 - [0.2.0](#020)
 - [0.1.0](#010)
 
+## [v0.68.0]
+
+> Release date: 2025/09/26
+
+- Added `BasicAuthOptions` to allow skipping hashing for
+  BasicAuth passwords. `CreateWithOptions` and `UpdateWitOptions`
+  methods are added for basic-auth for the same.
+  [#576](https://github.com/Kong/go-kong/pull/576)
+
 ## [v0.67.0]
 
 > Release date: 2025/05/26

kong/acl_service.go

@@ -37,7 +37,9 @@ func (s *ACLService) Create(ctx context.Context,
 	consumerUsernameOrID *string, aclGroup *ACLGroup,
 ) (*ACLGroup, error) {
 	cred, err := s.client.credentials.Create(ctx, "acl",
-		consumerUsernameOrID, aclGroup)
+		consumerUsernameOrID, credentialOptions{
+			credential: aclGroup,
+		})
 	if err != nil {
 		return nil, err
 	}
@@ -94,7 +96,9 @@ func (s *ACLService) Update(ctx context.Context,
 	consumerUsernameOrID *string, aclGroup *ACLGroup,
 ) (*ACLGroup, error) {
 	cred, err := s.client.credentials.Update(ctx, "acl",
-		consumerUsernameOrID, aclGroup)
+		consumerUsernameOrID, credentialOptions{
+			credential: aclGroup,
+		})
 	if err != nil {
 		return nil, err
 	}

kong/basic_auth_service.go

@@ -3,19 +3,33 @@ package kong
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 )
 
+// BasicAuthOptions provides configuration options for basic auth operations
+// +k8s:deepcopy-gen=true
+type BasicAuthOptions struct {
+	BasicAuth
+	SkipHash *bool
+}
+
 // AbstractBasicAuthService handles basic-auth credentials in Kong.
 type AbstractBasicAuthService interface {
 	// Create creates a basic-auth credential in Kong
 	// is auto-generated.
 	Create(ctx context.Context, consumerUsernameOrID *string, basicAuth *BasicAuth) (*BasicAuth, error)
+	// CreateWithOptions creates a basic-auth credential in Kong
+	// with the options provided.
+	CreateWithOptions(ctx context.Context, consumerUsernameOrID *string, opts *BasicAuthOptions) (*BasicAuth, error)
 	// Get fetches a basic-auth credential from Kong.
 	Get(ctx context.Context, consumerUsernameOrID, usernameOrID *string) (*BasicAuth, error)
 	// GetByID fetches a basic-auth credential from Kong using ID.
 	GetByID(ctx context.Context, id *string) (*BasicAuth, error)
 	// Update updates a basic-auth credential in Kong
 	Update(ctx context.Context, consumerUsernameOrID *string, basicAuth *BasicAuth) (*BasicAuth, error)
+	// UpdateWithOptions updates a basic-auth credential in Kong
+	// with the options provided.
+	UpdateWithOptions(ctx context.Context, consumerUsernameOrID *string, opts *BasicAuthOptions) (*BasicAuth, error)
 	// Delete deletes a basic-auth credential in Kong
 	Delete(ctx context.Context, consumerUsernameOrID, usernameOrID *string) error
 	// List fetches a list of basic-auth credentials in Kong.
@@ -37,8 +51,35 @@ type BasicAuthService service
 func (s *BasicAuthService) Create(ctx context.Context,
 	consumerUsernameOrID *string, basicAuth *BasicAuth,
 ) (*BasicAuth, error) {
+	if basicAuth == nil {
+		return nil, fmt.Errorf("basic auth credential is required")
+	}
+
+	return s.CreateWithOptions(ctx, consumerUsernameOrID, &BasicAuthOptions{BasicAuth: *basicAuth, SkipHash: nil})
+}
+
+// CreateWithOptions creates a basic-auth credential in Kong
+// with the options provided.
+// If an ID is specified, it will be used to
+// create a basic-auth in Kong, otherwise an ID
+// is auto-generated.
+func (s *BasicAuthService) CreateWithOptions(ctx context.Context,
+	consumerUsernameOrID *string, opts *BasicAuthOptions,
+) (*BasicAuth, error) {
+	if opts == nil {
+		return nil, fmt.Errorf("basic auth options and credential are required")
+	}
+
+	var skipHash bool
+	if opts.SkipHash != nil {
+		skipHash = *opts.SkipHash
+	}
+
 	cred, err := s.client.credentials.Create(ctx, "basic-auth",
-		consumerUsernameOrID, basicAuth)
+		consumerUsernameOrID, credentialOptions{
+			credential: &opts.BasicAuth,
+			skipHash:   skipHash,
+		})
 	if err != nil {
 		return nil, err
 	}
@@ -94,8 +135,32 @@ func (s *BasicAuthService) GetByID(ctx context.Context,
 func (s *BasicAuthService) Update(ctx context.Context,
 	consumerUsernameOrID *string, basicAuth *BasicAuth,
 ) (*BasicAuth, error) {
+	if basicAuth == nil {
+		return nil, fmt.Errorf("basic auth credential is required")
+	}
+
+	return s.UpdateWithOptions(ctx, consumerUsernameOrID, &BasicAuthOptions{BasicAuth: *basicAuth, SkipHash: nil})
+}
+
+// UpdateWithOptions updates a basic-auth credential in Kong
+// with the options provided.
+func (s *BasicAuthService) UpdateWithOptions(ctx context.Context,
+	consumerUsernameOrID *string, opts *BasicAuthOptions,
+) (*BasicAuth, error) {
+	if opts == nil {
+		return nil, fmt.Errorf("basic auth options and credential are required")
+	}
+
+	var skipHash bool
+	if opts.SkipHash != nil {
+		skipHash = *opts.SkipHash
+	}
+
 	cred, err := s.client.credentials.Update(ctx, "basic-auth",
-		consumerUsernameOrID, basicAuth)
+		consumerUsernameOrID, credentialOptions{
+			credential: &opts.BasicAuth,
+			skipHash:   skipHash,
+		})
 	if err != nil {
 		return nil, err
 	}

kong/basic_auth_service_test.go

@@ -398,3 +398,194 @@ func TestBasicAuthListMethods(T *testing.T) {
 	require.NoError(client.Consumers.Delete(defaultCtx, consumer1.ID))
 	require.NoError(client.Consumers.Delete(defaultCtx, consumer2.ID))
 }
+
+func TestBasicAuthCreateWithOptions(T *testing.T) {
+	RunWhenDBMode(T, "postgres")
+
+	assert := assert.New(T)
+	require := require.New(T)
+
+	client, err := NewTestClient(nil, nil)
+	require.NoError(err)
+	assert.NotNil(client)
+
+	// Test with nil options
+	basicAuth, err := client.BasicAuths.CreateWithOptions(defaultCtx,
+		String("foo"), nil)
+	require.Error(err)
+	assert.Nil(basicAuth)
+	assert.Contains(err.Error(), "basic auth options and credential are required")
+
+	// consumer for the basic-auth:
+	consumer := &Consumer{
+		Username: String("foo"),
+	}
+
+	consumer, err = client.Consumers.Create(defaultCtx, consumer)
+	require.NoError(err)
+	require.NotNil(consumer)
+
+	// Test with empty consumer ID
+	opts := &BasicAuthOptions{
+		BasicAuth: BasicAuth{
+			Username: String("test-username"),
+			Password: String("test-password"),
+		},
+	}
+	basicAuth, err = client.BasicAuths.CreateWithOptions(defaultCtx,
+		String(""), opts)
+	require.Error(err)
+	assert.Nil(basicAuth)
+
+	// Test with non-existent consumer
+	basicAuth, err = client.BasicAuths.CreateWithOptions(defaultCtx,
+		String("does-not-exist"), opts)
+	require.Error(err)
+	assert.Nil(basicAuth)
+
+	// Test with missing username
+	optsNoUsername := &BasicAuthOptions{
+		BasicAuth: BasicAuth{
+			Password: String("test-password"),
+		},
+	}
+	basicAuth, err = client.BasicAuths.CreateWithOptions(defaultCtx,
+		consumer.ID, optsNoUsername)
+	require.Error(err)
+	assert.Nil(basicAuth)
+
+	// Test successful creation with SkipHash = false
+	uuid1 := uuid.NewString()
+	skipHashFalse := false
+	opts = &BasicAuthOptions{
+		BasicAuth: BasicAuth{
+			ID:       String(uuid1),
+			Username: String("test-username"),
+			Password: String("test-password"),
+		},
+		SkipHash: &skipHashFalse,
+	}
+	basicAuth, err = client.BasicAuths.CreateWithOptions(defaultCtx,
+		consumer.ID, opts)
+	require.NoError(err)
+	assert.NotNil(basicAuth)
+	assert.Equal(uuid1, *basicAuth.ID)
+	assert.Equal("test-username", *basicAuth.Username)
+	// password should be hashed when SkipHash is false
+	assert.NotEqual("test-password", *basicAuth.Password)
+
+	// Clean up
+	err = client.BasicAuths.Delete(defaultCtx, consumer.ID, basicAuth.Username)
+	require.NoError(err)
+
+	// Test with SkipHash = true can work only with Konnect for now
+	// TODO: enable this test for Konnect when we have a way to run tests against Konnect
+
+	// Test successful creation with nil SkipHash (should default to false)
+	uuid3 := uuid.NewString()
+	opts = &BasicAuthOptions{
+		BasicAuth: BasicAuth{
+			ID:       String(uuid3),
+			Username: String("test-username-3"),
+			Password: String("test-password-3"),
+		},
+		SkipHash: nil,
+	}
+	basicAuthNilSkip, err := client.BasicAuths.CreateWithOptions(defaultCtx,
+		consumer.ID, opts)
+	require.NoError(err)
+	assert.NotNil(basicAuthNilSkip)
+	assert.Equal(uuid3, *basicAuthNilSkip.ID)
+	assert.Equal("test-username-3", *basicAuthNilSkip.Username)
+	// password should be hashed when SkipHash is nil (defaults to false)
+	assert.NotEqual("test-password-3", *basicAuthNilSkip.Password)
+
+	require.NoError(client.Consumers.Delete(defaultCtx, consumer.ID))
+}
+
+func TestBasicAuthUpdateWithOptions(T *testing.T) {
+	RunWhenDBMode(T, "postgres")
+
+	assert := assert.New(T)
+	require := require.New(T)
+
+	client, err := NewTestClient(nil, nil)
+	require.NoError(err)
+	assert.NotNil(client)
+
+	// consumer for the basic-auth:
+	consumer := &Consumer{
+		Username: String("foo"),
+	}
+
+	consumer, err = client.Consumers.Create(defaultCtx, consumer)
+	require.NoError(err)
+	require.NotNil(consumer)
+
+	// Create initial basic auth credential
+	uuidStr := uuid.NewString()
+	basicAuth := &BasicAuth{
+		ID:       String(uuidStr),
+		Username: String("initial-username"),
+		Password: String("initial-password"),
+	}
+
+	createdBasicAuth, err := client.BasicAuths.Create(defaultCtx,
+		consumer.ID, basicAuth)
+	require.NoError(err)
+	assert.NotNil(createdBasicAuth)
+
+	// Test with nil options
+	updatedBasicAuth, err := client.BasicAuths.UpdateWithOptions(defaultCtx,
+		consumer.ID, nil)
+	require.Error(err)
+	assert.Nil(updatedBasicAuth)
+	assert.Contains(err.Error(), "basic auth options and credential are required")
+
+	// Test successful update with SkipHash = false
+	skipHashFalse := false
+	opts := &BasicAuthOptions{
+		BasicAuth: BasicAuth{
+			ID:       createdBasicAuth.ID,
+			Username: String("updated-username"),
+			Password: String("updated-password"),
+		},
+		SkipHash: &skipHashFalse,
+	}
+	updatedBasicAuth, err = client.BasicAuths.UpdateWithOptions(defaultCtx,
+		consumer.ID, opts)
+	require.NoError(err)
+	assert.NotNil(updatedBasicAuth)
+	assert.Equal("updated-username", *updatedBasicAuth.Username)
+	// password should be hashed when SkipHash is false
+	assert.NotEqual("updated-password", *updatedBasicAuth.Password)
+
+	// Test successful update with SkipHash = true
+	// Test with SkipHash = true can work only with Konnect for now
+	// TODO: enable this test for Konnect when we have a way to run tests against Konnect
+
+	// Test successful update with nil SkipHash (should default to false)
+	opts = &BasicAuthOptions{
+		BasicAuth: BasicAuth{
+			ID:       createdBasicAuth.ID,
+			Username: String("updated-username-3"),
+			Password: String("updated-password-3"),
+		},
+		SkipHash: nil,
+	}
+	updatedBasicAuth, err = client.BasicAuths.UpdateWithOptions(defaultCtx,
+		consumer.ID, opts)
+	require.NoError(err)
+	assert.NotNil(updatedBasicAuth)
+	assert.Equal("updated-username-3", *updatedBasicAuth.Username)
+	// password should be hashed when SkipHash is nil (defaults to false)
+	assert.NotEqual("updated-password-3", *updatedBasicAuth.Password)
+
+	// Verify the credential was actually updated
+	retrievedBasicAuth, err := client.BasicAuths.Get(defaultCtx,
+		consumer.ID, updatedBasicAuth.Username)
+	require.NoError(err)
+	assert.Equal("updated-username-3", *retrievedBasicAuth.Username)
+
+	require.NoError(client.Consumers.Delete(defaultCtx, consumer.ID))
+}