greenbone
diff --git a/‎pkg/auth/README.md‎
Lines changed: 68 additions & 0 deletions b/‎pkg/auth/README.md‎
Lines changed: 68 additions & 0 deletions
diff --git a/‎pkg/auth/auth_client.go‎
Lines changed: 125 additions & 0 deletions b/‎pkg/auth/auth_client.go‎
Lines changed: 125 additions & 0 deletions
diff --git a/‎pkg/auth/auth_client_test.go‎
Lines changed: 111 additions & 0 deletions b/‎pkg/auth/auth_client_test.go‎
Lines changed: 111 additions & 0 deletions
@@ -0,0 +1,68 @@
+<!-- gomarkdoc:embed:start -->
+
+<!-- Code generated by gomarkdoc. DO NOT EDIT -->
+
+# auth
+
+```go
+import "github.com/greenbone/opensight-golang-libraries/pkg/auth"
+```
+
+Package auth provides a client to authenticate against a Keycloak server.
+
+## Index
+
+- [type KeycloakClient](<#KeycloakClient>)
+  - [func NewKeycloakClient\(httpClient \*http.Client, cfg KeycloakConfig\) \*KeycloakClient](<#NewKeycloakClient>)
+  - [func \(c \*KeycloakClient\) GetToken\(ctx context.Context\) \(string, error\)](<#KeycloakClient.GetToken>)
+- [type KeycloakConfig](<#KeycloakConfig>)
+
+
+<a name="KeycloakClient"></a>
+## type [KeycloakClient](<https://github.com/greenbone/opensight-golang-libraries/blob/main/pkg/auth/auth_client.go#L42-L47>)
+
+KeycloakClient can be used to authenticate against a Keycloak server.
+
+```go
+type KeycloakClient struct {
+    // contains filtered or unexported fields
+}
+```
+
+<a name="NewKeycloakClient"></a>
+### func [NewKeycloakClient](<https://github.com/greenbone/opensight-golang-libraries/blob/main/pkg/auth/auth_client.go#L50>)
+
+```go
+func NewKeycloakClient(httpClient *http.Client, cfg KeycloakConfig) *KeycloakClient
+```
+
+NewKeycloakClient creates a new KeycloakClient.
+
+<a name="KeycloakClient.GetToken"></a>
+### func \(\*KeycloakClient\) [GetToken](<https://github.com/greenbone/opensight-golang-libraries/blob/main/pkg/auth/auth_client.go#L60>)
+
+```go
+func (c *KeycloakClient) GetToken(ctx context.Context) (string, error)
+```
+
+GetToken retrieves a valid access token. The token is cached and refreshed before expiry. The token is obtained by \`Resource owner password credentials grant\` flow. Ref: https://www.keycloak.org/docs/latest/server_admin/index.html#_oidc-auth-flows-direct
+
+<a name="KeycloakConfig"></a>
+## type [KeycloakConfig](<https://github.com/greenbone/opensight-golang-libraries/blob/main/pkg/auth/auth_client.go#L23-L29>)
+
+KeycloakConfig holds the credentials and configuration details
+
+```go
+type KeycloakConfig struct {
+    ClientID      string
+    Username      string
+    Password      string
+    AuthURL       string
+    KeycloakRealm string
+}
+```
+
+Generated by [gomarkdoc](<https://github.com/princjef/gomarkdoc>)
+
+
+<!-- gomarkdoc:embed:end -->
@@ -0,0 +1,125 @@
+// SPDX-FileCopyrightText: 2025 Greenbone AG <https://greenbone.net>
+//
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+// Package auth provides a client to authenticate against a Keycloak server.
+package auth
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+	"sync"
+	"time"
+)
+
+const tokenRefreshMargin = 10 * time.Second
+
+// KeycloakConfig holds the credentials and configuration details
+type KeycloakConfig struct {
+	ClientID      string
+	Username      string
+	Password      string
+	AuthURL       string
+	KeycloakRealm string
+}
+
+type tokenInfo struct {
+	AccessToken string
+	ExpiresAt   time.Time
+}
+
+type authResponse struct {
+	AccessToken string `json:"access_token"`
+	ExpiresIn   int    `json:"expires_in"` // in seconds
+}
+
+// KeycloakClient can be used to authenticate against a Keycloak server.
+type KeycloakClient struct {
+	httpClient *http.Client
+	cfg        KeycloakConfig
+	tokenInfo  tokenInfo
+	tokenMutex sync.RWMutex
+}
+
+// NewKeycloakClient creates a new KeycloakClient.
+func NewKeycloakClient(httpClient *http.Client, cfg KeycloakConfig) *KeycloakClient {
+	return &KeycloakClient{
+		httpClient: httpClient,
+		cfg:        cfg,
+	}
+}
+
+// GetToken retrieves a valid access token. The token is cached and refreshed before expiry.
+// The token is obtained by `Resource owner password credentials grant` flow.
+// Ref: https://www.keycloak.org/docs/latest/server_admin/index.html#_oidc-auth-flows-direct
+func (c *KeycloakClient) GetToken(ctx context.Context) (string, error) {
+	getCachedToken := func() (token string, ok bool) {
+		c.tokenMutex.RLock()
+		defer c.tokenMutex.RUnlock()
+		if time.Now().Before(c.tokenInfo.ExpiresAt.Add(-tokenRefreshMargin)) {
+			return c.tokenInfo.AccessToken, true
+		} else {
+			return "", false
+		}
+	}
+
+	token, ok := getCachedToken()
+	if ok {
+		return token, nil
+	}
+
+	// need to retrieve new token
+	c.tokenMutex.Lock()
+	defer c.tokenMutex.Unlock()
+
+	// check again in case another goroutine already refreshed the token
+	if time.Now().Before(c.tokenInfo.ExpiresAt.Add(-tokenRefreshMargin)) {
+		return c.tokenInfo.AccessToken, nil
+	}
+
+	data := url.Values{}
+	data.Set("client_id", c.cfg.ClientID)
+	data.Set("password", c.cfg.Password)
+	data.Set("username", c.cfg.Username)
+	data.Set("grant_type", "password")
+
+	authenticationURL := fmt.Sprintf("%s/realms/%s/protocol/openid-connect/token",
+		c.cfg.AuthURL, c.cfg.KeycloakRealm)
+
+	req, err := http.NewRequest(http.MethodPost, authenticationURL, strings.NewReader(data.Encode()))
+	if err != nil {
+		return "", fmt.Errorf("failed to create authentication request: %w", err)
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return "", fmt.Errorf("failed to execute authentication request with retry: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		respBody, err := io.ReadAll(resp.Body)
+		if err != nil {
+			respBody = []byte("failed to read response body: " + err.Error())
+		}
+		return "", fmt.Errorf("authentication request failed with status: %s: %s", resp.Status, string(respBody))
+	}
+
+	var authResponse authResponse
+	if err := json.NewDecoder(resp.Body).Decode(&authResponse); err != nil {
+		return "", fmt.Errorf("failed to parse authentication response: %w", err)
+	}
+
+	c.tokenInfo = tokenInfo{
+		AccessToken: authResponse.AccessToken,
+		ExpiresAt:   time.Now().Add(time.Duration(authResponse.ExpiresIn) * time.Second),
+	}
+
+	return authResponse.AccessToken, nil
+}
@@ -0,0 +1,111 @@
+// SPDX-FileCopyrightText: 2025 Greenbone AG <https://greenbone.net>
+//
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package auth
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"sync/atomic"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestKeycloakClient_GetToken(t *testing.T) {
+	tests := map[string]struct {
+		responseBody string
+		responseCode int
+		wantErr      bool
+		wantToken    string
+	}{
+		"successful token retrieval": {
+			responseBody: `{"access_token": "test-token", "expires_in": 3600}`,
+			responseCode: http.StatusOK,
+			wantErr:      false,
+			wantToken:    "test-token",
+		},
+		"failed authentication": {
+			responseBody: `{}`,
+			responseCode: http.StatusUnauthorized,
+			wantErr:      true,
+		},
+	}
+	for name, tt := range tests {
+		t.Run(name, func(t *testing.T) {
+			var serverCallCount atomic.Int32
+			mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				serverCallCount.Add(1)
+				w.WriteHeader(tt.responseCode)
+				_, err := w.Write([]byte(tt.responseBody))
+				require.NoError(t, err)
+			}))
+			defer mockServer.Close()
+
+			client := NewKeycloakClient(http.DefaultClient, KeycloakConfig{
+				AuthURL: mockServer.URL,
+				// the other fields are also required in real scenario, but omit here for brevity
+			})
+			gotToken, err := client.GetToken(context.Background())
+			assert.True(t, serverCallCount.Load() > 0, "server was not called")
+
+			if tt.wantErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+				assert.Equal(t, tt.wantToken, gotToken)
+			}
+		})
+	}
+}
+
+func TestKeycloakClient_GetToken_Refresh(t *testing.T) {
+	tests := map[string]struct {
+		responseBody     string
+		responseCode     int
+		wantServerCalled int
+		wantToken        string
+	}{
+		"token is cached": {
+			responseBody:     `{"access_token": "test-token", "expires_in": 3600}`,
+			responseCode:     http.StatusOK,
+			wantServerCalled: 1, // should be called only once due to caching
+			wantToken:        "test-token",
+		},
+		"token expiry handling": {
+			responseBody:     `{"access_token": "test-token", "expires_in": 0}`, // expires immediately
+			responseCode:     http.StatusOK,
+			wantServerCalled: 2, // should be called twice due to expiry
+			wantToken:        "test-token",
+		},
+	}
+
+	for name, tc := range tests {
+		t.Run(name, func(t *testing.T) {
+			var serverCallCount atomic.Int32
+			mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				serverCallCount.Add(1)
+				w.WriteHeader(tc.responseCode)
+				_, err := w.Write([]byte(tc.responseBody))
+				require.NoError(t, err)
+			}))
+			defer mockServer.Close()
+
+			client := NewKeycloakClient(http.DefaultClient, KeycloakConfig{
+				AuthURL: mockServer.URL,
+				// the other fields are also required in real scenario, but omit here for brevity
+			})
+			_, err := client.GetToken(context.Background())
+			require.NoError(t, err)
+
+			gotToken, err := client.GetToken(context.Background()) // second call to test caching/refresh
+			require.NoError(t, err)
+
+			assert.Equal(t, tc.wantServerCalled, int(serverCallCount.Load()), "unexpected number of server calls")
+			assert.Equal(t, tc.wantToken, gotToken)
+		})
+	}
+}