pushpin-publish: support bearer auth (#48315)

Author: jkarneges

Cargo.lock

@@ -39,7 +39,7 @@ mio = { version = "1", features = ["os-poll", "os-ext", "net"] }
 notify = "7"
 openssl = "=0.10.72"
 paste = "1.0"
-rustls = { version = "0.23", features = ["ring"] }
+rustls = { version = "0.23", default-features = false, features = ["ring", "std", "tls12"] }
 rustls-native-certs = "0.6"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"

Cargo.toml

@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2021-2023 Fanout, Inc.
+ * Copyright (C) 2026 Fastly, Inc.
  *
  * This file is part of Pushpin.
  *
@@ -22,7 +23,7 @@
 
 use clap::{Arg, ArgAction, Command};
 use pushpin::core::version;
-use pushpin::publish::{run, Action, Config, Content, Message};
+use pushpin::publish::{run, Action, AuthType, Config, Content, Message};
 use std::env;
 use std::error::Error;
 use std::process;
@@ -45,7 +46,7 @@ struct Args {
     no_seq: bool,
     no_eol: bool,
     spec: String,
-    user: Option<String>,
+    auth: Option<(AuthType, String)>,
 }
 
 fn process_args_and_run(args: Args) -> Result<(), Box<dyn Error>> {
@@ -112,7 +113,7 @@ fn process_args_and_run(args: Args) -> Result<(), Box<dyn Error>> {
 
     let config = Config {
         spec: args.spec,
-        basic_auth: args.user,
+        auth: args.auth,
         channel: args.channel,
         id: args.id,
         prev_id: args.prev_id,
@@ -242,6 +243,14 @@ fn main() {
                 .value_name("user:pass")
                 .help("Authenticate using basic auth"),
         )
+        .arg(
+            Arg::new("bearer")
+                .short('B')
+                .long("bearer")
+                .num_args(1)
+                .value_name("token")
+                .help("Authenticate using bearer auth"),
+        )
         .get_matches();
 
     let channel = matches.get_one::<String>("channel").unwrap().clone();
@@ -289,6 +298,17 @@ fn main() {
     let spec = matches.get_one::<String>("spec").unwrap().clone();
 
     let user = matches.get_one::<String>("user").cloned();
+    let bearer = matches.get_one::<String>("bearer").cloned();
+
+    let auth = match (user, bearer) {
+        (Some(_), Some(_)) => {
+            eprintln!("Error: only one authentication method can be specified");
+            process::exit(1);
+        }
+        (Some(user), None) => Some((AuthType::Basic, user)),
+        (None, Some(bearer)) => Some((AuthType::Bearer, bearer)),
+        (None, None) => None,
+    };
 
     let args = Args {
         channel,
@@ -305,7 +325,7 @@ fn main() {
         no_seq,
         no_eol,
         spec,
-        user,
+        auth,
     };
 
     if let Err(e) = process_args_and_run(args) {

src/bin/pushpin-publish.rs

@@ -309,9 +309,15 @@ impl Write for Stream {
     }
 }
 
+#[derive(Copy, Clone)]
+pub enum AuthType {
+    Basic,
+    Bearer,
+}
+
 fn publish_http(
     base_url: &str,
-    basic_auth: Option<&str>,
+    auth: Option<(AuthType, &str)>,
     item: &serde_json::Value,
 ) -> Result<(), Box<dyn Error>> {
     let parsed_url = match parse_url(base_url) {
@@ -340,12 +346,17 @@ fn publish_http(
         body.len()
     );
 
-    if let Some(s) = basic_auth {
+    if let Some((auth_type, value)) = auth {
         if parsed_url.scheme != "https" {
             return Err("Authentication requires https".into());
         }
 
-        req.push_str(&format!("Authorization: Basic {}\r\n", base64::encode(s)));
+        let header_value = match auth_type {
+            AuthType::Basic => format!("Basic {}", base64::encode(value)),
+            AuthType::Bearer => format!("Bearer {value}"),
+        };
+
+        req.push_str(&format!("Authorization: {header_value}\r\n"));
     }
 
     req += "\r\n";
@@ -391,7 +402,7 @@ fn publish_http(
 
             let pos = match rest.find(' ') {
                 Some(pos) => pos,
-                None => return Err(io::Error::from(io::ErrorKind::InvalidData).into()),
+                None => rest.len(),
             };
 
             let code = &rest[..pos];
@@ -451,7 +462,7 @@ pub enum Action {
 
 pub struct Config {
     pub spec: String,
-    pub basic_auth: Option<String>,
+    pub auth: Option<(AuthType, String)>,
     pub channel: String,
     pub id: String,
     pub prev_id: String,
@@ -609,9 +620,9 @@ pub fn run(config: &Config) -> Result<(), Box<dyn Error>> {
     if config.spec.starts_with("https:") || config.spec.starts_with("http:") {
         let item = tnet_to_json(&item)?;
 
-        let basic_auth = config.basic_auth.as_deref();
+        let auth = config.auth.as_ref().map(|(t, v)| (*t, v.as_str()));
 
-        publish_http(&config.spec, basic_auth, &item)?;
+        publish_http(&config.spec, auth, &item)?;
     } else {
         publish_zmq(&config.spec, &item)?;
     }