feat(auth): add API token authentication support (#70)

Add token-based authentication as alternative to username/password.
Implements mutual exclusivity validation and environment variable support.

Add build tags to differentiate integration tests from unit tests.
Add unit tests for configs on both post-processor and builder.

Signed-off-by: Ville Vesilehto <ville.vesilehto@upcloud.com>

Author: thevilledev

.web-docs/components/builder/upcloud/README.md

@@ -9,10 +9,6 @@ The upcloud builder is used to generate storage templates on UpCloud.
 
 <!-- Code generated from the comments of the Config struct in builder/upcloud/config.go; DO NOT EDIT MANUALLY -->
 
-- `username` (string) - The username to use when interfacing with the UpCloud API.
-
-- `password` (string) - The password to use when interfacing with the UpCloud API.
-
 - `zone` (string) - The zone in which the server and template should be created (e.g. nl-ams1).
 
 - `storage_uuid` (string) - The UUID of the storage you want to use as a template when creating the server.
@@ -34,6 +30,12 @@ The upcloud builder is used to generate storage templates on UpCloud.
 
 <!-- Code generated from the comments of the Config struct in builder/upcloud/config.go; DO NOT EDIT MANUALLY -->
 
+- `username` (string) - The username to use when interfacing with the UpCloud API.
+
+- `password` (string) - The password to use when interfacing with the UpCloud API.
+
+- `token` (string) - The API token to use when interfacing with the UpCloud API. This is mutually exclusive with username and password.
+
 - `storage_name` (string) - The name of the storage that will be used to find the first matching storage in the list of existing templates.
 
   Note that `storage_uuid` parameter has higher priority. You should use either `storage_uuid` or `storage_name` for not strict matching (e.g "ubuntu server 20.04").

.web-docs/components/post-processor/upcloud-import/README.md

@@ -9,10 +9,6 @@ Username and password configuration arguments can be omitted if environment vari
 
 <!-- Code generated from the comments of the Config struct in post-processor/upcloud-import/config.go; DO NOT EDIT MANUALLY -->
 
-- `username` (string) - The username to use when interfacing with the UpCloud API.
-
-- `password` (string) - The password to use when interfacing with the UpCloud API.
-
 - `zones` ([]string) - The list of zones in which the template should be imported
 
 - `template_name` (string) - The name of the template. Use `replace_existing` to replace existing template
@@ -25,6 +21,12 @@ Username and password configuration arguments can be omitted if environment vari
 
 <!-- Code generated from the comments of the Config struct in post-processor/upcloud-import/config.go; DO NOT EDIT MANUALLY -->
 
+- `username` (string) - The username to use when interfacing with the UpCloud API.
+
+- `password` (string) - The password to use when interfacing with the UpCloud API.
+
+- `token` (string) - The API token to use when interfacing with the UpCloud API. This is mutually exclusive with username and password.
+
 - `replace_existing` (bool) - Replace existing template if one exists with the same name. Defaults to `false`.
 
 - `storage_tier` (string) - The storage tier to use. Available options are `maxiops`, `archive`, and `standard`. Defaults to `maxiops`.

CHANGELOG.md

@@ -5,6 +5,10 @@ See updating [Changelog example here](https://keepachangelog.com/en/1.0.0/)
 
 ## [Unreleased]
 
+### Added
+
+- Authentication token support through `UPCLOUD_TOKEN` environment variable and `token` config parameter
+
 ## [1.6.0] - 2025-05-23
 
 ### Added

Makefile

@@ -24,11 +24,10 @@ PACKER_SDC_RENDER_DOCS=$(PACKER_SDC) renderdocs -src docs-src/ -partials docs-pa
 default: build
 
 test:
-	@go test -race -count $(COUNT) $(TEST) -timeout=3m
+	@go test -race -count $(COUNT) -tags "!integration" $(TEST) -timeout=3m
 
 test_integration: build install
-
-	PACKER_ACC=1 go test -count 1 -v $(TESTARGS) ./...  -timeout=120m
+	PACKER_ACC=1 go test -count 1 -v -tags integration $(TESTARGS) ./...  -timeout=120m
 
 build:
 	@go build -v -o ${BINARY}

builder/upcloud/artifact_test.go

@@ -1,3 +1,5 @@
+//go:build !integration
+
 package upcloud //nolint:testpackage // not all fields can be exported in Artifact
 
 import (

builder/upcloud/builder.go

@@ -54,6 +54,7 @@ func (b *Builder) Run(ctx context.Context, ui packer.Ui, hook packer.Hook) (pack
 	b.driver = driver.NewDriver(&driver.DriverConfig{
 		Username:    b.config.Username,
 		Password:    b.config.Password,
+		Token:       b.config.Token,
 		Timeout:     b.config.Timeout,
 		SSHUsername: b.config.Comm.SSHUsername,
 	})

builder/upcloud/builder_acc_test.go

@@ -1,3 +1,5 @@
+//go:build integration
+
 package upcloud //nolint:testpackage // not all fields can be exported in Artifact
 
 import (

builder/upcloud/config.go

@@ -61,10 +61,13 @@ type Config struct {
 	Comm                communicator.Config `mapstructure:",squash"`
 
 	// The username to use when interfacing with the UpCloud API.
-	Username string `mapstructure:"username" required:"true"`
+	Username string `mapstructure:"username"`
 
 	// The password to use when interfacing with the UpCloud API.
-	Password string `mapstructure:"password" required:"true"`
+	Password string `mapstructure:"password"`
+
+	// The API token to use when interfacing with the UpCloud API. This is mutually exclusive with username and password.
+	Token string `mapstructure:"token"`
 
 	// The zone in which the server and template should be created (e.g. nl-ams1).
 	Zone string `mapstructure:"zone" required:"true"`
@@ -141,8 +144,8 @@ func (c *Config) Prepare(raws ...interface{}) ([]string, error) {
 		return nil, fmt.Errorf("failed to decode configuration: %w", err)
 	}
 
-	c.setEnv()
-	c.setDefaults()
+	c.SetEnv()
+	c.SetDefaults()
 
 	if errs := c.validate(); errs != nil && len(errs.Errors) > 0 {
 		return nil, errs
@@ -152,7 +155,7 @@ func (c *Config) Prepare(raws ...interface{}) ([]string, error) {
 }
 
 // setDefaults sets default values for configuration fields.
-func (c *Config) setDefaults() {
+func (c *Config) SetDefaults() {
 	if c.TemplatePrefix == "" && len(c.TemplateName) == 0 {
 		c.TemplatePrefix = DefaultTemplatePrefix
 	}
@@ -185,30 +188,73 @@ func (c *Config) validate() *packer.MultiError {
 		errs = packer.MultiErrorAppend(errs, es...)
 	}
 
-	if c.Username == "" {
+	// Validate authentication
+	if authErrs := c.validateAuthentication(); authErrs != nil {
+		errs = packer.MultiErrorAppend(errs, authErrs.Errors...)
+	}
+
+	// Validate required fields
+	if c.Zone == "" {
 		errs = packer.MultiErrorAppend(
-			errs, errors.New("'username' must be specified"),
+			errs, errors.New("'zone' must be specified"),
 		)
 	}
 
-	if c.Password == "" {
+	if c.StorageUUID == "" && c.StorageName == "" {
 		errs = packer.MultiErrorAppend(
-			errs, errors.New("'password' must be specified"),
+			errs, errors.New("'storage_uuid' or 'storage_name' must be specified"),
 		)
 	}
 
-	if c.Zone == "" {
+	// Validate template configuration
+	if templateErrs := c.validateTemplate(); templateErrs != nil {
+		errs = packer.MultiErrorAppend(errs, templateErrs.Errors...)
+	}
+
+	return errs
+}
+
+// validateAuthentication checks authentication configuration.
+func (c *Config) validateAuthentication() *packer.MultiError {
+	var errs *packer.MultiError
+
+	// Check authentication: either username/password OR token, but not both
+	hasUsernamePassword := c.Username != "" || c.Password != ""
+	hasAPIToken := c.Token != ""
+
+	if hasUsernamePassword && hasAPIToken {
 		errs = packer.MultiErrorAppend(
-			errs, errors.New("'zone' must be specified"),
+			errs, errors.New("you cannot specify both username/password and token. Use either username/password or token for authentication"),
 		)
 	}
 
-	if c.StorageUUID == "" && c.StorageName == "" {
+	if !hasUsernamePassword && !hasAPIToken {
 		errs = packer.MultiErrorAppend(
-			errs, errors.New("'storage_uuid' or 'storage_name' must be specified"),
+			errs, errors.New("authentication required: specify either username and password, or token"),
 		)
 	}
 
+	// If using username/password, both must be provided
+	if hasUsernamePassword && (c.Username == "" || c.Password == "") {
+		if c.Username == "" {
+			errs = packer.MultiErrorAppend(
+				errs, errors.New("'username' must be specified when using username/password authentication"),
+			)
+		}
+		if c.Password == "" {
+			errs = packer.MultiErrorAppend(
+				errs, errors.New("'password' must be specified when using username/password authentication"),
+			)
+		}
+	}
+
+	return errs
+}
+
+// validateTemplate checks template configuration.
+func (c *Config) validateTemplate() *packer.MultiError {
+	var errs *packer.MultiError
+
 	if len(c.TemplatePrefix) > maxTemplatePrefixLength {
 		errs = packer.MultiErrorAppend(
 			errs, errors.New("'template_prefix' must be 0-40 characters"),
@@ -231,12 +277,16 @@ func (c *Config) validate() *packer.MultiError {
 }
 
 // get params from environment.
-func (c *Config) setEnv() {
+func (c *Config) SetEnv() {
 	if c.Username == "" {
 		c.Username = driver.UsernameFromEnv()
 	}
 
 	if c.Password == "" {
 		c.Password = driver.PasswordFromEnv()
 	}
+
+	if c.Token == "" {
+		c.Token = driver.TokenFromEnv()
+	}
 }