[refactor] Used OTEL Optional type for union Auth struct (#7316)

<!--
!! Please DELETE this comment before posting.
We appreciate your contribution to the Jaeger project! 👋🎉
-->

## Which problem is this PR solving?
part of 
- #7225

## Description of the changes

It is part of the planned work to add support for API authentication, as
discussed in
#7230 (comment)


1.Refactor  `config.go`
- Updated the `Authentication` struct to use `configoptional.Optional`
for `BasicAuthentication` and `BearerTokenAuthentication`.
-  Modified tests to align with the new configoptional.Optional 

2.Redact sensitive file paths from logs

- Added a `redactPath` function to hash filenames in logs while keeping
directory and extension.
- Updated all log statements to use redacted paths instead of full file
paths.
- Expanded and updated tests to verify path redaction in log output.
## How was this change tested?
- 

## Checklist
- [ ] I have read
https://github.com/jaegertracing/jaeger/blob/master/CONTRIBUTING_GUIDELINES.md
- [ ] I have signed all commits
- [ ] I have added unit tests for the new functionality
- [ ] I have run lint and test steps successfully
  - for `jaeger`: `make lint test`
  - for `jaeger-ui`: `npm run lint` and `npm run test`

---------

Signed-off-by: danish9039 <[email protected]>
Signed-off-by: Yuri Shkuro <[email protected]>
Co-authored-by: Yuri Shkuro <[email protected]>

Author: danish9039

cmd/query/app/token_propagation_test.go

@@ -17,13 +17,15 @@ import (
 	"go.opentelemetry.io/collector/config/configgrpc"
 	"go.opentelemetry.io/collector/config/confighttp"
 	"go.opentelemetry.io/collector/config/confignet"
+	"go.opentelemetry.io/collector/config/configoptional"
 	"go.uber.org/zap/zaptest"
 
 	"github.com/jaegertracing/jaeger/cmd/internal/flags"
 	"github.com/jaegertracing/jaeger/cmd/query/app/querysvc"
 	v2querysvc "github.com/jaegertracing/jaeger/cmd/query/app/querysvc/v2/querysvc"
 	"github.com/jaegertracing/jaeger/internal/auth/bearertoken"
 	"github.com/jaegertracing/jaeger/internal/config"
+	escfg "github.com/jaegertracing/jaeger/internal/storage/elasticsearch/config"
 	es "github.com/jaegertracing/jaeger/internal/storage/v1/elasticsearch"
 	"github.com/jaegertracing/jaeger/internal/storage/v2/v1adapter"
 	"github.com/jaegertracing/jaeger/internal/telemetry"
@@ -80,9 +82,18 @@ func runQueryService(t *testing.T, esURL string) *Server {
 		"--es.server-urls=" + esURL,
 		"--es.create-index-templates=false",
 	}))
+
 	f.InitFromViper(v, flagsSvc.Logger)
 	// set AllowTokenFromContext manually because we don't register the respective CLI flag from query svc
-	f.Options.Config.Authentication.BearerTokenAuthentication.AllowFromContext = true
+	bearerAuth := escfg.BearerTokenAuthentication{
+		AllowFromContext: true,
+	}
+	// set the authentication in the factory options
+	f.Options.Config.Authentication = escfg.Authentication{
+		BearerTokenAuthentication: configoptional.Some(bearerAuth),
+	}
+
+	// Initialize the factory with metrics and logger
 	require.NoError(t, f.Initialize(telset.Metrics, telset.Logger))
 	defer f.Close()
 

internal/fswatcher/fswatcher_test.go

@@ -80,20 +80,16 @@ func TestFSWatcherWithMultipleFiles(t *testing.T) {
 	testFile1, err := os.Create(tempDir + "test-file-1")
 	require.NoError(t, err)
 	defer testFile1.Close()
-
 	testFile2, err := os.Create(tempDir + "test-file-2")
 	require.NoError(t, err)
 	defer testFile2.Close()
-
 	_, err = testFile1.WriteString("test content 1")
 	require.NoError(t, err)
-
 	_, err = testFile2.WriteString("test content 2")
 	require.NoError(t, err)
 
 	zcore, logObserver := observer.New(zapcore.InfoLevel)
 	logger := zap.New(zcore)
-
 	onChange := func() {
 		logger.Info("Change happens")
 	}
@@ -116,6 +112,7 @@ func TestFSWatcherWithMultipleFiles(t *testing.T) {
 			return logObserver.FilterMessage("Change happens").Len() > 0
 		},
 		"Unable to locate 'Change happens' in log. All logs: %v", logObserver)
+
 	newHash1, err := hashFile(testFile1.Name())
 	require.NoError(t, err)
 	newHash2, err := hashFile(testFile2.Name())
@@ -133,6 +130,7 @@ func TestFSWatcherWithMultipleFiles(t *testing.T) {
 			return logObserver.FilterMessage("Received event").Len() > 0
 		},
 		"Unable to locate 'Received event' in log. All logs: %v", logObserver)
+
 	assertLogs(t,
 		func() bool {
 			return logObserver.FilterMessage("Unable to read the file").Len() >= 2 // Check for multiple occurrences

internal/storage/elasticsearch/config/config.go

@@ -21,6 +21,7 @@ import (
 	"github.com/asaskevich/govalidator"
 	esV8 "github.com/elastic/go-elasticsearch/v9"
 	"github.com/olivere/elastic/v7"
+	"go.opentelemetry.io/collector/config/configoptional"
 	"go.opentelemetry.io/collector/config/configtls"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
@@ -193,8 +194,8 @@ type BulkProcessing struct {
 }
 
 type Authentication struct {
-	BasicAuthentication       BasicAuthentication       `mapstructure:"basic"`
-	BearerTokenAuthentication BearerTokenAuthentication `mapstructure:"bearer_token"`
+	BasicAuthentication       configoptional.Optional[BasicAuthentication]       `mapstructure:"basic"`
+	BearerTokenAuthentication configoptional.Optional[BearerTokenAuthentication] `mapstructure:"bearer_token"`
 }
 
 type BasicAuthentication struct {
@@ -340,8 +341,11 @@ func (bcb *bulkCallback) invoke(id int64, requests []elastic.BulkableRequest, re
 func newElasticsearchV8(ctx context.Context, c *Configuration, logger *zap.Logger) (*esV8.Client, error) {
 	var options esV8.Config
 	options.Addresses = c.Servers
-	options.Username = c.Authentication.BasicAuthentication.Username
-	options.Password = c.Authentication.BasicAuthentication.Password
+	if c.Authentication.BasicAuthentication.HasValue() {
+		basicAuth := c.Authentication.BasicAuthentication.Get()
+		options.Username = basicAuth.Username
+		options.Password = basicAuth.Password
+	}
 	options.DiscoverNodesOnStart = c.Sniffing.Enabled
 	options.CompressRequestBody = c.HTTPCompression
 	transport, err := GetHTTPRoundTripper(ctx, c, logger)
@@ -379,11 +383,33 @@ func (c *Configuration) ApplyDefaults(source *Configuration) {
 	if len(c.RemoteReadClusters) == 0 {
 		c.RemoteReadClusters = source.RemoteReadClusters
 	}
-	if c.Authentication.BasicAuthentication.Username == "" {
-		c.Authentication.BasicAuthentication.Username = source.Authentication.BasicAuthentication.Username
-	}
-	if c.Authentication.BasicAuthentication.Password == "" {
-		c.Authentication.BasicAuthentication.Password = source.Authentication.BasicAuthentication.Password
+	// Handle BasicAuthentication defaults
+	sourceHasBasicAuth := source.Authentication.BasicAuthentication.HasValue()
+	targetHasBasicAuth := c.Authentication.BasicAuthentication.HasValue()
+	if sourceHasBasicAuth {
+		// If target doesn't have BasicAuth, copy it from source
+		if !targetHasBasicAuth {
+			c.Authentication.BasicAuthentication = source.Authentication.BasicAuthentication
+		} else {
+			// Target has BasicAuth, apply field-level defaults
+			sourceBasicAuth := source.Authentication.BasicAuthentication.Get()
+			// Make a copy of target BasicAuth
+			basicAuth := *c.Authentication.BasicAuthentication.Get()
+
+			// Apply defaults for username if not set
+			if basicAuth.Username == "" && sourceBasicAuth.Username != "" {
+				basicAuth.Username = sourceBasicAuth.Username
+			}
+			// Apply defaults for password if not set
+			if basicAuth.Password == "" && sourceBasicAuth.Password != "" {
+				basicAuth.Password = sourceBasicAuth.Password
+			}
+
+			// Only update BasicAuthentication if we have values to set
+			if basicAuth.Username != "" || basicAuth.Password != "" {
+				c.Authentication.BasicAuthentication = configoptional.Some(basicAuth)
+			}
+		}
 	}
 	if !c.Sniffing.Enabled {
 		c.Sniffing.Enabled = source.Sniffing.Enabled
@@ -504,8 +530,14 @@ func (c *Configuration) getConfigOptions(ctx context.Context, logger *zap.Logger
 	// 1. When health check is explicitly disabled
 	// 2. When tokens are EXCLUSIVELY available from context (not from file)
 	//    because at startup we don't have a valid token to do the health check
-	disableHealthCheck := c.DisableHealthCheck ||
-		(c.Authentication.BearerTokenAuthentication.AllowFromContext && c.Authentication.BearerTokenAuthentication.FilePath == "")
+	disableHealthCheck := c.DisableHealthCheck
+
+	// Check if we have bearer token or API key authentication that only allows from context
+	if c.Authentication.BearerTokenAuthentication.HasValue() {
+		bearerAuth := c.Authentication.BearerTokenAuthentication.Get()
+		disableHealthCheck = disableHealthCheck || (bearerAuth.AllowFromContext && bearerAuth.FilePath == "")
+	}
+
 	// Get base Elasticsearch options using the helper function
 	options := c.getESOptions(disableHealthCheck)
 	// Configure HTTP transport with TLS and authentication
@@ -521,19 +553,28 @@ func (c *Configuration) getConfigOptions(ctx context.Context, logger *zap.Logger
 	}
 
 	options = append(options, elastic.SetHttpClient(httpClient))
+
 	// Basic authentication setup
-	if c.Authentication.BasicAuthentication.Password != "" && c.Authentication.BasicAuthentication.PasswordFilePath != "" {
-		return nil, errors.New("both Password and PasswordFilePath are set")
-	}
-	if c.Authentication.BasicAuthentication.PasswordFilePath != "" {
-		passwordFromFile, err := loadTokenFromFile(c.Authentication.BasicAuthentication.PasswordFilePath)
-		if err != nil {
-			return nil, fmt.Errorf("failed to load password from file: %w", err)
+	if c.Authentication.BasicAuthentication.HasValue() {
+		basicAuth := c.Authentication.BasicAuthentication.Get()
+
+		password := basicAuth.Password
+		passwordFilePath := basicAuth.PasswordFilePath
+
+		if password != "" && passwordFilePath != "" {
+			return nil, errors.New("both Password and PasswordFilePath are set")
+		}
+		if passwordFilePath != "" {
+			passwordFromFile, err := loadTokenFromFile(passwordFilePath)
+			if err != nil {
+				return nil, fmt.Errorf("failed to load password from file: %w", err)
+			}
+			password = passwordFromFile
 		}
-		c.Authentication.BasicAuthentication.Password = passwordFromFile
-	}
 
-	options = append(options, elastic.SetBasicAuth(c.Authentication.BasicAuthentication.Username, c.Authentication.BasicAuthentication.Password))
+		username := basicAuth.Username
+		options = append(options, elastic.SetBasicAuth(username, password))
+	}
 
 	// Add logging configuration
 	options, err = addLoggerOptions(options, c.LogLevel, logger)
@@ -598,23 +639,27 @@ func GetHTTPRoundTripper(ctx context.Context, c *Configuration, logger *zap.Logg
 
 	// Wrap with authentication layer if configured.
 	var roundTripper http.RoundTripper = transport
-	if c.Authentication.BearerTokenAuthentication.AllowFromContext || c.Authentication.BearerTokenAuthentication.FilePath != "" {
-		token := ""
-		if c.Authentication.BearerTokenAuthentication.FilePath != "" {
-			if c.Authentication.BearerTokenAuthentication.AllowFromContext {
-				logger.Warn("Token file and token propagation are both enabled, token from file won't be used")
-			}
-			tokenFromFile, err := loadTokenFromFile(c.Authentication.BearerTokenAuthentication.FilePath)
-			if err != nil {
-				return nil, err
+
+	if c.Authentication.BearerTokenAuthentication.HasValue() {
+		bearerAuth := c.Authentication.BearerTokenAuthentication.Get()
+		if bearerAuth.AllowFromContext || bearerAuth.FilePath != "" {
+			token := ""
+			if bearerAuth.FilePath != "" {
+				if bearerAuth.AllowFromContext {
+					logger.Warn("Token file and token propagation are both enabled, token from file won't be used")
+				}
+				tokenFromFile, err := loadTokenFromFile(bearerAuth.FilePath)
+				if err != nil {
+					return nil, err
+				}
+				token = tokenFromFile
 			}
-			token = tokenFromFile
-		}
 
-		roundTripper = &auth.RoundTripper{
-			Transport:       transport,
-			OverrideFromCtx: c.Authentication.BearerTokenAuthentication.AllowFromContext,
-			StaticToken:     token,
+			roundTripper = &auth.RoundTripper{
+				Transport:       transport,
+				OverrideFromCtx: bearerAuth.AllowFromContext,
+				StaticToken:     token,
+			}
 		}
 	}