scalytics
diff --git a/‎cmd/kshark/main.go‎
Lines changed: 392 additions & 22 deletions b/‎cmd/kshark/main.go‎
Lines changed: 392 additions & 22 deletions
diff --git a/‎cmd/kshark/ssrf_test.go‎
Lines changed: 93 additions & 0 deletions b/‎cmd/kshark/ssrf_test.go‎
Lines changed: 93 additions & 0 deletions
diff --git a/‎docs/RELEASE.md‎
Lines changed: 14 additions & 0 deletions b/‎docs/RELEASE.md‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎go.mod‎
Lines changed: 12 additions & 2 deletions b/‎go.mod‎
Lines changed: 12 additions & 2 deletions
diff --git a/‎go.sum‎
Lines changed: 30 additions & 4 deletions b/‎go.sum‎
Lines changed: 30 additions & 4 deletions
diff --git a/‎internal/connectapi/client.go‎
Lines changed: 175 additions & 0 deletions b/‎internal/connectapi/client.go‎
Lines changed: 175 additions & 0 deletions
@@ -0,0 +1,93 @@
+package main
+
+import (
+	"net"
+	"testing"
+)
+
+func TestClassifyIP(t *testing.T) {
+	tests := []struct {
+		name string
+		ip   string
+		want ssrfVerdict
+	}{
+		// DENY (always blocked)
+		{"loopback v4", "127.0.0.1", ssrfDeny},
+		{"loopback v4 high", "127.255.255.254", ssrfDeny},
+		{"loopback v6", "::1", ssrfDeny},
+		{"link-local", "169.254.1.1", ssrfDeny},
+		{"cloud metadata", "169.254.169.254", ssrfDeny},
+		{"link-local v6", "fe80::1", ssrfDeny},
+		{"CGN", "100.64.0.1", ssrfDeny},
+		{"TEST-NET-1", "192.0.2.1", ssrfDeny},
+		{"multicast", "224.0.0.1", ssrfDeny},
+		{"reserved", "240.0.0.1", ssrfDeny},
+		{"broadcast", "255.255.255.255", ssrfDeny},
+
+		// WARN (RFC1918 — allowed for PrivateLink)
+		{"10/8", "10.0.0.1", ssrfWarn},
+		{"172.16/12", "172.16.0.1", ssrfWarn},
+		{"192.168/16", "192.168.1.1", ssrfWarn},
+		{"ULA v6", "fc00::1", ssrfWarn},
+
+		// ALLOW (public)
+		{"google dns", "8.8.8.8", ssrfAllow},
+		{"cloudflare", "1.1.1.1", ssrfAllow},
+		{"public v6", "2001:4860:4860::8888", ssrfAllow},
+		{"172.32 outside /12", "172.32.0.1", ssrfAllow},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ip := net.ParseIP(tt.ip)
+			if ip == nil {
+				t.Fatalf("bad test IP: %s", tt.ip)
+			}
+			got := classifyIP(ip)
+			if got != tt.want {
+				t.Errorf("classifyIP(%s) = %d, want %d", tt.ip, got, tt.want)
+			}
+		})
+	}
+}
+
+func TestIsAllowedURL_Blocked(t *testing.T) {
+	blocked := []struct {
+		name string
+		url  string
+	}{
+		{"loopback", "http://127.0.0.1:8081"},
+		{"cloud metadata", "http://169.254.169.254/latest/meta-data/"},
+		{"ftp scheme", "ftp://example.com/subjects"},
+		{"embedded creds", "http://user:pass@registry.example.com:8081"},
+	}
+
+	for _, tt := range blocked {
+		t.Run(tt.name, func(t *testing.T) {
+			_, err := isAllowedURL(tt.url)
+			if err == nil {
+				t.Errorf("isAllowedURL(%q) should have been blocked", tt.url)
+			}
+		})
+	}
+}
+
+func TestIsAllowedURL_RFC1918_Warns(t *testing.T) {
+	warned := []string{
+		"https://10.0.0.5:8081/subjects",
+		"https://172.16.0.1:8081/subjects",
+		"https://192.168.1.100:8081/subjects",
+	}
+
+	for _, u := range warned {
+		t.Run(u, func(t *testing.T) {
+			warning, err := isAllowedURL(u)
+			if err != nil {
+				t.Errorf("isAllowedURL(%q) unexpected error: %v", u, err)
+			}
+			if warning == "" {
+				t.Errorf("isAllowedURL(%q) should have returned a warning", u)
+			}
+		})
+	}
+}
@@ -5,7 +5,21 @@
 ### Unreleased
 
 #### Features
+- **Connector Config Probe (SPEC-002):** Probe MongoDB, DB2, and PostgreSQL targets by reading connector configs from Kafka Connect REST API or local JSON files. Layered diagnostics (DNS -> TCP -> TLS -> Application Protocol) with actionable hints.
+  - New flags: `--connect-url`, `--connector-name`, `--connector-config`, `--connect-basic-auth`, `--connect-bearer-token`, `--connect-ca-cert`
+  - Environment variable fallback: `KSHARK_CONNECT_AUTH`, `KSHARK_CONNECT_TOKEN`
+  - MongoDB probe via official driver (SRV, SCRAM-SHA-256, TLS, ping, collection check)
+  - PostgreSQL probe via pgx (wire protocol v3, all auth mechanisms)
+  - DB2 probe via custom DRDA wire protocol (EXCSAT/ACCSEC/SECCHK/ACCRDB)
+  - JDBC URL parsing for DB2 and PostgreSQL connector configs
+  - Connector-only mode: run without `-props` when only probing connector targets
 - **JAAS config credential extraction:** kshark now automatically extracts `username` and `password` from `sasl.jaas.config` when `sasl.username` / `sasl.password` are not explicitly set. This makes kshark compatible with standard Java Kafka client properties files that only use `sasl.jaas.config` for authentication (e.g., files generated by Confluent Cloud).
+- **Improved AI Analysis Prompt (SPEC-001):** Layered reasoning hints, enhanced JSON schema with `likelyCategory`, `confidence`, `severity`, and `evidence` fields. Defensive re-redaction before AI export.
+
+#### Security
+- **SSRF Protection:** Two-tier SSRF validation for Schema Registry, REST Proxy, and Connect API. Blocks loopback/link-local/cloud metadata (DENY). Warns on RFC1918 private IPs (WARN) since PrivateLink targets are common. Redirect-based SSRF bypass prevention via `CheckRedirect` handler.
+- **Credential Redaction:** `sasl.jaas.config` now redacted in all output (was previously leaking JAAS credentials). Added `bearer`, `token`, `credential` keyword matching. Credential scrubbing in database probe error messages.
+- **Connect API Security:** URL scheme validation (http/https only), response body limit (1MB), link-local IP blocking, redirect protection.
 
 ---
 
 
@@ -2,13 +2,23 @@ module github.com/your-username/kshark
 
 go 1.23.2
 
-require github.com/segmentio/kafka-go v0.4.49
+require (
+	github.com/jackc/pgx/v5 v5.7.4
+	github.com/segmentio/kafka-go v0.4.49
+	go.mongodb.org/mongo-driver/v2 v2.1.0
+)
 
 require (
-	github.com/klauspost/compress v1.15.9 // indirect
+	github.com/golang/snappy v0.0.4 // indirect
+	github.com/jackc/pgpassfile v1.0.0 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
+	github.com/klauspost/compress v1.16.7 // indirect
 	github.com/pierrec/lz4/v4 v4.1.15 // indirect
 	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
 	github.com/xdg-go/scram v1.1.2 // indirect
 	github.com/xdg-go/stringprep v1.0.4 // indirect
+	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
+	golang.org/x/crypto v0.33.0 // indirect
+	golang.org/x/sync v0.12.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
 )
@@ -1,24 +1,46 @@
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/klauspost/compress v1.15.9 h1:wKRjX6JRtDdrE9qwa4b/Cip7ACOshUI4smpCQanqjSY=
-github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
+github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
+github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
+github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
+github.com/jackc/pgx/v5 v5.7.4 h1:9wKznZrhWa2QiHL+NjTSPP6yjl3451BX3imWDnokYlg=
+github.com/jackc/pgx/v5 v5.7.4/go.mod h1:ncY89UGWxg82EykZUwSpUKEfccBGGYq1xjrOpsbsfGQ=
+github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
+github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
+github.com/klauspost/compress v1.16.7 h1:2mk3MPGNzKyxErAw8YaohYh69+pa4sIQSC0fPGCFR9I=
+github.com/klauspost/compress v1.16.7/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
 github.com/pierrec/lz4/v4 v4.1.15 h1:MO0/ucJhngq7299dKLwIMtgTfbkoSPF6AoMYDd8Q4q0=
 github.com/pierrec/lz4/v4 v4.1.15/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/segmentio/kafka-go v0.4.49 h1:GJiNX1d/g+kG6ljyJEoi9++PUMdXGAxb7JGPiDCuNmk=
 github.com/segmentio/kafka-go v0.4.49/go.mod h1:Y1gn60kzLEEaW28YshXyk2+VCUKbJ3Qr6DrnT3i4+9E=
-github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
-github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/xdg-go/pbkdf2 v1.0.0 h1:Su7DPu48wXMwC3bs7MCNG+z4FhcyEuz5dlvchbq0B0c=
 github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
 github.com/xdg-go/scram v1.1.2 h1:FHX5I5B4i4hKRVRBCFRxq1iQRej7WO3hhBuJf+UUySY=
 github.com/xdg-go/scram v1.1.2/go.mod h1:RT/sEzTbU5y00aCK8UOx6R7YryM0iF1N2MOmC3kKLN4=
 github.com/xdg-go/stringprep v1.0.4 h1:XLI/Ng3O1Atzq0oBs3TWm+5ZVgkq2aqdlvP9JtoZ6c8=
 github.com/xdg-go/stringprep v1.0.4/go.mod h1:mPGuuIYwz7CmR2bT9j4GbQqutWS1zV24gijq1dTyGkM=
+github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 h1:ilQV1hzziu+LLM3zUTJ0trRztfwgjqKnBWNtSRkbmwM=
+github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78/go.mod h1:aL8wCCfTfSfmXjznFBSZNN13rSJjlIOI1fUNAtF7rmI=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+go.mongodb.org/mongo-driver/v2 v2.1.0 h1:/ELnVNjmfUKDsoBisXxuJL0noR9CfeUIrP7Yt3R+egg=
+go.mongodb.org/mongo-driver/v2 v2.1.0/go.mod h1:AWiLRShSrk5RHQS3AEn3RL19rqOzVq49MCpWQ3x/huI=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
+golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
@@ -27,6 +49,8 @@ golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
 golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
+golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -44,5 +68,7 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@@ -0,0 +1,175 @@
+package connectapi
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+	"strings"
+	"time"
+)
+
+// ConnectAuthOpts holds authentication options for the Kafka Connect REST API.
+type ConnectAuthOpts struct {
+	BasicAuth   string // "user:password" or empty
+	BearerToken string // bearer token or empty
+	CACertPath  string // path to CA cert PEM file or empty
+}
+
+// ConnectClient is an HTTP client for the Kafka Connect REST API.
+type ConnectClient struct {
+	baseURL    string
+	httpClient *http.Client
+	auth       ConnectAuthOpts
+}
+
+// NewConnectClient creates a new ConnectClient.
+func NewConnectClient(baseURL string, auth ConnectAuthOpts) (*ConnectClient, error) {
+	// Validate URL scheme
+	u, err := url.Parse(baseURL)
+	if err != nil {
+		return nil, fmt.Errorf("invalid Connect URL: %w", err)
+	}
+	if u.Scheme != "http" && u.Scheme != "https" {
+		return nil, fmt.Errorf("Connect URL must use http or https scheme, got: %s", u.Scheme)
+	}
+
+	transport := http.DefaultTransport.(*http.Transport).Clone()
+
+	if auth.CACertPath != "" {
+		caPEM, err := os.ReadFile(auth.CACertPath)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read Connect CA cert %s: %w", auth.CACertPath, err)
+		}
+		pool := x509.NewCertPool()
+		if !pool.AppendCertsFromPEM(caPEM) {
+			return nil, fmt.Errorf("failed to parse Connect CA cert from %s", auth.CACertPath)
+		}
+		transport.TLSClientConfig = &tls.Config{
+			RootCAs: pool,
+		}
+	}
+
+	return &ConnectClient{
+		baseURL: strings.TrimRight(baseURL, "/"),
+		httpClient: &http.Client{
+			Timeout:   15 * time.Second,
+			Transport: transport,
+			// Prevent redirect-based SSRF: do not follow redirects automatically.
+			CheckRedirect: func(req *http.Request, via []*http.Request) error {
+				return fmt.Errorf("Connect API redirect blocked (to %s): redirects are not followed for security", req.URL.Host)
+			},
+		},
+		auth: auth,
+	}, nil
+}
+
+// isLinkLocalIP checks if an IP is in the link-local range (169.254.0.0/16)
+// which includes the cloud metadata endpoint 169.254.169.254.
+func isLinkLocalIP(host string) bool {
+	ips, err := net.LookupHost(host)
+	if err != nil {
+		return false
+	}
+	for _, ipStr := range ips {
+		ip := net.ParseIP(ipStr)
+		if ip == nil {
+			continue
+		}
+		// Block link-local (169.254.0.0/16) — includes cloud metadata
+		if ip4 := ip.To4(); ip4 != nil && ip4[0] == 169 && ip4[1] == 254 {
+			return true
+		}
+	}
+	return false
+}
+
+// GetConnectorConfig fetches the configuration for a named connector.
+func (c *ConnectClient) GetConnectorConfig(ctx context.Context, name string) (map[string]string, error) {
+	// SSRF protection: block link-local addresses (cloud metadata)
+	u, _ := url.Parse(c.baseURL)
+	if u != nil && isLinkLocalIP(u.Hostname()) {
+		return nil, fmt.Errorf("Connect URL resolves to link-local address (blocked for security)")
+	}
+
+	reqURL := fmt.Sprintf("%s/connectors/%s/config", c.baseURL, url.PathEscape(name))
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, reqURL, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create request: %w", err)
+	}
+
+	req.Header.Set("Accept", "application/json")
+	c.applyAuth(req)
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("Connect API unreachable: %w", err)
+	}
+	defer resp.Body.Close()
+
+	body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // limit to 1MB
+
+	switch {
+	case resp.StatusCode == http.StatusOK:
+		var cfg map[string]string
+		if err := json.Unmarshal(body, &cfg); err != nil {
+			return nil, fmt.Errorf("failed to decode connector config: %w", err)
+		}
+		return cfg, nil
+
+	case resp.StatusCode == http.StatusUnauthorized || resp.StatusCode == http.StatusForbidden:
+		return nil, fmt.Errorf("Connect API auth failed (HTTP %d): check --connect-basic-auth or --connect-bearer-token", resp.StatusCode)
+
+	case resp.StatusCode == http.StatusNotFound:
+		return nil, fmt.Errorf("connector '%s' not found. Use GET /connectors to list available connectors", name)
+
+	default:
+		return nil, fmt.Errorf("Connect API returned HTTP %d: %s", resp.StatusCode, string(body))
+	}
+}
+
+// ListConnectors returns the names of all connectors.
+func (c *ConnectClient) ListConnectors(ctx context.Context) ([]string, error) {
+	reqURL := fmt.Sprintf("%s/connectors", c.baseURL)
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, reqURL, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	req.Header.Set("Accept", "application/json")
+	c.applyAuth(req)
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("Connect API unreachable: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("Connect API returned HTTP %d", resp.StatusCode)
+	}
+
+	var names []string
+	if err := json.NewDecoder(resp.Body).Decode(&names); err != nil {
+		return nil, fmt.Errorf("failed to decode connector list: %w", err)
+	}
+	return names, nil
+}
+
+func (c *ConnectClient) applyAuth(req *http.Request) {
+	if c.auth.BasicAuth != "" {
+		parts := strings.SplitN(c.auth.BasicAuth, ":", 2)
+		if len(parts) == 2 {
+			req.SetBasicAuth(parts[0], parts[1])
+		}
+	}
+	if c.auth.BearerToken != "" {
+		req.Header.Set("Authorization", "Bearer "+c.auth.BearerToken)
+	}
+}