Skip to content

Add support for registering/ revoking API Keys generated externally in gateways #845

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
renuka-fernando merged 18 commits into from
Feb 5, 2026
Merged

Add support for registering/ revoking API Keys generated externally in gateways #845

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
4f719e9
Add initial changes for API Key creation and deletion
Thushani-Jayasekera Jan 29, 2026
ffc36bb
Fix coderabbit review changes
Thushani-Jayasekera Jan 29, 2026
146fdbc
Fix documentation for retry logic
Thushani-Jayasekera Jan 29, 2026
0a19229
Move files to common folder entirely
Thushani-Jayasekera Jan 29, 2026
52d8210
Fix coderabbit review comments
Thushani-Jayasekera Jan 29, 2026
ae1e57d
Add support to update with a new regenerated API Key
Thushani-Jayasekera Jan 29, 2026
3277bed
Merge remote-tracking branch 'upstream/main' into api-key
Thushani-Jayasekera Jan 29, 2026
2bb3ba6
Fix coderabbit review comments and improve external api key validation
Thushani-Jayasekera Jan 30, 2026
f631043
Merge remote-tracking branch 'upstream/main' into api-key
Thushani-Jayasekera Feb 2, 2026
96ec5ce
Add support to accept valid apikey name as identifier and fix build i…
Thushani-Jayasekera Feb 2, 2026
bfd9ef4
Merge remote-tracking branch 'upstream/main' into api-key
Thushani-Jayasekera Feb 2, 2026
4b1920f
Fix test files
Thushani-Jayasekera Feb 2, 2026
3b3a940
Enhance API key handling by updating
Thushani-Jayasekera Feb 3, 2026
681dbf4
Fix openapi and add configurable params for apikey and apikey name le…
Thushani-Jayasekera Feb 5, 2026
9e0e097
Merge remote-tracking branch 'upstream/main' into api-key
Thushani-Jayasekera Feb 5, 2026
dce3c1b
Update documentation
Thushani-Jayasekera Feb 5, 2026
f4c8f99
Update go.mod and go.sum file for integration test failures
Thushani-Jayasekera Feb 5, 2026
31630ff
Fix api-keys.feature file
Thushani-Jayasekera Feb 5, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
200 changes: 200 additions & 0 deletions common/apikey/api_key_hash_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,200 @@
/*
* Copyright (c) 2026, WSO2 LLC. (https://www.wso2.com).
*
* WSO2 LLC. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/

package apikey

import (
"crypto/rand"
"encoding/base64"
"fmt"
"testing"
"time"

"golang.org/x/crypto/argon2"
)

func TestAPIKeyHashedValidation(t *testing.T) {
store := NewAPIkeyStore()

// Create a plain text API key (69 bytes like real generated keys)
plainAPIKey := "apip_88f8399ef29761f92f4f6d2dbd6dcd78399b3bcb8c53417cb23726e5780ac215"

// Hash the API key using Argon2id (simulating what the gateway controller does)
salt := make([]byte, 16)
_, err := rand.Read(salt)
if err != nil {
t.Fatalf("Failed to generate salt: %v", err)
}

hash := argon2.IDKey([]byte(plainAPIKey), salt, 1, 64*1024, 4, 32)
saltEncoded := base64.RawStdEncoding.EncodeToString(salt)
hashEncoded := base64.RawStdEncoding.EncodeToString(hash)
hashedAPIKey := fmt.Sprintf("$argon2id$v=19$m=%d,t=%d,p=%d$%s$%s",
64*1024, 1, 4, saltEncoded, hashEncoded)

// Create API key with hashed value
apiKey := &APIKey{
ID: "test-id-1",
Name: "test-key",
Source: "local",
APIKey: hashedAPIKey, // Store hashed key
APIId: "api-123",
Operations: "[\"*\"]",
Status: Active,
CreatedAt: time.Now(),
CreatedBy: "test-user",
UpdatedAt: time.Now(),
ExpiresAt: nil,
}

// Store the API key
err = store.StoreAPIKey("api-123", apiKey)
if err != nil {
t.Fatalf("Failed to store API key: %v", err)
}

// Test validation with correct plain text key
valid, err := store.ValidateAPIKey("api-123", "/test", "GET", plainAPIKey)
if err != nil {
t.Fatalf("Validation failed with error: %v", err)
}
if !valid {
t.Error("Validation should succeed with correct plain text API key")
}
}

func TestAPIKeyHashedValidationFailures(t *testing.T) {
store := NewAPIkeyStore()

plainAPIKey := "apip_88f8399ef29761f92f4f6d2dbd6dcd78399b3bcb8c53417cb23726e5780ac215"

// Hash the API key using Argon2id
salt := make([]byte, 16)
_, err := rand.Read(salt)
if err != nil {
t.Fatalf("Failed to generate salt: %v", err)
}

hash := argon2.IDKey([]byte(plainAPIKey), salt, 1, 64*1024, 4, 32)
saltEncoded := base64.RawStdEncoding.EncodeToString(salt)
hashEncoded := base64.RawStdEncoding.EncodeToString(hash)
hashedAPIKey := fmt.Sprintf("$argon2id$v=19$m=%d,t=%d,p=%d$%s$%s",
64*1024, 1, 4, saltEncoded, hashEncoded)

apiKey := &APIKey{
ID: "test-id-2",
Name: "test-key-2",
APIKey: hashedAPIKey,
Source: "local",
APIId: "api-456",
Operations: "[\"*\"]",
Status: Active,
CreatedAt: time.Now(),
CreatedBy: "test-user",
UpdatedAt: time.Now(),
ExpiresAt: nil,
}

err = store.StoreAPIKey("api-456", apiKey)
if err != nil {
t.Fatalf("Failed to store API key: %v", err)
}

// Test validation with wrong plain text key
wrongKey := "apip_wrong399ef29761f92f4f6d2dbd6dcd78399b3bcb8c53417cb23726e5780ac999"
valid, err := store.ValidateAPIKey("api-456", "/test", "GET", wrongKey)
if err != nil {
if err != ErrNotFound {
t.Fatalf("Expected ErrNotFound, got: %v", err)
}
}
if valid {
t.Error("Validation should fail with incorrect plain text API key")
}

// Test validation with non-existent API
valid, err = store.ValidateAPIKey("non-existent-api", "/test", "GET", plainAPIKey)
if err == nil {
t.Error("Expected error for non-existent API")
}
if valid {
t.Error("Validation should fail for non-existent API")
}
}

func TestAPIKeyHashedRevocation(t *testing.T) {
store := NewAPIkeyStore()

plainAPIKey := "apip_revoke399ef29761f92f4f6d2dbd6dcd78399b3bcb8c53417cb23726e5780ac215"

// Hash the API key using Argon2id
salt := make([]byte, 16)
_, err := rand.Read(salt)
if err != nil {
t.Fatalf("Failed to generate salt: %v", err)
}

hash := argon2.IDKey([]byte(plainAPIKey), salt, 1, 64*1024, 4, 32)
saltEncoded := base64.RawStdEncoding.EncodeToString(salt)
hashEncoded := base64.RawStdEncoding.EncodeToString(hash)
hashedAPIKey := fmt.Sprintf("$argon2id$v=19$m=%d,t=%d,p=%d$%s$%s",
64*1024, 1, 4, saltEncoded, hashEncoded)

apiKey := &APIKey{
ID: "test-id-3",
Name: "revoke-test-key",
APIKey: hashedAPIKey,
Source: "local",
APIId: "api-789",
Operations: "[\"*\"]",
Status: Active,
CreatedAt: time.Now(),
CreatedBy: "test-user",
UpdatedAt: time.Now(),
ExpiresAt: nil,
}

err = store.StoreAPIKey("api-789", apiKey)
if err != nil {
t.Fatalf("Failed to store API key: %v", err)
}

// Verify key works before revocation
valid, err := store.ValidateAPIKey("api-789", "/test", "GET", plainAPIKey)
if err != nil {
t.Fatalf("Validation failed before revocation: %v", err)
}
if !valid {
t.Error("API key should be valid before revocation")
}

// Revoke the API key using plain text key
err = store.RevokeAPIKey("api-789", plainAPIKey)
if err != nil {
t.Fatalf("Failed to revoke API key: %v", err)
}

// Verify key no longer works after revocation
valid, err = store.ValidateAPIKey("api-789", "/test", "GET", plainAPIKey)
if err != nil && err != ErrNotFound {
t.Fatalf("Unexpected error during validation after revocation: %v", err)
}
if valid {
t.Error("API key should be invalid after revocation")
}
}
Loading
Loading