Merge pull request #644 from thivindu/api-key

Implement API key hashing

Author: thivindu

docs/gateway/policies/apikey-authentication.md

@@ -217,6 +217,17 @@ gateway_controller:
       # Expected issuer value in the JWT `iss` claim
       issuer: ""
 
+  # API key hashing configuration
+  # Used to hash API keys before storing/comparing them
+  # By default, API keys hashing is enabled with SHA-256 algorithm
+  # Supported algorithms: "sha256", "bcrypt", "argon2id"
+  # By default a user can have up to 10 API keys per API
+  api_key:
+    # Number of API keys allowed per user per API
+    api_keys_per_user_per_api: 10
+    # Hashing algorithm: "sha256", "bcrypt", "argon2id"
+    algorithm: sha256
+
   # Logging configuration
   logging:
     # Log level: "debug", "info", "warn", or "error"

gateway/configs/config.yaml

@@ -8,7 +8,11 @@ require (
 	gopkg.in/yaml.v3 v3.0.1
 )
 
-require gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
+require (
+	golang.org/x/crypto v0.46.0 // indirect
+	golang.org/x/sys v0.39.0 // indirect
+	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
+)
 
 // Local module replacements for Docker builds
 replace github.com/wso2/api-platform/sdk => ../../sdk

gateway/gateway-builder/go.mod

@@ -7,8 +7,12 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
+golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
 golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
 golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
+golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
+golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

gateway/gateway-builder/go.sum

@@ -347,7 +347,7 @@ paths:
               schema:
                 $ref: "#/components/schemas/ErrorResponse"
 
-  /apis/{id}/generate-api-key:
+  /apis/{id}/api-keys:
     post:
       summary: Generate API key for an API
       description: |
@@ -402,7 +402,6 @@ paths:
               schema:
                 $ref: "#/components/schemas/ErrorResponse"
 
-  /apis/{id}/api-keys:
     get:
       summary: Get the list of API keys for an API
       description: |
@@ -442,13 +441,13 @@ paths:
 
   /apis/{id}/api-keys/{apiKeyName}/regenerate:
     post:
-      summary: Rotate API key for an API
+      summary: Regenerate API key for an API
       description: |
-        Rotate the given API key for the specified API. The newly rotated key can be
+        Regenerate the given API key for the specified API. The newly generated key can be
         used by clients to authenticate requests to the API if API Key validation
         policy is applied. The key is a 32-byte random value encoded in hexadecimal
         and prefixed with "apip_".
-      operationId: rotateAPIKey
+      operationId: regenerateAPIKey
       tags:
         - API Management
       parameters:
@@ -464,7 +463,7 @@ paths:
           in: path
           required: true
           description: |
-            Name of the API key to rotate
+            Name of the API key to regenerate
           schema:
             type: string
           example: weather-api-key
@@ -473,10 +472,10 @@ paths:
         content:
           application/yaml:
             schema:
-              $ref: "#/components/schemas/APIKeyRotationRequest"
+              $ref: "#/components/schemas/APIKeyRegenerationRequest"
           application/json:
             schema:
-              $ref: "#/components/schemas/APIKeyRotationRequest"
+              $ref: "#/components/schemas/APIKeyRegenerationRequest"
       responses:
         '200':
           description: API key rotated successfully
@@ -503,8 +502,8 @@ paths:
               schema:
                 $ref: "#/components/schemas/ErrorResponse"
 
-  /apis/{id}/revoke-api-key:
-    post:
+  /apis/{id}/api-keys/{apiKeyName}:
+    delete:
       summary: Revoke an API key
       description: |
         Revoke a previously generated API key for the specified API. Once revoked,
@@ -521,15 +520,14 @@ paths:
           schema:
             type: string
           example: weather-api-v1.0
-      requestBody:
-        required: true
-        content:
-          application/yaml:
-            schema:
-              $ref: "#/components/schemas/APIKeyRevocationRequest"
-          application/json:
-            schema:
-              $ref: "#/components/schemas/APIKeyRevocationRequest"
+        - name: apiKeyName
+          in: path
+          required: true
+          description: |
+            Name of the API key to revoke
+          schema:
+            type: string
+          example: weather-api-key
       responses:
         '200':
           description: API key revoked successfully
@@ -2243,6 +2241,10 @@ components:
         message:
           type: string
           example: API key generated successfully
+        remaining_api_key_quota:
+          type: integer
+          description: Remaining API key quota for the user
+          example: 9
         api_key:
           $ref: '#/components/schemas/APIKey'
       required:
@@ -2299,7 +2301,7 @@ components:
         - created_at
         - created_by
         - expires_at
-    APIKeyRotationRequest:
+    APIKeyRegenerationRequest:
       type: object
       properties:
         expires_in:
@@ -2329,15 +2331,6 @@ components:
           format: date-time
           description: Expiration timestamp
           example: "2026-12-08T10:30:00Z"
-    APIKeyRevocationRequest:
-      type: object
-      properties:
-        api_key:
-          type: string
-          description: API key to be revoked
-          example: "apip_1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef"
-      required:
-        - api_key
     APIKeyRevocationResponse:
       type: object
       properties:

gateway/gateway-controller/api/openapi.yaml

@@ -114,6 +114,8 @@ func main() {
 
 	// Initialize in-memory API key store for xDS
 	apiKeyStore := storage.NewAPIKeyStore(log)
+	apiKeySnapshotManager := apikeyxds.NewAPIKeySnapshotManager(apiKeyStore, log)
+	apiKeyXDSManager := apikeyxds.NewAPIKeyStateManager(apiKeyStore, apiKeySnapshotManager, log)
 
 	// Load configurations from database on startup (if persistent mode)
 	if cfg.IsPersistentMode() && db != nil {
@@ -131,7 +133,7 @@ func main() {
 		if err := storage.LoadAPIKeysFromDatabase(db, configStore, apiKeyStore); err != nil {
 			log.Fatal("Failed to load API keys from database", zap.Error(err))
 		}
-		log.Info("Loaded API keys", zap.Int("count", apiKeyStore.Count()))
+		log.Info("Loaded API keys", zap.Int("count", apiKeyXDSManager.GetAPIKeyCount()))
 	}
 
 	// Initialize xDS snapshot manager with router config
@@ -174,12 +176,10 @@ func main() {
 		}
 	}()
 
-	apiKeySnapshotManager := apikeyxds.NewAPIKeySnapshotManager(apiKeyStore, log)
-	apiKeyXDSManager := apikeyxds.NewAPIKeyStateManager(apiKeyStore, apiKeySnapshotManager, log)
-
 	// Generate initial API key snapshot if API keys were loaded from database
-	if cfg.IsPersistentMode() && apiKeyStore.Count() > 0 {
-		log.Info("Generating initial API key snapshot for policy engine", zap.Int("api_key_count", apiKeyStore.Count()))
+	if cfg.IsPersistentMode() && apiKeyXDSManager.GetAPIKeyCount() > 0 {
+		log.Info("Generating initial API key snapshot for policy engine",
+			zap.Int("api_key_count", apiKeyXDSManager.GetAPIKeyCount()))
 		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 		if err := apiKeySnapshotManager.UpdateSnapshot(ctx); err != nil {
 			log.Warn("Failed to generate initial API key snapshot", zap.Error(err))
@@ -432,10 +432,10 @@ func generateAuthConfig(config *config.Config) commonmodels.AuthConfig {
 		"PUT /llm-proxies/:id":    {"admin", "developer"},
 		"DELETE /llm-proxies/:id": {"admin", "developer"},
 
-		"POST /apis/:id/generate-api-key":                {"admin", "consumer"},
+		"POST /apis/:id/api-keys":                        {"admin", "consumer"},
 		"GET /apis/:id/api-keys":                         {"admin", "consumer"},
 		"POST /apis/:id/api-keys/:apiKeyName/regenerate": {"admin", "consumer"},
-		"POST /apis/:id/revoke-api-key":                  {"admin", "consumer"},
+		"DELETE /apis/:id/api-keys/:apiKeyName":          {"admin", "consumer"},
 
 		"GET /config_dump": {"admin"},
 	}

gateway/gateway-controller/cmd/controller/main.go

@@ -21,6 +21,7 @@ require (
 	github.com/wso2/api-platform/sdk v0.0.0
 	github.com/xeipuuv/gojsonschema v1.2.0
 	go.uber.org/zap v1.27.1
+	golang.org/x/crypto v0.46.0
 	google.golang.org/grpc v1.78.0
 	google.golang.org/protobuf v1.36.11
 	gopkg.in/yaml.v3 v3.0.1
@@ -87,7 +88,6 @@ require (
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/arch v0.23.0 // indirect
-	golang.org/x/crypto v0.46.0 // indirect
 	golang.org/x/net v0.48.0 // indirect
 	golang.org/x/sys v0.39.0 // indirect
 	golang.org/x/text v0.32.0 // indirect