Merge pull request #950 from Thushani-Jayasekera/api-key

Gateway Controller - API Key Update Restrictions

Author: renuka-fernando

gateway/gateway-controller/pkg/api/handlers/handlers.go

@@ -2550,7 +2550,12 @@ func (s *APIServer) UpdateAPIKey(c *gin.Context, id string, apiKeyName string) {
 	result, err := s.apiKeyService.UpdateAPIKey(params)
 	if err != nil {
 		// Check error type to determine appropriate status code
-		if strings.Contains(err.Error(), "not found") {
+		if storage.IsOperationNotAllowedError(err) {
+			c.JSON(http.StatusBadRequest, api.ErrorResponse{
+				Status:  "error",
+				Message: err.Error(),
+			})
+		} else if strings.Contains(err.Error(), "not found") {
 			c.JSON(http.StatusNotFound, api.ErrorResponse{
 				Status:  "error",
 				Message: err.Error(),

gateway/gateway-controller/pkg/storage/errors.go

@@ -33,6 +33,9 @@ var (
 
 	// ErrDatabaseUnavailable is returned when the database storage is unavailable
 	ErrDatabaseUnavailable = errors.New("database storage is unavailable")
+
+	// ErrOperationNotAllowed is returned when an operation is not permitted
+	ErrOperationNotAllowed = errors.New("operation not allowed")
 )
 
 // IsConflictError checks if an error is a conflict error
@@ -50,3 +53,8 @@ func IsNotFoundError(err error) bool {
 func IsDatabaseUnavailableError(err error) bool {
 	return errors.Is(err, ErrDatabaseUnavailable)
 }
+
+// IsOperationNotAllowedError checks if an error is an operation not allowed error
+func IsOperationNotAllowedError(err error) bool {
+	return errors.Is(err, ErrOperationNotAllowed)
+}

gateway/gateway-controller/pkg/storage/sqlite.go

@@ -1544,7 +1544,7 @@ func (s *SQLiteStorage) UpdateAPIKey(apiKey *models.APIKey) error {
 			LIMIT 1
 		`
 		var duplicateID, duplicateName string
-		err := s.db.QueryRow(duplicateCheckQuery, apiKey.APIId, apiKey.IndexKey, apiKey.Name).Scan(&duplicateID, &duplicateName)
+		err := tx.QueryRow(duplicateCheckQuery, apiKey.APIId, apiKey.IndexKey, apiKey.Name).Scan(&duplicateID, &duplicateName)
 		if err != nil && !errors.Is(err, sql.ErrNoRows) {
 			tx.Rollback()
 			return fmt.Errorf("failed to check for duplicate API key: %w", err)

gateway/gateway-controller/pkg/utils/api_key.go

@@ -507,6 +507,14 @@ func (s *APIKeyService) UpdateAPIKey(params APIKeyUpdateParams) (*APIKeyUpdateRe
 		return nil, fmt.Errorf("API key '%s' not found for API '%s'", params.APIKeyName, params.Handle)
 	}
 
+	// Validate that only external API keys can be updated
+	if existingKey.Source != "external" {
+		logger.Warn("Attempted to update a locally generated API key",
+			slog.String("source", existingKey.Source),
+			slog.String("api_key_name", params.APIKeyName))
+		return nil, fmt.Errorf("%w: updates are only allowed for externally generated API keys. For locally generated keys, please use the regenerate endpoint to create a new key", storage.ErrOperationNotAllowed)
+	}
+
 	// Check authorization - only creator can update their own key (unless admin)
 	err = s.canRegenerateAPIKey(user, existingKey, logger)
 	if err != nil {