Merge pull request #11979 from IsuruMaduranga/custom-api-key-header

Backend changes for custom api key header feature

components/apimgt/org.wso2.carbon.apimgt.api/src/main/java/org/wso2/carbon/apimgt/api/model/API.java

@@ -152,6 +152,7 @@ public void setSoapToRestSequences(List<SOAPToRestSequence> soapToRestSequences)
 
     //Custom authorization header specific to the API
     private String authorizationHeader;
+    private String apiKeyHeader;
     private Set<Scope> scopes;
 
     private boolean isDefaultVersion = false;
@@ -1175,6 +1176,12 @@ public void setAuthorizationHeader(String authorizationHeader) {
         this.authorizationHeader = authorizationHeader;
     }
 
+    public String getApiKeyHeader() { return apiKeyHeader; }
+
+    public void setApiKeyHeader(String apiKeyHeader) {
+        this.apiKeyHeader = apiKeyHeader;
+    }
+
     /**
      * Check the status of the Json schema validation property.
      *

components/apimgt/org.wso2.carbon.apimgt.api/src/main/java/org/wso2/carbon/apimgt/api/model/APIProduct.java

@@ -89,6 +89,7 @@ public class APIProduct {
      * Custom authorization header specific to the API
      */
     private String authorizationHeader;
+    private String apiKeyHeader;
 
     private CORSConfiguration corsConfiguration;
 
@@ -439,6 +440,14 @@ public void setAuthorizationHeader(String authorizationHeader) {
         this.authorizationHeader = authorizationHeader;
     }
 
+    public String getApiKeyHeader() {
+        return apiKeyHeader;
+    }
+
+    public void setApiKeyHeader(String apiKeyHeader) {
+        this.apiKeyHeader = apiKeyHeader;
+    }
+
     public CORSConfiguration getCorsConfiguration() {
         return corsConfiguration;
     }

components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/APIAuthenticationHandler.java

@@ -94,6 +94,7 @@ public class APIAuthenticationHandler extends AbstractHandler implements Managed
     private SynapseEnvironment synapseEnvironment;
 
     private String authorizationHeader;
+    private String apiKeyHeader;
     private String apiSecurity;
     private String apiLevelPolicy;
     private String certificateInformation;
@@ -201,6 +202,24 @@ public void setAuthorizationHeader(String authorizationHeader) {
         this.authorizationHeader = authorizationHeader;
     }
 
+    /**
+     * To get the Api Key Header.
+     *
+     * @return Relevant the Api Key Header of the API request
+     */
+    public String getApiKeyHeader() {
+        return apiKeyHeader;
+    }
+
+    /**
+     * To set the Api Key Header.
+     *
+     * @param apiKeyHeader the Api Key Header of the API request.
+     */
+    public void setApiKeyHeader(String apiKeyHeader) {
+        this.apiKeyHeader = apiKeyHeader;
+    }
+
     /**
      * To get the API level security expected for the current API in gateway level.
      *
@@ -335,7 +354,7 @@ protected void initializeAuthenticators() {
             authenticators.add(authenticator);
         }
         if (isApiKeyProtected) {
-            Authenticator authenticator = new ApiKeyAuthenticator(APIConstants.API_KEY_HEADER_QUERY_PARAM, apiLevelPolicy, isOAuthBasicAuthMandatory);
+            Authenticator authenticator = new ApiKeyAuthenticator(apiKeyHeader, apiLevelPolicy, isOAuthBasicAuthMandatory);
             authenticator.init(synapseEnvironment);
             authenticators.add(authenticator);
         }
@@ -631,7 +650,7 @@ private void handleAuthFailure(MessageContext messageContext, APISecurityExcepti
             errorDetail =
                     APISecurityConstants.getFailureMessageDetailDescription(e.getErrorCode(), e.getMessage()) + "'"
                             + authorizationHeader + " : Bearer ACCESS_TOKEN' or '" + authorizationHeader +
-                            " : Basic ACCESS_TOKEN' or 'apikey: API_KEY'" ;
+                            " : Basic ACCESS_TOKEN' or '" + apiKeyHeader + " : API_KEY'";
         }
         messageContext.setProperty(SynapseConstants.ERROR_DETAIL, errorDetail);
 

components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/CORSRequestHandler.java

@@ -69,6 +69,7 @@ public class CORSRequestHandler extends AbstractHandler implements ManagedLifecy
     private List<String> allowedMethodList;
     private boolean allowCredentialsEnabled;
     private String authorizationHeader;
+    private String apiKeyHeader;
 
     public void init(SynapseEnvironment synapseEnvironment) {
         if (log.isDebugEnabled()) {
@@ -95,6 +96,9 @@ void initializeHeaders() {
         if (authorizationHeader != null) {
             allowHeaders += APIConstants.MULTI_ATTRIBUTE_SEPARATOR_DEFAULT + authorizationHeader;
         }
+        if (apiKeyHeader != null) {
+            allowHeaders += APIConstants.MULTI_ATTRIBUTE_SEPARATOR_DEFAULT + apiKeyHeader;
+        }
         if (allowedOrigins == null) {
             String allowedOriginsList = APIUtil.getAllowedOrigins();
             if (!allowedOriginsList.isEmpty()) {
@@ -447,4 +451,12 @@ public String getAuthorizationHeader() {
     public void setAuthorizationHeader(String authorizationHeader) {
         this.authorizationHeader = authorizationHeader;
     }
+
+    public String getApiKeyHeader() {
+        return apiKeyHeader;
+    }
+
+    public void setApiKeyHeader(String apiKeyHeader) {
+        this.apiKeyHeader = apiKeyHeader;
+    }
 }

components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIConstants.java

@@ -335,6 +335,7 @@ public final class APIConstants {
     public static final String API_OVERVIEW_OUTSEQUENCE = "overview_outSequence";
     public static final String API_OVERVIEW_FAULTSEQUENCE = "overview_faultSequence";
     public static final String API_OVERVIEW_AUTHORIZATION_HEADER = "overview_authorizationHeader";
+    public static final String API_OVERVIEW_API_KEY_HEADER = "overview_apiKeyHeader";
     public static final String API_OVERVIEW_API_SECURITY = "overview_apiSecurity";
     public static final String API_OVERVIEW_WS_URI_MAPPING = "overview_wsUriMapping";
     public static final String AUTHORIZATION_HEADER_BASIC = "Basic";
@@ -459,10 +460,12 @@ public final class APIConstants {
     public static final String MEDIATOR_CONFIG = "MediatorConfigs.";
     public static final String OAUTH_CONFIGS = "OAuthConfigurations.";
     public static final String AUTHORIZATION_HEADER = "AuthorizationHeader";
+    public static final String API_KEY_HEADER = "ApiKeyHeader";
     public static final String API_SECURITY = "APISecurity";
     public static final String API_LEVEL_POLICY = "APILevelPolicy";
     public static final String CERTIFICATE_INFORMATION = "CertificateInformation";
     public static final String AUTHORIZATION_HEADER_DEFAULT = "Authorization";
+    public static final String API_KEY_HEADER_DEFAULT = "ApiKey";
     public static final String HEADER_TENANT = "xWSO2Tenant";
     public static final String X_WSO2_TENANT_HEADER = "X-WSO2-Tenant";
     public static final String AUTHORIZATION_QUERY_PARAM_DEFAULT = "access_token";
@@ -1596,6 +1599,7 @@ private ConfigParameters() {
 
     //swagger MG related constants
     public static final String X_WSO2_AUTH_HEADER = "x-wso2-auth-header";
+    public static final String X_WSO2_API_KEY_HEADER = "x-wso2-api-key-header";
     public static final String X_THROTTLING_TIER = "x-throttling-tier";
     public static final String X_WSO2_CORS = "x-wso2-cors";
     public static final String X_WSO2_PRODUCTION_ENDPOINTS = "x-wso2-production-endpoints";

components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/definitions/OAS2Parser.java

@@ -839,6 +839,9 @@ public String getOASDefinitionForPublisher(API api, String oasDefinition) throws
         if (api.getAuthorizationHeader() != null) {
             swagger.setVendorExtension(APIConstants.X_WSO2_AUTH_HEADER, api.getAuthorizationHeader());
         }
+        if (api.getApiKeyHeader() != null) {
+            swagger.setVendorExtension(APIConstants.X_WSO2_API_KEY_HEADER, api.getApiKeyHeader());
+        }
         if (api.getApiLevelPolicy() != null) {
             swagger.setVendorExtension(APIConstants.X_THROTTLING_TIER, api.getApiLevelPolicy());
         }
@@ -1681,6 +1684,12 @@ public API setExtensionsToAPI(String apiDefinition, API api) throws APIManagemen
         if (StringUtils.isNotBlank(authHeader)) {
             api.setAuthorizationHeader(authHeader);
         }
+        //Setup custom api key header for API
+        String apiKeyHeader = OASParserUtil.getApiKeyHeaderFromSwagger(extensions);
+        if (StringUtils.isNotBlank(apiKeyHeader)) {
+            api.setApiKeyHeader(apiKeyHeader);
+        }
+
         //Setup application Security
         List<String> applicationSecurity = OASParserUtil.getApplicationSecurityTypes(extensions);
         Boolean isOptional = OASParserUtil.getAppSecurityStateFromSwagger(extensions);

components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/definitions/OAS3Parser.java

@@ -953,6 +953,9 @@ public String getOASDefinitionForPublisher(API api, String oasDefinition) throws
         if (api.getAuthorizationHeader() != null) {
             openAPI.addExtension(APIConstants.X_WSO2_AUTH_HEADER, api.getAuthorizationHeader());
         }
+        if (api.getApiKeyHeader() != null) {
+            openAPI.addExtension(APIConstants.X_WSO2_API_KEY_HEADER, api.getApiKeyHeader());
+        }
         if (api.getApiLevelPolicy() != null) {
             openAPI.addExtension(APIConstants.X_THROTTLING_TIER, api.getApiLevelPolicy());
         }
@@ -1930,6 +1933,12 @@ public API setExtensionsToAPI(String apiDefinition, API api) throws APIManagemen
         if (StringUtils.isNotBlank(authHeader)) {
             api.setAuthorizationHeader(authHeader);
         }
+        //Setup custom api key header for API
+        String apiKeyHeader = OASParserUtil.getApiKeyHeaderFromSwagger(extensions);
+        if (StringUtils.isNotBlank(apiKeyHeader)) {
+            api.setApiKeyHeader(apiKeyHeader);
+        }
+
         //Setup application Security
         List<String> applicationSecurity = OASParserUtil.getApplicationSecurityTypes(extensions);
         Boolean isOptional = OASParserUtil.getAppSecurityStateFromSwagger(extensions);

components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/definitions/OASParserUtil.java

@@ -1649,6 +1649,18 @@ public static String getAuthorizationHeaderFromSwagger(Map<String, Object> exten
         return authorizationHeader == null ? null : authorizationHeader.toString();
     }
 
+    /**
+     * This method returns extension of custom API key Header related to micro-gw
+     *
+     * @param extensions Map<String, Object>
+     * @return API key header header value as String
+     * @throws APIManagementException throws if an error occurred
+     */
+    public static String getApiKeyHeaderFromSwagger(Map<String, Object> extensions) throws APIManagementException {
+        Object apiKeyHeader = extensions.get(APIConstants.X_WSO2_API_KEY_HEADER);
+        return apiKeyHeader == null ? null : apiKeyHeader.toString();
+    }
+
     /**
      * This method returns extension of custom authorization Header related to micro-gw
      *

components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/utils/APIUtil.java

@@ -704,6 +704,7 @@ public static API getAPI(GovernanceArtifact artifact)
             api.setEnvironments(extractEnvironmentsForAPI(environments));
             api.setCorsConfiguration(getCorsConfigurationFromArtifact(artifact));
             api.setAuthorizationHeader(artifact.getAttribute(APIConstants.API_OVERVIEW_AUTHORIZATION_HEADER));
+            api.setApiKeyHeader(artifact.getAttribute(APIConstants.API_OVERVIEW_API_KEY_HEADER));
             api.setApiSecurity(artifact.getAttribute(APIConstants.API_OVERVIEW_API_SECURITY));
 
             //get endpoint config string from artifact, parse it as a json and set the environment list configured with
@@ -914,6 +915,7 @@ public static GenericArtifact createAPIArtifactContent(GenericArtifact artifact,
             artifact.setAttribute(APIConstants.API_PRODUCTION_THROTTLE_MAXTPS, api.getProductionMaxTps());
             artifact.setAttribute(APIConstants.API_SANDBOX_THROTTLE_MAXTPS, api.getSandboxMaxTps());
             artifact.setAttribute(APIConstants.API_OVERVIEW_AUTHORIZATION_HEADER, api.getAuthorizationHeader());
+            artifact.setAttribute(APIConstants.API_OVERVIEW_API_KEY_HEADER, api.getApiKeyHeader());
             artifact.setAttribute(APIConstants.API_OVERVIEW_API_SECURITY, api.getApiSecurity());
             artifact.setAttribute(APIConstants.API_OVERVIEW_ENABLE_JSON_SCHEMA,
                     Boolean.toString(api.isEnabledSchemaValidation()));
@@ -1089,6 +1091,7 @@ public static GenericArtifact createAPIProductArtifactContent(GenericArtifact ar
             artifact.setAttribute(APIConstants.API_OVERVIEW_CORS_CONFIGURATION,
                     APIUtil.getCorsConfigurationJsonFromDto(apiProduct.getCorsConfiguration()));
             artifact.setAttribute(APIConstants.API_OVERVIEW_AUTHORIZATION_HEADER, apiProduct.getAuthorizationHeader());
+            artifact.setAttribute(APIConstants.API_OVERVIEW_API_KEY_HEADER, apiProduct.getApiKeyHeader());
             artifact.setAttribute(APIConstants.API_OVERVIEW_API_SECURITY, apiProduct.getApiSecurity());
 
             //Validate if the API has an unsupported context before setting it in the artifact
@@ -9398,6 +9401,7 @@ public static API getReducedPublisherAPIForListing(GovernanceArtifact artifact,
             api.setImplementation(artifact.getAttribute(APIConstants.PROTOTYPE_OVERVIEW_IMPLEMENTATION));
 
             api.setAuthorizationHeader(artifact.getAttribute(APIConstants.API_OVERVIEW_AUTHORIZATION_HEADER));
+            api.setApiKeyHeader(artifact.getAttribute(APIConstants.API_OVERVIEW_API_KEY_HEADER));
             api.setApiSecurity(artifact.getAttribute(APIConstants.API_OVERVIEW_API_SECURITY));
 
         } catch (GovernanceException e) {

components/apimgt/org.wso2.carbon.apimgt.persistence/src/main/java/org/wso2/carbon/apimgt/persistence/APIConstants.java

@@ -82,6 +82,7 @@ public final class APIConstants {
     public static final String API_OVERVIEW_OUTSEQUENCE = "overview_outSequence";
     public static final String API_OVERVIEW_FAULTSEQUENCE = "overview_faultSequence";
     public static final String API_OVERVIEW_AUTHORIZATION_HEADER = "overview_authorizationHeader";
+    public static final String API_OVERVIEW_API_KEY_HEADER = "overview_apiKeyHeader";
     public static final String API_OVERVIEW_API_SECURITY = "overview_apiSecurity";
     public static final String API_OVERVIEW_RESPONSE_CACHING = "overview_responseCaching";
     public static final String API_OVERVIEW_CACHE_TIMEOUT = "overview_cacheTimeout";

components/apimgt/org.wso2.carbon.apimgt.persistence/src/main/java/org/wso2/carbon/apimgt/persistence/dto/DevPortalAPI.java

@@ -46,6 +46,7 @@ public class DevPortalAPI extends DevPortalAPIInfo {
     private String subscriptionAvailability; // need to decide isSubscriptionAvailable
     private String subscriptionAvailableOrgs; // (subscriptionAvailableTenants): need to decide the value of "isSubscriptionAvailable"
     private String authorizationHeader;
+    private String apiKeyHeader;
     private List<String> securityScheme = new ArrayList<>();
     private Set<String> environments;
     private Set<String> apiCategories;
@@ -221,6 +222,14 @@ public String getAuthorizationHeader() {
         return authorizationHeader;
     }
 
+    public void setApiKeyHeader(String apiKeyHeader) {
+        this.apiKeyHeader = apiKeyHeader;
+    }
+
+    public String getApiKeyHeader() {
+        return apiKeyHeader;
+    }
+
     public void setAuthorizationHeader(String authorizationHeader) {
         this.authorizationHeader = authorizationHeader;
     }

components/apimgt/org.wso2.carbon.apimgt.persistence/src/main/java/org/wso2/carbon/apimgt/persistence/dto/PublisherAPI.java

@@ -65,6 +65,7 @@ public class PublisherAPI extends PublisherAPIInfo {
     private String productionMaxTps;
     private String sandboxMaxTps;
     private String authorizationHeader;
+    private String apiKeyHeader;
     private String apiSecurity; // ?check whether same to private List<String> securityScheme = new ArrayList<>();
     private boolean enableSchemaValidation;
     private boolean enableSubscriberVerification;
@@ -348,6 +349,14 @@ public void setAuthorizationHeader(String authorizationHeader) {
         this.authorizationHeader = authorizationHeader;
     }
 
+    public String getApiKeyHeader() {
+        return apiKeyHeader;
+    }
+
+    public void setApiKeyHeader(String apiKeyHeader) {
+        this.apiKeyHeader = apiKeyHeader;
+    }
+
     public String getApiSecurity() {
         return apiSecurity;
     }
@@ -621,6 +630,7 @@ public String toString() {
                 + ", subscriptionAvailability=" + subscriptionAvailability + ", subscriptionAvailableOrgs="
                 + subscriptionAvailableOrgs + ", implementation=" + implementation + ", productionMaxTps="
                 + productionMaxTps + ", sandboxMaxTps=" + sandboxMaxTps + ", authorizationHeader=" + authorizationHeader
+                + ", apiKeyHeader=" + apiKeyHeader
                 + ", apiSecurity=" + apiSecurity + ", enableSchemaValidation=" + enableSchemaValidation
                 + ", enableSubscriberVerification=" + enableSubscriberVerification + ", enableStore=" + enableStore
                 + ", testKey=" + testKey + ", contextTemplate=" + contextTemplate + ", availableTierNames="

components/apimgt/org.wso2.carbon.apimgt.persistence/src/main/java/org/wso2/carbon/apimgt/persistence/dto/PublisherAPIProduct.java

@@ -46,7 +46,8 @@ public class PublisherAPIProduct extends PublisherAPIProductInfo {
     private Set<String> environments;    
     private String transports;    
     private CORSConfiguration corsConfiguration;    
-    private String authorizationHeader;  
+    private String authorizationHeader;
+    private String apiKeyHeader;
     private String contextTemplate;
     private boolean enableSchemaValidation;
     private boolean isMonetizationEnabled;
@@ -161,6 +162,15 @@ public String getAuthorizationHeader() {
     public void setAuthorizationHeader(String authorizationHeader) {
         this.authorizationHeader = authorizationHeader;
     }
+
+    public String getApiKeyHeader() {
+        return apiKeyHeader;
+    }
+
+    public void setApiKeyHeader(String apiKeyHeader) {
+        this.apiKeyHeader = apiKeyHeader;
+    }
+
     public String getContextTemplate() {
         return contextTemplate;
     }

components/apimgt/org.wso2.carbon.apimgt.persistence/src/main/java/org/wso2/carbon/apimgt/persistence/utils/RegistryPersistenceUtil.java

@@ -174,6 +174,7 @@ public static GenericArtifact createAPIArtifactContent(GenericArtifact artifact,
             artifact.setAttribute(APIConstants.API_PRODUCTION_THROTTLE_MAXTPS, api.getProductionMaxTps());
             artifact.setAttribute(APIConstants.API_SANDBOX_THROTTLE_MAXTPS, api.getSandboxMaxTps());
             artifact.setAttribute(APIConstants.API_OVERVIEW_AUTHORIZATION_HEADER, api.getAuthorizationHeader());
+            artifact.setAttribute(APIConstants.API_OVERVIEW_API_KEY_HEADER, api.getApiKeyHeader());
             artifact.setAttribute(APIConstants.API_OVERVIEW_API_SECURITY, api.getApiSecurity());
             artifact.setAttribute(APIConstants.API_OVERVIEW_ENABLE_JSON_SCHEMA,
                                             Boolean.toString(api.isEnableSchemaValidation()));
@@ -680,6 +681,7 @@ public static API getAPI(GovernanceArtifact artifact, Registry registry)
             api.setCorsConfiguration(getCorsConfigurationFromArtifact(artifact));
             api.setWebsubSubscriptionConfiguration(getWebsubSubscriptionConfigurationFromArtifact(artifact));
             api.setAuthorizationHeader(artifact.getAttribute(APIConstants.API_OVERVIEW_AUTHORIZATION_HEADER));
+            api.setApiKeyHeader(artifact.getAttribute(APIConstants.API_OVERVIEW_API_KEY_HEADER));
             api.setApiSecurity(artifact.getAttribute(APIConstants.API_OVERVIEW_API_SECURITY));
             //set data and status related to monetization
             api.setMonetizationEnabled(Boolean.parseBoolean(artifact.getAttribute
@@ -1469,6 +1471,7 @@ public static GenericArtifact createAPIProductArtifactContent(GenericArtifact ar
             artifact.setAttribute(APIConstants.API_OVERVIEW_CORS_CONFIGURATION,
                     getCorsConfigurationJsonFromDto(apiProduct.getCorsConfiguration()));
             artifact.setAttribute(APIConstants.API_OVERVIEW_AUTHORIZATION_HEADER, apiProduct.getAuthorizationHeader());
+            artifact.setAttribute(APIConstants.API_OVERVIEW_API_KEY_HEADER, apiProduct.getApiKeyHeader());
             artifact.setAttribute(APIConstants.API_OVERVIEW_API_SECURITY, apiProduct.getApiSecurity());
 
             //Validate if the API has an unsupported context before setting it in the artifact
@@ -1568,6 +1571,7 @@ public static APIProduct getAPIProduct(GovernanceArtifact artifact, Registry reg
             apiProduct.setTransports(artifact.getAttribute(APIConstants.API_OVERVIEW_TRANSPORTS));
             apiProduct.setApiSecurity(artifact.getAttribute(APIConstants.API_OVERVIEW_API_SECURITY));
             apiProduct.setAuthorizationHeader(artifact.getAttribute(APIConstants.API_OVERVIEW_AUTHORIZATION_HEADER));
+            apiProduct.setApiKeyHeader(artifact.getAttribute(APIConstants.API_OVERVIEW_API_KEY_HEADER));
             apiProduct.setCorsConfiguration(getCorsConfigurationFromArtifact(artifact));
             apiProduct.setCreatedTime(registry.get(artifactPath).getCreatedTime());
             apiProduct.setLastUpdated(registry.get(artifactPath).getLastModified());