Implement API key generation

Author: thivindu

gateway/gateway-controller/api/openapi.yaml

@@ -376,6 +376,82 @@ paths:
               schema:
                 $ref: "#/components/schemas/ErrorResponse"
 
+  /apis/{name}/{version}/api-key:
+    post:
+      summary: Generate API key for an API
+      description: |
+        Generate a new API key for the specified API. The generated key can be
+        used by clients to authenticate requests to the API if API Key validation
+        policy is applied. The key is a 32-byte random value encoded in hexadecimal
+        and prefixed with "gw_".
+      operationId: generateAPIKey
+      tags:
+        - API Management
+      parameters:
+        - name: name
+          in: path
+          required: true
+          description: Name of the API to generate the API key for
+          schema:
+            type: string
+          example: weather-api
+        - name: version
+          in: path
+          required: true
+          description: Version of the API
+          schema:
+            type: string
+          example: v1.0
+      responses:
+        '201':
+          description: API key generated successfully
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  status:
+                    type: string
+                    example: success
+                  message:
+                    type: string
+                    example: API key generated successfully
+                  name:
+                    type: string
+                    description: Name of the API
+                    example: weather-api
+                  version:
+                    type: string
+                    description: Version of the API
+                    example: v1.0
+                  api_key:
+                    type: string
+                    description: Generated API key with gw_ prefix
+                    example: "gw_1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef"
+                  created_at:
+                    type: string
+                    format: date-time
+                    description: Timestamp when the API key was generated
+                    example: "2025-12-08T10:30:00Z"
+                  expires_at:
+                    type: string
+                    format: date-time
+                    nullable: true
+                    description: Expiration timestamp (null if no expiration)
+                    example: null
+        '404':
+          description: API configuration not found
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ErrorResponse'
+        '500':
+          description: Internal server error
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ErrorResponse'
+
   /certificates:
     get:
       summary: List all custom certificates

gateway/gateway-controller/pkg/api/generated/generated.go

@@ -21,6 +21,7 @@ package handlers
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -1437,3 +1438,95 @@ func (s *APIServer) GetConfigDump(c *gin.Context) {
 		zap.Int("policies", len(policies)),
 		zap.Int("certificates", len(certificates)))
 }
+
+// GenerateAPIKey implements ServerInterface.GenerateAPIKey
+// (POST /apis/{name}/{version}/api-key)
+func (s *APIServer) GenerateAPIKey(c *gin.Context, name string, version string) {
+	// Get correlation-aware logger from context
+	log := middleware.GetLogger(c, s.logger)
+
+	// Check if API exists
+	_, err := s.store.GetByNameVersion(name, version)
+	if err != nil {
+		log.Warn("API configuration not found for API Key generation",
+			zap.String("name", name),
+			zap.String("version", version))
+		c.JSON(http.StatusNotFound, api.ErrorResponse{
+			Status:  "error",
+			Message: fmt.Sprintf("API configuration with name '%s' and version '%s' not found", name, version),
+		})
+		return
+	}
+
+	// Generate new API key
+	apiKey, err := models.GenerateAPIKey(name, version)
+	if err != nil {
+		log.Error("Failed to generate API key",
+			zap.Error(err),
+			zap.String("name", name),
+			zap.String("version", version))
+		c.JSON(http.StatusInternalServerError, api.ErrorResponse{
+			Status:  "error",
+			Message: "Failed to generate API key",
+		})
+		return
+	}
+
+	// Save API key to database (only if persistent mode)
+	if s.db != nil {
+		if err := s.db.SaveAPIKey(apiKey); err != nil {
+			if errors.Is(err, storage.ErrConflict) {
+				// This should be extremely rare with 32-byte random keys
+				log.Warn("API key collision detected, retrying",
+					zap.String("name", name),
+					zap.String("version", version))
+
+				// Retry once with a new key
+				apiKey, err = models.GenerateAPIKey(name, version)
+				if err != nil {
+					log.Error("Failed to regenerate API key after collision", zap.Error(err))
+					c.JSON(http.StatusInternalServerError, api.ErrorResponse{
+						Status:  "error",
+						Message: "Failed to generate unique API key",
+					})
+					return
+				}
+
+				if err := s.db.SaveAPIKey(apiKey); err != nil {
+					log.Error("Failed to save API key after retry", zap.Error(err))
+					c.JSON(http.StatusInternalServerError, api.ErrorResponse{
+						Status:  "error",
+						Message: "Failed to save API key",
+					})
+					return
+				}
+			} else {
+				log.Error("Failed to save API key to database",
+					zap.Error(err),
+					zap.String("name", name),
+					zap.String("version", version))
+				c.JSON(http.StatusInternalServerError, api.ErrorResponse{
+					Status:  "error",
+					Message: "Failed to save API key",
+				})
+				return
+			}
+		}
+	}
+
+	log.Info("API key generated successfully",
+		zap.String("name", name),
+		zap.String("version", version),
+		zap.String("key_id", apiKey.ID))
+
+	// Return success response
+	c.JSON(http.StatusCreated, gin.H{
+		"status":     "success",
+		"message":    "API key generated successfully",
+		"name":       apiKey.APIName,
+		"version":    apiKey.APIVersion,
+		"api_key":    apiKey.APIKey,
+		"created_at": apiKey.CreatedAt.Format(time.RFC3339),
+		"expires_at": nil, // No expiration by default
+	})
+}

gateway/gateway-controller/pkg/api/handlers/handlers.go

@@ -0,0 +1,95 @@
+/*
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package models
+
+import (
+	"crypto/rand"
+	"encoding/hex"
+	"fmt"
+	"time"
+
+	"github.com/google/uuid"
+)
+
+// APIKeyStatus represents the status of an API key
+type APIKeyStatus string
+
+const (
+	APIKeyStatusActive  APIKeyStatus = "active"
+	APIKeyStatusRevoked APIKeyStatus = "revoked"
+	APIKeyStatusExpired APIKeyStatus = "expired"
+)
+
+// APIKey represents an API key for an API
+type APIKey struct {
+	ID         string       `json:"id" db:"id"`
+	APIKey     string       `json:"api_key" db:"api_key"`
+	APIName    string       `json:"api_name" db:"api_name"`
+	APIVersion string       `json:"api_version" db:"api_version"`
+	Status     APIKeyStatus `json:"status" db:"status"`
+	CreatedAt  time.Time    `json:"created_at" db:"created_at"`
+	UpdatedAt  time.Time    `json:"updated_at" db:"updated_at"`
+	ExpiresAt  *time.Time   `json:"expires_at" db:"expires_at"`
+}
+
+// GenerateAPIKey creates a new API key with a random 32-byte value prefixed with "gw_"
+func GenerateAPIKey(apiName, apiVersion string) (*APIKey, error) {
+	// Generate UUID for the record ID
+	id := uuid.New().String()
+
+	// Generate 32 random bytes
+	randomBytes := make([]byte, 32)
+	if _, err := rand.Read(randomBytes); err != nil {
+		return nil, fmt.Errorf("failed to generate random bytes: %w", err)
+	}
+
+	// Encode to hex and prefix with "gw_"
+	apiKey := "gw_" + hex.EncodeToString(randomBytes)
+
+	now := time.Now()
+
+	return &APIKey{
+		ID:         id,
+		APIKey:     apiKey,
+		APIName:    apiName,
+		APIVersion: apiVersion,
+		Status:     APIKeyStatusActive,
+		CreatedAt:  now,
+		UpdatedAt:  now,
+		ExpiresAt:  nil, // No expiration by default
+	}, nil
+}
+
+// IsValid checks if the API key is valid (active and not expired)
+func (ak *APIKey) IsValid() bool {
+	if ak.Status != APIKeyStatusActive {
+		return false
+	}
+
+	if ak.ExpiresAt != nil && time.Now().After(*ak.ExpiresAt) {
+		return false
+	}
+
+	return true
+}
+
+// IsExpired checks if the API key has expired
+func (ak *APIKey) IsExpired() bool {
+	return ak.ExpiresAt != nil && time.Now().After(*ak.ExpiresAt)
+}

gateway/gateway-controller/pkg/models/api_key.go

@@ -83,5 +83,35 @@ CREATE TABLE IF NOT EXISTS deployment_configs (
     FOREIGN KEY(id) REFERENCES deployments(id) ON DELETE CASCADE
 );
 
--- Set schema version to 3
-PRAGMA user_version = 3;
+-- Table for API keys
+CREATE TABLE IF NOT EXISTS api_keys (
+    -- Primary identifier (UUID)
+    id TEXT PRIMARY KEY,
+    
+    -- The generated API key
+    api_key TEXT NOT NULL UNIQUE,
+    
+    -- API reference
+    api_name TEXT NOT NULL,
+    api_version TEXT NOT NULL,
+    
+    -- Key status
+    status TEXT NOT NULL CHECK(status IN ('active', 'revoked', 'expired')) DEFAULT 'active',
+    
+    -- Timestamps
+    created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    updated_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    expires_at TIMESTAMP NULL,  -- NULL means no expiration
+    
+    -- Foreign key relationship to deployments
+    FOREIGN KEY (api_name, api_version) REFERENCES deployments(name, version) ON DELETE CASCADE
+);
+
+-- Indexes for API key lookups
+CREATE INDEX IF NOT EXISTS idx_api_key ON api_keys(api_key);
+CREATE INDEX IF NOT EXISTS idx_api_key_api ON api_keys(api_name, api_version);
+CREATE INDEX IF NOT EXISTS idx_api_key_status ON api_keys(status);
+CREATE INDEX IF NOT EXISTS idx_api_key_expiry ON api_keys(expires_at);
+
+-- Set schema version to 4
+PRAGMA user_version = 4;

gateway/gateway-controller/pkg/storage/gateway-controller-db.sql

@@ -105,6 +105,35 @@ type Storage interface {
 	// May be expensive for large datasets; consider pagination in future versions.
 	GetAllConfigsByKind(kind string) ([]*models.StoredConfig, error)
 
+	// SaveAPIKey persists a new API key.
+	//
+	// Returns an error if an API key with the same key value already exists.
+	// Implementations should ensure this operation is atomic (all-or-nothing).
+	SaveAPIKey(apiKey *models.APIKey) error
+
+	// GetAPIKeyByKey retrieves an API key by its key value.
+	//
+	// Returns an error if the API key is not found.
+	// This is used for API key validation during authentication.
+	GetAPIKeyByKey(key string) (*models.APIKey, error)
+
+	// GetAPIKeysByAPI retrieves all API keys for a specific API (name and version).
+	//
+	// Returns an empty slice if no API keys exist for the API.
+	// Used for listing API keys associated with an API.
+	GetAPIKeysByAPI(apiName, apiVersion string) ([]*models.APIKey, error)
+
+	// UpdateAPIKey updates an existing API key (e.g., to revoke or expire it).
+	//
+	// Returns an error if the API key does not exist.
+	// Implementations should ensure this operation is atomic and thread-safe.
+	UpdateAPIKey(apiKey *models.APIKey) error
+
+	// DeleteAPIKey removes an API key by its key value.
+	//
+	// Returns an error if the API key does not exist.
+	DeleteAPIKey(key string) error
+
 	// SaveCertificate persists a new certificate.
 	//
 	// Returns an error if a certificate with the same name already exists.