fix: add validation for duplicated API keys (#5955)

gavinkflam · melsal13 · commit 920c346fdba3 · 2025-05-09T12:13:09.000-07:00
* reject duplicated API keys
* enhance api-key-auth e2e test to cover duplicated client IDs

Signed-off-by: Gavin Lam &lt;gavin.oss@tutamail.com&gt;
Signed-off-by: melsal13 &lt;mmvsal13@gmail.com&gt;
diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
@@ -1124,6 +1124,8 @@ func (t *Translator) buildAPIKeyAuth(
 	}
 
 	credentials := make(map[string]ir.PrivateBytes)
+	seenKeys := make(sets.Set[string])
+
 	for _, ref := range policy.Spec.APIKeyAuth.CredentialRefs {
 		credentialsSecret, err := t.validateSecretRef(
 			false, from, ref, resources)
@@ -1134,6 +1136,13 @@ func (t *Translator) buildAPIKeyAuth(
 			if _, ok := credentials[clientid]; ok {
 				continue
 			}
+
+			keyString := string(key)
+			if seenKeys.Has(keyString) {
+				return nil, errors.New("duplicated API key")
+			}
+
+			seenKeys.Insert(keyString)
 			credentials[clientid] = key
 		}
 	}
diff --git a/internal/gatewayapi/testdata/httproute-with-api-key-auth-duplicated-api-key.in.yaml b/internal/gatewayapi/testdata/httproute-with-api-key-auth-duplicated-api-key.in.yaml
@@ -0,0 +1,62 @@
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: Gateway
+  metadata:
+    namespace: envoy-gateway
+    name: gateway-1
+  spec:
+    gatewayClassName: envoy-gateway-class
+    listeners:
+    - name: http
+      protocol: HTTP
+      port: 80
+      hostname: "*.envoyproxy.io"
+      allowedRoutes:
+        namespaces:
+          from: All
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: HTTPRoute
+  metadata:
+    namespace: default
+    name: httproute-1
+  spec:
+    hostnames:
+    - gateway.envoyproxy.io
+    parentRefs:
+    - namespace: envoy-gateway
+      name: gateway-1
+      sectionName: http
+    rules:
+    - matches:
+      - path:
+          value: "/"
+      backendRefs:
+      - name: service-1
+        port: 8080
+securityPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: SecurityPolicy
+  metadata:
+    namespace: default
+    name: policy-for-route-1
+  spec:
+    targetRefs:
+    - group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      name: httproute-1
+    apiKeyAuth:
+      extractFrom:
+      - headers: ["X-API-KEY"]
+      credentialRefs:
+      - name: "credential-1"
+secrets:
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    namespace: default
+    name: credential-1
+  data:
+    client1: "a2V5MQ=="
+    client2: "a2V5Mg=="
+    client3: "a2V5Mg=="
diff --git a/internal/gatewayapi/testdata/httproute-with-api-key-auth-duplicated-api-key.out.yaml b/internal/gatewayapi/testdata/httproute-with-api-key-auth-duplicated-api-key.out.yaml
@@ -0,0 +1,183 @@
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: Gateway
+  metadata:
+    creationTimestamp: null
+    name: gateway-1
+    namespace: envoy-gateway
+  spec:
+    gatewayClassName: envoy-gateway-class
+    listeners:
+    - allowedRoutes:
+        namespaces:
+          from: All
+      hostname: '*.envoyproxy.io'
+      name: http
+      port: 80
+      protocol: HTTP
+  status:
+    listeners:
+    - attachedRoutes: 1
+      conditions:
+      - lastTransitionTime: null
+        message: Sending translated listener configuration to the data plane
+        reason: Programmed
+        status: "True"
+        type: Programmed
+      - lastTransitionTime: null
+        message: Listener has been successfully translated
+        reason: Accepted
+        status: "True"
+        type: Accepted
+      - lastTransitionTime: null
+        message: Listener references have been resolved
+        reason: ResolvedRefs
+        status: "True"
+        type: ResolvedRefs
+      name: http
+      supportedKinds:
+      - group: gateway.networking.k8s.io
+        kind: HTTPRoute
+      - group: gateway.networking.k8s.io
+        kind: GRPCRoute
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: HTTPRoute
+  metadata:
+    creationTimestamp: null
+    name: httproute-1
+    namespace: default
+  spec:
+    hostnames:
+    - gateway.envoyproxy.io
+    parentRefs:
+    - name: gateway-1
+      namespace: envoy-gateway
+      sectionName: http
+    rules:
+    - backendRefs:
+      - name: service-1
+        port: 8080
+      matches:
+      - path:
+          value: /
+  status:
+    parents:
+    - conditions:
+      - lastTransitionTime: null
+        message: Route is accepted
+        reason: Accepted
+        status: "True"
+        type: Accepted
+      - lastTransitionTime: null
+        message: Resolved all the Object references for the Route
+        reason: ResolvedRefs
+        status: "True"
+        type: ResolvedRefs
+      controllerName: gateway.envoyproxy.io/gatewayclass-controller
+      parentRef:
+        name: gateway-1
+        namespace: envoy-gateway
+        sectionName: http
+infraIR:
+  envoy-gateway/gateway-1:
+    proxy:
+      listeners:
+      - address: null
+        name: envoy-gateway/gateway-1/http
+        ports:
+        - containerPort: 10080
+          name: http-80
+          protocol: HTTP
+          servicePort: 80
+      metadata:
+        labels:
+          gateway.envoyproxy.io/owning-gateway-name: gateway-1
+          gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
+      name: envoy-gateway/gateway-1
+      namespace: envoy-gateway-system
+securityPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: SecurityPolicy
+  metadata:
+    creationTimestamp: null
+    name: policy-for-route-1
+    namespace: default
+  spec:
+    apiKeyAuth:
+      credentialRefs:
+      - group: null
+        kind: null
+        name: credential-1
+      extractFrom:
+      - headers:
+        - X-API-KEY
+    targetRefs:
+    - group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      name: httproute-1
+  status:
+    ancestors:
+    - ancestorRef:
+        group: gateway.networking.k8s.io
+        kind: Gateway
+        name: gateway-1
+        namespace: envoy-gateway
+        sectionName: http
+      conditions:
+      - lastTransitionTime: null
+        message: 'APIKeyAuth: duplicated API key.'
+        reason: Invalid
+        status: "False"
+        type: Accepted
+      controllerName: gateway.envoyproxy.io/gatewayclass-controller
+xdsIR:
+  envoy-gateway/gateway-1:
+    accessLog:
+      json:
+      - path: /dev/stdout
+    http:
+    - address: 0.0.0.0
+      hostnames:
+      - '*.envoyproxy.io'
+      isHTTP2: false
+      metadata:
+        kind: Gateway
+        name: gateway-1
+        namespace: envoy-gateway
+        sectionName: http
+      name: envoy-gateway/gateway-1/http
+      path:
+        escapedSlashesAction: UnescapeAndRedirect
+        mergeSlashes: true
+      port: 10080
+      routes:
+      - destination:
+          name: httproute/default/httproute-1/rule/0
+          settings:
+          - addressType: IP
+            endpoints:
+            - host: 7.7.7.7
+              port: 8080
+            name: httproute/default/httproute-1/rule/0/backend/0
+            protocol: HTTP
+            weight: 1
+        directResponse:
+          statusCode: 500
+        hostname: gateway.envoyproxy.io
+        isHTTP2: false
+        metadata:
+          kind: HTTPRoute
+          name: httproute-1
+          namespace: default
+        name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io
+        pathMatch:
+          distinct: false
+          name: ""
+          prefix: /
+        security: {}
+    readyListener:
+      address: 0.0.0.0
+      ipFamily: IPv4
+      path: /ready
+      port: 19003
diff --git a/release-notes/current.yaml b/release-notes/current.yaml
@@ -13,6 +13,7 @@ new features: |
 bug fixes: |
   Fix reference grant from SecurityPolicy to referenced remoteJWKS backend not respected.
   Added validation for header values.
+  Added validation for duplicated API keys.
 
 # Enhancements that improve performance.
 performance improvements: |
diff --git a/test/e2e/testdata/api-key-auth.yaml b/test/e2e/testdata/api-key-auth.yaml
@@ -10,6 +10,15 @@ data:
   # key2
   client2: "a2V5Mg=="
 ---
+apiVersion: v1
+kind: Secret
+metadata:
+  namespace: gateway-conformance-infra
+  name: api-key-auth-users-secret-2
+data:
+  # key2 - duplicate client id should be ignored
+  client1: "a2V5Mg=="
+---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
@@ -76,6 +85,7 @@ spec:
       - headers: ["X-API-KEY"]
     credentialRefs:
       - name: "api-key-auth-users-secret-1"
+      - name: "api-key-auth-users-secret-2"
 ---
 apiVersion: gateway.envoyproxy.io/v1alpha1
 kind: SecurityPolicy
@@ -92,6 +102,7 @@ spec:
       - cookies: ["X-API-KEY"]
     credentialRefs:
       - name: "api-key-auth-users-secret-1"
+      - name: "api-key-auth-users-secret-2"
 
 ---
 apiVersion: gateway.envoyproxy.io/v1alpha1
@@ -109,3 +120,4 @@ spec:
       - params: ["X-API-KEY"]
     credentialRefs:
       - name: "api-key-auth-users-secret-1"
+      - name: "api-key-auth-users-secret-2"

Original file line number	Diff line number	Diff line change
`@@ -1124,6 +1124,8 @@ func (t *Translator) buildAPIKeyAuth(`
`1124`	`1124`	`}`
`1125`	`1125`
`1126`	`1126`	`credentials := make(map[string]ir.PrivateBytes)`
	`1127`	`+ seenKeys := make(sets.Set[string])`
	`1128`	`+`
`1127`	`1129`	`for _, ref := range policy.Spec.APIKeyAuth.CredentialRefs {`
`1128`	`1130`	`credentialsSecret, err := t.validateSecretRef(`
`1129`	`1131`	`false, from, ref, resources)`
`@@ -1134,6 +1136,13 @@ func (t *Translator) buildAPIKeyAuth(`
`1134`	`1136`	`if _, ok := credentials[clientid]; ok {`
`1135`	`1137`	`continue`
`1136`	`1138`	`}`
	`1139`	`+`
	`1140`	`+ keyString := string(key)`
	`1141`	`+ if seenKeys.Has(keyString) {`
	`1142`	`+ return nil, errors.New("duplicated API key")`
	`1143`	`+ }`
	`1144`	`+`
	`1145`	`+ seenKeys.Insert(keyString)`
`1137`	`1146`	`credentials[clientid] = key`
`1138`	`1147`	`}`
`1139`	`1148`	`}`