Merge pull request #13523 from nisan-abeywickrama/fix-www-authenticate

Add test case for validating WWW-Authorization header when invocating an API with API Keys using invalid Authorization header
wso2 · Sep 2, 2024 · 0641b54 · 0641b54
2 parents efd6ee7 + aeeec6b
commit 0641b54
Showing 1 changed file with 34 additions and 0 deletions.
diff --git a/...ackend/src/test/java/org/wso2/am/integration/tests/api/lifecycle/APISecurityTestCase.java b/...ackend/src/test/java/org/wso2/am/integration/tests/api/lifecycle/APISecurityTestCase.java
@@ -1240,6 +1240,40 @@ public void testInvocationWithApiKeysWithoutSubscription() throws Exception {
                 ", but got " + invocationResponseAfterSubscriptionRemoved.getResponseCode());
     }
 
+    @Test(description = "Testing the WWW-Authorization header when invocating an API with API Keys using invalid Authorization header",
+            dependsOnMethods = {"testCreateAndPublishAPIWithOAuth2"})
+    public void testWWWAuthorizationHeaderForApiWithApiKeys() throws Exception{
+
+        String expectedValue = "API Key realm=\"WSO2 API Manager\"";
+
+        // Validate WWW-Authenticate response header when request is made without Authorization header
+        Map<String, String> requestHeaders1 = new HashMap<>();
+        requestHeaders1.put("accept", "application/json");
+
+        HttpResponse response1 =
+                HTTPSClientUtils.doGet(getAPIInvocationURLHttps(mutualSSLandOAuthMandatoryAPIContext, API_VERSION_1_0_0) +
+                        API_END_POINT_METHOD, requestHeaders1);
+
+        String wwwAuthenticateHeader = response1.getHeaders().get("WWW-Authenticate");
+
+        Assert.assertTrue(wwwAuthenticateHeader.contains(expectedValue),
+                "The WWW-Authenticate header does not contain the expected API Key value.");
+
+        // Validate WWW-Authenticate response header when request is made with invalid Authorization header
+        Map<String, String> requestHeaders2 = new HashMap<>();
+        requestHeaders2.put("accept", "application/json");
+        requestHeaders2.put("Authorization", null);
+
+        HttpResponse response2 =
+                HTTPSClientUtils.doGet(getAPIInvocationURLHttps(mutualSSLandOAuthMandatoryAPIContext, API_VERSION_1_0_0) +
+                        API_END_POINT_METHOD, requestHeaders2);
+
+        wwwAuthenticateHeader = response2.getHeaders().get("WWW-Authenticate");
+
+        Assert.assertTrue(wwwAuthenticateHeader.contains(expectedValue),
+                "The WWW-Authenticate header does not contain the expected API Key value.");
+    }
+
     @AfterClass(alwaysRun = true)
     public void cleanUpArtifacts() throws Exception {
         restAPIStore.deleteApplication(applicationId);