API Key YAML Example

[predic8]

…key support

• Extract X-Api-Key into a constant for reusability in tests.
• Improve router lifecycle handling with DefaultRouter adjustments.
• Enhance YAML configuration for API key handling, including support for registry-based ApiKeyStores.
• Minor refactoring and cleanup in Apis.yaml and related test files.

Summary by CodeRabbit

• New Features

  • Support for YAML-based API key store configuration alongside existing XML setup.
  • New example demonstrating API key validation integrated with an OpenAPI spec.

• Refactor

  • Simplified internal CLI control flow for router handling.

• Tests

  • Consolidated API key header usage into a single constant and adjusted test visibility.

• Documentation

  • Updated inline JavaDoc (removed outdated deprecation note).

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

RouterCLI uses Java pattern matching to inline router retrieval and type-checking. ApiKeysInterceptor now loads ApiKeyStore instances from the router registry in addition to the XML beanFactory. Added an API Key OpenAPI example YAML and small test cleanups (header constant and method visibility).

Changes

Cohort / File(s)	Summary
Router CLI pattern match core/src/main/java/com/predic8/membrane/core/cli/RouterCLI.java	Replaced separate router retrieval and instanceof check with an inline getRouter(...) instanceof ... dr pattern; calls dr.waitFor() when matched.
ApiKey registry loading core/src/main/java/com/predic8/membrane/core/interceptor/apikey/ApiKeysInterceptor.java	In init, aggregate ApiKeyStore instances from router.getRegistry() when present, alongside existing XML beanFactory discovery; adjusted imports and added TODO/comment.
API Key OpenAPI example distribution/examples/security/api-key/apikey-openapi/apis.yaml	New YAML example defining a file-based API key store, OpenAPI validator, and header extractor (X-Api-Key) with flows referencing OpenAPI spec.
Tests & extractor docs distribution/src/test/java/com/predic8/membrane/examples/withinternet/test/APIKeyWithOpenAPIExampleTest.java, core/src/main/java/com/predic8/membrane/core/interceptor/apikey/extractors/ApiKeyHeaderExtractor.java	Added API_KEY_HEADER constant and replaced hardcoded header usages; reduced test methods' visibility to package-private. Removed a deprecation note from ApiKeyHeaderExtractor JavaDoc (doc-only).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• improve tests #2412: Modifies the same test file (APIKeyWithOpenAPIExampleTest)—overlapping test edits and header constant changes.
• refactor: move globalInterceptor to beanFactory #2510: Related registry/bean-registry work—both PRs adjust router/registry usage and ApiKey store discovery.
• Router factor out hotdeploy #2466: Changes to RouterCLI and router lifecycle handling (including waitFor() usage) overlap with the CLI pattern-match refactor.

Suggested labels

7.x

Suggested reviewers

• rrayst
• christiangoerdes

Poem

🐰 I hopped through code and left a tiny mark,
Pattern-matching paths and YAML in the park,
Keys snug in files, tests tidy and neat,
Routers wait quietly—my work's complete! 🥕✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.
Title check	❓ Inconclusive	The title 'API Key YAML Example' is vague and only partially captures the scope of changes. The PR involves API key interceptor enhancements, registry-based store loading, router lifecycle improvements, and test refactoring—not just a simple example.	Consider a more descriptive title like 'Add API Key YAML configuration support and router lifecycle improvements' that better reflects the main changes across the codebase.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

distribution/examples/security/api-key/apikey-openapi/apis.yaml (1)

23-24: Remove or document commented-out code.

The commented expressionExtractor configuration should either be removed if it's not needed, or documented with a comment explaining when to use it as an alternative to headerExtractor.

🔎 Suggested improvement

If this is meant to show an alternative approach, add a comment:

           - headerExtractor:
               name: "X-Api-Key"
+          # Alternative: Extract from expression
 #          - expressionExtractor:
 #              expression: "header['X-Api-Key']"

Or remove it entirely if it's not needed for the example.

distribution/src/test/java/com/predic8/membrane/examples/withinternet/test/APIKeyWithOpenAPIExampleTest.java (1)

29-29: Good refactoring to extract the header name as a constant.

Extracting "X-Api-Key" into a constant eliminates duplication and makes the tests more maintainable.

Optionally, consider renaming to API_KEY_HEADER_NAME to make it clearer that this is the header name rather than the key value itself, though the current name is acceptable in context.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 89397c8 and 926ad02.

📒 Files selected for processing (4)

• core/src/main/java/com/predic8/membrane/core/cli/RouterCLI.java
• core/src/main/java/com/predic8/membrane/core/interceptor/apikey/ApiKeysInterceptor.java
• distribution/examples/security/api-key/apikey-openapi/apis.yaml
• distribution/src/test/java/com/predic8/membrane/examples/withinternet/test/APIKeyWithOpenAPIExampleTest.java

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Automated tests
• GitHub Check: Analyze (java)

🔇 Additional comments (2)

distribution/src/test/java/com/predic8/membrane/examples/withinternet/test/APIKeyWithOpenAPIExampleTest.java (1)

37-37: LGTM: Method visibility changes are appropriate.

Reducing test method visibility from public to package-private is fine with JUnit 5, which doesn't require public test methods. This aligns with modern Java testing conventions.

Also applies to: 46-46, 58-58, 83-83

core/src/main/java/com/predic8/membrane/core/cli/RouterCLI.java (1)

78-79: The pattern matching correctly handles all router types.

All initialization paths (oas, yaml, xml) explicitly return DefaultRouter instances. RouterXmlBootstrap.initByXML() explicitly retrieves and returns a DefaultRouter bean from the Spring context (line 52 in RouterXmlBootstrap.java), making the instanceof DefaultRouter check at line 78 always true. The waitFor() method is only defined on DefaultRouter, and since that's the only router type returned by getRouter(), the code correctly ensures waitFor() is always called.

Likely an incorrect or invalid review comment.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

distribution/examples/security/api-key/apikey-openapi/apis.yaml (1)

18-18: Clarify the rationale for required: false in a security example.

Setting required: false is counterintuitive for an API key security demonstration. While the comment on line 17 mentions OpenAPI validation, it doesn't clearly explain why API key validation is optional here. Consider either setting required: true or enhancing the comment to explicitly state the demonstration goal (e.g., "Set to false to demonstrate dual validation paths—OpenAPI validator enforces security").

🧹 Nitpick comments (2)

core/src/main/java/com/predic8/membrane/core/interceptor/apikey/ApiKeysInterceptor.java (1)

28-28: Consider reverting to specific import.

While wildcard imports work, importing only the methods actually used (joining) makes dependencies more explicit and aids IDE optimization.

🔎 Proposed fix

-import static java.util.stream.Collectors.*;
+import static java.util.stream.Collectors.joining;

distribution/examples/security/api-key/apikey-openapi/apis.yaml (1)

25-25: Add newline at end of file.

POSIX standards and many tools expect text files to end with a newline character. This improves compatibility with line-based tools like diff and wc.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 926ad02 and 8fd57be.

📒 Files selected for processing (4)

• core/src/main/java/com/predic8/membrane/core/interceptor/apikey/ApiKeysInterceptor.java
• core/src/main/java/com/predic8/membrane/core/interceptor/apikey/extractors/ApiKeyHeaderExtractor.java
• distribution/examples/security/api-key/apikey-openapi/apis.yaml
• distribution/src/test/java/com/predic8/membrane/examples/withinternet/test/APIKeyWithOpenAPIExampleTest.java

💤 Files with no reviewable changes (1)

• core/src/main/java/com/predic8/membrane/core/interceptor/apikey/extractors/ApiKeyHeaderExtractor.java

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Automated tests
• GitHub Check: Analyze (java)

🔇 Additional comments (3)

core/src/main/java/com/predic8/membrane/core/interceptor/apikey/ApiKeysInterceptor.java (1)

86-96: LGTM! Registry support for YAML configuration added correctly.

The dual-source loading (XML beanFactory and YAML registry) is well-structured with clear comments explaining the configuration sources. The null-checks prevent NPEs, and the aggregation into this.stores ensures both XML and YAML stores are available.

distribution/examples/security/api-key/apikey-openapi/apis.yaml (1)

15-25: LGTM! Flow ordering and validation configuration are well-designed.

The explicit ordering—extracting the API key before invoking openapiValidator—is correctly implemented and clearly documented. The comments effectively explain why the validator is positioned in the flow rather than relying on default pre-flow validation.

distribution/src/test/java/com/predic8/membrane/examples/withinternet/test/APIKeyWithOpenAPIExampleTest.java (1)

29-93: LGTM! Test refactoring improves maintainability.

The extraction of API_KEY_HEADER as a constant eliminates magic strings and improves consistency across test methods. Reducing test method visibility to package-private is appropriate and follows best practices. All usages are correctly updated.

[membrane-ci-server]

This pull request needs "/ok-to-test" from an authorized committer.