test(api-proxy): add validateApiKeys orchestration tests

lpcox · Copilot · Copilot · lpcox · commit fc6fcbd6fbcd · 2026-04-24T11:05:49.000-07:00
Port and adapt 18 tests from PR #2199 (copilot-swe-agent) covering the validateApiKeys orchestrator for all four providers: - OpenAI: valid (200), auth_rejected (401), skipped (custom target), no-op (no key) - Anthropic: valid (400 = key accepted), auth_rejected (401, 403), skipped (custom target) - Copilot: valid (200 with ghu_ token), auth_rejected (401), skipped (custom target, BYOK mode) - Gemini: valid (200), auth_rejected (403), skipped (custom target) - Cross-cutting: network_error (timeout), no-op (no keys at all) To make validateApiKeys testable without module-level state: - Added overrides parameter for injecting keys/targets in tests - Exported keyValidationResults and resetKeyValidationState() - Used 'in' operator for override resolution (supports explicit undefined) Co-authored-by: copilot-swe-agent[bot] <198982749+copilot-swe-agent[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diff --git a/containers/api-proxy/server.js b/containers/api-proxy/server.js
@@ -900,6 +900,14 @@ const keyValidationResults = {};
 /** Set to true once validateApiKeys() has finished (regardless of outcome). */
 let keyValidationComplete = false;
 
+/** Reset validation state (used in tests). */
+function resetKeyValidationState() {
+  for (const key of Object.keys(keyValidationResults)) {
+    delete keyValidationResults[key];
+  }
+  keyValidationComplete = false;
+}
+
 /**
  * Perform a lightweight probe against the provider's API to check if the
  * configured key is still accepted.  Results are logged and stored in
@@ -911,61 +919,88 @@ let keyValidationComplete = false;
  *
  * Only validates against known default targets.  Custom/enterprise targets
  * are skipped because we don't know what probe endpoints they expose.
+ *
+ * @param {object} [overrides={}] - Optional key/target overrides (used in tests)
+ * @param {string} [overrides.openaiKey] - Override OPENAI_API_KEY
+ * @param {string} [overrides.openaiTarget] - Override OPENAI_API_TARGET
+ * @param {string} [overrides.anthropicKey] - Override ANTHROPIC_API_KEY
+ * @param {string} [overrides.anthropicTarget] - Override ANTHROPIC_API_TARGET
+ * @param {string} [overrides.copilotGithubToken] - Override COPILOT_GITHUB_TOKEN
+ * @param {string} [overrides.copilotApiKey] - Override COPILOT_API_KEY
+ * @param {string} [overrides.copilotAuthToken] - Override COPILOT_AUTH_TOKEN
+ * @param {string} [overrides.copilotTarget] - Override COPILOT_API_TARGET
+ * @param {string} [overrides.copilotIntegrationId] - Override COPILOT_INTEGRATION_ID
+ * @param {string} [overrides.geminiKey] - Override GEMINI_API_KEY
+ * @param {string} [overrides.geminiTarget] - Override GEMINI_API_TARGET
+ * @param {number} [overrides.timeoutMs] - Override probe timeout
  */
-async function validateApiKeys() {
+async function validateApiKeys(overrides = {}) {
   const mode = (process.env.AWF_VALIDATE_KEYS || 'warn').toLowerCase(); // off | warn | strict
   if (mode === 'off') {
     logRequest('info', 'key_validation', { message: 'Key validation disabled (AWF_VALIDATE_KEYS=off)' });
     keyValidationComplete = true;
     return;
   }
 
-  const TIMEOUT_MS = 10_000;
+  const ov = (key, fallback) => key in overrides ? overrides[key] : fallback;
+  const openaiKey = ov('openaiKey', OPENAI_API_KEY);
+  const openaiTarget = ov('openaiTarget', OPENAI_API_TARGET);
+  const anthropicKey = ov('anthropicKey', ANTHROPIC_API_KEY);
+  const anthropicTarget = ov('anthropicTarget', ANTHROPIC_API_TARGET);
+  const copilotGithubToken = ov('copilotGithubToken', COPILOT_GITHUB_TOKEN);
+  const copilotApiKey = ov('copilotApiKey', COPILOT_API_KEY);
+  const copilotAuthToken = ov('copilotAuthToken', COPILOT_AUTH_TOKEN);
+  const copilotTarget = ov('copilotTarget', COPILOT_API_TARGET);
+  const copilotIntegrationId = ov('copilotIntegrationId', COPILOT_INTEGRATION_ID);
+  const geminiKey = ov('geminiKey', GEMINI_API_KEY);
+  const geminiTarget = ov('geminiTarget', GEMINI_API_TARGET);
+  const TIMEOUT_MS = ov('timeoutMs', 10_000);
+
   const probes = [];
 
   // --- Copilot (COPILOT_GITHUB_TOKEN only — COPILOT_API_KEY has no probe endpoint) ---
-  if (COPILOT_GITHUB_TOKEN) {
-    if (COPILOT_API_TARGET !== 'api.githubcopilot.com') {
-      keyValidationResults.copilot = { status: 'skipped', message: `Custom target ${COPILOT_API_TARGET}; validation skipped` };
+  if (copilotGithubToken) {
+    if (copilotTarget !== 'api.githubcopilot.com') {
+      keyValidationResults.copilot = { status: 'skipped', message: `Custom target ${copilotTarget}; validation skipped` };
       logRequest('info', 'key_validation', { provider: 'copilot', ...keyValidationResults.copilot });
     } else {
-      probes.push(probeProvider('copilot', `https://${COPILOT_API_TARGET}/models`, {
+      probes.push(probeProvider('copilot', `https://${copilotTarget}/models`, {
         method: 'GET',
         headers: {
-          'Authorization': `Bearer ${COPILOT_GITHUB_TOKEN}`,
-          'Copilot-Integration-Id': COPILOT_INTEGRATION_ID,
+          'Authorization': `Bearer ${copilotGithubToken}`,
+          'Copilot-Integration-Id': copilotIntegrationId,
         },
       }, TIMEOUT_MS));
     }
-  } else if (COPILOT_API_KEY && !COPILOT_GITHUB_TOKEN) {
+  } else if (copilotApiKey && !copilotGithubToken) {
     keyValidationResults.copilot = { status: 'skipped', message: 'COPILOT_API_KEY configured but startup validation is not supported for this auth mode' };
     logRequest('info', 'key_validation', { provider: 'copilot', ...keyValidationResults.copilot });
   }
 
   // --- OpenAI ---
-  if (OPENAI_API_KEY) {
-    if (OPENAI_API_TARGET !== 'api.openai.com') {
-      keyValidationResults.openai = { status: 'skipped', message: `Custom target ${OPENAI_API_TARGET}; validation skipped` };
+  if (openaiKey) {
+    if (openaiTarget !== 'api.openai.com') {
+      keyValidationResults.openai = { status: 'skipped', message: `Custom target ${openaiTarget}; validation skipped` };
       logRequest('info', 'key_validation', { provider: 'openai', ...keyValidationResults.openai });
     } else {
-      probes.push(probeProvider('openai', `https://${OPENAI_API_TARGET}/v1/models`, {
+      probes.push(probeProvider('openai', `https://${openaiTarget}/v1/models`, {
         method: 'GET',
-        headers: { 'Authorization': `Bearer ${OPENAI_API_KEY}` },
+        headers: { 'Authorization': `Bearer ${openaiKey}` },
       }, TIMEOUT_MS));
     }
   }
 
   // --- Anthropic ---
-  if (ANTHROPIC_API_KEY) {
-    if (ANTHROPIC_API_TARGET !== 'api.anthropic.com') {
-      keyValidationResults.anthropic = { status: 'skipped', message: `Custom target ${ANTHROPIC_API_TARGET}; validation skipped` };
+  if (anthropicKey) {
+    if (anthropicTarget !== 'api.anthropic.com') {
+      keyValidationResults.anthropic = { status: 'skipped', message: `Custom target ${anthropicTarget}; validation skipped` };
       logRequest('info', 'key_validation', { provider: 'anthropic', ...keyValidationResults.anthropic });
     } else {
       // POST /v1/messages with an empty body — 400 = key valid (bad body), 401 = key invalid
-      probes.push(probeProvider('anthropic', `https://${ANTHROPIC_API_TARGET}/v1/messages`, {
+      probes.push(probeProvider('anthropic', `https://${anthropicTarget}/v1/messages`, {
         method: 'POST',
         headers: {
-          'x-api-key': ANTHROPIC_API_KEY,
+          'x-api-key': anthropicKey,
           'anthropic-version': '2023-06-01',
           'content-type': 'application/json',
         },
@@ -975,14 +1010,14 @@ async function validateApiKeys() {
   }
 
   // --- Gemini ---
-  if (GEMINI_API_KEY) {
-    if (GEMINI_API_TARGET !== 'generativelanguage.googleapis.com') {
-      keyValidationResults.gemini = { status: 'skipped', message: `Custom target ${GEMINI_API_TARGET}; validation skipped` };
+  if (geminiKey) {
+    if (geminiTarget !== 'generativelanguage.googleapis.com') {
+      keyValidationResults.gemini = { status: 'skipped', message: `Custom target ${geminiTarget}; validation skipped` };
       logRequest('info', 'key_validation', { provider: 'gemini', ...keyValidationResults.gemini });
     } else {
-      probes.push(probeProvider('gemini', `https://${GEMINI_API_TARGET}/v1beta/models`, {
+      probes.push(probeProvider('gemini', `https://${geminiTarget}/v1beta/models`, {
         method: 'GET',
-        headers: { 'x-goog-api-key': GEMINI_API_KEY },
+        headers: { 'x-goog-api-key': geminiKey },
       }, TIMEOUT_MS));
     }
   }
@@ -1451,4 +1486,4 @@ if (require.main === module) {
 }
 
 // Export for testing
-module.exports = { normalizeApiTarget, deriveCopilotApiTarget, deriveGitHubApiTarget, deriveGitHubApiBasePath, normalizeBasePath, buildUpstreamPath, proxyWebSocket, resolveCopilotAuthToken, resolveOpenCodeRoute, shouldStripHeader, stripGeminiKeyParam, validateApiKeys, probeProvider, httpProbe };
+module.exports = { normalizeApiTarget, deriveCopilotApiTarget, deriveGitHubApiTarget, deriveGitHubApiBasePath, normalizeBasePath, buildUpstreamPath, proxyWebSocket, resolveCopilotAuthToken, resolveOpenCodeRoute, shouldStripHeader, stripGeminiKeyParam, validateApiKeys, probeProvider, httpProbe, keyValidationResults, resetKeyValidationState };
diff --git a/containers/api-proxy/server.test.js b/containers/api-proxy/server.test.js
@@ -3,9 +3,10 @@
  */
 
 const http = require('http');
+const https = require('https');
 const tls = require('tls');
 const { EventEmitter } = require('events');
-const { normalizeApiTarget, deriveCopilotApiTarget, deriveGitHubApiTarget, deriveGitHubApiBasePath, normalizeBasePath, buildUpstreamPath, proxyWebSocket, resolveCopilotAuthToken, resolveOpenCodeRoute, shouldStripHeader, stripGeminiKeyParam, httpProbe } = require('./server');
+const { normalizeApiTarget, deriveCopilotApiTarget, deriveGitHubApiTarget, deriveGitHubApiBasePath, normalizeBasePath, buildUpstreamPath, proxyWebSocket, resolveCopilotAuthToken, resolveOpenCodeRoute, shouldStripHeader, stripGeminiKeyParam, httpProbe, validateApiKeys, keyValidationResults, resetKeyValidationState } = require('./server');
 
 describe('normalizeApiTarget', () => {
   it('should strip https:// prefix', () => {
@@ -1063,3 +1064,238 @@ describe('httpProbe', () => {
     ).rejects.toThrow(/timed out/i);
   });
 });
+
+// ── Helpers for validateApiKeys tests ──────────────────────────────────────────
+
+/**
+ * Create a mock https.request implementation that responds with the given status code.
+ */
+function mockHttpsRequestWithStatus(statusCode) {
+  return jest.spyOn(https, 'request').mockImplementation((options, callback) => {
+    const req = new EventEmitter();
+    req.write = jest.fn();
+    req.end = jest.fn(() => {
+      setImmediate(() => {
+        const res = new EventEmitter();
+        res.statusCode = statusCode;
+        res.resume = jest.fn();
+        callback(res);
+        setImmediate(() => res.emit('end'));
+      });
+    });
+    req.destroy = jest.fn();
+    return req;
+  });
+}
+
+/**
+ * Collect structured log lines emitted by logRequest() (written to process.stdout).
+ */
+function collectLogOutput() {
+  const lines = [];
+  const spy = jest.spyOn(process.stdout, 'write').mockImplementation((data) => {
+    try {
+      lines.push(JSON.parse(data.toString()));
+    } catch {
+      // ignore non-JSON writes
+    }
+    return true;
+  });
+  return { lines, spy };
+}
+
+describe('validateApiKeys', () => {
+  afterEach(() => {
+    jest.restoreAllMocks();
+    resetKeyValidationState();
+  });
+
+  // ── OpenAI ─────────────────────────────────────────────────────────────────
+
+  it('marks OpenAI valid when probe returns 200', async () => {
+    const { lines } = collectLogOutput();
+    mockHttpsRequestWithStatus(200);
+    await validateApiKeys({ openaiKey: 'sk-test', openaiTarget: 'api.openai.com' });
+    expect(keyValidationResults.openai.status).toBe('valid');
+    const log = lines.find(l => l.provider === 'openai' && l.status === 'valid');
+    expect(log).toBeDefined();
+  });
+
+  it('marks OpenAI auth_rejected when probe returns 401', async () => {
+    const { lines } = collectLogOutput();
+    mockHttpsRequestWithStatus(401);
+    await validateApiKeys({ openaiKey: 'sk-bad', openaiTarget: 'api.openai.com' });
+    expect(keyValidationResults.openai.status).toBe('auth_rejected');
+    const failLog = lines.find(l => l.event === 'key_validation_failed' && l.provider === 'openai');
+    expect(failLog).toBeDefined();
+    expect(failLog.level).toBe('error');
+  });
+
+  it('skips OpenAI for custom API target', async () => {
+    const { lines } = collectLogOutput();
+    await validateApiKeys({ openaiKey: 'sk-test', openaiTarget: 'my-llm-router.internal' });
+    expect(keyValidationResults.openai.status).toBe('skipped');
+    const log = lines.find(l => l.provider === 'openai' && l.status === 'skipped');
+    expect(log).toBeDefined();
+  });
+
+  it('does not validate OpenAI when key is not provided', async () => {
+    collectLogOutput();
+    const spy = jest.spyOn(https, 'request');
+    await validateApiKeys({ openaiKey: undefined });
+    expect(keyValidationResults.openai).toBeUndefined();
+    expect(spy).not.toHaveBeenCalled();
+  });
+
+  // ── Anthropic ──────────────────────────────────────────────────────────────
+
+  it('marks Anthropic valid when probe returns 400 (key valid, body incomplete)', async () => {
+    const { lines } = collectLogOutput();
+    mockHttpsRequestWithStatus(400);
+    await validateApiKeys({ anthropicKey: 'sk-ant-test', anthropicTarget: 'api.anthropic.com' });
+    expect(keyValidationResults.anthropic.status).toBe('valid');
+    const log = lines.find(l => l.provider === 'anthropic' && l.status === 'valid');
+    expect(log).toBeDefined();
+    expect(log.note).toContain('probe body rejected');
+  });
+
+  it('marks Anthropic auth_rejected when probe returns 401', async () => {
+    const { lines } = collectLogOutput();
+    mockHttpsRequestWithStatus(401);
+    await validateApiKeys({ anthropicKey: 'sk-ant-bad', anthropicTarget: 'api.anthropic.com' });
+    expect(keyValidationResults.anthropic.status).toBe('auth_rejected');
+    const failLog = lines.find(l => l.event === 'key_validation_failed' && l.provider === 'anthropic');
+    expect(failLog).toBeDefined();
+  });
+
+  it('marks Anthropic auth_rejected when probe returns 403', async () => {
+    mockHttpsRequestWithStatus(403);
+    await validateApiKeys({ anthropicKey: 'sk-ant-bad', anthropicTarget: 'api.anthropic.com' });
+    expect(keyValidationResults.anthropic.status).toBe('auth_rejected');
+  });
+
+  it('skips Anthropic for custom API target', async () => {
+    const { lines } = collectLogOutput();
+    await validateApiKeys({ anthropicKey: 'sk-ant-test', anthropicTarget: 'proxy.corp.internal' });
+    expect(keyValidationResults.anthropic.status).toBe('skipped');
+    const log = lines.find(l => l.provider === 'anthropic' && l.status === 'skipped');
+    expect(log).toBeDefined();
+  });
+
+  // ── Copilot ────────────────────────────────────────────────────────────────
+
+  it('marks Copilot valid when probe returns 200 with non-classic token', async () => {
+    const { lines } = collectLogOutput();
+    mockHttpsRequestWithStatus(200);
+    await validateApiKeys({
+      copilotGithubToken: 'ghu_valid_token',
+      copilotTarget: 'api.githubcopilot.com',
+      copilotIntegrationId: 'copilot-developer-cli',
+    });
+    expect(keyValidationResults.copilot.status).toBe('valid');
+    const log = lines.find(l => l.provider === 'copilot' && l.status === 'valid');
+    expect(log).toBeDefined();
+  });
+
+  it('marks Copilot auth_rejected when probe returns 401', async () => {
+    const { lines } = collectLogOutput();
+    mockHttpsRequestWithStatus(401);
+    await validateApiKeys({
+      copilotGithubToken: 'ghu_invalid',
+      copilotTarget: 'api.githubcopilot.com',
+      copilotIntegrationId: 'copilot-developer-cli',
+    });
+    expect(keyValidationResults.copilot.status).toBe('auth_rejected');
+    const failLog = lines.find(l => l.event === 'key_validation_failed' && l.provider === 'copilot');
+    expect(failLog).toBeDefined();
+  });
+
+  it('skips Copilot for custom API target', async () => {
+    const { lines } = collectLogOutput();
+    await validateApiKeys({
+      copilotGithubToken: 'ghu_valid',
+      copilotTarget: 'copilot-api.mycompany.ghe.com',
+      copilotIntegrationId: 'copilot-developer-cli',
+    });
+    expect(keyValidationResults.copilot.status).toBe('skipped');
+    const log = lines.find(l => l.provider === 'copilot' && l.status === 'skipped');
+    expect(log).toBeDefined();
+  });
+
+  it('skips Copilot when only COPILOT_API_KEY is set (BYOK mode)', async () => {
+    collectLogOutput();
+    const spy = jest.spyOn(https, 'request');
+    await validateApiKeys({
+      copilotGithubToken: undefined,
+      copilotApiKey: 'sk-byok-key',
+      copilotTarget: 'api.githubcopilot.com',
+    });
+    expect(keyValidationResults.copilot.status).toBe('skipped');
+    expect(keyValidationResults.copilot.message).toContain('COPILOT_API_KEY');
+    expect(spy).not.toHaveBeenCalled();
+  });
+
+  // ── Gemini ─────────────────────────────────────────────────────────────────
+
+  it('marks Gemini valid when probe returns 200', async () => {
+    const { lines } = collectLogOutput();
+    mockHttpsRequestWithStatus(200);
+    await validateApiKeys({ geminiKey: 'ai-test-key', geminiTarget: 'generativelanguage.googleapis.com' });
+    expect(keyValidationResults.gemini.status).toBe('valid');
+    const log = lines.find(l => l.provider === 'gemini' && l.status === 'valid');
+    expect(log).toBeDefined();
+  });
+
+  it('marks Gemini auth_rejected when probe returns 403', async () => {
+    mockHttpsRequestWithStatus(403);
+    await validateApiKeys({ geminiKey: 'ai-bad-key', geminiTarget: 'generativelanguage.googleapis.com' });
+    expect(keyValidationResults.gemini.status).toBe('auth_rejected');
+  });
+
+  it('skips Gemini for custom API target', async () => {
+    const { lines } = collectLogOutput();
+    await validateApiKeys({ geminiKey: 'ai-test', geminiTarget: 'my-vertex-endpoint.internal' });
+    expect(keyValidationResults.gemini.status).toBe('skipped');
+    const log = lines.find(l => l.provider === 'gemini' && l.status === 'skipped');
+    expect(log).toBeDefined();
+  });
+
+  // ── Cross-cutting ──────────────────────────────────────────────────────────
+
+  it('handles network_error when probe times out', async () => {
+    collectLogOutput();
+    jest.spyOn(https, 'request').mockImplementation((options, callback) => {
+      const req = new EventEmitter();
+      req.write = jest.fn();
+      req.end = jest.fn(); // never responds
+      req.destroy = jest.fn((err) => {
+        setImmediate(() => req.emit('error', err || new Error('socket hang up')));
+      });
+      // Simulate Node's built-in timeout: fire 'timeout' event after the requested delay
+      if (options.timeout) {
+        setTimeout(() => req.emit('timeout'), options.timeout);
+      }
+      return req;
+    });
+    await validateApiKeys({
+      openaiKey: 'sk-test',
+      openaiTarget: 'api.openai.com',
+      timeoutMs: 50,
+    });
+    expect(keyValidationResults.openai.status).toBe('network_error');
+  }, 5000);
+
+  it('does not validate any provider when no keys are provided', async () => {
+    collectLogOutput();
+    const spy = jest.spyOn(https, 'request');
+    await validateApiKeys({
+      openaiKey: undefined,
+      anthropicKey: undefined,
+      copilotGithubToken: undefined,
+      copilotApiKey: undefined,
+      geminiKey: undefined,
+    });
+    expect(Object.keys(keyValidationResults)).toHaveLength(0);
+    expect(spy).not.toHaveBeenCalled();
+  });
+});
