From 6e32a549544304abe52f1e0e8c408f9f335364ad Mon Sep 17 00:00:00 2001
From: Nisan Abeywickrama <29643986+nisan-abeywickrama@users.noreply.github.com>
Date: Mon, 26 Aug 2024 11:11:54 +0530
Subject: [PATCH] Add test case for validating WWW-Authenticate header during unauthorized invocation of API with Api keys
---
 .../api/lifecycle/APISecurityTestCase.java | 32 +++++++++++++++++++
 1 file changed, 32 insertions(+)
diff --git a/modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/am/integration/tests/api/lifecycle/APISecurityTestCase.java b/modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/am/integration/tests/api/lifecycle/APISecurityTestCase.java
index ec3793a745..7675a7c9a9 100644
--- a/modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/am/integration/tests/api/lifecycle/APISecurityTestCase.java
+++ b/modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/am/integration/tests/api/lifecycle/APISecurityTestCase.java
@@ -1240,6 +1240,38 @@ public void testInvocationWithApiKeysWithoutSubscription() throws Exception {
 ", but got " + invocationResponseAfterSubscriptionRemoved.getResponseCode());
 }
 
+ @Test(description = "Testing the WWW-Authorization header when invocating an API with API Keys using invalid Authorization header",
+ dependsOnMethods = {"testCreateAndPublishAPIWithOAuth2"})
+ public void testApiKeyResponseHeader() throws Exception{
+
+ String expectedValue = "API Key realm=\"WSO2 API Manager\"";
+
+ Map requestHeaders1 = new HashMap<>();
+ requestHeaders1.put("accept", "application/json");
+
+ HttpResponse response1 =
+ HTTPSClientUtils.doGet(getAPIInvocationURLHttps(mutualSSLandOAuthMandatoryAPIContext, API_VERSION_1_0_0) +
+ API_END_POINT_METHOD, requestHeaders1);
+
+ String wwwAuthenticateHeader = response1.getHeaders().get("WWW-Authenticate");
+
+ Assert.assertTrue(wwwAuthenticateHeader.contains(expectedValue),
+ "The WWW-Authenticate header does not contain the expected API Key value.");
+
+ Map requestHeaders2 = new HashMap<>();
+ requestHeaders2.put("accept", "application/json");
+ requestHeaders2.put("Authorization", null);
+
+ HttpResponse response2 =
+ HTTPSClientUtils.doGet(getAPIInvocationURLHttps(mutualSSLandOAuthMandatoryAPIContext, API_VERSION_1_0_0) +
+ API_END_POINT_METHOD, requestHeaders2);
+
+ wwwAuthenticateHeader = response2.getHeaders().get("WWW-Authenticate");
+
+ Assert.assertTrue(wwwAuthenticateHeader.contains(expectedValue),
+ "The WWW-Authenticate header does not contain the expected API Key value.");
+ }
+
 @AfterClass(alwaysRun = true)
 public void cleanUpArtifacts() throws Exception {
 restAPIStore.deleteApplication(applicationId);
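Review bot: Both assertions in testApiKeyResponseHeader call `contains` on a header value that may be null and never check the response status, so a gateway that omits WWW-Authenticate fails with a NullPointerException instead of the assertion message, and a 200 that happens to carry the header would pass. Before each `contains` check add `Assert.assertEquals(response1.getResponseCode(), 401, "Unauthorized invocation with API Keys should return 401");` and `Assert.assertNotNull(wwwAuthenticateHeader, "WWW-Authenticate header is missing from the 401 response");` (same for response2). The two request maps are raw `Map`; declare them as `Map<String, String>` to match the generic `HashMap<>` on the right-hand side. Whether `requestHeaders2.put("Authorization", null)` results in no header or a header with a literal null value depends on how HTTPSClientUtils serialises null values, which is not visible here, so the second case may not be exercising the "invalid Authorization header" the description names; the description also says "WWW-Authorization" where the header checked is WWW-Authenticate.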