feat: limit community API keys

Author: yohamta0

api/v1/api.gen.go

@@ -555,7 +555,7 @@ paths:
 
     post:
       summary: "Create API key"
-      description: "Full key returned only in this response"
+      description: "Full key returned only in this response. Community edition installs can create up to 2 API keys."
       operationId: "createAPIKey"
       tags:
         - "api-keys"
@@ -585,7 +585,7 @@ paths:
               schema:
                 $ref: "#/components/schemas/Error"
         "403":
-          description: "Requires admin role"
+          description: "Requires admin role or community API key limit reached"
           content:
             application/json:
               schema:

api/v1/api.yaml

@@ -15,14 +15,25 @@ import (
 // It generates an ephemeral ed25519 key pair, signs a JWT with the requested features,
 // and updates the manager's internal state so Checker() returns a licensed state.
 func NewTestManager(features ...string) *Manager {
+	return newTestManager(time.Now().Add(24*time.Hour), nil, features...)
+}
+
+// NewExpiredTestManager creates a Manager with a loaded license that is expired
+// and outside its grace period.
+func NewExpiredTestManager(features ...string) *Manager {
+	zeroGraceDays := 0
+	return newTestManager(time.Now().Add(-time.Hour), &zeroGraceDays, features...)
+}
+
+func newTestManager(expiresAt time.Time, graceDays *int, features ...string) *Manager {
 	pub, priv, err := ed25519.GenerateKey(nil)
 	if err != nil {
 		panic("ed25519.GenerateKey: " + err.Error())
 	}
 
 	claims := &LicenseClaims{
 		RegisteredClaims: jwt.RegisteredClaims{
-			ExpiresAt: jwt.NewNumericDate(time.Now().Add(24 * time.Hour)),
+			ExpiresAt: jwt.NewNumericDate(expiresAt),
 			IssuedAt:  jwt.NewNumericDate(time.Now()),
 			Issuer:    "dagu-test",
 			Subject:   "test-license",
@@ -31,6 +42,7 @@ func NewTestManager(features ...string) *Manager {
 		Plan:          "pro",
 		Features:      features,
 		ActivationID:  "act-test",
+		GraceDays:     graceDays,
 	}
 
 	token := jwt.NewWithClaims(jwt.SigningMethodEdDSA, claims)

internal/license/testing.go

@@ -12,6 +12,7 @@ import (
 	"net/http"
 	"reflect"
 	"strings"
+	"sync"
 	"time"
 
 	"github.com/dagucloud/dagu/api/v1"
@@ -88,6 +89,7 @@ type API struct {
 	baseConfigStore      baseconfig.Store
 	secretStore          secretpkg.Store
 	licenseManager       *license.Manager
+	apiKeyCreateMu       sync.Mutex
 	workspaceStore       workspace.Store
 	leaseStaleThreshold  time.Duration
 	schedulerStateStore  scheduler.WatermarkStore

internal/service/frontend/api/v1/api.go

@@ -10,10 +10,13 @@ import (
 
 	"github.com/dagucloud/dagu/api/v1"
 	"github.com/dagucloud/dagu/internal/auth"
+	"github.com/dagucloud/dagu/internal/license"
 	"github.com/dagucloud/dagu/internal/service/audit"
 	authservice "github.com/dagucloud/dagu/internal/service/auth"
 )
 
+const communityAPIKeyLimit = 2
+
 // ListAPIKeys returns a list of all API keys. Requires admin role.
 func (a *API) ListAPIKeys(ctx context.Context, _ api.ListAPIKeysRequestObject) (api.ListAPIKeysResponseObject, error) {
 	if err := a.requireAPIKeyManagement(); err != nil {
@@ -73,6 +76,13 @@ func (a *API) CreateAPIKey(ctx context.Context, request api.CreateAPIKeyRequestO
 		}
 	}
 
+	a.apiKeyCreateMu.Lock()
+	defer a.apiKeyCreateMu.Unlock()
+
+	if err := a.requireCommunityAPIKeyLimit(ctx); err != nil {
+		return nil, err
+	}
+
 	result, err := a.authService.CreateAPIKey(ctx, authservice.CreateAPIKeyInput{
 		Name:            request.Body.Name,
 		Description:     valueOf(request.Body.Description),
@@ -292,6 +302,34 @@ func (a *API) requireAPIKeyManagement() error {
 	return nil
 }
 
+func (a *API) requireCommunityAPIKeyLimit(ctx context.Context) error {
+	if !a.isCommunityLicense() {
+		return nil
+	}
+
+	keys, err := a.authService.ListAPIKeys(ctx)
+	if err != nil {
+		return err
+	}
+	if len(keys) < communityAPIKeyLimit {
+		return nil
+	}
+
+	return &Error{
+		Code: api.ErrorCodeForbidden,
+		Message: "Community edition supports up to 2 API keys. " +
+			"Delete an existing key or configure a license to create more.",
+		HTTPStatus: http.StatusForbidden,
+	}
+}
+
+func (a *API) isCommunityLicense() bool {
+	if a.licenseManager == nil {
+		return true
+	}
+	return !license.HasActiveLicense(a.licenseManager.Checker())
+}
+
 // toAPIKey converts a core auth.APIKey into its API representation.
 func toAPIKey(key *auth.APIKey) api.APIKey {
 	return api.APIKey{

internal/service/frontend/api/v1/apikeys.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/dagucloud/dagu/api/v1"
 	"github.com/dagucloud/dagu/internal/cmn/config"
+	"github.com/dagucloud/dagu/internal/license"
 	"github.com/dagucloud/dagu/internal/service/frontend"
 	"github.com/dagucloud/dagu/internal/test"
 	"github.com/stretchr/testify/assert"
@@ -50,6 +51,36 @@ func setupBuiltinAuthServer(t *testing.T) test.Server {
 	return server
 }
 
+func setupBuiltinAuthCommunityServer(t *testing.T) test.Server {
+	t.Helper()
+	return setupBuiltinAuthTestServer(t)
+}
+
+func setupBuiltinAuthExpiredLicenseServer(t *testing.T) test.Server {
+	t.Helper()
+	return setupBuiltinAuthTestServer(t, frontend.WithLicenseManager(license.NewExpiredTestManager()))
+}
+
+func setupBuiltinAuthTestServer(t *testing.T, opts ...frontend.ServerOption) test.Server {
+	t.Helper()
+	server := test.SetupServer(t,
+		test.WithConfigMutator(func(cfg *config.Config) {
+			cfg.Server.Auth.Mode = config.AuthModeBuiltin
+			cfg.Server.Auth.Builtin.Token.Secret = "jwt-secret-key"
+			cfg.Server.Auth.Builtin.Token.TTL = 24 * time.Hour
+		}),
+		test.WithServerOptions(opts...),
+	)
+
+	// Create admin via setup endpoint
+	server.Client().Post("/api/v1/auth/setup", api.SetupRequest{
+		Username: "admin",
+		Password: "adminpass",
+	}).ExpectStatus(http.StatusOK).Send(t)
+
+	return server
+}
+
 // TestAPIKeys_ListEmpty tests listing API keys when none exist
 func TestAPIKeys_ListEmpty(t *testing.T) {
 	t.Parallel()
@@ -218,6 +249,68 @@ func TestAPIKeys_CreateDuplicate(t *testing.T) {
 	}).WithBearerToken(token).ExpectStatus(http.StatusConflict).Send(t)
 }
 
+func TestAPIKeys_CreateCommunityLimit(t *testing.T) {
+	t.Parallel()
+	server := setupBuiltinAuthCommunityServer(t)
+	token := getAdminToken(t, server)
+
+	for _, name := range []string{"community-key-1", "community-key-2"} {
+		server.Client().Post("/api/v1/api-keys", api.CreateAPIKeyRequest{
+			Name: name,
+			Role: api.UserRoleViewer,
+		}).WithBearerToken(token).ExpectStatus(http.StatusCreated).Send(t)
+	}
+
+	resp := server.Client().Post("/api/v1/api-keys", api.CreateAPIKeyRequest{
+		Name: "community-key-3",
+		Role: api.UserRoleViewer,
+	}).WithBearerToken(token).ExpectStatus(http.StatusForbidden).Send(t)
+
+	var errResp api.Error
+	resp.Unmarshal(t, &errResp)
+	assert.Equal(t, api.ErrorCodeForbidden, errResp.Code)
+	assert.Contains(t, errResp.Message, "Community edition supports up to 2 API keys")
+
+	listResp := server.Client().Get("/api/v1/api-keys").
+		WithBearerToken(token).
+		ExpectStatus(http.StatusOK).Send(t)
+
+	var listResult api.APIKeysListResponse
+	listResp.Unmarshal(t, &listResult)
+	assert.Len(t, listResult.ApiKeys, 2)
+}
+
+func TestAPIKeys_CreateExpiredLicenseUsesCommunityLimit(t *testing.T) {
+	t.Parallel()
+	server := setupBuiltinAuthExpiredLicenseServer(t)
+	token := getAdminToken(t, server)
+
+	for _, name := range []string{"expired-key-1", "expired-key-2"} {
+		server.Client().Post("/api/v1/api-keys", api.CreateAPIKeyRequest{
+			Name: name,
+			Role: api.UserRoleViewer,
+		}).WithBearerToken(token).ExpectStatus(http.StatusCreated).Send(t)
+	}
+
+	server.Client().Post("/api/v1/api-keys", api.CreateAPIKeyRequest{
+		Name: "expired-key-3",
+		Role: api.UserRoleViewer,
+	}).WithBearerToken(token).ExpectStatus(http.StatusForbidden).Send(t)
+}
+
+func TestAPIKeys_CreateLicensedAllowsMoreThanCommunityLimit(t *testing.T) {
+	t.Parallel()
+	server := setupBuiltinAuthServer(t)
+	token := getAdminToken(t, server)
+
+	for _, name := range []string{"licensed-key-1", "licensed-key-2", "licensed-key-3"} {
+		server.Client().Post("/api/v1/api-keys", api.CreateAPIKeyRequest{
+			Name: name,
+			Role: api.UserRoleViewer,
+		}).WithBearerToken(token).ExpectStatus(http.StatusCreated).Send(t)
+	}
+}
+
 // TestAPIKeys_GetNotFound tests getting a non-existent API key
 func TestAPIKeys_GetNotFound(t *testing.T) {
 	t.Parallel()