Skip to content

[TT-7524] [OAS] Gateway CE behaves differently from Dashboard for middleware and PATCH #7261

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Aug 11, 2025
Merged

[TT-7524] [OAS] Gateway CE behaves differently from Dashboard for middleware and PATCH #7261

merged 7 commits into from
Aug 11, 2025

Conversation

MaciekMis
Copy link
Contributor

@MaciekMis MaciekMis commented Jul 29, 2025
edited
Loading

User description

TT-7524
Summary [OAS] Gateway CE behaves differently from Dashboard for middleware and PATCH
Type Bug Bug
Status In Dev
Points N/A
Labels codilime_refined

Description

Updating an API with the PATCH /tyk/apis/oas/{apiId} command via Gateway API does not trigger the Tyk vendor extension (x-tyk-api-gateway) update, which results in the API description being out of sync or invalid.

Related Issue

Motivation and Context

How This Has Been Tested

Screenshots (if appropriate)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Refactoring or add test (improvements in base code or adds test coverage to functionality)

Checklist

  • I ensured that the documentation is up to date
  • I explained why this PR updates go.mod in detail with reasoning why it's required
  • I would like a code coverage CI quality gate exception and have explained why

PR Type

Bug fix, Tests

Description

  • Fix removal of obsolete operations in Tyk extension during OAS PATCH.

  • Add test to ensure outdated operations are deleted.

  • Enhance middleware import logic for operation cleanup.

  • Improve consistency between Gateway and Dashboard OAS handling.

Diagram Walkthrough

flowchart LR
  PATCH_OAS["PATCH OAS API"] -- "Triggers" --> importMiddlewares["importMiddlewares updates operations"]
  importMiddlewares -- "Collects current ops" --> removeObsolete["removeObsoleteOperations removes outdated ops"]
  removeObsolete -- "Cleans up" --> TykExtension["Tyk Extension up-to-date"]
  default_test["Add test for obsolete ops removal"] -- "Verifies" --> removeObsolete
Loading

File Walkthrough
Relevant files
Bug fix
default.go
Remove obsolete operations from Tyk extension during import

apidef/oas/default.go

  • Track current operations during middleware import.
  • Add removeObsoleteOperations to delete outdated operations.
  • Call cleanup after updating operations.
  • Use slices.Contains for efficient operation checks.
 +21/-0   
Tests
default_test.go
Test removal of obsolete operations from Tyk extension     

apidef/oas/default_test.go

  • Add test to verify removal of outdated operations.
  • Ensure Tyk extension matches expected operations after update.
 +28/-0   

@buger
Copy link
Member

buger commented Jul 29, 2025

I'm a bot and I 👍 this PR title. 🤖

@github-actions GitHub Actions
Copy link
Contributor

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
🧪 PR contains tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Correctness of Obsolete Operation Removal

The new removeObsoleteOperations function deletes operations not present in the current OAS paths. The reviewer should ensure that this logic does not inadvertently remove valid operations or leave stale ones, especially in edge cases where operation IDs may overlap or be regenerated.

 
func (s *OAS) removeObsoleteOperations(currentOperations []string) {
	tykOperations := s.getTykOperations()
	obsoleteOperations := make([]string, 0)

	for id := range tykOperations {
		if !slices.Contains(currentOperations, id) {
			obsoleteOperations = append(obsoleteOperations, id)
		}
	}

	for _, operationID := range obsoleteOperations {
		delete(tykOperations, operationID)
	}
}
Use of slices.Contains

The use of slices.Contains for checking existence in potentially large lists could have performance implications. The reviewer should consider if the list of operations could be large enough to warrant a more efficient lookup structure, such as a map.

 
if !slices.Contains(currentOperations, id) {
	obsoleteOperations = append(obsoleteOperations, id)

@github-actions GitHub Actions
Copy link
Contributor

PR Code Suggestions ✨

No code suggestions found for the PR.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 29, 2025
edited
Loading

API Changes

no api changes detected

@github-actions GitHub Actions
Copy link
Contributor

🚀 Performance Snapshot

Effort Perf Risk Hot Paths Benchmarks TL;DR
Low 🟢 Minimal performance impact with efficient operation cleanup during OAS PATCH operations
## Performance Impact Analysis

The PR adds a new removeObsoleteOperations function that cleans up outdated operations from the Tyk extension during OAS API updates. This change ensures proper synchronization between the API description and Tyk extension when using PATCH operations, preventing inconsistencies that previously occurred.

The implementation uses slices.Contains for checking operation existence, which has O(n) complexity but operates on typically small sets of operation IDs. The function builds a list of obsolete operations first before removing them, which is memory-efficient and avoids modifying the map during iteration.

## Critical Areas

The changes affect the API definition update path, specifically when using PATCH operations on OAS APIs. This is not in the critical request handling path, as it only impacts API management operations, not runtime request processing. The operation cleanup happens during API updates, which are infrequent administrative actions.

The implementation is efficient for the expected scale of operations in a typical API definition (usually tens of operations, not thousands), making the linear search acceptable.

## Optimization Recommendations

The current implementation is appropriate for the expected scale. If future APIs contain hundreds of operations, consider:

  1. Using a map-based approach instead of slice for currentOperations to achieve O(1) lookups instead of O(n) with slices.Contains.
  2. Preallocating the obsoleteOperations slice with a capacity estimate to reduce potential reallocations.

However, these optimizations are likely unnecessary for typical API definitions with a modest number of operations.

## Summary
  • The changes have minimal performance impact as they only affect API management operations, not runtime request handling
  • The implementation is efficient for typical API definitions with a modest number of operations
  • The fix properly addresses the synchronization issue between API descriptions and Tyk extensions during PATCH operations
  • No significant performance concerns identified in the implementation

Tip: Mention me again using /performance <request>.
Powered by Probe AI
Performance Impact Reviewer Prompt

@github-actions GitHub Actions
Copy link
Contributor

🚦 Connectivity Review Snapshot

Effort Tests Security Perf TL;DR
Low 🔒 none 🟢 Fixes OAS PATCH operation to properly clean up obsolete operations in Tyk extension
## Connectivity Assessment
  • Redis Connections: No changes to Redis connectivity - this PR only affects in-memory processing of OAS definitions during API updates.
  • RPC Connections: No impact on RPC connections or MDCB mode functionality.
  • Synchronization Mechanisms: Improves synchronization between API definition and Tyk extension by properly removing obsolete operations when paths are updated via PATCH.
## Test Coverage Validation
  • Redis Tests: Not applicable - no Redis connectivity changes.
  • RPC Tests: Not applicable - no RPC connectivity changes.
  • Failure Scenario Tests: The PR adds a specific test case that verifies obsolete operations are properly removed from the Tyk extension when updating an OAS API definition.
## Security & Performance Impact
  • Authentication Changes: No changes to authentication mechanisms.
  • Performance Considerations: Slight performance improvement by cleaning up obsolete operations that would otherwise remain in memory.
  • Error Handling: No changes to error handling paths.
## Summary & Recommendations
  • This PR fixes an important issue where PATCH operations on OAS APIs didn't properly update the Tyk vendor extension.
  • The implementation uses slices.Contains for checking operation existence, which is appropriate for the expected small number of operations.
  • The fix ensures consistency between Gateway and Dashboard behavior for OAS handling.
  • No suggestions to provide – change LGTM.

Tip: Mention me again using /connectivity <request>.
Powered by Probe AI
Connectivity Issues Reviewer Prompt for Tyk Gateway

@github-actions GitHub Actions
Copy link
Contributor

📦 Impact Review Snapshot

Effort Downstream Updates Compatibility Docs TL;DR
Low 🟢 📖 Fix ensures consistent behavior between Gateway and Dashboard for OAS PATCH operations
## Impact Assessment

This PR fixes an issue where PATCH operations on OAS APIs via the Gateway API didn't properly update the Tyk vendor extension (x-tyk-api-gateway), causing out-of-sync API definitions. The fix adds a removeObsoleteOperations function that cleans up operations in the Tyk extension that are no longer present in the current OAS paths.

The change is primarily internal to the Gateway and doesn't modify any API schemas or interfaces. It ensures that the Gateway behaves consistently with the Dashboard when handling OAS API updates, which is important for downstream repositories that interact with both components.

## Required Updates

No immediate updates are required in downstream repositories as this is a bug fix that doesn't change any schemas or interfaces. However, repositories that interact with both Gateway and Dashboard should be aware of the improved consistency:

  • tyk-operator: No changes needed, but will benefit from more consistent behavior when managing APIs via Gateway
  • tyk-charts: No changes needed
  • portal: No changes needed, but will benefit from more consistent API definitions
  • tyk-sink: No changes needed
## Compatibility Concerns

This change has no backward compatibility issues. It's a bug fix that ensures the Gateway properly updates the Tyk vendor extension during PATCH operations, which aligns with expected behavior. The fix ensures that obsolete operations are properly removed from the Tyk extension, which was already the expected behavior but wasn't working correctly.

The change is transparent to API consumers and doesn't modify any public interfaces or schemas.

## Summary & Recommendations
  • This PR fixes an important consistency issue between Gateway and Dashboard behavior for OAS API updates
  • The fix is self-contained within the Gateway and doesn't require changes to downstream repositories
  • Testing should verify that OAS API updates via both Gateway and Dashboard produce consistent results
  • No suggestions to provide – change LGTM.

Tip: Mention me again using /dependency <request>.
Powered by Probe AI
Tyk Gateway Dependency Impact Reviewer

@github-actions GitHub Actions
Copy link
Contributor

Error during chat processing: Error: Failed to get response from AI model during iteration 14. terminated

Tip: Mention me again using /security <request>.
Powered by Probe AI
Security Impact Reviewer Prompt

@github-actions GitHub Actions
Copy link
Contributor

🛡️ Security Snapshot

Effort Risk Level Tests Compliance TL;DR
Low 🟢 ✔️ Low-risk cleanup function that properly removes obsolete operations from Tyk extension during OAS PATCH
## Security Impact Analysis

The PR adds a removeObsoleteOperations function that cleans up outdated operations from the Tyk extension (x-tyk-api-gateway) during OAS API updates via PATCH. This change ensures proper synchronization between the API definition and its middleware configuration, preventing potential inconsistencies that could lead to unexpected behavior. The implementation uses a safe approach by first collecting obsolete operations and then removing them in a separate step, avoiding modification during iteration.

## Identified Vulnerabilities

No vulnerabilities were identified in this change. The implementation:

  • Uses standard Go library functions (slices.Contains) for checking operation existence
  • Properly handles map iteration and deletion
  • Doesn't introduce any input validation issues or memory safety concerns
  • Doesn't modify authentication or authorization logic
## Security Recommendations

The implementation is secure as-is. The only minor consideration would be to ensure that the currentOperations slice doesn't grow excessively large in APIs with many endpoints, but this is more of a performance concern than a security issue. The current implementation is appropriate for the expected scale of operations in typical API definitions.

## OWASP Compliance

This change doesn't impact any OWASP Top 10 categories directly. It's a maintenance function that ensures data consistency between API definitions and their middleware configurations. The change doesn't modify authentication, authorization, input validation, or any other security-critical components.

## Summary
  • The PR fixes an important consistency issue between API definitions and their middleware configurations
  • The implementation is clean and doesn't introduce any security concerns
  • The change is well-tested with a specific test case that verifies obsolete operations are properly removed
  • No security issues identified – change LGTM.

Tip: Mention me again using /security <request>.
Powered by Probe AI
Security Impact Reviewer Prompt

@github-actions GitHub Actions
Copy link
Contributor

🚦 Connectivity Review Snapshot

Effort Tests Security Perf TL;DR
Low 🔒 none 🟢 Fixes OAS PATCH operation to properly clean up obsolete operations in Tyk extension
## Connectivity Assessment
  • Redis Connections: No changes to Redis connectivity - this PR only affects in-memory processing of OAS definitions during API updates. The existing Redis notification mechanism for API updates remains unchanged.
  • RPC Connections: No impact on RPC connections or MDCB mode functionality. The fix is localized to the OAS processing logic before the API definition is stored.
  • Synchronization Mechanisms: Improves synchronization between API definition and Tyk extension by properly removing obsolete operations when paths are updated via PATCH, ensuring consistent behavior across Gateway and Dashboard.
## Test Coverage Validation
  • Redis Tests: Not applicable - no Redis connectivity changes. The existing Redis notification flow for API updates (NoticeApiUpdated) is used without modification.
  • RPC Tests: Not applicable - no RPC connectivity changes. The fix occurs before the API definition is sent to storage.
  • Failure Scenario Tests: The PR adds a specific test case that verifies obsolete operations are properly removed from the Tyk extension when updating an OAS API definition, ensuring the fix works as expected.
## Security & Performance Impact
  • Authentication Changes: No changes to authentication mechanisms.
  • Performance Considerations: Slight performance improvement by cleaning up obsolete operations that would otherwise remain in memory. The implementation uses slices.Contains which is appropriate for the typically small number of operations in an API definition.
  • Error Handling: No changes to error handling paths. The existing error handling for API updates remains intact.
## Summary & Recommendations
  • This PR fixes an important issue where PATCH operations on OAS APIs didn't properly update the Tyk vendor extension, causing inconsistencies between the API definition and its middleware configuration.
  • The fix ensures that when API paths are updated or removed via PATCH, the corresponding operations in the Tyk extension are also cleaned up.
  • The implementation is efficient and follows the same pattern used elsewhere in the codebase for cleaning up unused resources.
  • The fix maintains the existing Redis notification flow for API updates, ensuring that all Gateway nodes in a cluster will receive the updated API definition.
  • No suggestions to provide – change LGTM.

Tip: Mention me again using /connectivity <request>.
Powered by Probe AI
Connectivity Issues Reviewer Prompt for Tyk Gateway

@github-actions GitHub Actions
Copy link
Contributor

🚀 Performance Snapshot

Effort Perf Risk Hot Paths Benchmarks TL;DR
Low 🟢 Minimal performance impact with efficient operation cleanup during OAS PATCH operations
## Performance Impact Analysis

The PR adds a new removeObsoleteOperations function that cleans up outdated operations from the Tyk extension during OAS API updates. This change ensures proper synchronization between the API description and Tyk extension when using PATCH operations, preventing inconsistencies that previously occurred.

The implementation uses slices.Contains for checking operation existence, which has O(n) complexity but operates on typically small sets of operation IDs. The function builds a list of obsolete operations first before removing them, which is memory-efficient and avoids modifying the map during iteration.

## Critical Areas

The changes affect the API definition update path, specifically when using PATCH operations on OAS APIs. This is not in the critical request handling path, as it only impacts API management operations, not runtime request processing. The operation cleanup happens during API updates, which are infrequent administrative actions.

The implementation is efficient for the expected scale of operations in a typical API definition (usually tens of operations, not thousands), making the linear search acceptable.

## Optimization Recommendations

The current implementation is appropriate for the expected scale. If future APIs contain hundreds of operations, consider:

  1. Using a map-based approach instead of slice for currentOperations to achieve O(1) lookups instead of O(n) with slices.Contains.
  2. Preallocating the obsoleteOperations slice with a capacity estimate to reduce potential reallocations.

However, these optimizations are likely unnecessary for typical API definitions with a modest number of operations.

## Summary
  • The changes have minimal performance impact as they only affect API management operations, not runtime request handling
  • The implementation is efficient for typical API definitions with a modest number of operations
  • The fix properly addresses the synchronization issue between API descriptions and Tyk extensions during PATCH operations
  • No significant performance concerns identified in the implementation

Tip: Mention me again using /performance <request>.
Powered by Probe AI
Performance Impact Reviewer Prompt

@github-actions GitHub Actions
Copy link
Contributor

Analysis of PR #7261: [OAS] Gateway CE behaves differently from Dashboard for middleware and PATCH

This PR addresses an issue where updating an API with the PATCH /tyk/apis/oas/{apiId} command via Gateway API does not properly update the Tyk vendor extension (x-tyk-api-gateway), resulting in the API description being out of sync or invalid.

Key Changes

  1. Added removeObsoleteOperations Function:

    func (s *OAS) removeObsoleteOperations(currentOperations []string) {
    tykOperations := s.getTykOperations()
    obsoleteOperations := make([]string, 0)

    for id := range tykOperations {
        if !slices.Contains(currentOperations, id) {
            obsoleteOperations = append(obsoleteOperations, id)
        }
    }

    for _, operationID := range obsoleteOperations {
        delete(tykOperations, operationID)
    }
}

    This function identifies and removes operations from the Tyk extension that are no longer present in the current OAS paths.

  2. Updated importMiddlewares Function:
    The function now collects all current operations from OAS paths and calls removeObsoleteOperations to clean up outdated ones:

    func (s *OAS) importMiddlewares(overRideValues TykExtensionConfigParams) {
    // ...
    currentOperations := make([]string, 0)

    for path, pathItem := range s.Paths.Map() {
        // ...
        for _, method := range allowedMethods {
            if operation := pathItem.GetOperation(method); operation != nil {
                // ...
                currentOperations = append(currentOperations, s.getOperationID(path, method))
                // ...
            }
        }
    }

    s.removeObsoleteOperations(currentOperations)
    // ...
}

  3. Added Test Coverage:
    A test for TestRemoveObsoleteOperations was added to verify that obsolete operations are properly removed:

    func TestRemoveObsoleteOperations(t *testing.T) {
    t.Run("should remove obsolete operations", func(t *testing.T) {
        var s OAS
        s.SetTykExtension(&XTykAPIGateway{
            Middleware: &Middleware{
                Operations: Operations{
                    "op1": &Operation{},
                    "op2": &Operation{},
                    "op3": &Operation{},
                },
            },
        })

        s.removeObsoleteOperations([]string{"op1", "op3"})

        operations := s.getTykOperations()
        assert.Len(t, operations, 2)
        assert.Contains(t, operations, "op1")
        assert.Contains(t, operations, "op3")
        assert.NotContains(t, operations, "op2")
    })
}

Problem Context

Before this fix, when updating an API using PATCH operations via the Gateway API, the Tyk vendor extension (x-tyk-api-gateway) wasn't properly updated to remove operations that were no longer present in the API definition. This resulted in:

  1. Inconsistent behavior between Gateway CE and Dashboard
  2. Out-of-sync API definitions
  3. Potential invalid configurations with references to non-existent operations

Implementation Details

The implementation uses a two-phase approach:

  1. First, it identifies obsolete operations by comparing existing operations in the Tyk extension with the current operations in the OAS paths
  2. Then, it removes the obsolete operations from the Tyk extension

This approach avoids modifying the map during iteration and uses slices.Contains for efficient operation checks.

Impact and Benefits

  1. Consistency: Gateway CE now behaves the same way as Dashboard for middleware and PATCH operations
  2. Data Integrity: API definitions remain in sync and valid after updates
  3. Maintainability: Clean removal of obsolete operations prevents accumulation of stale configuration

The changes are focused and minimal, with appropriate test coverage to verify the functionality. This fix ensures that when API paths are removed or modified via PATCH operations, the corresponding operations in the Tyk extension are properly cleaned up, maintaining consistency between the API definition and its Tyk extension.

Tip: Mention me again using /dependency <request>.
Powered by Probe AI
Tyk Gateway Dependency Impact Reviewer

shults
shults approved these changes Jul 30, 2025
View reviewed changes
Copy link
Contributor

@shults shults left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Aug 4, 2025

📦 Impact Review Snapshot

Effort Downstream Updates Compatibility Docs TL;DR
Low 🟢 📖 Fix ensures consistent behavior between Gateway and Dashboard for OAS PATCH operations
## Impact Assessment

This PR fixes an issue where PATCH operations on OAS APIs via the Gateway API didn't properly update the Tyk vendor extension (x-tyk-api-gateway), causing out-of-sync API definitions. The fix adds a removeObsoleteOperations function that cleans up operations in the Tyk extension that are no longer present in the current OAS paths.

The change is primarily internal to the Gateway and doesn't modify any API schemas or interfaces. It ensures that the Gateway behaves consistently with the Dashboard when handling OAS API updates, which is important for downstream repositories that interact with both components.

## Required Updates

No immediate updates are required in downstream repositories as this is a bug fix that doesn't change any schemas or interfaces. However, repositories that interact with both Gateway and Dashboard should be aware of the improved consistency:

  • tyk-operator: No changes needed, but will benefit from more consistent behavior when managing APIs via Gateway
  • tyk-charts: No changes needed
  • portal: No changes needed, but will benefit from more consistent API definitions
  • tyk-sink: No changes needed
## Compatibility Concerns

This change has no backward compatibility issues. It's a bug fix that ensures the Gateway properly updates the Tyk vendor extension during PATCH operations, which aligns with expected behavior. The fix ensures that obsolete operations are properly removed from the Tyk extension, which was already the expected behavior but wasn't working correctly.

The change is transparent to API consumers and doesn't modify any public interfaces or schemas.

## Summary & Recommendations
  • This PR fixes an important consistency issue between Gateway and Dashboard behavior for OAS API updates
  • The fix is self-contained within the Gateway and doesn't require changes to downstream repositories
  • Testing should verify that OAS API updates via both Gateway and Dashboard produce consistent results
  • No suggestions to provide – change LGTM.

Tip: Mention me again using /dependency <request>.
Powered by Probe AI
Tyk Gateway Dependency Impact Reviewer

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Aug 4, 2025

🛡️ Security Snapshot

Effort Risk Level Tests Compliance TL;DR
Low 🟢 ✔️ Low-risk cleanup function that properly removes obsolete operations from Tyk extension during OAS PATCH
## Security Impact Analysis

The PR adds a removeObsoleteOperations function that cleans up outdated operations from the Tyk extension (x-tyk-api-gateway) during OAS API updates via PATCH. This change ensures proper synchronization between the API definition and its middleware configuration, preventing potential inconsistencies that could lead to unexpected behavior. The implementation uses a safe approach by first collecting obsolete operations and then removing them in a separate step, avoiding modification during iteration.

## Identified Vulnerabilities

No vulnerabilities were identified in this change. The implementation:

  • Uses standard Go library functions (slices.Contains) for checking operation existence
  • Properly handles map iteration and deletion
  • Doesn't introduce any input validation issues or memory safety concerns
  • Doesn't modify authentication or authorization logic
## Security Recommendations

The implementation is secure as-is. The only minor consideration would be to ensure that the currentOperations slice doesn't grow excessively large in APIs with many endpoints, but this is more of a performance concern than a security issue. The current implementation is appropriate for the expected scale of operations in typical API definitions.

## OWASP Compliance

This change doesn't impact any OWASP Top 10 categories directly. It's a maintenance function that ensures data consistency between API definitions and their middleware configurations. The change doesn't modify authentication, authorization, input validation, or any other security-critical components.

## Summary
  • The PR fixes an important consistency issue between API definitions and their middleware configurations
  • The implementation is clean and doesn't introduce any security concerns
  • The change is well-tested with a specific test case that verifies obsolete operations are properly removed
  • No security issues identified – change LGTM.

Tip: Mention me again using /security <request>.
Powered by Probe AI
Security Impact Reviewer Prompt

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Aug 4, 2025

Analysis of PR #7261: [OAS] Gateway CE behaves differently from Dashboard for middleware and PATCH

This PR addresses an important consistency issue between the Gateway CE and Dashboard when handling OAS API updates via PATCH operations.

Problem Identified

When updating an API with the PATCH /tyk/apis/oas/{apiId} command via Gateway API, the Tyk vendor extension (x-tyk-api-gateway) wasn't properly updated to remove operations that were no longer present in the API definition. This resulted in:

  1. Inconsistent behavior between Gateway CE and Dashboard
  2. Out-of-sync API definitions
  3. Potential invalid configurations with references to non-existent operations

Solution Implemented

The PR adds a new removeObsoleteOperations function in apidef/oas/default.go that:

func (s *OAS) removeObsoleteOperations(currentOperations []string) {
    tykOperations := s.getTykOperations()
    obsoleteOperations := make([]string, 0)

    for id := range tykOperations {
        if !slices.Contains(currentOperations, id) {
            obsoleteOperations = append(obsoleteOperations, id)
        }
    }

    for _, operationID := range obsoleteOperations {
        delete(tykOperations, operationID)
    }
}

This function:

  1. Collects all operations that exist in the Tyk extension but are not in the current API definition
  2. Removes these obsolete operations from the Tyk extension

The importMiddlewares function was updated to track current operations during processing and call this cleanup function:

currentOperations := make([]string, 0)

for path, pathItem := range s.Paths.Map() {
    // ...
    for _, method := range allowedMethods {
        if operation := pathItem.GetOperation(method); operation != nil {
            // ...
            currentOperations = append(currentOperations, s.getOperationID(path, method))
            // ...
        }
    }
}

s.removeObsoleteOperations(currentOperations)

Testing

The PR adds a dedicated test for the removeObsoleteOperations function that verifies obsolete operations are properly removed:

func TestOAS_RemoveObsoleteOperations(t *testing.T) {
    t.Run("should remove obsolete operations", func(t *testing.T) {
        var s OAS
        s.SetTykExtension(&XTykAPIGateway{
            Middleware: &Middleware{
                Operations: Operations{
                    "op1": &Operation{},
                    "op2": &Operation{},
                    "op3": &Operation{},
                },
            },
        })

        s.removeObsoleteOperations([]string{"op1", "op3"})

        operations := s.getTykOperations()
        assert.Len(t, operations, 2)
        assert.Contains(t, operations, "op1")
        assert.Contains(t, operations, "op3")
        assert.NotContains(t, operations, "op2")
    })
}

It also adds a test case in TestOAS_BuildDefaultTykExtension to ensure that operations not present in the new OAS paths definition are removed during the extension building process.

Impact

This fix ensures consistent behavior between Gateway CE and Dashboard when handling OAS API updates via PATCH operations. It maintains the integrity of API definitions by properly cleaning up obsolete operations in the Tyk extension, preventing potential issues with references to non-existent operations.

Tip: Mention me again using /performance <request>.
Powered by Probe AI
Performance Impact Reviewer Prompt

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Aug 4, 2025

Analysis of PR #7261: Fix for OAS PATCH Operation Middleware Sync

This PR addresses an important issue where updating an API with the PATCH operation via Gateway API doesn't properly update the Tyk vendor extension (x-tyk-api-gateway), resulting in out-of-sync or invalid API definitions.

The Problem

When using PATCH to update an OAS API, operations that were removed from the API definition would still remain in the Tyk extension (x-tyk-api-gateway). This created inconsistencies between:

  • The actual API paths defined in the OAS document
  • The middleware operations stored in the Tyk extension

This inconsistency could lead to:

  • Orphaned middleware configurations for endpoints that no longer exist
  • Potential errors or unexpected behavior when processing requests
  • Different behavior between Gateway CE and Dashboard for the same operation

The Solution

The PR introduces a new function removeObsoleteOperations that:

  1. Tracks all current operations during middleware import
  2. Identifies operations in the Tyk extension that are no longer present in the API paths
  3. Removes these obsolete operations from the extension
func (s *OAS) removeObsoleteOperations(currentOperations []string) {
    tykOperations := s.getTykOperations()
    obsoleteOperations := make([]string, 0)

    for id := range tykOperations {
        if !slices.Contains(currentOperations, id) {
            obsoleteOperations = append(obsoleteOperations, id)
        }
    }

    for _, operationID := range obsoleteOperations {
        delete(tykOperations, operationID)
    }
}

The implementation is efficient and safe:

  • It builds a list of obsolete operations first, then removes them to avoid modifying the map during iteration
  • It uses slices.Contains for checking operation existence, which is appropriate for the typically small number of operations in an API definition

Testing

A test case was added to verify that obsolete operations are properly removed:

  • It creates a fake operation in the Tyk extension
  • It verifies that after building the default Tyk extension, the fake operation is removed
  • It ensures that only the expected operations remain

This fix ensures consistent behavior between Gateway CE and Dashboard when handling OAS API updates via PATCH operations, maintaining the integrity of API definitions.

Tip: Mention me again using /connectivity <request>.
Powered by Probe AI
Connectivity Issues Reviewer Prompt for Tyk Gateway

edsonmichaque
edsonmichaque approved these changes Aug 5, 2025
View reviewed changes
Copy link
Contributor

@edsonmichaque edsonmichaque left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@MaciekMis MaciekMis enabled auto-merge (squash) August 5, 2025 08:21
@MaciekMis MaciekMis disabled auto-merge August 5, 2025 08:21
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Aug 8, 2025

🛡️ Security Snapshot

Effort Risk Level Tests Compliance TL;DR
Low 🟢 ✔️ Low-risk cleanup function that properly removes obsolete operations from Tyk extension during OAS PATCH
## Security Impact Analysis

The PR adds a removeObsoleteOperations function that cleans up outdated operations from the Tyk extension (x-tyk-api-gateway) during OAS API updates via PATCH. This change ensures proper synchronization between the API definition and its middleware configuration, preventing potential inconsistencies that could lead to unexpected behavior. The implementation uses a safe approach by first collecting obsolete operations and then removing them in a separate step, avoiding modification during iteration.

## Identified Vulnerabilities

No vulnerabilities were identified in this change. The implementation:

  • Uses standard Go library functions (slices.Contains) for checking operation existence
  • Properly handles map iteration and deletion
  • Doesn't introduce any input validation issues or memory safety concerns
  • Doesn't modify authentication or authorization logic
## Security Recommendations

The implementation is secure as-is. The only minor consideration would be to ensure that the currentOperations slice doesn't grow excessively large in APIs with many endpoints, but this is more of a performance concern than a security issue. The current implementation is appropriate for the expected scale of operations in typical API definitions.

## OWASP Compliance

This change doesn't impact any OWASP Top 10 categories directly. It's a maintenance function that ensures data consistency between API definitions and their middleware configurations. The change doesn't modify authentication, authorization, input validation, or any other security-critical components.

## Summary

No security issues identified – change LGTM.

Tip: Mention me again using /security <request>.
Powered by Probe AI
Security Impact Reviewer Prompt

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Aug 8, 2025

📦 Impact Review Snapshot

| Effort | Downstream Updates | Compatibility | Docs | TL;DR |
|:-----:|:------------------:|:-------------:|:----:|-------|
| Low | ✅ | 🟢 | 📖 | Fix ensures consistent behavior between Gateway and Dashboard for OAS PATCH operations |

## Impact Assessment

This PR addresses an important issue where PATCH operations on OAS APIs via Gateway API don't properly update the Tyk vendor extension (x-tyk-api-gateway), resulting in out-of-sync or invalid API definitions. The fix adds a removeObsoleteOperations function that cleans up operations in the Tyk extension that are no longer present in the current OAS paths.

The implementation is clean and efficient, first collecting all current operations during middleware import, then identifying and removing any operations in the Tyk extension that aren't in the current set. This ensures that when API paths are removed or modified via PATCH, the corresponding operations in the Tyk extension are properly cleaned up.

## Required Updates

No immediate updates are required in downstream repositories as this is a bug fix that doesn't change any schemas or interfaces. However, repositories that interact with both Gateway and Dashboard should be aware of the improved consistency:

  • tyk-operator: No changes needed, but will benefit from more consistent behavior when managing APIs via Gateway
  • tyk-charts: No changes needed
  • portal: No changes needed, but will benefit from more consistent API definitions
  • tyk-sink: No changes needed
## Compatibility Concerns

This change has no backward compatibility issues. It's a bug fix that ensures the Gateway properly updates the Tyk vendor extension during PATCH operations, which aligns with expected behavior. The fix ensures that obsolete operations are properly removed from the Tyk extension, which was already the expected behavior but wasn't working correctly.

The implementation uses standard Go library functions (slices.Contains) for checking operation existence and follows a safe approach by first collecting obsolete operations and then removing them in a separate step, avoiding modification during iteration.

## Summary & Recommendations
  • This PR fixes an important consistency issue between Gateway and Dashboard behavior for OAS API updates
  • The fix is well-implemented with a clean approach to identifying and removing obsolete operations
  • The change is well-tested with a specific test case that verifies obsolete operations are properly removed
  • The implementation is efficient for typical API definitions with a modest number of operations
  • No suggestions to provide – change LGTM.

Tip: Mention me again using /dependency <request>.
Powered by Probe AI
Tyk Gateway Dependency Impact Reviewer

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Aug 8, 2025

PR Analysis: Fix for OAS PATCH Operation Middleware Sync

Problem Overview

This PR addresses an important issue where updating an API with the PATCH operation via Gateway API doesn't properly update the Tyk vendor extension (x-tyk-api-gateway), resulting in out-of-sync or invalid API definitions.

When using PATCH to update an OAS API, operations that were removed from the API definition would still remain in the Tyk extension (x-tyk-api-gateway). This created inconsistencies between:

  • The actual API paths defined in the OAS document
  • The middleware operations stored in the Tyk extension

Technical Context

The PATCH operation is handled by the apiOASPatchHandler function in gateway/api.go, which:

  1. Extracts the OAS object from the request body
  2. Gets the existing API spec and fills the OAS object with the current API definition
  3. Merges the new OAS object with the existing one, retaining the server URL
  4. Calls BuildDefaultTykExtension to update the Tyk extension
  5. Updates the API definition

The issue occurred because during this process, the importMiddlewares function (called by BuildDefaultTykExtension) would update existing operations but wouldn't remove operations that were no longer present in the API definition.

Solution Implementation

The PR introduces a new function removeObsoleteOperations that:

  1. Takes a list of current operations from the OAS paths
  2. Identifies operations in the Tyk extension that are no longer present in the API paths
  3. Removes these obsolete operations from the extension
func (s *OAS) removeObsoleteOperations(currentOperations []string) {
    tykOperations := s.getTykOperations()
    obsoleteOperations := make([]string, 0)

    for id := range tykOperations {
        if !slices.Contains(currentOperations, id) {
            obsoleteOperations = append(obsoleteOperations, id)
        }
    }

    for _, operationID := range obsoleteOperations {
        delete(tykOperations, operationID)
    }
}

The importMiddlewares function is modified to:

  • Track current operations during processing
  • Call removeObsoleteOperations after processing all operations
func (s *OAS) importMiddlewares(overRideValues TykExtensionConfigParams) {
    // ...
    currentOperations := make([]string, 0)

    for path, pathItem := range s.Paths.Map() {
        // ...
        for _, method := range allowedMethods {
            if operation := pathItem.GetOperation(method); operation != nil {
                // ...
                currentOperations = append(currentOperations, s.getOperationID(path, method))
                // ...
            }
        }
    }

    s.removeObsoleteOperations(currentOperations)
    // ...
}

Testing

The PR includes a test case that verifies the functionality:

  • It creates a fake operation in the Tyk extension
  • It calls BuildDefaultTykExtension which triggers the middleware import process
  • It verifies that the fake operation is removed and only the expected operations remain

Impact

This fix ensures consistent behavior between Gateway CE and Dashboard when handling OAS API updates via PATCH operations, maintaining the integrity of API definitions and preventing potential issues with references to non-existent operations.

The change improves the reliability of the API management process by ensuring that the Tyk extension accurately reflects the current state of the API definition, which is critical for proper request processing and middleware application.

The implementation is efficient and safe:

  • It builds a list of obsolete operations first, then removes them to avoid modifying the map during iteration
  • It uses slices.Contains for checking operation existence, which is appropriate for the typically small number of operations in an API definition
  • The change is minimal and focused on the specific issue, with no side effects on other parts of the system

Tip: Mention me again using /connectivity <request>.
Powered by Probe AI
Connectivity Issues Reviewer Prompt for Tyk Gateway

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Aug 8, 2025

🚀 Performance Snapshot

Effort Perf Risk Hot Paths Benchmarks TL;DR
Low 🟢 Minimal performance impact with efficient operation cleanup during OAS PATCH operations
## Performance Impact Analysis

The PR adds a new removeObsoleteOperations function that cleans up outdated operations from the Tyk extension during OAS API updates. This change ensures proper synchronization between the API description and Tyk extension when using PATCH operations, preventing inconsistencies that previously occurred.

The implementation uses slices.Contains for checking operation existence, which has O(n) complexity but operates on typically small sets of operation IDs. The function builds a list of obsolete operations first before removing them, which is memory-efficient and avoids modifying the map during iteration.

## Critical Areas

The changes affect the API definition update path, specifically when using PATCH operations on OAS APIs. This is not in the critical request handling path, as it only impacts API management operations, not runtime request processing. The operation cleanup happens during API updates, which are infrequent administrative actions.

The implementation is efficient for the expected scale of operations in a typical API definition (usually tens of operations, not thousands), making the linear search acceptable.

## Optimization Recommendations

The current implementation is appropriate for the expected scale. If future APIs contain hundreds of operations, consider:

  1. Using a map-based approach instead of slice for currentOperations to achieve O(1) lookups instead of O(n) with slices.Contains.
  2. Preallocating the obsoleteOperations slice with a capacity estimate to reduce potential reallocations.

However, these optimizations are likely unnecessary for typical API definitions with a modest number of operations.

## Summary
  • The changes have minimal performance impact as they only affect API management operations, not runtime request processing
  • The implementation is efficient for typical API definitions with a modest number of operations
  • The fix properly addresses the synchronization issue between API descriptions and Tyk extensions during PATCH operations
  • No significant performance concerns identified in the implementation

Tip: Mention me again using /performance <request>.
Powered by Probe AI
Performance Impact Reviewer Prompt

@github-actions GitHub Actions
Copy link
Contributor

🛡️ Security Snapshot

Effort Risk Level Tests Compliance TL;DR
Low 🟢 ✔️ Low-risk cleanup function that properly removes obsolete operations from Tyk extension during OAS PATCH
## Security Impact Analysis

The PR adds a removeObsoleteOperations function that cleans up outdated operations from the Tyk extension (x-tyk-api-gateway) during OAS API updates via PATCH. This change ensures proper synchronization between the API definition and its middleware configuration, preventing potential inconsistencies that could lead to unexpected behavior. The implementation uses a safe approach by first collecting obsolete operations and then removing them in a separate step, avoiding modification during iteration.

## Identified Vulnerabilities

No vulnerabilities were identified in this change. The implementation:

  • Uses standard Go library functions (slices.Contains) for checking operation existence
  • Properly handles map iteration and deletion
  • Doesn't introduce any input validation issues or memory safety concerns
  • Doesn't modify authentication or authorization logic
## Security Recommendations

The implementation is secure as-is. The only minor consideration would be to ensure that the currentOperations slice doesn't grow excessively large in APIs with many endpoints, but this is more of a performance concern than a security issue. The current implementation is appropriate for the expected scale of operations in typical API definitions.

## OWASP Compliance

This change doesn't impact any OWASP Top 10 categories directly. It's a maintenance function that ensures data consistency between API definitions and their middleware configurations. The change doesn't modify authentication, authorization, input validation, or any other security-critical components.

## Summary

No security issues identified – change LGTM.

Tip: Mention me again using /security <request>.
Powered by Probe AI
Security Impact Reviewer Prompt

@github-actions GitHub Actions
Copy link
Contributor

📦 Impact Review Snapshot

Effort Downstream Updates Compatibility Docs TL;DR
Low 🟢 📖 Fix ensures consistent behavior between Gateway and Dashboard for OAS PATCH operations
## Impact Assessment

This PR addresses an issue where PATCH operations on OAS APIs via the Gateway API don't properly update the Tyk vendor extension (x-tyk-api-gateway), causing out-of-sync or invalid API definitions. The fix adds a removeObsoleteOperations function that cleans up operations in the Tyk extension that are no longer present in the current OAS paths.

The implementation is clean and efficient, first collecting all current operations during middleware import, then identifying and removing any operations in the Tyk extension that aren't in the current set. This ensures that when API paths are removed or modified via PATCH, the corresponding operations in the Tyk extension are properly cleaned up.

## Required Updates

No immediate updates are required in downstream repositories as this is a bug fix that doesn't change any schemas or interfaces. However, repositories that interact with both Gateway and Dashboard should be aware of the improved consistency:

  • tyk-operator: No changes needed, but will benefit from more consistent behavior when managing APIs via Gateway
  • tyk-charts: No changes needed
  • portal: No changes needed, but will benefit from more consistent API definitions
  • tyk-sink: No changes needed
## Compatibility Concerns

This change has no backward compatibility issues. It's a bug fix that ensures the Gateway properly updates the Tyk vendor extension during PATCH operations, which aligns with expected behavior. The fix ensures that obsolete operations are properly removed from the Tyk extension, which was already the expected behavior but wasn't working correctly.

The implementation uses standard Go library functions (slices.Contains) for checking operation existence and follows a safe approach by first collecting obsolete operations and then removing them in a separate step, avoiding modification during iteration.

## Summary & Recommendations
  • This PR fixes an important consistency issue between Gateway and Dashboard behavior for OAS API updates
  • The fix is well-implemented with a clean approach to identifying and removing obsolete operations
  • The change is well-tested with a specific test case that verifies obsolete operations are properly removed
  • The implementation is efficient for typical API definitions with a modest number of operations
  • No suggestions to provide – change LGTM.

Tip: Mention me again using /dependency <request>.
Powered by Probe AI
Tyk Gateway Dependency Impact Reviewer

@github-actions GitHub Actions
Copy link
Contributor

🚀 Performance Snapshot

Effort Perf Risk Hot Paths Benchmarks TL;DR
Low 🟢 Minimal performance impact with efficient operation cleanup during OAS PATCH operations
## Performance Impact Analysis

The PR adds a new removeObsoleteOperations function that cleans up outdated operations from the Tyk extension during OAS API updates. This change ensures proper synchronization between the API description and Tyk extension when using PATCH operations, preventing inconsistencies that previously occurred.

The implementation uses slices.Contains for checking operation existence, which has O(n) complexity but operates on typically small sets of operation IDs. The function builds a list of obsolete operations first before removing them, which is memory-efficient and avoids modifying the map during iteration.

## Critical Areas

The changes affect the API definition update path, specifically when using PATCH operations on OAS APIs. This is not in the critical request handling path, as it only impacts API management operations, not runtime request processing. The operation cleanup happens during API updates, which are infrequent administrative actions.

The implementation is efficient for the expected scale of operations in a typical API definition (usually tens of operations, not thousands), making the linear search acceptable.

## Optimization Recommendations

The current implementation is appropriate for the expected scale. If future APIs contain hundreds of operations, consider:

  1. Using a map-based approach instead of slice for currentOperations to achieve O(1) lookups instead of O(n) with slices.Contains.
  2. Preallocating the obsoleteOperations slice with a capacity estimate to reduce potential reallocations.

However, these optimizations are likely unnecessary for typical API definitions with a modest number of operations.

## Summary
  • The changes have minimal performance impact as they only affect API management operations, not runtime request handling
  • The implementation is efficient for typical API definitions with a modest number of operations
  • The fix properly addresses the synchronization issue between API descriptions and Tyk extensions during PATCH operations
  • No significant performance concerns identified in the implementation

Tip: Mention me again using /performance <request>.
Powered by Probe AI
Performance Impact Reviewer Prompt

@github-actions GitHub Actions
Copy link
Contributor

🚦 Connectivity Review Snapshot

Effort Tests Security Perf TL;DR
Low 🔒 none 🟢 Fixes OAS PATCH operation to properly clean up obsolete operations in Tyk extension
## Connectivity Assessment
  • Redis Connections: No changes to Redis connectivity - this PR only affects in-memory processing of OAS definitions during API updates, with the existing Redis notification flow for API updates remaining intact.
  • RPC Connections: No impact on RPC connections or MDCB mode functionality - the fix occurs before the API definition is stored and distributed.
  • Synchronization Mechanisms: Improves synchronization between API definition and Tyk extension by properly removing obsolete operations when paths are updated via PATCH, ensuring consistent behavior across Gateway and Dashboard.
## Test Coverage Validation
  • Redis Tests: Not applicable - no Redis connectivity changes. The existing Redis notification flow for API updates (NoticeApiUpdated) is used without modification.
  • RPC Tests: Not applicable - no RPC connectivity changes. The fix occurs before the API definition is sent to storage.
  • Failure Scenario Tests: The PR adds a specific test case that verifies obsolete operations are properly removed from the Tyk extension when updating an OAS API definition.
## Security & Performance Impact
  • Authentication Changes: No changes to authentication mechanisms.
  • Performance Considerations: Slight performance improvement by cleaning up obsolete operations that would otherwise remain in memory. The implementation uses slices.Contains which is appropriate for the typically small number of operations in an API definition.
  • Error Handling: No changes to error handling paths. The existing error handling for API updates remains intact.
## Summary & Recommendations
  • This PR fixes an important issue where PATCH operations on OAS APIs didn't properly update the Tyk vendor extension, causing inconsistencies between the API definition and its middleware configuration.
  • The fix ensures that when API paths are updated or removed via PATCH, the corresponding operations in the Tyk extension are also cleaned up.
  • The implementation is efficient and follows the same pattern used elsewhere in the codebase for cleaning up unused resources.
  • The fix maintains the existing Redis notification flow for API updates, ensuring that all Gateway nodes in a cluster will receive the updated API definition.
  • No suggestions to provide – change LGTM.

Tip: Mention me again using /connectivity <request>.
Powered by Probe AI
Connectivity Issues Reviewer Prompt for Tyk Gateway

@github-actions GitHub Actions
Copy link
Contributor

🛡️ Security Snapshot

Effort Risk Level Tests Compliance TL;DR
Low 🟢 ✔️ Low-risk cleanup function that properly removes obsolete operations from Tyk extension during OAS PATCH
## Security Impact Analysis

The PR adds a removeObsoleteOperations function that cleans up outdated operations from the Tyk extension (x-tyk-api-gateway) during OAS API updates via PATCH. This change ensures proper synchronization between the API definition and its middleware configuration, preventing potential inconsistencies that could lead to unexpected behavior. The implementation uses a safe approach by first collecting obsolete operations and then removing them in a separate step, avoiding modification during iteration.

## Identified Vulnerabilities

No vulnerabilities were identified in this change. The implementation:

  • Uses standard Go library functions (slices.Contains) for checking operation existence
  • Properly handles map iteration and deletion
  • Doesn't introduce any input validation issues or memory safety concerns
  • Doesn't modify authentication or authorization logic
## Security Recommendations

The implementation is secure as-is. The only minor consideration would be to ensure that the currentOperations slice doesn't grow excessively large in APIs with many endpoints, but this is more of a performance concern than a security issue. The current implementation is appropriate for the expected scale of operations in typical API definitions.

## OWASP Compliance

This change doesn't impact any OWASP Top 10 categories directly. It's a maintenance function that ensures data consistency between API definitions and their middleware configurations. The change doesn't modify authentication, authorization, input validation, or any other security-critical components.

## Summary

No security issues identified – change LGTM.

Tip: Mention me again using /security <request>.
Powered by Probe AI
Security Impact Reviewer Prompt

@github-actions GitHub Actions
Copy link
Contributor

🚀 Performance Snapshot

Effort Perf Risk Hot Paths Benchmarks TL;DR
Low 🟢 Minimal performance impact with efficient operation cleanup during OAS PATCH operations
## Performance Impact Analysis

The PR adds a new removeObsoleteOperations function that cleans up outdated operations from the Tyk extension during OAS API updates. This change ensures proper synchronization between the API description and Tyk extension when using PATCH operations, preventing inconsistencies that previously occurred.

The implementation uses slices.Contains for checking operation existence, which has O(n) complexity but operates on typically small sets of operation IDs. The function builds a list of obsolete operations first before removing them, which is memory-efficient and avoids modifying the map during iteration.

## Critical Areas

The changes affect the API definition update path, specifically when using PATCH operations on OAS APIs. This is not in the critical request handling path, as it only impacts API management operations, not runtime request processing. The operation cleanup happens during API updates, which are infrequent administrative actions.

The implementation is efficient for the expected scale of operations in a typical API definition (usually tens of operations, not thousands), making the linear search acceptable.

## Optimization Recommendations

The current implementation is appropriate for the expected scale. If future APIs contain hundreds of operations, consider:

  1. Using a map-based approach instead of slice for currentOperations to achieve O(1) lookups instead of O(n) with slices.Contains.
  2. Preallocating the obsoleteOperations slice with a capacity estimate to reduce potential reallocations.

However, these optimizations are likely unnecessary for typical API definitions with a modest number of operations.

## Summary
  • The changes have minimal performance impact as they only affect API management operations, not runtime request handling
  • The implementation is efficient for typical API definitions with a modest number of operations
  • The fix properly addresses the synchronization issue between API descriptions and Tyk extensions during PATCH operations
  • No significant performance concerns identified in the implementation

Tip: Mention me again using /performance <request>.
Powered by Probe AI
Performance Impact Reviewer Prompt

@github-actions GitHub Actions
Copy link
Contributor

Analysis of PR #7261: [OAS] Gateway CE behaves differently from Dashboard for middleware and PATCH

Problem Overview

This PR addresses an issue where updating an API with the PATCH /tyk/apis/oas/{apiId} command via Gateway API doesn't properly update the Tyk vendor extension (x-tyk-api-gateway), resulting in out-of-sync or invalid API definitions.

When using PATCH to update an OAS API, operations that were removed from the API definition would still remain in the Tyk extension (x-tyk-api-gateway). This created inconsistencies between:

  • The actual API paths defined in the OAS document
  • The middleware operations stored in the Tyk extension

This inconsistency led to:

  • Orphaned middleware configurations for endpoints that no longer exist
  • Different behavior between Gateway CE and Dashboard for the same operation

Technical Context

The PATCH operation is handled by the apiOASPatchHandler function in gateway/api.go, which:

  1. Extracts the OAS object from the request body
  2. Gets the existing API spec and fills the OAS object with the current API definition
  3. Merges the new OAS object with the existing one
  4. Calls BuildDefaultTykExtension to update the Tyk extension
  5. Updates the API definition

The issue occurred because during this process, the importMiddlewares function (called by BuildDefaultTykExtension) would update existing operations but wouldn't remove operations that were no longer present in the API definition.

Solution Implementation

The PR introduces a new function removeObsoleteOperations that:

func (s *OAS) removeObsoleteOperations(currentOperations []string) {
    tykOperations := s.getTykOperations()
    obsoleteOperations := make([]string, 0)

    for id := range tykOperations {
        if !slices.Contains(currentOperations, id) {
            obsoleteOperations = append(obsoleteOperations, id)
        }
    }

    for _, operationID := range obsoleteOperations {
        delete(tykOperations, operationID)
    }
}

The importMiddlewares function was modified to track current operations during processing and call this cleanup function:

func (s *OAS) importMiddlewares(overRideValues TykExtensionConfigParams) {
    // ...
    currentOperations := make([]string, 0)

    for path, pathItem := range s.Paths.Map() {
        // ...
        for _, method := range allowedMethods {
            if operation := pathItem.GetOperation(method); operation != nil {
                // ...
                currentOperations = append(currentOperations, s.getOperationID(path, method))
                // ...
            }
        }
    }

    s.removeObsoleteOperations(currentOperations)
    // ...
}

Implementation Details

The implementation follows a two-phase approach:

  1. First, it identifies obsolete operations by comparing existing operations in the Tyk extension with the current operations in the OAS paths
  2. Then, it removes the obsolete operations from the Tyk extension

This approach avoids modifying the map during iteration and uses slices.Contains for efficient operation checks.

The fix is triggered during the PATCH operation when BuildDefaultTykExtension is called:

if tykExtensionConfigParams != nil {
    err = oasObjToPatch.BuildDefaultTykExtension(*tykExtensionConfigParams, false)
    if err != nil {
        doJSONWrite(w, http.StatusBadRequest, apiError(err.Error()))
        return
    }
}

Testing

A test was added to verify the functionality:

t.Run("operations not present in new oas paths definition should be removed", func(t *testing.T) {
    fakeOperationName := "fakeOperation"
    fakeOperation := &Operation{
        MockResponse: &MockResponse{
            Enabled: true,
        },
    }
    oasDef := getOASDef(true, true)

    // Add a fake operation to the Tyk extension
    extension := &XTykAPIGateway{
        Middleware: &Middleware{
            Operations: map[string]*Operation{fakeOperationName: fakeOperation},
        },
    }
    oasDef.SetTykExtension(extension)
    
    // Verify the fake operation exists
    assert.Greater(t, len(oasDef.getTykOperations()), 0)

    // Call BuildDefaultTykExtension which should remove the fake operation
    expectedOperations := getExpectedOperations(true, true, middlewareMockResponse)
    err := oasDef.BuildDefaultTykExtension(tykExtensionConfigParams, true)

    // Verify the fake operation was removed
    assert.NoError(t, err)
    assert.Equal(t, expectedOperations, oasDef.getTykOperations())
})

Impact and Benefits

This fix ensures:

  1. Consistency: Gateway CE now behaves the same way as Dashboard for middleware and PATCH operations
  2. Data Integrity: API definitions remain in sync and valid after updates
  3. Maintainability: Clean removal of obsolete operations prevents accumulation of stale configuration
  4. Reliability: Middleware configurations accurately reflect the current API paths

The implementation is efficient and safe, building a list of obsolete operations first before removing them to avoid modifying the map during iteration. The fix maintains backward compatibility and doesn't change any public interfaces or schemas.

Tip: Mention me again using /connectivity <request>.
Powered by Probe AI
Connectivity Issues Reviewer Prompt for Tyk Gateway

@github-actions GitHub Actions
Copy link
Contributor

📦 Impact Review Snapshot

Effort Downstream Updates Compatibility Docs TL;DR
Low 🟢 📖 Fix ensures consistent behavior between Gateway and Dashboard for OAS PATCH operations
## Impact Assessment

This PR addresses an issue where PATCH operations on OAS APIs via the Gateway API don't properly update the Tyk vendor extension (x-tyk-api-gateway), causing out-of-sync or invalid API definitions. The fix adds a removeObsoleteOperations function that cleans up operations in the Tyk extension that are no longer present in the current OAS paths.

The implementation is clean and efficient, first collecting all current operations during middleware import, then identifying and removing any operations in the Tyk extension that aren't in the current set. This ensures that when API paths are removed or modified via PATCH, the corresponding operations in the Tyk extension are properly cleaned up.

## Required Updates

No immediate updates are required in downstream repositories as this is a bug fix that doesn't change any schemas or interfaces. However, repositories that interact with both Gateway and Dashboard should be aware of the improved consistency:

  • tyk-operator: No changes needed, but will benefit from more consistent behavior when managing APIs via Gateway
  • tyk-charts: No changes needed
  • portal: No changes needed, but will benefit from more consistent API definitions
  • tyk-sink: No changes needed
## Compatibility Concerns

This change has no backward compatibility issues. It's a bug fix that ensures the Gateway properly updates the Tyk vendor extension during PATCH operations, which aligns with expected behavior. The fix ensures that obsolete operations are properly removed from the Tyk extension, which was already the expected behavior but wasn't working correctly.

The implementation uses standard Go library functions (slices.Contains) for checking operation existence and follows a safe approach by first collecting obsolete operations and then removing them in a separate step, avoiding modification during iteration.

## Summary & Recommendations
  • This PR fixes an important consistency issue between Gateway and Dashboard behavior for OAS API updates
  • The fix is well-implemented with a clean approach to identifying and removing obsolete operations
  • The change is well-tested with a specific test case that verifies obsolete operations are properly removed
  • The implementation is efficient for typical API definitions with a modest number of operations
  • No suggestions to provide – change LGTM.

Tip: Mention me again using /dependency <request>.
Powered by Probe AI
Tyk Gateway Dependency Impact Reviewer

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@MaciekMis MaciekMis merged commit dbabb5f into master Aug 11, 2025
45 of 47 checks passed
@MaciekMis MaciekMis deleted the TT-7524-oas-gateway-ce-behaves-differently-from-dashboard-for-middleware-and-patch branch August 11, 2025 11:06
@MaciekMis
Copy link
Contributor Author

/release to release-5.8

@tykbot tykbot
Copy link

tykbot bot commented Aug 11, 2025

Working on it! Note that it can take a few minutes.

tykbot bot pushed a commit that referenced this pull request Aug 11, 2025
@MaciekMis
[TT-7524] [OAS] Gateway CE behaves differently from Dashboard for mid…
d713aa0 
…dleware and PATCH (#7261)

<details open>
<summary><a href="https://tyktech.atlassian.net/browse/TT-7524"
title="TT-7524" target="_blank">TT-7524</a></summary>
  <br />
  <table>
    <tr>
      <th>Summary</th>
<td>[OAS] Gateway CE behaves differently from Dashboard for middleware
and PATCH</td>
    </tr>
    <tr>
      <th>Type</th>
      <td>
<img alt="Bug"
src="https://tyktech.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium"
/>
        Bug
      </td>
    </tr>
    <tr>
      <th>Status</th>
      <td>In Dev</td>
    </tr>
    <tr>
      <th>Points</th>
      <td>N/A</td>
    </tr>
    <tr>
      <th>Labels</th>
<td><a
href="https://tyktech.atlassian.net/issues?jql=project%20%3D%20TT%20AND%20labels%20%3D%20codilime_refined%20ORDER%20BY%20created%20DESC"
title="codilime_refined">codilime_refined</a></td>
    </tr>
  </table>
</details>
<!--
  do not remove this marker as it will break jira-lint's functionality.
  added_by_jira_lint
-->

---

<!-- Provide a general summary of your changes in the Title above -->

Updating an API with the PATCH /tyk/apis/oas/{apiId} command via Gateway
API does not trigger the Tyk vendor extension (x-tyk-api-gateway)
update, which results in the API description being out of sync or
invalid.

<!-- This project only accepts pull requests related to open issues. -->
<!-- If suggesting a new feature or change, please discuss it in an
issue first. -->
<!-- If fixing a bug, there should be an issue describing it with steps
to reproduce. -->
<!-- OSS: Please link to the issue here. Tyk: please create/link the
JIRA ticket. -->

<!-- Why is this change required? What problem does it solve? -->

<!-- Please describe in detail how you tested your changes -->
<!-- Include details of your testing environment, and the tests -->
<!-- you ran to see how your change affects other areas of the code,
etc. -->
<!-- This information is helpful for reviewers and QA. -->

<!-- What types of changes does your code introduce? Put an `x` in all
the boxes that apply: -->

- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing
functionality to change)
- [x] Refactoring or add test (improvements in base code or adds test
coverage to functionality)

<!-- Go over all the following points, and put an `x` in all the boxes
that apply -->
<!-- If there are no documentation updates required, mark the item as
checked. -->
<!-- Raise up any additional concerns not covered by the checklist. -->

- [ ] I ensured that the documentation is up to date
- [ ] I explained why this PR updates go.mod in detail with reasoning
why it's required
- [ ] I would like a code coverage CI quality gate exception and have
explained why

___

Bug fix, Tests

___

- Fix removal of obsolete operations in Tyk extension during OAS PATCH.

- Add test to ensure outdated operations are deleted.

- Enhance middleware import logic for operation cleanup.

- Improve consistency between Gateway and Dashboard OAS handling.

___

```mermaid
flowchart LR
  PATCH_OAS["PATCH OAS API"] -- "Triggers" --> importMiddlewares["importMiddlewares updates operations"]
  importMiddlewares -- "Collects current ops" --> removeObsolete["removeObsoleteOperations removes outdated ops"]
  removeObsolete -- "Cleans up" --> TykExtension["Tyk Extension up-to-date"]
  default_test["Add test for obsolete ops removal"] -- "Verifies" --> removeObsolete
```

<details> <summary><h3> File Walkthrough</h3></summary>

<table><thead><tr><th></th><th align="left">Relevant
files</th></tr></thead><tbody><tr><td><strong>Bug
fix</strong></td><td><table>
<tr>
  <td>
    <details>
<summary><strong>default.go</strong><dd><code>Remove obsolete operations
from Tyk extension during import</code></dd></summary>
<hr>

apidef/oas/default.go

<ul><li>Track current operations during middleware import.<br> <li> Add
<code>removeObsoleteOperations</code> to delete outdated operations.<br>
<li> Call cleanup after updating operations.<br> <li> Use
<code>slices.Contains</code> for efficient operation checks.</ul>

</details>

  </td>
<td><a
href="https://github.com/TykTechnologies/tyk/pull/7261/files#diff-83c3a85bdd05785178ee519b05b1fe2008435dc4ae9448d72b080b5f67c491ad">+21/-0</a>&nbsp;
&nbsp; </td>

</tr>
</table></td></tr><tr><td><strong>Tests</strong></td><td><table>
<tr>
  <td>
    <details>
<summary><strong>default_test.go</strong><dd><code>Test removal of
obsolete operations from Tyk extension</code>&nbsp; &nbsp; &nbsp;
</dd></summary>
<hr>

apidef/oas/default_test.go

<ul><li>Add test to verify removal of outdated operations.<br> <li>
Ensure Tyk extension matches expected operations after update.</ul>

</details>

  </td>
<td><a
href="https://github.com/TykTechnologies/tyk/pull/7261/files#diff-ab6848f71731083885a9d7d7970faa68a6783a98477c78413ae3979cb5add7db">+28/-0</a>&nbsp;
&nbsp; </td>

</tr>
</table></td></tr></tr></tbody></table>

</details>

___

(cherry picked from commit dbabb5f)
@buger buger mentioned this pull request Aug 11, 2025
Merged
7 tasks
@tykbot tykbot
Copy link

tykbot bot commented Aug 11, 2025

@MaciekMis Created merge PRs

radkrawczyk pushed a commit that referenced this pull request Aug 12, 2025
@buger @MaciekMis
Merging to release-5.8: [TT-7524] [OAS] Gateway CE behaves differentl…
7385095 
…y from Dashboard for middleware and PATCH (#7261) (#7292)

### **User description**
[TT-7524] [OAS] Gateway CE behaves differently from Dashboard for
middleware and PATCH (#7261)

### **User description**
<details open>
<summary><a href="https://tyktech.atlassian.net/browse/TT-7524"
title="TT-7524" target="_blank">TT-7524</a></summary>
  <br />
  <table>
    <tr>
      <th>Summary</th>
<td>[OAS] Gateway CE behaves differently from Dashboard for middleware
and PATCH</td>
    </tr>
    <tr>
      <th>Type</th>
      <td>
<img alt="Bug"

src="https://tyktech.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium"
/>
        Bug
      </td>
    </tr>
    <tr>
      <th>Status</th>
      <td>In Dev</td>
    </tr>
    <tr>
      <th>Points</th>
      <td>N/A</td>
    </tr>
    <tr>
      <th>Labels</th>
<td><a

href="https://tyktech.atlassian.net/issues?jql=project%20%3D%20TT%20AND%20labels%20%3D%20codilime_refined%20ORDER%20BY%20created%20DESC"
title="codilime_refined">codilime_refined</a></td>
    </tr>
  </table>
</details>
<!--
  do not remove this marker as it will break jira-lint's functionality.
  added_by_jira_lint
-->

---

<!-- Provide a general summary of your changes in the Title above -->

## Description

Updating an API with the PATCH /tyk/apis/oas/{apiId} command via Gateway
API does not trigger the Tyk vendor extension (x-tyk-api-gateway)
update, which results in the API description being out of sync or
invalid.

## Related Issue

<!-- This project only accepts pull requests related to open issues. -->
<!-- If suggesting a new feature or change, please discuss it in an
issue first. -->
<!-- If fixing a bug, there should be an issue describing it with steps
to reproduce. -->
<!-- OSS: Please link to the issue here. Tyk: please create/link the
JIRA ticket. -->

## Motivation and Context

<!-- Why is this change required? What problem does it solve? -->

## How This Has Been Tested

<!-- Please describe in detail how you tested your changes -->
<!-- Include details of your testing environment, and the tests -->
<!-- you ran to see how your change affects other areas of the code,
etc. -->
<!-- This information is helpful for reviewers and QA. -->

## Screenshots (if appropriate)

## Types of changes

<!-- What types of changes does your code introduce? Put an `x` in all
the boxes that apply: -->

- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing
functionality to change)
- [x] Refactoring or add test (improvements in base code or adds test
coverage to functionality)

## Checklist

<!-- Go over all the following points, and put an `x` in all the boxes
that apply -->
<!-- If there are no documentation updates required, mark the item as
checked. -->
<!-- Raise up any additional concerns not covered by the checklist. -->

- [ ] I ensured that the documentation is up to date
- [ ] I explained why this PR updates go.mod in detail with reasoning
why it's required
- [ ] I would like a code coverage CI quality gate exception and have
explained why


___

### **PR Type**
Bug fix, Tests


___

### **Description**
Remove obsolete Tyk operations on OAS PATCH
Track current operations during import
Add test verifying obsolete cleanup
Keep Gateway and Dashboard behavior consistent


___

### Diagram Walkthrough


```mermaid
flowchart LR
  OAS["OAS Paths/Operations"] -- "importMiddlewares" --> Collect["Collect current operation IDs"]
  Collect -- "compare" --> Cleanup["removeObsoleteOperations deletes stale ops"]
  Cleanup -- "result" --> XTyk["x-tyk-api-gateway middleware up-to-date"]
  Test["Unit test"] -- "asserts cleanup" --> Cleanup
```



<details> <summary><h3> File Walkthrough</h3></summary>

<table><thead><tr><th></th><th align="left">Relevant
files</th></tr></thead><tbody><tr><td><strong>Bug
fix</strong></td><td><table>
<tr>
  <td>
    <details>
<summary><strong>default.go</strong><dd><code>Remove obsolete operations
during middleware import</code>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
</dd></summary>
<hr>

apidef/oas/default.go

<ul><li>Track current operation IDs during import.<br> <li> Remove
obsolete operations via new helper.<br> <li> Use slices.Contains for
membership checks.<br> <li> Invoke cleanup after per-operation
import.</ul>


</details>


  </td>
<td><a
href="https://github.com/TykTechnologies/tyk/pull/7292/files#diff-83c3a85bdd05785178ee519b05b1fe2008435dc4ae9448d72b080b5f67c491ad">+21/-0</a>&nbsp;
&nbsp; </td>

</tr>
</table></td></tr><tr><td><strong>Tests</strong></td><td><table>
<tr>
  <td>
    <details>
<summary><strong>default_test.go</strong><dd><code>Test cleanup of
obsolete Tyk operations</code>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; </dd></summary>
<hr>

apidef/oas/default_test.go

<ul><li>Add test ensuring obsolete operations are removed.<br> <li>
Validate Tyk extension matches expected operations.</ul>


</details>


  </td>
<td><a
href="https://github.com/TykTechnologies/tyk/pull/7292/files#diff-ab6848f71731083885a9d7d7970faa68a6783a98477c78413ae3979cb5add7db">+28/-0</a>&nbsp;
&nbsp; </td>

</tr>
</table></td></tr></tr></tbody></table>

</details>

___



[TT-7524]:
https://tyktech.atlassian.net/browse/TT-7524?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ

---------

Co-authored-by: Maciej Miś <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@shults shults shults approved these changes

@edsonmichaque edsonmichaque edsonmichaque approved these changes

Assignees
No one assigned
Labels
bug Review effort 3/5 Tyk Product Development
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@MaciekMis @buger @shults @edsonmichaque