tests: integration suite

gateway/internal/config/config.go

@@ -4,6 +4,7 @@ package config
 
 import (
 	"fmt"
+	"net/url"
 	"os"
 	"strconv"
 	"strings"
@@ -39,6 +40,11 @@ const (
 	// configures the timeout budget used for public auth upstream calls.
 	publicAuthUpstreamTimeoutEnvVar = "GATEWAY_PUBLIC_AUTH_UPSTREAM_TIMEOUT"
 
+	// authServiceBaseURLEnvVar names the environment variable that configures
+	// the optional Auth / Session Service public HTTP base URL used by gateway
+	// public-auth delegation.
+	authServiceBaseURLEnvVar = "GATEWAY_AUTH_SERVICE_BASE_URL"
+
 	// adminHTTPAddrEnvVar names the environment variable that configures the
 	// private admin HTTP listener address. When it is empty, the admin listener
 	// remains disabled.
@@ -464,6 +470,15 @@ type PublicHTTPConfig struct {
 	AntiAbuse PublicHTTPAntiAbuseConfig
 }
 
+// AuthServiceConfig describes the optional public-auth upstream used by the
+// gateway runtime.
+type AuthServiceConfig struct {
+	// BaseURL is the absolute base URL of the Auth / Session Service public
+	// HTTP API. When BaseURL is empty, the gateway keeps using its built-in
+	// unavailable public-auth adapter.
+	BaseURL string
+}
+
 // AdminHTTPConfig describes the private operational HTTP listener used for
 // metrics exposure. The listener remains disabled when Addr is empty.
 type AdminHTTPConfig struct {
@@ -591,6 +606,10 @@ type Config struct {
 	// PublicHTTP configures the public unauthenticated REST listener.
 	PublicHTTP PublicHTTPConfig
 
+	// AuthService configures the optional public-auth delegation to the Auth /
+	// Session Service.
+	AuthService AuthServiceConfig
+
 	// AdminHTTP configures the optional private admin listener used for metrics
 	// exposure.
 	AdminHTTP AdminHTTPConfig
@@ -766,6 +785,12 @@ func DefaultResponseSignerConfig() ResponseSignerConfig {
 	return ResponseSignerConfig{}
 }
 
+// DefaultAuthServiceConfig returns the default public-auth upstream settings.
+// The zero value keeps the built-in unavailable adapter active.
+func DefaultAuthServiceConfig() AuthServiceConfig {
+	return AuthServiceConfig{}
+}
+
 // LoadFromEnv loads Config from the process environment, applies defaults for
 // omitted settings, and validates the resulting values.
 func LoadFromEnv() (Config, error) {
@@ -773,6 +798,7 @@ func LoadFromEnv() (Config, error) {
 		ShutdownTimeout:    defaultShutdownTimeout,
 		Logging:            DefaultLoggingConfig(),
 		PublicHTTP:         DefaultPublicHTTPConfig(),
+		AuthService:        DefaultAuthServiceConfig(),
 		AdminHTTP:          DefaultAdminHTTPConfig(),
 		AuthenticatedGRPC:  DefaultAuthenticatedGRPCConfig(),
 		SessionCacheRedis:  DefaultSessionCacheRedisConfig(),
@@ -825,6 +851,11 @@ func LoadFromEnv() (Config, error) {
 	}
 	cfg.PublicHTTP.AuthUpstreamTimeout = publicAuthUpstreamTimeout
 
+	rawAuthServiceBaseURL, ok := os.LookupEnv(authServiceBaseURLEnvVar)
+	if ok {
+		cfg.AuthService.BaseURL = rawAuthServiceBaseURL
+	}
+
 	rawAdminHTTPAddr, ok := os.LookupEnv(adminHTTPAddrEnvVar)
 	if ok {
 		cfg.AdminHTTP.Addr = rawAdminHTTPAddr
@@ -1082,6 +1113,17 @@ func LoadFromEnv() (Config, error) {
 	if cfg.PublicHTTP.AuthUpstreamTimeout <= 0 {
 		return Config{}, fmt.Errorf("load gateway config: %s must be positive", publicAuthUpstreamTimeoutEnvVar)
 	}
+	cfg.AuthService.BaseURL = strings.TrimSpace(cfg.AuthService.BaseURL)
+	if cfg.AuthService.BaseURL != "" {
+		parsedAuthServiceBaseURL, err := url.Parse(cfg.AuthService.BaseURL)
+		if err != nil {
+			return Config{}, fmt.Errorf("load gateway config: parse %s: %w", authServiceBaseURLEnvVar, err)
+		}
+		if parsedAuthServiceBaseURL.Scheme == "" || parsedAuthServiceBaseURL.Host == "" {
+			return Config{}, fmt.Errorf("load gateway config: %s must be an absolute URL", authServiceBaseURLEnvVar)
+		}
+		cfg.AuthService.BaseURL = strings.TrimRight(parsedAuthServiceBaseURL.String(), "/")
+	}
 	if addr := strings.TrimSpace(cfg.AdminHTTP.Addr); addr != "" {
 		cfg.AdminHTTP.Addr = addr
 	}