feat: user service
This commit is contained in:
Ilia Denisov
@@ -45,6 +45,11 @@ const (
|
||||
// public-auth delegation.
|
||||
authServiceBaseURLEnvVar = "GATEWAY_AUTH_SERVICE_BASE_URL"
|
||||
|
||||
// userServiceBaseURLEnvVar names the environment variable that configures
|
||||
// the optional User Service internal HTTP base URL used by authenticated
|
||||
// gateway self-service delegation.
|
||||
userServiceBaseURLEnvVar = "GATEWAY_USER_SERVICE_BASE_URL"
|
||||
|
||||
// adminHTTPAddrEnvVar names the environment variable that configures the
|
||||
// private admin HTTP listener address. When it is empty, the admin listener
|
||||
// remains disabled.
|
||||
@@ -479,6 +484,15 @@ type AuthServiceConfig struct {
|
||||
BaseURL string
|
||||
}
|
||||
|
||||
// UserServiceConfig describes the optional authenticated self-service upstream
|
||||
// used by the gateway runtime.
|
||||
type UserServiceConfig struct {
|
||||
// BaseURL is the absolute base URL of the User Service internal HTTP API.
|
||||
// When BaseURL is empty, the gateway keeps using its built-in unavailable
|
||||
// downstream adapter for the reserved `user.*` routes.
|
||||
BaseURL string
|
||||
}
|
||||
|
||||
// AdminHTTPConfig describes the private operational HTTP listener used for
|
||||
// metrics exposure. The listener remains disabled when Addr is empty.
|
||||
type AdminHTTPConfig struct {
|
||||
@@ -610,6 +624,10 @@ type Config struct {
|
||||
// Session Service.
|
||||
AuthService AuthServiceConfig
|
||||
|
||||
// UserService configures the optional authenticated self-service
|
||||
// delegation to User Service.
|
||||
UserService UserServiceConfig
|
||||
|
||||
// AdminHTTP configures the optional private admin listener used for metrics
|
||||
// exposure.
|
||||
AdminHTTP AdminHTTPConfig
|
||||
@@ -791,6 +809,13 @@ func DefaultAuthServiceConfig() AuthServiceConfig {
|
||||
return AuthServiceConfig{}
|
||||
}
|
||||
|
||||
// DefaultUserServiceConfig returns the default authenticated self-service
|
||||
// upstream settings. The zero value keeps the built-in unavailable adapter
|
||||
// active for reserved `user.*` routes.
|
||||
func DefaultUserServiceConfig() UserServiceConfig {
|
||||
return UserServiceConfig{}
|
||||
}
|
||||
|
||||
// LoadFromEnv loads Config from the process environment, applies defaults for
|
||||
// omitted settings, and validates the resulting values.
|
||||
func LoadFromEnv() (Config, error) {
|
||||
@@ -799,6 +824,7 @@ func LoadFromEnv() (Config, error) {
|
||||
Logging: DefaultLoggingConfig(),
|
||||
PublicHTTP: DefaultPublicHTTPConfig(),
|
||||
AuthService: DefaultAuthServiceConfig(),
|
||||
UserService: DefaultUserServiceConfig(),
|
||||
AdminHTTP: DefaultAdminHTTPConfig(),
|
||||
AuthenticatedGRPC: DefaultAuthenticatedGRPCConfig(),
|
||||
SessionCacheRedis: DefaultSessionCacheRedisConfig(),
|
||||
@@ -856,6 +882,11 @@ func LoadFromEnv() (Config, error) {
|
||||
cfg.AuthService.BaseURL = rawAuthServiceBaseURL
|
||||
}
|
||||
|
||||
rawUserServiceBaseURL, ok := os.LookupEnv(userServiceBaseURLEnvVar)
|
||||
if ok {
|
||||
cfg.UserService.BaseURL = rawUserServiceBaseURL
|
||||
}
|
||||
|
||||
rawAdminHTTPAddr, ok := os.LookupEnv(adminHTTPAddrEnvVar)
|
||||
if ok {
|
||||
cfg.AdminHTTP.Addr = rawAdminHTTPAddr
|
||||
@@ -1124,6 +1155,17 @@ func LoadFromEnv() (Config, error) {
|
||||
}
|
||||
cfg.AuthService.BaseURL = strings.TrimRight(parsedAuthServiceBaseURL.String(), "/")
|
||||
}
|
||||
cfg.UserService.BaseURL = strings.TrimSpace(cfg.UserService.BaseURL)
|
||||
if cfg.UserService.BaseURL != "" {
|
||||
parsedUserServiceBaseURL, err := url.Parse(cfg.UserService.BaseURL)
|
||||
if err != nil {
|
||||
return Config{}, fmt.Errorf("load gateway config: parse %s: %w", userServiceBaseURLEnvVar, err)
|
||||
}
|
||||
if parsedUserServiceBaseURL.Scheme == "" || parsedUserServiceBaseURL.Host == "" {
|
||||
return Config{}, fmt.Errorf("load gateway config: %s must be an absolute URL", userServiceBaseURLEnvVar)
|
||||
}
|
||||
cfg.UserService.BaseURL = strings.TrimRight(parsedUserServiceBaseURL.String(), "/")
|
||||
}
|
||||
if addr := strings.TrimSpace(cfg.AdminHTTP.Addr); addr != "" {
|
||||
cfg.AdminHTTP.Addr = addr
|
||||
}
|
||||
|
||||
@@ -7,6 +7,7 @@ import (
|
||||
"encoding/pem"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"sync"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
@@ -14,6 +15,8 @@ import (
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
var configEnvMu sync.Mutex
|
||||
|
||||
func TestLoadFromEnv(t *testing.T) {
|
||||
customResponseSignerPrivateKeyPEMPath := new(string)
|
||||
*customResponseSignerPrivateKeyPEMPath = writeTestResponseSignerPEMFile(t)
|
||||
@@ -27,6 +30,9 @@ func TestLoadFromEnv(t *testing.T) {
|
||||
customAuthServiceBaseURL := new(string)
|
||||
*customAuthServiceBaseURL = " http://127.0.0.1:8082/ "
|
||||
|
||||
customUserServiceBaseURL := new(string)
|
||||
*customUserServiceBaseURL = " http://127.0.0.1:8083/ "
|
||||
|
||||
customAuthenticatedGRPCAddr := new(string)
|
||||
*customAuthenticatedGRPCAddr = "127.0.0.1:9191"
|
||||
|
||||
@@ -80,6 +86,7 @@ func TestLoadFromEnv(t *testing.T) {
|
||||
shutdownTimeout *string
|
||||
publicHTTPAddr *string
|
||||
authServiceBaseURL *string
|
||||
userServiceBaseURL *string
|
||||
authenticatedGRPCAddr *string
|
||||
authenticatedGRPCFreshnessWindow *string
|
||||
sessionCacheRedisAddr *string
|
||||
@@ -217,6 +224,40 @@ func TestLoadFromEnv(t *testing.T) {
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "custom user service base url",
|
||||
userServiceBaseURL: customUserServiceBaseURL,
|
||||
sessionCacheRedisAddr: customSessionCacheRedisAddr,
|
||||
responseSignerPrivateKeyPEMPath: customResponseSignerPrivateKeyPEMPath,
|
||||
want: Config{
|
||||
ShutdownTimeout: 5 * time.Second,
|
||||
Logging: DefaultLoggingConfig(),
|
||||
PublicHTTP: DefaultPublicHTTPConfig(),
|
||||
UserService: UserServiceConfig{
|
||||
BaseURL: "http://127.0.0.1:8083",
|
||||
},
|
||||
AdminHTTP: DefaultAdminHTTPConfig(),
|
||||
AuthenticatedGRPC: DefaultAuthenticatedGRPCConfig(),
|
||||
SessionCacheRedis: SessionCacheRedisConfig{
|
||||
Addr: "127.0.0.1:6379",
|
||||
DB: defaultSessionCacheRedisDB,
|
||||
KeyPrefix: defaultSessionCacheRedisKeyPrefix,
|
||||
LookupTimeout: defaultSessionCacheRedisLookupTimeout,
|
||||
},
|
||||
ReplayRedis: DefaultReplayRedisConfig(),
|
||||
SessionEventsRedis: SessionEventsRedisConfig{
|
||||
Stream: "gateway:session_events",
|
||||
ReadBlockTimeout: defaultSessionEventsRedisReadBlockTimeout,
|
||||
},
|
||||
ClientEventsRedis: ClientEventsRedisConfig{
|
||||
Stream: "gateway:client_events",
|
||||
ReadBlockTimeout: defaultClientEventsRedisReadBlockTimeout,
|
||||
},
|
||||
ResponseSigner: ResponseSignerConfig{
|
||||
PrivateKeyPEMPath: *customResponseSignerPrivateKeyPEMPath,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "custom authenticated grpc address",
|
||||
authenticatedGRPCAddr: customAuthenticatedGRPCAddr,
|
||||
@@ -368,6 +409,7 @@ func TestLoadFromEnv(t *testing.T) {
|
||||
shutdownTimeoutEnvVar,
|
||||
publicHTTPAddrEnvVar,
|
||||
authServiceBaseURLEnvVar,
|
||||
userServiceBaseURLEnvVar,
|
||||
authenticatedGRPCAddrEnvVar,
|
||||
authenticatedGRPCFreshnessWindowEnvVar,
|
||||
sessionCacheRedisAddrEnvVar,
|
||||
@@ -379,6 +421,7 @@ func TestLoadFromEnv(t *testing.T) {
|
||||
setEnvValue(t, shutdownTimeoutEnvVar, tt.shutdownTimeout)
|
||||
setEnvValue(t, publicHTTPAddrEnvVar, tt.publicHTTPAddr)
|
||||
setEnvValue(t, authServiceBaseURLEnvVar, tt.authServiceBaseURL)
|
||||
setEnvValue(t, userServiceBaseURLEnvVar, tt.userServiceBaseURL)
|
||||
setEnvValue(t, authenticatedGRPCAddrEnvVar, tt.authenticatedGRPCAddr)
|
||||
setEnvValue(t, authenticatedGRPCFreshnessWindowEnvVar, tt.authenticatedGRPCFreshnessWindow)
|
||||
setEnvValue(t, sessionCacheRedisAddrEnvVar, tt.sessionCacheRedisAddr)
|
||||
@@ -492,7 +535,7 @@ func TestLoadFromEnvOperationalSettings(t *testing.T) {
|
||||
restoreEnvs(t, append(
|
||||
append(
|
||||
append(
|
||||
append(operationalEnvVars(), sessionCacheRedisEnvVars()...),
|
||||
append(append(operationalEnvVars(), authServiceBaseURLEnvVar, userServiceBaseURLEnvVar), sessionCacheRedisEnvVars()...),
|
||||
sessionEventsRedisEnvVars()...,
|
||||
),
|
||||
clientEventsRedisEnvVars()...,
|
||||
@@ -563,6 +606,8 @@ func TestLoadFromEnvAuthService(t *testing.T) {
|
||||
|
||||
restoreEnvs(t,
|
||||
authServiceBaseURLEnvVar,
|
||||
userServiceBaseURLEnvVar,
|
||||
logLevelEnvVar,
|
||||
sessionCacheRedisAddrEnvVar,
|
||||
sessionEventsRedisStreamEnvVar,
|
||||
clientEventsRedisStreamEnvVar,
|
||||
@@ -581,6 +626,72 @@ func TestLoadFromEnvAuthService(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestLoadFromEnvUserService(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
customSessionCacheRedisAddr := new(string)
|
||||
*customSessionCacheRedisAddr = "127.0.0.1:6379"
|
||||
|
||||
customSessionEventsRedisStream := new(string)
|
||||
*customSessionEventsRedisStream = "gateway:session_events"
|
||||
|
||||
customClientEventsRedisStream := new(string)
|
||||
*customClientEventsRedisStream = "gateway:client_events"
|
||||
|
||||
customResponseSignerPrivateKeyPEMPath := new(string)
|
||||
*customResponseSignerPrivateKeyPEMPath = writeTestResponseSignerPEMFile(t)
|
||||
|
||||
invalidRelativeURL := new(string)
|
||||
*invalidRelativeURL = "/user"
|
||||
|
||||
invalidURL := new(string)
|
||||
*invalidURL = "://bad"
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
value *string
|
||||
wantErr string
|
||||
}{
|
||||
{
|
||||
name: "relative url rejected",
|
||||
value: invalidRelativeURL,
|
||||
wantErr: userServiceBaseURLEnvVar + " must be an absolute URL",
|
||||
},
|
||||
{
|
||||
name: "malformed url rejected",
|
||||
value: invalidURL,
|
||||
wantErr: "parse " + userServiceBaseURLEnvVar,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
tt := tt
|
||||
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
restoreEnvs(t,
|
||||
authServiceBaseURLEnvVar,
|
||||
userServiceBaseURLEnvVar,
|
||||
logLevelEnvVar,
|
||||
sessionCacheRedisAddrEnvVar,
|
||||
sessionEventsRedisStreamEnvVar,
|
||||
clientEventsRedisStreamEnvVar,
|
||||
responseSignerPrivateKeyPEMPathEnvVar,
|
||||
)
|
||||
setEnvValue(t, userServiceBaseURLEnvVar, tt.value)
|
||||
setEnvValue(t, sessionCacheRedisAddrEnvVar, customSessionCacheRedisAddr)
|
||||
setEnvValue(t, sessionEventsRedisStreamEnvVar, customSessionEventsRedisStream)
|
||||
setEnvValue(t, clientEventsRedisStreamEnvVar, customClientEventsRedisStream)
|
||||
setEnvValue(t, responseSignerPrivateKeyPEMPathEnvVar, customResponseSignerPrivateKeyPEMPath)
|
||||
|
||||
_, err := LoadFromEnv()
|
||||
require.Error(t, err)
|
||||
require.ErrorContains(t, err, tt.wantErr)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestLoadFromEnvAuthenticatedGRPCAntiAbuse(t *testing.T) {
|
||||
customSessionCacheRedisAddr := new(string)
|
||||
*customSessionCacheRedisAddr = "127.0.0.1:6379"
|
||||
@@ -1276,6 +1387,9 @@ func setEnvValue(t *testing.T, envVar string, value *string) {
|
||||
func restoreEnvs(t *testing.T, envVars ...string) {
|
||||
t.Helper()
|
||||
|
||||
configEnvMu.Lock()
|
||||
t.Cleanup(configEnvMu.Unlock)
|
||||
|
||||
for _, envVar := range envVars {
|
||||
restoreEnv(t, envVar)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user