feat: edge gateway service

gateway/internal/replay/redis.go

@@ -0,0 +1,131 @@
+package replay
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"strings"
+	"time"
+
+	"galaxy/gateway/internal/config"
+
+	"github.com/redis/go-redis/v9"
+)
+
+// RedisStore implements Store with Redis SETNX reservations over a dedicated
+// key namespace.
+type RedisStore struct {
+	client         *redis.Client
+	keyPrefix      string
+	reserveTimeout time.Duration
+}
+
+// NewRedisStore constructs a Redis-backed replay store that reuses the
+// SessionCache Redis deployment settings and applies the replay-specific key
+// namespace and timeout controls from replayCfg.
+func NewRedisStore(sessionCfg config.SessionCacheRedisConfig, replayCfg config.ReplayRedisConfig) (*RedisStore, error) {
+	if strings.TrimSpace(sessionCfg.Addr) == "" {
+		return nil, errors.New("new redis replay store: redis addr must not be empty")
+	}
+	if sessionCfg.DB < 0 {
+		return nil, errors.New("new redis replay store: redis db must not be negative")
+	}
+	if strings.TrimSpace(replayCfg.KeyPrefix) == "" {
+		return nil, errors.New("new redis replay store: replay key prefix must not be empty")
+	}
+	if replayCfg.ReserveTimeout <= 0 {
+		return nil, errors.New("new redis replay store: reserve timeout must be positive")
+	}
+
+	options := &redis.Options{
+		Addr:            sessionCfg.Addr,
+		Username:        sessionCfg.Username,
+		Password:        sessionCfg.Password,
+		DB:              sessionCfg.DB,
+		Protocol:        2,
+		DisableIdentity: true,
+	}
+	if sessionCfg.TLSEnabled {
+		options.TLSConfig = &tls.Config{MinVersion: tls.VersionTLS12}
+	}
+
+	return &RedisStore{
+		client:         redis.NewClient(options),
+		keyPrefix:      replayCfg.KeyPrefix,
+		reserveTimeout: replayCfg.ReserveTimeout,
+	}, nil
+}
+
+// Close releases the underlying Redis client resources.
+func (s *RedisStore) Close() error {
+	if s == nil || s.client == nil {
+		return nil
+	}
+
+	return s.client.Close()
+}
+
+// Ping verifies that the configured Redis backend is reachable within the
+// replay reserve timeout budget.
+func (s *RedisStore) Ping(ctx context.Context) error {
+	if s == nil || s.client == nil {
+		return errors.New("ping redis replay store: nil store")
+	}
+	if ctx == nil {
+		return errors.New("ping redis replay store: nil context")
+	}
+
+	pingCtx, cancel := context.WithTimeout(ctx, s.reserveTimeout)
+	defer cancel()
+
+	if err := s.client.Ping(pingCtx).Err(); err != nil {
+		return fmt.Errorf("ping redis replay store: %w", err)
+	}
+
+	return nil
+}
+
+// Reserve records the authenticated deviceSessionID and requestID pair for
+// ttl. It rejects duplicates while the reservation remains active.
+func (s *RedisStore) Reserve(ctx context.Context, deviceSessionID string, requestID string, ttl time.Duration) error {
+	if s == nil || s.client == nil {
+		return errors.New("reserve replay request in redis: nil store")
+	}
+	if ctx == nil {
+		return errors.New("reserve replay request in redis: nil context")
+	}
+	if strings.TrimSpace(deviceSessionID) == "" {
+		return errors.New("reserve replay request in redis: empty device session id")
+	}
+	if strings.TrimSpace(requestID) == "" {
+		return errors.New("reserve replay request in redis: empty request id")
+	}
+	if ttl <= 0 {
+		return errors.New("reserve replay request in redis: ttl must be positive")
+	}
+
+	reserveCtx, cancel := context.WithTimeout(ctx, s.reserveTimeout)
+	defer cancel()
+
+	reserved, err := s.client.SetNX(reserveCtx, s.reservationKey(deviceSessionID, requestID), "1", ttl).Result()
+	if err != nil {
+		return fmt.Errorf("reserve replay request in redis: %w", err)
+	}
+	if !reserved {
+		return fmt.Errorf("reserve replay request in redis: %w", ErrDuplicate)
+	}
+
+	return nil
+}
+
+func (s *RedisStore) reservationKey(deviceSessionID string, requestID string) string {
+	return s.keyPrefix + encodeKeyComponent(deviceSessionID) + ":" + encodeKeyComponent(requestID)
+}
+
+func encodeKeyComponent(value string) string {
+	return base64.RawURLEncoding.EncodeToString([]byte(value))
+}
+
+var _ Store = (*RedisStore)(nil)

gateway/internal/replay/redis_test.go

@@ -0,0 +1,254 @@
+package replay
+
+import (
+	"context"
+	"errors"
+	"net"
+	"testing"
+	"time"
+
+	"galaxy/gateway/internal/config"
+
+	"github.com/alicebob/miniredis/v2"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewRedisStore(t *testing.T) {
+	t.Parallel()
+
+	server := miniredis.RunT(t)
+
+	tests := []struct {
+		name       string
+		sessionCfg config.SessionCacheRedisConfig
+		replayCfg  config.ReplayRedisConfig
+		wantErr    string
+	}{
+		{
+			name: "valid config",
+			sessionCfg: config.SessionCacheRedisConfig{
+				Addr: server.Addr(),
+				DB:   2,
+			},
+			replayCfg: config.ReplayRedisConfig{
+				KeyPrefix:      "gateway:replay:",
+				ReserveTimeout: 250 * time.Millisecond,
+			},
+		},
+		{
+			name: "empty redis addr",
+			replayCfg: config.ReplayRedisConfig{
+				KeyPrefix:      "gateway:replay:",
+				ReserveTimeout: 250 * time.Millisecond,
+			},
+			wantErr: "redis addr must not be empty",
+		},
+		{
+			name: "negative redis db",
+			sessionCfg: config.SessionCacheRedisConfig{
+				Addr: server.Addr(),
+				DB:   -1,
+			},
+			replayCfg: config.ReplayRedisConfig{
+				KeyPrefix:      "gateway:replay:",
+				ReserveTimeout: 250 * time.Millisecond,
+			},
+			wantErr: "redis db must not be negative",
+		},
+		{
+			name: "empty replay key prefix",
+			sessionCfg: config.SessionCacheRedisConfig{
+				Addr: server.Addr(),
+			},
+			replayCfg: config.ReplayRedisConfig{
+				ReserveTimeout: 250 * time.Millisecond,
+			},
+			wantErr: "replay key prefix must not be empty",
+		},
+		{
+			name: "non-positive reserve timeout",
+			sessionCfg: config.SessionCacheRedisConfig{
+				Addr: server.Addr(),
+			},
+			replayCfg: config.ReplayRedisConfig{
+				KeyPrefix: "gateway:replay:",
+			},
+			wantErr: "reserve timeout must be positive",
+		},
+	}
+
+	for _, tt := range tests {
+		tt := tt
+
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			store, err := NewRedisStore(tt.sessionCfg, tt.replayCfg)
+			if tt.wantErr != "" {
+				require.Error(t, err)
+				require.ErrorContains(t, err, tt.wantErr)
+				return
+			}
+
+			require.NoError(t, err)
+			t.Cleanup(func() {
+				assert.NoError(t, store.Close())
+			})
+		})
+	}
+}
+
+func TestRedisStorePing(t *testing.T) {
+	t.Parallel()
+
+	server := miniredis.RunT(t)
+	store := newTestRedisStore(t, server, config.SessionCacheRedisConfig{}, config.ReplayRedisConfig{})
+
+	require.NoError(t, store.Ping(context.Background()))
+}
+
+func TestRedisStoreReserve(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name            string
+		sessionCfg      config.SessionCacheRedisConfig
+		replayCfg       config.ReplayRedisConfig
+		deviceSessionID string
+		requestID       string
+		ttl             time.Duration
+		secondReserve   func(*testing.T, Store)
+		wantErrIs       error
+		wantErrText     string
+	}{
+		{
+			name:            "first reservation succeeds",
+			deviceSessionID: "device-session-123",
+			requestID:       "request-123",
+			ttl:             5 * time.Second,
+		},
+		{
+			name:            "duplicate reservation is rejected",
+			deviceSessionID: "device-session-123",
+			requestID:       "request-123",
+			ttl:             5 * time.Second,
+			secondReserve: func(t *testing.T, store Store) {
+				t.Helper()
+				err := store.Reserve(context.Background(), "device-session-123", "request-123", 5*time.Second)
+				require.ErrorIs(t, err, ErrDuplicate)
+			},
+		},
+		{
+			name:            "same request id in distinct sessions does not collide",
+			deviceSessionID: "device-session-123",
+			requestID:       "request-123",
+			ttl:             5 * time.Second,
+			secondReserve: func(t *testing.T, store Store) {
+				t.Helper()
+				require.NoError(t, store.Reserve(context.Background(), "device-session-456", "request-123", 5*time.Second))
+			},
+		},
+		{
+			name:        "empty device session id",
+			requestID:   "request-123",
+			ttl:         5 * time.Second,
+			wantErrText: "empty device session id",
+		},
+		{
+			name:            "empty request id",
+			deviceSessionID: "device-session-123",
+			ttl:             5 * time.Second,
+			wantErrText:     "empty request id",
+		},
+		{
+			name:            "non-positive ttl",
+			deviceSessionID: "device-session-123",
+			requestID:       "request-123",
+			wantErrText:     "ttl must be positive",
+		},
+	}
+
+	for _, tt := range tests {
+		tt := tt
+
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			server := miniredis.RunT(t)
+			store := newTestRedisStore(t, server, tt.sessionCfg, tt.replayCfg)
+
+			err := store.Reserve(context.Background(), tt.deviceSessionID, tt.requestID, tt.ttl)
+			if tt.wantErrIs != nil || tt.wantErrText != "" {
+				require.Error(t, err)
+				if tt.wantErrIs != nil {
+					require.ErrorIs(t, err, tt.wantErrIs)
+				}
+				if tt.wantErrText != "" {
+					require.ErrorContains(t, err, tt.wantErrText)
+				}
+				return
+			}
+
+			require.NoError(t, err)
+			if tt.secondReserve != nil {
+				tt.secondReserve(t, store)
+			}
+		})
+	}
+}
+
+func TestRedisStoreReserveReturnsBackendError(t *testing.T) {
+	t.Parallel()
+
+	store, err := NewRedisStore(
+		config.SessionCacheRedisConfig{Addr: unusedTCPAddr(t)},
+		config.ReplayRedisConfig{
+			KeyPrefix:      "gateway:replay:",
+			ReserveTimeout: 100 * time.Millisecond,
+		},
+	)
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		assert.NoError(t, store.Close())
+	})
+
+	err = store.Reserve(context.Background(), "device-session-123", "request-123", 5*time.Second)
+	require.Error(t, err)
+	assert.False(t, errors.Is(err, ErrDuplicate))
+	assert.ErrorContains(t, err, "reserve replay request in redis")
+}
+
+func newTestRedisStore(t *testing.T, server *miniredis.Miniredis, sessionCfg config.SessionCacheRedisConfig, replayCfg config.ReplayRedisConfig) *RedisStore {
+	t.Helper()
+
+	if sessionCfg.Addr == "" {
+		sessionCfg.Addr = server.Addr()
+	}
+	if replayCfg.KeyPrefix == "" {
+		replayCfg.KeyPrefix = "gateway:replay:"
+	}
+	if replayCfg.ReserveTimeout == 0 {
+		replayCfg.ReserveTimeout = 250 * time.Millisecond
+	}
+
+	store, err := NewRedisStore(sessionCfg, replayCfg)
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		assert.NoError(t, store.Close())
+	})
+
+	return store
+}
+
+func unusedTCPAddr(t *testing.T) string {
+	t.Helper()
+
+	listener, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+
+	addr := listener.Addr().String()
+	require.NoError(t, listener.Close())
+
+	return addr
+}

gateway/internal/replay/replay.go

@@ -0,0 +1,24 @@
+// Package replay defines the authenticated replay-reservation contract used by
+// the gateway transport pipeline.
+package replay
+
+import (
+	"context"
+	"errors"
+	"time"
+)
+
+var (
+	// ErrDuplicate reports that the request identifier has already been
+	// reserved for the same device session within the active replay window.
+	ErrDuplicate = errors.New("replay reservation already exists")
+)
+
+// Store reserves authenticated transport request identifiers for a bounded
+// replay window.
+type Store interface {
+	// Reserve marks the deviceSessionID and requestID pair as seen for ttl.
+	// Implementations must wrap ErrDuplicate when the same pair is reserved
+	// again before ttl expires.
+	Reserve(ctx context.Context, deviceSessionID string, requestID string, ttl time.Duration) error
+}