a3s-gateway 0.2.1

A3S Gateway - AI-native API gateway with reverse proxy, routing, and agent orchestration
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336

//! Middleware configuration — request/response transformation

use serde::{Deserialize, Serialize};

/// Middleware configuration
///
/// Each middleware has a type and type-specific parameters.
///
/// # Example
///
/// ```hcl
/// middlewares "auth" {
///   type   = "api-key"
///   header = "X-API-Key"
///   keys   = ["secret-key-1", "secret-key-2"]
/// }
///
/// middlewares "rate-limit" {
///   type  = "rate-limit"
///   rate  = 100
///   burst = 50
/// }
/// ```
#[derive(Debug, Clone, Serialize, Deserialize, Default)]
pub struct MiddlewareConfig {
    /// Middleware type identifier
    #[serde(rename = "type")]
    pub middleware_type: String,

    /// API key header name (for api-key auth)
    #[serde(default)]
    pub header: Option<String>,

    /// API key values (for api-key auth)
    #[serde(default)]
    pub keys: Vec<String>,

    /// Single value (for custom-header verification)
    #[serde(default)]
    pub value: Option<String>,

    /// Username (for basic-auth)
    #[serde(default)]
    pub username: Option<String>,

    /// Password (for basic-auth)
    #[serde(default)]
    pub password: Option<String>,

    /// Rate limit: requests per second
    #[serde(default)]
    pub rate: Option<u64>,

    /// Rate limit: burst size
    #[serde(default)]
    pub burst: Option<u64>,

    /// CORS: allowed origins
    #[serde(default)]
    pub allowed_origins: Vec<String>,

    /// CORS: allowed methods
    #[serde(default)]
    pub allowed_methods: Vec<String>,

    /// CORS: allowed headers
    #[serde(default)]
    pub allowed_headers: Vec<String>,

    /// CORS: max age in seconds
    #[serde(default)]
    pub max_age: Option<u64>,

    /// Headers to add to request
    #[serde(default)]
    pub request_headers: std::collections::HashMap<String, String>,

    /// Headers to add to response
    #[serde(default)]
    pub response_headers: std::collections::HashMap<String, String>,

    /// Path prefixes to strip
    #[serde(default)]
    pub prefixes: Vec<String>,

    /// Retry: max attempts
    #[serde(default)]
    pub max_retries: Option<u32>,

    /// Retry: interval in milliseconds
    #[serde(default)]
    pub retry_interval_ms: Option<u64>,

    /// IP allowlist
    #[serde(default)]
    pub allowed_ips: Vec<String>,

    /// Forward auth: URL of the external authentication service
    #[serde(default)]
    pub forward_auth_url: Option<String>,

    /// Forward auth: headers to copy from auth response to upstream request
    #[serde(default)]
    pub forward_auth_response_headers: Vec<String>,

    /// Redis URL for distributed rate limiting (e.g., "redis://127.0.0.1:6379")
    #[serde(default)]
    pub redis_url: Option<String>,

    /// Maximum request body size in bytes (for body-limit middleware)
    #[serde(default)]
    pub max_body_bytes: Option<u64>,

    /// Circuit breaker: number of consecutive failures before opening
    #[serde(default)]
    pub failure_threshold: Option<u32>,

    /// Circuit breaker: seconds the circuit stays open before trying half-open
    #[serde(default)]
    pub cooldown_secs: Option<u64>,

    /// Circuit breaker: number of successes in half-open state to close the circuit
    #[serde(default)]
    pub success_threshold: Option<u32>,
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_parse_api_key_middleware() {
        let hcl = r#"
            type = "api-key"
            header = "X-API-Key"
            keys = ["key1", "key2"]
        "#;
        let mw: MiddlewareConfig = hcl::from_str(hcl).unwrap();
        assert_eq!(mw.middleware_type, "api-key");
        assert_eq!(mw.header.unwrap(), "X-API-Key");
        assert_eq!(mw.keys, vec!["key1", "key2"]);
    }

    #[test]
    fn test_parse_rate_limit_middleware() {
        let hcl = r#"
            type = "rate-limit"
            rate = 100
            burst = 50
        "#;
        let mw: MiddlewareConfig = hcl::from_str(hcl).unwrap();
        assert_eq!(mw.middleware_type, "rate-limit");
        assert_eq!(mw.rate.unwrap(), 100);
        assert_eq!(mw.burst.unwrap(), 50);
    }

    #[test]
    fn test_parse_cors_middleware() {
        let hcl = r#"
            type = "cors"
            allowed_origins = ["https://example.com", "https://app.example.com"]
            allowed_methods = ["GET", "POST", "PUT"]
            allowed_headers = ["Content-Type", "Authorization"]
            max_age = 3600
        "#;
        let mw: MiddlewareConfig = hcl::from_str(hcl).unwrap();
        assert_eq!(mw.middleware_type, "cors");
        assert_eq!(mw.allowed_origins.len(), 2);
        assert_eq!(mw.allowed_methods.len(), 3);
        assert_eq!(mw.max_age.unwrap(), 3600);
    }

    #[test]
    fn test_parse_headers_middleware() {
        let hcl = r#"
            type = "headers"
            request_headers = {
                "X-Forwarded-Proto" = "https"
            }
            response_headers = {
                "X-Frame-Options" = "DENY"
            }
        "#;
        let mw: MiddlewareConfig = hcl::from_str(hcl).unwrap();
        assert_eq!(mw.middleware_type, "headers");
        assert_eq!(mw.request_headers["X-Forwarded-Proto"], "https");
        assert_eq!(mw.response_headers["X-Frame-Options"], "DENY");
    }

    #[test]
    fn test_parse_strip_prefix_middleware() {
        let hcl = r#"
            type = "strip-prefix"
            prefixes = ["/api/v1", "/api/v2"]
        "#;
        let mw: MiddlewareConfig = hcl::from_str(hcl).unwrap();
        assert_eq!(mw.middleware_type, "strip-prefix");
        assert_eq!(mw.prefixes, vec!["/api/v1", "/api/v2"]);
    }

    #[test]
    fn test_parse_basic_auth_middleware() {
        let hcl = r#"
            type = "basic-auth"
            username = "admin"
            password = "secret"
        "#;
        let mw: MiddlewareConfig = hcl::from_str(hcl).unwrap();
        assert_eq!(mw.middleware_type, "basic-auth");
        assert_eq!(mw.username.unwrap(), "admin");
        assert_eq!(mw.password.unwrap(), "secret");
    }

    #[test]
    fn test_parse_ip_allow_middleware() {
        let hcl = r#"
            type = "ip-allow"
            allowed_ips = ["192.168.1.0/24", "10.0.0.1"]
        "#;
        let mw: MiddlewareConfig = hcl::from_str(hcl).unwrap();
        assert_eq!(mw.middleware_type, "ip-allow");
        assert_eq!(mw.allowed_ips.len(), 2);
    }

    #[test]
    fn test_parse_retry_middleware() {
        let hcl = r#"
            type = "retry"
            max_retries = 3
            retry_interval_ms = 500
        "#;
        let mw: MiddlewareConfig = hcl::from_str(hcl).unwrap();
        assert_eq!(mw.middleware_type, "retry");
        assert_eq!(mw.max_retries.unwrap(), 3);
        assert_eq!(mw.retry_interval_ms.unwrap(), 500);
    }

    #[test]
    fn test_parse_forward_auth_middleware() {
        let hcl = r#"
            type = "forward-auth"
            forward_auth_url = "http://auth.internal:9090/verify"
            forward_auth_response_headers = ["X-User-Id", "X-User-Role"]
        "#;
        let mw: MiddlewareConfig = hcl::from_str(hcl).unwrap();
        assert_eq!(mw.middleware_type, "forward-auth");
        assert_eq!(
            mw.forward_auth_url.unwrap(),
            "http://auth.internal:9090/verify"
        );
        assert_eq!(mw.forward_auth_response_headers.len(), 2);
    }

    #[test]
    fn test_parse_body_limit_middleware() {
        let hcl = r#"
            type = "body-limit"
            max_body_bytes = 1048576
        "#;
        let mw: MiddlewareConfig = hcl::from_str(hcl).unwrap();
        assert_eq!(mw.middleware_type, "body-limit");
        assert_eq!(mw.max_body_bytes.unwrap(), 1_048_576);
    }

    #[test]
    fn test_parse_rate_limit_redis_middleware() {
        let hcl = r#"
            type = "rate-limit-redis"
            rate = 200
            burst = 100
            redis_url = "redis://127.0.0.1:6379"
        "#;
        let mw: MiddlewareConfig = hcl::from_str(hcl).unwrap();
        assert_eq!(mw.middleware_type, "rate-limit-redis");
        assert_eq!(mw.redis_url.unwrap(), "redis://127.0.0.1:6379");
        assert_eq!(mw.rate.unwrap(), 200);
    }

    #[test]
    fn test_middleware_defaults() {
        let hcl = r#"
            type = "noop"
        "#;
        let mw: MiddlewareConfig = hcl::from_str(hcl).unwrap();
        assert!(mw.header.is_none());
        assert!(mw.keys.is_empty());
        assert!(mw.rate.is_none());
        assert!(mw.burst.is_none());
        assert!(mw.allowed_origins.is_empty());
        assert!(mw.request_headers.is_empty());
        assert!(mw.prefixes.is_empty());
        assert!(mw.allowed_ips.is_empty());
        assert!(mw.forward_auth_url.is_none());
        assert!(mw.forward_auth_response_headers.is_empty());
        assert!(mw.redis_url.is_none());
        assert!(mw.max_body_bytes.is_none());
    }

    #[test]
    fn test_parse_circuit_breaker_middleware() {
        let hcl = r#"
            type = "circuit-breaker"
            failure_threshold = 3
            cooldown_secs = 60
            success_threshold = 2
        "#;
        let mw: MiddlewareConfig = hcl::from_str(hcl).unwrap();
        assert_eq!(mw.middleware_type, "circuit-breaker");
        assert_eq!(mw.failure_threshold.unwrap(), 3);
        assert_eq!(mw.cooldown_secs.unwrap(), 60);
        assert_eq!(mw.success_threshold.unwrap(), 2);
    }

    #[test]
    fn test_parse_circuit_breaker_defaults() {
        let hcl = r#"type = "circuit-breaker""#;
        let mw: MiddlewareConfig = hcl::from_str(hcl).unwrap();
        assert!(mw.failure_threshold.is_none());
        assert!(mw.cooldown_secs.is_none());
        assert!(mw.success_threshold.is_none());
    }

    #[test]
    fn test_middleware_config_default_impl() {
        let config = MiddlewareConfig::default();
        assert!(config.middleware_type.is_empty());
        assert!(config.header.is_none());
        assert!(config.keys.is_empty());
        assert!(config.forward_auth_url.is_none());
        assert!(config.max_body_bytes.is_none());
        assert!(config.redis_url.is_none());
        assert!(config.failure_threshold.is_none());
        assert!(config.cooldown_secs.is_none());
        assert!(config.success_threshold.is_none());
    }
}