gateway_runtime/

defaults.rs

//! # Default Handlers
//!
//! This module provides standard implementations for common gateway hooks, offering sane defaults
//! that cover most use cases.
//!
//! ## Components
//! -   `default_error_handler`: Returns simple JSON error responses.
//! -   `default_metadata_annotator`: Injects standard metadata like Request ID and Client IP.
//! -   `default_response_modifier`: Honors the `x-http-code` header for status code overrides.
//! -   `default_incoming_header_matcher`: Filters `Authorization`, `x-request-id` (security) and renames `Refresh`.
//! -   `default_outgoing_header_matcher`: Lowercases all headers.
//! -   `default_auth_verifier`: Basic API Key presence check.

use crate::alloc::string::{String, ToString};
use crate::errors::GatewayError;
use crate::router::{AuthLocation, RouteMetadata};
use crate::{GatewayRequest, GatewayResponse};
use http::StatusCode;
use http_body_util::BodyExt;
use tonic::metadata::MetadataMap;

/// A custom HTTP error handler that returns JSON error responses.
///
/// This handler maps gRPC status codes to HTTP status codes and returns a JSON body
/// with the error details.
pub fn default_error_handler(_req: &GatewayRequest, err: GatewayError) -> GatewayResponse {
    let status = match &err {
        GatewayError::Upstream(s) => crate::errors::map_code_to_status(s.code()),
        GatewayError::Http(_) => StatusCode::INTERNAL_SERVER_ERROR,
        GatewayError::Custom(s, _) => *s,
        GatewayError::MethodNotAllowed => StatusCode::METHOD_NOT_ALLOWED,
        GatewayError::NotFound => StatusCode::NOT_FOUND,
        GatewayError::Encoding(_) => StatusCode::BAD_REQUEST,
    };

    #[derive(serde::Serialize)]
    struct ErrorMessage {
        message: String,
        status_code: u16,
        title: String,
    }

    let msg = ErrorMessage {
        message: err.to_string(),
        status_code: status.as_u16(),
        title: "Error".to_string(),
    };

    let body_bytes = serde_json::to_vec(&msg).unwrap_or_default();
    let body = http_body_util::BodyExt::boxed_unsync(
        http_body_util::Full::new(crate::bytes::Bytes::from(body_bytes))
            .map_err(|_| unreachable!()),
    );

    http::Response::builder()
        .status(status)
        .header("Content-Type", "application/json")
        .body(body)
        .unwrap()
}

/// A metadata annotator that injects request context information.
///
/// This annotator:
/// 1. Generates and injects a unique request ID (`x-request-id`).
///    - It assumes incoming `x-request-id` headers have been stripped by the `HeaderLayer`
///      to ensure the ID is trusted and generated by the gateway.
/// 2. Injects the gateway IP as `x-gateway-ip` (placeholder).
pub fn default_metadata_annotator(_req: &GatewayRequest) -> MetadataMap {
    let mut map = MetadataMap::new();

    // 1. Request ID Generation
    // We strictly generate a new ID.
    #[cfg(feature = "std")]
    {
        // Simple ID generation using timestamp + random-ish suffix (or just nanoseconds for now)
        // In a real production system, use the `uuid` crate.
        let req_id = format!(
            "req-{}",
            std::time::SystemTime::now()
                .duration_since(std::time::UNIX_EPOCH)
                .unwrap_or_default()
                .as_nanos()
        );
        if let Ok(v) = tonic::metadata::MetadataValue::try_from(req_id.as_str()) {
            map.insert("x-request-id", v);
        }
    }

    // 2. Gateway IP (Placeholder)
    map.insert(
        "x-gateway-ip",
        tonic::metadata::MetadataValue::from_static("127.0.0.1"),
    );

    map
}

/// A response modifier that sets the HTTP status code based on the `x-http-code` header.
pub fn default_response_modifier(_req: &GatewayRequest, resp: &mut GatewayResponse) {
    if let Some(val) = resp.headers().get("x-http-code") {
        if let Ok(s) = val.to_str() {
            if let Ok(code) = s.parse::<u16>() {
                if let Ok(status) = StatusCode::from_u16(code) {
                    *resp.status_mut() = status;
                }
            }
        }
        resp.headers_mut().remove("x-http-code");
        resp.headers_mut()
            .remove("grpc-metadata-x-http-status-code");
    }
}

/// An incoming header matcher that filters specific headers.
///
/// - "authorization": Dropped (Security).
/// - "x-request-id": Dropped (Security - ensure we generate our own).
/// - "refresh": Renamed to "x-refresh-token".
/// - Other: Kept as is.
pub fn default_incoming_header_matcher(key: &str) -> Option<String> {
    let key_lower = key.to_lowercase();
    match key_lower.as_str() {
        "authorization" => None,
        "x-request-id" => None, // Strip incoming request IDs
        "refresh" => Some("x-refresh-token".to_string()),
        _ => Some(key_lower),
    }
}

/// An outgoing header matcher that passes through all headers lowercased.
pub fn default_outgoing_header_matcher(key: &str) -> Option<String> {
    Some(key.to_lowercase())
}

/// A default authentication verifier.
///
/// Checks if the route requires an API Key and verifies its presence in the configured location.
/// Note: This implementation only checks for *presence*, not validity of the key value.
///
/// # Errors
/// Returns `GatewayError::Upstream` with `Unauthenticated` status if the key is missing.
pub fn default_auth_verifier(
    req: &GatewayRequest,
    metadata: &RouteMetadata,
) -> Result<(), GatewayError> {
    if let Some(auth_config) = &metadata.auth_required {
        // Only checking ApiKey for now as per requirement
        if auth_config.scheme == "ApiKey" {
            let present = match auth_config.location {
                AuthLocation::Header => req.headers().contains_key(&auth_config.name),
                AuthLocation::Query => {
                    if let Some(query) = req.uri().query() {
                        // Simple substring check for query param key presence
                        // Robust implementation would parse query string
                        query.contains(&format!("{}=", auth_config.name))
                    } else {
                        false
                    }
                }
                AuthLocation::Cookie => {
                    if let Some(cookie_header) = req.headers().get(http::header::COOKIE) {
                        if let Ok(s) = cookie_header.to_str() {
                            s.contains(&format!("{}=", auth_config.name))
                        } else {
                            false
                        }
                    } else {
                        false
                    }
                }
            };

            if !present {
                return Err(GatewayError::Upstream(tonic::Status::unauthenticated(
                    format!("Missing authentication: {}", auth_config.name),
                )));
            }
        }
    }
    Ok(())
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::alloc::vec::Vec;
    use crate::router::{AuthConfig, RouteMetadata};

    #[test]
    fn test_default_incoming_header_matcher() {
        assert_eq!(default_incoming_header_matcher("Authorization"), None);
        assert_eq!(default_incoming_header_matcher("x-request-id"), None);
        assert_eq!(
            default_incoming_header_matcher("REFRESH"),
            Some("x-refresh-token".to_string())
        );
        assert_eq!(
            default_incoming_header_matcher("X-Custom"),
            Some("x-custom".to_string())
        );
    }

    #[test]
    fn test_default_outgoing_header_matcher() {
        assert_eq!(
            default_outgoing_header_matcher("Authorization"),
            Some("authorization".to_string())
        );
    }

    #[test]
    fn test_default_metadata_annotator() {
        let req = http::Request::builder().body(Vec::new()).unwrap();
        let md = default_metadata_annotator(&req);
        // Check injected
        assert!(md.get("x-request-id").is_some());
        assert_eq!(
            md.get("x-gateway-ip").unwrap().to_str().unwrap(),
            "127.0.0.1"
        );
    }

    #[test]
    fn test_default_response_modifier() {
        let req = http::Request::builder().body(Vec::new()).unwrap();
        let mut resp = http::Response::builder()
            .header("x-http-code", "418")
            .body(BodyExt::boxed_unsync(
                http_body_util::Full::new(crate::bytes::Bytes::new()).map_err(|_| unreachable!()),
            ))
            .unwrap();

        default_response_modifier(&req, &mut resp);
        assert_eq!(resp.status(), StatusCode::IM_A_TEAPOT);
        assert!(resp.headers().get("x-http-code").is_none());
    }

    #[test]
    fn test_default_response_modifier_invalid() {
        let req = http::Request::builder().body(Vec::new()).unwrap();
        let mut resp = http::Response::builder()
            .status(StatusCode::OK)
            .header("x-http-code", "invalid")
            .body(BodyExt::boxed_unsync(
                http_body_util::Full::new(crate::bytes::Bytes::new()).map_err(|_| unreachable!()),
            ))
            .unwrap();

        default_response_modifier(&req, &mut resp);
        assert_eq!(resp.status(), StatusCode::OK);
        // Should remove header anyway? Implementation removes it.
        assert!(resp.headers().get("x-http-code").is_none());
    }

    #[test]
    fn test_default_error_handler_not_found() {
        let req = http::Request::builder().body(Vec::new()).unwrap();
        let err = GatewayError::NotFound;
        let resp = default_error_handler(&req, err);
        assert_eq!(resp.status(), StatusCode::NOT_FOUND);
    }

    #[test]
    fn test_default_error_handler_method_not_allowed() {
        let req = http::Request::builder().body(Vec::new()).unwrap();
        let err = GatewayError::MethodNotAllowed;
        let resp = default_error_handler(&req, err);
        assert_eq!(resp.status(), StatusCode::METHOD_NOT_ALLOWED);
    }

    #[test]
    fn test_default_error_handler_upstream() {
        let req = http::Request::builder().body(Vec::new()).unwrap();
        let err = GatewayError::Upstream(tonic::Status::invalid_argument("invalid"));
        let resp = default_error_handler(&req, err);
        assert_eq!(resp.status(), StatusCode::BAD_REQUEST);
    }

    #[test]
    fn test_default_error_handler_json_body() {
        let req = http::Request::builder().body(Vec::new()).unwrap();
        let err = GatewayError::NotFound;
        let resp = default_error_handler(&req, err);
        assert_eq!(
            resp.headers().get("content-type").unwrap(),
            "application/json"
        );
    }

    #[test]
    fn test_default_auth_verifier_header() {
        let req = http::Request::builder()
            .header("X-API-KEY", "secret")
            .body(Vec::new())
            .unwrap();
        let meta = RouteMetadata {
            auth_required: Some(AuthConfig {
                scheme: "ApiKey".to_string(),
                location: AuthLocation::Header,
                name: "X-API-KEY".to_string(),
            }),
        };
        assert!(default_auth_verifier(&req, &meta).is_ok());
    }

    #[test]
    fn test_default_auth_verifier_missing() {
        let req = http::Request::builder().body(Vec::new()).unwrap();
        let meta = RouteMetadata {
            auth_required: Some(AuthConfig {
                scheme: "ApiKey".to_string(),
                location: AuthLocation::Header,
                name: "X-API-KEY".to_string(),
            }),
        };
        assert!(default_auth_verifier(&req, &meta).is_err());
    }

    #[test]
    fn test_default_auth_verifier_none_required() {
        let req = http::Request::builder().body(Vec::new()).unwrap();
        let meta = RouteMetadata::default();
        assert!(default_auth_verifier(&req, &meta).is_ok());
    }
}