pomerium / pomerium / 23316660788
52%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 687
Run time 2min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 45.608% (+0.1%) from 45.51%
23316660788

push

github

web-flow 
mcp: unify upstream OAuth flows, remove static-config parallel path (#6197)

## Summary

Removes the legacy static-config OAuth path (which ran parallel to
auto-discovery) and replaces both with a single flow driven by
`upstreamOAuthSetupOptsFromConfig`.

Key changes:
- `host_info`: `ServerHostInfo` carries `UpstreamOAuth2` config instead
of a pre-built `oauth2.Config`; old helpers removed
- Storage: legacy `*UpstreamOAuth2Token` methods removed; all token
operations go through `GetUpstreamMCPToken`/`PutUpstreamMCPToken`
- `upstream_auth`: refresh chain passes `client_secret` from config
rather than storing it per-user in `UpstreamMCPToken`
- Handlers (`connect`, `authorize`, `client_oauth_callback`,
`list_routes`): each collapses its static/auto-discovery branches into
one unified path
- `handler_oauth_callback.go` deleted — the static-config server-side
callback is superseded by `ClientOAuthCallback`
- `ListRoutes` error handling uses the request-id surfacing pattern

## Related issues

- ENG-3698

## User Explanation

Admins can now configure MCP routes with pre-registered OAuth client
credentials (`client_id`, `client_secret`, authorization/token
endpoints, scopes) as an alternative to auto-discovery.

## Checklist

- [x] reference any related issues
- [x] updated unit tests
- [ ] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [ ] ready for review

49 of 119 new or added lines in 6 files covered. (41.18%)

24 existing lines in 8 files now uncovered.

34817 of 76340 relevant lines covered (45.61%)

115.08 hits per line

Uncovered Changes

Lines Coverage File
39
36.23
 4.34% internal/mcp/handler_connect.go
13
12.71
 -4.22% internal/mcp/handler_list_routes.go
10
54.9
 -1.2% internal/mcp/handler_authorization.go
5
64.47
 4.05% internal/mcp/upstream_auth.go
3
87.5
 16.8% internal/mcp/host_info.go

Coverage Regressions

Lines Coverage File
9
80.34
 0.21% pkg/ssh/manager.go
3
57.0
 -0.74% internal/controlplane/server.go
3
87.5
 16.8% internal/mcp/host_info.go
2
92.78
 -1.11% internal/fileutil/watcher.go
2
54.9
 -1.2% internal/mcp/handler_authorization.go
2
36.23
 4.34% internal/mcp/handler_connect.go
2
94.55
 0.0% pkg/fanout/receive.go
1
82.24
 -0.2% pkg/envoy/resource_monitor_linux.go
Jobs
ID Job ID Ran Files Coverage
1 23316660788.1 687
45.61
 GitHub Action Run
Source Files on build 23316660788