stacklok / toolhive / 23863487953

01 Apr 2026 06:07PM UTC coverage: 65.611% (+0.09%) from 65.521%
push

github

web-flow
Enforce Cedar policies on upstream IDP token claims (#4448)

- Cedar policies could not reference upstream IDP claims (e.g. GitHub login, Okta groups) because the Cedar authorizer always evaluated against ToolHive-issued JWT claims, while upstream tokens stored in `identity.UpstreamTokens` were never read.
- Two additional gaps made group-based policies entirely non-functional: `Identity.Groups` was never populated despite a code comment saying authorization logic "MUST" do this extraction, and `CreatePrincipalEntity` always produced empty `Parents` sets, making `principal in THVGroup::"engineering"` always evaluate to false.
- This change wires all three gaps: adds a `PrimaryUpstreamProvider` config option to the Cedar authorizer so it can read upstream IDP token claims, adds `ExtractGroupsFromClaims` to populate groups from those claims, and updates `CreatePrincipalEntity`/`CreateEntitiesForRequest` to build the `THVGroup` parent entity hierarchy so Cedar's `in` operator works for group membership.

144 of 155 new or added lines in 5 files covered. (92.9%)

9 existing lines in 4 files now uncovered.

53614 of 81715 relevant lines covered (65.61%)

65.03 hits per line

Source File

/pkg/transport/proxy/httpsse/http_proxy.go (79.38%)


© 2026 Coveralls, Inc