stacklok / toolhive / 24531375418

66%

Build Type

push

github

Committed by web-flow

Commit Message

Replace groups parameter with variadic parents on entity factory (#4901)

CreatePrincipalEntity previously accepted groups []string and
internally created THVGroup entities with empty parent sets. This
caused a merge-order hazard: dynamically created THVGroup entities
overwrote any static ones loaded from entities_json, severing
parent relationships defined there (e.g. a group that is a child
of a role in a transitive hierarchy).

Refactor CreatePrincipalEntity to accept parents ...cedar.EntityUID
so callers pass pre-built parent UIDs. The function no longer inserts
separate THVGroup entities into the entity map, preserving the static
entity hierarchy from entities_json. Add the same variadic parents
parameter to CreateResourceEntity for server-scoped policies (#4769).

CreateEntitiesForRequest still converts groups to THVGroup parent UIDs
on the principal but the entity map now contains exactly 3 entries
(principal, action, resource) instead of 3+N.

E2E tested in a Kind cluster with real Okta and Entra ID tokens.
Proxy debug logs confirm the refactored entity hierarchy:

  Okta JWT: { "groups": ["Everyone", "engineering"] }
  Entra JWT: { "roles": ["mcp-admin", "developer"] }

  Both produce entityCount:3 with THVGroup parent UIDs on the
  principal entity. Cedar policies using "principal in THVGroup::..."
  evaluate correctly -- the parent UIDs are sufficient for Cedar's
  "in" operator without separate THVGroup entities in the map.

Fixes #4765

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Coverage Stats

16 of 16 new or added lines in 1 file covered. (100.0%)

39 existing lines in 4 files now uncovered.

57498 of 86989 relevant lines covered (66.1%)

62.7 hits per line