stacklok / toolhive / 25511991371

07 May 2026 05:36PM UTC coverage: 64.809% (+0.01%) from 64.799%
push

github

web-flow
Expose explicit primaryUpstreamProvider for Cedar authz on VirtualMCPServer (#5199)

* Expose primaryUpstreamProvider on InlineAuthzConfig

Adds an optional primaryUpstreamProvider field to the inline authz config
on VirtualMCPServer so users with multiple upstream IDPs can pin Cedar to
a non-first provider, instead of being silently bound to whichever
upstream happens to be listed first.

Changes for issue #5197:
- Add PrimaryUpstreamProvider to InlineAuthzConfig (shared type, vMCP-only
  in practice, mirroring the SubjectProviderName precedent on the token-
  exchange and AWS-STS strategies).
- Switch the converter from unconditional first-upstream binding to an
  explicit-then-fallback resolution; both branches normalize through
  authserver.ResolveUpstreamName.
- Reject the spec with AuthServerConfigValidated=False
  (AuthzUpstreamUnknown) when the explicit name does not match any
  declared upstream — Cedar would otherwise deny every request at runtime.
- Suppress the AuthzUpstreamSelectionWarning advisory when the user has
  set the field explicitly; the auto-selection it warns about is no
  longer happening.
- Extend converter and validator tests; regenerate CRD YAMLs and API
  docs.

Existing manifests without the new field keep current behavior — the
fallback branch is unchanged for that path.

* Address code review feedback

Fixed issues from code review:
- MEDIUM: Reject explicit primaryUpstreamProvider when no embedded auth
  server is configured. The early-return direct-IdP branch in
  validateAuthzUpstreamAvailable now checks for a non-empty explicit
  name first and returns SpecValidationError with
  ConditionReasonAuthzUpstreamUnknown when set — closing the silent
  misconfiguration where the converter would forward an unresolvable
  name into Cedar config at runtime.
- MEDIUM: Update the converter block comment so it accurately describes
  both rejection paths (mismatch with declared upstreams AND explicit
  name without an embedded A... (continued)

106 of 122 new or added lines in 5 files covered. (86.89%)

37 existing lines in 5 files now uncovered.

63344 of 97739 relevant lines covered (64.81%)

59.06 hits per line

Source File                                      Coverage
/pkg/transport/proxy/httpsse/http_proxy.go       80.67%


Source Not Available
