stacklok / toolhive / build 25860163109
Coverage badge: 66%

Build:
Default branch: main
Ran 14 May 2026 12:38PM UTC
Jobs: 1
Files: 730
Run time: 2min
Coverage at 14 May 2026 12:32PM UTC: 65.346% (+0.02% from 65.324%)
Build 25860163109, triggered by push (github), committer: web-flow

Commit: Add identityFromToken to MCPExternalAuthConfig CRD (#5269)

Some OAuth2 upstream providers do not expose a usable userinfo
endpoint but include user identity in the token response itself
(e.g. Slack's `authed_user.id`, or Snowflake's `username` reachable
via the gjson `@upstreamjwt` modifier on the embedded access token).
Add an `identityFromToken` block on `OAuth2UpstreamConfig` that
lets operators map subject, name, and email to gjson dot-notation
paths into the token-endpoint response body.

The new type lives alongside `TokenResponseMapping` and
`UserInfoConfig`; doc comments cross-reference the blocks so
operators can find the right one for their provider. The
trust-model warning lives both on the `IdentityFromTokenConfig`
type and inline on `SubjectPath` so it surfaces in the field-by-
field reference (kubectl explain, generated API docs): claims read
from the token response are trusted only via TLS, not
cryptographically verified — prefer OIDC ID tokens when verifiable
claims are required. The same caveat applies to the `@upstreamjwt`
modifier, which performs no signature verification. Subject
uniqueness is scoped to the upstream provider entry; use distinct
providers for distinct trust domains.

Admission validation:

- SubjectPath: required, MinLength=1, MaxLength=256.
- NamePath, EmailPath: optional, MinLength=1, MaxLength=256
  (omit the field rather than setting it to an empty string).
- Reconcile-time: a new `validateOAuth2UpstreamConfig` helper
  rejects empty SubjectPath when the block is set, with errors
  scoped to `oauth2Config[.field]` so callers wrap with their
  own outer scope — matching the contract of
  `ValidateOAuth2DCRConfig`.

Coexistence with `UserInfo` and `TokenResponseMapping` is allowed
at admission; runtime priority is decided by the embedded auth
server in a later commit.

`SyntheticIdentityUpstreams()` — the predicate driving the
`ConditionTypeIdentitySynthesized` advisory — now also skips
upstreams configured with ... (continued)
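As an added example (not code from the commit, the PR, or toolhive itself), the following Go program does what the description outlines: it resolves subject, name and email from a token-endpoint response body by dot-notation path, with an `@upstreamjwt`-style segment that base64url-decodes the claims of an embedded JWT without verifying its signature. The path walker is a toy stand-in for gjson (object keys only; writing `@upstreamjwt` as a path segment is an assumed syntax), the type and function names are mine, only the empty-subjectPath rule from the admission list is enforced in code, and the Slack- and Snowflake-shaped responses are constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// IdentityFromToken stands in for the CRD block the commit message describes (not
// toolhive's type); an empty NamePath or EmailPath means the optional field was omitted.
type IdentityFromToken struct{ SubjectPath, NamePath, EmailPath string }

// Identity is the resolved result; Subject is unique only within one provider entry.
type Identity struct{ Subject, Name, Email string }

// unverifiedClaims decodes a JWT payload WITHOUT checking the signature, which is
// what the commit message says @upstreamjwt does: the claims are trusted via TLS only.
func unverifiedClaims(jwt string) (map[string]interface{}, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return nil, errors.New("@upstreamjwt: value is not a compact JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	var claims map[string]interface{}
	if err == nil {
		err = json.Unmarshal(raw, &claims)
	}
	if err != nil {
		return nil, fmt.Errorf("@upstreamjwt: bad payload: %w", err)
	}
	return claims, nil
}

// lookup walks a dot-separated path of object keys (a toy stand-in for gjson; "@upstreamjwt"
// as a path segment is assumed syntax) and requires a non-empty string at the end, so a
// mistyped path fails closed instead of yielding an empty subject.
func lookup(doc interface{}, path string) (string, error) {
	cur := doc
	for _, seg := range strings.Split(path, ".") {
		var err error
		if seg == "@upstreamjwt" {
			s, _ := cur.(string) // a non-string becomes "" and fails the JWT shape check
			cur, err = unverifiedClaims(s)
		} else if obj, ok := cur.(map[string]interface{}); !ok {
			err = fmt.Errorf("cannot descend into %T at %q", cur, seg)
		} else if cur, ok = obj[seg]; !ok {
			err = fmt.Errorf("key %q not present", seg)
		}
		if err != nil {
			return "", fmt.Errorf("%s: %w", path, err)
		}
	}
	if s, ok := cur.(string); ok && s != "" {
		return s, nil
	}
	return "", fmt.Errorf("%s: resolved to %#v, want a non-empty string", path, cur)
}

// Resolve maps a raw token-endpoint response body to an Identity. The empty-subjectPath
// error is scoped to oauth2Config.identityFromToken, as the commit message describes.
func Resolve(cfg IdentityFromToken, body []byte) (Identity, error) {
	var id Identity
	var doc interface{}
	if cfg.SubjectPath == "" {
		return id, errors.New("oauth2Config.identityFromToken.subjectPath: must not be empty")
	}
	if err := json.Unmarshal(body, &doc); err != nil {
		return id, fmt.Errorf("token response is not JSON: %w", err)
	}
	dsts := []*string{&id.Subject, &id.Name, &id.Email}
	for i, p := range []string{cfg.SubjectPath, cfg.NamePath, cfg.EmailPath} {
		if p == "" {
			continue // optional field omitted
		}
		v, err := lookup(doc, p)
		if err != nil {
			return Identity{}, err
		}
		*dsts[i] = v
	}
	return id, nil
}

// DemoJWT builds a compact JWT with a junk signature (constructed test data);
// @upstreamjwt accepts it anyway, which is exactly the documented caveat.
func DemoJWT(claims map[string]interface{}) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	pay, _ := json.Marshal(claims)
	enc := base64.RawURLEncoding.EncodeToString
	return enc(hdr) + "." + enc(pay) + ".not-a-real-signature"
}

// SlackResponse is a constructed body in the shape of Slack's; the values are made up.
var SlackResponse = []byte(`{"ok":true,"access_token":"xoxb-demo","authed_user":{"id":"U0123ABC"}}`)

func main() {
	fmt.Println(Resolve(IdentityFromToken{SubjectPath: "authed_user.id"}, SlackResponse))
}
```

The Snowflake-shaped case is the instructive one: `DemoJWT` produces a token whose signature is garbage, and `access_token.@upstreamjwt.username` still resolves to a subject, because nothing in the pipeline checks the signature. That is the trust model the commit message warns about: the only thing standing behind these claims is that the token endpoint was reached over TLS, so an OIDC ID token is the right choice wherever verifiable claims are needed. Two smaller points carry over too: a path that resolves to a boolean, an object, or a missing key is an error rather than an empty subject, and any cache or authorization decision should be keyed on (provider entry, subject), not on the bare subject.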

10 of 24 new or added lines in 2 files covered. (41.67%)

8 existing lines in 3 files now uncovered.

64645 of 98927 relevant lines covered (65.35%)

62.34 hits per line

Uncovered Changes

Uncovered lines   File coverage   ∆        File
14                44.91%          -0.24%   cmd/thv-operator/api/v1beta1/zz_generated.deepcopy.go

Coverage Regressions

Newly uncovered   File coverage   ∆        File
3                 71.85%          -1.11%   pkg/ignore/processor.go
3                 79.38%          -0.77%   pkg/transport/proxy/httpsse/http_proxy.go
2                 96.46%           0.0%    pkg/authserver/storage/memory.go
Jobs

ID   Job ID          Ran                       Files   Coverage
1    25860163109.1   14 May 2026 12:38PM UTC   730     65.35%

GitHub Action Run
Source files on build 25860163109: 730 listed, 9 changed, 2 source changed, 9 coverage changed
Github Actions Build #25860163109
Commit 8c84c059 on github
Prev Build on main (#25858853642)
Next Build on main (#25866747879)

© 2026 Coveralls, Inc