stacklok / toolhive / build 26279315691
Coverage: 66%

Build:
DEFAULT BRANCH: main
Ran: 22 May 2026 09:23AM UTC
Jobs: 1
Files: 736
Run time: 3min
22 May 2026 09:16AM UTC coverage: 65.808% (+0.09%) from 65.72%

Build: 26279315691
Event: push
Service: github
Committer: web-flow
Resolve authz `ConfigMap` for `VirtualMCPServer` (#5290)

A `VirtualMCPServer` with `spec.incomingAuth.authzConfig.type: configMap`
silently produced a vmcp `config.yaml` that referenced the unresolved
`configMap` type token. The vmcp binary's `AuthzConfig` validator only
accepts `cedar` or `none`, so the pod crashed in `CrashLoopBackOff` at
startup. Inline authz also silently dropped `GroupClaimName`,
`RoleClaimName`, `GroupEntityType`, and `EntitiesJSON`, so any enterprise
Cedar policy that walked a `Client → ClaimGroup → PlatformRole` hierarchy
denied every request because the runtime Cedar authorizer built
`THVGroup::` parents while the entity store contained `ClaimGroup::`
entities.

Wire the configMap path end-to-end, plumb the four missing fields
through both source paths, and move `PrimaryUpstreamProvider` onto the
auth server config where it belongs:

  * Extract `LoadAuthzConfigFromConfigMap` as the shared fetch/parse/
    validate helper in `controllerutil`; `AddAuthzConfigOptions` now
    delegates to it. The vMCP converter calls the same helper so the
    failure modes match the `MCPServer`/`MCPRemoteProxy` runner path.

  * Extend `pkg/vmcp/config.AuthzConfig` with `EntitiesJSON`,
    `GroupClaimName`, `RoleClaimName`, `GroupEntityType`, and forward
    all four into `cedar.ConfigOptions` in the Cedar middleware factory.
    `EntitiesJSON` defaults to `"[]"` when unset to preserve the
    historical Cedar contract.

  * Lift the source-agnostic Cedar JWT-claim mapping fields
    (`GroupClaimName`, `RoleClaimName`, `GroupEntityType`) onto
    `AuthzConfigRef` so they work identically for inline and configMap
    users. For configMap users the parsed payload provides the default
    and the spec-level field overrides when set.

  * Move `PrimaryUpstreamProvider` onto `EmbeddedAuthServerConfig`
    (`spec.authServerConfig.primaryUpstreamProvider` on
    `VirtualMCPServer`). The field describes which upstream IDP token
    Cedar reads claims... (continued)

245 of 263 new or added lines in 9 files covered. (93.16%)

12 existing lines in 5 files now uncovered.

65076 of 98888 relevant lines covered (65.81%)

60.43 hits per line

Uncovered Changes

Lines   Coverage   ∆         File
12      91.59      -3.12%    cmd/thv-operator/pkg/controllerutil/authz.go
3       64.0       0.46%     cmd/thv-operator/controllers/virtualmcpserver_controller.go
3       91.84      0.23%     cmd/thv-operator/pkg/vmcpconfig/converter.go

Coverage Regressions

Lines   Coverage   ∆         File
3       22.99      2.87%     pkg/client/manager.go
3       71.85      -1.11%    pkg/ignore/processor.go
3       78.17      -0.76%    pkg/transport/proxy/httpsse/http_proxy.go
2       82.29      -0.21%    pkg/vmcp/composer/workflow_engine.go
1       91.59      -3.12%    cmd/thv-operator/pkg/controllerutil/authz.go

Jobs

ID   Job ID           Ran                         Files   Coverage
1    26279315691.1    22 May 2026 09:22AM UTC     736     65.81

GitHub Action Run
Source Files on build 26279315691
  • Files: 736
  • Changed: 19
  • Source Changed: 11
  • Coverage Changed: 19
  • Github Actions Build #26279315691
  • Commit 9a28521c on github
  • Prev Build on main (#26250186652)
  • Next Build on main (#26284095926)
© 2026 Coveralls, Inc