stacklok / toolhive / 26279315691

22 May 2026 09:16AM UTC coverage: 65.808% (+0.09%) from 65.72%
push · github · web-flow
Resolve authz `ConfigMap` for `VirtualMCPServer` (#5290)

A `VirtualMCPServer` with `spec.incomingAuth.authzConfig.type: configMap`
silently produced a vmcp `config.yaml` that referenced the unresolved
`configMap` type token. The vmcp binary's `AuthzConfig` validator only
accepts `cedar` or `none`, so the pod crashed in `CrashLoopBackOff` at
startup. Inline authz also silently dropped `GroupClaimName`,
`RoleClaimName`, `GroupEntityType`, and `EntitiesJSON`, so any enterprise
Cedar policy that walked a `Client → ClaimGroup → PlatformRole` hierarchy
denied every request because the runtime Cedar authorizer built
`THVGroup::` parents while the entity store contained `ClaimGroup::`
entities.

Wire the configMap path end-to-end, plumb the four missing fields
through both source paths, and move `PrimaryUpstreamProvider` onto the
auth server config where it belongs:

  * Extract `LoadAuthzConfigFromConfigMap` as the shared fetch/parse/
    validate helper in `controllerutil`; `AddAuthzConfigOptions` now
    delegates to it. The vMCP converter calls the same helper so the
    failure modes match the `MCPServer`/`MCPRemoteProxy` runner path.

  * Extend `pkg/vmcp/config.AuthzConfig` with `EntitiesJSON`,
    `GroupClaimName`, `RoleClaimName`, `GroupEntityType`, and forward
    all four into `cedar.ConfigOptions` in the Cedar middleware factory.
    `EntitiesJSON` defaults to `"[]"` when unset to preserve the
    historical Cedar contract.

  * Lift the source-agnostic Cedar JWT-claim mapping fields
    (`GroupClaimName`, `RoleClaimName`, `GroupEntityType`) onto
    `AuthzConfigRef` so they work identically for inline and configMap
    users. For configMap users the parsed payload provides the default
    and the spec-level field overrides when set.

  * Move `PrimaryUpstreamProvider` onto `EmbeddedAuthServerConfig`
    (`spec.authServerConfig.primaryUpstreamProvider` on
    `VirtualMCPServer`). The field describes which upstream IDP token
    Cedar reads claims... (continued)

245 of 263 new or added lines in 9 files covered. (93.16%)

12 existing lines in 5 files now uncovered.

65076 of 98888 relevant lines covered (65.81%)

60.43 hits per line

Source File: /pkg/transport/proxy/httpsse/http_proxy.go
78.17

Source Not Available
