stacklok / toolhive / 26826473071

02 Jun 2026 02:28PM UTC coverage: 65.905% (+0.02%) from 65.889%
Build 26826473071 (push · github · web-flow)
Validate CIMD scope, grant_types and response_types against AS policy (#5385)

* Validate CIMD scope, grant_types and response_types against AS policy

C3 - Thread ScopesSupported into NewCIMDStorageDecorator so CIMD scope
     handling is consistent with DCR. Uses registration.ValidateScopes
     (same function as the DCR handler) to validate declared scopes
     against the AS allowlist and compute the effective scope list.
     When ScopesSupported is unset, the document's declared scopes are
     used directly; omitted scopes default to DefaultScopes.

C4 - Reject CIMD documents that declare grant_types or response_types
     the embedded AS does not support for public clients
     (authorization_code + refresh_token; code). Consistent with DCR
     which returns invalid_client_metadata for the same cases.

buildFositeClient now receives pre-computed scopes from fetch() rather
than re-parsing doc.Scope, matching the DCR handler pattern where scope
computation and validation happen before client construction.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Address tgrunnagle review feedback on CIMD validation

F1  Move TestUnionScopes to registration package where UnionScopes lives;
    delete now-empty handlers/scopes.go and handlers/scopes_test.go
F2  Add assert.ErrorIs(ErrInvalidClient)/NotErrorIs(ErrNotFound) to
    all CIMD policy rejection tests to pin the error type change
F4  Replace 6 positional NewCIMDStorageDecorator args with
    CIMDDecoratorConfig struct — prevents silent swap of adjacent []string
F5  Omitted-scope now calls ValidateScopes(nil, scopesSupported) matching
    DCR: returns DefaultScopes when DefaultScopes ⊆ ScopesSupported,
    error otherwise (document must declare scope explicitly)
F6  Fix dcrErr.Error → dcrErr.ErrorDescription in scope validation hint
    so the human-readable description reaches the fosite hint field
F7  slices.Clone scope slices in CIMDDecoratorConfig constructor
F8  Fix b... (continued)
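The policy checks the commit message describes (declared scopes validated against the AS allowlist with DefaultScopes used only when a scope is omitted, and grant_types/response_types restricted to what a public client may use), as an added illustrative example in Go. This is not toolhive's code: the CIMDDocument type, the ValidateDocument method, the ErrInvalidClient sentinel standing in for the fosite error, and the RFC 7591 defaults applied when grant_types or response_types are omitted are all assumptions made here.

```go
package main

import (
	"errors"
	"fmt"
	"slices"
	"strings"
)

// ErrInvalidClient stands in for the invalid_client error the commit pins in
// tests; the real code wraps a fosite error (assumption for this example).
var ErrInvalidClient = errors.New("invalid_client_metadata")

// CIMDDocument is the subset of a client ID metadata document inspected here
// (assumed field set; the real document type lives in toolhive).
type CIMDDocument struct {
	ClientID      string
	Scope         string // space-delimited, as in RFC 7591 / OAuth 2.0
	GrantTypes    []string
	ResponseTypes []string
}

// CIMDDecoratorConfig groups the AS policy inputs. A struct instead of six
// positional []string arguments prevents silently swapping adjacent slices.
type CIMDDecoratorConfig struct {
	ScopesSupported []string // empty means the AS publishes no scope allowlist
	DefaultScopes   []string // applied when a document omits scope
	GrantTypes      []string // supported for public clients
	ResponseTypes   []string
}

// NewCIMDDecoratorConfig clones its inputs so callers cannot mutate policy later.
func NewCIMDDecoratorConfig(scopesSupported, defaultScopes []string) CIMDDecoratorConfig {
	return CIMDDecoratorConfig{
		ScopesSupported: slices.Clone(scopesSupported),
		DefaultScopes:   slices.Clone(defaultScopes),
		GrantTypes:      []string{"authorization_code", "refresh_token"},
		ResponseTypes:   []string{"code"},
	}
}

func subset(sub, super []string) bool {
	for _, s := range sub {
		if !slices.Contains(super, s) {
			return false
		}
	}
	return true
}

// ValidateScopes returns the effective (deduplicated) scope list or an
// ErrInvalidClient error. With no allowlist, declared scopes pass through.
func (c CIMDDecoratorConfig) ValidateScopes(declared []string) ([]string, error) {
	if len(declared) == 0 {
		if len(c.ScopesSupported) > 0 && !subset(c.DefaultScopes, c.ScopesSupported) {
			return nil, fmt.Errorf("%w: scope omitted and default scopes %v are not all in scopes_supported; declare scope explicitly",
				ErrInvalidClient, c.DefaultScopes)
		}
		return slices.Clone(c.DefaultScopes), nil
	}
	seen := map[string]bool{}
	effective := make([]string, 0, len(declared))
	for _, s := range declared {
		if seen[s] {
			continue
		}
		seen[s] = true
		if len(c.ScopesSupported) > 0 && !slices.Contains(c.ScopesSupported, s) {
			return nil, fmt.Errorf("%w: scope %q is not in scopes_supported", ErrInvalidClient, s)
		}
		effective = append(effective, s)
	}
	return effective, nil
}

// ValidateDocument rejects unsupported grant_types/response_types, then
// computes the scopes before any client object is built from the document.
func (c CIMDDecoratorConfig) ValidateDocument(doc CIMDDocument) ([]string, error) {
	grants := doc.GrantTypes
	if len(grants) == 0 {
		grants = []string{"authorization_code"} // RFC 7591 default when omitted
	}
	for _, g := range grants {
		if !slices.Contains(c.GrantTypes, g) {
			return nil, fmt.Errorf("%w: grant_type %q not supported for public clients", ErrInvalidClient, g)
		}
	}
	responses := doc.ResponseTypes
	if len(responses) == 0 {
		responses = []string{"code"} // RFC 7591 default when omitted
	}
	for _, r := range responses {
		if !slices.Contains(c.ResponseTypes, r) {
			return nil, fmt.Errorf("%w: response_type %q not supported", ErrInvalidClient, r)
		}
	}
	return c.ValidateScopes(strings.Fields(doc.Scope))
}

func main() {
	cfg := NewCIMDDecoratorConfig([]string{"openid", "profile", "mcp:tools"}, []string{"openid"})
	// Constructed sample documents, not fetched from any real client URL.
	docs := []CIMDDocument{
		{ClientID: "https://client.example/ok.json", Scope: "openid mcp:tools"},
		{ClientID: "https://client.example/admin.json", Scope: "openid admin"},
		{ClientID: "https://client.example/m2m.json", GrantTypes: []string{"client_credentials"}},
	}
	for _, d := range docs {
		scopes, err := cfg.ValidateDocument(d)
		fmt.Printf("%s -> scopes=%v err=%v\n", d.ClientID, scopes, err)
	}
}
```

The ordering matters: grant and response types are checked before scopes so a document that is structurally unacceptable for a public client is rejected without computing scopes, and the scope list returned is the one later handed to the client constructor rather than re-parsed from doc.Scope.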

83 of 90 new or added lines in 5 files covered. (92.22%)

4 existing lines in 2 files now uncovered.

66305 of 100607 relevant lines covered (65.9%)

63.13 hits per line

Source File

78.43%  /pkg/transport/proxy/httpsse/http_proxy.go


Source Not Available
