stacklok / toolhive / 27426343274
67%

Build:
DEFAULT BRANCH: main
Ran 12 Jun 2026 03:49PM UTC
Jobs 1
Files 757
Run time 2min

12 Jun 2026 03:42PM UTC coverage: 66.615% (-0.004%) from 66.619%
27426343274

push

github

web-flow
Define OBOConfig CRD schema for Entra OBO flow (#5494)

* Define OBOConfig CRD schema for Entra OBO flow

The mcpv1beta1.OBOConfig struct was an empty placeholder deferred to a
follow-up RFC. The enterprise OBO overlay needs a user-facing config
surface to read, so populate OBOConfig with the fields the Microsoft
Entra OBO flow requires.

Field names and semantics track the shared obo.MiddlewareParameters
wire contract (not the upstream TokenExchangeConfig): tenantId (+ optional
authority) maps to the contract's tokenUrl, clientSecretRef to
clientSecretEnvVar, audience/scopes collapse via ExchangeTarget(), and the
subject source is selected by subjectTokenProviderName. There is
deliberately no externalTokenHeaderName -- the OBO subject comes from the
authenticated Identity, not a request header.

The schema is structurally valid upstream but inert: an OBO-typed config
still surfaces Valid=False / Reason=EnterpriseRequired at reconcile because
no OBO handler is registered in upstream builds. Field-level validation
lives in kubebuilder markers plus a CEL rule (admission) and the enterprise
handler (reconcile); the Go Validate() arm continues to defer.

Regenerated deepcopy, CRD manifests, and CRD API docs. Added an envtest
suite exercising the new admission-time validation.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Align OBOConfig validation with downstream consumer

Address code review and a field-by-field check against the downstream
enterprise OBO consumers (the obo.MiddlewareParameters contract and the
entra exchanger/cache/runtime that consume it):

- Tighten tenantId to a GUID-or-domain pattern mirroring the exchanger's
  validateTenant, so a tenantId admitted by the CRD is one the runtime can
  consume. The previous loose pattern admitted aliases like "common" that
  the exchanger rejects, creating an admission/reconcile gap.
- Correct the authority field: the exchanger deliberately allows a path
  (sovereign / B2C ... (continued)

20 of 32 new or added lines in 2 files covered. (62.5%)

9 existing lines in 4 files now uncovered.

68261 of 102471 relevant lines covered (66.61%)

62.14 hits per line

Uncovered Changes

Lines Coverage ∆ File
12 45.49 -0.05% cmd/thv-operator/api/v1beta1/zz_generated.deepcopy.go

Coverage Regressions

Lines Coverage ∆ File
3 97.37 -0.53% pkg/authz/authorizers/cedar/core.go
2 96.47 0.0% pkg/authserver/storage/memory.go
2 93.94 -6.06% pkg/foreach/foreach.go
2 82.29 -0.21% pkg/vmcp/composer/workflow_engine.go

Jobs
ID Job ID Ran Files Coverage
1 27426343274.1 12 Jun 2026 03:48PM UTC 757 66.61
GitHub Action Run
Source Files on build 27426343274
  • Tree
  • List 757
  • Changed 8
  • Source Changed 2
  • Coverage Changed 8
  • Back to Repo
  • Github Actions Build #27426343274
  • eb503b55 on github
  • Prev Build on main (#27424866932)
  • Next Build on main (#27430535037)