
stacklok / toolhive / 28057025752
67%

Build:
DEFAULT BRANCH: main
Ran 23 Jun 2026 09:11PM UTC
Jobs 1
Files 772
Run time 3min

23 Jun 2026 09:05PM UTC coverage: 67.225% (+2.8%) from 64.446%
28057025752

push

github

web-flow
Add PlatformUserID and identity-in-context plumbing for token storage (#5575)

* Add failing tests for PlatformUserID and identity-in-context plumbing

These tests pin the contract that the platform's canonical user id is
available where storage keys on it, ahead of the production changes that
satisfy them (red TDD step):

- claimsToIdentity populates Identity.PlatformUserID from the `sub` claim.
- TokenValidator.Middleware places the identity into the request context
  before loadUpstreamTokens runs (the MCP-request read path).
- The OAuth callback places the identity into the context before its
  context-dependent storage reads (GetAllUpstreamTokens), which carry no
  tokens argument to supply the user.

They fail to compile until Identity gains a PlatformUserID field, then fail
on assertions until the populate / middleware-reorder / callback-injection
changes land.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Laurel Orr <laurel@stacklok.com>

* Add PlatformUserID and identity-in-context plumbing for token storage

Make the platform's canonical user id available wherever upstream-token
storage keys on it. Turns the tests added in the previous commit green.

- auth.PrincipalInfo gains a PlatformUserID field, populated from `sub` in
  claimsToIdentity (the documented default; middleware whose `sub` is not the
  canonical user id must override it).
- TokenValidator.Middleware places the Identity into the request context
  before loadUpstreamTokens runs, so storage invoked during the load resolves
  the user from context (the MCP-request read path).
- The OAuth callback places the Identity into the context after the subject
  is resolved, so its context-dependent storage calls (GetAllUpstreamTokens,
  DeleteUpstreamTokens) resolve the user; StoreUpstreamTokens is unaffected
  (it keys off tokens.UserID).
- Export NewEmbeddedAuthServerWithStorage so external composition can inject a
  decorated storage.Storage aggr... (continued)

43 of 45 new or added lines in 5 files covered. (95.56%)

9 existing lines in 2 files now uncovered.

70112 of 104295 relevant lines covered (67.22%)

65.55 hits per line

Uncovered Changes

Lines   Coverage   ∆        File
2       88.24      -0.29%   pkg/authserver/runner/embeddedauthserver.go

Coverage Regressions

Lines   Coverage   ∆        File
6       76.15      -5.5%    pkg/secrets/keyring/keyctl_linux.go
3       97.37      -0.53%   pkg/authz/authorizers/cedar/core.go

Jobs
ID   Job ID          Ran                       Files   Coverage
1    28057025752.1   23 Jun 2026 09:11PM UTC   772     67.22
GitHub Action Run
Source Files on build 28057025752
  • Tree
  • List 772
  • Changed 10
  • Source Changed 5
  • Coverage Changed 10
  • 7ffcd508 on github