stacklok / toolhive / 28113988573

67%

Build Type

push

github

Committed by web-flow

Commit Message

Allow private IPs for in-cluster OIDC and OAuth2 upstream providers (#5618)

* Add AllowPrivateIPs flag to OIDC and OAuth2 upstream configs

Fixes in-cluster provider deployments (e.g. dex, Keycloak as a
ClusterIP service) that were blocked because the HTTP client
unconditionally rejected private IP ranges at dial time.

- Add AllowPrivateIPs bool to OIDCUpstreamRunConfig and
  OAuth2UpstreamRunConfig (serializable, json/yaml tagged, omitempty)
- Add AllowPrivateIPs bool to upstream.OIDCConfig and upstream.OAuth2Config
- Update newHTTPClientForHost to accept an allowPrivateIPs parameter;
  pass allowInsecure || allowPrivateIPs to WithPrivateIPs so the flag
  widens only the private-IP gate — HTTPS is still required for
  non-localhost hosts
- Propagate the flag through buildOIDCConfig and buildPureOAuth2Config
  in the embedded auth server runner
- Add unit tests for newHTTPClientForHost and config propagation

Implements #5614

* Propagate AllowPrivateIPs into OIDC internal oauth2Config and clarify test

Address review feedback:

- Set AllowPrivateIPs on the internal OAuth2Config derived from OIDC
  discovery so the field is consistent for logging and future introspection
- Add a comment to TestNewHTTPClientForHost explaining why the 500ms
  context deadline is sufficient and why the NotContains assertion
  is not vacuous (the private-IP guard fires synchronously before
  any network I/O)

* Regenerate API docs after adding AllowPrivateIPs fields

Coverage Stats

9 of 9 new or added lines in 3 files covered. (100.0%)

69 existing lines in 3 files now uncovered.

69620 of 103723 relevant lines covered (67.12%)

65.35 hits per line