• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

stacklok / toolhive / 28456424340

30 Jun 2026 03:34PM UTC coverage: 67.485% (-0.006%) from 67.491%
28456424340

push

github

web-flow
Add E2E test for upstreamInject identity propagation after cross-pod Redis restore (#5660)

* Add E2E test for upstreamInject identity after cross-pod Redis restore

Implements issue #5658 (Option B: Dex as in-cluster OIDC provider).

- Add DexImage constant to centralized E2E image registry
- Add deployDex/cleanupDex helpers to helpers.go: deploy Dex with
  mockCallback connector (auto-approves, no browser interaction) +
  NodePort service for external test-process access
- Add InstrumentedMCPBackendScript: a Python Flask MCP server that
  correctly handles MCP JSON-RPC and logs every inbound Bearer token
  to a /stats endpoint
- Add getEmbeddedASToken: performs the full OAuth2 PKCE authorization
  code flow from the test process against the embedded AS, rewriting
  in-cluster URLs to NodePort/port-forward addresses at each hop
- Add "When cross-pod session restore preserves upstreamInject identity"
  Context in virtualmcp_redis_session_test.go that verifies the fix
  from #5650: context propagation through loadSession ensures the
  incoming identity (with UpstreamTokens from Dex, keyed by tsid in
  shared Redis) reaches RestoreSession, so upstreamInject can inject
  the Dex token into backend Initialize requests after cross-pod restore
- Remove the TODO(#5336) comment; the test now covers this gap

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Address code review feedback on Dex E2E helpers

- Mark InstrumentedBackendScript deprecated in favor of InstrumentedMCPBackendScript
- Wrap Dex NodePort read in Eventually to handle async assignment
- Fix rewriteURLBase to use exact hostname equality instead of substring Contains

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Fix two test failures in Context 5 E2E test

1. Audience mismatch: the operator derives AllowedAudiences from
   oidcRef.ResourceURL; without an explicit ResourceURL it falls back to
   http://<vmcpName>.svc:4483 (the resource name,... (continued)

40 of 48 new or added lines in 5 files covered. (83.33%)

12 existing lines in 4 files now uncovered.

70956 of 105143 relevant lines covered (67.49%)

63.48 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

80.56
/pkg/transport/proxy/httpsse/http_proxy.go


Source Not Available

STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc