• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

stacklok / toolhive / 28815300516
68%

Build:
DEFAULT BRANCH: main
Ran 06 Jul 2026 06:55PM UTC
Jobs 1
Files 795
Run time 2min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

06 Jul 2026 06:48PM UTC coverage: 67.817% (-0.01%) from 67.827%
28815300516

push

github

web-flow
Filter upstream auth chain via callback hook (#5725)

* Filter upstream auth chain via callback hook

The embedded OAuth authorization server walks every configured upstream
on every authorization, prompting for and storing tokens that a given
authorization may not need. This widens the stored-token surface and
forces needless upstream prompts.

Add an optional UpstreamFilter hook (WithUpstreamFilter), consulted once
in the callback handler after the first upstream resolves, that narrows
the remaining chain to a subset of the configured upstreams:

- The first upstream is always required and is never passed to nor
  removable by the filter.
- The kept set is computed once and carried in PendingAuthorization
  (ChainUpstreams) so the filter is not re-run per leg.
- nextMissingUpstream and the cross-leg identity check now operate on
  the effective chain rather than the raw config.
- A filter error fails the authorization with a server error; it never
  silently falls back to walking every upstream.

With no filter configured, behaviour is unchanged: the handler walks all
configured upstreams as before. SingleLeg flows are unaffected and the
upstream-token storage key contracts are unchanged.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* Harden upstream chain resolution per review

Addresses stacklok/toolhive#5725 review comments:
- MEDIUM callback.go (3525733910): distinguish a true first leg
  (ResolvedUserID == "") from a subsequent leg; reject a subsequent-leg
  pending that lacks a computed chain instead of recomputing the filter
  against the wrong leg's request context.
- MEDIUM callback.go (3525733913): validate a chain loaded from storage
  (non-empty, leads with the first configured upstream, names only
  configured upstreams) so a tampered PendingAuthorization row cannot
  shrink the chain and disable the cross-leg identity check.
- MEDIUM callback.go (3525733916): restore discrete expected/got/provider
  slog fields on the iden... (continued)

149 of 158 new or added lines in 8 files covered. (94.3%)

70 existing lines in 3 files now uncovered.

72677 of 107167 relevant lines covered (67.82%)

64.34 hits per line

Uncovered Changes

Lines Coverage ∆ File
4
85.89
-0.94% pkg/authserver/upstream/oidc.go
3
86.8
1.65% pkg/authserver/server/handlers/callback.go
2
94.9
1.43% pkg/authserver/server/handlers/handler.go

Coverage Regressions

Lines Coverage ∆ File
59
62.12
-5.0% pkg/workloads/manager.go
6
76.15
-5.5% pkg/secrets/keyring/keyctl_linux.go
5
0.0
-100.0% pkg/workloads/sysproc_unix.go
Jobs
ID Job ID Ran Files Coverage
1 28815300516.1 06 Jul 2026 06:55PM UTC 795
67.82
GitHub Action Run
Source Files on build 28815300516
  • Tree
  • List 795
  • Changed 14
  • Source Changed 9
  • Coverage Changed 13
Coverage ∆ File Lines Relevant Covered Missed Hits/Line
  • Back to Repo
  • Github Actions Build #28815300516
  • 609c0ad2 on github
  • Prev Build on main (#28792881160)
  • Next Build on main (#28832278790)
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc