stacklok / toolhive / 25058060224 / 1
66%
main: 66%

Build:
DEFAULT BRANCH: main
Ran 28 Apr 2026 02:19PM UTC
Files 705
Run time 34s

28 Apr 2026 02:13PM UTC coverage: 63.922% (-0.02%) from 63.939%
25058060224.1

push

github

web-flow
Add awsSts auth type support to vMCP (#5019)

* Add awsSts auth type support to vMCP

The awsSts ExternalAuthType was defined in the CRD but had no
implementation in the vMCP layer, causing DiscoverAndResolveAuth to
fail with "unsupported auth type: awsSts" for any MCPServerEntry using
AWS STS authentication.

Add the full vMCP-side AWS STS auth path:

- AwsStsConverter in the converter registry translates CRD configs to
  BackendAuthStrategy at session discovery time
- AwsStsStrategy performs STS AssumeRoleWithWebIdentity + SigV4 signing
  with a per-config cache (map + sync.RWMutex, SHA-256 keyed) matching
  the TokenExchangeStrategy lifecycle
- TokenProviderName field on AWSStsConfig enables upstream token
  selection when an embedded auth server is present on a vMCP (proxy
  runner and remote proxy are unaffected — upstream swap middleware
  already handles this); the vMCP controller auto-populates it with
  the first configured upstream provider when left empty
- Export ExtractSessionName from pkg/auth/awssts to eliminate
  duplication between the middleware and strategy
- Validator, yaml_loader, and factory registration all updated
- Deep copy, CRD manifests, and API docs regenerated

Closes #5018

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Address review feedback for AwsStsStrategy

- Thread caller's context through getOrCreateContext instead of using
  context.Background, so cancellation propagates to NewExchanger
- Add null byte delimiters between fields in buildAwsStsCacheKey to
  prevent field-separator ambiguity
- Cache RequestSigner and sessionDuration in awsStsContext alongside
  roleMapper and exchanger; remove per-request signer allocation
- Call ValidateConfig on cache miss in getOrCreateContext so
  Authenticate without prior Validate still gets a clear error
- Add aws_sts test cases to TestInjectSubjectProviderIfNeeded covering
  auto-population, already-set not overridden, and nil AwsSts config

Co-Authored-By: Cl... (continued)

60401 of 94492 relevant lines covered (63.92%)

57.96 hits per line

Source Files on job 25058060224.1
  • Tree
  • List 705
  • Changed 17
  • Source Changed 11
  • Coverage Changed 16
  • fc76559d on github