
stacklok / toolhive / 26279315691 / 1
66%
main: 66%

Build:
DEFAULT BRANCH: main
Ran 22 May 2026 09:23AM UTC
Files 736
Run time 1min
22 May 2026 09:16AM UTC coverage: 65.808% (+0.09%) from 65.72%
26279315691.1

push

github

web-flow
Resolve authz `ConfigMap` for `VirtualMCPServer` (#5290)

A `VirtualMCPServer` with `spec.incomingAuth.authzConfig.type: configMap`
silently produced a vmcp `config.yaml` that referenced the unresolved
`configMap` type token. The vmcp binary's `AuthzConfig` validator only
accepts `cedar` or `none`, so the pod crashed in `CrashLoopBackOff` at
startup. Inline authz also silently dropped `GroupClaimName`,
`RoleClaimName`, `GroupEntityType`, and `EntitiesJSON`, so any enterprise
Cedar policy that walked a `Client → ClaimGroup → PlatformRole` hierarchy
denied every request because the runtime Cedar authorizer built
`THVGroup::` parents while the entity store contained `ClaimGroup::`
entities.

Wire the configMap path end-to-end, plumb the four missing fields
through both source paths, and move `PrimaryUpstreamProvider` onto the
auth server config where it belongs:

  * Extract `LoadAuthzConfigFromConfigMap` as the shared fetch/parse/
    validate helper in `controllerutil`; `AddAuthzConfigOptions` now
    delegates to it. The vMCP converter calls the same helper so the
    failure modes match the `MCPServer`/`MCPRemoteProxy` runner path.

  * Extend `pkg/vmcp/config.AuthzConfig` with `EntitiesJSON`,
    `GroupClaimName`, `RoleClaimName`, `GroupEntityType`, and forward
    all four into `cedar.ConfigOptions` in the Cedar middleware factory.
    `EntitiesJSON` defaults to `"[]"` when unset to preserve the
    historical Cedar contract.

  * Lift the source-agnostic Cedar JWT-claim mapping fields
    (`GroupClaimName`, `RoleClaimName`, `GroupEntityType`) onto
    `AuthzConfigRef` so they work identically for inline and configMap
    users. For configMap users the parsed payload provides the default
    and the spec-level field overrides when set.

  * Move `PrimaryUpstreamProvider` onto `EmbeddedAuthServerConfig`
    (`spec.authServerConfig.primaryUpstreamProvider` on
    `VirtualMCPServer`). The field describes which upstream IDP token
    Cedar reads claims... (continued)

65076 of 98888 relevant lines covered (65.81%)

60.43 hits per line

  • 9a28521c on github