Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
415 changes: 415 additions & 0 deletions integ-tests/tui/add-gateway-jwt.test.ts

Large diffs are not rendered by default.

6 changes: 6 additions & 0 deletions integ-tests/tui/setup.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
/**
* TUI integration test setup.
*
* This file is referenced by vitest.config.ts as a setupFile for the 'tui' project.
* It runs before each test file in integ-tests/tui/.
*/
126 changes: 91 additions & 35 deletions src/cli/commands/add/__tests__/validate.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -218,40 +218,29 @@ describe('validate', () => {
expect(result.error?.includes('Invalid authorizer type')).toBeTruthy();
});

// AC11: CUSTOM_JWT requires discoveryUrl
it('returns error for CUSTOM_JWT missing discoveryUrl', () => {
const opts = { ...validGatewayOptionsJwt, discoveryUrl: undefined };
const result = validateAddGatewayOptions(opts);
// AC11: CUSTOM_JWT requires discoveryUrl; at least one of allowedAudience/allowedClients/allowedScopes
it('returns error for CUSTOM_JWT missing required fields', () => {
// discoveryUrl is always required
const result = validateAddGatewayOptions({ ...validGatewayOptionsJwt, discoveryUrl: undefined });
expect(result.valid).toBe(false);
expect(result.error).toBe('--discovery-url is required for CUSTOM_JWT authorizer');
});

// AC11b: at least one of audience/clients/scopes required
it('returns error when all of audience, clients, and scopes are missing', () => {
const opts = {
// All three optional fields absent fails
const noneResult = validateAddGatewayOptions({
...validGatewayOptionsJwt,
allowedAudience: undefined,
allowedClients: undefined,
allowedScopes: undefined,
};
const result = validateAddGatewayOptions(opts);
expect(result.valid).toBe(false);
expect(result.error).toContain('At least one of');
});

it('allows CUSTOM_JWT with only allowedScopes', () => {
const opts = {
...validGatewayOptionsJwt,
allowedAudience: undefined,
allowedClients: undefined,
allowedScopes: 'scope1',
};
const result = validateAddGatewayOptions(opts);
expect(result.valid).toBe(true);
});
expect(noneResult.valid).toBe(false);
expect(noneResult.error).toBe(
'At least one of --allowed-audience, --allowed-clients, --allowed-scopes, or --custom-claims must be provided for CUSTOM_JWT authorizer'
);
});

it('allows CUSTOM_JWT with only allowedAudience', () => {
const opts = { ...validGatewayOptionsJwt, allowedClients: undefined, allowedScopes: undefined };
// AC11b: allowedAudience is optional
it('allows CUSTOM_JWT without allowedAudience', () => {
const opts = { ...validGatewayOptionsJwt, allowedAudience: undefined };
const result = validateAddGatewayOptions(opts);
expect(result.valid).toBe(true);
});
Expand All @@ -269,21 +258,88 @@ describe('validate', () => {
expect(result.error?.includes('.well-known/openid-configuration')).toBeTruthy();
});

it('returns error for HTTP discoveryUrl (HTTPS required)', () => {
// AC13: At least one of audience/clients/scopes must be non-empty
it('returns error when all of audience, clients, and scopes are empty', () => {
const result = validateAddGatewayOptions({
...validGatewayOptionsJwt,
discoveryUrl: 'http://example.com/.well-known/openid-configuration',
allowedAudience: ' ',
allowedClients: undefined,
allowedScopes: undefined,
});
expect(result.valid).toBe(false);
expect(result.error).toBe('Discovery URL must use HTTPS');
expect(result.error).toBe(
'At least one of --allowed-audience, --allowed-clients, --allowed-scopes, or --custom-claims must be provided for CUSTOM_JWT authorizer'
);
});

it('allows CUSTOM_JWT with only allowedClients', () => {
const opts = { ...validGatewayOptionsJwt, allowedAudience: undefined, allowedScopes: undefined };
const result = validateAddGatewayOptions(opts);
// AC-claims1: --custom-claims with valid JSON passes validation
it('accepts valid --custom-claims JSON', () => {
const result = validateAddGatewayOptions({
...validGatewayOptionsJwt,
customClaims: JSON.stringify([
{
inboundTokenClaimName: 'dept',
inboundTokenClaimValueType: 'STRING',
authorizingClaimMatchValue: {
claimMatchOperator: 'EQUALS',
claimMatchValue: { matchValueString: 'engineering' },
},
},
]),
});
expect(result.valid).toBe(true);
});

// AC-claims2: --custom-claims alone satisfies the "at least one constraint" check
it('allows CUSTOM_JWT with only --custom-claims (no audience/clients/scopes)', () => {
const result = validateAddGatewayOptions({
name: 'test-gw',
authorizerType: 'CUSTOM_JWT',
discoveryUrl: 'https://example.com/.well-known/openid-configuration',
customClaims: JSON.stringify([
{
inboundTokenClaimName: 'role',
inboundTokenClaimValueType: 'STRING_ARRAY',
authorizingClaimMatchValue: {
claimMatchOperator: 'CONTAINS_ANY',
claimMatchValue: { matchValueStringList: ['admin'] },
},
},
]),
});
expect(result.valid).toBe(true);
});

// AC-claims3: --custom-claims with invalid JSON fails
it('returns error for --custom-claims with invalid JSON', () => {
const result = validateAddGatewayOptions({
...validGatewayOptionsJwt,
customClaims: 'not json',
});
expect(result.valid).toBe(false);
expect(result.error).toBe('--custom-claims must be valid JSON');
});

// AC-claims4: --custom-claims with empty array fails
it('returns error for --custom-claims with empty array', () => {
const result = validateAddGatewayOptions({
...validGatewayOptionsJwt,
customClaims: '[]',
});
expect(result.valid).toBe(false);
expect(result.error).toBe('--custom-claims must be a non-empty JSON array');
});

// AC-claims5: --custom-claims with invalid claim structure fails
it('returns error for --custom-claims with invalid claim structure', () => {
const result = validateAddGatewayOptions({
...validGatewayOptionsJwt,
customClaims: JSON.stringify([{ badField: 'value' }]),
});
expect(result.valid).toBe(false);
expect(result.error).toContain('Invalid custom claim at index 0');
});

// AC14: Valid options pass
it('passes for valid options', () => {
expect(validateAddGatewayOptions(validGatewayOptionsNone)).toEqual({ valid: true });
Expand All @@ -309,8 +365,8 @@ describe('validate', () => {
expect(result.error).toBe('Both --client-id and --client-secret must be provided together');
});

// AC16: OAuth credentials only valid with CUSTOM_JWT
it('returns error when OAuth credentials used with non-CUSTOM_JWT authorizer', () => {
// AC16: OAuth client credentials only valid with CUSTOM_JWT
it('returns error when OAuth client credentials used with non-CUSTOM_JWT authorizer', () => {
const result = validateAddGatewayOptions({
...validGatewayOptionsNone,
clientId: 'my-client-id',
Expand All @@ -320,8 +376,8 @@ describe('validate', () => {
expect(result.error).toBe('OAuth client credentials are only valid with CUSTOM_JWT authorizer');
});

// AC17: valid CUSTOM_JWT with OAuth credentials passes
it('passes for CUSTOM_JWT with OAuth credentials', () => {
// AC17: valid CUSTOM_JWT with OAuth client credentials passes
it('passes for CUSTOM_JWT with OAuth client credentials', () => {
const result = validateAddGatewayOptions({
...validGatewayOptionsJwt,
clientId: 'my-client-id',
Expand Down
1 change: 1 addition & 0 deletions src/cli/commands/add/types.ts
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ export interface AddGatewayOptions {
allowedAudience?: string;
allowedClients?: string;
allowedScopes?: string;
customClaims?: string;
clientId?: string;
clientSecret?: string;
agents?: string;
Expand Down
27 changes: 24 additions & 3 deletions src/cli/commands/add/validate.ts
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ import { ConfigIO, findConfigRoot } from '../../../lib';
import {
AgentNameSchema,
BuildTypeSchema,
CustomClaimValidationSchema,
GatewayExceptionLevelSchema,
GatewayNameSchema,
ModelProviderSchema,
Expand Down Expand Up @@ -275,16 +276,36 @@ export function validateAddGatewayOptions(options: AddGatewayOptions): Validatio
return { valid: false, error: `Discovery URL must end with ${OIDC_WELL_KNOWN_SUFFIX}` };
}

// allowedAudience, allowedClients, allowedScopes are all optional individually,
// Validate custom claims JSON if provided
if (options.customClaims) {
let parsed: unknown;
try {
parsed = JSON.parse(options.customClaims);
} catch {
return { valid: false, error: '--custom-claims must be valid JSON' };
}
if (!Array.isArray(parsed) || parsed.length === 0) {
return { valid: false, error: '--custom-claims must be a non-empty JSON array' };
}
for (const [i, entry] of parsed.entries()) {
const result = CustomClaimValidationSchema.safeParse(entry);
if (!result.success) {
return { valid: false, error: `Invalid custom claim at index ${i}: ${result.error.issues[0]?.message}` };
}
}
}

// allowedAudience, allowedClients, allowedScopes, customClaims are all optional individually,
// but at least one must be provided
const hasAudience = !!options.allowedAudience?.trim();
const hasClients = !!options.allowedClients?.trim();
const hasScopes = !!options.allowedScopes?.trim();
if (!hasAudience && !hasClients && !hasScopes) {
const hasClaims = !!options.customClaims?.trim();
if (!hasAudience && !hasClients && !hasScopes && !hasClaims) {
return {
valid: false,
error:
'At least one of --allowed-audience, --allowed-clients, or --allowed-scopes must be provided for CUSTOM_JWT authorizer',
'At least one of --allowed-audience, --allowed-clients, --allowed-scopes, or --custom-claims must be provided for CUSTOM_JWT authorizer',
};
}
}
Expand Down
18 changes: 15 additions & 3 deletions src/cli/primitives/GatewayPrimitive.ts
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import type {
AgentCoreGatewayTarget,
AgentCoreMcpSpec,
AgentCoreProjectSpec,
CustomClaimValidation,
GatewayAuthorizerType,
} from '../../schema';
import { AgentCoreGatewaySchema, PolicyEngineModeSchema } from '../../schema';
Expand All @@ -29,6 +30,7 @@ export interface AddGatewayOptions {
allowedAudience?: string;
allowedClients?: string;
allowedScopes?: string;
customClaims?: CustomClaimValidation[];
clientId?: string;
clientSecret?: string;
agents?: string;
Expand Down Expand Up @@ -164,6 +166,7 @@ export class GatewayPrimitive extends BasePrimitive<AddGatewayOptions, Removable
.option('--allowed-audience <audience>', 'Comma-separated allowed audiences (for CUSTOM_JWT)')
.option('--allowed-clients <clients>', 'Comma-separated allowed client IDs (for CUSTOM_JWT)')
.option('--allowed-scopes <scopes>', 'Comma-separated allowed scopes (for CUSTOM_JWT)')
.option('--custom-claims <json>', 'Custom claim validations as JSON array (for CUSTOM_JWT)')
.option('--client-id <id>', 'OAuth client ID for gateway bearer token')
.option('--client-secret <secret>', 'OAuth client secret')
.option('--agents <agents>', 'Comma-separated agent names')
Expand All @@ -190,6 +193,11 @@ export class GatewayPrimitive extends BasePrimitive<AddGatewayOptions, Removable
process.exit(1);
}

// Parse custom claims JSON if provided (already validated)
const parsedCustomClaims = cliOptions.customClaims
? (JSON.parse(cliOptions.customClaims) as CustomClaimValidation[])
: undefined;

const result = await this.add({
name: cliOptions.name!,
description: cliOptions.description,
Expand All @@ -198,6 +206,7 @@ export class GatewayPrimitive extends BasePrimitive<AddGatewayOptions, Removable
allowedAudience: cliOptions.allowedAudience,
allowedClients: cliOptions.allowedClients,
allowedScopes: cliOptions.allowedScopes,
customClaims: parsedCustomClaims,
clientId: cliOptions.clientId,
clientSecret: cliOptions.clientSecret,
agents: cliOptions.agents,
Expand Down Expand Up @@ -334,6 +343,7 @@ export class GatewayPrimitive extends BasePrimitive<AddGatewayOptions, Removable
...(allowedAudience?.length ? { allowedAudience } : {}),
...(allowedClients?.length ? { allowedClients } : {}),
...(allowedScopes?.length ? { allowedScopes } : {}),
...(options.customClaims?.length ? { customClaims: options.customClaims } : {}),
...(options.clientId ? { clientId: options.clientId } : {}),
...(options.clientSecret ? { clientSecret: options.clientSecret } : {}),
};
Expand Down Expand Up @@ -415,9 +425,10 @@ export class GatewayPrimitive extends BasePrimitive<AddGatewayOptions, Removable
});
await this.writeProjectSpec(project);

// Write client secret to .env
const envVarName = computeDefaultCredentialEnvVarName(credentialName);
await setEnvVar(envVarName, jwtConfig.clientSecret!);
// Write client ID and client secret to .env
const envVarPrefix = computeDefaultCredentialEnvVarName(credentialName);
await setEnvVar(`${envVarPrefix}_CLIENT_ID`, jwtConfig.clientId!);
await setEnvVar(`${envVarPrefix}_CLIENT_SECRET`, jwtConfig.clientSecret!);
}

/**
Expand All @@ -434,6 +445,7 @@ export class GatewayPrimitive extends BasePrimitive<AddGatewayOptions, Removable
...(config.jwtConfig.allowedAudience?.length ? { allowedAudience: config.jwtConfig.allowedAudience } : {}),
...(config.jwtConfig.allowedClients?.length ? { allowedClients: config.jwtConfig.allowedClients } : {}),
...(config.jwtConfig.allowedScopes?.length ? { allowedScopes: config.jwtConfig.allowedScopes } : {}),
...(config.jwtConfig.customClaims?.length ? { customClaims: config.jwtConfig.customClaims } : {}),
},
};
}
Expand Down
72 changes: 72 additions & 0 deletions src/cli/primitives/__tests__/GatewayPrimitive.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,78 @@ describe('GatewayPrimitive', () => {
primitive = new GatewayPrimitive();
});

describe('customClaims pipeline', () => {
const SAMPLE_CLAIMS = [
{
inboundTokenClaimName: 'department',
inboundTokenClaimValueType: 'STRING_ARRAY' as const,
authorizingClaimMatchValue: {
claimMatchOperator: 'CONTAINS_ANY' as const,
claimMatchValue: { matchValueStringList: ['engineering', 'sales'] },
},
},
];

it('custom claims from TUI flow are written to authorizerConfiguration', async () => {
await primitive.add({
name: 'jwt-gw',
authorizerType: 'CUSTOM_JWT',
discoveryUrl: 'https://example.com/.well-known/openid-configuration',
allowedAudience: 'aud1',
customClaims: SAMPLE_CLAIMS,
});

const gw = getWrittenGateway();
expect(gw.authorizerConfiguration?.customJwtAuthorizer).toBeDefined();
expect(gw.authorizerConfiguration!.customJwtAuthorizer!.customClaims).toEqual(SAMPLE_CLAIMS);
});

it('custom claims are preserved alongside audience and clients', async () => {
await primitive.add({
name: 'jwt-gw',
authorizerType: 'CUSTOM_JWT',
discoveryUrl: 'https://example.com/.well-known/openid-configuration',
allowedAudience: 'aud1,aud2',
allowedClients: 'client1',
customClaims: SAMPLE_CLAIMS,
});

const gw = getWrittenGateway();
const jwtConfig = gw.authorizerConfiguration!.customJwtAuthorizer!;
expect(jwtConfig.allowedAudience).toEqual(['aud1', 'aud2']);
expect(jwtConfig.allowedClients).toEqual(['client1']);
expect(jwtConfig.customClaims).toEqual(SAMPLE_CLAIMS);
});

it('omits customClaims from authorizerConfiguration when not provided', async () => {
await primitive.add({
name: 'jwt-gw',
authorizerType: 'CUSTOM_JWT',
discoveryUrl: 'https://example.com/.well-known/openid-configuration',
allowedAudience: 'aud1',
});

const gw = getWrittenGateway();
expect(gw.authorizerConfiguration!.customJwtAuthorizer!.customClaims).toBeUndefined();
});

it('custom claims only (no audience/clients/scopes) produces valid config', async () => {
await primitive.add({
name: 'jwt-gw',
authorizerType: 'CUSTOM_JWT',
discoveryUrl: 'https://example.com/.well-known/openid-configuration',
customClaims: SAMPLE_CLAIMS,
});

const gw = getWrittenGateway();
const jwtConfig = gw.authorizerConfiguration!.customJwtAuthorizer!;
expect(jwtConfig.allowedAudience).toBeUndefined();
expect(jwtConfig.allowedClients).toBeUndefined();
expect(jwtConfig.allowedScopes).toBeUndefined();
expect(jwtConfig.customClaims).toEqual(SAMPLE_CLAIMS);
});
});

describe('exceptionLevel', () => {
it('defaults to exceptionLevel NONE', async () => {
await primitive.add({ name: 'test-gw', authorizerType: 'NONE' });
Expand Down
1 change: 1 addition & 0 deletions src/cli/tui/hooks/useCreateMcp.ts
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ export function useCreateGateway() {
allowedAudience: config.jwtConfig?.allowedAudience?.join(','),
allowedClients: config.jwtConfig?.allowedClients?.join(','),
allowedScopes: config.jwtConfig?.allowedScopes?.join(','),
customClaims: config.jwtConfig?.customClaims,
clientId: config.jwtConfig?.clientId,
clientSecret: config.jwtConfig?.clientSecret,
enableSemanticSearch: config.enableSemanticSearch,
Expand Down
Loading
Loading