addressed comments

jrobertboos · jrobertboos · commit b3ae1c4e9f08 · 2026-03-23T09:46:17.000-04:00
diff --git a/src/utils/mcp_headers.py b/src/utils/mcp_headers.py
@@ -125,6 +125,86 @@ def extract_propagated_headers(
     return propagated
 
 
+def find_unresolved_auth_headers(
+    configured: Mapping[str, str],
+    resolved: Mapping[str, str],
+) -> list[str]:
+    """Return configured auth header names that are absent from the resolved headers.
+
+    Comparison is case-insensitive so that ``Authorization`` and ``authorization``
+    are treated as the same header name.
+
+    Args:
+        configured: The server's ``authorization_headers`` configuration mapping
+            (header name → secret path or keyword).
+        resolved: The fully resolved headers that will be sent to the MCP server.
+
+    Returns:
+        List of header names from ``configured`` that could not be resolved, i.e.
+        are not present as a key in ``resolved``. An empty list means all headers
+        were resolved successfully.
+    """
+    resolved_lower = {k.lower() for k in resolved}
+    return [h for h in configured if h.lower() not in resolved_lower]
+
+
+def build_server_headers(
+    mcp_server: ModelContextProtocolServer,
+    client_headers: dict[str, str],
+    request_headers: Optional[Mapping[str, str]],
+    token: Optional[str],
+) -> dict[str, str]:
+    """Build the complete set of headers for a single MCP server.
+
+    Merges client-supplied headers, resolved authorization headers, and propagated
+    request headers in priority order (highest first):
+
+    1. Client-supplied headers (already present in ``client_headers``).
+    2. Statically resolved authorization headers from configuration.
+    3. Kubernetes Bearer token for headers configured with the ``kubernetes`` keyword.
+       ``client`` and ``oauth`` keywords are skipped — those values are already
+       provided by the client in source 1.
+    4. Headers propagated from the incoming request via the server's allowlist.
+
+    Args:
+        mcp_server: MCP server configuration.
+        client_headers: Headers already supplied by the client for this server.
+        request_headers: Headers from the incoming HTTP request, or ``None``.
+        token: Optional Kubernetes service-account token.
+
+    Returns:
+        Merged headers dictionary for the server. May be empty if no headers apply.
+    """
+    server_headers: dict[str, str] = dict(client_headers)
+    existing_lower = {k.lower() for k in server_headers}
+
+    for (
+        header_name,
+        resolved_value,
+    ) in mcp_server.resolved_authorization_headers.items():
+        if header_name.lower() in existing_lower:
+            continue
+        match resolved_value:
+            case constants.MCP_AUTH_KUBERNETES:
+                if token:
+                    server_headers[header_name] = f"Bearer {token}"
+                    existing_lower.add(header_name.lower())
+            case constants.MCP_AUTH_CLIENT | constants.MCP_AUTH_OAUTH:
+                pass  # client-provided; already included via the initial client_headers copy
+            case _:
+                server_headers[header_name] = resolved_value
+                existing_lower.add(header_name.lower())
+
+    if mcp_server.headers and request_headers is not None:
+        propagated = extract_propagated_headers(mcp_server, request_headers)
+        for h_name, h_value in propagated.items():
+            if h_name.lower() not in existing_lower:
+                server_headers[h_name] = h_value
+                existing_lower.add(h_name.lower())
+
+    return server_headers
+
+
 def build_mcp_headers(
     config: AppConfig,
     mcp_headers: McpHeaders,
@@ -162,34 +242,12 @@ def build_mcp_headers(
     complete: McpHeaders = {}
 
     for mcp_server in config.mcp_servers:
-        server_headers: dict[str, str] = dict(mcp_headers.get(mcp_server.name, {}))
-        existing_lower = {k.lower() for k in server_headers}
-
-        for (
-            header_name,
-            resolved_value,
-        ) in mcp_server.resolved_authorization_headers.items():
-            if header_name.lower() in existing_lower:
-                continue
-            match resolved_value:
-                case constants.MCP_AUTH_KUBERNETES:
-                    if token:
-                        server_headers[header_name] = f"Bearer {token}"
-                        existing_lower.add(header_name.lower())
-                case constants.MCP_AUTH_CLIENT | constants.MCP_AUTH_OAUTH:
-                    pass  # client-provided; already included via the initial mcp_headers copy
-                case _:
-                    server_headers[header_name] = resolved_value
-                    existing_lower.add(header_name.lower())
-
-        # Propagate allowlisted headers from the incoming request.
-        if mcp_server.headers and request_headers is not None:
-            propagated = extract_propagated_headers(mcp_server, request_headers)
-            for h_name, h_value in propagated.items():
-                if h_name.lower() not in existing_lower:
-                    server_headers[h_name] = h_value
-                    existing_lower.add(h_name.lower())
-
+        server_headers = build_server_headers(
+            mcp_server,
+            dict(mcp_headers.get(mcp_server.name, {})),
+            request_headers,
+            token,
+        )
         if server_headers:
             complete[mcp_server.name] = server_headers
 
diff --git a/src/utils/responses.py b/src/utils/responses.py
@@ -50,7 +50,11 @@
     NotFoundResponse,
     ServiceUnavailableResponse,
 )
-from utils.mcp_headers import McpHeaders, build_mcp_headers
+from utils.mcp_headers import (
+    McpHeaders,
+    build_mcp_headers,
+    find_unresolved_auth_headers,
+)
 from utils.prompts import get_system_prompt, get_topic_summary_system_prompt
 from utils.query import (
     extract_provider_and_model_from_model_id,
@@ -471,20 +475,17 @@ async def get_mcp_tools(
         headers: dict[str, str] = dict(complete_headers.get(mcp_server.name, {}))
 
         # Skip server if any configured auth header could not be resolved.
-        if mcp_server.authorization_headers:
-            unresolved = [
-                h
-                for h in mcp_server.authorization_headers
-                if not any(k.lower() == h.lower() for k in headers)
-            ]
-            if unresolved:
-                logger.warning(
-                    "Skipping MCP server %s: required %d auth headers but only resolved %d",
-                    mcp_server.name,
-                    len(mcp_server.authorization_headers),
-                    len(mcp_server.authorization_headers) - len(unresolved),
-                )
-                continue
+        unresolved = find_unresolved_auth_headers(
+            mcp_server.authorization_headers, headers
+        )
+        if unresolved:
+            logger.warning(
+                "Skipping MCP server %s: required %d auth headers but only resolved %d",
+                mcp_server.name,
+                len(mcp_server.authorization_headers),
+                len(mcp_server.authorization_headers) - len(unresolved),
+            )
+            continue
 
         authorization = headers.pop("Authorization", None)
         tools.append(
diff --git a/tests/unit/utils/test_mcp_headers.py b/tests/unit/utils/test_mcp_headers.py
@@ -5,9 +5,14 @@
 
 from fastapi import Request
 
+import constants
 from models.config import ModelContextProtocolServer
 from utils import mcp_headers
-from utils.mcp_headers import extract_propagated_headers
+from utils.mcp_headers import (
+    build_server_headers,
+    extract_propagated_headers,
+    find_unresolved_auth_headers,
+)
 
 
 def test_extract_mcp_headers_empty_headers(mocker: MockerFixture) -> None:
@@ -289,3 +294,163 @@ def test_no_headers_field_configured(self) -> None:
         request_headers = {"x-rh-identity": "identity-value"}
         result = extract_propagated_headers(server, request_headers)
         assert not result
+
+
+class TestFindUnresolvedAuthHeaders:
+    """Test cases for find_unresolved_auth_headers function."""
+
+    def test_all_configured_headers_present(self) -> None:
+        """Test that an empty list is returned when all configured headers are resolved."""
+        configured = {"Authorization": "kubernetes", "X-Api-Key": "/var/secrets/key"}
+        resolved = {"Authorization": "Bearer tok", "X-Api-Key": "secret"}
+        assert not find_unresolved_auth_headers(configured, resolved)
+
+    def test_missing_header_is_returned(self) -> None:
+        """Test that a configured header absent from resolved is returned."""
+        configured = {"Authorization": "kubernetes"}
+        resolved: dict[str, str] = {}
+        assert find_unresolved_auth_headers(configured, resolved) == ["Authorization"]
+
+    def test_partially_resolved_returns_missing(self) -> None:
+        """Test that only unresolved headers are returned when some are resolved."""
+        configured = {"Authorization": "kubernetes", "X-Api-Key": "/var/secrets/key"}
+        resolved = {"Authorization": "Bearer tok"}
+        assert find_unresolved_auth_headers(configured, resolved) == ["X-Api-Key"]
+
+    def test_comparison_is_case_insensitive(self) -> None:
+        """Test that header name matching is case-insensitive."""
+        configured = {"Authorization": "kubernetes"}
+        resolved = {"authorization": "Bearer tok"}
+        assert not find_unresolved_auth_headers(configured, resolved)
+
+    def test_empty_configured_returns_empty(self) -> None:
+        """Test that an empty configured dict returns an empty list."""
+        assert not find_unresolved_auth_headers({}, {"Authorization": "Bearer tok"})
+
+    def test_empty_resolved_returns_all_configured(self) -> None:
+        """Test that all configured headers are returned when resolved is empty."""
+        configured = {"Authorization": "kubernetes", "X-Api-Key": "/path"}
+        result = find_unresolved_auth_headers(configured, {})
+        assert sorted(result) == ["Authorization", "X-Api-Key"]
+
+
+class TestBuildServerHeaders:
+    """Test cases for build_server_headers function."""
+
+    def _make_server(
+        self,
+        resolved_auth: dict[str, str] | None = None,
+        headers: list[str] | None = None,
+    ) -> ModelContextProtocolServer:
+        """Create a ModelContextProtocolServer with given auth and allowlist headers."""
+        server = ModelContextProtocolServer(
+            name="test-server",
+            url="http://test:8080",
+            provider_id="xyzzy",
+            headers=headers or [],
+        )
+        object.__setattr__(
+            server, "_resolved_authorization_headers", resolved_auth or {}
+        )
+        return server
+
+    def test_static_resolved_header_is_added(self) -> None:
+        """Test that a statically resolved header value is included in the result."""
+        server = self._make_server(resolved_auth={"Authorization": "static-token"})
+        result = build_server_headers(server, {}, None, None)
+        assert result == {"Authorization": "static-token"}
+
+    def test_kubernetes_token_resolves_to_bearer(self) -> None:
+        """Test that a kubernetes keyword resolves to a Bearer token."""
+        server = self._make_server(
+            resolved_auth={"Authorization": constants.MCP_AUTH_KUBERNETES}
+        )
+        result = build_server_headers(server, {}, None, token="my-k8s-token")
+        assert result == {"Authorization": "Bearer my-k8s-token"}
+
+    def test_kubernetes_without_token_is_skipped(self) -> None:
+        """Test that a kubernetes keyword with no token produces no header."""
+        server = self._make_server(
+            resolved_auth={"Authorization": constants.MCP_AUTH_KUBERNETES}
+        )
+        result = build_server_headers(server, {}, None, token=None)
+        assert not result
+
+    def test_client_keyword_is_skipped(self) -> None:
+        """Test that a client keyword is skipped (value comes from client_headers)."""
+        server = self._make_server(
+            resolved_auth={"Authorization": constants.MCP_AUTH_CLIENT}
+        )
+        result = build_server_headers(server, {}, None, None)
+        assert not result
+
+    def test_oauth_keyword_is_skipped(self) -> None:
+        """Test that an oauth keyword is skipped (value comes from client_headers)."""
+        server = self._make_server(
+            resolved_auth={"Authorization": constants.MCP_AUTH_OAUTH}
+        )
+        result = build_server_headers(server, {}, None, None)
+        assert not result
+
+    def test_client_headers_take_priority_over_resolved(self) -> None:
+        """Test that a client-supplied header is not overwritten by a resolved value."""
+        server = self._make_server(resolved_auth={"Authorization": "static-token"})
+        result = build_server_headers(
+            server, {"Authorization": "client-token"}, None, None
+        )
+        assert result == {"Authorization": "client-token"}
+
+    def test_client_headers_priority_is_case_insensitive(self) -> None:
+        """Test that case-insensitive comparison prevents overwriting client headers."""
+        server = self._make_server(resolved_auth={"authorization": "static-token"})
+        result = build_server_headers(
+            server, {"Authorization": "client-token"}, None, None
+        )
+        assert result == {"Authorization": "client-token"}
+
+    def test_propagated_request_headers_are_added(self) -> None:
+        """Test that allowlisted request headers are propagated."""
+        server = self._make_server(headers=["x-rh-identity"])
+        result = build_server_headers(
+            server, {}, {"x-rh-identity": "my-identity"}, None
+        )
+        assert result == {"x-rh-identity": "my-identity"}
+
+    def test_existing_header_blocks_propagation(self) -> None:
+        """Test that a propagated header does not overwrite an already-set header."""
+        server = self._make_server(headers=["x-rh-identity"])
+        result = build_server_headers(
+            server,
+            {"x-rh-identity": "client-identity"},
+            {"x-rh-identity": "request-identity"},
+            None,
+        )
+        assert result == {"x-rh-identity": "client-identity"}
+
+    def test_no_headers_no_config_returns_empty(self) -> None:
+        """Test that a server with no applicable headers returns an empty dict."""
+        server = self._make_server()
+        result = build_server_headers(server, {}, None, None)
+        assert not result
+
+    def test_multiple_sources_are_merged(self) -> None:
+        """Test that all header sources are combined into one dictionary."""
+        server = self._make_server(
+            resolved_auth={
+                "Authorization": constants.MCP_AUTH_KUBERNETES,
+                "X-Api-Key": "static-key",
+            },
+            headers=["x-request-id"],
+        )
+        result = build_server_headers(
+            server,
+            {"X-Client-Header": "client-value"},
+            {"x-request-id": "req-123"},
+            token="k8s-token",
+        )
+        assert result == {
+            "X-Client-Header": "client-value",
+            "Authorization": "Bearer k8s-token",
+            "X-Api-Key": "static-key",
+            "x-request-id": "req-123",
+        }
