Add CloneResourceMetadataClonesAllProperties test

Author: halter73

src/ModelContextProtocol.AspNetCore/Authentication/McpAuthenticationHandler.cs

@@ -131,7 +131,7 @@ protected override Task HandleChallengeAsync(AuthenticationProperties properties
         return base.HandleChallengeAsync(properties);
     }
 
-    internal ProtectedResourceMetadata? CloneResourceMetadata(ProtectedResourceMetadata? resourceMetadata)
+    internal static ProtectedResourceMetadata? CloneResourceMetadata(ProtectedResourceMetadata? resourceMetadata)
     {
         if (resourceMetadata is null)
         {

tests/ModelContextProtocol.AspNetCore.Tests/AuthTests.cs

@@ -8,6 +8,7 @@
 using ModelContextProtocol.Authentication;
 using ModelContextProtocol.Client;
 using System.Net;
+using System.Reflection;
 using Xunit.Sdk;
 
 namespace ModelContextProtocol.AspNetCore.Tests;
@@ -188,6 +189,107 @@ public async Task CanAuthenticate_WithDynamicClientRegistration()
             transport, loggerFactory: LoggerFactory, cancellationToken: TestContext.Current.CancellationToken);
     }
 
+    [Fact]
+    public void CloneResourceMetadataClonesAllProperties()
+    {
+        var propertyNames = typeof(ProtectedResourceMetadata).GetProperties().Select(property => property.Name).ToList();
+
+        // Set metadata properties to non-default values to verify they're copied.
+        var metadata = new ProtectedResourceMetadata
+        {
+            Resource = new Uri("https://example.com/resource"),
+            AuthorizationServers = [new Uri("https://auth1.example.com"), new Uri("https://auth2.example.com")],
+            BearerMethodsSupported = ["header", "body", "query"],
+            ScopesSupported = ["read", "write", "admin"],
+            JwksUri = new Uri("https://example.com/.well-known/jwks.json"),
+            ResourceSigningAlgValuesSupported = ["RS256", "ES256"],
+            ResourceName = "Test Resource",
+            ResourceDocumentation = new Uri("https://docs.example.com"),
+            ResourcePolicyUri = new Uri("https://example.com/policy"),
+            ResourceTosUri = new Uri("https://example.com/terms"),
+            TlsClientCertificateBoundAccessTokens = true,
+            AuthorizationDetailsTypesSupported = ["payment_initiation", "account_information"],
+            DpopSigningAlgValuesSupported = ["RS256", "PS256"],
+            DpopBoundAccessTokensRequired = true
+        };
+
+        // Use reflection to call the internal CloneResourceMetadata method
+        var handlerType = typeof(McpAuthenticationHandler);
+        var cloneMethod = handlerType.GetMethod("CloneResourceMetadata", BindingFlags.Static | BindingFlags.NonPublic);
+        Assert.NotNull(cloneMethod);
+
+        var clonedMetadata = (ProtectedResourceMetadata?)cloneMethod.Invoke(null, [metadata]);
+        Assert.NotNull(clonedMetadata);
+
+        // Ensure the cloned metadata is not the same instance
+        Assert.NotSame(metadata, clonedMetadata);
+
+        // Verify Resource property
+        Assert.Equal(metadata.Resource, clonedMetadata.Resource);
+        Assert.True(propertyNames.Remove(nameof(metadata.Resource)));
+
+        // Verify AuthorizationServers list is cloned and contains the same values
+        Assert.NotSame(metadata.AuthorizationServers, clonedMetadata.AuthorizationServers);
+        Assert.Equal(metadata.AuthorizationServers, clonedMetadata.AuthorizationServers);
+        Assert.True(propertyNames.Remove(nameof(metadata.AuthorizationServers)));
+
+        // Verify BearerMethodsSupported list is cloned and contains the same values
+        Assert.NotSame(metadata.BearerMethodsSupported, clonedMetadata.BearerMethodsSupported);
+        Assert.Equal(metadata.BearerMethodsSupported, clonedMetadata.BearerMethodsSupported);
+        Assert.True(propertyNames.Remove(nameof(metadata.BearerMethodsSupported)));
+
+        // Verify ScopesSupported list is cloned and contains the same values
+        Assert.NotSame(metadata.ScopesSupported, clonedMetadata.ScopesSupported);
+        Assert.Equal(metadata.ScopesSupported, clonedMetadata.ScopesSupported);
+        Assert.True(propertyNames.Remove(nameof(metadata.ScopesSupported)));
+
+        // Verify JwksUri property
+        Assert.Equal(metadata.JwksUri, clonedMetadata.JwksUri);
+        Assert.True(propertyNames.Remove(nameof(metadata.JwksUri)));
+
+        // Verify ResourceSigningAlgValuesSupported list is cloned (nullable list)
+        Assert.NotSame(metadata.ResourceSigningAlgValuesSupported, clonedMetadata.ResourceSigningAlgValuesSupported);
+        Assert.Equal(metadata.ResourceSigningAlgValuesSupported, clonedMetadata.ResourceSigningAlgValuesSupported);
+        Assert.True(propertyNames.Remove(nameof(metadata.ResourceSigningAlgValuesSupported)));
+
+        // Verify ResourceName property
+        Assert.Equal(metadata.ResourceName, clonedMetadata.ResourceName);
+        Assert.True(propertyNames.Remove(nameof(metadata.ResourceName)));
+
+        // Verify ResourceDocumentation property
+        Assert.Equal(metadata.ResourceDocumentation, clonedMetadata.ResourceDocumentation);
+        Assert.True(propertyNames.Remove(nameof(metadata.ResourceDocumentation)));
+
+        // Verify ResourcePolicyUri property
+        Assert.Equal(metadata.ResourcePolicyUri, clonedMetadata.ResourcePolicyUri);
+        Assert.True(propertyNames.Remove(nameof(metadata.ResourcePolicyUri)));
+
+        // Verify ResourceTosUri property
+        Assert.Equal(metadata.ResourceTosUri, clonedMetadata.ResourceTosUri);
+        Assert.True(propertyNames.Remove(nameof(metadata.ResourceTosUri)));
+
+        // Verify TlsClientCertificateBoundAccessTokens property
+        Assert.Equal(metadata.TlsClientCertificateBoundAccessTokens, clonedMetadata.TlsClientCertificateBoundAccessTokens);
+        Assert.True(propertyNames.Remove(nameof(metadata.TlsClientCertificateBoundAccessTokens)));
+
+        // Verify AuthorizationDetailsTypesSupported list is cloned (nullable list)
+        Assert.NotSame(metadata.AuthorizationDetailsTypesSupported, clonedMetadata.AuthorizationDetailsTypesSupported);
+        Assert.Equal(metadata.AuthorizationDetailsTypesSupported, clonedMetadata.AuthorizationDetailsTypesSupported);
+        Assert.True(propertyNames.Remove(nameof(metadata.AuthorizationDetailsTypesSupported)));
+
+        // Verify DpopSigningAlgValuesSupported list is cloned (nullable list)
+        Assert.NotSame(metadata.DpopSigningAlgValuesSupported, clonedMetadata.DpopSigningAlgValuesSupported);
+        Assert.Equal(metadata.DpopSigningAlgValuesSupported, clonedMetadata.DpopSigningAlgValuesSupported);
+        Assert.True(propertyNames.Remove(nameof(metadata.DpopSigningAlgValuesSupported)));
+
+        // Verify DpopBoundAccessTokensRequired property
+        Assert.Equal(metadata.DpopBoundAccessTokensRequired, clonedMetadata.DpopBoundAccessTokensRequired);
+        Assert.True(propertyNames.Remove(nameof(metadata.DpopBoundAccessTokensRequired)));
+
+        // Ensure we've checked every property. When new properties get added, we'll have to update this test along with the CloneResourceMetadata implementation.
+        Assert.Empty(propertyNames);
+    }
+
     private async Task<string?> HandleAuthorizationUrlAsync(Uri authorizationUrl, Uri redirectUri, CancellationToken cancellationToken)
     {
         var redirectResponse = await HttpClient.GetAsync(authorizationUrl, cancellationToken);