|
| 1 | +//go:build server |
| 2 | + |
| 3 | +package config |
| 4 | + |
| 5 | +import ( |
| 6 | + "encoding/json" |
| 7 | + "testing" |
| 8 | + |
| 9 | + "github.com/stretchr/testify/assert" |
| 10 | + "github.com/stretchr/testify/require" |
| 11 | +) |
| 12 | + |
| 13 | +// baseValidConfig returns a minimal Config that passes Validate() so individual |
| 14 | +// tests only need to mutate the single server under test. |
| 15 | +func baseValidConfig(server *ServerConfig) *Config { |
| 16 | + return &Config{ |
| 17 | + Listen: "127.0.0.1:8080", |
| 18 | + ToolsLimit: 15, |
| 19 | + ToolResponseLimit: 1000, |
| 20 | + CallToolTimeout: Duration(60000000000), |
| 21 | + Servers: []*ServerConfig{server}, |
| 22 | + } |
| 23 | +} |
| 24 | + |
| 25 | +func TestAuthBrokerConfig_ApplyDefaults(t *testing.T) { |
| 26 | + t.Run("fills header and header_format when empty", func(t *testing.T) { |
| 27 | + b := &AuthBrokerConfig{Mode: AuthBrokerModeTokenExchange, TokenEndpoint: "https://idp/token"} |
| 28 | + b.ApplyDefaults() |
| 29 | + assert.Equal(t, "Authorization", b.Header) |
| 30 | + assert.Equal(t, "Bearer {token}", b.HeaderFormat) |
| 31 | + }) |
| 32 | + |
| 33 | + t.Run("preserves custom header and header_format", func(t *testing.T) { |
| 34 | + b := &AuthBrokerConfig{ |
| 35 | + Mode: AuthBrokerModeTokenExchange, |
| 36 | + TokenEndpoint: "https://idp/token", |
| 37 | + Header: "X-Upstream-Auth", |
| 38 | + HeaderFormat: "token {token}", |
| 39 | + } |
| 40 | + b.ApplyDefaults() |
| 41 | + assert.Equal(t, "X-Upstream-Auth", b.Header) |
| 42 | + assert.Equal(t, "token {token}", b.HeaderFormat) |
| 43 | + }) |
| 44 | +} |
| 45 | + |
| 46 | +func TestAuthBroker_ValidHTTPBroker(t *testing.T) { |
| 47 | + server := &ServerConfig{ |
| 48 | + Name: "github", |
| 49 | + Protocol: "http", |
| 50 | + URL: "https://api.github.com/mcp", |
| 51 | + AuthBroker: &AuthBrokerConfig{ |
| 52 | + Mode: AuthBrokerModeTokenExchange, |
| 53 | + TokenEndpoint: "https://idp.example.com/token", |
| 54 | + Resource: "https://api.github.com", |
| 55 | + Scopes: []string{"repo"}, |
| 56 | + ClientID: "client-123", |
| 57 | + ClientSecret: "secret-xyz", |
| 58 | + }, |
| 59 | + } |
| 60 | + cfg := baseValidConfig(server) |
| 61 | + require.NoError(t, cfg.Validate()) |
| 62 | + |
| 63 | + // Defaults applied to the in-place broker after Validate(). |
| 64 | + assert.Equal(t, "Authorization", server.AuthBroker.Header) |
| 65 | + assert.Equal(t, "Bearer {token}", server.AuthBroker.HeaderFormat) |
| 66 | +} |
| 67 | + |
| 68 | +func TestAuthBroker_RejectedOnStdio(t *testing.T) { |
| 69 | + server := &ServerConfig{ |
| 70 | + Name: "local", |
| 71 | + Protocol: "stdio", |
| 72 | + Command: "npx", |
| 73 | + Args: []string{"some-mcp"}, |
| 74 | + AuthBroker: &AuthBrokerConfig{ |
| 75 | + Mode: AuthBrokerModeTokenExchange, |
| 76 | + TokenEndpoint: "https://idp.example.com/token", |
| 77 | + }, |
| 78 | + } |
| 79 | + cfg := baseValidConfig(server) |
| 80 | + err := cfg.Validate() |
| 81 | + require.Error(t, err) |
| 82 | + assert.Contains(t, err.Error(), "unsupported in this phase") |
| 83 | +} |
| 84 | + |
| 85 | +func TestAuthBroker_RejectedOnImpliedStdio(t *testing.T) { |
| 86 | + // No protocol + Command set => stdio by inference; broker must be rejected. |
| 87 | + server := &ServerConfig{ |
| 88 | + Name: "local-implied", |
| 89 | + Command: "npx", |
| 90 | + AuthBroker: &AuthBrokerConfig{ |
| 91 | + Mode: AuthBrokerModeTokenExchange, |
| 92 | + TokenEndpoint: "https://idp.example.com/token", |
| 93 | + }, |
| 94 | + } |
| 95 | + cfg := baseValidConfig(server) |
| 96 | + err := cfg.Validate() |
| 97 | + require.Error(t, err) |
| 98 | + assert.Contains(t, err.Error(), "unsupported in this phase") |
| 99 | +} |
| 100 | + |
| 101 | +func TestAuthBroker_InvalidMode(t *testing.T) { |
| 102 | + server := &ServerConfig{ |
| 103 | + Name: "github", |
| 104 | + Protocol: "http", |
| 105 | + URL: "https://api.github.com/mcp", |
| 106 | + AuthBroker: &AuthBrokerConfig{ |
| 107 | + Mode: "magic", |
| 108 | + TokenEndpoint: "https://idp.example.com/token", |
| 109 | + }, |
| 110 | + } |
| 111 | + cfg := baseValidConfig(server) |
| 112 | + err := cfg.Validate() |
| 113 | + require.Error(t, err) |
| 114 | + assert.Contains(t, err.Error(), "mode") |
| 115 | +} |
| 116 | + |
| 117 | +func TestAuthBroker_MissingRequiredFields(t *testing.T) { |
| 118 | + t.Run("missing mode", func(t *testing.T) { |
| 119 | + cfg := baseValidConfig(&ServerConfig{ |
| 120 | + Name: "github", Protocol: "http", URL: "https://api.github.com/mcp", |
| 121 | + AuthBroker: &AuthBrokerConfig{TokenEndpoint: "https://idp/token"}, |
| 122 | + }) |
| 123 | + require.Error(t, cfg.Validate()) |
| 124 | + }) |
| 125 | + t.Run("missing token_endpoint", func(t *testing.T) { |
| 126 | + cfg := baseValidConfig(&ServerConfig{ |
| 127 | + Name: "github", Protocol: "http", URL: "https://api.github.com/mcp", |
| 128 | + AuthBroker: &AuthBrokerConfig{Mode: AuthBrokerModeEntraOBO}, |
| 129 | + }) |
| 130 | + require.Error(t, cfg.Validate()) |
| 131 | + }) |
| 132 | +} |
| 133 | + |
| 134 | +func TestAuthBroker_AllValidModes(t *testing.T) { |
| 135 | + for _, mode := range []string{AuthBrokerModeTokenExchange, AuthBrokerModeEntraOBO, AuthBrokerModeOAuthConnect} { |
| 136 | + t.Run(mode, func(t *testing.T) { |
| 137 | + cfg := baseValidConfig(&ServerConfig{ |
| 138 | + Name: "s", Protocol: "streamable-http", URL: "https://x/mcp", |
| 139 | + AuthBroker: &AuthBrokerConfig{Mode: mode, TokenEndpoint: "https://idp/token"}, |
| 140 | + }) |
| 141 | + require.NoError(t, cfg.Validate()) |
| 142 | + }) |
| 143 | + } |
| 144 | +} |
| 145 | + |
| 146 | +func TestAuthBroker_NoBrokerUnaffected(t *testing.T) { |
| 147 | + // Servers without a broker block validate exactly as before (FR-003). |
| 148 | + cfg := baseValidConfig(&ServerConfig{Name: "plain", Protocol: "stdio", Command: "echo"}) |
| 149 | + require.NoError(t, cfg.Validate()) |
| 150 | +} |
| 151 | + |
| 152 | +func TestAuthBroker_JSONRoundTrip(t *testing.T) { |
| 153 | + raw := `{ |
| 154 | + "name": "github", |
| 155 | + "protocol": "http", |
| 156 | + "url": "https://api.github.com/mcp", |
| 157 | + "auth_broker": { |
| 158 | + "mode": "entra_obo", |
| 159 | + "token_endpoint": "https://login.microsoftonline.com/tenant/oauth2/v2.0/token", |
| 160 | + "resource": "api://upstream", |
| 161 | + "scopes": ["user.read"], |
| 162 | + "client_id": "abc", |
| 163 | + "client_secret": "def", |
| 164 | + "header": "X-Auth", |
| 165 | + "header_format": "Bearer {token}" |
| 166 | + } |
| 167 | + }` |
| 168 | + var sc ServerConfig |
| 169 | + require.NoError(t, json.Unmarshal([]byte(raw), &sc)) |
| 170 | + require.NotNil(t, sc.AuthBroker) |
| 171 | + assert.Equal(t, AuthBrokerModeEntraOBO, sc.AuthBroker.Mode) |
| 172 | + assert.Equal(t, "api://upstream", sc.AuthBroker.Resource) |
| 173 | + assert.Equal(t, []string{"user.read"}, sc.AuthBroker.Scopes) |
| 174 | + assert.Equal(t, "X-Auth", sc.AuthBroker.Header) |
| 175 | +} |
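Review bot: TestAuthBroker_MissingRequiredFields covers an empty `token_endpoint`, but no test in this file exercises a plaintext (`http://`) or unparseable one; every case uses an `https://` endpoint. The broker block carries `ClientSecret`, which is presumably sent to that endpoint, so a negative case is worth pinning here. Whether Validate() enforces the scheme is not visible in this file; if it does not, the subtest below will fail and the check belongs in Validate(). The two existing subtests also assert only `require.Error`, so they would pass on an unrelated validation failure; checking the message, as TestAuthBroker_InvalidMode does with `assert.Contains(t, err.Error(), "mode")`, would tie each to the field it names.

```go
func TestAuthBroker_MissingRequiredFields(t *testing.T) {
	// … unchanged: "missing mode" and "missing token_endpoint" subtests …
	t.Run("plaintext token_endpoint", func(t *testing.T) {
		cfg := baseValidConfig(&ServerConfig{
			Name: "github", Protocol: "http", URL: "https://api.github.com/mcp",
			AuthBroker: &AuthBrokerConfig{
				Mode:          AuthBrokerModeTokenExchange,
				TokenEndpoint: "http://idp/token", // constructed sample: non-TLS endpoint
			},
		})
		// Expected to fail validation: client credentials must not travel in cleartext.
		require.Error(t, cfg.Validate())
	})
```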