Address PR review feedback on CIMD wiring and add missing tests

amirejaz · claude · amirejaz · commit 233b73aaab2a · 2026-05-22T15:34:21.000+05:00
- Fix CacheFallbackTTL comment to say it is a fixed TTL (not fallback); matches the fix already applied in PR #5343 - Add TODO(cimd) comment above CIMDRunConfig noting the CRD exposure gap - Add discovery handler tests: CIMDEnabled=true advertises the flag, CIMDEnabled=false omits it, for both AS metadata and OIDC endpoints - Add config defaults tests: CIMDEnabled=true fills in cache size/TTL defaults; CIMDEnabled=false leaves zero fields unchanged - Add resolveCIMDConfig nil-guard test: nil input returns zero values, non-nil passes all fields through Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
diff --git a/pkg/authserver/config.go b/pkg/authserver/config.go
@@ -124,6 +124,10 @@ func (c *RunConfig) validateBaselineClientScopes() error {
 }
 
 // CIMDRunConfig controls client_id metadata document (CIMD) support.
+//
+// TODO(cimd): expose these fields in the MCPExternalAuthConfig CRD so Kubernetes
+// operators can configure CIMD through the normal CRD workflow instead of
+// writing RunConfig YAML directly.
 type CIMDRunConfig struct {
 	// Enabled activates CIMD client lookup when true.
 	Enabled bool `json:"enabled" yaml:"enabled"`
@@ -132,8 +136,8 @@ type CIMDRunConfig struct {
 	// Defaults to 256 when Enabled is true and this field is zero.
 	CacheMaxSize int `json:"cache_max_size,omitempty" yaml:"cache_max_size,omitempty"`
 
-	// CacheFallbackTTL is how long a cached CIMD document is considered valid when
-	// the fetched document carries no Cache-Control header.
+	// CacheFallbackTTL is the fixed TTL applied to every cached CIMD document.
+	// Cache-Control header parsing is not yet implemented; all entries use this value.
 	// Defaults to 5 minutes when Enabled is true and this field is zero.
 	//nolint:lll // field tags require full JSON+YAML names
 	CacheFallbackTTL time.Duration `json:"cache_fallback_ttl,omitempty" yaml:"cache_fallback_ttl,omitempty" swaggertype:"string" example:"5m"`
diff --git a/pkg/authserver/config_test.go b/pkg/authserver/config_test.go
@@ -589,3 +589,49 @@ func TestConfigApplyDefaults_BaselineClientScopes(t *testing.T) {
 		})
 	}
 }
+
+func TestConfigApplyDefaults_CIMD(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name            string
+		cfg             Config
+		wantMaxSize     int
+		wantFallbackTTL time.Duration
+	}{
+		{
+			name:            "CIMD enabled with zero fields applies defaults",
+			cfg:             Config{Issuer: "https://example.com", CIMDEnabled: true},
+			wantMaxSize:     256,
+			wantFallbackTTL: 5 * time.Minute,
+		},
+		{
+			name: "CIMD enabled preserves non-zero values",
+			cfg: Config{
+				Issuer:               "https://example.com",
+				CIMDEnabled:          true,
+				CIMDCacheMaxSize:     128,
+				CIMDCacheFallbackTTL: 10 * time.Minute,
+			},
+			wantMaxSize:     128,
+			wantFallbackTTL: 10 * time.Minute,
+		},
+		{
+			name:            "CIMD disabled leaves zero fields unchanged",
+			cfg:             Config{Issuer: "https://example.com", CIMDEnabled: false},
+			wantMaxSize:     0,
+			wantFallbackTTL: 0,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			cfg := tt.cfg
+			err := cfg.applyDefaults()
+			require.NoError(t, err)
+			require.Equal(t, tt.wantMaxSize, cfg.CIMDCacheMaxSize)
+			require.Equal(t, tt.wantFallbackTTL, cfg.CIMDCacheFallbackTTL)
+		})
+	}
+}
diff --git a/pkg/authserver/runner/embeddedauthserver_test.go b/pkg/authserver/runner/embeddedauthserver_test.go
@@ -2035,3 +2035,28 @@ func TestNewEmbeddedAuthServer_DeferredCleanupSanitizesLog(t *testing.T) {
 	assert.Contains(t, logged, "redis.example.com",
 		"closeErr host must remain in the Warn record after sanitisation")
 }
+
+func TestResolveCIMDConfig(t *testing.T) {
+	t.Parallel()
+
+	t.Run("nil input returns zero values", func(t *testing.T) {
+		t.Parallel()
+		enabled, size, ttl := resolveCIMDConfig(nil)
+		assert.False(t, enabled)
+		assert.Zero(t, size)
+		assert.Zero(t, ttl)
+	})
+
+	t.Run("non-nil input passes values through", func(t *testing.T) {
+		t.Parallel()
+		cfg := &authserver.CIMDRunConfig{
+			Enabled:          true,
+			CacheMaxSize:     128,
+			CacheFallbackTTL: 10 * time.Minute,
+		}
+		enabled, size, ttl := resolveCIMDConfig(cfg)
+		assert.True(t, enabled)
+		assert.Equal(t, 128, size)
+		assert.Equal(t, 10*time.Minute, ttl)
+	})
+}
diff --git a/pkg/authserver/server/handlers/handlers_test.go b/pkg/authserver/server/handlers/handlers_test.go
@@ -38,6 +38,7 @@ import (
 // testSetupOptions allows customizing the test handler setup.
 type testSetupOptions struct {
 	AuthorizationEndpointBaseURL string
+	CIMDEnabled                  bool
 }
 
 // testSetup creates a Handler with all dependencies for testing.
@@ -66,6 +67,7 @@ func testSetupWithOptions(t *testing.T, opts testSetupOptions) *Handler {
 	cfg := &server.AuthorizationServerParams{
 		Issuer:                       "https://auth.example.com",
 		AuthorizationEndpointBaseURL: opts.AuthorizationEndpointBaseURL,
+		CIMDEnabled:                  opts.CIMDEnabled,
 		AccessTokenLifespan:          time.Hour,
 		RefreshTokenLifespan:         time.Hour * 24,
 		AuthCodeLifespan:             time.Minute * 10,
@@ -340,3 +342,57 @@ func TestWellKnownRoutes(t *testing.T) {
 }
 
 // TODO: Add TestOAuthRoutes once OAuth handlers are implemented
+
+func TestDiscoveryHandlers_CIMDEnabled_AdvertisesSupport(t *testing.T) {
+	t.Parallel()
+
+	handler := testSetupWithOptions(t, testSetupOptions{CIMDEnabled: true})
+
+	for _, tc := range []struct {
+		name string
+		fn   func(http.ResponseWriter, *http.Request)
+	}{
+		{"OAuth AS metadata", handler.OAuthDiscoveryHandler},
+		{"OIDC discovery", handler.OIDCDiscoveryHandler},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			req := httptest.NewRequest(http.MethodGet, "/", nil)
+			rec := httptest.NewRecorder()
+			tc.fn(rec, req)
+			require.Equal(t, http.StatusOK, rec.Code)
+
+			var meta sharedobauth.AuthorizationServerMetadata
+			require.NoError(t, json.NewDecoder(rec.Body).Decode(&meta))
+			assert.True(t, meta.ClientIDMetadataDocumentSupported,
+				"client_id_metadata_document_supported must be true when CIMD is enabled")
+		})
+	}
+}
+
+func TestDiscoveryHandlers_CIMDDisabled_OmitsFlag(t *testing.T) {
+	t.Parallel()
+
+	handler := testSetupWithOptions(t, testSetupOptions{CIMDEnabled: false})
+
+	for _, tc := range []struct {
+		name string
+		fn   func(http.ResponseWriter, *http.Request)
+	}{
+		{"OAuth AS metadata", handler.OAuthDiscoveryHandler},
+		{"OIDC discovery", handler.OIDCDiscoveryHandler},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			req := httptest.NewRequest(http.MethodGet, "/", nil)
+			rec := httptest.NewRecorder()
+			tc.fn(rec, req)
+			require.Equal(t, http.StatusOK, rec.Code)
+
+			var meta sharedobauth.AuthorizationServerMetadata
+			require.NoError(t, json.NewDecoder(rec.Body).Decode(&meta))
+			assert.False(t, meta.ClientIDMetadataDocumentSupported,
+				"client_id_metadata_document_supported must be absent when CIMD is disabled")
+		})
+	}
+}
