Skip to content

Expose UpstreamFilter through authserver.New facade#5733

Open
tgrunnagle wants to merge 3 commits into
mainfrom
awesome-cup
Open

Expose UpstreamFilter through authserver.New facade#5733
tgrunnagle wants to merge 3 commits into
mainfrom
awesome-cup

Conversation

@tgrunnagle

Copy link
Copy Markdown
Contributor

Summary

WithUpstreamFilter (added in #5725) let a caller narrow the upstream authorization chain, but it was only reachable through the low-level handlers.NewHandler constructor. The public pkg/authserver.New facade and its Config had no way to inject an UpstreamFilter, so any caller embedding the auth server through the facade could not install a filter at all.

This adds an UpstreamFilter field to authserver.Config and threads it into the handler options assembled in newServer, mirroring how the existing upstream-token refresher is already wired. A nil filter (the default) preserves current behavior of walking every configured upstream, so the change is fully backward-compatible.

Closes #5732

Type of change

  • New feature

Test plan

  • Unit tests (task test)
  • Linting (task lint-fix)

pkg/authserver/integration_test.go gains TestIntegration_MultiUpstreamChain_ConfigUpstreamFilter, which drives a two-upstream chain end-to-end through authserver.New with a Config.UpstreamFilter that drops the second provider, and asserts the handler redirects straight to the client after the first callback instead of continuing on to provider-2. The pre-existing TestIntegration_MultiUpstreamSequentialChain is unmodified and now implicitly covers the nil-filter (no-behavior-change) path through the same facade wiring. The full pkg/authserver suite passes, and gofmt/lint are clean on all three changed files.

Does this introduce a user-facing change?

No end-user or CLI-facing change. It adds a new optional field, Config.UpstreamFilter, to the public pkg/authserver.Config struct for Go callers that embed the auth server; existing callers are unaffected since a nil filter preserves today's behavior.

Special notes for reviewers

  • Follow-up to Filter upstream auth chain via callback hook #5725, which introduced handlers.UpstreamFilter / WithUpstreamFilter at the handler level but left them unreachable from the authserver.New facade.
  • server_impl.go gains a small buildHandlerOptions helper so the handlers.Option slice is assembled once, appending the filter option only when cfg.UpstreamFilter is non-nil.
  • The new integration test lives in integration_test.go rather than next to handler_chain_test.go as the issue suggested, since it specifically exercises the Configauthserver.Newhandlers.NewHandler wiring; the lower-level chain-narrowing logic (computeChain) is already unit-tested in handler_chain_test.go.
  • No in-repo caller currently sets Config.UpstreamFilter — wiring an actual filter policy for a real caller is out of scope for this issue and left as follow-up work.

Generated with Claude Code

WithUpstreamFilter (added in #5725) was only reachable via the
low-level handlers.NewHandler constructor, so a caller using the
public authserver.New facade had no way to install a filter.

Add Config.UpstreamFilter and thread it into the handler options
built for handlers.NewHandler, mirroring the existing refresher
wiring. A nil filter preserves current behavior.
@github-actions github-actions Bot added the size/S Small PR: 100-299 lines changed label Jul 6, 2026
@codecov

codecov Bot commented Jul 6, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.74%. Comparing base (609c0ad) to head (3451b89).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #5733      +/-   ##
==========================================
+ Coverage   70.68%   70.74%   +0.05%     
==========================================
  Files         682      682              
  Lines       68949    68958       +9     
==========================================
+ Hits        48736    48783      +47     
+ Misses      16665    16619      -46     
- Partials     3548     3556       +8     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@tgrunnagle tgrunnagle left a comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Multi-Agent Consensus Review

Agents consulted: architecture-api-design, security, test-coverage, general-code-quality

Consensus Summary

# Finding Consensus Severity Action
1 Config.Validate() doesn't guard against UpstreamFilter set with fewer than 2 upstreams 9/10 MEDIUM Fix
2 withUpstreamFilter test option is silently ignored by 4 of 5 setup helpers 8/10 MEDIUM Fix
3 Typed-nil interface value can defeat the nil-filter fast path 7/10 LOW Fix
4 New test duplicates leg-1 HTTP flow boilerplate 7/10 LOW Fix
5 Doc comment overstates a "second failure signal" that can't occur 7/10 LOW Fix

Overall

This threads the UpstreamFilter hook added in #5725 through the public authserver.Config/authserver.New facade, mirroring the existing UpstreamTokenRefresher wiring pattern exactly. The approach is sound: buildHandlerOptions preserves nil-filter backward compatibility byte-for-byte, there's no import cycle, and the new integration test proves the wiring with two independent signals (an HTTP status code and a storage-level assertion) rather than a shallow check.

The findings below are validation-gap and test-hygiene polish, not correctness defects. The one worth prioritizing is the Config.Validate() gap: a caller can set UpstreamFilter with a single configured upstream and get a silent no-op instead of a startup error, which cuts against this repo's own "fail loudly on invalid input" convention. The test-option no-op (a withUpstreamFilter option only 1 of 5 setup helpers actually honors) is a real footgun for future test authors, even though it doesn't touch production code. The rest are comment-accuracy and DRY nits in the new test.

Nothing here should block merge.


Generated with Claude Code

Comment thread pkg/authserver/config.go
Comment thread pkg/authserver/config.go Outdated
Comment thread pkg/authserver/integration_test.go Outdated
Comment thread pkg/authserver/integration_test.go Outdated
Comment thread pkg/authserver/integration_test.go
Addresses #5733 review comments:
- MEDIUM pkg/authserver/config.go (3533389467): Validate() now rejects
  UpstreamFilter set with fewer than 2 upstreams, since computeChain
  never consults the filter in that case and it would silently no-op.
- LOW pkg/authserver/config.go (3533389470): doc comment now warns that
  a typed-nil concrete pointer is a non-nil interface value and will
  still be wired in.
Addresses #5733 review comments:
- MEDIUM pkg/authserver/integration_test.go (3533389480): wire
  options.upstreamFilter into setupTestServer and
  setupTestServerWithOIDCProvider's Config literals so withUpstreamFilter
  no longer silently no-ops when applied to those helpers (or to
  setupTestServerWithMockOIDC, which delegates to setupTestServer).
- LOW pkg/authserver/integration_test.go (3533389475): extract the
  shared client->authorize->first-upstream->callback boilerplate into
  runFirstLeg, reused by runChainFlow and the new filter test.
- LOW pkg/authserver/integration_test.go (3533389477): reword the new
  test's doc comment, which overstated a "second failure signal" from
  mockoidc that can't actually occur given the test's control flow.
@github-actions github-actions Bot added size/S Small PR: 100-299 lines changed and removed size/S Small PR: 100-299 lines changed labels Jul 7, 2026
@tgrunnagle tgrunnagle marked this pull request as ready for review July 7, 2026 03:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size/S Small PR: 100-299 lines changed

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Expose UpstreamFilter through the pkg/authserver.New facade (Config passthrough)

1 participant