test(auth): added tests to verify header propagation

Author: manusa

pkg/kubernetes/impersonate_roundtripper.go

@@ -2,11 +2,6 @@ package kubernetes
 
 import "net/http"
 
-const (
-	AuthorizationHeader            = "Kubernetes-Authorization"
-	AuthorizationBearerTokenHeader = "Kubernetes-Authorization-Bearer-Token"
-)
-
 type impersonateRoundTripper struct {
 	delegate http.RoundTripper
 }

pkg/kubernetes/kubernetes.go

@@ -19,6 +19,11 @@ import (
 	"sigs.k8s.io/yaml"
 )
 
+const (
+	AuthorizationHeader            = "Kubernetes-Authorization"
+	AuthorizationBearerTokenHeader = "kubernetes-authorization-bearer-token"
+)
+
 type CloseWatchKubeConfig func() error
 
 type Kubernetes struct {
@@ -126,28 +131,41 @@ func (k *Kubernetes) Derived(ctx context.Context) *Kubernetes {
 	if !ok {
 		return k
 	}
-	var _ error // TODO: ignored --> should be handled eventually
 	derivedCfg := rest.CopyConfig(k.cfg)
 	derivedCfg.BearerToken = bearerToken
 	derivedCfg.BearerTokenFile = ""
-	derivedCfg.AuthProvider = nil
 	derivedCfg.Username = ""
 	derivedCfg.Password = ""
+	derivedCfg.AuthProvider = nil
+	derivedCfg.AuthConfigPersister = nil
+	derivedCfg.ExecProvider = nil
 	derivedCfg.Impersonate = rest.ImpersonationConfig{}
-	clientcmdapiConfig, _ := k.clientCmdConfig.RawConfig()
-	clientcmdapiConfig.AuthInfos = make(map[string]*clientcmdapi.AuthInfo)
+	clientCmdApiConfig, err := k.clientCmdConfig.RawConfig()
+	if err != nil {
+		return k
+	}
+	clientCmdApiConfig.AuthInfos = make(map[string]*clientcmdapi.AuthInfo)
 	derived := &Kubernetes{
 		Kubeconfig:      k.Kubeconfig,
-		clientCmdConfig: clientcmd.NewDefaultClientConfig(clientcmdapiConfig, nil),
+		clientCmdConfig: clientcmd.NewDefaultClientConfig(clientCmdApiConfig, nil),
 		cfg:             derivedCfg,
+		scheme:          k.scheme,
+		parameterCodec:  k.parameterCodec,
+	}
+	derived.clientSet, err = kubernetes.NewForConfig(derived.cfg)
+	if err != nil {
+		return k
+	}
+	discoveryClient, err := discovery.NewDiscoveryClientForConfig(derived.cfg)
+	if err != nil {
+		return k
 	}
-	derived.clientSet, _ = kubernetes.NewForConfig(derived.cfg)
-	discoveryClient, _ := discovery.NewDiscoveryClientForConfig(derived.cfg)
 	derived.discoveryClient = memory.NewMemCacheClient(discoveryClient)
 	derived.deferredDiscoveryRESTMapper = restmapper.NewDeferredDiscoveryRESTMapper(memory.NewMemCacheClient(derived.discoveryClient))
-	derived.dynamicClient, _ = dynamic.NewForConfig(derived.cfg)
-	derived.scheme = runtime.NewScheme()
-	derived.parameterCodec = runtime.NewParameterCodec(derived.scheme)
+	derived.dynamicClient, err = dynamic.NewForConfig(derived.cfg)
+	if err != nil {
+		return k
+	}
 	derived.Helm = helm.NewHelm(derived)
 	return derived
 }

pkg/mcp/common_test.go

@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"github.com/mark3labs/mcp-go/client"
+	"github.com/mark3labs/mcp-go/client/transport"
 	"github.com/mark3labs/mcp-go/mcp"
 	"github.com/mark3labs/mcp-go/server"
 	"github.com/pkg/errors"
@@ -97,6 +98,7 @@ type mcpContext struct {
 	profile            Profile
 	readOnly           bool
 	disableDestructive bool
+	clientOptions      []transport.ClientOption
 	before             func(*mcpContext)
 	after              func(*mcpContext)
 	ctx                context.Context
@@ -124,8 +126,8 @@ func (c *mcpContext) beforeEach(t *testing.T) {
 		t.Fatal(err)
 		return
 	}
-	c.mcpHttpServer = server.NewTestServer(c.mcpServer.server)
-	if c.mcpClient, err = client.NewSSEMCPClient(c.mcpHttpServer.URL + "/sse"); err != nil {
+	c.mcpHttpServer = server.NewTestServer(c.mcpServer.server, server.WithSSEContextFunc(contextFunc))
+	if c.mcpClient, err = client.NewSSEMCPClient(c.mcpHttpServer.URL+"/sse", c.clientOptions...); err != nil {
 		t.Fatal(err)
 		return
 	}

pkg/mcp/mcp_test.go

@@ -2,7 +2,9 @@ package mcp
 
 import (
 	"context"
+	"github.com/mark3labs/mcp-go/client"
 	"github.com/mark3labs/mcp-go/mcp"
+	"net/http"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -88,3 +90,81 @@ func TestDisableDestructive(t *testing.T) {
 		})
 	})
 }
+
+func TestSseHeaders(t *testing.T) {
+	mockServer := NewMockServer()
+	defer mockServer.Close()
+	before := func(c *mcpContext) {
+		c.withKubeConfig(mockServer.config)
+		c.clientOptions = append(c.clientOptions, client.WithHeaders(map[string]string{"kubernetes-authorization-bearer-token": "a-token-from-mcp-client"}))
+	}
+	pathHeaders := make(map[string]http.Header, 0)
+	mockServer.Handle(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		pathHeaders[req.URL.Path] = req.Header.Clone()
+		// Request Performed by DiscoveryClient to Kube API (Get API Groups legacy -core-)
+		if req.URL.Path == "/api" {
+			w.Header().Set("Content-Type", "application/json")
+			_, _ = w.Write([]byte(`{"kind":"APIVersions","versions":["v1"],"serverAddressByClientCIDRs":[{"clientCIDR":"0.0.0.0/0"}]}`))
+			return
+		}
+		// Request Performed by DiscoveryClient to Kube API (Get API Groups)
+		if req.URL.Path == "/apis" {
+			w.Header().Set("Content-Type", "application/json")
+			//w.Write([]byte(`{"kind":"APIGroupList","apiVersion":"v1","groups":[{"name":"apps","versions":[{"groupVersion":"apps/v1","version":"v1"}],"preferredVersion":{"groupVersion":"apps/v1","version":"v1"}}]}`))
+			_, _ = w.Write([]byte(`{"kind":"APIGroupList","apiVersion":"v1","groups":[]}`))
+			return
+		}
+		// Request Performed by DiscoveryClient to Kube API (Get API Resources)
+		if req.URL.Path == "/api/v1" {
+			w.Header().Set("Content-Type", "application/json")
+			_, _ = w.Write([]byte(`{"kind":"APIResourceList","apiVersion":"v1","resources":[{"name":"pods","singularName":"","namespaced":true,"kind":"Pod","verbs":["get","list","watch","create","update","patch","delete"]}]}`))
+			return
+		}
+		// Request Performed by DynamicClient
+		if req.URL.Path == "/api/v1/namespaces/default/pods" {
+			w.Header().Set("Content-Type", "application/json")
+			_, _ = w.Write([]byte(`{"kind":"PodList","apiVersion":"v1","items":[]}`))
+			return
+		}
+		// Request Performed by kubernetes.Interface
+		if req.URL.Path == "/api/v1/namespaces/default/pods/a-pod-to-delete" {
+			w.WriteHeader(200)
+			return
+		}
+		w.WriteHeader(404)
+	}))
+	testCaseWithContext(t, &mcpContext{before: before}, func(c *mcpContext) {
+		c.callTool("pods_list", map[string]interface{}{})
+		t.Run("DiscoveryClient propagates headers to Kube API", func(t *testing.T) {
+			if len(pathHeaders) == 0 {
+				t.Fatalf("No requests were made to Kube API")
+			}
+			if pathHeaders["/api"] == nil || pathHeaders["/api"].Get("Authorization") != "Bearer a-token-from-mcp-client" {
+				t.Fatalf("Overridden header Authorization not found in request to /api")
+			}
+			if pathHeaders["/apis"] == nil || pathHeaders["/apis"].Get("Authorization") != "Bearer a-token-from-mcp-client" {
+				t.Fatalf("Overridden header Authorization not found in request to /apis")
+			}
+			if pathHeaders["/api/v1"] == nil || pathHeaders["/api/v1"].Get("Authorization") != "Bearer a-token-from-mcp-client" {
+				t.Fatalf("Overridden header Authorization not found in request to /api/v1")
+			}
+		})
+		t.Run("DynamicClient propagates headers to Kube API", func(t *testing.T) {
+			if len(pathHeaders) == 0 {
+				t.Fatalf("No requests were made to Kube API")
+			}
+			if pathHeaders["/api/v1/namespaces/default/pods"] == nil || pathHeaders["/api/v1/namespaces/default/pods"].Get("Authorization") != "Bearer a-token-from-mcp-client" {
+				t.Fatalf("Overridden header Authorization not found in request to /api/v1/namespaces/default/pods")
+			}
+		})
+		c.callTool("pods_delete", map[string]interface{}{"name": "a-pod-to-delete"})
+		t.Run("kubernetes.Interface propagates headers to Kube API", func(t *testing.T) {
+			if len(pathHeaders) == 0 {
+				t.Fatalf("No requests were made to Kube API")
+			}
+			if pathHeaders["/api/v1/namespaces/default/pods/a-pod-to-delete"] == nil || pathHeaders["/api/v1/namespaces/default/pods/a-pod-to-delete"].Get("Authorization") != "Bearer a-token-from-mcp-client" {
+				t.Fatalf("Overridden header Authorization not found in request to /api/v1/namespaces/default/pods/a-pod-to-delete")
+			}
+		})
+	})
+}