feat: auth handles multi-cluster case correctly

Cali0707 · Cali0707 · commit 3ae349160aa7 · 2025-10-01T14:17:22.000-04:00
Signed-off-by: Calum Murray &lt;cmurray@redhat.com&gt;
diff --git a/pkg/http/authorization.go b/pkg/http/authorization.go
@@ -24,10 +24,12 @@ import (
 type KubernetesApiTokenVerifier interface {
 	// KubernetesApiVerifyToken TODO: clarify proper implementation
 	KubernetesApiVerifyToken(ctx context.Context, token, audience, cluster string) (*authenticationapiv1.UserInfo, []string, error)
+	// GetTargetParameterName returns the parameter name used for target identification in MCP requests
+	GetTargetParameterName() string
 }
 
-// extractClusterFromRequest extracts cluster parameter from MCP request body
-func extractClusterFromRequest(r *http.Request) (string, error) {
+// extractTargetFromRequest extracts cluster parameter from MCP request body
+func extractTargetFromRequest(r *http.Request, targetName string) (string, error) {
 	if r.Body == nil {
 		return "", nil
 	}
@@ -53,8 +55,8 @@ func extractClusterFromRequest(r *http.Request) (string, error) {
 		return "", nil
 	}
 
-	// Extract cluster parameter
-	if cluster, ok := mcpRequest.Params.Arguments["cluster"].(string); ok {
+	// Extract target parameter
+	if cluster, ok := mcpRequest.Params.Arguments[targetName].(string); ok {
 		return cluster, nil
 	}
 
@@ -166,7 +168,8 @@ func AuthorizationMiddleware(staticConfig *config.StaticConfig, oidcProvider *oi
 			}
 			// Kubernetes API Server TokenReview validation
 			if err == nil && staticConfig.ValidateToken {
-				cluster, clusterErr := extractClusterFromRequest(r)
+				targetParameterName := verifier.GetTargetParameterName()
+				cluster, clusterErr := extractTargetFromRequest(r, targetParameterName)
 				if clusterErr != nil {
 					klog.V(2).Infof("Failed to extract cluster from request, using default: %v", clusterErr)
 				}

Original file line number	Diff line number	Diff line change
`@@ -24,10 +24,12 @@ import (`
`24`	`24`	`type KubernetesApiTokenVerifier interface {`
`25`	`25`	`// KubernetesApiVerifyToken TODO: clarify proper implementation`
`26`	`26`	`KubernetesApiVerifyToken(ctx context.Context, token, audience, cluster string) (*authenticationapiv1.UserInfo, []string, error)`
	`27`	`+ // GetTargetParameterName returns the parameter name used for target identification in MCP requests`
	`28`	`+ GetTargetParameterName() string`
`27`	`29`	`}`
`28`	`30`
`29`		`-// extractClusterFromRequest extracts cluster parameter from MCP request body`
`30`		`-func extractClusterFromRequest(r *http.Request) (string, error) {`
	`31`	`+// extractTargetFromRequest extracts cluster parameter from MCP request body`
	`32`	`+func extractTargetFromRequest(r *http.Request, targetName string) (string, error) {`
`31`	`33`	`if r.Body == nil {`
`32`	`34`	`return "", nil`
`33`	`35`	`}`
`@@ -53,8 +55,8 @@ func extractClusterFromRequest(r *http.Request) (string, error) {`
`53`	`55`	`return "", nil`
`54`	`56`	`}`
`55`	`57`
`56`		`- // Extract cluster parameter`
`57`		`- if cluster, ok := mcpRequest.Params.Arguments["cluster"].(string); ok {`
	`58`	`+ // Extract target parameter`
	`59`	`+ if cluster, ok := mcpRequest.Params.Arguments[targetName].(string); ok {`
`58`	`60`	`return cluster, nil`
`59`	`61`	`}`
`60`	`62`
`@@ -166,7 +168,8 @@ func AuthorizationMiddleware(staticConfig config.StaticConfig, oidcProvider oi`
`166`	`168`	`}`
`167`	`169`	`// Kubernetes API Server TokenReview validation`
`168`	`170`	`if err == nil && staticConfig.ValidateToken {`
`169`		`- cluster, clusterErr := extractClusterFromRequest(r)`
	`171`	`+ targetParameterName := verifier.GetTargetParameterName()`
	`172`	`+ cluster, clusterErr := extractTargetFromRequest(r, targetParameterName)`
`170`	`173`	`if clusterErr != nil {`
`171`	`174`	`klog.V(2).Infof("Failed to extract cluster from request, using default: %v", clusterErr)`
`172`	`175`	`}`