
Commit fde4b1d

test(auth): complete test cases for token validation (#253)
Signed-off-by: Marc Nuri <[email protected]>
1 parent dfcecd5 commit fde4b1d


1 file changed

+20
-0
lines changed


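--- a/pkg/http/http_test.go
+++ b/pkg/http/http_test.go
@@ -619,10 +619,12 @@ func TestAuthorizationRawToken(t *testing.T) {
 }
 for _, c := range cases {
 testCaseWithContext(t, &httpContext{StaticConfig: &config.StaticConfig{RequireOAuth: true, OAuthAudience: c.audience, ValidateToken: c.validateToken}}, func(ctx *httpContext) {
+tokenReviewed := false
 ctx.mockServer.Handle(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 if req.URL.EscapedPath() == "/apis/authentication.k8s.io/v1/tokenreviews" {
 w.Header().Set("Content-Type", "application/json")
 _, _ = w.Write([]byte(tokenReviewSuccessful))
+tokenReviewed = true
 return
 }
 }))
@@ -641,6 +643,14 @@ func TestAuthorizationRawToken(t *testing.T) {
 t.Errorf("Expected HTTP 200 OK, got %d", resp.StatusCode)
 }
 })
+t.Run(fmt.Sprintf("Protected resource with audience = '%s' and validate-token = '%t', with VALID Authorization header performs token validation accordingly", c.audience, c.validateToken), func(t *testing.T) {
+if tokenReviewed == true && !c.validateToken {
+t.Errorf("Expected token review to be skipped when validate-token is false, but it was performed")
+}
+if tokenReviewed == false && c.validateToken {
+t.Errorf("Expected token review to be performed when validate-token is true, but it was skipped")
+}
+})
 })
 }
 
@@ -658,10 +668,12 @@ func TestAuthorizationOidcToken(t *testing.T) {
 cases := []bool{false, true}
 for _, validateToken := range cases {
 testCaseWithContext(t, &httpContext{StaticConfig: &config.StaticConfig{RequireOAuth: true, OAuthAudience: "mcp-server", ValidateToken: validateToken}, OidcProvider: oidcProvider}, func(ctx *httpContext) {
+tokenReviewed := false
 ctx.mockServer.Handle(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 if req.URL.EscapedPath() == "/apis/authentication.k8s.io/v1/tokenreviews" {
 w.Header().Set("Content-Type", "application/json")
 _, _ = w.Write([]byte(tokenReviewSuccessful))
+tokenReviewed = true
 return
 }
 }))
@@ -680,6 +692,14 @@ func TestAuthorizationOidcToken(t *testing.T) {
 t.Errorf("Expected HTTP 200 OK, got %d", resp.StatusCode)
 }
 })
+t.Run(fmt.Sprintf("Protected resource with validate-token='%t' with VALID OIDC Authorization header performs token validation accordingly", validateToken), func(t *testing.T) {
+if tokenReviewed == true && !validateToken {
+t.Errorf("Expected token review to be skipped when validate-token is false, but it was performed")
+}
+if tokenReviewed == false && validateToken {
+t.Errorf("Expected token review to be performed when validate-token is true, but it was skipped")
+}
+})
 })
 
 }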
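Review bot: `tokenReviewed` is written inside the mock server's handler (`tokenReviewed = true`, in the first hunk of each function) and read in the new final `t.Run` from the test goroutine with no Go-level synchronization between them, so `go test -race` will likely report a data race on this flag; the same pattern appears in TestAuthorizationOidcToken (third and fourth hunks). Declaring it as `var tokenReviewed atomic.Bool`, setting it with `tokenReviewed.Store(true)` and reading it with `tokenReviewed.Load()` (import `sync/atomic`) removes the race without changing what the test checks. As a matter of style, `tokenReviewed == true` / `tokenReviewed == false` should be the bare boolean, and the two `if`s collapse to one check such as `if tokenReviewed.Load() != c.validateToken { t.Errorf("token review performed = %t, want %t (validate-token)", tokenReviewed.Load(), c.validateToken) }`. Note that this subtest only observes the flag and relies on the preceding `t.Run` in the same closure having issued the authenticated request, so running it in isolation with `-run` would report a spurious "skipped" failure; a short comment saying so above the `t.Run` would help the next maintainer. Both enclosing functions start and end outside the hunks.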
