fix: Add validation to ensure added auth token getters are used by the tool

anubhav756 · anubhav756 · commit 6d49fdeb79bb · 2025-05-12T19:35:13.000+05:30
Previously, the `ToolboxTool.add_auth_token_getters` method only validated against existing registered getters or conflicts with client headers. It did not verify if *all* the auth token getters provided were actually used or required by the specific tool instance they were being added to.

This PR enhances the validation in `add_auth_token_getters`. It now leverages the `used_auth_token_getters` information returned by the existing `identify_required_authn_params` call. This allows the method to confirm that every getter passed in is genuinely required by the tool, raising an error if any are unused.

This ensures that only relevant auth token getters are attempted to be registered for a tool, preventing misconfigurations and human errors.

&gt; [!NOTE]
&gt; This validation aligns with the existing validation logic already present in the `ToolboxClient.load_tool` method, promoting a consistent approach to handling auth token getter requirements across the codebase.
diff --git a/packages/toolbox-core/src/toolbox_core/tool.py b/packages/toolbox-core/src/toolbox_core/tool.py
@@ -311,7 +311,7 @@ def add_auth_token_getters(
         new_getters = MappingProxyType(
             dict(self.__auth_service_token_getters, **auth_token_getters)
         )
-        # create a read-only updated for params that are still required
+        # find the updated required authn params and the auth token getters used
         new_req_authn_params, new_req_authz_tokens, used_auth_token_getters = (
             identify_required_authn_params(
                 self.__required_authn_params,
@@ -320,10 +320,16 @@ def add_auth_token_getters(
             )
         )
 
-        # TODO: Add validation for used_auth_token_getters
+        # ensure no auth token getter provided remains unused
+        unused_auth = set(incoming_services) - used_auth_token_getters
+        if unused_auth:
+            raise ValueError(
+                f"Authentication source(s) `{', '.join(unused_auth)}` unused by tool `{self.__name__}`."
+            )
 
         return self.__copy(
             auth_service_token_getters=new_getters,
+            # create a read-only map for params that are still required
             required_authn_params=MappingProxyType(new_req_authn_params),
             required_authz_tokens=new_req_authz_tokens,
         )
diff --git a/packages/toolbox-core/tests/test_tool.py b/packages/toolbox-core/tests/test_tool.py
@@ -11,8 +11,10 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+
+
 import inspect
-from typing import AsyncGenerator, Callable
+from typing import AsyncGenerator, Callable, Mapping
 from unittest.mock import AsyncMock, Mock
 
 import pytest
@@ -92,6 +94,12 @@ def auth_header_key() -> str:
     return "test-auth_token"
 
 
+@pytest.fixture
+def unused_auth_getters() -> dict[str, Callable[[], str]]:
+    """Provides an auth getter for a service not required by sample_tool."""
+    return {"unused-auth-service": lambda: "unused-token-value"}
+
+
 def test_create_func_docstring_one_param_real_schema():
     """
     Tests create_func_docstring with one real ParameterSchema instance.
@@ -432,3 +440,32 @@ def test_tool_add_auth_token_getters_conflict_with_existing_client_header(
 
     with pytest.raises(ValueError, match=expected_error_message):
         tool_instance.add_auth_token_getters(new_auth_getters_causing_conflict)
+
+
+def test_add_auth_token_getters_unused_token(
+    http_session: ClientSession,
+    sample_tool_params: list[ParameterSchema],
+    sample_tool_description: str,
+    unused_auth_getters: Mapping[str, Callable[[], str]],
+):
+    """
+    Tests ValueError when add_auth_token_getters is called with a getter for
+    an unused authentication service.
+    """
+    tool_instance = ToolboxTool(
+        session=http_session,
+        base_url=TEST_BASE_URL,
+        name=TEST_TOOL_NAME,
+        description=sample_tool_description,
+        params=sample_tool_params,
+        required_authn_params={},
+        required_authz_tokens=[],
+        auth_service_token_getters={},
+        bound_params={},
+        client_headers={},
+    )
+
+    expected_error_message = "Authentication source\(s\) \`unused-auth-service\` unused by tool \`sample_tool\`."
+
+    with pytest.raises(ValueError, match=expected_error_message):
+        tool_instance.add_auth_token_getters(unused_auth_getters)

Original file line number	Diff line number	Diff line change
`@@ -311,7 +311,7 @@ def add_auth_token_getters(`
`311`	`311`	`new_getters = MappingProxyType(`
`312`	`312`	`dict(self.__auth_service_token_getters, **auth_token_getters)`
`313`	`313`	`)`
`314`		`- # create a read-only updated for params that are still required`
	`314`	`+ # find the updated required authn params and the auth token getters used`
`315`	`315`	`new_req_authn_params, new_req_authz_tokens, used_auth_token_getters = (`
`316`	`316`	`identify_required_authn_params(`
`317`	`317`	`self.__required_authn_params,`
`@@ -320,10 +320,16 @@ def add_auth_token_getters(`
`320`	`320`	`)`
`321`	`321`	`)`
`322`	`322`
`323`		`- # TODO: Add validation for used_auth_token_getters`
	`323`	`+ # ensure no auth token getter provided remains unused`
	`324`	`+ unused_auth = set(incoming_services) - used_auth_token_getters`
	`325`	`+ if unused_auth:`
	`326`	`+ raise ValueError(`
	`327`	+ f"Authentication source(s) `{', '.join(unused_auth)}` unused by tool `{self.__name__}`."
	`328`	`+ )`
`324`	`329`
`325`	`330`	`return self.__copy(`
`326`	`331`	`auth_service_token_getters=new_getters,`
	`332`	`+ # create a read-only map for params that are still required`
`327`	`333`	`required_authn_params=MappingProxyType(new_req_authn_params),`
`328`	`334`	`required_authz_tokens=new_req_authz_tokens,`
`329`	`335`	`)`