reorg

dogacancolak · dogacancolak · commit 3e4407d2dd44 · 2025-08-29T20:10:09.000-04:00
diff --git a/tests/client/test_auth.py b/tests/client/test_auth.py
@@ -78,6 +78,11 @@ async def callback_handler() -> tuple[str, str | None]:
         callback_handler=callback_handler,
     )
 
+@pytest.fixture
+def oauth_provider_without_scope(oauth_provider: OAuthClientProvider) -> OAuthClientProvider:
+    """Create OAuth provider without predefined scope."""
+    oauth_provider.context.client_metadata.scope = None
+    return oauth_provider
 
 class TestPKCEParameters:
     """Test PKCE parameter generation."""
@@ -391,6 +396,130 @@ async def test_handle_metadata_response_success(self, oauth_provider: OAuthClien
         assert oauth_provider.context.oauth_metadata is not None
         assert str(oauth_provider.context.oauth_metadata.issuer) == "https://auth.example.com/"
 
+    @pytest.mark.anyio
+    async def test_prioritize_prm_scopes_over_oauth_metadata(self, oauth_provider_without_scope: OAuthClientProvider):
+        """Test that PRM scopes are prioritized over auth server metadata scopes."""
+        provider = oauth_provider_without_scope
+
+        # Set up PRM metadata with specific scopes
+        provider.context.protected_resource_metadata = ProtectedResourceMetadata(
+            resource=AnyHttpUrl("https://api.example.com/v1/mcp"),
+            authorization_servers=[AnyHttpUrl("https://auth.example.com")],
+            scopes_supported=["resource:read", "resource:write"],
+        )
+
+        # Create OAuth metadata response with different scopes
+        oauth_metadata_response = httpx.Response(
+            200,
+            content=(
+                b'{"issuer": "https://auth.example.com", '
+                b'"authorization_endpoint": "https://auth.example.com/authorize", '
+                b'"token_endpoint": "https://auth.example.com/token", '
+                b'"registration_endpoint": "https://auth.example.com/register", '
+                b'"scopes_supported": ["read", "write", "admin"]}'
+            ),
+        )
+
+        # Process the OAuth metadata
+        await provider._handle_oauth_metadata_response(oauth_metadata_response)
+
+        # Verify that PRM scopes are used (not OAuth metadata scopes)
+        assert provider.context.client_metadata.scope == "resource:read resource:write"
+
+    @pytest.mark.anyio
+    async def test_fallback_to_oauth_metadata_scopes_when_no_prm_scopes(
+        self, oauth_provider_without_scope: OAuthClientProvider
+    ):
+        """Test fallback to OAuth metadata scopes when PRM has no scopes."""
+        provider = oauth_provider_without_scope
+
+        # Set up PRM metadata without scopes
+        provider.context.protected_resource_metadata = ProtectedResourceMetadata(
+            resource=AnyHttpUrl("https://api.example.com/v1/mcp"),
+            authorization_servers=[AnyHttpUrl("https://auth.example.com")],
+            scopes_supported=None,  # No scopes in PRM
+        )
+
+        # Create OAuth metadata response with scopes
+        oauth_metadata_response = httpx.Response(
+            200,
+            content=(
+                b'{"issuer": "https://auth.example.com", '
+                b'"authorization_endpoint": "https://auth.example.com/authorize", '
+                b'"token_endpoint": "https://auth.example.com/token", '
+                b'"registration_endpoint": "https://auth.example.com/register", '
+                b'"scopes_supported": ["read", "write", "admin"]}'
+            ),
+        )
+
+        # Process the OAuth metadata
+        await provider._handle_oauth_metadata_response(oauth_metadata_response)
+
+        # Verify that OAuth metadata scopes are used as fallback
+        assert provider.context.client_metadata.scope == "read write admin"
+
+    @pytest.mark.anyio
+    async def test_no_scope_changes_when_both_missing(self, oauth_provider_without_scope: OAuthClientProvider):
+        """Test that no scope changes occur when both PRM and OAuth metadata lack scopes."""
+        provider = oauth_provider_without_scope
+
+        # Set up PRM metadata without scopes
+        provider.context.protected_resource_metadata = ProtectedResourceMetadata(
+            resource=AnyHttpUrl("https://api.example.com/v1/mcp"),
+            authorization_servers=[AnyHttpUrl("https://auth.example.com")],
+            scopes_supported=None,  # No scopes in PRM
+        )
+
+        # Create OAuth metadata response without scopes
+        oauth_metadata_response = httpx.Response(
+            200,
+            content=(
+                b'{"issuer": "https://auth.example.com", '
+                b'"authorization_endpoint": "https://auth.example.com/authorize", '
+                b'"token_endpoint": "https://auth.example.com/token", '
+                b'"registration_endpoint": "https://auth.example.com/register"}'
+                # No scopes_supported field
+            ),
+        )
+
+        # Process the OAuth metadata
+        await provider._handle_oauth_metadata_response(oauth_metadata_response)
+
+        # Verify that scope remains None
+        assert provider.context.client_metadata.scope is None
+
+    @pytest.mark.anyio
+    async def test_preserve_existing_client_scope(
+        self, oauth_provider: OAuthClientProvider
+    ):
+        """Test that existing client scope is preserved regardless of metadata."""
+        provider = oauth_provider
+
+        # Set up PRM metadata with scopes
+        provider.context.protected_resource_metadata = ProtectedResourceMetadata(
+            resource=AnyHttpUrl("https://api.example.com/v1/mcp"),
+            authorization_servers=[AnyHttpUrl("https://auth.example.com")],
+            scopes_supported=["resource:read", "resource:write"],
+        )
+
+        # Create OAuth metadata response with scopes
+        oauth_metadata_response = httpx.Response(
+            200,
+            content=(
+                b'{"issuer": "https://auth.example.com", '
+                b'"authorization_endpoint": "https://auth.example.com/authorize", '
+                b'"token_endpoint": "https://auth.example.com/token", '
+                b'"registration_endpoint": "https://auth.example.com/register", '
+                b'"scopes_supported": ["read", "write", "admin"]}'
+            ),
+        )
+
+        # Process the OAuth metadata
+        await provider._handle_oauth_metadata_response(oauth_metadata_response)
+
+        # Verify that predefined scope is preserved
+        assert provider.context.client_metadata.scope == "read write"
+
     @pytest.mark.anyio
     async def test_register_client_request(self, oauth_provider: OAuthClientProvider):
         """Test client registration request building."""
@@ -960,180 +1089,3 @@ async def callback_handler() -> tuple[str, str | None]:
         result = provider._extract_resource_metadata_from_www_auth(init_response)
         assert result is None, f"Should return None for {description}"
 
-
-@pytest.fixture
-def client_metadata_no_scope() -> OAuthClientMetadata:
-    """Client metadata without a predefined scope."""
-    return OAuthClientMetadata(
-        client_name="Test Client",
-        client_uri=AnyHttpUrl("https://example.com"),
-        redirect_uris=[AnyUrl("http://localhost:3030/callback")],
-        # No scope defined
-        scope=None,
-    )
-
-
-@pytest.fixture
-def oauth_provider_without_scope(
-    client_metadata_no_scope: OAuthClientMetadata, mock_storage: MockTokenStorage
-) -> OAuthClientProvider:
-    """Create OAuth provider without predefined scope."""
-
-    async def redirect_handler(url: str) -> None:
-        pass
-
-    async def callback_handler() -> tuple[str, str | None]:
-        return "test_auth_code", "test_state"
-
-    return OAuthClientProvider(
-        server_url="https://api.example.com/v1/mcp",
-        client_metadata=client_metadata_no_scope,
-        storage=mock_storage,
-        redirect_handler=redirect_handler,
-        callback_handler=callback_handler,
-    )
-
-
-class TestScopeHandlingPriority:
-    """Test OAuth scope handling priority between PRM and auth metadata."""
-
-    @pytest.mark.anyio
-    async def test_prioritize_prm_scopes_over_oauth_metadata(self, oauth_provider_without_scope: OAuthClientProvider):
-        """Test that PRM scopes are prioritized over auth server metadata scopes."""
-        provider = oauth_provider_without_scope
-
-        # Set up PRM metadata with specific scopes
-        provider.context.protected_resource_metadata = ProtectedResourceMetadata(
-            resource=AnyHttpUrl("https://api.example.com/v1/mcp"),
-            authorization_servers=[AnyHttpUrl("https://auth.example.com")],
-            scopes_supported=["resource:read", "resource:write"],
-        )
-
-        # Create OAuth metadata response with different scopes
-        oauth_metadata_response = httpx.Response(
-            200,
-            content=(
-                b'{"issuer": "https://auth.example.com", '
-                b'"authorization_endpoint": "https://auth.example.com/authorize", '
-                b'"token_endpoint": "https://auth.example.com/token", '
-                b'"registration_endpoint": "https://auth.example.com/register", '
-                b'"scopes_supported": ["read", "write", "admin"]}'
-            ),
-        )
-
-        # Process the OAuth metadata
-        await provider._handle_oauth_metadata_response(oauth_metadata_response)
-
-        # Verify that PRM scopes are used (not OAuth metadata scopes)
-        assert provider.context.client_metadata.scope == "resource:read resource:write"
-
-    @pytest.mark.anyio
-    async def test_fallback_to_oauth_metadata_scopes_when_no_prm_scopes(
-        self, oauth_provider_without_scope: OAuthClientProvider
-    ):
-        """Test fallback to OAuth metadata scopes when PRM has no scopes."""
-        provider = oauth_provider_without_scope
-
-        # Set up PRM metadata without scopes
-        provider.context.protected_resource_metadata = ProtectedResourceMetadata(
-            resource=AnyHttpUrl("https://api.example.com/v1/mcp"),
-            authorization_servers=[AnyHttpUrl("https://auth.example.com")],
-            scopes_supported=None,  # No scopes in PRM
-        )
-
-        # Create OAuth metadata response with scopes
-        oauth_metadata_response = httpx.Response(
-            200,
-            content=(
-                b'{"issuer": "https://auth.example.com", '
-                b'"authorization_endpoint": "https://auth.example.com/authorize", '
-                b'"token_endpoint": "https://auth.example.com/token", '
-                b'"registration_endpoint": "https://auth.example.com/register", '
-                b'"scopes_supported": ["read", "write", "admin"]}'
-            ),
-        )
-
-        # Process the OAuth metadata
-        await provider._handle_oauth_metadata_response(oauth_metadata_response)
-
-        # Verify that OAuth metadata scopes are used as fallback
-        assert provider.context.client_metadata.scope == "read write admin"
-
-    @pytest.mark.anyio
-    async def test_no_scope_changes_when_both_missing(self, oauth_provider_without_scope: OAuthClientProvider):
-        """Test that no scope changes occur when both PRM and OAuth metadata lack scopes."""
-        provider = oauth_provider_without_scope
-
-        # Set up PRM metadata without scopes
-        provider.context.protected_resource_metadata = ProtectedResourceMetadata(
-            resource=AnyHttpUrl("https://api.example.com/v1/mcp"),
-            authorization_servers=[AnyHttpUrl("https://auth.example.com")],
-            scopes_supported=None,  # No scopes in PRM
-        )
-
-        # Create OAuth metadata response without scopes
-        oauth_metadata_response = httpx.Response(
-            200,
-            content=(
-                b'{"issuer": "https://auth.example.com", '
-                b'"authorization_endpoint": "https://auth.example.com/authorize", '
-                b'"token_endpoint": "https://auth.example.com/token", '
-                b'"registration_endpoint": "https://auth.example.com/register"}'
-                # No scopes_supported field
-            ),
-        )
-
-        # Process the OAuth metadata
-        await provider._handle_oauth_metadata_response(oauth_metadata_response)
-
-        # Verify that scope remains None
-        assert provider.context.client_metadata.scope is None
-
-    @pytest.mark.anyio
-    async def test_preserve_existing_client_scope(
-        self, client_metadata_no_scope: OAuthClientMetadata, mock_storage: MockTokenStorage
-    ):
-        """Test that existing client scope is preserved regardless of metadata."""
-        # Create client with predefined scope
-        client_metadata = client_metadata_no_scope
-        client_metadata.scope = "predefined:scope"
-
-        # Create provider
-        async def redirect_handler(url: str) -> None:
-            pass
-
-        async def callback_handler() -> tuple[str, str | None]:
-            return "test_auth_code", "test_state"
-
-        provider = OAuthClientProvider(
-            server_url="https://api.example.com/v1/mcp",
-            client_metadata=client_metadata,
-            storage=mock_storage,
-            redirect_handler=redirect_handler,
-            callback_handler=callback_handler,
-        )
-
-        # Set up PRM metadata with scopes
-        provider.context.protected_resource_metadata = ProtectedResourceMetadata(
-            resource=AnyHttpUrl("https://api.example.com/v1/mcp"),
-            authorization_servers=[AnyHttpUrl("https://auth.example.com")],
-            scopes_supported=["resource:read", "resource:write"],
-        )
-
-        # Create OAuth metadata response with scopes
-        oauth_metadata_response = httpx.Response(
-            200,
-            content=(
-                b'{"issuer": "https://auth.example.com", '
-                b'"authorization_endpoint": "https://auth.example.com/authorize", '
-                b'"token_endpoint": "https://auth.example.com/token", '
-                b'"registration_endpoint": "https://auth.example.com/register", '
-                b'"scopes_supported": ["read", "write", "admin"]}'
-            ),
-        )
-
-        # Process the OAuth metadata
-        await provider._handle_oauth_metadata_response(oauth_metadata_response)
-
-        # Verify that predefined scope is preserved
-        assert provider.context.client_metadata.scope == "predefined:scope"
