Skip to content

feat(a2a): Add A2A authentication middleware with TIP token propagation support #304

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
cuericlee merged 20 commits into from
Nov 21, 2025
Merged

feat(a2a): Add A2A authentication middleware with TIP token propagation support #304

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
5bd4a31
feat: add run_processor support for Agent Runner
loveyana Nov 8, 2025
c7fd907
Merge remote-tracking branch 'upstream/main'
loveyana Nov 11, 2025
9b76272
feat(a2a): add credential service and auto auth token injection
loveyana Nov 11, 2025
a46cdfa
revert
loveyana Nov 13, 2025
c0ed951
revert
loveyana Nov 13, 2025
981fe54
Merge remote-tracking branch 'upstream/main'
loveyana Nov 13, 2025
5fd0c92
feat: Add A2A authentication middleware with TIP token propagation su…
loveyana Nov 13, 2025
f68e2d0
feat(identity): add unit test for middleware and credential service
loveyana Nov 13, 2025
5758a88
fix tests
loveyana Nov 13, 2025
cf90e60
Update test_ve_a2a_middlewares.py
loveyana Nov 13, 2025
0248c33
Make credential_service parameter optional
loveyana Nov 14, 2025
d9f8f62
Fix example class name in docstrings
loveyana Nov 14, 2025
4b33f91
Initialize token variable in A2AAuthMiddleware
loveyana Nov 14, 2025
4b39973
Update docstring examples to use lowercase type values
loveyana Nov 14, 2025
d4b5bad
Fix type annotation for _identity_client in auth config
loveyana Nov 14, 2025
05982b8
Add VeADK A2A auth switch and utility enhancements
loveyana Nov 20, 2025
b7583d8
Merge remote-tracking branch 'upstream/main'
loveyana Nov 20, 2025
5b00f22
Merge remote-tracking branch 'upstream/main'
loveyana Nov 20, 2025
404f149
Remove unused test and fix import formatting
loveyana Nov 20, 2025
4c9ed63
Update A2A agent docs with authentication instructions
loveyana Nov 20, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
279 changes: 279 additions & 0 deletions tests/test_a2a_credentials.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,279 @@
# Copyright (c) 2025 Beijing Volcano Engine Technology Co., Ltd. and/or its affiliates.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

"""Unit tests for VeCredentialStore."""

import pytest

from a2a.client.base_client import ClientCallContext

from veadk.a2a.credentials import VeCredentialStore


class TestVeCredentialStore:
"""Test suite for VeCredentialStore."""

@pytest.mark.asyncio
async def test_set_and_get_by_session_id(self):
"""Test setting and getting credentials by session ID."""
store = VeCredentialStore()

# Set credentials synchronously
store.set_credentials(
session_id="session_123",
security_scheme_name="inbound_auth",
credential="bearer_token_xyz",
)

# Get credentials
context = ClientCallContext(state={"sessionId": "session_123"})
token = await store.get_credentials(
security_scheme_name="inbound_auth",
context=context,
)

assert token == "bearer_token_xyz"

@pytest.mark.asyncio
async def test_set_and_get_by_user_id(self):
"""Test setting and getting credentials by user ID."""
store = VeCredentialStore()

# Set credentials synchronously
store.set_credentials(
user_id="user_456",
security_scheme_name="inbound_auth",
credential="bearer_token_abc",
)

# Get credentials
context = ClientCallContext(state={"userId": "user_456"})
token = await store.get_credentials(
security_scheme_name="inbound_auth",
context=context,
)

assert token == "bearer_token_abc"

@pytest.mark.asyncio
async def test_fallback_to_user_id(self):
"""Test fallback from session ID to user ID."""
store = VeCredentialStore()

# Set credentials by user ID
store.set_credentials(
user_id="user_789",
security_scheme_name="inbound_auth",
credential="bearer_token_fallback",
)

# Try to get with session ID (should fail) then fallback to user ID
context = ClientCallContext(
state={"sessionId": "nonexistent_session", "userId": "user_789"}
)
token = await store.get_credentials(
security_scheme_name="inbound_auth",
context=context,
)

assert token == "bearer_token_fallback"

@pytest.mark.asyncio
async def test_user_id_priority(self):
"""Test that user ID takes priority over user ID."""
store = VeCredentialStore()

# Set credentials for both session and user
store.set_credentials(
session_id="session_priority",
security_scheme_name="inbound_auth",
credential="session_token",
)
store.set_credentials(
user_id="user_priority",
security_scheme_name="inbound_auth",
credential="user_token",
)

# Get with both session ID and user ID - should return session token
context = ClientCallContext(
state={"sessionId": "session_priority", "userId": "user_priority"}
)
token = await store.get_credentials(
security_scheme_name="inbound_auth",
context=context,
)

assert token == "user_token"

@pytest.mark.asyncio
async def test_async_set_credentials(self):
"""Test async version of set_credentials."""
store = VeCredentialStore()

# Set credentials asynchronously
await store.set_credentials_async(
session_id="async_session",
security_scheme_name="inbound_auth",
credential="async_token",
)

# Get credentials
context = ClientCallContext(state={"sessionId": "async_session"})
token = await store.get_credentials(
security_scheme_name="inbound_auth",
context=context,
)

assert token == "async_token"

@pytest.mark.asyncio
async def test_multiple_security_schemes(self):
"""Test storing multiple security schemes for the same session."""
store = VeCredentialStore()

# Set multiple credentials for the same session
store.set_credentials(
session_id="multi_session",
security_scheme_name="inbound_auth",
credential="inbound_token",
)
store.set_credentials(
session_id="multi_session",
security_scheme_name="outbound_auth",
credential="outbound_token",
)

# Get both credentials
context = ClientCallContext(state={"sessionId": "multi_session"})

inbound_token = await store.get_credentials(
security_scheme_name="inbound_auth",
context=context,
)
outbound_token = await store.get_credentials(
security_scheme_name="outbound_auth",
context=context,
)

assert inbound_token == "inbound_token"
assert outbound_token == "outbound_token"

@pytest.mark.asyncio
async def test_clear_specific_context(self):
"""Test clearing credentials for a specific context."""
store = VeCredentialStore()

# Set credentials for two sessions
store.set_credentials(
session_id="session_1",
security_scheme_name="inbound_auth",
credential="token_1",
)
store.set_credentials(
session_id="session_2",
security_scheme_name="inbound_auth",
credential="token_2",
)

# Clear session_1
store.clear("session_1")

# Verify session_1 is cleared
context1 = ClientCallContext(state={"sessionId": "session_1"})
token1 = await store.get_credentials(
security_scheme_name="inbound_auth",
context=context1,
)
assert token1 is None

# Verify session_2 still exists
context2 = ClientCallContext(state={"sessionId": "session_2"})
token2 = await store.get_credentials(
security_scheme_name="inbound_auth",
context=context2,
)
assert token2 == "token_2"

@pytest.mark.asyncio
async def test_clear_all(self):
"""Test clearing all credentials."""
store = VeCredentialStore()

# Set multiple credentials
store.set_credentials(
session_id="session_a",
security_scheme_name="inbound_auth",
credential="token_a",
)
store.set_credentials(
user_id="user_b",
security_scheme_name="inbound_auth",
credential="token_b",
)

# Clear all
store.clear()

# Verify all are cleared
context_a = ClientCallContext(state={"sessionId": "session_a"})
token_a = await store.get_credentials(
security_scheme_name="inbound_auth",
context=context_a,
)
assert token_a is None

context_b = ClientCallContext(state={"userId": "user_b"})
token_b = await store.get_credentials(
security_scheme_name="inbound_auth",
context=context_b,
)
assert token_b is None

@pytest.mark.asyncio
async def test_no_context(self):
"""Test behavior when no context is provided."""
store = VeCredentialStore()

token = await store.get_credentials(
security_scheme_name="inbound_auth",
context=None,
)

assert token is None

@pytest.mark.asyncio
async def test_missing_session_and_user(self):
"""Test behavior when neither session ID nor user ID is in context."""
store = VeCredentialStore()

context = ClientCallContext(state={"someOtherKey": "value"})
token = await store.get_credentials(
security_scheme_name="inbound_auth",
context=context,
)

assert token is None

def test_set_credentials_without_ids_raises_error(self):
"""Test that set_credentials raises error when neither session_id nor user_id is provided."""
store = VeCredentialStore()

with pytest.raises(
ValueError, match="Either session_id or user_id must be provided"
):
store.set_credentials(
security_scheme_name="inbound_auth",
credential="token",
)
Loading