feat(tools): repo_search with allowlist post-filter
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Mathias Bergqvist
92
internal/tools/repo_search.go
Normal file
92
internal/tools/repo_search.go
Normal file
@@ -0,0 +1,92 @@
|
||||
package tools
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"gitea.d-ma.be/mathias/gitea-mcp/internal/allowlist"
|
||||
"gitea.d-ma.be/mathias/gitea-mcp/internal/gitea"
|
||||
"gitea.d-ma.be/mathias/gitea-mcp/internal/registry"
|
||||
)
|
||||
|
||||
type RepoSearch struct {
|
||||
c *gitea.Client
|
||||
a *allowlist.Allowlist
|
||||
}
|
||||
|
||||
func NewRepoSearch(c *gitea.Client, a *allowlist.Allowlist) *RepoSearch {
|
||||
return &RepoSearch{c: c, a: a}
|
||||
}
|
||||
|
||||
func (t *RepoSearch) Descriptor() registry.ToolDescriptor {
|
||||
return registry.ToolDescriptor{
|
||||
Name: "repo_search",
|
||||
Description: "Search repos by query string. Filters results by owner allowlist.",
|
||||
InputSchema: json.RawMessage(`{
|
||||
"type":"object",
|
||||
"properties":{
|
||||
"q":{"type":"string"},
|
||||
"owner":{"type":"string"},
|
||||
"page":{"type":"integer","minimum":1},
|
||||
"limit":{"type":"integer","minimum":1,"maximum":50}
|
||||
},
|
||||
"required":["q"]
|
||||
}`),
|
||||
}
|
||||
}
|
||||
|
||||
type repoSearchArgs struct {
|
||||
Q string `json:"q"`
|
||||
Owner string `json:"owner"`
|
||||
Page int `json:"page"`
|
||||
Limit int `json:"limit"`
|
||||
}
|
||||
|
||||
func (t *RepoSearch) Call(ctx context.Context, raw json.RawMessage) (json.RawMessage, error) {
|
||||
var args repoSearchArgs
|
||||
if err := parseArgs(raw, &args); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if args.Q == "" {
|
||||
return nil, fmt.Errorf("q is required: %w", gitea.ErrValidation)
|
||||
}
|
||||
if args.Owner != "" {
|
||||
if err := t.a.Check(args.Owner); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
if args.Page < 1 {
|
||||
args.Page = 1
|
||||
}
|
||||
if args.Limit < 1 || args.Limit > 50 {
|
||||
args.Limit = 30
|
||||
}
|
||||
|
||||
repos, err := t.c.SearchRepos(ctx, args.Q, args.Owner, args.Page, args.Limit)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Post-filter when owner not specified — only allowlisted owners survive.
|
||||
if args.Owner == "" {
|
||||
filtered := make([]gitea.Repo, 0, len(repos))
|
||||
for _, r := range repos {
|
||||
parts := strings.SplitN(r.FullName, "/", 2)
|
||||
if len(parts) != 2 {
|
||||
continue
|
||||
}
|
||||
if t.a.Check(parts[0]) == nil {
|
||||
filtered = append(filtered, r)
|
||||
}
|
||||
}
|
||||
repos = filtered
|
||||
}
|
||||
|
||||
out := map[string]any{"repos": repos}
|
||||
if len(repos) == args.Limit {
|
||||
out["next_page"] = args.Page + 1
|
||||
}
|
||||
return textOK(out)
|
||||
}
|
||||
61
internal/tools/repo_search_test.go
Normal file
61
internal/tools/repo_search_test.go
Normal file
@@ -0,0 +1,61 @@
|
||||
package tools_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
|
||||
"gitea.d-ma.be/mathias/gitea-mcp/internal/allowlist"
|
||||
"gitea.d-ma.be/mathias/gitea-mcp/internal/gitea"
|
||||
"gitea.d-ma.be/mathias/gitea-mcp/internal/tools"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
func TestRepoSearchWithOwner(t *testing.T) {
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
assert.Equal(t, "/api/v1/repos/search", r.URL.Path)
|
||||
assert.Equal(t, "infra", r.URL.Query().Get("q"))
|
||||
assert.Equal(t, "mathias", r.URL.Query().Get("owner"))
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
_, _ = w.Write([]byte(`{"data":[{"name":"infra","full_name":"mathias/infra","default_branch":"main"}],"ok":true}`))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
tool := tools.NewRepoSearch(gitea.NewClient(srv.URL, "tok"), allowlist.New([]string{"mathias"}))
|
||||
out, err := tool.Call(context.Background(), json.RawMessage(`{"q":"infra","owner":"mathias"}`))
|
||||
require.NoError(t, err)
|
||||
assert.Contains(t, string(out), `"full_name":"mathias/infra"`)
|
||||
}
|
||||
|
||||
func TestRepoSearchPostFiltersWithoutOwner(t *testing.T) {
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
// No owner param expected when owner is empty
|
||||
assert.Empty(t, r.URL.Query().Get("owner"))
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
_, _ = w.Write([]byte(`{"data":[{"name":"x","full_name":"mathias/x"},{"name":"y","full_name":"evil/y"}],"ok":true}`))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
tool := tools.NewRepoSearch(gitea.NewClient(srv.URL, "tok"), allowlist.New([]string{"mathias"}))
|
||||
out, err := tool.Call(context.Background(), json.RawMessage(`{"q":"x"}`))
|
||||
require.NoError(t, err)
|
||||
assert.Contains(t, string(out), `"mathias/x"`)
|
||||
assert.NotContains(t, string(out), `"evil/y"`)
|
||||
}
|
||||
|
||||
func TestRepoSearchAllowlistRejectsExplicitOwner(t *testing.T) {
|
||||
tool := tools.NewRepoSearch(gitea.NewClient("http://unused", ""), allowlist.New([]string{"mathias"}))
|
||||
_, err := tool.Call(context.Background(), json.RawMessage(`{"q":"infra","owner":"evil"}`))
|
||||
require.Error(t, err)
|
||||
}
|
||||
|
||||
func TestRepoSearchRequiresQ(t *testing.T) {
|
||||
tool := tools.NewRepoSearch(gitea.NewClient("http://unused", ""), allowlist.New([]string{"mathias"}))
|
||||
_, err := tool.Call(context.Background(), json.RawMessage(`{}`))
|
||||
require.Error(t, err)
|
||||
assert.True(t, errors.Is(err, gitea.ErrValidation))
|
||||
}
|
||||
Reference in New Issue
Block a user