mathias/gitea-mcp
1
0
Fork 0
Code Issues 6 Pull Requests Actions Packages Projects Releases Wiki Activity

feat(tools): repo_search with allowlist post-filter

Browse Source 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Mathias Bergqvist
2026-05-04 22:44:44 +02:00
parent 43e016e8fa
commit 61cce37ff5
5 changed files with 203 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

61
internal/tools/repo_search_test.go Normal file
View File

@@ -0,0 +1,61 @@
package tools_test
import (
"context"
"encoding/json"
"errors"
"net/http"
"net/http/httptest"
"testing"
"gitea.d-ma.be/mathias/gitea-mcp/internal/allowlist"
"gitea.d-ma.be/mathias/gitea-mcp/internal/gitea"
"gitea.d-ma.be/mathias/gitea-mcp/internal/tools"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestRepoSearchWithOwner(t *testing.T) {
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
assert.Equal(t, "/api/v1/repos/search", r.URL.Path)
assert.Equal(t, "infra", r.URL.Query().Get("q"))
assert.Equal(t, "mathias", r.URL.Query().Get("owner"))
w.Header().Set("Content-Type", "application/json")
_, _ = w.Write([]byte(`{"data":[{"name":"infra","full_name":"mathias/infra","default_branch":"main"}],"ok":true}`))
}))
defer srv.Close()
tool := tools.NewRepoSearch(gitea.NewClient(srv.URL, "tok"), allowlist.New([]string{"mathias"}))
out, err := tool.Call(context.Background(), json.RawMessage(`{"q":"infra","owner":"mathias"}`))
require.NoError(t, err)
assert.Contains(t, string(out), `"full_name":"mathias/infra"`)
}
func TestRepoSearchPostFiltersWithoutOwner(t *testing.T) {
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// No owner param expected when owner is empty
assert.Empty(t, r.URL.Query().Get("owner"))
w.Header().Set("Content-Type", "application/json")
_, _ = w.Write([]byte(`{"data":[{"name":"x","full_name":"mathias/x"},{"name":"y","full_name":"evil/y"}],"ok":true}`))
}))
defer srv.Close()
tool := tools.NewRepoSearch(gitea.NewClient(srv.URL, "tok"), allowlist.New([]string{"mathias"}))
out, err := tool.Call(context.Background(), json.RawMessage(`{"q":"x"}`))
require.NoError(t, err)
assert.Contains(t, string(out), `"mathias/x"`)
assert.NotContains(t, string(out), `"evil/y"`)
}
func TestRepoSearchAllowlistRejectsExplicitOwner(t *testing.T) {
tool := tools.NewRepoSearch(gitea.NewClient("http://unused", ""), allowlist.New([]string{"mathias"}))
_, err := tool.Call(context.Background(), json.RawMessage(`{"q":"infra","owner":"evil"}`))
require.Error(t, err)
}
func TestRepoSearchRequiresQ(t *testing.T) {
tool := tools.NewRepoSearch(gitea.NewClient("http://unused", ""), allowlist.New([]string{"mathias"}))
_, err := tool.Call(context.Background(), json.RawMessage(`{}`))
require.Error(t, err)
assert.True(t, errors.Is(err, gitea.ErrValidation))
}