c7e0192486
Closes #6 on gitea.d-ma.be/mathias/hyperguild. Dex is deployed at auth.d-ma.be. All three MCP servers now accept JWTs issued by Dex in addition to static bearer tokens, enabling claude.ai OAuth 2.0 integration without abandoning backward-compat CLI auth. Changes: - internal/auth/: new Validator (JWKS auto-refresh via lestrrat-go/jwx/v2), ProtectedResourceHandler (RFC 9728 /.well-known/oauth-protected-resource) - internal/mcp/Server: adds optional *auth.Validator; checkAuth tries JWT first, then static token fallback; both-nil = auth disabled (unchanged default) - cmd/supervisor, cmd/routing: construct Validator from DEX_ISSUER_URL + MCP_AUDIENCE env vars; register protected-resource handler when set - ingestion/internal/auth/: same Validator + handler (separate module) - ingestion/internal/mcp/BearerAuth: same JWT-or-static chain - ingestion/cmd/server: same wiring pattern New env vars (all optional; absent = static-token-only, same as before): DEX_ISSUER_URL — Dex issuer URL (e.g. https://auth.d-ma.be) MCP_AUDIENCE — expected aud claim (e.g. brain, supervisor) MCP_RESOURCE_URL — resource identifier for RFC 9728 metadata response Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
159 lines
4.7 KiB
Go
159 lines
4.7 KiB
Go
package mcp_test
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/json"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/mathiasbq/supervisor/internal/mcp"
|
|
"github.com/mathiasbq/supervisor/internal/registry"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func jsonBody(t *testing.T, v any) *bytes.Buffer {
|
|
t.Helper()
|
|
b, err := json.Marshal(v)
|
|
require.NoError(t, err)
|
|
return bytes.NewBuffer(b)
|
|
}
|
|
|
|
func TestMCPInitialize(t *testing.T) {
|
|
reg := registry.New()
|
|
srv := mcp.NewServer(reg, "", nil)
|
|
|
|
req := httptest.NewRequest(http.MethodPost, "/mcp", jsonBody(t, map[string]any{
|
|
"jsonrpc": "2.0",
|
|
"id": 1,
|
|
"method": "initialize",
|
|
"params": map[string]any{},
|
|
}))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
rr := httptest.NewRecorder()
|
|
|
|
srv.ServeHTTP(rr, req)
|
|
|
|
assert.Equal(t, http.StatusOK, rr.Code)
|
|
var resp map[string]any
|
|
require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
|
|
result := resp["result"].(map[string]any)
|
|
assert.Equal(t, "2024-11-05", result["protocolVersion"])
|
|
}
|
|
|
|
func TestMCPToolsList(t *testing.T) {
|
|
reg := registry.New()
|
|
srv := mcp.NewServer(reg, "", nil)
|
|
|
|
req := httptest.NewRequest(http.MethodPost, "/mcp", jsonBody(t, map[string]any{
|
|
"jsonrpc": "2.0", "id": 2, "method": "tools/list", "params": map[string]any{},
|
|
}))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
rr := httptest.NewRecorder()
|
|
srv.ServeHTTP(rr, req)
|
|
|
|
assert.Equal(t, http.StatusOK, rr.Code)
|
|
var resp map[string]any
|
|
require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
|
|
result := resp["result"].(map[string]any)
|
|
assert.NotNil(t, result["tools"])
|
|
}
|
|
|
|
func TestMCPUnknownMethod(t *testing.T) {
|
|
reg := registry.New()
|
|
srv := mcp.NewServer(reg, "", nil)
|
|
|
|
req := httptest.NewRequest(http.MethodPost, "/mcp", jsonBody(t, map[string]any{
|
|
"jsonrpc": "2.0", "id": 3, "method": "unknown/method", "params": map[string]any{},
|
|
}))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
rr := httptest.NewRecorder()
|
|
srv.ServeHTTP(rr, req)
|
|
|
|
assert.Equal(t, http.StatusOK, rr.Code)
|
|
var resp map[string]any
|
|
require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
|
|
assert.NotNil(t, resp["error"])
|
|
}
|
|
|
|
func TestMCPNotificationKnownMethodGetsNoResponseBody(t *testing.T) {
|
|
reg := registry.New()
|
|
srv := mcp.NewServer(reg, "", nil)
|
|
|
|
// JSON-RPC 2.0 notification: "id" field absent. Per spec, server MUST NOT
|
|
// reply. notifications/initialized is part of the standard MCP handshake.
|
|
req := httptest.NewRequest(http.MethodPost, "/mcp", jsonBody(t, map[string]any{
|
|
"jsonrpc": "2.0",
|
|
"method": "notifications/initialized",
|
|
}))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
rr := httptest.NewRecorder()
|
|
srv.ServeHTTP(rr, req)
|
|
|
|
assert.Equal(t, http.StatusOK, rr.Code)
|
|
assert.Empty(t, strings.TrimSpace(rr.Body.String()),
|
|
"notifications must not receive a response body")
|
|
}
|
|
|
|
func TestMCPAuth(t *testing.T) {
|
|
const token = "s3cr3t"
|
|
|
|
cases := []struct {
|
|
name string
|
|
token string
|
|
authHeader string
|
|
wantStatus int
|
|
}{
|
|
{"no token configured passes without header", "", "", http.StatusOK},
|
|
{"correct bearer passes", token, "Bearer " + token, http.StatusOK},
|
|
{"wrong bearer rejected", token, "Bearer wrong", http.StatusUnauthorized},
|
|
{"missing header rejected", token, "", http.StatusUnauthorized},
|
|
{"wrong scheme rejected", token, "Basic " + token, http.StatusUnauthorized},
|
|
}
|
|
|
|
for _, tc := range cases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
reg := registry.New()
|
|
srv := mcp.NewServer(reg, tc.token, nil)
|
|
|
|
req := httptest.NewRequest(http.MethodPost, "/mcp", jsonBody(t, map[string]any{
|
|
"jsonrpc": "2.0", "id": 1, "method": "initialize", "params": map[string]any{},
|
|
}))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
if tc.authHeader != "" {
|
|
req.Header.Set("Authorization", tc.authHeader)
|
|
}
|
|
rr := httptest.NewRecorder()
|
|
srv.ServeHTTP(rr, req)
|
|
|
|
assert.Equal(t, tc.wantStatus, rr.Code)
|
|
if tc.wantStatus == http.StatusUnauthorized {
|
|
var resp map[string]any
|
|
require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
|
|
rpcErr, ok := resp["error"].(map[string]any)
|
|
require.True(t, ok, "expected error object in response")
|
|
assert.Equal(t, float64(-32001), rpcErr["code"])
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestMCPNotificationUnknownMethodGetsNoResponseBody(t *testing.T) {
|
|
reg := registry.New()
|
|
srv := mcp.NewServer(reg, "", nil)
|
|
|
|
req := httptest.NewRequest(http.MethodPost, "/mcp", jsonBody(t, map[string]any{
|
|
"jsonrpc": "2.0",
|
|
"method": "notifications/totally-unknown",
|
|
}))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
rr := httptest.NewRecorder()
|
|
srv.ServeHTTP(rr, req)
|
|
|
|
assert.Equal(t, http.StatusOK, rr.Code)
|
|
assert.Empty(t, strings.TrimSpace(rr.Body.String()),
|
|
"unknown notifications must also receive no response body")
|
|
}
|