928f23ab1b
Enables exposing the supervisor MCP via Tailscale Funnel for claude.ai custom-connector tests. Auth is opt-in: empty SUPERVISOR_MCP_TOKEN preserves the existing unauthenticated behavior for tailnet-internal callers and local dev. When the token is set, every request must carry "Authorization: Bearer <token>" or it is rejected with HTTP 401 and a JSON-RPC -32001 error. Comparison uses crypto/subtle.ConstantTimeCompare; the token value and the supplied header are never logged. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
159 lines
4.7 KiB
Go
159 lines
4.7 KiB
Go
package mcp_test
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/json"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/mathiasbq/supervisor/internal/mcp"
|
|
"github.com/mathiasbq/supervisor/internal/registry"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func jsonBody(t *testing.T, v any) *bytes.Buffer {
|
|
t.Helper()
|
|
b, err := json.Marshal(v)
|
|
require.NoError(t, err)
|
|
return bytes.NewBuffer(b)
|
|
}
|
|
|
|
func TestMCPInitialize(t *testing.T) {
|
|
reg := registry.New()
|
|
srv := mcp.NewServer(reg, "")
|
|
|
|
req := httptest.NewRequest(http.MethodPost, "/mcp", jsonBody(t, map[string]any{
|
|
"jsonrpc": "2.0",
|
|
"id": 1,
|
|
"method": "initialize",
|
|
"params": map[string]any{},
|
|
}))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
rr := httptest.NewRecorder()
|
|
|
|
srv.ServeHTTP(rr, req)
|
|
|
|
assert.Equal(t, http.StatusOK, rr.Code)
|
|
var resp map[string]any
|
|
require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
|
|
result := resp["result"].(map[string]any)
|
|
assert.Equal(t, "2024-11-05", result["protocolVersion"])
|
|
}
|
|
|
|
func TestMCPToolsList(t *testing.T) {
|
|
reg := registry.New()
|
|
srv := mcp.NewServer(reg, "")
|
|
|
|
req := httptest.NewRequest(http.MethodPost, "/mcp", jsonBody(t, map[string]any{
|
|
"jsonrpc": "2.0", "id": 2, "method": "tools/list", "params": map[string]any{},
|
|
}))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
rr := httptest.NewRecorder()
|
|
srv.ServeHTTP(rr, req)
|
|
|
|
assert.Equal(t, http.StatusOK, rr.Code)
|
|
var resp map[string]any
|
|
require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
|
|
result := resp["result"].(map[string]any)
|
|
assert.NotNil(t, result["tools"])
|
|
}
|
|
|
|
func TestMCPUnknownMethod(t *testing.T) {
|
|
reg := registry.New()
|
|
srv := mcp.NewServer(reg, "")
|
|
|
|
req := httptest.NewRequest(http.MethodPost, "/mcp", jsonBody(t, map[string]any{
|
|
"jsonrpc": "2.0", "id": 3, "method": "unknown/method", "params": map[string]any{},
|
|
}))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
rr := httptest.NewRecorder()
|
|
srv.ServeHTTP(rr, req)
|
|
|
|
assert.Equal(t, http.StatusOK, rr.Code)
|
|
var resp map[string]any
|
|
require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
|
|
assert.NotNil(t, resp["error"])
|
|
}
|
|
|
|
func TestMCPNotificationKnownMethodGetsNoResponseBody(t *testing.T) {
|
|
reg := registry.New()
|
|
srv := mcp.NewServer(reg, "")
|
|
|
|
// JSON-RPC 2.0 notification: "id" field absent. Per spec, server MUST NOT
|
|
// reply. notifications/initialized is part of the standard MCP handshake.
|
|
req := httptest.NewRequest(http.MethodPost, "/mcp", jsonBody(t, map[string]any{
|
|
"jsonrpc": "2.0",
|
|
"method": "notifications/initialized",
|
|
}))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
rr := httptest.NewRecorder()
|
|
srv.ServeHTTP(rr, req)
|
|
|
|
assert.Equal(t, http.StatusOK, rr.Code)
|
|
assert.Empty(t, strings.TrimSpace(rr.Body.String()),
|
|
"notifications must not receive a response body")
|
|
}
|
|
|
|
func TestMCPAuth(t *testing.T) {
|
|
const token = "s3cr3t"
|
|
|
|
cases := []struct {
|
|
name string
|
|
token string
|
|
authHeader string
|
|
wantStatus int
|
|
}{
|
|
{"no token configured passes without header", "", "", http.StatusOK},
|
|
{"correct bearer passes", token, "Bearer " + token, http.StatusOK},
|
|
{"wrong bearer rejected", token, "Bearer wrong", http.StatusUnauthorized},
|
|
{"missing header rejected", token, "", http.StatusUnauthorized},
|
|
{"wrong scheme rejected", token, "Basic " + token, http.StatusUnauthorized},
|
|
}
|
|
|
|
for _, tc := range cases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
reg := registry.New()
|
|
srv := mcp.NewServer(reg, tc.token)
|
|
|
|
req := httptest.NewRequest(http.MethodPost, "/mcp", jsonBody(t, map[string]any{
|
|
"jsonrpc": "2.0", "id": 1, "method": "initialize", "params": map[string]any{},
|
|
}))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
if tc.authHeader != "" {
|
|
req.Header.Set("Authorization", tc.authHeader)
|
|
}
|
|
rr := httptest.NewRecorder()
|
|
srv.ServeHTTP(rr, req)
|
|
|
|
assert.Equal(t, tc.wantStatus, rr.Code)
|
|
if tc.wantStatus == http.StatusUnauthorized {
|
|
var resp map[string]any
|
|
require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
|
|
rpcErr, ok := resp["error"].(map[string]any)
|
|
require.True(t, ok, "expected error object in response")
|
|
assert.Equal(t, float64(-32001), rpcErr["code"])
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestMCPNotificationUnknownMethodGetsNoResponseBody(t *testing.T) {
|
|
reg := registry.New()
|
|
srv := mcp.NewServer(reg, "")
|
|
|
|
req := httptest.NewRequest(http.MethodPost, "/mcp", jsonBody(t, map[string]any{
|
|
"jsonrpc": "2.0",
|
|
"method": "notifications/totally-unknown",
|
|
}))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
rr := httptest.NewRecorder()
|
|
srv.ServeHTTP(rr, req)
|
|
|
|
assert.Equal(t, http.StatusOK, rr.Code)
|
|
assert.Empty(t, strings.TrimSpace(rr.Body.String()),
|
|
"unknown notifications must also receive no response body")
|
|
}
|