From fde4b1dc0f2fad58f1fdd768e13eec1ebd939de9 Mon Sep 17 00:00:00 2001
From: Marc Nuri
Date: Fri, 8 Aug 2025 10:31:50 +0300
Subject: [PATCH] test(auth): complete test cases for token validation (#253)
Signed-off-by: Marc Nuri
---
 pkg/http/http_test.go | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/pkg/http/http_test.go b/pkg/http/http_test.go
index 01b33c5..d285cb3 100644
--- a/pkg/http/http_test.go
+++ b/pkg/http/http_test.go
@@ -619,10 +619,12 @@ func TestAuthorizationRawToken(t *testing.T) {
 }
 for _, c := range cases {
 testCaseWithContext(t, &httpContext{StaticConfig: &config.StaticConfig{RequireOAuth: true, OAuthAudience: c.audience, ValidateToken: c.validateToken}}, func(ctx *httpContext) {
+ tokenReviewed := false
 ctx.mockServer.Handle(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 if req.URL.EscapedPath() == "/apis/authentication.k8s.io/v1/tokenreviews" {
 w.Header().Set("Content-Type", "application/json")
 _, _ = w.Write([]byte(tokenReviewSuccessful))
+ tokenReviewed = true
 return
 }
 }))
@@ -641,6 +643,14 @@ func TestAuthorizationRawToken(t *testing.T) {
 t.Errorf("Expected HTTP 200 OK, got %d", resp.StatusCode)
 }
 })
+ t.Run(fmt.Sprintf("Protected resource with audience = '%s' and validate-token = '%t', with VALID Authorization header performs token validation accordingly", c.audience, c.validateToken), func(t *testing.T) {
+ if tokenReviewed == true && !c.validateToken {
+ t.Errorf("Expected token review to be skipped when validate-token is false, but it was performed")
+ }
+ if tokenReviewed == false && c.validateToken {
+ t.Errorf("Expected token review to be performed when validate-token is true, but it was skipped")
+ }
+ })
 })
 }
 
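Review bot: The mock handler only records that `/apis/authentication.k8s.io/v1/tokenreviews` was hit; it does not look at what was posted, so a server that sends the wrong bearer or omits the configured audience in the TokenReview spec would still pass the validate-token=true cases even though `c.audience` is varied per case. Decoding the request body in the handler and letting the later subtest assert `spec.token` is the bearer the request subtest presented and `spec.audiences` contains `c.audience` (when non-empty) would turn this into a check of the security-relevant contract rather than of the call count; this assumes `encoding/json` is already imported by the test file. Separately, `tokenReviewed` is written on the mock server's handler goroutine and read on the test goroutine; the HTTP round-trip orders them in practice, but an `atomic.Bool` states that intent and survives a future `t.Parallel()`. The enclosing test function starts before this hunk and continues past it.
```go
tokenReviewed := false
var reviewed struct {
	Spec struct {
		Token     string   `json:"token"`
		Audiences []string `json:"audiences"`
	} `json:"spec"`
}
ctx.mockServer.Handle(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
	if req.URL.EscapedPath() == "/apis/authentication.k8s.io/v1/tokenreviews" {
		// Keep the submitted TokenReview so the assertion can check token and audiences, not just that a call happened.
		_ = json.NewDecoder(req.Body).Decode(&reviewed)
		tokenReviewed = true
		// … unchanged: Content-Type header and tokenReviewSuccessful response …
		return
	}
}))
```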
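Review bot: The two mutually exclusive `if`s in the new subtest compare a bool against `true`/`false`, which staticcheck (S1002) flags; both collapse into one line, `if tokenReviewed != c.validateToken { t.Errorf("token review performed = %t, want %t (validate-token)", tokenReviewed, c.validateToken) }`, which also reports both values on failure. This subtest asserts on state left behind by the preceding `t.Run` rather than issuing its own request, so if that earlier request never reached the token-review step (say a 401 up front) the validate-token=true case fails here with a message saying the review was "skipped", which points the reader at the wrong place; folding the check into the request subtest, or naming the dependency in the subtest title, avoids that. The enclosing function starts before this hunk.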
@@ -658,10 +668,12 @@ func TestAuthorizationOidcToken(t *testing.T) {
 cases := []bool{false, true}
 for _, validateToken := range cases {
 testCaseWithContext(t, &httpContext{StaticConfig: &config.StaticConfig{RequireOAuth: true, OAuthAudience: "mcp-server", ValidateToken: validateToken}, OidcProvider: oidcProvider}, func(ctx *httpContext) {
+ tokenReviewed := false
 ctx.mockServer.Handle(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 if req.URL.EscapedPath() == "/apis/authentication.k8s.io/v1/tokenreviews" {
 w.Header().Set("Content-Type", "application/json")
 _, _ = w.Write([]byte(tokenReviewSuccessful))
+ tokenReviewed = true
 return
 }
 }))
@@ -680,6 +692,14 @@ func TestAuthorizationOidcToken(t *testing.T) {
 t.Errorf("Expected HTTP 200 OK, got %d", resp.StatusCode)
 }
 })
+ t.Run(fmt.Sprintf("Protected resource with validate-token='%t' with VALID OIDC Authorization header performs token validation accordingly", validateToken), func(t *testing.T) {
+ if tokenReviewed == true && !validateToken {
+ t.Errorf("Expected token review to be skipped when validate-token is false, but it was performed")
+ }
+ if tokenReviewed == false && validateToken {
+ t.Errorf("Expected token review to be performed when validate-token is true, but it was skipped")
+ }
+ })
 })
 }
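Review bot: The validate-token=false case in this OIDC test encodes a security decision that deserves a comment at the `tokenReviewed := false` line: with an `OidcProvider` configured and `ValidateToken` off, the server is expected to accept the token on the strength of the OIDC check alone and never consult the Kubernetes TokenReview API, so a bearer that the cluster would reject is still let through. Something like `// validate-token=false means the OIDC check is the only gate; the cluster's TokenReview API must not be consulted (tokenReviewed stays false)` makes the intent explicit for whoever later reads a failure here. The mock handler and flag are identical to the ones added in TestAuthorizationRawToken; a small helper returning the handler and a pointer to the flag would keep the two tests from drifting. The enclosing function starts before this hunk and continues past it.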
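Review bot: The assertion body in this subtest duplicates, line for line, the one added to TestAuthorizationRawToken, differing only in the flag and expected value; a shared helper such as `assertTokenReview(t, tokenReviewed, validateToken)` that calls `t.Helper()` and fails with `t.Errorf("token review performed = %t, want %t", got, want)` keeps both tests in step and drops the `== true`/`== false` comparisons that staticcheck flags. The subtest name also says "VALID OIDC Authorization header" but this subtest sends nothing; it only inspects the flag set by the previous subtest's request, so the title would be clearer as "… previous request performed token validation accordingly". The enclosing function starts before this hunk.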