mirror of
https://github.com/opf/openproject.git
synced 2026-06-13 19:20:00 +00:00
Jan Sandbrink
4d305df714
We generate those tokens with a prefix, so that we can decide by looking at a token, whether it's an API Token or a different kind of token, so that we can decide which code path to choose for validating the token. The usage of access tokens as Bearer token has the usability advantage, that you can paste them as plaintext into tools that expect you to specify the token as a header. Also the Basic auth approach for our old tokens usually rather caused issues, such as browsers prompting for credentials in surprising situations. If we were to deprecate basic authentication one day, this change today could've been the first step towards that.
132 lines
4.4 KiB
Ruby
132 lines
4.4 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
#-- copyright
|
|
# OpenProject is an open source project management software.
|
|
# Copyright (C) the OpenProject GmbH
|
|
#
|
|
# This program is free software; you can redistribute it and/or
|
|
# modify it under the terms of the GNU General Public License version 3.
|
|
#
|
|
# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
|
|
# Copyright (C) 2006-2013 Jean-Philippe Lang
|
|
# Copyright (C) 2010-2013 the ChiliProject Team
|
|
#
|
|
# This program is free software; you can redistribute it and/or
|
|
# modify it under the terms of the GNU General Public License
|
|
# as published by the Free Software Foundation; either version 2
|
|
# of the License, or (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program; if not, write to the Free Software
|
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
#
|
|
# See COPYRIGHT and LICENSE files for more details.
|
|
#++
|
|
|
|
require "spec_helper"
|
|
|
|
RSpec.describe "MCP tools/list", with_flag: { mcp_server: true } do
|
|
subject do
|
|
header "Authorization", "Bearer #{access_token.plaintext_token}"
|
|
header "X-Authentication-Scheme", "Bearer"
|
|
header "Content-Type", "application/json"
|
|
post "/mcp", request_body.to_json
|
|
end
|
|
|
|
let(:access_token) { create(:oauth_access_token, scopes: "mcp") }
|
|
let(:request_body) do
|
|
{
|
|
jsonrpc: "2.0",
|
|
id: "Test-Request",
|
|
method: "tools/list",
|
|
params: {}
|
|
}
|
|
end
|
|
let(:parsed_results) { JSON.parse(last_response.body).fetch("result") }
|
|
|
|
let(:server_config) { create(:mcp_configuration, identifier: "mcp_server") }
|
|
let(:tool_config) { create(:mcp_configuration, identifier: McpTools::SearchProject.qualified_name) }
|
|
|
|
before do
|
|
server_config.save!
|
|
tool_config.save!
|
|
end
|
|
|
|
context "when the mcp_server enterprise feature is enabled", with_ee: %i[mcp_server] do
|
|
it_behaves_like "MCP result response"
|
|
|
|
it "includes the search_project tool" do
|
|
subject
|
|
|
|
tool = parsed_results.fetch("tools").find { |t| t.fetch("name") == "search_project" }
|
|
expect(tool).not_to be_nil
|
|
expect(tool.fetch("title")).to eq(tool_config.title)
|
|
expect(tool.fetch("description")).to eq(tool_config.description)
|
|
end
|
|
|
|
context "when not passing a token" do
|
|
subject do
|
|
# TODO: It's actually a hack that we expect clients to provide this header for proper WWW-Authenticate responses
|
|
# Regular clients will never see the extended WWW-Authenticate headers with resource_metadata hints
|
|
header "X-Authentication-Scheme", "Bearer"
|
|
header "Content-Type", "application/json"
|
|
post "/mcp", request_body.to_json
|
|
end
|
|
|
|
it_behaves_like "MCP unauthenticated response"
|
|
end
|
|
|
|
context "when passing an API token via Bearer authentication" do
|
|
subject do
|
|
header "Authorization", "Bearer #{apikey.plain_value}"
|
|
header "Content-Type", "application/json"
|
|
post "/mcp", request_body.to_json
|
|
end
|
|
|
|
let(:apikey) { create(:api_token) }
|
|
|
|
it_behaves_like "MCP result response"
|
|
end
|
|
|
|
context "when passing a Bearer token with a wrong scope" do
|
|
let(:access_token) { create(:oauth_access_token, scopes: "api_v3") }
|
|
|
|
it_behaves_like "MCP unauthenticated response"
|
|
end
|
|
|
|
context "when the MCP server is disabled via configuration" do
|
|
let(:server_config) { create(:mcp_configuration, identifier: "mcp_server", enabled: false) }
|
|
|
|
it "responds in a 404" do
|
|
subject
|
|
expect(last_response).to have_http_status(404)
|
|
end
|
|
end
|
|
|
|
context "when the search_project tool is disabled" do
|
|
let(:tool_config) { create(:mcp_configuration, identifier: McpTools::SearchProject.qualified_name, enabled: false) }
|
|
|
|
it_behaves_like "MCP result response"
|
|
|
|
it "does not include the search_project tool" do
|
|
subject
|
|
|
|
tool = parsed_results.fetch("tools").find { |t| t.fetch("name") == "search_project" }
|
|
expect(tool).to be_nil
|
|
end
|
|
end
|
|
end
|
|
|
|
context "when the mcp_server enterprise feature is disabled" do
|
|
it "responds in a 404" do
|
|
subject
|
|
expect(last_response).to have_http_status(404)
|
|
end
|
|
end
|
|
end
|