michal/mcpctl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: granular RBAC with resource/operation bindings, users, groups
Some checks failed
CI / lint (pull_request) Has been cancelled
Details
CI / typecheck (pull_request) Has been cancelled
Details
CI / test (pull_request) Has been cancelled
Details
CI / build (pull_request) Has been cancelled
Details
CI / package (pull_request) Has been cancelled
Details

Browse Source 
- Replace admin role with granular roles: view, create, delete, edit, run
- Two binding types: resource bindings (role+resource+optional name) and
  operation bindings (role:run + action like backup, logs, impersonate)
- Name-scoped resource bindings for per-instance access control
- Remove role from project members (all permissions via RBAC)
- Add users, groups, RBAC CRUD endpoints and CLI commands
- describe user/group shows all RBAC access (direct + inherited)
- create rbac supports --subject, --binding, --operation flags
- Backup/restore handles users, groups, RBAC definitions
- mcplocal project-based MCP endpoint discovery
- Full test coverage for all new functionality

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Michal
2026-02-23 11:05:19 +00:00
parent a6b5e24a8d
commit dcda93d179
67 changed files with 7256 additions and 498 deletions
Download Patch File Download Diff File Expand all files Collapse all files

87
src/mcplocal/tests/project-discovery.test.ts Normal file
View File

@@ -0,0 +1,87 @@
import { describe, it, expect, vi } from 'vitest';
import { refreshProjectUpstreams } from '../src/discovery.js';
import { McpRouter } from '../src/router.js';
function mockMcpdClient(servers: Array<{ id: string; name: string; transport: string }>) {
return {
baseUrl: 'http://test:3100',
token: 'test-token',
get: vi.fn(async () => servers),
post: vi.fn(async () => ({ result: {} })),
put: vi.fn(),
delete: vi.fn(),
forward: vi.fn(async () => ({ status: 200, body: servers })),
};
}
describe('refreshProjectUpstreams', () => {
it('registers project-scoped servers as upstreams', async () => {
const router = new McpRouter();
const client = mockMcpdClient([
{ id: 'srv-1', name: 'grafana', transport: 'stdio' },
{ id: 'srv-2', name: 'ha', transport: 'stdio' },
]);
const registered = await refreshProjectUpstreams(router, client as any, 'smart-home');
expect(registered).toEqual(['grafana', 'ha']);
expect(router.getUpstreamNames()).toContain('grafana');
expect(router.getUpstreamNames()).toContain('ha');
expect(client.get).toHaveBeenCalledWith('/api/v1/projects/smart-home/servers');
});
it('removes stale upstreams on refresh', async () => {
const router = new McpRouter();
// First refresh: 2 servers
const client1 = mockMcpdClient([
{ id: 'srv-1', name: 'grafana', transport: 'stdio' },
{ id: 'srv-2', name: 'ha', transport: 'stdio' },
]);
await refreshProjectUpstreams(router, client1 as any, 'smart-home');
expect(router.getUpstreamNames()).toHaveLength(2);
// Second refresh: only 1 server
const client2 = mockMcpdClient([
{ id: 'srv-1', name: 'grafana', transport: 'stdio' },
]);
await refreshProjectUpstreams(router, client2 as any, 'smart-home');
expect(router.getUpstreamNames()).toEqual(['grafana']);
});
it('forwards auth token via forward() method', async () => {
const router = new McpRouter();
const servers = [{ id: 'srv-1', name: 'grafana', transport: 'stdio' }];
const client = mockMcpdClient(servers);
await refreshProjectUpstreams(router, client as any, 'smart-home', 'user-token-123');
expect(client.forward).toHaveBeenCalledWith('GET', '/api/v1/projects/smart-home/servers', '', undefined);
expect(router.getUpstreamNames()).toContain('grafana');
});
it('throws on failed project fetch', async () => {
const router = new McpRouter();
const client = mockMcpdClient([]);
client.forward.mockResolvedValue({ status: 403, body: { error: 'Forbidden' } });
await expect(
refreshProjectUpstreams(router, client as any, 'secret-project', 'bad-token'),
).rejects.toThrow('Failed to fetch project servers: 403');
});
it('URL-encodes project name', async () => {
const router = new McpRouter();
const client = mockMcpdClient([]);
await refreshProjectUpstreams(router, client as any, 'my project');
expect(client.get).toHaveBeenCalledWith('/api/v1/projects/my%20project/servers');
});
it('handles empty project server list', async () => {
const router = new McpRouter();
const client = mockMcpdClient([]);
const registered = await refreshProjectUpstreams(router, client as any, 'empty-project');
expect(registered).toEqual([]);
expect(router.getUpstreamNames()).toHaveLength(0);
});
});