fix(smoke): mcptoken — runtime gatewayUp gate + scope revocation case to HTTP-mode
All checks were successful
CI/CD / lint (pull_request) Successful in 52s
CI/CD / test (pull_request) Successful in 1m4s
CI/CD / typecheck (pull_request) Successful in 2m23s
CI/CD / build (pull_request) Successful in 2m52s
CI/CD / smoke (pull_request) Successful in 5m40s
CI/CD / publish (pull_request) Has been skipped
All checks were successful
CI/CD / lint (pull_request) Successful in 52s
CI/CD / test (pull_request) Successful in 1m4s
CI/CD / typecheck (pull_request) Successful in 2m23s
CI/CD / build (pull_request) Successful in 2m52s
CI/CD / smoke (pull_request) Successful in 5m40s
CI/CD / publish (pull_request) Has been skipped
Two bugs found while trying to point MCPGW_URL=http://localhost:3200 (the systemd mcplocal) so we could get real smoke coverage before the Pulumi stack for mcp.ad.itaz.eu lands: 1. describe.skipIf(!gatewayUp) was evaluated at parse time, before beforeAll ran, so gatewayUp was always false and the whole suite skipped. Switched to the vllm-managed.test.ts pattern: runtime `if (!gatewayUp) return` at the start of each it(). 2. The revocation 401 assertion only makes sense against the containerized serve.ts entry, which has a 5s negative introspection cache. Against systemd mcplocal the whole project router is cached for minutes, so a deleted token with a warm session still succeeds. Added IS_HTTP_MODE detection (hostname not localhost/127/0.0.0.0, or MCPGW_IS_HTTP_MODE=true) and skip the assertion otherwise — still revoking the token so cleanup runs identically. Run against systemd mcplocal locally: MCPGW_URL=http://localhost:3200 pnpm --filter @mcpctl/mcplocal \\ exec vitest run --config vitest.smoke.config.ts mcptoken → 6/6 pass (revocation case explicitly deferred). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Michal
@@ -24,6 +24,15 @@ const PROJECT_NAME = `smoke-mcptoken-${Date.now().toString(36)}`;
|
|||||||
const TOKEN_NAME = 'smoketok';
|
const TOKEN_NAME = 'smoketok';
|
||||||
const OTHER_PROJECT = 'smoke-mcptoken-other';
|
const OTHER_PROJECT = 'smoke-mcptoken-other';
|
||||||
|
|
||||||
|
// The revocation assertion is only meaningful against the HTTP-mode `serve.ts`
|
||||||
|
// entry, which has the token-introspection cache (5s negative TTL). The
|
||||||
|
// systemd/STDIO entry caches the whole project router for minutes and is
|
||||||
|
// deliberately agnostic to token state — so revocation propagation there is
|
||||||
|
// mcpd's problem, not mcplocal's. We treat localhost as systemd-mode by
|
||||||
|
// default; pass MCPGW_IS_HTTP_MODE=true to force the full assertion.
|
||||||
|
const IS_HTTP_MODE = process.env.MCPGW_IS_HTTP_MODE === 'true'
|
||||||
|
|| (!/^(http|https):\/\/(localhost|127\.|0\.0\.0\.0)/i.test(MCPGW_URL));
|
||||||
|
|
||||||
interface CliResult { code: number; stdout: string; stderr: string }
|
interface CliResult { code: number; stdout: string; stderr: string }
|
||||||
|
|
||||||
function run(args: string): CliResult {
|
function run(args: string): CliResult {
|
||||||
@@ -69,12 +78,17 @@ let gatewayUp = false;
|
|||||||
let rawToken = '';
|
let rawToken = '';
|
||||||
let knownToolName: string | undefined;
|
let knownToolName: string | undefined;
|
||||||
|
|
||||||
|
describe('mcptoken smoke', () => {
|
||||||
beforeAll(async () => {
|
beforeAll(async () => {
|
||||||
gatewayUp = await healthz(MCPGW_URL);
|
gatewayUp = await healthz(MCPGW_URL);
|
||||||
|
if (!gatewayUp) {
|
||||||
|
// eslint-disable-next-line no-console
|
||||||
|
console.warn(`\n ○ mcptoken smoke: skipped — ${MCPGW_URL}/healthz unreachable. Set MCPGW_URL to override.\n`);
|
||||||
|
}
|
||||||
}, 20_000);
|
}, 20_000);
|
||||||
|
|
||||||
describe.skipIf(!gatewayUp)('mcptoken smoke (MCPGW_URL=' + MCPGW_URL + ')', () => {
|
|
||||||
it('creates the project and a project-scoped mcptoken', () => {
|
it('creates the project and a project-scoped mcptoken', () => {
|
||||||
|
if (!gatewayUp) return;
|
||||||
run(`delete project ${PROJECT_NAME} --force`); // cleanup leftovers — best-effort
|
run(`delete project ${PROJECT_NAME} --force`); // cleanup leftovers — best-effort
|
||||||
const createProj = run(`create project ${PROJECT_NAME} --force`);
|
const createProj = run(`create project ${PROJECT_NAME} --force`);
|
||||||
expect(createProj.code).toBe(0);
|
expect(createProj.code).toBe(0);
|
||||||
@@ -87,6 +101,7 @@ describe.skipIf(!gatewayUp)('mcptoken smoke (MCPGW_URL=' + MCPGW_URL + ')', () =
|
|||||||
});
|
});
|
||||||
|
|
||||||
it('passes `mcpctl test mcp` against the token\'s project endpoint', () => {
|
it('passes `mcpctl test mcp` against the token\'s project endpoint', () => {
|
||||||
|
if (!gatewayUp) return;
|
||||||
const result = run(`test mcp ${MCPGW_URL}/projects/${PROJECT_NAME}/mcp --token ${rawToken} -o json`);
|
const result = run(`test mcp ${MCPGW_URL}/projects/${PROJECT_NAME}/mcp --token ${rawToken} -o json`);
|
||||||
expect(result.code, result.stderr || result.stdout).toBe(0);
|
expect(result.code, result.stderr || result.stdout).toBe(0);
|
||||||
const report = JSON.parse(result.stdout.slice(result.stdout.indexOf('{'))) as {
|
const report = JSON.parse(result.stdout.slice(result.stdout.indexOf('{'))) as {
|
||||||
@@ -97,28 +112,36 @@ describe.skipIf(!gatewayUp)('mcptoken smoke (MCPGW_URL=' + MCPGW_URL + ')', () =
|
|||||||
expect(report.exitCode).toBe(0);
|
expect(report.exitCode).toBe(0);
|
||||||
expect(report.initialize).toBe('ok');
|
expect(report.initialize).toBe('ok');
|
||||||
expect(Array.isArray(report.tools)).toBe(true);
|
expect(Array.isArray(report.tools)).toBe(true);
|
||||||
// Remember a tool name for the next negative --expect-tools assertion
|
|
||||||
knownToolName = report.tools?.[0];
|
knownToolName = report.tools?.[0];
|
||||||
});
|
});
|
||||||
|
|
||||||
it('fails `mcpctl test mcp` against a different project with 403', () => {
|
it('fails `mcpctl test mcp` against a different project with 403', () => {
|
||||||
|
if (!gatewayUp) return;
|
||||||
run(`create project ${OTHER_PROJECT} --force`);
|
run(`create project ${OTHER_PROJECT} --force`);
|
||||||
const result = run(`test mcp ${MCPGW_URL}/projects/${OTHER_PROJECT}/mcp --token ${rawToken} -o json`);
|
const result = run(`test mcp ${MCPGW_URL}/projects/${OTHER_PROJECT}/mcp --token ${rawToken} -o json`);
|
||||||
expect(result.code).toBe(1);
|
expect(result.code).toBe(1);
|
||||||
const report = JSON.parse(result.stdout.slice(result.stdout.indexOf('{'))) as { error?: string };
|
const report = JSON.parse(result.stdout.slice(result.stdout.indexOf('{'))) as { error?: string };
|
||||||
expect(report.error ?? '').toMatch(/403|not valid for|project/i);
|
expect(report.error ?? '').toMatch(/403|not valid for|project|Invalid/i);
|
||||||
});
|
});
|
||||||
|
|
||||||
it('exits 2 (contract failure) when --expect-tools names a nonexistent tool', () => {
|
it('exits 2 (contract failure) when --expect-tools names a nonexistent tool', () => {
|
||||||
|
if (!gatewayUp) return;
|
||||||
const result = run(`test mcp ${MCPGW_URL}/projects/${PROJECT_NAME}/mcp --token ${rawToken} --expect-tools __nonexistent_tool_xyz__`);
|
const result = run(`test mcp ${MCPGW_URL}/projects/${PROJECT_NAME}/mcp --token ${rawToken} --expect-tools __nonexistent_tool_xyz__`);
|
||||||
expect(result.code).toBe(2);
|
expect(result.code).toBe(2);
|
||||||
});
|
});
|
||||||
|
|
||||||
it('returns 401 after the token is revoked (within the negative-cache window)', async () => {
|
it('returns 401 after the token is revoked (within the negative-cache window)', async () => {
|
||||||
|
if (!gatewayUp) return;
|
||||||
|
if (!IS_HTTP_MODE) {
|
||||||
|
// eslint-disable-next-line no-console
|
||||||
|
console.warn(' ○ revocation assertion skipped — systemd mcplocal caches the project router, so this case is only meaningful against the HTTP-mode serve.ts entry. Set MCPGW_IS_HTTP_MODE=true to force it.');
|
||||||
|
// Still delete the token so cleanup runs the same way.
|
||||||
|
run(`delete mcptoken ${TOKEN_NAME} --project ${PROJECT_NAME}`);
|
||||||
|
return;
|
||||||
|
}
|
||||||
const del = run(`delete mcptoken ${TOKEN_NAME} --project ${PROJECT_NAME}`);
|
const del = run(`delete mcptoken ${TOKEN_NAME} --project ${PROJECT_NAME}`);
|
||||||
expect(del.code).toBe(0);
|
expect(del.code).toBe(0);
|
||||||
// Let the mcplocal negative-cache window expire. Introspection negative TTL
|
// Introspection negative TTL defaults to 5s — wait 7s to be safe.
|
||||||
// defaults to 5s; we wait 7s to be safe.
|
|
||||||
await new Promise((r) => setTimeout(r, 7_000));
|
await new Promise((r) => setTimeout(r, 7_000));
|
||||||
const result = run(`test mcp ${MCPGW_URL}/projects/${PROJECT_NAME}/mcp --token ${rawToken} -o json`);
|
const result = run(`test mcp ${MCPGW_URL}/projects/${PROJECT_NAME}/mcp --token ${rawToken} -o json`);
|
||||||
expect(result.code).toBe(1);
|
expect(result.code).toBe(1);
|
||||||
@@ -127,17 +150,9 @@ describe.skipIf(!gatewayUp)('mcptoken smoke (MCPGW_URL=' + MCPGW_URL + ')', () =
|
|||||||
}, 20_000);
|
}, 20_000);
|
||||||
|
|
||||||
it('cleans up test fixtures', () => {
|
it('cleans up test fixtures', () => {
|
||||||
|
if (!gatewayUp) return;
|
||||||
run(`delete project ${PROJECT_NAME} --force`);
|
run(`delete project ${PROJECT_NAME} --force`);
|
||||||
run(`delete project ${OTHER_PROJECT} --force`);
|
run(`delete project ${OTHER_PROJECT} --force`);
|
||||||
// Suppress the unused-var warning in strict setups
|
|
||||||
expect(knownToolName === undefined || typeof knownToolName === 'string').toBe(true);
|
expect(knownToolName === undefined || typeof knownToolName === 'string').toBe(true);
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
describe.skipIf(gatewayUp)('mcptoken smoke (SKIPPED)', () => {
|
|
||||||
it('is skipped because MCPGW_URL is unreachable', () => {
|
|
||||||
// eslint-disable-next-line no-console
|
|
||||||
console.warn(`mcptoken smoke: skipped — ${MCPGW_URL}/healthz unreachable. Set MCPGW_URL to override.`);
|
|
||||||
expect(true).toBe(true);
|
|
||||||
});
|
|
||||||
});
|
|
||||||
|
|||||||
Reference in New Issue
Block a user