kubectl-mcp-server 1.12.0__py3-none-any.whl

tests/conftest.py

@@ -0,0 +1,379 @@
+"""
+Pytest configuration and shared fixtures for kubectl-mcp-server tests.
+"""
+
+import pytest
+import json
+import sys
+from unittest.mock import Mock, MagicMock, patch
+from typing import Dict, Any, List
+from datetime import datetime
+
+
+@pytest.fixture
+def mock_kube_config():
+    """Mock kubernetes config loading."""
+    with patch("kubernetes.config.load_kube_config") as mock:
+        mock.return_value = None
+        yield mock
+
+
+@pytest.fixture
+def mock_kube_contexts():
+    """Mock kubernetes contexts."""
+    contexts = [
+        {
+            "name": "minikube",
+            "context": {
+                "cluster": "minikube",
+                "user": "minikube",
+                "namespace": "default"
+            }
+        },
+        {
+            "name": "production",
+            "context": {
+                "cluster": "prod-cluster",
+                "user": "admin",
+                "namespace": "production"
+            }
+        }
+    ]
+    active_context = contexts[0]
+
+    with patch("kubernetes.config.list_kube_config_contexts") as mock:
+        mock.return_value = (contexts, active_context)
+        yield mock
+
+
+@pytest.fixture
+def mock_pod():
+    """Create a mock Pod object."""
+    pod = MagicMock()
+    pod.metadata.name = "test-pod"
+    pod.metadata.namespace = "default"
+    pod.metadata.labels = {"app": "test"}
+    pod.metadata.creation_timestamp = datetime.now()
+    pod.status.phase = "Running"
+    pod.status.pod_ip = "10.0.0.1"
+    pod.status.conditions = []
+    pod.spec.containers = [MagicMock(name="container1", image="nginx:latest")]
+    pod.spec.node_name = "node-1"
+    return pod
+
+
+@pytest.fixture
+def mock_deployment():
+    """Create a mock Deployment object."""
+    deployment = MagicMock()
+    deployment.metadata.name = "test-deployment"
+    deployment.metadata.namespace = "default"
+    deployment.metadata.labels = {"app": "test"}
+    deployment.metadata.creation_timestamp = datetime.now()
+    deployment.spec.replicas = 3
+    deployment.status.ready_replicas = 3
+    deployment.status.available_replicas = 3
+    deployment.status.replicas = 3
+    return deployment
+
+
+@pytest.fixture
+def mock_service():
+    """Create a mock Service object."""
+    service = MagicMock()
+    service.metadata.name = "test-service"
+    service.metadata.namespace = "default"
+    service.spec.type = "ClusterIP"
+    service.spec.cluster_ip = "10.96.0.1"
+    service.spec.ports = [MagicMock(port=80, target_port=8080, protocol="TCP")]
+    return service
+
+
+@pytest.fixture
+def mock_node():
+    """Create a mock Node object."""
+    node = MagicMock()
+    node.metadata.name = "test-node"
+    node.metadata.labels = {"node-role.kubernetes.io/control-plane": ""}
+    node.status.conditions = [MagicMock(type="Ready", status="True")]
+    node.status.node_info.kubelet_version = "v1.28.0"
+    node.status.node_info.os_image = "Ubuntu 22.04"
+    node.status.node_info.architecture = "amd64"
+    node.status.capacity = {"cpu": "4", "memory": "8Gi", "pods": "110"}
+    node.status.allocatable = {"cpu": "3800m", "memory": "7Gi", "pods": "100"}
+    return node
+
+
+@pytest.fixture
+def mock_namespace():
+    """Create a mock Namespace object."""
+    namespace = MagicMock()
+    namespace.metadata.name = "test-namespace"
+    namespace.metadata.labels = {"env": "test"}
+    namespace.metadata.creation_timestamp = datetime.now()
+    namespace.status.phase = "Active"
+    return namespace
+
+
+@pytest.fixture
+def mock_configmap():
+    """Create a mock ConfigMap object."""
+    configmap = MagicMock()
+    configmap.metadata.name = "test-configmap"
+    configmap.metadata.namespace = "default"
+    configmap.data = {"key1": "value1", "key2": "value2"}
+    return configmap
+
+
+@pytest.fixture
+def mock_secret():
+    """Create a mock Secret object."""
+    secret = MagicMock()
+    secret.metadata.name = "test-secret"
+    secret.metadata.namespace = "default"
+    secret.type = "Opaque"
+    secret.data = {"password": "c2VjcmV0"}  # base64 encoded
+    return secret
+
+
+@pytest.fixture
+def mock_core_v1_api(mock_pod, mock_service, mock_namespace, mock_configmap, mock_secret, mock_node):
+    """Mock CoreV1Api."""
+    api = MagicMock()
+
+    # Pod methods
+    api.list_namespaced_pod.return_value.items = [mock_pod]
+    api.list_pod_for_all_namespaces.return_value.items = [mock_pod]
+    api.read_namespaced_pod.return_value = mock_pod
+    api.read_namespaced_pod_log.return_value = "Test log output"
+
+    # Service methods
+    api.list_namespaced_service.return_value.items = [mock_service]
+    api.list_service_for_all_namespaces.return_value.items = [mock_service]
+    api.read_namespaced_service.return_value = mock_service
+
+    # Namespace methods
+    api.list_namespace.return_value.items = [mock_namespace]
+    api.read_namespace.return_value = mock_namespace
+    api.create_namespace.return_value = mock_namespace
+
+    # ConfigMap methods
+    api.list_namespaced_config_map.return_value.items = [mock_configmap]
+    api.read_namespaced_config_map.return_value = mock_configmap
+
+    # Secret methods
+    api.list_namespaced_secret.return_value.items = [mock_secret]
+    api.read_namespaced_secret.return_value = mock_secret
+
+    # Node methods
+    api.list_node.return_value.items = [mock_node]
+    api.read_node.return_value = mock_node
+
+    # Events
+    api.list_namespaced_event.return_value.items = []
+
+    return api
+
+
+@pytest.fixture
+def mock_apps_v1_api(mock_deployment):
+    """Mock AppsV1Api."""
+    api = MagicMock()
+
+    api.list_namespaced_deployment.return_value.items = [mock_deployment]
+    api.list_deployment_for_all_namespaces.return_value.items = [mock_deployment]
+    api.read_namespaced_deployment.return_value = mock_deployment
+    api.read_namespaced_deployment_scale.return_value.spec.replicas = 3
+
+    api.list_namespaced_stateful_set.return_value.items = []
+    api.list_namespaced_daemon_set.return_value.items = []
+    api.list_namespaced_replica_set.return_value.items = []
+
+    return api
+
+
+@pytest.fixture
+def mock_networking_v1_api():
+    """Mock NetworkingV1Api."""
+    api = MagicMock()
+
+    ingress = MagicMock()
+    ingress.metadata.name = "test-ingress"
+    ingress.metadata.namespace = "default"
+    api.list_namespaced_ingress.return_value.items = [ingress]
+    api.read_namespaced_ingress.return_value = ingress
+
+    network_policy = MagicMock()
+    network_policy.metadata.name = "test-policy"
+    api.list_namespaced_network_policy.return_value.items = [network_policy]
+
+    return api
+
+
+@pytest.fixture
+def mock_batch_v1_api():
+    """Mock BatchV1Api."""
+    api = MagicMock()
+
+    job = MagicMock()
+    job.metadata.name = "test-job"
+    job.metadata.namespace = "default"
+    api.list_namespaced_job.return_value.items = [job]
+
+    cronjob = MagicMock()
+    cronjob.metadata.name = "test-cronjob"
+    api.list_namespaced_cron_job.return_value.items = [cronjob]
+
+    return api
+
+
+@pytest.fixture
+def mock_version_api():
+    """Mock VersionApi."""
+    api = MagicMock()
+
+    version_info = MagicMock()
+    version_info.git_version = "v1.28.0"
+    version_info.major = "1"
+    version_info.minor = "28"
+    version_info.platform = "linux/amd64"
+    version_info.build_date = "2024-01-01T00:00:00Z"
+    version_info.go_version = "go1.21.0"
+    version_info.compiler = "gc"
+
+    api.get_code.return_value = version_info
+    return api
+
+
+@pytest.fixture
+def mock_kubectl_subprocess():
+    """Mock subprocess calls for kubectl."""
+    with patch("subprocess.run") as mock_run:
+        mock_run.return_value = MagicMock(
+            returncode=0,
+            stdout="Command executed successfully",
+            stderr=""
+        )
+        yield mock_run
+
+
+@pytest.fixture
+def mock_helm_subprocess():
+    """Mock subprocess calls for helm."""
+    with patch("subprocess.run") as mock_run:
+        mock_run.return_value = MagicMock(
+            returncode=0,
+            stdout=json.dumps([
+                {"name": "test-release", "namespace": "default", "status": "deployed"}
+            ]),
+            stderr=""
+        )
+        yield mock_run
+
+
+@pytest.fixture
+def mcp_server(mock_kube_config):
+    """Create an MCPServer instance with mocked dependencies."""
+    with patch("kubectl_mcp_tool.mcp_server.MCPServer._check_dependencies") as mock_deps:
+        mock_deps.return_value = True
+        from kubectl_mcp_tool.mcp_server import MCPServer
+        server = MCPServer(name="test-server")
+        yield server
+
+
+@pytest.fixture
+def mock_all_kubernetes_apis(
+    mock_kube_config,
+    mock_kube_contexts,
+    mock_core_v1_api,
+    mock_apps_v1_api,
+    mock_networking_v1_api,
+    mock_batch_v1_api,
+    mock_version_api
+):
+    """Patch all Kubernetes API clients."""
+    with patch("kubernetes.client.CoreV1Api", return_value=mock_core_v1_api), \
+         patch("kubernetes.client.AppsV1Api", return_value=mock_apps_v1_api), \
+         patch("kubernetes.client.NetworkingV1Api", return_value=mock_networking_v1_api), \
+         patch("kubernetes.client.BatchV1Api", return_value=mock_batch_v1_api), \
+         patch("kubernetes.client.VersionApi", return_value=mock_version_api), \
+         patch("kubernetes.client.ApiClient") as mock_api_client:
+
+        mock_api_client.return_value.sanitize_for_serialization.return_value = {}
+
+        yield {
+            "core_v1": mock_core_v1_api,
+            "apps_v1": mock_apps_v1_api,
+            "networking_v1": mock_networking_v1_api,
+            "batch_v1": mock_batch_v1_api,
+            "version": mock_version_api,
+        }
+
+
+class MockResponse:
+    """Mock HTTP response for testing."""
+    def __init__(self, json_data: Dict, status_code: int = 200):
+        self.json_data = json_data
+        self.status_code = status_code
+        self.text = json.dumps(json_data)
+
+    def json(self):
+        return self.json_data
+
+
+@pytest.fixture
+def sample_pod_yaml():
+    """Sample pod YAML for testing."""
+    return """
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-pod
+  namespace: default
+spec:
+  containers:
+  - name: nginx
+    image: nginx:latest
+    ports:
+    - containerPort: 80
+"""
+
+
+@pytest.fixture
+def sample_deployment_yaml():
+    """Sample deployment YAML for testing."""
+    return """
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-deployment
+  namespace: default
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: test
+  template:
+    metadata:
+      labels:
+        app: test
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:latest
+        ports:
+        - containerPort: 80
+"""
+
+
+def pytest_configure(config):
+    """Configure pytest markers."""
+    config.addinivalue_line(
+        "markers", "unit: mark test as a unit test"
+    )
+    config.addinivalue_line(
+        "markers", "integration: mark test as an integration test"
+    )
+    config.addinivalue_line(
+        "markers", "slow: mark test as slow running"
+    )

tests/test_auth.py

@@ -0,0 +1,256 @@
+"""Tests for the MCP Authorization module."""
+
+import os
+import pytest
+from unittest.mock import patch, MagicMock
+
+
+class TestAuthConfig:
+    """Tests for authentication configuration."""
+
+    def test_auth_disabled_by_default(self):
+        """Test that auth is disabled by default."""
+        with patch.dict(os.environ, {}, clear=True):
+            from kubectl_mcp_tool.auth.config import get_auth_config
+            config = get_auth_config()
+            assert config.enabled is False
+
+    def test_auth_enabled_via_env(self):
+        """Test enabling auth via environment variable."""
+        with patch.dict(os.environ, {"MCP_AUTH_ENABLED": "true"}, clear=True):
+            from kubectl_mcp_tool.auth.config import get_auth_config
+            config = get_auth_config()
+            assert config.enabled is True
+
+    def test_auth_issuer_from_env(self):
+        """Test issuer URL from environment."""
+        with patch.dict(os.environ, {
+            "MCP_AUTH_ENABLED": "true",
+            "MCP_AUTH_ISSUER": "https://auth.example.com"
+        }, clear=True):
+            from kubectl_mcp_tool.auth.config import get_auth_config
+            config = get_auth_config()
+            assert config.issuer_url == "https://auth.example.com"
+
+    def test_auth_audience_default(self):
+        """Test default audience value."""
+        with patch.dict(os.environ, {}, clear=True):
+            from kubectl_mcp_tool.auth.config import get_auth_config
+            config = get_auth_config()
+            assert config.audience == "kubectl-mcp-server"
+
+    def test_auth_audience_custom(self):
+        """Test custom audience value."""
+        with patch.dict(os.environ, {
+            "MCP_AUTH_AUDIENCE": "custom-audience"
+        }, clear=True):
+            from kubectl_mcp_tool.auth.config import get_auth_config
+            config = get_auth_config()
+            assert config.audience == "custom-audience"
+
+    def test_auth_required_scopes_default(self):
+        """Test default required scopes."""
+        with patch.dict(os.environ, {}, clear=True):
+            from kubectl_mcp_tool.auth.config import get_auth_config
+            config = get_auth_config()
+            assert "mcp:tools" in config.required_scopes
+
+    def test_auth_required_scopes_custom(self):
+        """Test custom required scopes."""
+        with patch.dict(os.environ, {
+            "MCP_AUTH_REQUIRED_SCOPES": "mcp:read,mcp:write"
+        }, clear=True):
+            from kubectl_mcp_tool.auth.config import get_auth_config
+            config = get_auth_config()
+            assert "mcp:read" in config.required_scopes
+            assert "mcp:write" in config.required_scopes
+
+    def test_effective_jwks_uri_derived(self):
+        """Test JWKS URI is derived from issuer."""
+        with patch.dict(os.environ, {
+            "MCP_AUTH_ISSUER": "https://auth.example.com"
+        }, clear=True):
+            from kubectl_mcp_tool.auth.config import get_auth_config
+            config = get_auth_config()
+            assert config.effective_jwks_uri == "https://auth.example.com/.well-known/jwks.json"
+
+    def test_effective_jwks_uri_explicit(self):
+        """Test explicit JWKS URI takes precedence."""
+        with patch.dict(os.environ, {
+            "MCP_AUTH_ISSUER": "https://auth.example.com",
+            "MCP_AUTH_JWKS_URI": "https://custom.example.com/jwks"
+        }, clear=True):
+            from kubectl_mcp_tool.auth.config import get_auth_config
+            config = get_auth_config()
+            assert config.effective_jwks_uri == "https://custom.example.com/jwks"
+
+    def test_config_validation_disabled(self):
+        """Test validation passes when auth is disabled."""
+        with patch.dict(os.environ, {}, clear=True):
+            from kubectl_mcp_tool.auth.config import get_auth_config
+            config = get_auth_config()
+            assert config.validate() is True
+
+    def test_config_validation_enabled_without_issuer(self):
+        """Test validation fails when enabled without issuer."""
+        with patch.dict(os.environ, {
+            "MCP_AUTH_ENABLED": "true"
+        }, clear=True):
+            from kubectl_mcp_tool.auth.config import get_auth_config
+            config = get_auth_config()
+            assert config.validate() is False
+
+    def test_config_validation_enabled_with_issuer(self):
+        """Test validation passes when properly configured."""
+        with patch.dict(os.environ, {
+            "MCP_AUTH_ENABLED": "true",
+            "MCP_AUTH_ISSUER": "https://auth.example.com"
+        }, clear=True):
+            from kubectl_mcp_tool.auth.config import get_auth_config
+            config = get_auth_config()
+            assert config.validate() is True
+
+
+class TestMCPScopes:
+    """Tests for MCP scope definitions."""
+
+    def test_all_scopes_returns_list(self):
+        """Test all_scopes returns a list."""
+        from kubectl_mcp_tool.auth.scopes import MCPScopes
+        scopes = MCPScopes.all_scopes()
+        assert isinstance(scopes, list)
+        assert len(scopes) > 0
+
+    def test_scope_values(self):
+        """Test scope enum values."""
+        from kubectl_mcp_tool.auth.scopes import MCPScopes
+        assert MCPScopes.READ.value == "mcp:read"
+        assert MCPScopes.WRITE.value == "mcp:write"
+        assert MCPScopes.ADMIN.value == "mcp:admin"
+        assert MCPScopes.TOOLS.value == "mcp:tools"
+        assert MCPScopes.HELM.value == "mcp:helm"
+
+    def test_read_scopes(self):
+        """Test read-only scopes."""
+        from kubectl_mcp_tool.auth.scopes import MCPScopes
+        scopes = MCPScopes.read_scopes()
+        assert "mcp:read" in scopes
+        assert "mcp:diagnostics" in scopes
+
+    def test_admin_scopes_includes_all(self):
+        """Test admin scopes include all scopes."""
+        from kubectl_mcp_tool.auth.scopes import MCPScopes
+        admin_scopes = MCPScopes.admin_scopes()
+        all_scopes = MCPScopes.all_scopes()
+        assert set(admin_scopes) == set(all_scopes)
+
+
+class TestToolScopes:
+    """Tests for tool-to-scope mappings."""
+
+    def test_get_required_scopes_read_tool(self):
+        """Test read tools require read scope."""
+        from kubectl_mcp_tool.auth.scopes import get_required_scopes, MCPScopes
+        scopes = get_required_scopes("get_pods")
+        assert MCPScopes.READ.value in scopes
+
+    def test_get_required_scopes_write_tool(self):
+        """Test write tools require write scope."""
+        from kubectl_mcp_tool.auth.scopes import get_required_scopes, MCPScopes
+        scopes = get_required_scopes("scale_deployment")
+        assert MCPScopes.WRITE.value in scopes
+
+    def test_get_required_scopes_admin_tool(self):
+        """Test admin tools require admin scope."""
+        from kubectl_mcp_tool.auth.scopes import get_required_scopes, MCPScopes
+        scopes = get_required_scopes("drain_node")
+        assert MCPScopes.ADMIN.value in scopes
+
+    def test_get_required_scopes_helm_tool(self):
+        """Test helm tools require helm scope."""
+        from kubectl_mcp_tool.auth.scopes import get_required_scopes, MCPScopes
+        scopes = get_required_scopes("helm_list_releases")
+        assert MCPScopes.HELM.value in scopes
+
+    def test_get_required_scopes_unknown_tool(self):
+        """Test unknown tools require default scope."""
+        from kubectl_mcp_tool.auth.scopes import get_required_scopes, MCPScopes
+        scopes = get_required_scopes("unknown_tool_xyz")
+        assert MCPScopes.TOOLS.value in scopes
+
+    def test_has_required_scopes_with_tools_scope(self):
+        """Test mcp:tools grants access to all tools."""
+        from kubectl_mcp_tool.auth.scopes import has_required_scopes, MCPScopes
+        token_scopes = {MCPScopes.TOOLS.value}
+        assert has_required_scopes(token_scopes, "get_pods") is True
+        assert has_required_scopes(token_scopes, "drain_node") is True
+
+    def test_has_required_scopes_with_admin_scope(self):
+        """Test mcp:admin grants access to all tools."""
+        from kubectl_mcp_tool.auth.scopes import has_required_scopes, MCPScopes
+        token_scopes = {MCPScopes.ADMIN.value}
+        assert has_required_scopes(token_scopes, "get_pods") is True
+        assert has_required_scopes(token_scopes, "drain_node") is True
+
+    def test_has_required_scopes_read_only(self):
+        """Test read scope grants access to read tools only."""
+        from kubectl_mcp_tool.auth.scopes import has_required_scopes, MCPScopes
+        token_scopes = {MCPScopes.READ.value}
+        assert has_required_scopes(token_scopes, "get_pods") is True
+        assert has_required_scopes(token_scopes, "scale_deployment") is False
+
+    def test_has_required_scopes_write_not_admin(self):
+        """Test write scope doesn't grant admin access."""
+        from kubectl_mcp_tool.auth.scopes import has_required_scopes, MCPScopes
+        token_scopes = {MCPScopes.WRITE.value}
+        assert has_required_scopes(token_scopes, "scale_deployment") is True
+        assert has_required_scopes(token_scopes, "drain_node") is False
+
+
+class TestAuthVerifier:
+    """Tests for authentication verifier creation."""
+
+    def test_create_verifier_auth_disabled(self):
+        """Test verifier is None when auth disabled."""
+        with patch.dict(os.environ, {}, clear=True):
+            from kubectl_mcp_tool.auth import get_auth_config, create_auth_verifier
+            config = get_auth_config()
+            verifier = create_auth_verifier(config)
+            assert verifier is None
+
+    def test_create_verifier_missing_fastmcp_auth(self):
+        """Test graceful handling when FastMCP auth not available."""
+        with patch.dict(os.environ, {
+            "MCP_AUTH_ENABLED": "true",
+            "MCP_AUTH_ISSUER": "https://auth.example.com"
+        }, clear=True):
+            from kubectl_mcp_tool.auth import get_auth_config, create_auth_verifier
+            config = get_auth_config()
+
+            # Mock the import to fail
+            with patch.dict('sys.modules', {'fastmcp.server.auth': None}):
+                verifier = create_auth_verifier(config)
+                # Should return None gracefully when auth module not available
+                assert verifier is None
+
+
+class TestMCPServerAuth:
+    """Tests for MCP server with authentication."""
+
+    def test_server_initializes_without_auth(self):
+        """Test server initializes with auth disabled."""
+        with patch.dict(os.environ, {}, clear=True):
+            from kubectl_mcp_tool.mcp_server import MCPServer
+            server = MCPServer(name="test-server")
+            assert server.auth_config.enabled is False
+
+    def test_server_with_auth_enabled(self):
+        """Test server with auth enabled loads config."""
+        with patch.dict(os.environ, {
+            "MCP_AUTH_ENABLED": "true",
+            "MCP_AUTH_ISSUER": "https://auth.example.com"
+        }, clear=True):
+            from kubectl_mcp_tool.mcp_server import MCPServer
+            server = MCPServer(name="test-server")
+            assert server.auth_config.enabled is True
+            assert server.auth_config.issuer_url == "https://auth.example.com"