codeant-ai-for-open-source[bot] commented on code in PR #38747: URL: https://github.com/apache/superset/pull/38747#discussion_r3006147001
########## tests/unit_tests/mcp_service/test_auth_user_resolution.py: ########## @@ -0,0 +1,446 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +"""Tests for MCP user resolution priority and stale g.user prevention.""" + +from typing import Any +from unittest.mock import MagicMock, patch + +import pytest +from flask import g + +from superset.mcp_service.auth import ( + _resolve_user_from_jwt_context, + get_user_from_request, + mcp_auth_hook, +) +from superset.mcp_service.mcp_config import default_user_resolver + + +def _make_mock_user(username: str = "testuser") -> MagicMock: + """Create a mock User with required attributes.""" + user = MagicMock() + user.username = username + user.roles = [] + user.groups = [] + return user + + +def _make_access_token( + claims: dict[str, Any] | None = None, **kwargs: Any +) -> MagicMock: + """Create a mock AccessToken matching FastMCP's format.""" + token = MagicMock() + token.claims = claims or {} + token.client_id = kwargs.get("client_id", "") + token.scopes = kwargs.get("scopes", []) + # Remove auto-created attributes so getattr fallbacks work correctly + for attr in ("subject", "payload"): + if attr not in kwargs: Review Comment: **Suggestion:** The helper `_make_access_token` unconditionally calls `delattr(token, attr)` for `"subject"` and `"payload"` when those names are not present in `kwargs`, but these attributes are not pre-existing on a plain `MagicMock`, so `delattr` will raise `AttributeError` whenever they were never set, causing all tests that construct a token without those kwargs to error at runtime instead of running. [possible bug] <details> <summary><b>Severity Level:</b> Major ⚠️</summary> ```mdx - ❌ JWT resolution tests error before assertions execute. - ❌ default_user_resolver tests fail with AttributeError. - ⚠️ MCP auth safety regressions might go undetected. ``` </details> ```suggestion if attr not in kwargs and hasattr(token, attr): ``` <details> <summary><b>Steps of Reproduction ✅ </b></summary> ```mdx 1. Open `tests/unit_tests/mcp_service/test_auth_user_resolution.py` and locate `_make_access_token` at lines 42–57; note the loop `for attr in ("subject", "payload"):` with `delattr(token, attr)` when the name is not present in `kwargs`. 2. Observe multiple tests in the same file (e.g., `test_jwt_context_resolves_correct_user` at lines ~63–80, `test_default_resolver_extracts_sub_from_claims` at lines ~372–375) calling `_make_access_token(claims={...})` without passing `subject` or `payload` in `kwargs`. 3. During such a call, `_make_access_token` creates `token = MagicMock()` and then immediately executes `delattr(token, "subject")` and `delattr(token, "payload")` because neither key is in `kwargs`. 4. Because a fresh `MagicMock` instance does not predefine attributes `subject` or `payload`, `delattr(token, "subject")` attempts to remove a non-existent attribute and raises `AttributeError`, causing each of those tests to error out before their assertions are executed. ``` </details> <details> <summary><b>Prompt for AI Agent 🤖 </b></summary> ```mdx This is a comment left during a code review. **Path:** tests/unit_tests/mcp_service/test_auth_user_resolution.py **Line:** 52:53 **Comment:** *Possible Bug: The helper `_make_access_token` unconditionally calls `delattr(token, attr)` for `"subject"` and `"payload"` when those names are not present in `kwargs`, but these attributes are not pre-existing on a plain `MagicMock`, so `delattr` will raise `AttributeError` whenever they were never set, causing all tests that construct a token without those kwargs to error at runtime instead of running. Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise. ``` </details> <a href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F38747&comment_hash=41875c1b4a4c78ff7dd5f3c40baabe401a0e14f7de5da9d37dedb34005c0206c&reaction=like'>👍</a> | <a href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F38747&comment_hash=41875c1b4a4c78ff7dd5f3c40baabe401a0e14f7de5da9d37dedb34005c0206c&reaction=dislike'>👎</a> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
