bito-code-review[bot] commented on code in PR #40653:
URL: https://github.com/apache/superset/pull/40653#discussion_r3343851791


##########
tests/unit_tests/mcp_service/test_auth_rbac.py:
##########
@@ -343,3 +343,105 @@ def 
test_visibility_data_model_metadata_allowed(app_context) -> None:
         result = is_tool_visible_to_current_user(tool)
 
     assert result is True
+
+
+# -- Scope-aware authorization (intersection of token scopes and RBAC) --
+
+
+def _patch_token_scopes(scopes):
+    """Patch the JWT access-token lookup used by ``_get_token_scopes``.
+
+    ``scopes=None`` simulates no JWT context / no token; a list simulates a
+    token that advertises those scopes; an empty list simulates a token with
+    no scopes (treated as scope-less -> RBAC-only).
+    """
+    if scopes is None:
+        token = None
+    else:
+        token = MagicMock()
+        token.scopes = scopes
+    return patch(
+        "fastmcp.server.dependencies.get_access_token",
+        return_value=token,
+    )
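Review bot: In `_patch_token_scopes`, the `else` branch builds the token as a bare `MagicMock()`, so any attribute other than `scopes` that the code under test reads resolves to an auto-created truthy mock instead of failing. Consider `types.SimpleNamespace(scopes=scopes)` or a `MagicMock` with `spec` bound to the real access-token class, so that an authorization test cannot pass on an attribute nobody set. The docstring also says an empty list is "treated as scope-less -> RBAC-only", meaning a token that advertises no scopes gets everything RBAC allows rather than nothing. If the tests that follow do not already pin that fallback, it deserves a dedicated case and a short comment on why it is intended. Lastly, the patch targets `fastmcp.server.dependencies.get_access_token` at its definition site, which only takes effect if `_get_token_scopes` resolves the name from that module at call time. A one-line note in the docstring would keep the helper from going silently inert after an import refactor.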

Review Comment:
   The change correctly addresses the maintenance concern by moving the helper 
function to a contiguous block before the test sections. This ensures that the 
helper is available for all tests and prevents potential NameError issues if 
future tests are inserted between the previous location and the function 
definition.
   
   **tests/unit_tests/mcp_service/test_auth_rbac.py**
   ```
   +def _patch_token_scopes(scopes):
   +    """Patch the JWT access-token lookup used by ``_get_token_scopes``.
   +
   +    ``scopes=None`` simulates no JWT context / no token; a list simulates a
   +    token that advertises those scopes; an empty list simulates a token with
   +    no scopes (treated as scope-less -> RBAC-only).
   +    """
   +    if scopes is None:
   +        token = None
   +    else:
   +        token = MagicMock()
   +        token.scopes = scopes
   +    return patch(
   +        "fastmcp.server.dependencies.get_access_token",
   +        return_value=token,
   +    )
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

