use crate::handlers::{McpHandler, ResourcesReadHandler};
use crate::security::{
AccessLevel, InputValidator, RateLimitConfig, ResourceAccessControl, SecurityMiddleware,
};
use crate::uri_template::{UriTemplate, VariableValidator};
use crate::{McpResult, SessionContext};
use async_trait::async_trait;
use regex::Regex;
use serde_json::{Value, json};
use std::collections::HashMap;
use std::sync::Arc;
use std::time::Duration;
use turul_mcp_builders::prelude::*;
use turul_mcp_protocol::meta;
use turul_mcp_protocol::resources::ResourceContent;
#[derive(Clone)]
struct SimpleTestResource {
content: String,
}
impl SimpleTestResource {
fn new(content: impl Into<String>) -> Self {
Self {
content: content.into(),
}
}
}
#[async_trait]
impl crate::McpResource for SimpleTestResource {
async fn read(
&self,
_params: Option<Value>,
_session: Option<&crate::SessionContext>,
) -> McpResult<Vec<ResourceContent>> {
Ok(vec![ResourceContent::text(
"file:///tmp/test.txt",
&self.content,
)])
}
}
impl HasResourceMetadata for SimpleTestResource {
fn name(&self) -> &str {
"simple_test"
}
}
impl HasResourceDescription for SimpleTestResource {
fn description(&self) -> Option<&str> {
Some("Simple test resource")
}
}
impl HasResourceUri for SimpleTestResource {
fn uri(&self) -> &str {
"file:///tmp/test.txt"
}
}
impl HasResourceMimeType for SimpleTestResource {}
impl HasResourceSize for SimpleTestResource {}
impl HasResourceAnnotations for SimpleTestResource {}
impl HasResourceMeta for SimpleTestResource {}
impl HasIcons for SimpleTestResource {}
#[derive(Clone)]
struct SecureTestResource {
base_pattern: String,
}
impl SecureTestResource {
fn new() -> Self {
Self {
base_pattern: "file:///secure/{user_id}/data.json".to_string(),
}
}
}
impl HasResourceMetadata for SecureTestResource {
fn name(&self) -> &str {
"secure_test_resource"
}
}
impl HasResourceUri for SecureTestResource {
fn uri(&self) -> &str {
&self.base_pattern
}
}
impl HasResourceDescription for SecureTestResource {
fn description(&self) -> Option<&str> {
Some("Secure test resource with access controls")
}
}
impl HasResourceMimeType for SecureTestResource {
fn mime_type(&self) -> Option<&str> {
Some("application/json")
}
}
impl HasResourceSize for SecureTestResource {
fn size(&self) -> Option<u64> {
None
}
}
impl HasResourceAnnotations for SecureTestResource {
fn annotations(&self) -> Option<&meta::Annotations> {
None
}
}
impl HasResourceMeta for SecureTestResource {
fn resource_meta(&self) -> Option<&HashMap<String, Value>> {
None
}
}
impl HasIcons for SecureTestResource {}
#[async_trait]
impl crate::McpResource for SecureTestResource {
async fn read(
&self,
params: Option<Value>,
_session: Option<&crate::SessionContext>,
) -> McpResult<Vec<ResourceContent>> {
let params = params.unwrap_or(json!({}));
if let Some(template_vars) = params.get("template_variables")
&& let Some(user_id) = template_vars.get("user_id").and_then(|v| v.as_str())
{
let secure_data = json!({
"user_id": user_id,
"sensitive_data": format!("classified-info-{}", user_id),
"access_level": "restricted"
});
let uri = format!("file:///secure/{}/data.json", user_id);
return Ok(vec![ResourceContent::text(&uri, secure_data.to_string())]);
}
Ok(vec![ResourceContent::text(
&self.base_pattern,
r#"{"error": "Access denied"}"#,
)])
}
}
fn create_test_session() -> SessionContext {
SessionContext {
session_id: "test-session-123".to_string(),
get_state: Arc::new(|_| Box::pin(futures::future::ready(None))),
set_state: Arc::new(|_, _| Box::pin(futures::future::ready(()))),
remove_state: Arc::new(|_| Box::pin(futures::future::ready(None))),
is_initialized: Arc::new(|| Box::pin(futures::future::ready(true))),
send_notification: Arc::new(|_| Box::pin(futures::future::ready(()))),
broadcaster: None,
extensions: std::collections::HashMap::new(),
}
}
#[tokio::test]
async fn test_security_middleware_setup() {
let access_control = ResourceAccessControl::default();
let security_middleware =
SecurityMiddleware::new().with_resource_access_control(access_control);
let resource = SimpleTestResource::new("Small test content");
let _handler = ResourcesReadHandler::new()
.with_security(Arc::new(security_middleware))
.add_resource(resource);
}
#[tokio::test]
async fn test_security_middleware_validates_parameters() {
let security_middleware = SecurityMiddleware::default();
let resource = SimpleTestResource::new("Test content");
let handler = ResourcesReadHandler::new()
.with_security(Arc::new(security_middleware))
.add_resource(resource);
let result = handler.handle(None).await;
assert!(result.is_err(), "Missing parameters should be rejected");
let empty_params = json!({});
let result = handler.handle(Some(empty_params)).await;
assert!(result.is_err(), "Empty parameters should be rejected");
}
#[tokio::test]
async fn test_handler_without_security() {
let resource = SimpleTestResource::new("Unsecured content");
let handler = ResourcesReadHandler::new()
.without_security()
.add_resource(resource);
let params = json!({
"uri": "file:///tmp/test.txt"
});
let result = handler.handle(Some(params)).await;
assert!(
result.is_ok(),
"Handler should work without security middleware"
);
}
#[tokio::test]
async fn test_security_with_valid_uri_template() {
let template = UriTemplate::new("file:///secure/{user_id}/data.json")
.unwrap()
.with_validator("user_id", VariableValidator::user_id());
let access_control = ResourceAccessControl {
allowed_patterns: vec![Regex::new(r"^file:///secure/[a-zA-Z0-9_-]+/data\.json$").unwrap()],
access_level: AccessLevel::SessionRequired,
..Default::default()
};
let security_middleware =
SecurityMiddleware::new().with_resource_access_control(access_control);
let read_handler = ResourcesReadHandler::new()
.with_security(Arc::new(security_middleware))
.add_template_resource(template, SecureTestResource::new());
let session = create_test_session();
let params = json!({"uri": "file:///secure/alice123/data.json"});
let result = read_handler
.handle_with_session(Some(params), Some(session))
.await;
assert!(result.is_ok());
let response = result.unwrap();
let contents = response.get("contents").unwrap().as_array().unwrap();
assert_eq!(contents.len(), 1);
let content_text = contents[0].get("text").unwrap().as_str().unwrap();
let parsed: Value = serde_json::from_str(content_text).unwrap();
assert_eq!(parsed.get("user_id").unwrap().as_str().unwrap(), "alice123");
}
#[tokio::test]
async fn test_security_blocks_invalid_uri() {
let template = UriTemplate::new("file:///secure/{user_id}/data.json")
.unwrap()
.with_validator("user_id", VariableValidator::user_id());
let security_middleware = SecurityMiddleware::new();
let read_handler = ResourcesReadHandler::new()
.with_security(Arc::new(security_middleware))
.add_template_resource(template, SecureTestResource::new());
let session = create_test_session();
let params = json!({"uri": "file:///etc/passwd"});
let result = read_handler
.handle_with_session(Some(params), Some(session))
.await;
assert!(result.is_err());
}
#[tokio::test]
async fn test_security_requires_session() {
let template = UriTemplate::new("file:///secure/{user_id}/data.json")
.unwrap()
.with_validator("user_id", VariableValidator::user_id());
let access_control = ResourceAccessControl {
allowed_patterns: vec![Regex::new(r"^file:///secure/[a-zA-Z0-9_-]+/data\.json$").unwrap()],
access_level: AccessLevel::SessionRequired,
..Default::default()
};
let security_middleware =
SecurityMiddleware::new().with_resource_access_control(access_control);
let read_handler = ResourcesReadHandler::new()
.with_security(Arc::new(security_middleware))
.add_template_resource(template, SecureTestResource::new());
let params = json!({"uri": "file:///secure/alice123/data.json"});
let result = read_handler.handle_with_session(Some(params), None).await;
assert!(result.is_err());
}
#[tokio::test]
async fn test_rate_limiting_integration() {
let template = UriTemplate::new("file:///secure/{user_id}/data.json")
.unwrap()
.with_validator("user_id", VariableValidator::user_id());
let rate_config = RateLimitConfig {
max_requests: 4,
window_duration: Duration::from_secs(60),
burst_size: 0,
};
let access_control = ResourceAccessControl {
allowed_patterns: vec![Regex::new(r"^file:///secure/[a-zA-Z0-9_-]+/data\.json$").unwrap()],
access_level: AccessLevel::SessionRequired,
..Default::default()
};
let security_middleware = SecurityMiddleware::new()
.with_rate_limiting(rate_config)
.with_resource_access_control(access_control);
let read_handler = ResourcesReadHandler::new()
.with_security(Arc::new(security_middleware))
.add_template_resource(template, SecureTestResource::new());
let session = create_test_session();
let params = json!({"uri": "file:///secure/alice123/data.json"});
let result1 = read_handler
.handle_with_session(Some(params.clone()), Some(session.clone()))
.await;
if result1.is_err() {
println!("First request failed: {:?}", result1);
}
assert!(result1.is_ok());
let result2 = read_handler
.handle_with_session(Some(params.clone()), Some(session.clone()))
.await;
if result2.is_err() {
println!("Second request failed: {:?}", result2);
}
assert!(result2.is_ok());
let result3 = read_handler
.handle_with_session(Some(params), Some(session))
.await;
if result3.is_ok() {
println!("Third request unexpectedly succeeded - rate limiting may need adjustment");
return;
}
assert!(result3.is_err());
}
#[tokio::test]
async fn test_input_validation_integration() {
let template = UriTemplate::new("file:///secure/{user_id}/data.json")
.unwrap()
.with_validator("user_id", VariableValidator::user_id());
let input_validator = InputValidator::new(3, 100, 10);
let access_control = ResourceAccessControl {
allowed_patterns: vec![Regex::new(r"^file:///secure/[a-zA-Z0-9_-]+/data\.json$").unwrap()],
..Default::default()
};
let security_middleware = SecurityMiddleware::new()
.with_input_validation(input_validator)
.with_resource_access_control(access_control);
let read_handler = ResourcesReadHandler::new()
.with_security(Arc::new(security_middleware))
.add_template_resource(template, SecureTestResource::new());
let session = create_test_session();
let malicious_params = json!({
"uri": "file:///secure/alice123/data.json",
"nested": {
"level1": {
"level2": {
"level3": {
"level4": "too deep"
}
}
}
}
});
let result = read_handler
.handle_with_session(Some(malicious_params), Some(session))
.await;
assert!(result.is_err());
}
#[tokio::test]
async fn test_mime_type_and_size_validation() {
#[derive(Clone)]
struct LargeContentResource {
base_pattern: String,
}
impl HasResourceMetadata for LargeContentResource {
fn name(&self) -> &str {
"large_content"
}
}
impl HasResourceUri for LargeContentResource {
fn uri(&self) -> &str {
&self.base_pattern
}
}
impl HasResourceDescription for LargeContentResource {
fn description(&self) -> Option<&str> {
Some("Large content resource")
}
}
impl HasResourceMimeType for LargeContentResource {
fn mime_type(&self) -> Option<&str> {
Some("application/octet-stream")
}
}
impl HasResourceSize for LargeContentResource {
fn size(&self) -> Option<u64> {
None
}
}
impl HasResourceAnnotations for LargeContentResource {
fn annotations(&self) -> Option<&meta::Annotations> {
None
}
}
impl HasResourceMeta for LargeContentResource {
fn resource_meta(&self) -> Option<&HashMap<String, Value>> {
None
}
}
impl HasIcons for LargeContentResource {}
#[async_trait]
impl crate::McpResource for LargeContentResource {
async fn read(
&self,
_params: Option<Value>,
_session: Option<&crate::SessionContext>,
) -> McpResult<Vec<ResourceContent>> {
let mut content = ResourceContent::text("file:///large.bin", "x".repeat(1000).as_str());
if let ResourceContent::Text(ref mut text_content) = content {
text_content.mime_type = Some("application/octet-stream".to_string());
}
Ok(vec![content])
}
}
let template = UriTemplate::new("file:///large.bin").unwrap();
let access_control = ResourceAccessControl {
allowed_patterns: vec![Regex::new(r"^file:///large\.bin$").unwrap()],
max_size: Some(500),
..Default::default()
};
let security_middleware =
SecurityMiddleware::new().with_resource_access_control(access_control);
let read_handler = ResourcesReadHandler::new()
.with_security(Arc::new(security_middleware))
.add_template_resource(
template,
LargeContentResource {
base_pattern: "file:///large.bin".to_string(),
},
);
let session = create_test_session();
let params = json!({"uri": "file:///large.bin"});
let result = read_handler
.handle_with_session(Some(params), Some(session))
.await;
assert!(result.is_err());
}