AttestoMCP.Test.Factory (AttestoMCP v0.5.0)


Test fixtures for exercising a host MCP server's Attesto pipeline.

This factory mints access tokens and DPoP proofs for host application test suites, including the shipped AttestoMCP.Test.DPoPAssertions helpers. It is built entirely on Attesto's published API (Attesto.Token.mint/3, Attesto.DPoP.compute_ath/1, Attesto.PrincipalKind.new/3, Attesto.Config.new/1, Attesto.Keystore.Static) plus JOSE, so it has no dependency on any Attesto-internal test scaffolding.

The module compiles only when ExUnit is loaded (it registers an ExUnit.Callbacks.on_exit/1 cleanup in config/0), so it adds nothing to a host's production build.

defmodule MyApp.MCPAuthTest do
  use ExUnit.Case
  import AttestoMCP.Test.DPoPAssertions

  setup do
    %{config: AttestoMCP.Test.Factory.config()}
  end
end

Summary

Functions

  • access_token(config, opts \\ []) - Mint a signed access token for config.
  • config() - Build an Attesto.Config backed by an in-memory Attesto.Keystore.Static.
  • dpop_jwk() - Generate a fresh P-256 JWK for use as a DPoP proof key.
  • dpop_proof(access_token, opts \\ []) - Build a DPoP proof JWT bound to access_token and return {proof, jkt}.
  • htu() - The audience the factory mints tokens for, usable as the request htu.
  • self_signed_cert_der() - Build a self-signed certificate (DER) for exercising mTLS sender constraints.

Functions

access_token(config, opts \\ [])

@spec access_token(
  Attesto.Config.t(),
  keyword()
) :: String.t()

Mint a signed access token for config.

Options:

  • :scopes - scopes granted to the token (default [AttestoMCP.Scopes.tools_call()]).
  • :dpop_jkt - JWK thumbprint to bind the token to (RFC 9449 cnf.jkt).
  • :mtls_cert_thumbprint - certificate thumbprint to bind the token to (RFC 8705).

config()

@spec config() :: Attesto.Config.t()

Build an Attesto.Config backed by an in-memory Attesto.Keystore.Static.

The signing key is registered into the :attesto application environment and removed again via ExUnit.Callbacks.on_exit/1, so each test gets an isolated keystore.

dpop_jwk()

@spec dpop_jwk() :: JOSE.JWK.t()

Generate a fresh P-256 JWK for use as a DPoP proof key.

dpop_proof(access_token, opts \\ [])

@spec dpop_proof(
  String.t(),
  keyword()
) :: {String.t(), String.t()}

Build a DPoP proof JWT bound to access_token and return {proof, jkt}.

jkt is the RFC 7638 thumbprint of the proof key, suitable for passing as :dpop_jkt to access_token/2. Options:

  • :jwk - reuse a specific key (default a fresh P-256 key).
  • :htm - the proof htm claim (default "POST").
  • :htu - the proof htu claim (default the factory audience).
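
Because access_token/2 needs the thumbprint and dpop_proof/2 needs the token, a bound pair has to start from the key. The test below is an added example, not part of the AttestoMCP documentation: the module name MyApp.DPoPBindingTest is hypothetical, and it assumes the access token is a compact JWS carrying cnf.jkt and that the proof carries the RFC 9449 ath claim.

```elixir
defmodule MyApp.DPoPBindingTest do
  use ExUnit.Case
  alias AttestoMCP.Test.Factory

  # Read a compact JWS payload without verifying the signature
  # (acceptable for inspecting fixtures this test minted itself).
  defp claims(jwt), do: jwt |> JOSE.JWS.peek_payload() |> JOSE.decode()

  setup do
    %{config: Factory.config()}
  end

  test "token and proof are bound to the same key", %{config: config} do
    jwk = Factory.dpop_jwk()
    # Derive the thumbprint from the key first; JOSE.JWK.thumbprint/1
    # is the RFC 7638 SHA-256 thumbprint, base64url encoded.
    jkt = JOSE.JWK.thumbprint(jwk)

    token = Factory.access_token(config, dpop_jkt: jkt)

    {proof, proof_jkt} =
      Factory.dpop_proof(token, jwk: jwk, htm: "POST", htu: Factory.htu())

    # The proof key and the token binding must name the same key.
    assert proof_jkt == jkt
    # Assumption: the token is a JWT whose payload can be read directly.
    assert get_in(claims(token), ["cnf", "jkt"]) == jkt

    proof_claims = claims(proof)
    assert proof_claims["htm"] == "POST"
    assert proof_claims["htu"] == Factory.htu()
    # RFC 9449: ath is the base64url SHA-256 hash of the access token.
    expected_ath = Base.url_encode64(:crypto.hash(:sha256, token), padding: false)
    assert proof_claims["ath"] == expected_ath
  end

  test "a proof from a different key does not match the binding", %{config: config} do
    bound_jkt = JOSE.JWK.thumbprint(Factory.dpop_jwk())
    token = Factory.access_token(config, dpop_jkt: bound_jkt)

    # No :jwk option, so the factory signs with a fresh, unrelated key.
    {_proof, other_jkt} = Factory.dpop_proof(token)
    refute other_jkt == bound_jkt
  end
end
```

The mismatched pair from the second test is the fixture to send through the host's pipeline when checking that a token presented with the wrong proof key is rejected.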

htu()

@spec htu() :: String.t()

The audience the factory mints tokens for, usable as the request htu.

self_signed_cert_der()

@spec self_signed_cert_der() :: binary()

Build a self-signed certificate (DER) for exercising mTLS sender constraints.