From b86d526b81befad0c9ed8b73ce02494d0396c89c Mon Sep 17 00:00:00 2001
From: Marc Nuri <marc@marcnuri.com>
Date: Thu, 4 Dec 2025 17:13:07 +0100
Subject: [PATCH] test(core): add denied resources tests for resources_scale
 tool

Signed-off-by: Marc Nuri <marc@marcnuri.com>
---
 pkg/mcp/resources_test.go | 88 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)

diff --git a/pkg/mcp/resources_test.go b/pkg/mcp/resources_test.go
index 27846574..86908da8 100644
--- a/pkg/mcp/resources_test.go
+++ b/pkg/mcp/resources_test.go
@@ -723,6 +723,94 @@ func (s *ResourcesSuite) TestResourcesScale() {
 	})
 }
 
+func (s *ResourcesSuite) TestResourcesScaleDenied() {
+	s.Require().NoError(toml.Unmarshal([]byte(`
+		denied_resources = [
+			{ group = "apps", version = "v1" },
+			{ group = "", version = "v1", kind = "ReplicationController" }
+		]
+	`), s.Cfg), "Expected to parse denied resources config")
+	s.InitMcpClient()
+	s.Run("resources_scale get (denied by kind)", func() {
+		deniedByKind, err := s.CallTool("resources_scale", map[string]interface{}{
+			"apiVersion": "v1",
+			"kind":       "ReplicationController",
+			"namespace":  "default",
+			"name":       "nonexistent-rc",
+		})
+		s.Run("has error", func() {
+			s.Truef(deniedByKind.IsError, "call tool should fail")
+			s.Nilf(err, "call tool should not return error object")
+		})
+		s.Run("describes denial", func() {
+			msg := deniedByKind.Content[0].(mcp.TextContent).Text
+			s.Contains(msg, "resource not allowed:")
+			expectedMessage := "failed to get/update resource scale:(.+:)? resource not allowed: /v1, Kind=ReplicationController"
+			s.Regexpf(expectedMessage, msg,
+				"expected descriptive error '%s', got %v", expectedMessage, deniedByKind.Content[0].(mcp.TextContent).Text)
+		})
+	})
+	s.Run("resources_scale update (denied by kind)", func() {
+		deniedByKind, err := s.CallTool("resources_scale", map[string]interface{}{
+			"apiVersion": "v1",
+			"kind":       "ReplicationController",
+			"namespace":  "default",
+			"name":       "nonexistent-rc",
+			"scale":      1337,
+		})
+		s.Run("has error", func() {
+			s.Truef(deniedByKind.IsError, "call tool should fail")
+			s.Nilf(err, "call tool should not return error object")
+		})
+		s.Run("describes denial", func() {
+			msg := deniedByKind.Content[0].(mcp.TextContent).Text
+			s.Contains(msg, "resource not allowed:")
+			expectedMessage := "failed to get/update resource scale:(.+:)? resource not allowed: /v1, Kind=ReplicationController"
+			s.Regexpf(expectedMessage, msg,
+				"expected descriptive error '%s', got %v", expectedMessage, deniedByKind.Content[0].(mcp.TextContent).Text)
+		})
+	})
+	s.Run("resources_scale get (denied by group)", func() {
+		deniedByGroup, err := s.CallTool("resources_scale", map[string]interface{}{
+			"apiVersion": "apps/v1",
+			"kind":       "StatefulSet",
+			"namespace":  "default",
+			"name":       "nonexistent-statefulset",
+		})
+		s.Run("has error", func() {
+			s.Truef(deniedByGroup.IsError, "call tool should fail")
+			s.Nilf(err, "call tool should not return error object")
+		})
+		s.Run("describes denial", func() {
+			msg := deniedByGroup.Content[0].(mcp.TextContent).Text
+			s.Contains(msg, "resource not allowed:")
+			expectedMessage := "failed to get/update resource scale:(.+:)? resource not allowed: apps/v1, Kind=StatefulSet"
+			s.Regexpf(expectedMessage, msg,
+				"expected descriptive error '%s', got %v", expectedMessage, deniedByGroup.Content[0].(mcp.TextContent).Text)
+		})
+	})
+	s.Run("resources_scale update (denied by group)", func() {
+		deniedByGroup, err := s.CallTool("resources_scale", map[string]interface{}{
+			"apiVersion": "apps/v1",
+			"kind":       "StatefulSet",
+			"namespace":  "default",
+			"name":       "nonexistent-statefulset",
+			"scale":      1337,
+		})
+		s.Run("has error", func() {
+			s.Truef(deniedByGroup.IsError, "call tool should fail")
+			s.Nilf(err, "call tool should not return error object")
+		})
+		s.Run("describes denial", func() {
+			msg := deniedByGroup.Content[0].(mcp.TextContent).Text
+			s.Contains(msg, "resource not allowed:")
+			expectedMessage := "failed to get/update resource scale:(.+:)? resource not allowed: apps/v1, Kind=StatefulSet"
+			s.Regexpf(expectedMessage, msg,
+				"expected descriptive error '%s', got %v", expectedMessage, deniedByGroup.Content[0].(mcp.TextContent).Text)
+		})
+	})
+}
+
 func TestResources(t *testing.T) {
 	suite.Run(t, new(ResourcesSuite))
 }