test(core): add denied resources tests for resources_scale tool

pkg/mcp/resources_test.go

@@ -723,6 +723,74 @@ func (s *ResourcesSuite) TestResourcesScale() {
 	})
 }
 
+func (s *ResourcesSuite) TestResourcesScaleDenied() {
+	s.Require().NoError(toml.Unmarshal([]byte(`
+		denied_resources = [
+			{ group = "apps", version = "v1", kind = "Deployment" },
+			{ group = "apps", version = "v1", kind = "StatefulSet" }
+		]
+	`), s.Cfg), "Expected to parse denied resources config")
+	s.InitMcpClient()
+	s.Run("resources_scale get (denied by kind)", func() {
+		deniedByKind, err := s.CallTool("resources_scale", map[string]interface{}{
+			"apiVersion": "apps/v1",
+			"kind":       "Deployment",
+			"namespace":  "default",
+			"name":       "deployment",
+		})
+		s.Run("has error", func() {
+			s.Truef(deniedByKind.IsError, "call tool should fail")
+			s.Nilf(err, "call tool should not return error object")
+		})
+		s.Run("describes denial", func() {
+			msg := deniedByKind.Content[0].(mcp.TextContent).Text
+			s.Contains(msg, "resource not allowed:")
+			expectedMessage := "failed to get/update resource scale:(.+:)? resource not allowed: apps/v1, Kind=Deployment"
+			s.Regexpf(expectedMessage, msg,
+				"expected descriptive error '%s', got %v", expectedMessage, deniedByKind.Content[0].(mcp.TextContent).Text)
+		})
+	})
+	s.Run("resources_scale update (denied by kind)", func() {
+		deniedByKind, err := s.CallTool("resources_scale", map[string]interface{}{
+			"apiVersion": "apps/v1",
+			"kind":       "Deployment",
+			"namespace":  "default",
+			"name":       "deployment",
+			"scale":      5,
+		})
+		s.Run("has error", func() {
+			s.Truef(deniedByKind.IsError, "call tool should fail")
+			s.Nilf(err, "call tool should not return error object")
+		})
+		s.Run("describes denial", func() {
+			msg := deniedByKind.Content[0].(mcp.TextContent).Text
+			s.Contains(msg, "resource not allowed:")
+			expectedMessage := "failed to get/update resource scale:(.+:)? resource not allowed: apps/v1, Kind=Deployment"
+			s.Regexpf(expectedMessage, msg,
+				"expected descriptive error '%s', got %v", expectedMessage, deniedByKind.Content[0].(mcp.TextContent).Text)
+		})
+	})
+	s.Run("resources_scale (denied by group)", func() {
+		deniedByGroup, err := s.CallTool("resources_scale", map[string]interface{}{
+			"apiVersion": "apps/v1",
+			"kind":       "StatefulSet",
+			"namespace":  "default",
+			"name":       "nonexistent-statefulset",
+		})
+		s.Run("has error", func() {
+			s.Truef(deniedByGroup.IsError, "call tool should fail")
+			s.Nilf(err, "call tool should not return error object")
+		})
+		s.Run("describes denial", func() {
+			msg := deniedByGroup.Content[0].(mcp.TextContent).Text
+			s.Contains(msg, "resource not allowed:")
+			expectedMessage := "failed to get/update resource scale:(.+:)? resource not allowed: apps/v1, Kind=StatefulSet"
+			s.Regexpf(expectedMessage, msg,
+				"expected descriptive error '%s', got %v", expectedMessage, deniedByGroup.Content[0].(mcp.TextContent).Text)
+		})
+	})
+}
+
 func TestResources(t *testing.T) {
 	suite.Run(t, new(ResourcesSuite))
 }