golemcloud · mschuwalow · Apr 16, 2026 · Apr 16, 2026
diff --git a/integration-tests/tests/custom_api/agent_http_principal_rust.rs b/integration-tests/tests/custom_api/agent_http_principal_rust.rs
@@ -0,0 +1,210 @@
+// Copyright 2024-2026 Golem Cloud
+//
+// Licensed under the Golem Source License v1.1 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://license.golem.cloud/LICENSE
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use crate::custom_api::http_test_context::{HttpTestContext, make_test_context};
+use golem_common::base_model::agent::AgentTypeName;
+use golem_common::base_model::http_api_deployment::HttpApiDeploymentAgentOptions;
+use golem_common::model::http_api_deployment::{
+    HttpApiDeploymentAgentSecurity, TestSessionHeaderAgentSecurity,
+};
+use golem_test_framework::config::EnvBasedTestDependencies;
+use pretty_assertions::assert_eq;
+use serde_json::json;
+use test_r::test_dep;
+use test_r::{inherit_test_dep, test};
+
+inherit_test_dep!(EnvBasedTestDependencies);
+
+#[test_dep]
+async fn test_context(deps: &EnvBasedTestDependencies) -> HttpTestContext {
+    make_test_context(
+        deps,
+        vec![(
+            AgentTypeName("PrincipalAgent".to_string()),
+            HttpApiDeploymentAgentOptions {
+                security: Some(HttpApiDeploymentAgentSecurity::TestSessionHeader(
+                    TestSessionHeaderAgentSecurity {
+                        header_name: "x-golem-test-session".to_string(),
+                    },
+                )),
+            },
+        )],
+        "golem_it_agent_sdk_rust_release",
+        "golem-it:agent-sdk-rust",
+    )
+    .await
+    .unwrap()
+}
+
+#[test]
+#[tracing::instrument]
+async fn principal_auto_injection(agent: &HttpTestContext) -> anyhow::Result<()> {
+    let response = agent
+        .client
+        .get(
+            agent
+                .base_url
+                .join("/principal-agent/test-agent/echo-principal")?,
+        )
+        .send()
+        .await?;
+
+    assert_eq!(response.status(), reqwest::StatusCode::OK);
+
+    let body: serde_json::Value = response.json().await?;
+    assert_eq!(body, json!({ "value": {"anonymous": null} }));
+
+    Ok(())
+}
+
+#[test]
+#[tracing::instrument]
+async fn principal_auto_injection_middle_segment(agent: &HttpTestContext) -> anyhow::Result<()> {
+    let response = agent
+        .client
+        .get(
+            agent
+                .base_url
+                .join("/principal-agent/test-agent/echo-principal-mid/foo-value/1")?,
+        )
+        .send()
+        .await?;
+
+    let body: serde_json::Value = response.json().await?;
+
+    assert_eq!(
+        body,
+        json!({ "value": {"anonymous": null}, "foo": "foo-value", "bar": 1 })
+    );
+
+    Ok(())
+}
+
+#[test]
+#[tracing::instrument]
+async fn principal_auto_injection_last_segment(agent: &HttpTestContext) -> anyhow::Result<()> {
+    let response = agent
+        .client
+        .get(
+            agent
+                .base_url
+                .join("/principal-agent/test-agent/echo-principal-last/foo-value/2")?,
+        )
+        .send()
+        .await?;
+
+    let body: serde_json::Value = response.json().await?;
+
+    assert_eq!(
+        body,
+        json!({ "value": {"anonymous": null}, "foo": "foo-value", "bar": 2 })
+    );
+
+    Ok(())
+}
+
+#[test]
+#[tracing::instrument]
+async fn default_test_header_oidc_principal(agent: &HttpTestContext) -> anyhow::Result<()> {
+    let response = agent
+        .client
+        .get(
+            agent
+                .base_url
+                .join("/principal-agent/test-agent/authed-principal")?,
+        )
+        .header("x-golem-test-session", "{}")
+        .send()
+        .await?;
+
+    let mut body: serde_json::Value = response.json().await?;
+    // claims include exp, which is not deterministic in tests
+    if let Some(oidc) = body
+        .get_mut("value")
+        .and_then(|v| v.get_mut("oidc"))
+        .and_then(|v| v.as_object_mut())
+    {
+        oidc.remove("claims");
+    }
+
+    assert_eq!(
+        body,
+        json!({
+            "value": {
+                "oidc": {
+                    "email": null,
+                    "email_verified": null,
+                    "family_name": null,
+                    "given_name": null,
+                    "issuer": "http://test-idp.com",
+                    "name": null,
+                    "picture": null,
+                    "preferred_username": null,
+                    "sub": "test-user",
+                }
+            }
+        })
+    );
+
+    Ok(())
+}
+
+#[test]
+#[tracing::instrument]
+async fn test_header_oidc_principal_with_overrides(agent: &HttpTestContext) -> anyhow::Result<()> {
+    let response = agent
+        .client
+        .get(
+            agent
+                .base_url
+                .join("/principal-agent/test-agent/authed-principal")?,
+        )
+        .header(
+            "x-golem-test-session",
+            "{ \"subject\": \"bob\", \"email\": \"bob@golem.cloud\"}",
+        )
+        .send()
+        .await?;
+
+    let mut body: serde_json::Value = response.json().await?;
+    // claims include exp, which is not deterministic in tests
+    if let Some(oidc) = body
+        .get_mut("value")
+        .and_then(|v| v.get_mut("oidc"))
+        .and_then(|v| v.as_object_mut())
+    {
+        oidc.remove("claims");
+    }
+
+    assert_eq!(
+        body,
+        json!({
+            "value": {
+                "oidc": {
+                    "email": "bob@golem.cloud",
+                    "email_verified": null,
+                    "family_name": null,
+                    "given_name": null,
+                    "issuer": "http://test-idp.com",
+                    "name": null,
+                    "picture": null,
+                    "preferred_username": null,
+                    "sub": "bob",
+                }
+            }
+        })
+    );
+
+    Ok(())
+}
diff --git a/integration-tests/tests/custom_api/mod.rs b/integration-tests/tests/custom_api/mod.rs
@@ -12,6 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+mod agent_http_principal_rust;
 mod agent_http_principal_ts;
 mod agent_http_routes_rust;
 mod agent_http_routes_ts;

diff --git a/sdks/rust/Cargo.lock b/sdks/rust/Cargo.lock