Documentation
Overview
Package factory provides factory functions for creating vMCP authentication components.
Index
- func BuildAuthzConfig(authzCfg *config.AuthzConfig) (*authz.Config, error)
- func NewIncomingAuthMiddleware(ctx context.Context, cfg *config.IncomingAuthConfig, serverName string, ...) (authMw func(http.Handler) http.Handler, ...)
- func NewOutgoingAuthRegistry(_ context.Context, envReader env.Reader) (auth.OutgoingAuthRegistry, error)
Constants
This section is empty.
Variables
This section is empty.
Functions
func BuildAuthzConfig (added in v0.30.1)
func BuildAuthzConfig(authzCfg *config.AuthzConfig) (*authz.Config, error)
BuildAuthzConfig builds the authorizer-agnostic *authz.Config that the vMCP core admission seam (core.Config.Authz) consumes from the incoming-auth config, or (nil, nil) when no Cedar policies are configured.
It is the SAME config newCedarAuthzMiddleware builds the HTTP authz middleware from, surfaced so the composition root can feed it to core.New via server.Config.Authz once server.New routes through Serve. The nil return mirrors that middleware's nil result for the no-policies case, preserving allow-all parity (a nil core Authz is allow-all).
func NewIncomingAuthMiddleware
func NewIncomingAuthMiddleware(
	ctx context.Context,
	cfg *config.IncomingAuthConfig,
	serverName string,
	passThroughTools map[string]struct{},
	upstreamReader upstreamtoken.TokenReader,
	keyProvider keys.PublicKeyProvider,
) (
	authMw func(http.Handler) http.Handler,
	authzMw func(http.Handler) http.Handler,
	authInfoHandler http.Handler,
	err error,
)
NewIncomingAuthMiddleware creates HTTP middleware for incoming authentication and authorization based on the vMCP configuration.
This factory handles all incoming auth types:
- "oidc": OIDC token validation
- "local": Local OS user authentication
- "anonymous": Anonymous user (no authentication required)
Authentication and authorization are returned as separate middleware to allow the caller to insert discovery and annotation-enrichment middleware between them. This ensures the authz middleware can access tool annotations populated by the discovery pipeline.
All middleware types now directly create and inject Identity into the context, eliminating the need for a separate conversion layer.
The serverName parameter is the VirtualMCPServer name and is used as the Cedar resource entity name in authorization policy evaluation. It must match the resource name used when compiling Cedar policies for this server.
The passThroughTools parameter is optional (pass nil for none). Tool names in this set bypass the response filter's policy check in tools/list responses. This is used when the optimizer is enabled: its meta-tools (find_tool, call_tool) would otherwise be rejected by Cedar default-deny since no policy references them by name. Authorization for the underlying backend tools is enforced by the middleware's call_tool interception.
Returns:
- authMw: Composed auth + MCP parser middleware (auth runs first, then parser)
- authzMw: Authorization middleware (nil if authz is not configured)
- authInfoHandler: Handler for /.well-known/oauth-protected-resource endpoint (may be nil)
- err: Error if middleware creation fails
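The composition this doc describes, auth first, then a discovery/annotation step the caller inserts, then the separately returned authz middleware, as an added Go example that is not the toolhive factory's own code. Everything in it is a constructed stand-in: the Identity type and context keys, the "Bearer subject:<name>" token format, the tool catalogue, the default-deny policy, the read-only hint that enrichment publishes, and the find_tool pass-through entry. It also parses the JSON-RPC body itself, whereas the real authMw already bundles the MCP parser; the point it shows is why authz must run after enrichment (the read-only hint is what lets bob call read_file) and how a pass-through name survives the tools/list filter without any policy naming it.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Identity stands in for the identity authMw injects (assumed shape); Tool is one tools/list entry.
type Identity struct{ Subject string }
type Tool struct{ Name string `json:"name"` }
type ctxKey string
const identityKey, annotationsKey ctxKey = "identity", "annotations"

// Constructed sample data: backend catalogue, default-deny policy (subject -> allowed tools),
// and the optimizer meta-tool that no policy names but must survive the tools/list filter.
var (
	catalog     = []Tool{{Name: "read_file"}, {Name: "delete_file"}, {Name: "find_tool"}}
	allowed     = map[string]map[string]bool{"alice": {"delete_file": true}}
	passThrough = map[string]struct{}{"find_tool": {}}
)

// authMiddleware accepts constructed "Bearer subject:<name>" tokens and injects Identity into the context.
func authMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer subject:") {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		id := Identity{Subject: strings.TrimPrefix(auth, "Bearer subject:")}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), identityKey, id)))
	})
}

// annotationMiddleware stands in for the discovery/enrichment step between authMw and authzMw.
func annotationMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		hints := map[string]bool{"read_file": true} // constructed read-only annotation
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), annotationsKey, hints)))
	})
}

// permits is the policy check: deny unless the tool is listed for the subject or annotated
// read-only. The hint exists only if enrichment already ran, hence authz is a separate, later middleware.
func permits(ctx context.Context, tool string) bool {
	id, _ := ctx.Value(identityKey).(Identity)
	hints, _ := ctx.Value(annotationsKey).(map[string]bool)
	return hints[tool] || allowed[id.Subject][tool]
}

// authzMiddleware enforces permits on tools/call and filters tools/list responses,
// keeping pass-through names even though no policy matches them.
func authzMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var req struct {
			Method string                             `json:"method"`
			Params struct{ Name string `json:"name"` } `json:"params"`
		}
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest) // never fail open on a malformed body
			return
		}
		if req.Method == "tools/call" && !permits(r.Context(), req.Params.Name) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		if req.Method == "tools/list" {
			rec := httptest.NewRecorder() // capture the backend's list, then filter it
			next.ServeHTTP(rec, r)
			tools, kept := []Tool{}, []Tool{}
			_ = json.Unmarshal(rec.Body.Bytes(), &tools)
			for _, t := range tools {
				if _, pass := passThrough[t.Name]; pass || permits(r.Context(), t.Name) {
					kept = append(kept, t)
				}
			}
			_ = json.NewEncoder(w).Encode(kept)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// call composes the chain in the documented order (auth, enrichment, authz) and drives one request.
func call(authorization, body string) (int, string) {
	backend := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { _ = json.NewEncoder(w).Encode(catalog) })
	chain := authMiddleware(annotationMiddleware(authzMiddleware(backend)))
	req := httptest.NewRequest(http.MethodPost, "/mcp", strings.NewReader(body))
	req.Header.Set("Authorization", authorization)
	rec := httptest.NewRecorder()
	chain.ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() { fmt.Println(call("Bearer subject:bob", `{"method":"tools/list"}`)) }
```

Swapping annotationMiddleware and authzMiddleware in the chain makes bob's read_file call fail, which is the ordering constraint the two separate return values exist to let the caller satisfy.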
func NewOutgoingAuthRegistry
func NewOutgoingAuthRegistry(
	_ context.Context,
	envReader env.Reader,
) (auth.OutgoingAuthRegistry, error)
NewOutgoingAuthRegistry creates an OutgoingAuthRegistry with all available strategies.
All strategies are registered upfront. Most are stateless; token_exchange and aws_sts maintain an internal per-config cache initialized on first use. This simplifies the factory and eliminates on-demand strategy registration.
Registered Strategies:
- "unauthenticated": Default fallback for backends without auth
- "header_injection": Custom HTTP header injection
- "token_exchange": RFC 8693 OAuth 2.0 token exchange
- "upstream_inject": Per-upstream token injection from stored credentials
- "aws_sts": AWS STS AssumeRoleWithWebIdentity + SigV4 request signing
Parameters:
- ctx: Context for any initialization that requires it
- envReader: Environment variable reader for dependency injection
Returns:
- auth.OutgoingAuthRegistry: Registry with all strategies registered
- error: Any error during strategy initialization or registration
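The upfront-registration design this doc describes, with stateless strategies beside one that keeps a per-config cache filled on first use, as an added Go example that is not the toolhive registry's own code. The Strategy interface, the string-map config, the three strategy names it registers and the injected exchange function (standing in for the RFC 8693 round trip, injected the way envReader is) are all assumptions; the point it shows is that the token_exchange cache is keyed per config (here by audience), so a token obtained for one backend is never reused for another, while a second request for the same backend does not trigger another exchange.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"sync"
)

// Strategy is an assumed minimal shape of an outgoing auth strategy: it decorates
// an outgoing request to a backend using that backend's auth config.
type Strategy interface {
	Apply(req *http.Request, cfg map[string]string) error
}

// Registry holds every strategy, registered upfront at construction time.
type Registry struct{ strategies map[string]Strategy }

// NewRegistry mirrors the factory idea: every strategy exists from the start. The
// exchange round trip is injected (like envReader) so nothing here does hidden I/O.
func NewRegistry(exchange func(audience string) (string, error)) *Registry {
	return &Registry{strategies: map[string]Strategy{
		"unauthenticated":  noAuth{},
		"header_injection": headerInjection{},
		"token_exchange":   &tokenExchange{cache: map[string]string{}, exchange: exchange},
	}}
}

// Get resolves a strategy by the name used in backend config; unknown names are an error.
func (r *Registry) Get(name string) (Strategy, error) {
	if s, ok := r.strategies[name]; ok {
		return s, nil
	}
	return nil, errors.New("unknown outgoing auth strategy: " + name)
}

// noAuth and headerInjection are stateless: nothing is kept between calls.
type noAuth struct{}

func (noAuth) Apply(*http.Request, map[string]string) error { return nil }

type headerInjection struct{}

func (headerInjection) Apply(req *http.Request, cfg map[string]string) error {
	if cfg["header"] == "" || cfg["value"] == "" {
		return errors.New("header_injection: header and value are required")
	}
	req.Header.Set(cfg["header"], cfg["value"])
	return nil
}

// tokenExchange keeps a per-config cache filled on first use. Keying by audience keeps
// a token exchanged for one backend from ever being sent to another. (A production
// cache would also track token expiry; that is left out here.)
type tokenExchange struct {
	mu       sync.Mutex
	cache    map[string]string
	exchange func(audience string) (string, error) // stands in for the RFC 8693 round trip
}

func (t *tokenExchange) Apply(req *http.Request, cfg map[string]string) error {
	aud := cfg["audience"]
	if aud == "" {
		return errors.New("token_exchange: audience is required")
	}
	t.mu.Lock()
	defer t.mu.Unlock()
	tok, ok := t.cache[aud]
	if !ok {
		var err error
		if tok, err = t.exchange(aud); err != nil {
			return err
		}
		t.cache[aud] = tok
	}
	req.Header.Set("Authorization", "Bearer "+tok)
	return nil
}

// applyTo resolves a strategy, applies it to a fresh request and returns the
// resulting headers, so the effect of each strategy can be inspected.
func applyTo(r *Registry, name string, cfg map[string]string) (http.Header, error) {
	s, err := r.Get(name)
	if err != nil {
		return nil, err
	}
	req, _ := http.NewRequest(http.MethodGet, "http://backend.invalid/", nil)
	if err := s.Apply(req, cfg); err != nil {
		return nil, err
	}
	return req.Header, nil
}

func main() {
	calls := 0 // constructed exchange stub that counts real round trips
	reg := NewRegistry(func(aud string) (string, error) { calls++; return "tok-" + aud, nil })
	for i := 0; i < 2; i++ {
		h, _ := applyTo(reg, "token_exchange", map[string]string{"audience": "backend-a"})
		fmt.Println(h.Get("Authorization"), "exchanges:", calls)
	}
}
```

Because the cache lives inside the strategy value that the registry creates once, registering every strategy upfront costs nothing until a backend with that auth type actually sends a request.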
Types
This section is empty.