Documentation
Overview
Package auth provides authentication for Virtual MCP Server.
This package defines:
- OutgoingAuthRegistry: Registry for managing backend authentication strategies
- Strategy: Pluggable authentication strategies for backends
Incoming authentication is handled by the pkg/auth middleware (OIDC, local, anonymous), which places a pkg/auth.Identity directly in the request context.
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Authorizer
type Authorizer interface {
// Authorize checks if an identity is authorized to perform an action on a resource.
Authorize(ctx context.Context, identity *auth.Identity, action string, resource string) error
// AuthorizeToolCall checks if an identity can call a specific tool.
AuthorizeToolCall(ctx context.Context, identity *auth.Identity, toolName string) error
// AuthorizeResourceAccess checks if an identity can access a specific resource.
AuthorizeResourceAccess(ctx context.Context, identity *auth.Identity, resourceURI string) error
}
Authorizer handles authorization decisions. This integrates with ToolHive's existing Cedar-based authorization.
type DefaultOutgoingAuthRegistry added in v0.6.0
type DefaultOutgoingAuthRegistry struct {
// contains filtered or unexported fields
}
DefaultOutgoingAuthRegistry is a thread-safe implementation of OutgoingAuthRegistry that maintains a registry of authentication strategies.
Thread-safety: RegisterStrategy and GetStrategy are safe to call concurrently; the registry is guarded by a sync.RWMutex because HTTP servers are inherently concurrent. Strategy implementations must themselves be thread-safe, since one registered Strategy is invoked concurrently from many requests.
This registry supports dynamic registration of strategies and retrieval by name. It does not perform authentication itself; that is done by the Strategy implementations.
Example usage:
registry := NewDefaultOutgoingAuthRegistry()
if err := registry.RegisterStrategy("header_injection", NewHeaderInjectionStrategy()); err != nil {
	return err // empty name, nil strategy, name mismatch, or duplicate registration
}
strategy, err := registry.GetStrategy("header_injection")
if err != nil {
	return err // no strategy registered under that name
}
err = strategy.Authenticate(ctx, req, metadata) // mutates req, e.g. adds credentials as headers
func NewDefaultOutgoingAuthRegistry added in v0.6.0
func NewDefaultOutgoingAuthRegistry() *DefaultOutgoingAuthRegistry
NewDefaultOutgoingAuthRegistry creates a new DefaultOutgoingAuthRegistry with an empty strategy registry.
Strategies must be registered using RegisterStrategy before they can be used for authentication.
func (*DefaultOutgoingAuthRegistry) GetStrategy added in v0.6.0
func (r *DefaultOutgoingAuthRegistry) GetStrategy(name string) (Strategy, error)
GetStrategy retrieves an authentication strategy by name.
This method is thread-safe for concurrent reads. It returns the strategy if found, or an error if no strategy is registered with the given name.
Parameters:
- name: The identifier of the strategy to retrieve
Returns:
- Strategy: The registered strategy
- error: An error if the strategy is not found
func (*DefaultOutgoingAuthRegistry) RegisterStrategy added in v0.6.0
func (r *DefaultOutgoingAuthRegistry) RegisterStrategy(name string, strategy Strategy) error
RegisterStrategy registers a new authentication strategy.
This method is thread-safe and validates that:
- name is not empty
- strategy is not nil
- strategy.Name() matches the registration name
- no strategy is already registered with the same name
Parameters:
- name: The unique identifier for this strategy
- strategy: The Strategy implementation to register
Returns an error if validation fails or a strategy with the same name already exists.
type OutgoingAuthRegistry added in v0.6.0
type OutgoingAuthRegistry interface {
// GetStrategy retrieves an authentication strategy by name.
// Returns an error if the strategy is not found.
GetStrategy(name string) (Strategy, error)
// RegisterStrategy registers a new authentication strategy.
// The strategy name must match the name returned by strategy.Name().
// Returns an error if:
// - name is empty
// - strategy is nil
// - a strategy with the same name is already registered
// - strategy.Name() does not match the registration name
RegisterStrategy(name string, strategy Strategy) error
}
OutgoingAuthRegistry manages authentication strategies for outgoing requests to backend MCP servers. This is a registry that stores and retrieves Strategy implementations.
The registry supports dynamic strategy registration, allowing custom authentication strategies to be added at runtime. Once registered, strategies can be retrieved by name and used to authenticate requests to backends.
Responsibilities:
- Maintain registry of available strategies
- Retrieve strategies by name
- Register new strategies dynamically
This registry does NOT perform authentication itself. Authentication is performed by Strategy implementations retrieved from this registry.
Usage Pattern:
- Register strategies during application initialization
- Resolve strategy once at client creation time (cold path)
- Call strategy.Authenticate() directly per-request (hot path)
Thread-safety: Implementations must be safe for concurrent access.
type Strategy
type Strategy interface {
// Name returns the strategy identifier.
Name() string
// Authenticate performs authentication and modifies the request.
// The metadata contains strategy-specific configuration.
Authenticate(ctx context.Context, req *http.Request, metadata map[string]any) error
// Validate checks if the strategy configuration is valid.
Validate(metadata map[string]any) error
}
Strategy defines how to authenticate to a backend. This interface enables pluggable authentication strategies.
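The registration rules of RegisterStrategy, the cold-path/hot-path usage pattern of OutgoingAuthRegistry and the Strategy interface above, worked through as an added example. This is not code from the toolhive project: the Strategy interface is copied locally so the file builds offline, the registry type is a stand-in that enforces the four documented rules, and the header-injection strategy, its "headers" metadata key, and demo are assumptions made for this example. The real package's strategies subpackage is not used.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"sync"
)

// Strategy is a local copy of the interface documented above so this file
// builds offline; it is not an import of the real vmcp auth package.
type Strategy interface {
	Name() string
	Authenticate(ctx context.Context, req *http.Request, metadata map[string]any) error
	Validate(metadata map[string]any) error
}

// headerInjectionStrategy is hypothetical: it copies the headers stored
// under the assumed metadata key "headers" onto each outgoing request.
type headerInjectionStrategy struct{}

func (headerInjectionStrategy) Name() string { return "header_injection" }

func (headerInjectionStrategy) Validate(metadata map[string]any) error {
	if hdrs, ok := metadata["headers"].(map[string]string); !ok || len(hdrs) == 0 {
		return errors.New(`header_injection: metadata["headers"] must be a non-empty map[string]string`)
	}
	return nil
}

func (s headerInjectionStrategy) Authenticate(_ context.Context, req *http.Request, metadata map[string]any) error {
	if err := s.Validate(metadata); err != nil {
		return err // fail closed: never let the request leave unauthenticated
	}
	for name, value := range metadata["headers"].(map[string]string) {
		req.Header.Set(name, value)
	}
	return nil
}

// registry stands in for DefaultOutgoingAuthRegistry: a sync.RWMutex-guarded
// map that enforces the four RegisterStrategy rules listed above.
type registry struct {
	mu         sync.RWMutex
	strategies map[string]Strategy
}

func newRegistry() *registry { return &registry{strategies: map[string]Strategy{}} }

func (r *registry) RegisterStrategy(name string, s Strategy) error {
	if name == "" || s == nil {
		return errors.New("registration name and strategy must both be set")
	}
	if s.Name() != name {
		return fmt.Errorf("strategy reports name %q but was registered as %q", s.Name(), name)
	}
	r.mu.Lock()
	defer r.mu.Unlock()
	if _, dup := r.strategies[name]; dup {
		return fmt.Errorf("strategy %q already registered", name)
	}
	r.strategies[name] = s
	return nil
}

func (r *registry) GetStrategy(name string) (Strategy, error) {
	r.mu.RLock()
	defer r.mu.RUnlock()
	if s, ok := r.strategies[name]; ok {
		return s, nil
	}
	return nil, fmt.Errorf("strategy %q not found", name)
}

// demo registers the strategy, resolves it once for a backend (cold path)
// and authenticates a constructed request with it (hot path), returning the
// header that was injected.
func demo() (string, error) {
	reg := newRegistry()
	if err := reg.RegisterStrategy("header_injection", headerInjectionStrategy{}); err != nil {
		return "", err
	}
	meta := map[string]any{"headers": map[string]string{"Authorization": "Bearer example-token"}} // constructed sample
	s, err := reg.GetStrategy("header_injection") // cold path: one lookup per backend client
	if err != nil {
		return "", err
	}
	if err := s.Validate(meta); err != nil { // cold path: reject bad config before any request
		return "", err
	}
	req, _ := http.NewRequest(http.MethodPost, "http://backend.example/mcp", nil) // constructed request
	if err := s.Authenticate(req.Context(), req, meta); err != nil { // hot path: per request
		return "", err
	}
	return req.Header.Get("Authorization"), nil
}

func main() { fmt.Println(demo()) }
```

Validate runs once when the backend client is built so misconfiguration surfaces at startup rather than on the first request; Authenticate re-checks the metadata cheaply and returns an error instead of silently sending an unauthenticated request, which is the failure mode to avoid when credentials are injected at the proxy rather than held by the caller.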
Directories
| Path | Synopsis |
|---|---|
| converters | Package converters provides functions to convert external authentication configurations to vMCP auth strategy metadata. |
| factory | Package factory provides factory functions for creating vMCP authentication components. |
| mocks | Package mocks is a generated GoMock package. |
| strategies | Package strategies provides authentication strategy implementations for Virtual MCP Server. |