authz

package
v0.7.0 Latest
Warning

This package is not in the latest version of its module.

Published: Jan 15, 2026 License: Apache-2.0 Imports: 14 Imported by: 0

Documentation

Overview

Package authz provides authorization utilities for MCP servers. It supports a pluggable authorizer architecture where different authorization backends (e.g., Cedar, OPA) can be registered and used based on configuration.

Constants

const (
	MiddlewareType = "authorization"
)

MiddlewareType is the factory middleware type constant.

Variables

LoadConfig is an alias for authorizers.LoadConfig for backward compatibility.

var MCPMethodToFeatureOperation = map[string]struct {
	Feature   authorizers.MCPFeature
	Operation authorizers.MCPOperation
}{
	"tools/call":      {Feature: authorizers.MCPFeatureTool, Operation: authorizers.MCPOperationCall},
	"tools/list":      {Feature: authorizers.MCPFeatureTool, Operation: authorizers.MCPOperationList},
	"prompts/get":     {Feature: authorizers.MCPFeaturePrompt, Operation: authorizers.MCPOperationGet},
	"prompts/list":    {Feature: authorizers.MCPFeaturePrompt, Operation: authorizers.MCPOperationList},
	"resources/read":  {Feature: authorizers.MCPFeatureResource, Operation: authorizers.MCPOperationRead},
	"resources/list":  {Feature: authorizers.MCPFeatureResource, Operation: authorizers.MCPOperationList},
	"features/list":   {Feature: "", Operation: authorizers.MCPOperationList},
	"ping":            {Feature: "", Operation: ""},
	"progress/update": {Feature: "", Operation: ""},
	"initialize":      {Feature: "", Operation: ""},
}

MCPMethodToFeatureOperation maps MCP method names to feature and operation pairs.

NewConfig is an alias for authorizers.NewConfig for backward compatibility.

Functions

func CreateMiddleware added in v0.2.8

func CreateMiddleware(config *types.MiddlewareConfig, runner types.MiddlewareRunner) error

CreateMiddleware is the factory function for the authorization middleware.

func CreateMiddlewareFromConfig added in v0.7.0

func CreateMiddlewareFromConfig(c *Config, serverName string) (types.MiddlewareFunction, error)

CreateMiddlewareFromConfig creates an HTTP middleware from the configuration.

func GetMiddlewareFromFile

func GetMiddlewareFromFile(serverName, path string) (func(http.Handler) http.Handler, error)

GetMiddlewareFromFile loads the authorization configuration from a file and creates an HTTP middleware.

func Middleware added in v0.7.0

func Middleware(a authorizers.Authorizer, next http.Handler) http.Handler

Middleware creates an HTTP middleware that authorizes MCP requests. This middleware extracts the MCP message from the request, determines the feature, operation, and resource ID, and authorizes the request using the configured authorizer.

For list operations (tools/list, prompts/list, resources/list), the middleware allows the request to proceed but intercepts the response to filter out items that the user is not authorized to access based on the corresponding call/get/read policies.

The authorizer parameter should implement the authorizers.Authorizer interface, which can be created using authz.CreateMiddlewareFromConfig() or directly from an authorizer package (e.g., cedar.NewCedarAuthorizer()).
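The list-filtering rule described above, as an added sketch that is not ToolHive's own code: each item in a list response is kept only if the matching call/get/read check allows it. The `Authorizer` func type, the `itemPolicy` table and its feature/operation labels are hypothetical stand-ins; the `tools`/`prompts`/`resources` result keys and the `name`/`uri` fields are the ones MCP list results use.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Authorizer is a hypothetical stand-in, not the authorizers.Authorizer interface.
type Authorizer func(feature, operation, resourceID string) bool

// itemPolicy: the per-item check each list method is filtered by (local labels).
var itemPolicy = map[string]struct{ Feature, Operation, Key, IDField string }{
	"tools/list":     {"tool", "call", "tools", "name"},
	"prompts/list":   {"prompt", "get", "prompts", "name"},
	"resources/list": {"resource", "read", "resources", "uri"},
}

// FilterListResponse drops list items the caller may not call/get/read; fails closed.
func FilterListResponse(method string, body []byte, authz Authorizer) ([]byte, error) {
	p, isList := itemPolicy[method]
	var resp, result map[string]json.RawMessage
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, fmt.Errorf("decode response: %w", err)
	}
	if _, hasResult := resp["result"]; !isList || !hasResult {
		return body, nil // non-list method or JSON-RPC error: no items to filter
	}
	var items []map[string]any
	if err := json.Unmarshal(resp["result"], &result); err != nil {
		return nil, fmt.Errorf("decode result: %w", err)
	}
	if err := json.Unmarshal(result[p.Key], &items); err != nil {
		return nil, fmt.Errorf("decode %s: %w", p.Key, err)
	}
	kept := []map[string]any{} // non-nil, so "nothing allowed" encodes as []
	for _, item := range items {
		if id, _ := item[p.IDField].(string); id != "" && authz(p.Feature, p.Operation, id) {
			kept = append(kept, item)
		}
	}
	result[p.Key], _ = json.Marshal(kept)
	resp["result"], _ = json.Marshal(result)
	return json.Marshal(resp)
}

func main() {
	// Constructed tools/list response; the policy permits calling "weather" only.
	body := []byte(`{"jsonrpc":"2.0","id":1,"result":{"tools":[{"name":"weather"},{"name":"delete_all"}]}}`)
	allow := func(f, op, id string) bool { return f == "tool" && op == "call" && id == "weather" }
	out, err := FilterListResponse("tools/list", body, allow)
	fmt.Println(string(out), err)
}
```

A result that lacks the expected list key produces an error instead of passing the unfiltered body through, so a shape the filter does not understand never reaches the client as-is.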

Types

type Config

type Config = authorizers.Config

Config is an alias for authorizers.Config for backward compatibility.

type ConfigType

type ConfigType = authorizers.ConfigType

ConfigType is an alias for authorizers.ConfigType for backward compatibility.

type FactoryMiddleware added in v0.2.8

type FactoryMiddleware struct {
	// contains filtered or unexported fields
}

FactoryMiddleware wraps the authorization middleware functionality for the factory pattern.

func (*FactoryMiddleware) Close added in v0.2.8

func (*FactoryMiddleware) Close() error

Close cleans up any resources used by the middleware.

func (*FactoryMiddleware) Handler added in v0.2.8

Handler returns the middleware function used by the proxy.

type FactoryMiddlewareParams added in v0.2.8

type FactoryMiddlewareParams struct {
	ConfigPath string  `json:"config_path,omitempty"` // Kept for backwards compatibility
	ConfigData *Config `json:"config_data,omitempty"` // New field for config contents
}

FactoryMiddlewareParams represents the parameters for authorization middleware

type ResponseFilteringWriter added in v0.0.38

type ResponseFilteringWriter struct {
	http.ResponseWriter
	// contains filtered or unexported fields
}

ResponseFilteringWriter wraps an http.ResponseWriter to intercept and filter responses

func NewResponseFilteringWriter added in v0.0.38

func NewResponseFilteringWriter(
	w http.ResponseWriter, authorizer authorizers.Authorizer, r *http.Request, method string,
) *ResponseFilteringWriter

NewResponseFilteringWriter creates a new response filtering writer

func (*ResponseFilteringWriter) Flush added in v0.0.38

func (rfw *ResponseFilteringWriter) Flush()

Flush implements http.Flusher if the underlying ResponseWriter supports it. This method is required for streaming support (SSE, streamable-http).

func (*ResponseFilteringWriter) FlushAndFilter added in v0.6.0

func (rfw *ResponseFilteringWriter) FlushAndFilter() error

FlushAndFilter processes the captured response and applies filtering if needed. Returns an error if filtering or writing fails.

func (*ResponseFilteringWriter) Write added in v0.0.38

func (rfw *ResponseFilteringWriter) Write(data []byte) (int, error)

Write captures the response body for filtering

func (*ResponseFilteringWriter) WriteHeader added in v0.0.38

func (rfw *ResponseFilteringWriter) WriteHeader(statusCode int)

WriteHeader captures the status code

Directories

Path Synopsis
Package authorizers provides the authorization framework and abstractions for ToolHive.
cedar
Package cedar provides authorization utilities using Cedar policies.
