Documentation
Overview
Package authorizers provides the authorization framework and abstractions for ToolHive. It defines interfaces for authorization decisions and configuration handling.
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
func IsRegistered
IsRegistered returns true if a factory is registered for the given config type.
func Register
func Register(configType string, factory AuthorizerFactory)
Register registers an AuthorizerFactory for the given config type. This is typically called from an init() function in the authorizer package. It panics if a factory is already registered for the given type.
func RegisteredTypes
func RegisteredTypes() []string
RegisteredTypes returns a list of all registered config types.
Types
type Authorizer
type Authorizer interface {
	AuthorizeWithJWTClaims(
		ctx context.Context,
		feature MCPFeature,
		operation MCPOperation,
		resourceID string,
		arguments map[string]interface{},
	) (bool, error)
}
Authorizer defines the interface for making authorization decisions. Implementations of this interface evaluate whether a given operation on an MCP feature should be permitted, based on JWT claims and the specific resource being accessed.
type AuthorizerFactory
type AuthorizerFactory interface {
	// ValidateConfig validates the authorizer-specific configuration.
	// The rawConfig is the JSON-encoded authorizer configuration.
	ValidateConfig(rawConfig json.RawMessage) error
	// CreateAuthorizer creates an Authorizer instance from the configuration.
	// The rawConfig is the JSON-encoded authorizer configuration.
	CreateAuthorizer(rawConfig json.RawMessage, serverName string) (Authorizer, error)
}
AuthorizerFactory is the interface that authorizer implementations must satisfy to register themselves with the authorizers registry. Each authorizer type (e.g., Cedar, OPA) implements this interface to provide validation and instantiation of authorizers from their specific configuration format.
func GetFactory
func GetFactory(configType string) AuthorizerFactory
GetFactory returns the AuthorizerFactory for the given config type. Returns nil if no factory is registered for the type.
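As an added example (not ToolHive's own code), here is a stand-alone sketch of the registry contract described above: the interfaces are re-declared locally so it runs offline, and the "allowlistv1" type, its `{"tools": [...]}` config shape and the allowlist authorizer are hypothetical.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
)

type MCPFeature string
type MCPOperation string
type Authorizer interface { // mirrors the interface documented on this page
	AuthorizeWithJWTClaims(ctx context.Context, feature MCPFeature, operation MCPOperation, resourceID string, arguments map[string]interface{}) (bool, error)
}
type AuthorizerFactory interface { // likewise
	ValidateConfig(rawConfig json.RawMessage) error
	CreateAuthorizer(rawConfig json.RawMessage, serverName string) (Authorizer, error)
}

var factories = map[string]AuthorizerFactory{} // filled from init(), so no lock is needed
func Register(configType string, f AuthorizerFactory) { // panics on duplicates, per the contract
	if _, dup := factories[configType]; dup {
		panic(fmt.Sprintf("authorizers: %q already registered", configType))
	}
	factories[configType] = f
}
func GetFactory(configType string) AuthorizerFactory { return factories[configType] } // nil if absent
func IsRegistered(configType string) bool           { return GetFactory(configType) != nil }

// allowlistFactory is a hypothetical type: only tools named in the config may be called (fail closed).
type allowlistFactory struct{}
type allowlistAuthorizer struct{ tools map[string]bool }
func (f allowlistFactory) ValidateConfig(raw json.RawMessage) error { _, err := f.CreateAuthorizer(raw, ""); return err }
func (allowlistFactory) CreateAuthorizer(raw json.RawMessage, _ string) (Authorizer, error) {
	var c struct{ Tools []string `json:"tools"` }
	if err := json.Unmarshal(raw, &c); err != nil || len(c.Tools) == 0 {
		return nil, fmt.Errorf("allowlist config: need a non-empty \"tools\" list: %v", err)
	}
	a := &allowlistAuthorizer{tools: map[string]bool{}}
	for _, t := range c.Tools {
		a.tools[t] = true
	}
	return a, nil
}
func (a *allowlistAuthorizer) AuthorizeWithJWTClaims(_ context.Context, feature MCPFeature, op MCPOperation, resourceID string, _ map[string]interface{}) (bool, error) {
	if feature == "tool" && op == "call" {
		return a.tools[resourceID], nil
	}
	return op == "list", nil // listing is allowed; get/read on prompts and resources is denied
}
func init() { Register("allowlistv1", allowlistFactory{}) }
```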
type Config
type Config struct {
	// Version is the version of the configuration format.
	Version string `json:"version" yaml:"version"`
	// Type is the type of authorization configuration (e.g., "cedarv1").
	Type ConfigType `json:"type" yaml:"type"`
	// contains filtered or unexported fields
}
Config represents the authorization configuration. This struct contains the common fields (version/type) needed to identify which authorizer factory to use. The full raw configuration is preserved so that each authorizer implementation can parse it with domain-specific knowledge (e.g., Cedar configs have a "cedar" field at the top level).
func LoadConfig
LoadConfig loads the authorization configuration from a file. It supports both JSON and YAML formats, detected by file extension.
func NewConfig
NewConfig creates a new Config from a full configuration structure. The fullConfig parameter should be the complete configuration including version, type, and authorizer-specific fields (e.g., "cedar" field for Cedar configs). This maintains backwards compatibility with the v1.0 configuration schema.
func (*Config) MarshalJSON
MarshalJSON implements custom JSON marshaling. If we have the original raw config, use that to preserve all fields. Otherwise, just marshal version and type.
func (*Config) RawConfig
func (c *Config) RawConfig() json.RawMessage
RawConfig returns the raw configuration bytes for the authorizer factory to parse with domain-specific knowledge.
func (*Config) UnmarshalJSON
UnmarshalJSON implements custom JSON unmarshaling that preserves the raw config while extracting the version and type fields.
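Added example, not ToolHive's code: a stand-in Config showing how the custom UnmarshalJSON and MarshalJSON described above extract version and type while keeping the whole document, and how a factory then re-parses that document with its own schema. The `header` type, the `cedarPolicies` helper and the `cedar.policies` layout are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type ConfigType string
// header holds the common version/type fields; Config embeds it plus the preserved document (the field the documented struct filters out).
type header struct {
	Version string     `json:"version"`
	Type    ConfigType `json:"type"`
}
type Config struct {
	header
	rawConfig json.RawMessage
}

// UnmarshalJSON extracts version and type and keeps a private copy of the whole document.
func (c *Config) UnmarshalJSON(data []byte) error {
	var h header
	if err := json.Unmarshal(data, &h); err != nil {
		return err
	}
	if h.Type == "" {
		return fmt.Errorf("authorization config: \"type\" is required")
	}
	c.header = h
	c.rawConfig = append(json.RawMessage(nil), data...) // copy: the decoder may reuse data
	return nil
}

// MarshalJSON emits the preserved document when present, so fields such as "cedar" survive a round trip; otherwise only version and type.
func (c *Config) MarshalJSON() ([]byte, error) {
	if len(c.rawConfig) > 0 {
		return c.rawConfig, nil
	}
	return json.Marshal(c.header)
}
func (c *Config) RawConfig() json.RawMessage { return c.rawConfig }
// cedarPolicies is the factory side: re-parse the preserved document with a Cedar-shaped schema (hypothetical layout).
func cedarPolicies(c *Config) ([]string, error) {
	var body struct {
		Cedar struct{ Policies []string `json:"policies"` } `json:"cedar"`
	}
	if err := json.Unmarshal(c.RawConfig(), &body); err != nil {
		return nil, err
	}
	return body.Cedar.Policies, nil
}
```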
type ConfigType
type ConfigType string
ConfigType represents the type of authorization configuration.
type MCPFeature
type MCPFeature string
MCPFeature represents an MCP feature type. In the MCP protocol, there are three main features:
- Tools: Allow models to call functions in external systems
- Prompts: Provide structured templates for interacting with language models
- Resources: Share data that provides context to language models
const (
	// MCPFeatureTool represents the MCP tool feature.
	MCPFeatureTool MCPFeature = "tool"
	// MCPFeaturePrompt represents the MCP prompt feature.
	MCPFeaturePrompt MCPFeature = "prompt"
	// MCPFeatureResource represents the MCP resource feature.
	MCPFeatureResource MCPFeature = "resource"
)
type MCPOperation
type MCPOperation string
MCPOperation represents an operation on an MCP feature. Each feature supports different operations:
- List: Get a list of available items (tools, prompts, resources)
- Get: Get a specific prompt
- Call: Call a specific tool
- Read: Read a specific resource
const (
	// MCPOperationList represents a list operation.
	MCPOperationList MCPOperation = "list"
	// MCPOperationGet represents a get operation.
	MCPOperationGet MCPOperation = "get"
	// MCPOperationCall represents a call operation.
	MCPOperationCall MCPOperation = "call"
	// MCPOperationRead represents a read operation.
	MCPOperationRead MCPOperation = "read"
)