Skip to content

feat: add OPA plugin for policy enforcement #853

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 27 commits into from
Sep 9, 2025
Merged

feat: add OPA plugin for policy enforcement #853

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
27 commits
Select commit Hold shift + click to select a range
bb88930
Initial OPA plugin template
monshri Aug 19, 2025
2868659
Adding opa server installation, tool invoke with policy evaluations
monshri Aug 19, 2025
ad6f8c4
Sample policy holders for pre/post tool, resource and prompt invocati…
monshri Aug 20, 2025
59c69cb
feat: add shared context capabilities and fixed error issues.
Aug 22, 2025
9d48b03
fix: plugin cleanup to support multiple external plugins.
Aug 22, 2025
f2ba4e6
fix(lint): fixed linting issues
Aug 22, 2025
4670e29
feat(error): update error handling with enforce_ignore_error
Aug 23, 2025
e78b1cb
Additiona of context-tool-policy mapping using applied_to
monshri Aug 28, 2025
08c1ebd
Changes in plugin config schema
monshri Aug 28, 2025
881bf30
Schema update models.py
monshri Aug 28, 2025
cb09080
updated schema
monshri Aug 28, 2025
ff2e269
Adding endpoint to policy
monshri Aug 28, 2025
ed0abf3
documentation for OPA Plugin
monshri Aug 29, 2025
c954595
documentation update
monshri Aug 29, 2025
f403297
documentation update
monshri Aug 29, 2025
5624858
documentation update
monshri Aug 29, 2025
323fdae
documentation update
monshri Aug 29, 2025
7735cd0
fix: flake8 and doctest
monshri Sep 4, 2025
d9eaa4f
fix: solving doctest errors
monshri Sep 4, 2025
a659ddd
fix:doctest
monshri Sep 4, 2025
18928e9
Adding tool_name variable change
monshri Sep 4, 2025
2a0fdd6
test cases for opapluginfilter
monshri Sep 9, 2025
c040da1
merge main into feat/271-opa-plugin
monshri Sep 9, 2025
15f4f2c
Update manifest.in with exclude
monshri Sep 9, 2025
5195644
updated prehook
monshri Sep 9, 2025
3a0fa92
updating documentation
monshri Sep 9, 2025
c0038b6
rebase
crivetimihai Sep 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions MANIFEST.in
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -96,3 +96,13 @@ exclude llms-full.txt
prune deployment
prune mcp-servers
prune agent_runtimes

# Exclude opa
exclude plugins/external/opa/.dockerignore
exclude plugins/external/opa/.env.template
exclude plugins/external/opa/.ruff.toml
exclude plugins/external/opa/Containerfile
exclude plugins/external/opa/MANIFEST.in
exclude plugins/external/opa/opaserver/rego/example.rego
exclude plugins/external/opa/pyproject.toml
exclude plugins/external/opa/run-server.sh
2 changes: 2 additions & 0 deletions mcpgateway/main.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3151,6 +3151,8 @@ async def handle_rpc(request: Request, db: Session = Depends(get_db), user=Depen
result = await tool_service.invoke_tool(db=db, name=method, arguments=params, request_headers=headers)
if hasattr(result, "model_dump"):
result = result.model_dump(by_alias=True, exclude_none=True)
except PluginViolationError:
return JSONResponse(status_code=403, content={"detail": "policy_deny"})
except (ValueError, Exception):
# If not a tool, try forwarding to gateway
try:
Expand Down
32 changes: 28 additions & 4 deletions mcpgateway/plugins/framework/models.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -84,7 +84,29 @@ class PluginMode(str, Enum):
DISABLED = "disabled"


class ToolTemplate(BaseModel):
class BaseTemplate(BaseModel):
"""Base Template.The ToolTemplate, PromptTemplate and ResourceTemplate could be extended using this
Attributes:
context (Optional[list[str]]): specifies the keys of context to be extracted. The context could be global (shared between the plugins) or
local (shared within the plugin). Example: global.key1.
extensions (Optional[dict[str, Any]]): add custom keys for your specific plugin. Example - 'policy'
key for opa plugin.
Examples:
>>> base = BaseTemplate(context=["global.key1.key2", "local.key1.key2"])
>>> base.context
['global.key1.key2', 'local.key1.key2']
>>> base = BaseTemplate(context=["global.key1.key2"], extensions={"policy" : "sample policy"})
>>> base.extensions
{'policy': 'sample policy'}
"""

context: Optional[list[str]] = None
extensions: Optional[dict[str, Any]] = None


class ToolTemplate(BaseTemplate):
"""Tool Template.
Attributes:
Expand All @@ -110,7 +132,7 @@ class ToolTemplate(BaseModel):
result: bool = False


class PromptTemplate(BaseModel):
class PromptTemplate(BaseTemplate):
"""Prompt Template.
Attributes:
Expand All @@ -134,7 +156,7 @@ class PromptTemplate(BaseModel):
result: bool = False


class ResourceTemplate(BaseModel):
class ResourceTemplate(BaseTemplate):
"""Resource Template.
Attributes:
Expand Down Expand Up @@ -215,6 +237,8 @@ class AppliedTo(BaseModel):
tools (Optional[list[ToolTemplate]]): tools and fields to be applied.
prompts (Optional[list[PromptTemplate]]): prompts and fields to be applied.
resources (Optional[list[ResourceTemplate]]): resources and fields to be applied.
global_context (Optional[list[str]]): keys in the context to be applied on globally
local_context(Optional[list[str]]): keys in the context to be applied on locally
"""

tools: Optional[list[ToolTemplate]] = None
Expand Down Expand Up @@ -308,7 +332,7 @@ class PluginConfig(BaseModel):
mode: PluginMode = PluginMode.ENFORCE
priority: Optional[int] = None # Lower = higher priority
conditions: Optional[list[PluginCondition]] = None # When to apply
applied_to: Optional[list[AppliedTo]] = None # Fields to apply to.
applied_to: Optional[AppliedTo] = None # Fields to apply to.
config: Optional[dict[str, Any]] = None
mcp: Optional[MCPConfig] = None

Expand Down
7 changes: 7 additions & 0 deletions plugins/config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -110,6 +110,13 @@ plugins:
- pattern: "secret\\s*[:=]\\s*\\S+"
replacement: "secret: [REDACTED]"

- name: "OPAPluginFilter"
kind: "external"
priority: 10 # adjust the priority
mcp:
proto: STREAMABLEHTTP
url: http://127.0.0.1:8000/mcp

# Plugin directories to scan
plugin_dirs:
- "plugins/native" # Built-in plugins
Expand Down
7 changes: 7 additions & 0 deletions plugins/external/config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,13 @@ plugins:
proto: STREAMABLEHTTP
url: http://127.0.0.1:3000/mcp

- name: "OPAPluginFilter"
kind: "external"
priority: 10 # adjust the priority
mcp:
proto: STREAMABLEHTTP
url: http://127.0.0.1:8000/mcp

# Plugin directories to scan
plugin_dirs:
- "plugins/native" # Built-in plugins
Expand Down
Loading
Loading