Remove actions

Signed-off-by: Huabing Zhao <[email protected]>

Author: zhaohuabing

api/v1alpha1/mcp_route.go

@@ -237,16 +237,13 @@ type MCPRouteOAuth struct {
 // MCPRouteAuthorization defines the authorization configuration for a MCPRoute.
 type MCPRouteAuthorization struct {
 	// Rules defines a list of authorization rules.
-	// These rules are evaluated in order, the first matching rule will be applied,
-	// and the rest will be skipped.
+	//
+	// Requests that match any rule and satisfy the rule's conditions will be allowed.
+	// Requests that do not match any rule or fail to satisfy the matched rule's conditions will be denied.
+	// If no rules are defined, all requests will be denied.
 	//
 	// +optional
 	Rules []MCPRouteAuthorizationRule `json:"rules,omitempty"`
-
-	// DefaultAction defines the default action to be taken if no rules match.
-	// If not specified, the default action is Deny.
-	// +optional
-	DefaultAction *egv1a1.AuthorizationAction `json:"defaultAction"`
 }
 
 // MCPRouteAuthorizationRule defines an authorization rule for MCPRoute based on the MCP authorization spec.
@@ -261,11 +258,6 @@ type MCPRouteAuthorizationRule struct {
 	//
 	// +kubebuilder:validation:Required
 	Target MCPAuthorizationTarget `json:"target"`
-
-	// Action defines whether to allow or deny requests that match this rule.
-	//
-	// +kubebuilder:validation:Required
-	Action egv1a1.AuthorizationAction `json:"action"`
 }
 
 // MCPAuthorizationTarget defines the target of an authorization rule.

api/v1alpha1/zz_generated.deepcopy.go

@@ -13,7 +13,6 @@ import (
 	"strings"
 	"time"
 
-	egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
 	"github.com/go-logr/logr"
 	"github.com/google/uuid"
 	appsv1 "k8s.io/api/apps/v1"
@@ -477,19 +476,7 @@ func mcpConfig(mcpRoutes []aigv1a1.MCPRoute) *filterapi.MCPConfig {
 			authorization := route.Spec.SecurityPolicy.Authorization
 			mcpRoute.Authorization = &filterapi.MCPRouteAuthorization{}
 
-			defaultAction := ptr.Deref(authorization.DefaultAction, egv1a1.AuthorizationActionDeny)
-			if defaultAction == egv1a1.AuthorizationActionAllow {
-				mcpRoute.Authorization.DefaultAction = filterapi.AuthorizationActionAllow
-			} else {
-				mcpRoute.Authorization.DefaultAction = filterapi.AuthorizationActionDeny
-			}
-
 			for _, rule := range authorization.Rules {
-				action := filterapi.AuthorizationActionDeny
-				if rule.Action == egv1a1.AuthorizationActionAllow {
-					action = filterapi.AuthorizationActionAllow
-				}
-
 				scopes := make([]string, len(rule.Source.JWTSource.Scopes))
 				for i, scope := range rule.Source.JWTSource.Scopes {
 					scopes[i] = string(scope)
@@ -505,7 +492,6 @@ func mcpConfig(mcpRoutes []aigv1a1.MCPRoute) *filterapi.MCPConfig {
 				}
 
 				mcpRule := filterapi.MCPRouteAuthorizationRule{
-					Action: action,
 					Source: filterapi.MCPAuthorizationSource{
 						JWTSource: filterapi.JWTSource{
 							Scopes: scopes,

internal/controller/gateway.go

@@ -68,9 +68,6 @@ type MCPRouteAuthorization struct {
 	// These rules are evaluated in order, the first matching rule will be applied,
 	// and the rest will be skipped.
 	Rules []MCPRouteAuthorizationRule `json:"rules,omitempty"`
-
-	// DefaultAction defines the action to take when no rules match.
-	DefaultAction AuthorizationAction `json:"defaultAction,omitempty"`
 }
 
 // MCPRouteAuthorizationRule defines an authorization rule for MCPRoute based on the MCP authorization spec.
@@ -81,21 +78,8 @@ type MCPRouteAuthorizationRule struct {
 
 	// Target defines the authorization target for this rule.
 	Target MCPAuthorizationTarget `json:"target"`
-
-	// Action defines whether to allow or deny requests that match this rule.
-	Action AuthorizationAction `json:"action"`
 }
 
-// AuthorizationAction represents an authorization decision.
-type AuthorizationAction string
-
-const (
-	// AuthorizationActionAllow allows the request.
-	AuthorizationActionAllow AuthorizationAction = "Allow"
-	// AuthorizationActionDeny denies the request.
-	AuthorizationActionDeny AuthorizationAction = "Deny"
-)
-
 type MCPAuthorizationTarget struct {
 	// Tools defines the list of tools this rule applies to.
 	Tools []ToolCall `json:"tools"`

internal/filterapi/mcpconfig.go

@@ -25,11 +25,9 @@ func (m *MCPProxy) authorizeRequest(authorization *filterapi.MCPRouteAuthorizati
 		return true
 	}
 
-	defaultAction := authorization.DefaultAction == filterapi.AuthorizationActionAllow
-
-	// If there are no rules, return the default action.
+	// If no rules are defined, deny all requests.
 	if len(authorization.Rules) == 0 {
-		return defaultAction
+		return false
 	}
 
 	// If the rules are defined, a valid bearer token is required.
@@ -61,11 +59,11 @@ func (m *MCPProxy) authorizeRequest(authorization *filterapi.MCPRouteAuthorizati
 			continue
 		}
 		if scopesSatisfied(scopeSet, rule.Source.JWTSource.Scopes) {
-			return rule.Action == filterapi.AuthorizationActionAllow
+			return true
 		}
 	}
 
-	return defaultAction
+	return false
 }
 
 func bearerToken(header string) (string, error) {