authorization impl draft

Signed-off-by: Huabing Zhao <[email protected]>

Author: zhaohuabing

api/v1alpha1/mcp_route.go

@@ -267,8 +267,6 @@ type MCPAuthorizationTarget struct {
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=16
 	Tools []ToolCall `json:"tools"`
-
-	// TODO: we can add resources, prompts, etc. in the future.
 }
 
 type MCPAuthorizationSource struct {
@@ -286,21 +284,27 @@ type JWTSource struct {
 	// +kubebuilder:validation:MaxItems=16
 	Scopes []egv1a1.JWTScope `json:"scopes"`
 
-	//TODO : we can add more fields in the future, e.g., audiences, claims, etc.
+	// TODO : we can add more fields in the future, e.g., audiences, claims, etc.
 }
 
 type ToolCall struct {
-	// Tools defines the list of tool names this rule applies to. The name must be a fully qualified tool name including the backend name.
-	// For example, "mcp-backend-name__tool-name".
-	Name string `json:"name"`
+	// BackendName is the name of the backend this tool belongs to.
+	//
+	// +kubebuilder:validation:Required
+	BackendName string `json:"backendName"`
+
+	// ToolName is the name of the tool.
+	//
+	// +kubebuilder:validation:Required
+	ToolName string `json:"toolName"`
 
 	// Arguments defines the arguments that must be present in the tool call for this rule to match.
 	//
 	// +optional
-	Arguments map[string]string `json:"arguments,omitempty"`
+	// Arguments map[string]string `json:"arguments,omitempty"`
 }
 
-type ToolArgument struct {
+/*type ToolArgument struct {
 	// Name is the name of the argument.
 	Name string `json:"name"`
 
@@ -312,7 +316,7 @@ type ArgumentValues struct {
 	Include []string `json:"include,omitempty"`
 
 	IncludeRegex []string `json:"includeRegex,omitempty"`
-}
+}*/
 
 // JWKS defines how to obtain JSON Web Key Sets (JWKS) either from a remote HTTP/HTTPS endpoint or from a local source.
 // +kubebuilder:validation:XValidation:rule="has(self.remoteJWKS) || has(self.localJWKS)", message="either remoteJWKS or localJWKS must be specified."

api/v1alpha1/zz_generated.deepcopy.go

@@ -23,7 +23,7 @@ require (
 	github.com/envoyproxy/go-control-plane v0.14.0
 	github.com/envoyproxy/go-control-plane/envoy v1.36.0
 	github.com/go-logr/logr v1.4.3
-	github.com/golang-jwt/jwt/v4 v4.5.2
+	github.com/golang-jwt/jwt/v5 v5.3.0
 	github.com/google/cel-go v0.26.1
 	github.com/google/go-cmp v0.7.0
 	github.com/google/jsonschema-go v0.3.0
@@ -158,7 +158,6 @@ require (
 	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/goccy/go-yaml v1.18.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect

go.mod

@@ -235,8 +235,6 @@ github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7Lk
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
-github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
 github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=

go.sum

@@ -27,6 +27,9 @@ type MCPRoute struct {
 
 	// Backends is the list of backends that this route can route to.
 	Backends []MCPBackend `json:"backends"`
+
+	// Authorization is the authorization configuration for this route.
+	Authorization *MCPRouteAuthorization `json:"authorization,omitempty"`
 }
 
 // MCPBackend is the MCP backend configuration.
@@ -58,3 +61,62 @@ type MCPToolSelector struct {
 
 // MCPRouteName is the name of the MCP route.
 type MCPRouteName = string
+
+// MCPRouteAuthorization defines the authorization configuration for a MCPRoute.
+type MCPRouteAuthorization struct {
+	// Rules defines a list of authorization rules.
+	// These rules are evaluated in order, the first matching rule will be applied,
+	// and the rest will be skipped.
+	Rules []MCPRouteAuthorizationRule `json:"rules,omitempty"`
+
+	// DefaultAction defines the action to take when no rules match.
+	// If unset, the default is Deny.
+	DefaultAction *AuthorizationAction `json:"defaultAction,omitempty"`
+}
+
+// MCPRouteAuthorizationRule defines an authorization rule for MCPRoute based on the MCP authorization spec.
+// Reference: https://modelcontextprotocol.io/specification/draft/basic/authorization#scope-challenge-handling
+type MCPRouteAuthorizationRule struct {
+	// Source defines the authorization source for this rule.
+	Source MCPAuthorizationSource `json:"source"`
+
+	// Target defines the authorization target for this rule.
+	Target MCPAuthorizationTarget `json:"target"`
+
+	// Action defines whether to allow or deny requests that match this rule.
+	Action AuthorizationAction `json:"action"`
+}
+
+// AuthorizationAction represents an authorization decision.
+type AuthorizationAction string
+
+const (
+	// AuthorizationActionAllow allows the request.
+	AuthorizationActionAllow AuthorizationAction = "Allow"
+	// AuthorizationActionDeny denies the request.
+	AuthorizationActionDeny AuthorizationAction = "Deny"
+)
+
+type MCPAuthorizationTarget struct {
+	// Tools defines the list of tools this rule applies to.
+	Tools []ToolCall `json:"tools"`
+}
+
+type MCPAuthorizationSource struct {
+	// JWTSource defines the JWT scopes required for this rule to match.
+	JWTSource JWTSource `json:"jwtSource,omitempty"`
+}
+
+type JWTSource struct {
+	// Scopes defines the list of JWT scopes required for the rule.
+	// If multiple scopes are specified, all scopes must be present in the JWT for the rule to match.
+	Scopes []string `json:"scopes"`
+}
+
+type ToolCall struct {
+	// BackendName is the name of the backend this tool belongs to.
+	BackendName string `json:"backendName"`
+
+	// ToolName is the name of the tool.
+	ToolName string `json:"toolName"`
+}

internal/filterapi/mcpconfig.go

@@ -0,0 +1,124 @@
+// Copyright Envoy AI Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package mcpproxy
+
+import (
+	"errors"
+	"log/slog"
+	"net/http"
+	"strings"
+
+	"github.com/golang-jwt/jwt/v5"
+	"k8s.io/utils/ptr"
+
+	"github.com/envoyproxy/ai-gateway/internal/filterapi"
+)
+
+func (m *MCPProxy) authorizeRequest(authorization *filterapi.MCPRouteAuthorization, headers http.Header, backendName, toolName string) bool {
+	defaultAction := ptr.Deref(authorization.DefaultAction, filterapi.AuthorizationActionDeny) == filterapi.AuthorizationActionAllow
+
+	// If there are no rules, return the default action.
+	if len(authorization.Rules) == 0 {
+		return defaultAction
+	}
+
+	// If the rules are defined, a valid bearer token is required.
+	token, err := bearerToken(headers.Get("Authorization"))
+	if err != nil {
+		m.l.Info("missing or invalid bearer token", slog.String("error", err.Error()))
+		return false
+	}
+
+	claims := jwt.MapClaims{}
+	// JWT verification is performed by Envoy before reaching here. So we only need to parse the token without verification.
+	parser := jwt.NewParser(jwt.WithoutClaimsValidation())
+	if _, _, err := parser.ParseUnverified(token, claims); err != nil {
+		m.l.Info("failed to parse JWT token", slog.String("error", err.Error()))
+		return false
+	}
+
+	scopeSet := make(map[string]struct{})
+	for _, scope := range extractScopes(claims) {
+		scopeSet[scope] = struct{}{}
+	}
+
+	target := filterapi.ToolCall{BackendName: backendName, ToolName: toolName}
+	for _, rule := range authorization.Rules {
+		if !toolTargetMatches(target, rule.Target.Tools) {
+			continue
+		}
+		if scopesSatisfied(scopeSet, rule.Source.JWTSource.Scopes) {
+			return rule.Action == filterapi.AuthorizationActionAllow
+		}
+	}
+
+	return defaultAction
+}
+
+func bearerToken(header string) (string, error) {
+	if header == "" {
+		return "", errors.New("missing Authorization header")
+	}
+
+	parts := strings.SplitN(header, " ", 2)
+	if len(parts) != 2 || !strings.EqualFold(parts[0], "bearer") {
+		return "", errors.New("invalid Authorization header")
+	}
+
+	token := strings.TrimSpace(parts[1])
+	if token == "" {
+		return "", errors.New("missing bearer token")
+	}
+	return token, nil
+}
+
+func extractScopes(claims jwt.MapClaims) []string {
+	raw, ok := claims["scope"]
+	if !ok {
+		return nil
+	}
+
+	switch v := raw.(type) {
+	case string:
+		return strings.Fields(v)
+	case []string:
+		return v
+	case []interface{}:
+		scopes := make([]string, 0, len(v))
+		for _, item := range v {
+			if s, ok := item.(string); ok && s != "" {
+				scopes = append(scopes, s)
+			}
+		}
+		return scopes
+	default:
+		return nil
+	}
+}
+
+func toolTargetMatches(target filterapi.ToolCall, tools []filterapi.ToolCall) bool {
+	if len(tools) == 0 {
+		return true
+	}
+	for _, t := range tools {
+		if t.BackendName == target.BackendName && t.ToolName == target.ToolName {
+			return true
+		}
+	}
+	return false
+}
+
+func scopesSatisfied(have map[string]struct{}, required []string) bool {
+	if len(required) == 0 {
+		return true
+	}
+	for _, scope := range required {
+		if _, ok := have[scope]; !ok {
+			return false
+		}
+	}
+	return true
+}