authorization against tool arguments

Signed-off-by: Huabing Zhao <[email protected]>

Author: zhaohuabing

api/v1alpha1/mcp_route.go

@@ -308,25 +308,13 @@ type ToolCall struct {
 	ToolName string `json:"toolName"`
 
 	// Arguments defines the arguments that must be present in the tool call for this rule to match.
+	// Keys must exist and their values must match the provided RE2-compatible regular expressions.
+	// If the argument is a non-string type, it will be matched against its JSON representation.
 	//
 	// +optional
-	// Arguments map[string]string `json:"arguments,omitempty"`
+	Arguments map[string]string `json:"arguments,omitempty"`
 }
 
-/*type ToolArgument struct {
-	// Name is the name of the argument.
-	Name string `json:"name"`
-
-	// Value is the value of the argument.
-	Value ArgumentValues `json:"value"`
-}
-
-type ArgumentValues struct {
-	Include []string `json:"include,omitempty"`
-
-	IncludeRegex []string `json:"includeRegex,omitempty"`
-}*/
-
 // JWKS defines how to obtain JSON Web Key Sets (JWKS) either from a remote HTTP/HTTPS endpoint or from a local source.
 // +kubebuilder:validation:XValidation:rule="has(self.remoteJWKS) || has(self.localJWKS)", message="either remoteJWKS or localJWKS must be specified."
 // +kubebuilder:validation:XValidation:rule="!(has(self.remoteJWKS) && has(self.localJWKS))", message="remoteJWKS and localJWKS cannot both be specified."

api/v1alpha1/zz_generated.deepcopy.go

@@ -500,6 +500,7 @@ func mcpConfig(mcpRoutes []aigv1a1.MCPRoute) *filterapi.MCPConfig {
 					tools[i] = filterapi.ToolCall{
 						BackendName: tool.BackendName,
 						ToolName:    tool.ToolName,
+						Arguments:   tool.Arguments,
 					}
 				}
 

internal/controller/gateway.go

@@ -118,4 +118,8 @@ type ToolCall struct {
 
 	// ToolName is the name of the tool.
 	ToolName string `json:"toolName"`
+
+	// Arguments defines required arguments (exact key names with regex patterns for values).
+	// All patterns must match for the rule to apply.
+	Arguments map[string]string `json:"arguments,omitempty"`
 }

internal/filterapi/mcpconfig.go

@@ -6,17 +6,19 @@
 package mcpproxy
 
 import (
+	"encoding/json"
 	"errors"
 	"log/slog"
 	"net/http"
+	"regexp"
 	"strings"
 
 	"github.com/golang-jwt/jwt/v5"
 
 	"github.com/envoyproxy/ai-gateway/internal/filterapi"
 )
 
-func (m *MCPProxy) authorizeRequest(authorization *filterapi.MCPRouteAuthorization, headers http.Header, backendName, toolName string) bool {
+func (m *MCPProxy) authorizeRequest(authorization *filterapi.MCPRouteAuthorization, headers http.Header, backendName, toolName string, argments any) bool {
 	defaultAction := authorization.DefaultAction == filterapi.AuthorizationActionAllow
 
 	// If there are no rules, return the default action.
@@ -44,9 +46,14 @@ func (m *MCPProxy) authorizeRequest(authorization *filterapi.MCPRouteAuthorizati
 		scopeSet[scope] = struct{}{}
 	}
 
-	target := filterapi.ToolCall{BackendName: backendName, ToolName: toolName}
 	for _, rule := range authorization.Rules {
-		if !toolTargetMatches(target, rule.Target.Tools) {
+		var args map[string]any
+		if argments != nil {
+			if cast, ok := argments.(map[string]any); ok {
+				args = cast
+			}
+		}
+		if !toolMatches(args, filterapi.ToolCall{BackendName: backendName, ToolName: toolName}, rule.Target.Tools) {
 			continue
 		}
 		if scopesSatisfied(scopeSet, rule.Source.JWTSource.Scopes) {
@@ -98,15 +105,54 @@ func extractScopes(claims jwt.MapClaims) []string {
 	}
 }
 
-func toolTargetMatches(target filterapi.ToolCall, tools []filterapi.ToolCall) bool {
+func toolMatches(args map[string]any, target filterapi.ToolCall, tools []filterapi.ToolCall) bool {
 	if len(tools) == 0 {
 		return true
 	}
+
 	for _, t := range tools {
-		if t.BackendName == target.BackendName && t.ToolName == target.ToolName {
+		if t.BackendName != target.BackendName || t.ToolName != target.ToolName {
+			continue
+		}
+		if len(t.Arguments) == 0 {
+			return true
+		}
+		if args == nil {
+			return false
+		}
+		allMatch := true
+		for key, pattern := range t.Arguments {
+			rawVal, ok := args[key]
+			if !ok {
+				allMatch = false
+				break
+			}
+			re, err := regexp.Compile(pattern)
+			if err != nil {
+				allMatch = false
+				break
+			}
+			var data []byte
+			if s, ok := rawVal.(string); ok {
+				data = []byte(s)
+			} else {
+				jsonVal, err := json.Marshal(rawVal)
+				if err != nil {
+					allMatch = false
+					break
+				}
+				data = jsonVal
+			}
+			if !re.Match(data) {
+				allMatch = false
+				break
+			}
+		}
+		if allMatch {
 			return true
 		}
 	}
+	// If no matching tool entry or no arguments matched, fail.
 	return false
 }
 

internal/mcpproxy/authorization.go

@@ -36,6 +36,7 @@ func TestAuthorizeRequest(t *testing.T) {
 		header        string
 		backendName   string
 		toolName      string
+		args          map[string]any
 		expectAllowed bool
 	}{
 		{
@@ -59,6 +60,156 @@ func TestAuthorizeRequest(t *testing.T) {
 			toolName:      "tool1",
 			expectAllowed: true,
 		},
+		{
+			name: "matching tool scope and arguments regex allowed",
+			auth: &filterapi.MCPRouteAuthorization{
+				DefaultAction: filterapi.AuthorizationActionDeny,
+				Rules: []filterapi.MCPRouteAuthorizationRule{
+					{
+						Source: filterapi.MCPAuthorizationSource{
+							JWTSource: filterapi.JWTSource{Scopes: []string{"read"}},
+						},
+						Target: filterapi.MCPAuthorizationTarget{
+							Tools: []filterapi.ToolCall{{
+								BackendName: "backend1",
+								ToolName:    "tool1",
+								Arguments: map[string]string{
+									"mode":  "fast|slow",
+									"user":  "u-[0-9]+",
+									"debug": "true",
+								},
+							}},
+						},
+						Action: filterapi.AuthorizationActionAllow,
+					},
+				},
+			},
+			header:      "Bearer " + makeToken("read"),
+			backendName: "backend1",
+			toolName:    "tool1",
+			args: map[string]any{
+				"mode":  "fast",
+				"user":  "u-123",
+				"debug": "true",
+			},
+			expectAllowed: true,
+		},
+		{
+			name: "argument regex mismatch denied",
+			auth: &filterapi.MCPRouteAuthorization{
+				DefaultAction: filterapi.AuthorizationActionDeny,
+				Rules: []filterapi.MCPRouteAuthorizationRule{
+					{
+						Source: filterapi.MCPAuthorizationSource{
+							JWTSource: filterapi.JWTSource{Scopes: []string{"read"}},
+						},
+						Target: filterapi.MCPAuthorizationTarget{
+							Tools: []filterapi.ToolCall{{
+								BackendName: "backend1",
+								ToolName:    "tool1",
+								Arguments: map[string]string{
+									"mode": "fast|slow",
+								},
+							}},
+						},
+						Action: filterapi.AuthorizationActionAllow,
+					},
+				},
+			},
+			header:      "Bearer " + makeToken("read"),
+			backendName: "backend1",
+			toolName:    "tool1",
+			args: map[string]any{
+				"mode": "other",
+			},
+			expectAllowed: false,
+		},
+		{
+			name: "missing argument denies when required",
+			auth: &filterapi.MCPRouteAuthorization{
+				DefaultAction: filterapi.AuthorizationActionDeny,
+				Rules: []filterapi.MCPRouteAuthorizationRule{
+					{
+						Source: filterapi.MCPAuthorizationSource{
+							JWTSource: filterapi.JWTSource{Scopes: []string{"read"}},
+						},
+						Target: filterapi.MCPAuthorizationTarget{
+							Tools: []filterapi.ToolCall{{
+								BackendName: "backend1",
+								ToolName:    "tool1",
+								Arguments: map[string]string{
+									"mode": "fast",
+								},
+							}},
+						},
+						Action: filterapi.AuthorizationActionAllow,
+					},
+				},
+			},
+			header:        "Bearer " + makeToken("read"),
+			backendName:   "backend1",
+			toolName:      "tool1",
+			args:          map[string]any{},
+			expectAllowed: false,
+		},
+		{
+			name: "numeric argument matches via JSON string",
+			auth: &filterapi.MCPRouteAuthorization{
+				DefaultAction: filterapi.AuthorizationActionDeny,
+				Rules: []filterapi.MCPRouteAuthorizationRule{
+					{
+						Source: filterapi.MCPAuthorizationSource{
+							JWTSource: filterapi.JWTSource{Scopes: []string{"read"}},
+						},
+						Target: filterapi.MCPAuthorizationTarget{
+							Tools: []filterapi.ToolCall{{
+								BackendName: "backend1",
+								ToolName:    "tool1",
+								Arguments: map[string]string{
+									"count": "^4[0-9]$",
+								},
+							}},
+						},
+						Action: filterapi.AuthorizationActionAllow,
+					},
+				},
+			},
+			header:        "Bearer " + makeToken("read"),
+			backendName:   "backend1",
+			toolName:      "tool1",
+			args:          map[string]any{"count": 42},
+			expectAllowed: true,
+		},
+		{
+			name: "object argument can be matched via JSON string",
+			auth: &filterapi.MCPRouteAuthorization{
+				DefaultAction: filterapi.AuthorizationActionDeny,
+				Rules: []filterapi.MCPRouteAuthorizationRule{
+					{
+						Source: filterapi.MCPAuthorizationSource{
+							JWTSource: filterapi.JWTSource{Scopes: []string{"read"}},
+						},
+						Target: filterapi.MCPAuthorizationTarget{
+							Tools: []filterapi.ToolCall{{
+								BackendName: "backend1",
+								ToolName:    "tool1",
+								Arguments: map[string]string{
+									"payload": `"kind":"test"`,
+								},
+							}},
+						},
+						Action: filterapi.AuthorizationActionAllow,
+					},
+				},
+			},
+			header:      "Bearer " + makeToken("read"),
+			backendName: "backend1",
+			toolName:    "tool1",
+			args: map[string]any{
+				"payload": map[string]any{"kind": "test", "value": 123},
+			},
+			expectAllowed: true,
+		},
 		{
 			name: "matching tool but insufficient scopes not allowed",
 			auth: &filterapi.MCPRouteAuthorization{
@@ -294,7 +445,7 @@ func TestAuthorizeRequest(t *testing.T) {
 			if tt.header != "" {
 				headers.Set("Authorization", tt.header)
 			}
-			allowed := proxy.authorizeRequest(tt.auth, headers, tt.backendName, tt.toolName)
+			allowed := proxy.authorizeRequest(tt.auth, headers, tt.backendName, tt.toolName, tt.args)
 			if allowed != tt.expectAllowed {
 				t.Fatalf("expected %v, got %v", tt.expectAllowed, allowed)
 			}

internal/mcpproxy/authorization_test.go

@@ -542,7 +542,7 @@ func (m *MCPProxy) handleToolCallRequest(ctx context.Context, s *session, w http
 
 	// Enforce authentication if required by the route.
 	if route.authorization != nil {
-		if !m.authorizeRequest(route.authorization, headers, backendName, toolName) {
+		if !m.authorizeRequest(route.authorization, headers, backendName, toolName, p.Arguments) {
 			onErrorResponse(w, http.StatusUnauthorized, "authorization failed")
 			return fmt.Errorf("authorization failed")
 		}

internal/mcpproxy/handlers.go

@@ -642,6 +642,14 @@ spec:
                                     rule applies to.
                                   items:
                                     properties:
+                                      arguments:
+                                        additionalProperties:
+                                          type: string
+                                        description: |-
+                                          Arguments defines the arguments that must be present in the tool call for this rule to match.
+                                          Keys must exist and their values must match the provided RE2-compatible regular expressions.
+                                          If the argument is a non-string type, it will be matched against its JSON representation.
+                                        type: object
                                       backendName:
                                         description: BackendName is the name of the
                                           backend this tool belongs to.

manifests/charts/ai-gateway-crds-helm/templates/aigateway.envoyproxy.io_mcproutes.yaml

@@ -1985,6 +1985,11 @@ References:
   type="string"
   required="true"
   description="ToolName is the name of the tool."
+/><ApiField
+  name="arguments"
+  type="object (keys:string, values:string)"
+  required="false"
+  description="Arguments defines the arguments that must be present in the tool call for this rule to match.<br />Keys must exist and their values must match the provided RE2-compatible regular expressions.<br />If the argument is a non-string type, it will be matched against its JSON representation."
 />