http

package
v0.9.3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 9, 2026 License: Apache-2.0 Imports: 12 Imported by: 0

Documentation

Overview

Package http provides authorization using HTTP-based Policy Decision Points (PDPs).

Index

Constants

View Source 
const ConfigType = "httpv1"

ConfigType is the configuration type identifier for HTTP-based PDP authorization.

Variables

This section is empty.

Functions

This section is empty.

Types

type Authorizer 

type Authorizer struct {
	// contains filtered or unexported fields
}

Authorizer implements the authorizers.Authorizer interface using an HTTP PDP.

func NewAuthorizer 

func NewAuthorizer(config ConfigOptions, serverName string) (*Authorizer, error)

NewAuthorizer creates a new HTTP PDP authorizer from the provided configuration. Note: This function validates the config as a defensive measure, even though the factory also validates. This protects against direct calls to NewAuthorizer that bypass the factory.

func (*Authorizer) AuthorizeWithJWTClaims 

func (a *Authorizer) AuthorizeWithJWTClaims(
	ctx context.Context,
	feature authorizers.MCPFeature,
	operation authorizers.MCPOperation,
	resourceID string,
	arguments map[string]interface{},
) (bool, error)

AuthorizeWithJWTClaims implements the authorizers.Authorizer interface. It extracts JWT claims from the context, builds a PORC expression, and delegates the authorization decision to the configured PDP.

func (*Authorizer) Close 

func (a *Authorizer) Close() error

Close releases resources used by the authorizer.

type ClaimMapper 

type ClaimMapper interface {
	// MapClaims maps JWT claims to principal attributes suitable for the target PDP.
	// The input is the raw JWT claims map, and the output is a map with claims
	// transformed according to the mapper's conventions.
	MapClaims(claims map[string]any) map[string]any
}

ClaimMapper defines the interface for mapping JWT claims to principal attributes. Different PDP implementations may have different conventions for claim names (e.g., MPE uses m-prefixed claims like "mroles", while OIDC uses standard claims like "roles").

type Client 

type Client struct {
	// contains filtered or unexported fields
}

Client handles HTTP communication with the PDP server.

func NewClient 

func NewClient(config *ConnectionConfig) (*Client, error)

NewClient creates a new HTTP client for PDP communication.

func (*Client) Authorize 

func (c *Client) Authorize(ctx context.Context, porc PORC, probe bool) (bool, error)

Authorize sends an authorization request to the PDP server. It returns true if the request is authorized, false otherwise.

func (*Client) Close 

func (c *Client) Close() error

Close closes the HTTP client and releases resources.

type Config 

type Config struct {
	Version string         `json:"version"`
	Type    string         `json:"type"`
	Options *ConfigOptions `json:"pdp"`
}

Config represents the complete authorization configuration file structure for HTTP-based PDP authorization. This includes the common version/type fields plus the PDP-specific "pdp" field.

type ConfigOptions 

type ConfigOptions struct {
	// HTTP contains the HTTP connection configuration.
	HTTP *ConnectionConfig `json:"http,omitempty" yaml:"http,omitempty"`

	// Context configures what context information is included in the PORC.
	// By default, no MCP context is included in the PORC.
	Context *ContextConfig `json:"context,omitempty" yaml:"context,omitempty"`

	// ClaimMapping specifies which claim mapper to use for mapping JWT claims
	// to principal attributes. This field is required. Valid values: "mpe", "standard".
	// - "mpe": Uses MPE-specific m-prefixed claims (mroles, mgroups, mclearance, mannotations)
	// - "standard": Uses standard OIDC claim names (roles, groups)
	ClaimMapping string `json:"claim_mapping,omitempty" yaml:"claim_mapping,omitempty"`
}

ConfigOptions represents the HTTP PDP authorization configuration options.

func (*ConfigOptions) CreateClaimMapper 

func (c *ConfigOptions) CreateClaimMapper() (ClaimMapper, error)

CreateClaimMapper creates a ClaimMapper based on the configured claim mapping type.

func (*ConfigOptions) GetClaimMapping 

func (c *ConfigOptions) GetClaimMapping() string

GetClaimMapping returns the configured claim mapping type. The claim_mapping field is required and validated, so this will never return an empty string.

func (*ConfigOptions) GetContextConfig 

func (c *ConfigOptions) GetContextConfig() ContextConfig

GetContextConfig returns the context configuration, or a default empty config if nil.

func (*ConfigOptions) Validate 

func (c *ConfigOptions) Validate() error

Validate validates the HTTP PDP configuration options.

type ConnectionConfig 

type ConnectionConfig struct {
	// URL is the base URL of the PDP server (e.g., "http://localhost:9000").
	URL string `json:"url" yaml:"url"`

	// Timeout is the HTTP request timeout in seconds. Default is 30.
	Timeout int `json:"timeout,omitempty" yaml:"timeout,omitempty"`

	// InsecureSkipVerify skips TLS certificate verification. Use only for testing.
	InsecureSkipVerify bool `json:"insecure_skip_verify,omitempty" yaml:"insecure_skip_verify,omitempty"`
}

ConnectionConfig contains configuration for the HTTP connection to the PDP.

type Context 

type Context map[string]interface{}

Context represents additional context for the authorization decision.

type ContextConfig 

type ContextConfig struct {
	// IncludeArgs enables inclusion of tool/prompt arguments in context.mcp.args.
	// Default is false.
	IncludeArgs bool `json:"include_args,omitempty" yaml:"include_args,omitempty"`

	// IncludeOperation enables inclusion of MCP operation metadata in context.mcp:
	// feature, operation, and resource_id fields.
	// Default is false.
	IncludeOperation bool `json:"include_operation,omitempty" yaml:"include_operation,omitempty"`
}

ContextConfig configures what context information is included in the PORC. All options default to false, meaning no MCP context is included by default.

type DecisionResponse 

type DecisionResponse struct {
	Allow bool `json:"allow"`
}

DecisionResponse represents the response from the PDP decision endpoint.

type Factory 

type Factory struct{}

Factory implements the authorizers.AuthorizerFactory interface for HTTP PDPs.

func (*Factory) CreateAuthorizer 

func (*Factory) CreateAuthorizer(rawConfig json.RawMessage, serverName string) (authorizers.Authorizer, error)

CreateAuthorizer creates an HTTP PDP Authorizer from the configuration.

func (*Factory) ValidateConfig 

func (*Factory) ValidateConfig(rawConfig json.RawMessage) error

ValidateConfig validates the HTTP PDP configuration.

type MPEClaimMapper 

type MPEClaimMapper struct{}

MPEClaimMapper implements ClaimMapper for Manetu PolicyEngine (MPE). MPE uses m-prefixed claims (mroles, mgroups, mclearance, mannotations) and also accepts standard OIDC claims (roles, groups, clearance, annotations) which are mapped to their m-prefixed equivalents.

func (*MPEClaimMapper) MapClaims 

func (*MPEClaimMapper) MapClaims(claims map[string]any) map[string]any

MapClaims maps JWT claims to MPE-compatible principal attributes. It maps standard JWT claims to MPE-specific principal attributes:

  • sub -> sub (subject identifier)
  • roles/mroles -> mroles (roles)
  • groups/mgroups -> mgroups (groups)
  • scope/scopes -> scopes (access scopes)
  • clearance/mclearance -> mclearance (clearance level)
  • annotations/mannotations -> mannotations (additional annotations)

Returns map[string]any to ensure the PDP can properly unmarshal the PORC structure for identity phase evaluation.

type PORC 

type PORC map[string]interface{}

PORC represents a Principal-Operation-Resource-Context authorization request. This is a common input format for Policy Decision Points (PDPs).

type PORCBuilder 

type PORCBuilder struct {
	// contains filtered or unexported fields
}

PORCBuilder builds PORC (Principal-Operation-Resource-Context) expressions from MCP authorization parameters for use with HTTP-based PDPs.

func NewPORCBuilder 

func NewPORCBuilder(serverID string, contextConfig ContextConfig, claimMapper ClaimMapper) *PORCBuilder

NewPORCBuilder creates a new PORC builder with the given server ID, context configuration, and claim mapper.

func (*PORCBuilder) Build 

func (b *PORCBuilder) Build(
	feature authorizers.MCPFeature,
	operation authorizers.MCPOperation,
	resourceID string,
	claims map[string]interface{},
	arguments map[string]interface{},
) PORC

Build creates a PORC expression from MCP authorization parameters. It maps MCP concepts to the PORC model:

  • principal: Built from JWT claims (sub, roles, groups, scopes, etc.)
  • operation: Derived from MCP feature and operation (e.g., "mcp:tool:call")
  • resource: The MCP resource identifier (tool name, prompt name, resource URI)
  • context: Additional context including tool arguments

type Principal 

type Principal map[string]interface{}

Principal represents the principal (subject) making the request.

type StandardClaimMapper 

type StandardClaimMapper struct{}

StandardClaimMapper implements ClaimMapper for standard OIDC claims. This mapper passes through standard OIDC claim names without modification and can be used with PDPs that expect standard OIDC conventions.

func (*StandardClaimMapper) MapClaims 

func (*StandardClaimMapper) MapClaims(claims map[string]any) map[string]any

MapClaims maps JWT claims using standard OIDC conventions. It preserves standard claim names and normalizes common variations:

  • sub -> sub (subject identifier)
  • roles -> roles (roles, preserving standard name)
  • groups -> groups (groups, preserving standard name)
  • scope/scopes -> scopes (access scopes, normalized to plural)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.