mcp: pass access token to the upstream (#5593)

2025-07-31 15:29:48 +02:00 · 2025-04-29 12:13:18 -04:00 · 2025-04-29 12:13:18 -04:00 · 5b024a8ada
commit 5b024a8ada
parent b9e3a5d301
15 changed files with 774 additions and 719 deletions
--- a/authorize/authorize.go
+++ b/authorize/authorize.go
@ -16,7 +16,6 @@ import (
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/atomicutil"
 	"github.com/pomerium/pomerium/internal/log"
-	"github.com/pomerium/pomerium/internal/mcp"
 	"github.com/pomerium/pomerium/internal/telemetry/metrics"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
@ -29,7 +28,6 @@ type Authorize struct {
 	store         *store.Store
 	currentConfig *atomicutil.Value[*config.Config]
 	accessTracker *AccessTracker
-	mcp           *atomicutil.Value[*mcp.Handler]

 	tracerProvider oteltrace.TracerProvider
 	tracer         oteltrace.Tracer
@ -40,17 +38,11 @@ func New(ctx context.Context, cfg *config.Config) (*Authorize, error) {
 	tracerProvider := trace.NewTracerProvider(ctx, "Authorize")
 	tracer := tracerProvider.Tracer(trace.PomeriumCoreTracer)

-	mcp, err := mcp.New(ctx, mcp.DefaultPrefix, cfg)
-	if err != nil {
-		return nil, fmt.Errorf("authorize: failed to create mcp handler: %w", err)
-	}
-
 	a := &Authorize{
 		currentConfig:  atomicutil.NewValue(cfg),
 		store:          store.New(),
 		tracerProvider: tracerProvider,
 		tracer:         tracer,
-		mcp:            atomicutil.NewValue(mcp),
 	}
 	a.accessTracker = NewAccessTracker(a, accessTrackerMaxSize, accessTrackerDebouncePeriod)

@ -93,6 +85,7 @@ func validateOptions(o *config.Options) error {
 func newPolicyEvaluator(
 	ctx context.Context,
 	opts *config.Options, store *store.Store, previous *evaluator.Evaluator,
+	evaluatorOpts ...evaluator.Option,
 ) (*evaluator.Evaluator, error) {
 	metrics.AddPolicyCountCallback("pomerium-authorize", func() int64 {
 		return int64(opts.NumPolicies())
@ -136,7 +129,7 @@ func newPolicyEvaluator(
 	}

 	allPolicies := slices.Collect(opts.GetAllPolicies())
-	return evaluator.New(ctx, store, previous,
+	evaluatorOpts = append([]evaluator.Option{
 		evaluator.WithPolicies(allPolicies),
 		evaluator.WithClientCA(clientCA),
 		evaluator.WithAddDefaultClientCertificateRule(addDefaultClientCertificateRule),
@ -148,7 +141,8 @@ func newPolicyEvaluator(
 		evaluator.WithJWTClaimsHeaders(opts.JWTClaimsHeaders),
 		evaluator.WithJWTGroupsFilter(opts.JWTGroupsFilter),
 		evaluator.WithDefaultJWTIssuerFormat(opts.JWTIssuerFormat),
-	)
+	}, evaluatorOpts...)
+	return evaluator.New(ctx, store, previous, evaluatorOpts...)
 }

 // OnConfigChange updates internal structures based on config.Options
@ -160,11 +154,4 @@ func (a *Authorize) OnConfigChange(ctx context.Context, cfg *config.Config) {
 	} else {
 		a.state.Store(newState)
 	}
-
-	mcp, err := mcp.New(ctx, mcp.DefaultPrefix, cfg)
-	if err != nil {
-		log.Ctx(ctx).Error().Err(err).Msg("proxy: failed to update authorize state from configuration settings")
-	} else {
-		a.mcp.Store(mcp)
-	}
 }