3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-08-01 07:50:26 +02:00
Code Issues Projects Releases Packages Wiki Activity

mcp: add upstream oauth2 config types (#5592)

Browse source
This commit is contained in:
Denis Mishin 2025-04-28 19:18:44 -04:00 committed by GitHub
parent daaf5b8e30
commit b9e3a5d301
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 1350 additions and 962 deletions
Download patch file Download diff file Expand all files Collapse all files

58
config/custom.go
View file

@ -670,12 +670,66 @@ func MCPFromPB(src *configpb.MCP) *MCP {
if src == nil {
return nil
}
return &MCP{}
var v MCP
if uo := src.GetUpstreamOauth2(); uo != nil {
v.UpstreamOAuth2 = &UpstreamOAuth2{
ClientID: uo.GetClientId(),
ClientSecret: uo.GetClientSecret(),
Endpoint: OAuth2EndpointFromPB(uo.Oauth2Endpoint),
Scopes: uo.GetScopes(),
}
}
return &v
}
func OAuth2EndpointFromPB(src *configpb.OAuth2Endpoint) OAuth2Endpoint {
if src == nil {
return OAuth2Endpoint{}
}
var authStyle OAuth2EndpointAuthStyle
switch src.GetAuthStyle() {
case configpb.OAuth2AuthStyle_OAUTH2_AUTH_STYLE_IN_HEADER:
authStyle = OAuth2EndpointAuthStyleInHeader
case configpb.OAuth2AuthStyle_OAUTH2_AUTH_STYLE_IN_PARAMS:
authStyle = OAuth2EndpointAuthStyleInParams
default:
authStyle = OAuth2EndpointAuthStyleAuto
}
return OAuth2Endpoint{
AuthURL: src.GetAuthUrl(),
TokenURL: src.GetTokenUrl(),
AuthStyle: authStyle,
}
}
func MCPToPB(src *MCP) *configpb.MCP {
if src == nil {
return nil
}
return &configpb.MCP{}
v := new(configpb.MCP)
if src.UpstreamOAuth2 != nil {
var authStyle *configpb.OAuth2AuthStyle
switch src.UpstreamOAuth2.Endpoint.AuthStyle {
case OAuth2EndpointAuthStyleInHeader:
authStyle = configpb.OAuth2AuthStyle_OAUTH2_AUTH_STYLE_IN_HEADER.Enum()
case OAuth2EndpointAuthStyleInParams:
authStyle = configpb.OAuth2AuthStyle_OAUTH2_AUTH_STYLE_IN_PARAMS.Enum()
default:
authStyle = nil
}
v.UpstreamOauth2 = &configpb.UpstreamOAuth2{
ClientId: src.UpstreamOAuth2.ClientID,
ClientSecret: src.UpstreamOAuth2.ClientSecret,
Oauth2Endpoint: &configpb.OAuth2Endpoint{
AuthUrl: src.UpstreamOAuth2.Endpoint.AuthURL,
TokenUrl: src.UpstreamOAuth2.Endpoint.TokenURL,
AuthStyle: authStyle,
},
Scopes: src.UpstreamOAuth2.Scopes,
}
}
return v
}

3
config/options_test.go
View file

@ -1495,12 +1495,15 @@ func TestRoute_FromToProto(t *testing.T) {
for i := range pb.LoadBalancingWeights {
pb.LoadBalancingWeights[i] = mathrand.Uint32N(10000) + 1
}
pb.Mcp.UpstreamOauth2.Oauth2Endpoint.AuthStyle = nil
case 1:
pb.Redirect, err = redirectGen.Gen()
require.NoError(t, err)
pb.Mcp.UpstreamOauth2.Oauth2Endpoint.AuthStyle = configpb.OAuth2AuthStyle_OAUTH2_AUTH_STYLE_IN_PARAMS.Enum()
case 2:
pb.Response, err = responseGen.Gen()
require.NoError(t, err)
pb.Mcp.UpstreamOauth2.Oauth2Endpoint.AuthStyle = configpb.OAuth2AuthStyle_OAUTH2_AUTH_STYLE_IN_HEADER.Enum()
}
return pb
}

29
config/policy.go
View file

@ -208,7 +208,34 @@ type Policy struct {
}
// MCP is an experimental support for Model Context Protocol upstreams configuration
type MCP struct{}
type MCP struct {
// UpstreamOAuth2 specifies that before the request reaches the MCP upstream server, it should acquire an OAuth2 token
UpstreamOAuth2 *UpstreamOAuth2 `mapstructure:"upstream_oauth2" yaml:"upstream_oauth2,omitempty" json:"upstream_oauth2,omitempty"`
}
type UpstreamOAuth2 struct {
ClientID string `mapstructure:"client_id" yaml:"client_id,omitempty" json:"client_id,omitempty"`
ClientSecret string `mapstructure:"client_secret" yaml:"client_secret,omitempty" json:"client_secret,omitempty"`
Endpoint OAuth2Endpoint `mapstructure:"endpoint" yaml:"endpoint,omitempty" json:"endpoint,omitempty"`
Scopes []string `mapstructure:"scopes" yaml:"scopes,omitempty" json:"scopes,omitempty"`
}
type OAuth2Endpoint struct {
AuthURL string `mapstructure:"auth_url" yaml:"auth_url,omitempty" json:"auth_url,omitempty"`
TokenURL string `mapstructure:"token_url" yaml:"token_url,omitempty" json:"token_url,omitempty"`
AuthStyle OAuth2EndpointAuthStyle `mapstructure:"auth_style" yaml:"auth_style,omitempty" json:"auth_style,omitempty"`
}
type OAuth2EndpointAuthStyle string
const (
// OAuth2EndpointAuthStyleInHeader indicates that the auth style is in the header
OAuth2EndpointAuthStyleInHeader OAuth2EndpointAuthStyle = "header"
// OAuth2EndpointAuthStyleInParams indicates that the auth style is in the params
OAuth2EndpointAuthStyleInParams OAuth2EndpointAuthStyle = "params"
// OAuth2EndpointAuthStyleAuto indicates that the auth style is auto
OAuth2EndpointAuthStyleAuto OAuth2EndpointAuthStyle = ""
)
// RewriteHeader is a policy configuration option to rewrite an HTTP header.
type RewriteHeader struct {

1799
pkg/grpc/config/config.pb.go
View file

File diff suppressed because it is too large Load diff

61
pkg/grpc/config/config.proto
View file

@ -1,12 +1,13 @@
syntax = "proto3";
package pomerium.config;
option go_package = "github.com/pomerium/pomerium/pkg/grpc/config";
import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "envoy/config/cluster/v3/cluster.proto";
import "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
option go_package = "github.com/pomerium/pomerium/pkg/grpc/config";
message Config {
string name = 1;
@ -16,7 +17,9 @@ message Config {
message RouteRewriteHeader {
string header = 1;
oneof matcher { string prefix = 3; }
oneof matcher {
string prefix = 3;
}
string value = 2;
}
@ -54,7 +57,9 @@ enum BearerTokenFormat {
// Next ID: 73.
message Route {
message StringList { repeated string values = 1; }
message StringList {
repeated string values = 1;
}
string name = 1;
string description = 67;
@ -75,8 +80,7 @@ message Route {
repeated string allowed_users = 4 [deprecated = true];
// repeated string allowed_groups = 5 [ deprecated = true ];
repeated string allowed_domains = 6 [deprecated = true];
map<string, google.protobuf.ListValue> allowed_idp_claims = 32
[ deprecated = true ];
map<string, google.protobuf.ListValue> allowed_idp_claims = 32 [deprecated = true];
string prefix = 7;
string path = 8;
@ -147,9 +151,41 @@ message Route {
optional MCP mcp = 72;
}
message MCP {}
message MCP {
optional UpstreamOAuth2 upstream_oauth2 = 1;
}
message PPLPolicy { bytes raw = 1; }
message UpstreamOAuth2 {
string client_id = 1;
string client_secret = 2;
OAuth2Endpoint oauth2_endpoint = 3;
repeated string scopes = 4;
}
message OAuth2Endpoint {
string auth_url = 1;
string token_url = 2;
// if unset, auto-detect which authentication
// style the provider wants by trying both ways and caching
// the successful way for the future.
optional OAuth2AuthStyle auth_style = 3;
}
enum OAuth2AuthStyle {
OAUTH2_AUTH_STYLE_UNSPECIFIED = 0;
// OAUTH2_AUTH_STYLE_IN_PARAMS sends the "client_id" and "client_secret"
// in the POST body as application/x-www-form-urlencoded parameters.
OAUTH2_AUTH_STYLE_IN_PARAMS = 1;
// OAUTH2_AUTH_STYLE_IN_HEADER sends the client_id and client_password
// using HTTP Basic Authorization. This is an optional style
// described in the OAuth2 RFC 6749 section 2.3.1.
OAUTH2_AUTH_STYLE_IN_HEADER = 2;
}
message PPLPolicy {
bytes raw = 1;
}
message Policy {
string id = 1;
@ -172,7 +208,9 @@ message Settings {
bytes key_bytes = 4;
string id = 5;
}
message StringList { repeated string values = 1; }
message StringList {
repeated string values = 1;
}
optional string installation_id = 71;
optional string log_level = 3;
@ -275,8 +313,7 @@ message Settings {
optional string envoy_bind_config_source_address = 111;
optional bool envoy_bind_config_freebind = 112;
repeated string programmatic_redirect_domain_whitelist = 68;
optional envoy.extensions.filters.network.http_connection_manager.v3
.HttpConnectionManager.CodecType codec_type = 73;
optional envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.CodecType codec_type = 73;
// optional pomerium.crypt.PublicKeyEncryptionKey audit_key = 72;
optional string primary_color = 85;
optional string secondary_color = 86;