mirror of
https://github.com/pomerium/pomerium.git
synced 2025-07-05 19:08:03 +02:00
9363457849
## Summary
Adds support for extending authorization log with Model Context Protocol
details.
i.e.
```json
{
"level": "info",
"server-name": "all",
"service": "authorize",
"mcp-method": "tools/call",
"mcp-tool": "describe_table",
"mcp-tool-parameters": { "table_name": "Categories" },
"allow": true,
"allow-why-true": ["email-ok", "mcp-tool-ok"],
"deny": false,
"deny-why-false": [],
"time": "2025-06-24T17:40:41-04:00",
"message": "authorize check"
}
```
## Related issues
Fixes
https://linear.app/pomerium/issue/ENG-2393/mcp-authorize-each-incoming-request-to-an-mcp-route
## User Explanation
<!-- How would you explain this change to the user? If this
change doesn't create any user-facing changes, you can leave
this blank. If filled out, add the `docs` label -->
## Checklist
- [x] reference any related issues
- [x] updated unit tests
- [x] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review
105 lines
4.2 KiB
Go
105 lines
4.2 KiB
Go
package log
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
)
|
|
|
|
// An AuthorizeLogField is a field in the authorize logs.
|
|
type AuthorizeLogField string
|
|
|
|
// known authorize log fields
|
|
const (
|
|
AuthorizeLogFieldCheckRequestID AuthorizeLogField = "check-request-id"
|
|
AuthorizeLogFieldEmail AuthorizeLogField = "email"
|
|
AuthorizeLogFieldEnvoyRouteChecksum AuthorizeLogField = "envoy-route-checksum"
|
|
AuthorizeLogFieldEnvoyRouteID AuthorizeLogField = "envoy-route-id"
|
|
AuthorizeLogFieldHeaders = AuthorizeLogField(headersFieldName)
|
|
AuthorizeLogFieldHost AuthorizeLogField = "host"
|
|
AuthorizeLogFieldIDToken AuthorizeLogField = "id-token"
|
|
AuthorizeLogFieldIDTokenClaims AuthorizeLogField = "id-token-claims"
|
|
AuthorizeLogFieldImpersonateEmail AuthorizeLogField = "impersonate-email"
|
|
AuthorizeLogFieldImpersonateSessionID AuthorizeLogField = "impersonate-session-id"
|
|
AuthorizeLogFieldImpersonateUserID AuthorizeLogField = "impersonate-user-id"
|
|
AuthorizeLogFieldIP AuthorizeLogField = "ip"
|
|
AuthorizeLogFieldMCPMethod AuthorizeLogField = "mcp-method"
|
|
AuthorizeLogFieldMCPTool AuthorizeLogField = "mcp-tool"
|
|
AuthorizeLogFieldMCPToolParameters AuthorizeLogField = "mcp-tool-parameters"
|
|
AuthorizeLogFieldMethod AuthorizeLogField = "method"
|
|
AuthorizeLogFieldPath AuthorizeLogField = "path"
|
|
AuthorizeLogFieldQuery AuthorizeLogField = "query"
|
|
AuthorizeLogFieldRemovedGroupsCount AuthorizeLogField = "removed-groups-count"
|
|
AuthorizeLogFieldRequestID AuthorizeLogField = "request-id"
|
|
AuthorizeLogFieldRouteChecksum AuthorizeLogField = "route-checksum"
|
|
AuthorizeLogFieldRouteID AuthorizeLogField = "route-id"
|
|
AuthorizeLogFieldServiceAccountID AuthorizeLogField = "service-account-id"
|
|
AuthorizeLogFieldSessionID AuthorizeLogField = "session-id"
|
|
AuthorizeLogFieldUser AuthorizeLogField = "user"
|
|
)
|
|
|
|
// DefaultAuthorizeLogFields are the fields to log by default.
|
|
var DefaultAuthorizeLogFields = []AuthorizeLogField{
|
|
AuthorizeLogFieldRequestID,
|
|
AuthorizeLogFieldCheckRequestID,
|
|
AuthorizeLogFieldMethod,
|
|
AuthorizeLogFieldPath,
|
|
AuthorizeLogFieldHost,
|
|
AuthorizeLogFieldIP,
|
|
AuthorizeLogFieldSessionID,
|
|
AuthorizeLogFieldImpersonateSessionID,
|
|
AuthorizeLogFieldImpersonateUserID,
|
|
AuthorizeLogFieldImpersonateEmail,
|
|
AuthorizeLogFieldRemovedGroupsCount,
|
|
AuthorizeLogFieldServiceAccountID,
|
|
AuthorizeLogFieldUser,
|
|
AuthorizeLogFieldEmail,
|
|
AuthorizeLogFieldEnvoyRouteChecksum,
|
|
AuthorizeLogFieldEnvoyRouteID,
|
|
AuthorizeLogFieldRouteChecksum,
|
|
AuthorizeLogFieldRouteID,
|
|
}
|
|
|
|
// ErrUnknownAuthorizeLogField indicates that an authorize log field is unknown.
|
|
var ErrUnknownAuthorizeLogField = errors.New("unknown authorize log field")
|
|
|
|
var authorizeLogFieldLookup = map[AuthorizeLogField]struct{}{
|
|
AuthorizeLogFieldCheckRequestID: {},
|
|
AuthorizeLogFieldEmail: {},
|
|
AuthorizeLogFieldEnvoyRouteChecksum: {},
|
|
AuthorizeLogFieldEnvoyRouteID: {},
|
|
AuthorizeLogFieldHeaders: {},
|
|
AuthorizeLogFieldHost: {},
|
|
AuthorizeLogFieldIDToken: {},
|
|
AuthorizeLogFieldIDTokenClaims: {},
|
|
AuthorizeLogFieldImpersonateEmail: {},
|
|
AuthorizeLogFieldImpersonateSessionID: {},
|
|
AuthorizeLogFieldImpersonateUserID: {},
|
|
AuthorizeLogFieldIP: {},
|
|
AuthorizeLogFieldMCPMethod: {},
|
|
AuthorizeLogFieldMCPTool: {},
|
|
AuthorizeLogFieldMCPToolParameters: {},
|
|
AuthorizeLogFieldMethod: {},
|
|
AuthorizeLogFieldPath: {},
|
|
AuthorizeLogFieldQuery: {},
|
|
AuthorizeLogFieldRemovedGroupsCount: {},
|
|
AuthorizeLogFieldRequestID: {},
|
|
AuthorizeLogFieldRouteChecksum: {},
|
|
AuthorizeLogFieldRouteID: {},
|
|
AuthorizeLogFieldServiceAccountID: {},
|
|
AuthorizeLogFieldSessionID: {},
|
|
AuthorizeLogFieldUser: {},
|
|
}
|
|
|
|
// Validate returns an error if the authorize log field is invalid.
|
|
func (field AuthorizeLogField) Validate() error {
|
|
if _, ok := GetHeaderField(field); ok {
|
|
return nil
|
|
}
|
|
|
|
_, ok := authorizeLogFieldLookup[field]
|
|
if !ok {
|
|
return fmt.Errorf("%w: %s", ErrUnknownAuthorizeLogField, field)
|
|
}
|
|
|
|
return nil
|
|
}
|