Initial PR to make the toolsets agnostic of the usd MCP implementation (migration to go-sdk).
The decoupling will also be needed to move the different toolsets to separate nested packages (toolsets).
Signed-off-by: Marc Nuri <marc@marcnuri.com>
Add 'previous' parameter to pods_log tool to retrieve logs from terminated containers, equivalent to kubectl logs --previous functionality.
This enables debugging of containers that have restarted due to crashes or updates.
Signed-off-by: Samuel Masuy <samuel.masuy@goto.com>
Co-authored-by: opencode <noreply@opencode.ai>
As a prior step to providing support for toolsets
this change repurposes the current work in profiles
which partially aligns with the toolsets expected features
Signed-off-by: Marc Nuri <marc@marcnuri.com>
Adds DisableDynamicClientRegistration and OAuthScopes to be able to override
the values proxied from the configured authorization server.
DisableDynamicClientRegistration removes the registration_endpoint field from
the well-known authorization resource metadata.
This forces VSCode to show a for to input the Client ID and Client Secret since
these can't be discovered.
The OAuthScopes allows to override the scopes_supported field.
VSCode automatically makes an auth request for all of the
supported scopes.
In many cases, this is not supported by the auth server.
By providing this configuration, the user (MCP Server administrator)
is able to set which scopes are effectively supported and
force VSCode to only request these.
Signed-off-by: Marc Nuri <marc@marcnuri.com>
It's unclear how the scopes are going to be populated in the JWT.
Disable scope authorization for the time being.
Signed-off-by: Marc Nuri <marc@marcnuri.com>
test(http): bootstrap tests for HTTP server
Contains tests for the main endpoints (proxied and handled)
- /sse
- /message
- /mcp
- /healthz
- /.well-known/oauth-protected-resource
Verifies graceful shutdown works as expected
Signed-off-by: Marc Nuri <marc@marcnuri.com>
---
fix: empty config for CI
Signed-off-by: Marc Nuri <marc@marcnuri.com>
Pass correct audience
---
Validate server and authorization url via url.Parse
---
Import go-oidc/v3
---
Wire initialized oidc provider if authorization url is set
---
Wire oidc issuer validation
Introduce require-oauth flag
When this flag is enabled, authorization middleware will be turned on.
When this flag is enabled, Derived which is generated based on the client
token will not be used.
---
Wire Authorization middleware to http mux
This commit adds authorization middleware. Additionally, this commit
rejects the requests if the bearer token is absent in Authorization
header of the request.
---
Add offline token validation for expiration and audience
Per Model Context Protocol specification, MCP Servers must check the
audience field of the token to ensure that they are generated specifically
for them.
This commits parses the JWT token and asserts that audience is correct
and token is not expired.
---
Add online token verification via TokenReview request to API Server
This commit sends online token verification by sending request to
TokenReview endpoint of API Server with the token and expected audience.
If API Server returns the status as authenticated, that means this token
can be used to generate a new ad hoc token for MCP Server.
If API Server returns the status as not authenticated, that means this token
is invalid and MCP Server returns 401 to force the client to initiate OAuth flow.
---
Serve oauth protected resource metadata endpoint
---
Introduce server-url to be represented in protected resource metadata
---
Add error return type in Derived function
---
Return error if error occurs in Derived, when require-oauth
---
Add test cases for authorization-url and server-url
---
Wire server-url to audience, if it is set
---
Remove redundant ssebaseurl parameter from http
Introduce allow/deny tool functionality in toml config
---
Remove duplicate fields that already defined in staticConfig
---
Add unit tests to verify tool valid check
---
Wire staticConfig to fix unit tests
---
Rename to enabled/disabled instead of allowed/denied
feat(config): deny resources by using RESTMapper as an interceptor
This approach ensures that resources in the deny list are **always**
processed regardless of the implementation.
The RESTMapper takes care of verifying that the requested Group Version Kind
complies with the deny list while checking for the REST endpoint.
---
feat(config): provide a limited clientset which check access
---
review: addressed PR comments
---
feat(config): provide a limited metrics clientset to check access
---
review: addressed PR comments regarding pods_exec
