[#3109] Implement authorization abstraction

This patch implements an 'authorizer' abstraction under pkg/authz, and then moves
the Cedar implementation as the first/canonical form under pkg/authz/authorizers/cedar.

The configuration schema remains untouched, though the mechanism for loading configuration
has been reworked to avoid violating the authorizer abstraction with Cedar-isms.

This fixes #3109

Signed-off-by: Greg Haskins <greg@manetu.com>

Author: ghaskins

Taskfile.yml

@@ -86,7 +86,7 @@ tasks:
         platforms: [linux, darwin]
       # we have to use ldflags to avoid the LC_DYSYMTAB linker error.
       # https://github.com/stacklok/toolhive/issues/1687
-      - go test -ldflags=-extldflags=-Wl,-w -json -race -coverprofile=coverage/coverage.out $(go list ./... | grep -v '/test/e2e' | grep -v '/cmd/thv-operator/test-integration') | gotestfmt -hide "all"
+      - go test -ldflags=-extldflags=-Wl,-w -json -race -coverpkg=./... -coverprofile=coverage/coverage.out $(go list ./... | grep -v '/test/e2e' | grep -v '/cmd/thv-operator/test-integration') | gotestfmt -hide "all"
       - go tool cover -func=coverage/coverage.out
       - echo "Generating HTML coverage report in coverage/coverage.html"
       - go tool cover -html=coverage/coverage.out -o coverage/coverage.html

cmd/thv-operator/controllers/mcpremoteproxy_runconfig_test.go

@@ -30,6 +30,7 @@ import (
 
 	mcpv1alpha1 "github.com/stacklok/toolhive/cmd/thv-operator/api/v1alpha1"
 	"github.com/stacklok/toolhive/pkg/authz"
+	"github.com/stacklok/toolhive/pkg/authz/authorizers/cedar"
 	"github.com/stacklok/toolhive/pkg/runner"
 	transporttypes "github.com/stacklok/toolhive/pkg/transport/types"
 )
@@ -158,10 +159,12 @@ func TestCreateRunConfigFromMCPRemoteProxy(t *testing.T) {
 				t.Helper()
 				assert.Equal(t, "authz-proxy", config.Name)
 				assert.NotNil(t, config.AuthzConfig)
-				assert.Equal(t, authz.ConfigTypeCedarV1, config.AuthzConfig.Type)
-				assert.NotNil(t, config.AuthzConfig.Cedar)
-				assert.Len(t, config.AuthzConfig.Cedar.Policies, 2)
-				assert.Contains(t, config.AuthzConfig.Cedar.Policies[0], "tools/list")
+				assert.Equal(t, authz.ConfigType(cedar.ConfigType), config.AuthzConfig.Type)
+
+				cedarCfg, err := cedar.ExtractConfig(config.AuthzConfig)
+				require.NoError(t, err)
+				assert.Len(t, cedarCfg.Options.Policies, 2)
+				assert.Contains(t, cedarCfg.Options.Policies[0], "tools/list")
 			},
 		},
 		{

cmd/thv-operator/controllers/mcpserver_runconfig_test.go

@@ -19,6 +19,7 @@ import (
 	ctrlutil "github.com/stacklok/toolhive/cmd/thv-operator/pkg/controllerutil"
 	"github.com/stacklok/toolhive/cmd/thv-operator/pkg/runconfig/configmap/checksum"
 	"github.com/stacklok/toolhive/pkg/authz"
+	"github.com/stacklok/toolhive/pkg/authz/authorizers/cedar"
 	"github.com/stacklok/toolhive/pkg/container/kubernetes"
 	"github.com/stacklok/toolhive/pkg/runner"
 	transporttypes "github.com/stacklok/toolhive/pkg/transport/types"
@@ -322,14 +323,15 @@ func TestCreateRunConfigFromMCPServer(t *testing.T) {
 				// Verify authorization config is set
 				assert.NotNil(t, config.AuthzConfig)
 				assert.Equal(t, "v1", config.AuthzConfig.Version)
-				assert.Equal(t, authz.ConfigTypeCedarV1, config.AuthzConfig.Type)
-				assert.NotNil(t, config.AuthzConfig.Cedar)
+				assert.Equal(t, authz.ConfigType(cedar.ConfigType), config.AuthzConfig.Type)
 
 				// Check Cedar-specific configuration
-				assert.Len(t, config.AuthzConfig.Cedar.Policies, 2)
-				assert.Contains(t, config.AuthzConfig.Cedar.Policies, `permit(principal, action == Action::"call_tool", resource == Tool::"weather");`)
-				assert.Contains(t, config.AuthzConfig.Cedar.Policies, `permit(principal, action == Action::"get_prompt", resource == Prompt::"greeting");`)
-				assert.Equal(t, `[{"uid": {"type": "User", "id": "user1"}, "attrs": {}}]`, config.AuthzConfig.Cedar.EntitiesJSON)
+				cedarCfg, err := cedar.ExtractConfig(config.AuthzConfig)
+				require.NoError(t, err)
+				assert.Len(t, cedarCfg.Options.Policies, 2)
+				assert.Contains(t, cedarCfg.Options.Policies, `permit(principal, action == Action::"call_tool", resource == Tool::"weather");`)
+				assert.Contains(t, cedarCfg.Options.Policies, `permit(principal, action == Action::"get_prompt", resource == Prompt::"greeting");`)
+				assert.Equal(t, `[{"uid": {"type": "User", "id": "user1"}, "attrs": {}}]`, cedarCfg.Options.EntitiesJSON)
 			},
 		},
 		{
@@ -359,11 +361,13 @@ func TestCreateRunConfigFromMCPServer(t *testing.T) {
 				// For ConfigMap type, with new feature, authorization config is embedded in RunConfig
 				require.NotNil(t, config.AuthzConfig)
 				assert.Equal(t, "v1", config.AuthzConfig.Version)
-				assert.Equal(t, authz.ConfigTypeCedarV1, config.AuthzConfig.Type)
-				require.NotNil(t, config.AuthzConfig.Cedar)
-				assert.Len(t, config.AuthzConfig.Cedar.Policies, 1)
-				assert.Contains(t, config.AuthzConfig.Cedar.Policies[0], "call_tool")
-				assert.Equal(t, "[]", config.AuthzConfig.Cedar.EntitiesJSON)
+				assert.Equal(t, authz.ConfigType(cedar.ConfigType), config.AuthzConfig.Type)
+
+				cedarCfg, err := cedar.ExtractConfig(config.AuthzConfig)
+				require.NoError(t, err)
+				assert.Len(t, cedarCfg.Options.Policies, 1)
+				assert.Contains(t, cedarCfg.Options.Policies[0], "call_tool")
+				assert.Equal(t, "[]", cedarCfg.Options.EntitiesJSON)
 			},
 		},
 		{
@@ -748,14 +752,15 @@ func TestEnsureRunConfigConfigMap(t *testing.T) {
 				// Verify authorization configuration is properly serialized
 				assert.NotNil(t, runConfig.AuthzConfig, "AuthzConfig should be present in runconfig.json")
 				assert.Equal(t, "v1", runConfig.AuthzConfig.Version)
-				assert.Equal(t, authz.ConfigTypeCedarV1, runConfig.AuthzConfig.Type)
-				assert.NotNil(t, runConfig.AuthzConfig.Cedar)
+				assert.Equal(t, authz.ConfigType(cedar.ConfigType), runConfig.AuthzConfig.Type)
 
 				// Check Cedar-specific configuration
-				assert.Len(t, runConfig.AuthzConfig.Cedar.Policies, 2)
-				assert.Contains(t, runConfig.AuthzConfig.Cedar.Policies, `permit(principal, action == Action::"call_tool", resource == Tool::"weather");`)
-				assert.Contains(t, runConfig.AuthzConfig.Cedar.Policies, `permit(principal, action == Action::"get_prompt", resource == Prompt::"greeting");`)
-				assert.Equal(t, `[{"uid": {"type": "User", "id": "user1"}, "attrs": {}}]`, runConfig.AuthzConfig.Cedar.EntitiesJSON)
+				cedarCfg, err := cedar.ExtractConfig(runConfig.AuthzConfig)
+				require.NoError(t, err)
+				assert.Len(t, cedarCfg.Options.Policies, 2)
+				assert.Contains(t, cedarCfg.Options.Policies, `permit(principal, action == Action::"call_tool", resource == Tool::"weather");`)
+				assert.Contains(t, cedarCfg.Options.Policies, `permit(principal, action == Action::"get_prompt", resource == Prompt::"greeting");`)
+				assert.Equal(t, `[{"uid": {"type": "User", "id": "user1"}, "attrs": {}}]`, cedarCfg.Options.EntitiesJSON)
 			},
 		},
 		{
@@ -968,12 +973,14 @@ func TestEnsureRunConfigConfigMap(t *testing.T) {
 
 		require.NotNil(t, runConfig.AuthzConfig)
 		assert.Equal(t, "v1", runConfig.AuthzConfig.Version)
-		assert.Equal(t, authz.ConfigTypeCedarV1, runConfig.AuthzConfig.Type)
-		require.NotNil(t, runConfig.AuthzConfig.Cedar)
-		assert.Len(t, runConfig.AuthzConfig.Cedar.Policies, 2)
-		assert.Contains(t, runConfig.AuthzConfig.Cedar.Policies, `permit(principal, action == Action::"call_tool", resource == Tool::"weather");`)
-		assert.Contains(t, runConfig.AuthzConfig.Cedar.Policies, `permit(principal, action == Action::"get_prompt", resource == Prompt::"greeting");`)
-		assert.Equal(t, `[{"uid": {"type": "User", "id": "user1"}, "attrs": {}}]`, runConfig.AuthzConfig.Cedar.EntitiesJSON)
+		assert.Equal(t, authz.ConfigType(cedar.ConfigType), runConfig.AuthzConfig.Type)
+
+		cedarCfg, err := cedar.ExtractConfig(runConfig.AuthzConfig)
+		require.NoError(t, err)
+		assert.Len(t, cedarCfg.Options.Policies, 2)
+		assert.Contains(t, cedarCfg.Options.Policies, `permit(principal, action == Action::"call_tool", resource == Tool::"weather");`)
+		assert.Contains(t, cedarCfg.Options.Policies, `permit(principal, action == Action::"get_prompt", resource == Prompt::"greeting");`)
+		assert.Equal(t, `[{"uid": {"type": "User", "id": "user1"}, "attrs": {}}]`, cedarCfg.Options.EntitiesJSON)
 	})
 }
 

cmd/thv-operator/pkg/controllerutil/authz.go

@@ -17,6 +17,7 @@ import (
 	mcpv1alpha1 "github.com/stacklok/toolhive/cmd/thv-operator/api/v1alpha1"
 	"github.com/stacklok/toolhive/cmd/thv-operator/pkg/kubernetes/configmaps"
 	"github.com/stacklok/toolhive/pkg/authz"
+	"github.com/stacklok/toolhive/pkg/authz/authorizers/cedar"
 	"github.com/stacklok/toolhive/pkg/runner"
 )
 
@@ -162,6 +163,36 @@ func EnsureAuthzConfigMap(
 	return nil
 }
 
+func addAuthzInlineConfigOptions(
+	authzRef *mcpv1alpha1.AuthzConfigRef,
+	options *[]runner.RunConfigBuilderOption,
+) error {
+	if authzRef.Inline == nil {
+		return fmt.Errorf("inline authz config type specified but inline config is nil")
+	}
+
+	policies := authzRef.Inline.Policies
+	entitiesJSON := authzRef.Inline.EntitiesJSON
+
+	// Create authorization config using the full config structure
+	// This maintains backwards compatibility with the v1.0 schema
+	authzCfg, err := authz.NewConfig(cedar.Config{
+		Version: "v1",
+		Type:    cedar.ConfigType,
+		Options: &cedar.ConfigOptions{
+			Policies:     policies,
+			EntitiesJSON: entitiesJSON,
+		},
+	})
+	if err != nil {
+		return fmt.Errorf("failed to create authz config: %w", err)
+	}
+
+	// Add authorization config to options
+	*options = append(*options, runner.WithAuthzConfig(authzCfg))
+	return nil
+}
+
 // AddAuthzConfigOptions adds authorization configuration options to builder options
 func AddAuthzConfigOptions(
 	ctx context.Context,
@@ -176,26 +207,7 @@ func AddAuthzConfigOptions(
 
 	switch authzRef.Type {
 	case mcpv1alpha1.AuthzConfigTypeInline:
-		if authzRef.Inline == nil {
-			return fmt.Errorf("inline authz config type specified but inline config is nil")
-		}
-
-		policies := authzRef.Inline.Policies
-		entitiesJSON := authzRef.Inline.EntitiesJSON
-
-		// Create authorization config
-		authzCfg := &authz.Config{
-			Version: "v1",
-			Type:    authz.ConfigTypeCedarV1,
-			Cedar: &authz.CedarConfig{
-				Policies:     policies,
-				EntitiesJSON: entitiesJSON,
-			},
-		}
-
-		// Add authorization config to options
-		*options = append(*options, runner.WithAuthzConfig(authzCfg))
-		return nil
+		return addAuthzInlineConfigOptions(authzRef, options)
 
 	case mcpv1alpha1.AuthzConfigTypeConfigMap:
 		// Validate reference

cmd/thv-operator/test-integration/mcp-server/mcpserver_runconfig_integration_test.go

@@ -16,6 +16,7 @@ import (
 	mcpv1alpha1 "github.com/stacklok/toolhive/cmd/thv-operator/api/v1alpha1"
 	"github.com/stacklok/toolhive/cmd/thv-operator/pkg/runconfig/configmap/checksum"
 	"github.com/stacklok/toolhive/pkg/authz"
+	"github.com/stacklok/toolhive/pkg/authz/authorizers/cedar"
 	"github.com/stacklok/toolhive/pkg/runner"
 	transporttypes "github.com/stacklok/toolhive/pkg/transport/types"
 )
@@ -481,12 +482,14 @@ var _ = Describe("RunConfig ConfigMap Integration Tests", func() {
 			// Verify authorization configuration
 			Expect(runConfig.AuthzConfig).NotTo(BeNil())
 			Expect(runConfig.AuthzConfig.Version).To(Equal("v1"))
-			Expect(runConfig.AuthzConfig.Type).To(Equal(authz.ConfigTypeCedarV1))
-			Expect(runConfig.AuthzConfig.Cedar).NotTo(BeNil())
-			Expect(runConfig.AuthzConfig.Cedar.Policies).To(HaveLen(2))
-			Expect(runConfig.AuthzConfig.Cedar.Policies[0]).To(ContainSubstring("call_tool"))
-			Expect(runConfig.AuthzConfig.Cedar.Policies[1]).To(ContainSubstring("get_prompt"))
-			Expect(runConfig.AuthzConfig.Cedar.EntitiesJSON).To(ContainSubstring("user1"))
+			Expect(runConfig.AuthzConfig.Type).To(Equal(authz.ConfigType(cedar.ConfigType)))
+
+			cedarCfg, err := cedar.ExtractConfig(runConfig.AuthzConfig)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(cedarCfg.Options.Policies).To(HaveLen(2))
+			Expect(cedarCfg.Options.Policies[0]).To(ContainSubstring("call_tool"))
+			Expect(cedarCfg.Options.Policies[1]).To(ContainSubstring("get_prompt"))
+			Expect(cedarCfg.Options.EntitiesJSON).To(ContainSubstring("user1"))
 		})
 
 		It("Should handle deterministic ConfigMap generation", func() {
@@ -795,26 +798,27 @@ var _ = Describe("RunConfig ConfigMap Integration Tests", func() {
 			// Verify authorization configuration was embedded from external ConfigMap
 			Expect(runConfig.AuthzConfig).NotTo(BeNil())
 			Expect(runConfig.AuthzConfig.Version).To(Equal("v1"))
-			Expect(runConfig.AuthzConfig.Type).To(Equal(authz.ConfigTypeCedarV1))
+			Expect(runConfig.AuthzConfig.Type).To(Equal(authz.ConfigType(cedar.ConfigType)))
 
 			// Verify Cedar configuration
-			Expect(runConfig.AuthzConfig.Cedar).NotTo(BeNil())
+			cedarCfg, err := cedar.ExtractConfig(runConfig.AuthzConfig)
+			Expect(err).NotTo(HaveOccurred())
 
 			// Check policies are present
-			Expect(runConfig.AuthzConfig.Cedar.Policies).To(HaveLen(3))
-			Expect(runConfig.AuthzConfig.Cedar.Policies[0]).To(ContainSubstring("call_tool"))
-			Expect(runConfig.AuthzConfig.Cedar.Policies[0]).To(ContainSubstring("weather"))
-			Expect(runConfig.AuthzConfig.Cedar.Policies[1]).To(ContainSubstring("get_prompt"))
-			Expect(runConfig.AuthzConfig.Cedar.Policies[1]).To(ContainSubstring("greeting"))
-			Expect(runConfig.AuthzConfig.Cedar.Policies[2]).To(ContainSubstring("forbid"))
-			Expect(runConfig.AuthzConfig.Cedar.Policies[2]).To(ContainSubstring("sensitive_data"))
+			Expect(cedarCfg.Options.Policies).To(HaveLen(3))
+			Expect(cedarCfg.Options.Policies[0]).To(ContainSubstring("call_tool"))
+			Expect(cedarCfg.Options.Policies[0]).To(ContainSubstring("weather"))
+			Expect(cedarCfg.Options.Policies[1]).To(ContainSubstring("get_prompt"))
+			Expect(cedarCfg.Options.Policies[1]).To(ContainSubstring("greeting"))
+			Expect(cedarCfg.Options.Policies[2]).To(ContainSubstring("forbid"))
+			Expect(cedarCfg.Options.Policies[2]).To(ContainSubstring("sensitive_data"))
 
 			// Verify entities are embedded
-			Expect(runConfig.AuthzConfig.Cedar.EntitiesJSON).NotTo(BeEmpty())
+			Expect(cedarCfg.Options.EntitiesJSON).NotTo(BeEmpty())
 
 			// Parse entities to verify they're correctly embedded
 			var entities []interface{}
-			err = json.Unmarshal([]byte(runConfig.AuthzConfig.Cedar.EntitiesJSON), &entities)
+			err = json.Unmarshal([]byte(cedarCfg.Options.EntitiesJSON), &entities)
 			Expect(err).NotTo(HaveOccurred())
 			Expect(entities).To(HaveLen(2))