mc/mcp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Compare commits

base: mc:v0.7.1
Branches Tags
mc:master
mc:v0.7.5 mc:v0.7.4 mc:v0.7.3 mc:v0.7.2 mc:v0.7.1 mc:v0.7.0 mc:v0.6.0 mc:v0.5.0 mc:v0.4.0 mc:v0.3.0 mc:v0.2.0 mc:v0.1.0
..
compare: mc:v0.7.2
Branches Tags
mc:master
mc:v0.7.5 mc:v0.7.4 mc:v0.7.3 mc:v0.7.2 mc:v0.7.1 mc:v0.7.0 mc:v0.6.0 mc:v0.5.0 mc:v0.4.0 mc:v0.3.0 mc:v0.2.0 mc:v0.1.0

1 Commits
v0.7.1 ... v0.7.2

Author SHA1 Message Date
Kyle Isom
86d516acf6 Drop admin requirement from agent interceptor, reject guests 
The agent now accepts any authenticated user or system account, except
those with the guest role. Admin is reserved for MCIAS account management
and policy changes, not routine deploy/stop/start operations.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-28 16:07:17 -07:00
2 changed files with 30 additions and 5 deletions
Expand all files Collapse all files

11
internal/auth/auth.go
View File

@@ -206,7 +206,10 @@ func TokenInfoFromContext(ctx context.Context) *TokenInfo {
}
// AuthInterceptor returns a gRPC unary server interceptor that validates
// bearer tokens and requires the "admin" role.
// bearer tokens. Any authenticated user or system account is accepted,
// except guests which are explicitly rejected. Admin role is not required
// for agent operations — it is reserved for MCIAS account management and
// policy changes.
func AuthInterceptor(validator TokenValidator) grpc.UnaryServerInterceptor {
return func(
ctx context.Context,
@@ -240,9 +243,9 @@ func AuthInterceptor(validator TokenValidator) grpc.UnaryServerInterceptor {
return nil, status.Error(codes.Unauthenticated, "invalid token")
}
if !tokenInfo.HasRole("admin") {
slog.Warn("permission denied", "method", info.FullMethod, "user", tokenInfo.Username)
return nil, status.Error(codes.PermissionDenied, "admin role required")
if tokenInfo.HasRole("guest") {
slog.Warn("guest access denied", "method", info.FullMethod, "user", tokenInfo.Username)
return nil, status.Error(codes.PermissionDenied, "guest access not permitted")
}
slog.Info("rpc", "method", info.FullMethod, "user", tokenInfo.Username, "account_type", tokenInfo.AccountType)

24
internal/auth/auth_test.go
View File

@@ -126,7 +126,7 @@ func TestInterceptorRejectsInvalidToken(t *testing.T) {
}
}
func TestInterceptorRejectsNonAdmin(t *testing.T) {
func TestInterceptorAcceptsRegularUser(t *testing.T) {
server := mockMCIAS(t, func(authHeader string) (any, int) {
return &TokenInfo{
Valid: true,
@@ -142,6 +142,28 @@ func TestInterceptorRejectsNonAdmin(t *testing.T) {
md := metadata.Pairs("authorization", "Bearer user-token")
ctx := metadata.NewIncomingContext(context.Background(), md)
_, err := callInterceptor(ctx, v)
if err != nil {
t.Fatalf("expected regular user to be accepted, got %v", err)
}
}
func TestInterceptorRejectsGuest(t *testing.T) {
server := mockMCIAS(t, func(authHeader string) (any, int) {
return &TokenInfo{
Valid: true,
Username: "visitor",
Roles: []string{"guest"},
AccountType: "human",
}, http.StatusOK
})
defer server.Close()
v := validatorFromServer(t, server)
md := metadata.Pairs("authorization", "Bearer guest-token")
ctx := metadata.NewIncomingContext(context.Background(), md)
_, err := callInterceptor(ctx, v)
if err == nil {
t.Fatal("expected error, got nil")