@elliotding/ai-agent-mcp 0.1.25 → 0.1.27

package/src/auth/middleware.ts

@@ -1,244 +0,0 @@
-/**
- * Authentication and Permission Middlewares
- * Token authentication and permission checking for HTTP endpoints
- */
-
-import { FastifyRequest, FastifyReply } from 'fastify';
-import { verifyToken, TokenPayload } from './token-validator';
-import { checkPermission } from './permissions';
-import { logger } from '../utils/logger';
-
-/**
- * Extended request with user info
- */
-export interface AuthenticatedRequest extends FastifyRequest {
-  user?: TokenPayload;
-}
-
-/**
- * Token Authentication Middleware
- * Verifies token via external REST API
- */
-export async function tokenAuthMiddleware(
-  request: AuthenticatedRequest,
-  reply: FastifyReply
-): Promise<void> {
-  try {
-    // Extract token from Authorization header
-    const authHeader = request.headers.authorization;
-    if (!authHeader || !authHeader.startsWith('Bearer ')) {
-      logger.warn(
-        { 
-          type: 'auth',
-          operation: 'middleware',
-          ip: request.ip, 
-          url: request.url 
-        },
-        'Missing or invalid Authorization header'
-      );
-      reply.code(401).send({
-        error: 'Unauthorized',
-        message: 'Missing or invalid Authorization header. Expected: Bearer <token>',
-      });
-      return;
-    }
-
-    const token = authHeader.substring(7); // Remove 'Bearer ' prefix
-
-    // Verify token via external API
-    const payload = await verifyToken(token);
-    if (!payload) {
-      logger.warn(
-        { 
-          type: 'auth',
-          operation: 'middleware',
-          ip: request.ip, 
-          url: request.url 
-        },
-        'Token validation failed'
-      );
-      reply.code(401).send({
-        error: 'Unauthorized',
-        message: 'Invalid or expired token',
-      });
-      return;
-    }
-
-    // Attach user info to request
-    request.user = payload;
-
-    logger.debug(
-      { 
-        type: 'auth',
-        operation: 'middleware',
-        userId: payload.userId,
-        email: payload.email,
-        groups: payload.groups
-      },
-      `Token authentication successful for user ${payload.userId}`
-    );
-  } catch (error) {
-    logger.error({ 
-      type: 'auth',
-      operation: 'middleware',
-      error: error instanceof Error ? error.message : 'Unknown error' 
-    }, 'Token authentication error');
-    reply.code(500).send({
-      error: 'Internal Server Error',
-      message: 'Authentication failed',
-    });
-  }
-}
-
-/**
- * Token Authentication Middleware with Legacy Bearer Token Support
- * Supports both token validation via API and legacy bearer tokens
- */
-export async function tokenAuthOrLegacyMiddleware(
-  request: AuthenticatedRequest,
-  reply: FastifyReply
-): Promise<void> {
-  try {
-    const authHeader = request.headers.authorization;
-    if (!authHeader || !authHeader.startsWith('Bearer ')) {
-      logger.warn(
-        { 
-          type: 'auth',
-          operation: 'middleware_legacy',
-          ip: request.ip, 
-          url: request.url 
-        },
-        'Missing or invalid Authorization header'
-      );
-      reply.code(401).send({
-        error: 'Unauthorized',
-        message: 'Missing or invalid Authorization header',
-      });
-      return;
-    }
-
-    const token = authHeader.substring(7);
-
-    // Try to validate via API first
-    const payload = await verifyToken(token);
-    if (payload) {
-      // API validation successful
-      request.user = payload;
-      logger.debug(
-        { 
-          type: 'auth',
-          operation: 'middleware_legacy',
-          userId: payload.userId,
-          email: payload.email,
-          groups: payload.groups
-        },
-        `Token validated via API for user ${payload.userId}`
-      );
-      return;
-    }
-
-    // Fallback to legacy bearer token (for backward compatibility)
-    logger.debug(
-      { 
-        type: 'auth',
-        operation: 'middleware_legacy',
-        ip: request.ip 
-      },
-      'API validation failed, using legacy bearer token mode'
-    );
-    
-    // In legacy mode, we don't have user info, so continue without setting request.user
-    // The endpoint will handle the legacy token separately
-  } catch (error) {
-    logger.error({ 
-      type: 'auth',
-      operation: 'middleware_legacy',
-      error: error instanceof Error ? error.message : 'Unknown error' 
-    }, 'Token authentication error');
-    reply.code(500).send({
-      error: 'Internal Server Error',
-      message: 'Authentication failed',
-    });
-  }
-}
-
-/**
- * Permission Check Middleware Factory
- * Creates middleware to check permissions for a specific tool
- */
-export function requirePermission(toolName: string) {
-  return async (request: AuthenticatedRequest, reply: FastifyReply): Promise<void> => {
-    try {
-      if (!request.user) {
-        logger.error(
-          { 
-            type: 'auth',
-            operation: 'permission_check',
-            url: request.url 
-          },
-          'Permission check called without authentication'
-        );
-        reply.code(401).send({
-          error: 'Unauthorized',
-          message: 'Authentication required',
-        });
-        return;
-      }
-
-      // Check permission
-      const permissionCheck = checkPermission(toolName, request.user.groups);
-
-      if (!permissionCheck.allowed) {
-        logger.warn(
-          {
-            type: 'auth',
-            operation: 'permission_check',
-            userId: request.user.userId,
-            email: request.user.email,
-            groups: request.user.groups,
-            toolName,
-            reason: permissionCheck.reason,
-          },
-          `Permission denied for user ${request.user.userId} to access tool ${toolName}`
-        );
-        reply.code(403).send({
-          error: 'Forbidden',
-          message: permissionCheck.reason || 'Insufficient permissions',
-        });
-        return;
-      }
-
-      logger.debug(
-        { 
-          type: 'auth',
-          operation: 'permission_check',
-          userId: request.user.userId, 
-          toolName 
-        },
-        `Permission granted for user ${request.user.userId} to access tool ${toolName}`
-      );
-    } catch (error) {
-      logger.error({ 
-        type: 'auth',
-        operation: 'permission_check',
-        toolName, 
-        error: error instanceof Error ? error.message : 'Unknown error' 
-      }, 'Permission check error');
-      reply.code(500).send({
-        error: 'Internal Server Error',
-        message: 'Permission check failed',
-      });
-    }
-  };
-}
-
-/**
- * Permission Check for Tool Call
- * Checks permission when tools/call is invoked
- */
-export function checkToolCallPermission(
-  toolName: string,
-  user: TokenPayload
-): { allowed: boolean; reason?: string } {
-  return checkPermission(toolName, user.groups);
-}

package/src/auth/permissions.ts

@@ -1,323 +0,0 @@
-/**
- * Permission Control System
- * Group-based access control for MCP tools
- * Groups are obtained from CSP API /user/permissions (e.g., "zNet", "Client-Public")
- */
-
-import { logger, logAuthAttempt } from '../utils/logger';
-
-/**
- * Known groups from CSP
- * Users may belong to one or more groups
- */
-export const KnownGroups = {
-  ZNET: 'zNet',                      // zNet team - full access
-  CLIENT_PUBLIC: 'Client-Public',    // Client-Public team - standard access
-  ADMIN: 'admin',                    // Admin group - full access (if exists)
-} as const;
-
-/**
- * Permission level for operations
- */
-export enum PermissionLevel {
-  READ = 'read',
-  WRITE = 'write',
-  ADMIN = 'admin',
-}
-
-/**
- * Tool permission configuration
- */
-export interface ToolPermission {
-  tool: string;
-  allowedGroups: string[];  // Changed from requiredRole to allowedGroups
-  requiredPermission: PermissionLevel;
-}
-
-/**
- * Default permission rules for each tool
- * All authenticated users (with valid groups) can use these tools
- */
-const defaultPermissions: ToolPermission[] = [
-  // sync_resources - available to all authenticated users
-  {
-    tool: 'sync_resources',
-    allowedGroups: ['*'],  // * means all authenticated users
-    requiredPermission: PermissionLevel.WRITE,
-  },
-  // manage_subscription - available to all authenticated users
-  {
-    tool: 'manage_subscription',
-    allowedGroups: ['*'],
-    requiredPermission: PermissionLevel.WRITE,
-  },
-  // search_resources - read-only, all authenticated users
-  {
-    tool: 'search_resources',
-    allowedGroups: ['*'],
-    requiredPermission: PermissionLevel.READ,
-  },
-  // upload_resource - requires write permission
-  {
-    tool: 'upload_resource',
-    allowedGroups: ['*'],
-    requiredPermission: PermissionLevel.WRITE,
-  },
-  // uninstall_resource - requires write permission
-  {
-    tool: 'uninstall_resource',
-    allowedGroups: ['*'],
-    requiredPermission: PermissionLevel.WRITE,
-  },
-  // track_usage - internal telemetry tool, always allowed for all authenticated users
-  {
-    tool: 'track_usage',
-    allowedGroups: ['*'],
-    requiredPermission: PermissionLevel.WRITE,
-  },
-];
-
-/**
- * Custom permission rules (can be overridden via config)
- */
-let permissionRules: Map<string, ToolPermission> = new Map();
-
-/**
- * Initialize permission system
- */
-export function initializePermissions(customRules?: ToolPermission[]): void {
-  // Load default permissions
-  for (const perm of defaultPermissions) {
-    permissionRules.set(perm.tool, perm);
-  }
-
-  // Override with custom rules if provided
-  if (customRules && customRules.length > 0) {
-    logger.info(
-      { count: customRules.length },
-      'Loading custom permission rules'
-    );
-    for (const perm of customRules) {
-      permissionRules.set(perm.tool, perm);
-    }
-  }
-
-  logger.info(
-    { toolCount: permissionRules.size },
-    'Permission system initialized'
-  );
-}
-
-/**
- * Check if a user has permission to access a tool
- * @param toolName - The name of the tool to check
- * @param userGroups - The groups the user belongs to (from CSP API)
- */
-export function checkPermission(
-  toolName: string,
-  userGroups: string[]
-): { allowed: boolean; reason?: string } {
-  const checkStartTime = Date.now();
-  
-  logger.debug({
-    type: 'permission_check',
-    toolName,
-    userGroups,
-    timestamp: new Date().toISOString()
-  }, `Checking permission for tool: ${toolName}`);
-  
-  // Check if tool has permission rules
-  const permission = permissionRules.get(toolName);
-  if (!permission) {
-    // If no permission rule defined, deny by default
-    logger.warn({ 
-      type: 'permission_check',
-      toolName,
-      userGroups,
-      result: 'denied',
-      reason: 'no_rule',
-      timestamp: new Date().toISOString()
-    }, 'No permission rule found for tool, denying access');
-    
-    logAuthAttempt('permission_check', false, {
-      toolName,
-      userGroups,
-      reason: 'no_rule',
-      duration: Date.now() - checkStartTime
-    });
-    
-    return {
-      allowed: false,
-      reason: `Tool '${toolName}' has no permission rule defined`,
-    };
-  }
-
-  // If no groups provided, deny access
-  if (!userGroups || userGroups.length === 0) {
-    logger.warn(
-      { 
-        type: 'permission_check',
-        toolName,
-        result: 'denied',
-        reason: 'no_groups',
-        timestamp: new Date().toISOString()
-      },
-      'Permission denied: user has no groups'
-    );
-    
-    logAuthAttempt('permission_check', false, {
-      toolName,
-      reason: 'no_groups',
-      duration: Date.now() - checkStartTime
-    });
-    
-    return {
-      allowed: false,
-      reason: `User must belong to at least one group to access tools`,
-    };
-  }
-
-  // Admin group bypasses all checks
-  if (userGroups.includes(KnownGroups.ADMIN) || userGroups.includes('admin')) {
-    logger.info(
-      { 
-        type: 'permission_check',
-        toolName,
-        userGroups,
-        result: 'granted',
-        reason: 'admin_bypass',
-        duration: Date.now() - checkStartTime,
-        timestamp: new Date().toISOString()
-      },
-      'Admin group access granted'
-    );
-    
-    logAuthAttempt('permission_check', true, {
-      toolName,
-      userGroups,
-      reason: 'admin',
-      duration: Date.now() - checkStartTime
-    });
-    
-    return { allowed: true };
-  }
-
-  // Check if tool allows all authenticated users
-  if (permission.allowedGroups.includes('*')) {
-    logger.info(
-      { 
-        type: 'permission_check',
-        toolName,
-        userGroups,
-        allowedGroups: permission.allowedGroups,
-        result: 'granted',
-        reason: 'wildcard',
-        duration: Date.now() - checkStartTime,
-        timestamp: new Date().toISOString()
-      },
-      'Permission granted (tool allows all authenticated users)'
-    );
-    
-    logAuthAttempt('permission_check', true, {
-      toolName,
-      userGroups,
-      reason: 'wildcard',
-      duration: Date.now() - checkStartTime
-    });
-    
-    return { allowed: true };
-  }
-
-  // Check if user belongs to any of the allowed groups
-  const hasAllowedGroup = userGroups.some((group) =>
-    permission.allowedGroups.includes(group)
-  );
-
-  if (!hasAllowedGroup) {
-    logger.warn(
-      { 
-        type: 'permission_check',
-        toolName,
-        userGroups,
-        allowedGroups: permission.allowedGroups,
-        result: 'denied',
-        reason: 'group_mismatch',
-        duration: Date.now() - checkStartTime,
-        timestamp: new Date().toISOString()
-      },
-      'Permission denied: user not in allowed groups'
-    );
-    
-    logAuthAttempt('permission_check', false, {
-      toolName,
-      userGroups,
-      allowedGroups: permission.allowedGroups,
-      reason: 'group_mismatch',
-      duration: Date.now() - checkStartTime
-    });
-    
-    return {
-      allowed: false,
-      reason: `Tool '${toolName}' requires membership in one of: ${permission.allowedGroups.join(', ')}`,
-    };
-  }
-
-  logger.info(
-    { 
-      type: 'permission_check',
-      toolName,
-      userGroups,
-      allowedGroups: permission.allowedGroups,
-      result: 'granted',
-      reason: 'group_match',
-      duration: Date.now() - checkStartTime,
-      timestamp: new Date().toISOString()
-    },
-    'Permission granted (user in allowed groups)'
-  );
-  
-  logAuthAttempt('permission_check', true, {
-    toolName,
-    userGroups,
-    matchedGroups: userGroups.filter(g => permission.allowedGroups.includes(g)),
-    duration: Date.now() - checkStartTime
-  });
-  
-  return { allowed: true };
-}
-
-/**
- * Get permission info for a tool
- */
-export function getToolPermission(toolName: string): ToolPermission | undefined {
-  return permissionRules.get(toolName);
-}
-
-/**
- * Get all permission rules
- */
-export function getAllPermissions(): ToolPermission[] {
-  return Array.from(permissionRules.values());
-}
-
-/**
- * Update permission rule for a tool
- */
-export function updatePermission(permission: ToolPermission): void {
-  permissionRules.set(permission.tool, permission);
-  logger.info(
-    { tool: permission.tool, permission },
-    'Permission rule updated'
-  );
-}
-
-/**
- * Remove permission rule for a tool
- */
-export function removePermission(toolName: string): void {
-  permissionRules.delete(toolName);
-  logger.info({ toolName }, 'Permission rule removed');
-}
-
-// Initialize with default permissions
-initializePermissions();