@samik081/mcp-authentik 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +581 -0
- package/dist/core/client.d.ts +48 -0
- package/dist/core/client.js +99 -0
- package/dist/core/config.d.ts +2 -0
- package/dist/core/config.js +47 -0
- package/dist/core/errors.d.ts +2 -0
- package/dist/core/errors.js +50 -0
- package/dist/core/logger.d.ts +6 -0
- package/dist/core/logger.js +17 -0
- package/dist/core/server.d.ts +3 -0
- package/dist/core/server.js +18 -0
- package/dist/core/tools.d.ts +15 -0
- package/dist/core/tools.js +41 -0
- package/dist/index.d.ts +6 -0
- package/dist/index.js +47 -0
- package/dist/tools/admin.d.ts +4 -0
- package/dist/tools/admin.js +128 -0
- package/dist/tools/applications.d.ts +4 -0
- package/dist/tools/applications.js +324 -0
- package/dist/tools/authenticators.d.ts +4 -0
- package/dist/tools/authenticators.js +136 -0
- package/dist/tools/brands.d.ts +4 -0
- package/dist/tools/brands.js +164 -0
- package/dist/tools/crypto.d.ts +4 -0
- package/dist/tools/crypto.js +163 -0
- package/dist/tools/enterprise.d.ts +4 -0
- package/dist/tools/enterprise.js +132 -0
- package/dist/tools/events.d.ts +4 -0
- package/dist/tools/events.js +451 -0
- package/dist/tools/flows.d.ts +4 -0
- package/dist/tools/flows.js +335 -0
- package/dist/tools/groups.d.ts +4 -0
- package/dist/tools/groups.js +161 -0
- package/dist/tools/index.d.ts +4 -0
- package/dist/tools/index.js +59 -0
- package/dist/tools/managed.d.ts +4 -0
- package/dist/tools/managed.js +145 -0
- package/dist/tools/oauth2.d.ts +4 -0
- package/dist/tools/oauth2.js +184 -0
- package/dist/tools/outposts.d.ts +4 -0
- package/dist/tools/outposts.js +320 -0
- package/dist/tools/policies.d.ts +4 -0
- package/dist/tools/policies.js +447 -0
- package/dist/tools/property-mappings.d.ts +4 -0
- package/dist/tools/property-mappings.js +287 -0
- package/dist/tools/providers.d.ts +4 -0
- package/dist/tools/providers.js +275 -0
- package/dist/tools/rac.d.ts +4 -0
- package/dist/tools/rac.js +190 -0
- package/dist/tools/rbac.d.ts +4 -0
- package/dist/tools/rbac.js +283 -0
- package/dist/tools/root.d.ts +4 -0
- package/dist/tools/root.js +14 -0
- package/dist/tools/sources.d.ts +4 -0
- package/dist/tools/sources.js +268 -0
- package/dist/tools/ssf.d.ts +4 -0
- package/dist/tools/ssf.js +47 -0
- package/dist/tools/stages.d.ts +4 -0
- package/dist/tools/stages.js +533 -0
- package/dist/tools/tasks.d.ts +4 -0
- package/dist/tools/tasks.js +67 -0
- package/dist/tools/tenants.d.ts +4 -0
- package/dist/tools/tenants.js +208 -0
- package/dist/tools/tokens.d.ts +4 -0
- package/dist/tools/tokens.js +159 -0
- package/dist/tools/users.d.ts +4 -0
- package/dist/tools/users.js +236 -0
- package/dist/types/index.d.ts +7 -0
- package/dist/types/index.js +1 -0
- package/package.json +55 -0
|
@@ -0,0 +1,190 @@
|
|
|
1
|
+
import { z } from 'zod';
|
|
2
|
+
import { registerTool } from '../core/tools.js';
|
|
3
|
+
export function registerRacTools(server, client, config) {
|
|
4
|
+
// ── RAC Endpoints ──
|
|
5
|
+
// 1. List RAC endpoints
|
|
6
|
+
registerTool(server, config, {
|
|
7
|
+
name: 'authentik_rac_endpoints_list',
|
|
8
|
+
description: 'List RAC (Remote Access Control) endpoints with optional filters.',
|
|
9
|
+
accessTier: 'read-only',
|
|
10
|
+
category: 'rac',
|
|
11
|
+
inputSchema: {
|
|
12
|
+
name: z.string().optional().describe('Filter by endpoint name'),
|
|
13
|
+
provider: z.number().optional().describe('Filter by provider ID'),
|
|
14
|
+
search: z.string().optional().describe('Search across fields'),
|
|
15
|
+
ordering: z.string().optional().describe('Field to order by'),
|
|
16
|
+
page: z.number().optional().describe('Page number'),
|
|
17
|
+
page_size: z.number().optional().describe('Number of results per page'),
|
|
18
|
+
},
|
|
19
|
+
handler: async (args) => {
|
|
20
|
+
const result = await client.racApi.racEndpointsList({
|
|
21
|
+
name: args.name,
|
|
22
|
+
provider: args.provider,
|
|
23
|
+
search: args.search,
|
|
24
|
+
ordering: args.ordering,
|
|
25
|
+
page: args.page,
|
|
26
|
+
pageSize: args.page_size,
|
|
27
|
+
});
|
|
28
|
+
return JSON.stringify(result, null, 2);
|
|
29
|
+
},
|
|
30
|
+
});
|
|
31
|
+
// 2. Get RAC endpoint
|
|
32
|
+
registerTool(server, config, {
|
|
33
|
+
name: 'authentik_rac_endpoints_get',
|
|
34
|
+
description: 'Get a single RAC endpoint by its UUID.',
|
|
35
|
+
accessTier: 'read-only',
|
|
36
|
+
category: 'rac',
|
|
37
|
+
inputSchema: {
|
|
38
|
+
pbm_uuid: z.string().describe('RAC endpoint UUID'),
|
|
39
|
+
},
|
|
40
|
+
handler: async (args) => {
|
|
41
|
+
const result = await client.racApi.racEndpointsRetrieve({
|
|
42
|
+
pbmUuid: args.pbm_uuid,
|
|
43
|
+
});
|
|
44
|
+
return JSON.stringify(result, null, 2);
|
|
45
|
+
},
|
|
46
|
+
});
|
|
47
|
+
// 3. Create RAC endpoint
|
|
48
|
+
registerTool(server, config, {
|
|
49
|
+
name: 'authentik_rac_endpoints_create',
|
|
50
|
+
description: 'Create a new RAC endpoint for remote access.',
|
|
51
|
+
accessTier: 'full',
|
|
52
|
+
category: 'rac',
|
|
53
|
+
inputSchema: {
|
|
54
|
+
name: z.string().describe('Endpoint name (required)'),
|
|
55
|
+
provider: z.number().describe('RAC provider ID (required)'),
|
|
56
|
+
protocol: z.enum(['rdp', 'vnc', 'ssh']).describe('Connection protocol (required)'),
|
|
57
|
+
host: z.string().describe('Target host address (required)'),
|
|
58
|
+
auth_mode: z.enum(['static', 'prompt']).describe('Authentication mode (required)'),
|
|
59
|
+
settings: z.record(z.unknown()).optional().describe('Additional endpoint settings'),
|
|
60
|
+
property_mappings: z.array(z.string()).optional().describe('List of property mapping UUIDs'),
|
|
61
|
+
maximum_connections: z.number().optional().describe('Maximum concurrent connections'),
|
|
62
|
+
},
|
|
63
|
+
handler: async (args) => {
|
|
64
|
+
const result = await client.racApi.racEndpointsCreate({
|
|
65
|
+
endpointRequest: {
|
|
66
|
+
name: args.name,
|
|
67
|
+
provider: args.provider,
|
|
68
|
+
protocol: args.protocol,
|
|
69
|
+
host: args.host,
|
|
70
|
+
authMode: args.auth_mode,
|
|
71
|
+
settings: args.settings,
|
|
72
|
+
propertyMappings: args.property_mappings,
|
|
73
|
+
maximumConnections: args.maximum_connections,
|
|
74
|
+
},
|
|
75
|
+
});
|
|
76
|
+
return JSON.stringify(result, null, 2);
|
|
77
|
+
},
|
|
78
|
+
});
|
|
79
|
+
// 4. Update RAC endpoint
|
|
80
|
+
registerTool(server, config, {
|
|
81
|
+
name: 'authentik_rac_endpoints_update',
|
|
82
|
+
description: 'Update an existing RAC endpoint. Only provided fields are modified (partial update).',
|
|
83
|
+
accessTier: 'full',
|
|
84
|
+
category: 'rac',
|
|
85
|
+
inputSchema: {
|
|
86
|
+
pbm_uuid: z.string().describe('RAC endpoint UUID (required)'),
|
|
87
|
+
name: z.string().optional().describe('New endpoint name'),
|
|
88
|
+
provider: z.number().optional().describe('New RAC provider ID'),
|
|
89
|
+
protocol: z.enum(['rdp', 'vnc', 'ssh']).optional().describe('New connection protocol'),
|
|
90
|
+
host: z.string().optional().describe('New target host address'),
|
|
91
|
+
auth_mode: z.enum(['static', 'prompt']).optional().describe('New authentication mode'),
|
|
92
|
+
settings: z.record(z.unknown()).optional().describe('New endpoint settings'),
|
|
93
|
+
property_mappings: z.array(z.string()).optional().describe('New list of property mapping UUIDs'),
|
|
94
|
+
maximum_connections: z.number().optional().describe('New maximum concurrent connections'),
|
|
95
|
+
},
|
|
96
|
+
handler: async (args) => {
|
|
97
|
+
const result = await client.racApi.racEndpointsPartialUpdate({
|
|
98
|
+
pbmUuid: args.pbm_uuid,
|
|
99
|
+
patchedEndpointRequest: {
|
|
100
|
+
name: args.name,
|
|
101
|
+
provider: args.provider,
|
|
102
|
+
protocol: args.protocol,
|
|
103
|
+
host: args.host,
|
|
104
|
+
authMode: args.auth_mode,
|
|
105
|
+
settings: args.settings,
|
|
106
|
+
propertyMappings: args.property_mappings,
|
|
107
|
+
maximumConnections: args.maximum_connections,
|
|
108
|
+
},
|
|
109
|
+
});
|
|
110
|
+
return JSON.stringify(result, null, 2);
|
|
111
|
+
},
|
|
112
|
+
});
|
|
113
|
+
// 5. Delete RAC endpoint
|
|
114
|
+
registerTool(server, config, {
|
|
115
|
+
name: 'authentik_rac_endpoints_delete',
|
|
116
|
+
description: 'Delete a RAC endpoint by its UUID. This action is irreversible.',
|
|
117
|
+
accessTier: 'full',
|
|
118
|
+
category: 'rac',
|
|
119
|
+
tags: ['destructive'],
|
|
120
|
+
inputSchema: {
|
|
121
|
+
pbm_uuid: z.string().describe('RAC endpoint UUID to delete'),
|
|
122
|
+
},
|
|
123
|
+
handler: async (args) => {
|
|
124
|
+
await client.racApi.racEndpointsDestroy({
|
|
125
|
+
pbmUuid: args.pbm_uuid,
|
|
126
|
+
});
|
|
127
|
+
return `RAC endpoint "${args.pbm_uuid}" deleted successfully.`;
|
|
128
|
+
},
|
|
129
|
+
});
|
|
130
|
+
// ── RAC Connection Tokens (no create — Pitfall 8) ──
|
|
131
|
+
// 6. List RAC connection tokens
|
|
132
|
+
registerTool(server, config, {
|
|
133
|
+
name: 'authentik_rac_connection_tokens_list',
|
|
134
|
+
description: 'List RAC connection tokens with optional filters. Tokens are system-managed (no create).',
|
|
135
|
+
accessTier: 'read-only',
|
|
136
|
+
category: 'rac',
|
|
137
|
+
inputSchema: {
|
|
138
|
+
endpoint: z.string().optional().describe('Filter by endpoint UUID'),
|
|
139
|
+
provider: z.number().optional().describe('Filter by provider ID'),
|
|
140
|
+
search: z.string().optional().describe('Search across fields'),
|
|
141
|
+
ordering: z.string().optional().describe('Field to order by'),
|
|
142
|
+
page: z.number().optional().describe('Page number'),
|
|
143
|
+
page_size: z.number().optional().describe('Number of results per page'),
|
|
144
|
+
},
|
|
145
|
+
handler: async (args) => {
|
|
146
|
+
const result = await client.racApi.racConnectionTokensList({
|
|
147
|
+
endpoint: args.endpoint,
|
|
148
|
+
provider: args.provider,
|
|
149
|
+
search: args.search,
|
|
150
|
+
ordering: args.ordering,
|
|
151
|
+
page: args.page,
|
|
152
|
+
pageSize: args.page_size,
|
|
153
|
+
});
|
|
154
|
+
return JSON.stringify(result, null, 2);
|
|
155
|
+
},
|
|
156
|
+
});
|
|
157
|
+
// 7. Get RAC connection token
|
|
158
|
+
registerTool(server, config, {
|
|
159
|
+
name: 'authentik_rac_connection_tokens_get',
|
|
160
|
+
description: 'Get a single RAC connection token by its UUID.',
|
|
161
|
+
accessTier: 'read-only',
|
|
162
|
+
category: 'rac',
|
|
163
|
+
inputSchema: {
|
|
164
|
+
connection_token_uuid: z.string().describe('Connection token UUID'),
|
|
165
|
+
},
|
|
166
|
+
handler: async (args) => {
|
|
167
|
+
const result = await client.racApi.racConnectionTokensRetrieve({
|
|
168
|
+
connectionTokenUuid: args.connection_token_uuid,
|
|
169
|
+
});
|
|
170
|
+
return JSON.stringify(result, null, 2);
|
|
171
|
+
},
|
|
172
|
+
});
|
|
173
|
+
// 8. Delete RAC connection token
|
|
174
|
+
registerTool(server, config, {
|
|
175
|
+
name: 'authentik_rac_connection_tokens_delete',
|
|
176
|
+
description: 'Delete a RAC connection token by its UUID. This action is irreversible.',
|
|
177
|
+
accessTier: 'full',
|
|
178
|
+
category: 'rac',
|
|
179
|
+
tags: ['destructive'],
|
|
180
|
+
inputSchema: {
|
|
181
|
+
connection_token_uuid: z.string().describe('Connection token UUID to delete'),
|
|
182
|
+
},
|
|
183
|
+
handler: async (args) => {
|
|
184
|
+
await client.racApi.racConnectionTokensDestroy({
|
|
185
|
+
connectionTokenUuid: args.connection_token_uuid,
|
|
186
|
+
});
|
|
187
|
+
return `RAC connection token "${args.connection_token_uuid}" deleted successfully.`;
|
|
188
|
+
},
|
|
189
|
+
});
|
|
190
|
+
}
|
|
@@ -0,0 +1,4 @@
|
|
|
1
|
+
import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
|
|
2
|
+
import type { AuthentikClient } from '../core/client.js';
|
|
3
|
+
import type { AppConfig } from '../types/index.js';
|
|
4
|
+
export declare function registerRbacTools(server: McpServer, client: AuthentikClient, config: AppConfig): void;
|
|
@@ -0,0 +1,283 @@
|
|
|
1
|
+
import { z } from 'zod';
|
|
2
|
+
import { registerTool } from '../core/tools.js';
|
|
3
|
+
export function registerRbacTools(server, client, config) {
|
|
4
|
+
// ── Roles CRUD ─────────────────────────────────────────────────────
|
|
5
|
+
// 1. List roles
|
|
6
|
+
registerTool(server, config, {
|
|
7
|
+
name: 'authentik_rbac_roles_list',
|
|
8
|
+
description: 'List RBAC roles with optional filters.',
|
|
9
|
+
accessTier: 'read-only',
|
|
10
|
+
category: 'rbac',
|
|
11
|
+
inputSchema: {
|
|
12
|
+
group_name: z.string().optional().describe('Filter by group name'),
|
|
13
|
+
search: z.string().optional().describe('Search across role fields'),
|
|
14
|
+
ordering: z.string().optional().describe('Field to order by (prefix with - for descending)'),
|
|
15
|
+
page: z.number().optional().describe('Page number'),
|
|
16
|
+
page_size: z.number().optional().describe('Number of results per page'),
|
|
17
|
+
},
|
|
18
|
+
handler: async (args) => {
|
|
19
|
+
const result = await client.rbacApi.rbacRolesList({
|
|
20
|
+
groupName: args.group_name,
|
|
21
|
+
search: args.search,
|
|
22
|
+
ordering: args.ordering,
|
|
23
|
+
page: args.page,
|
|
24
|
+
pageSize: args.page_size,
|
|
25
|
+
});
|
|
26
|
+
return JSON.stringify(result, null, 2);
|
|
27
|
+
},
|
|
28
|
+
});
|
|
29
|
+
// 2. Get role
|
|
30
|
+
registerTool(server, config, {
|
|
31
|
+
name: 'authentik_rbac_roles_get',
|
|
32
|
+
description: 'Get a single RBAC role by its UUID.',
|
|
33
|
+
accessTier: 'read-only',
|
|
34
|
+
category: 'rbac',
|
|
35
|
+
inputSchema: {
|
|
36
|
+
uuid: z.string().describe('Role UUID'),
|
|
37
|
+
},
|
|
38
|
+
handler: async (args) => {
|
|
39
|
+
const result = await client.rbacApi.rbacRolesRetrieve({
|
|
40
|
+
uuid: args.uuid,
|
|
41
|
+
});
|
|
42
|
+
return JSON.stringify(result, null, 2);
|
|
43
|
+
},
|
|
44
|
+
});
|
|
45
|
+
// 3. Create role
|
|
46
|
+
registerTool(server, config, {
|
|
47
|
+
name: 'authentik_rbac_roles_create',
|
|
48
|
+
description: 'Create a new RBAC role.',
|
|
49
|
+
accessTier: 'full',
|
|
50
|
+
category: 'rbac',
|
|
51
|
+
inputSchema: {
|
|
52
|
+
name: z.string().describe('Role name (required)'),
|
|
53
|
+
},
|
|
54
|
+
handler: async (args) => {
|
|
55
|
+
const result = await client.rbacApi.rbacRolesCreate({
|
|
56
|
+
roleRequest: {
|
|
57
|
+
name: args.name,
|
|
58
|
+
},
|
|
59
|
+
});
|
|
60
|
+
return JSON.stringify(result, null, 2);
|
|
61
|
+
},
|
|
62
|
+
});
|
|
63
|
+
// 4. Update role
|
|
64
|
+
registerTool(server, config, {
|
|
65
|
+
name: 'authentik_rbac_roles_update',
|
|
66
|
+
description: 'Update an existing RBAC role. Only provided fields are modified (partial update).',
|
|
67
|
+
accessTier: 'full',
|
|
68
|
+
category: 'rbac',
|
|
69
|
+
inputSchema: {
|
|
70
|
+
uuid: z.string().describe('Role UUID (required)'),
|
|
71
|
+
name: z.string().optional().describe('New role name'),
|
|
72
|
+
},
|
|
73
|
+
handler: async (args) => {
|
|
74
|
+
const result = await client.rbacApi.rbacRolesPartialUpdate({
|
|
75
|
+
uuid: args.uuid,
|
|
76
|
+
patchedRoleRequest: {
|
|
77
|
+
name: args.name,
|
|
78
|
+
},
|
|
79
|
+
});
|
|
80
|
+
return JSON.stringify(result, null, 2);
|
|
81
|
+
},
|
|
82
|
+
});
|
|
83
|
+
// 5. Delete role
|
|
84
|
+
registerTool(server, config, {
|
|
85
|
+
name: 'authentik_rbac_roles_delete',
|
|
86
|
+
description: 'Delete an RBAC role by its UUID. This action is irreversible.',
|
|
87
|
+
accessTier: 'full',
|
|
88
|
+
category: 'rbac',
|
|
89
|
+
tags: ['destructive'],
|
|
90
|
+
inputSchema: {
|
|
91
|
+
uuid: z.string().describe('Role UUID to delete'),
|
|
92
|
+
},
|
|
93
|
+
handler: async (args) => {
|
|
94
|
+
await client.rbacApi.rbacRolesDestroy({
|
|
95
|
+
uuid: args.uuid,
|
|
96
|
+
});
|
|
97
|
+
return `Role "${args.uuid}" deleted successfully.`;
|
|
98
|
+
},
|
|
99
|
+
});
|
|
100
|
+
// ── Permissions ────────────────────────────────────────────────────
|
|
101
|
+
// 6. List permissions
|
|
102
|
+
registerTool(server, config, {
|
|
103
|
+
name: 'authentik_rbac_permissions_list',
|
|
104
|
+
description: 'List all available permissions, filterable by model and app.',
|
|
105
|
+
accessTier: 'read-only',
|
|
106
|
+
category: 'rbac',
|
|
107
|
+
inputSchema: {
|
|
108
|
+
codename: z.string().optional().describe('Filter by permission codename'),
|
|
109
|
+
content_type_model: z.string().optional().describe('Filter by content type model'),
|
|
110
|
+
content_type_app_label: z.string().optional().describe('Filter by content type app label'),
|
|
111
|
+
role: z.string().optional().describe('Filter by role UUID'),
|
|
112
|
+
user: z.number().optional().describe('Filter by user ID'),
|
|
113
|
+
search: z.string().optional().describe('Search across permission fields'),
|
|
114
|
+
ordering: z.string().optional().describe('Field to order by'),
|
|
115
|
+
page: z.number().optional().describe('Page number'),
|
|
116
|
+
page_size: z.number().optional().describe('Number of results per page'),
|
|
117
|
+
},
|
|
118
|
+
handler: async (args) => {
|
|
119
|
+
const result = await client.rbacApi.rbacPermissionsList({
|
|
120
|
+
codename: args.codename,
|
|
121
|
+
contentTypeModel: args.content_type_model,
|
|
122
|
+
contentTypeAppLabel: args.content_type_app_label,
|
|
123
|
+
role: args.role,
|
|
124
|
+
user: args.user,
|
|
125
|
+
search: args.search,
|
|
126
|
+
ordering: args.ordering,
|
|
127
|
+
page: args.page,
|
|
128
|
+
pageSize: args.page_size,
|
|
129
|
+
});
|
|
130
|
+
return JSON.stringify(result, null, 2);
|
|
131
|
+
},
|
|
132
|
+
});
|
|
133
|
+
// ── Permissions by role ────────────────────────────────────────────
|
|
134
|
+
// 7. List permissions assigned to a role
|
|
135
|
+
registerTool(server, config, {
|
|
136
|
+
name: 'authentik_rbac_permissions_by_role_list',
|
|
137
|
+
description: 'List object permissions assigned to a specific model, filterable by role.',
|
|
138
|
+
accessTier: 'read-only',
|
|
139
|
+
category: 'rbac',
|
|
140
|
+
inputSchema: {
|
|
141
|
+
model: z.string().describe('Model identifier (e.g. "authentik_core.application")'),
|
|
142
|
+
object_pk: z.string().optional().describe('Object primary key to filter permissions for'),
|
|
143
|
+
search: z.string().optional().describe('Search across fields'),
|
|
144
|
+
ordering: z.string().optional().describe('Field to order by'),
|
|
145
|
+
page: z.number().optional().describe('Page number'),
|
|
146
|
+
page_size: z.number().optional().describe('Number of results per page'),
|
|
147
|
+
},
|
|
148
|
+
handler: async (args) => {
|
|
149
|
+
const result = await client.rbacApi.rbacPermissionsAssignedByRolesList({
|
|
150
|
+
model: args.model,
|
|
151
|
+
objectPk: args.object_pk,
|
|
152
|
+
search: args.search,
|
|
153
|
+
ordering: args.ordering,
|
|
154
|
+
page: args.page,
|
|
155
|
+
pageSize: args.page_size,
|
|
156
|
+
});
|
|
157
|
+
return JSON.stringify(result, null, 2);
|
|
158
|
+
},
|
|
159
|
+
});
|
|
160
|
+
// 8. Assign permissions to a role
|
|
161
|
+
registerTool(server, config, {
|
|
162
|
+
name: 'authentik_rbac_permissions_by_role_assign',
|
|
163
|
+
description: 'Assign permission(s) to a role. When object_pk is set, permissions are only assigned to the specific object.',
|
|
164
|
+
accessTier: 'full',
|
|
165
|
+
category: 'rbac',
|
|
166
|
+
inputSchema: {
|
|
167
|
+
uuid: z.string().describe('Role UUID'),
|
|
168
|
+
permissions: z.array(z.string()).describe('Array of permission codenames to assign'),
|
|
169
|
+
model: z.string().optional().describe('Model identifier for scoped permissions'),
|
|
170
|
+
object_pk: z.string().optional().describe('Object primary key for object-level permissions'),
|
|
171
|
+
},
|
|
172
|
+
handler: async (args) => {
|
|
173
|
+
const result = await client.rbacApi.rbacPermissionsAssignedByRolesAssign({
|
|
174
|
+
uuid: args.uuid,
|
|
175
|
+
permissionAssignRequest: {
|
|
176
|
+
permissions: args.permissions,
|
|
177
|
+
model: args.model,
|
|
178
|
+
objectPk: args.object_pk,
|
|
179
|
+
},
|
|
180
|
+
});
|
|
181
|
+
return JSON.stringify(result, null, 2);
|
|
182
|
+
},
|
|
183
|
+
});
|
|
184
|
+
// 9. Unassign permissions from a role
|
|
185
|
+
registerTool(server, config, {
|
|
186
|
+
name: 'authentik_rbac_permissions_by_role_unassign',
|
|
187
|
+
description: 'Unassign permission(s) from a role. When object_pk is set, permissions are only unassigned from the specific object.',
|
|
188
|
+
accessTier: 'full',
|
|
189
|
+
category: 'rbac',
|
|
190
|
+
inputSchema: {
|
|
191
|
+
uuid: z.string().describe('Role UUID'),
|
|
192
|
+
permissions: z.array(z.string()).describe('Array of permission codenames to unassign'),
|
|
193
|
+
model: z.string().optional().describe('Model identifier for scoped permissions'),
|
|
194
|
+
object_pk: z.string().optional().describe('Object primary key for object-level permissions'),
|
|
195
|
+
},
|
|
196
|
+
handler: async (args) => {
|
|
197
|
+
await client.rbacApi.rbacPermissionsAssignedByRolesUnassignPartialUpdate({
|
|
198
|
+
uuid: args.uuid,
|
|
199
|
+
patchedPermissionAssignRequest: {
|
|
200
|
+
permissions: args.permissions,
|
|
201
|
+
model: args.model,
|
|
202
|
+
objectPk: args.object_pk,
|
|
203
|
+
},
|
|
204
|
+
});
|
|
205
|
+
return `Permissions unassigned from role "${args.uuid}" successfully.`;
|
|
206
|
+
},
|
|
207
|
+
});
|
|
208
|
+
// ── Permissions by user ────────────────────────────────────────────
|
|
209
|
+
// 10. List permissions assigned to a user
|
|
210
|
+
registerTool(server, config, {
|
|
211
|
+
name: 'authentik_rbac_permissions_by_user_list',
|
|
212
|
+
description: 'List object permissions assigned to a specific model, filterable by user.',
|
|
213
|
+
accessTier: 'read-only',
|
|
214
|
+
category: 'rbac',
|
|
215
|
+
inputSchema: {
|
|
216
|
+
model: z.string().describe('Model identifier (e.g. "authentik_core.user")'),
|
|
217
|
+
object_pk: z.string().optional().describe('Object primary key to filter permissions for'),
|
|
218
|
+
search: z.string().optional().describe('Search across fields'),
|
|
219
|
+
ordering: z.string().optional().describe('Field to order by'),
|
|
220
|
+
page: z.number().optional().describe('Page number'),
|
|
221
|
+
page_size: z.number().optional().describe('Number of results per page'),
|
|
222
|
+
},
|
|
223
|
+
handler: async (args) => {
|
|
224
|
+
const result = await client.rbacApi.rbacPermissionsAssignedByUsersList({
|
|
225
|
+
model: args.model,
|
|
226
|
+
objectPk: args.object_pk,
|
|
227
|
+
search: args.search,
|
|
228
|
+
ordering: args.ordering,
|
|
229
|
+
page: args.page,
|
|
230
|
+
pageSize: args.page_size,
|
|
231
|
+
});
|
|
232
|
+
return JSON.stringify(result, null, 2);
|
|
233
|
+
},
|
|
234
|
+
});
|
|
235
|
+
// 11. Assign permissions to a user
|
|
236
|
+
registerTool(server, config, {
|
|
237
|
+
name: 'authentik_rbac_permissions_by_user_assign',
|
|
238
|
+
description: 'Assign permission(s) to a user.',
|
|
239
|
+
accessTier: 'full',
|
|
240
|
+
category: 'rbac',
|
|
241
|
+
inputSchema: {
|
|
242
|
+
id: z.number().describe('User ID'),
|
|
243
|
+
permissions: z.array(z.string()).describe('Array of permission codenames to assign'),
|
|
244
|
+
model: z.string().optional().describe('Model identifier for scoped permissions'),
|
|
245
|
+
object_pk: z.string().optional().describe('Object primary key for object-level permissions'),
|
|
246
|
+
},
|
|
247
|
+
handler: async (args) => {
|
|
248
|
+
const result = await client.rbacApi.rbacPermissionsAssignedByUsersAssign({
|
|
249
|
+
id: args.id,
|
|
250
|
+
permissionAssignRequest: {
|
|
251
|
+
permissions: args.permissions,
|
|
252
|
+
model: args.model,
|
|
253
|
+
objectPk: args.object_pk,
|
|
254
|
+
},
|
|
255
|
+
});
|
|
256
|
+
return JSON.stringify(result, null, 2);
|
|
257
|
+
},
|
|
258
|
+
});
|
|
259
|
+
// 12. Unassign permissions from a user
|
|
260
|
+
registerTool(server, config, {
|
|
261
|
+
name: 'authentik_rbac_permissions_by_user_unassign',
|
|
262
|
+
description: 'Unassign permission(s) from a user.',
|
|
263
|
+
accessTier: 'full',
|
|
264
|
+
category: 'rbac',
|
|
265
|
+
inputSchema: {
|
|
266
|
+
id: z.number().describe('User ID'),
|
|
267
|
+
permissions: z.array(z.string()).describe('Array of permission codenames to unassign'),
|
|
268
|
+
model: z.string().optional().describe('Model identifier for scoped permissions'),
|
|
269
|
+
object_pk: z.string().optional().describe('Object primary key for object-level permissions'),
|
|
270
|
+
},
|
|
271
|
+
handler: async (args) => {
|
|
272
|
+
await client.rbacApi.rbacPermissionsAssignedByUsersUnassignPartialUpdate({
|
|
273
|
+
id: args.id,
|
|
274
|
+
patchedPermissionAssignRequest: {
|
|
275
|
+
permissions: args.permissions,
|
|
276
|
+
model: args.model,
|
|
277
|
+
objectPk: args.object_pk,
|
|
278
|
+
},
|
|
279
|
+
});
|
|
280
|
+
return `Permissions unassigned from user ${args.id} successfully.`;
|
|
281
|
+
},
|
|
282
|
+
});
|
|
283
|
+
}
|
|
@@ -0,0 +1,4 @@
|
|
|
1
|
+
import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
|
|
2
|
+
import type { AuthentikClient } from '../core/client.js';
|
|
3
|
+
import type { AppConfig } from '../types/index.js';
|
|
4
|
+
export declare function registerRootTools(server: McpServer, client: AuthentikClient, config: AppConfig): void;
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
import { registerTool } from '../core/tools.js';
|
|
2
|
+
export function registerRootTools(server, client, config) {
|
|
3
|
+
// 1. Get root configuration
|
|
4
|
+
registerTool(server, config, {
|
|
5
|
+
name: 'authentik_root_config',
|
|
6
|
+
description: 'Get root configuration including capabilities, error reporting settings, and UI configuration.',
|
|
7
|
+
accessTier: 'read-only',
|
|
8
|
+
category: 'root',
|
|
9
|
+
handler: async () => {
|
|
10
|
+
const result = await client.rootApi.rootConfigRetrieve();
|
|
11
|
+
return JSON.stringify(result, null, 2);
|
|
12
|
+
},
|
|
13
|
+
});
|
|
14
|
+
}
|
|
@@ -0,0 +1,4 @@
|
|
|
1
|
+
import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
|
|
2
|
+
import type { AuthentikClient } from '../core/client.js';
|
|
3
|
+
import type { AppConfig } from '../types/index.js';
|
|
4
|
+
export declare function registerSourceTools(server: McpServer, client: AuthentikClient, config: AppConfig): void;
|