Movatterモバイル変換

Skip to content

coder/coderPublic

NotificationsYou must be signed in to change notification settings
Fork1k
Star11.1k

Commit348a2e0

dannykopping

authored

feat: add configs for external auth MCP usage + tool allow/denylist (#19794)

Closescoder/internal#988The logic for allowing/denying tools can be found inhttps://github.com/coder/aibridge/pull/4/files#diff-330a6371a583dd8cadeed79b95499e3a87960ad8ea4d6a94061e8f88a44834c3 (`ProxyBase.filterAllowedTools`).

1 parent655a36c commit348a2e0Copy full SHA for 348a2e0

File tree

11 files changed

+88

-0

lines changed

cli
- server.go
coderd
- apidoc
  - docs.go
  - swagger.json
- externalauth
  - externalauth.go
codersdk
- deployment.go
- deployment_test.go
- testdata
  - githubcfg.yaml
docs/reference/api
- general.md
- schemas.md
site/src
- api
  - typesGenerated.ts
- pages/DeploymentSettingsPage/ExternalAuthSettingsPage
  - ExternalAuthSettingsPageView.stories.tsx

11 files changed

+88

-0

lines changed

`‎cli/server.go‎`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -2722,6 +2722,12 @@ func parseExternalAuthProvidersFromEnv(prefix string, environ []string) ([]coder`
`2722`	`2722`	`provider.DisplayName=v.Value`
`2723`	`2723`	`case"DISPLAY_ICON":`
`2724`	`2724`	`provider.DisplayIcon=v.Value`
	`2725`	`+case"MCP_URL":`
	`2726`	`+provider.MCPURL=v.Value`
	`2727`	`+case"MCP_TOOL_ALLOW_REGEX":`
	`2728`	`+provider.MCPToolAllowRegex=v.Value`
	`2729`	`+case"MCP_TOOL_DENY_REGEX":`
	`2730`	`+provider.MCPToolDenyRegex=v.Value`
`2725`	`2731`	`}`
`2726`	`2732`	`providers[providerNum]=provider`
`2727`	`2733`	`}`

`‎coderd/apidoc/docs.go‎`

Lines changed: 9 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/apidoc/swagger.json‎`

Lines changed: 9 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/externalauth/externalauth.go‎`

Lines changed: 31 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -81,6 +81,19 @@ type Config struct {`
`81`	`81`	`// AppInstallationsURL is an API endpoint that returns a list of`
`82`	`82`	`// installations for the user. This is used for GitHub Apps.`
`83`	`83`	`AppInstallationsURLstring`
	`84`	`+// MCPURL is the endpoint that clients must use to communicate with the associated`
	`85`	`+// MCP server.`
	`86`	`+MCPURLstring`
	`87`	`+// MCPToolAllowRegex is a [regexp.Regexp] to match tools which are explicitly allowed to be`
	`88`	`+// injected into Coder AI Bridge upstream requests.`
	`89`	`+// In the case of conflicts, [MCPToolDenylistPattern] overrides items evaluated by this list.`
	`90`	`+// This field can be nil if unspecified in the config.`
	`91`	`+MCPToolAllowRegex*regexp.Regexp`
	`92`	`+// MCPToolDenyRegex is a [regexp.Regexp] to match tools which are explicitly NOT allowed to be`
	`93`	`+// injected into Coder AI Bridge upstream requests.`
	`94`	`+// In the case of conflicts, items evaluated by this list override [MCPToolAllowRegex].`
	`95`	`+// This field can be nil if unspecified in the config.`
	`96`	`+MCPToolDenyRegex*regexp.Regexp`
`84`	`97`	`}`
`85`	`98`
`86`	`99`	`// GenerateTokenExtra generates the extra token data to store in the database.`
`@@ -608,6 +621,21 @@ func ConvertConfig(instrument *promoauth.Factory, entries []codersdk.ExternalAut`
`608`	`621`	`instrumented=instrument.NewGithub(entry.ID,oauthConfig)`
`609`	`622`	`}`
`610`	`623`
	`624`	`+varmcpToolAllow*regexp.Regexp`
	`625`	`+varmcpToolDeny*regexp.Regexp`
	`626`	`+ifentry.MCPToolAllowRegex!="" {`
	`627`	`+mcpToolAllow,err=regexp.Compile(entry.MCPToolAllowRegex)`
	`628`	`+iferr!=nil {`
	`629`	`+returnnil,xerrors.Errorf("compile MCP tool allow regex for external auth provider %q: %w",entry.ID,entry.MCPToolAllowRegex)`
	`630`	`+}`
	`631`	`+}`
	`632`	`+ifentry.MCPToolDenyRegex!="" {`
	`633`	`+mcpToolDeny,err=regexp.Compile(entry.MCPToolDenyRegex)`
	`634`	`+iferr!=nil {`
	`635`	`+returnnil,xerrors.Errorf("compile MCP tool deny regex for external auth provider %q: %w",entry.ID,entry.MCPToolDenyRegex)`
	`636`	`+}`
	`637`	`+}`
	`638`	`+`
`611`	`639`	`cfg:=&Config{`
`612`	`640`	`InstrumentedOAuth2Config:instrumented,`
`613`	`641`	`ID:entry.ID,`
`@@ -620,6 +648,9 @@ func ConvertConfig(instrument *promoauth.Factory, entries []codersdk.ExternalAut`
`620`	`648`	`DisplayName:entry.DisplayName,`
`621`	`649`	`DisplayIcon:entry.DisplayIcon,`
`622`	`650`	`ExtraTokenKeys:entry.ExtraTokenKeys,`
	`651`	`+MCPURL:entry.MCPURL,`
	`652`	`+MCPToolAllowRegex:mcpToolAllow,`
	`653`	`+MCPToolDenyRegex:mcpToolDeny,`
`623`	`654`	`}`
`624`	`655`
`625`	`656`	`ifentry.DeviceFlow {`

`‎codersdk/deployment.go‎`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -742,6 +742,9 @@ type ExternalAuthConfig struct {`
`742`	`742`	ExtraTokenKeys []string`json:"-" yaml:"extra_token_keys"`
`743`	`743`	DeviceFlowbool`json:"device_flow" yaml:"device_flow"`
`744`	`744`	DeviceCodeURLstring`json:"device_code_url" yaml:"device_code_url"`
	`745`	+MCPURLstring`json:"mcp_url" yaml:"mcp_url"`
	`746`	+MCPToolAllowRegexstring`json:"mcp_tool_allow_regex" yaml:"mcp_tool_allow_regex"`
	`747`	+MCPToolDenyRegexstring`json:"mcp_tool_deny_regex" yaml:"mcp_tool_deny_regex"`
`745`	`748`	`// Regex allows API requesters to match an auth config by`
`746`	`749`	`// a string (e.g. coder.com) instead of by it's type.`
`747`	`750`	`//`

`‎codersdk/deployment_test.go‎`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -399,6 +399,9 @@ func TestExternalAuthYAMLConfig(t *testing.T) {`
`399`	`399`	`Regex:"^https://example.com/.*$",`
`400`	`400`	`DisplayName:"GitHub",`
`401`	`401`	`DisplayIcon:"/static/icons/github.svg",`
	`402`	`+MCPURL:"https://api.githubcopilot.com/mcp/",`
	`403`	`+MCPToolAllowRegex:".*",`
	`404`	`+MCPToolDenyRegex:"create_gist",`
`402`	`405`	`}`
`403`	`406`
`404`	`407`	`// Input the github section twice for testing a slice of configs.`

`‎codersdk/testdata/githubcfg.yaml‎`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,9 @@ externalAuthProviders:`
`17`	`17`	`-token`
`18`	`18`	`device_flow:true`
`19`	`19`	`device_code_url:https://example.com/device`
	`20`	`+mcp_url:https://api.githubcopilot.com/mcp/`
	`21`	`+mcp_tool_allow_regex:.*`
	`22`	`+mcp_tool_deny_regex:create_gist`
`20`	`23`	`regex:^https://example.com/.*$`
`21`	`24`	`display_name:GitHub`
`22`	`25`	`display_icon:/static/icons/github.svg`

`‎docs/reference/api/general.md‎`

Lines changed: 3 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎docs/reference/api/schemas.md‎`

Lines changed: 15 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎site/src/api/typesGenerated.ts‎`

Lines changed: 3 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

0 commit comments

Comments

(0)

[8]ページ先頭

©2009-2025 Movatter.jp