feat: add configs for external auth MCP usage + tool allow/denylist#19794


Merged
dannykopping merged 2 commits intomainfromdk/aibridge-mcp-ext-auth
Sep 16, 2025
6 changes: 6 additions & 0 deletionscli/server.go
Expand Up@@ -2722,6 +2722,12 @@ func parseExternalAuthProvidersFromEnv(prefix string, environ []string) ([]coder
provider.DisplayName = v.Value
case "DISPLAY_ICON":
provider.DisplayIcon = v.Value
case "MCP_URL":
provider.MCPURL = v.Value
case "MCP_TOOL_ALLOW_REGEX":
provider.MCPToolAllowRegex = v.Value
case "MCP_TOOL_DENY_REGEX":
provider.MCPToolDenyRegex = v.Value
}
providers[providerNum] = provider
}
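Review bot: The `MCP_URL` case stores `v.Value` verbatim, and nothing visible on this page checks that it is an absolute URL with an expected scheme; ConvertConfig later copies `entry.MCPURL` into Config unchanged. Because the field sits on an external auth provider, the bridge presumably sends that provider's OAuth token to this endpoint, so a typo or an `http://` value would be a credential exposure rather than a plain misconfiguration. I would validate it at startup next to the regex compilation in ConvertConfig, e.g. `u, err := url.Parse(entry.MCPURL)` followed by a check that `u.Scheme == "https"` and `u.Host != ""` (or at least a logged warning for non-https), returning an error otherwise. The enclosing switch in parseExternalAuthProvidersFromEnv starts outside the hunk.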
9 changes: 9 additions & 0 deletionscoderd/apidoc/docs.go

Some generated files are not rendered by default. Learn more abouthow customized files appear on GitHub.

9 changes: 9 additions & 0 deletionscoderd/apidoc/swagger.json

Some generated files are not rendered by default. Learn more abouthow customized files appear on GitHub.

31 changes: 31 additions & 0 deletionscoderd/externalauth/externalauth.go
Expand Up@@ -81,6 +81,19 @@ type Config struct {
// AppInstallationsURL is an API endpoint that returns a list of
// installations for the user. This is used for GitHub Apps.
AppInstallationsURL string
// MCPURL is the endpoint that clients must use to communicate with the associated
// MCP server.
MCPURL string
// MCPToolAllowRegex is a [regexp.Regexp] to match tools which are explicitly allowed to be
// injected into Coder AI Bridge upstream requests.
// In the case of conflicts, [MCPToolDenylistPattern] overrides items evaluated by this list.
// This field can be nil if unspecified in the config.
MCPToolAllowRegex *regexp.Regexp
// MCPToolDenyRegex is a [regexp.Regexp] to match tools which are explicitly NOT allowed to be
// injected into Coder AI Bridge upstream requests.
// In the case of conflicts, items evaluated by this list override [MCPToolAllowRegex].
// This field can be nil if unspecified in the config.
MCPToolDenyRegex *regexp.Regexp
}

// GenerateTokenExtra generates the extra token data to store in the database.
Expand DownExpand Up@@ -608,6 +621,21 @@ func ConvertConfig(instrument *promoauth.Factory, entries []codersdk.ExternalAut
instrumented = instrument.NewGithub(entry.ID, oauthConfig)
}

var mcpToolAllow *regexp.Regexp
var mcpToolDeny *regexp.Regexp
if entry.MCPToolAllowRegex != "" {
mcpToolAllow, err = regexp.Compile(entry.MCPToolAllowRegex)
if err != nil {
return nil, xerrors.Errorf("compile MCP tool allow regex for external auth provider %q: %w", entry.ID, entry.MCPToolAllowRegex)
}
}
if entry.MCPToolDenyRegex != "" {
mcpToolDeny, err = regexp.Compile(entry.MCPToolDenyRegex)
if err != nil {
return nil, xerrors.Errorf("compile MCP tool deny regex for external auth provider %q: %w", entry.ID, entry.MCPToolDenyRegex)
}
}

cfg := &Config{
InstrumentedOAuth2Config: instrumented,
ID: entry.ID,
Expand All@@ -620,6 +648,9 @@ func ConvertConfig(instrument *promoauth.Factory, entries []codersdk.ExternalAut
DisplayName: entry.DisplayName,
DisplayIcon: entry.DisplayIcon,
ExtraTokenKeys: entry.ExtraTokenKeys,
MCPURL: entry.MCPURL,
MCPToolAllowRegex: mcpToolAllow,
MCPToolDenyRegex: mcpToolDeny,
}

if entry.DeviceFlow {
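Review bot: Both new `xerrors.Errorf` calls in ConvertConfig pass the pattern string as the `%w` operand instead of the compile error, so `err` from `regexp.Compile` is dropped: the message cannot say why the pattern was rejected and there is nothing for callers to unwrap. I would write `return nil, xerrors.Errorf("compile MCP tool allow regex %q for external auth provider %q: %w", entry.MCPToolAllowRegex, entry.ID, err)` and the same shape for the deny branch. Separately, the Config doc comment refers to `[MCPToolDenylistPattern]`, which is not a field of the struct as shown; it should read `[MCPToolDenyRegex]`. The comments also leave open what a nil allow regex means (everything allowed or nothing allowed), which is worth one sentence because it decides whether an unset config fails open. Config and ConvertConfig both continue outside the hunks shown.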
3 changes: 3 additions & 0 deletionscodersdk/deployment.go
Expand Up@@ -742,6 +742,9 @@ type ExternalAuthConfig struct {
ExtraTokenKeys []string `json:"-" yaml:"extra_token_keys"`
DeviceFlow bool `json:"device_flow" yaml:"device_flow"`
DeviceCodeURL string `json:"device_code_url" yaml:"device_code_url"`
MCPURL string `json:"mcp_url" yaml:"mcp_url"`
MCPToolAllowRegex string `json:"mcp_tool_allow_regex" yaml:"mcp_tool_allow_regex"`
MCPToolDenyRegex string `json:"mcp_tool_deny_regex" yaml:"mcp_tool_deny_regex"`
// Regex allows API requesters to match an auth config by
// a string (e.g. coder.com) instead of by it's type.
//
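Review bot: The three new fields on ExternalAuthConfig have no comment, although this struct is the operator-facing YAML/JSON schema and the semantics are only described on the internal Config type. I would add above them `// MCPToolAllowRegex and MCPToolDenyRegex are Go regexp patterns; empty means unset, and a deny match takes precedence over an allow match.` It is also worth stating whether matching is anchored: if the consumer uses an unanchored match (not visible here), an allow pattern written like the test data's `create_gist` would match any tool name containing that substring, so operators would need `^…$` for exact names. The struct definition starts and ends outside the hunk.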
3 changes: 3 additions & 0 deletionscodersdk/deployment_test.go
Expand Up@@ -399,6 +399,9 @@ func TestExternalAuthYAMLConfig(t *testing.T) {
Regex: "^https://example.com/.*$",
DisplayName: "GitHub",
DisplayIcon: "/static/icons/github.svg",
MCPURL: "https://api.githubcopilot.com/mcp/",
MCPToolAllowRegex: ".*",
MCPToolDenyRegex: "create_gist",
}

// Input the github section twice for testing a slice of configs.
3 changes: 3 additions & 0 deletionscodersdk/testdata/githubcfg.yaml
Expand Up@@ -17,6 +17,9 @@ externalAuthProviders:
- token
device_flow: true
device_code_url: https://example.com/device
mcp_url: https://api.githubcopilot.com/mcp/
mcp_tool_allow_regex: .*
mcp_tool_deny_regex: create_gist
regex: ^https://example.com/.*$
display_name: GitHub
display_icon: /static/icons/github.svg
3 changes: 3 additions & 0 deletionsdocs/reference/api/general.md

Some generated files are not rendered by default. Learn more abouthow customized files appear on GitHub.

15 changes: 15 additions & 0 deletionsdocs/reference/api/schemas.md

Some generated files are not rendered by default. Learn more abouthow customized files appear on GitHub.

3 changes: 3 additions & 0 deletionssite/src/api/typesGenerated.ts

Some generated files are not rendered by default. Learn more abouthow customized files appear on GitHub.

Expand Up@@ -23,6 +23,9 @@ const meta: Meta<typeof ExternalAuthSettingsPageView> = {
device_code_url: "",
display_icon: "",
display_name: "GitHub",
mcp_url: "",
mcp_tool_allow_regex: "",
mcp_tool_deny_regex: "",
},
],
},