Skip to content

Instantly share code, notes, and snippets.

@DinoChiesa

DinoChiesa/protected_mcp-authz.rego

Created October 29, 2025 22:56
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save DinoChiesa/2b6b87bcd62b5cc81457d8923365590c to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save DinoChiesa/2b6b87bcd62b5cc81457d8923365590c to your computer and use it in GitHub Desktop.
Download ZIP
Protected MCP Authz #rego
Raw
protected_mcp-authz.rego
package protected_mcp.authz
import data.domains_and_roles
import data.roles_and_permissions
import data.users_and_roles
default allowed := {}
allowed := {"allowing_role": role_and_source, "permission": j} if {
domain_roles := [sourcedroles |
some domain
parts := split(input.user, "@")
count(parts) == 2
domain == parts[1]
role := domains_and_roles[domain].roles[_]
sourcedroles := {"role": role, "source": "domain"}
]
some i, j
role_and_source := domain_roles[i]
perms := roles_and_permissions[role_and_source.role]
permission_matches(input, perms[j])
} else := {"allowing_role": role_and_source, "permission": j} if {
user_roles := [mapped |
role := users_and_roles[input.user].roles[_]
mapped := {"role": role, "source": "user"}
]
some i, j
role_and_source := user_roles[i]
perms := roles_and_permissions[role_and_source.role]
permission_matches(input, perms[j])
}
permission_matches(input1, permission) if {
input1.method == permission.method
check_tool(input1, permission)
}
check_tool(input2, permission) if {
permission.method != "tools/call"
input2.method == permission.method
not has_key(permission, "tool")
}
check_tool(input2, permission) if {
permission.method == "tools/call"
input2.method == permission.method
input2.tool == permission.tool
}
has_key(obj, key) if {
_ := obj[key]
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment