phoenix-oss/llama-stack-mirror
0
0
Fork 1
mirror of https://github.com/meta-llama/llama-stack.git synced 2025-12-03 09:53:45 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

added a fix

Browse source
This commit is contained in:
Omar Abdelwahab 2025-11-03 16:55:13 -08:00
parent c49fef8087
commit 1143db0f64
6 changed files with 81 additions and 71 deletions
Download patch file Download diff file Expand all files Collapse all files

22
client-sdks/stainless/openapi.yml
View file

@ -7656,7 +7656,7 @@ components:
title: ResponseGuardrailSpec title: ResponseGuardrailSpec
description: >- description: >-
Specification for a guardrail to apply during response generation. Specification for a guardrail to apply during response generation.
MCPAuthentication: MCPAuthorization:
type: object type: object
properties: properties:
type: type:
@ -7666,19 +7666,19 @@ components:
- basic - basic
- api_key - api_key
description: >- description: >-
Authentication type ("bearer", "basic", or "api_key") Authorization type ("bearer", "basic", or "api_key")
token: token:
type: string type: string
description: Bearer token for bearer authentication description: Bearer token for bearer authorization
username: username:
type: string type: string
description: Username for basic authentication description: Username for basic authorization
password: password:
type: string type: string
description: Password for basic authentication description: Password for basic authorization
api_key: api_key:
type: string type: string
description: API key for api_key authentication description: API key for api_key authorization
header_name: header_name:
type: string type: string
default: X-API-Key default: X-API-Key
@ -7688,9 +7688,9 @@ components:
required: required:
- type - type
- header_name - header_name
title: MCPAuthentication title: MCPAuthorization
description: >- description: >-
Authentication configuration for MCP servers. Authorization configuration for MCP servers.
OpenAIResponseInputTool: OpenAIResponseInputTool:
oneOf: oneOf:
- $ref: '#/components/schemas/OpenAIResponseInputToolWebSearch' - $ref: '#/components/schemas/OpenAIResponseInputToolWebSearch'
@ -7730,10 +7730,10 @@ components:
- type: object - type: object
description: >- description: >-
(Optional) HTTP headers to include when connecting to the server (Optional) HTTP headers to include when connecting to the server
authentication: authorization:
$ref: '#/components/schemas/MCPAuthentication' $ref: '#/components/schemas/MCPAuthorization'
description: >- description: >-
(Optional) Authentication configuration for the MCP server (Optional) Authorization configuration for the MCP server
require_approval: require_approval:
oneOf: oneOf:
- type: string - type: string

22
docs/static/deprecated-llama-stack-spec.yaml vendored
View file

@ -7711,7 +7711,7 @@ components:
title: ResponseGuardrailSpec title: ResponseGuardrailSpec
description: >- description: >-
Specification for a guardrail to apply during response generation. Specification for a guardrail to apply during response generation.
MCPAuthentication: MCPAuthorization:
type: object type: object
properties: properties:
type: type:
@ -7721,19 +7721,19 @@ components:
- basic - basic
- api_key - api_key
description: >- description: >-
Authentication type ("bearer", "basic", or "api_key") Authorization type ("bearer", "basic", or "api_key")
token: token:
type: string type: string
description: Bearer token for bearer authentication description: Bearer token for bearer authorization
username: username:
type: string type: string
description: Username for basic authentication description: Username for basic authorization
password: password:
type: string type: string
description: Password for basic authentication description: Password for basic authorization
api_key: api_key:
type: string type: string
description: API key for api_key authentication description: API key for api_key authorization
header_name: header_name:
type: string type: string
default: X-API-Key default: X-API-Key
@ -7743,9 +7743,9 @@ components:
required: required:
- type - type
- header_name - header_name
title: MCPAuthentication title: MCPAuthorization
description: >- description: >-
Authentication configuration for MCP servers. Authorization configuration for MCP servers.
OpenAIResponseInputTool: OpenAIResponseInputTool:
oneOf: oneOf:
- $ref: '#/components/schemas/OpenAIResponseInputToolWebSearch' - $ref: '#/components/schemas/OpenAIResponseInputToolWebSearch'
@ -7785,10 +7785,10 @@ components:
- type: object - type: object
description: >- description: >-
(Optional) HTTP headers to include when connecting to the server (Optional) HTTP headers to include when connecting to the server
authentication: authorization:
$ref: '#/components/schemas/MCPAuthentication' $ref: '#/components/schemas/MCPAuthorization'
description: >- description: >-
(Optional) Authentication configuration for the MCP server (Optional) Authorization configuration for the MCP server
require_approval: require_approval:
oneOf: oneOf:
- type: string - type: string

22
docs/static/llama-stack-spec.yaml vendored
View file

@ -6443,7 +6443,7 @@ components:
title: ResponseGuardrailSpec title: ResponseGuardrailSpec
description: >- description: >-
Specification for a guardrail to apply during response generation. Specification for a guardrail to apply during response generation.
MCPAuthentication: MCPAuthorization:
type: object type: object
properties: properties:
type: type:
@ -6453,19 +6453,19 @@ components:
- basic - basic
- api_key - api_key
description: >- description: >-
Authentication type ("bearer", "basic", or "api_key") Authorization type ("bearer", "basic", or "api_key")
token: token:
type: string type: string
description: Bearer token for bearer authentication description: Bearer token for bearer authorization
username: username:
type: string type: string
description: Username for basic authentication description: Username for basic authorization
password: password:
type: string type: string
description: Password for basic authentication description: Password for basic authorization
api_key: api_key:
type: string type: string
description: API key for api_key authentication description: API key for api_key authorization
header_name: header_name:
type: string type: string
default: X-API-Key default: X-API-Key
@ -6475,9 +6475,9 @@ components:
required: required:
- type - type
- header_name - header_name
title: MCPAuthentication title: MCPAuthorization
description: >- description: >-
Authentication configuration for MCP servers. Authorization configuration for MCP servers.
OpenAIResponseInputTool: OpenAIResponseInputTool:
oneOf: oneOf:
- $ref: '#/components/schemas/OpenAIResponseInputToolWebSearch' - $ref: '#/components/schemas/OpenAIResponseInputToolWebSearch'
@ -6517,10 +6517,10 @@ components:
- type: object - type: object
description: >- description: >-
(Optional) HTTP headers to include when connecting to the server (Optional) HTTP headers to include when connecting to the server
authentication: authorization:
$ref: '#/components/schemas/MCPAuthentication' $ref: '#/components/schemas/MCPAuthorization'
description: >- description: >-
(Optional) Authentication configuration for the MCP server (Optional) Authorization configuration for the MCP server
require_approval: require_approval:
oneOf: oneOf:
- type: string - type: string

22
docs/static/stainless-llama-stack-spec.yaml vendored
View file

@ -7656,7 +7656,7 @@ components:
title: ResponseGuardrailSpec title: ResponseGuardrailSpec
description: >- description: >-
Specification for a guardrail to apply during response generation. Specification for a guardrail to apply during response generation.
MCPAuthentication: MCPAuthorization:
type: object type: object
properties: properties:
type: type:
@ -7666,19 +7666,19 @@ components:
- basic - basic
- api_key - api_key
description: >- description: >-
Authentication type ("bearer", "basic", or "api_key") Authorization type ("bearer", "basic", or "api_key")
token: token:
type: string type: string
description: Bearer token for bearer authentication description: Bearer token for bearer authorization
username: username:
type: string type: string
description: Username for basic authentication description: Username for basic authorization
password: password:
type: string type: string
description: Password for basic authentication description: Password for basic authorization
api_key: api_key:
type: string type: string
description: API key for api_key authentication description: API key for api_key authorization
header_name: header_name:
type: string type: string
default: X-API-Key default: X-API-Key
@ -7688,9 +7688,9 @@ components:
required: required:
- type - type
- header_name - header_name
title: MCPAuthentication title: MCPAuthorization
description: >- description: >-
Authentication configuration for MCP servers. Authorization configuration for MCP servers.
OpenAIResponseInputTool: OpenAIResponseInputTool:
oneOf: oneOf:
- $ref: '#/components/schemas/OpenAIResponseInputToolWebSearch' - $ref: '#/components/schemas/OpenAIResponseInputToolWebSearch'
@ -7730,10 +7730,10 @@ components:
- type: object - type: object
description: >- description: >-
(Optional) HTTP headers to include when connecting to the server (Optional) HTTP headers to include when connecting to the server
authentication: authorization:
$ref: '#/components/schemas/MCPAuthentication' $ref: '#/components/schemas/MCPAuthorization'
description: >- description: >-
(Optional) Authentication configuration for the MCP server (Optional) Authorization configuration for the MCP server
require_approval: require_approval:
oneOf: oneOf:
- type: string - type: string

24
src/llama_stack/apis/agents/openai_responses.py
View file

@ -403,7 +403,11 @@ class OpenAIResponseText(BaseModel):
# Must match type Literals of OpenAIResponseInputToolWebSearch below # Must match type Literals of OpenAIResponseInputToolWebSearch below
WebSearchToolTypes = ["web_search", "web_search_preview", "web_search_preview_2025_03_11"] WebSearchToolTypes = [
"web_search",
"web_search_preview",
"web_search_preview_2025_03_11",
]
@json_schema_type @json_schema_type
@ -480,14 +484,14 @@ class AllowedToolsFilter(BaseModel):
@json_schema_type @json_schema_type
class MCPAuthentication(BaseModel): class MCPAuthorization(BaseModel):
"""Authentication configuration for MCP servers. """Authorization configuration for MCP servers.
:param type: Authentication type ("bearer", "basic", or "api_key") :param type: Authorization type ("bearer", "basic", or "api_key")
:param token: Bearer token for bearer authentication :param token: Bearer token for bearer authorization
:param username: Username for basic authentication :param username: Username for basic authorization
:param password: Password for basic authentication :param password: Password for basic authorization
:param api_key: API key for api_key authentication :param api_key: API key for api_key authorization
:param header_name: Custom header name for API key (default: "X-API-Key") :param header_name: Custom header name for API key (default: "X-API-Key")
""" """
@ -507,7 +511,7 @@ class OpenAIResponseInputToolMCP(BaseModel):
:param server_label: Label to identify this MCP server :param server_label: Label to identify this MCP server
:param server_url: URL endpoint of the MCP server :param server_url: URL endpoint of the MCP server
:param headers: (Optional) HTTP headers to include when connecting to the server :param headers: (Optional) HTTP headers to include when connecting to the server
:param authentication: (Optional) Authentication configuration for the MCP server :param authorization: (Optional) Authorization configuration for the MCP server
:param require_approval: Approval requirement for tool calls ("always", "never", or filter) :param require_approval: Approval requirement for tool calls ("always", "never", or filter)
:param allowed_tools: (Optional) Restriction on which tools can be used from this server :param allowed_tools: (Optional) Restriction on which tools can be used from this server
""" """
@ -516,7 +520,7 @@ class OpenAIResponseInputToolMCP(BaseModel):
server_label: str server_label: str
server_url: str server_url: str
headers: dict[str, Any] | None = None headers: dict[str, Any] | None = None
authentication: MCPAuthentication | None = None authorization: MCPAuthorization | None = None
require_approval: Literal["always"] | Literal["never"] | ApprovalFilter = "never" require_approval: Literal["always"] | Literal["never"] | ApprovalFilter = "never"
allowed_tools: list[str] | AllowedToolsFilter | None = None allowed_tools: list[str] | AllowedToolsFilter | None = None

40
tests/integration/responses/test_mcp_authentication.py
View file

@ -16,12 +16,12 @@ from .helpers import setup_mcp_tools
# Skip these tests in replay mode until recordings are generated # Skip these tests in replay mode until recordings are generated
pytestmark = pytest.mark.skipif( pytestmark = pytest.mark.skipif(
os.environ.get("LLAMA_STACK_TEST_INFERENCE_MODE") == "replay", os.environ.get("LLAMA_STACK_TEST_INFERENCE_MODE") == "replay",
reason="No recordings yet for authentication tests. Run with --inference-mode=record-if-missing to generate.", reason="No recordings yet for authorization tests. Run with --inference-mode=record-if-missing to generate.",
) )
def test_mcp_authentication_bearer(compat_client, text_model_id): def test_mcp_authorization_bearer(compat_client, text_model_id):
"""Test that bearer authentication is correctly applied to MCP requests.""" """Test that bearer authorization is correctly applied to MCP requests."""
if not isinstance(compat_client, LlamaStackAsLibraryClient): if not isinstance(compat_client, LlamaStackAsLibraryClient):
pytest.skip("in-process MCP server is only supported in library client") pytest.skip("in-process MCP server is only supported in library client")
@ -33,7 +33,7 @@ def test_mcp_authentication_bearer(compat_client, text_model_id):
"type": "mcp", "type": "mcp",
"server_label": "auth-mcp", "server_label": "auth-mcp",
"server_url": "<FILLED_BY_TEST_RUNNER>", "server_url": "<FILLED_BY_TEST_RUNNER>",
"authentication": { "authorization": {
"type": "bearer", "type": "bearer",
"token": test_token, "token": test_token,
}, },
@ -42,7 +42,7 @@ def test_mcp_authentication_bearer(compat_client, text_model_id):
mcp_server_info, mcp_server_info,
) )
# Create response - authentication should be applied # Create response - authorization should be applied
response = compat_client.responses.create( response = compat_client.responses.create(
model=text_model_id, model=text_model_id,
input="What is the boiling point of myawesomeliquid?", input="What is the boiling point of myawesomeliquid?",
@ -60,8 +60,8 @@ def test_mcp_authentication_bearer(compat_client, text_model_id):
assert response.output[1].error is None assert response.output[1].error is None
def test_mcp_authentication_different_token(compat_client, text_model_id): def test_mcp_authorization_different_token(compat_client, text_model_id):
"""Test authentication with a different bearer token.""" """Test authorization with a different bearer token."""
if not isinstance(compat_client, LlamaStackAsLibraryClient): if not isinstance(compat_client, LlamaStackAsLibraryClient):
pytest.skip("in-process MCP server is only supported in library client") pytest.skip("in-process MCP server is only supported in library client")
@ -73,7 +73,7 @@ def test_mcp_authentication_different_token(compat_client, text_model_id):
"type": "mcp", "type": "mcp",
"server_label": "auth2-mcp", "server_label": "auth2-mcp",
"server_url": "<FILLED_BY_TEST_RUNNER>", "server_url": "<FILLED_BY_TEST_RUNNER>",
"authentication": { "authorization": {
"type": "bearer", "type": "bearer",
"token": test_token, "token": test_token,
}, },
@ -82,7 +82,7 @@ def test_mcp_authentication_different_token(compat_client, text_model_id):
mcp_server_info, mcp_server_info,
) )
# Create response - authentication should be applied # Create response - authorization should be applied
response = compat_client.responses.create( response = compat_client.responses.create(
model=text_model_id, model=text_model_id,
input="What is the boiling point of myawesomeliquid?", input="What is the boiling point of myawesomeliquid?",
@ -97,8 +97,8 @@ def test_mcp_authentication_different_token(compat_client, text_model_id):
assert response.output[1].error is None assert response.output[1].error is None
def test_mcp_authentication_fallback_to_headers(compat_client, text_model_id): def test_mcp_authorization_fallback_to_headers(compat_client, text_model_id):
"""Test that authentication parameter doesn't override existing headers.""" """Test that authorization parameter doesn't override existing headers."""
if not isinstance(compat_client, LlamaStackAsLibraryClient): if not isinstance(compat_client, LlamaStackAsLibraryClient):
pytest.skip("in-process MCP server is only supported in library client") pytest.skip("in-process MCP server is only supported in library client")
@ -112,7 +112,7 @@ def test_mcp_authentication_fallback_to_headers(compat_client, text_model_id):
"server_label": "headers-mcp", "server_label": "headers-mcp",
"server_url": "<FILLED_BY_TEST_RUNNER>", "server_url": "<FILLED_BY_TEST_RUNNER>",
"headers": {"Authorization": f"Bearer {test_token}"}, "headers": {"Authorization": f"Bearer {test_token}"},
"authentication": { "authorization": {
"type": "bearer", "type": "bearer",
"token": "should-not-override", "token": "should-not-override",
}, },
@ -136,19 +136,25 @@ def test_mcp_authentication_fallback_to_headers(compat_client, text_model_id):
assert response.output[1].error is None assert response.output[1].error is None
def test_mcp_authentication_backward_compatibility(compat_client, text_model_id): def test_mcp_authorization_backward_compatibility(compat_client, text_model_id):
"""Test that MCP tools work without authentication (backward compatibility).""" """Test that MCP tools work without authorization (backward compatibility)."""
if not isinstance(compat_client, LlamaStackAsLibraryClient): if not isinstance(compat_client, LlamaStackAsLibraryClient):
pytest.skip("in-process MCP server is only supported in library client") pytest.skip("in-process MCP server is only supported in library client")
# No authentication required # No authorization required
with make_mcp_server(required_auth_token=None) as mcp_server_info: with make_mcp_server(required_auth_token=None) as mcp_server_info:
tools = setup_mcp_tools( tools = setup_mcp_tools(
[{"type": "mcp", "server_label": "noauth-mcp", "server_url": "<FILLED_BY_TEST_RUNNER>"}], [
{
"type": "mcp",
"server_label": "noauth-mcp",
"server_url": "<FILLED_BY_TEST_RUNNER>",
}
],
mcp_server_info, mcp_server_info,
) )
# Create response without authentication # Create response without authorization
response = compat_client.responses.create( response = compat_client.responses.create(
model=text_model_id, model=text_model_id,
input="What is the boiling point of myawesomeliquid?", input="What is the boiling point of myawesomeliquid?",