Update scope validator

2025-06-29 01:44:19 +00:00 · 2025-05-18 13:07:08 +05:30 · 2025-05-18 13:07:08 +05:30 · 5b1daaefc3
commit 5b1daaefc3
parent 33671e6dd1
6 changed files with 52 additions and 51 deletions
--- a/internal/authz/scope_validator.go
+++ b/internal/authz/scope_validator.go
@ -0,0 +1,63 @@
+package authz
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+
+	logger "github.com/wso2/open-mcp-auth-proxy/internal/logging"
+)
+
+type TokenClaims struct {
+	Scopes []string
+}
+
+type ScopeValidator struct{}
+
+// Evaluate and checks the token claims against one or more required scopes.
+func (d *ScopeValidator) ValidateAccess(
+	_ *http.Request,
+	claims *TokenClaims,
+	requiredScopes any,
+) AccessControlResult {
+
+	logger.Info("Required scopes: %v", requiredScopes)
+
+	var scopeStr string
+	switch v := requiredScopes.(type) {
+	case string:
+		scopeStr = v
+	case []string:
+		scopeStr = strings.Join(v, " ")
+	}
+
+	if strings.TrimSpace(scopeStr) == "" {
+		return AccessControlResult{DecisionAllow, ""}
+	}
+
+	scopes := strings.FieldsFunc(scopeStr, func(r rune) bool {
+		return r == ' ' || r == ','
+	})
+	required := make(map[string]struct{}, len(scopes))
+	for _, s := range scopes {
+		if s = strings.TrimSpace(s); s != "" {
+			required[s] = struct{}{}
+		}
+	}
+
+	logger.Info("Token scopes: %v", claims.Scopes)
+	for _, tokenScope := range claims.Scopes {
+		if _, ok := required[tokenScope]; ok {
+			return AccessControlResult{DecisionAllow, ""}
+		}
+	}
+
+	var list []string
+	for s := range required {
+		list = append(list, s)
+	}
+	return AccessControlResult{
+		DecisionDeny,
+		fmt.Sprintf("missing required scope(s): %s", strings.Join(list, ", ")),
+	}
+}