diff --git a/.github/scripts/release.sh b/.github/scripts/release.sh index 35568a2..2a1f6a9 100644 --- a/.github/scripts/release.sh +++ b/.github/scripts/release.sh @@ -19,7 +19,7 @@ GIT_TOKEN=$1 WORK_DIR=$2 VERSION_TYPE=$3 # possible values: major, minor, patch - Check if GIT_TOKEN is empty +# Check if GIT_TOKEN is empty if [ -z "$GIT_TOKEN" ]; then echo "❌ Error: GIT_TOKEN is not set." exit 1 diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml new file mode 100644 index 0000000..775003e --- /dev/null +++ b/.github/workflows/ci.yaml @@ -0,0 +1,71 @@ +name: Build and Push container +run-name: Build and Push container +on: + workflow_dispatch: + #schedule: + # - cron: "0 10 * * *" + push: + branches: + - 'main' + - 'master' + tags: + - 'v*' + pull_request: + branches: + - 'main' + - 'master' +env: + IMAGE: git.kvant.cloud/${{github.repository}} +jobs: + build_concierge_backend: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Set current time + uses: https://github.com/gerred/actions/current-time@master + id: current_time + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to git.kvant.cloud registry + uses: docker/login-action@v3 + with: + registry: git.kvant.cloud + username: ${{ vars.ORG_PACKAGE_WRITER_USERNAME }} + password: ${{ secrets.ORG_PACKAGE_WRITER_TOKEN }} + + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + # list of Docker images to use as base name for tags + images: | + ${{env.IMAGE}} + # generate Docker tags based on the following events/attributes + tags: | + type=schedule + type=ref,event=branch + type=ref,event=pr + type=semver,pattern={{version}} + + - name: Build and push to gitea registry + uses: docker/build-push-action@v6 + with: + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + context: . + provenance: mode=max + sbom: true + build-args: | + BUILD_DATE=${{ steps.current_time.outputs.time }} + cache-from: | + type=registry,ref=${{ env.IMAGE }}:buildcache + type=registry,ref=${{ env.IMAGE }}:${{ github.ref_name }} + type=registry,ref=${{ env.IMAGE }}:main + cache-to: type=registry,ref=${{ env.IMAGE }}:buildcache,mode=max,image-manifest=true diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e55f6b6..0c51bc7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -32,7 +32,7 @@ jobs: with: ref: 'main' fetch-depth: 0 - token: ${{ secrets.GIT_BOT_PAT }} + token: ${{ secrets.GITHUB_TOKEN }} - uses: actions/checkout@v2 - name: Set up Go 1.x @@ -60,5 +60,5 @@ jobs: - name: Update artifact version, package, commit, and create release. env: - GITHUB_TOKEN: ${{ secrets.GIT_BOT_PAT }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: bash ./.github/scripts/release.sh $GITHUB_TOKEN ${{ github.workspace }} ${{ github.event.inputs.version_type }} diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..dc468b1 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,48 @@ +FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.24@sha256:d9db32125db0c3a680cfb7a1afcaefb89c898a075ec148fdc2f0f646cc2ed509 AS build + +ARG TARGETPLATFORM +ARG BUILDPLATFORM +ARG TARGETOS +ARG TARGETARCH + +WORKDIR /workspace + +RUN apt update -qq && apt install -qq -y git bash curl g++ + +# Download libraries +ADD go.* . +RUN go mod download + +# Build +ADD cmd cmd +ADD internal internal +RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -o webhook -ldflags '-w -extldflags "-static"' -o openmcpauthproxy ./cmd/proxy + +#Test +RUN CGO_ENABLED=1 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go test -v -race ./... + + +# Build production container +FROM --platform=${BUILDPLATFORM:-linux/amd64} ubuntu:24.04 + +RUN apt-get update \ + && apt-get install --no-install-recommends -y \ + python3-pip \ + python-is-python3 \ + npm \ + && apt-get autoremove \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +RUN pip install uvenv --break-system-packages + +WORKDIR /app +COPY --from=build /workspace/openmcpauthproxy /app/ + +ADD config.yaml /app + + +ENTRYPOINT ["/app/openmcpauthproxy"] + +ARG IMAGE_SOURCE +LABEL org.opencontainers.image.source=$IMAGE_SOURCE diff --git a/Makefile b/Makefile index c9ef883..b0d0926 100644 --- a/Makefile +++ b/Makefile @@ -30,19 +30,19 @@ build: clean test build-linux build-linux-arm build-darwin build-linux: mkdir -p $(BUILD_DIR)/linux - GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -x -ldflags "-X main.version=$(BUILD_VERSION) \ + GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -x -ldflags "-X main.version=$(BUILD_VERSION)" \ -o $(BUILD_DIR)/linux/openmcpauthproxy $(PROJECT_ROOT)/cmd/proxy cp config.yaml $(BUILD_DIR)/linux build-linux-arm: mkdir -p $(BUILD_DIR)/linux-arm - GOOS=linux GOARCH=arm CGO_ENABLED=0 go build -x -ldflags "-X main.version=$(BUILD_VERSION) \ + GOOS=linux GOARCH=arm CGO_ENABLED=0 go build -x -ldflags "-X main.version=$(BUILD_VERSION)" \ -o $(BUILD_DIR)/linux-arm/openmcpauthproxy $(PROJECT_ROOT)/cmd/proxy cp config.yaml $(BUILD_DIR)/linux-arm build-darwin: mkdir -p $(BUILD_DIR)/darwin - GOOS=darwin GOARCH=amd64 CGO_ENABLED=0 go build -x -ldflags "-X main.version=$(BUILD_VERSION) \ + GOOS=darwin GOARCH=amd64 CGO_ENABLED=0 go build -x -ldflags "-X main.version=$(BUILD_VERSION)" \ -o $(BUILD_DIR)/darwin/openmcpauthproxy $(PROJECT_ROOT)/cmd/proxy cp config.yaml $(BUILD_DIR)/darwin diff --git a/README.md b/README.md index 71b4b60..6be3ece 100644 --- a/README.md +++ b/README.md @@ -47,15 +47,7 @@ Open MCP Auth Proxy sits between MCP clients and your MCP server to: ### Basic Usage -1. The repository comes with a default `config.yaml` file that contains the basic configuration: - -```yaml -listen_port: 8080 -base_url: "http://localhost:8000" # Your MCP server URL -paths: - sse: "/sse" - messages: "/messages/" -``` +1. Download the latest release from [Github releases](https://github.com/wso2/open-mcp-auth-proxy/releases/latest). 2. Start the proxy in demo mode (uses pre-configured authentication with Asgardeo sandbox): @@ -63,6 +55,16 @@ paths: ./openmcpauthproxy --demo ``` +> The repository comes with a default `config.yaml` file that contains the basic configuration: +> +> ```yaml +> listen_port: 8080 +> base_url: "http://localhost:8000" # Your MCP server URL +> paths: +> sse: "/sse" +> messages: "/messages/" +> ``` + 3. Connect using an MCP client like [MCP Inspector](https://github.com/shashimalcse/inspector)(This is a temporary fork with fixes for authentication [issues](https://github.com/modelcontextprotocol/typescript-sdk/issues/257) in the original implementation) ## Connect an Identity Provider diff --git a/cmd/proxy/main.go b/cmd/proxy/main.go index 6424f18..c43dd7d 100644 --- a/cmd/proxy/main.go +++ b/cmd/proxy/main.go @@ -12,7 +12,7 @@ import ( "github.com/wso2/open-mcp-auth-proxy/internal/authz" "github.com/wso2/open-mcp-auth-proxy/internal/config" "github.com/wso2/open-mcp-auth-proxy/internal/constants" - "github.com/wso2/open-mcp-auth-proxy/internal/logging" + logger "github.com/wso2/open-mcp-auth-proxy/internal/logging" "github.com/wso2/open-mcp-auth-proxy/internal/proxy" "github.com/wso2/open-mcp-auth-proxy/internal/subprocess" "github.com/wso2/open-mcp-auth-proxy/internal/util" @@ -58,7 +58,7 @@ func main() { logger.Warn("%v", err) logger.Warn("Subprocess may fail to start due to missing dependencies") } - + procManager = subprocess.NewManager() if err := procManager.Start(cfg); err != nil { logger.Warn("Failed to start subprocess: %v", err) @@ -95,7 +95,7 @@ func main() { // 5. Build the main router mux := proxy.NewRouter(cfg, provider) - listen_address := fmt.Sprintf(":%d", cfg.ListenPort) + listen_address := fmt.Sprintf("0.0.0.0:%d", cfg.ListenPort) // 6. Start the server srv := &http.Server{ diff --git a/config.yaml b/config.yaml index 5621195..ef70fbb 100644 --- a/config.yaml +++ b/config.yaml @@ -6,29 +6,23 @@ base_url: "http://localhost:8000" # Base URL for the MCP server port: 8000 # Port for the MCP server timeout_seconds: 10 -# Path configuration -paths: - sse: "/sse" # SSE endpoint path - messages: "/messages/" # Messages endpoint path # Transport mode configuration -transport_mode: "sse" # Options: "sse" or "stdio" +transport_mode: "stdio" # Options: "sse" or "stdio" # stdio-specific configuration (used only when transport_mode is "stdio") stdio: enabled: true - user_command: "npx -y @modelcontextprotocol/server-github" + user_command: uvx mcp-server-time --local-timezone=Europe/Zurich + #user_command: "npx -y @modelcontextprotocol/server-github" work_dir: "" # Working directory (optional) # env: # Environment variables (optional) # - "NODE_ENV=development" -# Path mapping (optional) -path_mapping: - -# CORS configuration +# CORS settings cors: allowed_origins: - - "http://localhost:5173" + - "http://localhost:6274" # Origin of your frontend/client app allowed_methods: - "GET" - "POST" @@ -40,8 +34,32 @@ cors: - "mcp-protocol-version" allow_credentials: true -# Demo configuration for Asgardeo -demo: - org_name: "openmcpauthdemo" - client_id: "N0U9e_NNGr9mP_0fPnPfPI0a6twa" - client_secret: "qFHfiBp5gNGAO9zV4YPnDofBzzfInatfUbHyPZvM0jka" +# Keycloak endpoint path mappings +path_mapping: + sse: "/sse" # SSE endpoint path + messages: "/messages/" # Messages endpoint path + /token: /realms/master/protocol/openid-connect/token + /register: /realms/master/clients-registrations/openid-connect + +# Keycloak configuration block +default: + base_url: "https://iam.phoenix-systems.ch" + jwks_url: "https://iam.phoenix-systems.ch/realms/kvant/protocol/openid-connect/certs" + path: + /.well-known/oauth-authorization-server: + response: + issuer: "https://iam.phoenix-systems.ch/realms/kvant" + jwks_uri: "https://iam.phoenix-systems.ch/realms/kvant/protocol/openid-connect/certs" + authorization_endpoint: "https://iam.phoenix-systems.ch/realms/kvant/protocol/openid-connect/auth" + response_types_supported: + - "code" + grant_types_supported: + - "authorization_code" + - "refresh_token" + code_challenge_methods_supported: + - "S256" + - "plain" + /token: + addBodyParams: + - name: "audience" + value: "mcp_proxy" \ No newline at end of file diff --git a/pull_request_template.md b/pull_request_template.md index 9b32185..c401a06 100644 --- a/pull_request_template.md +++ b/pull_request_template.md @@ -1,52 +1,11 @@ ## Purpose -> Describe the problems, issues, or needs driving this feature/fix and include links to related issues in the following format: Resolves issue1, issue2, etc. + -## Goals -> Describe the solutions that this feature/fix will introduce to resolve the problems described above - -## Approach -> Describe how you are implementing the solutions. Include an animated GIF or screenshot if the change affects the UI (email documentation@wso2.com to review all UI text). Include a link to a Markdown file or Google doc if the feature write-up is too long to paste here. - -## User stories -> Summary of user stories addressed by this change> - -## Release note -> Brief description of the new feature or bug fix as it will appear in the release notes - -## Documentation -> Link(s) to product documentation that addresses the changes of this PR. If no doc impact, enter “N/A” plus brief explanation of why there’s no doc impact - -## Training -> Link to the PR for changes to the training content in https://github.com/wso2/WSO2-Training, if applicable - -## Certification -> Type “Sent” when you have provided new/updated certification questions, plus four answers for each question (correct answer highlighted in bold), based on this change. Certification questions/answers should be sent to certification@wso2.com and NOT pasted in this PR. If there is no impact on certification exams, type “N/A” and explain why. - -## Marketing -> Link to drafts of marketing content that will describe and promote this feature, including product page changes, technical articles, blog posts, videos, etc., if applicable - -## Automation tests - - Unit tests - > Code coverage information - - Integration tests - > Details about the test cases and coverage - -## Security checks - - Followed secure coding standards in http://wso2.com/technical-reports/wso2-secure-engineering-guidelines? yes/no - - Ran FindSecurityBugs plugin and verified report? yes/no - - Confirmed that this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets? yes/no - -## Samples -> Provide high-level details about the samples related to this feature +## Related Issues + ## Related PRs -> List any other related PRs + ## Migrations (if applicable) -> Describe migration steps and platforms on which migration has been tested - -## Test environment -> List all JDK versions, operating systems, databases, and browser/versions on which this feature/fix was tested - -## Learning -> Describe the research phase and any blog posts, patterns, libraries, or add-ons you used to solve the problem. \ No newline at end of file +