Enforce Cedar policies on optimizer find_tool and call_tool

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: aponcedeleonch

cmd/vmcp/app/commands.go

@@ -456,7 +456,8 @@ func runServe(cmd *cobra.Command, _ []string) error {
 
 	slog.Info(fmt.Sprintf("Setting up incoming authentication (type: %s)", cfg.IncomingAuth.Type))
 
-	authMiddleware, authzMiddleware, authInfoHandler, err := factory.NewIncomingAuthMiddleware(ctx, cfg.IncomingAuth)
+	authMiddleware, cedarAuthorizer, authInfoHandler, err :=
+		factory.NewIncomingAuthMiddleware(ctx, cfg.IncomingAuth)
 	if err != nil {
 		return fmt.Errorf("failed to create authentication middleware: %w", err)
 	}
@@ -539,7 +540,7 @@ func runServe(cmd *cobra.Command, _ []string) error {
 		Host:                    host,
 		Port:                    port,
 		AuthMiddleware:          authMiddleware,
-		AuthzMiddleware:         authzMiddleware,
+		CedarAuthorizer:         cedarAuthorizer,
 		AuthInfoHandler:         authInfoHandler,
 		TelemetryProvider:       telemetryProvider,
 		AuditConfig:             cfg.Audit,

pkg/authz/config.go

@@ -26,22 +26,40 @@ var LoadConfig = authorizers.LoadConfig
 // NewConfig is an alias for authorizers.NewConfig for backward compatibility.
 var NewConfig = authorizers.NewConfig
 
-// CreateMiddlewareFromConfig creates an HTTP middleware from the configuration.
-func CreateMiddlewareFromConfig(c *Config, serverName string) (types.MiddlewareFunction, error) {
-	// Get the factory for this config type
+// CreateAuthorizerFromConfig creates an Authorizer from the configuration.
+func CreateAuthorizerFromConfig(c *Config, serverName string) (authorizers.Authorizer, error) {
 	factory := authorizers.GetFactory(string(c.Type))
 	if factory == nil {
 		return nil, fmt.Errorf("unsupported configuration type: %s", c.Type)
 	}
 
-	// Create the authorizer using the factory, passing the full raw config
 	authz, err := factory.CreateAuthorizer(c.RawConfig(), serverName)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create %s authorizer: %w", c.Type, err)
 	}
 
-	// Return the middleware
-	return func(handler http.Handler) http.Handler { return Middleware(authz, handler) }, nil
+	return authz, nil
+}
+
+// CreateMiddlewareFromAuthorizer wraps an existing Authorizer as HTTP middleware.
+// The passThroughTools parameter is optional; tool names in this set bypass the
+// response filter's policy check in tools/list responses. This is used when the
+// optimizer is enabled: its meta-tools (find_tool, call_tool) would otherwise be
+// rejected by Cedar default-deny since no policy references them by name.
+// Authorization for the underlying backend tools is handled inside the optimizer
+// decorator, so letting the meta-tools pass through is safe.
+func CreateMiddlewareFromAuthorizer(a authorizers.Authorizer, passThroughTools map[string]struct{}) types.MiddlewareFunction {
+	return func(handler http.Handler) http.Handler { return Middleware(a, handler, passThroughTools) }
+}
+
+// CreateMiddlewareFromConfig creates an HTTP middleware from the configuration.
+func CreateMiddlewareFromConfig(c *Config, serverName string) (types.MiddlewareFunction, error) {
+	authz, err := CreateAuthorizerFromConfig(c, serverName)
+	if err != nil {
+		return nil, err
+	}
+
+	return CreateMiddlewareFromAuthorizer(authz, nil), nil
 }
 
 // GetMiddlewareFromFile loads the authorization configuration from a file and creates an HTTP middleware.

pkg/authz/config_test.go

@@ -438,3 +438,93 @@ func TestCreateMiddlewareFromConfigErrors(t *testing.T) {
 		assert.Contains(t, err.Error(), "unsupported configuration type")
 	})
 }
+
+func TestCreateAuthorizerFromConfig(t *testing.T) {
+	t.Parallel()
+
+	t.Run("valid config returns authorizer", func(t *testing.T) {
+		t.Parallel()
+
+		config := mustNewConfig(t, cedar.Config{
+			Version: "1.0",
+			Type:    cedar.ConfigType,
+			Options: &cedar.ConfigOptions{
+				Policies:     []string{`permit(principal, action == Action::"call_tool", resource == Tool::"weather");`},
+				EntitiesJSON: "[]",
+			},
+		})
+
+		a, err := CreateAuthorizerFromConfig(config, "testserver")
+		require.NoError(t, err)
+		require.NotNil(t, a)
+
+		// Verify the authorizer works by checking a tool call
+		ctx := auth.WithIdentity(t.Context(), &auth.Identity{
+			PrincipalInfo: auth.PrincipalInfo{Subject: "user1", Claims: map[string]interface{}{"sub": "user1"}},
+		})
+		authorized, err := a.AuthorizeWithJWTClaims(ctx, "tool", "call", "weather", nil)
+		require.NoError(t, err)
+		assert.True(t, authorized)
+	})
+
+	t.Run("unsupported config type returns error", func(t *testing.T) {
+		t.Parallel()
+
+		config := &Config{
+			Version: "1.0",
+			Type:    "unsupported-type",
+		}
+
+		a, err := CreateAuthorizerFromConfig(config, "testserver")
+		assert.Error(t, err)
+		assert.Nil(t, a)
+		assert.Contains(t, err.Error(), "unsupported configuration type")
+	})
+}
+
+func TestCreateMiddlewareFromAuthorizer(t *testing.T) {
+	t.Parallel()
+
+	config := mustNewConfig(t, cedar.Config{
+		Version: "1.0",
+		Type:    cedar.ConfigType,
+		Options: &cedar.ConfigOptions{
+			Policies:     []string{`permit(principal, action == Action::"call_tool", resource == Tool::"weather");`},
+			EntitiesJSON: "[]",
+		},
+	})
+
+	a, err := CreateAuthorizerFromConfig(config, "testserver")
+	require.NoError(t, err)
+
+	mw := CreateMiddlewareFromAuthorizer(a, nil)
+	require.NotNil(t, mw)
+
+	// Verify middleware wraps a handler correctly
+	handlerCalled := false
+	testHandler := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		handlerCalled = true
+		w.WriteHeader(http.StatusOK)
+	})
+
+	handler := mcpparser.ParsingMiddleware(mw(testHandler))
+
+	// Build a ping request (always allowed)
+	body, err := json.Marshal(map[string]interface{}{
+		"jsonrpc": "2.0", "id": 1, "method": "ping", "params": map[string]interface{}{},
+	})
+	require.NoError(t, err)
+
+	req, err := http.NewRequest(http.MethodPost, "/messages", bytes.NewBuffer(body))
+	require.NoError(t, err)
+	req.Header.Set("Content-Type", "application/json")
+
+	identity := &auth.Identity{PrincipalInfo: auth.PrincipalInfo{Subject: "user1", Claims: map[string]interface{}{"sub": "user1"}}}
+	req = req.WithContext(auth.WithIdentity(req.Context(), identity))
+
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	assert.True(t, handlerCalled)
+	assert.Equal(t, http.StatusOK, rr.Code)
+}

pkg/authz/integration_test.go

@@ -257,7 +257,7 @@ func TestIntegrationListFiltering(t *testing.T) {
 			})
 
 			// Apply the middleware chain: MCP parsing first, then authorization
-			middleware := mcpparser.ParsingMiddleware(Middleware(authorizer, mockHandler))
+			middleware := mcpparser.ParsingMiddleware(Middleware(authorizer, mockHandler, nil))
 
 			// Execute the request through the middleware
 			middleware.ServeHTTP(rr, req)
@@ -426,7 +426,7 @@ func TestIntegrationNonListOperations(t *testing.T) {
 			})
 
 			// Apply the middleware chain: MCP parsing first, then authorization
-			middleware := mcpparser.ParsingMiddleware(Middleware(authorizer, mockHandler))
+			middleware := mcpparser.ParsingMiddleware(Middleware(authorizer, mockHandler, nil))
 
 			// Execute the request through the middleware
 			middleware.ServeHTTP(rr, req)

pkg/authz/middleware.go

@@ -171,7 +171,7 @@ func handleUnauthorized(w http.ResponseWriter, msgID interface{}, err error) {
 // The authorizer parameter should implement the authorizers.Authorizer interface,
 // which can be created using authz.CreateMiddlewareFromConfig() or directly
 // from an authorizer package (e.g., cedar.NewCedarAuthorizer()).
-func Middleware(a authorizers.Authorizer, next http.Handler) http.Handler {
+func Middleware(a authorizers.Authorizer, next http.Handler, passThroughTools map[string]struct{}) http.Handler {
 	// Cache is shared across requests for the same proxy.
 	// Populated from tools/list responses, read during tools/call.
 	annotationCache := NewAnnotationCache()
@@ -218,7 +218,7 @@ func Middleware(a authorizers.Authorizer, next http.Handler) http.Handler {
 		if featureOp.Operation == authorizers.MCPOperationList {
 
 			// Create a response filtering writer to intercept and filter the response
-			filteringWriter := NewResponseFilteringWriter(w, a, r, parsedRequest.Method, annotationCache)
+			filteringWriter := NewResponseFilteringWriter(w, a, r, parsedRequest.Method, annotationCache, passThroughTools)
 
 			// Call the next handler with the filtering writer
 			next.ServeHTTP(filteringWriter, r)

pkg/authz/middleware_test.go

@@ -398,7 +398,7 @@ func TestMiddleware(t *testing.T) {
 			})
 
 			// Apply the middleware chain: MCP parsing first, then authorization
-			middleware := mcpparser.ParsingMiddleware(Middleware(authorizer, handler))
+			middleware := mcpparser.ParsingMiddleware(Middleware(authorizer, handler, nil))
 
 			// Serve the request
 			middleware.ServeHTTP(rr, req)
@@ -430,7 +430,7 @@ func TestMiddlewareWithGETRequest(t *testing.T) {
 	})
 
 	// Apply the middleware chain: MCP parsing first, then authorization
-	middleware := mcpparser.ParsingMiddleware(Middleware(authorizer, handler))
+	middleware := mcpparser.ParsingMiddleware(Middleware(authorizer, handler, nil))
 
 	// Create a GET request
 	req, err := http.NewRequest(http.MethodGet, "/messages", nil)
@@ -807,7 +807,7 @@ func TestMiddlewareToolsListTestkit(t *testing.T) {
 					})
 				},
 				mcpparser.ParsingMiddleware,
-				func(h http.Handler) http.Handler { return Middleware(authorizer, h) },
+				func(h http.Handler) http.Handler { return Middleware(authorizer, h, nil) },
 			))
 			server, client, err := testkit.NewStreamableTestServer(opts...)
 			require.NoError(t, err)
@@ -977,7 +977,7 @@ func TestMiddlewareToolsCallTestkit(t *testing.T) {
 					})
 				},
 				mcpparser.ParsingMiddleware,
-				func(h http.Handler) http.Handler { return Middleware(authorizer, h) },
+				func(h http.Handler) http.Handler { return Middleware(authorizer, h, nil) },
 			))
 			server, client, err := testkit.NewStreamableTestServer(opts...)
 			require.NoError(t, err)

pkg/authz/response_filter.go

@@ -24,28 +24,33 @@ var errBug = errors.New("there's a bug")
 // ResponseFilteringWriter wraps an http.ResponseWriter to intercept and filter responses
 type ResponseFilteringWriter struct {
 	http.ResponseWriter
-	authorizer      authorizers.Authorizer
-	request         *http.Request
-	method          string
-	buffer          *bytes.Buffer
-	statusCode      int
-	annotationCache *AnnotationCache
+	authorizer       authorizers.Authorizer
+	request          *http.Request
+	method           string
+	buffer           *bytes.Buffer
+	statusCode       int
+	annotationCache  *AnnotationCache
+	passThroughTools map[string]struct{}
 }
 
 // NewResponseFilteringWriter creates a new response filtering writer.
 // The annotationCache parameter is optional; pass nil to disable annotation caching.
+// The passThroughTools parameter is optional; tools whose names appear in this set
+// bypass policy filtering because authorization is enforced elsewhere (e.g., inside
+// the optimizer decorator for find_tool/call_tool).
 func NewResponseFilteringWriter(
 	w http.ResponseWriter, authorizer authorizers.Authorizer, r *http.Request, method string,
-	annotationCache *AnnotationCache,
+	annotationCache *AnnotationCache, passThroughTools map[string]struct{},
 ) *ResponseFilteringWriter {
 	return &ResponseFilteringWriter{
-		ResponseWriter:  w,
-		authorizer:      authorizer,
-		request:         r,
-		method:          method,
-		buffer:          &bytes.Buffer{},
-		statusCode:      http.StatusOK,
-		annotationCache: annotationCache,
+		ResponseWriter:   w,
+		authorizer:       authorizer,
+		request:          r,
+		method:           method,
+		buffer:           &bytes.Buffer{},
+		statusCode:       http.StatusOK,
+		annotationCache:  annotationCache,
+		passThroughTools: passThroughTools,
 	}
 }
 
@@ -283,39 +288,32 @@ func (rfw *ResponseFilteringWriter) filterToolsResponse(response *jsonrpc2.Respo
 	// subsequent tools/call requests can look up annotations.
 	rfw.annotationCache.SetFromToolsList(listResult.Tools)
 
-	// Note: instantiating the list ensures that no null value is sent over the wire.
-	// This is basically defensive programming, but for clients.
-	filteredTools := []mcp.Tool{}
-	for i, tool := range listResult.Tools {
-		// Inject this tool's annotations into the context so Cedar policies
-		// that use when clauses on resource attributes (e.g. resource.readOnlyHint)
-		// can evaluate correctly. Without this, the authorization check runs
-		// against a context with no annotations and all when clauses fail.
-		ctx := rfw.request.Context()
-		ann := &listResult.Tools[i].Annotations
-		if hasAnyHint(ann) {
-			ctx = authorizers.WithToolAnnotations(ctx, convertMCPAnnotation(ann))
-		}
-
-		// Check if the user is authorized to call this tool
-		authorized, err := rfw.authorizer.AuthorizeWithJWTClaims(
-			ctx,
-			authorizers.MCPFeatureTool,
-			authorizers.MCPOperationCall,
-			tool.Name,
-			nil, // No arguments for the authorization check
-		)
-		if err != nil {
-			slog.Warn("Authorization check failed for tool, skipping",
-				"tool", tool.Name, "error", err)
-			continue
-		}
-
-		if authorized {
-			filteredTools = append(filteredTools, tool)
+	// When the optimizer is enabled, its meta-tools (find_tool, call_tool) appear
+	// in tools/list instead of real backend tools. These meta-tools won't match
+	// any operator-written Cedar policy (which references real tool names), so
+	// default-deny would filter them out — leaving the client with zero tools.
+	// Authorization for the underlying backend tools is enforced inside the
+	// optimizer decorator itself (find_tool filters results, call_tool gates
+	// invocations), so the meta-tools can safely pass through the response filter.
+	// See: https://github.com/stacklok/toolhive/issues/4373
+	passThrough := []mcp.Tool{}
+	regular := []mcp.Tool{}
+	for _, t := range listResult.Tools {
+		if _, ok := rfw.passThroughTools[t.Name]; ok {
+			passThrough = append(passThrough, t)
+		} else {
+			regular = append(regular, t)
 		}
 	}
 
+	// FilterToolsByPolicy checks each tool against the caller's Cedar policies
+	// (injecting annotations into context for when-clause evaluation) and returns
+	// only tools the caller is authorized to call.
+	policyFiltered := FilterToolsByPolicy(rfw.request.Context(), rfw.authorizer, regular)
+	filteredTools := make([]mcp.Tool, 0, len(passThrough)+len(policyFiltered))
+	filteredTools = append(filteredTools, passThrough...)
+	filteredTools = append(filteredTools, policyFiltered...)
+
 	// Create a new result with filtered tools
 	filteredResult := mcp.ListToolsResult{
 		PaginatedResult: listResult.PaginatedResult,