stacklok / toolhive / 24560432784

66%

Build Type

push

github

Committed by web-flow

Commit Message

Add name attribute alias on Resource entities (#4907)

The enterprise Cedar schema (platform-authz branch, 02-cedar-compilation.md
§ entity types) declares "name" as a required String attribute on all three
entity kinds — Tool, Prompt, and Resource. Tool and Prompt entities already
had "name" populated by CreateResourceEntity, but authorizeResourceRead
built its own attributes map with only "uri", so Resource entities lacked
the attribute and would fail schema validation when the enterprise
controller compiles policies.

Add "name": resourceURI alongside the existing "uri": resourceURI in
authorizeResourceRead so Resource entities satisfy the schema.

In CreateResourceEntity, default "name" to resourceID only when the
caller has not already provided one — authorizeResourceRead sets name
to the original unsanitized URI before passing the sanitized form as
resourceID, and the caller's value must survive.

Preserving the caller-provided name also exposes the original URI to
policies, so authors can match on the form they actually know (e.g.
resource.name == "file:///...") rather than the Cedar-sanitized entity
ID.

E2E tested in a Kind cluster with real Entra ID tokens:

  permit(principal in THVGroup::"mcp-admin",
         action == Action::"call_tool",
         resource in MCP::"entra-role-test")
    when { resource.name == "echo" };

  Entra JWT: { "roles": ["mcp-admin", "developer"] }

  call_tool "echo" -> 200 (resource.name matches)
  call_tool "nonexistent_tool" -> 403 (name mismatch)

Fixes #4766

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Coverage Stats

7 of 7 new or added lines in 2 files covered. (100.0%)

46 existing lines in 7 files now uncovered.

57529 of 86994 relevant lines covered (66.13%)

62.91 hits per line