[FEATURE][PLUGIN]: Enhance the IAM pre-tool plugin

[aksharkaul]

🧭 Epic

Title: Enhanced IAM Pre-Tool Plugin with Rich Context Authorization

Goal: Extend the IAM pre-tool plugin to support rich context authorization (ABAC), human-in-the-loop approval workflows, and non-MCP server tools (REST endpoints).

Why now:

• Current plugin framework supports basic RBAC but lacks fine-grained attribute-based access control (ABAC)
• Enterprise deployments need human approval for sensitive operations (financial transfers, data deletion)
• REST tools (non-MCP) need the same authorization controls as MCP tools
• Compliance requirements (SOX, SOC2) mandate approval workflows for certain operations

---

📖 User Stories

US-1: Security Admin - Rich Context Authorization (ABAC)

As a: Security Administrator

I want: Authorization decisions to consider rich context (user attributes, resource attributes, environmental factors)

So that: I can implement fine-grained access control beyond simple role-based permissions

Acceptance Criteria:

Scenario: Authorize based on user department
  Given the IAM plugin is configured with ABAC rules
  And user "alice" has department="engineering"
  When alice invokes tool "deploy_to_production"
  And the tool requires department="devops" OR department="sre"
  Then the tool invocation should be denied
  And an audit log entry should be created

Scenario: Authorize based on resource sensitivity
  Given the IAM plugin is configured with data classification rules
  And resource "customer_database" has classification="confidential"
  When user "bob" with clearance="public" invokes tool "query_database"
  Then the tool invocation should be denied
  And the denial reason should indicate clearance mismatch

Scenario: Authorize based on time window
  Given the IAM plugin is configured with time-based rules
  And tool "batch_delete" is only allowed during maintenance windows
  When user invokes "batch_delete" outside the maintenance window
  Then the tool invocation should be denied
  And the response should include next allowed time window

Technical Requirements:

• Extend GlobalContext to include user attributes from identity provider
• Support ABAC policies in Cedar or OPA format
• Evaluate resource attributes from tool metadata
• Consider environmental factors (time, IP, location)

US-2: Compliance Officer - Human-in-the-Loop Approval

As a: Compliance Officer

I want: Certain tool invocations to require human approval before execution

So that: Sensitive operations have explicit authorization from designated approvers

Acceptance Criteria:

Scenario: Tool requires approval before execution
  Given the IAM plugin is configured to require approval for "wire_transfer"
  When user invokes "wire_transfer" with amount > $10,000
  Then the tool invocation should be paused
  And an approval request should be created
  And the user should receive a pending status

Scenario: Approver approves the request
  Given a pending approval request for "wire_transfer"
  And user "manager" is designated approver
  When "manager" approves the request
  Then the tool invocation should proceed
  And the approval should be recorded in audit trail

Scenario: Approval timeout
  Given a pending approval request
  And the approval timeout is 1 hour
  When 1 hour passes without approval
  Then the request should be automatically denied
  And the user should be notified of timeout

Technical Requirements:

• Integrate with MCP elicitation for approval prompts
• Support configurable approval workflows
• Store pending approvals with timeout
• Notify approvers via webhook or UI

US-3: Developer - Authorize Non-MCP Tools

As a: Developer using REST tools alongside MCP tools

I want: The IAM plugin to authorize REST tool invocations

So that: All tools (MCP and REST) have consistent authorization

Acceptance Criteria:

Scenario: REST tool invocation authorized
  Given a REST tool "api/v1/users" is registered
  And the IAM plugin is configured with REST tool policies
  When user invokes the REST tool via gateway
  Then the IAM plugin should evaluate authorization
  And authorized requests should proceed to the REST endpoint

Scenario: REST tool invocation denied
  Given a REST tool "api/v1/admin/delete" requires admin role
  And user "viewer" has role="viewer"
  When "viewer" invokes the REST tool
  Then the request should be denied with 403 status
  And the denial should be logged

Scenario: Mixed MCP and REST authorization
  Given a virtual server with both MCP and REST tools
  When the IAM plugin evaluates authorization
  Then the same policy engine should be used for both
  And audit logs should capture both tool types

Technical Requirements:

• Hook into REST tool invocation path
• Extract user context from HTTP headers/JWT
• Apply same policy evaluation as MCP tools
• Maintain consistent audit logging

---

🏗 Architecture

Rich Context Authorization Flow

sequenceDiagram
    participant Client
    participant Gateway
    participant IAMPlugin
    participant PolicyEngine
    participant ToolService
    
    Client->>Gateway: tools/call (wire_transfer, amount=50000)
    Gateway->>IAMPlugin: tool_pre_invoke hook
    
    IAMPlugin->>IAMPlugin: Extract user attributes
    IAMPlugin->>IAMPlugin: Extract resource attributes
    IAMPlugin->>IAMPlugin: Get environmental context
    
    IAMPlugin->>PolicyEngine: Evaluate ABAC policy
    PolicyEngine-->>IAMPlugin: Decision + obligations
    
    alt Requires Approval
        IAMPlugin->>IAMPlugin: Create approval request
        IAMPlugin-->>Gateway: Pending (elicitation)
        Gateway-->>Client: Approval required
    else Authorized
        IAMPlugin-->>Gateway: Continue
        Gateway->>ToolService: Execute tool
    else Denied
        IAMPlugin-->>Gateway: Deny with reason
        Gateway-->>Client: 403 Forbidden
    end

Loading

ABAC Context Model

classDiagram
    class AuthorizationContext {
        +subject: SubjectAttributes
        +resource: ResourceAttributes
        +action: ActionAttributes
        +environment: EnvironmentAttributes
    }
    
    class SubjectAttributes {
        +user_id: str
        +roles: list[str]
        +department: str
        +clearance_level: str
        +groups: list[str]
    }
    
    class ResourceAttributes {
        +tool_name: str
        +classification: str
        +owner: str
        +tags: list[str]
    }
    
    class ActionAttributes {
        +operation: str
        +parameters: dict
    }
    
    class EnvironmentAttributes {
        +timestamp: datetime
        +ip_address: str
        +is_maintenance_window: bool
    }
    
    AuthorizationContext --> SubjectAttributes
    AuthorizationContext --> ResourceAttributes
    AuthorizationContext --> ActionAttributes
    AuthorizationContext --> EnvironmentAttributes

Loading

---

📋 Implementation Tasks

Phase 1: Rich Context Foundation

• Extend GlobalContext with user attributes (department, groups, clearance)
• Add resource attributes to tool metadata schema
• Create AuthorizationContext model for ABAC evaluation
• Add environmental context (time, IP, maintenance windows)

Phase 2: ABAC Policy Integration

• Extend Cedar plugin to support ABAC attributes
• Extend OPA plugin to support ABAC attributes
• Create policy templates for common ABAC scenarios
• Add policy validation and testing tools

Phase 3: Human-in-the-Loop Approval

• Create approval request storage (database table)
• Implement approval workflow state machine
• Integrate with MCP elicitation for approval prompts
• Add approver notification webhooks
• Implement approval timeout handling

Phase 4: REST Tool Support

• Hook IAM plugin into REST tool invocation path
• Extract user context from HTTP headers
• Apply policy evaluation to REST tools
• Ensure consistent audit logging

Phase 5: Admin UI

• Add approval queue UI for approvers
• Add ABAC policy editor
• Add audit trail viewer with ABAC details

Phase 6: Testing

• Unit tests for ABAC evaluation
• Unit tests for approval workflows
• Integration tests for REST tool authorization
• Performance tests for policy evaluation

---

⚙️ Configuration Examples

ABAC Policy (Cedar format)

permit (
    principal in Group::"engineering",
    action == Action::"invoke",
    resource == Tool::"deploy_to_staging"
) when {
    context.environment.is_business_hours == true
};

forbid (
    principal,
    action == Action::"invoke", 
    resource == Tool::"wire_transfer"
) unless {
    resource.amount < 10000 ||
    context.approval.status == "approved"
};

Approval Workflow Configuration

iam_plugin:
  approval_workflows:
    - name: high_value_transfer
      trigger:
        tool_pattern: "wire_transfer|bank_transfer"
        conditions:
          - field: "amount"
            operator: ">"
            value: 10000
      approvers:
        - role: "finance_manager"
        - role: "compliance_officer"
      require_all: false  # Any approver can approve
      timeout_minutes: 60
      notification:
        webhook: "https://slack.webhook.url"

---

✅ Success Criteria

• ABAC policies can reference user department, groups, clearance
• ABAC policies can reference resource classification, tags
• Time-based authorization rules work correctly
• Approval workflows pause tool execution until approved
• Approval timeouts automatically deny requests
• REST tools subject to same authorization as MCP tools
• Audit logs capture ABAC context and approval decisions
• Performance: policy evaluation < 10ms for 95th percentile

---

🏁 Definition of Done

• GlobalContext extended with user attributes
• AuthorizationContext model implemented
• Cedar/OPA plugins support ABAC attributes
• Approval workflow implemented with storage
• Elicitation integration for approvals works
• REST tool authorization implemented
• Admin UI for approval queue
• Unit tests for all new functionality
• Integration tests pass
• Documentation updated
• Code passes make verify
• PR reviewed and approved

---

🔗 Related Issues

• [FEATURE][AUTH]: Propagate end user identity and context through the CF workflow #1436 - Propagate end user identity through CF workflow
• [EPIC][PLUGIN]: Per-virtual-server plugin selection with multi-level RBAC #1247 - Per-virtual-server plugin selection
• Cedar Policy Plugin
• OPA Policy Plugin

---

📓 Additional Context

Compliance Requirements Addressed

• SOX: Separation of duties for financial operations
• SOC2: Access control logging and approval workflows
• HIPAA: Data classification-based access control
• GDPR: Purpose limitation through context-aware authorization

[VRamakrishna]

@abhi201191 @viksharma1987 @sandeepnRES

[crivetimihai]

Thank you for this comprehensive epic. After a deep dive into the existing plugin implementations, here's my analysis:

Existing Foundation

Plugin Ecosystem (40+ plugins)

The codebase has a rich plugin ecosystem with Cedar and OPA as the primary policy engines:

Plugin	Hooks	Policy Format	User Context
Cedar	6 (all)	Native Cedar + Custom DSL	Email only
OPA	6 (all)	Rego via external server	Hardcoded "none"
Rate Limiter	2	N/A	Email + Tenant

Key Findings

1. Cedar Plugin Has Approval Code Defined But Unused:

# plugins/external/cedar/cedarpolicyplugin/plugin.py:49-52
class CedarCodes(str, Enum):
    REQUIRES_HUMAN_APPROVAL_CODE = "REQUIRES_APPROVAL"  # Never used!

The enum exists - we just need to wire it up to an approval workflow.

2. OPA Plugin Has Hardcoded User Context:

# plugins/external/opa/opapluginfilter/plugin.py
opa_input = BaseOPAInputKeys(
    user="none",       # ← Should use context.global_context.user
    request_ip="none", # ← Should extract from headers
    headers={},        # ← Should pass actual headers
)

3. Cedar ABAC Context Is Always Empty:

# plugins/external/cedar/cedarpolicyplugin/plugin.py:245-250
return CedarInput(
    principal=principal_expr,
    action=action_expr,
    resource=resource_expr,
    context={}  # ← Always empty! No ABAC attributes
)

4. Rate Limiter Shows Correct Pattern:

# plugins/rate_limiter/rate_limiter.py:139-140
user = context.global_context.user or "anonymous"
tenant = context.global_context.tenant_id or "default"

---

Implementation Roadmap

Phase 1: Fix Existing Plugins (Quick Wins)

1a. Fix OPA user context (low effort):

# Replace hardcoded values:
user = context.global_context.user or "anonymous"
request_ip = payload.headers.get("X-Forwarded-For") if payload.headers else "unknown"
headers = payload.headers.model_dump() if payload.headers else {}

1b. Populate Cedar ABAC context (low effort):

context_data = {
    "user": context.global_context.user,
    "server_id": context.global_context.server_id,
    "tenant_id": context.global_context.tenant_id,
    "timestamp": datetime.now(timezone.utc).isoformat(),
    # After #1436: add groups, roles, department
}
return CedarInput(..., context=context_data)

Phase 2: Rich User Context (Depends on #1436)

Once #1436 delivers UserContext in GlobalContext.metadata:

user_context = context.global_context.metadata.get("user_context", {})
context_data = {
    "user_email": user_context.get("email"),
    "user_groups": user_context.get("groups", []),
    "user_roles": user_context.get("roles", []),
    "user_department": user_context.get("department"),
    "user_clearance": user_context.get("clearance"),
}

Phase 3: Resource Attributes

Extend Tool model for classification:

# In db.py Tool model:
classification: Optional[str]  # public, internal, confidential, restricted
resource_tags: Optional[List[str]]

Expose to plugins via global_context.metadata[TOOL_METADATA]:

# Already exists! tool_service.py:2817
if tool_metadata:
    global_context.metadata[TOOL_METADATA] = tool_metadata

Phase 4: Human-in-the-Loop Approval

4a. Database model:

class ApprovalRequest(Base):
    id: str
    tool_name: str
    tool_args: Dict
    requester_email: str
    required_approvers: List[str]
    status: str  # pending, approved, denied, expired
    created_at: datetime
    expires_at: datetime
    decision_by: Optional[str]
    decision_at: Optional[datetime]

4b. Wire up Cedar's existing code:

if decision == CedarCodes.REQUIRES_HUMAN_APPROVAL_CODE:
    approval_request = await create_approval_request(...)
    return ToolPreInvokeResult(
        continue_processing=False,
        violation=PluginViolation(
            code="REQUIRES_APPROVAL",
            details={"approval_request_id": approval_request.id}
        )
    )

4c. Approval endpoints: New router for approval management

Phase 5: REST Tool Authorization

After #1405 is fixed, route REST invocations through plugin hooks:

# In tool_service.py REST execution path:
if self._plugin_manager and self._plugin_manager.has_hooks_for(ToolHookType.TOOL_PRE_INVOKE):
    # Same hook invocation as MCP tools

---

Dependency Graph

#1436 (User Identity)
    ↓
Phase 2 (Rich ABAC Context)
    ↓
Phase 4 (Approval Workflow)

#1405 (REST Passthrough Bug)
    ↓
Phase 5 (REST Authorization)

No dependencies:
├── Phase 1a (Fix OPA user context)
├── Phase 1b (Cedar ABAC context)
└── Phase 3 (Resource attributes)

---

Recommended Approach

1. Immediate PRs (no dependencies):

   • Fix OPA hardcoded user context
   • Populate Cedar ABAC context with available data

2. After [FEATURE][AUTH]: Propagate end user identity and context through the CF workflow #1436:

   • Enrich Cedar/OPA with user groups, roles, department

3. New infrastructure:

   • Approval workflow (significant but self-contained)

4. After [BUG]: Incomplete implementation of REST passthrough configuration #1405:

   • REST tool plugin hook integration

Would welcome PRs for Phase 1 immediately - these are quick wins that improve the existing plugins without waiting for other issues.