[TT-16566] mcp policy filter tools resource prompt lists

gateway/mw_jsonrpc_access_control.go

@@ -5,6 +5,7 @@ import (
 	"net/http"
 
 	"github.com/TykTechnologies/tyk/internal/httpctx"
+	"github.com/TykTechnologies/tyk/internal/mcp"
 	"github.com/TykTechnologies/tyk/internal/middleware"
 )
 
@@ -53,7 +54,7 @@ func (m *JSONRPCAccessControlMiddleware) ProcessRequest(w http.ResponseWriter, r
 		return nil, http.StatusOK
 	}
 
-	if checkAccessControlRules(accessDef.JSONRPCMethodsAccessRights, state.Method) {
+	if mcp.CheckAccessControlRules(accessDef.JSONRPCMethodsAccessRights, state.Method) {
 		writeJSONRPCAccessDenied(w, r, fmt.Sprintf("method '%s' is not available", state.Method))
 		return nil, middleware.StatusRespond
 	}

gateway/mw_jsonrpc_helpers.go

@@ -5,48 +5,8 @@ import (
 
 	"github.com/TykTechnologies/tyk/internal/httpctx"
 	jsonrpcerrors "github.com/TykTechnologies/tyk/internal/jsonrpc/errors"
-	"github.com/TykTechnologies/tyk/regexp"
-	"github.com/TykTechnologies/tyk/user"
 )
 
-// checkAccessControlRules evaluates allow/block lists against a name.
-// Returns true if the name is denied, false if permitted.
-//
-// Evaluation order:
-//  1. Blocked is checked first — if matched, the request is denied.
-//  2. If Allowed is non-empty and the name does not match any entry, the request is denied.
-//  3. If both lists are empty, access is permitted.
-func checkAccessControlRules(rules user.AccessControlRules, name string) bool {
-	for _, pattern := range rules.Blocked {
-		if matchPattern(pattern, name) {
-			return true
-		}
-	}
-
-	if len(rules.Allowed) == 0 {
-		return false
-	}
-
-	for _, pattern := range rules.Allowed {
-		if matchPattern(pattern, name) {
-			return false
-		}
-	}
-
-	return true
-}
-
-// matchPattern tests name against a regex pattern anchored with ^...$, enforcing full-match semantics.
-// Uses the tyk/regexp package which caches compiled patterns.
-// Falls back to exact-string comparison if the pattern is not valid regex.
-func matchPattern(pattern, name string) bool {
-	re, err := regexp.Compile("^(?:" + pattern + ")$")
-	if err != nil {
-		return pattern == name
-	}
-	return re.MatchString(name)
-}
-
 // writeJSONRPCAccessDenied writes a JSON-RPC 2.0 error response for access-denied cases.
 // Delegates to jsonrpcerrors.WriteJSONRPCError for consistent response shape and HTTP→JSON-RPC
 // error code mapping across all error paths in the gateway.

gateway/mw_jsonrpc_helpers_test.go

@@ -8,134 +8,8 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/TykTechnologies/tyk/internal/httpctx"
-	"github.com/TykTechnologies/tyk/user"
 )
 
-func TestCheckAccessControlRules(t *testing.T) {
-	tests := []struct {
-		name    string
-		rules   user.AccessControlRules
-		input   string
-		wantErr bool
-	}{
-		// Empty rules — everything passes
-		{"empty rules, any input passes", user.AccessControlRules{}, "anything", false},
-		{"empty rules, empty input passes", user.AccessControlRules{}, "", false},
-
-		// Blocked only
-		{"blocked exact match", user.AccessControlRules{Blocked: []string{"tools/list"}}, "tools/list", true},
-		{"blocked no match", user.AccessControlRules{Blocked: []string{"tools/list"}}, "tools/call", false},
-		{"blocked regex match", user.AccessControlRules{Blocked: []string{"delete_.*"}}, "delete_user", true},
-		{"blocked regex no match", user.AccessControlRules{Blocked: []string{"delete_.*"}}, "create_user", false},
-		{"blocked suffix regex", user.AccessControlRules{Blocked: []string{".*_admin"}}, "user_admin", true},
-		{"blocked suffix regex no match", user.AccessControlRules{Blocked: []string{".*_admin"}}, "user_create", false},
-		{"blocked multiple patterns, first matches", user.AccessControlRules{Blocked: []string{"delete_.*", "reset_.*"}}, "delete_all", true},
-		{"blocked multiple patterns, second matches", user.AccessControlRules{Blocked: []string{"delete_.*", "reset_.*"}}, "reset_config", true},
-		{"blocked multiple patterns, none match", user.AccessControlRules{Blocked: []string{"delete_.*", "reset_.*"}}, "get_data", false},
-
-		// Allowed only
-		{"allowed exact match", user.AccessControlRules{Allowed: []string{"tools/call"}}, "tools/call", false},
-		{"allowed not in list", user.AccessControlRules{Allowed: []string{"tools/call"}}, "tools/list", true},
-		{"allowed regex match", user.AccessControlRules{Allowed: []string{"get_.*"}}, "get_weather", false},
-		{"allowed regex no match", user.AccessControlRules{Allowed: []string{"get_.*"}}, "set_config", true},
-		{"allowed multiple patterns, first matches", user.AccessControlRules{Allowed: []string{"get_.*", "list_.*"}}, "get_weather", false},
-		{"allowed multiple patterns, second matches", user.AccessControlRules{Allowed: []string{"get_.*", "list_.*"}}, "list_users", false},
-		{"allowed multiple patterns, none match", user.AccessControlRules{Allowed: []string{"get_.*", "list_.*"}}, "delete_all", true},
-
-		// Both — blocked takes precedence
-		{"deny precedence over allow (exact)",
-			user.AccessControlRules{Blocked: []string{"reset_system"}, Allowed: []string{"reset_system"}},
-			"reset_system", true},
-		{"deny precedence over allow (regex)",
-			user.AccessControlRules{Blocked: []string{".*_system"}, Allowed: []string{"reset_.*"}},
-			"reset_system", true},
-		{"allowed passes when not in blocked",
-			user.AccessControlRules{Blocked: []string{"delete_.*"}, Allowed: []string{"get_.*", "delete_.*"}},
-			"get_weather", false},
-
-		{"alternation: allowed prefix match", user.AccessControlRules{Allowed: []string{"get_.*|set_.*"}}, "get_weather", false},
-		{"alternation: allowed second branch", user.AccessControlRules{Allowed: []string{"get_.*|set_.*"}}, "set_config", false},
-		{"alternation: denied non-matching", user.AccessControlRules{Allowed: []string{"get_.*|set_.*"}}, "delete_all", true},
-		{"alternation: allowed spurious prefix leak", user.AccessControlRules{Allowed: []string{"get_.*|set_.*"}}, "bad_prefix_set_foo", true},
-		{"alternation: blocked spurious trailing leak", user.AccessControlRules{Blocked: []string{"admin|debug"}}, "prefix_debug", false},
-
-		// Edge cases
-		{"pattern with URI chars", user.AccessControlRules{Allowed: []string{"file:///public/.*"}}, "file:///public/readme.md", false},
-		{"pattern with URI chars, no match", user.AccessControlRules{Allowed: []string{"file:///public/.*"}}, "file:///secret/keys.txt", true},
-		{"invalid regex falls back to exact, exact match", user.AccessControlRules{Blocked: []string{"[invalid"}}, "[invalid", true},
-		{"invalid regex falls back to exact, no match", user.AccessControlRules{Blocked: []string{"[invalid"}}, "something", false},
-		{"method name with slash", user.AccessControlRules{Blocked: []string{"tools/list"}}, "tools/list", true},
-		{"method regex with slash", user.AccessControlRules{Allowed: []string{"resources/.*"}}, "resources/read", false},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			denied := checkAccessControlRules(tt.rules, tt.input)
-			if tt.wantErr {
-				assert.True(t, denied, "expected denied for input %q", tt.input)
-			} else {
-				assert.False(t, denied, "expected allowed for input %q", tt.input)
-			}
-		})
-	}
-}
-
-func TestMatchPattern(t *testing.T) {
-	tests := []struct {
-		pattern string
-		name    string
-		want    bool
-	}{
-		// Exact matches
-		{"get_weather", "get_weather", true},
-		{"get_weather", "get_weather_v2", false}, // anchored: no partial match
-		{"tools/call", "tools/call", true},
-		{"tools/call", "tools/list", false},
-
-		// Prefix wildcards
-		{"get_.*", "get_weather", true},
-		{"get_.*", "set_config", false},
-		{"resources/.*", "resources/read", true},
-		{"resources/.*", "prompts/get", false},
-
-		// Suffix wildcards
-		{".*_admin", "user_admin", true},
-		{".*_admin", "user_create", false},
-		{".*_delete", "record_delete", true},
-
-		// Regex alternation
-		{"get_.*|set_.*", "get_weather", true},
-		{"get_.*|set_.*", "set_config", true},
-		{"get_.*|set_.*", "delete_all", false},
-		{"get_.*|set_.*", "bad_prefix_set_foo", false},
-		{"get_.*|set_.*", "get_weather_extra", true},
-		{"a|b", "xb", false},
-		{"a|b", "ax", false},
-		{"a|b", "a", true},
-		{"a|b", "b", true},
-
-		// URI patterns with slashes
-		{"file:///.*", "file:///repo/README", true},
-		{"file:///public/.*", "file:///public/readme.md", true},
-		{"file:///public/.*", "file:///secret/keys.txt", false},
-
-		// Invalid regex — falls back to exact comparison
-		{"[invalid", "[invalid", true},
-		{"[invalid", "something", false},
-
-		// Empty cases
-		{".*", "", true},
-		{"", "", true},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.pattern+"_vs_"+tt.name, func(t *testing.T) {
-			got := matchPattern(tt.pattern, tt.name)
-			assert.Equal(t, tt.want, got, "matchPattern(%q, %q)", tt.pattern, tt.name)
-		})
-	}
-}
-
 func TestWriteJSONRPCAccessDenied_WithState(t *testing.T) {
 	r := httptest.NewRequest("POST", "/mcp", nil)
 	state := &httpctx.JSONRPCRoutingState{

gateway/mw_mcp_access_control.go

@@ -55,7 +55,7 @@ func (m *MCPAccessControlMiddleware) ProcessRequest(w http.ResponseWriter, r *ht
 	}
 
 	rules := rulesForPrimitiveType(accessDef.MCPAccessRights, state.PrimitiveType)
-	if checkAccessControlRules(rules, state.PrimitiveName) {
+	if mcp.CheckAccessControlRules(rules, state.PrimitiveName) {
 		writeJSONRPCAccessDenied(w, r,
 			fmt.Sprintf("%s '%s' is not available", state.PrimitiveType, state.PrimitiveName))
 		return nil, middleware.StatusRespond

gateway/res_handler_mcp_list_filter.go

@@ -0,0 +1,133 @@
+package gateway
+
+import (
+	"bytes"
+	"io"
+	"net/http"
+	"strconv"
+	"strings"
+
+	"github.com/TykTechnologies/tyk/internal/httpctx"
+	"github.com/TykTechnologies/tyk/internal/mcp"
+	"github.com/TykTechnologies/tyk/user"
+)
+
+// MCPListFilterResponseHandler filters MCP list responses (tools/list, prompts/list,
+// resources/list, resources/templates/list) to show only primitives the consumer
+// is authorized to see based on their MCPAccessRights allow/block lists.
+type MCPListFilterResponseHandler struct {
+	BaseTykResponseHandler
+}
+
+// Base returns the base handler for middleware decoration.
+func (h *MCPListFilterResponseHandler) Base() *BaseTykResponseHandler {
+	return &h.BaseTykResponseHandler
+}
+
+// Name returns the handler name for logging and debugging.
+func (h *MCPListFilterResponseHandler) Name() string {
+	return "MCPListFilterResponseHandler"
+}
+
+// Init initializes the handler with the given spec.
+func (h *MCPListFilterResponseHandler) Init(_ any, spec *APISpec) error {
+	h.Spec = spec
+	return nil
+}
+
+// Enabled returns true only for MCP APIs.
+func (h *MCPListFilterResponseHandler) Enabled() bool {
+	return h.Spec.IsMCP()
+}
+
+// HandleResponse filters MCP list responses based on session access rights.
+func (h *MCPListFilterResponseHandler) HandleResponse(_ http.ResponseWriter, res *http.Response, req *http.Request, ses *user.SessionState) error {
+	state := httpctx.GetJSONRPCRoutingState(req)
+	if state == nil {
+		return nil
+	}
+
+	listCfg := h.listConfig(state.Method)
+	if listCfg == nil {
+		return nil
+	}
+
+	// Skip SSE streaming responses — list methods return JSON, but guard against
+	// Streamable HTTP servers that might choose to respond with text/event-stream.
+	// Reading the full body of an SSE stream would block indefinitely.
+	if ct := res.Header.Get("Content-Type"); strings.HasPrefix(ct, "text/event-stream") {
+		return nil
+	}
+
+	rules := h.rulesForAPI(ses, listCfg)
+	if rules.IsEmpty() {
+		return nil
+	}
+
+	body, err := readAndCloseBody(res)
+	if err != nil || len(body) == 0 {
+		return nil //nolint:nilerr // fail-open: pass through on read error
+	}
+
+	newBody, ok := mcp.FilterJSONRPCBody(body, listCfg, rules)
+	if !ok {
+		res.Body = io.NopCloser(bytes.NewReader(body))
+		return nil
+	}
+
+	res.Body = io.NopCloser(bytes.NewReader(newBody))
+	res.ContentLength = int64(len(newBody))
+	res.Header.Set("Content-Length", strconv.Itoa(len(newBody)))
+
+	return nil
+}
+
+// rulesForAPI extracts the access control rules for the current API from the
+// session, returning empty rules if the session has no applicable restrictions.
+func (h *MCPListFilterResponseHandler) rulesForAPI(ses *user.SessionState, cfg *mcp.ListFilterConfig) user.AccessControlRules {
+	if ses == nil {
+		return user.AccessControlRules{}
+	}
+
+	accessDef, ok := ses.AccessRights[h.Spec.APIID]
+	if !ok || accessDef.MCPAccessRights.IsEmpty() {
+		return user.AccessControlRules{}
+	}
+
+	return cfg.RulesFrom(accessDef.MCPAccessRights)
+}
+
+// listConfig returns the filter configuration for a given JSON-RPC method,
+// or nil if the method is not a filterable list method.
+func (h *MCPListFilterResponseHandler) listConfig(method string) *mcp.ListFilterConfig {
+	switch method {
+	case mcp.MethodToolsList:
+		return mcp.ListFilterConfigs["tools"]
+	case mcp.MethodPromptsList:
+		return mcp.ListFilterConfigs["prompts"]
+	case mcp.MethodResourcesList:
+		return mcp.ListFilterConfigs["resources"]
+	case mcp.MethodResourcesTemplatesList:
+		return mcp.ListFilterConfigs["resourceTemplates"]
+	default:
+		return nil
+	}
+}
+
+// readAndCloseBody reads the full response body and closes it. On success the
+// caller owns the returned bytes; the original body is always closed.
+// Returns (nil, nil) when the body is nil.
+func readAndCloseBody(res *http.Response) ([]byte, error) {
+	if res.Body == nil {
+		return nil, nil
+	}
+
+	body, err := io.ReadAll(res.Body)
+	res.Body.Close()
+	if err != nil {
+		res.Body = io.NopCloser(bytes.NewReader(nil))
+		return nil, err
+	}
+
+	return body, nil
+}