"""
Example of Duo Authorization API MCP capabilities evaluation
"""
from argparse import ArgumentParser, Namespace
import duo_client
from duo_client.authorization import McpCapabilities
import getpass
def _get_arg(args: Namespace, name: str, prompt: str, secure=False):
    """Return the parsed flag *name*, or prompt on stdin when the flag is None.

    With ``secure=True`` the prompt goes through ``getpass`` so that what is
    typed is not echoed to the terminal; otherwise plain ``input`` is used.
    """
    supplied = getattr(args, name)
    if supplied is None:
        # Only the exact value True selects the no-echo reader.
        reader = getpass.getpass if secure is True else input
        return reader(prompt)
    return supplied
def prompt_for_credentials(args: Namespace) -> dict:
    """Gather the values the example needs, prompting for any not given as flags.

    The integration secret key and the access token are requested with
    ``secure=True`` so they are not echoed when typed.

    :return: dictionary with the keys IKEY, SKEY, APIHOST, ACCESS_TOKEN and
        MCP_SERVER_ID; SKEY and ACCESS_TOKEN hold secrets and should not be
        printed or logged
    """
    # Dict entries are evaluated top to bottom, so any prompts appear in this order.
    return {
        "IKEY": _get_arg(args, "ikey", 'Duo Authorization API integration key ("DI..."): '),
        "SKEY": _get_arg(args, "skey", 'Duo Authorization API integration secret key: ', secure=True),
        "APIHOST": _get_arg(args, "api_host", 'Duo Authorization API hostname ("api-....duosecurity.com"): '),
        "ACCESS_TOKEN": _get_arg(args, "access_token", 'Access token: ', secure=True),
        "MCP_SERVER_ID": _get_arg(args, "mcp_server_id", 'MCP Server ID: '),
    }
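def main():
    """Check the Duo service and credentials, then evaluate MCP capabilities.

    Values not supplied as flags are collected interactively by
    ``prompt_for_credentials``. The script exits with status 1 when the
    service ping or the credential check does not return a ``time`` field,
    instead of going on to the evaluate call after a failed check.
    """
    parser = ArgumentParser()
    parser.add_argument("--ikey", type=str, help="Duo Authorization API integration key")
    # Secrets given as flags can end up in shell history and process listings;
    # when the flag is omitted the value is read with getpass (no echo) instead.
    parser.add_argument(
        "--skey",
        type=str,
        help="integration secret key; omit to be prompted without echo",
    )
    parser.add_argument("--api-host", type=str, help="Duo Authorization API hostname")
    parser.add_argument(
        "--access-token",
        type=str,
        help="access token to evaluate; omit to be prompted without echo",
    )
    parser.add_argument("--mcp-server-id", type=str, help="MCP server ID to evaluate against")
    parser.add_argument(
        "--mcp-server-name",
        type=str,
        default='',
        help="MCP server name passed to the evaluation (default: empty)",
    )
    parser.add_argument(
        "--tool",
        type=str,
        default=None,
        help="tool passed to the evaluation (optional)",
    )
    args = parser.parse_args()

    inputs = prompt_for_credentials(args)

    authz_client = duo_client.Authorization(
        ikey=inputs['IKEY'],
        skey=inputs['SKEY'],
        host=inputs['APIHOST'],
    )

    # Verify that the Duo service is available
    duo_ping = authz_client.ping()
    if 'time' in duo_ping:
        print("\nDuo Authorization service check completed successfully.")
    else:
        print(f"Error: {duo_ping}")
        # Stop here: the later steps depend on a reachable service.
        raise SystemExit(1)

    # Verify that IKEY and SKEY information provided are valid
    duo_check = authz_client.check()
    if 'time' in duo_check:
        print("IKEY and SKEY provided have been verified.")
    else:
        print(f"Error: {duo_check}")
        # Stop here: do not run the evaluation with credentials that failed verification.
        raise SystemExit(1)

    # Evaluate MCP capabilities
    capabilities = McpCapabilities(
        access_token=inputs['ACCESS_TOKEN'],
        mcp_server_id=inputs['MCP_SERVER_ID'],
        mcp_server_name=args.mcp_server_name,
        tool=args.tool,
    )

    # Only the server ID is echoed; the access token is never printed.
    print(f"\nEvaluating MCP capabilities for server {inputs['MCP_SERVER_ID']}...")
    result = authz_client.evaluate(capabilities)

    print(f"\nAuthorized: {result['authorized']}")
    print(f"Allowed capabilities: {result['allowed_capabilities']}")
    print(f"User ID: {result['user_id']}")
    print(f"Non-human identity: {result['non_human_identity']}")
    print(f"Policy version ID: {result['policy_version_id']}")
    print(f"Expires at: {result['expires_at']}")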
# Run the example only when executed as a script, not when imported.
if __name__ == "__main__":
    main()