Set MCP parent on resource entities for server-scoped policies (#4965)

When serverName is configured on the Cedar authorizer, resource entities
(Tool, Prompt, Resource) need an MCP parent so that server-scoped Cedar
policies like `resource in MCP::"github"` evaluate correctly. Without
this parent, those policies silently match nothing and deny all requests.

Add serverName parameter to CreateEntitiesForRequest and build an
MCP::"<serverName>" parent UID when non-empty. Thread a.serverName
through all four authorize* methods in core.go.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: jhrozek

pkg/authz/authorizers/cedar/core.go

@@ -567,7 +567,9 @@ func (a *Authorizer) authorizeToolCall(
 	})
 
 	// Create Cedar entities
-	entities, err := a.entityFactory.CreateEntitiesForRequest(principal, action, resource, claimsMap, attributes, groups)
+	entities, err := a.entityFactory.CreateEntitiesForRequest(
+		principal, action, resource, claimsMap, attributes, groups, a.serverName,
+	)
 	if err != nil {
 		return false, fmt.Errorf("failed to create Cedar entities: %w", err)
 	}
@@ -604,7 +606,9 @@ func (a *Authorizer) authorizePromptGet(
 	}, attrsMap)
 
 	// Create Cedar entities
-	entities, err := a.entityFactory.CreateEntitiesForRequest(principal, action, resource, claimsMap, attributes, groups)
+	entities, err := a.entityFactory.CreateEntitiesForRequest(
+		principal, action, resource, claimsMap, attributes, groups, a.serverName,
+	)
 	if err != nil {
 		return false, fmt.Errorf("failed to create Cedar entities: %w", err)
 	}
@@ -644,7 +648,9 @@ func (a *Authorizer) authorizeResourceRead(
 	}, attrsMap)
 
 	// Create Cedar entities
-	entities, err := a.entityFactory.CreateEntitiesForRequest(principal, action, resource, claimsMap, attributes, groups)
+	entities, err := a.entityFactory.CreateEntitiesForRequest(
+		principal, action, resource, claimsMap, attributes, groups, a.serverName,
+	)
 	if err != nil {
 		return false, fmt.Errorf("failed to create Cedar entities: %w", err)
 	}
@@ -682,7 +688,9 @@ func (a *Authorizer) authorizeFeatureList(
 	}, attrsMap)
 
 	// Create Cedar entities
-	entities, err := a.entityFactory.CreateEntitiesForRequest(principal, action, resource, claimsMap, attributes, groups)
+	entities, err := a.entityFactory.CreateEntitiesForRequest(
+		principal, action, resource, claimsMap, attributes, groups, a.serverName,
+	)
 	if err != nil {
 		return false, fmt.Errorf("failed to create Cedar entities: %w", err)
 	}

pkg/authz/authorizers/cedar/core_test.go

@@ -1053,6 +1053,7 @@ func TestIsAuthorizedWithEntities(t *testing.T) {
 		map[string]interface{}{"name": "Test User"},
 		map[string]interface{}{"name": "weather"},
 		nil,
+		"",
 	)
 	require.NoError(t, err)
 
@@ -1068,6 +1069,67 @@ func TestIsAuthorizedWithEntities(t *testing.T) {
 	assert.True(t, authorized)
 }
 
+// TestServerScopedPolicyWithMCPParent verifies end-to-end Cedar evaluation
+// with a server-scoped policy. When the authorizer has a serverName, resource
+// entities get an MCP parent and `resource in MCP::"<server>"` matches.
+// When serverName is empty, the same policy denies because there is no parent.
+func TestServerScopedPolicyWithMCPParent(t *testing.T) {
+	t.Parallel()
+
+	policy := `permit(
+		principal,
+		action == Action::"call_tool",
+		resource in MCP::"test-server"
+	);`
+
+	// The MCP entity must be present in the entity store for Cedar's `in`
+	// operator to traverse the parent chain. In production this comes from
+	// entities_json managed by the enterprise controller.
+	mcpEntity := `[{"uid":{"type":"MCP","id":"test-server"},"parents":[],"attrs":{}}]`
+
+	tests := []struct {
+		name       string
+		serverName string
+		wantAllow  bool
+	}{
+		{
+			name:       "serverName_matches_policy_permits",
+			serverName: "test-server",
+			wantAllow:  true,
+		},
+		{
+			name:       "empty_serverName_policy_denies",
+			serverName: "",
+			wantAllow:  false,
+		},
+		{
+			name:       "wrong_serverName_policy_denies",
+			serverName: "other-server",
+			wantAllow:  false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			authorizer, err := NewCedarAuthorizer(ConfigOptions{
+				Policies:     []string{policy},
+				EntitiesJSON: mcpEntity,
+			}, tt.serverName)
+			require.NoError(t, err)
+
+			identity := &auth.Identity{PrincipalInfo: auth.PrincipalInfo{Subject: "testuser", Claims: map[string]interface{}{"sub": "testuser"}}}
+			ctx := auth.WithIdentity(context.Background(), identity)
+
+			authorized, err := authorizer.AuthorizeWithJWTClaims(ctx, authorizers.MCPFeatureTool, authorizers.MCPOperationCall, "weather", nil)
+			assert.NoError(t, err)
+			assert.Equal(t, tt.wantAllow, authorized,
+				"serverName=%q: expected allow=%v", tt.serverName, tt.wantAllow)
+		})
+	}
+}
+
 // TestParseUpstreamJWTClaims tests the parseUpstreamJWTClaims helper.
 func TestParseUpstreamJWTClaims(t *testing.T) {
 	t.Parallel()

pkg/authz/authorizers/cedar/entity.go

@@ -106,11 +106,17 @@ func (*EntityFactory) CreateResourceEntity(
 // Cedar's `in` operator works for group-based policies. Unlike the pre-refactor
 // code, no separate THVGroup entities are inserted into the entity map — those
 // must come from entities_json to preserve the role hierarchy.
+//
+// When serverName is non-empty, resource entities include an MCP parent UID so
+// that server-scoped Cedar policies (e.g. `resource in MCP::"github"`) evaluate
+// correctly via Cedar's `in` operator. When serverName is empty, resource
+// entities have no parents, preserving backward compatibility.
 func (f *EntityFactory) CreateEntitiesForRequest(
 	principal, action, resource string,
 	claimsMap map[string]interface{},
 	attributes map[string]interface{},
 	groups []string,
+	serverName string,
 ) (cedar.EntityMap, error) {
 	// Parse principal, action, and resource
 	principalType, principalID, err := parseCedarEntityID(principal)
@@ -149,8 +155,15 @@ func (f *EntityFactory) CreateEntitiesForRequest(
 	actionUID, actionEntity := f.CreateActionEntity(actionType, actionID, nil)
 	entities[actionUID] = actionEntity
 
+	// Build MCP parent for resource entity when serverName is set so that
+	// server-scoped policies (e.g. resource in MCP::"github") can match.
+	var resourceParents []cedar.EntityUID
+	if serverName != "" {
+		resourceParents = append(resourceParents, cedar.NewEntityUID("MCP", cedar.String(serverName)))
+	}
+
 	// Create resource entity
-	resourceUID, resourceEntity := f.CreateResourceEntity(resourceType, resourceID, attributes)
+	resourceUID, resourceEntity := f.CreateResourceEntity(resourceType, resourceID, attributes, resourceParents...)
 	entities[resourceUID] = resourceEntity
 
 	return entities, nil

pkg/authz/authorizers/cedar/entity_test.go

@@ -270,6 +270,7 @@ func TestCreateEntitiesForRequest_GroupsAsParents(t *testing.T) {
 				map[string]interface{}{"sub": "user1"},
 				map[string]interface{}{"name": "weather"},
 				tt.groups,
+				"",
 			)
 			require.NoError(t, err)
 			require.NotNil(t, entities)
@@ -387,7 +388,7 @@ func TestCreateCedarEntities(t *testing.T) {
 			factory := NewEntityFactory()
 
 			// Create Cedar entities (no groups for these test cases)
-			entities, err := factory.CreateEntitiesForRequest(tc.principal, tc.action, tc.resource, tc.claimsMap, tc.attributes, nil)
+			entities, err := factory.CreateEntitiesForRequest(tc.principal, tc.action, tc.resource, tc.claimsMap, tc.attributes, nil, "")
 
 			// Check error expectations
 			if tc.expectErr {
@@ -463,3 +464,94 @@ func TestCreateCedarEntities(t *testing.T) {
 		})
 	}
 }
+
+// TestCreateEntitiesForRequest_MCPParent verifies that CreateEntitiesForRequest
+// sets an MCP parent UID on the resource entity when serverName is non-empty,
+// and leaves the resource parentless when serverName is empty.
+func TestCreateEntitiesForRequest_MCPParent(t *testing.T) {
+	t.Parallel()
+
+	factory := NewEntityFactory()
+
+	tests := []struct {
+		name            string
+		resource        string
+		serverName      string
+		wantParentCount int
+		wantMCPParentID string
+	}{
+		{
+			name:            "empty_serverName_no_parent",
+			resource:        "Tool::weather",
+			serverName:      "",
+			wantParentCount: 0,
+		},
+		{
+			name:            "serverName_sets_MCP_parent_on_Tool",
+			resource:        "Tool::weather",
+			serverName:      "github",
+			wantParentCount: 1,
+			wantMCPParentID: "github",
+		},
+		{
+			name:            "serverName_sets_MCP_parent_on_Prompt",
+			resource:        "Prompt::greeting",
+			serverName:      "github",
+			wantParentCount: 1,
+			wantMCPParentID: "github",
+		},
+		{
+			name:            "serverName_sets_MCP_parent_on_Resource",
+			resource:        "Resource::readme",
+			serverName:      "github",
+			wantParentCount: 1,
+			wantMCPParentID: "github",
+		},
+		{
+			name:            "serverName_with_special_characters",
+			resource:        "Tool::weather",
+			serverName:      "my-server.example.com",
+			wantParentCount: 1,
+			wantMCPParentID: "my-server.example.com",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			entities, err := factory.CreateEntitiesForRequest(
+				"Client::user1",
+				"Action::call_tool",
+				tt.resource,
+				map[string]interface{}{"sub": "user1"},
+				map[string]interface{}{},
+				nil,
+				tt.serverName,
+			)
+			require.NoError(t, err)
+			require.NotNil(t, entities)
+
+			// Find the resource entity by scanning for a non-Client, non-Action UID.
+			var resourceEntity cedar.Entity
+			var found bool
+			for uid, ent := range entities {
+				if string(uid.Type) != "Client" && string(uid.Type) != "Action" {
+					resourceEntity = ent
+					found = true
+					break
+				}
+			}
+			require.True(t, found, "resource entity not found in map")
+
+			assert.Equal(t, tt.wantParentCount, resourceEntity.Parents.Len(),
+				"unexpected number of parents on resource entity")
+
+			if tt.wantMCPParentID != "" {
+				mcpUID := cedar.NewEntityUID("MCP", cedar.String(tt.wantMCPParentID))
+				assert.True(t, resourceEntity.Parents.Contains(mcpUID),
+					"expected MCP::%q in resource.Parents", tt.wantMCPParentID)
+			}
+		})
+	}
+}