
    i                       d Z ddlmZ ddlZddlZddlmZmZ ddlm	Z	 ddl
mZmZ ddlmZ  ej                  e      ZerddlmZ dd	lmZ dd
lmZ e	 G d d             Zeegef   eegee   f   z  ZddZddZ	 	 	 	 	 	 ddZy)a$  Authorization checks for FastMCP components.

This module provides callable-based authorization for tools, resources, and prompts.
Auth checks are functions that receive an AuthContext and return True to allow access
or False to deny.

Auth checks can also raise exceptions:
- AuthorizationError: Propagates with the custom message for explicit denial
- Other exceptions: Masked for security (logged, then treated as a denial rather than propagated)

Example:
    ```python
    from fastmcp import FastMCP
    from fastmcp.server.auth import require_scopes

    mcp = FastMCP()

    @mcp.tool(auth=require_scopes("write"))
    def protected_tool(): ...

    @mcp.resource("data://secret", auth=require_scopes("read"))
    def secret_data(): ...

    @mcp.prompt(auth=require_scopes("admin"))
    def admin_prompt(): ...
    ```
    )annotationsN)	AwaitableCallable)	dataclass)TYPE_CHECKINGcast)AuthorizationError)AccessTokenTool)FastMCPComponentc                  8    e Zd ZU dZded<   ded<   edd       Zy)	AuthContexta  Context passed to auth check callables.

    This object is passed to each auth check function and provides
    access to the current authentication token and the component being accessed.

    Attributes:
        token: The current access token, or None if unauthenticated.
        component: The component (tool, resource, or prompt) being accessed.
        tool: Backwards-compatible alias for component when it's a Tool.
    zAccessToken | Nonetokenr   	componentc                V    ddl m} t        | j                  |      r| j                  S dS )zBackwards-compatible access to the component as a Tool.

        Returns the component if it's a Tool, None otherwise.
        r   r   N)fastmcp.tools.toolr   
isinstancer   )selfr   s     q/Users/bowang/.openclaw/workspace/ChatDev/.venv/lib/python3.12/site-packages/fastmcp/server/auth/authorization.pytoolzAuthContext.tool?   s#     	,!+DNND!At~~KtK    N)returnzTool | None)__name__
__module____qualname____doc____annotations__propertyr    r   r   r   r   /   s)    	 L Lr   r   c                 *    t        |       dfd}|S )a  Require specific OAuth scopes.

    Returns an auth check that requires ALL specified scopes to be present
    in the token (AND logic).

    Args:
        *scopes: One or more scope strings that must all be present.

    Example:
        ```python
        @mcp.tool(auth=require_scopes("admin"))
        def admin_tool(): ...

        @mcp.tool(auth=require_scopes("read", "write"))
        def read_write_tool(): ...
        ```
    c                z    | j                   yj                  t        | j                   j                              S )NF)r   issubsetsetscopes)ctxrequireds    r   checkzrequire_scopes.<locals>.checkb   s0    99  SYY%5%5!677r   r&   r   r   boolr$   )r%   r(   r'   s     @r   require_scopesr,   N   s    $ 6{H8
 Lr   c               .     t        |      d fd}|S )a  Restrict components with a specific tag to require certain scopes.

    If the component has the specified tag, the token must have ALL the
    required scopes. If the component doesn't have the tag, access is allowed
    by this check without inspecting the token, so untagged components are
    not protected by it.

    Args:
        tag: The tag that triggers the scope requirement.
        scopes: List of scopes required when the tag is present.

    Example:
        ```python
        # Components tagged "admin" require the "admin" scope
        AuthMiddleware(auth=restrict_tag("admin", scopes=["admin"]))
        ```
    c                    | j                   j                  vry| j                  yj                  t	        | j                  j
                              S )NTF)r   tagsr   r#   r$   r%   )r&   r'   tags    r   r(   zrestrict_tag.<locals>.check|   sE    cmm(((99  SYY%5%5!677r   r)   r+   )r0   r%   r(   r'   s   `  @r   restrict_tagr1   j   s      6{H8 Lr   c                ^  K   t        | t              s| gn| }t        t        t           |      }|D ].  }	  ||      }t	        j
                  |      r
| d{   }|s y0 y7 # t        $ r  t        $ r3 t        j                  dt        |dt        |             dd       Y  yw xY ww)a  Run auth checks with AND logic.

    All checks must pass for authorization to succeed. Checks can be
    synchronous or asynchronous functions.

    Auth checks can:
    - Return True to allow access
    - Return False to deny access
    - Raise AuthorizationError to deny with a custom message (propagates)
    - Raise other exceptions (masked for security, treated as denial)

    Args:
        checks: A single check function or list of check functions.
            Each check can be sync (returns bool) or async (returns Awaitable[bool]).
        ctx: The auth context to pass to each check.

    Returns:
        True if all checks pass, False if any check fails.

    Raises:
        AuthorizationError: If an auth check explicitly raises it.
    NFzAuth check r   z raised an unexpected exceptionT)exc_info)r   listr   	AuthCheckinspectisawaitabler	   	Exceptionloggerwarninggetattrrepr)checksr&   
check_listr(   results        r   run_auth_checksr@      s     4 ",FD!9&vJd9oz2J	3ZF""6*%  &  & " 	 	NNgeZeEF G1 1  
 	s;   2B-"A%A#A%B-#A%%AB*&B-)B**B-)r%   strr   r5   )r0   rA   r%   z	list[str]r   r5   )r=   zAuthCheck | list[AuthCheck]r&   r   r   r*   )r   
__future__r   r6   loggingcollections.abcr   r   dataclassesr   typingr   r   fastmcp.exceptionsr	   	getLoggerr   r9   fastmcp.server.authr
   r   r   fastmcp.utilities.componentsr   r   r*   r5   r,   r1   r@   r    r   r   <module>rK      s   8 #   / ! & 1			8	$/'= L L L6 k]D()Hk]IdO5S,TT	880'0	0 
0r   