fix(policy): carry L7 rule params through the proto load path

krishicks · krishicks · commit dd3f3cd08fb7 · 2026-06-26T11:29:00.000-07:00
proto_to_opa_data_json dropped the per-rule params matcher map for both
allow and deny rules, so MCP tools/call rules narrowed by params.name
degraded to allow-any-tool on the production proto load path (the YAML
path enforced correctly). Emit params alongside query for both rule
kinds and add a from_proto regression test.

Signed-off-by: Kris Hicks &lt;khicks@nvidia.com&gt;
diff --git a/crates/openshell-supervisor-network/src/opa.rs b/crates/openshell-supervisor-network/src/opa.rs
@@ -1200,6 +1200,12 @@ fn proto_to_opa_data_json(proto: &ProtoSandboxPolicy, entrypoint_pid: u32) -> St
                                 if !query.is_empty() {
                                     allow["query"] = query.into();
                                 }
+                                let params = a.map_or_else(serde_json::Map::new, |allow| {
+                                    l7_matchers_to_json(&allow.params)
+                                });
+                                if !params.is_empty() {
+                                    allow["params"] = params.into();
+                                }
                                 serde_json::json!({ "allow": allow })
                             })
                             .collect();
@@ -1239,6 +1245,10 @@ fn proto_to_opa_data_json(proto: &ProtoSandboxPolicy, entrypoint_pid: u32) -> St
                                 if !query.is_empty() {
                                     deny["query"] = query.into();
                                 }
+                                let params = l7_matchers_to_json(&d.params);
+                                if !params.is_empty() {
+                                    deny["params"] = params.into();
+                                }
                                 deny
                             })
                             .collect();
@@ -2843,6 +2853,97 @@ network_policies:
         assert!(!eval_l7(&engine, &deny_input));
     }
 
+    #[test]
+    fn l7_mcp_tool_params_from_proto_are_enforced() {
+        // Regression: the proto load path (from_proto) must carry the rule
+        // `params` matcher map. If it is dropped, a tools/call allow rule
+        // narrowed to one tool degrades to allow-any-tool in production, even
+        // though the YAML/add_data_json path enforces it correctly.
+        let mut params = std::collections::HashMap::new();
+        params.insert(
+            "name".to_string(),
+            L7QueryMatcher {
+                glob: String::new(),
+                any: vec!["read_status".to_string(), "submit_*".to_string()],
+            },
+        );
+
+        let mut network_policies = std::collections::HashMap::new();
+        network_policies.insert(
+            "mcp_proto".to_string(),
+            NetworkPolicyRule {
+                name: "mcp_proto".to_string(),
+                endpoints: vec![NetworkEndpoint {
+                    host: "mcp.proto.com".to_string(),
+                    port: 8000,
+                    path: "/mcp".to_string(),
+                    protocol: "mcp".to_string(),
+                    enforcement: "enforce".to_string(),
+                    rules: vec![L7Rule {
+                        allow: Some(L7Allow {
+                            method: "tools/call".to_string(),
+                            path: String::new(),
+                            command: String::new(),
+                            query: std::collections::HashMap::new(),
+                            operation_type: String::new(),
+                            operation_name: String::new(),
+                            fields: Vec::new(),
+                            params,
+                        }),
+                    }],
+                    ..Default::default()
+                }],
+                binaries: vec![NetworkBinary {
+                    path: "/usr/bin/curl".to_string(),
+                    ..Default::default()
+                }],
+            },
+        );
+
+        let proto = ProtoSandboxPolicy {
+            version: 1,
+            filesystem: Some(ProtoFs {
+                include_workdir: true,
+                read_only: vec![],
+                read_write: vec![],
+            }),
+            landlock: Some(openshell_core::proto::LandlockPolicy {
+                compatibility: "best_effort".to_string(),
+            }),
+            process: Some(ProtoProc {
+                run_as_user: "sandbox".to_string(),
+                run_as_group: "sandbox".to_string(),
+            }),
+            network_policies,
+        };
+
+        let engine = OpaEngine::from_proto(&proto).expect("engine from proto");
+
+        let allowed_tool = l7_jsonrpc_input_with_params(
+            "mcp.proto.com",
+            8000,
+            "/mcp",
+            "tools/call",
+            serde_json::json!({ "name": "read_status" }),
+        );
+        assert!(
+            eval_l7(&engine, &allowed_tool),
+            "tools/call for an allowed tool should be permitted"
+        );
+
+        let blocked_tool = l7_jsonrpc_input_with_params(
+            "mcp.proto.com",
+            8000,
+            "/mcp",
+            "tools/call",
+            serde_json::json!({ "name": "blocked_action" }),
+        );
+        assert!(
+            !eval_l7(&engine, &blocked_tool),
+            "tools/call for a non-matching tool must be denied (params matcher must survive the proto load path)"
+        );
+    }
+
     #[test]
     fn l7_jsonrpc_endpoint_ignores_rest_shaped_allow_rules() {
         let data = serde_json::json!({
