Support wildcard ["*"] in allowed-tools filtering (#3445)

lpcox · web-flow · commit 24416ef5098e · 2026-04-09T10:58:20.000-07:00
`buildAllowedToolSets()` treats every entry in the `Tools` list as a literal tool name. When the gh-aw compiler emits `tools: ["*"]`, no tool matches the literal string `"*"`, so all tools get filtered out. ### Changes - **`internal/server/unified.go`**: `buildAllowedToolSets` now detects `"*"` anywhere in the tools list via a `hasWildcard()` helper. Wildcard servers are skipped (not added to the filter map), same as servers with no `Tools` config. Logs `[allowed-tools] Wildcard "*" configured for <serverID>: allowing all tools` when triggered. - **Tests**: Wildcard cases added to `TestIsToolAllowed` table, plus new `TestBuildAllowedToolSets_WildcardStar`, `TestBuildAllowedToolSets_WildcardMixed`, `TestIsToolAllowed_Wildcard`, and `TestRegisterToolsFromBackend_WildcardAllowsAll`. ```go // Before: ["*"] builds a set with literal "*" key — nothing matches // After: if hasWildcard(serverCfg.Tools) { logger.LogInfo("backend", "[allowed-tools] Wildcard \"*\" configured for %s: allowing all tools", serverID) continue } ``` > [!WARNING] > > <details> > <summary>Firewall rules blocked me from connecting to one or more addresses (expand for details)</summary> > > #### I tried to connect to the following addresses, but was blocked by firewall rules: > > - `example.com` > - Triggering command: `/tmp/go-build1981761529/b514/launcher.test /tmp/go-build1981761529/b514/launcher.test -test.testlogfile=/tmp/go-build1981761529/b514/testlog.txt -test.paniconexit0 -test.timeout=10m0s 9420�� 9420830/b336/_pkg_.a pkg/mod/github.com/tetratelabs/wazero@v1.11.0/in-ifaceassert x_amd64/vet --gdwarf-5 .io/otel/sdk/res-V=full -o x_amd64/vet` (dns block) > - `invalid-host-that-does-not-exist-12345.com` > - Triggering command: `/tmp/go-build1981761529/b496/config.test /tmp/go-build1981761529/b496/config.test -test.testlogfile=/tmp/go-build1981761529/b496/testlog.txt -test.paniconexit0 -test.timeout=10m0s -w PXs3z5Xin .cfg 64/pkg/tool/linux_amd64/vet -c .io/otel/attribu/tmp/go-build2334098856/b305/vet.cfg /tmp/go-build3709420830/b148/ 64/pkg/tool/linux_amd64/vet ache�� olang.org/grpc@v1.80.0/channelz/channelz.go .cfg 64/pkg/tool/linux_amd64/vet --gdwarf-5 --64 -o 64/pkg/tool/linux_amd64/vet` (dns block) > - `nonexistent.local` > - Triggering command: `/tmp/go-build1981761529/b514/launcher.test /tmp/go-build1981761529/b514/launcher.test -test.testlogfile=/tmp/go-build1981761529/b514/testlog.txt -test.paniconexit0 -test.timeout=10m0s 9420�� 9420830/b336/_pkg_.a pkg/mod/github.com/tetratelabs/wazero@v1.11.0/in-ifaceassert x_amd64/vet --gdwarf-5 .io/otel/sdk/res-V=full -o x_amd64/vet` (dns block) > - `slow.example.com` > - Triggering command: `/tmp/go-build1981761529/b514/launcher.test /tmp/go-build1981761529/b514/launcher.test -test.testlogfile=/tmp/go-build1981761529/b514/testlog.txt -test.paniconexit0 -test.timeout=10m0s 9420�� 9420830/b336/_pkg_.a pkg/mod/github.com/tetratelabs/wazero@v1.11.0/in-ifaceassert x_amd64/vet --gdwarf-5 .io/otel/sdk/res-V=full -o x_amd64/vet` (dns block) > - `this-host-does-not-exist-12345.com` > - Triggering command: `/tmp/go-build1981761529/b523/mcp.test /tmp/go-build1981761529/b523/mcp.test -test.testlogfile=/tmp/go-build1981761529/b523/testlog.txt -test.paniconexit0 -test.timeout=10m0s` (dns block) > > If you need me to access, download, or install something from one of these locations, you can either: > > - Configure [Actions setup steps](https://gh.io/copilot/actions-setup-steps) to set up my environment, which run before the firewall is enabled > - Add the appropriate URLs or hosts to the custom allowlist in this repository's [Copilot coding agent settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent) (admins only) > > </details>
diff --git a/internal/server/allowed_tools_integration_test.go b/internal/server/allowed_tools_integration_test.go
@@ -463,6 +463,88 @@ func TestIsToolAllowed_Integration(t *testing.T) {
 	assert.True(t, us.isToolAllowed("unknown", "tool"))
 }
 
+// TestBuildAllowedToolSets_WildcardStar verifies that Tools: ["*"] results in no
+// entry in the sets map, meaning all tools are allowed (same as an empty list).
+func TestBuildAllowedToolSets_WildcardStar(t *testing.T) {
+	cfg := &config.Config{
+		Servers: map[string]*config.ServerConfig{
+			"wildcard":   {Tools: []string{"*"}},
+			"restricted": {Tools: []string{"a", "b"}},
+			"open":       {},
+		},
+	}
+	sets := buildAllowedToolSets(cfg)
+
+	_, hasWildcardServer := sets["wildcard"]
+	assert.False(t, hasWildcardServer, "server with wildcard must not be in the set map")
+
+	_, hasRestricted := sets["restricted"]
+	assert.True(t, hasRestricted, "restricted server should still be in the set map")
+
+	_, hasOpen := sets["open"]
+	assert.False(t, hasOpen, "open server must not be in the set map")
+}
+
+// TestBuildAllowedToolSets_WildcardMixed verifies that a "*" anywhere in the
+// Tools list causes the server to be treated as unrestricted.
+func TestBuildAllowedToolSets_WildcardMixed(t *testing.T) {
+	cfg := &config.Config{
+		Servers: map[string]*config.ServerConfig{
+			"mixed": {Tools: []string{"tool_a", "*", "tool_b"}},
+		},
+	}
+	sets := buildAllowedToolSets(cfg)
+
+	_, hasMixed := sets["mixed"]
+	assert.False(t, hasMixed, "server with wildcard in mixed list must not be in the set map")
+}
+
+// TestIsToolAllowed_Wildcard verifies that isToolAllowed returns true for any
+// tool name when the server is configured with Tools: ["*"].
+func TestIsToolAllowed_Wildcard(t *testing.T) {
+	cfg := &config.Config{
+		Servers: map[string]*config.ServerConfig{
+			"wildcard": {Tools: []string{"*"}},
+		},
+	}
+	us := &UnifiedServer{allowedToolSets: buildAllowedToolSets(cfg)}
+
+	assert.True(t, us.isToolAllowed("wildcard", "any_tool"))
+	assert.True(t, us.isToolAllowed("wildcard", "another_tool"))
+	assert.True(t, us.isToolAllowed("wildcard", "delete_everything"))
+}
+
+// TestRegisterToolsFromBackend_WildcardAllowsAll verifies that when a backend
+// is configured with Tools: ["*"], all tools from the backend are registered.
+func TestRegisterToolsFromBackend_WildcardAllowsAll(t *testing.T) {
+	require := require.New(t)
+	assert := assert.New(t)
+
+	backend := newMockMCPBackendWithTools(t, "elastic-docs", []string{"search_code", "get_file_contents", "delete_repo"})
+	defer backend.Close()
+
+	cfg := &config.Config{
+		Servers: map[string]*config.ServerConfig{
+			"elastic-docs": {
+				Type:  "http",
+				URL:   backend.URL,
+				Tools: []string{"*"}, // wildcard — all tools allowed
+			},
+		},
+	}
+
+	us, err := NewUnified(context.Background(), cfg)
+	require.NoError(err)
+	defer us.Close()
+
+	us.toolsMu.RLock()
+	defer us.toolsMu.RUnlock()
+
+	assert.Contains(us.tools, "elastic-docs___search_code", "search_code should be registered")
+	assert.Contains(us.tools, "elastic-docs___get_file_contents", "get_file_contents should be registered")
+	assert.Contains(us.tools, "elastic-docs___delete_repo", "delete_repo should be registered with wildcard")
+}
+
 // ----- helpers -----------------------------------------------------------
 
 // toolNameSet converts a []ToolInfo slice into a name -> bool map for easy lookup.
diff --git a/internal/server/call_backend_tool_test.go b/internal/server/call_backend_tool_test.go
@@ -399,6 +399,8 @@ func TestIsToolAllowed(t *testing.T) {
 		{"empty list allows anything", []string{}, "any_tool", true},
 		{"tool in list", []string{"a", "b"}, "a", true},
 		{"tool not in list", []string{"a", "b"}, "c", false},
+		{"wildcard allows anything", []string{"*"}, "any_tool", true},
+		{"wildcard in mixed list allows anything", []string{"a", "*"}, "z", true},
 	}
 
 	for _, tc := range tests {
diff --git a/internal/server/unified.go b/internal/server/unified.go
@@ -378,14 +378,20 @@ func newErrorCallToolResult(err error) (*sdk.CallToolResult, interface{}, error)
 
 // buildAllowedToolSets converts the per-server Tools lists from the config into pre-computed
 // map[string]bool sets for O(1) lookup. Servers with no Tools list are not added to the map,
-// which signals that all tools are permitted.
+// which signals that all tools are permitted. If the Tools list contains a "*" entry anywhere,
+// the server is treated the same as having no list (all tools allowed).
 func buildAllowedToolSets(cfg *config.Config) map[string]map[string]bool {
 	sets := make(map[string]map[string]bool)
 	if cfg == nil {
 		return sets
 	}
 	for serverID, serverCfg := range cfg.Servers {
 		if len(serverCfg.Tools) > 0 {
+			// Treat "*" anywhere in the list as "allow all" — skip adding to the filter map
+			if hasWildcard(serverCfg.Tools) {
+				logger.LogInfo("backend", "[allowed-tools] Wildcard \"*\" configured for %s: allowing all tools", serverID)
+				continue
+			}
 			set := make(map[string]bool, len(serverCfg.Tools))
 			for _, t := range serverCfg.Tools {
 				set[t] = true
@@ -396,6 +402,16 @@ func buildAllowedToolSets(cfg *config.Config) map[string]map[string]bool {
 	return sets
 }
 
+// hasWildcard reports whether the tools list contains a "*" entry.
+func hasWildcard(tools []string) bool {
+	for _, t := range tools {
+		if t == "*" {
+			return true
+		}
+	}
+	return false
+}
+
 // isToolAllowed reports whether toolName is permitted by the server's configured
 // allowed-tools list. When no list is configured (empty), all tools are allowed.
 // Uses the pre-computed allowedToolSets map for O(1) lookup.

Original file line number	Diff line number	Diff line change
`@@ -399,6 +399,8 @@ func TestIsToolAllowed(t *testing.T) {`
`399`	`399`	`{"empty list allows anything", []string{}, "any_tool", true},`
`400`	`400`	`{"tool in list", []string{"a", "b"}, "a", true},`
`401`	`401`	`{"tool not in list", []string{"a", "b"}, "c", false},`
	`402`	`+ {"wildcard allows anything", []string{"*"}, "any_tool", true},`
	`403`	`+ {"wildcard in mixed list allows anything", []string{"a", "*"}, "z", true},`
`402`	`404`	`}`
`403`	`405`
`404`	`406`	`for _, tc := range tests {`