<?php
declare(strict_types=1);
namespace Arcp\Auth;
use Arcp\Errors\UnimplementedException;
use Arcp\Messages\Session\Auth;
use Arcp\Messages\Session\PeerInfo;
/**
 * Dispatches an inbound auth block to the {@see AuthScheme} registered
 * under its `scheme` name.
 *
 * A scheme with no registered handler never reaches a verifier. The
 * reserved names `mtls` and `oauth2` raise {@see UnimplementedException}
 * so the runtime can convert to `session.rejected`/UNIMPLEMENTED; every
 * other unregistered name comes back as a rejected {@see AuthResult}.
 */
final class AuthRouter
{
    /**
     * Registered handlers, keyed by the value of {@see AuthScheme::name()}.
     *
     * @var array<string, AuthScheme>
     */
    private array $schemes = [];

    /**
     * Seeds the router with an initial set of handlers.
     *
     * Each element is stored under whatever its `name()` returns, so a
     * later element with the same name replaces an earlier one. Unlike
     * register(), nothing here enforces the AuthScheme type at runtime;
     * only the docblock states it.
     *
     * @param iterable<AuthScheme> $schemes
     */
    public function __construct(iterable $schemes = [])
    {
        foreach ($schemes as $handler) {
            $key = $handler->name();
            $this->schemes[$key] = $handler;
        }
    }

    /**
     * Adds a handler under its own name.
     *
     * Registration is last-wins: an existing handler with the same name
     * is replaced without any signal to the caller.
     */
    public function register(AuthScheme $scheme): void
    {
        $key = $scheme->name();
        $this->schemes[$key] = $scheme;
    }

    /**
     * Verifies an auth block with the handler registered for its scheme.
     *
     * @throws UnimplementedException when the scheme is `mtls` or `oauth2`
     *                                and no handler is registered for it
     */
    public function verify(Auth $auth, PeerInfo $client): AuthResult
    {
        $requested = $auth->scheme;
        $handler = $this->schemes[$requested] ?? null;

        if ($handler !== null) {
            return $handler->verify($auth, $client);
        }

        // mTLS and OAuth2 are reserved (RFC §8.2) but unimplemented in v0.1.
        $isReserved = \in_array($requested, ['mtls', 'oauth2'], true);

        if (!$isReserved) {
            // NOTE(review): the scheme name comes from the inbound auth block
            // and is copied into the reason verbatim. Confirm that whatever
            // logs or returns this reason bounds its length and escapes it.
            return AuthResult::reject('unknown auth scheme: ' . $requested);
        }

        throw new UnimplementedException(
            '§8.2',
            \sprintf('auth scheme %s deferred to v0.2', $requested),
        );
    }

    /**
     * Reports whether a handler is registered under the given name.
     *
     * Reserved names count as unsupported until a handler is registered.
     */
    public function supports(string $scheme): bool
    {
        return isset($this->schemes[$scheme]);
    }
}