DiscoverAbilitiesAbility.php
7 months ago
ExecuteAbilityAbility.php
7 months ago
GetAbilityInfoAbility.php
7 months ago
McpAbilityHelperTrait.php
7 months ago
ExecuteAbilityAbility.php
223 lines
| 1 | <?php |
| 2 | /** |
| 3 | * Ability for executing WordPress abilities. |
| 4 | * |
| 5 | * @package McpAdapter |
| 6 | */ |
| 7 | |
| 8 | declare( strict_types=1 ); |
| 9 | |
| 10 | namespace WP\MCP\Abilities; |
| 11 | |
| 12 | /** |
| 13 | * Execute Ability - Executes a WordPress ability with provided parameters. |
| 14 | * |
| 15 | * This ability provides the primary execution layer for running any registered |
| 16 | * WordPress ability through the MCP protocol. |
| 17 | * |
| 18 | * SECURITY CONSIDERATIONS: |
| 19 | * - This ability has openWorldHint=true, allowing execution of any registered ability |
| 20 | * - Only abilities with mcp.public=true metadata can be executed via default MCP server. |
| 21 | * - Requires proper WordPress capability checks for secure operation |
| 22 | * - Caller identity verification is enforced through WordPress authentication |
| 23 | * |
| 24 | * @see https://github.com/your-repo/mcp-adapter/docs/security.md for detailed security configuration |
| 25 | */ |
| 26 | final class ExecuteAbilityAbility { |
| 27 | use McpAbilityHelperTrait; |
| 28 | |
| 29 | /** |
| 30 | * Register the ability. |
| 31 | */ |
| 32 | public static function register(): void { |
| 33 | wp_register_ability( |
| 34 | 'mcp-adapter/execute-ability', |
| 35 | array( |
| 36 | 'label' => 'Execute Ability', |
| 37 | 'description' => 'Execute a WordPress ability with the provided parameters. This is the primary execution layer that can run any registered ability.', |
| 38 | 'category' => 'mcp-adapter', |
| 39 | 'input_schema' => array( |
| 40 | 'type' => 'object', |
| 41 | 'properties' => array( |
| 42 | 'ability_name' => array( |
| 43 | 'type' => 'string', |
| 44 | 'description' => 'The full name of the ability to execute', |
| 45 | ), |
| 46 | 'parameters' => array( |
| 47 | 'type' => 'object', |
| 48 | 'description' => 'Parameters to pass to the ability', |
| 49 | ), |
| 50 | ), |
| 51 | 'required' => array( 'ability_name', 'parameters' ), |
| 52 | 'additionalProperties' => false, |
| 53 | ), |
| 54 | 'output_schema' => array( |
| 55 | 'type' => 'object', |
| 56 | 'properties' => array( |
| 57 | 'success' => array( 'type' => 'boolean' ), |
| 58 | 'data' => array( |
| 59 | 'description' => 'The result data from the ability execution', |
| 60 | ), |
| 61 | 'error' => array( |
| 62 | 'type' => 'string', |
| 63 | 'description' => 'Error message if execution failed', |
| 64 | ), |
| 65 | ), |
| 66 | 'required' => array( 'success' ), |
| 67 | ), |
| 68 | 'permission_callback' => array( self::class, 'check_permission' ), |
| 69 | 'execute_callback' => array( self::class, 'execute' ), |
| 70 | 'meta' => array( |
| 71 | 'annotations' => array( |
| 72 | 'priority' => '1.0', |
| 73 | 'readOnlyHint' => false, |
| 74 | 'openWorldHint' => true, |
| 75 | ), |
| 76 | ), |
| 77 | ) |
| 78 | ); |
| 79 | } |
| 80 | |
| 81 | /** |
| 82 | * Check permissions for executing abilities. |
| 83 | * |
| 84 | * Validates user capabilities, caller identity, and MCP exposure restrictions. |
| 85 | * |
| 86 | * @param array $input Input parameters containing ability_name and parameters. |
| 87 | * |
| 88 | * @return bool|\WP_Error True if the user has permission to execute the specified ability. |
| 89 | * @phpstan-return bool|\WP_Error |
| 90 | */ |
| 91 | public static function check_permission( $input = array() ) { |
| 92 | $ability_name = $input['ability_name'] ?? ''; |
| 93 | |
| 94 | if ( empty( $ability_name ) ) { |
| 95 | return new \WP_Error( 'missing_ability_name', 'Ability name is required' ); |
| 96 | } |
| 97 | |
| 98 | // Validate user authentication and capabilities |
| 99 | $user_check = self::validate_user_access(); |
| 100 | if ( is_wp_error( $user_check ) ) { |
| 101 | return $user_check; |
| 102 | } |
| 103 | |
| 104 | // Check MCP exposure restrictions |
| 105 | $exposure_check = self::check_ability_mcp_exposure( $ability_name ); |
| 106 | if ( is_wp_error( $exposure_check ) ) { |
| 107 | return $exposure_check; |
| 108 | } |
| 109 | |
| 110 | // Get the target ability |
| 111 | $ability = wp_get_ability( $ability_name ); |
| 112 | if ( ! $ability ) { |
| 113 | return new \WP_Error( 'ability_not_found', "Ability '{$ability_name}' not found" ); |
| 114 | } |
| 115 | |
| 116 | // Check if the user has permission to execute the target ability |
| 117 | $parameters = empty( $input['parameters'] ) ? null : $input['parameters']; |
| 118 | $permission_result = $ability->check_permissions( $parameters ); |
| 119 | |
| 120 | // Return WP_Error as-is, or convert other values to boolean |
| 121 | if ( is_wp_error( $permission_result ) ) { |
| 122 | return $permission_result; |
| 123 | } |
| 124 | |
| 125 | return (bool) $permission_result; |
| 126 | } |
| 127 | |
| 128 | /** |
| 129 | * Validate user authentication and basic capabilities for execute ability. |
| 130 | * |
| 131 | * @return bool|\WP_Error True if valid, WP_Error if validation fails. |
| 132 | */ |
| 133 | private static function validate_user_access() { |
| 134 | // Verify caller identity - ensure user is authenticated |
| 135 | if ( ! is_user_logged_in() ) { |
| 136 | return new \WP_Error( 'authentication_required', 'User must be authenticated to access this ability' ); |
| 137 | } |
| 138 | |
| 139 | // Check basic capability requirement - allow customization via filter |
| 140 | $required_capability = apply_filters( 'mcp_adapter_execute_ability_capability', 'read' ); |
| 141 | // phpcs:ignore WordPress.WP.Capabilities.Undetermined -- Capability is determined dynamically via filter |
| 142 | if ( ! current_user_can( $required_capability ) ) { |
| 143 | return new \WP_Error( |
| 144 | 'insufficient_capability', |
| 145 | sprintf( 'User lacks required capability: %s', $required_capability ) |
| 146 | ); |
| 147 | } |
| 148 | |
| 149 | return true; |
| 150 | } |
| 151 | |
| 152 | /** |
| 153 | * Execute the ability execution functionality. |
| 154 | * |
| 155 | * Enforces security checks before executing any ability. |
| 156 | * |
| 157 | * @param array $input Input parameters containing ability_name and parameters. |
| 158 | * |
| 159 | * @return array Array containing execution results. |
| 160 | */ |
| 161 | public static function execute( $input = array() ): array { |
| 162 | $ability_name = $input['ability_name'] ?? ''; |
| 163 | $parameters = empty( $input['parameters'] ) ? null : $input['parameters']; |
| 164 | |
| 165 | if ( empty( $ability_name ) ) { |
| 166 | return array( |
| 167 | 'success' => false, |
| 168 | 'error' => 'Ability name is required', |
| 169 | ); |
| 170 | } |
| 171 | |
| 172 | // Enforce security checks before execution |
| 173 | // Note: WordPress will have already called check_permission, but we double-check |
| 174 | // as an additional security layer for direct method calls |
| 175 | $permission_check = self::check_permission( $input ); |
| 176 | if ( is_wp_error( $permission_check ) ) { |
| 177 | return array( |
| 178 | 'success' => false, |
| 179 | 'error' => $permission_check->get_error_message(), |
| 180 | ); |
| 181 | } |
| 182 | |
| 183 | if ( ! $permission_check ) { |
| 184 | return array( |
| 185 | 'success' => false, |
| 186 | 'error' => 'Permission denied for ability execution', |
| 187 | ); |
| 188 | } |
| 189 | |
| 190 | $ability = wp_get_ability( $ability_name ); |
| 191 | |
| 192 | if ( ! $ability ) { |
| 193 | return array( |
| 194 | 'success' => false, |
| 195 | 'error' => "Ability '{$ability_name}' not found", |
| 196 | ); |
| 197 | } |
| 198 | |
| 199 | try { |
| 200 | // Execute the ability |
| 201 | $result = $ability->execute( $parameters ); |
| 202 | |
| 203 | // Check if the result is a WP_Error |
| 204 | if ( is_wp_error( $result ) ) { |
| 205 | return array( |
| 206 | 'success' => false, |
| 207 | 'error' => $result->get_error_message(), |
| 208 | ); |
| 209 | } |
| 210 | |
| 211 | return array( |
| 212 | 'success' => true, |
| 213 | 'data' => $result, |
| 214 | ); |
| 215 | } catch ( \Throwable $e ) { |
| 216 | return array( |
| 217 | 'success' => false, |
| 218 | 'error' => $e->getMessage(), |
| 219 | ); |
| 220 | } |
| 221 | } |
| 222 | } |
| 223 |