vector_mcp 0.3.0 → 0.3.1

data/lib/vector_mcp/security/authorization.rb

@@ -0,0 +1,96 @@
+# frozen_string_literal: true
+
+module VectorMCP
+  module Security
+    # Manages authorization policies for VectorMCP servers
+    # Provides fine-grained access control for tools and resources
+    class Authorization
+      attr_reader :policies, :enabled
+
+      def initialize
+        @policies = {}
+        @enabled = false
+      end
+
+      # Enable authorization system
+      def enable!
+        @enabled = true
+      end
+
+      # Disable authorization (return to pass-through mode)
+      def disable!
+        @enabled = false
+      end
+
+      # Add an authorization policy for a resource type
+      # @param resource_type [Symbol] the type of resource (e.g., :tool, :resource, :prompt)
+      # @param block [Proc] the policy block that receives (user, action, resource)
+      def add_policy(resource_type, &block)
+        @policies[resource_type] = block
+      end
+
+      # Remove an authorization policy
+      # @param resource_type [Symbol] the resource type to remove policy for
+      def remove_policy(resource_type)
+        @policies.delete(resource_type)
+      end
+
+      # Check if a user is authorized to perform an action on a resource
+      # @param user [Object] the authenticated user object
+      # @param action [Symbol] the action being attempted (e.g., :call, :read, :list)
+      # @param resource [Object] the resource being accessed
+      # @return [Boolean] true if authorized, false otherwise
+      def authorize(user, action, resource)
+        return true unless @enabled
+
+        resource_type = determine_resource_type(resource)
+        policy = @policies[resource_type]
+
+        # If no policy is defined, allow access (opt-in authorization)
+        return true unless policy
+
+        begin
+          policy_result = policy.call(user, action, resource)
+          policy_result ? true : false
+        rescue StandardError
+          # Log error but deny access for safety
+          false
+        end
+      end
+
+      # Check if authorization is required
+      # @return [Boolean] true if authorization is enabled
+      def required?
+        @enabled
+      end
+
+      # Get list of resource types with policies
+      # @return [Array<Symbol>] array of resource types
+      def policy_types
+        @policies.keys
+      end
+
+      private
+
+      # Determine the resource type from the resource object
+      # @param resource [Object] the resource object
+      # @return [Symbol] the resource type
+      def determine_resource_type(resource)
+        case resource
+        when VectorMCP::Definitions::Tool
+          :tool
+        when VectorMCP::Definitions::Resource
+          :resource
+        when VectorMCP::Definitions::Prompt
+          :prompt
+        when VectorMCP::Definitions::Root
+          :root
+        else
+          # Try to infer from class name
+          class_name = resource.class.name.split("::").last&.downcase
+          class_name&.to_sym || :unknown
+        end
+      end
+    end
+  end
+end

data/lib/vector_mcp/security/middleware.rb

@@ -0,0 +1,172 @@
+# frozen_string_literal: true
+
+module VectorMCP
+  module Security
+    # Security middleware for request authentication and authorization
+    # Integrates with transport layers to provide security controls
+    class Middleware
+      attr_reader :auth_manager, :authorization
+
+      # Initialize middleware with auth components
+      # @param auth_manager [AuthManager] the authentication manager
+      # @param authorization [Authorization] the authorization manager
+      def initialize(auth_manager, authorization)
+        @auth_manager = auth_manager
+        @authorization = authorization
+      end
+
+      # Authenticate a request and return session context
+      # @param request [Hash] the request object
+      # @param strategy [Symbol] optional authentication strategy override
+      # @return [SessionContext] the session context for the request
+      def authenticate_request(request, strategy: nil)
+        auth_result = @auth_manager.authenticate(request, strategy: strategy)
+        SessionContext.from_auth_result(auth_result)
+      end
+
+      # Check if a session is authorized for an action on a resource
+      # @param session_context [SessionContext] the session context
+      # @param action [Symbol] the action being attempted
+      # @param resource [Object] the resource being accessed
+      # @return [Boolean] true if authorized
+      def authorize_action(session_context, action, resource)
+        # Always allow if authorization is disabled
+        return true unless @authorization.required?
+
+        # Check authorization policy
+        @authorization.authorize(session_context.user, action, resource)
+      end
+
+      # Process a request through the complete security pipeline
+      # @param request [Hash] the request object
+      # @param action [Symbol] the action being attempted
+      # @param resource [Object] the resource being accessed
+      # @return [Hash] result with session_context and authorization status
+      def process_request(request, action: :access, resource: nil)
+        # Step 1: Authenticate the request
+        session_context = authenticate_request(request)
+
+        # Step 2: Check if authentication is required but failed
+        if @auth_manager.required? && !session_context.authenticated?
+          return {
+            success: false,
+            error: "Authentication required",
+            error_code: "AUTHENTICATION_REQUIRED",
+            session_context: session_context
+          }
+        end
+
+        # Step 3: Check authorization if resource is provided
+        if resource && !authorize_action(session_context, action, resource)
+          return {
+            success: false,
+            error: "Access denied",
+            error_code: "AUTHORIZATION_FAILED",
+            session_context: session_context
+          }
+        end
+
+        # Step 4: Success
+        {
+          success: true,
+          session_context: session_context
+        }
+      end
+
+      # Create a request object from different transport formats
+      # @param transport_request [Object] the transport-specific request
+      # @return [Hash] normalized request object
+      def normalize_request(transport_request)
+        case transport_request
+        when Hash
+          # Check if it's a Rack environment (has REQUEST_METHOD key)
+          if transport_request.key?("REQUEST_METHOD")
+            extract_from_rack_env(transport_request)
+          else
+            # Already normalized
+            transport_request
+          end
+        else
+          # Extract from transport-specific request (e.g., custom objects)
+          extract_request_data(transport_request)
+        end
+      end
+
+      # Check if security is enabled
+      # @return [Boolean] true if any security features are enabled
+      def security_enabled?
+        @auth_manager.required? || @authorization.required?
+      end
+
+      # Get security status for debugging/monitoring
+      # @return [Hash] current security configuration status
+      def security_status
+        {
+          authentication: {
+            enabled: @auth_manager.required?,
+            strategies: @auth_manager.available_strategies,
+            default_strategy: @auth_manager.default_strategy
+          },
+          authorization: {
+            enabled: @authorization.required?,
+            policy_types: @authorization.policy_types
+          }
+        }
+      end
+
+      private
+
+      # Extract request data from transport-specific formats
+      # @param transport_request [Object] the transport request
+      # @return [Hash] extracted request data
+      def extract_request_data(transport_request)
+        # Handle Rack environment (for SSE transport)
+        if transport_request.respond_to?(:[]) && transport_request["REQUEST_METHOD"]
+          extract_from_rack_env(transport_request)
+        else
+          # Default fallback
+          { headers: {}, params: {} }
+        end
+      end
+
+      # Extract data from Rack environment
+      # @param env [Hash] the Rack environment
+      # @return [Hash] extracted request data
+      def extract_from_rack_env(env)
+        # Extract headers (HTTP_ prefixed in Rack env)
+        headers = {}
+        env.each do |key, value|
+          next unless key.start_with?("HTTP_")
+
+          # Convert HTTP_X_API_KEY to X-API-Key format
+          header_name = key[5..].split("_").map do |part|
+            case part.upcase
+            when "API" then "API" # Keep API in all caps
+            else part.capitalize
+            end
+          end.join("-")
+          headers[header_name] = value
+        end
+
+        # Add special headers
+        headers["Authorization"] = env["HTTP_AUTHORIZATION"] if env["HTTP_AUTHORIZATION"]
+        headers["Content-Type"] = env["CONTENT_TYPE"] if env["CONTENT_TYPE"]
+
+        # Extract query parameters
+        params = {}
+        if env["QUERY_STRING"]
+          require "uri"
+          params = URI.decode_www_form(env["QUERY_STRING"]).to_h
+        end
+
+        {
+          headers: headers,
+          params: params,
+          method: env["REQUEST_METHOD"],
+          path: env["PATH_INFO"],
+          rack_env: env
+        }
+      end
+    end
+  end
+end

data/lib/vector_mcp/security/session_context.rb

@@ -0,0 +1,147 @@
+# frozen_string_literal: true
+
+module VectorMCP
+  module Security
+    # Represents the security context for a user session
+    # Contains authentication and authorization information
+    class SessionContext
+      attr_reader :user, :authenticated, :permissions, :auth_strategy, :authenticated_at
+
+      # Initialize session context
+      # @param user [Object] the authenticated user object
+      # @param authenticated [Boolean] whether the user is authenticated
+      # @param auth_strategy [String] the authentication strategy used
+      # @param authenticated_at [Time] when authentication occurred
+      def initialize(user: nil, authenticated: false, auth_strategy: nil, authenticated_at: nil)
+        @user = user
+        @authenticated = authenticated
+        @auth_strategy = auth_strategy
+        @authenticated_at = authenticated_at || Time.now
+        @permissions = Set.new
+      end
+
+      # Check if the session is authenticated
+      # @return [Boolean] true if authenticated
+      def authenticated?
+        @authenticated
+      end
+
+      # Check if the user has a specific permission
+      # @param permission [String, Symbol] the permission to check
+      # @return [Boolean] true if user has the permission
+      def can?(permission)
+        @permissions.include?(permission.to_s)
+      end
+
+      # Check if the user can perform an action on a resource
+      # @param action [String, Symbol] the action (e.g., 'read', 'write', 'execute')
+      # @param resource [String, Symbol] the resource (e.g., 'tools', 'resources')
+      # @return [Boolean] true if user can perform the action
+      def can_access?(action, resource)
+        can?("#{action}:#{resource}") || can?("#{action}:*") || can?("*:#{resource}") || can?("*:*")
+      end
+
+      # Add a permission to the session
+      # @param permission [String, Symbol] the permission to add
+      def add_permission(permission)
+        @permissions << permission.to_s
+      end
+
+      # Add multiple permissions to the session
+      # @param permissions [Array<String, Symbol>] the permissions to add
+      def add_permissions(permissions)
+        permissions.each { |perm| add_permission(perm) }
+      end
+
+      # Remove a permission from the session
+      # @param permission [String, Symbol] the permission to remove
+      def remove_permission(permission)
+        @permissions.delete(permission.to_s)
+      end
+
+      # Clear all permissions
+      def clear_permissions
+        @permissions.clear
+      end
+
+      # Get user identifier for logging/auditing
+      # @return [String] a string identifying the user
+      def user_identifier
+        return "anonymous" unless authenticated?
+        return "anonymous" if @user.nil?
+
+        case @user
+        when Hash
+          @user[:user_id] || @user[:sub] || @user[:email] || @user[:api_key] || "authenticated_user"
+        when String
+          @user
+        else
+          @user.respond_to?(:id) ? @user.id.to_s : "authenticated_user"
+        end
+      end
+
+      # Get authentication method used
+      # @return [String] the authentication strategy
+      def auth_method
+        @auth_strategy || "none"
+      end
+
+      # Check if authentication is recent (within specified seconds)
+      # @param max_age [Integer] maximum age in seconds (default: 3600 = 1 hour)
+      # @return [Boolean] true if authentication is recent
+      def auth_recent?(max_age: 3600)
+        return false unless authenticated?
+
+        (Time.now - @authenticated_at) <= max_age
+      end
+
+      # Convert to hash for serialization
+      # @return [Hash] session context as hash
+      def to_h
+        {
+          authenticated: @authenticated,
+          user_identifier: user_identifier,
+          auth_strategy: @auth_strategy,
+          authenticated_at: @authenticated_at&.iso8601,
+          permissions: @permissions.to_a
+        }
+      end
+
+      # Create an anonymous (unauthenticated) session context
+      # @return [SessionContext] an unauthenticated session
+      def self.anonymous
+        new(authenticated: false)
+      end
+
+      # Create an authenticated session context from auth result
+      # @param auth_result [Hash] the authentication result
+      # @return [SessionContext] an authenticated session
+      def self.from_auth_result(auth_result)
+        return anonymous unless auth_result&.dig(:authenticated)
+
+        user_data = auth_result[:user]
+
+        # Handle special marker for authenticated nil user
+        if user_data == :authenticated_nil_user
+          new(
+            user: nil,
+            authenticated: true,
+            auth_strategy: "custom",
+            authenticated_at: Time.now
+          )
+        else
+          # Extract strategy and authenticated_at only if user_data is a Hash
+          strategy = user_data.is_a?(Hash) ? user_data[:strategy] : nil
+          auth_time = user_data.is_a?(Hash) ? user_data[:authenticated_at] : nil
+
+          new(
+            user: user_data,
+            authenticated: true,
+            auth_strategy: strategy,
+            authenticated_at: auth_time
+          )
+        end
+      end
+    end
+  end
+end

data/lib/vector_mcp/security/strategies/api_key.rb

@@ -0,0 +1,167 @@
+# frozen_string_literal: true
+
+module VectorMCP
+  module Security
+    module Strategies
+      # API Key authentication strategy
+      # Supports multiple key formats and storage methods
+      class ApiKey
+        attr_reader :valid_keys
+
+        # Initialize with a list of valid API keys
+        # @param keys [Array<String>] array of valid API keys
+        def initialize(keys: [])
+          @valid_keys = Set.new(keys.map(&:to_s))
+        end
+
+        # Add a valid API key
+        # @param key [String] the API key to add
+        def add_key(key)
+          @valid_keys << key.to_s
+        end
+
+        # Remove an API key
+        # @param key [String] the API key to remove
+        def remove_key(key)
+          @valid_keys.delete(key.to_s)
+        end
+
+        # Authenticate a request using API key
+        # @param request [Hash] the request object
+        # @return [Hash, false] user info hash or false if authentication failed
+        def authenticate(request)
+          api_key = extract_api_key(request)
+          return false unless api_key&.length&.positive?
+
+          if @valid_keys.include?(api_key)
+            {
+              api_key: api_key,
+              strategy: "api_key",
+              authenticated_at: Time.now
+            }
+          else
+            false
+          end
+        end
+
+        # Check if any keys are configured
+        # @return [Boolean] true if keys are available
+        def configured?
+          !@valid_keys.empty?
+        end
+
+        # Get count of configured keys (for debugging)
+        # @return [Integer] number of configured keys
+        def key_count
+          @valid_keys.size
+        end
+
+        private
+
+        # Extract API key from various request formats
+        # @param request [Hash] the request object
+        # @return [String, nil] the extracted API key
+        def extract_api_key(request)
+          headers = normalize_headers(request)
+          params = normalize_params(request)
+
+          extract_from_headers(headers) || extract_from_params(params)
+        end
+
+        # Normalize headers to handle different formats
+        # @param request [Hash] the request object
+        # @return [Hash] normalized headers
+        def normalize_headers(request)
+          # Check if it's a Rack environment (has REQUEST_METHOD)
+          if request["REQUEST_METHOD"]
+            extract_headers_from_rack_env(request)
+          else
+            request[:headers] || request["headers"] || {}
+          end
+        end
+
+        # Normalize params to handle different formats
+        # @param request [Hash] the request object
+        # @return [Hash] normalized params
+        def normalize_params(request)
+          # Check if it's a Rack environment (has REQUEST_METHOD)
+          if request["REQUEST_METHOD"]
+            extract_params_from_rack_env(request)
+          else
+            request[:params] || request["params"] || {}
+          end
+        end
+
+        # Extract headers from Rack environment
+        # @param env [Hash] the Rack environment
+        # @return [Hash] normalized headers
+        def extract_headers_from_rack_env(env)
+          headers = {}
+          env.each do |key, value|
+            next unless key.start_with?("HTTP_")
+
+            # Convert HTTP_X_API_KEY to X-API-Key format
+            header_name = key[5..].split("_").map do |part|
+              case part.upcase
+              when "API" then "API" # Keep API in all caps
+              else part.capitalize
+              end
+            end.join("-")
+            headers[header_name] = value
+          end
+
+          # Add special headers
+          headers["Authorization"] = env["HTTP_AUTHORIZATION"] if env["HTTP_AUTHORIZATION"]
+          headers["Content-Type"] = env["CONTENT_TYPE"] if env["CONTENT_TYPE"]
+          headers
+        end
+
+        # Extract params from Rack environment
+        # @param env [Hash] the Rack environment
+        # @return [Hash] normalized params
+        def extract_params_from_rack_env(env)
+          params = {}
+          if env["QUERY_STRING"]
+            require "uri"
+            params = URI.decode_www_form(env["QUERY_STRING"]).to_h
+          end
+          params
+        end
+
+        # Extract API key from headers
+        # @param headers [Hash] request headers
+        # @return [String, nil] the API key if found
+        def extract_from_headers(headers)
+          # 1. X-API-Key header (most common)
+          api_key = headers["X-API-Key"] || headers["x-api-key"]
+          return api_key if api_key
+
+          # 2. Authorization header
+          extract_from_auth_header(headers["Authorization"] || headers["authorization"])
+        end
+
+        # Extract API key from Authorization header
+        # @param auth_header [String, nil] the authorization header value
+        # @return [String, nil] the API key if found
+        def extract_from_auth_header(auth_header)
+          return nil unless auth_header
+
+          # Bearer token format
+          return auth_header[7..] if auth_header.start_with?("Bearer ")
+
+          # API-Key scheme format
+          return auth_header[8..] if auth_header.start_with?("API-Key ")
+
+          nil
+        end
+
+        # Extract API key from query parameters
+        # @param params [Hash] request parameters
+        # @return [String, nil] the API key if found
+        def extract_from_params(params)
+          params["api_key"] || params["apikey"]
+        end
+      end
+    end
+  end
+end

data/lib/vector_mcp/security/strategies/custom.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+module VectorMCP
+  module Security
+    module Strategies
+      # Custom authentication strategy
+      # Allows developers to implement their own authentication logic
+      class Custom
+        attr_reader :handler
+
+        # Initialize with a custom authentication handler
+        # @param handler [Proc] a block that takes a request and returns user info or false
+        def initialize(&handler)
+          raise ArgumentError, "Custom authentication strategy requires a block" unless handler
+
+          @handler = handler
+        end
+
+        # Authenticate a request using the custom handler
+        # @param request [Hash] the request object
+        # @return [Object, false] result from custom handler or false if authentication failed
+        def authenticate(request)
+          result = @handler.call(request)
+
+          # Ensure result includes strategy info if it's successful
+          if result && result != false
+            format_successful_result(result)
+          else
+            false
+          end
+        rescue NoMemoryError, StandardError
+          # Log error but return false for security
+          false
+        end
+
+        # Check if handler is configured
+        # @return [Boolean] true if handler is present
+        def configured?
+          !@handler.nil?
+        end
+
+        private
+
+        # Format successful authentication result with strategy metadata
+        # @param result [Object] the result from the custom handler
+        # @return [Object] formatted result with strategy metadata
+        def format_successful_result(result)
+          case result
+          when Hash
+            # If result has a :user key, extract it and use as main user data
+            if result.key?(:user)
+              user_data = result[:user]
+              # For nil user, return a marker that will become nil in session context
+              return :authenticated_nil_user if user_data.nil?
+
+              user_data
+            else
+              result.merge(strategy: "custom", authenticated_at: Time.now)
+            end
+          else
+            {
+              user: result,
+              strategy: "custom",
+              authenticated_at: Time.now
+            }
+          end
+        end
+      end
+    end
+  end
+end