awslabs.openapi-mcp-server 0.1.1__py3-none-any.whl

awslabs/openapi_mcp_server/auth/auth_provider.py

@@ -0,0 +1,160 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Base authentication provider interface."""
+
+import abc
+import httpx
+from typing import Any, Dict, Optional
+
+
+class AuthProvider(abc.ABC):
+    """Abstract base class for authentication providers.
+
+    Authentication providers handle different authentication methods for APIs.
+    Implementing classes must provide methods for setting up authentication
+    for HTTP requests.
+    """
+
+    @abc.abstractmethod
+    def get_auth_headers(self) -> Dict[str, str]:
+        """Get authentication headers for HTTP requests.
+
+        Returns:
+            Dict[str, str]: Headers to include in HTTP requests
+
+        """
+        pass
+
+    @abc.abstractmethod
+    def get_auth_params(self) -> Dict[str, str]:
+        """Get authentication query parameters for HTTP requests.
+
+        Returns:
+            Dict[str, str]: Query parameters to include in HTTP requests
+
+        """
+        pass
+
+    @abc.abstractmethod
+    def get_auth_cookies(self) -> Dict[str, str]:
+        """Get authentication cookies for HTTP requests.
+
+        Returns:
+            Dict[str, str]: Cookies to include in HTTP requests
+
+        """
+        pass
+
+    @abc.abstractmethod
+    def get_httpx_auth(self) -> Optional[httpx.Auth]:
+        """Get authentication object for HTTPX.
+
+        Returns:
+            Optional[httpx.Auth]: Authentication object for HTTPX client or None
+
+        """
+        pass
+
+    @abc.abstractmethod
+    def is_configured(self) -> bool:
+        """Check if the authentication provider is properly configured.
+
+        Returns:
+            bool: True if configured, False otherwise
+
+        """
+        pass
+
+    @property
+    @abc.abstractmethod
+    def provider_name(self) -> str:
+        """Get the name of the authentication provider.
+
+        Returns:
+            str: Name of the authentication provider
+
+        """
+        pass
+
+
+class NullAuthProvider(AuthProvider):
+    """No-op authentication provider.
+
+    This provider is used when authentication is disabled or not configured.
+    """
+
+    def __init__(self, config: Any = None):
+        """Initialize with optional configuration.
+
+        Args:
+            config: Optional configuration object (ignored by this provider)
+
+        """
+        # Config is ignored by this provider
+        pass
+
+    def get_auth_headers(self) -> Dict[str, str]:
+        """Get authentication headers for HTTP requests.
+
+        Returns:
+            Dict[str, str]: Empty dict as no authentication is provided
+
+        """
+        return {}
+
+    def get_auth_params(self) -> Dict[str, str]:
+        """Get authentication query parameters for HTTP requests.
+
+        Returns:
+            Dict[str, str]: Empty dict as no authentication is provided
+
+        """
+        return {}
+
+    def get_auth_cookies(self) -> Dict[str, str]:
+        """Get authentication cookies for HTTP requests.
+
+        Returns:
+            Dict[str, str]: Empty dict as no authentication is provided
+
+        """
+        return {}
+
+    def get_httpx_auth(self) -> Optional[httpx.Auth]:
+        """Get authentication object for HTTPX.
+
+        Returns:
+            Optional[httpx.Auth]: None as no authentication is provided
+
+        """
+        return None
+
+    def is_configured(self) -> bool:
+        """Check if the authentication provider is properly configured.
+
+        Returns:
+            bool: Always True as null provider requires no configuration
+
+        """
+        return True
+
+    @property
+    def provider_name(self) -> str:
+        """Get the name of the authentication provider.
+
+        Returns:
+            str: Name of the authentication provider
+
+        """
+        return 'none'

awslabs/openapi_mcp_server/auth/base_auth.py

@@ -0,0 +1,218 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Base authentication provider."""
+
+import functools
+import httpx
+from abc import ABC, abstractmethod
+from awslabs.openapi_mcp_server import logger
+from awslabs.openapi_mcp_server.api.config import Config
+from awslabs.openapi_mcp_server.auth.auth_errors import (
+    AuthError,
+    ConfigurationError,
+    format_error_message,
+)
+from awslabs.openapi_mcp_server.auth.auth_provider import AuthProvider
+from typing import Any, Callable, Dict, Optional, TypeVar, cast
+
+
+# Type variable for method return types
+T = TypeVar('T')
+
+
+class BaseAuthProvider(AuthProvider, ABC):
+    """Base authentication provider.
+
+    This abstract base class provides common functionality for all authentication providers.
+    It implements the Template Method pattern for configuration validation and error handling.
+    """
+
+    def __init__(self, config: Config):
+        """Initialize with configuration.
+
+        Args:
+            config: Application configuration
+
+        """
+        self._config = config
+        self._is_valid = False
+        self._auth_headers: Dict[str, str] = {}
+        self._auth_params: Dict[str, str] = {}
+        self._auth_cookies: Dict[str, str] = {}
+        self._validation_error: Optional[AuthError] = None
+
+        # Template method pattern: validate and initialize
+        try:
+            self._is_valid = self._validate_config()
+            if self._is_valid:
+                self._initialize_auth()
+            else:
+                self._handle_validation_error()
+        except AuthError as e:
+            self._validation_error = e
+            self._is_valid = False
+            self._log_auth_error(e)
+            # Re-raise the exception for test cases to catch
+            raise e
+        except Exception as e:
+            self._validation_error = ConfigurationError(
+                f'Unexpected error during authentication provider initialization: {str(e)}'
+            )
+            self._is_valid = False
+            self._log_auth_error(self._validation_error)
+            # Re-raise the exception for test cases to catch
+            raise self._validation_error
+
+    def _initialize_auth(self) -> None:
+        """Initialize authentication data after validation.
+
+        This method is called after successful validation to set up
+        headers, params, and cookies. Override in subclasses if needed.
+        """
+        pass
+
+    @abstractmethod
+    def _validate_config(self) -> bool:
+        """Validate the configuration.
+
+        Returns:
+            bool: True if configuration is valid, False otherwise
+
+        Raises:
+            AuthError: If validation fails with a specific error
+
+        """
+        pass
+
+    def _handle_validation_error(self) -> None:
+        """Handle validation error.
+
+        This method is called when validation fails but no exception is raised.
+        It should create and log an appropriate error. Override in subclasses.
+        """
+        self._validation_error = ConfigurationError(
+            f'Invalid configuration for {self.provider_name} authentication provider'
+        )
+        self._log_auth_error(self._validation_error)
+
+    def _log_auth_error(self, error: AuthError) -> None:
+        """Log an authentication error.
+
+        Args:
+            error: The authentication error
+
+        """
+        message = format_error_message(self.provider_name, error.error_type, error.message)
+        logger.error(message)
+
+        # Log additional details at debug level
+        if error.details:
+            logger.debug(f'Error details: {error.details}')
+
+    def _log_validation_error(self) -> None:
+        """Log validation error messages.
+
+        This method is kept for backward compatibility.
+        New implementations should use _handle_validation_error instead.
+        """
+        self._handle_validation_error()
+
+    def _requires_valid_config(method: Callable[..., T]) -> Callable[..., T]:  # type: ignore
+        """Ensure a method is only called with valid configuration.
+
+        If the configuration is not valid, returns an empty result.
+        """
+
+        @functools.wraps(method)
+        def wrapper(self: 'BaseAuthProvider', *args: Any, **kwargs: Any) -> T:
+            if not self._is_valid:
+                # Return empty result based on return type annotation
+                return_type = method.__annotations__.get('return')
+                if return_type == Dict[str, str]:
+                    return cast(T, {})
+                elif return_type == Optional[httpx.Auth]:
+                    return cast(T, None)
+                return cast(T, None)
+            return method(self, *args, **kwargs)
+
+        return wrapper
+
+    @_requires_valid_config
+    def get_auth_headers(self) -> Dict[str, str]:
+        """Get authentication headers for HTTP requests.
+
+        Returns:
+            Dict[str, str]: Authentication headers
+
+        """
+        return self._auth_headers
+
+    @_requires_valid_config
+    def get_auth_params(self) -> Dict[str, str]:
+        """Get authentication query parameters for HTTP requests.
+
+        Returns:
+            Dict[str, str]: Authentication query parameters
+
+        """
+        return self._auth_params
+
+    @_requires_valid_config
+    def get_auth_cookies(self) -> Dict[str, str]:
+        """Get authentication cookies for HTTP requests.
+
+        Returns:
+            Dict[str, str]: Authentication cookies
+
+        """
+        return self._auth_cookies
+
+    @_requires_valid_config
+    def get_httpx_auth(self) -> Optional[httpx.Auth]:
+        """Get authentication object for HTTPX.
+
+        Returns:
+            Optional[httpx.Auth]: Authentication object for HTTPX client
+
+        """
+        return None
+
+    def is_configured(self) -> bool:
+        """Check if the authentication provider is properly configured.
+
+        Returns:
+            bool: True if properly configured, False otherwise
+
+        """
+        return self._is_valid
+
+    def get_validation_error(self) -> Optional[AuthError]:
+        """Get the validation error if configuration is invalid.
+
+        Returns:
+            Optional[AuthError]: The validation error or None if configuration is valid
+
+        """
+        return self._validation_error
+
+    @property
+    @abstractmethod
+    def provider_name(self) -> str:
+        """Get the name of the authentication provider.
+
+        Returns:
+            str: Name of the authentication provider
+
+        """
+        pass

awslabs/openapi_mcp_server/auth/basic_auth.py

@@ -0,0 +1,171 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Basic authentication provider."""
+
+import base64
+import httpx
+from awslabs.openapi_mcp_server import logger
+from awslabs.openapi_mcp_server.api.config import Config
+from awslabs.openapi_mcp_server.auth.auth_cache import cached_auth_data
+from awslabs.openapi_mcp_server.auth.auth_errors import MissingCredentialsError
+from awslabs.openapi_mcp_server.auth.base_auth import BaseAuthProvider
+from typing import Dict, Optional
+
+
+class BasicAuthProvider(BaseAuthProvider):
+    """Basic authentication provider.
+
+    This provider adds an Authorization header with Basic authentication
+    to all HTTP requests.
+    """
+
+    def __init__(self, config: Config):
+        """Initialize with configuration.
+
+        Args:
+            config: Application configuration
+
+        """
+        # Store credentials before calling super().__init__
+        self._username = config.auth_username
+        self._password = config.auth_password
+        self._httpx_auth: Optional[httpx.Auth] = None
+        self._credentials_hash = None
+
+        # Call parent initializer which will validate and initialize auth
+        super().__init__(config)
+
+    def _validate_config(self) -> bool:
+        """Validate the configuration.
+
+        Returns:
+            bool: True if username and password are provided, False otherwise
+
+        Raises:
+            MissingCredentialsError: If username or password is missing
+
+        """
+        if not self._username:
+            raise MissingCredentialsError(
+                'Basic authentication requires a username',
+                {
+                    'help': 'Provide a username using --auth-username command line argument or AUTH_USERNAME environment variable'
+                },
+            )
+
+        if not self._password:
+            raise MissingCredentialsError(
+                'Basic authentication requires a password',
+                {
+                    'help': 'Provide a password using --auth-password command line argument or AUTH_PASSWORD environment variable'
+                },
+            )
+
+        # Create a hash of the credentials for caching
+        self._credentials_hash = self._hash_credentials(self._username, self._password)
+        return True
+
+    def _log_validation_error(self) -> None:
+        """Log validation error messages."""
+        logger.error(
+            'Basic authentication requires both username and password. Please provide them using --auth-username and --auth-password command line arguments or AUTH_USERNAME and AUTH_PASSWORD environment variables.'
+        )
+
+    def _initialize_auth(self) -> None:
+        """Initialize authentication data after validation."""
+        # Use cached methods to generate auth data
+        self._auth_headers = self._generate_auth_headers(self._credentials_hash)
+        self._httpx_auth = self._generate_httpx_auth(self._username, self._password)
+
+    @staticmethod
+    def _hash_credentials(username: str, password: str) -> str:
+        """Create a hash of the credentials for caching.
+
+        Args:
+            username: Username
+            password: Password
+
+        Returns:
+            str: Hash of the credentials
+
+        """
+        # Create a hash of the credentials to use as a cache key
+        # This avoids storing the actual credentials in the cache key
+        # Using bcrypt for stronger security
+        import bcrypt
+
+        credentials = f'{username}:{password}'
+        # Generate a salt and hash the credentials
+        # We only need a string representation for caching, so we'll use the hexdigest of the hash
+        hashed = bcrypt.hashpw(credentials.encode('utf-8'), bcrypt.gensalt(rounds=10))
+        # Convert to hex string for consistent cache key format
+        return hashed.hex()
+
+    @cached_auth_data(ttl=3600)  # Cache for 1 hour by default
+    def _generate_auth_headers(self, credentials_hash: str) -> Dict[str, str]:
+        """Generate authentication headers.
+
+        This method is cached to avoid regenerating headers for the same credentials.
+
+        Args:
+            credentials_hash: Hash of the credentials
+
+        Returns:
+            Dict[str, str]: Authentication headers
+
+        """
+        logger.debug(f'Generating new basic auth headers for user: {self._username}')
+
+        # Create the basic auth header
+        auth_string = f'{self._username}:{self._password}'
+        auth_bytes = auth_string.encode('utf-8')
+        encoded_auth = base64.b64encode(auth_bytes).decode('utf-8')
+
+        return {'Authorization': f'Basic {encoded_auth}'}
+
+    @cached_auth_data(ttl=3600)  # Cache for 1 hour by default
+    def _generate_httpx_auth(self, username: str, password: str) -> httpx.BasicAuth:
+        """Generate HTTPX auth object.
+
+        This method is cached to avoid regenerating auth objects for the same credentials.
+
+        Args:
+            username: Username
+            password: Password
+
+        Returns:
+            httpx.BasicAuth: HTTPX auth object
+
+        """
+        logger.debug(f'Generating new HTTPX basic auth object for user: {username}')
+        return httpx.BasicAuth(username=username, password=password)
+
+    def get_httpx_auth(self) -> Optional[httpx.Auth]:
+        """Get authentication object for HTTPX.
+
+        Returns:
+            Optional[httpx.Auth]: Basic auth object for HTTPX client
+
+        """
+        return self._httpx_auth
+
+    @property
+    def provider_name(self) -> str:
+        """Get the name of the authentication provider.
+
+        Returns:
+            str: Name of the authentication provider
+
+        """
+        return 'basic'

awslabs/openapi_mcp_server/auth/bearer_auth.py

@@ -0,0 +1,108 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Bearer token authentication provider."""
+
+from awslabs.openapi_mcp_server import logger
+from awslabs.openapi_mcp_server.api.config import Config
+from awslabs.openapi_mcp_server.auth.auth_cache import cached_auth_data
+from awslabs.openapi_mcp_server.auth.auth_errors import MissingCredentialsError
+from awslabs.openapi_mcp_server.auth.base_auth import BaseAuthProvider
+from typing import Dict
+
+
+class BearerAuthProvider(BaseAuthProvider):
+    """Bearer token authentication provider.
+
+    This provider adds an Authorization header with a Bearer token
+    to all HTTP requests.
+    """
+
+    def __init__(self, config: Config):
+        """Initialize with configuration.
+
+        Args:
+            config: Application configuration
+
+        """
+        # Store token before calling super().__init__
+        self._token = config.auth_token
+        self._token_ttl = getattr(config, 'auth_token_ttl', 3600)  # Default 1 hour
+
+        # Call parent initializer which will validate and initialize auth
+        super().__init__(config)
+
+    def _validate_config(self) -> bool:
+        """Validate the configuration.
+
+        Returns:
+            bool: True if token is provided, False otherwise
+
+        Raises:
+            MissingCredentialsError: If token is missing
+
+        """
+        if not self._token:
+            raise MissingCredentialsError(
+                'Bearer authentication requires a valid token',
+                {
+                    'help': 'Provide a token using --auth-token command line argument or AUTH_TOKEN environment variable'
+                },
+            )
+        return True
+
+    def _log_validation_error(self) -> None:
+        """Log validation error messages."""
+        logger.error(
+            'Bearer authentication requires a valid token. When using bearer authentication, a token must be provided.'
+        )
+        logger.error(
+            'Please provide a token using --auth-token command line argument or AUTH_TOKEN environment variable.'
+        )
+
+    def _initialize_auth(self) -> None:
+        """Initialize authentication data after validation."""
+        # We'll use the cached method to generate headers
+        self._auth_headers = self._generate_auth_headers(self._token)
+
+    @cached_auth_data(ttl=3600)  # Cache for 1 hour by default
+    def _generate_auth_headers(self, token: str) -> Dict[str, str]:
+        """Generate authentication headers.
+
+        This method is cached to avoid regenerating headers for the same token.
+
+        Args:
+            token: Bearer token
+
+        Returns:
+            Dict[str, str]: Authentication headers
+
+        """
+        # Log without including the token
+        logger.debug('Generating new bearer token headers')
+
+        # Calculate token length for debugging purposes
+        token_length = len(token) if token else 0
+        logger.debug(f'Token length: {token_length} characters')
+
+        return {'Authorization': f'Bearer {token}'}
+
+    @property
+    def provider_name(self) -> str:
+        """Get the name of the authentication provider.
+
+        Returns:
+            str: Name of the authentication provider
+
+        """
+        return 'bearer'