belgie-mcp 0.1.0__tar.gz → 0.2.0__tar.gz

{belgie_mcp-0.1.0 → belgie_mcp-0.2.0}/PKG-INFO

@@ -1,9 +1,11 @@
 Metadata-Version: 2.3
 Name: belgie-mcp
-Version: 0.1.0
+Version: 0.2.0
 Summary: Add your description here
 Author: Matt LeMay
 Author-email: Matt LeMay <mplemay@users.noreply.github.com>
+Requires-Dist: belgie-oauth
+Requires-Dist: httpx>=0.24
 Requires-Dist: mcp>=1.26.0
 Requires-Python: >=3.12, <3.15
 Description-Content-Type: text/markdown

{belgie_mcp-0.1.0 → belgie_mcp-0.2.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "belgie-mcp"
-version = "0.1.0"
+version = "0.2.0"
 description = "Add your description here"
 readme = "README.md"
 authors = [
@@ -8,6 +8,8 @@ authors = [
 ]
 requires-python = ">=3.12,<3.15"
 dependencies = [
+    "belgie-oauth",
+    "httpx>=0.24",
     "mcp>=1.26.0",
 ]
 
@@ -15,5 +17,8 @@ dependencies = [
 requires = ["uv_build>=0.9.28,<0.10.0"]
 build-backend = "uv_build"
 
+[tool.uv.build-backend]
+source-exclude = ["**/__tests__/**"]
+
 [tool.uv.sources]
 mcp = { git = "https://github.com/modelcontextprotocol/python-sdk.git", rev = "main" }

belgie_mcp-0.2.0/src/belgie_mcp/__init__.py

@@ -0,0 +1,11 @@
+from belgie_mcp.metadata import create_protected_resource_metadata_router
+from belgie_mcp.plugin import McpPlugin
+from belgie_mcp.verifier import BelgieOAuthTokenVerifier, mcp_auth, mcp_token_verifier
+
+__all__ = [
+    "BelgieOAuthTokenVerifier",
+    "McpPlugin",
+    "create_protected_resource_metadata_router",
+    "mcp_auth",
+    "mcp_token_verifier",
+]

belgie_mcp-0.2.0/src/belgie_mcp/metadata.py

@@ -0,0 +1,51 @@
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+from urllib.parse import urlparse
+
+from fastapi import APIRouter, Request
+from mcp.server.auth.json_response import PydanticJSONResponse
+from mcp.server.auth.routes import build_resource_metadata_url
+from mcp.shared.auth import ProtectedResourceMetadata
+
+_ROOT_RESOURCE_METADATA_PATH = "/.well-known/oauth-protected-resource"
+
+
+if TYPE_CHECKING:
+    from fastapi.responses import Response
+    from mcp.server.auth.settings import AuthSettings
+
+
+def create_protected_resource_metadata_router(
+    auth: AuthSettings,
+    *,
+    include_root_fallback: bool = True,
+) -> APIRouter:
+    if auth.resource_server_url is None:
+        msg = "AuthSettings.resource_server_url is required to build protected resource metadata"
+        raise ValueError(msg)
+
+    metadata = ProtectedResourceMetadata(
+        resource=auth.resource_server_url,
+        authorization_servers=[auth.issuer_url],
+        scopes_supported=auth.required_scopes,
+    )
+
+    metadata_url = build_resource_metadata_url(auth.resource_server_url)
+    parsed = urlparse(str(metadata_url))
+    well_known_path = parsed.path
+
+    router = APIRouter()
+
+    async def metadata_handler(_: Request) -> Response:
+        return PydanticJSONResponse(
+            content=metadata,
+            headers={"Cache-Control": "public, max-age=3600"},
+        )
+
+    router.add_api_route(well_known_path, metadata_handler, methods=["GET"])
+
+    if include_root_fallback and well_known_path != _ROOT_RESOURCE_METADATA_PATH:
+        router.add_api_route(_ROOT_RESOURCE_METADATA_PATH, metadata_handler, methods=["GET"])
+
+    return router

belgie_mcp-0.2.0/src/belgie_mcp/plugin.py

@@ -0,0 +1,74 @@
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+from urllib.parse import urlparse, urlunparse
+
+from belgie_core.core.protocols import Plugin
+from fastapi import APIRouter
+
+from belgie_mcp.metadata import create_protected_resource_metadata_router
+from belgie_mcp.verifier import mcp_auth, mcp_token_verifier
+
+if TYPE_CHECKING:
+    from belgie_core.core.belgie import Belgie
+    from belgie_oauth.settings import OAuthSettings
+    from mcp.server.auth.provider import TokenVerifier
+    from mcp.server.auth.settings import AuthSettings
+    from pydantic import AnyHttpUrl
+
+
+class McpPlugin(Plugin):
+    def __init__(  # noqa: PLR0913
+        self,
+        settings: OAuthSettings,
+        *,
+        server_url: str | AnyHttpUrl | None = None,
+        base_url: str | AnyHttpUrl | None = None,
+        server_path: str = "/mcp",
+        required_scopes: list[str] | None = None,
+        introspection_endpoint: str | None = None,
+        oauth_strict: bool = False,
+        include_root_fallback: bool = True,
+    ) -> None:
+        resolved_server_url = (
+            str(server_url) if server_url is not None else _build_server_url(_require_base_url(base_url), server_path)
+        )
+        self.auth = mcp_auth(
+            settings,
+            server_url=resolved_server_url,
+            required_scopes=required_scopes,
+        )
+        self.token_verifier = mcp_token_verifier(
+            settings,
+            server_url=resolved_server_url,
+            introspection_endpoint=introspection_endpoint,
+            oauth_strict=oauth_strict,
+        )
+        self._include_root_fallback = include_root_fallback
+
+    auth: AuthSettings
+    token_verifier: TokenVerifier
+
+    def router(self, belgie: Belgie) -> APIRouter:  # noqa: ARG002
+        return APIRouter()
+
+    def public_router(self, belgie: Belgie) -> APIRouter:  # noqa: ARG002
+        return create_protected_resource_metadata_router(
+            self.auth,
+            include_root_fallback=self._include_root_fallback,
+        )
+
+
+def _require_base_url(base_url: str | AnyHttpUrl | None) -> str:
+    if base_url is None:
+        msg = "base_url is required when server_url is not provided"
+        raise ValueError(msg)
+    return str(base_url)
+
+
+def _build_server_url(base_url: str, server_path: str) -> str:
+    parsed = urlparse(base_url)
+    base_path = parsed.path.rstrip("/")
+    path_suffix = server_path.strip("/")
+    full_path = (f"{base_path}/{path_suffix}" if base_path else f"/{path_suffix}") if path_suffix else base_path
+    return urlunparse(parsed._replace(path=full_path, query="", fragment=""))

belgie_mcp-0.2.0/src/belgie_mcp/verifier.py

@@ -0,0 +1,133 @@
+import logging
+from typing import Any
+
+from belgie_oauth.settings import OAuthSettings
+from belgie_oauth.utils import join_url
+from httpx import AsyncClient, HTTPError, Limits, Timeout
+from mcp.server.auth.provider import AccessToken, TokenVerifier
+from mcp.server.auth.settings import AuthSettings
+from mcp.shared.auth_utils import check_resource_allowed, resource_url_from_server_url
+from pydantic import AnyHttpUrl
+
+logger = logging.getLogger(__name__)
+
+_HTTP_OK = 200
+
+
+class BelgieOAuthTokenVerifier(TokenVerifier):
+    def __init__(
+        self,
+        introspection_endpoint: str,
+        server_url: str,
+        *,
+        validate_resource: bool = False,
+    ) -> None:
+        self.introspection_endpoint = str(introspection_endpoint)
+        self.server_url = str(server_url)
+        self.validate_resource = validate_resource
+        self.resource_url = resource_url_from_server_url(self.server_url)
+
+    async def verify_token(self, token: str) -> AccessToken | None:
+        if not _is_safe_introspection_endpoint(self.introspection_endpoint):
+            logger.warning("Rejecting introspection endpoint with unsafe scheme: %s", self.introspection_endpoint)
+            return None
+
+        timeout = Timeout(10.0, connect=5.0)
+        limits = Limits(max_connections=10, max_keepalive_connections=5)
+        async with AsyncClient(
+            timeout=timeout,
+            limits=limits,
+            verify=True,
+        ) as client:
+            try:
+                response = await client.post(
+                    self.introspection_endpoint,
+                    data={"token": token},
+                    headers={"Content-Type": "application/x-www-form-urlencoded"},
+                )
+            except HTTPError as exc:
+                logger.warning("Token introspection failed: %s", exc)
+                return None
+
+        if response.status_code != _HTTP_OK:
+            logger.debug("Token introspection returned status %s", response.status_code)
+            return None
+
+        data = response.json()
+        if not data.get("active", False):
+            return None
+
+        if self.validate_resource and not self._validate_resource(data):
+            logger.warning("Token resource validation failed. Expected: %s", self.resource_url)
+            return None
+
+        scopes = data.get("scope", "")
+        return AccessToken(
+            token=token,
+            client_id=data.get("client_id", "unknown"),
+            scopes=scopes.split() if scopes else [],
+            expires_at=data.get("exp"),
+            resource=data.get("aud"),
+        )
+
+    def _validate_resource(self, token_data: dict[str, Any]) -> bool:
+        if not self.server_url or not self.resource_url:
+            return False
+
+        aud: list[str] | str | None = token_data.get("aud")
+        if isinstance(aud, list):
+            return any(self._is_valid_resource(audience) for audience in aud)
+        if aud:
+            return self._is_valid_resource(aud)
+        return False
+
+    def _is_valid_resource(self, resource: str) -> bool:
+        return check_resource_allowed(requested_resource=self.resource_url, configured_resource=resource)
+
+
+def mcp_auth(
+    settings: OAuthSettings,
+    *,
+    server_url: str | AnyHttpUrl,
+    required_scopes: list[str] | None = None,
+) -> AuthSettings:
+    issuer_url = _require_issuer_url(settings)
+    resource_server_url = AnyHttpUrl(str(server_url))
+    scopes = required_scopes if required_scopes is not None else _split_scopes(settings.default_scope)
+
+    return AuthSettings(
+        issuer_url=AnyHttpUrl(issuer_url),
+        resource_server_url=resource_server_url,
+        required_scopes=scopes,
+    )
+
+
+def mcp_token_verifier(
+    settings: OAuthSettings,
+    *,
+    server_url: str | AnyHttpUrl,
+    introspection_endpoint: str | None = None,
+    oauth_strict: bool = False,
+) -> TokenVerifier:
+    issuer_url = _require_issuer_url(settings)
+    endpoint = join_url(issuer_url, "introspect") if introspection_endpoint is None else introspection_endpoint
+    return BelgieOAuthTokenVerifier(
+        introspection_endpoint=endpoint,
+        server_url=str(server_url),
+        validate_resource=oauth_strict,
+    )
+
+
+def _split_scopes(raw_scopes: str) -> list[str]:
+    return [scope for scope in raw_scopes.split(" ") if scope]
+
+
+def _is_safe_introspection_endpoint(endpoint: str) -> bool:
+    return endpoint.startswith(("https://", "http://localhost", "http://127.0.0.1"))
+
+
+def _require_issuer_url(settings: OAuthSettings) -> str:
+    if settings.issuer_url is None:
+        msg = "OAuthSettings.issuer_url is required to build MCP AuthSettings"
+        raise ValueError(msg)
+    return str(settings.issuer_url)

belgie_mcp-0.1.0/src/belgie_mcp/__init__.py

@@ -1,2 +0,0 @@
-def hello() -> str:
-    return "Hello from belgie-mcp!"

belgie_mcp-0.1.0/src/belgie_mcp/verifier.py

@@ -1,23 +0,0 @@
-from mcp.server.auth.provider import AccessToken, TokenVerifier
-from mcp.server.auth.settings import AuthSettings
-from mcp.server.mcpserver import MCPServer
-from pydantic import AnyHttpUrl
-
-
-class SimpleTokenVerifier(TokenVerifier):
-    async def verify_token(self, token: str) -> AccessToken | None:
-        pass  # This is where you would implement actual token validation
-
-
-# Create MCPServer instance as a Resource Server
-mcp = MCPServer(
-    "Weather Service",
-    # Token verifier for authentication
-    token_verifier=SimpleTokenVerifier(),
-    # Auth settings for RFC 9728 Protected Resource Metadata
-    auth=AuthSettings(
-        issuer_url=AnyHttpUrl("https://auth.example.com"),  # Authorization Server URL
-        resource_server_url=AnyHttpUrl("http://localhost:3001"),  # This server's URL
-        required_scopes=["user"],
-    ),
-)